OSWE

  • SQLi
    • Look for "query", "search", "sql"
    • Enable database logs to check for queries with input data
    • Extract data / structure
    • Exec code
    • Blind
      • Substring + ASCII
      • LIKE-based match
  • XSS
    • Cookie extraction
    • CSRF bypass
  • XXE
  • Important functions
    • Login / registration
    • Forgot password / recovery
    • Attachments / file uploads
  • Review
    • Identify publicly accessible pages for initial attack
    • Identify interesting high privileged actions for secondary attack
  • Try default passwords (admin:admin admin:password)
  • When Base64 (or similar encoded) value is observed, decode and check.
  • User provided XML, JSON, Pickle is processed
    • Check for locations that reflect values in XML/JSON
    • Deserialization vulnerabilities
    • Parser related issues
    • Break the syntax to see parser errors
  • When a hash value is observed, check if it can be broken based on an online search (admin:admin)
  • Look for files with "credential", "password", or "key" in them.
  • Look for configuration files like:
    • FileZilla Server.xml
    • wp-config.php
    • /etc/hosts <- for custom mappings
    • ifconfig <- for other interfaces
  • Look at logs
    • /var/log/auth.log