bscp notes
  • Resources
  • Exam Hints/Tips
  • Burp dynamic header in Intruder
  • Methodology
  • Payloads
  • Stage 1
    • XSS
    • Information disclosure
    • DOM-based
    • Web Cache Poison
    • Host Headers
    • HTTP Req Smuggling
    • Authentication
  • Stage 2
    • oAuth
    • CSRF
    • Password Reset
    • SQLi
      • SQLi Cheat Sheet
    • JWT
    • Prototype Pollution
    • API Testing - TODO
    • Access Control
    • CORS
  • DATA EXFILTRATION
    • XXE Injections
    • SSRF
    • SSTI
    • Path Traversal
    • File Upload
    • Insecure Desarialization
    • OS Cmd Injection
  • graphql api vulns
  • no sql
  • web cache deception
  • clickjacking
  • websockets
  • web cache deception
Powered by GitBook
On this page

Methodology

What are the functionalities?

a) Authentication

  • Auth attacks (Intruder):

    • Response differences

    • Enumerating valid accounts

    • Time-based indicators

  • OAuth:

    • Study the flow

    • Look for vulnerabilities

  • Password reset:

    • Exploit server using the Host header

    • Additional headers

    • Host header injection bypasses

b) Search function / Advanced search

  • XSS: May be linked to CSRF

  • SQLi: Less common in basic searches, more frequent in advanced search features

c) Viewing blog posts

  • LFI: If only viewing posts is allowed, look for requests that include files and attempt to traverse the file path

d) Commenting on blog posts

  • XSS: In the comment text, website field, or other user inputs

  • File upload: If file uploads are possible

e) Category filter

  • SQLi: In the ?category= parameter

f) Check stock function

  • XXE: Depending on the data input method, even with POST requests containing data and parameters

  • XSS: There may be XSS vectors

  • SQLi: Often linked to XML

g) Update e-mail

  • CSRF: Analyze cookies for CSRF protections

h) Submit feedback

  • OS Command Injection: Commonly found in the email parameter

i) View details function, or other visible templates

  • SSTI: Use DOM Invader to identify potential vectors

j) API calls, JavaScript files pointing to APIs, POST with JSONs

  • IDOR: Modifying the returned data

  • API vulnerabilities

  • GraphQL vulnerabilities: Learn to work with GraphQL using Burp Suite to ease the analysis

k) Live chat

  • XSS: Injecting JavaScript code, manipulating the handshake

  • CSRF

2. Missing functionalities?

  • Cookies, JWT, serialized objects

  • Cache response headers and poisoning

  • SSRF: Using Referer or other headers (e.g., X-Forwarded-Host)

  • Tracking cookie, blind SQLi

  • HTTP request smuggling: Use the HTTP Request Smuggler extension — a must-have

  • DOM-based, reflected input: Use DOM Invader with Burp Browser

  • Access Control headers: Check CORS

  • CSRF: In various forms

PreviousBurp dynamic header in IntruderNextPayloads

Last updated 5 months ago