cyber-security-resources/web_application_testing

Web Application Testing References

Vulnerable Servers

There are a series of vulnerable web applications that you can use to practice your skills in a safe environment. You can get more information about them in the vulnerable_servers directory in this repository.

A Few Popular Tools

The following are a few popular tools that you learned in the video courses part of these series:

• Burp Suite
• OWASP Zed Attack Proxy (ZAP)
• sqlmap
• httrack
• skipfish
• nikto
• ffuf

Article: A Quick Guide to Using ffuf with Burp Suite

WebSploit

WebSploit is a virtual machine (VM) created by Omar Santos for different Cybersecurity Ethical Hacking (Web Penetration Testing) training sessions delivered at DEFCON, Live Training in Safari, video on demand LiveLessons, and others.

The purpose of this VM is to have a lightweight (single VM) with a few web application penetration testing tools, as well as vulnerable applications.

How to Integrate OWASP ZAP with Jenkins

You can integrate ZAP with Jenkins and even automatically create Jira issues based on your findings. You can download the ZAP plug in here.

This video provides an overview of how to integrate

Kubernetes Security

• Kubernetes Pentest Methodology (part 1) by CyberArk
• Kubernetes Pentest Methodology (part 2) by CyberArk
• Kubernetes Pentest Methodology (part 2) by CyberArk
• Securing Kubernetes Clusters by Eliminating Risky Permissions
• Kubernetes Network Policies Recipes
• Kubiscan
• Kube-hunter
• Kubernetes Goat

Docker Security

• OWASP Docker security resources
• Docker Bench for Security
• Dockerscan
• Docker Security Playground

Javascript Tools

• Retire.js

Popular Commercial Tools

• Qualys Web Scanning
• IBM Security AppScan

XSS - Cross-Site Scripting

• Cross-Site Scripting – Application Security – Google - Introduction to XSS by Google.
• H5SC - HTML5 Security Cheatsheet - Collection of HTML5 related XSS attack vectors by @cure53.
• XSS.png - XSS mind map by @jackmasa.
• EXCESS-XSS Guide - Comprehensive tutorial on cross-site scripting by @JakobKallin and Irene Lobo Valbuena.

CSV Injection

• CSV Injection -> Meterpreter on Pornhub - Written by Andy.
• The Absurdly Underestimated Dangers of CSV Injection - Written by George Mauer.

SQL Injection

• SQL Injection Cheat Sheet - Written by @netsparker.
• SQL Injection Wiki - Written by NETSPI.
• SQL Injection Pocket Reference - Written by @LightOS.

Command Injection

• Potential command injection in resolv.rb - Written by @drigg3r.

ORM Injection

• HQL for pentesters - Written by @h3xstream.
• HQL : Hyperinsane Query Language (or how to access the whole SQL API within a HQL injection ?) - Written by @_m0bius.
• ORM2Pwn: Exploiting injections in Hibernate ORM - Written by Mikhail Egorov.
• ORM Injection - Written by Simone Onofri.

FTP Injection

• Advisory: Java/Python FTP Injections Allow for Firewall Bypass - Written by Timothy Morgan.
• SMTP over XXE − how to send emails using Java's XML parser - Written by Alexander Klink.

XXE - XML eXternal Entity

• XXE - Written by @phonexicum.

CSRF - Cross-Site Request Forgery

• Wiping Out CSRF - Written by @jrozner.

SSRF - Server-Side Request Forgery

• SSRF bible. Cheatsheet - Written by @Wallarm.

Rails

• Rails Security - First part - Written by @qazbnm456.

AngularJS

• XSS without HTML: Client-Side Template Injection with AngularJS - Written by Gareth Heyes.
• DOM based Angular sandbox escapes - Written by @garethheyes

SSL/TLS

• SSL & TLS Penetration Testing - Written by APTIVE.

Webmail

NFS

• NFS | PENETRATION TESTING ACADEMY - Written by PENETRATION ACADEMY.

Fingerprint

Sub Domain Enumeration

• A penetration tester’s guide to sub-domain enumeration - Written by Bharath.
• The Art of Subdomain Enumeration - Written by Patrik Hudak.

Crypto

• Applied Crypto Hardening - Written by The bettercrypto.org Team.

Web Shell

• Hunting for Web Shells - Written by Jacob Baines.
• Hacking with JSP Shells - Written by @_nullbind.

OSINT

• Hacking Cryptocurrency Miners with OSINT Techniques - Written by @s3yfullah.
• OSINT x UCCU Workshop on Open Source Intelligence - Written by Philippe Lin.
• 102 Deep Dive in the Dark Web OSINT Style Kirby Plessas - Presented by @kirbstr.

Evasions

CSP

• CSP: bypassing form-action with reflected XSS - Written by Detectify Labs.
• TWITTER XSS + CSP BYPASS - Written by Paulos Yibelo.

WAF

• Web Application Firewall (WAF) Evasion Techniques - Written by @secjuice.
• Web Application Firewall (WAF) Evasion Techniques #2 - Written by @secjuice.
• Airbnb – When Bypassing JSON Encoding, XSS Filter, WAF, CSP, and Auditor turns into Eight Vulnerabilities - Written by @Brett Buerhaus.
• How to bypass libinjection in many WAF/NGWAF - Written by @d0znpp.

JSMVC

• JavaScript MVC and Templating Frameworks - Written by Mario Heiderich.

Authentication

• Trend Micro Threat Discovery Appliance - Session Generation Authentication Bypass (CVE-2016-8584) - Written by @malerisch and @steventseeley.
• Yahoo Bug Bounty: Chaining 3 Minor Issues To Takeover Flickr Accounts - Written by Mishre.

Tricks

CSRF

• Neat tricks to bypass CSRF-protection - Written by Twosecurity.
• Exploiting CSRF on JSON endpoints with Flash and redirects - Written by @riyazwalikar.
• Stealing CSRF tokens with CSS injection (without iFrames) - Written by @dxa4481.

Remote Code Execution

• Exploiting Node.js deserialization bug for Remote Code Execution - Written by OpSecX.
• DRUPAL 7.X SERVICES MODULE UNSERIALIZE() TO RCE - Written by Ambionics Security.
• How we exploited a remote code execution vulnerability in math.js - Written by @capacitorset.
• GitHub Enterprise Remote Code Execution - Written by @iblue.
• How I Chained 4 vulnerabilities on GitHub Enterprise, From SSRF Execution Chain to RCE! - Written by Orange.
• How i Hacked into a PayPal's Server - Unrestricted File Upload to Remote Code Execution - Written by Vikas Anil Sharma.

XSS

• Query parameter reordering causes redirect page to render unsafe URL - Written by kenziy.
• ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes, and everything else - Written by Mario Heiderich.
• How I found a $5,000 Google Maps XSS (by fiddling with Protobuf) - Written by @marin_m.
• DON'T TRUST THE DOM: BYPASSING XSS MITIGATIONS VIA SCRIPT GADGETS - Written by Sebastian Lekies, Krzysztof Kotowicz, and Eduardo Vela.
• Uber XSS via Cookie - Written by zhchbin.
• DOM XSS – auth.uber.com - Written by StamOne_.
• Stored XSS on Facebook - Written by Enguerran Gillier.

SQL Injection

• MySQL Error Based SQL Injection Using EXP - Written by @osandamalith.
• SQL injection in an UPDATE query - a bug bounty story! - Written by Zombiehelp54.
• GitHub Enterprise SQL Injection - Written by Orange.

NoSQL Injection

• GraphQL NoSQL Injection Through JSON Types - Written by @east5th.

FTP Injection

• XML Out-Of-Band Data Retrieval - Written by @a66at and Alexey Osipov.
• XXE OOB exploitation at Java 1.7+ - Written by Ivan Novikov.

XXE

• Evil XML with two encodings - Written by Arseniy Sharoglazov.

SSRF

• PHP SSRF Techniques - Written by @themiddleblue.
• SSRF in https://imgur.com/vidgif/url - Written by aesteral.
• A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages! - Written by Orange.
• SSRF Tips - Written by xl7dev.

Header Injection

• Java/Python FTP Injections Allow for Firewall Bypass - Written by Timothy Morgan.

URL

• Some Problems Of URLs - Written by Chris Palmer.
• Phishing with Unicode Domains - Written by Xudong Zheng.
• Unicode Domains are bad and you should feel bad for supporting them - Written by VRGSEC.
• [dev.twitter.com] XSS - Written by Sergey Bobrov.

AMAZING RESOURCES ABOUT WEB TECHNOLOGIES, FRAMEWORKS, PLATFORMS (hundreds of resources)

Platforms

• Node.js - JavaScript runtime built on Chrome's V8 JavaScript engine.
• Frontend Development
• iOS - Mobile operating system for Apple phones and tablets.
• Android
• IoT & Hybrid Apps
• Electron - Cross-platform native desktop apps using JavaScript/HTML/CSS.
• Cordova - JavaScript API for hybrid apps.
• React Native
• Xamarin - Mobile app development IDE, testing, and distribution.
• Linux
  • Containers
• macOS
  • Command-Line
  • Screensavers
• watchOS - Operating system for the Apple Watch.
• JVM
• Salesforce
• Amazon Web Services
• Windows
• IPFS - P2P hypermedia protocol.
• Fuse - Mobile development tools.
• Heroku - Cloud platform as a service.
• Raspberry Pi - Credit card-sized computer aimed at teaching kids programming, but capable of a lot more.
• Qt - Cross-platform GUI app framework.
• WebExtensions - Cross-browser extension system.
• RubyMotion - Write cross-platform native apps for iOS, Android, macOS, tvOS, and watchOS in Ruby.
• Smart TV - Create apps for different TV platforms.
• GNOME - Simple and distraction-free desktop environment for Linux.

Programming Languages

• JavaScript
  • Promises
  • Standard Style - Style guide and linter.
  • Must Watch Talks
  • Tips
  • Network Layer
  • Micro npm Packages
  • Mad Science npm Packages - Impossible sounding projects that exist.
  • Maintenance Modules - For npm packages.
  • npm - Package manager.
  • AVA - Test runner.
  • ESLint - Linter.
  • Functional Programming
  • Observables
  • npm scripts - Task runner.
• Swift
  • Education
  • Playgrounds
• Python
  • Asyncio - Asynchronous I/O in Python 3.
  • Scientific Audio - Scientific research in audio/music.
• Rust
• Haskell
• PureScript
• Go
• Scala
• Ruby
  • Events
• Clojure
• ClojureScript
• Elixir
• Elm
• Erlang
• Julia
• Lua
• C
• C/C++
• R
• D
• Common Lisp
• Perl
• Groovy
• Dart
• Java
  • RxJava
• Kotlin
• OCaml
• ColdFusion
• .NET
  • Core
• PHP
  • Composer - Package manager.
• Delphi
• Assembler
• AutoHotkey
• AutoIt
• Crystal
• Frege - Haskell for the JVM.
• CMake - Build, test, and package software.
• ActionScript 3 - Object-oriented language targeting Adobe AIR.
• Eta - Functional programming language for the JVM.
• Idris - General purpose pure functional programming language with dependent types influenced by Haskell and ML.

Front-End Development

• ES6 Tools
• Web Performance Optimization
• Web Tools
• CSS
  • Critical-Path Tools
  • Scalability
  • Must-Watch Talks
  • Protips
• React - App framework.
  • Relay - Framework for building data-driven React apps.
• Web Components
• Polymer - JavaScript library to develop Web Components.
• Angular - App framework.
• Backbone - App framework.
• HTML5 - Markup language used for websites & web apps.
• SVG - XML-based vector image format.
• Canvas
• KnockoutJS
• Dojo Toolkit
• Inspiration
• Ember - App framework.
• Android UI
• iOS UI
• Meteor
• BEM
• Flexbox
• Web Typography
• Web Accessibility
• Material Design
• D3 - Library for producing dynamic, interactive data visualizations.
• Emails
• jQuery - Easy to use JavaScript library for DOM manipulation.
  • Tips
• Web Audio
• Offline-First
• Static Website Services
• A-Frame VR - Virtual reality for web browsers.
• Cycle.js - Functional and reactive JavaScript framework.
• Text Editing
• Motion UI Design
• Vue.js - App framework.
• Marionette.js - App framework.
• Aurelia - App framework.
• Charting
• Ionic Framework 2
• Chrome DevTools
• PostCSS - CSS tool.
• Draft.js - Rich text editor framework for React.
• Service Workers
• Progressive Web Apps
• choo - App framework.
• Redux - State container for JavaScript apps.
• webpack - Module bundler.
• Browserify - Module bundler.
• Sass - CSS preprocessor.
• Ant Design - Enterprise-class UI design language.
• Less - CSS preprocessor.
• WebGL - JavaScript API for rendering 3D graphics.
• Preact - App framework.
• Progressive Enhancement
• Next.js - Framework for server-rendered React apps.
• Hyperapp - Tiny JavaScript library for building web apps.

Back-End Development

• Django
• Flask
• Docker
• Vagrant
• Pyramid
• Play1 Framework
• CakePHP - PHP framework.
• Symfony
  • Education
• Laravel - PHP framework.
  • Education
• Rails - Web app framework for Ruby.
  • Gems - Packages.
• Phalcon
• Useful .htaccess Snippets
• nginx - Web server.
• Dropwizard
• Kubernetes
• Lumen
• Serverless Framework
• Apache Wicket - Java web app framework.
• Vert.x - Toolkit for building reactive apps on the JVM.
• Terraform - Tool for building, changing, and versioning infrastructure.

Databases

• Database
• MySQL
• SQLAlchemy
• InfluxDB
• Neo4j
• MongoDB - NoSQL database.
• RethinkDB
• TinkerPop - Graph computing framework.
• PostgreSQL - Object-relational database.
• CouchDB - Document-oriented NoSQL database.
• HBase - Distributed, scalable, big data store.

Content Management Systems

• Umbraco
• Refinery CMS - Ruby on Rails CMS.
• Wagtail - Django CMS focused on flexibility and user experience.
• Textpattern - Lightweight PHP-based CMS.
• Drupal - Extensible PHP-based CMS.
• Craft CMS - Content-first CMS.