Hacktricks-skills web-vulnerability-methodology

Comprehensive web vulnerability assessment methodology and checklist. Use this skill whenever the user mentions web pentesting, vulnerability assessment, security testing, bug bounty hunting, web application security, OWASP testing, or any security audit of web applications. This skill provides a systematic approach to finding vulnerabilities across all attack vectors including proxies, user input, authentication, file handling, APIs, frameworks, and more. Make sure to use this skill for any web security testing task, even if the user doesn't explicitly mention 'pentesting' or 'vulnerability assessment'.

Install

Source: clone the upstream repo
git clone https://github.com/abelrguezr/hacktricks-skills
Manifest: skills/pentesting-web/web-vulnerabilities-methodology/SKILL.MD

Source content

Web Vulnerability Assessment Methodology

A systematic checklist for comprehensive web application security testing. Use this as your guide when conducting security assessments.

Quick Start Workflow

  1. Reconnaissance: Map the application, identify technologies, enumerate endpoints
  2. Proxy Analysis: Check for intermediary proxy vulnerabilities
  3. Input Testing: Test all user-controllable inputs
  4. Authentication/Authorization: Test login, 2FA, session management
  5. File Operations: Test upload/download functionality
  6. API Testing: Test all API endpoints
  7. Framework-Specific: Check for framework-specific vulnerabilities

1. Proxy & Middleware Vulnerabilities

Modern web applications sit behind proxies, caches and WAFs, and the way these intermediaries parse and forward requests can itself be exploited. Test the following whenever you identify intermediary infrastructure:

Core Proxy Attacks

  • Hop-by-hop headers: Check for header manipulation vulnerabilities
  • Cache Poisoning/Deception: Test cache behavior with different inputs
  • HTTP Request/Response Smuggling: Test for desync attacks between proxies
  • H2C Smuggling: Test HTTP/2 cleartext smuggling
  • Server Side Inclusion (SSI/ESI): Test for template injection via edge servers
  • Cloudflare bypass: Attempt to bypass WAF protections
  • XSLT Injection: Test for stylesheet injection
  • WAF bypass: Test for filter evasion techniques

2. User Input Vectors

Reflected Input Testing

When user data appears in responses, test for:

  • XSS: Cross-site scripting (stored, reflected, DOM-based)
  • Command Injection: OS command execution
  • SSRF: Server-side request forgery
  • SSTI: Server-side template injection
  • Path Traversal: File system access (../ sequences)
  • Open Redirect: URL manipulation attacks
  • CRLF Injection: HTTP header injection
  • Prototype Pollution: JavaScript object manipulation
  • XSSI: Cross-site script inclusion
  • Client-Side Template Injection: Template engine exploitation
  • Dangling Markup: HTML/scriptless injection
  • Reverse Tab Nabbing: Window manipulation attacks

Search Functionality

Test search features for:

  • SQL Injection: Database manipulation
  • NoSQL Injection: Document database attacks
  • LDAP Injection: Directory service attacks
  • XPath Injection: XML query manipulation
  • ReDoS: Regular expression denial of service
  • ORM Injection: Object-relational mapping attacks
  • RSQL Injection: REST query parameter attacks

Forms & WebSockets

Test form submissions and WebSocket connections for:

  • CSRF: Cross-site request forgery
  • CSWSH: Cross-site WebSocket hijacking
  • PostMessage: Cross-origin messaging vulnerabilities
  • Phone Number Injection: SMS/voice injection attacks

HTTP Headers

Check for header-related vulnerabilities:

  • Clickjacking: UI redressing attacks
  • CSP Bypass: Content Security Policy evasion
  • CORS Misconfiguration: Cross-origin resource sharing issues
  • Cookie Manipulation: Session hijacking
  • Iframe Traps: Click isolation attacks

3. Authentication & Authorization

Bypass Techniques

Test authentication mechanisms for:

  • 2FA/OTP Bypass: Multi-factor authentication evasion
  • Login Bypass: Authentication circumvention
  • Password Reset Bypass: Account recovery manipulation
  • Account Takeover: Credential compromise
  • Race Conditions: Timing-based attacks
  • Rate Limit Bypass: Request throttling evasion
  • Captcha Bypass: Automated challenge completion
  • Payment Bypass: Transaction manipulation
  • Registration Vulnerabilities: Account creation abuse

Authorization Issues

  • IDOR: Insecure direct object references
  • Mass Assignment: Property injection attacks
  • Parameter Pollution: Query parameter manipulation
  • Unicode Normalization: Character encoding attacks

4. Data Format Vulnerabilities

Structured Data

Test for format-specific attacks:

  • Deserialization: Object deserialization attacks
  • JWT Vulnerabilities: Token manipulation and forgery
  • XXE: XML external entity injection
  • JSON/XML/YAML Hacking: Data format attacks
  • GraphQL Attacks: API query manipulation
  • gRPC-Web: Protocol-specific vulnerabilities
  • SOAP/JAX-WS: Web service attacks

File Operations

Test file handling for:

  • File Upload: Malicious file execution
  • Formula Injection: Spreadsheet formula attacks (CSV, DOC, LaTeX)
  • PDF Injection: Document manipulation
  • Server-Side XSS: Dynamic content injection in generated files

5. Identity & Integration

External Identity

  • OAuth to Account Takeover: Authorization flow attacks
  • SAML Attacks: Security assertion manipulation

Third-Party Integrations

  • Domain/Subdomain Takeover: DNS hijacking
  • Storage Buckets: Cloud storage misconfiguration (S3, Firebase)
  • Artifactory: Package registry attacks
  • Code Review Tools: CI/CD pipeline attacks
  • ImageMagick Security: Image processing vulnerabilities

6. Infrastructure & Frameworks

Web Servers

  • Apache: Server-specific vulnerabilities
  • Nginx: Reverse proxy attacks
  • IIS: Windows server attacks
  • Tomcat: Java application server attacks
  • Spring Actuators: Management endpoint exposure
  • WebDAV: File protocol attacks (PUT method)
  • WSGI: Python deployment attacks
  • Werkzeug: Debug endpoint exposure
  • Special HTTP Headers: Header-based attacks

Application Frameworks

  • Django: Python framework attacks
  • Flask: Micro-framework vulnerabilities
  • Node.js/Express: JavaScript runtime attacks
  • Angular: Frontend framework attacks
  • Vue/Nuxt: Modern frontend attacks
  • Next.js: React framework attacks
  • Laravel: PHP framework attacks
  • Symfony: PHP framework attacks

CMS & Platforms

  • WordPress: Plugin/theme vulnerabilities
  • Joomla: CMS-specific attacks
  • Drupal: Enterprise CMS attacks
  • Moodle: LMS vulnerabilities
  • PrestaShop: E-commerce attacks
  • Jira: Project management attacks
  • Grafana: Monitoring dashboard attacks
  • Rocket.Chat: Communication platform attacks
  • Zabbix: Monitoring system attacks
  • SharePoint: Enterprise collaboration attacks
  • Sitecore: CMS platform attacks

7. Supply Chain & Modern Vectors

Build Pipeline Attacks

  • Dependency Confusion: Package registry poisoning
  • Timing Attacks: Side-channel information leakage
  • UUID Insecurities: Predictable identifier attacks

Emerging Technologies

  • dApps: Decentralized application attacks
  • Browser Extensions: Add-on vulnerabilities
  • Web Fuzzing: Automated vulnerability discovery with wfuzz

Testing Workflow

Phase 1: Reconnaissance

  1. Map all endpoints and parameters
  2. Identify technologies (Wappalyzer, manual inspection)
  3. Document authentication flows
  4. Enumerate subdomains and related assets

Phase 2: Systematic Testing

  1. Work through each category in this checklist
  2. Test all user-controllable inputs
  3. Check for reflected, stored, and processed data
  4. Test authentication and authorization boundaries

Phase 3: Documentation

  1. Record all vulnerabilities with evidence
  2. Include reproduction steps
  3. Note affected endpoints and parameters
  4. Assess severity and impact

Phase 4: Prioritization

  1. Rank by severity (CVSS scoring)
  2. Consider exploitability
  3. Evaluate business impact
  4. Identify chainable vulnerabilities

Key Principles

  • Think like an attacker: Consider all possible attack vectors, not just the obvious ones
  • Test edge cases: Boundary conditions often reveal vulnerabilities
  • Chain vulnerabilities: Combine multiple issues for greater impact
  • Stay updated: New vulnerabilities emerge regularly; check CVE databases
  • Document everything: Clear documentation aids remediation and future testing
  • Respect scope: Only test authorized targets
  • Be thorough: Hidden endpoints and parameters often contain the most critical bugs

When to Use This Skill

Use this methodology when:

  • Conducting a web application security assessment
  • Performing bug bounty hunting
  • Reviewing code for security issues
  • Designing secure applications
  • Creating security test plans
  • Training security teams
  • Auditing third-party applications
  • Preparing for penetration testing engagements

References

  • OWASP Testing Guide
  • OWASP Top 10
  • PortSwigger Web Security Academy
  • HackTricks Web Pentesting
  • NIST Security Guidelines