Web exploitation guide

Public exploits

We can use these resources: - searchsploit - ExploitDB. - Rapid7.com. - Vulnerability Lab. - metasploit: check verification scripts to test the existence of a vulnerability.

OWASP	Attack	Tools	Payloads
WSTG-INPV-12	Command injection attack		https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/CRLF%20Injection.
	CRLF attack - Carriage Return and LineFeed attack		https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/CRLF%20Injection.
WSTG-SESS-05	CSRF attack - Cross Site Request Forgery attack	BurpSuite, CSRFTester	PayloadsAllTheThings: https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/CSRF%20Injection. OWASP: https://cheatsheetseries.owasp.org/cheatsheets/XSS_Filter_Evasion_Cheat_Sheet.html Portswigger: https://portswigger.net/web-security/cross-site-scripting/cheat-sheet Unleashing an Ultimate XSS Polyglot: https://github.com/0xsobky/HackVault/wiki/Unleashing-an-Ultimate-XSS-Polyglot
	Directory traversal attack
	LFI attack - Local File Inclusion attack
	Remote Code Execution
	RFD attack - Reflected File Download attack	Reflected File Download Checker - Burp Extension
	RFI attack - Remote File Inclusion attack
	Session Puzzling	XSS-Me
	SSRF attack - Server Side Request Forgery	Burp Collaborator, Burp Intruder, manually	Built-in lists in Burp
WSTG-INPV-05	SQL injection	Cheat sheet for manual attack, sqlmap	Payloads from my dictionary repo
	XFS attack - Cross-frame Scripting attack
WSTG-INPV-01 WSTG-INPV-02 WSTG-CLNT-01	XSS attack - Cross-Site Scripting attack	beef, XSSer, Easy-XSS, Manual testing, XSSMe tool on github	https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XSS%20Injection https://github.com/payloadbox/xss-payload-list https://gist.github.com/michenriksen/d729cd67736d750b3551876bbedbe626

Last update: 2024-09-16
Created: December 26, 2023 19:00:18