Web PenTest Techniques Guide
Test Upload of Malicious Files
- Identify the file upload functionality.
- Review the project documentation to identify what file types are considered acceptable, and what types would be considered dangerous or malicious.
- Determine how the uploaded files are processed.
- Obtain or create a set of malicious files for testing.
- Try to upload the malicious files to the application and determine whether they are accepted and processed.

Bypasses
- Bypass Payment Process
- Captcha Bypass
- Login Bypass
- Race Condition
- Rate Limit Bypass
- Reset Forgotten Password Bypass
- Registration Vulnerabilities
- 2FA/OTP Bypass

Testing for XPath Injection
- Identify XPath injection points.

Default pages with interesting info
- /[Link]
- /[Link]
- /[Link]
- /[Link]
- /.well-known/
- Check also the comments in the main and secondary pages.

Domains
- Enumerate all possible domains (previous and current).
- Test for Subdomain Takeover.
- Identify forgotten or misconfigured domains.
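The upload checklist above says to determine how uploaded files are processed and to try a set of malicious files. The script below is an added example (not part of Joas's mind map) that builds that test set from one benign name and shows, for each file, which server-side checks it would pass: an extension-only check versus a handler that also compares the declared Content-Type, the magic bytes and the presence of a server-script marker. The accepted types, the MIME table and the sample files are constructed for this example; the payloads are inert.

```python
"""Triage of crafted upload test cases: which server-side checks does each file defeat?"""

ALLOWED = {"jpg", "png", "gif"}          # types the target claims to accept (assumed for this example)
DANGEROUS = {"php", "phtml", "php5", "phar", "jsp", "asp", "aspx", "cgi", "sh", "htaccess"}
MIME_TO_EXT = {"image/jpeg": "jpg", "image/png": "png", "image/gif": "gif"}
# Standard file signatures for the accepted image types
MAGIC = {b"\xff\xd8\xff": "jpg", b"\x89PNG\r\n\x1a\n": "png", b"GIF87a": "gif", b"GIF89a": "gif"}


def sniff(data):
    """Type implied by the first bytes of the file, or None if unrecognised."""
    for signature, kind in MAGIC.items():
        if data.startswith(signature):
            return kind
    return None


def extensions(filename):
    """Every dotted suffix, lower-cased; 'jpeg' is folded to 'jpg'."""
    suffixes = filename.lower().split(".")[1:]
    return ["jpg" if s == "jpeg" else s for s in suffixes]


def triage(filename, content_type, data):
    """Evaluate one upload against the checks a robust handler performs.

    An extension-only handler looks at ``ext_allowed`` alone, which is exactly
    the check that double extensions, null bytes and polyglots are built to pass.
    """
    exts = extensions(filename)
    last = exts[-1] if exts else ""
    checks = {
        "ext_allowed": last in ALLOWED,
        "no_dangerous_inner_ext": not any(e in DANGEROUS for e in exts[:-1]),
        "no_null_byte": "\x00" not in filename,
        "mime_matches_ext": MIME_TO_EXT.get(content_type) == last,
        "magic_matches_ext": sniff(data) == last,
        "no_server_script_marker": b"<?php" not in data and b"<%" not in data,
    }
    checks["robust_verdict"] = "accept" if all(checks.values()) else "reject"
    checks["extension_only_verdict"] = "accept" if checks["ext_allowed"] else "reject"
    return checks


# Constructed test set: one benign image and four classic bypass attempts (inert payloads).
TEST_FILES = [
    ("photo.jpg", "image/jpeg", b"\xff\xd8\xff\xe0" + b"\x00" * 16),
    ("shell.php.jpg", "image/jpeg", b"<?php echo 1; ?>"),        # double extension
    ("shell.php\x00.jpg", "image/jpeg", b"<?php echo 1; ?>"),    # null byte in the name
    ("avatar.gif", "image/gif", b"GIF89a<?php echo 1; ?>"),      # GIF/PHP polyglot
    ("shell.phtml", "image/jpeg", b"<?php echo 1; ?>"),          # alternate PHP extension
]


def run_all(test_files=TEST_FILES):
    return {name: triage(name, ctype, data) for name, ctype, data in test_files}


if __name__ == "__main__":
    for name, result in run_all().items():
        print(f"{name!r:24} ext-only={result['extension_only_verdict']:7} robust={result['robust_verdict']}")
```

Each row of the output tells you which variant to keep in the test set: a file that an extension-only handler accepts but the robust handler rejects (the double extension, the null byte and the polyglot) is the one that distinguishes a weak upload filter from a sound one.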
Testing for IMAP/SMTP Injection
- Identify IMAP/SMTP injection points.
- Understand the data flow and deployment structure of the system.
- Assess the injection impacts.

Recon checks
- Check Response HTTP/HTTPS
- PortScanner Identification

Test Business Logic Data Validation
- Identify data injection points.
- Validate that all checks are occurring on the back end and can't be bypassed.
- Attempt to break the format of the expected data and analyze how the application is handling it.

Proxies
- Abusing hop-by-hop headers
- Cache Poisoning/Cache Deception
- HTTP Request Smuggling
- H2C Smuggling
- Server Side Inclusion/Edge Side Inclusion
- Uncovering Cloudflare
- XSLT Server Side Injection

Testing for Code Injection
- Identify injection points where you can inject code into the application.
- Assess the injection severity.
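Two items in the checklist, Race Condition under Bypasses and "validate that all checks are occurring on the back end and can't be bypassed" under Business Logic Data Validation, meet in the same bug class: a check-then-act rule that holds for one request at a time but not for many at once. The script below is an added example (not from Joas's page) that models a single-use discount code, fires twenty concurrent redemptions at a vulnerable handler and at a fixed one, and counts how many are accepted. The CouponStore class and the 10 ms delay are constructed stand-ins for the application's database round-trip.

```python
"""Race-condition probe against a check-then-act business rule (a single-use discount code)."""
import threading
import time


class CouponStore:
    """In-memory stand-in for the application's coupon table (constructed for this example)."""

    def __init__(self, uses_left=1):
        self.uses_left = uses_left
        self.lock = threading.Lock()

    def redeem_vulnerable(self):
        """Check, then act: every request that reads uses_left > 0 before the first write wins."""
        if self.uses_left > 0:
            time.sleep(0.01)            # stands in for the DB round-trip between read and write
            self.uses_left -= 1
            return True
        return False

    def redeem_fixed(self):
        """Check and act in one critical section; a real app uses a transaction or an atomic update."""
        with self.lock:
            if self.uses_left > 0:
                time.sleep(0.01)
                self.uses_left -= 1
                return True
            return False


def fire_parallel(handler, n=20):
    """Release n requests at the same instant and return how many were accepted."""
    barrier = threading.Barrier(n)
    outcomes = []
    outcomes_lock = threading.Lock()

    def worker():
        barrier.wait()                  # all threads start the request together
        accepted = handler()
        with outcomes_lock:
            outcomes.append(accepted)

    threads = [threading.Thread(target=worker) for _ in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(outcomes)


def compare(n=20):
    """Redemptions accepted by the vulnerable and the fixed handler for one single-use code."""
    vulnerable = CouponStore(uses_left=1)
    fixed = CouponStore(uses_left=1)
    return {
        "vulnerable_accepted": fire_parallel(vulnerable.redeem_vulnerable, n),
        "vulnerable_uses_left": vulnerable.uses_left,
        "fixed_accepted": fire_parallel(fixed.redeem_fixed, n),
        "fixed_uses_left": fixed.uses_left,
    }


if __name__ == "__main__":
    print(compare())
```

Against a live target the same shape applies: send the requests from a thread pool or Burp's parallel sender so they arrive inside the window, then check the resulting state (order count, balance, coupon uses) rather than the individual HTTP responses, since every accepted request will look like a normal success.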
Reporting Tools
- template-generator
- bountyplz
- dradisframework
- Serpico

Testing for Command Injection
- Identify and assess the command injection points.

Testing Directory Traversal / File Include
- Identify injection points that pertain to path traversal.
- Assess bypassing techniques and identify the extent of path traversal.

Browser Extensions
- Postman Interceptor
- EditThisCookie
- d3coder
- Wappalyzer browser plugin

Other tips
- Scan for log4j using BBRF.
- Using Shodan with Jaeles.
- Using Burp (spidering the web) or manually navigating through the page: all resources loaded will be saved in the History.
- Search for files using assetfinder and ffuf.
- Check for invalid certificates.
- Search .json subdomain.

S3 Buckets
- Enumerating AWS User
- Get User Policies
- Get Snapshots
- [Link] pentesting/pentesting-web/buckets/aws-s3
Map Application Architecture
- Generate a map of the application at hand based on the research conducted.

Testing for Bypassing Authentication Schema
- Ensure that authentication is applied across all services that require it.

Forcing errors
- Access fake pages like /whatever_fake.php (.aspx, .html, etc.).
- Add "[]", "]]", and "[[" in cookie values and parameter values to create errors.
- Generate an error by giving input such as /~randomthing/%s at the end of the URL.
- Try different HTTP verbs like PATCH or DEBUG, or an invalid one like FAKE.

Testing GraphQL
- Assess that a secure and production-ready configuration is deployed.
- Validate all input fields against generic attacks.
- Ensure that proper access controls are applied.

Login Page Identified -> Testing for Default Credentials
- Enumerate the applications for default credentials and validate if they still exist.
- Review and assess new user accounts and whether they are created with any defaults or identifiable patterns.

Testing for Server-Side Request Forgery

Testing for Server-side Template Injection

Review the HSTS header and its validity.

Testing for Host Header Injection
- Assess if the Host header is being parsed dynamically in the application.
- Bypass security controls that rely on the header.

Review Webpage Content for Information Leakage
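"Review the HSTS header and its validity" is a one-line item, but the header has enough syntax rules to get wrong that a checker is worth having. The following is an added example (not from the original page) that parses a Strict-Transport-Security value the way RFC 6797 describes (case-insensitive directive names, optional quoting, duplicate directives invalidating the header) and reports the findings a tester records: missing header, max-age absent or too short, includeSubDomains missing, and preload declared without its prerequisites. The one-year threshold is the preload-list minimum; the sample responses are constructed.

```python
"""Review a Strict-Transport-Security header for validity and strength (RFC 6797 syntax)."""
import re

ONE_YEAR = 31536000   # the minimum max-age the browser preload list requires


def parse_hsts(value):
    """Split e.g. 'max-age=31536000; includeSubDomains; preload' into a lower-cased dict.

    Directive names are case-insensitive and values may be quoted. Returns None when
    the header is malformed (RFC 6797 tells user agents to ignore such a header).
    """
    directives = {}
    for raw in value.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        name, _, val = raw.partition("=")
        name = name.strip().lower()
        if not name or name in directives:      # empty or duplicated directive: invalid
            return None
        directives[name] = val.strip().strip('"')
    return directives


def review_hsts(value):
    """Findings for one header value (None = header absent). An empty list means the policy is sound."""
    if value is None:
        return ["HSTS header missing"]
    d = parse_hsts(value)
    if d is None:
        return ["malformed HSTS header (empty or duplicate directive); browsers ignore it"]
    if not re.fullmatch(r"\d+", d.get("max-age", "")):
        return ["max-age missing or not an integer; browsers ignore the header"]
    findings = []
    max_age = int(d["max-age"])
    if max_age == 0:
        findings.append("max-age=0 tells browsers to forget the policy instead of enforcing it")
    elif max_age < ONE_YEAR:
        findings.append(f"max-age={max_age} is below one year ({ONE_YEAR})")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains absent; subdomains can still be reached over plain HTTP")
    if "preload" in d and (max_age < ONE_YEAR or "includesubdomains" not in d):
        findings.append("preload present but preload-list prerequisites (one year, includeSubDomains) unmet")
    return findings


def review_response(headers):
    """headers: response headers as captured, names in any case."""
    lowered = {k.lower(): v for k, v in headers.items()}
    return review_hsts(lowered.get("strict-transport-security"))


# Constructed sample responses.
SAMPLES = {
    "good": {"Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload"},
    "short": {"strict-transport-security": 'MAX-AGE="300"'},
    "disabled": {"Strict-Transport-Security": "max-age=0"},
    "missing": {"Server": "nginx"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(name, review_response(hdrs) or ["ok"])
```

Check the header on the HTTPS response specifically: browsers ignore HSTS delivered over plain HTTP, so a header that is only present on the redirecting HTTP listener counts as missing.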
References
- [Link] web-security
- [Link] web/web-vulnerabilities-methodology
- [Link] pentesting-web
- [Link] KingOfBugBountyTips
- [Link] tricks

Testing for HTTP Incoming Requests
- Monitor all incoming and outgoing HTTP requests to the web server to inspect any suspicious requests.
- Monitor HTTP traffic without changes to the end user's browser proxy or client-side application.

Testing for HTTP Splitting/Smuggling
- Assess if the application is vulnerable to splitting, identifying what possible attacks are achievable.
- Assess if the chain of communication is vulnerable to smuggling, identifying what possible attacks are achievable.

Testing for Incubated Vulnerability
- Identify injections that are stored and require a recall step to the stored injection.
- Understand how a recall step could occur.
- Set listeners or activate the recall step if possible.

Tools (Amass to CF-check)
- Amass
- Anew
- Anti-burl
- Assetfinder
- Axiom
- Bhedak
- CF-check
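"Assess if the chain of communication is vulnerable to smuggling" (and HTTP Request Smuggling in the Proxies list above) comes down to one question: do the front end and the back end agree on where each request ends? The added example below (not from the original page) makes that concrete offline by framing one constructed byte stream twice, once as a front end that trusts Content-Length and ignores Transfer-Encoding, once as a back end that gives chunked encoding precedence, and comparing the request lines each side sees. The traffic, host name and parsers are constructed for the example.

```python
"""Model a CL.TE desync: the same bytes framed by a Content-Length-only front end and a chunked-aware back end."""


def read_chunked(data):
    """Consume a chunked body (no trailers). Returns (body, remaining) or (None, data) if incomplete."""
    body = b""
    while True:
        eol = data.find(b"\r\n")
        if eol == -1:
            return None, data
        size = int(data[:eol].split(b";")[0], 16)     # ignore chunk extensions
        data = data[eol + 2:]
        if size == 0:
            if not data.startswith(b"\r\n"):
                return None, data
            return body, data[2:]
        if len(data) < size + 2:
            return None, data
        body += data[:size]
        data = data[size + 2:]


def parse_one(buf, framing):
    """Parse one request from buf. framing='cl' trusts Content-Length and ignores
    Transfer-Encoding (the buggy front end); framing='te' gives chunked precedence (the back end)."""
    head_end = buf.find(b"\r\n\r\n")
    if head_end == -1:
        return None, buf
    head_lines = buf[:head_end].decode("latin-1").split("\r\n")
    request_line, headers = head_lines[0], {}
    for line in head_lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    rest = buf[head_end + 4:]
    if framing == "te" and "chunked" in headers.get("transfer-encoding", "").lower():
        body, rest = read_chunked(rest)
        if body is None:
            return None, buf
    elif "content-length" in headers:
        length = int(headers["content-length"])
        if len(rest) < length:
            return None, buf
        body, rest = rest[:length], rest[length:]
    else:
        body = b""
    return {"request_line": request_line, "headers": headers, "body": body}, rest


def split_stream(stream, framing):
    """All requests one party would carve out of a TCP stream."""
    requests, buf = [], stream
    while buf:
        request, buf = parse_one(buf, framing)
        if request is None:
            break                      # trailing partial request: that side waits for more bytes
        requests.append(request)
    return requests


# Constructed traffic: the attacker's request, immediately followed by another user's request
# on the same front-end/back-end connection. Content-Length 13 covers exactly b"0\r\n\r\nSMUGGLED".
ATTACKER = (b"POST / HTTP/1.1\r\nHost: target.example\r\n"
            b"Content-Length: 13\r\nTransfer-Encoding: chunked\r\n\r\n"
            b"0\r\n\r\nSMUGGLED")
VICTIM = b"GET /account HTTP/1.1\r\nHost: target.example\r\n\r\n"


def desync_report(stream=ATTACKER + VICTIM):
    """Request lines as seen by each side; they differ when the stream desyncs."""
    front = [r["request_line"] for r in split_stream(stream, "cl")]
    back = [r["request_line"] for r in split_stream(stream, "te")]
    return {"front_end": front, "back_end": back, "desync": front != back}


if __name__ == "__main__":
    print(desync_report())
```

The front end sees two well-formed requests; the back end treats the chunked body as empty and prepends the leftover "SMUGGLED" to the next user's request line. Against a real chain you cannot read the back end's view directly, so the equivalent test is the timing or differential probe: a request that only the back end leaves incomplete will hang or corrupt the following response.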
Testing for Format String Injection
- Assess whether injecting format string conversion specifiers into user-controlled fields causes undesired behaviour from the application.

Testing for SSI Injection
- Identify SSI injection points.
- Assess the severity of the injection.

Testing for XML Injection
- Identify XML injection points.
- Assess the types of exploits that can be attained and their severities.

Testing for LDAP Injection

Testing for SQL Injection
- Identify SQL injection points.
- Assess the severity of the injection and the level of access that can be achieved through it.

Testing for HTTP Parameter Pollution
- Identify the backend and the parsing method used.
- Assess injection points and try bypassing input filters using HPP.

Tools (Chaos to Html-tool)
- Chaos
- Cariddi
- Dalfox
- DNSgen
- Filter-resolved
- Findomain
- ffuf
- Gargs
- Gau
- Gf
- Github-Search
- Gospider
- Gowitness
- Hakrawler
- HakrevDNS
- Haktldextract
- Haklistgen
- Html-tool
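The two HPP steps, "identify the backend and the parsing method used" and "try bypassing input filters using HPP", are shown in the added example below (not from the original page). It encodes the widely documented behaviour of common stacks when a query parameter is repeated (first value, last value, all values joined by a comma, or a list), infers candidate stacks from what the application echoes back for ?p=first&p=second, and then shows why a filter that inspects each value on its own misses what a comma-concatenating back end will see. The behaviour table is summarised from the OWASP WSTG parameter-pollution table and framework documentation and is my own assumption; the split query is constructed and inert.

```python
"""HTTP Parameter Pollution: infer the back end's duplicate-parameter handling and show a filter bypass."""
import re
from urllib.parse import parse_qs

# How common stacks expose ?id=first&id=second. Summarised from the OWASP WSTG
# 'Testing for HTTP Parameter Pollution' table and framework documentation (author's assumption).
BEHAVIOUR = {
    "ASP.NET / IIS": "all_comma",                 # "first,second"
    "ASP / IIS": "all_comma",
    "PHP / Apache": "last",
    "Ruby on Rails": "last",
    "Python Django": "last",                      # QueryDict.get() returns the last value
    "IBM Lotus Domino": "last",
    "JSP, Servlet / Apache Tomcat": "first",
    "Perl CGI / Apache": "first",
    "Python Flask": "first",                      # request.args.get() returns the first value
    "Go net/http": "first",                       # url.Values.Get() returns the first value
    "Node.js Express": "all_list",                # ['first', 'second']
    "Python / Zope": "all_list",
}


def interpret(query, name, mode):
    """Value the application would see for `name` under a given parsing mode."""
    values = parse_qs(query, keep_blank_values=True).get(name)
    if not values:
        return None
    return {"first": values[0], "last": values[-1],
            "all_comma": ",".join(values), "all_list": values}[mode]


def fingerprint(observed, sent=("first", "second")):
    """Stacks consistent with what the app echoed for ?p=first&p=second."""
    modes = set()
    if observed == sent[0]:
        modes.add("first")
    if observed == sent[-1]:
        modes.add("last")
    if observed == ",".join(sent):
        modes.add("all_comma")
    if isinstance(observed, (list, tuple)) and list(observed) == list(sent):
        modes.add("all_list")
    return sorted(stack for stack, mode in BEHAVIOUR.items() if mode in modes)


# A filter that inspects each parameter value on its own, as a WAF or input validator often does.
SQLI_PATTERN = re.compile(r"union.*select", re.I)


def per_value_filter_blocks(query, pattern=SQLI_PATTERN):
    values = [v for vals in parse_qs(query).values() for v in vals]
    return any(pattern.search(v) for v in values)


def concatenating_backend_blocks(query, pattern=SQLI_PATTERN):
    """What the same filter would see if it looked at the value as a comma-concatenating back end does."""
    return any(pattern.search(",".join(vals)) for vals in parse_qs(query).values())


# Constructed split payload: each fragment is harmless alone; an all_comma back end joins them
# into 1'/*,*/UNION/*,*/SELECT 1-- where the commas fall inside SQL comments.
SPLIT_QUERY = "id=1'/*&id=*/UNION/*&id=*/SELECT 1--"

if __name__ == "__main__":
    print(fingerprint("first,second"), fingerprint("second"))
    print(per_value_filter_blocks(SPLIT_QUERY), concatenating_backend_blocks(SPLIT_QUERY))
```

Send the duplicate-parameter probe to a page that echoes the value (a search box or an error message), and treat the inferred stack as a hypothesis to confirm with other fingerprints; several stacks share the same parsing mode, so the table narrows rather than identifies.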
Web PenTest Resume by Joas

Tools (Httpx to TurboSearch)
- Httpx
- Jaeles
- Jsubfinder
- Kxss
- LinkFinder
- log4j-scan
- Metabigor
- MassDNS
- Nuclei
- Naabu
- Qsreplace
- Rush
- SecretFinder
- Shodan
- ShuffleDNS
- SQLMap
- Subfinder
- SubJS
- Unew
- WaybackURLs
- Wingman
- Notify
- Goop
- Tojson
- GetJS
- X8
- Unfurl
- XSStrike
- [Link]
- OSINT Framework
- Page-fetch
- Burp Suite
- OWASP ZAP
- Nikto
- Waybackurl
- Wfuzz
- SecLists
- TurboSearch

Testing for HTTP Verb Tampering
- Test HTTP method overriding techniques.
- Test XST vulnerabilities.
- Test for access control bypass.
- Enumerate supported HTTP methods.

Testing for Stored Cross Site Scripting
- Identify stored input that is reflected on the client side.
- Assess the input they accept and the encoding that gets applied on return (if any).

Testing for Reflected Cross Site Scripting
- Identify variables that are reflected in responses.
- Assess the input they accept and the encoding that gets applied on return (if any).

Testing for Privilege Escalation
- Identify injection points related to privilege manipulation.
- Fuzz or otherwise attempt to bypass security measures.

Review Webserver Metafiles for Information Leakage

Phpinfo
- Exact PHP version.
- Exact OS and its version.
- Details of the PHP configuration.
- Internal IP addresses.
- Server environment variables.
- Loaded PHP extensions and their configurations.

CVE Scans
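Both XSS items end with the same step: "assess the input they accept and the encoding that gets applied on return (if any)". The added example below (not from the original page) does that assessment for the reflected and the stored case alike: it injects a canary made of a unique tag followed by the characters that matter for XSS, finds every place the tag comes back in a response body, records how each special character was transformed there (raw, HTML entity, percent-encoded, JavaScript hex escape, backslash escape), and summarises what an injection in that context could achieve. The canary and the sample response with four reflection contexts are constructed.

```python
"""XSS reflection analysis: where does a canary come back, and how is each special character encoded?"""
import re
from urllib.parse import quote

CANARY = "zq9<\"'>&"          # unique tag to locate, followed by the characters that matter for XSS

# Encodings a server may apply to each special character.
ENTITY_FORMS = {
    "<": ["&lt;"], ">": ["&gt;"], "&": ["&amp;"],
    '"': ["&quot;", "&#34;", "&#x22;"], "'": ["&#x27;", "&#39;", "&apos;"],
}


def classify_chars(following, specials):
    """Walk the text after the tag and record how each special character came back."""
    verdict, idx = {}, 0
    for ch in specials:
        rest = following[idx:]
        entity = next((e for e in ENTITY_FORMS[ch] if rest.startswith(e)), None)
        js_hex = "\\x%02x" % ord(ch)
        if entity:                                 # entity before raw: '&amp;' also starts with '&'
            verdict[ch], idx = "html_entity", idx + len(entity)
        elif rest.startswith(ch):
            verdict[ch], idx = "raw", idx + 1
        elif rest.startswith(quote(ch, safe="")):
            verdict[ch], idx = "url_encoded", idx + 3
        elif rest.lower().startswith(js_hex):
            verdict[ch], idx = "js_hex_escaped", idx + 4
        elif rest.startswith("\\" + ch):
            verdict[ch], idx = "backslash_escaped", idx + 2
        else:
            verdict[ch] = "stripped_or_unknown"
            break                                  # cannot realign after an unknown transformation
    return verdict


def summarise(chars):
    """What the tester can do in this reflection."""
    if chars.get("<") == "raw" and chars.get(">") == "raw":
        return "tag_injection"
    if chars.get('"') == "raw" or chars.get("'") == "raw":
        return "quote_breakout"
    return "encoded"


def analyse(body, canary=CANARY):
    """Every reflection of the canary in a response body, with per-character encoding and a summary."""
    tag = re.match(r"[A-Za-z0-9]+", canary).group(0)
    specials = canary[len(tag):]
    results = []
    for m in re.finditer(re.escape(tag), body):
        chars = classify_chars(body[m.end():m.end() + 64], specials)
        results.append({"offset": m.start(), "chars": chars, "summary": summarise(chars)})
    return results


# Constructed response: the same canary reflected in four contexts with four different encodings.
SAMPLE_BODY = (
    '<title>Search: zq9&lt;&quot;&#x27;&gt;&amp;</title>'            # text node, entity-encoded
    '<input name="q" value="zq9<"\'>&">'                              # attribute, nothing encoded
    '<script>var q = "zq9\\x3c\\x22\\x27\\x3e\\x26";</script>'        # JS string, hex-escaped
    '<a href="/search?q=zq9%3C%22%27%3E%26">again</a>'               # URL, percent-encoded
)

if __name__ == "__main__":
    for r in analyse(SAMPLE_BODY):
        print(r["offset"], r["summary"], r["chars"])
```

For stored XSS, submit the canary once and run analyse over every page that might render it later (profile pages, admin views, exported reports), since each rendering path may encode differently; the summary of the weakest one is the finding.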
Content Discovery

File Backups

phpmyadmin Identified

Database Identified
- MySQL
- MSSQL
- Oracle

Misconfigurations in Server and Application
- JBoss
- ColdFusion
- Weblogic
- Tomcat
- Railo
- Axis2
- Glassfish

Parser Logics

Type of CMS
- Wordpress
- Drupal
- Joomla
- vbulletin
- Moodle

Reconnaissance and discovery checks
- CGI Server Scanner
- Asset Identification
- Data Input
- Data Input Parameters Testing
- Tomcat Admin Page
- Tomcat Discovery information
- Google Dorks
- Old Content
- Shodan
- Plugins and Libraries Vulnerable
- Whois
- Cloud Discovery
- Sensitive Hidden Parameters Discovery
- ASN Identification
- Server Vulnerabilities Identification
- Github Recon and Sensitive Information
- Search CORS
- CMS Scanners
- Verify SSL certificate
- Spoofcheck
- Forcing Errors
- Extract .js in Subdomains
- API Keys
- API Endpoints
- Extract Subdomains
- Web Spidering
- DNS zone transfer
- Server Version Identification
- Check URL
- Wayback Machine
- Check web directories
- Check .git
- Check .env

Links
- [Link] services-pentesting/pentesting-web
- [Link] hacking-database
- [Link]
Check if you have any WAF
- Imperva
- Cloudflare
- Sucuri
- FortiWeb
- AWS WAF
- Barracuda
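Most of the products in the WAF list above leave a passive marker in ordinary responses (a header or a cookie name), so a first pass needs no attack traffic at all. The added example below (not from the original page) checks a captured response's headers and Set-Cookie values against a small signature table. The table is my own summary of each vendor's publicly documented markers, limited to the ones I am confident about; AWS WAF is in the list but sets no vendor header on ordinary blocks in its default configuration (assumption), so it is not fingerprinted here. The sample responses and their header values are constructed.

```python
"""Passive WAF fingerprinting from a captured HTTP response's headers and cookies."""

# Vendor markers as publicly documented for each product (author's own table, kept to signals I am
# confident about). AWS WAF appears in the checklist but sets no vendor header on ordinary blocks in its
# default configuration (assumption), so it is not fingerprinted here.
SIGNATURES = {
    "Cloudflare": {"headers": {"cf-ray": None, "server": "cloudflare"},
                   "cookie_prefixes": ["__cf_bm", "cf_clearance"]},
    "Sucuri": {"headers": {"x-sucuri-id": None, "server": "sucuri"}, "cookie_prefixes": []},
    "Imperva (Incapsula)": {"headers": {"x-iinfo": None, "x-cdn": "incapsula"},
                            "cookie_prefixes": ["incap_ses_", "visid_incap_"]},
    "FortiWeb": {"headers": {}, "cookie_prefixes": ["FORTIWAFSID"]},
    "Barracuda": {"headers": {}, "cookie_prefixes": ["barra_counter_session"]},
}


def cookie_names(set_cookie_values):
    """Names from a list of Set-Cookie header values."""
    return [v.split("=", 1)[0].strip() for v in set_cookie_values if "=" in v]


def fingerprint(headers, set_cookies=()):
    """Return {vendor: [evidence, ...]} for every signature that matches.

    headers: response headers as captured, names in any case. A needle of None means the
    header's presence alone is evidence; otherwise its value must contain the needle.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    names = cookie_names(set_cookies)
    hits = {}
    for vendor, sig in SIGNATURES.items():
        evidence = []
        for header, needle in sig["headers"].items():
            value = lowered.get(header)
            if value is not None and (needle is None or needle in value.lower()):
                evidence.append(f"header {header}: {value}")
        for prefix in sig["cookie_prefixes"]:
            evidence += [f"cookie {n}" for n in names if n.startswith(prefix)]
        if evidence:
            hits[vendor] = evidence
    return hits


# Constructed sample responses (header and cookie values are made up).
SAMPLES = {
    "behind_cloudflare": ({"Server": "cloudflare", "CF-RAY": "0000000000000000-FRA", "Content-Type": "text/html"},
                          ["__cf_bm=abc; Path=/; HttpOnly"]),
    "behind_incapsula": ({"X-Iinfo": "0-0-0 NNNN", "X-CDN": "Incapsula"},
                         ["visid_incap_1=abc; Path=/", "incap_ses_1_1=def; Path=/"]),
    "behind_fortiweb": ({"Server": "Apache"}, ["FORTIWAFSID=xyz; Path=/"]),
    "plain_nginx": ({"Server": "nginx/1.24.0"}, []),
}


def run_all(samples=SAMPLES):
    return {name: fingerprint(hdrs, cookies) for name, (hdrs, cookies) in samples.items()}


if __name__ == "__main__":
    for name, hits in run_all().items():
        print(name, hits or "no WAF markers seen")
```

An empty result is not proof of no WAF: products can be configured to strip their markers, and a CDN in front of the origin may hide another filter behind it, so follow a negative passive result with an active probe (a harmless request that matches a common rule, compared against a clean baseline).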