When exploiting web application vulnerabilities:

  • Perform reconnaissance on the underlying web technologies used by the app.
  • Manipulate data stored in cookies that a user shouldn't be able to modify, such as data associated with database objects.
  • Use ../ to traverse the server's directory.
  • Percent-encode (URL-encode) the traversal sequence as %2E%2E%2F to bypass rudimentary filters that only match the literal ../ string.
  • Double encode the % symbol as %25 (so ../ becomes %252E%252E%252F) to bypass filters that decode the input only once.
  • Use the poison null byte (%00) to get around file extension restrictions in directory traversal.
  • Use online and offline password cracking tools on a web app where applicable.
  • Steal a user's session cookie and use it from your own machine to hijack the session.
  • Send duplicate instances of a parameter in a request to bypass poorly configured authorization mechanisms.
  • Leverage insecure direct object references to change the value of a parameter to something malicious.
  • Append a semicolon to input that the app passes into a system call so that the command following it is executed by the Linux shell.
  • Use a single apostrophe in an input form to test for SQL errors.
  • Use a statement like OR 1=1 in an SQL injection to retrieve all available values.
  • Use the SQL comment characters (--) to have the app ignore a portion of the query.
  • Combine tables with UNION SELECT to dump data from a table not otherwise accessible.
  • Ensure both queries in a UNION SELECT include the same number of columns.
  • Inject forms with HTML code that includes malicious elements, like a link to a malicious site.
  • Test for input fields' susceptibility to XSS attacks through JavaScript.
  • Use social engineering tactics to initiate a reflected XSS against a victim.
  • Craft HTTP requests that write malicious JavaScript into the server's database tables so it is stored and later served to other users (stored XSS).
  • Leverage the trust established between client and server to execute a CSRF attack.
  • Hide web elements in an invisible iframe layered over some other visible element, like a button, so users click them without realizing it (clickjacking).
  • Exploit poor input validation in parameters to make the server fetch and include a remote file (remote file inclusion).
  • Include and execute local files on the server via directory traversal (local file inclusion).
  • Load a web shell onto a server using a number of exploit tactics to gain control over the server.
  • Test the app for insecure coding practices like verbose error messages and comments.
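The traversal and SQL injection items above all rely on the app checking input in one representation while using it in another. The following is an added example, not part of the original checklist, showing how a defender closes both gaps: a path resolver that percent-decodes until the input stops changing (so %2E%2E%2F and %252E%252E%252F are judged as ../), rejects embedded null bytes, and then confirms the resolved path stays under the document root; and a lookup that builds the query by string concatenation (vulnerable to ' OR 1=1 --) beside the parameterized form. DOC_ROOT and the users table are constructed for the example; the app, its paths and its schema are assumptions.

```python
"""Added example: defensive handling of directory traversal and SQL injection."""
import os
import sqlite3
from urllib.parse import unquote

# Constructed document root for the example; any absolute directory works.
DOC_ROOT = os.path.realpath("/tmp/example_docroot")


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until the string stops changing, so double-encoded
    input (%252E%252E%252F) is seen as ../ before any check runs.
    Input still changing after max_rounds is rejected outright."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return decoded
        value = decoded
    raise ValueError("too many encoding layers")


def safe_resolve(user_path: str, root: str = DOC_ROOT) -> str:
    """Return the absolute file path for user_path if it stays inside root."""
    decoded = fully_decode(user_path)
    # A %00 null byte would truncate the name in C-based file APIs, defeating
    # extension checks done on the full string; refuse it instead.
    if "\x00" in decoded:
        raise ValueError("null byte in path")
    candidate = os.path.realpath(os.path.join(root, decoded.lstrip("/\\")))
    # Compare the *resolved* path against the root, not the raw string.
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError("path escapes document root")
    return candidate


def is_rejected(user_path: str) -> bool:
    """True if safe_resolve refuses the path (used to exercise the failure cases)."""
    try:
        safe_resolve(user_path)
        return False
    except ValueError:
        return True


def demo_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the app's users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "admin"), (2, "bob", "user"), (3, "carol", "user")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """The 'before' form: the apostrophe closes the literal, OR 1=1 makes the
    predicate always true, and -- comments out the trailing quote."""
    return conn.execute(f"SELECT name FROM users WHERE name = '{name}'").fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    """The fix: a bound parameter is always data, never SQL syntax."""
    return conn.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchall()


if __name__ == "__main__":
    for p in ["docs/readme.txt", "../../etc/passwd", "%2E%2E%2Fetc/passwd",
              "%252E%252E%252Fetc/passwd", "notes.txt%00.png"]:
        print(f"{p!r:32} rejected={is_rejected(p)}")
    payload = "' OR 1=1 --"
    print("concatenated:", lookup_vulnerable(demo_db(), payload))
    print("parameterized:", lookup_safe(demo_db(), payload))
```

Running the block prints one line per path showing which are refused, then the same injection payload returning every row through the concatenated query and no rows through the parameterized one. Decoding before validating is the key design choice: a filter that inspects the raw request string is exactly the "rudimentary filter" the encoding tricks in the list are built to slip past.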