We teach the following technical and business logic issues related to web applications, and after covering all topics we have the students solve our CTFs.
Information gathering via Whois query
Try to find out all websites hosted on the same IP address.
Try to find out all websites via reverse DNS queries
Try to find out all subdomains of all target domains
Perform a full TCP/UDP port scan of every website's IP address.
Try to identify new web interfaces on different TCP ports.
Use the Google search engine to find subdomains (Google dorks).
Information gathering (subdomains, leaked credentials) via Pastebin/GitHub
Try to find out new subdomains via DNS Dumpster
Perform a brute force against the DNS server with a good wordlist to identify new subdomains.
Analyse error messages, banner information etc. for information gathering.
Look at the Archive.org records
Try to perform subdirectory tests
Identify directory listing vulnerabilities by visiting subdirectories
Identify directory listing via Google dorks
Try to gather information via robots.txt, elmah.axd, trace.axd
Elmah.axd and Trace.axd session stealing tests
Try to identify the target operating systems, databases etc.
Try to find out new files with different extensions under newly discovered subdirectories
Try to identify the CMS application used on the target system
Scan this CMS application with specialised tools.
Try to identify the installed plugins of the CMS and known vulnerabilities in these plugins
Search all known vulnerabilities related to the CMS version
Try to identify admin pages of the target websites.
Try to check whether there is any known web backdoor on the target systems
Data transmission security checks (plain HTTP usage, missing HSTS header, insecure SSL/TLS etc.)
Discover dangerous HTTP method usage such as PUT and DELETE
Username enumeration tests via error or warning messages
Username enumeration via development mistakes
Brute force testing of web form fields.
Try to bypass WAF systems
Manual crawling of the target applications
Find out all input fields throughout the target applications
Hidden form field tests
Source code review of HTML and JavaScript files
Identifying and abusing unused captcha forms
CSRF vulnerability checks on the sensitive functions of the targets
Anti-CSRF token bypass techniques
Session manipulation tests
Cookie attribute tests
Session ID weakness tests
Vulnerabilities in the login functions
Login function (authentication) bypass techniques
Known and published vulnerabilities on the targets
Two-factor authentication bypass techniques
Session fixation tests
Directory traversal vulnerabilities
Authorization issues
Try to access other users' assets without authorization (files, private assets)
IDOR tests
Try to find out weaknesses in the logout function of the targets
Privilege escalation tests with users of different roles
Focus solely on business logic issues in the target's functions
HTTP header tests
User-Agent manipulation tests
X-Forwarded-For restriction bypass tests.
XSS tests (reflected, stored, DOM, blind)
SQL injection tests
Code injection tests
Command execution tests
SSRF tests (local, remote)
LFI/RFI tests
Focus on web service tests (ASMX, RESTful, WCF)
Business and technical tests on the web services
Specific tests related to the technologies in use (Node.js, AJAX, frameworks etc.)
Try to use the right attack vectors depending on the database/development platform in use
Password reset functionality abuse testing
Account takeover via specific functionality of the targets (password change, reset etc.)
Image captcha size manipulation DoS tests
Application-level DoS tests (abusing functions, BoF etc.)
Session timeout tests
Secure, HttpOnly and HSTS header usage tests
Advanced authentication and authorization tests.
Open redirection tests
File upload tests (command execution, stored XSS, DoS)
LDAP injection tests
XML injection tests
XML External Entity (XXE) tests
Buffer overflow tests
Login bypass and DoS via long payloads
HTTP response splitting tests (XSS PoC)
HTTP parameter pollution tests (WAF bypass PoC)
Iframe injection tests
LFI via iframe injection
XSS tests via drag and drop
XSS tests via file names of uploaded files
Try to discover technical web vulnerabilities via Google dorks
Signup function tests (account takeover, XSS, SQL or many business logic bugs)
Code execution via uploadable Excel files
Try to discover advanced injection points via fuzzing (wfuzz)
Try to force the targets to disclose sensitive information via error messages
Vulnerabilities in the web server versions
Try to determine remotely whether and how passwords are encrypted in the target database.
SWF/JAR file decompiling tests, if such files are present on the targets
Code execution via SMTP/IMAP
Specific wordlist creation (crunch, cewl)
phpMyAdmin vulnerabilities (directory listing, brute force, XSS etc.)
Code execution via phpMyAdmin using MySQL's INTO OUTFILE function
URL poisoning tests
Try to use bypass methods for all technical vulnerabilities
DoS via code injection
Default or predictable password usage tests
Post-exploitation via accessed systems (Tomcat, WordPress etc.)
Clickjacking vulnerability tests on the important functions of the targets
Fully automated scan of all websites