# WAPT L2 Checks

1. WAF Detection (wafw00f scan)
2. User-Agent Dependency Check [Reference](https://medium.com/@secureitmania/the-importance-of-checking-user-agent-header-dependency-in-penetration-testing-a7ca49122f49)

```
Before proceeding with XSS, SQL, and automated scans, it's crucial to understand the WAF protection and User-Agent dependency of the target application. Use appropriate WAF bypass payloads and perform the scan at an appropriate request rate limit.

Below are sample GitHub repos:
https://github.com/gprime31/WAF-bypass-xss-payloads
https://github.com/Xyntax/waf-bypass/tree/master/payload
```

### Input Validation

1. Cross-Site Scripting
2. Cross-Site Request Forgery
3. SQL Injection
4. OS Command Injection

### Registration/Signup Form Checks

1. HTML/Email Template injection at reflected user input

```
Example: Observe whether any user input is reflected in the email template. Then verify that user input for HTML Injection or SSTI vulnerabilities.
```

2. Long password DoS attack [Reference](https://shahjerry33.medium.com/long-string-dos-6ba8ceab3aa0)
3. Verify email link poisoning (Host Header Injection)
4. Verify email token strength

### Abuse Functionality

1. Unrestricted File Upload
2. Server-Side Request Forgery
3. Path Traversal
4. Remote File Inclusion
5. Local File Inclusion
6. Insecure Deserialization
7. LDAP Injection
8. Server-Side Template Injection

### JWT

1. None Alg acceptance
2. RS256 to HS512 Signature Attack

### Forgot/Reset Password Form

1. Reset password link poisoning (Host Header Injection)
2. Reset password token/code strength
3. Reset password code/token expiration
4. Sensitive information leakage via Referer header

### OTP Bypass [Reference](https://medium.com/@secureitmania/the-six-most-common-unsecured-methods-of-otp-validation-unpacking-the-pitfalls-dc526f90f3c4)

1. OTP leakage in response
2. Client-side OTP validation
3. OTP expiration
4. OTP brute force

### After Login

1. Excessive data exposure in the response
2. Vertical Broken Access Controls
3. Horizontal Broken Access Controls
4. Insecure Direct Object Reference

### Payment Gateway

1. Negative amount validation
2. Transaction replay attack
3. Purchase order for less than the MRP price
4. Purchase order without account balance

### Scans

```
These scans should also be performed on all the target subdomains that are part of the target application.
Example: https://www.example.com, https://api.example.com, https://payment.example.com, etc.
```

1. Nikto
2. Directory brute force (dirsearch scan)
3. Nuclei CVE scan
4. Nuclei exposed panels scan
5. Nuclei vulnerabilities scan
6. Nuclei misconfiguration scan
7. Request Smuggling scan
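For the two JWT checks above, the server-side fix is the same: pin the algorithm and never let the token header choose it. The verifier below is an added example (not from this checklist or any named project) using only the standard library; `mint_token`, `verify_hs256` and the `constructed-demo-secret` key are assumptions made for the demonstration, and it runs against tokens it builds itself, including an unsigned one and one whose header claims HS512.

```python
import base64, hashlib, hmac, json, time

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop '=' padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def mint_token(header: dict, payload: dict, key: bytes) -> str:
    """Build a token and sign it with HMAC-SHA256 whatever the header claims.
    Used by the checks to construct mislabelled tokens (alg none / HS512) so we
    can confirm the verifier rejects them on the header pin, not by luck."""
    h = _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{_b64url_encode(sig)}"

def verify_hs256(token: str, key: bytes, now: float = None) -> dict:
    """Verify a JWT with the algorithm pinned to HS256 on the server side.
    The header is attacker-controlled, so it must never select the algorithm:
    'alg: none' and any other alg are rejected before the key is touched. The
    same pin is what closes RS256 -> HS* confusion in an RSA deployment."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg') if isinstance(header, dict) else header!r}")
    signing_input = f"{header_b64}.{payload_b64}".encode()
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    # Constant-time compare so the signature check itself does not leak timing
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if "exp" not in payload or payload["exp"] <= now:
        raise ValueError("missing or expired exp")
    return payload

if __name__ == "__main__":
    key = b"constructed-demo-secret"  # constructed for the demo, not a real secret
    good = mint_token({"alg": "HS256", "typ": "JWT"}, {"sub": "alice", "exp": 2000}, key)
    print(verify_hs256(good, key, now=1000))  # {'sub': 'alice', 'exp': 2000}
    unsigned = good.rsplit(".", 1)[0] + "."   # signature stripped, as in an alg=none token
    for bad in (unsigned, mint_token({"alg": "none"}, {"sub": "admin", "exp": 2000}, key)):
        try:
            verify_hs256(bad, key, now=1000)
        except ValueError as e:
            print("rejected:", e)
```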