Types of Web Application Attacks

Penetration Testing Wiki

Server-Side Attacks

Client-Side Attacks

  • XSS (Cross-Site Scripting)
  • CSRF (Cross-Site Request Forgery)

HTTP headers security

  • HSTS (HTTP Strict Transport Security) Tells the browser to reach the host (and, with includeSubDomains, its subdomains) only over HTTPS for max-age seconds, so it protects against SSL-stripping man-in-the-middle and protocol downgrade attacks and against cookie hijacking over plaintext HTTP in the web browser
  • CORS (Cross-origin resource sharing) Relaxes the same-origin policy by telling the browser which origins may read cross-origin XHR/fetch responses. It is not an XSS defense: a permissive policy (Access-Control-Allow-Origin reflecting any request Origin together with Access-Control-Allow-Credentials: true) lets an attacker's page read authenticated responses cross-site in the web browser
  • CSP (Content Security Policy) https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy Controls which origins and scripts the user agent may load and execute, so injected inline scripts and eval are blocked unless the policy explicitly allows them; this mitigates XSS in the web browser
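The three headers above are easy to misconfigure in ways that look fine at a glance (a tiny HSTS max-age, a CORS policy that echoes the request Origin with credentials, a CSP whose script-src allows 'unsafe-inline'). The following Python audit is an added example for this wiki, not code from the page or any project: it inspects a dict of response headers and reports the weak settings. The one-year threshold for max-age, the header names and the constructed WEAK/HARDENED responses are assumptions for the demonstration; the probe origin is an origin the tester chose and that the server should not trust.

```python
"""Audit HSTS, CORS and CSP response headers for common weaknesses (added example)."""
import re

ONE_YEAR = 31536000  # seconds; threshold assumed here, adjust to your own policy


def _get(headers, name):
    """Case-insensitive header lookup on a plain dict."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def audit_hsts(headers):
    findings = []
    value = _get(headers, "Strict-Transport-Security")
    if value is None:
        return ["HSTS missing: browser will still accept plaintext HTTP, cookies exposed to an active attacker"]
    match = re.search(r"max-age\s*=\s*(\d+)", value, re.I)
    if not match:
        findings.append("HSTS has no max-age directive, the header is ignored")
    else:
        age = int(match.group(1))
        if age == 0:
            findings.append("HSTS max-age=0 disables the policy")
        elif age < ONE_YEAR:
            findings.append(f"HSTS max-age {age} is below one year")
    if "includesubdomains" not in value.lower():
        findings.append("HSTS lacks includeSubDomains: a subdomain reached over HTTP can still set or read parent-domain cookies")
    return findings


def audit_cors(headers, probe_origin):
    """probe_origin is an origin chosen by the tester that the server should NOT trust."""
    findings = []
    acao = _get(headers, "Access-Control-Allow-Origin")
    if acao is None:
        return findings  # no CORS header: browser enforces the plain same-origin policy
    creds = (_get(headers, "Access-Control-Allow-Credentials") or "").strip().lower() == "true"
    if acao == "*":
        findings.append("CORS allows any origin (*): unauthenticated responses readable from any site")
    elif acao == "null":
        findings.append("CORS trusts the 'null' origin (sandboxed iframes, file:// and data: pages)")
    elif probe_origin and acao == probe_origin and creds:
        findings.append(f"CORS reflects untrusted Origin {probe_origin} with credentials: authenticated responses readable cross-site")
    return findings


def audit_csp(headers):
    value = _get(headers, "Content-Security-Policy")
    if value is None:
        return ["CSP missing: script sources are unrestricted, XSS payloads run unhindered"]
    directives = {}
    for directive in value.split(";"):
        parts = directive.split()
        if parts:
            directives[parts[0].lower()] = [p.lower() for p in parts[1:]]
    # script-src governs script execution; default-src is the fallback when it is absent
    script_src = directives.get("script-src", directives.get("default-src"))
    if script_src is None:
        return ["CSP has neither script-src nor default-src: scripts are unrestricted"]
    findings = []
    for weak in ("'unsafe-inline'", "'unsafe-eval'", "*", "data:"):
        if weak in script_src:
            findings.append(f"CSP effective script-src permits {weak}")
    return findings


def audit(headers, probe_origin=None):
    return audit_hsts(headers) + audit_cors(headers, probe_origin) + audit_csp(headers)


# Constructed sample responses for the demo (not captured from a real host).
WEAK = {
    "Strict-Transport-Security": "max-age=300",
    "Access-Control-Allow-Origin": "https://attacker.example",
    "Access-Control-Allow-Credentials": "true",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
}
HARDENED = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; object-src 'none'",
}

if __name__ == "__main__":
    for name, response in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(response, probe_origin="https://attacker.example"))
```

In practice you feed `audit()` the headers of a response to a request that carried `Origin: https://attacker.example`; the reflection check only means something when the origin in the request was yours and not on the server's allowlist.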

Authentication protocols

SAML Attacks

SAML: Security Assertion Markup Language is an open standard for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider. As its name implies, SAML is an XML-based markup language for security assertions (statements that service providers use to make access-control decisions). The single most important use case that SAML addresses is web browser single sign-on (SSO).

Attacks on SAML protocol

PHP Attacks

Payloads to test injections:

NULL byte in octal: \400 (PHP octal escapes are silently truncated to one byte, so "\400" === "\000"; a filter that only looks for \0 or \000 misses it)
NULL byte in hex: \x00

Caveat: PHP 5.3.4 and later reject NUL bytes in filesystem paths, so the classic path-truncation bypass (shell.php\x00.jpg) only works on older versions or on code that passes the string to other C-backed functions.
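To see why both spellings above produce the same byte and why that byte matters, the following Python is an added example (not code from the wiki): it decodes PHP double-quoted-string escapes the way the PHP parser does, including the octal overflow that turns \400 into 0x00, and then shows the mismatch between a string-level extension check and the name a NUL-terminated C API would actually receive. The `extension_allowed` check and the `shell.php` payload are hypothetical illustrations.

```python
"""PHP double-quoted escape decoding and NUL-byte path truncation (added example)."""
import re

# Hex escape, octal escape, or one of PHP's simple escapes; anything else keeps its backslash.
_ESCAPE = re.compile(r'\\(x[0-9A-Fa-f]{1,2}|[0-7]{1,3}|[nrtvef\\$"])')
_SIMPLE = {
    "n": b"\n", "r": b"\r", "t": b"\t", "v": b"\v", "e": b"\x1b", "f": b"\f",
    "\\": b"\\", "$": b"$", '"': b'"',
}


def php_unescape(literal: str) -> bytes:
    """Decode the body of a PHP double-quoted string into the bytes PHP would hold.

    Octal escapes \\[0-7]{1,3} overflow silently to one byte, so "\\400" === "\\000".
    """
    out = bytearray()
    pos = 0
    for match in _ESCAPE.finditer(literal):
        out += literal[pos:match.start()].encode("latin-1")
        esc = match.group(1)
        if esc[0] in "xX":                      # \x00 .. \xff
            out.append(int(esc[1:], 16))
        elif esc[0] in "01234567":              # octal, truncated to a byte like PHP (\400 -> 0x00)
            out.append(int(esc, 8) & 0xFF)
        else:
            out += _SIMPLE[esc]
        pos = match.end()
    out += literal[pos:].encode("latin-1")
    return bytes(out)


def extension_allowed(filename: str) -> bool:
    """Hypothetical application check: an allowlist on the string the app sees."""
    return filename.lower().endswith((".jpg", ".png"))


def path_at_c_level(raw: bytes) -> bytes:
    """C string functions stop at the first NUL, so this is the name the filesystem receives."""
    return raw.split(b"\x00", 1)[0]


def upload_bypass_demo(payload_literal: str):
    """Return (passes the extension check?, path the C layer would open) for a PHP-escaped name."""
    raw = php_unescape(payload_literal)
    seen_by_check = raw.decode("latin-1")       # the string the PHP-level check inspects
    return extension_allowed(seen_by_check), path_at_c_level(raw)


if __name__ == "__main__":
    # Constructed payloads: the two NULL-byte spellings from the list above.
    for payload in (r"shell.php\400.jpg", r"shell.php\x00.jpg"):
        print(payload, "->", php_unescape(payload), upload_bypass_demo(payload))
```

Both payloads decode to `b"shell.php\x00.jpg"`: the allowlist check sees a `.jpg` name while a NUL-terminated API sees `shell.php`. Current PHP (5.3.4 and later) refuses NUL bytes in filesystem paths and Python's `open()` raises `ValueError` on them, so the truncation step only succeeds on old runtimes or on other C-backed code paths; the decoding trick for sneaking the byte past a filter still applies.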

Tricky PHP file upload extensions for bypassing restrictions:


JavaScript Attacks

Meteor Framework



SSRF Attacks

Internal URLs by provider: https://gist.github.com/jhaddix/78cece26c91c6263653f31ba453e273b




NOTE: The v1 endpoints require the request header “Metadata-Flavor: Google” (the older “X-Google-Metadata-Request: True” is also accepted), so they are only reachable through an SSRF that lets you set headers. The legacy v1beta1 endpoints did not require the header, which is why they are listed, but Google has deprecated them and they are disabled on instances where legacy endpoints are turned off (metadata key disable-legacy-endpoints).

  • http://metadata.google.internal/computeMetadata/v1/
  • http://metadata/computeMetadata/v1/
  • http://metadata.google.internal/computeMetadata/v1/instance/hostname
  • http://metadata.google.internal/computeMetadata/v1/instance/id
  • http://metadata.google.internal/computeMetadata/v1/instance/region
  • http://metadata.google.internal/computeMetadata/v1/instance/zone
  • http://metadata.google.internal/computeMetadata/v1/project/project-id
  • http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token
  • http://metadata.google.internal/computeMetadata/v1beta1/instance/service-accounts/default/
  • http://metadata.google.internal/computeMetadata/v1beta1/
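The list above is what an attacker aims at; the defensive counterpart is recognising those targets when a URL is user-supplied. The following Python is an added example for this wiki, not code from the page or any project: it classifies a URL as pointing at a metadata or internal host, parsing IPv4 literals with the same leniency as inet_aton (decimal 2852039166, hex 0xa9fea9fe, octal 0251.0376.0251.0376, shortened 127.1) and unwrapping IPv4-mapped IPv6 so that [::ffff:169.254.169.254] is caught. The hostname set is taken from the list above plus localhost; 169.254.169.254 is the address metadata.google.internal resolves to on GCE. Everything else (the function names, the sample URLs) is constructed for the demo.

```python
"""Classify SSRF target URLs that reach cloud metadata or internal hosts (added example)."""
import ipaddress
from urllib.parse import urlsplit

# Hostnames from the wiki's metadata list plus localhost (assumed set; extend for your environment).
METADATA_HOSTS = {"metadata.google.internal", "metadata", "localhost"}


def parse_ipv4_literal(host):
    """inet_aton-style parsing: 1 to 4 dot-separated parts, each decimal, octal (leading 0)
    or hex (0x); the last part fills the remaining bytes. Returns an int or None."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    values = []
    for part in parts:
        try:
            if part[:2].lower() == "0x":
                values.append(int(part[2:], 16))
            elif len(part) > 1 and part[0] == "0":
                values.append(int(part, 8))
            else:
                values.append(int(part, 10))
        except ValueError:
            return None
    last_bits = 8 * (5 - len(parts))            # a.b.c.d -> 8, a.b.c -> 16, a.b -> 24, a -> 32
    if any(v < 0 or v > 255 for v in values[:-1]) or not 0 <= values[-1] < (1 << last_bits):
        return None
    value = 0
    for v in values[:-1]:
        value = (value << 8) | v
    return (value << last_bits) | values[-1]


def host_to_address(host):
    """Return an IPv4Address/IPv6Address for an IP literal in any notation, or None for a name."""
    as_int = parse_ipv4_literal(host)
    if as_int is not None:
        return ipaddress.IPv4Address(as_int)
    try:
        addr = ipaddress.ip_address(host)       # plain IPv6 (brackets already stripped by urlsplit)
    except ValueError:
        return None
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped                 # ::ffff:169.254.169.254 is really 169.254.169.254
    return addr


def is_internal_target(url):
    """True if the URL's host is a metadata name or an IP literal in a non-public range."""
    host = urlsplit(url).hostname
    if host is None:
        return False
    host = host.lower()
    if host in METADATA_HOSTS:
        return True
    addr = host_to_address(host)
    if addr is None:
        # A DNS name: a real filter must resolve it and re-check the result at connect time,
        # otherwise an attacker-controlled name pointing at 169.254.169.254 (or rebinding) slips through.
        return False
    return addr.is_private or addr.is_loopback or addr.is_link_local or addr.is_unspecified


if __name__ == "__main__":
    # Constructed sample URLs, including the metadata list's hosts and obfuscated IP spellings.
    for sample in (
        "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token",
        "http://2852039166/", "http://0xa9fea9fe/", "http://0251.0376.0251.0376/",
        "http://[::ffff:169.254.169.254]/", "http://127.1/", "https://example.com/",
    ):
        print(is_internal_target(sample), sample)
```

The check is a pre-filter, not a complete defense: names must be resolved and the resolved address checked again on the socket that is actually opened, redirects must be re-validated, and on GCP the v1 endpoint additionally needs the Metadata-Flavor header, so an SSRF that cannot set headers only reaches the legacy v1beta1 paths where they are still enabled.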



Blind SSRF reference: https://github.com/assetnote/blind-ssrf-chains

More payloads: https://github.com/defensahacker/spinfuzz (Fuzzing lists for webapp pentesting)