Web Security Exam Guide

Uploaded by

jhsdnck

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as XLSX, PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

138 views4 pages

Web Security Exam Guide

Uploaded by

jhsdnck

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as XLSX, PDF, TXT or read online on Scribd

Version Author

3 A3h1nt

2 A3h1nt

1 A3h1nt

Stage - 1 Stage - 2
Authentication Authentication
OAuth OAuth
Access Control Access Control

XSS XSS
CSRF CSRF
CORS CORS
Clickjacking Clickjacking
Web Sockets Web Sockets

Web Cache Poisioning Web Cache Poisioning

Host Header Attacks Host Header Attacks
JWT
HTTP Request Smuggling HTTP Request Smuggling
SQL Injection
Date Commits
11/04/24 Completed All

16/01/24 Updated Checklist with unfinished topics

19/11/23 Initial Draft

Stage - 3

Directory Traversal
SSRF
File Upload Vulnerabilities
OS Command Injection
XXE Injection

Insecure Deserialisation
SSTI
SSRF

SQL Injection
Ignore all the random comments and side notes, make a copy, make it your own.

TIPS
1. Make sure all your extensions are running before you start the exam
2.
3. Run param
If there's miner else,
nothing > guess headers
literally nothing else to find, try Host header injection SSRF to access admin panel :
192.168.0.x or localhost:TBF
4. Dont be in a hurry, read the error output completely.
5. In insecure deserialisation, use cyberchef, always use wget/curl to see if it hits the collaborator, and the
right payload might give `java.io.StreamCorruptedException`
6.There is only one active user per application
7.If SSRF try localhost:6566 ( try first in host or referer header and then move on )
8.
9.You
"SSRFcan use chatGPT to understand the code in case
: stockApi=http://127.1/%25%36%31dmin of DOM
: Here XSS.double encoded character `a` to bypass
we have
validation. "
10. XSS try encoding into HTML, hex or HTMLHex to bypass FW
Important Links
1. Keep it handy 1 https://github.com/botesjuan/Burp-Suite-Certified-Practitioner-Exam-Study?tab=readme-ov-file#reflected-stri
2.Keep it handy 2 https://github.com/DingyShark/BurpSuiteCertifiedPractitioner#insecure-deserialization
3. CyberChef https://gchq.github.io/CyberChef/#recipe=URL_Encode(true)&input=KCk
4. Ruby Compiler For Deserialisation Attack https://onecompiler.com/ruby/428epcnus
5. Hex To Decimal & Vice Versa : HTTP Request Smuggling https://coolconversion.com/math/binary-octal-hexa-decimal/How-t
6. XSS Cheatsheet https://portswigger.net/web-security/cross-site-scripting/cheat-sheet
7. SQL Injection Cheatsheet https://portswigger.net/web-security/sql-injection/cheat-sheet
8. Payload All The Thingshttps://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20
9. Hacktricks XYZhttps://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection
otes, make a copy, make it your own.

t the exam
st header injection SSRF to access admin panel :

et/curl to see if it hits the collaborator, and the

der and then move on )

e have double encoded character `a` to bypass

inks
-Practitioner-Exam-Study?tab=readme-ov-file#reflected-string-xss
Practitioner#insecure-deserialization
e(true)&input=KCk
m/ruby/428epcnus
coolconversion.com/math/binary-octal-hexa-decimal/How-to-Convert_hex__5C_in_decimal_%3F
cripting/cheat-sheet
-injection/cheat-sheet
llTheThings/tree/master/Server%20Side%20Template%20Injection
ver-side-template-injection

BSCP1
No ratings yet
BSCP1
4 pages
BSCP Tracker
No ratings yet
BSCP Tracker
207 pages
Web App Security Course Agenda
No ratings yet
Web App Security Course Agenda
43 pages
Apis Fuzzing For Bug Bounty: Tools
No ratings yet
Apis Fuzzing For Bug Bounty: Tools
7 pages
Ccs374-Web Application Securitty Lab Manual
No ratings yet
Ccs374-Web Application Securitty Lab Manual
36 pages
Oswe Notes Basic by Joas 1648716052
No ratings yet
Oswe Notes Basic by Joas 1648716052
233 pages
Web Application Penetration Testing EXtreme - 1
100% (4)
Web Application Penetration Testing EXtreme - 1
300 pages
SSRF Attack Techniques and Exploits Guide
No ratings yet
SSRF Attack Techniques and Exploits Guide
23 pages
Stages in Exam of The Exam
No ratings yet
Stages in Exam of The Exam
3 pages
ccs374-WebApplicationSecurity Lab Manual
No ratings yet
ccs374-WebApplicationSecurity Lab Manual
30 pages
ELearnSecurity EWPTX Notes Basic by Joas
No ratings yet
ELearnSecurity EWPTX Notes Basic by Joas
311 pages
SSRF Exploitation Guide
No ratings yet
SSRF Exploitation Guide
23 pages
Tip Trick Day Before Exam
No ratings yet
Tip Trick Day Before Exam
3 pages
Web Application Penetration Testing Guide
No ratings yet
Web Application Penetration Testing Guide
60 pages
Cybersecurity Interviews - 200 Must-Know Questions!
No ratings yet
Cybersecurity Interviews - 200 Must-Know Questions!
28 pages
Beginner's Guide to Bug Hunting
No ratings yet
Beginner's Guide to Bug Hunting
16 pages
Nahamsec Bug Bounty Course Resources
No ratings yet
Nahamsec Bug Bounty Course Resources
3 pages
Web Security Lab: XSS & CSRF Attacks
No ratings yet
Web Security Lab: XSS & CSRF Attacks
6 pages
Recon Methdology and Notes....
No ratings yet
Recon Methdology and Notes....
4 pages
Burp Update
No ratings yet
Burp Update
26 pages
Cross-Site Request Forgery
No ratings yet
Cross-Site Request Forgery
6 pages
BSCP Official Exam
100% (2)
BSCP Official Exam
12 pages
API Testing Checklist
No ratings yet
API Testing Checklist
7 pages
Very Very Import Tip For Burp
No ratings yet
Very Very Import Tip For Burp
2 pages
OSWE Exam Report
No ratings yet
OSWE Exam Report
33 pages
SSRF and XXE Vulnerabilities Explained
No ratings yet
SSRF and XXE Vulnerabilities Explained
123 pages
Advanced Web Application Hacking Guide
No ratings yet
Advanced Web Application Hacking Guide
118 pages
Web Penetration Testing Roadmap
No ratings yet
Web Penetration Testing Roadmap
7 pages
ACS-Admin Penetration Testing Report
No ratings yet
ACS-Admin Penetration Testing Report
21 pages
Hackanythingfor Blogspot Com 2020 07 Api Testing Checklist HTML
No ratings yet
Hackanythingfor Blogspot Com 2020 07 Api Testing Checklist HTML
5 pages
Programming Project 1
No ratings yet
Programming Project 1
4 pages
WebHacking All Bugs
No ratings yet
WebHacking All Bugs
84 pages
Web Exploitation
No ratings yet
Web Exploitation
18 pages
Security Vulnerability Questions-1
No ratings yet
Security Vulnerability Questions-1
2 pages
Slides Insecure Direct Object Reference
No ratings yet
Slides Insecure Direct Object Reference
35 pages
Web Penetration Testing Roadmap
No ratings yet
Web Penetration Testing Roadmap
11 pages
Web Application Advanced
No ratings yet
Web Application Advanced
118 pages
Lab 3 Web Attacks: XSS, XSRF, SQL Injection
0% (1)
Lab 3 Web Attacks: XSS, XSRF, SQL Injection
11 pages
A Study On API Security Pentesting
No ratings yet
A Study On API Security Pentesting
108 pages
H1-212 CTF Solution
No ratings yet
H1-212 CTF Solution
12 pages
Understanding HTTP Headers
No ratings yet
Understanding HTTP Headers
14 pages
Two Million
No ratings yet
Two Million
30 pages
(CyberSec'24) Lab07 - Student Version
No ratings yet
(CyberSec'24) Lab07 - Student Version
45 pages
HRS SMUGGLINGs
No ratings yet
HRS SMUGGLINGs
56 pages
Understanding SSRF Vulnerabilities
No ratings yet
Understanding SSRF Vulnerabilities
123 pages
Book of Tips by Aditya Shende PDF
No ratings yet
Book of Tips by Aditya Shende PDF
23 pages
Udemy - Web Pentesting Course Slides
100% (1)
Udemy - Web Pentesting Course Slides
103 pages
20bcs4908 Ashwani Sharma Wms Exp 3
No ratings yet
20bcs4908 Ashwani Sharma Wms Exp 3
7 pages
Web Application Security Lab Manual Word
No ratings yet
Web Application Security Lab Manual Word
27 pages
18DCS068 3-4
No ratings yet
18DCS068 3-4
16 pages
Web Pentesting Course Slides
No ratings yet
Web Pentesting Course Slides
63 pages
Cross-Protocol Request Forgery Overview
No ratings yet
Cross-Protocol Request Forgery Overview
16 pages
Análisis de Protocolos con Wireshark
No ratings yet
Análisis de Protocolos con Wireshark
21 pages
Advanced Web Hacking Techniques Guide
No ratings yet
Advanced Web Hacking Techniques Guide
18 pages
Web Application Security Vulnerabilities
No ratings yet
Web Application Security Vulnerabilities
112 pages
Midterm1 Solucionario Cap 1 4 e 5
No ratings yet
Midterm1 Solucionario Cap 1 4 e 5
6 pages
Delphi 2010 REST WP Marco Cantu 0911
No ratings yet
Delphi 2010 REST WP Marco Cantu 0911
54 pages
Api Rest
No ratings yet
Api Rest
322 pages
WT-web Technology Akash
No ratings yet
WT-web Technology Akash
54 pages
Toll Management System Overview
No ratings yet
Toll Management System Overview
12 pages
SAP E2E Trace Analysis Guide
100% (4)
SAP E2E Trace Analysis Guide
12 pages
Building and Using Web Services JDeveloper
No ratings yet
Building and Using Web Services JDeveloper
27 pages
Packet Sniffing with Wireshark
0% (1)
Packet Sniffing with Wireshark
6 pages
Pardot API Documentation
No ratings yet
Pardot API Documentation
4 pages
Network Technology
100% (2)
Network Technology
73 pages
AJAX XMLHttpRequest Guide
No ratings yet
AJAX XMLHttpRequest Guide
5 pages
Sparkle User Guide
No ratings yet
Sparkle User Guide
90 pages
Python For Network Engineers
100% (1)
Python For Network Engineers
141 pages
Web Application Scalability - Introduction
No ratings yet
Web Application Scalability - Introduction
24 pages
Extrusion Detection for Obfuscated Content
No ratings yet
Extrusion Detection for Obfuscated Content
3 pages
Hotel Management
67% (9)
Hotel Management
21 pages
Lab 13 - Socket Programming Using UDP Protocol
No ratings yet
Lab 13 - Socket Programming Using UDP Protocol
11 pages
IIB v9r0 Overview
No ratings yet
IIB v9r0 Overview
134 pages
List of Maharashtra Government Polytechnic Colleges - Wikipedia
No ratings yet
List of Maharashtra Government Polytechnic Colleges - Wikipedia
8 pages
Lab 2.3.5 Configuring Basic Routing and Switching
100% (1)
Lab 2.3.5 Configuring Basic Routing and Switching
12 pages
Be First Year (First Sem Foc 2 Mark Notes)
No ratings yet
Be First Year (First Sem Foc 2 Mark Notes)
58 pages
Postman Quick Reference Guide
100% (5)
Postman Quick Reference Guide
26 pages
CloudHub Log Integration Guide
No ratings yet
CloudHub Log Integration Guide
10 pages
Wireshark Basics: Packet Capture Lab
No ratings yet
Wireshark Basics: Packet Capture Lab
7 pages
DHIS2 Developer Manual
No ratings yet
DHIS2 Developer Manual
222 pages
Reporte 3
No ratings yet
Reporte 3
20 pages
Cookies
No ratings yet
Cookies
289 pages
@bca Studies : Most Important Question
No ratings yet
@bca Studies : Most Important Question
9 pages
Schedule: Vahid Shahbazian Fard Jahromy WWW - Learnmikrotik.Ir ©learnmikrotik - Ir 2014
50% (2)
Schedule: Vahid Shahbazian Fard Jahromy WWW - Learnmikrotik.Ir ©learnmikrotik - Ir 2014
22 pages
Default Username and Password For Routers - All Makes Jean's Blog
100% (1)
Default Username and Password For Routers - All Makes Jean's Blog
23 pages