# Application Security ### Getting Started
ComponentDescription
Back end ServersThe hardware and operating system that hosts all other components and are usually run on operating systems like Linux, Windows, or using Containers.
Web ServersWeb servers handle HTTP requests and connections. Some examples are Apache, NGINX, and IIS.
DatabasesDatabases (DBs) store and retrieve the web application data. Some examples of relational databases are MySQL, MSSQL, Oracle, PostgreSQL, while examples of non-relational databases include NoSQL and MongoDB.
Development FrameworksDevelopment Frameworks are used to develop the core Web Application. Some well-known frameworks include PHP, C#, Java, Python, and NodeJS JavaScript
### Field References {% tabs %} {% tab title="General" %} | [OWASP WSTG 4.2](https://owasp.org/www-project-web-security-testing-guide/v42/) ! | [Burpsuite: Commercial Web app testing tool](https://portswigger.net/burp) ! | [Awesome Application Security Checklist](https://github.com/MahdiMashrur/Awesome-Application-Security-Checklist) | | ---------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------- | | [OWASP Cheat Sheet Series](https://github.com/OWASP/CheatSheetSeries) | [Awesome Web Hacking from @infoslack](https://github.com/infoslack/awesome-web-hacking) | [Awesome Web Security](https://github.com/qazbnm456/awesome-web-security) | | [PortSwigger Web Security Academy Lab Files from @rkhal101](https://github.com/rkhal101/Web-Security-Academy-Series) | [Hack-Tools Chrome Extension for Web Pentesting](https://chrome.google.com/webstore/detail/hack-tools/cmbndhnoonmghfofefkcccljbkdpamhi) | [OWASP Vulnerability Scanner Tool List](https://owasp.org/www-community/Vulnerability_Scanning_Tools) | | [Awesome Hacking Resources](https://github.com/vitalysim/Awesome-Hacking-Resources) | [Damn Vulnerable PHP App](https://github.com/c0brabaghdad1/DVPA) | [Vulnerable Java Application](https://github.com/CSPF-Founder/JavaVulnerableLab) | | [OWASP Secrets Management focused vulnerable app](https://github.com/commjoen/wrongsecrets) | [403 byebye](https://github.com/nxenon/403-byebye) | [TCM Security PWST Lab Environment](https://github.com/mttaggart/pwst-resources) ! | | [Web Pentesting Checklist by Joas](https://drive.google.com/file/d/1oNTZeFRM3gM9U55BinxIjnL7168v1otK/view?usp=sharing) | [Hetty tool](https://github.com/dstotijn/hetty) | [HBSQLi](https://github.com/SAPT01/HBSQLI) | | {% endtab %} | | | {% tab title="Mobile" %} **Mobile Application Testing Guides** | [OWASP MASVS](https://mas.owasp.org/MASVS/) -Mobile Application Security Verification Standard | [OWASP MSTG](https://mas.owasp.org/MASTG/) - Mobile Application Security Testing Guide | [OWASP MAS Checklist](https://mas.owasp.org/MAS_checklist/) | | ---------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------- | ----------------------------------------------------------- | **iOS** | [iOS Testing Guide](https://web.securityinnovation.com/hubfs/iOS%20Hacking%20Guide.pdf) by Security Innovation | | | | -------------------------------------------------------------------------------------------------------------- | - | - | **Android** | [Secure Coding guide](https://www.jssec.org/dl/android_securecoding_en.pdf) by JSSEC | [Intro to Android Pentesting by HackTheBox](https://www.hackthebox.com/blog/intro-to-mobile-pentesting#suggested_tools_for_android_penetration_testing) | | | ------------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------- | - | | {% endtab %} | | | {% tab title="Security Research" %} | [Bug Hunter Handbook](https://gowthams.gitbook.io/bughunter-handbook) | [Awesome Bug Bounty Resources](https://github.com/djadmin/awesome-bug-bounty) | [Awesome Bug Bounty Hunting Tool](https://github.com/0xApt/awesome-bbht) | | -------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------- | ------------------------------------------------------------------------ | | [All About Bug Bounty Note Repo](https://github.com/daffainfo/AllAboutBugBounty) | [BugHunter Handbook](https://gowthams.gitbook.io/bughunter-handbook/) | [Bug Bounty Wiki](https://bug.bounty.wiki/) | | [VulnPlanet](https://github.com/yevh/VulnPlanet) - Vulnerable code snippets with fixes | | | ### Top Programs 1. Bugcrowd 2. HackerOne 3. Intigriti 4. YesWeHack 5. Synack, Inc. 6. HackenProof | Web3 bug bounty platform 7. Open Bug Bounty 8. Immunefi 9. Cobalt 10. Zerocopter 11. Yogosha 12. SafeHats 13. Vulnerability Research Labs, LLC 14. AntiHACKme Pte Ltd 15. RedStorm Information Security 16. Cyber Army Indonesia 17. Hacktrophy 18. Nordic Defender 19. Capture The Bug 20. Bugbounter 21. Detectify 22. BugBase 23. Code4rena 24. huntr 25. Pentabug {% endtab %} {% tab title="Code Analysis" %} * [SonarQube](https://www.sonarsource.com/products/sonarqube/downloads/) website and [Git Repo](https://github.com/SonarSource/sonarqube) * [CodeCat](https://github.com/CoolerVoid/codecat) - open-source tool to help find/track user input sinks and other security bugs * [Betterscan](https://www.betterscan.io/) {% endtab %} {% tab title="API" %} **References** | Resources | | | | --------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------- | | [OWASP API Security Top 10 Vulnerabilities](https://owasp.org/www-project-api-security/) | [API Security Checklist](https://github.com/Martian1337/API-Security-Checklist) | [Keyhacks](https://github.com/streaak/keyhacks) | | [Vulnerable API Instance by @raj-kumar-j](https://github.com/raj-kumar-j/Vulnerable-API) | [Hacking APIs book by Corey Ball](https://www.amazon.com/Hacking-APIs-Application-Programming-Interfaces/dp/1718502443) | [DVWS: Vulnerable application with web service and API](https://github.com/snoopysecurity/dvws) | | [DVGA: Vulnerable GraphQL API application](https://github.com/dolevf/Damn-Vulnerable-GraphQL-Application) | [API Workshop by Corey Ball](https://sway.office.com/HVrL2AXUlWGNDHqy) | [OWASP API Tool List](https://owasp.org/www-community/api_security_tools) | | [MindAPI](https://dsopas.github.io/MindAPI/play/) - interactive Mind Map | | | **Testing Tools**
Tools
Grapql-copgraphql voyager -converts a response of an introspection query into a visual graph that mapsInQL -can inspect the introspection query results and generate clean documentation in different formats (Burp Extension)
Online JSON Web Token (JWT) Tool/Reference !SOAPUIPostman
Kubeshark - API Traffic Viewer for KubernetesMetlo - API security toolKiteRunner
{% endtab %} {% tab title="Threat Modeling" %} * [NIST SP 800-30](https://csrc.nist.gov/publications/detail/sp/800-30/rev-1/final) * {% endtab %} {% endtabs %} {% tabs %} {% tab title="Recon" %} **Reconnaissance** | [Final Recon (Web Reconnaissance) from @thewhiteh4t](https://github.com/thewhiteh4t/FinalRecon) | [Sublist3r](https://github.com/aboul3la/Sublist3r) | [patator](https://github.com/lanjelot/patator) | | -------------------------------------------------------------------------------------------------- | -------------------------------------------------------------- | ------------------------------------------------------------------------ | | [ffuf](https://github.com/ffuf/ffuf) | [wfuzz](https://github.com/xmendez/wfuzz) | [xnLinkFinder](https://github.com/xnl-h4ck3r/xnLinkFinder) | | [WebOSINT](https://github.com/C3n7ral051nt4g3ncy/webosint) | [All in One Recon Tool (AORT)](https://github.com/D3Ext/AORT) | [katana by ProjectDiscovery](https://github.com/projectdiscovery/katana) | | [Domain to IP converter (Python) by @YSSVirus](https://github.com/YSSVirus/domain-to-ip_converter) | [Cariddi by @edoardott](https://github.com/edoardottt/cariddi) | | **Directory Fuzzing** | [CeWL](https://github.com/digininja/CeWL) | [fzf](https://github.com/junegunn/fzf) - Use alias in CLI to easily discover installed wordlists | [SecLists](https://github.com/danielmiessler/SecLists) - various lists | | ----------------------------------------- | ------------------------------------------------------------------------------------------------ | ---------------------------------------------------------------------- | **SubDomain/DNS Enumeration** | [MayorSec DNS Scan](https://github.com/dievus/msdnsscan) ! | [PureDNS](https://github.com/d3mondev/puredns) | [DNSrr](https://github.com/A3h1nt/Dnsrr) | | ---------------------------------------------------------- | ------------------------------------------------------- | ---------------------------------------- | | [AquaTone](https://github.com/michenriksen/aquatone) | [DNSReaper](https://github.com/punk-security/dnsReaper) | | | {% endtab %} | | | {% tab title="WAF" %} **Detection and Evasions** | [wafw00f from @enableSecurity](https://github.com/EnableSecurity/wafw00f) | --- | --- | | ------------------------------------------------------------------------- | --- | --- | | {% endtab %} | | | {% tab title="Deobfuscation" %} **JS, PHP, HTML Deobfuscation** | [Online Javascript Obfuscator](https://obfuscator.io/) | [JavaScript Console](https://jsconsole.com/) (test javascript code excution) | [Toptal JavaScript-Minifier](https://www.toptal.com/developers/javascript-minifier) | | ---------------------------------------------------------------------------------- | ---------------------------------------------------------------------------- | ----------------------------------------------------------------------------------- | | [Beautifier ](https://beautifier.io/)(obfuscator/code editor for CSS, HTML and JS) | [JSNice](http://www.jsnice.org/) (JS de-obfuscator) | [Prettier ](https://prettier.io/playground/)(obfuscator/code editor) | | {% endtab %} | | | | {% endtabs %} | | | ### Plugins {% tabs %} {% tab title="BurpSuite Plugins" %}
Common
Nuclei burp plugin (in Bapp store) - generate nuclei template from burp requestsHackBar Extension (in Bapp store) - Security testing Payloads
IP Rotate Burp Extension (in BApp store)Bypass-WAF (in BAPP store)
Autorize - Automatic authorization enforcement detectionHackvertor – Handy type conversion
Sensitive Discoverer - Discovers sensitive information inside HTTP messagesNowafpls - Bypass WAFs through the insertion of Junk Data
Attack Surface Detector (in BAppp store) - uses static code analyses to identify web app endpoints by parsing routes and identifying parameters
**Additional Plugins** Burp Bounty – Profile-based scanner Active Scan++ – Add more power to Burp’s Active Scanner AuthMatrix – Authorization/PrivEsc checks Broken Link Hijacking – For BLH (Broken Link Hijacking) Collaborator Everywhere – Pingback/SSRF (Server-Side Request Forgery) Command Injection Attacker Content-Type Converter – Trying to bypass certain restrictions by changing Content-Type Decoder Improved – More decoder features Freddy – Deserialization Flow – Better HTTP history HTTP Request Smuggler Hunt – Potential vuln identifier InQL – GraphQL Introspection testing J2EE Scan – Scanning J2EE apps JSON/JS Beautifier JSON Web Token Attacker ParamMiner – Mine hidden parameters Reflected File Download Checker Reflected Parameter – Potential reflection SAML Raider – SAML testing Upload Scanner – File upload tester Web Cache Deception Scanner {% endtab %} {% tab title="Browser Add-ons" %} | [HackTools Browser Extension Repo (Easier install from extension menu)](https://github.com/LasCC/Hack-Tools.git) | [Penetration Testing Kit Browser Extension](https://pentestkit.co.uk/index.html) ! | [Wappalyzer Browser Extension](https://www.wappalyzer.com/apps) | | ------------------------------------------------------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------ | -------------------------------------------------------------------- | | [Vulners Browser Extension](https://chrome.google.com/webstore/detail/vulners-web-scanner/dgdelbjijbkahooafjfnonijppnffhmd?hl) | [Awesome Burp Extensions](https://github.com/snoopysecurity/awesome-burp-extensions) | [Burp Upload Scanner](https://github.com/PortSwigger/upload-scanner) | | [Dorkish](https://github.com/yousseflahouifi/dorkish) (Recon) | | | | {% endtab %} | | | | {% endtabs %} | | | #### Common Attacks {% tabs %} {% tab title="XSS" %} | [PortSwigger XSS Cheat Sheet](https://portswigger.net/web-security/cross-site-scripting/cheat-sheet) ! | [XSS Exploitatation Tool](https://github.com/Sharpforce/XSS-Exploitation-Tool) | [Tiny XSS Payloads](https://tinyxss.terjanq.me/) | | ------------------------------------------------------------------------------------------------------ | ------------------------------------------------------------------------------ | ------------------------------------------------ | | [D4rkXSS](https://github.com/R0X4R/D4rkXSS) | [IbrahimXSS](https://ibrahimxss.store/) | | | {% endtab %} | | | {% tab title="LFI/RFI" %} * [LFI Tester](https://github.com/kostas-pa/LFITester) {% endtab %} {% tab title="SSRF" %} [Blind SSRF Chains repo](https://github.com/assetnote/blind-ssrf-chains) {% endtab %} {% tab title="SSTI" %} * [TPLMap](https://github.com/epinna/tplmap) (Automated Template Injection) from @epinna * [SSTImap](https://github.com/vladko312/SSTImap) (Automated Template Injection) from @vladko312 {% endtab %} {% tab title="SQLi" %} | [SqlMap: An SQL injection and database takeover tool](https://github.com/sqlmapproject/sqlmap) ! | [SQL Injection Cheatsheet](https://github.com/kleiton0x00/Advanced-SQL-Injection-Cheatsheet) | [Advanced SQL Injection Cheatsheet](https://github.com/kleiton0x00/Advanced-SQL-Injection-Cheatsheet) ! | | ------------------------------------------------------------------------------------------------ | -------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------- | | [Ghauri](https://github.com/r0oth3x49/ghauri) | [Userefuzz - SQLi Fuzzing tool](https://github.com/root-tanishq/userefuzz) | [SQLi Knowledge Base](https://www.websec.ca/kb/sql_injection) | | [SQLRecon - C# Recon and Exploitation](https://github.com/skahwah/SQLRecon) for MSSQL | [PySQLRecon - Python Recon and Exploitation](https://github.com/Tw1sm/PySQLRecon) for MSSQL | | | {% endtab %} | | | {% tab title="Clickjacking" %} * [CSS Button Generator](https://cssbuttongenerator.com/) * [CSS Version 3 Button Generator](https://css3buttongenerator.com/) * [Clickjacker](https://clickjacker.io/) - Online tool * [Click-Jack](https://github.com/princep4/Click-Jack) - cli tool {% endtab %} {% endtabs %} #### Advanced Attacks {% tabs %} {% tab title="Deserialization" %} | | | | | --------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------- | | [ysoerial for Java libraries](https://github.com/frohoff/ysoserial) | [Java Deserialization CheatSheet](https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet) | [ysoserial for .NET libraries](https://github.com/pwntester/ysoserial.net) | | [PHP Generic Gadget chains (PHPGGC)](https://github.com/ambionics/phpggc) - AKA "ysoserial for PHP" | | | | {% endtab %} | | | | {% endtabs %} | | |