In every web pentest there are several hidden and obvious places that might be vulnerable. This page is a checklist to confirm you have searched for vulnerabilities in all possible places.

Proxies

Modern web applications often use intermediary proxies. These vulnerabilities require a vulnerable proxy to be in place, but they usually also need an extra vulnerability in the backend.
Proxy-related attack surface:
  • Abusing hop-by-hop headers
  • Cache Poisoning / Cache Deception
  • HTTP Connection Contamination
  • HTTP Request Smuggling
  • HTTP Response Smuggling / Desync
  • H2C Smuggling
  • Server Side Inclusion / Edge Side Inclusion
  • XSLT Server Side Injection
  • Proxy / WAF Protections Bypass

User Input

Most web applications allow users to input data that will be processed later. Depending on the structure of the data the server expects, some vulnerabilities may or may not apply.

Reflected Values

If the data a user submits may be reflected in the response, the page might be vulnerable to several issues:

  • Client Side Path Traversal: exploiting path manipulation on the client side.
  • Command Injection: injecting OS commands via user-controlled input.
  • File Inclusion / Path Traversal: including local or remote files through path manipulation.
  • Open Redirect: redirecting users to attacker-controlled URLs.
  • Server Side Request Forgery: forcing the server to make requests to internal resources.
  • Server Side Template Injection: injecting template expressions into server-side template engines.
  • XSS: executing arbitrary JavaScript in victims’ browsers.
  • CRLF Injection: injecting carriage return/line feed characters into HTTP headers.

Search Functionalities

If a feature searches data inside the backend, you may be able to abuse it to query arbitrary data:
  • File Inclusion / Path Traversal
  • NoSQL Injection
  • LDAP Injection
  • ReDoS (Regular Expression Denial of Service)
  • SQL Injection
  • ORM Injection
  • XPATH Injection

Forms, WebSockets, and PostMessages

When a form lets users perform actions, or the page exchanges messages over WebSockets or postMessage, vulnerabilities may arise:
  • Cross Site Request Forgery (CSRF)
  • Cross-site WebSocket hijacking (CSWSH)
  • Phone Number Injections
  • PostMessage Vulnerabilities
  • WebSocket Hijacking + Localhost Abuse: WebSocket upgrades automatically forward cookies and do not block ws://127.0.0.1, so any web origin can drive desktop IPC endpoints that skip Origin validation. Observe emitted frames, bruteforce the listening port, then chain a create → privileged action pair.
  • If you can pass arbitrary JVM flags (such as AdditionalJavaArguments), force an error with -XX:MaxMetaspaceSize=<tiny> and attach -XX:OnOutOfMemoryError="<cmd>" to run OS commands.

HTTP Headers

Depending on HTTP headers given by the web server, some vulnerabilities might be present:
  • Clickjacking
  • Iframe Traps / Click Isolation
  • Content Security Policy bypass
  • Cookies Hacking
  • CORS Misconfigurations

Authentication Bypasses

  • 2FA/OTP Bypass
  • Bypass Payment Process
  • Captcha Bypass
  • Account Takeover Playbooks
  • Login Bypass
  • Race Condition
  • Rate Limit Bypass
  • Reset Forgotten Password Bypass
  • Registration Vulnerabilities

Structured Objects & Specific Functionalities

Some functionalities require data in a very specific format (like serialized objects or XML):
  • Deserialization
  • Email Header Injection
  • JWT Vulnerabilities
  • JSON / XML / YAML Hacking
  • XML External Entity (XXE)
  • GraphQL Attacks
  • gRPC-Web Attacks

Files

Functionalities that allow uploading files might be vulnerable to several issues:
  • File Upload
  • Formula Injection (CSV, LaTeX, etc.)
  • PDF Injection
  • Server Side XSS

External Identity Management

  • OAUTH to Account Takeover
  • SAML Attacks

Other Helpful Vulnerabilities

  • Domain / Subdomain Takeover
  • IDOR (Insecure Direct Object Reference)
  • Mass Assignment (CWE-915)
  • Parameter Pollution
  • Unicode Normalization Vulnerability

Web Servers & Middleware

Misconfigurations in the edge stack often unlock more impactful bugs in the application layer:
  • Apache
  • Nginx
  • IIS (Internet Information Services)
  • Tomcat
  • Werkzeug Debug Exposure
  • PUT Method / WebDAV
  • Special HTTP Headers
  • WSGI Deployment
  • Django
  • Flask
  • NodeJS / Express
  • Angular
  • Vue / Nuxt
  • Next.js
  • Laravel
  • Symfony
  • Spring Actuators
  • WordPress
  • Joomla
  • Drupal
  • Moodle
  • Prestashop
  • Atlassian Jira
  • Grafana
  • Rocket.Chat
  • Zabbix
  • Microsoft SharePoint
  • Sitecore
  • Web API Pentesting
  • Storage Buckets & Firebase
  • Imagemagick Security
  • Artifactory & Package Registries

Supply Chain & Identifier Abuse

Attacks targeting build pipelines or predictable identifiers can become initial footholds:
  • Dependency Confusion
  • Timing Attacks
  • UUID Insecurities

Web3, Extensions & Tooling

Modern applications extend into browsers, wallets, and automation pipelines:
  • dApps / Decentralized Applications
  • Browser Extension Pentesting
  • wfuzz Web Fuzzing
