Web Application Penetration Testing

  1. Client-Side Vulnerabilities
    1. Cross-Site Scripting
      1. Reflected XSS
        1. URL-Based Reflection
          1. Form-Based Reflection
            1. HTTP Header Reflection
            2. Stored XSS
              1. Database Storage
                1. File System Storage
                  1. Log File Injection
                  2. DOM-Based XSS
                    1. Source and Sink Analysis
                      1. JavaScript Framework Vulnerabilities
                        1. Client-Side Template Injection
                        2. XSS Filter Evasion
                          1. Encoding Techniques
                            1. Polyglot Payloads
                              1. Context-Specific Bypasses
                              2. XSS Exploitation Techniques
                                1. Session Token Theft
                                  1. Keylogging
                                    1. Phishing Attacks
                                      1. Defacement
                                      2. Prevention and Mitigation
                                        1. Input Validation
                                          1. Output Encoding
                                            1. Content Security Policy
                                          2. Cross-Site Request Forgery
                                            1. GET-Based CSRF
                                              1. POST-Based CSRF
                                                1. JSON-Based CSRF
                                                  1. CSRF Token Bypass Techniques
                                                    1. Prevention and Mitigation
                                                    2. Clickjacking and UI Redressing
                                                      1. Basic Clickjacking
                                                        1. Likejacking
                                                          1. Cursorjacking
                                                            1. Drag and Drop Attacks
                                                              1. Prevention and Mitigation
                                                              2. Cross-Origin Resource Sharing Issues
                                                                1. CORS Misconfiguration
                                                                  1. Credential Exposure
                                                                    1. Subdomain Takeover via CORS
                                                                      1. Prevention and Mitigation
                                                                      2. DOM-Based Vulnerabilities
                                                                        1. DOM Clobbering
                                                                          1. Client-Side Path Traversal
                                                                            1. Open Redirection
                                                                              1. Prevention and Mitigation
                                                                              2. Web Storage Security Issues
                                                                                1. Local Storage Vulnerabilities
                                                                                  1. Session Storage Risks
                                                                                    1. IndexedDB Security
                                                                                      1. Prevention and Mitigation
                                                                                      2. Content Security Policy Bypass
                                                                                        1. Script-src Bypass Techniques
                                                                                          1. Object-src Exploitation
                                                                                            1. Base-uri Manipulation
                                                                                              1. Prevention and Mitigation

                                                                                            Previous

                                                                                            6. Server-Side Vulnerabilities

                                                                                            Go to top

                                                                                            Next

                                                                                            8. Authentication and Session Management Testing