We teach the following technical and business logic issues related to web applications, and after covering all topics we have the students solve our CTFs.
| Topic |
|---|
| Information gathering via WHOIS queries |
| Try to find all websites hosted on the same IP address |
| Try to find all websites via reverse DNS queries |
| Try to find all subdomains of all target domains |
| Perform a full TCP/UDP port scan of every website's IP address |
| Try to identify new web interfaces on different TCP ports |
| Use the Google search engine to find subdomains (Google dorks) |
| Information gathering (subdomains, leaked credentials) via Pastebin/GitHub |
| Try to find new subdomains via DNS Dumpster |
| Brute-force the DNS server with a good wordlist to identify new subdomains |
| Analyse error messages, banner information etc. for information gathering |
| Look at the Archive.org records |
| Try to perform subdirectory tests |
| Identify directory listing vulnerabilities by visiting subdirectories |
| Identify directory listing via Google dorks |
| Try to gather information via robots.txt, elmah.axd, trace.axd |
| elmah.axd and trace.axd session stealing tests |
| Try to identify target operating systems, databases etc. |
| Try to find new files with different extensions under newly discovered subdirectories |
| Try to identify the CMS application used on the target system |
| Scan this CMS application with specialised tools |
| Try to identify the installed plugins of the CMS and known vulnerabilities in these plugins |
| Search all known vulnerabilities related to the CMS version |
| Try to identify the admin pages of the target websites |
| Try to check whether any known web backdoor is present on the target systems |
| Data transmission security checks (HTTP usage, missing HSTS header, insecure SSL/TLS etc.) |
| Discover dangerous HTTP method usage such as PUT and DELETE |
| Username enumeration tests via error or warning messages |
| Username enumeration via development mistakes |
| Brute-force testing of web form fields |
| Try to bypass WAF systems |
| Manual crawling of the target applications |
| Find all input fields throughout the target applications |
| Hidden form field tests |
| Source code review of HTML and JavaScript files |
| Identifying and abusing unused captcha forms |
| CSRF vulnerability checks on the sensitive functions of the targets |
| Anti-CSRF token bypass techniques |
| Session manipulation tests |
| Cookie attribute tests |
| Session ID weakness tests |
| Vulnerabilities in the login functions |
| Login function (authentication) bypass techniques |
| Known and published vulnerabilities on the targets |
| Two-factor authentication bypass techniques |
| Session fixation tests |
| Directory traversal vulnerabilities |
| Authorization issues |
| Try to access other users' assets without authorization (files, private assets) |
| IDOR tests |
| Try to find weaknesses in the logout function of the targets |
| Privilege escalation tests with users of different roles |
| Focus on the business logic issues of the target's functions |
| HTTP header tests |
| User-Agent manipulation tests |
| X-Forwarded-For restriction bypass tests |
| XSS tests (reflected, stored, DOM, blind) |
| SQL injection tests |
| Code injection tests |
| Command execution tests |
| SSRF tests (local, remote) |
| LFI/RFI tests |
| Try to focus on web service tests (ASMX, RESTful, WCF) |
| Business and technical tests on the web services |
| Specific tests related to the technologies used (Node.js, AJAX, frameworks etc.) |
| Try to use the right attack vectors depending on the database/development platform used |
| Password reset functionality abuse testing |
| Account takeover via specific functionality of the targets (password change, reset etc.) |
| Image captcha size manipulation DoS tests |
| Application-level DoS tests (abusing functions, BoF etc.) |
| Session timeout tests |
| Secure, HttpOnly and HSTS header usage tests |
| Advanced authentication and authorization tests |
| Open redirection tests |
| File upload tests (command execution, stored XSS, DoS) |
| LDAP injection tests |
| XML injection tests |
| XML External Entity (XXE) tests |
| Buffer overflow tests |
| Login bypass and DoS via long payload usage |
| HTTP response splitting tests (XSS PoC) |
| HTTP parameter pollution tests (WAF bypass PoC) |
| Iframe injection tests |
| LFI via iframe injections |
| XSS tests via drag-and-drop |
| XSS tests via file names of uploaded files |
| Try to discover technical web vulnerabilities via Google dorks |
| Signup function tests (account takeover, XSS, SQL or many business logic bugs) |
| Code execution via uploadable Excel files |
| Try to discover advanced injection points via fuzzing (wfuzz) |
| Try to force the targets to disclose sensitive information via error messages |
| Vulnerabilities in the web server versions |
| Try to determine remotely how the passwords in the target database are encrypted |
| SWF and JAR file decompiling tests, if present on the targets |
| Code execution via SMTP/IMAP |
| Specific wordlist creation (crunch, cewl) |
| phpMyAdmin vulnerabilities (directory listing, brute force, XSS etc.) |
| Code execution via phpMyAdmin with the MySQL INTO OUTFILE function |
| URL poisoning tests |
| Try to use bypass methods for all technical vulnerabilities |
| DoS via code injection |
| Default or predictable password usage tests |
| Post-exploitation via accessed systems (Tomcat, WordPress etc.) |
| Clickjacking vulnerability tests on the important functions of the targets |
| Fully automated scan of all websites |
