Cyb3Raiz000/VAPT-Master-Checklists

๐Ÿ›ก๏ธ Web Application VAPT Master Checklist

A comprehensive, actionable checklist and methodology guide for Vulnerability Assessment and Penetration Testing (VAPT), focusing on the most critical web application vulnerabilities.

Designed for authorized penetration testers, bug bounty hunters, and security researchers.


📌 Table of Contents

  1. SQL Injection (SQLi)
  2. Cross-Site Scripting (XSS)
  3. Insecure Direct Object Reference (IDOR)
  4. Server-Side Request Forgery (SSRF)
  5. XML External Entity (XXE)
  6. Server-Side Template Injection (SSTI)
  7. Broken Authentication & Session Management
  8. Mass Assignment (Auto-Binding)
  9. Race Condition (TOCTOU)
  10. CORS Misconfigurations

1. SQL Injection (SQLi)

✅ Checklist

  • Identify all input vectors (URL parameters, JSON bodies, headers like User-Agent or X-Forwarded-For).
  • Determine if the injection is Error-based, Boolean-based, Time-based, or OOB.
  • Check for the presence of a Web Application Firewall (WAF).

๐Ÿ› ๏ธ Techniques

  • Error/Blind: Inject math operators or logical statements (' OR 1=1--, ' AND SLEEP(5)--) to observe database errors or response delays.
  • Out-of-Band (OOB): When the injection is blind and nothing is reflected in-band, force the database server to make a DNS or HTTP request to an external server you control (e.g., via xp_cmdshell on MSSQL or LOAD_FILE with a UNC path on MySQL, depending on the DBMS) and carry the data out in that request.
  • WAF Bypass: Use URL encoding (%27 for '), double encoding (%2527), hex encoding, or SQL comment obfuscation (SELECT/*!10000foo*/) to sneak payloads past signature-based WAFs.
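Parameterized queries are the fix for every variant listed in this section. The following is an added illustration, not code from this repository: a deliberately vulnerable lookup next to its parameterized form, run against a constructed SQLite table, plus a logging-oriented detector that percent-decodes a parameter to a fixed point before matching, which is what catches the double-encoded (%2527) form described above. The table contents, function names and the regex are constructed for the example.

```python
import re
import sqlite3
from urllib.parse import unquote


def build_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the application's user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO users (name, secret) VALUES (?, ?)",
        [("alice", "secret-a"), ("bob", "secret-b")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Deliberately vulnerable: the caller's value is spliced into the SQL text,
    so a quote in the input changes the structure of the query."""
    sql = f"SELECT name, secret FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, name: str) -> list:
    """Hardened: the driver binds the value as data; the SQL shape cannot change."""
    return conn.execute(
        "SELECT name, secret FROM users WHERE name = ?", (name,)
    ).fetchall()


# Signature-style check for alerting on the probes listed above. Constructed patterns;
# this is a detection aid, not a substitute for parameterization.
SQLI_PATTERNS = re.compile(
    r"'\s*or\s+1\s*=\s*1"       # ' OR 1=1
    r"|'\s*and\s+sleep\s*\("    # ' AND SLEEP(
    r"|/\*!\d*"                 # MySQL version-comment obfuscation: /*!10000
    r"|--\s*$",                 # trailing comment that swallows the closing quote
    re.IGNORECASE,
)


def canonicalize(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until the value stops changing, so %2527 becomes %27 and then '.
    Matching on the raw request string would miss the double-encoded form."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def looks_like_sqli(value: str) -> bool:
    return SQLI_PATTERNS.search(canonicalize(value)) is not None
```

Run the two lookups with the page's `' OR 1=1--` payload: the vulnerable version returns every row, the parameterized one returns nothing because the whole string is compared as a name.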

2. Cross-Site Scripting (XSS)

✅ Checklist

  • Map all reflection points where user input is returned in the HTTP response.
  • Prioritize testing: Stored (highest impact) > Reflected (requires social engineering) > DOM (client-side only).
  • Analyze Content Security Policy (CSP) headers for weaknesses.

๐Ÿ› ๏ธ Techniques

  • Stored/Reflected: Inject polyglot payloads (javascript://%250Aalert(1)//"onclick=alert(1)//<svg/onload=alert(1)>) to break out of HTML attributes and script tags.
  • DOM: Trace source-to-sink flows in JavaScript files (e.g., from location.hash to innerHTML).
  • CSP Bypass: If unsafe-inline is blocked, look for missing script-src restrictions, JSONP endpoints hosted on whitelisted domains, or open redirects that can be leveraged to execute scripts.
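The checklist item "analyze CSP headers for weaknesses" can be automated for the cases this section names. As an added example (not part of this repository), the parser below reads a Content-Security-Policy value, works out which directive actually governs scripts (browsers fall back to default-src when script-src is missing, and apply no restriction when both are missing), and reports 'unsafe-inline', wildcard or scheme-only sources, and whole-host allowlist entries that deserve a look for JSONP endpoints or open redirects. The finding texts and the sample policies are constructed.

```python
from typing import Dict, List, Optional

KEYWORD_SOURCES = {"'self'", "'none'", "'unsafe-inline'", "'unsafe-eval'", "'strict-dynamic'"}


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy value into {directive: [source expressions]}."""
    policy: Dict[str, List[str]] = {}
    for directive in header.split(";"):
        tokens = directive.strip().split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def script_sources(policy: Dict[str, List[str]]) -> Optional[List[str]]:
    """Sources that govern script execution; None means nothing restricts scripts at all."""
    if "script-src" in policy:
        return policy["script-src"]
    return policy.get("default-src")


def csp_findings(header: str) -> List[str]:
    findings: List[str] = []
    sources = script_sources(parse_csp(header))
    if sources is None:
        return ["no script-src or default-src: inline and third-party scripts are unrestricted"]
    # CSP level 2+ browsers ignore 'unsafe-inline' once a nonce or hash is present
    has_nonce_or_hash = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in sources
    )
    if "'unsafe-inline'" in sources and not has_nonce_or_hash:
        findings.append("'unsafe-inline' lets injected inline scripts and event handlers run")
    if "'unsafe-eval'" in sources:
        findings.append("'unsafe-eval' lets injected strings reach eval()/Function()")
    for src in sources:
        if src in KEYWORD_SOURCES or src.startswith(("'nonce-", "'sha")):
            continue
        if src == "*" or src.endswith(":"):  # '*' or a bare scheme such as https:
            findings.append(f"{src} allows scripts from any host")
        else:
            findings.append(
                f"{src} is trusted as a whole host: review it for JSONP endpoints "
                "or open redirects that would let attacker-chosen script load from it"
            )
    return findings
```

A policy of `default-src 'self'` with no script-src produces no findings, while `script-src 'self' 'unsafe-inline' https://cdn.example.com` produces two: one for the inline allowance and one for the whole-host entry.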

3. Insecure Direct Object Reference (IDOR)

✅ Checklist

  • Enumerate all endpoints relying on identifiers (e.g., /api/users/1234/profile).
  • Determine if identifiers are predictable (sequential integers) or obscure (UUIDs).
  • Attempt CRUD (Create, Read, Update, Delete) operations on objects belonging to other tenants.

๐Ÿ› ๏ธ Techniques

  • Direct Modification: Simply change the ID in the parameter and send the request using a lower-privileged session.
  • HTTP Parameter Pollution (HPP): Supply multiple IDs to see if the backend logic gets confused (?user_id=attacker_id&user_id=victim_id).
  • Type Juggling/Array Wrapping: Change the ID parameter from a string to an array in JSON payloads ({"user_id": [1234]}) to bypass strict string validation checks.
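The server-side counterpart to the three techniques above is an object-level authorization check that is applied after the identifier has been extracted unambiguously. The following is an added example, not code from this repository: it rejects a polluted query string (`user_id` supplied twice), rejects a body value whose JSON type is not an integer (the array-wrapping trick), refuses when query and body disagree, and only then compares the requested id with the session's own. The session shape, the `role` field and the endpoint semantics are assumptions.

```python
from typing import Any, Dict, Optional, Tuple
from urllib.parse import parse_qs


def extract_user_id(
    query_string: str, json_body: Optional[Dict[str, Any]] = None
) -> Tuple[Optional[int], str]:
    """Return (user_id, "") when exactly one well-typed id is present, else (None, reason)."""
    candidates = []
    params = parse_qs(query_string, keep_blank_values=True)
    if "user_id" in params:
        values = params["user_id"]
        if len(values) != 1:  # HTTP parameter pollution: ?user_id=a&user_id=b
            return None, "parameter pollution: user_id supplied %d times" % len(values)
        if not values[0].isdigit():
            return None, "user_id in query string must be a decimal integer"
        candidates.append(int(values[0]))
    if json_body is not None and "user_id" in json_body:
        value = json_body["user_id"]
        # bool is a subclass of int in Python, so it is excluded explicitly;
        # lists ({"user_id": [1234]}) and strings are rejected by the isinstance check
        if isinstance(value, bool) or not isinstance(value, int):
            return None, "user_id in body must be an integer, got %s" % type(value).__name__
        candidates.append(value)
    if not candidates:
        return None, "user_id missing"
    if len(set(candidates)) != 1:
        return None, "user_id differs between query string and body"
    return candidates[0], ""


def authorize_profile_access(
    session: Dict[str, Any], query_string: str, json_body: Optional[Dict[str, Any]] = None
) -> Tuple[bool, str]:
    """Object-level authorization: the id in the request is honoured only if the
    session owns that object (or carries the assumed 'admin' role)."""
    user_id, problem = extract_user_id(query_string, json_body)
    if user_id is None:
        return False, problem
    if session.get("role") == "admin" or session["user_id"] == user_id:
        return True, "ok"
    return False, "session user %d does not own user %d" % (session["user_id"], user_id)
```

Every denial carries a reason string; logging those reasons is also a cheap way to spot enumeration, since a single session trying many foreign ids stands out.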

4. Server-Side Request Forgery (SSRF)

✅ Checklist

  • Identify features that fetch external URLs (webhooks, PDF generators, image uploaders, link previews).
  • Attempt to hit localhost/internal network ranges.
  • Target cloud metadata endpoints if hosted on AWS, GCP, or Azure.

๐Ÿ› ๏ธ Techniques

  • Internal Services: Point the URL to http://127.0.0.1:port or http://localhost:port to port-scan internal services or access administrative panels not exposed to the internet.
  • Cloud Metadata: Request http://169.254.169.254/latest/meta-data/ to extract cloud environment configurations, temporary IAM credentials, and keys.
  • Bypasses: If 127.0.0.1 is blacklisted, use decimal IPs (2130706433), IPv6 ([::]), octal representations, or DNS rebinding techniques.
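A denylist of the string `127.0.0.1` is exactly what the bypass list above defeats. The validator below is an added example, not code from this repository: it normalizes every IP spelling named in that list (decimal, octal, hex, short dotted forms, bracketed IPv6) and also IPv4-mapped IPv6, resolves real hostnames, rejects any address that is not globally routable (loopback, RFC 1918, link-local including 169.254.169.254, carrier-grade NAT, unspecified), and returns the addresses it checked so the caller connects to those rather than resolving a second time, which is what closes the DNS-rebinding window. `system_resolver` wraps the standard `socket.getaddrinfo`; `constructed_resolver` and its answers are made up for the demonstration.

```python
import ipaddress
import socket
from typing import Callable, List, Optional, Tuple, Union
from urllib.parse import urlsplit

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
Resolver = Callable[[str], List[str]]


def system_resolver(host: str) -> List[str]:
    """OS resolver; the caller should connect to the returned addresses, not re-resolve."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


# Constructed DNS answers so the example runs offline.
CONSTRUCTED_DNS = {"webhook.example.net": ["93.184.216.34"], "intranet.example.net": ["10.0.0.5"]}


def constructed_resolver(host: str) -> List[str]:
    return CONSTRUCTED_DNS.get(host, [])


def parse_ip_literal(host: str) -> Optional[IPAddress]:
    """Accept the spellings a URL fetcher's socket library would accept: dotted quad,
    decimal (2130706433), octal (0177.0.0.1), hex (0x7f.1), short forms (127.1) and
    IPv6 (urlsplit hands '[::]' over as '::'). Return None for anything else."""
    if ":" in host:
        try:
            return ipaddress.ip_address(host)
        except ValueError:
            return None
    parts = host.split(".")
    if not 1 <= len(parts) <= 4 or any(p == "" for p in parts):
        return None
    numbers = []
    try:
        for p in parts:
            if p[:2].lower() == "0x":
                numbers.append(int(p[2:], 16))
            elif len(p) > 1 and p[0] == "0":
                numbers.append(int(p, 8))
            else:
                numbers.append(int(p, 10))
    except ValueError:
        return None  # not numeric, so treat it as a hostname
    head, tail = numbers[:-1], numbers[-1]
    tail_bytes = 4 - len(head)  # inet_aton rule: the last part fills the remaining bytes
    if any(not 0 <= n <= 255 for n in head) or not 0 <= tail < 256 ** tail_bytes:
        return None
    value = 0
    for n in head:
        value = (value << 8) | n
    return ipaddress.IPv4Address((value << (8 * tail_bytes)) | tail)


def is_public_address(addr: IPAddress) -> bool:
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped  # ::ffff:127.0.0.1 is still loopback
    return addr.is_global and not addr.is_multicast


def validate_fetch_target(url: str, resolver: Resolver = system_resolver) -> Tuple[bool, str, List[str]]:
    """Return (allowed, reason, addresses). Connect only to the returned addresses."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme %r not allowed" % parts.scheme, []
    host = parts.hostname
    if not host:
        return False, "missing host", []
    literal = parse_ip_literal(host)
    if literal is not None:
        addresses = [literal]
    else:
        try:
            addresses = [ipaddress.ip_address(a) for a in resolver(host)]
        except (socket.gaierror, ValueError) as exc:
            return False, "resolution failed: %s" % exc, []
        if not addresses:
            return False, "no addresses for %s" % host, []
    for addr in addresses:
        if not is_public_address(addr):
            return False, "%s maps to non-public address %s" % (host, addr), []
    return True, "ok", [str(a) for a in addresses]
```

Checking the resolved address is necessary but not sufficient on its own: the HTTP client must also be told not to follow redirects blindly (or to re-validate each hop), since a permitted public host can redirect into the internal range.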

5. XML External Entity (XXE)

✅ Checklist

  • Identify endpoints accepting XML data (or try changing the Content-Type from application/json to application/xml to see if the backend parser accepts it).
  • Determine if external entity resolution is enabled.

๐Ÿ› ๏ธ Techniques

  • In-Band: Declare an external entity fetching local files (e.g., <!ENTITY xxe SYSTEM "file:///etc/passwd">) and reference &xxe; in the XML body to read server files.
  • Out-of-Band (OOB): When the application does not reflect the parsed XML in its response, host a malicious Document Type Definition (DTD) on a server you control. Use parameter entities to read a local file on the target and send its contents as a parameter of a GET request to that server, where they show up in the request logs.
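Both variants above depend on the parser honouring a DOCTYPE with entity declarations, which an API that only exchanges data documents never needs. As an added example (not code from this repository), the guard below pre-scans the bytes with the standard-library expat parser and aborts on the first DOCTYPE, entity declaration or external entity reference, before any expansion can happen, and only then hands the document to `xml.etree.ElementTree`. The sample documents and the `classify` wrapper are constructed for the demonstration.

```python
import xml.parsers.expat
from xml.etree import ElementTree as ET


class UnsafeXml(ValueError):
    """The document uses DTD features (DOCTYPE, entities) that this API never needs."""


def reject_dtd(data: bytes) -> None:
    """Abort on the first DOCTYPE or entity declaration. Expat stops parsing and
    propagates an exception raised inside a handler out of Parse()."""
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        raise UnsafeXml("DOCTYPE declaration rejected (root=%r, system id=%r)" % (name, system_id))

    def on_entity_decl(name, is_parameter, value, base, system_id, public_id, notation):
        raise UnsafeXml("entity declaration rejected: %r" % name)

    def on_external_ref(context, base, system_id, public_id):
        raise UnsafeXml("external entity reference rejected: %r" % system_id)

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.Parse(data, True)


def parse_untrusted_xml(data: bytes) -> ET.Element:
    """Parse client-supplied XML with DTD processing refused outright."""
    reject_dtd(data)
    return ET.fromstring(data)


def classify(data: bytes) -> str:
    """Human-readable verdict, handy for a request log."""
    try:
        root = parse_untrusted_xml(data)
    except UnsafeXml as exc:
        return "blocked: %s" % exc
    except (ET.ParseError, xml.parsers.expat.ExpatError) as exc:
        return "malformed: %s" % exc
    return "ok: root <%s>" % root.tag
```

This pairs with the Content-Type item in the checklist: an endpoint documented as JSON should answer `application/xml` with 415 rather than letting content negotiation pick an XML parser that was never hardened.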

6. Server-Side Template Injection (SSTI)

✅ Checklist

  • Identify fields where user input might be parsed by a template engine (e.g., dynamic email templates, customizable web pages).
  • Determine the underlying engine (Jinja2, Twig, Freemarker, etc.) via syntax testing.

๐Ÿ› ๏ธ Techniques

  • Engine Identification: Inject basic math expressions like {{7*7}}, ${7*7}, or <%= 7*7 %>. If the server returns 49, SSTI is confirmed.
  • Remote Code Execution (RCE): Escalate from math evaluation to OS command execution. For example, in Jinja2 (Python), traverse the method resolution order (MRO) to reach the os module: {{ config.__class__.__init__.__globals__['os'].popen('id').read() }}.

7. Broken Authentication & Session Management

✅ Checklist

  • Analyze the implementation of JSON Web Tokens (JWTs) or traditional session cookies.
  • Test password reset flows and multi-factor authentication (MFA) implementation.

๐Ÿ› ๏ธ Techniques

  • JWT "None" Algorithm: Modify the JWT header to {"alg":"none"}, remove the signature, and see if the backend still accepts the token as valid.
  • Weak Secret Cracking: Extract the JWT, identify the signing algorithm from its header, and run the token through Hashcat/John the Ripper with a wordlist to recover a weak HMAC signing key.
  • Session Fixation: Obtain a valid session ID, force a victim to use it (via XSS or parameter injection), wait for them to log in, and then hijack their authenticated session.
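The first two JWT techniques above both succeed against a verifier that trusts the token's own header. As an added example (not code from this repository), here is a standard-library HS256 signer and verifier in which the algorithm is fixed server-side and merely compared against the header, so `{"alg":"none"}` with an empty signature fails the same way a tampered signature does; it also refuses keys shorter than the 256 bits RFC 7518 requires for HS256, which is the class of key the wordlist attack recovers. The `check` wrapper, claim names and key material are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Any, Dict, Optional

MIN_HMAC_KEY_BYTES = 32  # RFC 7518 section 3.2: HS256 keys must be at least 256 bits


class InvalidToken(ValueError):
    pass


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_segment(obj: Dict[str, Any]) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def sign_hs256(claims: Dict[str, Any], key: bytes) -> str:
    if len(key) < MIN_HMAC_KEY_BYTES:
        raise ValueError("HS256 key shorter than 256 bits; use a random key of 32+ bytes")
    signing_input = encode_segment({"alg": "HS256", "typ": "JWT"}) + "." + encode_segment(claims)
    tag = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(tag)


def verify_hs256(token: str, key: bytes, now: Optional[int] = None) -> Dict[str, Any]:
    """Verify with a server-chosen algorithm. The header's 'alg' is compared against that
    choice and never used to select the verification routine."""
    if len(key) < MIN_HMAC_KEY_BYTES:
        raise InvalidToken("server key too short")
    segments = token.split(".")
    if len(segments) != 3:
        raise InvalidToken("token must have exactly three segments")
    header_b64, payload_b64, sig_b64 = segments
    try:
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(payload_b64))
        signature = b64url_decode(sig_b64)
    except ValueError as exc:  # binascii.Error, JSONDecodeError, UnicodeDecodeError
        raise InvalidToken("undecodable segment: %s" % exc)
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        alg = header.get("alg") if isinstance(header, dict) else None
        raise InvalidToken("unexpected alg %r" % alg)
    expected = hmac.new(key, (header_b64 + "." + payload_b64).encode("ascii"), hashlib.sha256).digest()
    # constant-time compare; an empty signature from a stripped token fails here too
    if not hmac.compare_digest(expected, signature):
        raise InvalidToken("signature mismatch")
    if not isinstance(claims, dict):
        raise InvalidToken("payload is not a JSON object")
    exp = claims.get("exp")
    current = now if now is not None else int(time.time())
    if exp is not None and current >= exp:
        raise InvalidToken("token expired")
    return claims


def check(token: str, key: bytes, now: Optional[int] = None) -> str:
    try:
        return "valid for %s" % verify_hs256(token, key, now).get("sub")
    except InvalidToken as exc:
        return "rejected: %s" % exc
```

The same shape applies to asymmetric algorithms: pin the expected algorithm and key per issuer in configuration, and treat a header that disagrees as a rejected token, not as a hint about which key to load.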

8. Mass Assignment (Auto-Binding)

✅ Checklist

  • Analyze API responses (GET requests) to see the full structure of user objects (e.g., hidden fields like role, is_admin, balance).
  • Test if these internal fields can be modified during POST/PUT requests.

๐Ÿ› ๏ธ Techniques

  • JSON Injection: If registering a user only requires {"username":"test", "password":"123"}, add unauthorized parameters: {"username":"test", "password":"123", "admin":true} or {"role":"admin"}.
  • Form Data Injection: Append hidden parameters to form submissions (e.g., &user[is_admin]=1).
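Auto-binding frameworks accept exactly the shapes shown above, which is why the fix is an explicit allowlist of client-writable fields per actor rather than a denylist of dangerous ones. The following is an added example, not code from this repository: a decoder for bracket-style form keys (`user[is_admin]=1`) and a binder that copies only allowlisted fields and reports everything else so the request can be rejected and logged. The field names and the two allowlists are constructed.

```python
from typing import Any, Dict, List, Set, Tuple
from urllib.parse import parse_qsl

# Constructed allowlists: what each actor may set on a user record. Anything absent,
# such as is_admin, role (for normal users) or balance, is set only by server-side code.
USER_WRITABLE: Set[str] = {"username", "password", "display_name", "email"}
ADMIN_WRITABLE: Set[str] = USER_WRITABLE | {"role", "is_admin"}


def parse_nested_form(body: str) -> Dict[str, Any]:
    """Decode Rails/PHP-style bracket keys: 'user[username]=x&user[is_admin]=1'
    becomes {'user': {'username': 'x', 'is_admin': '1'}}."""
    result: Dict[str, Any] = {}
    for key, value in parse_qsl(body, keep_blank_values=True):
        path = key.replace("]", "").split("[")
        node = result
        for part in path[:-1]:
            node = node.setdefault(part, {})
            if not isinstance(node, dict):
                raise ValueError("conflicting form keys at %r" % part)
        node[path[-1]] = value
    return result


def bind_user_fields(payload: Dict[str, Any], actor_role: str) -> Tuple[Dict[str, Any], List[str]]:
    """Copy only allowlisted fields into the model; return the rejected names so the
    caller can answer 400 and log the attempt instead of silently dropping them."""
    allowed = ADMIN_WRITABLE if actor_role == "admin" else USER_WRITABLE
    accepted = {k: v for k, v in payload.items() if k in allowed}
    rejected = sorted(k for k in payload if k not in allowed)
    return accepted, rejected
```

Logging the rejected names is worthwhile on its own: a registration request carrying `admin` or `role` is a clear signal that someone is probing the binder.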

9. Race Condition (Time-of-Check to Time-of-Use / TOCTOU)

✅ Checklist

  • Identify critical, state-changing business logic (e.g., transferring funds, applying discount coupons, voting, redeeming points).
  • Look for operations that have a strict limit (e.g., "use once").

๐Ÿ› ๏ธ Techniques

  • Concurrent Requests: Use tools like Burp Suite's Turbo Intruder or custom scripts to send 20-50 identical requests at the exact same millisecond.
  • Goal: Exploit the microsecond delay between the server checking a condition (e.g., "Is coupon valid?") and updating the database (e.g., "Mark coupon as used"). If successful, a single-use coupon might be applied multiple times.
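The coupon scenario described above can be reproduced deterministically, which is the easiest way to see why the fix works. As an added example (not code from this repository), the simulation below runs 20 redemptions against a constructed SQLite coupon table, each on its own connection like separate application workers, and uses a barrier so that every request completes its check before any of them writes, the worst-case interleaving the attack hopes for. The check-then-update version hands out the single-use code 20 times; the version that folds the check into one conditional `UPDATE ... WHERE used = 0` hands it out once. Table layout, coupon code and the `simulate` harness are constructed.

```python
import os
import sqlite3
import tempfile
import threading
from typing import Callable

N_REQUESTS = 20  # the 20-50 simultaneous requests described above


def init_db(path: str) -> None:
    """Constructed coupon table with one single-use code."""
    conn = sqlite3.connect(path)
    conn.execute("PRAGMA journal_mode=WAL")  # readers never block the writer
    conn.execute("CREATE TABLE coupons (code TEXT PRIMARY KEY, used INTEGER NOT NULL DEFAULT 0)")
    conn.execute("INSERT INTO coupons (code) VALUES ('SAVE10')")
    conn.commit()
    conn.close()


def redeem_check_then_use(conn: sqlite3.Connection, code: str, window: Callable[[], None]) -> bool:
    """Deliberately racy: 'is the coupon valid?' and 'mark it used' are separate statements."""
    row = conn.execute("SELECT used FROM coupons WHERE code = ?", (code,)).fetchone()
    if row is None or row[0] == 1:
        return False
    window()  # time-of-check to time-of-use gap; in production this is ordinary scheduling jitter
    conn.execute("UPDATE coupons SET used = 1 WHERE code = ?", (code,))
    conn.commit()
    return True


def redeem_atomic(conn: sqlite3.Connection, code: str, window: Callable[[], None]) -> bool:
    """Fixed: one conditional UPDATE. The database evaluates `used = 0` and sets `used = 1`
    under its write lock, so at most one request sees a changed row."""
    window()
    cursor = conn.execute("UPDATE coupons SET used = 1 WHERE code = ? AND used = 0", (code,))
    conn.commit()
    return cursor.rowcount == 1


def simulate(redeem: Callable[[sqlite3.Connection, str, Callable[[], None]], bool], n: int = N_REQUESTS) -> int:
    """Run n concurrent redemptions that all reach the gap before any writes and return
    how many were told 'success'. The barrier makes the interleaving deterministic."""
    barrier = threading.Barrier(n)
    results = []
    results_lock = threading.Lock()
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "shop.db")
        init_db(path)

        def worker():
            # one connection per request; IMMEDIATE transactions make competing writers
            # wait on SQLite's busy handler instead of failing with "database is locked"
            conn = sqlite3.connect(path, timeout=30, isolation_level="IMMEDIATE")
            try:
                ok = redeem(conn, "SAVE10", barrier.wait)
            finally:
                conn.close()
            with results_lock:
                results.append(ok)

        threads = [threading.Thread(target=worker) for _ in range(n)]
        for t in threads:
            t.start()
        for t in threads:
            t.join()
    return sum(results)
```

The same idea carries over to other stores: a conditional write (`UPDATE ... WHERE used = 0`, a compare-and-set, a unique constraint on a redemption row) lets the database arbitrate, whereas a read followed by a write in application code always leaves the window open.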

10. CORS Misconfigurations

✅ Checklist

  • Monitor API responses for Cross-Origin Resource Sharing (CORS) headers.
  • Test if the server blindly trusts the Origin header provided by the client.

๐Ÿ› ๏ธ Techniques

  • Origin Reflection: Intercept a request and modify the header to Origin: https://evil.com.
  • Exploitation: If the server responds with Access-Control-Allow-Origin: https://evil.com AND Access-Control-Allow-Credentials: true, the configuration is vulnerable. You can host a malicious JavaScript payload on evil.com that forces the victim's browser to make authenticated requests to the vulnerable API and exfiltrate the returned sensitive data.
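The vulnerable response above is produced by copying the request's Origin into Access-Control-Allow-Origin. As an added example (not code from this repository), here is that reflecting handler beside a safe one that normalizes the Origin, compares it exactly against a configured allowlist, never returns credentials for `null` or for a non-matching origin, and always emits `Vary: Origin` so caches cannot serve one origin's answer to another. It goes slightly beyond the page by also showing that a lookalike origin (`https://app.example.com.evil.com`) gets nothing, which is what a substring or suffix check would get wrong. The allowlist entries are constructed.

```python
from typing import Dict, Optional
from urllib.parse import urlsplit

# Constructed allowlist of origins permitted to make credentialed cross-origin calls.
ALLOWED_ORIGINS = frozenset({"https://app.example.com", "https://admin.example.com"})


def reflecting_cors_headers(request_origin: Optional[str]) -> Dict[str, str]:
    """Deliberately vulnerable: trusts whatever Origin the client sends."""
    if request_origin is None:
        return {}
    return {
        "Access-Control-Allow-Origin": request_origin,
        "Access-Control-Allow-Credentials": "true",
    }


def normalize_origin(origin: str) -> Optional[str]:
    """Return scheme://host[:port] in canonical form, or None if it is not a bare origin."""
    parts = urlsplit(origin)
    if parts.scheme not in ("https", "http") or not parts.hostname:
        return None
    if parts.path not in ("", "/") or parts.query or parts.fragment or parts.username:
        return None
    port = parts.port  # raises ValueError for a malformed port
    default_port = 443 if parts.scheme == "https" else 80
    if port is None or port == default_port:
        return "%s://%s" % (parts.scheme, parts.hostname)
    return "%s://%s:%d" % (parts.scheme, parts.hostname, port)


def cors_headers(request_origin: Optional[str]) -> Dict[str, str]:
    """Safe: exact allowlist match, no credentials for anyone else, Vary on Origin."""
    headers = {"Vary": "Origin"}
    if request_origin is None or request_origin == "null":
        return headers  # same-origin/non-browser client, or an opaque (sandboxed) origin
    try:
        normalized = normalize_origin(request_origin)
    except ValueError:
        normalized = None
    if normalized is None or normalized not in ALLOWED_ORIGINS:
        return headers  # browser will block the cross-origin read
    headers["Access-Control-Allow-Origin"] = normalized
    headers["Access-Control-Allow-Credentials"] = "true"
    return headers
```

Note that the safe version echoes the normalized allowlisted value rather than the raw header, so an odd-but-equivalent spelling from the client cannot leak into the response.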

โš ๏ธ Disclaimer

This repository is for educational purposes and authorized penetration testing only. Do not use these techniques on systems you do not own or do not have explicit written permission to test.
