
I have a static-page website that I need to pentest. What I mean by this is that the site does not have a database, and it has no area to submit user input except for a third-party payment service that is managed entirely by them.

I have actually done web app pentesting before and found vulnerabilities such as XSS, CSRF, IDOR, and DoS. However, these were web apps where content was being reflected back to the page, and a user was "logged in."

Off the top of my head, I can think of:

  1. Exposed/improperly protected admin panels
  2. Directory traversal
  3. Weak admin credentials on the host accounts/admin controls

Aside from those issues, I am having a difficult time coming up with other vulnerabilities to look for on a static site where user input is not collected or reflected, there is no notion of an "account", etc. The site does use PHP 7 on Apache, but the site is rather basic compared to many of the modern "web app" sites which utilize OAuth, social media login, reflect content back to the page, and so on.

Note: I did see Which security measures make sense for a static web site? but that post is more from a "blue team" standpoint, whereas I am asking for pentesting advice, not advice for how to secure the site.

the_endian

I recommend going through the OWASP Testing Guide: https://www.owasp.org/images/1/19/OTGv4.pdf – fgk Feb 19 '20 at 08:36

1 Answer

Regarding the third-party payment service, there are many possible vulnerabilities. Off the top of my head, I'd try to intercept and modify a request made from the web page to the third-party payment service (e.g. lower the amount).

After that, I would focus on the Apache server that delivers the HTML page to the client. Try looking up Apache vulnerabilities.

I'd fiddle around with the URL (I've heard about DoS by browsing to domain.com/shutdown) looking for direct request vulnerabilities, and test the request headers looking for OS injection, overflows, CRLF, etc.

Also, I'd check for inconsistencies like making requests with HTTP/0.9 vs HTTP/1.1 (this could provide an auth bypass).

"I am having a difficult time coming up with other vulnerabilities to look for"

Razvan