Lua For Web - Pentesting Checklist
Below is the pentesting checklist we use when testing Lua web applications.
Syn Cubes Team - May 30, 2021
Word Ahead
Are you running an offensive pentest against a Lua web application?
Q. What is Lua?
A. "Lua is a powerful, efficient, lightweight, embeddable scripting language. It supports procedural programming, object-oriented programming, functional programming, data-driven programming, and data description.
Lua combines simple procedural syntax with powerful data description constructs based on associative arrays and extensible semantics. Lua is dynamically typed, runs by interpreting bytecode with a register-based virtual machine, and has automatic memory management with incremental garbage collection, making it ideal for configuration, scripting, and rapid prototyping." - Lua.org
The following checklist is a simplified, visual version of the original document, Lua Web Application Security Vulnerabilities, published in 2014 by Felipe Daragon (Syhunt). We supplement it with a few other resources, listed at the end of this post.
An updated list of known attack vectors will be provided in a future version of this checklist.
Checklist
[Seven expandable checklist items; their text is not captured on this page]
Other Security Considerations
- Man-in-the-Middle (MITM)
- Lua Packages Supply Chain
- User Input Validation
- Server Hardening Configuration
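As an added example for the User Input Validation item (this is illustrative code written for this post, not code from the original checklist, from Felipe Daragon's paper or from any Lua project), the script below contrasts a handler that builds a file path straight from a request parameter with one that validates the parameter against an allow-list first. The report handler, the parameter and BASE_DIR are assumptions made for the illustration, and the inputs are constructed, not captured traffic.

```lua
-- Added example for the "User Input Validation" item; not code from the
-- original post, from Syhunt's paper or from any named project. The report
-- handler, the "name" parameter and BASE_DIR are hypothetical. Runs on stock
-- Lua 5.1+ or LuaJIT with no external modules.

local BASE_DIR = "/var/www/app/reports/"   -- assumed directory the app serves from

-- Vulnerable form: the raw request parameter is concatenated into the path,
-- so "../../etc/passwd" walks out of BASE_DIR and a NUL byte truncates the
-- name once it reaches the C fopen() behind io.open.
local function report_path_unsafe(name)
  return BASE_DIR .. name
end

-- Hardened form: an allow-list that describes what the application needs
-- (one short token of [A-Za-z0-9_-] plus a fixed extension) instead of a
-- deny-list of known-bad sequences. Returns the name, or nil and a reason.
local function validate_report_name(raw)
  if type(raw) ~= "string" then return nil, "missing parameter" end
  if #raw == 0 or #raw > 64 then return nil, "bad length" end
  if raw:find("\0", 1, true) then return nil, "embedded NUL" end
  -- explicit ASCII classes: Lua's %w follows the C locale and may accept more
  if not raw:match("^[A-Za-z0-9_%-]+%.txt$") then
    return nil, "name not in allow-list"
  end
  return raw
end

local function report_path_safe(raw)
  local name, why = validate_report_name(raw)
  if not name then return nil, why end
  return BASE_DIR .. name
end

-- Escape non-printable bytes so hostile samples print on one line.
local function show(s)
  return (s:gsub("[^%w%p ]", function(c)
    return string.format("\\x%02X", c:byte())
  end))
end

-- Constructed inputs (not captured traffic): one benign name, then the kinds
-- of values a tester sends at a file parameter.
local samples = {
  "q1-2021.txt",                  -- legitimate
  "../../etc/passwd",             -- directory traversal
  "/etc/passwd",                  -- absolute path
  "q1-2021.txt\0.jpg",            -- NUL truncation: C sees "q1-2021.txt"
  "q1-2021.lua",                  -- wrong extension (would expose source)
  "..%2f..%2fetc%2fpasswd",       -- URL-encoded traversal, still rejected
  string.rep("a", 61) .. ".txt",  -- 65 bytes, over the length cap
}

for _, raw in ipairs(samples) do
  local safe, why = report_path_safe(raw)
  print(string.format("%-34s unsafe -> %s", show(raw), show(report_path_unsafe(raw))))
  print(string.format("%-34s safe   -> %s", "", safe or ("rejected (" .. why .. ")")))
end
```

Run it with any stock interpreter (`lua example.lua`). The point to carry into the test plan is that Lua strings are binary-safe while the C functions behind io.open, os.execute and io.popen are not: a NUL byte that Lua passes through untouched truncates the argument on the C side, so validation written in Lua has to reject it explicitly rather than rely on the pattern alone.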
Acknowledgements | References | Resources
- https://ieeexplore.ieee.org/abstract/document/8227299
- https://www.syhunt.com/en/index.php?n=Articles.LuaVulnerabilities
- https://github.com/LewisJEllis/awesome-lua/
- https://www.programmersought.com/article/6860106469/
- http://lua-users.org/lists/lua-l/2014-05/msg00714.html
- https://www.cvedetails.com/product/28436/LUA-LUA.html?vendor_id=13641
- https://www.google.com/search?q=lua+site%3Ahackerone.com&newwindow=1