Lua For Web - Pentesting Checklist

Below is the pentesting checklist we use to test Lua web applications.

Syn Cubes Team - May 30, 2021
Lua for Web - Security Considerations

Word Ahead


Are you doing an offensive pentest against a Lua web application?

Q. What is Lua?
A. "Lua is a powerful, efficient, lightweight, embeddable scripting language. It supports procedural programming, object-oriented programming, functional programming, data-driven programming, and data description.

Lua combines simple procedural syntax with powerful data description constructs based on associative arrays and extensible semantics. Lua is dynamically typed, runs by interpreting bytecode with a register-based virtual machine, and has automatic memory management with incremental garbage collection, making it ideal for configuration, scripting, and rapid prototyping." - Lua.org

The following checklist is a simplified visual alternative to the original document, Lua Web Application Security Vulnerabilities, published in 2014 by Felipe Daragon. We also round out the picture with a few other resources, listed at the end of this post.

An updated list of known attack vectors will be provided in a future version of this checklist.

Checklist

Other Security Considerations


  • Man-in-the-Middle (MITM)

  • Lua Packages Supply Chain

  • User Input Validation

  • Server Hardening Configuration

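The "User Input Validation" item above is where most Lua web findings start, so here is an added example of allowlist-style parameter validation in plain Lua. It is not code from the original post or from any framework: the `params` table is a constructed stand-in for whatever the handler receives (for instance the table returned by `ngx.req.get_uri_args()` in OpenResty), and the field names and rules are assumptions for illustration. It runs under Lua 5.1/LuaJIT through 5.4.

```lua
-- Added example (not from the original post): allowlist validation of web
-- request parameters in plain Lua. `params` is a constructed stand-in for the
-- table a framework hands the handler; the field names and rules are assumed.

local M = {}

-- Each rule is either an allowlist of exact values, or a Lua pattern that is
-- anchored with ^ and $ (an unanchored pattern matches anywhere inside an
-- attacker-controlled string) plus a maximum length checked before the
-- pattern runs. Explicit [A-Za-z0-9_] is used instead of %w, which is
-- locale-dependent.
local RULES = {
  username = { pattern = "^[A-Za-z0-9_]+$", max = 32 },
  page     = { pattern = "^%d+$",           max = 6, tonumber = true },
  sort     = { oneof = { asc = true, desc = true } },
}

local function fail(errors, name, msg)
  errors[#errors + 1] = name .. ": " .. msg
end

-- Validate `params` against RULES. Returns a table holding only the fields
-- that passed (never the raw input), or nil plus a list of error strings.
function M.validate(params)
  local clean, errors = {}, {}
  for name, rule in pairs(RULES) do
    local value = params[name]
    if value == nil then
      fail(errors, name, "missing")
    elseif type(value) ~= "string" then
      -- Repeated query keys arrive as a table and bare keys ("?debug") as a
      -- boolean in some frameworks; never treat those as strings.
      fail(errors, name, "unexpected type " .. type(value))
    elseif rule.max and #value > rule.max then
      fail(errors, name, "too long")
    elseif rule.oneof then
      if rule.oneof[value] then clean[name] = value
      else fail(errors, name, "not an allowed value") end
    elseif not value:find(rule.pattern) then
      fail(errors, name, "bad format")
    elseif rule.tonumber then
      -- tonumber() on raw input would also accept "0x10", "1e3", surrounding
      -- whitespace and "inf"/"nan" forms; the ^%d+$ pattern above has already
      -- guaranteed plain decimal digits, so the conversion is safe here.
      clean[name] = tonumber(value)
    else
      clean[name] = value
    end
  end
  -- Reject unknown fields outright instead of passing them downstream.
  for name in pairs(params) do
    if not RULES[name] then fail(errors, name, "unknown parameter") end
  end
  if #errors > 0 then return nil, errors end
  return clean
end

-- Constructed sample requests exercising the rules.
local ok = M.validate({ username = "alice_1", page = "42", sort = "asc" })
assert(ok and ok.page == 42 and ok.username == "alice_1" and ok.sort == "asc")

local bad, errs = M.validate({
  username = "alice; drop",   -- fails the anchored pattern
  page = "0x10",              -- tonumber() would accept it; ^%d+$ does not
  sort = "ASC",               -- allowlist is case-sensitive
  debug = "1",                -- unknown parameter
})
assert(bad == nil and #errs == 4)

return M
```

The design choice worth noting is that the function returns a fresh `clean` table rather than the caller's `params`: anything the rules did not explicitly accept, including unknown keys and non-string values, simply never reaches the application code.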


Acknowledgements | References | Resources


- https://ieeexplore.ieee.org/abstract/document/8227299
- https://www.syhunt.com/en/index.php?n=Articles.LuaVulnerabilities
- https://github.com/LewisJEllis/awesome-lua/
- https://www.programmersought.com/article/6860106469/
- http://lua-users.org/lists/lua-l/2014-05/msg00714.html
- https://www.cvedetails.com/product/28436/LUA-LUA.html?vendor_id=13641
- https://www.google.com/search?q=lua+site%3Ahackerone.com&newwindow=1

