Lua For Web Threat Model Pentesting Checklist

The following is a pentesting checklist we use to test Lua web applications.

May 30, 2021

WORD AHEAD


Are you running an offensive pentest against a Lua web application?

Q. What is Lua?
A. "Lua is a powerful, efficient, lightweight, embeddable scripting language. It supports procedural programming, object-oriented programming, functional programming, data-driven programming, and data description.

Lua combines simple procedural syntax with powerful data description constructs based on associative arrays and extensible semantics. Lua is dynamically typed, runs by interpreting bytecode with a register-based virtual machine, and has automatic memory management with incremental garbage collection, making it ideal for configuration, scripting, and rapid prototyping." - Lua.org

The following checklist is a simplified visual alternative to the original document Lua Web Application Security Vulnerabilities, published in 2014 by Felipe Daragon. In addition, we supplement it with a couple of other resources shared at the end of this post.

An updated list containing lesser-known attack vectors will be disclosed with an incremented version of this checklist.

CHECKLIST










Other Security Considerations




LUA PENTEST CHECK LIST MINDMAP - INSANE QUALITY IMAGE


[*] No high quality picture this time. This is all we know.

LUA PENTEST CHECK LIST MINDMAP - CHERRY TREE IMPORTABLE VERSION


[*] Come back later.

ACKNOWLEDGEMENTS | REFERENCES | RESOURCES


- https://ieeexplore.ieee.org/abstract/document/8227299
- https://www.syhunt.com/en/index.php?n=Articles.LuaVulnerabilities
- https://github.com/LewisJEllis/awesome-lua/
- https://www.programmersought.com/article/6860106469/
- http://lua-users.org/lists/lua-l/2014-05/msg00714.html
- https://www.cvedetails.com/product/28436/LUA-LUA.html?vendor_id=13641
- https://www.google.com/search?q=lua+site%3Ahackerone.com&newwindow=1

