diff --git a/pentesting/pentesting-web/README.md b/pentesting/pentesting-web/README.md index 7f5d015e..fe18a7a8 100644 --- a/pentesting/pentesting-web/README.md +++ b/pentesting/pentesting-web/README.md @@ -58,13 +58,13 @@ whatweb -a 3 #Aggresive webtech -u ``` -Search **for** [**vulnerabilities of the web application** **version**](../../search-exploits.md)\*\*\*\* +Search **for** [**vulnerabilities of the web application** **version**](../../search-exploits.md) **Check if any WAF** -* \*\*\*\*[**https://github.com/EnableSecurity/wafw00f**](https://github.com/EnableSecurity/wafw00f)\*\*\*\* -* \*\*\*\*[**https://github.com/Ekultek/WhatWaf.git**](https://github.com/Ekultek/WhatWaf.git)\*\*\*\* -* \*\*\*\*[**https://nmap.org/nsedoc/scripts/http-waf-detect.html**](https://nmap.org/nsedoc/scripts/http-waf-detect.html)\*\*\*\* +* [**https://github.com/EnableSecurity/wafw00f**](https://github.com/EnableSecurity/wafw00f) +* [**https://github.com/Ekultek/WhatWaf.git**](https://github.com/Ekultek/WhatWaf.git) +* [**https://nmap.org/nsedoc/scripts/http-waf-detect.html**](https://nmap.org/nsedoc/scripts/http-waf-detect.html) ### **Cookies** 
@@ -75,22 +75,22 @@ Also, the [**flags of the cookies**](../../pentesting-web/hacking-with-cookies.m Some **tricks** for **finding vulnerabilities** in different well known **technologies** being used: -* [**IIS tricks**](iis-internet-information-services.md)\*\*\*\* -* [**PHP \(php has a lot of interesting tricks that could be exploited\)**](php-tricks-esp/)\*\*\*\* -* \*\*\*\*[**Nginx**](nginx.md)\*\*\*\* -* \*\*\*\*[**Python**](python.md)\*\*\*\* -* \*\*\*\*[**Flask**](flask.md)\*\*\*\* -* \*\*\*\*[**WebDav**](put-method-webdav.md)\*\*\*\* -* \*\*\*\*[**CGI**](cgi.md)\*\*\*\* -* [**Tomcat**](tomcat.md)\*\*\*\* -* \*\*\*\*[**Jenkins**](jenkins.md)\*\*\*\* -* \*\*\*\*[**JBOSS**](jboss.md)\*\*\*\* -* \*\*\*\*[**JIRA**](jira.md) -* [**JSP**](jsp.md)\*\*\*\* -* \*\*\*\*[**Wordpress**](wordpress.md)\*\*\*\* -* \*\*\*\*[**Drupal**](drupal.md)\*\*\*\* -* \*\*\*\*[**VMWare \(EXS, VCenter...\)**](vmware-esx-vcenter....md)\*\*\*\* -* \*\*\*\*[**GraphQL**](graphql.md)\*\*\*\* +* [**IIS tricks**](iis-internet-information-services.md) +* [**PHP \(php has a lot of interesting tricks that could be exploited**](php-tricks-esp/) +* [**Nginx**](nginx.md) +* [**Python**](python.md) +* [**Flask**](flask.md) +* [**WebDav**](put-method-webdav.md) +* [**CGI**](cgi.md) +* [**Tomcat**](tomcat.md) +* [**Jenkins**](jenkins.md) +* [**JBOSS**](jboss.md) +* [**JIRA**](jira.md) +* [**JSP**](jsp.md) +* [**Wordpress**](wordpress.md) +* [**Drupal**](drupal.md) +* [**VMWare \(EXS, VCenter**](vmware-esx-vcenter....md) +* [**GraphQL**](graphql.md) If the **source code** of the application is available in **github**, apart of performing by **your own a White box test** of the application \(no guide available yet in hacktricks\) there is **some information** that could be **useful** for the current **Black-Box testing**: 
@@ -108,10 +108,10 @@ If the web application is using any well known **tech/platform listed before** o You should look for these kind of vulnerabilities every time you find a **path** were a **different technology** is **running**. For example, if you find a **java** webapp and in `/wordpress` a **wordpress** is running. -* [**Abusing hop-by-hop headers**](../../pentesting-web/abusing-hop-by-hop-headers.md)\*\*\*\* -* \*\*\*\*[**Request Smuggling**](../../pentesting-web/http-request-smuggling.md)\*\*\*\* -* \*\*\*\*[**Cache Poisoning / Cache Deception**](../../pentesting-web/cache-deception.md)\*\*\*\* -* \*\*\*\*[**Uncovering CloudFlare**](uncovering-cloudflare.md)\*\*\*\* +* [**Abusing hop-by-hop headers**](../../pentesting-web/abusing-hop-by-hop-headers.md) +* [**Request Smuggling**](../../pentesting-web/http-request-smuggling.md) +* [**Cache Poisoning / Cache Deception**](../../pentesting-web/cache-deception.md) +* [**Uncovering CloudFlare**](uncovering-cloudflare.md) ## Automatic scanners @@ -132,7 +132,7 @@ If a CMS is used don't forget to **run a scanner**, maybe something juicy is fou [**CMSScan**](https://github.com/ajinabraham/CMSScan): [**WordPress**](wordpress.md), [**Drupal**](drupal.md), **Joomla**, **vBulletin** websites for Security issues. \(GUI\) [**VulnX**](https://github.com/anouarbensaad/vulnx)**: Joomla,** [**Wordpress**](wordpress.md)**,** [**Drupal**](drupal.md)**, PrestaShop, Opencart CMSMap**: [**\(W\)ordpress**](wordpress.md)**, \(J\)oomla,** [**\(D\)rupal**](drupal.md) **or \(M\)oodle** -[**droopscan**](https://github.com/droope/droopescan)**:** [**Drupal**](drupal.md)**, Joomla, Moodle, Silverstripe,** [**Wordpress**](wordpress.md)\*\*\*\* +[**droopscan**](https://github.com/droope/droopescan)**:** [**Drupal**](drupal.md)**, Joomla, Moodle, Silverstripe,** [**Wordpress**](wordpress.md) ```bash cmsmap [-f W] -F -d 
@@ -184,15 +184,15 @@ Information about SSL/TLS vulnerabilities: Launch some kind of **spider** inside the web. The goal of the spider is to **find as much paths as possible** from the tested application. Therefore, web crawling and external sources should be used to find as much valid paths as possible. -* [**gospider**](https://github.com/jaeles-project/gospider) **\(go\):** HTML spider, LinkFinder in JS files and external sources \(Archive.org, CommonCrawl.org, VirusTotal.com, AlienVault.com\). -* [**hakrawler**](https://github.com/hakluke/hakrawler) _\*\*_\(go\): HML spider, with LinkFider for JS files and Archive.org as external source. -* [**dirhunt**](https://github.com/Nekmo/dirhunt) _\*\*_\(python\): HTML spider, also indicates "juicy files". +* [**gospider**](https://github.com/jaeles-project/gospider) \(go\): ****HTML spider, LinkFinder in JS files and external sources \(Archive.org, CommonCrawl.org, VirusTotal.com, AlienVault.com\). +* [**hakrawler**](https://github.com/hakluke/hakrawler) \(go\): HML spider, with LinkFider for JS files and Archive.org as external source. +* [**dirhunt**](https://github.com/Nekmo/dirhunt) \(python\): HTML spider, also indicates "juicy files". * [**evine** ](https://github.com/saeeddhqan/evine)\(go\): Interactive CLI HTML spider. It also searches in Archive.org -* \*\*\*\*[**meg**](https://github.com/tomnomnom/meg) \(go\): This tool isn't a spider but it can be useful. You can just indicate a file with hosts and a file with paths and meg will fetch each path on each host and save the response. -* \*\*\*\*[**urlgrab**](https://github.com/IAmStoxe/urlgrab) \(go\): HTML spider with JS rendering capabilities. 
However, it looks like it's unmaintained, the precompiled version is old and the current code doesn't compile -* [**gau**](https://github.com/lc/gau) _\*\*_\(go\): HTML spider that uses external providers \(wayback, otx, commoncrawl\) +* [**meg**](https://github.com/tomnomnom/meg) \(go\): This tool isn't a spider but it can be useful. You can just indicate a file with hosts and a file with paths and meg will fetch each path on each host and save the response. +* [**urlgrab**](https://github.com/IAmStoxe/urlgrab) \(go\): HTML spider with JS rendering capabilities. However, it looks like it's unmaintained, the precompiled version is old and the current code doesn't compile +* [**gau**](https://github.com/lc/gau) go\): HTML spider that uses external providers \(wayback, otx, commoncrawl\) * [**ParamSpider**](https://github.com/devanshbatham/ParamSpider): This script will find URLs with parameter and will list them. -* \*\*\*\*[**galer**](https://github.com/dwisiswant0/galer) \(go\): HTML spider with JS rendering capabilities. +* [**galer**](https://github.com/dwisiswant0/galer) \(go\): HTML spider with JS rendering capabilities. ### Brute Force directories and files 
@@ -200,7 +200,7 @@ Start **brute-forcing** from the root folder and be sure to brute-force **all** Tools: * **Dirb** / **Dirbuster** - Included in Kali, **old** \(and **slow**\) but functional. Allow auto-signed certificates and recursive search. Too slow compared with th other options. -* [**Dirsearch**](https://github.com/maurosoria/dirsearch) **\*\*\(python\): It doesn't allow auto-signed certificates but** allows recursive\*\* search. +* [**Dirsearch**](https://github.com/maurosoria/dirsearch) \(python\)**: It doesn't allow auto-signed certificates but** allows recursive search. * [**Gobuster**](https://github.com/OJ/gobuster) \(go\): It allows auto-signed certificates, it **doesn't** have **recursive** search. * [**Feroxbuster**](https://github.com/epi052/feroxbuster) **- Fast, supports recursive search.** * [**wfuzz**](https://github.com/xmendez/wfuzz) `wfuzz -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt https://domain.com/api/FUZZ` @@ -208,9 +208,9 @@ Tools: **Recommended dictionaries:** -* \*\*\*\*[https://github.com/danielmiessler/RobotsDisallowed](https://github.com/danielmiessler/RobotsDisallowed) \(Very interesting\) +* [https://github.com/danielmiessler/RobotsDisallowed](https://github.com/danielmiessler/RobotsDisallowed) \(Very interesting\) * [**Seclists**](https://github.com/danielmiessler/SecLists) -* [**Dirsearch**](https://github.com/maurosoria/dirsearch) _\*\*_included dictionary +* [**Dirsearch**](https://github.com/maurosoria/dirsearch) included dictionary * [http://gist.github.com/jhaddix/b80ea67d85c13206125806f0828f4d10](http://gist.github.com/jhaddix/b80ea67d85c13206125806f0828f4d10) * [Assetnote wordlists](https://wordlists.assetnote.io/) * _/usr/share/wordlists/dirb/common.txt_ 
@@ -221,12 +221,12 @@ _Note that anytime a new directory is discovered during brute-forcing or spideri ### What to check on each file found -* \*\*\*\*[**Broken link checker**](https://github.com/stevenvachon/broken-link-checker): Find broken links inside HTMLs that may be prone to takeovers +* [**Broken link checker**](https://github.com/stevenvachon/broken-link-checker): Find broken links inside HTMLs that may be prone to takeovers * **File Backups**: Once you have found all the files, look for backups of all the executable files \("_.php_", "_.aspx_"...\). Common variations for naming a backup are: _file.ext~, \#file.ext\#, ~file.ext, file.ext.bak, file.ext.tmp, file.ext.old, file.bak, file.tmp and file.old_ -* **Discover new parameters**: You can use tools like **\*\*\[**Arjun**\]\(**[https://github.com/s0md3v/Arjun](https://github.com/s0md3v/Arjun)**\)** and **\[**Parameth**\]\(**[https://github.com/maK-/parameth](https://github.com/maK-/parameth)**\) to discover hidden parameters. If you can, you could try to search** hidden parameters\*\* on each executable web file. +* **Discover new parameters**: You can use tools like [Arjun](https://github.com/s0md3v/Arjun) ****and ****[parameth](https://github.com/maK-/parameth) **to discover hidden parameters. If you can, you could try to search** hidden parameters on each executable web file. * **Comments:** Check the comments of all the files, you can find **credentials** or **hidden functionality**. * If you are playing **CTF**, a "common" trick is to **hide** **information** inside comments at the **right** of the **page** \(using **hundreds** of **spaces** so you don't see the data if you open the source code with the browser\). Other possibility is to use **several new lines** and **hide information** in a comment at the **bottom** of the web page. 
-* **API keys**: If you **find any API key** there is guide that indicates how to use API keys of different platforms: **\*\*\[**keyhacks**\]\(**[https://github.com/streaak/keyhacks](https://github.com/streaak/keyhacks)**\)**, **\[**zile**\]\(**[https://github.com/xyele/zile.git](https://github.com/xyele/zile.git)**\)**, **\[**truffleHog**\]\(**[https://github.com/dxa4481/truffleHog/](https://github.com/dxa4481/truffleHog/)**\)**, **\[**SecretFinder**\]\(**[https://github.com/m4ll0k/SecretFinder](https://github.com/m4ll0k/SecretFinder)**\)**, **\[**RegHex_\*\]\(_[https://github.com/l4yton/RegHex\)\](https://github.com/l4yton/RegHex%29\)\*\*\* +* **API keys**: If you **find any API key** there is guide that indicates how to use API keys of different platforms: [keyhacks](https://github.com/streaak/keyhacks), ****[zile](https://github.com/xyele/zile.git), ****[truffleHog](https://github.com/dxa4481/truffleHog/), [SecretFinder](https://github.com/m4ll0k/SecretFinder), [RegHex](https://github.com/l4yton/RegHex%29\) * **S3 Buckets**: While spidering look if any **subdomain** or any **link** is related with some **S3 bucket**. In that case, [**check** the **permissions** of the bucket](buckets/). ### Special findings 
@@ -244,7 +244,7 @@ _Note that anytime a new directory is discovered during brute-forcing or spideri The **JS code** of a web application can be really interesting: It could contain **API keys**, **credentials**, other **endpoints**, and understanding it you could be able to **bypass security measures**. It could be also very useful to **parse** the **JS files** in order to search for other **endpoints:** [**LinkFinder**](https://github.com/GerbenJavado/LinkFinder)**,** [**JSScanner**](https://github.com/dark-warlord14/JSScanner) **\(wrap of LinkFinder\),** [**JSParser**](https://github.com/nahamsec/JSParser)**,** [**relative-url-extractor**](https://github.com/jobertabma/relative-url-extractor)**.** Another interesting approach could be **monitoring the JS files** with a tool like [**JSMon**](https://github.com/robre/jsmon) that checks for changes. -You should also **check** if the application is using any **outdated** and **vulnerable javascript library** with: [**RetireJS**](https://github.com/retirejs/retire.js/)\*\*\*\* +You should also **check** if the application is using any **outdated** and **vulnerable javascript library** with: [**RetireJS**](https://github.com/retirejs/retire.js/) If the **javascript** code is **obfuscated**, these tools could be useful: 
@@ -308,7 +308,7 @@ In several occasions you will need to **understand regular expressions** used, t #### 502 Proxy Error -If any page **responds** with that **code**, it's probably a **bad configured proxy**. **\*\*If you send a HTTP request like: `GET https://google.com HTTP/1.1` \(with the host header and other common headers\), the** proxy **will try to** access **\_**google.com**\_ and you will have found a** SSRF\*\*. +If any page **responds** with that **code**, it's probably a **bad configured proxy**. **If you send a HTTP request like: `GET https://google.com HTTP/1.1` \(with the host header and other common headers\), the** proxy **will try to** access **\_**google.com**\_ and you will have found a** SSRF. #### **NTLM Authentication - Info disclosure** 
@@ -338,53 +338,53 @@ If you find a login page, here you can find some techniques to try to bypass it: You should also check for: -* [**SQL Injection authentication bypass**](../../pentesting-web/sql-injection/#authentication-bypass)\*\*\*\* -* \*\*\*\*[**NoSQL Injection**](../../pentesting-web/nosql-injection.md)\*\*\*\* -* \*\*\*\*[**XPath Injection**](../../pentesting-web/xpath-injection.md)\*\*\*\* -* \*\*\*\*[**LDAP Injection**](../../pentesting-web/ldap-injection.md)\*\*\*\* +* [**SQL Injection authentication bypass**](../../pentesting-web/sql-injection/#authentication-bypass) +* [**NoSQL Injection**](../../pentesting-web/nosql-injection.md) +* [**XPath Injection**](../../pentesting-web/xpath-injection.md) +* [**LDAP Injection**](../../pentesting-web/ldap-injection.md) ### Insert into/Create Object -Check for **\*\*\[**SQL INSERT INTO Injections._\*\]\(../../pentesting-web/sql-injection/\#insert-statement\)\_\*\*\* +Check for [SQL INSERT INTO Injections](../../pentesting-web/sql-injection/#insert-statement) ### **Upload Files** Check for this vulnerabilities: -* \*\*\*\*[**File Upload**](../../pentesting-web/file-upload/)\*\*\*\* +* [**File Upload**](../../pentesting-web/file-upload/) ## **User input Web Vulnerabilities list** -* \*\*\*\*[**2FA Bypass**](../../pentesting-web/2fa-bypass.md)\*\*\*\* -* \*\*\*\*[**Captcha Bypass**](../../pentesting-web/captcha-bypass.md)\*\*\*\* -* \*\*\*\*[**Clickjacking**](../../pentesting-web/clickjacking.md)\*\*\*\* -* \*\*\*\*[**Client Side Template Injection \(CSTI\)**](../../pentesting-web/client-side-template-injection-csti.md)\*\*\*\* -* \*\*\*\*[**Command Injection**](../../pentesting-web/command-injection.md)\*\*\*\* -* \*\*\*\*[**Content Security Policy \(CSP\) Bypass**](../../pentesting-web/content-security-policy-csp-bypass.md)\*\*\*\* -* \*\*\*\*[**Cookies Hacking**](../../pentesting-web/hacking-with-cookies.md)\*\*\*\* -* \*\*\*\*[**CORS - Misconfigurations & Bypass**](../../pentesting-web/cors-bypass.md)\*\*\*\* 
-* \*\*\*\*[**CRLF Injection**](../../pentesting-web/crlf-0d-0a.md)\*\*\*\* -* \*\*\*\*[**CSRF \(Cross Site Request Forgery\)**](../../pentesting-web/csrf-cross-site-request-forgery.md)\*\*\*\* -* \*\*\*\*[**Dangling Markup - HTML scriptless injection**](../../pentesting-web/dangling-markup-html-scriptless-injection.md)\*\*\*\* -* \*\*\*\*[**Deserialization**](../../pentesting-web/deserialization/)\*\*\*\* -* \*\*\*\*[**Email Header Injection**](../../pentesting-web/email-header-injection.md)\*\*\*\* -* \*\*\*\*[**File Inclusion**](../../pentesting-web/file-inclusion/)\*\*\*\* -* \*\*\*\*[**File Upload**](../../pentesting-web/file-upload/)\*\*\*\* -* \*\*\*\*[**IDOR**](../../pentesting-web/idor.md)\*\*\*\* -* \*\*\*\*[**JWT Vulnerabilities**](../../pentesting-web/hacking-jwt-json-web-tokens.md)\*\*\*\* -* \*\*\*\*[**NoSQL Injection**](../../pentesting-web/nosql-injection.md)\*\*\*\* -* \*\*\*\*[**LDAP Injection**](../../pentesting-web/ldap-injection.md)\*\*\*\* -* \*\*\*\*[**Open Redirect**](../../pentesting-web/open-redirect.md) -* [**Race Condition**](../../pentesting-web/race-condition.md)\*\*\*\* -* \*\*\*\*[**SQL Injection**](../../pentesting-web/sql-injection/)\*\*\*\* -* \*\*\*\*[**SSRF \(Server Side Request Forgery\)**](../../pentesting-web/ssrf-server-side-request-forgery.md)\*\*\*\* -* \*\*\*\*[**SSTI \(Server Side Template Injection\)**](../../pentesting-web/ssti-server-side-template-injection.md)\*\*\*\* -* \*\*\*\*[**Unicode Normalization vulnerability**](../../pentesting-web/unicode-normalization-vulnerability.md)\*\*\*\* -* \*\*\*\*[**XPATH Injection**](../../pentesting-web/xpath-injection.md)\*\*\*\* -* \*\*\*\*[**XSLT Server Side Injection**](../../pentesting-web/xslt-server-side-injection-extensible-stylesheet-languaje-transformations.md)\*\*\*\* -* \*\*\*\*[**XXE \(XML External Entity\)**](../../pentesting-web/xxe-xee-xml-external-entity.md)\*\*\*\* -* \*\*\*\*[**XSS \(Cross Site 
Scripting\)**](../../pentesting-web/xss-cross-site-scripting/)\*\*\*\* -* \*\*\*\*[**XS-Search**](../../pentesting-web/xs-search.md)\*\*\*\* +* [**2FA Bypass**](../../pentesting-web/2fa-bypass.md) +* [**Captcha Bypass**](../../pentesting-web/captcha-bypass.md) +* [**Clickjacking**](../../pentesting-web/clickjacking.md) +* [**Client Side Template Injection \(CSTI**](../../pentesting-web/client-side-template-injection-csti.md) +* [**Command Injection**](../../pentesting-web/command-injection.md) +* [**Content Security Policy \(CSP\) Bypass**](../../pentesting-web/content-security-policy-csp-bypass.md) +* [**Cookies Hacking**](../../pentesting-web/hacking-with-cookies.md) +* [**CORS - Misconfigurations & Bypass**](../../pentesting-web/cors-bypass.md) +* [**CRLF Injection**](../../pentesting-web/crlf-0d-0a.md) +* [**CSRF \(Cross Site Request Forgery**](../../pentesting-web/csrf-cross-site-request-forgery.md) +* [**Dangling Markup - HTML scriptless injection**](../../pentesting-web/dangling-markup-html-scriptless-injection.md) +* [**Deserialization**](../../pentesting-web/deserialization/) +* [**Email Header Injection**](../../pentesting-web/email-header-injection.md) +* [**File Inclusion**](../../pentesting-web/file-inclusion/) +* [**File Upload**](../../pentesting-web/file-upload/) +* [**IDOR**](../../pentesting-web/idor.md) +* [**JWT Vulnerabilities**](../../pentesting-web/hacking-jwt-json-web-tokens.md) +* [**NoSQL Injection**](../../pentesting-web/nosql-injection.md) +* [**LDAP Injection**](../../pentesting-web/ldap-injection.md) +* [**Open Redirect**](../../pentesting-web/open-redirect.md) +* [**Race Condition**](../../pentesting-web/race-condition.md) +* [**SQL Injection**](../../pentesting-web/sql-injection/) +* [**SSRF \(Server Side Request Forgery**](../../pentesting-web/ssrf-server-side-request-forgery.md) +* [**SSTI \(Server Side Template Injection**](../../pentesting-web/ssti-server-side-template-injection.md) +* [**Unicode Normalization 
vulnerability**](../../pentesting-web/unicode-normalization-vulnerability.md) +* [**XPATH Injection**](../../pentesting-web/xpath-injection.md) +* [**XSLT Server Side Injection**](../../pentesting-web/xslt-server-side-injection-extensible-stylesheet-languaje-transformations.md) +* [**XXE \(XML External Entity**](../../pentesting-web/xxe-xee-xml-external-entity.md) +* [**XSS \(Cross Site Scripting**](../../pentesting-web/xss-cross-site-scripting/) +* [**XS-Search**](../../pentesting-web/xs-search.md) **More references** for each Web Vulnerability: [https://cyberzombie.in/bug-bounty-methodology-techniques-tools-procedures/](https://cyberzombie.in/bug-bounty-methodology-techniques-tools-procedures/) **Another checklist**: [https://six2dez.gitbook.io/pentest-book/others/web-checklist](https://six2dez.gitbook.io/pentest-book/others/web-checklist)
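Review bot: two rewritten items in the @@ -75,22 hunk lose their closing parenthesis, so the link text is now unbalanced: `+* [**PHP \(php has a lot of interesting tricks that could be exploited**](php-tricks-esp/)` and `+* [**VMWare \(EXS, VCenter**](vmware-esx-vcenter....md)`. Put the `\)` (and the `...` on the VMWare line) back inside the bold span, e.g. `[**PHP \(php has a lot of interesting tricks that could be exploited\)**](php-tricks-esp/)`. Since the target file is named `vmware-esx-vcenter`, `EXS` in that link text also looks like a typo for `ESX` and could be fixed in the same line.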
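Review bot: the gospider line in the @@ -184,15 hunk swaps the removed `_\*\*_` debris for new debris, `\(go\): ****HTML spider, ...`; the empty `****` pair should be deleted. The gau line loses its opening parenthesis: `+* [**gau**](https://github.com/lc/gau) go\): HTML spider ...` should read `\(go\):` like the other entries. The hunk also moves the meg and urlgrab entries below evine while joining urlgrab's description back onto one line; the join is the real fix, the reorder is unrelated and deserves a mention in the commit message. The hakrawler line is rewritten here too, so its pre-existing typos `HML spider` and `LinkFider` could be corrected at the same time.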
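Review bot: on the Dirsearch line in the @@ -200,7 hunk the bold span now opens directly after `\(python\)` and covers only `: It doesn't allow auto-signed certificates but`, leaving `allows recursive search.` outside it; the removed line, under its `\*\*` debris, was bolding the whole description. Either bold the full sentence or drop the `**` pair so the entry matches the plain-text style of the Gobuster line that follows.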
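Review bot: the RegHex link in the @@ -221,12 hunk is still broken after the rewrite: `[RegHex](https://github.com/l4yton/RegHex%29\)` keeps the `%29\)` tail from the original mangled markup, so the rendered URL ends in an encoded `)`; it should be `[RegHex](https://github.com/l4yton/RegHex)`. The same hunk introduces empty `****` bold pairs on the parameters line (`[Arjun](https://github.com/s0md3v/Arjun) ****and ****[parameth]`) and before `zile` and `truffleHog` on the API keys line; remove them. That API keys line is rewritten anyway, so `there is guide` could become `there is a guide` while it is being touched.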
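Review bot: six rewritten items in the @@ -338,53 hunk drop the closing `\)` from their link text, for example `+* [**Client Side Template Injection \(CSTI**](../../pentesting-web/client-side-template-injection-csti.md)` and `+* [**XSS \(Cross Site Scripting**](../../pentesting-web/xss-cross-site-scripting/)`; the CSRF, SSRF, SSTI and XXE lines have the same problem. The CSP entry in the same list keeps `\(CSP\) Bypass` intact and is the form the other six should be restored to, with the `\)` placed before the closing `**`.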