GitBook: [master] 3 pages modified

SUMMARY.md

@@ -223,6 +223,7 @@
 * [69/UDP TFTP/Bittorrent-tracker](pentesting/69-udp-tftp.md)
 * [79 - Pentesting Finger](pentesting/pentesting-finger.md)
 * [80,443 - Pentesting Web Methodology](pentesting/pentesting-web/README.md)
+  * [Special HTTP headers](pentesting/pentesting-web/special-http-headers.md)
   * [AEM - Adobe Experience Cloud](pentesting/pentesting-web/aem-adobe-experience-cloud.md)
   * [Apache](pentesting/pentesting-web/apache.md)
   * [Artifactory Hacking guide](pentesting/pentesting-web/artifactory-hacking-guide.md)

pentesting/pentesting-web/README.md

@@ -288,7 +288,8 @@ _Note that anytime a new directory is discovered during brute-forcing or spideri
 
 #### 403 Forbidden/Basic Authentication/401 Unauthorized \(bypass\)
 
-* Try using **different verbs** to access the file: _GET, POST, INVENTED_
+* Try using **different verbs** to access the file: `GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS, TRACE, PATCH, INVENTED, HACK`
+  * Check the response headers, maybe some information can be given. For example, a **200 response** to **HEAD** with `Content-Length: 55` means that the **HEAD verb can access the info**. But you still need to find a way to exfiltrate that info.
 * If _/path_ is blocked, try using _**/**_**%2e/**path _\(if the access is blocked by a proxy, this could bypass the protection\). Try also_ /**%252e**/path \(double URL encode\)
 * Try Unicode bypass: _/**%ef%bc%8f**path_ \(The URL encoded chars are like "/"\) so when encoded back it will be _//path_ and maybe you will have already bypassed the _/path_ name check
 * Try to **stress the server** sending common GET requests \([It worked for this guy wit Facebook](https://medium.com/@amineaboud/story-of-a-weird-vulnerability-i-found-on-facebook-fc0875eb5125)\).
@@ -330,6 +331,7 @@ _Note that anytime a new directory is discovered during brute-forcing or spideri
   * If the **path is protected** you can try to bypass the path protection using these other headers:
     * `X-Original-URL: /admin/console`
     * `X-Rewrite-URL: /admin/console`
+* If the page is **behind a proxy**, maybe it's the proxy the one preventing you you to access the private information. Try abusing **HTTP Request Smuggling**.
 * **Guess the password**: Test the following common credentials. Do you know something about the victim? Or the CTF challenge name?
 * [**Brute force**](../../brute-force.md#http-brute)**:** Try basic, digest and NTLM auth.
 

pentesting/pentesting-web/special-http-headers.md

@@ -0,0 +1,36 @@
+# Special HTTP headers
+
+## Headers to Change Location
+
+Rewrite **IP source**:
+
+* `X-Originating-IP: 127.0.0.1` 
+* `X-Forwarded-For: 127.0.0.1` 
+* `X-Remote-IP: 127.0.0.1` 
+* `X-Remote-Addr: 127.0.0.1`
+* `X-ProxyUser-Ip: 127.0.0.1`
+* `X-Original-URL: 127.0.0.1`
+* `Connection: close, X-Forwarded-For` \(Check hop-by-hop headers\)
+
+Rewrite **location**:
+
+* `X-Original-URL: /admin/console`
+* `X-Rewrite-URL: /admin/console`
+
+## Hop-by-Hop headers
+
+A hop-by-hop header is a header which is designed to be processed and consumed by the proxy currently handling the request, as opposed to an end-to-end header.
+
+* `Connection: close, X-Forwarded-For`
+
+{% page-ref page="../../pentesting-web/abusing-hop-by-hop-headers.md" %}
+
+## HTTP Request Smuggling
+
+* `Content-Length: 30`
+* `Transfer-Encoding: chunked`
+
+{% page-ref page="../../pentesting-web/http-request-smuggling.md" %}
+
+
+