I needed a place to collect all the tools, resources and tutorials about web application security and testing. This is my way.
- https://github.com/jhaddix/SecLists/tree/master/Discovery/DNS
- https://github.com/caffix/amass/tree/master/wordlists
- https://github.com/danielmiessler/RobotsDisallowed
python sublist3r.py -d domain.com -o domain_report_sublist3r.txt
gobuster -u domain.com -fw -m dns -v -w list.txt -o domain_report_gobuster.txt
./enumall.py domain.com
Not tested yet
python domLink.py -D domain.com -o domlink_report_domain.txt
amass -d domain.com
Lists can be found here
- Scanner -> Live scanning -> Live Passive Scanning -> Don't scan
- Spider -> Options -> Form submission -> Don't submit forms or Prompt for guidance
- Target -> Scope -> "Use advanced scope control" and -> Add -> Host field -> Domain name (e.g. for example.com I use the "example" keyword)
- Manually browse
- Target -> Site map -> Filter -> Show only in-scope items
- Target -> Site map -> manually select host to spider, right click and Spider Selected items
- inurl:example.com (exclude each host already found with -already_known_host)
- Trademark: "© 2015 - 2018 Company Name Inc." depending on the format used (look for it in the main domain's footer)
- Insert domain.com and check the SSL certificate to get other domains and subdomains covered by the same certificate
- Can find information, related companies, new acquisitions and a lot of other things about a company and its domain(s)
Search all JS for hidden paths and URLs with Burp Suite
- Right click on the target site
- Engagement tools -> Find scripts -> Search
- Once found -> Export script (e.g. to feed it to a JS parser)
python handler.py
Then visit http://localhost:8008
Sounds interesting. Have to test it yet
./EyeWitness.py --timeout 31 --prepend-https -f domain_domain_list.txt
If I find a 401/403, basic auth, or something otherwise locked down
cat domains.txt | waybackurls > urls
Get all links from archive.org using a domains list
SubOver -l /root/Documents/company_subdomain_list.txt -https -v
./subjack -w subdomains.txt -o subjack_results.txt -ssl -a -v
An interesting source to understand IF and HOW a subdomain takeover is possible
- intext:"There isn't a Github Pages site here" and intitle:"Site not found · GitHub Pages"
gobuster -u domain.com -fw -v -w list.txt -o domain_report_gobuster.txt
An interesting list is RobotsDisallowed
A useful list to add when bruteforcing subdirectories is this list of DB backup filenames
Will test soon.
Too early to say something
- Typical parameters to look at:
- redirect_to=
- domain_name=
- checkout_url=
- r=
- u=
- returnTo=
- return=
- go=
- redirect=
- url=
- Common pages are: login, register, logout, change site language, links in emails.
- java%0d%0ascript%0d%0a:alert(0) (CRLF injection to bypass a blacklist on javascript:)
- //google.com (in case http:// is blacklisted)
- https:google.com (browsers accept this; good if // is blacklisted!)
- //google%E3%80%82com (%E3%80%82 is 。 encoded. A HUGE thanks to filedescriptor for showing me that)
- \/\/google.com/ (useful for bypassing // and http:// blacklists; browsers see \/\/ as //)
- /\/google.com/ (same as above)
- //google%00.com (null byte to bypass a blacklist filter; can be used anywhere)
- http://www.theirsite.com@yoursite.com/ (oldie, but browsers will redirect to anything after @)
- http://www.yoursite.com/http://www.theirsite.com/ (if @ is blacklisted and they check that their domain is in the parameter, make a folder named as their domain :D)
- ";alert(0);// (example from above: if the URL is echoed into a variable and we want XSS inside a script tag)
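Why these payloads work, as an added example that is not part of the original notes: a blacklist-style redirect validator of the kind seen in the wild (block `http(s)://` to foreign hosts, block `javascript:`, trust anything that "contains" the site's own hostname) next to an allowlist version that parses the decoded URL and accepts only a local path or an exact host match. `TRUSTED_HOST`, `www.theirsite.com` and `yoursite.com` are assumed names following the payloads above; `PAYLOADS` is the list above as constructed input.

```python
from urllib.parse import urlsplit, unquote

# Added example (not from the original page). TRUSTED_HOST is an assumed value.
TRUSTED_HOST = "www.theirsite.com"

# The payloads listed above, as constructed test input.
PAYLOADS = [
    "java%0d%0ascript%0d%0a:alert(0)",
    "//google.com",
    "https:google.com",
    "//google%E3%80%82com",
    "\\/\\/google.com/",
    "/\\/google.com/",
    "//google%00.com",
    "http://www.theirsite.com@yoursite.com/",
    "http://www.yoursite.com/http://www.theirsite.com/",
    '";alert(0);//',
]


def naive_is_safe(target: str) -> bool:
    """Blacklist check: block http(s):// to foreign hosts and javascript:, accept the rest.
    'Foreign' is decided by checking that our hostname appears somewhere in the URL."""
    lowered = target.lower()
    if lowered.startswith(("http://", "https://")):
        return TRUSTED_HOST in lowered          # 'their domain is in the param'
    if lowered.startswith("javascript:"):
        return False
    return True                                 # treated as a relative path


def hardened_is_safe(target: str) -> bool:
    """Allowlist check: decode once, reject control characters and backslashes outright,
    then accept only a single-slash local path or an absolute URL whose host is exactly ours."""
    decoded = unquote(target)
    if any(c in decoded for c in "\x00\r\n\t\\"):
        return False                            # CRLF, null byte, \/ tricks
    try:
        parts = urlsplit(decoded)
    except ValueError:
        return False
    if parts.scheme in ("http", "https") and parts.netloc:
        # hostname strips userinfo, so 'theirsite.com@yoursite.com' resolves to yoursite.com
        return parts.hostname == TRUSTED_HOST
    if parts.scheme or parts.netloc:
        return False                            # javascript:, data:, 'https:google.com', //host
    return decoded.startswith("/") and not decoded.startswith("//")


def bypasses(check) -> list:
    """Payloads that a given validator wrongly accepts."""
    return [p for p in PAYLOADS if check(p)]


if __name__ == "__main__":
    print("naive accepts:   ", bypasses(naive_is_safe))
    print("hardened accepts:", bypasses(hardened_is_safe))
```

The naive validator accepts all ten payloads; the hardened one rejects all of them while still allowing `/account/settings` and `https://www.theirsite.com/home`. The order matters: decode first (so `%2f%2f` becomes `//`), reject control characters before parsing (Python's parser silently strips some of them), and never decide on substring presence.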
- Add new parameter with the same name (e.g. ?par1=123&par2=456&par1=789)
- Replace ampersand character "&" with "%26"
- Change parameter position
- Try changing typical or intelligible parameter names (edit, view, delete)
- Change the HTTP method (POST if GET and vice versa)
- you put in a negative number?
- you increment or decrement the number?
- you put in a really large number?
- you put in a string or symbol characters?
- you try to traverse a directory with ../ ?
- you put in XSS vectors?
- you put in SQLi vectors?
- you put in non-ASCII characters?
- you mess with the variable type, such as turning a string into an array?
- you use null characters or no value?
Web Application Server Backend | Parsing Result | Example |
---|---|---|
ASP.NET / IIS | All occurrences concatenated with a comma | color=red,blue |
ASP / IIS | All occurrences concatenated with a comma | color=red,blue |
PHP / Apache | Last occurrence only | color=blue |
PHP / Zeus | Last occurrence only | color=blue |
JSP, Servlet / Apache Tomcat | First occurrence only | color=red |
JSP, Servlet / Oracle Application Server 10g | First occurrence only | color=red |
JSP, Servlet / Jetty | First occurrence only | color=red |
IBM Lotus Domino | Last occurrence only | color=blue |
IBM HTTP Server | First occurrence only | color=red |
mod_perl, libapreq2 / Apache | First occurrence only | color=red |
Perl CGI / Apache | First occurrence only | color=red |
mod_wsgi (Python) / Apache | First occurrence only | color=red |
Python / Zope | All occurrences in List data type | color=['red','blue'] |
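The table matters because two components in one request path often apply different rows: a WAF or reverse proxy that reads the first occurrence sits in front of a PHP backend that reads the last, or an ASP.NET backend concatenates values that were each harmless on their own. The following is an added example (not from the original notes) implementing the three policies and checking for that mismatch; it also shows the `%26` trick from the parameter-tampering list, where an encoded ampersand stays inside one value. Queries and the `id` parameter are constructed for the example.

```python
from urllib.parse import parse_qsl, urlencode

# Added example (not from the original page): the three parsing policies from the HPP table.


def first_occurrence(query: str) -> dict:
    """Tomcat / Jetty / mod_wsgi style: the first value wins."""
    out = {}
    for key, value in parse_qsl(query, keep_blank_values=True):
        out.setdefault(key, value)
    return out


def last_occurrence(query: str) -> dict:
    """PHP / Apache style: the last value wins."""
    return dict(parse_qsl(query, keep_blank_values=True))


def concatenated(query: str, sep: str = ",") -> dict:
    """ASP / ASP.NET on IIS style: all values joined with a comma."""
    out = {}
    for key, value in parse_qsl(query, keep_blank_values=True):
        out[key] = value if key not in out else out[key] + sep + value
    return out


POLICIES = {"first": first_occurrence, "last": last_occurrence, "concat": concatenated}


def hpp_bypass(query: str, filter_policy: str, backend_policy: str,
               param: str, marker: str) -> bool:
    """True when the filter's view of `param` is free of `marker` while the backend's
    view contains it, i.e. the payload passes inspection but still reaches the backend."""
    seen_by_filter = POLICIES[filter_policy](query).get(param, "")
    seen_by_backend = POLICIES[backend_policy](query).get(param, "")
    return marker not in seen_by_filter and marker in seen_by_backend


def hpp_split_payload(fragments: list, param: str) -> str:
    """Carry `fragments` as repeated values of `param`. A concatenating backend reassembles
    them with commas in between, which SQL comment markers can swallow: 1/*,*/ OR 1=1."""
    return urlencode([(param, fragment) for fragment in fragments])


if __name__ == "__main__":
    q = "id=1&id=1%27+OR+1%3D1"
    print("first:", first_occurrence(q), "last:", last_occurrence(q), "concat:", concatenated(q))
    print("first-only filter in front of last-only backend bypassed:",
          hpp_bypass(q, "first", "last", "id", "OR 1=1"))
```

The `hpp_split_payload` helper illustrates the ASP.NET row: each individual value looks like a comment fragment, and only the backend's comma-joined string is a complete injection.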
- If a site sends a CSRF token with a POST request, try changing its value or removing it to check that the server actually validates it.
- Rename the file extension, e.g. file.png -> file.png.php, file.php -> file.php.png
- Change the extension's case, e.g. file.png -> file.png.PHP, file.php -> file.PhP.png
- Change the extension's position, e.g. file.png.php -> file_png.php
- Use unusual extensions that may still be handed to the PHP interpreter, such as .pht or .phtml
- Insert a null byte in the file name: shell.php%001.jpg or shell.php\x00.jpg (the name is truncated at the null byte; PHP fixed this in 5.3.4, other backends may still be affected)
- Insert a payload in the Exif headers of an image (it only runs if the file is later parsed by an interpreter)
- Upload a huge file to test for denial of service on the server
- If the filename is not sanitised before being inserted into the database, SQL injection through the filename may be possible
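As an added example (not from the original notes), here is the kind of substring extension check that the renaming tricks above defeat, beside an allowlist check that normalises the name, rejects null bytes and double extensions, verifies the magic bytes against the claimed type, and stores the file under a server-chosen random name so the original filename never reaches the filesystem or the database. The allowed extensions, signatures and name limits are assumptions for the example.

```python
import re
import secrets

# Added example (not from the original page). Allowed types and limits are assumptions.
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif"}
MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}


def weak_check(filename: str) -> bool:
    """Accepts any name that merely contains an allowed extension somewhere:
    shell.php.png, shell.png.PHP and shell.php\\x00.jpg all pass."""
    lowered = filename.lower()
    return any("." + ext in lowered for ext in ALLOWED_EXTENSIONS)


def validate_upload(filename: str):
    """Return the normalised extension if the name is acceptable, else None."""
    if "\x00" in filename:
        return None
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]   # drop any client-supplied path
    parts = base.lower().split(".")
    if len(parts) != 2:            # exactly one dot: no shell.php.png, no .htaccess
        return None
    stem, ext = parts
    if ext not in ALLOWED_EXTENSIONS or not re.fullmatch(r"[a-z0-9_-]{1,64}", stem):
        return None
    return ext


def magic_matches(data: bytes, ext: str) -> bool:
    """Check that the file header agrees with the claimed extension."""
    return any(data.startswith(sig) for sig in MAGIC.get(ext, ()))


def storage_name(ext: str) -> str:
    """Server-chosen name: random, never derived from user input."""
    return f"{secrets.token_hex(16)}.{ext}"


def accept_upload(filename: str, data: bytes):
    """Full decision: the name to store under, or None if rejected."""
    ext = validate_upload(filename)
    if ext is None or not magic_matches(data, ext):
        return None
    return storage_name(ext)


if __name__ == "__main__":
    for name in ("shell.php.png", "shell.png.PHP", "shell.php\x00.jpg", "avatar.PNG"):
        print(repr(name), "weak:", weak_check(name), "hardened:", validate_upload(name))
```

The magic-byte check does not stop a polyglot (a valid PNG with PHP in its Exif data), which is why the last step matters: the stored file keeps an image extension and a name the uploader never chose, so nothing ever asks an interpreter to execute it.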
- Try blind XSS injection into the User-Agent, Referer or Origin headers. The Firefox User Agent Switcher extension is useful to change the UA on the fly
python3 xsstrike
python XssPy.py -d website.com -v -e
- Scan a CIDR for phpinfo() to get PHP information disclosure. This script can scan a huge number of IPs for the phpinfo.php file:

```bash
#!/bin/bash
# Walks 98.136.0.0 - 98.139.255.255 and requests /phpinfo.php from every host
# (one retry, five-second timeout); runs in the background.
for ipa in 98.13{6..9}.{0..255}.{0..255}; do
  wget -t 1 -T 5 "http://${ipa}/phpinfo.php"
done &
```
- Hidden form field
- HTTP Cookies
- URL Parameters (?name=value)
- Referer header
- Opaque data (encrypted or obfuscated data in hidden form field, in cookie etc)
- ViewState in ASP.NET (if not protected with MAC protection)
- Too short or blank
- Common dictionary words or names
- Same as username
- Set to default value
- No limit on login attempts
- Stored in clear text (if the store leaks there is nothing to crack)
- Failed-login counter kept only on the client side (e.g. a cookie such as failedLogin=1)
- Failed-login counter held in the current session (so a fresh session, e.g. after deleting the session cookie, resets it)
- Account locked after a number of attempts, but the application still reveals whether the supplied password was correct; the lock may also expire automatically after a delay
- Response reveals whether the failure was an unrecognised username or a wrong password (iterate a common-username list to find valid ones, then attack their passwords)
- Username disclosure in the registration form (duplicate check), the password change form or the forgotten-password function
- Predictable usernames (the email address, the local part of the email, or generated sequentially: user123, user124, user125)
- Subtle differences in the failed-login response between a valid and an invalid username: the page may look identical while cookies, HTTP headers, status code or the HTML differ
- Timing attacks: different response times for valid and invalid usernames. Try a common-username list and, if possible, at least one known-valid username as a baseline
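The timing difference usually comes from the login code itself rather than from anything deliberate: the password hash is only computed when the username exists. The following added example (not from the original notes) shows that routine beside one that does the same work for every username. The user table, salts and iteration count are constructed for the example; `hash_work` counts expensive derivations as a deterministic proxy for the response time an attacker would measure with `time_login`.

```python
import hashlib
import hmac
import os
import time

# Added example (not from the original page). Users, salts and iterations are constructed.
ITERATIONS = 20_000
_hash_calls = [0]   # how many times the expensive derivation ran


def derive(password: str, salt: bytes) -> bytes:
    _hash_calls[0] += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed user table: username -> (salt, derived key)
_ALICE_SALT = os.urandom(16)
USERS = {"alice": (_ALICE_SALT, derive("correct horse battery", _ALICE_SALT))}
# Fixed dummy record used for unknown usernames so the hardened path costs the same
_DUMMY_SALT = os.urandom(16)
_DUMMY_KEY = derive("dummy", _DUMMY_SALT)


def vulnerable_login(username: str, password: str) -> bool:
    """Returns early for unknown users: no derivation runs, the response is much faster,
    and a username list can be validated without a single correct password."""
    record = USERS.get(username)
    if record is None:
        return False
    salt, stored = record
    return hmac.compare_digest(derive(password, salt), stored)


def hardened_login(username: str, password: str) -> bool:
    """Always derives and always compares in constant time, against the dummy record when
    the username is unknown; only the final boolean depends on the lookup."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_KEY))
    ok = hmac.compare_digest(derive(password, salt), stored)
    return ok and username in USERS


def hash_work(login, username: str, password: str) -> int:
    """Number of expensive derivations one login attempt triggers."""
    before = _hash_calls[0]
    login(username, password)
    return _hash_calls[0] - before


def time_login(login, username: str, password: str, rounds: int = 5) -> float:
    """Median wall-clock seconds per attempt, the measurement an attacker makes over the network."""
    samples = []
    for _ in range(rounds):
        start = time.perf_counter()
        login(username, password)
        samples.append(time.perf_counter() - start)
    return sorted(samples)[len(samples) // 2]


if __name__ == "__main__":
    for name in ("alice", "nobody"):
        print(f"{name:8s} vulnerable={time_login(vulnerable_login, name, 'x'):.4f}s "
              f"hardened={time_login(hardened_login, name, 'x'):.4f}s")
```

Run stand-alone it prints the per-username timings; the vulnerable routine answers unknown users in microseconds and known users in tens of milliseconds, which is the gap a wordlist run with a known-valid baseline picks up even over the network.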
- Sometimes this function is accessible without authentication
- Unrestricted (no rate limit) guesses of the existing password
- Verbose messages disclosing username validity
- The "new password" and "confirm password" fields may behave differently when the existing password is valid, or when the current and new passwords are identical
- If the function is only for authenticated users, it may still carry the target username somewhere (hidden form field, cookie, other). Try overriding that hidden username
- Easily guessable challenge (public information such as mother's maiden name or birthday)
- Brute-forceable response to the challenge
- Password recovery hint equal to the password
- User dropped into an authenticated session after successfully completing a challenge
- Recovery URL sent to an address supplied in the request rather than to the registered email address
- Recovery URL or user email visible in hidden fields or in a cookie
- Password reset allowed directly after completing the challenge
- Only the username is stored in the cookie that is used to grant access
- Only the user ID or another identifier is stored in the cookie that grants access on a remembered computer
- No access control, so anyone who knows the function's URL can use it
- User-controllable data may determine which user is impersonated
- If administrator accounts can be impersonated, an attacker gains full control of the application
- A default password that impersonates any user on the login function
- Only the first n characters of the password are validated
- Case-insensitive password check
- Unusual characters stripped before the password is checked
- Two users may be able to register with the same username, possibly even with the same password
- Unpredictable consequences at login
- Usernames can be nonintrusively discovered
- Default password for every new account
- The method of generating initial passwords can be replicated by an attacker
- Insecure distribution of credentials
- Most users never change the initial credentials
- Activation token can be guessed
- Username and password sent together
- If the username or password is empty, the application throws an exception and the login succeeds (fails open)
- Application may assume that a user who reaches stage two has cleared stage one
- Application may trust data at stage two because it was validated at stage one
- Application assumes the same user identity is used in every stage
- Passwords stored in clear text
- Passwords "encrypted" or hashed with a plain standard algorithm (e.g. unsalted MD5/SHA-1), which is quick to crack offline
- Meaningful tokens
- Can be decoded and their structure disclosed
- Perhaps not all components of the decoded token are validated server side, so fuzzing becomes faster
- With a small sample of tokens it is possible to predict other valid session tokens
- Concealed sequences: try to work out how they are generated
- Time dependency: e.g. the token contains an ID and a timestamp; with such a predictable pattern it is easy to brute-force a valid session token
- Weak random number generation: the generator may be deterministic, e.g. seeded from the user's IP (PHP 5.3.2 with the phpwn tool)
- Burp Sequencer can test the quality of randomness given a sample of session tokens
- ECB ciphers
- CBC ciphers (flip bits with Burp Intruder)
- Cookie domain restrictions
- Cookie path restrictions
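Two of the token weaknesses above (meaningful tokens, and time-dependent concealed sequences), as an added example that is not part of the original notes: a base64 "uid:role:timestamp" token that an attacker decodes and rewrites because nothing authenticates it, an MD5-of-id-and-timestamp token that looks random but is recovered by walking a small id range times a few seconds around the login time against the server's validity oracle, and the random token a server should issue instead. User IDs, timestamps, roles and the active-session set are constructed values.

```python
import base64
import hashlib
import math
import secrets

# Added example (not from the original page). Ids, timestamps and sessions are constructed.


def meaningful_token(user_id: int, role: str, issued_at: int) -> str:
    """Session token that is just base64 of 'uid:role:timestamp' with no integrity check."""
    return base64.urlsafe_b64encode(f"{user_id}:{role}:{issued_at}".encode()).decode()


def decode_meaningful(token: str) -> dict:
    """Attacker: decoding discloses the structure..."""
    uid, role, ts = base64.urlsafe_b64decode(token.encode()).decode().split(":")
    return {"user_id": int(uid), "role": role, "issued_at": int(ts)}


def forge_admin(token: str) -> str:
    """...and with no MAC the role field can simply be rewritten."""
    fields = decode_meaningful(token)
    return meaningful_token(fields["user_id"], "admin", fields["issued_at"])


def timed_token(user_id: int, issued_at: int) -> str:
    """Looks random (MD5 hex) but is a pure function of a small user id and a
    second-granularity timestamp: a concealed sequence."""
    return hashlib.md5(f"{user_id}:{issued_at}".encode()).hexdigest()


def brute_force_session(is_valid, candidate_ids, approx_time: int, window: int):
    """Attacker: enumerate ids x seconds around a guessed login time and test each candidate
    against the server (is_valid plays the server). Returns (token, user_id, issued_at) or None."""
    for uid in candidate_ids:
        for ts in range(approx_time - window, approx_time + window + 1):
            token = timed_token(uid, ts)
            if is_valid(token):
                return token, uid, ts
    return None


def search_space_bits(n_users: int, window_seconds: int) -> float:
    """Effective entropy of the timed token: log2(ids x seconds), against 256 for random_token."""
    return math.log2(n_users * (2 * window_seconds + 1))


def random_token() -> str:
    """What the server should issue: 32 bytes from the OS CSPRNG, meaningless and unguessable."""
    return secrets.token_urlsafe(32)


if __name__ == "__main__":
    active_sessions = {timed_token(1042, 1_700_000_000)}     # constructed server state
    print("forged:", decode_meaningful(forge_admin(meaningful_token(7, "user", 1_700_000_000))))
    print("recovered:", brute_force_session(active_sessions.__contains__, range(1000, 1100),
                                            1_700_000_012, 30))
    print(f"timed token entropy: {search_space_bits(100, 30):.1f} bits")
```

In the stand-alone run the timed token for user 1042 is found after at most 100 x 61 guesses, roughly 12.6 bits of work; that is the number to compare against what Burp Sequencer reports for a real sample.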
- Vertical access control: from user to admin
- Horizontal access control: from user to user
- Context-dependent access control: the user should only access what the current state permits
- Anyone who knows the admin URL can use the administrative functions in full
- Links to administrative functions may be hidden in JavaScript, hidden fields or comments
- Administrative methods can be reached directly through the API or JavaScript
- A user who knows a resource's URL can access it even when not logged in, or when the resource belongs to another user
- Application assumes an earlier stage has been completed when a later stage is accessed
- Can be accessed directly
- A function is designed to work with POST but still works with GET
- Application handles requests with unrecognized HTTP methods as GET
- User role is determined from client-transmitted parameters (hidden form fields, cookies, query string parameters)
- Application relies on the Referer header to allow administrative functions: requests that appear to come from the administration page are allowed
- Location-based restrictions can be circumvented using a proxy, a VPN, or client-side manipulation of the geolocation mechanism
- Test with Burp -> compare site maps
- Test with different user level accounts (not logged user, logged user, admin user)
- Test with Burp Suite BurpAuthzPlugin
- Test with Burp Suite AutoRepeater plugin
- Complete each stage with a high-privilege account. Then use the "Request in browser" feature to replay each stage with a lower-privilege account (to test access control) and with the higher-privilege account (to test whether a stage is reachable without the earlier ones)
- Try adding parameters such as admin=true to GET or POST requests
- Try removing or modifying the Referer header to check whether the application trusts it in an unsafe way
- Check client-side HTML and scripts for hidden functionality
- Every time the application uses any kind of identifier (document ID, account number, order reference) to select a resource, try to discover identifiers of resources you are not authorized to access
- Generate a series of identifiers (e.g. by creating multiple documents) to discover how they are produced
- With a high-privilege user, check whether requests are still carried out after changing the HTTP method. Then repeat with a low-privilege user to check whether the privilege-based restrictions are still enforced when the method is changed.
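The weaknesses listed above (method-specific checks, trusted Referer, role from a client parameter) and the replay tests described in this section, as one added example that is not part of the original notes: a toy authorisation layer with the three flaws, a hardened version that decides only on the server-side session, and a `probe` function that does the low-privilege replay (method changes, forged Referer, `admin=true`) and reports which variants get through. Paths, session ids, usernames, roles and the admin origin are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Optional

# Added example (not from the original page). Paths, sessions, users and roles are constructed.


@dataclass
class Request:
    method: str
    path: str
    session: Optional[str] = None
    params: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


SESSIONS = {"sess-admin": "root", "sess-user": "bob"}     # server-side session store
ROLES = {"root": "admin", "bob": "user"}
ADMIN_PATHS = {"/admin/users/delete", "/admin/config"}
ADMIN_ORIGIN = "https://app.example/admin/"


def vulnerable_authorize(req: Request) -> bool:
    """Allows the request when its checks pass. The flaws, in order:
    1. the check only runs for POST, so GET/HEAD/unknown methods slip through;
    2. a Referer from the admin area is taken as proof the caller is an admin;
    3. a client-supplied admin=true parameter is trusted."""
    if req.path not in ADMIN_PATHS:
        return True
    if req.method != "POST":
        return True                                         # flaw 1
    if req.headers.get("Referer", "").startswith(ADMIN_ORIGIN):
        return True                                         # flaw 2
    if req.params.get("admin") == "true":
        return True                                         # flaw 3
    return ROLES.get(SESSIONS.get(req.session, "")) == "admin"


def hardened_authorize(req: Request) -> bool:
    """Role comes from the server-side session only; the decision does not depend on the
    HTTP method or on any header or parameter the client controls."""
    if req.path not in ADMIN_PATHS:
        return True
    return ROLES.get(SESSIONS.get(req.session, "")) == "admin"


def probe(authorize, path: str, session: Optional[str]) -> list:
    """The manual replay test, automated: send the admin request as the given (low-privilege
    or anonymous) session with method changes, a forged Referer and admin=true, and return
    the names of the variants the authorisation layer lets through."""
    variants = {
        "GET": Request("GET", path, session),
        "HEAD": Request("HEAD", path, session),
        "FOO": Request("FOO", path, session),
        "POST": Request("POST", path, session),
        "POST+referer": Request("POST", path, session,
                                headers={"Referer": ADMIN_ORIGIN + "users"}),
        "POST+admin=true": Request("POST", path, session, params={"admin": "true"}),
    }
    return [name for name, req in variants.items() if authorize(req)]


if __name__ == "__main__":
    for label, authorize in (("vulnerable", vulnerable_authorize), ("hardened", hardened_authorize)):
        print(f"{label:10s} as bob:      ", probe(authorize, "/admin/users/delete", "sess-user"))
        print(f"{label:10s} anonymous:   ", probe(authorize, "/admin/users/delete", None))
        print(f"{label:10s} as root:     ", probe(authorize, "/admin/users/delete", "sess-admin"))
```

The "compare site maps" approach is the same idea at scale: every path the high-privilege walk found is replayed under the low-privilege session, and anything that comes back with the same response is a finding. The probe adds the per-request variants that a plain replay misses.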