📋Web Application Checklist

Fuzz first with feroxbuster

feroxbuster -u http://whatever.com/ -x php -C 404 -A --wordlist '/usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt' -B --auto-tune

robots.txt , .svn, .DS_STORE
Try different request type(POST & GET) in burp
Try to analyse website with html2markdown:

curl -s http://192.168.219.140:8000/ | html2markdown

Use cewl for custom wordlists and --lowercase for lowercase letters.
If apache try shellshock (cgi-bin) might be in windows too

nmap -sV -p8081 --script http-shellshock --script-args uri=/cgi-bin/user.sh,cmd=echo\;/bin/ls 127.0.0.1

Try DoNotExist.php, DoNotExist.html, DoNotExist to check if the website 404 message changes . Refer snoopy ippsec.
Always add the DNS address
Check for default passwords
Check for headers if any special header required to access vhost
Nmap http enum scan: sudo nmap -p80 --script=http-enum <ip>
In curl use --data-urlencode to automaticatlly url encode
If Apache 2.4.49 then path traversal is vulnerable.
phpinfo for path:

Git

To find git repo use linpeas or winpeas and to check use ls -la or ls -fo to look for .git file in the repo.

If git repo found as a directory:

git-dumper

To check the commit log

git log

Then check the commit diff:

git show 967fa71c359fffcbeb7e2b72b27a321612e3ad11

Use git-extractor

Common Attacks

</> Command Injections
Path Traversal & File Inclusion
- Check for phpinfo if the HTTP server uses PHP
- Fuzzing for LFI
ffuf -u http://<url>/download?file=FUZZ -w /usr/share/seclists/Fuzzing/LFI/LFI-Jhaddix.txt
There are other worldlists to fuzz for LFI as well.
File Upload Attacks
IDOR(Insecure Direct Object References)
SQL Injection & 🛢Attacking SQL
XSS (Cross-Site Scripting)
XXE(XML External Entity)
Log4Shell
Check Abusing APIs
Try Custom Wordlist on the website if login required
Bypassing WAF

Wordpress

First check plugins

To enumerate wordpress plugins

wpscan --url http://192.168.50.244 --enumerate p --plugins-detection aggressive

Run normally too otherwise might miss plugins

Normally:

wpscan --url http://192.168.50.244

Directory Busting

For overall content search: Ferozbuster with —thorough and smart Dirsearch - brings in different stuff. Check robots.txt and sitemap.xml Also try txt and pdf files

-f can cause a ton of false positives
-n stops recursive directory lookups
-b searches for backups; can produce false positives

feroxbuster -u http://host.domain.tld:80/ -f -n -C 404 -A -e -S 0 --auto-tune --burp-replay

feroxbuster -u http://host.domain.tld:80/ -f -n -C 404 -A -e -S 0 --auto-tune --burp-replay --dont-scan Css Js css img js IMG JS Img CSS fonts Fonts master

feroxbuster -u http://host.domain.tld:80/ -x asp,aspx,html,php,xml,json,txt,log -C 404 -A -e -S 0 --auto-tune --burp-replay

feroxbuster -u http://host.domain.tld:80/ -C 404 -A -e -S 0 --wordlist '/usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt' -B --auto-tune --burp-replay

Gobuster

gobuster dir -u ${url} -w /usr/share/wordlists/dirb/common.txt -t 5

Curl

-L - to follow redirects -d - To add json data -i - To

PreviousWeb Applications Next🛢Attacking SQL

Last updated 4 days ago