Web Attacks
Web application vulns and exploits
Banner grabbing
Netcat (for HTTP services)
OpenSSL (for HTTPS services)
Httprint
HTTP Verbs
GET, POST, HEAD, PUT, DELETE
PUT is used to upload a file to the server.
You have to know the size of the file you are uploading first.
DELETE is used to delete a file from the server.
OPTIONS is used to query the webserver for the enabled HTTP verbs.
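As an added example (not from the original notes), the following Python builds the same raw OPTIONS and PUT requests you would otherwise type into netcat, parses the reply, and flags verbs such as PUT and DELETE that should normally be disabled on a web root. The sample response is constructed, not captured from any real server; the host name and port in `probe()` are whatever you point it at.

```python
import socket

# Verbs that should rarely be enabled on a production web root.
RISKY_VERBS = {"PUT", "DELETE", "TRACE", "CONNECT"}

def build_request(method, host, path="/", body=b""):
    """Raw HTTP/1.1 request text, as you would type it into netcat.
    Content-Length is computed from the body: this is the 'file size'
    you need to know before a PUT."""
    lines = [f"{method} {path} HTTP/1.1", f"Host: {host}", "Connection: close"]
    if body:
        lines.append(f"Content-Length: {len(body)}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode() + body

def parse_response(raw):
    """Return (status_code, {lower-cased header name: value}) from raw bytes."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    status_line, *header_lines = head.decode(errors="replace").split("\r\n")
    status = int(status_line.split()[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def audit(raw_response):
    """Summarise what a banner grab / OPTIONS probe reveals about a server."""
    status, headers = parse_response(raw_response)
    allowed = {v.strip().upper() for v in headers.get("allow", "").split(",") if v.strip()}
    return {
        "status": status,
        "server": headers.get("server", "(no banner)"),
        "allowed": sorted(allowed),
        "risky": sorted(allowed & RISKY_VERBS),
    }

def probe(host, port=80, path="/", timeout=5):
    """Send OPTIONS over a plain socket (no TLS) and audit the reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_request("OPTIONS", host, path))
        chunks = []
        while chunk := s.recv(4096):
            chunks.append(chunk)
    return audit(b"".join(chunks))

# Constructed sample reply for offline use (not from a real server).
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: ExampleHTTPd/1.0\r\n"
    b"Allow: GET,HEAD,POST,OPTIONS,PUT,DELETE\r\n"
    b"Content-Length: 0\r\n\r\n"
)
```

Running `audit(SAMPLE_RESPONSE)` reports PUT and DELETE as risky; for HTTPS services wrap the socket with `ssl` before sending, as the OpenSSL note above implies.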
Directory and File scanning
Dirbuster
dirb
You can choose different wordlists for the dictionary brute force, but in my experience most lab targets can be found with common.txt.
You can also choose different extensions, but php and bak will be the most useful ones to find.
If the webpage requires HTTP authentication or some other kind of login, you can set the credentials in Dirbuster under [Options -> Advanced Options -> Authentication options].
The con with Dirbuster is that it sometimes freezes, which is a real bummer; otherwise it's really good.
Google Dorks
site:
intitle:
inurl:
filetype:
AND, OR & |
- (exclude a term)
See the GHDB (Google Hacking Database) for more resources.
XSS (Cross-Site Scripting)
Find a reflection point
Test with HTML tag (<h1>Test</h1>)
Test with JS code [alert('XSS')]
XSS filter bypass cheatsheet: OWASP cheatsheet
Reflected XSS: Payload is carried inside the request the victim sends to the website. Typically the link contains the malicious payload.
Persistent XSS: Payload remains in the site that multiple users can fall victim to. Typically embedded via a form or forum post.
SQL Injections
GET
Database USER
Databases
Dump all
POST
Find the parameters that are being passed in POST using BurpSuite.
E.g: username=some&password=thing
where the parameter username is vulnerable.
The Databases, Users and dump-all switches are the same as for the GET parameter.
If you aren't able to deduce which parameter is vulnerable in POST, you can drop the -p switch: sqlmap will test the parameters and find the vulnerable one on its own, so don't sweat it. For most of the prompts use the default options (i.e. just press enter).
The --technique switch is used to create less noise and prevent the service from shutting down due to query overload. If the given techniques do not work, try removing the switch.
OS-Shell
SQL-Shell