80,443 - Pentesting Web Methodology


Basic Information

The web service is the most common and extensive service, and many different types of vulnerabilities exist in it.

Default ports: 80 (HTTP), 443 (HTTPS)

```
PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  ssl/https
```

```bash
nc -v domain.com 80 # GET / HTTP/1.0
openssl s_client -connect domain.com:443 # GET / HTTP/1.0
```

Web API Guidance

Web API Pentesting

Methodology summary

In this methodology we are going to assume that you are attacking a domain (or subdomain) and only that. So, you should apply this methodology to each discovered domain, subdomain or IP with an undetermined web server inside the scope.

  • Start by identifying the technologies used by the web server. Look for tricks to keep in mind during the rest of the test if you can successfully identify the tech.
  • Any known vulnerability of the version of the technology?
  • Using any well known tech? Any useful trick to extract more information?
  • Any specialised scanner to run (like wpscan)?
  • Launch general purpose scanners. You never know if they are going to find something or some interesting information.
  • Start with the initial checks: robots, sitemap, 404 error and SSL/TLS scan (if HTTPS).
  • Start spidering the web page: it's time to find all the possible files, folders and parameters being used. Also, check for special findings.
  • Note that anytime a new directory is discovered during brute-forcing or spidering, it should be spidered.
  • Directory Brute-Forcing: try to brute force all the discovered folders searching for new files and directories.
  • Note that anytime a new directory is discovered during brute-forcing or spidering, it should be brute-forced.
  • Backups checking: test if you can find backups of discovered files by appending common backup extensions.
  • Brute-Force parameters: try to find hidden parameters.
  • Once you have identified all the possible endpoints accepting user input, check for all kinds of vulnerabilities related to them.
  • Follow this checklist

Server Version (Vulnerable?)

Identify

Check if there are known vulnerabilities for the server version that is running. The HTTP headers and cookies of the response can be very useful to identify the technologies and/or version being used. An Nmap scan can identify the server version, but the tools whatweb, webtech or https://builtwith.com/ can also be useful:

```bash
whatweb -a 1 <URL> #Stealthy
whatweb -a 3 <URL> #Aggressive
webtech -u <URL>
webanalyze -host https://google.com -crawl 2
```
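As an added example (not part of this page and not the code of whatweb or webtech), this Python pass over a constructed HTTP response shows the three fingerprint sources the paragraph mentions, headers, cookie names and the generator meta tag, and collects the "Product/version" tokens that you would then look up for known vulnerabilities. The sample response and the cookie-name table are assumptions made for the example.

```python
import re
from typing import Dict, List

# Constructed sample response (not captured from any real host): Server and
# X-Powered-By headers, session cookie names and a generator meta tag.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache/2.4.41 (Ubuntu)\r\n"
    b"X-Powered-By: PHP/7.4.3\r\n"
    b"Set-Cookie: PHPSESSID=abc123; path=/; HttpOnly\r\n"
    b"Set-Cookie: wordpress_test_cookie=WP+Cookie+check; path=/\r\n"
    b"Content-Type: text/html; charset=UTF-8\r\n"
    b"\r\n"
    b'<html><head><meta name="generator" content="WordPress 5.4"></head></html>'
)
# Session cookie names are chosen by the framework, not the application, so
# they still identify the stack when Server/X-Powered-By have been stripped.
COOKIE_HINTS = {
    "PHPSESSID": "PHP", "JSESSIONID": "Java servlet container",
    "ASP.NET_SessionId": "ASP.NET", "CFID": "ColdFusion",
    "laravel_session": "Laravel", "wordpress_test_cookie": "WordPress",
}
VERSION_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-generator")
PRODUCT_RE = re.compile(r"([A-Za-z][\w.-]*)/(\d+(?:\.\d+)+)")  # Product/1.2.3

def split_response(raw: bytes):
    """Return ([(header_name_lowercased, value), ...], body_text)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = []
    for line in head.decode("latin-1").split("\r\n")[1:]:  # skip status line
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers, body.decode("latin-1")

def fingerprint(raw: bytes) -> Dict[str, List[str]]:
    """Map evidence category -> unique findings, in order of appearance."""
    headers, body = split_response(raw)
    found: Dict[str, List[str]] = {}
    def add(category: str, evidence: str) -> None:
        if evidence not in found.setdefault(category, []):
            found[category].append(evidence)
    for name, value in headers:
        if name in VERSION_HEADERS:
            add("header", f"{name}: {value}")
            for product, version in PRODUCT_RE.findall(value):
                add("version", f"{product} {version}")  # what to look up for known CVEs
        elif name == "set-cookie":
            cookie = value.split("=", 1)[0].strip()
            if cookie in COOKIE_HINTS:
                add("cookie", f"{cookie} -> {COOKIE_HINTS[cookie]}")
    meta = re.search(r'<meta\s+name="generator"\s+content="([^"]+)"', body, re.I)
    if meta:
        add("generator", meta.group(1))
    return found
```

From the defender's side the same function run against your own server's responses tells you exactly which version strings you are advertising.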

Search for vulnerabilities of the web application version

Check if there is any WAF

Web tech tricks

Some tricks for finding vulnerabilities in different well known technologies being used:

Take into account that the same domain can be using different technologies on different ports, folders and subdomains.
If the web application is using any well known tech/platform listed before or any other, don't forget to search on the Internet for new tricks (and let me know!).

Source Code Review

If the source code of the application is available on github, apart from performing a White box test of the application yourself, there is some information that could be useful for the current Black-Box testing:

  • Is there a Change-log or Readme or Version file or anything with version info accessible via web?
  • How and where are the credentials saved? Is there any (accessible?) file with credentials (usernames or passwords)?
  • Are passwords in plain text, encrypted or which hashing algorithm is used?
  • Is it using any master key for encrypting something? Which algorithm is used?
  • Can you access any of these files by exploiting some vulnerability?
  • Is there any interesting information in the github (solved and not solved) issues? Or in the commit history (maybe a password introduced inside an old commit)?

Source code Review / SAST Tools

Automatic scanners

General purpose automatic scanners

```bash
nikto -h <URL>
whatweb -a 4 <URL>
wapiti -u <URL>
W3af
zaproxy #You can use an API
nuclei -ut && nuclei -target <URL>

# https://github.com/ignis-sec/puff (client side vulns fuzzer)
node puff.js -w ./wordlist-examples/xss.txt -u "http://www.xssgame.com/f/m4KKGHi2rVUN/?query=FUZZ"
```

CMS scanners

If a CMS is used don't forget to run a scanner, maybe something juicy is found:

Clusterd: JBoss, ColdFusion, WebLogic, Tomcat, Railo, Axis2, Glassfish
CMSScan: WordPress, Drupal, Joomla, vBulletin websites for security issues. (GUI)
VulnX: Joomla, Wordpress, Drupal, PrestaShop, Opencart
CMSMap: (W)ordpress, (J)oomla, (D)rupal or (M)oodle
droopscan: Drupal, Joomla, Moodle, Silverstripe, Wordpress

```bash
cmsmap [-f W] -F -d <URL>
wpscan --force update -e --url <URL>
joomscan --ec -u <URL>
joomlavs.rb #https://github.com/rastating/joomlavs
```

At this point you should already have some information about the web server being used by the client (if any data is given) and some tricks to keep in mind during the test. If you are lucky you have even found a CMS and run some scanner.

Step-by-step Web Application Discovery

From this point we are going to start interacting with the web application.

Initial checks

Default pages with interesting info:

  • /robots.txt
  • /sitemap.xml
  • /crossdomain.xml
  • /clientaccesspolicy.xml
  • /.well-known/
  • Check also comments in the main and secondary pages.

Force errors

Web servers may behave unexpectedly when weird data is sent to them. This may open vulnerabilities or disclose sensitive information.

  • Access fake pages like /whatever_fake.php (.aspx,.html,.etc)
  • Add "[]", "]]", and "[[" in cookie values and parameter values to create errors
  • Generate an error by giving input as /~randomthing/%s at the end of the URL
  • Try different HTTP Verbs like PATCH, DEBUG or wrong ones like FAKE

Check if you can upload files (PUT verb, WebDav)

If you find that WebDav is enabled but you don't have enough permissions for uploading files in the root folder, try to:

  • Brute Force credentials
  • Upload files via WebDav to the rest of the found folders inside the web page. You may have permissions to upload files in other folders.

SSL/TLS vulnerabilities

  • If the application isn't forcing the use of HTTPS in any part, then it's vulnerable to MitM
  • If the application is sending sensitive data (passwords) using HTTP, then it's a high vulnerability.

Use testssl.sh to check for vulnerabilities (in Bug Bounty programs these kinds of vulnerabilities probably won't be accepted) and use a2sv to recheck the vulnerabilities:

```bash
./testssl.sh [--htmlfile] 10.10.10.10:443
#Use --htmlfile to also save the output inside an html file

# You can also use other tools, but testssl.sh at this moment is the best one (I think)
sslscan <host:port>
sslyze --regular <ip:port>
```

Information about SSL/TLS vulnerabilities:

Spidering

Launch some kind of spider inside the web. The goal of the spider is to find as many paths as possible from the tested application. Therefore, web crawling and external sources should be used to find as many valid paths as possible.

  • gospider (go): HTML spider, LinkFinder in JS files and external sources (Archive.org, CommonCrawl.org, VirusTotal.com).
  • hakrawler (go): HTML spider, with LinkFinder for JS files and Archive.org as external source.
  • dirhunt (python): HTML spider, also indicates "juicy files".
  • evine (go): Interactive CLI HTML spider. It also searches in Archive.org
  • meg (go): This tool isn't a spider but it can be useful. You can just indicate a file with hosts and a file with paths and meg will fetch each path on each host and save the response.
  • urlgrab (go): HTML spider with JS rendering capabilities. However, it looks like it's unmaintained, the precompiled version is old and the current code doesn't compile.
  • gau (go): HTML spider that uses external providers (wayback, otx, commoncrawl)
  • ParamSpider: This script will find URLs with parameters and will list them.
  • galer (go): HTML spider with JS rendering capabilities.
  • LinkFinder (python): HTML spider, with JS beautify capabilities able to search new paths in JS files. It could be worth it also to take a look at JSScanner, which is a wrapper of LinkFinder.
  • goLinkFinder (go): Extracts endpoints from both HTML source and embedded javascript files. Useful for bug hunters, red teamers, infosec ninjas.
  • JSParser (python2.7): A python 2.7 script using Tornado and JSBeautifier to parse relative URLs from JavaScript files. Useful for easily discovering AJAX requests. Looks like unmaintained.
  • relative-url-extractor (ruby): Given a file (HTML) it will extract URLs from it using regular expressions to find and extract the relative URLs from minified files.
  • JSFScan (bash, several tools): Gather interesting information from JS files using several tools.
  • subjs (go): Find JS files.
  • page-fetch (go): Load a page in a headless browser and print out all the URLs loaded to render the page.
  • Feroxbuster (rust): Content discovery tool mixing several options of the previous tools
  • Javascript Parsing: A Burp extension to find paths and params in JS files.
  • BurpJSLinkFinder Enhanced: Burp extension (Jython) that passively analyses JavaScript responses (by MIME type and /js paths) to extract endpoints/links and optionally flag embedded secrets by severity.
  • Sourcemapper: A tool that, given the .js.map URL, will get you the beautified JS code.
  • xnLinkFinder: This is a tool used to discover endpoints for a given target.
  • waymore: Discover links from the wayback machine (also downloading the responses in the wayback and looking for more links)
  • HTTPLoot (go): Crawl (even by filling forms) and also find sensitive info using specific regexes.
  • SpiderSuite: Spider Suite is an advanced multi-feature GUI web security Crawler/Spider designed for cyber security professionals.
  • jsluice (go): It's a Go package and command-line tool for extracting URLs, paths, secrets, and other interesting data from JavaScript source code.
  • ParaForge: ParaForge is a simple Burp Suite extension to extract the parameters and endpoints from the request to create custom wordlists for fuzzing and enumeration.
  • katana (go): Awesome tool for this.
  • Crawley (go): Print every link it is able to find.
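Most of the JS-oriented tools above (LinkFinder, relative-url-extractor, goLinkFinder, jsluice) boil down to the same idea: pull quoted URL-like strings out of JavaScript and resolve the relative ones against the script's location. The following is an added example written for this page, not the code of any of those tools; the JavaScript snippet and the base URL are constructed.

```python
import re
from typing import List, Optional
from urllib.parse import urljoin

# Constructed JavaScript (not from any real site) with the reference styles
# these tools look for: absolute URLs, root-relative and relative paths,
# template literals, and one plain string that must NOT be reported.
SAMPLE_JS = r"""
var api = "/api/v2/users";
fetch('/api/v2/users/' + id + '/profile');
axios.get("https://cdn.example.test/assets/app.js");
$.ajax({url: "../admin/export.php?format=csv"});
const hidden = `/internal/debug`;
var s = "not a path: hello world";
"""

# Quoted string that looks like an endpoint; alternatives from most to least specific.
ENDPOINT_RE = re.compile(
    r"""["'`](
        (?:https?:)?//[^"'`\s]+                  # absolute or protocol-relative URL
      | /[A-Za-z0-9_./?=&%-]+                    # root-relative path
      | \.\.?/[A-Za-z0-9_./?=&%-]+               # ./ or ../ relative path
      | [A-Za-z0-9_-]+(?:/[A-Za-z0-9_-]+)*\.(?:php|asp|aspx|jsp|json|js|html?|xml)(?:\?[^"'`\s]*)?
    )["'`]""",
    re.VERBOSE,
)

def extract_endpoints(js: str, base_url: Optional[str] = None) -> List[str]:
    """Unique endpoint strings in order of first appearance.

    When base_url (the URL the script was served from) is given, relative
    references are resolved against it, so "../admin/x.php" becomes absolute.
    """
    seen, out = set(), []
    for match in ENDPOINT_RE.finditer(js):
        endpoint = match.group(1)
        if base_url:
            endpoint = urljoin(base_url, endpoint)
        if endpoint not in seen:
            seen.add(endpoint)
            out.append(endpoint)
    return out
```

Every path it returns is a candidate for the spidering/brute-force queue; the "hello world" string is deliberately not matched, which is the false-positive class such regexes have to avoid.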

Brute Force directories and files

Start brute-forcing from the root folder and be sure to brute-force all the directories found using this method and all the directories discovered by the Spidering (you can do this brute-forcing recursively and appending at the beginning of the used wordlist the names of the found directories).
Tools:

  • Dirb / Dirbuster - Included in Kali, old (and slow) but functional. Allows self-signed certificates and recursive search. Too slow compared with the other options.
  • Dirsearch (python): It doesn't allow self-signed certificates but allows recursive search.
  • Gobuster (go): It allows self-signed certificates, it doesn't have recursive search.
  • Feroxbuster - Fast, supports recursive search.
  • wfuzz: wfuzz -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt https://domain.com/api/FUZZ
  • ffuf - Fast: ffuf -c -w /usr/share/wordlists/dirb/big.txt -u http://10.10.10.10/FUZZ
  • uro (python): This isn't a spider but a tool that, given the list of found URLs, will delete "duplicated" URLs.
  • Scavenger: Burp Extension to create a list of directories from the burp history of different pages
  • TrashCompactor: Remove URLs with duplicated functionalities (based on js imports)
  • Chamaleon: It uses wapalyzer to detect used technologies and select the wordlists to use.

Recommended dictionaries:

Note that anytime a new directory is discovered during brute-forcing or spidering, it should be brute-forced.

What to check on each file found

Special findings

While performing the spidering and brute-forcing you may find interesting things that you have to notice.

Interesting files

403 Forbidden/Basic Authentication/401 Unauthorized (bypass)

403 & 401 Bypasses

502 Proxy Error

If any page responds with that code, it's probably a badly configured proxy. If you send an HTTP request like: GET https://google.com HTTP/1.1 (with the host header and other common headers), the proxy will try to access google.com and you will have found an SSRF.

NTLM Authentication - Info disclosure

If the running server asking for authentication is Windows or you find a login asking for your credentials (and asking for a domain name), you can provoke an information disclosure.
Send the header: "Authorization: NTLM TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA=" and, due to how NTLM authentication works, the server will respond with internal info (IIS version, Windows version...) inside the header "WWW-Authenticate".
You can automate this using the nmap plugin "http-ntlm-info.nse".
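To see exactly what leaks and why, this added example (not code from the page or from the nmap script) builds a constructed NTLM Type 2 CHALLENGE_MESSAGE like the one returned in WWW-Authenticate and then parses it the way http-ntlm-info does: the Version field carries the OS version in the clear, and the AV_PAIR target info carries the NetBIOS and DNS names of the host and domain. All names, the build number and the challenge bytes are made up for the example.

```python
import base64
import struct

# Flag bits from MS-NLMP (only the ones this example needs).
NEGOTIATE_UNICODE, REQUEST_TARGET, NEGOTIATE_NTLM = 0x1, 0x4, 0x200
TARGET_TYPE_DOMAIN, NEGOTIATE_TARGET_INFO, NEGOTIATE_VERSION = 0x10000, 0x800000, 0x2000000
AV_NAMES = {1: "NetBIOS computer name", 2: "NetBIOS domain name",
            3: "DNS computer name", 4: "DNS domain name", 5: "DNS tree name"}

def build_sample_challenge() -> bytes:
    """Constructed CHALLENGE_MESSAGE (Type 2); all names/versions are made up."""
    target_name = "CORP".encode("utf-16-le")
    av_pairs = b""
    for av_id, text in ((2, "CORP"), (1, "WEB01"), (4, "corp.example"),
                        (3, "web01.corp.example")):
        val = text.encode("utf-16-le")
        av_pairs += struct.pack("<HH", av_id, len(val)) + val
    av_pairs += struct.pack("<HH", 0, 0)  # MsvAvEOL terminator
    flags = (NEGOTIATE_UNICODE | REQUEST_TARGET | NEGOTIATE_NTLM
             | TARGET_TYPE_DOMAIN | NEGOTIATE_TARGET_INFO | NEGOTIATE_VERSION)
    fixed = 56  # bytes in the fixed header when the Version field is present
    msg = b"NTLMSSP\x00" + struct.pack("<I", 2)
    msg += struct.pack("<HHI", len(target_name), len(target_name), fixed)
    msg += struct.pack("<I", flags) + b"\x11" * 8 + b"\x00" * 8  # challenge, reserved
    msg += struct.pack("<HHI", len(av_pairs), len(av_pairs), fixed + len(target_name))
    msg += struct.pack("<BBH3xB", 10, 0, 17763, 15)  # Version: 10.0 build 17763, rev 15
    return msg + target_name + av_pairs

def sample_header() -> str:
    return "NTLM " + base64.b64encode(build_sample_challenge()).decode()

def parse_challenge(header_value: str) -> dict:
    """Decode a 'WWW-Authenticate: NTLM <b64>' value and list what it reveals."""
    scheme, _, b64 = header_value.strip().partition(" ")
    msg = base64.b64decode(b64)
    if scheme.upper() != "NTLM" or msg[:12] != b"NTLMSSP\x00\x02\x00\x00\x00":
        raise ValueError("not an NTLM Type 2 (challenge) message")
    tn_len, _, tn_off = struct.unpack_from("<HHI", msg, 12)
    flags = struct.unpack_from("<I", msg, 20)[0]
    ti_len, _, ti_off = struct.unpack_from("<HHI", msg, 40)
    info = {"target_name": msg[tn_off:tn_off + tn_len].decode("utf-16-le")}
    if flags & NEGOTIATE_VERSION:  # OS version travels in the clear
        major, minor, build, _rev = struct.unpack_from("<BBH3xB", msg, 48)
        info["os_version"] = f"{major}.{minor} build {build}"
    pos, end = ti_off, ti_off + ti_len
    while flags & NEGOTIATE_TARGET_INFO and pos + 4 <= end:
        av_id, av_len = struct.unpack_from("<HH", msg, pos)
        pos += 4
        if av_id == 0:  # MsvAvEOL
            break
        if av_id in AV_NAMES:
            info[AV_NAMES[av_id]] = msg[pos:pos + av_len].decode("utf-16-le")
        pos += av_len
    return info
```

Run parse_challenge on the WWW-Authenticate value of your own Internet-facing IIS hosts to confirm whether they disclose domain names and build numbers to unauthenticated clients.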

HTTP Redirect (CTF)

It is possible to put content inside a Redirection. This content won't be shown to the user (as the browser will execute the redirection) but something could be hidden in there.

Web Vulnerabilities Checking

Now that a comprehensive enumeration of the web application has been performed, it's time to check for a lot of possible vulnerabilities. You can find the checklist here:

Web Vulnerabilities Methodology

Find more info about web vulns in:

Monitor Pages for changes

You can use tools such as https://github.com/dgtlmoon/changedetection.io to monitor pages for modifications that might insert vulnerabilities.

HackTricks Automatic Commands

<details>
<summary>HackTricks Automatic Commands</summary>

```yaml
Protocol_Name: Web    #Protocol Abbreviation if there is one.
Port_Number: 80,443   #Comma separated if there is more than one.
Protocol_Description: Web    #Protocol Abbreviation Spelled out

Entry_1:
  Name: Notes
  Description: Notes for Web
  Note: |
    https://book.hacktricks.wiki/en/network-services-pentesting/pentesting-web/index.html

Entry_2:
  Name: Quick Web Scan
  Description: Nikto and GoBuster
  Command: nikto -host {Web_Proto}://{IP}:{Web_Port} &&&& gobuster dir -w {Small_Dirlist} -u {Web_Proto}://{IP}:{Web_Port} && gobuster dir -w {Big_Dirlist} -u {Web_Proto}://{IP}:{Web_Port}

Entry_3:
  Name: Nikto
  Description: Basic Site Info via Nikto
  Command: nikto -host {Web_Proto}://{IP}:{Web_Port}

Entry_4:
  Name: WhatWeb
  Description: General purpose auto scanner
  Command: whatweb -a 4 {IP}

Entry_5:
  Name: Directory Brute Force Non-Recursive
  Description: Non-Recursive Directory Brute Force
  Command: gobuster dir -w {Big_Dirlist} -u {Web_Proto}://{IP}:{Web_Port}

Entry_6:
  Name: Directory Brute Force Recursive
  Description: Recursive Directory Brute Force
  Command: python3 {Tool_Dir}dirsearch/dirsearch.py -w {Small_Dirlist} -e php,exe,sh,py,html,pl -f -t 20 -u {Web_Proto}://{IP}:{Web_Port} -r 10

Entry_7:
  Name: Directory Brute Force CGI
  Description: Common Gateway Interface Brute Force
  Command: gobuster dir -u {Web_Proto}://{IP}:{Web_Port}/ -w /usr/share/seclists/Discovery/Web-Content/CGIs.txt -s 200

Entry_8:
  Name: Nmap Web Vuln Scan
  Description: Tailored Nmap Scan for web Vulnerabilities
  Command: nmap -vv --reason -Pn -sV -p {Web_Port} --script=banner,(http* or ssl*) and not (brute or broadcast or dos or external or http-slowloris* or fuzzer) {IP}

Entry_9:
  Name: Drupal
  Description: Drupal Enumeration Notes
  Note: |
    git clone https://github.com/immunIT/drupwn.git for low hanging fruit and git clone https://github.com/droope/droopescan.git for deeper enumeration

Entry_10:
  Name: WordPress
  Description: WordPress Enumeration with WPScan
  Command: |
    ?What is the location of the wp-login.php? Example: /Yeet/cannon/wp-login.php
    wpscan --url {Web_Proto}://{IP}{1} --enumerate ap,at,cb,dbe && wpscan --url {Web_Proto}://{IP}{1} --enumerate u,tt,t,vp --passwords {Big_Passwordlist} -e

Entry_11:
  Name: WordPress Hydra Brute Force
  Description: Need User (admin is default)
  Command: hydra -l admin -P {Big_Passwordlist} {IP} -V http-form-post '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In&testcookie=1:S=Location'

Entry_12:
  Name: Ffuf Vhost
  Description: Simple Scan with Ffuf for discovering additional vhosts
  Command: ffuf -w {Subdomain_List}:FUZZ -u {Web_Proto}://{Domain_Name} -H "Host:FUZZ.{Domain_Name}" -c -mc all {Ffuf_Filters}
```

</details>

## References

- [https://github.com/panchocosil/burp-js-linkfinder-enhanced](https://github.com/panchocosil/burp-js-linkfinder-enhanced)
