Once obtained all the services that composes the application such as MySQL, APIs, different domains, etc. then:
Evidence :
Copy ffuf -ac -w /usr/share/wordlists/SecLists/Discovery/Web-Content/raft-medium-files-lowercase.txt -u https://<DOMAIN>/FUZZ -e .bak,.config,.old,.txt,.pdf,cgi -of md -o conf_files.md
Evidence :
Copy ffuf -ac -w /usr/share/wordlists/SecLists/Discovery/Web-Content/raft-medium-files-lowercase.txt -u https://<DOMAIN>/FUZZ -e .asa,.inc,.config,.zip,.tar,.gz,.tgz,.rar,.java,.pdf,.docx,.rtf,.xlsx,.pptx -of md -o conf_files.md
Check :
Copy ffuf -w < WORDLIS T > -e .bak,.backup,.old,.tmp,.swp,.bkp -of md -o backup_files.md -u https:// < DOMAI N > /FUZZ
Copy ffuf -ac -w /usr/share/wordlists/backup_files_with_path.txt -u https:// < DOMAI N > /FUZZ
ffuf -ac -w /usr/share/wordlists/backup_files_only.txt -u https:// < DOMAI N > /FUZZ
Evidence :
Identify hidden administrator interfaces, functionality, cookies, etc.
List of default web page:
Copy # WebSphere
admin
admin-authz.xml
admin.conf
admin.passwd
admin/
admin/logon.jsp
admin/secure/logon.jsp
administration
# PHP
phpinfo
phpmyadmin/
phpMyAdmin/
mysqladmin/
MySQLadmin
MySQLAdmin
login.php
logon.php
xmlrpc.php
dbadmin
# FrontPage
admin.dll
admin.exe
administrators.pwd
author.dll
author.exe
author.log
authors.pwd
cgi-bin
# WebLogic
AdminCaptureRootCA
AdminClients
AdminConnections
AdminEvents
AdminJDBC
AdminLicense
AdminMain
AdminProps
AdminRealm
AdminThreads
# WordPress
wp-admin/
wp-admin/about.php
wp-admin/admin-ajax.php
wp-admin/admin-db.php
wp-admin/admin-footer.php
wp-admin/admin-functions.php
wp-admin/admin-header.php
Evidence :
Copy curl -sq -X OPTIONS Â -I <URL> -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.6613.120 Safari/537.36" | grep -i "allow"
Copy CONNECT < OASTIF Y > :80 HTTP/1.1
Host: < DOMAI N > :443
Copy echo '<html><body><h1>RTG</h1></body></html>' > /tmp/test.html
curl -sq -D - -X PUT -T /tmp/test.html https:// < DOMAI N > / -H "Content-Type: text/html" | head -n 1
â
curl -sq -D - https:// < DOMAI N > /test.html | head -n 1
Copy curl -sq -D - -X DELETE < URL_IMAG E > | head -n 1
Evidence :
Copy curl -sq -D- < UR L > | grep -i "Strict-Transport-Security:" --color
Evidence :
Copy curl -D- -sq https:// < UR L > /crossdomain.xml -b "<COOKIE>" ; echo
curl -D- -sq https:// < UR L > /clientaccesspolicy.xml -b "<COOKIE>" ; echo
Evidence :
Evidence :
A subdomain of the company is pointing to a third-party service with a name not registered . If you can create an account in this third party service and register the name being in use, you can perform the subdomain takeover.
Go to Burp's sitemap, select all the domains that has been found using the app, right click "Copy select URLs" and saved them into a file
Then perform an HTTP request to all the domains looking for a domain that returns a 404.
Copy cat burp_urls.txt | awk -F/ '{print $1"//"$3}' | sort -u > domains_url.txt
meg -d 10 -c 200 / domains_url.txt requests
grep -iRl 404 requests/ | awk -F/ '{print $2}' > domains_to_be_checked.txt
Check if the domain exists or not (look for the URL on burp), and if it can be registered by a malicious attacker.
Evidence :
Evidence :