80,443 - Pentesting Web metodologija

Tip

Učite i vežbajte AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Učite i vežbajte GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE) Učite i vežbajte Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Podržite HackTricks

Osnovne informacije

Web servis je najčešći i najopsežniji servis i postoji mnogo različitih tipova ranjivosti.

Podrazumevani port: 80 (HTTP), 443 (HTTPS)

PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  ssl/https

nc -v domain.com 80 # GET / HTTP/1.0
openssl s_client -connect domain.com:443 # GET / HTTP/1.0

Web API Smernice

Web API Pentesting

Sažetak metodologije

U ovoj metodologiji pretpostavljamo da ćeš napadati jedan domen (ili subdomen) i samo njega. Dakle, primeni ovu metodologiju na svaki otkriveni domen, subdomen ili IP sa neodređenim web serverom koji je unutar opsega.

  • Start by identifying the technologies used by the web server. Look for tricks to keep in mind during the rest of the test if you can successfully identify the tech.
  • Any known vulnerability of the version of the technology?
  • Using any well known tech? Any useful trick to extract more information?
  • Any specialised scanner to run (like wpscan)?
  • Launch general purposes scanners. You never know if they are going to find something or if the are going to find some interesting information.
  • Start with the initial checks: robots, sitemap, 404 error and SSL/TLS scan (if HTTPS).
  • Start spidering the web page: It’s time to find all the possible files, folders and parameters being used. Also, check for special findings.
  • Note that anytime a new directory is discovered during brute-forcing or spidering, it should be spidered.
  • Directory Brute-Forcing: Try to brute force all the discovered folders searching for new files and directories.
  • Note that anytime a new directory is discovered during brute-forcing or spidering, it should be Brute-Forced.
  • Backups checking: Test if you can find backups of discovered files appending common backup extensions.
  • Brute-Force parameters: Try to find hidden parameters.
  • Once you have identified all the possible endpoints accepting user input, check for all kind of vulnerabilities related to it.
  • Sledi ovu kontrolnu listu

Server Version (Vulnerable?)

Identifikacija

Proveri da li postoje poznate ranjivosti za verziju servera koja je u upotrebi.
HTTP headers and cookies of the response mogu biti veoma korisni za identifikaciju tehnologija i/ili verzije koja se koristi. Nmap scan može identifikovati verziju servera, ali korisni mogu biti i alati whatweb, webtech or https://builtwith.com/:

whatweb -a 1 <URL> #Stealthy
whatweb -a 3 <URL> #Aggresive
webtech -u <URL>
webanalyze -host https://google.com -crawl 2

Pretraži for vulnerabilities of the web application version

Proveri da li postoji WAF

Trikovi za web tehnologije

Neki trikovi za pronalaženje ranjivosti u različitim dobro poznatim tehnologijama koje se koriste:

Uzmite u obzir da isti domen može koristiti različite tehnologije na različitim ports, folders i subdomains.
Ako web aplikacija koristi neku dobro poznatu tech/platform listed before ili bilo koju drugu, ne zaboravite da search on the Internet za nove trikove (i obavestite me!).

Pregled izvornog koda

Ako je izvorni kod aplikacije dostupan na github, osim što obavite sopstveni White box test aplikacije, postoji neka informacija koja bi mogla biti korisna za trenutni Black-Box testing:

  • Da li postoji Change-log or Readme or Version fajl ili bilo šta sa version info accessible putem weba?
  • Kako i gde su sačuvani credentials? Da li postoji neki (accessible?) file sa credentials (usernames or passwords)?
  • Da li su passwords u plain text, encrypted ili koji hashing algorithm se koristi?
  • Da li se koristi neki master key za enkripciju nečega? Koji algorithm se koristi?
  • Možete li access any of these files iskorištavanjem neke ranjivosti?
  • Ima li neke interesting information in the github (solved and not solved) issues? Ili u commit history (možda je neka password introduced inside an old commit)?

Source code Review / SAST Tools

Automatski skeneri

Automatski skeneri opšte namene

nikto -h <URL>
whatweb -a 4 <URL>
wapiti -u <URL>
W3af
zaproxy #You can use an API
nuclei -ut && nuclei -target <URL>

# https://github.com/ignis-sec/puff (client side vulns fuzzer)
node puff.js -w ./wordlist-examples/xss.txt -u "http://www.xssgame.com/f/m4KKGHi2rVUN/?query=FUZZ"

CMS scanners

Ako se koristi CMS, ne zaboravite da run a scanner, možda se pronađe nešto vredno:

Clusterd: JBoss, ColdFusion, WebLogic, Tomcat, Railo, Axis2, Glassfish
CMSScan: WordPress, Drupal, Joomla, vBulletin websites for Security issues. (GUI)
VulnX: Joomla, Wordpress, Drupal, PrestaShop, Opencart
CMSMap: (W)ordpress, (J)oomla, (D)rupal or (M)oodle
droopscan: Drupal, Joomla, Moodle, Silverstripe, Wordpress

cmsmap [-f W] -F -d <URL>
wpscan --force update -e --url <URL>
joomscan --ec -u <URL>
joomlavs.rb #https://github.com/rastating/joomlavs

U ovom trenutku biste već trebalo da imate neke informacije o web serveru koji koristi klijent (ako su podaci dati) i neke trikove koje treba imati na umu tokom testa. Ako imate sreće, možda ste čak pronašli CMS i pokrenuli neki skener.

Korak-po-korak otkrivanje web aplikacije

Od ovog trenutka počinjemo da komuniciramo sa web aplikacijom.

Početne provere

Podrazumevane stranice sa zanimljivim informacijama:

  • /robots.txt
  • /sitemap.xml
  • /crossdomain.xml
  • /clientaccesspolicy.xml
  • /.well-known/
  • Proverite i komentare na glavnim i sekundarnim stranicama.

Izazivanje grešaka

Web serveri se mogu ponašati neočekivano kada im se pošalju neobični podaci. Ovo može otvoriti ranjivosti ili dovesti do otkrivanja osetljivih informacija.

  • Pristupite lažnim stranicama kao što su /whatever_fake.php (.aspx,.html,.etc)
  • Dodajte “[]”, “]]”, i “[[” u cookie values i parameter values da izazovete greške
  • Generišite grešku tako što ćete dati unos kao /~randomthing/%s na kraju URL-a
  • Isprobajte različite HTTP Verbs kao što su PATCH, DEBUG ili pogrešne kao FAKE

Proverite da li možete otpremiti fajlove (PUT verb, WebDav)

Ako otkrijete da je WebDav omogućen, ali nemate dovoljno dozvola za otpremanje fajlova u root folder, pokušajte da:

  • Brute Force credentials
  • Pokušajte da otpremite fajlove preko WebDav-a u ostale pronađene foldere unutar web stranice. Možda imate dozvole za otpremanje fajlova u drugim folderima.

SSL/TLS ranjivosti

  • Ako aplikacija ne forsira korišćenje HTTPS-a ni u jednom delu, onda je ranjiva na MitM
  • Ako aplikacija šalje osetljive podatke (lozinke) koristeći HTTP — to predstavlja ozbiljnu ranjivost.

Koristite testssl.sh za proveru ranjivosti (u Bug Bounty programima verovatno ovakve vrste ranjivosti neće biti prihvaćene) i koristite a2sv za ponovnu proveru ranjivosti:

./testssl.sh [--htmlfile] 10.10.10.10:443
#Use the --htmlfile to save the output inside an htmlfile also

# You can also use other tools, by testssl.sh at this momment is the best one (I think)
sslscan <host:port>
sslyze --regular <ip:port>

Informacije o SSL/TLS ranjivostima:

Spidering

Pokrenite neku vrstu spider unutar web-a. Cilj spidera je da pronađe što više putanja iz testirane aplikacije. Zbog toga treba koristiti web crawling i eksterne izvore da bi se pronašlo što više validnih putanja.

  • gospider (go): HTML spider, LinkFinder in JS files and external sources (Archive.org, CommonCrawl.org, VirusTotal.com).
  • hakrawler (go): HML spider, with LinkFider for JS files and Archive.org as external source.
  • dirhunt (python): HTML spider, also indicates “juicy files”.
  • evine (go): Interactive CLI HTML spider. It also searches in Archive.org
  • meg (go): This tool isn’t a spider but it can be useful. You can just indicate a file with hosts and a file with paths and meg will fetch each path on each host and save the response.
  • urlgrab (go): HTML spider with JS rendering capabilities. However, it looks like it’s unmaintained, the precompiled version is old and the current code doesn’t compile
  • gau (go): HTML spider that uses external providers (wayback, otx, commoncrawl)
  • ParamSpider: This script will find URLs with parameter and will list them.
  • galer (go): HTML spider with JS rendering capabilities.
  • LinkFinder (python): HTML spider, with JS beautify capabilities capable of search new paths in JS files. It could be worth it also take a look to JSScanner, which is a wrapper of LinkFinder.
  • goLinkFinder (go): To extract endpoints in both HTML source and embedded javascript files. Useful for bug hunters, red teamers, infosec ninjas.
  • JSParser (python2.7): A python 2.7 script using Tornado and JSBeautifier to parse relative URLs from JavaScript files. Useful for easily discovering AJAX requests. Looks like unmaintained.
  • relative-url-extractor (ruby): Given a file (HTML) it will extract URLs from it using nifty regular expression to find and extract the relative URLs from ugly (minify) files.
  • JSFScan (bash, several tools): Gather interesting information from JS files using several tools.
  • subjs (go): Find JS files.
  • page-fetch (go): Load a page in a headless browser and print out all the urls loaded to load the page.
  • Feroxbuster (rust): Content discovery tool mixing several options of the previous tools
  • Javascript Parsing: A Burp extension to find path and params in JS files.
  • Sourcemapper: A tool that given the .js.map URL will get you the beatified JS code
  • xnLinkFinder: This is a tool used to discover endpoints for a given target.
  • waymore: Discover links from the wayback machine (also downloading the responses in the wayback and looking for more links)
  • HTTPLoot (go): Crawl (even by filling forms) and also find sensitive info using specific regexes.
  • SpiderSuite: Spider Suite is an advance multi-feature GUI web security Crawler/Spider designed for cyber security professionals.
  • jsluice (go): It’s a Go package and command-line tool for extracting URLs, paths, secrets, and other interesting data from JavaScript source code.
  • ParaForge: ParaForge is a simple Burp Suite extension to extract the paramters and endpoints from the request to create custom wordlist for fuzzing and enumeration.
  • katana (go): Awesome tool for this.
  • Crawley (go): Print every link it’s able to find.

Brute Force directories and files

Počnite sa brute-forcing iz root foldera i budite sigurni da brute-forcujete sve direktorijume koje nađete koristeći ovu metodu i sve direktorijume otkrivene pomoću Spidering (možete raditi brute-forcing rekurzivno i dodavati na početak korišćenog wordlist-a nazive pronađenih direktorijuma).
Alati:

  • Dirb / Dirbuster - Included in Kali, old (and slow) but functional. Allow auto-signed certificates and recursive search. Too slow compared with th other options.
  • Dirsearch (python): It doesn’t allow auto-signed certificates but allows recursive search.
  • Gobuster (go): It allows auto-signed certificates, it doesn’t have recursive search.
  • Feroxbuster - Fast, supports recursive search.
  • wfuzz wfuzz -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt https://domain.com/api/FUZZ
  • ffuf - Fast: ffuf -c -w /usr/share/wordlists/dirb/big.txt -u http://10.10.10.10/FUZZ
  • uro (python): This isn’t a spider but a tool that given the list of found URLs will to delete “duplicated” URLs.
  • Scavenger: Burp Extension to create a list of directories from the burp history of different pages
  • TrashCompactor: Remove URLs with duplicated functionalities (based on js imports)
  • Chamaleon: It uses wapalyzer to detect used technologies and select the wordlists to use.

Preporučeni wordlist-i:

Napomena: kad god se otkrije novi direktorijum tokom brute-forcing-a ili spideringa, treba ga brute-forcovati.

What to check on each file found

  • Broken link checker: Find broken links inside HTMLs that may be prone to takeovers
  • File Backups: Kada pronađete sve fajlove, tražite backup-ove izvršnih fajlova (“.php”, “.aspx”…). Uobičajene varijacije za imenovanje backupa su: file.ext~, #file.ext#, ~file.ext, file.ext.bak, file.ext.tmp, file.ext.old, file.bak, file.tmp and file.old. Možete koristiti i alat bfac ili backup-gen.
  • Discover new parameters: Možete koristiti alate kao što su Arjun, parameth, x8 i Param Miner za otkrivanje skrivenih parametara. Ako možete, pokušajte da tražite skrivene parametre u svakom izvršnom web fajlu.
  • Arjun all default wordlists: https://github.com/s0md3v/Arjun/tree/master/arjun/db
  • Param-miner “params” : https://github.com/PortSwigger/param-miner/blob/master/resources/params
  • Assetnote “parameters_top_1m”: https://wordlists.assetnote.io/
  • nullenc0de “params.txt”: https://gist.github.com/nullenc0de/9cb36260207924f8e1787279a05eb773
  • Comments: Proverite komentare svih fajlova, možete pronaći credentials ili skrivenu funkcionalnost.
  • Ako igrate CTF, česta fora je da se informacije sakriju unutar komentara sa desne strane stranice (korišćenjem stotina razmaka tako da ne vidite podatke ako otvorite source code u browseru). Druga mogućnost je korišćenje više novih redova i skrivanje informacija u komentaru na dnu web stranice.
  • API keys: Ako pronađete bilo koji API key postoji vodič koji pokazuje kako koristiti API keys na različitim platformama: keyhacks, zile, truffleHog, SecretFinder, RegHex, DumpsterDive, EarlyBird
  • Google API keys: Ako nađete bilo koji API key koji izgleda kao AIzaSyA-qLheq6xjDiEIRisP_ujUseYLQCHUjik možete koristiti projekat gmapapiscanner da proverite koje API-je ključ može pristupiti.
  • S3 Buckets: Tokom spideringa proverite da li je neki subdomain ili neki link povezan sa nekim S3 bucket-om. U tom slučaju, proverite dozvole bucket-a.

Special findings

Tokom spideringa i brute-forcing-a možete pronaći interesantne stvari koje treba zabeležiti.

Interesting files

403 Forbidden/Basic Authentication/401 Unauthorized (bypass)

403 & 401 Bypasses

502 Proxy Error

Ako neka stranica odgovori tim kodom, verovatno je loše konfigurisani proxy. Ako pošaljete HTTP zahtev kao: GET https://google.com HTTP/1.1 (sa Host header-om i ostalim uobičajenim header-ima), proxy će pokušati da pristupi google.com i time ste verovatno našli SSRF.

NTLM Authentication - Info disclosure

Ako server koji traži autentikaciju radi na Windows ili nađete login koji traži vaše credentials (i traži domain name), možete izazvati otkrivanje informacija.
Pošaljite header: “Authorization: NTLM TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA=” i zbog načina na koji NTLM authentication funkcioniše, server će odgovoriti internim informacijama (IIS verzija, Windows verzija…) unutar header-a “WWW-Authenticate”.
Možete to automatizovati koristeći nmap pluginhttp-ntlm-info.nse”.

HTTP Redirect (CTF)

Moguće je staviti sadržaj unutar Redirection. Ovaj sadržaj se neće prikazati korisniku (jer će browser izvršiti redirekciju) ali nešto može biti sakriveno tamo.

Web Vulnerabilities Checking

Sada kada je sprovedena sveobuhvatna enumeracija web aplikacije, vreme je da se proveri veliki broj mogućih ranjivosti. Checklistu možete naći ovde:

Web Vulnerabilities Methodology

Više informacija o web vulns:

Monitor Pages for changes

Možete koristiti alate kao što je https://github.com/dgtlmoon/changedetection.io za praćenje stranica radi izmena koje mogu ubaciti ranjivosti.

HackTricks Automatic Commands

HackTricks Automatic Commands ```yaml Protocol_Name: Web #Protocol Abbreviation if there is one. Port_Number: 80,443 #Comma separated if there is more than one. Protocol_Description: Web #Protocol Abbreviation Spelled out

Entry_1: Name: Notes Description: Notes for Web Note: | https://book.hacktricks.wiki/en/network-services-pentesting/pentesting-web/index.html

Entry_2: Name: Quick Web Scan Description: Nikto and GoBuster Command: nikto -host {Web_Proto}://{IP}:{Web_Port} &&&& gobuster dir -w {Small_Dirlist} -u {Web_Proto}://{IP}:{Web_Port} && gobuster dir -w {Big_Dirlist} -u {Web_Proto}://{IP}:{Web_Port}

Entry_3: Name: Nikto Description: Basic Site Info via Nikto Command: nikto -host {Web_Proto}://{IP}:{Web_Port}

Entry_4: Name: WhatWeb Description: General purpose auto scanner Command: whatweb -a 4 {IP}

Entry_5: Name: Directory Brute Force Non-Recursive Description: Non-Recursive Directory Brute Force Command: gobuster dir -w {Big_Dirlist} -u {Web_Proto}://{IP}:{Web_Port}

Entry_6: Name: Directory Brute Force Recursive Description: Recursive Directory Brute Force Command: python3 {Tool_Dir}dirsearch/dirsearch.py -w {Small_Dirlist} -e php,exe,sh,py,html,pl -f -t 20 -u {Web_Proto}://{IP}:{Web_Port} -r 10

Entry_7: Name: Directory Brute Force CGI Description: Common Gateway Interface Brute Force Command: gobuster dir -u {Web_Proto}://{IP}:{Web_Port}/ -w /usr/share/seclists/Discovery/Web-Content/CGIs.txt -s 200

Entry_8: Name: Nmap Web Vuln Scan Description: Tailored Nmap Scan for web Vulnerabilities Command: nmap -vv –reason -Pn -sV -p {Web_Port} –script=banner,(http* or ssl*) and not (brute or broadcast or dos or external or http-slowloris* or fuzzer) {IP}

Entry_9: Name: Drupal Description: Drupal Enumeration Notes Note: | git clone https://github.com/immunIT/drupwn.git for low hanging fruit and git clone https://github.com/droope/droopescan.git for deeper enumeration

Entry_10: Name: WordPress Description: WordPress Enumeration with WPScan Command: | ?What is the location of the wp-login.php? Example: /Yeet/cannon/wp-login.php wpscan –url {Web_Proto}://{IP}{1} –enumerate ap,at,cb,dbe && wpscan –url {Web_Proto}://{IP}{1} –enumerate u,tt,t,vp –passwords {Big_Passwordlist} -e

Entry_11: Name: WordPress Hydra Brute Force Description: Need User (admin is default) Command: hydra -l admin -P {Big_Passwordlist} {IP} -V http-form-post ‘/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In&testcookie=1:S=Location’

Entry_12: Name: Ffuf Vhost Description: Simple Scan with Ffuf for discovering additional vhosts Command: ffuf -w {Subdomain_List}:FUZZ -u {Web_Proto}://{Domain_Name} -H “Host:FUZZ.{Domain_Name}” -c -mc all {Ffuf_Filters}

</details>

> [!TIP]
> Učite i vežbajte AWS Hacking:<img src="../../../../../images/arte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../../../images/arte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">\
> Učite i vežbajte GCP Hacking: <img src="../../../../../images/grte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">[**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)<img src="../../../../../images/grte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">
> Učite i vežbajte Azure Hacking: <img src="../../../../../images/azrte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">[**HackTricks Training Azure Red Team Expert (AzRTE)**](https://training.hacktricks.xyz/courses/azrte)<img src="../../../../../images/azrte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">
>
> <details>
>
> <summary>Podržite HackTricks</summary>
>
> - Proverite [**planove pretplate**](https://github.com/sponsors/carlospolop)!
> - **Pridružite se** 💬 [**Discord grupi**](https://discord.gg/hRep4RUj7f) ili [**telegram grupi**](https://t.me/peass) ili **pratite** nas na **Twitteru** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
> - **Podelite hakerske trikove slanjem PR-ova na** [**HackTricks**](https://github.com/carlospolop/hacktricks) i [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repozitorijume.
>
> </details>