80,443 - Pentesting Web Methodology


Basic Information

The web service is the most common and extensive service, and many different types of vulnerabilities exist in it.

Default ports: 80 (HTTP), 443 (HTTPS)

```bash
PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  ssl/https
```
```bash
nc -v domain.com 80 # GET / HTTP/1.0
openssl s_client -connect domain.com:443 # GET / HTTP/1.0
```

Web API Guidance

Web API Pentesting

Methodology summary

In this methodology we assume that you are going to attack a single domain (or subdomain) and only that one. So this methodology should be applied to each discovered domain, subdomain or IP with an undetermined web server inside the scope.

  • Start by identifying the technologies used by the web server. Look for tricks to keep in mind during the rest of the test if you can successfully identify the technology.
  • Are there any known vulnerabilities for the version of that technology?
  • Is a well-known technology in use? Is there any useful trick to extract more information?
  • Is there any specialised scanner to run (e.g. wpscan)?
  • Launch general-purpose scanners. You never know whether they will find something or disclose interesting information.
  • Start with the initial checks: robots, sitemap, 404 error and SSL/TLS scan (if HTTPS).
  • Start spidering the web page: it's time to find all possible files, folders and parameters being used. Also check for special findings.
  • Note: whenever a new directory is discovered during brute-forcing or spidering, it should be spidered.
  • Directory Brute-Forcing: try to brute-force all the discovered folders looking for new files and directories.
  • Note: whenever a new directory is discovered during brute-forcing or spidering, it should be brute-forced.
  • Backups checking: test whether you can find backups of the discovered files by appending common backup extensions.
  • Brute-force parameters: try to find hidden parameters.
  • Once you have identified all the possible endpoints accepting user input, check for all kinds of vulnerabilities related to them.
  • Follow this checklist

Server version (Vulnerable?)

Identification

Check if there are known vulnerabilities for the server version that is running.
The HTTP headers and cookies of the response can be very useful to identify the technologies and/or version in use. An Nmap scan can identify the server version, but the tools whatweb, webtech or https://builtwith.com/ can also be useful:

```bash
whatweb -a 1 <URL> #Stealthy
whatweb -a 3 <URL> #Aggressive
webtech -u <URL>
webanalyze -host https://google.com -crawl 2
```

Search for vulnerabilities of the web application version

Check if there is a WAF

Web tech tricks

Some tricks for finding vulnerabilities in different well-known technologies in use:

Take into account that the same domain can use different technologies on different ports, folders and subdomains.
If the web application uses any well-known tech/platform listed above or any other, don't forget to search the Internet for new tricks (and let me know!).

Source code review

If the source code of the application is available on github, apart from performing your own White box test of the application, there is some information that could be useful for the current Black-Box testing:

  • Is there a Change-log, Readme or Version file, or anything with version info accessible via the web?
  • How and where are the credentials saved? Is there any (accessible?) file with credentials (usernames or passwords)?
  • Are the passwords in plain text, encrypted, or which hashing algorithm is used?
  • Is it using any master key to encrypt something? Which algorithm is used?
  • Can you access any of these files by exploiting some vulnerability?
  • Is there any interesting information in the github issues (solved and not solved)? Or in the commit history (maybe some password was introduced inside an old commit)?

Source code Review / SAST Tools

Automatic scanners

General purpose automatic scanners

```bash
nikto -h <URL>
whatweb -a 4 <URL>
wapiti -u <URL>
W3af
zaproxy #You can use an API
nuclei -ut && nuclei -target <URL>

# https://github.com/ignis-sec/puff (client side vulns fuzzer)
node puff.js -w ./wordlist-examples/xss.txt -u "http://www.xssgame.com/f/m4KKGHi2rVUN/?query=FUZZ"
```

CMS scanners

If a CMS is used, don't forget to run a scanner, maybe something juicy is found:

  • Clusterd: JBoss, ColdFusion, WebLogic, Tomcat, Railo, Axis2, Glassfish
  • CMSScan: WordPress, Drupal, Joomla, vBulletin websites for security issues. (GUI)
  • VulnX: Joomla, Wordpress, Drupal, PrestaShop, Opencart
  • CMSMap: (W)ordpress, (J)oomla, (D)rupal or (M)oodle
  • droopscan: Drupal, Joomla, Moodle, Silverstripe, Wordpress

```bash
cmsmap [-f W] -F -d <URL>
wpscan --force update -e --url <URL>
joomscan --ec -u <URL>
joomlavs.rb #https://github.com/rastating/joomlavs
```

At this point you should already have some information about the web server used by the client (if any data was given) and some tricks to keep in mind during the test. If you are lucky, you may even have found a CMS and run some scanner.

Step-by-step Web Application Discovery

From this point we are going to start interacting with the web application.

Initial checks

Default pages with interesting info:

  • /robots.txt
  • /sitemap.xml
  • /crossdomain.xml
  • /clientaccesspolicy.xml
  • /.well-known/
  • Check also comments in the main and secondary pages.

Forcing errors

Web servers may behave unexpectedly when weird data is sent to them. This may open vulnerabilities or disclose sensitive information.

  • Access fake pages like /whatever_fake.php (.aspx,.html,.etc)
  • Add "[]", "]]", and "[[" in cookie values and parameter values to create errors
  • Generate error by giving input as /~randomthing/%s at the end of URL
  • Try different HTTP Verbs like PATCH, DEBUG or wrong like FAKE

Check if you can upload files (PUT verb, WebDav)

If you find that WebDav is enabled but you don't have enough permissions for uploading files in the root folder try to:

  • Brute Force credentials
  • Upload files via WebDav to the rest of found folders inside the web page. You may have permissions to upload files in other folders.

SSL/TLS vulnerabilities

  • If the application isn't forcing the use of HTTPS in any part, then it's vulnerable to MitM.
  • If the application is sending sensitive data (passwords) over HTTP, then it's a high-severity vulnerability.

Use testssl.sh to check for vulnerabilities (in Bug Bounty programs these kinds of vulnerabilities probably won't be accepted) and use a2sv to recheck the vulnerabilities:

```bash
./testssl.sh [--htmlfile] 10.10.10.10:443
#Use the --htmlfile to save the output inside an htmlfile also

# You can also use other tools, but testssl.sh at this moment is the best one (I think)
sslscan <host:port>
sslyze --regular <ip:port>
```

Information about SSL/TLS vulnerabilities:
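The two bullet points above (no forced HTTPS, sensitive data over HTTP) are things you can assess from just two responses: what the site returns on plain http://, and the headers it sends on https://. The following is an added example in Python, not code from HackTricks or any of the tools listed on this page; it is a pure function over already-captured status codes and headers (so it runs offline) and the sample responses it checks are constructed, not taken from any real host. The function name assess_https_enforcement and the one-year HSTS threshold are this example's own choices.

```python
import re
from urllib.parse import urlsplit

# Assumed input shape (this example's convention): the status code and headers
# of the response to a plain http:// request, and the headers of the response to
# the https:// request. Header names are matched case-insensitively; Set-Cookie
# may be given as a list because it can appear more than once.
ONE_YEAR = 31536000  # recommended minimum HSTS max-age, in seconds


def _lower(headers):
    return {k.lower(): v for k, v in headers.items()}


def assess_https_enforcement(http_status, http_headers, https_headers):
    """Return a list of findings; an empty list means HTTPS is enforced as expected."""
    findings = []
    h = _lower(http_headers)
    s = _lower(https_headers)

    # 1. Plain HTTP must redirect to the HTTPS origin, ideally with a permanent status.
    location = h.get("location", "")
    if http_status in (301, 302, 307, 308) and urlsplit(location).scheme == "https":
        if http_status in (302, 307):
            findings.append(f"HTTP->HTTPS redirect uses temporary status {http_status}; prefer 301 or 308")
    else:
        findings.append("plain HTTP is served without redirecting to HTTPS (MitM exposure)")

    # 2. HSTS stops browsers from ever retrying over HTTP once they have seen the site.
    hsts = s.get("strict-transport-security", "")
    m = re.search(r"max-age=(\d+)", hsts)
    if not m:
        findings.append("no Strict-Transport-Security header on the HTTPS response")
    elif int(m.group(1)) < ONE_YEAR:
        findings.append(f"HSTS max-age={m.group(1)} is shorter than one year")

    # 3. Cookies set over HTTPS must carry Secure, or a browser will also send them over HTTP.
    cookies = s.get("set-cookie", [])
    if isinstance(cookies, str):
        cookies = [cookies]
    for cookie in cookies:
        attrs = [part.strip().lower() for part in cookie.split(";")[1:]]
        if "secure" not in attrs:
            findings.append(f"cookie {cookie.split('=')[0]} is set without the Secure attribute")
    return findings


# Constructed sample responses (not captured from any real host).
WEAK_HTTP = (200, {"Content-Type": "text/html"})
WEAK_HTTPS = {"Set-Cookie": ["session=abc123; Path=/; HttpOnly"]}
HARDENED_HTTP = (301, {"Location": "https://example.test/"})
HARDENED_HTTPS = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "Set-Cookie": ["session=abc123; Path=/; Secure; HttpOnly"],
}

if __name__ == "__main__":
    for label, http, https in (("weak", WEAK_HTTP, WEAK_HTTPS), ("hardened", HARDENED_HTTP, HARDENED_HTTPS)):
        print(label, assess_https_enforcement(http[0], http[1], https) or ["ok"])
```

The weak sample produces three findings (no redirect, no HSTS, cookie without Secure); the hardened sample produces none. Feed it the real status and headers from your own client of choice once you have captured them.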

Spidering

Launch some kind of spider inside the web. The goal of the spider is to find as many paths as possible from the tested application. Therefore, web crawling and external sources should be used to find as many valid paths as possible.

  • gospider (go): HTML spider, LinkFinder in JS files and external sources (Archive.org, CommonCrawl.org, VirusTotal.com).
  • hakrawler (go): HTML spider, with LinkFinder for JS files and Archive.org as external source.
  • dirhunt (python): HTML spider, also indicates "juicy files".
  • evine (go): Interactive CLI HTML spider. It also searches Archive.org.
  • meg (go): This tool isn't a spider but it can be useful. You can indicate a file with hosts and a file with paths, and meg will fetch each path on each host and save the response.
  • urlgrab (go): HTML spider with JS rendering capabilities. However, it looks unmaintained, the precompiled version is old and the current code doesn't compile.
  • gau (go): HTML spider that uses external providers (wayback, otx, commoncrawl).
  • ParamSpider: A script that will find URLs with parameters and list them.
  • galer (go): HTML spider with JS rendering capabilities.
  • LinkFinder (python): HTML spider with JS beautify capabilities, able to search for new paths in JS files. It could also be worth taking a look at JSScanner, which is a wrapper around LinkFinder.
  • goLinkFinder (go): To extract endpoints from both the HTML source and embedded JavaScript files. Useful for bug hunters, red teamers, infosec ninjas.
  • JSParser (python2.7): A Python 2.7 script using Tornado and JSBeautifier to parse relative URLs from JavaScript files. Useful for easily discovering AJAX requests. Looks unmaintained.
  • relative-url-extractor (ruby): Given a file (HTML) it will extract URLs from it using nifty regular expressions to find and extract the relative URLs from "ugly" (minified) files.
  • JSFScan (bash, several tools): Gathers interesting information from JS files using several tools.
  • subjs (go): Finds JS files.
  • page-fetch (go): Loads a page in a headless browser and prints out all the URLs loaded to render the page.
  • Feroxbuster (rust): Content discovery tool mixing several options of the previous tools.
  • Javascript Parsing: A Burp extension to find paths and params in JS files.
  • Sourcemapper: A tool that, given a .js.map URL, fetches the beautified JS code.
  • xnLinkFinder: A tool to discover endpoints for a given target.
  • waymore: Discover links from the wayback machine (it also downloads the responses from wayback and looks for more links).
  • HTTPLoot (go): Crawls (even by filling in forms) and also finds sensitive info using specific regexes.
  • SpiderSuite: Spider Suite is an advanced multi-feature GUI web security Crawler/Spider designed for cybersecurity professionals.
  • jsluice (go): A Go package and command-line tool for extracting URLs, paths, secrets and other interesting data from JavaScript source code.
  • ParaForge: ParaForge is a simple Burp Suite extension to extract the parameters and endpoints from requests in order to create a custom wordlist for fuzzing and enumeration.
  • katana (go): Awesome tool for this.
  • Crawley (go): Prints every link it is able to find.

Brute Force directories and files

Start brute-forcing from the root folder and be sure to brute-force all the directories found using this method and all the directories discovered by the Spidering (you can do this brute-forcing recursively and appending at the beginning of the used wordlist the names of the found directories).
Tools:

  • Dirb / Dirbuster - Included in Kali, old (and slow) but functional. Allows self-signed certificates and recursive search. Too slow compared with the other options.
  • Dirsearch (python): It doesn't allow self-signed certificates but allows recursive search.
  • Gobuster (go): It allows self-signed certificates, it doesn't have recursive search.
  • Feroxbuster - Fast, supports recursive search.
  • wfuzz: wfuzz -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt https://domain.com/api/FUZZ
  • ffuf - Fast: ffuf -c -w /usr/share/wordlists/dirb/big.txt -u http://10.10.10.10/FUZZ
  • uro (python): This isn't a spider but a tool that, given the list of found URLs, will delete "duplicated" URLs.
  • Scavenger: Burp Extension to create a list of directories from the burp history of different pages
  • TrashCompactor: Removes URLs with duplicated functionalities (based on js imports)
  • Chamaleon: It uses Wappalyzer to detect the technologies in use and select the wordlists to use.

Recommended dictionaries:

Note that anytime a new directory is discovered during brute-forcing or spidering, it should be Brute-Forced.
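The flip side of the brute-forcing described in this section is how it looks in a web server's access log: one client, a burst of 404/403 responses, and many distinct paths within a short time. The following is an added example in Python (not code from HackTricks or from any of the tools above) that runs that detection over constructed Combined Log Format lines. The thresholds (20 misses for at least 10 distinct paths within 60 seconds), the function names and the sample client addresses are this example's own assumptions; the ordinary client that repeatedly hits one missing file is included to show why the distinct-path condition matters.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Combined Log Format line (assumed input format), e.g.
# 203.0.113.7 - - [10/Oct/2024:13:55:36 +0000] "GET /admin HTTP/1.1" 404 196 "-" "ffuf/2.1"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return (ip, timestamp, path, status) or None for a line that does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["path"], int(m["status"])


def detect_dir_bruteforce(lines, window=timedelta(seconds=60), threshold=20, min_distinct=10):
    """Flag clients with >= threshold 403/404 responses for >= min_distinct distinct paths
    inside any sliding time window. Returns {ip: summary} for flagged clients."""
    misses = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed and parsed[3] in (403, 404):
            ip, ts, path, _ = parsed
            misses[ip].append((ts, path))

    alerts = {}
    for ip, events in misses.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # shrink the window from the left until it spans at most `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            distinct = {p for _, p in span}
            if len(span) >= threshold and len(distinct) >= min_distinct:
                alerts[ip] = {
                    "misses": len(span),
                    "distinct_paths": len(distinct),
                    "first": span[0][0].isoformat(),
                    "last": span[-1][0].isoformat(),
                }
                break  # first window that trips the rule is enough for an alert
    return alerts


def sample_log():
    """Constructed access-log lines: one wordlist scanner and one ordinary client
    whose browser keeps requesting a single missing favicon."""
    base = datetime(2024, 10, 10, 13, 55, 0, tzinfo=timezone.utc)

    def fmt(ip, ts, path, status, ua):
        stamp = ts.strftime("%d/%b/%Y:%H:%M:%S %z")
        return f'{ip} - - [{stamp}] "GET {path} HTTP/1.1" {status} 196 "-" "{ua}"'

    lines = []
    for i in range(25):  # scanner: a new candidate path every second, all missing
        lines.append(fmt("203.0.113.7", base + timedelta(seconds=i), f"/dir{i}", 404, "ffuf/2.1"))
    for i in range(30):  # ordinary client: same missing file over and over, plus real pages
        lines.append(fmt("198.51.100.5", base + timedelta(seconds=i), "/favicon.ico", 404, "Mozilla/5.0"))
        lines.append(fmt("198.51.100.5", base + timedelta(seconds=i), "/index.html", 200, "Mozilla/5.0"))
    return lines


if __name__ == "__main__":
    for ip, summary in detect_dir_bruteforce(sample_log()).items():
        print(ip, summary)
```

On the sample log only 203.0.113.7 is reported; 198.51.100.5 produces 30 misses in the window but for a single path, so it stays below the distinct-path bar. Real deployments would read the log incrementally and tune the thresholds to the site's normal 404 rate.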

What to check on each file found

Special findings

While performing the spidering and brute-forcing you could find interesting things that you have to notice.

Interesting files

403 Forbidden/Basic Authentication/401 Unauthorized (bypass)

403 & 401 Bypasses

502 Proxy Error

If any page responds with that code, it's probably a badly configured proxy. If you send an HTTP request like GET https://google.com HTTP/1.1 (with the Host header and other common headers), the proxy will try to access google.com and you will have found an SSRF.

NTLM Authentication - Info disclosure

If the server asking for authentication is running Windows, or you find a login asking for your credentials (and asking for a domain name), you can provoke an information disclosure.
Send the header "Authorization: NTLM TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA=" and, due to how NTLM authentication works, the server will respond with internal info (IIS version, Windows version...) inside the "WWW-Authenticate" header.
You can automate this using the nmap script "http-ntlm-info.nse".
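What the server puts in that WWW-Authenticate header is an NTLM CHALLENGE_MESSAGE (Type 2), and the "internal info" lives in two of its fields: the TargetInfo AV pairs (NetBIOS/DNS host and domain names) and the Version structure (OS major/minor/build), which is only present when the NTLMSSP_NEGOTIATE_VERSION flag is set. The decoder below is an added example in Python, not code from HackTricks or from the nmap script; it is useful for seeing exactly what one of your own NTLM-enabled endpoints exposes so you can decide whether that endpoint should be reachable from the internet at all. The layout follows MS-NLMP; the sample challenge it decodes is constructed here (host names, domain and build number are made up), not captured from a real server.

```python
import base64
import struct

# AvId values from MS-NLMP AV_PAIR that carry names worth reporting
AV_NAMES = {
    1: "netbios_computer_name",
    2: "netbios_domain_name",
    3: "dns_computer_name",
    4: "dns_domain_name",
    5: "dns_tree_name",
}
NTLMSSP_NEGOTIATE_VERSION = 0x02000000
NTLMSSP_NEGOTIATE_TARGET_INFO = 0x00800000


def parse_ntlm_type2(blob: bytes) -> dict:
    """Decode the disclosed fields of an NTLM CHALLENGE_MESSAGE (Type 2)."""
    if blob[:8] != b"NTLMSSP\x00" or struct.unpack_from("<I", blob, 8)[0] != 2:
        raise ValueError("not an NTLM CHALLENGE_MESSAGE (type 2)")
    # TargetName fields: Len, MaxLen, BufferOffset (offset 12); NegotiateFlags at 20
    tn_len, _, tn_off = struct.unpack_from("<HHI", blob, 12)
    flags = struct.unpack_from("<I", blob, 20)[0]
    info = {"target_name": blob[tn_off:tn_off + tn_len].decode("utf-16-le"), "flags": flags}

    # TargetInfo fields at offset 40 point at a list of AV_PAIRs ending with MsvAvEOL (id 0)
    if flags & NTLMSSP_NEGOTIATE_TARGET_INFO:
        ti_len, _, ti_off = struct.unpack_from("<HHI", blob, 40)
        pos, end = ti_off, ti_off + ti_len
        while pos + 4 <= end:
            av_id, av_len = struct.unpack_from("<HH", blob, pos)
            pos += 4
            if av_id == 0:
                break
            value = blob[pos:pos + av_len]
            pos += av_len
            if av_id in AV_NAMES:
                info[AV_NAMES[av_id]] = value.decode("utf-16-le")

    # Version structure at offset 48: major, minor, build, 3 reserved bytes, NTLM revision
    if flags & NTLMSSP_NEGOTIATE_VERSION:
        major, minor, build = struct.unpack_from("<BBH", blob, 48)
        info["os_version"] = f"{major}.{minor} build {build}"
    return info


def parse_www_authenticate_ntlm(header_value: str) -> dict:
    """Take the raw 'NTLM <base64>' WWW-Authenticate value and decode it."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.upper() != "NTLM" or not token:
        raise ValueError("not an NTLM WWW-Authenticate value")
    return parse_ntlm_type2(base64.b64decode(token))


def build_sample_type2() -> bytes:
    """Constructed Type 2 message for demonstration; every value here is made up."""
    target_name = "CORP".encode("utf-16-le")
    av_pairs = b""
    for av_id, text in ((1, "WEB01"), (2, "CORP"), (3, "web01.corp.local"), (4, "corp.local")):
        value = text.encode("utf-16-le")
        av_pairs += struct.pack("<HH", av_id, len(value)) + value
    av_pairs += struct.pack("<HH", 0, 0)  # MsvAvEOL terminator
    flags = NTLMSSP_NEGOTIATE_VERSION | NTLMSSP_NEGOTIATE_TARGET_INFO | 0x00000200 | 0x00000001
    tn_off = 56                      # header (48) + Version (8)
    ti_off = tn_off + len(target_name)
    msg = b"NTLMSSP\x00" + struct.pack("<I", 2)
    msg += struct.pack("<HHI", len(target_name), len(target_name), tn_off)
    msg += struct.pack("<I", flags)
    msg += b"\x11" * 8               # ServerChallenge (constructed, not random)
    msg += b"\x00" * 8               # Reserved
    msg += struct.pack("<HHI", len(av_pairs), len(av_pairs), ti_off)
    msg += struct.pack("<BBH", 10, 0, 19041) + b"\x00\x00\x00\x0f"  # Version, NTLM revision 15
    return msg + target_name + av_pairs


if __name__ == "__main__":
    header = "NTLM " + base64.b64encode(build_sample_type2()).decode()
    print(parse_www_authenticate_ntlm(header))
```

The header value quoted in the text above is a Type 1 (NEGOTIATE) message, which is what the client sends; the decoder rejects it, since the fields of interest only exist in the server's Type 2 reply.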

HTTP Redirect (CTF)

It is possible to put content inside a Redirection. This content won't be shown to the user (as the browser will execute the redirection) but something could be hidden in there.

Web Vulnerabilities Checking

Now that a comprehensive enumeration of the web application has been performed it's time to check for a lot of possible vulnerabilities. You can find the checklist here:

Web Vulnerabilities Methodology

Find more info about web vulns in:

Monitor Pages for changes

You can use tools such as https://github.com/dgtlmoon/changedetection.io to monitor pages for modifications that might insert vulnerabilities.

HackTricks Automatic Commands

Protocol_Name: Web    #Protocol Abbreviation if there is one.
Port_Number:  80,443     #Comma separated if there is more than one.
Protocol_Description: Web         #Protocol Abbreviation Spelled out

Entry_1:
Name: Notes
Description: Notes for Web
Note: |
https://book.hacktricks.wiki/en/network-services-pentesting/pentesting-web/index.html

Entry_2:
Name: Quick Web Scan
Description: Nikto and GoBuster
Command: nikto -host {Web_Proto}://{IP}:{Web_Port} && gobuster dir -w {Small_Dirlist} -u {Web_Proto}://{IP}:{Web_Port} && gobuster dir -w {Big_Dirlist} -u {Web_Proto}://{IP}:{Web_Port}

Entry_3:
Name: Nikto
Description: Basic Site Info via Nikto
Command: nikto -host {Web_Proto}://{IP}:{Web_Port}

Entry_4:
Name: WhatWeb
Description: General purpose auto scanner
Command: whatweb -a 4 {IP}

Entry_5:
Name: Directory Brute Force Non-Recursive
Description:  Non-Recursive Directory Brute Force
Command: gobuster dir -w {Big_Dirlist} -u {Web_Proto}://{IP}:{Web_Port}

Entry_6:
Name: Directory Brute Force Recursive
Description: Recursive Directory Brute Force
Command: python3 {Tool_Dir}dirsearch/dirsearch.py -w {Small_Dirlist} -e php,exe,sh,py,html,pl -f -t 20 -u {Web_Proto}://{IP}:{Web_Port} -r 10

Entry_7:
Name: Directory Brute Force CGI
Description: Common Gateway Interface Brute Force
Command: gobuster dir -u {Web_Proto}://{IP}:{Web_Port}/ -w /usr/share/seclists/Discovery/Web-Content/CGIs.txt -s 200

Entry_8:
Name: Nmap Web Vuln Scan
Description: Tailored Nmap Scan for web Vulnerabilities
Command: nmap -vv --reason -Pn -sV -p {Web_Port} --script=`banner,(http* or ssl*) and not (brute or broadcast or dos or external or http-slowloris* or fuzzer)` {IP}

Entry_9:
Name: Drupal
Description: Drupal Enumeration Notes
Note: |
git clone https://github.com/immunIT/drupwn.git for low hanging fruit and git clone https://github.com/droope/droopescan.git for deeper enumeration

Entry_10:
Name: WordPress
Description: WordPress Enumeration with WPScan
Command: |
?What is the location of the wp-login.php? Example: /Yeet/cannon/wp-login.php
wpscan --url {Web_Proto}://{IP}{1} --enumerate ap,at,cb,dbe && wpscan --url {Web_Proto}://{IP}{1} --enumerate u,tt,t,vp --passwords {Big_Passwordlist} -e

Entry_11:
Name: WordPress Hydra Brute Force
Description: Need User (admin is default)
Command: hydra -l admin -P {Big_Passwordlist} {IP} -V http-form-post '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In&testcookie=1:S=Location'

Entry_12:
Name: Ffuf Vhost
Description: Simple Scan with Ffuf for discovering additional vhosts
Command: ffuf -w {Subdomain_List}:FUZZ -u {Web_Proto}://{Domain_Name} -H "Host:FUZZ.{Domain_Name}" -c -mc all {Ffuf_Filters}
