Web Reconnaissance

Check-List
Nmap Scripts
Scan for config files
nmap -n -p<PORT> --script http-config-backup <IP>
Site map generator
nmap -Pn --script=http-sitemap-generator scanme.nmap.org
Stealthy Scan
nmap -n -Pn -vv -O -sV --script=http-enum,http-headers,http-methods,http-title,http-vuln* 192.168.1.1
Fast scan
nmap -n -Pn -p 80 --open -sV -vvv --script banner,http-title -iR 1000
Shellshock Vulnerability Check
sudo nmap --script http-shellshock --script-args uri=<URL_ARCHIVO_SH> -p80 <IP>
TRACE Method

Checking for Cross-Site Tracing (XST) – Bypassing HttpOnly Cookies

  • If TRACE is enabled and the response reflects cookies, an attacker can bypass the HttpOnly flag.

  • Normally, HttpOnly prevents JavaScript from accessing cookies, but TRACE can leak them if not properly restricted.

POC
curl -X TRACE https://target.com -H "Test: XST"
  • If the response includes the custom header, TRACE is enabled.

  • If it leaks Set-Cookie headers, it’s a serious security issue.

  • Bug Bounty Impact: Session Hijacking


Finding Internal Headers & Debug Info

Some servers return sensitive internal headers when TRACE is enabled, such as:

  • X-Forwarded-For --> Real client IP leak.

  • X-Backend-Server --> Internal server exposure.

  • Via --> Reveals proxy setup.

POC
curl -X TRACE https://target.com
  • Look for unusual headers in the response.

  • Bug Bounty Impact: Information Disclosure


Finding WAF / Security Device Bypasses

  • Some WAFs don’t inspect TRACE requests properly.

  • You can use TRACE to test whether WAF protections apply to certain endpoints.

POC
curl -X TRACE https://target.com/index.php --data "payload=<script>alert(1)</script>"

If TRACE reflects the payload, but normal requests are blocked, the WAF is bypassable.


Checking for Cross-Origin Attacks

  • If TRACE is enabled, it might allow same-origin policy (SOP) bypasses.

  • Some older browsers or misconfigured CORS setups can be exploited if TRACE echoes requests cross-origin.
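
The checks above all come down to one question: does the server answer TRACE at all, and if so does it echo request headers (including Cookie) back in the body? The script below is an added example written for this page, not code from the original notes: it implements that check with the standard library and runs it against two constructed local handlers, one that reflects the request the way a misconfigured server would and one hardened to refuse TRACE with 405, so the expected results can be verified offline before pointing `probe_trace` at a real host. The header name `X-Xst-Probe` and the cookie value are constructed for the example.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

MARKER_HEADER = "X-Xst-Probe"  # constructed marker; any unusual header name works


class ReflectingHandler(BaseHTTPRequestHandler):
    """Constructed misconfigured server: echoes the request line and headers back."""

    def do_TRACE(self):
        echoed = f"{self.command} {self.path} {self.request_version}\r\n"
        echoed += "".join(f"{k}: {v}\r\n" for k, v in self.headers.items())
        data = echoed.encode()
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # keep the demo quiet
        pass


class HardenedHandler(ReflectingHandler):
    """Constructed hardened server: TRACE is refused outright (405 + Allow)."""

    def do_TRACE(self):
        self.send_response(405)
        self.send_header("Allow", "GET, HEAD")
        self.send_header("Content-Length", "0")
        self.end_headers()


def probe_trace(host, port, cookie="session=constructed-value"):
    """Send TRACE with a marker header and a cookie; report whether either is reflected."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("TRACE", "/", headers={MARKER_HEADER: "xst-check", "Cookie": cookie})
    resp = conn.getresponse()
    body = resp.read().decode(errors="replace")
    conn.close()
    return {
        "status": resp.status,
        # TRACE is usable for XST only if the server answers 200 and echoes our header
        "trace_enabled": resp.status == 200 and MARKER_HEADER.lower() in body.lower(),
        # a reflected Cookie header is the HttpOnly bypass the notes describe
        "cookie_reflected": cookie in body,
    }


def start_server(handler):
    """Bind an ephemeral loopback port and serve in a background thread."""
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def run_demo():
    """Probe both constructed servers and return the results keyed by name."""
    results = {}
    for name, handler in (("reflecting", ReflectingHandler), ("hardened", HardenedHandler)):
        server = start_server(handler)
        try:
            results[name] = probe_trace("127.0.0.1", server.server_address[1])
        finally:
            server.shutdown()
            server.server_close()
    return results


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(name, result)
```

On a real target the status alone is not enough: some front-ends answer 200 with an error page, which is why `trace_enabled` also requires the marker header to appear in the body. The hardened handler mirrors what `TraceEnable Off` (Apache) or the default behaviour of nginx produce.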

Bypass User-Agent filtering
  • Use HTTPBin to check the User-Agent from any client.

  • Experiment with these User-Agent strings:

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 Edg/123.0.2420.81
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 OPR/109.0.0.0
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Mozilla/5.0 (Macintosh; Intel Mac OS X 14.4; rv:124.0) Gecko/20100101 Firefox/124.0
Mozilla/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15
Mozilla/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 OPR/109.0.0.0
Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Mozilla/5.0 (X11; Linux i686; rv:124.0) Gecko/20100101 Firefox/124.0
Ruby Configuration Files

Worth reading the documentation

Look for these files
config/application.rb
config/database.yml
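
These files matter because config/database.yml usually carries database credentials, and the damage from an exposed copy depends on whether those values are literals or ERB lookups into the environment. The script below is an added example for this page, not code from the original notes or from Rails: a line-based linter that flags sensitive keys whose value is hardcoded rather than resolved with `<%= ENV[...] %>`. It is line-based on purpose, since database.yml is ERB before it is YAML and a plain YAML parser trips over the tags. The sample file, section names and the `s3cr3t-dev-password` value are constructed.

```python
import re

# Constructed sample config/database.yml: production reads its credentials from
# the environment, development hardcodes the password.
SAMPLE_DATABASE_YML = """\
default: &default
  adapter: postgresql
  encoding: unicode

development:
  <<: *default
  database: app_development
  username: app
  password: s3cr3t-dev-password

production:
  <<: *default
  database: app_production
  username: <%= ENV["DATABASE_USER"] %>
  password: <%= ENV["DATABASE_PASSWORD"] %>
"""

SENSITIVE_KEYS = ("password", "secret", "token")
# ERB lookups that are acceptable: <%= ENV["X"] %>, <%= ENV['X'] %>, <%= ENV.fetch("X") %>
ERB_ENV = re.compile(r"<%=\s*ENV(?:\[|\.fetch\()")
TOP_LEVEL = re.compile(r"^(\w+):\s*(&\w+)?\s*$")
KEY_VALUE = re.compile(r"^\s+(\w+):\s*(.+?)\s*$")


def find_hardcoded_secrets(yml_text):
    """Return (line_no, key, section) for sensitive keys with a literal value."""
    findings = []
    section = None
    for no, line in enumerate(yml_text.splitlines(), 1):
        top = TOP_LEVEL.match(line)
        if top:  # environment block such as development: / production:
            section = top.group(1)
            continue
        kv = KEY_VALUE.match(line)
        if not kv:  # blank lines, comments, YAML merge keys (<<: *default)
            continue
        key, value = kv.group(1), kv.group(2)
        if any(s in key.lower() for s in SENSITIVE_KEYS) and not ERB_ENV.search(value):
            findings.append((no, key, section))
    return findings


if __name__ == "__main__":
    for line_no, key, section in find_hardcoded_secrets(SAMPLE_DATABASE_YML):
        print(f"line {line_no}: literal '{key}' in section '{section}'")
```

Run it over a real database.yml (`find_hardcoded_secrets(open("config/database.yml").read())`) as a pre-commit or CI step; any finding is a value that would be directly usable if the file were served by the web server or committed to a public repository.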
