Recon

Check-List

Check robots.txt
Check .git
Use TRACE method
Force error messages

`TRACE` method

Checking for Cross-Site Tracing (XST) – Bypassing HttpOnly Cookies

If TRACE is enabled and the response reflects cookies, an attacker can bypass the HttpOnly flag.
Normally, HttpOnly prevents JavaScript from accessing cookies, but TRACE can leak them if not properly restricted.

POC

curl -X TRACE https://target.com -H "Test: XST"

If the response includes the custom header, TRACE is enabled.
If it leaks Set-Cookie headers, it’s a serious security issue.
Bug Bounty Impact: Session Hijacking

Finding Internal Headers & Debug Info

Some servers return sensitive internal headers when TRACE is enabled, such as:

X-Forwarded-For --> Real client IP leak.
X-Backend-Server --> Internal server exposure.
Via --> Reveals proxy setup.

POC

curl -X TRACE https://target.com

Look for unusual headers in the response, which might reveal backend infrastructure details.
Bug Bounty Impact: Information Disclosure

Finding WAF / Security Device Bypasses

Some WAFs don’t inspect TRACE requests properly.
You can use TRACE to test whether WAF protections apply to certain endpoints.

POC

curl -X TRACE https://target.com/index.php --data "payload=<script>alert(1)</script>"

If TRACE reflects the payload, but normal requests are blocked, the WAF is bypassable.

Checking for Cross-Origin Attacks

If TRACE is enabled, it might allow same-origin policy (SOP) bypasses.
Some older browsers or misconfigured CORS setups can be exploited if TRACE echoes requests cross-origin.

Browser `DevTools`

Show devtools

[CTRL+SHIFT+I] or [F12]

Show Network tab

[CTRL+SHIFT+E]

Show Console tab

[CTRL+SHIFT+K]

Bypass `User-Agent` filtering

Use HTTPBin to check the User-Agent from any client.
Experiment with those User-Agent:

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 Edg/123.0.2420.81
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 OPR/109.0.0.0
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Mozilla/5.0 (Macintosh; Intel Mac OS X 14.4; rv:124.0) Gecko/20100101 Firefox/124.0
Mozilla/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15
Mozilla/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 OPR/109.0.0.0
Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Mozilla/5.0 (X11; Linux i686; rv:124.0) Gecko/20100101 Firefox/124.0

Website Fingerprinting

Use Wappalyzer
Or in the command line:

whatweb -v 10.10.10.121

Website banners

curl -IL https://www.inlanefreight.com

`SSL` Certificates

Use openssl to get the certificate's info:

echo | openssl s_client -showcerts -servername 10.10.10.124 -connect 10.10.10.124:443 2>/dev/null | openssl x509 -inform pem -noout -text

Grep for subdomains

echo | openssl s_client -showcerts -servername 10.10.10.124 -connect 10.10.10.124:443 2>/dev/null | openssl x509 -inform pem -noout -text | grep DNS | tr "," "\n" | cut -d: -f2

Create a custom wordlist with the subdomains to fuzz for response codes and gain a general idea of the content:

 ffuf -c -w domains -u https://FUZZ

When working with HTTPS is good practice to validate the SSL/TLS version and ciphers in use:

openssl s_client -connect 10.10.10.124:443 -servername 10.10.10.124 -showcerts

You can follow up with the -cipher flag to specify the cipher suites you're interested in:

openssl s_client -connect 10.10.10.124:443 -servername 10.10.10.124 -cipher ECDHE-RSA-AES256-GCM-SHA384

Check if the server implements HSTS by looking for it's header:

curl -I https://10.10.10.124

PreviousNetExec NextMain Techniques

Last updated 19 days ago

TRACE method

Checking for Cross-Site Tracing (XST) – Bypassing HttpOnly Cookies

If TRACE is enabled and the response reflects cookies, an attacker can bypass the HttpOnly flag.
Normally, HttpOnly prevents JavaScript from accessing cookies, but TRACE can leak them if not properly restricted.

POC

curl -X TRACE https://target.com -H "Test: XST"

If the response includes the custom header, TRACE is enabled.
If it leaks Set-Cookie headers, it’s a serious security issue.
Bug Bounty Impact: Session Hijacking

Finding Internal Headers & Debug Info

Some servers return sensitive internal headers when TRACE is enabled, such as:

X-Forwarded-For --> Real client IP leak.
X-Backend-Server --> Internal server exposure.
Via --> Reveals proxy setup.

POC

curl -X TRACE https://target.com

Look for unusual headers in the response, which might reveal backend infrastructure details.
Bug Bounty Impact: Information Disclosure

Finding WAF / Security Device Bypasses

Some WAFs don’t inspect TRACE requests properly.
You can use TRACE to test whether WAF protections apply to certain endpoints.

POC

curl -X TRACE https://target.com/index.php --data "payload=<script>alert(1)</script>"

If TRACE reflects the payload, but normal requests are blocked, the WAF is bypassable.

Checking for Cross-Origin Attacks

If TRACE is enabled, it might allow same-origin policy (SOP) bypasses.
Some older browsers or misconfigured CORS setups can be exploited if TRACE echoes requests cross-origin.

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 Edg/123.0.2420.81 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 OPR/109.0.0.0 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 Mozilla/5.0 (Macintosh; Intel Mac OS X 14.4; rv:124.0) Gecko/20100101 Firefox/124.0 Mozilla/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Mozilla/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 OPR/109.0.0.0 Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 Mozilla/5.0 (X11; Linux i686; rv:124.0) Gecko/20100101 Firefox/124.0

SSL Certificates

Use openssl to get the certificate's info:

echo | openssl s_client -showcerts -servername 10.10.10.124 -connect 10.10.10.124:443 2>/dev/null | openssl x509 -inform pem -noout -text

Grep for subdomains

echo | openssl s_client -showcerts -servername 10.10.10.124 -connect 10.10.10.124:443 2>/dev/null | openssl x509 -inform pem -noout -text | grep DNS | tr "," "\n" | cut -d: -f2

Create a custom wordlist with the subdomains to fuzz for response codes and gain a general idea of the content:

 ffuf -c -w domains -u https://FUZZ

When working with HTTPS is good practice to validate the SSL/TLS version and ciphers in use:

openssl s_client -connect 10.10.10.124:443 -servername 10.10.10.124 -showcerts

You can follow up with the -cipher flag to specify the cipher suites you're interested in:

openssl s_client -connect 10.10.10.124:443 -servername 10.10.10.124 -cipher ECDHE-RSA-AES256-GCM-SHA384

Check if the server implements HSTS by looking for it's header:

curl -I https://10.10.10.124

TRACE method

Browser DevTools

Bypass User-Agent filtering

Website Fingerprinting

SSL Certificates

TRACE method

Browser DevTools

Bypass User-Agent filtering

Website Fingerprinting

SSL Certificates

`TRACE` method

Browser `DevTools`

Bypass `User-Agent` filtering

`SSL` Certificates

`TRACE` method

Browser `DevTools`

Bypass `User-Agent` filtering

`SSL` Certificates