0xPThree.gitbook.io
  • Network Services
    • Ports
      • 21 - FTP
      • 22 - SSH
      • 23 - Telnet
      • 25, 465, 587 - SMTP(S)
      • 53 - DNS
      • 80, 443 - HTTP(S)
        • Frameworks
          • Drupal
          • Flask
          • Laravel
          • Tomcat
          • Werkzeug
        • Fuzzing
        • Grafana
        • Languages
          • PHP
        • WebDAV
        • Web Vulnerabilities
          • CloudFlare Bypass
          • Command Injection
          • CSTI
          • File Inclusion/Path Traversal
          • SQL Injection
          • SSI
          • SSTI
          • Upload bypass
          • XLST
          • XML Injection
      • 88 - Kerberos
      • 135, 593 - MSRPC
      • 139, 445 - SMB
      • 161, 162, 10161, 10162 - SNMP
      • 1433, 3306 - SQL
      • 2049 - NFS
      • 2375 - Docker
  • Active Directory
    • ADCS
    • DACL Abuse
      • AddMember
      • ForceChangePassword
      • Kerberoasting
      • ReadLAPSPassword
      • ReadGMSAPassword
      • Grant Ownership
      • Grant Rights
      • Logon Script
      • Rights on RODC object
    • Security groups
    • Misc
  • Coding Languages
    • Python
  • Exploits / PoC's
    • Ansible
      • Ansible AWX
    • Apache
      • HTTP Server - CVE-2021-41773
      • Struts - CVE-2024-53677 / S2-067
      • Tomcat - CVE-2020-1938 / CVE-2020-10487
      • Tomcat - CVE-2025-24813
    • Confluence - CVE-2023-22527
    • CUPS - CVE-2024-47***
    • D-Link
      • CVE-2020-29322
      • Decrypt firmware: DIR-X1560
    • Dmidecode - CVE-2023-30630
    • Erlang
      • OTP SSH - CVE-2025-32433
    • EternalBlue - MS17-010
    • Gitlab - CVE-2023-7028
    • Ivanti - CVE-2024-21893 / 21887
    • Jenkins - CVE-2024-23897
    • LXD group - N/A
    • nf_tables - CVE-2024-1086
    • NFS - N/A
    • Oracle
      • WebLogic - CVE-2018-2628
      • WebLogic - CVE-2019-2729
      • WebLogic - CVE-2023-21839
      • WebLogic - CVE-2024-20931
      • WebLogic - CVE-2024-21006
    • PHP
      • CVE-2024-4577
    • RunC
      • CVE-2022-0811
      • CVE-2024-21626
    • Snap - CVE-2019-7304
    • TP-Link - CVE-2024-5035
  • Hardware
    • Firmware
    • JTAG
    • SPI
    • UART
    • USB
  • Post Exploit
    • Compile payload
    • Obfuscation
    • Read VMDK files
    • Saved Credentials
      • Linux - Ansible AWX / Tower
      • Linux - Dell Networker
      • Windows - Mozilla Firefox
      • Windows - Notepad++
      • Windows - WinSCP
    • Session Hijack
    • Sniffing Passwords
    • Upgrade shell
    • VMware
      • Disk Encryption
      • LDAP Connection (SSO)
      • Restore VCSA Postgres Database
      • vCenter Forge SAML
      • Waiter Account Information
  • Development
    • Dnsmasq DHCP
    • Docker
      • Ansible AWX
      • Docker Compose
      • FirmAE - Emulate Firmware
      • Oracle WebLogic
      • Rocket.Chat
      • Tomcat
      • Vaultwarden
    • Harden Windows Host
    • HTTPS Proxy
    • Netplan + Networkd
    • SSL/TLS Certificates
  • TODO
Powered by GitBook
On this page
  • Brute force directories / files / vhosts
  • Initial checks
  • CMS Scanners
  • 401 Forbidden & 403 Unauthorized - Bypass
  • 502 Proxy Error - SSRF
  • Python3 HTTP Redirect

Was this helpful?

  1. Network Services
  2. Ports

80, 443 - HTTP(S)

Last updated 12 months ago

Was this helpful?

Brute force directories / files / vhosts

ffuf -c -w /usr/share/wordlists/dirb/big.txt -u http://10.10.10.10/FUZZ
ffuf -c -w /usr/share/wordlists/dirb/big.txt -u http://target.com -H "Host: FUZZ.target.com"
ffuf -c -w /usr/share/wordlists/dirb/big.txt -u http://target.com/FUZZ.php -b "PHPSESSID=qotlc86o7lnh9jm51atioq3fbc"

## WAF Bypass using HTTP Headers
ffuf -c -w /usr/share/wordlists/dirb/common.txt -u https://target.com/FUZZ -H "X-Originating-IP: 127.0.0.1, X-Forwarded-For: 127.0.0.1, X-Remote-IP: 127.0.0.1, X-Remote-Addr: 127.0.0.1, X-Client-IP: 127.0.0.1"

## Find URL-parameters
ffuf -c -w /usr/share/wordlists/dirb/big.txt -u https://target.com/admin/?FUZZ= -b "PHPSESSID=ciku9juef85i9sj1eju4alj375"  -fs 1678

: wfuzz -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt https://domain.com/api/FUZZ

Initial checks

Server Version

Check if there are known vulnerabilities for the server version that is running. The HTTP headers and cookies of the response could be very useful to identify the technologies and/or version being used.

webanalyze -host https://google.com -crawl 2

Default pages with interesting info

/robots.txt
/sitemap.xml
/crossdomain.xml
/clientaccesspolicy.xml
/.well-known/
Check also comments in the main and secondary pages.

CMS Scanners

If a CMS is used don't forget to run a scanner, maybe something juicy is found:

cmsmap [-f W] -F -d <URL>
wpscan --force update -e --url <URL>
joomscan --ec -u <URL>

401 Forbidden & 403 Unauthorized - Bypass

Automatic fuzzing with byp4xx

40X bypasser in Go. Methods from #bugbountytips, headers, verb tampering, user agents and more.

502 Proxy Error - SSRF

If any page responds with 502 Proxy Error, it's probably a bad configured proxy. If you send a HTTP request like: GET https://google.com HTTP/1.1 (with the host header and other common headers), the proxy will try to access google.com and you will have found a SSRF.

Protocol version

If using HTTP/1.1 try to use 1.0 or even test if it supports 2.0.

Other bypass techniques

  • Get the IP or CNAME of the domain and try contacting it directly.

  • Change the protocol: from http to https, or for https to http

Python3 HTTP Redirect

Good script to redirect HTTP traffic, this is useful for bypassing certain 301 Redirect checks or when using MSDT Follina.

#!/usr/bin/env python3

import sys
from http.server import HTTPServer, BaseHTTPRequestHandler

if len(sys.argv)-1 != 2:
    print("""
Usage: {} <port_number> <url>
    """.format(sys.argv[0]))
    sys.exit()

class Redirect(BaseHTTPRequestHandler):
   def do_GET(self):
       self.send_response(302)
       self.send_header('Location', sys.argv[2])
       self.end_headers()

HTTPServer(("", int(sys.argv[1])), Redirect).serve_forever()
$ python3 redirect.py 80 http://10.10.14.2:8888
10.10.11.175 - - [19/Aug/2022 12:18:18] "GET / HTTP/1.1" 301 -
10.10.11.175 - - [19/Aug/2022 12:18:20] "GET /nc64.exe HTTP/1.1" 301 -

Go to and check if in the past that file was worldwide accessible.

ffuf:
wfuzz
https://archive.org/web/
LogoGitHub - lobuhi/byp4xx: Pyhton script for HTTP 40X responses bypassing. Features: Verb tampering, headers, #bugbountytips tricks and 2454 User-Agents.GitHub