# 80, 443 - HTTP(S)

### Brute force directories / files / vhosts

[**ffuf:**](https://github.com/ffuf/ffuf)

```bash
ffuf -c -w /usr/share/wordlists/dirb/big.txt -u http://10.10.10.10/FUZZ
ffuf -c -w /usr/share/wordlists/dirb/big.txt -u http://target.com -H "Host: FUZZ.target.com"
ffuf -c -w /usr/share/wordlists/dirb/big.txt -u http://target.com/FUZZ.php -b "PHPSESSID=qotlc86o7lnh9jm51atioq3fbc"

## WAF Bypass using HTTP Headers
ffuf -c -w /usr/share/wordlists/dirb/common.txt -u https://target.com/FUZZ -H "X-Originating-IP: 127.0.0.1" -H "X-Forwarded-For: 127.0.0.1" -H "X-Remote-IP: 127.0.0.1" -H "X-Remote-Addr: 127.0.0.1" -H "X-Client-IP: 127.0.0.1"

## Find URL-parameters
ffuf -c -w /usr/share/wordlists/dirb/big.txt -u https://target.com/admin/?FUZZ= -b "PHPSESSID=ciku9juef85i9sj1eju4alj375"  -fs 1678
```

[**wfuzz**](https://github.com/xmendez/wfuzz)**:** `wfuzz -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt https://domain.com/api/FUZZ`

### Initial checks

#### Server Version

Check whether there are **known vulnerabilities** for the server **version** that is running.
The **HTTP headers and cookies of the response** can be very useful to **identify** the **technologies** and/or **versions** in use.

```bash
webanalyze -host https://google.com -crawl 2
```
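As an added example (not part of the original notes, and not webanalyze's code), the script below does the manual version of that check: it parses a raw HTTP response, collects the headers that name server software (`Server`, `X-Powered-By`, `X-AspNet-Version`, `X-Generator`, `Via`), maps well-known session-cookie names to their frameworks, and then lists which values disclose an explicit version number. The `COOKIE_HINTS` table and `SAMPLE_RESPONSE` are constructed for the demo; it is the same check a defender runs against their own server to see what it leaks.

```python
"""Fingerprint the technologies an HTTP response discloses.

Added example, not part of the original notes: it parses a raw HTTP/1.1
response and reports what the Server / X-Powered-By / Via style headers
and the session-cookie names reveal, then lists which of those values
include an explicit version number. COOKIE_HINTS and SAMPLE_RESPONSE are
constructed for the demo.
"""
import re

# Cookie names that are characteristic of a framework (constructed table).
COOKIE_HINTS = {
    "PHPSESSID": "PHP",
    "JSESSIONID": "Java servlet container",
    "ASP.NET_SessionId": "ASP.NET",
    "csrftoken": "Django",
    "laravel_session": "Laravel",
    "wordpress_test_cookie": "WordPress",
}

# Headers whose values usually name the software that produced the response.
VERSION_HEADERS = ("Server", "X-Powered-By", "X-AspNet-Version", "X-Generator", "Via")

# Matches dotted version strings such as 2.4.41 or 7.4.3
VERSION_RE = re.compile(r"\b\d+(?:\.\d+)+\b")


def parse_headers(raw):
    """Return (status_line, [(name_lowercase, value), ...]) for a raw response."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def fingerprint(raw):
    """Collect technology hints keyed by header name, plus a 'cookies' entry."""
    findings = {}
    _status, headers = parse_headers(raw)
    for wanted in VERSION_HEADERS:
        for name, value in headers:
            if name == wanted.lower():
                findings.setdefault(wanted, []).append(value)
    for name, value in headers:
        if name == "set-cookie":
            # Cookie name is everything before the first '=' of the first attribute
            cookie_name = value.split(";", 1)[0].split("=", 1)[0].strip()
            if cookie_name in COOKIE_HINTS:
                findings.setdefault("cookies", []).append(
                    f"{cookie_name} -> {COOKIE_HINTS[cookie_name]}")
    return findings


def version_leaks(findings):
    """Return only the header values that disclose an explicit version number."""
    leaks = {}
    for name, values in findings.items():
        if name == "cookies":
            continue
        disclosed = [v for v in values if VERSION_RE.search(v)]
        if disclosed:
            leaks[name] = disclosed
    return leaks


# Constructed sample response (not captured from a real host).
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Fri, 19 Aug 2022 12:18:18 GMT\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.4.3\r\n"
    "Set-Cookie: PHPSESSID=constructedsessionid; path=/; HttpOnly\r\n"
    "Set-Cookie: wordpress_test_cookie=WP+Cookie+check; path=/\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html><!-- TODO: remove debug endpoint --></html>"
)

if __name__ == "__main__":
    found = fingerprint(SAMPLE_RESPONSE)
    for key, values in found.items():
        print(f"{key}: {values}")
    print("version leaks:", version_leaks(found))
```

Feed it the output of `curl -si https://host/` (or a response saved from a proxy) instead of `SAMPLE_RESPONSE`; anything `version_leaks()` reports is a header the server should be configured to trim (for example `ServerTokens Prod` on Apache, `expose_php = Off` in PHP).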

#### Default pages with interesting info

```bash
/robots.txt
/sitemap.xml
/crossdomain.xml
/clientaccesspolicy.xml
/.well-known/
```

Check also the HTML comments in the main and secondary pages.

### CMS Scanners

If a CMS is used, don't forget to **run a scanner**; it may find something juicy:

```bash
cmsmap [-f W] -F -d <URL>
wpscan --force update -e --url <URL>
joomscan --ec -u <URL>
```

### 401 Unauthorized & 403 Forbidden - Bypass

#### Automatic fuzzing with byp4xx

40X bypasser in Go. Methods from #bugbountytips, headers, verb tampering, user agents and more.

{% embed url="<https://github.com/lobuhi/byp4xx>" %}

### 502 Proxy Error - SSRF

If any page **responds** with 502 Proxy Error, it's probably a **misconfigured proxy**. If you send an HTTP request like `GET https://google.com HTTP/1.1` (with the Host header and the other common headers), the **proxy** will try to access *google.com* and you will have found an **SSRF**.
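Seen from the server side, the same request is easy to spot in the access log: the request target is an absolute URL rather than a path. The following is an added example, not part of the original notes, that parses combined-format access log lines and flags requests whose target is an absolute URL to a host the server does not serve, with the 502 that the origin answered recorded alongside. `OWN_HOSTS` and `SAMPLE_LOG` are constructed for the demo.

```python
"""Spot forward-proxy abuse (absolute-URI requests) in web server access logs.

Added example, not part of the original notes. A client that sends
"GET https://google.com/ HTTP/1.1" to a web server is testing whether the
server (or a proxy in front of it) will fetch the URL on its behalf; a 502
back from the origin is exactly the symptom described above. This parser
reads combined-format log lines and flags requests whose target is an
absolute URL to a host the server does not serve. OWN_HOSTS and SAMPLE_LOG
are constructed for the demo.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

# Combined log format: client, identd, user, [time], "method target proto", status, size, ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Hostnames this server legitimately serves (constructed for the demo).
OWN_HOSTS = {"target.com", "www.target.com"}


def parse_line(line):
    """Return the matched fields as a dict, or None if the line is not in combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_proxy_request(target, own_hosts):
    """True when the request target is an absolute URL pointing at a foreign host."""
    parts = urlsplit(target)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    return parts.hostname.lower() not in own_hosts


def find_proxy_abuse(lines, own_hosts=OWN_HOSTS):
    """Return (client, target, status) for each request that tried to use us as a proxy."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and is_proxy_request(rec["target"], own_hosts):
            hits.append((rec["client"], rec["target"], int(rec["status"])))
    return hits


def offenders(hits):
    """Count flagged requests per client address."""
    return Counter(client for client, _target, _status in hits)


# Constructed sample log lines (not from a real server).
SAMPLE_LOG = [
    '10.10.14.2 - - [19/Aug/2022:12:18:18 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.10.14.2 - - [19/Aug/2022:12:18:20 +0000] "GET https://google.com/ HTTP/1.1" 502 1678 "-" "curl/7.81.0"',
    '10.10.14.2 - - [19/Aug/2022:12:18:21 +0000] "GET http://www.target.com/robots.txt HTTP/1.1" 200 64 "-" "curl/7.81.0"',
    '10.10.14.3 - - [19/Aug/2022:12:18:25 +0000] "GET http://example.net/ HTTP/1.0" 502 1678 "-" "curl/7.81.0"',
    'this line is not an access log entry',
]

if __name__ == "__main__":
    hits = find_proxy_abuse(SAMPLE_LOG)
    for client, target, status in hits:
        print(f"{client} asked us to fetch {target} (server answered {status})")
    print("per-client counts:", dict(offenders(hits)))
```

An absolute URL to one of your own vhosts is legitimate HTTP/1.1 (a client may always send the full URL), which is why `OWN_HOSTS` is excluded; only foreign hosts indicate that someone is probing the proxy behaviour. If these show up with anything other than a 4xx, check the proxy's `ProxyRequests` / forward-proxy settings.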

#### Protocol version

If using HTTP/1.1 **try to use 1.0** or even test if it **supports 2.0**.

#### Other bypass techniques

* Get the **IP** or **CNAME** of the domain and try **contacting it directly**.
* **Change the protocol**: from http to https, or from https to http.
* Go to [**https://archive.org/web/**](https://archive.org/web/) and check if in the past that file was **worldwide accessible**.

### Python3 HTTP Redirect

A small script that redirects all incoming HTTP requests to a given URL; this is useful for bypassing certain 301 redirect checks or when using MSDT Follina.

```python
#!/usr/bin/env python3
# Minimal HTTP server that answers every GET with a 302 redirect to the URL
# given on the command line.

import sys
from http.server import HTTPServer, BaseHTTPRequestHandler

if len(sys.argv) - 1 != 2:
    print("""
Usage: {} <port_number> <url>
    """.format(sys.argv[0]))
    sys.exit(1)


class Redirect(BaseHTTPRequestHandler):
    def do_GET(self):
        # Send the client to the target URL passed as the second argument
        self.send_response(302)
        self.send_header('Location', sys.argv[2])
        self.end_headers()


# Listen on all interfaces on the given port
HTTPServer(("", int(sys.argv[1])), Redirect).serve_forever()
```

```
$ python3 redirect.py 80 http://10.10.14.2:8888
10.10.11.175 - - [19/Aug/2022 12:18:18] "GET / HTTP/1.1" 301 -
10.10.11.175 - - [19/Aug/2022 12:18:20] "GET /nc64.exe HTTP/1.1" 301 -
```
