80/443 - HTTP(s)

Web applications often contain vulnerabilities due to a large attack surface reliant on multiple technologies, dependencies and configuration challenges. Thorough enumeration is critical to ensure a thorough understanding of the attack surface.

Enumeration process

1. Manual review

Set up a proxy interceptor (BurpSuite or ZAP) to passively audit
Identify links, input fields, login pages, etc.
Note version or software information
Inspect the page source, look for version info, comments, etc.
Inspect URLs for file extensions (php, jsp, do, html, etc.)
Inspect URLs for possible bypass vulnerabilities
Check for and review sitemaps/robots.txt/security.txt
Check HTTP headers, observe how the web page and server exchange information

2. Scan for vulnerabilities

Utilize scanning tools to crawl web pages and audit for vulnerabilities
Manually review scan results

nikto -h 10.11.1.5
BurpSuite Pro active/live scan
ZAP active scan
Nessus web application scan

3. Identify underlying server technologies

Web applications often utilize a number of underlying components that are typically outdated (examples: jQuery, Bootstrap, Telerik, etc.)
Use nMap to identify technologies operating on ports other than 80/443
Attempt to identify:
- Programming languages and frameworks
- Web server software
- Database software
- Server operating system
Default pages and configuration files will often be identified by vulnerability scanners or through scanning for open directories
WhatWeb - Tool with over 1,800 plugins designed to help identify website technologies.
Wappalyzer - Webiste and plugin for recognizing website technologies.

4. Scan for open directories

Scanning for open directories is often called forced browsing. This technique uses a wordlist to search for unlinked directory and file names on the target.

Tools that automate this process should be configured to look for filetypes based on what you know about the web server.

Microsoft IIS - .asp or .aspx (+ html)
Apache - .php (+ html)
Tomcat - .war (+ html)
other - .pdf, .doc, .xls, .xlsx, .ppt, .pptx

Directory busting methodology (order of precedence)

.php OR .asp, .aspx AND .html AND .txt
.doc, .docx, .xls, .pdf
.webconfig, .config, .json, .yml, .env
.bk, .bak, .swp
.zip, .log

The following tools (and others) all have similar forced browsing functionality.

Dirsearch

python3 dirsearch.py -u http://10.10.87.202 -e html,asp,aspx -x 401,402,403

-e: extensions to include
-x: status codes to exclude
-f: forces the addition of extensions on every wordlist entry
-w: wordlist

Dirb

dirb $ipaddress
-X filetype : searches for specific files

ffuf

ffuf -w wordlist.txt -u http://somesite.com/FUZZ
ffuf -w wordlist.txt -u http://somesite.com/FUZZ -e .aspx,.html,.php,.txt
ffuf -w wordlist.txt -u http://somesite.com -H "Host: FUZZ.somesite.com"

BurpSuite

On 'Target' tab, Right click target site --> Engagement tools --> Discover content

5. Finally, review and test interesting items

Test input fields for XSS and SQL injection
Test login forms for weak authentication, default/weak credentials, and SQL injection
Test URL parameters for local/remote file inclusion
Test URLs for directory traversal
Review identified components for known vulnerabilities

Testing SSL

Nmap scripting engine

nmap -p 443 --script=ssl-enum-ciphers www.somesite.org

SSLscan

sslscan IP_ADDRESS:<Port>

Qualys SSL labs

SSL Server Test (Powered by Qualys SSL Labs)www.ssllabs.com

Previous53 - DNS Next111 - NFS

Last updated 3 years ago

hashtagEnumeration process

hashtag1. Manual review

hashtag2. Scan for vulnerabilities

hashtag3. Identify underlying server technologies

hashtag4. Scan for open directories

hashtagDirectory busting methodology (order of precedence)

hashtagThe following tools (and others) all have similar forced browsing functionality.

hashtagDirsearch

hashtagDirb

hashtagffuf

hashtagBurpSuite

hashtag5. Finally, review and test interesting items

hashtagTesting SSL

hashtagNmap scripting engine

hashtagSSLscan

hashtagQualys SSL labs