80/443 - HTTP(s)

Web applications often contain vulnerabilities because their attack surface is large and depends on many technologies, third-party dependencies and configuration choices. Thorough enumeration is critical to understanding that attack surface before any testing begins.

Enumeration process

1. Manual review

  • Set up a proxy interceptor (BurpSuite or ZAP) to passively audit
  • Identify links, input fields, login pages, etc.
  • Note version or software information
  • Inspect the page source, look for version info, comments, etc.
  • Inspect URLs for file extensions (php, jsp, do, html, etc.)
  • Inspect URLs for possible bypass vulnerabilities
  • Check for and review sitemaps/robots.txt/security.txt
  • Check HTTP headers, observe how the web page and server exchange information
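The header check above is easiest to do consistently with a small script run over the responses captured in the proxy. The following is an added example, not part of the original notes: it parses a raw HTTP response (the sample below is constructed, not captured from any real host) and flags the things a reviewer looks for in this step: version disclosure in Server / X-Powered-By, missing browser-hardening headers, and session cookies without HttpOnly/Secure. The header list and finding text are this example's own choices.

```python
import re

# Constructed sample response for demonstration only (not from a real host)
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
    "Server: Apache/2.4.29 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.2.24\r\n"
    "Set-Cookie: PHPSESSID=abc123; path=/\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html>...</html>"
)

# Headers whose absence weakens the browser-side defences (example's own list)
SECURITY_HEADERS = {
    "strict-transport-security": "no HSTS; downgrade/stripping exposure on 443",
    "content-security-policy": "no CSP; XSS blast radius unconstrained",
    "x-content-type-options": "no nosniff; MIME sniffing possible",
    "x-frame-options": "no framing control; clickjacking possible",
}

# Headers that commonly leak software names and versions
DISCLOSURE_HEADERS = ("server", "x-powered-by", "x-aspnet-version")

VERSION_RE = re.compile(r"\d+\.\d+")


def parse_response(raw: str):
    """Split a raw HTTP response into (status line, [(name, value)], body).
    Header names are lower-cased so lookups are case-insensitive."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = lines[0]
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers, body


def audit_headers(headers):
    """Return a list of human-readable findings for one response's headers."""
    findings = []
    present = {}
    for name, value in headers:
        present.setdefault(name, []).append(value)

    # 1. Version / technology disclosure
    for name in DISCLOSURE_HEADERS:
        for value in present.get(name, []):
            if VERSION_RE.search(value):
                findings.append(f"{name} discloses version: {value}")
            elif name != "server":
                findings.append(f"{name} discloses technology: {value}")

    # 2. Missing hardening headers
    for name, why in SECURITY_HEADERS.items():
        if name not in present:
            findings.append(f"missing {name}: {why}")

    # 3. Cookie attributes (one Set-Cookie header per cookie)
    for cookie in present.get("set-cookie", []):
        cookie_name = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().lower() for a in cookie.split(";")[1:]}
        if "httponly" not in attrs:
            findings.append(f"cookie {cookie_name} lacks HttpOnly")
        if "secure" not in attrs:
            findings.append(f"cookie {cookie_name} lacks Secure")
    return findings


if __name__ == "__main__":
    _, hdrs, _ = parse_response(SAMPLE_RESPONSE)
    for finding in audit_headers(hdrs):
        print(finding)
```

Run it against each distinct response captured during the manual review (login page, error page, static asset); error pages in particular often carry a different and more talkative Server header than the front page.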

2. Scan for vulnerabilities

  • Utilize scanning tools to crawl web pages and audit for vulnerabilities
  • Manually review scan results
nikto -h 10.11.1.5
BurpSuite Pro active/live scan
ZAP active scan
Nessus web application scan

3. Identify underlying server technologies

  • Web applications often utilize a number of underlying components that are typically outdated (examples: jQuery, Bootstrap, Telerik, etc.)
  • Use Nmap to identify technologies operating on ports other than 80/443
  • Attempt to identify:
    • Programming languages and frameworks
    • Web server software
    • Database software
    • Server operating system
  • Default pages and configuration files will often be identified by vulnerability scanners or through scanning for open directories
  • WhatWeb - Tool with over 1,800 plugins designed to help identify website technologies.
  • Wappalyzer - Website and browser plugin for recognizing website technologies.

4. Scan for open directories

Scanning for open directories is often called forced browsing. This technique uses a wordlist to search for unlinked directory and file names on the target.
Tools that automate this process should be configured to look for filetypes based on what you know about the web server.
Microsoft IIS - .asp or .aspx (+ html)
Apache - .php (+ html)
Tomcat - .war (+ html)
other - .pdf, .doc, .xls, .xlsx, .ppt, .pptx

Directory busting methodology (order of precedence)

.php (Apache) OR .asp, .aspx (IIS), AND .html AND .txt
.doc, .docx, .xls, .pdf
.webconfig, .config, .json, .yml, .env
.bk, .bak, .swp
.zip, .log

The following tools (and others) all have similar forced browsing functionality.

Dirsearch

python3 dirsearch.py -u http://10.10.87.202 -e html -x 401,402,403
-e: extensions to include
-x: status codes to exclude
-f: forces the addition of extensions on every wordlist entry
-w: wordlist to use

Dirb

dirb $ipaddress
-X extension : appends the given extension(s) to every wordlist entry, to search for specific file types

ffuf

ffuf -w wordlist.txt -u http://somesite.com/FUZZ
ffuf -w wordlist.txt -u http://somesite.com/FUZZ -e .aspx,.html,.php,.txt
ffuf -w wordlist.txt -u http://somesite.com -H "Host: FUZZ.somesite.com"

BurpSuite

On 'Target' tab, Right click target site --> Engagement tools --> Discover content
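From the other side of the wire, forced browsing leaves a very recognisable trace: one client producing a burst of 404s against unlinked paths. The following is an added example, not part of the original notes or of any of the tools above. It parses Apache combined-format access log lines (the sample lines are constructed) and flags any source IP that produces at least `threshold` 404 responses inside a sliding `window_seconds` window; the threshold and window values are this example's own choices and should be tuned to the site's normal 404 rate.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" log format: ip ident user [ts] "method path proto" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log: one client probing for unlinked files, one normal visitor
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /admin HTTP/1.1" 404 279 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /backup.zip HTTP/1.1" 404 279 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET /.env HTTP/1.1" 404 279 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET /config.bak HTTP/1.1" 404 279 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:39 +0000] "GET /web.config HTTP/1.1" 404 279 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:39 +0000] "GET /app.log HTTP/1.1" 404 279 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Oct/2023:13:55:40 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Oct/2023:13:55:41 +0000] "GET /favicon.ico HTTP/1.1" 404 279 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Oct/2023:13:56:02 +0000] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts,
            "path": m.group("path"), "status": int(m.group("status"))}


def detect_forced_browsing(log_text, threshold=5, window_seconds=10):
    """Return {ip: peak number of 404s seen inside any window} for IPs that
    reach `threshold` 404s within `window_seconds`."""
    misses = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["status"] == 404:
            misses[rec["ip"]].append(rec["ts"])

    window = timedelta(seconds=window_seconds)
    flagged = {}
    for ip, stamps in misses.items():
        stamps.sort()
        peak, start = 0, 0
        # Classic two-pointer sliding window over sorted timestamps
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    for ip, count in detect_forced_browsing(SAMPLE_LOG).items():
        print(f"{ip}: {count} x 404 within 10s window")
```

A single stray 404 (the favicon request from the second client) never trips the rule; the burst from the first client does. In production this same logic runs on a log shipper or SIEM rather than a script, but the signal is identical.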

5. Finally, review and test interesting items

  • Test input fields for XSS and SQL injection
  • Test login forms for weak authentication, default/weak credentials, and SQL injection
  • Test URL parameters for local/remote file inclusion
  • Test URLs for directory traversal
  • Review identified components for known vulnerabilities

Testing SSL

Nmap scripting engine

nmap -p 443 --script=ssl-enum-ciphers www.somesite.org

SSLscan

sslscan IP_ADDRESS:<Port>

Qualys SSL labs
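All three tools above end up producing the same raw material: a list of protocol versions and cipher suites the server accepts. The following is an added example, not part of the original notes or of any of those tools, showing how to turn such a list (the sample entries are constructed in the OpenSSL naming style that sslscan and ssl-enum-ciphers report) into a verdict per suite: weak protocol, weak primitive, or lack of forward secrecy. The token list and labels are this example's own choices.

```python
# Protocol versions that should not be offered at all (example's own policy)
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}

# Cipher-name tokens indicating a broken or obsolete primitive
WEAK_TOKENS = {"NULL", "EXPORT", "EXP", "RC4", "DES", "MD5", "ADH", "AECDH", "ANON"}

# Key exchanges that provide forward secrecy in TLS 1.2 and earlier
PFS_TOKENS = {"ECDHE", "DHE", "EDH"}


def classify(protocol: str, cipher: str) -> str:
    """Return 'weak', 'no-pfs' or 'ok' for one (protocol, suite) pair."""
    if protocol in WEAK_PROTOCOLS:
        return "weak"
    tokens = set(cipher.replace("_", "-").upper().split("-"))
    if tokens & WEAK_TOKENS:
        return "weak"
    # TLS 1.3 suites are ephemeral-DH by construction; older versions need (EC)DHE
    if protocol != "TLSv1.3" and not (tokens & PFS_TOKENS):
        return "no-pfs"
    return "ok"


def audit_ciphers(entries):
    """Group a list of (protocol, cipher) pairs by verdict."""
    report = {"weak": [], "no-pfs": [], "ok": []}
    for protocol, cipher in entries:
        report[classify(protocol, cipher)].append(f"{protocol} {cipher}")
    return report


# Constructed sample in the style of an sslscan / ssl-enum-ciphers listing
SAMPLE_CIPHERS = [
    ("TLSv1.3", "TLS_AES_256_GCM_SHA384"),
    ("TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256"),
    ("TLSv1.2", "AES256-SHA"),            # RSA key exchange, no forward secrecy
    ("TLSv1.2", "ECDHE-RSA-RC4-SHA"),     # RC4 is broken regardless of key exchange
    ("TLSv1.0", "ECDHE-RSA-AES256-SHA"),  # fine suite, obsolete protocol
    ("SSLv3", "DES-CBC3-SHA"),
]

if __name__ == "__main__":
    for verdict, suites in audit_ciphers(SAMPLE_CIPHERS).items():
        for suite in suites:
            print(f"{verdict:7} {suite}")
```

The "no-pfs" bucket is the one most often overlooked in a report: the suites are not broken, but a future private-key compromise would retroactively expose every recorded session that used them.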