# Web application penetration testing ## Reconocimiento y recolección de información

```sh wafw00f nuclei -u -t dns/dns-waf-detect.yaml,http/technologies/secui-waf-detect.yaml,http/technologies/waf-detect.yaml -ts -silent ```

```sh dig any @ dnsrecon -d nuclei -u -t dns -ts -silent ```

Subdominios y Virtual Host (VHost)

```sh # Subdominios subfinder -d -recursive -all -silent | alterx -en -silent | dnsx -silent -o subdomains.txt dnsx -d -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -silent -o dnsx-subdomains.txt ffuf -u http://FUZZ./ -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt:FUZZ -c -o ffuf-subdomains.html -of html # Virtual Host (VHost) ffuf -u http:/// -w :FUZZ -H 'Host: FUZZ.' -fs -c -o ffuf-vhost.html -of html ```

SSL/TLS y algoritmos de cifrados

```bash sslscan nuclei -u -t ssl -ts -silent ```

Tecnologías web

```sh whatweb -v -a 1 nuclei -u -t http/technologies -ts --silent ```

Otros

* Revisión de archivo `robots.txt`. ```sh curl /robots.txt ``` * Revisión de código fuente. * Meta tags de HTML. * Titulo y pie de página (footer). * Comentarios. * Funciones y endpoints/APIs en archivos JavaScript. * [Google hacking / dorks](https://app.gitbook.com/s/-M885ZMMY91-3v53_ySd/reconocimiento-y-recoleccion-de-informacion/google-hacking-dorks).

## Escaneo y enumeración

HTTP security headers

```sh shcheck.py -i -k nuclei -u -t http/misconfiguration/http-missing-security-headers.yaml -ts -silent ```

Redireccionamiento estricto de HTTP a HTTPS

```sh nmap -sV -p 80,443 -n -Pn curl -I -l http:// curl https:// ```

Crawling y spidering

```sh echo 'http://' | hakrawler | sort -u cewl http:// -d 2 -m 5 -w wordlist-crawling-01.txt cewl http:// -d 3 -m 3 -w wordlist-crawling-02.txt ```

Fuzzing

[Fuzzing general](https://web.mrw0l05zyn.cl/escaneo-y-enumeracion/fuzzing). ```sh # General dirsearch -u http:/// -o $(pwd)/dirsearch-fuzzing.txt # Búsqueda recursiva dirsearch -u http:/// -o $(pwd)/dirsearch-fuzzing-recursive.txt -r ``` [Fuzzing de directorios](https://web.mrw0l05zyn.cl/escaneo-y-enumeracion/fuzzing/directorios). ```sh # Wordlist ffuf -u http:///FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt:FUZZ -c -mc all -fc 404 -o ffuf-fuzzing-directories.html -of html # Wordlist crawling ffuf -u http:///FUZZ -w :FUZZ -c -mc all -fc 404 -o ffuf-fuzzing-directories-crawling.html -of html ``` [Fuzzing de archivos](https://web.mrw0l05zyn.cl/escaneo-y-enumeracion/fuzzing/archivos). ```sh # Wordlist ffuf -u http:///FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-large-files.txt:FUZZ -c -mc all -fc 404 -o ffuf-fuzzing-files.html -of html ``` [Fuzzing por extensiones](https://web.mrw0l05zyn.cl/escaneo-y-enumeracion/fuzzing/extensiones). ```sh # Identificación de extensiones ffuf -u http:///indexFUZZ -w /usr/share/seclists/Discovery/Web-Content/web-extensions.txt:FUZZ -c -mc all -fc 404 # Wordlist + extensiones (.html, .js, .php, .jsp, .aspx) ffuf -u http:///FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-large-words.txt:FUZZ -e .html,.js,.php,.jsp,.aspx -c -mc all -fc 404 -o ffuf-fuzzing-extensions.html -of html # Wordlist + extensiones (ocultos / .txt, .config, .old, .bak, .inc) ffuf -u http:///FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-large-words.txt:FUZZ -e .txt,.config,.old,.bak,.inc -c -mc all -fc 404 -o ffuf-fuzzing-extensions-hidden.html -of html # Wordlist crawling + extensiones ffuf -u http:///FUZZ -w :FUZZ -e .html,.js,.php,.jsp,.aspx,.txt,.config,.old,.bak,.inc -c -mc all -fc 404 -o ffuf-fuzzing-crawling-extensions.html -of html ```

Escaneo automatizado

* Burp Suite Professional. * Nuclei. ```sh nuclei -u -ts -silent ``` * OWASP Zed Attack Proxy (ZAP). * Nessus.

## **Explotación** * [API keys](https://web.mrw0l05zyn.cl/explotacion/api-keys) * [Clickjacking](https://web.mrw0l05zyn.cl/explotacion/clickjacking) * [HTTP methods (verbs)](https://web.mrw0l05zyn.cl/explotacion/http-methods-verbs) * [Input data validation](https://web.mrw0l05zyn.cl/explotacion/input-data-validation) * [HTTP Host header](https://web.mrw0l05zyn.cl/explotacion/http-host-header) * [Autenticación y autorización](https://web.mrw0l05zyn.cl/explotacion/autenticacion-y-autorizacion) * [Same-origin policy (SOP)](https://web.mrw0l05zyn.cl/explotacion/same-origin-policy-sop) * [Cross-site scripting (XSS)](https://web.mrw0l05zyn.cl/explotacion/cross-site-scripting-xss) * [Cross-site request forgery (CSRF)](https://web.mrw0l05zyn.cl/explotacion/cross-site-request-forgery-csrf) * [File upload](https://web.mrw0l05zyn.cl/explotacion/file-upload) * [Path traversal & file inclusion](https://web.mrw0l05zyn.cl/explotacion/path-traversal-and-file-inclusion) * [Command injection](https://web.mrw0l05zyn.cl/explotacion/command-injection) * [SQL injection (SQLi)](https://web.mrw0l05zyn.cl/explotacion/sql-injection-sqli) * [NoSQL injection (NoSQLi)](https://web.mrw0l05zyn.cl/explotacion/nosql-injection-nosqli) * [XML external entity (XXE) injection](https://web.mrw0l05zyn.cl/explotacion/xml-external-entity-xxe-injection) * [CRLF injection](https://web.mrw0l05zyn.cl/explotacion/crlf-injection) * [XPath injection](https://web.mrw0l05zyn.cl/explotacion/xpath-injection) * [LDAP injection](https://web.mrw0l05zyn.cl/explotacion/ldap-injection) * [PDF injection](https://web.mrw0l05zyn.cl/explotacion/pdf-injection) * [Server-side template injection (SSTI)](https://web.mrw0l05zyn.cl/explotacion/server-side-template-injection-ssti) * [Server-side include (SSI) injection](https://web.mrw0l05zyn.cl/explotacion/server-side-include-ssi-injection) * [Server-side request forgery (SSRF)](https://web.mrw0l05zyn.cl/explotacion/server-side-request-forgery-ssrf) * [Web cache poisoning](https://web.mrw0l05zyn.cl/explotacion/web-cache-poisoning) * [HTTP request smuggling](https://web.mrw0l05zyn.cl/explotacion/http-request-smuggling) * [Prototype pollution](https://web.mrw0l05zyn.cl/explotacion/prototype-pollution) * [Web API](https://web.mrw0l05zyn.cl/checklist/web-api-penetration-testing) * [GraphQL](https://web.mrw0l05zyn.cl/explotacion/graphql) * Webservices * Obtención de archivo WSDL * Análisis de archivo WSDL para obtener información general sobre la estructura de cada operación y la existencia de métodos ocultos * SOAPAction spoofing * [Open redirect](https://web.mrw0l05zyn.cl/explotacion/open-redirect) * [Content Management System (CMS)](https://web.mrw0l05zyn.cl/explotacion/content-management-system-cms) * [WordPress](https://web.mrw0l05zyn.cl/explotacion/content-management-system-cms/wordpress) * [Websocket](https://web.mrw0l05zyn.cl/explotacion/websocket) * [Deserialization](https://web.mrw0l05zyn.cl/explotacion/deserialization) * [Flash](https://web.mrw0l05zyn.cl/explotacion/flash)