Web application penetration testing

Reconocimiento y recolección de información

wafw00f <target>
nuclei -u <target> -t dns/dns-waf-detect.yaml,http/technologies/secui-waf-detect.yaml,http/technologies/waf-detect.yaml -ts -silent

dig any <target> @<dns-server>
dnsrecon -d <target>
gobuster dns -d <target> -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -i -o gobuster-dns-subdomains.txt
nuclei -u <target> -t dns -ts -silent

Subdominios y Virtual Host (VHost)

# Subdominios
ffuf -u http://FUZZ.<target>/ -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt:FUZZ -c -o ffuf-subdomains.html -of html
# Virtual Host (VHost)
ffuf -u http://<target>/ -w <path-wordlist>:FUZZ -H 'Host: FUZZ.<target>' -fs <size> -c -o ffuf-vhost.html -of html

SSL/TLS y algoritmos de cifrados

sslscan <target>
nuclei -u <target> -t ssl -ts -silent

Tecnologías web

whatweb -v -a 1 <target>
nuclei -u <target> -t http/technologies -ts --silent

Otros

Revisión de archivo robots.txt.

curl <target>/robots.txt

Revisión de código fuente.
- Meta tags de HTML.
- Titulo y pie de página (footer).
- Comentarios.
- Funciones y endpoints/APIs en archivos JavaScript.

Escaneo y enumeración

HTTP security headers

shcheck.py -i -k <target>
nuclei -u <target> -t http/misconfiguration/http-missing-security-headers.yaml -ts -silent

Redireccionamiento estricto de HTTP a HTTPS

nmap -sV -p 80,443 -n -Pn <host>
curl -I -l http://<target>
curl https://<target>

Crawling y spidering

echo 'http://<target>' | hakrawler | sort -u
cewl http://<target> -d 2 -m 5 -w wordlist-crawling-01.txt
cewl http://<target> -d 3 -m 3 -w wordlist-crawling-02.txt

Fuzzing

Fuzzing general.

# General
dirsearch -u http://<target>/ -o $(pwd)/dirsearch-fuzzing.txt
# Búsqueda recursiva
dirsearch -u http://<target>/ -o $(pwd)/dirsearch-fuzzing-recursive.txt -r

Fuzzing de directorios.

# Wordlist
ffuf -u http://<target>/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt:FUZZ -c -mc all -fc 404 -o ffuf-fuzzing-directories.html -of html
# Wordlist crawling
ffuf -u http://<target>/FUZZ -w <wordlist-crawling.txt>:FUZZ -c -mc all -fc 404 -o ffuf-fuzzing-directories-crawling.html -of html

Fuzzing de archivos.

# Wordlist
ffuf -u http://<target>/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-large-files.txt:FUZZ -c -mc all -fc 404 -o ffuf-fuzzing-files.html -of html

Fuzzing por extensiones.

# Identificación de extensiones
ffuf -u http://<target>/indexFUZZ -w /usr/share/seclists/Discovery/Web-Content/web-extensions.txt:FUZZ -c -mc all -fc 404
# Wordlist + extensiones (.html, .js, .php, .jsp, .aspx)
ffuf -u http://<target>/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-large-words.txt:FUZZ -e .html,.js,.php,.jsp,.aspx -c -mc all -fc 404 -o ffuf-fuzzing-extensions.html -of html
# Wordlist + extensiones (ocultos / .txt, .config, .old, .bak, .inc)
ffuf -u http://<target>/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-large-words.txt:FUZZ -e .txt,.config,.old,.bak,.inc -c -mc all -fc 404 -o ffuf-fuzzing-extensions-hidden.html -of html
# Wordlist crawling + extensiones
ffuf -u http://<target>/FUZZ -w <wordlist-crawling.txt>:FUZZ -e .html,.js,.php,.jsp,.aspx,.txt,.config,.old,.bak,.inc -c -mc all -fc 404 -o ffuf-fuzzing-crawling-extensions.html -of html

Escaneo automatizado

Burp Suite Professional.
Nuclei.

nuclei -u <target> -ts -silent

OWASP Zed Attack Proxy (ZAP).
Nessus.

Explotación

API keys.
Clickjacking.
HTTP methods (verbs).
Input data validation.
Autenticación y autorización.
- JSON Web Token (JWT).
Same-origin policy (SOP).
- Cross-origin resource sharing (CORS).
Cross-site scripting (XSS).
Cross-site request forgery (CSRF).
File upload.
Path traversal & file inclusion.
Command injection.
SQL injection (SQLi).
NoSQL injection (NoSQLi).
XML external entity (XXE) injection.
XPath injection.
LDAP injection.
PDF injection.
Server-side template injection (SSTI).
Server-side include (SSI) injection.
Server-side request forgery (SSRF).
Web API.
- GraphQL.
Webservices.
- Obtención de archivo WSDL.
- Análisis de archivo WSDL para obtener información general sobre la estructura de cada operación y la existencia de métodos ocultos.
- SOAPAction spoofing.
Content Management System (CMS).
- WordPress.
Flash.

AnteriorFlash SiguienteWeb API penetration testing

Última actualización hace 3 meses

Reconocimiento y recolección de información

Web Application Firewall (WAF)

wafw00f <target>
nuclei -u <target> -t dns/dns-waf-detect.yaml,http/technologies/secui-waf-detect.yaml,http/technologies/waf-detect.yaml -ts -silent

dig any <target> @<dns-server>
dnsrecon -d <target>
gobuster dns -d <target> -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -i -o gobuster-dns-subdomains.txt
nuclei -u <target> -t dns -ts -silent

Subdominios y Virtual Host (VHost)

# Subdominios
ffuf -u http://FUZZ.<target>/ -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt:FUZZ -c -o ffuf-subdomains.html -of html
# Virtual Host (VHost)
ffuf -u http://<target>/ -w <path-wordlist>:FUZZ -H 'Host: FUZZ.<target>' -fs <size> -c -o ffuf-vhost.html -of html

SSL/TLS y algoritmos de cifrados

sslscan <target>
nuclei -u <target> -t ssl -ts -silent

Tecnologías web

whatweb -v -a 1 <target>
nuclei -u <target> -t http/technologies -ts --silent

Otros

Revisión de archivo robots.txt.

curl <target>/robots.txt

Revisión de código fuente.
- Meta tags de HTML.
- Titulo y pie de página (footer).
- Comentarios.
- Funciones y endpoints/APIs en archivos JavaScript.
.

Escaneo y enumeración

HTTP security headers

shcheck.py -i -k <target>
nuclei -u <target> -t http/misconfiguration/http-missing-security-headers.yaml -ts -silent

Redireccionamiento estricto de HTTP a HTTPS

nmap -sV -p 80,443 -n -Pn <host>
curl -I -l http://<target>
curl https://<target>

Crawling y spidering

echo 'http://<target>' | hakrawler | sort -u
cewl http://<target> -d 2 -m 5 -w wordlist-crawling-01.txt
cewl http://<target> -d 3 -m 3 -w wordlist-crawling-02.txt

Fuzzing

Fuzzing general.

# General
dirsearch -u http://<target>/ -o $(pwd)/dirsearch-fuzzing.txt
# Búsqueda recursiva
dirsearch -u http://<target>/ -o $(pwd)/dirsearch-fuzzing-recursive.txt -r

Fuzzing de directorios.

# Wordlist
ffuf -u http://<target>/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt:FUZZ -c -mc all -fc 404 -o ffuf-fuzzing-directories.html -of html
# Wordlist crawling
ffuf -u http://<target>/FUZZ -w <wordlist-crawling.txt>:FUZZ -c -mc all -fc 404 -o ffuf-fuzzing-directories-crawling.html -of html

Fuzzing de archivos.

# Wordlist
ffuf -u http://<target>/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-large-files.txt:FUZZ -c -mc all -fc 404 -o ffuf-fuzzing-files.html -of html

Fuzzing por extensiones.

# Identificación de extensiones
ffuf -u http://<target>/indexFUZZ -w /usr/share/seclists/Discovery/Web-Content/web-extensions.txt:FUZZ -c -mc all -fc 404
# Wordlist + extensiones (.html, .js, .php, .jsp, .aspx)
ffuf -u http://<target>/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-large-words.txt:FUZZ -e .html,.js,.php,.jsp,.aspx -c -mc all -fc 404 -o ffuf-fuzzing-extensions.html -of html
# Wordlist + extensiones (ocultos / .txt, .config, .old, .bak, .inc)
ffuf -u http://<target>/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-large-words.txt:FUZZ -e .txt,.config,.old,.bak,.inc -c -mc all -fc 404 -o ffuf-fuzzing-extensions-hidden.html -of html
# Wordlist crawling + extensiones
ffuf -u http://<target>/FUZZ -w <wordlist-crawling.txt>:FUZZ -e .html,.js,.php,.jsp,.aspx,.txt,.config,.old,.bak,.inc -c -mc all -fc 404 -o ffuf-fuzzing-crawling-extensions.html -of html

Escaneo automatizado

Burp Suite Professional.
Nuclei.

nuclei -u <target> -ts -silent

OWASP Zed Attack Proxy (ZAP).
Nessus.