Web Technologies
Auth0
Adobe AEM
Adobe Coldfusion
API
- API-Security-Checklist
- api-testing-checklist
- API Security
- 31-days-of-API-Security-Tips
- awesome-api-security
- web-api-pentesting
- OpenAPI Scanner
- General tips
- Mindmap
Apache
Apache Struts2
- Endpoints with .action, .do, .go are all using struts2
Content-Type: %{#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse'].addHeader('Added Header',4*4)}.multipart/form-data
Artifactory Hacking
ASP.NET/IIS
- ASPX and ASP.net have viewstate in cookie values, default ASP has not
- exploiting-viewstate
- viewgen
- shortname scanner
- XSS
- https://code-white.com/blog/leaking-objrefs-to-exploit-http-dotnet-remoting/
trace.axd
any.aspx/trace.axd
WEB-INF/web.xml
con/
aux/
con.aspx
aux.aspx
Axis2
Cloudflare
Techniques to try to uncover web servers behind cloudflare:
- Search domain in https://leaked.site/index.php?resolver%2Fcloudflare.0%2F=
- CloudFlair
- Historical DNS records, IP records, see WAF Bypass
Cloudflare R2 Buckets
check company r2.dev company.r2.dev
Cockpit CMS
Django
- Try to
POST
in/admin
, data will maybe leak - (SQLi in ?date)[https://github.com/vulhub/vulhub/tree/master/django/CVE-2022-34265]
- Shodan dork to find DEBUG instances
http.title:"DisallowedHost at /"
Flask
GraphQL
- GraphQL introspection
- Voyager
- clairvoyance - bruteforce introspection
- HackTricks - GraphQL
- Fingerprint
- Explore Introspection
- Awesome Security
Google Forms
When misconfigured, it is possible to see analytics
https://docs.google.com/forms/d/e/
Intercom
Interact with an email, log off, then run the command below with the same email. You will be able to see “Conversation history” if “Enforce Identity Validation” is not properly setup.
Intercom('boot', {
email: '<MY_EMAIL_ADDRESS>'
});
Java RMI
Jetty
RCE by hotdeploy is enabled by default
- https://pbs.twimg.com/media/FZUf9KOXwAALOsw?format=jpg&name=large
- https://swarm.ptsecurity.com/jetty-features-for-hacking-web-apps/
JBoss
Jenkins
JENKINSIP/PROJECT//securityRealm/user/admin
JENKINSIP/jenkins/script
Jira
Check, unauth users should not have privileges
/rest/api/2/mypermissions
/rest/api/3/mypermissions
JSON Web Tokens
Meteor
Mongo
(Mongo IDs can lead to IDOR)[https://www.mickaelwalter.fr/idor-with-mongodb-understanding-objectid/]
username[$ne]=toto&password[$ne]=toto
{"username": {"$ne": null}, "password": {"$ne": null}}
{"username": {"$gt":""}, "password": {"$gt":""}
Next.JS
Look for _buildManifest.js in source coode, it exposes routes inside sortedPages.
console.log(__BUILD_MANIFEST.sortedPages)
Node/Express
- If the target is responding with X-Powered-By: Express and there is HTML in responses, it’s highly likely that NodeJs with server-side templating is being used
- Add layout in your wordlist of parameter discovery/fuzzing for GET query or POST body.
- If the arbitrary value of layout parameter added is resulting in 500 Internal Server Error with ENOENT: no such file or directory in body, You have hit the LFR.
https://blog.shoebpatel.com/2021/01/23/The-Secret-Parameter-LFR-and-Potential-RCE-in-NodeJS-Apps/
Pentaho
Ruby
- Add .json to the end of endpoints
- Ruby uses server side javascript rendering which returns application/javascript in the response, this request can be embeded to a site to leak information
- Add c=HTTPVERB in body to override requisitions
- Force string interpolation https://buer.haus/2017/03/13 airbnb-ruby-on-rails-string-interpolation-led-to-remote-code-execution/
Salesforce
SAP
ServiceNow
- kb_view_customer.do?sysparm_article=KB00XXXXX, unauth endpoint sometimes return data
Sharepoint
Spring
- https://tutorialboy24.blogspot.com/2022/02/introduction-to-spring-boot-related.html
- Actuators
- Spring RCE
- APL
Symphony
Swagger
- https://www.vidocsecurity.com/blog/hacking-swagger-ui-from-xss-to-account-takeovers/#newsletter
- https://github.com/seanmarpo/springfox-swagger-xss
- https://github.com/amalmurali47/swagroutes
- https://github.com/BishopFox/sj
Telerik Web UI
Tomcat
- Check for
WEB-INF/web.xml
Traccar 5
- https://www.horizon3.ai/attack-research/disclosures/traccar-5-remote-code-execution-vulnerabilities/
WebDAV
- Methods PROPPATCH, PROPFIND and LOCK accept XML input
- https://dhiyaneshgeek.github.io/web/security/2021/02/19/exploiting-out-of-band-xxe/