Web Technologies

Auth0

https://amjadali110.medium.com/how-i-exploited-an-auth0-misconfiguration-to-bypass-login-restrictions-c5d8c20d5505

Adobe AEM

Adobe Coldfusion

https://www.jomar.fr/posts/2021/basic_recon_to_rce/

API

Apache

Exploit default apache

Apache Struts2

Endpoints with .action, .do, .go are all using struts2

Content-Type: %{#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse'].addHeader('Added Header',4*4)}.multipart/form-data

Artifactory Hacking

Artifactory Hacking guide

ASP.NET/IIS

ASPX and ASP.net have viewstate in cookie values, default ASP has not
exploiting-viewstate
viewgen
shortname scanner
XSS
https://code-white.com/blog/leaking-objrefs-to-exploit-http-dotnet-remoting/

trace.axd
any.aspx/trace.axd
WEB-INF/web.xml
con/
aux/
con.aspx
aux.aspx

Cloudflare

Techniques to try to uncover web servers behind cloudflare:

Search domain in https://leaked.site/index.php?resolver%2Fcloudflare.0%2F=
CloudFlair
Historical DNS records, IP records, see WAF Bypass

Cockpit CMS

https://swarm.ptsecurity.com/rce-cockpit-cms/

Django

Try to POST in /admin, data will maybe leak
(SQLi in ?date)[https://github.com/vulhub/vulhub/tree/master/django/CVE-2022-34265]

Flask

Flask-Unsign

GraphQL

Intercom

Interact with an email, log off, then run the command below with the same email. You will be able to see “Conversation history” if “Enforce Identity Validation” is not properly setup.

Intercom('boot', {
  email: '<MY_EMAIL_ADDRESS>'
});

http://dday.us/2021/11/03/h1vendorATO.html

Java RMI

https://github.com/NickstaDB/BaRMIe

Jetty

RCE by hotdeploy is enabled by default

JBoss

jexboss

Jenkins

https://github.com/gquere/pwn_jenkins

JENKINSIP/PROJECT//securityRealm/user/admin
JENKINSIP/jenkins/script

Jira

Check, unauth users should not have privileges
/rest/api/2/mypermissions
/rest/api/3/mypermissions

JSON Web Tokens

jwt-pwn
jwt_tool
Hashcat to brute’em all! Mode 16500

Meteor

https://www.offsec.com/offsec/wekan-authentication-bypass/

Mongo

(Mongo IDs can lead to IDOR)[https://www.mickaelwalter.fr/idor-with-mongodb-understanding-objectid/]

username[$ne]=toto&password[$ne]=toto

{"username": {"$ne": null}, "password": {"$ne": null}}
{"username": {"$gt":""}, "password": {"$gt":""}

Next.JS

Look for _buildManifest.js in source coode, it exposes routes inside sortedPages.

console.log(__BUILD_MANIFEST.sortedPages)

Node/Express

If the target is responding with X-Powered-By: Express and there is HTML in responses, it’s highly likely that NodeJs with server-side templating is being used
Add layout in your wordlist of parameter discovery/fuzzing for GET query or POST body.
If the arbitrary value of layout parameter added is resulting in 500 Internal Server Error with ENOENT: no such file or directory in body, You have hit the LFR.

https://blog.shoebpatel.com/2021/01/23/The-Secret-Parameter-LFR-and-Potential-RCE-in-NodeJS-Apps/

Pentaho

https://research.aurainfosec.io/pentest/pentah0wnage/

Ruby

Add .json to the end of endpoints
Ruby uses server side javascript rendering which returns application/javascript in the response, this request can be embeded to a site to leak information
Add c=HTTPVERB in body to override requisitions
Force string interpolation https://buer.haus/2017/03/13 airbnb-ruby-on-rails-string-interpolation-led-to-remote-code-execution/

Salesforce

SAP

ServiceNow

kb_view_customer.do?sysparm_article=KB00XXXXX, unauth endpoint sometimes return data

Sharepoint

https://medium.com/@ujmalhotra95/tales-of-sharepoint-api-misconfigurations-11073ad384fd

Spring

Symphony

https://book.hacktricks.xyz/pentesting/pentesting-web/symphony

Swagger

Telerik Web UI

https://captmeelo.com/pentest/2018/08/03/pwning-with-telerik.html

Tomcat

Check for WEB-INF/web.xml

WebDAV

Methods PROPPATCH, PROPFIND and LOCK accept XML input
https://dhiyaneshgeek.github.io/web/security/2021/02/19/exploiting-out-of-band-xxe/

WebLogic

https://pyn3rd.github.io/2022/06/18/Weblogic-SSRF-Involving-Deserialized-JDBC-Connection/