Automation of the reconnaissance phase during Web Application Penetration Testing III

This article is a continuation of the previous one, available at this link, and is the final part of the reconnaissance automation trilogy. After enumerating subdomains, selecting one of them, and enumerating it further to find endpoints and query parameters, it is time to look for bugs.
In this part you will learn about the techniques and tools that help detect such misconfigurations in the application under test, how to use them, and how to automate the whole process.
The research described here is based on the OWASP methodology and on the methodology from the book “Hack Tricks” by Carlos Polop.
One thing to mention: I will not describe the vulnerabilities themselves in this article; the focus is on the automation process. If you are not familiar with the vulnerabilities listed below, follow the links to learn more about each of them and to practise finding and exploiting them.
- Cross-Site Request Forgery (CSRF)
- Cryptographic issues in TLS/SSL servers
- Cross-Site Scripting (XSS):
  a) Reflected XSS
  b) DOM XSS
  c) Blind XSS
- URL rewriting via request header:
  a) X-Rewrite-Url
  b) X-Original-Url
- Out-of-band interaction (OOB):
  a) Blind Remote Code Execution (RCE)
  b) Blind Cross-Site Scripting (XSS)
  c) Blind SQL injection (SQLi)
  d) Blind Server-Side Request Forgery (SSRF)
- Server-Side Template Injection (SSTI)
- Java insecure deserialization
- Carriage Return Line Feed Injection (CRLF)
- Reflected Open Redirect (OR)
- Bypassing 403/401 endpoints
- WordPress flaws:
  a) Broken Authentication
  b) Sensitive Data Exposure
  c) Enumeration of Components with Known Vulnerabilities
  d) Scanning Internal Network
  e) Server-Side Request Forgery (SSRF)
- HTTP request smuggling
- Hop-by-hop header deletion
- Broken links enumeration
- SQL injection (SQLi)
- JSON Web Token (JWT) flaws
- Directory Traversal / Path Traversal
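To make concrete what an automated check from the list above looks like in practice, here is an added example that is not part of the article and not one of the tools it goes on to describe. It probes the two URL-rewriting headers (X-Original-Url and X-Rewrite-Url), which is also the classic route for bypassing a 403/401 enforced by a front-end proxy: the proxy filters on the request line, the back end routes on the header. Because a live target cannot be assumed, the script starts a constructed, deliberately misconfigured local HTTP server (the `VulnerableHandler` class, an assumption standing in for a real proxy/back-end pair) and runs `probe_rewrite_headers()` against it; in an engagement you would point that function at the real base URL instead.

```python
"""Added example: automated check for X-Original-Url / X-Rewrite-Url routing.

The local server below is a constructed stand-in for a misconfigured
deployment, not real target behaviour: a front-end ACL denies /admin by
request-line path, while routing honours the rewrite headers.
"""
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

REWRITE_HEADERS = ("X-Original-Url", "X-Rewrite-Url")


class VulnerableHandler(BaseHTTPRequestHandler):
    """Constructed vulnerable target (assumption, not a real product)."""

    def do_GET(self):
        # "Proxy" ACL: deny /admin when it appears in the request line only.
        if self.path.startswith("/admin"):
            self._reply(403, b"forbidden by proxy")
            return
        # "Back end": route on the rewrite header if present, else on the path.
        path = self.path
        for name in REWRITE_HEADERS:
            if name in self.headers:  # header lookup is case-insensitive
                path = self.headers[name]
                break
        if path.startswith("/admin"):
            self._reply(200, b"admin panel")
        elif path == "/":
            self._reply(200, b"public index")
        else:
            self._reply(404, b"not found")

    def _reply(self, status, body):
        self.send_response(status)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the test server quiet
        pass


def fetch(url, headers=None):
    """GET url and return (status, body); 4xx/5xx are returned, not raised."""
    req = urllib.request.Request(url, headers=headers or {})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def probe_rewrite_headers(base_url, protected_path="/admin"):
    """Return {header: status} for every rewrite header the target honours.

    A header is reported when GET / carrying it yields a response that
    differs from the plain GET / baseline. Re-run the baseline twice on a
    real target first: if it is nondeterministic, this comparison is noise.
    """
    baseline = fetch(base_url + "/")
    honoured = {}
    for name in REWRITE_HEADERS:
        status, body = fetch(base_url + "/", {name: protected_path})
        if (status, body) != baseline:
            honoured[name] = status
    return honoured


def start_test_server():
    """Start the constructed vulnerable server on a free localhost port."""
    srv = HTTPServer(("127.0.0.1", 0), VulnerableHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"


if __name__ == "__main__":
    server, url = start_test_server()
    print("direct /admin ->", fetch(url + "/admin")[0])
    print("honoured rewrite headers:", probe_rewrite_headers(url))
    server.shutdown()
```

A hit from this probe is only a routing signal; confirm it by comparing the probed body with what the protected path returns when you can reach it legitimately, and bear in mind that frameworks that honour these headers often also accept lower-case or differently hyphenated variants, so extend `REWRITE_HEADERS` per target.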