Page 52 - Hands-On Bug Hunting for Penetration Testers

Preparing for an Engagement (Chapter 3)

Here, too, there are candidates for immediate follow-up and dismissal. Purely
informational pages such as privacy policy, method rule two, and pricing
guarantee, are simple markup, with no opportunity to interact with the server or an
external service. Pages such as contact us, book preorder entry form (the form's
in the title!), and referral (which might have a form for submitting them) are all worth a
follow-up. jobs, which could have a resume-submission field or could be just job listings,
is a gray area. Some pages will simply need to be perused.

Sitemaps aren't always available, and they're always limited to what the site wants to
show you, but they can be useful starting points for further investigation.



Scanning and Target Reconnaissance

Automated information-gathering is a great way to get consistent, easy-to-understand
information about site layout, attack surface, and security posture.


Brute-forcing Web Content

Fuzzing tools such as wfuzz can be used to discover web content by trying different paths,
with URIs taken from giant wordlists, then analyzing the HTTP status codes of the
responses to discover hidden directories and files. wfuzz is versatile and can do both
content discovery and form manipulation. It's easy to get started with, and because wfuzz
supports plugins, recipes, and other advanced features, it can be extended and customized
into other workflows.

The quality of the wordlists you're using to brute-force-discover hidden content is
important. After installing wfuzz, clone the SecLists GitHub repository (a curated collection
of fuzz lists, SQL injection scripts, XSS snippets, and other generally malicious input) at
https://github.com/danielmiessler/SecLists. We can start a scan of the target site
simply by replacing the part of the URL that the wordlist entries should fill in with
the FUZZ string:

    wfuzz -w ~/Code/SecLists/Discovery/Web-Content/SVNDigger/all.txt --hc 404 http://webscantest.com/FUZZ
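To make the mechanics of that command concrete, here is an added example (not code from the book or from wfuzz) that does the same two things in plain Python: substitute each wordlist entry for FUZZ, then drop responses whose status code is on the hide list, as --hc 404 does. It also adds one check the page does not cover, which is a caveat that bites in practice: some sites answer 200 for every unknown path ("soft 404s"), so hiding 404 alone leaves every wordlist entry looking like a hit. The example first requests a random path that cannot exist, records the status and body length the site returns for nothing, and filters on that pair as well. The target site, its responses, the seven-word wordlist and the probe functions are all constructed in memory so the script runs offline; probe_sample_site() is where a real HTTP client would go.

```python
"""Wordlist-driven content discovery in the style of
`wfuzz -w list --hc 404 http://host/FUZZ`.

Added example, not code from the book or from wfuzz. The target is a
constructed in-memory site (path -> (status, body)) so it runs offline;
probe_sample_site() is the stand-in for a real HTTP client.
"""
import random
import string
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urlparse

Response = Tuple[int, str]            # (HTTP status, body)
Probe = Callable[[str], Response]     # url -> response

# Constructed sample site: the few paths our toy wordlist can hit.
SAMPLE_SITE: Dict[str, Response] = {
    "/": (200, "<html>home</html>"),
    "/admin": (301, ""),
    "/backup": (200, "<html>index of /backup</html>"),
    "/jobs": (200, "<html>job listings</html>"),
    "/login": (403, "forbidden"),
}
HARD_404: Response = (404, "<html>not found</html>")
# A "soft 404": the same site misconfigured to answer 200 for unknown paths.
SOFT_404: Response = (200, "<html>oops, nothing here</html>")

# Constructed mini wordlist standing in for SecLists' SVNDigger/all.txt.
SAMPLE_WORDLIST = ["admin", "backup", "images", "jobs", "login", "old", "test"]

TEMPLATE = "http://webscantest.com/FUZZ"   # host taken from the book's command


def probe_sample_site(url: str) -> Response:
    """Stand-in for an HTTP GET against a site that returns real 404s."""
    return SAMPLE_SITE.get(urlparse(url).path, HARD_404)


def probe_soft_404_site(url: str) -> Response:
    """Same pages, but every unknown path comes back as 200."""
    return SAMPLE_SITE.get(urlparse(url).path, SOFT_404)


def baseline_for_missing(template: str, probe: Probe) -> Tuple[int, int]:
    """Request a random path that cannot exist and record (status, body length).

    That pair is how the site answers for nothing; anything matching it during
    the scan is noise, whatever its status code says."""
    canary = "".join(random.choices(string.ascii_lowercase, k=24))
    status, body = probe(template.replace("FUZZ", canary))
    return status, len(body)


def fuzz_paths(template: str, wordlist: List[str], probe: Probe,
               hide_codes: Tuple[int, ...] = (404,),
               baseline: Optional[Tuple[int, int]] = None) -> List[Tuple[str, int]]:
    """Substitute each word for FUZZ, probe it, and keep the interesting hits.

    hide_codes mirrors wfuzz's --hc; baseline (from baseline_for_missing) is
    the extra filter that catches soft 404s, which --hc 404 alone cannot."""
    hits: List[Tuple[str, int]] = []
    for word in wordlist:
        url = template.replace("FUZZ", word)
        status, body = probe(url)
        if status in hide_codes:
            continue
        if baseline is not None and (status, len(body)) == baseline:
            continue
        hits.append((url, status))
    return hits


if __name__ == "__main__":
    print("hard 404 site:", fuzz_paths(TEMPLATE, SAMPLE_WORDLIST, probe_sample_site))
    print("soft 404 site, --hc 404 only:",
          fuzz_paths(TEMPLATE, SAMPLE_WORDLIST, probe_soft_404_site))
    base = baseline_for_missing(TEMPLATE, probe_soft_404_site)
    print("soft 404 site, with baseline", base, ":",
          fuzz_paths(TEMPLATE, SAMPLE_WORDLIST, probe_soft_404_site, baseline=base))
```

Against the hard-404 site the hide list alone yields the four real pages (admin, backup, jobs, login). Against the soft-404 site the same filter reports all seven words as hits; only the baseline comparison brings the result back to the four real pages. This is the same idea behind wfuzz's length and word-count hide options, and it is worth running the canary request before trusting any content-discovery output.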
