## Web Application Enumeration

Interested in:

1. Programming language and framework
2. Web server software
3. Database software
4. Server OS

### Inspecting URLs

Some programming languages can be identified from URLs/extensions, like `.php`.

### Inspecting Page Content

From Developer Tools -> Debugger, we may find the JS libraries used.

### Viewing Response Headers

Developer Tools => Network. The `Server` header can reveal the software running on the server.

### Inspecting Sitemaps

```bash
curl https://www.google.com/robots.txt
```

### Locating Admin Consoles

## Web Application Assessment Tools

### DIRB

Web content scanner.

```bash
dirb <URL> -r -z 10   # -z 10: 10 ms delay between requests; -r: non-recursive
```

### Burp Suite

`burpsuite` command. Can be used as a proxy to capture requests sent to a web server and resend them with modified settings. For example, if an input doesn't allow more than 20 characters, the captured request can be edited to bypass that check.

### Nikto

Web server scanner. Tests for dangerous/vulnerable files and programs, server version and configuration. Could take very long. Solutions:

1. Set `-maxtime`
2. `-T` (`-Tuning`): set the type of tests to run

```bash
nikto -host=http://www.megacorpone.com -maxtime=30s
```

## Exploiting Web-based Vulnerabilities

### Exploiting Admin Consoles

Use Nikto to find exposed consoles, such as phpMyAdmin, and guess their password.

## Cross-Site Scripting (XSS)

### Identifying XSS Vulnerabilities

Search for input fields. Code injected into the website through an input may be executed as a real script if it is not encoded/sanitized properly.

## Directory Traversal Vulnerabilities

Gain access to files of a web app.

### Identifying and Exploiting Directory Traversals

Examine URL query strings and forms.

## File Inclusion Vulnerabilities

Include a file into the application.

## SQL Injection

`sqlmap` for automating SQL injection.
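The scanners covered above (DIRB, Nikto) and directory-traversal probes all leave a recognisable trace in the target's web-server access log. The following Python script is an added example, not part of the original notes: it parses Apache/nginx combined-format log lines and flags clients by scanner user-agent, by a burst of 404 responses (the signature of a wordlist scan), and by `../` sequences in the request path. The log lines it runs on are constructed samples; the 404 threshold and the user-agent list are assumptions to tune per site.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" access-log format.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')
# Scanners that identify themselves in the User-Agent (Nikto and sqlmap do by default);
# any tool can change it, so the 404 count below is the more robust signal.
SCANNER_UA = re.compile(r'nikto|dirb|sqlmap', re.IGNORECASE)
# Plain and URL-encoded "../" anywhere in the request path or query string.
TRAVERSAL = re.compile(r'\.\.(/|%2f)|%2e%2e(/|%2f)', re.IGNORECASE)

# Constructed sample lines (not real traffic): a Nikto-style flood of 404s,
# one ordinary visitor, and one traversal attempt sent with a browser user-agent.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:%02d +0000] "GET /%s HTTP/1.1" 404 209 "-" '
    '"Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:00000%d)"' % (i, p, i)
    for i, p in enumerate(["admin/", "phpmyadmin/", "cgi-bin/", "backup.zip", "test.php", "old/"])
] + [
    '198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [10/Oct/2023:13:56:02 +0000] "GET /download?file=../../etc/passwd HTTP/1.1" 200 1432 "-" "Mozilla/5.0"',
]

def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def reasons(s, max_404):
    """Turn one client's counters into human-readable findings (empty list = clean)."""
    out = []
    if s["ua"]:
        out.append("scanner user-agent")
    if s["404"] >= max_404:
        out.append("%d requests returned 404" % s["404"])
    if s["traversal"]:
        out.append("%d path-traversal attempts" % s["traversal"])
    return out

def analyze(lines, max_404=5):
    """Group requests by client IP and return {ip: [findings]} for suspicious clients only."""
    stats = defaultdict(lambda: {"404": 0, "ua": False, "traversal": 0})
    for rec in filter(None, map(parse_line, lines)):   # unparseable lines are skipped
        s = stats[rec["ip"]]
        s["404"] += rec["status"] == "404"
        s["ua"] |= bool(SCANNER_UA.search(rec["ua"]))
        s["traversal"] += bool(TRAVERSAL.search(rec["path"]))
    return {ip: r for ip, s in stats.items() if (r := reasons(s, max_404))}
```

Run `analyze(SAMPLE_LOG)` to see the two suspicious clients; feed it `open("access.log")` for a real log, keeping in mind that a DIRB run with a custom user-agent shows up only through the 404 count.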