# Web Basic Pentesting

Basic methodologies of web penetration tests. The default port for HTTP is 80; HTTPS uses port 443.

### Cheat Sheet <a href="#cheat-sheet" id="cheat-sheet"></a>

[Web Attack Cheat Sheet](https://github.com/riramar/Web-Attack-Cheat-Sheet)

### Enumeration <a href="#enumeration" id="enumeration"></a>

#### Nmap <a href="#nmap" id="nmap"></a>

```shellscript
nmap --script http-auth --script-args http-auth.path=/login -p 80,443 <target-ip>
nmap --script http-devframework -p 80,443 <target-ip>
nmap --script http-enum -p 80,443 <target-ip>
nmap --script http-headers -p 80,443 <target-ip>
nmap --script http-methods -p 80,443 <target-ip>
```

#### Whois <a href="#whois" id="whois"></a>

```
whois example.com
```

#### Nikto <a href="#nikto" id="nikto"></a>

```shellscript
nikto -h https://example.com

# -p: Specify ports
nikto -p 80,3000 -h https://example.com

# -T: Tuning
#  1: Interesting files
#  2: Misconfiguration
#  3: Information Disclosure
#  4: Injection (XSS/Script/HTML)
nikto -T 1 2 3 -h https://example.com

# -useragent: Custom user agent
nikto -useragent <user-agent> -h https://example.com

# -e: IDS evasion
#  1: Random URI encoding
#  7: Change the case of URL
nikto -e 1 7 -h <target-ip>
```

#### WhatWeb <a href="#whatweb" id="whatweb"></a>

```shellscript
whatweb <target-ip>

# Aggression level (1-4)
whatweb -a 3 <target-ip>

# List all plugins
whatweb -l

# Search plugins
whatweb -I apache
whatweb -I phpBB
whatweb -I phpmyadmin
whatweb -I windows

# Use plugin
whatweb -p phpBB <target-ip>
```

### SSL Certificate <a href="#ssl-certificate" id="ssl-certificate"></a>

It may contain sensitive information about the target company.\
We can view it by clicking the key (lock) icon in the URL bar of most web browsers.

```shellscript
# Check SSL/TLS connection and get the certificate
openssl s_client -connect example.com:443
sslscan example.com

# Detect TLS version (each command succeeds only if the server accepts that version)
openssl s_client -connect example.com:443 -tls1
openssl s_client -connect example.com:443 -tls1_1
openssl s_client -connect example.com:443 -tls1_2
openssl s_client -connect example.com:443 -tls1_3
```

#### Check Certificate Content <a href="#check-certificate-content" id="check-certificate-content"></a>

1. Open web browser.
2. Click on the lock icon at the left of URL bar.
3. Download the PEM (`.pem`) file of the certificate.
4. Get the content of the PEM file using `openssl`.

```
openssl x509 -text -noout -in example.pem
```

### Web Archive <a href="#web-archive" id="web-archive"></a>

Checking old content of the target website might be useful.

[Wayback Machine](https://web.archive.org/) is the best tool for the purpose.

### Google Dorks <a href="#google-dorks" id="google-dorks"></a>

We might find interesting information about the target site by Google dorking.

```
site:example.com
"example.com"
```

### Bypass HTTPS Forbidden (403) <a href="#bypass-https-forbidden-403" id="bypass-https-forbidden-403"></a>

If we cannot access the target website and get an error such as **`403 Forbidden`**, we need to check the certificate.\
For example, in **Firefox**, we can see the certificate by clicking on the **lock icon** at the left of the URL bar. Then check the **Common Name**, e.g. “example.abc”.

We might be able to access the host by that domain name after adding the domain to **`/etc/hosts`** on our local machine as below.

```
10.0.0.1 example.abc
```

Now access the website again using the domain name. We might be able to see the contents of the website.
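The steps above (download the certificate, read its Common Name, map the name to the IP in `/etc/hosts`) can be done from the command line. The script below is an added example, not part of the original page: `fetch_cert` pulls the certificate with `openssl s_client`, `cert_names` lists the subject CN and every DNS Subject Alternative Name (SANs often hold more virtual-host names than the CN alone), and `hosts_lines` renders candidate `/etc/hosts` lines for review. The function names and the `10.0.0.1` / `example.abc` values are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): list the names a certificate
# carries (subject CN and DNS SANs) so they can be mapped to the target IP
# in /etc/hosts when a request by IP is answered with 403 Forbidden.

# Fetch the leaf certificate from host:port as PEM. Optional third argument
# is an SNI name, for servers that pick the certificate per virtual host.
fetch_cert() {
    local host="$1" port="$2"
    if [ -n "${3:-}" ]; then set -- -servername "$3"; else set --; fi
    openssl s_client -connect "$host:$port" "$@" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM
}

# Print the subject CN followed by every DNS SAN from a PEM file, one per
# line, without duplicates (the SAN list normally repeats the CN).
cert_names() {
    local pem="$1"
    {
        openssl x509 -noout -subject -nameopt RFC2253 -in "$pem" \
            | sed -n 's/.*CN=\([^,]*\).*/\1/p'
        # In -text output the SAN list sits on the line after its heading.
        openssl x509 -noout -text -in "$pem" \
            | grep -A1 'Subject Alternative Name' | tail -n 1 \
            | tr ',' '\n' | sed -n 's/.*DNS:\([^[:space:]]*\).*/\1/p'
    } | awk '!seen[$0]++'
}

# Render candidate /etc/hosts lines (ip<TAB>name) to review before appending.
hosts_lines() {
    local ip="$1" pem="$2"
    cert_names "$pem" | awk -v ip="$ip" '{ print ip "\t" $0 }'
}

# Stand-alone usage: cert_names.sh <ip> [port] [sni]
if [ $# -ge 1 ]; then
    pem=$(mktemp)
    fetch_cert "$1" "${2:-443}" "${3:-}" > "$pem"
    hosts_lines "$1" "$pem"
    rm -f "$pem"
fi
```

Requires OpenSSL 1.1.1 or later for the `-nameopt`/`-text` output format shown; review the printed lines before appending them to `/etc/hosts`.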

### Check Comments in HTML Source <a href="#check-comments-in-html-source" id="check-comments-in-html-source"></a>

There may be comments in the HTML source code that provide hints for exploitation.

### Find Source Code <a href="#find-source-code" id="find-source-code"></a>

If the target organization (or user) manages its source code on a platform such as **GitHub** or **GitLab**, we might be able to find the source code.\
Here are some **GitHub Dorks** examples. Try searching repositories with the site name or project name on **GitHub**.

```shellscript
<site_name> language:Python
<site_name> language:PHP

# e.g.
ExampleBlog language:PHP
```

### Request using Python <a href="#request-using-python" id="request-using-python"></a>

#### GET Request <a href="#get-request" id="get-request"></a>

```python
#!/usr/bin/env python3
import requests

ip = '10.0.0.1'
port = '80'
url = 'http://%s:%s' % (ip, port)
ua = 'Mozilla/5.0 ...'

# Args: query string, request headers, cookies and HTTP Basic credentials
params = {'page': '2', 'item': 'chair'}
headers = {'User-Agent': ua}
cookies = {'PHPSESSID': 'a953b5...'}
auth = requests.auth.HTTPBasicAuth('username', 'password')

r = requests.get(url, params=params, headers=headers, cookies=cookies, auth=auth)

print(r.text)
```

* **With Session**

  ```python
  #!/usr/bin/env python3
  import requests

  url = 'http://example.com'

  # A Session keeps cookies across requests
  session = requests.Session()
  r = session.get(url)

  print(r.text)
  ```

#### POST Request <a href="#post-request" id="post-request"></a>

```python
#!/usr/bin/env python3
import requests

url = 'http://example.com/login'
ua = 'Mozilla/5.0 ...'

# Form fields sent in the request body
data = {'username': 'admin', 'password': 'admin'}

# Args
headers = {'User-Agent': ua}
cookies = {'PHPSESSID': 'a953b5...'}

r = requests.post(url, data=data, headers=headers, cookies=cookies)

print(r.status_code)
print(r.text)
```

* **With Session**

  ```python
  #!/usr/bin/env python3
  import requests

  url = 'http://example.com/comment'

  data = {'name': 'Mike', 'comment': 'Hello'}

  # A Session keeps cookies across requests
  session = requests.Session()

  r = session.post(url, data=data)

  print(r.text)
  ```
