Skip to content

Latest commit

 

History

History
72 lines (57 loc) · 1.67 KB

3_Mapping.markdown

File metadata and controls

72 lines (57 loc) · 1.67 KB

Mapping

Mapping Tips:

  • Google
  • Smart* Directory Brute Forcing
    • RAFT lists (included in Seclists)
    • SVN Digger (included in Seclists)
    • Git Digger
  • Platform Identification:
    • Wapplyzer (Chrome)
    • Builtwith (Chrome)
    • retire.js (cmd-line or Burp)
    • Check CVE’s
  • Auxiliary
    • WPScan -CMSmap

##Directory Bruteforce Workflow After bruteforcing look for other status codes indicating you are denied or require auth then append list there to test for misconfigured access control.

Example:

GET http://www.acme.com - 200
GET http://www.acme.com/backlog/ - 404
GET http://www.acme.com/controlpanel/ - **401 hmm.. ok**
GET http://www.acme.com/controlpanel/[bruteforce here now]

Mapping/Vuln Discovery using OSINT

Find previous/existing problem:

  • Xssed.com
  • Reddit XSS - /r/xss
  • Punkspider
  • xss.cx
  • xssposed.org
  • twitter searching

Issues might already reported but use the flaw area and injection type to guide you to further injections or filter bypass

New Project: Maps

New OSINT/Mapping project

  • 250+ bounty programs
  • Crawl
  • DNS info + bruteforce
  • Bounty metadata (links, rewards, scope)
  • API -> Intrigue

https://github.com/bugcrowdlabs/maps

Using the Maps Project: Crawling

Using + Ruby + Anemone + JSON + Grep

$cat test_target_json.txt | grep redirect

https://test_target/redirect/?url=http://twitter.com
https://test_target/redirect/?url=http://facebook.com/...
https://test_target/redirect/?url=http://pinterest.com/...

New Tool: Intrigue

OSINT framework, simple to integrate. Features like: