websecurity

Web_Security/README.md

@@ -7,50 +7,50 @@
 
 1. Information Gathering
 
-		* creation of dictionary: with **cewl.rb**/
+* creation of dictionary: with **cewl.rb**/
 
-		* download website: **wget -rck**, **httrack**:
+* download website: **wget -rck**, **httrack**:
 ```
 $ wget -rck <TARGET-WEBSITE>
 ```
-		* identification of email accounts: with **theharverster**, **maltego**, **msfcli (metasploit)**.
+* identification of email accounts: with **theharverster**, **maltego**, **msfcli (metasploit)**.
 
-		* extract metadata: with **Metagoofil** and **FOCA**. It also can be done with googling qith ```site: www.url.com ext:pdf intitle:"Documents and settings"```.
+* extract metadata: with **Metagoofil** and **FOCA**. It also can be done with googling qith ```site: www.url.com ext:pdf intitle:"Documents and settings"```.
 
-		* a search for other domains that are hosted on the same IP  (virtual host): with **revhosts**.
+* a search for other domains that are hosted on the same IP  (virtual host): with **revhosts**.
 
 
 
 2. Automatic Testing (scanners)
 
-		* Tools: **Nikto**, **w3af**, **skipfish**, **Arachni**, **ZAP**/
+* Tools: **Nikto**, **w3af**, **skipfish**, **Arachni**, **ZAP**/
 
-		* spidering: **GoLISMERO**.
+* spidering: **GoLISMERO**.
 
-		* interesting files: search for robots.txt, gitignore, .svn, .listin, .dstore, etc. Tool: **FOCA**.
+* interesting files: search for robots.txt, gitignore, .svn, .listin, .dstore, etc. Tool: **FOCA**.
 
-		* brute force folders and files: **dirb** and **dirbuster**.
+* brute force folders and files: **dirb** and **dirbuster**.
 
-		* fuzzing to the various parameters, directories and others, in order to identify different types of vulnerabilities such as: XSS, SQLi, LDAPi, Xpathi, LFI, or RFI. Tool: **PowerFuzzer**, **Pipper** or ***Burpproxy***. A good fuzzy dictionary is **fuzzdb**.
+* fuzzing to the various parameters, directories and others, in order to identify different types of vulnerabilities such as: XSS, SQLi, LDAPi, Xpathi, LFI, or RFI. Tool: **PowerFuzzer**, **Pipper** or ***Burpproxy***. A good fuzzy dictionary is **fuzzdb**.
 
 
 3. Manual testing
 
-		* testing vulnerabilities: Burpproxy, ZAP, sitescope.
+* testing vulnerabilities: Burpproxy, ZAP, sitescope.
 
-		* identify components and plugins that have enabled the Website, as might be the following types of CMS (Content Managment Systems): Joomla Component, Wordpress plugin, Php-Nuke, drupal, Movable Type, Custom CMS, Blogsmith/Weblogs, Gawker CMS, TypePad, Blogger/Blogspot, Plone, Scoop, ExpressionEngine, LightCMS, GoodBarry, Traffik, Pligg, Concrete5, Typo3, Radiant CMS, Frog CMS, Silverstripe, Cushy CMS etc. Then find known vulnerabilities and **/** associated with it. Tools: **joomla Scan** or **cms-explorer**.
+* identify components and plugins that have enabled the Website, as might be the following types of CMS (Content Managment Systems): Joomla Component, Wordpress plugin, Php-Nuke, drupal, Movable Type, Custom CMS, Blogsmith/Weblogs, Gawker CMS, TypePad, Blogger/Blogspot, Plone, Scoop, ExpressionEngine, LightCMS, GoodBarry, Traffik, Pligg, Concrete5, Typo3, Radiant CMS, Frog CMS, Silverstripe, Cushy CMS etc. Then find known vulnerabilities and **/** associated with it. Tools: **joomla Scan** or **cms-explorer**.
 
-		* headers, http methods, sessions, certifications: we could use any tool like a proxy or a simple telnet connection to the Website.
+* headers, http methods, sessions, certifications: we could use any tool like a proxy or a simple telnet connection to the Website.
-		* fingerprinting to identify the architecture and configuration of the site: **httprint**.
+* fingerprinting to identify the architecture and configuration of the site: **httprint**.
 
-		* manipulation of parameters  to identify any errors and / or vulnerabilities. We can use any proxy to manipulate the requests. Alteration of the normal operation of the application by: single quotes, nulls values “%00”, carriage returns, random numbers, etc.
+* manipulation of parameters  to identify any errors and / or vulnerabilities. We can use any proxy to manipulate the requests. Alteration of the normal operation of the application by: single quotes, nulls values “%00”, carriage returns, random numbers, etc.
 
-		* analysis of Flash, Java, and other files: identify and download all flash files that exist on the Website. To do this, we could use the Google search: ```filetype:swf site:domain.com```. We could also use wget tool:
+* analysis of Flash, Java, and other files: identify and download all flash files that exist on the Website. To do this, we could use the Google search: ```filetype:swf site:domain.com```. We could also use wget tool:
 
 ```
 $ /wget -r -l1 -H -t1 -nd -N -nd -N -A.swf -erobots=off <WEBSITE> -i output_swf_files.txt
-```
+
-		* Once we have identified and downloaded *.swf files, we must analyze the code, the functions (as *loadMovie*) variables in order to identify those that call and allow other types of vulnerabilities such as cross site scripting. Below shows some vulnerable functions:
+* Once we have identified and downloaded *.swf files, we must analyze the code, the functions (as *loadMovie*) variables in order to identify those that call and allow other types of vulnerabilities such as cross site scripting. Below shows some vulnerable functions:
 
 ```
 _root.videourl = _root.videoload + '.swf';
@@ -61,8 +61,7 @@ function.getURL,javascript:alert('css')
 	TextField.html - payload: <img src='javascript:alert("css")//.swf'>
 ```
 
-		* We could use tools such as **Deblaze** and **SWFIntruder**. We should also
+* We could use tools such as **Deblaze** and **SWFIntruder**. We should also analyze the parameter AllowScriptAccess, Flash Parameter Pollution or sensitive APIs:
-analyze the parameter AllowScriptAccess, Flash Parameter Pollution or sensitive APIs:
 
 ```
 loadVariables, loadVariblesNum, MovieClip.loadVariables, loadVars.load, loadVars.sendAndLoad