websecurity

Web_Security/README.md

@@ -6,31 +6,43 @@
 ## Steps of web exploitation:
 
 1. Information Gathering
+
 		* creation of dictionary: with **cewl.rb**/
+
 		* download website: **wget -rck**, **httrack**:
 ```
 $ wget -rck <TARGET-WEBSITE>
 ```
 		* identification of email accounts: with **theharverster**, **maltego**, **msfcli (metasploit)**.
+
 		* extract metadata: with **Metagoofil** and **FOCA**. It also can be done with googling qith ```site: www.url.com ext:pdf intitle:"Documents and settings"```.
+
 		* a search for other domains that are hosted on the same IP  (virtual host): with **revhosts**.
 
 
 	
 2. Automatic Testing (scanners)
+
 		* Tools: **Nikto**, **w3af**, **skipfish**, **Arachni**, **ZAP**/
+
 		* spidering: **GoLISMERO**.
+
 		* interesting files: search for robots.txt, gitignore, .svn, .listin, .dstore, etc. Tool: **FOCA**.
+
 		* brute force folders and files: **dirb** and **dirbuster**.
+
 		* fuzzing to the various parameters, directories and others, in order to identify different types of vulnerabilities such as: XSS, SQLi, LDAPi, Xpathi, LFI, or RFI. Tool: **PowerFuzzer**, **Pipper** or ***Burpproxy***. A good fuzzy dictionary is **fuzzdb**.
 
 
 3. Manual testing
+
 		* testing vulnerabilities: Burpproxy, ZAP, sitescope.
+
 		* identify components and plugins that have enabled the Website, as might be the following types of CMS (Content Managment Systems): Joomla Component, Wordpress plugin, Php-Nuke, drupal, Movable Type, Custom CMS, Blogsmith/Weblogs, Gawker CMS, TypePad, Blogger/Blogspot, Plone, Scoop, ExpressionEngine, LightCMS, GoodBarry, Traffik, Pligg, Concrete5, Typo3, Radiant CMS, Frog CMS, Silverstripe, Cushy CMS etc. Then find known vulnerabilities and **/** associated with it. Tools: **joomla Scan** or **cms-explorer**.
 
 		* headers, http methods, sessions, certifications: we could use any tool like a proxy or a simple telnet connection to the Website.
 		* fingerprinting to identify the architecture and configuration of the site: **httprint**.
+
 		* manipulation of parameters  to identify any errors and / or vulnerabilities. We can use any proxy to manipulate the requests. Alteration of the normal operation of the application by: single quotes, nulls values “%00”, carriage returns, random numbers, etc.
 
 		* analysis of Flash, Java, and other files: identify and download all flash files that exist on the Website. To do this, we could use the Google search: ```filetype:swf site:domain.com```. We could also use wget tool:
@@ -39,6 +51,7 @@ $ wget -rck <TARGET-WEBSITE>
 $ /wget -r -l1 -H -t1 -nd -N -nd -N -A.swf -erobots=off <WEBSITE> -i output_swf_files.txt
 ```
 		* Once we have identified and downloaded *.swf files, we must analyze the code, the functions (as *loadMovie*) variables in order to identify those that call and allow other types of vulnerabilities such as cross site scripting. Below shows some vulnerable functions:
+
 ```
 _root.videourl = _root.videoload + '.swf';
 video.loadMovie(_root.videourl);
@@ -50,6 +63,7 @@ function.getURL,javascript:alert('css')
 
 		* We could use tools such as **Deblaze** and **SWFIntruder**. We should also
 analyze the parameter AllowScriptAccess, Flash Parameter Pollution or sensitive APIs:
+
 ```
 loadVariables, loadVariblesNum, MovieClip.loadVariables, loadVars.load, loadVars.sendAndLoad
 XML.load, XML.sendAndLoad
@@ -60,6 +74,7 @@ SharedObject.getLocal, SharedObject.getRemote
 ```
 
 		* authentication system: the first thing is to determine if the website stored the credentials in the browser. This could be exploited with attacks on defaults accounts and dictionary attacks. The default accounts are: admin, administrator, root, system, user, default, name application. We can use **hydra** for this:
+		
 ```
 $ hydra -L users.txt -P pass.txt <WEBSTE> http-head/private
 ```