Subdomains
Subfinder ⭐ Post-install configuration
subfinder -silent -d <target domain> | dnsx -silent > /tmp/servers.txt
sudo nmap -iL /tmp/servers.txt -Pn -sT
ffuf
# Providing a rate setting helps avoid network issues
ffuf -t 10 -c -ac -mc 200,204,301,307,401,405,400,302 -u https://FUZZ.<target domain> -H 'X-Forwarded-For: 0.0.0.0' -w <wordlist> -rate 20
Through Tor (SOCKS5 proxy)
# Providing a rate setting helps avoid network issues
ffuf -t 10 -c -ac -mc 200,204,301,307,401,405,400,302 -u https://FUZZ.<target domain> -H 'X-Forwarded-For: 0.0.0.0' -w <wordlist> -x socks5://127.0.0.1:9050 -rate 20
The wordlist must be split into smaller parts, otherwise there may be loading issues.
https://wordlists.assetnote.io/ ➡️ httparchive_subdomains_YYYY_MM_dd.txt
# Set the input file name
input_file="/tmp/httparchive_subdomains_YYYY_MM_dd.txt"
# Set the number of lines per file
lines_per_file=150000
# Create a directory to store the split files
mkdir -p /tmp/split_files
# Split the input file into numbered parts: split_0001.txt, split_0002.txt, ...
split --lines="$lines_per_file" --numeric-suffixes=1 --suffix-length=4 --additional-suffix=".txt" "$input_file" /tmp/split_files/split_
echo "Wordlist split completed."
bbot -t target.com -f subdomain-enum
Ports
Server version
Applications
- Google Maps API Scanner
- ⭐Nuclei
- Arjun: HTTP Parameter Discovery Suite
- dirsearch: Web path discovery
- Testing headers (each sent with an internal address as the value):
X-Forwarded-For: <internal IP address>
X-Originating-IP: <internal IP address>
X-Remote-IP: <internal IP address>
X-Remote-Addr: <internal IP address>
Google Dorks
Parameter Pollution:
- Mitigation methods: whitelist validation, strong type validation, rejecting duplicate parameters, regular-expression filtering
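The four mitigations listed above fit naturally into one strict query-string parser. The block below is an added example (not from these notes or any linked project) showing them applied together: unknown names are rejected against a whitelist, a name that appears twice is rejected outright instead of letting the framework pick "first" or "last", raw values must match a per-parameter regular expression, and only then are they converted to their declared type. The schema, the function names and the sample queries are assumptions constructed for illustration.

```python
"""Strict query-string parsing with the four parameter-pollution mitigations.

Added example, not from the original checklist. SCHEMA, the function names
and the sample queries are constructed for illustration.
"""
import re
from urllib.parse import parse_qsl

# Whitelist: parameter name -> (type to convert to, regex the raw value must match)
SCHEMA = {
    "id": (int, re.compile(r"[0-9]{1,9}")),
    "sort": (str, re.compile(r"asc|desc")),
    "q": (str, re.compile(r"[A-Za-z0-9 _-]{0,64}")),
}


class ParameterPollutionError(ValueError):
    """Raised when a query string violates one of the strict parsing rules."""


def parse_query_strict(query: str, schema: dict = SCHEMA) -> dict:
    """Parse query and return {name: typed value}, or raise ParameterPollutionError.

    Rules, in the order they are applied per pair:
      1. whitelist validation      - name must be a key of schema
      2. reject duplicate parameters - a name seen twice aborts the request
      3. regular-expression filtering - raw value must fully match its pattern
      4. strong type validation    - value is converted to the declared type
    """
    # keep_blank_values=True so 'id=&id=5' is seen as a duplicate, not as one value.
    # Note: Python versions before 3.9.2 also treat ';' as a pair separator.
    pairs = parse_qsl(query, keep_blank_values=True)
    seen = set()
    result = {}
    for name, raw in pairs:
        if name not in schema:
            raise ParameterPollutionError(f"unexpected parameter: {name!r}")
        if name in seen:
            raise ParameterPollutionError(f"duplicate parameter: {name!r}")
        seen.add(name)
        typ, pattern = schema[name]
        if not pattern.fullmatch(raw):
            raise ParameterPollutionError(f"value for {name!r} fails filter: {raw!r}")
        result[name] = typ(raw)
    return result


def is_polluted(query: str, schema: dict = SCHEMA) -> bool:
    """True if the query would be rejected by parse_query_strict."""
    try:
        parse_query_strict(query, schema)
    except ParameterPollutionError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample queries: one clean, then one per rejected case.
    for q in ("id=42&sort=asc", "id=42&id=7", "id=42&debug=1", "id=4a", "id=&id=5"):
        outcome = "rejected" if is_polluted(q) else parse_query_strict(q)
        print(f"{q!r:20} -> {outcome}")
```

Rejecting duplicates rather than resolving them is the point of rule 2: a front-end WAF, a reverse proxy and the application framework often disagree about which of two same-named parameters wins, and refusing the request removes that disagreement entirely.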
WAF
API
Third party
Source code
XSS
Business logic error
- vulnerability-Checklist
- InsiderPhD
- Hacking APIs
- XSS payloads: from published reports we can learn which payloads other testers used.