80 HTTP

Enumeration

Start Burp
Start ./script/web-enum.sh
Browse through the page (with Burp)
1. Check robots.txt
2. Check a 404 page (site /dsoidfsiohfdghfdghfgdiofdiogidgffg)
Determine and write down each used technology:
1. Server
2. Application Server
3. Languages
4. Frameworks
For all of the previous findings:
1. Check if there is a blog post here
2. Check for exploits.
3. Check for web tech tricks on Hacktricks
4. Try a specialized scanner
5. Download the exact version of the CMS and look for interesting files.
Repeat web crawling for all found directories.

Check for sequential URLs and try to enumerate other URLs.
If there are parameters, try change them (maybe also with a small script and a wordlist with usual command parameters)
- See ParamSpider
Try other wordlists
Try wordlists with other suffixes
Try other crawlers (dirb / dirbuster / nikto / …)
Find exploits for the server
Check if external sources are embeded (e.g. via a parameter / LFI)
Make a wordlist with cewl
Analyze the cookies
Analyze the local storage
If you have a domain:
1. Try vhost enumeration
For logins / htauth:
1. Search for default passwords
2. Typ ’ or ” or — to trigger a possible SQL injection.
3. Try usual combinations:
  - admin / admin
  - admin / password
  - guest / guest
  - test / test
  - admin / 123456
4. Brute-force with cewl-based wordlist
5. Brute-force with general wordlists
6. Set another Host header
7. Set proxy header
8. Try other tips from the Hacktricks list
Perform a general vulnerability scan:
1. Nmap NSE
2. Metasploit exploit_suggester
3. OpenVAS
4. Nessus
For forms:
1. Make a pseudo-normal request which is recorded in Burp
2. Perform requests with the following:
  1. ’
  2. ”
  3. Extrem long input data
  4. Escaping characters for the used technology (e.g. <% %> {{ }} …)
3. Store the request in a file and execute sqlmap -v 4 -r /tmp/request.
For file uploads:
- See file upload tricks.
You have many text to look through / parse? See the grepable strings page.