Let's shed some light on anything in or past /
So, you got a target web application? Sweet.
Your enumeration starts with Discovery.
In other words: what the heck can I actually view, enumerate, etc.?
I will go into Web Application Assessments in much more detail with a sample machine in a future blog post or dedicated page.
For now, export your target URL as $URL right away and localize these commands so they are ready to launch in a *snap*.
Before anything else: are you going to be using SecLists? Hope so!
git clone https://github.com/danielmiessler/SecLists.git /opt/SecLists
--> The wordlist paths below assume the clone lives in /opt/SecLists; adjust them if you put it elsewhere.
nikto --host $URL -C all
+ We will begin with Gobuster.
+ Here are my localized commands:
gobuster dir -u $URL -w /opt/SecLists/Discovery/Web-Content/raft-medium-directories.txt -k -t 30
gobuster dir -u $URL -w /opt/SecLists/Discovery/Web-Content/raft-medium-files.txt -k -t 30
gobuster dns -d someDomain.com -w /opt/SecLists/Discovery/DNS/subdomains-top1million-110000.txt -t 30
--> Make sure any DNS name you find resolves to an in-scope address before you test it.
wfuzz -c -z file,/opt/SecLists/Discovery/Web-Content/raft-medium-directories.txt --hc 404 "$URL/FUZZ"
wfuzz -c -z file,/opt/SecLists/Discovery/Web-Content/raft-medium-files.txt --hc 404 "$URL/FUZZ"
wfuzz -c -b "<SESSIONVARIABLE>=<SESSIONVALUE>" -z file,/opt/SecLists/Discovery/Web-Content/raft-medium-files.txt --hc 404 "$URL/FUZZ"
--> wfuzz substitutes the wordlist into the literal keyword FUZZ, so the URL (or header/body) must contain it or nothing gets fuzzed.
FUZZ DATA AND CHECK FOR PARAMETERS:
--> and/or some combination of the following:
wfuzz -c -z file,/opt/SecLists/Discovery/Web-Content/burp-parameter-names.txt "$URL?FUZZ=test"
+ Can I fuzz POST data?
--> Example of command injection POST checks:
wfuzz -c -z file,/usr/share/wordlists/Fuzzing/command-injection.txt -d "postParameter=FUZZ" "$URL"
Get creative with WFUZZ!