🚩
Practical CTF
BlogContact
  • 🚩Home - Practical CTF
  • 🌐Web
    • Enumeration
      • Finding Hosts & Domains
      • Masscan
      • Nmap
      • OSINT
    • Client-Side
      • Cross-Site Scripting (XSS)
        • HTML Injection
        • Content-Security-Policy (CSP)
      • CSS Injection
      • Cross-Site Request Forgery (CSRF)
      • XS-Leaks
      • Window Popup Tricks
      • Header / CRLF Injection
      • WebSockets
      • Caching
    • Server-Side
      • SQL Injection
      • NoSQL Injection
      • GraphQL
      • XML External Entities (XXE)
      • HTTP Request Smuggling
      • Local File Disclosure
      • Arbitrary File Write
      • Reverse Proxies
    • Frameworks
      • Flask
      • Ruby on Rails
      • NodeJS
      • Bun
      • WordPress
      • Angular
    • Chrome Remote DevTools
    • ImageMagick
  • 🔣Cryptography
    • Encodings
    • Ciphers
    • Custom Ciphers
      • Z3 Solver
    • XOR
    • Asymmetric Encryption
      • RSA
      • Diffie-Hellman
      • PGP / GPG
    • AES
    • Hashing
      • Cracking Hashes
      • Cracking Signatures
    • Pseudo-Random Number Generators (PRNG)
    • Timing Attacks
    • Blockchain
      • Smart Contracts
      • Bitcoin addresses
  • 🔎Forensics
    • Wireshark
    • File Formats
    • Archives
    • Memory Dumps (Volatility)
    • VBA Macros
    • Grep
    • Git
    • File Recovery
  • ⚙️Reverse Engineering
    • Ghidra
    • Angr Solver
    • Reversing C# - .NET / Unity
    • PowerShell
  • 📟Binary Exploitation
    • ir0nstone's Binary Exploitation Notes
    • Reverse Engineering for Pwn
    • PwnTools
    • ret2win
    • ret2libc
    • Shellcode
    • Stack Canaries
    • Return-Oriented Programming (ROP)
      • SigReturn-Oriented Programming (SROP)
      • ret2dlresolve
    • Sandboxes (chroot, seccomp & namespaces)
    • Race Conditions
  • 📲Mobile
    • Setup
    • Reversing APKs
    • Patching APKs
    • HTTP(S) Proxy for Android
    • Android Backup
    • Compiling C for Android
    • iOS
  • 🌎Languages
    • PHP
    • Python
    • JavaScript
      • Prototype Pollution
      • postMessage Exploitation
    • Java
    • C#
    • Assembly
    • Markdown
    • LaTeX
    • JSON
    • YAML
    • CodeQL
    • NASL (Nessus Plugins)
    • Regular Expressions (RegEx)
  • 🤖Networking
    • Modbus - TCP/502
    • Redis/Valkey - TCP/6379
  • 🐧Linux
    • Shells
    • Bash
    • Linux Privilege Escalation
      • Enumeration
      • Networking
      • Command Triggers
      • Command Exploitation
      • Outdated Versions
      • Network File Sharing (NFS)
      • Docker
      • Filesystem Permissions
    • Analyzing Processes
  • 🪟Windows
    • The Hacker Recipes - AD
    • Scanning/Spraying
    • Exploitation
    • Local Enumeration
    • Local Privilege Escalation
    • Windows Authentication
      • Kerberos
      • NTLM
    • Lateral Movement
    • Active Directory Privilege Escalation
    • Persistence
    • Antivirus Evasion
    • Metasploit
    • Alternate Data Streams (ADS)
  • ☁️Cloud
    • Kubernetes
    • Microsoft Azure
  • ❔Other
    • Business Logic Errors
    • Password Managers
    • ANSI Escape Codes
    • WSL Tips
Powered by GitBook
On this page
  • Find Content
  • Wordlists
  • Find Technologies
  • Passively Find Content
  • Googling
  • Internet Archive: Wayback Machine
  • Fuzzing Inputs / Polyglots
  1. Web

Enumeration

Find all content and functionality on a website, to get an idea of the attack surface. Often through fuzzing

PreviousHome - Practical CTFNextFinding Hosts & Domains

Last updated 3 months ago

Find Content

For a quick recursive map of a website the feroxbuster tool has great defaults. While it uses a medium-sized wordlist to test for non-404-like responses, it also parses links and directory listings in responses to discover even more content. While it does not have much customization for a scan, it's great for a first scan if you need something quick:

$ feroxbuster -u http://example.com

For more control over your scan, ffuf is a great choice. It allows you to easily create your own rules for exactly how the website should be fuzzed, like where inputs are placed, what is put there, and how a good response is defined.

Examples
# # Simplest example, using a wordlist at the start of a path and auto-calibrating
$ ffuf -u http://example.com/FUZZ -w common.txt -ac
# # Probe for unknown virtual hosts on a domain by changing the Host header
$ ffuf -u http://example.com/ -H 'Host: FUZZ.example.com' -w subdomains.txt
# # Find parameters that alter the response
$ ffuf -u http://example.com/?FUZZ=1 -w parameters.txt
# # Use payload fuzzing to do less guesswork, for example Path Traversal
$ ffuf -u http://example.com/?page=FUZZ -w path-traversal.txt

# # POST with JSON data and fuzz value, filtered on 'error' RegEx
$ ffuf -X POST -u http://example.com/ -H 'Content-Type: application/json' -d '{"name": "FUZZ", "anotherkey": "anothervalue"}' -fr 'error' -w values.txt
# # Fuzz multiple parameter and values at the same time, matching reflected values
$ ffuf -u http://example.com/?PARAM=VAL -w params.txt:PARAM -w values.txt:VAL -mr "VAL"
# # POST form data using command substitution for a 1-100 sequence of IDs
$ ffuf -X POST -u http://example.com/ -H 'Content-Type: application/x-www-form-urlencoded' -d 'id=FUZZ&action=view' -fs 1341 -w <(seq 1 100)
$ default ffuf content http://example.com/
$ default ffuf param http://example.com/page
$ default ffuf vhost example.com

$ default ffuf auto example.com  # An attempt at combining content and vhost

Wordlists

Another more recent resource is the autogenerated wordlists from Assetnote:

Find Technologies

Passively Find Content

As opposed to the brute-force methods shown above, most public websites get indexed many times by search engines and other services. We can use these to find content that was indexed, but not easily findable in the results by creating complex queries.

Googling

Google search indexes lots of web pages and makes them easily searchable. This is nice for us web testers because we can ask it for pages from a certain site, and gives us lots of results. We can also ask for more specific and obscure results.

One simple way to ensure we only get pages on the target domain is to use the site: keyword. Simply put your domain in there to only find results on that host.

site:gitbook.com

Then we can add things like ext: to specify the file extension of the webpage.

site:gitbook.com ext:pdf

Another useful trick is the - sign. Use this with any keyword to exclude any results that match that word.

site:gitbook.com ext:pdf -files.gitbook.com

Viewing Cache

When looking at a result from your query, you might find a page that has some interesting content in the description but appears offline when you click the link. Google has a previous (cached) version of the site with the content, but right now you can only see a preview.

cache:https://gitbook.com/about

A more powerful version of a search engine cache is the Wayback Machine, which archives snapshots of websites at specific times. If a website was changed, or some information was removed, it can often still be found using this tool. Simply search for a URL and you'll find a calendar full of snapshots to choose from.

There may be a lot of snapshots and different pages. To analyze the results there are a few options like Changes which track changes in the HTML code delivered to the browser, show you at what points the biggest changes happened, and use the @ icons to compare them. This way you won't have to search endlessly to find that one snapshot where the page changed.

cat domains.txt | waybackurls | tee wayback-urls.txt

Fuzzing Inputs / Polyglots

Generic Payload
|:<u><?=-->"\"1'\'a`\`/../]${{<%[%'"}}%s)&gt;%0d%0a%C0%8a%3Cļ👨‍💻A
%00\
Blind Command Injection
/*$(sleep 5)`sleep 5``*/-sleep(5)-'/*$(sleep 5)`sleep 5` #*/-sleep(5)||'"||sleep(5)||"/*`*/
sleep 5
>>> import string
>>> string.printable
'0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!"#$%&\'()*+,-./:;<=>?@[\\]^_`{|}~ \t\n\r\x0b\x0c'

Check out for a great tutorial on how to use various options in the tool.

There is also a ffuf module in my tool!

Good results come from good wordlists. You also don't want to wait weeks for a scan to complete, so a short but packed wordlist is often the best choice, while this depends on your test. The SecLists repository is a collection of many such wordlists for all kinds of purposes, including :

: 4715 common web paths (small), alphabetically ordered

& : ~100.000 total files and directories (large), ordered by count

: top 5000 subdomains (small), ordered by count

To view it, you can click the three dots after the result, press the arrow down, and view Cached. Another way to manually do this for any URL is by prefixing it with cache:, for example:

Internet Archive:

Another useful option is URLs which lists all known URLs in a table where you can search. The tool can also extract all these URLs for you to analyze locally with more tools and can be a very effective way of finding many pages with parameters too.

Here is a polyglot payload I made of a few different injection attacks with various pieces of syntax. If any part of this payload is removed, transformed or causes errors on the target, you might have injected something and it is worth reverse engineering what part of the payload caused it to see if it is exploitable (, ):

Here is another specifically for blind command injection that tries to work in as many different contexts as possible with filter bypasses. If the application waits for any multiple of 5 seconds, it has likely worked and you can try more targetted payloads (, ):

For less attack-focussed fuzzing it is sometimes useful to find what characters are allowed to give you ideas on possible bypasses. Python's string.printable variable contains all printable ASCII characters. You can input this string and see if anything is blocked. If you only get a simple "error" message, you can use binary search to remove half of the payload and see what character causes the error (keep in mind that there may be multiple) (, ):

🌐
FFUF.me
default
discovering web content
common.txt
raft-large-files.txt
raft-large-directories.txt
subdomains-5000.txt
Wayback Machine
waybackurls
url-encoded
JSON
url-encoded
JSON
url-encoded
JSON
GitHub - epi052/feroxbuster: A fast, simple, recursive content discovery tool written in Rust.GitHub
Feroxbuster: A fast, simple, recursive content discovery tool written in Rust
GitHub - ffuf/ffuf: Fast web fuzzer written in GoGitHub
Highly customizable web fuzzer that is fast and simple to use
GitHub - danielmiessler/SecLists: SecLists is the security tester's companion. It's a collection of multiple types of lists used during security assessments, collected in one place. List types include usernames, passwords, URLs, sensitive data patterns, fuzzing payloads, web shells, and many more.GitHub
Collection of different types of wordlists from usernames and passwords to web content and payloads
Assetnote Wordlists
Autogenerated wordlists for all kinds of scenario's in web content fuzzing
Logo
Find out what websites are built with - Wappalyzer
Browser Extension to detect the front- and backend techlogies used by a website
Logo
Logo
Logo
Logo