Discovering running services

After using reconnaissance to define our web application target's presence on the internet, we aim to enumerate the target's services. A simple example is banner grabbing.

Manual HTTP endpoint discovery

In this context, HTTP endpoints are pages that we can request from the target web application. We're interested in forms, that is, ways we can provide input to the web application. A common tool used to interact with web application targets is Burp Suite. Endpoints of interest can commonly be found in a robots.txt file or an XML sitemap.
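As an added example (not part of the original notes), the following Python parses the two files named above, robots.txt and an XML sitemap, and merges the paths they disclose into one endpoint list. The inputs are constructed samples using the reserved `example.invalid` host; the same code run against your own site's files shows exactly which paths those files reveal to anyone who reads them.

```python
"""Parse robots.txt and a sitemap to list the endpoints they disclose.

Added example, not from the original notes. The inputs below are
constructed samples; replace them with content fetched from your own
host to audit what it discloses.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urljoin

# Constructed sample robots.txt (not from any real site).
ROBOTS_TXT = """\
User-agent: *
Disallow: /admin/
Disallow: /old-backup/
Allow: /public/
Sitemap: https://example.invalid/sitemap.xml
# comment line
"""

# Constructed sample sitemap (not from any real site).
SITEMAP_XML = """<?xml version="1.0" encoding="UTF-8"?>
<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
  <url><loc>https://example.invalid/</loc></url>
  <url><loc>https://example.invalid/login</loc></url>
  <url><loc>https://example.invalid/account/settings</loc></url>
</urlset>
"""


def parse_robots(text):
    """Return a dict with 'disallow', 'allow' and 'sitemaps' lists.

    Comments (after '#') are stripped, directive names are matched
    case-insensitively, and directives with empty values are ignored.
    """
    out = {"disallow": [], "allow": [], "sitemaps": []}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "disallow" and value:
            out["disallow"].append(value)
        elif key == "allow" and value:
            out["allow"].append(value)
        elif key == "sitemap" and value:
            out["sitemaps"].append(value)
    return out


def parse_sitemap(xml_text):
    """Return every <loc> URL from a sitemaps.org urlset document."""
    ns = {"sm": "http://www.sitemaps.org/schemas/sitemap/0.9"}
    root = ET.fromstring(xml_text)
    return [loc.text.strip() for loc in root.findall(".//sm:loc", ns) if loc.text]


def disclosed_endpoints(base_url, robots_text, sitemap_text):
    """Merge both sources into a sorted, de-duplicated list of absolute URLs."""
    robots = parse_robots(robots_text)
    urls = {urljoin(base_url, p) for p in robots["disallow"] + robots["allow"]}
    urls.update(parse_sitemap(sitemap_text))
    return sorted(urls)


if __name__ == "__main__":
    for u in disclosed_endpoints("https://example.invalid/", ROBOTS_TXT, SITEMAP_XML):
        print(u)
```

Note that `Disallow` entries are the interesting ones from a disclosure standpoint: they are paths the site owner explicitly did not want indexed, so they are exactly what an audit of your own robots.txt should review.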

Automated HTTP endpoint discovery

Manual HTTP endpoint discovery can be tedious, time-consuming, and often fruitless. Here are some tools and methods that can automatically crawl and discover HTTP endpoints of a web application target:

Information disclosure

Occasionally, we'll run into web application targets that leak information via errors or bad input due to poor design. We can discover these edge cases by fuzzing a web application, and some useful tools for fuzzing are:

Fuzzing isn't the best way to go about finding information: you'll likely be throttled, shadow-banned, etc. for fuzzing a web application target. In addition, the security team for the web app will likely be alerted to your attack.
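The alerting mentioned above is easy to see from the defender's side: fuzzing leaves a burst of 404 responses for many distinct paths from one client in a short time. As an added example (not from the original notes), the following Python reads constructed Combined Log Format access-log lines and flags any client IP that produces at least `min_404s` distinct not-found paths inside a sliding time window. The IP addresses and paths are constructed sample data; the thresholds are assumptions to tune against your own traffic.

```python
"""Flag fuzzing-like bursts in web server access logs.

Added example, not from the original notes. Parses constructed
Combined Log Format lines and reports client IPs that hit many distinct
missing paths within a short window, the usual footprint of automated
path or parameter fuzzing.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined Log Format: ip ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log (documentation-range IPs, not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:01 +0000] "GET / HTTP/1.1" 200 512
198.51.100.7 - - [10/Oct/2023:13:55:02 +0000] "GET /admin HTTP/1.1" 404 153
198.51.100.7 - - [10/Oct/2023:13:55:02 +0000] "GET /backup HTTP/1.1" 404 153
198.51.100.7 - - [10/Oct/2023:13:55:03 +0000] "GET /old HTTP/1.1" 404 153
198.51.100.7 - - [10/Oct/2023:13:55:03 +0000] "GET /test HTTP/1.1" 404 153
198.51.100.7 - - [10/Oct/2023:13:55:04 +0000] "GET /dev HTTP/1.1" 404 153
203.0.113.5 - - [10/Oct/2023:13:55:10 +0000] "GET /missing-image.png HTTP/1.1" 404 153
"""


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def find_fuzzing_bursts(log_text, window=timedelta(seconds=10), min_404s=5):
    """Return {ip: distinct_404_paths} for every IP that requests at least
    min_404s distinct missing paths inside some window of the given length.

    A single client with one or two 404s (a broken link, a missing image)
    stays below the threshold; a fuzzer walking a wordlist does not.
    """
    events = defaultdict(list)  # ip -> [(timestamp, path)] for 404 responses only
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["status"] == 404:
            events[rec["ip"]].append((rec["ts"], rec["path"]))

    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until evs[start..end] fits in it.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            paths = {p for _, p in evs[start:end + 1]}
            if len(paths) >= min_404s:
                flagged[ip] = len(paths)
                break
    return flagged


if __name__ == "__main__":
    for ip, n in find_fuzzing_bursts(SAMPLE_LOG).items():
        print(f"{ip}: {n} distinct 404 paths within 10s -> possible fuzzing")
```

Counting distinct paths rather than raw 404s matters: a legitimate page that repeatedly polls one missing resource produces many 404s for a single path and should not trip the rule.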

Components with vulnerabilities

When targeting web applications, we'll find that some use JavaScript frameworks like React, Angular, and jQuery. These frameworks can have publicly reported vulnerabilities, and we can use automated tools like Retire.js to find outdated versions.
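As an added example (not from the original notes, and not Retire.js itself), the Python below shows the core of what such a tool does: collect `<script src>` URLs from a page, recover a library name and version from each URL, and compare the version against a minimum-version policy. The HTML is a constructed sample, and the `MIN_VERSION` thresholds are placeholder values for illustration only; a real check takes its thresholds from an advisory source such as the Retire.js vulnerability repository.

```python
"""Identify JavaScript library versions on a page and compare them with a
minimum-version policy.

Added example, not from the original notes and not Retire.js. The HTML
sample and the policy table are constructed placeholders.
"""
import re
from html.parser import HTMLParser

# Constructed HTML sample (not from any real site).
SAMPLE_HTML = """
<html><head>
<script src="/static/jquery-1.12.4.min.js"></script>
<script src="https://cdn.example.invalid/angular/1.8.3/angular.min.js"></script>
<script src="/static/app.js"></script>
</head><body></body></html>
"""

# PLACEHOLDER policy: the lowest version you consider acceptable per library.
# These numbers are illustrative only; take real thresholds from your advisory source.
MIN_VERSION = {"jquery": (3, 0, 0), "angular": (1, 8, 0)}

# Library name followed, somewhere later in the URL, by a dotted version.
LIB_RE = re.compile(r"(?P<lib>jquery|angular).*?(?P<ver>\d+\.\d+\.\d+)", re.IGNORECASE)


class ScriptCollector(HTMLParser):
    """Collect the src attribute of every <script> tag."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)


def script_sources(html):
    parser = ScriptCollector()
    parser.feed(html)
    return parser.srcs


def identify(src):
    """Return (library, version_tuple) or None when the URL carries no hint."""
    m = LIB_RE.search(src)
    if not m:
        return None
    version = tuple(int(x) for x in m.group("ver").split("."))
    return m.group("lib").lower(), version


def outdated_components(html, policy=MIN_VERSION):
    """List (library, version, minimum) for every component below its threshold."""
    findings = []
    for src in script_sources(html):
        ident = identify(src)
        if ident is None:
            continue  # bundled or renamed script: no version visible in the URL
        lib, ver = ident
        if lib in policy and ver < policy[lib]:
            findings.append((lib, ver, policy[lib]))
    return findings


if __name__ == "__main__":
    for lib, ver, minimum in outdated_components(SAMPLE_HTML):
        print(f"{lib} {'.'.join(map(str, ver))} is below policy minimum "
              f"{'.'.join(map(str, minimum))}")
```

Versions are compared as integer tuples, not strings, so that 1.12.4 correctly sorts after 1.9.0. The unmatched `/static/app.js` illustrates the limitation of URL-based detection: bundled or renamed libraries need content fingerprinting, which is the part of Retire.js this example leaves out.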