Exploit Notes
Exploit Notes

Exploits related to Web

Method

HTTP Rate Limit Bypass
Virtual Hosts (VHOSTS) Enumeration
WAF (Web Application Firewall) Detection
Web Basic Pentesting
Web Content Discovery
Web Login Bypass

Security Risk

Blind XXE
Broken Access Control
Business Logic Attack
CORS (Cross-Origin Resource Sharing) Attack
CRLF (Carriage Return Line Feed) Injection
CSRF (Cross-Site Request Forgery)
Cookie Hijacking
Directory (Path) Traversal
File Inclusion
File Upload Attack
HTTP Request Smuggling
IDOR (Insecure Direct Object References) Attack
Insecure Deserialization
JSON.NET Deserialization
NoSQL Injection
Node.js Deserialization Attack
OAuth Attack
OS Command Injection
Open Redirect
PHP Object Injection
SQL Injection Cheat Sheet
SQL Injection with Sqlmap
SSRF (Server-Side Request Forgery)
SSTI (Server-Side Template Injection)
XSS (Cross-Site Scripting)
XSS with Dynamic PDF
XST (Cross-Site Tracing)
XXE (XML External Entity)

CMS

Bolt CMS Pentesting
CMS (Content Management System) Pentesting
Cockpit CMS Pentesting
Concrete CMS Pentesting
FUEL CMS Pentesting
Joomla CMS Pentesting
Mara CMS Pentesting
Subrion CMS Pentesting
TYPO3 Pentesting
WordPress Pentesting

Framework

AJP (Apache JServ Protocol) Pentesting
Angular Pentesting
Apache Struts Pentesting
Django Pentesting
Flask Jinja2 Pentesting
Spring Cloud Function RCE
Spring Pentesting
Werkzeug Pentesting

API

API Pentesting
GraphQL Pentesting

Cloud

AWS (Amazon Web Services) Pentesting
Spring Cloud Function RCE

Tool

How to Use Burp Suite
How to Use OWASP ZAP

Others

Apache ActiveMQ Pentesting
Apache Tomcat Pentesting
Atlassian Confluence Pentesting
Browser in the Browser (BITB) Attack
ClipBucket Pentesting
Code Deobfuscation
Codiad Pentesting
Dompdf RCE
Dump Git Repository from Website
Grafana Pentesting
HashiCorp Consul Pentesting
JBOSS Pentesting
JWT (Json Web Token) Pentesting
Jenkins Pentesting
Log4j Pentesting
OpenCATS Pentesting
PHP Srand Time Abusing
Restaurant Management System (RMS) Pentesting
TeamCity Pentesting
Tiny File Manager Pentesting
Web Browser Settings for Pentesting
Web PHP Pentesting
WebAnno Pentesting
WebDAV Pentesting
WebSocket Pentesting
Webmin Pentesting

How to Use Burp Suite

Last modified: 2023-01-01

Web

Burp Suite is an application security testing software.

Custom HTTP Header

For bug bounties, you might need to add a custom header which identifies you to programs.

  1. Go to Proxy -> Options tab.

  2. Scroll down to "Match and Replace".

  3. Click on "Add".

  4. Set rule:

    • User Agent

      Type: Request header
Match: ^User-Agent.*$
Replace: User-Agent: HackerOne-username
Comment:

    • New Original Header

      Type: Request header
Match: (empty)
Replace: X-Bug-Bounty: HackerOne-username
Comment:

  5. Check the box of "Regex match".

  6. Click on "OK".

  7. Search for the rule in the list and click on "Enabled".


Automate a Sequence of Requests with Burp Intruder

1. "Project options" -> "Sessions" -> "Session handling rules" panel -> Click "Add"
2. "Session handling rules editor" opens
3. "Scope" tab -> Select "Include all URLs"
4. "Details" tab -> Under "Rule actions" -> Click "Add" -> "Run a macro" -> Under "Select macro" -> Click "Add"
5. "Macro Recorder" opens
6. Select the sequence of requests as follows:
	POST /message/submit
	GET /message
	POST /account
7. Click "OK"

<For management of parameters>
option 1. In the list of requests, select the requests in which specific value used POST parameter changes.
option 2. Click "Configure item" -> Dialog opens -> Click "Add" -> Enter the name of the parameter.
option 3. Highlight the value in the response code.
option 4. Click "OK" twice to go back to the Macro editor.
option 5. Select the POST request in which using the above value for parameter.
option 6. Click "Configure item" -> In the "Parameter handling" section -> drop-down to menus to specify the parameter name to be "derived from the prior response (response 4) -> Click "OK"
option 7. In the Macro editor -> Click "Test macro" to check if the sequence does correctly.

8. Send the arbitrary request to the Burp Intruder.
9. Select "Sniper" attack type.
10. On the "Payloads" tab -> select the payload type "Null payloads" -> Under "Payload options" -> enter the arbitrary number of payloads.
11. Start the attack.

Brute Force using Turbo Intruder

Single Parameter

Set “%s” to the parameter for brute force.

POST /login HTTP/1.1
...
username=admin&password=%s

# -------------------------------------------------------------------

def queueRequests(target, wordlists):
    engine = RequestEngine(endpoint=target.endpoint,
                        concurrentConnections=5,
                        requestsPerConnection=5,
                        pipeline=False
                        )

    # Brute force (wordlist)
    for word in open('/usr/share/wordlists/rockyou.txt'):
        engine.queue(target.req, word.rstrip())

    # Brute force (0 - 255)
    for i in range(0, 255):
        engine.queue(target.req, str(i))

    # Brute force (0000 - 9999)
    for word in open('/usr/share/seclists/Fuzzing/4-digits-0000-9999.txt'):
        engine.queue(target.req, word.rstrip())

    # Brute Force (alphabet)
    for word in open('/usr/share/seclists/Fuzzing/char.txt'):
        engine.queue(target.req, word.rstrip())

    # Brute Force (alphanum upper-lower)
    for word in open('/usr/share/seclists/Fuzzing/alphanum-case.txt'):
        engine.queue(target.req, word.rstrip())

    # Null payloads (infinite loop)
    i = 0
    while i < 1:
        engine.queue(target.req, None)

    # Null payloads (100 loops)
    i = 0
    while i < 100:
        engine.queue(target.req, None)
        i += 1


def handleResponse(req, interesting):
    if interesting:
        table.add(req)

Multiple Parameters

Set multipla “%s” to the parameters for brute force.


POST /login HTTP/1.1
...
username=%s&password=%s

# --------------------------------------------------------------

def queueRequests(target, wordlists):
    engine = RequestEngine(endpoint=target.endpoint,
                        concurrentConnections=5,
                        requestsPerConnection=100,
                        pipeline=False
                        )

    for firstWord in open('/path/to/usernames'):
    for secondWord in open('/path/to/passwords'):
        engine.queue(target.req, [firstWord.rstrip(), secondWord.rstrip()])


def handleResponse(req, interesting):
    # currently available attributes are req.status, req.wordcount, req.length and req.response
    if req.status != 404:
        table.add(req)

Useful BApps

To install them, move to “Extender” → “BApp Store”.

Decoder Improved
Turbo Intruder

Download Request Data for Sqlmap

When using Sqlmap, you'll be able to use the downloaded file.

# On Burp Suite

1. Right click in the request field.
2. Click "Add item" or "Copy to file" to download the request url, headers, so on.
3. Save as "request.txt" (this is arbitrary).

# ----------------------------------

# On your terminal

sqlmap -r request.txt
Twitter GitHub

Tools by HDKS

Fuzzagotchi

Automatic web fuzzer.

aut0rec0n

Auto reconnaissance CLI.

Hash Cracker

Hash identifier.