Hello and welcome to another one of my contributions. This time, we're going to focus on how to discover web application vulnerabilities.
If you haven't read my last contribution on how to manually perform SQL Injection, I recommend doing that after reading this. It's easy to have a tool do the work for you, but you also have to learn how to do it manually - Link: Manually SQL Injection
Let's start... First, I want to introduce you to some well-known web application vulnerabilities:
- SQL Injection
- XSS (cross-site scripting)
- RFI (remote file inclusion)
- LFI (local file inclusion)
In addition to these, you can attack a login panel using brute force to try out passwords, usernames etc. If you don't know what these are, I recommend you to search for them and PM me with any questions you may come up with.

Discovering vulnerabilities can be quite a challenge when it comes to doing it all manually. I will give you insight into how you can do it with a short overview, but not take you through the actual performance.

Website Lookie Lookie - It's just a name I came up with, but it actually has a point here...

Let's say that we're going to our website https://target.com (not the retailer called Target, but our target). We see a bunch of stuff and want to take a look around. We go to an example "news" section, and our URL bar will say something like "https://target.com/news/".

Arrh damn... we have to look even more, so let's check if there's anything in one of their articles. We click on one of them. The bar now says something we might work with, "https://target.com/news/article.php?id=10" for example. Let's try to work with it.
https://target.com/news/article.php?id=10' (We added ' to it to see if an error actually shows up. If you don't know the errors and how they look, check out my contribution on manually performing SQL Injection.)
Maybe our vuln was there and an error came up, or maybe not. We can keep searching around like this until we actually find what we're looking for.

Google Dorking - Is one of many favorites and super easy to use.

I have my own private dorks for this and am not going to share these, but I will upload free public information for your use and give you an understanding of the "how to."

So, let's go to our friend https://google.com. We really want to find our vuln, since maybe we could not find it manually. We're going to try to search for it using Google. We saw our target using PHP when we were searching manually, but we want to make sure that there are no other types like ASPX or ASP. We could do it like this:
site:target.com ext:asp ext:php
Let's say it seems that our target is also using ASP. We want to work with that first, since it wasn't what we could see directly on the website when searching around to get an overview of our target. When we Google dorked it, we saw that one of the links might have ended with something like asp?id=, so we're going to search for that:
site:target.com inurl:asp?id=
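Both of the checks above leave a trace on the server side: the parameterised .php/.asp pages a site:/ext:/inurl: dork surfaces are exactly the endpoints in your own access logs, and a ' appended to an id parameter arrives as a request with an odd value, usually followed by a 500. The following is an added example in Python, not code from the original post, that runs the defender's version of both over access-log lines: it inventories which script extensions and parameterised endpoints are exposed, and flags requests whose parameter values carry SQL-probe characters, together with the response status. The log lines, client addresses, hostnames and paths are all constructed for this example.

```python
import posixpath
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed sample of "combined" access-log lines for our own site.
# Addresses, paths and timestamps are invented for this example.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2024:10:01:12 +0000] "GET /news/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2024:10:01:20 +0000] "GET /news/article.php?id=10 HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2024:10:02:03 +0000] "GET /legacy/product.asp?id=42 HTTP/1.1" 200 3321 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2024:10:02:09 +0000] "GET /news/article.php?id=10' HTTP/1.1" 500 211 "-" "curl/8.4.0"
198.51.100.7 - - [10/Mar/2024:10:02:15 +0000] "GET /legacy/product.asp?id=42%27 HTTP/1.1" 500 198 "-" "curl/8.4.0"
192.0.2.9 - - [10/Mar/2024:10:03:00 +0000] "GET /about.html HTTP/1.1" 200 1500 "-" "Mozilla/5.0"
"""

# Matches the fixed prefix of a combined-format line: client, timestamp,
# request line and status code. The request target is everything after the
# method up to the next space, so a raw ' in the query string is captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Characters that have no business in a numeric id parameter and are the
# classic first probe for an SQL error (after URL-decoding).
PROBE_MARKERS = ("'", '"', "--", "/*")


def parse_log(text):
    """Turn raw log text into dicts with client, path, decoded params, status."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip it
        parts = urlsplit(m.group("target"))
        entries.append({
            "ip": m.group("ip"),
            "path": parts.path,
            # parse_qsl percent-decodes, so id=42%27 becomes ("id", "42'")
            "params": parse_qsl(parts.query, keep_blank_values=True),
            "status": int(m.group("status")),
        })
    return entries


def inventory(entries):
    """Group parameterised endpoints by script extension.

    This is what ext:php / inurl:asp?id= would reveal to an outsider,
    built from our own logs instead: {ext: {path: [param names]}}.
    """
    by_ext = defaultdict(lambda: defaultdict(set))
    for e in entries:
        ext = posixpath.splitext(e["path"])[1].lstrip(".").lower()
        if not ext or not e["params"]:
            continue  # directories and static pages without parameters
        by_ext[ext][e["path"]].update(name for name, _ in e["params"])
    return {ext: {p: sorted(names) for p, names in paths.items()}
            for ext, paths in by_ext.items()}


def probe_events(entries):
    """Return requests whose decoded parameter values contain probe markers."""
    findings = []
    for e in entries:
        for name, value in e["params"]:
            if any(marker in value for marker in PROBE_MARKERS):
                findings.append({
                    "ip": e["ip"], "path": e["path"], "param": name,
                    "value": value, "status": e["status"],
                })
    return findings


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for ext, paths in inventory(entries).items():
        print(f"[inventory] .{ext}: {dict(paths)}")
    for f in probe_events(entries):
        # A 500 right after the probe is the server-side view of the error
        # the attacker is looking for.
        print(f"[probe] {f['ip']} {f['path']} {f['param']}={f['value']!r} -> {f['status']}")
```

The inventory tells you which parameterised scripts a dork would find before someone else runs one; the probe list is the signal to alert on, and a 500 paired with a quote in an id parameter is worth treating as a confirmed error leak until the script is fixed with parameterised queries.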
Now, we simply check each one of them to see if we find anything good here. Like I said, I have some methods that I simply don't share. So, I would do it differently, but when you get good at this, you might find hidden tricks of your own. Here's a link to the Google Hacking Database: https://www.exploit-db.com/google-hacking-database/ You can always just search Google for "google dorks", which are shared on Pastebin and social networks.

Scanners - There are a lot of scanners out there, and if you have taken courses, you will know the names and how to use them.

One that's a really advanced scanner, and one of my favorites, is Acunetix. It has many features for your use: https://www.acunetix.com

Another to look at is Qualys: Qualys.com/ It's very good, super easy to use and will give you what you search for.

Finish your courses on Cybrary so you'll also know tools like Nikto and all that.

Thanks! If you have any questions, you can always PM me. I'll be available all the time, whether it's about this, my other contributions or anything else.