Common Identifiers

Common Files

Look at:

  • robots.txt

  • .well-known/apple-app-site-association

    • Nearly every website that has a corresponding Apple mobile app serves this file

Headers

View the HTTP response headers to see what they reveal about the server.

For HTTP headers (end the request with an empty line, i.e. press Enter twice after the Host header):

netcat [ip or domain] [port]
GET / HTTP/1.1
Host: [ip or domain]

For HTTPS headers:

openssl s_client -connect [ip or domain]:443
GET / HTTP/1.1
Host: [ip or domain]

If responses don't come back the way they do in the browser (e.g. a 403 instead of a 404), there might be a WAF (web application firewall) in front of the site. In that case, mimic the browser: send a User-Agent string and the other headers a browser would.

Tip: You can copy any request as a curl command from Firefox's network tab.

Interesting Headers:

  • X-Frame-Options

    • Might prevent you from doing clickjacking attacks

  • Content-Security-Policy

    • Can block some client-side attacks, depending on how strict the policy is.
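The header checks above (technology-disclosing headers, the default PHP session cookie name, and the two protective headers) turned into a small audit script. This is an added example, not code from the Leet Sheet: it parses a raw HTTP/1.x response of the kind `netcat` or `openssl s_client` prints and reports what fingerprints the stack and what protection is absent. Both sample responses are constructed; the cookie-name check matches PHPSESSID (PHP's `session.name` default) as well as the longer spelling used on this page, and also covers a few other frameworks' default cookie names as a generalization.

```python
"""Header hygiene check for the identifiers this page describes.

Added example (not from the original Leet Sheet): parse a raw HTTP/1.x
response as printed by `netcat` or `openssl s_client`, and report headers
that fingerprint the stack (Server, X-Powered-By, default session cookie
names) plus the protective headers that are absent. Sample responses are
constructed for the example.
"""
import re
from dataclasses import dataclass

# Constructed: a leaky default LAMP-style response.
LEAKY_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "X-Powered-By: PHP/5.4.45\r\n"
    "Set-Cookie: PHPSESSID=0123456789abcdef; path=/\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html><body>hello</body></html>"
)

# Constructed: the same server after `ServerTokens Prod` (Apache),
# `expose_php = Off` (php.ini), a renamed session cookie (`session.name`)
# and the two protective headers added.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Set-Cookie: sid=0123456789abcdef; path=/; HttpOnly; Secure\r\n"
    "X-Frame-Options: DENY\r\n"
    "Content-Security-Policy: default-src 'self'; frame-ancestors 'none'\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html><body>hello</body></html>"
)

# Technology-revealing headers and well-known default session cookie names.
TECH_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-generator")
DEFAULT_SESSION_COOKIES = re.compile(
    r"^(PHPSESS(ION)?ID|JSESSIONID|ASP\.NET_SessionId|CFID|CFTOKEN)$", re.IGNORECASE
)


@dataclass(frozen=True)
class Finding:
    header: str  # lower-cased header name
    value: str   # offending value, or "" when the header is missing
    note: str    # why it matters


def parse_response(raw: str) -> tuple[int, dict[str, list[str]]]:
    """Return (status_code, headers) from a raw HTTP/1.x response.

    Header names are lower-cased; repeated headers (Set-Cookie) are kept
    as a list. Lines without a colon are ignored.
    """
    head, _sep, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers: dict[str, list[str]] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers


def audit_headers(raw: str) -> list[Finding]:
    """List fingerprinting leaks and missing protections in one response."""
    _status, headers = parse_response(raw)
    findings: list[Finding] = []

    # 1. Headers that name the stack; a version number makes them worse.
    #    A bare "Server: Apache" (what ServerTokens Prod gives) is tolerated.
    for name in TECH_HEADERS:
        for value in headers.get(name, []):
            if re.search(r"\d+\.\d+", value):
                findings.append(Finding(name, value, "discloses product and version"))
            elif name != "server":
                findings.append(Finding(name, value, "discloses technology"))

    # 2. Default session cookie names identify the framework.
    for cookie in headers.get("set-cookie", []):
        cookie_name = cookie.split("=", 1)[0].strip()
        if DEFAULT_SESSION_COOKIES.match(cookie_name):
            findings.append(Finding("set-cookie", cookie_name, "default framework session cookie name"))

    # 3. Framing protection: X-Frame-Options or a CSP frame-ancestors directive.
    csp = " ".join(headers.get("content-security-policy", []))
    if "x-frame-options" not in headers and "frame-ancestors" not in csp:
        findings.append(Finding("x-frame-options", "", "missing; page can be framed (clickjacking)"))
    if not csp:
        findings.append(Finding("content-security-policy", "", "missing"))
    return findings


if __name__ == "__main__":
    for label, raw in (("leaky", LEAKY_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"== {label} ==")
        for f in audit_headers(raw):
            print(f"  {f.header}: {f.value or '<absent>'}  ({f.note})")
```

Run it as-is to see the five findings on the leaky response and none on the hardened one; to audit a live host, paste the header block that `netcat` or `openssl s_client` printed into `audit_headers`.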

Confirm Use of PHP

PHP Easter Eggs

Note: ONLY WORKS BEFORE PHP 5.5.

Taken from documentation about how to hide PHP usage: if expose_php hasn't been set to off in the Apache conf file (which also hides .php extensions), then you can append this as a query string to get PHP info: ?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000 . There are other easter eggs as well.

Default Headers

The PHP session ID cookie's name defaults to "PHPSESSIONID".

The website might send an "X-Powered-By: PHP" header in its HTTP responses.

Vendor Identifiers

If the site you are looking at was built by a third-party vendor, you might see a variant of "Powered by Third-Party-Developer-Company" somewhere at the bottom of the home page.

Use this to find out which frameworks and version numbers the vendor uses.

If the vendor is a software development company, they may have left behind an admin user or test account for customer support purposes. Take this into account when enumerating usernames. For example, if the contractor company was called "Example Developers", then try 001Example, Example001, 00example, example00 and so on.