# Web Application (80/443)

Set the target variable first:

* Normal URL

  `export URL=http://<web url>`
* File fuzzing

  `export URL=http://<web url>/FUZZ`
* Directory fuzzing

  `export URL=http://<web url>/FUZZ/`

## Manual Checking

### Grep a username or subdomain

```
# pull every link to a *.worker.htb host out of the page (dots escaped so they match literally)
curl -s "$URL" | grep -oE 'https?://[A-Za-z0-9.-]*\.worker\.htb'

# list the JavaScript files the page references (the pattern must be quoted, or the shell globs it)
curl -s "$URL" | grep -oE '[A-Za-z0-9_./-]+\.js'
```

### Important files

```
robots.txt
.svn
.DS_Store
cgi-bin/
.git

# check which backend is in use
index.php
index.html
```

### Additional Checks

* Check the copyright notice of the web app and search for the version
* Search the version together with its changelog

  example: FreePBX 2.8.1.4 changelog

  maybe you will discover juicy info about the vulnerabilities of the last version
* Check cookies
* Check the dates in the pictures
* Check the backend language
* Check the metadata of the pictures
* Check the source code

## Fuzzing

### [Important] Check without excluding the 404 code first, because otherwise you will miss any third-party components. Go on with excluding 404 only if it is an in-house web app

### Wordlist

**big.txt** --> for finding juicy files

**directory-list-2.3-medium.txt** --> for directories

For the next level of wordlists, use **SecLists**.

If SecLists is not installed on your Kali, use these commands:

```
sudo apt install seclists
cp -r /usr/share/seclists /usr/share/wordlists/SecLists
```

### FUZZ Files

```
export URL="http://<web url>/FUZZ"
```

```
wfuzz -c -z file,/usr/share/wordlists/SecLists/Discovery/Web-Content/raft-large-files.txt --hc 404 "$URL"
```

### FUZZ Directory

```
export URL="http://<web url>/FUZZ/"
```

```
wfuzz -c -z file,/usr/share/wordlists/SecLists/Discovery/Web-Content/raft-large-directories.txt --hc 404 "$URL"
```

### FUZZ Subdomain / VHOST

```
export URL="http://<web url>"
```

Using wfuzz:

```
# --hh <size>: hide responses whose length equals the default vhost's response
wfuzz -u "$URL" -H "Host: FUZZ.<domain>.htb" -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt --hh <some number>
```

Using gobuster:

```
gobuster vhost -u <domain> -w /usr/share/wordlists/SecLists/Discovery/DNS/bitquark-subdomains-top100000.txt -t 100
```

### FUZZ Params

If you have found a .php file but it produces no output, fuzz its parameter names, e.g. for:

**/secret/evil.php**

```
export URL="http://$IP/secret/evil.php?FUZZ=../../../../../../../etc/passwd"
```

```
wfuzz -c -z file,/usr/share/wordlists/SecLists/Discovery/Web-Content/burp-parameter-names.txt --hc 404 "$URL"
```

### Subdomain

```
gobuster dns -d realcorp.htb -r 0.10.10.224 -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -o gobuster-dns.out
```
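The other side of the fuzzing above is how loud it is in the server logs. As an added example that is not part of the original notes, here is a small Python detector that reads access-log lines (constructed sample; it assumes a combined log format with the request's Host header appended as a last quoted field) and flags clients that produce bursts of 404s (file/directory wordlists) or many distinct Host values (vhost fuzzing).

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed log format: combined log with the Host header appended as a final quoted field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" "(?P<host>[^"]*)"$'
)

def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def detect_fuzzing(lines, window_s=60, max_404=20, max_hosts=10):
    """Return {client_ip: [reasons]}: many 404s in a window (path wordlists) or many Host values (vhost)."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_ip[rec["ip"]].append(rec)
    findings = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["ts"])
        reasons, start = [], 0
        for end in range(len(recs)):  # sliding time window over this client's requests
            while (recs[end]["ts"] - recs[start]["ts"]).total_seconds() > window_s:
                start += 1
            win = recs[start:end + 1]
            if sum(r["status"] == 404 for r in win) >= max_404 and "path-fuzzing" not in reasons:
                reasons.append("path-fuzzing")
            if len({r["host"] for r in win}) >= max_hosts and "vhost-fuzzing" not in reasons:
                reasons.append("vhost-fuzzing")
        if reasons:
            findings[ip] = reasons
    return findings

def make_sample():
    """Constructed sample log: one scanner sending 25 wordlist paths (all 404), one trying 12 Hosts, one normal client."""
    fmt = '{ip} - - [10/Oct/2023:13:55:{s:02d} +0000] "GET {p} HTTP/1.1" {st} 153 "-" "Mozilla/5.0" "{h}"'
    lines = [fmt.format(ip="10.0.0.5", s=i, p=f"/word{i}", st=404, h="app.worker.htb") for i in range(25)]
    lines += [fmt.format(ip="10.0.0.6", s=i, p="/", st=200, h=f"vh{i}.worker.htb") for i in range(12)]
    lines += [fmt.format(ip="10.0.0.7", s=i, p="/index.php", st=200, h="app.worker.htb") for i in range(3)]
    return lines
```

Tune `max_404` and `max_hosts` to the site's normal traffic; a real deployment would feed `detect_fuzzing` the live log and alert on the returned client IPs.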
