Limited Scope Web Application Recon - How & Why?
Most of us have heard of reconnaissance, the very first step when starting on any target. Hearing "recon", we usually picture subdomain enumeration: active, passive, permutation, resolution, horizontal and vertical, and what not. But what happens when you are put in a closed box, with no space to breathe and just a few holes for light to pass through?
We welcome you to Limited Scoped Targets!
By limited scope we mean a single domain or host, or sometimes just one specific endpoint that is allowed to be tested. There is a small difference between recon for a limited-scope target and recon for a black-box target (for example, scope restricted to an unauthenticated login panel with no credentials provided); we will come back to that at the end, after we have discussed the recon methods.
A small scope sounds like a very limited space to live in, but it is actually quite the opposite: even on a very limited scope we can gather a lot of active and passive information about that specific asset. Let's dive in!
Service Fingerprinting
A dynamic web application runs on top of many different services and technologies (web server, language runtime, framework, CMS, client-side libraries), and every one of them can introduce its own vulnerabilities into the application.
For example: if you know the application is built on a CMS (WordPress, Drupal, etc.), you can look up CVEs for the exact version in use. Or you see that the application uses AngularJS, which means client-side template injection (CSTI) is worth testing for (a server-side template engine would likewise point toward SSTI). Knowing the services and technologies in use helps you build an attack methodology for the target.
Nuclei running Technology Detection template
Making use of gathered information
Exploiting a Path Traversal Vulnerability after we fingerprinted a service version
Tools: Wappalyzer, Nuclei
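The idea behind Wappalyzer and nuclei's technology templates, as an added example that is not part of the original post or of either tool: match a handful of regex signatures against response headers and body and pull out version strings. The response below is constructed for the example (the headers, paths and version numbers are made up), and the signature list is deliberately tiny compared with the real tools.

```python
import re

# Constructed sample response (not captured from any real site): the headers and
# body are made up so the example runs offline. Swap in a real response from
# requests/httpx to use it on a target you are allowed to test.
SAMPLE_HEADERS = {
    "Server": "Apache/2.4.41 (Ubuntu)",
    "X-Powered-By": "PHP/7.4.3",
    "Set-Cookie": "wordpress_test_cookie=WP+Cookie+check; path=/",
}
SAMPLE_BODY = """<html><head>
<meta name="generator" content="WordPress 5.8.1" />
<link rel="stylesheet" href="/wp-content/themes/twentytwenty/style.css?ver=1.5" />
<script src="/wp-includes/js/jquery/jquery.min.js?ver=3.6.0"></script>
<script src="https://ajax.googleapis.com/ajax/libs/angularjs/1.8.2/angular.min.js"></script>
</head><body ng-app>...</body></html>"""

# (technology, where to look, regex). The first non-empty capture group, if any,
# is taken as the version string. Signatures are deliberately small; Wappalyzer
# and nuclei's technology templates carry thousands of these.
SIGNATURES = [
    ("Apache", "header:Server", r"Apache/([\d.]+)"),
    ("nginx", "header:Server", r"nginx/([\d.]+)"),
    ("PHP", "header:X-Powered-By", r"PHP/([\d.]+)"),
    ("WordPress", "body", r'<meta name="generator" content="WordPress ([\d.]+)"'),
    ("WordPress", "body", r"/wp-(?:content|includes)/"),
    ("WordPress", "header:Set-Cookie", r"\bwordpress_"),
    ("jQuery", "body", r"jquery(?:[.-]([\d.]+))?\.min\.js(?:\?ver=([\d.]+))?"),
    ("AngularJS", "body", r"angular(?:js)?/([\d.]+)/angular(?:\.min)?\.js|\bng-app\b"),
]


def fingerprint(headers, body):
    """Return {technology: version or None}; a version-less match never
    overwrites a versioned one for the same technology."""
    found = {}
    for name, where, pattern in SIGNATURES:
        if where == "body":
            haystack = body
        else:
            haystack = headers.get(where.split(":", 1)[1], "")
        m = re.search(pattern, haystack, re.IGNORECASE)
        if not m:
            continue
        version = next((g for g in m.groups() if g), None)
        if name not in found or (found[name] is None and version):
            found[name] = version
    return found


if __name__ == "__main__":
    for tech, ver in sorted(fingerprint(SAMPLE_HEADERS, SAMPLE_BODY).items()):
        # e.g. "WordPress 5.8.1" is what you then search the CVE databases for
        print(tech, ver or "(version unknown)")
```

The version is the part that matters: "WordPress" alone tells you which wordlists and checks to run, "WordPress 5.8.1" tells you which CVEs to read. Note that header names are looked up exactly as given, so normalise header casing before feeding a real response in.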
Directory & File Fuzzing
A website is composed of numerous directories serving different unauthenticated and authenticated resources, and both the meaningful and the random ones tend to hold junk that nobody removed before deploying to production. You get the idea?
For example: quite often directories that should require authentication are left with directory listing enabled because of a misconfigured server, and sensitive files are left on the production server without any authentication. You can find open directories with database dumps, sensitive files, open dashboards and more. Even when an attacker does not know the exact names of the directories or files, they can always guess. That sounds like a lot of work, but not with automation!
Content Discovery using FFUF & Seclists
“Never send a human to do a machine’s job”
Tools: Dirsearch, Gobuster, RustBuster, FFUF (Recommended)
Wordlists: AssetNote, SecLists
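What a content-discovery tool does under the hood, as an added example (this is not ffuf's code and not part of the original post): walk a wordlist, but first calibrate against random paths that cannot exist, so that a "soft 404" (HTTP 200 with a fixed "not found" page) does not flood the output. The mock site and the mini wordlist below are constructed for the example; `mock_fetch` stands in for a real HTTP GET.

```python
import secrets

# Constructed mock target (not a real site): path -> (status, body). Every other
# path returns a "soft 404": HTTP 200 with a fixed-size "not found" page, which
# is exactly what drowns fuzzing output unless you calibrate first.
MOCK_SITE = {
    "/admin/": (200, "<h1>Admin login</h1>"),
    "/backup/": (200, "<title>Index of /backup</title><a href='db.sql'>db.sql</a>"),
    "/api/": (401, "unauthorized"),
    "/.git/HEAD": (200, "ref: refs/heads/main\n"),
    "/old/": (403, "forbidden"),
}
SOFT_404 = (200, "<html><body>Sorry, that page was not found.</body></html>")

# Constructed mini wordlist; in practice feed SecLists or the AssetNote lists.
WORDLIST = ["admin/", "images/", "backup/", "login/", "api/", "uploads/",
            ".git/HEAD", "old/", "test/"]


def mock_fetch(path):
    """Stand-in for an HTTP GET; replace with requests.get(base + path)."""
    return MOCK_SITE.get(path, SOFT_404)


def calibrate(fetch, probes=3):
    """Request paths that cannot exist and record what 'nothing here' looks like
    as (status, body length) pairs. This is what ffuf's -ac flag automates."""
    baseline = set()
    for _ in range(probes):
        status, body = fetch("/" + secrets.token_hex(8) + "/")
        baseline.add((status, len(body)))
    return baseline


def fuzz(fetch, wordlist):
    """Return the wordlist entries whose response differs from the baseline."""
    baseline = calibrate(fetch)
    hits = []
    for word in wordlist:
        path = "/" + word
        status, body = fetch(path)
        if status == 404 or (status, len(body)) in baseline:
            continue  # indistinguishable from the soft 404, so not interesting
        hits.append({
            "path": path,
            "status": status,
            "length": len(body),
            "listing": "Index of" in body,  # directory listing left enabled
        })
    return hits


if __name__ == "__main__":
    for hit in fuzz(mock_fetch, WORDLIST):
        print(hit)
```

Note that a 401 or 403 is still a hit: it proves the path exists, which is exactly what you want to know before trying the header tricks described later in this post.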
URL Enumeration
The Internet Archive (the Wayback Machine) is constantly scraping the web and taking snapshots of pages over time. This archive is a great dump of files, directories and parameters that were in use before or are still in use now. Services such as urlscan.io and AlienVault OTX also crawl the web and keep URL lists.
Found a mass user invoice leak using OTX: https://otx.alienvault.com/otxapi/indicator/hostname/url_list/$TargetDomain?limit=100&page=1
We can also run active crawlers to crawl the website recursively in real time.
The collected URLs tell us more about the application: once we find a bug we can look for similar endpoints, we can hunt for deprecated endpoints (which might still be reachable), and the URLs give us parameters to reuse on other endpoints when testing for bugs like XSS, SQLi, SSRF and more.
Tools (Passive): GAU, WayMore (Recommended)
Tools (Active): Burp Suite Spider/Scanner, Hakrawler, Katana (Recommended)
Tips: If your target has country-code TLDs such as .eu, .in or .br, collect URLs from every TLD, because the archived results differ from domain to domain (not every URL is archived for every domain). Since it is the same codebase, URLs collected from one domain can be replayed against another, so the enumeration yields far more in total.
It also helps to find unique endpoints for similar kinds of functionality.
Output for xyz.com.br
Output for xyz.cn (Same Codebase)
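The cross-TLD trick above, as an added example that is not part of the original post: take the URL lists collected for each domain, deduplicate them by path plus parameter names (values change per domain, names do not), rehost everything on the in-scope domain and record which TLDs each endpoint was archived for. The URL lists and the `xyz.com` in-scope host are constructed for the example.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed sample of what gau/waymore might return for two country TLDs of the
# same application (these URLs are made up for the example).
COLLECTED = {
    "xyz.com.br": [
        "https://xyz.com.br/account/orders?page=2&sort=date",
        "https://xyz.com.br/static/app.js",
        "http://xyz.com.br/search?q=shoes",
        "https://xyz.com.br/legacy/export.php?format=csv",
    ],
    "xyz.cn": [
        "https://xyz.cn/search?q=%E9%9E%8B",
        "https://xyz.cn/account/invoice?id=10023",
        "https://xyz.cn/static/app.js?v=3",
        "https://xyz.cn/account/orders?page=1",
    ],
}
IN_SCOPE = "xyz.com"  # hypothetical in-scope host everything gets replayed against


def endpoint_key(url):
    """Identity of an endpoint: path plus the set of parameter names.
    Values differ per domain and per visitor, names do not."""
    parts = urlsplit(url)
    names = tuple(sorted({k for k, _ in parse_qsl(parts.query, keep_blank_values=True)}))
    return parts.path, names


def merge(collected, target):
    """Deduplicate endpoints across all TLDs, rehost them on `target` and record
    which domains each one was archived for."""
    merged = {}
    for domain, urls in collected.items():
        for url in urls:
            parts = urlsplit(url)
            key = endpoint_key(url)
            if key not in merged:
                # keep the first query seen so each parameter carries a realistic value
                query = urlencode(parse_qsl(parts.query, keep_blank_values=True))
                merged[key] = {
                    "url": urlunsplit(("https", target, parts.path, query, "")),
                    "seen_on": set(),
                }
            merged[key]["seen_on"].add(domain)
    return merged


def only_on(merged, domain):
    """Endpoints archived for exactly one domain: the ones you would have missed
    by enumerating the in-scope TLD alone."""
    return sorted(v["url"] for v in merged.values() if v["seen_on"] == {domain})


if __name__ == "__main__":
    merged = merge(COLLECTED, IN_SCOPE)
    for key, info in sorted(merged.items()):
        print(info["url"], "<-", ",".join(sorted(info["seen_on"])))
```

The `only_on` view is the payoff: on this sample the `.cn` archive is the only place the invoice endpoint and the versioned `app.js` show up, so an enumeration of the in-scope host alone would never have surfaced them.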
Javascript File Recon
After collecting URLs from passive and active sources, we can pull out all the JavaScript files from both. JavaScript files are sometimes a goldmine for hardcoded credentials and API keys, and they often leak unauthenticated endpoints that return sensitive data. Reading them also gives insight into the filtering applied in the DOM and lets us look for DOM sinks.
Javascript Static Analysis
Exploiting Reflected XSS
Tools: JSParser, LinkFinder (Recommended), SecretFinder (Recommended)
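The three things the section above says to pull out of a JavaScript file (endpoints, secrets, DOM source-to-sink flows), as an added example that is not LinkFinder's or SecretFinder's code and not part of the original post. The JavaScript is constructed for the example: the AWS key is AWS's own documented example key and the other tokens are made-up strings in the right shape, so nothing here is a live secret.

```python
import math
import re

# Constructed JavaScript (not from any real site). The AWS key is AWS's own
# documented example key and the other tokens are made-up strings in the right
# shape, so nothing here is a live secret.
SAMPLE_JS = r'''
(function () {
  var API_BASE = "/api/v2";
  var endpoints = ["/api/v2/users/me", "/api/v2/admin/export?format=csv", '/internal/debug'];
  fetch("/api/v2/orders/" + orderId + "/invoice");
  var cfg = { apiKey: "AIzaSyA-c0nstructedSampleKey1234567890a", debug: false };
  var token = "ghp_" + "notarealtoken";   // split strings defeat naive regexes
  var AWS_KEY = "AKIAIOSFODNN7EXAMPLE";
  var sessionSecret = "q8Zl2mV9xK3pR7tB1nW5yH0cJ4dF6gS";
  var padding = "aaaaaaaaaaaaaaaaaaaaaaaaaaaa";
  document.getElementById("out").innerHTML = location.hash.slice(1);
})();
'''

# Quoted absolute paths: a cut-down version of what LinkFinder looks for.
ENDPOINT_RE = re.compile(r'''["'](/[A-Za-z0-9_./?=&%-]+)["']''')
# Well-known key shapes, the SecretFinder/TruffleHog style of detection.
NAMED_SECRETS = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "google-api-key": re.compile(r"\bAIza[0-9A-Za-z_-]{35}"),
    "github-token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
}
# Any quoted string long enough to be a credential, judged by entropy.
QUOTED_RE = re.compile(r'''["']([^"'\s]{20,})["']''')
# DOM XSS: a tainted source flowing into a dangerous sink on the same line.
DOM_SINKS = re.compile(r"\.(?:innerHTML|outerHTML)\s*=|document\.write\(|\beval\(|\.insertAdjacentHTML\(")
DOM_SOURCES = re.compile(r"location\.(?:hash|search|href)|document\.(?:URL|referrer)|window\.name")


def shannon_entropy(s):
    """Bits per character; random keys score ~4.5+, words and paths much lower."""
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))


def extract_endpoints(js):
    return sorted(set(ENDPOINT_RE.findall(js)))


def find_secrets(js, min_entropy=4.0):
    found, covered = [], set()
    for label, rx in NAMED_SECRETS.items():
        for m in rx.finditer(js):
            found.append((label, m.group(0)))
            covered.add(m.group(0))
    for s in QUOTED_RE.findall(js):
        if s.startswith("/") or any(k in s for k in covered):
            continue  # a path, or already reported under a named pattern
        if shannon_entropy(s) >= min_entropy:
            found.append(("high-entropy", s))
    return found


def find_dom_sink_lines(js):
    return [ln.strip() for ln in js.splitlines()
            if DOM_SINKS.search(ln) and DOM_SOURCES.search(ln)]


if __name__ == "__main__":
    print("endpoints:", extract_endpoints(SAMPLE_JS))
    print("secrets:", find_secrets(SAMPLE_JS))
    print("dom sinks:", find_dom_sink_lines(SAMPLE_JS))
```

Two caveats the sample is built to show: the split `"ghp_" + "..."` token is missed by the shape-based regex, so entropy scoring (or just reading the file) still matters, and the same-line source/sink check is a triage heuristic, not a taint analysis; a `location.hash` read on one line and an `innerHTML` write ten lines later needs a human or a proper DOM-flow tool.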
Mining Parameters
It is not guaranteed that the parameters passed by default are all the parameters in use. Often parameters remain hidden for various purposes and are not directly used by any visible functionality.
We can go through the JavaScript code (variable names are often reused as parameter names) and hidden input fields to find possible hidden parameters. We can also brute-force parameter names with a suitable wordlist.
X8 found a reflecting parameter ‘locale’
Found reflected XSS using the locale parameter. Once we have enumerated candidate parameters based on observations such as the value being reflected or the content length changing, we can test each parameter for the vulnerabilities that fit its behaviour.
Tips: Always try the same parameter in both GET and POST requests to the exact same endpoint. Developers sometimes accept a parameter via both methods but only filter one of them, which leaves unfiltered input that can lead to XSS where the value is reflected, and to SQLi or LFI where it is not filtered at all.
GET vs POST filter
CSRF to trigger the POST request
Successful POST based Reflected XSS
Tools: Arjun, X8 (Recommended)
Header Discovery
HTTP headers can be a good attack vector when they are handled insecurely. Some headers are honoured by the application for specific purposes but are not sent with every request; we can still guess them and find the ones the application accepts.
If the Host header is reflected in the page it can lead to Host header injection, which in turn enables password reset poisoning, or web cache poisoning when a cache sits in front. Even where the Host header is validated, the check can often be bypassed when headers like X-Host or X-Forwarded-Host are also honoured.
X-Forwarded-Host was available to be used
The injected host is reflected inside a script src. Simply hosting a JS file with that name on our server lets us take control of the DOM.
The server also caches the response, making the injection persistent for every visitor.
It does not stop there: headers like X-Forwarded-For can sometimes be used to bypass 403 Forbidden endpoints as well.
Using “X-Forwarded-For: localhost” for 403 Bypass
Tools: Param Miner
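Both the parameter-mining section and the header-discovery section above rely on the same probe: add one candidate with a random canary, compare against a baseline request, and flag reflection, a change in content length or a change in status code. This added example (not x8's, Arjun's or Param Miner's code and not part of the original post) implements that probe once and reuses it for query parameters, body parameters and headers, then adds the two follow-ups the sections describe: the GET-versus-POST filtering check and the X-Forwarded-For 403 bypass. `mock_app` and the `xyz.com` host are constructed stand-ins for the target.

```python
import secrets
from html import escape

TARGET_HOST = "xyz.com"  # hypothetical in-scope host


def mock_app(method, path, params, headers):
    """Constructed stand-in for the target (not a real site). Replace with a
    function that performs the HTTP request and returns (status, body)."""
    if headers.get("Host", TARGET_HOST) != TARGET_HOST:
        return 400, "bad host"  # Host itself is validated ...
    host = headers.get("X-Forwarded-Host", TARGET_HOST)  # ... but this one is trusted
    if path == "/admin":
        if headers.get("X-Forwarded-For") in ("127.0.0.1", "localhost"):
            return 200, "<h1>admin</h1>"
        return 403, "forbidden"
    body = f'<html><script src="https://{host}/static/app.js"></script>'
    if "locale" in params:
        # GET is HTML-escaped, POST reaches the page raw: the GET vs POST tip above
        value = params["locale"]
        body += f"<p>{escape(value) if method == 'GET' else value}</p>"
    if "debug" in params:
        body += "<!-- debug mode: sql=SELECT 1 -->"  # changes length, no reflection
    return 200, body + "</html>"


def probe(app, method, path, name, where):
    """Send one candidate with a random canary and compare against a baseline
    request: reflection and a length delta are the signals x8/Arjun/Param Miner use."""
    canary = "c" + secrets.token_hex(6)
    base_status, base_body = app(method, path, {}, {})
    params = {} if where == "header" else {name: canary}
    headers = {name: canary} if where == "header" else {}
    status, body = app(method, path, params, headers)
    return {"method": method, "where": where, "name": name,
            "status": (base_status, status),
            "reflected": canary in body,
            "delta": len(body) - len(base_body)}


def mine(app, path, param_names, header_names):
    """Try every candidate as a GET query parameter, a POST body parameter and
    (for header names) a request header; keep whatever changed the response."""
    hits = []
    for method, where in (("GET", "query"), ("POST", "body")):
        for name in param_names:
            r = probe(app, method, path, name, where)
            if r["reflected"] or r["delta"]:
                hits.append(r)
    for name in header_names:
        r = probe(app, "GET", path, name, "header")
        if r["reflected"] or r["delta"] or r["status"][0] != r["status"][1]:
            hits.append(r)
    return hits


def reflects_raw(app, method, path, name):
    """Second stage for a reflected parameter: does an HTML tag survive unescaped?"""
    marker = "<c" + secrets.token_hex(4) + ">"
    _, body = app(method, path, {name: marker}, {})
    return marker in body


def bypass_403(app, path):
    """Try the usual source-IP spoofing headers against a forbidden path."""
    attempts = [("X-Forwarded-For", "127.0.0.1"), ("X-Forwarded-For", "localhost"),
                ("X-Originating-IP", "127.0.0.1"), ("X-Real-IP", "127.0.0.1")]
    for name, value in attempts:
        status, _ = app("GET", path, {}, {name: value})
        if status < 400:
            return name, value, status
    return None


if __name__ == "__main__":
    for hit in mine(mock_app, "/", ["locale", "debug", "lang"], ["X-Forwarded-Host", "X-Host"]):
        print(hit)
    print("raw GET:", reflects_raw(mock_app, "GET", "/", "locale"),
          "raw POST:", reflects_raw(mock_app, "POST", "/", "locale"))
    print("403 bypass:", bypass_403(mock_app, "/admin"))
```

Using a fresh random canary per probe matters: a fixed marker string gets cached, logged and sometimes blocked by a WAF, and a canary that already appears in the page would give a false positive. The `delta` signal is what catches `debug`, which never echoes the value but still changes the page, and the status comparison is what turns a header probe into a 403-bypass lead.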
Dorking
We can look for credentials and API keys by dorking the internet with specific patterns. A company, or its employees, may have GitHub accounts; we can search them for sensitive data such as usernames and passwords, API secrets and access tokens. Developers also frequently take notes or share sensitive material through services like Pastebin and leave it public, so Google dorks for leaks like these are worth running too.
Tools: Manual Dorking (Recommended), TruffleHog
Breached Data / Malware Data
Very few companies in the world have never gone through a data breach, and even where the company itself stayed safe, many of its employees have been hit by malware. Breach data is sometimes made public or sold on the dark web for anyone to access. Red Sentry provides a scanner that monitors for leaked credentials given just the domain name.
It scans the dark web data sources and reports all the leaked credentials it finds for the domain, if there are any.
Found leaked credentials.
Interested in checking out our Red Sentry Scanner? Try Here!