The Nen-Book
  • Whoami
  • Write-ups
    • Intigriti 1337Up 2024
      • Intigriti 1337Up 2024-CTF OSINT Challenges
      • Intigriti 1337Up Live 2024-CTF Web Challenges
    • CyCTF Quals 2024
      • OSINT Challenges CyCTF Quals 2024
      • Old Friend OSINT Challenge CyCTF 2024 Quals Writeup
    • PicoCTF
      • PicoCTF 2024 Web Exploitation Challenges
      • PicoCTF 2024 General Skills Challenges
      • PicoCTF 2021 Web Exploitation Challenges Walkthrough
      • PicoCTF 2019 Web Exploitation Challenges
  • πŸ•ΈοΈWeb_AppSec πŸ•ΈοΈ
    • Web_Recon
    • ATO
    • Backend_Technology_Tips
    • XSS
    • SSRF
    • CSRF
    • XXE
    • SSTI
    • Insecure_Deserialization
    • Open_Redirects
    • Information_Disclosures
    • Rate_Limiting
    • Clickjacking
    • Broken Access Control & IDORS
    • Bash_Scripting
    • Authentication_Vulnerabilities
    • App_Logic_Errors
  • πŸ“ΊNetwork_Pentesting πŸ“Ί
    • Scanning & Enumeration
    • Active_Directory
      • AD_Overview_&_ Lab Build
      • AD_Initial_Attack_Vectors
      • AD_Post-Compromise_Enumeration
      • AD_Post-Compromise_Attacks
    • Buffer_Overflow_Attacks
    • Web_Applications
    • Privilege_Escalation
  • 🌩️Cloud_Security 🌩️
    • AWS Pentesting
  • 🀡APISec 🀡
    • API_Recon
    • Broken_Access_Control & Info_Leaks
  • πŸ”¬Code_Review πŸ”¬
    • Source_Code_Review_101
    • Code Review Tools
  • 🐝Bug_Bounty 🐝
    • Picking_A_BugBounty_Program
    • Writing_A_Good_Report
  • πŸ“‘Purple Teaming & MITRE ATT&CK πŸ“‘
    • Introducing the ATT&CK Framework
    • MITRE Engenuity
    • Threat-Informed Defense
Powered by GitBook
On this page

Was this helpful?

Edit on GitHub
  1. Network_Pentesting πŸ“Ί

Web_Applications

For more Detailed Guide Take a look at Web_Recon

Web App Enum

Web App Enum refers to the process of identifying and categorizing different components and functionalities of a web application, such as pages, forms, input fields, buttons, and links, in order to assess its security posture and potential vulnerabilities.

we can use wappalyzer extension to know the tech of the web app (the OS on which the app is running on , the web server, the Programming language and sometimes the database server ) OR using command line tool whatweb

it’s important to know which database service the app using in order to know it u have to fuzz the app so it replies u with an error

As we speak about fuzzing, let’s fuzz the application to know what directories and files it has we will use wfuzz :

wefuzz -c -z file,usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --hc 404,301,302 http://example.com/FUZZ

or using GUI tool like dirbuster

PreviousBuffer_Overflow_AttacksNextPrivilege_Escalation

Last updated 19 days ago

πŸ“Ί