For web applications, I run these initial checks:
# Stack
curl -IL http://target.com

# Checking the HTML source code.
The Server header can sometimes reveal the exact version of the web server. Vulnerable versions like the one below are rare in the wild, but they are worth looking out for:

Server   Version(s)   Vulnerability
Apache   2.4.49       CVE-2021-41773 (Path Traversal/RCE)

Keep the web server in mind in case you later get the ability to read local files: knowing whether it is Apache, nginx or IIS tells you which configuration files, vhost definitions and access logs are worth requesting.
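Because `-L` follows redirects and `-I` sends a HEAD for each hop, `curl -IL` prints one header block per hop, and the front-end (load balancer, reverse proxy) often reports a different Server header than the backend that finally answers. The following added example (not code from the original page) parses that multi-hop output, pulls the product and version from each Server header and flags the one version the page lists. The curl output is constructed for the demo; the vulnerable-version table contains only the entry shown above.

```python
import re

# Constructed sample of what `curl -IL http://target.com` prints: one header
# block per hop (a 301 from an nginx front-end, then the Apache backend).
SAMPLE_CURL_IL = """HTTP/1.1 301 Moved Permanently
Server: nginx/1.18.0
Location: http://app.target.com/
Content-Length: 0

HTTP/1.1 200 OK
Server: Apache/2.4.49 (Unix)
Content-Type: text/html; charset=UTF-8

"""

# Versions worth looking out for; only the entry the page lists.
KNOWN_VULNERABLE = {
    ("apache", "2.4.49"): "CVE-2021-41773 (Path Traversal/RCE)",
}


def parse_hops(raw):
    """Split curl -IL output into hops; return a list of (status_line, headers)."""
    hops = []
    for block in re.split(r"\r?\n\r?\n", raw.strip()):
        lines = block.splitlines()
        if not lines or not lines[0].startswith("HTTP/"):
            continue
        headers = {}
        for line in lines[1:]:
            if ":" in line:
                name, value = line.split(":", 1)
                # Header names are case-insensitive, so normalise them.
                headers[name.strip().lower()] = value.strip()
        hops.append((lines[0], headers))
    return hops


def server_product(value):
    """'Apache/2.4.49 (Unix)' -> ('apache', '2.4.49'); 'Apache' -> ('apache', None)."""
    m = re.match(r"([A-Za-z][\w.-]*)(?:/(\d+(?:\.\d+)*))?", value)
    if not m:
        return (None, None)
    return (m.group(1).lower(), m.group(2))


def fingerprint(raw):
    """One dict per hop: status line, server product/version, known issue if any."""
    results = []
    for status, headers in parse_hops(raw):
        product, version = server_product(headers.get("server", ""))
        results.append({
            "status": status,
            "product": product,
            "version": version,
            "issue": KNOWN_VULNERABLE.get((product, version)),
        })
    return results


if __name__ == "__main__":
    for hop in fingerprint(SAMPLE_CURL_IL):
        print(hop)
```

A Server header with no version (`Server: Apache`) still yields the product, which is enough to decide which config and log paths to try later; only an exact version match is flagged against the table.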

Directory Fuzzing

feroxbuster --url http://app.com

feroxbuster --url http://app.com -w /path/to/wordlist

feroxbuster --url http://app.com -x php,html,bak,xml,txt
I run two wordlists: directory-list-2.3-medium.txt and common.txt from…? common.txt contains the usual hidden files (.git, .env, backups and so on), so I run it first to get those out of the way before the much larger directory list.

Subdomain/VHost Fuzzing

ffuf -u http://10.10.10.10 -w /path/to/wordlist:FUZZ -H 'HOST: FUZZ.domain.local'
For subdomains/vhosts, I use https://github.com/n0kovo/n0kovo_subdomains. ffuf also has the option -mc all, which matches every status code instead of the default set (2xx, 301, 302, 307, 401, 403, 405, 500). This is helpful for catching vhosts that host an API, since those typically answer an unexpected path with a 400 or 404 and would otherwise be filtered out. Because -mc all makes every guess match, filter out the default vhost's response with -fs <size> (or -fw/-fl), using the size you get for a hostname that does not exist.
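To make the -mc all plus baseline-size filtering point concrete, here is an added example (not code from the original page or from ffuf) that stands up a small local HTTP server behaving like three vhosts behind one IP, then fuzzes the Host header against a constructed wordlist the way ffuf does. The hostnames api.domain.local and admin.domain.local, the wordlist and the responses are all assumptions for the demo; 127.0.0.1 stands in for the 10.10.10.10 target.

```python
import json
import random
import string
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen


class VHostHandler(BaseHTTPRequestHandler):
    """Constructed target: one listener, behaviour keyed on the Host header."""

    def do_GET(self):
        host = self.headers.get("Host", "").split(":")[0].lower()
        if host == "api.domain.local":
            # An API vhost usually answers unknown routes with a 404 JSON body.
            self.reply(404, json.dumps({"error": "no such route"}), "application/json")
        elif host == "admin.domain.local":
            self.reply(401, "<h1>auth required</h1>")
        else:
            # Default vhost: identical page for every unrecognised Host value.
            self.reply(200, "<html><body>Welcome to domain.local</body></html>")

    def reply(self, code, body, ctype="text/html"):
        data = body.encode()
        self.send_response(code)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_target():
    """Bind an ephemeral loopback port and serve in a background thread."""
    srv = HTTPServer(("127.0.0.1", 0), VHostHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def probe(url, host):
    """GET url with a forged Host header; return (status, body_length)."""
    req = Request(url, headers={"Host": host})
    try:
        with urlopen(req, timeout=5) as r:
            return r.status, len(r.read())
    except HTTPError as e:          # 4xx/5xx arrive here; body is still readable
        return e.code, len(e.read())


# ffuf's default match set (-mc); anything else is dropped unless -mc all is given.
FFUF_DEFAULT_MC = {200, 204, 301, 302, 307, 401, 403, 405, 500}


def fuzz_vhosts(url, domain, words, match_all=True):
    """Mimic `ffuf -H 'Host: FUZZ.<domain>' [-mc all] -fs <baseline size>`.

    The baseline is the response size for a random, nonexistent label, i.e.
    what the default vhost returns; a candidate is only interesting when its
    size differs from that.
    """
    junk = "".join(random.choices(string.ascii_lowercase, k=12))
    _, baseline_size = probe(url, f"{junk}.{domain}")
    hits = {}
    for w in words:
        status, size = probe(url, f"{w}.{domain}")
        if size == baseline_size:
            continue                                   # what -fs <baseline> drops
        if not match_all and status not in FFUF_DEFAULT_MC:
            continue                                   # what the default -mc drops
        hits[f"{w}.{domain}"] = status
    return hits


WORDLIST = ["www", "api", "admin", "dev", "staging"]   # constructed wordlist

if __name__ == "__main__":
    srv = start_target()
    url = f"http://127.0.0.1:{srv.server_port}/"
    print("default -mc:", fuzz_vhosts(url, "domain.local", WORDLIST, match_all=False))
    print("-mc all    :", fuzz_vhosts(url, "domain.local", WORDLIST, match_all=True))
    srv.shutdown()
```

With the default match set only admin.domain.local (401) shows up; api.domain.local answers 404 and is silently discarded. With -mc all both appear, and the size filter is what keeps www, dev and staging (all served by the default vhost) out of the results.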

Parameter Fuzzing

todo