Web servers are the most commonly exposed service and the one with the widest variety of vulnerability classes.
Default ports: 80 (HTTP), 443 (HTTPS)
# HTTP/1.0 needs only the request line plus a blank line; HTTP/1.1 would also require a Host header
printf 'GET / HTTP/1.0\r\n\r\n' | nc -v domain.com 80
printf 'GET / HTTP/1.0\r\n\r\n' | openssl s_client -quiet -ign_eof -connect domain.com:443

Methodology Overview

1. Identify Technologies

Find the technologies being used to look for known vulnerabilities and useful tricks.
whatweb -a 1 <URL>   # Stealthy
whatweb -a 3 <URL>   # Aggressive
webtech -u <URL>
webanalyze -host https://target.com -crawl 2
2. Check for WAF

wafw00f <URL>
nmap --script http-waf-detect <IP>
3. Launch General Scanners

nikto -h <URL>
whatweb -a 4 <URL>
nuclei -ut && nuclei -target <URL>
zaproxy  # Via API
4. Initial Checks

Check the default informational pages (they often list paths the operator did not want indexed, which is exactly where to look):
  • /robots.txt
  • /sitemap.xml
  • /crossdomain.xml
  • /.well-known/
  • Check comments in main and secondary pages
Run SSL/TLS scan if HTTPS:
./testssl.sh 10.10.10.10:443
sslscan <host:port>
sslyze --regular <ip:port>
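The robots.txt and sitemap.xml checks above only pay off if the paths they reveal get fed into the spidering and brute-forcing steps that follow. The script below is an added example, not code from the original page: it parses both files into a deduplicated list of path prefixes that can be piped into feroxbuster/ffuf as a seed wordlist. The robots.txt and sitemap bodies are constructed samples, and target.example is a placeholder host.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed samples (not captured from any real host) used to exercise the parsers.
SAMPLE_ROBOTS = """\
User-agent: *
Disallow: /admin/
Disallow: /backup/*.zip   # old database dumps
Allow: /public/
Sitemap: https://target.example/sitemap.xml
"""

SAMPLE_SITEMAP = """\
<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
  <url><loc>https://target.example/</loc></url>
  <url><loc>https://target.example/login</loc></url>
  <url><loc>https://target.example/api/v1/users</loc></url>
</urlset>
"""


def parse_robots(text: str):
    """Return (rule_paths, sitemap_urls) from a robots.txt body.

    Both Disallow and Allow values are kept: either one names a path the
    operator thought worth mentioning, which is exactly what we want to probe.
    """
    paths, sitemaps = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop trailing comments
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip().lower(), value.strip()
        if key in ("disallow", "allow") and value:
            paths.append(value)
        elif key == "sitemap" and value:
            sitemaps.append(value)
    return paths, sitemaps


def parse_sitemap(xml_text: str):
    """Return every <loc> URL in a sitemap or sitemap index, ignoring the XML namespace."""
    root = ET.fromstring(xml_text)   # stdlib ElementTree does not resolve external entities
    return [el.text.strip() for el in root.iter()
            if el.tag.rsplit("}", 1)[-1] == "loc" and el.text]


def clean_rule(path: str) -> str:
    """Turn a robots pattern into a concrete prefix a scanner can request:
    '/backup/*.zip' -> '/backup/', '/*.php$' -> '/'."""
    return path.split("*", 1)[0].rstrip("$") or "/"


def seed_paths(robots_text: str, sitemap_text: str):
    """Merge robots rules and sitemap URLs into a deduplicated, order-preserving path list."""
    rules, _sitemaps = parse_robots(robots_text)
    candidates = [clean_rule(r) for r in rules]
    candidates += [urlsplit(u).path or "/" for u in parse_sitemap(sitemap_text)]
    seen, out = set(), []
    for p in candidates:
        if p not in seen:
            seen.add(p)
            out.append(p)
    return out


if __name__ == "__main__":
    for p in seed_paths(SAMPLE_ROBOTS, SAMPLE_SITEMAP):
        print(p)
```

In practice, fetch the two files with curl, pass their bodies to seed_paths, and write the result to a file given to feroxbuster with -w; the Sitemap URLs returned by parse_robots may point at further sitemap indexes, which parse_sitemap handles the same way.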
5. Spider the Application

Find all possible files, folders, and parameters:
gospider -s https://target.com
hakrawler -url https://target.com
katana -u https://target.com
gau target.com  # Uses wayback, otx, commoncrawl
6. Directory Brute-Forcing

# Feroxbuster (fast, recursive)
feroxbuster -u https://target.com -w /usr/share/wordlists/dirb/big.txt

# ffuf
ffuf -c -w /usr/share/wordlists/dirb/big.txt -u http://target.com/FUZZ

# gobuster
gobuster dir -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt \
  -u https://target.com

# dirsearch (recursive)
python3 dirsearch.py -w small_dirlist -e php,html,py -u https://target.com -r
7. Backup Checking

For every discovered file, check for backup copies by appending or prepending the common editor and manual-copy patterns: file.ext~, #file.ext#, ~file.ext, file.ext.bak, file.ext.tmp, file.ext.old
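The following is an added example, not code from the original page, that turns the pattern list above into concrete URLs and probes them. Note the percent-encoding of '#': requested raw, '#config.php#' would be truncated to a fragment by the client and never reach the server. The target.com host and the probe's User-Agent string are placeholders.

```python
import posixpath
import urllib.error
import urllib.request
from urllib.parse import quote, urlsplit, urlunsplit

# Patterns from the checklist above: editor swap/auto-save files and manual copies.
BACKUP_PATTERNS = ["{name}~", "#{name}#", "~{name}", "{name}.bak", "{name}.tmp", "{name}.old"]


def backup_candidates(url: str):
    """Expand a file URL into the backup-name variants an operator might have left behind.

    The new path segment is percent-encoded so that '#' does not become a URL fragment
    ('#config.php#' is requested as '%23config.php%23'); '~' is unreserved and stays as-is.
    """
    parts = urlsplit(url)
    directory, name = posixpath.split(parts.path)
    if not name:
        raise ValueError("URL must point to a file, e.g. https://host/app/config.php")
    out = []
    for pattern in BACKUP_PATTERNS:
        candidate = quote(pattern.format(name=name))
        out.append(urlunsplit(parts._replace(path=posixpath.join(directory, candidate))))
    return out


def probe(urls, timeout=5):
    """HEAD each candidate and return (url, status) for everything not answered with 404.

    Check a random filename first: a host that answers 200 to everything makes every
    'hit' here meaningless, and a 403 on a backup name is still worth noting because
    the file exists even if the server refuses to serve it.
    """
    hits = []
    for url in urls:
        req = urllib.request.Request(url, method="HEAD", headers={"User-Agent": "backup-check"})
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                hits.append((url, resp.status))
        except urllib.error.HTTPError as exc:
            if exc.code != 404:
                hits.append((url, exc.code))
        except urllib.error.URLError:
            continue            # connection-level failure, nothing to conclude
    return hits


if __name__ == "__main__":
    import sys
    for url, status in probe(backup_candidates(sys.argv[1])):
        print(status, url)
```

Run it against each file found by the spider and brute-force steps; an HTTP 200 on a .bak or ~ variant of a server-side script usually means its source, and any credentials in it, is downloadable as plain text.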
8. Parameter Discovery

# Arjun
arjun -u https://target.com/endpoint

# Param Miner (Burp extension)
# x8
x8 -u https://target.com/endpoint
9. Vulnerability Checking

Use the web vulnerabilities methodology checklist for all discovered endpoints.

Technology-Specific Tricks

# WordPress
wpscan --update --force -e --url <URL>
wpscan --url <URL> --enumerate u,ap,at,cb,dbe

# Joomla
joomscan --ec -u <URL>

# Drupal
droopescan scan drupal -u <URL>

# Generic CMS
cmsmap [-f W] -F -d <URL>
If the source code is available (public GitHub repository or a leaked copy):
  • Check the changelog/README for version info
  • Look for credentials in code, configs and commit history
  • Search for hash algorithms and encryption keys
  • Check Issues for unresolved vulnerabilities
Other findings worth following up during the scan:
  • Exposed .git directory → extract the source code
  • Exposed .env file → API keys, DB passwords
  • JS files → run RetireJS against them for known vulnerable libraries
  • API endpoints → test for API-specific vulnerabilities
  • 403 Forbidden → try bypass techniques
  • 502 Proxy Error → potentially misconfigured proxy / SSRF
  • NTLM authentication → info disclosure via the NTLM challenge

NTLM Authentication Info Disclosure

# A Windows server offering NTLM auth answers a Type 1 (negotiate) message with a
# Type 2 challenge. The challenge comes back base64-encoded in the WWW-Authenticate
# header and carries the OS version plus the NetBIOS/DNS host and domain names.
curl -s -I -H "Authorization: NTLM TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA=" \
  http://target.com/
# Base64-decode the token after "WWW-Authenticate: NTLM" to read the IIS/Windows version

# Automated with nmap
nmap -p 80,443 --script http-ntlm-info <IP>
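What nmap's http-ntlm-info does with the challenge is a small amount of parsing per MS-NLMP, and doing it by hand is useful when a target only speaks NTLM on an odd port or behind a proxy nmap cannot reach. The decoder below is an added example, not code from the original page or from nmap. The Type 2 message it decodes is constructed inline (CORP, WEB01, corp.local and the 10.0.17763 build are made-up values, not a capture); feed parse_www_authenticate the real header value from the curl command above.

```python
import base64
import struct

NTLMSSP_NEGOTIATE_VERSION = 0x02000000
AV_NAMES = {1: "NetBIOS computer", 2: "NetBIOS domain", 3: "DNS computer",
            4: "DNS domain", 5: "DNS tree"}


def parse_type2(blob: bytes) -> dict:
    """Decode an NTLM CHALLENGE_MESSAGE (Type 2) and pull out the fields that leak."""
    if blob[:8] != b"NTLMSSP\x00" or struct.unpack_from("<I", blob, 8)[0] != 2:
        raise ValueError("not an NTLM Type 2 message")
    tn_len, _, tn_off = struct.unpack_from("<HHI", blob, 12)     # TargetName buffer
    flags = struct.unpack_from("<I", blob, 20)[0]
    ti_len, _, ti_off = struct.unpack_from("<HHI", blob, 40)     # TargetInfo buffer
    info = {
        "target_name": blob[tn_off:tn_off + tn_len].decode("utf-16-le"),
        "challenge": blob[24:32].hex(),
        "version": None,
        "target_info": {},
    }
    # The 8-byte Version field at offset 48 is only present when the server set NEGOTIATE_VERSION.
    if flags & NTLMSSP_NEGOTIATE_VERSION and len(blob) >= 56:
        major, minor, build = struct.unpack_from("<BBH", blob, 48)
        info["version"] = f"{major}.{minor} build {build}"
    # TargetInfo is a list of AV_PAIRs: uint16 id, uint16 length, UTF-16LE value.
    pos, end = ti_off, ti_off + ti_len
    while pos + 4 <= end:
        av_id, av_len = struct.unpack_from("<HH", blob, pos)
        pos += 4
        if av_id == 0:                      # MsvAvEOL terminates the list
            break
        value = blob[pos:pos + av_len]
        pos += av_len
        if av_id in AV_NAMES:
            info["target_info"][AV_NAMES[av_id]] = value.decode("utf-16-le")
        elif av_id == 7:                    # MsvAvTimestamp, a Windows FILETIME
            info["target_info"]["timestamp"] = struct.unpack("<Q", value)[0]
    return info


def parse_www_authenticate(header: str) -> dict:
    """Take the value of 'WWW-Authenticate: NTLM <base64>' and decode the challenge."""
    scheme, _, token = header.strip().partition(" ")
    if scheme.upper() != "NTLM" or not token:
        raise ValueError("header carries no NTLM challenge")
    return parse_type2(base64.b64decode(token))


def _build_sample_type2() -> bytes:
    """Constructed Type 2 message (not a capture) laid out the way a Windows server emits one."""
    target_name = "CORP".encode("utf-16-le")
    av_pairs = b"".join(
        struct.pack("<HH", av_id, len(v)) + v
        for av_id, v in [(2, "CORP".encode("utf-16-le")),
                         (1, "WEB01".encode("utf-16-le")),
                         (4, "corp.local".encode("utf-16-le")),
                         (3, "web01.corp.local".encode("utf-16-le"))]
    ) + struct.pack("<HH", 0, 0)
    # UNICODE | TARGET_TYPE_DOMAIN | NEGOTIATE_TARGET_INFO | NEGOTIATE_VERSION
    flags = 0x00000001 | 0x00010000 | 0x00800000 | NTLMSSP_NEGOTIATE_VERSION
    tn_off = 56                               # fixed header including the Version field
    ti_off = tn_off + len(target_name)
    msg = b"NTLMSSP\x00" + struct.pack("<I", 2)
    msg += struct.pack("<HHI", len(target_name), len(target_name), tn_off)
    msg += struct.pack("<I", flags)
    msg += bytes.fromhex("0123456789abcdef")  # ServerChallenge
    msg += b"\x00" * 8                        # Reserved
    msg += struct.pack("<HHI", len(av_pairs), len(av_pairs), ti_off)
    msg += struct.pack("<BBH", 10, 0, 17763) + b"\x00\x00\x00\x0f"   # Version 10.0.17763, NTLM rev 15
    return msg + target_name + av_pairs


SAMPLE_HEADER = "NTLM " + base64.b64encode(_build_sample_type2()).decode()

if __name__ == "__main__":
    import json
    print(json.dumps(parse_www_authenticate(SAMPLE_HEADER), indent=2))
```

The build number is what identifies the OS (10.0.17763 is the Windows Server 2019 / Windows 10 1809 line), and the DNS domain and tree names in TargetInfo tell you whether the web server is domain-joined before you have any credentials.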

Automated Command Reference

# Quick web scan (Nikto + Gobuster)
nikto -host http://<IP>:<PORT> && \
gobuster dir -w <Small_Dirlist> -u http://<IP>:<PORT> && \
gobuster dir -w <Big_Dirlist> -u http://<IP>:<PORT>

# WhatWeb
whatweb -a 4 <IP>

# Nmap web vuln scan
nmap -vv --reason -Pn -sV -p <Port> \
  --script="banner,(http* or ssl*) and not (brute or broadcast or dos or fuzzer)" <IP>

# WordPress
wpscan --url http://<IP>/wp-login.php --enumerate ap,at,cb,dbe && \
wpscan --url http://<IP>/wp-login.php --enumerate u,tt,t,vp --passwords <Big_Passwordlist>

# Ffuf vhost discovery
ffuf -w <Subdomain_List>:FUZZ -u http://<Domain_Name> -H "Host: FUZZ.<Domain_Name>" \
  -c -mc all -fs <common_size>

SSL/TLS Vulnerability Reference

  • No HTTPS enforcement (HTTP reachable, no redirect/HSTS) → MitM possible
  • Sensitive data (credentials, session tokens) sent over plain HTTP → high severity
  • Check for BEAST, POODLE, Heartbleed, ROBOT and DROWN with testssl.sh
