OWASP Favicon Database:
Other places to find information only using basic tools:
robots.txt, sitemap.xml, HTTP Headers, Framework Stack – developer tools
Google Hacking / Dorking
Google hacking / Dorking utilizes Google’s advanced search engine features, which allow you to pick out custom content. You can, for instance, pick out results from a certain domain name using the site: filter, for example (site:tryhackme.com) you can then match this up with certain search terms, say, for example, the word admin (site:tryhackme.com admin) this then would only return results from the tryhackme.com website which contain the word admin in its content. You can combine multiple filters as well. Here is an example of more filters you can use:
| Filter | Example | Description |
| site | site:tryhackme.com | returns results only from the specified website address |
| inurl | inurl:admin | returns results that have the specified word in the URL |
| filetype | filetype:pdf | returns results which are a particular file extension |
| intitle | intitle:admin | returns results that contain the specified word in the title |
Wappalyzer – idnetify technologies a website uses
Wayback Machine – Identify changes to versions and previous vulnerabilities
GitHub – version tracker
S3 Buckets – storage service where people store files to access over cloud
Automated Discover Through Wordlists
Sub Domain Enumeration
Methods: Brute Force, OSINT, Virtual Host
SSL/TLS Certificates: sites like https://crt.sh and https://ui.ctsearch.entrust.com/ui/ctsearchui offer a searchable database of certificates that shows current and historical results.
Use Google, EG. site:*.tryhackme.com -site:www.tryhackme.com to find submdomains
Bruteforce DNS Tool such as dnsrecon, sublist3r, FFUF
Authentication Bypass
ffuf to enumerate valid usernames by checking which ones trigger the response username already exists (or similar)
brute force login with valid usernames and password wordlist
Use logic flaws to bypass logins
Intercept password reset requests using valid username via curl requests, create account on site to forward password reset email to via curl request, use resources like support tickets etc to bypass login screen for valid user.
Cookie Tampering
Alter login cookies changing booleans to true
Hash replays – database of hashes
Encode and Decode https://www.base64encode.org/
IDOR
Insecure Direct Object Reference
Altering requests to retrieve different files or info
Altering your invoice number in a url from an email to receive another customers invoice data
decode requests, alter info, encode again and resend
create two accounts and swap the ID numbers
parameter mining
Leave a Reply