# Security Headers

# /!\ HTTP POST requests need two carriage returns (CRLF CRLF, i.e. an empty line after the headers) at the end to be valid!
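Two small helpers as an added example (not code from the original page): `build_post` serialises a raw HTTP/1.1 POST and shows where the terminating empty line goes, and `audit_headers` parses a raw response and reports which common security headers are missing. The baseline header list, the one-year HSTS threshold and the sample response are this example's own assumptions, not anything the page states.

```python
import re
from typing import Dict, Optional, Tuple

# Baseline set of response headers to look for (assumption of this example, the page
# itself does not list them).
EXPECTED_HEADERS = {
    "strict-transport-security",
    "content-security-policy",
    "x-content-type-options",
    "x-frame-options",
    "referrer-policy",
}
ONE_YEAR = 31536000  # HSTS max-age commonly recommended as the minimum


def build_post(host: str, path: str, body: bytes,
               extra_headers: Optional[Dict[str, str]] = None) -> bytes:
    """Serialise a raw HTTP/1.1 POST. The header block must be closed by an empty
    line (CRLF CRLF) before the body, otherwise the server keeps waiting for headers."""
    headers = {
        "Host": host,
        "Content-Type": "application/x-www-form-urlencoded",
        "Content-Length": str(len(body)),
        "Connection": "close",
    }
    headers.update(extra_headers or {})
    request_line = f"POST {path} HTTP/1.1"
    header_lines = [f"{name}: {value}" for name, value in headers.items()]
    return ("\r\n".join([request_line] + header_lines) + "\r\n\r\n").encode("ascii") + body


def parse_response_headers(raw: bytes) -> Tuple[int, Dict[str, str]]:
    """Split a raw response into (status code, {lower-cased header name: value})."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    status_line, *header_lines = head.decode("iso-8859-1").split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def audit_headers(raw: bytes) -> dict:
    """Report missing security headers, a weak HSTS max-age and version-disclosing banners."""
    status, headers = parse_response_headers(raw)
    findings = {
        "status": status,
        "missing": sorted(EXPECTED_HEADERS - set(headers)),
        "warnings": [],
    }
    for banner in ("server", "x-powered-by"):
        if banner in headers:
            findings["warnings"].append(f"{banner} discloses: {headers[banner]}")
    match = re.search(r"max-age=(\d+)", headers.get("strict-transport-security", ""))
    if match and int(match.group(1)) < ONE_YEAR:
        findings["warnings"].append("strict-transport-security max-age is below one year")
    return findings


# Constructed sample response (not captured from any real server).
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache/2.4.41\r\n"
    b"Content-Type: text/html\r\n"
    b"X-Frame-Options: DENY\r\n"
    b"Strict-Transport-Security: max-age=300\r\n"
    b"\r\n"
    b"<html></html>"
)

if __name__ == "__main__":
    print(build_post("example.com", "/login", b"user=a&pass=b").decode())
    print(audit_headers(SAMPLE_RESPONSE))
```

The audit works on a raw byte string so it can be run over responses saved from any client; `Content-Length` is computed from the body so the server never waits for bytes that are not coming.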

# Firefox extension for security

HTTP Methods

# With this script, you can test various HTTP methods against a URL.
# Cool and useful tool by Shutdown for the recon phase

HTTP Methods Tester, v1.0.2
usage: httpmethods.py [-h] -u URL [-v] [-q] [-k] [-w WORDLIST]
                              [-t THREADS] [-j JSONFILE]

This Python script can be used for HTTP verb tampering to bypass forbidden access, and for HTTP methods enumeration to find dangerous enabled methods like PUT

optional arguments:
  -h, --help            show this help message and exit
  -u URL, --url URL     e.g. https://example.com:port/path
  -v, --verbose         verbosity level (-v for verbose, -vv for debug)
  -q, --quiet           Show no informations at all
  -k, --insecure        Allow insecure server connections when using SSL (default: False)
  -w WORDLIST, --wordlist WORDLIST
                        HTTP methods wordlist (default: default_wordlist.txt)
  -t THREADS, --threads THREADS
                        Number of threads (default: 5)
  -j JSONFILE, --jsonfile JSONFILE
                        Save results to specified JSON file.

Working on 403 Errors - Byp4xx

# A bash script to bypass "403 Forbidden" responses with well-known methods discussed in #bugbountytips

./byp4xx.sh [OPTIONS] http(s)://url/path

  -c Return the entire curl command if response is 200
  -r Redirects if the response is 3XX

NIP IO / SSRF Redirections

# Redirections / bypassing filters for SSRF
# <anything>.<IP>.nip.io resolves to the <IP> you specify (wildcard DNS)
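The defender-side counterpart of the nip.io trick, as an added example (not part of the original page): an outbound-URL check that decides on the resolved addresses rather than on the hostname string, so a wildcard DNS name pointing at an internal IP is rejected like the IP itself. `fake_resolver`, `FAKE_DNS` and `NIP_IO_RE` are this example's own constructions so that it runs offline; a real deployment would pass a resolver built on `socket.getaddrinfo`.

```python
import ipaddress
import re
from typing import Callable, List, Tuple
from urllib.parse import urlparse

# Matches "<anything>.<a>.<b>.<c>.<d>.nip.io" and captures the four octets.
NIP_IO_RE = re.compile(r"(?:^|\.)(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.nip\.io$")

# Constructed lookup table so the example runs offline (assumption of this example).
FAKE_DNS = {"example.com": ["93.184.216.34"]}


def fake_resolver(hostname: str) -> List[str]:
    """Offline stand-in for DNS that mimics nip.io's wildcard behaviour."""
    match = NIP_IO_RE.search(hostname)
    if match:
        return [".".join(match.groups())]
    return FAKE_DNS.get(hostname, [])


def is_safe_destination(url: str,
                        resolver: Callable[[str], List[str]] = fake_resolver) -> Tuple[bool, str]:
    """Return (allowed, reason). The decision is made on the resolved addresses,
    never on the hostname text, so nip.io-style names offer no bypass."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "no host in URL"
    try:
        addresses = [ipaddress.ip_address(host)]  # literal IP in the URL
    except ValueError:
        try:
            addresses = [ipaddress.ip_address(a) for a in resolver(host)]
        except ValueError:
            return False, f"{host}: resolver returned a non-IP answer"
    if not addresses:
        return False, f"{host} does not resolve"
    for ip in addresses:
        if (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_reserved or ip.is_multicast or ip.is_unspecified):
            return False, f"{host} resolves to non-public address {ip}"
    # The caller must connect to one of the vetted addresses (pin the IP), otherwise a
    # second DNS lookup at connect time can return a different, internal answer.
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("http://example.com/status",
                      "http://app.127.0.0.1.nip.io/admin",
                      "http://10.0.0.5/",
                      "ftp://example.com/"):
        print(candidate, is_safe_destination(candidate))
```

Every rejection carries a reason so the event can be logged; repeated rejections from one user are a useful SSRF-probing signal on their own.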

Spring Boot

# Spring Boot / Metrics
/metrics → Actuator endpoint exposing tons of information
/heapdump → Get a memory dump of the application
Exploit → jhat -port 7401 -J-Xmx4G heapdump2016-12-27-13-54-live2196484565712626494.hprof

VERB tampering

# Test for other HTTP methods (verb tampering)
# Bypass .htaccess method restrictions
curl -X COUCOU <target>
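What the HTTP methods tester and the verb-tampering check above look like from the log side, as an added example (not the page's or the httpmethods.py project's code): a small detector that runs over access-log lines and flags non-standard methods, risky methods that were accepted, and the classic tampering signature of a 403 on a path followed by a 2xx for the same client and path with a different method. The log format, the method sets and `SAMPLE_LOG` are constructed for this example.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, Iterable, List, Optional

# Combined-style access log line (constructed format, see SAMPLE_LOG below).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Za-z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
STANDARD_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE", "CONNECT", "PATCH"}
# Standard methods that should rarely succeed on a typical web application.
RISKY_METHODS = {"PUT", "DELETE", "TRACE", "CONNECT"}


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    entry["method"] = entry["method"].upper()
    return entry


def analyze(lines: Iterable[str]) -> List[dict]:
    """Return one finding per suspicious line, tagged with a reason."""
    findings = []
    denied: Dict[tuple, set] = defaultdict(set)  # (client, path) -> methods answered 403
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue
        key = (e["ip"], e["path"])
        success = 200 <= e["status"] < 300
        if e["method"] not in STANDARD_METHODS:
            findings.append({**e, "reason": "non-standard-method"})
        elif e["method"] in RISKY_METHODS and success:
            findings.append({**e, "reason": "risky-method-accepted"})
        if e["status"] == 403:
            denied[key].add(e["method"])
        elif success and denied[key] and e["method"] not in denied[key]:
            findings.append({**e, "reason": "verb-tampering-success",
                             "denied_methods": sorted(denied[key])})
    return findings


def summarize(findings: List[dict]) -> Counter:
    return Counter(f["reason"] for f in findings)


# Constructed sample log (not from any real server).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /admin HTTP/1.1" 403 199
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "COUCOU /admin HTTP/1.1" 200 4821
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "PUT /uploads/note.txt HTTP/1.1" 201 0
10.0.0.9 - - [01/Jan/2024:10:01:10 +0000] "POST /login HTTP/1.1" 302 0
10.0.0.5 - - [01/Jan/2024:10:01:11 +0000] "TRACE / HTTP/1.1" 200 120
""".splitlines()

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding["reason"], finding["ip"], finding["method"], finding["path"], finding["status"])
    print(summarize(analyze(SAMPLE_LOG)))
```

The "verb-tampering-success" reason is the one worth paging on: it means the access control only covered the methods it was written for, which is exactly the gap `curl -X COUCOU` probes.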

Install files

# Install files
# You can check for backup files using the following extensions:
.backup, .bck, .old, .save, .bak, .sav, ~, .copy, .orig, .tmp, .txt, .back, .bkp, .bac, .tar, .gz, .tar.gz, .zip, .rar
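The same extension list turned into a pre-deployment check, as an added example (not code from the page): it walks a document root and reports files that look like editor or deployment leftovers, so they are removed before anyone can request them. `ALLOWED_NAMES` (legitimate files such as robots.txt that end in a listed suffix) and the files created by `demo()` are assumptions of this example.

```python
import os
import tempfile
from typing import List

# Suffixes from the list above (".old" is listed there twice, once here).
BACKUP_SUFFIXES = (
    ".backup", ".bck", ".old", ".save", ".bak", ".sav", "~", ".copy", ".orig", ".tmp",
    ".txt", ".back", ".bkp", ".bac", ".tar", ".gz", ".tar.gz", ".zip", ".rar",
)
# Files that legitimately carry a listed suffix (assumption of this example).
ALLOWED_NAMES = {"robots.txt", "humans.txt"}


def looks_like_backup(filename: str) -> bool:
    """Case-insensitive suffix match against the backup extension list."""
    name = filename.lower()
    if name in ALLOWED_NAMES:
        return False
    return any(name.endswith(suffix) for suffix in BACKUP_SUFFIXES)


def find_backup_files(webroot: str) -> List[str]:
    """Walk a document root and return web-relative paths of suspicious files."""
    hits = []
    for dirpath, _dirs, files in os.walk(webroot):
        for fname in files:
            if looks_like_backup(fname):
                rel = os.path.relpath(os.path.join(dirpath, fname), webroot)
                hits.append(rel.replace(os.sep, "/"))
    return sorted(hits)


def demo() -> List[str]:
    """Build a throwaway document root with constructed files and scan it."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "assets"))
        for name in ("index.php", "index.php.bak", "config.php~", "robots.txt",
                     "notes.txt", os.path.join("assets", "site.tar.gz")):
            with open(os.path.join(root, name), "w") as fh:
                fh.write("constructed\n")
        return find_backup_files(root)


if __name__ == "__main__":
    for path in demo():
        print("backup-like file:", path)
```

Run it against the real document root in CI (`find_backup_files("/var/www/html")`) and fail the build on any hit; the `.txt` entry is noisy by design, which is why an allow-list of known files is part of the check.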

# Check headers
# They often give away information
curl -v <target>

Parameter override

# If some JSON fields are in the response but not in the request,
# try adding them to the request: you may be able to override properties (mass assignment)
{"id":"7"} => {"id":"7", "admin":false}
{"id":"7", "admin":true} => {"id":"7", "admin":true}
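The two request/record pairs above, as an added example (not the page's code) showing why the override works and how to close it: a handler that merges the whole JSON body into the record accepts the extra `admin` key, while one that copies only allow-listed fields ignores it and reports what it dropped. `USERS` and `CLIENT_WRITABLE` are constructed stand-ins for a database row and a field policy.

```python
import json
from typing import Any, Dict, List, Tuple

# Constructed user store standing in for a database row.
USERS: Dict[str, Dict[str, Any]] = {
    "7": {"id": "7", "name": "alice", "email": "alice@example.com", "admin": False},
}
# Fields the client may set; everything else is server-controlled.
CLIENT_WRITABLE = {"name", "email"}


def update_user_vulnerable(user_id: str, body: str) -> Dict[str, Any]:
    """Merges the whole JSON document into the record: an extra "admin" key lands too."""
    user = dict(USERS[user_id])
    user.update(json.loads(body))
    return user


def update_user_hardened(user_id: str, body: str) -> Tuple[Dict[str, Any], List[str]]:
    """Copies only allow-listed fields; returns the record and the keys it ignored
    so the rejection can be logged as a possible tampering attempt."""
    payload = json.loads(body)
    if not isinstance(payload, dict):
        raise ValueError("JSON object expected")
    user = dict(USERS[user_id])
    rejected = []
    for key, value in payload.items():
        if key in CLIENT_WRITABLE:
            user[key] = value
        elif key == "id" and str(value) == user_id:
            continue  # echoing the path id back is harmless
        else:
            rejected.append(key)
    return user, sorted(rejected)


if __name__ == "__main__":
    attempt = '{"id":"7", "admin":true}'
    print("vulnerable:", update_user_vulnerable("7", attempt))
    print("hardened:  ", update_user_hardened("7", attempt))
```

The allow-list lives next to the handler on purpose: a new server-controlled field added to the model is safe by default, whereas a deny-list would have to be updated for every such field.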

O365 Testing

# When facing OWA applications, you can check whether the target uses O365 or on-premise applications
# If the following is "Managed", the target uses O365

Payload Transformations


# Transformation tool

# It helps to find which transformations were applied to an input, given the output
# Can be useful for crafting payloads
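A minimal version of such a tool, added as an example (not the page's or any project's code): given the value sent and the value observed in the response, it tries every chain of up to two steps from a table of common transformations and returns the chains that reproduce the output. Knowing that a backend HTML-escapes and then URL-encodes (or only lowercases) tells a reviewer which output encoding is really in place. The `TRANSFORMS` table and the sample pairs are assumptions of this example.

```python
import base64
import hashlib
import html
import itertools
import urllib.parse
from typing import Callable, Dict, List

# Candidate single-step transformations (assumption: extend for the stack under review).
TRANSFORMS: Dict[str, Callable[[str], str]] = {
    "base64": lambda s: base64.b64encode(s.encode()).decode(),
    "hex": lambda s: s.encode().hex(),
    "urlencode": lambda s: urllib.parse.quote(s, safe=""),
    "html-escape": lambda s: html.escape(s, quote=True),
    "md5": lambda s: hashlib.md5(s.encode()).hexdigest(),
    "sha1": lambda s: hashlib.sha1(s.encode()).hexdigest(),
    "upper": str.upper,
    "lower": str.lower,
    "reverse": lambda s: s[::-1],
    "strip-quotes": lambda s: s.replace("'", "").replace('"', ""),
}


def find_transformations(sent: str, observed: str, max_depth: int = 2) -> List[List[str]]:
    """Return every chain of up to max_depth steps that turns `sent` into `observed`.
    Chains containing a step that did not change the value are skipped, so the
    result lists only transformations that actually did something."""
    matches = []
    for depth in range(1, max_depth + 1):
        for chain in itertools.product(TRANSFORMS, repeat=depth):
            value = sent
            for name in chain:
                nxt = TRANSFORMS[name](value)
                if nxt == value:
                    break  # no-op step, an equivalent shorter chain is already covered
                value = nxt
            else:
                if value == observed:
                    matches.append(list(chain))
    return matches


if __name__ == "__main__":
    # Constructed sent/observed pairs.
    for sent, observed in (("hello world", "aGVsbG8gd29ybGQ="),
                           ("admin", "YWRtaW4%3D"),
                           ("<b>", "%3Cb%3E")):
        print(sent, "->", observed, ":", find_transformations(sent, observed))
```

Use an input containing the characters you care about (quotes, angle brackets, non-ASCII) so that escaping steps actually change it; otherwise they are pruned as no-ops and never show up in a chain.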