MISC

# Security Headers
https://securityheaders.com

# /!\ HTTP POST requests need two carriage returns (CRLF CRLF, i.e. a blank line after the headers) at the end to be valid!


NIP IO / SSRF Redirections

# Redirections / bypassing filters for SSRF
# <anything>.<IP>.nip.io will resolve to the <IP> you specify
1.1.1.1.nip.io  will resolve to 1.1.1.1


Spring Boot

# Spring Boot / Metrics
/metrics → Endpoint exposing a large number of endpoints and metrics
/heapdump → Get a memory dump of the application
Exploit → analyse the dump offline with jhat: jhat -port 7401 -J-Xmx4G heapdump2016-12-27-13-54-live2196484565712626494.hprof


VERB tampering

# Test for other HTTP methods (verb tampering)
# May bypass .htaccess restrictions that only cover specific methods
curl -X COUCOU <target>


Install files

# Install files
# You can check for backup files using the following extensions
.backup, .bck, .old, .save, .bak, .sav, ~, .copy, .orig, .tmp, .txt, .back, .bkp, .bac, .tar, .gz, .tar.gz, .zip, .rar

# Check headers
# They often give away information (server, framework, version)
curl -v <target>


Parameter override

# If some JSON properties are present in the response but not in the request,
# try adding them to the request: you may be able to override properties (mass assignment)
{"id":"7"} => {"id":"7", "admin":false}
{"id":"7", "admin":true} => {"id":"7", "admin":true}
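The property-override behaviour above, as an added Python example that is not from this page: a naive update handler that merges the request body straight into the stored record, beside an allowlisted version that ignores and reports unexpected fields. `USERS` and `UPDATABLE_FIELDS` are constructed names for the demonstration.

```python
"""Mass-assignment ("parameter override") demo: constructed example.

A client that adds "admin": true to a profile update must not be able to
elevate the account. The vulnerable handler shows why it can; the hardened
handler shows the allowlist fix and surfaces rejected keys for logging."""
import copy
from typing import Dict, List, Tuple

# Constructed in-memory "database"; "admin" is never meant to be client-settable.
USERS: Dict[str, dict] = {"7": {"id": "7", "name": "alice", "admin": False}}

# Fields a client is permitted to change through the profile-update endpoint.
UPDATABLE_FIELDS = frozenset({"name"})


def update_profile_vulnerable(user_id: str, body: dict) -> dict:
    """Naive handler: every key in the request body overwrites the record.

    A body of {"id": "7", "admin": true} therefore elevates the account,
    which is exactly what the test above looks for."""
    record = copy.deepcopy(USERS[user_id])
    record.update(body)  # no allowlist: arbitrary properties are overridden
    return record


def update_profile_hardened(user_id: str, body: dict) -> Tuple[dict, List[str]]:
    """Allowlist handler: only UPDATABLE_FIELDS are copied from the body.

    Returns the updated record and the sorted list of keys that were
    rejected, so the caller can log them; a request carrying "admin" or
    "id" is a useful detection signal even though it is harmless here."""
    record = copy.deepcopy(USERS[user_id])
    requested = set(body)
    rejected = sorted(requested - UPDATABLE_FIELDS)
    for key in requested & UPDATABLE_FIELDS:
        record[key] = body[key]
    return record, rejected


if __name__ == "__main__":
    attempt = {"id": "7", "admin": True, "name": "bob"}
    print("vulnerable:", update_profile_vulnerable("7", attempt))
    print("hardened:  ", update_profile_hardened("7", attempt))
```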


O365 Testing

```bash
# If facing OWA applications, you can check whether the target is using O365 or on-premise applications
# If the following response reports "Managed", the target uses O365
https://login.microsoftonline.com/getuserrealm.srf?login=targetemail@company.com&xml=1
```


Payload Transformations

https://twitter.com/jobertabma/status/1257126413699670016

# Transformation tool
https://github.com/jobertabma/transformations
https://transformations.jobertabma.nl/

# It helps identify the transformations applied to an input, given the resulting output
# Can be useful for crafting payloads