- 0xduraki

Web Penetration Testing Oneliners

NextJS Endpoint Disclosure Trick

If a web app uses Next.js, there is an easy way to skip recon/fuzzing ✨ and enumerate all paths (i.e. endpoints). A quick way to find “all” paths of a Next.js site:

  1. Open DevTools -> Console in the web browser.
  2. In Chrome, type allow pasting, then use this oneliner:

console.log(__BUILD_MANIFEST.sortedPages)

     or, to print one route per line:

javascript:console.log(__BUILD_MANIFEST.sortedPages.join('\n'));

  3. Check the output of the logged endpoints/routes.
  4. Milan shared the trick via this tweet, but the original author is Ismail Sojal.

Result:

Check if a vhost is live on a specific DNS name or subdomain (the typo "Host." has been fixed to the real header name "Host:"):

curl -s -H "Host: $SUBDOMAIN.EXAMPLE.BA" http://example.ba

Other techniques are described on the vhost enumeration page.

Redirect URI with a Set-Cookie header injected into a GET request (CRLF injection through the redirect parameter):

http://$EXAMPLE.BA/index.php?redirect_url=/%3f%0d%0a%09set-cookie:+hello=yoyoo

Rate Limit Bypass

Headers:
    * X-Forwarded-Host: http://evil.com (password reset poisoning)
    * X-Forwarded-For: 127.0.0.* (rate limit bypass)
Permutations:
    * Null byte techniques
    * Case sensitivity

Some other techniques can be used too, e.g. 403 bypass via header manipulation.
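To show why the two headers above work and how a server side should handle them, here is an added example (my own code, not from this page or any project): a naive client-IP function that the X-Forwarded-For trick defeats, next to a hardened one that only honours the header behind a known proxy, plus a host resolver that ignores X-Forwarded-Host. The proxy address, allowed hostnames and the request-like objects are constructed for the example.

```javascript
// Added example: pick the values a server should key rate limiting and
// absolute links (password reset, etc.) on, so that spoofed
// X-Forwarded-For / X-Forwarded-Host headers have no effect.
// Assumptions: a request-like object { socketAddr, headers } with lowercase
// header names; constructed reverse-proxy address and hostname allowlist.

const TRUSTED_PROXIES = new Set(["10.0.0.5"]);                    // constructed
const ALLOWED_HOSTS = new Set(["example.ba", "www.example.ba"]);   // constructed

// Weak: trusts the first X-Forwarded-For hop, which the client wrote, so
// sending a different "127.0.0.*" value per request yields a fresh bucket.
function naiveClientIp(req) {
  const xff = req.headers["x-forwarded-for"];
  return xff ? xff.split(",")[0].trim() : req.socketAddr;
}

// Hardened: honour X-Forwarded-For only when the TCP peer is one of our own
// proxies, then walk the chain from the right and skip trusted hops. The
// first non-proxy address is the peer our proxy really spoke to; anything
// to its left was supplied by the client and is ignored.
function clientIp(req) {
  if (!TRUSTED_PROXIES.has(req.socketAddr)) return req.socketAddr;
  const hops = (req.headers["x-forwarded-for"] || "")
    .split(",").map((h) => h.trim()).filter(Boolean);
  for (let i = hops.length - 1; i >= 0; i--) {
    if (!TRUSTED_PROXIES.has(hops[i])) return hops[i];
  }
  return req.socketAddr; // header empty or made only of proxy addresses
}

// Hardened: build links from an allowlist of hostnames. X-Forwarded-Host is
// never consulted, and an unknown Host header is rejected instead of echoed.
function canonicalHost(req) {
  const host = (req.headers["host"] || "").toLowerCase().replace(/:\d+$/, "");
  if (!ALLOWED_HOSTS.has(host)) throw new Error("unknown Host header: " + host);
  return host;
}
```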

Captcha Bypass Tricks 😂

Captcha bypass is described on a separate page.

Using Google Chrome Dev Tools regex to search for leaked credentials in the WebApp

To search for leaked credentials using Google Chrome’s Developer Tools and a regex, follow these steps:

  1. Open DevTools: In Chrome, navigate to the site you’re inspecting, then open Developer Tools with Ctrl+Shift+I (Windows/Linux) or Cmd+Option+I (macOS).
  2. Go to Network Tab: Click on the “Network” tab.
  3. Enable Regex Search: Click the regex icon in the filter bar to enable regex mode.
  4. Refresh Page: Refresh the page to load all network requests.
  5. Apply Regex: Paste the regex below into the filter bar to search for patterns indicating leaked credentials.
  6. Review Matches: Manually inspect the filtered requests to identify potential leaks.

Regex Pattern Filter:

(access_key|access_token|admin_pass|admin_user|algolia_admin_key|algolia_api_key|alias_pass|alicloud_access_key|amazon_secret_access_key|amazonaws|ansible_vault_password|aos_key|api_key|api_key_secret|api_key_sid|api_secret|api.googlemaps AIza|apidocs|apikey|apiSecret|app_debug|app_id|app_key|app_log_level|app_secret|appkey|appkeysecret|application_key|appsecret|appspot|auth_token|authorizationToken|authsecret|aws_access|aws_access_key_id|aws_bucket|aws_key|aws_secret|aws_secret_key|aws_token|AWSSecretKey|b2_app_key|bashrc password|bintray_apikey|bintray_gpg_password|bintray_key|bintraykey|bluemix_api_key|bluemix_pass|browserstack_access_key|bucket_password|bucketeer_aws_access_key_id|bucketeer_aws_secret_access_key|built_branch_deploy_key|bx_password|cache_driver|cache_s3_secret_key|cattle_access_key|cattle_secret_key|certificate_password|ci_deploy_password|client_secret|client_zpk_secret_key|clojars_password|cloud_api_key|cloud_watch_aws_access_key|cloudant_password|cloudflare_api_key|cloudflare_auth_key|cloudinary_api_secret|cloudinary_name|codecov_token|config|conn.login|connectionstring|consumer_key|consumer_secret|credentials|cypress_record_key|database_password|database_schema_test|datadog_api_key|datadog_app_key|db_password|db_server|db_username|dbpasswd|dbpassword|dbuser|deploy_password|digitalocean_ssh_key_body|digitalocean_ssh_key_ids|docker_hub_password|docker_key|docker_pass|docker_passwd|docker_password|apikey|dockerhub_password|dockerhubpassword|dot-files|dotfiles|droplet_travis_password|dynamoaccesskeyid|dynamosecretaccesskey|elastica_host|elastica_port|elasticsearch_password|encryption_key|encryption_password|heroku_api_key|sonatype_password|awssecretkey)

Also See