Map Execution Paths

Check List

Methodology

Path

1

Browse the target through an intercepting proxy so that its site map records every page, endpoint, and resource you touch; this passive map is the baseline view of the application's structure that the following steps extend

2

Perform a targeted analysis within the proxy tool by selecting a domain and running engagement tools to extract detailed insights about endpoints, parameters, and linked resources

3

Configure a web application scan in the proxy tool, selecting a preset scan mode to crawl the target, enumerating URLs, and summarizing findings to identify hidden or sensitive paths

4

Execute a directory brute-forcing tool (e.g., gobuster or ffuf) against the target URL, targeting file extensions like PHP, ASPX, or JSP to discover hidden files or directories. Filter on response codes, but do not keep only 200: a 301/302 on a bare directory name, or a 401/403, still proves the path exists and is often the more interesting result (a 403 on an admin directory is a finding in itself)

5

Run a directory enumeration tool with a comprehensive wordlist, testing for a wide range of file extensions (e.g., php, html, js, config, backup) to uncover sensitive files, backups, or misconfigured endpoints

6

Analyze discovered paths for sensitive resources like configuration files (.conf, .ini), database backups (.sql, .db), or logs (.log), checking for exposed credentials or internal data

7

Cross-reference enumerated paths with the proxy tool’s sitemap to validate findings, ensuring all discovered endpoints are tested for accessibility and functionality

8

Document all identified paths, including URLs, file extensions, and response codes, to create a detailed proof-of-concept for responsible disclosure

9

Assess the impact of discovered files or directories, such as exposed admin panels, configuration leaks, or backup files, to prioritize reporting based on severity
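The path-discovery steps above (candidate generation from a wordlist and extension set, probing, status filtering, and triage of sensitive file types) are usually done with gobuster or ffuf. The script below is an added example, not code from the original page or from either tool; it reproduces the same logic in Python so the filtering and triage rules are explicit. The target, wordlist, and FAKE_SITE response table are constructed so it runs offline; pass http_status instead of fake_fetch to probe a real host.

```python
"""Added example: build a directory/extension brute-force candidate list,
probe it, keep the informative status codes, and triage sensitive hits.
Not from the original page; target and responses below are constructed."""
import re
from typing import Callable, Dict, Iterable, List, Tuple
from urllib.parse import urljoin
import urllib.error
import urllib.request

# Extensions worth probing (steps 4-5) and the ones that matter when found (step 6).
PROBE_EXTS = ["", ".php", ".aspx", ".jsp", ".html", ".js", ".config", ".bak", ".sql"]
SENSITIVE_EXTS = {
    ".conf": "configuration file", ".ini": "configuration file", ".config": "configuration file",
    ".sql": "database dump", ".db": "database file", ".log": "log file",
    ".bak": "backup file", ".old": "backup file", ".zip": "archive/backup",
}

def build_candidates(words: Iterable[str], exts: Iterable[str]) -> List[str]:
    """Cartesian product of wordlist entries and extensions (the gobuster -x idea),
    skipping blanks and comment lines and de-duplicating."""
    seen, out = set(), []
    for w in words:
        w = w.strip().strip("/")
        if not w or w.startswith("#"):
            continue
        for ext in exts:
            cand = f"{w}{ext}"
            if cand not in seen:
                seen.add(cand)
                out.append(cand)
    return out

def http_status(url: str, timeout: float = 5.0) -> int:
    """Real fetcher: HTTP status of a GET, 0 on a connection-level failure."""
    req = urllib.request.Request(url, headers={"User-Agent": "path-mapper/0.1"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code
    except urllib.error.URLError:
        return 0

def enumerate_paths(base: str, candidates: Iterable[str],
                    fetch: Callable[[str], int] = http_status,
                    keep: Tuple[int, ...] = (200, 204, 301, 302, 401, 403)) -> Dict[str, int]:
    """Probe each candidate and keep those whose status is in `keep`.
    401/403 and redirects are kept on purpose: they prove the path exists even if it is gated."""
    hits: Dict[str, int] = {}
    for cand in candidates:
        url = urljoin(base.rstrip("/") + "/", cand)
        code = fetch(url)
        if code in keep:
            hits[url] = code
    return hits

def classify(url: str) -> str:
    """Label a discovered URL with the sensitive-file categories from the checklist."""
    m = re.search(r"(\.[A-Za-z0-9]+)$", url.split("?")[0])
    if m and m.group(1).lower() in SENSITIVE_EXTS:
        return SENSITIVE_EXTS[m.group(1).lower()]
    if re.search(r"/(admin|manager|console)(/|$)", url):
        return "admin panel"
    return "generic"

def report(hits: Dict[str, int]) -> List[Tuple[str, int, str]]:
    """Sort hits so sensitive paths come first for triage (step 9)."""
    rows = [(u, c, classify(u)) for u, c in hits.items()]
    return sorted(rows, key=lambda r: (r[2] == "generic", r[0]))

# Constructed stand-in for a target so the example runs offline (not a real host).
FAKE_SITE = {
    "https://example.com/index.php": 200,
    "https://example.com/admin": 301,
    "https://example.com/config.bak": 200,
    "https://example.com/db.sql": 200,
    "https://example.com/app.js": 200,
}

def fake_fetch(url: str) -> int:
    return FAKE_SITE.get(url, 404)

if __name__ == "__main__":
    words = ["index", "admin", "config", "db", "app", "backup"]
    found = enumerate_paths("https://example.com", build_candidates(words, PROBE_EXTS), fake_fetch)
    for url, code, label in report(found):
        print(f"{code} {label:20s} {url}")
```

The default keep tuple is deliberately wider than the "200 only" filter many people start with: on a real engagement the 403 directories and the 301 from a bare directory name are the entries you cross-reference against the proxy site map in step 7.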


Data Flow

1

Configure a proxy tool to intercept and map the target website’s sitemap, capturing all accessible pages, endpoints, and resources to understand the application’s structure and data flow

2

Select multiple domains within the proxy tool’s sitemap and perform a targeted analysis to trace data interactions, identifying how requests and responses flow between domains, subdomains, or external services

3

Examine HTTP requests and responses in the sitemap to identify parameters, headers, and cookies, mapping how data is transmitted across endpoints like forms, APIs, or redirects

4

Analyze request chains to detect sensitive data (e.g., tokens, session IDs, or user inputs) passed between pages or domains, checking for improper handling or exposure

5

Identify cross-domain interactions by reviewing Referer headers, CORS policies, or API calls, assessing risks like data leakage or unauthorized access to external services

6

Inspect response bodies for sensitive information, such as inline JavaScript variables or hidden inputs, that may reveal internal data flows or configuration details

7

Document all data flow paths, including request sequences, parameter names, and sensitive data exposures, to create a comprehensive proof-of-concept for responsible disclosure

8

Assess the impact of identified data flow issues, such as exposed credentials, session mismanagement, or cross-origin vulnerabilities, to prioritize reporting based on severity
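Steps 3 to 6 of the Data Flow procedure are what Burp's "Find Parameters" style of analysis does over the site map: pull every place data enters a request (query, form body, cookies, Referer/Origin) and every place it leaves a response (Set-Cookie, CORS headers, hidden inputs, inline JavaScript), then flag the sensitive ones. The script below is an added example, not code from the original page or from Burp; the REQUEST and RESPONSE strings are a constructed exchange, not captured traffic, and the hostnames and values in them are invented.

```python
"""Added example (not from the original page): parse a captured HTTP exchange,
extract the parameters, cookies, hidden inputs and inline JS values that carry
data between endpoints, and flag the ones the Data Flow checklist asks about."""
import re
from typing import Dict, List, Tuple
from urllib.parse import urlsplit, parse_qsl

Pair = Tuple[str, str]
SENSITIVE = re.compile(r"token|sess|auth|key|secret|passw|jwt|csrf", re.I)
HIDDEN_INPUT = re.compile(r'<input[^>]*type=["\']hidden["\'][^>]*>', re.I)
ATTR = re.compile(r'(name|value)=["\']([^"\']*)["\']', re.I)
JS_VAR = re.compile(r'(?:var|let|const|window\.)\s*(\w+)\s*=\s*["\']([^"\']+)["\']')

def parse_http(raw: str) -> Tuple[str, List[Pair], str]:
    """Split a raw HTTP message into start line, header pairs (lower-cased names) and body.
    Headers are kept as a list because Set-Cookie legitimately repeats."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    headers: List[Pair] = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name:
            headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body

def header(headers: List[Pair], name: str) -> str:
    return next((v for k, v in headers if k == name), "")

def request_flows(raw: str) -> Dict[str, List[Pair]]:
    """Where data enters: query string, form body, cookies, cross-domain headers."""
    start, headers, body = parse_http(raw)
    target = start.split(" ")[1]
    flows: Dict[str, List[Pair]] = {
        "query": parse_qsl(urlsplit(target).query, keep_blank_values=True),
        "body": [], "cookie": [], "header": []}
    if "x-www-form-urlencoded" in header(headers, "content-type"):
        flows["body"] = parse_qsl(body.strip(), keep_blank_values=True)
    for c in header(headers, "cookie").split(";"):
        if "=" in c:
            k, v = c.strip().split("=", 1)
            flows["cookie"].append((k, v))
    for h in ("referer", "origin", "authorization"):
        if header(headers, h):
            flows["header"].append((h, header(headers, h)))
    return flows

def response_flows(raw: str) -> Dict[str, List[Pair]]:
    """Where data leaves: Set-Cookie, CORS headers, hidden inputs, inline JS variables."""
    _, headers, body = parse_http(raw)
    flows: Dict[str, List[Pair]] = {
        "set_cookie": [(k, v) for k, v in headers if k == "set-cookie"],
        "cors": [(k, v) for k, v in headers if k.startswith("access-control-")],
        "hidden": [], "js": JS_VAR.findall(body)}
    for tag in HIDDEN_INPUT.findall(body):
        attrs = {k.lower(): v for k, v in ATTR.findall(tag)}
        flows["hidden"].append((attrs.get("name", ""), attrs.get("value", "")))
    return flows

def findings(req: str, resp: str) -> List[str]:
    """Issues steps 4-6 look for: sensitive data in URLs, cross-domain referrers,
    credentialed CORS to another origin, cookies without HttpOnly, secrets in inline JS."""
    out: List[str] = []
    rq, rs = request_flows(req), response_flows(resp)
    host = header(parse_http(req)[1], "host")
    for name, _ in rq["query"]:
        if SENSITIVE.search(name):
            out.append(f"sensitive parameter '{name}' sent in query string (leaks via Referer and logs)")
    for h, v in rq["header"]:
        if h in ("referer", "origin") and urlsplit(v).hostname not in (None, host):
            out.append(f"cross-domain {h}: {v}")
    cors = dict(rs["cors"])
    if (cors.get("access-control-allow-credentials", "").lower() == "true"
            and cors.get("access-control-allow-origin") not in ("", f"https://{host}")):
        out.append(f"credentialed CORS for origin {cors['access-control-allow-origin']}")
    for _, v in rs["set_cookie"]:
        if "httponly" not in v.lower():
            out.append(f"cookie set without HttpOnly: {v.split(';')[0]}")
    for name, _ in rs["js"]:
        if SENSITIVE.search(name):
            out.append(f"inline JS exposes '{name}'")
    return out

# Constructed sample exchange (invented hosts and values, not captured traffic).
REQUEST = (
    "POST /api/transfer?token=eyJhbGciOiJIUzI1NiJ9.e30.sig HTTP/1.1\r\n"
    "Host: app.example.com\r\nContent-Type: application/x-www-form-urlencoded\r\n"
    "Cookie: sessionid=abc123; theme=dark\r\nReferer: https://partner.example.net/pay\r\n\r\n"
    "amount=100&to=ACCT-42\r\n")
RESPONSE = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
    "Set-Cookie: sessionid=def456; Path=/\r\n"
    "Access-Control-Allow-Origin: https://partner.example.net\r\n"
    "Access-Control-Allow-Credentials: true\r\n\r\n"
    '<form><input type="hidden" name="csrf" value="z9"></form>\n'
    '<script>var apiKey = "sk_live_constructed"; let theme = "dark";</script>\n')

if __name__ == "__main__":
    for f in findings(REQUEST, RESPONSE):
        print("-", f)
```

Run against saved Burp items (Right-click, Copy as raw or Save item) rather than live traffic; the value of the exercise is seeing the same session identifier or token show up in a query string, a cookie, and a response body, which is exactly the request chain step 4 asks you to trace.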


Race

1

Configure a proxy tool to intercept and map the target website’s sitemap, identifying critical endpoints like forms, API calls, or resource-modifying requests prone to race conditions

2

Select a specific domain or endpoint within the proxy tool’s sitemap and use an extension designed for rapid request manipulation to prepare for race condition testing

3

Send the selected request to a specialized tool within the proxy suite, enabling high-speed, concurrent request execution to simulate multiple simultaneous submissions

4

Modify the tool’s configuration to include a wordlist or parameter values, targeting inputs like session tokens, user IDs, or resource identifiers that could trigger race conditions

5

Execute the attack by sending multiple concurrent requests to the target endpoint, aiming to exploit timing issues that allow unauthorized actions, such as duplicate resource creation or privilege escalation

6

Monitor responses for anomalies, such as unexpected success codes, data overwrites, or inconsistent states, indicating a successful race condition exploit

7

Document the request sequence, timing details, and response outcomes to create a detailed proof-of-concept, including steps to reproduce the race condition

8

Assess the impact of the race condition, such as unauthorized access, data corruption, or resource abuse, to prioritize reporting based on severity for responsible disclosure
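The Race procedure above relies on a proxy extension (Turbo Intruder is the usual one) to release many copies of a request at the same instant and then compare the outcomes. The script below is an added example, not code from the original page or from that extension: it shows the mechanism with a thread barrier, runs it against a constructed single-use coupon endpoint in its unlocked (check-then-act) and locked forms, and applies the detection rule from step 6 (more successes than the business rule allows). CouponService, the 10 ms "database" delay, and the response strings are invented for the demonstration; http_sender shows how the same harness would replay one captured request against a real URL.

```python
"""Added example (not from the original page): fire N copies of an action at the
same instant and tally the results, against a constructed endpoint with a
check-then-act flaw and a locked version of the same endpoint."""
import http.client
import threading
import time
from collections import Counter
from typing import Callable, Dict, Optional
from urllib.parse import urlsplit

def fire_concurrent(send: Callable[[int], str], n: int = 20) -> Counter:
    """Start n threads, hold them at a barrier so they release together
    (the 'gate' idea behind Turbo Intruder), and return a tally of the responses."""
    barrier = threading.Barrier(n)
    results = [""] * n

    def worker(i: int) -> None:
        barrier.wait()           # nobody sends until everybody is ready
        results[i] = send(i)

    threads = [threading.Thread(target=worker, args=(i,)) for i in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return Counter(results)

def http_sender(url: str, method: str = "POST", body: bytes = b"",
                headers: Optional[Dict[str, str]] = None) -> Callable[[int], str]:
    """Build a send() for fire_concurrent that replays one captured request.
    One fresh connection per thread: weaker timing than last-byte sync, but enough
    for many web races. Status line is the 'response' that gets tallied."""
    parts = urlsplit(url)
    conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection

    def send(_i: int) -> str:
        conn = conn_cls(parts.netloc, timeout=10)
        conn.request(method, parts.path or "/", body=body, headers=headers or {})
        resp = conn.getresponse()
        status = f"{resp.status} {resp.reason}"
        conn.close()
        return status
    return send

class CouponService:
    """Constructed target: a coupon that may be redeemed once. With safe=False the
    handler reads state, does some 'database' work, then writes, with no lock:
    the classic time-of-check/time-of-use window a race attack exploits."""
    def __init__(self, safe: bool) -> None:
        self.redeemed = False
        self.safe = safe
        self.lock = threading.Lock()

    def redeem(self, _request_id: int) -> str:
        if self.safe:
            with self.lock:      # check and act become one atomic step
                return self._redeem()
        return self._redeem()

    def _redeem(self) -> str:
        if self.redeemed:
            return "409 already redeemed"
        time.sleep(0.01)         # simulated DB round-trip widens the race window
        self.redeemed = True
        return "200 redeemed"

def is_race_hit(tally: Counter, success: str = "200 redeemed", allowed: int = 1) -> bool:
    """Step 6's detection rule: more successes than the business rule permits."""
    return tally[success] > allowed

if __name__ == "__main__":
    for safe in (False, True):
        tally = fire_concurrent(CouponService(safe).redeem, n=20)
        verdict = "RACE" if is_race_hit(tally) else "ok"
        print("locked  " if safe else "unlocked", dict(tally), verdict)
```

Against a real target, replace CouponService(...).redeem with http_sender(...) built from the intercepted request and compare the tally with what the application should have allowed; a single extra 200, or a balance that moved twice, is the anomaly step 6 describes. Network jitter means a negative result from this harness proves less than a negative from a single-packet attack, so do not close the finding on one run.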


.Git File

1

Navigate to the target domain in a web browser.

2

Directly access the Git configuration file by visiting:

https://example.com/.git/config
3

Observe that the server responds with HTTP 200 OK and allows the .git/config file to be downloaded

4

Confirm that the .git/ directory is publicly accessible. Directory listing is not required and is usually disabled; a 200 for .git/HEAD whose body reads "ref: refs/heads/<branch>" (or a 40-character commit hash) is sufficient, because dumping tools reconstruct the repository from fixed, predictable paths (HEAD, config, index, refs/, objects/xx/...)

5

Use an automated dumping tool (e.g., git-dumper) to retrieve the exposed repository

./git_dumper.py https://victim.com/.git/ /tmp/victim-source
6

Wait for the tool to finish downloading the full .git directory and reconstruct the repository. If some object paths were blocked the dump will be partial; running git fsck or git status in the dumped directory shows which objects are missing

7

Navigate to the dumped repository directory

cd /tmp/victim-source
8

Review the commit history

git log
9

Inspect source code and commit diffs for sensitive information such as

  • API keys

  • Database credentials

  • Access tokens

  • Internal endpoints

10

Confirm that sensitive secrets are exposed within the source code or Git history

11

Verify that full source code access is achieved without authentication

12

Conclude that the exposed .git/ directory results in full source code disclosure and potential compromise of the application
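The .Git File procedure above confirms exposure by hand and then hands reconstruction to git-dumper. The script below is an added example, not code from the original page or from git-dumper: it automates steps 2 to 4 (fetch .git/HEAD and .git/config, check their contents are well formed, read the branch and remote), shows what the dumper actually does with each objects/xx/yyyy file (zlib-inflate, split the "type size\0" header, verify the SHA-1 against the file name), and applies a secret scan of the kind step 9 describes. FAKE_REPO, make_blob, the regexes in SECRET_PATTERNS, and the sample blob contents are constructed for the demonstration; pass http_get instead of fake_fetch to check a real host.

```python
"""Added example (not from the original page or git-dumper): confirm an exposed
.git/ directory from the files it must contain, decode a dumped loose object
the way git stores it, and scan the recovered content for secrets."""
import hashlib
import re
import urllib.error
import urllib.request
import zlib
from typing import Callable, Dict, List, Optional, Tuple

HEAD_REF = re.compile(r"^ref: refs/heads/[\w./-]+\n?$")
SHA1 = re.compile(r"^[0-9a-f]{40}\n?$")
# Constructed detection patterns covering the secret types listed in step 9.
SECRET_PATTERNS = {
    "aws_access_key": re.compile(r"AKIA[0-9A-Z]{16}"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "db_url_with_password": re.compile(r"[a-z]+://[^:/\s]+:[^@\s]+@[^\s]+", re.I),
    "generic_assignment": re.compile(r"(?i)(password|secret|api[_-]?key|token)\s*[:=]\s*['\"][^'\"]{6,}['\"]"),
}

def http_get(url: str) -> Optional[bytes]:
    """Real fetcher: body on 200, None on any error (4xx/5xx/connection)."""
    try:
        with urllib.request.urlopen(url, timeout=10) as r:
            return r.read() if r.status == 200 else None
    except (urllib.error.HTTPError, urllib.error.URLError):
        return None

def check_git_exposure(base: str, fetch: Callable[[str], Optional[bytes]] = http_get) -> Dict[str, object]:
    """Steps 2-4: .git/HEAD and .git/config live at fixed paths and have recognisable
    contents, so a 200 with well-formed content confirms exposure without a listing."""
    base = base.rstrip("/") + "/.git/"
    head, config = fetch(base + "HEAD"), fetch(base + "config")
    result: Dict[str, object] = {"head_valid": False, "config_valid": False, "branch": None, "remote": None}
    if head is not None:
        text = head.decode("utf-8", "replace")
        result["head_valid"] = bool(HEAD_REF.match(text) or SHA1.match(text))
        if text.startswith("ref: refs/heads/"):
            result["branch"] = text.split("refs/heads/", 1)[1].strip()
    if config is not None:
        text = config.decode("utf-8", "replace")
        result["config_valid"] = "[core]" in text
        m = re.search(r'\[remote "origin"\]\s*(?:.*\n)*?\s*url\s*=\s*(\S+)', text)
        result["remote"] = m.group(1) if m else None
    result["exposed"] = bool(result["head_valid"] and result["config_valid"])
    return result

def decode_loose_object(raw: bytes) -> Tuple[str, str, bytes]:
    """A loose object is zlib(<type> <size>\\0<content>) stored at objects/ab/cdef...,
    where ab+cdef... is the SHA-1 of the uncompressed bytes. Returns (type, sha1, content)
    and refuses objects whose declared size does not match (truncated or tampered dump)."""
    data = zlib.decompress(raw)
    header, _, content = data.partition(b"\x00")
    otype, size = header.decode().split(" ")
    if int(size) != len(content):
        raise ValueError("size mismatch: corrupt or truncated object")
    return otype, hashlib.sha1(data).hexdigest(), content

def scan_secrets(text: str) -> List[str]:
    """Names of the SECRET_PATTERNS that match; run over every blob and every diff."""
    return [name for name, pat in SECRET_PATTERNS.items() if pat.search(text)]

def make_blob(content: bytes, declared_size: Optional[int] = None) -> bytes:
    """Build a loose blob the way git does (declared_size lets a test forge a bad header)."""
    size = len(content) if declared_size is None else declared_size
    return zlib.compress(b"blob %d\x00" % size + content)

# Constructed repository artefacts (invented host and remote, not a real target).
FAKE_REPO = {
    "https://example.com/.git/HEAD": b"ref: refs/heads/main\n",
    "https://example.com/.git/config": (b"[core]\n\trepositoryformatversion = 0\n"
                                         b'[remote "origin"]\n\turl = git@github.com:acme/webapp.git\n'),
}

def fake_fetch(url: str) -> Optional[bytes]:
    return FAKE_REPO.get(url)

if __name__ == "__main__":
    print(check_git_exposure("https://example.com", fake_fetch))
    blob = make_blob(b'DB_URL = "postgres://app:hunter22@db.internal:5432/prod"\n'
                     b'AWS_KEY = "AKIAIOSFODNN7EXAMPLE"\n')
    otype, sha, content = decode_loose_object(blob)
    print(otype, sha, scan_secrets(content.decode()))
```

The SHA-1 check is the reason to decode rather than trust file names: a dump that fetched a cached or error page under an object path will fail it, and git fsck in the reconstructed repository will report the same object as missing or corrupt.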


Cheat Sheet

Path

Burp Suite


Mapping a Website with Burp Suite


Crawling a Website with Burp Suite


Data Flow


Find Parameters


Race

