
Web Application Enumeration:

Web application enumeration is a phase of web application penetration testing. It involves gathering
information about, and identifying, the components, functionality and potential weaknesses of a web
application. Thorough enumeration gives the tester a picture of the application's architecture, the
technologies behind it and the attack surface that later tests will target.

Websites usually contain directories and files that are not linked from any page. To find these hidden
directories I will be using the feroxbuster tool.

Feroxbuster is a tool designed for web content discovery and directory/file enumeration. It is used for
finding hidden files and directories on web servers by performing brute-force and recursive directory
and file searches. The tool works by sending HTTP requests to a target web server, checking the
response codes, and analyzing the content to identify existing directories and files. It uses wordlists to
generate different paths and filenames to be tested during the scanning process.

feroxbuster -u http://pwst-server:8002/ -n -t 10 -L 10 -w ~/Desktop/pwst-resources/pwst-resources/scripts/SecLists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -o feroxbuster.txt

feroxbuster: invokes the feroxbuster tool.

-u http://pwst-server:8002/: the target URL to scan, here http://pwst-server:8002/.

-n: short for --no-recursion. By default feroxbuster recurses into every directory it finds; -n restricts
the scan to the wordlist entries directly under the starting URL.

-t 10: short for --threads. Sets the number of concurrent worker threads to 10 (the default is 50).
Lowering it is the usual way to avoid overwhelming a small target or tripping rate limiting. It is not a
timeout; the per-request timeout is -T/--timeout, default 7 seconds.

-L 10: short for --scan-limit. Caps the number of directory scans running at the same time at 10. It is
not a recursion depth (that is -d/--depth, default 4), and because -n is also given only the single
top-level scan exists, so this flag has no practical effect in this command.

-w ~/Desktop/pwst-resources/pwst-resources/scripts/SecLists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt:
the wordlist used for directory brute-forcing, here SecLists' directory-list-lowercase-2.3-medium.txt.
Adjust the path to wherever SecLists is checked out on your machine.

-o feroxbuster.txt: writes the results to feroxbuster.txt, one line per discovered URL with its status
code, method and response size counts.

grep "200" feroxbuster.txt | tr -s " " | cut -d " " -f 6

grep "200" feroxbuster.txt: keeps the lines of feroxbuster.txt that contain the string "200". The intent
is to select responses with HTTP status 200, but grep matches the substring anywhere on the line, so a
404 whose byte count happens to be 1200c is kept as well. Anchoring the pattern to the start of the line,
where feroxbuster prints the status code, avoids that.

tr -s " ": squeezes runs of consecutive spaces into a single space, so that the columns feroxbuster pads
for alignment become fields separated by exactly one space.
cut -d " " -f 6: splits each line on the single space (-d " ") and prints the 6th field (-f 6). Feroxbuster's
report lines have the layout "status method lines words chars url", so the 6th field is the discovered
URL.

Taken together, the pipeline turns the scan report into a bare list of the URLs that answered with 200.

grep -v "400" New_feroxbuster.txt

grep -v "400" New_feroxbuster.txt prints every line of New_feroxbuster.txt that does not contain the
string "400"; the -v option inverts the match. As above, this is a plain substring match, so any line with
400 anywhere in it, including inside a URL or a byte count, is dropped as well.

The screenshot below shows that Juice Shop uses hash-based routing (the "#" in its URLs). With this
approach, navigating between sections of the site changes only the part of the URL after "#", while the
document loaded from the server stays the same.

Let's break down the different components of the URL:

http:// specifies the protocol used to access the website, in this case, HTTP.

pwst-server is the hostname or domain name of the server hosting the website.

8002 is the port number on which the server is listening for incoming HTTP requests.

#/score-board is the fragment identifier, everything after the "#". Its "/..." shape shows that the site
uses hash-based routing; "score-board" names the section of the application to display.

When you open this URL, the browser requests only http://pwst-server:8002/ from the server. The fragment
is never sent in the HTTP request, so it does not appear in server logs or in an intercepting proxy. The
JavaScript shipped with the page then reads the fragment (#/score-board) and renders the matching view,
here the score board. This also means a directory brute-forcer such as feroxbuster cannot discover these
routes: they exist only in client-side code, and the route table is found by reading the application's
JavaScript bundle rather than by requesting paths from the server.
These are the routes handled by the hash-based router.
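The split between what the server receives and what the client-side router acts on, as an added example in Python (not part of the original write-up and not Juice Shop's code): urllib.parse separates the fragment from the rest of the URL, and a small route table stands in for the front end's router. The route names other than score-board are assumptions made for the demonstration.

```python
"""Added example (not from the original write-up): what a hash-routed URL looks like
to the server versus to the client-side router."""
from urllib.parse import urlsplit

# Routes a single-page app's JavaScript bundle might register. These are assumed
# for illustration; they are not Juice Shop's actual route table.
CLIENT_ROUTES = {"": "home", "score-board": "score board", "administration": "admin panel"}


def request_target(url: str) -> str:
    """The part of the URL the browser puts in the HTTP request line.
    Fragments (RFC 3986) never leave the client, so the server, its logs and an
    intercepting proxy only ever see the path and query."""
    parts = urlsplit(url)
    path = parts.path or "/"
    return f"{path}?{parts.query}" if parts.query else path


def client_route(url: str) -> str:
    """The route a hash router derives from the fragment: '#/score-board' -> 'score-board'."""
    frag = urlsplit(url).fragment            # '/score-board'
    return frag.lstrip("/").split("?")[0]    # drop the leading '/' and any fragment-local query


def resolve(url: str) -> str:
    """Dispatch the way a hash router would; an unknown fragment is a client-side 404
    that the server is never asked about."""
    return CLIENT_ROUTES.get(client_route(url), "404 (client-side, server never asked)")


if __name__ == "__main__":
    for u in ("http://pwst-server:8002/#/score-board", "http://pwst-server:8002/#/nope"):
        print(u, "-> server sees", request_target(u), "| client shows", resolve(u))
```

Both sample URLs produce the same request target, "/", which is why route enumeration for a hash-routed application is a matter of reading the shipped JavaScript, not of wordlist requests.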

Robots.txt and security.txt

Robots.txt: tells web crawlers which parts of a site they may and may not fetch. Because its Disallow
entries point at paths the owner would rather keep out of search engines, it is a cheap first stop during
enumeration; Juice Shop's robots.txt, for example, disallows /ftp.

Security.txt: a text file, standardised in RFC 9116 and served from /.well-known/security.txt, in which a
site owner publishes how to report vulnerabilities: a contact address, a PGP key, a disclosure policy and
similar fields. It is aimed at security researchers and ethical hackers who find a problem with the site.

SQL Injection
SQL injection is a type of vulnerability where an attacker can manipulate an application’s SQL query
through untrusted user input. By exploiting this vulnerability, an attacker can execute unintended SQL
commands and potentially gain unauthorized access to a database, extract sensitive data, modify data
or perform other malicious actions.

Problem:
In the screenshot, the red arrow points at the text we typed into the login field, reflected unchanged in
the request shown in Repeater. When that request is sent, the green arrow points at the response: an
SQLite error. An error, rather than a plain "invalid credentials" result, means our input is being placed
inside the SQL text without escaping, which is what makes the endpoint injectable.

The part highlighted in blue reveals the query: our email is compared against the email column
(SELECT * FROM Users WHERE email = 'test'..., so the guess was right), an AND joins it to a password
comparison in which the password is hashed before being compared, and a final deletedAt IS NULL
condition restricts the match to accounts that have not been soft-deleted (a non-null deletedAt marks a
deleted account, so only existing accounts can log in).

Using "test' OR 1=1;--" as the email gives the following result:
As the screenshot shows, because the input was concatenated into the query instead of being bound as a
parameter, OR 1=1 makes the WHERE clause true for every row and -- comments out the password and
deletedAt checks. The first user returned is the administrator, so we are logged in as admin.

Problem: Order the Christmas special offer of 2014

(https://pwning.owasp-juice.shop/part2/injection.html)
After sending the product-search request to Repeater, we play with the q parameter of the URL to see
whether it is vulnerable to SQL injection. Appending '; to the value of q= produces a database syntax
error instead of an empty result set. A syntax error caused by our input is proof that the input is
concatenated into the query text; from here on the only job is to supply SQL that does what we want.

The SQL query after appending '; to the existing URL looks like

SELECT * FROM Products WHERE ((name LIKE '%';%' OR description LIKE '%';%') AND deletedAt IS NULL) ORDER BY name

Please note that: % is a wildcard character used for pattern matching in SQL queries, while * is used in
SQL as a shorthand to select all columns in a table

Example:

SQL: SELECT * FROM products WHERE name LIKE '%apple%'

This query will select all rows from the products table where the name contains the substring "apple"
anywhere within the string. For example, it would match "apple", "pineapple", "crabapple", etc.

Now, if we make the query read:

SELECT * FROM Products WHERE ((name LIKE '%'))--;%' OR description LIKE '%'))--;%') AND deletedAt IS NULL) ORDER BY name

the two closing parentheses in our input balance the ones the application opened, and the -- turns
everything after it, including the AND deletedAt IS NULL condition, into a comment. What actually runs
is SELECT * FROM Products WHERE ((name LIKE '%')), which matches every product, deleted ones included,
so the hidden products are returned. The screenshot below shows the result; note that the id of the
Christmas Super-Surprise-Box is 10.
Next we go back to the HTTP proxy, find the request to http://pwst-server:8002/rest/basket/0 and send
it to Repeater.
In Repeater we change the 0 in the GET request to 10, and the output is shown in the screenshot:
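Both injections above, the login bypass with test' OR 1=1;-- and the product search with '))--, as an added example that is not taken from the write-up or from Juice Shop's code: the two query shapes the page reconstructs are rebuilt over an in-memory SQLite database, once with string concatenation as the vulnerable application does and once with bound parameters. Table rows, credentials and product ids are constructed for the demo; the MD5 password hashing mirrors what Juice Shop does so the vulnerable path reproduces the page's behaviour. The page's search payload ends in an extra ; after the --; it behaves the same, since everything after -- is a comment.

```python
"""Added example (not from the original write-up): Juice Shop's login and product
search queries rebuilt over in-memory SQLite, vulnerable and parameterised."""
import hashlib
import sqlite3


def md5(s: str) -> str:
    # Juice Shop hashes passwords with unsalted MD5; reproduced for fidelity, not as advice
    return hashlib.md5(s.encode()).hexdigest()


def build_db() -> sqlite3.Connection:
    """Constructed data: two users and two products, one of them soft-deleted."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE Users(id INTEGER PRIMARY KEY, email TEXT, password TEXT, deletedAt TEXT);
        CREATE TABLE Products(id INTEGER PRIMARY KEY, name TEXT, description TEXT, deletedAt TEXT);
    """)
    db.executemany("INSERT INTO Users VALUES (?,?,?,?)", [
        (1, "admin@juice-sh.op", md5("admin123"), None),
        (2, "jim@juice-sh.op", md5("ncc-1701"), None),
    ])
    db.executemany("INSERT INTO Products VALUES (?,?,?,?)", [
        (1, "Apple Juice", "The all-time classic.", None),
        (10, "Christmas Super-Surprise-Box (2014 Edition)", "Seasonal offer", "2014-12-31"),
    ])
    return db


# --- vulnerable: the page's queries, built by string concatenation ----------------
def login_vulnerable(db, email: str, password: str):
    sql = (f"SELECT * FROM Users WHERE email = '{email}' "
           f"AND password = '{md5(password)}' AND deletedAt IS NULL")
    return db.execute(sql).fetchone()   # first matching row wins, as in the application


def search_vulnerable(db, q: str):
    sql = (f"SELECT * FROM Products WHERE ((name LIKE '%{q}%' OR description LIKE '%{q}%') "
           f"AND deletedAt IS NULL) ORDER BY name")
    return db.execute(sql).fetchall()


# --- fixed: same queries, user input bound as parameters -------------------------
def login_safe(db, email: str, password: str):
    return db.execute("SELECT * FROM Users WHERE email = ? AND password = ? AND deletedAt IS NULL",
                      (email, md5(password))).fetchone()


def search_safe(db, q: str):
    like = f"%{q}%"   # the wildcards stay in the data, never in the SQL text
    return db.execute("SELECT * FROM Products WHERE ((name LIKE ? OR description LIKE ?) "
                      "AND deletedAt IS NULL) ORDER BY name", (like, like)).fetchall()


def probe(db, q: str) -> str:
    """The page's first test: a stray quote must raise a syntax error, proving the
    input lands inside the SQL text instead of being treated as data."""
    try:
        search_vulnerable(db, q)
        return "no error"
    except sqlite3.OperationalError as e:
        return f"SQLITE_ERROR: {e}"


if __name__ == "__main__":
    db = build_db()
    print(probe(db, "';"))
    print("vulnerable login :", login_vulnerable(db, "test' OR 1=1;--", "whatever"))
    print("vulnerable search:", search_vulnerable(db, "'))--"))
    print("safe login       :", login_safe(db, "test' OR 1=1;--", "whatever"))
    print("safe search      :", search_safe(db, "'))--"))
```

With the vulnerable functions the login payload returns the admin row and the search payload returns both products, deleted Christmas box included; with the parameterised versions the same inputs are just strings that match nothing.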

SQLMAP Tool:

1. Identify the parameters to test
2. Identify the SQL injection technique to use
3. Fingerprint the backend database (to gather info)
4. Attempt to exploit the vulnerabilities
