Map Execution Paths through applications
Map the target application and understand its principal workflows (paths, data flow and race conditions).
You may use automatic spidering tools such as Zed Attack Proxy (ZAP).
Spidering
HTTRack
HTTRack tutorial
Create a folder in which to replicate your target.
| mkdir targetsite
httrack domain.com targetsite/
|
Interactive mode:
EyeWitness
EyeWitness tutorial
First, create a file with the target domains, for instance listOfdomains.txt.
Then, run:
| eyewitness --web -f listOfdomains.txt -d path/to/save/
|
After that you will get a report.html file with the request and a screenshot of those domains.
| # Proxying the request via BurpSuite
eyewitness --web -f listOfdomains.txt -d path/to/save/ --proxy-ip 127.0.0.1 --proxy-port 8080
|
Directory/File enumeration
nmap
| nmap -sV -p80 --script=http-enum <target>
|
dirb
Cheat sheet with dirb.
| dirb http://domain.com /usr/share/metasploit-framework/data/wordlists/directory.txt
|
gobuster
Gobuster:
| gobuster dir -u <exact target url> -w </path/dic.txt> -b 403,404 -x .php,.txt -r
# -b: exclude responses with these HTTP status codes from the results
# -r: follow redirects
# -x: append these extensions to each path taken from the dictionary
|
Ffuf
Ffuf:
| ffuf -w /path/to/wordlist -u https://target/FUZZ
# Assuming that the default virtual host response size is 4242 bytes, we can filter out all responses of that size (`-fs 4242`) while fuzzing the Host header:
ffuf -w /path/to/vhost/wordlist -u https://target -H "Host: FUZZ" -fs 4242
# Enumerating directories and folders:
ffuf -recursion -recursion-depth 1 -u http://$ip/FUZZ -w /usr/share/wordlists/seclists/Discovery/Web-Content/raft-small-directories-lowercase.txt
# -recursion: activates the recursive scan
# -recursion-depth 1: specifies the maximum depth to scan
# fuzz a combination of folder names, with a wordlist of possible files and a dictionary of extensions
ffuf -w ./folders.txt:FOLDERS,./wordlist.txt:WORDLIST,./extensions.txt:EXTENSIONS -u http://$ip/FOLDERS/WORDLISTEXTENSIONS
|
Wfuzz
Wfuzz
feroxbuster
feroxbuster
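Seen from the server side, the wordlist-driven enumeration performed by the tools above shows up as a burst of requests from one client that mostly return 404. The following is an added example, not part of the original page: it assumes a combined-format access log, and the thresholds, function names and sample log lines are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original page): flag clients whose traffic looks
# like wordlist-driven directory/file enumeration in a combined-format log.
MIN_REQUESTS=5    # assumption: ignore clients with fewer requests than this
MIN_404_PCT=80    # assumption: flag when >= this share of requests got a 404

# Constructed sample log (documentation IP ranges, not real traffic).
sample_log() {
cat <<'EOF'
198.51.100.7 - - [04/Feb/2024:10:00:01 +0000] "GET /admin HTTP/1.1" 404 153 "-" "-"
198.51.100.7 - - [04/Feb/2024:10:00:01 +0000] "GET /backup HTTP/1.1" 404 153 "-" "-"
198.51.100.7 - - [04/Feb/2024:10:00:01 +0000] "GET /backup.php HTTP/1.1" 404 153 "-" "-"
198.51.100.7 - - [04/Feb/2024:10:00:02 +0000] "GET /config.txt HTTP/1.1" 404 153 "-" "-"
198.51.100.7 - - [04/Feb/2024:10:00:02 +0000] "GET /login HTTP/1.1" 200 2048 "-" "-"
198.51.100.7 - - [04/Feb/2024:10:00:02 +0000] "GET /test HTTP/1.1" 404 153 "-" "-"
203.0.113.20 - - [04/Feb/2024:10:01:10 +0000] "GET / HTTP/1.1" 200 5120 "-" "-"
203.0.113.20 - - [04/Feb/2024:10:01:11 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "-"
203.0.113.20 - - [04/Feb/2024:10:01:11 +0000] "GET /css/site.css HTTP/1.1" 200 900 "-" "-"
203.0.113.20 - - [04/Feb/2024:10:01:12 +0000] "GET /favicon.ico HTTP/1.1" 404 153 "-" "-"
203.0.113.20 - - [04/Feb/2024:10:02:30 +0000] "GET / HTTP/1.1" 200 5120 "-" "-"
192.0.2.9 - - [04/Feb/2024:10:03:00 +0000] "GET /old HTTP/1.1" 404 153 "-" "-"
192.0.2.9 - - [04/Feb/2024:10:03:05 +0000] "GET /old/ HTTP/1.1" 404 153 "-" "-"
EOF
}

# Reads an access log on stdin and prints "ip requests not_found distinct_paths"
# for every client that meets both thresholds, sorted by IP string.
detect_enumeration() {
  awk -v min_req="$MIN_REQUESTS" -v min_pct="$MIN_404_PCT" '
    {
      ip = $1; path = $7; status = $9          # combined-log field positions
      total[ip]++
      if (status == 404) notfound[ip]++
      if (!seen[ip, path]++) distinct[ip]++    # count each path once per client
    }
    END {
      for (ip in total)
        if (total[ip] >= min_req && notfound[ip] * 100 >= min_pct * total[ip])
          print ip, total[ip], notfound[ip], distinct[ip]
    }' | sort
}

sample_log | detect_enumeration
```

Tune both thresholds against a baseline of normal traffic for the site, since broken links and crawlers also generate 404s.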
Last update: 2024-02-04
Created: December 24, 2023 11:19:43