Hacking Web

Burp Suite tool set

  • Turbo Intruder

  • Collaborator Everywhere

  • Request to Python

  • Hackvertor

It is a good idea to get in the habit of using non-standard file names and parameters for our web shells, for example `system($_GET['dcfdd5e021a869fcc6dfaef8bf31377e']);`.

Polyglot payload: `${{<%[%'"}}%\\.`

Identifying Web Technologies by Tokens, Headers, and Cookies

| Language/Framework | Common Headers or Cookies | Token Patterns | Additional Indicators |
|---|---|---|---|
| PHP | `PHPSESSID`, `laravel_session`, `ci_session` | CSRF: `csrf_test_name`, `X-CSRF-TOKEN` (Laravel); JWT: `Authorization: Bearer` | Cookie length; Base64-encoded tokens |
| Python (Django) | `csrftoken`, `sessionid` | CSRF: `X-CSRFToken`; JWT: `Authorization: Bearer` | Use of headers like `X-CSRFToken` |
| Ruby on Rails | `_rails_session`, `_csrf_token` | CSRF: `authenticity_token` in forms | Clean URLs; RESTful route names |
| Java (Spring) | `JSESSIONID` | CSRF: `X-CSRF-TOKEN`; JWT: `Authorization: Bearer` | Common names like `JSESSIONID` |
| Node.js (Express) | `connect.sid` | JWT: `Authorization: Bearer` | Routes like `/api` or `/auth`; custom headers |
| ASP.NET | `.ASPXAUTH`, `.AspNet.Session` | CSRF: `__RequestVerificationToken` in forms; JWT: `Authorization: Bearer` | Cookies with `.ASPX` |
| ASP.NET Core | `.AspNetCore.Session`, `.AspNetCore.Identity` | CSRF: `RequestVerificationToken` | Middleware for JWT and OAuth2 |
| Laravel (PHP) | `laravel_session`, `XSRF-TOKEN` | CSRF: `X-CSRF-TOKEN` | SHA-256 encoded tokens |
| CodeIgniter (PHP) | `ci_session` | CSRF: `csrf_test_name` in forms | Lightweight cookies, basic values |
| Angular (Frontend) | `X-XSRF-TOKEN`, `Authorization: Bearer` | JWT in headers or cookies | Common use of AngularJS in SPAs |
| React (Frontend) | `Authorization: Bearer` | JWT and OAuth2 | Tokens managed in local storage or cookies |
| Vue.js (Frontend) | `Authorization: Bearer`, `X-XSRF-TOKEN` | Similar to Angular | Libraries for handling CSRF and OAuth2 |
| Flask (Python) | `session`, `csrf_token` | JWT: `Authorization: Bearer` | RESTful APIs with clear routes |
| FastAPI (Python) | `Authorization: Bearer` | JWT: `Authorization: Bearer` | Similar to Flask, more OpenAPI oriented |
| Symfony (PHP) | `PHPSESSID`, `symfony` | CSRF: tokens in forms | Custom cookie names |
| Spring Boot (Java) | `JSESSIONID` | JWT: `Authorization: Bearer`; CSRF: `X-CSRF-TOKEN` | RESTful routes like `/v1/api/` |
| Express.js (Node) | `connect.sid` | JWT in headers | Flexible cookie and middleware handling |
| Django Rest Framework (Python) | `Authorization: Bearer` | JWT: `Authorization: Bearer` | REST prefixes in routes, like `/api/v1/` |
| Next.js (React) | `Authorization: Bearer`, custom cookies | CSRF or JWT tokens | Combined use of APIs and SSR |
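As an added example (not part of the original notes), the script below applies the cookie and header names from the table above to a captured HTTP request or response and reports which stack they point to; it is equally useful for checking what your own application discloses. The sample messages are constructed, and the mapping is only as reliable as the table (a generic `session` cookie, for instance, is a weak hint).

```python
COOKIE_INDICATORS = {  # cookie name -> framework, from the table above
    "phpsessid": "PHP", "laravel_session": "Laravel (PHP)",
    "xsrf-token": "Laravel (PHP)", "ci_session": "CodeIgniter (PHP)",
    "csrftoken": "Python (Django)", "sessionid": "Python (Django)",
    "_rails_session": "Ruby on Rails", "jsessionid": "Java (Spring)",
    "connect.sid": "Node.js (Express)", ".aspxauth": "ASP.NET",
    ".aspnet.session": "ASP.NET", ".aspnetcore.session": "ASP.NET Core",
    ".aspnetcore.identity": "ASP.NET Core",
    "session": "Flask (Python) [weak: generic name]",
}
HEADER_INDICATORS = {  # header name -> framework, from the table above
    "x-csrftoken": "Python (Django)",
    "x-csrf-token": "Laravel (PHP) or Java (Spring)",
    "x-xsrf-token": "Angular or Vue.js (Frontend)",
}

def parse_headers(raw):
    """Return (name, value) pairs from a raw HTTP request or response head."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:  # skip the request/status line
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip().lower(), value.strip()))
    return pairs

def cookie_names(headers):
    """Cookie names from Set-Cookie (one per header) and Cookie (many per header)."""
    names = []
    for name, value in headers:
        if name == "set-cookie":
            names.append(value.split("=", 1)[0].strip().lower())
        elif name == "cookie":
            names += [c.split("=", 1)[0].strip().lower() for c in value.split(";")]
    return names

def fingerprint(raw):
    """Sorted list of stacks indicated by the message's cookie and header names."""
    headers = parse_headers(raw)
    hits = {COOKIE_INDICATORS[c] for c in cookie_names(headers) if c in COOKIE_INDICATORS}
    hits |= {HEADER_INDICATORS[h] for h, _ in headers if h in HEADER_INDICATORS}
    if any(h == "authorization" and v.lower().startswith("bearer ") for h, v in headers):
        hits.add("JWT/OAuth2 bearer token (framework-agnostic)")
    return sorted(hits)

# Constructed sample: a Laravel-style response (not a real capture).
SAMPLE_RESPONSE = ("HTTP/1.1 200 OK\r\nServer: nginx\r\n"
                   "Set-Cookie: laravel_session=abc123; Path=/; HttpOnly\r\n"
                   "Set-Cookie: XSRF-TOKEN=def456; Path=/\r\n\r\n<html></html>")
```

Feed it the raw text of a message copied from Burp's proxy history; `fingerprint(SAMPLE_RESPONSE)` returns `['Laravel (PHP)']`.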

External reconnaissance

Understanding where the target's infrastructure resides is extremely important for our testing. We have to ensure we are not interacting with infrastructure that is out of scope.

IP Space

  • Identify the valid ASN for the target.

  • Find netblocks used for the organization’s public-facing infrastructure.

  • Check for cloud presence and hosting providers.

  • Review DNS record entries.

    Tools:

  • Domain Information

    • Based on IP data, DNS, and site registrations.

    • Who administers the domain?

    • Are there any subdomains tied to the target?

    • Publicly accessible domain services (Mail servers, DNS, Websites, VPN portals, etc.).

    • Can we determine what kind of defenses are in place? (SIEM, AV, IPS/IDS in use).

    • Manual DNS record requests against the domain in question or against well-known DNS servers, such as 8.8.8.8.

      Tools:

  • Schema Format

    • Can we discover email accounts, AD usernames, and password policies?

    • Use this information to build a valid username list for testing external-facing services (password spraying, credential stuffing, brute force, etc.).

    • Often, the public website for a corporation will have relevant info embedded. News articles, embedded documents, and the "About Us" and "Contact Us" pages can also be gold mines.

    • Search LinkedIn, Twitter, Facebook, your region's major social media sites, news articles, and any other relevant sources of information about the organization.

  • Data Disclosures

  • Breach Data
