
# Hacking Web

## Burp Suite extensions

* Turbo Intruder
* Collaborator Everywhere
* Request to Python (e.g. the Copy As Python-Requests extension)
* Hackvertor

{% hint style="info" %}
Get into the habit of using non-standard file names and parameter names for web shells, e.g. `system($_GET['dcfdd5e021a869fcc6dfaef8bf31377e']);` instead of the usual `cmd`. A random parameter name keeps scanners and other attackers from finding and reusing the shell, and avoids trivial `cmd=` signatures in WAF and IDS rules.
{% endhint %}

## SSTI polyglot payload

Inject this string into every reflected parameter. It combines the opening delimiters of several template engines (`${`, `{{`, `<%`, `[%`, `%`), so if the value reaches a template renderer the engine usually fails to parse it and answers with a 500 or a stack trace that names the engine. A verbatim reflection means the value was treated as data, not as a template.

```text
${{<%[%'"}}%\\.
```
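Added example (not code from the original page): a small helper that builds the probe URL with the polyglot percent-encoded, and triages the response by status change and engine-specific error strings. The engine signature table and the sample responses are constructed for illustration; the polyglot is used with a single literal backslash before the dot.

```python
"""Added example (not from the original page): build the SSTI probe request
and triage the response. The engine error signatures and the sample
responses below are constructed for illustration."""
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# The polyglot from the page, with a single literal backslash before the dot.
POLYGLOT = r"""${{<%[%'"}}%\."""

# Substrings that commonly appear in a template engine's parse-error output.
# Illustrative, not exhaustive: extend with whatever the target leaks.
ENGINE_ERRORS = {
    "Jinja2 (Python)": ("jinja2.exceptions", "TemplateSyntaxError"),
    "Mako (Python)": ("mako.exceptions", "mako.runtime"),
    "Twig (PHP)": ("Twig\\Error\\SyntaxError", "Twig_Error_Syntax"),
    "Smarty (PHP)": ("SmartyCompilerException",),
    "FreeMarker (Java)": ("freemarker.core", "FreeMarker template error"),
    "Velocity (Java)": ("org.apache.velocity", "ParseErrorException"),
    "Thymeleaf (Java)": ("org.thymeleaf", "TemplateProcessingException"),
    "ERB (Ruby)": ("(erb):",),
}


def build_probe_url(url: str, param: str, payload: str = POLYGLOT) -> str:
    """Return `url` with `param` set to the percent-encoded payload.

    Encoding matters: a raw '%' in the polyglot would otherwise be read by
    the server as the start of a percent-escape, not as part of the payload.
    """
    parts = urlsplit(url)
    pairs = [(k, payload if k == param else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    if param not in dict(pairs):
        pairs.append((param, payload))
    return urlunsplit(parts._replace(query=urlencode(pairs)))


def engines_in(body: str) -> list:
    """Template engines whose error signatures appear in a response body."""
    return [name for name, sigs in ENGINE_ERRORS.items()
            if any(sig in body for sig in sigs)]


def assess(baseline_status: int, probe_status: int, probe_body: str) -> dict:
    """Triage one probe: a new 5xx or an engine error string deserves a manual
    look; a verbatim reflection of the payload means it was treated as data."""
    engines = engines_in(probe_body)
    new_error = probe_status >= 500 and probe_status != baseline_status
    return {
        "suspicious": bool(engines) or new_error,
        "engines": engines,
        "reflected": POLYGLOT in probe_body,
    }


# Constructed responses standing in for real probe traffic.
SAMPLE_RESPONSES = {
    "jinja": (500, "<pre>jinja2.exceptions.TemplateSyntaxError: unexpected char '%'</pre>"),
    "twig": (500, "Fatal error: Uncaught Twig\\Error\\SyntaxError: Unexpected character"),
    "clean": (200, "<p>Hello, " + POLYGLOT + "</p>"),
}

if __name__ == "__main__":
    print(build_probe_url("https://target.example/greet?name=bob&lang=en", "name"))
    for label, (status, body) in SAMPLE_RESPONSES.items():
        print(label, assess(200, status, body))
```

Compare each probe against a baseline request with a harmless value for the same parameter; a 500 that also appears on the baseline is the application, not the payload.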

## Identifying Web Technologies by Tokens, Headers, and Cookies

Default session and CSRF cookie names are a quick, low-noise fingerprint of the back-end stack. Treat them as hints, not proof: every framework lets the operator rename them, so corroborate with response headers (`Server`, `X-Powered-By`), error pages, and path conventions.

| Language/Framework | Default Session Cookies | CSRF / Auth Token Patterns | Additional Indicators |
| --- | --- | --- | --- |
| **PHP** | `PHPSESSID` | Framework-specific (see Laravel, CodeIgniter, Symfony) | `X-Powered-By: PHP/x.y` when `expose_php` is on |
| **Laravel (PHP)** | `laravel_session`, `XSRF-TOKEN` | CSRF: `_token` form field, `X-CSRF-TOKEN` or `X-XSRF-TOKEN` header | Cookie values are encrypted and Base64-encoded; `XSRF-TOKEN` is an encrypted copy of the CSRF token, not a hash |
| **CodeIgniter (PHP)** | `ci_session` | CSRF: `csrf_test_name` form field, `csrf_cookie_name` cookie (defaults, often renamed) | Lightweight cookies, basic values |
| **Symfony (PHP)** | `PHPSESSID` (often renamed) | CSRF: `_token` / `_csrf_token` form fields | `/_profiler` and `/_wdt` paths if the debug toolbar is exposed |
| **Django (Python)** | `sessionid`, `csrftoken` | CSRF: `csrfmiddlewaretoken` form field, `X-CSRFToken` header | Django REST Framework: `Authorization: Bearer` (JWT) or `Authorization: Token`; REST prefixes such as `/api/v1/` |
| **Flask (Python)** | `session` | CSRF (Flask-WTF): `csrf_token` form field, `X-CSRFToken` header | `session` is signed, not encrypted: Base64 JSON `.` timestamp `.` HMAC, readable without the key; `Server: Werkzeug` on dev servers |
| **FastAPI (Python)** | None by default | JWT: `Authorization: Bearer` | OpenAPI docs at `/docs`, `/redoc`, `/openapi.json`; `Server: uvicorn` |
| **Ruby on Rails** | `_<appname>_session` | CSRF: `authenticity_token` form field, `X-CSRF-Token` header | `X-Runtime` and `X-Request-Id` headers; clean RESTful routes |
| **Java (Spring, Spring Boot, servlet containers)** | `JSESSIONID` | CSRF: `_csrf` form field, `X-CSRF-TOKEN` or `X-XSRF-TOKEN` header; JWT: `Authorization: Bearer` | `Server: Apache-Coyote` (Tomcat); Spring Boot "Whitelabel Error Page"; `/actuator` endpoints |
| **Node.js (Express)** | `connect.sid` (express-session) | CSRF (csurf): `_csrf`; JWT: `Authorization: Bearer` | `X-Powered-By: Express` unless disabled; signed cookie values prefixed `s:` (`s%3A`); routes like `/api`, `/auth` |
| **ASP.NET (Framework)** | `ASP.NET_SessionId`, `.ASPXAUTH` | CSRF: `__RequestVerificationToken` form field and cookie | `X-AspNet-Version`, `X-Powered-By: ASP.NET`; `__VIEWSTATE` in Web Forms |
| **ASP.NET Core** | `.AspNetCore.Session`, `.AspNetCore.Identity.Application`, `.AspNetCore.Antiforgery.*` | CSRF: `__RequestVerificationToken` form field or `RequestVerificationToken` header | `Server: Kestrel`; JWT/OAuth2 middleware on APIs |
| **Angular (frontend)** | Reads the `XSRF-TOKEN` cookie set by the server | CSRF: `X-XSRF-TOKEN` header sent automatically by `HttpClient`; JWT: `Authorization: Bearer` | `ng-version` attribute on the root element |
| **React (frontend)** | None; JWT kept in `localStorage` or cookies | JWT and OAuth2 bearer tokens | Token handling happens client-side; check the bundle for API base URLs |
| **Vue.js (frontend)** | None; `XSRF-TOKEN` when paired with Laravel/axios | CSRF: `X-XSRF-TOKEN` (axios copies it from the `XSRF-TOKEN` cookie by default) | `data-v-*` attributes on scoped-styled elements |
| **Next.js (React)** | Depends on the auth library, e.g. NextAuth `next-auth.session-token`, `next-auth.csrf-token` | CSRF or JWT, library-dependent | `X-Powered-By: Next.js`; `/_next/static/` asset paths; SSR combined with `/api/` routes |
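Added example (not code from the original page): a fingerprinting helper that matches response headers and `Set-Cookie` names against the signatures above, plus a decoder for Flask's signed session cookie, which illustrates the "Base64-encoded tokens" hint: the payload is readable without the secret key, even though it cannot be verified or forged without it. The signature tables, the sample response and the sample cookie are constructed for illustration.

```python
"""Added example (not from the original page): match response headers and
Set-Cookie names against the table above, and decode a Flask session cookie.
Signature tables and the sample responses are constructed for illustration."""
import base64
import json
import zlib
from typing import Dict, Iterable, List, Optional

# Exact default cookie names -> framework. Operators can rename all of these.
EXACT_COOKIES = {
    "PHPSESSID": "PHP",
    "laravel_session": "Laravel (PHP)",
    "ci_session": "CodeIgniter (PHP)",
    "sessionid": "Django (Python)",
    "csrftoken": "Django (Python)",
    "session": "Flask (Python)",
    "JSESSIONID": "Java servlet container (Spring, Tomcat, ...)",
    "connect.sid": "Express (Node.js) via express-session",
    "ASP.NET_SessionId": "ASP.NET",
    ".ASPXAUTH": "ASP.NET Forms Authentication",
    "XSRF-TOKEN": "Laravel or Angular/axios CSRF cookie",
}

# (header name, substring that must appear or '' for mere presence, verdict)
HEADER_SIGNATURES = [
    ("x-powered-by", "PHP/", "PHP (expose_php on)"),
    ("x-powered-by", "ASP.NET", "ASP.NET"),
    ("x-powered-by", "Express", "Express (Node.js)"),
    ("x-powered-by", "Next.js", "Next.js"),
    ("x-aspnet-version", "", "ASP.NET (version header present)"),
    ("x-runtime", "", "Rack application (Rails, Sinatra)"),
    ("server", "Apache-Coyote", "Tomcat (Java)"),
    ("server", "Kestrel", "ASP.NET Core"),
    ("server", "Werkzeug", "Flask/Werkzeug dev server"),
    ("server", "uvicorn", "ASGI app (FastAPI, Starlette)"),
]


def framework_for_cookie(name: str) -> Optional[str]:
    """Map one cookie name to a framework, exact names first, then patterns."""
    if name in EXACT_COOKIES:
        return EXACT_COOKIES[name]
    if name.startswith(".AspNetCore."):
        return "ASP.NET Core"
    if name.endswith("_session"):              # Rails default: _<appname>_session
        return "Ruby on Rails (cookie store)"
    return None


def fingerprint(headers: Dict[str, str], set_cookie: Iterable[str]) -> List[str]:
    """Return sorted, de-duplicated stack candidates for one HTTP response."""
    found = set()
    lower = {k.lower(): v for k, v in headers.items()}
    for header, needle, verdict in HEADER_SIGNATURES:
        if header in lower and needle in lower[header]:
            found.add(verdict)
    for line in set_cookie:
        name = line.split(";", 1)[0].split("=", 1)[0].strip()
        verdict = framework_for_cookie(name)
        if verdict:
            found.add(verdict)
    return sorted(found)


def decode_flask_session(cookie_value: str) -> dict:
    """Read a Flask session payload without the secret key.

    Format (itsdangerous URLSafeTimedSerializer): payload.timestamp.signature,
    with a leading '.' when the payload is zlib-compressed. The HMAC can only
    be verified (or forged) with SECRET_KEY, but the contents are plaintext.
    """
    compressed = cookie_value.startswith(".")
    payload = cookie_value.lstrip(".").split(".", 1)[0]
    payload += "=" * (-len(payload) % 4)            # restore stripped padding
    raw = base64.urlsafe_b64decode(payload)
    if compressed:
        raw = zlib.decompress(raw)
    return json.loads(raw)


def _make_sample_flask_cookie(data: dict) -> str:
    """Constructed cookie: real payload encoding, fake timestamp and signature."""
    body = base64.urlsafe_b64encode(json.dumps(data).encode()).rstrip(b"=").decode()
    return body + ".ZmFrZQ.not-a-real-signature"


SAMPLE_FLASK_COOKIE = _make_sample_flask_cookie({"user": "alice", "role": "user"})
# Constructed response from a hypothetical Flask dev server.
SAMPLE_RESPONSE = (
    {"Server": "Werkzeug/3.0.1 Python/3.11.4", "Content-Type": "text/html"},
    [f"session={SAMPLE_FLASK_COOKIE}; HttpOnly; Path=/"],
)

if __name__ == "__main__":
    print(fingerprint(*SAMPLE_RESPONSE))
    print(decode_flask_session(SAMPLE_FLASK_COOKIE))
```

Feed it the headers and `Set-Cookie` lines from a Burp response; two independent hits (a cookie name and a header) are worth far more than one, since either alone is trivially renamed.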

## External reconnaissance

{% hint style="info" %}
Knowing where the target's infrastructure lives is essential: we have to make sure we only interact with hosts that are inside the agreed scope.
{% endhint %}

* **IP Space**
  * Identify the ASN(s) registered to the target.
  * Find the netblocks used for the organization's public-facing infrastructure.
  * Check for cloud presence and hosting providers.
  * Review DNS records.
  * Tools:
    * <https://bgp.he.net/>
* **Domain Information**
  * Based on IP data, DNS, and site registrations.
  * Who administers the domain?
  * Which subdomains are tied to the target?
  * Publicly reachable domain services (mail servers, DNS, websites, VPN portals, etc.).
  * Can we determine which defenses are in place (SIEM, AV, IPS/IDS)?
  * Manual DNS record requests against the domain's authoritative servers or against well-known resolvers such as `8.8.8.8`.
  * Tools:
    * <https://viewdns.info/>
    * <https://whois.domaintools.com/>
* **Schema Format** (username and email conventions)
  * Can we discover email accounts, AD usernames, and password policies?
  * Use this information to build a valid username list for testing external-facing services (password spraying, credential stuffing, brute force, etc.).
  * The corporate website often has relevant information embedded; news articles, embedded documents, and the "About Us" and "Contact Us" pages can be gold mines.
  * Search LinkedIn, Twitter, Facebook, your region's major social media sites, news articles, and anything else relevant about the organization.
  * Tools:
    * <https://github.com/initstring/linkedin2username>
* **Data Disclosures**
  * Look for publicly accessible files (.pdf, .ppt, .docx, .xlsx) that give insight into the target.
  * Examples: intranet site listings, user metadata, or critical software/hardware in the environment (credentials pushed to a public GitHub repo, the internal AD username format in PDF metadata).
  * [GitHub](https://github.com/), [AWS S3 buckets & Azure Blob storage containers](https://grayhatwarfare.com/), [Google searches using "Dorks"](https://www.exploit-db.com/google-hacking-database)
  * Tools:
    * <https://github.com/trufflesecurity/truffleHog>
    * <https://buckets.grayhatwarfare.com/>
* **Breach Data**
  * Check for publicly released usernames, passwords, or other critical information.
  * Use this data to attempt a foothold (credential stuffing or password spraying against exposed services).
  * Tools:
    * <https://haveibeenpwned.com/>
    * <https://www.dehashed.com/>
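Added example (not code from the original page) for two of the steps above: a scope check that refuses any address outside the agreed netblocks, and a username-list builder that infers the naming convention from one leaked sample (a PDF author field, an email signature) and applies it to names gathered from LinkedIn or the "About Us" page, the job linkedin2username automates at scale. The netblocks, names and the `jsmith` sample are constructed.

```python
"""Added example (not from the original page) for the recon steps above:
a scope check against agreed netblocks, and a username-list builder that
applies the naming convention learned from one leaked sample (the job
linkedin2username does at scale). Netblocks and names are constructed."""
import ipaddress
import unicodedata
from typing import Iterable, List, Optional, Tuple

# Constructed in-scope ranges; on an engagement these come from the RoE.
IN_SCOPE = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "2001:db8:10::/48")]


def in_scope(ip: str, networks=IN_SCOPE) -> bool:
    """True if the IP literal falls inside one of the agreed netblocks.
    Resolve hostnames first; never assume a DNS answer points in scope."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


# Common corporate login conventions, keyed by the shorthand used in recon notes.
FORMATS = {
    "first.last": lambda f, l: f"{f}.{l}",
    "first_last": lambda f, l: f"{f}_{l}",
    "flast": lambda f, l: f"{f[0]}{l}",
    "f.last": lambda f, l: f"{f[0]}.{l}",
    "firstl": lambda f, l: f"{f}{l[0]}",
    "lastf": lambda f, l: f"{l}{f[0]}",
    "first": lambda f, l: f,
}


def normalize(full_name: str) -> Tuple[str, str]:
    """'José Álvarez' -> ('jose', 'alvarez'): ASCII-fold, lowercase, first/last token."""
    folded = unicodedata.normalize("NFKD", full_name)
    ascii_name = "".join(c for c in folded if not unicodedata.combining(c))
    parts = ascii_name.lower().replace("-", " ").split()
    return parts[0], parts[-1]


def infer_format(sample: str, full_name: str) -> List[str]:
    """Which conventions turn a known person's name into the leaked username?"""
    first, last = normalize(full_name)
    return [key for key, fn in FORMATS.items() if fn(first, last) == sample.lower()]


def build_userlist(names: Iterable[str], fmt: str, domain: Optional[str] = None) -> List[str]:
    """Apply one convention to every OSINT name; order kept, duplicates dropped."""
    fn = FORMATS[fmt]
    users = (fn(*normalize(n)) for n in names)
    suffix = f"@{domain}" if domain else ""
    return list(dict.fromkeys(u + suffix for u in users))


if __name__ == "__main__":
    # Constructed sample: PDF metadata showed "jsmith" and the author is John Smith.
    print(infer_format("jsmith", "John Smith"))
    print(build_userlist(["John Smith", "José Álvarez", "John Smith"], "flast", "example.com"))
    print(in_scope("203.0.113.42"), in_scope("198.51.100.7"))
```

If `infer_format` returns more than one convention, keep a second leaked sample handy to disambiguate before spraying; a wrong format burns lockout attempts on accounts that do not exist.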
