INTRO to Web App Testing Coming

sudo nmap -p80 --script=http-enum 192.168.1.22

Firefox will present a warning, but we can proceed by clicking "I accept the risk!". Finally, search for network.captive-portal-service.enabled and double-click it to change the value to false. This stops Firefox's captive-portal detection requests from appearing in the proxy history.

Gobuster Pattern matching

gobuster dir -u http://192.168.1.22:5002 -w /usr/share/wordlists/dirb/big.txt -p pattern.txt

When using pattern matching with gobuster, put the {GOBUSTER} placeholder in each line of the pattern file at the position where the wordlist entry should be inserted.

For instance:

{GOBUSTER}/v1
{GOBUSTER}/v2

An expected output could look like this:

/baby_books/v1        (Status: 200) [Size: 235]
/console              (Status: 200) [Size: 1985]
/ui                   (Status: 308) [Size: 265] [--> http://192.168.1.22:5001/ui/]
/users/v1             (Status: 200) [Size: 241]
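
To see which paths a pattern file adds to a scan, the expansion can be reproduced offline. This is an added example, not gobuster's own code: expand_patterns and demo are hypothetical helper names, the three-word list is constructed, and it assumes each word is requested as-is and then once per pattern line, which is what the mix of plain and /v1 paths in the output above suggests.

```shell
#!/bin/sh
# Added illustration (not gobuster's own code): models the candidate paths a
# pattern file produces. Assumption: each word is tried as-is and then once
# per pattern line, with every {GOBUSTER} replaced by the word.

# expand_patterns WORDLIST PATTERN_FILE -> one candidate path per line
expand_patterns() {
    awk '
        FILENAME == ARGV[1] {            # first file: the pattern lines
            if ($0 != "") pats[++n] = $0
            next
        }
        $0 == "" { next }                # skip blank wordlist lines
        {
            print "/" $0                 # the bare word
            for (i = 1; i <= n; i++) {
                rest = pats[i]; out = ""
                # Literal replacement via index(): a word containing "&" or
                # "\" would be mangled if it were passed to gsub().
                while ((k = index(rest, "{GOBUSTER}")) > 0) {
                    out = out substr(rest, 1, k - 1) $0
                    rest = substr(rest, k + 10)   # 10 = length of {GOBUSTER}
                }
                print "/" out rest
            }
        }
    ' "$2" "$1"
}

# demo: constructed three-word list plus the two pattern lines shown above
demo() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' users console baby_books > "$dir/words.txt"
    printf '%s\n' '{GOBUSTER}/v1' '{GOBUSTER}/v2' > "$dir/pattern.txt"
    expand_patterns "$dir/words.txt" "$dir/pattern.txt"
    rm -rf "$dir"
}

demo
```

Two pattern lines triple the number of candidates per word, which is worth keeping in mind when pairing a pattern file with a large list such as big.txt.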

Testing the API


curl -i http://192.168.1.22:5002/users/v1/admin/password

HTTP/1.0 405 METHOD NOT ALLOWED
Content-Type: application/problem+json
Content-Length: 142
Server: Werkzeug/1.0.1 Python/3.7.13
Date: Wed, 06 Apr 2022 10:58:51 GMT

{
  "detail": "The method is not allowed for the requested URL.",
  "status": 405,
  "title": "Method Not Allowed",
  "type": "about:blank"
}

The output above shows status 405, which means the resource exists but the HTTP method we used is not supported. curl sends a GET request by default. We could send this request with POST or PUT instead.