2016-04-10

Gray Box Testing


Revision as of 00:24, 10 April 2016

(4 intermediate revisions by the same user not shown)

Line 47:

Line 47:

<br>

<br>

+

+

Each web framework may have its own admin default pages or path. For example

+

+

WebSphere:

+

<pre>

+

/admin

+

/admin-authz.xml

+

/admin.conf

+

/admin.passwd

+

/admin/*

+

/admin/logon.jsp

+

/admin/secure/logon.jsp

+

</pre>

+

+

PHP:

+

<pre>

+

/phpinfo

+

/phpmyadmin/

+

/phpMyAdmin/

+

/mysqladmin/

+

/MySQLadmin

+

/MySQLAdmin

+

/login.php

+

/logon.php

+

/xmlrpc.php

+

/dbadmin

+

</pre>

+

+

+

FrontPage:

+

<pre>

+

/admin.dll

+

/admin.exe

+

/administrators.pwd

+

/author.dll

+

/author.exe

+

/author.log

+

/authors.pwd

+

/cgi-bin

+

</pre>

+

+

WebLogic:

+

<pre>

+

/AdminCaptureRootCA

+

/AdminClients

+

/AdminConnections

+

/AdminEvents

+

/AdminJDBC

+

/AdminLicense

+

/AdminMain

+

/AdminProps

+

/AdminRealm

+

/AdminThreads

+

</pre>

+

+

WordPress:

+

<pre>

+

wp-admin/

+

wp-admin/about.php

+

wp-admin/admin-ajax.php

+

wp-admin/admin-db.php

+

wp-admin/admin-footer.php

+

wp-admin/admin-functions.php

+

wp-admin/admin-header.php

+

</pre>

== Tools ==

== Tools ==
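Review bot: the sentence introducing the new lists ("Each web framework may have its own admin default pages or path. For example") needs "paths" and a closing colon, and the lists themselves are formatted inconsistently: every WebSphere, PHP, FrontPage and WebLogic entry starts with "/", while the WordPress entries ("wp-admin/", "wp-admin/about.php", ...) do not, and "/admin/*" is a glob pattern rather than a path, so either drop it or state that the entries are patterns. Because these are excerpts from a wordlist, the intro sentence should say that they are a small sample and point at the full list (the same revision adds the FuzzDB Logins.fuzz.txt link under References), otherwise a reader may take the seven WebSphere entries as the complete set. A one-line statement of what counts as a finding would also help here: the issue is an admin page that answers without authentication or with default credentials, not the mere existence of the path.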

Line 52:

Line 117:

* [https://www.thc.org/thc-hydra/ THC-HYDRA] is a tool that allows brute-forcing of many interfaces, including form-based HTTP authentication.

* [https://www.thc.org/thc-hydra/ THC-HYDRA] is a tool that allows brute-forcing of many interfaces, including form-based HTTP authentication.

*A brute forcer is much better when it uses a good dictionary, for example the [https://www.netsparker.com/blog/web-security/svn-digger-better-lists-for-forced-browsing/ netsparker] dictionary.

*A brute forcer is much better when it uses a good dictionary, for example the [https://www.netsparker.com/blog/web-security/svn-digger-better-lists-for-forced-browsing/ netsparker] dictionary.



== References ==

== References ==

* Default Password list: http://www.governmentsecurity.org/articles/DefaultLoginsandPasswordsforNetworkedDevices.php

* Default Password list: http://www.governmentsecurity.org/articles/DefaultLoginsandPasswordsforNetworkedDevices.php

* Default Password list: http://www.cirt.net/passwords

* Default Password list: http://www.cirt.net/passwords

+

* FuzzDB can be used to do brute force browsing.

+

* admin login path [https://github.com/fuzzdb-project/fuzzdb/blob/f801f5c5adc9aa5e54f20d273d213c5ab58826b9/discovery/predictable-filepaths/login-file-locations/Logins.fuzz.txt]

+

* Common admin or debugging parameters [https://github.com/fuzzdb-project/fuzzdb/blob/f801f5c5adc9aa5e54f20d273d213c5ab58826b9/attack/business-logic/CommonDebugParamNames.fuzz.txt]
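Review bot: the two new bullets under "FuzzDB can be used to do brute force browsing." are written as top-level "*" items, so they render as siblings of the FuzzDB entry instead of as its sub-items; use "**" for them. Both links are bare bracketed URLs with no link text, so MediaWiki renders them as numbered "[1]" and "[2]" links; label them with the file names (Logins.fuzz.txt and CommonDebugParamNames.fuzz.txt) to match the THC-HYDRA and netsparker links in the Tools section. Capitalise "admin login path" as "Admin login paths" for consistency with "Common admin or debugging parameters" and the "Default Password list" entries, and prefer "forced browsing" over "brute force browsing", which is the term the netsparker link above already uses. Pinning both links to a commit hash is good for stability; a short note that newer versions of the files live in the repository's default branch would save readers a search.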
