# Web Recon ## Fuzz for backdoors and params ``` wfuzz -u 'http://example.com/index.php?FUZZ=ls' -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt -H "Cookie: somecookie" ``` ## Find & Enum After [port scanning](https://book.turbosec.net/all-the-other-layers-recon/scanning) and finding web servers. ### Brute force directories #### Using ffuf ``` ffuf -u http://:/FUZZ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt -fc 404,400 -of ecsv -o ffufed ``` ## Login & Authentication brute force ### HTTP Basic Authorization Header Brute Force Basic authorization is..**basic**. A username and a password separated by a colon is then encoded in Base64. The screenshot below demonstrate the credentials admin:admin being sent through the Authorization header of an HTTP request. ![](https://864121778-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Mk3RnfEHBP3zuZMsnli%2F-MkV9dCxoroYOZmK8JfL%2F-MkXr148onxpziKddnkj%2Fimage.png?alt=media\&token=19dacfd0-fb6d-4ec4-8676-820b3956052b) ``` hydra -l admin -P passwordlist -s -f example.com http-get /api/v1/users -vV -t 64 ``` {% hint style="info" %} **ProTip:** You can/should always test first by using a set of valid credentials and check if it returns it valid. ``` hydra -l known_user -p known_password -s -f example.com http-get /api/v1/users -vV ``` {% endhint %} ### HTTP Post form Brute Force Most of the time, authentication is made via a form posted to the web server. You can try to brute force it but watch out for **CSRF**. Try sending the same request twice using **burp.** ``` hydra -l admin -P /usr/share/wordlists/rockyou.txt -s 31111 -f example.com http-post-f ```