5 Hacking Tools I Can't Live Without
Tools for Testing Web Applications
In this section, the speaker introduces the tools used for testing web applications and emphasizes the importance of manual testing alongside automation.
Firebug and Dev Tools
- Firebug, integrated into Dev Tools in 2016-2017, allows easy inspection of pages.
- Components like console, debugger, network tab, and storage aid in application interaction and behavior analysis.
Burp Suite and Sequencer Feature
- Burp Suite is highlighted for its significance in testing; its Sequencer feature analyzes tokens for potential vulnerabilities.
- The speaker demonstrates configuring token analysis in Burp Suite to identify patterns and assess randomness.
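A simplified, character-level version of the kind of token analysis described above, as an added example that is not from the video and is not Burp Suite's implementation. The function names and both token samples are constructed for illustration; in practice the sample would be session tokens collected from your own application.

```python
import hashlib
import math
from collections import Counter

def position_entropy(tokens):
    """Shannon entropy in bits of the character at each position across the sample."""
    total = len(tokens)
    width = min(len(t) for t in tokens)
    out = []
    for i in range(width):
        counts = Counter(t[i] for t in tokens)
        out.append(-sum(c / total * math.log2(c / total) for c in counts.values()))
    return out

def weak_positions(tokens, alphabet_size=16, min_ratio=0.8):
    """Positions carrying less than min_ratio of the entropy a uniform symbol would."""
    limit = min_ratio * math.log2(alphabet_size)
    return [i for i, h in enumerate(position_entropy(tokens)) if h < limit]

def effective_bits(tokens):
    """Upper bound on token entropy: sum of per-position entropies (assumes independence)."""
    return sum(position_entropy(tokens))

def _rand_hex(i, n):
    # Deterministic stand-in for a CSPRNG so the constructed sample is reproducible.
    return hashlib.sha256(str(i).encode()).hexdigest()[:n]

def constructed_weak_sample(n=2000):
    # Constructed: 8 hex chars of an incrementing timestamp-like counter + 8 random.
    return [f"{1700000000 + i:08x}" + _rand_hex(i, 8) for i in range(n)]

def constructed_strong_sample(n=2000):
    # Constructed: 16 hex chars, all pseudo-random.
    return [_rand_hex(i, 16) for i in range(n)]

if __name__ == "__main__":
    for name, sample in (("weak", constructed_weak_sample()),
                         ("strong", constructed_strong_sample())):
        print(name, "weak positions:", weak_positions(sample),
              "effective bits: %.1f" % effective_bits(sample))
```

Positions 6 and 7 of the weak sample are not flagged, because the low digits of a counter are evenly distributed even though they are fully predictable. A frequency count alone therefore misses sequential values, which is why a full analysis also tests transitions between successive tokens.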
Extensions for Testing Web Applications
The speaker discusses various extensions that enhance the testing process of web applications.
Useful Extensions
- JWT Editor aids in handling JSON Web Tokens efficiently.
- Pentest Mapper provides a checklist for organized testing procedures.
- The Autorize plugin is recommended for access control testing.
Testing Across Different User Accounts
Exploring tools to facilitate testing across multiple user accounts without constant re-login requirements.
Container Plugin
- Container plugin enables separate sessions for different users, simplifying access control and session issue tests.
Fuzzing with FFUF Tool
Introduction to FFUF tool for endpoint discovery and parameter fuzzing in web applications.
Fuzz Faster You Fool (FFUF)
Results and Endpoint Discovery
In this section, the speaker discusses analyzing results, status codes, sizes, and other information from admin endpoints. Additionally, they touch on subdomain discovery using tools like ffuf and param spider.
Analyzing Endpoints
- Admin endpoints return a 302 status code, likely redirecting to login.
- Assets such as profile, robots, and register also show 302 redirects.
- Subdomain discovery can be done using ffuf with specific word lists.
Subdomain Discovery with ffuf
The speaker demonstrates how to utilize ffuf for subdomain discovery by specifying word lists and utilizing the host header.
Utilizing ffuf for Subdomains
- Use ffuf with specified word lists, such as those under /usr/share/seclists.
- Employ the DNS discovery lists to find subdomains from the top 1 million list.
- Add the Host header using the -H flag in the ffuf command.
Filtering Results for Efficiency
This part focuses on filtering out unnecessary results by size to enhance efficiency in result analysis during subdomain discovery.
Filtering Results
- Filter out results with a size of 1495 using the -fs flag in the ffuf command.
- Avoid excessive false positives by refining result filters effectively.
Utilizing Param Spider Tool
The speaker introduces the Param Spider tool for endpoint analysis and demonstrates its setup process from GitHub repository cloning to execution.
Setting Up Param Spider
- Clone Param Spider repository from GitHub.
- Install requirements using pip3 install -r requirements.txt.
- Execute Param Spider tool with domain input like ecmsec.com for endpoint analysis.
Endpoint Analysis with Param Spider
The speaker showcases how Param Spider provides insights into endpoints and parameters for further analysis or functionality checks within a target domain.
Endpoint Analysis Process
- Run the Param Spider tool with the -d flag followed by the domain name (e.g., ecmsec.com).