מיפוי משטח תקיפה¶
מבוא¶
מיפוי משטח תקיפה (Attack Surface Mapping) הוא תהליך שיטתי של זיהוי כל נקודות הכניסה שתוקף יכול לנצל. בעוד שבקורס הבסיסי למדנו להשתמש בכלי סריקה פשוטים, בשיעור זה נלמד טכניקות מתקדמות - גילוי פרמטרים נסתרים, סריקות תוכן רקורסיביות, זיהוי טכנולוגיות, ובניית רשימות מילים מותאמות.
גילוי פרמטרים נסתרים¶
מה הם פרמטרים נסתרים¶
פרמטרים נסתרים הם פרמטרים שהשרת מגיב אליהם אך אינם מתועדים ואינם חלק מהinterface הרגיל. הם יכולים לשנות התנהגות, לחשוף מידע, או לbypass מנגנוני אבטחה.
Arjun - גילוי פרמטרים¶
# Installation
pip3 install arjun
# Discover GET parameters
arjun -u "https://target.com/api/search" -m GET
# Discover POST parameters
arjun -u "https://target.com/api/login" -m POST
# Discover JSON parameters
arjun -u "https://target.com/api/data" -m JSON
# Use a custom wordlist
arjun -u "https://target.com/endpoint" -w custom_params.txt
# Scan multiple URLs
arjun -i urls.txt -m GET -o arjun_results.json
# Example output:
# [+] Parameter found: debug (Type: GET)
# [+] Parameter found: admin (Type: GET)
# [+] Parameter found: verbose (Type: GET)
# [+] Parameter found: format (Type: GET)
Param Miner ב-Burp Suite¶
# Using Param Miner (see the advanced Burp lesson):
# Right-click a request > Extensions > Param Miner > Guess params
# Common parameters discovered:
# debug=1 - enables debug mode
# admin=true - grants admin permissions
# test=1 - test mode
# verbose=1 - verbose output
# format=json - changes response format
# callback=func - JSONP parameter
# _method=PUT - HTTP method bypass
# x-debug=1 - debug header
HTTP headers נסתרות¶
HTTP headers מסוימות יכולות לשנות את התנהגות השרת. רוב הheaders האלו משמשות Reverse Proxies ו-Load Balancers.
# Headers to bypass access restrictions:
X-Forwarded-For: 127.0.0.1
X-Real-IP: 127.0.0.1
X-Originating-IP: 127.0.0.1
X-Client-IP: 127.0.0.1
True-Client-IP: 127.0.0.1
# Headers to change the path:
X-Original-URL: /admin
X-Rewrite-URL: /admin
X-Custom-IP-Authorization: 127.0.0.1
# Headers to bypass cache:
X-Forwarded-Host: attacker.com
X-Host: attacker.com
# Test with curl:
curl -s "https://target.com/admin" -H "X-Forwarded-For: 127.0.0.1" -v
curl -s "https://target.com/" -H "X-Original-URL: /admin" -v
curl -s "https://target.com/" -H "X-Rewrite-URL: /admin" -v
# header_fuzz.py - script to test hidden headers
import requests
target = "https://target.com/admin"
headers_to_test = {
"X-Forwarded-For": "127.0.0.1",
"X-Real-IP": "127.0.0.1",
"X-Originating-IP": "127.0.0.1",
"X-Client-IP": "127.0.0.1",
"True-Client-IP": "127.0.0.1",
"X-Custom-IP-Authorization": "127.0.0.1",
"X-Original-URL": "/admin",
"X-Rewrite-URL": "/admin",
"X-Forwarded-Host": "localhost",
"X-Host": "localhost",
"X-Forwarded-Proto": "https",
"X-ProxyUser-Ip": "127.0.0.1",
"Client-IP": "127.0.0.1",
"Forwarded": "for=127.0.0.1",
}
# Request without special headers (baseline)
baseline = requests.get(target, verify=False)
print(f"[Baseline] Status: {baseline.status_code}, Length: {len(baseline.text)}")
for header, value in headers_to_test.items():
resp = requests.get(target, headers={header: value}, verify=False)
if resp.status_code != baseline.status_code or len(resp.text) != len(baseline.text):
print(f"[INTERESTING] {header}: {value}")
print(f" Status: {resp.status_code}, Length: {len(resp.text)}")
סריקת תוכן מתקדמת¶
ffuf - סריקה מהירה ומתקדמת¶
# Basic directory scan
ffuf -u "https://target.com/FUZZ" -w /usr/share/wordlists/dirb/common.txt -mc all -fc 404
# Recursive scan
ffuf -u "https://target.com/FUZZ" -w wordlist.txt -recursion -recursion-depth 3
# Scan with extensions
ffuf -u "https://target.com/FUZZ" -w wordlist.txt -e .php,.asp,.aspx,.jsp,.html,.js,.json,.xml,.bak,.old,.txt
# Scan with response-size filtering (ignoring custom 404 pages)
ffuf -u "https://target.com/FUZZ" -w wordlist.txt -mc all -fs 1234
# Scan with word-count filtering
ffuf -u "https://target.com/FUZZ" -w wordlist.txt -mc all -fw 42
# Scan with custom headers
ffuf -u "https://target.com/FUZZ" -w wordlist.txt \
-H "Cookie: session=abc123" \
-H "Authorization: Bearer token123"
# Parameter scan
ffuf -u "https://target.com/api/search?FUZZ=test" -w params.txt -mc all -fs 0
# Parameter value scan
ffuf -u "https://target.com/api/user?id=FUZZ" -w /usr/share/wordlists/ids.txt -mc 200
# Subdomain scan
ffuf -u "https://FUZZ.target.com" -w subdomains.txt -mc 200,301,302,403
# vhost scan (Virtual Hosts)
ffuf -u "https://target.com" -w vhosts.txt -H "Host: FUZZ.target.com" -mc all -fs 1234
feroxbuster - סריקה רקורסיבית מתקדמת¶
# Installation
sudo apt install feroxbuster
# Recursive scan with extensions
feroxbuster -u https://target.com -w wordlist.txt -x php,asp,html,js \
--depth 4 --threads 50
# Scan with a filter
feroxbuster -u https://target.com -w wordlist.txt \
--filter-status 404 --filter-size 1234
# Scan with authentication
feroxbuster -u https://target.com -w wordlist.txt \
-H "Cookie: session=abc123" \
-H "Authorization: Bearer token"
# Save results
feroxbuster -u https://target.com -w wordlist.txt -o results.txt
gobuster - סריקה מהירה¶
# Directory scan
gobuster dir -u https://target.com -w wordlist.txt -t 50 -x php,html,js
# vhost scan
gobuster vhost -u https://target.com -w vhosts.txt -t 50
# DNS scan
gobuster dns -d target.com -w subdomains.txt -t 50
# Scan with follow redirects
gobuster dir -u https://target.com -w wordlist.txt -r
זיהוי טכנולוגיות - Technology Fingerprinting¶
כלי זיהוי¶
# Wappalyzer (browser extension) - automatically detects technologies on pages you browse
# WhatWeb - command-line tool
whatweb https://target.com
# Example output:
# https://target.com [200 OK] Apache[2.4.41], Bootstrap, HTML5,
# JQuery[3.6.0], PHP[7.4.3], WordPress[6.0]
# httpx with technology detection
echo "https://target.com" | httpx -tech-detect -status-code -title
# builtwith.com - online service for technology detection
# https://builtwith.com/target.com
זיהוי ידני מheaders¶
# HTTP headers that reveal technology
curl -sI https://target.com | grep -iE "server|x-powered|x-aspnet|x-generator|x-drupal|x-framework"
# Common headers:
# Server: Apache/2.4.41 (Ubuntu)
# Server: nginx/1.18.0
# X-Powered-By: PHP/7.4.3
# X-Powered-By: Express
# X-Powered-By: ASP.NET
# X-Generator: WordPress 6.0
# X-Drupal-Cache: HIT
# X-Framework: Laravel
זיהוי מתוכן הדף¶
# Search for identifiers in the HTML code
curl -s https://target.com | grep -oP '(wp-content|wp-includes|drupal|joomla|angular|react|vue|next|nuxt)'
# Search for meta tags
curl -s https://target.com | grep -i "generator"
# <meta name="generator" content="WordPress 6.0">
# Check specific files
curl -sI https://target.com/wp-login.php # WordPress
curl -sI https://target.com/administrator/ # Joomla
curl -sI https://target.com/user/login # Drupal
curl -sI https://target.com/elmah.axd # ASP.NET
curl -sI https://target.com/package.json # Node.js
גוגל דורקינג - Google Dorking¶
דורקים מתקדמים¶
# Expose configuration files
site:target.com ext:conf OR ext:cfg OR ext:ini OR ext:env OR ext:yml
# Expose backups
site:target.com ext:bak OR ext:old OR ext:backup OR ext:swp OR ext:save
# Expose logs
site:target.com ext:log OR inurl:log OR inurl:logs
# Expose databases
site:target.com ext:sql OR ext:db OR ext:sqlite OR ext:mdb
# Expose internal documents
site:target.com ext:doc OR ext:docx OR ext:xls OR ext:xlsx OR ext:pdf intext:confidential
# Find login pages
site:target.com inurl:login OR inurl:signin OR inurl:admin OR inurl:dashboard
# Find errors
site:target.com intitle:"Error" OR intitle:"Exception" OR intext:"stack trace"
# Expose open directories
site:target.com intitle:"index of" OR intitle:"directory listing"
# Find API documentation
site:target.com inurl:swagger OR inurl:api-docs OR inurl:graphql
# Expose source code
site:target.com ext:php OR ext:asp OR ext:jsp intext:"<?php" OR intext:"<%"
# Find phpinfo pages
site:target.com inurl:phpinfo OR ext:php intitle:"phpinfo()"
אוטומציה של דורקים¶
# google_dork.py - automatic dork generation
import sys
domain = sys.argv[1]
dorks = [
f'site:{domain} ext:conf OR ext:cfg OR ext:ini OR ext:env',
f'site:{domain} ext:bak OR ext:old OR ext:backup',
f'site:{domain} ext:log inurl:log',
f'site:{domain} ext:sql OR ext:db',
f'site:{domain} inurl:admin OR inurl:dashboard',
f'site:{domain} intitle:"index of"',
f'site:{domain} inurl:swagger OR inurl:api-docs',
f'site:{domain} intitle:"phpinfo()"',
f'site:{domain} intext:"sql syntax" OR intext:"mysql_fetch"',
f'site:{domain} ext:xml OR ext:json inurl:config',
f'site:{domain} inurl:wp-content OR inurl:wp-includes',
f'site:{domain} inurl:".git" OR inurl:".svn" OR inurl:".env"',
f'site:{domain} filetype:pdf OR filetype:doc "confidential"',
f'site:{domain} inurl:redirect OR inurl:return OR inurl:next',
]
print(f"Google Dorks for {domain}:")
print("=" * 50)
for dork in dorks:
print(dork)
בניית רשימות מילים מותאמות¶
CeWL - יצירת רשימת מילים מאתר¶
# CeWL crawls a site and generates a wordlist from its content
cewl https://target.com -d 3 -m 5 -w custom_wordlist.txt
# Explanation:
# -d 3 : crawl depth (3 levels)
# -m 5 : minimum word length (5 characters)
# -w : output file
# Including email addresses
cewl https://target.com -d 3 -m 5 -e --email_file emails.txt -w wordlist.txt
יצירת רשימת מילים מותאמת¶
# custom_wordlist.py - generate a wordlist based on target information
import itertools
company_name = "TargetCorp"
products = ["widget", "gadget", "service"]
years = ["2023", "2024", "2025"]
common_suffixes = [
"admin", "api", "app", "auth", "backup", "beta", "blog",
"cms", "config", "console", "dashboard", "db", "debug",
"demo", "dev", "docs", "download", "files", "git",
"internal", "jenkins", "jira", "lab", "legacy", "login",
"mail", "manage", "monitor", "new", "old", "panel",
"portal", "prod", "qa", "secret", "staging", "status",
"store", "test", "tmp", "upload", "v1", "v2", "vpn", "wiki"
]
words = set()
# Base names
words.update(common_suffixes)
# Combinations with the company name
for suffix in common_suffixes:
words.add(f"{company_name.lower()}-{suffix}")
words.add(f"{suffix}-{company_name.lower()}")
# Combinations with products
for product in products:
words.add(product)
for suffix in ["api", "admin", "app", "dev", "test", "staging"]:
words.add(f"{product}-{suffix}")
# Combinations with years
for year in years:
for suffix in ["backup", "archive", "old", "data"]:
words.add(f"{suffix}-{year}")
words.add(f"{suffix}{year}")
# Write to file
with open("target_wordlist.txt", "w") as f:
for word in sorted(words):
f.write(word + "\n")
print(f"[+] Generated {len(words)} words")
שילוב רשימות מילים¶
# Combine built-in wordlists with custom ones
cat /usr/share/wordlists/dirb/common.txt \
/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt \
custom_wordlist.txt \
target_wordlist.txt | sort -u > combined_wordlist.txt
echo "Total words: $(wc -l < combined_wordlist.txt)"
השוואת גרסאות קבצי JavaScript¶
מציאת שינויים בין גרסאות¶
# Download the old version from Wayback Machine
curl -s "https://web.archive.org/web/2024/https://target.com/static/js/app.js" > old.js
# Download the current version
curl -s "https://target.com/static/js/app.js" > new.js
# Format
js-beautify old.js > old_pretty.js
js-beautify new.js > new_pretty.js
# Compare
diff old_pretty.js new_pretty.js | head -100
# Search for new paths that were added
diff old_pretty.js new_pretty.js | grep "^>" | grep -oP '"/[a-zA-Z0-9/_-]+"'
# js_diff.py - compare API paths between JS versions
import re
import sys
def extract_paths(content):
patterns = [
r'["\'](/api/[a-zA-Z0-9/_\-{}:.?&=]+)["\']',
r'["\'](/v[0-9]+/[a-zA-Z0-9/_\-{}:.]+)["\']',
r'fetch\(["\']([^"\']+)["\']',
r'path:\s*["\']([^"\']+)["\']',
]
paths = set()
for pattern in patterns:
paths.update(re.findall(pattern, content))
return paths
with open(sys.argv[1]) as f:
old_paths = extract_paths(f.read())
with open(sys.argv[2]) as f:
new_paths = extract_paths(f.read())
added = new_paths - old_paths
removed = old_paths - new_paths
print(f"\n[+] New paths ({len(added)}):")
for p in sorted(added):
print(f" + {p}")
print(f"\n[-] Removed paths ({len(removed)}):")
for p in sorted(removed):
print(f" - {p}")
מיפוי גרסאות API ונקודות קצה ישנות¶
זיהוי גרסאות API¶
# Check common versions
for version in v1 v2 v3 v4 v5; do
status=$(curl -s -o /dev/null -w "%{http_code}" "https://target.com/api/$version/users")
echo "[$status] /api/$version/users"
done
# Example output:
# [200] /api/v1/users <- old version, may be vulnerable
# [200] /api/v2/users <- current version
# [404] /api/v3/users <- doesn't exist
הexploit גרסאות ישנות¶
# Old API versions often:
# 1. Lack permission checks added in newer versions
# 2. Accept parameters that were blocked in newer versions
# 3. Return more detailed information
# 4. Lack rate limiting
# Example - version v1 exposes sensitive information
curl -s "https://target.com/api/v1/users/1" | jq
# {"id":1,"name":"admin","email":"admin@target.com","password_hash":"$2b$10$...","role":"admin"}
# Version v2 filters out sensitive information
curl -s "https://target.com/api/v2/users/1" | jq
# {"id":1,"name":"admin","email":"admin@target.com"}
מיפוי שלם - מתודולוגיה¶
סדר הפעולות המומלץ¶
1. Subdomain mapping (previous lesson)
2. Technology identification (WhatWeb, Wappalyzer)
3. Content scanning (ffuf, feroxbuster)
4. Parameter discovery (Arjun, Param Miner)
5. JavaScript analysis (previous lesson)
6. Google dorking
7. API version checking
8. Hidden HTTP header checking
9. Building a custom wordlist and scanning again
10. Documenting all findings
תיעוד ממצאים¶
# Recommended documentation structure:
# target: target.com
# date: 2024-01-15
#
# Subdomains:
# - admin.target.com [200] - Admin panel (WordPress)
# - api.target.com [200] - REST API (Node.js/Express)
# - staging.target.com [403] - Staging environment
# - old.target.com [200] - Legacy application (PHP/Apache)
#
# Technologies:
# - Main site: React, Next.js, CloudFlare
# - API: Node.js, Express, MongoDB
# - Admin: WordPress 6.0, PHP 7.4, MySQL
#
# Hidden Parameters:
# - /api/search?debug=1 - Exposes query details
# - /api/users?admin=true - Bypasses role check (!)
#
# Interesting Endpoints:
# - /api/v1/users (legacy, returns password hashes)
# - /admin/phpinfo.php (PHP info page)
# - /.git/HEAD (Git repository exposed)
# - /api/internal/config (Internal configuration)
סיכום¶
בשיעור זה למדנו:
- גילוי פרמטרים נסתרים - שימוש ב-Arjun, Param Miner, ובדיקת HTTP headers מיוחדות
- סריקת תוכן מתקדמת - ffuf, feroxbuster, gobuster עם הגדרות מתקדמות
- זיהוי טכנולוגיות - WhatWeb, Wappalyzer, זיהוי מheaders ותוכן
- גוגל דורקינג - דורקים מתקדמים לחשיפת מידע רגיש
- רשימות מילים מותאמות - בניית רשימות ייעודיות ליעד ספציפי
- מיפוי גרסאות API - זיהוי וexploit גרסאות ישנות
שילוב כל הטכניקות האלו יוצר תמונה מלאה של משטח התקיפה ומגלה נקודות כניסה שכלים אוטומטיים מפספסים.