Interesting Headers

Host header issues / WAF bypass

curl -i -s -k -X $'GET' -H $'Host: example.com' $'http://<target>/'
Host header: www.xxx:[email protected]
Host header: evildomain.com
X-Forwarded-Host: evildomain.com > in request, if present in response then issue
X-Forwarded-Host: burpcollaborator
X-Forwarded-Host: http://burpcollaborator

X-Forwarded-For: 127.0.0.1
X-Forwarded-For: burpcollaborator
X-Forwarded-For: http://burpcollaborator

X-Custom-IP-Authorization: 127.0.0.1

X-Forwarded-Host
X-Forwarded-Port
X-Forwarded-Scheme
Origin: null
Origin: [siteDomain].attacker.com
X-Frame-Options: Allow
X-Forwarded-For: 127.0.0.1
X-Client-IP: 127.0.0.1
Client-IP: 127.0.0.1

Basic NTLM auth header

Authorization: NTLM TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA=

OR use nmap

nmap --script http-ntlm-info <target>

Basic authentication test field

Basic auth generator

Username Password Basic auth header
admin admin Authorization: Basic YWRtaW46YWRtaW4=
Aladdin OpenSesame Authorization: Basic QWxhZGRpbjpPcGVuU2VzYW1l
test test Authorization: Basic dGVzdDp0ZXN0
admin welcome Authorization: Basic YWRtaW46d2VsY29tZQ==
guest welcome Authorization: Basic Z3Vlc3Q6d2VsY29tZQ==
gast welkom Authorization: Basic Z2FzdDp3ZWxrb20=
YWRtaW46YWRtaW4=
QWxhZGRpbjpPcGVuU2VzYW1l
dGVzdDp0ZXN0
YWRtaW46d2VsY29tZQ==
Z3Vlc3Q6d2VsY29tZQ==
Z2FzdDp3ZWxrb20=

Potential internal IP disclosure due to http1.0

curl --http1.0 -i -s -k -X $'GET' -H $'Host: ' $'http://<ip>/'
curl --http1.0 -i -s -k -X $'GET' -H $'Host: ' $'http://<dns>/'

Interesting files

Simple things

robots.txt
web.config
.git
trace.axd (IIS .NET ASPNET)
.well-known/openid-configuration

Umbraco

/Umbraco
/Umbraco/Views/install/database.html
/Umbraco/Views/install/user.html
/Umbraco/Views/common/dialogs/login.html
/Umbraco/Webservices/publication.asmx
/Umbraco/Webservices/CheckForUpgrade.asmx
/Umbraco/Webservices/CMSNode.asmx
/Umbraco/Webservices/legacyAjaxCalls.asmx
/Umbraco/Webservices/progressStatus.asmx

Sharepoint

_vti_bin/Webs.asmx
_vti_bin/SPDisco.aspx
_vti_inf.html (http://www.ktskumar.com/2015/09/remote-identification-of-sharepoint-version/)
_vti_pvt/service.cnf (http://www.ktskumar.com/2015/09/remote-identification-of-sharepoint-version/)

ADFS

/adfs/ls
/adfs/ls/IdpInitiatedSignOn.aspx?

Microsoft Remote Gateway (RDG / RDGateway)

https://<domain>/RDWeb/Pages/en-US/login.aspx?ReturnUrl=/RDWeb/Pages/en-US/Default.aspx
https://<domain>/RDWeb/Pages/en-US/password.aspx

Topdesk Admin page

Try header if blocked.

<domain>/tas/admin/index.jsp
X-Forwarded-For: 127.0.0.1

Oracle APEX

python3 sqlmap.py -u "https://<url>/apex/wwv_flow.show?p_flow_id=121&p_flow_step_id=1&p_instance=0&p_arg_name=P1_ITEM&p_arg_value=ABC" --batch --dbms Oracle -p p_arg_value --flush-session

Oracle Application Express management interface

<url>/apex/gexswe

JBOSS

:8080/invoker/EJBInvokerServlet
:8080/invoker/JMXInvokerServlet
:8080/jmx-console
:8080/web-console
:8080/admin-console [with credentials admin:admin]
:8080/jbpm-console

Apache TomCat

:8080/manager/html [with credentials admin:blank]