0) What is HTTP?
HTTP (Hypertext Transfer Protocol) is the foundational protocol for the web, typically served over TCP port 80 in cleartext (its TLS-wrapped counterpart, HTTPS, normally uses port 443). It carries requests and responses between clients and web servers and exposes application logic, content, and APIs. Because port 80 traffic is unencrypted, credentials and session cookies sent over it can be read or modified by anyone on the network path. Web applications on HTTP are frequent targets because of complex server-side logic, user-controlled input, and third-party components.
1) Recon Phase
- Simple discovery: nmap -p 80 -sV --script=http-enum
- Banner and server detection: curl -I http://
- Brute-force directories and files to map the structure: gobuster dir -u http:// -w /usr/share/wordlists/dirb/common.txt (gobuster guesses paths from a wordlist; it does not follow links, so pair it with a proxy spider for a full crawl)
- Passive recon: check crt.sh, the Wayback Machine, and Google dorks for known endpoints
Start by identifying server software (Apache, Nginx, IIS), visible directories, and basic endpoints. Record robots.txt, sitemap.xml, and any API routes.
2) Enumeration Phase
- Directory brute-force: gobuster dir -u http:// -w wordlist.txt
- Virtual host discovery: ffuf or gobuster in vhost mode (gobuster vhost -u http:// -w vhosts.txt)
- Parameter discovery and fuzzing: wfuzz / ffuf to find query parameters and hidden endpoints
- Fingerprinting web frameworks: whatweb http:// or Wappalyzer
- Check for common files: robots.txt, .git/, backup files (.bak, .zip), exposed .env files
- Automated scanning: nikto -h http:// and OWASP ZAP / Burp scan (authorized targets only)
Enumerate input fields, cookies, auth endpoints, file upload features, and API endpoints. Harvest version numbers and third-party components for CVE checks.
3) Exploitation Phase
- Test for common web flaws: XSS, SQLi, CSRF, LFI/RFI, command injection, authentication bypass
- SQL injection automated check: sqlmap -u "http:///page.php?id=1" --batch --dbs
- XSS testing: inject a unique marker payload into each parameter and check whether it comes back unencoded in the response (reflected) or reappears on a later page (stored)
- File upload abuse: test extension and content-type restrictions and how the server parses the uploaded file
- Authentication attacks: brute force / login enumeration with hydra or Burp Intruder (authorized targets only)
- Exploit misconfigurations: exposed admin panels, default credentials, exposed backups, .git leaks
- Post-exploitation: deploy a webshell (only within the authorized scope) and pivot to internal services
Exploitation must be careful and authorized. Focus on retrieving sensitive data (credentials, tokens), and use discovered vulnerabilities to move laterally when permitted.
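The two quickest exploitation-phase checks above (does a marker come back unencoded, does an injected quote produce a database error) are easy to triage by hand but tedious at scale. The following is an added example, not tooling from the original cheatsheet: it works on response bodies you have already captured with curl or a proxy, so it runs offline. The sample bodies are constructed, the canary value is fixed for reproducibility (use make_canary() for a fresh one per request), and http://target.example is a placeholder host.

```python
"""Triage helpers for the exploitation phase: reflected-XSS and error-based SQLi checks.

Added example, not from the original cheatsheet. Operates on captured response bodies;
everything marked SAMPLE_ below is constructed, and target.example is a placeholder.
"""
import html
import re
import secrets
import urllib.parse

# Error strings that leak when unsanitised input reaches a SQL engine.
SQL_ERROR_SIGNATURES = {
    "MySQL": re.compile(r"You have an error in your SQL syntax|Warning: mysqli?_|MySQL server version"),
    "PostgreSQL": re.compile(r"PostgreSQL.*ERROR|pg_query\(\)|unterminated quoted string"),
    "MSSQL": re.compile(r"Unclosed quotation mark|OLE DB Provider for SQL Server|SqlException"),
    "Oracle": re.compile(r"ORA-\d{5}"),
    "SQLite": re.compile(r"SQLITE_ERROR|sqlite3\.OperationalError|near \".*\": syntax error"),
}


def make_canary(prefix: str = "xq") -> str:
    """Unique alphanumeric marker, unlikely to appear in a page by chance."""
    return prefix + secrets.token_hex(4)


def xss_probe(canary: str) -> str:
    """Wrap the canary in characters that a safe page must HTML-encode."""
    return f'"><{canary}>'


def build_url(base: str, param: str, value: str) -> str:
    """Put the probe in the query string, percent-encoded as you would pass it to curl."""
    return f"{base}?{urllib.parse.urlencode({param: value})}"


def classify_reflection(canary: str, probe: str, body: str) -> str:
    """'unencoded' = probe returned verbatim (XSS candidate),
    'encoded' = canary present but meta-characters escaped or stripped,
    'absent' = input not reflected at all."""
    if probe in body:
        return "unencoded"
    if canary in body:
        return "encoded"
    return "absent"


def sqli_error_engine(body: str):
    """Return the database engine whose error signature appears in the body, else None."""
    for engine, pattern in SQL_ERROR_SIGNATURES.items():
        if pattern.search(body):
            return engine
    return None


# Constructed sample responses standing in for what curl or Burp would return.
CANARY = "xq7f3a9c1d"            # fixed here so the example is deterministic
PROBE = xss_probe(CANARY)
SAMPLE_VULNERABLE = f'<input name="q" value="{PROBE}">'             # reflected raw
SAMPLE_ESCAPED = f'<input name="q" value="{html.escape(PROBE)}">'   # properly encoded
SAMPLE_SQLI = ("Warning: mysqli_fetch_array() expects parameter 1 to be mysqli_result. "
               "You have an error in your SQL syntax near ''' at line 1")

if __name__ == "__main__":
    print(build_url("http://target.example/page.php", "q", PROBE))
    print(classify_reflection(CANARY, PROBE, SAMPLE_VULNERABLE))   # unencoded
    print(classify_reflection(CANARY, PROBE, SAMPLE_ESCAPED))      # encoded
    print(sqli_error_engine(SAMPLE_SQLI))                          # MySQL
```

An "unencoded" verdict means the application put your meta-characters back into HTML untouched; it still needs a manual look at the surrounding context (attribute, script block, text node) before calling it exploitable, and an "encoded" verdict on one parameter does not clear the others.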
HTTP Info — What to Look For
- Exposed admin interfaces and dashboards
- Unprotected API endpoints returning sensitive data
- Input fields vulnerable to XSS, SQLi, or command injection
- Insecure file uploads and backup exposures (.git, .env)
- Misconfigured CORS (an arbitrary Origin reflected in Access-Control-Allow-Origin together with Access-Control-Allow-Credentials: true), which lets a malicious site read authenticated responses
- Debug pages, stack traces, or verbose error messages
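Most of this checklist can be read straight off a single captured response. The script below is an added example, not part of the original cheatsheet: it parses the raw output of curl -i (status line, headers, body), pulls out the server fingerprint, lists missing hardening headers, judges the CORS headers against the Origin you sent, and flags verbose error output. The response it analyses is constructed, and https://evil.example is a placeholder attacker origin.

```python
"""Triage a captured HTTP response against the 'What to Look For' checklist.

Added example (not part of the original cheatsheet). Paste in the raw output of
`curl -i -H "Origin: https://evil.example" http://...`; the response used below
is constructed, and https://evil.example is a placeholder attacker origin.
"""
import re
from typing import Optional

# Hardening headers whose absence is worth noting in the report.
SECURITY_HEADERS = (
    "content-security-policy",
    "strict-transport-security",
    "x-content-type-options",
    "x-frame-options",
)

# Strings that betray debug pages, stack traces or verbose framework errors.
VERBOSE_ERROR_PATTERNS = re.compile(
    r"Traceback \(most recent call last\)"                  # Python
    r"|\bat [\w$.]+\(\w+\.java:\d+\)"                        # Java stack frame
    r"|(?:Warning|Fatal error)(?:</b>)?: .*? on line \d+"    # PHP
    r"|Whitelabel Error Page|DEBUG = True",
    re.IGNORECASE,
)


def parse_response(raw: str):
    """Split a raw HTTP/1.x response into (status_code, lower-cased headers, body)."""
    head, sep, body = raw.partition("\r\n\r\n")
    if not sep:                                    # tolerate LF-only captures
        head, sep, body = raw.partition("\n\n")
    lines = head.splitlines()
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()   # duplicate headers: last wins
    return status, headers, body


def analyze_response(raw: str, origin_sent: Optional[str] = None) -> dict:
    """Return fingerprint, missing security headers, CORS verdict and verbose-error flag."""
    status, headers, body = parse_response(raw)
    findings = {
        "status": status,
        "fingerprint": {h: headers[h]
                        for h in ("server", "x-powered-by", "x-aspnet-version", "x-generator")
                        if h in headers},
        "missing_security_headers": [h for h in SECURITY_HEADERS if h not in headers],
        "cors": None,
        "verbose_error": bool(VERBOSE_ERROR_PATTERNS.search(body)),
    }
    acao = headers.get("access-control-allow-origin")
    creds = headers.get("access-control-allow-credentials", "").lower() == "true"
    if acao is not None:
        if origin_sent and acao == origin_sent and creds:
            # The server echoed an Origin it has no reason to trust and allows cookies:
            # any site can read this response as the logged-in victim.
            findings["cors"] = "reflects arbitrary origin with credentials"
        elif acao == "null" and creds:
            findings["cors"] = "trusts null origin with credentials (sandboxed iframe abuse)"
        elif acao == "*":
            findings["cors"] = "wildcard origin (acceptable only for public data)"
        else:
            findings["cors"] = f"allow-origin={acao}"
    return findings


# Constructed response: PHP behind Apache, permissive CORS, and a leaked warning.
SAMPLE_ORIGIN = "https://evil.example"
SAMPLE_RESPONSE = (
    "HTTP/1.1 500 Internal Server Error\r\n"
    "Server: Apache/2.4.29 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.2.24\r\n"
    "Access-Control-Allow-Origin: https://evil.example\r\n"
    "Access-Control-Allow-Credentials: true\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<b>Warning</b>: mysqli_query() expects parameter 1 to be mysqli in "
    "/var/www/html/page.php on line 42\n"
)

if __name__ == "__main__":
    for key, value in analyze_response(SAMPLE_RESPONSE, SAMPLE_ORIGIN).items():
        print(f"{key}: {value}")
```

The CORS verdict depends on knowing which Origin you sent: run the request twice, once with an origin you control and once with none, and only the reflected-plus-credentials combination is a real finding. A wildcard with no credentials is normal for public APIs.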
Tools required
sudo apt install nmap gobuster ffuf curl whatweb nikto sqlmap hydra
# Optional / advanced:
# - Burp Suite (Community/Pro)
# - OWASP ZAP
# - wafw00f (WAF detection)
# - wfuzz / ffuf for fuzzing
Quick copy-paste command cheatsheet
# discovery & banner
nmap -p 80 -sV --script=http-enum
curl -I http://
# directory brute-force
gobuster dir -u http:// -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
# vhost discovery
gobuster vhost -u http:// -w vhosts.txt
# parameter fuzzing (example)
ffuf -u http:///page.php?id=FUZZ -w params.txt
# XSS quick test (reflected)
# inject into the query and open in a browser / proxy
?q=
# SQLi quick test (automated)
sqlmap -u "http:///page.php?id=1" --batch --dbs
# scan with nikto
nikto -h http://
# WAF detection
wafw00f http://
Disclaimer: Use these techniques only on web servers and applications you own or are explicitly authorized to test. Unauthorised scanning, exploitation, or data access is illegal and unethical.