Information Gathering
Whois Lookup
8m 22s


Now that you know all about the fundamentals of bug bounty hunting and web pen-testing, we're now going to look at the information gathering techniques that you can carry out as reconnaissance on the website you're planning to attack.


Hi. Within this lecture, we're going to see how we can detect if the target website is using a Firewall or not. So, we're going to need a tool called wafw00f in order to do that. And we're going to use Kali Linux in order to leverage this tool. Okay.

So, make sure you open your Kali Linux and open your terminal. So, we need to understand if the target website is behind a Firewall so that we can actually customize our attacks for that. For example, if I know there is a Firewall in the target website that I'm doing web pen-testing on, maybe I wouldn't go into Nikto at all. So, we have seen Nikto before. It kind of gathers general information about the website that we're pen-testing against.

And as I said before, it does a lot of pinging and it may block us. Okay. It may block our IP address. So, it's a very good idea to start with this Wafw00f. So, it's spelled like this, not with o's but with zeros. Okay. So, like that and you can just come over here and give the domain that you're targeting. So, my website, of course, you can do this for other websites as well. But it's a good idea to start with mine. As you can see, it actually gathers information very fast. It says that this website is using a WAF, which is a web application firewall, and it's behind WordFence. It even gives the specifics of that WAF, the web application firewall, so that you can search for WordFence if you want.

So, let's see one of the websites that I own but does not use a firewall. So, unicornitems.com. Okay. If you search against that, as you can see, it takes a little bit more because it cannot find anything, and it has sent seven requests but hasn't come up with anything, nothing even here, not even one. So, I'm not using any Firewall in that website because it's a test website. And if you find something like a Firewall or like any measure, any kind of security measure in this case, you have to consider it.

So, I'm going to share this link with you. This is written by Pentestit and they are actually instructing or they are actually telling how they bypass the Firewall against the SQL injection and you will see it gets a little bit complicated. So, they're doing this thing that we have done before. So, they are trying to do a union select which is okay with us because we have seen it before. So, they found a Cookie where they can inject a SQL command over here and they're doing exactly what we have done before. But it didn't work, apparently, because it's behind the Firewall and the Firewall is blocking all of those things or filtering all of those things.

Okay. So, as you can see, it says that payload was blocked by WAF. So, they tried to bypass it and I'm going to show you how it got complicated. It looks like it's very advanced, but it's not. As you can see, rather than select, they have tried this. So, they just added double quotation marks and commas over here just to trick WAF into believing that. So, if you scroll down a little bit, you can see that it gets complicated and they're adding much more characters in this command. They are doing the same thing actually, but they are trying this kind of thing that we have tried before like Hex representation or any other representations over here. But eventually, they found it.

So, they are writing the same thing, but with different characters and look how it got complicated, how it got mixed in this case. Okay. So, rather than one, they're just doing it within the parentheses. Sometimes they're trying to give Hex representations. We have seen some kind of URL encoding and Hex representations as well, but it can get really messy as you can see. So, if you detect a Firewall, then before being certain that there is no SQL injection possibility or opportunity, you can try every one of those things.

For example, rather than passwd, etc/pa?swd, they use this ? rather than s. And over here, they just separated this with single quotation marks. And rather than passwd, they can use these startings, and you can test this on your own Linux to see if it's working or not. For example, I'm going to say cat /etc/passwd. So /etc/passwd is obviously working. So, rather than passwd, let's try what they have tried, okay, like that with single quotation marks but two times. Now they have just done it with only one quotation mark apparently. And as you can see, it still works. Okay. So, you can try this. If it works on your Linux system, then you can try to do it on the target system as well.

Okay. So, you can try the other ones over here like cat /etc/pa**wd. So rather than ss, they just write stars, double stars over here, like cat /etc/pa**wd instead of cat /etc/passwd. Okay. And it still shows the thing. So, they all work. You have to search for this kind of thing in order to bypass filtering in the Firewall applications. So, application Firewalls. So, if you see a Firewall, then it means that your job would be much harder, but it's not impossible. As you can see, they have found the thing, and they showed us the solution and it's a real web pen-testing. It's not even a CTF, I believe. So, if you detect the Firewall, then try to adjust your attacks considering that information. And also you want to check this lbd thing as well.
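The quoting and wildcard tricks above work because a naive filter compares the raw request text against a signature such as "/etc/passwd", while the shell that eventually runs the command resolves the quotes and globs first. The following added example (written for this page, not part of the lecture or of any WAF product) shows the defender's side of that gap: a plain substring signature next to a normalizing check that URL-decodes the input, applies POSIX quoting rules with shlex, and treats each token as a glob against a constructed list of protected paths. The protected-path list and the sample payloads are assumptions constructed for the demonstration.

```python
import fnmatch
import shlex
from urllib.parse import unquote

# Constructed list of paths a rule might protect (example values, not from any product).
SENSITIVE_PATHS = ("/etc/passwd", "/etc/shadow", "/etc/hosts")


def naive_match(payload):
    """Plain substring signature: the kind of rule that quoting and wildcards defeat."""
    return any(path in payload for path in SENSITIVE_PATHS)


def normalize_tokens(payload):
    """Undo the layers added on top of a shell command: URL encoding first,
    then POSIX shell quoting, so pa''sswd and pa"ss"wd both become passwd."""
    decoded = unquote(payload)
    try:
        return shlex.split(decoded)
    except ValueError:
        # Unbalanced quotes: fall back to a whitespace split so we still inspect something.
        return decoded.split()


def detect_sensitive_access(payload):
    """Return the first protected path the payload refers to after normalization,
    treating each token as a shell glob (so pa**wd and pa?swd match passwd).
    Returns None when nothing matches."""
    for token in normalize_tokens(payload):
        for path in SENSITIVE_PATHS:
            if token == path or fnmatch.fnmatchcase(path, token):
                return path
    return None


if __name__ == "__main__":
    # Constructed samples mirroring the obfuscations discussed in the lecture.
    samples = [
        "cat /etc/passwd",
        "cat /etc/pa''sswd",
        'cat /etc/pa"ss"wd',
        "cat /etc/pa**wd",
        "cat /etc/pa?swd",
        "cat%20%2Fetc%2Fpa%27%27sswd",
        "ls /home",
    ]
    for sample in samples:
        print(f"{sample!r:36} naive={naive_match(sample)!s:5} "
              f"normalized={detect_sensitive_access(sample)}")
```

Running the block prints one line per sample; only the first, unobfuscated command trips the naive signature, while every quoted, globbed or URL-encoded variant is caught once normalized. The glob comparison is deliberately greedy (a bare `*` token would match every protected path), which is the right bias for a detection rule but worth knowing when tuning false positives.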

So, load balancing detector. What is it? If your website is getting a lot of clicks, a lot of traffic, like millions of traffic in one day, then you need this load balancing thing. So, you need to direct them to the other IP addresses in order to make sure you sustain your servers. So, if you're going against a big website that actually has a lot of traffic, then generally they will have this load balancing detector or load balancing session in place. So, maybe you can get some different IP addresses from time to time when you do web pen-testing. So, it shouldn't be a surprise for you. So, if I do lbd against my website, then I'm not going to find anything as you can see, because I'm not even using it. Because my website doesn't get millions of hits daily.

But if you do this against another website, then you can see that it has a load balancing detector, and maybe you don't actually change the way you attack or change the way you search for vulnerabilities in that case. But if you get different IP addresses like we have seen before, even though I don't have load balancing, that's a case that you can come across in the web pen-testing section. And if you see different IP addresses, then you shouldn't be surprised and should act accordingly. Maybe you will see multiple IP addresses in that case. So, it got stuck for some reason. I tried to do 'Ctrl + C' or tried to just close this down. Now we're going to stop here, and continue within the next section.


About the Author

Atil is an instructor at Bogazici University, where he graduated back in 2010. He is also co-founder of Academy Club, which provides training, and Pera Games, which operates in the mobile gaming industry.