HTTP/HTTPS Enumeration

Nmap HTTP Scripts

# HTTP enumeration
nmap --script http-enum -p 80 target.com

# HTTP methods
nmap --script http-methods -p 80 target.com

# HTTP headers
nmap --script http-headers -p 80 target.com

# HTTP title
nmap --script http-title -p 80,443 target.com

# HTTP robots.txt
nmap --script http-robots.txt -p 80 target.com

# HTTP git
nmap --script http-git -p 80 target.com

Nikto

# Basic scan
nikto -h http://target.com

# Scan with SSL
nikto -h https://target.com

# Specific port
nikto -h http://target.com -p 8080

# Save output
nikto -h http://target.com -o output.txt

# Tuning options
nikto -h http://target.com -Tuning 123

Burp Suite

  • Proxy traffic through Burp (127.0.0.1:8080)
  • Use Repeater for request manipulation
  • Use Intruder for fuzzing
  • Use Scanner for vulnerability detection

HTTP Headers Analysis

# Get headers with curl
curl -I http://target.com

# Get headers with wget
wget --server-response --spider http://target.com

# Check security headers
curl -I http://target.com | grep -i "x-frame-options\|x-xss-protection\|x-content-type-options\|strict-transport-security"
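The grep above only shows which of the headers are present; it does not say which are absent. The following script is an added example (not part of the original cheat sheet) that reads a header dump from stdin, either piped from `curl -sI` or saved to a file, and reports each recommended header as PRESENT or MISSING. The header list is the page's four plus Content-Security-Policy, which is my addition; the sample dump is constructed for offline use.

```shell
#!/bin/sh
# Added example: audit a captured response-header dump for security headers.
# Usage:  curl -sI http://target.com | audit_security_headers
#    or:  audit_security_headers < saved_headers.txt

# Header names to look for (lowercase). Content-Security-Policy is added here;
# the other four are the ones the cheat sheet greps for.
REQUIRED_HEADERS="strict-transport-security x-frame-options x-content-type-options x-xss-protection content-security-policy"

# Reads response headers on stdin and prints one line per required header.
# Exit status is the number of missing headers (0 means all were present).
audit_security_headers() {
    # Normalise case and strip the CR from HTTP's CRLF line endings.
    lower=$(tr '[:upper:]' '[:lower:]' | tr -d '\r')
    missing=0
    for h in $REQUIRED_HEADERS; do
        # Match only at line start so a header name inside a value does not count.
        if printf '%s\n' "$lower" | grep -q "^$h:"; then
            echo "PRESENT  $h"
        else
            echo "MISSING  $h"
            missing=$((missing + 1))
        fi
    done
    return $missing
}

# Convenience wrapper: prints the number of missing headers for a dump passed
# as the first argument (used so the result can be checked in a script).
count_missing_headers() {
    rc=0
    printf '%s\n' "$1" | audit_security_headers >/dev/null || rc=$?
    echo "$rc"
}

# Constructed sample dump (not from any real host): only two of the five
# headers are set, so the audit reports three missing.
SAMPLE_HEADERS='HTTP/1.1 200 OK
Server: nginx
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Type: text/html'

# Constructed sample where every header is present.
SAMPLE_HEADERS_FULL='HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 0
Content-Security-Policy: default-src '"'"'self'"'"''

printf '%s\n' "$SAMPLE_HEADERS" | audit_security_headers
```

Presence is only the first check: a `Strict-Transport-Security` with a tiny `max-age`, or a `Content-Security-Policy` that allows `unsafe-inline`, passes this test but gives little protection, so read the values too. Note also that modern browsers ignore `X-XSS-Protection`; it is kept in the list only because the page checks for it.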

Cookies

# Get cookies
curl -c cookies.txt http://target.com

# Use cookies
curl -b cookies.txt http://target.com

# Show cookies in request
curl -v http://target.com 2>&1 | grep Cookie
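Seeing the cookies is half the job; the other half is checking their attributes. This added script (not from the original page) reads response headers from stdin, picks out every `Set-Cookie` line and reports whether the `Secure`, `HttpOnly` and `SameSite` attributes are present. The sample headers are constructed for offline use; the attribute match is a simple case-insensitive substring test, which is good enough for a first pass.

```shell
#!/bin/sh
# Added example: check Set-Cookie headers for Secure, HttpOnly and SameSite.
# Usage:  curl -sI http://target.com | audit_cookie_flags

# Reads response headers on stdin; prints OK or WEAK for each cookie set.
audit_cookie_flags() {
    tr -d '\r' | grep -i '^set-cookie:' | while IFS= read -r line; do
        value=${line#*:}                                  # drop the "Set-Cookie:" label
        name=$(printf '%s' "$value" | sed 's/^ *//; s/=.*//')
        lower=$(printf '%s' "$value" | tr '[:upper:]' '[:lower:]')
        missing=""
        # Attributes are separated by ';' so match them after a semicolon.
        case "$lower" in *';'*secure*) ;; *) missing="$missing Secure";; esac
        case "$lower" in *';'*httponly*) ;; *) missing="$missing HttpOnly";; esac
        case "$lower" in *';'*samesite=*) ;; *) missing="$missing SameSite";; esac
        if [ -z "$missing" ]; then
            echo "OK    $name"
        else
            echo "WEAK  $name: missing$missing"
        fi
    done
}

# Wrapper that returns how many cookies in the dump passed as $1 are WEAK.
count_weak_cookies() {
    printf '%s\n' "$1" | audit_cookie_flags | grep -c '^WEAK' || true
}

# Constructed sample (not from a real host): one hardened cookie, one without
# any protective attributes.
SAMPLE_COOKIE_HEADERS='HTTP/1.1 200 OK
Set-Cookie: session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax
Set-Cookie: tracker=xyz; Path=/
Content-Type: text/html'

printf '%s\n' "$SAMPLE_COOKIE_HEADERS" | audit_cookie_flags
```

A session cookie reported as WEAK is worth following up: without `Secure` it is sent over plain HTTP, without `HttpOnly` it is readable from script, and without `SameSite` it rides along on cross-site requests.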

HTTP Methods

# Test OPTIONS
curl -X OPTIONS http://target.com -v

# Test PUT
curl -X PUT -d "data" http://target.com/file.txt

# Test DELETE
curl -X DELETE http://target.com/file.txt

# Test TRACE
curl -X TRACE http://target.com

WebDAV

# Check WebDAV
davtest -url http://target.com

# Upload file
cadaver http://target.com
# put file.txt

# With credentials
cadaver http://target.com
# username: user
# password: pass

API Testing

# GET request
curl http://target.com/api/endpoint

# POST request
curl -X POST -H "Content-Type: application/json" -d '{"key":"value"}' http://target.com/api/endpoint

# With authentication
curl -H "Authorization: Bearer TOKEN" http://target.com/api/endpoint

# PUT request
curl -X PUT -H "Content-Type: application/json" -d '{"key":"value"}' http://target.com/api/endpoint

# DELETE request
curl -X DELETE http://target.com/api/endpoint/1