GitBook: [master] 2 pages modified

pentesting-web/file-upload.md

@@ -4,7 +4,7 @@
 
 1. Try to upload a file with a **double extension** \(ex: _file.png.php_ or _file.png.php5_\).
    * PHP extensions: _.php_, _.php2_, _.php3_, ._php4_, ._php5_, ._php6_, ._php7_, ._phps_, ._pht_, _.phtml_, ._pgif_, _.shtml, .htaccess, .phar, .inc_
-   * ASP extensions: _.asp, .aspx, .config_
+   * ASP extensions: _.asp, .aspx, .config, .ashx, .asmx, .aspq, .axd, .cshtm, .cshtml, .rem, .soap, .vbhtm, .vbhtml, .asa, .asp, .cer, .shtml_
 2. Try to **uppercase some letter\(s\)** of the extension. Like: _.pHp, .pHP5, .PhAr ..._
 3. Try to upload some **double \(or more\) extension** \(useful to bypass misconfigured checks that test if a specific extension is just present\):
    1. _file.png.php_

pentesting/pentesting-web/README.md

@@ -250,6 +250,12 @@ In several occasions you will need to **understand regular expressions** used, t
 * Try using **different verbs** to access the file: _GET, POST, INVENTED_
 * If _/path_ is blocked, try using _**/**_**%2e/**path __\(if the access is blocked by a proxy, this could bypass the protection\). Try also _/**%252e**/path_ \(double URL encode\)
 * Try Unicode bypass: _/**%ef%bc%8f**path_ \(The URL encoded chars are like "/"\) so when encoded back it will be _//path_ and maybe you will have already bypassed the _/path_ name check
+* **Other path bypasses**:
+  * site.com/secret –> HTTP 403 Forbidden
+  * site.com/secret/ –> HTTP 200 OK
+  * site.com/secret/. –> HTTP 200 OK
+  * site.com//secret// –> HTTP 200 OK
+  * site.com/./secret/.. –> HTTP 200 OK
 * Go to [https://archive.org/web/](https://archive.org/web/) and check if in the past that file was **worldwide accessible**.
 * **Fuzz the page**: Try using HTTP Proxy **Headers**, HTTP Authentication Basic and NTLM brute-force \(with a few combinations only\) and other techniques. To do all of this I have created the tool [**fuzzhttpbypass**](https://github.com/carlospolop/fuzzhttpbypass).
   * `X-Originating-IP: 127.0.0.1`