OSWE Everything

Hunting for files

Dist folder

When you can see a dist folder in the web application's sitemap, it usually means that the developer included all of the package's files instead of only the compiled .js ones.

Why is it important

Among these files there can be sample .html pages, which can lead to Cross Site Scripting.

Exploitation

Search for the developer's home page or GitHub repository in order to identify which files the package ships with; those files give us a broader attack surface.

Package Enumeration

When we encounter "vendor" or "libraries" folders, we can try to enumerate them using Gobuster and SecLists. That can uncover new attack vectors.
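The dist and vendor/libraries notes above describe the same deployment mistake from two sides: a package directory that carries more than its bundled assets. The following script is an added example (not part of the original page) that audits a local web root for exactly that, walking dist/, vendor/, libraries/ and node_modules/ and reporting any HTML, Markdown, JSON, text or XML file found beneath them. The directory tree it builds is constructed inline so it runs offline; the folder names and file list are assumptions chosen for illustration.

```python
"""
Audit a deployed web root for package directories (dist/, vendor/, ...)
that ship more than the compiled assets a front end actually needs.
Added example, not part of the original page; the sample tree is constructed.
"""
import tempfile
from pathlib import Path

# Folder names that commonly hold third-party packages or build output.
PACKAGE_DIRS = {"dist", "vendor", "libraries", "node_modules"}

# File types whose presence inside a package directory indicates the whole
# package was copied rather than only its compiled .js/.css output.
# Sample/demo HTML pages are the ones that matter for XSS; manifests
# and docs additionally leak package names and versions.
SUSPECT_EXTENSIONS = {".html", ".htm", ".md", ".json", ".txt", ".xml"}


def find_shipped_package_files(webroot):
    """Return sorted paths (relative to webroot, POSIX style) of suspect files
    that live somewhere below a package directory."""
    root = Path(webroot)
    hits = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root)
        # Only consider files whose parent chain contains a package directory.
        if not any(part in PACKAGE_DIRS for part in rel.parts[:-1]):
            continue
        if path.suffix.lower() in SUSPECT_EXTENSIONS:
            hits.append(rel.as_posix())
    return sorted(hits)


def build_sample_webroot():
    """Construct a throwaway tree resembling a site that copied a whole
    package into dist/ instead of only its bundle. Constructed data."""
    tmp = tempfile.mkdtemp(prefix="webroot-")
    files = {
        "index.html": "<html>app</html>",                      # legitimate, outside dist/
        "dist/app.bundle.js": "console.log('app')",            # legitimate asset
        "dist/app.css": "body{}",                              # legitimate asset
        "dist/somelib/somelib.min.js": "",                     # legitimate asset
        "dist/somelib/README.md": "# somelib",                 # should not ship
        "dist/somelib/package.json": '{"name":"somelib","version":"1.2.3"}',
        "dist/somelib/examples/demo.html": "<html>demo</html>",   # sample page
        "vendor/jquery/jquery.min.js": "",                     # legitimate asset
        "vendor/jquery/test/index.html": "<html>test runner</html>",
    }
    for rel, content in files.items():
        p = Path(tmp) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(content)
    return tmp


if __name__ == "__main__":
    webroot = build_sample_webroot()
    for hit in find_shipped_package_files(webroot):
        print("remove or block before deploy:", hit)
```

Running it against a real build directory rather than the sample tree is a one-line change to the `webroot` variable; the hits it prints are the files a deployment should delete, or a web server should deny, so that only the bundle is reachable.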
