ASP.NET Security Testing
Reference
ASP Fuzzing
- Extensions. 
Xml
Txt
Zip
7z 
Dll
Ashx
Asmx
Svc
HTML
HTM
JS
JSON- Headers. 
Cookie: 
User-Agent: 
Accept: */*- Example Findings 
Api.zip
Wwwroot.zip
Bin.7z
Web.dll
Login.htm
Accesses.txt
appsettings.json
UploadHandler.ashx
File_Manager.asmx
Service1.svc- Tools 
- FFUF 
ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u https://target.example/FUZZ -D -e .php,.html,.bak -t 40
go install -v github.com/musana/fuzzuli@latest
echo https://fuzzuli.musana.net fuzzuli -p
echo https://fuzzuli.musana.net|fuzzuli -mt shuffle
echo https://fuzzuli.musana.net|fuzzuli -mt regular
echo https://fuzzuli.musana.net|fuzzuli -mt withoutdots
echo https://fuzzuli.musana.net|fuzzuli -mt withoutvowels
echo https://fuzzuli.musana.net|fuzzuli -mt withoutdv
echo https://fuzzuli.musana.net|fuzzuli -mt reverse
echo https://fuzzuli.musana.net|fuzzuli -mt allCritical ASP Paths Often Overlooked by Pentesters.
/OBJ/Debug
intitle:"index of /obj“
APPname.dll, APPNAME.FUZZ.dll
Web.dll, WebConfig.txt, Web.xml
*.DLL
*.TXT
*.XML
/XML/
FUZZService.EXT|AppNameService.EXT|AppName.EXT
Login.asmx, admin.asmx, FileTransferService.svc
FUZZ /XML/ with XSL EXT
/xml/SupportAuth.xsl
*.XML
*.XSL
*.ZIP
/WebServices/
Config.xml, Export.zip, Login.XSL
SUPPORTTOKENINTERNAL on SupportAuth.aspx
*.ASMX
*.SVCAbusing ASP.NET_SessionId for Unauthorized Access.
/Backup/ 403
Web.config
 <deny users="?" /> =anonymous  
UnAuth ASP.NET_SessionId=X
 <deny users="?" /> ≠ anonymous
 /backup/ 200
--------------------
/UsersInfo.ashx 302
if (Request.Cookies[".ASPXAUTH"] = null
UnAuth
.ASPXPath=X
if (Request.Cookies[".ASPXAUTH"] != null
/UsersInfo.ashx 200
---------------------
# Scenario
1. /Hdownload.ashx -> 302
2. /Login.aspx -> .ASPXPATH= (cookie parameter) 
3. /Hdownload.ashx  + .ASPXPATH= (cookie parameter) -> BypassedBypassing WAFs with ASP.NET Cookieless Sessions.
- Bypass WAF-Blocked Endpoints Using (S(x)) 
1. GET /admin/login.ASPX
2. The WAF only allows internal IPs to access the endpoint.
3. GET /admin/S(X))/login.ASPX --> 200 OK
Uncovering Secrets in ASP.NET JS Files.
- Fuzzing For JS On ASP.NET 
/
/js
/Javascript
/include- Critical JavaScript Filenames On ASP.NET 
appsettings.js
Config.js
debug.js
service-worker-assets.jsBreaking Auth with Unique Path Manipulation.

Last updated
Was this helpful?
