Theory

This step ends the reconnaissance phase. The previous steps were aimed at gaining knowledge about the attack surface

• Web server

• Content Management System (CMS)

• Web Application Firewall (WAF)

• JavaScript Frameworks

• and other technologies

Known vulnerabilities may then be identified depending on these information.

Practice

Known vulnerabilities can be found from the following resources

• exploit-db.com: an online exploit database

• searchsploit is a command-line utility that allows to do offline searches through the exploit-db

• CVE Details, NVD NIST and MITRE are online CVE (Common Vulnerabilities and Exposures) searches

# search exploits for a technology
searchsploit $technology

# Read an exploit
searchsploit -x $exploit_path

# Copy an exploit to the current directory
searchsploit -m $exploit_path

# Update the searchsploit database
searchsploit -u

When a vulnerability is found, one can research a Proof-Of-Concept (PoC) to try at exploiting the vulnerability. Most public PoCs can be found on GitHub.