HackTricks-wiki · carlospolop · Jun 14, 2026
diff --git a/src/pentesting-web/web-vulnerabilities-methodology.md b/src/pentesting-web/web-vulnerabilities-methodology.md
@@ -88,6 +88,24 @@ WebSocket upgrades automatically forward cookies and do not block `ws://127.0.0.
 
 If you can pass arbitrary JVM flags (such as `AdditionalJavaArguments`), force an error with `-XX:MaxMetaspaceSize=<tiny>` and attach `-XX:OnOutOfMemoryError="<cmd>"` to run OS commands without touching application logic. See [WebSocket attacks](websocket-attacks.md#localhost-websocket-abuse--browser-port-discovery) for a walk-through.
 
+### Installers / setup wizards / recovery leftovers
+
+First-run installers and recovery endpoints are often forgotten in production. If a live application still exposes paths such as `/install/`, `/setup/`, `/init/`, `/admin/install`, `/setup/setupadministrator.action`, or readable config files such as `/config/database.php`, treat them as **high-value takeover primitives** instead of low-value information leaks.
+
+Checks to perform:
+
+- Fuzz for installer and reconfiguration paths with `ffuf`, `dirsearch`, or wordlists containing `install`, `setup`, `wizard`, `init`, `upgrade`, `db`, `config`, and `admin`.
+- Open the wizard and determine whether it still accepts **database / SMTP / admin** parameters after deployment, or whether a server-side `setupComplete` / lock file can be flipped or bypassed.
+- If the installer accepts arbitrary DB settings, test whether the application will connect to an **attacker-controlled external DB** and bootstrap its schema there. This can yield **admin creation**, backend **state disclosure**, or application **DoS** if the remote DB later disappears.
+- After any successful reinitialization, revisit old authenticated tabs and test whether **pre-existing sessions remain valid** even after the backend DB/configuration is restored. PHP apps often keep session state outside MySQL, so restoring the DB may not revoke attacker sessions.
+- Review incident-response paths: password reset, admin creation, DB restore, installer rerun, maintenance exit. If none of them rotate session IDs or invalidate server-side session stores, keep testing for persistent dashboard access.
+
+Operational notes:
+
+- Outbound connectivity matters: if the web tier can reach arbitrary MySQL hosts, SSRF-style egress restrictions are missing and installer abuse becomes much easier.
+- Sudden `500` errors immediately after setup changes can indicate the application is still pointing to attacker-supplied infrastructure.
+- Framework/app-specific examples exist (for example Confluence setup reactivation admin creation), but the reusable technique is **production reinstallation / reinitialization abuse**.
+
 ### **HTTP Headers**
 
 Depending on the HTTP headers given by the web server some vulnerabilities might be present.
@@ -224,6 +242,7 @@ Modern applications extend into browsers, wallets, and automation pipelines—ke
 ## References
 
 - [When WebSockets Lead to RCE in CurseForge](https://elliott.diy/blog/curseforge/)
+- [I Accidentally Logged as Admin Into a Threat Actor Website](https://potato.id/en/posts/i-accidentally-logged-into-threat-actor-website)
 
 {{#include ../banners/hacktricks-training.md}}