Squid is an HTTP proxy commonly exposed on TCP 3128. If it allows unauthenticated proxying to internal services, use it to discover web apps that are not directly reachable.
nmap -sC -sV TARGET -p 3128
# 3128/tcp open http-proxy Squid http proxy 4.14
# http-title: ERROR: The requested URL could not be retrieved
# http-server-header: squid/4.14Direct browsing to the proxy port may return a Squid error page:
Generated ... by SQUID (squid/4.14)
Use curl --proxy to test whether Squid can reach internal web ports:
curl -I --proxy http://TARGET:3128 http://TARGET:8080
# HTTP/1.1 200 OK
# Server: Apache/2.4.46 (Win64) PHP/7.3.21
# X-Powered-By: PHP/7.3.21
# Via: 1.1 SQUID (squid/4.14)If a proxied port returns 200 OK, configure the browser to use the Squid host and port as an HTTP proxy, then browse to the internal web app normally:
HTTP proxy: TARGET
Port: 3128
URL: http://TARGET:8080/