A canopy of apple-blossom

TL/DR: Many web applications can still easily be exploited to gain unauthorised access to sensitive data and webservers. Notes on techniques based on, and writeups of, Portswigger Labs, Root-me challenges and TryHackMe CTFs.

---

Testlab

• Web application pentesting tools

Preparation

• Reconnaissance
• Enumeration

Notes on techniques

• Introduction
• Cross-site scripting (XSS)
• Open redirection
• Clickjacking
• Cross-site request forgery (CSRF)
• Insecure direct object references (IDOR)
• SQL injection
• Race conditions
• Server-side request forgery (SSRF)
• Insecure deserialisation
• XML external entity (XXE) injection
• Web cache poisoning
• HTTP Request smuggling
• Template injection (SSTI)
• Directory traversal
• Authentication vulnerabilities
• Single-sign-on security (SSO)
• Broken access control
• Application logic errors
• HTTP Host header attacks
• Websocket vulnerabilities
• Remote code execution (RCE)
• Same-origin policy (SOP)
• Information disclosure
• File uploads
• JSON web tokens attacks
• Prototype pollution

---

TryHackMe rooms

• Introduction
• Picklerick

---

Root-me challenges

Web client

• Introduction
• HTML disabled buttons
• Javascript authentication
• Javascript source
• Javascript native code
• XSS stored 1
• CSP bypass inline
• CSRF: zero protection

Web server

• Introduction
• Insecure code management
• Directory traversal
• File upload: null byte
• PHP assert()
• PHP Filters
• PHP Register globals
• JWT Introduction
• JWT (not) revoked token
• JWT weak secret
• Python: Server-side Template Injection Introduction
• Command injection: filter bypass
• Java: Server-side Template Injection (SSTI)
• Local file inclusion
• Local file inclusion: double encoding
• PHP preg_replace
• PHP type juggling
• SQL injection: authentication
• SQL injection: string
• XSLT code execution
• PHP path truncation
• PHP serialisation
• SQL injection: numeric
• SQL injection: routed
• SQL truncation
• XPath injection: authentication
• SQL injection: time-based

---

Portswigger Web Security Academy labs

XSS

• Introduction
• Reflected XSS into HTML context with nothing encoded
• Stored XSS into HTML context with nothing encoded
• DOM XSS in document.write sink using source location.search
• DOM XSS in innerHTML sink using source location.search
• DOM XSS in jQuery anchor href attribute sink using location.search source
• DOM XSS in jQuery selector sink using a hashchange event
• Reflected XSS into attribute with angle brackets HTML-encoded
• Stored XSS into anchor href attribute with double quotes HTML-encoded
• Reflected XSS into a JavaScript string with angle brackets HTML encoded
• DOM XSS in document.write sink using source location.search inside a select element
• DOM XSS in AngularJS expression with angle brackets and double quotes HTML-encoded
• Reflected DOM XSS
• Stored DOM XSS
• Exploiting cross-site scripting to steal cookies
• Exploiting cross-site scripting to capture passwords
• Exploiting XSS to perform CSRF
• Reflected XSS into HTML context with most tags and attributes blocked
• Reflected XSS into HTML context with all tags blocked except custom ones
• Reflected XSS with some SVG markup allowed
• Reflected XSS in canonical link tag
• Reflected XSS into a JavaScript string with single quote and backslash escaped
• Reflected XSS into a JavaScript string with angle brackets and double quotes HTML-encoded and single quotes escaped
• Stored XSS into onclick event with angle brackets and double quotes HTML-encoded and single quotes and backslash escaped
• Reflected XSS into a template literal with angle brackets, single, double quotes, backslash and backticks Unicode-escaped
• Reflected XSS with event handlers and href attributes blocked
• Reflected XSS in a JavaScript URL with some characters blocked
• Reflected XSS with AngularJS sandbox escape without strings
• Reflected XSS with AngularJS sandbox escape and CSP
• Reflected XSS protected by very strict CSP, with dangling markup attack
• Reflected XSS protected by CSP, with CSP bypass

SQLi

• Introduction
• SQL injection vulnerability in WHERE clause allowing retrieval of hidden data
• SQL injection vulnerability allowing login bypass
• SQL injection UNION attack, determining the number of columns returned by the query
• SQL injection UNION attack, finding a column containing text
• SQL injection UNION attack, retrieving data from other tables
• SQL injection UNION attack, retrieving multiple values in a single column
• SQL injection attack, querying the database type and version on Oracle
• SQL injection attack, querying the database type and version on MySQL and Microsoft
• SQL injection attack, listing the database contents on non-Oracle databases
• SQL injection attack, listing the database contents on Oracle
• Blind SQL injection with conditional responses
• Blind SQL injection with conditional errors
• Blind SQL injection with time delays
• Blind SQL injection with time delays and information retrieval
• Blind SQL injection with out-of-band interaction
• Blind SQL injection with out-of-band data exfiltration
• SQL injection with filter bypass via XML encoding

CSRF

• Introduction
• CSRF vulnerability with no defenses
• CSRF where token validation depends on request method
• CSRF where token validation depends on token being present
• CSRF where token is not tied to user session
• CSRF where token is tied to non-session cookie
• CSRF where token is duplicated in cookie
• SameSite Lax bypass via method override
• SameSite Strict bypass via client-side redirect
• SameSite Strict bypass via sibling domain
• SameSite Lax bypass via cookie refresh
• CSRF where Referer validation depends on header being present
• CSRF with broken Referer validation

Clickjacking

• Introduction
• Basic clickjacking with CSRF token protection
• Clickjacking with form input data prefilled from a URL parameter
• Clickjacking with a frame buster script
• Exploiting clickjacking vulnerability to trigger DOM-based XSS
• Multistep clickjacking

DOM-based vulns

• Introduction
• DOM XSS using web messages
• DOM XSS using web messages and a JavaScript URL
• DOM XSS using web messages and JSON.parse
• DOM-based open redirection
• DOM-based cookie manipulation
• Exploiting DOM clobbering to enable XSS
• Clobbering DOM attributes to bypass HTML filters

CORS

• Introduction
• CORS vulnerability with basic origin reflection
• CORS vulnerability with trusted null origin
• CORS vulnerability with trusted insecure protocols
• CORS vulnerability with internal network pivot attack

XXE

• Introduction
• Exploiting XXE using external entities to retrieve files
• Exploiting XXE to perform SSRF attacks
• Blind XXE with out-of-band interaction
• Blind XXE with out-of-band interaction via XML parameter entities
• Exploiting blind XXE to exfiltrate data using a malicious external DTD
• Exploiting blind XXE to retrieve data via error messages
• Exploiting XInclude to retrieve files
• Exploiting XXE via image file upload
• Exploiting XXE to retrieve data by repurposing a local DTD

SSRF

• Introduction
• Basic SSRF against the local server
• Basic SSRF against another back-end system
• SSRF with blacklist-based input filter
• SSRF with filter bypass via open redirection vulnerability
• Blind SSRF with out-of-band detection
• SSRF with whitelist-based input filter
• Blind SSRF with Shellshock exploitation

HTTP request smuggling

• Introduction
• HTTP request smuggling, basic CL.TE vulnerability
• HTTP request smuggling, basic TE.CL vulnerability
• HTTP request smuggling, obfuscating the TE header
• HTTP request smuggling, confirming a CL.TE vulnerability via differential responses
• HTTP request smuggling, confirming a TE.CL vulnerability via differential responses
• Exploiting HTTP request smuggling to bypass front-end security controls, CL.TE vulnerability
• Exploiting HTTP request smuggling to bypass front-end security controls, TE.CL vulnerability
• Exploiting HTTP request smuggling to reveal front-end request rewriting
• Exploiting HTTP request smuggling to capture other users’ requests
• Exploiting HTTP request smuggling to deliver reflected XSS
• Response queue poisoning via H2.TE request smuggling
• H2.CL request smuggling
• HTTP/2 request smuggling via CRLF injection
• HTTP/2 request splitting via CRLF injection
• CL.0 request smuggling
• Exploiting HTTP request smuggling to perform web cache poisoning
• Exploiting HTTP request smuggling to perform web cache deception
• Bypassing access controls via HTTP/2 request tunnelling
• Web cache poisoning via HTTP/2 request tunnelling
• Client-side desync
• Browser cache poisoning via client-side desync
• Server-side pause-based request smuggling

OS command injection

• Introduction
• OS command injection, simple case
• Blind OS command injection with time delays
• Blind OS command injection with output redirection
• Blind OS command injection with out-of-band interaction
• Blind OS command injection with out-of-band data exfiltration

SSTI

• Introduction
• Basic server-side template injection
• Basic server-side template injection (code context)
• Server-side template injection using documentation
• Server-side template injection in an unknown language with a documented exploit
• Server-side template injection with information disclosure via user-supplied objects
• Server-side template injection in a sandboxed environment
• Server-side template injection with a custom exploit

Directory traversal

• Introduction
• File path traversal, simple case
• File path traversal, traversal sequences blocked with absolute path bypass
• File path traversal, traversal sequences stripped non-recursively
• File path traversal, traversal sequences stripped with superfluous URL-decode
• File path traversal, validation of start of path
• File path traversal, validation of file extension with null byte bypass

Access control vulnerabilities

• Introduction
• Unprotected admin functionality
• Unprotected admin functionality with unpredictable URL
• User role controlled by request parameter
• User role can be modified in user profile
• User ID controlled by request parameter
• User ID controlled by request parameter, with unpredictable user IDs
• User ID controlled by request parameter with data leakage in redirect
• User ID controlled by request parameter with password disclosure
• Insecure direct object references
• URL-based access control can be circumvented
• Method-based access control can be circumvented
• Multistep process with no access control on one step
• Referer-based access control

Authentication

• Introduction
• Username enumeration via different responses
• 2FA simple bypass
• Password reset broken logic
• Username enumeration via subtly different responses
• Username enumeration via response timing
• Broken brute-force protection, IP block
• Username enumeration via account lock
• 2FA broken logic
• Brute-forcing a stay-logged-in cookie
• Offline password cracking
• Password reset poisoning via middleware
• Password brute-force via password change
• Broken brute-force protection, multiple credentials per request
• 2FA bypass using a brute-force attack

Websockets

• Introduction
• Manipulating WebSocket messages to exploit vulnerabilities
• Manipulating the WebSocket handshake to exploit vulnerabilities
• Cross-site WebSocket hijacking

Web cache poisoning

• Introduction
• Web cache poisoning with an unkeyed header
• Web cache poisoning with an unkeyed cookie
• Web cache poisoning with multiple headers
• Targeted web cache poisoning using an unknown header
• Web cache poisoning via an unkeyed query string
• Web cache poisoning via an unkeyed query parameter
• Parameter cloaking
• Web cache poisoning via a fat GET request
• URL normalisation
• Web cache poisoning to exploit a DOM vulnerability via a cache with strict cacheability criteria
• Combining web cache poisoning vulnerabilities
• Cache key injection
• Internal cache poisoning

Insecure deserialisation

• Introduction
• Modifying serialised objects
• Modifying serialised data types
• Using application functionality to exploit insecure deserialisation
• Arbitrary object injection in PHP
• Exploiting Java deserialisation with Apache Commons
• Exploiting PHP deserialisation with a pre-built gadget chain
• Exploiting Ruby deserialisation using a documented gadget chain
• Developing a custom gadget chain for Java deserialisation
• Developing a custom gadget chain for PHP deserialisation
• Using PHAR deserialisation to deploy a custom gadget chain

Information disclosure

• Introduction
• Information disclosure in error messages
• Information disclosure on debug page
• Source code disclosure via backup files
• Authentication bypass via information disclosure
• Information disclosure in version control history

Business logic vulnerabilities

• Introduction
• Excessive trust in client-side controls
• High-level logic vulnerability
• Inconsistent security controls
• Flawed enforcement of business rules
• Low-level logic flaw
• Inconsistent handling of exceptional input
• Weak isolation on dual-use endpoint
• Insufficient workflow validation
• Authentication bypass via flawed state machine
• Infinite money logic flaw
• Authentication bypass via encryption oracle

HTTP Host header attacks

• Introduction
• Basic password reset poisoning
• Host header authentication bypass
• Web cache poisoning via ambiguous requests
• Routing-based SSRF
• SSRF via flawed request parsing
• Host validation bypass via connection state attack
• Password reset poisoning via dangling markup

OAuth authentication

• Introduction
• Authentication bypass via OAuth implicit flow
• Forced OAuth profile linking
• OAuth account hijacking via redirect_uri
• Stealing OAuth access tokens via an open redirect
• SSRF via OpenID dynamic client registration
• Stealing OAuth access tokens via a proxy page

File upload vulnerabilities

• Introduction
• Remote code execution via web shell upload
• Web shell upload via Content-Type restriction bypass
• Web shell upload via path traversal
• Web shell upload via extension blacklist bypass
• Web shell upload via obfuscated file extension
• Remote code execution via polyglot web shell upload
• Web shell upload via race condition

JWT

• Introduction
• JWT authentication bypass via unverified signature
• JWT authentication bypass via flawed signature verification
• JWT authentication bypass via weak signing key
• JWT authentication bypass via jwk header injection
• JWT authentication bypass via jku header injection
• JWT authentication bypass via kid header path traversal
• JWT authentication bypass via algorithm confusion
• JWT authentication bypass via algorithm confusion with no exposed key

Prototype pollution

• Introduction
• DOM XSS via client-side prototype pollution
• DOM XSS via an alternative prototype pollution vector
• Client-side prototype pollution via flawed sanitisation
• Client-side prototype pollution in third-party libraries
• Client-side prototype pollution via browser APIs
• Privilege escalation via server-side prototype pollution
• Detecting server-side prototype pollution without polluted property reflection
• Bypassing flawed input filters for server-side prototype pollution
• Remote code execution via server-side prototype pollution
• Exfiltrating sensitive data via server-side prototype pollution

---

Books