A canopy of apple-blossom
TL;DR: many web applications can still be exploited with little effort to gain unauthorised access to sensitive data and to the web servers behind them. What follows are notes on techniques, based on and including write-ups of PortSwigger Web Security Academy labs, Root-me challenges and TryHackMe CTFs.
Notes on techniques
- Introduction
- Cross-site scripting (XSS)
- Open redirection
- Clickjacking
- Cross-site request forgery (CSRF)
- Insecure direct object references (IDOR)
- SQL injection
- Race conditions
- Server-side request forgery (SSRF)
- Insecure deserialisation
- XML external entity (XXE) injection
- Web cache poisoning
- HTTP request smuggling
- Server-side template injection (SSTI)
- Directory traversal
- Authentication vulnerabilities
- Single sign-on (SSO) security
- Broken access control
- Application logic errors
- HTTP Host header attacks
- WebSocket vulnerabilities
- Remote code execution (RCE)
- Same-origin policy (SOP)
- Information disclosure
- File uploads
- JSON Web Token (JWT) attacks
- Prototype pollution
Root-me challenges
- Introduction
- Insecure code management
- Directory traversal
- File upload: null byte
- PHP assert()
- PHP filters
- PHP register_globals
- JWT Introduction
- JWT (not) revoked token
- JWT weak secret
- Python: server-side template injection (SSTI) introduction
- Command injection: filter bypass
- Java: server-side template injection (SSTI)
- Local file inclusion
- Local file inclusion: double encoding
- PHP preg_replace
- PHP type juggling
- SQL injection: authentication
- SQL injection: string
- XSLT code execution
- PHP path truncation
- PHP serialisation
- SQL injection: numeric
- SQL injection: routed
- SQL truncation
- XPath injection: authentication
- SQL injection: time-based
Portswigger Web Security Academy labs
Cross-site scripting (XSS)
- Introduction
- Reflected XSS into HTML context with nothing encoded
- Stored XSS into HTML context with nothing encoded
- DOM XSS in document.write sink using source location.search
- DOM XSS in innerHTML sink using source location.search
- DOM XSS in jQuery anchor href attribute sink using location.search source
- DOM XSS in jQuery selector sink using a hashchange event
- Reflected XSS into attribute with angle brackets HTML-encoded
- Stored XSS into anchor href attribute with double quotes HTML-encoded
- Reflected XSS into a JavaScript string with angle brackets HTML encoded
- DOM XSS in document.write sink using source location.search inside a select element
- DOM XSS in AngularJS expression with angle brackets and double quotes HTML-encoded
- Reflected DOM XSS
- Stored DOM XSS
- Exploiting cross-site scripting to steal cookies
- Exploiting cross-site scripting to capture passwords
- Exploiting XSS to perform CSRF
- Reflected XSS into HTML context with most tags and attributes blocked
- Reflected XSS into HTML context with all tags blocked except custom ones
- Reflected XSS with some SVG markup allowed
- Reflected XSS in canonical link tag
- Reflected XSS into a JavaScript string with single quote and backslash escaped
- Reflected XSS into a JavaScript string with angle brackets and double quotes HTML-encoded and single quotes escaped
- Stored XSS into onclick event with angle brackets and double quotes HTML-encoded and single quotes and backslash escaped
- Reflected XSS into a template literal with angle brackets, single, double quotes, backslash and backticks Unicode-escaped
- Reflected XSS with event handlers and href attributes blocked
- Reflected XSS in a JavaScript URL with some characters blocked
- Reflected XSS with AngularJS sandbox escape without strings
- Reflected XSS with AngularJS sandbox escape and CSP
- Reflected XSS protected by very strict CSP, with dangling markup attack
- Reflected XSS protected by CSP, with CSP bypass
SQL injection
- Introduction
- SQL injection vulnerability in WHERE clause allowing retrieval of hidden data
- SQL injection vulnerability allowing login bypass
- SQL injection UNION attack, determining the number of columns returned by the query
- SQL injection UNION attack, finding a column containing text
- SQL injection UNION attack, retrieving data from other tables
- SQL injection UNION attack, retrieving multiple values in a single column
- SQL injection attack, querying the database type and version on Oracle
- SQL injection attack, querying the database type and version on MySQL and Microsoft
- SQL injection attack, listing the database contents on non-Oracle databases
- SQL injection attack, listing the database contents on Oracle
- Blind SQL injection with conditional responses
- Blind SQL injection with conditional errors
- Blind SQL injection with time delays
- Blind SQL injection with time delays and information retrieval
- Blind SQL injection with out-of-band interaction
- Blind SQL injection with out-of-band data exfiltration
- SQL injection with filter bypass via XML encoding
Cross-site request forgery (CSRF)
- Introduction
- CSRF vulnerability with no defenses
- CSRF where token validation depends on request method
- CSRF where token validation depends on token being present
- CSRF where token is not tied to user session
- CSRF where token is tied to non-session cookie
- CSRF where token is duplicated in cookie
- SameSite Lax bypass via method override
- SameSite Strict bypass via client-side redirect
- SameSite Strict bypass via sibling domain
- SameSite Lax bypass via cookie refresh
- CSRF where Referer validation depends on header being present
- CSRF with broken Referer validation
XML external entity (XXE) injection
- Introduction
- Exploiting XXE using external entities to retrieve files
- Exploiting XXE to perform SSRF attacks
- Blind XXE with out-of-band interaction
- Blind XXE with out-of-band interaction via XML parameter entities
- Exploiting blind XXE to exfiltrate data using a malicious external DTD
- Exploiting blind XXE to retrieve data via error messages
- Exploiting XInclude to retrieve files
- Exploiting XXE via image file upload
- Exploiting XXE to retrieve data by repurposing a local DTD
Server-side request forgery (SSRF)
- Introduction
- Basic SSRF against the local server
- Basic SSRF against another back-end system
- SSRF with blacklist-based input filter
- SSRF with filter bypass via open redirection vulnerability
- Blind SSRF with out-of-band detection
- SSRF with whitelist-based input filter
- Blind SSRF with Shellshock exploitation
HTTP request smuggling
- Introduction
- HTTP request smuggling, basic CL.TE vulnerability
- HTTP request smuggling, basic TE.CL vulnerability
- HTTP request smuggling, obfuscating the TE header
- HTTP request smuggling, confirming a CL.TE vulnerability via differential responses
- HTTP request smuggling, confirming a TE.CL vulnerability via differential responses
- Exploiting HTTP request smuggling to bypass front-end security controls, CL.TE vulnerability
- Exploiting HTTP request smuggling to bypass front-end security controls, TE.CL vulnerability
- Exploiting HTTP request smuggling to reveal front-end request rewriting
- Exploiting HTTP request smuggling to capture other users’ requests
- Exploiting HTTP request smuggling to deliver reflected XSS
- Response queue poisoning via H2.TE request smuggling
- H2.CL request smuggling
- HTTP/2 request smuggling via CRLF injection
- HTTP/2 request splitting via CRLF injection
- CL.0 request smuggling
- Exploiting HTTP request smuggling to perform web cache poisoning
- Exploiting HTTP request smuggling to perform web cache deception
- Bypassing access controls via HTTP/2 request tunnelling
- Web cache poisoning via HTTP/2 request tunnelling
- Client-side desync
- Browser cache poisoning via client-side desync
- Server-side pause-based request smuggling
Server-side template injection (SSTI)
- Introduction
- Basic server-side template injection
- Basic server-side template injection (code context)
- Server-side template injection using documentation
- Server-side template injection in an unknown language with a documented exploit
- Server-side template injection with information disclosure via user-supplied objects
- Server-side template injection in a sandboxed environment
- Server-side template injection with a custom exploit
Directory traversal
- Introduction
- File path traversal, simple case
- File path traversal, traversal sequences blocked with absolute path bypass
- File path traversal, traversal sequences stripped non-recursively
- File path traversal, traversal sequences stripped with superfluous URL-decode
- File path traversal, validation of start of path
- File path traversal, validation of file extension with null byte bypass
Broken access control
- Introduction
- Unprotected admin functionality
- Unprotected admin functionality with unpredictable URL
- User role controlled by request parameter
- User role can be modified in user profile
- User ID controlled by request parameter
- User ID controlled by request parameter, with unpredictable user IDs
- User ID controlled by request parameter with data leakage in redirect
- User ID controlled by request parameter with password disclosure
- Insecure direct object references
- URL-based access control can be circumvented
- Method-based access control can be circumvented
- Multistep process with no access control on one step
- Referer-based access control
Authentication vulnerabilities
- Introduction
- Username enumeration via different responses
- 2FA simple bypass
- Password reset broken logic
- Username enumeration via subtly different responses
- Username enumeration via response timing
- Broken brute-force protection, IP block
- Username enumeration via account lock
- 2FA broken logic
- Brute-forcing a stay-logged-in cookie
- Offline password cracking
- Password reset poisoning via middleware
- Password brute-force via password change
- Broken brute-force protection, multiple credentials per request
- 2FA bypass using a brute-force attack
Web cache poisoning
- Introduction
- Web cache poisoning with an unkeyed header
- Web cache poisoning with an unkeyed cookie
- Web cache poisoning with multiple headers
- Targeted web cache poisoning using an unknown header
- Web cache poisoning via an unkeyed query string
- Web cache poisoning via an unkeyed query parameter
- Parameter cloaking
- Web cache poisoning via a fat GET request
- URL normalisation
- Web cache poisoning to exploit a DOM vulnerability via a cache with strict cacheability criteria
- Combining web cache poisoning vulnerabilities
- Cache key injection
- Internal cache poisoning
Insecure deserialisation
- Introduction
- Modifying serialised objects
- Modifying serialised data types
- Using application functionality to exploit insecure deserialisation
- Arbitrary object injection in PHP
- Exploiting Java deserialisation with Apache Commons
- Exploiting PHP deserialisation with a pre-built gadget chain
- Exploiting Ruby deserialisation using a documented gadget chain
- Developing a custom gadget chain for Java deserialisation
- Developing a custom gadget chain for PHP deserialisation
- Using PHAR deserialisation to deploy a custom gadget chain
Application logic errors
- Introduction
- Excessive trust in client-side controls
- High-level logic vulnerability
- Inconsistent security controls
- Flawed enforcement of business rules
- Low-level logic flaw
- Inconsistent handling of exceptional input
- Weak isolation on dual-use endpoint
- Insufficient workflow validation
- Authentication bypass via flawed state machine
- Infinite money logic flaw
- Authentication bypass via encryption oracle
File uploads
- Introduction
- Remote code execution via web shell upload
- Web shell upload via Content-Type restriction bypass
- Web shell upload via path traversal
- Web shell upload via extension blacklist bypass
- Web shell upload via obfuscated file extension
- Remote code execution via polyglot web shell upload
- Web shell upload via race condition
JSON Web Token (JWT) attacks
- Introduction
- JWT authentication bypass via unverified signature
- JWT authentication bypass via flawed signature verification
- JWT authentication bypass via weak signing key
- JWT authentication bypass via jwk header injection
- JWT authentication bypass via jku header injection
- JWT authentication bypass via kid header path traversal
- JWT authentication bypass via algorithm confusion
- JWT authentication bypass via algorithm confusion with no exposed key
Prototype pollution
- Introduction
- DOM XSS via client-side prototype pollution
- DOM XSS via an alternative prototype pollution vector
- Client-side prototype pollution via flawed sanitisation
- Client-side prototype pollution in third-party libraries
- Client-side prototype pollution via browser APIs
- Privilege escalation via server-side prototype pollution
- Detecting server-side prototype pollution without polluted property reflection
- Bypassing flawed input filters for server-side prototype pollution
- Remote code execution via server-side prototype pollution
- Exfiltrating sensitive data via server-side prototype pollution