Testlab

Web application pentesting tools

Preparation

Reconnaissance
Enumeration

Notes on techniques

Introduction
Cross-site scripting (XSS)
Open redirection
Clickjacking
Cross-site request forgery (CSRF)
Insecure direct object references (IDOR)
SQL injection
Race conditions
Server-side request forgery (SSRF)
Insecure deserialisation
XML external entity (XXE) injection
Web cache poisoning
HTTP Request smuggling
Template injection (SSTI)
Directory traversal
Authentication vulnerabilities
Single-sign-on security (SSO)
Broken access control
Application logic errors
HTTP Host header attacks
Websocket vulnerabilities
Remote code execution (RCE)
Same-origin policy (SOP)
Information disclosure
File uploads
JSON web tokens attacks
Prototype pollution

TryHackMe rooms

Introduction
Picklerick

Web client

Introduction
- What?
- Why?
- How?
HTML disabled buttons
Javascript authentication
Javascript source
Javascript native code
XSS stored 1
CSP bypass inline
CSRF: zero protection

Web server

Introduction
Insecure code management
Directory traversal
File upload: null byte
PHP assert()
PHP Filters
PHP Register globals
JWT Introduction
JWT (not) revoked token
JWT weak secret
Python: Server-side Template Injection Introduction
Command injection: filter bypass
Java: Server-side Template Injection (SSTI)
Local file inclusion
Local file inclusion: double encoding
PHP preg_replace
PHP type juggling
SQL injection: authentication
SQL injection: string
XSLT code execution
PHP path truncation
PHP serialisation
SQL injection: numeric
SQL injection: routed
SQL truncation
XPath injection: authentication
SQL injection: time-based

XSS

Introduction
Reflected XSS into HTML context with nothing encoded
Stored XSS into HTML context with nothing encoded
DOM XSS in document.write sink using source location.search
DOM XSS in innerHTML sink using source location.search
DOM XSS in jQuery anchor href attribute sink using location.search source
DOM XSS in jQuery selector sink using a hashchange event
Reflected XSS into attribute with angle brackets HTML-encoded
Stored XSS into anchor href attribute with double quotes HTML-encoded
Reflected XSS into a JavaScript string with angle brackets HTML encoded
DOM XSS in document.write sink using source location.search inside a select element
DOM XSS in AngularJS expression with angle brackets and double quotes HTML-encoded
Reflected DOM XSS
Stored DOM XSS
Exploiting cross-site scripting to steal cookies
Exploiting cross-site scripting to capture passwords
Exploiting XSS to perform CSRF
Reflected XSS into HTML context with most tags and attributes blocked
Reflected XSS into HTML context with all tags blocked except custom ones
Reflected XSS with some SVG markup allowed
Reflected XSS in canonical link tag
Reflected XSS into a JavaScript string with single quote and backslash escaped
Reflected XSS into a JavaScript string with angle brackets and double quotes HTML-encoded and single quotes escaped
Stored XSS into onclick event with angle brackets and double quotes HTML-encoded and single quotes and backslash escaped
Reflected XSS into a template literal with angle brackets, single, double quotes, backslash and backticks Unicode-escaped
Reflected XSS with event handlers and href attributes blocked
Reflected XSS in a JavaScript URL with some characters blocked
Reflected XSS with AngularJS sandbox escape without strings
Reflected XSS with AngularJS sandbox escape and CSP
Reflected XSS protected by very strict CSP, with dangling markup attack
Reflected XSS protected by CSP, with CSP bypass

SQLi

Introduction
SQL injection vulnerability in WHERE clause allowing retrieval of hidden data
SQL injection vulnerability allowing login bypass
SQL injection UNION attack, determining the number of columns returned by the query
SQL injection UNION attack, finding a column containing text
SQL injection UNION attack, retrieving data from other tables
SQL injection UNION attack, retrieving multiple values in a single column
SQL injection attack, querying the database type and version on Oracle
SQL injection attack, querying the database type and version on MySQL and Microsoft
SQL injection attack, listing the database contents on non-Oracle databases
SQL injection attack, listing the database contents on Oracle
Blind SQL injection with conditional responses
Blind SQL injection with conditional errors
Blind SQL injection with time delays
Blind SQL injection with time delays and information retrieval
Blind SQL injection with out-of-band interaction
Blind SQL injection with out-of-band data exfiltration
SQL injection with filter bypass via XML encoding

CSRF

Introduction
CSRF vulnerability with no defenses
CSRF where token validation depends on request method
CSRF where token validation depends on token being present
CSRF where token is not tied to user session
CSRF where token is tied to non-session cookie
CSRF where token is duplicated in cookie
SameSite Lax bypass via method override
SameSite Strict bypass via client-side redirect
SameSite Strict bypass via sibling domain
SameSite Lax bypass via cookie refresh
CSRF where Referer validation depends on header being present
CSRF with broken Referer validation

Clickjacking

Introduction
Basic clickjacking with CSRF token protection
Clickjacking with form input data prefilled from a URL parameter
Clickjacking with a frame buster script
Exploiting clickjacking vulnerability to trigger DOM-based XSS
Multistep clickjacking

DOM-based vulns

Introduction
DOM XSS using web messages
DOM XSS using web messages and a JavaScript URL
DOM XSS using web messages and JSON.parse
DOM-based open redirection
DOM-based cookie manipulation
Exploiting DOM clobbering to enable XSS
Clobbering DOM attributes to bypass HTML filters

CORS

Introduction
CORS vulnerability with basic origin reflection
CORS vulnerability with trusted null origin
CORS vulnerability with trusted insecure protocols
CORS vulnerability with internal network pivot attack

XXE

Introduction
Exploiting XXE using external entities to retrieve files
Exploiting XXE to perform SSRF attacks
Blind XXE with out-of-band interaction
Blind XXE with out-of-band interaction via XML parameter entities
Exploiting blind XXE to exfiltrate data using a malicious external DTD
Exploiting blind XXE to retrieve data via error messages
Exploiting XInclude to retrieve files
Exploiting XXE via image file upload
Exploiting XXE to retrieve data by repurposing a local DTD

SSRF

Introduction
Basic SSRF against the local server
Basic SSRF against another back-end system
SSRF with blacklist-based input filter
SSRF with filter bypass via open redirection vulnerability
Blind SSRF with out-of-band detection
SSRF with whitelist-based input filter
Blind SSRF with Shellshock exploitation

HTTP request smuggling

Introduction
HTTP request smuggling, basic CL.TE vulnerability
HTTP request smuggling, basic TE.CL vulnerability
HTTP request smuggling, obfuscating the TE header
HTTP request smuggling, confirming a CL.TE vulnerability via differential responses
HTTP request smuggling, confirming a TE.CL vulnerability via differential responses
Exploiting HTTP request smuggling to bypass front-end security controls, CL.TE vulnerability
Exploiting HTTP request smuggling to bypass front-end security controls, TE.CL vulnerability
Exploiting HTTP request smuggling to reveal front-end request rewriting
Exploiting HTTP request smuggling to capture other users’ requests
Exploiting HTTP request smuggling to deliver reflected XSS
Response queue poisoning via H2.TE request smuggling
H2.CL request smuggling
HTTP/2 request smuggling via CRLF injection
HTTP/2 request splitting via CRLF injection
CL.0 request smuggling
Exploiting HTTP request smuggling to perform web cache poisoning
Exploiting HTTP request smuggling to perform web cache deception
Bypassing access controls via HTTP/2 request tunnelling
Web cache poisoning via HTTP/2 request tunnelling
Client-side desync
Browser cache poisoning via client-side desync
Server-side pause-based request smuggling

OS command injection

Introduction
OS command injection, simple case
Blind OS command injection with time delays
Blind OS command injection with output redirection
Blind OS command injection with out-of-band interaction
Blind OS command injection with out-of-band data exfiltration

SSTI

Introduction
Basic server-side template injection
Basic server-side template injection (code context)
Server-side template injection using documentation
Server-side template injection in an unknown language with a documented exploit
Server-side template injection with information disclosure via user-supplied objects
Server-side template injection in a sandboxed environment
Server-side template injection with a custom exploit

Directory traversal

Introduction
File path traversal, simple case
File path traversal, traversal sequences blocked with absolute path bypass
File path traversal, traversal sequences stripped non-recursively
File path traversal, traversal sequences stripped with superfluous URL-decode
File path traversal, validation of start of path
File path traversal, validation of file extension with null byte bypass

Access control vulnerabilities

Introduction
Unprotected admin functionality
Unprotected admin functionality with unpredictable URL
User role controlled by request parameter
User role can be modified in user profile
User ID controlled by request parameter
User ID controlled by request parameter, with unpredictable user IDs
User ID controlled by request parameter with data leakage in redirect
User ID controlled by request parameter with password disclosure
Insecure direct object references
URL-based access control can be circumvented
Method-based access control can be circumvented
Multistep process with no access control on one step
Referer-based access control

Authentication

Introduction
Username enumeration via different responses
2FA simple bypass
Password reset broken logic
Username enumeration via subtly different responses
Username enumeration via response timing
Broken brute-force protection, IP block
Username enumeration via account lock
2FA broken logic
Brute-forcing a stay-logged-in cookie
Offline password cracking
Password reset poisoning via middleware
Password brute-force via password change
Broken brute-force protection, multiple credentials per request
2FA bypass using a brute-force attack

Websockets

Introduction
Manipulating WebSocket messages to exploit vulnerabilities
Manipulating the WebSocket handshake to exploit vulnerabilities
Cross-site WebSocket hijacking

Web cache poisoning

Introduction
Web cache poisoning with an unkeyed header
Web cache poisoning with an unkeyed cookie
Web cache poisoning with multiple headers
Targeted web cache poisoning using an unknown header
Web cache poisoning via an unkeyed query string
Web cache poisoning via an unkeyed query parameter
Parameter cloaking
Web cache poisoning via a fat GET request
URL normalisation
Web cache poisoning to exploit a DOM vulnerability via a cache with strict cacheability criteria
Combining web cache poisoning vulnerabilities
Cache key injection
Internal cache poisoning

Insecure deserialisation

Introduction
Modifying serialised objects
Modifying serialised data types
Using application functionality to exploit insecure deserialisation
Arbitrary object injection in PHP
Exploiting Java deserialisation with Apache Commons
Exploiting PHP deserialisation with a pre-built gadget chain
Exploiting Ruby deserialisation using a documented gadget chain
Developing a custom gadget chain for Java deserialisation
Developing a custom gadget chain for PHP deserialisation
Using PHAR deserialisation to deploy a custom gadget chain

Information disclosure

Introduction
Information disclosure in error messages
Information disclosure on debug page
Source code disclosure via backup files
Authentication bypass via information disclosure
Information disclosure in version control history

Business logic vulnerabilities

Introduction
Excessive trust in client-side controls
High-level logic vulnerability
Inconsistent security controls
Flawed enforcement of business rules
Low-level logic flaw
Inconsistent handling of exceptional input
Weak isolation on dual-use endpoint
Insufficient workflow validation
Authentication bypass via flawed state machine
Infinite money logic flaw
Authentication bypass via encryption oracle

HTTP Host header attacks

Introduction
Basic password reset poisoning
Host header authentication bypass
Web cache poisoning via ambiguous requests
Routing-based SSRF
SSRF via flawed request parsing
Host validation bypass via connection state attack
Password reset poisoning via dangling markup

OAuth authentication

Introduction
Authentication bypass via OAuth implicit flow
Forced OAuth profile linking
OAuth account hijacking via redirect_uri
Stealing OAuth access tokens via an open redirect
SSRF via OpenID dynamic client registration
Stealing OAuth access tokens via a proxy page

File upload vulnerabilities

Introduction
Remote code execution via web shell upload
Web shell upload via Content-Type restriction bypass
Web shell upload via path traversal
Web shell upload via extension blacklist bypass
Web shell upload via obfuscated file extension
Remote code execution via polyglot web shell upload
Web shell upload via race condition

JWT

Introduction
JWT authentication bypass via unverified signature
JWT authentication bypass via flawed signature verification
JWT authentication bypass via weak signing key
JWT authentication bypass via jwk header injection
JWT authentication bypass via jku header injection
JWT authentication bypass via kid header path traversal
JWT authentication bypass via algorithm confusion
JWT authentication bypass via algorithm confusion with no exposed key

Prototype pollution

Introduction
DOM XSS via client-side prototype pollution
DOM XSS via an alternative prototype pollution vector
Client-side prototype pollution via flawed sanitisation
Client-side prototype pollution in third-party libraries
Client-side prototype pollution via browser APIs
Privilege escalation via server-side prototype pollution
Detecting server-side prototype pollution without polluted property reflection
Bypassing flawed input filters for server-side prototype pollution
Remote code execution via server-side prototype pollution
Exfiltrating sensitive data via server-side prototype pollution

A canopy of apple-blossom

Ty Myrddin Home
Unseen University
Improbability Blog
About
Contact

Introduction

What?

RootMe

Why?

The fast, easy, and very affordable way to test hacking skills.

How?

HTML disabled buttons
Javascript authentication
Javascript source
Javascript native code
XSS stored 1
CSP bypass inline
CSRF: zero protection

Previous Next

Unseen University, 2024, with a forest garden fostered by /ut7.