Logo

Testlab

  • Web application pentesting tools

Preparation

  • Reconnaissance
  • Enumeration

Notes on techniques

  • Introduction
  • Cross-site scripting (XSS)
  • Open redirection
  • Clickjacking
  • Cross-site request forgery (CSRF)
  • Insecure direct object references (IDOR)
  • SQL injection
  • Race conditions
  • Server-side request forgery (SSRF)
  • Insecure deserialisation
  • XML external entity (XXE) injection
  • Web cache poisoning
  • HTTP Request smuggling
  • Template injection (SSTI)
  • Directory traversal
  • Authentication vulnerabilities
  • Single-sign-on security (SSO)
  • Broken access control
  • Application logic errors
  • HTTP Host header attacks
  • Websocket vulnerabilities
  • Remote code execution (RCE)
  • Same-origin policy (SOP)
  • Information disclosure
  • File uploads
  • JSON web tokens attacks
  • Prototype pollution

TryHackMe rooms

  • Introduction
  • Picklerick

Web client

  • Introduction
  • HTML disabled buttons
  • Javascript authentication
  • Javascript source
  • Javascript native code
  • XSS stored 1
  • CSP bypass inline
  • CSRF: zero protection

Web server

  • Introduction
  • Insecure code management
  • Directory traversal
  • File upload: null byte
  • PHP assert()
  • PHP Filters
  • PHP Register globals
  • JWT Introduction
  • JWT (not) revoked token
  • JWT weak secret
  • Python: Server-side Template Injection Introduction
  • Command injection: filter bypass
  • Java: Server-side Template Injection (SSTI)
  • Local file inclusion
  • Local file inclusion: double encoding
  • PHP preg_replace
  • PHP type juggling
  • SQL injection: authentication
  • SQL injection: string
  • XSLT code execution
  • PHP path truncation
  • PHP serialisation
  • SQL injection: numeric
  • SQL injection: routed
  • SQL truncation
  • XPath injection: authentication
  • SQL injection: time-based

XSS

  • Introduction
  • Reflected XSS into HTML context with nothing encoded
  • Stored XSS into HTML context with nothing encoded
  • DOM XSS in document.write sink using source location.search
  • DOM XSS in innerHTML sink using source location.search
  • DOM XSS in jQuery anchor href attribute sink using location.search source
  • DOM XSS in jQuery selector sink using a hashchange event
  • Reflected XSS into attribute with angle brackets HTML-encoded
  • Stored XSS into anchor href attribute with double quotes HTML-encoded
  • Reflected XSS into a JavaScript string with angle brackets HTML encoded
  • DOM XSS in document.write sink using source location.search inside a select element
  • DOM XSS in AngularJS expression with angle brackets and double quotes HTML-encoded
  • Reflected DOM XSS
  • Stored DOM XSS
  • Exploiting cross-site scripting to steal cookies
  • Exploiting cross-site scripting to capture passwords
  • Exploiting XSS to perform CSRF
  • Reflected XSS into HTML context with most tags and attributes blocked
  • Reflected XSS into HTML context with all tags blocked except custom ones
  • Reflected XSS with some SVG markup allowed
  • Reflected XSS in canonical link tag
    • Description
    • Reproduction and proof of concept
  • Reflected XSS into a JavaScript string with single quote and backslash escaped
  • Reflected XSS into a JavaScript string with angle brackets and double quotes HTML-encoded and single quotes escaped
  • Stored XSS into onclick event with angle brackets and double quotes HTML-encoded and single quotes and backslash escaped
  • Reflected XSS into a template literal with angle brackets, single, double quotes, backslash and backticks Unicode-escaped
  • Reflected XSS with event handlers and href attributes blocked
  • Reflected XSS in a JavaScript URL with some characters blocked
  • Reflected XSS with AngularJS sandbox escape without strings
  • Reflected XSS with AngularJS sandbox escape and CSP
  • Reflected XSS protected by very strict CSP, with dangling markup attack
  • Reflected XSS protected by CSP, with CSP bypass

SQLi

  • Introduction
  • SQL injection vulnerability in WHERE clause allowing retrieval of hidden data
  • SQL injection vulnerability allowing login bypass
  • SQL injection UNION attack, determining the number of columns returned by the query
  • SQL injection UNION attack, finding a column containing text
  • SQL injection UNION attack, retrieving data from other tables
  • SQL injection UNION attack, retrieving multiple values in a single column
  • SQL injection attack, querying the database type and version on Oracle
  • SQL injection attack, querying the database type and version on MySQL and Microsoft
  • SQL injection attack, listing the database contents on non-Oracle databases
  • SQL injection attack, listing the database contents on Oracle
  • Blind SQL injection with conditional responses
  • Blind SQL injection with conditional errors
  • Blind SQL injection with time delays
  • Blind SQL injection with time delays and information retrieval
  • Blind SQL injection with out-of-band interaction
  • Blind SQL injection with out-of-band data exfiltration
  • SQL injection with filter bypass via XML encoding

CSRF

  • Introduction
  • CSRF vulnerability with no defenses
  • CSRF where token validation depends on request method
  • CSRF where token validation depends on token being present
  • CSRF where token is not tied to user session
  • CSRF where token is tied to non-session cookie
  • CSRF where token is duplicated in cookie
  • SameSite Lax bypass via method override
  • SameSite Strict bypass via client-side redirect
  • SameSite Strict bypass via sibling domain
  • SameSite Lax bypass via cookie refresh
  • CSRF where Referer validation depends on header being present
  • CSRF with broken Referer validation

Clickjacking

  • Introduction
  • Basic clickjacking with CSRF token protection
  • Clickjacking with form input data prefilled from a URL parameter
  • Clickjacking with a frame buster script
  • Exploiting clickjacking vulnerability to trigger DOM-based XSS
  • Multistep clickjacking

DOM-based vulns

  • Introduction
  • DOM XSS using web messages
  • DOM XSS using web messages and a JavaScript URL
  • DOM XSS using web messages and JSON.parse
  • DOM-based open redirection
  • DOM-based cookie manipulation
  • Exploiting DOM clobbering to enable XSS
  • Clobbering DOM attributes to bypass HTML filters

CORS

  • Introduction
  • CORS vulnerability with basic origin reflection
  • CORS vulnerability with trusted null origin
  • CORS vulnerability with trusted insecure protocols
  • CORS vulnerability with internal network pivot attack

XXE

  • Introduction
  • Exploiting XXE using external entities to retrieve files
  • Exploiting XXE to perform SSRF attacks
  • Blind XXE with out-of-band interaction
  • Blind XXE with out-of-band interaction via XML parameter entities
  • Exploiting blind XXE to exfiltrate data using a malicious external DTD
  • Exploiting blind XXE to retrieve data via error messages
  • Exploiting XInclude to retrieve files
  • Exploiting XXE via image file upload
  • Exploiting XXE to retrieve data by repurposing a local DTD

SSRF

  • Introduction
  • Basic SSRF against the local server
  • Basic SSRF against another back-end system
  • SSRF with blacklist-based input filter
  • SSRF with filter bypass via open redirection vulnerability
  • Blind SSRF with out-of-band detection
  • SSRF with whitelist-based input filter
  • Blind SSRF with Shellshock exploitation

HTTP request smuggling

  • Introduction
  • HTTP request smuggling, basic CL.TE vulnerability
  • HTTP request smuggling, basic TE.CL vulnerability
  • HTTP request smuggling, obfuscating the TE header
  • HTTP request smuggling, confirming a CL.TE vulnerability via differential responses
  • HTTP request smuggling, confirming a TE.CL vulnerability via differential responses
  • Exploiting HTTP request smuggling to bypass front-end security controls, CL.TE vulnerability
  • Exploiting HTTP request smuggling to bypass front-end security controls, TE.CL vulnerability
  • Exploiting HTTP request smuggling to reveal front-end request rewriting
  • Exploiting HTTP request smuggling to capture other users’ requests
  • Exploiting HTTP request smuggling to deliver reflected XSS
  • Response queue poisoning via H2.TE request smuggling
  • H2.CL request smuggling
  • HTTP/2 request smuggling via CRLF injection
  • HTTP/2 request splitting via CRLF injection
  • CL.0 request smuggling
  • Exploiting HTTP request smuggling to perform web cache poisoning
  • Exploiting HTTP request smuggling to perform web cache deception
  • Bypassing access controls via HTTP/2 request tunnelling
  • Web cache poisoning via HTTP/2 request tunnelling
  • Client-side desync
  • Browser cache poisoning via client-side desync
  • Server-side pause-based request smuggling

OS command injection

  • Introduction
  • OS command injection, simple case
  • Blind OS command injection with time delays
  • Blind OS command injection with output redirection
  • Blind OS command injection with out-of-band interaction
  • Blind OS command injection with out-of-band data exfiltration

SSTI

  • Introduction
  • Basic server-side template injection
  • Basic server-side template injection (code context)
  • Server-side template injection using documentation
  • Server-side template injection in an unknown language with a documented exploit
  • Server-side template injection with information disclosure via user-supplied objects
  • Server-side template injection in a sandboxed environment
  • Server-side template injection with a custom exploit

Directory traversal

  • Introduction
  • File path traversal, simple case
  • File path traversal, traversal sequences blocked with absolute path bypass
  • File path traversal, traversal sequences stripped non-recursively
  • File path traversal, traversal sequences stripped with superfluous URL-decode
  • File path traversal, validation of start of path
  • File path traversal, validation of file extension with null byte bypass

Access control vulnerabilities

  • Introduction
  • Unprotected admin functionality
  • Unprotected admin functionality with unpredictable URL
  • User role controlled by request parameter
  • User role can be modified in user profile
  • User ID controlled by request parameter
  • User ID controlled by request parameter, with unpredictable user IDs
  • User ID controlled by request parameter with data leakage in redirect
  • User ID controlled by request parameter with password disclosure
  • Insecure direct object references
  • URL-based access control can be circumvented
  • Method-based access control can be circumvented
  • Multistep process with no access control on one step
  • Referer-based access control

Authentication

  • Introduction
  • Username enumeration via different responses
  • 2FA simple bypass
  • Password reset broken logic
  • Username enumeration via subtly different responses
  • Username enumeration via response timing
  • Broken brute-force protection, IP block
  • Username enumeration via account lock
  • 2FA broken logic
  • Brute-forcing a stay-logged-in cookie
  • Offline password cracking
  • Password reset poisoning via middleware
  • Password brute-force via password change
  • Broken brute-force protection, multiple credentials per request
  • 2FA bypass using a brute-force attack

Websockets

  • Introduction
  • Manipulating WebSocket messages to exploit vulnerabilities
  • Manipulating the WebSocket handshake to exploit vulnerabilities
  • Cross-site WebSocket hijacking

Web cache poisoning

  • Introduction
  • Web cache poisoning with an unkeyed header
  • Web cache poisoning with an unkeyed cookie
  • Web cache poisoning with multiple headers
  • Targeted web cache poisoning using an unknown header
  • Web cache poisoning via an unkeyed query string
  • Web cache poisoning via an unkeyed query parameter
  • Parameter cloaking
  • Web cache poisoning via a fat GET request
  • URL normalisation
  • Web cache poisoning to exploit a DOM vulnerability via a cache with strict cacheability criteria
  • Combining web cache poisoning vulnerabilities
  • Cache key injection
  • Internal cache poisoning

Insecure deserialisation

  • Introduction
  • Modifying serialised objects
  • Modifying serialised data types
  • Using application functionality to exploit insecure deserialisation
  • Arbitrary object injection in PHP
  • Exploiting Java deserialisation with Apache Commons
  • Exploiting PHP deserialisation with a pre-built gadget chain
  • Exploiting Ruby deserialisation using a documented gadget chain
  • Developing a custom gadget chain for Java deserialisation
  • Developing a custom gadget chain for PHP deserialisation
  • Using PHAR deserialisation to deploy a custom gadget chain

Information disclosure

  • Introduction
  • Information disclosure in error messages
  • Information disclosure on debug page
  • Source code disclosure via backup files
  • Authentication bypass via information disclosure
  • Information disclosure in version control history

Business logic vulnerabilities

  • Introduction
  • Excessive trust in client-side controls
  • High-level logic vulnerability
  • Inconsistent security controls
  • Flawed enforcement of business rules
  • Low-level logic flaw
  • Inconsistent handling of exceptional input
  • Weak isolation on dual-use endpoint
  • Insufficient workflow validation
  • Authentication bypass via flawed state machine
  • Infinite money logic flaw
  • Authentication bypass via encryption oracle

HTTP Host header attacks

  • Introduction
  • Basic password reset poisoning
  • Host header authentication bypass
  • Web cache poisoning via ambiguous requests
  • Routing-based SSRF
  • SSRF via flawed request parsing
  • Host validation bypass via connection state attack
  • Password reset poisoning via dangling markup

OAuth authentication

  • Introduction
  • Authentication bypass via OAuth implicit flow
  • Forced OAuth profile linking
  • OAuth account hijacking via redirect_uri
  • Stealing OAuth access tokens via an open redirect
  • SSRF via OpenID dynamic client registration
  • Stealing OAuth access tokens via a proxy page

File upload vulnerabilities

  • Introduction
  • Remote code execution via web shell upload
  • Web shell upload via Content-Type restriction bypass
  • Web shell upload via path traversal
  • Web shell upload via extension blacklist bypass
  • Web shell upload via obfuscated file extension
  • Remote code execution via polyglot web shell upload
  • Web shell upload via race condition

JWT

  • Introduction
  • JWT authentication bypass via unverified signature
  • JWT authentication bypass via flawed signature verification
  • JWT authentication bypass via weak signing key
  • JWT authentication bypass via jwk header injection
  • JWT authentication bypass via jku header injection
  • JWT authentication bypass via kid header path traversal
  • JWT authentication bypass via algorithm confusion
  • JWT authentication bypass via algorithm confusion with no exposed key

Prototype pollution

  • Introduction
  • DOM XSS via client-side prototype pollution
  • DOM XSS via an alternative prototype pollution vector
  • Client-side prototype pollution via flawed sanitisation
  • Client-side prototype pollution in third-party libraries
  • Client-side prototype pollution via browser APIs
  • Privilege escalation via server-side prototype pollution
  • Detecting server-side prototype pollution without polluted property reflection
  • Bypassing flawed input filters for server-side prototype pollution
  • Remote code execution via server-side prototype pollution
  • Exfiltrating sensitive data via server-side prototype pollution
A canopy of apple-blossom
  • Ty Myrddin Home
  • Unseen University
  • Improbability Blog
  • About
  • Contact

Reflected XSS in canonical link tag

Description

The website in this lab reflects user input in a canonical link tag and escapes angle brackets. Note: The solution to this lab is only possible in Chrome.

Reproduction and proof of concept

  1. Visit the following URL, replacing lab-id with your lab ID:

https://0a8e007b03ebd129c06bf93500c800bd.web-security-academy.net/?%27accesskey=%27x%27onclick=%27alert(1)

This sets the X key as an access key for the whole page. When a user presses the access key, the alert function is called.

  1. To trigger the exploit, press one of the following key combinations:

  • On Windows: ALT+SHIFT+X

  • On MacOS: CTRL+ALT+X

  • On Linux: Alt+X

Previous Next
Unseen University, 2024, with a forest garden fostered by /ut7.