Attacks and Vulnerabilities

Broken Authentication

Broken Links

Browser Attacks

Business logic flaws

Bypass Methodology

Clickjacking

Command Injection

CORS Misconfiguration

CORS Bypass

Cross Site Leaks

CSRF - Cross Site Request Forgery

Carriage Return and Line Feed Injection

Client Side Template Injection

Client Side Template Injection Scanner - ACSTIS helps you to scan certain web applications for AngularJS Client-Side Template Injection (sometimes referred to as CSTI, sandbox escape or sandbox bypass). It supports scanning a single request but also crawling the entire web application for the AngularJS CSTI vulnerability.

CSV Injection

Dependency Confusion

Deserialization Attacks

Directory Traversal

Directory traversal (also known as file path traversal) is a web security vulnerability that allows an attacker to read arbitrary files on the server that is running an application. This might include application code and data, credentials for back-end systems, and sensitive operating system files.

Basics

  • Simple attack
    • Linux system - ../../../etc/passwd
    • Windows system - ..\..\..\windows\win.ini
  • Absolute path from filesystem without traversal sequences
    • filename=/etc/passwd
    • Works when the application joins the parameter onto a base directory with a path API that discards the base as soon as the parameter is absolute.
  • Nested traversal sequences
    • ....// or ....\/ becomes ../ again when a filter strips ../ in a single, non-recursive pass
    • ....//....//....//etc/passwd
  • Non-standard encoding
    • You might be able to use various non-standard encodings, such as ..%c0%af or ..%252f, to bypass the input filter. ..%c0%af is ../ with an overlong UTF-8 encoding of the slash, which only lenient decoders accept; ..%252f is ../ URL-encoded twice, which survives a filter that decodes once and is then decoded again by the application.
    • ..%252f..%252f..%252fetc/passwd
  • Valid start of path/base folder
    • filename=/var/www/images/../../../etc/passwd
    • Defeats a check that only verifies the supplied path begins with the expected base directory.
  • File extension null byte bypass
    • If an application requires that the user-supplied filename must end with an expected file extension, such as .png, then it might be possible to use a null byte to effectively terminate the file path before the required extension. This only works where the NUL reaches a C-string based file API; modern runtimes reject it (PHP has since 5.3.4).
    • filename=../../../etc/passwd%00.png
  • dotdotpwn - DotDotPwn is a very flexible intelligent fuzzer to discover directory traversal vulnerabilities in software such as HTTP/FTP/TFTP servers, Web platforms such as CMSs, ERPs, Blogs, etc.
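As an added example (not code from the original page), the following Python models why the bypasses listed above work: a resolver that strips ../ once, URL-decodes again and joins with a path API, beside a hardened resolver that normalises first and then checks containment. BASE_DIR, the payload values and the framework_decode step are assumptions; paths are handled lexically, so it runs offline without touching the filesystem.

```python
"""Added example, not from the original page: why the filter bypasses listed
above work, shown against a typical broken path resolver and a hardened one.
BASE_DIR and the /etc/passwd target are assumptions; all paths are normalised
lexically, so nothing touches the real filesystem."""
import posixpath
from typing import Optional
from urllib.parse import unquote

BASE_DIR = "/var/www/images"  # assumed directory the application serves files from


def framework_decode(raw_query_value: str) -> str:
    """What a web framework hands the application: one URL-decode pass."""
    return unquote(raw_query_value)


def vulnerable_resolve(param: str) -> str:
    """Broken defence: strip '../' once, URL-decode AGAIN, then join onto BASE_DIR.

    Each step maps to a bypass in the list above:
    - a single non-recursive strip turns '....//' back into '../';
    - decoding after the check turns '..%2f' (from '..%252f' on the wire) into '../';
    - posixpath.join discards BASE_DIR when the filename is absolute.
    """
    cleaned = param.replace("../", "")   # one pass only
    cleaned = unquote(cleaned)           # second decode re-creates '../'
    return posixpath.normpath(posixpath.join(BASE_DIR, cleaned))


def hardened_resolve(param: str) -> str:
    """Resolve first, then check containment; no pattern stripping, no re-decoding."""
    if "\x00" in param:
        # C-string file APIs stop at NUL; refuse it instead of letting it truncate
        raise ValueError("embedded NUL in filename")
    candidate = posixpath.normpath(posixpath.join(BASE_DIR, param))
    # On a live system also apply os.path.realpath so a symlink inside BASE_DIR
    # cannot point outside it; normpath keeps this example offline.
    if posixpath.commonpath([BASE_DIR, candidate]) != BASE_DIR:
        raise PermissionError(f"refusing path outside {BASE_DIR}: {candidate}")
    return candidate


def hardened_result(param: str) -> Optional[str]:
    """Resolved path, or None when hardened_resolve refuses the input."""
    try:
        return hardened_resolve(param)
    except (ValueError, PermissionError):
        return None


def escapes_base(resolved: str) -> bool:
    """True when a resolved path lies outside BASE_DIR."""
    return posixpath.commonpath([BASE_DIR, resolved]) != BASE_DIR


# Constructed query-string values as they would appear on the wire.
PAYLOADS = {
    "simple": "../../../etc/passwd",
    "absolute": "/etc/passwd",
    "nested": "....//....//....//etc/passwd",
    "double_encoded": "..%252f..%252f..%252fetc/passwd",
}


def run_cases() -> dict:
    """Map payload name -> (vulnerable path, vulnerable escaped?, hardened path or None)."""
    results = {}
    for name, raw in PAYLOADS.items():
        param = framework_decode(raw)
        vuln_path = vulnerable_resolve(param)
        results[name] = (vuln_path, escapes_base(vuln_path), hardened_result(param))
    return results


if __name__ == "__main__":
    for name, (path, escaped, hardened) in run_cases().items():
        print(f"{name:15} vulnerable={path!r:45} escaped={escaped} hardened={hardened!r}")
```

Only the plain ../ payload is stopped by the stripping filter; the other three reach /etc/passwd. The hardened resolver never reaches it: the nested and double-encoded inputs simply become odd file names inside BASE_DIR, and the absolute path and the NUL are refused outright. Allowlisting the permitted file names is still preferable to any path arithmetic where the set of files is known.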

Resources

File Inclusion Vulnerabilities

File inclusion vulnerabilities allow an attacker to include a file into the application's running code. Reading files is only half of the exploit: to execute code through an inclusion, the included file must contain our payload, so we also need a way to write that payload somewhere the application can include it, for example a log file the server writes or a file we can upload.

Identification

  • Discovered the same way as directory traversals
  • Locate parameters you can manipulate and attempt to use them to load arbitrary files
  • We take it one step further and attempt to execute the contents of the file within the application
  • Local file inclusions (LFI) occur when the included file is loaded from the same web server.
    • http://10.11.0.22/menu.php?file=c:\xampp\apache\logs\access.log&cmd=ipconfig
    • Including the web server's access log only yields execution if a PHP payload that runs the cmd parameter was first written into that log, e.g. by sending it in the User-Agent header of an earlier request (log poisoning).
  • Remote file inclusions (RFI) occur when a file is loaded from an external source, such as a URL the attacker controls; in PHP this requires allow_url_include to be enabled.
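The access.log example above only works once a PHP payload has been written into the log. As an added example, not from the original page, here is detection logic for that chain run over constructed Apache combined-format log lines: it flags traversal sequences (including the encoded forms from the traversal section), references to log or system files in query values, PHP open tags landing in logged fields such as User-Agent, and an inclusion request that also carries a cmd parameter, then correlates poisoning and inclusion by client IP. The IPs, timestamps, the cmd parameter name and the poison payload are constructed for the sample.

```python
"""Added example, not from the original page: detection of the LFI log-poisoning
chain behind the access.log example above, over constructed Apache combined-format
log lines. IPs, timestamps, the 'cmd' parameter name and the payload are assumed."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Apache combined format: host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# '../' and '..\' plus the encoded spellings from the traversal section
TRAVERSAL_RE = re.compile(r"\.\./|\.\.\\|\.\.%2f|\.\.%5c|\.\.%252f|%c0%af", re.IGNORECASE)
# a PHP open tag landing in a logged field is the poisoning write
PHP_TAG_RE = re.compile(r"<\?(php|=)", re.IGNORECASE)
# files an LFI is typically pointed at: the server's own logs or OS files
SENSITIVE_FILE_RE = re.compile(r"access\.log|error\.log|/etc/passwd|win\.ini", re.IGNORECASE)
COMMAND_PARAM = "cmd"  # assumed name of the command channel, as in the example above


def analyse_line(line: str):
    """Return (client ip, [findings]) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    findings = []
    target = rec["target"]
    decoded = unquote(unquote(target))  # two passes so %252f-style double encoding is seen
    if TRAVERSAL_RE.search(target) or TRAVERSAL_RE.search(decoded):
        findings.append("traversal-sequence")
    if any(PHP_TAG_RE.search(field) for field in (rec["ua"], rec["referer"], decoded)):
        findings.append("php-tag-in-logged-field")
    query = parse_qs(urlsplit(decoded).query, keep_blank_values=True)
    if any(SENSITIVE_FILE_RE.search(v) for values in query.values() for v in values):
        findings.append("sensitive-file-reference")
        if COMMAND_PARAM in query:
            findings.append("include-with-command-param")
    return rec["ip"], findings


def detect(lines):
    """Per-line findings plus the IPs that poisoned the log and then included it."""
    per_line = []
    poisoners = set()
    chains = set()
    for line in lines:
        parsed = analyse_line(line)
        if parsed is None:
            per_line.append(("unparsed", []))
            continue
        ip, findings = parsed
        if "php-tag-in-logged-field" in findings:
            poisoners.add(ip)
        # the same client later includes a sensitive file: the planted payload is being triggered
        if "sensitive-file-reference" in findings and ip in poisoners:
            chains.add(ip)
        per_line.append((ip, findings))
    return per_line, chains


# Constructed sample: one client probes traversal, plants a payload via User-Agent,
# then includes the access log with a command parameter; a second client is benign.
SAMPLE_LOG = [
    r'''203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /menu.php?file=about.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"''',
    r'''203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /menu.php?file=../../../etc/passwd HTTP/1.1" 200 1024 "-" "Mozilla/5.0"''',
    r'''203.0.113.7 - - [10/Oct/2023:13:55:41 +0000] "GET /menu.php?file=..%252f..%252f..%252fetc/passwd HTTP/1.1" 200 1024 "-" "Mozilla/5.0"''',
    r'''203.0.113.7 - - [10/Oct/2023:13:55:50 +0000] "GET / HTTP/1.1" 200 3002 "-" "<?php echo shell_exec($_GET['cmd']); ?>"''',
    r'''203.0.113.7 - - [10/Oct/2023:13:56:02 +0000] "GET /menu.php?file=c:\xampp\apache\logs\access.log&cmd=ipconfig HTTP/1.1" 200 20480 "-" "Mozilla/5.0"''',
    r'''198.51.100.2 - - [10/Oct/2023:13:57:00 +0000] "GET /images/logo.png HTTP/1.1" 200 4096 "-" "Mozilla/5.0"''',
]


if __name__ == "__main__":
    per_line, chains = detect(SAMPLE_LOG)
    for ip, findings in per_line:
        print(ip, findings)
    print("log-poisoning chains from:", sorted(chains))
```

The patterns are heuristics to be tuned per application (the parameter names and file paths that matter are yours, not the ones assumed here); the correlation step is what turns four noisy single-line hits into one confident finding.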

Tools

  • LFISuite - LFI Suite is a totally automatic tool able to scan and exploit Local File Inclusion vulnerabilities using many different methods of attack
  • Liffy - Local File Inclusion Exploitation tool.
  • Kadimus - Kadimus is a tool to check for and exploit LFI vulnerabilities, with a focus on PHP systems.
  • fimap - Fimap is a little python tool which can find, prepare, audit, exploit and even google automatically for local and remote file inclusion bugs in webapps.

Reference

File Upload

HTML Injection

HTTP Host Header Attacks

HTTP Request Smuggling

Input Fuzzing

  • Wfuzz - Powerful Web application content fuzzer.
  • FuzzDb - FuzzDB was created to increase the likelihood of finding application security vulnerabilities through dynamic application security testing.
  • ffuf - A super fast web fuzzer written in Go.
  • QsFuzz - Qsfuzz (Query String Fuzz) allows you to build your own rules to fuzz query strings and easily identify vulnerabilities.
  • AFLplusplus - The fuzzer afl++ is afl with community patches, qemu 5.1 upgrade, collision-free coverage, enhanced laf-intel & redqueen, AFLfast++ power schedules, MOpt mutators, unicorn_mode, and a lot more!

Insecure Direct Object Reference

LDAP Injection

Open Redirect Vulnerabilities

Prototype Pollution

  • ppfuzz - A fast tool to scan client-side prototype pollution vulnerability written in Rust.

Security Misconfigurations

Security misconfigurations include:

  • Poorly configured permissions on cloud services, like S3 buckets
  • Having unnecessary features enabled, like services, pages, accounts or privileges
  • Default accounts with unchanged passwords
  • Error messages that are overly detailed and allow an attacker to find out more about the system
  • Not using HTTP security headers, or revealing too much detail in the Server: HTTP header

Sidejacking

  • hamster-sidejack - Hamster is a tool for "sidejacking". It acts as a proxy server that replaces your cookies with session cookies stolen from somebody else, allowing you to hijack their sessions.

Sub-Domain Takeover

  • TKO-subs - A tool that can help detect and takeover subdomains with dead DNS records
  • Subjack - Subjack is a Subdomain Takeover tool written in Go designed to scan a list of subdomains concurrently and identify ones that are able to be hijacked.
  • Second-Order - Scans web applications for second-order subdomain takeover by crawling the app, and collecting URLs (and other data) that match some specific rules, or respond in a specific way.
  • Sub-Domain Takeovers - Bug Bounty Hunting Essentials, pg.159

SQL Injection

SSRF: Server Side Request Forgery

SSTI: Server Side Template Injection

X-Path Injection

Web Cache Poisoning

Web Man-In-The-Middle

  • Evilginx2 - Standalone man-in-the-middle attack framework used for phishing login credentials along with session cookies, allowing for the bypass of 2-factor authentication
  • MITM Proxy - Mitmproxy is your swiss-army knife for debugging, testing, privacy measurements, and penetration testing. It can be used to intercept, inspect, modify and replay web traffic such as HTTP/1, HTTP/2, WebSockets, or any other SSL/TLS-protected protocols.

Web Sockets

XXE - XML External Entity Attacks

XSS - Cross Site Scripting
