Broken Web Security
Author
Harish SG
Application web security researcher | Microsoft MSRC Top Security researcher | Incoming Cybersecurity graduate student at one of the top grad schools in US
@CoderHarish @harish-sg-31ba96171
Name of book: Demystifying Broken Web Security
Table of Contents
01 Introduction Page 7
03 XSS Page 9
04 CSRF Page 17
06 Clickjacking Page 29
09 OAuth Vulnerabilities Page 47
12 RCE Page 64
13 IDOR Page 67
16 SSRF Page 83
18 Thanks Note Page 87
Introduction
Before trying to learn web security, you first need to know how the internet and computers work. If you are reading this, I assume you already have a fair idea of how the internet and computer networks work. If you are a beginner who wants to start a career in information security, I recommend that you first understand how a computer, the internet, web servers and databases work from the inside, by searching online and reading the other books available on the internet; then, by reading this book, you can understand the concepts behind web vulnerabilities well.
Prerequisites for web security
Prerequisite requirements:
1. A computer with at least 4 GB of RAM, running any OS
2. A good internet connection
Prerequisite knowledge requirements:
1. Basic networking knowledge
2. Linux fundamentals
3. An understanding of how a website works
4. Python and JavaScript fundamentals
Prerequisite software requirements:
1. Burp Suite
2. Firefox browser
Cross site scripting or XSS
How does cross-site scripting (XSS) work?
Three main types of XSS attacks:
1. Reflected XSS
2. Stored XSS
3. DOM-based XSS
Analyze input vectors
Analyze each input vector to look for flaws. The tester usually sends specially constructed input through each vector to find an XSS vulnerability. Such input is normally harmless in itself, but it makes the browser respond in a way that exposes the vulnerability. Test data can be written by hand, taken from a predefined list of known attack strings, or generated by a web application fuzzer. Some examples of input data:
● <script>alert(123)</script>
● "><script>alert(document.cookie)</script>
Check impact:
The tester assesses each input sent in the previous step to see whether it indicates a vulnerability with a realistic impact on the application's security. This means searching the HTML of the resulting page for the test input and checking whether any special characters came back without being encoded, altered or filtered out.
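The two steps above as code. This is an added example, not code from the book: a reflected-XSS sink in the two contexts the probes target (a text node and a quoted attribute), the same page with output encoding, and the "check impact" step written as a function that reports which special characters came back unencoded. The search page and its markup are made up for the example.

```javascript
// Added example, not code from the book: a reflected-XSS sink, the same page
// with output encoding, and the "check impact" step from the text as a function.

// Encode the five characters that can break out of an HTML text node or a
// double/single-quoted attribute value.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable: the search term is interpolated into the markup twice, once in a
// text context and once inside a double-quoted value="" attribute.
function renderSearchVulnerable(q) {
  return `<h1>Results for ${q}</h1>\n<input type="text" value="${q}">`;
}

// Fixed: every interpolation is encoded before it reaches the page.
function renderSearchSafe(q) {
  const e = escapeHtml(q);
  return `<h1>Results for ${e}</h1>\n<input type="text" value="${e}">`;
}

// The probes from the text. The second one closes a quoted attribute first.
const PROBES = [
  '<script>alert(123)</script>',
  '"><script>alert(document.cookie)</script>',
];

// "Check impact": did the probe come back verbatim? If so, list the special
// characters that survived unencoded; an empty list means the sink encoded
// (or dropped) everything that matters.
function unencodedSurvivors(html, probe) {
  if (!html.includes(probe)) return [];
  return [...new Set(probe)].filter((c) => '<>"\'&'.includes(c));
}

// Run every probe through a render function and collect the verdicts.
function testSink(render) {
  return Object.fromEntries(PROBES.map((p) => [p, unencodedSurvivors(render(p), p)]));
}
```

testSink(renderSearchVulnerable) reports '<' and '>' surviving for the first probe and '"' for the second, i.e. both a text-context and an attribute-context injection, while testSink(renderSearchSafe) reports nothing. unencodedSurvivors only recognises a verbatim reflection; a real assessment also has to look at partially filtered reflections and at the context the input lands in, since a JavaScript string or a URL attribute needs a different encoding than HTML text.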
Interesting XSS HackerOne reports:
1. https://hackerone.com/reports/84601
2. https://hackerone.com/reports/29328
3. https://hackerone.com/reports/647130
4. https://hackerone.com/reports/1173040
5. https://hackerone.com/reports/751870
XSS vulnerable Code 3
Payload and Exploits
Cross site request forgery or CSRF
What is cross site request forgery or CSRF?
Cross-site request forgery (also known as CSRF) is
a web security flaw that allows an attacker to
induce users to perform actions that they do not
intend to perform. It allows an attacker to partly
circumvent the same origin policy, which is
designed to prevent different websites from
interfering with each other.
Three conditions are required for CSRF:
1. A relevant action. There is an action in the application that the attacker has a reason to induce. This might be a privileged action (such as changing other users' permissions) or any action on user-specific data (such as changing the user's own password).
2. Cookie-based session handling. Performing the action involves one or more HTTP requests, and the application relies solely on session cookies to identify the user who made them. There is no other mechanism for tracking sessions or validating user requests.
3. No unpredictable request parameters. The requests contain no parameter whose value the attacker cannot determine or guess, such as an anti-CSRF token.
Types of CSRF attack:
1. JSON based CSRF
2. HTML form based CSRF
Preventing CSRF attacks
CSRF attack HackerOne reports:
1. https://hackerone.com/reports/419891
2. https://hackerone.com/reports/152569
3. https://hackerone.com/reports/127703
4. https://hackerone.com/reports/148156
5. https://hackerone.com/reports/856518
CORS Misconfiguration
What is CORS misconfiguration?
CORS (cross-origin resource sharing) is a browser mechanism that lets a site grant controlled access to its resources from other origins. It relaxes the same-origin policy (SOP) in a selective way. However, if a website's CORS policy is carelessly defined or implemented, it opens the way to cross-domain attacks. Note that CORS is not a defence against cross-origin attacks such as cross-site request forgery (CSRF).
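An added example, not code from the book, of what "carelessly defined" looks like in practice: three server-side policies that each trust too much (origin reflection, prefix matching, and trusting the literal "null" origin), the strict allow-list that replaces them, and the classification a tester applies to a captured response. The origins are made up.

```javascript
// Added example, not code from the book. Three ways a server commonly gets
// CORS wrong, the strict allow-list that fixes them, and corsRisk(), the
// classification a tester applies to a captured response. Origins are made up.

const ALLOWED_ORIGINS = new Set(['https://app.example.com', 'https://admin.example.com']);

function allow(origin) {
  return { 'Access-Control-Allow-Origin': origin, 'Access-Control-Allow-Credentials': 'true' };
}

// Mistake 1: reflect the request's Origin. Every site on the web is trusted.
function corsReflectAny(origin) {
  return allow(origin);
}

// Mistake 2: prefix match. https://app.example.com.attacker.net passes.
function corsPrefixMatch(origin) {
  return [...ALLOWED_ORIGINS].some((o) => origin.startsWith(o)) ? allow(origin) : {};
}

// Mistake 3: trusting the literal "null" origin, which a sandboxed iframe
// (<iframe sandbox srcdoc=...>) on any attacker page can produce.
function corsTrustNull(origin) {
  return origin === 'null' || ALLOWED_ORIGINS.has(origin) ? allow(origin) : {};
}

// Fix: exact match against the allow-list, and Vary: Origin so a shared cache
// never serves one origin's ACAO header to another.
function corsStrict(origin) {
  if (!ALLOWED_ORIGINS.has(origin)) return {};   // no CORS headers: the browser blocks the read
  return { ...allow(origin), Vary: 'Origin' };
}

// Tester's view: given the Origin that was sent and the response headers,
// what can a page at sentOrigin read?
function corsRisk(sentOrigin, headers) {
  const acao = headers['Access-Control-Allow-Origin'];
  const creds = headers['Access-Control-Allow-Credentials'] === 'true';
  if (!acao) return 'none';
  if (acao === '*') return creds ? 'none (browsers reject * with credentials)' : 'anonymous-read';
  if (acao !== sentOrigin) return 'none';
  return creds ? 'credentialed-read' : 'anonymous-read';
}

// Run one probe origin through each policy side by side.
function compare(origin) {
  return {
    reflectAny: corsRisk(origin, corsReflectAny(origin)),
    prefixMatch: corsRisk(origin, corsPrefixMatch(origin)),
    trustNull: corsRisk(origin, corsTrustNull(origin)),
    strict: corsRisk(origin, corsStrict(origin)),
  };
}
```

'credentialed-read' for an origin you do not control is the finding: a page on that origin can issue an authenticated fetch() and read the response, which is the CORS equivalent of an authenticated data leak. When testing, send the probe origins against the real endpoint (not just the preflight OPTIONS) because many frameworks apply the policy differently to the two.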
Impact of CORS misconfiguration:
CORS HackerOne reports:
1. https://hackerone.com/reports/426165
2. https://hackerone.com/reports/758785
3. https://hackerone.com/reports/426147
4. https://hackerone.com/reports/769058
5. https://hackerone.com/reports/896093
CORS Misconfiguration exploits and resources
Clickjacking
What is clickjacking?
Clickjacking is an interface-based attack in which a user is tricked into clicking actionable content on a hidden website by clicking on decoy content layered over it. Consider the following example:
Impact of clickjacking:
1. The attacker can profit from the hijacked clicks in several ways. A common form of clickjacking overlays a fake login form: the user believes they are filling in a normal form, but is actually typing into fields the attacker has layered over the real UI. Attackers go after passwords, credit card numbers and any other sensitive information they can get.
2. An attacker may also redirect the clicks to download malware or to gain a foothold in important systems as the starting point of an APT. This is a serious problem for any organization that must protect sensitive data and intellectual property.
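An added example, not code from the book: the proof-of-concept page an assessor loads to show that a target can be framed under a decoy button, and the header check that tells you whether a response actually stops framing, including the rule that a CSP frame-ancestors directive overrides X-Frame-Options when both are present. The target URL is made up.

```javascript
// Added example, not code from the book. clickjackPoc() builds the page an
// assessor loads to prove a target can be framed under a decoy; framingPolicy()
// is the header check that tells you whether a response actually prevents that,
// including the rule that CSP frame-ancestors overrides X-Frame-Options when
// both are present. The target URL is made up.

function clickjackPoc(targetUrl, decoyText) {
  return `<!doctype html>
<style>
  /* near-invisible target on top, visible decoy underneath */
  iframe { position: absolute; top: 0; left: 0; width: 800px; height: 600px; opacity: 0.0001; z-index: 2; }
  #decoy { position: absolute; top: 300px; left: 200px; z-index: 1; }
</style>
<button id="decoy">${decoyText}</button>
<iframe src="${targetUrl}"></iframe>`;
}

// Source list of the frame-ancestors directive, or null when the CSP lacks it.
function frameAncestors(csp) {
  if (!csp) return null;
  const directive = csp.split(';').map((d) => d.trim()).find((d) => /^frame-ancestors(\s|$)/i.test(d));
  return directive ? directive.split(/\s+/).slice(1) : null;
}

// 'framable' | 'denied' | 'same-origin-only' | 'allow-list'
function framingPolicy(headers) {
  const h = Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
  // Only the enforcing CSP header counts; Content-Security-Policy-Report-Only blocks nothing.
  const fa = frameAncestors(h['content-security-policy']);
  if (fa) {
    if (fa.length === 0 || fa.includes("'none'")) return 'denied';
    if (fa.every((s) => s === "'self'")) return 'same-origin-only';
    if (fa.includes('*') || fa.some((s) => /^https?:$/.test(s))) return 'framable';
    return 'allow-list';
  }
  const xfo = String(h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return 'denied';
  if (xfo === 'SAMEORIGIN') return 'same-origin-only';
  return 'framable';   // absent, ALLOW-FROM (obsolete, ignored by current browsers) or an invalid value
}
```

A page whose only protection is a frame-busting script (top.location checks) still counts as framable for the purpose of this check, because the sandbox attribute on the attacker's iframe can disable that script; the headers are what the browser enforces.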
Clickjacking Exploit:
SQL Injection
The Express.js code snippet below is vulnerable to SQLi
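An added example, not the book's Express snippet: the string-concatenation pattern that makes such a handler injectable, next to the parameterised form a database driver expects, with a small structural check that makes the difference visible. Table and column names are made up.

```javascript
// Added example, not the book's Express snippet. loginQueryVulnerable() is the
// concatenation pattern the caption refers to; loginQueryParameterised() returns
// what a driver such as pg or mysql2 takes instead (statement text with
// placeholders plus a separate values array), so user input can never change the
// statement's structure. predicateCount() is a crude structural check used only
// to make the difference visible. Table and column names are made up.

function loginQueryVulnerable(user, pass) {
  return `SELECT id FROM users WHERE username = '${user}' AND password = '${pass}'`;
}

// pg-style placeholders; mysql2 would use '?' with the same values array.
function loginQueryParameterised(user, pass) {
  return {
    text: 'SELECT id FROM users WHERE username = $1 AND password = $2',
    values: [user, pass],
  };
}

// Number of predicates in the WHERE clause. The developer wrote two; anything
// else means the input rewrote the statement.
function predicateCount(sql) {
  const where = sql.split(/\bWHERE\b/i)[1] || '';
  return where.split(/\b(?:AND|OR)\b/i).length;
}

// The classic tautology: closes the string literal, adds an always-true
// predicate, and comments out the rest of the statement (including the
// password check).
const TAUTOLOGY = "' OR 1=1 --";
```

With the tautology as the username, the concatenated statement gains a third predicate and loses its password check, while the parameterised form keeps two predicates and carries the payload only as a bound value. Escaping input is not a substitute: bound parameters are sent to the database separately from the statement text, so they are never parsed as SQL.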
NoSQL Injection
What is NoSQL injection?
A NoSQL injection vulnerability is a flaw in a web application that uses a NoSQL database. An attacker can exploit it to bypass authentication, extract data, modify data or even take complete control of the application.
Types of NoSQL injection attacks:
1. Tautologies
2. Union queries
3. JavaScript injections
4. Piggybacked queries
5. Cross-origin violation
The JS code snippet below is vulnerable to a NoSQLi authentication bypass
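An added example, not the book's snippet, of the authentication bypass named above (a tautology, type 1 in the list): a minimal in-memory matcher that implements the MongoDB operators needed to show the attack, a login that passes the parsed JSON body straight into the filter, and the fix, which refuses anything that is not a string. The user records are made up.

```javascript
// Added example, not the book's snippet. A minimal in-memory matcher for the
// subset of MongoDB query operators needed to show the attack ($ne, $gt,
// $regex), the login function the chapter calls vulnerable (it passes the
// parsed JSON body straight into the filter), and the fix (type-check before
// building the filter). Users are made up.

const USERS = [
  { username: 'admin', password: 'S3cret!long', role: 'admin' },
  { username: 'alice', password: 'alicepw', role: 'user' },
];

// Evaluates one field's condition the way MongoDB would for the operators modelled here.
function fieldMatches(actual, cond) {
  if (cond !== null && typeof cond === 'object' && !Array.isArray(cond)) {
    return Object.entries(cond).every(([op, arg]) => {
      switch (op) {
        case '$ne': return actual !== arg;
        case '$gt': return actual > arg;
        case '$regex': return new RegExp(arg).test(String(actual));
        default: throw new Error('unsupported operator ' + op);
      }
    });
  }
  return actual === cond;            // plain equality
}

function findOne(collection, filter) {
  return collection.find((doc) =>
    Object.entries(filter).every(([k, cond]) => fieldMatches(doc[k], cond))) || null;
}

// Vulnerable: body comes from express.json(), so "password" may be an object
// such as {"$ne": ""}, which turns the equality check into a tautology.
function loginVulnerable(body) {
  return findOne(USERS, { username: body.username, password: body.password });
}

// Fixed: only strings may reach the filter; operator objects are rejected.
function loginFixed(body) {
  if (typeof body.username !== 'string' || typeof body.password !== 'string') {
    return null;
  }
  return findOne(USERS, { username: body.username, password: body.password });
}
```

The same bug is reachable through URL-encoded bodies when the framework's query-string parser builds nested objects, since password[$ne]= becomes {password: {$ne: ''}}. The $regex case shows why the impact is more than a login bypass: a password hash or token can be recovered one character at a time by observing which prefixes log in.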
OAuth Vulnerabilities
What is OAuth?
OAuth is an open-standard authorisation framework that enables "secure delegated access" in applications. For example, you can tell Facebook that it is OK for canva.com to access your profile and post updates to your timeline without giving canva.com your Facebook password. This significantly reduces risk: even if canva.com suffers a security breach, your Facebook password is not exposed.
How does OAuth 2.0 work?
OAuth 2.0 was designed to let applications share access to specific data. It works by defining a set of interactions between three parties: a client application, a resource owner and an OAuth service provider.
● Client application - the website or web application that wants to access the user's data.
● Resource owner - the user whose data the client application wants to access.
● OAuth service provider - the website or application that controls the user's data and access to it.
How is OAuth used for authentication?
1. The user chooses to log in with their social media account. The client application then asks the social media site's OAuth service for access to some data that it can use to identify the user; this might be the email address associated with their account.
SAML Vulnerabilities
What is SAML?
How does SAML work?
A typical SAML authentication process involves these three parties:
1. Principal (the user)
2. Identity provider
3. Service provider
Command line Injection
1. https://hackerone.com/reports/685447
2. https://hackerone.com/reports/497312
3. https://hackerone.com/reports/690010
4. https://hackerone.com/reports/303061
5. https://hackerone.com/reports/680480
In the code snippet below, an attacker can inject shell commands as input to subvert the intended purpose of the website.
Remote Code Execution
What is RCE or Remote Code Execution?
1. Out-of-bounds
2. Injection
3. Deserialization attack
Code snippet vulnerable to the infamous Log4j RCE
Insecure Direct Object Reference (IDOR)
Types of IDOR:
1. Numerical IDOR
2. Alphanumerical IDOR
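An added example, not code from the book, of the numerical case: an invoice endpoint that authenticates the caller but never checks that the requested id belongs to them, the fixed version that makes the owner part of the lookup, and the id sweep a tester runs to find the leak. The invoice data and session shape are made up.

```javascript
// Added example, not code from the book. An invoice endpoint that trusts the
// numeric id in the URL (the "numerical IDOR" above), the fixed version that
// scopes the lookup to the authenticated user, and a small walk of adjacent
// ids such as a tester would do. Data is made up.

const INVOICES = [
  { id: 1001, owner: 'alice', total: 120.0 },
  { id: 1002, owner: 'bob',   total: 75.5 },
  { id: 1003, owner: 'alice', total: 9.99 },
];

// Vulnerable: authentication happened upstream, but authorization never does.
function getInvoiceVulnerable(session, id) {
  if (!session.user) return { status: 401 };
  const inv = INVOICES.find((i) => i.id === Number(id));
  return inv ? { status: 200, body: inv } : { status: 404 };
}

// Fixed: the owner is part of the lookup key, not an afterthought. Return 404
// for both "missing" and "not yours" so ids cannot be enumerated by status code.
function getInvoiceFixed(session, id) {
  if (!session.user) return { status: 401 };
  const inv = INVOICES.find((i) => i.id === Number(id) && i.owner === session.user);
  return inv ? { status: 200, body: inv } : { status: 404 };
}

// Tester's sweep: as one user, request a window of ids around one you own and
// report which ids returned someone else's record.
function enumerate(handler, session, fromId, toId) {
  const leaked = [];
  for (let id = fromId; id <= toId; id++) {
    const r = handler(session, id);
    if (r.status === 200 && r.body.owner !== session.user) leaked.push(id);
  }
  return leaked;
}
```

The alphanumerical case differs only in how the tester obtains ids: UUIDs cannot be swept, but they routinely leak through other endpoints, exports, or referrer headers, and the fix is the same ownership check. The rule to apply during review is that every lookup by client-supplied id must be filtered by the caller's identity or by an explicit access-control check, never by the fact that the id is hard to guess.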
Articles and blog posts:
1. https://corneacristian.medium.com/top-25-idor-bug-bounty-reports-ba8cd59ad331
2. https://medium.com/@aysebilgegunduz/everything-you-need-to-know-about-idor-insecure-direct-object-references-375f83e03a87
3. https://medium.com/armourinfosec/idor-a-tale-of-account-takeover-77d9066a8055
Directory Traversal
Open Redirect
What is Open Redirect?
An open redirect vulnerability exists when the destination of a redirect is supplied by the client and is not filtered or validated.
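An added example, not code from the book, of the validation the sentence above says is missing: a function that accepts only a path on the current site and falls back to a fixed page for anything else, covering the bypass shapes that defeat a naive "starts with /" check. The site origin is made up.

```javascript
// Added example, not code from the book. safeRedirectTarget() is the
// validation the text says is missing: it accepts only a path on the current
// site and falls back to a fixed page for anything else, covering the bypass
// shapes that defeat naive "starts with /" checks. The site origin is made up.

const SITE_ORIGIN = 'https://shop.example';

// Returns an absolute URL on SITE_ORIGIN. Resolving `next` against the site
// origin and then comparing origins catches protocol-relative (//evil.example),
// backslash (\\evil.example and /\evil.example, which browsers read as //),
// scheme (javascript:, https://evil.example) and userinfo
// (https://shop.example@evil.example) forms in one step; the string checks
// are belt and braces for parsers that differ from the browser's.
function safeRedirectTarget(next, fallback = '/') {
  const safe = SITE_ORIGIN + fallback;
  if (typeof next !== 'string' || !next.startsWith('/')) return safe;   // only site-relative paths
  if (next.startsWith('//') || next.startsWith('/\\')) return safe;      // would become an authority
  let u;
  try { u = new URL(next, SITE_ORIGIN); } catch { return safe; }
  if (u.origin !== SITE_ORIGIN) return safe;                             // parser moved us off-site
  return u.href;
}

// Cases a tester tries against a ?next= parameter, for comparison.
const BYPASS_ATTEMPTS = [
  '//evil.example', '\\\\evil.example', '/\\evil.example',
  'javascript:alert(1)', 'https://evil.example', 'https://shop.example@evil.example/',
];
```

Where the application must redirect to other sites (a partner list, for instance), replace the origin comparison with an exact allow-list of destination origins; a deny-list of known bad hosts or a substring check on the domain name is what produces most open redirects in the first place.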
Server Side Request Forgery
Mitigations for SSRF:
1. Validate the input URL
2. Sanitize the input URL
3. Maintain an allow-list and check the URL against it before fetching it
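The three mitigations as one function, added here as an example that is not code from the book: parse and normalise the URL (validate), reduce it to scheme, host and path (sanitise), and require the host to be on an allow-list. It also shows why an allow-list is not enough on its own for user-supplied hosts: the private-address check covers the IP-literal forms attackers use to reach localhost or link-local metadata, including the hex and decimal spellings that the WHATWG URL parser normalises. The allowed hosts are made up.

```javascript
// Added example, not code from the book. The three mitigations above as one
// function: parse and normalise the URL (validate), reduce it to scheme, host
// and path (sanitise), and require the host to be on an allow-list. The
// private-address check covers the IP-literal forms attackers use to reach
// localhost or link-local metadata. Hosts are made up.

const ALLOWED_HOSTS = new Set(['images.example.com', 'cdn.example.com']);

// Is this dotted IPv4 literal in a range an outbound fetch must never touch?
function isPrivateIPv4(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  const a = Number(m[1]), b = Number(m[2]);
  return a === 10 || a === 127 || a === 0 ||
         (a === 172 && b >= 16 && b <= 31) ||
         (a === 192 && b === 168) ||
         (a === 169 && b === 254);       // link-local, including cloud metadata at 169.254.169.254
}

function isPrivateIPv6(host) {
  const h = host.replace(/^\[|\]$/g, '').toLowerCase();
  return h === '::1' || h === '::' || h.startsWith('fc') || h.startsWith('fd') ||
         h.startsWith('fe80') || h.startsWith('::ffff:');   // ::ffff: is the IPv4-mapped form
}

// Returns the URL that may be fetched, or throws with the reason.
function validateOutboundUrl(input) {
  let u;
  try { u = new URL(input); } catch { throw new Error('unparseable url'); }
  if (u.protocol !== 'https:') throw new Error('scheme not allowed');      // no file:, gopher:, http:
  if (u.username || u.password) throw new Error('userinfo not allowed');   // https://allowed.host@evil trick
  if (u.port) throw new Error('port not allowed');
  // The WHATWG parser has already turned 0x7f000001, 2130706433 and 127.1 into 127.0.0.1.
  const host = u.hostname;
  if (isPrivateIPv4(host) || isPrivateIPv6(host)) throw new Error('private address');
  if (!ALLOWED_HOSTS.has(host)) throw new Error('host not on allow-list');
  return `${u.protocol}//${host}${u.pathname}${u.search}`;   // sanitised: fragment, port, userinfo dropped
}
```

Two caveats a practitioner would add. First, the allow-listed name is resolved at fetch time, so an attacker who controls DNS for an allowed host (or who finds one that rebinds) can still point it at an internal address; the robust pattern resolves the name, applies the private-address check to every returned IP, and connects to that IP with the Host header set. Second, redirects must be disabled or re-validated on every hop, because an allowed host that redirects to http://169.254.169.254/ otherwise bypasses everything above.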
Author's thanks note
On 10th April 2021, I had a painful MS Teams call with a person whose name I don't want to share. That call motivated me to start working to stop privacy breaches, stalking etc. First of all, I would like to thank that person for rejecting me or ignoring me, which eventually made me work hard on cybersecurity and privacy.