Broken Web Security

About the Author

Harish SG
Application web security researcher | Microsoft MSRC Top Security Researcher | Incoming cybersecurity graduate student at one of the top grad schools in the US

@CoderHarish @harish-sg-31ba96171

NAME OF BOOK - Demystifying Broken Web Security

Published by - Harish SG. Copyright © 2022. All rights reserved.

No part of this e-book may be reproduced or used in any manner without the prior written permission of the copyright owner, except for the use of brief quotations in a book review or as permitted by copyright law. For permissions contact - [email protected]

A collection of vulnerable code snippets, payloads, blog post links and article links taken from around the internet. Snippets taken from various blog posts, books, resources, etc. No copyright infringement intended.

Content in the blog posts linked in this book belongs to the respective authors.

Table of Contents

01 Introduction Page 7
02 Understanding how things work Page 8
03 XSS Page 9
04 CSRF Page 17
05 CORS Misconfiguration Page 24
06 Clickjacking Page 29
07 SQL Injection Page 34
08 MongoDB Injection Page 41

09 OAuth Vulnerabilities Page 47
10 SAML Vulnerabilities Page 53
11 Command line Injection Page 59
12 RCE Page 64
13 IDOR Page 67
14 Directory Traversal Page 73
15 Open Redirect Page 78
16 SSRF Page 83

18 Thanks Note Page 87


Introduction

Before trying to learn web security, you first need to know how the internet and computers work. If you are reading this, I assume you have a good idea of how the internet and computer networks work. If you are a beginner and want to start a career in information security, I recommend that you first understand how a computer, the internet, web servers and databases work from the inside by googling and reading other books available on the internet; then, by reading this book, you can understand the concepts behind web vulnerabilities well.

Why this book?

This book helps aspiring security researchers understand web vulnerabilities in depth, i.e. from definition to root cause. Developers can read this book to understand the vulnerabilities and mitigate them in their source code.

Prerequisites for web security

Prerequisite requirements:
1. Computer with a minimum of 4 GB RAM, running any OS.
2. Good internet connection

Prerequisite knowledge requirements:
1. Basic networking knowledge
2. Linux fundamentals
3. Understanding of how a website works
4. Python and JS fundamentals

Prerequisite software requirements:
1. Burp Suite
2. Firefox browser
Cross site scripting or XSS

Let's start with a basic, high-impact web security vulnerability called XSS, or Cross Site Scripting.

What is cross site scripting or XSS?

Cross-site scripting (also known as XSS) is a web security flaw that allows an attacker to manipulate how users interact with a vulnerable application. It allows an attacker to get around the same-origin policy, which is meant to keep websites separate from one another. Cross-site scripting flaws allow an attacker to impersonate a target user and execute any actions that the user is capable of, as well as access any of the user's data. If the target user has privileged access to the application, the attacker will be able to take complete control of the site's functionality and data.

How does Cross site Scripting or XSS work?

Cross-site scripting works by getting a vulnerable website to return malicious JavaScript to its visitors. When the malicious code runs in a victim's browser, the attacker has effectively complete control over how that user interacts with the application.

What can XSS be used for?

An attacker who exploits a cross-site scripting vulnerability is typically able to:

● Impersonate or masquerade as the victim user.
● Carry out any action that the user is able to perform.
● Read any data that the user is able to access.
● Capture the user's login credentials.
● Perform virtual defacement of the web site.
● Inject trojan functionality into the web site.

Three main types of XSS attacks:
1. Reflected XSS
2. Stored XSS
3. DOM based XSS

How to test for XSS using black box testing?

A black-box test will include at least three phases:

1. Detect input vectors

Identify input vectors. The tester must determine all of the web application's user-defined variables and how to supply them for each web page. HTTP parameters, POST data, hidden form field values, and predetermined radio or selection values are examples of hidden or non-obvious inputs.

2. Analyze input vectors

Analyze each input vector to look for any flaws. The tester will often employ specially constructed input data with each input vector to find an XSS vulnerability. Such input data is usually harmless, but it causes the web browser to respond in a way that exposes the vulnerability. Test data can be created manually, with a web application fuzzer, or from a predetermined list of known attack strings. The following are some examples of input data:

● <script>alert(123)</script>
● "><script>alert(document.cookie)</script>

3. Check impact

The tester will assess each test input attempted in the previous step to see if it indicates a vulnerability with a realistic impact on the web application's security. This involves looking through the HTML of the resulting web page for the test input. The tester then looks for any special characters that were not correctly encoded, replaced, or filtered out once the input has been located.
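The three phases above, worked through in code. This is an added example and not code from the book: a search page that reflects the query without and with output encoding, and a "check impact" helper that reports which special characters of a test input came back unencoded. The render functions and probe list are constructed for illustration.

```javascript
// Added example (not the book's code): a reflected search term rendered without
// and with output encoding, plus the "check impact" step of the procedure above:
// does the probe survive in the response with its special characters unencoded?

// Encode the five characters that matter in HTML text and attribute contexts.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable: the query is concatenated into the page unchanged, in two contexts
// (a quoted attribute and element text), so a probe such as "><script> breaks out.
function renderSearchUnsafe(query) {
  return '<input name="q" value="' + query + '">' +
         '<p>Results for: <b>' + query + '</b></p>';
}

// Hardened: the same page with the query encoded for the contexts it lands in.
function renderSearchSafe(query) {
  const q = escapeHtml(query);
  return '<input name="q" value="' + q + '">' +
         '<p>Results for: <b>' + q + '</b></p>';
}

// Check impact: locate the probe in the response body and report which of its
// special characters came back unencoded. An empty list means the reflection is
// encoded (or absent) and the probe did not alter the markup.
function unencodedSpecials(html, probe) {
  if (!html.includes(probe)) return [];
  const specials = probe.match(/[<>"'&]/g) || [];
  return [...new Set(specials)];
}

// Run a whole probe list against a render function and report per probe.
function checkImpact(render, probes) {
  return probes.map((probe) => ({
    probe,
    unencoded: unencodedSpecials(render(probe), probe),
  }));
}

// Constructed probe list: the two test inputs quoted in the text.
const PROBES = [
  '<script>alert(123)</script>',
  '"><script>alert(document.cookie)</script>',
];

console.log(checkImpact(renderSearchUnsafe, PROBES));
console.log(checkImpact(renderSearchSafe, PROBES));
```

The encoder is context-aware only for HTML text and double-quoted attributes; a query landing inside a script block or a URL needs a different encoding, which is the usual reason a single "escape" helper is not enough.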
Interesting XSS HackerOne reports:

1. https://hackerone.com/reports/84601
2. https://hackerone.com/reports/29328
3. https://hackerone.com/reports/647130
4. https://hackerone.com/reports/1173040
5. https://hackerone.com/reports/751870

XSS vulnerable Code 1

XSS vulnerable Code 3

Payloads and exploits

Articles and blog posts:

1. https://infosecwriteups.com/xss-all-resources-in-one-blog-cce53c79f6bb
2. https://brutelogic.com.br/blog/

Resources for XSS payloads:

1. https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XSS%20Injection#common-payloads
2. https://github.com/payloadbox/xss-payload-list
3. https://portswigger.net/web-security/cross-site-scripting/cheat-sheet

Cross site request forgery or CSRF

What is cross site request forgery or CSRF?
Cross-site request forgery (also known as CSRF) is
a web security flaw that allows an attacker to
induce users to perform actions that they do not
intend to perform. It allows an attacker to partly
circumvent the same origin policy, which is
designed to prevent different websites from
interfering with each other.

How does CSRF work?

For a CSRF attack to be possible, the following three key conditions must be in place:
1. A relevant action
2. Cookie-based session handling
3. No unpredictable request parameters

The three conditions required for CSRF explained:
1. A relevant action. The attacker has a reason to induce an action within the application. This might be a privileged action (like altering other users' permissions) or any action on user-specific data (like changing the user's own password).
2. Cookie-based session handling. The action entails sending one or more HTTP requests, and the application depends exclusively on session cookies to determine who made the requests. There is no other mechanism in place to track sessions or validate user requests.
3. No unpredictable request parameters. The requests that perform the action do not contain any parameters whose values the attacker cannot determine or guess. For example, when causing a user to change their password, the function is not vulnerable if an attacker needs to know the value of the existing password.

Types of CSRF attack:
1. JSON based CSRF
2. HTML form based CSRF

Common CSRF pitfalls and CSRF protection bypasses:
1. Validation of CSRF token depends on request method
2. Validation of CSRF token depends on token being present
3. CSRF token is not tied to the user session
4. CSRF token is tied to a non-session cookie
5. CSRF token is simply duplicated in a cookie
6. Referer-based defenses against CSRF
7. Validation of Referer depends on header being present
8. Validation of Referer can be circumvented

Preventing CSRF attacks

The most robust way to defend against CSRF attacks is to include a CSRF token within relevant requests. The token should be:

1. Unpredictable, with high entropy, as for session tokens in general.
2. Tied to the user's session.
3. Strictly validated in every case before the relevant action is executed.

Common attack surface for CSRF attacks with high impact:

1. Email address update functionality
2. Update user profile info functionality
3. OAuth fallback request

CSRF attack H1 reports:
1. https://hackerone.com/reports/419891
2. https://hackerone.com/reports/152569
3. https://hackerone.com/reports/127703
4. https://hackerone.com/reports/148156
5. https://hackerone.com/reports/856518

CSRF vulnerable code

In the above Express.js code the developer does not validate the CSRF (XSRF) token.


Articles and blog posts:

1. https://medium.com/@chiragrai3666/csrf-today-techniques-mitigations-and-bypasses-b1cf6a6cd81c
2. https://medium.com/swlh/intro-to-csrf-cross-site-request-forgery-9de669df03de
3. https://medium.com/@onehackman/cross-site-request-forgery-techniques-19270174ea4

Resources for CSRF payloads:

1. https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/CSRF%20Injection

CORS Misconfiguration

What is CORS misconfiguration?

CORS (cross-origin resource sharing) is a browser feature that allows you to control access to resources outside of your domain. It extends the same-origin policy (SOP) and adds flexibility to it. However, if a website's CORS policy is inadequately established and implemented, it paves the way to cross-domain attacks. CORS does not protect against cross-origin attacks such as cross-site request forgery (CSRF).

What is the Same Origin Policy?

The same-origin policy is a cross-origin restriction that limits a website's ability to interact with resources outside of its own origin. The same-origin policy was created many years ago in reaction to potentially dangerous cross-domain interactions, such as one website obtaining sensitive data from another domain. It generally allows a domain to issue requests to other domains, but not to access the responses.

Vulnerabilities arising from CORS misconfiguration issues:
1. Server-generated ACAO header from client-specified Origin header
2. Errors parsing Origin headers
3. Whitelisted null origin value
4. Exploiting XSS via CORS trust relationships
5. Intranets and CORS without credentials

Headers that CORS misconfiguration relies on, or the root cause of CORS misconfiguration:
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true

Impact of CORS misconfiguration:

1. CORS can be chained with a CSRF attack by stealing the CSRF token.
2. CORS can be used to steal PII and sensitive credentials such as access tokens, client secrets, etc.
3. CORS can be chained with XSS to steal cookies, which leads to account takeover.

Prevention of CORS-based attacks:

1. Proper configuration of cross-origin requests.
2. Only allow trusted sites.
3. Avoid whitelisting null.
4. Avoid wildcards in internal networks.
5. CORS is not a substitute for server-side security policies.
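How a server should decide its CORS headers, as an added example (not code from the book or from any PHP snippet it shows): two misconfigured decision functions (origin reflection, and suffix matching, which is the "errors parsing Origin headers" case) beside an allowlist version, plus an audit helper that names the header combinations listed as the root cause. The allowlist and origins are constructed.

```javascript
// Added example (not the book's code): computing CORS response headers for a
// request's Origin. The allowlist and origins are constructed for illustration.
const ALLOWED_ORIGINS = new Set([
  'https://app.example.com',
  'https://admin.example.com',
]);

const NO_CORS = Object.freeze({ Vary: 'Origin' });

// Misconfiguration 1 from the list above: the server reflects whatever Origin the
// client sent and allows credentials, so any site can read authenticated responses.
function corsHeadersReflecting(origin) {
  if (!origin) return NO_CORS;
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    Vary: 'Origin',
  };
}

// Misconfiguration 2 (Origin parsing error): a suffix check accepts any origin
// whose name merely ends in the trusted string.
function corsHeadersSuffixMatch(origin) {
  if (typeof origin === 'string' && origin.endsWith('example.com')) {
    return corsHeadersReflecting(origin);
  }
  return NO_CORS;
}

// Hardened: exact match of the normalised origin against the allowlist, never
// "null", never a wildcard with credentials, and Vary: Origin so shared caches do
// not serve one origin's headers to another.
function corsHeadersAllowlist(origin) {
  if (typeof origin !== 'string' || origin === 'null') return NO_CORS;
  let parsed;
  try {
    parsed = new URL(origin);
  } catch {
    return NO_CORS;
  }
  // A real Origin header is exactly scheme://host[:port]; anything else (a path,
  // an upper-case host, a default port spelled out) is rejected, not normalised.
  if (parsed.origin !== origin || !ALLOWED_ORIGINS.has(origin)) return NO_CORS;
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    Vary: 'Origin',
  };
}

// Audit helper for responses observed during testing: given the Origin that was
// sent and the headers that came back, name the dangerous combinations.
function auditCors(requestOrigin, headers) {
  const acao = headers['Access-Control-Allow-Origin'];
  const creds = headers['Access-Control-Allow-Credentials'] === 'true';
  const findings = [];
  if (acao === '*' && creds) findings.push('wildcard-with-credentials');
  if (acao === 'null' && creds) findings.push('null-origin-with-credentials');
  if (creds && acao === requestOrigin && !ALLOWED_ORIGINS.has(acao)) {
    findings.push('reflected-untrusted-origin');
  }
  return findings;
}

// Stand-alone run over a few constructed Origin values.
for (const o of ['https://app.example.com', 'https://notexample.com', 'null']) {
  console.log(o, corsHeadersAllowlist(o), auditCors(o, corsHeadersSuffixMatch(o)));
}
```

The Vary: Origin header is included even on the rejecting path; without it a CDN that cached an allowed origin's response could hand the Access-Control-Allow-Origin header to a different requester.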

CORS H1 reports

1. https://hackerone.com/reports/426165
2. https://hackerone.com/reports/758785
3. https://hackerone.com/reports/426147
4. https://hackerone.com/reports/769058
5. https://hackerone.com/reports/896093

PHP code vulnerable to CORS misconfiguration

This code allows requests from an arbitrary origin.

CORS misconfiguration exploits and resources

Articles and blog posts:

1. https://medium.com/@amangupta566/cors-misconfiguration-leads-to-steal-sensitive-information-disclosure-fdf050b68b66
2. https://medium.com/swlh/exploiting-cors-misconfiguration-vulnerabilities-2a16b5b979

Resources for CORS misconfiguration payloads:

1. https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/CORS%20Misconfiguration#readme

Clickjacking

What is clickjacking?
Clickjacking is an interface-based attack in which a user is tricked into clicking on actionable content on a hidden website by clicking on decoy content. Consider the following example.

A web user accesses a decoy website (perhaps via a link provided in an email) and clicks on a button to win a prize. Unknowingly, they have been deceived by an attacker into pressing an alternative hidden button, and this results in a payment from an account on another site. This is an example of a clickjacking attack. The technique depends upon embedding an invisible, actionable web page (or multiple pages) containing a button or hidden link, say, within an iframe. The iframe is overlaid on top of the user's anticipated decoy web page content. This attack differs from a CSRF attack in that the user is required to perform an action such as a button click, whereas a CSRF attack depends upon forging an entire request without the user's knowledge or input.

What is the root cause of clickjacking?

1. Setting X-Frame-Options to allow, like below
X-Frame-Options: allow
2. Setting Content-Security-Policy frame-ancestors to none, like below
Content-Security-Policy: frame-ancestors 'none';

Impact of clickjacking:
1. The hacker can profit from the diverted clicks in a variety of ways. The replication of a login and password form on a website is a popular kind of clickjacking. The user thinks they're filling out a standard form, but they're actually filling out fields that the hacker has layered over the UI. Hackers will go for passwords, credit card numbers, and any other sensitive information they can get their hands on.
2. An attacker may also choose to redirect the clicks to download malware or gain access to vital systems as a starting point for an APT. This spells trouble for any organization that relies on protecting sensitive data and intellectual property.
Prevention of clickjacking:

1. Setting X-Frame-Options to deny, like below
X-Frame-Options: deny
2. Setting Content-Security-Policy frame-ancestors to self, like below
Content-Security-Policy: frame-ancestors 'self';
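An added example (not code from the book) that turns the two headers above into a check: given a response's headers, can a page be framed, and from where? It encodes what browsers actually do: "allow" is not a recognised X-Frame-Options value and is ignored, frame-ancestors 'none' forbids all framing, frame-ancestors 'self' permits only same-origin framing, and a frame-ancestors directive takes precedence over X-Frame-Options when both are present. The origins are constructed; scheme-only and wildcard-host sources are not modelled.

```javascript
// Added example (not the book's code): deciding from a response's headers whether
// a page can be framed, and the header pair a hardened response should send.
// The origins used are constructed.

// Pull the frame-ancestors source list out of a CSP value; null when absent.
function frameAncestors(csp) {
  if (typeof csp !== 'string') return null;
  for (const directive of csp.split(';')) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length && tokens[0].toLowerCase() === 'frame-ancestors') {
      return tokens.slice(1).map((t) => t.toLowerCase());
    }
  }
  return null;
}

// Can a page served from ownOrigin be embedded by a page at framerOrigin?
// Browsers that understand frame-ancestors give it precedence over
// X-Frame-Options, so it is checked first. Host sources are matched as exact
// origins here (assumption: scheme-only and wildcard-host sources are not modelled).
function isFrameable(headers, ownOrigin, framerOrigin) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;

  const fa = frameAncestors(h['content-security-policy']);
  if (fa !== null) {
    if (fa.length === 0 || fa.includes("'none'")) return false;
    if (fa.includes('*')) return true;
    if (fa.includes("'self'") && framerOrigin === ownOrigin) return true;
    return fa.includes(framerOrigin.toLowerCase());
  }

  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return framerOrigin === ownOrigin;
  // Header missing, or an unrecognised value such as "allow": browsers ignore it
  // and the page can be framed from anywhere.
  return true;
}

// What a hardened response carries: both mechanisms, so old browsers that only
// know X-Frame-Options and new ones that prefer CSP are both covered.
function antiFramingHeaders(allowSameOrigin) {
  return allowSameOrigin
    ? { 'X-Frame-Options': 'SAMEORIGIN', 'Content-Security-Policy': "frame-ancestors 'self'" }
    : { 'X-Frame-Options': 'DENY', 'Content-Security-Policy': "frame-ancestors 'none'" };
}

// Stand-alone run over a few constructed header sets.
const site = 'https://bank.example';
for (const hdrs of [{}, { 'X-Frame-Options': 'allow' }, antiFramingHeaders(false)]) {
  console.log(hdrs, 'frameable by decoy:', isFrameable(hdrs, site, 'https://decoy.test'));
}
```

Running the check against the nginx configuration the book shows later is a matter of fetching a page and feeding the response headers in; a page whose headers come back as frameable from a foreign origin is the finding.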

Clickjacking HackerOne reports:

1. https://hackerone.com/reports/405342
2. https://hackerone.com/reports/591432
3. https://hackerone.com/reports/832593
4. https://hackerone.com/reports/305128
5. https://hackerone.com/reports/765355

The nginx configuration below is vulnerable to clickjacking.

Articles and blog posts:

1. https://medium.com/@abhishake21/clickjacking-to-account-takeover-97e286f26b95
2. https://medium.com/@osamaavvan/1800-worth-clickjacking-1f92e79d0414

Clickjacking exploit:

SQL Injection

What is SQL injection (SQLi)?

SQL injection is a type of web security flaw that allows an attacker to tamper with a web application's database queries. It allows an attacker to see data that they wouldn't ordinarily be able to see. This might include data belonging to other users or any other information that the application has access to. In many circumstances, an attacker can edit or remove this data, causing the application's content or behaviour to be permanently altered.

Types of SQL injection:

In-band SQLi (classic), inferential SQLi (blind), and out-of-band SQLi are the three types of SQL injection. SQL injections are classified according to the methods they use to access backend data and the degree of impact they may have.

Impact of a SQL injection attack:

1. Attacker can bypass authentication using SQLi.
2. Attacker can access unauthorised data to which they do not have access using SQLi.
3. Attacker can breach and expose data from the entire database using SQLi.

How to detect SQL injection vulnerabilities?

1. Submitting the single quote character ' and looking for errors or other anomalies.
2. Submitting some SQL-specific syntax that evaluates to the base (original) value of the entry point, and to a different value, and looking for systematic differences in the resulting application responses.
3. Submitting Boolean conditions such as OR 1=1 and OR 1=2, and looking for differences in the application's responses.
4. Submitting payloads designed to trigger time delays when executed within an SQL query, and looking for differences in the time taken to respond.
Prevention of SQLi vulnerabilities
1. Most instances of SQL injection can be prevented by using parameterized queries (also known as prepared statements) instead of string concatenation within the query.
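The concatenated login query beside its parameterized form, as an added example (not the book's Express, PHP or Ruby snippets). The placeholder syntax is node-postgres style ($1, $2); the assumption is that any driver with placeholders keeps the same boundary between SQL text and values. A crude shape check shows the property that matters: with parameters, nothing in the input can change the statement's structure.

```javascript
// Added example (not the book's code): the concatenated login query beside its
// parameterized form, with a crude shape check. Placeholder syntax follows the
// node-postgres style ($1, $2); assumption: any driver with placeholders behaves
// the same way at this boundary.

// Vulnerable: input becomes SQL text, so quotes and keywords in it change the
// statement's structure.
function loginQueryConcatenated(username, password) {
  return "SELECT id FROM users WHERE username = '" + username +
         "' AND password = '" + password + "'";
}

// Hardened: the SQL text is fixed; values travel separately and are only ever
// compared as data by the database.
function loginQueryParameterized(username, password) {
  return {
    text: 'SELECT id FROM users WHERE username = $1 AND password = $2',
    values: [username, password],
  };
}

// Count the tokens that would change if input leaked into the SQL text. For the
// parameterized form these are constant whatever the input.
function queryShape(sql) {
  return {
    quotes: (sql.match(/'/g) || []).length,
    ors: (sql.match(/\bOR\b/gi) || []).length,
    comments: (sql.match(/--/g) || []).length,
  };
}

// Does a given input alter the statement's shape relative to a benign input?
// Usable as a unit test on query builders during code review.
function inputChangesShape(build, input) {
  const sqlOf = (q) => (typeof q === 'string' ? q : q.text);
  const base = queryShape(sqlOf(build('benign', 'benign')));
  const withInput = queryShape(sqlOf(build(input, 'benign')));
  return JSON.stringify(base) !== JSON.stringify(withInput);
}

// Stand-alone run with a constructed input containing a quote, OR and a comment.
const sample = "alice' OR 1=1 --";
console.log(queryShape(loginQueryConcatenated(sample, 'x')));
console.log(inputChangesShape(loginQueryConcatenated, sample));
console.log(inputChangesShape(loginQueryParameterized, sample));
```

The shape check is a review aid, not a defence: the defence is that loginQueryParameterized never lets input touch the text at all.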

HackerOne SQLi reports

1. https://hackerone.com/reports/1046084
2. https://hackerone.com/reports/297478
3. https://hackerone.com/reports/816254
4. https://hackerone.com/reports/1224660
5. https://hackerone.com/reports/1039315

The Express.js code snippet below is vulnerable to SQLi

The PHP code snippet below is vulnerable to SQLi

The Ruby code snippet below is vulnerable to SQLi

Blog posts and articles:


1. https://medium.com/purplebox/sql-injection-d
a949c39dbe6
2. https://ismailtasdelen.medium.com/sql-injecti
on-payload-list-b97656cfd66b
3. https://medium.com/spidernitt/sql-injection-att
ack-it-might-pain-44ab11056f6c

SQLI Payloads and exploits:


1. https://github.com/swisskyrepo/PayloadsAllTh
eThings/tree/master/SQL%20Injection

NoSQL Injection

What is NoSQL injection?
A flaw in a web application that employs a NoSQL database is known as a NoSQL injection vulnerability. A malicious actor can use this web security flaw to circumvent authentication, harvest data, change data, or even take entire control of the application.

Types of NoSQL injection attacks:
1. Tautologies
2. Union queries
3. JavaScript injections
4. Piggybacked queries
5. Cross origin violation

Impact of a NoSQL injection attack:

1. Attacker can bypass authentication using NoSQLi.
2. Attacker can access unauthorised data to which they do not have access using NoSQLi.
3. Attacker can breach and expose data from the entire database using NoSQLi.

How to avoid NoSQL injections

To avoid NoSQL injections, you must always treat user input as untrusted. Here is what you can do to validate user input:

1. Use a sanitization library. For example, mongo-sanitize or mongoose.
2. If a library for your environment isn't available, cast user input to the required type. Cast usernames and passwords to strings, for example.
3. Never use the where or group operators with user input in MongoDB, because they let the attacker inject JavaScript and are therefore far more risky than other operators. If possible, set javascriptEnabled to false in mongod.conf for enhanced security.
4. Furthermore, always follow the least-privilege model: run your application with the minimum privileges available, so that the attacker cannot access other resources if it is compromised.
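Mitigations 1 and 2 above in code, as an added example (not the book's JS snippet): a MongoDB-style login filter built from a JSON body, once unprotected, once after operator-key stripping (what a sanitization library such as mongo-sanitize does, reimplemented here rather than taken from that library) and once after casting to string. A small in-memory matcher stands in for the driver so the example runs offline; it models only the $eq, $ne and $gt operators, and the user record is constructed.

```javascript
// Added example (not the book's code): a MongoDB-style login filter built from a
// JSON body, before and after the mitigations above. The in-memory matcher stands
// in for the driver (assumption: a real driver treats $eq/$ne/$gt the same way).
const users = [{ username: 'alice', password: 'correct horse' }]; // constructed sample

// A value is an operator object when it is a plain object whose keys all start with '$'.
function isOperatorObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v)
    && Object.keys(v).length > 0 && Object.keys(v).every((k) => k.startsWith('$'));
}

function fieldMatches(value, cond) {
  if (!isOperatorObject(cond)) return JSON.stringify(value) === JSON.stringify(cond);
  return Object.entries(cond).every(([op, arg]) => {
    if (op === '$eq') return value === arg;
    if (op === '$ne') return value !== arg;
    if (op === '$gt') return typeof value === typeof arg && value > arg;
    throw new Error(`operator ${op} not modelled here`);
  });
}

function findOne(filter) {
  return users.find((doc) =>
    Object.entries(filter).every(([field, cond]) => fieldMatches(doc[field], cond))) || null;
}

// Vulnerable: body values go straight into the filter. With a JSON body a client
// can send {"password": {"$gt": ""}}, and "password greater than empty string"
// is true for every real password.
function loginUnsafe(body) {
  return findOne({ username: body.username, password: body.password }) !== null;
}

// Mitigation 1: what a sanitization library does, reimplemented here (not the
// library's code): drop every key that begins with '$', recursively.
function stripOperatorKeys(value) {
  if (Array.isArray(value)) return value.map(stripOperatorKeys);
  if (value !== null && typeof value === 'object') {
    const out = {};
    for (const [k, v] of Object.entries(value)) {
      if (!k.startsWith('$')) out[k] = stripOperatorKeys(v);
    }
    return out;
  }
  return value;
}
function loginSanitized(body) {
  const clean = stripOperatorKeys(body);
  return findOne({ username: clean.username, password: clean.password }) !== null;
}

// Mitigation 2: cast to the expected type and reject anything else, so an
// operator object can never reach the query at all.
function loginTyped(body) {
  if (typeof body.username !== 'string' || typeof body.password !== 'string') return false;
  return findOne({ username: body.username, password: body.password }) !== null;
}

// Stand-alone run with a constructed operator-object body.
const probeBody = { username: 'alice', password: { $gt: '' } };
console.log('unsafe:', loginUnsafe(probeBody), 'sanitized:', loginSanitized(probeBody),
  'typed:', loginTyped(probeBody));
```

Of the two mitigations, the type check is the stricter one: stripping keys turns {"$gt": ""} into an empty object that simply fails to match, whereas the cast refuses the request before any query is built.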

NoSQL injection H1 reports:

1. https://hackerone.com/reports/1130721
2. https://hackerone.com/reports/1130874
3. https://hackerone.com/reports/386807
4. https://hackerone.com/reports/397445
5. https://hackerone.com/reports/909375

The JS code snippet below is vulnerable to NoSQLi auth bypass

Articles and blog posts:

1. https://medium.com/rangeforce/nosql-injection-6514a8db29e3
2. https://berkegokmen1.medium.com/your-nodejs-app-is-probably-vulnerable-to-nosql-injection-attacks-69e6acba7b65
3. https://infosecwriteups.com/nosql-injection-8732c2140576

Exploits and payloads:
1. https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/NoSQL%20Injection

OAuth Vulnerabilities

What is OAuth?
OAuth is an open-standard authorisation mechanism or framework that enables "safe authorized access" in apps. For example, you may tell Facebook that it's OK for canva.com to access your profile and post updates to your timeline without giving canva.com your Facebook password. This significantly reduces risk: even if Canva experiences a security compromise, your Facebook password is protected.

How does OAuth 2.0 work?
OAuth 2.0 was created with the intention of allowing applications to share access to specified data. It works by specifying a set of interactions between three parties: a client application, a resource owner, and an OAuth service provider.
● Client application - The website or web application that wants to access the user's data.
● Resource owner - The user whose data the client application wants to access.
● OAuth service provider - The website or application that controls the user's data and access to it.

How is OAuth authentication implemented?
1. The user can log in using their social media account if they want to. The client application then requests access to some data from the social media site's OAuth service, which it may use to identify the user. This might be the email address associated with their account.
2. After acquiring an access token, the client application retrieves this data from the resource server, usually via the /userinfo endpoint.
3. After getting that data, the client application logs the user in using it instead of a username. It commonly uses the access token it acquired from the authorization server in place of a conventional password.

How do OAuth vulnerabilities arise?
Even though OAuth includes various flows of interaction for acquiring authorisation, it is generally safe by design, but developers can occasionally break OAuth when they implement it.

Common vulnerabilities of a broken OAuth flow:

Vulnerabilities in the client application:

1. Improper implementation of the implicit grant type.
2. Flawed CSRF protection: not using the state parameter, or using an easily guessable state parameter.

Vulnerabilities in the OAuth service:

1. Leaking authorization codes and access tokens
2. Flawed scope validation
3. Unverified user registration

Impact of OAuth vulnerabilities:

1. Account takeover
2. Unauthorized data access

OAuth vulnerabilities H1 reports:

1. https://hackerone.com/reports/1074047
2. https://hackerone.com/reports/665651
3. https://hackerone.com/reports/3930
4. https://hackerone.com/reports/1212374
5. https://hackerone.com/reports/55140
6. https://hackerone.com/reports/541701
7. https://hackerone.com/reports/405100
8. https://hackerone.com/reports/131202
9. https://hackerone.com/reports/110293
10. https://hackerone.com/reports/202781

In the code snippet below, the developer does not check the state parameter, which might lead to account takeover via CSRF.

Articles and blog posts:

1. https://geekboyranjeet.medium.com/oauth-misconfiguration-working-of-oauth-types-of-vulnerabilities-in-it-and-how-you-can-exploit-38bbe566c468
2. https://medium.com/@Jacksonkv22/oauth-misconfiguration-lead-to-complete-account-takeover-c8e4e89a96a
3. https://gaya3-r.medium.com/account-takeover-using-oauth-misconfiguration-3fab424317c1

Exploits and payloads:

1. https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/OAuth

SAML Vulnerabilities

What is SAML?

The Security Assertion Markup Language, or SAML, is a standardised mechanism to verify to other applications and services that a person is who they claim to be. SAML enables single sign-on (SSO) by allowing a user to be authenticated once and then having that authentication communicated to various apps. SAML 2.0 is the most recent version of SAML.

One of the most difficult challenges in computing and networking is getting systems and devices created by different suppliers for different reasons to work together. This is referred to as "interoperability": the ability of various machines to communicate with one another despite their differences in technical specifications. SAML is a widely established interoperable protocol for communicating a user's identity to cloud service providers.

How does SAML work?
A typical SAML authentication process involves these three parties:

1. Principal (also known as the "subject")
2. Identity provider
3. Service provider

Principal/subject: Almost always, this is a human attempting to access a cloud-hosted application.

Identity provider: An identity provider (IdP) is a cloud software service that stores and verifies a user's identity, usually via a login process.

Common vulnerabilities in SAML:

1. Signature stripping
2. Comment injection
3. Known key (if the IdP uses the same SAML key for all users)
4. Trusted embedded key

Signature stripping attack:

One of the most prevalent problems with protocols that use signatures to prevent tampering is that the signature is only checked if it is present. We change the email address in the signed assertion to that of the service provider's user, and then delete the signature.

Comment injection:
One of the common issues with protocols relying on signatures to prevent tampering comes from the fact that the signed data is parsed differently by the system receiving it. Here we create a crafted email address to become the target user at the service provider. (continued on next page)

The issue here is that the service provider strips XML comments from the email address provided in the SAMLResponse by the IdP.

Known key attack:
Since the IdP makes use of the library's key, which can be accessed by anybody with access to the source code, it is feasible for attackers to construct a genuine-looking SAMLResponse that the service provider would believe.

Trusted embedded key attack:
Since the service provider does not examine the fingerprint of the certificate when verifying the SAMLResponse, attackers can submit their own certificate with a matching signature and the application will trust it.

SAML vulnerabilities H1 reports:

1. https://hackerone.com/reports/888930
2. https://hackerone.com/reports/106865
3. https://hackerone.com/reports/324005
4. https://hackerone.com/reports/136169
5. https://hackerone.com/reports/1049375

Articles and blog posts:

1. https://medium.com/swlh/hacking-saml-bce30483d020
2. https://medium.com/brightlab-techblog/single-sign-on-sso-saml-authentication-explained-1e463b9168cb
3. https://infosecwriteups.com/bounty-tip-how-to-bypass-authorization-in-saml-f7577a6541c4

Exploits and payloads:

1. https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/SAML%20Injection

Command line Injection

What is command line injection?

A vulnerability known as command injection involves the execution of arbitrary commands on a host operating system (OS). Typically, the threat actor injects the commands by taking advantage of an application flaw, such as a lack of input validation.

How does command line injection work?

1. A hacker discovers a serious flaw in an application. This allows them to inject malicious code into the operating system and obtain access to any capability provided by the underlying programme. The attackers can carry out the attack even if they don't have direct access to the operating system.
2. The attacker alters dynamically generated content on a web page using HTML code through an input mechanism such as a form field or cookies.
3. Browsers interpret the code after it is placed into the affected web page. This allows the attackers to run specific commands across users' computers, as well as their networks and the network of the compromised machine.

Impact of command line injection:

1. Alter or corrupt a database.
2. Install malware such as ransomware or a trojan.
3. Corrupt the server.

Mitigation of command line injection:

1. Avoid system calls that take user input.
2. Set up input validation.
3. Create a whitelist of inputs.

Command line injection H1 reports:

1. https://hackerone.com/reports/685447
2. https://hackerone.com/reports/497312
3. https://hackerone.com/reports/690010
4. https://hackerone.com/reports/303061
5. https://hackerone.com/reports/680480
In the code snippet below, an attacker can inject a command line as input to abuse the intended purpose of the website.

In the code snippet below, an attacker can inject a command line as input to abuse the intended purpose of the website.

Articles and blog posts:

1. https://musyokaian.medium.com/os-command-injection-vulnerability-22cc70e0e6a6
2. https://shahjerry33.medium.com/blind-command-injection-it-hurts-9f396c1f63f2
3. https://www.cobalt.io/blog/a-pentesters-guide-to-command-injection

Exploits and payloads:

1. https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Command%20Injection

Remote Code Execution
What is RCE or Remote Code Execution?

Remote code execution (RCE) is a vulnerability class that lets an attacker run code of their choosing on a target machine over the network, without any legitimate access to it. An RCE bug can lead to malware being deployed or to the attacker taking complete control of the vulnerable system.

How does RCE work?

RCE vulnerabilities allow an attacker to execute arbitrary code on a remote device. An attacker can achieve RCE in a few different ways, including:

1. Out-of-bounds memory access: buffer overflows and similar memory-safety bugs in native code that let the attacker control what the process executes next.
2. Injection: untrusted input reaching a command shell, an eval()-style interpreter, a template engine or a lookup mechanism such as the Log4j JNDI lookup referred to later in this chapter.
3. Deserialization attacks: the application rebuilds objects from attacker-controlled bytes, and the deserializer invokes constructors or callbacks chosen by the attacker.
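Added example, not code from the book: the third route above, shown with Python's pickle. The attacker-side class makes the stream name a callable (here exec on a harmless marker statement rather than os.system, an assumption of this example so nothing destructive runs), the vulnerable loader executes it, and the hardened loader uses the find_class restriction documented for the pickle module to refuse every global outside a short allow-list.

```python
import builtins
import io
import os
import pickle

MARKER_ENV = "DESERIALIZATION_RCE_MARK"


class Payload:
    """Attacker-side class. pickle records the result of __reduce__ in the
    stream; on the victim side the Unpickler rebuilds the object by calling
    the stored callable with the stored arguments. A real exploit returns
    (os.system, ("...",)); here exec() of a marker statement stands in."""

    def __reduce__(self):
        code = f"import os; os.environ[{MARKER_ENV!r}] = 'pwned'"
        return (exec, (code,))


def craft_malicious_blob() -> bytes:
    """Serialized attacker object. Nothing in it refers to this module: the
    stream only names builtins.exec and carries the code string."""
    return pickle.dumps(Payload())


def craft_legitimate_blob() -> bytes:
    """Constructed sample of what the application actually expects."""
    return pickle.dumps({"user": "alice", "roles": ["viewer"]})


def vulnerable_load(blob: bytes):
    """Deliberately vulnerable: pickle.loads on untrusted bytes calls whatever
    callable the stream names, before returning anything to the caller."""
    return pickle.loads(blob)


_SAFE_BUILTINS = {"dict", "list", "tuple", "set", "frozenset",
                  "str", "int", "float", "bool", "bytes"}


class RestrictedUnpickler(pickle.Unpickler):
    """Hardened loader: find_class is the only hook through which a pickle
    stream can reach a Python object, so refusing every global outside the
    allow-list removes exec, eval, os.system and friends from reach."""

    def find_class(self, module, name):
        if module == "builtins" and name in _SAFE_BUILTINS:
            return getattr(builtins, name)
        raise pickle.UnpicklingError(f"refused to load global {module}.{name}")


def hardened_load(blob: bytes):
    return RestrictedUnpickler(io.BytesIO(blob)).load()


def loader_rejects(blob: bytes) -> bool:
    try:
        hardened_load(blob)
    except pickle.UnpicklingError:
        return True
    return False


def marker_was_set() -> bool:
    """True once attacker-chosen code has run inside this process."""
    return os.environ.get(MARKER_ENV) == "pwned"


if __name__ == "__main__":
    blob = craft_malicious_blob()
    print("hardened loader rejects it:", loader_rejects(blob))
    vulnerable_load(blob)
    print("attacker code ran in vulnerable loader:", marker_was_set())
```

The order matters for understanding the bug: the hardened loader raises while it is still reading the stream, before any callable is invoked, whereas the vulnerable loader has already executed the payload by the time pickle.loads returns. The safer fix is still not to use pickle for untrusted data at all and to parse JSON against a schema instead.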


Main impacts of an RCE attack:

1. Complete access to the server and to every database and secret it can reach.
2. Installing ransomware.
3. Installing a crypto miner.

Mitigation or Prevention for RCE:

1. Input validation and sanitization: never pass untrusted data to a shell, an interpreter, a template engine or a deserializer.
2. Secure memory management: prefer memory-safe languages and build native code with stack protection, ASLR and non-executable memory.
3. Traffic inspection: a WAF or IDS as defense in depth, never as the only control.
4. Access control and least privilege: run services as unprivileged users, isolate them in containers or VMs and segment the network so one RCE does not hand over the whole estate.

RCE hackerone Reports:


1. https://hackerone.com/reports/303061
2. https://hackerone.com/reports/914392
3. https://hackerone.com/reports/783877
4. https://hackerone.com/reports/212696
5. https://hackerone.com/reports/248116

Code snippet vulnerable to the infamous Log4j RCE (Log4Shell, CVE-2021-44228): an attacker-controlled string reaches the logger, and the library's JNDI lookup fetches and executes a remotely hosted class.


Articles and blog post:


1. https://medium.com/@harishhacker3010/microsoft-teams-rce-48fbcf844f7d
2. https://medium.com/@harishhacker3010/how-i-hacked-nasa-to-execute-arbitrary-commands-in-their-server-29d44292a60a
3. https://corneacristian.medium.com/top-25-rce-bug-bounty-reports-bc9555cca7bc

Exploits and Payloads:


1. https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Command%20Injection

Insecure Direct Object Reference
IDOR

What is IDOR or Insecure Direct Object Reference?

Insecure direct object reference (IDOR) is an access-control flaw that occurs when an application uses user-supplied input (an ID, a file name, a key) to look up an object directly, without checking that the requesting user is allowed to access that object.

How does IDOR work?

IDOR is exploited by altering an identifier in a URL, a request body or a parameter. When the ID is changed, the back end runs a query with the new ID and reads or updates whatever record it refers to, because the query is scoped by the ID alone and not by the identity of the user making the request.

Types of IDOR :
1. Numerical IDOR: sequential integer IDs, which an attacker can simply enumerate.
2. Alphanumerical IDOR: UUIDs, slugs or hashes. Harder to guess, but still an IDOR whenever the identifier leaks somewhere (another endpoint, a shared link, an e-mail) and the server never checks ownership.

Main impacts of an IDOR bug:

1. Exposure of confidential information
2. Authorization bypass
3. Account takeover (for example by reaching another user's password-reset or e-mail-change flow)
4. Unauthorized alteration or deletion of data

Mitigations for IDOR:

1. Avoid exposing direct references such as database keys or file names to the client; where a reference must be exposed, prefer a random, per-user indirect reference.
2. Validate every parameter that names an object (type, format, length) before it reaches a query.
3. Verify, on the server and for every request, that the referenced object is owned by or shared with the authenticated user; the check belongs in the data-access layer so no endpoint can forget it.
4. Tokens or handles issued to a user should be mapped to that user's session and should not resolve for anyone else. Unguessable IDs reduce exposure but do not replace the ownership check.
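Added example, not code from the book: an invoice lookup in Python with the authorization gap described above, the same lookup with the ownership check from mitigation 3, the enumeration an attacker runs against a numeric IDOR, and a per-session indirect reference map for mitigations 1 and 4. The invoice records and user IDs are constructed sample data.

```python
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Invoice:
    invoice_id: str
    owner_id: int
    total_cents: int


# Constructed sample data: sequential, guessable IDs belonging to two users.
INVOICES: Dict[str, Invoice] = {
    "1001": Invoice("1001", owner_id=1, total_cents=4999),
    "1002": Invoice("1002", owner_id=2, total_cents=12000),
    "1003": Invoice("1003", owner_id=2, total_cents=250),
}


def vulnerable_get_invoice(session_user_id: int, invoice_id: str) -> Optional[Invoice]:
    """Authenticated but not authorized: the session user is never compared
    with the record owner, so any logged-in user can read any invoice."""
    return INVOICES.get(invoice_id)


def hardened_get_invoice(session_user_id: int, invoice_id: str) -> Optional[Invoice]:
    """Ownership is checked on the server against the session, not the request.
    Missing and foreign records both return None (an HTTP 404 in a real
    handler), so the endpoint does not confirm which IDs exist."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None or invoice.owner_id != session_user_id:
        return None
    return invoice


Fetcher = Callable[[int, str], Optional[Invoice]]


def enumerate_readable(session_user_id: int, candidate_ids: List[str],
                       fetch: Fetcher) -> List[str]:
    """What an attacker does with a numeric IDOR: walk the ID space as one
    low-privileged user and keep every ID that returns a record."""
    return [i for i in candidate_ids if fetch(session_user_id, i) is not None]


class IndirectReferenceMap:
    """Per-session indirect references: the client only ever sees a random
    handle, and a handle issued to one session cannot be resolved by another.
    This keeps guessable IDs off the wire; it complements the ownership check
    above rather than replacing it."""

    def __init__(self) -> None:
        self._handles: Dict[int, Dict[str, str]] = {}

    def issue(self, session_id: int, object_id: str) -> str:
        handle = secrets.token_urlsafe(16)
        self._handles.setdefault(session_id, {})[handle] = object_id
        return handle

    def resolve(self, session_id: int, handle: str) -> Optional[str]:
        return self._handles.get(session_id, {}).get(handle)


if __name__ == "__main__":
    ids = ["1001", "1002", "1003"]
    print("user 1 via vulnerable handler:", enumerate_readable(1, ids, vulnerable_get_invoice))
    print("user 1 via hardened handler:  ", enumerate_readable(1, ids, hardened_get_invoice))
```

Note that the hardened version answers "not found" for a foreign invoice rather than "forbidden": a 403 tells the attacker the ID exists, which is exactly the signal an enumeration loop keys on.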

IDOR hackerone Reports:


1. https://hackerone.com/reports/227522
2. https://hackerone.com/reports/287789
3. https://hackerone.com/reports/391092
4. https://hackerone.com/reports/1004745
5. https://hackerone.com/reports/498351

Articles and Blog post:
1. https://corneacristian.medium.com/top-25-idor-bug-bounty-reports-ba8cd59ad331
2. https://medium.com/@aysebilgegunduz/everything-you-need-to-know-about-idor-insecure-direct-object-references-375f83e03a87
3. https://medium.com/armourinfosec/idor-a-tale-of-account-takeover-77d9066a8055

Exploits and Payloads:


1. https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Insecure%20Direct%20Object%20References

Directory Traversal

What is Directory Traversal?


Directory traversal (sometimes called file path
traversal) is a web security flaw that allows an
attacker to access arbitrary files on a server that is
hosting an application. This might comprise
application code and data, back-end system
credentials, and critical operating system files,
among other things. An attacker may be able to
write to arbitrary files on the server in some
instances, allowing them to change application data
or behaviour and eventually gain complete control of
the server.
What can an attacker do if your website is vulnerable?
An attacker can use a system vulnerable to directory traversal to step outside the web root (the directory the application is meant to serve files from) and reach other parts of the file system. This can expose restricted files such as /etc/passwd, application source code and configuration files holding credentials, which give the attacker the information needed to breach the system further.


What is root cause of Directory Traversal?

The application builds a file-system path from user-controlled input (a file name, a template name, a download parameter) without canonicalizing the result and checking that it still lies inside the intended base directory. Sequences such as "../" (including their URL-encoded or double-encoded forms) and absolute paths then move the lookup outside that directory.

Mitigations of Directory Traversal

1. Avoid passing user input to file-system APIs at all; map an index or a name from an allow-list to the real file on the server.
2. Where a user-supplied name is unavoidable, validate it strictly (for example only letters, digits and a fixed extension), join it to the base directory, canonicalize the result with the platform's realpath and verify that the canonical path still lies under the canonical base directory.
3. Run the application with a file-system view limited to what it needs (a dedicated user, a chroot or a container) so a missed check exposes as little as possible.
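Added example, not code from the book: a Python download handler with the path-building defect described above, beside the canonicalize-then-check resolver from mitigation 2. The directory layout it reads from is constructed in a temporary directory by the example itself, so it runs offline and touches nothing else on the machine.

```python
import os
import tempfile


def vulnerable_resolve(base_dir: str, user_path: str) -> str:
    """Deliberately vulnerable: os.path.join keeps '../' segments, and when
    user_path is absolute it discards base_dir entirely."""
    return os.path.join(base_dir, user_path)


def safe_resolve(base_dir: str, user_path: str) -> str:
    """Canonicalize the joined path (collapsing '..' and following symlinks)
    and require that it still lies under the canonical base directory."""
    if "\x00" in user_path:
        raise ValueError("NUL byte in path")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_path))
    # commonpath, not str.startswith: '/srv/app' must not accept '/srv/app2/x'.
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"path escapes base directory: {user_path!r}")
    return candidate


def read_file(base_dir: str, user_path: str, resolver) -> str:
    """A download handler with the resolver plugged in."""
    with open(resolver(base_dir, user_path), encoding="utf-8") as handle:
        return handle.read()


def safe_read_rejects(base_dir: str, user_path: str) -> bool:
    """True when the hardened resolver refuses the value (HTTP 400/404)."""
    try:
        read_file(base_dir, user_path, safe_resolve)
    except ValueError:
        return True
    return False


def build_demo_tree() -> str:
    """Constructed sample layout, created under a fresh temp dir:
         <root>/secret.txt           (must stay unreachable)
         <root>/public/hello.txt     (the only file meant to be served)
    Returns the public directory, which plays the role of the web root."""
    root = tempfile.mkdtemp(prefix="traversal-demo-")
    public = os.path.join(root, "public")
    os.mkdir(public)
    with open(os.path.join(public, "hello.txt"), "w", encoding="utf-8") as f:
        f.write("hello\n")
    with open(os.path.join(root, "secret.txt"), "w", encoding="utf-8") as f:
        f.write("SECRET\n")
    return public


if __name__ == "__main__":
    public = build_demo_tree()
    print("vulnerable:", read_file(public, "../secret.txt", vulnerable_resolve), end="")
    print("hardened rejects ../secret.txt:", safe_read_rejects(public, "../secret.txt"))
```

The check runs on the canonical path, so it also catches an attacker who avoids ".." entirely and instead points at a symlink inside the web root that leads outside it; a plain string check on the raw input would not.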

Directory Traversal H1 reports


1. https://hackerone.com/reports/694141
2. https://hackerone.com/reports/333306
3. https://hackerone.com/reports/579517
4. https://hackerone.com/reports/1102067
5. https://hackerone.com/reports/959679


Articles and Blog post:


1. https://medium.com/@nerdy_researcher/directory-traversal-aka-path-traversal-c76dc7bbe61
2. https://securitylit.medium.com/everything-about-path-traversal-vulnerability-9658dd4191ee
3. https://infosecwriteups.com/finding-path-traversal-vulnerability-e2506d390569

Exploits and Payloads:


1. https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Directory%20Traversal

Open Redirect
What is Open Redirect?
An open redirect vulnerability exists when the destination of a redirect is taken from the client (for example a "next" or "returnUrl" parameter) and is not validated against an allow-list before the redirect is issued.

Types of Open Redirect vulnerability:

1. Header based Open Redirect: the server issues a 3xx response whose Location header is built from the input.
2. Javascript based Open Redirect: client-side code assigns window.location or location.href from the input.
3. Parameter based Open Redirect: the destination arrives in a query parameter such as next= or redirect_uri=, which feeds one of the two mechanisms above.

Impact of Open Redirect Vulnerability

1. Phishing: the link starts on a trusted domain, so users and mail filters trust it.
2. Stealing OAuth authorization codes or tokens when the redirect lives under a redirect_uri that the authorization server accepts.

What is root cause of Open Redirect?

Open redirect vulnerabilities arise when an application inserts user-controllable data into the target of a redirection without validating it. An attacker can then craft a URL on the trusted site that redirects to an arbitrary external domain.


Mitigations of Open Redirect

1. Validate every redirect destination on the server; never trust a destination just because it came from your own login page.
2. Do not accept full URLs as the destination at all. Accept a short name or index and map it server-side to the real URL.
3. If URLs must be accepted, keep an allow-list of trusted hosts and compare the parsed hostname exactly. Substring and prefix checks are bypassed with values such as "//evil.example", "https://trusted.example.evil.example", "https://trusted.example@evil.example" and "/\evil.example".
4. For redirects that must leave the site, send users first to an interstitial page that tells them they are leaving the website.

Hackerone reports of Open Redirect


1. https://hackerone.com/reports/504751
2. https://hackerone.com/reports/698416
3. https://hackerone.com/reports/753399
4. https://hackerone.com/reports/206591
5. https://hackerone.com/reports/125791


Articles and Blog post:


1. https://corneacristian.medium.com/top-25-open-redirect-bug-bounty-reports-5ffe11788794
2. https://safaras.medium.com/find-your-first-bug-2-open-redirect-b46aa88dbcfb
3. https://ruvlol.medium.com/1000-for-open-redirect-via-unknown-technique-675f5815e38a

Exploits and payloads:


1. https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Open%20Redirect

Server Side Request Forgery

What is SSRF or Server Side Request Forgery?


Server-side request forgery (also known as SSRF) is a
web security vulnerability that allows an attacker to
induce the server-side application to make requests
to an unintended location. In a typical SSRF attack,
the attacker might cause the server to make a
connection to internal-only services within the
organization's infrastructure. In other cases, they may
be able to force the server to connect to arbitrary
external systems, potentially leaking sensitive data
such as authorization credentials.

Impact of SSRF or Server Side Request Forgery

1. Credential leak: cloud instance metadata endpoints, internal authentication headers or the server's own outbound credentials.
2. Access to internal-only company services that sit behind the firewall and trust requests coming from the application host.
3. RCE (rare case), when a reachable internal service accepts commands or the fetched content is executed or deserialized.

Common types for SSRF

1. SSRF against the server itself, via the loopback address (127.0.0.1, localhost, [::1]).
2. SSRF against back-end systems: other hosts on the internal network that the application server can reach.
3. Blind SSRF: the response is not returned to the attacker, so the bug is detected through side effects or out-of-band interactions such as DNS or HTTP callbacks.

Root cause of SSRF vulnerability:

SSRF occurs when a web application fetches a URL on the client's behalf (webhooks, image or avatar fetchers, PDF renderers, "import from URL" features, link previews) and the input URL is not properly validated, so the attacker can point the request at a destination the server should never reach.

Mitigations of SSRF:
1. Validate the input URL: allow only http and https, a fixed set of ports, and reject credentials in the URL.
2. Resolve the hostname and reject every answer that is loopback, private, link-local (including the 169.254.169.254 metadata address) or otherwise internal; then connect to the validated address rather than resolving again, so a DNS rebinding attack cannot swap the answer between check and use.
3. Maintain an allow-list of hosts and cross-validate the parsed hostname against it; do not follow redirects blindly, since a redirect is the easiest way around a hostname check.

SSRF Hackerone Reports:


1. https://hackerone.com/reports/514224
2. https://hackerone.com/reports/341876
3. https://hackerone.com/reports/923132
4. https://hackerone.com/reports/793704


Articles and Blog post:


1. https://medium.com/geekculture/ssrf-vulnerability-from-a-developers-perspective-3d1562f29c7c
2. https://medium.com/@briskinfosec/ssrf-server-side-request-forgery-ae44ec737cb8
3. https://medium.com/techfenix/ssrf-server-side-request-forgery-worth-4913-my-highest-bounty-ever-7d733bb368cb

Exploits and payloads:


1. https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Request%20Forgery

Author’s thanks note
On 10th April 2021, I had a painful MS Teams call with a person whose name I don't want to share. That call motivated me to start working to stop privacy breaches, stalking, etc. First of all, I would like to thank that person for rejecting me or ignoring me, which eventually made me work hard on cybersecurity and privacy.

I started my infosec journey one year ago. I have found vulnerabilities on websites and reported them to more than 100 companies, including Google, Microsoft, Twitter, etc. I would like to thank everyone who has supported and motivated me till now.

Thanks for reading this book!

You can read my writeups on


Medium: https://medium.com/@harishhacker3010
You can DM me on my Instagram or Twitter if you have any doubts after reading this book!
