Web Security 2
SECURITY
CROSS-SITE SCRIPTING
CONTINUED
How to Exploit?
Find parameter
Find Input field
Check for injection
Check the context
Attempt to exploit
XSS CONTINUED
What if <script> tag is blocked in the code?
https://noobsec.notion.site/Introduction-to-XSS-By-Mehedi-Hasan-42a1a052ec80430fa7d31358f04a9fae?pvs=4
https://noobsec.notion.site/XSS-writeup-by-Mehedi-Hasan-509e4e90d90747869d589e41f6b52d27?pvs=4
XSS CONTINUED
Code Review

Code Review 1

<?php include 'includes/header.php';?>
<?php include 'includes/navbar.php';?>
<?php
if(isset($_GET['status'])) {
} else {
    header('Location:'.$_SERVER['PHP_SELF'].'?'.'status=hello');
    die;
}
?>
<?php
echo "<br>Value : ";
if(isset($_GET['status'])) {
    $status = $_GET['status'];
    echo $status; // reflected into the page with no encoding or filtering
}
?>
<?php include 'includes/footer.php';?>

Code Review 2

<?php include 'includes/header.php';?>
<?php include 'includes/navbar.php';?>
<?php
if(!isset($_GET['welcome'])) {
    header('Location: 4.php?welcome=Welcome');
}
?>
<?php
if(isset($_GET['welcome'])) {
    $welcome = $_GET['welcome'];
    // blacklist filter: removes every occurrence of each pattern in a single
    // case-sensitive pass, then echoes the result without output encoding
    $welcome = preg_replace('/script/', '', $welcome);
    $welcome = preg_replace('/img/', '', $welcome);
    $welcome = preg_replace('/alert/', '', $welcome);
    $welcome = preg_replace('/prompt/', '', $welcome);
    echo $welcome;
}
?>
<?php include 'includes/footer.php';?>
XSS CONTINUED
Impact and Prevention
Impact:
Defense:
Blind-based Injection: The output of the injected command is not displayed to the attacker and no error messages are returned, so the attacker must use another technique to determine whether the command was actually executed on the server.
COMMAND INJECTION
Steps to Exploit
Runtime.exec (Java)
Commands to try:
Windows        Linux
whoami         whoami
ver            id
ipconfig       ifconfig / ip addr
tasklist       uname -a
netstat -an    ps -ef
COMMAND INJECTION
Lab: security-vault.security-pedia.com
COMMAND INJECTION
Impact:
The impact of command injection can be devastating, allowing attackers to execute unauthorized commands with the same privileges as the vulnerable application or service. This can lead to data breaches, unauthorized access to sensitive information, manipulation or deletion of files, disruption of services, and even complete compromise of the affected system.

Defense:
Input Validation and Sanitization
Parameterized Queries
Least Privilege Principle
Input Validation on the Server and Client Side
Content Security Policy (CSP)
Web Application Firewalls (WAF)
SQL INJECTION
A SQL injection occurs when a malicious user attempts to pass
input that changes the final SQL query sent by the web application
to the database, enabling the user to perform other unintended
SQL queries directly against the database.
Union Based: Union-based SQL Injections use the UNION SQL operator
to aggregate the results of two or more SELECT queries into a single
result, which is subsequently returned as part of the HTTP response.
Example queries:
SELECT * FROM USERS LIMIT 1;
select * from users where username = 'admin';
select * from users where username != 'admin';
Some other queries: INSERT, UPDATE, DELETE

Table: users
id  username  fullname      address
1   admin     Mehedi Hasan  abc
2   tom       Bruce Lee     xyz
3   jerry     Alex Nail     axy

Let's assume another table
Table: user_details
id  fullname      address
1   Mehedi Hasan  abc
2   Bruce Lee     xyz
3   Alex Nail     axy

select id, username from users union select fullname, address from user_details;
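To show why the "Parameterized Queries" defense matters for the union technique above, here is an added Python/sqlite3 example (not from the slides or the lab). The two tables are constructed in memory from the sample rows shown, and the lookup functions and the request input are assumed for illustration.

```python
import sqlite3


def build_db():
    # Constructed in-memory copies of the slide's users and user_details tables.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (id INTEGER, username TEXT, fullname TEXT, address TEXT);
        CREATE TABLE user_details (id INTEGER, fullname TEXT, address TEXT);
        INSERT INTO users VALUES
            (1, 'admin', 'Mehedi Hasan', 'abc'),
            (2, 'tom',   'Bruce Lee',    'xyz'),
            (3, 'jerry', 'Alex Nail',    'axy');
        INSERT INTO user_details VALUES
            (1, 'Mehedi Hasan', 'abc'),
            (2, 'Bruce Lee',    'xyz'),
            (3, 'Alex Nail',    'axy');
    """)
    return db


def lookup_vulnerable(db, username):
    # Vulnerable pattern: the request value is concatenated into the SQL text,
    # so a value containing SQL changes the query the database executes.
    sql = "select id, username from users where username = '" + username + "'"
    return db.execute(sql).fetchall()


def lookup_parameterized(db, username):
    # Defense from the slide's list: a parameterized query. The value is bound
    # as data by the driver and can never become part of the SQL statement.
    sql = "select id, username from users where username = ?"
    return db.execute(sql, (username,)).fetchall()


# Assumed request input: the slide's union query, turned into a parameter value.
UNION_INPUT = "' union select fullname, address from user_details --"


def demo():
    db = build_db()
    return {
        "normal": lookup_vulnerable(db, "admin"),        # one matching user row
        "vulnerable": lookup_vulnerable(db, UNION_INPUT), # user_details rows leak into the response
        "parameterized": lookup_parameterized(db, UNION_INPUT),  # no user has that literal name
    }
```

Running demo() shows the same input returning the three user_details rows through the concatenated query and an empty result through the parameterized one.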
SQL INJECTION
How to Detect?
https://noobsec.notion.site/SQLI-Notes-8cebcebce0394e31b66e96971c32cf02?pvs=4
SQLMAP

Scenario: Using SQLMap with a login page
Description: Capture the request with Burp Suite and save it in a file (request.txt).
Example Command: sqlmap -r request.txt

Scenario: Crawling a page to find injections
Description: Execute SQLMap with the -u flag followed by the URL and --crawl=1 to enable crawling.
Example Command: sqlmap -u http://example.com --crawl=1

Scenario: Using a proxy
Description: Use the --proxy flag followed by the proxy server address to route requests through a proxy.
Example Command: sqlmap --proxy="x.x.x.x:yyyy"
SQLI LAB
SQL INJECTION
Authentication Bypass
Lab: https://juice-shop.herokuapp.com/
SQL INJECTION
Impact:
Defense:
A SIMPLE EXAMPLE