Web Attacks From Zero To Hero

Uploaded by sara omd

Lab and research by: mohammad e taheri

API: application programming interface

APIs connect applications together

Cat Facts API lab

https://github.com/alexwohlbruck/cat-facts

Use Burp to intercept the API requests, or you can use Postman

Terminology and types of API:

REST APIs:

Client-server architecture

Statelessness

Cacheability

Layered system

Use of HTTP methods (GET, POST, etc.)

Use of URIs to identify resources

Types of APIs: public, partner, private

Enumerate API:

Fuzzing: send different data and see what comes back

Burp Suite + wfuzz

You must check all API versions: for example, if the endpoint is v1, change it to v2 (and vice versa) and compare the server responses. Also check every character in the API path and parameters.

For example

GET /api/v1/resources/books?show=test HTTP/1.1

wfuzz -c -z file,/usr/share/wordlists/dirb/common.txt '<your target url>/api/v1/resources/books?show=FUZZ'

(the URL is a placeholder for your own API target)

This command returns all responses, so if we want to see only the 200 responses we can use this command:

wfuzz -c -z file,/usr/share/wordlists/dirb/common.txt --sc 200 '<your target url>/api/v1/resources/books?show=FUZZ'

Discovery from source code:

Log in to your account and check all functionality in the web site

If the source code is unreadable (minified), you can beautify it with https://beautifier.io/ and then check it for sensitive information

Difference between authentication and authorization

Authentication is who you are (your identity)

Authorization is what you are allowed to do

OWASP API Top 10 vulnerabilities:

API1 Broken object level authorization

API2 Broken user authentication

API3 Excessive data exposure

API4 Lack of resources & rate limiting

API5 Broken function level authorization

API6 Mass assignment

API7 Security misconfiguration

API8 Injection

API9 Improper assets management

API10 Insufficient logging and monitoring

API1 Broken object level authorization:

Find and exploit hidden admin functionality:

For our lab we use vAPI + Postman

Link of vAPI: https://github.com/roottusk/vapi

After installing vAPI we can import its collection into Postman like this:

Import >> Upload Files >> home >> dev >> vapi >> postman >> upload vapi.postman and vapi_env.postman

Attacking authentication:

Usually we can break authentication in two ways:

Firstly, the target is unprotected against brute force attacks

Secondly, a logic issue in the authentication

For brute force and fuzzing we use SecLists; to install it:

sudo apt install seclists

Copy the login request from Burp and go to this path:

cd temp >> vim req.txt >> change the request body from "email":"admin", "password":"admin" so that the password value becomes FUZZ

>> mousepad req.txt (basically like Notepad, but in Kali) >>

ffuf -request req.txt -request-proto http -w /usr/share/seclists/Passwords/xato-net-10-million-passwords-10000.txt -mc 200

JSON Web Token:

Each part is base64url-encoded, so we can decode it very easily

Send the request to the server with curl, so we can reach the dashboard with the token generated from our request

We can inspect a JWT with https://jwt.io/

We can change the user id from user to admin with jwt.io

So we can log in as admin with this technique

Crack token:

jwt_tool

You can download this tool from GitHub

We can copy the token from the request in Burp and paste it into jwt_tool; the result will be the same as with jwt.io: you can see the algorithm and the payload

We can use jwt_tool --help to see all functions of this app; you can copy the token from Burp Suite

You should read the JWT attack playbook

You can use the JWT Editor extension in Burp

You can click Attack and select your attack type
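An added example (not from these notes, jwt.io or jwt_tool) showing what the decode-and-edit steps above amount to, and why a correctly written verifier rejects the edited token: header and payload are plain base64url JSON that anyone can read and change, but the HMAC signature then no longer matches, and a verifier that pins the algorithm server-side also refuses the alg=none form. The secret and the claims are constructed for the demo; the token format follows the JWS spec for HS256.

```python
import base64
import hashlib
import hmac
import json
from typing import Dict, Optional, Tuple

# Constructed demo secret; a real service loads it from configuration, not source code.
SECRET = b"example-signing-key-not-for-production"


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    # JWT segments drop the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _json_segment(obj: Dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def decode_unverified(token: str) -> Tuple[Dict, Dict]:
    """What jwt.io shows: header and payload are readable without the key."""
    header_b64, payload_b64, _signature = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))


def sign_hs256(payload: Dict, secret: bytes) -> str:
    """Issue a token the way the server would (HS256 = HMAC-SHA256 over header.payload)."""
    signing_input = _json_segment({"alg": "HS256", "typ": "JWT"}) + "." + _json_segment(payload)
    signature = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(signature)


def verify_hs256(token: str, secret: bytes) -> Optional[Dict]:
    """Return the payload only if the signature checks out; otherwise None."""
    try:
        header_b64, payload_b64, signature_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        provided = b64url_decode(signature_b64)
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return None
    # Pin the algorithm server-side: the token must never choose it.
    # This is what blocks alg=none and algorithm-confusion tokens.
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, provided):
        return None
    return json.loads(b64url_decode(payload_b64))


def edit_claim(token: str, claim: str, value) -> str:
    """The jwt.io 'edit the payload' step: re-encode the payload, keep the old signature."""
    header_b64, payload_b64, signature_b64 = token.split(".")
    payload = json.loads(b64url_decode(payload_b64))
    payload[claim] = value
    return ".".join([header_b64, _json_segment(payload), signature_b64])


def with_alg_none(token: str) -> str:
    """Same payload with header alg=none and an empty signature segment."""
    _header_b64, payload_b64, _signature_b64 = token.split(".")
    return _json_segment({"alg": "none", "typ": "JWT"}) + "." + payload_b64 + "."


if __name__ == "__main__":
    token = sign_hs256({"sub": "1", "role": "user"}, SECRET)
    print("readable payload  :", decode_unverified(token)[1])
    print("edited, verified  :", verify_hs256(edit_claim(token, "role", "admin"), SECRET))
    print("alg=none, verified:", verify_hs256(with_alg_none(token), SECRET))
```

The defensive points the block demonstrates: the server, not the token, decides the algorithm; the signature is compared with a constant-time function; and a token that fails any step is treated as absent rather than partially trusted. A real verifier additionally checks `exp`, `iss` and `aud`.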

Injection:

Payload samples in APIs:

Attacks we will cover:

Fuzzing for SQLi, triggering error messages, verifying SQLi, UNION SELECT to steal data

A common authentication bypass, NoSQL injection

https://github.com/binderlabs/BASS

You can use this lab for testing the OWASP API Top 10 vulnerabilities

We can use Burp Suite Intruder for fuzzing SQL injection (please pay attention: "fuzzing sql" is just the name I gave to my wordlist)

A simple way to test for SQL injection and trigger error messages is the ' character (warning: in the real world this may not work)

We can also URL-encode the payload for testing

UNION SELECT allows us to grab data from different tables

Some databases can actually give code execution, depending on the database user, its privileges, etc.

Using ffuf for SQL:

You can download and install ffuf from this link:

https://github.com/ffuf/ffuf

Testing NoSQL injection is similar to SQL injection, but you need a different wordlist for this purpose; you can use SecLists and test the NoSQL payloads with Burp or other tools

Mass assignment:

OWASP classifies the API mass assignment vulnerability as an input validation flaw that allows attackers to perform advanced attacks by manipulating payload data. The threat arises when API endpoints save a request body as it is instead of extracting the request parameters one by one. Malicious users typically exploit the flaw to initialize or overwrite server-side parameters that the developers never intended to expose. A common development practice is to create a copy of the incoming request and save it in a database, as it seems appropriate for internal object sharing. However, this approach leads to a risky configuration, since attackers can work out the properties in the request payload and send additional parameters to change their effect on the API endpoint.
Request

POST /editdata HTTP/1.1
Host: target.com
...

username=daffa

The response

HTTP/1.1 200 OK
...

{"status":"success","username":"daffainfo","isAdmin":"false"}

Modified request

POST /editdata HTTP/1.1
Host: target.com
...

username=daffa&admin=true

The response

HTTP/1.1 200 OK
...

{"status":"success","username":"daffainfo","isAdmin":"true"}

Impact:

The main impact of a mass assignment vulnerability is linked to modifying or creating variables. Depending on the variables or objects affected, the impact can be more or less significant, ranging from the simple modification of a value with no consequence to a privilege escalation.

How to prevent

If possible, avoid using functions that automatically bind a client's input into code variables or internal objects.

Whitelist only the properties that should be updated by the client.

Use built-in features to blacklist properties that should not be accessed by clients.

If applicable, explicitly define and enforce schemas for the input data payloads.
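An added example, not from these notes or from any framework, that puts the /editdata exchange above next to the whitelist advice: the vulnerable handler binds the whole form body onto the stored user, so an extra isAdmin field lands in the record; the hardened handler copies only the allowlisted fields, one at a time, and rejects anything else. The record and the field names are constructed to match the request/response shown above.

```python
from typing import Any, Dict
from urllib.parse import parse_qsl

# Fields a client may change on its own profile; everything else is server-controlled.
CLIENT_WRITABLE = {"username", "email"}


def parse_form_body(body: str) -> Dict[str, str]:
    """Decode an application/x-www-form-urlencoded body such as username=daffa&admin=true."""
    return dict(parse_qsl(body, keep_blank_values=True))


def stored_user() -> Dict[str, Any]:
    """Constructed sample row, shaped like the response in the notes."""
    return {"username": "daffa", "email": "daffa@example.com", "isAdmin": False}


def edit_data_vulnerable(record: Dict[str, Any], body: str) -> Dict[str, Any]:
    """The /editdata pattern: the whole request body is bound onto the stored object."""
    record.update(parse_form_body(body))
    return record


def edit_data_hardened(record: Dict[str, Any], body: str) -> Dict[str, Any]:
    """Allowlist: copy only the expected fields, each after its own validation."""
    fields = parse_form_body(body)
    unexpected = set(fields) - CLIENT_WRITABLE
    if unexpected:
        # Reject instead of silently dropping, so the attempt is visible in logs.
        raise ValueError(f"unexpected fields: {sorted(unexpected)}")
    if "username" in fields:
        username = fields["username"]
        if not (3 <= len(username) <= 32) or not username.isalnum():
            raise ValueError("invalid username")
        record["username"] = username
    if "email" in fields:
        if "@" not in fields["email"]:
            raise ValueError("invalid email")
        record["email"] = fields["email"]
    return record


def hardened_rejects(body: str) -> bool:
    """True if the hardened handler refuses this body (used by the checks below)."""
    try:
        edit_data_hardened(stored_user(), body)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable:", edit_data_vulnerable(stored_user(), "username=daffainfo&isAdmin=true"))
    print("hardened  :", edit_data_hardened(stored_user(), "username=daffainfo"))
    print("rejected  :", hardened_rejects("username=daffainfo&isAdmin=true"))
```

The schema-enforcement item from the list above is the same idea expressed declaratively: a JSON schema or framework serializer with `additionalProperties: false` plays the role of the `unexpected` check here.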

For testing mass assignment you can use this lab:

https://portswigger.net/web-security/api-testing/lab-exploiting-mass-assignment-vulnerability

SSRF:

A vulnerability that allows an attacker to have a server-side application send requests on their behalf
Access control:

Also known as authorization

In a nutshell: it is what you are allowed to do

A common finding in modern and complex applications

Different types of access control exist:

Horizontal, vertical and context-dependent

Typical access control issues:

Forceful browsing

IDOR / BOLA / BFLA

Trusting user input

IDOR:

Sometimes applications use user-supplied input to access objects directly.

Often used to access information of other objects (e.g. another user's account information)

May need to be combined with another weakness if the object id is not easy to guess or brute force

Can also impact files and work in various other contexts

Known as BOLA in APIs

IDOR is used when we access objects directly. BFLA or BAC is used when we can abuse functionality, such as updating the account of another user

Lab: PortSwigger "Unprotected admin functionality"

WebSocket history extension in Burp

Weak access control:

Sometimes applications will use input we can control for access control decisions, such as HTTP methods or headers

We should check whether modifying the HTTP request leads to different behavior:

HTTP method

Headers (e.g. Referer, X-Original-URL)

Comparing requests between different users may help us uncover weaknesses such as these.
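An added example, not from these notes or from PortSwigger's labs, contrasting the three issues just listed with their server-side checks: an IDOR/BOLA lookup that trusts the id in the URL versus one that checks object ownership, and an admin function that trusts client headers (the "weak access control" case) versus one that uses the server-side role. The accounts, users and roles are constructed sample data.

```python
from typing import Any, Dict

# Constructed sample data: two accounts and three users with server-side roles.
ACCOUNTS = {
    1001: {"id": 1001, "owner": "alice", "balance": 120},
    1002: {"id": 1002, "owner": "bob", "balance": 3400},
}
USERS = {"alice": "user", "bob": "user", "carol": "admin"}


class Forbidden(Exception):
    """Raised when the caller may not perform the request."""


def get_account_idor(current_user: str, account_id: int) -> Dict[str, Any]:
    """IDOR / BOLA: the id from the URL is used directly; ownership is never checked."""
    return ACCOUNTS[account_id]


def get_account_checked(current_user: str, account_id: int) -> Dict[str, Any]:
    """Object-level authorization: the caller must own the record or hold the admin role."""
    record = ACCOUNTS.get(account_id)
    # One outcome for 'missing' and 'not yours', so ids cannot be enumerated by status code.
    if record is None or (record["owner"] != current_user and USERS.get(current_user) != "admin"):
        raise Forbidden("not found")
    return record


def admin_panel_weak(current_user: str, headers: Dict[str, str]) -> bool:
    """Weak control: the decision rests on request headers the client fully controls."""
    return headers.get("Referer", "").endswith("/admin") or headers.get("X-Original-URL") == "/admin"


def admin_panel_checked(current_user: str, headers: Dict[str, str]) -> bool:
    """Function-level authorization (BFLA fix): only the server-side role counts."""
    return USERS.get(current_user) == "admin"


def is_denied(fn, *args) -> bool:
    """Helper for the checks below: True if fn raises Forbidden."""
    try:
        fn(*args)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    print("idor   :", get_account_idor("alice", 1002))
    print("checked:", is_denied(get_account_checked, "alice", 1002))
    print("weak   :", admin_panel_weak("alice", {"Referer": "https://app.example/admin"}))
    print("role   :", admin_panel_checked("alice", {"Referer": "https://app.example/admin"}))
```

The "compare requests between different users" technique from the notes maps directly onto these functions: the same request issued as alice and as bob should be denied for the account the caller does not own, whatever headers or method the request carries.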
SSRF:

SSRF occurs when a server-side application makes requests on our behalf. For example:

With an SSRF payload we can potentially make an external-facing website send requests to internal resources that we have no direct access to

Blind SSRF:

As with all blind attacks, the server is carrying out some action, but the result or data is not included in the HTTP response
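An added example, not from these notes, of the server-side check that closes the gap described above: before the application fetches a user-supplied URL it restricts the scheme, refuses embedded credentials, resolves the host and rejects any address in an internal range, which is exactly the "internal resources we have no direct access to" that SSRF reaches. The resolver is injectable so the check runs offline; the host names and addresses in the checks are constructed.

```python
import ipaddress
import socket
from typing import Callable
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def is_internal_address(ip: str) -> bool:
    """True for loopback, RFC 1918, link-local (cloud metadata lives there), reserved and similar."""
    addr = ipaddress.ip_address(ip)
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_reserved or addr.is_multicast or addr.is_unspecified)


def check_outbound_url(url: str, resolve: Callable[[str], str] = socket.gethostbyname) -> str:
    """Validate a user-supplied URL before the server fetches it; returns the IP to connect to.

    Raises ValueError for anything that must not be fetched. `resolve` defaults to a real
    DNS lookup and is injectable for offline checks.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if not parts.hostname:
        raise ValueError("missing host")
    if parts.username or parts.password:
        raise ValueError("credentials in URL not allowed")
    ip = resolve(parts.hostname)  # IP literals resolve to themselves
    if is_internal_address(ip):
        raise ValueError(f"{parts.hostname} resolves to internal address {ip}")
    return ip


def is_blocked(url: str, resolve: Callable[[str], str]) -> bool:
    """Helper for the checks below: True if the URL is refused."""
    try:
        check_outbound_url(url, resolve)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed resolver table standing in for DNS.
    table = {"app.example.com": "93.184.216.34", "metadata.internal": "169.254.169.254"}
    fake = lambda host: table.get(host, host)
    for candidate in ("https://app.example.com/api", "http://metadata.internal/", "http://127.0.0.1:8080/"):
        print(candidate, "blocked" if is_blocked(candidate, fake) else "allowed")
```

Two caveats a practitioner should carry over: connect to the IP the check returned (sending the original Host header) rather than resolving again, otherwise a DNS answer that changes between check and fetch bypasses the filter; and follow redirects manually, re-running the check on every hop, since a public site can redirect the fetcher to an internal address.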
SQL injection:

SQL injection allows us to manipulate the queries that are made to a database and typically leads to:

Exposure of sensitive data

Data manipulation

Denial of service

Discovery:

Manual payloads

Code review

Fuzzing

Dynamic queries vs parameterized queries vs stored procedures (the first example is PHP code, the second is Java, and the third is JavaScript)

ORM (object relational mapping)

ORM is a programming technique that allows developers to manipulate database data as objects rather than dealing with SQL queries directly. ORM acts as a bridge between the object-oriented world of application code and the relational world of databases, automating the tedious task of converting data between the two systems.

SQLi and ORM:

Lab:

We can add our payload and send the request to Intruder for testing parameters and finding SQL vulnerabilities, and send it to Repeater for testing manual payloads.

Using sqlmap for extracting the database

Blind SQLi:

The target application is vulnerable to SQL injection; however, the response does not contain the results of the query. Union attacks become ineffective, as they rely on seeing the results. Instead, we can use conditional responses to extract information.
NoSQL:

NoSQL databases are designed to store, retrieve, and manage large volumes of data that do not fit well in traditional relational databases. They are known for their flexibility, scalability, and high performance.

Types of NoSQL databases: document stores (MongoDB), key-value stores (Redis), wide-column stores (Cassandra), and graph databases (Neo4j)

Flexibility:

NoSQL databases do not require a fixed schema, allowing the structure of the data to change over time

Scalability:

Designed to scale out by using distributed architectures, making them suitable for cloud-based applications

Use cases: big data applications, real-time web apps, IoT devices, and more

https://mongoplayground.net

You can emulate and develop NoSQL code on this website

You can use the PortSwigger labs for testing real-world scenarios

You can use the PortSwigger labs for solving challenges, or the OWASP Broken Web Applications project

What is prevention:
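An added example, not from these notes or from MongoDB, for the prevention heading above. The authentication-bypass payloads the injection section mentions work because a JSON body that is passed straight into a document-store query lets an object such as `{"$ne": ""}` become a query operator instead of a value. The block uses a small in-memory matcher as a stand-in for MongoDB filter semantics (equality, `$ne`, `$gt` only; this is an assumption of the demo, not the real engine), shows the unchecked login matching with an operator, and the hardened login that rejects operator keys at any depth and insists on string credentials. The user collection is constructed; real systems compare password hashes, not plain strings.

```python
from typing import Any, Dict, List, Optional

# Constructed sample collection standing in for a MongoDB users collection.
USERS: List[Dict[str, Any]] = [
    {"username": "admin", "password": "correct-horse", "role": "admin"},
    {"username": "dave", "password": "battery-staple", "role": "user"},
]


def _matches(doc: Dict[str, Any], query: Dict[str, Any]) -> bool:
    """Tiny stand-in for MongoDB filter matching: equality, $ne and $gt."""
    for field, cond in query.items():
        value = doc.get(field)
        if isinstance(cond, dict):
            for op, arg in cond.items():
                if op == "$ne":
                    ok = value != arg
                elif op == "$gt":
                    ok = value is not None and value > arg
                else:
                    raise ValueError(f"unsupported operator {op}")
                if not ok:
                    return False
        elif value != cond:
            return False
    return True


def find_one(query: Dict[str, Any]) -> Optional[Dict[str, Any]]:
    return next((u for u in USERS if _matches(u, query)), None)


def login_vulnerable(body: Dict[str, Any]) -> Optional[Dict[str, Any]]:
    """Passes the parsed JSON body straight into the query, so objects become operators."""
    return find_one({"username": body.get("username"), "password": body.get("password")})


def reject_operators(value: Any, path: str = "body") -> None:
    """Refuse any object key starting with '$' at any depth (the mongo-sanitize idea)."""
    if isinstance(value, dict):
        for key, inner in value.items():
            if key.startswith("$"):
                raise ValueError(f"operator key {key!r} not allowed at {path}")
            reject_operators(inner, f"{path}.{key}")
    elif isinstance(value, list):
        for i, item in enumerate(value):
            reject_operators(item, f"{path}[{i}]")


def login_hardened(body: Dict[str, Any]) -> Optional[Dict[str, Any]]:
    """Two layers: no operator keys anywhere, and credentials must be plain strings."""
    reject_operators(body)
    username, password = body.get("username"), body.get("password")
    if not isinstance(username, str) or not isinstance(password, str):
        raise ValueError("username and password must be strings")
    return find_one({"username": username, "password": password})


def hardened_rejects(body: Dict[str, Any]) -> bool:
    """Helper for the checks below: True if the hardened login refuses the body."""
    try:
        login_hardened(body)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable:", login_vulnerable({"username": "admin", "password": {"$ne": ""}}))
    print("hardened  :", hardened_rejects({"username": "admin", "password": {"$ne": ""}}))
```

The type check alone already stops the login case; the recursive operator scan is there for endpoints that legitimately accept nested objects, where an operator key can hide several levels down.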

XXE injection (XML External Entities):

Example of XML:

DTD (document type definition):
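The XML and DTD examples referred to above are not on this page; as an added example that is not part of these notes, the block below shows what a DTD entity does (a plain ElementTree parse expands an internally declared entity into the output) and the parser-independent mitigation: refuse any input that carries a DOCTYPE, since that is the only place entities, internal or external, can be declared. The sample documents are constructed; the SYSTEM identifier in the external-entity sample is a placeholder path, and that document is only ever shown being rejected.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: an XML document with an internal DTD declaring one entity.
SAMPLE_WITH_DTD = b"""<?xml version="1.0"?>
<!DOCTYPE note [
  <!ENTITY greeting "hello from the DTD">
]>
<note><body>&greeting;</body></note>"""

# Constructed sample of the shape an XXE payload takes: the entity points outside the document.
SAMPLE_EXTERNAL = b"""<?xml version="1.0"?>
<!DOCTYPE note [
  <!ENTITY ext SYSTEM "file:///placeholder/path">
]>
<note><body>&ext;</body></note>"""

SAMPLE_PLAIN = b"<note><body>no entities here</body></note>"

# A DTD is the only place entities can be declared, so its presence is the signal.
DOCTYPE_RE = re.compile(rb"<!DOCTYPE", re.IGNORECASE)


def body_text_naive(xml_bytes: bytes) -> str:
    """Plain ElementTree: entities from an internal DTD are expanded into the output."""
    root = ET.fromstring(xml_bytes)
    return root.findtext("body") or ""


def parse_safe(xml_bytes: bytes) -> ET.Element:
    """Refuse any document carrying a DOCTYPE before it reaches the parser."""
    if DOCTYPE_RE.search(xml_bytes):
        raise ValueError("DOCTYPE/DTD not allowed in input")
    return ET.fromstring(xml_bytes)


def body_text_safe(xml_bytes: bytes) -> str:
    return parse_safe(xml_bytes).findtext("body") or ""


def safe_rejects(xml_bytes: bytes) -> bool:
    """Helper for the checks below: True if parse_safe refuses the document."""
    try:
        parse_safe(xml_bytes)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("naive, with DTD :", body_text_naive(SAMPLE_WITH_DTD))
    print("safe, plain     :", body_text_safe(SAMPLE_PLAIN))
    print("safe, external  :", safe_rejects(SAMPLE_EXTERNAL))
```

Rejecting the DOCTYPE outright is deliberately blunt: it also stops entity-expansion denial of service (the "billion laughs" case) and does not depend on which parser or expat version sits underneath. Where DTDs must be accepted, use a parser configured to disable entity and external resolution (in Python, the defusedxml package wraps the standard parsers with those defaults).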
XSS / JavaScript injection

Types of XSS:

XSS contexts:

Tools:

Offensive JavaScript:

Reference: MDN

Bypassing web application firewalls:

You can check more payloads on this site:

https://cheatsheetseries.owasp.org/cheatsheets/XSS_Filter_Evasion_Cheat_Sheet.html

JWT (JSON Web Token):

jwt.io + Burp

JWT misconfiguration:

You can download this tool from GitHub

Select >> Attack >> Embedded JWK >>

Grab the cookie and paste it in place of the cookie in the source code (Ctrl+Shift+C); in Application, select the cookie and paste

Mass assignment:

Example:

Identify parameters:

How we can find and exploit the vulnerability:

Web Sockets:
