
WEB APPLICATION PEN-TESTING COURSE
WHO AM I?

Mohamed Sayed

• Also known as FlEx.

• Cyber Security Engineer @ CyShield.

• I also make videos about hacking on Youtube.

• [Small] Bug Hunter.


DAY 1
WHAT IS A VULNERABILITY?
DAY 1 CONTENT
• Web Technologies.

• HTTP Headers.

• CIA Triad.

• Hashing, Encryption, Encoding.

• Using web Proxies (burp).

• Basic Attacks
WEB TECHNOLOGIES
● HTML

● JS

● XML

● JSON

● Databases (MySQL, SQLite, ...)

● Programming languages (PHP, .NET, Java, etc.)


WEB TECHNOLOGIES (HTML)
HTML stands for HyperText Markup Language; it is used to create web pages and describes the structure of a web page.

● HTML: https://www.youtube.com/playlist?list=PLDoPjvoNmBAwClZ1PDcjWilxp9YERUbNt
WEB TECHNOLOGIES (JS)
JavaScript is a scripting language that enables you to create dynamically updating content.

● JS: https://www.youtube.com/playlist?list=PLDoPjvoNmBAw6p0z0Ek0OjPzeXoqlFlCh
WEB TECHNOLOGIES (XML)
XML stands for eXtensible Markup Language; it looks like HTML and is used to store and transport data.
WEB TECHNOLOGIES (JSON)
JSON stands for JavaScript Object Notation, a simple way to store and transport data that is easy to understand.
WEB TECHNOLOGIES (DB)
A database is an organized collection of data.

● MySQL: https://www.youtube.com/playlist?list=PLDoPjvoNmBAz6DT8SzQ1CODJTH-NIA7R9

● SELECT
● FROM
● WHERE
● UNION
WEB TECHNOLOGIES (PROGRAMMING LANG)
A programming language is a formal language used to write programs.

● PHP: https://www.youtube.com/playlist?list=PLDoPjvoNmBAzH72MTPuAAaYfReraNlQgM
HTTP HEADERS
CIA TRIAD

● Confidentiality
Prevent private information from unauthorized access.

● Integrity
Data must not be changed in transit, and steps must be taken to ensure data cannot be altered by unauthorized people.

● Availability
The web site must remain reachable for its users.
HASHING, ENCRYPTION, ENCODING

● Hashing
A one-way function; the hash is not reversible.

● Encryption
Converts plaintext to ciphertext; a key is used to encrypt and decrypt.

● Encoding
Converts plaintext to another format; it is reversible and needs no key.
HASHING

Plain text: Test -> Hash function (MD5) -> Hashed text: 098f6bcd4621d373cade4e832627b4f6


ENCRYPTION

Unencrypted plain text message: Test
-> Encrypt with key -> Encrypted ciphertext: wD2+mxZmuS7jzu0BvbgxBnq7xPigMceTVN8Xw9Ejeik=
-> Decrypt with key -> Decrypted plain text message: Test


ENCODING

Plain text: Test -> Encoding function (Base64) -> Encoded text: dGVzdA==


BURP SUITE
ATTACKS
● Clickjacking

● CORS Attack

● Open redirect

● JSON With Padding


CLICKJACKING
● https://medium.com/@raushanraj_65039/clickjacking-in-google-docs-and-voice-typing-feature-c481d00b020a

● https://hackerone.com/reports/1144081

● https://samy.pl/quickjack/quickjack.html

● https://portswigger.net/web-security/clickjacking/lab-basic-csrf-protected
CORS MISCONFIGURATION ATTACK

Parties: Victim, Attacker, Target Website

1. The attacker sends the malicious script to the victim.
2. The victim's browser executes the malicious script.
3. The script requests the target website, which responds with the data because its CORS headers reflect the origin and allow credentials (CORS Origin, Credentials allowed).
4. The script relays the data to the attacker (Replay Data).
CORS

● https://hackerone.com/reports/1016744

● https://portswigger.net/web-security/cors/lab-basic-origin-reflection-attack
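The server side of the decision in the diagram above, as an added example that is not part of the course material: a CORS handler that uses an allow-list instead of reflecting whatever Origin arrives, shown next to the reflecting version that makes the attack possible. The origins are placeholders.

```javascript
// Added example (not from the course slides): allow-listed CORS vs origin reflection.
// https://app.test and https://admin.app.test are placeholder origins.
const ALLOWED_ORIGINS = new Set(['https://app.test', 'https://admin.app.test']);

// Returns the CORS response headers to set for this request, or {} (no CORS
// headers at all, so the browser refuses the cross-origin read).
function corsHeadersFor(requestOrigin) {
  if (typeof requestOrigin !== 'string') return {};
  // "null" is a real Origin value (sandboxed iframes, data: URLs, some redirects)
  // and must never be allow-listed, least of all together with credentials.
  if (requestOrigin === 'null') return {};
  // Exact match only: no regex, no endsWith('app.test') (which would pass
  // https://evilapp.test) and no prefix test (which would pass https://app.test.evil.test).
  if (!ALLOWED_ORIGINS.has(requestOrigin)) return {};
  return {
    'Access-Control-Allow-Origin': requestOrigin,   // echoed only after the allow-list check
    'Access-Control-Allow-Credentials': 'true',     // acceptable only because the origin is specific
    'Vary': 'Origin',                               // shared caches must key the response on Origin
  };
}

// The misconfiguration from the diagram, kept for contrast: reflect any Origin
// and allow credentials, so any site the victim visits can read their data.
function reflectingCorsHeaders(requestOrigin) {
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
  };
}
```

When testing a target, the reflecting behaviour is what the PortSwigger lab above demonstrates; when fixing one, the allow-listed function is the shape the server code should take.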
OPEN REDIRECT
● XSS [javascript:, data: schemes]

● Using #

● Using [\, \\]

● Using @

● Modifying the top-level domain [TLD]

● Without // [http:google.com]

● https://hackerone.com/reports/396295
JSON WITH PADDING
● Leak Credit card numbers [https://hackerone.com/reports/941718]

● Bypass SOP with JSONP [https://hackerone.com/reports/10373]

● https://flex0geek.blogspot.com/2019/04/steal-some-json-response-by-jsonp.html
TASKS
● Tell me about security headers

● Examples with information for hashing, encryption and encoding

● What are magic hashes?

● What can I do with an open redirect?

● Read 2 reports
DAY 2
● LFI / RFI

● Path Traversal / LFD

● Cross Site Request Forgery (CSRF)

● HTTP Host Header Injection

● XSS

● Using vulnerable components.


LFI & RFI
● Difference between LFI & path traversal

● LFI to RCE [http://18.192.3.151/join-team/ CyberTalent challenge]


PATH TRAVERSAL & LFD
● What is path traversal and how it differs from LFI.

● https://portswigger.net/web-security/file-path-traversal/lab-simple

● https://portswigger.net/web-security/file-path-traversal/lab-absolute-path-bypass
CSRF

Exploit page -> sends the request -> Vulnerable page: changes the email when it receives the request.
CSRF
● No CSRF Token

● Weak CSRF Token

● Check content type

● Check Referer Header [?, same path]

● https://flex0geek.blogspot.com/2019/04/critical-ibm-bypass-csrf-protection.html
CSRF TOKEN BYPASS
● Removing Anti-CSRF Token

● No check for the user’s Token

● Weak Token

● Reusable tokens

● Change request method

● Guessable tokens

● Bypass referer
HOST HEADER INJECTION

1. Use the forgot-password function.
2. Catch the request.
3. Change the Host header value to your domain.
4. If the link sent to the victim carries your domain, the function is vulnerable (vulnerable = true).
5. The victim opens the link, and the token is sent to your domain.
XSS
● XSS in [Attribute, JS variable, Blind, DOM, Direct HTML, XSS in Link]

● Reflected XSS

○ https://hackerone.com/reports/838910

● Stored XSS

○ https://bugcrowd.com/submissions/aebed3b9459704fa9daaa9fdda3450a60c2bec44fae34e2600ce3a547800f0a0

○ https://bugcrowd.com/submissions/5275ad4bba20545f09b18de9d6ddce572d456f8eb485e4ce19e9aee53f8f9120

● DOM XSS

● Blind XSS
USE VULNERABLE COMPONENTS
● CVEs

● PHP Type Juggling = Magic Hash

● PHP-8.0.1 dev
TASKS
● https://xss-game.appspot.com/

● http://23.239.9.22/queryMe/

● http://18.192.3.151/join-team/

● Read 2 reports
DAY 3
● SQL Injection.

● SSRF

● XML External Entities (XXE).

● APIs

● PostMessage.
SQL INJECTION
● General

● Blind

○ Time based

○ Boolean based
SQL INJECTION
● Database

● Table

● Column

● Query
SQL QUERIES
● UNION

● SELECT

● FROM

● Information_schema [tables,columns]

● WHERE & HAVING

● LIKE

● Comment [#, --, /**/]

● version()

● database()
SSRF
SSRF
● Internal Networks

● Basic SSRF Attack

● Blind SSRF Attack


SSRF
● http://domain.com:port

● 127.0.0.1 | localhost

● https://portswigger.net/web-security/ssrf/lab-basic-ssrf-against-localhost

● https://portswigger.net/web-security/ssrf/lab-basic-ssrf-against-backend-system

● https://portswigger.net/web-security/ssrf/lab-ssrf-with-blacklist-filter
XXE
The first line contains the metadata (the XML declaration).

The second line contains the opening tag of the root element.

The third and fourth lines are children of the root element.

The fifth line closes the root element.

Not allowed:

1. Tag names are case sensitive, so an opening and closing tag must match exactly.

2. ' " > < are not allowed directly in the XML document.
Entity: think of it as a variable.

A Document Type Definition (DTD) defines the entities.


ENTITY TYPES
● General

We saw this type in the previous example.

● Parameter

This type exists only inside the DTD and is useful for creating an entity whose value is another entity.

● Predefined

This type provides predefined values for characters that would otherwise break the syntax, for example &#x3C; for (<).
FEATURES WE CAN USE
1. Using the SYSTEM keyword we can declare an external entity.

2. XML accepts any valid URI as the entity's source.


TYPES
• In-band

• The common type, which displays the output on the screen.

• Error based

• The parser processes the XML and you only see errors.

• Out of band (OOB)

• This type is blind, without any errors or results; you make some requests to check it.
EXPLOIT
In-band type: send the payload in the request -> the vulnerable function parses the payload -> the result is printed.

Error based: send the payload in the request -> the vulnerable function parses the payload -> an error is returned that contains the result.
EXPLOIT
Error Based Example

If we send a payload like this,

the output appears in the error like this.


EXPLOIT
OOB type: send the payload in the request -> the vulnerable function parses the payload -> no result is printed, but the payload is executed.
INFORMATION LEAK
● https://portswigger.net/web-security/information-disclosure/exploiting/lab-infoleak-via-backup-files

● https://portswigger.net/web-security/information-disclosure/exploiting/lab-infoleak-on-debug-page

● https://hackerone.com/reports/1267743

● https://hackerone.com/reports/823454
APIS
● RESTful API

○ Common

○ Use JSON

● GraphQL

○ New

○ Uses a custom query.

○ Single endpoint control all API

● SOAP

○ Less common

○ Uses XML
POSTMESSAGE
EXPLAIN POSTMESSAGE
We can use postMessage with an iframe or a pop-up.

To create an event listener, we give it a name and a function to call when it is used; this function takes the value from postMessage and performs its actions.

message.origin displays the origin that sent the message.

message.data displays the sent value.

We can use the following to check and validate the origin before taking the value, but the check has an issue and could be bypassed.
EXPLOIT POSTMESSAGE
Vulnerable page: has a listener.
Exploit page: sends a postMessage with a malicious value, such as an XSS payload.

The vulnerable page is loaded in an iframe, and the pages communicate using postMessage.
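A message listener with a strict origin check, as an added example that is not part of the course material, shown beside the two weak origin checks that a listener like the one described above typically gets wrong. The window object is passed in as a parameter so the listener logic can be exercised outside a browser; https://app.test is a placeholder trusted origin.

```javascript
// Added example (not from the course slides): postMessage origin validation,
// strict version next to the weak versions. TRUSTED_ORIGINS holds placeholders.
const TRUSTED_ORIGINS = new Set(['https://app.test']);

// Weak check 1: substring match. Passes any origin that merely contains the
// trusted host name, e.g. https://app.test.evil.test or https://evil.test/?app.test
function weakContainsCheck(origin) {
  return origin.indexOf('app.test') !== -1;
}

// Weak check 2: prefix match with no boundary. Passes https://app.test.evil.test.
function weakPrefixCheck(origin) {
  return origin.startsWith('https://app.test');
}

// Strict check: the origin string must equal an allow-listed origin exactly
// (scheme, host and port). No pattern matching of any kind.
function isTrustedOrigin(origin) {
  return TRUSTED_ORIGINS.has(origin);
}

// Registers the listener on `win` (the window object, injected so this can run
// in Node). `handle` receives only messages that pass the origin check and
// have the expected shape. Returns the list of rejected messages.
function registerListener(win, handle) {
  const rejected = [];
  win.addEventListener('message', (event) => {
    if (!isTrustedOrigin(event.origin)) {
      rejected.push({ origin: event.origin, reason: 'origin' });
      return;
    }
    // Even from a trusted origin, event.data is untrusted input: accept only a
    // plain object with a string `text` field, and never hand it to innerHTML,
    // eval() or a URL sink.
    const data = event.data;
    if (typeof data !== 'object' || data === null || typeof data.text !== 'string') {
      rejected.push({ origin: event.origin, reason: 'shape' });
      return;
    }
    handle(data.text);
  });
  return rejected;
}
```

When the listener replies, it should do so with `event.source.postMessage(reply, event.origin)` rather than a `'*'` target origin, so the answer cannot be read by a page that was not the verified sender.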
TASKS
● Our application blocks [information_schema]; what can we do?

● Write a script for time-based blind SQLi.

● Read 2 Reports
DAY 4
● Brute force Attacks.

● Authentication VS Authorization.

● Broken Authentication.

● IDOR

● Insecure Deserialization.
BRUTE FORCE ATTACKS
● Weak passwords

● Bypass OTP

● DOS and block accounts


AUTHENTICATION VS AUTHORIZATION
● Authentication

○ Who you are?

● Authorization

○ What you can do?


BROKEN AUTHENTICATION
● Bypass 2FA

○ Brute Force

○ 2FA code Reusability

○ Code back in response

○ Edit Response

○ Use Another user’s code

● Broken Logic of Password reset function.

● Default credentials

○ https://hackerone.com/reports/699030
BROKEN ACCESS CONTROL
● Vertical access controls VS Horizontal access controls

● IDOR

● Force Browsing
VERTICAL / HORIZONTAL ACCESS CONTROLS
● Vertical

○ Restrict access to sensitive functionality that is not available to other types of users.

● Horizontal

○ Restrict access to resources to the users who are specifically allowed to access those resources.
IDOR

User 1000 -> Change email of user 1000 -> 200 OK
User 1000 -> Change email of user 1001 -> 200 OK
TYPES OF IDORS
● Typical IDOR

○ User A tries to access the data of User B.

● Unauthenticated IDOR

○ Access the endpoint without a cookie.

● Permission IDOR

○ Check the admin endpoints as a normal user.
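One object-level authorization decision covering all three IDOR types listed above, as an added example that is not part of the course material. The user table, session and request are plain objects standing in for the real store and framework; the user ids follow the 1000/1001 example from the IDOR slide.

```javascript
// Added example (not from the course slides): authorization for the
// "change email of user N" endpoint. USERS is constructed sample data.
const USERS = new Map([
  [1000, { id: 1000, email: 'a@app.test', role: 'user' }],
  [1001, { id: 1001, email: 'b@app.test', role: 'user' }],
  [1,    { id: 1,    email: 'admin@app.test', role: 'admin' }],
]);

// The id in the URL says WHICH record; the session says WHO is asking.
// The two are compared here, and nowhere is the URL trusted for identity.
function authorizeEmailChange(session, targetUserId) {
  // Unauthenticated IDOR: no cookie / no session at all.
  if (!session || !Number.isInteger(session.userId)) return { allowed: false, reason: 'unauthenticated' };
  const actor = USERS.get(session.userId);
  if (!actor) return { allowed: false, reason: 'unknown-actor' };
  if (!USERS.has(targetUserId)) return { allowed: false, reason: 'not-found' };
  // Own record: always fine.
  if (actor.id === targetUserId) return { allowed: true, reason: 'self' };
  // Permission (vertical) IDOR: acting on others is an admin capability.
  if (actor.role === 'admin') return { allowed: true, reason: 'admin' };
  // Typical (horizontal) IDOR: user A on user B's record.
  return { allowed: false, reason: 'forbidden' };
}

// Handler: target id from the request path, actor from the session.
function changeEmailHandler(session, req) {
  const targetId = Number(req.params.id);
  const decision = authorizeEmailChange(session, targetId);
  if (!decision.allowed) {
    // 401 for no session; otherwise the same 404 for "not yours" and "does not
    // exist", so the endpoint does not confirm which ids are valid.
    return { status: decision.reason === 'unauthenticated' ? 401 : 404 };
  }
  const user = USERS.get(targetId);
  user.email = req.body.email;
  return { status: 200, email: user.email };
}
```

The slide's failing case, user 1000 changing user 1001's email, gets a 404 from this handler instead of the 200 OK shown in the diagram.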


IDOR
● https://hackerone.com/reports/391092

● https://hackerone.com/reports/887387

● https://hackerone.com/reports/845733
FORCE BROWSING
● https://hackerone.com/reports/565736
WHAT IS SERIALIZATION?
INSECURE DESERIALIZATION
● PHP

● Java

● .NET

○ JSON

○ XML

○ Binary
PHP SERIALIZATION
.NET SERIALIZATION
INSECURE DESERIALIZATION
● http://35.197.254.240/wantbiscuits/

● https://portswigger.net/web-security/deserialization/exploiting/lab-deserialization-modifying-serialized-objects

● https://portswigger.net/web-security/deserialization/exploiting/lab-deserialization-modifying-serialized-data-types

● https://portswigger.net/web-security/deserialization/exploiting/lab-deserialization-exploiting-java-deserialization-with-apache-commons
TASKS
● Read 2 Reports.

● Solve Labs and tell me about issues.


DAY 5
● File Upload.

● OAuth Misconfigurations.

● Server Side Template Injection.


FILE UPLOAD
● Shell

● Filter bypass

● XSS

○ SVG

○ PDF

○ HTML
FILE UPLOAD BYPASS
● Blacklist

○ Try non-common extensions

● Whitelist

○ Try double extensions

○ NULL byte

○ Change Content-Type

● Magic Bytes
OAUTH

Client application: the web app that wants to access the user's data.

Resource owner: the user.

OAuth service provider: the application that controls the user's data and access to it.

Parameters:

redirect_uri
code
state
HOW IT WORKS (OAUTH)
Parties: Client App, User-Agent, Resource Owner (User), OAuth service, API.

1. Auth request: the client app sends the user-agent to the OAuth service (/Auth).
2. The resource owner logs in and gives consent.
3. Access token: returned to the client app (/oauth-login).
4. API call: the client app calls the API (/info) with the token.
5. Data: the API returns the user's data.
OAUTH MISCONFIGURATION
● Open redirect with OAuth

● CSRF with OAuth


OPEN REDIRECT IN OAUTH
CSRF IN OAUTH
Parties: Client App, User-Agent, Resource Owner (User), OAuth service, API.

1. Auth request: the client app sends the user-agent to the OAuth service (/Auth).
2. The resource owner logs in and gives consent.
3. Access token & connect social account: returned to the client app (/oauth-login).
4. API call: the client app calls the API (/info) with the token.
5. Data: the API returns the user's data.
SERVER SIDE TEMPLATE INJECTION

● Docker Machine
DAY 6
● Common mitigations of vulnerabilities.

● Reporting.

● Risk calculation (CVSS)

● Skills

● Next Step
WRITING A GOOD REPORT

● Choose a good title for the vulnerability.

● Explain the finding.

● Risk and Impact [Business impact]

● Recommendations

● Proof-of-Concept

● References

● Ref [https://github.com/juliocesarfort/public-pentesting-reports]
SKILLS

● Scripting / writing code


● Write reports
● Dealing with clients
● Soft Skills
● Understand web technologies

○ Protocols

○ HTML / HTML5

○ Data formats (JSON, XML, CSV)

○ Web frameworks

○ Programming languages (PHP, JS, etc.)


IMPROVE YOURSELF & NEXT STEP

● PortSwigger

● PentesterLab

● Increase your knowledge [reading * 1000] | H1 Reports

● Practice

● Targets
THANK YOU

Talk to me if you need anything.

• Facebook: @flex0geek

• Twitter: @flex0geek

• Linkedin: @flex0geek

• Blog: https://flex0geek.blogspot.com/

• Youtube: http://youtube.com/c/HackWizFlEx/
