APPLICATION PEN-TESTING COURSE
WHO AM I?
● HTTP Headers.
● CIA Triad.
● Basic Attacks.
WEB TECHNOLOGIES
● HTML
● JS
● XML
● JSON
● HTML: https://www.youtube.com/playlist?list=PLDoPjvoNmBAwClZ1PDcjWilxp9YERUbNt
WEB TECHNOLOGIES (JS)
JavaScript is a scripting language that enables you to create dynamically updating content.
● JS: https://www.youtube.com/playlist?list=PLDoPjvoNmBAw6p0z0Ek0OjPzeXoqlFlCh
WEB TECHNOLOGIES (XML)
XML stands for eXtensible Markup Language; it looks like HTML and is used to store and transport data.
WEB TECHNOLOGIES (JSON)
JSON stands for JavaScript Object Notation, a simple and easy-to-understand way to store and transport data.
WEB TECHNOLOGIES (DB)
Database is an organized collection of data.
● MySQL: https://www.youtube.com/playlist?list=PLDoPjvoNmBAz6DT8SzQ1CODJTH-NIA7R9
● SELECT
● FROM
● WHERE
● UNION
WEB TECHNOLOGIES (PROGRAMMING LANG)
A programming language is a formal language.
● PHP: https://www.youtube.com/playlist?list=PLDoPjvoNmBAzH72MTPuAAaYfReraNlQgM
HTTP HEADERS
CIA TRIAD
● Confidentiality
Prevent unauthorized access to private information.
● Integrity
Data must not be changed in transit, and steps must be taken to ensure data cannot be altered by unauthorized people.
● Availability
The web site must stay accessible to its users.
HASHING, ENCRYPTION, ENCODING
● Hashing
A one-way hash; the output is not reversible.
● Encryption
Converts plaintext to ciphertext; a key is used to encrypt and to decrypt.
● Encoding
Converts plaintext to another format; it is reversible.
HASHING
Diagram (hashing, encryption and encoding of the same input):
● Hashing: Test → 098f6bcd4621d373cade4e832627b4f6
● Encryption (with a key): Test → wD2+mxZmuS7jzu0BvbgxBn; with another key: Test → q7xPigMceTVN8Xw9Ejeik=
● Encoding: Test → dGVzdA==
● CORS Attack
● Open redirect
● https://hackerone.com/reports/1144081
● https://samy.pl/quickjack/quickjack.html
● https://portswigger.net/web-security/clickjacking/lab-basic-csrf-protected
CORS MISCONFIGURATION ATTACK
Diagram: the victim's browser loads the attacker's page, which sends a request to the target website; because the origin is allowed by CORS and credentials are allowed, the response data is replayed to the attacker.
CORS
● https://hackerone.com/reports/1016744
● https://portswigger.net/web-security/cors/lab-basic-origin-reflection-attack
OPEN REDIRECT
● XSS [Javascript, data]
● Using #
● Using @
● Without // [http:google.com]
● https://hackerone.com/reports/396295
JSON WITH PADDING
● Leak Credit card numbers [https://hackerone.com/reports/941718]
● https://flex0geek.blogspot.com/2019/04/steal-some-json-response-by-jsonp.html
TASKS
● Tell me about Security Headers
● Read 2 reports
DAY 2
● LFI / RFI
● XSS
● https://portswigger.net/web-security/file-path-traversal/lab-simple
● https://portswigger.net/web-security/file-path-traversal/lab-absolute-path-bypass
CSRF
Diagram: the exploit page sends a request to the vulnerable page, which changes the email address when it receives the request.
CSRF
● No CSRF Token
● https://flex0geek.blogspot.com/2019/04/critical-ibm-bypass-csrf-protection.html
CSRF TOKEN BYPASS
● Removing Anti-CSRF Token
● Weak Token
● Reusable tokens
● Guessable tokens
● Bypass referer
HOST HEADER INJECTION
Diagram: change the Host header value to your domain; if vulnerable = true, the link sent to the victim points to your domain.
● Reflected XSS
○ https://hackerone.com/reports/838910
● Stored XSS
○ https://bugcrowd.com/submissions/aebed3b9459704fa9daaa9fdda3450a60c2bec44fae34e2600ce3a547800f0a0
○ https://bugcrowd.com/submissions/5275ad4bba20545f09b18de9d6ddce572d456f8eb485e4ce19e9aee53f8f9120
● DOM XSS
● Blind XSS
USE VULNERABLE COMPONENTS
● CVEs
● PHP-8.0.1 dev
TASKS
● https://xss-game.appspot.com/
● http://23.239.9.22/queryMe/
● http://18.192.3.151/join-team/
● Read 2 reports
DAY 3
● SQL Injection.
● SSRF
● APIs
● PostMessage.
SQL INJECTION
● General
● Blind
○ Time based
○ Boolean based
SQL INJECTION
● Database
● Table
● Column
● Query
SQL QUERIES
● UNION
● SELECT
● FROM
● Information_schema [tables,columns]
● LIKE
● version()
● database()
SSRF
● Internal Networks
● 127.0.0.1 | localhost
● https://portswigger.net/web-security/ssrf/lab-basic-ssrf-against-localhost
● https://portswigger.net/web-security/ssrf/lab-basic-ssrf-against-backend-system
● https://portswigger.net/web-security/ssrf/lab-ssrf-with-blacklist-filter
XXE
The first line contains the metadata.
Not Allowed:
● Parameter
This type exists only in the DTD and is useful for creating an entity whose value is another entity.
● Predefined
This type is used for predefined values that would otherwise break the syntax, such as (<), which is written as (&lt;).
FEATURES WE CAN USE
1. Using the SYSTEM keyword we can use an external entity.
● Error based: this type parses the XML and you only get to see errors.
● Blind: this type gives no errors or results; you can make some requests to check for it.
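A pre-parse guard that reports the DTD features described above (external entities declared with SYSTEM and % parameter entities), added here as an example and not taken from the course; the XML documents are constructed samples and the URLs in them are placeholders.

```javascript
// Added example (not from the course slides): inspect an XML document's DTD for the
// entity types the XXE slides describe, so an application can refuse such input
// before it reaches a parser that resolves entities. Samples below are constructed.
function inspectDtd(xml) {
  const findings = [];
  // <!ENTITY [%] name [SYSTEM|PUBLIC] ...  (the % marks a parameter entity)
  const decl = /<!ENTITY\s+(%\s*)?([\w.:-]+)\s+(SYSTEM|PUBLIC)?/gi;
  let m;
  while ((m = decl.exec(xml)) !== null) {
    findings.push({
      name: m[2],
      parameter: m[1] !== undefined, // only valid inside the DTD
      external: m[3] !== undefined,  // SYSTEM / PUBLIC -> fetches an external resource
    });
  }
  const hasDoctype = /<!DOCTYPE\b/i.test(xml);
  return {
    hasDoctype,
    entities: findings,
    // Simplest safe policy: refuse any document that ships its own DTD at all.
    safeToParse: !hasDoctype,
  };
}

// Constructed samples: no DTD; an internal entity; an external (SYSTEM) general
// entity plus a parameter entity. The URLs are placeholders, not real resources.
const PLAIN = '<?xml version="1.0"?><order><id>42</id></order>';
const INTERNAL =
  '<?xml version="1.0"?><!DOCTYPE order [<!ENTITY shop "Example">]><order>&shop;</order>';
const EXTERNAL =
  '<?xml version="1.0"?><!DOCTYPE order [' +
  '<!ENTITY % ext SYSTEM "http://dtd.example.invalid/placeholder.dtd">' +
  '<!ENTITY leak SYSTEM "file:///placeholder/path">' +
  ']><order>&leak;</order>';

for (const doc of [PLAIN, INTERNAL, EXTERNAL]) console.log(inspectDtd(doc));
```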
EXPLOIT
In-band type: the payload is sent in the request, the vulnerable function parses the payload, and the result is printed.
Error based: the payload is sent in the request, the vulnerable function parses the payload, and the returned error contains the result.
EXPLOIT
Error based example: the payload is executed.
INFORMATION LEAK
● https://portswigger.net/web-security/information-disclosure/exploiting/lab-infoleak-via-backup-files
● https://portswigger.net/web-security/information-disclosure/exploiting/lab-infoleak-on-debug-page
● https://hackerone.com/reports/1267743
● https://hackerone.com/reports/823454
APIS
● RESTful API
○ Common
○ Use JSON
● GraphQL
○ New
● SOAP
○ Less common
○ Uses XML
POSTMESSAGE
EXPLAIN POSTMESSAGE
We can use postMessage with an iframe or a pop-up.
We can use a check like the following to validate the origin before taking the value, but this check has an issue and can be bypassed.
EXPLOIT POSTMESSAGE
Diagram: the vulnerable page has a message listener; the exploit page sends a postMessage with a malicious value, such as an XSS payload.
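An origin check for a postMessage listener, added here as an example and not taken from the course: weakOriginCheck() is an assumed illustration of the kind of substring test that can be bypassed, and isTrustedOrigin() is the strict form; the trusted origin "https://app.example.com" and the element id "out" are constructed sample values.

```javascript
// Added example (not from the course slides): weak vs. strict origin validation for
// a window.onmessage listener. The trusted origin below is a constructed sample value.
const TRUSTED_ORIGINS = ["https://app.example.com"];

// Flawed (assumed illustration): indexOf() accepts any origin that merely
// contains the trusted host name somewhere in the string.
function weakOriginCheck(origin) {
  return origin.indexOf("app.example.com") !== -1;
}

// Strict: exact comparison of the full origin (scheme + host + port) against an
// allowlist; no substring matching, no wildcard "*".
function isTrustedOrigin(origin) {
  return TRUSTED_ORIGINS.includes(origin);
}

// Listener logic, returning what it did so it can be unit-tested without a browser.
// Message data is written with textContent, never with innerHTML or eval().
function handleMessage(event, sink) {
  if (!isTrustedOrigin(event.origin)) return "rejected";
  if (typeof event.data !== "string") return "rejected";
  sink.textContent = event.data;
  return "accepted";
}

// Browser wiring; guarded so the file also loads under Node. "out" is a sample id.
if (typeof window !== "undefined") {
  window.addEventListener("message", (e) =>
    handleMessage(e, document.getElementById("out")));
}
```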
● Read 2 Reports
DAY 4
● Brute force Attacks.
● Authentication VS Authorization.
● Broken Authentication.
● IDOR
● Insecure Deserialization.
BRUTE FORCE ATTACKS
● Weak passwords
● Bypass OTP
● Authorization
○ Brute Force
○ Edit Response
● Default credentials
○ https://hackerone.com/reports/699030
BROKEN ACCESS CONTROL
● Vertical access controls VS Horizontal access controls
● IDOR
● Force Browsing
VERTICAL / HORIZONTAL ACCESS
CONTROLS
● Vertical
● Horizontal
○ Access to resources is restricted to the users who are specifically allowed to access those resources.
IDOR
Diagram: requests as User 1000; both responses are 200 OK.
TYPES OF IDORS
● Typical IDOR
● Unauthenticated IDOR
● Permission IDOR
● https://hackerone.com/reports/887387
● https://hackerone.com/reports/845733
FORCE BROWSING
● https://hackerone.com/reports/565736
WHAT IS SERIALIZATION
INSECURE DESERIALIZATION
● PHP
● Java
● .NET
○ JSON
○ XML
○ Binary
PHP SERIALIZATION
.NET SERIALIZATION
INSECURE DESERIALIZATION
● http://35.197.254.240/wantbiscuits/
● https://portswigger.net/web-security/deserialization/exploiting/lab-deserialization-modifying-serialized-objects
● https://portswigger.net/web-security/deserialization/exploiting/lab-deserialization-modifying-serialized-data-types
● https://portswigger.net/web-security/deserialization/exploiting/lab-deserialization-exploiting-java-deserialization-with-apache-commons
TASKS
● Read 2 Reports.
● OAuth Misconfigurations.
● Filter bypass
● XSS
○ SVG
○ HTML
FILE UPLOAD BYPASS
● Blacklist
● Whitelist
○ NULL byte
○ Change Content-Type
● Magic Bytes
OAUTH
The OAuth service provider is the application that controls the user's data and access to it.
Parameters:
redirect_uri
code
state
HOW IT WORK (OAUTH)
Diagram (Client App, User-Agent, OAuth service, API, Resource Owner):
1. Auth request
2. User login & consent (/Auth)
3. Access token (/oauth-login)
4. API call (/info)
5. Data
OAUTH MISCONFIGURATION
● Open redirect with OAuth
Diagram (same flow, Resource Owner side):
2. User login & consent (/Auth)
3. Access token & connect social account (/oauth-login)
4. API call (/info)
5. Data
SERVER SIDE TEMPLATE INJECTION
● Docker Machine
DAY 6
● Common Mitigation of Vulnerabilities.
● Reporting.
● Skills
● Next Step
WRITING A GOOD REPORT
● Explain Finding.
● Recommendations
● Proof-of-Concept
● References
● Ref [https://github.com/juliocesarfort/public-pentesting-reports]
SKILLS
○ Protocols
○ Html / Html5
○ Web Framework
● PortSwigger
● PentesterLab
● Practice
● Targets
THANK YOU
● Facebook: @flex0geek
● Twitter: @flex0geek
● Linkedin: @flex0geek
● Blog: https://flex0geek.blogspot.com/
● Youtube: http://youtube.com/c/HackWizFlEx/