Web Exploitation Security

WEB Exploitation &
Security
- Aman Singh, Cyber-Security Wing

Workflow
Basics of Web
and Websites
What are common
web vulnerabilities
Practical
Demo of each
Attack
How to Secure
Resources to learn
from.

What is Internet and What is web ?
HTTP Over TCP/IP
How does internet work?
Web(WWW)

Difference between Internet and WWW
Internet :- Interconnected computer Network
Uses TCP/IP protocol to link devices
WWW :- Online Content that is formatted in HTML and
accessed via HTTP protocol

Port
Number
Usage
21 File Transfer Protocol (FTP) Command Control
22 Secure Shell (SSH)
25 Simple Mail Transfer Protocol (SMTP) E-mail Routing
53 Domain Name System (DNS) service
80 Hypertext Transfer Protocol (HTTP) used in World Wide
Web
443 HTTP Secure (HTTPS) HTTP over TLS/SSL
Ports

DNS is the phonebook for Internet
The Domain Name
System (DNS) is the way
that “www.google.com” is
located and translated
into internet protocol (IP)
addresses something
like “172.217.163.132”.

UNIFORM RESOURCE LOCATOR (URL)

WEB Exploitation
These vulnerabilities can exist on websites where the user can exploit a
bug/vulnerability to gain some kind of higher level privilege.
A web application typically involves a web server, an application server,
application middleware, internal or third-party web services, a database, and so
on.
Any of these components could be attacked.
• Specific vulnerabilities in each programming language
• Issues fundamental to the internet that can show up regardless of the
chosen language or framework.

Top Web Vulnerabilities
• SQL
• Command
INJECTION
CSRF
Logic Flaws
Directory
Traversal
XSS
DOM-
Based
Broken
Auth
SSRF
• Self XSS
• Stored XSS
• Blind XSS

INJECTION
• SQL Injection
• Command Injection
01

SQL Injection
• SQL stands for Structured Query Language
• SQL is used to store, extract and change inputs in a database
• SQL Query looks like:-
SELECT * FROM Users WHERE Name =‘Admin’ AND Pass =‘Password’;
SQL Payload:- Name:- Admin’ OR 1=1;–-
SELECT * FROM Users WHERE Name =‘Admin’ OR 1=1;–- ‘ AND Pass =‘anything’;
https://portswigger.net/web-security/sql-injection/lab-retrieve-hidden-data
https://portswigger.net/web-security/sql-injection/lab-login-bypass

Command Injection
Command injection is a web security vulnerability that allows an attacker to execute
arbitrary operating system (OS) commands on the server that is running an
application.
https://insecure-website.com/ProductStatus?productID=381&storeID=29
Functionality is implemented by calling out to a shell command with the product
and store IDs as arguments:
stockreport.pl 381 29
Payload:- productid=381;whoami;storeID=29
stockreport.pl 381;whoami; 29
https://portswigger.net/web-security/os-command-injection/lab-simple
https://portswigger.net/web-security/os-command-injection/lab-blind-time-delays

XSS
• Cross Site Scripting
02

Cross Site Scripting
Cross-site scripting works by manipulating a vulnerable web site so that it
returns malicious JavaScript to users
Reflected XSS, where the malicious script comes from the current HTTP request.
E.g. : JavaScript in parameters
https://portswigger.net/web-security/cross-site-scripting/reflected/lab-html-context-nothing-encoded
Stored XSS, where the malicious script comes from the website's database.
Eg: Comments on a blog.
https://portswigger.net/web-security/cross-site-scripting/stored/lab-html-context-nothing-encoded
DOM-based XSS, where the vulnerability exists in client-side code rather than server-side code.
https://portswigger.net/web-security/cross-site-scripting/dom-based/lab-document-write-sink

DOMPurify.sanitize('<img src=x onerror=alert(1)//>’);  becomes <img
src="x">
Sanitization of input
“User Input is malicious and should be sanitized”

Application Logic Vulnerabilities
Business logic vulnerabilities are flaws in the design and implementation of an application that
allow an attacker to cause unintended behavior.
https://portswigger.net/web-security/logic-flaws/examples/lab-logic-flaws-high-level

Broken Authentication
Authentication is the process of verifying the identity of a given user or client
Logic flaws or poor coding in the implementation allow the authentication mechanisms
to be bypassed entirely by an attacker. This is sometimes referred to as "broken
authentication".
https://portswigger.net/web-security/authentication/other-mechanisms/lab-password-reset-broken-logic

Cross Site Request Forgery
Cross-site request forgery (also known as CSRF) is a web security vulnerability that allows an attacker to
induce users to perform actions that they do not intend to perform
https://portswigger.net/web-security/csrf/lab-no-defenses

How does CSRF work?
For a CSRF attack to be possible, three key conditions must be in place:
A relevant action.
Cookie-based session handling.
No unpredictable request parameters.
To defend against CSRF attacks include a CSRF token within relevant
requests.
Unpredictable, Tied to the user's session, Strictly validated.
POST /email/change HTTP/1.1
Host: vulnerable-website.com
csrf=R8ov2YBfTYmzFyjit8o2hKBuoIjXXVpa&email=wiener@n
ormal-user.com

DOM-based vulnerabilities
DOM-based vulnerabilities arise when a website contains JavaScript that takes an attacker-
controllable value, known as a source, and passes it into a dangerous function, known as a sink.
Already Seen DOM XSS
Let see DOM Open Redirect
https://portswigger.net/web-security/dom-based/open-redirection/lab-dom-open-redirection

Directory Traversal
Directory traversal (also known as file path traversal) is a web
security vulnerability that allows an attacker to read arbitrary files on
the server that is running an application
<img src="/loadImage?filename=218.png">
The loadImage URL takes a filename parameter and returns the contents of the specified file. The image
files themselves are stored on disk in the location /var/www/images/218.png
https://portswigger.net/web-security/file-path-traversal/lab-absolute-path-bypass

Server Side Request Forgery
Allows an attacker to induce the server-side application to make HTTP requests to an
arbitrary domain of the attacker's choosing.
https://portswigger.net/web-security/ssrf/lab-basic-ssrf-against-localhost

1. We use hashing for integrity and we use encryption for confidentiality.
2. What is Encryption?
3. Encryption is the practice of scrambling information in a way that only someone with a
corresponding key can unscramble and read it. Encryption is a two-way function. When you
encrypt something, you’re doing so with the intention of decrypting it later.
4. Hashing is the practice of using an algorithm to map data of any size to a fixed length. This is
called a hash value (or sometimes hash code or hash sums or even a hash digest if you’re
feeling fancy). Whereas encryption is a two-way function, hashing is a one-way function. While
it’s technically possible to reverse-hash something, the computing power required makes it
unfeasible. Hashing is one-way.
5. Now, whereas encryption is meant to protect data in transit, hashing is meant to verify that a file
or piece of data hasn’t been altered—that it is authentic. In other words, it serves as a check-
sum.
6. Salting is a concept that typically pertains to password hashing. Essentially, it’s a unique value
that can be added to the end of the password to create a different hash value. This adds a layer
of security to the hashing process, specifically against brute force attacks. A brute force attack is
where a computer or botnet attempt every possible combination of letters and numbers until the
password is found.
Cryptography

Web Exploitation Security

More Related Content

What's hot

Similar to Web Exploitation Security

Recently uploaded

Web Exploitation Security