Web Hacking Fundamentals: OWASP Juice Shop [summarized]

-

 SQL Injection


SQL Injection is when an attacker enters a malicious or malformed query to either retrieve or tamper data from a database. And in some cases, log into accounts.


Command Injection


Command Injection is when web applications take input or user-controlled data and run them as system commands. An attacker may tamper with this data to execute their own system commands. This can be seen in applications that perform misconfigured ping tests. 


Email Injection


Email injection is a security vulnerability that allows malicious users to send email messages without prior authorization by the email server. These occur when the attacker adds extra data to fields, which are not interpreted by the server correctly. 


---------------------------------------------------------------------------------


1. The character ' will close the brackets in the SQL query


2. 'OR' in a SQL statement will return true if either side of it is true. As 1=1 is always true, the whole statement is true. Thus it will tell the server that the email is valid, and log us into user id 0, which happens to be the administrator account.


3.The -- character is used in SQL to comment out data, any restrictions on the login will no longer work as they are interpreted as a comment. This is like the # and // comment in python and javascript respectively.


Now, forward that to the server!


But why don't we put the 1=1?


Well, as the email address is valid (which will return true), we do not need to force it to be true. Thus we are able to use '-- to bypass the login system. Note the 1=1 can be used when the email or username is not known or invalid.

--------------------------------------------------------------------------------------------------------------------------------------------------------------------------

"Poison Null Byte". A Poison Null Byte looks like this: %00.

The Poison Null Byte will now look like this: %2500. Adding this and then a .md to the end will bypass the 403 error!

--------------------------------------------------------------------------------------------------------------------------------------------------------------------------


Modern-day systems will allow for multiple users to have access to different pages.


Administrators most commonly use an administration page to edit, add and remove different elements of a website.


You might use these when you are building a website with programs such as Weebly or Wix.

--------------------------------------------------------------------------------------------------------------------------------------------------------------------------

=> When Broken Access Control exploits or bugs are found, it will be categorised into one of two types:

* Horizontal Privilege Escalation

=> Occurs when a user can perform an action or access data of another user with the same level of permissions.


* Vertical Privilege Escalation

=> Occurs when a user can perform an action or access data of another user with a higher level of permissions.

--------------------------------------------------------------------------------------------------------------------------------------------------------------------------

=> DOM (Special) 


DOM XSS (Document Object Model-based Cross-site Scripting) uses the HTML environment to execute malicious javascript. This type of attack commonly uses the <script></script> HTML tag.


=> Persistent (Server-side)


Persistent XSS is javascript that is run when the server loads the page containing it. These can occur when the server does not sanitise the user data when it is uploaded to a page. These are commonly found on blog posts. 


=> Reflected (Client-side)


Reflected XSS is javascript that is run on the client-side end of the web application. These are most commonly found when the server doesn't sanitise search data. 

--------------------------------------------------------------------------------------------------------------------------------------------------------------------------

DOM XSS

<iframe src="javascript:alert(`xss`)"> 


This type of XSS is also called XFS (Cross-Frame Scripting), is one of the most common forms of detecting XSS within web applications.


Websites that allow the user to modify the iframe or other DOM elements will most likely be vulnerable to XSS.


It is common practice that the search bar will send a request to the server in which it will then send back the related information, but this is where the flaw lies. 


Without correct input sanitation, we are able to perform an XSS attack against the search bar.

--------------------------------------------------------------------------------------------------------------------------------------------------------------------------

reflected XSS


http://[Target IP]/#/track-result?id=%3Ciframe%20src%3D%22javascript:alert(%60xss%60)%22%3E


<iframe src="javascript:alert(`xss`)">, in the place of the 5267-f73dcd000abcc353


The server will have a lookup table or database (depending on the type of server) for each tracking ID. As the 'id' parameter is not sanitised before it is sent to the server, we are able to perform an XSS attack.  

--------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Thanks for reading! 

Roger - Ozz961

Comments

Post a Comment

Popular posts from this blog

Common Network Commands: IP R

-
IP R Command Overview The `ip r` command is part of the `iproute2` package in Linux systems. It is used for displaying and manipulating the routing table, which determines how network packets are directed to their destinations. This command is vital for network configuration, management, and troubleshooting. Origin and Development The `iproute2` package was created to replace the older `net-tools` package, which included commands like `ifconfig` and `route`. The `ip` command provides a more unified interface for network management, supporting advanced features and modern networking protocols. It offers better capabilities for managing complex networking scenarios, making it a crucial tool for system and network administrators. Basic Functionality The `ip r` command serves several functions: - Displays current routing table entries. - Shows destination networks, gateways, and associated interfaces. - Allows for the addition, deletion, and modification of routes. Key Command Syntax 1. Di...
Read more

Junior Security Analyst Intro

-
Why SOC Analyst L1 is Considered a Triage Specialist. A Level 1 Security Operations Center (SOC) Analyst is often regarded as a triage specialist because they are the first responders to cybersecurity alerts. Much like how a triage nurse assesses patients' conditions in a hospital, a Level 1 SOC Analyst evaluates and categorizes alerts generated by security tools to determine their severity and prioritize response efforts. Their primary focus is to: Filter Noise: Modern networks generate massive amounts of data, with many false positives. SOC L1 analysts must sift through this data to identify real threats. Categorize Alerts: Assign severity levels to incidents, such as low, medium, or high priority. Initial Response: Perform basic investigations (e.g., checking IP addresses, scanning logs) and decide whether to escalate incidents to Level 2 or 3 analysts. This role is vital because it ensures that high-priority threats are addressed quickly and resources are allocated ...
Read more

Example of A Day in the Life of a Junior (Associate) Security Analyst

-
The day begins early for the Junior Security Analyst, stepping into the office or logging into their remote workstation. The quiet hum of servers and the glow of multiple screens set the stage for another day at the heart of the cybersecurity battlefield. Their first task is to review the handover notes from the previous shift or the daily briefing. This update includes summaries of unresolved incidents, ongoing investigations, and any notable changes in the organization’s threat landscape. Equipped with this crucial information, the analyst prepares to navigate a world where even the smallest anomaly could signify a major threat. Logging into the array of tools—a Security Information and Event Management (SIEM) platform, endpoint detection systems, firewalls, and intrusion detection/prevention systems (IDS/IPS)—the analyst is immediately immersed in the flow of alerts. Every beep, flash, and log entry represents a potential threat. The first challenge is triage. Like a digital detecti...
Read more