Web Hacking Fundamentals: OWASP Juice Shop [summarized]

SQL Injection


SQL Injection is when an attacker enters a malicious or malformed query to retrieve or tamper with data in a database, and in some cases to log into accounts.


Command Injection


Command Injection is when web applications take input or user-controlled data and run it as system commands. An attacker may tamper with this data to execute their own system commands. This is commonly seen in applications that perform misconfigured ping tests.
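The ping-test flaw described above, as an added example (not code from the page or from Juice Shop): the vulnerable pattern pastes the host into a shell command line, while the hardened version allow-lists the host and passes an argv list so no shell ever parses it. The helper names (vulnerable_ping_command, commands_in, safe_ping_argv, run_ping) are assumptions of this example.

```python
import re
import shlex
import subprocess

# Hostnames and IPv4 addresses a ping endpoint should accept: letters, digits, dots, hyphens.
HOST_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")

def vulnerable_ping_command(host):
    """The flawed pattern: user input pasted straight into a shell command line.
    Returned as text rather than executed, so its effect can be inspected safely."""
    return "ping -c 1 " + host

def commands_in(cmdline):
    """Hypothetical helper: count how many separate commands a POSIX shell would run
    for this command line, one plus one per ';', '&', '&&', '|' or '||' operator."""
    operators = {";", "&", "&&", "|", "||"}
    tokens = list(shlex.shlex(cmdline, punctuation_chars=True))
    return 1 + sum(1 for token in tokens if token in operators)

def safe_ping_argv(host):
    """Hardened: allow-list the host, then build an argv list. With no shell involved,
    a character such as ';' cannot start a second command. Raises ValueError on bad input."""
    if not HOST_RE.fullmatch(host):
        raise ValueError("rejected host: %r" % host)
    return ["ping", "-c", "1", host]

def run_ping(host, timeout=5):
    """Execute the validated argv directly (never shell=True); returns the exit status."""
    result = subprocess.run(safe_ping_argv(host), capture_output=True, text=True, timeout=timeout)
    return result.returncode
```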


Email Injection


Email injection is a security vulnerability that allows malicious users to send email messages without prior authorisation by the email server. It occurs when the attacker adds extra data to input fields that the server does not interpret correctly.


---------------------------------------------------------------------------------


1. The ' character closes the quoted value in the SQL query.


2. OR in a SQL statement returns true if either side of it is true. As 1=1 is always true, the whole statement is true. This tells the server that the email is valid, and logs us in as user id 0, which happens to be the administrator account.


3. The -- characters are used in SQL to comment out the rest of the line, so any remaining restrictions on the login no longer apply as they are interpreted as a comment. This is like the # and // comments in Python and JavaScript respectively.


Now, forward that to the server!


But why don't we put the 1=1?


Well, as the email address is valid (which returns true), we do not need to force the condition to be true, so '-- alone is enough to bypass the login system. Note that 1=1 can be used when the email or username is not known or is invalid.
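The three-step bypass and the '-- variant above, as an added example (not code from the page or from Juice Shop): a constructed users table where id 0 is the administrator, the flawed string-built login query beside a parameterised one. The table, the email addresses and the use of SHA-256 for the stored password are assumptions of this example.

```python
import hashlib
import sqlite3

def pw_hash(text):
    # Constructed password storage for the example; only the query shape matters here.
    return hashlib.sha256(text.encode()).hexdigest()

def make_db():
    """Constructed sample table (not Juice Shop's schema): user id 0 is the administrator."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, email TEXT, password TEXT, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", [
        (0, "admin@example.test", pw_hash("admin-pass"), "admin"),
        (1, "jim@example.test", pw_hash("jim-pass"), "customer"),
    ])
    return db

def vulnerable_login(db, email, password):
    """The flaw: the email is pasted into the SQL text, so ' closes the quoted value,
    OR 1=1 makes the WHERE clause true, and -- comments out the password check."""
    query = ("SELECT id, email, role FROM users WHERE email = '" + email
             + "' AND password = '" + pw_hash(password) + "'")
    return db.execute(query).fetchone()

def safe_login(db, email, password):
    """Parameterised query: the driver sends the email as data, never as SQL text."""
    return db.execute(
        "SELECT id, email, role FROM users WHERE email = ? AND password = ?",
        (email, pw_hash(password)),
    ).fetchone()
```

vulnerable_login with a known email and '-- succeeds without 1=1, while an unknown email with '-- fails, which is exactly the point made above.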

--------------------------------------------------------------------------------------------------------------------------------------------------------------------------

"Poison Null Byte". A Poison Null Byte looks like this: %00.

URL-encoded once more (the % itself becomes %25), the Poison Null Byte looks like this: %2500. Adding this, followed by .md, to the end of the file name will bypass the 403 error!
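Why the %2500 trick fools the check, as an added example (not code from the page or from Juice Shop): a model of the flawed flow, where the suffix test runs on a once-decoded name but the file layer decodes again and truncates at the NUL byte, beside a hardened check that validates the name it will actually open. The allowed suffixes, the file name backup.zip and the function names are assumptions of this example.

```python
from urllib.parse import unquote

# Assumed allow-list of downloadable document types.
ALLOWED_SUFFIXES = (".md", ".pdf")

def weak_file_check(requested):
    """Flawed flow, modelled: decode once and test the suffix, then the file layer
    decodes again and truncates at the NUL byte. Returns (status, name actually opened)."""
    checked = unquote(requested)                      # '%2500' -> '%00'
    if not checked.endswith(ALLOWED_SUFFIXES):
        return 403, None
    opened = unquote(checked).split("\x00", 1)[0]     # '%00' -> NUL, then truncation
    return 200, opened

def strict_file_check(requested):
    """Hardened: decode until the name stops changing, reject NUL bytes, leftover
    percent signs and path separators, and test the suffix on the final name."""
    name = requested
    for _ in range(5):
        decoded = unquote(name)
        if decoded == name:
            break
        name = decoded
    if any(bad in name for bad in ("\x00", "%", "/", "\\", "..")):
        return 403, None
    if not name.endswith(ALLOWED_SUFFIXES):
        return 403, None
    return 200, name
```

The lesson for the defender is that the checked value and the used value must be the same string.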

--------------------------------------------------------------------------------------------------------------------------------------------------------------------------


Modern-day systems will allow for multiple users to have access to different pages.


Administrators most commonly use an administration page to edit, add and remove different elements of a website.


You might use these when you are building a website with programs such as Weebly or Wix.

--------------------------------------------------------------------------------------------------------------------------------------------------------------------------

=> When Broken Access Control exploits or bugs are found, they will be categorised into one of two types:

* Horizontal Privilege Escalation

=> Occurs when a user can perform an action or access data of another user with the same level of permissions.


* Vertical Privilege Escalation

=> Occurs when a user can perform an action or access data of another user with a higher level of permissions.

--------------------------------------------------------------------------------------------------------------------------------------------------------------------------

=> DOM (Special) 


DOM XSS (Document Object Model-based Cross-Site Scripting) uses the HTML environment to execute malicious JavaScript. This type of attack commonly uses the <script></script> HTML tag.


=> Persistent (Server-side)


Persistent XSS is JavaScript that runs when the server loads the page containing it. This can occur when the server does not sanitise user data when it is uploaded to a page. It is commonly found on blog posts.


=> Reflected (Client-side)


Reflected XSS is JavaScript that runs on the client side of the web application. It is most commonly found when the server does not sanitise search data.

--------------------------------------------------------------------------------------------------------------------------------------------------------------------------

DOM XSS

<iframe src="javascript:alert(`xss`)"> 


This type of XSS, also called XFS (Cross-Frame Scripting), is one of the most common ways of detecting XSS within web applications.


Websites that allow the user to modify the iframe or other DOM elements will most likely be vulnerable to XSS.


It is common practice for the search bar to send a request to the server, which then sends back the related information, but this is where the flaw lies.


Without correct input sanitisation, we are able to perform an XSS attack through the search bar.

--------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Reflected XSS


http://[Target IP]/#/track-result?id=%3Ciframe%20src%3D%22javascript:alert(%60xss%60)%22%3E


Here <iframe src="javascript:alert(`xss`)"> has been placed in the id parameter in place of the tracking ID 5267-f73dcd000abcc353.


The server has a lookup table or database (depending on the type of server) for each tracking ID. As the 'id' parameter is not sanitised before it is sent to the server, we are able to perform an XSS attack.
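For both the search-bar XSS and the track-result reflection above, an added example (not code from the page or from Juice Shop): it pulls the parameters out of hash-routed URLs like the one shown, flags values carrying the iframe payload for a detection rule, and shows the output-escaping mitigation. The sample URLs are constructed, and the function names are assumptions of this example.

```python
import html
import re
from urllib.parse import parse_qs, urlparse

# Constructed sample URLs (not from the page); the last carries the
# track-result payload shown above, percent-encoded as a browser would send it.
SAMPLE_URLS = [
    "/#/search?q=apple",
    "/#/track-result?id=5267-f73dcd000abcc353",
    "/#/track-result?id=%3Ciframe%20src%3D%22javascript:alert(%60xss%60)%22%3E",
]

# Markup that has no business in a search term or a tracking ID.
XSS_MARKERS = re.compile(r"<\s*(iframe|script|img|svg)\b|javascript\s*:", re.IGNORECASE)

def client_side_params(url):
    """Parameters of a hash-routed URL such as /#/track-result?id=...: the query
    string sits inside the fragment, so it is split out of the fragment first."""
    parsed = urlparse(url)
    query = parsed.fragment.split("?", 1)[1] if "?" in parsed.fragment else parsed.query
    return parse_qs(query)   # parse_qs also percent-decodes the values

def flag_xss_attempts(urls):
    """Hypothetical detection helper: return (url, parameter, decoded value) for
    every request whose decoded parameters contain XSS markup."""
    hits = []
    for url in urls:
        for name, values in client_side_params(url).items():
            for value in values:
                if XSS_MARKERS.search(value):
                    hits.append((url, name, value))
    return hits

def render_tracking_id(tracking_id):
    """Mitigation: HTML-escape user input before reflecting it into the page, so the
    iframe payload is displayed as text instead of being interpreted as markup."""
    return "<p>Order " + html.escape(tracking_id, quote=True) + " not found</p>"
```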

--------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Thanks for reading! 

Roger - Ozz961
