Basics

OWASP

Open Web Application Testing Project Guide is available in this Github

At the start of each web pentest, I follow the OWASP guide to go through all possible security tests.

OWASP cheatsheets

Guide for Penetration Testing OWASP Top 10 Vulnerabilities

A01:2021 - Broken Access Control

• Test Tool: Burp Suite

• Command: Use Burp's Repeater to alter user roles or permissions in requests.

A02:2021 - Cryptographic Failures

• Test Tool: OpenSSL

• Command: openssl s_client -connect <hostname>:<port> to check SSL/TLS configuration.

A03:2021 - Injection

• Test Tool: SQLmap

• Command: sqlmap -u "http://example.com/page?id=1" --dbs

A04:2021 - Insecure Design

• Test Tool: Manual code review

• Command: N/A, engage in reviewing architecture and design patterns.

A05:2021 - Security Misconfiguration

• Test Tool: Nmap

• Command: nmap --script vuln <target> to detect misconfigurations.

A06:2021 - Vulnerable and Outdated Components

• Test Tool: OWASP Dependency-Check

• Command: dependency-check --project <proj_name> -s <source_path>

A07:2021 - Identification and Authentication Failures

• Test Tool: Hydra

• Command: hydra -l <username> -P <password_list> <target> http-post-form "/path:username=^USER^&password=^PASS^"

A08:2021 - Software and Data Integrity Failures

• Test Tool: Manual review of CI/CD pipelines

• Command: N/A, inspect integrity checks and configuration.

A09:2021 - Security Logging and Monitoring Failures

• Test Tool: Splunk

• Command: Analyze existing logs with specific search queries for anomalies.

A10:2021 - Server-Side Request Forgery (SSRF)

• Test Tool: Burp Suite

• Command: Use Burp's Intruder to manipulate URLs in requests for probable SSRF.

For more details, always refer to updated tools and methods per the latest security practices

Web development frameworks testing

To test HTML, SQL or any other web development framework, I use the W3schools resource which is great for testing and learning all different web developement frameworks:

HTML

Javascript

CVSS

A full description of all available parameters of each HTTP header is available at this site: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security

HTTP headers and codes

Security Headers

General Headers

General headers are used in both HTTP requests and responses. They are contextual and are used to describe the message rather than its contents.

Entity Headers

Similar to general headers, Entity Headers can be common to both the request and response. These headers are used to describe the content (entity) transferred by a message. They are usually found in responses and POST or PUT requests.

Request Headers

The client sends Request Headers in an HTTP transaction. These headers are used in an HTTP request and do not relate to the content of the message. The following headers are commonly seen in HTTP requests.

A complete list of request headers and their usage can be found here.

Response Headers

Response Headers can be used in an HTTP response and do not relate to the content. Certain response headers such as Age, Location, and Server are used to provide more context about the response. The following headers are commonly seen in HTTP responses.

Request Methods

The following are some of the commonly used methods:

The list only highlights a few of the most commonly used HTTP methods. The availability of a particular method depends on the server as well as the application configuration. For a full list of HTTP methods, you can visit this link.

Response Codes

HTTP status codes are used to tell the client the status of their request. An HTTP server can return five types of response codes:

The following are some of the commonly seen examples from each of the above HTTP method types:

For a full list of standard HTTP response codes, you can visit this link. Apart from the standard HTTP codes, various servers and providers such as Cloudflare or AWS implement their own codes.

Web pentest process

Information gathering

The primary goals of web reconnaissance include:

• Identifying Assets: Uncovering all publicly accessible components of the target, such as web pages, subdomains, IP addresses, and technologies used. This step provides a comprehensive overview of the target's online presence.

• Discovering Hidden Information: Locating sensitive information that might be inadvertently exposed, including backup files, configuration files, or internal documentation. These findings can reveal valuable insights and potential entry points for attacks.

• Analysing the Attack Surface: Examining the target's attack surface to identify potential vulnerabilities and weaknesses. This involves assessing the technologies used, configurations, and possible entry points for exploitation.

• Gathering Intelligence: Collecting information that can be leveraged for further exploitation or social engineering attacks. This includes identifying key personnel, email addresses, or patterns of behaviour that could be exploited.

Active Reconnaissance

In active reconnaissance, the attacker directly interacts with the target system to gather information. This interaction can take various forms:

Passive Reconnaissance

In contrast, passive reconnaissance involves gathering information about the target without directly interacting with it. This relies on analysing publicly available information and resources, such as:

DNS

It's Like a Relay Race

Think of the DNS process as a relay race. Your computer starts with the domain name and passes it along to the resolver. The resolver then passes the request to the root server, the TLD server, and finally, the authoritative server, each one getting closer to the destination. Once the IP address is found, it's relayed back down the chain to your computer, allowing you to access the website.

DNS records

WHOIS

WHOIS is a widely used query and response protocol designed to access databases that store information about registered internet resources. Primarily associated with domain names, WHOIS can also provide details about IP address blocks and autonomous systems. Think of it as a giant phonebook for the internet, letting you look up who owns or is responsible for various online assets.

https://whoisfreaks.com/ can reveal changes in ownership, contact information, or technical details over time. This can be useful for tracking the evolution of the target's digital presence.

Each WHOIS record typically contains the following information:

• Domain Name: The domain name itself (e.g., example.com)

• Registrar: The company where the domain was registered (e.g., GoDaddy, Namecheap)

• Registrant Contact: The person or organization that registered the domain.

• Administrative Contact: The person responsible for managing the domain.

• Technical Contact: The person handling technical issues related to the domain.

• Creation and Expiration Dates: When the domain was registered and when it's set to expire.

• Name Servers: Servers that translate the domain name into an IP address.

Let's consider three scenarios to help illustrate the value of WHOIS data.

1. Scenario 1: Phishing Investigation

An email security gateway flags a suspicious email sent to multiple employees within a company. The email claims to be from the company's bank and urges recipients to click on a link to update their account information. A security analyst investigates the email and begins by performing a WHOIS lookup on the domain linked in the email.

The WHOIS record reveals the following:

• Registration Date: The domain was registered just a few days ago.

• Registrant: The registrant's information is hidden behind a privacy service.

• Name Servers: The name servers are associated with a known bulletproof hosting provider often used for malicious activities.

This combination of factors raises significant red flags for the analyst. The recent registration date, hidden registrant information, and suspicious hosting strongly suggest a phishing campaign. The analyst promptly alerts the company's IT department to block the domain and warns employees about the scam.

Further investigation into the hosting provider and associated IP addresses may uncover additional phishing domains or infrastructure the threat actor uses.

1. Scenario 2: Malware Analysis

A security researcher is analysing a new strain of malware that has infected several systems within a network. The malware communicates with a remote server to receive commands and exfiltrate stolen data. To gain insights into the threat actor's infrastructure, the researcher performs a WHOIS lookup on the domain associated with the command-and-control (C2) server.

The WHOIS record reveals:

• Registrant: The domain is registered to an individual using a free email service known for anonymity.

• Location: The registrant's address is in a country with a high prevalence of cybercrime.

• Registrar: The domain was registered through a registrar with a history of lax abuse policies.

Based on this information, the researcher concludes that the C2 server is likely hosted on a compromised or "bulletproof" server. The researcher then uses the WHOIS data to identify the hosting provider and notify them of the malicious activity.

1. Scenario 3: Threat Intelligence Report

A cybersecurity firm tracks the activities of a sophisticated threat actor group known for targeting financial institutions. Analysts gather WHOIS data on multiple domains associated with the group's past campaigns to compile a comprehensive threat intelligence report.

By analysing the WHOIS records, analysts uncover the following patterns:

• Registration Dates: The domains were registered in clusters, often shortly before major attacks.

• Registrants: The registrants use various aliases and fake identities.

• Name Servers: The domains often share the same name servers, suggesting a common infrastructure.

• Takedown History: Many domains have been taken down after attacks, indicating previous law enforcement or security interventions.

These insights allow analysts to create a detailed profile of the threat actor's tactics, techniques, and procedures (TTPs). The report includes indicators of compromise (IOCs) based on the WHOIS data, which other organisations can use to detect and block future attacks.

Web Archives

Web archives are digital repositories that store snapshots of websites across time, providing a historical record of their evolution. Among these archives, the Wayback Machine is the most comprehensive and accessible resource for web reconnaissance.

The Wayback Machine, a project by the Internet Archive, has been archiving the web for over two decades, capturing billions of web pages from across the globe. This massive historical data collection can be an invaluable resource for security researchers and investigators.

By leveraging the Wayback Machine, you can gain a historical perspective on your target's online presence, potentially revealing vulnerabilities that may have been overlooked in the current version of the website.

Cross Site Scripting (XSS)

Cross Site Scripting (XSS) is a web application vulnerability that allows attackers to inject malicious scripts into content that is served to users. This typically occurs in the context of a web page, enabling scripts to be executed in the user's web browser.

Key Points:

• Injection of JavaScript: As you mentioned, the vulnerability allows malicious JavaScript to be executed on the client-side, compromising user data and session integrity.

• Lack of Sanitization: XSS vulnerabilities arise when there is insufficient sanitization or validation of user inputs at both the frontend and backend levels.

Types of Cross Site Scripting

1. DOM-based XSS:

   • This type occurs when the client-side JavaScript modifies the Document Object Model (DOM) of a web page. The malicious script is typically executed as a result of changes made to the DOM based on user input. It does not involve sending data to the server; rather, it relies on the manipulation of the client-side page.

2. Reflected XSS:

   • Reflected XSS happens when the malicious script is included in a URL (via query parameters) or in the headers and is reflected back from the server. To exploit this, the attacker must craft a link that contains the malicious script and trick the user into clicking it. The script is not stored; it is executed immediately when the user accesses the crafted URL.

3. Stored XSS:

   • Stored XSS (or Persistent XSS) is indeed considered the most dangerous form of XSS. In this case, the malicious script is stored on the server (such as in a database) and is delivered to users in the context of a web page they are accessing. Since the script is saved on the server, multiple users can be affected simply by visiting the compromised page.

Prevention Measures

• Front-end Prevention:

  • Input Validation: Ensure valid data is submitted, such as validating email formats with JavaScript.

    Copy

    function validateEmail(email) {
        const re = /^(([^<>()[\]\\.,;:\s@\"]+(\.[^<>()[\]\\.,;:\s@\"]+)*)|(\".+\"))@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\])|(([a-zA-Z\-0-9]+\.)+[a-zA-Z]{2,}))$/;
        return re.test($("#login input[name=email]").val());
    }

• input Sanitization: Use libraries like DOMPurify to sanitize user input, escaping special characters.

let clean = DOMPurify.sanitize(dirty);

• Avoid Direct Input Usage: Never use user input directly in HTML tags or certain JavaScript and jQuery functions that can execute scripts.

• Back-end Prevention:

  • Similar input validation is required on the back-end to prevent Stored and Reflected XSS.

  • Input Validation Example (PHP):

    Copy

    if (filter_var($_GET['email'], FILTER_VALIDATE_EMAIL)) {
        // do task
    } else {
        // reject input - do not display it
    }

Input Sanitization Example (PHP):

addslashes($_GET['email']);

Back-end libraries like DOMPurify can also be utilized for sanitization:

import DOMPurify from 'dompurify';
var clean = DOMPurify.sanitize(dirty);

Output HTML Encoding:

• Convert special characters to HTML codes when displaying user input to prevent injections.

• Encoding Example (PHP):

  Copy

  htmlentities($_GET['email']);

Encoding Example (NodeJS):

import encode from 'html-entities';
encode('<'); // -> '<'

• Server Configuration:

  • Configure web servers to use HTTPS, set XSS prevention headers, and implement Content Security Policy (CSP) to restrict script sources.

  • Consider using a Web Application Firewall (WAF) for enhanced security.

• Direct input

We should always ensure that we never use user input directly within certain HTML tags, like:

1. JavaScript code <script></script>

2. CSS Style Code <style></style>

3. Tag/Attribute Fields <div name='INPUT'></div>

4. HTML Comments <!-- -->

If user input goes into any of the above examples, it can inject malicious JavaScript code, which may lead to an XSS vulnerability. In addition to this, we should avoid using JavaScript functions that allow changing raw text of HTML fields, like:

• DOM.innerHTML

• DOM.outerHTML

• document.write()

• document.writeln()

• document.domain

And the following jQuery functions:

• html()

• parseHTML()

• add()

• append()

• prepend()

• after()

• insertAfter()

• before()

• insertBefore()

• replaceAll()

• replaceWith()

SQL Injection (SQLi)

A SQL injection occurs when a malicious user attempts to pass input that changes the final SQL query sent by the web application to the database, enabling the user to perform other unintended SQL queries directly against the database.

First, the attacker has to inject code outside the expected user input limits, so it does not get executed as simple user input. In the most basic case, this is done by injecting a single quote (') or a double quote (") to escape the limits of user input and inject data directly into the SQL query.

Once an attacker can inject, they have to look for a way to execute a different SQL query. This can be done using SQL code to make up a working query that executes both the intended and the new SQL queries. There are many ways to achieve this, like using stacked queries or using Union queriesCode:

Vulnerable PHP example code

$searchInput =  $_POST['findUser'];
$query = "select * from logins where username like '%$searchInput'";
$result = $conn->query($query);

In typical cases, the searchInput would be inputted to complete the query, returning the expected outcome. Any input we type goes into the following SQL query:

Code: sql

select * from logins where username like '%$searchInput'

So, if we input admin, it becomes '%admin'. In this case, if we write any SQL code, it would just be considered as a search term. For example, if we input SHOW DATABASES;, it would be executed as '%SHOW DATABASES;' The web application will search for usernames similar to SHOW DATABASES;. However, as there is no sanitization, in this case, we can add a single quote ('), which will end the user-input field, and after it, we can write actual SQL code. For example, if we search for 1'; DROP TABLE users;, the search input would be:

Code: php

'%1'; DROP TABLE users;'

Notice how we added a single quote (') after "1", in order to escape the bounds of the user-input in ('%$searchInput').

So, the final SQL query executed would be as follows:

Code: sql

select * from logins where username like '%1'; DROP TABLE users;'

As we can see from the syntax highlighting, we can escape the original query's bounds and have our newly injected query execute as well. Once the query is run, the users table will get deleted.

Note: In the above example, for the sake of simplicity, we added another SQL query after a semi-colon (;). Though this is actually not possible with MySQL, it is possible with MSSQL and PostgreSQL. In the coming sections, we'll discuss the real methods of injecting SQL queries in MySQL.

the MySQL documentation for operation precedence states that the AND operator would be evaluated before the OR operator. This means that if there is at least one TRUE condition in the entire query along with an OR operator, the entire query will evaluate to TRUE since the OR operator returns TRUE if one of its operands is TRUE.

An example of a condition that will always return true is '1'='1'. However, to keep the SQL query working and keep an even number of quotes, instead of using ('1'='1'), we will remove the last quote and use ('1'='1), so the remaining single quote from the original query would be in its place.

So, if we inject the below condition and have an OR operator between it and the original condition, it should always return true:

Code: sql

admin' or '1'='1

The final query should be as follow:

Code: sql

SELECT * FROM logins WHERE username='admin' or '1'='1' AND password = 'something';

This means the following:

• If username is admin OR

• If 1=1 return true 'which always returns true' AND

• If password is something

The AND operator will be evaluated first, and it will return false. Then, the OR operator would be evalutated, and if either of the statements is true, it would return true. Since 1=1 always returns true, this query will return true, and it will grant us access.

Write File Privileges

To be able to write files to the back-end server using a MySQL database, we require three things:

1. User with FILE privilege enabled

2. MySQL global secure_file_priv variable not enabled

3. Write access to the location we want to write to on the back-end server

Secure_file_priv

The secure_file_priv variable is used to determine where to read/write files from. An empty value lets us read files from the entire file system. Otherwise, if a certain directory is set, we can only read from the folder specified by the variable. On the other hand, NULL means we cannot read/write from any directory. MariaDB has this variable set to empty by default, which lets us read/write to any file if the user has the FILE privilege. However, MySQL uses /var/lib/mysql-files as the default folder. This means that reading files through a MySQL injection isn't possible with default settings. Even worse, some modern configurations default to NULL, meaning that we cannot read/write files anywhere within the system.

Within MySQL, we can use the following query to obtain the value of this variable:

SHOW VARIABLES LIKE 'secure_file_priv';

Mitigating SQL Injection

We have learned about SQL injections, why they occur, and how we can exploit them. We should also learn how to avoid these types of vulnerabilities in our code and patch them when found. Let's look at some examples of how SQL Injection can be mitigated.

Input Sanitization

Here's the snippet of the code from the authentication bypass section we discussed earlier:

Code: php

<SNIP>
  $username = $_POST['username'];
  $password = $_POST['password'];

  $query = "SELECT * FROM logins WHERE username='". $username. "' AND password = '" . $password . "';" ;
  echo "Executing query: " . $query . "<br /><br />";

  if (!mysqli_query($conn ,$query))
  {
          die('Error: ' . mysqli_error($conn));
  }

  $result = mysqli_query($conn, $query);
  $row = mysqli_fetch_array($result);
<SNIP>

As we can see, the script takes in the username and password from the POST request and passes it to the query directly. This will let an attacker inject anything they wish and exploit the application. Injection can be avoided by sanitizing any user input, rendering injected queries useless. Libraries provide multiple functions to achieve this, one such example is the mysqli_real_escape_string() function. This function escapes characters such as ' and ", so they don't hold any special meaning.

Code: php

<SNIP>
$username = mysqli_real_escape_string($conn, $_POST['username']);
$password = mysqli_real_escape_string($conn, $_POST['password']);

$query = "SELECT * FROM logins WHERE username='". $username. "' AND password = '" . $password . "';" ;
echo "Executing query: " . $query . "<br /><br />";
<SNIP>

The snippet above shows how the function can be used.

As expected, the injection no longer works due to escaping the single quotes. A similar example is the pg_escape_string() which used to escape PostgreSQL queries.

Input Validation

User input can also be validated based on the data used to query to ensure that it matches the expected input. For example, when taking an email as input, we can validate that the input is in the form of ...@email.com, and so on.

Consider the following code snippet from the ports page, which we used UNION injections on:

Code: php

<?php
if (isset($_GET["port_code"])) {
	$q = "Select * from ports where port_code ilike '%" . $_GET["port_code"] . "%'";
	$result = pg_query($conn,$q);
    
	if (!$result)
	{
   		die("</table></div><p style='font-size: 15px;'>" . pg_last_error($conn). "</p>");
	}
<SNIP>
?>

We see the GET parameter port_code being used in the query directly. It's already known that a port code consists only of letters or spaces. We can restrict the user input to only these characters, which will prevent the injection of queries. A regular expression can be used for validating the input:

Code: php

<SNIP>
$pattern = "/^[A-Za-z\s]+$/";
$code = $_GET["port_code"];

if(!preg_match($pattern, $code)) {
  die("</table></div><p style='font-size: 15px;'>Invalid input! Please try again.</p>");
}

$q = "Select * from ports where port_code ilike '%" . $code . "%'";
<SNIP>

The code is modified to use the preg_match() function, which checks if the input matches the given pattern or not. The pattern used is [A-Za-z\s]+, which will only match strings containing letters and spaces. Any other character will result in the termination of the script.

We can test the following injection:

Code: sql

'; SELECT 1,2,3,4-- -

As seen in the images above, input with injected queries was rejected by the server.

User Privileges

As discussed initially, DBMS software allows the creation of users with fine-grained permissions. We should ensure that the user querying the database only has minimum permissions.

Superusers and users with administrative privileges should never be used with web applications. These accounts have access to functions and features, which could lead to server compromise.

Mitigating SQL Injection

MariaDB [(none)]> CREATE USER 'reader'@'localhost';

Query OK, 0 rows affected (0.002 sec)


MariaDB [(none)]> GRANT SELECT ON ilfreight.ports TO 'reader'@'localhost' IDENTIFIED BY 'p@ssw0Rd!!';

Query OK, 0 rows affected (0.000 sec)

The commands above add a new MariaDB user named reader who is granted only SELECT privileges on the ports table. We can verify the permissions for this user by logging in:

Mitigating SQL Injection

HackJiji@htb[/htb]$ mysql -u reader -p

MariaDB [(none)]> use ilfreight;
MariaDB [ilfreight]> SHOW TABLES;

+---------------------+
| Tables_in_ilfreight |
+---------------------+
| ports               |
+---------------------+
1 row in set (0.000 sec)


MariaDB [ilfreight]> SELECT SCHEMA_NAME FROM INFORMATION_SCHEMA.SCHEMATA;

+--------------------+
| SCHEMA_NAME        |
+--------------------+
| information_schema |
| ilfreight          |
+--------------------+
2 rows in set (0.000 sec)


MariaDB [ilfreight]> SELECT * FROM ilfreight.credentials;
ERROR 1142 (42000): SELECT command denied to user 'reader'@'localhost' for table 'credentials'

The snippet above confirms that the reader user cannot query other tables in the ilfreight database. The user only has access to the ports table that is needed by the application.

Web Application Firewall

Web Application Firewalls (WAF) are used to detect malicious input and reject any HTTP requests containing them. This helps in preventing SQL Injection even when the application logic is flawed. WAFs can be open-source (ModSecurity) or premium (Cloudflare). Most of them have default rules configured based on common web attacks. For example, any request containing the string INFORMATION_SCHEMA would be rejected, as it's commonly used while exploiting SQL injection.

Parameterized Queries

Another way to ensure that the input is safely sanitized is by using parameterized queries. Parameterized queries contain placeholders for the input data, which is then escaped and passed on by the drivers. Instead of directly passing the data into the SQL query, we use placeholders and then fill them with PHP functions.

Consider the following modified code:

Code: php

<SNIP>
  $username = $_POST['username'];
  $password = $_POST['password'];

  $query = "SELECT * FROM logins WHERE username=? AND password = ?" ;
  $stmt = mysqli_prepare($conn, $query);
  mysqli_stmt_bind_param($stmt, 'ss', $username, $password);
  mysqli_stmt_execute($stmt);
  $result = mysqli_stmt_get_result($stmt);

  $row = mysqli_fetch_array($result);
  mysqli_stmt_close($stmt);
<SNIP>

The query is modified to contain two placeholders, marked with ? where the username and password will be placed. We then bind the username and password to the query using the mysqli_stmt_bind_param() function. This will safely escape any quotes and place the values in the query.

Sources

HackTheBox Academy