energiatel/WebApp-Sec-Resources

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

WebApp-Sec-Resources

I needed a place to collect all tools, resources and tutorials about web application security and testing. This is my way.

Subdomain enumeration

Lists

Sublist3r

python sublist3r.py -d domain.com -o domain_report_sublist3r.txt

Gobuster

gobuster -u domain.com -fw -m dns -v -w list.txt -o domain_report_gobuster.txt

enumall.sh

./enumall.py domain.com

MassDNS

Not tested yet

DomLink

python domLink.py -D domain.com -o domlink_report_domain.txt

Amass

amass -d domain.com

Lists can be found here

Burp Suite

  • Scanner -> Live scanning -> Live Passive Scanning -> Don't scan
  • Spider -> Options -> Form submission -> Don't submit forms or Prompt for guidance
  • Target -> Scope -> "Use advanced scope control" -> Add -> Host field -> domain name (e.g. for example.com I use the keyword "example")
  • Manually browse
  • Target -> Site map -> Filter -> Show only in-scope items
  • Target -> Site map -> manually select host to spider, right click and Spider Selected items

Google (dork)

  • inurl:example.com (exclude every host already found with -already_known_host)
  • Trademark: "© 2015 - 2018 Company Name Inc." depending on the format used (look for it in the main domain footer)

crt.sh

  • Insert domain.com and check the SSL certificate to get other domains and subdomains covered by the same certificate

censys.io

  • Insert domain.com and check the SSL certificate to get other domains and subdomains covered by the same certificate

crunchbase.com

  • Can find information, related companies, new acquisitions and a lot more about a company and its domain(s)

Others

Search all JS for hidden paths and URLs with Burp Suite

  • Right click on the target site
  • Engagement tools -> Find scripts -> Search
  • Once found -> Export script (e.g. for use in some JS parser)

JSParser

python handler.py
Then visit http://localhost:8008

LinkFinder

Sounds interesting. Still have to test it.

After subdomain enumeration

EyeWitness

./EyeWitness.py --timeout 31 --prepend-https -f domain_domain_list.txt

Archive.org/web

If I find a 401/403, basic auth or something locked down, check the archived copies

waybackurls

cat domains.txt | waybackurls > urls

Get all links from archive.org using a domain list

Subdomain takeover & Cloud misconfiguration

SubOver

SubOver -l /root/Documents/company_subdomain_list.txt -https -v

subjack

./subjack -w subdomains.txt -o subjack_results.txt -ssl -a -v

Can i take over xyz

An interesting resource for understanding IF and HOW a subdomain takeover is possible

Scan for open S3 buckets and dump

Google dork

  • intext:"There isn't a Github Pages site here" and intitle:"Site not found · GitHub Pages"

Content discovery

Gobuster (again)

gobuster -u domain.com -fw -v -w list.txt -o domain_report_gobuster.txt

An interesting list is RobotsDisallowed.
A useful list to add while brute forcing subdirectories may be this DB backup filename list.

Discover unknown parameters in scripts with parameth

Will test soon.

Backslash Powered Scanning (vulnerability scanner)

Too early to say anything

Open redirect

Lists

Some tricks

  • Typical parameters to look at:
    • redirect_to=
    • domain_name=
    • checkout_url=
    • r=
    • u=
    • returnTo=
    • return=
    • go=
    • redirect=
    • url=
  • Common pages are: login, register, logout, change site language, links in emails.

Some resources and tutorials

  • java%0d%0ascript%0d%0a:alert(0)
    (crlf injection to bypass javascript: being blacklisted)
  • //google.com
    (in case http:// is blacklisted)
  • https:google.com
    (browsers accept this, good if // is blacklisted!)
  • //google%E3%80%82com
    (%E3%80%82 is 。 encoded. A HUGE thanks to filedescriptor for showing me that)
  • \/\/google.com/
    (useful for bypassing // http:// blacklists. Browsers see \/\/ as //)
  • /\/google.com/
    (same as above)
  • //google%00.com
    (null byte to bypass the blacklist filter. Can be used anywhere)
  • http://www.theirsite.com@yoursite.com/
    (oldie, but browsers will redirect to anything after @)
  • http://www.yoursite.com/http://www.theirsite.com/
    (if @ is blacklisted and they check if their domain is in the param, make a folder as their domain :D)
  • ";alert(0);//
    (example from above. If the URL is echoed into a variable and we want to get XSS inside a script tag)
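A defender-side validator for a redirect target, added here as an example (it is not code from the repository; the function names are this example's own). It accepts only an absolute path on the current origin and rejects every bypass string listed above; the target is assumed to be the value of a parameter such as redirect_to= after the web framework has percent-decoded it once.

```python
from urllib.parse import unquote, urlsplit


def is_safe_redirect(target: str) -> bool:
    """Accept only an absolute path on the current origin.

    Every bypass in the list above fails one of these checks:
    CRLF / NUL control characters, backslashes (browsers read \\/ as /),
    an explicit scheme ("https:google.com", "javascript:", "http://a@b"),
    a scheme-relative "//host", and "///host", which browsers collapse to a host.
    """
    if not target:
        return False
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in target):
        return False                      # CRLF / null-byte injection
    if "\\" in target:
        return False                      # \/\/host and /\/host tricks
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:
        return False                      # absolute URL, user@host, or //host
    if not parts.path.startswith("/") or target.lstrip().startswith("//"):
        return False                      # relative path, or ///host
    return True


def validate_redirect_param(raw_value: str) -> bool:
    """Decode once, as a framework would, then validate the decoded target."""
    return is_safe_redirect(unquote(raw_value))


# Constructed from the bypass strings listed in this section of the README,
# plus "///google.com", which browsers resolve to a host as well.
BYPASS_SAMPLES = (
    "java%0d%0ascript%0d%0a:alert(0)", "//google.com", "https:google.com",
    "//google%E3%80%82com", "\\/\\/google.com/", "/\\/google.com/",
    "//google%00.com", "http://www.theirsite.com@yoursite.com/",
    "http://www.yoursite.com/http://www.theirsite.com/", '";alert(0);//',
    "///google.com",
)
# Constructed same-origin targets that a login flow legitimately redirects to.
SAFE_SAMPLES = ("/", "/account/settings?tab=security", "/docs/index.html#top")

if __name__ == "__main__":
    for sample in BYPASS_SAMPLES + SAFE_SAMPLES:
        print(f"{sample!r:55} -> {'allow' if validate_redirect_param(sample) else 'reject'}")
```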

HTTP Parameter pollution

Some tricks

  • Add a new parameter with the same name (e.g. ?par1=123&par2=456&par1=789)
  • Replace the ampersand character "&" with "%26"
  • Change the parameter position
  • Try to change typical or intelligible parameter names (edit, view, delete)
  • Change the HTTP method (POST if GET and vice versa)
  • What if you put in a negative number?
  • What if you increment or decrement the number?
  • What if you put in a really large number?
  • What if you put in a string or symbol characters?
  • What if you try to traverse a directory with ../
  • What if you put in XSS vectors?
  • What if you put in SQLi vectors?
  • What if you put in non-ASCII characters?
  • What if you mess with the variable type, such as casting a string to an array?
  • What if you use null characters or no value?

Expected Behavior by Application Server

Given the URL and querystring: http://example.com/?color=red&color=blue

| Web Application Server                      | Backend Parsing Result                  | Example                 |
|--------------------------------------------|-----------------------------------------|-------------------------|
| ASP.NET / IIS                              | All occurrences concatenated with a comma | color=red,blue        |
| ASP / IIS                                  | All occurrences concatenated with a comma | color=red,blue        |
| PHP / Apache                               | Last occurrence only                    | color=blue              |
| PHP / Zeus                                 | Last occurrence only                    | color=blue              |
| JSP, Servlet / Apache Tomcat               | First occurrence only                   | color=red               |
| JSP, Servlet / Oracle Application Server 10g | First occurrence only                 | color=red               |
| JSP, Servlet / Jetty                       | First occurrence only                   | color=red               |
| IBM Lotus Domino                           | Last occurrence only                    | color=blue              |
| IBM HTTP Server                            | First occurrence only                   | color=red               |
| mod_perl, libapreq2 / Apache               | First occurrence only                   | color=red               |
| Perl CGI / Apache                          | First occurrence only                   | color=red               |
| mod_wsgi (Python) / Apache                 | First occurrence only                   | color=red               |
| Python / Zope                              | All occurrences in List data type       | color=['red','blue']    |
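The security problem behind this table is that a front-end component (WAF, proxy, authorization layer) and the backend may resolve the same duplicated parameter differently, so a check on one layer acts on a value the other layer never sees. The following example, added here and not part of the repository, models the four behaviours in the table (the strategy labels are this example's own) and flags where two layers disagree.

```python
from urllib.parse import parse_qsl, urlsplit

STRATEGIES = ("first", "last", "concat", "list")


def group_params(url_or_query: str) -> dict[str, list[str]]:
    """Collect every occurrence of each parameter, in order of appearance."""
    query = urlsplit(url_or_query).query if "?" in url_or_query else url_or_query
    grouped: dict[str, list[str]] = {}
    for key, value in parse_qsl(query, keep_blank_values=True):
        grouped.setdefault(key, []).append(value)
    return grouped


def resolve(url_or_query: str, strategy: str) -> dict:
    """Return the parameter view a backend with the given strategy would see."""
    if strategy not in STRATEGIES:
        raise ValueError(f"unknown strategy {strategy!r}")
    resolved: dict = {}
    for key, values in group_params(url_or_query).items():
        if strategy == "first":
            resolved[key] = values[0]            # Tomcat, Jetty, mod_perl, mod_wsgi, ...
        elif strategy == "last":
            resolved[key] = values[-1]           # PHP / Apache, Lotus Domino
        elif strategy == "concat":
            resolved[key] = ",".join(values)     # ASP.NET / IIS
        else:
            resolved[key] = list(values)         # Zope
    return resolved


def duplicated_params(url_or_query: str) -> list[str]:
    """Parameter names occurring more than once: a cheap WAF / access-log check."""
    return [k for k, v in group_params(url_or_query).items() if len(v) > 1]


def disagreements(url_or_query: str, front: str, back: str) -> dict[str, tuple]:
    """Parameters where a front-end layer and the backend act on different values."""
    front_view, back_view = resolve(url_or_query, front), resolve(url_or_query, back)
    return {k: (front_view[k], back_view[k]) for k in front_view if front_view[k] != back_view[k]}


if __name__ == "__main__":
    url = "http://example.com/?color=red&color=blue"     # the URL from the table above
    for strategy in STRATEGIES:
        print(f"{strategy:7}", resolve(url, strategy))
    print("duplicated:", duplicated_params(url))
    print("first vs last:", disagreements(url, "first", "last"))
```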

References

CSRF

Some tricks

  • If a site is sending CSRF token with POST request, try changing its value or removing it to ensure the server is validating its existence.

SSRF

Some tricks

File Upload

Some tricks

  • Rename the file extension. E.g. file.png -> file.png.php, file.php -> file.php.png
  • Rename the file extension changing case. E.g. file.png -> file.png.PHP, file.php -> file.PhP.png
  • Change the extension position. E.g. file.png.php -> file_png.php
  • Use an unusual file extension like pht (can execute PHP in HTML)
  • Insert a null byte in the file name: shell.php%001.jpg or shell.php\x00.jpg
  • Insert a payload in the Exif headers
  • Upload a huge file to cause a DoS on the server
  • If the filename is not changed before being inserted into the DB, an SQL injection may be possible

Some tricks

XSS

[BLIND XSS] Some tricks

XSStrike

python3 xsstrike.py -u "http://domain.com/search.php?q=query"

XssPy

python XssPy.py -d website.com -v -e

Tutorials and resources


Information disclosure

Php Information disclosure

Application logic

Ways data is transmitted via the client

  • Hidden form fields
  • HTTP cookies
  • URL parameters (?name=value)
  • Referer header
  • Opaque data (encrypted or obfuscated data in hidden form fields, cookies, etc.)
  • ViewState in ASP.NET (if not protected with MAC protection)
Also take a look at length limits on form fields (can they be changed?), script-based validation (e.g. JavaScript: can it be overwritten or deleted?) and disabled elements (are they processed by the server?)


Authentication

Bad password

  • Too short or blank
  • Common dictionary words or names
  • Same as username
  • Set to default value

Brute forcible login

  • No limit on login attempts
  • Common dictionary words or names
  • Stored in clear text (no need to break any encryption when brute forcing)
  • Login attempt count kept only on the client side (e.g. a cookie such as failedLogin=1)
  • Login attempt count held in the current session (so you only need a fresh session, e.g. by deleting the session cookie)
  • Account locked after a certain number of login attempts, but the application still confirms whether the password is correct. In this case the account may be unlocked automatically after a certain delay

Verbose failed login message

  • Application response reveals whether the failure was due to an unrecognised username or a wrong password (so you can iterate over a common username list to guess a valid one, then do the same for the password)
  • Username disclosure in the registration form (to prevent duplicates), the password change form or the forgotten password function
  • Predictable username (username is the email address, the local part of the email, or automatically generated as user123, user124, user125)
  • Subtle failed login response when a wrong or valid username is provided. Responses may appear the same, but cookies, HTTP response or HTML code can contain differences
  • Timing attacks: different response time for wrong and valid usernames. Try it with a common username list and, if possible, with at least one valid username

Password change function

  • Sometimes this function is accessible without authentication
  • Allows unrestricted (e.g. no rate limit) guesses of the existing password
  • Verbose message about username validity
  • The new password and confirm password fields may change their value if the existing password is valid or if the current and new password are identical
  • If this function is accessible only to authenticated users, it may hide somewhere (hidden form field, cookie, other) the username whose password is going to be changed. Try to override this hidden username

Forgotten password function

  • Easily guessable challenge (public information such as mother's name or birthday)
  • Brute-forcible response to the challenge
  • Password recovery hint equal to the password
  • User dropped into an authenticated session after successful completion of a challenge
  • Recovery URL sent to a user-specified address rather than the registered email address
  • Recovery URL or user email visible in hidden fields or in a cookie
  • Password reset after successful completion of the challenge

Remember me function

  • Only username is stored in cookie which is used to allow user access
  • Only user ID or another identifier is stored on cookie which is used to allow user access
  • on logged in computer

User impersonate function

  • No access control so anyone who knows this function URL can use it
  • User controllable data may determine which user is impersonated
  • If administrator accounts can be impersonated, an attacker can gain full control of the application
  • A default password is used to impersonate any user on login function

Incomplete validation of credentials

  • Only the first n characters of the password are validated
  • Case insensitive check of password
  • Unusual characters stripped before checking password

Non unique username

  • It may happen that two users register the same username with the same password
  • Unpredictable consequences at login

Predictable username

  • Usernames can be nonintrusively discovered

Predictable initial password

  • Default password for any new account
  • The means of generating passwords can be replicated by an attacker

Insecure distribution of credentials

  • Insecure distribution of credentials
  • Majority of users will not modify initial credentials
  • Activation token can be guessed
  • Username and password sent together

Implementation flaws in authentication

Fail-open logic mechanism

  • If the username or password is empty, the application throws an exception and the login succeeds

Multistage login mechanism

  • Application may assume that a user who reaches stage two has cleared stage one
  • Application may trust data at stage two because it was validated at stage one
  • Application assumes that the same user identity is used in every stage

Insecure storage of credentials

  • Passwords stored in clear text
  • Passwords encrypted with a standard algorithm

Attacking session management

Token generation

  • Meaningful tokens
  • Can be decrypted and their structure disclosed
  • Not all components of the decrypted token may be validated server side, so fuzzing becomes faster

Predictable tokens

  • With a small sample of tokens it's possible to guess all session tokens
  • Concealed sequences: try to discover the means of generation
  • Time dependency: e.g. the token contains an ID and a timestamp. With this predictable pattern it's easy to brute force and obtain a valid session token
  • Weak random number generation: generation may be deterministic, e.g. derived from the user's IP (PHP 5.3.2 with the phpwn tool)
  • Burp can test the quality of randomness with a sample of session tokens and Sequencer

Encrypted tokens

  • ECB Ciphers
  • CBC ciphers (bit flipping with Burp Intruder)

Liberal cookie scope

  • Cookie domain restrictions
  • Cookie path restrictions

Attacking Access controls

Common vulnerabilities

  • Vertical access control: from user to admin
  • Horizontal access control: from user to user
  • Context-dependent access control: users should only be able to access what they are permitted to

Completely unprotected functionality

  • Anyone who knows the admin URL can access it with full use of administrative functions
  • Links to administrative functions may be hidden in JavaScript, in hidden fields or in comments
  • Administrative methods can be reached directly through an API or JavaScript

Identifier-based functions

  • A user who knows a resource's URL can access it even if not logged in or if the resource is owned by another user

Multistage functions

  • Application assumes that an earlier stage has been completed when a later stage is accessed

Static files

  • Can be accessed directly

Platforms misconfiguration

  • A function may be designed to work with POST but still works with GET
  • Application handles requests that use unrecognized HTTP methods by treating them as GET

Insecure access control methods

Parameters based access control

  • User role is determined via client-transmitted parameters (hidden form fields, cookies, query string parameters)

Referer based access control

  • Application checks the Referer to allow use of administrative functions. If requests come from the administration page they're allowed

Location based access control

  • Can be circumvented using a proxy, a VPN or client-side manipulation of the geolocation mechanism

Attacking access control

Testing with different user accounts

Multistage processes

  • Complete each stage with a high-privilege account. Then use the "request in browser" feature to request each stage with a lower-privilege account to test access control, and with the higher-privilege account to test whether a stage is reachable without completing the earlier stages

Testing with limited access

  • Try adding parameters such as admin=true to GET or POST requests
  • Try removing or modifying the Referer header to check whether the application trusts it in an unsafe way
  • Check client-side HTML and scripts for hidden functionality
  • Every time the application uses any kind of identifier (document ID, account number, order reference) to select a resource, attempt to discover identifiers of resources to which access is unauthorized
  • Try generating a series of identifiers (for example by creating multiple documents) to discover how identifiers are generated

Testing restrictions on HTTP methods

  • Use a high-privilege user to test whether requests are still carried out when the HTTP method is changed. Then test with a low-privilege user to check whether privilege-based restrictions are still enforced when the HTTP method is changed.
