🈯Server-side vulnerabilities

Path traversal is also known as directory traversal. These vulnerabilities enable an attacker to read arbitrary files on the server that is running an application.

A vulnerable application would look something like this:

<img src="/loadImage?filename=218.png">    

and we'd use ../../ to read content we are not meant to read:

https://insecure-website.com/loadImage?filename=../../../etc/passwd
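As an added example (not code from the original page or the lab), here is how a loadImage-style handler can refuse the ../../ payload above: the supplied filename is joined to a fixed image root, normalised, and served only if the result is still inside that root. The root directory is a constructed assumption.

```python
import posixpath
from pathlib import PurePosixPath

# Constructed example: the directory a loadImage endpoint is meant to serve from.
IMAGE_ROOT = PurePosixPath("/var/www/images")


def resolve_image_path(filename: str) -> PurePosixPath:
    """Map a user-supplied filename to a path strictly inside IMAGE_ROOT.

    Raises ValueError for anything that would escape the root, so
    'filename=../../../etc/passwd' is refused instead of being read.
    Pure path operations only, so the check itself never touches disk.
    """
    if not filename or "\x00" in filename:
        raise ValueError("invalid filename")
    # Join, then collapse every '..' and '.' segment lexically. An absolute
    # filename such as '/etc/passwd' replaces the root on join and is caught below.
    candidate = PurePosixPath(posixpath.normpath(str(IMAGE_ROOT / filename)))
    # Path-aware containment test: a plain string prefix check would wrongly
    # accept /var/www/images_old/x.png as being under /var/www/images.
    try:
        candidate.relative_to(IMAGE_ROOT)
    except ValueError:
        raise ValueError(f"path escapes image root: {filename!r}") from None
    if candidate == IMAGE_ROOT:
        raise ValueError("a filename, not the root directory, is required")
    # On a real server, follow this with os.path.realpath() on the result and
    # repeat the containment test so symlinks inside the root cannot escape either.
    return candidate


def handle_load_image(filename: str) -> tuple[int, str]:
    """Simulated endpoint response: (HTTP status, path to serve or error text)."""
    try:
        return 200, str(resolve_image_path(filename))
    except ValueError:
        # Generic message to the client; the rejected value is worth logging
        # server-side, since traversal attempts are a useful detection signal.
        return 400, "Bad Request"
```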

Lab: File path traversal, simple case

I go on a product page:

I see where the image is fetched from:

I capture a request when loading the image and modify the path to go and fetch another file:

and I am able to see the passwd file:

Access Control

Access control is the application of constraints on who or what is authorized to perform actions or access resources.

If a non-administrative user can gain access to an admin page where they can delete user accounts, then this is vertical privilege escalation.

Lab: Unprotected admin functionality

looking at the website:

After enumeration, for example with gobuster, we find a /robots.txt:

we then go on the admin panel and are able to delete users:

If the application uses "security by obscurity", or more complex URLs, it might not be discoverable by gobuster or directory bruteforce, like:

https://insecure-website.com/administrator-panel-yb556

However, the application might still leak the URL to users. The URL might be disclosed in JavaScript that constructs the user interface based on the user's role:

<script>
	var isAdmin = false;
	if (isAdmin) {
		// ...
		var adminPanelTag = document.createElement('a');
		// setAttribute takes the attribute name and its value
		adminPanelTag.setAttribute('href', 'https://insecure-website.com/administrator-panel-yb556');
		adminPanelTag.innerText = 'Admin panel';
		// ...
	}
</script>

Lab: Unprotected admin functionality with unpredictable URL

We get a new website; I go and check the source code immediately:

and bingo:

Parameter-based access control methods

Some applications determine the user's access rights or role at login, and then store this information in a user-controllable location. This could be:

  • A hidden field.

  • A cookie.

  • A preset query string parameter.

https://insecure-website.com/login/home.jsp?admin=true
https://insecure-website.com/login/home.jsp?role=1

A user can modify the value and access functionality they're not authorized to, such as administrative functions.

Lab: User role controlled by request parameter

I connect with the given credentials wiener:peter and go to the given admin panel /admin:

We see the cookies:

We modify the value to true and refresh the page:

bingo

Horizontal privilege escalation

Horizontal privilege escalation occurs if a user is able to gain access to resources belonging to another user.

https://insecure-website.com/myaccount?id=123

We could change the id to 124 and maybe access another user's panel.
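An added example (not the page's or the lab's code) covering both the parameter-based controls above and the horizontal case: role and identity come from a server-side session record, so neither admin=true in the request nor a changed id grants access. The session store, account table and paths are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    """Server-side session record. The browser holds only an opaque session id,
    never the role itself, so there is no Admin=true value for it to flip."""
    username: str
    role: str  # "user" or "admin", fixed at login


# Constructed server-side session store, keyed by the session cookie value.
SESSIONS = {
    "sid-wiener": Session("wiener", "user"),
    "sid-admin": Session("administrator", "admin"),
}

# Constructed mapping from the numeric id in myaccount?id=... to its owner.
ACCOUNTS = {123: "wiener", 124: "carlos"}


def authorize_vulnerable(params: dict) -> tuple[int, str]:
    """The flawed pattern from the text: trusting a client-supplied admin flag."""
    if params.get("admin") == "true":
        return 200, "admin panel"
    return 403, "forbidden"


def authorize(session_id: str, path: str, params: dict) -> tuple[int, str]:
    """Decide access from the session record alone; params are untrusted input."""
    session = SESSIONS.get(session_id)
    if session is None:
        return 401, "login required"
    if path == "/admin":
        # Vertical check: role comes from the server-side record;
        # params.get("admin") and any Admin cookie are never consulted.
        if session.role != "admin":
            return 403, "forbidden"
        return 200, "admin panel"
    if path == "/myaccount":
        # Horizontal check: the requested id must belong to the logged-in user.
        try:
            owner = ACCOUNTS.get(int(params.get("id", "")))
        except ValueError:
            return 400, "bad id"
        if owner != session.username:
            return 403, "forbidden"  # same answer for another user's id and an unknown id
        return 200, f"account of {owner}"
    return 404, "not found"
```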

Lab: User ID controlled by request parameter, with unpredictable user IDs

we connect:

while looking around we find an article written by carlos:

when clicking on the name, we see the url change:

and on our space we can see that the page is based on our ID:

so what if we change the values ->

we get the value of carlos and are able to solve the lab

Lab: User ID controlled by request parameter with password disclosure

After connecting with the given creds, we immediately see 👍

The "id=wiener" parameter seems to be the way to go; let's modify it ->

We are able to see the admin page and extract the password if we look at the source code ->

we are then able to connect to the admin account and delete user carlos:

Authentication vulnerabilities

Authentication vulnerabilities can allow attackers to gain access to sensitive data and functionality.

Lab: Username enumeration via different responses

We have two lists, usernames and passwords. The best way would be a cluster bomb attack, but without Burp Pro it would take very long.

We stick to a sniper attack, selecting only the username, and launch it to see if we can identify a valid user by response code or length ->

All of the status codes are 200, but one of the lengths is different:

Let's try with the user ads.

We put the password as the target of this new sniper attack and launch it with the wordlist ->

We just have to wait and pick out the response code or length that stands out, and the lab is solved.

Lab: 2FA simple bypass

Ok, so when I connect to my account, I am able to see the verification code and log in.

I then try to connect with carlos's account creds:

The catch here is that even though we connected and are asked for a verification code, we are in fact already logged in, and if I replace the URL with the one expected after entering the 2FA code, I'll have access to everything:

Server-side request forgery

Server-side request forgery (SSRF) is a web security vulnerability that allows an attacker to cause the server-side application to make requests to an unintended location.
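As an added example (not part of the original page), a validator a server would apply to a stockApi-style URL parameter before fetching it: only an allowlisted hostname and port are accepted, and IP literals are refused outright, which covers the loopback and internal-network targets the labs below go after. The allowlist values are constructed.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist: the only back-end the stock checker is meant to call.
ALLOWED_HOSTS = {"stock.example.internal"}
ALLOWED_PORTS = {80, 443}


def validate_stock_api_url(url: str) -> str:
    """Return url unchanged if it may be fetched server-side, else raise ValueError.

    Checking a hostname allowlist (rather than resolving the name and testing
    the address) keeps the decision free of DNS-rebinding timing windows.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        # 'http://allowed-host@127.0.0.1/' puts the allowed name in userinfo;
        # hostname is still 127.0.0.1 below, but refuse the pattern explicitly.
        raise ValueError("userinfo in URL not allowed")
    host = parts.hostname  # already lower-cased, brackets stripped for IPv6
    if not host:
        raise ValueError("missing host")
    try:
        literal = ipaddress.ip_address(host)
    except ValueError:
        literal = None
    if literal is not None:
        # Covers 127.0.0.1, ::1, 192.168.0.x and any other address literal.
        raise ValueError(f"IP literal not allowed: {literal}")
    if host not in ALLOWED_HOSTS:
        raise ValueError(f"host not allowed: {host!r}")
    default_port = 443 if parts.scheme == "https" else 80
    port = parts.port if parts.port is not None else default_port
    if port not in ALLOWED_PORTS:
        raise ValueError(f"port not allowed: {port}")
    return url


def is_allowed_stock_api_url(url: str) -> bool:
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        validate_stock_api_url(url)
    except ValueError:
        return False
    return True
```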

Lab: Basic SSRF against the local server

We do not have any creds; while looking around the website we see this odd button:

We also see we can't access the admin panel except under a few conditions:

we capture it:

when we capture the request:

We modify the API request to do a loopback:

and in the source code we see the url we need to access to delete user carlos:

we then request this URL via the API and solve the lab:

Lab: Basic SSRF against another back-end system

We start by capturing the request:

According to the exercise I have to find an admin panel on the network, so I start by making a request to /admin:8080 but put the network in a sniper attack position:

We finally find the URL that gives us a status code 200:

and when we request the admin control panel we get a 200:

in the source code we see the delete carlos request:

So we just request it through the stockApi and the lab is solved 👍

File upload vulnerabilities

File upload vulnerabilities are when a web server allows users to upload files to its filesystem without sufficiently validating things like their name, type, contents, or size.
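An added example (not code from the page or the labs) of the checks the paragraph lists, applied to an upload such as FP.png: size cap, extension allowlist, content magic bytes matching the extension, and a server-chosen filename. The client-sent Content-Type is deliberately ignored, since it is the one check the second lab below shows being bypassed; paths and limits are constructed assumptions.

```python
import secrets
from os.path import basename, splitext

# Constructed policy: extension -> bytes the content must start with.
ALLOWED_TYPES = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
}
MAX_UPLOAD_BYTES = 2 * 1024 * 1024
# Constructed: a directory the web server serves as static data and never
# executes scripts from. Together with the server-chosen name below, this is
# what keeps an uploaded script inert even if a content check were fooled.
UPLOAD_DIR = "/srv/uploads"


def validate_upload(filename: str, _content_type: str, data: bytes) -> str:
    """Return the storage path for an acceptable upload, else raise ValueError.

    _content_type is the client-sent header; it is accepted only to make
    explicit that it is client-controlled and plays no part in the decision.
    """
    if len(data) > MAX_UPLOAD_BYTES:
        raise ValueError("file too large")
    # Only the final extension of the bare name counts; directories are dropped.
    ext = splitext(basename(filename))[1].lower()
    if ext not in ALLOWED_TYPES:
        raise ValueError(f"extension not allowed: {ext!r}")
    if not data.startswith(ALLOWED_TYPES[ext]):
        raise ValueError("content does not match the image type the name claims")
    # Server picks the stored name: no user-controlled path segments, no
    # double extensions such as shell.php.png, always an image extension.
    stored_name = secrets.token_hex(16) + ext
    return f"{UPLOAD_DIR}/{stored_name}"
```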

Lab: Remote code execution via web shell upload

we start by uploading an image to the server:

We see this output in the Burp request:

We have to modify a few things to read content:

Lab: Web shell upload via Content-Type restriction bypass

We start by uploading an image FP.png with our malicious PHP code in it ->

and everything works:

OS command injection

OS command injection is also known as shell injection. It allows an attacker to execute operating system (OS) commands on the server that is running an application, and typically fully compromise the application and its data. Often, an attacker can leverage an OS command injection vulnerability to compromise other parts of the hosting infrastructure, and exploit trust relationships to pivot the attack to other systems within the organization.
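As an added example (not code from the page or the lab), the injectable pattern behind a stock check beside its hardened form: the ids are validated against a strict integer pattern and passed as separate argv elements with no shell involved, so the `| whoami` the lab below injects into storeID is rejected before any process starts. The script path is a constructed assumption.

```python
import re
import subprocess

# Constructed path of the back-end stock script the shop shells out to.
STOCK_REPORT = "/usr/local/bin/stockreport.pl"
ID_PATTERN = re.compile(r"[0-9]{1,9}")


def build_stock_command_vulnerable(product_id: str, store_id: str) -> str:
    """The injectable pattern: values pasted into one shell command line.

    Anything after a shell metacharacter in store_id (the text's '| whoami')
    is parsed by the shell as a second command.
    """
    return f"{STOCK_REPORT} {product_id} {store_id}"


def build_stock_command(product_id: str, store_id: str) -> list[str]:
    """Return an argv list, or raise ValueError if either id is not a plain integer.

    Two layers: strict allowlist validation of the values, and passing them as
    separate argv elements so no shell ever parses them.
    """
    for name, value in (("productId", product_id), ("storeId", store_id)):
        # fullmatch rejects trailing newlines and spaces that a $-anchored
        # pattern would let through.
        if not ID_PATTERN.fullmatch(value):
            raise ValueError(f"{name} must be a positive integer")
    return [STOCK_REPORT, product_id, store_id]


def run_stock_check(product_id: str, store_id: str) -> str:
    """Run the report with shell=False: argv goes to execve, never to /bin/sh."""
    argv = build_stock_command(product_id, store_id)
    result = subprocess.run(argv, shell=False, capture_output=True,
                            text=True, timeout=10, check=False)
    return result.stdout
```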

Lab: OS command injection, simple case

We start by going to a product, checking the stock and sending the request to Burp:

Sending it to Repeater and piping whoami into the storeID parameter:

and find the user just like that

SQL injection

SQL injection (SQLi) is a web security vulnerability that allows an attacker to interfere with the queries that an application makes to its database. This can allow an attacker to view data that they are not normally able to retrieve. This might include data that belongs to other users, or any other data that the application can access. In many cases, an attacker can modify or delete this data, causing persistent changes to the application's content or behavior.

In some situations, an attacker can escalate a SQL injection attack to compromise the underlying server or other back-end infrastructure. It can also enable them to perform denial-of-service attacks.

Lab: SQL injection vulnerability in WHERE clause allowing retrieval of hidden data

We simply input 'OR 1=1-- - in the category section:

Lab: SQL injection vulnerability allowing login bypass

This one was straightforward.

I just had to input in the username field: wiener'OR 1=1-- -
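An added example (not the labs' code) reproducing the two payloads above against a constructed in-memory SQLite database: the concatenated query shows why 'OR 1=1-- - returns the hidden rows, while the parameterised versions of the category filter and the login check treat the same input as plain data. Table contents and passwords are constructed.

```python
import sqlite3


def make_shop_db() -> sqlite3.Connection:
    """Constructed in-memory database standing in for the lab's back end.
    Passwords are stored in plaintext only to keep the example short."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE products (name TEXT, category TEXT, released INTEGER);
        INSERT INTO products VALUES ('Gift Card', 'Gifts', 1),
                                    ('Unreleased Gift', 'Gifts', 0),
                                    ('Lamp', 'Home', 1);
        CREATE TABLE users (username TEXT, password TEXT);
        INSERT INTO users VALUES ('wiener', 'peter'),
                                 ('administrator', 'constructed-admin-password');
    """)
    return con


def products_vulnerable(con: sqlite3.Connection, category: str) -> list[str]:
    """Concatenation: the category value is parsed as part of the SQL grammar.

    With "Gifts' OR 1=1-- -" the WHERE clause becomes always true and the
    trailing -- comments out the "AND released = 1" restriction."""
    sql = f"SELECT name FROM products WHERE category = '{category}' AND released = 1"
    return [row[0] for row in con.execute(sql)]


def products_safe(con: sqlite3.Connection, category: str) -> list[str]:
    """Parameterised: the value is bound as data and can never alter the query."""
    sql = "SELECT name FROM products WHERE category = ? AND released = 1"
    return [row[0] for row in con.execute(sql, (category,))]


def login_safe(con: sqlite3.Connection, username: str, password: str):
    """Parameterised login check; returns the username on success, else None."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = con.execute(sql, (username, password)).fetchone()
    return row[0] if row else None
```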
