
Prerequisites
Before getting into web exploitation, there are some things you will need to have. They are listed below:
- Burp Suite
- Python
- WSL (if using Windows only)
Helpful Links
To get started, there are some good places to look. One of the first things I ever did was read the OWASP Vulnerabilities page which links practically every web application vulnerability in existence. Be careful, lots of the bugs listed are pointless and just a waste of time. Focus on the ones which matter.
Two of the most primitive exploits are SQL Injection (SQLi) and Cross-Site Scripting (XSS). I would recommend checking out Computerphile’s videos on these topics on YouTube. They give a pretty good explanation of complex topics and have decent illustrations to make it easier to understand.
That covers most of the theory. For the practical side of learning I would suggest PicoGym, which is essentially a library of older challenges from PicoCTF. They have LOTS of Web hacking challenges which are pretty beginner friendly. You will need to have Burp Suite set up in order to work through the challenges. Some solutions exist online but it’s best to make your own attempt first before reading answers.
For in-depth training on specific topics I would highly recommend PortSwigger Academy which contains a bunch of material and labs covering vulnerabilities in extreme detail. This can be helpful to look at when you encounter a vulnerability class you’ve never seen before.
Lastly, HackTricks is pretty essential for web exploitation challenges. It has plenty of notes to help you for all sorts of challenges. When you are struggling to solve a challenge, it’s always a good idea to consult HackTricks for the relevant article on that vulnerability class.
Introduction
Fundamentally, what is web? Usually, it boils down to manipulating interactions with a webserver. Webservers generally use HTTP requests and responses. As such, it’s pretty important to understand exactly how HTTP requests work, and how the server uses them to serve you a response.
Client Side, Server Side
Let’s dig a bit deeper.
It’s important to understand the distinction between client-side vulnerabilities, and server-side vulnerabilities. Client-side means that the behaviour is happening locally, in your session. This generally applies to vulnerabilities like cross-site scripting – everything is occurring in the context of YOUR computer. Server-side, conversely, means that the magic is happening in the backend – in how servers process the information you provide. This applies to vulnerabilities like server-side request forgery and server-side template injection.
Example: CSTI vs SSTI
To illustrate this, let’s examine Client-Side Template Injection and Server-Side Template Injection. Let’s pretend that you’re testing a website. You see an input field! Great! You decide to test this payload: {{ 7*7 }}. The server responds with 49. Your heart races. Is this an SSTI? Can we get remote code execution here?
Here, we must be more careful. Through careful analysis of this behaviour we can deduce which it is. Firstly, we should use a browser extension like Wappalyzer to determine what technologies the webserver is using. If the extension tells us that it’s using AngularJS, a JavaScript library, the odds are high that we have a CSTI. On the other hand, if we’re looking at a Flask webserver, we may have a server-side template injection on our hands, which is far more serious.
Extensions alone aren’t enough. We can consult HackTricks to find more payloads to test. These payloads will generally help you to narrow down which it is. In a CTF context, generally it will be SSTI – but this doesn’t mean that CSTI won’t crop up.
This example illustrates how important it is to understand the difference between client-side vulnerabilities and server-side vulnerabilities. Eventually you will develop an intuitive understanding of this.
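To make the distinction concrete, here is an added example (not from the original post) showing the two rendering patterns behind the {{ 7*7 }} probe in Jinja2, the template engine Flask uses, plus a small check on the server's raw response. It assumes jinja2 is installed; the probe string and the greeting template are constructed for the demo.

```python
# Added example: why {{ 7*7 }} comes back as 49 from a vulnerable Flask/Jinja2
# app, what the fixed code looks like, and how the RAW response tells SSTI
# apart from client-side evaluation. Assumes `pip install jinja2`.
from jinja2 import Environment, BaseLoader

env = Environment(loader=BaseLoader(), autoescape=True)
PROBE = "{{ 7*7 }}"  # constructed probe, the same one used in the text above


def render_vulnerable(user_input: str) -> str:
    """Untrusted input is spliced into the template SOURCE, so Jinja2
    evaluates any expression it contains: server-side template injection."""
    return env.from_string("Hello " + user_input + "!").render()


def render_fixed(user_input: str) -> str:
    """Untrusted input is passed as DATA to a fixed template. The braces are
    ordinary text to Jinja2 and come back unchanged (and HTML-escaped)."""
    return env.from_string("Hello {{ name }}!").render(name=user_input)


def classify_raw_response(body: str) -> str:
    """Classify the server's RAW response body (what Burp shows, before any
    browser JavaScript runs). If the probe came back evaluated, the server did
    it (SSTI). If it came back literally, any 49 you later see in the browser
    was computed client-side, e.g. by AngularJS, so look for CSTI instead.
    The '49' check is deliberately naive; it is a demo, not a scanner."""
    if PROBE in body:
        return "echoed literally: not evaluated server-side (check for a client-side engine)"
    if "49" in body:
        return "evaluated server-side: SSTI"
    return "probe not reflected"


if __name__ == "__main__":
    for render in (render_vulnerable, render_fixed):
        body = render(PROBE)
        print(f"{render.__name__}: {body!r} -> {classify_raw_response(body)}")
```

The vulnerable function returns "Hello 49!", while the fixed one returns the probe untouched; the classifier is the same check you would do by eye on the raw response in Burp before trusting what the browser shows.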
Common CTF Web Vulnerabilities
- Blind XSS (XSS on the client side, but visited by the server, so technically this is a server-side issue).
- SSTI (Flask, PHP, Golang)
- Bruteforce (Fuzzing login pages, fuzzing directories)
- Prototype Pollution (can occur both client-side and server side)
- SQL Injection (Very common)
- NoSQL Injection (Less common than SQLi)
- Path Traversal
- Deserialization (Java, Python, PHP…)
Often, challenges will use a combination of these.