Aggregate Notes

# Tags #web-application #bug-bounties #practical-junior-web-tester-exam # Helpful Docs #### Attack Methodology Resources - https://academy.tcm-sec.com/courses/enrolled/2167756 - https://owasp.org/Top10/ - https://cwe.mitre.org/index.html - https://www.sans.org/top25-software-errors/ - https://appsecexplained.gitbook.io/appsecexplained #### Enumeration and Fingerprinting Tools - https://securityheaders.com - https://ssllabs.com - https://builtwith.com - https://srt.sh #### Payloads and Toolkits - https://github.com/swisskyrepo/PayloadsAllTheThings - https://portswigger.net/web-security/sql-injection/cheat-sheet - https://www.w3schools.com/sql/func_sqlserver_substring.asp - https://book.hacktricks.xyz/pentesting-web #### Report Templates - https://github.com/hmaverickadams/TCM-Security-Sample-Pentest-Report # Notes ## Web App Pentesting Methodology Advice - When testing webapps it's important to try to test each functionality with input and gauge the responses, try to figure out the intended purpose of each piece you are testing - Think about all of the things you are supplying an application and how it might be using that input ## Security Best Practices - Regular patching/updates - Least privilege - Secure coding - Secure data storage - MFA - Logging and monitoring - Training ## Web App Security #### Pentest vs Bug Bounty - An admin login *could* be a finding, but a bug bounties want to know the *impact* - Pentesting is often compliance focused - A weak password policy could be a finding for a pentest, but for a bug bounty guessing a password and getting - A vulnerability is not interesting but asking how a vulnerability leads to exploitation is a better question to ask - The impact of vulnerability A leads to the the exploitation of B #### Phases of Webapp Pentesting - SOW and MSA signed - Statement of work, master service agreement - ROE - Rules of engagement - Scope is verified - Pentest occurs - Written report gets delivered - Client debrief on the findings - Retesting where necessary ## Before Attacking #### Scope, Ethics, and Code of Conduct - Scope - The boundaries of the engagement, all assets included - Anything not defined in the scope is considered "out of scope" - Dupes - Occurs when multiple researchers report the same bug - CCoC - Community Code of Conduct - Exposure - Access minimum amount of data to prove your concept - Technical Attacks - Bug bounties are typically something that can be solved by a technical answer so something like phishing a user and gaining access is likely out of scope as it is social engineering and not a technical deficiency ## Web App Tech #### Basic Web Tech - HTML, hyper text markup language - Used to create web pages - Elements are represented by tags - CSS, cascading style sheets - Describes the representation of a document written in HTML - Javascript - Used to make web pages interactive - Necessary to know - HTTP Response Codes - 1xx, informational - 2xx, successful - 3xx, redirects - 4xx, client errors - 5xx, server errors ## Recon and Info Gathering #### Fingerprinting - Tools such as the Wappalyzer browser extension or sites like Builtwith, ssllabs, etc - Going to a website and seeing frameworks, proxies, script libraries, and other web technologies that are running, this is useful for versioning or just in general understanding how the page is built - Some tools with Kali - `curl` with the `-i` and `-L` flags - You can also use nmap to scan specific web ports but it isn't quite as reliable as other tools #### Directory Enumeration/Bruteforcing - In a domain it is everything that comes after `https://google.com/` the `/`, there are often special directories that could lead to admin access or sensitive information leaks, config issues, error generation, etc - It's about the method not the tools - Tools for directory bruteforcing - `dirbuster` - UI version if you don't want command line tooling - `dirb` - Recursion is automatic and should be set manually - `ffuf`, fuzz faster u fool - Recursion is not automatic and can be super loud - You give it a wordlist to enumerate against the endpoint, wordlists are often found in `/usr/share/wordlists/` ``` ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt:FUZZ -u http://[target]/FUZZ ``` #### Subdomain Enumeration - A top-level domain or TLD would be something like `google.com`, a subdomain would be `accounts.google.com`, or anything before the TLD, in bug bounties it would likely be represented by `*.site.com` - Tools for subdomain enumeration - `subfinder` - `assetfinder` - `amass` - `gowitness`, can use this to aggregate screenshots off domains - Example usage ``` subfinder -d [target domain] ``` ``` assetfinder [target domain] | grep [interesting text] | sort -u > [file name] ``` ``` amass enum -d [target domain] > [file name] ``` ``` gowitness file -f [file name] -P [name of file output] --no-http ``` ## Burp Suite Basics - An easy way to utilize Burp Suite is to use Mozilla FireFox, this browser offers its own CA storage so when you pair it with Burp's intercept ability and accept the certification in the browser you won't get those big red warnings about certificate issues - When you turn on Burp's intercept you will have the ability to manually manipulate each individual HTTP requests and responses - You can turn off intercept and as you navigate around Burp will automatically start building a site map based on the traffic you have generated allowing you to manually enumerate the site and understand the business logic of the platform #### Commonly Used UI Components - Target - Contains the site map, scope, crawl paths - Proxy - Contains the ability to intercept and review http history - Intruder - You can send a request here to manipulate the fields to perform attacks by choosing different attack types and payloads - Repeater - Allows you to resend the same request again and again using small tweaks to analyze outputs - Decoder - Will encode or decode different strings - Comparer - A byte-per-byte comparison of different HTTP responses, manual diff-checking - Logger - All activity performed utilizing the current session of Burp Suite - Extensions - Enhance the effectiveness of Burp Suite using 3rd party extensions in the BApp Store ## Authentication and Authorization - Authentication, is having valid credentials - Authorization, is the ability to access content once authenticated ## Brute-force Attacks - This type of attack will work on any typical login form embedded on a website - In Burp you can go into your HTTP history and after attempting to send fake credentials into the login form you can capture the `POST` request here - ![[Pasted image 20240802172351.png]] - This allows you to see HTTP request made which you can then send to the `Intruder` part of Burp and allows you to edit the parameters so you can brute force the requests - ![[Pasted image 20240802172507.png]] - With these variables under `username` and `password` you can highlight them and click `Add` on the right hand side and for brute-forcing you can add lists from those installed on your Kali instance or you if are using the Pro edition of Burp you can just select from the drop down - Seclists is a popular repository of usernames and passwords that can be installed with a simple command - After the command is run you can find the installed files in `/usr/share/seclists` and then just pick the topic usable for you ``` sudo apt install seclists ``` - You can also take the HTTP request from Burp and copy to a file to pass to other tools as well such as `ffuf` - Open up your saved HTTP request in a text editor and replace one of the variables with the word FUZZ - `ffuf` will pick up on the variable and apply your wordlists there just like in Burp - ![[Pasted image 20240802174927.png]] - Run the following command to test with the `ffuf` tool ``` ffuf -request /home/theoss/Downloads/http-request.txt -request-proto http -w /usr/share/seclists/Passwords/xato-net-10-million-passwords-10000.txt -fs 1814 ``` - `-request` flag is fed the path to the saved request file - `-request-proto` is for declaring the protocol to use - `-w` is for declaring the path to the wordlist - `-fs 1814` was used in the second search I ran to eliminate the false positives from the response request sizes to clean up the results ## Attacking MFA - MFA is the act of logging into an account and then requiring a secondary token to input to increase the complexity of the login while making it more difficult to perform simple attacks like brute-forcing - There are a few strategies you can thinking about when tackling MFA - Is the code generated simple enough that you could brute-force it? - Is there rate limiting? - Can you grab the code and intercept the login request and change accounts to move laterally with it? - Is there anything odd about the login process when you walk through it? - Does the token expire? - Can you use the token multiple times? - Does the token apply to multiple users? ## Authentication Challenge Walkthrough - This attack uses multiple payload sets and is referred to as a `cluster bomb` since we do not know which username and password combination will get us in we will have to try to brute force both - Browse to the site and generate a test payload in Burp - ![[Pasted image 20240803131340.png]] - Then send to Intruder - ![[Pasted image 20240803131649.png]] - Change to the Attack Type to `Cluster bomb` - Edit the variable by highlighting them and clicking `Add` - Then add payloads to the variables - ![[Pasted image 20240803132751.png]] - `Payload set 1` is the username variable - `Payload set 2` is the password variable - Choose some usernames and passwords from the `seclists` install from earlier - Click on `Start Attack` - Sort by `response` and `length` and eventually you will get the combination that is successful - ![[Pasted image 20240803133452.png]] ## Intro to Authorization - Vertical, stops a user from escalating to a higher privilege - Horizontal, stops a user from accessing or editing users at their level - Context-dependent, stops a user from performing a task unless conditions are met to perform it ## IDOR - Insecure Direct Object Reference - When ever you see a distinct parameter being passed in the URL, the body, or the request it should could as no surprise as something you might want to attempt to manipulate - Capture the activity, go to `HTTP History` and find the `POST` request - Send it to the `Repeater` section of Burp this time to manipulate this account number - ![[Pasted image 20240803144427.png]] - When you change the account number to corresponding numbers like `1001, 1002, 1003, etc` the response you get back provides different information assigned to that account - When you check the HTTP response to these and go to the `Render` tab you can see this is showing the account as `User` access level - ![[Pasted image 20240803145220.png]] - We want to find an admin account so the logical thing to do would attack this sequentially - Create a numerical attack using Burp - ![[Pasted image 20240803145317.png]] - You could also create a script to generate a list and load the payload that way as well - Run the attack and search for an `admin` access response - ![[Pasted image 20240803145435.png]] ## Introduction to APIs - Application Programming Interface - You don't really interface with APIs through a web browser like you would with a traditional website - In order to intercept the traffic in Burp you can use curl to pass traffic to it by declaring the proxy in the CLI - Review how to in this note [[Using Curl to Pass Traffic to Burp Suite]] - JWT, JSON Web Token - Typically comes in three sections separated by dots and each section is base64 encoded ## Broken Access Controls - This exists when you can authenticate as a user, such as capturing a cookie or a JWT and the program does not enforce permission boundaries - Username1, JWT: TOKEN1 - Username2, JWT: TOKEN2 - Then you would use Username1's token to authenticate as Username2 to edit things about their account, this would be BAC ## Local and Remote File Inclusion - LFI and RFIs happen when either a local resource is allowed to be interacted with by a user without checks and RFI happens when a user is allowed to upload a file without proper checks #### LFI Attack Example - Passing parameters in the URL is a good way kick the tires of LFI - ![[Pasted image 20240807211915.png]] - We can target the `filename=` parameter, in this case we can use a site like [PayloadAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/File%20Inclusion) to get ideas for LFI attacks - Let's check for world readable `/etc/passwd` if we can hit it, it should display in the page - It might take some time to see how many directories you have to escape but here is a successful LFI attack - ![[Pasted image 20240807212140.png]] - You can also send the request to the `Intruder` section of Burp and run a `Sniper` attack for directory traversal on the same parameter - ![[Pasted image 20240807212624.png]] - ![[Pasted image 20240807212728.png]] - ![[Pasted image 20240807212800.png]] - Sort by `Length` to tease out true positive results #### RFI Attack Example - Using the same method for LFI we can also use the parameter to call out to external resources as well - ![[Pasted image 20240808213339.png]] - The response should call back resource data from the `https://zeroedbits.com` website - ![[Pasted image 20240808213927.png]] - Sometimes when you are attempting to perform LFI/RFI the common methods can be filtered so directly calling to `../etc/passwd` doesn't work as intended so you have to add filler to get stripped out - `..///////..////..//////etc/passwd`, the extra `/`'s get stripped away due to filtering as well as the `..`'s leaving just the original call of `../etc/passwd` to be passed through ## SQL Injection Attacks #### Basic SQL Injection - `#` or `-- -` are terminators for the end of a SQL query - `union select` can only be used to choose two columns in a query - `testinput' or 1=1-- -` - `null`, `NULL` or `'NULL'` can be used to bypass validation attempts - The `null` value can be used in place of any variable you are attempting to bypass that might be required by a SQL query #### Blind SQLi Pt - When doing Blind SQL you should always be looking for *where* it could exist, consider all of the inputs the application is taking in - Here is an example of a login with successful creds - ![[Pasted image 20240811223031.png]] - Now if we go to the next response in the `HTTP History` of Burp we see this - ![[Pasted image 20240811223143.png]] - We already auth'd and now we have a cookie we are authenticated with - In this scenario you could test the username, the password, as well as the cookie, a tool like SQLmap could be of assistance - Saving a `POST` request to a file and then passing that file to SQLmap is a great way to test fields for basic levels of weakness to SQLi - ![[Pasted image 20240811224503.png]] - It will run this test on all fields within the request - To manually test SQLi in an authentication cookie look for things like `Content-Length` - ![[Pasted image 20240811234913.png]] - Now test an SQLi to see if the `Content-Length` matches - ![[Pasted image 20240811235128.png]] #### Blind SQLi Pt 2 - You don't always get output in an expected visual way - like a fancy verbose error code on a webpage or an HTTP response that tells you something about what happened - In `Blind SQL Injection Pt 1` we tested proving SQL injection was possible on a session cookie by running a SQL statement and comparing `Content-Length` outputs of the answer - We identified that `1027` bytes was a positive correlation and `1928` bytes was an error correlation - Let's identify the version of SQL running using `Pt 1` as the example - Instead of using `or 1=1#` which only shows us that SQL injection is possible, let's tease information out of the database using `substrings` - Here is a test example from the lab ``` ' and substring((select version()), 1, 5) = '8.0.3'# ``` - Using the `substring` function - `1` is the starting position, extracts the first character of the version string - `5` is the length, extracts 5 characters from the first character of the version string - You will get the `1027` `content-length` if the character is correct, this allows for a manual brute forcing methodology to prove small strings worth of characters to tease out information that might not be otherwise verbose enough to be displayed - You could brute force this using `Intruder` as well if you are just guessing characters - add the a-z, 1-9 sequence to the payload list and you can brute force one character at a time #### Second Order SQLi - Malicious code is entered into the SQL DB but gets executed later without having to re-inject it ## XSS (Cross-Site Scripting) ###### ==This section needs more review== - Types of XSS - Reflected - The script has to be included in the initial HTTP request and you can only target yourself - Stored - The script is stored into a DB and retrieved later allowing it to be called and utilized later to attack other users - DOM-based - Only happens within the local browser for the client, there is no server interaction ## Command Injection Attacks - Takes input from the user and processes it as a function - `Eval()` is evil, it executes whatever input it is given - When you see an opportunity for command injection some things to think about are.. - Can you chain commands? - Can you add something to whatever is being executed? - Is there filtering happening on the input? - Are there characters that cannot be passed through? #### Blind Command Injection - When you do not get to see the output from a command injection attempt but a system, application, etc behaves in a way to imply that the injection was successful ## Server-Side Template Injection - Template Engine separates the presentation layer from the logic layer in an application\ - If input is passed with valid syntax to a rendering engine it could allow for exploitation - Template Engines - Jinja2 - Twig - Handlebars - Etc ## XML External Entity (XXE) Injection ###### ==This section needs more review== ## Insecure File Uploads ###### ==This section needs more review== ## Automated Scanners - Most bug bounty programs won't allow automated scanning, read and understand the scope - ![[Pasted image 20240909205006.png]] ## Scripting and Automation ==This section needs more review== ## Cross-Site Request Forgery (CSRF) ==This section needs more review== - Trick a user into performing an action in a web application that the user is already authenticated to ## Server-Side Request Forgery (SSRF) ==This section needs more review== ## CVSS Scoring - A security assessment framework to standardize vulnerability language across industries - A score is rated on three categories - Exploitability - Impact - Scope - The scoring is far more nuanced when evaluating your own findings when doing Bug Bounty ## Effective Pentest & Bug Bounty Report Writing - Demo pentest reports from multiple sources are widely available and should be reviewed to get a feel for writing style, clarity, and succinctness - https://github.com/hmaverickadams/TCM-Security-Sample-Pentest-Report ## VDP, Vulnerability Disclosure Program - Usually not monetarily focused, often will give you swag in lieu of financial compensation - This is not the same thing as a bug bounty program but the rules are pretty similar ## Common Bug Bounty Mistakes From a Triager Perspective ![[Pasted image 20240914193325.png]]