OSCPath Week 2: Web Applications Attacks
Second week of the OSCP learning path! In this week we are taking our first steps into Web Application Pentesting. I recommend paying special attention to this week and the following as the number web apps keep growing everyday and so their vulnerabilities – and so Bug Bounty programs! I haven’t found many videos covering web topics in a structured manner as the previous week but I have tried my best to supply you with as many resources I have found and tested.
DISCLAIMER
All the information I provide is for educational purposes only and I am no liable of any bad use or damage caused directly or indirectly using this information.
What will we be covering this week?
- Introduction to Web Applications Attacks
- Common Web Application Attacks
Exercises
- Security Testing with Burp Suite
- Enumerating and Abusing APIs
- Privilege Escalation via XSS
- Absolute vs Relative Paths
- Identifying and Exploiting Directory Traversals
- Encoding Special Characters
- Local File Inclusion (LFI)
- PHP Wrappers
- Remote File Inclusion (RFI)
- Using Executable Files
- Using Non-Executable Files
- OS Command Injection
Practice
Instead of VMs, I will be using vulnerable web apps as practice.
If you want to try other vulnerable web apps, here’s a list of some of them:
1. Introduction to Web Applications Attacks
Methodology and Vulnerabilities
To learn about web application testing we can start here. This is the OWASP’s Web Security Testing Guide, a very detailed guide about web security. I know it’s quite a long guide but for now we only need point 4 as an introduction.
After reading this we will have a better understanding about webapp pentesting. Now we need to know the OWASP Top 10 - the 10 most common web application vulnerabilities. Here’s the list simplified (2023):
- Broken Access Control
- Cryptographic Failures
- Injection
- Insecure Design
- Security Misconfiguration
- Vulnerable and Outdated Components
- Identification and Authentication Failures
- Software and Data Integrity Failures
- Security Logging and Monitoring Failures
- Server Side Request Forgery (SSRF)
Tools
The most common tool used for web app testing is Burp Suite. Although it’s not the only one it’s probably the one you’re gonna use the most. If you want to know more about a similar tool but open source, check the OWASP Zed Attack Proxy tool.
Here’s a good video by the great John Hammond on How to Use Burp Suite Community Edition (free).
Enumeration
Before we can start exploiting a web app we have to perform some enumeration. The Cyber Mentor has a really good playlist about enumeration and exploitation: Web App Testing
NOTE:
I don’t know why but OffSec places Cross-Site Scripting (XSS) inside Introduction to Web Applications Attack. I am gonna put it under the next section as it has more sense in my opinion.
Now let’s dive into the most common attacks.
2. Common Web Application Attacks
To cover this entire section I will be taking PortSwigger’s Web Security Learning Path. Here you can find the explanation of all this common attacks and labs to practice them. I would recommend you check Rana Khalil’s YouTube Channel for further information about the labs and the vulnerabilities covered.
TIP
Use all this simple labs to start building a web app testing cheat sheet. It would be useful in a future!
I am following the steps described here. I’m mixing both PortSwigger and OffSec Guides so we will cover just 5 types of attack this week:
Cross-Site Scripting (XSS)
Simply put, XSS is one of the most important vulnerabilities out there. It’s both incredibly common and extremely powerful, especially when used as part of a wider exploit chain. This is a huge topic, with plenty of labs for complete beginners and seasoned pros alike.
To learn the basics and perform some easy XSS I would be using PortSwigger Academy. Here you can find the XSS section with some fairly easy labs.
Directory Traversal
Directory traversal (also known as file path traversal) is a web security vulnerability that allows an attacker to read arbitrary files on the server that is running an application.
To learn the basics and perform some easy directory traversal I would be using PortSwigger Academy. Here you can find the Directory Traversal section with some fairly easy labs.
File Inclusion Vulnerabilities
First, we should learn the difference between File Inclusion and Directory Traversal vulnerabilities:
Directory Traversal is when a server allows an attacker to read a file or directories outside of the normal web server directory. Local File Inclusion (LFI) allows an attacker the ability to include an arbitrary file in the web server to be executed locally. And Remote File Inclusion (RFI) is an attack targeting vulnerabilities in web applications that dynamically reference external scripts.
PortSwigger doesn’t have File Inclussion labs as in July 2023 but here are some resources I found useful:
- Elevate Cyber’s LFI for OSCP
Loi Liang Yang’s RFI Explanation and Demonstration
- Advanced Local and Remote File Inclusion - PHP Wrappers
File Upload Vulnerabilities
Back to PortSwigger! Here’s the File Upload section. Pay special attention to this section as it is very useful – you’ll prove this true while hacking VMs.
File upload vulnerabilities are when a web server allows users to upload files to its filesystem without sufficiently validating things like their name, type, contents, or size. Failing to properly enforce restrictions on these could mean that even a basic image upload function can be used to upload arbitrary and potentially dangerous files instead.
Command Injection
Here’s the OS Command Injection section from PortSwigger.
OS command injection (also known as shell injection) is a web security vulnerability that allows an attacker to execute arbitrary operating system (OS) commands on the server that is running an application, and typically fully compromise the application and all its data.
By now, that’s all for this second week. I think that PortSwigger’s Learning Path only scratches the surface of Web App Testing so maybe I will need further reading and practice about the topics. Anyway, it’s a really good starting point! Check my posts about Web App Testing to learn how to exploit all this vulnerabilities.