Skip to content

ru44/eWPT

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

4 Commits
 
 
 
 
 
 
 
 
 
 

Repository files navigation

eWPT - Web Application Penetration Testing

Tool Proficiency: Be comfortable with tools like Burp Suite, ZAP, sqlmap, ffuf, and custom scripts for automation, AND OF COURSE CHATGPT. Also yeah edit your /etc/resolv.conf to only allow ine dns servers while testing otherwise your scans are gonna get messed up.

Topics

Web Application Penetration Testing Processes and Methodologies (10%)

Accurately assess a web application based on methodological, industry-standard best practices Identify vulnerabilities in web applications in accordance with the OWASP Web Security Testing Guide

Information Gathering & Reconnaissance (10%)

Extract information from websites using passive reconnaissance & OSINT techniques Extract information about a target organization’s domains, subdomains, and IP addresses Examine Web Server Metafiles for information exposure

Web Application Analysis & Inspection (10%)

Identify the type and version of a web server technology running on a given domain Identify the specific technologies or frameworks being used in a web application Analyze the structure of web applications to identify potential attack vectors Locate hidden files and directories not accessible through normal browsing Identify and exploit vulnerabilities caused by the improper implementation of HTTP methods

Web Application Vulnerability Assessment (15%)

Identify and exploit common misconfigurations in web servers Test web applications for default credentials and weak passwords Bypass weak/broken authentication mechanisms Identify information disclosure vulnerabilities

Web Application Security Testing (25%)

Identify and exploit directory traversal vulnerabilities for information disclosure Identify and exploit file upload vulnerabilities for remote code execution Identify and exploit Local File Inclusion(LFI) and Remote File Inclusion(RFI) vulnerabilities Identify and exploit Session Management vulnerabilities Exploit vulnerable and outdated web application components Perform bruteforce attacks against login forms Identify and exploit command injection vulnerabilities for remote code execution

Manual Exploitation of Common Web Application Vulnerabilities (20%)

Identify and exploit Reflected XSS vulnerabilities Identify and exploit Stored XSS vulnerabilities Identify and exploit SQL Injection vulnerabilities Identify and exploit vulnerabilities in content management systems Extract information and credentials from backend databases

Web Service Security Testing (10%)

Identify and enumerate information from web services Exploit vulnerable web services

Web Application Penetration Testing Methodology (10%)

Accurately assess a web application based on methodological, industry-standard best practices. Identify and prioritize testing objectives based on business impact and risk assessment.

Web Application Reconnaissance (15%)

Perform a comprehensive passive and active reconnaissance on designated target web applications by utilizing tools and techniques such as WHOIS lookups, DNS enumeration, and network scanning. Extract information about a target organization’s domains, subdomains, and IP addresses. Utilize fuzzing techniques to discover input validation vulnerabilities in web applications. Utilize Git-specific tools to automate the discovery of secrets and vulnerabilities in code.

Authentication Attacks (15%)

Test various authentication methods (e.g., Basic, Digest, OAuth) by executing practical attacks such as credential stuffing and brute force. Identify common vulnerabilities in SSO implementations and their potential impacts. Identify and exploit Session Management vulnerabilities (e.g., session fixation and hijacking). Identify and exploit weaknesses in OAuth and OpenID Connect protocols.

Injection Vulnerabilities (15%)

Identify and exploit SQL injection vulnerabilities in web applications, including error-based, blind, and time-based techniques. Utilize SQLMap and other tools to automate SQL injection attacks and demonstrate effective exploitation. Identify and exploit NoSQL injection vulnerabilities in web applications, demonstrating hands-on skills in manipulating data in NoSQL databases. Extract sensitive data from compromised databases using advanced querying techniques.

API Penetration Testing (25%)

Conduct hands-on penetration tests on API endpoints to identify and exploit vulnerabilities effectively. Utilize automation tools for API vulnerability testing and demonstrate efficiency in identifying vulnerabilities. Analyze API endpoints for potential parameter manipulation vulnerabilities and demonstrate exploitation techniques. Conduct tests to identify vulnerabilities related to rate limiting, such as denial-of-service (DoS) attacks and resource exhaustion. Demonstrate the ability to bypass or manipulate rate limiting mechanisms in a controlled testing environment.

Server-Side Attacks (10%)

Identify and exploit SSRF (Server-Side Request Forgery) attacks against server-side services. Perform deserialization attacks to manipulate server-side objects, leading to arbitrary code execution or privilege escalation. Perform LDAP injection attacks against web application directories to bypass authentication or extract sensitive information.

Filter Evasion & WAF Bypass (10%)

Analyze and test WAF rules to identify weak configurations, demonstrating practical bypass techniques. Perform hands-on WAF evasion techniques, such as encoding, obfuscation, and payload fragmentation, to bypass filtering mechanisms. Bypass input validation mechanisms through obfuscation, payload encoding, and altering content types, focusing on SSRF and XXE exploitation.

Table of Contents

Introduction

Hi I'm RuM and I'm currently studying for the eWPT exam. I write these notes to help me understand the concepts better and to help others who are studying for the exam. I hope you find these notes helpful and if you have any suggestions or you want to add more stuff please make a PR, Most resources are from the Sergio Medeiros please go check out his website for more information.

Cross-Site Scripting (XSS)

Cross-Site Scripting (XSS) is a web vulnerability that allows attackers to inject malicious scripts into web pages viewed by other users. This occurs when an application includes untrusted data in its output without proper validation or escaping, allowing attackers to execute scripts in the context of other users' browsers. and it can be classified into three types:

  1. Reflected XSS
  2. Stored/Persistent XSS
  3. DOM-based XSS

Reflected Cross-Site Scripting (XSS)

Reflected XSS is a web vulnerability where an attacker injects malicious scripts into a website that are immediately reflected back to the user without being stored on the server. This happens when an application dynamically includes untrusted user input in its response without proper sanitization or encoding.

How it Happens

  1. User Input: A vulnerable website accepts user input (e.g., via a query parameter).
  2. Response Reflection: The input is included in the HTML response without escaping.
  3. Malicious Script Execution: An attacker crafts a malicious URL containing a script, and the victim unknowingly visits the URL, leading to script execution.

Vulnerable Code Example

<?php
if (isset($_GET['search'])) {
    $search = $_GET['search'];
    echo "Search results for: " . $search; // User input is reflected without sanitization
}
?>

Exploiting Reflected XSS

  1. Exploiting Reflected XSS
http://localhost:8080/eWPTXv2/reflectedXSS.php?search=<script>alert(1)</script>
  1. Execution:
Search results for: <script>alert(1)</script>
  1. Impact: The script is executed in the context of the vulnerable website, allowing an attacker to steal cookies, redirect users to malicious sites, or deface the website. The attacker can steal cookies, session tokens, or perform unauthorized actions.

Prevention Strategies

  1. Escape Output :Use functions to escape HTML special characters:
    • PHP: htmlspecialchars($input, ENT_QUOTES, 'UTF-8')
    • Java: StringEscapeUtils.escapeHtml4(input)
    • Python: cgi.escape(input)
  2. Use Content Security Policy (CSP) : Implement a Content Security Policy to restrict the sources of content that can be loaded on a page.
    • Example: Content-Security-Policy: default-src 'self'
  3. Use HTTPOnly Cookies
  4. Implement Input Validation : Validate and sanitize user input to ensure it adheres to expected formats and values.
    • PHP: $search = filter_input(INPUT_GET, 'search', FILTER_SANITIZE_STRING);
  5. Avoid inline JavaScript : Avoid inline JavaScript and use external scripts instead.
    • Bad: <script>alert('XSS')</script>

Stored/Persistent XSS

Stored/Persistent XSS occurs when malicious scripts are injected into a website and stored persistently in a database, file system, or any storage. These scripts are later served to users without proper sanitization, leading to their execution in users' browsers.

How it Happens

  1. User Input: The attacker submits a payload via a form, API, or another input method (e.g., comment box or profile fields).
  2. Data Storage: The input is stored in a database or file without sanitization.
  3. Malicious Script Execution: The stored input is displayed to other users, leading to script execution.
  4. impact: The attacker can steal cookies, session tokens, or Defacing the website, redirecting users to malicious sites, or performing unauthorized actions.

Vulnerable Code Example

<?php
// Database connection (for example purposes)
$conn = new mysqli("localhost", "root", "", "xss_demo");

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $comment = $_POST['comment']; // No sanitization here
    $conn->query("INSERT INTO comments (content) VALUES ('$comment')");
    echo "Comment added!";
}

$comments = $conn->query("SELECT content FROM comments");
?>
<!DOCTYPE html>
<html>
<body>
    <h2>Comments</h2>
    <form method="POST">
        <textarea name="comment"></textarea><br>
        <button type="submit">Submit</button>
    </form>
    <ul>
        <?php while ($row = $comments->fetch_assoc()) {
            echo "<li>" . $row['content'] . "</li>"; // Directly outputs stored data
        } ?>
    </ul>
</body>
</html>

Exploiting Stored XSS

  1. Malicious Payload:

    • The attacker submits:

      <script>alert('Stored XSS');</script>
  2. Stored Data:

    • The payload is stored in the comments table.
  3. Execution:

    • When another user views the comments section, the payload executes:

      <li><script>alert('Stored XSS');</script></li>

Prevention Strategies

  1. Escape Output:

    • Use htmlspecialchars() to sanitize data before displaying it:

      echo htmlspecialchars($row['content'], ENT_QUOTES, 'UTF-8');
  2. Validate and Sanitize Input:

    • Filter dangerous inputs before storing them:

      $comment = htmlspecialchars($_POST['comment'], ENT_QUOTES, 'UTF-8');
  3. Use Parameterized Queries:

    • Prevent SQL injection and sanitize input simultaneously:

      $stmt = $conn->prepare("INSERT INTO comments (content) VALUES (?)");
      $stmt->bind_param("s", $comment);
      $stmt->execute();
  4. Content Security Policy (CSP):

    • Add a CSP header to prevent execution of malicious scripts:

      Content-Security-Policy: script-src 'self';
  5. Regular Security Audits:

    • Test for XSS vulnerabilities regularly using tools like Burp Suite or OWASP ZAP.

Example Fix

<?php
// Secure example with parameterized queries and escaping
$conn = new mysqli("localhost", "root", "", "xss_demo");

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $comment = htmlspecialchars($_POST['comment'], ENT_QUOTES, 'UTF-8');
    $stmt = $conn->prepare("INSERT INTO comments (content) VALUES (?)");
    $stmt->bind_param("s", $comment);
    $stmt->execute();
    echo "Comment added!";
}

$comments = $conn->query("SELECT content FROM comments");
?>
<!DOCTYPE html>
<html>
<body>
    <h2>Comments</h2>
    <form method="POST">
        <textarea name="comment"></textarea><br>
        <button type="submit">Submit</button>
    </form>
    <ul>
        <?php while ($row = $comments->fetch_assoc()) {
            echo "<li>" . htmlspecialchars($row['content'], ENT_QUOTES, 'UTF-8') . "</li>";
        } ?>
    </ul>
</body>
</html>

DOM-Based Cross-Site Scripting (XSS)

DOM-based XSS occurs when malicious scripts are executed in the browser due to insecure client-side JavaScript code. Unlike Reflected or Stored XSS, the server is not directly involved in rendering the attack payload; instead, the vulnerability is in the manipulation of the DOM on the client side.


How It Happens

  1. Client-Side JavaScript: The vulnerable code dynamically modifies the DOM using untrusted user input (e.g., from URL parameters or cookies) without proper validation or sanitization.
  2. Execution: The attack payload is injected and executed within the browser context.

Vulnerable Code Example

HTML + JavaScript

<!DOCTYPE html>
<html>
<body>
    <h2>Welcome!</h2>
    <div id="output"></div>
    <script>
        // Vulnerable code: reads data from the URL without sanitization
        const urlParams = new URLSearchParams(window.location.search);
        const user = urlParams.get('name');
        document.getElementById('output').innerHTML = `Hello, ${user}!`; // Dangerous: unsanitized input
    </script>
</body>
</html>

Exploiting DOM-Based XSS

  1. Malicious URL:

    • An attacker crafts the following URL:

      http://example.com/?name=<script>alert('DOM XSS')</script>
      
  2. Execution:

    • When the victim visits the link, the browser executes the script:

      <div id="output">Hello, <script>alert('DOM XSS')</script>!</div>
  3. Impact:

    • Stealing cookies or sensitive data.
    • Redirecting users to malicious websites.
    • Defacing the website.

Prevention Strategies

  1. Avoid Direct innerHTML Usage

    • Use safer methods like textContent for inserting untrusted input:

      document.getElementById('output').textContent = `Hello, ${user}!`;
  2. Validate and Sanitize Input

    • Use a client-side sanitization library like DOMPurify:

      const sanitizedUser = DOMPurify.sanitize(user);
      document.getElementById('output').innerHTML = `Hello, ${sanitizedUser}!`;
  3. Content Security Policy (CSP)

    • Restrict inline scripts by implementing a CSP header:

      Content-Security-Policy: script-src 'self';
  4. Use Safe JavaScript APIs

    • Prefer methods like createElement or textContent instead of innerHTML.
  5. Audit JavaScript Code

    • Review all places where user-controlled input interacts with the DOM.

Example Fix

<!DOCTYPE html>
<html>
<body>
    <h2>Welcome!</h2>
    <div id="output"></div>
    <script>
        const urlParams = new URLSearchParams(window.location.search);
        const user = urlParams.get('name');
        const sanitizedUser = DOMPurify.sanitize(user); // Sanitize input
        document.getElementById('output').textContent = `Hello, ${sanitizedUser}!`; // Use safer method
    </script>
    <script src="https://cdnjs.cloudflare.com/ajax/libs/dompurify/2.3.10/purify.min.js"></script> <!-- DOMPurify -->
</body>
</html>

Testing DOM-Based XSS

  1. Host the vulnerable example on a local server (e.g., with Laragon).

  2. Visit a URL like:

    http://localhost/?name=<script>alert('Test')</script>
  3. Observe the behavior and validate the fix with sanitized code.

Cross-Site Request Forgery (CSRF)

  • Cross-Site Request Forgery (CSRF)
  • Anti-CSRF Token Bypass using SQLmap

SQL Injection

  • SQL Injection
    • Boolean Blind SQL Injection
    • Time-Based SQL Injection
    • Error-Based SQL Injection
    • Time-Based SQL Injection (SQLi)
  • Second Order SQL Injection

Injection Attacks

  • Command Injection
  • XML External Entity (XXE)
  • PHP Object Injection
  • Java Deserialization
  • Server Side Template Injection (SSTI)
  • Server Side Request Forgery (SSRF)
  • Out-of-Band (OOB) XML eXternal Entity Injection
  • Host Header Injection

Other Exploits

  • File Upload Exploitation
  • Session Hijacking

Miscellaneous

  • De-Obfuscate JavaScript Code
  • PHP Coding Resources

Enumeration

Subdomain Brute Forcing

Directory Busting

Low/Informational Vulnerabilities

Report Template

Master the Art of The Following Vulnerabilities

Cross Scripting Resources

Reflected XSS

Stored/Persistent XSS

SQL Injection Resources

Remember.. SQLmap is your best friend when exploiting these vulnerabilities. The -r switch goes a long way! ;-)

Boolean Blind SQL Injection

Error-Based SQL Injection

Time-Based SQL Injection

File Upload Exploitation

Session Hijacking

PHP Object Injection

PHP Object Injection is a type of security vulnerability where an attacker can manipulate and exploit an application's deserialization mechanism to execute unintended actions. This occurs when user input is passed to unserialize() without proper validation.

How it Happens

  1. Untrusted Input to unserialize(): User input is directly passed to the unserialize() function.
  2. Malicious Serialized Object: An attacker crafts a malicious serialized object to exploit the application.
  3. Triggering a Magic Method: PHP objects often have magic methods like __wakeup() __destruct() __toString() hat execute when an object is deserialized or destroyed. If these methods contain exploitable functionality, they can be abused.

Java Deserialization

Server Side Template Injection (SSTI)

Server Side Request Forgery (SSRF)

Second Order SQL Injection

Note: Please do not depend on SQLmap for each SQL injection that you find, not all of them can be exploited using SQLmap, and you may need to exploit them manually. In this case, be sure that you understand why you are using special characters like ' or # when testing manually. ;)

Anti-CSRF Token Bypass using SQLmap

Out-of-Band (OOB) XML eXternal Entity Injection

Host Header Injection

De-Obfuscate JavaScript Code

PHP Coding Resources

Time-Based SQL Injection (SQLi)

Conclusion

Explore thoroughly by searching for hidden directories, subdomains, and endpoints that could be leveraged to create attack chains. Finding one vulnerability is just the beginning; look for ways to link it with other vulnerabilities to form a more powerful attack chain.

About

eWPT exam notes

Topics

Resources

Stars

Watchers

Forks

Releases

No releases published