Tool Proficiency: Be comfortable with tools like Burp Suite, ZAP, sqlmap, ffuf, and custom scripts for automation, AND OF COURSE CHATGPT. Also yeah edit your /etc/resolv.conf to only allow ine dns servers while testing otherwise your scans are gonna get messed up.
Accurately assess a web application based on methodological, industry-standard best practices Identify vulnerabilities in web applications in accordance with the OWASP Web Security Testing Guide
Extract information from websites using passive reconnaissance & OSINT techniques Extract information about a target organization’s domains, subdomains, and IP addresses Examine Web Server Metafiles for information exposure
Identify the type and version of a web server technology running on a given domain Identify the specific technologies or frameworks being used in a web application Analyze the structure of web applications to identify potential attack vectors Locate hidden files and directories not accessible through normal browsing Identify and exploit vulnerabilities caused by the improper implementation of HTTP methods
Identify and exploit common misconfigurations in web servers Test web applications for default credentials and weak passwords Bypass weak/broken authentication mechanisms Identify information disclosure vulnerabilities
Identify and exploit directory traversal vulnerabilities for information disclosure Identify and exploit file upload vulnerabilities for remote code execution Identify and exploit Local File Inclusion(LFI) and Remote File Inclusion(RFI) vulnerabilities Identify and exploit Session Management vulnerabilities Exploit vulnerable and outdated web application components Perform bruteforce attacks against login forms Identify and exploit command injection vulnerabilities for remote code execution
Identify and exploit Reflected XSS vulnerabilities Identify and exploit Stored XSS vulnerabilities Identify and exploit SQL Injection vulnerabilities Identify and exploit vulnerabilities in content management systems Extract information and credentials from backend databases
Identify and enumerate information from web services Exploit vulnerable web services
Accurately assess a web application based on methodological, industry-standard best practices. Identify and prioritize testing objectives based on business impact and risk assessment.
Perform a comprehensive passive and active reconnaissance on designated target web applications by utilizing tools and techniques such as WHOIS lookups, DNS enumeration, and network scanning. Extract information about a target organization’s domains, subdomains, and IP addresses. Utilize fuzzing techniques to discover input validation vulnerabilities in web applications. Utilize Git-specific tools to automate the discovery of secrets and vulnerabilities in code.
Test various authentication methods (e.g., Basic, Digest, OAuth) by executing practical attacks such as credential stuffing and brute force. Identify common vulnerabilities in SSO implementations and their potential impacts. Identify and exploit Session Management vulnerabilities (e.g., session fixation and hijacking). Identify and exploit weaknesses in OAuth and OpenID Connect protocols.
Identify and exploit SQL injection vulnerabilities in web applications, including error-based, blind, and time-based techniques. Utilize SQLMap and other tools to automate SQL injection attacks and demonstrate effective exploitation. Identify and exploit NoSQL injection vulnerabilities in web applications, demonstrating hands-on skills in manipulating data in NoSQL databases. Extract sensitive data from compromised databases using advanced querying techniques.
Conduct hands-on penetration tests on API endpoints to identify and exploit vulnerabilities effectively. Utilize automation tools for API vulnerability testing and demonstrate efficiency in identifying vulnerabilities. Analyze API endpoints for potential parameter manipulation vulnerabilities and demonstrate exploitation techniques. Conduct tests to identify vulnerabilities related to rate limiting, such as denial-of-service (DoS) attacks and resource exhaustion. Demonstrate the ability to bypass or manipulate rate limiting mechanisms in a controlled testing environment.
Identify and exploit SSRF (Server-Side Request Forgery) attacks against server-side services. Perform deserialization attacks to manipulate server-side objects, leading to arbitrary code execution or privilege escalation. Perform LDAP injection attacks against web application directories to bypass authentication or extract sensitive information.
Analyze and test WAF rules to identify weak configurations, demonstrating practical bypass techniques. Perform hands-on WAF evasion techniques, such as encoding, obfuscation, and payload fragmentation, to bypass filtering mechanisms. Bypass input validation mechanisms through obfuscation, payload encoding, and altering content types, focusing on SSRF and XXE exploitation.
- Introduction
- Cross-Site Scripting (XSS)
- SQL Injection
- Injection Attacks
- Other Exploits
- Miscellaneous
- Enumeration
- Low/Informational Vulnerabilities
- Report Template
Hi I'm RuM and I'm currently studying for the eWPT exam. I write these notes to help me understand the concepts better and to help others who are studying for the exam. I hope you find these notes helpful and if you have any suggestions or you want to add more stuff please make a PR, Most resources are from the Sergio Medeiros please go check out his website for more information.
Cross-Site Scripting (XSS) is a web vulnerability that allows attackers to inject malicious scripts into web pages viewed by other users. This occurs when an application includes untrusted data in its output without proper validation or escaping, allowing attackers to execute scripts in the context of other users' browsers. and it can be classified into three types:
- Reflected XSS
- Stored/Persistent XSS
- DOM-based XSS
Reflected XSS is a web vulnerability where an attacker injects malicious scripts into a website that are immediately reflected back to the user without being stored on the server. This happens when an application dynamically includes untrusted user input in its response without proper sanitization or encoding.
- User Input: A vulnerable website accepts user input (e.g., via a query parameter).
- Response Reflection: The input is included in the HTML response without escaping.
- Malicious Script Execution: An attacker crafts a malicious URL containing a script, and the victim unknowingly visits the URL, leading to script execution.
<?php
if (isset($_GET['search'])) {
$search = $_GET['search'];
echo "Search results for: " . $search; // User input is reflected without sanitization
}
?>
- Exploiting Reflected XSS
http://localhost:8080/eWPTXv2/reflectedXSS.php?search=<script>alert(1)</script>
- Execution:
Search results for: <script>alert(1)</script>
- Impact: The script is executed in the context of the vulnerable website, allowing an attacker to steal cookies, redirect users to malicious sites, or deface the website. The attacker can steal cookies, session tokens, or perform unauthorized actions.
- Escape Output :Use functions to escape HTML special characters:
- PHP:
htmlspecialchars($input, ENT_QUOTES, 'UTF-8')
- Java:
StringEscapeUtils.escapeHtml4(input)
- Python:
cgi.escape(input)
- PHP:
- Use Content Security Policy (CSP) : Implement a Content Security Policy to restrict the sources of content that can be loaded on a page.
- Example:
Content-Security-Policy: default-src 'self'
- Example:
- Use HTTPOnly Cookies
- Implement Input Validation : Validate and sanitize user input to ensure it adheres to expected formats and values.
- PHP:
$search = filter_input(INPUT_GET, 'search', FILTER_SANITIZE_STRING);
- PHP:
- Avoid inline JavaScript : Avoid inline JavaScript and use external scripts instead.
- Bad:
<script>alert('XSS')</script>
- Bad:
Stored/Persistent XSS occurs when malicious scripts are injected into a website and stored persistently in a database, file system, or any storage. These scripts are later served to users without proper sanitization, leading to their execution in users' browsers.
- User Input: The attacker submits a payload via a form, API, or another input method (e.g., comment box or profile fields).
- Data Storage: The input is stored in a database or file without sanitization.
- Malicious Script Execution: The stored input is displayed to other users, leading to script execution.
- impact: The attacker can steal cookies, session tokens, or Defacing the website, redirecting users to malicious sites, or performing unauthorized actions.
<?php
// Database connection (for example purposes)
$conn = new mysqli("localhost", "root", "", "xss_demo");
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
$comment = $_POST['comment']; // No sanitization here
$conn->query("INSERT INTO comments (content) VALUES ('$comment')");
echo "Comment added!";
}
$comments = $conn->query("SELECT content FROM comments");
?>
<!DOCTYPE html>
<html>
<body>
<h2>Comments</h2>
<form method="POST">
<textarea name="comment"></textarea><br>
<button type="submit">Submit</button>
</form>
<ul>
<?php while ($row = $comments->fetch_assoc()) {
echo "<li>" . $row['content'] . "</li>"; // Directly outputs stored data
} ?>
</ul>
</body>
</html>
-
Malicious Payload:
-
The attacker submits:
<script>alert('Stored XSS');</script>
-
-
Stored Data:
- The payload is stored in the
comments
table.
- The payload is stored in the
-
Execution:
-
When another user views the comments section, the payload executes:
<li><script>alert('Stored XSS');</script></li>
-
-
Escape Output:
-
Use
htmlspecialchars()
to sanitize data before displaying it:echo htmlspecialchars($row['content'], ENT_QUOTES, 'UTF-8');
-
-
Validate and Sanitize Input:
-
Filter dangerous inputs before storing them:
$comment = htmlspecialchars($_POST['comment'], ENT_QUOTES, 'UTF-8');
-
-
Use Parameterized Queries:
-
Prevent SQL injection and sanitize input simultaneously:
$stmt = $conn->prepare("INSERT INTO comments (content) VALUES (?)"); $stmt->bind_param("s", $comment); $stmt->execute();
-
-
Content Security Policy (CSP):
-
Add a CSP header to prevent execution of malicious scripts:
Content-Security-Policy: script-src 'self';
-
-
Regular Security Audits:
- Test for XSS vulnerabilities regularly using tools like Burp Suite or OWASP ZAP.
<?php
// Secure example with parameterized queries and escaping
$conn = new mysqli("localhost", "root", "", "xss_demo");
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
$comment = htmlspecialchars($_POST['comment'], ENT_QUOTES, 'UTF-8');
$stmt = $conn->prepare("INSERT INTO comments (content) VALUES (?)");
$stmt->bind_param("s", $comment);
$stmt->execute();
echo "Comment added!";
}
$comments = $conn->query("SELECT content FROM comments");
?>
<!DOCTYPE html>
<html>
<body>
<h2>Comments</h2>
<form method="POST">
<textarea name="comment"></textarea><br>
<button type="submit">Submit</button>
</form>
<ul>
<?php while ($row = $comments->fetch_assoc()) {
echo "<li>" . htmlspecialchars($row['content'], ENT_QUOTES, 'UTF-8') . "</li>";
} ?>
</ul>
</body>
</html>
DOM-based XSS occurs when malicious scripts are executed in the browser due to insecure client-side JavaScript code. Unlike Reflected or Stored XSS, the server is not directly involved in rendering the attack payload; instead, the vulnerability is in the manipulation of the DOM on the client side.
- Client-Side JavaScript: The vulnerable code dynamically modifies the DOM using untrusted user input (e.g., from URL parameters or cookies) without proper validation or sanitization.
- Execution: The attack payload is injected and executed within the browser context.
<!DOCTYPE html>
<html>
<body>
<h2>Welcome!</h2>
<div id="output"></div>
<script>
// Vulnerable code: reads data from the URL without sanitization
const urlParams = new URLSearchParams(window.location.search);
const user = urlParams.get('name');
document.getElementById('output').innerHTML = `Hello, ${user}!`; // Dangerous: unsanitized input
</script>
</body>
</html>
-
Malicious URL:
-
An attacker crafts the following URL:
http://example.com/?name=<script>alert('DOM XSS')</script>
-
-
Execution:
-
When the victim visits the link, the browser executes the script:
<div id="output">Hello, <script>alert('DOM XSS')</script>!</div>
-
-
Impact:
- Stealing cookies or sensitive data.
- Redirecting users to malicious websites.
- Defacing the website.
-
Avoid Direct
innerHTML
Usage-
Use safer methods like
textContent
for inserting untrusted input:document.getElementById('output').textContent = `Hello, ${user}!`;
-
-
Validate and Sanitize Input
-
Use a client-side sanitization library like DOMPurify:
const sanitizedUser = DOMPurify.sanitize(user); document.getElementById('output').innerHTML = `Hello, ${sanitizedUser}!`;
-
-
Content Security Policy (CSP)
-
Restrict inline scripts by implementing a CSP header:
Content-Security-Policy: script-src 'self';
-
-
Use Safe JavaScript APIs
- Prefer methods like
createElement
ortextContent
instead ofinnerHTML
.
- Prefer methods like
-
Audit JavaScript Code
- Review all places where user-controlled input interacts with the DOM.
<!DOCTYPE html>
<html>
<body>
<h2>Welcome!</h2>
<div id="output"></div>
<script>
const urlParams = new URLSearchParams(window.location.search);
const user = urlParams.get('name');
const sanitizedUser = DOMPurify.sanitize(user); // Sanitize input
document.getElementById('output').textContent = `Hello, ${sanitizedUser}!`; // Use safer method
</script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/dompurify/2.3.10/purify.min.js"></script> <!-- DOMPurify -->
</body>
</html>
-
Host the vulnerable example on a local server (e.g., with Laragon).
-
Visit a URL like:
http://localhost/?name=<script>alert('Test')</script>
-
Observe the behavior and validate the fix with sanitized code.
- Cross-Site Request Forgery (CSRF)
- Anti-CSRF Token Bypass using SQLmap
- SQL Injection
- Boolean Blind SQL Injection
- Time-Based SQL Injection
- Error-Based SQL Injection
- Time-Based SQL Injection (SQLi)
- Second Order SQL Injection
- Command Injection
- XML External Entity (XXE)
- PHP Object Injection
- Java Deserialization
- Server Side Template Injection (SSTI)
- Server Side Request Forgery (SSRF)
- Out-of-Band (OOB) XML eXternal Entity Injection
- Host Header Injection
- File Upload Exploitation
- Session Hijacking
- De-Obfuscate JavaScript Code
- PHP Coding Resources
- Bruteforcing Subdomains with Wfuzz
- Subdomain Enumeration Guide
- Subdomains Enumeration Cheatsheet
- Google Dorking for Subdomain Enumeration
- Bug Bounty Recon: Content Discovery
- Recon and Content Discovery
- YouTube: Directory Busting
- Directory Bruteforcing Web Server
- Total OSCP Guide: Web Scanning
- Reflected XSS
- BrightSec: Cross-Site Scripting (XSS)
- YouTube: Reflected XSS
- Public Firing Range: Reflected XSS Labs
- Stored XSS
- The Ultimate Guide to Stored XSS Attacks
- Complete Cross-Site Scripting Walkthrough
- A Pentester's Guide to Cross-Site Scripting (XSS)
- PortSwigger: Reflected XSS Lab
- PortSwigger: Stored XSS Lab
Remember.. SQLmap is your best friend when exploiting these vulnerabilities. The -r switch goes a long way! ;-)
- Beginner Guide to SQL Injection
- Boolean Exploitation Technique
- YouTube: Boolean Blind SQL Injection
- Exploitation Blind Boolean-Based SQL Injection
- PortSwigger: Conditional Responses Lab
- PortSwigger: Conditional Errors Lab
- PortSwigger: Time Delays Lab
- PortSwigger: Time Delays Info Retrieval Lab
- Example of Error-Based SQL Injection
- Manual SQL Injection
- SQL Injection Exploitation
- SQL Injection Exploitation Error-Based
- Time-Based Blind SQL Injection
- YouTube: Time-Based SQL Injection
- Security Idiots: Time-Based Blind Injection
- File Upload
- Exploiting File Upload Vulnerabilities
- YouTube: File Upload Exploitation
- YouTube: File Upload Exploitation
- PortSwigger: Remote Code Execution via Web Shell Upload Lab
- PortSwigger: Web Shell Upload via Content-Type Restriction Bypass Lab
- The Ultimate Guide to Session Hijacking
- YouTube: Session Hijacking
- YouTube: Session Hijacking
- Session Hijacking Cheat Sheet
PHP Object Injection is a type of security vulnerability where an attacker can manipulate and exploit an application's deserialization mechanism to execute unintended actions. This occurs when user input is passed to unserialize()
without proper validation.
- Untrusted Input to
unserialize()
: User input is directly passed to theunserialize()
function. - Malicious Serialized Object: An attacker crafts a malicious serialized object to exploit the application.
- Triggering a Magic Method: PHP objects often have magic methods like
__wakeup()
__destruct()
__toString()
hat execute when an object is deserialized or destroyed. If these methods contain exploitable functionality, they can be abused.
- Arbitrary Object Injection in PHP
- Modifying Serialized Objects
- PayloadsAllTheThings - PHP Object Injection
- YouTube: PHP Object Injection
- YouTube: PHP Object Injection
- Exploiting Java Deserialization with Apache Commons
- Exploiting Blind Java Deserialization
- Tricking Java Serialization
- Testing and Exploiting Java Deserialization
- Server Side Template Injection
- Server Side Template Injection in Tornado
- HackTricks - SSTI
- PortSwigger: Basic Code Context
- PortSwigger: Basic
- PortSwigger: Using Documentation
- SSRF Guide
- SSRF Attacks
- YouTube: SSRF
- YouTube: SSRF
- PortSwigger: Basic SSRF Against Localhost
- PortSwigger: Basic SSRF Against Backend System
- Second Order SQL Injection Attack
- The Wrath of Second Order SQL Injection
- Second Order SQL Injection Attack
Note: Please do not depend on SQLmap for each SQL injection that you find, not all of them can be exploited using SQLmap, and you may need to exploit them manually. In this case, be sure that you understand why you are using special characters like ' or # when testing manually. ;)
- Blind XXE Attacks
- PortSwigger: XXE with Out-of-Band Interaction
- PortSwigger: XXE with Out-of-Band Interaction Using Parameter Entities
- PortSwigger: XXE with Out-of-Band Exfiltration
Explore thoroughly by searching for hidden directories, subdomains, and endpoints that could be leveraged to create attack chains. Finding one vulnerability is just the beginning; look for ways to link it with other vulnerabilities to form a more powerful attack chain.