Server-Side Attacks
- Server side request forgery (SSRF)
- RCE: Remote Code Execution
- Shell injection
- LFI: Local File Inclusion https://tools.kali.org/web-applications/fimap
- RFI: Remote File Inclusion https://tools.kali.org/web-applications/fimap
- Path Traversal / Arbitrary
- SQL injection, REST injection: http://sqlmap.org/
- LDAP injection
- Server-side Template Injection (SSTI)
- XXE: XML External Entities
- File Upload: https://github.com/almandin/fuxploider, https://imagetragick.com/
- De-serialization: https://github.com/frohoff/ysoserial
- JSON: JWS/JWE weaknesses
- HTTP request smuggling
- Brute-forcing: Hydra, Medusa, Patator
- Broken Session management (login/cookie bypass, impersonation, …)
- Logical flaws (IDOR, …)
Client-Side Attacks
- XSS (Cross-Site Scripting)
- CSRF (Cross-Site Request Forgery)
HTTP headers security
- HSTS (HTTP Strict Transport Security) Protects against man-in-the-middle, downgrade attacks and cookie hijacking in the web browser
- CORS (Cross-Origin Resource Sharing) Restricts cross-domain XHR calls in the web browser to prevent XSS
- CSP (Content Security Policy) https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy Controls which origins and scripts the user agent loads, to prevent XSS in the web browser
Authentication protocols
- HTTP Auth Basic
- OAuth 1.0
- OAuth 2.0 https://tools.ietf.org/html/rfc6749
- OpenID Connect (OIDC) https://auth0.com/docs/protocols/oidc Based on OAuth 2.0 + JWT
- SAML (Security Assertion Markup Language) https://developers.onelogin.com/saml Uses XML and X.509 certificate validation
SAML Attacks
SAML: Security Assertion Markup Language is an open standard for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider. As its name implies, SAML is an XML-based markup language for security assertions (statements that service providers use to make access-control decisions). The single most important use case that SAML addresses is web browser single sign-on (SSO).
Attacks on the SAML protocol
PHP Attacks
Payloads to test injections:
- {phpinfo()}.txt
- {${phpinfo()}}.txt
- {sleep(5)}.txt
- NULL byte in octal: \400
- NULL byte in hex: \x00
Tricky PHP file upload extensions for bypassing restrictions:
- .php3 .php4 .php5 .pht
JavaScript Attacks
Meteor Framework
Meteor.connection._methodHandlers
Reference:
https://www.offensive-security.com/offsec/wekan-authentication-bypass/
More payloads: https://github.com/defensahacker/spinfuzz (Fuzzing lists for webapp pentesting)