Types of Web Application Attacks

Server-Side Attacks

• Server side request forgery (SSRF)
• RCE: Remote Code Execution
• Shell injection
• LFI: Local File Inclusion https://tools.kali.org/web-applications/fimap
• RMI: Remote File Inclusion https://tools.kali.org/web-applications/fimap
• Path Traversal / Arbitrary
• SQL injection, REST injection: http://sqlmap.org/
• LDAP injection
• Server-side Template Injection (SSTI)
• XXE: XML External Entities
• File Upload: https://github.com/almandin/fuxploider, https://imagetragick.com/
• De-serialization: https://github.com/frohoff/ysoserial
• JSON: JWS/JWE weaknesses
• HTTP request smuggling
• Brute-forcing: Hydra, Medusa, Patator
• Broken Session management (login/cookie bypass, impersonation, …)
• Logical flaws (IDOR, …)

Client-Side Attacks

• XSS (Cross-Site Scripting)
• CSRF (Cross-Site Request Forgery)

HTTP headers security

• HSTS (HTTP Strict Transport Security) Protects against Man-in-the-Middle, downgrade attacks and cookie hijacking in the webbrowser
• CORS (Cross-origin resource sharing) Protects cross-domain XHR calls to prevent XSS in the webbrower
• CSP (Content Security Policy) https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy Controls which origins and scripts the user agents loads to prevent XSS in the webbrowser

Authentication protocols

• HTTP Auth Basic
• OAUTH1.0
• OAUTH2.0 https://tools.ietf.org/html/rfc6749
• OpenID Connect (OIDC) https://auth0.com/docs/protocols/oidc Based on OAUTH2 + JWT
• SAML (Security Assertion Markup Language) https://developers.onelogin.com/saml Uses XML and X.509 certificate validation

SAML Atacks

SAML: Security Assertion Markup Language is an open standard for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider. As its name implies, SAML is an XML-based markup language for security assertions (statements that service providers use to make access-control decisions). The single most important use case that SAML addresses is web browser single sign-on (SSO).

Attacks on SAML protocol

• https://www.owasp.org/index.php/SAML_Security_Cheat_Sheet
• https://github.com/SAMLRaider/SAMLRaider

PHP Attacks

Payloads to test injections:

{phpinfo()}.txt
{${phpinfo()}}.txt
{sleep(5)}.txt
NULL byte in octal: \400
NULL byte in hex: \x00

Tricky php file uploads extensions for bypassing restrictions:

.php3
.php4
.php5
.pht

JavaScript Attacks

Meteor Framework

Meteor.connection._methodHandlers

Reference:
https://www.offensive-security.com/offsec/wekan-authentication-bypass/

More payloads: https://github.com/defensahacker/spinfuzz (Fuzzing lists for webapp pentesting)