WebAppSec 101
Date: 11 August 2021
Author: Dhilip Sanjay S
Click Here to go to the TryHackMe room.
Walking through the application
Nmap
What version of Apache is being used?
Answer: 2.4.7
What language was used to create the website?
Answer: PHP
What version of this language is used?
Answer: 5.5.9
Establishing a methodology
Two ways to test a web application:
Going through every page and testing all the functionality
Breaking down the testing into different stages like:
Authorization
Authentication
Injection
Client Side controls
Application Logic
Gobuster
Authentication
Authentication can be tested in the following ways:
Brute Forcing/Weak Credentials
Session Management
What is the admin username?
Answer: admin
What is the admin password?
Answer: admin
What is the name of the cookie that can be manipulated?
Answer: session
What is the username of a logged on user?
Answer: bryce
What is the corresponding password to the username?
Answer: bryce
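The session-management finding above (a "session" cookie whose value can be edited by the client) is fixed by binding the cookie to a server-side secret. The following is an added example, not code from the room or its application: it issues the cookie as base64url(username).HMAC and rejects any copy whose username part was changed. The secret key is an assumption for the example.

```python
import base64
import hashlib
import hmac

# Hypothetical server-side secret (an assumption for this example); a real
# deployment loads it from configuration, never from source.
SECRET_KEY = b"example-only-secret-change-me"


def _signature(payload: str) -> str:
    """HMAC-SHA256 over the encoded payload, base64url-encoded."""
    mac = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode()


def issue_session_cookie(username: str) -> str:
    """Value for the 'session' cookie: base64url(username).signature.

    The username stays readable, but any change to it invalidates the signature.
    """
    payload = base64.urlsafe_b64encode(username.encode()).decode()
    return f"{payload}.{_signature(payload)}"


def verify_session_cookie(cookie: str):
    """Return the username carried by a valid cookie, or None if the cookie
    was malformed or modified."""
    payload, sep, sig = cookie.rpartition(".")
    if not sep:
        return None
    # Constant-time comparison so timing does not leak how many bytes matched.
    if not hmac.compare_digest(sig, _signature(payload)):
        return None
    try:
        return base64.urlsafe_b64decode(payload.encode()).decode()
    except (ValueError, UnicodeDecodeError):
        return None


def tamper_check():
    """Show that editing the username part of a cookie is detected.

    Returns (user from the genuine cookie, user from the edited cookie).
    """
    genuine = issue_session_cookie("bryce")
    _payload, _, sig = genuine.rpartition(".")
    edited = base64.urlsafe_b64encode(b"admin").decode() + "." + sig
    return verify_session_cookie(genuine), verify_session_cookie(edited)


if __name__ == "__main__":
    print(tamper_check())  # ('bryce', None)
```

A signed cookie only proves integrity; it still carries the username in the clear and is valid until the key rotates, so a server-side session store with expiry is the usual next step.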
XSS
Types of XSS:
Persistent/Non-Reflected - Here the XSS payload has been stored in the database, and once the server/framework passes the data from the database into the webpage, the script/payload is executed.
Non-Persistent/Reflected - Here the XSS payload is usually crafted using a malicious link. It is not stored.
Test for XSS on the search bar (Non-Persistent) with:
<script>alert(1)</script>
Test for XSS on the guestbook page (Persistent) with:
<script>alert(1)</script>
Test for XSS behind the flash form on the home page.
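Both XSS findings come down to user input being written into HTML without encoding. The block below is an added example (not the room's PHP): a guestbook store and a search page that escape every user-supplied value at render time, plus a small detector that flags access-log requests whose decoded query string carries a script tag, a javascript: URL or an inline event handler. The log lines and guestbook entries are constructed for the example.

```python
import html
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed in-memory guestbook; the room's application keeps this in a database.
GUESTBOOK = []


def add_guestbook_entry(name: str, message: str) -> None:
    """Store the submission unchanged; encoding is the output layer's job."""
    GUESTBOOK.append({"name": name, "message": message})


def render_guestbook() -> str:
    """Render entries with every user-supplied value HTML-escaped."""
    items = "".join(
        "<li><b>%s</b>: %s</li>"
        % (html.escape(e["name"], quote=True), html.escape(e["message"], quote=True))
        for e in GUESTBOOK
    )
    return "<ul>%s</ul>" % items


def render_search_results(query: str) -> str:
    """Reflected case: the search term is echoed back, so it is escaped too."""
    return '<p>Results for "%s"</p>' % html.escape(query, quote=True)


# Detection side: a loose signature for script tags, javascript: URLs and
# inline event handlers in a URL-decoded query string.
XSS_PROBE = re.compile(r"<\s*script|javascript\s*:|\bon\w+\s*=", re.IGNORECASE)


def flag_xss_probes(log_lines):
    """Return the request targets from combined-format access log lines whose
    decoded query string matches XSS_PROBE."""
    hits = []
    for line in log_lines:
        # The request line sits between the first pair of double quotes.
        parts = line.split('"')
        if len(parts) < 3:
            continue
        fields = parts[1].split()
        if len(fields) < 2:
            continue
        target = fields[1]
        if XSS_PROBE.search(unquote_plus(urlsplit(target).query)):
            hits.append(target)
    return hits


# Constructed log lines (not taken from the room).
SAMPLE_LOG = [
    '10.10.10.10 - - [11/Aug/2021:10:00:01 +0000] "GET /search.php?q=laptop HTTP/1.1" 200 1024',
    '10.10.10.10 - - [11/Aug/2021:10:00:02 +0000] "GET /search.php?q=%3Cscript%3Ealert%281%29%3C%2Fscript%3E HTTP/1.1" 200 1100',
    '10.10.10.10 - - [11/Aug/2021:10:00:03 +0000] "POST /guestbook.php HTTP/1.1" 302 0',
]


if __name__ == "__main__":
    add_guestbook_entry("guest", "<script>alert(1)</script>")
    print(render_guestbook())
    print(render_search_results("<script>alert(1)</script>"))
    print(flag_xss_probes(SAMPLE_LOG))
```

The detector only sees GET query strings; the stored (guestbook) case arrives in a POST body, which an access log does not record, so that one is caught by the output encoding rather than by log review.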
Injection
Common injection attacks include:
SQL injection
Command Injection
Perform command injection on the check password field.
Entering a simple payload gives the error:
Use the payload
hi| rm -f
to remove the /etc/dictionaries-common/words file from the server. This will disrupt the working of passcheck.php.
Check for SQLi on the application: register a user with the username
' or '1=1
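Both injection findings have the same root cause: user input concatenated into a command or query string. The block below is an added example (not the room's passcheck.php or registration code) showing the corrected forms: a dictionary-word check that never touches a shell and rejects input that cannot be a word, and registration/login with parameterised SQL so that a username of ' or '1=1 is stored and matched as plain data. The word list, table layout and sqlite3 backend are assumptions for the example.

```python
import hashlib
import hmac
import os
import re
import sqlite3
import tempfile

# --- Command injection: passcheck-style dictionary lookup -------------------

# Vulnerable pattern (shown for contrast, never executed here): building a
# shell command from the submitted password lets shell metacharacters add
# commands, e.g.  os.system(f"grep -x '{password}' /etc/dictionaries-common/words")

DICTIONARY_TOKEN = re.compile(r"^[A-Za-z][A-Za-z'-]{0,63}$")


def load_words(path: str) -> frozenset:
    """Read a one-word-per-line dictionary file into a set."""
    with open(path, encoding="utf-8") as fh:
        return frozenset(line.strip() for line in fh if line.strip())


def is_dictionary_word(password: str, words: frozenset) -> bool:
    """Safe replacement: no shell is involved, and input that could not be a
    dictionary word (spaces, '|', ';', '$', ...) is rejected before lookup."""
    if not DICTIONARY_TOKEN.match(password):
        return False
    return password in words


# --- SQL injection: parameterised registration and login --------------------

def open_user_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    return conn


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def register(conn, username: str, password: str) -> bool:
    """Parameterised INSERT: a username like  ' or '1=1  is stored as data."""
    salt = os.urandom(16)
    try:
        conn.execute(
            "INSERT INTO users (username, salt, pw_hash) VALUES (?, ?, ?)",
            (username, salt, _hash_password(password, salt)),
        )
    except sqlite3.IntegrityError:  # username already taken
        return False
    return True


def login(conn, username: str, password: str) -> bool:
    """Parameterised SELECT; quote characters cannot alter the WHERE clause.
    (Vulnerable form for contrast: f"... WHERE username = '{username}'".)"""
    row = conn.execute(
        "SELECT salt, pw_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(stored, _hash_password(password, salt))


def demo() -> dict:
    """Run both checks against constructed data and report the outcomes."""
    # Constructed word list standing in for /etc/dictionaries-common/words.
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as fh:
        fh.write("apple\nbryce\npassword\n")
        word_path = fh.name
    words = load_words(word_path)
    os.unlink(word_path)

    conn = open_user_db()
    register(conn, "bryce", "bryce")
    register(conn, "' or '1=1", "x")
    return {
        "weak_pw": is_dictionary_word("bryce", words),
        "payload_rejected": not is_dictionary_word("hi| rm -f", words),
        "sqli_login": login(conn, "' or '1=1", "wrong"),
        "user_count": conn.execute("SELECT COUNT(*) FROM users").fetchone()[0],
    }


if __name__ == "__main__":
    print(demo())
```

The allowlist regex is a second line of defence only; the real fix is that the lookup never builds a command string, so there is nothing for a metacharacter to break out of.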
Misc & Logic Flaws
Parameter Manipulation
In sample.php (http://10.10.116.46/users/sample.php?userid=2), change the userid parameter.
Directory Traversal
In the upload.php page, use ../ in the tag field.
Forceful Browsing
Use gobuster to find hidden URLs.
Logic flaw - try to get an item for free. Reuse the coupon SUPERYOU21; the price will eventually reach zero.
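The three findings in this section (userid manipulation in sample.php, ../ in the upload tag, and coupon reuse) each lack one server-side check. The block below is an added example, not the room's code, showing those checks: an ownership test before a profile is returned, a path resolution that refuses anything escaping the upload root, and a coupon that applies once per order. The accounts, upload root and the discount value for SUPERYOU21 are assumptions for the example.

```python
import os
from dataclasses import dataclass, field

# Constructed accounts and profiles (assumptions for this example).
USERS = {1: {"name": "admin", "role": "admin"}, 2: {"name": "bryce", "role": "user"}}
PROFILES = {1: "admin's profile", 2: "bryce's profile"}


def view_profile(session_user_id: int, requested_userid: int):
    """sample.php?userid=N with an ownership check. Returns (status, body)."""
    actor = USERS.get(session_user_id)
    if actor is None:
        return 401, None
    # The userid parameter is untrusted: only the owner or an admin may read it.
    if requested_userid != session_user_id and actor["role"] != "admin":
        return 403, None
    if requested_userid not in PROFILES:
        return 404, None
    return 200, PROFILES[requested_userid]


def safe_upload_path(upload_root: str, tag: str, filename: str) -> str:
    """Resolve <root>/<tag>/<filename> and refuse anything that escapes root.

    realpath() collapses '..' segments, so a tag of '../' resolves to a path
    outside the root and fails the commonpath check.
    """
    root = os.path.realpath(upload_root)
    candidate = os.path.realpath(os.path.join(root, tag, filename))
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError("path escapes the upload directory")
    return candidate


# Discount amounts in cents; the value is an assumption, the room gives only the code.
COUPONS = {"SUPERYOU21": 2100}


@dataclass
class Order:
    total_cents: int
    redeemed: set = field(default_factory=set)


def apply_coupon(order: Order, code: str):
    """Apply a coupon at most once per order and never let the total go
    negative. Returns (applied?, new total)."""
    discount = COUPONS.get(code)
    if discount is None or code in order.redeemed:
        return False, order.total_cents
    order.redeemed.add(code)
    order.total_cents = max(order.total_cents - discount, 0)
    return True, order.total_cents


if __name__ == "__main__":
    print(view_profile(2, 1))                      # (403, None)
    try:
        safe_upload_path("/tmp/uploads", "../", "x.txt")
    except ValueError as exc:
        print(exc)
    order = Order(5000)
    print(apply_coupon(order, "SUPERYOU21"))       # (True, 2900)
    print(apply_coupon(order, "SUPERYOU21"))       # (False, 2900)
```

The redeemed set lives on the order, so it must be persisted with the order rather than kept in the client's session, or a fresh session would reset it.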