
Advanced Web Attacks and Exploitation (Offensive Security)

Author: Offensive Security

Category: Education

Understand essential computer science concepts and skills. This book focuses on the foundational and fundamental concepts upon which expertise in specific areas can be developed, including computer architecture, programming languages, algorithms and data structures, operating systems, computer networks, distributed systems, security, and more.

According to code.org, there are 500,000 open programming positions available in the US, compared to an annual crop of just 50,000 graduating computer science majors. The US Department of Labor predicted that there will be almost a million and a half computer science jobs in the very near future, but only enough programmers to fill roughly one third of these jobs. To bridge the gap, many people not formally trained in computer science are employed in programming jobs. Although they are able to start programming and coding quickly, it often takes them time to acquire the necessary understanding to gain the requisite skills to become an efficient computer engineer or advanced developer.

What You Will Learn
- The fundamentals of how a computer works
- The basics of computer programming and programming paradigms
- How to write efficient programs
- How the hardware and software work together to provide a good user experience and enhance the usability of the system
- How computers can talk to each other
- How to ensure the security of the system
- The fundamentals of cloud offerings, implications/trade-offs, and deployment/adoption configurations
- The fundamentals of machine learning

Who This Book Is For
Computer programmers lacking a formal education in computer science, and anyone with a formal education in computer science, looking to develop a general understanding of computer science fundamentals.

📄 File Format: PDF
💾 File Size: 23.9 MB

📄 Text Preview (First 20 pages)


📄 Page 1
Advanced Web Attacks and Exploitation WEB-300. Copyright © 2022. All rights reserved.
Advanced Web Attacks and Exploitation, Offensive Security
📄 Page 2
Copyright © 2021 Offensive Security Ltd. All rights reserved. No part of this publication, in whole or in part, may be reproduced, copied, transferred or any other right reserved to its copyright owner, including photocopying and all other copying, any transfer or transmission using any network or other means of communication, any broadcast for distant learning, in any form or by any means such as any information storage, transmission or retrieval system, without prior written permission from the author.
📄 Pages 3 to 7
Table of Contents (only the entries legible in the preview are listed; the preview ends at section 10.7.1)

1. Introduction
1.1 About the AWAE Course
1.2 Approach
1.3 Obtaining Support
1.4 Offensive Security AWAE Labs
1.4.1 General Information
1.4.2 Lab Restrictions ..... 14
1.4.3 Forewarning and Lab Behavior ..... 14
1.4.4 Control Panel ..... 14
1.5 Reporting ..... 15
1.6 Backups ..... 15
1.7 About the AWAE Exam ..... 15
1.8 Wrapping Up ..... 16
2. Tools & Methodologies ..... 17
2.1 Web Traffic Inspection ..... 17
2.1.1 Burp Suite Proxy ..... 18
2.1.2 Using Burp Suite with Other Browsers ..... 23
2.1.3 Burp Suite Scope ..... 24
2.1.4 Burp Suite Repeater and Comparer ..... 27
2.1.5 Burp Suite Decoder ..... 32
2.2 Interacting with Web Listeners using Python ..... 33
2.3 Source Code Recovery ..... 34
2.3.1 Managed .NET Code
2.3.2 Decompiling Java Classes ..... 46
2.4 Source Code Analysis Methodology
2.4.1 Debugging
2.4.2 Using an IDE ..... 52
2.4.3 Common HTTP Routing Patterns ..... 55
2.4.4 Analyzing Source Code for Vulnerabilities ..... 56
2.5 Remote Debugging
2.6 Wrapping Up
3. ATutor Authentication Bypass and RCE ..... 70
3.1 Getting Started ..... 70
3.1.1 Setting Up the Environment
3.2 Initial Vulnerability Discovery
3.3 A Brief Review of SQL Injections
3.4 Digging Deeper
3.4.2 Improper Use of Parameterization ..... 84
3.5 Data Exfiltration
3.5.1 Comparing HTML Responses ..... 87
3.5.2 MySQL Version Extraction ..... 89
3.6 Subverting the ATutor Authentication ..... 93
3.7 Authentication Gone Bad ..... 98
3.8 Bypassing File Upload Restrictions ..... 103
3.9 Gaining Remote Code Execution ..... 109
3.9.1 Escaping the Jail ..... 109
3.9.2 Disclosing the Web Root ..... 110
3.9.3 Finding Writable Directories ..... 111
3.9.4 Bypassing File Extension Filter ..... 112
3.10 Wrapping Up ..... 114
4. ATutor LMS Type Juggling Vulnerability ..... 116
4.1 Getting Started ..... 116
4.2 PHP Loose and Strict Comparisons ..... 116
4.3 PHP String Conversion to Numbers
4.4 Vulnerability Discovery ..... 120
4.5 Attacking the Loose Comparison
4.5.1 Magic Hashes
4.5.2 ATutor and the Magic E-Mail address ..... 124
4.6 Wrapping Up
5. ManageEngine Applications Manager AMUserResourcesSyncServlet SQL Injection RCE
5.1 Getting Started
5.2 Vulnerability Discovery
5.2.2 Servlet Mappings
5.2.3 Source Code Recovery ..... 133
5.2.4 Analyzing the Source Code ..... 134
5.2.5 Enabling Database Logging ..... 139
5.2.6 Triggering the Vulnerability ..... 142
5.3 How Houdini Escapes
5.3.1 Using CHR and String Concatenation
5.3.3 It Makes Lexical Sense ..... 148
5.5.2 Reverse Shell Via Copy To ..... 151
5.6 PostgreSQL Extensions
5.6.1 Build Environment
5.6.2 Testing the Extension ..... 161
5.6.3 Loading the Extension from a Remote Location ..... 162
5.7 UDF Reverse Shell
5.8 More Shells!!!
5.8.1 PostgreSQL Large Objects
5.8.2 Large Object Reverse Shell ..... 168
5.9 Summary
6. Bassmaster NodeJS Arbitrary JavaScript Injection Vulnerability
6.1 Getting Started
6.2 The Bassmaster Plugin
6.3 Vulnerability Discovery
6.4 Triggering the Vulnerability ..... 181
6.5 Obtaining a Reverse Shell ..... 183
6.6 Wrapping Up ..... 187
7. DotNetNuke Cookie Deserialization RCE ..... 188
7.1 Serialization Basics ..... 188
7.1.1 XmlSerializer Limitations ..... 189
7.1.2 Basic XmlSerializer Example ..... 189
7.1.3 Expanded XmlSerializer Example ..... 193
7.1.4 Watch your Type, Dude ..... 197
7.2 DotNetNuke Vulnerability Analysis
7.2.1 Vulnerability Overview ..... 200
7.2.2 Manipulation of Assembly Attributes for Debugging ..... 203
7.2.3 Debugging DotNetNuke Using dnSpy ..... 206
7.2.4 How Did We Get Here? ..... 208
7.3 Payload Options ..... 211
7.3.1 FileSystemUtils PullFile Method ..... 212
7.3.2 ObjectDataProvider Class ..... 212
7.3.3 Example Use of the ObjectDataProvider Instance ..... 216
7.3.4 Serialization of the ObjectDataProvider ..... 220
7.3.5 Enter The Dragon (ExpandedWrapper Class) ..... 223
7.4 Putting It All Together ..... 228
7.5 Wrapping Up ..... 233
8. ERPNext Authentication Bypass and Server Side Template Injection ..... 234
8.1 Getting Started ..... 234
8.1.1 Configuring the SMTP Server
8.1.2 Configuring Remote Debugging ..... 235
8.1.3 Configuring MariaDB Query Logging ..... 244
8.2 Introduction to MVC, Metadata-driven Architecture, and HTTP Routing
8.2.1 Model-View-Controller Design Pattern
8.2.2 Metadata-driven Design Patterns ..... 248
8.2.3 HTTP Routing in Frappe ..... 252
8.3 Authentication Bypass Discovery
8.3.1 Discovering the SQL Injection
8.4 Authentication Bypass Exploitation
8.4.1 Obtaining Admin User Information
8.4.2 Resetting the Admin Password ..... 268
8.5 SSTI Vulnerability Discovery
8.5.1 Introduction to Template Engines
8.5.2 Discovering The Rendering Function ..... 282
8.5.3 SSTI Vulnerability Filter Evasion ..... 290
8.6 SSTI Vulnerability Exploitation
8.6.1 Finding a Method for Remote Command Execution
8.6.2 Gaining Remote Command Execution ..... 298
8.7 Wrapping Up ..... 299
9. openCRX Authentication Bypass and Remote Code Execution ..... 300
9.1 Getting Started ..... 300
9.2 Password Reset Vulnerability Discovery
9.2.1 When Random Isn't ..... 308
9.2.2 Account Determination ..... 311
9.2.3 Timing the Reset Request ..... 312
9.2.4 Generate Token List ..... 313
9.2.5 Automating Resets ..... 315
9.3 XML External Entity Vulnerability Discovery
9.3.1 Introduction to XML
9.3.3 XML Parsing ..... 320
9.3.4 XML Entities ..... 321
9.3.5 Understanding XML External Entity Processing Vulnerabilities ..... 322
9.3.6 Finding the Attack Vector ..... 323
9.3.7 CDATA ..... 329
9.3.8 Updating the XXE Exploit ..... 330
9.3.9 Gaining Remote Access to HSQLDB ..... 331
9.3.10 Java Language Routines ..... 336
9.4 Remote Code Execution
9.4.1 Finding the Write Location
9.4.3 Writing Web Shells ..... 342
9.5 Wrapping Up ..... 343
10. openITCOCKPIT XSS and OS Command Injection - Blackbox ..... 344
10.1 Getting Started ..... 344
10.2 Black Box Testing in openITCOCKPIT
10.3 Application Discovery ..... 345
10.3.1 Building a Sitemap ..... 345
10.3.2 Targeted Discovery ..... 350
10.4 Intro To DOM-based XSS
10.5 XSS Hunting
10.6 Advanced XSS Exploitation ..... 359
10.6.1 What We Can and Can't Do ..... 359
10.6.2 Writing to DOM ..... 361
10.6.3 Creating the Database ..... 364
10.6.4 Creating the API ..... 367
10.6.5 Scraping Content ..... 369
10.6.6 Dumping the Contents ..... 372
10.7 RCE Hunting
10.7.1 Discovery
. . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 3 7 74 10.7.2 Reading and Understanding the JavaScript.................................................................376 10.7.3 Interacting With the WebSocket Server ........................................................................381
📄 Page 8
Advanced Web Attacks and Exploitation WEB-300 Copyright © 2022 . All rights reserved. 8 10.7.4 Building a Client ................................................................................................................381 10.7.5 Attempting to Inject Commands ....................................................................................385 10.7.6 Digging Deeper...................................................................................................................386 0.8 Wra p ng .. .. . . . . ... .. . .. ....... ........ ......... ..... .. ... . . ..... . . . . .. .. ... . . . . .. 389 11 n rd i Au he t . i . catio By as o C .... .. .. . .... . ... . .. ....................... .. .. ..................... 3 1.1 G c e o tt ng t ar n ed . . . . ... . . . . . . .... R . . . . ....... . .......... . . . ... . ..... . . . .. . . 39 1 1 1 . 1. Auth p i ent S ic i p t on B . . y . . a n s s . . : R . . u . . n . . d t . On . e . . . CS d OR . S . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 9 1 5 1 2 1. C 2. o 1 Sam t a e U t -Orig . in . . . p P . o . . l . . i . cy p ( . . o S . O s . P . ) ....... . .. E - . . . ...... . R ... . F ... . a .. . n ..... . . . C .. . ...... . . . .... . . ..................... . ... . . . ... . . . . . . . ...................... 
3 39 1 6 11.2.2 Cross-Origin Resource Sharing (CORS) .......................................................................401 11.2.3 Discovering Unsafe CORS Headers ..............................................................................409 11.2.4 SameSite Attribute ...........................................................................................................411 11.2.5 Exploit Permissive CORS and CSRF .............................................................................414 11 3 A henticat on B pa o Two - Insecure D faults ................................................... . 8 1 4 r p ing i p ... . . s . s .. : . R ... . u ... n .. d . ................................ e .... . .............................. . 5 12 W rve a r S p id R U eq . ues y t Forgery ....... . .. .................. ........ . . .............................. . 7 1 1 1 G t tting e Start d . .. . . . . . . . . . . .. . . ... ....... . ........................ ............. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . ............................... . 4 2 37 1 . 2 . . . . I u e troduct ion e to M ro . . se . . rvi . . ces . . ... . ................... . . . ........ . .............................. . . .. 2 1 2 2. S 2 e .2 n Web Service . . i c URL . Format . . s ............................... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . .............................. . . .. 4 4 4 4 4 3 3 3 3 7 8 PI D 4 012 1 .3 2.3.1 A I i n s i c ti o a v l e E r n y u v m ia e V ra e t r i b on T . a .. mp .. e .. r .. i . n .. g ... . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
. .. . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . . . 44 4 0 trod . 4 8 12.3.2 Advanced Enumeration with Verb Tampering .............................................................445 12 1 .4 2.4.1 In S u e c rv ti e o r n -S t i o de S e R r e v q e u r- e S s id t e Fo R r e g q e u ry e s D t is F c o o rg v e e r r y y . .. . . .. . . . . .. .. . . . . .. .. . . . . . . .. . . .. . . . . . . .. .. . . . . .. .. . . . . .. . . .. . . . . .. .. . . . . .. .. . . . . . . .. .. . . . . .. .. . . . . .. . . .. . . . . .. .. . . . . .. .. . . . . . . .. . . .. .. . . . . . . 44 4 8 5 R r AP t ass . 4 12.4.2 Source Code Analysis .......................................................................................................450 12.4.3 Exploiting Blind SSRF in Directus ..................................................................................452 12.4.4 Port Scanning via Blind SSRF .........................................................................................454 12.4.5 Subnet Scanning with SSRF............................................................................................456 12.4.6 Host Enumeration ............................................................................................................459 1 12 . .6 2 Ex e p n l e iti g H d e C ro . e . . . . . . . . . . . . . . . . . . . . . . . . . . 4 1 3 2 1 .6.2 d o Us n ing I J A e a u a va h l S B s c y s ri p pt h to . m E ... x . fi . . l . . t . . r . . a . . te . . D . . a . . t . . a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
. . . . . . . . . . . . . . . 46 6 6 5 emo . 472 3 12.6.3 Stealing Credentials from Kong Admin API .................................................................467 12.6.4 URL to PDF Microservice Source Code Analysis ........................................................468 12 1 .7 2.7.1 R R t C e E C i o n d K e o E n x g e c A u d t m io i n n . A ... P .. I . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . .. . . . . . . . 47
📄 Page 9
Advanced Web Attacks and Exploitation WEB-300 Copyright © 2022 . All rights reserved. 9 1 U . ... . . ... .. . ..... . . .. . .. . ..... ..... . . .. .. . . . . . ..... 476 13. m g Lit Protot pe P lluti ..... . . .. . ... . ..... ..... . . .. ... . . . . . ..... 477 1 . W G c e r a t a t in e Star p t . . . . . . . . . . . . . . . . . . . . . . . ... . . ..... . . .. . . . . . . . .... . ..... ..... . . .. . . . . . . .... . . . . . ..... . . . . . 77 2 3 1 .8 1 3. G 1. u 2 a p in U p o g n l ders e t e a . d nd . . i . . n . . g . y t . . h . . e . C o od . . e . . . . . . . o . . . . . . n . . . . . . . . . . . . . . ...... . . . . . . . . . . . .. . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . ... . . . . . . . .. . . . .... . . . . . .. . . . ...... . . . ...... . . . . . . . . . . . . . . . .. . . . .. . . . . . . . ... . . . . . . . .... . . . . . .. . . . . . . . .. . . . . . . . . . . . . . . . .. . . . .. . . . . . . . . . . . .. . . . . . . . ...... . . . . . . . . . . . . . . . . . . 4 4 83 trod 2 9 13.1.3 Configuring Remote Debugging ....................................................................................488 13 1.2 3.2.2 In P u ro ct t i o o t n yp to e J P a o v ll a u S ti c o r n ip .. t ... P .. r .. o .. t . o ... t . y .. p .. e .... . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . . . 4 49 9 13.2.3 Blackbox Discovery ..........................................................................................................504 13.2.4 Whitebox Discovery ..........................................................................................................511 3 yp u ion pl t t 181 1 . .4 J ro S t . t .. l . l ... .... E ... x . . i ... . . . . . 
. . 19 3 3 13.4.1 P E o . EJS e . . - . P . P o r .. oo t . f of .. . Conc o . ep a . t . . i . . o . . . . n . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 5 5 20 and . 532 2 13.4.2 EJS - Remote Code Execution .......................................................................................527 13 1.5 3.5.1 H H le a b n a d rs le . b ... a .. r . s ... . - . . P .. r .. o .. o .. f .. . o .. f .. . C .. o ... n .. c .. e .. p ... t . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . 53 13.5.2 Handlebars - Remote Code Execution ..........................................................................544 13 rapping Up .. .......................................................... .................................................... ......... 5 14. Co clusio .... .. . .............................. ................... . ......... ......................... ... ................. . . .. . 14 he ou n r . ney S Far .... .......... ................... ......... . . . ................... .... ... ................. . . .. . 5 2 3 14 6 2 r J cises n . d o E tra . l . es ........ . .................... . . . . . ............................... . ..... . .... . . . . . . . . . . 
. .................. . . . . .. . ... . .. 5 3 34 . . . . 1 3 W T E T n x h e e Road . oe . s . x Ever M O . i n . . ........... . ..................... . . . ............................... . ..... . .... . . . . . . . . . . . .................. . . . . . . . . .. . . . .. . ... . .. 5 56 6 61 14.4 Wra pping a G Up .................................................................................................................... . . . . . . . . .......... 5 6 6 6 3 4
1 Introduction

Modern web applications present an attack surface that has unquestionably continued to grow in importance over the last decade. With the security improvements in network edge devices and the reduction of successful attacks against them, web applications, along with social engineering, arguably represent the most viable way of breaching the network security perimeter. The desire to provide end-users with an ever-increasingly rich web experience has resulted in the birth of various technologies and development frameworks that are often layered on top of each other. Although these designs achieve their functional goals, they also introduce complexities into web applications that can lead to vulnerabilities with high impact. In this course, we will focus on the exploitation of chained web application vulnerabilities of various classes, which lead to a compromise of the underlying host operating system. As a part of the exploit development process, we will also dig deep into the methodologies and techniques used to analyze the target web applications. This will give us a complete understanding of the underlying flaws that we are going to exploit. Ultimately, the goal of this course is to expose you to a general and repeatable approach to web application vulnerability discovery and exploitation, while continuing to strengthen the foundational knowledge that is necessary when faced with modern-day web applications.

1.1 About the AWAE Course

This course is designed to develop, or expand, your exploitation skills in web application penetration testing and exploitation research. This is not an entry level course; it is expected that you are familiar with basic web technologies and scripting languages. We will dive into, read, understand, and write code in several languages, including but not limited to JavaScript, PHP, Java, and C#.
Web services have become more resilient and harder to exploit. In order to penetrate today's modern networks, a new approach is required to gain that initial critical foothold into a network. Penetration testers must be fluent in the art of exploitation when using web-based attacks. This intensive hands-on course will take your skills beyond run-of-the-mill SQL injection and file inclusion attacks and introduce you to a world of multi-step, non-trivial web attacks. This web application security training will broaden your knowledge of web service architecture in order to help you identify and exploit a variety of vulnerability classes that can be found on the web today. The AWAE course is made up of multiple parts. A brief overview of what you should now have access to is below:
• The AWAE course materials
• Access to the AWAE VPN lab network
• Student forum credentials
• Live support
• OSWE exam attempt/s

AWAE course materials: comprised of various book modules and the accompanying course videos. The information covered in both the book modules and videos overlaps, which allows you to watch what is being presented in the videos in a quick and efficient manner, and then reference the book modules to fill in the gaps at a later time. In some modules, the book modules will go into more depth than the videos, but the videos are also able to convey some information better than text, so it is important that you pay close attention to both. The book modules also contain exercises for each chapter, as well as extra miles for those students who would like to go above and beyond what is required in order to get the most out of the course.

Access to the AWAE VPN lab network: Once you have signed up for the course, you will be able to download the VPN pack required to access the lab network via the course lab page in the Offsec Training Library. This will enable you to access the AWAE VPN lab network, where you will be spending a considerable amount of time. Lab time starts when your course begins, and is in the form of continuous access. If your lab time expires, or is about to expire, you can purchase a lab extension at any time. To purchase additional lab time, use the "Extend" link available at the top right corner of the Offsec Training Library. If you purchase a lab extension while your lab access is still active, you can continue to use the same VPN connectivity pack. If you purchase a lab extension after your existing lab access has ended, you will need to download a new VPN connectivity pack via the course lab page in the Offsec Training Library.
Students who have purchased a subscription will have access to the lab as long as the subscription is active. Your subscription will be automatically renewed, unless cancelled via the billing page.

The Offensive Security Student Forum:1 The student forum is only accessible to Offensive Security students. Forum access is permanent and does not expire when your lab time ends. You may even continue to interact with your peers long after having passed the OSWE exam. By using the forum, you are able to freely communicate with your peers to ask questions, share interesting resources, and offer tips and nudges as long as there are no spoilers (since they may ruin the overall course experience for others). Please be very mindful when using the forums, otherwise the content you post may be moderated. Once you have successfully passed the OSWE exam, you will gain access to the sub-forum for certificate holders.

Live Support:2 The support system allows you to directly communicate with our student administrators, who are members of the Offensive Security staff. Student administrators will

1 (Offensive Security, 2021), https://forums.offensive-security.com/
primarily assist with technical issues; however, they may also clear up any doubts you may have regarding the course material or the corresponding course exercises. Moreover, they may occasionally provide you with a nudge or two if you happen to be truly stuck on a given exercise, provided you have already given it your best try. The more detail you provide in terms of things you have already tried and the outcome, the better.

1.1.2 OSWE Exam Attempt

Included with your initial purchase of the WEB-300 course is an attempt at the Offensive Security Web Expert (OSWE) certification. To book your OSWE exam, go to your exam scheduling calendar. The calendar can be located in the OffSec Training Library under the course exam page. Here you will be able to see your exam expiry date, as well as schedule the exam for your preferred date and time. Keep in mind that you won't be able to select a start time if the exam labs are full for that time period, so we encourage you to schedule your exam as soon as possible. For additional information, please visit our support page.3

1.2 Our Approach

Students who have taken our introductory PWK course will find this course to be significantly different. The AWAE labs are less diverse and contain a few test case scenarios that the course focuses on. Moreover, a set of dedicated virtual machines hosting these scenarios will be available to each AWAE student to experiment with the course material. On a few occasions, explanations are intentionally vague in order to challenge you and ensure the concept behind the module is clear to you. How you approach the AWAE course is up to you. Due to the uniqueness of each student, it is not practical for us to tell you how you should approach it, but if you don't have a preferred learning style, we suggest you:

1. Read the emails that were sent to you as part of the signup process
2. Start each module by reading the book module and getting a general familiarity with it
3. Once you have finished reading the book module, proceed by watching the accompanying video for that module
4. Gain an understanding of what you are required to do and attempt to recreate the exercise in the lab
5. Perform the Extra Mile exercises. These are not covered in the labs and are up to you to complete on your own
6. Document your findings in your preferred documentation environment

You may opt to start with the course videos, and then review the information for that given book module, or vice versa. As you go through the course material, you may need to re-watch or re-read modules a number of times prior to fully understanding what is being taught. Remember, it is a marathon, not a sprint, so take all the time you need.

2 (Offensive Security, 2021), https://help.offensive-security.com/
3 (Offensive Security, 2021), https://help.offensive-security.com/

As part of most course modules, there will be course exercises for you to complete. We recommend that you fully complete them prior to moving on to the next module. These will test your understanding of the material to ensure you are ready to move forward and will help you prepare for the OSWE exam. The Extra Mile exercises are optional, but we encourage students to "play" with them, especially if they have the intention of attempting the certification challenge. The time it takes to complete these exercises depends on your background. Note that IPs and certain code snippets shown in the book module and videos will not match your environment. We strongly recommend you try to recreate all example scenarios from scratch, rather than copying code from the book modules or videos. In all modules we will challenge you to think in different ways, and rise to the challenges presented. In addition to the course modules, the lab also contains three standalone lab machines running custom web applications. These applications contain multiple vulnerabilities based on the material covered in the course modules. You will need to apply the lessons learned in this course to tackle these additional machines on your own. A heavy focus of the course is on whitebox application security research, so that you can create exploits for vulnerabilities in widely deployed appliances and technologies. Eventually, each security professional develops his or her own methodology, usually based on specific technical strengths. The methodologies suggested in this course are only suggestions. We encourage you to develop your own methodology for approaching web application security testing as you progress through the course.
1.3 Obtaining Support

AWAE is a self-paced online course. It allows you to go at your own desired speed, perform additional research in areas you may be weak at, and so forth. Take advantage of this type of setting to get the most out of the course; there is no greater feeling than figuring something out on your own. Prior to contacting us for support, we expect that you have not only gone over the course material but also have taken it upon yourself to dig deeper into the subject area by performing additional research. Our Help Centre may help answer some of your questions prior to contacting support (the link is accessible without the VPN):

• https://help.offensive-security.com/

If your questions have not been covered there, we recommend that you check the student forum, which can also be accessed outside of the internal VPN lab network. Ultimately, if you are unable to obtain the assistance you need, you can get in touch with our student administrators by visiting Live Support or sending an email to help@offensive-security.com.
1.4 Offensive Security AWAE Labs

1.4.1 General Information

As noted above, take note that the IP addresses presented in this guide (and the videos) do not necessarily reflect the IP addresses in the Offensive Security lab. Do not try to copy the examples in the book modules verbatim; you need to adapt the example to your specific lab configuration. You will find the IP addresses of your assigned lab machines in your student control panel within the VPN labs.

1.4.2 Lab Restrictions

The following restrictions are strictly enforced in the internal VPN lab network. If you violate any of the restrictions below, Offensive Security reserves the right to disable your lab access.

1. Do not ARP spoof or conduct any other type of poisoning or man-in-the-middle attacks against the network
2. Do not intentionally disrupt other students who are working in the labs. This includes but is not limited to:
   – Shutting down machines
   – Kicking users off machines
   – Blocking a specific IP or range
   – Hacking into other students' lab clients or Kali machines

1.4.3 Forewarning and Lab Behavior

The internal VPN lab network is a hostile environment and no sensitive information should be stored on the Kali Linux virtual machine that you use to connect to the labs. You can help protect yourself by stopping services when they are not being used and by making sure any default passwords have been changed on your Kali Linux system.

1.4.4 Control Panel

Once logged into the AWAE VPN lab network, you can access your AWAE control panel. The AWAE control panel enables you to revert lab machines in the event they become unresponsive, and so on. Each student is provided with 24 reverts every 24 hours, enabling them to return a particular lab machine to its pristine state. This counter is reset every day at 00:00 GMT +0. Should you require additional reverts, you can contact a student administrator via email (help@offensive-security.com) or via the live support platform4 to have your revert counter reset. The minimum amount of time between lab machine reverts is 5 minutes.

4 (Offensive Security, 2021), https://help.offensive-security.com/
1.5 Reporting

Students opting for the OSWE certification must submit an exam report clearly demonstrating how they successfully achieved the certification exam objectives. This final report must be sent back to our Certification Board in PDF format no more than 24 hours after the completion of the certification exam. Please note that reporting of the course exercises is mandatory for those students planning to claim CPE credits prior to having successfully passed the OSWE certification exam. If you were to ask 10 different pentesters how to write a good report, you would likely get 12 different answers. In other words, everybody has an opinion and they are all correct in their own minds. As many people in this industry have demonstrated, there are good ways to write a report and there are some really bad ways to do it.

1.6 Backups

There are two types of people: those who regularly back up their documentation, and those who wish they did. Backups are often thought of as insurance - you never know when you're going to need it until you do. As a general rule, we recommend that you back up your documentation regularly, as it's a good practice to do so. Please keep your backups in a safe place, as you certainly don't want them to end up in a public git repo, or the cloud, for obvious reasons! Documentation should not be the only thing you back up. Make sure you back up important files on your Kali VM, take appropriate snapshots if needed, and so on.

1.7 About the OSWE Exam

The OSWE certification exam simulates a live network in a private lab, which contains a small number of vulnerable systems. The environment is completely dedicated to you for the duration of the exam, and you will have 47 hours and 45 minutes to complete it. To ensure the integrity of our certifications, the exam will be remotely proctored. You are required to be present 15 minutes before your exam start time to perform identity verification and other pre-exam tasks. In order to do so, click on the Exam tab in the Offsec Training Library, which is situated at the top right of your screen. During these pre-exam verification steps, you will be provided with a VPN connectivity pack. Once the exam has ended, you will have an additional 24 hours to put together your exam report and document your findings. You will be evaluated on the quality and accuracy of the exam report, so please include as much detail as possible and make sure your findings are all reproducible. Once your exam files have been accepted, your exam will be graded and you will receive your results in ten business days. If you achieve a passing score, we will ask you to confirm your physical address so we can mail your certificate. If you have not achieved a passing score, we will notify you, and you may purchase a certification retake using the appropriate links. We highly recommend that you carefully schedule your exam for a two day window when you can ensure no outside distractions or commitments. Also, please note that exam availability is handled on a first come, first served basis, so it is best to schedule your exam as far in advance as possible to ensure your preferred date is available.
For additional information regarding the exam, we encourage you to take some time to go over the OSWE exam guide.5

1.8 Wrapping Up

In this module, we discussed important information needed to make the most of the AWAE course and lab. We wish you the best of luck on your AWAE journey and hope you enjoy the new challenges you will face.

5 (Offensive Security, 2021), https://help.offensive-security.com/hc/en-us/articles/360046869951-OSWE-Exam-Guide
Advanced Web Attacks and Exploitation WEB-300 Copyright © 2022 . All rights reserved. 17 1.8.1.1.1 2 Tools & Methodologies When assessing a web application, researchers use a variety of tools and methodologies. Nevertheless, certain principles should be followed regardless of the tools used. In this module, we will introduce some of the more common tools and demonstrate their use to establish a foundation for the remainder of this course. Before we get started, it’s important to clarify that web application research and exploitation can be conducted from a whitebox,6 blackbox,7 or greybox8 perspective. In a whitebox scenario, the researcher either has access to the original source code or is at least able to recover it in a near- original state. When neither of these scenarios is possible, the researcher must adopt a blackbox approach, in which minimal information about the target application is available. In this case, in order to find a vulnerability, the researcher needs to observe the behavior of the application by inspecting the output and/or the effects generated as result of precisely-crafted input requests. We might also take a greybox approach when we have access to credentials or documentation to the application, but not full access required for a whitebox approach. When adopting a whitebox perspective, web applications are often easier to research and exploit than traditional compiled applications since web applications are written in interpreted languages, which do not require reverse engineering. In addition, the source code for web applications written in bytecode-based languages such as Java, .NET, or similar can also be trivially recovered into near-original state with the help of specialized tools. It’s worth mentioning that the ability to recover and read the source code of a modern web application does not necessarily reduce the complexity of the required research. 
However, once the source code is recovered, the researcher can better inspect the internal structure of the application and perform a thorough analysis of the code flow. As a penetration tester, we can use chained attack methods to exploit a variety or programming oversights. 2.1 Web Traffic Inspection When dealing with an unknown web application, we should always begin with traffic inspection. A web application presents various interface elements and conducts various network transactions. As researchers, we are always interested in capturing as much information about our targets as possible and in this case, a web application proxy is an indispensable tool. We can use a good proxy to capture relevant client requests and server responses and easily manipulate a chosen request in arbitrary ways. In this course, we will primarily use the community edition of the Burp Suite (installed in Kali Linux by default), which provides us with everything we need to conduct thorough information gathering and HTTP request manipulation. 6 (Wikipedia, 2021), https://en.wikipedia.org/wiki/White-box_testing 7 (Wikipedia, 2021), https://en.wikipedia.org/wiki/Black-box_testing 8 (Wikipedia, 2021), https://en.wikipedia.org/wiki/Gray_box_testing
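To make concrete what an intercepting proxy such as Burp does behind its GUI, here is an added example that is not part of the course material or of Burp Suite: a minimal forward proxy in the Python standard library that records every request/response pair (the role of Burp's HTTP history) and runs each request through a manipulation hook before relaying it (the role of the Intercept tab). The origin server, the `X-Proxied` header and the `/login?user=alice` request are all constructed for the demonstration; everything binds to loopback on ephemeral ports and runs offline.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

# Every request/response pair relayed by the proxy is appended here, much like
# Burp's Proxy > HTTP history tab.
CAPTURED = []

# Hop-by-hop headers belong to one connection and must never be forwarded.
HOP_BY_HOP = {"connection", "keep-alive", "proxy-connection", "proxy-authenticate",
              "proxy-authorization", "te", "trailers", "transfer-encoding", "upgrade"}
# Headers the proxy regenerates itself instead of copying from the origin.
REGENERATED = {"content-length", "server", "date"}


def rewrite_request(method, path, headers, body):
    """Manipulation hook, i.e. what is done by hand in Burp's Intercept tab.
    Constructed rule: tag the request with a hypothetical X-Proxied header."""
    headers = dict(headers)
    headers["X-Proxied"] = "1"
    return method, path, headers, body


class LoggingProxy(BaseHTTPRequestHandler):
    """Forward proxy: a browser configured for a proxy sends an absolute URL in
    the request line ("GET http://host/path HTTP/1.1"); we relay and log it."""

    def do_GET(self):
        url = urlsplit(self.path)
        host, port = url.hostname, url.port
        if not host:  # client sent only a path: fall back to the Host header
            host, _, port = self.headers.get("Host", "").partition(":")
            port = int(port) if port else None
        path = (url.path or "/") + ("?" + url.query if url.query else "")
        length = int(self.headers.get("Content-Length") or 0)
        body = self.rfile.read(length) if length else b""
        headers = {k: v for k, v in self.headers.items() if k.lower() not in HOP_BY_HOP}

        method, path, headers, body = rewrite_request(self.command, path, headers, body)

        origin = http.client.HTTPConnection(host, port or 80, timeout=5)
        origin.request(method, path, body=body or None, headers=headers)
        resp = origin.getresponse()
        resp_body = resp.read()
        origin.close()

        CAPTURED.append({"method": method, "host": host, "path": path,
                         "request_headers": headers, "status": resp.status,
                         "response_body": resp_body})

        self.send_response(resp.status, resp.reason)
        for name, value in resp.getheaders():
            if name.lower() not in HOP_BY_HOP | REGENERATED:
                self.send_header(name, value)
        self.send_header("Content-Length", str(len(resp_body)))
        self.end_headers()
        self.wfile.write(resp_body)

    def log_message(self, *args):  # keep stdout quiet; CAPTURED is the record
        pass


class DemoOrigin(BaseHTTPRequestHandler):
    """Constructed stand-in for the target application: echoes the path it got
    and whether the hypothetical X-Proxied tag arrived."""

    def do_GET(self):
        payload = f"path={self.path} proxied={self.headers.get('X-Proxied', '0')}".encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    def log_message(self, *args):
        pass


def serve_in_background(handler_cls):
    """Bind on an ephemeral loopback port and serve from a daemon thread."""
    server = HTTPServer(("127.0.0.1", 0), handler_cls)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def fetch_via_proxy(proxy_port, target_url):
    """Behave like a browser pointed at the proxy: connect to the proxy and put
    the absolute target URL in the request line."""
    client = http.client.HTTPConnection("127.0.0.1", proxy_port, timeout=5)
    client.request("GET", target_url)
    resp = client.getresponse()
    text = resp.read().decode()
    client.close()
    return resp.status, text


def demo():
    """Run origin and proxy locally, send one request through, and return what
    the client saw plus the proxy's log entry for it."""
    origin = serve_in_background(DemoOrigin)
    proxy = serve_in_background(LoggingProxy)
    try:
        target = f"http://127.0.0.1:{origin.server_address[1]}/login?user=alice"
        status, text = fetch_via_proxy(proxy.server_address[1], target)
    finally:
        for server in (origin, proxy):
            server.shutdown()
            server.server_close()
    return status, text, CAPTURED[-1]


if __name__ == "__main__":
    print(demo())
```

The design point worth noticing is the split between hop-by-hop headers, which are dropped, and end-to-end headers, which are copied: a proxy that blindly forwards `Connection` or `Transfer-Encoding` headers produces confusing captures and broken responses, which is why real intercepting proxies regenerate framing headers as this one does.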
2.1.1 Burp Suite Proxy

We can launch Burp Suite in Kali via the launcher menu. Once we start it, we may receive a notification indicating that Burp Suite has not been tested with our current Java version (Figure 1).

Figure 1: Burp Suite Java version warning

Since the Kali team always tests Burp Suite on the Java version shipped with the OS, we can safely ignore this warning. The first time we run Burp Suite, it will prompt us to accept the Terms and Conditions.

Figure 2: Burp Suite Terms and Conditions

We can accept the Terms and Conditions by clicking I Accept after deciding whether or not to submit anonymous feedback. The next window offers us the opportunity to start a new project or restore a previously saved one. The ability to use project files is a Burp Suite Professional feature. We do not need to use this feature for this course, so we’ll leave Temporary project selected and continue.

Figure 3: Burp Suite temporary project

The final prompt presents the option to load a custom configuration or accept the defaults. Burp Suite allows us to customize and streamline our workflow and settings through these custom configurations. For now we will stick with the Burp Suite default profile and click Start Burp.

Figure 4: Burp Suite configuration settings

Once Burp Suite has started, we can validate that our proxy service is running by checking the Event log in the lower left-hand corner of the Dashboard. A message similar to the following will be displayed:

Figure 5: Burp Suite proxy running

Now that the proxy service is running, we need to configure a browser. Burp Suite includes an embedded Chromium browser that is preconfigured to proxy traffic through Burp Suite’s proxy. We can launch it by clicking on the Proxy tab and then the Intercept tab.

Figure 6: Burp Suite Intercept tab