IntroductionThe following is a copy/paste from BHL (source included at the bottom). I figured I would post this as it's a great starting point to get people started with web exploitation. There are tutorials on here that talk about these subjects but in my search on here I didn't really find a starting point on web exploitation in general. This way a newcomer looking into web exploitation can start here and then continue on to more in depth knowledge after they know what to look for.
Web ExploitationWeb exploitation is the attacking and taking advantage of a vulnerability in a computer system through a web application. There are numerous ways to exploit vulnerabilities so only some of the basics will be covered here. The topics and tools covered in this series can be dangerous enough to compromise an HTTP server's database, source code, or allow a remote operating system level shell. Additionally, many web application vulnerabilities leverage the victim's browser (such as Javascript execution) to chain vulnerabilities together.
When testing a domain for security problems, it is different than penetration testing a network, and different than assessing the vulnerability of a server. However, compromising one of these layers may result in the other proximal layers being compromised in the future. Web application vulnerabilities are currently the amongst the most prominent vulnerabilities exploited by cybercriminals.
Affected LanguagesMany web sites run web applications for the purpose of dynamic content. Usually this would include an SQL database backend of some sort, and a web application (like forums, talkboards, content management systems, and blogs) to interface with the SQL database. Therefore the affected programming languages are anything that can be used as an interface over HTTP to dynamic content, but are usually one of many interpreted languages.
- PHP
- Perl
- Ruby
- Python
- CFM
- ASP
- Any CGI interfaced language may also be vulnerable to web exploitation.
Types of ExploitationXSS can be used to capture logins and sessions or a page redirect if a user clicks a malicious link. *m0rph note* XSS can also be used to inject iframes that redirect to a client-side exploit, resulting in client code execution. This attack vector is common in drive-by attacks, and malware delivery. *end of m0rph note*
SQL injection can be used to copy, modify, or delete the affected application's database, *m0rph note* create web files, and enumerate potential system accounts. If the particular database you attack is running under a DBA account, you can leverage command execution by uploading shared objects into the SQL library directory. *end of m0rph note* Blind SQL injection can be used to retrieve data without the data ever appearing in band.
File inclusion vulnerabilities can be exploited to create a remote shell, which can lead to database manipulation and file tampering.
Command injection effectively hands a remote shell to an attacker by arbitrary bash, MS-DOS, or native command-line execution.
- Cross Site Request Forgery
CSRF allows an attacker to perform actions as any unsuspecting user that clicks a link or loads a page on a separate domain from the affected site; a user's vulnerability is limited to the time spent while logged into the affected site.
- Cross Site Content Forgery
XSCF Sends different data to different hosts. This way, if a piece of malware is able to recognize the source machine as something analyzing it, the malware can return something innocent, while unsuspecting users are directed to something of the attacker's choosing. This could range from a prank to a web browser drive-by exploit, similar to XSS
- XSRF(XSS mixed with CSRF)
XSRF is using XSS to produce a same-domain URL that will perform actions as the logged in user via a CSRF attack.
Mass assignment abuse can allow an attacker to directly overwrite database values without having to write any SQL queries and without the use of SQL injection.
HTTP Methods*m0rph note*
HTTP PUT method allows for a http client to directly put arbitrary files onto an http server. This method is not commonly enabled due to its obvious drawbacks.
HTTP TRACE method allows an http client to see information being received on the server. This has the potential to reveal another user's cookie to the attack client with the help of XSS. Most browsers now prohibit trace methods from being called from javascript; however, this can still be pulled off from other languages such as java and perl.
*end of m0rph note*
HTTP GET request parameters (Variables in the URL)
Rewritten or "clean" URL's can have GET parameters too! HTTP HEAD requests can also exploit poor input sanitizing in these parameters.
HTTP POST request parameters (Fields and fieldsets in web forms)
You can send post parameters to a URL that has GET parameters!
HTTP Header parameters (Variables passed by header information)
This includes cookies, user agents, connection type, and more
FingerprintingBecause web vulnerability identification sometimes requires that you identify the backbone of a particular web configuration, fingerprinting is commonly used as a medium to gain information about commonly used platforms in an attempt to identify them through common fingerprints.
These might include things such as common headers, footers, comments in code- or simply the existence of a very particular page. Fingerprinting is a key aspect in determining vulnerabilities in specific software packages, and might also be used in conjunction with a search engine in order to get large lists of vulnerable hosts through searching for a single commonality.
In the instance that a site being tested is using open source software available in a git repository, it is possible to use halcyon to create signature data from the repository metadata. Providing these signatures to kolkata and initiating a scan can determine the version of the software running on the site.
Source (includes links to vulnerability scanners as well as some more in depth information on the topics discussed here):
http://www.blackhatlibrary.net/Web_exploitation
