Web Exploitation 101
An Introduction to web hacking
Created by Paul-Emmanuel Raoul / skyper@skyplabs.net / @SkypLabs
What's the web?
Network protocol: HTTP
Clients: web browsers
Content providers: web servers
Content itself: web resources
HTTP Requests
A Method
A resource locator
Headers
HTTP Requests
Example of an HTTP request:
GET / HTTP/1.1
Host: duckduckgo.com
User-Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Cookie: ax=v114-3; ae=d; aq=-1; 5=2; ah=fr-fr%2Cie-en; l=wt-wt
Connection: keep-alive
Upgrade-Insecure-Requests: 1
If-None-Match: W/"5ba01b0d-157a"
HTTP Requests
It's only plain text:
What types of content?
HTML
CSS
JavaScript
Multimedia
...
HTML
Describes the structure of the web page:
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>Sample page</title>
</head>
<body>
Sample page content.
</body>
</html>
CSS
Describes the presentation of the web page:
h1 {
text-align: center;
color: red;
}
h2 {
text-align: center;
color: red;
}
p {
text-align: center;
color: red;
}
JavaScript
High-level interpreted programming language:
function factorial(n) {
if (n === 0) {
return 1;
}
return n * factorial(n - 1);
}
How to know what we query?
From the client: Accept
From the server: Content-Type
It can be tricky...
Different languages can be mixed together:
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>Sample website</title>
<style type="text/css">
.green-title {
color: green;
}
</style>
</head>
<body>
<h1>Sample page</h1>
<script src="https://code.jquery.com/jquery-3.3.1.min.js"</script>
<script>
$('h1').mouseover(function() {
$(this).addClass('green-title');
});
</script>
</body>
</html>
Different parsers for different content types
What can go wrong after all?
Static title
The title is hard-coded here:
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>Sample page</title>
</head>
<body>
Sample page content.
</body>
</html>
Dynamic title
The title's value comes from a PHP variable:
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title><?php echo $_GET['title'] ?></title>
</head>
<body>
Sample page content.
</body>
</html>
Let's inject some JavaScript
http://vuln-website.net/index.php?title=</title><script>alert('XSS')</script>
You need to encode an URL encoded format:
http%3A%2F%2Fvuln-website.net%2Findex.php%3Ftitle%3D%3C%2Ftitle%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E
You can use online tools to do it
Let's practice
Depends on the web browser
Same things can happen server-side
Different back-ends
SQL databases are the most common ones
Typical SQL query
SELECT * FROM users
WHERE username = 'admin'
AND password = 'superadmin';
Dynamic SQL queries
$query =
"SELECT * FROM users WHERE username = "
. $username .
" AND password = "
. $passwd .
";"
Let's practice
SQL back-ends are used everywhere!
Webpages are independent
Each page is an independent resource
To save your webapp's state: cookies
Same-origin policy
Same protocol
Same host
Same port
Quiz
http://store.company.com/dir/page.html
http://store.company.com/dir2/other.html
http://store.company.com/dir/inner/another.html
https://store.company.com/secure.html
http://store.company.com:81/dir/etc.html
http://news.company.com/dir/other.html
Examples taken from MDN web docs
Cross-Site Request Forgery
JavaScript can send web requests
The web browser will use the corresponding cookies
An XSS can lead to an CSRF attack
CSRF attack example
GET http://bank.com/transfer.do?acct=BOB&amount=100 HTTP/1.1
Examples taken from OWASP