Web Exploitation 101

An Introduction to web hacking

Created by Paul-Emmanuel Raoul / skyper@skyplabs.net / @SkypLabs

Creative Commons License

What's the web?

Network protocol: HTTP

Clients: web browsers

Content providers: web servers

Content itself: web resources

HTTP Requests

A Method

A resource locator

Headers

HTTP Requests

Example of an HTTP request:


GET / HTTP/1.1
Host: duckduckgo.com
User-Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Cookie: ax=v114-3; ae=d; aq=-1; 5=2; ah=fr-fr%2Cie-en; l=wt-wt
Connection: keep-alive
Upgrade-Insecure-Requests: 1
If-None-Match: W/"5ba01b0d-157a"

HTTP Requests

It's only plain text:

What types of content?

HTML

CSS

JavaScript

Multimedia

...

HTML

Describes the structure of the web page:


<!DOCTYPE html>
<html lang="en">
  <head>
    <meta charset="UTF-8">
    <title>Sample page</title>
  </head>
  <body>
    Sample page content.
  </body>
</html>

CSS

Describes the presentation of the web page:


h1 {
  text-align: center;
  color: red;
}

h2 {
  text-align: center;
  color: red;
}

p {
  text-align: center;
  color: red;
}

JavaScript

High-level interpreted programming language:


function factorial(n) {
  if (n === 0) {
    return 1;
  }

  return n * factorial(n - 1);
}

How to know what we query?

From the client: Accept

From the server: Content-Type

It can be tricky...

Different languages can be mixed together:


<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="UTF-8">
  <title>Sample website</title>

  <style type="text/css">
    .green-title {
      color: green;
    }
  </style>
</head>
<body>
  <h1>Sample page</h1>

  <script src="https://code.jquery.com/jquery-3.3.1.min.js"></script>
  <script>
    $('h1').mouseover(function() {
      $(this).addClass('green-title');
    });
  </script>
</body>
</html>

Different parsers for different content types

"Which parser should I choose?"

What can go wrong after all?

Static title

The title is hard-coded here:


<!DOCTYPE html>
<html lang="en">
  <head>
    <meta charset="UTF-8">
    <title>Sample page</title>
  </head>
  <body>
    Sample page content.
  </body>
</html>

Dynamic title

The title's value comes from a PHP variable:


<!DOCTYPE html>
<html lang="en">
  <head>
    <meta charset="UTF-8">
    <title><?php echo $_GET['title'] ?></title>
  </head>
  <body>
    Sample page content.
  </body>
</html>

Let's inject some JavaScript


http://vuln-website.net/index.php?title=</title><script>alert('XSS')</script>

The payload needs to be converted to URL-encoded format:


http%3A%2F%2Fvuln-website.net%2Findex.php%3Ftitle%3D%3C%2Ftitle%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E

You can use online tools to do it
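An added example, not part of the deck, that puts the vulnerable title rendering next to an HTML-escaped version and URL-encodes only the parameter value (the part the server decodes) rather than the whole URL. The PHP `echo` is stood in for by Python string formatting, and the host, path and helper names are assumptions.

```python
import html
from urllib.parse import urlencode, urlsplit, parse_qs

# Same page as on the "Dynamic title" slide; {title} is where the PHP echo sits.
TEMPLATE = """<!DOCTYPE html>
<html lang="en">
  <head>
    <meta charset="UTF-8">
    <title>{title}</title>
  </head>
  <body>
    Sample page content.
  </body>
</html>"""

# The deck's payload, as the raw (decoded) value of the title parameter.
PAYLOAD = "</title><script>alert('XSS')</script>"


def render_vulnerable(title: str) -> str:
    """Mirrors `<?php echo $_GET['title'] ?>`: the value lands in the page verbatim."""
    return TEMPLATE.format(title=title)


def render_escaped(title: str) -> str:
    """Hardened form: escape <, >, &, quotes so the value can only ever be text."""
    return TEMPLATE.format(title=html.escape(title, quote=True))


def contains_script(page: str) -> bool:
    """Detection check used in the test: did a <script> element survive rendering?"""
    return "<script>" in page.lower()


def build_url(base: str, title: str) -> str:
    """Encode only the parameter value (assumed host/path), not the whole URL."""
    return base + "?" + urlencode({"title": title})


def title_param(url: str) -> str:
    """Decode the way the server side does: returns the raw title value again."""
    return parse_qs(urlsplit(url).query)["title"][0]


if __name__ == "__main__":
    url = build_url("http://vuln-website.net/index.php", PAYLOAD)
    print(url)
    print(render_vulnerable(title_param(url)))
    print(render_escaped(title_param(url)))
```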

Let's practice

Hello Stored XSS challenge

Depends on the web browser

OWASP XSS Filter Evasion Cheat Sheet

Same things can happen server-side

Different back-ends

SQL databases are the most common ones

Typical SQL query


SELECT * FROM users
WHERE username = 'admin'
AND password = 'superadmin';

Dynamic SQL queries


// Vulnerable: user input is concatenated straight into the SQL string
$query =
"SELECT * FROM users WHERE username = '"
. $username .
"' AND password = '"
. $passwd .
"';";

Let's practice

Vulnerable Login

SQL back-ends are used everywhere!

Source: Hackaday

Webpages are independent

Each page is an independent resource

To save your webapp's state: cookies

Same-origin policy

Same protocol

Same host

Same port

Quiz

http://store.company.com/dir/page.html

http://store.company.com/dir2/other.html

http://store.company.com/dir/inner/another.html

https://store.company.com/secure.html

http://store.company.com:81/dir/etc.html

http://news.company.com/dir/other.html

Examples taken from MDN web docs

Cross-Site Request Forgery

JavaScript can send web requests

The web browser will use the corresponding cookies

An XSS can lead to a CSRF attack

CSRF attack example


GET http://bank.com/transfer.do?acct=BOB&amount=100 HTTP/1.1

Examples taken from OWASP

Let's practice

CSRF Tutorial

Want to learn and practice more?

Hacker101

Avatao Web Security Path