SEC642: Advanced Web App Penetration Testing, Ethical Hacking, and Exploitation Techniques

Overview

As applications and their vulnerabilities become more complex, penetration testers have to be able to handle advanced targets. We'll start the course with a warm-up pen test of a small application using Cross-Site Scripting based on the Document Object Model (DOM) to steal and use a Cross-site Request Forgery (CSRF) token. After our review of this exercise, we will explore some of the more advanced techniques for NoSQL Injection server-based flaws in MongoDB. We will then take a stab at Server-Side Request Forgery (SSRF), Lightweight Directory Access Protocol (LDAP) injection attacks, and Security Markup (SAML) Single Sign On (SSO) privilege escalation. HTTP Desynchronization attacks are also known as request smuggling, which can allow for Web Application Firewall (WAF) bypass. After discovering the flaws, we will work through various ways to exploit these flaws beyond the typical methods used these days. These advanced techniques will help penetration testers find ways to demonstrate these vulnerabilities to their organization through advanced and custom exploitation.

Exercises

Activated the Burp Suite Pro license for training

• Getting warmed up with DOM-XSS
• Exploiting SSRF
• Exploiting LDAP injection
• Exploiting NoSQL injection
• HTTP desynchronization attacks
• Attacking SAML

Topics

• Review of the testing methodology
• Using Burp Suite in a web penetration test
• DOM-XSS to steal and use a CSRF token
• Discovering and exploiting SSRF
• Discovering and exploiting LDAP injection
• Discovering and exploiting NoSQL injection
• Using HTTP desynchronization attacks
• Performing privilege escalation in SAML SSO
• Learning advanced exploitation techniques

Overview

Cryptographic weaknesses are a major area of web application vulnerabilities, yet very few penetration testers have the skill to investigate, attack, and exploit these flaws. When we investigate web application crypto attacks, we typically target the implementation and use of cryptography in modern web applications. Many popular web programming languages or development frameworks make encryption services available to the developer. However, they often do not protect encrypted data from being attacked, or they enable the developer to use cryptography only weakly. These implementation mistakes are going to be our focus in this section, as opposed to the exploitation of deficiencies in the cryptographic algorithms themselves. We will also explore the various ways applications use encryption and hashing insecurely. Students will learn techniques ranging from identifying types of encryption to exploiting various flaws within encryption or hashing techniques.

Exercises

• Discovering and exploiting hash length extension attacks
• Exploiting weak keys chosen by the backend system
• Attacking stream ciphers
• Discovering and exploiting ECB Shuffling in web applications
• Discovering and exploiting CBC Bit Flipping in web applications
• Discovering and exploiting Padding Oracle Attack in web applications

Topics

• Identifying the cryptography used in the web application
• Identifying and exploiting hash length extension attacks
• Analyzing and attacking the encryption keys
• Exploiting stream cipher IV collisions
• Exploiting Electronic Codebook (ECB) Mode Ciphers with block shuffling
• Exploiting Cipher Block Chaining (CBC) Mode with bit flipping
• Vulnerabilities in PKCS#7 padding implementations

Overview

Web applications are no longer limited to the traditional HTML-based interfaces. Web services and mobile applications have become more common and are regularly being used to attack clients and organizations. As such, it has become very important that penetration testers understand how to evaluate the security of these systems. We will explore various techniques to discover flaws within the applications and backend systems. These techniques will make use of tools such as Burp Suite and other automated toolsets. We'll use lab exercises to explore the newer protocols of HTTP/2 and WebSockets, exploiting flaws exposed within each of them. We'll then examine a mobile backend, Representational State Transfer (REST) and Simple Object Access Protocol (SOAP) Application Programming Interfaces ( APIs), Graph Query Language (GraphQL), XML XPath injection, and XML External Entity (XXE) attacks.

Exercises

• Playing with WebSockets in SocketToMe
• Discovering weaknesses in H2O's HTTP/2 implementation
• Wireshark stream extraction to interact with a mobile server
• Exploiting a REST API
• Exploring and exploiting a GraphQL service
• Exploring and exploiting XML XPath injection
• Exploring and exploiting XXE attacks

Topics

WebSocket protocol issues and vulnerabilities

New HTTP/2 and HTTP/3 protocol issues and penetration testing

• Interacting with a mobile application backend
• SOAP and REST web services
• Penetration testing of web services
• GraphQL services
• XML Xpath injection
• XML External Entities (XXE)

Overview

In this section we start exploring the underlying infrastructure of our frameworks and languages. It all begins with an exploration of the architecture of popular frameworks. There is coverage on architectural vulnerabilities found in frameworks even today, such as Mass Assignment. Newer frameworks such as server-side JavaScript frameworks with NodeJS show us some different exploitation options. Students will explore how to abuse vulnerabilities to append our JavaScript code blocks within these frameworks, leading to full system takeover. Next, we'll explore Modern PHP, and while it is a much-maligned language, it is still hugely popular. Our exploration of Modern PHP takes us into types-inference bugs and how these issues can be abused and lead to system manipulation or bypassing controls. We'll then turn to PHP deserialization bugs. Students will get to discover and build custom PHP deserialization payloads. We end the section with a lab that walks the student through building a PHAR payload that causes deserialization to occur, allowing us to exploit the underlying system. The topics covered in this section help us connect to the concepts that will be valuable in the next section, when we’ll be dealing with much more complex frameworks.

Exercises

• Mass assignments
• Template injections
• Testing for and abusing SSJIs
• Authentication bypasses with type confusions
• PHP deserialization lab
• PHAR deserialization lab

Topics

• Web architectures
• MVC and its architecture components
• JavaScript and JavaScript frameworks
• Server-Side JavaScript
• Modern PHP
• PHP deserialization bugs
• Deserialization through PHAR

Overview

This course section continues the topics of the previous section with web frameworks. We start with Ruby- and Rack-based applications such as Sinatra and Ruby on Rails. Developers can improperly set up the Rack-based applications, and as part of that misconfiguration, we explore the abuse of the middleware layer using Ruby deserialization techniques. Next we'll look at the Java Language and all its complexity. Some maintain that the Java language is a mature, enterprise language, while others claim it to be a complete security failure. Students will review Java's security features and its security failings to discover, assess, and exploit Java Applications. The section features a walkthrough on how to construct Java attacks through Reflection, Serialization Issues, RMI, and the use of Java-Jar-based payloads.

While the Modern Framework Sections ends in Java, students will continue on to the next topic on bypassing application protections. Applications today are using more security controls to help prevent attacks. These controls, such as Web Application Firewalls and filtering techniques, make it more difficult for penetration testers during their testing. The controls block many of the automated tools and simple techniques used to discover flaws. Students will use HTML5, UNICODE, and other encodings that enable discovery techniques to work within the protected application. In the final part of the class, we will abuse a PHP Language feature that uses operating system commands to do its work. Manipulating interpreter functionality like this can yield system compromise, and we demonstrate this in our final lab.

Exercises

• Rack Cookie Deserialization lab
• Elasticsearch and Groovy Sandboxing lab
• Building Java Payloads
• Java Deserialization lab
• Testing and fingerprinting defense based on difficult-to-defend web vulnerabilities
• Working through XSS defenses compound data URIs
• Bypassing SQL injection defense with custom tamper scripts in sqlmap
• RCE Bypass through PHP and its Mail() function

Topics

• Ruby and Rack applications
• Java, Java Gadgets, and Java Payloads
• Java Payload Weaponization
• Java serialization
• Fingerprinting the defense techniques used
• Learning how HTML5 injections work
• Using UNICODE, CTYPEs, and Data URIs to bypass restrictions
• Bypassing a Web Application Firewall's best-defended vulnerabilities, XSS and SQLi
• Bypassing application restrictions

Overview

In this final course section you will be placed on a network and given the opportunity to complete an entire penetration test. The goal is for you to explore the techniques, tools, and methodology you will have learned during the previous five course section. You'll be able to use these skills against a realistic extranet and intranet. At the end of the challenge, you will provide a verbal report of the findings and methodology you followed to complete it. Students will be provided with a virtual machine that contains the SEC642 Slingshot Virtual Machine with Burp Suite Pro installed. You will be able to use this both in the class and after leaving and returning to your jobs.