In this module, we will delve into the exploitation of web vulnerabilities. This is a critical area of penetration testing as web applications are often the most exposed part of an organization's infrastructure. Understanding how to identify and exploit these vulnerabilities is essential for any pentester.

1. Web Vulnerabilities Overview

   • Definition and importance
   • Common types of web vulnerabilities

2. Injection Attacks

   • SQL Injection
   • Command Injection

3. Cross-Site Scripting (XSS)

   • Stored XSS
   • Reflected XSS
   • DOM-based XSS

4. Cross-Site Request Forgery (CSRF)

   • Understanding CSRF
   • Exploiting CSRF

5. Insecure Direct Object References (IDOR)

   • Identifying IDOR
   • Exploiting IDOR

6. Security Misconfigurations

   • Common misconfigurations
   • Exploiting misconfigurations

Web vulnerabilities are weaknesses or flaws in web applications that can be exploited by attackers to gain unauthorized access, steal data, or perform other malicious activities. These vulnerabilities are critical because web applications are often publicly accessible and can be a gateway to an organization's internal network.

• Injection Attacks: Occur when untrusted data is sent to an interpreter as part of a command or query.
• Cross-Site Scripting (XSS): Allows attackers to inject malicious scripts into web pages viewed by other users.
• Cross-Site Request Forgery (CSRF): Forces a user to execute unwanted actions on a web application in which they are authenticated.
• Insecure Direct Object References (IDOR): Occurs when an application exposes a reference to an internal implementation object.
• Security Misconfigurations: Involve improper configuration of security settings in web applications.

Explanation: SQL Injection occurs when an attacker can insert or manipulate SQL queries in an application's database.

Example:

If the application does not properly sanitize inputs, an attacker could input:

Resulting in the query:

This query always returns true, potentially granting unauthorized access.

Exercise:

1. Identify a vulnerable SQL query in a sample web application.
2. Exploit the vulnerability to gain unauthorized access.

Solution:

1. Locate the login form and input ' OR '1'='1 in the username or password field.
2. Observe if access is granted without valid credentials.

Explanation: Command Injection allows an attacker to execute arbitrary commands on the host operating system via a vulnerable application.

Example:

If an attacker inputs:

The command ls -la will be executed on the server.

Exercise:

1. Identify a vulnerable command execution point in a sample web application.
2. Exploit the vulnerability to execute arbitrary commands.

Solution:

1. Locate the input field that passes data to the system function.
2. Input ; ls -la and observe the output.

Explanation: Stored XSS occurs when malicious scripts are permanently stored on the target server, such as in a database.

Example:

If this script is stored in a comment section, it will execute whenever the page is loaded.

Exercise:

1. Identify a vulnerable input field in a sample web application.
2. Inject a script and observe if it is executed when the page is loaded.

Solution:

1. Locate the comment section and input <script>alert('XSS');</script>.
2. Reload the page and observe if the alert box appears.

Explanation: Reflected XSS occurs when malicious scripts are reflected off a web application to the victim's browser.

Example:

If the application reflects the input without sanitization, the script will execute.

Exercise:

1. Identify a vulnerable search field in a sample web application.
2. Inject a script and observe if it is executed.

Solution:

1. Locate the search field and input <script>alert('XSS');</script>.
2. Observe if the alert box appears.

Explanation: DOM-based XSS occurs when the vulnerability is in the client-side code rather than the server-side code.

Example:

If the URL contains #<script>alert('XSS');</script>, the script will execute.

Exercise:

1. Identify a vulnerable client-side script in a sample web application.
2. Inject a script and observe if it is executed.

Solution:

1. Locate the client-side script and input #<script>alert('XSS');</script> in the URL.
2. Observe if the alert box appears.

Explanation: CSRF forces a user to execute unwanted actions on a web application in which they are authenticated.

Example:

If the user is authenticated, the request will be executed.

Exercise:

1. Identify a vulnerable action in a sample web application.
2. Create a malicious request to exploit the vulnerability.

Solution:

1. Locate the transfer money functionality.
2. Create an HTML page with an image tag pointing to the transfer URL with parameters.

Explanation: IDOR occurs when an application exposes a reference to an internal implementation object.

Example:

If changing the id parameter to another user's ID grants access to their data, it is an IDOR vulnerability.

Exercise:

1. Identify a vulnerable endpoint in a sample web application.
2. Change the parameter to access unauthorized data.

Solution:

1. Locate the user profile URL and change the id parameter to another user's ID.
2. Observe if access to another user's data is granted.

Explanation: Security misconfigurations involve improper configuration of security settings in web applications.

Examples:

• Default credentials
• Directory listing enabled
• Verbose error messages

Exercise:

1. Identify a common misconfiguration in a sample web application.
2. Exploit the misconfiguration to gain unauthorized access.

Solution:

1. Locate the admin panel with default credentials.
2. Log in using default credentials and observe if access is granted.

In this module, we covered various types of web vulnerabilities, including injection attacks, XSS, CSRF, IDOR, and security misconfigurations. Understanding these vulnerabilities and how to exploit them is crucial for effective penetration testing. In the next module, we will explore the exploitation of network vulnerabilities.