Till Studer's Notes

Recent Notes

Eating Your Own Dog Food
Dec 27, 2024
The Map Is Not the Territory
Dec 27, 2024
The Zen of Security Rules
Aug 22, 2024
Public Attack Simulation Repos
Aug 03, 2024
Public Detection Rule Repos
Aug 03, 2024

❯

01_Zettelkasten

❯

Web Application Attacks

Aug 29, 20232 min read

Web Application Attacks

Web Application Assessment Methodology

Information Gathering
1. What does the web app do?
2. What language(s) are used?
3. What is the software running the web server?
4. …
Increase our permissions or move laterally
Repeat steps 1 and 2 (→ Enumerate and adapt) until every avenue has been tried or the target system is successfully compromised

Web Application Enumeration

Understand the tech stack used by the web app:
- Language and Frameworks
- Web Server Software
- Database Software
- Host Operating System

Inspecting URLs

File Extensions can revel the language
This is becoming less common because modern frameworks allow routing

Inspecting Page Content

Inspect the source of the webpage using the browsers debugger to identify:
- Frameworks and their versions
- Hidden Input Fields
- Comments
- Client Side Controls
- JavaScript code
- …

Viewing Response Headers

Use the browser’s debugger networking section
- The Server Header usually reveals the Web Server Software and its version (sometimes even the Operating System)
- X- are none standard HTTP Headers, these can be used to identify further elements of the tech stack

Inspecting Sitemaps

Sitemaps include what bots should index and what NOT to index
Common sitemaps are:
- https://www.google.com/sitemap.xml
- https://www.google.com/robots.txt
  - Allow: should be indexed
  - Disallow: should NOT be indexed (→ interesting for us)

Locating Administration Consoles

Common to be found wrongly configured as the default is insecure:
- Tomcat Manager
- PHP MyAdmin (MySQL)

Web Application Assessment Tools

DIRB

Uses a wordlist to identify valid directories/pages even if they aren’t indexed
dirb http://www.megacorpone.com -r -z 10
- -r: NONE-recursively
- -z: add a delay for each request (in milliseconds)

Burp Suite

Powerful Proxy with a LOT more features
burpsuite
- Access the Java Runtime warning
- Select “Start Burp”
- Select “Proxy”
  - Used to Intercept, Inspect and Modify or Drop requests
  - List the HTTP Traffic History (this can be used in the Repeater)

Nikto

Very aggressive Web Server Software Scanner to find low hanging fruits
- nikto -host=http://www.megacropone.com -maxtime=30s
  - -maxtime: Halt the scan after the time limit
  - -T: Tune the scan

Web Application Strategies

Exploiting Admin Consoles
Cross-Site Scripting
Directory Traversal Vulnerabilities
File Inclusion Vulnerabilities
SQL Injection

Relevant Note(s): Penetration Testing

Graph View

Web Application Attacks
Web Application Assessment Methodology
Web Application Enumeration
Inspecting URLs
Inspecting Page Content
Viewing Response Headers
Inspecting Sitemaps
Locating Administration Consoles
Web Application Assessment Tools
DIRB
Burp Suite
Nikto
Web Application Strategies

Backlinks

Fixing Exploits

Created with Quartz v4.4.0 © 2025

GitHub
LinkedIn
Email