CSbyGB - Pentips
Buy me a tea
  • CS By GB - PenTips
    • Welcome to CSbyGB's Pentips
  • Networking, Protocols and Network pentest
    • Basics
    • DNS
    • FTP
    • HTTP & HTTPS
    • IMAP
    • IPMI
    • MSSQL
    • MYSQL
    • NFS
    • Oracle TNS
    • POP3
    • RDP
    • RPC
    • Rservices
    • Rsync
    • SMB
    • SMTP
    • SNMP
    • SSH
    • VOIP and related protocols
    • Winrm
    • WMI
    • Useful tips when you find unknown ports
  • Ethical Hacking - General Methodology
    • Introduction
    • Information Gathering
    • Scanning & Enumeration
    • Exploitation (basics)
    • Password Attacks
    • Post Exploitation
    • Lateral Movement
    • Proof-of-Concept
    • Post-Engagement
    • MITRE ATT&CK
  • External Pentest
    • External Pentest
  • Web Pentesting
    • Introduction to HTTP and web
    • Enumeration
    • OWASP Top 10
    • General Methodo & Misc Tips
    • Web Services and API
    • Vunerabilities and attacks
      • Clickjacking
      • CORS (Misconfigurations)
      • CSRF
      • SSRF
      • Bypass captcha
      • Template Injection (client and server side)
      • MFA bypass
      • XXE
    • Exposed git folder
    • Docker exploitation and Docker vulnerabilities
    • Websockets
  • Mobile App Pentest
    • Android
    • IOS
  • Wireless Pentest
    • Wireless pentest
  • Cloud Pentest
    • Cloud Pentest
    • Google Cloud Platform
    • AWS
  • Thick Client Pentest
    • Thick Client
  • Hardware Pentest
    • ATM
    • IoT
  • Secure Code Review
    • Secure code review
    • Java notes for Secure Code Review
  • AI & AI Pentest
    • MITRE ATLAS
    • OWASP ML and LLM
    • Hugging face
    • AI Python
    • Gemini
    • Ollama
  • Checklist
    • Web Application and API Pentest Checklist
    • Linux Privesc Checklist
    • Mobile App Pentest Checklist
  • Tools
    • Burpsuite
    • Android Studio
    • Frida
    • CrackMapExec
    • Netcat and alternatives
    • Nmap
    • Nuclei
    • Evil Winrm
    • Metasploit
    • Covenant
    • Mimikatz
    • Passwords, Hashes and wordlist tools
    • WFuzz
    • WPScan
    • Powershell Empire
    • Curl
    • Vulnerability Scanning tools
    • Payload Tools
    • Out of band Servers
    • STEWS
    • Webcrawlers
    • Websocat
  • VM and Labs
    • General tips
    • Setup your pentest lab
  • Linux
    • Initial Foothold
    • Useful commands and tools for pentest on Linux
    • Privilege Escalation
      • Kernel Exploits
      • Password and file permission
      • Sudo
      • SUID
      • Capabilities
      • Scheduled tasks
      • NFS Root Squashing
      • Services
      • PATH Abuse
      • Wildcard Abuse
      • Privileged groups
      • Exploit codes Cheat Sheet
  • Windows
    • Offensive windows
    • Enumeration and general Win tips
    • Privilege Escalation
    • Active Directory
    • Attacking Active Directory
      • LLMNR Poisoning
      • SMB Relay Attacks
      • Shell Access
      • IPv6 Attacks
      • Passback Attacks
      • Abusing ZeroLogon
    • Post-Compromise Enumeration
      • Powerview or SharpView (.NET equivalent)
      • AD Manual Enumeration
      • Bloodhound
      • Post Compromise Enumeration - Resources
    • Post Compromise Attacks
      • Pass the Password / Hash
      • Token Impersonation - Potato attacks
      • Kerberos
      • GPP/cPassword Attacks
      • URL File Attack
      • PrintNightmare
      • Printer Bug
      • AutoLogon exploitation
      • Always Installed Elevated exploitation
      • UAC Bypass
      • Abusing ACL
      • Unconstrained Delegation
    • Persistence
    • AV Evasion
    • Weaponization
    • Useful commands in Powershell, CMD and Sysinternals
    • Windows Internals
  • Programming
    • Python programming
    • My scripts
    • Kotlin
  • Binary Exploitation
    • Assembly
    • Buffer Overflow - Stack based - Winx86
    • Buffer Overflow - Stack based - Linux x86
  • OSINT
    • OSINT
    • Create an OSINT lab
    • Sock Puppets
    • Search engines
    • OSINT Images
    • OSINT Email
    • OSINT Password
    • OSINT Usernames
    • OSINT People
    • OSINT Social Media
    • OSINT Websites
    • OSINT Business
    • OSINT Wireless
    • OSINT Tools
    • Write an OSINT report
  • Pentester hardware toolbox
    • Flipper Zero
    • OMG cables
    • Rubber ducky
  • Post Exploitation
    • File transfers between target and attacking machine
    • Maintaining Access
    • Pivoting
    • Cleaning up
  • Reporting
    • How to report your findings
  • Red Team
    • Red Team
    • Defenses Enumeration
    • AV Evasion
  • Writeups
    • Hackthebox Tracks
      • Hackthebox - Introduction to Android Exploitation - Track
    • Hackthebox Writeups
      • Hackthebox - Academy
      • Hackthebox - Access
      • Hackthebox - Active
      • Hackthebox - Ambassador
      • Hackthebox - Arctic
      • Hackthebox - Awkward
      • Hackthebox - Backend
      • Hackthebox - BackendTwo
      • Hackthebox - Bastard
      • Hackthebox - Bastion
      • Hackthebox - Chatterbox
      • Hackthebox - Devel
      • Hackthebox - Driver
      • Hackthebox - Explore
      • Hackthebox - Forest
      • Hackthebox - Good games
      • Hackthebox - Grandpa
      • Hackthebox - Granny
      • Hackthebox - Inject
      • Hackthebox - Jeeves
      • Hackthebox - Jerry
      • Hackthebox - Lame
      • Hackthebox - Late
      • Hackthebox - Love
      • Hackthebox - Mentor
      • Hackthebox - MetaTwo
      • Hackthebox - Monteverde
      • Hackthebox - Nibbles
      • Hackthebox - Optimum
      • Hackthebox - Paper
      • Hackthebox - Photobomb
      • Hackthebox - Poison
      • Hackthebox - Precious
      • Hackthebox - Querier
      • Hackthebox - Resolute
      • Hackthebox - RouterSpace
      • Hackthebox - Sauna
      • Hackthebox - SecNotes
      • Hackthebox - Shoppy
      • Hackthebox - Soccer
      • Hackthebox - Steamcloud
      • Hackthebox - Toolbox
      • Hackthebox - Vault
      • Hackthebox - Updown
    • TryHackme Writeups
      • TryHackMe - Anonymous
      • TryHackMe - Blaster
      • TryHackMe - CMesS
      • TryHackMe - ConvertMyVideo
      • TryHackMe - Corridor
      • TryHackMe - LazyAdmin
      • TryHackMe - Looking Glass
      • TryHackMe - Nahamstore
      • TryHackMe - Overpass3
      • TryHackMe - OWASP Top 10 2021
      • TryHackMe - SimpleCTF
      • TryHackMe - SQL Injection Lab
      • TryHackMe - Sudo Security Bypass
      • TryHackMe - Tomghost
      • TryHackMe - Ultratech
      • TryHackMe - Vulnversity
      • TryHackMe - Wonderland
    • Vulnmachines Writeups
      • Web Labs Basic
      • Web Labs Intermediate
      • Cloud Labs
    • Mobile Hacking Lab
      • Mobile Hacking Lab - Lab - Config Editor
      • Mobile Hacking Lab - Lab - Strings
    • Portswigger Web Security Academy Writeups
      • PS - DomXSS
      • PS - Exploiting vulnerabilities in LLM APIs
    • OWASP projects and challenges writeups
      • OWASP MAS Crackmes
    • Vulnerable APIs
      • Vampi
      • Damn Vulnerable Web Service
      • Damn Vulnerable RESTaurant
    • Various Platforms
      • flAWS 1&2
  • Digital skills
    • How to make a gitbook
    • Marp
    • Linux Tips
    • Docker
    • VSCodium
    • Git Tips
    • Obsidian
  • Durable skills
    • Durable skills wheel/Roue des compétences durables
  • Projects
    • Projects
      • Technical Projects
      • General Projects
  • Talks
    • My Talks about Web Pentest
    • My talks about Android Application hacking
    • Other of my talks and Podcast
  • Resources
    • A list of random resources
Powered by GitBook
On this page
  • SQL Injection
  • Defenses again SQLi
  • Broken authentication
  • Sensitive data exposure
  • XML External Entities (XXE)
  • Broken Access Control
  • Security Misconfiguration
  • Cross Site Scripting
  • Reflected
  • Stored
  • Prevent XSS
  • Insecure deserialization
  • Using components with known vulnerabilities
  • Insufficient Logging and Monitoring
  • Resources
  1. Web Pentesting

OWASP Top 10

PreviousEnumerationNextGeneral Methodo & Misc Tips

Last updated 2 years ago

  • Note: In this section our example will be taken using OWASP Juice shop which is a voluntarily vulnerable application. You can get it along with explainations on how to install and run it on Kali (For the example the install was made using Docker and for challenges not available with docker I used the one from tryhackme ) We are also going to use examples from

  • To go further with juice shop check out the gitbook

SQL Injection

image
  • To find a SQL injection we can try to add special chars in forms and analyze the responses we get.

Defenses again SQLi

Broken authentication

  • In our example we have user enumeration

  • We also have to see if we can bypass authentication

Sensitive data exposure

  • Using directory busting we can find sensitive info like folders or backup files

  • We can check the response and grep on keywords like passwords or keys

XML External Entities (XXE)

  • In this XML code we are defining something that works like a constant in a way, everytime we will call the &from; we will put the value "someone".

  • However when using this we could mess up with it by adding special chars that would be interpreted as xml

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE gift [
  <!ENTITY from "someone">
]>
<gift>
  <To>someone else</To>
  <From>&from;</From>
  <Item>A nice item</Item>
</gift>
  • We can try this payload taken from PayloadsAllTheThings(https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/XXE%20Injection/README.md#classic-xxe)

<?xml version="1.0" encoding="ISO-8859-1"?>
  <!DOCTYPE foo [  
  <!ELEMENT foo ANY >
  <!ENTITY xxe SYSTEM "file:///etc/passwd" >]><foo>&xxe;</foo>
  • For our example we put this in a file called test.xml

Broken Access Control

  • It means that a user gets access to something they should not be able to access

Security Misconfiguration

  • Default credentials in a login page

  • Stack traces

Cross Site Scripting

  • To find an XSS the thing to do is to look for inputs in the website like search bar, comment form, etc.

  • Goals: steal cookies, deface website, denial of service, keylogging, ...

Reflected

  • Our XSS is not persistent so our payload is not kept in database

Stored

  • Our XSS is persistent so our payload is stored in the database so anyone accessing our page will have the payload executed.

Prevent XSS

Insecure deserialization

Using components with known vulnerabilities

Insufficient Logging and Monitoring

Resources

Source:

image

Source:

image

Source:

In our example when using a special char in the login form we got a very verbose sqlite error that indicates that we have sql injection

Using this payload test' OR 1=1;-- we were able to login because -- comments the rest of the query so the password is not checked

image

Source:

When a user exist if we go to forgot password we can get a security question

If the user does not exist we do not get a security question

In our example there is an ftp page

We also need to check if HSTS is enabled which means that we need to check if the strict transport security header is used and properly set up. Check on OWASP for more info.

It is also checking SSL we can use for this purpose or nmap with nmap --script=ssl-enum-ciphers -p 443 domain.com

We will abuse this file upload function

We select our xml file to upload it and enter some string in the description field and send this

It works we are able to get the /etc/passwd file

In our example we are going to use the customer feedback section and leave a feedback as another customer.

There is a hidden userID field on the form that we can see if we check out the source code

If we make it visible we can see our own user id is 21

We can change it to 1 for example

If we submit this we have successfully exploited Broken Access Control by posing feedback as another user

In our example we stumble on an interesting url that takes an id parameter:

We can try to inject our payload <iframe src="javascript:alert(xss)">

For this example we are going to use XSS game and this payload <img src='#' onerror=alert(1) />

It works

image

Source:

Practical Ethical Hacking - TCM Security
Practical Ethical Hacking - TCM Security
Practical Ethical Hacking - TCM Security
PEH - TCM Security Academy
OWASP A2-Broken Authentication
OWASP A3-Sensetive Data Exposure
this
testssl
OWASP A5-Broken Access Control
OWASP A6-Security Misconfigurations
OWASP A7-Cross Site Scripting
DOM Based XSS
XSS Game
PEH - TCM Security Academy
OWASP A8-Insecure Deserialization
OWASP A9-Using Components with Known Vulnerabilities
OWASP A10-Insufficient Logging & Monitoring
here
here
XSS Game
here
My talk on Solving web vulnerabilities with pentesting
Practical Ethical Hacking - The Complete Course
Practical Ethical Hacking - TCM Security
GitHub - tanprathan/OWASP-Testing-Checklist: OWASP based Web Application Security Testing Checklist is an Excel based checklist which helps you to track the status of completed and pending test cases.GitHub
OWASP Testing Checklist
https://owasp.org/www-project-web-security-testing-guide/assets/archive/OWASP_Testing_Guide_v4.pdf
OWASP Testing Guide
image
image
image
image
image
image
image
image
image
image
image
image
image
image
image
Logo
Logo
image
image