To successfully identify and exploit advanced web vulnerabilities, it is essential to have a deep understanding of modern web concepts and exploitation techniques. In this module, we will explore these concepts and techniques, building upon our foundational knowledge of basic web vulnerabilities like Cross-Site Scripting, SQL injection, and Local File Inclusion. We will also examine their second-order variations and explore their exploitation over protocols beyond HTTP, particularly the WebSocket Protocol.
In more detail, this module covers the following:
DNS Rebinding & Advanced SSRF Filter Bypasses:
- Bypassing SSRF filters
- Conducting DNS Rebinding attacks
Second-Order Vulnerabilities:
- Exploitation of second-order IDORs
- Exploitation of second-order LFIs
- Exploitation of second-order Command Injections
WebSockets:
- Introduction to WebSockets
- Analysis and Manipulation of WebSocket connections
- Exploitation of web vulnerabilities via WebSockets
This module is broken into sections with accompanying hands-on exercises to practice each of the tactics and techniques we cover. The module ends with a practical hands-on skills assessment to gauge your understanding of the various topic areas.
You can start and stop the module at any time and pick up where you left off. There is no time limit or "grading," but you must complete all of the exercises and the skills assessment to receive the maximum number of cubes and have this module marked as complete in any paths you have chosen.
As you work through the module, you will see example commands and command output for the various topics introduced. It is worth reproducing as many of these examples as possible to further reinforce the concepts presented in each section. You can do this in the PwnBox provided in the interactive sections or in your own virtual machine.
Introduction to Modern Web Exploitation Techniques
This module explores three advanced web exploitation techniques:
- DNS Rebinding,
- Second-Order vulnerabilities, and
- WebSockets.
It is recommended to have a good understanding of basic web vulnerabilities such as Cross-Site Scripting (XSS), SQL Injection (SQLi), and Insecure Direct Object References (IDORs) before tackling this module. A good start is the Web Attacks module.
Modern Web Exploitation Techniques
DNS Rebinding is an advanced attack technique that relies on changing the Domain Name System (DNS) answers for a hostname the attacker controls; it allows an attacker to bypass insufficient SSRF filters as well as the Same-Origin Policy.
A second-order vulnerability, sometimes referred to as a second-order injection or delayed vulnerability, arises when malicious input supplied by a user does not immediately exploit a weakness at the initial point of input. Instead, the input is stored by the web application and remains latent until it is later retrieved, processed, or used elsewhere in the application's codebase. During that subsequent processing, the vulnerability manifests and can lead to a security breach. By their nature, second-order vulnerabilities are much harder to identify because the initial "first-order" injection point is often not vulnerable itself, which can lead an attacker to assume that the web application is not vulnerable at all.
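As an added illustration (not code from the module), the following Python/sqlite3 snippet shows a second-order SQL injection: the registration endpoint is parameterised and looks safe when tested, but a later password-change routine concatenates the stored username into a query. The table layout, function names and the `admin' --` sample username are constructed for this example; the hardened variant binds the stored value as a parameter.

```python
import sqlite3

# Constructed in-memory schema for this example; not part of the module.
def setup_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT UNIQUE, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'admin-secret')")
    return conn

def register(conn: sqlite3.Connection, username: str, password: str) -> int:
    """First-order input point. Parameterised, so probing it for SQLi finds
    nothing; the payload is simply stored. Returns the new user's rowid."""
    cur = conn.execute("INSERT INTO users VALUES (?, ?)", (username, password))
    return cur.lastrowid

def stored_username(conn: sqlite3.Connection, user_id: int) -> str:
    """Later request: the application reloads the username from storage
    (session user id -> profile) and treats it as trusted internal data."""
    return conn.execute("SELECT username FROM users WHERE rowid = ?",
                        (user_id,)).fetchone()[0]

def change_password_vulnerable(conn, user_id: int, new_password: str) -> int:
    """Second-order sink: fresh input is bound, but the stored username is
    concatenated into the WHERE clause. Returns rows touched by the UPDATE."""
    name = stored_username(conn, user_id)
    cur = conn.execute(
        f"UPDATE users SET password = ? WHERE username = '{name}'", (new_password,))
    return cur.rowcount

def change_password_fixed(conn, user_id: int, new_password: str) -> int:
    """Hardened sink: data read back from storage is bound as a parameter,
    exactly like fresh user input, so the comparison is a literal match."""
    name = stored_username(conn, user_id)
    cur = conn.execute("UPDATE users SET password = ? WHERE username = ?",
                       (new_password, name))
    return cur.rowcount

def password_of(conn, username: str) -> str:
    return conn.execute("SELECT password FROM users WHERE username = ?",
                        (username,)).fetchone()[0]

if __name__ == "__main__":
    db = setup_db()
    # Constructed username: closes the quote and comments out the rest of the query.
    uid = register(db, "admin' --", "attacker-pw")
    change_password_vulnerable(db, uid, "changed")
    print("admin password after vulnerable sink:", password_of(db, "admin"))
    change_password_fixed(db, uid, "changed-again")
    print("admin password after fixed sink:", password_of(db, "admin"))
```

With the vulnerable sink, the UPDATE silently targets the `admin` row instead of the caller's own; the fixed sink updates only the row whose username literally equals the stored string.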
WebSockets enable bidirectional communication between WebSocket clients and servers, providing an alternative means of transmitting data compared to the traditional HTTP protocol. Common web vulnerabilities such as Cross-Site Scripting and SQL Injection may arise depending on how a website integrates WebSockets.
Let's get started by discussing the first technique in the next section.