Launching HTB CWEE: Certified Web Exploitation Expert Learn More

Modern Web Exploitation Techniques

This module covers advanced web concepts and exploitation techniques, including performing DNS Rebinding to bypass faulty SSRF filters and the Same-Origin Policy, identifying and exploiting Second-Order vulnerabilities, and conducting common web attacks via WebSocket connections.

4.91

Created by vautia
Co-Authors: Sentinal

Hard Offensive

Summary

To successfully identify and exploit advanced web vulnerabilities, it is essential to have a deep understanding of modern web concepts and exploitation techniques. In this module, we will explore these concepts and techniques, building upon our foundational knowledge of basic web vulnerabilities like Cross-Site Scripting, SQL injection, and Local File Inclusion. We will also examine their second-order variations and explore their exploitation over protocols beyond HTTP, particularly the WebSocket Protocol.

In more detail, this module covers the following:

  • DNS Rebinding & Advanced SSRF Filter Bypasses:
    • Bypassing SSRF filters
    • Conducting DNS Rebinding attacks
  • Second-Order Attacks:
    • Exploitation of second-order IDORs
    • Exploitation of second-order LFIs
    • Exploitation of second-order Command Injections
  • WebSocket Attacks
    • Introduction to WebSockets
    • Analysis and Manipulation of WebSocket connections
    • Exploitation of web vulnerabilities via WebSockets

This module is broken into sections with accompanying hands-on exercises to practice each of the tactics and techniques we cover. The module ends with a practical hands-on skills assessment to gauge your understanding of the various topic areas.

You can start and stop the module at any time and pick up where you left off. There is no time limit or "grading," but you must complete all of the exercises and the skills assessment to receive the maximum number of cubes and have this module marked as complete in any paths you have chosen.

As you work through the module, you will see example commands and command output for the various topics introduced. It is worth reproducing as many of these examples as possible to reinforce further the concepts presented in each section. You can do this in the PwnBox provided in the interactive sections or your virtual machine.

A firm grasp of the following modules can be considered a prerequisite for the successful completion of this module:

  • Server-side Attacks
  • Web Attacks
  • File Inclusion
  • SQL Injection Fundamentals

Introduction to Modern Web Exploitation Techniques

This module explores three advanced web exploitation techniques: DNS Rebinding, Second-Order vulnerabilities, and WebSocket attacks.

It is recommended to have a good understanding of basic web vulnerabilities such as Cross-Site Scripting (XSS), SQL Injection (SQLi), and Insecure Direct Object References (IDORs) before tackling this module. A good start is the Web Attacks module.

Modern Web Exploitation Techniques

DNS Rebinding

DNS Rebinding is an advanced attack technique that relies on changes in the Domain Name System (DNS); it allows an attacker to bypass insufficient SSRF filters as well as the Same-Origin policy.

Second-Order Attacks

A second-order vulnerability, sometimes referred to as a second-order injection or delayed vulnerability, arises when malicious input supplied by a user does not immediately exploit a weakness at the initial point of input. Instead, this input is stored by the web application and remains latent until it is later retrieved, processed, or utilized elsewhere within the application's codebase. During this subsequent interaction or processing, the vulnerability manifests and potentially leads to security breaches. By their nature, second-order vulnerabilities are much harder to identify because the initial "first-order" injection point might not be vulnerable, potentially leading an attacker to the assumption that the web application is not vulnerable at all.

WebSocket Attacks

WebSockets enable bidirectional communication between WebSocket clients and servers, providing an alternative means of transmitting data compared to the traditional HTTP protocol. Common web vulnerabilities such as Cross-Site Scripting, and SQL Injection may arise depending on how a website integrates WebSockets.

Let's get started by discussing the first technique in the next section.

Sign Up / Log In to Unlock the Module

Please Sign Up or Log In to unlock the module and access the rest of the sections.

Sections

Relevant Paths

This module progresses you towards the following Paths

Senior Web Penetration Tester image

Senior Web Penetration Tester

The Senior Web Penetration Tester Job Role Path is designed for individuals who aim to develop skills in identifying advanced and hard-to-find web vulnerabilities using both black box and white box techniques. This path encompasses advanced-level training in web security, web penetration testing, and secure coding concepts. It also provides a deep understanding of the application debugging, source code review, and custom exploit development aspects of web security. Equipped with the necessary theoretical background, multiple practical exercises, and a proven methodology for web vulnerability identification, students will eventually be capable of performing professional security assessments against modern and highly secure web applications, as well as effectively reporting vulnerabilities found in code or arising from logical errors.

Hard Path Sections 243 Sections
Required: 7500
Reward: +1500
Path Modules
Injection Attacks
Medium
Path Sections 15 Sections
Reward: +100
This module covers three injection attacks: XPath injection, LDAP injection, and HTML injection in PDF generation libraries. While XPath and LDAP injection vulnerabilities can lead to authentication bypasses and data exfiltration, HTML injection in PDF generation libraries can lead to Server-Side Request Forgery (SSRF), Local File Inclusion (LFI), and other common web vulnerabilities. We will cover how to identify, exploit, and prevent each of these injection attacks.
Introduction to NoSQL Injection
Medium
Path Sections 12 Sections
Reward: +100
In this module, we will look at exploiting NoSQL injection vulnerabilities, specifically MongoDB, with examples in Python, PHP, and Node.JS.
Attacking Authentication Mechanisms
Medium
Path Sections 18 Sections
Reward: +100
Authentication plays an essential role in almost every web application. If a vulnerability arises in the application's authentication mechanism, it could result in unauthorized access, data loss, or potentially even remote code execution, depending on the application's functionality. This module will provide an overview of various authentication methods, such as JWT, OAuth, and SAML, and potential attacks against each. Knowledge of modern authentication mechanisms will greatly benefit your penetration testing and bug bounty hunting journey when facing web applications.
Advanced XSS and CSRF Exploitation
Medium
Path Sections 17 Sections
Reward: +100
Modern web browsers and applications utilize a variety of security measures to protect against CSRF and XSS vulnerabilities, rendering their exploitation more difficult. This module focuses on exploiting advanced CSRF and XSS vulnerabilities, identifying and bypassing weak and wrongly implemented defensive mechanisms.
HTTPs/TLS Attacks
Medium
Path Sections 15 Sections
Reward: +100
This module covers details on Transport Layer Security (TLS) and how it helps to make HTTP secure with the widely used HTTPS. That includes how TLS works, how TLS sessions are established, common TLS misconfigurations, as well as famous attacks on TLS. We will discuss how to identify, exploit, and prevent TLS attacks.
Abusing HTTP Misconfigurations
Hard
Path Sections 20 Sections
Reward: +100
This module covers three common HTTP vulnerabilities: Web Cache Poisoning, Host Header Vulnerabilities, and Session Puzzling or Session Variable Overloading. These vulnerabilities can arise on the HTTP level due to web server misconfigurations, other systems that have to be considered during real-world deployment such as web caches, or coding mistakes in the web application. We will cover how to identify, exploit, and prevent each of these vulnerabilities.
HTTP Attacks
Hard
Path Sections 18 Sections
Reward: +100
This module covers three HTTP vulnerabilities: CRLF Injection, HTTP Request Smuggling, and HTTP/2 Downgrading. These vulnerabilities can arise on the HTTP level in real-world deployment settings utilizing intermediary systems such as reverse proxies in front of the web server. We will cover how to identify, exploit, and prevent each of these vulnerabilities.
Blind SQL Injection
Hard
Path Sections 16 Sections
Reward: +100
In this module, we cover blind SQL injection attacks and MSSQL-specific attacks.
Intro to Whitebox Pentesting
Hard
Path Sections 18 Sections
Reward: +100
Whitebox penetration testing enables thorough testing to identify various hard-to-find vulnerabilities. This module covers the process of whitebox pentesting and follows that with a practical demo by exploiting an advanced code injection vulnerability.
Modern Web Exploitation Techniques
Hard
Path Sections 18 Sections
Reward: +100
This module covers advanced web concepts and exploitation techniques, including performing DNS Rebinding to bypass faulty SSRF filters and the Same-Origin Policy, identifying and exploiting Second-Order vulnerabilities, and conducting common web attacks via WebSocket connections.
Introduction to Deserialization Attacks
Hard
Path Sections 15 Sections
Reward: +100
In this module, we will explore deserialization attacks with specific examples in Python and PHP.
Whitebox Attacks
Hard
Path Sections 15 Sections
Reward: +100
This module explores several web vulnerabilities from a whitebox approach: Prototype Pollution, Timing Attacks & Race Conditions, and those arising from Type Juggling. We will discuss how to identify, exploit, and prevent each vulnerability.
Advanced SQL Injections
Hard
Path Sections 12 Sections
Reward: +100
This module covers advanced SQL injection techniques with a focus on white-box testing, Java/Spring and PostgreSQL.
Advanced Deserialization Attacks
Hard
Path Sections 13 Sections
Reward: +100
This module focuses on developing custom exploits for .NET deserialization vulnerabilities from a whitebox perspective.
Parameter Logic Bugs
Hard
Path Sections 21 Sections
Reward: +100
This 'secure coding' module teaches how to identify logic bugs through code review and analysis, and covers three types of logic bugs caused by user input manipulation.