As web applications' popularity keeps increasing, so do the number and types of attacks that web applications are vulnerable to. Many of the most common web attacks have been covered in other web modules already. This module will cover a few other important web exploitation techniques.
The module starts by covering
HTTP Verb Tampering vulnerabilities that allow attacks to manipulate HTTP requests to access restricted web pages, which may give an attacker access to sensitive resources. The second topic covered is
Insecure Direct Object References (IDOR) vulnerabilities. IDORs are among the most common vulnerabilities in web applications and allow attackers to easily view and leak other user's private data due to improper access controls. Finally, the module will cover
XML External Entity (XXE) Injection vulnerabilities. These recently became among the top 10 most critical web vulnerabilities, as XXE vulnerabilities may allow attackers to read local files stored on the server, gain remote code execution (RCE), or even cause a Denial of Service.
In addition to the above, the
Web Attacks module will teach you the following:
HTTP Verb Tampering:
- What are HTTP Verb Tampering vulnerabilities?
- Examples of insecure configurations
- Detecting and exploiting HTTP Verb Tampering vulnerabilities
- Examples of secure serve configuration to prevent HTTP Verb Tampering vulnerabilities
- What are IDOR vulnerabilities, and how do they occur
- Examples of code vulnerable to IDOR
- Different types of IDOR vulnerabilities
- How to detect IDOR vulnerabilities
- Various methods of exploiting IDOR vulnerabilities
- Preventing IDOR vulnerabilities
- What are XXE vulnerabilities, and how do they occur
- Examples of code vulnerable to XXE
- Identifying and exploiting XXE vulnerabilities
- Various XXE prevention techniques
CREST CPSA/CRT-related Sections:
- Introduction to Web Attacks
- Intro to HTTP Verb Tampering
- Bypassing Basic Authentication
- Verb Tampering Prevention
- Intro to IDOR
- Identifying IDORs
- IDOR Prevention
- Intro to XXE
- Local File Disclosure
- XXE Prevention
This module is broken into sections with accompanying hands-on exercises to practice each of the tactics and techniques we cover. The module ends with a practical hands-on skills assessment to gauge your understanding of the various topic areas.
You can start and stop the module at any time and pick up where you left off. There is no time limit or "grading," but you must complete all of the exercises and the skills assessment to receive the maximum number of cubes and have this module marked as complete in any paths you have chosen.
As you work through the module, you will see example commands and command output for the various topics introduced. It is worth reproducing as many of these examples as possible to reinforce further the concepts presented in each section. You can do this in the
PwnBox provided in the interactive sections or your virtual machine.
The module is classified as "
Medium" and assumes a working knowledge of the Linux command line and an understanding of information security fundamentals. The module also assumes a basic understanding of web applications and web requests and will build on this understanding to teach how these vulnerabilities work and how to exploit them.
In addition to the above, a firm grasp of the following modules can be considered as prerequisites for the successful completion of this module:
- Web Requests
- Introduction to Web Applications
- Using Web Proxies
- Linux Fundamentals
- Introduction to Bash Scripting
Introduction to Web Attacks
As web applications are becoming very common and being utilized for most businesses, the importance of protecting them against malicious attacks also becomes more critical. As modern web applications become more complex and advanced, so do the types of attacks utilized against them. This leads to a vast attack surface for most businesses today, which is why web attacks are the most common types of attacks against companies. Protecting web applications is becoming one of the top priorities for any IT department.
Attacking external-facing web applications may result in compromise of the businesses' internal network, which may eventually lead to stolen assets or disrupted services. It may potentially cause a financial disaster for the company. Even if a company has no external facing web applications, they likely utilize internal web applications, or external facing API endpoints, both of which are vulnerable to the same types of attacks and can be leveraged to achieve the same goals.
While other HTB Academy modules covered various topics about web applications and various types of web exploitation techniques, in this module, we will cover three other web attacks that can be found in any web application, which may lead to compromise. We will discuss how to detect, exploit, and prevent each of these three attacks.
HTTP Verb Tampering
The first web attack discussed in this module is HTTP Verb Tampering. An HTTP Verb Tampering attack exploits web servers that accept many HTTP verbs and methods. This can be exploited by sending malicious requests using unexpected methods, which may lead to bypassing the web application's authorization mechanism or even bypassing its security controls against other web attacks. HTTP Verb Tampering attacks are one of many other HTTP attacks that can be used to exploit web server configurations by sending malicious HTTP requests.
Insecure Direct Object References (IDOR)
The second attack discussed in this module is Insecure Direct Object References (IDOR). IDOR is among the most common web vulnerabilities and can lead to accessing data that should not be accessible by attackers. What makes this attack very common is essentially the lack of a solid access control system on the back-end. As web applications store users' files and information, they may use sequential numbers or user IDs to identify each item. Suppose the web application lacks a robust access control mechanism and exposes direct references to files and resources. In that case, we may access other users' files and information by simply guessing or calculating their file IDs.
XML External Entity (XXE) Injection
The third and final web attack we will discuss is XML External Entity (XXE) Injection. Many web applications process XML data as part of their functionality. Suppose a web application utilizes outdated XML libraries to parse and process XML input data from the front-end user. In that case, it may be possible to send malicious XML data to disclose local files stored on the back-end server. These files may be configuration files that may contain sensitive information like passwords or even the source code of the web application, which would enable us to perform a Whitebox Penetration Test on the web application to identify more vulnerabilities. XXE attacks can even be leveraged to steal the hosting server's credentials, which would compromise the entire server and allow for remote code execution.
Let's get started by discussing the first of these attacks in the next section.