In this module, we will discuss how to identify and exploit three common web vulnerabilities in a whitebox penetration test. In particular, we will discuss prototype pollution, timing attacks & race conditions, and type juggling vulnerabilities from a whitebox approach, focusing on identifying and exploiting them by analyzing the web application's source code.
In more detail, this module covers the following:
- Introduction to prototype pollution
- Exploitation of prototype pollution to escalate privileges
- Exploitation of prototype pollution to execute code
- Exploitation of client-side prototype pollution to achieve XSS
Timing Attacks & Race Conditions
- Exploitation of differences in response time to enumerate users
- Exploitation of differences in response time to exfiltrate data
- Exploitation of race conditions
- What is type juggling?
- Exploitation of type juggling to bypass authentication
- Exploitation of type juggling to bypass security measures
CREST CCT INF-related Sections:
- All sections
This module is broken into sections with accompanying hands-on exercises to practice each of the tactics and techniques we cover. The module ends with a practical hands-on skills assessment to gauge your understanding of the various topic areas.
You can start and stop the module at any time and pick up where you left off. There is no time limit or "grading," but you must complete all of the exercises and the skills assessment to receive the maximum number of cubes and have this module marked as complete in any paths you have chosen.
As you work through the module, you will see example commands and command output for the various topics introduced. It is worth reproducing as many of these examples as possible to reinforce further the concepts presented in each section. You can do this in the
PwnBox provided in the interactive sections or your virtual machine.
A firm grasp of the following modules can be considered as prerequisites for the successful completion of this module:
Introduction to Whitebox Attacks
This module will explore three advanced web vulnerabilities using a
whitebox approach and how to exploit them:
Timing Attacks &
Race Conditions, and
Prototype Pollution is a vulnerability specific to
Timing Attacks & Race Conditions
Timing Attacks and
Race Conditions are vulnerabilities that can arise in any software, not just web applications. As such, they are often overlooked in web security since they are not exclusive to web applications. A web application is vulnerable to timing attacks if response timing can be used as a
side-channel to infer information about the web application. That may include the enumeration of valid usernames or the exfiltration of data from the web server. On the other hand, race conditions arise from the multithreaded execution of a web application. Suppose the web application assumes a sequential execution of certain operations but is deployed on a multithreaded web server. In that case, race condition vulnerabilities can arise, leading to data loss or business logic vulnerabilities.
Type Juggling in PHP occurs when variables are converted to different data types in specific contexts. In particular, PHP features loose comparisons (using the
== operator), which compare two values after type juggling, and strict comparisons (using the
=== operator), which compare two values as well as their data type. Confusing these two operations can lead to security vulnerabilities and bugs if the web application code contains a loose comparison instead of a strict one. Abusing loose comparisons can lead to unexpected and undesired outcomes, potentially leading to security vulnerabilities such as authentication bypasses or privilege escalation.