Summary
In the Whitebox Pentesting 101 module, you will build upon what you learned in the Secure Coding 101 module by identifying a Command Injection vulnerability in a NodeJS server and exploiting it to gain control over the remote server.
This module is your first step in learning the techniques of Whitebox Pentesting.
Whitebox Pentesting 101
Unlike Blackbox Pentesting, in which the tester is given no prior knowledge of, or access to, the target, in Whitebox Pentesting you have complete access to the codebase, debugging tools, and the local environment. This gives you a much better understanding of the code design, and therefore lets you identify hard-to-find vulnerabilities that would usually be impossible to find with Blackbox Pentesting alone.
In this module, you will learn the basics of Whitebox Pentesting, as follows:
- Code Review: Review the code and identify potential vulnerabilities
- Command Injection: Intro to Injections and Command Injections
- Local Debugging: Chart your way towards the vulnerable function
- Exploitation: Craft your payload to get remote code execution
Requirements
This module builds upon the Secure Coding 101 module and assumes that you have already completed it. Hence, you are expected to be familiar with the concepts discussed in it, such as Code Review, Reverse Engineering, Deobfuscating JS Code, and Secure Coding.
Introduction
Welcome to the Whitebox Pentesting 101: Command Injection module!
When we begin a Whitebox Pentesting exercise, we start by reviewing the codebase and analyzing it for vulnerabilities, as learned in the Secure Coding 101 module. Once we identify a potential vulnerability, we start our attempts to exploit it, through planning, local debugging, and eventually exploitation, which is what we will cover in this module.
In this module, we will discuss four main topics, as follows:
- Code Review 'highlights'
- Command Injection
- Local Debugging
- Exploitation
For example, imagine that a client has invited us to their site and asked us to analyze the application's code and check it for vulnerabilities. One of the most common vulnerabilities in newly written code is Command Injection. These vulnerabilities are mostly caused by the inattention and time pressure that developers have to endure during the development process.
This often results in complex tasks being solved as simply as possible, so functions are not written carefully, which allows an attacker to break out of a function's intended operation or escalate privileges. Some of these functions are written in such a way that they execute internal system commands, with user-controlled data ending up in the command line. Our goal is to identify these vulnerabilities during the Whitebox penetration test.