Advanced Web Hacking

INTRODUCTION

This module is an overview of offensive security for web applications, focusing on understanding the necessary tools and techniques for successful security testing. The module dives into web application architecture and introduces foundational concepts such as HTTP protocol, web proxies, and penetration testing methodologies. It emphasizes the importance of a secure development lifecycle (SDLC) and how it relates to the security testing process to prepare attendees to master web application penetration testing.

• Lab Setup And Architecture Overview
• Burp Suite 101

ATTACKING AUTHENTICATION AND AND SINGLE SIGN ON (SSO)

This module introduces various authentication protocols used in modern web applications and discusses various techniques for exploiting and bypassing them. Participants will learn how to identify common authentication vulnerabilities such as vulnerable JWT implementations, vulnerabilities in SAML authorization, and misconfigurations in OAuth.

Additionally, the module includes case studies that demonstrate how to bypass 2-factor authentication (2FA) mechanisms and exploit authentication bypasses using subdomain takeover techniques.

• Boundary Condition
• Exploiting JWT and JWS Implementation
• SAML Authorization Bypass
• Case Studies:
  • Bypassing 2-Factor Authentication (2FA)
  • Authentication Bypass using Subdomain Takeover
  • OAuth Misconfiguration Attack

PASSWORD RESET ATTACKS

The module introduces techniques to attack and bypass validation mechanisms, such as Host Header Validation Bypass, which can be used to bypass password reset validation across different domains. The attendees will also learn about Bypassing IP Based Bruteforce Protections, where attackers can leverage cloud services to carry out brute-force attacks against password reset tokens.

• Cookie Swap Attack
• Host Header Validation Bypass
• Bypassing IP Based Brute force Protections

BUSINESS LOGIC FLAWS / AUTHORIZATION FLAWS

The module educates attendees on identifying and exploiting common web application business logic and authorization flaws and provides them with in-depth knowledge of the different types of flaws.

Covering Mass Assignment, which occurs when information is unnecessarily indexed or written in fields that should remain blank, and Second Order Insecure Direct Object Reference (IDOR), where an attacker can indirectly manipulate data without an ID. Additionally, the module introduces attendees to race conditions in web applications, a type of flaw that arises when multiple requests make an unpredicted effect on the intended function.

• Mass Assignment
• Second Order IDOR
• HTTP Parameter Pollution (HPP)
• Identifying and Exploiting Race Conditions in Web Apps

API PENTESTING

This module focuses on application programming interface (API) security testing, which is critical for securing web applications that rely on them. Attendees will learn how to identify and exploit authorization bypass vulnerabilities in REST APIs using different techniques. Moreover, the module includes training on exploiting GraphQL APIs that have become popular due to their flexibility in handling complex data queries. Additionally, the module covers gRPC endpoints and how to identify and exploit them effectively.

• API Authorization Bypass - REST APIs
• Exploiting GraphQL APIs

XML EXTERNAL ENTITY (XXE) ATTACK

This module is designed to give attendees an in-depth understanding of XML External Entity (XXE) attacks, which can be exploited to gain unauthorized system access. The module covers the basics of XXE, then moves to explain advanced XXE exploitation techniques such as exfiltrating data through out-of-band (OOB) channels and techniques to exploit XXE through SAML. The module also demonstrates the use of XXE in applications that parse files containing XML, such as MS Office documents.

• XXE Basics
• Advanced XXE Exploitation over OOB channels
• XXE through SAML
• XXE in File Parsing

BREAKING CRYPTOGRAPHY

This module focuses on cryptography testing and attacks which was commonly found in web applications. Attendees will learn how to identify and exploit different cryptography vulnerabilities to understand the importance of utilizing strong & modern cryptography implementations for web application security.

The module covers the basics of cryptography with examples of how cryptography can be used in password reset workflows and how to exploit the known plaintext attack in these scenarios.Furthermore, it covers Hash Length Extension Attacks, which can be used to spoof a valid hash signature and alter the contents of data. Finally, it dives into authentication bypasses using .NET Machine Keys that have been leaked or exposed to the internet.

• Known Plaintext Attack (Faulty Password Reset)
• Exploiting padding oracles with fixed IVs
• Hash length extension attacks
• Auth bypass using .NET Machine Key

REMOTE CODE EXECUTION (RCE)

This module covers deserialization attacks that can lead to Remote Code Execution (RCE) vulnerability in web applications. It educates attendees on methods to exploit insecure deserialization against various coding languages, including PHP, Java, & Python. The module then moves to less conventional RCE attacks such as Git misconfigurations, and Server-side Template Injection. The module demonstrates real-life examples of how these attacks can be exploited and also highlights the importance of secure coding practices to mitigate the risks of these attacks in web applications.

• PHP Deserialization Attack
• Java Serialisation Attack
• Binary
• XML
• SerialVersionUID Mismatch
• .Net Serialisation Attack
• Plex Python Deserialization Attack
• Leverage Git Misconfiguration to ViewState Deserialization
• Server Side Template Injection
• Server-Side Template Injection in YouTrack

SQL INJECTION (SQLi) MASTERCLASS

This module is devoted to mastering SQL Injection (SQLi), one of the most dangerous vulnerabilities that allow attackers to execute unauthorized SQL queries. The module outlines Advanced SQL injection techniques such as Second-order Injection and Out-of-Band (OOB) Exploitation, which can be used to bypass modern-day security measures such as Web Application Firewalls (WAFs). Additionally, it covers SQLi through Cryptography, where the attacker can manipulate input parameters or fields using different cryptographic techniques. The module demonstrates exploiting the Operating System through PowerShell and covers advanced SQLMap usage, which is a potent SQL injection tool.

• 2nd order injection
• Out-of-Band exploitation
• SQLi through Cryptography
• OS code Execution via powershell
• Advanced topics in SQli
• Advanced SQLMap Usage and Web Application Firewall (WAF) bypass

TRICKY FILE UPLOAD

This module delves into some less commonly identified methods to bypass file validation checks.Attendees will learn about the importance of preventing unauthorized executable code from being uploaded onto the web server and how attackers can exploit file upload vulnerabilities.

The module emphasizes the use of malicious file extensions, such as asp or phtml, that can pass through validation protocols not designed to detect executable files. Additionally, the module covers strategies to identify and exploit hardened web servers that have implemented security measures against file upload attacks.

• Malicious File Extensions
• Circumventing File validation checks
• Exploiting hardened web servers
• SQL injection via File Metadata

SERVER SIDE REQUEST FORGERY (SSRF)

This module provides attendees with an in-depth understanding of Server-Side Request Forgery (SSRF) attacks and how they can be exploited to gain unauthorized access to sensitive information on internal networks, often bypassing firewall restrictions.

• SSRF to query internal network
• SSRF to exploit templates and extensions
• SSRF filter bypass techniques
  • SSRF Filter Bypass via DNS Rebinding

ATTACKING THE CLOUD

This module is focused on attacking various cloud services and outlines different techniques attackers can use to exploit vulnerabilities in cloud services. It covers Serverless Exploitation and gaining code execution via Lambda functions, Google Dorking in the Cloud Era, AWS Cognito Misconfigurations leading to Data Exfiltration, and SSRF to RCE in Legacy AWS Web Applications.This module is designed to empower individuals to proactively address security challenges within various cloud infrastructures.

• Serverless exploitation
• Google Dorking in the Cloud Era
• Cognito misconfiguration to data exfiltration
• SSRF to RCE in Legacy AWS Web Applications
• Case studies:
  • SSRF to Amazon Elastic Compute Cloud (EC2) takeover
  • AWS credentials Leaked (Netflix, TD Bank)

WEB CACHING ATTACKS

This module covers the Web Cache Poisoning Attack, where an attacker can manipulate the content that the cache serves to all the users, often bypassing typical security measures. The attendees will learn how attackers can manipulate the cache mechanisms to execute cache poisoning attacks and the impact of cascading cache poisoning attacks. Furthermore, the module highlights the importance of secure coding practices when designing caching mechanisms, emphasizing the strategies to prevent caching attacks effectively.

• Web Cache Deception
• Web Cache Poisoning Attack
• Web Cache Poisoning in Drupal8

CLIENT-SIDE VULNERABILITIES

This module covers the vulnerability related to client side bypasses, where an attacker can analyse the client-side JavaScript file and identify the potential vulnerability which leads to XSS or sensitive information leakage in case of post message bugs. In modern application it has implemented the protection of integrity of data supplied in HTTP request which prevents from further testing of the web application, here by creating your own burp suite custom plugins we can update the parameter at runtime which was used to protect the integrity allow an attacker to modify the request data and test the entire application for security vulnerabilities.

• Exploiting Post Message Bugs
• Writing your own Burp Plugins to Bypass Integrity Checks
  • Understanding the Limitation
  • Understanding Burp Montaya APIs
  • Writing your Burp Plugin
  • Exploiting the Application
• HTTP Desync Attack

VARIOUS CASE STUDIES

• A Collection of weird and wonderful XSS, CSRF, SSRF, RCE attacks