Ethical Hacking Techniques for Web Application Security

CONFIDENTIAL: The information in this document belongs to Boston Institute of Analytics LLC. Any unauthorized sharing of this
material is prohibited and subject to legal action under breach of IP and confidentiality clauses.
Solving Labs that are created for the
following vulnerabilities:
1. Login Bypass
2. Admin Credentials Access (SQLi)
3. CSRF
4. XSS

Abstract:
• The objective of this report is to solve labs designed to demonstrate vulnerabilities in web applications. These labs focus on
the following vulnerabilities:
• Login Bypass
• Admin Credentials Access (SQLi)
• Cross-Site Request Forgery (CSRF)
• Cross-Site Scripting (XSS)
• Utilizing VMware for penetration testing, the objective is to comprehensively investigate and demonstrate identified
vulnerabilities. Each vulnerability will be assessed based on its impact . Recommendations for mitigating each vulnerability will
be provided to enhance security measures.
• The investigation will also explore effective mechanisms and strategies to safeguard the entire web application against these
vulnerabilities. This report aims to enhance understanding among web application developers, providers, and users regarding
common security issues in web applications and the best practices for addressing them.

Research:
• Hack The Box (HTB) is a popular platform for penetration testing and ethical hacking practice. Here are some details about it:
• Name: Hack The Box
• URL: https://academy.hackthebox.com
• Category/Type: Penetration Testing Labs, CTF (Capture The Flag) Challenges
• Overall Ranking/Usage/Popularity: Hack The Box is highly popular among cybersecurity enthusiasts, penetration testers, and
ethical hackers worldwide. It offers a wide range of machines with varying difficulty levels, from beginner to advanced, to
simulate real-world scenarios and challenges. Users can practice their skills in areas like web application security, network
penetration testing, cryptography, and more. Hack The Box also hosts regular competitions and events, contributing to its
popularity within the cybersecurity community.

About XSS:
Cross Site Scripting(XSS):
Types of XSS
Reflected XSS
Stored XSS
 XSS - Cross-Site Scripting (XSS) is a common security vulnerability in web applications. It occurs when an attacker injects
malicious scripts into web pages viewed by other users. These scripts are executed in the context of the user's browser, which
can lead to various malicious activities.
o Reflected XSS - Reflected XSS occurs when an attacker injects a malicious script into a web application, and this script is
immediately reflected (or echoed) back to the user's browser within the server's response.
o Stored XSS - Stored XSS occurs when an attacker injects malicious scripts (typically JavaScript) into a vulnerable web
application. These scripts are stored on the server-side, such as in a database, and are later served to users when they
request the compromised content.

Solving Labs:
• Question: What is the value of the 'flag' cookie?
• Lab Exploration: In our lab setup, depicted in image 1, there is an
input field available.
• Testing for XSS Vulnerability: To determine if the website is
vulnerable to XSS, we crafted a simple payload:
• <script>alert("Never Give up")</script>
• Payload Explanation: The alert() function in JavaScript is utilized
to display a dialog box with the specified message, in this case,
"Never Give up".
• Upon injecting this payload, as shown in image 2, a popup
displaying our message confirms the website's susceptibility to
XSS.
• Next Step: Now, let's proceed to extract the website's cookie
using an XSS payload.
Image 1
Image 2

Continuation:
• We employed the following JavaScript payload to access and display all cookies associated with the current domain:
• <script>alert(document.cookie)</script>
• Executing this script successfully retrieved the cookie flag from the website, as depicted in image 3."
Image 3

Impact Analysis for XSS Vulnerabilities:
1. Data Theft:
• Impact: Attackers can steal sensitive information like user credentials or personal data.
• Example: By exploiting an XSS vulnerability on a social media site, an attacker injects a script into comments to steal users' session
cookies. This allows them to log in as the victim without needing their password.
2. Session Hijacking:
• Impact: Attackers can take over legitimate user sessions.
• Example: An XSS flaw in an online banking site lets an attacker redirect a user to a malicious page that captures their session cookie. This
allows unauthorized access to the victim's account.
3. Client-Side Defacement:
• Impact: Attackers can modify a website's appearance, damaging trust.
• Example: Using XSS on an e-commerce site, an attacker posts a review with a script that changes the website's layout to display offensive
content, harming the site's reputation.
4. Malware Distribution:
• Impact: XSS vulnerabilities can deliver malware to users' devices.
• Example: An attacker exploits an XSS weakness in a news site's comment section to inject a script that downloads malware onto visitors'
computers, potentially compromising their security.

Recommendations:
1. Implement robust input validation and output encoding
• Action: Sanitize user inputs to strip out or neutralize potentially dangerous characters.
• Example: On a forum website, input fields should filter out HTML tags and JavaScript code, ensuring only plain text is displayed. This
prevents attackers from injecting harmful scripts that could compromise users' browsers.
2. Use Content Security Policy (CSP) headers
• Action: Implement CSP directives to specify which domains are allowed to load scripts and resources.
• Example: A website can set a CSP header that only allows scripts to be loaded from its own domain (self) and trusted sources
(trusted.com). This prevents malicious scripts from unauthorized domains from executing in users' browsers.
3. Regularly update and patch web application
• Action: Stay informed about security updates for frameworks like React or Angular and apply patches promptly.
• Example: After discovering an XSS vulnerability in a widely used JavaScript library, developers quickly release a patched version. Websites
using the updated library avoid the risk of exploitation by attackers targeting the vulnerability.

Login Bypass using SQL Injection:
• SQL Injection is a type of cyber attack where an attacker inserts
or "injects" malicious SQL code into a query. This can allow the
attacker to view, modify, or delete data from a database without
proper authorization.
• In this exercise, we will attempt to bypass the login page without
a password.
• Initially, we will test default credentials – admin, admin.
However, this approach was unsuccessful.
• Next, we will perform SQL Injection (SQLI) using a basic payload:
• admin ' or '1' = '1'-- -
• Unfortunately, this payload did not work.
• Therefore , we will proceed to brute-force the login page using
various SQLI payloads.
• We will use payloads from the following GitHub repository:
PayloadsAllTheThings - SQL Injection - Authentication Bypass
Image 4
image 5

Continuation:
• We will utilize Burp Suite Intruder to perform a brute-force
attack on the target application. The intercepted request, as
shown in the attached image, has the username field
designated as the target (payload encoding must be disabled).
• As indicated in the image, shorter payloads are effective and can
bypass the login page. We will employ a straightforward
payload:
• admin’ or 1=1#
• In this payload, 1=1 always evaluates to true, and the #
character is used to comment out the remainder of the SQL
statement, effectively ignoring the password field.
• Using this technique, we successfully bypassed the login
mechanism and gained access to the application dashboard.
Image 6
Image 7
Image 8

Impact Analysis of SQL Injection for Login Bypass:
1. Unauthorized Access
• Impact: Attackers can gain access to restricted areas of the application.
• Example: Bypassing authentication to login as an administrator.
2. Privilege Escalation
• Impact: Attackers can elevate their privileges within the application.
• Example: Accessing sensitive functions or data reserved for privileged users.
3. Data Exposure
• Impact: Attackers can retrieve sensitive user information.
• Example: Extracting user credentials or personal details from the database.

Recommendations:
1. Validate and Sanitize Inputs
• Action: Check user inputs to ensure they're safe.
• Example: Validate username and password formats strictly.
2. Implement Strong Authentication
• Action: Use multi-factor authentication (MFA).
• Example: Require users to verify identity through a second factor like OTPs.
3. Regular Security Updates
• Action: Keep software and libraries updated.
• Example: Schedule routine security patches and updates.
4. Educate Developers
• Action: Train developers on secure coding practices.
• Example: Foster awareness of SQL injection risks.

Admin credential Access using SQLI:
• Question: Using SQL injection, retrieve the password for the
username 'Adam' stored in the SQL database.
• We utilized SQLMAP, an automated tool, to extract data from the
database. The command used is as follows:
• sqlmap -u "http://94.237.60.99:38071/" --
data="username=admin&password=admin123" --dbs --batch --
dbms=mysql
• Explanation:
• SQLMAP: Tool used for automated SQL injection and database
takeover.
• -u: Specifies the URL of the target website.
• --data: Defines the POST data for the request.
• --dbs: Instructs SQLMAP to extract database names.
• --batch: Executes SQLMAP in batch mode for automated operation.
• --dbms=mysql: Specifies the database management system as Mysql.
Image 9(DASHBOARD)

Continuation:
• Results: Following execution, SQLMAP successfully identified the database
structure and contents, facilitating the retrieval of necessary information to
proceed with extracting the password for the username 'Adam'. The database
name was retrieved as shown in the provided image.
• To explore the ilfreight database further and retrieve its tables, we executed the
following SQLMAP command:
• sqlmap -u "http://94.237.60.99:38071/" --
data="username=admin&password=admin123" -D ilfreight --tables --batch --
dbms=mysql
• Command Breakdown:
• -D ilfreight: Specifies the ilfreight database for SQLMAP to focus on.
• --tables: Instructs SQLMAP to enumerate all tables within the specified database.
• Outcome: We identified 2 tables within the ilfreight database. Subsequently, we
proceeded to examine the 'users' table.
• Extracting Data from 'users' Table:
• To retrieve data from the 'users' table, we used the following SQLMAP command:
Image 10
Image 11

Continuation:
• sqlmap -u "http://94.237.60.99:38071/" --
data="username=admin&password=admin123" -D ilfreight -T
users --dump --batch --dbms=mysql
• Command Breakdown:
• -T users: Targets the 'users' table within the ilfreight database.
• --dump: Instructs SQLMAP to extract and display all data from
the specified table.
• The command successfully retrieved data from the 'users'
table, revealing stored information including the password for
the user Adam.
Image 12

CSRF(Cross-Site Request Forgery):
• CSRF is a web security vulnerability that tricks a user into executing
unwanted actions on a web application where they're authenticated.
It exploits the trust that a site has in the user's browser.
• Question- To solve the lab, craft some HTML that uses a CSRF attack
to change the viewer's email address and upload it to your exploit
server.
• We will change users account email id from “weiner@normal-
user.net” to lucky@gmail.com.
• Open Burp's browser and log in to our account. Submit the "Update
email" form, and find the resulting request in our Proxy history.
• The resulting request URL is “/my-account/change-email”.
• Using this we will Create a form that submits a request to change the
user's email ID.
Image 13
Image 14

Continuation:
• <form method="POST"
action="https://0aa900d8042951e28278b0d2004900a2.web-security-
academy.net/my-account/change-email">
<input type="hidden" name="email" value=”lucky@gmail.com">
</form> <script> document.forms[0].submit(); </script>
• Method: The form uses the POST method to submit data to the server.
• Action: The action attribute specifies the URL to which the form data
will be sent. In this case, it's the endpoint for changing the user's email.
• Hidden Input: The input element of type "hidden" includes the new
email address, lucky@gmail.com, which the attacker wants to set.
• Script Tag: This script automatically submits the form when the page
loads.
• document.forms[0].submit(): This JavaScript code selects the first form
on the page (in this case, the only form) and submits it immediately.
• User Interaction: Trick the user into clicking the link. Once the user clicks
on this malicious link and the page loads, the email ID will be changed to
lucky@gmail.com without the user's knowledge.
Image 15

Impact analysis of CSRF:
1. Unauthorized Actions:
• Attackers can perform actions on behalf of the user without their knowledge
• Example: Hackers change your social media password without you knowing, locking you out of your account.
2. Data Integrity:
• Sensitive data could be altered or deleted, leading to potential data breaches.
• Example: A hacker alters grades in a school database through a software flaw, affecting student records.
3. Loss of User Trust:
• Users may lose trust in the application if they realize their accounts can be manipulated without their consent.
• Example: A data breach leaks customer emails from an online store, making users wary of shopping there again.
4. Financial Loss:
• For applications involving financial transactions, CSRF can lead to significant financial loss.
• Example: Cybercriminals use stolen credit card details to make unauthorized purchases online.
5. Escalation of Privileges:
• If the user has administrative privileges, the attack's impact can be more severe, potentially compromising the entire system.
• Example: Exploiting a software bug, a hacker gains admin rights on a forum, deleting user posts at will.

Recommendation:
1. Utilize Tokens:
• Action: Use anti-CSRF tokens in forms and requests to verify the origin of requests.
• Example: A banking application includes a unique token in each form submission. When a user attempts to transfer funds, the server
verifies that the token matches, preventing forged requests from being processed.
2. Implement SameSite cookies:
• Action: Set the SameSite attribute on cookies to "Strict" or "Lax" to restrict how cookies are sent in requests.
• Example: A social media platform ensures that session cookies are set with the SameSite attribute to prevent them from being used in
CSRF attacks initiated from another website.
3. Educate users:
• Action: Provide users with security awareness training to recognize phishing attempts and malicious websites.
• Example: An email service advises users not to click on links from unknown senders or to verify the authenticity of requests before
entering sensitive information.

Reference
• https://owasp.org/www-community/attacks/xss/
• https://portswigger.net/web-security/cross-site-scripting
• https://portswigger.net/web-security/sql-injection
• https://owasp.org/www-community/attacks/SQL_Injection
• https://portswigger.net/web-security/csrf
• https://medium.com/@ry4nnnn/portswigger-labs-csrf-
10b496d6580c
• https://github.com/sqlmapproject/sqlmap
• https://www.geeksforgeeks.org/use-sqlmap-test-website-sql-
injection-vulnerability/
• https://academy.hackthebox.com

Questions ?

Thank You!

Ethical Hacking Techniques for Web Application Security

More Related Content

What's hot (20)

Similar to Ethical Hacking Techniques for Web Application Security (20)

More from Boston Institute of Analytics (20)

Recently uploaded (20)

Ethical Hacking Techniques for Web Application Security