DINKAR MISHRA 1
• Solve labs that are created for the following vulnerabilities:
1. Login Bypass
2. Admin Credentials Access (SQLi)
3. CSRF
4. XSS
1. Login Bypass :-
Introduction :-
Login bypass vulnerabilities are security flaws that allow
unauthorized users to gain access to a system by
circumventing the standard authentication mechanisms.
These vulnerabilities can be exploited in various ways, each
depending on the specific weaknesses of the system in
question.
Here are some common methods of login bypass:-
1. SQL Injection.
2. Brute Force Attack.
3. Default Credentials.
4. URL Manipulation.
5. Weak Password Recovery Mechanisms.
Tools Used :-
1. Burp Suite
2. Kali Linux
3. Wappalyzer
Web site link used for the practical :-
https://0ac5007d0496376680a6c61e008c0063.web-security-academy.net/ ----> PortSwigger
Technology Used By Site :-
Login Bypass using Brute Force on Password Change :-
Step 1:-
Log in to the site with your username and password.
Step 2:-
Change the password, entering two different new passwords; the error message says “New passwords do not match”.
The site verifies the current password before comparing the two new ones, so this message is only returned when the current password was correct. We can use this message to enumerate the correct password.
Step 3:- Send this request to Burp Intruder:
“POST /my-account/change-password HTTP/2”
Step 4:-
In Burp Intruder, change the username parameter to carlos and add a payload position to the current-password parameter.
Step 5:-
On the Payloads tab, enter the list of passwords as the payload set.
Step 6:-
On the Settings tab, add a grep match rule to flag responses containing “New passwords do not match”. Start the attack.
Step 7 :-
When the attack has finished, notice that one response contains the “New passwords do not match” message. Make a note of this password.
Step 8:-
In the browser, log out of your own account and log back in with the username carlos and the password that you just identified.
Mitigations :-
• Implement Strong Password Policies: Encourage users to
create complex passwords that include a mix of upper and
lowercase letters, numbers, and special characters. Enforce
password complexity requirements through your
authentication system.
• Enforce Regular Password Changes: Regularly prompt
users to change their passwords, but ensure that the
frequency isn't so high that it becomes burdensome or
encourages users to create predictable passwords.
• Multi-factor Authentication (MFA): Implement MFA to
add an extra layer of security beyond passwords. This
could involve using a one-time code sent to a user's phone
or email, biometric authentication, or hardware tokens.
• Account Lockout Policies: Implement account lockout
mechanisms that temporarily lock an account after a
certain number of failed login attempts. This prevents
brute force attacks by making it impractical to try a large
number of passwords.
• Monitoring and Alerting: Set up monitoring systems to
detect unusual login attempts or patterns of activity that
may indicate a brute force attack. Configure alerts to
notify administrators when such activity is detected so
they can take action.
• Rate Limiting: Implement rate limiting on login attempts
to prevent an attacker from making too many requests in a
short period of time. This can help mitigate the
effectiveness of brute force attacks by slowing down the
rate at which passwords can be tried.
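The password-change oracle relied on in Steps 2–7 and the account-lockout / rate-limiting mitigations above, shown together as an added example in Python (not code from the slides or from the PortSwigger lab). The first handler reproduces the vulnerable ordering: it verifies the current password first and returns a distinct message for each failure. The second validates the new-password pair before touching the secret, returns one generic message, takes the account from the session rather than a request parameter, and locks the account after repeated failures. The in-memory user store, the sample credentials and the MAX_FAILURES / LOCKOUT_SECONDS values are assumptions.

```python
# Added example, not code from the slides or from the lab.
# Users, passwords and the policy constants below are constructed/assumed.
import hashlib
import hmac
import secrets
import time

MAX_FAILURES = 5            # assumed policy: failed checks before lockout
LOCKOUT_SECONDS = 15 * 60   # assumed policy: lockout window in seconds


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


class UserStore:
    """In-memory stand-in for the users table (constructed for the example)."""

    def __init__(self):
        self.users = {}     # username -> (salt, pbkdf2 hash)
        self.failures = {}  # username -> (failure count, time of first failure)

    def set_password(self, username, password):
        salt = secrets.token_bytes(16)
        self.users[username] = (salt, _hash(password, salt))

    def check(self, username, password) -> bool:
        if username not in self.users:
            return False
        salt, stored = self.users[username]
        return hmac.compare_digest(_hash(password, salt), stored)


def change_password_vulnerable(store, username, current, new1, new2):
    """The behaviour the lab steps rely on: the current password is verified
    FIRST and each failure has its own message, so "New passwords do not match"
    is only ever returned when `current` was correct. Submitting two different
    new passwords therefore turns the endpoint into a yes/no oracle.
    `username` is also read from the request, which is what lets Step 4
    retarget the check at carlos."""
    if not store.check(username, current):
        return 400, "Current password is incorrect"
    if new1 != new2:
        return 400, "New passwords do not match"
    store.set_password(username, new1)
    return 200, "Password changed"


def change_password_hardened(store, session_user, current, new1, new2, now=None):
    """Hardened handler:
    1. the account is the logged-in session user, never a request parameter;
    2. the new-password pair is validated before the secret is touched, so a
       mismatch response carries no information about `current`;
    3. every failure returns the same generic message;
    4. repeated failed checks lock the account for LOCKOUT_SECONDS
       (the slides' account-lockout / rate-limiting mitigation)."""
    now = time.time() if now is None else now
    if new1 != new2:
        return 400, "Password change failed"
    count, first = store.failures.get(session_user, (0, now))
    if now - first >= LOCKOUT_SECONDS:          # window expired: start over
        count, first = 0, now
    if count >= MAX_FAILURES:
        return 429, "Too many attempts, try again later"
    if not store.check(session_user, current):
        store.failures[session_user] = (count + 1, first)
        return 400, "Password change failed"
    store.failures.pop(session_user, None)
    store.set_password(session_user, new1)
    return 200, "Password changed"
```

The lockout counter is per account, which is what stops the Step 4 attack against carlos; in production it would be backed by shared storage and paired with the monitoring and alerting the slides describe, since a burst of 400 responses on the change-password endpoint for one account is the signal to alert on.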
2. ADMIN CREDENTIALS ACCESS (SQLi)
Introduction :-
SQLi stands for SQL Injection, and it's a type of
vulnerability that occurs in web applications. In VAPT
(Vulnerability Assessment and Penetration Testing),
SQLi refers to the exploitation of this vulnerability to
manipulate a database using SQL queries.
When a web application doesn't properly sanitize or validate user input, an attacker can inject malicious SQL code into the input fields.
This malicious code can then be executed by the application's
database, allowing the attacker to perform various actions
like retrieving sensitive data, modifying or deleting data, and
even taking control of the entire database server.
SQLi is identified through various techniques such as input
validation testing, automated scanning tools, and manual
testing. Once identified, it's crucial to fix the vulnerability by
implementing proper input validation and sanitization
techniques to prevent potential exploitation.
Tools used :-
1. Burp Suite
2. Kali Linux
3. Wappalyzer
Web site link used for the practical :-
https://0a6d003e03145e2d8015940d00fb00f7.web-security-academy.net/ ----> PortSwigger
“The login function on the website already has a SQL Injection vulnerability, so we don’t need to use any additional tools to find it. So we can directly perform our labs.”
SQL Injection Vulnerability Attack and Login As Admin User :-
Step 1:-
Use the default username and password to capture the request in Burp Suite.
Step 2:-
Analyze the pattern of the SQL query, which is likely of the form:
SELECT * FROM users WHERE username = 'admin' AND password = 'admin'
• As you can see, if we enter a wrong username and password it returns a “400 Bad Request” error.
• But if we use SQL injection it returns an error that shows this site has a SQLi vulnerability.
Step 3:-
After capturing the request, send it to Intruder and Repeater.
Then mark the username parameter as the payload position, load the payload list and run the attack.
Step 4:-
As you can see, the “302” status code indicates successful authentication.
The working SQLi payload is “Administrator'--”
Username :- Administrator'--
Password :- Anything
Mitigations:-
Parameterized Queries: Use parameterized queries or prepared
statements provided by your programming language or ORM (Object-
Relational Mapping) framework. This helps separate SQL code from
data, making it much harder for attackers to inject malicious SQL
code.
Stored Procedures: Utilize stored procedures to encapsulate SQL
code on the database server. This can prevent attackers from directly
manipulating SQL queries.
Input Validation: Validate and sanitize user inputs to ensure they
conform to expected formats. Reject any input that doesn't meet
validation criteria.
Least Privilege Principle: Ensure that the database user account used
by the application has the least privileges necessary. For example, it
should only have permissions to execute stored procedures or
specific queries, rather than being able to directly modify database
structure or access sensitive data.
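The login query from Step 2 built by string concatenation, beside the parameterized form from the mitigations above, as an added example (Python with the built-in sqlite3 module; not code from the slides or from the lab). The in-memory users table, its rows and the username allowlist are constructed. Running both against the Step 4 payload shows why parameterization, not quoting or filtering, is the primary fix.

```python
# Added example, not code from the slides or from the lab. The users table and
# its rows are constructed; real applications store password hashes, not plaintext.
import re
import sqlite3

USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")   # assumed allowlist


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("Administrator", "constructed-admin-pw"),
                      ("wiener", "constructed-user-pw")])
    return conn


def login_vulnerable(conn, username: str, password: str) -> bool:
    # The query shape from Step 2, with the input spliced into the SQL text.
    # A quote in `username` ends the string literal and '--' comments out the
    # password check, which is exactly what the Step 4 payload does.
    query = (f"SELECT * FROM users WHERE username = '{username}' "
             f"AND password = '{password}'")
    return conn.execute(query).fetchone() is not None


def login_parameterized(conn, username: str, password: str) -> bool:
    # Placeholders: the values travel separately from the SQL text, so quotes
    # and comment markers are matched as data, never parsed as syntax.
    query = "SELECT * FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


def username_is_well_formed(username: str) -> bool:
    # Input validation as defence in depth: it rejects the payload outright,
    # but it is not a substitute for parameterization.
    return USERNAME_RE.fullmatch(username) is not None
```

The least-privilege mitigation sits outside this snippet: the account the application connects with should only be able to run the queries it needs, so that even a successful injection cannot alter schema or read unrelated tables.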
3. CSRF:-
Introduction:-
CSRF stands for Cross-Site Request Forgery. It's a type of
malicious attack where an attacker tricks a user into
unintentionally executing actions on a web application in which
they are authenticated. This is achieved by exploiting the trust
that a web application has in a user's browser.
Here's how CSRF attacks typically work:
1. Authentication: The victim user is authenticated to a web application by logging in, and a session cookie is stored in their browser to maintain the session.
2. Malicious Link or Code: The attacker then lures the victim into visiting a web page controlled by the attacker. This could be through a phishing email, a malicious website, or other means. The malicious page contains code or a link that automatically sends a request to the vulnerable web application.
Tools used :-
1. Burp Suite
2. Kali Linux
3. Wappalyzer
Web site link used for the practical :-
https://0a9800da03544bed81608aa800080017.web-security-academy.net/login ----> PortSwigger
“The login function on the website already has a CSRF vulnerability, so we don’t need to use any additional tools to find it. So we can directly perform our labs.”
CSRF vulnerability test :-
Step 1:-
Check whether the site has a CSRF vulnerability.
We need to test whether changing the request method from “POST” to “GET” allows the request to work without requiring a CSRF token.
• The request method can be changed to GET, which does not require a CSRF token.
• Hence this site has a CSRF vulnerability.
Step 2:- Exploit
• Generate a CSRF PoC.
• Right-click on the request, and from the context menu select Engagement tools / Generate CSRF PoC. Enable the option to include an auto-submit script and click "Regenerate".
Change the email address and match the request session ID.
Step 3:-
Use the following HTML template. You can get the request URL by right-clicking and selecting "Copy URL". Store the exploit, then click "Deliver to victim".
<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
    <form action="https://0a9800da03544bed81608aa800080017.web-security-academy.net/my-account/change-email">
      <input type="hidden" name="email" value="dinkarmishra105&#64;test&#46;com" />
      <input type="submit" value="Submit request" />
    </form>
    <script>
      history.pushState('', '', '/');
      document.forms[0].submit();
    </script>
  </body>
</html>
Mitigations:-
CSRF Tokens: Generate unique tokens for each session or
form submission. These tokens are embedded in forms or
included in requests, and the server verifies them to ensure
the request is legitimate.
SameSite Cookies: Set the SameSite attribute on cookies to
"Strict" or "Lax" to prevent cookies from being sent in
cross-origin requests. This helps mitigate CSRF attacks by
reducing the likelihood of unauthorized requests
originating from other sites.
Custom Headers: Include custom headers in requests and
verify them on the server side. This can add an extra layer
of protection, as attackers would need to know and include
these custom headers in their forged requests.
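The server-side checks that defeat the Step 1 method switch and the auto-submitting form in Step 3, implementing the three mitigations above, as an added example in Python (not code from the slides or from the lab): a minimal request object, a session store, a change-email handler that accepts POST only, verifies a per-session token in constant time and requires a custom header, and a new_session helper that shows the SameSite cookie attribute. All request, cookie and session values are constructed.

```python
# Added example, not code from the slides or from the lab.
# Request shape, session store and cookie names are constructed for the example.
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Request:
    method: str
    path: str
    cookies: dict
    form: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


SESSIONS = {}   # session id -> {"user": ..., "csrf": ..., "email": ...}


def new_session(user: str):
    """Create a session and the Set-Cookie value for it. SameSite=Lax keeps the
    cookie off cross-site POSTs such as the PoC form; Strict would also drop it
    on top-level cross-site GET navigations."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    set_cookie = f"session={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"
    return sid, set_cookie


def csrf_input(sid: str) -> str:
    """The value a legitimate form embeds as <input type=hidden name=csrf>."""
    return SESSIONS[sid]["csrf"]


def handle_change_email(req: Request):
    # 1. State-changing action: POST only, so the "switch to GET" trick fails.
    if req.method != "POST":
        return 405, "method not allowed"
    sess = SESSIONS.get(req.cookies.get("session", ""))
    if sess is None:
        return 401, "not logged in"
    # 2. Per-session token, compared in constant time; an attacker's page
    #    cannot read it, so a forged request cannot include it.
    token = req.form.get("csrf", "")
    if not hmac.compare_digest(token.encode(), sess["csrf"].encode()):
        return 403, "invalid CSRF token"
    # 3. Defence in depth: a custom header that a plain HTML form cannot set.
    if req.headers.get("X-Requested-With") != "XMLHttpRequest":
        return 403, "missing custom header"
    sess["email"] = req.form["email"]
    return 200, "email changed"
```

The token check alone is sufficient when the token is unpredictable and bound to the session; the method restriction and SameSite attribute cover the case where a token check is accidentally skipped on one code path, which is the kind of gap the Step 1 test looks for.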
4. XSS :-
• XSS, or Cross-Site Scripting, is a type of security
vulnerability commonly found in web applications. In an
XSS attack, an attacker injects malicious scripts (usually
JavaScript) into web pages viewed by other users. These
scripts execute in the context of the victim's browser,
allowing the attacker to steal sensitive information, hijack
user sessions, deface websites, or perform other malicious
actions.
• There are three main types of XSS attacks:
1. Reflected XSS: In a reflected XSS attack, the malicious script is injected into a web application's input (e.g., a URL parameter or a form field) and then reflected back to the user in the application's response. This often occurs when an application fails to properly sanitize user input before echoing it back to the user.
2. Stored XSS: In a stored XSS attack, the malicious script is permanently stored on the web server, typically in a database, and then served to multiple users whenever they access the vulnerable web page. This type of XSS attack is more dangerous as it can affect multiple users and persists over time.
3. DOM-based XSS: DOM-based XSS occurs when the client-side JavaScript code in a web page processes data from an untrusted source in an unsafe way, leading to the execution of malicious scripts. Unlike reflected and stored XSS, DOM-based XSS does not involve server-side vulnerabilities; instead, it exploits client-side vulnerabilities in the Document Object Model (DOM) of the web page.
Tools used :-
1. Burp Suite
2. Kali Linux
3. Wappalyzer
Web site link used for the practical :-
https://0a34004f043720a881b46bbb00cb00e9.web-security-academy.net/ ----> PortSwigger
“The login function on the website already has an XSS vulnerability, so we don’t need to use any additional tools to find it. So we can directly perform our labs.”
“DOM-based cross-site scripting vulnerability” in the search query tracking functionality :-
The page uses the JavaScript document.write function, which writes data out to the page. document.write is called with data from location.search, which you can control using the website URL.
Step 1:-
Enter a random alphanumeric string into the search box. Right-click, inspect the element, and observe that your random string has been placed inside an img src attribute.
Step 2:-
Break out of the img attribute by searching for:
"><svg onload=alert(1)>
Mitigations:-
To prevent XSS attacks, developers should implement
proper input validation and output encoding techniques.
This includes validating and sanitizing user input to ensure
that it does not contain malicious scripts and encoding
output data to prevent unintended script execution.
Additionally, using security mechanisms such as Content
Security Policy (CSP) can help mitigate the risk of XSS
attacks by restricting the types of content that can be
executed on a web page. Regular security audits and
testing are also essential to identify and address XSS
vulnerabilities in web applications.
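The tracker markup from Steps 1–2 beside the output-encoding and CSP mitigations above, as an added example in Python (not code from the slides or from the lab). The unsafe builder reproduces the document.write pattern; the safe builder URL-encodes the search term and then HTML-attribute-encodes the whole src value, so the Step 2 payload can no longer close the attribute; csp_header returns a policy that blocks inline handlers such as the onload= in that payload. The markup shape, the function names and the query-parameter name `search` are assumptions.

```python
# Added example, not code from the slides or from the lab. The markup shape,
# parameter name and sample queries are constructed.
import html
from urllib.parse import parse_qs, urlencode

LAB_PAYLOAD = '"><svg onload=alert(1)>'   # the Step 2 search term


def _search_term(location_search: str) -> str:
    # equivalent of reading the 'search' parameter from location.search
    return parse_qs(location_search.lstrip("?")).get("search", [""])[0]


def tracker_img_unsafe(location_search: str) -> str:
    # The pattern the lab shows: the raw term is concatenated into markup, so
    # a '"' closes the src attribute and '>' closes the tag.
    query = _search_term(location_search)
    return f'<img src="/resources/images/tracker.gif?searchTerms={query}">'


def tracker_img_safe(location_search: str) -> str:
    query = _search_term(location_search)
    # 1. URL-encode the value so it is only ever a query-string parameter
    qs = urlencode({"searchTerms": query})
    # 2. HTML-attribute-encode the complete URL for the src="..." context
    src = html.escape("/resources/images/tracker.gif?" + qs, quote=True)
    return f'<img src="{src}">'


def csp_header() -> str:
    # Without 'unsafe-inline', inline scripts and on* handlers do not run even
    # if markup injection slips through; 'self' limits scripts to same-origin files.
    return ("Content-Security-Policy: default-src 'self'; script-src 'self'; "
            "object-src 'none'; base-uri 'none'")
```

In the browser itself, the equivalent fix for the DOM sink is to stop using document.write with concatenated strings and instead create the element with document.createElement and assign the URL through its src property, so the term is never parsed as HTML.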
Thank You!!
From :- DINKAR MISHRA

Solving Labs for Common Web Vulnerabilities
