web application penetration testing extreme version 2 · 2020-01-21 · web application penetration...

WEB APPLICATION PENETRATION TESTING EXTREME

VERSION 2

The most advanced course on web application penetration testing

Course Home Page: www.elearnsecurity.com/waptx

COURSE DESCRIPTION Web Application Penetration Testing eXtreme is a practical online course on the most advanced web application penetration testing techniques. This training course is tied to Hera Lab, where students will access a number of laboratories for each learning module.

PRE-REQUISITES WAPTX is an advanced course that requires the following pre-requisites:

• Deep understanding of HTML, HTTP, Server-side languages, XML, JavaScript. • Good understanding and practical proficiency of XSS, XSRF, SQLi, and basic

HTML5 attacks. • Ability to read and understand PHP code will help, although not mandatory. • Basic development skills required.

The eLearnSecurity WAPT course provides most of the above pre-requisites.

WHO SHOULD TAKE THIS COURSE? The WAPTX course is primarily geared towards:

• Penetration Testers • Web Developers • IT Security professionals with a technical background

HOW AM I GOING TO LEARN THIS? eLearnSecurity courses are very interactive, addictive, and presents content in such a way that it appeals to all learning styles. WAPTX comes with practical lessons and videos, so do not expect the outdated way of learning by just reading pages of theoretical methodologies. During this training course, you will have several guided labs that will provide you with relevant and hands-on practical application experience.

INTRODUCTION

http://www.elearnsecurity.com/waptx


WILL I GET A CERTIFICATE?

Once you satisfy the requirements of the final practical certification test, you will be awarded an “eLearnSecurity Web Penetration Tester eXtreme” certificate and will hold the eWPTX certification.

ORGANIZATION OF CONTENTS The WAPTX is a follow up of the WAPT course but at an “extreme” level. This course brings students into a new world of advanced exploitation techniques using real-world scenarios – all served with challenging and extremely hands-on laboratories in which to put the covered techniques into practice.

• Module 1: Encoding and Filtering • Module 2: Evasion Basic • Module 3: Cross-Site Scripting • Module 4: XSS Filter Evasion and WAF Bypassing • Module 5: Cross-Site Request Forgery • Module 6: HTML 5 • Module 7: SQL Injections • Module 8: SQLi Filter Evasion and WAF Bypassing • Module 9: XML Attacks • Module 10: Attacking Serialization • Module 11: Server Side Attacks • Module 12: Attacking Crypto • Module 13: Attacking Authentication & SSO • Module 14: Pentesting APIs & Cloud Applications • Module 15: Attacking LDAP-based Implementations

CONTENTS



MODULE 1: ENCODING AND FILTERING The first module of this course is not just another module on encoding. It provides some esoteric encoding skills that will be helpful during the rest of the course. Understanding what kind of data encoding is used and how it works is fundamental and ensures that the tests are performed as intended, which is why this module starts with the basic concept of data encoding. The Encoding and Filtering module is about filtering basics, starting from a brief introduction on how to deal with regular expression, to understanding how to detect, fingerprint, and evade web application firewalls. We conclude by analyzing the most common client-side defensive mechanism. 1. ENCODING AND FILTERING 1.1 Data Encoding Basics 1.1.1 Dissecting Encoding Types 1.1.1.1 URL Encoding 1.1.1.2 HTML Encoding

1.1.1.2.1 Document Character Encoding 1.1.1.2.2 Character References

1.1.1.3 Base (36|64) Encoding 1.1.1.3.1 Base 36 1.1.1.3.2 Base 64

1.1.1.4 Unicode Encoding 1.1.2 Multiple (De|En)codings

1.2 Filtering Basics 1.2.1 Regular Expressions

1.2.1.1 Metacharacters 1.2.1.2 Shorthand Character Classes 1.2.1.3 Non-printing Characters 1.2.1.4 Unicode

1.2.2 Web Application Firewall 1.2.2.1 Simple Rules to Bypass WAFs 1.2.2.2 WAF Detection and Fingerprinting

1.2.3 Client-side Filters 1.2.3.1 Browser Add-ons 1.2.3.2 Native Browser Filters

WAPTX



MODULE 2: EVASION BASICS The Evasion Basics module provides advanced coverage of most modern filter evasion techniques using different client-side and server-side languages. To ensure that you have a complete understanding of filters and encoding, the main evasion techniques that start from Base64 and lesser-known URI obfuscation techniques and concludes with JavaScript and PHP obfuscation techniques are introduced. 2. EVASION BASICS

2.1 Base64 Encoding Evasion 2.1.1 Cookie Stealer 2.2 URI Obfuscation Techniques

2.2.1 URL Shortening 2.2.1.1 Bitly.com Short Link Info 2.2.1.2 Other Services Short Link Info 2.2.1.3 cURL Link Resolver 2.2.2. URL Hostname Obfuscation 2.2.2.1 URL Authority Obfuscation

2.3 JavaScript Obfuscation Techniques 2.3.1 JavaScript Encoding – Non-Alphanumeric

2.3.1.1 String Casting 2.3.1.2 Booleans 2.3.1.3 Numbers 2.3.1.4 String

2.3.1.4.1 Generate ‘alert’ String 2.3.1.5 JJencode 2.3.1.6 AAencode 2.3.17 JSFuck

2.3.2 JavaScript Compressing 2.3.2.1 Minifying 2.3.2.2 Packing

2.4 PHP Obfuscation Techniques 2.4.1 Basic Language Reference

2.4.1.1 Type Juggling 2.4.1.2 Numerical Data Types 2.4.1.3 String Data Types 2.4.1.4 Array Data Types 2.4.1.5 Variable Variables

2.4.2 Non-alphanumeric Code 2.4.2.1 Strings Generation 2.4.2.2 Hackvector.co.uk

WAPTX



MODULE 3: CROSS-SITE SCRIPTING Module three is entirely dedicated to cross-site scripting attacks. It starts with a brief recap of the different types of XSS and then introduces advanced attacking techniques and exotic XSS vectors. This module also covers how to use the most advanced tools available and exploit any XSS. 3. CROSS-SITE SCRIPTING

3.1 Introduction 3.2 Cross-Site Scripting

3.2.1 Reflected XSS 3.2.2 Persistent XSS 3.2.3 DOM XSS 3.2.4 Universal XSS

3.3 XSS Attacks 3.3.1 Cookie Grabbing

3.3.1.1 Script Injection 3.3.1.2 Cookie Recording & Logging 3.3.1.3 Netcat Example 3.3.1.4 Bypassing HTTPOnly Flag

3.3.1.4.1 Cross-site Tracing (XST) 3.3.1.4.2 CVE: 2012-0053 3.3.1.4.3 BeEF’s Tunneling Proxy

3.3.2 Defacements 3.3.2.1 Virtual Defacement 3.3.2.2 Persistent Defacement

3.3.3 Phishing 3.3.3.1 Cloning a Website 3.3.3.2 Choosing a Domain Name 3.3.4 Keylogging

3.3.4.1 JavaScript Example 3.3.4.2 Keylogging with Metasploit 3.3.4.3 Keylogging with BeEF

3.3.5 Network Attacks 3.3.5.1 IP Detection 3.3.5.2 Subnet Detection 3.3.5.3 Ping Sweeping 3.3.5.4 Port Scanning

Simple Port Scanner HTML5 Alternatives

WAPTX



MODULE 3: CROSS-SITE SCRIPTING (cont.)

3.3.6 Self-XSS 3.3.6.1 Browsers Based on Chromium 3.3.6.2 Browsers Based on Chromium / Bypasses 3.3.6.3 Browsers Based on Mozilla Firefox 3.3.6.4 Browsers Based on Mozilla Firefox / Bypasses 3.3.6.5 Browsers’ Security Measures 3.3.6.6 Browsers Add-ons 3.3.6.7 JavaScript Console Limitations

3.4 Exotic XSS Vectors 3.4.1 Mutation-based XSS

3.4.1.1 mXSS Examples 3.4.1.2 mXSS Multiple Mutations

WAPTX



MODULE 4: XSS FILTER EVASION AND WAF BYPASSING In this module, the student will learn about advanced filter evasion and WAF bypassing techniques. Starting from simple blacklisting filters, the student will go through different mechanisms to bypass common input sanitization techniques, browser filters, and much more. The student will not only find a number of well-known vectors but will also understand how to find new ones. At the end of this module, the student will be able to recognize the presence of WAF’s and filters and implement effective bypassing techniques. 4. XSS FILTER EVASION AND WAF BYPASSING

4.1 Introduction 4.2 Bypassing Blacklisting Filters

4.2.1 Injecting Script Code 4.2.1.1 Bypassing Weak <script> Tag Banning 4.2.1.2 ModSecurity > Script Tag Based XSS Vectors Rule 4.2.1.3 Beyond <script> Tag…Using HTML Attributes 4.2.1.4 Beyond <script> Tag…Using HTML Events

4.2.2 Keyword Based Filter 4.2.2.1 Character Escaping

4.2.2.1.1 Unicode 4.2.2.1.2 Decimal, Octal, Hexadecimal

4.2.2.2 Constructing Strings 4.2.2.3 Execution Sinks 4.2.2.4 Pseudo-protocols

4.2.2.4.1 Data 4.2.2.4.2 Vbscript

4.3 Bypassing Sanitization 4.3.1 String Manipulations

4.3.1.1 Removing HTML Tags 4.3.1.2 Escaping Quotes 4.3.1.3 Escape Parentheses

4.4 Bypassing Browser Filters 4.4.1 (Un)Filtered Scenarios - Injecting Inside HTML Tag 4.4.2 (Un)Filtered Scenarios - Injecting Inside HTML Tag Attributes 4.4.3 (Un)Filtered Scenarios - Injecting Inside SCRIPT Tag 4.4.4 (Un)Filtered Scenarios - Injecting Inside Event Attributes 4.4.5 (Un)Filtered Scenarios - DOM Based

WAPTX



MODULE 5: CROSS-SITE REQUEST FORGERY This module is entirely dedicated to Cross-Site Request Forgery attacks. It starts from a brief recap about this vulnerability and then introduces the main Attack Techniques and Vectors in order to later introduce how to Exploit Weak Anti-CSRF Measures and to conclude Advanced Exploitation techniques. 5. CROSS-SITE REQUEST FORGERY

5.1 CSRF: Recap & More 5.1.1 Vulnerable Scenario

5.2 Attack Vectors 5.2.1 Force Browsing with GET

5.2.1.1 Example > Change Email Address 5.2.2 Post Requests

5.2.2.1 Auto-submitting from > v1 5.2.2.2 Auto-submitting form > v2

5.3 Exploiting Weak Anti-CSRF Measures 5.3.1 Using Post-only Requests 5.3.2 Multi-Step Transactions 5.3.3 Checking Referer Header 5.3.4 Predictable Anti-CSRF Token 5.3.5 Unverified Anti-CSRF Token 5.3.6 Secret Cookies

5.4 Advanced CSRF Exploitation 5.4.1 Bypassing CSRF defenses with XSS

5.4.1.1 Bypassing Header Checks 5.4.1.2 Bypassing Anti-CSRF Token

5.4.1.2.1 1> Request a Valid Form with a Valid Token 5.4.1.2.2 2 > Extract the Valid Token from the Source Code 5.4.1.2.3 3 > Forge the Form with the Stolen Token

5.4.2 Bypassing Anti-CSRF Token Brute Forcing

WAPTX



MODULE 6: HTML5 Module six is entirely dedicated to HTML5 and its attack vectors. It starts with a recap of this language, analyzing the main features to focus our security research, and then dives deep into the main exploitation techniques and attack scenarios. Once the security concerns related to HTML5 features are analyzed, the student will learn about the most common security mechanisms developers use. These are critical in understanding how to leverage even more sophisticated attacks. The module concludes with an analysis of the UI redressing attacks and an overview of related attack vectors introduced with HTML5. 6. HTML5

6.1 HTML5: Recap & More 6.1.1 Introduction 6.1.2 Semantics

6.1.2.1 Form Elements 6.1.2.2 Media Elements 6.1.2.3 Semantic/Structural Elements 6.1.2.4 Attributes

6.1.3 Offline & Storage 6.1.3.1 Web Storage > Attack Scenario

6.1.3.1.1 Session Hijacking 6.1.3.2 Offline Web Application > Attack Scenario

6.1.4 Device Access 6.1.4.1 Geolocation > Attack Scenario 6.1.4.2 Fullscreen Mode > Attack Scenario

6.1.4.2.1 Phishing 6.1.5 Performance, Integration & Connectivity

6.1.5.1 Attack Scenarios 6.2 Exploiting HTML5

6.2.1 CORS Attack Scenario 6.2.1.1 Universal Allow

6.2.1.1.1 Allow by Wildcard Value* 6.2.1.1.2 Allow by Server-Side

6.2.1.2 Weak Access Control 6.2.1.2.1 Check Origin Example

6.2.1.3 Intranet Scanning 6.2.1.3.1 JS-Recon

WAPTX



MODULE 6: HTML5 (cont.)

6.2.1.4 Remote Web Shell 6.2.1.4.1 The Shell of the Future

6.2.2 Storage Attack Scenarios 6.2.2.1 Web Storage

6.2.2.1.1 Session Hijacking 6.2.2.1.2 Cross-directory Attacks 6.2.2.1.3 User Tracking and Confidential Data Disclosure

6.2.2.2 IndexedDB 6.2.2.2.1 IndexedDB vs. WebSQL Database

6.2.3 Web Messaging Attack Scenarios 6.2.3.1 DOM XSS 6.2.3.2 Origin Issue

6.2.4 Web Sockets Attack Scenarios 6.2.4.1 Data Validation 6.2.4.2 MiTM 6.2.4.3 Remote Shell 6.2.4.4 Network Reconnaissance

6.2.5 Web Workers Attack Scenarios 6.2.5.1 Browser-Based Botnet 6.2.5.2 Distributed Password Cracking 6.2.5.3 WebWorkers + CORS - DDoS Attacks

6.3 HTML5 Security Measures 6.3.1 Security Headers: X-XSS-Protection 6.3.2 Security Headers: X-Frame-Options 6.3.3 Security Headers: Strict-Transport-Security 6.3.4 Security Headers: X-Content-Type-Options 6.3.5 Security Headers: Content Security Policy

6.4 UI Redressing: The x-Jacking Art 6.4.1 ClickJacking 6.4.1.1 ClickJacking Example 6.4.2 LikeJacking 6.4.3 StrokeJacking 6.4.3.1 StrokeJacking Example – Show Me the Hidden Picture 6.4.4 New Attack Vectors in HTML5

6.4.4.1 Drag-and-Drop 6.4.4.1.1 Text Field Injection 6.4.4.1.2 Content Extraction

WAPTX



MODULE 7: SQL INJECTIONS This module is entirely dedicated to SQL injection attacks, which recaps the main classification of exploitation techniques and then introduces advanced attack techniques on different DBMS’s. 7. SQL INJECTIONS

7.1 SQL Injection: Introduction, Recap & More 7.1.1 Introduction 7.1.2 Recap & More 7.2 Exploiting SQLi

7.2.1 Techniques Classification 7.2.1.1 Inband Attacks 7.2.1.2 Out-of-Band Attacks 7.2.1.3 Inference Attacks 7.2.2 Gathering Information from the Environment

7.2.2.1 Identify the DBMS 7.2.2.1.1 Error Codes Analysis 7.2.2.1.2 Error Codes Analysis > MySQL

7.2.2.1.3 Error Codes Analysis > MSSQL Server 7.2.2.1.4 Error Codes Analysis > Oracle 7.2.2.1.5 Banner Grabbing 7.2.2.1.6 Educated Guessing 7.2.2.1.7 Educated Guessing > String Concatenation 7.2.2.1.8 Educated Guessing > Numeric Functions 7.2.2.1.9 Educated Guessing > SQL Dialect

7.2.2.2 Enumerating the DBMS Content 7.2.2.2.1 Databases > MySQL

7.2.2.2.2 Databases > MSSQL 7.2.2.2.3 Databases > Oracle 7.2.2.2.4 Databases > Tables & Columns 7.2.2.2.5 Databases > Users and Privileges

7.3 Advanced SQLi Exploitation 7.3.1 Out-of-Band Exploitation

7.3.1.1 Alternative OOB Channels 7.3.1.2 OOB via HTTP

7.3.1.2.1 Oracle URL_HTTP Package 7.3.1.2.2 Oracle HTTPURITYPE Package

WAPTX



MODULE 7: SQL Injections (cont.) 7.3.1.3 OOB via DNS

7.3.1.3.1 DNS Exfiltration Flow 7.3.1.3.2 Provoking DNS Requests

• MySQL (win) • MSSQL • Oracle

7.3.2 Exploiting Second-Order SQL Injection 7.3.2.1 First-order Example 7.3.2.2 Second-order Example 7.3.2.3 Security Considerations 7.3.2.4 Automation Considerations

WAPTX



MODULE 8: SQLi FILTER EVASION AND WAF BYPASSING In this advanced module, the student will learn about advanced filter evasion and WAF bypassing techniques. These foundational skills will be necessary to understand and master further techniques. By the end of this module, the student will be able to recognize the presence of WAF’s and filters and implement effective bypassing techniques. 8. SQLi FILTER EVASION AND WAF BYPASSING

8.1 Introduction 8.2 DBMS Gadgets

8.2.1 Comments 8.2.2 Functions and Operators 8.2.3 Intermediary Characters 8.2.4 Constants and Variables 8.2.5 Strings 8.2.6 Integers 8.2.7 MySQL Type Conversion

8.3 Bypassing Keywords Filters 8.3.1 Case changing 8.3.2 Using Intermediary Characters 8.3.3 Using Alternative Techniques 8.3.4 Circumventing by Encoding 8.3.5 Replaced Keywords

8.4 Bypassing Functions Filters 8.4.1 Building Strings 8.4.2 Brute-force Strings 8.4.3 Building Substring

WAPTX



MODULE 9: XML ATTACKS Module nine is entirely dedicated to XML attacks, which starts with a recap of this language and then dives into the most modern attacks, such as XML Tag Injection, XXE, XEE, and XPath Injection. For each of them, basic and advanced exploitation techniques are analyzed. By the end of this module, the student will be able to pentest complex applications using XML. 9. XML ATTACKS

9.1 XML Attacks: Introduction, Recap & More 9.1.1 Introduction 9.1.2 XML Attacks: Recap & More

9.1.2.1 XML Document with Internal DTD 9.1.2.2 XML Document with External DTD 9.1.2.3 Entities

9.2 XML Tag Injection 9.2.1 Testing XML Injection - Single/Double Quotes 9.2.2 Testing XML Injection - Ampersand 9.2.3 Testing XML Injection - Angular parentheses 9.2.4 Testing XML Injection - XSS with CDATA

9.3 XML eXternal Entity 9.3.1 Taxonomy

9.3.1.1 External Entities: Private vs. Public 9.3.2 XML eXternal Entity

9.3.2.1 Resource Inclusion 9.3.2.2 Resource Inclusion – Improved

• Invalid resource to extract • CDATA Escape Using Parameter Entities • php://I/O Stream

9.3.3 Bypassing Access Control 9.3.4 Out-Of-Band Data Retrieval

• OOB via HTTP • OOB via HTTP using XXEServe

9.4 XML Entity Expansion 9.4.1 Recursive Entity Expansion

9.4.1.1 Billion Laugh Attack 9.4.2 Generic Entity Expansion

9.4.2.1 Quadratic Blowup Attack 9.4.3 Remote Entity Expansion

WAPTX



MODULE 9: XML ATTACKS (cont.)

9.5 XPath Injection 9.5.1 XPath Recap

9.5.1.1 XPath 1.0 vs 2.0 • New Operations and Expressions on Sequences

o Function on Strings o FOR Operator o Conditional Expression o Regular Expression o Assemble/Disassemble Strings o Data Types

9.5.2 Advanced XPath Exploitation 9.5.2.1 Blind Exploitation

• Error Based • Boolean Based

9.5.2.2 OOB Exploitation • HTTP Channel • DNS Channel

WAPTX



MODULE 10: ATTACKING SERIALIZATION In this module, you will learn about serialization and deserialization in Java, PHP, and .NET. We also present untypical serialization that you may come across during web application penetration testing. By the end of the module, you should have a better understanding of serialization mechanisms and how to find/exploit untrusted deserialization in common web technologies. 10. ATTACKING SERIALIZATION

10.1 What is Serialization? 10.2 Serialization in Java 10.2.1 Creating Serialized Objects 10.2.2 Deserializing Data 10.2.3 Insecure Deserialization Conditions 10.2.3.1 Properties and Reflection 10.2.4 Gadgets 10.2.5 Introduction to Ysoserial 10.2.5.1 Additions to Ysoserial 10.2.6 Brute-force Attack with Ysoserial 10.2.7 Exploring Ysoserial 10.2.8 Exploiting Java Deserialization 10.2.8.1 Deciphering Serialized Data 10.2.8.2 Injecting Serialized Payload 10.2.9 Analysis of URLDNS Payload 10.2.9.1 Arbitrary DNS Resolution Exploit 10.2.10 Troubleshooting Ysoserial 10.2.11 Spotting Java Serialized Objects 10.2.12 Recommended Reading 10.3 Serialization in PHP 10.4 .NET Serialization 10.4.1 .NET Serialization Types 10.4.2 .NET Serialization Example 10.4.3 Spotting .NET Serialized Data 10.4.4 VIEWSTATE 10.5 Other Serialization

WAPTX



MODULE 11: SERVER-SIDE ATTACKS In this module, you will come to understand how user-supplied input can sometimes be insecurely handled by back-end logic, as well as learn how to find and exploit server-side bugs. Specifically, during this module, you will learn how Server-Side Request Forgery, Server Side Include, Edge Side Include, Server Side Template Injection, and Expression Language Injection attacks work. Attacking XSLT engines is also covered. Note that the abovementioned attacks can have quite an impact on the overall security of an application since they can lead to not only sensitive information leakage but remote code execution as well. 11. SERVER-SIDE ATTACKS 11.1 Server-Side Infrastructure 11.1.1 Understanding Modern Infrastructure 11.1.2 Abusing Intermediate Devices 11.2 Server-Side Request Forgery 11.2.1 SSRF Attack 11.2.2 When SSRF is a Feature 11.2.3 Blind SSRF Exploitation 11.2.3.1 Abusing URL Structure 11.2.4 SSRF Example 11.2.4.1 Forcing Authentication 11.2.4.2 Changing Protocol 11.2.4.3 Attacking SSRF on Windows 11.2.4.4 Other SSRF Scenarios 11.2.4.5 Time-based SSRF 11.2.4.6 Extending SSRF 11.3 Server-Side Include 11.3.1 SSI Expressions 11.3.2 SSI Example 11.3.3 Edge Side Includes 11.3.4 ESI Expressions 11.3.4.1 ESI Detection 11.3.4.2 ESI Exploitation 11.4 Language Evaluation 11.4.1 Template Engines 11.4.2 Detecting Template Injection 11.4.3 Confirming Template Injection 11.4.4 Exploiting Template Injection

WAPTX



MODULE 11: SERVER-SIDE ATTACKS (cont.)

11.4 Language Evaluation (cont.) 11.4.5 Expression Language 11.4.5.1 Expression Language Example 11.4.5.2 Talking to EL Parser 11.4.5.3 Playing with Classes 11.4.5.4 EL Code Execution 11.4.5.5 Extending EL Exploitation 11.4.5.6 References 11.5 Attacking XSLT Engines 11.5.1 XSLT Purpose 11.5.2 XSLT Example 11.5.2.1 XSLT Usage 11.5.3 Experimenting with XSLT Parser 11.5.3.1 XSLT Engine Detection 11.5.3.2 XSLT Documentation 11.5.3.3 XSLT File Read 11.5.3.4 XSLT SSRF 11.5.3.5 Extending XSLT Attacks

WAPTX



MODULE 12: ATTACKING CRYPTO This module will focus on identifying and attacking flawed or poorly constructed crypto implementations. Attacks such as Known Plaintext, Padding Oracle, Hash Length Extension, and Authorization bypass via .NET machine key will be covered. 12. ATTACKING CRYPTO

12.1 Encryption Fundamentals 12.1.1 Cryptography 12.1.2 Key Encryption Terms 12.1.2.1 Encryption 12.1.2.2 Ciphers 12.1.2.3 Electronic Code Book (ECB) 12.1.2.4 Cipher Block Chaining (CBC) 12.1.2.5 Padding 12.1.3 Attacks Against Crypto 12.2 Insecure Password Reset 12.2.1 Known Plaintext Attack Scenario 12.2.2 Exploitation 12.3 Padding Oracle Attack 12.3.1 What is a Padding Oracle? 12.3.2 Padding Oracle Attack Scenario 12.4 Hash Length Extension Attack 12.4.1 Hash Length Extension Attack Fundamentals 12.4.2 Hash Length Extension Attack Scenario 12.5 Leveraging machineKey 12.5.1 The Importance of machineKey 12.5.2 Leveraging a Leaked machineKey for RCE 12.6 Subverting HMAC in Node.js 12.6.1 Subverting HMAC in Node.js Scenario

WAPTX



MODULE 13: ATTACKING AUTHENTICATION & SSO In module thirteen, you will have the opportunity to study advanced attacks against various Authentication and Single Sign On implementations. Before covering the attacks, you will dive into each implementation’s internals, security shortcomings, and common misconfigurations. SAML, OAuth, JWT, and others will be covered. 13. ATTACKING AUTHENTICATION & SSO 13.1 Authentication in Web Apps 13.2 Attacking JWT 13.2.1 JSON Web Tokens (JWT) 13.2.2 JWT Security Facts 13.2.3 JWT Attack Scenario 1 13.2.4 JWT Attack Scenario 2 13.2.5 JWT Attack Scenario 3 13.3 Attacking OAuth 13.3.1 OAuth 13.3.2 Common OAuth Attacks 13.3.3 OAuth Attack Scenario 2 13.3.4 OAuth Attack Scenario 3 13.3.5 OAuth Attack Scenario 4 13.4 Attacking SAML 13.4.1 Security Assertion Markup Language (SAML) 13.4.2 SAML Security Considerations 13.4.3 SAML Attack Scenario 13.5 Bypassing 2FA 13.5.1 2FA Bypasses 13.5.2 2FA Bypass Scenario 1 13.5.3 2FA Bypass Scenario 2

WAPTX



MODULE 14: PENTESTING APIS & CLOUD APPLICATIONS APIs can be found in any IT aspect nowadays, from web and mobile applications all the way to IOT solutions and the cloud. It is of paramount importance for a penetration tester to be able to perform a thorough penetration test against an API. This module will cover in detail the most effective attacking tactics against APIs and Cloud-powered applications. 14. PENTESTING APIS & CLOUD APPLICATIONS 14.1 Introduction to APIs 14.2 API Testing and Attacking 14.3 API Access Control 14.4 Resource Sharing 14.5 Attacking Cloud Based Applications 14.5.1 Microservices 14.5.2 Serverless Applications 14.5.3 Details of Serverless Architecture 14.5.3.1 Serverless Application Example 14.5.4 S3 Buckets 14.5.5 Tool: s3recon 14.5.6 S3 AWS Signed URLs 14.5.6.1 Creating Signed URLs 14.5.6.2 Signed Cookies 14.5.7 Serverless Event Injection 14.5.7.1 Serverless Event Injection Scenario 14.5.7.2 Serverless Event Injection 2 14.5.8 GraphQL APIs 14.5.9Function as a Service

WAPTX



MODULE 15: ATTACKING LDAP-BASED IMPLEMENTATIONS For numerous reasons, a web application can make use of LDAP (query objects from a directory database, authentication, management, etc.). In this module, you will learn how to exploit vulnerable LDAP-based implementations. Specifically, you will learn all about LDAP basics, LDAP injections, and LDAP manipulation/poisoning. 15. ATTACKING LDAP-BASED IMPLEMENTATIONS 15.1 What is LDAP? 15.1.1 Directory Database Structure 15.1.1.1 LDIF Format 15.2 LDAP Syntax 15.2.1 LDAP Implementations 15.3 Abusing LDAP 15.3.1 LDAP Over TCP 15.3.2 LDAP Vulnerabilities 15.3.3 LDAP Injection 15.3.3.1 Blind LDAP Injection 15.3.4 LDAP Python Implementation 15.3.4.1 Implementing LDAP Server 15.3.4.2 Implementing LDAP Client 15.3.5 Blind LDAP Injection Example

WAPTX


We are eLearnSecurity. Based in Santa Clara, California, with offices in Pisa, Italy, and Dubai, UAE, Caendra Inc. is a trusted source of IT security skills for IT professionals and corporations of all sizes. Caendra Inc. is the Silicon Valley-based company behind the eLearnSecurity brand. eLearnSecurity has proven to be a leading innovator in the field of practical security training, with best of breed virtualization technology, in-house projects such as Coliseum Web Application Security Framework and Hera Network Security Lab, which has changed the way students learn and practice new skills. Contact details: www.elearnsecurity.com [email protected]

http://www.elearnsecurity.com/

mailto:[email protected]

web application penetration testing extreme version 2 · 2020-01-21 · web application penetration...

Documents