# Web Application Security

Comprehensive web application vulnerabilities including SQL injection, XSS, CSRF, authentication bypass, information disclosure, and business logic flaws for penetration testing and security assessments.

## Overview
Web applications are the most common attack surface in modern security engagements. Understanding web vulnerabilities is fundamental for any penetration tester or security professional. This section covers the OWASP Top 10 and other critical web application security issues.
### Injection Attacks
- SQL Injection - Database query manipulation for data extraction and RCE
- Cross-Site Scripting (XSS) - Client-side code injection attacks
### Authentication & Authorization
- Authentication Bypass - Circumvent login mechanisms and access controls
- Cross-Site Request Forgery (CSRF) - Force authenticated actions via victim's browser
### Deserialization & Logic Flaws
- Insecure Deserialization - Exploit object deserialization for RCE
- Business Logic Flaws - Abuse application workflow and business rules
### API Security
- API Security - REST API vulnerabilities, GraphQL attacks, and API authentication issues
### Server-Side Attacks
- Host Header Poisoning - Manipulate HTTP Host header for cache poisoning and password resets
### Information Disclosure
Information leakage can reveal sensitive data and facilitate further attacks:
- Directory Listing - Exposed directory contents revealing file structure
- Verbose Error Messages - Stack traces and debugging information exposure
- TLS/SSL Information Leakage - Certificate and protocol information disclosure
### Supply Chain & Dependencies
- Outdated JavaScript Dependencies - Vulnerable npm packages and front-end libraries
## Attack Methodology

### Phase 1: Reconnaissance
- Identify web technologies and frameworks
- Map application structure and endpoints
- Discover hidden files and directories
- Review JavaScript files for API endpoints
- Check SSL/TLS configuration
### Phase 2: Vulnerability Discovery
- Test for injection vulnerabilities (SQL, XSS, SSTI)
- Analyze authentication mechanisms
- Test authorization and access controls
- Check for CSRF protections
- Review business logic
- Test API endpoints and parameters
### Phase 3: Exploitation
- Craft payloads for identified vulnerabilities
- Chain vulnerabilities for greater impact
- Extract sensitive data
- Establish persistence if applicable
### Phase 4: Post-Exploitation
- Pivot to internal systems
- Escalate privileges on compromised hosts
- Maintain access
- Document findings with proof-of-concept
## Essential Tools
| Tool | Primary Use |
|---|---|
| BurpSuite | Web proxy and vulnerability scanner |
| OWASP ZAP | Open-source web application scanner |
| SQLmap | Automated SQL injection exploitation |
| ffuf/gobuster | Directory and parameter fuzzing |
| Nuclei | Template-based vulnerability scanner |
## Testing Checklist

### Input Validation
- Test all input fields for injection
- Check file upload functionality
- Test parameter pollution
- Verify input sanitization
### Authentication & Session Management
- Test login mechanisms
- Check password policies
- Review session handling
- Test logout functionality
- Check for session fixation
### Authorization
- Test vertical privilege escalation
- Test horizontal privilege escalation
- Check direct object references
- Verify API authorization
### Business Logic
- Test workflow bypass
- Check for race conditions
- Test payment flows
- Verify rate limiting
### Configuration
- Review HTTP security headers
- Check CORS configuration
- Test SSL/TLS setup
- Review error handling
## Related Resources
- Network Protocol Attacks - HTTP and HTTPS exploitation
- API Security Deep Dive - REST and GraphQL testing
- Cloud Security - Cloud-native application security