TheHackerPlayBook I – Section III – The Throw

Table of Contents

Web Application Exploitation

First things first, two good resources for webapp pentesting:

OWASP WebApp Testing Guide

The Web Application Hacker's Handbook

SQL Injection (SQLi)

TODO
Read more about SQL databases, how they work, commands, common and advanced vulns and exploits. For advanced ones, blind SQLi is something I have read for sure.

Cross-site Scripting (XSS)

The author covers XSS attacks using the BeEF framework, plus a little payload obfuscation, since sites often have input filters that block the obvious payloads.

The recommended link is to an active XSS thread where people post XSS exploit findings.

Reddit XSS Thread

And below is the cheatsheet from OWASP on XSS. If you have identified an XSS vulnerability, don't forget to check this out.

OWASP XSS Cheatsheet

Cross-site Request Forgery (CSRF)

The steps to confirm that a request may be vulnerable to CSRF:

  • tool required - Burp Suite
  • make a request to the target site; in most cases it should be a POST request
  • send the request to Repeater
  • click Go to send the same request to the target site again
  • if the replayed request is accepted (response with status code 200)
  • CSRF confirmed

Session Token Entropy

Entropy here means randomness. It is used to judge if a session token is secure enough.

Determine the entropy of a site's session token:

  • tool required - Burp Suite
  • make a request to the site
  • in the HTTP history tab, send the raw response to Sequencer
  • pick the token that you are interested in
  • click Start live capture
  • results will be shown in a new window

It is hard to determine if a session token is well randomized. Sometimes, going over the source code is also needed to aid the process.
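To make the entropy idea concrete, here is an added Python example (not from the book or from these notes) that applies a character-level frequency estimate, in the spirit of Sequencer's character-level tests, to two constructed token samples: a hypothetical weak counter-based scheme and a CSPRNG-backed one. It also reports the ceiling a given sample size can ever demonstrate, which is one reason a capture alone is hard to judge.

```python
import math
import secrets
from collections import Counter

# Constructed sample generators, not tokens captured from any real site.
def weak_token(counter: int) -> str:
    """Hypothetical weak scheme: fixed prefix plus a zero-padded hex counter."""
    return "sess" + format(counter, "012x")

def strong_token() -> str:
    """CSPRNG-backed token: 16 random bytes rendered as 32 hex characters."""
    return secrets.token_hex(16)

def shannon_entropy_bits(symbols) -> float:
    """Empirical Shannon entropy, in bits, of a sequence of symbols."""
    counts = Counter(symbols)
    n = len(symbols)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def per_position_entropy(tokens) -> list:
    """Entropy observed at each character position across the sample,
    i.e. the per-position view a tool like Sequencer gives you."""
    length = len(tokens[0])
    if any(len(t) != length for t in tokens):
        raise ValueError("all tokens in the sample must have the same length")
    return [shannon_entropy_bits([t[i] for t in tokens]) for i in range(length)]

def assess(tokens, min_bits: int = 64) -> dict:
    """Sum the per-position entropies and compare with the sample's own ceiling.
    A position can show at most log2(sample size) bits, so a small capture can
    never demonstrate high entropy. A frequency test also cannot see sequential
    predictability, so 'acceptable' only means 'not obviously weak'."""
    bits = sum(per_position_entropy(tokens))
    ceiling = len(tokens[0]) * math.log2(len(tokens))
    return {
        "estimated_bits": bits,
        "sample_ceiling_bits": ceiling,
        "acceptable": bits >= min_bits and ceiling >= min_bits,
    }

if __name__ == "__main__":
    weak = [weak_token(i) for i in range(1000, 2000)]
    strong = [strong_token() for _ in range(1000)]
    print("weak  :", assess(weak))    # roughly 10 bits, not acceptable
    print("strong:", assess(strong))  # close to 128 bits, acceptable
```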

Fuzzing/Input validation

Here the author talks about the use of the Intruder function of Burp Suite. Nothing fancy, but I have to remember this feature when it comes to fuzzing or brute forcing stuff.

Business Logic

Basic tests for business logic, quoted directly from the author:

  • Testing that users aren’t able to see other users’ sensitive data.
  • Regular users can’t access administrative pages.
  • Users can’t change data values of other users.
  • Workflows cannot be modified outside their intended flow.

Summary

For webapp testing, the ultimate guide is the OWASP Guide for WebApp Testing.