In this page talk about some basic web vulnerabilities and mitigations. Use the navigation menu below to jump to a specific part of the page. In my free time I am an avid bug bounty hunter. This entails identifying, exploiting, and reporting vulnerabilities in companies' perimeter assets. I am currently globally ranked in the all-time top 75 on Bugcrowd.
XSS occurs when user input is trusted without sensitization. For example, consider the following scenario: You login to a website. The website greets you with your name, displaying "Hello Chris" on the page. However, a malicious user sets his or her name to the following string:
In turn, the website would now try to display the following text: "Hello <script>alert(1)</script>". If the website was not properly sanitizing this code, the script tags would render and execute the alert function. This is a very simple example, but demonstrates the basic fundamentals of XSS. In my career I have discovered and reported over 130 XSS vulnerabilities. The three major types of XSS are:
SQL Injection is a much more severe web vulnerability. With SQL injection, a malicious user is able to directly pass their own custom SQL queries to a back-end database. This allows them to run malicious queries that oftentimes result in full database compromise. SQL injection once again occurs when a website blindly trusts user input. For example, consider the example URL below:
This fictitious webpage would load the profile page for the user with userID equal to 1. A back-end SQL query for this may look similar to the following:
SELECT * FROM users WHERE userID='1';
However, consider if a malicious user injected the following SQL query into the URL:
http://example.com/profile.php?userID=1' AND userID='2
Now, the backend SQL query would be altered. It would query the following:
SELECT * FROM users WHERE userID='1' AND userID='2';
This would now select the information for userID 1, but it would also display the information for userID 2. Consider if userID 2 was meant to be private, the information would still show on user 1's page. Again, this is a very simple example but it demonstrates the potential dangers of SQLi. In my career I have found roughly 15 SQL injection vulnerabilities. The main types of SQLi are shown below:
Local file inclusion (LFI) is a relatively rare vulnerability; however, it is generally critical in severity. LFI occurs when a web server is attempting to retrieve an internal file or page through a URL parameter. Consider the following URL:
This code might be a website with a gallery where a user is viewing a cute dog picture. However, consider if the user injected the following path in the file parameter:
Now, instead of fetching the dog.jpg picture, this web server will instead retrieve the /etc/passwd file (a sensitive file for Linux web servers). If the user can control this parameter with no restrictions they can view any file on the file system. As previously mentioned, this vulnerability is relatively rare, I have only discovered 3 in my career.
As an example, I have intentionally created an intentionally vulnerable page to step you through exploiting XSS.
Steps to Exploit: