
OSWE learning process

Challenge Labs

Answers, Chat, DocEdit, Erka, and Sqeakr.

The final machine, Sqeakr, is a black box test without any credentials or application source code provided. Of course, if you are able to get a shell on this machine, you can reverse engineer the application to look for other vulnerabilities.

Tools

| Tools | Features |
| --- | --- |
| Burp Suite | Web proxy/listener |
| dnSpy | .NET code decompiler |
| dotPeek | .NET code decompiler |
| ilSpy | .NET code decompiler |
| JD-GUI | Java decompiler |

Code Review Checklist

  • [x] Identify Tech Stack:
    • [x] Programming language? What version, i.e., PHP 5 or 7?
    • [x] Database?
    • [x] Framework?
    • [x] Templating engine?
    • [x] Is it MVC based?
    • [x] What are the communication protocols, does it use websockets?
    • [x] Does it have an API?
    • [x] What operating system? Find the Ubuntu version using lsb_release -a
  • [x] Map the app
    • [x] Use the tree -L 3 command, open the app in VSCode, or build a sitemap with Burp Suite to understand the application directory structure
    • [x] What are the routes/pages? In a Java app search for doPost and doGet; in a Python app look for route decorators starting with @
    • [x] Is the app MVC based? where are the Models, Views and Controllers located?
  • [x] Explore the app
    • [x] Is the application running as root?
    • [x] Which pages don't require authentication? You can prioritise testing them first
    • [x] MVC: Check if some logic breaks the MVC driven pattern, try to search for direct SQL queries within controller
  • [x] Discover vulnerabilities
    • [x] What are the interesting functionalities? Password reset, comment section visible to all users, search bar, etc.
    • [x] SQLi: Find database queries using the regex ^.*?query.*?select.*? (case-insensitive)
    • [x] SSTI: Find the templating engine; you might have a line like app.set('view engine', 'pug'); in app.js
    • [x] DOM-based XSS: Grep for sinks. REF: https://domgo.at/cxss/sinks
    • [x] Weak random token generator: java.util.Random is predictable (not cryptographically secure), so tokens built from it can be guessed
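The "Discover vulnerabilities" items above are essentially grep rules. The following is an added example (not part of the original notes, not from any of the lab applications) of a small static-review helper that walks a source tree and flags each of those patterns. The SQLi regex is the one from the checklist; the other patterns (doPost/doGet, @x.route decorators, view engine setup, java.util.Random, a few DOM sinks) are my own assumed approximations of the checklist items, and the sample files are constructed inline so it runs offline.

```python
import os
import re
import sys
import tempfile

# One rule per checklist item: (label, regex, file extensions it applies to).
# "sql-query" is the checklist's own regex; the others are assumed patterns
# chosen here to illustrate the remaining items.
RULES = [
    ("sql-query", re.compile(r"^.*?query.*?select.*?", re.IGNORECASE), {".php", ".java", ".py", ".js"}),
    ("java-route", re.compile(r"\bdo(?:Post|Get)\s*\("), {".java"}),
    ("python-route", re.compile(r"^\s*@\w+\.route\("), {".py"}),
    ("template-engine", re.compile(r"\.set\(\s*['\"]view engine['\"]"), {".js"}),
    ("weak-random", re.compile(r"\bjava\.util\.Random\b|\bnew\s+Random\s*\("), {".java"}),
    ("dom-sink", re.compile(r"\.innerHTML\s*=|document\.write\(|\beval\("), {".js", ".html"}),
]


def scan_file(path, text):
    """Return (label, path, lineno, line) for every rule hit in one file."""
    ext = os.path.splitext(path)[1].lower()
    rules = [(label, rx) for label, rx, exts in RULES if ext in exts]
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for label, rx in rules:
            if rx.search(line):
                hits.append((label, path, lineno, line.strip()))
    return hits


def scan_tree(root):
    """Walk a source tree and collect hits from every readable file."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits.extend(scan_file(path, fh.read()))
            except OSError:
                continue  # unreadable file: skip it rather than abort the review
    return hits


def summarize(hits):
    """Count hits per label so the review can be prioritised by category."""
    counts = {}
    for label, *_ in hits:
        counts[label] = counts.get(label, 0) + 1
    return counts


# Constructed sample "application" that triggers each rule once or twice.
# These are made-up snippets for the demo, not code from any real project.
SAMPLE_FILES = {
    "UserServlet.java": (
        "import java.util.Random;\n"
        "public class UserServlet extends HttpServlet {\n"
        "    protected void doPost(HttpServletRequest req, HttpServletResponse resp) {\n"
        "        String token = Long.toString(new Random().nextLong());\n"
        "        ResultSet rs = stmt.executeQuery(\"SELECT * FROM users WHERE name = '\" + req.getParameter(\"name\") + \"'\");\n"
        "    }\n"
        "}\n"
    ),
    "users.php": (
        "<?php\n"
        "$id = $_GET['id'];\n"
        "$result = mysqli_query($conn, \"SELECT * FROM users WHERE id = $id\");\n"
        "echo $result;\n"
    ),
    "app.py": (
        "from flask import Flask, request\n"
        "app = Flask(__name__)\n"
        "\n"
        "@app.route(\"/search\")\n"
        "def search():\n"
        "    return \"ok\"\n"
    ),
    "app.js": (
        "const express = require('express');\n"
        "const app = express();\n"
        "app.set('view engine', 'pug');\n"
    ),
    "client.js": (
        "const params = new URLSearchParams(location.search);\n"
        "document.getElementById('out').innerHTML = params.get('q');\n"
    ),
}


def demo():
    """Write the constructed samples to a temp dir, scan it, return counts per label."""
    with tempfile.TemporaryDirectory() as root:
        for name, body in SAMPLE_FILES.items():
            with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        return summarize(scan_tree(root))


if __name__ == "__main__":
    # Usage: python review_grep.py /path/to/app   (no argument runs the built-in demo)
    if len(sys.argv) < 2:
        print(demo())
    else:
        for label, path, lineno, line in scan_tree(sys.argv[1]):
            print(f"{label:16} {path}:{lineno}: {line}")
```

The per-label counts are only a triage aid: every sql-query hit still has to be read to see whether user input reaches the query unparameterised, and a weak-random hit matters only if the value is used as a security token (password reset, session id). Extensions are filtered per rule so that, for instance, the @-decorator rule does not fire on Java annotations.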

Reconnaissance in the background

nmapAutomator

Brief syllabus

  • [ ] JavaScript Prototype Pollution

  • [ ] Advanced Server-Side Request Forgery (SSRF)

  • [ ] Web Security Tools and Methodologies

  • [ ] Source Code Analysis

  • [ ] Persistent Cross-Site Scripting

  • [ ] Session Hijacking

  • [ ] .NET Deserialization

  • [ ] Remote Code Execution

  • [ ] Blind SQL Injection

  • [ ] Data Exfiltration

ATutor Authentication Bypass and RCE

  • [ ] Blind SQL Injections

  • [ ] Bypassing File Upload Restrictions

  • [ ] ...

ATutor LMS Type Juggling Vulnerability

  • [ ] PHP Loose and Strict Comparisons

  • [ ] PHP String Conversion to Numbers

  • [ ] ...

ManageEngine Applications Manager AMUserResourcesSyncServlet SQL Injection RCE

  • [ ] PostgreSQL Extensions

  • [ ] ...

Bassmaster NodeJS Arbitrary JavaScript Injection Vulnerability

  • [ ] .Net? Serialization

ERPNext Authentication Bypass and Server Side Template Injection

  • [ ] SSTI

openCRX Authentication Bypass and Remote Code Execution

  • [ ] XML External Entity

openITCOCKPIT XSS and OS Command Injection - Blackbox

  • [ ] DOM-based XSS

Concord Authentication Bypass to RCE

  • [ ] CSRF and CORS

Server Side Request Forgery (SSRF)

Guacamole Lite Prototype Pollution

  • [ ] JavaScript Prototype Pollution