AWAE Course Syllabus

  0.
    0.1 About the AWAE Course
    0.2 Our Approach
    0.3 Obtaining Support
    0.4 Legal
    0.5 Offensive Security Labs
    0.6 Backups
  1. Tools & Methodologies
    1.1 Web Traffic Inspection
    1.2 Interacting with Web Listeners with Python
    1.3 Source Code Recovery
  2.
    2.1 Overview
    2.2 Getting Started
    2.3 Atmail Vulnerability Discovery
    2.4 Session Hijacking
    2.5 Session Riding
    2.6 Gaining Remote Code Execution
    2.7 Summary
  3.
    3.1 Overview
    3.2 Getting Started
    3.3 Initial Vulnerability Discovery
    3.4 Brief Review of Blind SQL Injections
    3.5 Digging Deeper
    3.6 Data Exfiltration
    3.7 Subverting the ATutor Authentication
    3.8 Authentication Gone Bad
    3.9 Bypassing File Upload Restrictions
    3.10 Gaining Remote Code Execution
    3.11 Summary
  4.
    4.1 Overview
    4.2 Getting Started
    4.3 PHP Loose and Strict Comparisons
    4.4 PHP String Conversion to Numbers
    4.5 Vulnerability Discovery
    4.6 Attacking the Loose Comparison
    4.7 Summary
  5.
    5.1 Overview
    5.2 Getting Started
    5.3 Vulnerability Discovery
    5.4 Bypassing Character Restrictions
    5.5 Blind Bats
    5.6 Accessing the File System
    5.7 PostgreSQL Extensions
    5.8 UDF Reverse Shell
    5.9 More Shells!!!
    5.10 Summary
  6.
    6.1 Overview
    6.2 Getting Started
    6.3 The Bassmaster Plugin
    6.4 Vulnerability Discovery
    6.5 Triggering the Vulnerability
    6.6 Obtaining a Reverse Shell
    6.7 Summary
  7.
    7.1 Overview
    7.2 Getting Started
    7.3 Introduction
    7.4 Serialization Basics
    7.5 DotNetNuke Vulnerability Analysis
    7.6 Payload Options
    7.7 Putting It All Together
    7.8 ysoserial.net
    7.9 Summary

1. Tools & Methodologies

The security tools and methodologies used when dealing with a web application can vary from researcher to researcher. Nevertheless, there are general principles that should be followed when attacking a web application, regardless of the tools used. In this module, we will introduce some of the more common tools and how they are used, which will provide us with sufficient tooling for the remainder of this course.

Before we get started, it's important to clarify that, similar to approaches taken when targeting Windows or Linux binary applications, exploitation research into web applications can be conducted from a white box or a black box perspective. In a white box scenario, the researcher either has access to the original source code or is at least able to recover it in a near-original state. When neither of these scenarios is possible, the researcher has to adopt a black box approach, in which minimal information about the target application is available. In this case, in order to find a vulnerability, the researcher needs to observe the behavior of the application by inspecting the output and/or the effects generated as a result of precisely crafted input requests. Arguably, web applications present a slightly easier target than traditional compiled applications when tested using a white box approach. The reason behind this is that in most cases, web applications are written in interpreted languages, which require no reverse engineering. Moreover, as we will see during this course, the source code for web applications written in byte-code based languages such as Java, .NET, or similar can also be trivially recovered into a near-original state with the help of specialized tools.

It's worth mentioning that the ability to recover and read the source code of a modern web application does not reduce the complexity of the required research. However, once the application source code is recovered, the researcher is able to inspect the internal structure of the application and perform a thorough analysis of the code flow. Therefore, in order to conduct a deep vulnerability analysis of the selected test cases, we will mostly use this approach throughout the course.

The exposure to, and complete understanding of, common coding pitfalls combined with chained attack methods will provide us with a good foundation of knowledge that can be used in various scenarios.

1.1 Web Traffic Inspection

One of the first steps when dealing with an unknown web application should always be traffic inspection. While there are many elements a web application can present to the end-user within the browser interface, most applications also make numerous requests between a client and server during the construction of those elements before they reach their final presentation state. In other words, a simple request from a browser to render a webpage such as www.offensivesecurity.com will likely translate into a number of additional HTTP requests behind the scenes.

1.2 Interacting with Web Listeners with Python

The focus for this course is the creation of fully functional and complex exploits for targeted web applications and our language of choice for this task is Python. Nevertheless, if you are already well-versed in a different language and prefer to develop the course exercises in it, you are certainly welcome to do so. In Python, a very popular library that can be used to interact with a web application is the requests library. While there are many well-written guides on how to use requests, including the official documentation, we will demonstrate a very basic way to get us started. The following script will issue an HTTP request to the ManageEngine webserver in the labs and output the details of the relative response:
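The course's own script against the ManageEngine lab host is not reproduced here. As an added example that is not part of the course material, the script below does the same job with only the Python standard library, so it runs offline: it starts a throw-away local listener (a constructed stand-in for the lab web server), sends one GET request, and returns the three things a researcher inspects first, the status code, the response headers and the body. The listener, the URL path and the cookie name are all constructed for the demo.

```python
"""Issue an HTTP request to a web listener and inspect the response details.

Added example, not the course's script: the course uses the third-party
`requests` library; this version uses urllib plus a local listener so it
needs no network access and no extra packages.
"""
import http.server
import json
import threading
import urllib.error
import urllib.request


class _EchoHandler(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for a web listener: echoes the request as JSON."""

    def do_GET(self):
        body = json.dumps({
            "method": self.command,
            "path": self.path,
            "user_agent": self.headers.get("User-Agent"),
        }).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        # Constructed session cookie, so the header-inspection path has something to show.
        self.send_header("Set-Cookie", "JSESSIONID=constructed-example; HttpOnly")
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the listener quiet


def start_local_listener():
    """Start the stand-in listener on an ephemeral loopback port; returns (server, base_url)."""
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), _EchoHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    host, port = server.server_address
    return server, f"http://{host}:{port}"


def fetch(url, headers=None, timeout=5):
    """Send a GET and return status, headers (lower-cased keys) and decoded body."""
    req = urllib.request.Request(url, headers=headers or {}, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return {
                "status": resp.status,
                "headers": {k.lower(): v for k, v in resp.getheaders()},
                "body": resp.read().decode("utf-8", errors="replace"),
            }
    except urllib.error.HTTPError as e:
        # A 4xx/5xx is still a response worth reading: keep its status, headers and body.
        return {
            "status": e.code,
            "headers": {k.lower(): v for k, v in e.headers.items()},
            "body": e.read().decode("utf-8", errors="replace"),
        }


def describe(result):
    """Render a fetched response as a status line, the headers, a blank line and the body."""
    lines = [f"HTTP {result['status']}"]
    lines += [f"{k}: {v}" for k, v in sorted(result["headers"].items())]
    lines += ["", result["body"]]
    return "\n".join(lines)


if __name__ == "__main__":
    server, base = start_local_listener()
    try:
        # Constructed path; the header value is what the listener echoes back.
        print(describe(fetch(base + "/servlet/login?user=admin",
                             headers={"User-Agent": "awae-lab-client"})))
    finally:
        server.shutdown()
```

With the requests library the same `fetch` collapses to `resp = requests.get(url, headers=headers)` and the fields are `resp.status_code`, `resp.headers` and `resp.text`; the listener and `describe` stay as they are. Keeping the non-2xx branch matters in practice: error pages and redirects often carry the header or body detail that explains the application's behaviour.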

1.3 Source Code Recovery

As we mentioned at the beginning of this module, the ability to recover the source code from web applications written in compiled languages is extremely valuable. In this course, we will be focusing mainly on Java and .NET source code recovery, as they are directly related to the vulnerable applications we will explore.
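Before handing a Java web archive to a decompiler, it helps to know what is inside it and which Java release produced each class, since decompilers differ in how well they handle newer bytecode. The script below is an added example and not part of the course: a .war or .jar is a zip, and every .class entry starts with the magic 0xCAFEBABE followed by minor and major version fields, so the inventory needs only the standard library. The sample archive, its entry names and the class headers are constructed for the demo (they carry valid headers but no real bytecode).

```python
"""Inventory the compiled classes inside a Java web archive before decompiling.

Added example, not course code: reads the 8-byte class-file header of each
.class entry in a jar/war and maps the major version to the Java release.
"""
import io
import struct
import zipfile

CLASS_MAGIC = 0xCAFEBABE
# Class-file major version -> Java release, per the JVM specification.
JAVA_MAJOR_VERSIONS = {45: "1.1", 46: "1.2", 47: "1.3", 48: "1.4", 49: "5", 50: "6",
                       51: "7", 52: "8", 53: "9", 54: "10", 55: "11", 56: "12",
                       57: "13", 58: "14", 59: "15", 60: "16", 61: "17", 62: "18",
                       63: "19", 64: "20", 65: "21"}


def is_class_file(data):
    """True if the bytes start with the class-file magic number."""
    return len(data) >= 4 and struct.unpack(">I", data[:4])[0] == CLASS_MAGIC


def parse_class_header(data):
    """Return (major, minor) from a class file; raise ValueError if it is not one."""
    if len(data) < 8:
        raise ValueError("too short to be a class file")
    magic, minor, major = struct.unpack(">IHH", data[:8])
    if magic != CLASS_MAGIC:
        raise ValueError("bad magic 0x%08X" % magic)
    return major, minor


def inventory_archive(archive_bytes):
    """Walk a jar/war and report each .class entry with its Java target version.
    Nested jars and non-class entries (JSPs, web.xml) are listed separately so
    nothing that may hold logic is overlooked."""
    report = {"classes": {}, "nested_jars": [], "other": []}
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for name in zf.namelist():
            if name.endswith("/"):
                continue  # directory entry
            if name.endswith(".class"):
                major, _ = parse_class_header(zf.read(name))
                report["classes"][name] = JAVA_MAJOR_VERSIONS.get(
                    major, f"unknown(major={major})")
            elif name.endswith(".jar"):
                report["nested_jars"].append(name)
            else:
                report["other"].append(name)
    return report


def _constructed_class(major):
    """Minimal constructed .class header (magic, minor=0, major) plus padding; not real bytecode."""
    return struct.pack(">IHH", CLASS_MAGIC, 0, major) + b"\x00" * 8


def build_sample_war():
    """Constructed sample .war: one class built for Java 8, one for Java 11,
    a JSP, the deployment descriptor and an (empty) bundled library jar."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("WEB-INF/classes/com/example/LoginServlet.class", _constructed_class(52))
        zf.writestr("WEB-INF/classes/com/example/AuthFilter.class", _constructed_class(55))
        zf.writestr("WEB-INF/web.xml", "<web-app/>")
        zf.writestr("index.jsp", "<%= 1 %>")
        zf.writestr("WEB-INF/lib/util.jar", b"PK\x05\x06" + b"\x00" * 18)  # empty zip
    return buf.getvalue()


if __name__ == "__main__":
    report = inventory_archive(build_sample_war())
    for entry, version in report["classes"].items():
        print(f"{entry}: Java {version}")
    print("nested jars:", report["nested_jars"])
    print("other:", report["other"])
```

On a real archive, the nested jars deserve the same treatment recursively, and the JSP files should be read as source directly since they are compiled only at deployment time.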
