
Whitebox source code review cheatsheet (Based on AWAE syllabus)


Whitebox Pentest (Based on AWAE/OSWE)

This repo is based on the Offensive Security AWAE syllabus and is designed to act as a cheatsheet for the OSWE exam and for whitebox source code reviews in general.

Free Source Code Review Courses

Source Code Review Methodologies

| S. No | Approach |
|---|---|
| 1 | String matching/Grep for bugs |
| 2 | Following user input |
| 3 | Reading source code randomly |
| 4 | Read all the code |
| 5 | Check one functionality at a time (login, password reset...) |

Reference: https://pentesterlab.com/exercises/codereview/course

Dangerous Functions

References:

Enable Database Logging

MySQL/MariaDB

Modify the following values in the my.cnf file (typically located at /etc/mysql/my.cnf):

```ini
[mysqld]
general_log_file = /var/log/mysql/mariadb.log
general_log = 1
```

In the case of MariaDB, the same settings go under the [mariadb] section.
Restart the MySQL service for the change to take effect.
You can then read the log file in real time with sudo tail -f /var/log/mysql/mariadb.log (whatever path you set in general_log_file).
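The point of the general log during a review is to see the exact statement each request produces. As an added example (my code, not part of this repo), a small Python helper parses general-log entries and flags the queries containing a canary value you submitted to the app; a canary that lands outside a string literal points at string concatenation rather than a bound parameter. The log lines are constructed, and the entry format assumes the file-based general log of MySQL 5.7+/8.0 or MariaDB.

```python
import re
# Assumed entry formats: MySQL 5.7+/8.0 "2024-03-10T12:00:01.000000Z\t   12 Query\t..." or MariaDB "240310 12:00:01\t    12 Query\t..."
ENTRY_RE = re.compile(
    r"^(?P<ts>\d{6} \d\d:\d\d:\d\d|\S+)\s+(?P<cid>\d+) (?P<cmd>\w+)\t?(?P<arg>.*)$")

def parse_general_log(text):
    """Return [{ts, cid, cmd, arg}]; continuation lines of multi-line statements join the previous entry."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append(m.groupdict())
        elif entries and line.strip():
            entries[-1]["arg"] += "\n" + line
    return entries

def canary_outside_string(sql, canary):
    """True if canary occurs in sql outside a '...' literal ('' and \\' count as escaped quotes)."""
    in_str, i = False, 0
    while i < len(sql):
        ch = sql[i]
        if in_str:
            if ch == "\\":
                i += 1                      # skip the escaped character
            elif ch == "'" and sql[i + 1:i + 2] == "'":
                i += 1                      # doubled quote inside a literal
            elif ch == "'":
                in_str = False
        elif ch == "'":
            in_str = True
        elif sql.startswith(canary, i):
            return True
        i += 1
    return False

def flag_canary_queries(text, canary):
    """Query entries carrying the canary; unquoted=True means it was spliced in
    outside a string literal (e.g. a numeric id built by concatenation)."""
    return [{"cid": e["cid"], "sql": e["arg"],
             "unquoted": canary_outside_string(e["arg"], canary)}
            for e in parse_general_log(text)
            if e["cmd"] == "Query" and canary in e["arg"]]

# Constructed sample log: one connection, two queries carrying our canary value
SAMPLE_LOG = """\
2024-03-10T12:00:01.100000Z\t   12 Query\tSELECT * FROM products WHERE name LIKE '%CANARY7f3%'
2024-03-10T12:00:01.200000Z\t   12 Query\tSELECT * FROM products
WHERE id = CANARY7f3
2024-03-10T12:00:01.300000Z\t   12 Quit\t
"""
```

A canary inside a literal does not prove the statement is parameterized; it only tells you where the input landed, so follow the code path from there.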

Enable Remote Debugging

OSWE: Possible vulnerabilities that might show up in exam based on the syllabus

| Auth Bypass | RCE |
|---|---|
| SQL Injection - Payloads | Deserialization |
| Persistent Cross-Site Scripting | Bypassing File Upload Restrictions |
| IDOR | SQL Injection RCE (Postgres UDF or MySQL copy to function) |
| Weak random token generator | XXE - Payloads |
| Type Juggling | XML Injection |
| Cross-Site Request Forgery - Payloads | SSTI - Payloads |
| Authentication Token/Cookie Manipulation | Prototype Pollution |

- JavaScript Injection
- OS Command Injection

Vulnerable Code Examples

Language - PHP
XSS
LFI
SSRF
OS Command Injection
SQL Injection - Boolean
SQL Injection - Error

Code Review Checklist

  • Identify Tech Stack:
    • Programming language? What version, i.e., PHP 5 or 7?
    • Database?
    • Framework?
    • Templating engine?
    • Is it MVC based?
    • What are the communication protocols, does it use websockets?
    • Does it have an API?
    • What operating system? Find the Ubuntu version using lsb_release -a
  • Map the app
    • Use the tree -L 3 command, open the app in VSCode, or build a sitemap with Burp Suite to understand the application directory structure
    • What are the routes/pages? For a Java app search for doPost and doGet; for a Python app find routes starting with @
    • Is the app MVC based? Where are the Models, Views and Controllers located?
  • Explore the app
    • Is the application running as root?
    • Which pages don't require authentication? Prioritise testing them first
    • MVC: Check whether some logic breaks the MVC pattern, e.g. search for direct SQL queries inside controllers
  • Discover vulnerabilities
    • What are the interesting functionalities? Password reset, comment sections visible to all users, search bars, etc.
    • SQLi: Find database queries using the regex ^.*?query.*?select.*?
    • SSTI: Find the templating engine; you might have a line like app.set('view engine', 'pug'); in app.js
    • DOM based XSS: Grep for sinks. REF: https://domgo.at/cxss/sinks
    • Weak random token generator: java.util.Random is predictable and not a secure source of tokens
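As an added example (my code, not part of this repo) of the "string matching/grep for bugs" approach, the scanner below applies the search patterns from the checklist (the query/select regex, the view-engine line, DOM XSS sinks, java.util.Random, PHP command-execution sinks and route handlers) across a set of files and reports file, line and rule. The exact regexes and the sample sources are assumptions constructed for the demo; tune them per code base.

```python
import os
import re

# Grep rules taken from the checklist; the exact regexes are my assumptions about
# common code patterns and should be tuned per code base.
RULES = {
    "sqli-query-build": re.compile(r"query.*?select", re.I),
    "ssti-view-engine": re.compile(r"set\(\s*['\"]view engine['\"]", re.I),
    "dom-xss-sink": re.compile(r"\.innerHTML\s*=|document\.write\(|\beval\("),
    "weak-random": re.compile(r"java\.util\.Random|\bnew Random\("),
    "cmd-sink-php": re.compile(r"\b(?:shell_exec|exec|system|passthru|popen)\s*\("),
    "route": re.compile(r"\bdo(?:Get|Post)\s*\(|^\s*@\w+\.route\("),
}

def scan_sources(files):
    """files: {path: source text}. Returns (path, line_no, rule, line) tuples."""
    findings = []
    for path, text in files.items():
        for no, line in enumerate(text.splitlines(), start=1):
            for rule, rx in RULES.items():
                if rx.search(line):
                    findings.append((path, no, rule, line.strip()))
    return findings

def scan_tree(root, exts=(".php", ".java", ".js", ".py")):
    """Apply the same rules to a checked-out code base on disk."""
    files = {}
    for d, _, names in os.walk(root):
        for n in names:
            if n.endswith(exts):
                p = os.path.join(d, n)
                with open(p, encoding="utf-8", errors="replace") as fh:
                    files[p] = fh.read()
    return scan_sources(files)

# Constructed sample sources, one hit per rule (not from any real project)
SAMPLE = {
    "src/UserDao.java": "String query = \"SELECT * FROM users WHERE name='\" + name + \"'\";\n"
                        "String token = Integer.toString(new Random().nextInt());\n",
    "app.js": "app.set('view engine', 'pug');\nel.innerHTML = location.hash.slice(1);\n",
    "upload.php": "<?php $out = shell_exec('ls ' . $_GET['dir']); ?>\n",
    "routes.py": "@app.route('/reset')\ndef reset():\n    pass\n",
}

if __name__ == "__main__":
    for path, no, rule, line in scan_sources(SAMPLE):
        print(f"{path}:{no} [{rule}] {line}")
```

Every hit is a place to start following the input, not a confirmed bug; the regexes deliberately over-match so that nothing obvious is missed.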

OSWE Like Machines

Skeleton Scripts

| Purpose | File |
|---|---|
| Basic skeleton script which makes an HTTP request in python | main.py |
| Run shell command and capture the output | system_level_commands.py |
| Run Java from within Python | run_java_from_python.py |
| SQLI multi threaded python exploit | MYSQL_Injection_multithread.py |
| Postgres SQLI to RCE JS session riding exploit | Windows_RCE_XHR.js |
| XSS Steal cookie XHR | steal_cookie_xhr.js |

Regex

Tutorial: https://www.youtube.com/watch?v=rhzKDrUiJVk

Exam Tips:

  • Make sure you have templated exploit scripts and exam report ready, before you appear for the exam.
  • You will have to RDP into a machine to review code, so be prepared for a lag while clicking buttons and browsing through the code. It will be best to have an external monitor, it will drastically improve your performance since you will be able to look at more lines of code without scrolling. Try to make the font size in the remote code editor smaller as well, that can also help you avoid scrolling.
  • During the exam, first and foremost set up remote debugging and database query logs; you cannot survive the exam without these.
  • Once you pick up an app to test, identify all the routes, preferably listing them in a text editor as a checklist.
  • Once you have the route list, sort it by attack potential, i.e., unauthenticated routes and critical features like password reset and authentication logic should be at the top of the list.
  • Set breakpoints, supply input and go through the routes one by one to understand the complete flow and identify vulnerabilities.
  • Don't jump into exploitation straight away; what looks like a vulnerability might be a rabbit hole. Make sure you have looked at enough routes and have a fair idea of all the potentially vulnerable functionalities before you spend time on a single vulnerability.
  • Keep a note of all the confirmed/potential vulnerabilities you identify even if they don't appear to lead to auth bypass or RCE. As in the labs, the exam also involves vulnerability chaining, so you might need them later.
  • Learn multithreading to save precious exam time. It's not mandatory, but imagine testing and debugging a blind SQLi script during the exam that takes 20 minutes per run; without multithreading you'll already be putting yourself in a bad position to pass the exam.
  • Take a lot of breaks; during the breaks rethink if you are pursuing the right exploitation path.

All the best !!

Author: https://www.linkedin.com/in/hitman/