Advanced Web Attacks & Exploitation
All efforts for the AWAE course and preparation for the Offensive Security Web Expert (OSWE) exam.
Study Strategy
- Several rounds of course content
  - First round:
    - Watch videos
    - Read text and take good notes
    - Complete the main exercises
  - Second round:
    - Watch videos again
    - Read text and take more notes as needed
    - Craft your own tools and scripts in a language other than Python
    - Complete exercises AND all extra mile exercises
- Further study:
  - Find interesting vulns in open source software, find the vuln from scratch and analyze
  - Analyze APKs for Android apps. Take 8 hours and analyze several, trying to find vulns as if you're mid-test and have a time limit to find exploit chains
  - Find interesting vulns in OSS.
    - Use vuln apps first to help develop custom regex tools for SAST: WebGoat (Java), Juice Shop (JavaScript), Mutillidae (PHP), .NETGoat (C#)
    - Check out an app in each relevant language that may not have had any security review done. Try to find some vulns and get some CVEs!!
    - Check for the main suspects as taught in the course for each app, timebox it, and move on to another one.
    - Make sure to pay attention to app architecture, request routing, etc. in each language:
      - Java
      - JavaScript (Node.js)
      - PHP
      - C#/.NET
  - HackTheBox and CTFs (see wetw0rk's prep guide)
  - SecureCodeWarrior (see bookmark in AWAE)
  - Codecademy courses
    - Java
    - JavaScript
    - PHP
    - C#
Course Completion
Taken from publicly-available syllabus.
- 1. Introduction
  - Videos
  - Read/Notes
- 2. Tools & Methodologies
  - Videos
  - Read/Notes
  - 2.1.5 Exercise - Web Inspection
  - 2.2.1 Exercise - Python Requests
  - 2.3.3 Exercise - Decompilation
- 3. Atmail Mail Server Appliance: from XSS to RCE
  - Videos
  - Read/Notes
  - 3.3.1 Exercise - Vuln Discovery
  - 3.4.1 Exercise - Session Hijack
  - 3.5.4 Exercise - Session Riding
  - 3.5.5 Extra Mile - Session Riding
  - 3.6.5 Exercise - globalsaveAction Vuln Analysis
  - 3.6.7 Exercise - Make it fully automagical
  - 3.6.8 Extra Mile
    - 3.6.8 Extra Mile - Also see if you can background it completely
- 4. ATutor Auth Bypass and RCE
  - Videos
  - Read/Notes
  - 4.3.1 Exercise - Vuln Discovery
  - 4.6.3 Exercise - Data Exfil
  - 4.6.4 Extra Mile - Data Exfil
  - 4.7.1 Exercise - ATutor Auth
  - 4.7.2 Extra Mile - ATutor Auth
  - 4.8.1 Exercise - ATutor Auth
  - 4.8.2 Extra Mile - ATutor Auth
  - 4.9.1 Exercise - File Upload
  - 4.10.5 Exercise - RCE
  - 4.10.6 Extra Mile - RCE
- 5. ATutor LMS Type Juggling Vuln
  - Videos
  - Read/Notes
  - 5.4.1 Exercise - String Conversion
  - 5.6.3 Exercise - Loose Comparison
  - 5.6.4 Extra Mile - Loose Comparison
- 6. ManageEngine Applications Manager AMUserResourcesSyncServlet SQL Injection RCE
  - Videos
  - Read/Notes
  - 6.3.6 Exercise - Vuln Discovery
  - 6.5.1 Exercise - Blind Bats
  - 6.6.1 Exercise - Access FS
  - 6.6.3 Exercise - VBS file [!! Need to do the batch! Got the reverse shell... !!]
  - 6.6.4 Extra Mile - Shell via JSP
  - 6.7.4 Exercise - PostgreSQL Extensions
  - 6.8.1 Exercise - UDF Reverse Shell
  - 6.9.3 Exercise - Moar Shells
  - 6.9.4 Extra Mile - Moar Shells
- 7. Bassmaster NodeJS Arbitrary JavaScript Injection Vulnerability
  - Videos
  - Read/Notes
  - 7.6.1 Exercise - RevShell
  - 7.6.2 Extra Mile - RevShell
- 8. DotNetNuke Deserialization RCE
  - Videos
  - Read/Notes
  - 8.4.3 Exercise - Serialization Basics
  - 8.4.5 Exercise - Serialization Basics
  - 8.4.7 Exercise - Serialization Basics
  - 8.5.3 Exercise - DNN Vuln Analysis
  - 8.6.4 Exercise - Payload Options
  - 8.6.7 Exercise - Payload Options
  - 8.7.1 Exercise - Payload Options
  - 8.8.1 Extra Mile - Y SO SERIAL? .NET
  - 8.8.2 Extra Mile - Y SO SERIAL? Java
- 9. ERPNext Authentication Bypass and Server Side Template Injection
  - Videos
  - Read/Notes
  - 9.1.1.1 Exercise - Configure Kali SMTPd server
  - 9.1.2.1 Exercise - Configure remote debugging
  - 9.1.3.1 Exercise - Configure MariaDB logging
  - 9.2.3.2 Exercise - Find whitelisted functions
  - 9.3.1.2 Exercises - SQLi
  - 9.4.2.1 Exercises - Access the admin acct
  - 9.5.2.1 Exercise - Find the SSTI
  - 9.5.2.2 Extra Mile - Find another instance of SSTI
  - 9.5.3.1 Exercise - Recreate the `__class__` rendering
  - 9.5.3.2 Extra Mile - Alternative filter bypass
  - 9.6.1.1 Exercises - Recreate the filter bypass and exploit and find other classes to own
  - 9.6.2.1 Exercises - Recreate RCE and get shell
  - 9.6.2.2 Extra Mile - Get output to display
- 10. openCRX Authentication Bypass and Remote Code Execution
  - Videos
  - Read/Notes
  - 10.2.1.1 Exercise - Recreate the Rando and SecureRando
  - 10.2.4.1 Exercise - Generate a token list
  - 10.2.4.2 Extra Mile - Update token program to take start/stop
  - 10.2.5.2 Exercises - Reset password
  - 10.2.5.3 Extra Mile - Automate the attack chain
  - 10.3.6.2 Exercises - Recreate the XXE attack
  - 10.3.6.3 Extra Mile - Script to parse XXE results
  - 10.3.8.1 Exercise - Implement the "wrapper" payload
  - 10.3.9.2 Exercise - Connect to HSQLDB
  - 10.4.1.1 Exercises - Write file and confirm
  - 10.4.2.1 Exercise - Find dir with JSP files
  - 10.4.3.1 Exercises - Get. That. Shell.
- 11. openITCOCKPIT XSS and OS Command Injection - Blackbox
  - Videos
  - Read/Notes
  - 11.5.1 Exercise - Recreate the XSS
  - 11.6.2.1 Exercises - DOM rewrite
  - 11.6.2.2 Extra Mile - Prevent new page load
  - 11.6.3.1 Exercises - Finish the script and initialize the DB
  - 11.6.4.1 Exercises - Finish the API script and get a fake login page with the XSS
  - 11.6.4.2 Extra Mile - Add cookie functionality
  - 11.6.5.1 Exercises - Exploit the XSS
  - 11.6.5.2 Extra Miles - Beef up dat XSS
  - 11.6.6.1 Exercise - Dump the SQLite DB
  - 11.7.4.1 Exercise - Fuzz and find cmds
  - 11.7.5.1 Exercise - Test cmd injection
  - 11.7.6.1 Exercise - Get a meterpreter shell
  - 10.7.7 Extra Mile - Get RCE via administrator session