This repo is based on the offensive security AWAE syllabus and is designed to act as a cheatsheet for the OSWE exam and whitebox source code reviews in general.
- https://owasp.org/SecureCodingDojo/codereview101/
- https://pentesterlab.com/exercises/codereview/course
| S. No | Approach |
|---|---|
| 1 | String matching/Grep for bugs |
| 2 | Following user input |
| 3 | Reading source code randomly |
| 4 | Read all the code |
| 5 | Check one functionality at a time (login, password reset...) |
Reference: https://pentesterlab.com/exercises/codereview/course
References:
- Nodejs: https://github.com/rinku191/OSWE-prepration/wiki/Nodejs-Dangerous-function
- C#: https://github.com/rinku191/OSWE-prepration/wiki/C%23-Dangerous-Function
- PHP: https://github.com/rinku191/OSWE-prepration/wiki/PHP-Dangerous-function
- Java: https://github.com/Cryin/JavaID
- Java, Ruby, ASP.NET, PHP, Android: https://github.com/cldrn/InsecureProgrammingDB
MySQL/MariaDB
Modify the following values on my.cnf file(Typically located at /etc/mysql/my.cnf)
```
[mysqld]
general_log_file = /var/log/mysql/mariadb.log
general_log = 1
```
*In case of mariadb the settings will be present under [mariadb]
Restart the mysql service for the change to take affect
You can read the log file in realtime using sudo tail -f /var/log/mysql/mysql.log
- Java: https://stackify.com/java-remote-debugging/
- Java: https://stackoverflow.com/questions/975271/remote-debugging-a-java-application
- Java, PHP, NodeJs: [Requires access to offsec forums] https://forums.offensive-security.com/showthread.php?37965-Visual-Studio-Code-debugging&p=172805
| Auth Bypass | RCE |
|---|---|
| SQL Injection - Payloads | Deserialization |
| Persistent Cross-Site Scripting | Bypassing File Upload Restrictions |
| IDOR | SQL Injection RCE (Postgres UDF or Mysql copy to function) |
| Weak random token generator | XXE - Payloads |
| Type Juggling | XML Injection |
| Cross-Site Request Forgery - Payloads | SSTI - Payloads |
| Authentication Token/Cookie Manipulation | Prototype Pollution |
| - | JavaScript Injection |
| - | OS Command Injection |
| Language - PHP |
|---|
| XSS |
| LFI |
| SSRF |
| OS Command Injection |
| SQL Injection - Boolean |
| SQL Injection - Error |
- Identify Tech Stack:
- Programming language? What version, i.e., PHP 5 or 7?
- Database?
- Framework?
- Templating engine?
- Is it MVC based?
- What are the communication protocols, does it use websockets?
- Does it have an API?
- What Opertating System? find ubuntu version using lsb_release -a
- Map the app
- Use
tree -L 3command, open the app inVSCodeor build a sitemap usingburp suiteto understand the application directory structure - What are the routes/pages? If java app search for
doPostanddoGet. In case of python find routes starting with@ - Is the app MVC based? where are the
Models,ViewsandControllerslocated?
- Use
- Explore the app
- Is the application running as root?
- Which pages don't require authentication? You can prioritise testing them first
- MVC: Check if some logic breaks the MVC driven pattern, try to search for direct SQL queries within controller
- Discover vulnerabilities
- What are the interesting functionalities? Password reset, comment section visible to all users, search bar etc
- SQLi: Find database queries using regex
^.*?query.*?select.*? - SSTI: Find templating engine, you might have a similar line
app.set('view engine', 'pug');inapp.js - DOM based XSS: Grep for sinks. REF: https://domgo.at/cxss/sinks
- Weak random token generator:
java.util.randomis vulnerable
| Purpose | File |
|---|---|
| Basic skeleton script which makes an HTTP request in python | main.py |
| Run shell command and capture the output | system_level_commands.py |
| Run Java from within Python | run_java_from_python.py |
| SQLI multi threaded python exploit | MYSQL_Injection_multithread.py |
| Postgres SQLI to RCE JS session riding exploit | Windows_RCE_XHR.js |
| XSS Steal cookie XHR | steal_cookie_xhr.js |
Tutorial: https://www.youtube.com/watch?v=rhzKDrUiJVk
- Make sure you have templated exploit scripts and exam report ready, before you appear for the exam.
- You will have to RDP into a machine to review code, so be prepared for a lag while clicking buttons and browsing through the code. It will be best to have an external monitor, it will drastically improve your performance since you will be able to look at more lines of code without scrolling. Try to make the font size in the remote code editor smaller as well, that can also help you avoid scrolling.
- During exam, first & foremost setup remote debugging & database query logs, you cannot survive the exam without these.
- Once you pickup an app to test, identify all the routes, preferably list them in a text editor as a checklist.
- Once you have the routes list, sort them based on attack potential i.e., unauthenticated routes and critical features like password reset, authentication logic etc should be on top of the list.
- Set breakpoints, supply input and go one by one through the routes to understand the complete flow and try to identify vulnerabilities.
- Don't jump into exploitation straight away, what looks like a vulnerability might be a rabbit hole, make sure you have looked into enough routes and have a fair idea of what all potential vulnerable functionalities are present before you decide to spend time on a single vulnerability.
- Keep a note of all the confirmed/potential vulnerabilities you identify even if they don't appear to lead to auth bypass or RCE, same as labs the exam also involves vulnerability chaining, you might need them later.
- Learn multithreading to save your precious exam time, it's not mandatory but just imagine testing & debugging a Blind SQLi script during the exam which takes 20 minutes for each run. Without multithreading you'll already be putting yourself in a bad position to pass the exam.
- Take a lot of breaks; during the breaks rethink if you are pursuing the right exploitation path.
All the best !!