Exploitation - Overview

Once the mapping, and some basic functional analysis, of the web application have been conducted, the next step is to identify as much vulnerabilities as possible. Summary of the vulnerabilities impacting web applications:

Component	Possible vulnerabilities
HTTP stack	Information leakage through HTTP headers or error message Supports of unnecessary HTTP methods HTTP headers misconfiguration /cgi-bin Shellshock
Clear text communications	Transmission of credentials and sensitive data Session hijacking
SSL/TLS configuration	Use of an invalid certificate Supports of insecure encryption protocols or algorithms
Third-party components	Use of unsecure default configuration CVE & public exploits
Client-side validation	Absence of replicated checks server side
Authentication	Username enumeration Weak password policy Absence of brute force protection mechanisms Desin flaws of auxiliary functionalities
Session	Predictable tokens Insecure handling of tokens
Access control	Horizontal partitioning bypass Vertical privilege escalation
Business logic	Absence of business validation on data input Business flaw and vulnerability by design Absence of anti Cross Site Request Forgery token on core business functionality
User-supplied data	Cross-site scripting SQL injection LDAP injection Template injection OS code injection
XML	XML Injection XML External Entities (XXE)
File download	Path traversal Local and remote file inclusion
File upload	Shell/reverse shell upload Malicious file upload
Native code interaction	Buffer overflows
Dynamic redirects	Redirection and header injection attacks
Off-site links & API	Communication of sensible or tracking information Leak of query string parameters in the Referer header

Component

Possible vulnerabilities

HTTP stack

Information leakage through HTTP headers or error message Supports of unnecessary HTTP methods HTTP headers misconfiguration /cgi-bin Shellshock

Clear text communications

Transmission of credentials and sensitive data Session hijacking

SSL/TLS configuration

Use of an invalid certificate Supports of insecure encryption protocols or algorithms

Third-party components

Use of unsecure default configuration CVE & public exploits

Client-side validation

Absence of replicated checks server side

Authentication

Username enumeration Weak password policy Absence of brute force protection mechanisms Desin flaws of auxiliary functionalities

Session

Predictable tokens Insecure handling of tokens

Access control

Horizontal partitioning bypass Vertical privilege escalation

Business logic

Absence of business validation on data input Business flaw and vulnerability by design Absence of anti Cross Site Request Forgery token on core business functionality

User-supplied data

Cross-site scripting SQL injection LDAP injection Template injection OS code injection

XML

XML Injection XML External Entities (XXE)

File download

Path traversal Local and remote file inclusion

File upload

Shell/reverse shell upload Malicious file upload

Native code interaction

Buffer overflows

Dynamic redirects

Redirection and header injection attacks