Summary of web security vulnerabilities

SQL injection is to insert SQL commands into web forms to submit or enter query strings of domain names or page requests, and finally achieve the purpose of deceiving the server to execute malicious SQL commands. When the application processes the request, if the parameters are not fully verified and filtered, the attacker Malicious queries can be executed by modifying parameter values

Vulnerability classification:

By request type:

GET type : inject malicious SQL statements by modifying parameter values in the URL.

POST type : inject malicious SQL statements by modifying the parameter values in the POST request

Cookie injection type : inject malicious SQL statements into the Cookie parameter of the request header,

Note: (SQL injection attacks may not be limited to a certain type of request, attackers can try different ways to inject malicious SQL statements)

By character type:

Numeric : An attacker attempts to inject SQL code into a numeric data field. Usually add a test statement after: and 1=1

Character type : inject SQL code into the character type data field, and usually add a test statement after it: 'or 1=1

According to the test method:

Error reporting : This is based on the vulnerability that the application returns detailed information when processing errors. By constructing malicious SQL statements, the application is triggered to generate errors, and obtain sensitive data or perform other malicious operations from the error information.

Delay : This is an attack method that uses the difference in response time to determine the vulnerability. By constructing a malicious SQL statement, the delay function of the database management system is used to determine whether the query is successfully executed, and the SQL injection vulnerability is speculated accordingly. Existence, use functions such as sleep() or benchmark() to make mysql execute longer

Blind injection type : The attacker cannot directly obtain detailed information about the injection result from the response, and then construct a specific SQL statement to infer the result of the query by using the response difference under different conditions. A blind injection function is commonly used: substr() , Left(), ORD()

Boolean : An attack method in which the result of a Boolean conditional statement in the response is used to determine whether the query was executed successfully. By constructing a malicious SQL statement and observing the response of the application, the result of the SQL query is inferred. The result does not return database data, and the results are false and true.

Vulnerabilities exist in common places:

User input form: users can submit data to the server through the form of the website (such as search box, registration form, login form, etc.)

URL parameters: In some applications, URL parameters are used to dynamically generate SQL queries

Cookies: Some applications store some user data in cookies and use that data in subsequent requests

HTTP header information: The attacker injects malicious SQL statements (UserAgent, Referer, etc.) by modifying the value in the header information of the HTTP request

Hidden fields: Some websites store data using hidden fields that can be automatically included in the request when the form is submitted

Exploitation:

Obtain the private information of the target stored in the background database, and further use this information to infiltrate and expand;

Hang a horse on the target website to further carry out targeted phishing attacks;

Obtain the control authority of the background application system and further control the background server. Method 1: Write a select into outfile x through SQL injection into webshell Method 2: Use the --os-cmd parameter of this SQLMAP to perform webshll Method 3: Yes --os-shell way to write webshel

Vulnerability Defense:

Parameterized query interface, because a parameterized query interface can achieve parameter filtering and execution reuse, which can ensure that the semantics of the SQL statement does not change, and maintain an original query meaning. Simply put, parameterization can prevent The reason for injection is that a statement is a statement, a parameter is a parameter, and the value of a parameter is not part of the statement. The database only runs according to the semantics of the statement, so even if some malicious instructions are written in the parameter, the SQL server will not execute it. Instructive

Strictly verify and filter all user input, and ensure that the input data conforms to the expected format and type for keywords or special characters (keywords: and, or, select, declare, update, xp_cmdshell, special characters: ', " ;)

Configure additional configuration to avoid printing some error messages of SQL

Restrict the privileges of database users to ensure that database users can only perform necessary operations and restrict their access to database structures

Use security tools like Web Application Firewall (WAF) to detect and block SQL injection attacks

Attack Traffic Characteristics

The traffic related to sql is divided into two parts, one is generated by the application itself, and the other is the real attack. If the security device alarm is triggered due to the occurrence of the select keyword, it is first necessary to determine whether it is an SQL statement or a parameter name False positives caused by the select keyword. If it is not a false negative, then look at what the SQL statement is written to determine whether it is harmful. If it is a business SQL statement, you can check whether it contains malicious functions or sensitive high-risk operations. If not, then contact the business to confirm whether it is the code design defect of the application itself that directly transmits the SQL statement in the parameter

Common methods to bypass waf interception

Generally, there are two methods to find the waf interception method: black box test and white box test:

White box: find bypass methods through code audit

Black box: from the perspective of resource limitation at the architectural level Bypassing the rule level at the protocol level Bypassing the
architectural level : looking for the source site address, suitable for scenarios where cloud waf is used Use hosts or servers on the same network segment for intranet injection, bypassing waf defense
resource limitation perspective : It is to post a large data packet. The online waf device generally considers the running speed. The detection of large data packets will waste a lot of hardware resources, so it generally does not filter large traffic packets and can send large files to bypass the protocol layer
. : If the page only filters the get method but does not filter the post or a certain file, by modifying other unfiltered formats to bypass the protocol, there is also a pollution rule level bypass for parameters: comment
character bypass Bypassing function segmentation by blank characters Bypassing floating-point numbers Bypassing sql injection using error base, bypassing MySQL special syntax

2. File upload vulnerability

Vulnerability Explanation and Causes:

The file upload vulnerability refers to the lack of control or processing defects in the part of the user's file upload by the programmer, which leads to the user being able to upload an executable dynamic script file to the server beyond his/her own authority. The files uploaded here can be Trojan horses, viruses, malicious scripts or WebShells, etc. There is no problem with "file upload" itself. The problem is how the server processes and interprets the file after the file is uploaded. If the processing logic of the server is not secure enough, it will lead to serious consequences.

exploit

Upload script files to the target website or application, collect key information or obtain target control authority through the script;

Upload Trojan horse files to target websites or applications to carry out watering hole attacks.

edit

File upload attack process

Vulnerabilities exist in common places:

There is usually a file upload function, such as posting pictures on BBS, posting ZIP archives on personal websites, posting DOC files on office platforms, etc. As long as the web application allows file uploads, there may be file upload vulnerabilities

Vulnerability Defense

File Type Verification: Limit the file types allowed to be uploaded, only allow uploads of verified file types, and exclude executable files, script files, or other dangerous types of files.

File Size Limit: Limit the size of uploaded files to prevent attackers from uploading large files and consuming server resources.

File name verification: Verify and filter uploaded file names to prevent the use of malicious file names.

File content inspection: After receiving the file, check and analyze the file content, such as using a security scanning tool to detect whether the file contains malicious code.

Storage Security: Store uploaded files in a secure location and make sure the files cannot be executed directly

Ways to bypass waf interception

Modify upload form fields

Form Field Case Replacement

Form fields increase or decrease spaces

Form field string concatenation

Construct a dual file upload form,

Upload two files at the same time

encoding bypass

Junk data padding bypass

filename case bypass

In addition, regarding the server detection bypass file upload vulnerability:

MIME type bypass

Front-end JS detection packet capture and packet modification bypass

Blacklist bypass: php3, asa, ashx, windows features (test.asp_, stream features), apache parsing vulnerabilities

Image content detection uses image horse bypass.htassess bypass

3. The file contains vulnerabilities

Vulnerability Explanation and Causes:

File Inclusion Vulnerability (File Inclusion Vulnerability) refers to a vulnerability in an application that can dynamically include other files at runtime. An attacker can use this vulnerability to execute unauthorized code, access sensitive files, or perform other tasks in the system. Malicious operation

The reason for the vulnerability:

Insufficient user input validation : The file path or file name input by the user is not correctly verified, and file inclusion attacks are implemented by constructing malicious file names or paths.

Unsafe file includes functions : Some programming languages and frameworks provide file include functions, such as PHP's include(), require()or Python's import, etc. If these functions are used incorrectly, without properly verifying the origin and integrity of the file, an attacker may construct a special file path to execute malicious code.

Weak passwords or unauthorized access : If attackers are able to guess or decipher file paths or filenames used by applications, they may gain access to sensitive files through file containment vulnerabilities. This could involve access through a directory traversal attack or using known weak passwords.

Referencing untrusted files : If an application references files from untrusted sources, such as using user-uploaded files or remote resources, without properly verifying the integrity and origin of the files, an attacker can tamper with these files to execute malicious code .

Insecure file permission settings : If an application is running on a server and file permissions are set incorrectly, an attacker may be able to directly access sensitive files, exploiting a file inclusion vulnerability.

exploit

File reading : Attackers can use file inclusion vulnerabilities to read sensitive files on the server, such as configuration files, authentication credentials, keys, etc. This sensitive information may be used in subsequent attacks or other illegal activities.

Remote code execution : Attackers can execute malicious code through file inclusion vulnerabilities, inject their own code into the attacked application, execute arbitrary commands on the server, run malicious scripts, or gain full system access rights.

Obtain control of the server : Trojan horses can be installed on the server, and the shell can be reversed by accessing files to obtain control

Containing remote file packages: Attackers can use file containment vulnerabilities to contain remote malicious files, such as remote Trojan horses or malicious scripts, to further infiltrate and control the affected system.

Vulnerability Defense

Strictly verify and filter user input to ensure that the file name or path provided by the user is legal and safe.

Use safe file include functions and properly verify the origin and integrity of files.

Avoid referencing untrusted files, use fixed file paths where possible, and restrict access to files.

Operating systems, frameworks, and libraries are regularly updated and fixed to avoid known file inclusion vulnerabilities.

Enforce secure programming practices such as code review, input validation, and output encoding to reduce other security vulnerabilities in your application.

Ways to bypass waf interception

Bypass filtering rules: WAFs typically use rule sets to detect and block malicious requests. Attackers can attempt to bypass these rules by using special characters, encodings, morphing techniques, or multiple multipart loads. For example, obfuscating requests with URL encoding, Unicode encoding, double encoding, or line breaks, etc.

Character truncation: An attacker may exploit the character truncation vulnerability in the file inclusion vulnerability to bypass WAF. They will try to use special characters or truncation techniques to remove or bypass the detection rules used by the WAF. For example, use spaces, null bytes, truncated null bytes, or other byte truncation techniques to bypass string matching.

Encoding and obfuscation: Attackers can use various encoding and obfuscation techniques to hide malicious code and bypass WAF detection. This may include using Base64 encoding, HEX encoding, HTML entity encoding, JavaScript encoding or a combination of encoding techniques.

Bypassing file type detection: WAFs typically detect requested file types to prevent file inclusion vulnerabilities. An attacker could try to change the requested file extension or use a bogus file type to bypass this detection. They may also try to mix in other types of requests, such as images, text or data files, to make it harder for the WAF to identify malicious requests.

4. Command execution vulnerability

Vulnerability Explanation and Causes:

The command execution vulnerability is a vulnerability caused by the data submitted by the user being parsed and executed due to lax code filtering on web applications, network devices, and business systems. The reason for this is that the execution function is not filtered when the target application or device is developed. Insufficient security monitoring of commands entered by users.

Causes of command execution:

No filtering or lax filtering of user input, for example, no filtering of &, &&, |, || and other connectors

Command execution caused by system vulnerabilities, bash shell vulnerability (CVE-2014-6271), this vulnerability can construct the value of environment variables to execute offensive script code, which will affect various applications of bash interaction, such as http, ssh and dhcp etc.

There are code execution vulnerabilities in the third-party components called, php (system(), shell_exec(), exec(), eval()), command execution vulnerabilities in JAVA (struts2/ElasticsearchGroovy, etc.)

Vulnerability classification:

Command execution vulnerabilities can be divided into system command execution and script (PHP, JSP, etc.) code execution, which are realized by passing in system commands and script codes respectively:

System command execution: In a system command execution vulnerability, an attacker executes system-level operations by injecting malicious commands. This can happen in applications where user input is spliced directly into system commands without proper validation and filtering, an attacker can inject a malicious command and execute it

Script code execution: Execution of scripting language (such as PHP, JSP, etc.) vulnerabilities by injecting script code. This kind of vulnerability usually occurs in dynamic web pages or applications, and attackers can perform illegal operations by injecting malicious script code in parameters or user input

Vulnerabilities exist in common places:

This vulnerability may exist anywhere where the server does not properly filter and validate data that has not been submitted by the user:

Web application: In a web application, input validation is insufficient in places such as form submission, URL parameters, and file upload.

Command-line applications: Command-line applications accept user input and execute related system commands without properly validating and filtering user input

Remote Services and API: When an application interacts with a remote service

File parsing and rendering: the application parses or renders file content (such as parsing templates, parsing documents, rendering images, etc.),

cron jobs and scripts: in cron jobs, background scripts or batch scripts

Plug-ins and custom code: These plug-ins or custom code have not been reviewed for security or have security vulnerabilities,

Inter-application communication: Communication between applications is insufficient or not properly secured,

Exploitation:

Obtain system operation authority: By executing malicious commands, obtain system operation authority and escalate privileges so that it can perform higher-level operations, tamper with system configuration, access sensitive data, or perform other malicious activities.

Data leakage: Execute malicious commands to obtain sensitive data in the system, such as database credentials, user information, password files, etc.

Further intrusion: Upload and execute malware, establish backdoors, scan the network as a springboard, and launch other attacks from within.

Vulnerability Defense

System command execution vulnerability defense measures:

Input validation and filtering: Strictly validate and filter user input data to ensure that potential command injection characters are not allowed. A whitelist or a regular expression can be used to limit the legal characters entered.

Parameterized query or precompiled statement: For parameters related to system commands, use parameterized query or precompiled statement instead of directly splicing user input into system commands.

Principle of Least Privilege: Ensure that the process or user executing the command has minimal privileges to reduce the scope of potential attacks.

Script code execution vulnerabilities, you can take the following defensive measures:

Input validation and filtering: Strictly validate and filter user input, remove or escape special characters that may contain malicious code to prevent script execution.

Output Encoding: Ensure that user input is properly encoded before returning it to the user as part of the output to prevent script code execution.

Use safe functions and frameworks: Build applications using functions and frameworks that have good security logging and validating user input to reduce the risk of script code execution.

Common methods to bypass waf interception:

Character truncation and encoding: Use spaces, null bytes, truncated null bytes, or URL encoding to bypass string matching.

Splitting and splicing commands: splitting malicious commands into multiple parts, and then constructing command execution by splicing, concatenating, or combining these parts. This allows command parts to evade detection in WAF rules.

Obfuscation and deformation: Attackers can use various obfuscation and deformation techniques to hide malicious commands and their parameters to bypass regular expression or signature detection of WAF. This may include the use of encoding, encryption, character substitution and other obfuscation techniques.

Bypass command execution restrictions: Sometimes WAF can restrict specific commands and keywords to prevent command execution vulnerabilities. Attackers can try to use bypass tricks and other variants of command execution, such as using another language or tool to execute the command.

5. Code Execution Vulnerabilities

Vulnerability Explanation and Causes:

Attackers can execute malicious code or commands on the target system, leading to code execution vulnerabilities. Possible causes:

Secure user input handling: The application does not properly validate, filter, or escape user input data, allowing attackers to inject malicious code or commands in the input, resulting in code execution.

Dynamic code execution: Some applications allow dynamic code execution, such as using functions such as eval(), exec(), or deserialization. If the input is not properly validated and restricted before executing these dynamic codes, attackers can construct malicious code and execute it.

File Upload: Failure to properly validate and process uploaded files leads to file upload vulnerabilities, uploading files containing malicious code, and accessing and executing these files leads to code execution vulnerabilities

Remote command execution: When an application communicates with a remote system or service, such as executing a remote command or through a remote API call, if the input data is not properly validated, an attacker may inject malicious commands to execute remote code.

exploit

Remote command execution reverse shell: use code execution vulnerabilities to inject malicious code, and execute remote commands on the target system to achieve the goal of obtaining server control permissions, and then use it as a springboard to further attack or collect information.

Access and tamper with data: Access or tamper with sensitive data in applications or databases.

Malicious file upload: Through code execution vulnerabilities, upload malicious files and execute them on the target system. Lead to remote command execution, backdoor creation, privilege escalation, etc.

Vulnerability Defense

Input validation and filtering: For user input and external data, strict validation, filtering and escaping are performed to ensure that only expected safe characters and formats are allowed.

Use safe execution methods: Avoid using functions that dynamically execute code, such as eval(), exec(), etc. If dynamic code must be executed, ensure that inputs are strictly restricted and validated to minimize risk.

File upload control: For the file upload function, strict file type verification, file size limitation and safe storage measures are implemented to ensure that files uploaded by users do not contain malicious code.

6. xxe vulnerability

Vulnerability Explanation and Causes:

XXE (XML External Entity Injection), xml external entity injection vulnerability, XXE vulnerability occurs when the application parses the XML input, and the loading of external entities is not prohibited, resulting in the loading of malicious external files, resulting in file reading, command execution, and intranet ports Scanning, attacking intranet websites, launching dos attacks and other hazards. The point where the xxe vulnerability is triggered is often the location where the xml file can be uploaded, and the uploaded xml file is not filtered, resulting in the upload of malicious xml files.

XML is a structural markup language used to mark electronic files. It can be used to mark data and define data types. It is a source language that allows users to define their own markup languages. XML document structure includes XML statement, DTD document type definition, document element.

Exploitation:

Read sensitive files: Read sensitive files on the server, such as configuration files, user credentials, private keys and other sensitive information files, to further collect important information and prepare for other attacks

Execute remote requests: Inject malicious external entity references through XXE vulnerabilities, thereby triggering remote requests, and finally obtain server permissions through a series of operations.

Internal Port Scanning: Attackers can perform internal port scanning through XXE vulnerabilities to detect other accessible services and vulnerabilities in the target network.

SSRF attack: Through the XXE vulnerability, the server is used to initiate requests for other services, thereby performing server-side request forgery (SSRF) attacks, attacking internal systems or accessing undisclosed resources.

Vulnerability Defense:

Input Validation and Filtering: Validate and filter XML data entered by users to ensure that it does not contain malicious external entity references. You can use whitelists or blacklists to restrict specific entity references or prohibit the use of external entities.

Use a safe XML parser: Use a safe XML parser, such as a SAX (Simple API for XML) parser, which does not support entity extensions. Avoid using parsers with entity extensions, such as DOM (Document Object Model) parsers.

Disable Entity Expansion: Disables the entity expansion feature in the XML parser's configuration. For some parsers, related attributes or options can be set before parsing XML data to disable entity expansion.

Use a secure XML processing library: Choose a widely recognized and security-audited XML processing library.

Principle of Least Privilege: When parsing and processing XML data, ensure that minimal privileges are used. Even if attacked, the attacker can only obtain limited information.

Input validation and output encoding: For user input and output XML data, adequate input validation and output encoding are performed. Ensuring that the input does not contain malicious content and encoding the output appropriately prevents attackers from exploiting vulnerabilities.

7. ssrf vulnerability, xss vulnerability, csrf vulnerability

Vulnerability explained:

xss (cross-site scripting): Insert malicious Script code. If the server does not recognize the content, the content will be sent to the specified location. If the page is returned, it will invade into the page. When the user browses the page, it will be embedded in the Web The script code inside will be executed, so as to achieve the purpose of maliciously attacking users

csrf (Cross-Site Request Forgery): The attacker steals the user's identity and initiates a malicious request in the name of the user. The server does not identify the identity, and will consider the request to be initiated by the user, and will respond according to the request.

ssrf (server request forgery): The attacker will forge the server to send a request to the internal network or other protected resources. If the server does not recognize it, it will consider it a server request and respond normally.

What is the difference between CSRF and SSRF?

CSRF is Cross Site Request Forgery initiated by the client

SSRF is a server request forgery initiated by the server

Vulnerability classification:

XSS is divided into three categories:

Reflective XSS: Non-persistent, by injecting js code, when returning to the page, it is integrated into the front-end page, when the user clicks on the link, it will trigger the XSS code (there is no such page and content in the server), and it is generally easy to appear in the search page

Stored XSS: Persistence, by injecting js code, stored in the server, such as inserting code in personal information or publishing articles, if there is no filtering or filtering is not strict, then these codes will be stored in the server and accessed by users When the page triggers code execution. This kind of XSS is more dangerous, it is easy to cause worms and steal cookies

DOM type XSS: XSS formed by modifying the DOM node of the page

The difference between DOM type and reflection type:

Vulnerabilities are exploited in different locations: DOM-type XSS utilizes the DOM (Document Object Model) in the client, and reflection-type XSS utilizes the response returned by the server

Attack method: DOM-type XSS: The attack is triggered by modifying the DOM structure, using JavaScript to modify the content or attributes of DOM elements, thereby inserting malicious scripts. Reflected XSS is triggered by constructing malicious requests, usually by modifying URL parameters or form data, and injecting malicious scripts into the page

Scope of influence: The scope of influence of DOM-type XSS mainly depends on the execution location and access rights of malicious scripts, and the scope of influence of reflected XSS mainly depends on whether the user clicks on a maliciously constructed URL or submits a maliciously constructed form

exploit

xss exploit

Implant malicious code on the target website, and carry out further attack and penetration in a targeted manner;

Steal the security authentication information of website administrators or access users, and further expand to personal hosts;

Hijack user sessions to further obtain website user privacy, including accounts, browsing history, IP addresses, etc.

cssrf vulnerability:

Unauthorized operations: Attackers can use CSRF vulnerabilities to deceive authenticated users to perform some unauthorized operations, such as changing passwords, modifying user settings, performing financial transactions, etc., and may also use forgery to obtain sensitive user information.

Phishing attack: Attackers can use CSRF vulnerabilities to generate phishing links to pretend to be trusted websites or services, and trick users into performing certain operations, such as entering sensitive information or downloading malicious files.

ssrf vulnerability

Probe and access internal networks: obtain sensitive data or control internal resources,

Attacking external services: An attacker can specify the URL of an external service, such as sending a request to a third-party service provider to send a malicious request, launch a DDoS attack, and so on.

Vulnerability Defense

xss vulnerability :

Input validation and filtering: Use regular expressions, whitelists or blacklists to strictly validate and filter to ensure that only legal inputs are accepted

Output encoding: When outputting user-input data to an HTML page, properly encode it and convert special characters into HTML entities.

Content Security Policy (CSP): By setting CSP, limit the resources that can be loaded and the code that can be executed in the page, thereby reducing the risk of XSS attacks. CSP can restrict script execution in the page, prohibit inline scripts, restrict external resource loading, etc.

HTTP-only mark: Mark sensitive cookies as HTTP-only, so that they can only be accessed through the HTTP protocol, preventing JavaScript scripts from obtaining sensitive information.

Secure HTTP headers: configure secure HTTP headers, such as Strict-Transport-Security (HSTS), X-XSS-Protection, X-Content-Type-Options, etc., to increase application security.

csrf vulnerability :

The refer field is added to the request header, and the Referer header field is a field in the HTTP protocol, which is used to identify the source address of the request. The server can validate the Referer field to confirm the legitimacy of the request. When performing sensitive operations (such as modification and deletion), the server can check the Referer field and reject the request if the source address is illegal

Use token verification to generate a random Token for each user, and embed it in an HTML page or send it to the client through a cookie. When performing sensitive operations, the client needs to send Token as a parameter or part of the request header to the server for verification

Double cookie verification: store the user's identity information in the cookie, and store it in the server-side session at the same time, and verify it when requesting.

Restrict sensitive operations: For sensitive operations, such as changing passwords or important data changes, require users to authenticate themselves, such as entering a password or performing a second confirmation.

Same-Origin Policy: Use Same-Origin Policy to restrict cross-domain requests in pages and reduce the risk of CSRF attacks.

ssrf vulnerability :

Restrict IP: During the input verification process, users are prohibited from entering specific IP address ranges, such as private IP address ranges (starting with 172, 10, and 192), to prevent requests from being sent to the local or internal network.

Restricted protocols: Only specific protocols such as HTTP and HTTPS are allowed, and other protocols are prohibited to prevent requests from being sent to insecure protocols.

Port restriction: The target port of the restriction request can only be the port commonly used by HTTP, such as 80, 443, 8080, etc., to prevent requests to other unnecessary ports and reduce the attack surface.

Filter return information: After sending the request, filter and verify the response returned by the remote server. Check whether the returned response contains sensitive information or content that may lead to vulnerability exploitation, such as internal IP address, file path, etc.

Unified error information: For an error request caused by a direct connection to a certain port, similar error information can be returned uniformly without revealing the existence of a specific port, preventing attackers from judging the port status of the remote server based on the error information

Common places for vulnerabilities:

Xss vulnerability: various input points, names, uploads, messages, interactive places, all inputs may have xss vulnerabilities

Common bypass waf interception

xss vulnerability:

\1. Mixed case

\2. double write

3. Coding

\4. fuzz low frequency use tag <details/open/ontoggle>

\5. Fuzz low-frequency use function ontoggle, etc.

6.<img/src=1>

7. %0a or %0d bypass

csrf vulnerability:

ssrf vulnerability:

Remote picture downloading, loading remote files, offline downloading, remote avatars, webpage translation, etc. where the server needs to initiate a request

8. Deserialization vulnerability

Vulnerability Explanation and Causes:

Serialization is the process of converting an object into a stream of bytes, while deserialization is the process of converting a stream of bytes back into an object. Manipulating deserialized data to perform unauthorized operations or trigger unexpected behavior is a deserialization vulnerability, which usually occurs in applications that receive and process serialized data from untrusted sources

exploit

Execute remote code: Construct malicious serialized data to execute arbitrary code on the target system, bypass authentication, reverse shell intrusion into the server, and then perform privilege escalation, control the target system, obtain important sensitive data, and further attack other systems.

Vulnerability Defense

Input Validation and Filtering: Validate and filter serialized data from untrusted sources to ensure data integrity and legality.

Mandatory type checking: Before deserialization, strict type checking is performed to prevent objects of unknown or malicious types from being created.

Minimize permissions on serializable objects: only serialize necessary data, and avoid serializing sensitive data or privileged objects.

Common Vulnerabilities

Remote Procedure Calls (RPC): When applications use RPC for remote communication, there is a risk of deserialization vulnerabilities. An attacker can send malicious serialized data to the target application to achieve code execution or other malicious behavior.

Web Applications: Web applications typically use serialization and deserialization to process user-submitted data, such as via cookies, forms, URL parameters, etc. Deserialization vulnerabilities may exist if the application does not adequately validate and sanitize user input, and does not perform security checks when deserializing.

Distributed systems and message queues: In distributed systems, message queues are often used to communicate between components. If the message queue uses serialization and deserialization mechanisms, and does not properly validate and filter the received message data, then there may be a deserialization vulnerability.

Third-Party Components and Libraries: There may be unresolved deserialization vulnerabilities in applications using third-party components or libraries. If the application does not update these components or libraries in a timely manner, attackers may exploit these vulnerabilities to attack

9. Middleware vulnerabilities

Vulnerability Explanation and Causes:

Middleware vulnerabilities refer to security vulnerabilities in middleware used in applications (such as operating systems, databases, Web servers, etc.). These vulnerabilities could allow malicious users or attackers to exploit system vulnerabilities to perform unauthorized operations or access sensitive information.

There are many possibilities for the formation of middleware vulnerabilities, the following are a few common reasons:

Software bugs: There may be bugs or flaws in the middleware software development process that could be exploited by attackers. For example, logic errors in program code, buffer overflows, incomplete input validation, etc.

Not up-to-date: Middleware vendors often release security patches to fix discovered vulnerabilities. If system administrators do not install these patches in a timely manner, attackers can exploit known vulnerabilities to break into the system.

Default configuration issues: Middleware software often has default configurations that can be flawed in terms of security. An attacker can break into a system by exploiting a weakness in the default configuration. Therefore, when using middleware, it is imperative to pay close attention to the security configuration and customize it appropriately.

Weak passwords or default credentials: Middleware software often has default usernames and passwords, and if system administrators do not change these credentials or set strong password policies, attackers can easily break into the system.

Third-party component vulnerabilities: Middleware software often uses third-party components or libraries to implement specific functions. If there are vulnerabilities in these components, attackers can exploit the vulnerabilities of these components to invade the system

Vulnerabilities exist in common places

IIS:

IIS6.0 PUT vulnerability

IIS6.0 Remote Code Execution Vulnerability

IIS6.0 Parsing Vulnerability IIS Enables .net Short Filename Vulnerability

IS7.0/7.5 parsing vulnerability

Apache:

Unknown extension parsing vulnerability

Parsing vulnerabilities and directory traversal caused by coordination errors

Nginx：

Parsing vulnerabilities and directory traversal caused by configuration errors

Tomcat:

Arbitrary code execution and arbitrary file writing vulnerabilities caused by configuration errors

Weak password + management background war package deployment getshell manager/html

Management background weak password blasting

JBoss:

x/6.x deserialization vulnerability (CVE-2017-12149)

JMXInvokerServlet deserialization

EJBInvokerServlet deserialization

Unauthorized access to JMX Console

Weak password + management background war package deployment getshell

WebLogic:

XMLDecoder Deserialization Vulnerability (CVE-2017-10271 & CVE-2017-3506)

wls9_async_response, wls-wsat deserialization remote code execution vulnerability (CVE-2019-2725)

WLS Core Components Deserialization Command Execution Vulnerability (CVE-2018-2628)

Weak password + management background war package deployment getshell

exploit

Timely Updates and Patches: Keep middleware up-to-date and use the latest security patches. Many middleware vendors release fixes for known vulnerabilities. Regularly check the vendor's website to ensure that the middleware used in the system is up to date.

Hardened configuration: Ensure middleware is configured in accordance with best security practices. Review and tune middleware default configurations based on vendor recommendations and relevant security guidelines. Disable unnecessary features and services, restrict access, and set strong passwords and access controls.

Strong network security protection: firewall, intrusion detection and prevention system (IDS/IPS), anti-virus software, etc. These measures can help prevent malicious actors from exploiting and intruding middleware.

Vulnerability Defense

Regularly update and upgrade middleware versions to get the latest security fixes and patches.

Configure security options, such as enabling security authentication, restricting access, and using secure transmission protocols.

Enforce access controls to ensure only authorized users or services can access middleware.

Implement security audits and monitoring to detect anomalous activities in a timely manner and take appropriate actions.

Limit the permissions of middleware and avoid using accounts or services with excessive permissions.

Implement data backup and disaster recovery plans in case of possible middleware failure or attack.

Pay attention to and refer to security recommendations and best practices issued by middleware vendors or security agencies in a timely manner.

How to bypass waf interception

Middleware exploits that bypass web application firewalls (WAFs) are one tactic an attacker might try. While every middleware vulnerability and WAF configuration is different, here are a few common techniques that might be used to bypass WAF interception:

Request Segmentation: An attacker can split a malicious request into multiple fragments and use specific characters or structures of the middleware protocol to bypass WAF rules. In this way, a WAF may not recognize a complete malicious request as malicious.

Encoding and Encryption: An attacker can encode or encrypt malicious requests to make them difficult for WAFs to detect while in transit. This includes Base64 encoding the data, using special encoding techniques, or employing custom encryption algorithms.

Protocol obfuscation: An attacker can modify or forge part of a middleware protocol so that it looks like a legitimate request when transmitted. This may involve modifying specific fields of the request, populating additional headers or parameters, and using specific protocol syntax rules.

Exploitation of special characters: Attackers can use special characters in middleware protocols to bypass WAF rules. This includes using encoded characters, Unicode characters, double-byte characters, or other unusual characters to confuse and interfere with the WAF's filtering mechanisms.

Overlong or incorrect input: An attacker can attempt to send an overly long or maliciously crafted request to trigger a buffer overflow or error handling logic in the middleware. This can cause middleware to misbehave or bypass WAF detection rules.

Protocol switching: An attacker can switch to other protocols supported by the middleware to evade specific WAF rules for the currently used protocol. For example, switching from HTTP to HTTPS, WebSockets, or other protocols.

10. Analyzing Vulnerabilities

Vulnerability Explanation and Causes:

Parsing vulnerability refers to the situation that when the application processes the input provided by the user, there is a loophole that causes malicious input to be parsed and executed. Such vulnerabilities can occur in various contexts, including web applications, command line applications, code parsers, etc.

exploit

Code Injection: An attacker can inject arbitrary code in user input to be parsed and executed by the application. This could include inserting malicious scripts such as JavaScript for cross-site scripting (XSS), remote command execution, or operating system command injection, among others.

Command execution: If an application parses user input and executes commands, an attacker can attempt to execute arbitrary commands through malicious input. This can lead to security issues such as command injection, remote command execution, and operating system command injection.

File system access: If the application has vulnerabilities in parsing files uploaded by users or handling file paths, attackers can try various attacks such as directory traversal, file reading, and file uploading. This can lead to the disclosure of sensitive files, the gaining of full system access, and more.

Database injection: If there is a vulnerability in the application parsing user input and constructing database query statements, attackers can try to execute arbitrary SQL statements through malicious input. This may lead to the disclosure, tampering, deletion of database data or the impact of the entire database server.

Vulnerability Defense

Input validation and filtering: Strictly validate user input, including validating data type, length, character set, etc., and filter or escape special characters to prevent malicious code injection.

Parameterized queries and prepared statements: Use parameterized queries or prepared statements to execute database queries to avoid SQL injection vulnerabilities.

Minimize parser permissions: Restrict parser permissions to only allow access to necessary resources and functions.

Secure coding practices: Follow secure coding practices, including using secure functions provided by libraries and frameworks, avoiding dynamic code execution and dynamic parsing, etc.

Input and output filtering: Filter and escape the input and output data provided by users to prevent the injection of malicious code and the leakage of sensitive information in the output.

Security Updates and Patches: Keep updated and patched versions of relevant parsers, libraries, and middleware to get the latest security fixes and bug fixes.

How to bypass waf interception

Encoding and Encryption: An attacker can encode or encrypt malicious requests to make them difficult for WAFs to detect while in transit. This can include using Base64 encoding, URL encoding, using special encoding techniques or custom encryption algorithms, etc.

Request Segmentation: Attackers can split malicious requests into multiple fragments, and use WAF rules to analyze and evade the request stage. In this way, a WAF may not recognize a complete malicious request as malicious.

Obfuscation and deformation: Attackers can use various techniques to alter the structure and format of malicious requests so that they do not comply with the signature or rules of WAF rules. This may include changing the order of parameters, adding extra characters, using specific encoding techniques, etc.

HTTP protocol switching: An attacker can try to switch from the standard HTTP protocol to another protocol, such as HTTPS (encrypted with SSL/TLS) or use a different port. This may bypass the WAF's rule detection, because the WAF may be configured to only monitor specific protocols and ports.

Normal traffic masquerading: Attackers can simulate normal traffic patterns and fine-tune requests to bypass WAF detection. This might include simulating real user behavior, tweaking request intervals, adding randomness, etc.

11. Privilege Escalation Vulnerability

Vulnerability Explanation and Causes:

Privilege escalation vulnerability means that an attacker successfully obtains a higher permission level than his current permission by exploiting a vulnerability in the system or application to perform unauthorized operations

Vulnerability Defense:

Secure Configuration Management: Ensure secure configuration of operating systems, applications, and services, disabling unnecessary services and features to reduce potential vulnerabilities.

Strong password policy: Enforce the use of complex passwords and change passwords regularly to ensure default passwords are changed.

Principle of Least Privilege: Every user and process should be granted the minimum necessary privileges to reduce the potential risk of privilege escalation.

Input Validation and Filtering: Ensure applications adequately validate, filter, and escape user input to prevent attackers from exploiting input injection attacks to elevate privileges.

(2) Other loopholes

1. Sensitive information disclosure vulnerability

Vulnerability Explanation and Causes:

Sensitive information disclosure vulnerability refers to the risk that sensitive information of an organization or individual (such as personally identifiable information, financial information, health records, business secrets, etc.) is obtained or disclosed by unauthorized persons due to security breaches or mistakes

exploit

To obtain sensitive information, the degree of information leakage may be large or small. In severe cases, the account password of the server administrator may be leaked, and some information about system configuration may be leaked. According to these are of great help to the attacker, the attacker will attack next.

csrf attack: The attacker can use the leaked sensitive information to impersonate the victim and carry out csrf attack (cross-site request forgery)

Phishing: Attackers can use leaked sensitive information for social engineering attacks,

Vulnerability Defense

Keep sensitive information confidential: Use encryption algorithms to encrypt sensitive information for storage and transmission.

Enhanced Access Control: Implement strict authentication and authorization mechanisms to ensure that only authorized users can access sensitive information.

Implement a secure password policy: require strong passwords, change passwords regularly, and prevent common passwords.

Ongoing Monitoring: Periodically audit, monitor, and analyze system logs for timely detection of anomalous activity and

2. Authorization verification bypass vulnerability

Vulnerability Explanation and Causes:

Authorization verification bypass vulnerability means that an attacker successfully bypasses the authorization verification mechanism by exploiting a vulnerability in the system, application, or network service to gain unauthorized access

exploit

Sensitive information leakage: use authorization verification bypass vulnerabilities to obtain sensitive information,

Privilege escalation attack: After successfully bypassing authorization verification, try to elevate your own privilege level to obtain higher-level privileges

Vulnerability Defense:

Implement strict input validation and filtering to prevent bypassing of malicious and abnormal inputs.

Strengthen authentication mechanisms, including using strong password policies, multi-factor authentication, and protection against common attacks such as session hijacking and password guessing.

3. Logic loopholes

Vulnerability Explanation and Causes:

Logical vulnerabilities refer to errors or negligence in the software or system design process, resulting in potential security risks and loopholes. These vulnerabilities are usually caused by developers not properly handling input, authenticating users, authorizing access, etc.

Examples of common logic vulnerabilities:

Unauthorized access: The lack of proper authentication and authorization mechanisms in the application allows attackers to bypass permission restrictions to access unauthorized functions, data, or system resources.

Weak password policy: The system allows users to use weak passwords (such as simple or common passwords) to protect their accounts, making them vulnerable to attacks such as password guessing and brute force cracking.

Insufficient data validation: The application does not fully validate and filter user input, allowing attackers to perform unauthorized operations by injecting malicious code, SQL statements, or operating system commands.

Session management vulnerabilities: Errors in the application's handling of user sessions may lead to threats such as session fixation attacks, session hijacking, or session logout, allowing attackers to impersonate legitimate users and access their accounts.

Logic errors: flaws in system design or logic errors that may cause unexpected behavior of applications under certain conditions, such as unauthorized access, data loss, or system crashes.

4. Unauthorized access vulnerability

Vulnerability Explanation and Causes:

An unauthorized access vulnerability is when an attacker is able to gain access to a system, application, or resource without going through the proper authentication or authorization process. This vulnerability could lead to unauthorized access to sensitive information, data disclosure, tampering or destruction

Causes of unauthorized access vulnerabilities:

Lack of authentication: The system does not implement authentication mechanisms properly, or provides access to restricted resources without authenticating the user.

Session management issues: There are issues in the session management process where an attacker can hijack or reuse a session token to impersonate a legitimate user and gain access

Authorization issues: The system has flaws in the authorization mechanism, attackers can bypass permission checks and gain unauthorized access to resources

Business logic errors: The system has flaws in the business logic that attackers can exploit to bypass access restrictions. For example, an application might not properly validate the legitimacy of certain actions, allowing an attacker to perform unauthorized actions.

Vulnerability Defense

Strong authentication and access control: use a secure authentication mechanism; implement fine-grained access control, and configure different permissions for different roles

periodically review and update permissions,

Strong Password Policy:

Check session management mechanism

Input validation and filtering:

Regular updates and bug fixes:

5. Middleware Vulnerabilities

Vulnerability Explanation and Causes:

Middleware vulnerabilities refer to security holes in middleware software (such as servers, application frameworks, database systems, etc.). Middleware is responsible for connecting different systems and components to provide the necessary functions and services for the application

exploit

Remote code execution: Attackers can use middleware buffer overflow or other code execution vulnerabilities to inject malicious code, so that they can execute remote code on the target system with middleware permissions, obtain sensitive data, invade the target server, and perform privilege escalation , install the backdoor, and eventually take full control of the target system

Sensitive information leakage: Attackers can obtain sensitive information stored in systems, applications, or databases by exploiting middleware configuration or security setting vulnerabilities

Vulnerability Defense

Update and upgrade middleware software in a timely manner, and install the latest patches and security updates.

Configure middleware security settings, turn off or disable unnecessary features and services, and follow best security practices.

Implement strong authentication and access controls to ensure only authorized users can access middleware and related resources.