Web vulnerabilities are weaknesses in websites that attackers exploit to gain unauthorized access, steal data, or disrupt services. Common vulnerabilities include Cross-Site Scripting (XSS), which allows attackers to inject malicious scripts, and SQL Injection, where database queries are manipulated to extract sensitive information. Local File Inclusion (LFI) exposes server files, while Insecure Direct Object References (IDOR) allow unauthorized access to user data by modifying URLs. Weak authentication or authorization controls lead to account takeover or unauthorized actions. File upload flaws can enable malicious code execution. These vulnerabilities emphasize the need for secure coding practices, regular testing, and robust defense mechanisms.
During testing of http://example.com, several critical vulnerabilities are uncovered. The comment section is vulnerable to XSS, allowing JavaScript execution. A Local File Inclusion flaw exposes sensitive server files. SQL Injection is found in the search and login forms, enabling data extraction. The settings page lacks authorization checks, allowing unauthorized email changes. An IDOR vulnerability exposes user data by modifying the URL's id parameter. Additionally, the file upload feature is bypassed by renaming a malicious script, risking remote code execution. These flaws highlight severe security issues, underscoring the need for input validation, access control, and robust security measures to protect users.
The steps are listed below:
You are testing the comment section of a blog on http://example.com.
Upon inspecting the form, you find that the input field is vulnerable to Cross-Site Scripting (XSS) and allows JavaScript execution.
On http://example.com/view, there is a file inclusion feature.
After reviewing the URL structure, you realize you can manipulate the file path to include files from the server, including sensitive system files like /etc/passwd.
You notice that http://example.com/search is vulnerable to SQL injection.
By using the UNION operator in the search query, you can extract the database version from the server.
On the login form at http://example.com/login, the application does not display error messages.
You decide to use SQL injection with boolean-based payloads to extract the first user's email address.
You visit http://example.com/settings where users can change their email.
The email change request is not protected against unauthorized modifications,
so you craft a malicious request that changes the email address to yours.
While browsing http://example.com/user?id=1, you find that the page displays user data based on the id parameter in the URL.
By changing the id parameter, you are able to access other users' information.
On http://example.com/upload, you try to upload a file, but the file type is restricted.
By renaming a PHP shell to shell.php.jpg, you su
Inject a script to pop an alert box in the website’s comment section.
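As an added example, not code from the original page or from the application it describes, here are the defensive counterparts to the upload, file-inclusion, search and user-lookup steps above, in Python using only the standard library. DOC_ROOT, the users table and its sample rows are constructed assumptions so the module runs offline.

```python
import os
import sqlite3
from typing import Optional

# Constructed document root for the /view feature; it need not exist on disk.
DOC_ROOT = "/srv/example.com/public"
# Leading bytes an upload must start with for the extension it claims.
IMAGE_MAGIC = {"jpg": b"\xff\xd8\xff", "jpeg": b"\xff\xd8\xff", "png": b"\x89PNG"}

def upload_allowed(filename: str, content: bytes) -> bool:
    """Upload check: exactly one extension, from an allowlist, and the body
    must carry that type's magic bytes. 'shell.php.jpg' passes a naive
    endswith('.jpg') test but fails the single-extension rule here, and a
    PHP payload named 'photo.jpg' fails the magic-byte rule."""
    parts = os.path.basename(filename).lower().split(".")
    if len(parts) != 2 or not parts[0].isalnum():
        return False
    magic = IMAGE_MAGIC.get(parts[1])
    return magic is not None and content.startswith(magic)

def safe_view_path(requested: str) -> Optional[str]:
    """LFI check: resolve the requested name under DOC_ROOT and refuse any
    result that escapes it (../ sequences, absolute paths like /etc/passwd)."""
    root = os.path.realpath(DOC_ROOT)
    target = os.path.realpath(os.path.join(root, requested))
    return target if os.path.commonpath([root, target]) == root else None

def demo_db() -> sqlite3.Connection:
    """In-memory users table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT)")
    conn.executemany("INSERT INTO users (id, email) VALUES (?, ?)",
                     [(1, "alice@example.com"), (2, "bob@example.com")])
    return conn

def search_users(conn: sqlite3.Connection, term: str) -> list:
    """Search: the term is bound as a parameter, so a UNION payload is
    matched as literal text rather than executed as SQL."""
    cur = conn.execute("SELECT email FROM users WHERE email LIKE ?", (f"%{term}%",))
    return [row[0] for row in cur.fetchall()]

def load_profile(conn: sqlite3.Connection, session_uid: int, url_id: int) -> Optional[str]:
    """IDOR check: the row is fetched by the session's own id, so whatever
    id the URL carries, a user only ever sees their own record."""
    if url_id != session_uid:
        return None
    row = conn.execute("SELECT email FROM users WHERE id = ?", (session_uid,)).fetchone()
    return row[0] if row else None
```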