Chapter 3: Application Attacks
Introducing BeEF
A short explanation:
A deeper tutorial, also introducing Kody and Null Byte:
Introducing OWASP
https://owasp.org/www-project-top-ten/
XSS – Cross-Site Scripting
Persistent
Non-persistent
DOM-based
Learn how XSS works, and how to do it: http://localhost/2021/04/02/xss-game-learn-cross-site-scripting-bug-test-google-apps-step-3-profit/
Get familiar with OWASP and their Top Ten Web Application Security Risks: https://owasp.org/www-project-top-ten/
Injection Attacks
On-path Attack (Man in the Browser)
Privilege Escalation
…then search for “privilege escalation”.
Directory Traversal
cd ../../..
http://vulnerabledomain.com/../../..
Buffer Overflow
…then search for “buffer overflow”.
Error Handling
https://holisticinfosec.blogspot.com/2012/08/toolsmith-nowasp-mutillidae.html
Replay Attacks
Session replay is an attack in which a TCP session’s traffic is captured, the data is altered for nefarious purposes, and the session is “replayed”. For the altered traffic to be accepted, the recorded TCP sequence numbers have to be manipulated so that the attack can be inserted into a new traffic stream.
CSRF: Cross-Site Request Forgery
SSL Stripping
Pass the Hash