This tutorial aims to equip you with skills to exploit vulnerabilities in web applications as part of penetration testing. In doing so, you will:
Prerequisites: Basic knowledge of JavaScript, SQL, and HTML.
SQL Injection is when an attacker can manipulate SQL queries by injecting malicious SQL code. This can lead to unauthorized access, data leaks, or even data loss.
Consider a login form that uses an SQL query to check user credentials:
SELECT * FROM users WHERE username = 'INPUT_USERNAME' AND password = 'INPUT_PASSWORD';
An attacker could enter a' OR 'a'='a as both the username and password, making the query:
SELECT * FROM users WHERE username = 'a' OR 'a'='a' AND password = 'a' OR 'a'='a';
This will return all users, because 'a'='a' is always true. (AND binds more tightly than OR, so the database reads the condition as username = 'a' OR ('a'='a' AND password = 'a') OR 'a'='a', and the final OR 'a'='a' makes the whole WHERE clause true for every row.)
XSS is when an attacker can inject malicious scripts into webpages viewed by other users.
Consider a forum that doesn't sanitize user input:
<div>INPUT_TEXT</div>
An attacker could enter <script>alert('Hacked');</script> as INPUT_TEXT, causing a JavaScript alert to pop up for every user who views the page.
CSRF is when an attacker tricks a victim into performing actions they didn't intend to.
An attacker might send a link that, when clicked by a logged-in user, performs an action on their behalf:
<a href="http://vulnerable.site/deleteAccount">Click me!</a>
-- Vulnerable code: the inputs are pasted straight into the query text
SELECT * FROM users WHERE username = 'INPUT_USERNAME' AND password = 'INPUT_PASSWORD';
-- Safe code (MySQL syntax): the query text is fixed, the inputs are bound as values
PREPARE statement FROM 'SELECT * FROM users WHERE username = ? AND password = ?';
-- In a real application the driver binds the parameters; the SET lines stand in for that here
SET @username = 'INPUT_USERNAME';
SET @password = 'INPUT_PASSWORD';
EXECUTE statement USING @username, @password;
DEALLOCATE PREPARE statement;
The safe code uses a prepared statement: the query structure is parsed first and the inputs are bound afterwards as literal values, so quotes or keywords inside them can never become part of the SQL command.
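The following is an added example, not code from the tutorial: it runs the login query above both ways against an in-memory SQLite database with constructed sample users, feeding in the tutorial's a' OR 'a'='a input. The function names and the sample rows are assumptions made for the demonstration.

```python
# Added example (not from the tutorial): the login query built two ways
# against an in-memory SQLite database seeded with constructed sample users.
import sqlite3

PAYLOAD = "a' OR 'a'='a"  # the input from the tutorial


def make_db() -> sqlite3.Connection:
    """Create an in-memory users table with constructed sample rows.

    Passwords are stored in plaintext only to mirror the tutorial's query;
    a real system stores a password hash and verifies it in application code.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice-pass"), ("bob", "bob-pass")],  # constructed sample data
    )
    return conn


def vulnerable_login(conn: sqlite3.Connection, username: str, password: str) -> list:
    """The tutorial's vulnerable form: the inputs are pasted into the SQL text."""
    query = (
        f"SELECT username FROM users WHERE username = '{username}' "
        f"AND password = '{password}'"
    )
    return [row[0] for row in conn.execute(query)]


def safe_login(conn: sqlite3.Connection, username: str, password: str) -> list:
    """The prepared-statement form: the SQL text is fixed, the inputs are bound."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (username, password))]


def demo() -> dict:
    """Run the same payload through both forms and return the rows each one matched."""
    conn = make_db()
    return {
        # every row matches: the payload rewrote the WHERE clause
        "vulnerable_with_payload": vulnerable_login(conn, PAYLOAD, PAYLOAD),
        # no row matches: the payload is compared as a literal username string
        "safe_with_payload": safe_login(conn, PAYLOAD, PAYLOAD),
        # the bound query still works for genuine credentials
        "safe_with_real_credentials": safe_login(conn, "alice", "alice-pass"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

Running the block prints two matched users for the vulnerable query and none for the bound one; the only thing that changed between the two functions is whether the input travels inside the SQL text or beside it as a parameter.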
<!-- Vulnerable code: the user's text is written into the page as-is -->
<div>INPUT_TEXT</div>
<!-- Safe code (PHP, assuming the user's text is in $input_text): the text is escaped before it is written -->
<div><?= htmlspecialchars($input_text, ENT_QUOTES, 'UTF-8') ?></div>
The safe code uses htmlspecialchars(), which converts the characters <, >, &, " and ' to their HTML entities (&lt;, &gt;, &amp;, &quot; and &#039;), so the browser displays them as text instead of interpreting them as markup or script.
<!-- Vulnerable code -->
<a href="http://vulnerable.site/deleteAccount">Click me!</a>
<!-- Safe code -->
<form action="http://vulnerable.site/deleteAccount" method="POST">
<input type="hidden" name="csrf_token" value="RANDOM_TOKEN">
<input type="submit" value="Delete account">
</form>
The safe code uses an anti-CSRF token: the server generates a random value, stores it in the user's session, embeds it in the form, and rejects any state-changing request whose token does not match the stored one. A page on another site cannot read that token, so a forged request fails the check; moving the action from a GET link to a POST form on its own would not be enough, because an attacker's page can submit a form too.
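The following added example (not code from the tutorial) shows the server side of the form above: issuing the csrf_token into the session, rendering it into the form, and checking it in the /deleteAccount handler. A plain dict stands in for the server's session store, and the function names are assumptions made for the demonstration.

```python
# Added example (not from the tutorial): issuing and checking the csrf_token
# from the form above. A dict stands in for the server-side session store.
import hmac
import secrets

SESSION_KEY = "csrf_token"


def issue_token(session: dict) -> str:
    """Generate one random token per session and return it for embedding in forms."""
    if SESSION_KEY not in session:
        session[SESSION_KEY] = secrets.token_urlsafe(32)
    return session[SESSION_KEY]


def render_form(session: dict) -> str:
    """Render the tutorial's safe form with the session's token in the hidden field."""
    token = issue_token(session)
    return (
        '<form action="http://vulnerable.site/deleteAccount" method="POST">\n'
        f'<input type="hidden" name="csrf_token" value="{token}">\n'
        '<input type="submit" value="Delete account">\n'
        "</form>"
    )


def delete_account(session: dict, method: str, form: dict) -> tuple:
    """Handler for /deleteAccount: only a POST carrying the session's token succeeds.

    Returns an (HTTP status, message) pair.
    """
    if method != "POST":
        return 405, "state-changing requests must be POST"
    expected = session.get(SESSION_KEY)
    submitted = form.get("csrf_token", "")
    # Constant-time comparison on bytes so a wrong token is rejected without
    # leaking, through timing, how many leading characters matched.
    if not expected or not hmac.compare_digest(expected.encode(), submitted.encode()):
        return 403, "missing or invalid CSRF token"
    return 200, "account deleted"


def demo() -> dict:
    """Replay the tutorial's attack link and the legitimate form against the handler."""
    session = {}
    render_form(session)  # the user has visited the page, so the token exists
    token = session[SESSION_KEY]
    return {
        # the tutorial's <a href=...> link: a GET with no token
        "forged_get_link": delete_account(session, "GET", {}),
        # an attacker-hosted form that POSTs but cannot read the token
        "forged_post_without_token": delete_account(session, "POST", {}),
        "forged_post_guessed_token": delete_account(session, "POST", {"csrf_token": "guess"}),
        # the genuine form rendered for this session
        "legitimate_form_submit": delete_account(session, "POST", {"csrf_token": token}),
    }


if __name__ == "__main__":
    for name, (status, message) in demo().items():
        print(f"{name}: {status} {message}")
```

Only the submission that carries the token rendered for that session reaches the account deletion; the link from the attack, a token-less POST and a guessed token all stop at the check. The token is compared in constant time and is never put in a URL, so it does not leak through the browser history or Referer header.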
In this tutorial, you've learned about SQL Injection, XSS, and CSRF, how they can be exploited, and how to prevent them. To further your knowledge, you can explore other types of web vulnerabilities, such as XML External Entity (XXE), Server Side Request Forgery (SSRF), and Insecure Direct Object References (IDOR).
Remember to use the skills you've learned in this tutorial when solving these exercises. Happy hacking (ethically and legally)!