How to Hack Websites

Videos

• 初章：https://youtu.be/a5vrGYsKc_A
• 續章：https://youtu.be/hWC-Evt-sBc
• 終章：https://youtu.be/73uI7BK8k3g

Topics

初章

Full slide

• Web & Web security introduction [slide]
• Access control & Bussiness logic
• Recon & Information leak [slide]
• Insecure Upload / Path traversal / LFI [slide]
• Basic injection [slide]
  • Code injection
  • Command injection
  • SQL injection: Basic

續章

Full slide

• SQL injection: Advanced
  • Union-based
  • Boolean-based
  • Other
• Server-side request forgery (SSRF)
• Insecure deserialization
  • Intro
  • Pickle

終章

Full slide

• Insecure deserialization [slide]
  • PHP
  • POP Chain
  • Misc (Java, .NET etc.)
• Frontend security: Basic [slide]
  • Same-origin policy
  • CSRF
  • XSS
• Frontend security: Content Security Policy (CSP) [slide]
• Frontend security: Advanced
  • XS-Leak / CSS injection [slide]
  • DOM Clobbering [slide]
• Advanced injection
  • NoSQL injection
  • Server-side template injection (SSTI)
• Misc
  • JavaScript prototype pollution [slide]
  • XXE

Labs

題目之後的 數字 代表的是 docker 對外通訊埠編號

• Basic
  • [x] Cat Shop 8100
• SQL injection
  • [x] Login me: Login bypass 8200
  • [x] Login me again: UNION-based SQL injection 8201
• Command injection
  • [x] DNS tool 8300
  • [x] DNS tool: WAF edition 8301
• LFI
  • [x] Meow site: Basic LFI 8400
  • [x] HakkaMD: LFI to RCE 8401
• SSRF
  • [x] Web Preview Service: Use gopher:// to forge a request 8500
  • [x] SSRFrog: Bypass blacklist 8501
• Deserialization
  • [x] Pickle 8600
  • [x] Cat: Basic PHP unserialize 8601
  • [x] Magic cat: POP chain 8602
• SSTI
  • [x] Jinja2 SSTI 8700
• Frontend
  • [x] XSS 8800

Homework

• Imgura: Information Leak / Upload / LFI
• DVD Screensaver: Path traversal / SQL injection / Signed Cookie
• Profile Card: XSS / CSRF / CSP Bypass
• Double SSTI: SSTI
• Log me in: FINAL: SQL injection / Information Leak