AppSecExplained
  • Index < START HERE
    • My courses
    • How to get started from zero
  • 📽️Live Stream Content
    • Resource of the week
  • Discovery / Recon
    • Methodology
    • Content discovery / recon
      • Subdomains
      • Endpoints
      • Parameters
      • Spidering
  • Common vulns
    • SQL injection overview
      • Detection
      • Blind SQLi
      • Second-order SQLi
      • SQLi lab setup & writeups
    • NoSQL injection
    • JavaScript injection (XSS)
      • XSS Methodology
    • File Inclusion
      • Local file inclusion
        • Directory traversal
    • Command injection
    • XXE (XML external entity) injection
      • Blind XXE
    • Template injection
      • Server-side template injection
      • Client-side template injection
    • Authentication
      • Attacking password-based authentication
      • Attacking MFA
      • Authentication lab setup & writeups
    • Cross-Site Request Forgery (CSRF)
    • Insecure deserialization
      • PHP
      • Java
      • Python
      • .NET
    • Server-side request forgery (SSRF)
    • Insecure file upload
    • Clickjacking
    • Open redirect
    • Vulnerable components
    • Race conditions
      • Limit overrun
    • Prototype pollution
      • Client-side prototype pollution
    • APIs
      • API: BOLA
      • API: Broken authentication
      • BOPLA
      • API: BFLA
  • Bypassing controls
    • Rate limiting
    • WAF Bypasses
  • Scripts
    • Docker-compose.yml files
      • Wordpress
      • SQLi testing labs
    • PHP scripts
      • RCE Function Check
    • Wordlists
      • Single characters
      • SQLi
  • Code review
    • Getting started
    • Sinks
  • Links worth your time
    • Practical API Hacking
    • Rana Khalil's Web Security Academy Course
    • Portswigger's Web Security Academy
    • TCM Security Discord
    • PentesterLand Writeups
Powered by GitBook
On this page

Was this helpful?

  1. Code review

Sinks

Vulnerability Type
Java Sinks
PHP Sinks
Node.js Sinks

Remote Code Execution (RCE)

Runtime.getRuntime().exec() ProcessBuilder.start() Method.invoke() ScriptEngine.eval() InitialContext.lookup() (JNDI Injection)

shell_exec() exec() system() passthru() proc_open() popen() eval() assert() create_function()

child_process.exec() child_process.execSync() child_process.spawn() vm.runInContext() vm.runInNewContext()

SQL Injection (SQLi)

Statement.executeQuery() Statement.executeUpdate() Statement.execute() EntityManager.createQuery()

mysqli_query() mysql_query() pg_query() PDO::query() (without prepared statements)

db.collection.find({ user: req.query.user }) (NoSQLi in MongoDB) sequelize.query() (raw queries)

Path Traversal / Arbitrary File Read/Write

File(String) FileReader(String) FileWriter(String) Files.readAllBytes(Path) ZipInputStream.getNextEntry()

file_get_contents() fopen() readfile() include() require() unlink()

fs.readFileSync() fs.readFile() fs.createReadStream() fs.writeFileSync() fs.unlinkSync()

Server-Side Request Forgery (SSRF)

HttpURLConnection.openConnection() URL.openStream() RestTemplate.getForObject() WebClient.get().uri()

file_get_contents("http://...") curl_exec() stream_context_create()

http.get() axios.get() fetch() request()

Cross-Site Scripting (XSS)

response.getWriter().write() HttpServletResponse.getOutputStream().print() JSP: <%= userInput %>

echo $_GET["input"]; print($_POST["input"]); printf($_GET["input"]); exit($_GET["input"]);

res.send(req.query.input) res.write(req.body.input) document.write(req.query.input) (in client-side JS)

Cross-Site Request Forgery (CSRF)

doPost(HttpServletRequest req, HttpServletResponse res) doPut(HttpServletRequest req, HttpServletResponse res) doDelete(HttpServletRequest req, HttpServletResponse res)

Forms with method="POST" and no CSRF token Session-modifying endpoints ($_SESSION, setcookie())

app.post('/update', (req, res) => {...} (without CSRF token verification)

XML External Entity (XXE) Injection

DocumentBuilder.parse() SAXParser.parse() XMLReader.parse() TransformerFactory.newInstance().newTransformer().transform()

simplexml_load_string() DOMDocument.loadXML() xml_parser_create()

xml2js.parseString() libxmljs.parseXml()

LDAP Injection

DirContext.search() LdapContext.search()

ldap_search() ldap_list() ldap_read()

ldapClient.search() (Node.js LDAP client)

Insecure Logging (Information Disclosure)

Logger.info() Logger.debug() System.out.println() PrintWriter.println()

error_log($_GET["input"]); var_dump($_POST["password"]); print_r($_SERVER);

console.log(req.body.password) winston.log('info', req.query.debug)

Insecure Cryptography

MessageDigest.getInstance("MD5") Cipher.getInstance("DES") Cipher.getInstance("ECB")

md5() sha1() crypt("plaintext", "salt") base64_encode()

crypto.createHash('md5') crypto.createCipher('des', key)

Insecure Session Management

HttpSession.getAttribute() request.getSession(true)

session_start(); setcookie("PHPSESSID", ...)

req.session.user = "admin" (without secure flags)

PreviousGetting started

Last updated 3 months ago

Was this helpful?