1. The document discusses web exploitation and provides tips for assessing what functionality a server may have and how to test for vulnerabilities. 2. It lists common server-side technologies like PHP, Python, NodeJS that have been exploited in past events, and encourages researching assumed functionality and how others may have previously exploited similar systems. 3. The document emphasizes that web exploitation involves searching and researching to understand what a server can do in response to inputs, as its functionality may not always be obvious, in order to discover ways to read files or execute code remotely.

1. Web Exploitation
November 14th, 2018

2. Get Involved
● Discord - discord.gg/kuejt8p

3. Events
● November 28th - Windows Exploitation
● December 5th - Stress Buster - ECSS 4.619

4. SQL Injection is useless* if the server
isn’t using SQL

5. OR: “Why I fail at Web Exploitation”

6. Why is Web Exploitation difficult?

7. We don’t know what is running!

8. 2 Questions of Web Exploitation
● What can I do?
● What does the server do when I do that?

9. What are developers bad at?
● Deserialization
● Escaping input to be rendered/executed
● Making sure only the right people can do the “right” things

10. Web Primer

11. Client-side Technologies
● HTML
● CSS
● Javascript (Good for execution malicious code in a users browser)

12. Server-side Technologies
Yes

13. Server-side Technologies (I’ve seen and exploited)
● PHP - CSAW 2016
● Python - Hack The Box
● NodeJS - Hack The Box
● Bash - CSAW 2016
● Java - Hack The Box
● Rust - TexSAW 2017
● C - Hack The Box

14. Web Exploitation is a game of search
and research

15. What can I do? - Tips
● Reverse engineer known page functionality, see how it communicates with the
server (Burp / Inspect Element + Console)
● Check common directories for additional functionality
● Bruteforce common directories/files for additional functionality (gobuster)
● Bruteforce subdomains for additional functionality (gobuster)

16. What does the server do when I do that? - Tips
● Fuzz inputs (send ;:’”!@#$%^&*(((()-_=+)
● Research assumed functionality, look for how people have exploited it in the
past (OWASP Top 10)
● Look for UNIQUE functionality that you haven’t seen elsewhere (Unique
inclusion of special protections like a strict CSP) - Particularly useful if you
know the application is or used to be vulnerable

17. Making life easy

18. Goals
● Reading files off disk
● Executing code on the remote server

19. Case Study - DevOops

20. Additional Thoughts

21. A “Modern” Web Architecture