Whitebox source code review cheatsheet (Based on AWAE syllabus)
This repo is based on Offensive Security's AWAE syllabus and is designed to act as a cheatsheet for the OSWE exam and for whitebox source code reviews in general.
Approaches to reviewing a code base, roughly in order of effort:

No. | Approach |
---|---|
1 | String matching/grep for bugs (search for dangerous sinks, then trace backwards to user input) |
2 | Following user input (start at each entry point and trace forwards to the sinks) |
3 | Reading source code randomly |
4 | Read all the code |
5 | Check one functionality at a time (login, password reset, file upload...) |

Reference: https://pentesterlab.com/exercises/codereview/course
Logging SQL queries in MySQL/MariaDB (useful for confirming which statements your input reaches):

Modify the following values in the my.cnf file (typically located at /etc/mysql/my.cnf):
```ini
[mysqld]
general_log_file = /var/log/mysql/mariadb.log
general_log = 1
```
*For MariaDB the settings can also be placed under a [mariadb] section; MariaDB reads the [mysqld] group as well.

Restart the MySQL service for the change to take effect (sudo systemctl restart mysql). Alternatively, enable it at runtime without a restart from a privileged MySQL session: SET GLOBAL general_log = 'ON';

The log file must be writable by the mysql user (keeping it under /var/log/mysql/ avoids permission and AppArmor problems). You can read the log file in real time with sudo tail -f /var/log/mysql/mariadb.log (use whatever path you set in general_log_file). The general log records every statement, including passwords sent in queries, and grows quickly, so turn it off again when you are done.
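The general log is most useful when you submit a recognisable canary in every request parameter and then look for the statements it reaches. The following added example (not one of this repo's scripts) parses a general log, returns the statements a canary reached, and reports whether the canary's single quote arrived at the server verbatim (injectable) or escaped (as `\'` or `''`). The sample log lines are constructed; the header layout they assume is the file-format layout of MySQL 5.7+/8 and MariaDB (timestamp, thread id, command, TAB, argument), with MariaDB leaving the timestamp empty when it repeats the previous entry's.

```python
"""Find the SQL statements a tainted input reaches, using the MySQL/MariaDB
general query log.  Added example; not one of this repo's scripts."""
import re
from dataclasses import dataclass

# One log entry header: optional timestamp, whitespace, thread id, command, TAB,
# argument.  Assumption: the file-format layout used by MySQL 5.7+/8 and MariaDB
# ("2024-...Z<TAB>    7 Query<TAB>SELECT ...").  Lines that do not match a
# header are continuation lines of a multi-line statement.
_HEADER = re.compile(r"^(?P<ts>\S*)\s+(?P<tid>\d+) (?P<cmd>[^\t]+)\t(?P<arg>.*)$")


@dataclass
class Entry:
    thread_id: int
    command: str     # Connect, Query, Execute, Quit, ...
    argument: str    # SQL text for Query/Execute entries


def parse_general_log(text):
    entries = []
    for line in text.splitlines():
        m = _HEADER.match(line)
        if m:
            entries.append(Entry(int(m["tid"]), m["cmd"], m["arg"]))
        elif entries:
            entries[-1].argument += "\n" + line   # multi-line statement
    return entries


def quote_handling(argument, canary):
    """'raw' if the canary (quote included) reached the server verbatim,
    'escaped' if its quote arrived as \\' or '' (addslashes /
    mysqli_real_escape_string style), 'absent' otherwise."""
    if canary in argument:
        return "raw"
    pieces = [re.escape(p) for p in canary.split("'")]
    escaped_forms = r"(?:\\'|'')".join(pieces)
    if len(pieces) > 1 and re.search(escaped_forms, argument):
        return "escaped"
    return "absent"


def find_tainted_queries(text, canary):
    """Return (thread_id, handling, sql) for every statement the canary reached."""
    hits = []
    for e in parse_general_log(text):
        if e.command not in ("Query", "Execute"):   # Execute = prepared statements
            continue
        handling = quote_handling(e.argument, canary)
        if handling != "absent":
            hits.append((e.thread_id, handling, e.argument))
    return hits


# Constructed sample log: the canary zz9'canary was submitted in every parameter
# of one request; two statements received it, one with the quote escaped.
SAMPLE_LOG = (
    "2024-01-01T10:00:00.000001Z\t    7 Connect\tapp@localhost on shop using TCP/IP\n"
    "2024-01-01T10:00:00.000200Z\t    7 Query\tSELECT id FROM users WHERE email = 'zz9\\'canary@example.com'\n"
    "\t\t    8 Query\tSELECT * FROM products WHERE name LIKE '%zz9'canary%'\n"
    "  ORDER BY price\n"
    "\t\t    7 Query\tUPDATE sessions SET last_seen = NOW() WHERE token = 'abc'\n"
    "\t\t    7 Quit\t\n"
)

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for tid, handling, sql in find_tainted_queries(text, "zz9'canary"):
        print(f"[thread {tid}] {handling:8} {sql}")
```

Run it against the real log (`python3 taint_log.py /var/log/mysql/mariadb.log`) after sending a request with the canary in every parameter. An "escaped" result only means the quote was neutralised; a value that lands in a numeric context, an ORDER BY clause, or a LIMIT is still injectable without any quote, so read the statement rather than trusting the label.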
Vulnerability classes covered, grouped by their usual role in an exploit chain (the left column gets you in, the right column gets code execution):

Auth Bypass | RCE |
---|---|
SQL Injection - Payloads | Deserialization |
Persistent Cross-Site Scripting | Bypassing File Upload Restrictions |
IDOR | SQL Injection to RCE (Postgres UDF or COPY ... TO PROGRAM; MySQL SELECT ... INTO OUTFILE) |
Weak random token generator | XXE - Payloads |
Type Juggling | XML Injection |
Cross-Site Request Forgery - Payloads | SSTI - Payloads |
Authentication Token/Cookie Manipulation | Prototype Pollution |
- | JavaScript Injection |
- | OS Command Injection |

Language-specific notes - PHP |
---|
XSS |
LFI |
SSRF |
OS Command Injection |
SQL Injection - Boolean based |
SQL Injection - Error based |

Tips:

- Use the `tree -L 3` command, open the app in VSCode, or build a sitemap with Burp Suite to understand the application directory structure.
- Locate the entry points first. In Java look for `doPost` and `doGet` (servlet handlers); in Python find routes starting with `@` (decorators such as `@app.route`).
- Where are the `Models`, `Views` and `Controllers` located? That tells you where input is parsed, where it is rendered, and where the database is touched.
- Grep for SQL built from user input with a regex such as `^.*?query.*?select.*?` (run it case-insensitively), then trace each hit back to its source.
- `app.set('view engine', 'pug');` in `app.js` reveals the template engine in use; look for places where user input reaches a template (SSTI).
- `java.util.Random` is vulnerable when used for tokens: it is a linear congruential generator, not a CSPRNG, so its output can be reconstructed from a few observed values. `SecureRandom` is the safe alternative.

Scripts in this repo:

Purpose | File |
---|---|
Basic skeleton script which makes an HTTP request in python | main.py |
Run shell command and capture the output | system_level_commands.py |
Run Java from within Python | run_java_from_python.py |
SQLI multi threaded python exploit | MYSQL_Injection_multithread.py |
Postgres SQLI to RCE JS session riding exploit | Windows_RCE_XHR.js |
XSS Steal cookie XHR | steal_cookie_xhr.js |
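The grep-for-bugs approach (approach 1 above) and the search patterns in the tips are easy to turn into a small scanner that you run over a fresh code base before reading anything by hand. The following is an added example, not one of this repo's scripts: it applies a list of entry-point and sink patterns per line, over a directory tree or over the constructed sample files embedded here (PHP, Python, Java and Express snippets written for this example, not taken from any real application). The pattern list extends the page's own patterns (`doPost`/`doGet`, `@...route`, `query.*select`, `java.util.Random`, `view engine`) with common sinks for the PHP table above; it is a starting point, not a complete catalogue.

```python
"""Grep-for-bugs: scan a source tree for entry points and dangerous sinks, then
follow each hit back to user input.  Added example, not one of this repo's scripts."""
import re
from pathlib import Path

# (category, regex) applied per line.  False positives are cheap; missed sinks are not.
SINKS = [
    ("entry point (Java servlet)",       re.compile(r"\b(doPost|doGet)\s*\(")),
    ("entry point (Python route)",       re.compile(r"^\s*@\w+\.route\(")),
    ("sql query",                        re.compile(r"query.*select", re.I)),
    ("sql built by concatenation",       re.compile(r"\b(select|insert|update|delete)\b.*?[\"']\s*[.+]\s*\$?\w", re.I)),
    ("os command",                       re.compile(r"\b(system|exec|shell_exec|passthru|popen|proc_open|subprocess\.(call|run|Popen))\s*\(")),
    ("file include (LFI)",               re.compile(r"\b(include|require)(_once)?\s*\(?\s*\$")),
    ("deserialization",                  re.compile(r"\b(unserialize|readObject|ObjectInputStream|pickle\.loads?)\b")),
    ("weak randomness",                  re.compile(r"java\.util\.Random|\bnew\s+Random\s*\(|\brand\(|\bmt_rand\(|Math\.random\(")),
    ("template engine (SSTI candidate)", re.compile(r"view engine|render_template_string|\bTemplate\(")),
]

SOURCE_EXTS = {".php", ".py", ".java", ".js", ".jsp", ".ts"}


def scan_text(name, text):
    """Return (file, line number, category, stripped line) for every sink hit."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for category, rx in SINKS:
            if rx.search(line):
                findings.append((name, lineno, category, line.strip()))
    return findings


def scan_tree(root):
    """Scan every source file under root (sorted so output is stable between runs)."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix in SOURCE_EXTS:
            findings.extend(scan_text(str(path), path.read_text(errors="replace")))
    return findings


# Constructed sample files (not real applications), one hit or more per pattern.
SAMPLES = {
    "login.php": """<?php
$user = $_POST['username'];
$query = "SELECT * FROM users WHERE username = '" . $user . "'";
$result = mysqli_query($conn, $query);
include($_GET['page'] . '.php');
system("ping -c 1 " . $_GET['host']);
$token = md5(rand());
""",
    "app.py": """@app.route('/search')
def search():
    q = request.args.get('q')
    return render_template_string('<h1>' + q + '</h1>')
""",
    "Login.java": """import java.util.Random;
protected void doPost(HttpServletRequest req, HttpServletResponse resp) {
    String q = "SELECT id FROM users WHERE name='" + req.getParameter("u") + "'";
    ObjectInputStream in = new ObjectInputStream(req.getInputStream());
}
""",
    "app.js": "app.set('view engine', 'pug');\n",
}


def scan_samples():
    findings = []
    for name, text in SAMPLES.items():
        findings.extend(scan_text(name, text))
    return findings


if __name__ == "__main__":
    import sys
    hits = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else scan_samples()
    for name, lineno, category, line in hits:
        print(f"{name}:{lineno}: [{category}] {line}")
```

Usage: `python3 sink_grep.py /path/to/webapp` prints one line per hit in `file:line: [category] code` form, which is convenient to paste into notes and tick off as each hit is traced back to its source. Every hit still needs the manual step: open the file, find where the variable in the sink comes from, and decide whether user input can reach it without sanitisation.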
Tutorial: https://www.youtube.com/watch?v=rhzKDrUiJVk
All the best!