Whitebox Attacks  

Introduction to Whitebox Attacks


This module will explore several advanced web vulnerabilities using a whitebox approach and how to exploit them: Prototype Pollution, Timing Attacks & Race Conditions, and those arising from Type Juggling.

It is recommended to have a strong understanding of basic web vulnerabilities and how to exploit them; a good start is the Web Attacks module. Throughout the module, we will focus mainly on understanding the root causes of these vulnerabilities rather than on covering the entire codebase of each vulnerable web application. A high-level understanding of JavaScript, Python, and PHP source code is required to complete this module.



Prototype Pollution

Prototype Pollution is a vulnerability specific to prototype-based programming languages and the way they handle objects and inheritance, with JavaScript being the most prominent example. It can arise when user input is used to manipulate the properties of a JavaScript object. Depending on the vulnerable code, prototype pollution can lead to server-side vulnerabilities in the web application, such as privilege escalation, denial-of-service (DoS), or remote code execution (RCE). However, prototype pollution vulnerabilities can also be present in client-side JavaScript code, resulting in client-side vulnerabilities such as Cross-Site Scripting (XSS).
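The following is an added example, not code from the module or from any application it covers. It shows the classic shape of the server-side bug: a recursive "merge" helper that copies attacker-controlled JSON into an object without filtering the `__proto__` key, so the nested properties land on `Object.prototype` and appear on every object in the process. A hardened merge that refuses prototype-related keys is shown beside it. The JSON payload and the `isAdmin` property are constructed for the demonstration.

```javascript
// Added example (not from the module). Vulnerable recursive merge beside a
// hardened one; the JSON payload and the `isAdmin` flag are constructed samples.

// Vulnerable: copies every key of `src` into `dst`, recursing into objects.
// JSON.parse creates an own property literally named "__proto__", so the loop
// sees it; but `dst["__proto__"]` on a plain object resolves to
// Object.prototype, and the recursion writes the nested keys onto it.
function unsafeMerge(dst, src) {
  for (const key in src) {
    const value = src[key];
    if (typeof value === 'object' && value !== null) {
      if (typeof dst[key] !== 'object' || dst[key] === null) dst[key] = {};
      unsafeMerge(dst[key], value);
    } else {
      dst[key] = value;
    }
  }
  return dst;
}

// Hardened: skip the keys that reach the prototype chain and only descend into
// properties `dst` actually owns, so a lookup never lands on an inherited object.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
function safeMerge(dst, src) {
  for (const key of Object.keys(src)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = src[key];
    if (typeof value === 'object' && value !== null && !Array.isArray(value)) {
      const owned = Object.prototype.hasOwnProperty.call(dst, key) &&
                    typeof dst[key] === 'object' && dst[key] !== null;
      if (!owned) dst[key] = {};
      safeMerge(dst[key], value);
    } else {
      dst[key] = value;
    }
  }
  return dst;
}

// Constructed attacker-controlled request body.
const PAYLOAD_JSON = '{"name":"guest","__proto__":{"isAdmin":true}}';

// Merge the payload with the vulnerable helper and observe that an unrelated,
// freshly created object now reports isAdmin === true. The global state is
// cleaned up afterwards so the process is left as it was found.
function demonstratePollution() {
  const before = ({}).isAdmin;                       // undefined
  unsafeMerge({}, JSON.parse(PAYLOAD_JSON));
  const after = ({}).isAdmin;                        // true: Object.prototype polluted
  delete Object.prototype.isAdmin;                   // clean up
  return { before, after };
}

// Same payload through the hardened helper: the legitimate key is copied,
// the prototype key is dropped, and fresh objects stay clean.
function demonstrateHardened() {
  const merged = safeMerge({}, JSON.parse(PAYLOAD_JSON));
  return { name: merged.name, after: ({}).isAdmin }; // 'guest', undefined
}

console.log('vulnerable merge:', demonstratePollution());
console.log('hardened merge:  ', demonstrateHardened());
```

When reviewing code for this bug class, look for any recursive copy, `extend`, or "deep set by path" helper that takes key names from a request body, and check whether it filters `__proto__`, `constructor` and `prototype`, or builds its targets with `Object.create(null)` so there is no prototype to reach.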

Timing Attacks & Race Conditions

Timing Attacks and Race Conditions are vulnerabilities that can arise in any software, not just web applications. As such, they are often overlooked in web security since they are not exclusive to web applications. A web application is vulnerable to timing attacks if response timing can be used as a side-channel to infer information about the web application. That may include the enumeration of valid usernames or the exfiltration of data from the web server. On the other hand, race conditions arise from the multithreaded execution of a web application. Suppose the web application assumes a sequential execution of certain operations but is deployed on a multithreaded web server. In that case, race condition vulnerabilities can arise, leading to data loss or business logic vulnerabilities.

Type Juggling

Type Juggling in PHP occurs when variables are converted to different data types in specific contexts. In particular, PHP features loose comparisons (using the == operator), which compare two values after type juggling, and strict comparisons (using the === operator), which compare both the values and their data types. Confusing these two operations can lead to security vulnerabilities and bugs if the web application code contains a loose comparison where a strict one was intended. Abusing loose comparisons can lead to unexpected and undesired outcomes, potentially resulting in security vulnerabilities such as authentication bypasses or privilege escalation.
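The module's Type Juggling material is about PHP's == and ===. JavaScript has an analogous loose/strict pair, and the following added example (not code from the module; PHP's coercion rules differ in detail) uses it to show the defect class the paragraph describes: a password-reset check written with a loose comparison that a request can satisfy without supplying any token, beside the strict version. The `user` and `request` objects, and the token value, are constructed samples standing in for a database row and a parsed request body.

```javascript
// Added example (not from the module). Loose vs strict comparison in a
// password-reset check; sample users, requests and tokens are constructed.

// Vulnerable: `==` coerces its operands. For a user with no reset pending,
// resetToken is null; a request body that omits the `token` field yields
// undefined, and `null == undefined` is true, so the check passes with no token.
function looseTokenCheck(user, request) {
  return user.resetToken == request.token;
}

// Hardened: insist on a non-empty string on both sides, then compare strictly.
// `null === undefined` is false, and any non-string (number, array, object)
// submitted by the client is rejected before the comparison is reached.
function strictTokenCheck(user, request) {
  if (typeof user.resetToken !== 'string' || user.resetToken.length === 0) return false;
  if (typeof request.token !== 'string') return false;
  return user.resetToken === request.token;
}

// Run both checks against a user with a pending reset and one without.
function demo() {
  const pendingUser = { name: 'alice', resetToken: 'constructed-token-1' };
  const idleUser = { name: 'bob', resetToken: null };
  const noTokenRequest = {};                               // field omitted -> undefined
  const validRequest = { token: 'constructed-token-1' };
  const wrongRequest = { token: 'constructed-token-2' };
  return {
    looseBypass: looseTokenCheck(idleUser, noTokenRequest),    // true: bypass
    strictBypass: strictTokenCheck(idleUser, noTokenRequest),  // false
    looseValid: looseTokenCheck(pendingUser, validRequest),    // true
    strictValid: strictTokenCheck(pendingUser, validRequest),  // true
    strictWrong: strictTokenCheck(pendingUser, wrongRequest),  // false
  };
}

console.log(demo());
```

The review habit this builds is the same one the module will apply to PHP: for every comparison that gates authentication or authorisation, ask what types each side can take at runtime (including "missing" values such as null or undefined) and whether the operator in use treats any two of them as equal.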
