Whitebox Pentesting 101: Command Injection Hard
This module focuses on discovering Command Injection vulnerabilities in NodeJS servers and exploiting them to control the server.
Created by Zeyad AlMadani
In the Whitebox Pentesting 101 module, you will build upon what you learned in the Secure Coding 101 module by identifying a Command Injection vulnerability in a NodeJS server and exploiting it to get control over the remote server.
This module is your first step in learning the techniques of Whitebox Pentesting.
Whitebox Pentesting 101
Unlike Blackbox Pentesting, in which an attacker is given no prior knowledge of or access to the target, in Whitebox Pentesting you have complete access to the codebase, debugging tools, and the local environment. This gives you a better understanding of the code design, and therefore lets you identify hard-to-find vulnerabilities that would otherwise usually be impossible to find using Blackbox Pentesting only.
In this module, you will learn the basics of Whitebox Pentesting, as follows:
- Code Review: Review the code and identify potential vulnerabilities
- Command Injection: Intro to Injections and Command Injections
- Local Debugging: Chart your way towards the vulnerable function
- Exploitation: Craft your payload to get remote code execution
This module builds upon the Secure Coding 101 module and assumes that you have already completed it. Hence, you are expected to be familiar with the concepts discussed in it, such as Code Review, Reverse Engineering, Deobfuscating JS Code, and Secure Coding.
- Obtaining the code
- Code Analysis
- Vulnerability Identification
- Command Injection
- Syntax Errors
- POST requests
- JSON keys
- Controlling eval
- Preparing Payload
- Code Injection
- Command Execution
- Blind Verification
- Remote Code Execution
- Skills Assessment