Web application penetration testing tutorials Common security protocols

Web Application Penetration Testing Tutorials - Common Security Protocols

Web application penetration testing tutorials Common security protocols

This is the first Tutorial of Web aapplication penetration testing tutorial and it will cover some basic security Protocols and Mechanisms.

These little things will be very useful to understand web applications in a holistic way.

We will start with the same basic policy (SOP), which is a restrictive policy that prevents web pages from bashing together (in a simple sense).

Then we have shared Cross-Origin Resource Sharing (Core), which is relatively new and allows resource sharing.

Later, we will cover the encoding techniques used in various web applications, such as URL or percentage encoding, double encoding and base64 encoding.

Web application penetration testing basic: 


The same basic policy is security enforcement found in most common browsers, which prohibits a document or script (or other data) that loads from an original, can communicate and associate with the properties of another origin.

This is an important concept of security that runs a variety of web applications.

To better understand the same basic policy, let's consider an example. Imagine that you are logged into a web browser such as Gmail in a browser tab.

You open the app in another browser tab, which has some pieces of JavaScript (JS) that attempts to read your Gmail messages.

This happens when the same basic policy kicks in: As soon as an attempt is made to access Gmail from another domain that is not Gmail The same basic policy will prevent this participation from occurring.

Therefore, basically, the same basic policy prevented a random web page that was not part of Gmail since taking action on your behalf on the actual Gmail web page.

Allow me to explain more specifically that what originally means the origin is based on the protocol, port number and, more importantly, the web page's hostname.

Please note that the path of the page does not matter unless the rest of the things described are satisfied.

Keep in mind that the same basic policy is not only for JS but also for cookies, AJAX, Flash, etc. The data stored inside the local storage is also governed by this policy, i.e. the original-isolated

When comparing the following table with the original, different native-origin policy results are displayed based on hostname, port number, and protocol: http://example.com/meme/derp.html

URL Result Explanation
http://example.com/random/derp.html Pass Path does not Matter
http://example.com/other/meme/derp.html Pass Path does not Matter
http://www.example.com/meme/derp.html Fail Different domain
http://example.com:8081/meme/derp.html Fail Different Ports
ftp://example.com/meme/derp.html Fail Different Protocol
http://demo.example.com/meme/derp.html Fail Different domain
http://packtpub.com/meme/derp.html Fail Different domain

Demonstration of the same-origin policy in Google Chrome

Now we are ready with the basics of the same basic policy, try to show me an example in which I will try to violate the same basic policy and trigger the security mechanism:

<!DOCTYPE html>
<meta charset="utf-8">
<title>SOP Demo</title>
<iframe src="http://example.com" name="demo"></iframe>
document.getElementsByName('demo')[0].onload = function() {
try {
} catch(e) {

As soon as the code runs inside the Chrome browser, it throws the following message into the console. () Output:

Web Application Penetration Testing Tutorials 1 | Common Security Protocols

I effectively implemented the script with the same basic policy of output.jsbin.com and Chrome and prevented output.jsbin.com from accessing the content of example.com iframe.

Switching Origins

If some conditions are met then JS provides a way to change the origin. Document domain property allows the creation of the current page to be converted into a different origin, for example, the original A can switch to A basic B; This will only work if the current page is subscribed to the main domain.

Explain the concept mentioned in an example. Consider the page that runs under Example.com, which has two iframes, abc.example.com and xyz.example.com.

If none of these issues the iframe's document. Domain = 'example.com' will then be based on the same-original check example.com. However, as I mentioned, one page can not misuse this functionality to put a completely different domain.

Therefore, malicious.com can not issue a child to change bankofamerica.com and access its data:

Web Application Penetration Testing Tutorials 1 | Common Security Protocols

This screenshot shows the error thrown by the Google Chrome browser when example.com tries to apply bankofamerica.com by changing its document. Domain Property

Quirks with Internet Explorer 

As expected, the exceptions to the same basic policy of Microsoft Internet Explorer (IE) are; If the following conditions have to be faced, it will stop the investigation of the policy:

  • IE sleeps the original check if the original belongs to the trust zone, for example, the internal corporate website.
  • IE does not give importance to port numbers, so http: // example.com: 8081 and http://example.com:8000 will be considered as the same origin; However, it will not be suitable for other browsers. For example, there are browser bugs that can lead to SOP bypass; One such example is an SOP bypass in Firefox abusing the PDF reader - https://www.mozilla.org/enUS/security/advisories/mfsa2015-78/.

Cross-Domain Messaging

Sometimes, communication between different values ​​is required. For a long time, the exchange of messages between different domains was restricted by the same basic policy.

Cross-Domain Messaging (CDM) was introduced with HTML5; This provides the postages () method, which allows sending messages or data in different values.

Let's say that there is an original A on www.example.com, which, using postMessage (), can send a message to the original B at www.prakharprasad.com.

Post message () method accepts two criteria:

  • Message: This is the data that the receiving window has to pass
  • Target Domain: URL of the received window

Postmessage Send ():


reciever.postMessage ('Hello', 'http://example.com')

Receiving Post measures ():

window.addEventListener('message',function(event) {
if(event.origin != 'http://sender.com') return;
console.log('Received: ' + event.data,event);

AJAX and the same-origin policy 

To date, all interactive web applications use AJAX, which is a powerful one Technology that allows the browser to quietly exchange data without server Reloading the page. 

A very common example of AJAX in use is a different online chat Application or functionality, such as Facebook Chat or Google Hangouts.

AJAX works by using JS's XMLHttpRequest () method. This allows a URL A page is loaded without releasing fresh, as mentioned. It works quite decently Face-to-face policy, but to bring or send data to a server The URL that is on a different origin is a completely different story. 

Let us try Load the homepage of packtpub.com by using the web page located at output.jsbin. Com through an XMLHttpRequest () call We will use the following code:

<!DOCTYPE html>
<meta charset="utf-8">
var request = new XMLHTTPRequests();
request.open ('GET', 'http://packtpub.com', true);

As soon as this code runs. We get the following security error inside the Google Chrome browser:

Web Application Penetration Testing Tutorials 1 | Common Security Protocols

This error looks interesting because it mentions 'access-control-permission-origin' The header tells us that packtpub.com effectively lacks this header, so cross-domain XMLHttpRequest () will fall according to security enforcement. 

Consider one example in which a web page running at original A sends an HTTP request in the original B impersonates the user and loads the page, which may include a Cross-site Request Forgery (CSRF) token, and then they can be used to mount CSRF attacks.

The same-original policy basically makes the original document calling AJAX is a problem. However, in the next part, we will try to dig deeper into this matter.


CORS allows cross-domain HTTP data exchange, which means that a page is running The original A can send/receive data from a server on the Basic B. 

The core is used extensively Web applications where web fonts, CSS, documents, and so on are loaded Different origins, which can not be of origin, where resources are actually Archived. 

Most Content Delivery Networks (CDNs) that offer resource-hosting Functionality usually allows any website or origin to interact with itself.

CORS works by adding a new HTTP header that allows the web server to speak A list of whitelisted domains that allows connecting and interacting with the server.

This thing also applies to the browser; Reads browser headers and processes Accordingly.

The following flow chart shows the CORS flow at different positions:

Web Application Penetration Testing Tutorials - Common Security Protocols

CORS Headers

There are less than a dozen HTTP headers related to the Cores, but I will try to explain some commonly used core headers:
  • Access-control-permission-origin: This is a feedback header; As soon as a request Is created for the exchange of data from the server, the server responds with a header It tells the browser whether the origin of the request is listed in The value of this reaction If the header does not exist or is the feedback header The request inside the header is not original, then the request is Dropped and a security error was raised (as seen in the previous part before), Otherwise, the request is processed. Example: Access-Control-Permission-Origin: http://api.example.com
  • Access-Control-Permission-Ways: This is another feedback header; Server Reacts with this header and instructs the browser to check for permission HTTP methods are described within it If the server only allows GET and A The POST request is initiated, if not mentioned in this list, it will be removed. Examples: Access-Control-Permission-Methods: GET
  • Origin: This is a request header that tells the server which domain it belongs to The original request was attempted. The original header is always sent together Cross-domain request Example: Origin: http://example.com

Pre-flight request

The preflight request is only a normal HTTP request that occurs before the actual Cross-Domain Communication The logic behind this is to ensure the client and the server Data are fully compatible with each other (protocol, security, and so on) Really exchanged. If they are not, then the related error is raised.

Please keep in mind that a pre-flight request is triggered only if:

  • Custom HTTP headers are sent
  • Body MIME-type is different from text/plain
  • HTTP method differs from GET or POST

The following is a specific pre-flight request-response:


Origin: http://api.user.com
Access-Control-Request-Method: PUT
Host: api.example.com
Accept-Language: en-US
Connection: keep-alive
User-Agent: Browser


HTTP/1.1 204 No Content
Access-Control-Allow-Origin: http://api.user.com
Access-Control-Allow-Methods: GET, POST, PUT
Content-Type: text/html; charset=utf-8

Simple Request

A simple core request is similar to the pre-flight request without the initial capacity Exchange sequence occurring. In a simple core request, the following The sequence is:

Request: http://example.com - Original A

Feedback: http://cdn.prakharprasad.com - Basic B

  1. Attempt to access CDN's home page running Genesis Genesis B http://cdn.prakharprasad.com, using the core.
  2. Original A sends a GET request to the original B Webserver
  3. Original B server responds with access-control-all-origin.

URL encoding – percent-encoding

In this section, I will explain the percentage encoding, which is the commonly used encoding technique to encode the URL.

URL encoding is a way in which some characters are encoded or replaced After the hexadecimal of the character is equal to%.

Developers often Use encoding because there are some cases when the desired character or The representation is sent to the server but when the receipt is received, the character changes or becomes
The wrong interpretation was done due to transport issues. 

Some protocols such as OAuth also Some parameters are required, such as Redirect_urie, to be encoded percentages Make it different from the rest of the browser URL.

Example: < is represented as %3c in percent-encoding format.

URL encoding is usually done on URI characters that are defined in RFC 3986 RFC mentions that characters should be divided into two separate sets: reserved Eligible and unreserved characters.

Reserved characters have special meaning and should be in the context of URL There is another form encoding to avoid any other type, which is a percentage-encoded form Opacity This can be a classic example of ambiguity, which is used to differentiate Path in URL, so if the requirement occurs in the URL to broadcast /character

We have to encode accordingly so that the URL does not get the receiver or parser Misrepresent and parse the URL incorrectly. Therefore, in that case, is encoded in% 2F, This URL will be decoded by the parser to /.

Unrestricted Characters

The following characters are not encoded as part of the URL encoding technology:

a b c d e f g h i j k l m n o p q r s t u v w xRestricted characters y z
0 1 2 3 4 5 6 7 8 9 - _ . ~

Restricted Characters

! * ' ( ) ; : @ & = +
$ , / ? # [ ]

The following characters are encoded as URL encoding techniques such as POWER:

Encoding Table 

The following is a list of characters with their encoded forms:

Character Encoded
: %3A
/ %2F
# %23
? %3F
& %24
@ %40
% %25
+ %2B
<space> %20
; %3B
= %3D
$ %26
, %2C
< %3C
> %3E
^ %5E
` %60
\ %5C
[ %5B
] %5D
{ %7B
| %7C
" %22

Encoding unrestricted characters

Although the percentage encoding technique usually encodes the restricted characters, It is also possible to encode unrestricted characters by providing equivalent ASCII The hexadecimal code for the character was before%.

For example, if we had to encode A to percent encoding, then we could only provide% 41; Here, hexadecimal for 41 65, which in turn, has the ASCII code for Capital A.

A web-based URL encoder / decoder can be found here:


Double Encoding

Double percentage encoding is equal to percent encoding with each turn The character is encoded twice instead of one time. 

This technique works a lot When trying to blacklist certain encoded attempts to avoid the filter Characters, so we can encode instead and change the filter to the original Form. 

This technique only works when recursive decoding is done.

This is the same technology that was used in the notorious IIS 5.0 directory traversal Exploitation in 2001

Double encoding sometimes works well in Local File Inclusion (LFI) or Remote File Inclusion (RFI) scenario also, in which we need to encode our path payload.

Usually .. /../ or .. \ _ \ _ is used to return to the original directory; some Filters detect it and block the attempt. We can use double techniques avoid it.

Introducing Double Encoding

In percent encoding, if our percentage-encoded character was as% 3C, then it becomes Was decoded in In double encoding, percent-encoded characters are re-encoded, Which means that% prefix hex-character is encoded more than 25% again Hex-character of the original character. 

So if I had to encode <by using double encoding, I would like to convert it to its encoded format in percent-encoded format, which is% 3c and again Percentage coded% chars. 

The result will be% 253c. Generally, this Decoding should be done only once, but there are scenarios where developers make
It is a mistake to decode it several times or in a situation in which this is done by the design.

This effectively results in the bypass of the filter based on the scenario:

IIS 5.0 Directory Traversal Code Execution – CVE-2001-0333

In 2001, a directory traversal vulnerability in Microsoft's popular IIS 5.0 web server Has you seen. 

Vulnerability was important because it was a zero authentication code Performance vulnerability. 

There was vulnerability due to the double decoding of a URL Passed in the request.

Microsoft released security bulletin MS01-026 and described it to remove this flaw Vulnerability in their own words. I will quote the published technical adviser Microsoft's website:

Note: A vulnerability that can enable an attacker to run operating system commands An affected server. 

When IIS receives a user request to run a script or other server side program, it passes a decoding to present the request in a canonical
The form then performs a security check on the decoded request. 

A vulnerability result Because after a security check, a second, superb decoding is passed Has been completed. 

If an attacker presents a specially created request, it can be It may be possible to request security checks to pass, but can then be mapped through The second decoding passes through one that should have been blocked - in particular, it can be
Enable request to execute operating system commands or programs outside Virtual folder structure. 

These will be executed in terms of security IUSR_machinename account, which is all based on its membership The group will grant the same attacker capabilities as a non-administrative Interactively logged into user console.

This quotation specifically mentions that a vulnerability resulted because a second, Great security decoding is done after the completion of the security check.

It expresses itself clearly that IIS is accidentally double decoding
Server that allows anyone to locate the name of the path and execute the commands Comming with the cmd.exe parser; Code is executed under the rights For the IIS webserver account.

Whenever IIS was asked to serve a CGI page with that ../../ in that path The request may have been blocked outside the root directory because it is clear Path Traversal Outside the Route Directory

Assume that the root directory is a Windows folder, if we send the following Request, it will be blocked because it includes ../../ Inside Directory Traversal Pathname

Normal URL:

http: //example.com/scripts/../../winnt/system32/cmd.exe/c + dir + c: \

Then superfluous is using another decoding because Microsoft likes to call it. We can do it Execute path traversal and execute commands with command-line parser Windows.

Then bypassing the following double-encoded URLs and executing the code References to the IIS server account name.

Double-Encoded URL:


Using double encoding to evade XSS filters 

We have covered a directory traversal security check bypass through double Encoding technique In this section, I will cover how we can erase some XSS filters or Dual decoding check for input

Assuming that we have an XSS filter that detects <,>, /, or their percentage-encoded form,We can apply double encoding techniques on our XSS payload, if our input is received Frequently Disintegrated

Original request with XSS payload (blocked): http://www.example.com/search.
php? q = <script> WARNING (0) </ script>

Percent-encoded XSS payload (blocked):


Double-percent-encoded payload (allowed): http://www.example.com/search.php

Basically, we can tabulate the encodings we've just done:

Character Percent Encoded Double Encoded
< %3C %253C
> %3E %253E
/ %2F %252F

Before concluding this topic, I should say double encoding technique to bypass Countermeasures are very powerful provided that our requirements (such as recursive) Decoding. 

It can be applied to other attack techniques such as SQL injection.

Double encoding can be extrapolated on triple encoding and so on. for Triple encoding, we all need the prefix% 25, ​​then attach the 25 hex code; For triple encoding% 25253C will be.

Base 64 Encoding

Base 64 is an encoding mechanism that was originally designed for encoding binary Data in Text Format Used in the first e-mail system where binary attachments are required Pictures sent in ASCII format and rich text documents such as.

Base 64 is usually used in websites, not for encoding binary data, but for Obscure request parameter values, sessions, and so on. 

Maybe you Know that protection is not beneficial in any way through obscenity. in this matter, Developers are generally not aware of the fact that even a little skilled person can do it
Decode hidden values ​​hidden as base 64 strings. 

Base64 encoding is used Encoded through media such as images, fonts and so on data URI.

JS also provides built-in function for encoding / decoding encoded strings of Base64-enc Such as:

  • Etob (): Encoder on Base 64
  • Quota (): Decode from base 64

Character set of Base64 encoding

Base64 encoding has a character set of 64 printable ASCII characters.

The following set of characters is used to encode text to binary:

  • Z to the letter
  • A to Z character
  • + (plus character)
  • / (forward-slash character)
  • = (same letter)

The following table is used to index the values ​​of their respective base64 Encoding Options:

Web Application Penetration Testing Tutorials - Common Security Protocols

Encoding Process

The encoding process is as follows:

  1. Binary or non-binary data is read from left to right.
  2. To create a 24-bit-long group, three different 8-bit data is connected to the input.
  3. The 24-bit tall group is divided into 6-bit individual groups, i.e. 4 groups.
  4. Now each 6-bit group is converted into base 64-encoded format using the previous look table.


Let us take the word God We will create a table to display the process more easily:

Web Application Penetration Testing Tutorials - Common Security Protocols

Therefore, the Base64 R29k for God becomes.

However, a problem occurs when the character groups do not produce 24-bit patterns. Let me explain this example. Payx word attention. We can not divide this term evenly into 24-bit groups.

Speaking hypothesally, where is the first 24-bit group PAC and the second group, Katie? Shows a missing 8-bit character.

This is where the padding system of 64 based on enters the system.

Padding in Base64

Where there is a missing character (8-bit) in forming 24-bit groups, for each missing character (8-bit), the location of = is added. So, for a missing character, = is used; For every two missing characters == is used:
Web Application Penetration Testing Tutorials - Common Security Protocols


In thisWeb penetration testing tutorial, We have learned about some of the basic pledges, courses and various types of encoding mechanisms on the web application. 

For your understanding, you can use other encoding techniques such as Base32, RT 13 and so on.


Hi'i'm Rahim Ansari ,from India, I Love to Blogging, Desing Website, Web Developing and Desiging I Like to Learn and share Technical Hacking/Security tips with you,I Love my Friends.

Please Ask Question on Comment Box

Related Posts

Next Post »