Research Academy
My account Customers About Blog Careers Legal Contact Resellers
Back to all learning paths
APPRENTICE

Server-side vulnerabilities

This learning path introduces you to a range of common server-side vulnerabilities. This is perfect if you're new to web security and want to get an overview of the kinds of vulnerabilities that exist, as well as how an attacker might identify and exploit them in real-world systems.

Contents

Get started: What is path traversal?

0 of 51

GET STARTED

Path traversal Path traversal (also known as directory traversal) vulnerabilities enable an attacker to interact with arbitrary files on the server, giving them access to sensitive data. If they can also write to these files, they can potentially modify application data or behavior, ultimately taking full control of the server. 0 of 3

What is path traversal? Get started

Reading arbitrary files via path traversal

Lab: File path traversal, simple case APPRENTICE

Access control Access controls are designed to prevent users from interacting with data or functionality for which they don't have the relevant permissions. Due to the obvious security impact, broken access controls are critical bugs in their own right. They often also provide access to more attack surface, which could contain additional vulnerabilities. 0 of 12

What is access control?

Vertical privilege escalation

Unprotected functionality

Lab: Unprotected admin functionality APPRENTICE

Unprotected functionality - Continued

Lab: Unprotected admin functionality with unpredictable URL APPRENTICE

Parameter-based access control methods

Lab: User role controlled by request parameter APPRENTICE

Horizontal privilege escalation

Lab: User ID controlled by request parameter, with unpredictable user IDs APPRENTICE

Horizontal to vertical privilege escalation

Lab: User ID controlled by request parameter with password disclosure APPRENTICE

Authentication Authentication is the process of checking that a user really is who they claim to be. For example, a login form where you enter your username and password is one form of authentication mechanism. Flawed authentication mechanisms may allow an attacker to guess valid sets of credentials by automating thousands of login attempts using specialist tools like Burp Intruder. 0 of 9

Authentication vulnerabilities

What is the difference between authentication and authorization?

Brute-force attacks

Brute-forcing usernames

Brute-forcing passwords

Username enumeration

Lab: Username enumeration via different responses APPRENTICE

Bypassing two-factor authentication

Lab: 2FA simple bypass APPRENTICE

Server-side request forgery (SSRF) SSRF vulnerabilities enable an attacker to trigger malicious server-to-server requests to unintended URLs. As the server issuing the request is likely to have a strong trust relationship with other systems on the network, the attacker can potentially abuse this behavior to access data, functionality, and services that are not meant to be exposed to external users. 0 of 6

What is SSRF?

SSRF attacks against the server

SSRF attacks against the server - Continued

Lab: Basic SSRF against the local server APPRENTICE

SSRF attacks against other back-end systems

Lab: Basic SSRF against another back-end system APPRENTICE

File upload vulnerabilities Any functionality that enables users to upload files to the server's filesystem are inherently dangerous. Failing to enforce proper restrictions on the files that users are allowed to upload can potentially enable an attacker to run arbitrary system commands, giving them full control over the server. 0 of 9

What are file upload vulnerabilities?

How do file upload vulnerabilities arise?

Exploiting unrestricted file uploads to deploy a web shell

Lab: Remote code execution via web shell upload APPRENTICE

Exploiting flawed validation of file uploads

Flawed file type validation

Flawed file type validation - Continued

Flawed file type validation - Continued

Lab: Web shell upload via Content-Type restriction bypass APPRENTICE

OS command injection Command injection vulnerabilities enable an attacker to execute arbitrary operating system (OS) commands on the server. This gives them full control over the server, compromising the application and all of its data. 0 of 5

What is OS command injection?

Useful commands

Injecting OS commands

Injecting OS commands - Continued

Lab: OS command injection, simple case APPRENTICE

SQL injection SQL injection is a classic vulnerability that is responsible for many high-profile data breaches. It enables an attacker to interfere with the queries the application issues to its database, potentially returning sensitive data from arbitrary tables within the database. 0 of 7

What is SQL injection (SQLi)?

How to detect SQL injection vulnerabilities

Retrieving hidden data

Retrieving hidden data - Continued

Lab: SQL injection vulnerability in WHERE clause allowing retrieval of hidden data APPRENTICE

Subverting application logic

Lab: SQL injection vulnerability allowing login bypass APPRENTICE