Some web applications give you access to directories containing files you are allowed to display or download. Imagine a web app that lets users share images of their custom skateboards or bikes. Images uploaded by the site’s users could be all stored in a given directory. If you click on one of these images,...
What is a file inclusion – LFI – RFI
In some situations, a web application will allow a user to access a file stored on the server (such as a text file or a PDF document) and display or render its content to the web page viewed by the user. Imagine a web site that lets users upload their resume and allows hiring...
What is an IDOR?
IDOR means Insecure Direct Object Reference. It’s one of the easier web application vulnerabilities to understand (or at least, the basic concept is). An IDOR happens when a user of a web site can find ways to access pages and data that belong to a different user on the same site, by changing a...
What is a command injection?
Web applications sometimes use system commands as part of their features. Imagine a web application that lets you enter an IP address, then pings this address to check if the host is accessible. In order to do this, the app could maybe use the ping command to do the job. Bottom line: a web app...
What is XSS – Cross Site Scripting?
XSS or Cross Site Scripting is a technique that allows malicious users to insert JavaScript code into a page from a target web site. When the page is then displayed or refreshed, the attacker’s JavaScript is executed by the browser just like any legit JavaScript code contained in the code of the page. If...
Clusterbomb or pitchfork?
Clusterbomb and pitchfork are terms you will come across when fuzzing web apps using tools like FFUF or Burp Suite. Let’s see how this works with FFUF. FFUF has two wordlist modes : clusterbomb and pitchfork. These modes will matter when you want to fuzz two separate positions in your target URL, using two wordlists. Here...