Many of the systems a PenTest-er targets rely on web applications and cloud resources to perform their functions. Because of this, web applications and cloud resources are often prime targets for gaining access to a system. The PenTest-er needs to be familiar with the different types of attacks that can be used against these environments.
<aside>
Mission Objectives
- Evaluate a Database using SQLMap
- Exploit Directory Traversal
- Perform XSS
- Abuse Insecure Direct Object Reference
- Perform Lateral Movement
- Perform RFI and LFI Exploitation
- Perform and Analyze a SYN Flood Attack
</aside>
1. Web-Based Attacks
Modern applications are complex, often involving a front-end, an API, and a database. We look for breaks in the communication between these layers.
- Injection Attacks:
  - SQL Injection (SQLi): Manipulating database queries to bypass login or leak data.
  - Command Injection: Forcing the web server to execute OS-level commands.
- Cross-Site Scripting (XSS): Injecting malicious scripts into web pages viewed by other users to steal session cookies or redirect traffic.
- Broken Access Control: Gaining access to files or administrative panels that should be restricted (e.g., IDOR—Insecure Direct Object Reference).
- Request Forgery:
  - SSRF (Server-Side Request Forgery): Forcing the server to make requests to internal resources it shouldn't access.
  - CSRF (Cross-Site Request Forgery): Tricking a user's browser into performing actions on a web app where they are authenticated.
- API Exploitation: Interrogating RESTful or SOAP APIs for excessive data exposure or improper rate limiting.
2. Cloud-Based Attacks
Attacking "the cloud" isn't about attacking the provider (Amazon/Microsoft); it's about attacking the user's misconfigurations.
- Identity and Access Management (IAM): Exploiting overly permissive roles to escalate privileges or move laterally between cloud services.
- Storage Misconfigurations: Finding publicly accessible S3 Buckets (AWS) or Blob Storage (Azure) containing sensitive backups or keys.
- Instance Metadata Service (IMDS): Using SSRF to query the metadata service (169.254.169.254) to steal temporary cloud credentials.
- Serverless Vulnerabilities: Attacking AWS Lambda or Azure Functions that lack proper input validation.
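The SSRF-to-IMDS path above is the one cloud item here that a single server-side check can close. The following is an added example (not part of the course notes, and not any cloud provider's code): a hypothetical `is_safe_outbound_url` guard that a web app would run before fetching a user-supplied URL, rejecting anything that points at 169.254.169.254, loopback, or private address space, including hostnames that resolve there.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Hypothetical helper written for this example. It validates a URL before a
# server fetches it, so that the fetch cannot be redirected at the instance
# metadata service (169.254.169.254) or other internal addresses.

ALLOWED_SCHEMES = {"http", "https"}

def _default_resolver(host):
    """Resolve a hostname to all its IPv4/IPv6 addresses (blocking DNS)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def is_safe_outbound_url(url, resolver=_default_resolver):
    """Return True only if every resolved address is public unicast space.

    Rejects non-http(s) schemes, embedded credentials, unresolvable hosts,
    and any address that is loopback, link-local (169.254.169.254 included),
    private (RFC 1918 / ULA), multicast, reserved, or unspecified.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.hostname:
        return False
    if parts.username or parts.password:
        return False  # "http://user@host" forms invite parser confusion
    host = parts.hostname
    try:
        addrs = {ipaddress.ip_address(host)}  # literal IP, no DNS needed
    except ValueError:
        try:
            addrs = {ipaddress.ip_address(a) for a in resolver(host)}
        except (socket.gaierror, ValueError):
            return False
    if not addrs:
        return False  # a host that resolves to nothing is not "safe"
    for ip in addrs:
        # IPv4-mapped IPv6 (::ffff:169.254.169.254) is checked as its v4 form
        if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
            ip = ip.ipv4_mapped
        if (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified):
            return False
    return True
```

The check resolves the name once, so the fetch must connect to the validated address (or re-check inside the connection hook); otherwise a DNS answer that changes between validation and connection can still land on the metadata endpoint.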