oswe-learning-plan

Vulns to study

• Deserialization
  • Java
    • https://www.youtube.com/watch?v=VviY3O-euVQ
    • https://i.blackhat.com/eu-19/Thursday/eu-19-Zhang-New-Exploit-Technique-In-Java-Deserialization-Attack.pdf
    • https://owasp.org/www-community/vulnerabilities/Deserialization_of_untrusted_data
    • https://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
    • Deserialization-cheatsheet
    • https://www.youtube.com/watch?v=oZPZLiY2PeA
    • https://securitylab.github.com/research/in-memory-data-grid-vulnerabilities
  • NODEJS
    • https://www.exploit-db.com/docs/english/41289-exploiting-node.js-deserialization-bug-for-remote-code-execution.pdf
    • https://blog.websecurify.com/2017/02/hacking-node-serialize.html
    • https://www.youtube.com/watch?v=t-zVC-CxYjw
    • nodejs deserialization cheatsheet
  • C#
    • https://www.youtube.com/watch?v=eDfGpu3iE4Q
    • https://www.youtube.com/watch?v=Xfbu-pQ1tIc
  • PHP
    • https://vkili.github.io/blog/insecure%20deserialization/pop-chains/
• php Type Juggling
• Advanced SQLi techniques

Playground

• CTF.LIVE
• Hackthebox

Skill

• Source Code Review
  • OWASP Secure Code Review Guide
  • https://medium.com/swlh/secure-code-review-and-penetration-testing-of-node-js-and-javascript-apps-41485b1a9518
• Exploit development automation in prefered language
• dynamic analysis of web application

HTB Boxes

• Archam : Java Deserialization
• Falafel : PHP Type Juggling
• Zipper : API to RCE ( )
• HackBack : API to RCE
• Holiday : NodeJS Command Injection
• Fighter : Boolean SQLi to RCE
• Writeup : Time Base SQLI to RCE
• Unattended : Time Base SQLI to RCE
• Help : Time Base SQLI to RCE /File upload
• Ghoul : File upload

Other labs

• JavaDeserH2HC
• NodeGoat
• DSerlab
• SQLi to Shell
• XSS to RCE
• pipe
• XVNA

Tools

• ysoserial
  • Jar : https://github.com/frohoff/ysoserial
  • .NET : https://github.com/pwntester/ysoserial.net
  • about payload : http://gursevkalra.blogspot.com/2016/01/ysoserial-commonscollections1-exploit.html
  • burp plugin : https://github.com/summitt/burp-ysoserial
• GadgetProbe
• NodeJSscan
• Frida-node

Books

• You don't know JS

other refs

https://github.com/wetw0rk/AWAE-PREP

https://medium.com/swlh/secure-code-review-and-penetration-testing-of-node-js-and-javascript-apps-41485b1a9518

https://forum.hackthebox.eu/discussion/2646/oswe-exam-review-2020-notes-gifts-inside https://github.com/lirantal/awesome-nodejs-security