From 1a3e605d64fc50d302607e4274d7d6776b2925a7 Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Sun, 10 Nov 2024 15:28:12 +0100 Subject: [PATCH] Normalize page header for JWT, LDAP, LaTeX, OAuth, ORM --- JSON Web Token/README.md | 12 ++++++++- LDAP Injection/README.md | 26 +++++++++++------- LaTeX Injection/README.md | 26 +++++++++++++----- Mass Assignment/README.md | 4 +-- .../Miscellaneous - Tricks.md | 27 ------------------- NoSQL Injection/README.md | 13 +++++++-- OAuth Misconfiguration/README.md | 24 ++++++++++------- ORM Leak/README.md | 20 +++++++------- Open Redirect/README.md | 19 ++++++------- Prototype Pollution/README.md | 18 ++++++------- 10 files changed, 103 insertions(+), 86 deletions(-) delete mode 100644 Methodology and Resources/Miscellaneous - Tricks.md diff --git a/JSON Web Token/README.md b/JSON Web Token/README.md index 858589f..d25cb24 100644 --- a/JSON Web Token/README.md +++ b/JSON Web Token/README.md @@ -2,7 +2,8 @@ > JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed. -## Summary + +## Summary - [Tools](#tools) - [JWT Format](#jwt-format) @@ -23,6 +24,7 @@ - [JWT Claims](#jwt-claims) - [JWT kid Claim Misuse](#jwt-kid-claim-misuse) - [JWKS - jku header injection](#jwks---jku-header-injection) +- [Labs](#labs) - [References](#references) 
@@ -509,6 +511,14 @@ You should create your own key pair for this attack and host it. It should look * [PortSwigger - JWT authentication bypass via jwk header injection](https://portswigger.net/web-security/jwt/lab-jwt-authentication-bypass-via-jwk-header-injection) * [PortSwigger - JWT authentication bypass via jku header injection](https://portswigger.net/web-security/jwt/lab-jwt-authentication-bypass-via-jku-header-injection) * [PortSwigger - JWT authentication bypass via kid header path traversal](https://portswigger.net/web-security/jwt/lab-jwt-authentication-bypass-via-kid-header-path-traversal) +* [Root Me - JWT - Introduction](https://www.root-me.org/fr/Challenges/Web-Serveur/JWT-Introduction) +* [Root Me - JWT - Revoked token](https://www.root-me.org/en/Challenges/Web-Server/JWT-Revoked-token) +* [Root Me - JWT - Weak secret](https://www.root-me.org/en/Challenges/Web-Server/JWT-Weak-secret) +* [Root Me - JWT - Unsecure File Signature](https://www.root-me.org/en/Challenges/Web-Server/JWT-Unsecure-File-Signature) +* [Root Me - JWT - Public key](https://www.root-me.org/en/Challenges/Web-Server/JWT-Public-key) +* [Root Me - JWT - Header Injection](https://www.root-me.org/en/Challenges/Web-Server/JWT-Header-Injection) +* [Root Me - JWT - Unsecure Key Handling](https://www.root-me.org/en/Challenges/Web-Server/JWT-Unsecure-Key-Handling) + ## References diff --git a/LDAP Injection/README.md b/LDAP Injection/README.md index 69b6a95..7e42213 100644 --- a/LDAP Injection/README.md +++ b/LDAP Injection/README.md @@ -2,9 +2,10 @@ > LDAP Injection is an attack used to exploit web based applications that construct LDAP statements based on user input. When an application fails to properly sanitize user input, it's possible to modify LDAP statements using a local proxy. + ## Summary -* [Exploitation](#exploitation) +* [Methodology](#methodology) * [Payloads](#payloads) * [Blind Exploitation](#blind-exploitation) * [Defaults attributes](#defaults-attributes) 
@@ -12,8 +13,11 @@ * [Scripts](#scripts) * [Discover valid LDAP fields](#discover-valid-ldap-fields) * [Special blind LDAP injection](#special-blind-ldap-injection) +* [Labs](#labs) +* [References](#references) -## Exploitation + +## Methodology Example 1. @@ -78,6 +82,7 @@ We can extract using a bypass login (&(sn=administrator)(password=MYKE)) : OK ``` + ## Defaults attributes Can be used in an injection like `*)(ATTRIBUTE_HERE=*` @@ -94,6 +99,7 @@ givenName commonName ``` + ## Exploiting userPassword attribute `userPassword` attribute is not a string like the `cn` attribute for example but it’s an OCTET STRING @@ -113,15 +119,12 @@ userPassword:2.5.13.18:=\xx\xx\xx ```python #!/usr/bin/python3 - import requests import string fields = [] - url = 'https://URL.com/' - -f = open('dic', 'r') #Open the worldists of common attributes +f = open('dic', 'r') world = f.read().split('\n') f.close() @@ -137,7 +140,6 @@ print(fields) ```python #!/usr/bin/python3 - import requests, string alphabet = string.ascii_letters + string.digits + "_@{}-/()!\"$%=^[]:;" @@ -152,15 +154,14 @@ for i in range(50): break ``` +Exploitation script by [@noraj](https://github.com/noraj) ```ruby #!/usr/bin/env ruby - require 'net/http' alphabet = [*'a'..'z', *'A'..'Z', *'0'..'9'] + '_@{}-/()!"$%=^[]:;'.split('') flag = '' - (0..50).each do |i| puts("[i] Looking for number #{i}") alphabet.each do |char| @@ -174,7 +175,12 @@ flag = '' end ``` -By [noraj](https://github.com/noraj) + + +## Labs + +* [Root Me - LDAP injection - Authentication](https://www.root-me.org/en/Challenges/Web-Server/LDAP-injection-Authentication) +* [Root Me - LDAP injection - Blind](https://www.root-me.org/en/Challenges/Web-Server/LDAP-injection-Blind) ## References diff --git a/LaTeX Injection/README.md b/LaTeX Injection/README.md index 2e756d2..3d670ec 100644 --- a/LaTeX Injection/README.md +++ b/LaTeX Injection/README.md 
@@ -1,17 +1,23 @@ -# LaTex Injection +# LaTeX Injection + +> LaTeX Injection is a type of injection attack where malicious content is injected into LaTeX documents. LaTeX is widely used for document preparation and typesetting, particularly in academia, for producing high-quality scientific and mathematical documents. Due to its powerful scripting capabilities, LaTeX can be exploited by attackers to execute arbitrary commands if proper safeguards are not in place. + ## Summary -* [Read File](#read-file) -* [Write File](#write-file) +* [File Manipulation](#file-manipulation) + * [Read File](#read-file) + * [Write File](#write-file) * [Command Execution](#command-execution) * [Cross Site Scripting](#cross-site-scripting) * [References](#references) -## Read File +## File Manipulation -You might need to adjust injection with wrappers as `\[` or `$`. +### Read File + +Attackers can read the content of sensitive files on the server. Read file and interpret the LaTeX code in it: @@ -70,7 +76,7 @@ To bypass a blacklist try to replace one character with it's unicode hex value. \lstin^^70utlisting{/etc/passwd} ``` -## Write File +### Write File Write single lined file: @@ -83,6 +89,7 @@ Write single lined file: \closeout\outfile ``` + ## Command Execution The output of the command will be redirected to stdout, therefore you need to use a temp file to get it. @@ -104,6 +111,7 @@ If you get any LaTex error, consider using base64 to get the result without bad \input{|"/bin/hostname"} ``` + ## Cross Site Scripting From [@EdOverflow](https://twitter.com/intigriti/status/1101509684614320130) 
@@ -120,6 +128,12 @@ in [mathjax](https://docs.mathjax.org/en/latest/input/tex/extensions/unicode.htm ``` +## Labs + +* [Root Me - LaTeX - Input](https://www.root-me.org/en/Challenges/App-Script/LaTeX-Input) +* [Root Me - LaTeX - Command execution](https://www.root-me.org/en/Challenges/App-Script/LaTeX-Command-execution) + + ## References - [Hacking with LaTeX - Sebastian Neef - March 10, 2016](https://0day.work/hacking-with-latex/) diff --git a/Mass Assignment/README.md b/Mass Assignment/README.md index 831ec24..9138d4d 100644 --- a/Mass Assignment/README.md +++ b/Mass Assignment/README.md @@ -4,12 +4,12 @@ ## Summary -* [Exploit](#exploit) +* [Methodology](#methodology) * [Labs](#labs) * [References](#references) -## Exploit +## Methodology Mass assignment vulnerabilities are most common in web applications that use Object-Relational Mapping (ORM) techniques or functions to map user input to object properties, where properties can be updated all at once instead of individually. Many popular web development frameworks such as Ruby on Rails, Django, and Laravel (PHP) offer this functionality. diff --git a/Methodology and Resources/Miscellaneous - Tricks.md b/Methodology and Resources/Miscellaneous - Tricks.md deleted file mode 100644 index e82618b..0000000 --- a/Methodology and Resources/Miscellaneous - Tricks.md +++ /dev/null 
@@ -1,27 +0,0 @@ -# Miscellaneous & Tricks - -All the tricks that couldn't be classified somewhere else. - -## Send a message to another user - -```powershell -# Windows -PS C:\> msg Swissky /SERVER:CRASHLAB "Stop rebooting the XXXX service !" -PS C:\> msg * /V /W /SERVER:CRASHLAB "Hello all !" - -# Linux -$ wall "Stop messing with the XXX service !" -$ wall -n "System will go down for 2 hours maintenance at 13:00 PM" # "-n" only for root -$ who -$ write root pts/2 # press Ctrl+D after typing the message. -``` - -## CrackMapExec Credential Database - -```ps1 -cmedb (default) > workspace create test -cmedb (test) > workspace default -cmedb (test) > proto smb -cmedb (test)(smb) > creds -cmedb (test)(smb) > export creds csv /tmp/creds -``` \ No newline at end of file diff --git a/NoSQL Injection/README.md b/NoSQL Injection/README.md index 28f62d0..7467684 100644 --- a/NoSQL Injection/README.md +++ b/NoSQL Injection/README.md @@ -2,10 +2,11 @@ > NoSQL databases provide looser consistency restrictions than traditional SQL databases. By requiring fewer relational constraints and consistency checks, NoSQL databases often offer performance and scaling benefits. Yet these databases are still potentially vulnerable to injection attacks, even if they aren't using the traditional SQL syntax. + ## Summary * [Tools](#tools) -* [Exploit](#exploits) +* [Methodology](#methodology) * [Authentication Bypass](#authentication-bypass) * [Extract length information](#extract-length-information) * [Extract data information](#extract-data-information) @@ -14,8 +15,10 @@ * [POST with urlencoded body](#post-with-urlencoded-body) * [GET](#get) * [MongoDB Payloads](#mongodb-payloads) +* [Labs](#references) * [References](#references) + ## Tools * [codingo/NoSQLmap](https://github.com/codingo/NoSQLMap) - Automated NoSQL database enumeration and web application exploitation tool 
@@ -23,7 +26,7 @@ * [matrix/Burp-NoSQLiScanner](https://github.com/matrix/Burp-NoSQLiScanner) - This extension provides a way to discover NoSQL injection vulnerabilities. -## Exploit +## Methodology ### Authentication Bypass @@ -214,6 +217,12 @@ db.injection.insert({success:1});return 1;db.stores.mapReduce(function() { { emi ``` +## Labs + +* [Root Me - NoSQL injection - Authentication](https://www.root-me.org/en/Challenges/Web-Server/NoSQL-injection-Authentication) +* [Root Me - NoSQL injection - Blind](https://www.root-me.org/en/Challenges/Web-Server/NoSQL-injection-Blind) + + ## References - [Burp-NoSQLiScanner - matrix - January 30, 2021](https://github.com/matrix/Burp-NoSQLiScanner/blob/main/src/burp/BurpExtender.java) diff --git a/OAuth Misconfiguration/README.md b/OAuth Misconfiguration/README.md index cdd411e..c251917 100644 --- a/OAuth Misconfiguration/README.md +++ b/OAuth Misconfiguration/README.md 
@@ -1,26 +1,20 @@ # OAuth Misconfiguration +> OAuth is a widely-used authorization framework that allows third-party applications to access user data without exposing user credentials. However, improper configuration and implementation of OAuth can lead to severe security vulnerabilities. This document explores common OAuth misconfigurations, potential attack vectors, and best practices for mitigating these risks. + + ## Summary -- [Labs](#labs) - [Stealing OAuth Token via referer](#stealing-oauth-token-via-referer) - [Grabbing OAuth Token via redirect_uri](#grabbing-oauth-token-via-redirect---uri) - [Executing XSS via redirect_uri](#executing-xss-via-redirect---uri) - [OAuth private key disclosure](#oauth-private-key-disclosure) - [Authorization Code Rule Violation](#authorization-code-rule-violation) - [Cross-Site Request Forgery](#cross-site-request-forgery) +- [Labs](#labs) - [References](#references) -## Labs - -* [PortSwigger - Authentication bypass via OAuth implicit flow](https://portswigger.net/web-security/oauth/lab-oauth-authentication-bypass-via-oauth-implicit-flow) -* [PortSwigger - Forced OAuth profile linking](https://portswigger.net/web-security/oauth/lab-oauth-forced-oauth-profile-linking) -* [PortSwigger - OAuth account hijacking via redirect_uri](https://portswigger.net/web-security/oauth/lab-oauth-account-hijacking-via-redirect-uri) -* [PortSwigger - Stealing OAuth access tokens via a proxy page](https://portswigger.net/web-security/oauth/lab-oauth-stealing-oauth-access-tokens-via-a-proxy-page) -* [PortSwigger - Stealing OAuth access tokens via an open redirect](https://portswigger.net/web-security/oauth/lab-oauth-stealing-oauth-access-tokens-via-an-open-redirect) - - ## Stealing OAuth Token via referer > Do you have HTML injection but can't get XSS? Are there any OAuth implementations on the site? If so, setup an img tag to your server and see if there's a way to get the victim there (redirect, etc.) 
after login to steal OAuth tokens via referer - [@abugzlife1](https://twitter.com/abugzlife1/status/1125663944272748544) @@ -66,6 +60,7 @@ Some Android/iOS app can be decompiled and the OAuth Private key can be accessed ## Authorization Code Rule Violation > The client MUST NOT use the authorization code more than once. + If an authorization code is used more than once, the authorization server MUST deny the request and SHOULD revoke (when possible) all tokens previously issued based on that authorization code. @@ -77,6 +72,15 @@ Applications that do not check for a valid CSRF token in the OAuth callback are > The client MUST implement CSRF protection for its redirection URI. This is typically accomplished by requiring any request sent to the redirection URI endpoint to include a value that binds the request to the user-agent's authenticated state. The client SHOULD utilize the "state" request parameter to deliver this value to the authorization server when making an authorization request. +## Labs + +* [PortSwigger - Authentication bypass via OAuth implicit flow](https://portswigger.net/web-security/oauth/lab-oauth-authentication-bypass-via-oauth-implicit-flow) +* [PortSwigger - Forced OAuth profile linking](https://portswigger.net/web-security/oauth/lab-oauth-forced-oauth-profile-linking) +* [PortSwigger - OAuth account hijacking via redirect_uri](https://portswigger.net/web-security/oauth/lab-oauth-account-hijacking-via-redirect-uri) +* [PortSwigger - Stealing OAuth access tokens via a proxy page](https://portswigger.net/web-security/oauth/lab-oauth-stealing-oauth-access-tokens-via-a-proxy-page) +* [PortSwigger - Stealing OAuth access tokens via an open redirect](https://portswigger.net/web-security/oauth/lab-oauth-stealing-oauth-access-tokens-via-an-open-redirect) + + ## References - [All your Paypal OAuth tokens belong to me - asanso - November 28, 2016](http://blog.intothesymmetry.com/2016/11/all-your-paypal-tokens-belong-to-me.html) 
diff --git a/ORM Leak/README.md b/ORM Leak/README.md index 9c7e29f..a3335aa 100644 --- a/ORM Leak/README.md +++ b/ORM Leak/README.md @@ -5,7 +5,6 @@ An ORM leak vulnerability occurs when sensitive information, such as database st ## Summary -* [CVE](#cve) * [Django (Python)](#django-python) * [Query filter](#query-filter) * [Relational Filtering](#relational-filtering) @@ -17,14 +16,8 @@ An ORM leak vulnerability occurs when sensitive information, such as database st * [One-to-One](#one-to-one-1) * [Many-to-Many](#many-to-many-1) * [Ransack (Ruby)](#ransack-ruby) -* [Resources](#resources) - - -## CVE - -* [CVE-2023-47117: Label Studio ORM Leak](https://github.com/HumanSignal/label-studio/security/advisories/GHSA-6hjj-gq77-j4qw) -* [CVE-2023-31133: Ghost CMS ORM Leak](https://github.com/TryGhost/Ghost/security/advisories/GHSA-r97q-ghch-82j9) -* [CVE-2023-30843: Payload CMS ORM Leak](https://github.com/payloadcms/payload/security/advisories/GHSA-35jj-vqcf-f2jf) +* [CVE](#cve) +* [References](#references) ## Django (Python) @@ -233,7 +226,14 @@ Only in Ransack < `4.0.0`. ``` -## Resources +## CVE + +* [CVE-2023-47117: Label Studio ORM Leak](https://github.com/HumanSignal/label-studio/security/advisories/GHSA-6hjj-gq77-j4qw) +* [CVE-2023-31133: Ghost CMS ORM Leak](https://github.com/TryGhost/Ghost/security/advisories/GHSA-r97q-ghch-82j9) +* [CVE-2023-30843: Payload CMS ORM Leak](https://github.com/payloadcms/payload/security/advisories/GHSA-35jj-vqcf-f2jf) + + +## References - [ORM Injection - HackTricks - July 30, 2024](https://book.hacktricks.xyz/pentesting-web/orm-injection) - [ORM Leak Exploitation Against SQLite - Louis Nyffenegger - July 30, 2024](https://pentesterlab.com/blog/orm-leak-with-sqlite3) diff --git a/Open Redirect/README.md b/Open Redirect/README.md index 50a38a3..125313b 100644 --- a/Open Redirect/README.md +++ b/Open Redirect/README.md 
@@ -2,24 +2,19 @@ > Un-validated redirects and forwards are possible when a web application accepts untrusted input that could cause the web application to redirect the request to a URL contained within untrusted input. By modifying untrusted URL input to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials. Because the server name in the modified link is identical to the original site, phishing attempts may have a more trustworthy appearance. Un-validated redirect and forward attacks can also be used to maliciously craft a URL that would pass the application’s access control check and then forward the attacker to privileged functions that they would normally not be able to access. + ## Summary -* [Labs](#labs) -* [Exploitation](#exploitation) +* [Methodology](#methodology) * [HTTP Redirection Status Code](#http-redirection-status-code) * [Fuzzing](#fuzzing) * [Filter Bypass](#filter-bypass) * [Common injection parameters](#common-injection-parameters) +* [Labs](#labs) * [References](#references) -## Labs - -* [Root Me - HTTP - Open redirect](https://www.root-me.org/fr/Challenges/Web-Serveur/HTTP-Open-redirect) -* [PortSwigger - DOM-based open redirection](https://portswigger.net/web-security/dom-based/open-redirection/lab-dom-open-redirection) - - -## Exploitation +## Methodology An open redirect vulnerability occurs when a web application or server uses unvalidated, user-supplied input to redirect users to other sites. This can allow an attacker to craft a link to the vulnerable site which redirects to a malicious site of their choosing. 
@@ -191,6 +186,12 @@ http://www.example.com/redirect.php?url=javascript:prompt(1) ``` +## Labs + +* [Root Me - HTTP - Open redirect](https://www.root-me.org/fr/Challenges/Web-Serveur/HTTP-Open-redirect) +* [PortSwigger - DOM-based open redirection](https://portswigger.net/web-security/dom-based/open-redirection/lab-dom-open-redirection) + + ## References - [Host/Split Exploitable Antipatterns in Unicode Normalization - Jonathan Birch - August 3, 2019](https://i.blackhat.com/USA-19/Thursday/us-19-Birch-HostSplit-Exploitable-Antipatterns-In-Unicode-Normalization.pdf) diff --git a/Prototype Pollution/README.md b/Prototype Pollution/README.md index d577bbc..f17d4bd 100644 --- a/Prototype Pollution/README.md +++ b/Prototype Pollution/README.md @@ -6,14 +6,14 @@ ## Summary * [Tools](#tools) -* [Labs](#labs) -* [Exploit](#exploit) +* [Methodology](#methodology) * [Examples](#examples) * [Manual Testing](#manual-testing) * [Prototype Pollution via JSON input](#prototype-pollution-via-json-input) * [Prototype Pollution in URL](#prototype-pollution-in-url) * [Prototype Pollution Payloads](#prototype-pollution-payloads) * [Prototype Pollution Gadgets](#prototype-pollution-gadgets) +* [Labs](#labs) * [References](#references) @@ -27,13 +27,7 @@ * [msrkp/PPScan](https://github.com/msrkp/PPScan) - Client Side Prototype Pollution Scanner -## Labs - -* [YesWeHack Dojo - Prototype Pollution](https://dojo-yeswehack.com/XSS/Training/Prototype-Pollution) -* [PortSwigger - Prototype Pollution](https://portswigger.net/web-security/all-labs#prototype-pollution) - - -## Exploit +## Methodology In JavaScript, prototypes are what allow objects to inherit features from other objects. If an attacker is able to add or modify properties of `Object.prototype`, they can essentially affect all objects that inherit from that prototype, potentially leading to various kinds of security risks. 
@@ -174,6 +168,12 @@ A "gadget" in the context of vulnerabilities typically refers to a piece of code Either create your own gadget using part of the source with [yeswehack/pp-finder](https://github.com/yeswehack/pp-finder), or try to use already discovered gadgets [yuske/server-side-prototype-pollution](https://github.com/yuske/server-side-prototype-pollution) / [BlackFan/client-side-prototype-pollution](https://github.com/BlackFan/client-side-prototype-pollution). +## Labs + +* [YesWeHack Dojo - Prototype Pollution](https://dojo-yeswehack.com/XSS/Training/Prototype-Pollution) +* [PortSwigger - Prototype Pollution](https://portswigger.net/web-security/all-labs#prototype-pollution) + + ## References - [A Pentester's Guide to Prototype Pollution Attacks - Harsh Bothra - January 2, 2023](https://www.cobalt.io/blog/a-pentesters-guide-to-prototype-pollution-attacks)
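Review bot: in the JWT hunk at `@@ -509,6 +511,14 @@`, the first new lab link `Root Me - JWT - Introduction` uses the French locale path `/fr/Challenges/Web-Serveur/` while the six Root Me entries added directly below it use `/en/Challenges/Web-Server/`; since the commit's purpose is normalization, pick one locale for the whole Labs list (the English path is what the rest of the block uses). The Open Redirect Labs block moved in this same patch carries the same `/fr/Challenges/Web-Serveur/` inconsistency and could be aligned at the same time.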
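Review bot: the LDAP Injection hunk at `@@ -113,15 +119,12 @@` deletes `url = 'https://URL.com/'` from the field-discovery script but shows no change to the lines that follow; the script imports `requests`, so if `url` is passed to a request further down it now raises `NameError` on first use. Keep the assignment (a placeholder such as `url = 'https://TARGET/'` is fine) or include the updated call site in the same patch. The same hunk drops the comment `#Open the worldists of common attributes` instead of fixing it; a corrected `# Open the wordlist of common attributes` is worth keeping because the variable it describes is named `world`, which does not explain itself.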
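Review bot: in the LaTeX Injection hunk at `@@ -1,17 +1,23 @@`, replacing `You might need to adjust injection with wrappers as \[ or $.` with `Attackers can read the content of sensitive files on the server.` removes the one operational hint in the section: the `\input`/`\lstinputlisting` payloads that follow are only interpreted when they land in a position where LaTeX commands are evaluated, and wrapping them in `\[ ... \]` or `$ ... $` is how an injection into plain text or math mode gets there. That sentence should survive under `### Read File` (it applies equally to the write and command-execution payloads). The new intro sentence `LaTeX can be exploited by attackers to execute arbitrary commands` also deserves a qualifier: the `\input{|"/bin/hostname"}` primitive used in the Command Execution section only works when shell escape is enabled, which stock TeX installations disable or restrict, so stating that up front keeps the page from overstating what a read-only injection yields.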
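Review bot: the deletion of `Methodology and Resources/Miscellaneous - Tricks.md` removes substantive content (the `msg`/`wall`/`write` user-messaging commands and the `cmedb` workspace and `export creds csv` walkthrough) with nothing in this patch showing where it was moved, and the subject line `Normalize page header for JWT, LDAP, LaTeX, OAuth, ORM` does not mention a file removal at all. If the tricks were migrated elsewhere, name the destination in the commit message; if they are being dropped intentionally, say so, otherwise the `cmedb` export steps disappear silently. The diffstat also touches Mass Assignment, NoSQL Injection, Open Redirect and Prototype Pollution, none of which the subject lists, so the message undersells the scope of the change.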
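Review bot: in the NoSQL Injection Summary hunk at `@@ -14,8 +15,10 @@`, the new entry `* [Labs](#references)` points at the wrong anchor and will jump to the References section; it should read `* [Labs](#labs)` so it lands on the `## Labs` heading added later in the same file. This is the same kind of broken anchor the preceding hunk fixes when it turns `[Exploit](#exploits)` into `[Methodology](#methodology)`.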
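Review bot: the OAuth Misconfiguration Summary hunk at `@@ -1,26 +1,20 @@` reorders the list but leaves the adjacent anchors `#grabbing-oauth-token-via-redirect---uri` and `#executing-xss-via-redirect---uri` as they were. GitHub heading slugs keep underscores, so `Grabbing OAuth Token via redirect_uri` becomes `#grabbing-oauth-token-via-redirect_uri` and the triple-hyphen form does not resolve to the heading. A commit whose purpose is normalizing headers and summaries is the natural place to fix those two links.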
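Review bot: in the OAuth hunk at `@@ -66,6 +60,7 @@`, the blank line inserted after `> The client MUST NOT use the authorization code more than once.` ends the blockquote, so the following `If an authorization code is used more than once, the authorization server MUST deny the request and SHOULD revoke ...` now renders as the page's own prose instead of as the continuation of the quoted requirement it reads as. If both sentences are quoted normative text, prefix the continuation lines with `>`; if the second sentence is meant as editorial commentary, it should not carry capitalized MUST/SHOULD keywords without attribution.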