mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-18 10:26:09 +00:00
Fix typo and structure
This commit is contained in:
parent
99f3557415
commit
3eae8d7458
@ -1,4 +1,4 @@
|
||||
# API Key Leaks
|
||||
# API Key and Token Leaks
|
||||
|
||||
> The API key is a unique identifier that is used to authenticate requests associated with your project. Some developers might hardcode them or leave it on public shares.
|
||||
|
||||
|
@ -15,54 +15,65 @@ Unlike other types of security vulnerabilities like SQL injection or cross-site
|
||||
|
||||
Common examples of Business Logic Errors.
|
||||
|
||||
* Review Feature Testing
|
||||
* Assess if you can post a product review as a verified reviewer without having purchased the item.
|
||||
* Attempt to provide a rating outside of the standard scale, for instance, a 0, 6 or negative number in a 1 to 5 scale system.
|
||||
* Test if the same user can post multiple ratings for a single product. This is useful in detecting potential race conditions.
|
||||
* Determine if the file upload field permits all extensions; developers often overlook protections on these endpoints.
|
||||
* Investigate the possibility of posting reviews impersonating other users.
|
||||
* Attempt Cross-Site Request Forgery (CSRF) on this feature, as it's frequently unprotected by tokens.
|
||||
### Review Feature Testing
|
||||
|
||||
* Discount Code Feature Testing
|
||||
* Try to apply the same discount code multiple times to assess if it's reusable.
|
||||
* If the discount code is unique, evaluate for race conditions by applying the same code for two accounts simultaneously.
|
||||
* Test for Mass Assignment or HTTP Parameter Pollution to see if you can apply multiple discount codes when the application is designed to accept only one.
|
||||
* Test for vulnerabilities from missing input sanitization such as XSS, SQL Injection on this feature.
|
||||
* Attempt to apply discount codes to non-discounted items by manipulating the server-side request.
|
||||
* Assess if you can post a product review as a verified reviewer without having purchased the item.
|
||||
* Attempt to provide a rating outside of the standard scale, for instance, a 0, 6 or negative number in a 1 to 5 scale system.
|
||||
* Test if the same user can post multiple ratings for a single product. This is useful in detecting potential race conditions.
|
||||
* Determine if the file upload field permits all extensions; developers often overlook protections on these endpoints.
|
||||
* Investigate the possibility of posting reviews impersonating other users.
|
||||
* Attempt Cross-Site Request Forgery (CSRF) on this feature, as it's frequently unprotected by tokens.
|
||||
|
||||
* Delivery Fee Manipulation
|
||||
* Experiment with negative values for delivery charges to see if it reduces the final amount.
|
||||
* Evaluate if free delivery can be activated by modifying parameters.
|
||||
|
||||
* Currency Arbitrage
|
||||
* Attempt to pay in one currency, for example, USD, and request a refund in another, like EUR. The difference in conversion rates could result in a profit.
|
||||
### Discount Code Feature Testing
|
||||
|
||||
* Try to apply the same discount code multiple times to assess if it's reusable.
|
||||
* If the discount code is unique, evaluate for race conditions by applying the same code for two accounts simultaneously.
|
||||
* Test for Mass Assignment or HTTP Parameter Pollution to see if you can apply multiple discount codes when the application is designed to accept only one.
|
||||
* Test for vulnerabilities from missing input sanitization such as XSS, SQL Injection on this feature.
|
||||
* Attempt to apply discount codes to non-discounted items by manipulating the server-side request.
|
||||
|
||||
|
||||
### Delivery Fee Manipulation
|
||||
|
||||
* Experiment with negative values for delivery charges to see if it reduces the final amount.
|
||||
* Evaluate if free delivery can be activated by modifying parameters.
|
||||
|
||||
|
||||
### Currency Arbitrage
|
||||
|
||||
* Attempt to pay in one currency, for example, USD, and request a refund in another, like EUR. The difference in conversion rates could result in a profit.
|
||||
|
||||
* Premium Feature Exploitation
|
||||
* Explore the possibility of accessing premium account-only sections or endpoints without a valid subscription.
|
||||
* Purchase a premium feature, cancel it, and see if you can still use it after a refund.
|
||||
* Look for true/false values in requests/responses that validate premium access. Use tools like Burp's Match & Replace to alter these values for unauthorized premium access.
|
||||
* Review cookies or local storage for variables validating premium access.
|
||||
|
||||
* Refund Feature Exploitation
|
||||
* Purchase a product, ask for a refund, and see if the product remains accessible.
|
||||
* Look for opportunities for currency arbitrage.
|
||||
* Submit multiple cancellation requests for a subscription to check the possibility of multiple refunds.
|
||||
### Premium Feature Exploitation
|
||||
|
||||
* Cart/Wishlist Exploitation
|
||||
* Test the system by adding products in negative quantities, along with other products, to balance the total.
|
||||
* Try to add more of a product than is available.
|
||||
* Check if a product in your wishlist or cart can be moved to another user's cart or removed from it.
|
||||
* Explore the possibility of accessing premium account-only sections or endpoints without a valid subscription.
|
||||
* Purchase a premium feature, cancel it, and see if you can still use it after a refund.
|
||||
* Look for true/false values in requests/responses that validate premium access. Use tools like Burp's Match & Replace to alter these values for unauthorized premium access.
|
||||
* Review cookies or local storage for variables validating premium access.
|
||||
|
||||
* Thread Comment Testing
|
||||
* Check if there's a limit to the number of comments on a thread.
|
||||
* If a user can only comment once, use race conditions to see if multiple comments can be posted.
|
||||
* If the system allows comments by verified or privileged users, try to mimic these parameters and see if you can comment as well.
|
||||
* Attempt to post comments impersonating other users.
|
||||
|
||||
* Parameter Tampering
|
||||
* Manipulate payment or other critical fields to alter their values.
|
||||
* By exploiting HTTP Parameter Pollution & Mass Assignment, add extra or unexpected fields.
|
||||
* Try to manipulate the response to bypass restrictions, such as 2FA.
|
||||
### Refund Feature Exploitation
|
||||
|
||||
* Purchase a product, ask for a refund, and see if the product remains accessible.
|
||||
* Look for opportunities for currency arbitrage.
|
||||
* Submit multiple cancellation requests for a subscription to check the possibility of multiple refunds.
|
||||
|
||||
|
||||
### Cart/Wishlist Exploitation
|
||||
|
||||
* Test the system by adding products in negative quantities, along with other products, to balance the total.
|
||||
* Try to add more of a product than is available.
|
||||
* Check if a product in your wishlist or cart can be moved to another user's cart or removed from it.
|
||||
|
||||
|
||||
### Thread Comment Testing
|
||||
|
||||
* Check if there's a limit to the number of comments on a thread.
|
||||
* If a user can only comment once, use race conditions to see if multiple comments can be posted.
|
||||
* If the system allows comments by verified or privileged users, try to mimic these parameters and see if you can comment as well.
|
||||
* Attempt to post comments impersonating other users.
|
||||
|
||||
|
||||
## References
|
||||
|
||||
|
@ -51,7 +51,7 @@ Real-World Scenarios:
|
||||
|
||||
* [Exploiting Client-Side Path Traversal to Perform Cross-Site Request Forgery - Introducing CSPT2CSRF - Maxence Schmitt - 02 Jul 2024](https://blog.doyensec.com/2024/07/02/cspt2csrf.html)
|
||||
* [Exploiting Client-Side Path Traversal - CSRF is dead, long live CSRF - Whitepaper- Maxence Schmitt](https://www.doyensec.com/resources/Doyensec_CSPT2CSRF_Whitepaper.pdf)
|
||||
* [Exploiting Client-Side Path Traversal - CSRF is Dead, Long Live CSRF - OWASP Global AppSec 2024 - Maxence Schmitt - June 24 2024][https://www.doyensec.com/resources/Doyensec_CSPT2CSRF_OWASP_Appsec_Lisbon.pdf]
|
||||
* [Exploiting Client-Side Path Traversal - CSRF is Dead, Long Live CSRF - OWASP Global AppSec 2024 - Maxence Schmitt - June 24 2024](https://www.doyensec.com/resources/Doyensec_CSPT2CSRF_OWASP_Appsec_Lisbon.pdf)
|
||||
* [Leaking Jupyter instance auth token chaining CVE-2023-39968, CVE-2024-22421 and a chromium bug - Davwwwx - 30-08-2023](https://blog.xss.am/2023/08/cve-2023-39968-jupyter-token-leak/)
|
||||
* [Tweet - @HusseiN98D - 5 july 2024](https://twitter.com/HusseiN98D/status/1809164551822172616)
|
||||
* [On-site request forgery - Dafydd Stuttard - 03 May 2007](https://portswigger.net/blog/on-site-request-forgery)
|
||||
|
@ -363,7 +363,7 @@ vbscript:msgbox("XSS")
|
||||
|
||||
## XSS in files
|
||||
|
||||
** NOTE:** The XML CDATA section is used here so that the JavaScript payload will not be treated as XML markup.
|
||||
**NOTE:** The XML CDATA section is used here so that the JavaScript payload will not be treated as XML markup.
|
||||
|
||||
```xml
|
||||
<name>
|
||||
|
Loading…
Reference in New Issue
Block a user