mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-18 10:26:09 +00:00
References updated for NoSQL, OAuth, ORM, Prompt, RegEx
This commit is contained in:
parent
b80b72d3a3
commit
9ed40edfca
@ -6,21 +6,21 @@
|
|||||||
|
|
||||||
* [Tools](#tools)
|
* [Tools](#tools)
|
||||||
* [Exploit](#exploits)
|
* [Exploit](#exploits)
|
||||||
* [Authentication Bypass](#authentication-bypass)
|
* [Authentication Bypass](#authentication-bypass)
|
||||||
* [Extract length information](#extract-length-information)
|
* [Extract length information](#extract-length-information)
|
||||||
* [Extract data information](#extract-data-information)
|
* [Extract data information](#extract-data-information)
|
||||||
* [Blind NoSQL](#blind-nosql)
|
* [Blind NoSQL](#blind-nosql)
|
||||||
* [POST with JSON body](#post-with-json-body)
|
* [POST with JSON body](#post-with-json-body)
|
||||||
* [POST with urlencoded body](#post-with-urlencoded-body)
|
* [POST with urlencoded body](#post-with-urlencoded-body)
|
||||||
* [GET](#get)
|
* [GET](#get)
|
||||||
* [MongoDB Payloads](#mongodb-payloads)
|
* [MongoDB Payloads](#mongodb-payloads)
|
||||||
* [References](#references)
|
* [References](#references)
|
||||||
|
|
||||||
## Tools
|
## Tools
|
||||||
|
|
||||||
* [NoSQLmap - Automated NoSQL database enumeration and web application exploitation tool](https://github.com/codingo/NoSQLMap)
|
* [codingo/NoSQLmap](https://github.com/codingo/NoSQLMap) - Automated NoSQL database enumeration and web application exploitation tool
|
||||||
* [nosqlilab - A lab for playing with NoSQL Injection](https://github.com/digininja/nosqlilab)
|
* [digininja/nosqlilab](https://github.com/digininja/nosqlilab) - A lab for playing with NoSQL Injection
|
||||||
* [Burp-NoSQLiScanner - Plugin available in burpsuite](https://github.com/matrix/Burp-NoSQLiScanner)
|
* [matrix/Burp-NoSQLiScanner](https://github.com/matrix/Burp-NoSQLiScanner) - This extension provides a way to discover NoSQL injection vulnerabilities.
|
||||||
|
|
||||||
|
|
||||||
## Exploit
|
## Exploit
|
||||||
@ -216,9 +216,9 @@ db.injection.insert({success:1});return 1;db.stores.mapReduce(function() { { emi
|
|||||||
|
|
||||||
## References
|
## References
|
||||||
|
|
||||||
* [Les NOSQL injections Classique et Blind: Never trust user input - Geluchat](https://www.dailysecurity.fr/nosql-injections-classique-blind/)
|
- [Burp-NoSQLiScanner - matrix - January 30, 2021](https://github.com/matrix/Burp-NoSQLiScanner/blob/main/src/burp/BurpExtender.java)
|
||||||
* [Testing for NoSQL injection - OWASP/WSTG](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/05.6-Testing_for_NoSQL_Injection)
|
- [Les NOSQL injections Classique et Blind: Never trust user input - Geluchat - February 22, 2015](https://www.dailysecurity.fr/nosql-injections-classique-blind/)
|
||||||
* [NoSQL injection wordlists - cr0hn](https://github.com/cr0hn/nosqlinjection_wordlists)
|
- [MongoDB NoSQL Injection with Aggregation Pipelines - Soroush Dalili (@irsdl) - June 23, 2024](https://soroush.me/blog/2024/06/mongodb-nosql-injection-with-aggregation-pipelines/)
|
||||||
* [NoSQL Injection in MongoDB - JUL 17, 2016 - Zanon](https://zanon.io/posts/nosql-injection-in-mongodb)
|
- [NoSQL Injection in MongoDB - Zanon - July 17, 2016](https://zanon.io/posts/nosql-injection-in-mongodb)
|
||||||
* [Burp-NoSQLiScanner](https://github.com/matrix/Burp-NoSQLiScanner/blob/main/src/burp/BurpExtender.java)
|
- [NoSQL injection wordlists - cr0hn - May 5, 2021](https://github.com/cr0hn/nosqlinjection_wordlists)
|
||||||
* [MongoDB NoSQL Injection with Aggregation Pipelines - Soroush Dalili - June 23, 2024](https://soroush.me/blog/2024/06/mongodb-nosql-injection-with-aggregation-pipelines/)
|
- [Testing for NoSQL injection - OWASP - May 2, 2023](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/05.6-Testing_for_NoSQL_Injection)
|
@ -23,9 +23,7 @@
|
|||||||
|
|
||||||
## Stealing OAuth Token via referer
|
## Stealing OAuth Token via referer
|
||||||
|
|
||||||
From [@abugzlife1](https://twitter.com/abugzlife1/status/1125663944272748544) tweet.
|
> Do you have HTML injection but can't get XSS? Are there any OAuth implementations on the site? If so, setup an img tag to your server and see if there's a way to get the victim there (redirect, etc.) after login to steal OAuth tokens via referer - [@abugzlife1](https://twitter.com/abugzlife1/status/1125663944272748544)
|
||||||
|
|
||||||
> Do you have HTML injection but can't get XSS? Are there any OAuth implementations on the site? If so, setup an img tag to your server and see if there's a way to get the victim there (redirect, etc.) after login to steal OAuth tokens via referer
|
|
||||||
|
|
||||||
|
|
||||||
## Grabbing OAuth Token via redirect_uri
|
## Grabbing OAuth Token via redirect_uri
|
||||||
@ -81,8 +79,8 @@ Applications that do not check for a valid CSRF token in the OAuth callback are
|
|||||||
|
|
||||||
## References
|
## References
|
||||||
|
|
||||||
* [All your Paypal OAuth tokens belong to me - localhost for the win - INTO THE SYMMETRY](http://blog.intothesymmetry.com/2016/11/all-your-paypal-tokens-belong-to-me.html)
|
- [All your Paypal OAuth tokens belong to me - asanso - November 28, 2016](http://blog.intothesymmetry.com/2016/11/all-your-paypal-tokens-belong-to-me.html)
|
||||||
* [OAuth 2 - How I have hacked Facebook again (..and would have stolen a valid access token) - INTO THE SYMMETRY](http://intothesymmetry.blogspot.ch/2014/04/oauth-2-how-i-have-hacked-facebook.html)
|
- [OAuth 2 - How I have hacked Facebook again (..and would have stolen a valid access token) - asanso - April 8, 2014](http://intothesymmetry.blogspot.ch/2014/04/oauth-2-how-i-have-hacked-facebook.html)
|
||||||
* [How I hacked Github again. - Egor Homakov](http://homakov.blogspot.ch/2014/02/how-i-hacked-github-again.html)
|
- [How I hacked Github again - Egor Homakov - February 7, 2014](http://homakov.blogspot.ch/2014/02/how-i-hacked-github-again.html)
|
||||||
* [How Microsoft is giving your data to Facebook… and everyone else - Andris Atteka](http://andrisatteka.blogspot.ch/2014/09/how-microsoft-is-giving-your-data-to.html)
|
- [How Microsoft is giving your data to Facebook… and everyone else - Andris Atteka - September 16, 2014](http://andrisatteka.blogspot.ch/2014/09/how-microsoft-is-giving-your-data-to.html)
|
||||||
- [Bypassing Google Authentication on Periscope's Administration Panel](https://whitton.io/articles/bypassing-google-authentication-on-periscopes-admin-panel/) By Jack Whitton
|
- [Bypassing Google Authentication on Periscope's Administration Panel - Jack Whitton - July 20, 2015](https://whitton.io/articles/bypassing-google-authentication-on-periscopes-admin-panel/)
|
@ -3,6 +3,23 @@
|
|||||||
An ORM leak vulnerability occurs when sensitive information, such as database structure or user data, is unintentionally exposed due to improper handling of ORM queries. This can happen if the application returns raw error messages, debug information, or allows attackers to manipulate queries in ways that reveal underlying data.
|
An ORM leak vulnerability occurs when sensitive information, such as database structure or user data, is unintentionally exposed due to improper handling of ORM queries. This can happen if the application returns raw error messages, debug information, or allows attackers to manipulate queries in ways that reveal underlying data.
|
||||||
|
|
||||||
|
|
||||||
|
## Summary
|
||||||
|
|
||||||
|
* [CVE](#cve)
|
||||||
|
* [Django (Python)](#django-python)
|
||||||
|
* [Query filter](#query-filter)
|
||||||
|
* [Relational Filtering](#relational-filtering)
|
||||||
|
* [One-to-One](#one-to-one)
|
||||||
|
* [Many-to-Many](#many-to-many)
|
||||||
|
* [Error-based leaking - ReDOS](#error-based-leaking---redos)
|
||||||
|
* [Prisma (Node.JS)](#prisma-nodejs)
|
||||||
|
* [Relational Filtering](#relational-filtering-1)
|
||||||
|
* [One-to-One](#one-to-one-1)
|
||||||
|
* [Many-to-Many](#many-to-many-1)
|
||||||
|
* [Ransack (Ruby)](#ransack-ruby)
|
||||||
|
* [Resources](#resources)
|
||||||
|
|
||||||
|
|
||||||
## CVE
|
## CVE
|
||||||
|
|
||||||
* [CVE-2023-47117: Label Studio ORM Leak](https://github.com/HumanSignal/label-studio/security/advisories/GHSA-6hjj-gq77-j4qw)
|
* [CVE-2023-47117: Label Studio ORM Leak](https://github.com/HumanSignal/label-studio/security/advisories/GHSA-6hjj-gq77-j4qw)
|
||||||
@ -218,9 +235,9 @@ Only in Ransack < `4.0.0`.
|
|||||||
|
|
||||||
## Resources
|
## Resources
|
||||||
|
|
||||||
* [PLORMBING YOUR DJANGO ORM - Alex Brown - June 24, 2024](https://www.elttam.com/blog/plormbing-your-django-orm/)
|
- [ORM Injection - HackTricks - July 30, 2024](https://book.hacktricks.xyz/pentesting-web/orm-injection)
|
||||||
* [PLORMBING YOUR PRISMA ORM WITH TIME-BASED ATTACKS - Alex Brown - July 09, 2024](https://www.elttam.com/blog/plorming-your-primsa-orm/)
|
- [ORM Leak Exploitation Against SQLite - Louis Nyffenegger - July 30, 2024](https://pentesterlab.com/blog/orm-leak-with-sqlite3)
|
||||||
* [QuerySet API reference - Django](https://docs.djangoproject.com/en/5.1/ref/models/querysets/)
|
- [plORMbing your Django ORM - Alex Brown - June 24, 2024](https://www.elttam.com/blog/plormbing-your-django-orm/)
|
||||||
* [Ransacking your password reset tokens - LUKAS EULER - JANUARY 26, 2023](https://positive.security/blog/ransack-data-exfiltration)
|
- [plORMbing your Prisma ORM with Time-based Attacks - Alex Brown - July 9, 2024](https://www.elttam.com/blog/plorming-your-primsa-orm/)
|
||||||
* [ORM Injection - HackTricks](https://book.hacktricks.xyz/pentesting-web/orm-injection)
|
- [QuerySet API reference - Django - August 8, 2024](https://docs.djangoproject.com/en/5.1/ref/models/querysets/)
|
||||||
* [ORM Leak Exploitation Against SQLite - Louis Nyffenegger - PentesterLab](https://pentesterlab.com/blog/orm-leak-with-sqlite3)
|
- [Ransacking your password reset tokens - Lukas Euler - January 26, 2023](https://positive.security/blog/ransack-data-exfiltration)
|
@ -6,10 +6,10 @@
|
|||||||
|
|
||||||
* [Labs](#labs)
|
* [Labs](#labs)
|
||||||
* [Exploitation](#exploitation)
|
* [Exploitation](#exploitation)
|
||||||
* [HTTP Redirection Status Code](#http-redirection-status-code)
|
* [HTTP Redirection Status Code](#http-redirection-status-code)
|
||||||
* [Fuzzing](#fuzzing)
|
* [Fuzzing](#fuzzing)
|
||||||
* [Filter Bypass](#filter-bypass)
|
* [Filter Bypass](#filter-bypass)
|
||||||
* [Common injection parameters](#common-injection-parameters)
|
* [Common injection parameters](#common-injection-parameters)
|
||||||
* [References](#references)
|
* [References](#references)
|
||||||
|
|
||||||
|
|
||||||
@ -193,9 +193,9 @@ http://www.example.com/redirect.php?url=javascript:prompt(1)
|
|||||||
|
|
||||||
## References
|
## References
|
||||||
|
|
||||||
* [Open-Redirect-Payloads - cujanovic](https://github.com/cujanovic/Open-Redirect-Payloads)
|
- [Host/Split Exploitable Antipatterns in Unicode Normalization - Jonathan Birch - August 3, 2019](https://i.blackhat.com/USA-19/Thursday/us-19-Birch-HostSplit-Exploitable-Antipatterns-In-Unicode-Normalization.pdf)
|
||||||
* [Host/Split Exploitable Antipatterns in Unicode Normalization - BlackHat US 2019](https://i.blackhat.com/USA-19/Thursday/us-19-Birch-HostSplit-Exploitable-Antipatterns-In-Unicode-Normalization.pdf)
|
- [Open Redirect Cheat Sheet - PentesterLand - November 2, 2018](https://pentester.land/cheatsheets/2018/11/02/open-redirect-cheatsheet.html)
|
||||||
* [Open Redirect Vulnerability - AUGUST 15, 2018 - s0cket7](https://s0cket7.com/open-redirect-vulnerability/)
|
- [Open Redirect Vulnerability - s0cket7 - August 15, 2018](https://s0cket7.com/open-redirect-vulnerability/)
|
||||||
* [OWASP - Unvalidated Redirects and Forwards Cheat Sheet](https://www.owasp.org/index.php/Unvalidated_Redirects_and_Forwards_Cheat_Sheet)
|
- [Open-Redirect-Payloads - Predrag Cujanović - April 24, 2017](https://github.com/cujanovic/Open-Redirect-Payloads)
|
||||||
* [Pentester Land - Open Redirect Cheat Sheet](https://pentester.land/cheatsheets/2018/11/02/open-redirect-cheatsheet.html)
|
- [Unvalidated Redirects and Forwards Cheat Sheet - OWASP - February 28, 2024](https://www.owasp.org/index.php/Unvalidated_Redirects_and_Forwards_Cheat_Sheet)
|
||||||
* [You do not need to run 80 reconnaissance tools to get access to user accounts - @stefanocoding](https://gist.github.com/stefanocoding/8cdc8acf5253725992432dedb1c9c781)
|
- [You do not need to run 80 reconnaissance tools to get access to user accounts - Stefano Vettorazzi (@stefanocoding) - May 16, 2019](https://gist.github.com/stefanocoding/8cdc8acf5253725992432dedb1c9c781)
|
@ -7,8 +7,8 @@
|
|||||||
|
|
||||||
* [Tools](#tools)
|
* [Tools](#tools)
|
||||||
* [Applications](#applications)
|
* [Applications](#applications)
|
||||||
* [Story Generation](#story-generation)
|
* [Story Generation](#story-generation)
|
||||||
* [Potential Misuse](#potential-misuse)
|
* [Potential Misuse](#potential-misuse)
|
||||||
* [Prompt Examples](#prompt-examples)
|
* [Prompt Examples](#prompt-examples)
|
||||||
* [References](#references)
|
* [References](#references)
|
||||||
|
|
||||||
@ -114,14 +114,14 @@ Indirect Prompt Injection use the memory features of an LLM.
|
|||||||
|
|
||||||
## References
|
## References
|
||||||
|
|
||||||
- [Language Models are Few-Shot Learners - Tom B Brown](https://arxiv.org/abs/2005.14165)
|
- [Brex's Prompt Engineering Guide - Brex - April 21, 2023](https://github.com/brexhq/prompt-engineering)
|
||||||
- [The AI Attack Surface Map v1.0 - 15 May 2023 - Daniel Miessler](https://danielmiessler.com/blog/the-ai-attack-surface-map-v1-0/)
|
- [ChatGPT Plugin Exploit Explained: From Prompt Injection to Accessing Private Data - wunderwuzzi23 - May 28, 2023](https://embracethered.com/blog/posts/2023/chatgpt-cross-plugin-request-forgery-and-prompt-injection./)
|
||||||
- [From Theory to Reality: Explaining the Best Prompt Injection Proof of Concept - 19 May 2023 - rez0](https://rez0.blog/hacking/2023/05/19/prompt-injection-poc.html)
|
- [ChatGPT Plugins: Data Exfiltration via Images & Cross Plugin Request Forgery - wunderwuzzi23 - May 16, 2023](https://embracethered.com/blog/posts/2023/chatgpt-webpilot-data-exfil-via-markdown-injection/)
|
||||||
- [Large Language Model Prompts(RTC0006) - RedTeamRecipe](https://redteamrecipe.com/Large-Language-Model-Prompts/)
|
|
||||||
- [ChatGPT Plugin Exploit Explained: From Prompt Injection to Accessing Private Data - May 28, 2023 - wunderwuzzi23](https://embracethered.com/blog/posts/2023/chatgpt-cross-plugin-request-forgery-and-prompt-injection./)
|
|
||||||
- [ChatGPT Plugins: Data Exfiltration via Images & Cross Plugin Request Forgery - May 16, 2023 - wunderwuzzi23](https://embracethered.com/blog/posts/2023/chatgpt-webpilot-data-exfil-via-markdown-injection/)
|
|
||||||
- [You shall not pass: the spells behind Gandalf - Max Mathys and Václav Volhejn - 2 Jun, 2023](https://www.lakera.ai/insights/who-is-gandalf)
|
|
||||||
- [Brex's Prompt Engineering Guide](https://github.com/brexhq/prompt-engineering)
|
|
||||||
- [Demystifying RCE Vulnerabilities in LLM-Integrated Apps - Tong Liu, Zizhuang Deng, Guozhu Meng, Yuekang Li, Kai Chen](https://browse.arxiv.org/pdf/2309.02926.pdf)
|
|
||||||
- [ChatGPT: Hacking Memories with Prompt Injection - wunderwuzzi - May 22, 2024](https://embracethered.com/blog/posts/2024/chatgpt-hacking-memories/)
|
- [ChatGPT: Hacking Memories with Prompt Injection - wunderwuzzi - May 22, 2024](https://embracethered.com/blog/posts/2024/chatgpt-hacking-memories/)
|
||||||
- [LLM Hacker's Handbook - Forces Unseen](https://doublespeak.chat/#/handbook)
|
- [Demystifying RCE Vulnerabilities in LLM-Integrated Apps - Tong Liu, Zizhuang Deng, Guozhu Meng, Yuekang Li, Kai Chen - October 8, 2023](https://arxiv.org/pdf/2309.02926)
|
||||||
|
- [From Theory to Reality: Explaining the Best Prompt Injection Proof of Concept - Joseph Thacker (rez0) - May 19, 2023](https://rez0.blog/hacking/2023/05/19/prompt-injection-poc.html)
|
||||||
|
- [Language Models are Few-Shot Learners - Tom B Brown - May 28, 2020](https://arxiv.org/abs/2005.14165)
|
||||||
|
- [Large Language Model Prompts (RTC0006) - HADESS/RedTeamRecipe - March 26, 2023](http://web.archive.org/web/20230529085349/https://redteamrecipe.com/Large-Language-Model-Prompts/)
|
||||||
|
- [LLM Hacker's Handbook - Forces Unseen - March 7, 2023](https://doublespeak.chat/#/handbook)
|
||||||
|
- [The AI Attack Surface Map v1.0 - Daniel Miessler - May 15, 2023](https://danielmiessler.com/blog/the-ai-attack-surface-map-v1-0/)
|
||||||
|
- [You shall not pass: the spells behind Gandalf - Max Mathys and Václav Volhejn - June 2, 2023](https://www.lakera.ai/insights/who-is-gandalf)
|
@ -24,7 +24,8 @@
|
|||||||
* [yuske/server-side-prototype-pollution](https://github.com/yuske/server-side-prototype-pollution) - Server-Side Prototype Pollution gadgets in Node.js core code and 3rd party NPM packages
|
* [yuske/server-side-prototype-pollution](https://github.com/yuske/server-side-prototype-pollution) - Server-Side Prototype Pollution gadgets in Node.js core code and 3rd party NPM packages
|
||||||
* [BlackFan/client-side-prototype-pollution](https://github.com/BlackFan/client-side-prototype-pollution) - Prototype Pollution and useful Script Gadgets
|
* [BlackFan/client-side-prototype-pollution](https://github.com/BlackFan/client-side-prototype-pollution) - Prototype Pollution and useful Script Gadgets
|
||||||
* [portswigger/server-side-prototype-pollution](https://github.com/portswigger/server-side-prototype-pollution) - Burp Suite Extension detectiong Prototype Pollution vulnerabilities
|
* [portswigger/server-side-prototype-pollution](https://github.com/portswigger/server-side-prototype-pollution) - Burp Suite Extension detectiong Prototype Pollution vulnerabilities
|
||||||
* [msrkp/PPScan](https://github.com/msrkp/PPScan)
|
* [msrkp/PPScan](https://github.com/msrkp/PPScan) - Client Side Prototype Pollution Scanner
|
||||||
|
|
||||||
|
|
||||||
## Labs
|
## Labs
|
||||||
|
|
||||||
@ -175,18 +176,18 @@ Either create your own gadget using part of the source with [yeswehack/pp-finder
|
|||||||
|
|
||||||
## References
|
## References
|
||||||
|
|
||||||
* [A Pentester’s Guide to Prototype Pollution Attacks - HARSH BOTHRA - JAN 2, 2023](https://www.cobalt.io/blog/a-pentesters-guide-to-prototype-pollution-attacks)
|
- [A Pentester's Guide to Prototype Pollution Attacks - Harsh Bothra - January 2, 2023](https://www.cobalt.io/blog/a-pentesters-guide-to-prototype-pollution-attacks)
|
||||||
* [A tale of making internet pollution free - Exploiting Client-Side Prototype Pollution in the wild - s1r1us](https://blog.s1r1us.ninja/research/PP)
|
- [A tale of making internet pollution free - Exploiting Client-Side Prototype Pollution in the wild - s1r1us - September 28, 2021](https://blog.s1r1us.ninja/research/PP)
|
||||||
* [Detecting Server-Side Prototype Pollution - Daniel Thatcher - February 15, 2023](https://www.intruder.io/research/server-side-prototype-pollution)
|
- [Detecting Server-Side Prototype Pollution - Daniel Thatcher - February 15, 2023](https://www.intruder.io/research/server-side-prototype-pollution)
|
||||||
* [Exploiting prototype pollution – RCE in Kibana (CVE-2019-7609) - MICHAŁ BENTKOWSKI - October 30, 2019](https://research.securitum.com/prototype-pollution-rce-kibana-cve-2019-7609/)
|
- [Exploiting prototype pollution – RCE in Kibana (CVE-2019-7609) - Michał Bentkowski - October 30, 2019](https://research.securitum.com/prototype-pollution-rce-kibana-cve-2019-7609/)
|
||||||
* [NodeJS - __proto__ & prototype Pollution - HackTricks](https://book.hacktricks.xyz/pentesting-web/deserialization/nodejs-proto-prototype-pollution)
|
- [Keynote | Server Side Prototype Pollution: Blackbox Detection Without The DoS - Gareth Heyes - March 27, 2023](https://youtu.be/LD-KcuKM_0M)
|
||||||
* [Prototype Pollution - PortSwigger](https://portswigger.net/web-security/prototype-pollution)
|
- [NodeJS - __proto__ & prototype Pollution - HackTricks - July 19, 2024](https://book.hacktricks.xyz/pentesting-web/deserialization/nodejs-proto-prototype-pollution)
|
||||||
* [Prototype pollution - Snyk](https://learn.snyk.io/lessons/prototype-pollution/javascript/)
|
- [Prototype Pollution - PortSwigger - November 10, 2022](https://portswigger.net/web-security/prototype-pollution)
|
||||||
* [Prototype pollution and bypassing client-side HTML sanitizers - MICHAŁ BENTKOWSKI - August 18, 2020](https://research.securitum.com/prototype-pollution-and-bypassing-client-side-html-sanitizers/)
|
- [Prototype pollution - Snyk - August 19, 2023](https://learn.snyk.io/lessons/prototype-pollution/javascript/)
|
||||||
* [Prototype Pollution and Where to Find Them - BitK & SakiiR - AUGUST 14, 2023](https://youtu.be/mwpH9DF_RDA)
|
- [Prototype pollution and bypassing client-side HTML sanitizers - Michał Bentkowski - August 18, 2020](https://research.securitum.com/prototype-pollution-and-bypassing-client-side-html-sanitizers/)
|
||||||
* [Prototype Pollution Attack in NodeJS - Olivier Arteau](https://github.com/HoLyVieR/prototype-pollution-nsec18/blob/master/paper/JavaScript_prototype_pollution_attack_in_NodeJS.pdf)
|
- [Prototype Pollution and Where to Find Them - BitK & SakiiR - August 14, 2023](https://youtu.be/mwpH9DF_RDA)
|
||||||
* [Prototype pollution attacks in NodeJS applications - Olivier Arteau - Youtube](https://youtu.be/LUsiFV3dsK8)
|
- [Prototype Pollution Attacks in NodeJS - Olivier Arteau - May 16, 2018](https://github.com/HoLyVieR/prototype-pollution-nsec18/blob/master/paper/JavaScript_prototype_pollution_attack_in_NodeJS.pdf)
|
||||||
* [Prototype Pollution Leads to RCE: Gadgets Everywhere - Mikhail Shcherbakov](https://youtu.be/v5dq80S1WF4)
|
- [Prototype Pollution Attacks in NodeJS applications - Olivier Arteau - October 3, 2018](https://youtu.be/LUsiFV3dsK8)
|
||||||
* [Server side prototype pollution, how to detect and exploit - YesWeHack](https://blog.yeswehack.com/talent-development/server-side-prototype-pollution-how-to-detect-and-exploit/)
|
- [Prototype Pollution Leads to RCE: Gadgets Everywhere - Mikhail Shcherbakov - September 29, 2023](https://youtu.be/v5dq80S1WF4)
|
||||||
* [Server-side prototype pollution: Black-box detection without the DoS - Gareth Heyes - 15 February 2023](https://portswigger.net/research/server-side-prototype-pollution)
|
- [Server side prototype pollution, how to detect and exploit - BitK - February 18, 2023](http://web.archive.org/web/20230218081534/https://blog.yeswehack.com/talent-development/server-side-prototype-pollution-how-to-detect-and-exploit/)
|
||||||
* [Keynote | Server Side Prototype Pollution: Blackbox Detection Without The DoS - Gareth Heyes](https://youtu.be/LD-KcuKM_0M)
|
- [Server-side prototype pollution: Black-box detection without the DoS - Gareth Heyes - February 15, 2023](https://portswigger.net/research/server-side-prototype-pollution)
|
@ -17,12 +17,14 @@
|
|||||||
- [Example 2](#example-2)
|
- [Example 2](#example-2)
|
||||||
- [References](#references)
|
- [References](#references)
|
||||||
|
|
||||||
|
|
||||||
## Tools
|
## Tools
|
||||||
|
|
||||||
- [PortSwigger/turbo-intruder](https://github.com/PortSwigger/turbo-intruder) - a Burp Suite extension for sending large numbers of HTTP requests and analyzing the results.
|
- [PortSwigger/turbo-intruder](https://github.com/PortSwigger/turbo-intruder) - a Burp Suite extension for sending large numbers of HTTP requests and analyzing the results.
|
||||||
- [JavanXD/Raceocat](https://github.com/JavanXD/Raceocat) - Make exploiting race conditions in web applications highly efficient and ease-of-use.
|
- [JavanXD/Raceocat](https://github.com/JavanXD/Raceocat) - Make exploiting race conditions in web applications highly efficient and ease-of-use.
|
||||||
- [nxenon/h2spacex](https://github.com/nxenon/h2spacex) - HTTP/2 Single Packet Attack low Level Library / Tool based on Scapy + Exploit Timing Attacks
|
- [nxenon/h2spacex](https://github.com/nxenon/h2spacex) - HTTP/2 Single Packet Attack low Level Library / Tool based on Scapy + Exploit Timing Attacks
|
||||||
|
|
||||||
|
|
||||||
## Labs
|
## Labs
|
||||||
|
|
||||||
- [PortSwigger - Limit overrun race conditions](https://portswigger.net/web-security/race-conditions/lab-race-conditions-limit-overrun)
|
- [PortSwigger - Limit overrun race conditions](https://portswigger.net/web-security/race-conditions/lab-race-conditions-limit-overrun)
|
||||||
@ -155,11 +157,11 @@ def handleResponse(req, interesting):
|
|||||||
|
|
||||||
## References
|
## References
|
||||||
|
|
||||||
- [DEF CON 31 - Smashing the State Machine the True Potential of Web Race Conditions - James Kettle](https://youtu.be/tKJzsaB1ZvI)
|
- [Beyond the Limit: Expanding single-packet race condition with a first sequence sync for breaking the 65,535 byte limit - @ryotkak - August 2, 2024](https://flatt.tech/research/posts/beyond-the-limit-expanding-single-packet-race-condition-with-first-sequence-sync/)
|
||||||
- [Smashing the state machine: the true potential of web race conditions - James Kettle / @albinowax - 09 August 2023](https://portswigger.net/research/smashing-the-state-machine)
|
- [DEF CON 31 - Smashing the State Machine the True Potential of Web Race Conditions - James Kettle (@albinowax) - September 15, 2023](https://youtu.be/tKJzsaB1ZvI)
|
||||||
- [Turbo Intruder: Embracing the billion-request attack - James Kettle - 25 January 2019](https://portswigger.net/research/turbo-intruder-embracing-the-billion-request-attack)
|
- [Exploiting Race Condition Vulnerabilities in Web Applications - Javan Rasokat - October 6, 2022](https://conference.hitb.org/hitbsecconf2022sin/materials/D2%20COMMSEC%20-%20Exploiting%20Race%20Condition%20Vulnerabilities%20in%20Web%20Applications%20-%20Javan%20Rasokat.pdf)
|
||||||
- [Race Condition Bug In Web App: A Use Case - Mandeep Jadon - Apr 24, 2018](https://medium.com/@ciph3r7r0ll/race-condition-bug-in-web-app-a-use-case-21fd4df71f0e)
|
- [New techniques and tools for web race conditions - Emma Stocks - August 10, 2023](https://portswigger.net/blog/new-techniques-and-tools-for-web-race-conditions)
|
||||||
- [Race conditions on the web - Josip Franjkovic - July 12th, 2016](https://www.josipfranjkovic.com/blog/race-conditions-on-web)
|
- [Race Condition Bug In Web App: A Use Case - Mandeep Jadon - April 24, 2018](https://medium.com/@ciph3r7r0ll/race-condition-bug-in-web-app-a-use-case-21fd4df71f0e)
|
||||||
- [New techniques and tools for web race conditions - Emma Stocks - 10 August 2023](https://portswigger.net/blog/new-techniques-and-tools-for-web-race-conditions)
|
- [Race conditions on the web - Josip Franjkovic - July 12, 2016](https://www.josipfranjkovic.com/blog/race-conditions-on-web)
|
||||||
- [Exploiting Race Condition Vulnerabilities in Web Applications - Javan Rasokat](https://conference.hitb.org/hitbsecconf2022sin/materials/D2%20COMMSEC%20-%20Exploiting%20Race%20Condition%20Vulnerabilities%20in%20Web%20Applications%20-%20Javan%20Rasokat.pdf)
|
- [Smashing the state machine: the true potential of web race conditions - James Kettle (@albinowax) - August 9, 2023](https://portswigger.net/research/smashing-the-state-machine)
|
||||||
- [Beyond the Limit: Expanding single-packet race condition with a first sequence sync for breaking the 65,535 byte limit- @ryotkak - August 2, 2024 ](https://flatt.tech/research/posts/beyond-the-limit-expanding-single-packet-race-condition-with-first-sequence-sync/)
|
- [Turbo Intruder: Embracing the billion-request attack - James Kettle (@albinowax) - January 25, 2019](https://portswigger.net/research/turbo-intruder-embracing-the-billion-request-attack)
|
@ -2,6 +2,13 @@
|
|||||||
|
|
||||||
> Regular Expression Denial of Service (ReDoS) is a type of attack that exploits the fact that certain regular expressions can take an extremely long time to process, causing applications or services to become unresponsive or crash.
|
> Regular Expression Denial of Service (ReDoS) is a type of attack that exploits the fact that certain regular expressions can take an extremely long time to process, causing applications or services to become unresponsive or crash.
|
||||||
|
|
||||||
|
## Summary
|
||||||
|
|
||||||
|
* [Denial of Service - ReDoS](#denial-of-service---redos)
|
||||||
|
* [Evil Regex](#evil-regex)
|
||||||
|
* [Backtrack Limit](#backtrack-limit)
|
||||||
|
* [References](#references)
|
||||||
|
|
||||||
|
|
||||||
## Denial of Service - ReDoS
|
## Denial of Service - ReDoS
|
||||||
|
|
||||||
@ -59,8 +66,8 @@ if (preg_match($pattern, $subject)) {
|
|||||||
|
|
||||||
## References
|
## References
|
||||||
|
|
||||||
* [Regular expression Denial of Service - ReDoS - OWASP - Adar Weidman](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS)
|
- [Intigriti Challenge 1223 - Hackbook Of A Hacker - December 21, 2023](https://simones-organization-4.gitbook.io/hackbook-of-a-hacker/ctf-writeups/intigriti-challenges/1223)
|
||||||
* [OWASP Validation Regex Repository - OWASP](https://wiki.owasp.org/index.php/OWASP_Validation_Regex_Repository)
|
- [MyBB Admin Panel RCE CVE-2023-41362 - SorceryIE - September 11, 2023](https://blog.sorcery.ie/posts/mybb_acp_rce/)
|
||||||
* [PHP Manual > Function Reference > Text Processing > PCRE > Installing/Configuring > Runtime Configuration](https://www.php.net/manual/en/pcre.configuration.php#ini.pcre.recursion-limit)
|
- [OWASP Validation Regex Repository - OWASP - March 14, 2018](https://wiki.owasp.org/index.php/OWASP_Validation_Regex_Repository)
|
||||||
* [Intigriti Challenge 1223 - HACKBOOK OF A HACKER](https://simones-organization-4.gitbook.io/hackbook-of-a-hacker/ctf-writeups/intigriti-challenges/1223)
|
- [PCRE > Installing/Configuring - PHP Manual - May 3, 2008](https://www.php.net/manual/en/pcre.configuration.php#ini.pcre.recursion-limit)
|
||||||
* [MyBB Admin Panel RCE CVE-2023-41362 - SorceryIE - 2023-09-11](https://blog.sorcery.ie/posts/mybb_acp_rce/)
|
- [Regular expression Denial of Service - ReDoS - Adar Weidman - December 4, 2019](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS)
|
Loading…
Reference in New Issue
Block a user