diff --git a/Account Takeover/README.md b/Account Takeover/README.md index 5db6c97..b30e286 100644 --- a/Account Takeover/README.md +++ b/Account Takeover/README.md @@ -254,6 +254,13 @@ Enter the code **000000** or **null** to bypass 2FA protection. * Session hijacking * OAuth misconfiguration +## Labs + +* [Authentication bypass via OAuth implicit flow](https://portswigger.net/web-security/oauth/lab-oauth-authentication-bypass-via-oauth-implicit-flow) +* [Forced OAuth profile linking](https://portswigger.net/web-security/oauth/lab-oauth-forced-oauth-profile-linking) +* [OAuth account hijacking via redirect_uri](https://portswigger.net/web-security/oauth/lab-oauth-account-hijacking-via-redirect-uri) +* [Stealing OAuth access tokens via a proxy page](https://portswigger.net/web-security/oauth/lab-oauth-stealing-oauth-access-tokens-via-a-proxy-page) +* [Stealing OAuth access tokens via an open redirect](https://portswigger.net/web-security/oauth/lab-oauth-stealing-oauth-access-tokens-via-an-open-redirect) ## References diff --git a/CORS Misconfiguration/README.md b/CORS Misconfiguration/README.md index 12f8dad..b4f2b38 100644 --- a/CORS Misconfiguration/README.md +++ b/CORS Misconfiguration/README.md @@ -244,6 +244,13 @@ function reqListener() { }; ``` +## Labs + +* [CORS vulnerability with basic origin reflection](https://portswigger.net/web-security/cors/lab-basic-origin-reflection-attack) +* [CORS vulnerability with trusted null origin](https://portswigger.net/web-security/cors/lab-null-origin-whitelisted-attack) +* [CORS vulnerability with trusted insecure protocols](https://portswigger.net/web-security/cors/lab-breaking-https-attack) +* [CORS vulnerability with internal network pivot attack](https://portswigger.net/web-security/cors/lab-internal-network-pivot-attack) + ## Bug Bounty reports * [CORS Misconfiguration on www.zomato.com - James Kettle (albinowax)](https://hackerone.com/reports/168574) 
diff --git a/CRLF Injection/README.md b/CRLF Injection/README.md index 04fe4f8..14f3eeb 100644 --- a/CRLF Injection/README.md +++ b/CRLF Injection/README.md @@ -103,6 +103,9 @@ Remainder: * %E5%98%BE = %3E = \u563e (>) * %E5%98%BC = %3C = \u563c (<) +## Labs + +* [https://portswigger.net/web-security/request-smuggling/advanced/lab-request-smuggling-h2-request-splitting-via-crlf-injection](https://portswigger.net/web-security/request-smuggling/advanced/lab-request-smuggling-h2-request-splitting-via-crlf-injection) ## Exploitation Tricks * Try to search for parameters that lead to redirects and fuzz them diff --git a/CSRF Injection/README.md b/CSRF Injection/README.md index f6eb20b..a04796b 100644 --- a/CSRF Injection/README.md +++ b/CSRF Injection/README.md 
@@ -160,6 +160,18 @@ Referer: https://attacker.com/csrf.html;trusted.domain.com Referer: https://trusted.domain.com.attacker.com/csrf.html ``` +## Labs + +* [CSRF vulnerability with no defenses](https://portswigger.net/web-security/csrf/lab-no-defenses) +* [CSRF where token validation depends on request method](https://portswigger.net/web-security/csrf/lab-token-validation-depends-on-request-method) +* [CSRF where token validation depends on token being present](https://portswigger.net/web-security/csrf/lab-token-validation-depends-on-token-being-present) +* [CSRF where token is not tied to user session](https://portswigger.net/web-security/csrf/lab-token-not-tied-to-user-session) +* [CSRF where token is tied to non-session cookie](https://portswigger.net/web-security/csrf/lab-token-tied-to-non-session-cookie) +* [CSRF where token is duplicated in cookie](https://portswigger.net/web-security/csrf/lab-token-duplicated-in-cookie) +* [CSRF where Referer validation depends on header being present](https://portswigger.net/web-security/csrf/lab-referer-validation-depends-on-header-being-present) +* [CSRF with broken Referer validation](https://portswigger.net/web-security/csrf/lab-referer-validation-broken) + + ## References - [Cross-Site Request Forgery Cheat Sheet - Alex Lauerman - April 3rd, 2016](https://trustfoundry.net/cross-site-request-forgery-cheat-sheet/)
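Review bot: In the Account Takeover/README.md hunk, every entry under the new `## Labs` heading is an OAuth lab, while the surrounding context also covers 2FA bypass and session hijacking. Either label the list as OAuth labs (for example a short sub-heading or an introductory line) or add labs for the other techniques, so the section does not imply coverage of the whole page.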
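Review bot: In the CRLF Injection/README.md hunk, the only lab entry uses the raw URL as its link text, unlike the titled entries in the other Labs sections added by this patch; use the lab's title as the link text so the list reads consistently. The section is also inserted ahead of `## Exploitation Tricks`, whereas the other files place Labs directly before References or Bug Bounty reports, and the hunk adds no blank line between the list item and the heading that follows. Moving the section next to the reference material and adding the blank line would keep the files uniform.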
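Review bot: In the CSRF Injection/README.md hunk, the new list uses `*` bullets while the existing `## References` list visible in the trailing context uses `-`, and the hunk ends with two added blank lines before `## References` where one is enough. Match the file's existing bullet marker and drop the extra blank line.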