From a670a26eeabd6ed01084a6b8389a1ca3d0ac59a7 Mon Sep 17 00:00:00 2001 From: Deep Dhakate <75447837+InTruder-Sec@users.noreply.github.com> Date: Sun, 2 Oct 2022 06:13:01 +0000 Subject: [PATCH] Update --- Account Takeover/README.md | 7 ------- Directory Traversal/README.md | 8 ++++++++ Insecure Deserialization/README.md | 4 ++++ Insecure Direct Object References/README.md | 4 ++++ JSON Web Token/README.md | 9 +++++++++ OAuth/README.md | 9 +++++++++ Open Redirect/README.md | 4 ++++ SQL Injection/README.md | 7 +++++++ Server Side Request Forgery/README.md | 8 ++++++++ Upload Insecure Files/README.md | 4 ++++ Web Cache Deception/README.md | 3 +++ Web Sockets/README.md | 4 ++++ XSS Injection/README.md | 4 ++++ XXE Injection/README.md | 3 +++ 14 files changed, 71 insertions(+), 7 deletions(-) diff --git a/Account Takeover/README.md b/Account Takeover/README.md index b30e286..5db6c97 100644 --- a/Account Takeover/README.md +++ b/Account Takeover/README.md @@ -254,13 +254,6 @@ Enter the code **000000** or **null** to bypass 2FA protection. * Session hijacking * OAuth misconfiguration -## Labs - -* [Authentication bypass via OAuth implicit flow](https://portswigger.net/web-security/oauth/lab-oauth-authentication-bypass-via-oauth-implicit-flow) -* [Forced OAuth profile linking](https://portswigger.net/web-security/oauth/lab-oauth-forced-oauth-profile-linking) -* [OAuth account hijacking via redirect_uri](https://portswigger.net/web-security/oauth/lab-oauth-account-hijacking-via-redirect-uri) -* [Stealing OAuth access tokens via a proxy page](https://portswigger.net/web-security/oauth/lab-oauth-stealing-oauth-access-tokens-via-a-proxy-page) -* [Stealing OAuth access tokens via an open redirect](https://portswigger.net/web-security/oauth/lab-oauth-stealing-oauth-access-tokens-via-an-open-redirect) ## References diff --git a/Directory Traversal/README.md b/Directory Traversal/README.md index 665af6c..eea6bfa 100644 --- a/Directory Traversal/README.md 
+++ b/Directory Traversal/README.md @@ -194,6 +194,14 @@ The following log files are controllable and can be included with an evil payloa /var/log/sshd.log /var/log/mail ``` +## Labs + +* [File path traversal, simple case](https://portswigger.net/web-security/file-path-traversal/lab-simple) +* [File path traversal, traversal sequences blocked with absolute path bypass](https://portswigger.net/web-security/file-path-traversal/lab-absolute-path-bypass) +* [File path traversal, traversal sequences stripped non-recursively](https://portswigger.net/web-security/file-path-traversal/lab-sequences-stripped-non-recursively) +* [File path traversal, traversal sequences stripped with superfluous URL-decode](https://portswigger.net/web-security/file-path-traversal/lab-superfluous-url-decode) +* [File path traversal, validation of start of path](https://portswigger.net/web-security/file-path-traversal/lab-validate-start-of-path) +* [File path traversal, validation of file extension with null byte bypass](https://portswigger.net/web-security/file-path-traversal/lab-validate-file-extension-null-byte-bypass) ## References diff --git a/Insecure Deserialization/README.md b/Insecure Deserialization/README.md index 6faf500..a62322f 100644 --- a/Insecure Deserialization/README.md +++ b/Insecure Deserialization/README.md @@ -10,6 +10,10 @@ Check the following sub-sections, located in other files : * [Python : pickle, ...](Python.md) * [YAML : PyYAML, ...](YAML.md) +## LABS + +* [Insecure Deserialization 10 labs](https://portswigger.net/web-security/all-labs#insecure-deserialization) + ## References * [Github - ysoserial](https://github.com/frohoff/ysoserial) diff --git a/Insecure Direct Object References/README.md b/Insecure Direct Object References/README.md index 6b4dba2..6f240a8 100644 --- a/Insecure Direct Object References/README.md +++ b/Insecure Direct Object References/README.md 
@@ -48,6 +48,10 @@ http://foo.bar/accessPage?menuitem=12 * [HackerOne - IDOR to view User Order Information - meals](https://hackerone.com/reports/287789) * [HackerOne - IDOR on HackerOne Feedback Review - japz](https://hackerone.com/reports/262661) +## Labs + +* [Insecure direct object references](https://portswigger.net/web-security/access-control/lab-insecure-direct-object-references) + ## References * [OWASP - Testing for Insecure Direct Object References (OTG-AUTHZ-004)](https://www.owasp.org/index.php/Testing_for_Insecure_Direct_Object_References_(OTG-AUTHZ-004)) diff --git a/JSON Web Token/README.md b/JSON Web Token/README.md index e04d378..242a9a9 100644 --- a/JSON Web Token/README.md +++ b/JSON Web Token/README.md 
@@ -287,6 +287,15 @@ eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMj...Fh7HgQ:secret * CVE-2019-20933/CVE-2020-28637 - Blank password vulnerability * CVE-2020-28042 - Null signature vulnerability +## Labs + +* [JWT authentication bypass via unverified signature](https://portswigger.net/web-security/jwt/lab-jwt-authentication-bypass-via-unverified-signature) +* [JWT authentication bypass via flawed signature verification](https://portswigger.net/web-security/jwt/lab-jwt-authentication-bypass-via-flawed-signature-verification) +* [JWT authentication bypass via weak signing key](https://portswigger.net/web-security/jwt/lab-jwt-authentication-bypass-via-weak-signing-key) +* [JWT authentication bypass via jwk header injection](https://portswigger.net/web-security/jwt/lab-jwt-authentication-bypass-via-jwk-header-injection) +* [JWT authentication bypass via jku header injection](https://portswigger.net/web-security/jwt/lab-jwt-authentication-bypass-via-jku-header-injection) +* [JWT authentication bypass via kid header path traversal](https://portswigger.net/web-security/jwt/lab-jwt-authentication-bypass-via-kid-header-path-traversal) + ## References - [Hacking JSON Web Token (JWT) - Hate_401](https://medium.com/101-writeups/hacking-json-web-token-jwt-233fe6c862e6) diff --git a/OAuth/README.md b/OAuth/README.md index 4e728c5..478f03b 100644 --- a/OAuth/README.md +++ b/OAuth/README.md 
@@ -62,6 +62,15 @@ Applications that do not check for a valid CSRF token in the OAuth callback are > The client MUST implement CSRF protection for its redirection URI. This is typically accomplished by requiring any request sent to the redirection URI endpoint to include a value that binds the request to the user-agent's authenticated state. The client SHOULD utilize the "state" request parameter to deliver this value to the authorization server when making an authorization request. +## Labs + +* [Authentication bypass via OAuth implicit flow](https://portswigger.net/web-security/oauth/lab-oauth-authentication-bypass-via-oauth-implicit-flow) +* [Forced OAuth profile linking](https://portswigger.net/web-security/oauth/lab-oauth-forced-oauth-profile-linking) +* [OAuth account hijacking via redirect_uri](https://portswigger.net/web-security/oauth/lab-oauth-account-hijacking-via-redirect-uri) +* [Stealing OAuth access tokens via a proxy page](https://portswigger.net/web-security/oauth/lab-oauth-stealing-oauth-access-tokens-via-a-proxy-page) +* [Stealing OAuth access tokens via an open redirect](https://portswigger.net/web-security/oauth/lab-oauth-stealing-oauth-access-tokens-via-an-open-redirect) + + ## References * [All your Paypal OAuth tokens belong to me - localhost for the win - INTO THE SYMMETRY](http://blog.intothesymmetry.com/2016/11/all-your-paypal-tokens-belong-to-me.html) diff --git a/Open Redirect/README.md b/Open Redirect/README.md index badb20c..fe14b59 100644 --- a/Open Redirect/README.md +++ b/Open Redirect/README.md @@ -178,6 +178,10 @@ http://www.example.com/redirect.php?url=javascript:prompt(1) ?continue={payload} ?return_path={payload} ``` +## Labs + +* [DOM-based open redirection](https://portswigger.net/web-security/dom-based/open-redirection/lab-dom-open-redirection) + ## References diff --git a/SQL Injection/README.md b/SQL Injection/README.md index 1827c28..f582268 100644 --- a/SQL Injection/README.md +++ b/SQL Injection/README.md 
@@ -612,6 +612,13 @@ Obfuscated query 1.e(ascii 1.e(substring(1.e(select password from users limit 1 1.e,1 1.e) 1.e,1 1.e,1 1.e)1.e)1.e) = 70 or'1'='2 ``` +## Labs + +* [SQL injection vulnerability in WHERE clause allowing retrieval of hidden data](https://portswigger.net/web-security/sql-injection/lab-retrieve-hidden-data) +* [SQL injection vulnerability allowing login bypass](https://portswigger.net/web-security/sql-injection/lab-login-bypass) +* [SQL injection with filter bypass via XML encoding](https://portswigger.net/web-security/sql-injection/lab-sql-injection-with-filter-bypass-via-xml-encoding) +* [SQL Labs](https://portswigger.net/web-security/all-labs#sql-injection) + ## References * Detect SQLi diff --git a/Server Side Request Forgery/README.md b/Server Side Request Forgery/README.md index 9db678d..a79bf37 100644 --- a/Server Side Request Forgery/README.md +++ b/Server Side Request Forgery/README.md @@ -829,6 +829,14 @@ curl http://rancher-metadata// More info: https://rancher.com/docs/rancher/v1.6/en/rancher-services/metadata-service/ +## Labs + +* [Basic SSRF against the local server](https://portswigger.net/web-security/ssrf/lab-basic-ssrf-against-localhost) +* [Basic SSRF against another back-end system](https://portswigger.net/web-security/ssrf/lab-basic-ssrf-against-backend-system) +* [SSRF with blacklist-based input filter](https://portswigger.net/web-security/ssrf/lab-ssrf-with-blacklist-filter) +* [SSRF with whitelist-based input filter](https://portswigger.net/web-security/ssrf/lab-ssrf-with-whitelist-filter) +* [SSRF with filter bypass via open redirection vulnerability](https://portswigger.net/web-security/ssrf/lab-ssrf-filter-bypass-via-open-redirection) + ## References diff --git a/Upload Insecure Files/README.md b/Upload Insecure Files/README.md index 1eb363d..03d57bb 100644 --- a/Upload Insecure Files/README.md +++ b/Upload Insecure Files/README.md 
@@ -191,6 +191,10 @@ When a ZIP/archive file is automatically decompressed after the upload Upload the XML file to `$JETTY_BASE/webapps/` * [JettyShell.xml - From Mikhail Klyuchnikov](https://raw.githubusercontent.com/Mike-n1/tips/main/JettyShell.xml) +## Labs + +* [Portswigger Labs on File Uploads](https://portswigger.net/web-security/all-labs#file-upload-vulnerabilities) + ## References diff --git a/Web Cache Deception/README.md b/Web Cache Deception/README.md index 50b28e5..6918db5 100644 --- a/Web Cache Deception/README.md +++ b/Web Cache Deception/README.md @@ -49,6 +49,9 @@ Video of the attack by Omer Gil - Web Cache Deception Attack in PayPal Home Page "> ``` +## Labs + +* [PortSwigger Labs for Web cache deception](https://portswigger.net/web-security/all-labs#web-cache-poisoning) ## References diff --git a/Web Sockets/README.md b/Web Sockets/README.md index ffe7ec0..ea11043 100644 --- a/Web Sockets/README.md +++ b/Web Sockets/README.md @@ -59,6 +59,10 @@ application uses a `Sec-WebSocket-Protocol` header in the handshake request, you have to add this value as a 2nd parameter to the `WebSocket` function call in order to add this header. +## Labs + +* [PortSwigger Labs for Web Sockets](https://portswigger.net/web-security/all-labs#http-request-smuggling) + ## References - [HACKING WEB SOCKETS: ALL WEB PENTEST TOOLS WELCOMED by Michael Fowl | Mar 5, 2019](https://www.vdalabs.com/2019/03/05/hacking-web-sockets-all-web-pentest-tools-welcomed/) diff --git a/XSS Injection/README.md b/XSS Injection/README.md index 44b9b06..6cb88ea 100644 --- a/XSS Injection/README.md +++ b/XSS Injection/README.md 
@@ -1227,6 +1227,10 @@ anythinglr00%3c%2fscript%3e%3cscript%3ealert(document.domain)%3c%2fscript%3euxld \u003e\u003c\u0068\u0031 onclick=alert('1')\u003e ``` +## Labs + +* [PortSwigger Labs for XSS](https://portswigger.net/web-security/all-labs#cross-site-scripting) + ## References - [Unleashing-an-Ultimate-XSS-Polyglot](https://github.com/0xsobky/HackVault/wiki/Unleashing-an-Ultimate-XSS-Polyglot) diff --git a/XXE Injection/README.md b/XXE Injection/README.md index 826cdda..8136e66 100644 --- a/XXE Injection/README.md +++ b/XXE Injection/README.md @@ -592,6 +592,9 @@ we can convert the character encoding to `UTF-16` using [iconv](https://man7.org cat utf8exploit.xml | iconv -f UTF-8 -t UTF-16BE > utf16exploit.xml ``` +## Labs + +* [PortSwigger Labs for XXE](https://portswigger.net/web-security/all-labs#xml-external-entity-xxe-injection) ## References
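Review bot: In the `Account Takeover/README.md` hunk the removal leaves two consecutive blank lines between `* OAuth misconfiguration` and `## References`; drop one of them. Since the same README still lists OAuth misconfiguration as an account-takeover vector, consider leaving a one-line pointer to the lab list that now lives in `OAuth/README.md` so readers of this page can still find those labs.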
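Review bot: In the `Directory Traversal/README.md` hunk, `+## Labs` is inserted directly after the closing code fence with no blank line in between; add a blank line before the heading so the markdown renders consistently with the other sections.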
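Review bot: In the `Insecure Deserialization/README.md` hunk the new heading is `## LABS`, while every other file in this patch uses `## Labs`; use the same casing for consistency across the repository.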
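Review bot: In the `OAuth/README.md` hunk two blank lines are added after the last lab entry, giving a double blank line before `## References`; keep only one.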
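Review bot: In the `Open Redirect/README.md` hunk, `+## Labs` follows the closing code fence without a separating blank line; add one before the heading.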
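Review bot: In the `SQL Injection/README.md` hunk the heading is placed directly after the closing code fence; add a blank line before `## Labs`. The final entry `SQL Labs` is a link to the full PortSwigger lab index rather than a specific lab, so a more descriptive label such as "All PortSwigger SQL injection labs" would make that clearer next to the three named labs above it.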
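Review bot: In the `Upload Insecure Files/README.md` hunk the link text reads `Portswigger Labs on File Uploads`, whereas the other hunks spell it `PortSwigger`; use the same spelling.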
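Review bot: In the `Web Cache Deception/README.md` hunk the lab link targets the `#web-cache-poisoning` anchor, which names web cache poisoning rather than web cache deception; confirm this is the intended section, and if no deception-specific anchor exists, say so in the link text. The three added lines also end on the list item, so make sure a blank line separates it from the following `## References` heading, and add one after the closing code fence before `## Labs`.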
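Review bot: In the `Web Sockets/README.md` hunk the link labelled "PortSwigger Labs for Web Sockets" points to the `#http-request-smuggling` anchor, which is the HTTP request smuggling section, not WebSockets; fix the anchor so the link leads to the WebSocket labs.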
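Review bot: In the `XXE Injection/README.md` hunk, `+## Labs` is inserted immediately after the closing code fence with no blank line, and the three added lines end on the list item; add a blank line before the heading and check that one still separates the list from `## References`.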