mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-18 10:26:09 +00:00
Update
This commit is contained in:
parent
9f0c70d46f
commit
a670a26eea
@ -254,13 +254,6 @@ Enter the code **000000** or **null** to bypass 2FA protection.
|
||||
* Session hijacking
|
||||
* OAuth misconfiguration
|
||||
|
||||
## Labs
|
||||
|
||||
* [Authentication bypass via OAuth implicit flow](https://portswigger.net/web-security/oauth/lab-oauth-authentication-bypass-via-oauth-implicit-flow)
|
||||
* [Forced OAuth profile linking](https://portswigger.net/web-security/oauth/lab-oauth-forced-oauth-profile-linking)
|
||||
* [OAuth account hijacking via redirect_uri](https://portswigger.net/web-security/oauth/lab-oauth-account-hijacking-via-redirect-uri)
|
||||
* [Stealing OAuth access tokens via a proxy page](https://portswigger.net/web-security/oauth/lab-oauth-stealing-oauth-access-tokens-via-a-proxy-page)
|
||||
* [Stealing OAuth access tokens via an open redirect](https://portswigger.net/web-security/oauth/lab-oauth-stealing-oauth-access-tokens-via-an-open-redirect)
|
||||
|
||||
## References
|
||||
|
||||
|
@ -194,6 +194,14 @@ The following log files are controllable and can be included with an evil payloa
|
||||
/var/log/sshd.log
|
||||
/var/log/mail
|
||||
```
|
||||
## Labs
|
||||
|
||||
* [File path traversal, simple case](https://portswigger.net/web-security/file-path-traversal/lab-simple)
|
||||
* [File path traversal, traversal sequences blocked with absolute path bypass](https://portswigger.net/web-security/file-path-traversal/lab-absolute-path-bypass)
|
||||
* [File path traversal, traversal sequences stripped non-recursively](https://portswigger.net/web-security/file-path-traversal/lab-sequences-stripped-non-recursively)
|
||||
* [File path traversal, traversal sequences stripped with superfluous URL-decode](https://portswigger.net/web-security/file-path-traversal/lab-superfluous-url-decode)
|
||||
* [File path traversal, validation of start of path](https://portswigger.net/web-security/file-path-traversal/lab-validate-start-of-path)
|
||||
* [File path traversal, validation of file extension with null byte bypass](https://portswigger.net/web-security/file-path-traversal/lab-validate-file-extension-null-byte-bypass)
|
||||
|
||||
## References
|
||||
|
||||
|
@ -10,6 +10,10 @@ Check the following sub-sections, located in other files :
|
||||
* [Python : pickle, ...](Python.md)
|
||||
* [YAML : PyYAML, ...](YAML.md)
|
||||
|
||||
## LABS
|
||||
|
||||
* [Insecure Deserialization 10 labs](https://portswigger.net/web-security/all-labs#insecure-deserialization)
|
||||
|
||||
## References
|
||||
|
||||
* [Github - ysoserial](https://github.com/frohoff/ysoserial)
|
||||
|
@ -48,6 +48,10 @@ http://foo.bar/accessPage?menuitem=12
|
||||
* [HackerOne - IDOR to view User Order Information - meals](https://hackerone.com/reports/287789)
|
||||
* [HackerOne - IDOR on HackerOne Feedback Review - japz](https://hackerone.com/reports/262661)
|
||||
|
||||
## Labs
|
||||
|
||||
* [Insecure direct object references](https://portswigger.net/web-security/access-control/lab-insecure-direct-object-references)
|
||||
|
||||
## References
|
||||
|
||||
* [OWASP - Testing for Insecure Direct Object References (OTG-AUTHZ-004)](https://www.owasp.org/index.php/Testing_for_Insecure_Direct_Object_References_(OTG-AUTHZ-004))
|
||||
|
@ -287,6 +287,15 @@ eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMj...Fh7HgQ:secret
|
||||
* CVE-2019-20933/CVE-2020-28637 - Blank password vulnerability
|
||||
* CVE-2020-28042 - Null signature vulnerability
|
||||
|
||||
## Labs
|
||||
|
||||
* [JWT authentication bypass via unverified signature](https://portswigger.net/web-security/jwt/lab-jwt-authentication-bypass-via-unverified-signature)
|
||||
* [JWT authentication bypass via flawed signature verification](https://portswigger.net/web-security/jwt/lab-jwt-authentication-bypass-via-flawed-signature-verification)
|
||||
* [JWT authentication bypass via weak signing key](https://portswigger.net/web-security/jwt/lab-jwt-authentication-bypass-via-weak-signing-key)
|
||||
* [JWT authentication bypass via jwk header injection](https://portswigger.net/web-security/jwt/lab-jwt-authentication-bypass-via-jwk-header-injection)
|
||||
* [JWT authentication bypass via jku header injection](https://portswigger.net/web-security/jwt/lab-jwt-authentication-bypass-via-jku-header-injection)
|
||||
* [JWT authentication bypass via kid header path traversal](https://portswigger.net/web-security/jwt/lab-jwt-authentication-bypass-via-kid-header-path-traversal)
|
||||
|
||||
## References
|
||||
|
||||
- [Hacking JSON Web Token (JWT) - Hate_401](https://medium.com/101-writeups/hacking-json-web-token-jwt-233fe6c862e6)
|
||||
|
@ -62,6 +62,15 @@ Applications that do not check for a valid CSRF token in the OAuth callback are
|
||||
|
||||
> The client MUST implement CSRF protection for its redirection URI. This is typically accomplished by requiring any request sent to the redirection URI endpoint to include a value that binds the request to the user-agent's authenticated state. The client SHOULD utilize the "state" request parameter to deliver this value to the authorization server when making an authorization request.
|
||||
|
||||
## Labs
|
||||
|
||||
* [Authentication bypass via OAuth implicit flow](https://portswigger.net/web-security/oauth/lab-oauth-authentication-bypass-via-oauth-implicit-flow)
|
||||
* [Forced OAuth profile linking](https://portswigger.net/web-security/oauth/lab-oauth-forced-oauth-profile-linking)
|
||||
* [OAuth account hijacking via redirect_uri](https://portswigger.net/web-security/oauth/lab-oauth-account-hijacking-via-redirect-uri)
|
||||
* [Stealing OAuth access tokens via a proxy page](https://portswigger.net/web-security/oauth/lab-oauth-stealing-oauth-access-tokens-via-a-proxy-page)
|
||||
* [Stealing OAuth access tokens via an open redirect](https://portswigger.net/web-security/oauth/lab-oauth-stealing-oauth-access-tokens-via-an-open-redirect)
|
||||
|
||||
|
||||
## References
|
||||
|
||||
* [All your Paypal OAuth tokens belong to me - localhost for the win - INTO THE SYMMETRY](http://blog.intothesymmetry.com/2016/11/all-your-paypal-tokens-belong-to-me.html)
|
||||
|
@ -178,6 +178,10 @@ http://www.example.com/redirect.php?url=javascript:prompt(1)
|
||||
?continue={payload}
|
||||
?return_path={payload}
|
||||
```
|
||||
## Labs
|
||||
|
||||
* [DOM-based open redirection](https://portswigger.net/web-security/dom-based/open-redirection/lab-dom-open-redirection)
|
||||
|
||||
|
||||
## References
|
||||
|
||||
|
@ -612,6 +612,13 @@ Obfuscated query
|
||||
1.e(ascii 1.e(substring(1.e(select password from users limit 1 1.e,1 1.e) 1.e,1 1.e,1 1.e)1.e)1.e) = 70 or'1'='2
|
||||
```
|
||||
|
||||
## Labs
|
||||
|
||||
* [SQL injection vulnerability in WHERE clause allowing retrieval of hidden data](https://portswigger.net/web-security/sql-injection/lab-retrieve-hidden-data)
|
||||
* [SQL injection vulnerability allowing login bypass](https://portswigger.net/web-security/sql-injection/lab-login-bypass)
|
||||
* [SQL injection with filter bypass via XML encoding](https://portswigger.net/web-security/sql-injection/lab-sql-injection-with-filter-bypass-via-xml-encoding)
|
||||
* [SQL Labs](https://portswigger.net/web-security/all-labs#sql-injection)
|
||||
|
||||
## References
|
||||
|
||||
* Detect SQLi
|
||||
|
@ -829,6 +829,14 @@ curl http://rancher-metadata/<version>/<path>
|
||||
|
||||
More info: https://rancher.com/docs/rancher/v1.6/en/rancher-services/metadata-service/
|
||||
|
||||
## Labs
|
||||
|
||||
* [Basic SSRF against the local server](https://portswigger.net/web-security/ssrf/lab-basic-ssrf-against-localhost)
|
||||
* [Basic SSRF against another back-end system](https://portswigger.net/web-security/ssrf/lab-basic-ssrf-against-backend-system)
|
||||
* [SSRF with blacklist-based input filter](https://portswigger.net/web-security/ssrf/lab-ssrf-with-blacklist-filter)
|
||||
* [SSRF with whitelist-based input filter](https://portswigger.net/web-security/ssrf/lab-ssrf-with-whitelist-filter)
|
||||
* [SSRF with filter bypass via open redirection vulnerability](https://portswigger.net/web-security/ssrf/lab-ssrf-filter-bypass-via-open-redirection)
|
||||
|
||||
|
||||
## References
|
||||
|
||||
|
@ -191,6 +191,10 @@ When a ZIP/archive file is automatically decompressed after the upload
|
||||
Upload the XML file to `$JETTY_BASE/webapps/`
|
||||
* [JettyShell.xml - From Mikhail Klyuchnikov](https://raw.githubusercontent.com/Mike-n1/tips/main/JettyShell.xml)
|
||||
|
||||
## Labs
|
||||
|
||||
* [Portswigger Labs on File Uploads](https://portswigger.net/web-security/all-labs#file-upload-vulnerabilities)
|
||||
|
||||
|
||||
## References
|
||||
|
||||
|
@ -49,6 +49,9 @@ Video of the attack by Omer Gil - Web Cache Deception Attack in PayPal Home Page
|
||||
<meta property="og:image" content="https://test"><script>alert(1)</script>">
|
||||
```
|
||||
|
||||
## Labs
|
||||
|
||||
* [PortSwigger Labs for Web cache deception](https://portswigger.net/web-security/all-labs#web-cache-poisoning)
|
||||
|
||||
## References
|
||||
|
||||
|
@ -59,6 +59,10 @@ application uses a `Sec-WebSocket-Protocol` header in the handshake request,
|
||||
you have to add this value as a 2nd parameter to the `WebSocket` function call
|
||||
in order to add this header.
|
||||
|
||||
## Labs
|
||||
|
||||
* [PortSwigger Labs for Web Sockets](https://portswigger.net/web-security/all-labs#http-request-smuggling)
|
||||
|
||||
## References
|
||||
|
||||
- [HACKING WEB SOCKETS: ALL WEB PENTEST TOOLS WELCOMED by Michael Fowl | Mar 5, 2019](https://www.vdalabs.com/2019/03/05/hacking-web-sockets-all-web-pentest-tools-welcomed/)
|
||||
|
@ -1227,6 +1227,10 @@ anythinglr00%3c%2fscript%3e%3cscript%3ealert(document.domain)%3c%2fscript%3euxld
|
||||
\u003e\u003c\u0068\u0031 onclick=alert('1')\u003e
|
||||
```
|
||||
|
||||
## Labs
|
||||
|
||||
* [PortSwigger Labs for XSS](https://portswigger.net/web-security/all-labs#cross-site-scripting)
|
||||
|
||||
## References
|
||||
|
||||
- [Unleashing-an-Ultimate-XSS-Polyglot](https://github.com/0xsobky/HackVault/wiki/Unleashing-an-Ultimate-XSS-Polyglot)
|
||||
|
@ -592,6 +592,9 @@ we can convert the character encoding to `UTF-16` using [iconv](https://man7.org
|
||||
cat utf8exploit.xml | iconv -f UTF-8 -t UTF-16BE > utf16exploit.xml
|
||||
```
|
||||
|
||||
## Labs
|
||||
|
||||
* [PortSwigger Labs for XXE](https://portswigger.net/web-security/all-labs#xml-external-entity-xxe-injection)
|
||||
|
||||
## References
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user