diff --git a/API Key Leaks/README.md b/API Key Leaks/README.md index cf29316..c99c38b 100644 --- a/API Key Leaks/README.md +++ b/API Key Leaks/README.md @@ -1,4 +1,4 @@ -# API Key Leaks +# API Key and Token Leaks > The API key is a unique identifier that is used to authenticate requests associated with your project. Some developers might hardcode them or leave it on public shares. diff --git a/Business Logic Errors/README.md b/Business Logic Errors/README.md index 009b32f..cb11184 100644 --- a/Business Logic Errors/README.md +++ b/Business Logic Errors/README.md 
@@ -15,54 +15,65 @@ Unlike other types of security vulnerabilities like SQL injection or cross-site Common examples of Business Logic Errors. -* Review Feature Testing - * Assess if you can post a product review as a verified reviewer without having purchased the item. - * Attempt to provide a rating outside of the standard scale, for instance, a 0, 6 or negative number in a 1 to 5 scale system. - * Test if the same user can post multiple ratings for a single product. This is useful in detecting potential race conditions. - * Determine if the file upload field permits all extensions; developers often overlook protections on these endpoints. - * Investigate the possibility of posting reviews impersonating other users. - * Attempt Cross-Site Request Forgery (CSRF) on this feature, as it's frequently unprotected by tokens. +### Review Feature Testing -* Discount Code Feature Testing - * Try to apply the same discount code multiple times to assess if it's reusable. - * If the discount code is unique, evaluate for race conditions by applying the same code for two accounts simultaneously. - * Test for Mass Assignment or HTTP Parameter Pollution to see if you can apply multiple discount codes when the application is designed to accept only one. - * Test for vulnerabilities from missing input sanitization such as XSS, SQL Injection on this feature. - * Attempt to apply discount codes to non-discounted items by manipulating the server-side request. +* Assess if you can post a product review as a verified reviewer without having purchased the item. +* Attempt to provide a rating outside of the standard scale, for instance, a 0, 6 or negative number in a 1 to 5 scale system. +* Test if the same user can post multiple ratings for a single product. This is useful in detecting potential race conditions. +* Determine if the file upload field permits all extensions; developers often overlook protections on these endpoints. 
+* Investigate the possibility of posting reviews impersonating other users. +* Attempt Cross-Site Request Forgery (CSRF) on this feature, as it's frequently unprotected by tokens. -* Delivery Fee Manipulation - * Experiment with negative values for delivery charges to see if it reduces the final amount. - * Evaluate if free delivery can be activated by modifying parameters. -* Currency Arbitrage - * Attempt to pay in one currency, for example, USD, and request a refund in another, like EUR. The difference in conversion rates could result in a profit. +### Discount Code Feature Testing + +* Try to apply the same discount code multiple times to assess if it's reusable. +* If the discount code is unique, evaluate for race conditions by applying the same code for two accounts simultaneously. +* Test for Mass Assignment or HTTP Parameter Pollution to see if you can apply multiple discount codes when the application is designed to accept only one. +* Test for vulnerabilities from missing input sanitization such as XSS, SQL Injection on this feature. +* Attempt to apply discount codes to non-discounted items by manipulating the server-side request. + + +### Delivery Fee Manipulation + +* Experiment with negative values for delivery charges to see if it reduces the final amount. +* Evaluate if free delivery can be activated by modifying parameters. + + +### Currency Arbitrage + +* Attempt to pay in one currency, for example, USD, and request a refund in another, like EUR. The difference in conversion rates could result in a profit. -* Premium Feature Exploitation - * Explore the possibility of accessing premium account-only sections or endpoints without a valid subscription. - * Purchase a premium feature, cancel it, and see if you can still use it after a refund. - * Look for true/false values in requests/responses that validate premium access. Use tools like Burp's Match & Replace to alter these values for unauthorized premium access. 
- * Review cookies or local storage for variables validating premium access. -* Refund Feature Exploitation - * Purchase a product, ask for a refund, and see if the product remains accessible. - * Look for opportunities for currency arbitrage. - * Submit multiple cancellation requests for a subscription to check the possibility of multiple refunds. +### Premium Feature Exploitation -* Cart/Wishlist Exploitation - * Test the system by adding products in negative quantities, along with other products, to balance the total. - * Try to add more of a product than is available. - * Check if a product in your wishlist or cart can be moved to another user's cart or removed from it. +* Explore the possibility of accessing premium account-only sections or endpoints without a valid subscription. +* Purchase a premium feature, cancel it, and see if you can still use it after a refund. +* Look for true/false values in requests/responses that validate premium access. Use tools like Burp's Match & Replace to alter these values for unauthorized premium access. +* Review cookies or local storage for variables validating premium access. -* Thread Comment Testing - * Check if there's a limit to the number of comments on a thread. - * If a user can only comment once, use race conditions to see if multiple comments can be posted. - * If the system allows comments by verified or privileged users, try to mimic these parameters and see if you can comment as well. - * Attempt to post comments impersonating other users. -* Parameter Tampering - * Manipulate payment or other critical fields to alter their values. - * By exploiting HTTP Parameter Pollution & Mass Assignment, add extra or unexpected fields. - * Try to manipulate the response to bypass restrictions, such as 2FA. +### Refund Feature Exploitation + +* Purchase a product, ask for a refund, and see if the product remains accessible. +* Look for opportunities for currency arbitrage. 
+* Submit multiple cancellation requests for a subscription to check the possibility of multiple refunds. + + +### Cart/Wishlist Exploitation + +* Test the system by adding products in negative quantities, along with other products, to balance the total. +* Try to add more of a product than is available. +* Check if a product in your wishlist or cart can be moved to another user's cart or removed from it. + + +### Thread Comment Testing + +* Check if there's a limit to the number of comments on a thread. +* If a user can only comment once, use race conditions to see if multiple comments can be posted. +* If the system allows comments by verified or privileged users, try to mimic these parameters and see if you can comment as well. +* Attempt to post comments impersonating other users. + ## References diff --git a/Client Side Path Traversal/README.md b/Client Side Path Traversal/README.md index 457b2e3..144b771 100644 --- a/Client Side Path Traversal/README.md +++ b/Client Side Path Traversal/README.md 
@@ -51,7 +51,7 @@ Real-World Scenarios: * [Exploiting Client-Side Path Traversal to Perform Cross-Site Request Forgery - Introducing CSPT2CSRF - Maxence Schmitt - 02 Jul 2024](https://blog.doyensec.com/2024/07/02/cspt2csrf.html) * [Exploiting Client-Side Path Traversal - CSRF is dead, long live CSRF - Whitepaper- Maxence Schmitt](https://www.doyensec.com/resources/Doyensec_CSPT2CSRF_Whitepaper.pdf) -* [Exploiting Client-Side Path Traversal - CSRF is Dead, Long Live CSRF - OWASP Global AppSec 2024 - Maxence Schmitt - June 24 2024][https://www.doyensec.com/resources/Doyensec_CSPT2CSRF_OWASP_Appsec_Lisbon.pdf] +* [Exploiting Client-Side Path Traversal - CSRF is Dead, Long Live CSRF - OWASP Global AppSec 2024 - Maxence Schmitt - June 24 2024](https://www.doyensec.com/resources/Doyensec_CSPT2CSRF_OWASP_Appsec_Lisbon.pdf) * [Leaking Jupyter instance auth token chaining CVE-2023-39968, CVE-2024-22421 and a chromium bug - Davwwwx - 30-08-2023](https://blog.xss.am/2023/08/cve-2023-39968-jupyter-token-leak/) * [Tweet - @HusseiN98D - 5 july 2024](https://twitter.com/HusseiN98D/status/1809164551822172616) * [On-site request forgery - Dafydd Stuttard - 03 May 2007](https://portswigger.net/blog/on-site-request-forgery) diff --git a/XSS Injection/README.md b/XSS Injection/README.md index 3011835..7e47f1a 100644 --- a/XSS Injection/README.md +++ b/XSS Injection/README.md @@ -363,7 +363,7 @@ vbscript:msgbox("XSS") ## XSS in files -** NOTE:** The XML CDATA section is used here so that the JavaScript payload will not be treated as XML markup. +**NOTE:** The XML CDATA section is used here so that the JavaScript payload will not be treated as XML markup. ```xml
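Review bot: in the `API Key Leaks/README.md` hunk, the heading is widened to "API Key and Token Leaks" but the blockquote directly under it still defines only the API key ("The API key is a unique identifier that is used to authenticate requests associated with your project..."), so the title and the description no longer match; extend that sentence so it also covers tokens, or keep the narrower title.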
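Review bot: in the `Business Logic Errors/README.md` hunk, the `* Parameter Tampering` entry and its three sub-bullets (`Manipulate payment or other critical fields to alter their values.`, the HTTP Parameter Pollution & Mass Assignment item, and `Try to manipulate the response to bypass restrictions, such as 2FA.`) are removed without a matching `### Parameter Tampering` section being added, so this otherwise pure bullets-to-headings restructuring silently drops content; add the section back, or state the removal explicitly in the commit message. Minor style point: most new sections are preceded by two added blank lines (`+` `+` before `### Discount Code Feature Testing`, `### Delivery Fee Manipulation`, and so on), which is inconsistent with the single blank line used elsewhere in the file; one blank line between sections is enough.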
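Review bot: in the `Client Side Path Traversal/README.md` hunk, the fix from `[...]` to `(...)` for the OWASP Global AppSec link is correct; while touching this list, the neighbouring context line `Whitepaper- Maxence Schmitt` is missing the space before the hyphen that every other entry uses (`- Maxence Schmitt`), so it is worth fixing in the same pass.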