diff --git a/API Key Leaks/README.md b/API Key Leaks/README.md index c99c38b..0e1a56b 100644 --- a/API Key Leaks/README.md +++ b/API Key Leaks/README.md 
@@ -57,29 +57,30 @@ The following commands can be used to takeover accounts or extract personal info ### Google Maps -Use : https://github.com/ozguralp/gmapsapiscanner/ +* [ozguralp/gmapsapiscanner/](https://github.com/ozguralp/gmapsapiscanner/) - Google Maps API Scanner | Name | Endpoint | | --------------------- | --------- | -| Static Maps | https://maps.googleapis.com/maps/api/staticmap?center=45%2C10&zoom=7&size=400x400&key=KEY_HERE | -| Streetview | https://maps.googleapis.com/maps/api/streetview?size=400x400&location=40.720032,-73.988354&fov=90&heading=235&pitch=10&key=KEY_HERE | -| Embed | https://www.google.com/maps/embed/v1/place?q=place_id:ChIJyX7muQw8tokR2Vf5WBBk1iQ&key=KEY_HERE | -| Directions | https://maps.googleapis.com/maps/api/directions/json?origin=Disneyland&destination=Universal+Studios+Hollywood4&key=KEY_HERE | -| Geocoding | https://maps.googleapis.com/maps/api/geocode/json?latlng=40,30&key=KEY_HERE | -| Distance Matrix | https://maps.googleapis.com/maps/api/distancematrix/json?units=imperial&origins=40.6655101,-73.89188969999998&destinations=40.6905615%2C-73.9976592%7C40.6905615%2C-73.9976592%7C40.6905615%2C-73.9976592%7C40.6905615%2C-73.9976592%7C40.6905615%2C-73.9976592%7C40.6905615%2C-73.9976592%7C40.659569%2C-73.933783%7C40.729029%2C-73.851524%7C40.6860072%2C-73.6334271%7C40.598566%2C-73.7527626%7C40.659569%2C-73.933783%7C40.729029%2C-73.851524%7C40.6860072%2C-73.6334271%7C40.598566%2C-73.7527626&key=KEY_HERE | -| Find Place from Text | https://maps.googleapis.com/maps/api/place/findplacefromtext/json?input=Museum%20of%20Contemporary%20Art%20Australia&inputtype=textquery&fields=photos,formatted_address,name,rating,opening_hours,geometry&key=KEY_HERE | -| Autocomplete | https://maps.googleapis.com/maps/api/place/autocomplete/json?input=Bingh&types=%28cities%29&key=KEY_HERE | -| Elevation | https://maps.googleapis.com/maps/api/elevation/json?locations=39.7391536,-104.9847034&key=KEY_HERE | -| Timezone | 
https://maps.googleapis.com/maps/api/timezone/json?location=39.6034810,-119.6822510×tamp=1331161200&key=KEY_HERE | -| Roads | https://roads.googleapis.com/v1/nearestRoads?points=60.170880,24.942795|60.170879,24.942796|60.170877,24.942796&key=KEY_HERE | -| Geolocate | https://www.googleapis.com/geolocation/v1/geolocate?key=KEY_HERE | +| Static Maps | [/maps/api/staticmap?key=KEY](https://maps.googleapis.com/maps/api/staticmap?center=45%2C10&zoom=7&size=400x400&key=KEY) | +| Streetview | [/maps/api/streetview?key=KEY](https://maps.googleapis.com/maps/api/streetview?size=400x400&location=40.720032,-73.988354&fov=90&heading=235&pitch=10&key=KEY) | +| Embed | [/maps/embed/v1/place?key=KEY](https://www.google.com/maps/embed/v1/place?q=place_id:ChIJyX7muQw8tokR2Vf5WBBk1iQ&key=KEY) | +| Directions | [/maps/api/directions/json?key=KEY](https://maps.googleapis.com/maps/api/directions/json?origin=Disneyland&destination=Universal+Studios+Hollywood4&key=KEY) | +| Geocoding | [/maps/api/geocode/json?key=KEY](https://maps.googleapis.com/maps/api/geocode/json?latlng=40,30&key=KEY) | +| Distance Matrix | [/maps/api/distancematrix/json?key=KEY](https://maps.googleapis.com/maps/api/distancematrix/json?units=imperial&origins=40.6655101,-73.89188969999998&destinations=40.6905615%2C-73.9976592%7C40.6905615%2C-73.9976592%7C40.6905615%2C-73.9976592%7C40.6905615%2C-73.9976592%7C40.6905615%2C-73.9976592%7C40.6905615%2C-73.9976592%7C40.659569%2C-73.933783%7C40.729029%2C-73.851524%7C40.6860072%2C-73.6334271%7C40.598566%2C-73.7527626%7C40.659569%2C-73.933783%7C40.729029%2C-73.851524%7C40.6860072%2C-73.6334271%7C40.598566%2C-73.7527626&key=KEY) | +| Find Place from Text | [/maps/api/place/findplacefromtext/json?key=KEY](https://maps.googleapis.com/maps/api/place/findplacefromtext/json?input=Museum%20of%20Contemporary%20Art%20Australia&inputtype=textquery&fields=photos,formatted_address,name,rating,opening_hours,geometry&key=KEY) | +| Autocomplete | 
[/maps/api/place/autocomplete/json?key=KEY](https://maps.googleapis.com/maps/api/place/autocomplete/json?input=Bingh&types=%28cities%29&key=KEY) | +| Elevation | [/maps/api/elevation/json?key=KEY](https://maps.googleapis.com/maps/api/elevation/json?locations=39.7391536,-104.9847034&key=KEY) | +| Timezone | [/maps/api/timezone/json?key=KEY](https://maps.googleapis.com/maps/api/timezone/json?location=39.6034810,-119.6822510×tamp=1331161200&key=KEY) | +| Roads | [roads.googleapis.com/v1/nearestRoads?key=KEY](https://roads.googleapis.com/v1/nearestRoads?points=60.170880,24.942795&key=KEY) | +| Geolocate | [www.googleapis.com/geolocation/v1/geolocate?key=KEY](https://www.googleapis.com/geolocation/v1/geolocate?key=KEY) | -Impact: +**Impact**: * Consuming the company's monthly quota or can over-bill with unauthorized usage of this service and do financial damage to the company * Conduct a denial of service attack specific to the service if any limitation of maximum bill control settings exist in the Google account + ### Algolia ```powershell 
@@ -91,42 +92,49 @@ curl --request PUT \ --data '{"highlightPreTag": ""}' ``` + ### Slack API Token ```powershell curl -sX POST "https://slack.com/api/auth.test?token=xoxp-TOKEN_HERE&pretty=1" ``` + ### Facebook Access Token ```powershell curl https://developers.facebook.com/tools/debug/accesstoken/?access_token=ACCESS_TOKEN_HERE&version=v3.2 ``` + ### Github client id and client secret ```powershell curl 'https://api.github.com/users/whatever?client_id=xxxx&client_secret=yyyy' ``` + ### Twilio Account_sid and Auth token ```powershell curl -X GET 'https://api.twilio.com/2010-04-01/Accounts.json' -u ACCOUNT_SID:AUTH_TOKEN ``` + ### Twitter API Secret ```powershell curl -u 'API key:API secret key' --data 'grant_type=client_credentials' 'https://api.twitter.com/oauth2/token' ``` + ### Twitter Bearer Token ```powershell curl --request GET --url https://api.twitter.com/1.1/account_activity/all/subscriptions/count.json --header 'authorization: Bearer TOKEN' ``` + ### Gitlab Personal Access Token ```powershell @@ -145,9 +153,15 @@ curl -H "X-HockeyAppToken: ad136912c642076b0d1f32ba161f1846b2c" https://rink.hoc A Mapbox API Token is a JSON Web Token (JWT). If the header of the JWT is `sk`, jackpot. If it's `pk` or `tk`, it's not worth your time. -* Check token validity: `curl "https://api.mapbox.com/tokens/v2?access_token=YOUR_MAPBOX_ACCESS_TOKEN"` -* Get list of all tokens associated with an account (only works if the token is a Secret Token (sk), and has the appropriate scope): `curl "https://api.mapbox.com/tokens/v2/MAPBOX_USERNAME_HERE?access_token=YOUR_MAPBOX_ACCESS_TOKEN"` - +* Check token validity: + ```ps1 + curl "https://api.mapbox.com/tokens/v2?access_token=YOUR_MAPBOX_ACCESS_TOKEN" + ``` + +* Get list of all tokens associated with an account (only works if the token is a Secret Token (sk), and has the appropriate scope) + ```ps1 + curl "https://api.mapbox.com/tokens/v2/MAPBOX_USERNAME_HERE?access_token=YOUR_MAPBOX_ACCESS_TOKEN" + ``` ## References 
diff --git a/Cross-Site Request Forgery/README.md b/Cross-Site Request Forgery/README.md index 693715f..493b9f8 100644 --- a/Cross-Site Request Forgery/README.md +++ b/Cross-Site Request Forgery/README.md @@ -32,7 +32,7 @@ ## Methodology -![CSRF_cheatsheet](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/CSRF%20Injection/Images/CSRF-CheatSheet.png?raw=true) +![CSRF_cheatsheet](https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/Cross-Site%20Request%20Forgery/Images/CSRF-CheatSheet.png) ## Payloads diff --git a/README.md b/README.md index e30b1a8..278223d 100644 --- a/README.md +++ b/README.md @@ -16,7 +16,7 @@ An alternative display version is available at [PayloadsAllTheThingsWeb](https:/

-📖 Documentation +:book: Documentation ----- Every section contains the following files, you can use the `_template_vuln` folder to create a new chapter: @@ -53,7 +53,7 @@ You might also like the `Methodology and Resources` folder : You want more ? Check the [Books](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/_LEARNING_AND_SOCIALS/BOOKS.md) and [Youtube videos](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/_LEARNING_AND_SOCIALS/YOUTUBE.md) selections. -👨‍💻 Contributions +:technologist: Contributions ----- Be sure to read [CONTRIBUTING.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/CONTRIBUTING.md) @@ -66,7 +66,7 @@ Be sure to read [CONTRIBUTING.md](https://github.com/swisskyrepo/PayloadsAllTheT Thanks again for your contribution! :heart: -🧙‍♂️ Sponsors +:beers: Sponsors ----- This project is proudly sponsored by these companies: diff --git a/Server Side Request Forgery/README.md b/Server Side Request Forgery/README.md index 2f2bc29..dbe481c 100644 --- a/Server Side Request Forgery/README.md +++ b/Server Side Request Forgery/README.md @@ -681,8 +681,6 @@ We then retrieve the `AccessKeyId`, `SecretAccessKey`, and `Token` from the API. http://169.254.169.254/latest/meta-data/iam/security-credentials/aws-elasticbeanorastalk-ec2-role ``` -![notsosecureblog-awskey](https://www.notsosecure.com/wp-content/uploads/2019/02/aws-cli.jpg) - Then we use the credentials with `aws s3 ls s3://elasticbeanstalk-us-east-2-[ACCOUNT_ID]/`. 
@@ -920,7 +918,7 @@ More info: https://rancher.com/docs/rancher/v1.6/en/rancher-services/metadata-se - [SSRF - Server Side Request Forgery (Types and ways to exploit it) Part-1 - SaN ThosH - 10 Jan 2019](https://medium.com/@madrobot/ssrf-server-side-request-forgery-types-and-ways-to-exploit-it-part-1-29d034c27978) - [SSRF Protocol Smuggling in Plaintext Credential Handlers : LDAP - @0xrst](https://www.silentrobots.com/ssrf-protocol-smuggling-in-plaintext-credential-handlers-ldap/) - [X-CTF Finals 2016 - John Slick (Web 25) - YEO QUAN YANG @quanyang](https://quanyang.github.io/x-ctf-finals-2016-john-slick-web-25/) -- [Exploiting SSRF in AWS Elastic Beanstalk - February 1, 2019 - @notsosecure](https://www.notsosecure.com/exploiting-ssrf-in-aws-elastic-beanstalk/) +- [Exploiting SSRF in AWS Elastic Beanstalk - February 1, 2019 - @notsosecure](https://notsosecure.com/exploiting-ssrf-aws-elastic-beanstalk) - [PortSwigger - Web Security Academy Server-side request forgery (SSRF)](https://portswigger.net/web-security/ssrf) - [SVG SSRF Cheatsheet - Allan Wirth (@allanlw) - 12/06/2019](https://github.com/allanlw/svg-cheatsheet) - [SSRF’s up! Real World Server-Side Request Forgery (SSRF) - shorebreaksecurity - 2019](https://www.shorebreaksecurity.com/blog/ssrfs-up-real-world-server-side-request-forgery-ssrf/)
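Review bot: The Timezone row in the Google Maps table still carries a broken query string in the `API Key Leaks/README.md` hunk: both the removed and the added line read `location=39.6034810,-119.6822510×tamp=1331161200&key=KEY`, where the `&timestamp=` separator appears to have collapsed into `×tamp=`; since this hunk rewrites every row anyway, it is the right place to restore `&timestamp=`. The link text is also inconsistent across rows: most rows show a path such as `[/maps/api/staticmap?key=KEY]`, while the Roads and Geolocate rows prefix the host (`[roads.googleapis.com/v1/nearestRoads?key=KEY]`, `[www.googleapis.com/geolocation/v1/geolocate?key=KEY]`); pick one convention, and consider keeping the full URL visible in a code span so the example parameters survive when the table is copied or rendered without links.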
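Review bot: The fences touched by the `@@ -91,42 +92,49 @@` hunk (Slack, Facebook, GitHub, Twilio, Twitter, GitLab) are all tagged ```` ```powershell ```` although every block is a `curl` one-liner written in POSIX shell syntax (single-quoted arguments, `-u`, `--data`); tagging them ```` ```bash ```` or ```` ```sh ```` would give correct highlighting and match how the commands are meant to be run. The added blank lines before each `###` heading are a good consistency fix.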
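Review bot: The Mapbox hunk (`@@ -145,9 +153,15 @@`) introduces ```` ```ps1 ```` fences while the rest of the same file uses ```` ```powershell ````; use one tag throughout. The hunk also removes the blank line that separated the list from `## References`, so the closing fence of the second bullet now abuts the heading; restore the blank line. Minor: the first bullet ends with a colon (`Check token validity:`) and the second does not, and the surrounding sentence "If the header of the JWT is `sk`" is describing the `sk`/`pk`/`tk` token prefix rather than the JWT header; "prefix" would be the clearer word.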
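Review bot: The three `README.md` hunks replace Unicode emoji with GitHub shortcodes (`📖` to `:book:`, `👨‍💻` to `:technologist:`, `🧙‍♂️` to `:beers:`); shortcodes only render on GitHub and similar hosts, whereas the Unicode characters render in any Markdown viewer, including the alternative display version at PayloadsAllTheThingsWeb mentioned at the top of the file, so confirm that target renders shortcodes before merging. Note also that the Sponsors heading changes meaning from a wizard to beers; if that is intentional, fine, otherwise `:mage:` preserves the original icon.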
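Review bot: In the `Server Side Request Forgery/README.md` hunk that drops the notsosecure screenshot, the unchanged context line `http://169.254.169.254/latest/meta-data/iam/security-credentials/aws-elasticbeanorastalk-ec2-role` looks like a typo for `aws-elasticbeanstalk-ec2-role`, the default Elastic Beanstalk instance profile name; worth correcting in the same change since the following sentence ("Then we use the credentials with `aws s3 ls ...`") depends on the reader hitting the right role path. Removing the image is reasonable given the reference hunk below moves the same site to a new domain, but the image also carried the only illustration of the `aws-cli` step, so a short textual note of what the response contains would keep the walkthrough self-contained.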