diff --git a/Insecure direct object references/README.md b/Insecure direct object references/README.md new file mode 100644 index 00000000..bf3bd97f --- /dev/null +++ b/Insecure direct object references/README.md @@ -0,0 +1,48 @@ +# Insecure Direct Object References + +> Insecure Direct Object References occur when an application provides direct access to objects based on user-supplied input. As a result of this vulnerability attackers can bypass authorization and access resources in the system directly, for example database records or files. - OWASP + +Tools : + +- Burp Suite plugin Authz +- Burp Suite plugin AuthMatrix +- Burp Suite plugin Authorize + +## Exploit + +![https://lh5.googleusercontent.com/VmLyyGH7dGxUOl60h97Lr57F7dcnDD8DmUMCZTD28BKivVI51BLPIqL0RmcxMPsmgXgvAqY8WcQ-Jyv5FhRiCBueX9Wj0HSCBhE-_SvrDdA6_wvDmtMSizlRsHNvTJHuy36LG47lstLpTqLK](https://lh5.googleusercontent.com/VmLyyGH7dGxUOl60h97Lr57F7dcnDD8DmUMCZTD28BKivVI51BLPIqL0RmcxMPsmgXgvAqY8WcQ-Jyv5FhRiCBueX9Wj0HSCBhE-_SvrDdA6_wvDmtMSizlRsHNvTJHuy36LG47lstLpTqLK) + +The value of a parameter is used directly to retrieve a database record. + +```powershell +http://foo.bar/somepage?invoice=12345 +``` + +The value of a parameter is used directly to perform an operation in the system + +```powershell +http://foo.bar/changepassword?user=someuser +``` + +The value of a parameter is used directly to retrieve a file system resource + +```powershell +http://foo.bar/showImage?img=img00011 +``` + +The value of a parameter is used directly to access application functionality + +```powershell +http://foo.bar/accessPage?menuitem=12 +``` + +## Examples + +* [HackerOne - IDOR to view User Order Information - meals](https://hackerone.com/reports/287789) +* [HackerOne - IDOR on HackerOne Feedback Review - japz](https://hackerone.com/reports/262661) + +## Thanks to + +* [OWASP - Testing for Insecure Direct Object References (OTG-AUTHZ-004)](https://www.owasp.org/index.php/Testing_for_Insecure_Direct_Object_References_(OTG-AUTHZ-004)) +* [OWASP - Insecure Direct Object Reference Prevention Cheat Sheet](https://www.owasp.org/index.php/Insecure_Direct_Object_Reference_Prevention_Cheat_Sheet) +* [BUGCROWD - How-To: Find IDOR (Insecure Direct Object Reference) Vulnerabilities for large bounty rewards - Sam Houton](https://www.bugcrowd.com/how-to-find-idor-insecure-direct-object-reference-vulnerabilities-for-large-bounty-rewards/) \ No newline at end of file diff --git a/Insecure direct object references/idor.png b/Insecure direct object references/idor.png new file mode 100644 index 00000000..b41c634a Binary files /dev/null and b/Insecure direct object references/idor.png differ diff --git a/SSRF injection/README.md b/SSRF injection/README.md index f1b06e3b..cb36b306 100644 --- a/SSRF injection/README.md +++ b/SSRF injection/README.md @@ -9,20 +9,23 @@ Tools: ## Summary -* [Exploit with localhost](#summary) -* [Bypassing filters](#summary) -* [SSRF via URL Scheme](#summary) -* [SSRF to XSS](#summary) -* [SSRF URL for Cloud Instances](#summary) - * [SSRF URL for AWS Bucket](#summary) - * [SSRF URL for Google Cloud](#summary) - * [SSRF URL for Digital Ocean](#summary) - * [SSRF URL for Packetcloud](#summary) - * [SSRF URL for Azure](#summary) - * [SSRF URL for OpenStack/RackSpace](#summary) - * [SSRF URL for HP Helion](#summary) - * [SSRF URL for Oracle Cloud](#summary) - * [SSRF URL for Alibaba](#summary) +* [Exploit with localhost](#exploit-with-localhost) +* [Bypassing filters](#bypassing-filters) +* [SSRF via URL Scheme](#ssrf-via-url-scheme) +* [SSRF to XSS](#ssrf-to-xss-by-d0rkerdevil--alyssaoherrera) +* [SSRF URL for Cloud Instances](#ssrf-url-for-cloud-instances) + * [SSRF URL for AWS Bucket](#ssrf-url-for-aws-bucket) + * [SSRF URL for Google Cloud](#ssrf-url-for-google-cloud) + * [SSRF URL for Digital Ocean](#ssrf-url-for-digital-ocean) + * [SSRF URL for Packetcloud](#ssrf-url-for-packetcloud) + * [SSRF URL for Azure](#ssrf-url-for-azure) + * [SSRF URL for OpenStack/RackSpace](#ssrf-url-for-openstackrackspace) + * [SSRF URL for HP Helion](#ssrf-url-for-hp-helion) + * [SSRF URL for Oracle Cloud](#ssrf-url-for-oracle-cloud) + * [SSRF URL for Kubernetes ETCD](#ssrf-url-for-kubernetes-etcd) + * [SSRF URL for Alibaba](#ssrf-url-for-alibaba) + * [SSRF URL for Docker](#ssrf-url-for-docker) + * [SSRF URL for Rancher](#ssrf-url-for-rancher) ## Exploit with localhost @@ -451,19 +454,27 @@ curl http://rancher-metadata// More info: https://rancher.com/docs/rancher/v1.6/en/rancher-services/metadata-service/ +## Examples + +- [SSRF and local file read in video to gif converter](https://hackerone.com/reports/115857) +- [SSRF in https://imgur.com/vidgif/url](https://hackerone.com/reports/115748) +- [SSRF in proxy.duckduckgo.com](https://hackerone.com/reports/358119) +- [Blind SSRF on errors.hackerone.net](https://hackerone.com/reports/374737) +- [SSRF on *shopifycloud.com](https://hackerone.com/reports/382612) + ## Thanks to -* [Hackerone - How To: Server-Side Request Forgery (SSRF)](https://www.hackerone.com/blog-How-To-Server-Side-Request-Forgery-SSRF) -* [Awesome URL abuse for SSRF by @orange_8361 #BHUSA](https://twitter.com/albinowax/status/890725759861403648) -* [How I Chained 4 vulnerabilities on GitHub Enterprise, From SSRF Execution Chain to RCE! Orange Tsai](http://blog.orange.tw/2017/07/how-i-chained-4-vulnerabilities-on.html) -* [#HITBGSEC 2017 SG Conf D1 - A New Era Of SSRF - Exploiting Url Parsers - Orange Tsai](https://www.youtube.com/watch?v=D1S-G8rJrEk) -* [SSRF Tips - xl7dev](http://blog.safebuff.com/2016/07/03/SSRF-Tips/) -* [SSRF in https://imgur.com/vidgif/url](https://hackerone.com/reports/115748) -* [Les Server Side Request Forgery : Comment contourner un pare-feu - @Geluchat](https://www.dailysecurity.fr/server-side-request-forgery/) -* [AppSecEU15 Server side browsing considered harmful - @Agarri](http://www.agarri.fr/docs/AppSecEU15-Server_side_browsing_considered_harmful.pdf) -* [Enclosed alphanumerics - @EdOverflow](https://twitter.com/EdOverflow) -* [Hacking the Hackers: Leveraging an SSRF in HackerTarget - @sxcurity](http://www.sxcurity.pro/2017/12/17/hackertarget/) -* [PHP SSRF @secjuice](https://medium.com/secjuice/php-ssrf-techniques-9d422cb28d51) -* [How I convert SSRF to xss in a ssrf vulnerable Jira](https://medium.com/@D0rkerDevil/how-i-convert-ssrf-to-xss-in-a-ssrf-vulnerable-jira-e9f37ad5b158) -* [Piercing the Veil: Server Side Request Forgery to NIPRNet access](https://medium.com/bugbountywriteup/piercing-the-veil-server-side-request-forgery-to-niprnet-access-c358fd5e249a) -* [Hacker101 SSRF](https://www.youtube.com/watch?v=66ni2BTIjS8) +- [Hackerone - How To: Server-Side Request Forgery (SSRF)](https://www.hackerone.com/blog-How-To-Server-Side-Request-Forgery-SSRF) +- [Awesome URL abuse for SSRF by @orange_8361 #BHUSA](https://twitter.com/albinowax/status/890725759861403648) +- [How I Chained 4 vulnerabilities on GitHub Enterprise, From SSRF Execution Chain to RCE! Orange Tsai](http://blog.orange.tw/2017/07/how-i-chained-4-vulnerabilities-on.html) +- [#HITBGSEC 2017 SG Conf D1 - A New Era Of SSRF - Exploiting Url Parsers - Orange Tsai](https://www.youtube.com/watch?v=D1S-G8rJrEk) +- [SSRF Tips - xl7dev](http://blog.safebuff.com/2016/07/03/SSRF-Tips/) +- [SSRF in https://imgur.com/vidgif/url](https://hackerone.com/reports/115748) +- [Les Server Side Request Forgery : Comment contourner un pare-feu - @Geluchat](https://www.dailysecurity.fr/server-side-request-forgery/) +- [AppSecEU15 Server side browsing considered harmful - @Agarri](http://www.agarri.fr/docs/AppSecEU15-Server_side_browsing_considered_harmful.pdf) +- [Enclosed alphanumerics - @EdOverflow](https://twitter.com/EdOverflow) +- [Hacking the Hackers: Leveraging an SSRF in HackerTarget - @sxcurity](http://www.sxcurity.pro/2017/12/17/hackertarget/) +- [PHP SSRF @secjuice](https://medium.com/secjuice/php-ssrf-techniques-9d422cb28d51) +- [How I convert SSRF to xss in a ssrf vulnerable Jira](https://medium.com/@D0rkerDevil/how-i-convert-ssrf-to-xss-in-a-ssrf-vulnerable-jira-e9f37ad5b158) +- [Piercing the Veil: Server Side Request Forgery to NIPRNet access](https://medium.com/bugbountywriteup/piercing-the-veil-server-side-request-forgery-to-niprnet-access-c358fd5e249a) +- [Hacker101 SSRF](https://www.youtube.com/watch?v=66ni2BTIjS8)