mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-28 15:41:34 +00:00
GITBOOK-4178: change request with no subject merged in GitBook
This commit is contained in:
parent
d7952703e4
commit
0a792c2576
3 changed files with 17 additions and 5 deletions
|
@ -14,7 +14,7 @@
|
||||||
|
|
||||||
<figure><img src="../../.gitbook/assets/image (1) (3) (1).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../../.gitbook/assets/image (1) (3) (1).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
Join [HackenProof Discord](https://discord.com/invite/N3FrSbmwdy) server to communicate with experienced hackers and bug bounty hunters!
|
Join [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) server to communicate with experienced hackers and bug bounty hunters!
|
||||||
|
|
||||||
**Hacking Insights**\
|
**Hacking Insights**\
|
||||||
Engage with content that delves into the thrill and challenges of hacking
|
Engage with content that delves into the thrill and challenges of hacking
|
||||||
|
@ -25,9 +25,7 @@ Keep up-to-date with fast-paced hacking world through real-time news and insight
|
||||||
**Latest Announcements**\
|
**Latest Announcements**\
|
||||||
Stay informed with the newest bug bounties launching and crucial platform updates
|
Stay informed with the newest bug bounties launching and crucial platform updates
|
||||||
|
|
||||||
Join us on [Discord](https://discord.com/invite/N3FrSbmwdy) and start collaborating with top hackers today!
|
**Join us on** [**Discord**](https://discord.com/invite/N3FrSbmwdy) and start collaborating with top hackers today!
|
||||||
|
|
||||||
{% embed url="https://discord.com/invite/N3FrSbmwdy" %}
|
|
||||||
|
|
||||||
## Android Applications Basics
|
## Android Applications Basics
|
||||||
|
|
||||||
|
|
|
@ -713,7 +713,11 @@ Please, note that prototype pollution works if the **attribute** of an object th
|
||||||
In Jun 2022 from [**this commit**](https://github.com/nodejs/node/commit/20b0df1d1eba957ea30ba618528debbe02a97c6a) the var `options` instead of a `{}` is a **`kEmptyObject`**. Which **prevents a prototype pollution** from affecting the **attributes** of **`options`** to obtain RCE.\
|
In Jun 2022 from [**this commit**](https://github.com/nodejs/node/commit/20b0df1d1eba957ea30ba618528debbe02a97c6a) the var `options` instead of a `{}` is a **`kEmptyObject`**. Which **prevents a prototype pollution** from affecting the **attributes** of **`options`** to obtain RCE.\
|
||||||
At least from v18.4.0 this protection has been **implemented,** and therefore the `spawn` and `spawnSync` **exploits** affecting the methods **no longer work** (if no `options` are used!).
|
At least from v18.4.0 this protection has been **implemented,** and therefore the `spawn` and `spawnSync` **exploits** affecting the methods **no longer work** (if no `options` are used!).
|
||||||
|
|
||||||
In [**this commit**](https://github.com/nodejs/node/commit/0313102aaabb49f78156cadc1b3492eac3941dd9) the **prototype pollution** of **`contextExtensions`** from the vm library was **also kind of fixed** setting options to \*\*`kEmptyObject` \*\* instead of **`{}`.**
|
In [**this commit**](https://github.com/nodejs/node/commit/0313102aaabb49f78156cadc1b3492eac3941dd9) the **prototype pollution** of **`contextExtensions`** from the vm library was **also kind of fixed** setting options to **`kEmptyObject`** instead of **`{}`.**
|
||||||
|
|
||||||
|
### **Other Gadgets**
|
||||||
|
|
||||||
|
* [https://github.com/yuske/server-side-prototype-pollution](https://github.com/yuske/server-side-prototype-pollution)
|
||||||
|
|
||||||
## References
|
## References
|
||||||
|
|
||||||
|
|
|
@ -202,6 +202,16 @@ For more detailed info about how to abuse AWS cognito check:
|
||||||
|
|
||||||
{% embed url="https://cloud.hacktricks.xyz/pentesting-cloud/aws-pentesting/aws-unauthenticated-enum-access/aws-cognito-unauthenticated-enum" %}
|
{% embed url="https://cloud.hacktricks.xyz/pentesting-cloud/aws-pentesting/aws-unauthenticated-enum-access/aws-cognito-unauthenticated-enum" %}
|
||||||
|
|
||||||
|
### Abusing other Apps tokens <a href="#bda5" id="bda5"></a>
|
||||||
|
|
||||||
|
As [**mentioned in this writeup**](https://salt.security/blog/oh-auth-abusing-oauth-to-take-over-millions-of-accounts), OAuth flows that expect to receive the **token** (and not a code) could be vulnerable if they not check that the token belongs to the app.
|
||||||
|
|
||||||
|
This is because an **attacker** could create an **application supporting OAuth and login with Facebook** (for example) in his own application. Then, once a victim logins with Facebook in the **attackers application**, the attacker could get the **OAuth token of the user given to his application, and use it to login in the victim OAuth application using the victims user token**.
|
||||||
|
|
||||||
|
{% hint style="danger" %}
|
||||||
|
Therefore, if the attacker manages to get the user access his own OAuth application, he will be able to take over the victims account in applications that are expecting a token and aren't checking if the token was granted to their app ID.
|
||||||
|
{% endhint %}
|
||||||
|
|
||||||
### Two links & cookie <a href="#bda5" id="bda5"></a>
|
### Two links & cookie <a href="#bda5" id="bda5"></a>
|
||||||
|
|
||||||
According to [**this writeup**](https://medium.com/@metnew/why-electron-apps-cant-store-your-secrets-confidentially-inspect-option-a49950d6d51f), it was possible to make a victim open a page with a **returnUrl** pointing to the attackers host. This info would be **stored in a cookie (RU)** and in a **later step** the **prompt** will **ask** the **user** if he wants to give access to that attackers host.
|
According to [**this writeup**](https://medium.com/@metnew/why-electron-apps-cant-store-your-secrets-confidentially-inspect-option-a49950d6d51f), it was possible to make a victim open a page with a **returnUrl** pointing to the attackers host. This info would be **stored in a cookie (RU)** and in a **later step** the **prompt** will **ask** the **user** if he wants to give access to that attackers host.
|
||||||
|
|
Loading…
Reference in a new issue