diff --git a/.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67 (6) (4) (11).png b/.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67 (6) (4) (11).png new file mode 100644 index 000000000..4c4968b48 Binary files /dev/null and b/.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67 (6) (4) (11).png differ diff --git a/.gitbook/assets/image (436) (1).png b/.gitbook/assets/image (436) (1) (1) (1).png similarity index 100% rename from .gitbook/assets/image (436) (1).png rename to .gitbook/assets/image (436) (1) (1) (1).png diff --git a/README.md b/README.md index a423cea72..16e8b2858 100644 --- a/README.md +++ b/README.md 
@@ -12,9 +12,9 @@ Here you will find the **typical flow** that **you should follow when pentesting **Click in the title to start!** -If you want to **know** about my **latest modifications**/**additions** or you have **any suggestion for HackTricks or PEASS**, **join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/)[ PEASS & HackTricks telegram group here](https://t.me/peass)**, or** follow me on Twitter ****[**🐦**](https://emojipedia.org/bird/)[@carlospolopm](https://twitter.com/carlospolopm). -**If you want to** share some tricks with the community **you can also submit** pull requests **to** https://github.com/carlospolop/hacktricks that will be reflected in this book. -Don't forget to\*\* give ⭐ on the github to motivate me to continue developing this book. +If you want to **know** about my **latest modifications**/**additions** or you have **any suggestion for HackTricks or PEASS**, **join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/)[ PEASS & HackTricks telegram group here](https://t.me/peass)**, or** follow me on Twitter **\*\*\[**🐦**\]\(**[https://emojipedia.org/bird/\)\[@carlospolopm\]\(https://twitter.com/carlospolopm](https://emojipedia.org/bird/%29[@carlospolopm]%28https://twitter.com/carlospolopm)**\).** +If you want to **share some tricks with the community** you can also submit **pull requests** to_\*_ [https://github.com/carlospolop/hacktricks](https://github.com/carlospolop/hacktricks) _that will be reflected in this book. +Don't forget to\_\* give ⭐ on the github to motivate me to continue developing this book. ![](.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67%20%286%29%20%284%29%20%283%29.png) diff --git a/linux-unix/linux-privilege-escalation-checklist.md b/linux-unix/linux-privilege-escalation-checklist.md index 5867d7ee5..9b9a7a361 100644 --- a/linux-unix/linux-privilege-escalation-checklist.md 
+++ b/linux-unix/linux-privilege-escalation-checklist.md @@ -146,7 +146,7 @@ If you want to **know** about my **latest modifications**/**additions** or you h If you want to **share some tricks with the community** you can also submit **pull requests** to ****[**https://github.com/carlospolop/hacktricks**](https://github.com/carlospolop/hacktricks) ****that will be reflected in this book. Don't forget to **give ⭐ on the github** to motivate me to continue developing this book. -![](../.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67%20%286%29%20%284%29%20%285%29.png) +![](../.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67%20%286%29%20%284%29%20%286%29.png) ​[**Buy me a coffee here**](https://www.buymeacoffee.com/carlospolop)\*\*\*\* diff --git a/mobile-apps-pentesting/android-app-pentesting/README.md b/mobile-apps-pentesting/android-app-pentesting/README.md index 38c9d8f43..d124ebf2c 100644 --- a/mobile-apps-pentesting/android-app-pentesting/README.md +++ b/mobile-apps-pentesting/android-app-pentesting/README.md @@ -97,7 +97,7 @@ In this case you could try to abuse the functionality creating a web with the fo In order to find the **code that will be executed in the App**, go to the activity called by the deeplink and search the function **`onNewIntent`**. -![](../../.gitbook/assets/image%20%28436%29%20%281%29%20%281%29.png) +![](../../.gitbook/assets/image%20%28436%29%20%281%29%20%281%29%20%281%29.png) Learn how to [call deep links without using HTML pages below](./#exploiting-schemes-deep-links). 
@@ -455,7 +455,7 @@ _Note that you can **omit the package name** and the mobile will automatically c In order to find the **code that will be executed in the App**, go to the activity called by the deeplink and search the function **`onNewIntent`**. -![](../../.gitbook/assets/image%20%28436%29%20%281%29.png) +![](../../.gitbook/assets/image%20%28436%29%20%281%29%20%281%29.png) #### Sensitive info diff --git a/pentesting/pentesting-web/api-pentesting.md b/pentesting/pentesting-web/api-pentesting.md index bd52013a7..4d8ebf040 100644 --- a/pentesting/pentesting-web/api-pentesting.md +++ b/pentesting/pentesting-web/api-pentesting.md 
@@ -2,10 +2,59 @@ ## Tricks -#### Play with routes +### Public and private endpoints + +Create a list with the public and private endpoints to know which information should be confidential and try to access it in "unathorized" ways. + +### Patterns + +Search for API patterns inside the api and try to use it to discover more. +If you find _/api/albums/**<album\_id>**/photos/**<photo\_id>**_ ****you could try also things like _/api/**posts**/<post\_id>/**comment**/_. Use some fuzzer to discover this new endpoints. + +### Add parameters + +Something like the following example might get you access to another user’s photo album: +_/api/MyPictureList β†’ /api/MyPictureList?**user\_id=<other\_user\_id>**_ + +### Replace parameters + +You can try to **fuzz parameters** or **use** parameters **you have seen** in a different endpoints to try to access other information + +For example, if you see something like: _/api/albums?**album\_id=<album id>**_ + +You could **replace** the **`album_id`** parameter with something completely different and potentially get other data: _/api/albums?**account\_id=<account id>**_ + +### Parameter pollution + + /api/account?**id=<your account id>** β†’ /api/account?**id=<your account id>&id=<admin's account id>** + +### HTTP requet method change + +You can try to use the HTTP methods: **GET, POST, PUT, DELETE, PATCH, INVENTED** to try check if the web server gives you unexpected information with them. 
+ +### Request content-type + +Try to play between the following content-types \(bodifying acordinly the request body\) to make the web server behave unexpectedly: + +* **x-www-form-urlencoded** --> user=test +* **application/xml** --> <user>test</user> +* **application/json** --> {"user": "test"} + +### Play with routes `/files/..%2f..%2f + victim ID + %2f + victim filename` +### Check possible versions + +Old versions may be still be in use and be more vulenrable than latest endpoints + +* `/api/v1/login` +* `/api/v2/login` +* `/api/CharityEventFeb2020/user/pp/` +* `/api/CharityEventFeb2021/user/pp/` + +## + ## Owasp API Security Top 10 Read this document to learn how to **search** and **exploit** Owasp Top 10 API vulnerabilities: [https://github.com/OWASP/API-Security/blob/master/2019/en/dist/owasp-api-security-top-10.pdf](https://github.com/OWASP/API-Security/blob/master/2019/en/dist/owasp-api-security-top-10.pdf) diff --git a/windows/active-directory-methodology/README.md b/windows/active-directory-methodology/README.md index 023847c14..a2da4db11 100644 --- a/windows/active-directory-methodology/README.md +++ b/windows/active-directory-methodology/README.md @@ -398,7 +398,7 @@ If you don't execute this from a Domain Controller, ATA is going to catch you, s * [Python script to enumerate active directory](https://github.com/ropnop/windapsearch) * [Python script to enumerate active directory](https://github.com/CroweCybersecurity/ad-ldap-enum) -![](../../.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67%20%286%29%20%284%29%20%286%29.png) +![](../../.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67%20%286%29%20%284%29%20%2811%29.png) ​[**Buy me a coffee here**](https://www.buymeacoffee.com/carlospolop) 
diff --git a/windows/checklist-windows-privilege-escalation.md b/windows/checklist-windows-privilege-escalation.md index 0cf1ef5fa..ea454a970 100644 --- a/windows/checklist-windows-privilege-escalation.md +++ b/windows/checklist-windows-privilege-escalation.md @@ -118,7 +118,7 @@ If you want to **know** about my **latest modifications**/**additions** or you h If you want to **share some tricks with the community** you can also submit **pull requests** to ****[**https://github.com/carlospolop/hacktricks**](https://github.com/carlospolop/hacktricks) ****that will be reflected in this book. Don't forget to **give ⭐ on the github** to motivate me to continue developing this book. -![](../.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67%20%286%29%20%284%29%20%284%29.png) +![](../.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67%20%286%29%20%284%29%20%285%29.png) ​[**Buy me a coffee here**](https://www.buymeacoffee.com/carlospolop)\*\*\*\*
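Review bot: In the README.md hunk (`@@ -12,9 +12,9 @@`) the Twitter link has been turned into escaped markdown that no longer renders as a link: `**\*\*\[**🐦**\]\(**[https://emojipedia.org/bird/\)\[@carlospolopm\]\(https://twitter.com/carlospolopm](...)**\).**`. Restore the form the removed line had, `[**🐦**](https://emojipedia.org/bird/)[@carlospolopm](https://twitter.com/carlospolopm)`, and drop the escape residue the same hunk introduces (`to_\*_` and `Don't forget to\_\*`). This looks like an editor round-trip rather than an intended change, so the safest fix is to revert these three lines entirely.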
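Review bot: The linux-unix/linux-privilege-escalation-checklist.md hunk repoints the image from the `(6) (4) (5).png` copy to `(6) (4) (6).png`, but nothing in this diff adds or renames a `(6) (4) (6).png` asset (the only new binary is `(6) (4) (11).png`), so confirm the target exists before merging. All of these pages embed the same buy-me-a-coffee image under different numbered copies; pointing every page at one canonical asset would end this kind of reference shuffling and the risk of a dangling link.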
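Review bot: In the first android-app-pentesting/README.md hunk (`@@ -97,7 +97,7 @@`) the context lines ("In order to find the code that will be executed in the App, go to the activity called by the deeplink and search the function `onNewIntent`" plus its screenshot) are identical to the context of the second hunk at line 455 of the same file, each with its own copy of the same screenshot (`image (436) (1) (1) (1).png` vs `image (436) (1) (1).png`). Keep the paragraph and one image in a single place and link to it from the other section instead of maintaining two screenshots of the same thing.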
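Review bot: In the second android-app-pentesting/README.md hunk (`@@ -455,7 +455,7 @@`) the reference changes to `image (436) (1) (1).png`, but the rename in this diff only covers `image (436) (1).png` -> `image (436) (1) (1) (1).png`; verify that `image (436) (1) (1).png` actually exists in the tree, otherwise this image will break while the old `(436) (1)` name it replaced is the one being renamed away.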
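Review bot: In the api-pentesting.md hunk the "HTTP requet method change" section lists `INVENTED` next to real verbs without saying what to do with it; say explicitly that it means sending a non-existent method name to see whether the server's method-based routing or access control falls through to a default handler. The "Parameter pollution" section likewise gives only the transformed URL `/api/account?id=<your account id>&id=<admin's account id>`; add a sentence that the goal is to learn which occurrence the backend honours (first, last or both), since an authorisation check on one and a data fetch on the other is the bug you are looking for. Smaller points in the same hunk: a stray empty `##` heading is left just before `## Owasp API Security Top 10` and should be removed; there is `****` residue after `<photo\_id>**_`; and typos: "unathorized", "requet", "bodifying acordinly", "vulenrable", "this new endpoints" (these new endpoints), "in a different endpoints" (in a different endpoint), "may be still be in use".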
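Review bot: The new binary `.gitbook/assets/68747470...png (6) (4) (11).png` exists only so that windows/active-directory-methodology/README.md can repoint from the `(6) (4) (6).png` copy to it, yet it is the same buy-me-a-coffee image the other pages already reference under `(3)`, `(5)`, `(6)` and so on. Point this page at one of the existing copies instead of committing another identical binary, and ideally consolidate all of them into a single asset.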
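Review bot: In the windows/checklist-windows-privilege-escalation.md hunk the reference moves from `(6) (4) (4).png` to `(6) (4) (5).png` with no matching asset addition or rename anywhere in this diff; confirm that the `(5)` copy exists and that the `(4)` copy is either still referenced by another page or deleted, so the change neither breaks this image nor leaves an orphaned binary behind.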