mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-14 08:57:55 +00:00
GitBook: [master] 6 pages and 3 assets modified
This commit is contained in:
parent
5c0ff3b001
commit
17b7f4d0da
8 changed files with 58 additions and 9 deletions
Binary file not shown.
After Width: | Height: | Size: 1.5 KiB |
Before Width: | Height: | Size: 1.6 KiB After Width: | Height: | Size: 1.6 KiB |
|
@ -12,9 +12,9 @@ Here you will find the **typical flow** that **you should follow when pentesting
|
||||||
|
|
||||||
**Click in the title to start!**
|
**Click in the title to start!**
|
||||||
|
|
||||||
If you want to **know** about my **latest modifications**/**additions** or you have **any suggestion for HackTricks or PEASS**, **join the** [**💬**](https://emojipedia.org/speech-balloon/)[ PEASS & HackTricks telegram group here](https://t.me/peass)**, or** follow me on Twitter ****[**🐦**](https://emojipedia.org/bird/)[@carlospolopm](https://twitter.com/carlospolopm).
|
If you want to **know** about my **latest modifications**/**additions** or you have **any suggestion for HackTricks or PEASS**, **join the** [**💬**](https://emojipedia.org/speech-balloon/)[ PEASS & HackTricks telegram group here](https://t.me/peass)**, or** follow me on Twitter **\*\*\[**🐦**\]\(**[https://emojipedia.org/bird/\)\[@carlospolopm\]\(https://twitter.com/carlospolopm](https://emojipedia.org/bird/%29[@carlospolopm]%28https://twitter.com/carlospolopm)**\).**
|
||||||
**If you want to** share some tricks with the community **you can also submit** pull requests **to** https://github.com/carlospolop/hacktricks that will be reflected in this book.
|
If you want to **share some tricks with the community** you can also submit **pull requests** to_\*_ [https://github.com/carlospolop/hacktricks](https://github.com/carlospolop/hacktricks) _that will be reflected in this book.
|
||||||
Don't forget to\*\* give ⭐ on the github to motivate me to continue developing this book.
|
Don't forget to\_\* give ⭐ on the github to motivate me to continue developing this book.
|
||||||
|
|
||||||
![](.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67%20%286%29%20%284%29%20%283%29.png)
|
![](.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67%20%286%29%20%284%29%20%283%29.png)
|
||||||
|
|
||||||
|
|
|
@ -146,7 +146,7 @@ If you want to **know** about my **latest modifications**/**additions** or you h
|
||||||
If you want to **share some tricks with the community** you can also submit **pull requests** to ****[**https://github.com/carlospolop/hacktricks**](https://github.com/carlospolop/hacktricks) ****that will be reflected in this book.
|
If you want to **share some tricks with the community** you can also submit **pull requests** to ****[**https://github.com/carlospolop/hacktricks**](https://github.com/carlospolop/hacktricks) ****that will be reflected in this book.
|
||||||
Don't forget to **give ⭐ on the github** to motivate me to continue developing this book.
|
Don't forget to **give ⭐ on the github** to motivate me to continue developing this book.
|
||||||
|
|
||||||
![](../.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67%20%286%29%20%284%29%20%285%29.png)
|
![](../.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67%20%286%29%20%284%29%20%286%29.png)
|
||||||
|
|
||||||
[**Buy me a coffee here**](https://www.buymeacoffee.com/carlospolop)\*\*\*\*
|
[**Buy me a coffee here**](https://www.buymeacoffee.com/carlospolop)\*\*\*\*
|
||||||
|
|
||||||
|
|
|
@ -97,7 +97,7 @@ In this case you could try to abuse the functionality creating a web with the fo
|
||||||
|
|
||||||
In order to find the **code that will be executed in the App**, go to the activity called by the deeplink and search the function **`onNewIntent`**.
|
In order to find the **code that will be executed in the App**, go to the activity called by the deeplink and search the function **`onNewIntent`**.
|
||||||
|
|
||||||
![](../../.gitbook/assets/image%20%28436%29%20%281%29%20%281%29.png)
|
![](../../.gitbook/assets/image%20%28436%29%20%281%29%20%281%29%20%281%29.png)
|
||||||
|
|
||||||
Learn how to [call deep links without using HTML pages below](./#exploiting-schemes-deep-links).
|
Learn how to [call deep links without using HTML pages below](./#exploiting-schemes-deep-links).
|
||||||
|
|
||||||
|
@ -455,7 +455,7 @@ _Note that you can **omit the package name** and the mobile will automatically c
|
||||||
|
|
||||||
In order to find the **code that will be executed in the App**, go to the activity called by the deeplink and search the function **`onNewIntent`**.
|
In order to find the **code that will be executed in the App**, go to the activity called by the deeplink and search the function **`onNewIntent`**.
|
||||||
|
|
||||||
![](../../.gitbook/assets/image%20%28436%29%20%281%29.png)
|
![](../../.gitbook/assets/image%20%28436%29%20%281%29%20%281%29.png)
|
||||||
|
|
||||||
#### Sensitive info
|
#### Sensitive info
|
||||||
|
|
||||||
|
|
|
@ -2,10 +2,59 @@
|
||||||
|
|
||||||
## Tricks
|
## Tricks
|
||||||
|
|
||||||
#### Play with routes
|
### Public and private endpoints
|
||||||
|
|
||||||
|
Create a list with the public and private endpoints to know which information should be confidential and try to access it in "unathorized" ways.
|
||||||
|
|
||||||
|
### Patterns
|
||||||
|
|
||||||
|
Search for API patterns inside the api and try to use it to discover more.
|
||||||
|
If you find _/api/albums/**<album\_id>**/photos/**<photo\_id>**_ ****you could try also things like _/api/**posts**/<post\_id>/**comment**/_. Use some fuzzer to discover this new endpoints.
|
||||||
|
|
||||||
|
### Add parameters
|
||||||
|
|
||||||
|
Something like the following example might get you access to another user’s photo album:
|
||||||
|
_/api/MyPictureList → /api/MyPictureList?**user\_id=<other\_user\_id>**_
|
||||||
|
|
||||||
|
### Replace parameters
|
||||||
|
|
||||||
|
You can try to **fuzz parameters** or **use** parameters **you have seen** in a different endpoints to try to access other information
|
||||||
|
|
||||||
|
For example, if you see something like: _/api/albums?**album\_id=<album id>**_
|
||||||
|
|
||||||
|
You could **replace** the **`album_id`** parameter with something completely different and potentially get other data: _/api/albums?**account\_id=<account id>**_
|
||||||
|
|
||||||
|
### Parameter pollution
|
||||||
|
|
||||||
|
/api/account?**id=<your account id>** → /api/account?**id=<your account id>&id=<admin's account id>**
|
||||||
|
|
||||||
|
### HTTP requet method change
|
||||||
|
|
||||||
|
You can try to use the HTTP methods: **GET, POST, PUT, DELETE, PATCH, INVENTED** to try check if the web server gives you unexpected information with them.
|
||||||
|
|
||||||
|
### Request content-type
|
||||||
|
|
||||||
|
Try to play between the following content-types \(bodifying acordinly the request body\) to make the web server behave unexpectedly:
|
||||||
|
|
||||||
|
* **x-www-form-urlencoded** --> user=test
|
||||||
|
* **application/xml** --> <user>test</user>
|
||||||
|
* **application/json** --> {"user": "test"}
|
||||||
|
|
||||||
|
### Play with routes
|
||||||
|
|
||||||
`/files/..%2f..%2f + victim ID + %2f + victim filename`
|
`/files/..%2f..%2f + victim ID + %2f + victim filename`
|
||||||
|
|
||||||
|
### Check possible versions
|
||||||
|
|
||||||
|
Old versions may be still be in use and be more vulenrable than latest endpoints
|
||||||
|
|
||||||
|
* `/api/v1/login`
|
||||||
|
* `/api/v2/login`
|
||||||
|
* `/api/CharityEventFeb2020/user/pp/<ID>`
|
||||||
|
* `/api/CharityEventFeb2021/user/pp/<ID>`
|
||||||
|
|
||||||
|
##
|
||||||
|
|
||||||
## Owasp API Security Top 10
|
## Owasp API Security Top 10
|
||||||
|
|
||||||
Read this document to learn how to **search** and **exploit** Owasp Top 10 API vulnerabilities: [https://github.com/OWASP/API-Security/blob/master/2019/en/dist/owasp-api-security-top-10.pdf](https://github.com/OWASP/API-Security/blob/master/2019/en/dist/owasp-api-security-top-10.pdf)
|
Read this document to learn how to **search** and **exploit** Owasp Top 10 API vulnerabilities: [https://github.com/OWASP/API-Security/blob/master/2019/en/dist/owasp-api-security-top-10.pdf](https://github.com/OWASP/API-Security/blob/master/2019/en/dist/owasp-api-security-top-10.pdf)
|
||||||
|
|
|
@ -398,7 +398,7 @@ If you don't execute this from a Domain Controller, ATA is going to catch you, s
|
||||||
* [Python script to enumerate active directory](https://github.com/ropnop/windapsearch)
|
* [Python script to enumerate active directory](https://github.com/ropnop/windapsearch)
|
||||||
* [Python script to enumerate active directory](https://github.com/CroweCybersecurity/ad-ldap-enum)
|
* [Python script to enumerate active directory](https://github.com/CroweCybersecurity/ad-ldap-enum)
|
||||||
|
|
||||||
![](../../.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67%20%286%29%20%284%29%20%286%29.png)
|
![](../../.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67%20%286%29%20%284%29%20%2811%29.png)
|
||||||
|
|
||||||
[**Buy me a coffee here**](https://www.buymeacoffee.com/carlospolop)
|
[**Buy me a coffee here**](https://www.buymeacoffee.com/carlospolop)
|
||||||
|
|
||||||
|
|
|
@ -118,7 +118,7 @@ If you want to **know** about my **latest modifications**/**additions** or you h
|
||||||
If you want to **share some tricks with the community** you can also submit **pull requests** to ****[**https://github.com/carlospolop/hacktricks**](https://github.com/carlospolop/hacktricks) ****that will be reflected in this book.
|
If you want to **share some tricks with the community** you can also submit **pull requests** to ****[**https://github.com/carlospolop/hacktricks**](https://github.com/carlospolop/hacktricks) ****that will be reflected in this book.
|
||||||
Don't forget to **give ⭐ on the github** to motivate me to continue developing this book.
|
Don't forget to **give ⭐ on the github** to motivate me to continue developing this book.
|
||||||
|
|
||||||
![](../.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67%20%286%29%20%284%29%20%284%29.png)
|
![](../.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67%20%286%29%20%284%29%20%285%29.png)
|
||||||
|
|
||||||
[**Buy me a coffee here**](https://www.buymeacoffee.com/carlospolop)\*\*\*\*
|
[**Buy me a coffee here**](https://www.buymeacoffee.com/carlospolop)\*\*\*\*
|
||||||
|
|
||||||
|
|
Loading…
Reference in a new issue