diff --git a/.gitbook/assets/image (466) (1).png b/.gitbook/assets/image (466) (2) (1).png similarity index 100% rename from .gitbook/assets/image (466) (1).png rename to .gitbook/assets/image (466) (2) (1).png diff --git a/.gitbook/assets/image (466).png b/.gitbook/assets/image (466) (2) (2).png similarity index 100% rename from .gitbook/assets/image (466).png rename to .gitbook/assets/image (466) (2) (2).png diff --git a/.gitbook/assets/image (477) (1).png b/.gitbook/assets/image (477) (2) (1).png similarity index 100% rename from .gitbook/assets/image (477) (1).png rename to .gitbook/assets/image (477) (2) (1).png diff --git a/.gitbook/assets/image (477).png b/.gitbook/assets/image (477) (2) (2).png similarity index 100% rename from .gitbook/assets/image (477).png rename to .gitbook/assets/image (477) (2) (2).png diff --git a/.gitbook/assets/image (481).png b/.gitbook/assets/image (479) (2).png similarity index 100% rename from .gitbook/assets/image (481).png rename to .gitbook/assets/image (479) (2).png diff --git a/.gitbook/assets/image (495) (1).png b/.gitbook/assets/image (495) (1) (1) (1).png similarity index 100% rename from .gitbook/assets/image (495) (1).png rename to .gitbook/assets/image (495) (1) (1) (1).png diff --git a/.gitbook/assets/image (509).png b/.gitbook/assets/image (507) (1).png similarity index 100% rename from .gitbook/assets/image (509).png rename to .gitbook/assets/image (507) (1).png diff --git a/forensics/basic-forensic-methodology/partitions-file-systems-carving/ntfs.md b/forensics/basic-forensic-methodology/partitions-file-systems-carving/ntfs.md index 3a8427171..912a74a8e 100644 --- a/forensics/basic-forensic-methodology/partitions-file-systems-carving/ntfs.md +++ b/forensics/basic-forensic-methodology/partitions-file-systems-carving/ntfs.md 
@@ -134,7 +134,7 @@ Some interesting attributes: * [$Data](https://flatcap.org/linux-ntfs/ntfs/attributes/data.html) \(among others\): * Contains the file's data or the indication of the sectors where the data resides. In the following example the attribute data is not resident so the attribute gives information about the sectors where the data resides. -![](../../../.gitbook/assets/image%20%28509%29.png) +![](../../../.gitbook/assets/image%20%28507%29%20%281%29.png) ![](../../../.gitbook/assets/image%20%28512%29.png) diff --git a/forensics/basic-forensic-methodology/windows-forensics/README.md b/forensics/basic-forensic-methodology/windows-forensics/README.md index 794cfaddd..b2f1e04f1 100644 --- a/forensics/basic-forensic-methodology/windows-forensics/README.md +++ b/forensics/basic-forensic-methodology/windows-forensics/README.md @@ -32,7 +32,7 @@ Having these files you can sue the tool [**Rifiuti**](https://github.com/abelche .\rifiuti-vista.exe C:\Users\student\Desktop\Recycle ``` -![](../../../.gitbook/assets/image%20%28495%29%20%281%29.png) +![](../../../.gitbook/assets/image%20%28495%29%20%281%29%20%281%29.png) ### Volume Shadow Copies @@ -130,7 +130,7 @@ The files in the folder WPDNSE are a copy of the original ones, then won't survi Check the file `C:\Windows\inf\setupapi.dev.log` to get the timestamps about when the USB connection was produced \(search for `Section start`\). -![](../../../.gitbook/assets/image%20%28477%29%20%281%29.png) +![](../../../.gitbook/assets/image%20%28477%29%20%282%29%20%281%29.png) ### USB Detective diff --git a/mobile-apps-pentesting/ios-pentesting/README.md b/mobile-apps-pentesting/ios-pentesting/README.md index 5086b5ecf..e4c31b719 100644 --- a/mobile-apps-pentesting/ios-pentesting/README.md +++ b/mobile-apps-pentesting/ios-pentesting/README.md 
@@ -593,7 +593,7 @@ Many apps log informative \(and potentially sensitive\) messages to the console 5. Reproduce the problem. 6. Click on the **Open Console** button located in the upper right-hand area of the Devices window to view the console logs on a separate window. -![](../../.gitbook/assets/image%20%28466%29%20%281%29.png) +![](../../.gitbook/assets/image%20%28466%29%20%282%29%20%281%29.png) You can also connect to the device shell as explained in Accessing the Device Shell, install **socat** via **apt-get** and run the following command: diff --git a/pentesting-web/cors-bypass.md b/pentesting-web/cors-bypass.md index 0df42630e..53a3a63ef 100644 --- a/pentesting-web/cors-bypass.md +++ b/pentesting-web/cors-bypass.md 
@@ -89,9 +89,13 @@ Access-Control-Max-Age: 240 ![](../.gitbook/assets/preflight.svg) -Note that in a **GET/POST request no pre-flight request is sent** \(the request is sent **directly**\), but if you want to access the **headers/body of the response**, it must contains an _Access-Control-Allow-Origin_ header allowing it. +Note that usually \(depending on the content-type and headers set\) in a **GET/POST request no pre-flight request is sent** \(the request is sent **directly**\), but if you want to access the **headers/body of the response**, it must contains an _Access-Control-Allow-Origin_ header allowing it. **Therefore, CORS doesn't protect against CSRF \(but it can be helpful\).** +{% hint style="info" %} +**Check** [**in this link**](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#simple_requests) **the conditions of a request to avoid sending of a pre-flight request** +{% endhint %} + ## Exploitable misconfigurations Notice that most of the **real attacks require `Access-Control-Allow-Credentials`** to be set to **`true`** because this will allow the browser to send the credentials and read the response. Without credentials, many attacks become irrelevant; it means you can't ride on a user's cookies, so there is often nothing to be gained by making their browser issue the request rather than issuing it yourself. diff --git a/pentesting-web/csrf-cross-site-request-forgery.md b/pentesting-web/csrf-cross-site-request-forgery.md index b6670e42e..637f3dc05 100644 --- a/pentesting-web/csrf-cross-site-request-forgery.md +++ b/pentesting-web/csrf-cross-site-request-forgery.md 
@@ -73,7 +73,13 @@ In this situation, the attacker can again perform a CSRF **attack if the web sit ### Content-Type change -You can change to POST Content-Type to _**application/json, application/x-url-encoded**_ or _**form-multipart**_ and maybe you will be able to bypass the CSRF token. +According to [**this**](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#simple_requests), n order to **avoid preflight** requests using **POST** method these are the allowed Content-Type values: + +* **`application/x-www-form-urlencoded`** +* **`multipart/form-data`** +* **`text/plain`** + +However, note that the **severs logic may vary** depending on the **Content-Type** used so you should try the values mentioned and others like **`application/json`**_**,**_**`text/xml`**, **`application/xml`**_._ ### Referrer / Origin check bypass diff --git a/pentesting-web/ldap-injection.md b/pentesting-web/ldap-injection.md index 65817a14b..4bc9225fa 100644 --- a/pentesting-web/ldap-injection.md +++ b/pentesting-web/ldap-injection.md @@ -16,7 +16,7 @@ LDAP Injection is an attack used to exploit web based applications that construc **Filterlist** = 1\*filter **Item**= simple / present / substring **Simple** = attr filtertype assertionvalue -**Filtertype** = _'=' / '~=' / '>=' / '<='_ +**Filtertype** = _'=' / '~=' / '>=' / '<='_ **Present** = attr = \* **Substring** = attr ”=” \[initial\] \* \[final\] **Initial** = assertionvalue 
@@ -128,7 +128,7 @@ You can iterate over the ascii letters, digits and symbols: ### **Discover valid LDAP fields** -LDAP objects **contains by default several attributes** that could be used to **save information**. You can try to **brute-force all of them to extract that info.** You can find a list of ****[**default LDAP attributes here**](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/LDAP%20Injection/Intruder/LDAP_attributes.txt)**.** +LDAP objects **contains by default several attributes** that could be used to **save information**. You can try to **brute-force all of them to extract that info.** You can find a list of **\*\*\[**default LDAP attributes here**\]\(**[https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/LDAP Injection/Intruder/LDAP\_attributes.txt](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/LDAP%20Injection/Intruder/LDAP_attributes.txt)**\)**.\*\* ```python #!/usr/bin/python3 @@ -156,7 +156,7 @@ for attribute in attributes: #Extract all attributes if "Cannot login" in r.text: value += str(char) break - + if char == alphabet[-1]: #If last of all the chars, then, no more chars in the value finish = True print() diff --git a/pentesting/pentesting-kubernetes/enumeration-from-a-pod.md b/pentesting/pentesting-kubernetes/enumeration-from-a-pod.md index 3f8f8b6f1..9ac9ad5bb 100644 --- a/pentesting/pentesting-kubernetes/enumeration-from-a-pod.md +++ b/pentesting/pentesting-kubernetes/enumeration-from-a-pod.md @@ -76,11 +76,13 @@ The following `kubectl` commands indicates just how to list the objects. If you {% endhint %} ### Using kubectl + when using kubectl it might come in handy to define a temporary alias, if the token used is different to the one defined in `/run/secrets/kubernetes.io/serviceaccount` or `/var/run/secrets/kubernetes.io/serviceaccount`. + ```bash alias kubectl='kubectl --token=' - ``` + [kubectl cheatsheet](https://kubernetes.io/docs/reference/kubectl/cheatsheet/) ### Get namespaces 
@@ -273,12 +275,10 @@ If you are able to create new pods you might be able to escape from them to the ```bash kubectl get pod [-n ] -o yaml - ``` Then you create your attack.yaml file - ```yaml apiVersion: v1 kind: Pod @@ -300,35 +300,29 @@ spec: - name: host-fs mountPath: /root restartPolicy: Never - ``` + [original yaml source](https://gist.github.com/abhisek/1909452a8ab9b8383a2e94f95ab0ccba) After that you create the pod ```bash kubectl apply -f attacker.yaml [-n ] - ``` Now you can switch to the created pod as follows ```bash kubectl exec -it attacker-pod [-n ] -- bash # attacker-pod is the name defined in the yaml file - ``` And finally you chroot into the node's system ```bash chroot /root /bin/bash - ``` -Information obtained from:\ -[Kubernetes Namespace Breakout using Insecure Host Path Volume — Part 1](https://blog.appsecco.com/kubernetes-namespace-breakout-using-insecure-host-path-volume-part-1-b382f2a6e216)\ -[Attacking and Defending Kubernetes: Bust-A-Kube – Episode 1](https://www.inguardians.com/attacking-and-defending-kubernetes-bust-a-kube-episode-1/) - +Information obtained from: [Kubernetes Namespace Breakout using Insecure Host Path Volume — Part 1](https://blog.appsecco.com/kubernetes-namespace-breakout-using-insecure-host-path-volume-part-1-b382f2a6e216) [Attacking and Defending Kubernetes: Bust-A-Kube – Episode 1](https://www.inguardians.com/attacking-and-defending-kubernetes-bust-a-kube-episode-1/) ## Sniffing diff --git a/todo/more-tools.md b/todo/more-tools.md index f27f0fc32..4b2d7ffa6 100644 --- a/todo/more-tools.md +++ b/todo/more-tools.md @@ -113,5 +113,3 @@ y por aqui la metodologia owasp para analizar firmware: [https://github.com/scri * [https://github.com/doyensec/awesome-electronjs-hacking](https://github.com/doyensec/awesome-electronjs-hacking) : This list aims to cover Electron.js security related topics. * [https://github.com/serain/bbrecon](https://github.com/serain/bbrecon) : Info about BB programs -## -
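Review bot: three of the asset renames have no matching reference update in this patch: `image (466).png` becomes `image (466) (2) (2).png`, `image (477).png` becomes `image (477) (2) (2).png`, and `image (481).png` becomes `image (479) (2).png`, yet only the `(466) (1)`, `(477) (1)`, `(495) (1)` and `(509)` paths are rewritten in the markdown hunks below. Any page that embeds one of the three unreferenced originals now points at a missing file; grep the book for those names and update them in the same commit, or drop the renames if the files are unused.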
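Review bot: the Windows forensics hunk header context reads "Having these files you can sue the tool Rifiuti", a typo for "use"; since this file is already being touched for the image path, fix the word in the same commit.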
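Review bot: in the cors-bypass hunk the rewritten sentence keeps the grammar slip "it must contains", which should read "it must contain". The new qualifier "usually (depending on the content-type and headers set)" is vague; state the actual rule, which the added MDN hint already points to: only simple requests (GET, HEAD or POST with CORS-safelisted headers and one of the three form content types) are sent without a pre-flight, everything else triggers one. The added hint block itself is fine.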
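Review bot: in the csrf hunk "n order to" is missing its leading "I", "severs logic" should be "server's logic", and the stray `_**,**_` and `_._` fragments around the last list of content types render as literal underscores or unintended italics; drop them and separate the items with plain commas. It would also help to say why the extra values matter: `application/json`, `text/xml` and `application/xml` are not simple-request content types, so a browser XHR/fetch carrying them triggers a pre-flight; testing them tells you whether the server's body parser is lenient about Content-Type, not whether the pre-flight can be skipped.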
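Review bot: the ldap-injection Filtertype hunk changes only invisible whitespace (the `-` and `+` lines read identically). If the intent was to strip a trailing or non-breaking space that is fine, otherwise this hunk is editor noise and can be dropped.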
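Review bot: the ldap-injection attributes link is now broken markdown: `**\*\*\[**default LDAP attributes here**\]\(**[https://github.com/...](https://github.com/...)**\)**.\*\*` escapes the brackets and parentheses, so it renders as the literal text `**[default LDAP attributes here](` followed by a bare URL link and trailing asterisks. Restore the original form, `[**default LDAP attributes here**](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/LDAP%20Injection/Intruder/LDAP_attributes.txt)`, keeping the `%20` in the path rather than the literal space the new line introduces in the link text.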
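Review bot: in the kubernetes enumeration alias hunk the new line `alias kubectl='kubectl --token='` has nothing after `--token=`, so copied as-is the alias sends an empty bearer token; make the placeholder visible (for example `--token=<token>`) so readers know to substitute the value. Worth one sentence that a token embedded in an alias shows up in shell history and in the process arguments of every kubectl invocation, so the alias should be unset when finished.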
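Review bot: in the pod-creation hunks the context line "Then you create your attack.yaml file" and the command `kubectl apply -f attacker.yaml` disagree on the file name; pick one and use it in both places. Removing the blank lines inside the code fences is fine, but collapsing the "Information obtained from:" block onto one line drops the `\` line breaks, so the two source references now run together into one sentence; keep them on separate lines or as a two-item list.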