GitBook: [#3169] No subject

cloud-security/atlantis.md

@@ -305,7 +305,7 @@ Moreover, if you don't have configured in the **branch protection** to ask to **
 
 This is the **setting** in Github branch protections:
 
-![](<../.gitbook/assets/image (375) (1).png>)
+![](<../.gitbook/assets/image (375) (1) (1).png>)
 
 ### Webhook Secret
 

network-services-pentesting/pentesting-web/xss-to-rce-electron-desktop-apps/electron-contextisolation-rce-via-preload-code.md

@@ -1,4 +1,4 @@
-
+# Electron contextIsolation RCE via preload code
 
 <details>
 
@@ -16,14 +16,13 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
 
 </details>
 
-
-# Example 1
+## Example 1
 
 Example from [https://speakerdeck.com/masatokinugawa/electron-abusing-the-lack-of-context-isolation-curecon-en?slide=30](https://speakerdeck.com/masatokinugawa/electron-abusing-the-lack-of-context-isolation-curecon-en?slide=30)
 
 This code open http(s) links with default browser:
 
-![](<../../../.gitbook/assets/image (375).png>)
+![](<../../../.gitbook/assets/image (375) (1).png>)
 
 Something like `file:///C:/Windows/systemd32/calc.exe` could be used to execute a calc, the `SAFE_PROTOCOLS.indexOf` is preventing it.
 
@@ -52,7 +51,7 @@ Check the original slides for other ways to execute programs without having a pr
 
 Apparently another way to load and execute code is to access something like `file://127.0.0.1/electron/rce.jar`
 
-# Example 2: Discord App RCE
+## Example 2: Discord App RCE
 
 Example from [https://mksben.l0.cm/2020/10/discord-desktop-rce.html?m=1](https://mksben.l0.cm/2020/10/discord-desktop-rce.html?m=1)
 
@@ -92,7 +91,7 @@ module.exports.getGPUDriverVersions = async () => {
 };
 ```
 
-Usually the _execa_ tries to execute "_nvidia-smi.exe_", which is specified in the `nvidiaSmiPath` variable, however, due to the overridden `RegExp.prototype.test` and `Array.prototype.join`, **the argument is replaced to "**_**calc**_**" in the **_**execa**_**'s internal processing**.
+Usually the _execa_ tries to execute "_nvidia-smi.exe_", which is specified in the `nvidiaSmiPath` variable, however, due to the overridden `RegExp.prototype.test` and `Array.prototype.join`, **the argument is replaced to "**_**calc**_**" in the \_execa**\_**'s internal processing**.
 
 Specifically, the argument is replaced by changing the following two parts.
 
@@ -100,7 +99,6 @@ Specifically, the argument is replaced by changing the following two parts.
 
 [https://github.com/moxystudio/node-cross-spawn/blob/16feb534e818668594fd530b113a028c0c06bddc/lib/parse.js#L55](https://github.com/moxystudio/node-cross-spawn/blob/16feb534e818668594fd530b113a028c0c06bddc/lib/parse.js#L55)
 
-
 <details>
 
 <summary><strong>Support HackTricks and get benefits!</strong></summary>
@@ -116,5 +114,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
 **Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
 
 </details>
-
-

pentesting-web/cors-bypass.md

@@ -16,6 +16,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
 
 </details>
 
+## What is CORS?
 
 The CORS (Cross-origin resource sharing) standard is needed because it **allows servers to specify who can access its assets** and which **HTTP request methods are allowed** from external resources.
 
@@ -34,13 +35,13 @@ The following table shows how the same-origin policy will be applied in `http://
 
 \*_Internet Explorer will allow this access because IE does not take account of the port number when applying the same-origin policy._
 
-## `Access-Control-Allow-Origin` Header
+### `Access-Control-Allow-Origin` Header
 
 The specification of `Access-Control-Allow-Origin` allows for **multiple origins**, or the value **`null`**, or the wildcard **`*`**. However, **no browser supports multiple origins** and there are **restrictions** on the use of the **wildcard** `*`.(_The wildcard can only be used alone, this will fail `Access-Control-Allow-Origin: https://*.normal-website.com` and it cannot be used with_ _Access-Control-Allow-Credentials: true_)
 
 This header is **returned by a server** when a website requests a cross-domain resource, with an `Origin` header added by the browser.
 
-## `Access-Control-Allow-Credentials` Header
+### `Access-Control-Allow-Credentials` Header
 
 The **default** behaviour of cross-origin resource requests is for **requests** to be **passed without credentials** like cookies and the Authorization header. However, the cross-domain server can **permit reading** of the **response** when **credentials** are **passed** to it by setting the CORS **`Access-Control-Allow-Credentials`** header to **`true`**.
 
@@ -73,7 +74,7 @@ xhr.onreadystatechange = handler;
 xhr.send('<person><name>Arun</name></person>');
 ```
 
-## Pre-flight request
+### Pre-flight request
 
 Under certain circumstances, when a cross-domain request:
 
@@ -126,13 +127,13 @@ Access-Control-Max-Age: 240
 Note that usually (depending on the content-type and headers set) in a **GET/POST request no pre-flight request is sent** (the request is sent **directly**), but if you want to access the **headers/body of the response**, it must contains an _Access-Control-Allow-Origin_ header allowing it.\
 **Therefore, CORS doesn't protect against CSRF (but it can be helpful).**
 
-# Exploitable misconfigurations
+## Exploitable misconfigurations
 
 Notice that most of the **real attacks require `Access-Control-Allow-Credentials`** to be set to **`true`** because this will allow the browser to send the credentials and read the response. Without credentials, many attacks become irrelevant; it means you can't ride on a user's cookies, so there is often nothing to be gained by making their browser issue the request rather than issuing it yourself.
 
 One notable exception is when the **victim's network location functions as a kind of authentication.** You can use a victim’s browser as a proxy to bypass IP-based authentication and access intranet applications. In terms of impact this is similar to DNS rebinding, but much less fiddly to exploit.
 
-# Reflected `Origin` in `Access-Control-Allow-Origin`
+### Reflected `Origin` in `Access-Control-Allow-Origin`
 
 In the real world this cannot happen as **this 2 values of the headers are forbidden together**.\
 It is also true that a lot of developers want to **allow several URLs in the CORS**, but subdomain wildcards or lists of URLs aren't allowed. Then, several developers **generates** the \*\*`Access-Control-Allow-Origin`\*\*header **dynamically**, and in more than one occasion they just **copy the value of the Origin header**.
@@ -155,7 +156,7 @@ In other cases, the developer could check that the **domain** (_victimdomain.com
 </script>
 ```
 
-# The `null` Origin
+### The `null` Origin
 
 `null` is a special value for the **Origin** header. The specification mentions it being triggered by redirects, and local HTML files. Some applications might whitelist the `null` origin to support local development of the application.\
 This is nice because **several application will allow this value** inside the CORS and any **website can easily obtain the null origin using a sandboxed iframe**:
@@ -186,11 +187,11 @@ This is nice because **several application will allow this value** inside the CO
 </script>"></iframe>
 ```
 
-# **Regexp bypasses**
+### **Regexp bypasses**
 
 If you found the domain _victim.com_ to be **whitelisted** you should check if _victim.com.**attacker.com**_ is **whitelisted also**, or, in case you can **takeover some subdomain**, check if _**somesubdomain**.victim.com_ is whitelisted.
 
-# **Advance Regexp bypasses**
+### **Advance Regexp bypasses**
 
 Most of the regex used to identify the domain inside the string will focus on alphanumeric ASCII characters and `.-` . Then, something like `victimdomain.com{.attacker.com` inside the Origin header will be interpreted by the regexp as if the domain was `victimdomain.com` but the browser (in this case Safari supports this character in the domain) will access the domain`attacker.com` .
 
@@ -202,7 +203,7 @@ The `_` character (in subdomains) is not only supported in Safari, but also in C
 
 ![](<../.gitbook/assets/image (153).png>)
 
-# From XSS inside a subdomain
+### From XSS inside a subdomain
 
 One defensive mechanism developers use against CORS exploitation is to white-list domains that frequently requests access for information. However, this isn’t entirely secure, because if even **one** of the subdomains of the **whitelisted** domain is **vulnerable** to other exploits such as **XSS**, it can enable CORS exploitation.
 
@@ -218,7 +219,7 @@ if ($_SERVER['HTTP_HOST'] == '*.requester.com')
 
 Assuming that a user has access to sub.requester.com but not requester.com, and assuming that `sub.requester.com` is vulnerable to XSS. The user can exploit `provider.com` by using cross-site scripting attack method.
 
-# **Server-side cache poisoning**
+### **Server-side cache poisoning**
 
 If the stars are aligned we may be able to use server-side cache poisoning via HTTP header injection to create a [stored XSS](https://portswigger.net/web-security/cross-site-scripting/stored) vulnerability.
 
@@ -233,7 +234,7 @@ Internet Explorer sees the response as:
 
 This isn't directly exploitable because there's no way for an attacker to make someone's web browser send such a malformed header, but I can **manually craft this request in Burp Suite and a server-side cache may save the response and serve it to other people**. The payload I've used will change the page's character set to **UTF-7**, which is notoriously useful for creating XSS vulnerabilities.
 
-# **Client-Side cache poisoning**
+### **Client-Side cache poisoning**
 
 You may have occasionally encountered a page with [reflected XSS](https://portswigger.net/web-security/cross-site-scripting/reflected) in a custom HTTP header. Say a web page reflects the contents of a custom header without encoding:
 
@@ -264,9 +265,9 @@ req.send();
 </script>
 ```
 
-# Bypass
+## Bypass
 
-# XSSI (Cross-Site Script Inclusion) / JSONP
+### XSSI (Cross-Site Script Inclusion) / JSONP
 
 XSSI designates a kind of vulnerability which exploits the fact that, when a resource is included using the `script` tag, the SOP doesn’t apply, because scripts have to be able to be included cross-domain. An attacker can thus read everything that was included using the `script` tag.
 
@@ -278,7 +279,7 @@ Try to add a **`callback`** **parameter** in the request. Maybe the page was pre
 
 ![](<../.gitbook/assets/image (229).png>)
 
-# Easy (useless?) bypass
+### Easy (useless?) bypass
 
 You can ask a web-application to make a request for you and send back the response. This will bypass the **`Access-Control-Allow-Origin`** but notice that the **credentials to the final victim won't be sent** as you will be **contacting a different domain** (the one that will make the request for you).
 
@@ -295,7 +296,7 @@ xhr.open("GET", "https://cors-escape.herokuapp.com/https://maximum.blog/@shalvah
 
 Proxying is kinda like “passing on" your request, exactly as you sent it. We could solve this in an alternative way that still involves someone else making the request for you, but this time, **instead of using passing on your request, the server makes its own request, but with whatever parameters you specified.**
 
-# Iframe + Popup Bypass
+### Iframe + Popup Bypass
 
 You can **bypass CORS checks** such as `e.origin === window.origin` by **creating an iframe** and **from it opening a new window**. More information in the following page:
 
@@ -303,7 +304,7 @@ You can **bypass CORS checks** such as `e.origin === window.origin` by **creatin
 [iframes-in-xss-and-csp.md](xss-cross-site-scripting/iframes-in-xss-and-csp.md)
 {% endcontent-ref %}
 
-# DNS Rebinding via TTL
+### DNS Rebinding via TTL
 
 ![](<../.gitbook/assets/image (108).png>)
 
@@ -320,16 +321,26 @@ If you need something quick to abuse this you can use a service like [https://lo
 If you want to run your own DNS rebinding server you can use something like [**DNSrebinder**](https://github.com/mogwailabs/DNSrebinder)**,** then **expose** your **local port 53/udp**, create an **A registry pointing to it** (ns.example.com), and create a **NS registry** pointing to the **previously created A subdomain**(ns.example.com).\
 Then, any subdomain of that subdomain (ns.example.com), will be resolved by your host.
 
-## Automated DNS Rebidding
+Check out also the **publicly running server in** [**http://rebind.it/singularity.html**](http://rebind.it/singularity.html)
 
-[**`Singularity of Origin`**](https://github.com/nccgroup/singularity) is a tool to perform [DNS rebinding](https://en.wikipedia.org/wiki/DNS\_rebinding) attacks. It includes the necessary components to rebind the IP address of the attack server DNS name to the target machine's IP address and to serve attack payloads to exploit vulnerable software on the target machine.
-
-Check out also the **publicly running server in** [**http://rebind.it/singularity.html**](http://rebind.it/singularity.html)****
-
-# DNS Rebinding via **Cache**
+### DNS Rebinding via **DNS Cache Flooding**
 
 As it was explained in the previous section, **browsers** have the IPs of domains **cached more time** than the one specified in the TTL. However, there is a way to bypass this defence.
 
+You can have a service worker that will **flood the DNS cache to force a second DNS request**. SO the flow will be like:
+
+1. DNS request responded with attacker address
+2. Service worker floods DNS cache (the cached attacker server name is deleted)
+3. Second DNS request this time responded with 127.0.0.1
+
+![](<../.gitbook/assets/image (375).png>)
+
+_Blue is the first DNS request and orange is the flood._
+
+### DNS Rebinding via **Cache**
+
+As it was explained in the previous section, **browsers** have the IPs of domains **cached more time** than the one specified in the TTL. However, there is another way to bypass this defence.
+
 You can **create 2 A records** (or **1 with 2 IPs**, depending on the provider) for the **same subdomain** in the **DNS provider** and when a browser checks for them he will get both.
 
 Now, if the **browser** decides to **use** the **attacker IP address first**, the **attacker** will be able to **serve** the **payload** that will **perform HTTP requests** to the same **domain**. However, now that the attacker knows the IP of the victim, **he will stop answering the victim browser**.
@@ -340,14 +351,26 @@ When the browser finds that the **domain isn't responding** to him, it will **us
 Note that in order to access localhost you should try to rebind 127.0.0.1 in Windows and 0.0.0.0 in linux.\
 Providers such as godaddy or cloudflare didn't allow me to use the ip 0.0.0.0, but AWS route53 allowed me to create one A record with 2 IPs being one of them "0.0.0.0"
 
-![](<../.gitbook/assets/image (638) (2).png>)
+<img src="../.gitbook/assets/image (638) (2).png" alt="" data-size="original">
 {% endhint %}
 
 ![](<../.gitbook/assets/image (620) (4).png>)
 
 For more info you can check [https://unit42.paloaltonetworks.com/dns-rebinding/](https://unit42.paloaltonetworks.com/dns-rebinding/)
 
-# **Tools**
+### Other Common Bypasses
+
+* If **internal IPs aren't allowed**, they might **forgot forbidding 0.0.0.0** (works on Linux and Mac)
+* If **internal IPs aren't allowed**, respond with a **CNAME** to **localhost** (works on Linux and Ma
+* If **internal IPs aren't allowed** as DNS responses, you can respond **CNAMEs to internal services** such as www.corporate.internal.
+
+### DNS Rebidding Weaponized
+
+You can find more information about the previous bypass techniques and how to use the following tool in the talk [Gerald Doussot - State of DNS Rebinding Attacks & Singularity of Origin - DEF CON 27 Conference](https://www.youtube.com/watch?v=y9-0lICNjOQ).
+
+[**`Singularity of Origin`**](https://github.com/nccgroup/singularity) is a tool to perform [DNS rebinding](https://en.wikipedia.org/wiki/DNS\_rebinding) attacks. It includes the necessary components to rebind the IP address of the attack server DNS name to the target machine's IP address and to serve attack payloads to exploit vulnerable software on the target machine.
+
+## **Tools**
 
 **Fuzz possible misconfigurations in CORS policies**
 
@@ -356,7 +379,7 @@ For more info you can check [https://unit42.paloaltonetworks.com/dns-rebinding/]
 * [https://github.com/s0md3v/Corsy](https://github.com/s0md3v/Corsy)
 * [https://github.com/Shivangx01b/CorsMe](https://github.com/Shivangx01b/CorsMe)
 
-# References
+## References
 
 {% embed url="https://portswigger.net/web-security/cors" %}
 

reversing/cryptographic-algorithms/README.md

@@ -28,7 +28,7 @@ If you ends in a code **using shift rights and lefts, xors and several arithmeti
 
 If this function is used, you can find which **algorithm is being used** checking the value of the second parameter:
 
-![](<../../.gitbook/assets/image (375) (1) (1).png>)
+![](<../../.gitbook/assets/image (375) (1) (1) (1).png>)
 
 Check here the table of possible algorithms and their assigned values: [https://docs.microsoft.com/en-us/windows/win32/seccrypto/alg-id](https://docs.microsoft.com/en-us/windows/win32/seccrypto/alg-id)