GitBook: [master] 3 pages and 6 assets modified

2024-11-21 20:23:18 +00:00 · 2021-10-05 10:00:17 +00:00 · 2021-10-05 10:00:17 +00:00 · e741d404a9
commit e741d404a9
parent bed47c9c72
6 changed files with 15 additions and 7 deletions
--- a/.gitbook/assets/image
+++ b/.gitbook/assets/image
--- a/.gitbook/assets/image
+++ b/.gitbook/assets/image
--- a/.gitbook/assets/image
+++ b/.gitbook/assets/image
--- a/macos/macos-security-and-privilege-escalation/macos-mdm/README.md
+++ b/macos/macos-security-and-privilege-escalation/macos-mdm/README.md
@ -128,7 +128,7 @@ The response is a JSON dictionary with some important data like:
 * Signed using the **device identity certificate \(from APNS\)**
 * **Certificate chain** includes expired **Apple iPhone Device CA**

-![](../../../.gitbook/assets/image%20%28567%29%20%281%29%20%282%29%20%282%29%20%282%29%20%282%29%20%282%29%20%282%29.png)
+![](../../../.gitbook/assets/image%20%28567%29%20%281%29%20%282%29%20%282%29%20%282%29%20%282%29%20%282%29%20%282%29%20%282%29.png)

 ### Step 6: Profile Installation

--- a/pentesting-web/csrf-cross-site-request-forgery.md
+++ b/pentesting-web/csrf-cross-site-request-forgery.md
@ -9,7 +9,7 @@ This is done by **making a logged in user** in the victim platform access an att

 In order to be able to abuse a CSRF vulnerability you first need to **find a relevant action to abuse** \(change password or email, make the victim follow you on a social network, give you more privileges...\). The **session must rely only on cookies or HTTP Basic Authentication header**, any other header can't be used to handle the session. An finally, there **shouldn't be unpredictable parameters** on the request.

-Several **counter-measures** could be in place to avoid this vulnerability. 
+Several **counter-measures** could be in place to avoid this vulnerability.

 ### **Common defenses**

@ -73,7 +73,7 @@ In this situation, the attacker can again perform a CSRF **attack if the web sit

 ### Content-Type change

-According to [**this**](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#simple_requests), n order to **avoid preflight** requests using **POST** method these are the allowed Content-Type values:
+According to [**this**](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#simple_requests), in order to **avoid preflight** requests using **POST** method these are the allowed Content-Type values:

 * **`application/x-www-form-urlencoded`**
 * **`multipart/form-data`**
@ -81,6 +81,14 @@ According to [**this**](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#s

 However, note that the **severs logic may vary** depending on the **Content-Type** used so you should try the values mentioned and others like **`application/json`**_**,**_**`text/xml`**, **`application/xml`**_._

+### application/json preflight request bypass
+
+As you already know, you cannot sent a POST request with the Content-Type **`application/json`** via HTML form, and if you try to do so via **`XMLHttpRequest`** a **preflight** request is sent first.  
+However, you could try to send the JSON data using the content types **`text/plain` and `application/x-www-form-urlencoded`** just to check if the backend is using the data independently of the Content-Type.  
+You can send a form using `Content-Type: text/plain` setting **`enctype="text/plain"`**
+
+You could also try to **bypass** this restriction by using a **SWF flash file**. More more information [**read this post**](https://anonymousyogi.medium.com/json-csrf-csrf-that-none-talks-about-c2bf9a480937).
+
 ### Referrer / Origin check bypass

 #### Avoid Referrer header
@ -109,14 +117,14 @@ https://hahwul.com/.white_domain_com (X)

 ## **Exploit Examples**

-### **Ex-filtrating CSRF Token**
+### **Exfiltrating CSRF Token**

-If a **CSRF token** is being used as **defence** you could try to **ex-filtrate it** abusing a [**XSS**](xss-cross-site-scripting/#xss-stealing-csrf-tokens) vulnerability or a [**Dangling Markup**](dangling-markup-html-scriptless-injection.md) vulnerability.
+If a **CSRF token** is being used as **defence** you could try to **exfiltrate it** abusing a [**XSS**](xss-cross-site-scripting/#xss-stealing-csrf-tokens) vulnerability or a [**Dangling Markup**](dangling-markup-html-scriptless-injection.md) vulnerability.

 ### **GET using HTML tags**

 ```markup
-<img src=http://google.es?param=VALUE style="display:none" />
+<img src="http://google.es?param=VALUE" style="display:none" />
 <h1>404 - Page not found</h1>
 The URL you are requesting is no longer available
 ```
--- a/pentesting-web/postmessage-vulnerabilities.md
+++ b/pentesting-web/postmessage-vulnerabilities.md
@ -66,7 +66,7 @@ In order to **find event listeners** in the current page you can:
 * **Search** the JS code for ****`window.addEventListener` and `$(window).on` \(_JQuery version_\)
 * **Execute** in the developer tools console: `getEventListeners(window)`

-![](../.gitbook/assets/image%20%28616%29.png)
+![](../.gitbook/assets/image%20%28618%29.png)

 * **Go to** _Elements --&gt; Event Listeners_ in the developer tools of the browser