GitBook: [master] 3 pages and 6 assets modified

This commit is contained in:
CPol 2021-10-05 10:00:17 +00:00 committed by gitbook-bot
parent bed47c9c72
commit e741d404a9
No known key found for this signature in database
GPG key ID: 07D2180C7B12D0FF
6 changed files with 15 additions and 7 deletions

View file

Before

Width:  |  Height:  |  Size: 740 KiB

After

Width:  |  Height:  |  Size: 740 KiB

View file

Before

Width:  |  Height:  |  Size: 740 KiB

After

Width:  |  Height:  |  Size: 740 KiB

View file

Before

Width:  |  Height:  |  Size: 15 KiB

After

Width:  |  Height:  |  Size: 15 KiB

View file

@ -128,7 +128,7 @@ The response is a JSON dictionary with some important data like:
* Signed using the **device identity certificate \(from APNS\)** * Signed using the **device identity certificate \(from APNS\)**
* **Certificate chain** includes expired **Apple iPhone Device CA** * **Certificate chain** includes expired **Apple iPhone Device CA**
![](../../../.gitbook/assets/image%20%28567%29%20%281%29%20%282%29%20%282%29%20%282%29%20%282%29%20%282%29%20%282%29.png) ![](../../../.gitbook/assets/image%20%28567%29%20%281%29%20%282%29%20%282%29%20%282%29%20%282%29%20%282%29%20%282%29%20%282%29.png)
### Step 6: Profile Installation ### Step 6: Profile Installation

View file

@ -9,7 +9,7 @@ This is done by **making a logged in user** in the victim platform access an att
In order to be able to abuse a CSRF vulnerability you first need to **find a relevant action to abuse** \(change password or email, make the victim follow you on a social network, give you more privileges...\). The **session must rely only on cookies or HTTP Basic Authentication header**, any other header can't be used to handle the session. An finally, there **shouldn't be unpredictable parameters** on the request. In order to be able to abuse a CSRF vulnerability you first need to **find a relevant action to abuse** \(change password or email, make the victim follow you on a social network, give you more privileges...\). The **session must rely only on cookies or HTTP Basic Authentication header**, any other header can't be used to handle the session. An finally, there **shouldn't be unpredictable parameters** on the request.
Several **counter-measures** could be in place to avoid this vulnerability. Several **counter-measures** could be in place to avoid this vulnerability.
### **Common defenses** ### **Common defenses**
@ -73,7 +73,7 @@ In this situation, the attacker can again perform a CSRF **attack if the web sit
### Content-Type change ### Content-Type change
According to [**this**](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#simple_requests), n order to **avoid preflight** requests using **POST** method these are the allowed Content-Type values: According to [**this**](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#simple_requests), in order to **avoid preflight** requests using **POST** method these are the allowed Content-Type values:
* **`application/x-www-form-urlencoded`** * **`application/x-www-form-urlencoded`**
* **`multipart/form-data`** * **`multipart/form-data`**
@ -81,6 +81,14 @@ According to [**this**](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#s
However, note that the **severs logic may vary** depending on the **Content-Type** used so you should try the values mentioned and others like **`application/json`**_**,**_**`text/xml`**, **`application/xml`**_._ However, note that the **severs logic may vary** depending on the **Content-Type** used so you should try the values mentioned and others like **`application/json`**_**,**_**`text/xml`**, **`application/xml`**_._
### application/json preflight request bypass
As you already know, you cannot sent a POST request with the Content-Type **`application/json`** via HTML form, and if you try to do so via **`XMLHttpRequest`** a **preflight** request is sent first.
However, you could try to send the JSON data using the content types **`text/plain` and `application/x-www-form-urlencoded`** just to check if the backend is using the data independently of the Content-Type.
You can send a form using `Content-Type: text/plain` setting **`enctype="text/plain"`**
You could also try to **bypass** this restriction by using a **SWF flash file**. More more information [**read this post**](https://anonymousyogi.medium.com/json-csrf-csrf-that-none-talks-about-c2bf9a480937).
### Referrer / Origin check bypass ### Referrer / Origin check bypass
#### Avoid Referrer header #### Avoid Referrer header
@ -109,14 +117,14 @@ https://hahwul.com/.white_domain_com (X)
## **Exploit Examples** ## **Exploit Examples**
### **Ex-filtrating CSRF Token** ### **Exfiltrating CSRF Token**
If a **CSRF token** is being used as **defence** you could try to **ex-filtrate it** abusing a [**XSS**](xss-cross-site-scripting/#xss-stealing-csrf-tokens) vulnerability or a [**Dangling Markup**](dangling-markup-html-scriptless-injection.md) vulnerability. If a **CSRF token** is being used as **defence** you could try to **exfiltrate it** abusing a [**XSS**](xss-cross-site-scripting/#xss-stealing-csrf-tokens) vulnerability or a [**Dangling Markup**](dangling-markup-html-scriptless-injection.md) vulnerability.
### **GET using HTML tags** ### **GET using HTML tags**
```markup ```markup
<img src=http://google.es?param=VALUE style="display:none" /> <img src="http://google.es?param=VALUE" style="display:none" />
<h1>404 - Page not found</h1> <h1>404 - Page not found</h1>
The URL you are requesting is no longer available The URL you are requesting is no longer available
``` ```

View file

@ -66,7 +66,7 @@ In order to **find event listeners** in the current page you can:
* **Search** the JS code for ****`window.addEventListener` and `$(window).on` \(_JQuery version_\) * **Search** the JS code for ****`window.addEventListener` and `$(window).on` \(_JQuery version_\)
* **Execute** in the developer tools console: `getEventListeners(window)` * **Execute** in the developer tools console: `getEventListeners(window)`
![](../.gitbook/assets/image%20%28616%29.png) ![](../.gitbook/assets/image%20%28618%29.png)
* **Go to** _Elements --&gt; Event Listeners_ in the developer tools of the browser * **Go to** _Elements --&gt; Event Listeners_ in the developer tools of the browser