├── _posts ├── README.md ├── 2022-03-01-issue2.md ├── 2022-03-01-issue1.md └── resources │ ├── 2022-02-15-vulnerable-code-39.md │ ├── 2022-02-15-vulnerable-code-23.md │ ├── 2022-02-15-vulnerable-code-38.md │ ├── 2022-02-15-vulnerable-code-36.md │ ├── 2022-02-15-vulnerable-code-40.md │ ├── 2022-02-15-vulnerable-code-45.md │ ├── 2022-02-15-vulnerable-code-43.md │ ├── 2022-02-15-vulnerable-code-14.md │ ├── 2022-02-15-vulnerable-code-10.md │ ├── 2022-02-15-vulnerable-code-13.md │ ├── 2022-02-15-vulnerable-code-24.md │ ├── 2022-02-15-vulnerable-code-33.md │ ├── 2022-02-15-vulnerable-code-08.md │ ├── 2022-02-15-vulnerable-code-04.md │ ├── 2022-02-15-vulnerable-code-16.md │ ├── 2022-02-15-vulnerable-code-34.md │ ├── 2022-02-15-vulnerable-code-32.md │ ├── 2022-02-15-vulnerable-code-26.md │ ├── 2022-02-15-vulnerable-code-01.md │ ├── 2022-02-15-vulnerable-code-30.md │ ├── 2022-02-15-vulnerable-code-28.md │ ├── 2022-02-15-vulnerable-code-05.md │ ├── 2022-02-15-vulnerable-code-29.md │ ├── 2022-02-15-vulnerable-code-17.md │ ├── 2022-02-15-vulnerable-code-11.md │ ├── 2022-02-15-vulnerable-code-37.md │ ├── 2022-02-15-vulnerable-code-20.md │ ├── 2022-02-15-vulnerable-code-12.md │ ├── 2022-02-15-vulnerable-code-35.md │ ├── 2022-02-15-vulnerable-code-06.md │ ├── 2022-02-15-vulnerable-code-22.md │ ├── 2022-02-15-vulnerable-code-41.md │ ├── 2022-02-15-vulnerable-code-44.md │ ├── 2022-02-15-vulnerable-code-07.md │ ├── 2022-02-15-vulnerable-code-21.md │ ├── 2022-02-15-vulnerable-code-02.md │ ├── 2022-02-15-vulnerable-code-19.md │ ├── 2022-02-15-vulnerable-code-42.md │ ├── 2022-02-15-vulnerable-code-18.md │ ├── 2022-02-15-vulnerable-code-09.md │ ├── 2022-02-15-vulnerable-code-03.md │ ├── 2022-02-15-vulnerable-code-15.md │ ├── 2022-02-15-vulnerable-code-31.md │ ├── 2022-02-15-vulnerable-code-27.md │ ├── 2022-02-15-vulnerable-code-25.md │ ├── 2022-02-09-path-traversal-file-upload.md │ ├── 2022-02-09-feroxbuster-explained.md │ ├── 2022-02-09-rustscan-portscanner.md │ ├── 
2022-02-10-xxe-in-json.md │ ├── 2022-02-09-htmli-to-cloud-ssrf.md │ ├── 2022-02-09-bypassing-ios-biometrics.md │ ├── 2022-02-11-zip-slip-file-upload.md │ └── 2022-02-09-bypassing-filters-visual-spoofing.md ├── CNAME ├── _site ├── robots.txt ├── assets │ └── images │ │ ├── pwn │ │ └── pwn.png │ │ ├── expdev │ │ └── expdev.png │ │ ├── site_data │ │ ├── avatar.png │ │ ├── logo.png │ │ ├── favicon.ico.png │ │ ├── thumbnail.jpg │ │ ├── favicon-16x16.png │ │ └── favicon-32x32.png │ │ └── binary-exploitation │ │ └── binexp.png ├── resources │ ├── vulnerable-code-23.md │ ├── vulnerable-code-14.md │ ├── vulnerable-code-10.md │ ├── vulnerable-code-13.md │ ├── vulnerable-code-24.md │ ├── vulnerable-code-8.md │ ├── vulnerable-code-4.md │ ├── vulnerable-code-16.md │ ├── vulnerable-code-1.md │ ├── vulnerable-code-11.md │ ├── vulnerable-code-5.md │ ├── vulnerable-code-17.md │ ├── vulnerable-code-12.md │ ├── vulnerable-code-20.md │ ├── vulnerable-code-22.md │ ├── vulnerable-code-6.md │ ├── vulnerable-code-7.md │ ├── vulnerable-code-21.md │ ├── vulnerable-code-2.md │ ├── vulnerable-code-19.md │ ├── vulnerable-code-18.md │ ├── vulnerable-code-9.md │ ├── vulnerable-code-3.md │ ├── vulnerable-code-15.md │ ├── vulnerable-code-25.md │ ├── path-traversal-file-upload.md │ ├── feroxbuster-explained.md │ ├── rustscan-portscanner.md │ ├── xxe-in-json.md │ ├── htmli-to-cloud-ssrf.md │ ├── zip-slip-file-upload.md │ ├── bypassing-ios-biometrics.md │ └── bypassing-filters-visual-spoofing.md ├── banner.js └── minimal-mistakes-jekyll.gemspec ├── index.html ├── _sass ├── minimal-mistakes │ ├── vendor │ │ ├── susy │ │ │ ├── _su.scss │ │ │ ├── _susy.scss │ │ │ ├── plugins │ │ │ │ ├── _svg-grid.scss │ │ │ │ └── svg-grid │ │ │ │ │ ├── _prefix.scss │ │ │ │ │ ├── _svg-unprefix.scss │ │ │ │ │ ├── _svg-settings.scss │ │ │ │ │ └── _svg-grid-math.scss │ │ │ ├── _susy-prefix.scss │ │ │ └── susy │ │ │ │ └── _unprefix.scss │ │ └── breakpoint │ │ │ ├── _no-query.scss │ │ │ ├── parsers │ │ │ ├── single │ │ │ │ 
└── _default.scss │ │ │ ├── double │ │ │ │ ├── _default.scss │ │ │ │ ├── _double-string.scss │ │ │ │ └── _default-pair.scss │ │ │ ├── triple │ │ │ │ └── _default.scss │ │ │ ├── _single.scss │ │ │ ├── _triple.scss │ │ │ ├── _resolution.scss │ │ │ ├── _double.scss │ │ │ └── resolution │ │ │ │ └── _resolution.scss │ │ │ └── _settings.scss │ ├── skins │ │ ├── _default.scss │ │ ├── _mint.scss │ │ ├── _air.scss │ │ ├── _dirt.scss │ │ ├── _dark.scss │ │ ├── _aqua.scss │ │ ├── _contrast.scss │ │ ├── _sunrise.scss │ │ ├── _neon.scss │ │ └── _plum.scss │ ├── _animations.scss │ ├── _tables.scss │ ├── _footer.scss │ └── _masthead.scss └── minimal-mistakes.scss ├── assets ├── images │ ├── htb │ │ └── htb.png │ ├── pwn │ │ └── pwn.png │ ├── expdev │ │ └── expdev.png │ ├── site_data │ │ ├── ccc.png │ │ ├── code.png │ │ ├── logo.png │ │ ├── avatar.png │ │ ├── thumbnail.jpg │ │ ├── favicon.ico.png │ │ ├── favicon-16x16.png │ │ └── favicon-32x32.png │ ├── redteam │ │ └── redteam.png │ └── binary-exploitation │ │ └── binexp.png ├── css │ └── main.scss └── js │ ├── lunr │ └── lunr-store.js │ └── plugins │ └── jquery.greedy-navigation.js ├── _includes ├── footer │ └── custom.html ├── analytics-providers │ ├── custom.html │ ├── google-universal.html │ ├── google-gtag.html │ └── google.html ├── comments-providers │ ├── custom.html │ ├── facebook.html │ ├── scripts.html │ ├── utterances.html │ ├── disqus.html │ ├── discourse.html │ ├── staticman.html │ └── staticman_v2.html ├── posts-tag.html ├── posts-category.html ├── page__hero_video.html ├── page__taxonomy.html ├── browser-upgrade.html ├── author-profile-custom-links.html ├── toc ├── figure ├── head │ └── custom.html ├── search │ ├── lunr-search-scripts.html │ ├── google-search-scripts.html │ ├── search_form.html │ └── algolia-search-scripts.html ├── analytics.html ├── skip-links.html ├── documents-collection.html ├── read-time.html ├── sidebar.html ├── post_pagination.html ├── video ├── nav_list ├── scripts.html ├── head.html ├── 
gallery ├── comment.html ├── footer.html ├── tag-list.html ├── group-by-array ├── category-list.html ├── feature_row ├── social-share.html ├── breadcrumbs.html └── masthead.html ├── _pages ├── cve.md ├── pwn.md ├── htb.md ├── tag-archive.md ├── expdev.md ├── resources.md ├── offsec.md ├── category-archive.md └── 404.md ├── Gemfile ├── _layouts ├── category.html ├── tag.html ├── collection.html ├── home.html ├── archive.html ├── archive-taxonomy.html ├── pwn.html ├── blog.html ├── htb.html ├── expdev.html ├── resources.html ├── cve.html ├── posts.html ├── splash.html ├── default.html ├── tags.html ├── categories.html └── search.html ├── _data └── navigation.yml ├── banner.js ├── resources.html ├── minimal-mistakes-jekyll.gemspec ├── package.json └── Rakefile /_posts/README.md: -------------------------------------------------------------------------------- 1 | test 2 | -------------------------------------------------------------------------------- /CNAME: -------------------------------------------------------------------------------- 1 | test.securityexplained.io -------------------------------------------------------------------------------- /_site/robots.txt: -------------------------------------------------------------------------------- 1 | Sitemap: http://localhost:4000/sitemap.xml 2 | -------------------------------------------------------------------------------- /index.html: -------------------------------------------------------------------------------- 1 | --- 2 | layout: home 3 | author_profile: true 4 | --- 5 | -------------------------------------------------------------------------------- /_sass/minimal-mistakes/vendor/susy/_su.scss: -------------------------------------------------------------------------------- 1 | // Su 2 | // == 3 | 4 | @import 'susy/su'; 5 | -------------------------------------------------------------------------------- /assets/images/htb/htb.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/harsh-bothra/test/main/assets/images/htb/htb.png -------------------------------------------------------------------------------- /assets/images/pwn/pwn.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/harsh-bothra/test/main/assets/images/pwn/pwn.png -------------------------------------------------------------------------------- /_includes/footer/custom.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | -------------------------------------------------------------------------------- /_site/assets/images/pwn/pwn.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/harsh-bothra/test/main/_site/assets/images/pwn/pwn.png -------------------------------------------------------------------------------- /assets/images/expdev/expdev.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/harsh-bothra/test/main/assets/images/expdev/expdev.png -------------------------------------------------------------------------------- /assets/images/site_data/ccc.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/harsh-bothra/test/main/assets/images/site_data/ccc.png -------------------------------------------------------------------------------- /assets/images/site_data/code.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/harsh-bothra/test/main/assets/images/site_data/code.png -------------------------------------------------------------------------------- /assets/images/site_data/logo.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/harsh-bothra/test/main/assets/images/site_data/logo.png 
-------------------------------------------------------------------------------- /_pages/cve.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: "My CVE Blogs" 3 | layout: cve 4 | permalink: /cve/ 5 | author_profile: true 6 | --- 7 | -------------------------------------------------------------------------------- /_pages/pwn.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: "Pwn Challenges" 3 | layout: pwn 4 | permalink: /pwn/ 5 | author_profile: true 6 | --- 7 | -------------------------------------------------------------------------------- /assets/images/redteam/redteam.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/harsh-bothra/test/main/assets/images/redteam/redteam.png -------------------------------------------------------------------------------- /assets/images/site_data/avatar.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/harsh-bothra/test/main/assets/images/site_data/avatar.png -------------------------------------------------------------------------------- /_includes/analytics-providers/custom.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | -------------------------------------------------------------------------------- /_includes/comments-providers/custom.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | -------------------------------------------------------------------------------- /_pages/htb.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: "Hack The Box Writeups" 3 | layout: htb 4 | permalink: /htb/ 5 | author_profile: true 6 | --- 7 | -------------------------------------------------------------------------------- /_pages/tag-archive.md: 
-------------------------------------------------------------------------------- 1 | --- 2 | title: "Posts by Tag" 3 | permalink: /tags/ 4 | layout: tags 5 | author_profile: true 6 | --- 7 | -------------------------------------------------------------------------------- /_site/assets/images/expdev/expdev.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/harsh-bothra/test/main/_site/assets/images/expdev/expdev.png -------------------------------------------------------------------------------- /assets/images/site_data/thumbnail.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/harsh-bothra/test/main/assets/images/site_data/thumbnail.jpg -------------------------------------------------------------------------------- /_pages/expdev.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: "Exploit Development" 3 | layout: expdev 4 | permalink: /expdev/ 5 | author_profile: true 6 | --- 7 | -------------------------------------------------------------------------------- /_pages/resources.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: "Resources" 3 | layout: resources 4 | permalink: /resources/ 5 | author_profile: true 6 | --- 7 | -------------------------------------------------------------------------------- /_site/assets/images/site_data/avatar.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/harsh-bothra/test/main/_site/assets/images/site_data/avatar.png -------------------------------------------------------------------------------- /_site/assets/images/site_data/logo.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/harsh-bothra/test/main/_site/assets/images/site_data/logo.png 
-------------------------------------------------------------------------------- /assets/images/site_data/favicon.ico.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/harsh-bothra/test/main/assets/images/site_data/favicon.ico.png -------------------------------------------------------------------------------- /_pages/offsec.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: "Offensive Security Posts" 3 | layout: offsec 4 | permalink: /offsec/ 5 | author_profile: true 6 | --- 7 | -------------------------------------------------------------------------------- /assets/images/site_data/favicon-16x16.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/harsh-bothra/test/main/assets/images/site_data/favicon-16x16.png -------------------------------------------------------------------------------- /assets/images/site_data/favicon-32x32.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/harsh-bothra/test/main/assets/images/site_data/favicon-32x32.png -------------------------------------------------------------------------------- /_site/assets/images/site_data/favicon.ico.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/harsh-bothra/test/main/_site/assets/images/site_data/favicon.ico.png -------------------------------------------------------------------------------- /_site/assets/images/site_data/thumbnail.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/harsh-bothra/test/main/_site/assets/images/site_data/thumbnail.jpg -------------------------------------------------------------------------------- /assets/images/binary-exploitation/binexp.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/harsh-bothra/test/main/assets/images/binary-exploitation/binexp.png -------------------------------------------------------------------------------- /_site/assets/images/site_data/favicon-16x16.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/harsh-bothra/test/main/_site/assets/images/site_data/favicon-16x16.png -------------------------------------------------------------------------------- /_site/assets/images/site_data/favicon-32x32.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/harsh-bothra/test/main/_site/assets/images/site_data/favicon-32x32.png -------------------------------------------------------------------------------- /_pages/category-archive.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: "Posts by Category" 3 | layout: categories 4 | permalink: /categories/ 5 | author_profile: true 6 | --- 7 | -------------------------------------------------------------------------------- /_site/assets/images/binary-exploitation/binexp.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/harsh-bothra/test/main/_site/assets/images/binary-exploitation/binexp.png -------------------------------------------------------------------------------- /_sass/minimal-mistakes/vendor/susy/_susy.scss: -------------------------------------------------------------------------------- 1 | // Susy (Un-Prefixed) 2 | // ================== 3 | 4 | @import 'susy-prefix'; 5 | @import 'susy/unprefix'; 6 | -------------------------------------------------------------------------------- /_sass/minimal-mistakes/vendor/susy/plugins/_svg-grid.scss: 
-------------------------------------------------------------------------------- 1 | // SVG Grid Background 2 | // =================== 3 | 4 | @import 'svg-grid/prefix'; 5 | @import 'svg-grid/svg-unprefix'; 6 | -------------------------------------------------------------------------------- /_includes/posts-tag.html: -------------------------------------------------------------------------------- 1 | {%- for post in site.tags[include.taxonomy] -%} 2 | {%- unless post.hidden -%} 3 | {% include archive-single.html %} 4 | {%- endunless -%} 5 | {%- endfor -%} 6 | -------------------------------------------------------------------------------- /_includes/posts-category.html: -------------------------------------------------------------------------------- 1 | {%- for post in site.categories[include.taxonomy] -%} 2 | {%- unless post.hidden -%} 3 | {% include archive-single.html %} 4 | {%- endunless -%} 5 | {%- endfor -%} 6 | -------------------------------------------------------------------------------- /Gemfile: -------------------------------------------------------------------------------- 1 | source "https://rubygems.org" 2 | 3 | gem "github-pages", group: :jekyll_plugins 4 | 5 | gem 'jekyll-include-cache' 6 | 7 | gem 'minimal-mistakes-jekyll' 8 | 9 | gem "activesupport", ">= 6.0.3.1" 10 | 11 | -------------------------------------------------------------------------------- /_sass/minimal-mistakes/vendor/susy/plugins/svg-grid/_prefix.scss: -------------------------------------------------------------------------------- 1 | // Prefixed SVG Plugin 2 | // =================== 3 | 4 | @import 'svg-settings'; 5 | @import 'svg-utilities'; 6 | @import 'svg-grid-math'; 7 | @import 'svg-api'; 8 | -------------------------------------------------------------------------------- /_includes/page__hero_video.html: -------------------------------------------------------------------------------- 1 | {% capture video_id %}{{ page.header.video.id }}{% endcapture %} 2 | {% capture 
video_provider %}{{ page.header.video.provider }}{% endcapture %} 3 | 4 | {% include video id=video_id provider=video_provider %} 5 | -------------------------------------------------------------------------------- /_layouts/category.html: -------------------------------------------------------------------------------- 1 | --- 2 | layout: archive 3 | --- 4 | 5 | {{ content }} 6 | 7 |
8 | {% include posts-category.html taxonomy=page.taxonomy type=page.entries_layout %} 9 |
10 | -------------------------------------------------------------------------------- /_includes/page__taxonomy.html: -------------------------------------------------------------------------------- 1 | {% if site.tag_archive.type and page.tags[0] %} 2 | {% include tag-list.html %} 3 | {% endif %} 4 | 5 | {% if site.category_archive.type and page.categories[0] %} 6 | {% include category-list.html %} 7 | {% endif %} -------------------------------------------------------------------------------- /_layouts/tag.html: -------------------------------------------------------------------------------- 1 | --- 2 | layout: archive 3 | --- 4 | 5 | {{ content }} 6 | 7 |
8 | {% include posts-tag.html taxonomy=page.taxonomy type=page.entries_layout %} 9 |
10 | -------------------------------------------------------------------------------- /_sass/minimal-mistakes/skins/_default.scss: -------------------------------------------------------------------------------- 1 | /* ========================================================================== 2 | Default skin 3 | ========================================================================== */ 4 | 5 | // Intentionally left blank 6 | -------------------------------------------------------------------------------- /_includes/browser-upgrade.html: -------------------------------------------------------------------------------- 1 | 4 | -------------------------------------------------------------------------------- /_includes/author-profile-custom-links.html: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /_layouts/collection.html: -------------------------------------------------------------------------------- 1 | --- 2 | layout: archive 3 | --- 4 | 5 | {{ content }} 6 | 7 |
8 | {% include documents-collection.html collection=page.collection sort_by=page.sort_by sort_order=page.sort_order type=page.entries_layout %} 9 |
10 | -------------------------------------------------------------------------------- /_pages/404.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: "Page Not Found" 3 | excerpt: "Page not found. Your pixels are in another canvas." 4 | sitemap: false 5 | layout: single 6 | permalink: /404.html 7 | --- 8 | 9 | Sorry, but the page you were trying to view does not exist. 10 | 11 | Don't try to bruteforce :-( 12 | -------------------------------------------------------------------------------- /_includes/toc: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /_data/navigation.yml: -------------------------------------------------------------------------------- 1 | # main links 2 | main: 3 | - title: "Home" 4 | url: / 5 | - title: "Resources" 6 | url: /categories/#resources 7 | - title: "Newsletter" 8 | url: /categories/#vulnerable-code-snippet 9 | - title: "MindMaps" 10 | url: /mindmaps 11 | - title: "Guest Resources" 12 | url: /GuestResources 13 | 14 | -------------------------------------------------------------------------------- /_includes/figure: -------------------------------------------------------------------------------- 1 |
2 | {% if include.alt %}{{ include.alt }}{% endif %} 4 | {% if include.caption %} 5 |
6 | {{ include.caption | markdownify | remove: "

" | remove: "

" }} 7 |
8 | {% endif %} 9 |
10 | -------------------------------------------------------------------------------- /_sass/minimal-mistakes/vendor/susy/_susy-prefix.scss: -------------------------------------------------------------------------------- 1 | // Susy (Prefixed) 2 | // =============== 3 | 4 | $susy-version: 3; 5 | 6 | @import 'susy/utilities'; 7 | @import 'susy/su-validate'; 8 | @import 'susy/su-math'; 9 | @import 'susy/settings'; 10 | @import 'susy/normalize'; 11 | @import 'susy/parse'; 12 | @import 'susy/syntax-helpers'; 13 | @import 'susy/api'; 14 | -------------------------------------------------------------------------------- /_posts/2022-03-01-issue2.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: "Newsletter - Issue #2" 3 | classes: wide 4 | tag: 5 | - "" 6 | header: 7 | teaser: /assets/images/htb/htb.png 8 | ribbon: green 9 | description: "" 10 | categories: 11 | - Newsletter 12 | --- 13 | Newsletter 14 | 15 | click here 16 | -------------------------------------------------------------------------------- /_includes/analytics-providers/google-universal.html: -------------------------------------------------------------------------------- 1 | 7 | 8 | -------------------------------------------------------------------------------- /assets/css/main.scss: -------------------------------------------------------------------------------- 1 | --- 2 | # Only the main Sass file needs front matter (the dashes are enough) 3 | --- 4 | 5 | @charset "utf-8"; 6 | 7 | @import "minimal-mistakes/skins/{{ site.minimal_mistakes_skin | default: 'default' }}"; // skin 8 | @import "minimal-mistakes"; // main partials 9 | 10 | body{ 11 | background-color: #222831; 12 | } 13 | .greedy-nav{ 14 | background-color: #222831; 15 | } 16 | -------------------------------------------------------------------------------- /_includes/head/custom.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 
7 | 8 | 9 | 10 | 11 | -------------------------------------------------------------------------------- /_posts/2022-03-01-issue1.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: "Newsletter - Issue #1" 3 | classes: wide 4 | tag: 5 | - "" 6 | header: 7 | teaser: /assets/images/htb/htb.png 8 | ribbon: green 9 | description: "" 10 | categories: 11 | - Newsletter 12 | --- 13 | Newsletter 14 | 15 | Click Here 16 | -------------------------------------------------------------------------------- /_site/resources/vulnerable-code-23.md: -------------------------------------------------------------------------------- 1 | ### SecurityExplained S-36: Vulnerable Code Snippet - 23 2 | 3 | #### Vulnerable Code: 4 | 5 | ![Vulnerable Code](../media/code-23.jpg) 6 | 7 | 8 | #### Solution: 9 | The code builds XPath queries from user-supplied input, and because that input is not sanitized on line 14, an attacker can perform XPath injection and alter the query logic. 10 | 11 | Twitter Thread: https://twitter.com/harshbothra_/status/1489896229970792449 12 | ##### Code Credits: SonarSource -------------------------------------------------------------------------------- /_sass/minimal-mistakes/vendor/breakpoint/_no-query.scss: -------------------------------------------------------------------------------- 1 | @function breakpoint-no-query($query) { 2 | @if type-of($query) == 'list' { 3 | $keyword: nth($query, 1); 4 | 5 | @if type-of($keyword) == 'string' and ($keyword == 'no-query' or $keyword == 'no query' or $keyword == 'fallback') { 6 | @return nth($query, 2); 7 | } 8 | @else { 9 | @return false; 10 | } 11 | } 12 | @else { 13 | @return false; 14 | } 15 | } 16 | -------------------------------------------------------------------------------- /_sass/minimal-mistakes/_animations.scss: -------------------------------------------------------------------------------- 1 | /* ========================================================================== 2 | ANIMATIONS 3 | 
========================================================================== */ 4 | 5 | @-webkit-keyframes intro { 6 | 0% { 7 | opacity: 0; 8 | } 9 | 100% { 10 | opacity: 1; 11 | } 12 | } 13 | 14 | @keyframes intro { 15 | 0% { 16 | opacity: 0; 17 | } 18 | 100% { 19 | opacity: 1; 20 | } 21 | } -------------------------------------------------------------------------------- /_layouts/home.html: -------------------------------------------------------------------------------- 1 | --- 2 | layout: archive 3 | --- 4 | 5 | {{ content }} 6 | 7 |

{{ site.data.ui-text[site.locale].recent_posts | default: "Recent Posts" }}

8 | 9 | {% if paginator %} 10 | {% assign posts = paginator.posts %} 11 | {% else %} 12 | {% assign posts = site.posts %} 13 | {% endif %} 14 | 15 | {% for post in posts %} 16 | {% include archive-single.html %} 17 | {% endfor %} 18 | 19 | {% include paginator.html %} 20 | -------------------------------------------------------------------------------- /_sass/minimal-mistakes/vendor/susy/plugins/svg-grid/_svg-unprefix.scss: -------------------------------------------------------------------------------- 1 | // Unprefix Susy SVG Grid 2 | // ====================== 3 | 4 | 5 | 6 | // SVG Grid 7 | // -------- 8 | /// Un-prefixed alias for `susy-svg-grid` 9 | /// 10 | /// @group plugin_svg-grid 11 | /// @alias susy-svg-grid 12 | @function svg-grid( 13 | $grid: $susy, 14 | $colors: susy-get('svg-grid-colors'), 15 | $offset: null 16 | ) { 17 | @return susy-svg-grid($grid, $colors, $offset); 18 | } 19 | -------------------------------------------------------------------------------- /_includes/comments-providers/facebook.html: -------------------------------------------------------------------------------- 1 |
2 | -------------------------------------------------------------------------------- /_includes/search/lunr-search-scripts.html: -------------------------------------------------------------------------------- 1 | {% assign lang = site.locale | slice: 0,2 | default: "en" %} 2 | {% case lang %} 3 | {% when "gr" %} 4 | {% assign lang = "gr" %} 5 | {% else %} 6 | {% assign lang = "en" %} 7 | {% endcase %} 8 | 9 | 10 | -------------------------------------------------------------------------------- /_sass/minimal-mistakes/vendor/breakpoint/parsers/single/_default.scss: -------------------------------------------------------------------------------- 1 | @function breakpoint-parse-default($feature) { 2 | $default: breakpoint-get('default feature'); 3 | 4 | // Set Context 5 | $context-setter: private-breakpoint-set-context($default, $feature); 6 | 7 | @if (breakpoint-get('to ems') == true) and (type-of($feature) == 'number') { 8 | @return '#{$default}: #{breakpoint-to-base-em($feature)}'; 9 | } 10 | @else { 11 | @return '#{$default}: #{$feature}'; 12 | } 13 | } 14 | -------------------------------------------------------------------------------- /_includes/analytics-providers/google-gtag.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 10 | -------------------------------------------------------------------------------- /_sass/minimal-mistakes/vendor/susy/plugins/svg-grid/_svg-settings.scss: -------------------------------------------------------------------------------- 1 | // SVG Settings 2 | // ============ 3 | 4 | 5 | // Susy SVG Defaults 6 | // ================= 7 | /// This plugin adds the `svg-grid-colors` property 8 | /// and default value to `$_susy-defaults` — 9 | /// you can override that value in `$susy` 10 | /// or any other grid settings map. 
11 | /// @group plugin_svg-grid 12 | $_susy-defaults: map-merge(( 13 | 'svg-grid-colors': hsla(120, 50%, 50%, 0.5) hsla(120, 50%, 75%, 0.5), 14 | ), $_susy-defaults); 15 | -------------------------------------------------------------------------------- /_includes/analytics.html: -------------------------------------------------------------------------------- 1 | {% if jekyll.environment == 'production' and site.analytics.provider and page.analytics != false %} 2 | 3 | {% case site.analytics.provider %} 4 | {% when "google" %} 5 | {% include /analytics-providers/google.html %} 6 | {% when "google-universal" %} 7 | {% include /analytics-providers/google-universal.html %} 8 | {% when "google-gtag" %} 9 | {% include /analytics-providers/google-gtag.html %} 10 | {% when "custom" %} 11 | {% include /analytics-providers/custom.html %} 12 | {% endcase %} 13 | 14 | {% endif %} -------------------------------------------------------------------------------- /_site/resources/vulnerable-code-14.md: -------------------------------------------------------------------------------- 1 | ### SecurityExplained S-26: Vulnerable Code Snippet - 14 2 | 3 | #### Vulnerable Code: 4 | 5 | ![Vulnerable Code](../media/code-14.jpg) 6 | 7 | #### Solution: 8 | 9 | The code is vulnerable to code execution because a user-controlled value is passed to array_map() as the callback name. An attacker can supply the name of any PHP function, for example array.php?map=phpinfo, which causes the script to call phpinfo(). Because any callable name can be substituted, the callback must be restricted to an explicit allowlist rather than taken from the request. 
10 | 11 | ##### Code Credits: Octagon Networks 12 | 13 | [Follow Twitter Thread](https://twitter.com/harshbothra_/status/1486375951084961792?s=20&t=DGEwqEwXwFbWH0VXkOKVsQ) 14 | -------------------------------------------------------------------------------- /_site/resources/vulnerable-code-10.md: -------------------------------------------------------------------------------- 1 | ### SecurityExplained S-22: Vulnerable Code Snippet - 10 2 | 3 | #### Vulnerable Code: 4 | 5 | ![Vulnerable Code](../media/code-10.jpg) 6 | 7 | #### Solution: 8 | 9 | The code is vulnerable to authentication bypass: on line 10 the JWT is decoded without its signature being verified, so whatever claims the token carries are trusted as-is. An attacker can forge a token naming any user (no signing key is needed, since the signature is never checked) and log in as that user. The token's signature must be verified against the server's key before any claim is used. 10 | 11 | ##### Code Credits: SonarSource 12 | 13 | [Follow Twitter Thread](https://twitter.com/harshbothra_/status/1484947412443545602?s=20&t=DGEwqEwXwFbWH0VXkOKVsQ) 14 | -------------------------------------------------------------------------------- /_site/resources/vulnerable-code-13.md: -------------------------------------------------------------------------------- 1 | ### SecurityExplained S-25: Vulnerable Code Snippet - 13 2 | 3 | #### Vulnerable Code: 4 | 5 | ![Vulnerable Code](../media/code-13.jpg) 6 | 7 | #### Solution: 8 | 9 | The code is vulnerable to remote code execution via path traversal. A payload like this works: ?dir=../../../user/profile.png 10 | 11 | ##### Code Credits: Octagon Networks 12 | 13 | [Follow Twitter Thread](https://twitter.com/harshbothra_/status/1486000043165634562?s=20&t=DGEwqEwXwFbWH0VXkOKVsQ) 14 | -------------------------------------------------------------------------------- /_site/resources/vulnerable-code-24.md: -------------------------------------------------------------------------------- 1 | ### SecurityExplained S-37: Vulnerable Code Snippet - 24 2 | 3 | #### Vulnerable Code: 4 | 5 | ![Vulnerable Code](../media/code-24.jpg) 6 | 7 | 8 | #### Solution: 9 | 10 | The above code is vulnerable to Local File Inclusion (LFI): the user input received on lines 11 and 12 is used to build a file path without adequate sanitization, so an attacker can submit a traversal payload and read internal files on the server. 11 | 12 | Twitter Thread: https://twitter.com/harshbothra_/status/1490320844962377728 13 | 14 | ##### Code Credits: SonarSource -------------------------------------------------------------------------------- /_site/resources/vulnerable-code-8.md: -------------------------------------------------------------------------------- 1 | ### SecurityExplained S-20: Vulnerable Code Snippet - 8 2 | 3 | #### Vulnerable Code: 4 | 5 | ![Vulnerable Code](../media/code-8.jpg) 6 | 7 | #### Solution: 8 | 9 | The code is vulnerable to path traversal. A sanitization step is present, but it is not sufficient and can be bypassed with payloads such as ".\./.\.shell.jsp". Filtering known-bad sequences is fragile; canonicalize the resulting path and verify that it still lies under the intended base directory. 
10 | 11 | ##### Code Credits: SonarSource 12 | 13 | [Follow Twitter Thread](https://twitter.com/harshbothra_/status/1484208541707927554?s=20&t=DGEwqEwXwFbWH0VXkOKVsQ) 14 | -------------------------------------------------------------------------------- /_site/resources/vulnerable-code-4.md: -------------------------------------------------------------------------------- 1 | ### SecurityExplained S-16: Vulnerable Code Snippet - 4 2 | 3 | #### Vulnerable Code: 4 | 5 | ![Vulnerable Code](../media/code-4.jpg) 6 | 7 | #### Solution: 8 | 9 | The issue in this code snippet is that the upload check uses a denylist (blacklist) of forbidden file types instead of an allowlist (whitelist) of permitted ones. A denylist can only reject the extensions its author thought of, so an attacker can bypass it in multiple ways (an alternative executable extension, case variations or double extensions, depending on how the server is configured) and upload a malicious file to the server. 10 | 11 | ##### Code Credits: SonarSource 12 | 13 | [Follow Twitter Thread](https://twitter.com/harshbothra_/status/1482740498683285506?s=20&t=DGEwqEwXwFbWH0VXkOKVsQ) 14 | -------------------------------------------------------------------------------- /_site/resources/vulnerable-code-16.md: -------------------------------------------------------------------------------- 1 | ### SecurityExplained S-28: Vulnerable Code Snippet - 16 2 | 3 | #### Vulnerable Code: 4 | 5 | ![Vulnerable Code](../media/code-16.jpg) 6 | 7 | #### Solution: 8 | 9 | The code is vulnerable to XXE because it passes the `LIBXML_NOENT` flag to the XML parser. That flag tells libxml to substitute entities, including external ones, so the parser fetches and expands attacker-declared external entities even on PHP 8, where external entity loading is otherwise disabled by default. Remove `LIBXML_NOENT`, and never pass parser flags derived from user input. 
10 | 11 | Similar Issue: https://blog.sonarsource.com/wordpress-xxe-security-vulnerability 12 | 13 | ##### Code Credits: SonarSource 14 | 15 | [Follow Twitter Thread](https://twitter.com/harshbothra_/status/1487080467861889030?s=20&t=DGEwqEwXwFbWH0VXkOKVsQ) 16 | -------------------------------------------------------------------------------- /_site/resources/vulnerable-code-1.md: -------------------------------------------------------------------------------- 1 | ### SecurityExplained S-12: Vulnerable Code Snippet - 1 2 | 3 | #### Vulnerable Code: 4 | 5 | ![Vulnerable Code](../media/code-1.png) 6 | 7 | #### Solution: 8 | 9 | The above code is vulnerable to cross-site scripting attacks due to improper filtration! The encoding is missing a single quote (') and it is possible to execute an XSS with payloads such as: '+alert(1)+'. 10 | 11 | ##### Code Credits: OWASP Secure Coding Dojo 12 | 13 | [Follow Twitter Thread](https://twitter.com/harshbothra_/status/1481257258734727171?s=20&t=DGEwqEwXwFbWH0VXkOKVsQ) 14 | -------------------------------------------------------------------------------- /_sass/minimal-mistakes/vendor/breakpoint/parsers/double/_default.scss: -------------------------------------------------------------------------------- 1 | @function breakpoint-parse-double-default($first, $second) { 2 | $feature: ''; 3 | $value: ''; 4 | 5 | @if type-of($first) == 'string' { 6 | $feature: $first; 7 | $value: $second; 8 | } 9 | @else { 10 | $feature: $second; 11 | $value: $first; 12 | } 13 | 14 | // Set Context 15 | $context-setter: private-breakpoint-set-context($feature, $value); 16 | 17 | @if (breakpoint-get('to ems') == true) { 18 | $value: breakpoint-to-base-em($value); 19 | } 20 | 21 | @return '(#{$feature}: #{$value})' 22 | } 23 | -------------------------------------------------------------------------------- /_site/resources/vulnerable-code-11.md: -------------------------------------------------------------------------------- 1 | ### SecurityExplained 
S-23: Vulnerable Code Snippet - 11 2 | 3 | #### Vulnerable Code: 4 | 5 | ![Vulnerable Code](../media/code-11.jpg) 6 | 7 | #### Solution: 8 | 9 | This answer is by SonarSource: PHP serialized objects can be encoded in two ways, with the `O:` prefix and with the `C:` prefix (custom serialization through the Serializable interface). The blocklist only covers the first, so a payload using `C:` gets past it and arbitrary objects can still be deserialized! On its own that is not enough to get RCE, but it is a good start. Filtering the serialized string is the wrong approach; restrict unserialize() with its `allowed_classes` option, or avoid unserialize() on untrusted data altogether. 10 | 11 | ##### Code Credits: SonarSource 12 | 13 | [Follow Twitter Thread](https://twitter.com/harshbothra_/status/1485315700998938625?s=20&t=DGEwqEwXwFbWH0VXkOKVsQ) 14 | -------------------------------------------------------------------------------- /_site/resources/vulnerable-code-5.md: -------------------------------------------------------------------------------- 1 | ### SecurityExplained S-17: Vulnerable Code Snippet - 5 2 | 3 | #### Vulnerable Code: 4 | 5 | ![Vulnerable Code](../media/code-5.jpg) 6 | 7 | #### Solution: 8 | 9 | The issue in this code snippet is that uploaded files are stored without any extension, so Apache serves them without a Content-Type header. With no declared type, browsers MIME-sniff the content, and a file containing HTML is rendered as HTML, which leads to stored cross-site scripting. Serve user uploads with an explicit Content-Type and `X-Content-Type-Options: nosniff`, ideally from a separate origin. 
10 | 11 | ##### Code Credits: SonarSource 12 | 13 | [Follow Twitter Thread](https://twitter.com/harshbothra_/status/1483124633373409281?s=20&t=DGEwqEwXwFbWH0VXkOKVsQ) 14 | -------------------------------------------------------------------------------- /_includes/skip-links.html: -------------------------------------------------------------------------------- 1 | 9 | -------------------------------------------------------------------------------- /_site/resources/vulnerable-code-17.md: -------------------------------------------------------------------------------- 1 | ### SecurityExplained S-29: Vulnerable Code Snippet - 17 2 | 3 | #### Vulnerable Code: 4 | 5 | ![Vulnerable Code](../media/code-17.jpg) 6 | 7 | #### Solution: 8 | 9 | As per @SonarSource, isPrivileged() will always return true because casting an int to an int-based enum in C# never throws, even when no enum member corresponds to that number, so a check that relies on the cast failing can never reject a value. To make the check correct, it has to test whether the value is actually defined, e.g. return `Enum.IsDefined(typeof(PrivRoles), role)` (the thread writes this as `PrivRoles.IsDefined((PrivRoles) role)`, but enum types expose no such static member). 10 | 11 | ##### Code Credits: SonarSource 12 | 13 | [Follow Twitter Thread](https://twitter.com/harshbothra_/status/1487434398186508294?s=20&t=DGEwqEwXwFbWH0VXkOKVsQ) 14 | -------------------------------------------------------------------------------- /_site/resources/vulnerable-code-12.md: -------------------------------------------------------------------------------- 1 | ### SecurityExplained S-24: Vulnerable Code Snippet - 12 2 | 3 | #### Vulnerable Code: 4 | 5 | ![Vulnerable Code](../media/code-12.jpg) 6 | 7 | #### Solution: 8 | 9 | The code is vulnerable to prototype pollution, which in this context could even lead to remote code execution. The statement on line 12 uses a dangerous pattern: when `type` is set to `__proto__`, the property access resolves to `Object.prototype`, so `id` and `content` let the attacker set an arbitrary key and value on `Object.prototype` that every object then inherits. 
10 | 11 | ##### Code Credits: SonarSource 12 | 13 | [Follow Twitter Thread](https://twitter.com/harshbothra_/status/1485639304861069313?s=20&t=DGEwqEwXwFbWH0VXkOKVsQ) 14 | -------------------------------------------------------------------------------- /_site/resources/vulnerable-code-20.md: -------------------------------------------------------------------------------- 1 | ### SecurityExplained S-33: Vulnerable Code Snippet - 20 2 | 3 | #### Vulnerable Code: 4 | 5 | ![Vulnerable Code](../media/code-20.jpg) 6 | 7 | #### Solution: 8 | 9 | As per @SonarSource, The problem lies with the server reading 16 bytes on line 13 into its buffer without making sure that the string is null-terminated (the last byte of the buffer is null). Sending 16 non-null bytes to the server will return them and the adjacent buffer containing sensitive data! 10 | 11 | ##### Code Credits: SonarSource 12 | 13 | [Follow Twitter Thread](https://twitter.com/harshbothra_/status/1488907363184566275?s=20&t=DGEwqEwXwFbWH0VXkOKVsQ) 14 | -------------------------------------------------------------------------------- /_includes/analytics-providers/google.html: -------------------------------------------------------------------------------- 1 | 15 | -------------------------------------------------------------------------------- /_sass/minimal-mistakes/vendor/breakpoint/parsers/triple/_default.scss: -------------------------------------------------------------------------------- 1 | @function breakpoint-parse-triple-default($feature, $first, $second) { 2 | 3 | // Sort into min and max 4 | $min: min($first, $second); 5 | $max: max($first, $second); 6 | 7 | // Set Context 8 | $context-setter: private-breakpoint-set-context(min-#{$feature}, $min); 9 | $context-setter: private-breakpoint-set-context(max-#{$feature}, $max); 10 | 11 | // Make them EMs if need be 12 | @if (breakpoint-get('to ems') == true) { 13 | $min: breakpoint-to-base-em($min); 14 | $max: breakpoint-to-base-em($max); 15 | } 16 | 17 | 
@return '(min-#{$feature}: #{$min}) and (max-#{$feature}: #{$max})'; 18 | } 19 | -------------------------------------------------------------------------------- /_site/resources/vulnerable-code-22.md: -------------------------------------------------------------------------------- 1 | ### SecurityExplained S-35: Vulnerable Code Snippet - 22 2 | 3 | #### Vulnerable Code: 4 | 5 | ![Vulnerable Code](../media/code-22.jpg) 6 | 7 | #### Solution: 8 | 9 | As per @SonarSource, arbitrary arguments can be injected into the tar command because file names from /opt/webapp end up on its command line: creating a file named “-I touch shell” there is enough. tar's -I option names a compression program to run, so “touch shell” is executed; --checkpoint-action works too. This is argument injection rather than shell injection, so quoting does not help: put `--` before the file list (or prefix each name with `./`) so that file names can never be parsed as options. 10 | 11 | Twitter Thread: https://twitter.com/harshbothra_/status/1489630710025830400 12 | 13 | ##### Code Credits: SonarSource 14 | 15 | [Follow Twitter Thread](https://twitter.com/harshbothra_/status/1489630648159846400?s=20&t=DGEwqEwXwFbWH0VXkOKVsQ) 16 | -------------------------------------------------------------------------------- /_site/resources/vulnerable-code-6.md: -------------------------------------------------------------------------------- 1 | ### SecurityExplained S-18: Vulnerable Code Snippet - 6 2 | 3 | #### Vulnerable Code: 4 | 5 | ![Vulnerable Code](../media/code-6.jpg) 6 | 7 | #### Solution: 8 | 9 | The code is vulnerable to SSRF. Java's URI.resolve() returns its argument unchanged when that argument is an absolute URI, so a user-controlled path segment can replace the intended base URL entirely. By using http:/example.com# as the artifact name, the resolved URL starts with http:/example.com# (a URI with a scheme counts as absolute even with a single slash), and the OkHttp client accepts it when making the request, sending it to an attacker-chosen host. 
10 | 11 | ##### Code Credits: SonarSource 12 | 13 | [Follow Twitter Thread](https://twitter.com/harshbothra_/status/1483501885235417090?s=20&t=DGEwqEwXwFbWH0VXkOKVsQ) 14 | -------------------------------------------------------------------------------- /_site/resources/vulnerable-code-7.md: -------------------------------------------------------------------------------- 1 | ### SecurityExplained S-19: Vulnerable Code Snippet - 7 2 | 3 | #### Vulnerable Code: 4 | 5 | ![Vulnerable Code](../media/code-7.jpg) 6 | 7 | #### Solution: 8 | 9 | The code is vulnerable to Remote Code Execution via SQL Injection. As per SonarSource, addslashes() is not enough to protect against SQL injections because the interpolated value is not surrounded by quotes. This value is later used in the external shell call without proper escaping. 10 | 11 | A payload like 1--$(id>foo) is enough to gain RCE! 12 | 13 | ##### Code Credits: SonarSource 14 | 15 | [Follow Twitter Thread](https://twitter.com/harshbothra_/status/1483835811896655877?s=20&t=DGEwqEwXwFbWH0VXkOKVsQ) 16 | -------------------------------------------------------------------------------- /banner.js: -------------------------------------------------------------------------------- 1 | const fs = require("fs"); 2 | const pkg = require("./package.json"); 3 | const filename = "assets/js/main.min.js"; 4 | const script = fs.readFileSync(filename); 5 | const padStart = str => ("0" + str).slice(-2); 6 | const dateObj = new Date(); 7 | const date = `${dateObj.getFullYear()}-${padStart( 8 | dateObj.getMonth() + 1 9 | )}-${padStart(dateObj.getDate())}`; 10 | const banner = `/*! 
11 | * Minimal Mistakes Jekyll Theme ${pkg.version} by ${pkg.author} 12 | * Copyright 2013-${dateObj.getFullYear()} Michael Rose - mademistakes.com | @mmistakes 13 | * Licensed under ${pkg.license} 14 | */ 15 | `; 16 | 17 | if (script.slice(0, 3) != "/**") { 18 | fs.writeFileSync(filename, banner + script); 19 | } 20 | -------------------------------------------------------------------------------- /_posts/resources/2022-02-15-vulnerable-code-39.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: "Vulnerable Code Snippet - 39" 3 | classes: wide 4 | tag: 5 | - "" 6 | header: 7 | teaser: /assets/images/htb/htb.png 8 | ribbon: green 9 | description: "XPATH" 10 | categories: 11 | - Vulnerable Code Snippet 12 | --- 13 | 14 | ### SecurityExplained S-52: Vulnerable Code Snippet - 39 15 | 16 | #### Vulnerable Code: 17 | 18 | ![Vulnerable Code](https://raw.githubusercontent.com/harsh-bothra/SecurityExplained/main/media/code-39.jpg) 19 | 20 | 21 | #### Solution: 22 | 23 | This code is vulnerable to XPATH Injection. 🥷 24 | 25 | Twitter Thread: https://twitter.com/harshbothra_/status/1495542532784246784 26 | 27 | ##### Code Credits: @SonarSources 28 | -------------------------------------------------------------------------------- /_site/banner.js: -------------------------------------------------------------------------------- 1 | const fs = require("fs"); 2 | const pkg = require("./package.json"); 3 | const filename = "assets/js/main.min.js"; 4 | const script = fs.readFileSync(filename); 5 | const padStart = str => ("0" + str).slice(-2); 6 | const dateObj = new Date(); 7 | const date = `${dateObj.getFullYear()}-${padStart( 8 | dateObj.getMonth() + 1 9 | )}-${padStart(dateObj.getDate())}`; 10 | const banner = `/*! 
11 | * Minimal Mistakes Jekyll Theme ${pkg.version} by ${pkg.author} 12 | * Copyright 2013-${dateObj.getFullYear()} Michael Rose - mademistakes.com | @mmistakes 13 | * Licensed under ${pkg.license} 14 | */ 15 | `; 16 | 17 | if (script.slice(0, 3) != "/**") { 18 | fs.writeFileSync(filename, banner + script); 19 | } 20 | -------------------------------------------------------------------------------- /_site/resources/vulnerable-code-21.md: -------------------------------------------------------------------------------- 1 | ### SecurityExplained S-34: Vulnerable Code Snippet - 21 2 | 3 | #### Vulnerable Code: 4 | 5 | ![Vulnerable Code](../media/code-21.jpg) 6 | 7 | #### Solution: 8 | 9 | As per @SonarSource, This risk of DNS rebinding is always easy to overlook: Dns.GetHostEntry() does a first DNS query, validates the result against the allow-list, and then WebRequest does a second DNS query. Both DNS queries can have a different response, and unintended servers could be reached that way. Always work with the value you first validated! 
10 | 11 | ##### Code Credits: SonarSource 12 | 13 | [Follow Twitter Thread](https://twitter.com/harshbothra_/status/1489280271640055809?s=20&t=DGEwqEwXwFbWH0VXkOKVsQ) 14 | -------------------------------------------------------------------------------- /_sass/minimal-mistakes/vendor/breakpoint/parsers/double/_double-string.scss: -------------------------------------------------------------------------------- 1 | @function breakpoint-parse-double-string($first, $second) { 2 | $feature: ''; 3 | $value: ''; 4 | 5 | // Test to see which is the feature and which is the value 6 | @if (breakpoint-string-value($first) == true) { 7 | $feature: $first; 8 | $value: $second; 9 | } 10 | @else if (breakpoint-string-value($second) == true) { 11 | $feature: $second; 12 | $value: $first; 13 | } 14 | @else { 15 | @warn "Neither #{$first} nor #{$second} is a valid media query name."; 16 | } 17 | 18 | // Set Context 19 | $context-setter: private-breakpoint-set-context($feature, $value); 20 | 21 | @return '(#{$feature}: #{$value})'; 22 | } -------------------------------------------------------------------------------- /_includes/documents-collection.html: -------------------------------------------------------------------------------- 1 | {% assign entries = site[include.collection] %} 2 | 3 | {% if include.sort_by == 'title' %} 4 | {% if include.sort_order == 'reverse' %} 5 | {% assign entries = entries | sort: 'title' | reverse %} 6 | {% else %} 7 | {% assign entries = entries | sort: 'title' %} 8 | {% endif %} 9 | {% elsif include.sort_by == 'date' %} 10 | {% if include.sort_order == 'reverse' %} 11 | {% assign entries = entries | sort: 'date' | reverse %} 12 | {% else %} 13 | {% assign entries = entries | sort: 'date' %} 14 | {% endif %} 15 | {% endif %} 16 | 17 | {%- for post in entries -%} 18 | {%- unless post.hidden -%} 19 | {% include archive-single.html %} 20 | {%- endunless -%} 21 | {%- endfor -%} 22 | 
-------------------------------------------------------------------------------- /_includes/comments-providers/scripts.html: -------------------------------------------------------------------------------- 1 | {% if site.comments.provider and page.comments %} 2 | {% case site.comments.provider %} 3 | {% when "disqus" %} 4 | {% include /comments-providers/disqus.html %} 5 | {% when "discourse" %} 6 | {% include /comments-providers/discourse.html %} 7 | {% when "facebook" %} 8 | {% include /comments-providers/facebook.html %} 9 | {% when "staticman" %} 10 | {% include /comments-providers/staticman.html %} 11 | {% when "staticman_v2" %} 12 | {% include /comments-providers/staticman_v2.html %} 13 | {% when "utterances" %} 14 | {% include /comments-providers/utterances.html %} 15 | {% when "custom" %} 16 | {% include /comments-providers/custom.html %} 17 | {% endcase %} 18 | {% endif %} -------------------------------------------------------------------------------- /_site/resources/vulnerable-code-2.md: -------------------------------------------------------------------------------- 1 | ### SecurityExplained S-13: Vulnerable Code Snippet - 2 2 | 3 | #### Vulnerable Code: 4 | 5 | ![Vulnerable Code](../media/code-2.jpg) 6 | 7 | #### Solution: 8 | 9 | The above code is vulnerable to cross-site scripting: on line 15 a handler for `message` events is registered, and on line 13 that handler writes the event's data into the DOM as HTML. 10 | Nothing restricts who may send the message, so any site can embed this page in a frame and postMessage() an XSS payload to it. The handler must check `event.origin` against an allowlist, and message data should be inserted as text rather than HTML. 
11 | 12 | Similar Bug: https://blog.sonarsource.com/ghost-admin-takeover 13 | 14 | ##### Code Credits: SonarSource 15 | 16 | [Follow Twitter Thread](https://twitter.com/harshbothra_/status/1481606121991598081?s=20&t=DGEwqEwXwFbWH0VXkOKVsQ) 17 | -------------------------------------------------------------------------------- /_sass/minimal-mistakes/vendor/breakpoint/parsers/double/_default-pair.scss: -------------------------------------------------------------------------------- 1 | @function breakpoint-parse-default-pair($first, $second) { 2 | $default: breakpoint-get('default pair'); 3 | $min: ''; 4 | $max: ''; 5 | 6 | // Sort into min and max 7 | $min: min($first, $second); 8 | $max: max($first, $second); 9 | 10 | // Set Context 11 | $context-setter: private-breakpoint-set-context(min-#{$default}, $min); 12 | $context-setter: private-breakpoint-set-context(max-#{$default}, $max); 13 | 14 | // Make them EMs if need be 15 | @if (breakpoint-get('to ems') == true) { 16 | $min: breakpoint-to-base-em($min); 17 | $max: breakpoint-to-base-em($max); 18 | } 19 | 20 | @return '(min-#{$default}: #{$min}) and (max-#{$default}: #{$max})'; 21 | } 22 | -------------------------------------------------------------------------------- /_posts/resources/2022-02-15-vulnerable-code-23.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: "Vulnerable Code Snippet - 23" 3 | classes: wide 4 | tag: 5 | - "" 6 | header: 7 | teaser: /assets/images/htb/htb.png 8 | ribbon: green 9 | description: "XPATH" 10 | categories: 11 | - Vulnerable Code Snippet 12 | --- 13 | ### SecurityExplained S-36: Vulnerable Code Snippet - 23 14 | 15 | #### Vulnerable Code: 16 | 17 | ![Vulnerable Code](https://raw.githubusercontent.com/harsh-bothra/SecurityExplained/main/media/code-23.jpg) 18 | 19 | 20 | #### Solution: 21 | The code utilizes XPath queries and due to lack of sanitization on line-14, it is possible to perform XPATH injection. 
22 | 23 | Twitter Thread: https://twitter.com/harshbothra_/status/1489896229970792449 24 | ##### Code Credits: SonarSource 25 | -------------------------------------------------------------------------------- /_site/resources/vulnerable-code-19.md: -------------------------------------------------------------------------------- 1 | ### SecurityExplained S-31: Vulnerable Code Snippet - 19 2 | 3 | #### Vulnerable Code: 4 | 5 | ![Vulnerable Code](../media/code-19.jpg) 6 | 7 | #### Solution: 8 | 9 | As per @SonarSource, The regex at line 7 is correct in itself as it checks for the right characters. The bug lies in the g flag; it makes the regex object retain the last match index and will continue after that index when .test() is called again. Attackers could still use quotes, and perform the SQL injection, by sending their request two times in a row: the second regex check will start after the quote. 10 | 11 | ##### Code Credits: SonarSource 12 | 13 | [Follow Twitter Thread](https://twitter.com/harshbothra_/status/1488191330493014018?s=20&t=DGEwqEwXwFbWH0VXkOKVsQ) 14 | -------------------------------------------------------------------------------- /_includes/comments-providers/utterances.html: -------------------------------------------------------------------------------- 1 | 21 | -------------------------------------------------------------------------------- /_layouts/archive.html: -------------------------------------------------------------------------------- 1 | --- 2 | layout: default 3 | --- 4 | 5 | {% if page.header.overlay_color or page.header.overlay_image or page.header.image %} 6 | {% include page__hero.html %} 7 | {% elsif page.header.video.id and page.header.video.provider %} 8 | {% include page__hero_video.html %} 9 | {% endif %} 10 | 11 | {% if page.url != "/" and site.breadcrumbs %} 12 | {% unless paginator %} 13 | {% include breadcrumbs.html %} 14 | {% endunless %} 15 | {% endif %} 16 | 17 |
18 | {% include sidebar.html %} 19 | 20 |
21 | {% unless page.header.overlay_color or page.header.overlay_image %} 22 |

{{ page.title }}

23 | {% endunless %} 24 | {{ content }} 25 |
26 |
-------------------------------------------------------------------------------- /_posts/resources/2022-02-15-vulnerable-code-38.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: "Vulnerable Code Snippet - 38" 3 | classes: wide 4 | tag: 5 | - "" 6 | header: 7 | teaser: /assets/images/htb/htb.png 8 | ribbon: green 9 | description: "DOM XSS" 10 | categories: 11 | - Vulnerable Code Snippet 12 | --- 13 | ### SecurityExplained S-51: Vulnerable Code Snippet - 38 14 | 15 | #### Vulnerable Code: 16 | 17 | ![Vulnerable Code](https://raw.githubusercontent.com/harsh-bothra/SecurityExplained/main/media/code-38.jpg) 18 | 19 | 20 | #### Solution: 21 | 22 | The code is vulnerable to DOM-based XSS and allows execution of XSS using "s" parameter using payloads like: x'onmouseover=alert(1)// 23 | 24 | Twitter Thread: https://twitter.com/harshbothra_/status/1495224184611524608 25 | 26 | ##### Code Credits: @Brumens2 27 | -------------------------------------------------------------------------------- /_includes/read-time.html: -------------------------------------------------------------------------------- 1 | {% assign words_per_minute = page.words_per_minute | default: site.words_per_minute | default: 200 %} 2 | 3 | {% if post.read_time %} 4 | {% assign words = post.content | strip_html | number_of_words %} 5 | {% elsif page.read_time %} 6 | {% assign words = page.content | strip_html | number_of_words %} 7 | {% endif %} 8 | 9 | {% if words < words_per_minute %} 10 | {{ site.data.ui-text[site.locale].less_than | default: "less than" }} 1 {{ site.data.ui-text[site.locale].minute_read | default: "minute read" }} 11 | {% elsif words == words_per_minute %} 12 | 1 {{ site.data.ui-text[site.locale].minute_read | default: "minute read" }} 13 | {% else %} 14 | {{ words | divided_by:words_per_minute }} {{ site.data.ui-text[site.locale].minute_read | default: "minute read" }} 15 | {% endif %} 16 | 
-------------------------------------------------------------------------------- /_site/resources/vulnerable-code-18.md: -------------------------------------------------------------------------------- 1 | ### SecurityExplained S-30: Vulnerable Code Snippet - 18 2 | 3 | #### Vulnerable Code: 4 | 5 | ![Vulnerable Code](../media/code-18.jpg) 6 | 7 | #### Solution: 8 | 9 | As per SonarSource, at line 9 the email is converted to uppercase before it is used in the SQL query. On Unicode input this has the unintended effect that two distinct code points can map to the same uppercase character (a case-mapping collision). 10 | 11 | It can be used to get the password reset token sent to an attacker-controlled address and take over the victim's account, because the lookup matches the victim's row while the mail goes to the address the attacker typed: 12 | 13 | foo@mix.com -> FOO@MIX.COM 14 | foo@mıx.com -> FOO@MIX.COM (the dotless ı, U+0131, uppercases to the ASCII letter I) 15 | 16 | Interesting Blog: https://t.co/UxdZJQxzc1 17 | 18 | ##### Code Credits: SonarSource 19 | 20 | [Follow Twitter Thread](https://twitter.com/harshbothra_/status/1487850861770731520?s=20&t=DGEwqEwXwFbWH0VXkOKVsQ) 21 | -------------------------------------------------------------------------------- /_posts/resources/2022-02-15-vulnerable-code-36.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: "Vulnerable Code Snippet - 36" 3 | classes: wide 4 | tag: 5 | - "" 6 | header: 7 | teaser: /assets/images/htb/htb.png 8 | ribbon: green 9 | description: "SSRF" 10 | categories: 11 | - Vulnerable Code Snippet 12 | --- 13 | ### SecurityExplained S-49: Vulnerable Code Snippet - 36 14 | 15 | #### Vulnerable Code: 16 | 17 | ![Vulnerable Code](https://raw.githubusercontent.com/harsh-bothra/SecurityExplained/main/media/code-36.jpg) 18 | 19 | 20 | #### Solution: 21 | 22 | This code is vulnerable to Server-Side Request Forgery because the value of "connName" is not properly validated before it is used to build the outbound request; an attacker who controls it can make the server send requests to hosts of their choosing. 
23 | 24 | Twitter Thread: https://twitter.com/harshbothra_/status/1494127206552985605 25 | 26 | ##### Code Credits: @SonarSource 27 | -------------------------------------------------------------------------------- /_site/resources/vulnerable-code-9.md: -------------------------------------------------------------------------------- 1 | ### SecurityExplained S-21: Vulnerable Code Snippet - 9 2 | 3 | #### Vulnerable Code: 4 | 5 | ![Vulnerable Code](../media/code-9.jpg) 6 | 7 | #### Solution: 8 | 9 | The code is vulnerable to Remote Code Execution by uploading a malicious file named as `img-converter.exe` that will then be executed instead of the one installed on the system. 10 | 11 | As per Sonar Source, When executing commands by name (e.g. `img-converter`) on Windows, the OS looks for the executable in the current directory first and only after that in the PATH. This applies here because the command is executed in the directory where the file is copied to. 12 | 13 | ##### Code Credits: SonarSource 14 | 15 | [Follow Twitter Thread](https://twitter.com/harshbothra_/status/1484590293483945984?s=20&t=DGEwqEwXwFbWH0VXkOKVsQ) 16 | -------------------------------------------------------------------------------- /_includes/sidebar.html: -------------------------------------------------------------------------------- 1 | {% if page.author_profile or layout.author_profile or page.sidebar %} 2 | 19 | {% endif %} 20 | -------------------------------------------------------------------------------- /_posts/resources/2022-02-15-vulnerable-code-40.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: "Vulnerable Code Snippet - 40" 3 | classes: wide 4 | tag: 5 | - "" 6 | header: 7 | teaser: /assets/images/htb/htb.png 8 | ribbon: green 9 | description: "LFI" 10 | categories: 11 | - Vulnerable Code Snippet 12 | --- 13 | ### SecurityExplained S-53: Vulnerable Code Snippet - 40 14 | 15 | #### Vulnerable Code: 16 | 17 | ![Vulnerable 
Code](https://raw.githubusercontent.com/harsh-bothra/SecurityExplained/main/media/code-40.jpg) 18 | 19 | 20 | #### Solution: 21 | 22 | This code is vulnerable to Local File Inclusion as the backslash character, which Windows also accepts as a directory separator, can be used in a path traversal sequence (`..\`) that the check does not account for, disclosing arbitrary files from the (Windows) host. 23 | 24 | Twitter Thread: https://twitter.com/harshbothra_/status/1495950722000580608 25 | 26 | ##### Code Credits: @SonarSources 27 | -------------------------------------------------------------------------------- /_site/resources/vulnerable-code-3.md: -------------------------------------------------------------------------------- 1 | ### SecurityExplained S-15: Vulnerable Code Snippet - 3 2 | 3 | #### Vulnerable Code: 4 | 5 | ![Vulnerable Code](../media/code-3.jpg) 6 | 7 | #### Solution: 8 | 9 | The issue lies in line 11, in the use of "os.path.join()": an attacker can read arbitrary files by supplying a malicious value through the img variable. 10 | 11 | As documented, when one of the components passed to "os.path.join()" is an absolute path, all previous components are discarded. 12 | 13 | Hence `os.path.join("harsh", "/etc/passwd")` returns "/etc/passwd", and the code ends up opening the sensitive file. Joining is not a containment check: resolve the final path (e.g. with os.path.realpath) and verify it is still inside the intended base directory. 
14 | 15 | ##### Code Credits: SonarSource 16 | 17 | [Follow Twitter Thread](https://twitter.com/harshbothra_/status/1482316119101030411?s=20&t=DGEwqEwXwFbWH0VXkOKVsQ) 18 | -------------------------------------------------------------------------------- /_posts/resources/2022-02-15-vulnerable-code-45.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: "Vulnerable Code Snippet - 45" 3 | classes: wide 4 | tag: 5 | - "" 6 | header: 7 | teaser: /assets/images/htb/htb.png 8 | ribbon: green 9 | description: "Path Traversal" 10 | categories: 11 | - Vulnerable Code Snippet 12 | --- 13 | 14 | ### SecurityExplained S-58: Vulnerable Code Snippet - 45 15 | 16 | #### Vulnerable Code: 17 | 18 | ![Vulnerable Code](https://raw.githubusercontent.com/harsh-bothra/SecurityExplained/main/media/code-38.jpg) 19 | 20 | 21 | #### Solution: 22 | 23 | This code is vulnerable to Path Traversal Attack. More information could be found here: https://sonarcloud.io/summary/overall?id=SonarSourceResearch_2020_calendar_15 24 | 25 | Twitter Thread: https://twitter.com/harshbothra_/status/1497776001018859523 26 | 27 | ##### Code Credits: @SonarSource 28 | -------------------------------------------------------------------------------- /_site/resources/vulnerable-code-15.md: -------------------------------------------------------------------------------- 1 | ### SecurityExplained S-27: Vulnerable Code Snippet - 15 2 | 3 | #### Vulnerable Code: 4 | 5 | ![Vulnerable Code](../media/code-15.jpg) 6 | 7 | #### Solution: 8 | 9 | As per SonarSource, There is a ToCToU (Time of Check - Time of Use) bug: if the file does not exist at the time of the checks, they will be skipped. Attackers could create a symlink at /tmp/logs.txt right before the call to fopen(), and write to an unintended destination! It's very common to find file checks vulnerable to such ToCToU bugs. 
The best way to avoid it is to perform these operations in directories with restrictive permissions and to prefer file descriptors to paths (fstat, etc.). 10 | 11 | ##### Code Credits: SonarSource 12 | 13 | [Follow Twitter Thread](https://twitter.com/harshbothra_/status/1486753867047997442?s=20&t=DGEwqEwXwFbWH0VXkOKVsQ) 14 | -------------------------------------------------------------------------------- /_posts/resources/2022-02-15-vulnerable-code-43.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: "Vulnerable Code Snippet - 43" 3 | classes: wide 4 | tag: 5 | - "" 6 | header: 7 | teaser: /assets/images/htb/htb.png 8 | ribbon: green 9 | description: "Command Injection" 10 | categories: 11 | - Vulnerable Code Snippet 12 | --- 13 | ### SecurityExplained S-56: Vulnerable Code Snippet - 43 14 | 15 | #### Vulnerable Code: 16 | 17 | ![Vulnerable Code](https://raw.githubusercontent.com/harsh-bothra/SecurityExplained/main/media/code-43.jpg) 18 | 19 | 20 | #### Solution: 21 | 22 | This code is vulnerable to Command Injection as an attacker can inject malicious shell commands into the name of an uploaded file by using characters such as ";" or "`" to start a new command. 
23 | 24 | Twitter Thread: https://twitter.com/harshbothra_/status/1496993342378242063 25 | 26 | ##### Code Credits: @SonarSource 27 | -------------------------------------------------------------------------------- /_sass/minimal-mistakes/skins/_mint.scss: -------------------------------------------------------------------------------- 1 | /* ========================================================================== 2 | Mint skin 3 | ========================================================================== */ 4 | 5 | /* Colors */ 6 | $background-color: #f3f6f6 !default; 7 | $text-color: #40514e !default; 8 | $muted-text-color: #40514e !default; 9 | $primary-color: #11999e !default; 10 | $border-color: mix(#fff, #40514e, 75%) !default; 11 | $footer-background-color: #30e3ca !default; 12 | $link-color: #11999e !default; 13 | $masthead-link-color: $text-color !default; 14 | $masthead-link-color-hover: $text-color !default; 15 | $navicon-link-color-hover: mix(#fff, $text-color, 80%) !default; 16 | 17 | .page__footer { 18 | color: #fff !important; // override 19 | } 20 | 21 | .page__footer-follow .social-icons .svg-inline--fa { 22 | color: inherit; 23 | } 24 | -------------------------------------------------------------------------------- /_includes/comments-providers/disqus.html: -------------------------------------------------------------------------------- 1 | {% if site.comments.disqus.shortname %} 2 | 14 | 15 | {% endif %} 16 | -------------------------------------------------------------------------------- /_sass/minimal-mistakes/skins/_air.scss: -------------------------------------------------------------------------------- 1 | /* ========================================================================== 2 | Air skin 3 | ========================================================================== */ 4 | 5 | /* Colors */ 6 | $background-color: #eeeeee !default; 7 | $text-color: #222831 !default; 8 | $muted-text-color: #393e46 !default; 9 | $primary-color: 
#0092ca !default; 10 | $border-color: mix(#fff, #393e46, 75%) !default; 11 | $footer-background-color: $primary-color !default; 12 | $link-color: #393e46 !default; 13 | $masthead-link-color: $text-color !default; 14 | $masthead-link-color-hover: $text-color !default; 15 | $navicon-link-color-hover: mix(#fff, $text-color, 80%) !default; 16 | 17 | .page__footer { 18 | color: #fff !important; // override 19 | } 20 | 21 | .page__footer-follow .social-icons .svg-inline--fa { 22 | color: inherit; 23 | } 24 | -------------------------------------------------------------------------------- /_sass/minimal-mistakes/vendor/breakpoint/parsers/_single.scss: -------------------------------------------------------------------------------- 1 | ////////////////////////////// 2 | // Import Pieces 3 | ////////////////////////////// 4 | @import "single/default"; 5 | 6 | @function breakpoint-parse-single($feature, $empty-media, $first) { 7 | $parsed: ''; 8 | $leader: ''; 9 | // If we're forcing 10 | @if not ($empty-media) or not ($first) { 11 | $leader: 'and '; 12 | } 13 | 14 | // If it's a single feature that can stand alone, we let it 15 | @if (breakpoint-single-string($feature)) { 16 | $parsed: $feature; 17 | // Set Context 18 | $context-setter: private-breakpoint-set-context($feature, $feature); 19 | } 20 | // If it's not a stand alone feature, we pass it off to the default handler. 
21 | @else { 22 | $parsed: breakpoint-parse-default($feature); 23 | } 24 | 25 | @return $leader + '(' + $parsed + ')'; 26 | } 27 | -------------------------------------------------------------------------------- /_posts/resources/2022-02-15-vulnerable-code-14.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: "Vulnerable Code Snippet - 14" 3 | classes: wide 4 | tag: 5 | - "" 6 | header: 7 | teaser: /assets/images/htb/htb.png 8 | ribbon: green 9 | description: "Code Execution" 10 | categories: 11 | - Vulnerable Code Snippet 12 | --- 13 | ### SecurityExplained S-26: Vulnerable Code Snippet - 14 14 | 15 | #### Vulnerable Code: 16 | 17 | ![Vulnerable Code](https://raw.githubusercontent.com/harsh-bothra/SecurityExplained/main/media/code-14.jpg) 18 | 19 | #### Solution: 20 | 21 | The code is vulnerable to code execution due to the use of the array_map() function. An attacker can perform an attack like array.php?map=phpinfo, which executes phpinfo(). 
22 | 23 | ##### Code Credits: Octagon Networks 24 | 25 | [Follow Twitter Thread](https://twitter.com/harshbothra_/status/1486375951084961792?s=20&t=DGEwqEwXwFbWH0VXkOKVsQ) 26 | -------------------------------------------------------------------------------- /_sass/minimal-mistakes/_tables.scss: -------------------------------------------------------------------------------- 1 | /* ========================================================================== 2 | TABLES 3 | ========================================================================== */ 4 | 5 | table { 6 | display: block; 7 | margin-bottom: 1em; 8 | width: 100%; 9 | font-family: $global-font-family; 10 | font-size: $type-size-6; 11 | border-collapse: collapse; 12 | overflow-x: auto; 13 | 14 | & + table { 15 | margin-top: 1em; 16 | } 17 | } 18 | 19 | thead { 20 | background-color: $border-color; 21 | border-bottom: 2px solid mix(#000, $border-color, 25%); 22 | } 23 | 24 | th { 25 | padding: 0.5em; 26 | font-weight: bold; 27 | text-align: left; 28 | } 29 | 30 | td { 31 | padding: 0.5em; 32 | border-bottom: 1px solid mix(#000, $border-color, 25%); 33 | } 34 | 35 | tr, 36 | td, 37 | th { 38 | vertical-align: middle; 39 | } -------------------------------------------------------------------------------- /_posts/resources/2022-02-15-vulnerable-code-10.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: "Vulnerable Code Snippet - 10" 3 | classes: wide 4 | tag: 5 | - "" 6 | header: 7 | teaser: /assets/images/htb/htb.png 8 | ribbon: green 9 | description: "authentication bypass" 10 | categories: 11 | - Vulnerable Code Snippet 12 | --- 13 | ### SecurityExplained S-22: Vulnerable Code Snippet - 10 14 | 15 | #### Vulnerable Code: 16 | 17 | ![Vulnerable Code](https://raw.githubusercontent.com/harsh-bothra/SecurityExplained/main/media/code-10.jpg) 18 | 19 | #### Solution: 20 | 21 | The code is vulnerable to authentication bypass vulnerability. 
An attacker can impersonate and log in as any user because at line-10 the code doesn't validate the JWT signature. 22 | 23 | ##### Code Credits: SonarSource 24 | 25 | [Follow Twitter Thread](https://twitter.com/harshbothra_/status/1484947412443545602?s=20&t=DGEwqEwXwFbWH0VXkOKVsQ) 26 | -------------------------------------------------------------------------------- /_posts/resources/2022-02-15-vulnerable-code-13.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: "Vulnerable Code Snippet - 13" 3 | classes: wide 4 | tag: 5 | - "" 6 | header: 7 | teaser: /assets/images/htb/htb.png 8 | ribbon: green 9 | description: "RCE via Path Traversal" 10 | categories: 11 | - Vulnerable Code Snippet 12 | --- 13 | ### SecurityExplained S-25: Vulnerable Code Snippet - 13 14 | 15 | #### Vulnerable Code: 16 | 17 | ![Vulnerable Code](https://raw.githubusercontent.com/harsh-bothra/SecurityExplained/main/media/code-13.jpg) 18 | 19 | #### Solution: 20 | 21 | The code is vulnerable to remote code execution via Path Traversal. A payload like this works: ?dir=

../../../user/profile.png 22 | 23 | ##### Code Credits: Octagon Networks 24 | 25 | [Follow Twitter Thread](https://twitter.com/harshbothra_/status/1486000043165634562?s=20&t=DGEwqEwXwFbWH0VXkOKVsQ) 26 | -------------------------------------------------------------------------------- /_posts/resources/2022-02-15-vulnerable-code-24.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: "Vulnerable Code Snippet - 24" 3 | classes: wide 4 | tag: 5 | - "" 6 | header: 7 | teaser: /assets/images/htb/htb.png 8 | ribbon: green 9 | description: "LFI" 10 | categories: 11 | - Vulnerable Code Snippet 12 | --- 13 | ### SecurityExplained S-37: Vulnerable Code Snippet - 24 14 | 15 | #### Vulnerable Code: 16 | 17 | ![Vulnerable Code](https://raw.githubusercontent.com/harsh-bothra/SecurityExplained/main/media/code-24.jpg) 18 | 19 | 20 | #### Solution: 21 | 22 | The above code is vulnerable to Local File Inclusion (LFI) due to improper sanitization of the user input received on line-11 and line-12. An attacker may attempt to submit a malicious payload and gain access to internal files. 
23 | 24 | Twitter Thread: https://twitter.com/harshbothra_/status/1490320844962377728 25 | 26 | ##### Code Credits: SonarSource 27 | -------------------------------------------------------------------------------- /_posts/resources/2022-02-15-vulnerable-code-33.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: "Vulnerable Code Snippet - 33" 3 | classes: wide 4 | tag: 5 | - "" 6 | header: 7 | teaser: /assets/images/htb/htb.png 8 | ribbon: green 9 | description: "RCE via SSTI" 10 | categories: 11 | - Vulnerable Code Snippet 12 | --- 13 | 14 | ### SecurityExplained S-46: Vulnerable Code Snippet - 33 15 | 16 | #### Vulnerable Code: 17 | 18 | ![Vulnerable Code](https://raw.githubusercontent.com/harsh-bothra/SecurityExplained/main/media/code-33.jpg) 19 | 20 | 21 | #### Solution: 22 | 23 | This code is vulnerable to RCE via SSTI due to improper filtration. Additionally, the replace() function is case sensitive and the filters can be bypassed by case juggling to execute an XSS attack as well. 24 | 25 | Twitter Thread: https://twitter.com/harshbothra_/status/1493412245404938241 26 | 27 | ##### Code Credits: @0xryuk 28 | 29 | -------------------------------------------------------------------------------- /_posts/resources/2022-02-15-vulnerable-code-08.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: "Vulnerable Code Snippet - 8" 3 | classes: wide 4 | tag: 5 | - "" 6 | header: 7 | teaser: /assets/images/htb/htb.png 8 | ribbon: green 9 | description: "Path Traversal" 10 | categories: 11 | - Vulnerable Code Snippet 12 | --- 13 | ### SecurityExplained S-20: Vulnerable Code Snippet - 8 14 | 15 | #### Vulnerable Code: 16 | 17 | ![Vulnerable Code](https://raw.githubusercontent.com/harsh-bothra/SecurityExplained/main/media/code-8.jpg) 18 | 19 | #### Solution: 20 | 21 | The code is vulnerable to path traversal attack. 
There is sanitization against this attack, but the protection is not sufficient and can be bypassed with payloads such as ".\./.\.shell.jsp". 22 | 23 | ##### Code Credits: SonarSource 24 | 25 | [Follow Twitter Thread](https://twitter.com/harshbothra_/status/1484208541707927554?s=20&t=DGEwqEwXwFbWH0VXkOKVsQ) 26 | -------------------------------------------------------------------------------- /_posts/resources/2022-02-15-vulnerable-code-04.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: "Vulnerable Code Snippet - 4" 3 | classes: wide 4 | tag: 5 | - "" 6 | header: 7 | teaser: /assets/images/htb/htb.png 8 | ribbon: green 9 | description: "File Upload" 10 | categories: 11 | - Vulnerable Code Snippet 12 | --- 13 | ### SecurityExplained S-16: Vulnerable Code Snippet - 4 14 | 15 | #### Vulnerable Code: 16 | 17 | ![Vulnerable Code](https://raw.githubusercontent.com/harsh-bothra/SecurityExplained/main/media/code-4.jpg) 18 | 19 | #### Solution: 20 | 21 | The issue in this code snippet is the use of a Blacklist (Denylist) instead of a Whitelist (Allowlist). An attacker can bypass this protection in multiple ways and upload a malicious file to the server. 
22 | 23 | ##### Code Credits: SonarSource 24 | 25 | [Follow Twitter Thread](https://twitter.com/harshbothra_/status/1482740498683285506?s=20&t=DGEwqEwXwFbWH0VXkOKVsQ) 26 | -------------------------------------------------------------------------------- /_posts/resources/2022-02-15-vulnerable-code-16.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: "Vulnerable Code Snippet - 16" 3 | classes: wide 4 | tag: 5 | - "" 6 | header: 7 | teaser: /assets/images/htb/htb.png 8 | ribbon: green 9 | description: "XXE" 10 | categories: 11 | - Vulnerable Code Snippet 12 | --- 13 | ### SecurityExplained S-28: Vulnerable Code Snippet - 16 14 | 15 | #### Vulnerable Code: 16 | 17 | ![Vulnerable Code](https://raw.githubusercontent.com/harsh-bothra/SecurityExplained/main/media/code-16.jpg) 18 | 19 | #### Solution: 20 | 21 | The code is vulnerable to an XXE attack because the use of `LIBXML_NOENT` enables external entity loading in PHP 8. 22 | 23 | Similar Issue: https://blog.sonarsource.com/wordpress-xxe-security-vulnerability 24 | 25 | ##### Code Credits: SonarSource 26 | 27 | [Follow Twitter Thread](https://twitter.com/harshbothra_/status/1487080467861889030?s=20&t=DGEwqEwXwFbWH0VXkOKVsQ) 28 | -------------------------------------------------------------------------------- /_posts/resources/2022-02-15-vulnerable-code-34.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: "Vulnerable Code Snippet - 34" 3 | classes: wide 4 | tag: 5 | - "" 6 | header: 7 | teaser: /assets/images/htb/htb.png 8 | ribbon: green 9 | description: "IDOR" 10 | categories: 11 | - Vulnerable Code Snippet 12 | --- 13 | ### SecurityExplained S-47: Vulnerable Code Snippet - 34 14 | 15 | #### Vulnerable Code: 16 | 17 | ![Vulnerable Code](https://raw.githubusercontent.com/harsh-bothra/SecurityExplained/main/media/code-34.jpg) 18 | 19 | 20 | #### Solution: 21 | 22 | This code is vulnerable to IDOR as the user_id 
and record_id are not properly protected by authorization checks; as a result, an attacker who can guess or knows these two parameters can access other users' information. 23 | 24 | Twitter Thread: https://twitter.com/harshbothra_/status/1493789734392373253 25 | 26 | ##### Code Credits: @ChetanyaKunndra 27 | 28 | -------------------------------------------------------------------------------- /_posts/resources/2022-02-15-vulnerable-code-32.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: "Vulnerable Code Snippet - 32" 3 | classes: wide 4 | tag: 5 | - "" 6 | header: 7 | teaser: /assets/images/htb/htb.png 8 | ribbon: green 9 | description: "Open Redirect" 10 | categories: 11 | - Vulnerable Code Snippet 12 | --- 13 | 14 | ### SecurityExplained S-45: Vulnerable Code Snippet - 32 15 | 16 | #### Vulnerable Code: 17 | 18 | ![Vulnerable Code](https://raw.githubusercontent.com/harsh-bothra/SecurityExplained/main/media/code-32.jpg) 19 | 20 | 21 | #### Solution: 22 | 23 | This code is vulnerable to an open redirection attack as the function "get_success_url" on line-27 doesn't properly implement the checks and the "Next" parameter is not validated against any whitelist. This may result in an open redirect. 
24 | 25 | Twitter Thread: https://twitter.com/harshbothra_/status/1493042310589947906 26 | 27 | ##### Code Credits: @SonarSource 28 | -------------------------------------------------------------------------------- /_layouts/archive-taxonomy.html: -------------------------------------------------------------------------------- 1 | --- 2 | layout: default 3 | author_profile: false 4 | --- 5 | 6 | {% if page.header.overlay_color or page.header.overlay_image or page.header.image %} 7 | {% include page__hero.html %} 8 | {% elsif page.header.video.id and page.header.video.provider %} 9 | {% include page__hero_video.html %} 10 | {% endif %} 11 | 12 | {% if page.url != "/" and site.breadcrumbs %} 13 | {% unless paginator %} 14 | {% include breadcrumbs.html %} 15 | {% endunless %} 16 | {% endif %} 17 | 18 |
19 | {% include sidebar.html %} 20 | 21 |
22 | {% unless page.header.overlay_color or page.header.overlay_image %} 23 |

{{ page.title }}

24 | {% endunless %} 25 | {% for post in page.posts %} 26 | {% include archive-single.html %} 27 | {% endfor %} 28 |
29 |
30 | -------------------------------------------------------------------------------- /_posts/resources/2022-02-15-vulnerable-code-26.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: "Vulnerable Code Snippet - 26" 3 | classes: wide 4 | tag: 5 | - "" 6 | header: 7 | teaser: /assets/images/htb/htb.png 8 | ribbon: green 9 | description: "SQLi" 10 | categories: 11 | - Vulnerable Code Snippet 12 | --- 13 | ### SecurityExplained S-39: Vulnerable Code Snippet - 26 14 | 15 | #### Vulnerable Code: 16 | 17 | ![Vulnerable Code](https://raw.githubusercontent.com/harsh-bothra/SecurityExplained/main/media/code-26.jpg) 18 | 19 | 20 | #### Solution: 21 | 22 | This code demonstrates a basic SQL Injection vulnerability. As observed in the code, there is no sanitization performed & the user-controlled input is directly supplied. Looking at Line-19, it can be clearly seen as an SQLi issue. 23 | 24 | 25 | Twitter Thread: https://twitter.com/harshbothra_/status/1490792057597616128 26 | 27 | ##### Code Credits: @ChetanyaKunndra 28 | 29 | -------------------------------------------------------------------------------- /_posts/resources/2022-02-15-vulnerable-code-01.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: "Vulnerable Code Snippet - 1" 3 | classes: wide 4 | tag: 5 | - "" 6 | header: 7 | teaser: /assets/images/htb/htb.png 8 | ribbon: green 9 | description: "XSS" 10 | categories: 11 | - Vulnerable Code Snippet 12 | --- 13 | 14 | 15 | ### SecurityExplained S-12: Vulnerable Code Snippet - 1 16 | 17 | #### Vulnerable Code: 18 | 19 | ![Vulnerable Code](https://raw.githubusercontent.com/harsh-bothra/SecurityExplained/main/media/code-1.png) 20 | 21 | #### Solution: 22 | 23 | The above code is vulnerable to cross-site scripting attacks due to improper filtration! The encoding is missing a single quote (') and it is possible to execute an XSS with payloads such as: '+alert(1)+'. 
24 | 25 | ##### Code Credits: OWASP Secure Coding Dojo 26 | 27 | [Follow Twitter Thread](https://twitter.com/harshbothra_/status/1481257258734727171?s=20&t=DGEwqEwXwFbWH0VXkOKVsQ) 28 | -------------------------------------------------------------------------------- /_posts/resources/2022-02-15-vulnerable-code-30.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: "Vulnerable Code Snippet - 30" 3 | classes: wide 4 | tag: 5 | - "" 6 | header: 7 | teaser: /assets/images/htb/htb.png 8 | ribbon: green 9 | description: "RCE via SSTI" 10 | categories: 11 | - Vulnerable Code Snippet 12 | --- 13 | ### SecurityExplained S-43: Vulnerable Code Snippet - 30 14 | 15 | #### Vulnerable Code: 16 | 17 | ![Vulnerable Code](https://raw.githubusercontent.com/harsh-bothra/SecurityExplained/main/media/code-30.jpg) 18 | 19 | 20 | #### Solution: 21 | 22 | 23 | This code is vulnerable to SSTI and as a result, an attacker may attempt to gain RCE. The code uses "user input" to search in its store. However, it does not filter the return value of the template render. 
24 | 25 | Ex Payload: {{10-6}} => 4 26 | 27 | 28 | Twitter Thread: https://twitter.com/harshbothra_/status/1492332636756398083 29 | 30 | ##### Code Credits: @Brumens2 31 | 32 | -------------------------------------------------------------------------------- /_includes/comments-providers/discourse.html: -------------------------------------------------------------------------------- 1 | {% if site.comments.discourse.server %} 2 | {% capture canonical %}{% if site.permalink contains '.html' %}{{ page.url | absolute_url }}{% else %}{{ page.url | absolute_url | remove:'index.html' | strip_slash }}{% endif %}{% endcapture %} 3 | 12 | 13 | {% endif %} 14 | -------------------------------------------------------------------------------- /_posts/resources/2022-02-15-vulnerable-code-28.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: "Vulnerable Code Snippet - 28" 3 | classes: wide 4 | tag: 5 | - "" 6 | header: 7 | teaser: /assets/images/htb/htb.png 8 | ribbon: green 9 | description: "IDOR" 10 | categories: 11 | - Vulnerable Code Snippet 12 | --- 13 | ### SecurityExplained S-41: Vulnerable Code Snippet - 28 14 | 15 | #### Vulnerable Code: 16 | 17 | ![Vulnerable Code](https://raw.githubusercontent.com/harsh-bothra/SecurityExplained/main/media/code-28.jpg) 18 | 19 | 20 | #### Solution: 21 | 22 | 23 | @Brumens2 explained that this code is vulnerable to Insecure Direct Object Reference. The issue is that the if statement on line-17 checks with "==" and not "&&". This means that, irrespective of whether the condition is "true" or "false", it will grant the permission. 
24 | 25 | 26 | 27 | Twitter Thread: https://twitter.com/harshbothra_/status/1491644512204394498 28 | 29 | ##### Code Credits: @Brumens2 30 | 31 | -------------------------------------------------------------------------------- /_site/resources/vulnerable-code-25.md: -------------------------------------------------------------------------------- 1 | ### SecurityExplained S-38: Vulnerable Code Snippet - 25 2 | 3 | #### Vulnerable Code: 4 | 5 | ![Vulnerable Code](../media/code-25.jpg) 6 | 7 | 8 | #### Solution: 9 | 10 | The above code is vulnerable to Remote Code Execution. The code implements a black-list based filter on line-15 which can be bypassed if the payload meets the following requirements: 11 | * Is inside a quote to not take advantage of the bash CLI [Ex: "$(whoami)" ] 12 | * Does not use any of the blacklisted chars inside the $(...). 13 | * Executes a system command of any kind that is proven to execute. 14 | 15 | It is recommended to use a whitelist instead, and also not to use system command calls for the task: use a built-in function, or create your own function that does the same without using os.system(ls). 
16 | 17 | 18 | Twitter Thread: https://twitter.com/harshbothra_/status/1490513142375333889 19 | 20 | ##### Code Credits: SonarSource -------------------------------------------------------------------------------- /_posts/resources/2022-02-15-vulnerable-code-05.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: "Vulnerable Code Snippet - 5" 3 | classes: wide 4 | tag: 5 | - "" 6 | header: 7 | teaser: /assets/images/htb/htb.png 8 | ribbon: green 9 | description: "XSS" 10 | categories: 11 | - Vulnerable Code Snippet 12 | --- 13 | ### SecurityExplained S-17: Vulnerable Code Snippet - 5 14 | 15 | #### Vulnerable Code: 16 | 17 | ![Vulnerable Code](https://raw.githubusercontent.com/harsh-bothra/SecurityExplained/main/media/code-5.jpg) 18 | 19 | #### Solution: 20 | 21 | The issue in this code snippet is that the files are stored without any extension. Apache does not attach a Content-Type header in the response. Modern browsers will interpret these files as HTML, which may lead to an attack such as Stored Cross-Site Scripting. 
22 | 23 | ##### Code Credits: SonarSource 24 | 25 | [Follow Twitter Thread](https://twitter.com/harshbothra_/status/1483124633373409281?s=20&t=DGEwqEwXwFbWH0VXkOKVsQ) 26 | -------------------------------------------------------------------------------- /_posts/resources/2022-02-15-vulnerable-code-29.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: "Vulnerable Code Snippet - 29" 3 | classes: wide 4 | tag: 5 | - "" 6 | header: 7 | teaser: /assets/images/htb/htb.png 8 | ribbon: green 9 | description: "XSS" 10 | categories: 11 | - Vulnerable Code Snippet 12 | --- 13 | ### SecurityExplained S-42: Vulnerable Code Snippet - 29 14 | 15 | #### Vulnerable Code: 16 | 17 | ![Vulnerable Code](https://raw.githubusercontent.com/harsh-bothra/SecurityExplained/main/media/code-29.jpg) 18 | 19 | 20 | #### Solution: 21 | 22 | 23 | This code is vulnerable to cross-site scripting (XSS) as an attacker can perform a successful attack by supplying a malicious payload in the user_comment parameter. Judging by some interesting responses from the community, it looks like the code is also vulnerable to IDOR. 
24 | 25 | 26 | 27 | Twitter Thread: https://twitter.com/harshbothra_/status/1491972760343621632 28 | 29 | ##### Code Credits: @ChetanyaKunndra 30 | 31 | -------------------------------------------------------------------------------- /_includes/post_pagination.html: -------------------------------------------------------------------------------- 1 | {% if page.previous or page.next %} 2 | 14 | {% endif %} -------------------------------------------------------------------------------- /_posts/resources/2022-02-15-vulnerable-code-17.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: "Vulnerable Code Snippet - 17" 3 | classes: wide 4 | tag: 5 | - "" 6 | header: 7 | teaser: /assets/images/htb/htb.png 8 | ribbon: green 9 | description: "" 10 | categories: 11 | - Vulnerable Code Snippet 12 | --- 13 | ### SecurityExplained S-29: Vulnerable Code Snippet - 17 14 | 15 | #### Vulnerable Code: 16 | 17 | ![Vulnerable Code](https://raw.githubusercontent.com/harsh-bothra/SecurityExplained/main/media/code-17.jpg) 18 | 19 | #### Solution: 20 | 21 | As per @SonarSource, isPrivileged() will always return true because casting an int to an int-based enum never throws an exception, even if there is no enum member corresponding to that number. To make the check correct, it has to return PrivRoles.IsDefined((PrivRoles) role). 
22 | 23 | ##### Code Credits: SonarSource 24 | 25 | [Follow Twitter Thread](https://twitter.com/harshbothra_/status/1487434398186508294?s=20&t=DGEwqEwXwFbWH0VXkOKVsQ) 26 | -------------------------------------------------------------------------------- /_posts/resources/2022-02-15-vulnerable-code-11.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: "Vulnerable Code Snippet - 11" 3 | classes: wide 4 | tag: 5 | - "" 6 | header: 7 | teaser: /assets/images/htb/htb.png 8 | ribbon: green 9 | description: "serialize - deserialized" 10 | categories: 11 | - Vulnerable Code Snippet 12 | --- 13 | ### SecurityExplained S-23: Vulnerable Code Snippet - 11 14 | 15 | #### Vulnerable Code: 16 | 17 | ![Vulnerable Code](https://raw.githubusercontent.com/harsh-bothra/SecurityExplained/main/media/code-11.jpg) 18 | 19 | #### Solution: 20 | 21 | This answer is by SonarSource: There are two ways to serialize classes in PHP, both with O: and C:. The second encoding mode is not supported by the blocklist, and arbitrary objects could then be deserialized! It's not enough to get RCE, but it's a good start. 
22 | 23 | ##### Code Credits: SonarSource 24 | 25 | [Follow Twitter Thread](https://twitter.com/harshbothra_/status/1485315700998938625?s=20&t=DGEwqEwXwFbWH0VXkOKVsQ) 26 | -------------------------------------------------------------------------------- /_posts/resources/2022-02-15-vulnerable-code-37.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: "Vulnerable Code Snippet - 37" 3 | classes: wide 4 | tag: 5 | - "" 6 | header: 7 | teaser: /assets/images/htb/htb.png 8 | ribbon: green 9 | description: "Host Header Injection" 10 | categories: 11 | - Vulnerable Code Snippet 12 | --- 13 | ### SecurityExplained S-50: Vulnerable Code Snippet - 37 14 | 15 | #### Vulnerable Code: 16 | 17 | ![Vulnerable Code](https://raw.githubusercontent.com/harsh-bothra/SecurityExplained/main/media/code-37.jpg) 18 | 19 | 20 | #### Solution: 21 | 22 | This code is vulnerable to Host Header Injection as the code takes the value of HOST in the password reset link from request itself. This may allow an attacker to inject arbitrary host in the password reset link and get hold of the valid reset token to perform a successful password reset attack. 
23 | 24 | Twitter Thread: https://twitter.com/harshbothra_/status/1494777872929542144 25 | 26 | ##### Code Credits: @Brumens2 27 | -------------------------------------------------------------------------------- /_sass/minimal-mistakes/vendor/breakpoint/parsers/_triple.scss: -------------------------------------------------------------------------------- 1 | ////////////////////////////// 2 | // Import Pieces 3 | ////////////////////////////// 4 | @import "triple/default"; 5 | 6 | @function breakpoint-parse-triple($feature, $empty-media, $first) { 7 | $parsed: ''; 8 | $leader: ''; 9 | 10 | // If we're forcing 11 | @if not ($empty-media) or not ($first) { 12 | $leader: 'and '; 13 | } 14 | 15 | // separate the string features from the value numbers 16 | $string: null; 17 | $numbers: null; 18 | @each $val in $feature { 19 | @if type-of($val) == string { 20 | $string: $val; 21 | } 22 | @else { 23 | @if type-of($numbers) == 'null' { 24 | $numbers: $val; 25 | } 26 | @else { 27 | $numbers: append($numbers, $val); 28 | } 29 | } 30 | } 31 | 32 | $parsed: breakpoint-parse-triple-default($string, nth($numbers, 1), nth($numbers, 2)); 33 | 34 | @return $leader + $parsed; 35 | 36 | } 37 | -------------------------------------------------------------------------------- /_sass/minimal-mistakes/vendor/breakpoint/parsers/_resolution.scss: -------------------------------------------------------------------------------- 1 | @import "resolution/resolution"; 2 | 3 | @function breakpoint-build-resolution($query-print, $query-resolution, $empty-media, $first) { 4 | $leader: ''; 5 | // If we're forcing 6 | @if not ($empty-media) or not ($first) { 7 | $leader: 'and '; 8 | } 9 | 10 | @if breakpoint-get('transform resolutions') and $query-resolution { 11 | $resolutions: breakpoint-make-resolutions($query-resolution); 12 | $length: length($resolutions); 13 | $query-holder: ''; 14 | 15 | @for $i from 1 through $length { 16 | $query: '#{$query-print} #{$leader}#{nth($resolutions, $i)}'; 17 | @if 
$i == 1 { 18 | $query-holder: $query; 19 | } 20 | @else { 21 | $query-holder: '#{$query-holder}, #{$query}'; 22 | } 23 | } 24 | 25 | @return $query-holder; 26 | } 27 | @else { 28 | // Return with attached resolution 29 | @return $query-print; 30 | } 31 | } 32 | -------------------------------------------------------------------------------- /_posts/resources/2022-02-15-vulnerable-code-20.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: "Vulnerable Code Snippet - 20" 3 | classes: wide 4 | tag: 5 | - "" 6 | header: 7 | teaser: /assets/images/htb/htb.png 8 | ribbon: green 9 | description: "Buffer Overflow" 10 | categories: 11 | - Vulnerable Code Snippet 12 | --- 13 | ### SecurityExplained S-33: Vulnerable Code Snippet - 20 14 | 15 | #### Vulnerable Code: 16 | 17 | ![Vulnerable Code](https://raw.githubusercontent.com/harsh-bothra/SecurityExplained/main/media/code-20.jpg) 18 | 19 | #### Solution: 20 | 21 | As per @SonarSource, The problem lies with the server reading 16 bytes on line 13 into its buffer without making sure that the string is null-terminated (the last byte of the buffer is null). Sending 16 non-null bytes to the server will return them and the adjacent buffer containing sensitive data! 
22 | 23 | ##### Code Credits: SonarSource 24 | 25 | [Follow Twitter Thread](https://twitter.com/harshbothra_/status/1488907363184566275?s=20&t=DGEwqEwXwFbWH0VXkOKVsQ) 26 | -------------------------------------------------------------------------------- /_posts/resources/2022-02-15-vulnerable-code-12.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: "Vulnerable Code Snippet - 12" 3 | classes: wide 4 | tag: 5 | - "" 6 | header: 7 | teaser: /assets/images/htb/htb.png 8 | ribbon: green 9 | description: "Prototype Pollution" 10 | categories: 11 | - Vulnerable Code Snippet 12 | --- 13 | ### SecurityExplained S-24: Vulnerable Code Snippet - 12 14 | 15 | #### Vulnerable Code: 16 | 17 | ![Vulnerable Code](https://raw.githubusercontent.com/harsh-bothra/SecurityExplained/main/media/code-12.jpg) 18 | 19 | #### Solution: 20 | 21 | The code is vulnerable to prototype pollution that could even lead to remote code execution. The statement in line 12 uses a dangerous pattern that allows for Prototype Pollution. When type is set to **proto**, then id and content can specify a key and value that will be set on Object.prototype. 
22 | 23 | ##### Code Credits: SonarSource 24 | 25 | [Follow Twitter Thread](https://twitter.com/harshbothra_/status/1485639304861069313?s=20&t=DGEwqEwXwFbWH0VXkOKVsQ) 26 | -------------------------------------------------------------------------------- /_posts/resources/2022-02-15-vulnerable-code-35.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: "Vulnerable Code Snippet - 35" 3 | classes: wide 4 | tag: 5 | - "" 6 | header: 7 | teaser: /assets/images/htb/htb.png 8 | ribbon: green 9 | description: "XSS and LFI" 10 | categories: 11 | - Vulnerable Code Snippet 12 | --- 13 | ### SecurityExplained S-48: Vulnerable Code Snippet - 35 14 | 15 | #### Vulnerable Code: 16 | 17 | ![Vulnerable Code](https://raw.githubusercontent.com/harsh-bothra/SecurityExplained/main/media/code-35.jpg) 18 | 19 | 20 | #### Solution: 21 | 22 | The code is vulnerable to XSS and LFI. The focus of this code is that the filename can be used as a payload to execute JavaScript and perform an XSS attack. 23 | When filtering a function always remember that it's more than one bug that can be exploited in it. For example this is highly vulnerable to LFI but it's also vulnerable to XSS. 
24 | 25 | Twitter Thread: https://twitter.com/harshbothra_/status/1494127206552985605 26 | 27 | ##### Code Credits: @Brumens2 28 | 29 | -------------------------------------------------------------------------------- /_posts/resources/2022-02-15-vulnerable-code-06.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: "Vulnerable Code Snippet - 6" 3 | classes: wide 4 | tag: 5 | - "" 6 | header: 7 | teaser: /assets/images/htb/htb.png 8 | ribbon: green 9 | description: "SSRF" 10 | categories: 11 | - Vulnerable Code Snippet 12 | --- 13 | ### SecurityExplained S-18: Vulnerable Code Snippet - 6 14 | 15 | #### Vulnerable Code: 16 | 17 | ![Vulnerable Code](https://raw.githubusercontent.com/harsh-bothra/SecurityExplained/main/media/code-6.jpg) 18 | 19 | #### Solution: 20 | 21 | The code is vulnerable to SSRF attack. The issue in this code snippet is that the Java's URI.resolve() will return its parameter if it is an absolute URL, which can be abused to perform SSRF. By using http:/example.com# as artifact the final URL will start with http:/example.com#, which the OkHttp library will accept when making the request. 
22 | 23 | ##### Code Credits: SonarSource 24 | 25 | [Follow Twitter Thread](https://twitter.com/harshbothra_/status/1483501885235417090?s=20&t=DGEwqEwXwFbWH0VXkOKVsQ) 26 | -------------------------------------------------------------------------------- /_posts/resources/2022-02-15-vulnerable-code-22.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: "Vulnerable Code Snippet - 22" 3 | classes: wide 4 | tag: 5 | - "" 6 | header: 7 | teaser: /assets/images/htb/htb.png 8 | ribbon: green 9 | description: "CMD Injextion" 10 | categories: 11 | - Vulnerable Code Snippet 12 | --- 13 | ### SecurityExplained S-35: Vulnerable Code Snippet - 22 14 | 15 | #### Vulnerable Code: 16 | 17 | ![Vulnerable Code](https://raw.githubusercontent.com/harsh-bothra/SecurityExplained/main/media/code-22.jpg) 18 | 19 | #### Solution: 20 | 21 | As per @SonarSource, Arbitrary arguments can be added to the tar command, e.g. by creating a file named “-I touch shell” in /opt/webapp. The -I argument allows executing an arbitrary command, here “touch shell”. --checkpoint-action works too. 22 | 23 | Twitter Thread: https://twitter.com/harshbothra_/status/1489630710025830400 24 | 25 | ##### Code Credits: SonarSource 26 | 27 | [Follow Twitter Thread](https://twitter.com/harshbothra_/status/1489630648159846400?s=20&t=DGEwqEwXwFbWH0VXkOKVsQ) 28 | -------------------------------------------------------------------------------- /_includes/video: -------------------------------------------------------------------------------- 1 | {% capture video_id %}{{ include.id }}{% endcapture %} 2 | {% capture video_provider %}{{ include.provider }}{% endcapture %} 3 | 4 | 5 |
6 | {% if video_provider == "vimeo" %} 7 | 8 | {% elsif video_provider == "youtube" %} 9 | 10 | {% elsif video_provider == "google-drive" %} 11 | 12 | {% elsif video_provider == "bilibili" %} 13 | 14 | {% endif %} 15 |
16 | -------------------------------------------------------------------------------- /_posts/resources/2022-02-15-vulnerable-code-41.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: "Vulnerable Code Snippet - 41" 3 | classes: wide 4 | tag: 5 | - "" 6 | header: 7 | teaser: /assets/images/htb/htb.png 8 | ribbon: green 9 | description: "CORS" 10 | categories: 11 | - Vulnerable Code Snippet 12 | --- 13 | ### SecurityExplained S-54: Vulnerable Code Snippet - 41 14 | 15 | #### Vulnerable Code: 16 | 17 | ![Vulnerable Code](https://raw.githubusercontent.com/harsh-bothra/SecurityExplained/main/media/code-41.jpg) 18 | 19 | 20 | #### Solution: 21 | 22 | This code is vulnerable to CORS misconfiguration as can be observed on line-14. User-provided data, such as URL parameters, POST data payloads, or cookies, should always be considered untrusted and tainted. Applications constructing HTTP response headers based on tainted data could allow attackers to change security sensitive headers like Cross-Origin Resource Sharing headers. 23 | 24 | Twitter Thread: https://twitter.com/harshbothra_/status/1496326447954341891 25 | 26 | ##### Code Credits: @SonarSource 27 | -------------------------------------------------------------------------------- /_posts/resources/2022-02-15-vulnerable-code-44.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: "Vulnerable Code Snippet - 44" 3 | classes: wide 4 | tag: 5 | - "" 6 | header: 7 | teaser: /assets/images/htb/htb.png 8 | ribbon: green 9 | description: "XSS" 10 | categories: 11 | - Vulnerable Code Snippet 12 | --- 13 | ### SecurityExplained S-57: Vulnerable Code Snippet - 44 14 | 15 | #### Vulnerable Code: 16 | 17 | ![Vulnerable Code](https://raw.githubusercontent.com/harsh-bothra/SecurityExplained/main/media/code-44.jpg) 18 | 19 | 20 | #### Solution: 21 | 22 | As per @SonarSource, there is an XSS issue but maybe not as expected. 
Razor takes care of output encoding for ViewData in line 4. However, ViewData also overwrites the static content in ViewBag & there is an XSS in line 2. 23 | Read More: https://sonarcloud.io/project/issues?id=SonarSourceResearch_2020_calendar_22&open=AXY4_4rsU9JBkqHd22a1&resolved=false&types=VULNERABILITY 24 | 25 | Twitter Thread: https://twitter.com/harshbothra_/status/1497431227451777027 26 | 27 | ##### Code Credits: @SonarSource 28 | -------------------------------------------------------------------------------- /_posts/resources/2022-02-15-vulnerable-code-07.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: "Vulnerable Code Snippet - 7" 3 | classes: wide 4 | tag: 5 | - "" 6 | header: 7 | teaser: /assets/images/htb/htb.png 8 | ribbon: green 9 | description: "RCE via SQLi" 10 | categories: 11 | - Vulnerable Code Snippet 12 | --- 13 | ### SecurityExplained S-19: Vulnerable Code Snippet - 7 14 | 15 | #### Vulnerable Code: 16 | 17 | ![Vulnerable Code](https://raw.githubusercontent.com/harsh-bothra/SecurityExplained/main/media/code-7.jpg) 18 | 19 | #### Solution: 20 | 21 | The code is vulnerable to Remote Code Execution via SQL Injection. As per SonarSource, addslashes() is not enough to protect against SQL injections because the interpolated value is not surrounded by quotes. This value is later used in the external shell call without proper escaping. 22 | 23 | A payload like 1--$(id>foo) is enough to gain RCE! 
24 | 25 | ##### Code Credits: SonarSource 26 | 27 | [Follow Twitter Thread](https://twitter.com/harshbothra_/status/1483835811896655877?s=20&t=DGEwqEwXwFbWH0VXkOKVsQ) 28 | -------------------------------------------------------------------------------- /_includes/search/google-search-scripts.html: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /_layouts/pwn.html: -------------------------------------------------------------------------------- 1 | --- 2 | layout: archive 3 | --- 4 | 5 | {{ content }} 6 | 7 | 8 | {% assign categories_max = 0 %} 9 | {% for category in site.categories %} 10 | {% if category[1].size > categories_max %} 11 | {% assign categories_max = category[1].size %} 12 | {% endif %} 13 | {% endfor %} 14 | 15 | {% for i in (1..categories_max) reversed %} 16 | {% for category in site.categories %} 17 | {% if category[1].size == i %} 18 | {% if category[0] == "Pwn" %} 19 |
20 |
21 | {% for post in category.last %} 22 | {% include archive-single.html type=page.entries_layout %} 23 | {% endfor %} 24 |
25 | {{ site.data.ui-text[site.locale].back_to_top | default: 'Back to Top' }} ↑ 26 |
27 | {% endif %} 28 | {% endif %} 29 | {% endfor %} 30 | {% endfor %} 31 | -------------------------------------------------------------------------------- /_layouts/blog.html: -------------------------------------------------------------------------------- 1 | --- 2 | layout: archive 3 | --- 4 | 5 | {{ content }} 6 | 7 | 8 | {% assign categories_max = 0 %} 9 | {% for category in site.categories %} 10 | {% if category[1].size > categories_max %} 11 | {% assign categories_max = category[1].size %} 12 | {% endif %} 13 | {% endfor %} 14 | 15 | {% for i in (1..categories_max) reversed %} 16 | {% for category in site.categories %} 17 | {% if category[1].size == i %} 18 | {% if category[0] == "Blog" %} 19 |
20 |
21 | {% for post in category.last %} 22 | {% include archive-single.html type=page.entries_layout %} 23 | {% endfor %} 24 |
25 | {{ site.data.ui-text[site.locale].back_to_top | default: 'Back to Top' }} ↑ 26 |
27 | {% endif %} 28 | {% endif %} 29 | {% endfor %} 30 | {% endfor %} 31 | 32 | -------------------------------------------------------------------------------- /_layouts/htb.html: -------------------------------------------------------------------------------- 1 | --- 2 | layout: archive 3 | --- 4 | 5 | {{ content }} 6 | 7 | 8 | {% assign categories_max = 0 %} 9 | {% for category in site.categories %} 10 | {% if category[1].size > categories_max %} 11 | {% assign categories_max = category[1].size %} 12 | {% endif %} 13 | {% endfor %} 14 | 15 | {% for i in (1..categories_max) reversed %} 16 | {% for category in site.categories %} 17 | {% if category[1].size == i %} 18 | {% if category[0] == "HTB" %} 19 |
20 |
21 | {% for post in category.last %} 22 | {% include archive-single.html type=page.entries_layout %} 23 | {% endfor %} 24 |
25 | {{ site.data.ui-text[site.locale].back_to_top | default: 'Back to Top' }} ↑ 26 |
27 | {% endif %} 28 | {% endif %} 29 | {% endfor %} 30 | {% endfor %} 31 | 32 | -------------------------------------------------------------------------------- /_posts/resources/2022-02-15-vulnerable-code-21.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: "Vulnerable Code Snippet - 21" 3 | classes: wide 4 | tag: 5 | - "" 6 | header: 7 | teaser: /assets/images/htb/htb.png 8 | ribbon: green 9 | description: "DNS rebinding" 10 | categories: 11 | - Vulnerable Code Snippet 12 | --- 13 | ### SecurityExplained S-34: Vulnerable Code Snippet - 21 14 | 15 | #### Vulnerable Code: 16 | 17 | ![Vulnerable Code](https://raw.githubusercontent.com/harsh-bothra/SecurityExplained/main/media/code-21.jpg) 18 | 19 | #### Solution: 20 | 21 | As per @SonarSource, This risk of DNS rebinding is always easy to overlook: Dns.GetHostEntry() does a first DNS query, validates the result against the allow-list, and then WebRequest does a second DNS query. Both DNS queries can have a different response, and unintended servers could be reached that way. Always work with the value you first validated! 22 | 23 | ##### Code Credits: SonarSource 24 | 25 | [Follow Twitter Thread](https://twitter.com/harshbothra_/status/1489280271640055809?s=20&t=DGEwqEwXwFbWH0VXkOKVsQ) 26 | -------------------------------------------------------------------------------- /_layouts/expdev.html: -------------------------------------------------------------------------------- 1 | --- 2 | layout: archive 3 | --- 4 | 5 | {{ content }} 6 | 7 | 8 | {% assign categories_max = 0 %} 9 | {% for category in site.categories %} 10 | {% if category[1].size > categories_max %} 11 | {% assign categories_max = category[1].size %} 12 | {% endif %} 13 | {% endfor %} 14 | 15 | {% for i in (1..categories_max) reversed %} 16 | {% for category in site.categories %} 17 | {% if category[1].size == i %} 18 | {% if category[0] == "Exploit Development" %} 19 |
20 |
21 | {% for post in category.last %} 22 | {% include archive-single.html type=page.entries_layout %} 23 | {% endfor %} 24 |
25 | {{ site.data.ui-text[site.locale].back_to_top | default: 'Back to Top' }} ↑ 26 |
27 | {% endif %} 28 | {% endif %} 29 | {% endfor %} 30 | {% endfor %} 31 | -------------------------------------------------------------------------------- /_layouts/resources.html: -------------------------------------------------------------------------------- 1 | --- 2 | layout: archive 3 | --- 4 | 5 | {{ content }} 6 | 7 | 8 | {% assign categories_max = 0 %} 9 | {% for category in site.categories %} 10 | {% if category[1].size > categories_max %} 11 | {% assign categories_max = category[1].size %} 12 | {% endif %} 13 | {% endfor %} 14 | 15 | {% for i in (1..categories_max) reversed %} 16 | {% for category in site.categories %} 17 | {% if category[1].size == i %} 18 | {% if category[0] == "Offsec" %} 19 |
20 |
21 | {% for post in category.last %} 22 | {% include archive-single.html type=page.entries_layout %} 23 | {% endfor %} 24 |
25 | {{ site.data.ui-text[site.locale].back_to_top | default: 'Back to Top' }} ↑ 26 |
27 | {% endif %} 28 | {% endif %} 29 | {% endfor %} 30 | {% endfor %} 31 | 32 | -------------------------------------------------------------------------------- /resources.html: -------------------------------------------------------------------------------- 1 | --- 2 | layout: archive 3 | --- 4 | 5 | {{ content }} 6 | 7 | 8 | {% assign categories_max = 0 %} 9 | {% for category in site.categories %} 10 | {% if category[1].size > categories_max %} 11 | {% assign categories_max = category[1].size %} 12 | {% endif %} 13 | {% endfor %} 14 | 15 | {% for i in (1..categories_max) reversed %} 16 | {% for category in site.categories %} 17 | {% if category[1].size == i %} 18 | {% if category[0] == "Binary Exploitation" %} 19 |
20 |
21 | {% for post in category.last %} 22 | {% include archive-single.html type=page.entries_layout %} 23 | {% endfor %} 24 |
25 | {{ site.data.ui-text[site.locale].back_to_top | default: 'Back to Top' }} ↑ 26 |
27 | {% endif %} 28 | {% endif %} 29 | {% endfor %} 30 | {% endfor %} 31 | 32 | -------------------------------------------------------------------------------- /_layouts/cve.html: -------------------------------------------------------------------------------- 1 | --- 2 | layout: archive 3 | --- 4 | 5 | {{ content }} 6 | 7 | 8 | {% assign categories_max = 0 %} 9 | {% for category in site.categories %} 10 | {% if category[1].size > categories_max %} 11 | {% assign categories_max = category[1].size %} 12 | {% endif %} 13 | {% endfor %} 14 | 15 | {% for i in (1..categories_max) reversed %} 16 | {% for category in site.categories %} 17 | {% if category[1].size == i %} 18 | {% if category[0] == "CVE" %} 19 |
20 |
21 | {% for post in category.last %} 22 | {% include archive-single.html type=page.entries_layout %} 23 | {% endfor %} 24 |
25 | {{ site.data.ui-text[site.locale].back_to_top | default: 'Back to Top' }} ↑ 26 |
27 | {% endif %} 28 | {% endif %} 29 | {% endfor %} 30 | {% endfor %} 31 | 32 | -------------------------------------------------------------------------------- /_posts/resources/2022-02-15-vulnerable-code-02.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: "Vulnerable Code Snippet - 2" 3 | classes: wide 4 | tag: 5 | - "" 6 | header: 7 | teaser: /assets/images/htb/htb.png 8 | ribbon: green 9 | description: "DOM XSS" 10 | categories: 11 | - Vulnerable Code Snippet 12 | --- 13 | 14 | ### SecurityExplained S-13: Vulnerable Code Snippet - 2 15 | 16 | #### Vulnerable Code: 17 | 18 | ![Vulnerable Code](https://raw.githubusercontent.com/harsh-bothra/SecurityExplained/main/media/code-2.jpg) 19 | 20 | #### Solution: 21 | 22 | The above code is vulnerable to cross-site scripting attack as it can be observed that on the line 15, a handler for message events is registered which writes the event's data in the DOM on the line 13. 23 | It is possible to embed this page and send an event with an XSS payload to execute a successful attack. 24 | 25 | Similar Bug: https://blog.sonarsource.com/ghost-admin-takeover 26 | 27 | ##### Code Credits: SonarSource 28 | 29 | [Follow Twitter Thread](https://twitter.com/harshbothra_/status/1481606121991598081?s=20&t=DGEwqEwXwFbWH0VXkOKVsQ) 30 | -------------------------------------------------------------------------------- /_layouts/posts.html: -------------------------------------------------------------------------------- 1 | --- 2 | layout: archive 3 | --- 4 | 5 | {{ content }} 6 | 7 | 17 | 18 | {% assign postsByYear = site.posts | group_by_exp: 'post', 'post.date | date: "%Y"' %} 19 | {% for year in postsByYear %} 20 |
21 |

{{ year.name }}

22 |
23 | {% for post in year.items %} 24 | {% include archive-single.html type=page.entries_layout %} 25 | {% endfor %} 26 |
27 | {{ site.data.ui-text[site.locale].back_to_top | default: 'Back to Top' }} ↑ 28 |
29 | {% endfor %} 30 | -------------------------------------------------------------------------------- /_layouts/splash.html: -------------------------------------------------------------------------------- 1 | --- 2 | layout: default 3 | --- 4 | 5 | {% if page.header.overlay_color or page.header.overlay_image or page.header.image %} 6 | {% include page__hero.html %} 7 | {% elsif page.header.video.id and page.header.video.provider %} 8 | {% include page__hero_video.html %} 9 | {% endif %} 10 | 11 |
12 |
13 | {% if page.title %}{% endif %} 14 | {% if page.excerpt %}{% endif %} 15 | {% if page.date %}{% endif %} 16 | {% if page.last_modified_at %}{% endif %} 17 | 18 |
19 | {{ content }} 20 |
21 |
22 |
23 | -------------------------------------------------------------------------------- /_posts/resources/2022-02-15-vulnerable-code-19.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: "Vulnerable Code Snippet - 19" 3 | classes: wide 4 | tag: 5 | - "" 6 | header: 7 | teaser: /assets/images/htb/htb.png 8 | ribbon: green 9 | description: "SQLi Regex Bypass" 10 | categories: 11 | - Vulnerable Code Snippet 12 | --- 13 | ### SecurityExplained S-31: Vulnerable Code Snippet - 19 14 | 15 | #### Vulnerable Code: 16 | 17 | ![Vulnerable Code](https://raw.githubusercontent.com/harsh-bothra/SecurityExplained/main/media/code-19.jpg) 18 | 19 | #### Solution: 20 | 21 | As per @SonarSource, The regex at line 7 is correct in itself as it checks for the right characters. The bug lies in the g flag; it makes the regex object retain the last match index and will continue after that index when .test() is called again. Attackers could still use quotes, and perform the SQL injection, by sending their request two times in a row: the second regex check will start after the quote. 
22 | 23 | ##### Code Credits: SonarSource 24 | 25 | [Follow Twitter Thread](https://twitter.com/harshbothra_/status/1488191330493014018?s=20&t=DGEwqEwXwFbWH0VXkOKVsQ) 26 | -------------------------------------------------------------------------------- /_includes/nav_list: -------------------------------------------------------------------------------- 1 | {% assign navigation = site.data.navigation[include.nav] %} 2 | 3 | 27 | -------------------------------------------------------------------------------- /_posts/resources/2022-02-15-vulnerable-code-42.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: "Vulnerable Code Snippet - 42" 3 | classes: wide 4 | tag: 5 | - "" 6 | header: 7 | teaser: /assets/images/htb/htb.png 8 | ribbon: green 9 | description: "Multiple vulnerabilities" 10 | categories: 11 | - Vulnerable Code Snippet 12 | --- 13 | ### SecurityExplained S-55: Vulnerable Code Snippet - 42 14 | 15 | #### Vulnerable Code: 16 | 17 | ![Vulnerable Code](https://raw.githubusercontent.com/harsh-bothra/SecurityExplained/main/media/code-42.jpg) 18 | 19 | 20 | #### Solution: 21 | 22 | This code is vulnerable to multiple security vulnerabilities: 23 | 1. The token generation algorithm is SHA-1 which is known to collision attacks and is not a best practice to use it. 24 | 2. There is a possibility of account takeover based on the actual implementation as an attacker may attempt to inject emails to get it routed to attacker email along with victim email. 25 | 3. This also looks vulnerable to Host Header Injection attack. 
26 | 27 | Twitter Thread: https://twitter.com/harshbothra_/status/1496668703181651972 28 | 29 | ##### Code Credits: @SonarSource 30 | -------------------------------------------------------------------------------- /_includes/scripts.html: -------------------------------------------------------------------------------- 1 | {% if site.footer_scripts %} 2 | {% for script in site.footer_scripts %} 3 | 4 | {% endfor %} 5 | {% else %} 6 | 7 | 8 | {% endif %} 9 | 10 | {% if site.search == true or page.layout == "search" %} 11 | {%- assign search_provider = site.search_provider | default: "lunr" -%} 12 | {%- case search_provider -%} 13 | {%- when "lunr" -%} 14 | {% include_cached search/lunr-search-scripts.html %} 15 | {%- when "google" -%} 16 | {% include_cached search/google-search-scripts.html %} 17 | {%- when "algolia" -%} 18 | {% include_cached search/algolia-search-scripts.html %} 19 | {%- endcase -%} 20 | {% endif %} 21 | 22 | {% include analytics.html %} 23 | {% include /comments-providers/scripts.html %} 24 | 25 | {% if site.after_footer_scripts %} 26 | {% for script in site.after_footer_scripts %} 27 | 28 | {% endfor %} 29 | {% endif %} 30 | -------------------------------------------------------------------------------- /_includes/head.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | {% include seo.html %} 4 | 5 | 6 | 7 | 8 | 9 | 10 | 13 | 14 | 15 | 16 | 17 | 31 | 32 | {% if site.head_scripts %} 33 | {% for script in site.head_scripts %} 34 | 35 | {% endfor %} 36 | {% endif %} 37 | -------------------------------------------------------------------------------- /_posts/resources/2022-02-15-vulnerable-code-18.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: "Vulnerable Code Snippet - 18" 3 | classes: wide 4 | tag: 5 | - "" 6 | header: 7 | teaser: /assets/images/htb/htb.png 8 | ribbon: green 9 | description: "password reset flaw" 10 | categories: 11 | - 
Vulnerable Code Snippet 12 | --- 13 | 14 | ### SecurityExplained S-30: Vulnerable Code Snippet - 18 15 | 16 | #### Vulnerable Code: 17 | 18 | ![Vulnerable Code](https://raw.githubusercontent.com/harsh-bothra/SecurityExplained/main/media/code-18.jpg) 19 | 20 | #### Solution: 21 | 22 | As per SonarSource, At line 9, the email is transformed to uppercase before its use in the SQL query. On Unicode characters, this process has the unintended effect that two distinct code points may result in the same one. 23 | 24 | It can be used to send the password reset token to another email and takeover accounts: 25 | 26 | foo@mix.com -> FOO@MIX.com 27 | foo@mıhttp://x.com -> FOO@MIX.com 28 | 29 | Interesting Blog: https://t.co/UxdZJQxzc1 30 | 31 | ##### Code Credits: SonarSource 32 | 33 | [Follow Twitter Thread](https://twitter.com/harshbothra_/status/1487850861770731520?s=20&t=DGEwqEwXwFbWH0VXkOKVsQ) 34 | -------------------------------------------------------------------------------- /_posts/resources/2022-02-15-vulnerable-code-09.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: "Vulnerable Code Snippet - 9" 3 | classes: wide 4 | tag: 5 | - "" 6 | header: 7 | teaser: /assets/images/htb/htb.png 8 | ribbon: green 9 | description: "RCE via File Upload" 10 | categories: 11 | - Vulnerable Code Snippet 12 | --- 13 | ### SecurityExplained S-21: Vulnerable Code Snippet - 9 14 | 15 | #### Vulnerable Code: 16 | 17 | ![Vulnerable Code](https://raw.githubusercontent.com/harsh-bothra/SecurityExplained/main/media/code-9.jpg) 18 | 19 | #### Solution: 20 | 21 | The code is vulnerable to Remote Code Execution by uploading a malicious file named as `img-converter.exe` that will then be executed instead of the one installed on the system. 22 | 23 | As per Sonar Source, When executing commands by name (e.g. `img-converter`) on Windows, the OS looks for the executable in the current directory first and only after that in the PATH. 
This applies here because the command is executed in the directory the uploaded file is copied to, so an uploaded `img-converter.exe` shadows the real converter and runs with the service's privileges. Never rely on PATH lookup for a command that runs with an untrusted working directory: invoke the converter by its absolute path, do not set the working directory to the upload folder, and store uploads under a server-generated name (or reject executable extensions) so the attacker cannot choose the filename.
14 | 15 | ``` 16 | 17 | [Follow Twitter Thread](https://twitter.com/harshbothra_/status/1480200369732931584?s=20&t=DGEwqEwXwFbWH0VXkOKVsQ) 18 | -------------------------------------------------------------------------------- /_posts/resources/2022-02-15-vulnerable-code-03.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: "Vulnerable Code Snippet - 3" 3 | classes: wide 4 | tag: 5 | - "" 6 | header: 7 | teaser: /assets/images/htb/htb.png 8 | ribbon: green 9 | description: "Arbitrary File Read" 10 | categories: 11 | - Vulnerable Code Snippet 12 | 13 | --- 14 | ### SecurityExplained S-15: Vulnerable Code Snippet - 3 15 | 16 | #### Vulnerable Code: 17 | 18 | ![Vulnerable Code](https://raw.githubusercontent.com/harsh-bothra/SecurityExplained/main/media/code-3.jpg) 19 | 20 | #### Solution: 21 | 22 | The issue lies in line 11 due to the use of "os.path.join()" and the issue here is an attacker can read arbitrary files by supplying malicious payload through img variable. 23 | 24 | As per the documentation, when the values passed in "os.path.join()" & one of the paths to concatenate is absolute, previous values will be ignored. 25 | 26 | Hence, here the string passed in "os.path.join(harsh,/etc/passwd)" return as "/etc/passwd" resulting into accessing the sensitive file. 
27 | 28 | ##### Code Credits: SonarSource 29 | 30 | [Follow Twitter Thread](https://twitter.com/harshbothra_/status/1482316119101030411?s=20&t=DGEwqEwXwFbWH0VXkOKVsQ) 31 | -------------------------------------------------------------------------------- /_sass/minimal-mistakes/vendor/susy/susy/_unprefix.scss: -------------------------------------------------------------------------------- 1 | // Unprefix Susy 2 | // ============= 3 | 4 | 5 | // Span 6 | // ---- 7 | /// Un-prefixed alias for `susy-span` 8 | /// (available by default) 9 | /// 10 | /// @group api 11 | /// @alias susy-span 12 | /// 13 | /// @param {list} $span 14 | /// @param {map} $config [()] 15 | @function span( 16 | $span, 17 | $config: () 18 | ) { 19 | @return susy-span($span, $config); 20 | } 21 | 22 | 23 | // Gutter 24 | // ------ 25 | /// Un-prefixed alias for `susy-gutter` 26 | /// (available by default) 27 | /// 28 | /// @group api 29 | /// @alias susy-gutter 30 | /// 31 | /// @param {integer | list} $context [null] - 32 | /// @param {map} $config [()] 33 | @function gutter( 34 | $context: susy-get('columns'), 35 | $config: () 36 | ) { 37 | @return susy-gutter($context, $config); 38 | } 39 | 40 | 41 | // Slice 42 | // ----- 43 | /// Un-prefixed alias for `susy-slice` 44 | /// (available by default) 45 | /// 46 | /// @group api 47 | /// @alias susy-slice 48 | /// 49 | /// @param {list} $span 50 | /// @param {map} $config [()] 51 | @function slice( 52 | $span, 53 | $config: () 54 | ) { 55 | @return susy-slice($span, $config); 56 | } 57 | -------------------------------------------------------------------------------- /_posts/resources/2022-02-15-vulnerable-code-15.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: "Vulnerable Code Snippet - 15" 3 | classes: wide 4 | tag: 5 | - "" 6 | header: 7 | teaser: /assets/images/htb/htb.png 8 | ribbon: green 9 | description: "Time of Check - Time of Use" 10 | categories: 11 | - Vulnerable Code Snippet 12 
| --- 13 | ### SecurityExplained S-27: Vulnerable Code Snippet - 15 14 | 15 | #### Vulnerable Code: 16 | 17 | ![Vulnerable Code](https://raw.githubusercontent.com/harsh-bothra/SecurityExplained/main/media/code-15.jpg) 18 | 19 | #### Solution: 20 | 21 | As per SonarSource, There is a ToCToU (Time of Check - Time of Use) bug: if the file does not exist at the time of the checks, they will be skipped. Attackers could create a symlink at /tmp/logs.txt right before the call to fopen(), and write to an unintended destination! It's very common to find file checks vulnerable to such ToCToU bugs. The best ways to avoid it is to perform these operations in folders with restrictive permissions and prefer file descriptors to paths (fstat, etc). 22 | 23 | ##### Code Credits: SonarSource 24 | 25 | [Follow Twitter Thread](https://twitter.com/harshbothra_/status/1486753867047997442?s=20&t=DGEwqEwXwFbWH0VXkOKVsQ) 26 | -------------------------------------------------------------------------------- /minimal-mistakes-jekyll.gemspec: -------------------------------------------------------------------------------- 1 | # coding: utf-8 2 | 3 | Gem::Specification.new do |spec| 4 | spec.name = "minimal-mistakes-jekyll" 5 | spec.version = "4.19.2" 6 | spec.authors = ["Michael Rose"] 7 | 8 | spec.summary = %q{A flexible two-column Jekyll theme.} 9 | spec.homepage = "https://github.com/mmistakes/minimal-mistakes" 10 | spec.license = "MIT" 11 | 12 | spec.metadata["plugin_type"] = "theme" 13 | 14 | spec.files = `git ls-files -z`.split("\x0").select do |f| 15 | f.match(%r{^(assets|_(data|includes|layouts|sass)/|(LICENSE|README|CHANGELOG)((\.(txt|md|markdown)|$)))}i) 16 | end 17 | 18 | spec.add_runtime_dependency "jekyll", ">= 3.7", "< 5.0" 19 | spec.add_runtime_dependency "jekyll-paginate", "~> 1.1" 20 | spec.add_runtime_dependency "jekyll-sitemap", "~> 1.3" 21 | spec.add_runtime_dependency "jekyll-gist", "~> 1.5" 22 | spec.add_runtime_dependency "jekyll-feed", "~> 0.1" 23 | 
spec.add_runtime_dependency "jekyll-include-cache", "~> 0.1" 24 | 25 | spec.add_development_dependency "bundler" 26 | spec.add_development_dependency "rake", ">= 12.3.3" 27 | end 28 | -------------------------------------------------------------------------------- /_site/minimal-mistakes-jekyll.gemspec: -------------------------------------------------------------------------------- 1 | # coding: utf-8 2 | 3 | Gem::Specification.new do |spec| 4 | spec.name = "minimal-mistakes-jekyll" 5 | spec.version = "4.19.2" 6 | spec.authors = ["Michael Rose"] 7 | 8 | spec.summary = %q{A flexible two-column Jekyll theme.} 9 | spec.homepage = "https://github.com/mmistakes/minimal-mistakes" 10 | spec.license = "MIT" 11 | 12 | spec.metadata["plugin_type"] = "theme" 13 | 14 | spec.files = `git ls-files -z`.split("\x0").select do |f| 15 | f.match(%r{^(assets|_(data|includes|layouts|sass)/|(LICENSE|README|CHANGELOG)((\.(txt|md|markdown)|$)))}i) 16 | end 17 | 18 | spec.add_runtime_dependency "jekyll", ">= 3.7", "< 5.0" 19 | spec.add_runtime_dependency "jekyll-paginate", "~> 1.1" 20 | spec.add_runtime_dependency "jekyll-sitemap", "~> 1.3" 21 | spec.add_runtime_dependency "jekyll-gist", "~> 1.5" 22 | spec.add_runtime_dependency "jekyll-feed", "~> 0.1" 23 | spec.add_runtime_dependency "jekyll-include-cache", "~> 0.1" 24 | 25 | spec.add_development_dependency "bundler" 26 | spec.add_development_dependency "rake", ">= 12.3.3" 27 | end 28 | -------------------------------------------------------------------------------- /_includes/gallery: -------------------------------------------------------------------------------- 1 | {% if include.id %} 2 | {% assign gallery = page[include.id] %} 3 | {% else %} 4 | {% assign gallery = page.gallery %} 5 | {% endif %} 6 | 7 | {% if include.layout %} 8 | {% assign gallery_layout = include.layout %} 9 | {% else %} 10 | {% if gallery.size == 2 %} 11 | {% assign gallery_layout = 'half' %} 12 | {% elsif gallery.size >= 3 %} 13 | {% assign gallery_layout = 
'third' %} 14 | {% else %} 15 | {% assign gallery_layout = '' %} 16 | {% endif %} 17 | {% endif %} 18 | 19 | 36 | -------------------------------------------------------------------------------- /_sass/minimal-mistakes/skins/_dirt.scss: -------------------------------------------------------------------------------- 1 | /* ========================================================================== 2 | Dirt skin 3 | ========================================================================== */ 4 | 5 | /* Colors */ 6 | $background-color: #f3f3f3 !default; 7 | $text-color: #343434 !default; 8 | $muted-text-color: #8e8b82 !default; 9 | $primary-color: #343434 !default; 10 | $border-color: #e9dcbe !default; 11 | $footer-background-color: #e9dcbe !default; 12 | $link-color: #343434 !default; 13 | $masthead-link-color: $text-color !default; 14 | $masthead-link-color-hover: $text-color !default; 15 | $navicon-link-color-hover: mix(#fff, $text-color, 80%) !default; 16 | 17 | /* dirt syntax highlighting (base16) */ 18 | $base00: #231e18 !default; 19 | $base01: #302b25 !default; 20 | $base02: #48413a !default; 21 | $base03: #9d8b70 !default; 22 | $base04: #b4a490 !default; 23 | $base05: #cabcb1 !default; 24 | $base06: #d7c8bc !default; 25 | $base07: #e4d4c8 !default; 26 | $base08: #d35c5c !default; 27 | $base09: #ca7f32 !default; 28 | $base0a: #e0ac16 !default; 29 | $base0b: #b7ba53 !default; 30 | $base0c: #6eb958 !default; 31 | $base0d: #88a4d3 !default; 32 | $base0e: #bb90e2 !default; 33 | $base0f: #b49368 !default; 34 | -------------------------------------------------------------------------------- /_posts/resources/2022-02-15-vulnerable-code-31.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: "Vulnerable Code Snippet - 31" 3 | classes: wide 4 | tag: 5 | - "" 6 | header: 7 | teaser: /assets/images/htb/htb.png 8 | ribbon: green 9 | description: "SQli" 10 | categories: 11 | - Vulnerable Code Snippet 12 | --- 13 | ### 
SecurityExplained S-44: Vulnerable Code Snippet - 31 14 | 15 | #### Vulnerable Code: 16 | 17 | ![Vulnerable Code](https://raw.githubusercontent.com/harsh-bothra/SecurityExplained/main/media/code-31.jpg) 18 | 19 | 20 | #### Solution: 21 | 22 | This code connects to the backend database & its purpose is to change the username inside the profile page. It first checks the username "id" by user input and runs a SQL statement to extract the current username for that user. The issue is that user input is not filtered. If you infect the "id" when it's reading the user input. It does not convert the "id" variable into an (int) type or filters it. This makes it possible to get access to the database fully by executing a SQL Injection. 23 | 24 | Example Payload: sleep(1): Will sleep "x" row that is in the table. At "line 24". 25 | 26 | Twitter Thread: https://twitter.com/harshbothra_/status/1492657271662206976 27 | 28 | ##### Code Credits: @Brumens2 29 | 30 | -------------------------------------------------------------------------------- /_posts/resources/2022-02-15-vulnerable-code-27.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: "Vulnerable Code Snippet - 27" 3 | classes: wide 4 | tag: 5 | - "" 6 | header: 7 | teaser: /assets/images/htb/htb.png 8 | ribbon: green 9 | description: "XSS" 10 | categories: 11 | - Vulnerable Code Snippet 12 | --- 13 | ### SecurityExplained S-40: Vulnerable Code Snippet - 27 14 | 15 | #### Vulnerable Code: 16 | 17 | ![Vulnerable Code](https://raw.githubusercontent.com/harsh-bothra/SecurityExplained/main/media/code-27.jpg) 18 | 19 | 20 | #### Solution: 21 | 22 | This code is vulnerable to Cross-Site Scripting (XSS) attack. Example Payload: \"onload=alert(1)// 23 | 24 | This payload works because the "replace()" function in PHP do not properly replace the user input. The first replacement works fine replace('\"', '') but when it later replace('\\', '\\\\'), the issue occurs. 
The issue is the ordering of the two replacements. The quote is escaped first, turning `"` into `\"`; the later backslash replacement then sees that backslash and doubles it, producing `\\"` — the first backslash now escapes the second one rather than the quote, so the quote is live again and the attacker breaks out of the attribute and can append an event handler such as onload. Hand-written replace() chains must escape the escape character first, and in practice the safe fix is a context-aware encoder for the output location (for an HTML attribute, htmlspecialchars() with ENT_QUOTES) rather than manual quoting.
28 | 29 | 30 | Twitter Thread: https://twitter.com/harshbothra_/status/1490513142375333889 31 | 32 | ##### Code Credits: SonarSource 33 | -------------------------------------------------------------------------------- /_sass/minimal-mistakes/vendor/breakpoint/parsers/_double.scss: -------------------------------------------------------------------------------- 1 | ////////////////////////////// 2 | // Import Pieces 3 | ////////////////////////////// 4 | @import "double/default-pair"; 5 | @import "double/double-string"; 6 | @import "double/default"; 7 | 8 | @function breakpoint-parse-double($feature, $empty-media, $first) { 9 | $parsed: ''; 10 | $leader: ''; 11 | // If we're forcing 12 | @if not ($empty-media) or not ($first) { 13 | $leader: 'and '; 14 | } 15 | 16 | $first: nth($feature, 1); 17 | $second: nth($feature, 2); 18 | 19 | // If we've got two numbers, we know we need to use the default pair because there are no media queries that has a media feature that is a number 20 | @if type-of($first) == 'number' and type-of($second) == 'number' { 21 | $parsed: breakpoint-parse-default-pair($first, $second); 22 | } 23 | // If they are both strings, we send it through the string parser 24 | @else if type-of($first) == 'string' and type-of($second) == 'string' { 25 | $parsed: breakpoint-parse-double-string($first, $second); 26 | } 27 | // If it's a string/number pair, we parse it as a normal double 28 | @else { 29 | $parsed: breakpoint-parse-double-default($first, $second); 30 | } 31 | 32 | @return $leader + $parsed; 33 | } 34 | -------------------------------------------------------------------------------- /_includes/comment.html: -------------------------------------------------------------------------------- 1 |
2 |
3 | {{ include.name }} 4 |
5 |
6 | 13 |

14 | {% if include.date %} 15 | {% if include.index %}{% endif %} 18 | {% endif %} 19 |

20 |
{{ include.message | markdownify }}
21 |
22 |
23 | -------------------------------------------------------------------------------- /_includes/footer.html: -------------------------------------------------------------------------------- 1 | 18 | 19 | 20 | -------------------------------------------------------------------------------- /_sass/minimal-mistakes/skins/_dark.scss: -------------------------------------------------------------------------------- 1 | /* ========================================================================== 2 | Dark skin 3 | ========================================================================== */ 4 | 5 | /* Colors */ 6 | $background-color: #252a34 !default; 7 | $text-color: #eaeaea !default; 8 | $primary-color: #00adb5 !default; 9 | $border-color: mix(#fff, $background-color, 20%) !default; 10 | $code-background-color: mix(#000, $background-color, 15%) !default; 11 | $code-background-color-dark: mix(#000, $background-color, 20%) !default; 12 | $form-background-color: mix(#000, $background-color, 15%) !default; 13 | $footer-background-color: mix(#000, $background-color, 30%) !default; 14 | $link-color: mix($primary-color, $text-color, 40%) !default; 15 | $link-color-hover: mix(#fff, $link-color, 25%) !default; 16 | $link-color-visited: mix(#000, $link-color, 25%) !default; 17 | $masthead-link-color: $text-color !default; 18 | $masthead-link-color-hover: mix(#000, $text-color, 20%) !default; 19 | $navicon-link-color-hover: mix(#000, $background-color, 30%) !default; 20 | 21 | .author__urls.social-icons .svg-inline--fa, 22 | .page__footer-follow .social-icons .svg-inline--fa { 23 | color: inherit; 24 | } 25 | 26 | .ais-search-box .ais-search-box--input { 27 | background-color: $form-background-color; 28 | } -------------------------------------------------------------------------------- /package.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "minimal-mistakes", 3 | "version": "4.19.2", 4 | "description": "Minimal Mistakes 
2 column Jekyll theme.", 5 | "repository": { 6 | "type": "git", 7 | "url": "git://github.com/mmistakes/minimal-mistakes.git" 8 | }, 9 | "keywords": [ 10 | "jekyll", 11 | "theme", 12 | "minimal" 13 | ], 14 | "author": "Michael Rose", 15 | "license": "MIT", 16 | "bugs": { 17 | "url": "https://github.com/mmistakes/minimal-mistakes/issues" 18 | }, 19 | "homepage": "https://mmistakes.github.io/minimal-mistakes/", 20 | "engines": { 21 | "node": ">= 0.10.0" 22 | }, 23 | "devDependencies": { 24 | "npm-run-all": "^4.1.5", 25 | "onchange": "^6.1.0", 26 | "uglify-js": "^3.8.0" 27 | }, 28 | "scripts": { 29 | "uglify": "uglifyjs assets/js/vendor/jquery/jquery-3.4.1.js assets/js/plugins/jquery.fitvids.js assets/js/plugins/jquery.greedy-navigation.js assets/js/plugins/jquery.magnific-popup.js assets/js/plugins/jquery.ba-throttle-debounce.js assets/js/plugins/smooth-scroll.js assets/js/plugins/gumshoe.js assets/js/_main.js -c -m -o assets/js/main.min.js", 30 | "add-banner": "node banner.js", 31 | "watch:js": "onchange \"assets/js/**/*.js\" -e \"assets/js/main.min.js\" -- npm run build:js", 32 | "build:js": "npm run uglify && npm run add-banner" 33 | } 34 | } 35 | -------------------------------------------------------------------------------- /_includes/tag-list.html: -------------------------------------------------------------------------------- 1 | {% case site.tag_archive.type %} 2 | {% when "liquid" %} 3 | {% assign path_type = "#" %} 4 | {% when "jekyll-archives" %} 5 | {% assign path_type = nil %} 6 | {% endcase %} 7 | 8 | {% if site.tag_archive.path %} 9 | {% comment %} 10 | 11 | 12 | {% endcomment %} 13 | {% capture page_tags %}{% for tag in page.tags %}{{ tag | downcase }}|{{ tag }}{% unless forloop.last %},{% endunless %}{% endfor %}{% endcapture %} 14 | {% assign tag_hashes = page_tags | split: ',' | sort %} 15 | 16 |

17 | {{ site.data.ui-text[site.locale].tags_label | default: "Tags:" }} 18 | 19 | {% for hash in tag_hashes %} 20 | {% assign keyValue = hash | split: '|' %} 21 | {% capture tag_word %}{{ keyValue[1] | strip_newlines }}{% endcapture %} 22 | {% unless forloop.last %}, {% endunless %} 23 | {% endfor %} 24 | 25 |

26 | {% endif %} -------------------------------------------------------------------------------- /_site/resources/feroxbuster-explained.md: -------------------------------------------------------------------------------- 1 | # SecurityExplained S-2: FeroxBuster - A Content Discovery Tool! 2 | 3 | ``` 4 | Ferox Buster is easy to use, fast & convenient "Content Discovery" tool written in Rust. 5 | 6 | - Tool Link: https://github.com/epi052/feroxbuster 7 | 8 | One of the reasons to like this tool is its neat documentation: https://epi052.github.io/feroxbuster-docs/docs/ 9 | 10 | Why choose this tool over others?: https://epi052.github.io/feroxbuster-docs/docs/compare/ 11 | 12 | You can install this tool in multiple ways based upon your environment, and a straightforward example is using the following command: 13 | 14 | - sudo apt update && sudo apt install -y feroxbuster 15 | 16 | Using this tool is quite simple. You can run a simple scan with the following command: 17 | 18 | - ./feroxbuster -u -x 19 | 20 | Other interesting use-case examples can be found here: https://epi052.github.io/feroxbuster-docs/docs/examples/core-features/. 21 | 22 | Feel free to ask questions related to "How do I perform Content Discovery", etc. in the comments, and I will try to answer in the best way possible. Cheers! 
23 | 24 | ``` 25 | 26 | #### Twitter Handle: @harshbothra_ 27 | [Follow Twitter Thread](https://twitter.com/harshbothra_/status/1477541501311676417?s=20&t=QR8LCZPmGCrSu2SuCUBCgQ) 28 | -------------------------------------------------------------------------------- /_includes/group-by-array: -------------------------------------------------------------------------------- 1 | 7 | 8 | 9 | {% assign __empty_array = '' | split: ',' %} 10 | {% assign group_names = __empty_array %} 11 | {% assign group_items = __empty_array %} 12 | 13 | 14 | {% assign __names = include.collection | map: include.field %} 15 | 16 | 17 | {% assign __names = __names | join: ',' | join: ',' | split: ',' %} 18 | 19 | 20 | {% assign __names = __names | sort %} 21 | {% for name in __names %} 22 | 23 | 24 | {% unless name == previous %} 25 | 26 | 27 | {% assign group_names = group_names | push: name %} 28 | {% endunless %} 29 | 30 | {% assign previous = name %} 31 | {% endfor %} 32 | 33 | 34 | 35 | {% for name in group_names %} 36 | 37 | 38 | {% assign __item = __empty_array %} 39 | {% for __element in include.collection %} 40 | {% if __element[include.field] contains name %} 41 | {% assign __item = __item | push: __element %} 42 | {% endif %} 43 | {% endfor %} 44 | 45 | 46 | {% assign group_items = group_items | push: __item %} 47 | {% endfor %} -------------------------------------------------------------------------------- /_layouts/default.html: -------------------------------------------------------------------------------- 1 | --- 2 | --- 3 | 4 | 5 | 11 | 12 | 13 | {% include head.html %} 14 | {% include head/custom.html %} 15 | 16 | 17 | 18 | {% include_cached skip-links.html %} 19 | {% include_cached browser-upgrade.html %} 20 | {% include_cached masthead.html %} 21 | 22 |
23 | {{ content }} 24 |
25 | 26 | {% if site.search == true %} 27 |
28 | {% include_cached search/search_form.html %} 29 |
30 | {% endif %} 31 | 32 | 38 | 39 | {% include scripts.html %} 40 | 41 | 42 | 43 | -------------------------------------------------------------------------------- /_layouts/tags.html: -------------------------------------------------------------------------------- 1 | --- 2 | layout: archive 3 | --- 4 | 5 | {{ content }} 6 | 7 | {% assign tags_max = 0 %} 8 | {% for tag in site.tags %} 9 | {% if tag[1].size > tags_max %} 10 | {% assign tags_max = tag[1].size %} 11 | {% endif %} 12 | {% endfor %} 13 | 14 |
    15 | {% for i in (1..tags_max) reversed %} 16 | {% for tag in site.tags %} 17 | {% if tag[1].size == i %} 18 |
  • 19 | 20 | {{ tag[0] }} {{ i }} 21 | 22 |
  • 23 | {% endif %} 24 | {% endfor %} 25 | {% endfor %} 26 |
27 | 28 | {% for i in (1..tags_max) reversed %} 29 | {% for tag in site.tags %} 30 | {% if tag[1].size == i %} 31 |
32 |

{{ tag[0] }}

33 |
34 | {% for post in tag.last %} 35 | {% include archive-single.html type=page.entries_layout %} 36 | {% endfor %} 37 |
38 | {{ site.data.ui-text[site.locale].back_to_top | default: 'Back to Top' }} ↑ 39 |
40 | {% endif %} 41 | {% endfor %} 42 | {% endfor %} 43 | -------------------------------------------------------------------------------- /_site/resources/rustscan-portscanner.md: -------------------------------------------------------------------------------- 1 | ### SecurityExplained S-11: RustScan - The Modern Port Scanner 2 | 3 | ``` 4 | - RustScan is a port scanner written using Rust programming. The tool utilizes adaptive learning model to improvise itself over the time, i.e. more you use the tool, better it becomes. 5 | 6 | # Tool Repo: https://github.com/RustScan/RustScan/ 7 | 8 | - It is mentioned on the official repo that this tool can do following: 9 | - Scans all 65k ports in 3 seconds. 10 | - Full scripting engine support. Automatically pipe results into Nmap, or use our scripts (or write your own) to do whatever you want. 11 | - Adaptive learning. RustScan improves the more you use it. No bloated machine learning here, just basic maths. 12 | - The usuals you would expect. IPv6, CIDR, file input and more. 13 | - Automatically pipes ports into Nmap. 14 | 15 | There are two main points that makes this tool my new preffered choice for the Port Scanning Tool: 16 | - Speed [RustScan is pretty fast and I have compared it with a traditional nmap scan too. ] 17 | - Simple Usage Guide: https://github.com/RustScan/RustScan/wiki/Things-you-may-want-to-do-with-RustScan-but-don't-understand-how 18 | 19 | Installation Guide: https://github.com/RustScan/RustScan/wiki/Installation-Guide 20 | 21 | ``` 22 | 23 | [Follow Twitter Thread](https://twitter.com/harshbothra_/status/1480905854433988611?s=20&t=DGEwqEwXwFbWH0VXkOKVsQ) 24 | -------------------------------------------------------------------------------- /_sass/minimal-mistakes.scss: -------------------------------------------------------------------------------- 1 | /*! 
2 | * Minimal Mistakes Jekyll Theme 4.19.2 by Michael Rose 3 | * Copyright 2013-2019 Michael Rose - mademistakes.com | @mmistakes 4 | * Licensed under MIT (https://github.com/mmistakes/minimal-mistakes/blob/master/LICENSE) 5 | */ 6 | 7 | /* Variables */ 8 | @import "minimal-mistakes/variables"; 9 | 10 | /* Mixins and functions */ 11 | @import "minimal-mistakes/vendor/breakpoint/breakpoint"; 12 | @include breakpoint-set("to ems", true); 13 | @import "minimal-mistakes/vendor/magnific-popup/magnific-popup"; // Magnific Popup 14 | @import "minimal-mistakes/vendor/susy/susy"; 15 | @import "minimal-mistakes/mixins"; 16 | 17 | /* Core CSS */ 18 | @import "minimal-mistakes/reset"; 19 | @import "minimal-mistakes/base"; 20 | @import "minimal-mistakes/forms"; 21 | @import "minimal-mistakes/tables"; 22 | @import "minimal-mistakes/animations"; 23 | 24 | /* Components */ 25 | @import "minimal-mistakes/buttons"; 26 | @import "minimal-mistakes/notices"; 27 | @import "minimal-mistakes/masthead"; 28 | @import "minimal-mistakes/navigation"; 29 | @import "minimal-mistakes/footer"; 30 | @import "minimal-mistakes/search"; 31 | @import "minimal-mistakes/syntax"; 32 | 33 | /* Utility classes */ 34 | @import "minimal-mistakes/utilities"; 35 | 36 | /* Layout specific */ 37 | @import "minimal-mistakes/page"; 38 | @import "minimal-mistakes/archive"; 39 | @import "minimal-mistakes/sidebar"; 40 | @import "minimal-mistakes/print"; 41 | -------------------------------------------------------------------------------- /_site/resources/xxe-in-json.md: -------------------------------------------------------------------------------- 1 | ### SecurityExplained S-14: Exploiting XXE in JSON Endpoints 2 | 3 | ``` 4 | XXE a.k.a XML External Entities is a vulnerability that is usally found in endpoints that process XML data. This attack happens when a misconfigured or weekly configured XML parser processed the external entity reference from a XML Input. 
5 | 6 | However, if an application is using JSON as content-type in request processing, in a usual assumption, we often do not check for the XXE attack but in certain scenarios, it might be possible that the application supports XML parsing along with JSON but that is not visible via request structure. Hence, we should always check for XXE in JSON endpoints. 7 | 8 | # To perform XXE in JSON Endpoints, One can try below steps: 9 | 10 | 1. Capture a JSON request with Burp Suite. 11 | 2. Convert the content-type to XML using "Content-Type Convertor" Burp Extension. 12 | 3. Process the Request and if request is processed successfully, it means that the XML parsing is supported. 13 | 4. Now, attempt to exploit XXE 14 | 15 | Interesting Read: https://www.netspi.com/blog/technical/web-application-penetration-testing/playing-content-type-xxe-json-endpoints/ 16 | More About XXE: https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing 17 | 18 | ``` 19 | 20 | [Follow Twitter Thread](https://twitter.com/harshbothra_/status/1481974615409041414?s=20&t=DGEwqEwXwFbWH0VXkOKVsQ) 21 | -------------------------------------------------------------------------------- /_posts/resources/2022-02-09-path-traversal-file-upload.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: "Path Traversal via File Upload" 3 | classes: wide 4 | tag: 5 | - "" 6 | header: 7 | teaser: /assets/images/htb/htb.png 8 | ribbon: green 9 | description: "Path Traversal via File Upload" 10 | categories: 11 | - resources 12 | --- 13 | 14 | ### SecurityExplained S-9: Path Traversal via File Upload 15 | 16 | 17 | File upload is a very interesting functionality and there are multiple attacks that are possible such as code execution, cross-site scripting and one of the functionality is "File Overwrite using Path Traversal" 18 | 19 | Whenever you find a file upload functionality that stores the files on the backend instead of just processing 
the data for one time use, you may try following steps: 20 | 21 | 1. Capture a file upload request. 22 | 2. In the filename parameter, change filename to "../../filename" and forward the request. 23 | 3. See, if the file is getting stored outside the expected directory, if 'yes', it is an issue. 24 | 4. Now, attempt to overwrite a system file and check if it is possible to overwrite the system file. 25 | 26 | Note: It is not recommended to overwrite a critical system file on the production system, make sure you take necessary permissions from the client before you perform such escalations. 27 | 28 | 29 | 30 | [Follow Twitter Thread](https://twitter.com/harshbothra_/status/1480200369732931584?s=20&t=DGEwqEwXwFbWH0VXkOKVsQ) 31 | -------------------------------------------------------------------------------- /_includes/category-list.html: -------------------------------------------------------------------------------- 1 | {% case site.category_archive.type %} 2 | {% when "liquid" %} 3 | {% assign path_type = "#" %} 4 | {% when "jekyll-archives" %} 5 | {% assign path_type = nil %} 6 | {% endcase %} 7 | 8 | {% if site.category_archive.path %} 9 | {% comment %} 10 | 11 | 12 | {% endcomment %} 13 | {% capture page_categories %}{% for category in page.categories %}{{ category | downcase }}|{{ category }}{% unless forloop.last %},{% endunless %}{% endfor %}{% endcapture %} 14 | {% assign category_hashes = page_categories | split: ',' | sort %} 15 | 16 |

17 | {{ site.data.ui-text[site.locale].categories_label | default: "Categories:" }} 18 | 19 | {% for hash in category_hashes %} 20 | {% assign keyValue = hash | split: '|' %} 21 | {% capture category_word %}{{ keyValue[1] | strip_newlines }}{% endcapture %} 22 | {% unless forloop.last %}, {% endunless %} 23 | {% endfor %} 24 | 25 |

26 | {% endif %} -------------------------------------------------------------------------------- /_includes/search/search_form.html: -------------------------------------------------------------------------------- 1 |
2 | {%- assign search_provider = site.search_provider | default: "lunr" -%} 3 | {%- case search_provider -%} 4 | {%- when "lunr" -%} 5 |
6 | 9 | 10 |
11 |
12 | {%- when "google" -%} 13 |
14 | 17 | 18 |
19 |
20 | 21 |
22 | {%- when "algolia" -%} 23 | 24 |
25 | {%- endcase -%} 26 |
27 | -------------------------------------------------------------------------------- /_site/resources/htmli-to-cloud-ssrf.md: -------------------------------------------------------------------------------- 1 | ### SecurityExplained S-4: Escalating HTML Injection to Cloud Metadata SSRF 2 | 3 | ``` 4 | If you have found an HTML Injection vulnerability that allows you to load 9 | 2. If the iframe is loaded successfully and the interaction is received on the Collaborator, next step is to check for Metadata SSRF. 10 | 3. Now, perform the attack with the following payload (Specific to AWS): 11 | 4. If the loaded iframe contains "security credentials", you can perform further enumeration. 12 | 5. Also, if the application is rendering the HTML code in the "PDF", this attack is still possible, so worth trying. 13 | 14 | Here is the list of Metadata endpoints for different cloud service providers: https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Request%20Forgery/README.md#ssrf-url-for-cloud-instances 15 | 16 | ``` 17 | 18 | [Follow Twitter Thread](https://twitter.com/harshbothra_/status/1478394407095353346?s=20&t=QR8LCZPmGCrSu2SuCUBCgQ) 19 | -------------------------------------------------------------------------------- /_sass/minimal-mistakes/skins/_aqua.scss: -------------------------------------------------------------------------------- 1 | /* ========================================================================== 2 | Aqua skin 3 | ========================================================================== */ 4 | 5 | /* Colors */ 6 | $gray : #1976d2 !default; 7 | $dark-gray : mix(#000, $gray, 40%) !default; 8 | $darker-gray : mix(#000, $gray, 60%) !default; 9 | $light-gray : mix(#fff, $gray, 50%) !default; 10 | $lighter-gray : mix(#fff, $gray, 90%) !default; 11 | 12 | $body-color : #fff !default; 13 | $background-color : #f0fff0 !default; 14 | $code-background-color : $lighter-gray !default; 15 | $code-background-color-dark : 
$light-gray !default; 16 | $text-color : $dark-gray !default; 17 | $border-color : $lighter-gray !default; 18 | 19 | $primary-color : $gray !default; 20 | $success-color : #27ae60 !default; 21 | $warning-color : #e67e22 !default; 22 | $danger-color : #c0392b !default; 23 | $info-color : #03a9f4 !default; 24 | 25 | /* links */ 26 | $link-color : $info-color !default; 27 | $link-color-hover : mix(#000, $link-color, 25%) !default; 28 | $link-color-visited : mix(#fff, $link-color, 25%) !default; 29 | $masthead-link-color : $primary-color !default; 30 | $masthead-link-color-hover : mix(#000, $primary-color, 25%) !default; -------------------------------------------------------------------------------- /_layouts/categories.html: -------------------------------------------------------------------------------- 1 | --- 2 | layout: archive 3 | --- 4 | 5 | {{ content }} 6 | 7 | {% assign categories_max = 0 %} 8 | {% for category in site.categories %} 9 | {% if category[1].size > categories_max %} 10 | {% assign categories_max = category[1].size %} 11 | {% endif %} 12 | {% endfor %} 13 | 14 |
    15 | {% for i in (1..categories_max) reversed %} 16 | {% for category in site.categories %} 17 | {% if category[1].size == i %} 18 |
  • 19 | 20 | {{ category[0] }} {{ i }} 21 | 22 |
  • 23 | {% endif %} 24 | {% endfor %} 25 | {% endfor %} 26 |
27 | 28 | {% for i in (1..categories_max) reversed %} 29 | {% for category in site.categories %} 30 | {% if category[1].size == i %} 31 |
32 |

{{ category[0] }}

33 |
34 | {% for post in category.last %} 35 | {% include archive-single.html type=page.entries_layout %} 36 | {% endfor %} 37 |
38 | {{ site.data.ui-text[site.locale].back_to_top | default: 'Back to Top' }} ↑ 39 |
40 | {% endif %} 41 | {% endfor %} 42 | {% endfor %} 43 | -------------------------------------------------------------------------------- /_includes/feature_row: -------------------------------------------------------------------------------- 1 | {% if include.id %} 2 | {% assign feature_row = page[include.id] %} 3 | {% else %} 4 | {% assign feature_row = page.feature_row %} 5 | {% endif %} 6 | 7 |
8 | 9 | {% for f in feature_row %} 10 |
11 |
12 | {% if f.image_path %} 13 |
14 | {% if f.alt %}{{ f.alt }}{% endif %} 16 | {% if f.image_caption %} 17 | {{ f.image_caption | markdownify | remove: "

" | remove: "

" }}
18 | {% endif %} 19 |
20 | {% endif %} 21 | 22 |
23 | {% if f.title %} 24 |

{{ f.title }}

25 | {% endif %} 26 | 27 | {% if f.excerpt %} 28 |
29 | {{ f.excerpt | markdownify }} 30 |
31 | {% endif %} 32 | 33 | {% if f.url %} 34 |

{{ f.btn_label | default: site.data.ui-text[site.locale].more_label | default: "Learn More" }}

35 | {% endif %} 36 |
37 |
38 |
39 | {% endfor %} 40 | 41 |
42 | -------------------------------------------------------------------------------- /_sass/minimal-mistakes/skins/_contrast.scss: -------------------------------------------------------------------------------- 1 | /* ========================================================================== 2 | Contrast skin 3 | ========================================================================== */ 4 | 5 | /* Colors */ 6 | $text-color: #000 !default; 7 | $muted-text-color: $text-color !default; 8 | $primary-color: #ff0000 !default; 9 | $border-color: mix(#fff, $text-color, 75%) !default; 10 | $footer-background-color: #000 !default; 11 | $link-color: #0000ff !default; 12 | $masthead-link-color: $text-color !default; 13 | $masthead-link-color-hover: $text-color !default; 14 | $navicon-link-color-hover: mix(#fff, $text-color, 80%) !default; 15 | 16 | /* contrast syntax highlighting (base16) */ 17 | $base00: #000000 !default; 18 | $base01: #242422 !default; 19 | $base02: #484844 !default; 20 | $base03: #6c6c66 !default; 21 | $base04: #918f88 !default; 22 | $base05: #b5b3aa !default; 23 | $base06: #d9d7cc !default; 24 | $base07: #fdfbee !default; 25 | $base08: #ff6c60 !default; 26 | $base09: #e9c062 !default; 27 | $base0a: #ffffb6 !default; 28 | $base0b: #a8ff60 !default; 29 | $base0c: #c6c5fe !default; 30 | $base0d: #96cbfe !default; 31 | $base0e: #ff73fd !default; 32 | $base0f: #b18a3d !default; 33 | 34 | .page__content { 35 | .notice, 36 | .notice--primary, 37 | .notice--info, 38 | .notice--warning, 39 | .notice--success, 40 | .notice--danger { 41 | color: $text-color; 42 | } 43 | } 44 | 45 | .page__footer { 46 | color: #fff !important; // override 47 | } 48 | 49 | .page__footer-follow .social-icons .svg-inline--fa { 50 | color: inherit; 51 | } 52 | -------------------------------------------------------------------------------- /_site/resources/zip-slip-file-upload.md: -------------------------------------------------------------------------------- 1 | ### 
SecurityExplained S-10: Attacking Zip Upload Functionality with ZipSlip Attack 2 | 3 | ``` 4 | As mentioned in the last SecurityExplained post, file upload is a big attack vector & one of my favourite functionality to perform attack on. When an application allows uploading zip, stores it on the back and to process the content, tried to unzip it, it is an interesting attack vector for "Zip Slip" Attack. 5 | 6 | Let's understand what is a ZipSlip Attack: 7 | 8 | As per the synk.io's: Zip Slip is a widespread arbitrary file overwrite critical vulnerability, which typically results in remote command execution. The vulnerability is exploited using a specially crafted archive that holds directory traversal filenames (e.g. ../../evil.sh). The Zip Slip vulnerability can affect numerous archive formats, including tar, jar, war, cpio, apk, rar and 7z. 9 | 10 | 11 | # How to Exploit? 12 | 13 | - Using the following tool, create a malicious zip file: https://github.com/ptoomey3/evilarc 14 | - Upload the malicious zip file using the zip upload functionality 15 | - If accepted and uploaded successfully, try to check for the endpoints that reflects the results of the uploaded file or try to check for any unintended behavior from the server/application for further exploitation. 
16 | 17 | 18 | # Interesting Research Read: 19 | - https://snyk.io/research/zip-slip-vulnerability 20 | - https://github.com/snyk/zip-slip-vulnerability 21 | 22 | 23 | ``` 24 | 25 | [Follow Twitter Thread](https://twitter.com/harshbothra_/status/1480567796098420737?s=20&t=DGEwqEwXwFbWH0VXkOKVsQ) 26 | -------------------------------------------------------------------------------- /_posts/resources/2022-02-09-feroxbuster-explained.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: "FeroxBuster - Content Discovery" 3 | classes: wide 4 | tag: 5 | - "" 6 | header: 7 | teaser: /assets/images/htb/htb.png 8 | ribbon: green 9 | description: "FeroxBuster - Content Discovery" 10 | categories: 11 | - resources 12 | --- 13 | 14 | # SecurityExplained S-2: FeroxBuster - A Content Discovery Tool! 15 | 16 | 17 | Ferox Buster is easy to use, fast & convenient "Content Discovery" tool written in Rust. 18 | 19 | - Tool Link: https://github.com/epi052/feroxbuster 20 | 21 | One of the reasons to like this tool is its neat documentation: https://epi052.github.io/feroxbuster-docs/docs/ 22 | 23 | Why choose this tool over others?: https://epi052.github.io/feroxbuster-docs/docs/compare/ 24 | 25 | You can install this tool in multiple ways based upon your environment, and a straightforward example is using the following command: 26 | 27 | - sudo apt update && sudo apt install -y feroxbuster 28 | 29 | Using this tool is quite simple. You can run a simple scan with the following command: 30 | 31 | - ./feroxbuster -u -x 32 | 33 | Other interesting use-case examples can be found here: https://epi052.github.io/feroxbuster-docs/docs/examples/core-features/. 34 | 35 | Feel free to ask questions related to "How do I perform Content Discovery", etc. in the comments, and I will try to answer in the best way possible. Cheers! 
36 | 37 | 38 | #### Twitter Handle: @harshbothra_ 39 | [Follow Twitter Thread](https://twitter.com/harshbothra_/status/1477541501311676417?s=20&t=QR8LCZPmGCrSu2SuCUBCgQ) 40 | -------------------------------------------------------------------------------- /_includes/social-share.html: -------------------------------------------------------------------------------- 1 | 12 | -------------------------------------------------------------------------------- /_site/resources/bypassing-ios-biometrics.md: -------------------------------------------------------------------------------- 1 | ### SecurityExplained S-6: Bypassing Biometrics in iOS with Objection 2 | 3 | ``` 4 | Many applications provide a functionality to enable touch/face ID as an added layer of protection to the application. However, if the attack have "physical access" to the device, it is possible to bypass this restriction and gain access to the application. There are multiple methods to bypass the checks, however, one of the simplest method is to use "Objection". 5 | 6 | Before, performing the attack ensure that the device has frida up and running. Also, the objection must be installed on the attacker system. 7 | 8 | # How to perform the attack: 9 | 10 | 1. Run the following command: objection --gadget 11 | 2. In the objection run following command: ios ui biometrics_bypass 12 | 3. Now, give the wrong "biometric", the application says it is wrong, now simply click on "Cancel" to observe that the biometrics are bypassed. 13 | 14 | 15 | # How this works: 16 | 17 | - LAContext is a class that is responsible for the local authentication. In this, there is a evaluatePolicy method that is responsible to present a dialog and authenticate the user. When the command mentioned in the "Step-2" is executed, objection creates a hook on "-[LAContext evaluatePolicy:localizedReason:reply:]" and manipulates the boolean value from "False" to "True". 
18 | 19 | A detailed explanation can be found here: https://github.com/sensepost/objection/wiki/Understanding-the-iOS-Biometrics-Bypass 20 | 21 | ``` 22 | 23 | [Follow Twitter Thread](https://twitter.com/harshbothra_/status/1479127074132529155?s=20&t=DGEwqEwXwFbWH0VXkOKVsQ) 24 | -------------------------------------------------------------------------------- /_posts/resources/2022-02-09-rustscan-portscanner.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: "RustScan - Modern Port Scanner" 3 | classes: wide 4 | tag: 5 | - "" 6 | header: 7 | teaser: /assets/images/htb/htb.png 8 | ribbon: green 9 | description: "RustScan - Modern Port Scanner" 10 | categories: 11 | - resources 12 | --- 13 | 14 | ### SecurityExplained S-11: RustScan - The Modern Port Scanner 15 | 16 | 17 | - RustScan is a port scanner written using Rust programming. The tool utilizes adaptive learning model to improvise itself over the time, i.e. more you use the tool, better it becomes. 18 | 19 | # Tool Repo: https://github.com/RustScan/RustScan/ 20 | 21 | - It is mentioned on the official repo that this tool can do following: 22 | - Scans all 65k ports in 3 seconds. 23 | - Full scripting engine support. Automatically pipe results into Nmap, or use our scripts (or write your own) to do whatever you want. 24 | - Adaptive learning. RustScan improves the more you use it. No bloated machine learning here, just basic maths. 25 | - The usuals you would expect. IPv6, CIDR, file input and more. 26 | - Automatically pipes ports into Nmap. 27 | 28 | There are two main points that makes this tool my new preffered choice for the Port Scanning Tool: 29 | - Speed [RustScan is pretty fast and I have compared it with a traditional nmap scan too. 
] 30 | - Simple Usage Guide: https://github.com/RustScan/RustScan/wiki/Things-you-may-want-to-do-with-RustScan-but-don't-understand-how 31 | 32 | Installation Guide: https://github.com/RustScan/RustScan/wiki/Installation-Guide 33 | 34 | 35 | [Follow Twitter Thread](https://twitter.com/harshbothra_/status/1480905854433988611?s=20&t=DGEwqEwXwFbWH0VXkOKVsQ) 36 | -------------------------------------------------------------------------------- /_posts/resources/2022-02-10-xxe-in-json.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: "Exploiting XXE in JSON Endpoints" 3 | classes: wide 4 | tag: 5 | - "" 6 | header: 7 | teaser: /assets/images/htb/htb.png 8 | ribbon: green 9 | description: "Exploiting XXE in JSON Endpoints" 10 | categories: 11 | - resources 12 | --- 13 | 14 | ### SecurityExplained S-14: Exploiting XXE in JSON Endpoints 15 | 16 | 17 | XXE a.k.a XML External Entities is a vulnerability that is usally found in endpoints that process XML data. This attack happens when a misconfigured or weekly configured XML parser processed the external entity reference from a XML Input. 18 | 19 | However, if an application is using JSON as content-type in request processing, in a usual assumption, we often do not check for the XXE attack but in certain scenarios, it might be possible that the application supports XML parsing along with JSON but that is not visible via request structure. Hence, we should always check for XXE in JSON endpoints. 20 | 21 | # To perform XXE in JSON Endpoints, One can try below steps: 22 | 23 | 1. Capture a JSON request with Burp Suite. 24 | 2. Convert the content-type to XML using "Content-Type Convertor" Burp Extension. 25 | 3. Process the Request and if request is processed successfully, it means that the XML parsing is supported. 26 | 4. 
Now, attempt to exploit XXE 27 | 28 | Interesting Read: https://www.netspi.com/blog/technical/web-application-penetration-testing/playing-content-type-xxe-json-endpoints/ 29 | More About XXE: https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing 30 | 31 | 32 | [Follow Twitter Thread](https://twitter.com/harshbothra_/status/1481974615409041414?s=20&t=DGEwqEwXwFbWH0VXkOKVsQ) 33 | -------------------------------------------------------------------------------- /_site/resources/bypassing-filters-visual-spoofing.md: -------------------------------------------------------------------------------- 1 | ### SecurityExplained S-8: Bypassing Filters(and more) with Visual Spoofing 2 | 3 | ``` 4 | Visual Spoofing attacks utilizes the characters from different languages that are visually similar. For example: These all letters [AΑ А ᗅ ᗋ ᴀ A] looks like 'A' of english, visually, however, the computer program processes these characters with their exact meanings. 5 | 6 | This is where it became an interesting tool to abuse the filters and regular expression based checks & bypass them. 7 | 8 | 9 | There are multiple attack scenarios using Visual Spoofing/Homographic Attacks: 10 | 11 | 1. Abusing the Filters & Bypassing Them 12 | 13 | - One can attempt to bypass filters for any attack category such as cross-site scripting and may have a successful execution. 14 | 15 | Ex: For example: <> tags are filters, you can try ‹› instead. (Looks visually similar but are different). 16 | 17 | 18 | 2. Domain Spoofing 19 | 20 | - Highly reliable while performing a social engineering attack. The phishing emails, websites, etc looks legit and genuine. 21 | 22 | 3. Business Logic Abuse 23 | - One can attempt to perform business logic abuse, break the parsing logics and even attempt to perform account takeovers. 24 | 25 | 4. IDN Homograph Attacks 26 | 27 | 5. And other endless misc. 
things one can think of (Being creative is always a plus) 28 | 29 | 30 | Homoglyph Attack Generator: https://www.irongeek.com/homoglyph-attack-generator.php 31 | 32 | Interesting Resources: https://websec.github.io/unicode-security-guide/visual-spoofing/ 33 | 34 | ``` 35 | 36 | [Follow Twitter Thread](https://twitter.com/harshbothra_/status/1479813683114958852?s=20&t=DGEwqEwXwFbWH0VXkOKVsQ) 37 | -------------------------------------------------------------------------------- /_layouts/search.html: -------------------------------------------------------------------------------- 1 | --- 2 | layout: default 3 | --- 4 | 5 | {% if page.header.overlay_color or page.header.overlay_image or page.header.image %} 6 | {% include page__hero.html %} 7 | {% endif %} 8 | 9 | {% if page.url != "/" and site.breadcrumbs %} 10 | {% unless paginator %} 11 | {% include breadcrumbs.html %} 12 | {% endunless %} 13 | {% endif %} 14 | 15 |
16 | {% include sidebar.html %} 17 | 18 |
19 | {% unless page.header.overlay_color or page.header.overlay_image %} 20 |

{{ page.title }}

21 | {% endunless %} 22 | 23 | {{ content }} 24 | 25 | {%- assign search_provider = site.search_provider | default: "lunr" -%} 26 | {%- case search_provider -%} 27 | {%- when "lunr" -%} 28 | 29 |
30 | {%- when "google" -%} 31 |
32 | 33 |
34 |
35 | 36 |
37 | {%- when "algolia" -%} 38 | 39 |
40 | {%- endcase -%} 41 |
42 |
43 | -------------------------------------------------------------------------------- /_posts/resources/2022-02-09-htmli-to-cloud-ssrf.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: "HTMLi to Cloud Metadata SSRF" 3 | classes: wide 4 | tag: 5 | - "" 6 | header: 7 | teaser: /assets/images/htb/htb.png 8 | ribbon: green 9 | description: "HTMLi to CLoud Metadata SSRF" 10 | categories: 11 | - resources 12 | --- 13 | 14 | ### SecurityExplained S-4: Escalating HTML Injection to Cloud Metadata SSRF 15 | 16 | 17 | If you have found an HTML Injection vulnerability that allows you to load 22 | 2. If the iframe is loaded successfully and the interaction is received on the Collaborator, next step is to check for Metadata SSRF. 23 | 3. Now, perform the attack with the following payload (Specific to AWS): 24 | 4. If the loaded iframe contains "security credentials", you can perform further enumeration. 25 | 5. Also, if the application is rendering the HTML code in the "PDF", this attack is still possible, so worth trying. 
26 | 27 | Here is the list of Metadata endpoints for different cloud service providers: https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Request%20Forgery/README.md#ssrf-url-for-cloud-instances 28 | 29 | 30 | 31 | [Follow Twitter Thread](https://twitter.com/harshbothra_/status/1478394407095353346?s=20&t=QR8LCZPmGCrSu2SuCUBCgQ) 32 | -------------------------------------------------------------------------------- /_sass/minimal-mistakes/vendor/susy/plugins/svg-grid/_svg-grid-math.scss: -------------------------------------------------------------------------------- 1 | // SVG Grid Math 2 | // ============= 3 | 4 | 5 | 6 | // SVG Column Position 7 | // ------------------- 8 | /// Determine the proper horizontal position 9 | /// for a column rectangle 10 | /// 11 | /// @access private 12 | /// 13 | /// @param {Integer} $column - 14 | /// 1-indexed column location on the grid 15 | /// @param {Map} $grid - 16 | /// Normalized settings map representing the current grid 17 | /// 18 | /// @return {Length} - 19 | /// Horizontal position of svg column rectangle, 20 | /// as distance from the grid edge 21 | @function _susy-svg-column-position( 22 | $column, 23 | $grid 24 | ) { 25 | $x: $column - 1; 26 | 27 | @if ($x > 0) { 28 | $x: susy-span(first $x wide, $grid); 29 | } 30 | 31 | @return $x; 32 | } 33 | 34 | 35 | 36 | // SVG Offset 37 | // ---------- 38 | /// Determine if a grid image needs to be offset, 39 | /// to account for edge gutters. 
40 | /// 41 | /// @access private 42 | /// 43 | /// @param {Map} $grid - 44 | /// Normalized settings map representing the current grid 45 | /// 46 | /// @return {Length | null} - 47 | /// Expected distance from container edge to first column, 48 | /// based on spread values and gutter-widths 49 | @function _susy-svg-offset( 50 | $grid 51 | ) { 52 | $columns: su-valid-columns(map-get($grid, 'columns')); 53 | $gutters: su-valid-gutters(map-get($grid, 'gutters')); 54 | $container: su-valid-spread(map-get($grid, 'container-spread')) + 1; 55 | 56 | @if ($container == 0) { 57 | @return null; 58 | } 59 | 60 | $gutter: su-call('su-gutter', $grid); 61 | 62 | @if (type-of($gutter) == 'string') { 63 | @return 'calc(#{$container} * #{$gutter} / 2)'; 64 | } 65 | 66 | @return $container * $gutter / 2; 67 | } 68 | -------------------------------------------------------------------------------- /_sass/minimal-mistakes/skins/_sunrise.scss: -------------------------------------------------------------------------------- 1 | /* ========================================================================== 2 | Sunrise skin 3 | ========================================================================== */ 4 | 5 | /* Colors */ 6 | $dark-gray: #0e2431 !default; 7 | $background-color: #e8d5b7 !default; 8 | $text-color: #000 !default; 9 | $muted-text-color: $dark-gray !default; 10 | $primary-color: #fc3a52 !default; 11 | $border-color: mix(#000, $background-color, 20%) !default; 12 | $code-background-color: mix(#fff, $background-color, 20%) !default; 13 | $code-background-color-dark: mix(#000, $background-color, 10%) !default; 14 | $form-background-color: mix(#fff, $background-color, 15%) !default; 15 | $footer-background-color: #f9b248 !default; 16 | $link-color: mix(#000, $primary-color, 10%) !default; 17 | $link-color-hover: mix(#fff, $link-color, 25%) !default; 18 | $link-color-visited: mix(#000, $link-color, 25%) !default; 19 | $masthead-link-color: $text-color !default; 20 | 
$masthead-link-color-hover: mix(#000, $text-color, 20%) !default; 21 | $navicon-link-color-hover: mix(#000, $background-color, 30%) !default; 22 | 23 | /* sunrise syntax highlighting (base16) */ 24 | $base00: #1d1f21 !default; 25 | $base01: #282a2e !default; 26 | $base02: #373b41 !default; 27 | $base03: #969896 !default; 28 | $base04: #b4b7b4 !default; 29 | $base05: #c5c8c6 !default; 30 | $base06: #e0e0e0 !default; 31 | $base07: #ffffff !default; 32 | $base08: #cc6666 !default; 33 | $base09: #de935f !default; 34 | $base0a: #f0c674 !default; 35 | $base0b: #b5bd68 !default; 36 | $base0c: #8abeb7 !default; 37 | $base0d: #81a2be !default; 38 | $base0e: #b294bb !default; 39 | $base0f: #a3685a !default; 40 | 41 | .author__urls.social-icons .fa, 42 | .page__footer-follow .social-icons .svg-inline--fa { 43 | color: inherit; 44 | } 45 | -------------------------------------------------------------------------------- /_sass/minimal-mistakes/_footer.scss: -------------------------------------------------------------------------------- 1 | /* ========================================================================== 2 | FOOTER 3 | ========================================================================== */ 4 | 5 | .page__footer { 6 | @include clearfix; 7 | float: left; 8 | margin-left: 0; 9 | margin-right: 0; 10 | width: 100%; 11 | clear: both; 12 | margin-top: 3em; 13 | color: $muted-text-color; 14 | -webkit-animation: $intro-transition; 15 | animation: $intro-transition; 16 | -webkit-animation-delay: 0.45s; 17 | animation-delay: 0.45s; 18 | background-color: $footer-background-color; 19 | 20 | footer { 21 | @include clearfix; 22 | margin-left: auto; 23 | margin-right: auto; 24 | margin-top: 2em; 25 | max-width: 100%; 26 | padding: 0 1em 2em; 27 | 28 | @include breakpoint($x-large) { 29 | max-width: $x-large; 30 | } 31 | } 32 | 33 | a { 34 | color: inherit; 35 | text-decoration: none; 36 | 37 | &:hover { 38 | text-decoration: underline; 39 | } 40 | } 41 | 42 | .fas, 43 | 
.fab, 44 | .far, 45 | .fal { 46 | color: $muted-text-color; 47 | } 48 | } 49 | 50 | .page__footer-copyright { 51 | font-family: $global-font-family; 52 | font-size: $type-size-7; 53 | } 54 | 55 | .page__footer-follow { 56 | ul { 57 | margin: 0; 58 | padding: 0; 59 | list-style-type: none; 60 | } 61 | 62 | li { 63 | display: inline-block; 64 | padding-top: 5px; 65 | padding-bottom: 5px; 66 | font-family: $sans-serif-narrow; 67 | font-size: $type-size-6; 68 | text-transform: uppercase; 69 | } 70 | 71 | li + li:before { 72 | content: ""; 73 | padding-right: 5px; 74 | } 75 | 76 | a { 77 | padding-right: 10px; 78 | font-weight: bold; 79 | } 80 | 81 | .social-icons { 82 | a { 83 | white-space: nowrap; 84 | } 85 | } 86 | } 87 | -------------------------------------------------------------------------------- /_includes/breadcrumbs.html: -------------------------------------------------------------------------------- 1 | {% case site.category_archive.type %} 2 | {% when "liquid" %} 3 | {% assign path_type = "#" %} 4 | {% when "jekyll-archives" %} 5 | {% assign path_type = nil %} 6 | {% endcase %} 7 | 8 | {% if page.collection != 'posts' %} 9 | {% assign path_type = nil %} 10 | {% assign crumb_path = '/' %} 11 | {% else %} 12 | {% assign crumb_path = site.category_archive.path %} 13 | {% endif %} 14 | 15 | 40 | -------------------------------------------------------------------------------- /_posts/resources/2022-02-09-bypassing-ios-biometrics.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: "Biometrics Bypass in iOS with Objection" 3 | classes: wide 4 | tag: 5 | - "" 6 | header: 7 | teaser: /assets/images/htb/htb.png 8 | ribbon: green 9 | description: "Biometrics Bypass in iOS" 10 | categories: 11 | - resources 12 | --- 13 | 14 | ### SecurityExplained S-6: Bypassing Biometrics in iOS with Objection 15 | 16 | 17 | Many applications provide a functionality to enable touch/face ID as an added layer of protection to the 
application. However, if the attack have "physical access" to the device, it is possible to bypass this restriction and gain access to the application. There are multiple methods to bypass the checks, however, one of the simplest method is to use "Objection". 18 | 19 | Before, performing the attack ensure that the device has frida up and running. Also, the objection must be installed on the attacker system. 20 | 21 | # How to perform the attack: 22 | 23 | 1. Run the following command: objection --gadget 24 | 2. In the objection run following command: ios ui biometrics_bypass 25 | 3. Now, give the wrong "biometric", the application says it is wrong, now simply click on "Cancel" to observe that the biometrics are bypassed. 26 | 27 | 28 | # How this works: 29 | 30 | - LAContext is a class that is responsible for the local authentication. In this, there is a evaluatePolicy method that is responsible to present a dialog and authenticate the user. When the command mentioned in the "Step-2" is executed, objection creates a hook on "-[LAContext evaluatePolicy:localizedReason:reply:]" and manipulates the boolean value from "False" to "True". 
31 | 32 | A detailed explanation can be found here: https://github.com/sensepost/objection/wiki/Understanding-the-iOS-Biometrics-Bypass 33 | 34 | 35 | 36 | [Follow Twitter Thread](https://twitter.com/harshbothra_/status/1479127074132529155?s=20&t=DGEwqEwXwFbWH0VXkOKVsQ) 37 | -------------------------------------------------------------------------------- /_posts/resources/2022-02-11-zip-slip-file-upload.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: "Attacking Zip Upload Functionality with ZipSlip Attack" 3 | classes: wide 4 | tag: 5 | - "" 6 | header: 7 | teaser: /assets/images/htb/htb.png 8 | ribbon: green 9 | description: "Attacking Zip Upload Functionality with ZipSlip Attack" 10 | categories: 11 | - resources 12 | --- 13 | 14 | ### SecurityExplained S-10: Attacking Zip Upload Functionality with ZipSlip Attack 15 | 16 | 17 | As mentioned in the last SecurityExplained post, file upload is a big attack vector & one of my favourite functionality to perform attack on. When an application allows uploading zip, stores it on the back and to process the content, tried to unzip it, it is an interesting attack vector for "Zip Slip" Attack. 18 | 19 | Let's understand what is a ZipSlip Attack: 20 | 21 | As per the synk.io's: Zip Slip is a widespread arbitrary file overwrite critical vulnerability, which typically results in remote command execution. The vulnerability is exploited using a specially crafted archive that holds directory traversal filenames (e.g. ../../evil.sh). The Zip Slip vulnerability can affect numerous archive formats, including tar, jar, war, cpio, apk, rar and 7z. 22 | 23 | 24 | # How to Exploit? 
25 | 26 | - Using the following tool, create a malicious zip file: https://github.com/ptoomey3/evilarc 27 | - Upload the malicious zip file using the zip upload functionality 28 | - If accepted and uploaded successfully, try to check for the endpoints that reflects the results of the uploaded file or try to check for any unintended behavior from the server/application for further exploitation. 29 | 30 | 31 | # Interesting Research Read: 32 | - https://snyk.io/research/zip-slip-vulnerability 33 | - https://github.com/snyk/zip-slip-vulnerability 34 | 35 | 36 | 37 | 38 | [Follow Twitter Thread](https://twitter.com/harshbothra_/status/1480567796098420737?s=20&t=DGEwqEwXwFbWH0VXkOKVsQ) 39 | -------------------------------------------------------------------------------- /assets/js/lunr/lunr-store.js: -------------------------------------------------------------------------------- 1 | --- 2 | layout: null 3 | --- 4 | 5 | var store = [ 6 | {%- for c in site.collections -%} 7 | {%- if forloop.last -%} 8 | {%- assign l = true -%} 9 | {%- endif -%} 10 | {%- assign docs = c.docs | where_exp:'doc','doc.search != false' -%} 11 | {%- for doc in docs -%} 12 | {%- if doc.header.teaser -%} 13 | {%- capture teaser -%}{{ doc.header.teaser }}{%- endcapture -%} 14 | {%- else -%} 15 | {%- assign teaser = site.teaser -%} 16 | {%- endif -%} 17 | { 18 | "title": {{ doc.title | jsonify }}, 19 | "excerpt": 20 | {%- if site.search_full_content == true -%} 21 | {{ doc.content | newline_to_br | 22 | replace:"
", " " | 23 | replace:"

", " " | 24 | replace:"", " " | 25 | replace:"", " " | 26 | replace:"", " " | 27 | replace:"", " " | 28 | replace:"", " " | 29 | replace:"", " "| 30 | strip_html | strip_newlines | jsonify }}, 31 | {%- else -%} 32 | {{ doc.content | newline_to_br | 33 | replace:"
", " " | 34 | replace:"

", " " | 35 | replace:"", " " | 36 | replace:"", " " | 37 | replace:"", " " | 38 | replace:"", " " | 39 | replace:"", " " | 40 | replace:"", " "| 41 | strip_html | strip_newlines | truncatewords: 50 | jsonify }}, 42 | {%- endif -%} 43 | "categories": {{ doc.categories | jsonify }}, 44 | "tags": {{ doc.tags | jsonify }}, 45 | "url": {{ doc.url | absolute_url | jsonify }}, 46 | "teaser": {{ teaser | absolute_url | jsonify }} 47 | }{%- unless forloop.last and l -%},{%- endunless -%} 48 | {%- endfor -%} 49 | {%- endfor -%}] 50 | -------------------------------------------------------------------------------- /_sass/minimal-mistakes/vendor/breakpoint/parsers/resolution/_resolution.scss: -------------------------------------------------------------------------------- 1 | @function breakpoint-make-resolutions($resolution) { 2 | $length: length($resolution); 3 | 4 | $output: (); 5 | 6 | @if $length == 2 { 7 | $feature: ''; 8 | $value: ''; 9 | 10 | // Find which is number 11 | @if type-of(nth($resolution, 1)) == 'number' { 12 | $value: nth($resolution, 1); 13 | } 14 | @else { 15 | $value: nth($resolution, 2); 16 | } 17 | 18 | // Determine min/max/standard 19 | @if index($resolution, 'min-resolution') { 20 | $feature: 'min-'; 21 | } 22 | @else if index($resolution, 'max-resolution') { 23 | $feature: 'max-'; 24 | } 25 | 26 | $standard: '(#{$feature}resolution: #{$value})'; 27 | 28 | // If we're not dealing with dppx, 29 | @if unit($value) != 'dppx' { 30 | $base: 96dpi; 31 | @if unit($value) == 'dpcm' { 32 | $base: 243.84dpcm; 33 | } 34 | // Write out feature tests 35 | $webkit: ''; 36 | $moz: ''; 37 | $webkit: '(-webkit-#{$feature}device-pixel-ratio: #{$value / $base})'; 38 | $moz: '(#{$feature}-moz-device-pixel-ratio: #{$value / $base})'; 39 | // Append to output 40 | $output: append($output, $standard, space); 41 | $output: append($output, $webkit, space); 42 | $output: append($output, $moz, space); 43 | } 44 | @else { 45 | $webkit: ''; 46 | $moz: ''; 47 | $webkit: 
'(-webkit-#{$feature}device-pixel-ratio: #{$value / 1dppx})'; 48 | $moz: '(#{$feature}-moz-device-pixel-ratio: #{$value / 1dppx})'; 49 | $fallback: '(#{$feature}resolution: #{$value / 1dppx * 96dpi})'; 50 | // Append to output 51 | $output: append($output, $standard, space); 52 | $output: append($output, $webkit, space); 53 | $output: append($output, $moz, space); 54 | $output: append($output, $fallback, space); 55 | } 56 | 57 | } 58 | 59 | @return $output; 60 | } 61 | -------------------------------------------------------------------------------- /_posts/resources/2022-02-09-bypassing-filters-visual-spoofing.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: "Bypass Filters with Visual Spoofing" 3 | classes: wide 4 | tag: 5 | - "" 6 | header: 7 | teaser: /assets/images/htb/htb.png 8 | ribbon: green 9 | description: "Bypass Filters with Visual Spoofing" 10 | categories: 11 | - resources 12 | --- 13 | 14 | 15 | ### SecurityExplained S-8: Bypassing Filters(and more) with Visual Spoofing 16 | 17 | 18 | Visual Spoofing attacks utilizes the characters from different languages that are visually similar. For example: These all letters [AΑ А ᗅ ᗋ ᴀ A] looks like 'A' of english, visually, however, the computer program processes these characters with their exact meanings. 19 | 20 | This is where it became an interesting tool to abuse the filters and regular expression based checks & bypass them. 21 | 22 | 23 | There are multiple attack scenarios using Visual Spoofing/Homographic Attacks: 24 | 25 | 1. Abusing the Filters & Bypassing Them 26 | 27 | - One can attempt to bypass filters for any attack category such as cross-site scripting and may have a successful execution. 28 | 29 | Ex: For example: <> tags are filters, you can try ‹› instead. (Looks visually similar but are different). 30 | 31 | 32 | 2. Domain Spoofing 33 | 34 | - Highly reliable while performing a social engineering attack. 
The phishing emails and websites look legitimate. How reliable this is depends on the target client: modern browsers display many mixed-script or confusable IDNs as punycode (xn--...), so the spoofed name is most convincing in mail clients, chat link previews and single-script look-alikes; test the exact domain in the client your target uses before relying on it.
38 | check(); 39 | // There is more than enough space 40 | } else if (availableSpace > breakWidths[numOfVisibleItems]) { 41 | $hlinks 42 | .children() 43 | .first() 44 | .appendTo($vlinks); 45 | numOfVisibleItems += 1; 46 | check(); 47 | } 48 | // Update the button accordingly 49 | $btn.attr("count", numOfItems - numOfVisibleItems); 50 | if (numOfVisibleItems === numOfItems) { 51 | $btn.addClass("hidden"); 52 | } else { 53 | $btn.removeClass("hidden"); 54 | } 55 | } 56 | 57 | // Window listeners 58 | $(window).resize(function() { 59 | check(); 60 | }); 61 | 62 | $btn.on("click", function() { 63 | $hlinks.toggleClass("hidden"); 64 | $(this).toggleClass("close"); 65 | }); 66 | 67 | check(); 68 | }); 69 | -------------------------------------------------------------------------------- /_includes/search/algolia-search-scripts.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 55 | -------------------------------------------------------------------------------- /_sass/minimal-mistakes/_masthead.scss: -------------------------------------------------------------------------------- 1 | /* ========================================================================== 2 | MASTHEAD 3 | ========================================================================== */ 4 | 5 | .masthead { 6 | position: relative; 7 | border-bottom: 1px solid $border-color; 8 | -webkit-animation: $intro-transition; 9 | animation: $intro-transition; 10 | -webkit-animation-delay: 0.15s; 11 | animation-delay: 0.15s; 12 | z-index: 20; 13 | 14 | &__inner-wrap { 15 | @include clearfix; 16 | margin-left: auto; 17 | margin-right: auto; 18 | padding: 1em; 19 | max-width: 100%; 20 | display: -webkit-box; 21 | display: -ms-flexbox; 22 | display: flex; 23 | -webkit-box-pack: justify; 24 | -ms-flex-pack: justify; 25 | justify-content: space-between; 26 | font-family: $sans-serif-narrow; 27 | 28 | @include breakpoint($x-large) { 29 | max-width: $max-width; 30 
| } 31 | 32 | nav { 33 | z-index: 10; 34 | } 35 | 36 | a { 37 | text-decoration: none; 38 | } 39 | } 40 | } 41 | 42 | .site-logo img { 43 | max-height: 2rem; 44 | } 45 | 46 | .site-title { 47 | display: -webkit-box; 48 | display: -ms-flexbox; 49 | display: flex; 50 | -ms-flex-item-align: center; 51 | align-self: center; 52 | font-weight: bold; 53 | // z-index: 20; 54 | } 55 | 56 | .site-subtitle { 57 | display: block; 58 | font-size: $type-size-8; 59 | } 60 | 61 | .masthead__menu { 62 | float: left; 63 | margin-left: 0; 64 | margin-right: 0; 65 | width: 100%; 66 | clear: both; 67 | 68 | .site-nav { 69 | margin-left: 0; 70 | 71 | @include breakpoint($small) { 72 | float: right; 73 | } 74 | } 75 | 76 | ul { 77 | margin: 0; 78 | padding: 0; 79 | clear: both; 80 | list-style-type: none; 81 | } 82 | } 83 | 84 | .masthead__menu-item { 85 | display: block; 86 | list-style-type: none; 87 | white-space: nowrap; 88 | 89 | &--lg { 90 | padding-right: 2em; 91 | font-weight: 700; 92 | } 93 | } 94 | -------------------------------------------------------------------------------- /_includes/comments-providers/staticman.html: -------------------------------------------------------------------------------- 1 | {% if site.repository and site.staticman.branch %} 2 | 40 | {% endif %} 41 | -------------------------------------------------------------------------------- /_includes/comments-providers/staticman_v2.html: -------------------------------------------------------------------------------- 1 | {% if site.repository and site.comments.staticman.branch %} 2 | 40 | {% endif %} 41 | -------------------------------------------------------------------------------- /_sass/minimal-mistakes/skins/_neon.scss: -------------------------------------------------------------------------------- 1 | /* ========================================================================== 2 | Neon skin 3 | ========================================================================== */ 4 | 5 | /* Colors */ 6 | 
$background-color: #141010 !default; 7 | $text-color: #fff6fb !default; 8 | $primary-color: #f21368 !default; 9 | $border-color: mix(#fff, $primary-color, 20%) !default; 10 | $code-background-color: mix(#000, $background-color, 15%) !default; 11 | $code-background-color-dark: mix(#000, $background-color, 20%) !default; 12 | $form-background-color: mix(#000, $background-color, 15%) !default; 13 | $footer-background-color: mix($primary-color, #000, 5%) !default; 14 | $link-color: $primary-color !default; 15 | $link-color-hover: mix(#fff, $link-color, 25%) !default; 16 | $link-color-visited: mix(#000, $link-color, 25%) !default; 17 | $masthead-link-color: $text-color !default; 18 | $masthead-link-color-hover: mix(#000, $text-color, 20%) !default; 19 | $navicon-link-color-hover: mix(#000, $background-color, 30%) !default; 20 | 21 | /* neon syntax highlighting (base16) */ 22 | $base00: #ffffff !default; 23 | $base01: #e0e0e0 !default; 24 | $base02: #d0d0d0 !default; 25 | $base03: #b0b0b0 !default; 26 | $base04: #000000 !default; 27 | $base05: #101010 !default; 28 | $base06: #151515 !default; 29 | $base07: #202020 !default; 30 | $base08: #ff0086 !default; 31 | $base09: #fd8900 !default; 32 | $base0a: #aba800 !default; 33 | $base0b: #00c918 !default; 34 | $base0c: #1faaaa !default; 35 | $base0d: #3777e6 !default; 36 | $base0e: #ad00a1 !default; 37 | $base0f: #cc6633 !default; 38 | 39 | .author__urls.social-icons .svg-inline--fa, 40 | .page__footer-follow .social-icons .svg-inline--fa { 41 | color: inherit; 42 | } 43 | 44 | /* next/previous buttons */ 45 | .pagination--pager { 46 | color: $text-color; 47 | background-color: $primary-color; 48 | border-color: transparent; 49 | 50 | &:visited { 51 | color: $text-color; 52 | } 53 | } 54 | 55 | .ais-search-box .ais-search-box--input { 56 | background-color: $form-background-color; 57 | } 58 | -------------------------------------------------------------------------------- /_includes/masthead.html: 
-------------------------------------------------------------------------------- 1 | {% capture logo_path %}{{ site.logo }}{% endcapture %} 2 | 3 |
38 | -------------------------------------------------------------------------------- /_sass/minimal-mistakes/skins/_plum.scss: -------------------------------------------------------------------------------- 1 | /* ========================================================================== 2 | Plum skin 3 | ========================================================================== */ 4 | 5 | /* Colors */ 6 | $background-color: #521477 !default; 7 | $text-color: #fffd86 !default; 8 | $primary-color: #c327ab !default; 9 | $border-color: mix(#fff, $background-color, 20%) !default; 10 | $code-background-color: mix(#000, $background-color, 15%) !default; 11 | $code-background-color-dark: mix(#000, $background-color, 20%) !default; 12 | $form-background-color: mix(#000, $background-color, 15%) !default; 13 | $footer-background-color: mix(#000, $background-color, 25%) !default; 14 | $link-color: $primary-color !default; 15 | $link-color-hover: mix(#fff, $link-color, 25%) !default; 16 | $link-color-visited: mix(#000, $link-color, 25%) !default; 17 | $masthead-link-color: $text-color !default; 18 | $masthead-link-color-hover: mix(#000, $text-color, 20%) !default; 19 | $navicon-link-color-hover: mix(#000, $background-color, 30%) !default; 20 | 21 | /* plum syntax highlighting (base16) */ 22 | $base00: #ffffff !default; 23 | $base01: #e0e0e0 !default; 24 | $base02: #d0d0d0 !default; 25 | $base03: #b0b0b0 !default; 26 | $base04: #000000 !default; 27 | $base05: #101010 !default; 28 | $base06: #151515 !default; 29 | $base07: #202020 !default; 30 | $base08: #ff0086 !default; 31 | $base09: #fd8900 !default; 32 | $base0a: #aba800 !default; 33 | $base0b: #00c918 !default; 34 | $base0c: #1faaaa !default; 35 | $base0d: #3777e6 !default; 36 | $base0e: #ad00a1 !default; 37 | $base0f: #cc6633 !default; 38 | 39 | .author__urls.social-icons .svg-inline--fa, 40 | .page__footer-follow .social-icons .svg-inline--fa { 41 | color: inherit; 42 | } 43 | 44 | .page__content { 45 | a, 46 | 
a:visited { 47 | color: inherit; 48 | } 49 | } 50 | 51 | /* next/previous buttons */ 52 | .pagination--pager { 53 | color: $text-color; 54 | background-color: $primary-color; 55 | border-color: transparent; 56 | 57 | &:visited { 58 | color: $text-color; 59 | } 60 | } 61 | 62 | .ais-search-box .ais-search-box--input { 63 | background-color: $form-background-color; 64 | } -------------------------------------------------------------------------------- /_sass/minimal-mistakes/vendor/breakpoint/_settings.scss: -------------------------------------------------------------------------------- 1 | ////////////////////////////// 2 | // Has Setting 3 | ////////////////////////////// 4 | @function breakpoint-has($setting) { 5 | @if map-has-key($breakpoint, $setting) { 6 | @return true; 7 | } 8 | @else { 9 | @return false; 10 | } 11 | } 12 | 13 | ////////////////////////////// 14 | // Get Settings 15 | ////////////////////////////// 16 | @function breakpoint-get($setting) { 17 | @if breakpoint-has($setting) { 18 | @return map-get($breakpoint, $setting); 19 | } 20 | @else { 21 | @return map-get($Breakpoint-Settings, $setting); 22 | } 23 | } 24 | 25 | ////////////////////////////// 26 | // Set Settings 27 | ////////////////////////////// 28 | @function breakpoint-set($setting, $value) { 29 | @if (str-index($setting, '-') or str-index($setting, '_')) and str-index($setting, ' ') == null { 30 | @warn "Words in Breakpoint settings should be separated by spaces, not dashes or underscores. Please replace dashes and underscores between words with spaces. 
Settings will not work as expected until changed."; 31 | } 32 | $breakpoint: map-merge($breakpoint, ($setting: $value)) !global; 33 | @return true; 34 | } 35 | 36 | @mixin breakpoint-change($setting, $value) { 37 | $breakpoint-change: breakpoint-set($setting, $value); 38 | } 39 | 40 | @mixin breakpoint-set($setting, $value) { 41 | @include breakpoint-change($setting, $value); 42 | } 43 | 44 | @mixin bkpt-change($setting, $value) { 45 | @include breakpoint-change($setting, $value); 46 | } 47 | @mixin bkpt-set($setting, $value) { 48 | @include breakpoint-change($setting, $value); 49 | } 50 | 51 | ////////////////////////////// 52 | // Remove Setting 53 | ////////////////////////////// 54 | @function breakpoint-reset($settings...) { 55 | @if length($settings) == 1 { 56 | $settings: nth($settings, 1); 57 | } 58 | 59 | @each $setting in $settings { 60 | $breakpoint: map-remove($breakpoint, $setting) !global; 61 | } 62 | @return true; 63 | } 64 | 65 | @mixin breakpoint-reset($settings...) { 66 | $breakpoint-reset: breakpoint-reset($settings); 67 | } 68 | 69 | @mixin bkpt-reset($settings...) { 70 | $breakpoint-reset: breakpoint-reset($settings); 71 | } -------------------------------------------------------------------------------- /Rakefile: -------------------------------------------------------------------------------- 1 | require "bundler/gem_tasks" 2 | require "jekyll" 3 | require "listen" 4 | 5 | def listen_ignore_paths(base, options) 6 | [ 7 | /_config\.ya?ml/, 8 | /_site/, 9 | /\.jekyll-metadata/ 10 | ] 11 | end 12 | 13 | def listen_handler(base, options) 14 | site = Jekyll::Site.new(options) 15 | Jekyll::Command.process_site(site) 16 | proc do |modified, added, removed| 17 | t = Time.now 18 | c = modified + added + removed 19 | n = c.length 20 | relative_paths = c.map{ |p| Pathname.new(p).relative_path_from(base).to_s } 21 | print Jekyll.logger.message("Regenerating:", "#{relative_paths.join(", ")} changed... 
") 22 | begin 23 | Jekyll::Command.process_site(site) 24 | puts "regenerated in #{Time.now - t} seconds." 25 | rescue => e 26 | puts "error:" 27 | Jekyll.logger.warn "Error:", e.message 28 | Jekyll.logger.warn "Error:", "Run jekyll build --trace for more information." 29 | end 30 | end 31 | end 32 | 33 | task :preview do 34 | base = Pathname.new('.').expand_path 35 | options = { 36 | "source" => base.join('test').to_s, 37 | "destination" => base.join('test/_site').to_s, 38 | "force_polling" => false, 39 | "serving" => true, 40 | "theme" => "minimal-mistakes-jekyll" 41 | } 42 | 43 | options = Jekyll.configuration(options) 44 | 45 | ENV["LISTEN_GEM_DEBUGGING"] = "1" 46 | listener = Listen.to( 47 | base.join("_data"), 48 | base.join("_includes"), 49 | base.join("_layouts"), 50 | base.join("_sass"), 51 | base.join("assets"), 52 | options["source"], 53 | :ignore => listen_ignore_paths(base, options), 54 | :force_polling => options['force_polling'], 55 | &(listen_handler(base, options)) 56 | ) 57 | 58 | begin 59 | listener.start 60 | Jekyll.logger.info "Auto-regeneration:", "enabled for '#{options["source"]}'" 61 | 62 | unless options['serving'] 63 | trap("INT") do 64 | listener.stop 65 | puts " Halting auto-regeneration." 66 | exit 0 67 | end 68 | 69 | loop { sleep 1000 } 70 | end 71 | rescue ThreadError 72 | # You pressed Ctrl-C, oh my! 73 | end 74 | 75 | Jekyll::Commands::Serve.process(options) 76 | end 77 | --------------------------------------------------------------------------------