The Web, Web Applications & Browsers
Table of Contents
- General
- Purposely Vulnerable Web Apps -> See 'Building a Lab' page.
- Standards
- Content Security Policy (CSP)
- Cross-Origin Resource Sharing (CORS)
- Cookies
- Document Object Model(DOM)
- FIDO2
- HTML
- Hyper Text Transport Protocol (HTTP)
- OAUTH
- Robots.txt
- Same-Origin-Policy
- Security Assertion Markup Language (SAML)
- Service Workers
- SubResource Integrity
- Secure Sockets Layer/Transport Layer Security
- Streams
- Uniform Resource Identifier/Locator(URIs/URLs)
- WebAuthentication
- WebBluetooth
- Web Hooks
- WebNFC
- WebRTC
- WebSockets
- WebUSB
- Tactics & Techniques
- Miscellaneous
- Application Specific/Vendor Specific
- To Do
- Identity Providers/SSO Stuff
- Web Assembly
- Web Frameworks
- webrtc
- XML
General
- 101
- Things to Know
- OWASP ASVS
- OWASP Top Ten Project
- The OWASP Top 10 is a powerful awareness document for web application security. It represents a broad consensus about the most critical security risks to web applications. Project members include a variety of security experts from around the world who have shared their expertise to produce this list.
- The Website Obesity Crisis
- XSS, CSRF, CSP, JWT, WTF? IDK ¯\_(ツ)_/¯ - Dominik Kundel(JSConf Iceland 2018)
- Robert'); DROP TABLE Students;-- The little Bobby Tables is embodying the classical fear of SQL injections when building web applications. However, SQL injections are just one aspect of things we need to worry about when building web applications. With the recent popularity of Angular, React and other Single Page Application frameworks we got more logic executing on the front-end, which creates new problems and makes you forget about others. In this talk you will learn about XSS, CSRF, CORS, JWT, HTTPS, SPAs, REST APIs and other weird abbreviations, and how to protect yourself and your users from the new generation of Bobby Tables.
- Articles
- Things to Know
- Browsers
- Browser-2020
- Things you can do with a browser in 2020
- It's like, did no one read 'The Tangled Web: A Guide to Securing Modern Web Applications'? Or did they, and their take away was, 'Man, what a bunch of great ideas! Blinking text with no user control? Woah. I'm so on this.'.
- My point is that it is 2020, and there is no equivalent to NoScript or UBlock Origin in any major browser. Despite this, I can have picture in picture video chats, while also connecting Bluetooth and USB devices to the browser and having each tab color coded, along with the browser knowing the power level of my device, all according to standards.
- It's 2020, still no equivalent of NoScript or UBlock Origin available by default in any of the major browsers.
- Yet, I can share files with others, using a contextual menu depending on installed applications, or I can give my browser access to my insecure USB and Bluetooth devices, while it makes sure my battery isn't dead from the power consumption while the containing tabs for each webapp are properly color coded. 🤔
- Google released a paper the day after I made this comment. I stand by my comment.
- Oh, the Places You’ll Go! Finding Our Way Back from the Web Platform’s Ill-conceived Jaunts - Artur Janc, Mike West(2020)
- In this paper, we start from a scattered list of concrete grievances about the web platform based on informal discussions among browser- and web security engineers. After reviewing the details of these issues, we work towards a model of the root causes of the problems, categorizing them based on the type of risk they introduce to the platform. We then identify possible solutions for each class of issues, dividing them by the most effective approach to address it. In the end, we arrive at a general blueprint for backing out of these dead ends. We propose a three-pronged approach which includes changing web browser defaults, creating a slew of features for web authors to opt out of dangerous behaviors, and adding new security primitives. We then show how this approach can be practically applied to address each of the individual problems, providing a conceptual framework for solving unsafe legacy web platform behaviors.
- How Browsers Work: Behind the scenes of modern web browsers - Tali Garsiel, Paul Irish(2011)
- Session Management
- Cheat Sheets
- See 'Cheats.md' for cheatsheets
- Tools
Standards
Content Security Policy (CSP)
- 101
- Articles/Papers/Talks/Writeups
- GitHub's post-CSP journey - githubengineering
- Github's CSP Journey - githubengineering
- CVE-2018-5175: Universal CSP strict-dynamic bypass in Firefox - Masato Kinugawa
- Content Security Policy Level 3 - w3c Feb2019
- CSP and SVG - c0nrad
- "The tl;dr is make sure object-src is ‘none’ if you’re not using it. Using this “attack” you can reflect SVGs to get execution even in a CSP controlled environment. This is just another recipe to add to your books for bypassing CSP (insecure directives, JSONP, base offset, encoding)."
- Content Security Policy (CSP) Bypasses - ghostlulz
- How To Bypass CSP By Hiding JavaScript In A PNG Image - @Menin_theMiddle
- "TL;DR - Using HTML Canvas you can hide any JavaScript code (or an entire library) into a PNG image by converting each source code character into a pixel. The image can then be uploaded onto a trusted website like Twitter or Google (usually whitelisted by CSP) and then loaded as a remote image in a HTML document. Finally, by using the canvas getImageData method, it's possible to extract the "hidden JavaScript" from the image and execute it. Sometimes this could lead to a Content-Security-Policy bypass making an attacker able to include an entire and external JavaScript library."
- Content-Security-Policy (CSP) Bypass Techniques - Bhavesh Thakur(2020) *
- Tools
- Miscellaneous
Cross-Origin Resource Sharing (CORS)
- 101
- Cross-Origin Resource Sharing (CORS) - Mozilla Dev Docs
- CORS Findings: Another Way to Comprehend - Ryan Leese
- Same Origin Policy - dev.mozilla
- Same Origin Policy - W3C
- Cross-Origin Resource Sharing (CORS) - dev.mozilla
- Cross-Origin Resource Sharing - w3.org
- This document defines a mechanism to enable client-side cross-origin requests. Specifications that enable an API to make cross-origin requests to resources can use the algorithms defined by this specification. If such an API is used on http://example.org resources, a resource on http://hello-world.example can opt in using the mechanism described by this specification (e.g., specifying Access-Control-Allow-Origin: http://example.org as response header), which would allow that resource to be fetched cross-origin from http://example.org.
- Articles/Blogposts/Writeups
- JSON API's Are Automatically Protected Against CSRF, And Google Almost Took It Away.
- Exploiting Misconfigured CORS (Cross Origin Resource Sharing) - Geekboy
- Do You Really Know CORS? - Grzegorz Mirek
- 3 Ways to Exploit Misconfigured Cross-Origin Resource Sharing (CORS) - Pavan Kumar J(2018)
- Three C-Words of Web App Security: Part 1 – CORS - Mic Whitehorn-Gillam(2018)
- Same-Origin Policy: From birth until today - Alex Nikolova(2019)
- "In this blog post I will talk about Cross-Origin Resource Sharing (CORS) between sites on different domains, and how the web browser’s Same Origin Policy is meant to facilitate CORS in a safe way. I will present data on cross-origin behaviour of various versions of four major browsers, dating back to 2004. I will also talk about recent security bugs (CVE-2018-18511, CVE-2019-5814 and CVE-2019-9797) I discovered in the latest versions of Firefox, Chrome and Opera which allows stealing sensitive images via Cross-Site Request Forgery (CSRF)."
- Cross-Origin Resource Sharing (CORS) - Ghostlulz
- Presentations/Talks/Videos
- Exploiting CORS Misconfigurations For Bitcoins And Bounties by James Kettle(AppSecEU 2017)
- Cross-Origin Resource Sharing (CORS) is a mechanism for relaxing the Same Origin Policy to enable communication between websites via browsers. It's already widely understood that certain CORS configurations are dangerous. In this presentation, I'll skim over the old knowledge then coax out and share with you an array of under-appreciated but dangerous subtleties and implications buried in the CORS specification. I'll illustrate each of these with recent attacks on real websites, showing how I could have used them to steal bitcoins from two different exchanges, partially bypass Google's use of HTTPS, and requisition API keys from numerous others. I'll also show how CORS blunders can provide an invaluable link in crafting exploit chains to pivot across protocols, exploit the unexploitable via server and client-side cache poisoning, and even escalate certain open redirects into vulnerabilities that are actually notable.
- Blogpost
- To CORS! The cause of, and solution to, your SPA problems! - Tim Tomes, Kevin Cody
- Cross-Origin Resource Sharing (CORS) is a complex and commonly misunderstood concept that is often implemented wrong for the right reasons. In this talk we will explain the Same-Origin Policy (SOP) and CORS in an easy to understand way. We will then discuss poor implementations of CORS and the resulting issues. We'll continue by releasing research done on a number of development frameworks exposing poorly designed CORS libraries that default to the most dangerous behavior. We'll then demonstrate why all of this matters by conducting a distributed attack against the most common CORS configuration using audience participation and a new tool. Finally, we'll discuss the safest ways to implement CORS. The custom tools used during the talk will be released along with the presentation.
- Of CORS it's Exploitable! What's Possible with Cross-Origin Resource Sharing? - Rebecca Deck(CircleCityCon2019)
- Cross-origin resource sharing (CORS) is extremely common on modern web apps, but scanning tools are terrible at analyzing CORS policy. If testers really understand CORS policy, a damaging exploit is often not far away. Is it possible to force a user to do something significant? Does using a GUID offer any protection? Does the authentication mechanism really protect against cross-origin attacks? Is it really risky to allow all origins? Do pre-flight requests always help? CORS requests get tricky very quickly and scanning tools do not have a good understanding of the intricacies that surface during actual application testing. A quick and dirty JavaScript exploit will put the issue to rest and eliminate hours of theoretical debate. This presentation covers how CORS works and how to find misconfigurations. Dozens of actual applications are distilled into examples demonstrating CORS protections and JavaScript code to bypass them. A basic knowledge of CORS and JavaScript will be helpful to understand the exploit code, but no special background is necessary to grasp the basics of CORS configuration.
- Papers
- Tools
- CORStest
- A simple CORS misconfiguration scanner
- CORS Exploitation Framework(CEF)
- A proof-of-concept tool for conducting distributed exploitation of permissive CORS configurations.
- Corsy
- Corsy is a lightweight program that scans for all known misconfigurations in CORS implementations.
- CorsMe
- A cors misconfiguration scanner tool based on golang with speed and precision in mind!
- Miscellaneous
- Arbitrary Reflected Origin
- ejj.io/misconfigured-Cors https://gist.github.com/ejcx/74c7d7727767ca3aafa6
- Cross-Origin Read Blocking
- Cross-Origin Read Blocking (CORB) - Google
- This document outlines Cross-Origin Read Blocking (CORB), an algorithm by which dubious cross-origin resource loads may be identified and blocked by web browsers before they reach the web page. CORB reduces the risk of leaking sensitive data by keeping it further from cross-origin web pages. In most browsers, it keeps such data out of untrusted script execution contexts. In browsers with Site Isolation, it can keep such data out of untrusted renderer processes entirely, helping even against side channel attacks.
Cookies
- 101
- Articles/Blogposts/Writeups
- Talks/Presentations/Videos
- Baking Your Anomalous Cookies - Jim Allee(NolaCon2019)
- I hacked Fortnite! Actually it was a vulnerable cookie found on several domains owned by Epic Games that allowed me to hijack traffic of users of their websites, steal session tokens and of course, BeEF hook em'. I will describe my journey from creating a custom cookie fuzzing tool (Anomalous Cookie) to help identify vulnerable cookies, to creating a framework for 'Cookie Baking'. Cookie Baking is the technique of creating or modifying a cookie in a users' local Cookie Jar (this includes stuffing with malicious payloads, affiliate tags, fuzz-strings and more). I will also provide insight into the Bug Bounty process, how Google responded to my request for them to protect local cookies at rest, and how I created WHID-Injected Cookies! ;)
Document Object Model(DOM)
- 101
- Articles/Blogposts/Presentations/Talks/Writeups
- Talks & Presentations
- Securing the DOM from the Bottom Up - Mike Samuel(BSides Cleveland2019)
- 18 years have passed since Cross-Site Scripting (XSS) became the single most common security problem in web applications. Since then, numerous efforts have been proposed to detect, fix or mitigate it, but these piecemeal efforts have not combined to make it easy to produce XSS-free code. This talk explains how Google's security team has achieved a high-level of safety against XSS and related problems by integrating tools to make it easier for developers to produce secure software than vulnerable, and to bound the portion of a codebase that could contribute to a vulnerability. We will show how this works in practice and end with advice on how to achieve the same results on widely-used, open-source stacks and new browser mechanisms that will make it much easier to achieve high-levels of security with good developer experience.
Hyper Text Markup Language (HTML)
- 101
- Articles/Blogposts/Presentations/Talks/Writeups
Fetch
- Fetch Living Standard — 2019/7/16 - whatwg
- The Fetch standard defines requests, responses, and the process that binds them: fetching.
Hyper Text Transport Protocol (HTTP)
- 101
- RFC 2068: Hypertext Transfer Protocol -- HTTP/1.1
- RFC 2616: Hypertext Transfer Protocol -- HTTP/1.1
- http-decision-diagram
- An activity diagram to describe the resolution of HTTP response status codes, given various headers, implemented via semantical callbacks.
- Basics of HTTP - MDN WebDocs
- An Overview of HTTP - MDN WebDocs
- Robots.txt
- Caching
- RFC 7234: Hypertext Transfer Protocol (HTTP/1.1): Caching
- The Hypertext Transfer Protocol (HTTP) is a stateless application-level protocol for distributed, collaborative, hypertext information systems. This document defines HTTP caches and the associated header fields that control cache behavior or indicate cacheable response messages.
- HTTP Headers
- 101
- 'Security' Headers
- User-Agents
- 101
- Tools
- Security Analyser User Agents
- We've got 141 Security Analyser User Agents in our database. This is a listing of them.
- HTTP Methods
- HTTP Objects
- HTTP Parameters
- HTTP Pipelining
- 101
- Articles/Blogposts/Writeups
- HTTP Signatures
- HTTP Verbs
- Syntax & Routing
- RFC 7230: Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing
- The Hypertext Transfer Protocol (HTTP) is a stateless application-level protocol for distributed, collaborative, hypertext information systems. This document provides an overview of HTTP architecture and its associated terminology, defines the "http" and "https" Uniform Resource Identifier (URI) schemes, defines the HTTP/1.1 message syntax and parsing requirements, and describes related security concerns for implementations.
- HTTP2
- 101
- Articles/Blogposts/Writeups
- Talks/Presentations/Videos
- HTTP/2 & QUIC - Teaching Good Protocols To Do Bad Things - Catherine (Kate) Pierce, Vyrus(PHV-Defcon2016)
- The meteoric rise of SPDY, HTTP/2, and QUIC has gone largely unremarked upon by most of the security field. QUIC is an application-layer UDP-based protocol that multiplexes connections between endpoints at the application level, rather than the kernel level. HTTP/2 (H2) is a successor to SPDY, and multiplexes different HTTP streams within a single connection. More than 10% of the top 1 Million websites are already using some of these technologies, including much of the 10 highest traffic sites. Whether you multiplex out across connections with QUIC, or multiplex into fewer connections with HTTP/2, the world has changed. We have a strong sensation of Déjà vu with this work and our 2014 Black Hat USA MPTCP research. We find ourselves discussing a similar situation in new protocols with technology stacks evolving faster than ever before, and Network Security is largely unaware of the peril already upon it. This talk briefly introduces QUIC and HTTP/2, covers multiplexing attacks beyond MPTCP, discusses how you can use these techniques over QUIC and within HTTP/2, and discusses how to make sense of and defend against H2/QUIC traffic on your network. We will also demonstrate, and release, some tools with these techniques incorporated.
- HTTP Parameter Pollution
- 101
- HTTP Parameter Pollution - Imperva
- HTTP Parameter Pollution (HPP) is a Web attack evasion technique that allows an attacker to craft an HTTP request in order to manipulate or retrieve hidden information. This evasion technique is based on splitting an attack vector between multiple instances of a parameter with the same name. Since none of the relevant HTTP RFCs define the semantics of HTTP parameter manipulation, each web application delivery platform may deal with it differently. In particular, some environments process such requests by concatenating the values taken from all instances of a parameter name within the request. This behavior is abused by the attacker in order to bypass pattern-based security mechanisms.
- Articles/Blogposts/Writeups
- Talks/Presentations/Videos
- 101
- Articles/Blogposts/Presentations/Talks/Writeups
- Tools
MIME Sniffing
- 101
- MIME Sniffing - whatwg.org
- Media Type Sniffing | draft-ietf-websec-mime-sniff-03
- Many web servers supply incorrect Content-Type header fields with their HTTP responses. In order to be compatible with these servers, user agents consider the content of HTTP responses as well as the Content-Type header fields when determining the effective media type of the response. This document describes an algorithm for determining the effective media type of HTTP responses that balances security and compatibility considerations.
- Articles/Blogposts/Presentations/Talks/Writeups
OAUTH
- 101
- OAuth 2.0 Security Best Current Practice draft-ietf-oauth-security-topics-05 - Expires Sept19,2018
- This document describes best current security practices for OAuth 2.0. It updates and extends the OAuth 2.0 Security Threat Model to incorporate practical experiences gathered since OAuth 2.0 was published and cover new threats relevant due to the broader application of OAuth 2.0.
- OAuth 2.0 Dynamic Client Registration Protocol - rfc7591
- This specification defines mechanisms for dynamically registering OAuth 2.0 clients with authorization servers. Registration requests send a set of desired client metadata values to the authorization server. The resulting registration responses return a client identifier to use at the authorization server and the client metadata values registered for the client. The client can then use this registration information to communicate with the authorization server using the OAuth 2.0 protocol. This specification also defines a set of common client metadata fields and values for clients to use during registration.
- The OAuth 2.0 Authorization Framework: JWT Secured Authorization Request - ietf.org
- The authorization request in OAuth 2.0 described in RFC 6749 utilizes query parameter serialization, which means that Authorization Request parameters are encoded in the URI of the request and sent through user agents such as web browsers. While it is easy to implement, it means that (a) the communication through the user agents are not integrity protected and thus the parameters can be tainted, and (b) the source of the communication is not authenticated. Because of these weaknesses, several attacks to the protocol have now been put forward. This document introduces the ability to send request parameters in a JSON Web Token (JWT) instead, which allows the request to be signed with JSON Web Signature (JWS) and encrypted with JSON Web Encryption (JWE) so that the integrity, source authentication and confidentiality property of the Authorization Request is attained. The request can be sent by value or by reference.
- OAuth 2.0 Mutual TLS Client Authentication and Certificate Bound Access Tokens - ietf
- This document describes Transport Layer Security (TLS) mutual authentication using X.509 certificates as a mechanism for OAuth client authentication to the authorization server as well as for certificate bound sender constrained access tokens as a method for a protected resource to ensure that an access token presented to it by a given client was issued to that client by the authorization server.
- RFC 6819: OAuth 2.0 Threat Model and Security Considerations
- OAuth 2.0 Security Best Current Practice draft-ietf-oauth-security-topics-15
- Articles/Blogposts/Writeups
- Dancing with OAuth: Understanding how Authorization Works - Ashish Mathur
- Shining a Light on OAuth Abuse with PwnAuth - Douglas Bienstock
- OAUTH – Everything you wanted to know but not really! - Elaheh Samani, Kevin Watkins
- An Illustrated Guide to OAuth and OpenID Connect - David Neal
- Analysis of Common Federated Identity Protocols: OpenID Connect vs OAuth 2.0 vs SAML 2.0 - hackedu.io
- RFC 8693 OAuth 2.0 Token Exchange
- Introduction to OAuth 2.0 and OpenID Connect - PragmaticWebSecurity
- Mastering OAuth 2.0 and OpenID Connect - PragmaticWebSecurity
- OAuth 2.0 : Explained - Milind Daftari(2019)
- What's new in OAuth 2.1? - Dan Moore(2020)
- Google Oauth2 API Explained - Pumudu Ruhunage(2020)
- Presentations/Talks/Videos
- OAuth2: Beyond The Specs - Daniele Timo Second - BSides Lisbon2018
- What if you roll out OAuth, and realize there are a bunch of small things you didn’t consider? It’s what happened to us at Pipedrive, and although it’s likely not over just yet, we’re running smoothly. It’s a good time to share what we’ve learned and save others some time. While building Pipedrive’s marketplace for third-party apps, we transitioned from API token authentication to OAuth, and it’s been an interesting learning experience. In this talk, I will explain how the protocol works, discuss differences in how OAuth is implemented on different platforms, and explain how we managed the transition from API token to OAuth. I will explain how CSRF attacks work in OAuth, how the state parameter can prevent them, how to manage synchronization between server and clients, and what you can run into when you roll out OAuth for dozens of apps.
- OAuth 2.0 and OpenID Connect (in plain English) - Nate Barbettini(OktaDev)
- Discord Hangout: Practical OAuth Attacks - Scot Berner
- During this Discord Hangout, Scot Berner (@slobtresix0) provides some background on OAuth and how attackers can use it to gain access to an organization. Scot shows how Microsoft uses OAuth with Microsoft 365 along with how it can be used for social engineering and external attacks.
- OAuth: When Things Go Wrong - Aaron Parecki(2019)
- Slides
- Aaron Parecki discusses common security threats when building microservices using OAuth and how to protect yourself. You'll learn about high-profile API security breaches related to OAuth; common implementation patterns for mobile apps, browser-based apps, and web server apps; and the latest best practices around OAuth security being developed by the IETF OAuth working group.
- Attacking
- The most common OAuth 2.0 Hacks - Okhomiak
- Bypassing GitHub's OAuth flow - Teddy Katz
- Practical OAuth Abuse for Offensive Operations – Part 1 - Scot Berner(2020)
- An offensive guide to the Authorization Code grant - Rami McCarthy
- Penetration Tester's Guide to Evaluating OAuth 2.0 — Authorization Code Grants -
- OAuth 2.0 Implementation and Security - Haboob
- The Wonderful World of OAuth: Bug Bounty Edition - A Bug’z Life(2020)
- Tools
Parsers
robots.txt
Same-Origin Policy
- 101
- RFC 6454: The Web Origin Concept
- This document defines the concept of an "origin", which is often used as the scope of authority or privilege by user agents. Typically, user agents isolate content retrieved from different origins to prevent malicious web site operators from interfering with the operation of benign web sites. In addition to outlining the principles that underlie the concept of origin, this document details how to determine the origin of a URI and how to serialize an origin into a string. It also defines an HTTP header field, named "Origin", that indicates which origins are associated with an HTTP request.
- Same-origin policy - Mozilla
- The same-origin policy is a critical security mechanism that restricts how a document or script loaded from one origin can interact with a resource from another origin. It helps isolate potentially malicious documents, reducing possible attack vectors.
- Same-origin policy - Wikipedia
- Same-origin Policy - W3
- Articles/Blogposts/Writeups
Security Assertion Markup Language (SAML)
- 101
- Articles/Blogposts/Writeups
- With Great Power Comes Great Pwnage
- Out of Band XML External Entity Injection via SAML SSO - Sean Melia
- Web-based Single Sign-On and the Dangers of SAML XML Parsing
- Following the white Rabbit Down the SAML Code
- Evilginx - Advanced Phishing with Two-factor Authentication Bypass
- SAML All the Things! A Deep Dive into SAML SSO - Elijah A. Martin-Merrill
- Golden SAML Attack
- Golden SAML: Newly Discovered Attack Technique Forges Authentication to Cloud Apps
- shimit
- In a golden SAML attack, attackers can gain access to an application (any application that supports SAML authentication) with any privileges they desire and be any user on the targeted application. shimit allows the user to create a signed SAMLResponse object, and use it to open a session in the Service Provider. shimit now supports AWS Console as a Service Provider, more are in the works...
- Tools
- Evilginx
- Evilginx is a man-in-the-middle attack framework used for phishing credentials and session cookies of any web service. Its core runs on the Nginx HTTP server, which utilizes proxy_pass and sub_filter to proxy and modify HTTP content, while intercepting traffic between client and server.
- SAMLReQuest Burpsuite Extension
Service Workers
- 101
- Service Worker - w3c
- This specification describes a method that enables applications to take advantage of persistent background processing, including hooks to enable bootstrapping of web applications while offline. The core of this system is an event-driven Web Worker, which responds to events dispatched from documents and other sources. A system for managing installation, versions, and upgrades is provided. The service worker is a generic entry point for event-driven background processing in the Web Platform that is extensible by other specifications.
- Web Worker - Wikipedia
- Web workers vs Service workers vs Worklets - bitsofcode(2018)
- Articles/Blogposts/Writeups
- Service Workers: an Introduction - developers.google
- Service Worker API - MDN(Mozilla)
- Using Service Workers - MDN(Mozilla)
- ServiceWorker is dangerous - @steike(2014)
- Abusing the Service Workers API - Daniel Abeles(2020)
- Stuff I wish I'd known sooner about service workers - Rich Harris
- Service Worker Security FAQ - Chromium.google
- Papers
- Master of Web Puppets: Abusing Web Browsers for Persistent and Stealthy Computation - Panagiotis Papadopoulos, Panagiotis Ilia, Michalis Polychronakis, Evangelos P. Markatos, Sotiris Ioannidis, Giorgos Vasiliadis(2019)
- In this paper, we demonstrate the powerful capabilities that modern browser APIs provide to attackers by presenting MarioNet: a framework that allows a remote malicious entity to control a visitor’s browser and abuse its resources for unwanted computation or harmful operations, such as cryptocurrency mining, password-cracking, and DDoS. MarioNet relies solely on already available HTML5 APIs, without requiring the installation of any additional software. In contrast to previous browser-based botnets, the persistence and stealthiness characteristics of MarioNet allow the malicious computations to continue in the background of the browser even after the user closes the window or tab of the initially visited malicious website. We present the design, implementation, and evaluation of our prototype system, which is compatible with all major browsers, and discuss potential defense strategies to counter the threat of such persistent in-browser attacks. Our main goal is to raise awareness about this new class of attacks, and inform the design of future browser APIs so that they provide a more secure client-side environment for web applications.
- Tools
- Service Worker Cookbook
- The Service Worker Cookbook is a collection of working, practical examples of using service workers in modern web sites.
Subresource Integrity
- 101
- Subresource Integrity - W3.org
- Subresource Integrity - w3c.github.io
- This specification defines a mechanism by which user agents may verify that a fetched resource has been delivered without unexpected manipulation.
- Articles/Blogposts/Writeups
- Tools
Secure Sockets Layer/Transport Layer Security(SSL/TLS)
- 101
- Articles/Blogposts/Presentations/Talks/Writeups
- Transport Layer Security (TLS) Extensions
- Mixed content - w3c
- This specification describes how a user agent should handle fetching of content over unencrypted or unauthenticated connections in the context of an encrypted and authenticated document.
- Attacks Against
- SSL/TLS Interception Proxies and Transitive Trust
- Secure Sockets Layer (SSL) and its successor, Transport Layer Security (TLS), have become key components of the modern Internet. The privacy, integrity, and authenticity provided by these protocols are critical to allowing sensitive communications to occur. Without these systems, e-commerce, online banking, and business-to-business exchange of information would likely be far less frequent. Threat actors have also recognized the benefits of transport security, and they are increasingly turning to SSL to hide their activities. Advanced Persistent Threat (APT) attackers, botnets, and even commodity web attacks can leverage SSL encryption to evade detection. To counter these tactics, organizations are increasingly deploying security controls that intercept end-to-end encrypted channels. Web proxies, data loss prevention (DLP) systems, specialized threat detection solutions, and network intrusion prevention systems (NIPS) offer functionality to intercept, inspect, and filter encrypted traffic. Similar functionality is present in lawful intercept systems and solutions enabling the broad surveillance of encrypted communications by governments. Broadly classified as "SSL/TLS interception proxies", these solutions act as a "man-in-the-middle", violating the end-to-end security promises of SSL. This type of interception comes at a cost. Intercepting SSL-encrypted connections sacrifices a degree of privacy and integrity for the benefit of content inspection, often at the risk of authenticity and endpoint validation. Implementers and designers of SSL interception proxies should consider these risks and understand how their systems operate in unusual circumstances.
Streams
-
101
-
Streams - Dec12 2019
- This specification provides APIs for creating, composing, and consuming streams of data that map efficiently to low-level I/O primitives.
Uniform Resource Identifier/Locator(URIs/URLs)
-
101
- RFC5785: Defining Well-Known Uniform Resource Identifiers (URIs)
- URL Living Standard - spec.whatwg.org
- Cool URIs don't change - W3C
- https://github.com/IAmStoxe/urlgrab
- Articles/Blogposts/Presentations/Talks/Writeups
-
Data URIs
-
101
-
data URI scheme - Wikipedia
- The data URI scheme is a uniform resource identifier (URI) scheme that provides a way to include data in-line in Web pages as if they were external resources. It is a form of file literal or here document. This technique allows normally separate elements such as images and style sheets to be fetched in a single Hypertext Transfer Protocol (HTTP) request, which may be more efficient than multiple HTTP requests, and used by several browser extensions to package images as well as other multimedia contents in a single HTML file for page saving. As of 2015, data URIs are fully supported by most major browsers, and partially supported in Internet Explorer and Microsoft Edge.
- Data URLs - MDN(Mozilla)
- Data URIs - Chris Coyier
- Articles/Blogposts/Writeups
- Tools
-
101
Web Authentication
- 101
- Articles/Blogposts/Presentations/Talks/Writeups
WebBluetooth
- 101
Web Hooks
- 101
- Articles/Blogposts/Writeups
WebNFC
- 101
WebRTC
-
101
-
WebRTC for the Curious: Go beyond the APIs
- The WebRTC book that explains everything. WebRTC is a real-time communication framework that makes it easy to build real-time interactions for web and mobile devices. You will learn about the WebRTC specification and how all the protocols work in depth, not just a tour of the APIs. The book is completely Open Source and available at https://webrtcforthecurious.com and https://github.com/webrtc-for-the-curious/webrtc-for-the-curious Learn the full details of ICE, SCTP, DTLS, SRTP, and how they work together to make up the WebRTC stack. Hear how WebRTC implementers debug issues with the tools of the trade. Listen to interviews with the authors of foundational WebRTC tech! Hear the motivations and design details that pre-dated WebRTC by 20 years. Explore the cutting edge of what people are building with WebRTC. Learn about interesting use cases and how real-world applications get designed, tested and implemented in production. Written by developers who have written all of this from scratch. We learned it the hard way, now we want to share it with you! This book is vendor agnostic and multiple Open Source projects and companies are involved. We would love to have you involved!
- Articles/Papers/Talks/Writeups
- General
- Tools
- Miscellaneous
WebSockets
- 101
- Articles/Papers/Talks/Writeups
- Talks/Presentations/Videos
-
Tools
- [WSSiP: A WebSocket Manipulation Proxy](https://github.com/nccgroup/wssip)
- Short for "WebSocket/Socket.io Proxy", this tool, written in Node.js, provides a user interface to capture, intercept, send custom messages and view all WebSocket and Socket.IO communications between the client and server.
-
Websocket Fuzzer
- A simple WebSocket fuzzer for application penetration testing; an HTML5 WebSocket message fuzzer.
-
websocket-harness
- This python script can be placed between traditional web penetration testing tools and WebSocket connections, which does translation from HTTP to WebSocket and back. Think of it like a fuzzing harness that is used for native code.
- Miscellaneous
WebUSB
- 101
-
Articles/Blogposts/Presentations/Talks/Writeups
-
WebUSB - How a website could steal data off your phone
- This blog post looks into the capabilities of WebUSB to understand how it works, the new attack surface, and privacy issues. We will describe the processes necessary to get access to devices and how permissions are handled in the browser. Then we will discuss some security implications and show how a website can use WebUSB to establish an ADB connection and effectively compromise a connected Android phone.
Technologies
API Stuff
-
101
- OWASP API Security Project
- WebSocket API Standards
-
API Throwdown: RPC vs REST vs GraphQL - Nate Barbettini(Iterate 2018)
- Choosing an API design style can be downright daunting. The RPC vs. REST debate has raged for years, and now there's a new kid on the block: GraphQL. Which is right for your application? I'll demystify these API styles in clear terms and help you decide how to design your API.
- A brief look at the evolution of interface protocols leading to modern APIs - Luis Augusto Weir(2019)
-
Reference
-
White House Web API Standards
- This document provides guidelines and examples for White House Web APIs, encouraging consistency, maintainability, and best practices across applications. White House APIs aim to balance a truly RESTful API interface with a positive developer experience (DX).
-
OpenAPI
-
The OpenAPI Specification
- The OpenAPI Specification (OAS) defines a standard, programming language-agnostic interface description for REST APIs, which allows both humans and computers to discover and understand the capabilities of a service without requiring access to source code, additional documentation, or inspection of network traffic. When properly defined via OpenAPI, a consumer can understand and interact with the remote service with a minimal amount of implementation logic. Similar to what interface descriptions have done for lower-level programming, the OpenAPI Specification removes guesswork in calling a service.
- What Is OpenAPI?
- Building
-
Securing
- OWASP API Security Project
- OWASP API Security Top 10
-
API Security Checklist
- Checklist of the most important security countermeasures when designing, testing, and releasing your API
-
Code Patterns for API Authorization: Designing for Security - Tanner Prynn(2020)
- "This post describes some of the most common design patterns for authorization checking in web application code. Comparisons are made between the design patterns to help understand when each pattern makes sense as well as the drawbacks of the pattern. For developers and architects, this post helps you to understand what the different code patterns look like and how to choose between them. For security auditors, the most effective approaches to auditing authorization controls are explained based on which pattern the code uses."
-
Talks & Presentations
- BOLA, IDOR, MA, BFLA. Welcome to the OWASP API Top 10! - Adam Fisher(BSidesSLC 2020)
- API hacking for the Actually Pretty Inexperienced hacker with Katie Paxton-Fear(OWASP DevSlop)
-
API Security: Tokens, Flows and the Big Bad Wolf - Ingy Youssef(BSidesColombus(2019))
- OAuth Flows, OpenID Connect, tokens, nonces, gateways & all the fun API stuff. Well, there's always a big bad wolf, and APIs have lots of targets. Digital Transformations are rolling out more and more APIs, yesterday is different than today, the security model is changing, but in what ways? We need to secure APIs and be enablers of change and lock out the big bad wolf.
-
Testing
- General
- Postman
-
Insomnia
-
Insomnia - Kong
- Insomnia is a cross-platform REST client, built on top of Electron.
- Getting Started API Penetration Testing with Insomnia - Mic Whitehorn-Gillam(2020)
-
Fuzzing
-
Fuzzapi
- Fuzzapi is a Rails application which uses API_Fuzzer and provides a UI for the gem.
- Automating API Penetration Testing using fuzzapi - AppSecUSA 2016
-
REST/SOAP
- See REST section below.
-
Tools
- Postman - chrome plugin
- restclient - Firefox addon
-
Astra
- REST API penetration testing is complex due to continuous changes in existing APIs and newly added APIs. Astra can be used by security engineers or developers as an integral part of their process, so they can detect and patch vulnerabilities early in the development cycle. Astra can automatically detect and test login & logout (Authentication API), so it's easy for anyone to integrate this into a CICD pipeline. Astra can take an API collection as input, so it can also be used for testing APIs in standalone mode.
-
API-fuzzer
- An API fuzzer that fuzzes request attributes using common pentesting techniques and lists vulnerabilities
-
Automatic API Attack Tool - Imperva
- "Imperva's customizable API attack tool takes an API specification as an input, and generates and runs attacks that are based on it as an output. The tool is able to parse an API specification and create fuzzing attack scenarios based on what is defined in the API specification. Each endpoint is injected with cleverly generated values within the boundaries defined by the specification, and outside of it, the appropriate requests are sent and their success or failure are reported in a detailed manner. You may also extend it to run various security attack vectors, such as illegal resource access, XSS, SQLi and RFI, that are targeted at the existing endpoints, or even at non-existing ones. No human intervention is needed. Simply run the tool and get the results."
Web Browsers
- 101
- Articles/Blogposts
-
Browsers
-
Google Chrome
- Articles/Blogposts
- Source Code
- Building it
- Bug Tracker
-
Tools
-
autochrome
- This tool downloads, installs, and configures a shiny new copy of Chromium.
- Article
-
Microsoft Internet Explorer
- Source Code
- Stuff
-
IEInternals - docs.ms
- A look at Internet Explorer from the inside out.
-
Mozilla Firefox
- Source Code
- Building It
- Bug Tracker
-
Webkit
- Source Code
- Building It
- Bug Tracker
-
Rendering Engines
- Articles/Blogposts
- Blink
- Gecko
- KHTML
- Servo
- Webkit
Browser Security
- 101
- Articles/Blogposts/Writeups
-
Papers
-
Self-Exfiltration: The Dangers of Browser-Enforced Information Flow Control
- Abstract: Since the early days of Netscape, browser vendors and web security researchers have restricted out-going data based on its destination. The security argument accompanying these mechanisms is that they prevent sensitive user data from being sent to the attacker’s domain. However, in this paper, we show that regulating web information flow based on its destination server is an inherently flawed security practice. It is vulnerable to self-exfiltration attacks, where an adversary stashes stolen information in the database of a whitelisted site, then later independently connects to the whitelisted site to retrieve the information. We describe eight existing browser security mechanisms that are vulnerable to these “self-exfiltration” attacks. Furthermore, we discovered at least one exfiltration channel for each of the Alexa top 100 websites. None of the existing information flow control mechanisms we surveyed are sufficient to protect data from being leaked to the attacker. Our goal is to prevent browser vendors and researchers from falling into this trap by designing more systems that are vulnerable to self-exfiltration.
- How do we Stop Spilling the Beans Across Origins? - A primer on web attacks via cross-origin information leaks and speculative execution - aaj@google.com, mkwst@google.com
-
Presentations/Talks/Videos
-
Browser as Botnet - Brannon Dorsey - Radical Networks 2017
- When surfing the web, browsers download and execute arbitrary JavaScript code they receive from websites they visit. What if high-traffic websites served obfuscated code that secretly borrowed clock cycles from their client’s web browser as a means of distributed computing? In this talk I present research on the topic of using web browsers as zero-configuration, trojan-less botnets. The presentation includes a brief history of botnets, followed by an overview of techniques to build and deploy command-and-control botnet clients that run in-browser.
- Tools
-
Chrome Specific
-
Chromium Sandbox
- Sandbox leverages the OS-provided security to allow code execution that cannot make persistent changes to the computer or access information that is confidential. The architecture and exact assurances that the sandbox provides are dependent on the operating system. This document covers the Windows implementation as well as the general design.
- Chromium Cross-Origin Read Blocking (CORB)
- Chromium Sidechannel Threat Model: Post-Spectre Threat Model Re-Think(2018)
-
Security analysis of <portal> element - Michal Bentkowski
- Firefox Specific
- Safari Specific
-
Browser Extensions
-
Articles/Blogposts/Writeups
- Attacking Browser Extensions
- Botnet in the Browser: Understanding Threats Caused by Malicious Browser Extensions
- An in-depth look into Malicious Browser Extensions(2014)
- Game of Chromes: Owning the Web with Zombie Chrome Extensions - DEF CON 25 - Tomer Cohen
- Chrome-botnet
- Malware in the browser: how you might get hacked by a Chrome extension(2016) - Maxime Kjaer
- I Sold a Chrome Extension but it was a bad decision - Amit Agarwal
- Detecting Installed Extensions (Edge)(2017) - brokenbrowser.com
- Finding Browser Extensions To Hunt Evil!(2016) - Brad Antoniewicz
- Sparse Bruteforce Addon Detection(2011) - James Kettle
- Intro to Chrome addons hacking: fingerprinting(2012) - kotowicz
- No Place Like Chrome - xorrior
- Democratizing Chrome Extension Security - Duo Security(2018)
- Kicking the Rims – A Guide for Securely Writing and Auditing Chrome Extensions - Matthew Bryant(2018)
-
Talks & Presentations
-
Offensive Browser Extension Development - Michael Weber(Derbycon7)
- For the past few years, malware authors have abused the extension development functionality of Chrome and Firefox. More often than not, these extensions are abused for standard crimeware activities, such as ad click fraud, cryptocurrency mining, or stealing banking credentials. But this is only scratching the surface of what is possible if the appropriate browser APIs are abused. Extensions can act as a foothold into a target's internal network, provided a single user can be convinced to click two buttons. As a post-exploitation mechanism, extensions can be side-loaded with the ability to read and write files to disk. These actions will all be performed from the browser process(es) and likely go undetected by conventional endpoint protection solutions. This talk will discuss the creation, deployment, and usage of malicious browser extensions so that other red teamers can add this attack vector to their toolkit.
- Chrome Specific
- Firefox Specific
-
Papers
-
Malicious Browser Extensions at Scale: Bridging the Observability Gap between Web Site and Browser - Louis F. DeKoven, Stefan Savage, Geoffrey M. Voelker, Nektarios Leontiadis
- We present a methodology whereby users exhibiting suspicious online behaviors are scanned (with permission) to identify the set of extensions in their browser, and those extensions are in turn labelled based on the threat indicators they contain. We have employed this methodology at Facebook for six weeks, identifying more than 1700 lexically distinct malicious extensions. We use this labelling to drive user device clean-up efforts as well as to report to antimalware and browser vendors.
- Paper
-
Tools
-
extension_finder
- Python and PowerShell utilities for finding installed browser extensions, plug-ins and add-ons
-
CSS Keylogger
- Chrome extension and Express server that exploits keylogging abilities of CSS.
-
tarnish
- tarnish is a static-analysis tool to aid researchers in security reviews of Chrome extensions.
-
CRXcavator
- CRXcavator automatically scans the entire Chrome Web Store every 3 hours and produces a quantified risk score for each Chrome Extension based on several factors. These factors include permissions, inclusion of vulnerable third party javascript libraries, weak content security policies, missing details from the Chrome Web Store description, and more. Organizations can use this tool to assess the Chrome Extensions they have installed and to move towards implementing explicit allow (whitelisting) for their organization.
-
Articles/Blogposts/Writeups
-
Exploiting
-
Smashing The Browser: From Vulnerability Discovery To Exploit
- Goes from introducing a fuzzer to producing an IE11 0day
- The Birth of a Complete IE11 Exploit Under the New Exploit Mitigations
- BeEF Browser Exploitation Framework
-
BeEF
- Amid growing concerns about web-borne attacks against clients, including mobile clients, BeEF allows the professional penetration tester to assess the actual security posture of a target environment by using client-side attack vectors. Unlike other security frameworks, BeEF looks past the hardened network perimeter and client system, and examines exploitability within the context of the one open door: the web browser. BeEF will hook one or more web browsers and use them as beachheads for launching directed command modules and further attacks against the system from within the browser context.
-
Browsers Gone Wild - Angelo Prado & Xiaoran Wang - BHAsia2015
- In this talk, we will demonstrate and unveil the latest developments on browser specific weaknesses including creative new mechanisms to compromise confidentiality, successfully perform login and history detection, serve mixed content, deliver malicious ghost binaries without a C&C server, exploit cache/timing side channels to extract secrets from third-party domains, and leverage new HTML5 features to carry out more stealthy attacks. This is a practical presentation with live demos that will challenge your knowledge of the Same Origin Policy and push the limits of what is possible with today's web clients.
HTTPS Certificates & Certificate Transparency
- 101
- Certificate Revocation
- Certificate Pinning
- Certificate Transparency
- HTTP Strict Transport Security
-
Tools
-
CTFR
- Do you miss the AXFR technique? This tool gets the subdomains of an HTTPS website in a few seconds. How does it work? CTFR uses neither dictionary attacks nor brute force; it just abuses Certificate Transparency logs.
-
Certificate Transparency Subdomains
- An hourly updated list of subdomains gathered from certificate transparency logs.
-
Cert Spotter
- Cert Spotter is a Certificate Transparency log monitor from SSLMate that alerts you when an SSL/TLS certificate is issued for one of your domains. Cert Spotter is easier than other open source CT monitors, since it does not require a database. It's also more robust, since it uses a special certificate parser that ensures it won't miss certificates.
-
- Scan subdomains from certificate transparency logs
-
- An OSINT tool that discovers sub-domains by searching Certificate Transparency logs
- https://emilymstark.com/2020/07/20/certificate-transparency-a-birds-eye-view.html
- https://securityboulevard.com/2020/07/everything-you-need-to-know-about-ocsp-ocsp-stapling-ocsp-must-staple/
-
Agnostic
-
WhatWeb
- WhatWeb identifies websites. Its goal is to answer the question, "What is that Website?". WhatWeb recognises web technologies including content management systems (CMS), blogging platforms, statistic/analytics packages, JavaScript libraries, web servers, and embedded devices. WhatWeb has over 1500 plugins, each to recognise something different. WhatWeb also identifies version numbers, email addresses, account IDs, web framework modules, SQL errors, and more.
-
w3af
- w3af: web application attack and audit framework, the open source web vulnerability scanner.
-
Drupal
- 101
- Articles/Blogposts/Writeups
- Papers
-
Tools
-
Drupal Attack Scripts
- Set of brute force scripts and Checklist
-
Droopescan
- A plugin-based scanner that aids security researchers in identifying issues with several CMSs, mainly Drupal & Silverstripe.
-
Joomla
- Highly Effective Joomla Backdoor with Small Profile
-
JoomScan
- Joomla! is probably the most widely-used CMS out there due to its flexibility, user-friendliness and extensibility, to name a few. So, watching its vulnerabilities and adding such vulnerabilities as KB to the Joomla scanner is an ongoing activity. It will help web developers and web masters to identify possible security weaknesses on their deployed Joomla! sites. No other web security scanner is dedicated to only one CMS.
-
JScanner
- Analyze target Joomla! installation using several different techniques.
-
JoomlaVS
- JoomlaVS is a Ruby application that can help automate assessing how vulnerable a Joomla installation is to exploitation. It supports basic finger printing and can scan for vulnerabilities in components, modules and templates as well as vulnerabilities that exist within Joomla itself.
-
Sharepoint
-
Sparty - Sharepoint/Frontpage Auditing Tool
- Sparty is an open source tool written in Python to audit web applications using SharePoint and FrontPage architecture. The motivation behind this tool is to provide an easy and robust way to scrutinize the security configurations of SharePoint and FrontPage based web applications. Due to the complex nature of this web administration software, a simple and efficient tool is required that gathers information, checks access permissions, dumps critical information from default files and performs automated exploitation if security risks are identified. A number of automated scanners fall short of this, and Sparty is a solution to that.
- Wordpress
Continuous Integration/Delivery/Build Systems
- Hacking Jenkins Servers With No Password
- Hacking Jenkins - Ideas - Zeroknock
-
pwn_jenkins
- Notes about attacking Jenkins servers
- Hacking Jenkins Part 1 - Play with Dynamic Routing - Orange
ColdFusion
Electron
- 101
-
Articles/Blogposts/Writeups
- From Markdown to RCE in Atom
- As It Stands - Electron Security - 2016
- As It Stands - Update on Electron Security - 2016
- Modern Alchemy: Turning XSS into RCE
- Build cross platform desktop XSS, it’s easier than you think by Yosuke Hasegawa - CodeBlue16
- Modern Alchemy: Turning XSS into RCE - doyensec
- From Markdown to RCE in Atom - statuscode.ch
- Instrumenting Electron Apps for Security Testing - Paolo Stagno
- Signature Validation Bypass Leading to RCE In Electron-Updater - Lorenzo Stella(2020)
- The App Sandbox - Charlie Hess(Slack2020)
- Discord Desktop app RCE - Masato Kinugawa(2020)
- Documentation
- Papers
-
Talks & Presentations
- MarkDoom: How I Hacked Every Major IDE in 2 Weeks - Matt Austin, LevelUp 2017
- Electron - Build cross platform desktop XSS, it’s easier than you think by Yosuke Hasegawa - [CB16]
- Electronegativity - A Study of Electron Security - Carettoni
- Electron Security Checklist - A guide for developers and auditors - Luca Carettoni
- Published Exploits
-
Tools
-
electron-run-shell-example
- An HTML5 stand-alone app using GitHub Electron (Chrome engine + Node.js) -- this is a GUI wrapper example that runs a bash shell command and processes its output.
-
Electronegativity
- Electronegativity is a tool to identify misconfigurations and security anti-patterns in Electron-based applications.
Flash/SWF
-
Articles/Blogposts/Writeups
- [Testing for Cross-Site-Flashing - OWASP](https://www.owasp.org/index.php/Testing_for_Cross_site_flashing_(OTG-CLIENT-008))
- Security Domains, Application Domains, and More in ActionScript 3.0
-
The old is new, again. CVE-2011-2461 is back!
- As a part of an ongoing investigation on Adobe Flash SOP bypass techniques, we identified a vulnerability affecting old releases of the Adobe Flex SDK compiler. Further investigation traced the issue back to a well known vulnerability (CVE-2011-2461), already patched by Adobe. Old vulnerability, let's move on? Not this time. CVE-2011-2461 is a very interesting bug. As long as the SWF file was compiled with a vulnerable Flex SDK, attackers can still use this vulnerability against the latest web browsers and Flash plugin. Even with the most recent updates, vulnerable Flex applications hosted on your domain can be exploited. In this presentation, we will disclose the details of this vulnerability (Adobe has never released all technicalities) and we will discuss how we conducted a large scale analysis on popular websites, resulting in the identification of numerous Alexa Top 50 sites vulnerable to this bug. Finally, we will also release a custom tool and a Burp plugin capable of detecting vulnerable SWF applications.
- Advanced Flash Vulnerabilities in Youtube Writeups Series
- Decode Adobe Flex AMF protocol
- Finding XSS vulnerabilities in flash files.
- XSS and CSRF via SWF Applets (SWFUpload, Plupload)
- WordPress Flash XSS in flashmediaelement.swf - cure53
- Security Domains, Application Domains, and More in ActionScript 3.0 - senocular
- Testing for Cross site flashing (OTG-CLIENT-008) - OWASP
- XSS and CSRF via SWF Applets (SWFUpload, Plupload) - Neal Poole
- Getting started with AMF Flash Application Penetration Testing ! - nerdint
-
Securing
-
HardenFlash
- Patching Flash binary to stop Flash exploits and zero-days
- Tools
GhostScript
GraphQL
- 101
-
Articles/Blogposts/Writeups
- GraphQL Batching Attack
- The 5 Most Common GraphQL Security Vulnerabilities - Aidan Noll(2020)
- Practical GraphQL attack vectors - jondow.eu
- GraphQL path enumeration for better permission testing - deesee.xyz(2020)
- A Hacker’s Guide to the Shopify GraphQL API 🚀
- Introducing the Apollo GraphQL data stack - ApolloGraphQL
- The GraphQL stack: How everything fits together - Sashko Stubailo
- Securing GraphQL. Part 1 - wallarm
- GraphQL vs REST API model, common security test cases for GraphQL endpoints - just_a_noob(2019)
- A Facebook GraphQL crash course - PHWD
-
Talks/Presentations/Videos
-
An Attackers View of Serverless and GraphQL Apps - Abhay Bhargav(AppSecCali2019)
- This talk presents a red-team perspective of the various ways in which testers can discover and exploit serverless and/or GraphQL driven applications to compromise sensitive information, and gain a deeper foothold into database services, IAM services and other cloud components. The talk will have some demos that will demonstrate practical attacks and attack possibilities against Serverless and GraphQL applications.
-
REST in Peace: Abusing GraphQL to Attack Underlying Infrastructure - Matthew Szymanski(Derbycon2019)
- BugCrowd LevelUp0x5 Version of the talk
- GraphQL is a query language for APIs set to replace RESTful architecture. The use of this technology has achieved rapid adoption and is now leveraged by companies such as GitHub, Credit Karma, and PayPal. Companies such as Hacker One and New Relic have suffered from critical vulnerabilities hidden within GraphQL endpoints. In this talk we will learn enough about GraphQL to be dangerous. Demonstrate how to use the technology's intricacies against itself while taking advantage of implementation errors and misconfigurations. Examine GraphQL specific attacks as well as tried and true techniques adapted to fit into the GraphQL context. Then walk through how to carry out these attacks efficiently and effectively, introducing a tool to help automate and streamline the process.
-
Tools
- graphql-api-monitor
-
InQL Scanner
- A security testing tool to facilitate GraphQL technology security auditing efforts. InQL can be used as a stand-alone script or as a Burp Suite extension.
-
GraphQL - Demo Vulnerable API
- A simple GraphQL API demonstrating several common vulnerabilities.
Imagemagick
JavaScript
- General
- Training
- 101
- Articles/Blogposts/Writeups
-
Talks/Presentations/Videos
- [An Infosec Timeline: Noteworthy Events From 1970 To 2050 - Mario Heiderich(OWASP AppSec AMS)](https://www.youtube.com/watch?v=u3x_0955_TU&feature=youtu.be)
-
Free Tools! How to Use Developer Tools and Javascript in Webapp Pentests - BHIS(2020)
- I like webapps, don't you? Webapps have got to be the best way to learn about security. Why? Because they're self-contained and so very transparent. You don't need a big ol' lab before you can play with them. You can run them in a single tiny VM or even tiny-er Docker image on your laptop. And so long as you're attacking your own stuff, it's easy to stay out of trouble. You're up and running in the time it takes for a single download. And the transparent part? Ever since "view source" in the earliest web browsers, it's been easy to see exactly what's going on in a webapp and in the browser. Every webapp you ever use has no choice but to give you the (client-side) source code! It's almost like there's no such thing as a "black box" webapp pentest, if you think about it... Anyhow - the Developer Tools in Firefox (and Chrome) are what happens when you take "view source" and add 25 years or so of creativity and power. We'll look at the Developer Tools in the latest Firefox with a pentester's eye. Inspect and change the DOM (Document Object Model), take screenshots, find and extract key bits of data, use the console to run Javascript in the site's origin context and even pause script execution in the debugger if things go too fast... Maybe we'll convince you that you can realistically do a big chunk of a webapp pentest without ever leaving the browser.
- JS Polyglots
- Source Maps
-
Reverse-Engineering
- Advanced JS Deobfuscation Via AST and Partial Evaluation (Google Talk WrapUp) - Stefano Di Paola(2015)
- JavaScript AntiDebugging Tricks - x-c3ll(2020)
- Reverse engineering obfuscated JavaScript - PopUnder Chrome 59 - LiveOverflow
- Reverse engineering PopUnder trick for Chrome 60 - LiveOverflow
- Custom Chromium Build to Reverse Engineer Pop-Under Trick - LiveOverflow
- [Live] Reverse Engineering new PopUnder for Chrome 63 on Windows - LiveOverflow
-
Javascript Anti Debugging — Some Next Level Sh*t (Part 1 — Abusing SourceMappingURL) - Gal Weizman(2019)
- JavaScript tampering – detection and stealth - adtechmadness(2019)
-
Tools
-
JSFuck
- JSFuck is an esoteric and educational programming style based on the atomic parts of JavaScript. It uses only six different characters to write and execute code.
-
JSDetox
- JSDetox is a tool to support the manual analysis of malicious Javascript code.
- Dom Flow - Untangling The DOM For More Easy-Juicy Bugs - BH USA 2015
- Javascript Deobfuscator - kahusecurity
- Revelo - kahusecurity
-
pwn.js
- A Javascript library for browser exploitation
-
Retire.js
- There is a plethora of JavaScript libraries for use on the web and in node.js apps out there. This greatly simplifies development, but we need to stay updated on security fixes. "Using Components with Known Vulnerabilities" is now a part of the OWASP Top 10 and insecure libraries can pose a huge risk for your webapp. The goal of Retire.js is to help you detect use of versions with known vulnerabilities.
Java Server Faces (JSF)
- 101
- Articles/Blogposts/Presentations/Talks/Writeups
Java Server Pages (JSP)
- 101
- Articles/Blogposts/Presentations/Talks/Writeups
JSON Web Tokens
-
101
- JSON Web Token - Wikipedia
- RFC 7519: JSON Web Token (JWT)
-
RFC 8725: JSON Web Token Best Current Practices
- JSON Web Tokens, also known as JWTs, are URL-safe JSON-based security tokens that contain a set of claims that can be signed and/or encrypted. JWTs are being widely used and deployed as a simple security token format in numerous protocols and applications, both in the area of digital identity and in other application areas. This Best Current Practices document updates RFC 7519 to provide actionable guidance leading to secure implementation and deployment of JWTs.
- The Anatomy of a JSON Web Token
- Introduction to JSON Web Tokens
- JSON Web Token Flowchart
- JSON Web Token Security Cheat Sheet
- Learn JSON Web Token(JWT) in 10 Minutes - tutorialdocs.com
-
Informational
-
Articles/Blogposts/Writeups
- JWT Handbook - Auth0
- Reference Tokens and Introspection - leastprivilege.com(2015)
- Stop using JWT for sessions - joepie91(2016)
- Stop using JWT for sessions, part 2: Why your solution doesn't work - joepie91(2016)
- JSON Web Token Best Current Practices - draft-ietf-oauth-jwt-bcp-07
- JWTs: Which Signing Algorithm Should I Use? - Scott Brady(2020)
- The Hard Parts of JWT Security Nobody Talks About - Philippe De Ryck(2019)
- Building a Secure Signed JWT - Dan Noore(2020)
-
Presentations/Talks/Videos
- Jwt==insecurity? - Ruxcon2018
-
JSON Web Tokens Suck - Randall Degges (DevNet Create 2018)
- JSON Web Tokens (JWTs) are all the rage in the security world. They're becoming more and more ubiquitous in web authentication libraries, and are commonly used to store a user's identity information. In this talk, you'll learn why JWTs suck, and why you should never use them.
- Attacking and Securing JWT - @airman604(OWASP Vancouver)
-
JWTs in a Flash! - Evan Johnson(Defcon24)
- The new(ish) JOSE standard is growing rapidly in popularity. Many people are excited to adopt the new standard and use it to build interesting and new things with JWT! Let's get everyone up to speed on JWT's, talk about the do's and don't regarding JWTs, review some JWT uses, and use JWT's effectively.
-
Are You Properly Using JWTs? - Dmitry Sotnikov(AppSec California2020)
- JSON Web tokens (JWTs) are used massively in API-based applications as access tokens or to transport information across services. Unfortunately, JWTs are often misused and incorrectly handled. Massive data breaches have occurred in the last 18 months due to token leakage and lack of proper validation. This session focuses on best practices and real world examples of JWT usage, where we cover: typical scenarios where using JWT is a good idea; typical scenarios where using JWT is a bad idea; principles of Zero Trust architecture and why you should always validate; best practices to thoroughly validate JWTs and potential vulnerabilities if you don't; use cases when encryption may be required for JWT.
-
JWT Parkour - Louis Nyffenegger(AppSec California2020)
- Nowadays, JSON Web Tokens are everywhere. They are used as session tokens or just to pass data between applications or µservices. By design, JWT contains a high number of security and cryptography pitfalls. In this talk, we are going to learn how to exploit (with demos) some of those issues. After covering the basics (None and Algorithm confusion), we are going to move to kid injection, embedded JWK (CVE-2018-0114). Finally, we will look at jku and x5u attributes and how they can be abused by chaining vulnerabilities.
-
JWT: jku x5u - Louis Nyffenegger(2020)
- Talk on JWT jku and x5u and how to attack them
-
Attacking
-
101
-
JWT Attack Playbook
- This wiki is a project to document the known attacks and potential security vulnerabilities and misconfigurations you may come across when testing JSON Web Tokens, and to provide a repeatable methodology for attacking them.
- JWT Hacking 101 - trustfoundry.net
-
Articles/Blogposts/Writeups
- JWT Tool Attack Methods - ticarpi
- JWT Vulnerabilities (Json Web Tokens) - HackTricks
- JWT Attack Walk-Through - Jerome Smith(2019)
- Hacking JWT Tokens: The None Algorithm - Shivam Bathla
- How to Hack a Weak JWT Implementation with a Timing Attack - Tamas Polgar(2017)
- Practicing JWT Attacks Against Juice-Shop - scomurr(2020)
- Hardcoded secrets, unverified tokens, and other common JWT mistakes - Vasilii Ermilov(2020)
-
Talks/Presentations
- Friday the 13th: JSON Attacks - Defcon25
- Critical vulnerabilities in JSON Web Token libraries - 2015
-
Cracking JWT tokens: a tale of magic, Node.JS and parallel computing - Luciano Mammino(Codemotion Milan2017)
- Learn how you can use some JavaScript/Node.js black magic to crack JWT tokens and impersonate other users or escalate privileges. Just add a pinch of ZeroMQ, a dose of parallel computing, a 4 leaf clover, mix everything applying some brute force and you'll get a powerful JWT cracking potion!
-
The Hacker's Guide to JWT Security by Patrycja Wegrzynowicz(2019)
- JSON Web Token (JWT) is an open standard for creating tokens that assert some number of claims like a logged in user and his/her roles. JWT is widely used in modern applications as a stateless authentication mechanism. Therefore, it is important to understand JWT security risks, especially when broken authentication is among the most prominent security vulnerabilities according to the OWASP Top 10 list. This talk guides you through various security risks of JWT, including confidentiality problems, vulnerabilities in algorithms and libraries, token cracking, token sidejacking, and more. In live demos, you’ll learn how to hijack a user account exploiting common security vulnerabilities on the client-side, on the server-side, and in transport. You’ll also find out about common mistakes and vulnerabilities along with the best practices related to the implementation of JWT authentication and the usage of available JWT libraries.
- "JWAT.... Attacking JSON Web Tokens" - Louis Nyffenegger(BSides Canberra 2019)
-
Modern Webapp Pentesting: How to Attack a JWT - BB King(2020)
- In this Black Hills Information Security webcast - an excerpt from his upcoming 16-hour Modern Webapp Pentesting course - BB King will talk about what JSON Web Tokens are, why they're so controversial, and how to test for their major weaknesses. Then, using OWASP's Juice Shop as a target, he'll show you a straightforward method for exploiting them that you can use on your own next webapp pentest.
- Testing
-
Tools
- json token decode
-
JWT Inspector - FF plugin
- JWT Inspector is a browser extension that lets you decode and inspect JSON Web Tokens in requests, cookies, and local storage. Also debug any JWT directly from the console or in the built-in UI.
- c-jwt-cracker
-
JWT4B
- JSON Web Tokens (JWT) support for the Burp Interception Proxy. JWT4B will let you manipulate a JWT on the fly, automate common attacks against JWT and decode it for you in the proxy history. JWT4B automagically detects JWTs in the form of 'Authorization Bearer' headers as well as customizable post body parameters.
-
jwt_tool
- a toolkit for validating, forging and cracking JWTs (JSON Web Tokens).
- Introducing JWT Tool - ticarpi
-
jwt_secrets - BBhacKing
- A list of "secrets" from JWT sample code and readme files based on the list of projects at https://jwt.io/
-
jwt-secrets - wallarm
- The goal for this project was to find as many publicly available JWT secrets as possible to help developers and DevOps engineers identify them by traffic analysis at the Wallarm NGWAF level.
-
Writeups
- How to configure Json.NET to create a vulnerable web API - alphabot
- 🔐 Learn how to use JSON Web Token (JWT) to secure your next Web App! (Tutorial/Example with Tests!!)
- Critical vulnerabilities in JSON Web Token libraries
- Brute Forcing HS256 is Possible: The Importance of Using Strong Keys in Signing JWTs
- Hacking JSON Web Token (JWT) - Hate_401
- JWT (JSON Web Token) (in)security - Michal Sadjak(2019)
- Practical Approaches for Testing and Breaking JWT Authentication - Mazin Ahmed
- JSON Web Token Validation Bypass in Auth0 Authentication API - Ben Knight(2020)
MIME Sniffing
-
101
- What is MIME Sniffing? - keycdn.com
-
Content Sniffing - Wikipedia
- Content sniffing, also known as media type sniffing or MIME sniffing, is the practice of inspecting the content of a byte stream to attempt to deduce the file format of the data within it.
- Articles/Blogposts/Writeups
- Exploitation of
NodeJS
- 101
-
Educational
- A Roadmap for Node.js Security
-
NodeGoat
- Being lightweight, fast, and scalable, Node.js is becoming a widely adopted platform for developing web applications. This project provides an environment to learn how OWASP Top 10 security risks apply to web applications developed using Node.js and how to effectively address them.
- Articles/Blogposts/Writeups
-
Presentations/Talks/Videos
- NodeJS: Remote Code Execution as a Service - Peabnuts123 – Kiwicon 2016
-
It's Coming From Inside the House: An Inside-Out Approach to NodeJS Application Security - Yolonda Smith(CircleCityCon2019)
- Getting application security right often requires that developers have a deeper than average understanding of the security domain. In what other industry is this the case? We don't have to be M.D.s to get a medical diagnosis; we don't have to be auto mechanics to get our cars fixed, yet we in security wag our fingers at "iD10t errors" and build grand mousetraps to catch "so obvious" developer missteps, when they may not know what they need to add, change or remove from their applications to make it "secure" in the first place. Furthermore, patterns to address these issues don't always fit the requirements of the application short or long term, resulting in solutions that only address part of the problem, or worse, are omitted altogether because they are too cumbersome to implement. My answer to this is _spartan, a node application created for developers of node.js applications, not security people. _spartan allows developers to create security policies which address their node app's (whether it be Desktop, Web, Mobile, IoT or API) specific requirements; it installs & configures the modules to match the policy; and it generates the boilerplate code that developers can import directly into their applications.
-
Tools
-
faker.js
- generate massive amounts of fake data in Node.js and the browser
-
Hidden Property Abuse
-
Discovering Hidden Properties to Attack Node js Ecosystem - Feng Xiao(DEFCON Safemode)
- BlackHat Slides
- Node.js is widely used for developing both server-side and desktop applications. It provides a cross-platform execution environment for JavaScript programs. Due to the increasing popularity, the security of Node.js is critical to web servers and desktop clients. We present a novel attack method against the Node.js platform, called hidden property abusing (HPA). The new attack leverages the widely-used data exchanging feature of JavaScript to tamper critical program states of Node.js programs, like server-side applications. HPA entitles remote attackers to launch serious attacks, such as stealing confidential data, bypassing security checks, and launching denial of service attacks. To help developers detect the HPA issues of their Node.js applications, we develop a tool, named LYNX, that utilizes hybrid program analysis to automatically reveal HPA vulnerabilities and even synthesize exploits. We apply LYNX on a set of widely-used Node.js programs and identify 13 previously unknown vulnerabilities. LYNX successfully generates 10 severe exploits. We have reported all of our findings to the Node.js community. At the time of paper writing, we have received the confirmation of 12 vulnerabilities and got 12 CVEs assigned. Moreover, we collaborated with an authoritative public vulnerability database to help them use a new vulnerability notion and description in related security issues. The talk consists of four parts. First, we will introduce recent offensive research on Node.js. Second, we will introduce HPA by demonstrating an exploit on a widely-used web framework. Third, we will explain how to leverage program analysis techniques to automatically detect and exploit HPA. In the end, we will have a comprehensive evaluation which discusses how we identified 13 HPA 0days with the help of our detection method.
Platform Agnostic Security Token (PASETO)
- 101
- Articles/Blogposts/Writeups
PHP
- 101
-
Articles/Blogposts/Writeups
- Pwning PHP mail() function For Fun And RCE | New Exploitation Techniques And Vectors
- The unexpected dangers of preg_replace
-
Imagecreatefromgif-Bypass
- A simple helper script to find byte sequences present in both of 2 given files. The main purpose of this is to find bytes that remain untouched after being processed with imagecreatefromgif() PHP function from GD-LIB. That is the place where a malicious PHP script can be inserted to achieve some nasty RCE.
- Is PHP vulnerable and under what conditions?
-
PHP7 Internals - Become a Wizard
- Welcome to the PHP Internals Hub - If you ever wondered about how PHP works internally and how you can exploit it: this is where you should start. In this repo, I show basic and advanced exploitation in PHP (some of the bugs reported by me). In every "chapter", you'll learn a little bit more about PHP Internals from an infosec perspective.
- Modern PHP Security Part 1: bug classes - Thomas Chauchefoin, Lena David(2020)
- Modern PHP Security Part 2: Breaching and hardening the PHP engine - Thomas Chauchefoin, Lena David(2020)
-
Code Reuse
- 101
- Articles/Blogposts/Writeups
-
Crypto
- 101
-
Articles/Blogposts/Writeups
-
I Forgot Your Password: Randomness Attacks Against PHP Applications - George Argyros, Aggelos Kiayia
- We provide a number of practical techniques and algorithms for exploiting randomness vulnerabilities in PHP applications. We focus on the predictability of password reset tokens and demonstrate how an attacker can take over user accounts in a web application via predicting or algorithmically derandomizing the PHP core randomness generators. While our techniques are designed for the PHP language, the principles behind our techniques and our algorithms are independent of PHP and can readily apply to any system that utilizes weak randomness generators or low entropy sources. Our results include: algorithms that reduce the entropy of time variables, identifying and exploiting vulnerabilities of the PHP system that enable the recovery or reconstruction of PRNG seeds, an experimental analysis of the Hastad-Shamir framework for breaking truncated linear variables, an optimized online Gaussian solver for large sparse linear systems, and an algorithm for recovering the state of the Mersenne twister generator from any level of truncation. We demonstrate the gravity of our attacks via a number of case studies. Specifically, we show that a number of current widely used web applications can be broken using our techniques including Mediawiki, Joomla, Gallery, osCommerce and others.
-
De/Serialization
- 101
-
Articles/Blogposts/Writeups
- Demystifying Insecure Deserialization in PHP - Sourov Gosh(2020)
- Writing Exploits For Exotic Bug Classes: unserialize()
- Remote code execution via PHP [Unserialize] - notsosecure
- PHP Generic Gadget Chains: Exploiting unserialize in unknown environments
-
PHPGGC: PHP Generic Gadget Chains
- PHPGGC is a library of unserialize() payloads along with a tool to generate them, from command line or programmatically. When encountering an unserialize on a website you don't have the code of, or simply when trying to build an exploit, this tool allows you to generate the payload without having to go through the tedious steps of finding gadgets and combining them. Currently, the tool supports: Doctrine, Guzzle, Laravel, Monolog, Slim, SwiftMailer.
- File Operation Induced Unserialization via the "phar://" Stream Wrapper - secarma labs
- PHP Object Injection Cheat Sheet - Lucian Nitescu(2018)
-
Talks/Presentations/Videos
-
Exploiting PHP7 unserialize - Yannay Livneh (33c3)
- PHP-7 is a new version of the most prevalent server-side language in use today. Like previous versions, this version is also vulnerable to memory corruptions. However, the language has gone through extensive changes and none of the previous exploitation techniques are relevant. In this talk, we explore the new memory internals of the language from an exploiter's and vulnerability researcher's point of view. We will explain newly found vulnerabilities in the 'unserialize' mechanism of the language and present re-usable primitives for remote exploitation of these vulnerabilities.
-
Pictures
- Hacking with Pictures - Syscan2015
-
Exploiting PHP-GD imagecreatefromjpeg() function - fakhrizulkifli
- Proof-of-concept to exploit the flaw in the PHP-GD built-in function, imagecreatefromjpeg(). Inspired by one of Reddit's comment on my previous thread regarding exploiting the imagecreatefromgif() PHP-GD function.
-
Property-Oriented Programming(POP)
-
Code Reuse Attacks in PHP: Automated POP Chain Generation
- In this paper, we study code reuse attacks in the context of PHP-based web applications. We analyze how PHP object injection (POI) vulnerabilities can be exploited via property-oriented programming (POP) and perform a systematic analysis of available gadgets in common PHP applications. Furthermore, we introduce an automated approach to statically detect POI vulnerabilities in object-oriented PHP code. Our approach is also capable of generating POP chains in an automated way. We implemented a prototype of the proposed approach and evaluated it with 10 well-known applications. Overall, we detected 30 new POI vulnerabilities and 28 new gadget chains.
- Utilizing Code Reuse/ROP in PHP Application Exploits - BH 2010
-
POP-Exploit
- Research into Property Oriented Programming about php applications.
- Function Injection
- Bypassing Disabled Functions
- Polyglots
-
String Parsing
-
Abusing PHP query string parser to bypass IDS, IPS, and WAF - theMiddle(2019)
- In this post, we'll see how the PHP query string parser could lead to many IDS/IPS and Application Firewall rules bypass.
-
Type Juggling
- 101
-
Articles/Blogposts/Writeups
-
(Super) Magic Hashes - myst404
- "TL;DR: Magic hashes are well known specific hashes used to exploit Type Juggling attacks in PHP. Combined with bcrypt limitations, we propose the concept of Super Magic Hashes. These hashes can detect 3 different vulnerabilities: type juggling, weak password storage and incorrect Bcrypt usage. A Go PoC found some MD5, SHA1 and SHA224 super magic hashes."
- Writing Exploits For Exotic Bug Classes: PHP Type Juggling
-
From hacked client to 0day discovery - infoteam
- PHP equivalency check failure writeup
-
Writeups
-
Php Codz Hacking
- Writeups of specific PHP vulns
-
Privilege Escalation in 2.3M WooCommerce Shops - Karim El Ouerghemmi, Slavco Mihajloski
- During our research we discovered a PHP Object Injection vulnerability in WooCommerce (CVE-2017-18356) that allows an attacker to escalate privileges with a unique and interesting injection technique.
REST/SOAP/Web Services(WSDL)
-
Learning/Reference
-
101
- Representational State Transfer - Wikipedia
- Microservices
- Service-Oriented-Architecture
-
The S stands for Simple
- Satire(Only it's not) of a conversation about SOAP
- RESTful Services, The Web Security Blind Spot
- Learn REST: A Tutorial
- REST and Stateless Session IDs
- Beginner’s Guide to API(REST) security
- Introduction to RESTful APIs with Chris Wahl
-
Talks & Presentations
-
Cracking and fixing REST services - Bill Sempf - Converge 2015
- REST, or Representational State Transfer, just refers to the protocol with which the whole Web works. No big. We are used to using REST with a browser, but there is more to it - we can write programs with REST. The problem is that writing properties and functions using the web's transfer protocol open them up to all of the security weaknesses of the web, and we know there are a few of those. Finding those bugs is just half of the battle - fixing them is a whole other story. You'll need the details, and you'll get them here.
-
Deconstructing REST Security by David Blevins(DevoxxUSA2017)
- With an aggressive distaste for fancy terminology, this session delves into OAuth 2.0 as it pertains to REST and shows how it falls into two camps: stateful and stateless. The presentation also details a competing Amazon-style approach called HTTP Signatures and digs into the architectural differences of all three, with a heavy focus on the wire, showing actual HTTP messages and enough detail to have you thinking, “I could write this myself.”
- Attacking
-
Tools
-
WS-Attacker
- WS-Attacker is a modular framework for web services penetration testing. It is developed by the Chair of Network and Data Security, Ruhr University Bochum (http://nds.rub.de/ ) and the Hackmanit GmbH (http://hackmanit.de/).
-
Damn Vulnerable Web Services dvws
- Damn Vulnerable Web Services is an insecure web application with multiple vulnerable web service components that can be used to learn real world web service vulnerabilities.
-
WS-Attacks.org
- WS-Attacks.org is not a new web service standard by the OASIS Group or W3C; instead it presents the flaws of today's web service standards and implementations in regard to web service security! WS-Attacks.org aims at delivering the most comprehensive enumeration of all known web service attacks.
-
Astra
- REST API penetration testing is complex due to continuous changes in existing APIs and newly added APIs. Astra can be used by security engineers or developers as an integral part of their process, so they can detect and patch vulnerabilities early during the development cycle. Astra can automatically detect and test login & logout (Authentication API), so it's easy for anyone to integrate this into a CI/CD pipeline. Astra can take an API collection as input, so it can also be used for testing APIs in standalone mode.
-
Susanoo
- Susanoo is a REST API security testing framework.
-
Reference
- Web Services Security Testing Cheat Sheet Introduction - OWASP
- REST_Assessment_Cheat_Sheet.md - OWASP
- RESTful API Best Practices and Common Pitfalls - Spencer Schneidenbach
- REST API Testing Strategy: What Exactly Should You Test? - Roy Mor(2019)
- RESTful web services penetration testing -
- Penetration Testing RESTful Web Services - Prakash Dhatti(2017)
Ruby/Ruby on Rails
- 101
-
Articles/Blogposts/Writeups
- Executing commands in ruby
- Attacking Ruby on Rails Applications - phrack
- Going AUTH the Rails on a Crazy Train: A Dive into Rails Authentication and Authorization
- Property Oriented Programming - Applied to Ruby
- Pentesting Django and Rails
- Execution of shell code in Ruby scripts
-
Tools
-
Brakeman
- Brakeman is an open source static analysis tool which checks Ruby on Rails applications for security vulnerabilities.
Web Assembly
-
101
- Web Assembly
- WebAssembly Specification
- A cartoon intro to WebAssembly Articles
- Lin Clark: A Cartoon Intro to WebAssembly | JSConf EU 2017
-
WebAssembly Design Documents
- This repository contains documents describing the design and high-level overview of WebAssembly.
- WebAssembly - MDN(Mozilla)
- Articles/Papers/Talks/Writeups
-
Papers
-
Security Chasms of WASM - Brian McFadden, Tyler Lukasiewicz, Jeff Dileo, Justin Engler(2018)
- WebAssembly is a new technology that allows web developers to run native C/C++ on a webpage with near-native performance. This paper provides a basic introduction to WebAssembly and examines the security risks that a developer may take on by using it. We cover several examples exploring the theoretical security implications of WebAssembly. We also cover Emscripten, which is currently the most popular WebAssembly compiler toolchain. Our assessment of Emscripten includes its implementation of compiler-and-linker-level exploit mitigations as well as the internal hardening of its libc implementation, and how its augmentation of WASM introduces new attack vectors and methods of exploitation. We also provide examples of memory corruption exploits in the Wasm environment. Under certain circumstances, these exploits could lead to hijacking control flow or even executing arbitrary JavaScript within the context of the web page. Finally, we provide a basic outline of best practices and security considerations for developers wishing to integrate WebAssembly into their product.
-
Everything Old is New Again: Binary Security of WebAssembly - Daniel Lehmann, Johannes Kinder, Michael Pradel(2020)
- WebAssembly is an increasingly popular compilation target designed to run code in browsers and on other platforms safely and securely, by strictly separating code and data, enforcing types, and limiting indirect control flow. Still, vulnerabilities in memory-unsafe source languages can translate to vulnerabilities in WebAssembly binaries. In this paper, we analyze to what extent vulnerabilities are exploitable in WebAssembly binaries, and how this compares to native code. We find that many classic vulnerabilities which, due to common mitigations, are no longer exploitable in native binaries, are completely exposed in WebAssembly. Moreover, WebAssembly enables unique attacks, such as overwriting supposedly constant data or manipulating the heap using a stack overflow. We present a set of attack primitives that enable an attacker (i) to write arbitrary memory, (ii) to overwrite sensitive data, and (iii) to trigger unexpected behavior by diverting control flow or manipulating the host environment. We provide a set of vulnerable proof-of-concept applications along with complete end-to-end exploits, which cover three WebAssembly platforms. An empirical risk assessment on real-world binaries and SPEC CPU programs compiled to WebAssembly shows that our attack primitives are likely to be feasible in practice. Overall, our findings show a perhaps surprising lack of binary security in WebAssembly. We discuss potential protection mechanisms to mitigate the resulting risks.
-
Tools
-
WebAssembly for .NET
- A library able to create, read, modify, write and execute WebAssembly (WASM) files from .NET-based applications. Execution does not use an interpreter. WASM instructions are mapped to their .NET equivalents and converted to native machine language by the .NET JIT compiler.
-
octopus
- Security Analysis tool for WebAssembly module (wasm) and Blockchain Smart Contracts (BTC/ETH/NEO/EOS)
-
Reversing
-
Web-(Dis)Assembly - Christophe Alladoum - Shakacon X
- https://github.com/sophos/WebAssembly/blob/master/Misc/Web-(Dis)Assembly.pdf
- Analyzing WebAssembly binaries: initial feel and behavioral analysis - John Bergbom
- Analyzing WebAssembly binaries - Wasm Reverse Engineering - John Bergbom
- Manual reverse engineering of WebAssembly: static code analysis - John Bergbom
Secure Sockets Layer / Transport Layer Security
- 101
- Articles/Blogposts/Writeups
Single Sign-On(SSO)
- 101
- Articles/Blogposts/Writeups
- Talks & Presentations
-
Dupe Key Confusion
- An attack to bypass XML signature verification by sending multiple key identifiers in the KeyInfo section. Vulnerable systems will use the first one to verify the XML signature and the second one to verify the trust on the signing party. This plugin applies this technique to SAML tokens by allowing one to modify and then re-sign the SAML assertion with an arbitrary attacker-controlled key, which is then sent as the first element of the KeyInfo section, while the original key identifier is sent as the second key identifier.
- Tools
Web Application Firewalls(WAFs)
-
101
-
Awesome WAF
- 🔥 Everything awesome about web-application firewalls (WAF).
-
Web Application Firewalls
-
ModSecurity
- ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx that is developed by Trustwave's SpiderLabs. It has a robust event-based programming language which provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring, logging and real-time analysis.
-
Shadow Daemon
- Shadow Daemon is a collection of tools to detect, record and prevent attacks on web applications. Technically speaking, Shadow Daemon is a web application firewall that intercepts requests and filters out malicious parameters. It is a modular system that separates web application, analysis and interface to increase security, flexibility and expandability. Shadow Daemon is free software. It is released under the GPLv2 license, so its source code can be examined, modified and distributed by everyone.
-
Articles/Blogposts/Writeups
- Bypassing WAFs
- WAF Bypass Cheatsheet/gitbook
- Web Application Firewall (WAF) Evasion Techniques - theMiddle
- Web Application Firewall (WAF) Evasion Techniques #2 - theMiddle
- Web Application Firewall (WAF) Evasion Techniques - secjuice
- Bypassing Web-Application Firewalls by abusing SSL/TLS - 0x09AL
- Request encoding to bypass web application firewalls - NCCGroup
- WAF bypass techniques - Pentestit(2019)
- A Pentesters Guide - Part 5 (Unmasking WAFs and Finding the Source) - pyr0cc
- WAF Bypassing with Unicode Compatibility - Jorge Lajara(2020)
-
Talks & Presentations
-
HTTP Invisibility Cloak by Soroush Dalili - SteelCon2017
- This talk illustrates a number of techniques to smuggle and reshape HTTP requests using features such as HTTP Pipelining that are not normally used by testers. The strange behaviour of web servers with different technologies will be reviewed using HTTP versions 1.1, 1.0, and 0.9 before HTTP v2 becomes too popular! Some of these techniques might come in handy when dealing with a dumb WAF or load balancer that blocks your attacks.
- Web Application Firewall Profiling and Evasion - Michael Ritter
-
Let's Talk About WAF (Bypass) Baby - Brett Gravois(NolaCon2019)
- All modern Web Application Firewalls are able to intercept (and even block) most common attacks from the web. However, what happens when an attacker uses HTTP2 to send attack traffic to a web application or service? In this talk we will cover basic attacks against web applications using HTTP2 to bypass WAFs and Proxies. Attendees will gain knowledge of how to bypass WAF and Proxies using the HTTP2 Protocol, and steps they can take to protect themselves against these kinds of attacks.
-
Tools
-
WhatWaf
- WhatWaf is an advanced firewall detection tool whose goal is to give you the idea of "There's a WAF?". WhatWaf works by detecting a firewall on a web application, and attempting to detect a bypass (or two) for said firewall, on the specified target.
-
WAFPASS
- Analysing parameters with all payloads' bypass methods, aiming at benchmarking security solutions like WAF.
- WAF_buster
-
LightBulb
- LightBulb is an open source python framework for auditing web application firewalls and filters.
-
WAFNinja
- WAFNinja is a tool which contains two functions to attack Web Application Firewalls.
- Web Application Firewall Profiling and Evasion - Michael Ritter - OWASP
- Guide To Identifying And Bypassing WAFs
-
ftw
- Framework for Testing WAFs (FTW!)
-
wafw00f
- WAFW00F allows one to identify and fingerprint Web Application Firewall (WAF) products protecting a website.
JS Frameworks
- 101
- Articles/Blogposts/Writeups
-
Specific Frameworks
- Angular
- Apache Struts
-
ASP.NET
- Getting Shell with XAMLX Files - Soroush Dalili
- ASP.NET resource files (.RESX) and deserialisation issues - Soroush Dalili
- Uploading web.config for Fun and Profit 2 - Soroush Dalili
- Technical Advisory: Bypassing Microsoft XOML Workflows Protection Mechanisms using Deserialisation of Untrusted Data - Soroush Dalili
- XAML overview in WPF - docs.ms
- Rare ASP.NET request validation bypass using request encoding - nccgroup
- Understanding ASP.NET View State - docs.ms
-
viewstate
- A small Python 3.5+ library for decoding ASP.NET viewstate.
-
viewgen
- viewgen is a ViewState tool capable of generating both signed and encrypted payloads with leaked validation keys
-
RCEvil.NET
- RCEvil.NET is a tool for signing malicious ViewStates with a known validationKey. Any (even empty) ASPX page is a valid target. See http://illuminopi.com/ for full details on the attack vector.
- Backbone.js
- Ember.js
-
Flask
- See SSI/Template Injection
-
Injecting Flask - Ryan Reid
- In this adventure we will discuss some of the security features available and potential issues within the Flask micro-framework with respect to Server-Side Template Injection, Cross-Site Scripting, and HTML attribute injection attacks, a subset of XSS. If you’ve never had the pleasure of working with Flask, you’re in for a treat. Flask is a lightweight python framework that provides a simple yet powerful and extensible structure (it is Python after all).
- MeteorJS
-
mustache.js
-
mustache-security(2013)
- This place will host a collection of security tips and tricks for JavaScript MVC frameworks and templating libraries.
- Wikis
-
mustache-security(2013)
- ReactJS
- Spring
- Vue.js
Web Proxies
- 101
- Articles/Blogposts/Writeups
-
Tools
-
Burpsuite
- Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application's attack surface, through to finding and exploiting security vulnerabilities.
-
ZAP - Zed Attack Proxy
- The Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing. ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.
-
Paros - Web Proxy
- A Java based HTTP/HTTPS proxy for assessing web application vulnerability. It supports editing/viewing HTTP messages on-the-fly. Other features include spiders, client certificate, proxy-chaining, intelligent scanning for XSS and SQL injections etc.
-
Mallory: Transparent TCP and UDP Proxy
- Mallory is a transparent TCP and UDP proxy. It can be used to get at those hard to intercept network streams, assess those tricky mobile web applications, or maybe just pull a prank on your friend.
-
TCP Catcher
- TcpCatcher is a free TCP, SOCKS, HTTP and HTTPS proxy monitor server software.
-
wssip
- Application for capturing, modifying and sending custom WebSocket data from client to server and vice versa.
-
ratproxy
- Ratproxy is a semi-automated, largely passive web application security audit tool. It is meant to complement active crawlers and manual proxies more commonly used for this task, and is optimized specifically for an accurate and sensitive detection, and automatic annotation, of potential problems and security-relevant design patterns based on the observation of existing, user-initiated traffic in complex web 2.0 environments.
Web Servers
- Apache
- IIS
- Jetty
- NGINX
Web Storage
- 101
- Articles/Blogposts/Writeups
Tactics & Techniques
- Attacking
-
Securing
- See Defense page.
-
Guides & Methodologies
- OWASP Testing Checklist
- WebAppSec Testing Checklist
-
OWASP Testing Checklist(OTGv4)
- OWASP based Web Application Security Testing Checklist is an Excel based checklist which helps you to track the status of completed and pending test cases. This checklist is completely based on OWASP Testing Guide v 4. The OWASP Testing Guide includes a “best practice” penetration testing framework which users can implement in their own organizations and a “low level” penetration testing guide that describes techniques for testing most common web application security issues. Moreover, the checklist also contains OWASP Risk Assessment Calculator and Summary Findings template.
- LTR101: Web App Testing - Methods to The Madness - Andy Gill
- LTR101: Web Application Testing Methodologies - Andy Gill
-
The Bug Hunter’s Methodology - Jason Haddix @jhaddix(Defcon Safemode RedTeamVillage 2020)
- The Bug Hunter's Methodology is an ongoing yearly installment on the newest tools and techniques for bug hunters and red teamers. This version explores both common and lesser-known techniques to find assets for a target. The topics discussed will look at finding a target's main seed domains, subdomains, IP space, and discuss cutting edge tools and automation for each topic. By the end of this session a bug hunter or red teamer will be able to discover and multiply their attack surface. We also discuss several vulnerabilities and misconfigurations related to the recon phase of assessment.
-
Testing Writeups
- Video Testing stateful web application workflows - András Veres-Szentkirályi
-
Paper Testing stateful web application workflows - SANS - András Veres-Szentkirályi
- Most web applications used for complex business operations and/or employing advanced GUI frameworks have stateful functionality. Certain workflows, for example, might require completing certain steps before a transaction is committed, or a request sent by a client-side UI element might need several preceding requests that all contribute to the session state. Most automated tools focus on a request and maybe a redirection, thus completely missing the point in these cases, where resending a request gets ignored by the target application. As a result, while these tools are getting better day by day, using them for testing such execution paths is usually out of the question. Since thorough assessment is cumbersome without such tools, there's progress, but we are far from plug-and-play products. This paper focuses on the capabilities of currently available solutions, demonstrating their pros and cons, along with opportunities for improvement.
- Payloads
-
Tactics
- Using HTTP Pipelining to hide requests - digi.ninja
- Advanced web security topics - george georgovassilis(2020)
-
Backslash Powered Scanning: Hunting Unknown Vulnerability Classes
- Existing web scanners search for server-side injection vulnerabilities by throwing a canned list of technology-specific payloads at a target and looking for signatures - almost like an anti-virus. In this document, I'll share the conception and development of an alternative approach, capable of finding and confirming both known and unknown classes of injection vulnerabilities. Evolved from classic manual techniques, this approach reaps many of the benefits of manual testing including casual WAF evasion, a tiny network footprint, and flexibility in the face of input filtering.
- Out-of-Band Attacks
-
General Reconnaissance Techniques
- General Articles/Methodology Writeups
-
Tools that didn't fit elsewhere
-
webgrep
- This self-contained tool relies on the well-known grep tool for grepping Web pages. It binds nearly every option of the original tool and also provides additional features like deobfuscating JavaScript or applying OCR on images before grepping downloaded resources.
-
(Almost)Fully Automating Recon
- Articles/Blogposts/Writeups
-
Talks/Presentations/Videos
-
Mechanizing the Methodology : Automating Discovery, Testing, and Alerting using Recon/Testing Tools and Amazon SES - Daniel Miessler(Defcon Safemode RTV2020)
- There are a million techniques out there for finding new attack surface and finding potential vulnerabilities; the problem is finding the time to run your entire methodology against all your targets. This talk will take you through finding new attack surface, performing multiple types of test against those targets, and sending real-time alerts---all on a continuous basis using automation from a cloud-based Linux host.
- Writeup/Review by Clint Gibler(recommend reading)
-
Tools
-
chomp-scan
- A scripted pipeline of tools to simplify the bug bounty/penetration test reconnaissance phase, so you can focus on chomping bugs.
-
Attack Surface Reconnaissance
-
Articles/Blogposts/Writeups
- Asset Enumeration: Expanding a Target's Attack Surface - Capt. Meelo
-
What's in a Domain Name? - Collin Meadows(SecureWV/Hack3rcon2018)
- The domain name is one of the most prominent assets an organization can have. While customers can discover an organization from many sources - social media, review aggregators, advertisements, etc - the webpage is often the first direct experience a person has with a business and brand. This vital role makes the domain a target for fraud, data leakage, and cyber attack. Implementing domain monitoring and performing risk assessments is important, but only half the battle. In this talk, we will consider the amount of intelligence one can gather starting from only a domain name and investigate how this sets an attacker up with an ideal blueprint for malicious action.
-
Tools
-
AttackSurfaceMapper
- Attack Surface Mapper is a reconnaissance tool that uses a mixture of open source intelligence and active techniques to expand the attack surface of your target. You feed in a mixture of one or more domains, subdomains and IP addresses and it uses numerous techniques to find more targets. It enumerates subdomains with bruteforcing and passive lookups, other IPs of the same network block owner, IPs that have multiple domain names pointing to them and so on. Once the target list is fully expanded it performs passive reconnaissance on them, taking screenshots of websites, generating visual maps, looking up credentials in public breaches, passive port scanning with Shodan and scraping employees from LinkedIn.
-
intrigue-core
- Intrigue-core is a framework for external attack surface discovery and automated OSINT.
-
Domain Analyzer
- Domain analyzer is a security analysis tool which automatically discovers and reports information about the given domain. Its main purpose is to analyze domains in an unattended way.
-
domain-profiler
- domain-profiler is a tool that uses information from various sources (Whois, DNS, SSL, ASN) to determine what decisions have been made regarding a domain or list of domains.
-
The Hamburglar
- Hamburglar -- collect useful information from urls, directories, and files
-
AutoRecon
- Simple shell script for automated domain recognition with some tools
- AutoRecon for Automated Reconnaissance - Ahmed Elsobky
-
Websy
- Keep an eye on your targets with Websy to get notified quickly of any change they push on their Web Server
-
BlueEye
- Blue Eye is a python Recon Toolkit script. It shows subdomains resolving to IP addresses, company email addresses and much more ..!
-
Articles/Blogposts/Writeups
-
Browser Automation
-
playwright
- Node.js library to automate Chromium, Firefox and WebKit with a single API
- DNS
-
Endpoint Discovery
- Articles/Blogposts/Writeups
-
Tools
-
JSParser
- A python 2.7 script using Tornado and JSBeautifier to parse relative URLs from JavaScript files. Useful for easily discovering AJAX requests when performing security research or bug bounty hunting.
-
LinkFinder
- LinkFinder is a python script written to discover endpoints and their parameters in JavaScript files. This way penetration testers and bug hunters are able to gather new, hidden endpoints on the websites they are testing, resulting in new testing ground, possibly containing new vulnerabilities. It does so by using jsbeautifier for python in combination with a fairly large regular expression.
-
relative-url-extractor
- During reconnaissance (recon) it is often helpful to get a quick overview of all the relative endpoints in a file. These days web applications have frontend pipelines that make it harder for humans to understand minified code. This tool contains a nifty regular expression to find and extract the relative URLs in such files. This can help surface new targets for security researchers to look at. It can also be used to periodically compare the results of the same file, to see which new endpoints have been deployed. History has shown that this is a goldmine for bug bounty hunters.
-
hakrawler
- Simple, fast web crawler designed for easy, quick discovery of endpoints and assets within a web application
- Introducing Hakrawler: A Fast Web Crawler for Hackers - Luke Stephens(2020)
-
endpointdiff
- endpointdiff is a simple wrapper script around LinkFinder (https://github.com/GerbenJavado/LinkFinder) to quickly identify whether endpoints have changed based on diffs of JS files.
-
Forced Browsing
- Articles/Blogposts/Writeups
-
Tools
-
Dirbuster
- DirBuster is a multi threaded java application designed to brute force directories and file names on web/application servers. It is often the case now that what looks like a web server in a default installation state actually is not, and has pages and applications hidden within. DirBuster attempts to find these.
-
Go Buster
- Directory/file busting tool written in Go; Recursive, CLI-based, no java runtime
-
WFuzz
- Wfuzz is a tool designed for bruteforcing Web Applications. It can be used for finding resources not linked (directories, servlets, scripts, etc), bruteforcing GET and POST parameters for checking different kinds of injections (SQL, XSS, LDAP, etc), bruteforcing form parameters (User/Password), fuzzing, etc.
-
dirsearch
- dirsearch is a simple command line tool designed to brute force directories and files in websites.
-
ffuf
- Fast web fuzzer written in Go
- Everything you need to know about FFUF - codingo(2020)
- ffuf on Steroids - securityjunky.com
-
Tachyon
- Tachyon is a Fast Multi-Threaded Web Discovery Tool
-
Syntribos
- Given a simple configuration file and an example HTTP request, syntribos can replace any API URL, URL parameter, HTTP header and request body field with a given set of strings. Syntribos iterates through each position in the request automatically. Syntribos aims to automatically detect common security defects such as SQL injection, LDAP injection, buffer overflow, etc. In addition, syntribos can be used to help identify new security defects by automated fuzzing.
-
OpenDoor
- OpenDoor OWASP is a console multifunctional web site scanner. This application finds all possible ways to login, index of/ directories, web shells, restricted access points, subdomains, hidden data and large backups. The scanning is performed by the built-in dictionary and external dictionaries as well. Anonymity and speed are provided by means of using proxy servers.
-
rustbuster
- A Comprehensive Web Fuzzer and Content Discovery Tool
-
feroxbuster
- A fast, simple, recursive content discovery tool written in Rust.
-
SharpBuster
- SharpBuster is a C# implementation of a directory brute forcing tool. It's designed to be used via Cobalt Strike's execute-assembly and similar tools, when running a similar tool over a SOCKS proxy is not feasible.
-
FES - Fast Endpoint Scanner
- A web application endpoint scanner written in Rust, designed to put less load on the domains it scans with parsing features to help grab the important stuff (inspired by tomnomnom's meg).
-
WAES
- CPH:SEC WAES: Web Auto Enum & Scanner - Auto enums website(s) and dumps files as result
-
crithit
- Website Directory and file brute forcing at extreme scale.
-
snallygaster
- Finds file leaks and other security problems on HTTP servers.
-
HTTP Enumeration
- Articles/Blogposts/Writeups
-
Tools
-
Arjun
- HTTP parameter discovery suite.
-
Psi-Probe
- Advanced manager and monitor for Apache Tomcat, forked from Lambda Probe
-
HTTPLeaks
- HTTPLeaks - All possible ways a website can leak HTTP requests
-
HTTPie - curl for humans
- HTTPie (pronounced aych-tee-tee-pie) is a command line HTTP client. Its goal is to make CLI interaction with web services as human-friendly as possible. It provides a simple http command that allows for sending arbitrary HTTP requests using a simple and natural syntax, and displays colorized output. HTTPie can be used for testing, debugging, and generally interacting with HTTP servers.
-
gethead
- HTTP Header Analysis Vulnerability Tool
-
HTTP Fingerprinting
- Articles/Blogposts/Writeups
-
Tools
-
GoFingerprint
- GoFingerprint is a Go tool for taking a list of target web servers and matching their HTTP responses against a user defined list of fingerprints.
-
JS-based scanning
-
Articles/Blogposts/Writeups
-
Exposing Intranets with reliable Browser-based Port scanning - Gareth Heyes
- In this blog post I describe how I created a port scanner using JavaScript.
- Tools
-
Articles/Blogposts/Writeups
-
(Sub)Domain Reconnaissance
- Articles/Blogposts/Writeups
-
Domain Discovery
-
DRROBOT
- Dr.ROBOT is a tool for Domain Reconnaissance and Enumeration. By utilizing containers to reduce the overhead of dealing with dependencies, inconsistencies across operating systems, and different languages, Dr.ROBOT is built to be highly portable and configurable.
-
assetfinder
- Find domains and subdomains potentially related to a given domain.
-
Subdomain Discovery Tools
-
Sudomy
- Sudomy is a subdomain enumeration tool, created using a bash script, to analyze domains and collect subdomains in a fast and comprehensive way.
-
domains-from-csp
- A Python script to parse domain names from CSP header
-
pdlist. A passive subdomain finder
- pdlist is a passive subdomain finder written in python3. This tool can be used effectively to collect information about a domain without ever sending a single packet to any of its hosts. Given a domain like "example.com" it will find all the hosts which have a hostname <something>.example.com or URLs strictly related to example.com.
-
Find-Domains
- This repo contain scripts written for finding subdomains using various available tools
-
sub-differ
- Takes a list of old subdomains and a list of new subdomains; the output is the deleted subdomains and the newly added subdomains.
- OneForAll
-
Technology Identification
- Articles/Blogposts/Writeups
-
Tools
-
General
-
wappy
- A tool to discover technologies in web applications from your terminal. It uses the wap library, which is a python implementation of the great Wappalyzer browser extension. In fact, it uses the rules defined in the file technologies.json of the Wappalyzer repository.
-
CMS
-
CMSExplorer
- CMS Explorer is designed to reveal the specific modules, plugins, components and themes that various CMS driven web sites are running. Additionally, CMS Explorer can be used to aid in security testing. While it performs no direct security checks, the "explore" option can be used to reveal hidden/library files which are not typically accessed by web clients but are nonetheless accessible. This is done by retrieving the module's current source tree and then requesting those file names from the target system. These requests can be sent through a distinct proxy to help "bootstrap" security testing tools like Burp, Paros, Webinspect, etc.
-
BlindElephant Web Application Fingerprinter
- The BlindElephant Web Application Fingerprinter attempts to discover the version of a (known) web application by comparing static files at known locations against precomputed hashes for versions of those files in all available releases. The technique is fast, low-bandwidth, non-invasive, generic, and highly automatable.
-
Fingerprinter
- CMS/LMS/Library etc Versions Fingerprinter. This script's goal is to try to find the version of the remote application/third party script etc by using a fingerprinting approach.
-
WPScan
- WPScan is a free, for non-commercial use, black box WordPress security scanner written for security professionals and blog maintainers to test the security of their WordPress websites.
-
Proxies
-
Web Filter External Enumeration Tool (WebFEET)
- WebFEET is a web application for the drive-by enumeration of web security proxies and policies. See associated white paper (Drive-by enumeration of web filtering solutions)
-
Web Servers
-
httprecon - Advanced Web Server Fingerprinting
- The httprecon project is doing some research in the field of web server fingerprinting, also known as http fingerprinting. The goal is the highly accurate identification of given httpd implementations. This is very important within professional vulnerability analysis. Besides the discussion of different approaches and the documentation of gathered results, an implementation for automated analysis is also provided. This software shall improve the ease and efficiency of this kind of enumeration. Traditional approaches like banner-grabbing, status code enumeration and header ordering analysis are used. However, many other analysis techniques were introduced to increase the possibilities of accurate web server fingerprinting. Some of them were already discussed in the book Die Kunst des Penetration Testing (Chapter 9.3, HTTP-Fingerprinting, pp. 530-550).
-
WhatWeb
- WhatWeb identifies websites. Its goal is to answer the question, "What is that Website?". WhatWeb recognises web technologies including content management systems (CMS), blogging platforms, statistic/analytics packages, JavaScript libraries, web servers, and embedded devices. WhatWeb has over 1500 plugins, each to recognise something different. WhatWeb also identifies version numbers, email addresses, account IDs, web framework modules, SQL errors, and more.
-
General
-
Web Scraping
- 101
- Articles/Papers/Talks/Writeups
- General
-
Tools
-
Puppeteer
- Puppeteer is a Node library which provides a high-level API to control Chrome or Chromium over the DevTools Protocol. Puppeteer runs headless by default, but can be configured to run full (non-headless) Chrome or Chromium.
-
dvcs-ripper
- Rip web accessible (distributed) version control systems: SVN, GIT, Mercurial/hg, bzr, ... It can rip repositories even when directory browsing is turned off.
-
Scrapy
- An open source and collaborative framework for extracting the data you need from websites.
- Beautiful Soup
-
Miscellaneous
-
WeasyPrint
- WeasyPrint is a visual rendering engine for HTML and CSS that can export to PDF. It aims to support web standards for printing. WeasyPrint is free software made available under a BSD license.
-
User Enumeration
- Articles/Blogposts/Writeups
-
Tools
-
WhatsMyName
- This repository has the unified data required to perform user enumeration on various websites. Content is in a JSON file and can easily be used in other projects.
-
hackability
- Rendering Engine Hackability Probe performs a variety of tests to discover what the unknown rendering engine supports. To use it simply extract it to your web server and visit the url in the rendering engine you want to test. The more successful probes you get the more likely the target engine is vulnerable to attack.
-
Virtual Hosts
- 101
-
Tools
-
virtual-host-discovery
- This is a basic HTTP scanner that'll enumerate virtual hosts on a given IP address. During recon, this might help expand the target by detecting old or deprecated code. It may also reveal hidden hosts that are statically mapped in the developer's /etc/hosts file.
-
blacksheepwall
- blacksheepwall is a hostname reconnaissance tool
-
VHostScan
- A virtual host scanner that performs reverse lookups, can be used with pivot tools, detect catch-all scenarios, work around wildcards, aliases and dynamic default pages.
-
Visual Reconnaissance
- Articles/Blogposts/Writeups
-
Tools
-
PowerWebShot
- A PowerShell tool for taking screenshots of multiple web servers quickly.
-
HTTrack - Website Copier
- It allows you to download a World Wide Web site from the Internet to a local directory, building recursively all directories, getting HTML, images, and other files from the server to your computer. HTTrack arranges the original site's relative link-structure. Simply open a page of the "mirrored" website in your browser, and you can browse the site from link to link, as if you were viewing it online. HTTrack can also update an existing mirrored site, and resume interrupted downloads. HTTrack is fully configurable, and has an integrated help system.
-
Kraken
- Kraken is a tool to help make your web interface testing workflow more efficient. This is done by using Django, Apache, and a MySQL database to store and organize web interface screenshots and data. This allows you and your team to take notes and track which hosts have been tested simultaneously. Once you are finished, you can view the notes you took and generate reports in the Reports section.
-
Eyeballer
- Eyeballer is meant for large-scope network penetration tests where you need to find "interesting" targets from a huge set of web-based hosts. Go ahead and use your favorite screenshotting tool like normal (EyeWitness or GoWitness) and then run them through Eyeballer to tell you what's likely to contain vulnerabilities, and what isn't.
-
gowitness
- gowitness is a website screenshot utility written in Golang, that uses Chrome Headless to generate screenshots of web interfaces using the command line. Both Linux and macOS are supported, with Windows support 'partially working'.
-
webscreenshot
- A simple script to screenshot a list of websites, based on the url-to-image PhantomJS script.
-
LazyShot
- The simplest way to take an automated screenshot of given URLs. Easy installation!
- RAWR - Rapid Assessment of Web Resources
-
3rd Party Hosted Tools
-
VisualSiteMapper
- Visual Site Mapper is a free service that can quickly show a map of your site.
-
Web Page
-
HTCAP
- htcap is a web application scanner able to crawl single page application (SPA) recursively by intercepting ajax calls and DOM changes.
-
Wordlists
-
jhaddix all.txt
- all wordlists from every dns enumeration tool... ever. Please excuse the lewd entries =/
-
jhaddix content_discovery_all.txt
- a masterlist of content discovery URLs and files (used most commonly with gobuster)
-
SecLists
- SecLists is the security tester's companion. It's a collection of multiple types of lists used during security assessments, collected in one place. List types include usernames, passwords, URLs, sensitive data patterns, fuzzing payloads, web shells, and many more.
-
IntruderPayloads
- A collection of Burpsuite Intruder payloads, BurpBounty payloads (https://github.com/wagiro/BurpBounty), fuzz lists and pentesting methodologies.
- CommonSpeak2
-
CWFF - Custom wordlists for fuzzing
- CWFF is a tool that creates a special High quality fuzzing/content discovery wordlist for you at the highest speed possible using concurrency and it's heavily inspired by @tomnomnom's Who, What, Where, When, Wordlist
-
1ndiList v 1.0
- Recon Custom WordList Generator
- Who, What, Where, When, Wordlist - TomNomNom
-
General Testing Techniques
-
Authorization Testing
-
AuthCov
- AuthCov crawls your web application using a Chrome headless browser while logged in as a pre-defined user. It intercepts and logs API requests as well as pages loaded during the crawling phase. In the next phase it logs in under a different user account, the "intruder", and attempts to access each one of the API requests or pages discovered previously. It repeats this step for each intruder user defined. Finally it generates a detailed report listing the resources discovered and whether or not they are accessible to the intruder users.
-
Vulnerability Scanner
- Nikto
-
Spaghetti - Web Application Security Scanner
- Spaghetti is an Open Source web application scanner, it is designed to find various default and insecure files, configurations, and misconfigurations. Spaghetti is built on python2.7 and can run on any platform which has a Python environment.
-
skipfish
- Skipfish is an active web application security reconnaissance tool. It prepares an interactive sitemap for the targeted site by carrying out a recursive crawl and dictionary-based probes. The resulting map is then annotated with the output from a number of active (but hopefully non-disruptive) security checks. The final report generated by the tool is meant to serve as a foundation for professional web application security assessments.
-
wikto
- Wikto is Nikto for Windows - but with a couple of fancy extra features including Fuzzy logic error code checking, a back-end miner, Google assisted directory mining and real time HTTP request/response monitoring. Wikto is coded in C# and requires the .NET framework.
-
WATOBO
- WATOBO is a security tool for testing web applications. It is intended to enable security professionals to perform efficient (semi-automated) web application security audits.
-
YASUO
- Yasuo is a ruby script that scans for vulnerable 3rd-party web applications.
-
ParrotNG
- ParrotNG is a tool capable of identifying Adobe Flex applications (SWF) vulnerable to CVE-2011-2461
-
Arachni Web Scanner
- Arachni is an Open Source, feature-full, modular, high-performance Ruby framework aimed towards helping penetration testers and administrators evaluate the security of web applications. It is smart, it trains itself by monitoring and learning from the web application's behavior during the scan process and is able to perform meta-analysis using a number of factors in order to correctly assess the trustworthiness of results and intelligently identify (or avoid) false-positives.
-
Pyfiscan
- Pyfiscan is a free web-application vulnerability and version scanner and can be used to locate out-dated versions of common web-applications on Linux servers. An example use case is hosting providers keeping an eye on their users' installations to keep up with security updates. Fingerprints are easy to create and modify as users can write them in YAML syntax. Pyfiscan also contains a tool to create email alerts using templates.
-
jaeles
- "powerful, flexible and easily extensible framework written in Go for building your own Web Application Scanner."
- Showcase examples of usage
-
0d1n
- 0d1n is a tool for automating customized attacks against web applications.
-
reNgine
- reNgine is an automated reconnaissance framework meant for gathering information during penetration testing of web applications. reNgine has customizable scan engines, which can be used to scan the websites, endpoints, and gather information.
-
Osmedeus
- Fully automated offensive security framework for reconnaissance and vulnerability scanning
Different Types of Attacks
Abuse of Functionality
-
jsgifkeylogger
- A JavaScript keylogger included in a GIF file. This is a PoC.
Brute Force/Fuzzing
- 101
-
Tools
-
Dirbuster
- DirBuster is a multi threaded java application designed to brute force directories and file names on web/application servers. It is often the case now that what looks like a web server in a default installation state actually is not, and has pages and applications hidden within. DirBuster attempts to find these.
-
Go Buster
- Directory/file busting tool written in Go; Recursive, CLI-based, no java runtime
-
WFuzz
- Wfuzz is a tool designed for bruteforcing Web Applications. It can be used for finding resources not linked (directories, servlets, scripts, etc), bruteforcing GET and POST parameters for checking different kinds of injections (SQL, XSS, LDAP, etc), bruteforcing form parameters (User/Password), fuzzing, etc.
-
dirsearch
- dirsearch is a simple command line tool designed to brute force directories and files in websites.
-
ffuf
- Fast web fuzzer written in Go
-
Tachyon
- Tachyon is a Fast Multi-Threaded Web Discovery Tool
-
Syntribos
- Given a simple configuration file and an example HTTP request, syntribos can replace any API URL, URL parameter, HTTP header and request body field with a given set of strings. Syntribos iterates through each position in the request automatically. Syntribos aims to automatically detect common security defects such as SQL injection, LDAP injection, buffer overflow, etc. In addition, syntribos can be used to help identify new security defects by automated fuzzing.
Attacking Continuous Integration Systems
- 101
- Articles/Blogposts/Writeups
- Talks/Presentations/Videos
-
Agnostic
-
cider - Continuous Integration and Deployment Exploiter
- CIDER is a framework written in Node.js that aims to harness the functions necessary for exploiting Continuous Integration (CI) systems and their related infrastructure and build chain (e.g. Travis-CI, Drone, Circle-CI). Most of the exploits in CIDER exploit CI build systems through open GitHub repositories via malicious Pull Requests. It is built modularly to encourage contributions, so more exploits, attack surfaces, and build chain services will be integrated in the future.
-
Rotten Apple
- A tool for testing continuous integration (CI) or continuous delivery (CD) system security
- Bamboo
- CircleCI
- Jenkins
CSV Injection
- 101
-
Articles/Blogposts/Writeups
- Everything about the CSV Excel Macro Injection - Ishaq Mohammed
- From CSV to CMD to qwerty - exploresecurity
-
Tricks to improve web app excel export attacks(Slides) - Jerome Smith - CamSec2016
- Video
- This presentation is an embellished version of the second half of a talk originally presented at BSides MCR 2016. It covers more general web app export issues as well as revisions on the DDE content following feedback from BSides. This talk also had more demos.
- CSV Injection Revisited - Making Things More Dangerous(and fun) - Andy Gill
- From CSV to Meterpreter - XPNSec
- CSV Injection- There's devil in the detail - Sunil Joshi
- CSV injection: Basic to Exploit!!!! - Akansha Kesharwani
- [Cell Injection] Attacking the end user through the application - David Stubley
- The Absurdly Underestimated Dangers of CSV Injection - George Mauer
- Data Extraction to Command Execution CSV Injection - Jamie Rougvie
-
Comma Separated Vulnerabilities
- This post introduces Formula Injection, a technique for exploiting ‘Export to Spreadsheet’ functionality in web applications to attack users and steal spreadsheet contents. It also details a command injection exploit for Apache OpenOffice and LibreOffice that can be delivered using this technique.
- [Cell Injection] Attacking the end user through the application - 7elements.co.uk
- Microsoft Excel CSV code execution/injection method - xor %eax,%eax
- Talks & Presentations
- Tools
Clickjacking
-
101
-
Clickjacking - Wikipedia
- Clickjacking (classified as a User Interface redress attack, UI redress attack, UI redressing) is a malicious technique of tricking a user into clicking on something different from what the user perceives, thus potentially revealing confidential information or allowing others to take control of their computer while clicking on seemingly innocuous objects, including web pages.
-
Clickjacking Defense Cheat Sheet - OWASP
- This cheat sheet is intended to provide guidance for developers on how to defend against Clickjacking, also known as UI redress attacks.
- X-Frame-Options - MDN Web Docs
- Clickjacking (UI redressing) - PortSwigger
- Articles/Blogposts/Writeups
- Presentations/Talks/Videos
- Papers
- Tools
Cross Protocol Scripting/Request Attack
- 101
- Articles/Blogposts/Writeups
-
Papers
-
HTML Form Protocol Attack - Jochen Topf(2001)
- This paper describes how some HTML browsers can be tricked through the use of HTML forms into sending more or less arbitrary data to any TCP port. This can be used to send commands to servers using ASCII based protocols like SMTP, NNTP, POP3, IMAP, IRC, and others. By sending HTML email to unsuspecting users or using a trojan HTML page, an attacker might be able to send mail or post Usenet News through servers normally not accessible to him. In special cases an attacker might be able to do other harm, e.g. deleting mail from a POP3 mailbox.
-
Cross-Protocol Request Forgery - Tanner Prynn(2018)
- Server-Side Request Forgery (SSRF) and Cross-Site Request Forgery (CSRF) are two attack methods that enable attackers to cross network boundaries in order to attack applications, but can only target applications that speak HTTP. Custom TCP protocols are everywhere: IoT devices, smartphones, databases, development software, internal web applications, and more. Often, these applications assume that no security is necessary because they are only accessible over the local network. This paper aims to be a definitive overview of attacks that allow cross-protocol exploitation of non-HTTP listeners using CSRF and SSRF, and also expands on the state of the art in these types of attacks to target length-specified protocols that were not previously thought to be exploitable.
- Presentations/Talks/Videos
-
Tools
-
Extract data
- Extract data is a demo combining a cross-protocol request attack with DNS rebinding
Cross Site Content Hijacking
- 101
-
Articles/Blogposts/Writeups
- Content-Type Blues - Neil Bergman
- Exploiting CVE-2011-2461 on google.com - Mauro Gentile
- Cross-Site Content (Data) Hijacking (XSCH) PoC Project
- Even uploading a JPG file can lead to Cross-Site Content Hijacking (client-side attack)! - Soroush Dalili
- Same Origin Policy Weaknesses - Kuza55
- The lesser known pitfalls of allowing file uploads on your website - Mathias Karlsson, Frans Rosén
- Papers
- Presentations/Talks/Videos
- Tools
Cross Site History Manipulation
- 101
- Articles/Blogposts/Writeups
- Papers
- Presentations/Talks/Videos
- Tools
Cross Site Request Forgery (CSRF)
- 101
-
Articles/Blogposts
- ClientSideTrojan - zope.org(2000)
- Cross-Site Request Forgeries - Peter Watkins(Bugtraq 2002) - https://web.archive.org/web/20020204142607/http://www.tux.org/~peterw/csrf.txt
- Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet
- The OWASP Top Ten and ESAPI – Part 5 – Cross Site Request Forgery (CSRF)
- Testing for CSRF (OTG-SESS-005) - OWASP - https://www.owasp.org/index.php/Testing_for_CSRF_(OTG-SESS-005)
- A most Neglected Fact About CSRF - pdf
- Bypassing CSRF Protection - Vickie Li
- Samesite by Default and What It Means for Bug Bounty Hunters - Filedescriptor, Ron Chan & Edoverflow(2020)
- Cross Site Request Forgery: Techniques - OneHackMan(2019)
- CSRF is dead - Scott Helme(2017)
- CSRF is (really) dead - Scott Helme(2019)
-
Writeups
- WordPress 5.1 CSRF to Remote Code Execution - Simon Scannell(2019)
- CSRF to RCE bug chain in Prestashop v1.7.6.4 and below - Sivanesh Ashok(2020)
- CSRF Protection Bypass in Play Framework - Luca Carrettoni(2020)
- Research: The mass CSRFing of .google.com/ products. - missoumsai.com
- Zoom Security Exploit – Cracking private meeting passwords - Tom Anthony(2020)
- How I leveraged an interesting CSRF vulnerability to turn self XSS into a persistent attack? - Akash Methani(2020)
- Exploiting WebSocket [Application Wide XSS / CSRF] - Osama Avvan
- CSRF is No Joke: From CSRF to RCE in Cisco Energy Management - Chris Lyne
- From Csrf To Rce - fgsec.net(2020)
- From CSRF to RCE and WordPress-site takeover: CVE-2020-8417 - Jonas Lejon
- WordPress 5.1 CSRF + XSS + RCE – Poc - Pablo Plaza Martinez
- Bolt CMS <= 3.7.0 Multiple Vulnerabilities - CSRF to RCE - Sivanesh Ashok
- Playing with GZIP: RCE in GLPI (CVE-2020-11060) - @myst404
-
Papers
- Session Riding: A Widespread Vulnerability in Today's Web Applications - Thomas Schreiber(2004) - https://crypto.stanford.edu/cs155old/cs155-spring08/papers/Session_Riding.pdf
- Robust Defenses for Cross-Site Request Forgery
- RequestRodeo: Client Side Protection against Session Riding - Martin Johns and Justus Winter - pdf
- Presentations/Talks/Videos
- Tools
- Onsite-Request-Forgery
Cascading-StyleSheets-related Attacks
- 101
-
General
-
Articles/Blogposts/Writeups
- I know where you've been - Jeremiah Grossman(2006)
- CSS based Attack: Abusing unicode-range of @font-face - Masato Kinugawa(2015)
- CSS: Cascading Style Scripting - XSS Jigsaw(2015)
- History theft with CSS Boolean algebra - lcamtuf
- CSS mix-blend-mode is bad for your browsing history - lcamtuf(2016)
- Stealing Data With CSS: Attack and Defense - Mike Gualtieri(2018)
- Third party CSS is not safe - Jake Archibald(2018)
- CSS Security Vulnerabilities - Chris Coyier(2019)
- Cross-Origin CSS Attacks Revisited (feat. UTF-16) - @filedescriptor
-
Talks/Presentations/Videos
- The Sexy Assassin: Tactical Exploitation Using CSS - G. Heyes, D. Lindsay, and E.V. Nava(BlueHat 2009)
- XSS. (No, the other "S") - Mike West(CSSconf.eu 2013)
-
Attacking Rich Internet Applications - Stefano Di Paola, kuza55(25c3 2010)
- This presentation will examine the largely under-researched topic of rich internet applications (RIAs) security in the hopes of illustrating how the complex interactions with their executing environment, and general bad security practices, can lead to exploitable applications. In recent years rich internet applications (RIAs) have become the mainstay of large internet applications and are becoming increasingly attractive to the industry due to their similarity to desktop applications. Furthermore, their use of existing web technologies such as HTTP, HTML/XML and Javascript/Actionscript makes them attractive options to companies with existing web developers. Unfortunately the use of existing technologies brings with it the burden of existing ways to write vulnerable code, but adds yet more ways. This presentation will examine the largely under-researched topic of RIA security in the hopes of illustrating how the complex interactions with their executing environment, and general bad security practices, can lead to exploitable applications.
- The Curse of Cross-Origin Stylesheets - LiveOverflow(2018)
- The Sexy Assassin Tactical Exploitation using CSS. - Gerardo Speaks
-
Papers
-
Scriptless Attacks - Stealing the Pie Without Touching the Sill - Mario Heiderich, Marcus Niemietz, Felix Schuster, Thorsten Holz, Jörg Schwenk(2012)
- In this paper, we examine the attack surface that remains after XSS and similar scripting attacks are supposedly mitigated by preventing an attacker from executing JavaScript code. We address the question of whether an attacker really needs JavaScript or similar functionality to perform attacks aiming for information theft. The surprising result is that an attacker can also abuse Cascading Style Sheets (CSS) in combination with other Web techniques like plain HTML, inactive SVG images or font files. Through several case studies, we introduce the so called scriptless attacks and demonstrate that an adversary might not need to execute code to preserve his ability to extract sensitive information from well protected websites. More precisely, we show that an attacker can use seemingly benign features to build side channel attacks that measure and exfiltrate almost arbitrary data displayed on a given website. We conclude this paper with a discussion of potential mitigation techniques against this class of attacks. In addition, we have implemented a browser patch that enables a website to make a vital determination as to being loaded in a detached view or pop-up window. This approach proves useful for prevention of certain types of attacks we here discuss.
-
Tools
- http://eaea.sirdarckcat.net/cssar/v2/
- CTF insomnihack'18 - Cool Storage Service web challenge
-
Articles/Blogposts/Writeups
-
CSS Injection
- 101
- Articles/Blogposts/Writeups
- Presentations/Talks/Videos
Cross Site WebSocket Hijacking
- 101
-
Articles/Blogposts/Presentations/Talks/Videos
- Security Testing HTML5 WebSockets - ethicalhack3r(2013)
- How Cross-Site WebSocket Hijacking could lead to full Session Compromise - notsosecure.com(2014)
- Analysing, Testing and Fuzzing WebSocket Implementations with IronWASP - ironwasp.org(2014)
- Cross-Site Websocket Hijacking (CSWSH) - Jesse Somerville(2019)
- Hacking WebSocket With Cross-Site WebSocket Hijacking attacks - Vickie Li(2019)
- Cross-site WebSocket hijacking (CSWSH) - HackTricks
- Talks/Presentations/Videos
- Papers
- Tools
Data Structure Attacks
- --> See XML section
- --> See 'CSV Injection' Attack
- Comma Separated Vulnerabilities
Edge Side Include Injection
- 101
- Articles/Blogposts/Writeups
-
Talks/Presentations/Videos
- Cache Me If You Can - Philippe Arteau
-
Edge Side Include Injection: Abusing Caching Servers into SSRF and Transparent Session Hijacking - Louis Dion-Marcil(BHUSA2018)
- Slides
- When caching servers and load balancers became an integral part of the Internet's infrastructure, vendors introduced what is called "Edge Side Includes" (ESI), a technology allowing malleability in caching systems. This legacy technology, still implemented in nearly all popular HTTP surrogates (caching/load balancing services), is dangerous by design and brings a yet unexplored vector for web-based attacks.
- Tools
Embedded Malicious Code
- 101
- Articles/Blogposts/Writeups
- Papers
- Presentations/Talks/Videos
- Tools
Exploitation of Authentication
- 101
- Articles/Blogposts/Writeups
- Papers
- Presentations/Talks/Videos
- Tools
IDN https://arxiv.org/pdf/1909.07539.pdf
IDN Homograph & Homograph Attacks
- 101
-
Articles/Blogposts/Writeups
- Homograph Attack - crypto-it.net
- What is an IDN Homograph Attack and How Do You Protect Yourself? - zvelo(2018)
- Phishing with Unicode Domains - Xudong Zheng(2017)
- Watch Your Step: The Prevalence of IDN Homograph Attacks - Asaf Nadler(2017)
- Homograph attacks: Don’t believe everything you see - Cecilia Pastorino(2017)
- A Quick Guide to the IDN Homograph Attack - Ronnie T. Baby
-
Talks/Presentations/Videos
-
Weaponizing Unicode Homographs Beyond IDNs - The Tarquin(DEFCON 26)
- Most people are familiar with homograph attacks due to phishing or other attack campaigns using Internationalized Domain Names with look-alike characters. But homograph attacks exist against a wide variety of systems that have gotten far less attention. This talk discusses the use of homographs to attack machine learning systems, to submit malicious software patches, and to craft cryptographic canary traps and leak repudiation mechanisms. It then introduces a generalized defense strategy that should work against homograph attacks in any context.
-
Papers
-
Cutting through the Confusion: A Measurement Study of Homograph Attacks. - Tobias Holgers, David E. Watson, Steven D. Gribble(2006)
- Web homograph attacks have existed for some time, and the recent adoption of International Domain Names (IDNs) support by browsers and DNS registrars has exacerbated the problem [Gabr02]. Many international letters have similar glyphs, such as the Cyrillic letter P (lower case 'er,' Unicode 0x0440) and the Latin letter p. Because of the large potential for misuse of IDNs, browser vendors, policy advocates, and researchers have been exploring techniques for mitigating homograph attacks [Mozi05, Appl05, Oper05, Mark05]. There has been plenty of attention on the problem recently, but we are not aware of any data that quantifies the degree to which Web homograph attacks are currently taking place. In this paper, we use a combination of passive network tracing and active DNS probing to measure several aspects of Web homographs. Our main findings are four-fold. First, many authoritative Web sites that users visit have several confusable domain names registered. Popular Web sites are much more likely to have such confusable domains registered. Second, registered confusable domain names tend to consist of single character substitutions from their authoritative domains, though we saw instances of five-character substitutions. Most confusables currently use Latin character homographs, but we did find a non-trivial number of IDN homographs. Third, Web sites associated with non-authoritative confusable domains most commonly show users advertisements. Less common functions include redirecting victims to competitor sites and spoofing the content of the authoritative site. Fourth, during our nine-day trace, none of the 828 Web clients we observed visited a non-authoritative confusable Web site. Overall, our measurement results suggest that homograph attacks currently are rare and not severe in nature. However, given the recent increases in phishing incidents, homograph attacks seem like an attractive future method for attackers to lure users to spoofed sites.
- Іntеrnɑtⅰonɑlⅰzеⅾ Dоmɑⅰn Nɑmе Hоmоɡrɑρh Attɑсκ - Chen Lai, Zhongrong Jian, J. Sidrach
-
Tools
-
EvilURL v2.0
- Generate unicode evil domains for IDN Homograph Attack and detect them.
- homoglyphs.net
-
Punycode converter
- or an IDN converter, a tool for Punycode to Text/Unicode and vice-versa conversion
Insecure Direct Object Reference
- 101
-
Articles/Blogposts/Writeups
- Testing for Insecure Direct Object References (OTG-AUTHZ-004) - OWASP
- Insecure Direct Object Reference Prevention Cheat Sheet - OWASP
- Airbnb – Web to App Phone Notification IDOR to view Everyone’s Airbnb Messages - Brett Buerhaus
- How-To: Find IDOR (Insecure Direct Object Reference) Vulnerabilities for large bounty rewards - BugCrowd
- A Less Known Attack Vector, Second Order IDOR Attacks - Ozgur Alp(2020)
- Talks/Presentations/Videos
- Tools
Execution After(/Open) Redirect (EAR)
- Execution After Redirect
- Open Redirect
File Upload Testing
- 101
-
Articles/Blogposts/Writeups
- Why File Upload Forms are a Major Security Threat - acunetix
- Unrestricted File Upload Testing
- BookFresh Tricky File Upload Bypass to RCE - secgeek.net
- 15 Technique to Exploit File Upload Pages - Ebrahim Hegazy(HackIT17)
- File Upload and PHP on IIS: >=? and <=* and "=. - Soroush Dalili
- Exploiting File Uploads Pt. 1 – MIME Sniffing to Stored XSS #bugbounty - HackerOnTwoWheels(2019)
- Bypassing file upload filter by source code review in Bolt CMS - Sivanesh Ashok
- Ability to upload HTML via SRT caption files for Facebook Videos - philippeharewood.com(2015)
- Papers
-
Presentations/Talks/Videos
-
FUSE: Finding File Upload Bugs via Penetration Testing - Taekjin Lee, Seongil Wi, Suyoung Lee, Sooel Son(NDSS2020)
- An Unrestricted File Upload (UFU) vulnerability is a critical security threat that enables an adversary to upload her choice of a forged file to a target web server. This bug evolves into an Unrestricted Executable File Upload (UEFU) vulnerability when the adversary is able to conduct remote code execution of the uploaded file via triggering its URL. We design and implement FUSE, the first penetration testing tool designed to discover UFU and UEFU vulnerabilities in server-side PHP web applications. The goal of FUSE is to generate upload requests; each request becomes an exploit payload that triggers a UFU or UEFU vulnerability. However, this approach entails two technical challenges: (1) it should generate an upload request that bypasses all content-filtering checks present in a target web application; and (2) it should preserve the execution semantic of the resulting uploaded file. We address these technical challenges by mutating standard upload requests with carefully designed mutation operations that enable the bypassing of content-filtering checks and do not tamper with the execution of uploaded files. FUSE discovered 30 previously unreported UEFU vulnerabilities, including 15 CVEs from 33 real-world web applications, thereby demonstrating its efficacy in finding code execution bugs via file uploads.
- Paper
-
Tools
- Anti Malware Testfile - EICAR
-
fuxploider
- File upload vulnerability scanner and exploitation tool.
HTML Smuggling
- 101
- Articles/Blogposts/Writeups
- Tools
HTTP Request Smuggling
-
101
-
HTTP request smuggling - Wikipedia
- HTTP request smuggling is a security exploit on the HTTP protocol that uses inconsistency between the interpretation of Content-length and/or Transfer-encoding headers between HTTP server implementations in an HTTP proxy server chain. It was first documented in 2005, and was again repopularized by PortSwigger's research.
- HTTP request smuggling - Portswigger
- HTTP Desync Attacks: Request Smuggling Reborn - James Kettle
- ‘HTTP Request Smuggling’ - Securiteam
- Help you understand HTTP Smuggling in one article - @ZeddYu_Lu
-
Articles/Blogposts/Writeups
- Checking HTTP Smuggling issues in 2015 - Part1 - RBleug(2015)
- Hiding in plain sight: HTTP request smuggling - Travis Isaacson(2020)
- Demystifying HTTP request smuggling - Sam Sanoop
-
The Powerful HTTP Request Smuggling 💪 - Ricardo Iramar dos Santos
- "TL;DR: This is how I was able to exploit a HTTP Request Smuggling in some Mobile Device Management (MDM) servers and send any MDM command to any device enrolled on them for a private bug bounty program."
- h2c Smuggling: Request Smuggling Via HTTP/2 Cleartext (h2c) - Jake Miller(2020)
- HTTP Request Smuggling – 5 Practical Tips - Pieter Hiele(2020)
- XXE-scape through the front door: circumventing the firewall with HTTP request smuggling - Pieter Hiele(2020)
-
Performing
- A Pentester’s Guide to HTTP Request Smuggling - Bursa Demir(2020)
- Smuggling HTTP headers through reverse proxies - Robin Verton(2020)
- HTTP Request Smuggling: Abusing Reverse Proxies - Christopher Elgee(2020)
- WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour - Soroush Dalili(2018)
- Papers
-
Presentations/Talks/Videos
-
HTTP Desync Attacks: Smashing into the Cell Next Door - James Kettle(DEFCON27)
- HTTP requests are traditionally viewed as isolated, standalone entities. In this session, I'll introduce techniques for remote, unauthenticated attackers to smash through this isolation and splice their requests into others, through which I was able to play puppeteer with the web infrastructure of numerous commercial and military systems, rain exploits on their visitors, and harvest over $50k in bug bounties. Using these targets as case studies, I’ll show you how to delicately amend victim's requests to route them into malicious territory, invoke harmful responses, and lure credentials into your open arms. I’ll also demonstrate using backend reassembly on your own requests to exploit every modicum of trust placed on the frontend, gain maximum privilege access to internal APIs, poison web caches, and compromise my favourite login page. Although documented over a decade ago, a fearsome reputation for difficulty and collateral damage has left this attack optimistically ignored for years while the web's susceptibility grew. By applying fresh ideas and new techniques, I’ll unveil a vast expanse of vulnerable systems ranging from huge content delivery networks to bespoke backends, and ensure you leave equipped to devise your own desync techniques and tailor attacks to your target of choice.
-
Hiding Wookiees in HTTP: HTTP smuggling - regilero(Defcon24)
- HTTP is everywhere, everybody wants to write an HTTP server. So I wrote mine :-) But mine not fast, and come with an HTTP client which sends very bad HTTP queries. My tool is a stress tester for HTTP servers and proxies, and I wrote it because I found flaws in all HTTP agents that I have checked in the last year i.e. nodejs, golang, Apache httpd, FreeBSD http, Nginx, Varnish and even Haproxy. This presentation will try to explain how flaws in HTTP parsers can be exploited for bad things; we'll play with HTTP to inject unexpected content in the user browser, or perform actions in his name. If you know nothing about HTTP it should be understandable, but you'll have to trust me blindly at the end. If you think you know HTTP, you have no reason to avoid this talk. Then, the short part, I will show you this new Open Source stress tool that I wrote and hope that you will remember it when you'll write your own HTTP parser for you new f** language.
- Practical Attacks using HTTP Request Smuggling - @defparam(#NahamCon2020)
- HTTP Request Smuggling in 2020 – New Variants, New Defenses and New Challenges - Amit Klein(BHUSA2020)
-
Tools
-
Smuggler
- An HTTP Request Smuggling / Desync testing tool written in Python 3
-
HTTPWookie
- HTTPWookiee is an HTTP server and proxy stress tool (respect of RFC, HTTP Smuggling issues, etc). If you run an HTTP server project contact me for private repository access with more tests.
Image-based Exploitation AKA Exploiting Polyglot features of File standards
- 101
-
Articles/Blogposts/Writeups
- Revisiting XSS payloads in PNG IDAT chunks - Adam Logue
- An XSS on Facebook via PNGs & Wonky Content Types - jack@whitton.io
- Encoding Web Shells in PNG IDAT chunks - idontplaydarts
- Bypassing CSP using polyglot JPEGs - Gareth Heyes
- Hacking group using Polyglot images to hide malvertising attacks - Josh Summit
- BMP/x86 Polyglot - steiner@warroom.securestate
- Upload a web.config File for Fun & Profit - Soroush Dalili
- Uploading web.config for Fun and Profit 2 - Soroush Dalili
- Encoding Web Shells in PNG IDAT chunks - phil
-
Tools
-
xss2png
- A simple tool to generate PNG images with XSS payloads stored in PNG IDAT chunks
-
pixload
- Set of tools for creating/injecting payload into images.
-
PNG-IDAT-Payload-Generator
- Generate a PNG with a payload embedded in the IDAT chunk (Based off of previous concepts and code -- credit in README)
- Imagecreatefromgif-Bypass
Injection Based Attacks
- 101
- Articles/Blogposts/Writeups
-
Command Injection
- 101
- Tools
- Resources
-
JSON(P) Injection
- 101
- Articles/Blogposts/Writeups
-
Talks/Presentations/Videos
-
Web PenTesting Workshop Part 12 of 12 JSON injection - Jeremy Druin
- Video from the ISSA Kentuckiana Web Pen-Testing Workshop.
- Tools
- Resources
- Papers
-
Presentations/Talks/Videos
- Popular Approaches to Preventing Code Injection Attacks are Dangerously Wrong - AppSecUSA 2017
-
Remote Code Execution in Firefox beyond memory corruptions(2019) - Frederik Braun
- Browsers are complicated enough to have attack surface beyond memory safety issues. This talk will look into injection flaws in the user interface of Mozilla Firefox, which is implemented in JS, HTML, and an XML-dialect called XUL. With a Cross-Site Scripting (XSS) in the user interface attackers can execute arbitrary code in the context of the main browser application process. This allows for cross-platform exploits of high reliability. The talk discusses past vulnerabilities and will also suggest mitigations that benefit Single Page Applications and other platforms that may suffer from DOM-based XSS, like Electron.
- Tools
- See also: JNDI, JSON, SQLi, XSS
OS Command Injection
- General
- Testing
- Tools
- Writeups
JNDI Attack Class
- General
-
Testing
-
jndipoc
- Proof of concept showing how java byte code can be injected through InitialContext.lookup() calls
- Tools
- Writeups
Path Confusion Attacks
- 101
- Articles/Papers/Writeups
LFI & RFI
- 101
-
Articles/Papers/Writeups
- LFI with PHPINFO() Assistance - InsomniaSecurity 2011
-
Turning LFI into RFI
- When configured in a specific way, the web application would load the JAR file and search within the file for a class. Interestingly enough, in Java classes you can define a static block that is executed upon the class being processed.
- Unrestricted File Upload Security Testing - Aptive
-
LFI2RCE (Local File Inclusion to Remote Code Execution) advanced exploitation: /proc shortcuts
- This paper exposes the ability from the attacker standpoint to use /proc in order to exploit LFI (Local File Inclusion) vulnerabilities.
- Turning LFI to RFI
- Local file inclusion tricks
- Upgrade from LFI to RCE via PHP Sessions
- CVV #1: Local File Inclusion - SI9INT
- Exploiting Blind File Reads / Path Traversal Vulnerabilities on Microsoft Windows Operating Systems - @evisneffos
- File Inclusion - nets.ec
- SMTP Log Poisoning through LFI to Remote Code Execution - Raj Chandel
- Cheat Sheets/Reference Lists
-
Testing
- OWASP LFI
-
LFI Local File Inclusion Techniques (paper)
- This paper exposes the ability from the attacker standpoint to use /proc in order to exploit LFI (Local File Inclusion) vulnerabilities. While using /proc for such an aim is well known, this one is a specific technique that had not been previously published as far as we know. A tool to automatically exploit LFI using the shown approach is released accordingly.
- Local File Inclusion (LFI) of session files to root escalation - ush.it(2008)
- Windows Blind Files Collection - 0xsp
-
Tools
- dotdotpwn
-
Liffy
- Liffy is a Local File Inclusion Exploitation tool.
-
lfi-labs
- small set of PHP scripts to practice exploiting LFI, RFI and CMD injection vulns
-
psychoPATH - LFI
- This tool is a highly configurable payload generator detecting LFI & web root file uploads. Involves advanced path traversal evasive techniques, dynamic web root list generation, output encoding, site map-searching payload generator, LFI mode, nix & windows support plus single byte generator.
-
Kadimus
- Kadimus is a tool to check sites for LFI vulnerabilities, and also to exploit them.
- lfipwn
- LFISuite
(No)SQL Injection
- 101
- Reference
-
General Articles/Blogposts/Writeups
- Finding SQL injections fast with white-box analysis — a recent bug example - Frycos
- Blind (time-based) SQLi - Bug Bounty - jspin.re
- SELECT code_execution FROM * USING SQLite; Gaining code execution using a malicious SQLite database - Omer Gull
- Beyond SQLi: Obfuscate and Bypass - CWH Underground
- Second Order SQLI: Automating with sqlmap - Jorge Lajara(2019)
- Advanced boolean-based SQLi filter bypass techniques - theMiddle(2020)
- Hunting for SQL injections (SQLis) and Cross-Site Request Forgeries (CSRFs) in WordPress Plugins - Alex Pena(2020)
- SELECT code_execution FROM * USING SQLite; - Omer Gull(2019)
- SQL Injection filter bypass to perform blind SQL Injection - mannulinux.org(2020)
- Papers
- Talks/Presentations/Videos
- Writeups
-
Training
-
SQLi Lab lessons
- SQLI-LABS is a platform to learn SQLI
-
NoSQL
- Articles/Blogposts/Writeups
- MeteorJS
- MongoDB
-
Talks/Presentations/Videos
-
Making Mongo Cry-Attacking NoSQL for Pen Testers - Russell Butturrini(Derbycon2014)
- NoSQL databases continue to grow in popularity due to their scalability, dynamic data structures, ease of development and cloud readiness. As these types of databases become more prevalent, penetration testers need to understand how these databases work, how applications interact with them, and where the inherent weaknesses of NoSQL databases are. This presentation is targeted towards penetration testers and putting the theoretical attacks researchers have discussed into practice during a penetration testing engagement. It will discuss weaknesses with a particular focus on MongoDB and how to quickly and easily exploit them as well as where the high value targets in the system are post exploitation. NoSQLMap, a Python tool written for automatically stealing data from NoSQL database servers and web applications, will also be demoed.
-
Abusing NoSQL Databases - Ming Chow
- Slides
- The days of selecting from a few SQL database options for an application are over. There is now a plethora of NoSQL database options to choose from: some are better than others for certain jobs. There are good reasons why developers are choosing them over traditional SQL databases including performance, scalability, and ease-of-use. Unfortunately, like for many hot technologies, security is largely an afterthought in NoSQL databases. This short but concise presentation will illustrate how poor the quality of security in many NoSQL database systems is. This presentation will not be confined to one particular NoSQL database system. Two sets of security issues will be discussed: those that affect all NoSQL database systems such as defaults, authentication, encryption; and those that affect specific NoSQL database systems such as MongoDB and CouchDB. The ideas that we now have a complicated heterogeneous problem and that defense-in-depth is even more necessary will be stressed. There is a common misconception that SQL injection attacks are eliminated by using a NoSQL database system. While specifically SQL injection is largely eliminated, injection attack vectors have increased thanks to JavaScript and the flexibility of NoSQL databases. This presentation will present and demo new classes of injection attacks. Attendees should be familiar with JavaScript and JSON.
-
Papers
-
No SQL, No Injection? - Examining NoSQL Security - Aviv Ron, Alexandra Shulman-Peleg, Emanuel Bronshtein
- NoSQL data storage systems have become very popular due to their scalability and ease of use. This paper examines the maturity of security measures for NoSQL databases, addressing their new query and access mechanisms. For example, the emergence of new query formats makes the old SQL injection techniques irrelevant, but are NoSQL databases immune to injection in general? The answer is NO. Here we present a few techniques for attacking NoSQL databases such as injections and CSRF. We analyze the source of these vulnerabilities and present methodologies to mitigate the attacks. We show that this new vibrant technological area lacks the security measures and awareness which have developed over the years in traditional RDBMS SQL systems.
-
Tools
-
Nosql-Exploitation-Framework
- A framework for NoSQL scanning and exploitation
-
NoSQL Injector
- NoSQL scanner and injector.
- DB2
-
MongoDB
- 101
-
Tools
-
mongoaudit
- mongoaudit is a CLI tool for auditing MongoDB servers, detecting poor security settings and performing automated penetration testing.
-
mongot
- mongot makes it easy to extract data from open MongoDB instances. By specifying an IP/port with the -d/-p parameters, mongot will connect to an open MongoDB, display any identified database names, collections, and a small sample of data in each.
- MS-SQL
-
MySQL
- 101
- Articles/Blogposts/Writeups
-
Oracle SQL
- 101
- Articles/Blogposts/Writeups
-
PostgreSQL
- 101
-
Articles/Blogposts/Writeups
- PostgreSQL Pass The Hash protocol design weakness
- Ultimate Guide: PostgreSQL Pentesting - Shlok Yadav(2020)
- A Penetration Tester’s Guide to PostgreSQL - David Hayter(2017)
- Attacking Dell Foglight Server - infosecaddicts.com(2017)
- Postgres “unsupported frontend protocol” mystery - Greg Sabino Mullane(2015)
- SQL Injection Double Uppercut :: How to Achieve Remote Code Execution Against PostgreSQL - Steven Seeley
- Ruby on Rails(ActiveRecord)
-
Tools
- sqlmap
-
jSQL Injection
- jSQL Injection is a Java application for automatic SQL database injection.
- mongoaudit
-
Laudanum
- “Laudanum is a collection of injectable files, designed to be used in a pentest when SQL injection flaws are found and are in multiple languages for different environments. They provide functionality such as shell, DNS query, LDAP retrieval and others.”
- GraFScaN
-
Albatar
- Albatar is a SQLi exploitation framework in Python
Path Traversal Attacks
- 101
- Articles/Blogposts/Writeups
-
Tools
-
dotdotpwn
- It's a very flexible, intelligent fuzzer to discover directory traversal vulnerabilities in software such as HTTP/FTP/TFTP servers, web platforms such as CMSs, ERPs, blogs, etc.
Prototype Pollution Attack
- 101
-
Articles/Blogposts/Writeups
- Prototype Pollution Affecting jquery package, versions <3.4.0 - snyk.io
- After three years of silence, a new jQuery prototype pollution vulnerability emerges once again - Liran Tal
- Prototype pollution attack (lodash) - holyvier
- Inheritance and the prototype chain - MozillaDevNetwork
- Prototype pollution attack through jQuery $.extend - Asger Feldthaus(HackerOne)
- Analysis and Exploitation of Prototype Pollution attacks on NodeJs - Nullcon HackIM CTF web 500 writeup - Anirudh Anand
- Prototype Pollution - Michal Bentkowski
- Exploiting prototype pollution – RCE in Kibana (CVE-2019-7609) - Michal Bentkowski
- Presentations, Talks, Videos
- Tools
Reflected File Download
- 101
- Articles/Blogposts/Writeups
- Tools
-
Talks/Presentations/Videos
-
Reflected File Download - A New Web Attack Vector - BHEU 2014
- Skip to 19:24 for technical content
- Paper
Relative Path Overwrite
-
101
-
Relative Path Overwrite Explanation/Writeup
- RPO (Relative Path Overwrite) is a technique to take advantage of relative URLs by overwriting their target file. To understand the technique we must first look into the differences between relative and absolute URLs. An absolute URL is basically the full URL for a destination address including the protocol and domain name whereas a relative URL doesn’t specify a domain or protocol and uses the existing destination to determine the protocol and domain.
-
Articles/Blogposts/Writeups
-
Talks/Presentations/Videos
-
Papers
-
Understanding and Mitigating the Security Risks of Content Inclusion in Web Browsers - Sajjad Arshad(2020)
- In this thesis, I propose novel research into understanding and mitigating the security risks of content inclusion in web browsers to protect website publishers as well as their users. First, I introduce an in-browser approach called Excision to automatically detect and block malicious third-party content inclusions as web pages are loaded into the user’s browser or during the execution of browser extensions. Then, I propose OriginTracer, an in-browser approach to highlight extension-based content modification of web pages. Finally, I present the first in-depth study of style injection vulnerability using RPO and discuss potential countermeasures.
-
General
-
Tools
-
Miscellaneous
- https://owasp.org/www-community/vulnerabilities/Deserialization_of_untrusted_data
- https://i.blackhat.com/eu-19/Thursday/eu-19-Zhang-New-Exploit-Technique-In-Java-Deserialization-Attack.pdf
(De-)Serialization Attacks
-
General
- Articles/Blogposts/Writeups
- Talks/Presentations/Videos
-
.NET
-
Articles/Blogposts/Writeups
- .NET Serialization: Detecting and defending vulnerable endpoints - Alvaro Munoz
- ASP.NET resource files (.RESX) and deserialisation issues - Soroush Dalili
- RCEVIL.NET: A Super Serial Story - Jared McLaren(BSides Iowa2019)
- HITCON 2018: Why so Serials? Write-up - cyku.tw
- HITCON CTF 2018 - Why so Serials? Writeup - Orange
- Talks/Presentations/Videos
- Papers
-
Tools
-
YSoSerial.Net
- ysoserial.net is a collection of utilities and property-oriented programming "gadget chains" discovered in common .NET libraries that can, under the right conditions, exploit .NET applications performing unsafe deserialization of objects. The main driver program takes a user-specified command and wraps it in the user-specified gadget chain, then serializes these objects to stdout. When an application with the required gadgets on the classpath unsafely deserializes this data, the chain will automatically be invoked and cause the command to be executed on the application host.
-
Articles/Blogposts/Writeups
-
Java
-
Articles/Blogposts/Writeups
- The perils of Java deserialization
- Java Deserialization Security FAQ
- The Perils of Java Deserialization
- Detecting deserialization bugs with DNS exfiltration
- Reliable discovery and Exploitation of Java Deserialization vulns
- Fastjson: exceptional deserialization vulnerabilities - Peter Stockli(2020)
- Liferay Portal JSON Web Service RCE Vulnerabilities - Markus Wulftange(2020)
-
General
-
Java-Deserialization-Cheat-Sheet
- A cheat sheet for pentesters about Java Native Binary Deserialization vulnerabilities
-
Presentations/Talks/Videos
- Pwning Your Java Messaging With Deserialization Vulnerabilities
-
Marshalling Pickles - Chris Frohoff, Gabe Lawrence(AppSecCali 2015)
- Slides
- Object serialization technologies allow programs to easily convert in-memory objects to and from various binary and textual data formats for storage or transfer – but with great power comes great responsibility, because deserializing objects from untrusted data can ruin your day. We will look at historical and modern vulnerabilities across different languages and serialization technologies, including Python, Ruby, and Java, and show how to exploit these issues to achieve code execution. We will also cover some strategies to protect applications from these types of attacks.
-
Exploiting Deserialization Vulnerabilities in Java - Matthias Kaiser(2015)
- Deserialization vulnerabilities in Java are lesser known and exploited (compared to unserialize() in PHP). This talk will give insights how this bug class can be turned into serverside Remote Code Execution. Details and a demo will be given for one of my patched vulnerabilities (CVE-2015-6576, Atlassian Bamboo RCE).
-
Deserialize My Shorts Or How I Learned to Start Worrying and Hate Java Object Deserialization - Chris Frohoff, Gabe Lawrence
- Slides
- Object deserialization is an established but poorly understood attack vector in applications that is disturbingly prevalent across many languages, platforms, formats, and libraries. In January 2015 at AppSec California, Chris Frohoff and Gabe Lawrence gave a talk on this topic, covering deserialization vulnerabilities across platforms, the many forms they take, and places they can be found. It covered, among other things, somewhat novel techniques using classes in commonly used libraries for attacking Java serialization that were subsequently released in the form of the ysoserial tool. Few people noticed until late 2015, when other researchers used these techniques/tools to exploit well known products such as Bamboo, WebLogic, WebSphere, ApacheMQ, and Jenkins, and then services such as PayPal. Since then, the topic has gotten some long-overdue attention and great work is being done by many to improve our understanding and developer awareness on the subject. This talk will review the details of Java deserialization exploit techniques and mitigations, as well as report on some of the recent (and future) activity in this area.
- Automated Discovery of Deserialization Gadget Chains - Ian Haken(Defcon26)
- In-Memory Data Grid Applications: Finding Common Java Deserialization Vulnerabilities with CodeQL - Man Yue Mo(2019)
-
Oracle Java Deserialization Vulnerabilities - Stephen Kost, Phil Reimann(2016)
- Java deserialization is a class of security vulnerabilities that can result in server-side remote code execution (RCE). As many Oracle products are based on Java, deserialization bugs are found in many Oracle environments especially those using Oracle WebLogic, Oracle Fusion Middleware, and Oracle E-Business Suite. As an example, in November 2015 Oracle released an out-of-cycle security fix (CVE-2015-4852) in order to fix a deserialization bug in Oracle WebLogic. This education webinar provides an understanding of Java deserialization vulnerabilities, the potential impact for Oracle environments, and strategies to protect an Oracle environment from this class of security vulnerabilities.
- Defending against Java Deserialization Vulnerabilities - Luca Carettoni(2016)
-
Java Serialization security issues - Erno Jeges - OWASP Bay Area(2018)
- In this short talk, we'll take a look at the various security issues coming from deserializing untrusted data in Java: information disclosure, denial of service, and even code execution. We'll examine these issues through live demonstrations with step-by-step explanations of what can go wrong – and how. Most importantly, we'll discuss several best practices and countermeasures you can use as a developer to protect yourself from these issues – or prevent them from affecting you in the first place.
-
Deserialization: what, how and why [not] - Alexei Kojenov(AppSec USA2018)
- Slides
- Code
- Insecure deserialization was recently added to OWASP's list of the top 10 most critical web application security risks, yet it is by no means a new vulnerability category. For years, data serialization and deserialization have been used in applications, services and frameworks, with many programming languages supporting them natively. Deserialization got more attention recently as a potential vehicle to conduct several types of attacks: data tampering, authentication bypass, privilege escalation, various injections and, ultimately, remote code execution. Two prominent vulnerabilities in Apache Commons and Apache Struts, both allowing remote code execution, also contributed to raising awareness of this risk. We will discuss how data serialization and deserialization are used in software, the dangers of deserializing untrusted input, and how to avoid insecure deserialization vulnerabilities. The presentation will contain several code examples with live demos of bypassing security controls due to incorrect deserialization. The examples and demos will use Java and its native serialization, but the techniques can be extrapolated to other languages and formats.
-
New Exploit Technique In Java Deserialization Attack - Yang Zhang, Yongtao Wang, Keyi Li, Kunzhe Chai(BHEU2019)
- In our in-depth research, we analyzed more than 10000 Java third-party libraries and found many cases which can be exploited in real-world attack scenarios. In this talk, we will bat around the principle and exploit technique of these vulnerabilities. Also, we will present how to pwn the target server with our new exploit technique. It can not only improve the effect of Java deserialization vulnerabilities but also enhance the impact of other Java security issues, and we will discuss the profound impacts of the attack vector in the Java security field.
-
Papers
-
Java Unmarshaller Security - Turning your data into code execution
- This paper presents an analysis, including exploitation details, of various Java open-source marshalling libraries that allow(ed) for unmarshalling of arbitrary, attacker supplied, types and shows that no matter how this process is performed and what implicit constraints are in place it is prone to similar exploitation techniques.
- tool from the above paper: marshalsec
-
Tools
-
Break Fast Serial
- A proof of concept that demonstrates asynchronous scanning for Java deserialization bugs
- ysoserial
-
JMET
- JMET was released at Blackhat USA 2016 and is an outcome of Code White's research effort presented in the talk "Pwning Your Java Messaging With Deserialization Vulnerabilities". The goal of JMET is to make the exploitation of the Java Message Service (JMS) easy. In the talk more than 12 JMS client implementations were shown to be vulnerable to deserialization attacks. The specific deserialization vulnerabilities were found in ObjectMessage implementations (classes implementing javax.jms.ObjectMessage).
-
GadgetProbe
- GadgetProbe takes a wordlist of Java classes, outputs serialized DNS callback objects, and reports what's lurking in the remote classpath.
- Blogpost
-
marshalsec
- This paper presents an analysis, including exploitation details, of various Java open-source marshalling libraries that allow(ed) for unmarshalling of arbitrary, attacker supplied, types and shows that no matter how this process is performed and what implicit constraints are in place it is prone to similar exploitation techniques.
-
Exploits
-
SerialKiller: Bypass Gadget Collection
- Collection of Bypass Gadgets that can be used in JVM Deserialization Gadget chains to bypass "Look-Ahead ObjectInputStreams" defensive deserialization.
-
Serianalyzer
- A static byte code analyzer for Java deserialization gadget research
-
Java Deserialization Exploits
- A collection of Java Deserialization Exploits
-
Java Deserialization Exploits
- A collection of curated Java Deserialization Exploits
-
Articles/Blogposts/Writeups
- .NET
-
.NET Serialization: Detecting and defending vulnerable endpoints - Alvaro Muñoz(LocoMocoSec2018)
- 2016 was the year of Java deserialization apocalypse. Although Java Deserialization attacks were known for years, the publication of the Apache Commons Collection Remote Code Execution gadget (RCE from now on) finally brought this forgotten vulnerability to the spotlight and motivated the community to start finding and fixing these issues. .NET is next in line; formatters such as BinaryFormatter and NetDataContractSerializer are known to share similar mechanics which make them potentially vulnerable to similar RCE attacks. However, as we saw with Java before, the lack of RCE gadgets led some software vendors to not take this issue seriously. In this talk, we will analyze .NET serializers including third party JSON parsers for potential RCE vectors. We will provide real-world examples of vulnerable code and more importantly, we will review how these vulnerabilities were detected and fixed in each case.
-
Friday the 13th: Attacking JSON - Alvaro Muñoz & Oleksandr Mirosh(AppSecUSA 2017)
- 2016 was the year of Java deserialization apocalypse. Although Java Deserialization attacks were known for years, the publication of the Apache Commons Collection Remote Code Execution (RCE from now on) gadget finally brought this forgotten vulnerability to the spotlight and motivated the community to start finding and fixing these issues. One of the most suggested solutions for avoiding Java deserialization issues was to move away from Java Deserialization altogether and use safer formats such as JSON. In this talk, we will analyze the most popular JSON parsers in both .NET and Java for potential RCE vectors. We will demonstrate that RCE is also possible in these libraries and present details about the ones that are vulnerable to RCE by default. We will also discuss common configurations that make other libraries vulnerable. In addition to focusing on JSON format, we will generalize the attack techniques to other serialization formats. In particular, we will pay close attention to several serialization formats in .NET. These formats have also been known to be vulnerable since 2012 but the lack of known RCE gadgets led some software vendors to not take this issue seriously. We hope this talk will change this. With the intention of bringing the due attention to this vulnerability class in .NET, we will review the known vulnerable formats, present other formats which we found to be vulnerable as well and conclude presenting several gadgets from system libraries that may be used to achieve RCE in a stable way: no memory corruption -- just simple process invocation. Finally, we will provide recommendations on how to determine if your code is vulnerable, provide remediation advice, and discuss alternative approaches.
- PHP
-
Python
- Articles/Blogposts/Writeups
- Talks
-
Marshalling Pickles - Chris Frohoff & Gabriel Lawrence(OWASPAppSec California2015)
- Object serialization technologies allow programs to easily convert in-memory objects to and from various binary and textual data formats for storage or transfer – but with great power comes great responsibility, because deserializing objects from untrusted data can ruin your day. We will look at historical and modern vulnerabilities across different languages and serialization technologies, including Python, Ruby, and Java, and show how to exploit these issues to achieve code execution. We will also cover some strategies to protect applications from these types of attacks.
-
Ruby
- See the PHP section for PHP Specific attacks
- Articles/Blogposts/Writeups
-
Talks
-
Marshalling Pickles - Chris Frohoff & Gabriel Lawrence(OWASPAppSec California2015)
- Object serialization technologies allow programs to easily convert in-memory objects to and from various binary and textual data formats for storage or transfer – but with great power comes great responsibility, because deserializing objects from untrusted data can ruin your day. We will look at historical and modern vulnerabilities across different languages and serialization technologies, including Python, Ruby, and Java, and show how to exploit these issues to achieve code execution. We will also cover some strategies to protect applications from these types of attacks.
Server Side Request Forgery (SSRF)
- 101
-
General
-
AllThingsSSRF
- This is a collection of writeups, cheatsheets, videos, related to SSRF in one single location
-
Articles/Blogposts/Writeups
- SSRF vs Business-Critical Applications Part 1: XXE Tunneling In SAP Net Weaver - erpscan
- A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages! - Orange Tsai - BH USA 17
- curl Based SSRF Exploits Against Redis
- Pivoting from blind SSRF to RCE with HashiCorp Consul
- How I Chained 4 vulnerabilities on GitHub Enterprise, From SSRF Execution Chain to RCE!
- Airbnb – Chaining Third-Party Open Redirect into Server-Side Request Forgery (SSRF) via LivePerson Chat - Brett Buerhaus
- CVE-2020-13379 Unauthenticated Full-Read SSRF in Grafana - rhynorater(2020)
- Blind SSRF exploitation - wallarm(2020)
-
Papers
- Cracking the Lens: Targeting HTTP's Hidden Attack Surface
- LAN-Based Blind SSRF Attack Primitive for Windows Systems (switcheroo) - initblog
- Exploiting an SSRF: Trials and Tribulations - https://medium.com/a-bugz-life/exploiting-an-ssrf-trials-and-tribulations-14c5d8dbd69a
-
Presentations, Talks, Videos
- Server-Side Browsing Considered Harmful - Nicolas Gregoire(AppSec EU15)
- A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages - Orange Tsai(BHUSA2017)
-
Owning The Cloud Through Server-Side Request Forgery - Ben Sadeghipour, Cody Brocious (Daeken)
- With how many apps are running in the cloud, hacking these instances becomes easier with a simple vulnerability due to an unsanitized user input. In this talk, we’ll discuss a number of different methods that helped us exfil data from different applications using Server-Side Request Forgery (SSRF). Using these methods, we were able to hack some of the major transportation, hospitality, and social media companies and make $50,000 in rewards in 3 months.
-
Server Side Request Forgery (SSRF) All-In-One - Busra Demir(2020)
- In this video, Busra Demir will explore how to exploit Server Side Request Forgery (SSRF) using different attack scenarios. She will dig into how to exploit an SSRF vulnerability: on a Hack the Box machine called Player (SSRF - FFMPEG exploit); on a Hack the Box machine called Kotarak (SSRF filter bypass/port scan); by combining it with SQL injection on a VulnHub machine called 6Days; and combined with HTML injection on the VulnHub machine Gemini Inc 1.
- Testing
- Tools
Server Side Include
- General
- Testing
Client/Server Side Template Injection
-
General
- Server-Side Template Injection: RCE for the modern webapp
-
Server-Side Template Injection
- Video
- This paper defines a methodology for detecting and exploiting template injection, and shows it being applied to craft RCE zero-days for two widely deployed enterprise web applications. Generic exploits are demonstrated for five of the most popular template engines, including escapes from sandboxes whose entire purpose is to handle user-supplied templates in a safe way.
-
Purposefully Vulnerable Webapps
-
Breakable Flask
- A simple vulnerable Flask application.
- Injecting Flask - Nvisium
-
hackable - JasonHinds
- A Python Flask app that is purposefully vulnerable to SQL injection and XSS attacks
- Writeups
-
Talks, Presentations, Videos
-
SEC642: Killing snakes for fun, Flask SSTIs and RCEs in Python - Moses Frost(SANS)
- Here is a word: Reflection. How many times have you read the words SSTI or even CSTI and wondered what they actually did, how they worked, or how to execute one? How can you take a file reading vulnerability like SSTI into a Remote Code Execution exploit? In this talk we will give you a glance into the SEC642 topic on Server Side Template Injection in Flask and taking that one concept a few steps further by introducing Python Method Reflection to execute code, and even backdoors. Join Moses Frost as he discusses this and other topics that are found in SEC642: Advanced Web App Penetration Testing, Ethical Hacking, and Exploitation Techniques.
-
Tools
-
tplmap
- Code and Server-Side Template Injection Detection and Exploitation Tool
- Templates Injections - PayloadsAllTheThings
- Exploiting Custom Template Engines - Dalton Campbell
Subdomain Hijack/Takeover
- 101
- Articles/Blogposts/Writeups
- Talks/Presentations
- Tools
Website Imaging(Taking Snapshots of WebPages)
- 101
-
Tools
-
EyeWitness
- EyeWitness is designed to take screenshots of websites, provide some server header info, and identify default credentials if possible.
-
gowitness
- A Go web screenshot utility using headless Chrome
-
SharpWitness
- C# implementation of EyeWitness
-
webDisco
- Web discovery tool to capture screenshots from a list of hosts & vhosts. Requests are made via IP address and vhosts to determine differences. Additionally checks for common administrative interfaces and web server misconfigurations.
-
PowerWebShot
- A PowerShell tool for taking screenshots of multiple web servers quickly.
-
Kraken
- Kraken is a tool to help make your web interface testing workflow more efficient. This is done by using Django, Apache, and a MySQL database to store and organize web interface screenshots and data. This allows you and your team to take notes and track which hosts have been tested simultaneously. Once you are finished, you can view the notes you took and generate reports in the Reports section.
(Bit)/Typo-squatting
- 101
- Articles/Blogposts/Writeups
-
Talks/Presentations/Videos
-
Examining the Bitsquatting Attack Surface - Jaeson Schultz(Defcon21)
- Paper
- Bit errors in computer memory, when they occur in a stored domain name, can cause Internet traffic to be directed to the wrong Internet location potentially compromising security. When a domain name one bit different from a target domain is registered, this is called "bitsquatting". This presentation builds on previous work in this area presented by Artem Dinaburg at Blackhat 2011. Cisco's research into bitsquatting has revealed several previously unknown vectors for bitsquatting. Cisco has also discovered several new mitigations which do not involve installation of error correcting memory, nor the mass registration of bitsquat domains. In fact some of the new mitigations have the potential to render the problem of bitsquatting to the dustbin of history.
Web Shells
- Articles
-
Detection
-
Case Study: How Backdoors Bypass Security Solutions with Advanced Camouflage Techniques
- Look at PHP obfuscation methods for webshells
-
NeoPI
- What is NeoPI? NeoPI is a Python script that uses a variety of statistical methods to detect obfuscated and encrypted content within text/script files. The intended purpose of NeoPI is to aid in the detection of hidden web shell code. The development focus of NeoPI was creating a tool that could be used in conjunction with other established detection methods such as Linux Malware Detect or traditional signature/keyword based searches.
-
Shell Detector
- Shell Detector is an application that helps you find and identify PHP/CGI (Perl)/ASP/ASPX shells. Shell Detector has a “web shells” signature database that helps to identify a “web shell” up to 99%.
-
Loki - Simple IOC Scanner
- Scanner for Simple Indicators of Compromise
-
Tools
-
Weevely
- Weevely is a command line web shell dynamically extended over the network at runtime, used for remote administration and pen testing. It provides a weaponized telnet-like console through a PHP script running on the target, even in restricted environments. The low footprint agent and over 30 modules shape an extensible framework to administrate, conduct a pen-test, post-exploit, and audit remote web accesses in order to escalate privileges and pivot deeper into internal networks.
- Getting Started
-
b374k shell 3.2
- This PHP shell is a useful tool for system or web administrators to do remote management without using cPanel or connecting via SSH, FTP, etc. All actions take place within a web browser.
- Simple websockets based webshell
-
JSShell
- An interactive multi-user web based JS shell written in Python with Flask (for server side) and of course JavaScript and HTML (client side). It was initially created to debug remote esoteric browsers during tests and research. I'm aware of other purposes this tool might serve, use it at your own responsibility and risk.
-
htshells
- Self contained web shells and other attacks via .htaccess files.
- Encoding Web Shells in PNG IDAT chunks - idontplaydarts.com
-
novahot
- novahot is a webshell framework for penetration testers. It implements a JSON-based API that can communicate with trojans written in any language. By default, it ships with trojans written in PHP, ruby, and python. Beyond executing system commands, novahot is able to emulate interactive terminals, including mysql, sqlite3, and psql. It additionally implements "virtual commands" that make it possible to upload, download, edit, and view remote files locally using your preferred applications.
-
XSS
-
101
- Types of Cross-Site Scripting - OWASP
-
Postcards from a Post-XSS World - Michael Zalewski
- This page is a rough collection of notes on some of the fundamental alternatives to direct script injection that would be available to attackers following the universal deployment of CSP or other security mechanisms designed to prevent the execution of unauthorized scripts. I hope to demonstrate that in many cases, the capabilities offered by these alternative methods are highly compatible with the goals of contemporary XSS attacks.
- "Gimme a bit!" - Exploring Attacks in the "Post-XSS" World - Takashi Yoneuchi
- Cross Site Scripting Prevention Cheat Sheet - OWASP
- CERT Advisory CA-2000-02 Malicious HTML Tags Embedded in Client Web Requests
- HTML Code Injection and Cross-site Scripting - Gunter Ollmann
- Flirting with MIME Types: A Browser’s Perspective - Blake Frantz
-
Articles/Blogposts/Writeups
- Actual XSS in 2020 - Samuel Anttila(2020)
- Getting Real with XSS - Olive Simonnet(2019)
- XSS technique without parentheses - The Spanner
- Text/Plain Considered Harmful - Jan
- Setting The ‘REFERER’ Header Using Javascript - Drew Kirkpatrick(2020)
- Unleashing an Ultimate XSS Polyglot - Ahmed Elsobky
- Password stealing from HTTPS login page and CSRF protection bypass with reflected XSS - Michael Koczwara(2020)
- What is the use of CDATA inside JavaScript tags and HTML? - sptrac.com(2017)
- Detecting valid tags/events on XSS exploitation. - Jorge Lajara(2020)
-
Presentations, Talks, Videos
- Self XSS: we’re not so different you and I - Mathias Karlsson
-
Scriptless Attacks – Stealing the Pie Without Touching the Sill
- Due to their high practical impact, Cross-Site Scripting (XSS) attacks have attracted a lot of attention from the security community members. In the same way, a plethora of more or less effective defense techniques have been proposed, addressing the causes and effects of XSS vulnerabilities. As a result, an adversary often can no longer inject or even execute arbitrary scripting code in several real-life scenarios. In this paper, we examine the attack surface that remains after XSS and similar scripting attacks are supposedly mitigated by preventing an attacker from executing JavaScript code. We address the question of whether an attacker really needs JavaScript or similar functionality to perform attacks aiming for information theft. The surprising result is that an attacker can also abuse Cascading Style Sheets (CSS) in combination with other Web techniques like plain HTML, inactive SVG images or font files. Through several case studies, we introduce the so-called scriptless attacks and demonstrate that an adversary might not need to execute code to preserve his ability to extract sensitive information from well protected websites. More precisely, we show that an attacker can use seemingly benign features to build side channel attacks that measure and exfiltrate almost arbitrary data displayed on a given website. We conclude this paper with a discussion of potential mitigation techniques against this class of attacks. In addition, we have implemented a browser patch that enables a website to make a vital determination as to being loaded in a detached view or pop-up window. This approach proves useful for prevention of certain types of attacks we here discuss.
- "Gimme a bit!" - Exploring Attacks in the "Post-XSS" World - Takashi Yoneuchi
- Tricks For Weaponizing XSS - Drew Kirkpatrick
-
Understanding XSS - Christina Mitchell(Nolacon2019)
- Come learn in depth about the web vulnerability XSS. First we discuss how browsers and web apps work to better understand how it's possible. Then we will cover the following: how to spot it in the wild, how to exploit it, remediation steps, and impact. How can I inject into your webpage? Come learn how!
- Popping Shells Instead of Alert Boxes: Weaponizing XSS For Fun and Profit - Drew Kirkpatrick(2019)
-
Bypass Techniques & Writeups
- Cheat-Sheets/References
-
Filter Evasion
- XSS cheatsheet Esp: for filter evasion - RSnake
- Bypassing XSS Detection Mechanisms - Somdev Sangwan(2018)
- XSS Filter Evasion - Zbigniew Banach(2019)
- XSS without parentheses and semi-colons - Gareth Heyes(2019)
- Bypass XSS filters using JavaScript global variables - theMiddle
- Executing non-alphanumeric JavaScript without parenthesis - Gareth Heyes
- Non-alphanumeric code With JavaScript & PHP - Gareth Heyes
- CTF Challenge: INS Hack 2019 / Bypasses Everywhere - corb3nik
- JavaScript without parentheses using DOMMatrix - Gareth Heyes(2020)
- Arbitrary Parentheses-less XSS(against strict CSP policies) - terjang(2020)
- XSS: Arithmetic Operators & Optional Chaining To Bypass Filters & Sanitization - theMiddle(2020)
- Images
- Length
- Restricted Character Sets
- SVG
-
Other
- Bypass XSS Protection with xmp, noscript, noframes.. etc.. - Hahwul
- MITM XSS Protection – Still Popping Alerts - doyler.net(2017)
- Attacking and defending JavaScript sandboxes - Gareth Heyes(2020)
- Evading defences using VueJS script gadgets - Gareth Heyes(2020)
- Escaping JavaScript sandboxes with parsing issues - Gareth Heyes(2020)
- Bypassing modern XSS mitigations with code-reuse attacks - Alexander Andersson(2020)
- Lists
- Cheat-Sheets
-
Types-Of
-
DOM-based
- 101
- Articles/Blogposts/Writeups
-
Talks/Presentations/Videos
-
In the DOM - no one will hear you scream - Mario Heiderich(Garage4Hackers Ranchoddas Webcast2014)
- This talk is about the DOM and its more twilight areas. We'll see the weird parts and talk about where and why this might be security critical and affect your precious online applications, browser extensions or packaged apps. To understand the foundations of what the DOM has become by today, we'll further explore the historical parts - who created the DOM, what was the intention and who fought dirty about it during the browser wars. Finally, we'll see a DOM based attack called "DOM Clobbering". An attack that is everything but obvious and affected a very popular and commonly used Rich Text Editor. Be prepared for a lot of tech-talk as well as fear and loathing in the browser window. But don't shed no tears, there's a tool that fixes the security crazy for you and this talk will present it.
-
Don't Trust The DOM: Bypassing XSS Mitigations Via Script Gadgets - Sebastian Lekies(AppSecEU2017)
- Over the years many techniques have been introduced to prevent or mitigate XSS. Thereby, most of these techniques such as HTML sanitizers or CSP focus on script tags and event handlers. In this talk, we present a novel Web hacking technique that enables an attacker to bypass these mitigations. In order to do so, the attacker abuses so-called script gadgets. A gadget is a legitimate piece of JS in a page that reads elements via selectors and processes them in a way that results in script execution. To abuse a gadget, the attacker injects benign elements that match the gadget’s selector. Subsequently, the gadget selects the elements and executes the attacker's scripts. As the attacker's markup is benign it passes HTML sanitizers and security policies. The XSS only surfaces when the gadget mistakenly elevates the privileges of the element. Based on real-world examples, we will demonstrate that these gadgets are present in almost all modern JavaScript libraries, APIs and applications.
-
Breaking XSS Mitigations Via Script Gadgets - Sebastian Lekies, Krzysztof Kotowicz & Eduardo Vela(BHUSA2017)
- In this talk, we present a novel Web hacking technique that enables an attacker to circumvent most XSS mitigations. In order to do so, the attacker abuses so-called script gadgets. A script gadget is a legitimate piece of JavaScript in a page that reads elements from the DOM via selectors and processes them in a way that results in script execution.
-
Eval Villain: Simplifying DOM XSS and JS Reversing - Dennis Goodlett(BSidesCLE2019)
- JavaScript cruft is growing faster than my ability to read. Since I can't read every line of code, I need tools to find important lines. Eval Villain is a web extension for Firefox that hooks native JavaScript functions before the page loads so that you will be notified every time a function is called. Eval Villain has discovered instances of DOM XSS that only appear in 1 of 100 page loads. It makes the reversing of malicious, second-stage encrypted JavaScript code trivial. I plan on walking through all the features of this tool using examples. To follow along, bring a computer that can run Firefox.
- https://www.irongeek.com/i.php?page=videos/bsidescleveland2019/bsides-cleveland-c-00-eval-villain-simplifying-dom-xss-and-js-reversing-dennis-goodlett
-
- Papers
- Tools
-
Writeups(DOM XSS)
- $20000 Facebook DOM XSS - Vinoth Kumar(2020)
- INTIGRITI XSS CHALLENGE WRITE-UP - František Uhrecký(2019)
- The XSS challenge that +100k people saw but only 90 solved - Intigriti(2019)
- How our community hacked our own XSS challenge - Intigriti(2019)
- Intigriti Easter XSS Challenge Write-up - Abdullah Hussam(2020)
- Intigriti XSS Challenge Write-Up - Renaud Martinet(2019)
- Intigriti XSS Challenge #4 - PSPAUL(2019)
- Intigriti Easter XSS Challenge 2020 Write Up - lboynton.com(2020)
- Intigriti XSS Challenge – Fun with DOM XSS - doyler.net(2019)
- Solving Intigriti Challenge using… Content Injection! - Amal Murali(2020)
- Finally! HOW TO solve the INTIGRITI Easter XSS challenge using only Chrome DEVTOOLS! - ST0K
-
Mutation XSS
- 101
-
Articles/Blogposts/Writeups
- mXSS - TheSpanner(2014)
- Write-up of DOMPurify 2.0.0 bypass using mutation XSS - Michał Bentkowski(2019)
- Mutation XSS - Infinite8security(2016)
- Mutation XSS in Google Search - Tomasz Andrzej Nidecki(2019)
- Mutation XSS- A Unique class of XSS - Pankaj Rane(2019)
- Mutation XSS via namespace confusion – DOMPurify < 2.0.17 bypass - Michal Bentkowski (2020)
- Bypassing DOMPurify again with mutation XSS - Gareth Heyes(2020)
- Talks/Presentations/Videos
-
Papers
-
mXSS attacks: Attacking well-secured web-applications by using innerHTML mutations - Mario Heiderich, Jörg Schwenk, Tilman Frosch, Jonas Magazinius(2013)
- Back in 2007, Hasegawa discovered a novel Cross-Site Scripting (XSS) vector based on the mistreatment of the backtick character in a single browser implementation. This initially looked like an implementation error that could easily be fixed. Instead, as this paper shows, it was the first example of a new class of XSS vectors, the class of mutation-based XSS (mXSS) vectors, which may occur in innerHTML and related properties. mXSS affects all three major browser families: IE, Firefox, and Chrome. We were able to place stored mXSS vectors in high-profile applications like Yahoo! Mail, Rediff Mail, OpenExchange, Zimbra, Roundcube, and several commercial products. mXSS vectors bypassed widely deployed server-side XSS protection techniques (like HTML Purifier, kses, htmlLawed, Blueprint and Google Caja), client-side filters (XSS Auditor, IE XSS Filter), Web Application Firewall (WAF) systems, as well as Intrusion Detection and Intrusion Prevention Systems (IDS/IPS). We describe a scenario in which seemingly immune entities are being rendered prone to an attack based on the behavior of an involved party, in our case the browser. Moreover, it proves very difficult to mitigate these attacks: In browser implementations, mXSS is closely related to performance enhancements applied to the HTML code before rendering; in server side filters, strict filter rules would break many web applications since the mXSS vectors presented in this paper are harmless when sent to the browser. This paper introduces and discusses a set of seven different subclasses of mXSS attacks, among which only one was previously known. The work evaluates the attack surface, showcases examples of vulnerable high-profile applications, and provides a set of practicable and low-overhead solutions to defend against these kinds of attacks.
-
Automation of Mutated Cross Site Scripting - Anchal Tiwari, J. Jeysree
- Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted web sites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it. In browsers, mutation events occur when there is a change in the DOM structure. There are various ways in which the DOM structure could be changed, among which the innerHTML property is discussed specifically. mXSS is a new class of XSS vectors, the class of mutation-based XSS (mXSS) vectors, which may occur in innerHTML and related properties. mXSS affects all three major browser families: IE, Firefox, and Chrome. mXSS could be placed in major browser families, affecting major web applications. In this paper we apply the idea of mutation-based testing technique to generate adequate test data sets for testing XSSVs. Our work addresses XSSVs related to web-applications that use PHP and JavaScript code to generate dynamic HTML contents. Finally there would be the development of an automatic tool which would generate mutants automatically, automatically testing the web application and finally giving the output.
-
-
Persistent XSS
- 101
-
Articles/Blogposts/Writeups
- General
- Blind
- File-Based
- Talks/Presentations/Videos
- Papers
-
Reflected XSS
- 101
-
Articles/Blogposts/Writeups
- Reflected XSS at Philips.com - Jonathan Bouman
- How I XSS’ed Uber and Bypassed CSP - Efkan(2018)
- admin.google.com Reflected Cross-Site Scripting (XSS) - Brett Buerhaus(2015)
- From Reflected XSS to Account Takeover — Showing XSS Impact - A Bug'z Life(2019)
- Reflected DOM XSS and CLICKJACKING on https://silvergoldbull.de/bt.html - Daniel Maksimovic(2018)
- Talks/Presentations/Videos
- Papers
-
DOM-based
-
JS Framework-Specific
- Angular
- React.js
-
JSON Hijacking
-
101
- JSON Hijacking Demystified - Rohini Sulatycki(2012)
- Reflected XSS via JSON executed with Burp, but how to do it in realistic conditions? - StackOverflow
- XSS : Content-type: application/json - StackOverflow
- Is it possible to XSS exploit JSON responses with proper JavaScript string escaping - StackOverflow
-
Articles/Blogposts/Writeups
- Story of a JSON XSS - Nikhil Mittal(2017)
- JSON hijacking for the modern web - Gareth Heyes(2020)
- Exploiting JSON Framework : 7 Attack Shots - Aditya K. Sood
- Attacking JSON Application : Pentesting JSON Application - Narendra Bhati(2018)
- Airbnb – When Bypassing JSON Encoding, XSS Filter, WAF, CSP, and Auditor turns into Eight Vulnerabilities - Brett Buerhaus
- JSON based XSS - Koumudi Garikipati(2020)
- XSSing Google Code-in thanks to improperly escaped JSON data - Thomas Orlita
-
101
-
Testing
- XSS Test String Dump
- HTML Purifier XSS Attacks Smoketest
-
Cross-site scripting (XSS) cheat sheet - PortSwigger
- This cross-site scripting (XSS) cheat sheet contains many vectors that can help you bypass WAFs and filters. You can select vectors by the event, tag or browser and a proof of concept is included for every vector. This cheat sheet is regularly updated in 2019. Last updated: Fri, 08 Nov 2019
-
Training
- XSS-Game.appspot
-
Firing-Range
- Firing Range is a test bed for web application security scanners, providing synthetic, wide coverage for an array of vulnerabilities.
- XSSer
- prompt.ml - XSS Injection Game
- alert1 to win - XSS Injection Game
-
Tools
- xsscrapy
- XSS Sniper
-
Xenotix
- OWASP Xenotix XSS Exploit Framework is an advanced Cross Site Scripting (XSS) vulnerability detection and exploitation framework.
-
xssValidator
- This is a burp intruder extender that is designed for automation and validation of XSS vulnerabilities.
-
Shuriken
- Cross-Site Scripting (XSS) command line tool for testing lists of XSS payloads on web apps.
-
XSStrike
- XSStrike is an advanced XSS detection and exploitation suite.
-
iframeBusterXSS
- Check for known iframeBuster XSS
-
XSS tag_event analyzer
- Script to test suitable XSS payloads when tag/events are validated in a weak way.
- Security Headers(scanner)
-
Writeups
- Writing an XSS Worm
- XSS without HTML: Client-Side Template Injection with AngularJS
- XSS in AngularJS video series (walkthrough) - explaining some AngularJS sandbox bypasses, which resulted in the removal of the sandbox in 1.6
- Chaining Cache Poisoning To Stored XSS - Rohan Aggarwal
- Stealing JWTs in localStorage via XSS - David Roccasalva
- Penetration testing & window.opener — XSS vectors part 1 - Josh Graham
- A Questionable Journey From XSS to RCE - Dominik Penner
- Firefox uXSS and CSS XSS - leucosite.com
- Referer XSS with a Side of Link Injection - doyler.net
- XSS in steam react chat client - Zemmez
- Cerberus FTP Blind Cross-Site Scripting to remote code execution as SYSTEM. (Version 9 and 10) - Kevin(secu.dk)
- Winning Intigriti's XSS Challenge - Ryan Wise
- iOS Bug Hunting – Web View XSS - Allyson O'Malley
- XSS in GMail’s AMP4Email via DOM Clobbering - Michal Bentkowski
-
Auditing a Payment Processing of a Booking Framework - Jorge Lajara(2018)
- This article is thanks to the collaboration with Rayco Betancor and his crazy ideas and deep knowledge of how a Payment processing works, and a lot of trying different requests, forcing errors and trying harder.
- Sarahah XSS Exploitation Tool - Compromising Sarahah Users. - Shawar Khan
- A Questionable Journey From XSS to RCE - Dominik Penner(2019)
- Documenting the impossible: Unexploitable XSS labs - Gareth Heyes
- Art of bug bounty: a way from JS file analysis to XSS - Jakub Żoczek(2020)
- XSS a Paste Service - Pasteurize (web) Google CTF 2020 - LiveOverflow(2020)
- URL validation bypass | Filedescriptor solves Intigriti's XSS challenge - Reconless(2020)
-
Payloads
- Cross Site Scripting (XSS) Vulnerability Payload List
- Stealing HttpOnly Cookie via XSS - Yasser Gersy(2018)
-
Tiny-XSS-Payloads
- A collection of tiny XSS Payloads that can be used in different contexts.
Cross-Site History Manipulation
- 101
- Articles/Papers/Talks/Writeups
- Tools
- Miscellaneous
Tabnabbing Attacks
-
101
- Tabnabbing: A New Type of Phishing Attack - Aza Raskin
-
Reverse Tabnabbing - OWASP
- Reverse tabnabbing is an attack where a page linked from the target page is able to rewrite that page, for example to replace it with a phishing site. As the user was originally on the correct page they are less likely to notice that it has been changed to a phishing site, especially if the site looks the same as the target. If the user authenticates to this new page then their credentials (or other sensitive data) are sent to the phishing site rather than the legitimate one.
- Articles/Papers/Talks/Writeups
- Tools
Timing-based Attacks/Data race Attacks
- 101
- Articles/Blogposts/Writeups
-
Papers
-
Race Detection for Web Applications - Boris Petrov, Martin Vechev, Manu Sridharan, Julian Dolby
- We present the first formulation of a happens-before relation for common web platform features. Developing this relation was a non-trivial task, due to complex feature interactions and browser differences. We also present a logical memory access model for web applications that abstracts away browser implementation details. Based on the above, we implemented WEBRACER, the first dynamic race detector for web applications. WEBRACER is implemented atop the production-quality WebKit engine, enabling testing of full-featured web sites. WEBRACER can also simulate certain user actions, exposing more races. We evaluated WEBRACER by testing a large set of Fortune 100 company web sites. We discovered many harmful races, and also gained insights into how developers handle asynchrony in practice.
-
-
Tools
-
Requests-Racer
- Requests-Racer is a small Python library that lets you use the Requests library to submit multiple requests that will be processed by their destination servers at approximately the same time, even if the requests have different destinations or have payloads of different sizes. This can be helpful for detecting and exploiting race condition vulnerabilities in web applications. (For more information, see motivation.md.)
-
Race the Web
- Tests for race conditions in web applications by sending out a user-specified number of requests to a target URL (or URLs) simultaneously, and then compares the responses from the server for uniqueness. Includes a number of configuration options.
-
timing_attack
- Perform timing attacks against web applications
-
Race condition exploit
- Tool to help with the exploitation of web application race conditions
-
- Miscellaneous
TLS Redirection (and Virtual Host Confusion)
-
101
-
TLS Redirection (and Virtual Host Confusion) - GrrDog
- The goal of this document is to raise awareness of a little-known group of attacks, TLS redirection / Virtual Host Confusion, and to bring all the information related to this topic together.
-
- Articles/Papers/Talks/Writeups
- General
- Tools
- Miscellaneous
TypoSquatting
- 101
Web Cache Deception Attack
- 101
- Articles/Blogposts/Writeups
-
Papers
-
Cached and Confused: Web Cache Deception in the Wild - Seyed Ali Mirheidari, Sajjad Arshad, Kaan Onarlioglu, Bruno Crispo, Engin Kirda, William Robertson(2020)
- Web cache deception (WCD) is an attack proposed in 2017, where an attacker tricks a caching proxy into erroneously storing private information transmitted over the Internet and subsequently gains unauthorized access to that cached data. Due to the widespread use of web caches and, in particular, the use of massive networks of caching proxies deployed by content distribution network (CDN) providers as a critical component of the Internet, WCD puts a substantial population of Internet users at risk. We present the first large-scale study that quantifies the prevalence of WCD in 340 high-profile sites among the Alexa Top 5K. Our analysis reveals WCD vulnerabilities that leak private user data as well as secret authentication and authorization tokens that can be leveraged by an attacker to mount damaging web application attacks. Furthermore, we explore WCD in a scientific framework as an instance of the path confusion class of attacks, and demonstrate that variations on the path confusion technique used make it possible to exploit sites that are otherwise not impacted by the original attack. Our findings show that many popular sites remain vulnerable two years after the public disclosure of WCD. Our empirical experiments with popular CDN providers underline the fact that web caches are not plug & play technologies. In order to mitigate WCD, site operators must adopt a holistic view of their web infrastructure and carefully configure cache settings appropriate for their applications.
-
-
Talks/Presentations/Videos
-
Web Cache Deception Attack - Omer Gil(BHUSA 2017)
- slides
- Web Cache Deception attack is a new web attack vector that puts various technologies and frameworks at risk. By manipulating behaviors of web servers and caching mechanisms, anonymous attackers can expose sensitive information of authenticated application users, and in certain cases to even take control over their accounts.
- Web Cache Deception attack: A new web attack vector
-
Cached and Confused: Web Cache Deception in the Wild - Seyed Ali Mirheidari, Sajjad "JJ" Arshad(h@ckivitycon 2020)
- Web Cache Deception (WCD) was introduced in 2017 by Omer Gil, where an intruder lures a caching server to mistakenly store private information publicly and as a result obtains unauthorized access to cached data. In this talk, we will introduce new exploitation techniques based on the semantic disconnect among different framework-independent web technologies (e.g., browsers, CDNs, web servers) which results in different URL path interpretations. We coined the term “Path Confusion” to represent this disagreement and we will present the effectiveness of this technique on the WCD attack. In February 2020, our related research was voted and led to an award as the top web hacking technique of 2019 by PortSwigger. We explore WCD as an instance of the path confusion class of attacks, and demonstrate that variations on the path confusion technique make it possible to exploit sites that are otherwise not impacted by the original attack. Our findings show that many popular sites remain vulnerable three years after the public disclosure of WCD. To further elucidate the seriousness of path confusion, we will also present the large scale analysis results of the WCD attack on high profile sites. We present a semi-automated path confusion crawler which detects hundreds of sites that are still vulnerable to WCD only with specific types of path confusion techniques. We conclude the talk by explaining why path confusion is so complicated to remediate while shedding light on potential areas where researchers and bug hunters can apply new attack vectors through different path confusion techniques.
-
- Writeups
-
Tools
-
Web Cache Deception Burp Extension
- A Burp extension to test applications for vulnerability to the Web Cache Deception attack.
-
Web Cache Poisoning Attack
-
101
- Web cache poisoning - PortSwigger
-
Practical Web Cache Poisoning: Redefining 'Unexploitable' - James Kettle(BHUSA2018)
- Slides
- Modern web applications are composed from a crude patchwork of caches and content delivery networks. In this session I'll show you how to compromise websites by using esoteric web features to turn their caches into exploit delivery systems, targeting everyone that makes the mistake of visiting their homepage.
- Articles/Blogposts/Writeups
- Talks/Presentations/Videos
-
Tools
-
Param-miner
- This extension identifies hidden, unlinked parameters. It's particularly useful for finding web cache poisoning vulnerabilities.
-
XML
-
101
- [XML Schema, DTD, and Entity Attacks: A Compendium of Known Techniques - Timothy D. Morgan, Omar Al Ibrahim(2014)](www.vsecurity.com/download/papers/XMLDTDEntityAttacks.pdf)
-
DOS
- Articles/Papers/Talks/Writeups
-
XXE Attack
- 101
-
Articles/Papers/Talks/Writeups
- Hunting in the Dark - Blind XXE
- Exploiting Out Of Band XXE using internal network and php wrappers - Mahmoud Gamal
- Playing with Content-Type – XXE on JSON Endpoints - Antti Rantasaari
- XXE: How to become a Jedi - Yaroslav Babin(Zeronights 2017)
- Advice From A Researcher: Hunting XXE For Fun and Profit
- Leading the Blind to Light! - A Chain to RCE
- Generic XXE Detection - Christian Schneider
- Playing with Content-Type – XXE on JSON Endpoints - NETSPI
- XXE OOB exploitation at Java 1.7+ - 2014
- Security of applications that parse XML (supplementary) - 2009
- Exploiting XXE In File Upload Functionality
- XML Parser Evaluation - web-in-security.blogspot.de
- Hiding in Plain Sight: XXE Vulnerability in HP Project & Portfolio Mgmt Center - Benjamin Caudill
- Don’t open that XML: XXE to RCE in XML plugins for VS Code, Eclipse, Theia, … - thezero
- Playing with Content-Type – XXE on JSON Endpoints(2015) - Antti Rantasaari
-
Talks/Presentations/Videos
- Black Hat EU 2013 - XML Out-of-Band Data Retrieval
- What You Didn't Know About XML External Entities Attacks - Timothy D. Morgan
-
Exploiting XXE Vulnerabilities In File Parsing Functionality - Willis Vandevanter - BHUSA 2015
- In this 25-minute briefing, we will discuss techniques for exploiting XXE vulnerabilities in File Parsing/Upload functionality. Specifically, XML Entity Attacks are well known, but their exploitation inside XML supported file formats such as docx, xlsx, pptx, and others are not. Discussing the technically relevant points step by step, we will use real world examples from products and recent bug bounties. Finally, in our experience, creating 'XXE backdoored' files can be a very slow process. We will introduce our battle tested tool for infecting the file formats discussed.
- FileCry - The New Age of XXE - BH USA 2015
- Papers
- CVEs
- Reference
-
Tools
-
XXEinjector
- XXEinjector automates retrieving files using direct and out of band methods. Directory listing only works in Java applications. The bruteforcing method needs to be used for other applications.
-
oxml_xxe
- This tool is meant to help test XXE vulnerabilities in file formats.
-
- Miscellaneous
Miscellaneous
-
unindexed
- The site is constantly searching for itself in Google, over and over and over, 24 hours a day. The instant it finds itself in Google search results, the site will instantaneously and irrevocably securely delete itself. Visitors can contribute to the public content of the site, these contributions will also be destroyed when the site deletes itself.
COWL: A Confinement System for the Web
- Robust JavaScript confinement system for modern web browsers. COWL introduces label-based mandatory access control to browsing contexts (pages, iframes, etc.) in a way that is fully backward-compatible with legacy web content.
- Paper
Burp Stuff/Plugins
-
Tutorials/Tips/Stuff
-
101
-
Issue Definitions
- This listing contains the definitions of all issues that can be detected by Burp Scanner.
- Burp Suite Training - PortSwigger
-
-
Articles/Blogposts/Writeups
- Burp Pro : Real-life tips and tricks
- Behind enemy lines: Bug hunting with Burp Infiltrator
- Automating Web Apps Input fuzzing via Burp Macros
- Burp Suite Visual Aids - lanmaster53
- SSH "accept : too many open files" on OS X when using Burp - dewhurstsecurity.com
- Brute Forcing with Burp - Pentesters Tips & Tricks Week 1 - securenetwork.com
-
Talks/Presentations/Videos
- OWASP Top 10: Hacking Web Applications with Burp Suite - Chad Furman
-
Tactical Burp Suite: Next steps webcast - SecureIdeas(2020)
- Secure Ideas' Tactical Burp: Next Steps is a two-hour video exploring topics related to Burp Suite and its use in a web application penetration test. This course explores the various features of Burp Suite, focusing on how we use the system during our penetration testing.
-
Burp Macro Auto Authentication - CyberSecurityTV(2020)
- Burp session handling rules are very powerful. In this episode, we have seen an example of how to configure burp to auto login or activate session after it detects session invalidity.
-
101
- Wordlists
-
Plugins
-
Creating
- Adapting Burp Extensions for Tailored Pentesting
-
Developing Burp Suite Extensions - DOYENSEC
- Material for the training "Developing Burp Suite Extensions – From Manual Testing to Security Automation"
-
API
-
burp-rest-api
- A REST/JSON API to the Burp Suite security tool. Upon successfully building the project, an executable JAR file is created with the Burp Suite Professional JAR bundled in it. When the JAR is launched, it provides a REST/JSON endpoint to access the Scanner, Spider, Proxy and other features of the Burp Suite Professional security tool.
-
AuthN/AuthZ-related
-
AuthMatrix
- AuthMatrix is a Burp Suite extension that provides a simple way to test authorization in web applications and web services.
-
Autorize
- Autorize is an automatic authorization enforcement detection extension for Burp Suite. It was written in Python by Barak Tawily, an application security expert, and Federico Dotta, a security expert at Mediaservice.net. Autorize was designed to help security testers by performing automatic authorization tests. With the latest release, Autorize also performs automatic authentication tests.
- Escalating Privileges like a Pro - Gaurav Narwani
-
AutoRepeater
- Burp Suite is an intercepting HTTP proxy, and it is the de facto tool for performing web application security testing. While Burp Suite is a very useful tool, using it to perform authorization testing is often a tedious effort involving a "change request and resend" loop, which can miss vulnerabilities and slow down testing. AutoRepeater, an open source Burp Suite extension, was developed to alleviate this effort. AutoRepeater automates and streamlines web application authorization testing, and provides security researchers with an easy-to-use tool for automatically duplicating, modifying, and resending requests within Burp Suite while quickly evaluating the differences in responses.
-
Uniqueness plugin for Burp Suite
- Makes requests unique based on regular expressions. Handy for registration forms and any other endpoint that requires unique values upon every request.
-
Collaborator-related
-
collaborator-everywhere
- A Burp Suite Pro extension which augments your proxy traffic by injecting non-invasive headers designed to reveal backend systems by causing pingbacks to Burp Collaborator
-
Extra-Checks/Scanners
-
backslash-powered-scanner
- This extension complements Burp's active scanner by using a novel approach capable of finding and confirming both known and unknown classes of server-side injection vulnerabilities. Evolved from classic manual techniques, this approach reaps many of the benefits of manual testing including casual WAF evasion, a tiny network footprint, and flexibility in the face of input filtering.
-
HUNT
- HUNT is a Burp Suite extension to: 1. Identify common parameters vulnerable to certain vulnerability classes; 2. Organize testing methodologies inside of Burp Suite.
-
Burp-molly-pack
- Burp-molly-pack is a Yandex security checks pack for Burp. The main goal of Burp-molly-pack is to extend Burp's checks. The plugins contain active and passive security checks.
-
burp-suite-error-message-checks
- Burp Suite extension to passively scan for applications revealing server error messages
-
Asset Discover
- Burp Suite extension to discover assets from HTTP response using passive scanning.
- Blogpost
-
Dr. Watson
- Dr. Watson is a simple Burp Suite extension that helps find assets, keys, subdomains, IP addresses, and other useful information! It's your very own discovery sidekick, the Dr. Watson to your Sherlock!
-
LinkDumper Burp Plugin
- Extract (links/possible endpoints) from responses & filter them via decoding/sorting
- BurpExtenderHeaderChecks
-
SQLTruncScanner
- Messy BurpSuite plugin for SQL Truncation vulnerabilities.
-
Asset_Discover
- Burp Suite extension to discover assets from HTTP response using passive scanning.
-
Extended-Functionality
- burp-highlighter
-
Exporter Extension for Burp Suite
- Exporter is a Burp Suite extension to copy a request to the clipboard as multiple programming languages functions.
-
Stepper
- Stepper is designed to be a natural evolution of Burp Suite's Repeater tool, providing the ability to create sequences of steps and define regular expressions to extract values from responses which can then be used in subsequent steps.
-
Piper
-
Unix-style approach to web application testing - Andras Veres-Szentkiralyi(2020)
- Web application testers of our time have lots of tools at their disposal. Some of these offer the option to be extended in ways the original developers did not think of, thus making their tool more useful. However, developing extensions or plugins has entry barriers in the form of fixed costs, boilerplate, et cetera. At the same time, many problems already have a solution designed as a smaller standalone program, which could be combined in the Unix fashion to produce a useful complex tool quickly and easily. In this paper, a (meta)solution is introduced for this integration problem by lowering the entry barriers, and several examples are offered that demonstrate how it saved time in web application assessments.
-
Forced-Browsing/File Discovery
-
BurpSmartBuster
- Looks for files, directories and file extensions based on current requests received by Burp Suite
-
J2EE
-
J2EEScan
- J2EEScan is a plugin for Burp Suite Proxy. The goal of this plugin is to improve the test coverage during web application penetration tests on J2EE applications.
-
JavaScript
-
BitMapper
- Burp-suite Extension For finding .map files
-
JSONP
-
jsonp
- jsonp is a Burp Extension which attempts to reveal JSONP functionality behind JSON endpoints. This could help reveal cross-site script inclusion vulnerabilities or aid in bypassing content security policies.
-
JWTs
-
JWT4B
- JSON Web Tokens (JWT) support for the Burp Interception Proxy. JWT4B will let you manipulate a JWT on the fly, automate common attacks against JWT and decode it for you in the proxy history. JWT4B automagically detects JWTs in the form of 'Authorization Bearer' headers as well as customizable post body parameters.
-
jwt-heartbreaker
- A Burp extension to check whether a JWT (JSON Web Token) was signed with a key known from public sources.
- Blogpost
-
Proxy
-
NoPE Proxy
- Non-HTTP Protocol Extension (NoPE) Proxy and DNS for Burp Suite.
-
Postman
-
Postman-Integration
- Postman Integration is an extension for Burp to generate a Postman collection format JSON file.
-
SAML
-
SAML Raider
- SAML Raider is a Burp Suite extension for testing SAML infrastructures. It contains two core functionalities: manipulating SAML messages and managing X.509 certificates.
-
Serialization
-
Freddy the Serial(isation) Killer - Deserialization Bug Finder
- A Burp Suite extension to aid in detecting and exploiting serialisation libraries/APIs.
-
Single-Page-Apps
-
BurpKit
- BurpKit is a BurpSuite plugin which helps in assessing complex web apps that render the contents of their pages dynamically. It also provides a bi-directional Script bridge API which allows users to create quick one-off BurpSuite plugin prototypes which can interact directly with the DOM and Burp's extender API.
-
Sitemap
-
PwnBack
- Burp Extender plugin that generates a sitemap of a website using Wayback Machine
-
SQL Injection
-
sqlipy
- SQLiPy is a Python plugin for Burp Suite that integrates SQLMap using the SQLMap API.
-
SQLi Query Tampering
- SQLi Query Tampering extends and adds custom Payload Generator/Processor in Burp Suite's Intruder. This extension gives you the flexibility of manual testing with many powerful evasion techniques.
-
Swagger
-
swurg
- Parses Swagger files into the BurpSuite for automating RESTful API testing – approved by Burp for inclusion in their official BApp Store.
-
WAFs
-
HTTPSmuggler
- A Burp Suite extension to help pentesters to bypass WAFs or test their effectiveness using a number of techniques. This extension has been developed by Soroush Dalili (@irsdl) from NCC Group.
-
Wordlists
-
Golden Nuggets
- Burp Suite Extension to easily create Wordlists based off URI, URI Parameters and Single Words (Minus the Domain)
-
Other
-
C02
- Co2 includes several useful enhancements bundled into a single Java-based Burp extension. The extension has its own configuration tab with multiple sub-tabs (one for each Co2 module). Modules that interact with other Burp tools can be disabled from within the Co2 configuration tab, so there is no need to disable the entire extension when using just part of the functionality.
-
distribute-damage
- Designed to make Burp evenly distribute load across multiple scanner targets, this extension introduces a per-host throttle, and a context menu to trigger scans from. It may also come in useful for avoiding detection.
- Office Open XML Editor - burp extension
-
Bumpster
- The Unofficial Burp Extension for DNSDumpster.com. You simply supply a domain name and it returns a ton of DNS information and basically lays out the external network topology.
- ParrotNG - burp plugin
-
Brida
- Brida is a Burp Suite extension that, working as a bridge between Burp Suite and Frida, lets you use and manipulate applications' own methods while tampering with the traffic exchanged between the applications and their back-end services/servers. It supports all platforms supported by Frida (Windows, macOS, Linux, iOS, Android, and QNX).
-
Cyber Security Transformation Chef
- The Cyber Security Transformation Chef (CSTC) is a Burp Suite extension. It is built for security experts to extend Burp Suite by chaining simple operations for each incoming or outgoing message. It can also be used to quickly apply special custom formatting to a message.
-
Hackbar
- Hackbar plugin for Burp
-
progress-burp
- Burp Suite extension to track vulnerability assessment progress
-
Cloudflare
- 101
- Articles/Blogposts/Writeups
-
Tools
-
CloudFlair
- CloudFlair is a tool to find origin servers of websites protected by CloudFlare that are publicly exposed and don't restrict network access to the CloudFlare IP ranges as they should. The tool uses Internet-wide scan data from Censys to find exposed IPv4 hosts presenting an SSL certificate associated with the target's domain name.
-
CloudFire
- This project focuses on discovering potential IPs leaking from behind cloud-proxied services, e.g. Cloudflare. Although there are many ways to tackle this task, we are focusing right now on CrimeFlare database lookups, search engine scraping and other enumeration techniques.
-
Bug Bounty Writeups
- HackerOne H1-212 Capture the Flag Solution - Corben Douglas
- ebay.com: RCE using CCS
- $10k host header - eze2307
- REMOTE CODE EXECUTION! Recon Wins - vishnuraj
- Analyzing a Creative Attack Chain Used To Compromise A Web Application
-
RCE in Hubspot with EL injection in HubL - betterhacker.com
- "This is the story of how I was able to get remote code execution on Hubspot's servers by exploiting a vulnerability in HubL expression language, which is used for creating templates and custom modules within the Hubspot CRM."
- Hacking Slack using postMessage and WebSocket-reconnect to steal your precious token - labs.detectify
-
Tools
-
Boucan: A Bug Bounty Canary Platform
- This project is an attempt to implement a lightweight Burp Collaborator-esque application and consists of two main components: a DNS server (custom Python implementation with dnslib) and an API. It is still very much in the early days of development. You can think of Boucan as sort of a canary that will notify you when an external asset (DNS record, HTTP server, SMTP server) has been interacted with. This is useful for blind payload injection.
-
Keyhacks
- Keyhacks is a repository which shows quick ways in which API keys leaked by a bug bounty program can be checked to see if they're valid.
-