Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

How I was able to take over any users account with host header injection- 146

Ajay Gautam    Reference →Posted 6 Years Ago
  • Host header injection is a vulnerability where a remote attacker replaces the HTTP Host header with a fake host of their choosing, and the application trusts that value instead of the original.
  • "When creating URI for links in web applications, developers often use the HTTP Host header in order to poison the web-cache or password reset emails." - Tenable
  • In this application, there was a form that was used to reset passwords. However, the domain name used in the reset link could be set arbitrarily by changing the Host header of the request.
  • Therefore, an attacker could easily set this Host Header to something they controlled. Then, when a user clicked on the link in their email, the attacker would have the password reset token!
  • In conclusion, do not trust input set on the client side :)
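The reset-link pattern described above, side by side with a hardened version, as an added example (not code from the original write-up). It assumes a minimal request represented as a headers dict; the host names and helper names are hypothetical.

```python
from typing import Mapping, Optional
from urllib.parse import quote

# Constructed configuration: the only host this deployment legitimately serves.
ALLOWED_HOSTS = {"app.example.com"}
CANONICAL_BASE = "https://app.example.com"


def reset_link_vulnerable(headers: Mapping[str, str], token: str) -> str:
    """Vulnerable: the link's domain is copied from the client-supplied Host
    header, so whoever controls that header controls where the reset token
    is delivered when the victim clicks the emailed link."""
    host = headers.get("Host", "")
    return f"https://{host}/reset?token={quote(token)}"


def reset_link_hardened(headers: Mapping[str, str], token: str) -> Optional[str]:
    """Hardened: the link is built from server-side configuration only, and the
    request is refused (fail closed) when Host is not one we actually serve."""
    host = headers.get("Host", "").split(":", 1)[0].lower()
    if host not in ALLOWED_HOSTS:
        return None  # a real handler would log this and answer 400
    return f"{CANONICAL_BASE}/reset?token={quote(token)}"


if __name__ == "__main__":
    tampered = {"Host": "attacker.example"}  # constructed request header
    print(reset_link_vulnerable(tampered, "abc123"))
    print(reset_link_hardened(tampered, "abc123"))
    print(reset_link_hardened({"Host": "app.example.com"}, "abc123"))
```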

OK Google: bypass the authentication!- 145

Mattia Vinci    Reference →Posted 6 Years Ago
  • A target application was built for the Google Assistant, which used voice controls.
  • There are two main vulnerabilities here: failing open and exception handling.
  • First, by saying the words "A capo" (Italian for newline) the Google input device interpreted this as a legitimate newline ('\n'). The application assumed that the form would always contain data.
  • The default intent was not the authentication page but the main page of the application. Therefore, once the crash happened (from the newline) then the app would reopen in the default intent!
  • Main things to take away: special characters, such as newlines and tabs, can cause major issues. Additionally, make sure everything fails closed, so that even if there is a crash, access is not granted.

XSS to XXE in Prince v10 and below- 144

Corben Leo    Reference →Posted 6 Years Ago
  • Prince is software that converts HTML, XHTML and several other formats to PDFs.
  • Its XML parsing library allows external entities to be loaded. Because of this, it is vulnerable to XXE.
  • The XXE vulnerability can be used for SSRF and/or to read files from the server's file system.

Server-Side Template Injection (SSTI)- 143

James Kettle - PortSwigger    Reference →Posted 6 Years Ago
  • Templating engines are used to embed dynamic content into web pages and emails. Template injection occurs when user input is embedded in a template in an unsafe manner.
  • Template injection is easily misdiagnosed as a low-impact XSS vulnerability. SSTI is essentially the execution of attacker-controlled template code on the server, inside whatever sandbox the template engine provides.
  • There are two distinct contexts: plaintext (inject directly into HTML) and code context (placed within a template statement as a variable name). Both of these being used incorrectly can lead to XSS and/or RCE.
  • The first aspect is figuring out which template engine is being used (identify). The article has a flow chart to figure out which engine is being used.
  • The second part is exploitation. The article breaks this into three steps: read, explore and attack.
  • Read: Each language and templating engine has many complex built-in functions, leading to many possible outcomes. So, understanding the template injection and reading the documentation is very important. This includes basic syntax, security considerations, built-in methods and plugins.
  • Explore: Explore the environment that is being used on the application. What is in the namespace? What objects are available?
  • Attack: Understand the application as a whole and proceed to normal exploitation techniques.
  • The article walks through several real-world applications being exploited. I always enjoy the real world exploitation within the Portswigger articles!

RCE in Hubspot with EL Injection in HubL- 142

BetterHacker    Reference →Posted 6 Years Ago
  • Interpreters are IMPOSSIBLE to do correctly... Anytime there is an interpreter go after it!
  • EL (expression language) is used for creating templates for several frameworks. In this situation, the HubL EL was being used in the HubSpot Customer Relationship Manager (CRM).
  • The classic example is {7*7} evaluating to 49. By abusing the templating engine (which is in Java), specific functions in Java could be called that lead to a complete compromise of the system. Although, calling Java in this restricted context is very complex...
  • I was super impressed with the reverse engineering that allowed this to be possible! Lots of reading from the JinJava project, as well as just general Java knowledge.
  • Here is the final payload: {{'a'.getClass().forName('javax.script.ScriptEngineManager') .newInstance().getEngineByName('JavaScript').eval(\"var x=new java.lang.ProcessBuilder; x.command(\\\"netstat\\\"); org.apache.commons.io.IOUtils.toString(x.start().getInputStream())\")}}

IP Fragmentation Attack- 141

Imperva    Reference →Posted 6 Years Ago
  • Fragmentation is a normal part of data transmission on every network.
  • By abusing how fragmented TCP and UDP traffic is reassembled, the resources of a web server can be exhausted. This creates a denial of service (DoS) condition.

Publicly Exposed .git Files- 140

Internet Wache    Reference →Posted 6 Years Ago
  • .git holds all of the version control information of a Git repo. Because of the period (.) in the directory name, it is commonly missed (for example, ls -l does not list it). Its contents can be used to completely recreate the source code of the application!
  • Some web servers, such as Apache, will then show all of the contents of that directory to the rest of the world!
  • Putting these together, downloading the .git directory from a site can allow a complete reconstruction of the source code.
  • When I tried searching for the .git file in Google, a significant number of repos were vulnerable to this attack.
  • It should be noted that the article has all commands to perform this attack. However, the git reset step takes a fair amount of time.

My Name Is Johann Wolfgang Von Goethe - I Can Prove It- 139

Sec-Consult    Reference →Posted 6 Years Ago
  • The authentication on the site uses a SAML-based model.
  • The application's digital signature check uses only the first occurrence of a parameter, even though the same parameter can be supplied multiple times.
  • This creates an HTTP Parameter Pollution vulnerability that can bypass security features.
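The root cause above is two components disagreeing about which copy of a repeated parameter is "the" value. This added example (not the vendor's code) shows a first-wins parser, a last-wins parser, and a strict parser that refuses duplicated parameters before any signature check runs. It assumes an application/x-www-form-urlencoded body; the parameter values are constructed.

```python
from urllib.parse import parse_qsl


class DuplicateParameterError(ValueError):
    """Raised when a parameter name appears more than once in a request."""


def first_wins(body: str) -> dict:
    """Lenient parser A: keeps the first copy of a repeated parameter
    (the rule the write-up describes for the signature check)."""
    out = {}
    for name, value in parse_qsl(body, keep_blank_values=True):
        out.setdefault(name, value)
    return out


def last_wins(body: str) -> dict:
    """Lenient parser B: keeps the last copy. If another component of the same
    application uses this rule, the verified value and the consumed value
    are no longer the same string."""
    return dict(parse_qsl(body, keep_blank_values=True))


def parse_form_strict(body: str) -> dict:
    """Hardened parser: refuse the request outright if any parameter is
    repeated, so every component sees exactly one value per name."""
    seen = {}
    for name, value in parse_qsl(body, keep_blank_values=True):
        if name in seen:
            raise DuplicateParameterError(f"parameter {name!r} sent more than once")
        seen[name] = value
    return seen


if __name__ == "__main__":
    # Constructed request body: the same SAML parameter sent twice.
    body = "SAMLResponse=copy-one&SAMLResponse=copy-two&RelayState=home"
    print(first_wins(body)["SAMLResponse"])  # copy-one
    print(last_wins(body)["SAMLResponse"])   # copy-two
    try:
        parse_form_strict(body)
    except DuplicateParameterError as exc:
        print("rejected:", exc)
```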

ProtonMail Perfect 'End to End Encryption Claim'- 138

Nadim Kobeissi     Reference →Posted 6 Years Ago
  • ProtonMail claims perfect end-to-end encryption for the ProtonMail app. An article was released disputing this claim.
  • The argument is that, because the browser could be compromised, the encryption keys could be discovered... Although this is true, this situation is very, very unlikely.
  • This Reddit link is hilarious though. After posting this article, ProtonMail officially comments on this paper in the Reddit thread! I thought this was absolutely hilarious. Feel free to read through the thread.

What is Good Research? - 137

LiveOverflow    Reference →Posted 6 Years Ago
  • Although XSS is super common, there is an infinite amount of ways to trigger it!
  • Copying and pasting payloads into forms is good for a while but not that great if you want a PhD in XSS.
  • The base tag sets the base URL for relative links. A JavaScript URI placed there has to look like a normal URL, yet still execute as JS, and the // that makes it look like a URL is a JS comment. This can be bypassed by using either a multi-line comment or a regex literal instead.
  • Gareth Heyes, from Portswigger, demonstrates a parsing bug in Safari that looks like it makes zero sense... just abusing the parser and understanding the browser.
  • Good hacking comes from a deep understanding of something combined with a large amount of creativity.