Ever wondered what happens when you type in a URL in an address bar in a browser? Here is a brief overview...

#programming #web #sketchnotes

Bypassing HttpOnly

1. Why phpinfo
2. Stealing ci_session with info.php file
3. PoC

Research:
https://aleksikistauri.medium.com/bypassing-httponly-with-phpinfo-file-4e5a8b17129b

#web #httponly #phpinfo #xss

Bypass Rate Limits in Web Applications and API's.

— What is Rate Limit

Rate limiting is a process to limiting the number of request an user can make to a web server in an span of time. This can be achieved by implementing IP based, Session Based rate limits on web server.

—Where to Look for Rate Limit Bugs

Place like :
— Login/Signup pages
— Register Pages
— 2FA codes
— Confirmation Codes

...and any other request which if bruteforce will allow attacker to achieve anything malicious should be check for "No Rate Limit" issue.

[Bypass 1] - Using Null Chars

%00, %0d%0a, %09, %0C, %20, %0

Example:
— Bruteforce with [email protected]
— After some time you will be blocked
— Now Bruteforce with [email protected]%00 and check if you are able continue bruteforce it

[Bypass 2] - Adding Spaces

A webserver may strip off extra spaces added to email/username at the backend, Which may allow you to bruteforce the same email by appending an extra space every time you are blocked.

[Bypass 3] - Host Header Injection

Try Modifying Host header of the request after being blocked by the server

Change Host: www,newsite,com
Change Host: localhost
Change Host: 127.0.0.1

[Bypass 4] - Changing Cookies

Try changing Session cookie after being blocked by the server. This can be achieved by figuring out which request is responsible to set session cookies to the user and then use that request to update session cookie everytime you are blocked.

[Bypass 5] - X-forwarded-For

— dig target,com
— Change The X-Forwarded-For: IP Address

This may confuse WAF/server/loadbalancer, as if requests are being forwarded to another host but will be forwarded to same target host hence will allow you to bypass the rate limit.

[Bypass 6] - Confuse server with correct attempts

If the server is blocking you after 20 attempts, Try bruteforcing with 19 attempts and use your credentials to login to your account on 20th attempt and then repeat the process.

[Bypass 7] - Updating target Paths

Appending random param=value may sometimes bypass rate limit on the endpoint

Eg:
— Bruteforce /api/v1/users/<id>
— Got blocked after 200 attempts
— Now Bruteforce /api/v1/users/<id>?xyz=123
— Change the param=value after each 200 attempts

[Bypass 8] - IP based Rate limits

IP based rate limits can be easily bypassed by changing the Ip address of your machine. The alternative would be using IP Rotate Burp Extension.

#web #api #rate #limit #bypass

Rockyou for Web Fuzzing

This is a wordlist for fuzzing purposes made from the best wordlists currently available, lowercased and deduplicated later with duplicut, added cleaner from BonJarber.

The lists used have been some selected within these repositories:

— fuzzdb
— SecLists
— xmendez
— minimaxir
— TheRook
— danielmiessler
— swisskyrepo
— 1N3
— cujanovic
— lavalamp
— ics-default
— jeanphorn
— j3ers3
— nyxxxie
— dirbuster
— dotdotpwn
— hackerone_wordlist
— commonspeak2
— bruteforce-list
— assetnote

https://github.com/six2dez/OneListForAll

#web #fuzzing #wordlist

🧨 RCE в BIG-IP iControl REST (CVE-2022-1388)

Эта уязвимость может позволить неаутентифицированному злоумышленнику с сетевым доступом к системе BIG-IP выполнять произвольные системные команды, создавать или удалять файлы или отключать службы (CVE-2022-1388)

Дорк для Shodan:

http.title:"BIG-IP®-+Redirect" +"Server"

PoC представлен на изображении ниже или по ссылке.

Ссылка на PoC

#web #cve #rce

​​🐘 Удаленная эксплуатация переполнения кучи в веб-приложениях PHP (CVE 2022-31626)

Представлен PoC для RCE уязвимости в PHP <=7.4.29, которая может быть запущена через мошеннический сервер MySQL/MariaDB.

Ссылка на PoC

#web #rce

⌛ Attacking Predictable GUID

Few penetration testers and bug bounty hunters are aware of the different versions of GUIDs and the security issues associated with using the wrong one. In this blog post walk through an account takeover issue from a recent penetration test where GUIDs were used as password reset tokens.

https://www.intruder.io/research/in-guid-we-trust

#web #pentest #guid #account #takeover

⚔️ Katana — Web Crawler

A next-generation crawling and spidering framework.

Features:
— Standard/Headless
— Customizable Config
— JavaScript parsing
— Scope control

https://github.com/projectdiscovery/katana

#web #crawler #tools #bugbounty

⚙️ Subdomain Generator

If you want to create subdomains quickly, try this site.

🔗 Source:
https://husseinphp.github.io/subdomain/

#subdomain #generator #bugbounty #web

🔐 Bitrix CMS Ultimate Pentest Guide

A detailed guide on penetration testing for 1C-Bitrix CMS, one of the most popular content management systems in CIS countries. The guide covers authentication bypasses, XSS, SSRF, LFI, RCE exploits, WAF bypass methods, and vulnerabilities in third-party modules (especially Aspro).

🔗 Source:
https://pentestnotes.ru/notes/bitrix_pentest_full/

#1c #bitrix #web