Useful Tips and Tricks for Web Pentesting

Generating Custom SSRF Payloads

https://tools.intigriti.io/redirector/#

How to do it

1. Go to Intigriti payload generator → https://tools.intigriti.io/redirector/#

2. Enter the target domain (it can be anything)

3. Enter your own collaborator URL

4. Submit

5. Download the .txt file and use it as part of intruder

This will generate an SSRF payload list that:

Contains your collaborator URL

Applies encoding on your collaborator URL to bypass filters


Injecting Payloads in Email Address Fields

test+(<script>alert(0)</script>)@example.com

test@example(<script>alert(0)</script>).com

"<script>alert(0)</script>"@example.com

"<%=7*7%>"@example.com

test+(${{7*7}})@example.com

"'OR1=1--'"@example.com

user@test.burpcollaborator.net

user@[127.0.0.1]

user@email=attacker@example.com

%0d%0aContent-Length:%200%0d%0a%0d%0a"@example.com

"recipient@test.com\r\nRCPT TO:<victim+"@test.com
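Every shape in the list above leans on a part of the RFC 5322 address grammar that a registration or contact form never needs: quoted local parts, parenthesised comments, bracketed address literals, a second "@", or raw CR/LF. As an added example, not from the original post, here is a validator that accepts only the narrow unquoted form and rejects the rest; the regular expressions and the length limits are my own choices, not a library API.

```python
import re

# Unquoted dot-atom local part (RFC 5322 "atext") and a plain DNS host name.
ATEXT = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+"
LOCAL_PART = re.compile(rf"^{ATEXT}(?:\.{ATEXT})*$")
DOMAIN = re.compile(r"^(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}$")


def is_safe_email(value):
    """Accept one unambiguous address shape: a single '@', no control
    characters, an unquoted local part and a host-name domain. Quoted strings,
    parenthesised comments, address literals and CR/LF are all rejected."""
    if not isinstance(value, str) or len(value) > 254:
        return False
    # CR, LF and other control characters are what header and SMTP injection need.
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in value):
        return False
    if value.count("@") != 1:
        return False
    local, domain = value.split("@")
    if not 1 <= len(local) <= 64:
        return False
    return bool(LOCAL_PART.match(local) and DOMAIN.match(domain))


if __name__ == "__main__":
    for sample in ("alice.smith+news@example.com",       # constructed, ordinary address
                   "user@[127.0.0.1]",                   # address literal
                   '"<script>alert(0)</script>"@example.com'):
        print(f"{sample!r}: {is_safe_email(sample)}")
```

Two caveats when you deploy a check like this. First, it is a syntax filter, not output encoding: `$`, `{`, `}` and `'` are legal atext characters, so a local part built from them alone is a well-formed address and must still be escaped for whatever context later renders it (HTML, a template engine, a SQL query). Second, if the application URL-decodes input before validating, run the check on the decoded value, which is where `%0d%0a` turns into the CR/LF this function rejects.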


Formatting XSS Payloads for XML Forms

How to do it

1. Send request to intruder

2. Pick the injection point (for example the <City>Boston</City> tag in the image)

3. Surround the value with a <![CDATA[...]]> section (e.g. <![CDATA[Boston]]>)

4. Now set the Intruder injection point <City><![CDATA[§INJECTION_POINT§]]></City>

Wrong: <City>§INJECTION_POINT§</City>

Correct: <City><![CDATA[§INJECTION_POINT§]]></City>
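Why the wrapper matters becomes obvious once you look at what an XML parser on the server actually hands to the application. The following is an added example, not part of the original post: it builds a request body in the shape of the form above (the `<Address>` template is constructed for the demonstration) and parses it the way a server would. Without CDATA, a value containing markup is either rejected as malformed or turned into child elements, so the City value the application receives is empty or truncated; inside CDATA the value arrives verbatim, including a value that itself contains `]]>`, which the helper splits across two sections.

```python
import xml.etree.ElementTree as ET

# Constructed request body in the shape of the form above; {city} is the injection point.
TEMPLATE = "<Address><City>{city}</City><Zip>02108</Zip></Address>"


def build_body(value, use_cdata):
    """Place value in <City>, either raw (the 'wrong' form) or inside a CDATA
    section (the 'correct' form). A CDATA section ends at the first ']]>', so a
    value containing that sequence is split across two sections to keep the
    document well-formed."""
    if use_cdata:
        value = "<![CDATA[" + value.replace("]]>", "]]]]><![CDATA[>") + "]]>"
    return TEMPLATE.format(city=value)


def city_seen_by_server(body):
    """Parse the body as a server-side XML parser would and return the City text
    it hands to the application, or None if the whole document is rejected."""
    try:
        return ET.fromstring(body).findtext("City")
    except ET.ParseError:
        return None


if __name__ == "__main__":
    for value in ("Boston", "1 < 2", "Boston <b>test</b>", "a]]>b"):
        raw = city_seen_by_server(build_body(value, use_cdata=False))
        wrapped = city_seen_by_server(build_body(value, use_cdata=True))
        print(f"{value!r:22} raw -> {raw!r:20} cdata -> {wrapped!r}")
```

The defensive reading of the same output: well-formedness tells the server nothing about whether the text inside a CDATA section is safe. Validation and output encoding have to run on the extracted string (`findtext` here), not on the XML document as a whole.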


Processing Payload Lists for Better Results

How to do it

1. Send your request to Intruder

2. Set the injection point for your chosen parameter

3. Load your favorite payload list

4. Scroll down to the Payload processing and proceed to add a new regex rule

Example 1 - look for passwd file

Match: \{file\}

Replace: passwd

Example 2 - listen for requests on collaborator

Match: \{collaborator\}

Replace: ppi1cty6kllsnobn70ljb5g4bvhm5ct1.oastify.com

Example 3 - redirect to own domain

Match: \{collaborator\}

Replace: yourdomain.com


Exploiting Race Conditions

How to do it

1. Find the request that triggers the server-side check (e.g. /api/check-coupon)

2. Create a new tab group in Repeater

3. Add the same request multiple times to the group (CTRL+R)

4. Select Send group in parallel

5. Run the attack

6. Check if more than one response is valid
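What step 6 detects is a check-then-act window on the server: the code reads "coupon unused", does something slow, then writes "coupon used", and every request that reads before the first write lands is accepted. The following added example (mine, not from the original post; the coupon class is modelled on the /api/check-coupon endpoint named above, with a sleep standing in for the database round trip) reproduces the parallel send with threads and shows the vulnerable handler beside one that closes the window.

```python
import threading
import time


class VulnerableCoupon:
    """Check-then-act with nothing holding the two steps together: every
    request that reads 'unused' before the first one writes 'used' is accepted."""

    def __init__(self):
        self.used = False

    def redeem(self):
        if self.used:
            return False
        time.sleep(0.1)  # stands in for the DB round trip between the check and the update
        self.used = True
        return True


class SafeCoupon:
    """Check and mark inside one critical section, so the second request
    observes the first one's write. In a real service this is a row lock, a
    conditional UPDATE, or a unique constraint on the redemption row."""

    def __init__(self):
        self.used = False
        self._lock = threading.Lock()

    def redeem(self):
        with self._lock:
            if self.used:
                return False
            time.sleep(0.1)
            self.used = True
            return True


def parallel_redeem(coupon, n=10):
    """Release n redemption requests at the same instant (what Repeater's
    'send group in parallel' does) and return how many were accepted."""
    barrier = threading.Barrier(n)
    results = []
    results_lock = threading.Lock()

    def worker():
        barrier.wait()
        ok = coupon.redeem()
        with results_lock:
            results.append(ok)

    threads = [threading.Thread(target=worker) for _ in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results)


if __name__ == "__main__":
    print("vulnerable coupon, 10 parallel requests:", parallel_redeem(VulnerableCoupon()), "accepted")
    print("safe coupon, 10 parallel requests:     ", parallel_redeem(SafeCoupon()), "accepted")
```

The in-process lock is only the illustration; across several application instances the equivalent is to make the database do the check and the update in one statement, for example `UPDATE coupons SET used = 1 WHERE code = ? AND used = 0` and treat a zero row count as "already redeemed", or to rely on a unique constraint on the redemption record.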


Exploiting Range Header for Directory Listing

curl -H "Range: 10000" http://target.com/img/


Finding SSRF Vulnerabilities in PDF Generators

In just 10 minutes I found 7 vulnerable online PDF converters on the first page of Google, including wkhtmltopdf, Select.Pdf and PhantomJS.

Among other things, SSRF vulnerabilities can be used to

access data behind firewalls

interact with hosts/services on the internal network

read cloud tokens/keys

achieve remote code execution

How to do it

1. Find a feature in the app that generates a PDF file

2. Identify the piece of data that you can control within the generated file (e.g. first name, email, address)

3. Inject a test payload to check whether HTML rendering is enabled (for example <h1>test</h1> will display the word "test" in a larger font)

4. Use one of the following payloads to load files hosted on the internal network
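Both the encoded-collaborator payload lists from the SSRF section above and the PDF-generator case here probe the same server-side weakness: an outbound fetch whose destination is judged from the raw URL string, which is exactly what the alternative encodings are built to defeat. The following is an added example from the defending side, not from the original post or any tool it names: the decision is made on the parsed and resolved address instead of the string, using only the standard library. The scheme allowlist and the set of blocked ranges are my choices for the example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def is_disallowed_address(ip):
    """True for loopback, RFC 1918, link-local (which includes the 169.254.169.254
    cloud metadata address), unspecified, multicast and reserved ranges, v4 or v6."""
    addr = ipaddress.ip_address(ip)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped  # ::ffff:a.b.c.d is judged as the v4 address it wraps
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def resolve_all(host):
    """Every address the host resolves to; numeric literals resolve to themselves
    via the same resolver path, so alternative spellings are judged by value."""
    try:
        infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def safe_outbound_url(url):
    """Decide whether a user-supplied URL may be fetched server-side.
    Returns (ok, reason). The decision is made after parsing and resolution,
    never on the raw string."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "no host"
    if parts.username or parts.password:
        return False, "credentials in URL"
    addrs = resolve_all(host)
    if not addrs:
        return False, "host does not resolve"
    for ip in addrs:
        if is_disallowed_address(ip):
            return False, f"{host} resolves to non-public address {ip}"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("http://127.0.0.1/", "http://[::1]/admin", "file:///etc/passwd",
                      "http://169.254.169.254/latest/meta-data/", "http://8.8.8.8/"):
        print(candidate, "->", safe_outbound_url(candidate))
```

Two things this check does not cover on its own, and that the fetching code has to handle: DNS rebinding (resolve once and connect to the address you validated, rather than letting the HTTP client resolve again) and redirects (each hop must go through `safe_outbound_url` again, so disable automatic redirect following). For a PDF renderer, the same function belongs in front of every URL the renderer is allowed to load, including images and stylesheets referenced from the HTML.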


Bypassing Authorization using 0-based UUIDs

While UUID-based authorization may seem hard to bypass because UUIDs are unique and hard to guess or crack, this is not always the case.

The application may return 403 Forbidden if you remove the token, but accept the request as long as a correctly formatted UUID is present.

So, next time you see authorization based on UUID values, remember to check

1. Is the request accepted if I remove the whole Authorization: Bearer token?

2. Is the request accepted if I set the token to 00000000-0000-0000-0000-000000000000?

3. Is the request accepted if I zero out parts of the UUID: 00000000-32fa-4929-8e59-abfeb3add5e0, ad736aee-0000-0000-0000-abfeb3add5e0 or ad736aee-32fa-4929-8e59-000000000000?
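The root cause behind all three checks is a server that validates the token's shape instead of looking it up. The added example below (mine, not from the original post) puts the two approaches side by side using the UUIDs from the list above: a format-only check, including the version and variant bits, still accepts the variant with the first group zeroed, while a lookup against the session store rejects every zeroed form. The `VALID_TOKENS` store is constructed for the example.

```python
import uuid

NIL_UUID = uuid.UUID(int=0)

# Constructed session store: issued token -> user id (a real service keeps this
# in a database or cache, with an expiry).
VALID_TOKENS = {
    uuid.UUID("ad736aee-32fa-4929-8e59-abfeb3add5e0"): "user-42",
}


def looks_like_uuid4(token):
    """Format-only check, the weak pattern: parses and even inspects the version
    and variant bits, but never asks whether this token was ever issued."""
    try:
        parsed = uuid.UUID(token)
    except (ValueError, TypeError, AttributeError):
        return False
    return parsed.version == 4 and parsed.variant == uuid.RFC_4122


def authorize(authorization_header):
    """Lookup-based check: parse the bearer token, reject the nil UUID outright,
    then require that the token exists in the store. Returns the user id or None."""
    if not authorization_header or not authorization_header.startswith("Bearer "):
        return None
    raw = authorization_header[len("Bearer "):].strip()
    try:
        token = uuid.UUID(raw)
    except ValueError:
        return None
    if token == NIL_UUID:
        # Worth logging separately: a nil UUID never comes from a legitimate client.
        return None
    return VALID_TOKENS.get(token)


if __name__ == "__main__":
    for candidate in ("ad736aee-32fa-4929-8e59-abfeb3add5e0",
                      "00000000-0000-0000-0000-000000000000",
                      "00000000-32fa-4929-8e59-abfeb3add5e0",
                      "ad736aee-0000-0000-0000-abfeb3add5e0"):
        print(candidate, "format ok:", looks_like_uuid4(candidate),
              "authorized as:", authorize("Bearer " + candidate))
```

Notice that the version/variant check rejects two of the three zeroed forms only by accident (zeroing the third or fourth group also zeroes the version and variant bits); it is not a substitute for the lookup.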


Exploiting DMARC Policies for Email Spoofing

One of the best sites I've come across to check and exploit misconfiguration in email security is https://emkei.cz/

All you have to do is enter the email address that you want to spoof (something along the lines of admin@application.com) and send yourself an email

Weaponizing XSS for Maximum Impact

Broken access control

Key loggers


Finding NPM Dependency Confusion

Dependency confusion occurs when a malicious actor publishes a package to a public registry (like npm) with the same name as an internal package used by an organization, so that a build resolving that name fetches the public package instead of the internal one.

How to do it

1. Browse the application using Burp

2. Check for NPM modules loaded (things like define(["exports","../node_modules/@organization-name/package-name/)

3. Check if the organization is registered on https://www.npmjs.com/

4. If not, register it and create the package name with your malicious code

https://deephunt3r.medium.com/dependency-confusion-4d675eb36e0f
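The inventory in step 2 can be automated, and the same list is what the organization needs to close the hole: every scope that appears in its bundles should be pinned to the internal registry in `.npmrc` so the public registry is never consulted for those names. The following is an added example, not from the original post or the linked article; the bundle fragment and the `@acme-internal` scope are constructed, and the registry URL is a placeholder.

```python
import re

# Constructed bundle fragment in the shape step 2 describes.
BUNDLE = """
define(["exports","../node_modules/@acme-internal/auth-widget/dist/index.js",
        "../node_modules/lodash/lodash.js",
        "../node_modules/@acme-internal/ui-kit/index.js"], function (exports) {});
"""

# Scoped package paths as they appear in bundled JavaScript: node_modules/@scope/name/...
SCOPED_PKG = re.compile(r"node_modules/(@[a-z0-9][a-z0-9._-]*)/([a-z0-9][a-z0-9._-]*)")


def scoped_packages(js_text):
    """Return the sorted, de-duplicated (scope, package) pairs referenced in js_text."""
    return sorted(set(SCOPED_PKG.findall(js_text)))


def npmrc_pins(scopes, registry_url):
    """Generate .npmrc lines that bind each scope to the internal registry, so a
    public package with the same scoped name is never a candidate."""
    return "\n".join(f"{scope}:registry={registry_url}" for scope in sorted(set(scopes)))


if __name__ == "__main__":
    pairs = scoped_packages(BUNDLE)
    print("scoped packages exposed by the bundle:")
    for scope, name in pairs:
        print(f"  {scope}/{name}")
    print("\n.npmrc lines to pin those scopes (registry URL is a placeholder):")
    print(npmrc_pins({scope for scope, _ in pairs}, "https://npm.internal.example/"))
```

Pinning the scope in `.npmrc` is the control that works even after the scope has been registered publicly by someone else; registering the organization's scope on npmjs.com (step 3, from the defender's side) is the cheap complement that removes the opportunity in the first place.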


Generating Payloads using the SCAMMPERR Framework

Here are the 9 prompts suggested by the SCAMMPERR framework to help you generate new (payload) ideas:

1. S - Substitute - keys, values, parameters

2. C - Combine - mix, combine with other assemblies or services, integrate

3. A - Adapt - alter, change function, use part of another element

4. M - Magnify - Make it enormous, longer, higher, overstated, added features

5. M - Modify - increase or reduce in scale, change shape, modify attributes (e.g. colour)

6. P - Put to another use

7. E - Eliminate - remove elements, simplify, reduce to core functionality

8. R - Rearrange - change the order, interchange components, change the speed or other pattern.

9. R - Reverse - turn inside out or upside down


Registering Accounts using Collaborator as Inbox

Did you know that Burp Collaborator listens for SMTP messages, in addition to HTTP and DNS?

This means that you can use the Collaborator domain as a throwaway email address and register as many accounts on your target platform as you want.

Most applications will send you a verification code, which you can read from the SMTP body captured by Collaborator and use to confirm that the email is valid.

The best part is that you can have as many unique email addresses as you want without registering a new inbox for each one.

The worst part is that you'll lose access to the inbox once the Collaborator session is gone. But that's what throwaway emails are for, right?

How to do it

1. Navigate to the registration page of the app (in my case LinkedIn)

2. Copy the Collaborator URL from Burp and use it as the domain for your email (e.g. test@onfqio8a5qv1kuzw0iwchs3q7hd81zpo.oastify.com)

3. Check the collaborator requests for SMTP messages

4. Use the confirmation code in the message to confirm the legitimacy of your email


Tracking Users with Image URLs

No Collaborator? No Problem!

How to do it

1. Navigate to https://pipedream.com/requestbin

2. Create a new request bin

3. Sign up with a Google/GitHub account

4. Copy and use the Public URL as part of your pentest payloads

5. Inspect the left-hand tab for incoming requests

Note that even though you are limited to 10 valid responses per day, you can still see all incoming requests.

