add big updates
xanhacks committed Dec 1, 2023
1 parent 54814f9 commit 5894bde
Showing 24 changed files with 194 additions and 40 deletions.
10 changes: 8 additions & 2 deletions content/en/docs/client-side/browser-cache.md
Original file line number Diff line number Diff line change
Expand Up @@ -13,9 +13,15 @@ weight: 630
toc: true
---

## Todo
## Definition

todo
**Browser caching** is a process where web browsers locally store webpage resources, like images and HTML files, to improve loading speed and reduce server load for subsequent visits to the same page.

## Backward/Forward cache (BFcache)

TODO

## References

- [Mizu - Intigriti March 2023 - XSS Challenge](https://mizu.re/post/intigriti-march-2023-xss-challenge)
- [Ark - SECCON CTF 2022 Quals writeup - Web Spanote](https://blog.arkark.dev/2022/11/18/seccon-en/#web-spanote)
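Review bot: the new `## Backward/Forward cache (BFcache)` section ships with a bare `TODO` body, so the page renders an empty heading directly above the two references that are meant to illustrate it; either drop the heading until the content exists or add a one-line description of what bfcache stores so the references have context. In the definition, "reduce server load for subsequent visits" reads better as "reduce server load on subsequent visits".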
3 changes: 1 addition & 2 deletions content/en/docs/client-side/dom-clobbering.md
Expand Up @@ -13,11 +13,10 @@ weight: 620
toc: true
---

## Getting started
## Definition

**DOM Clobbering** is a vulnerability that originates from a naming collision between JavaScript variables and named HTML markups, where browsers replace pre-existing content of an undefined variable with an HTML element when the variable name and the element’s `name` (or `id`) attribute match.


## Attributes

### Attribute id
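Review bot: the hunk leaves two consecutive blank lines before `## Attributes` (the `## Getting started` line was replaced but its trailing blank line stayed); collapse them to one. In the definition, "named HTML markups" should be "named HTML elements", and "replace pre-existing content of an undefined variable" is imprecise: the clobbered name is one the script reads but never defined, and the browser resolves it to the element instead. Consider "where a reference to an undefined global resolves to an HTML element whose `name` or `id` attribute matches".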
4 changes: 2 additions & 2 deletions content/en/docs/client-side/service-worker.md
Expand Up @@ -13,6 +13,6 @@ weight: 610
toc: true
---

## Todo
## Definition

todo
**Service Workers** are JS scripts that run in the background of a web browser, separate from a web page, enabling features like push notifications and background sync, and providing offline support for web applications.
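Review bot: the definition omits the property that makes Service Workers relevant on a client-side security cheatsheet: once registered, they can intercept and rewrite every network request within their scope through the `fetch` event, which is also how the offline support mentioned here is implemented. Add that to the sentence, and write "JavaScript scripts" (or just "scripts") instead of "JS scripts".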
18 changes: 10 additions & 8 deletions content/en/docs/client-side/some.md
@@ -1,5 +1,5 @@
---
title: "Same-Origin-Method-Execution"
title: "Same Origin Method Execution"
description: "Cheatsheet on Same-Origin-Method-Execution (SOME)"
lead: "Cheatsheet on Same-Origin-Method-Execution (SOME)"
date: 2020-10-06T08:49:31+00:00
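Review bot: the `title` drops the hyphens ("Same Origin Method Execution"), but `description` and `lead` on the unchanged context lines still read "Same-Origin-Method-Execution (SOME)", and the definition added further down uses a third spelling, "Same-Origin Method Execution"; pick one form for all of them.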
Expand All @@ -13,12 +13,14 @@ weight: 630
toc: true
---

## Todo
## Definition

todo
**Same-Origin Method Execution (SOME)** is a security vulnerability that allows an attacker to execute functions of a web application in the context of another user's session. This attack exploits the same-origin policy of web browsers but requires that the target website contains a suitable vulnerable function and that the attacker tricks the user into executing malicious JavaScript in their browser.

- RCTF2023: https://www.ctfiot.com/90966.html
- Intigriti XSS challenge 1022: https://www.youtube.com/watch?v=EZfPrgrV5p4
- HackTricks: https://book.hacktricks.xyz/pentesting-web/xss-cross-site-scripting/some-same-origin-method-execution
- SOME Attack: https://www.someattack.com/Playground/About
- https://octagon.net/blog/2022/05/29/bypass-csp-using-wordpress-by-abusing-same-origin-method-execution/
## References

- [Real World CTF 2023 - The cult of 8 bit](https://www.ctfiot.com/90966.html)
- [Youtube - Intigriti XSS challenge 1022](https://www.youtube.com/watch?v=EZfPrgrV5p4)
- [HackTricks - SOME](https://book.hacktricks.xyz/pentesting-web/xss-cross-site-scripting/some-same-origin-method-execution)
- [SOME Attack](https://www.someattack.com/Playground/About)
- [Bypass CSP Using WordPress By Abusing Same Origin Method Execution](https://octagon.net/blog/2022/05/29/bypass-csp-using-wordpress-by-abusing-same-origin-method-execution/)
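Review bot: the first reference was renamed from "RCTF2023" to "Real World CTF 2023 - The cult of 8 bit" while keeping the same URL; RCTF and Real World CTF are different events, so check which one the writeup belongs to before merging. In the definition, "exploits the same-origin policy" is misleading: SOME does not break the policy, it abuses a function the vulnerable page itself exposes (typically a caller-controlled callback name) so that the chosen function runs within that page's own origin; "requires that the target website contains a suitable vulnerable function" should say what makes the function suitable. Minor: "Youtube" should be "YouTube".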
2 changes: 1 addition & 1 deletion content/en/docs/client-side/window.md
Expand Up @@ -13,7 +13,7 @@ weight: 620
toc: true
---

## Introduction
## Definition

The [Window](https://developer.mozilla.org/en-US/docs/Web/API/Window) interface represents a window containing a DOM document; the document property points to the DOM document loaded in that window.
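Review bot: `document` in "the document property points to the DOM document" is a property name and should be in backticks, matching how `Window` is presented; the sentence is the wording of the MDN page it links to, so consider attributing it or rephrasing.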

11 changes: 7 additions & 4 deletions content/en/docs/client-side/xsleaks.md
Expand Up @@ -13,9 +13,12 @@ weight: 630
toc: true
---

## Todo
## Definition

todo
**XS Leaks** (Cross-Site Leaks) enable attackers to leak sensitive information from a different origin by exploiting side-channel techniques, which observe the behavior of the browser rather than directly accessing the data.

- https://infosec.zeyu2001.com/2023/from-xs-leaks-to-ss-leaks
- https://twitter.com/terjanq/status/1686701251080097792?t=LlxlNiIwGjCl0r2n1I7ujg&s=33
## References

- [XS-Leaks Wiki](https://xsleaks.dev/)
- [From XS-Leaks to SS-Leaks Using object](https://infosec.zeyu2001.com/2023/from-xs-leaks-to-ss-leaks)
- [XS-Leaks with Restrictive CSP](https://twitter.com/terjanq/status/1686701251080097792)
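Review bot: the bold term is written "XS Leaks" while the references, the linked wiki and the expansion "(Cross-Site Leaks)" all use the hyphenated "XS-Leaks"; use the hyphenated form in the definition. Stripping the `?t=...&s=33` tracking parameters from the Twitter link is good; the titles given to that link and to the zeyu2001 post cannot be checked from the diff, so confirm they match the linked pages.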
4 changes: 4 additions & 0 deletions content/en/docs/client-side/xss.md
Expand Up @@ -13,6 +13,10 @@ weight: 620
toc: true
---

## Definition

**Cross-Site Scripting (XSS)** is a security vulnerability that allows attackers to inject malicious scripts into webpages viewed by other users.

## Basic payloads

- [Cross-site scripting (XSS) cheat sheet - PortSwigger](https://portswigger.net/web-security/cross-site-scripting/cheat-sheet): List of XSS payloads.
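Review bot: the definition should say where the injected script runs, since that is what makes XSS dangerous: it executes in the victim's browser with the origin of the vulnerable site, so it can read that site's DOM and act as the user toward it. "webpages" should be "web pages", consistent with "web application" elsewhere in this commit.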
7 changes: 3 additions & 4 deletions content/en/docs/framework/express.md
Expand Up @@ -13,7 +13,7 @@ weight: 620
toc: true
---

## Express stack
## Express

[Express](https://www.npmjs.com/package/express) is a minimalist web framework for Node.js which has 31 [dependencies](https://www.npmjs.com/package/express?activeTab=dependencies).
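Review bot: "which has 31 dependencies" is a point-in-time count that will drift with every Express release; either drop the number and keep the link, or qualify it with the version it was counted against.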

Expand Down Expand Up @@ -186,13 +186,12 @@ exports.renderFile = function () {
The `opts` variable is then passed to the `Template` object. So, we can get a RCE with the following query string.

```
?settings[view options][escape]=1;return+process.mainModule.require("child_process").execSync("id").toString();
&client=1
?client=1&settings[view options][escape]=1;return+process.mainModule.require("child_process").execSync("id").toString();
```

This query string is equals to:

```json
```js
{
settings: {
'view options': {
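Review bot: "This query string is equals to:" on the context line should read "is equivalent to:". Switching the fence from `json` to `js` is correct, because the object literal uses unquoted keys and is not valid JSON; the query-string fence above it still has no language tag while the rest of the file tags its fences, so tag it as well.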
14 changes: 8 additions & 6 deletions content/en/docs/framework/nginx.md
Expand Up @@ -15,7 +15,9 @@ toc: true

## Nginx

### Passing Request Headers
[Nginx](https://nginx.org/) is a high-performance web server, reverse proxy, and load balancer, known for its efficiency and low resource consumption.

## Passing Request Headers

By default, NGINX eliminates the header fields whose values are empty strings and redefines two header fields in proxied requests:
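Review bot: the product name appears as "Nginx" in the heading and link text and as "NGINX" in the body sentence that follows; pick one. Promoting `### Passing Request Headers` to `##` matches the other heading changes in this file, but it leaves `## Nginx` holding only the definition sentence, whereas the client-side pages in this commit call that section `## Definition`; consider the same heading here.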

Expand All @@ -24,7 +26,7 @@ By default, NGINX eliminates the header fields whose values are empty strings an

To change these setting, as well as modify other header fields, use the `proxy_set_header` directive.

### Caching
## Caching

By default, NGINX Plus caches all responses to requests:
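Review bot: "To change these setting" on the context line should be "these settings". "By default, NGINX Plus caches all responses to requests" only holds once `proxy_cache` has been enabled for a location (it is off by default); as written, the sentence reads as if caching were on out of the box.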

Expand Down Expand Up @@ -52,19 +54,19 @@ To change the request characteristics used in calculating the key, include the `
proxy_cache_key "$host$request_uri$cookie_user";
```

### Security
## Security

#### Basic Auth
### Basic Auth

- `auth_basic_user_file`: The path to the .htpasswd file that contain user/password pairs
- Package `apache2-utils` or `httpd-tools`
- Command `htpasswd -c /etc/apache2/.htpasswd user1`

#### Filtering
### Filtering

- `allow` / `deny`: Allow or deny access from particular IP addresses / subnets

#### Rate limit
### Rate limit

Limit of 1 request per minute based on IP address (binary mode for performance). [Learn more](https://docs.nginx.com/nginx/admin-guide/security-controls/controlling-access-proxied-http/#limiting-the-request-rate)
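Review bot: in Basic Auth, "the .htpasswd file that contain user/password pairs" should be "contains", and the list never mentions the `auth_basic` directive that actually turns authentication on; `auth_basic_user_file` alone does nothing. Under Rate limit, "(binary mode for performance)" refers to keying the zone on `$binary_remote_addr`; name the variable so the reader can find it in the linked documentation.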

2 changes: 1 addition & 1 deletion content/en/docs/framework/sping_boot.md
Expand Up @@ -13,7 +13,7 @@ weight: 620
toc: true
---

## Definition
## Spring Boot

[Spring Boot](https://spring.io/) is a Java-based framework used to create stand-alone, production-grade Spring applications with minimal configuration. It simplifies the bootstrapping and development of new Spring applications by providing various capabilities like auto-configuration, standalone code, and opinionated defaults.
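Review bot: this hunk renames `## Definition` to `## Spring Boot`, while browser-cache.md, dom-clobbering.md and the other client-side pages in the same commit rename their first section to `## Definition`; the two conventions should not both land in one commit. The file itself is named `sping_boot.md` (missing "r"); if the path is corrected, update any links that point to it.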

1 change: 1 addition & 0 deletions content/en/docs/getting-started/vulnerability-reports.md
Expand Up @@ -41,6 +41,7 @@ toc: true
- [Article - The great SameSite confusion](https://jub0bs.com/posts/2021-01-29-great-samesite-confusion/)
- [Article - CSP bypass on Wordpress using SOME](https://octagon.net/blog/2022/05/29/bypass-csp-using-wordpress-by-abusing-same-origin-method-execution/)
- [Article - XSS with bypass on ProtonMail webclient](https://www.sonarsource.com/blog/code-vulnerabilities-leak-emails-in-proton-mail/)
- [Article - Fetch Diversion](https://acut3.net/posts/2023-01-03-fetch-diversion/)

## Server-Side

3 changes: 3 additions & 0 deletions content/en/docs/http/content-type.md
Expand Up @@ -13,6 +13,9 @@ weight: 620
toc: true
---

## Content-Type

[Content-Type](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Type) is an HTTP header used to indicate the media type (MIME type) of the resource being sent in the response body, such as "text/html" for HTML documents or "application/json" for JSON data.

## Script loading Content-Type page
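Review bot: the media-type examples `"text/html"` and `"application/json"` are literal header values and belong in backticks rather than quotation marks, matching how the page formats code; the new section title repeats the page title, so `## Definition`, as used by the client-side pages in this commit, would be more consistent.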

4 changes: 4 additions & 0 deletions content/en/docs/http/cookie.md
Expand Up @@ -13,6 +13,10 @@ weight: 620
toc: true
---

## Cookies

[Cookies](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies) are small pieces of data stored on a user's device by a web browser, used to remember information about the user, such as login details, preferences, browsing activity...

## Cookies Attributes

### HttpOnly
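Review bot: the definition ends with "browsing activity..."; close the list with "and so on" rather than a trailing ellipsis. On the unchanged context line, `## Cookies Attributes` should be `## Cookie Attributes`.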
4 changes: 4 additions & 0 deletions content/en/docs/others/browser-exploit.md
Expand Up @@ -13,6 +13,10 @@ weight: 620
toc: true
---

## Definition

**Browser exploits** are vulnerabilities in web browsers to execute unauthorized actions, such as stealing data, reading files, or obtain remote code execution.

## Chrome - Remote Debugging Port

```bash
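Review bot: the definition conflates exploit and vulnerability: an exploit is code that abuses a browser vulnerability, not the vulnerability itself, and "stealing data, reading files, or obtain remote code execution" breaks parallelism. Suggest: "Browser exploits abuse vulnerabilities in web browsers to perform unauthorized actions, such as stealing data, reading local files, or gaining remote code execution."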
4 changes: 4 additions & 0 deletions content/en/docs/others/debugging.md
Expand Up @@ -13,6 +13,10 @@ weight: 620
toc: true
---

## Definition

**Debugging** involves examining and testing software to understand its behavior, identify any anomalies or errors.

## Node.js

### VSCode
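Review bot: "to understand its behavior, identify any anomalies or errors" is missing a conjunction; "to understand its behavior and identify anomalies or errors".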
93 changes: 85 additions & 8 deletions content/en/docs/others/open-redirect.md
Expand Up @@ -13,11 +13,88 @@ weight: 620
toc: true
---

- https://www.youtube.com/attribution_link?u=https://[email protected]
- https://www.youtube.com/attribution_link?u=https://m.youtube.com.xanhacks.xyz
- https://www.youtube.com/logout?continue=https://google.com/amp/xanhacks.xyz
- https://accounts.google.com/ServiceLogin?continue=https://google.com/amp/xanhacks.xyz
- https://accounts.google.com/SignOutOptions?hl=fr&continue=https://google.com/amp/xanhacks.xyz
- https://google.com/amp/xanhacks.xyz

- TODO: Fetch on OPR
## Definition

**Open Redirect** (or OPR) occurs when a web application redirects a user to an URL without properly validating the redirect target.

## OPR to XSS

When you have a client-side redirection using `window.location = target`, you can trigger an XSS attack using the `javascript:` protocol. Example:

```js
window.location = "javascript:alert(document.domain)"
// ?redirect=javascript:alert(document.domain)
```

## OPR to External URLs

**Open Redirect to external URLs** can enhance the success rate of phishing attacks if victims trust the main domain, but it still requires user interaction from the victim.

Example: `https://example.com?redirect=https://evil.com`

## Execution After Redirect (EAR)

**Execution After Redirect** happens when a server redirects a user but executes code on the server before the redirection occurs. Example:

```php
<?php
session_start();

if (!isset($_SESSION['auth'])) {
header("Location: /login");
}

echo "Private content!";
```

You can access the private content in the response body if the execution is not terminated after the redirection.

```
$ curl -v 'http://localhost:8888'
< HTTP/1.1 302 Found
< Host: localhost:8888
< Location: /login
< [...]
Private content!
```

Fix using the `exit` function in PHP:

```php
if (!isset($_SESSION['auth'])) {
header("Location: /login");
exit();
}
```

## Follow redirects

**Follow redirects** refers to the process where an HTTP client automatically proceeds the redirection. Examples:

```python
>>> import requests
>>> requests.get("http://localhost:8888?redirect=https://xanhacks.xyz").url
'https://xanhacks.xyz'
```

```js
fetch("/?redirect=https://xanhacks.xyz")
.then(r => r.text())
.then(html => console.log(html)) // HTML content of xanhacks.xyz
```

## OPR on famous websites

### Google

Open Redirect is not considered a vulnerability by Google, so they will not fix the following ones:

```
https://www.youtube.com/attribution_link?u=https://[email protected]
https://www.youtube.com/attribution_link?u=https://m.youtube.com.xanhacks.xyz
https://www.youtube.com/logout?continue=https://google.com/amp/xanhacks.xyz
https://accounts.google.com/ServiceLogin?continue=https://google.com/amp/xanhacks.xyz
https://accounts.google.com/SignOutOptions?hl=fr&continue=https://google.com/amp/xanhacks.xyz
https://google.com/amp/xanhacks.xyz
```
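Review bot: the comment `// HTML content of xanhacks.xyz` in the `fetch` example only holds if xanhacks.xyz answers with an `Access-Control-Allow-Origin` header that matches the calling origin: `fetch` follows the redirect, but its default `cors` mode applies the CORS check to the final cross-origin response, and without that header the `fetch()` promise rejects with a `TypeError` and neither `.then` callback runs. State that assumption next to the example, since the Python `requests` call above it has no such restriction. Smaller points: "redirects a user to an URL" should be "a URL", and "automatically proceeds the redirection" should be "automatically follows the redirection"; the EAR fix with `exit()` is correct.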
Expand Up @@ -8,11 +8,15 @@ draft: false
images: []
menu:
docs:
parent: "javascript"
parent: "others"
weight: 620
toc: true
---

## Definition

**Prototype pollution** is a security vulnerability in JavaScript where an attacker modifies a prototype of a standard object, potentially leading to unintended side effects or behavior in applications that rely on those objects.

## Payloads

```js
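Review bot: the `menu.docs.parent` change from `javascript` to `others` moves the page into a different section of the site, and the file header for this file is missing from the rendered view, so check that the Markdown file was moved along with it and that no other page links to the old location. In the definition, "a prototype of a standard object" is vague; the usual target is `Object.prototype`, reached through a `__proto__` or `constructor.prototype` key in untrusted input, and the consequence worth stating is that every object then inherits the injected property.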
4 changes: 4 additions & 0 deletions content/en/docs/programming/javascript/javascript.md
Expand Up @@ -13,6 +13,10 @@ weight: 620
toc: true
---

## Javascript

**JavaScript** is a dynamic, high-level programming language widely used for web development, enabling interactive and dynamic content on websites and applications, both on the client and server side.

## let and var

```js
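Review bot: the heading reads `## Javascript` while the bold term on the next line is `**JavaScript**`; use the capitalised form in both. The client-side pages in this commit name this section `## Definition`, which would also avoid repeating the page title.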
2 changes: 2 additions & 0 deletions content/en/docs/programming/php.md
Expand Up @@ -8,6 +8,8 @@ draft: false
images: []
---

## PHP

[PHP](https://www.php.net/) is a popular general-purpose scripting language that is especially suited to web development.

## PHP Wrappers
4 changes: 4 additions & 0 deletions content/en/docs/programming/python.md
Expand Up @@ -13,6 +13,10 @@ weight: 620
toc: true
---

## Python

[Python](https://www.python.org/) is a high-level, interpreted programming language known for its simplicity and readability.

## Modules

### os.path