View the Index

Total Page:16

File Type:pdf, Size:1020Kb


INDEX

Symbols and Numbers
; (semicolon), 110
-- (MySQL comment), 83, 84
<> (angle brackets), 53, 56
../ file path reference, 128
/ (forward slash), 99
| (pipe), 124
` (backtick), 122, 124
" (double quote), 56
' (single quote), 44–46, 56
# (hash), 44, 69
% (percent), 112
%00 (null byte), 99
%0A (line feed), 49
%0D (carriage return), 49
& (ampersand), 22–23, 110, 112
2FA (two-factor authentication), 183–184
32-bit processors, 133
64-bit processors, 133
127.0.0.1 (localhost), 102, 104–105
.docx file type, 113–114
!ELEMENT (XML), 110, 111–112
!ENTITY (XML), 110, 111–112
<img> tags, 32, 36–37, 63–65, 70, 171
<s> tag, 198

A
Abma, Jobert, 183–184, 198, 207–208
about:blank context, 57
Access-Control-Allow-Origin header, 34
access_denied parameter, 47
access_token (OAuth), 169–170
ACME customer information disclosure, 163–165
Ahrens, Julien, 101–104
alert function, 56, 65, 69–70
Algolia remote code execution bug, 125–127
Amass, 211
Amazon Simple Storage (S3)
    and bucket permissions, 181–183
    subdomain takeovers, 141–142
Amazon Web Services, 192
ampersand (&), 22–23, 110, 112
angle brackets (<>), 53, 56
AngularJS template engine
    injection examples, 73–74, 198–199
    Sandbox bypasses, 72–73
API. See application programming interface (API)
apok (hacker), 186
application/json content-type, 33–34, 35
application logic and configuration vulnerabilities, 177–190
    GitLab two-factor authentication bug, 183–184
    HackerOne and S3 bucket permissions, 181–183
    HackerOne Hacktivity voting, 186–187
    HackerOne Signal manipulation, 180–181
    overview, 177–178, 189–190
    PornHub memcache installation, 188–189
    Shopify administrator privileges bypass, 179
    Twitter account protections, 180
    Yahoo! PHP info disclosure, 184–186
application programming interface (API), 7, 37–38, 90, 180, 197
application/x-www-form-urlencoded content-type, 32–34, 35
Aquatone, 194
A records, 140
arrays, 91–93
asset takeovers, 174–176. See also subdomain takeover vulnerabilities
Assis, Rodolfo, 69–70
authentication
    HTTP requests, 50, 54, 150
    misconfigurations, 173–174, 197
    process, 30
Authmatrix plug-in, 160
autofocus attribute, 58
automation techniques, 185–186, 200
Autorize plug-in, 160
AWS metadata query bug, 100

B
Bacchus, Adam, 206
background jobs, 153–154, 156
backtick (`), 122, 124
Badoo full account takeover, 38–40
banking application illustrations
    cross-site request forgeries, 29–30, 31–34
    HTTP parameter pollution, 20–22
    race conditions, 149–150
base64-encoded content, 9
bash, 120, 185–186
binary.com privilege escalation, 159–160
blacklisted characters, 52
blind SQLi, 84–87
blind SSRFs, 97–98
blind XSS attacks, 60, 198
Boolean attribute checks, 64, 86–87
Bounty Factory, 219
browsers
    and cookies, 30–31
    operations, 6–7
    plug-ins for, 216
brute-forcing, 88–89, 195, 199, 211
Bryant, Matthew, 60, 223
Bucket Finder, 182, 214
Buerhaus, Brett, 99–100, 222
buffer overflow vulnerabilities, 130–133, 134–135
bug bounties, 2
    platforms, 219–220
    programs, 2, 90, 123, 188, 189, 203–204
Bugbounty JP, 219
Bugcrowd resources, 219, 222, 223
A Bug Hunter's Diary (Klein), 220
The Bug Hunters Methodology (Haddix), 220
bug reporting
    after disclosures, 125
    approach, 204–207
    and hacker's reputation, 205–206
    informative, 163–164
    permission to test further, 76
    proof of concept tips, 145
    responses to, 16, 164–165
    rewards appeals, 207–208
bugs previously reported, 125, 196
BuiltWith, 72, 213
Burp Suite, 40, 152, 158, 160, 195, 199–200, 210

C
Cable, Jack, 172
cache poisoning, 50
call_user_func (PHP), 121
Carettoni, Luca, 21, 22
carriage return line feed (CRLF)
    CRLF injection vulnerabilities, 49–54
    overview, 49–50, 54
    Shopify response splitting, 51–52
    Twitter response splitting, 52–54
Cascading Style Sheets (CSS), 6
C/C++ memory management, 129–133, 135
CDNs (content delivery networks), 144
censys.io website, 143, 214
certificate hashes tracking site, 143
Chan, Ron, 224
characters. See also sanitization of characters
    blacklisted, 52–53
    encoding, 42–45, 49, 88–90, 173–174
Charles (web proxy), 210
client-side HPP, 19, 22–23
client-side template injection (CSTI) vulnerabilities, 72–73, 73–74
clients
    defined, 3
    OAuth resource, 168–170
CNAME records, 140–146
Cobalt, 219
Coinbase comment injection, 42–43
comments in SQL queries, 83, 84, 92
companies
    acquisition process exposures, 142
    and bug bounty programs, 2, 204, 206–208
configuration vulnerabilities, 177–178
CONNECT method, 7–8
connection headers, 5
content attribute, 13, 45
content delivery networks (CDNs), 144
content discovery, 195
content spoofing, 41–42, 48
content-type headers, 6, 32–34, 35, 54
cookies
    and carriage return line feed injection, 50, 51–54
    in cross-site request forgeries, 32, 35–36
    in cross-site scripting, 56
    forgeries on, 126–127, 128
    operations and attributes, 30–31
    in subdomain takeovers, 140–141
CORS. See cross-origin resource sharing (CORS)
Coursera, 218
CRLF characters. See carriage return line feed (CRLF)
CRLF injection. See carriage return line feed (CRLF), 49–54
cross-origin resource sharing (CORS), 7, 34, 35, 38
cross-site request forgery (CSRF), 29–40
    Badoo full account takeover, 38–40
    defenses, 34–36
    Instacart, 37–38
    overview, 29–30, 40
    vs. server-side request forgeries, 95
    Shopify Twitter disconnect, 36–37
cross-site scripting (XSS) vulnerabilities, 55–70. See also XSS Jigsaw blog; XSSHunter
    and client-side template injections, 72
    Google image search, 65–66
    Google tag manager, 66–67
    overview, 55–58
    Shopify currency formatting, 62–63
    Shopify wholesale, 61–62
    types, 58–61
    United Airlines, 67–70
    Yahoo! Mail stored XSS, 63–65
crt.sh website, 143, 211
CSRF. See cross-site request forgery (CSRF)
CSRF tokens, 33–35, 38–40, 45
CSTI. See client-side template injection (CSTI) vulnerabilities
Cure53 Browser Security White Paper, 220
cURL requests, 124–125, 136
CVEs (disclosed security issues), 127
CyberChef, 44, 214

D
dangerouslySetInnerHTML function, 45, 72
databases, 150–151. See also SQL databases
db_query function (SQL), 92
De Ceukelaire, Inti, 44–46
DELETE method, 7–8
deserialization, 126–127
Detectify Labs, 112, 201, 223
dex2jar, 215
"did not respond", 102
dig A command, 4
directory and file enumeration tools, 212
disclosed security issues (CVEs), 127
DNS. See Domain Name System (DNS)
Document Object Model (DOM), 13, 45
document parameters, 16, 56
document type definitions (DTDs), 108–110
domain cookie attribute, 30–31
Domain Name System (DNS), 3–4, 14, 97–98, 101–104, 141, 142
domain names, 3, 139–140
domain_name parameter, 14
DOM-based XSS, 59–60
Drupal SQLi, 90–93
DTDs (document type definitions), 108–110

E
Ebrietas (hacker), 144
EdOverflow (hacker), 146–147
email bug hunting examples, 74–76, 78–80, 87–90
Emek, Tanner, 154–155
encoded characters, 42–45, 49, 173–174, 197
error messages, 144
escapeshellcmd (PHP), 120–121
E-Sports Entertainment Association (ESEA) bug, 98–100
expandArguments function (SQL), 91–92
expires cookie attribute, 31
Exploit Database (DB), 195, 218
eXtensible Markup Language (XML), 110–117
    entities, 110
    overview, 107–110
    parsing and file types, 111–117
external HTTP requests, 96–97, 100–104, 104–105
EyeWitness, 127, 188, 212

F
Facebook
    and OAuth access token bug, 174–176
    ReactJS template engine, 72
    XXE with Microsoft Word bug, 112–114
Fastly, 144
Fehrenbach, Patrik, 66–67, 185–186, 222, 224
Fiddler (web proxy), 210
file and directory enumeration tools, 212
FileDescriptor (hacker), 46, 52–53, 59, 202, 224
file path expressions, 128
file types, 99, 114, 124–125, 197
file uploads, 122–123
filtered ports, 97
Firefox cookie bug, 52
firewall evasion, 50
flags on command line, 121
Flask Jinja2 template injection, 74, 123
Flurry password authentication, 172
forms
    hidden HTML, 33, 37
    as HTML injection, 42–43
forward slash (/), 99
FoxyProxy add-on, 216
Franjković, Josip, 152
ftp_genlist() function (PHP), 134–135
functionality mapping, 197–198
function execution, 121–122
fuzzing, 182

G
Gamal, Mahmoud, 159
GET requests
    in cross-site request forgeries, 31–32, 35, 40
    with open redirects, 12, 13
    operations, 7
    and server-side modifications, 36–37
    with SSRFs, 97
Ghostscript vulnerabilities, 202
Gill, Andy, 188–189, 224
GitHub, 126, 141, 178, 195
GitLab two-factor authentication bug, 183–184
Gitrob, 126, 195, 215
Gobuster, 195, 212
Google
    AngularJS template engine, 72–73, 73–76
    bug bounty program, 11
    dig tool, 101–104
    internal DNS SSRF, 100–104
Google bugs
    image search, 65–66
    tag manager, 66–67
    XXE vulnerability, 112
Google Chrome XSS Auditor, 59
Google dorking, 99, 100, 162, 195, 214
Google Gruyere, 218
Gowitness, 194, 212

H
The Hacker Blog, 223
Hacker101, 218
HackerOne bugs
    Hacktivity voting, 186–187
    interstitial redirect vulnerability, 13, 15–16
    invite multiple times, 150–151
    payments race condition, 153–154
    and S3 bucket permissions, 181–183
    Signal manipulation, 180–181
    social sharing buttons, 23–24
    unintended HTML inclusion, 44–47
HackerOne resources, 219, 221, 223
hacking blogs, 222–224
hacking techniques, 191–202
    efficiency suggestions, 200–202
    overview, 191–192, 202
    reconnaissance, 192–196
    testing, 196–200
Hacking: The Art of Exploitation (Erikson), 221
hacking tools, 214–215
Hack the Box, 218
Harewood, Philippe, 174–176, 201, 224
harry_mg (hacker), 142
Hasan, Mustafa, 67–70
hash (#), 44, 69
headers
    host and connection, 5
    injections, 50–52
HEAD method, 7–8
Heartbleed bug, 133–134
Heroku platform subdomain takeover example, 140–141
Hypertext Markup Language (HTML). See also HTML injection vulnerabilities
    character encoding, 42–43
    hidden forms, 33, 37
    rendering, 6
Hypertext Transfer Protocol (HTTP). See also HTTP parameter pollution (HPP); HTTP requests; HTTPScreenShot
    HTTPS sites, 31
    messages,