Normalize page header for JWT, LDAP, LaTeX, OAuth, ORM

swisskyrepo · Nov 10, 2024 · 1a3e605 · 1a3e605
1 parent 2304101
commit 1a3e605
Show file tree

Hide file tree

Showing 10 changed files with 103 additions and 86 deletions.
diff --git a/JSON Web Token/README.md b/JSON Web Token/README.md
@@ -2,7 +2,8 @@
 
 > JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed.
 
-## Summary 
+
+## Summary
 
 - [Tools](#tools)
 - [JWT Format](#jwt-format)
@@ -23,6 +24,7 @@
 - [JWT Claims](#jwt-claims)
     - [JWT kid Claim Misuse](#jwt-kid-claim-misuse)
     - [JWKS - jku header injection](#jwks---jku-header-injection)
+- [Labs](#labs)
 - [References](#references)
 
 
@@ -509,6 +511,14 @@ You should create your own key pair for this attack and host it. It should look
 * [PortSwigger - JWT authentication bypass via jwk header injection](https://portswigger.net/web-security/jwt/lab-jwt-authentication-bypass-via-jwk-header-injection)
 * [PortSwigger - JWT authentication bypass via jku header injection](https://portswigger.net/web-security/jwt/lab-jwt-authentication-bypass-via-jku-header-injection)
 * [PortSwigger - JWT authentication bypass via kid header path traversal](https://portswigger.net/web-security/jwt/lab-jwt-authentication-bypass-via-kid-header-path-traversal)
+* [Root Me - JWT - Introduction](https://www.root-me.org/fr/Challenges/Web-Serveur/JWT-Introduction)
+* [Root Me - JWT - Revoked token](https://www.root-me.org/en/Challenges/Web-Server/JWT-Revoked-token)
+* [Root Me - JWT - Weak secret](https://www.root-me.org/en/Challenges/Web-Server/JWT-Weak-secret)
+* [Root Me - JWT - Unsecure File Signature](https://www.root-me.org/en/Challenges/Web-Server/JWT-Unsecure-File-Signature)
+* [Root Me - JWT - Public key](https://www.root-me.org/en/Challenges/Web-Server/JWT-Public-key)
+* [Root Me - JWT - Header Injection](https://www.root-me.org/en/Challenges/Web-Server/JWT-Header-Injection)
+* [Root Me - JWT - Unsecure Key Handling](https://www.root-me.org/en/Challenges/Web-Server/JWT-Unsecure-Key-Handling)
+
 
 ## References
 

diff --git a/LDAP Injection/README.md b/LDAP Injection/README.md
@@ -2,18 +2,22 @@
 
 > LDAP Injection is an attack used to exploit web based applications that construct LDAP statements based on user input. When an application fails to properly sanitize user input, it's possible to modify LDAP statements using a local proxy.
 
+
 ## Summary
 
-* [Exploitation](#exploitation)
+* [Methodology](#methodology)
 * [Payloads](#payloads)
 * [Blind Exploitation](#blind-exploitation)
 * [Defaults attributes](#defaults-attributes)
 * [Exploiting userPassword attribute](#exploiting-userpassword-attribute)
 * [Scripts](#scripts)
   * [Discover valid LDAP fields](#discover-valid-ldap-fields)
   * [Special blind LDAP injection](#special-blind-ldap-injection)
+* [Labs](#labs)
+* [References](#references)
+
 
-## Exploitation
+## Methodology
 
 Example 1.
 
@@ -78,6 +82,7 @@ We can extract using a bypass login
 (&(sn=administrator)(password=MYKE)) : OK
 ```
 
+
 ## Defaults attributes
 
 Can be used in an injection like `*)(ATTRIBUTE_HERE=*`
@@ -94,6 +99,7 @@ givenName
 commonName
 ```
 
+
 ## Exploiting userPassword attribute
 
 `userPassword` attribute is not a string like the `cn` attribute for example but it’s an OCTET STRING
@@ -113,15 +119,12 @@ userPassword:2.5.13.18:=\xx\xx\xx
 
 ```python
 #!/usr/bin/python3
-
 import requests
 import string
 
 fields = []
-
 url = 'https://URL.com/'
-
-f = open('dic', 'r') #Open the worldists of common attributes
+f = open('dic', 'r')
 world = f.read().split('\n')
 f.close()
 
@@ -137,7 +140,6 @@ print(fields)
 
 ```python
 #!/usr/bin/python3
-
 import requests, string
 alphabet = string.ascii_letters + string.digits + "_@{}-/()!\"$%=^[]:;"
 
@@ -152,15 +154,14 @@ for i in range(50):
             break
 ```
 
+Exploitation script by [@noraj](https://github.com/noraj)
 
 ```ruby
 #!/usr/bin/env ruby
-
 require 'net/http'
 alphabet = [*'a'..'z', *'A'..'Z', *'0'..'9'] + '_@{}-/()!"$%=^[]:;'.split('')
 
 flag = ''
-
 (0..50).each do |i|
   puts("[i] Looking for number #{i}")
   alphabet.each do |char|
@@ -174,7 +175,12 @@ flag = ''
 end
 ```
 
-By [noraj](https://github.com/noraj)
+
+
+## Labs
+
+* [Root Me - LDAP injection - Authentication](https://www.root-me.org/en/Challenges/Web-Server/LDAP-injection-Authentication)
+* [Root Me - LDAP injection - Blind](https://www.root-me.org/en/Challenges/Web-Server/LDAP-injection-Blind)
 
 
 ## References

diff --git a/LaTeX Injection/README.md b/LaTeX Injection/README.md
@@ -1,17 +1,23 @@
-# LaTex Injection
+# LaTeX Injection
+
+> LaTeX Injection is a type of injection attack where malicious content is injected into LaTeX documents. LaTeX is widely used for document preparation and typesetting, particularly in academia, for producing high-quality scientific and mathematical documents. Due to its powerful scripting capabilities, LaTeX can be exploited by attackers to execute arbitrary commands if proper safeguards are not in place. 
+
 
 ## Summary
 
-* [Read File](#read-file)
-* [Write File](#write-file)
+* [File Manipulation](#file-manipulation)
+    * [Read File](#read-file)
+    * [Write File](#write-file)
 * [Command Execution](#command-execution)
 * [Cross Site Scripting](#cross-site-scripting)
 * [References](#references)
 
 
-## Read File
+## File Manipulation
 
-You might need to adjust injection with wrappers as `\[` or `$`.
+### Read File
+
+Attackers can read the content of sensitive files on the server.
 
 Read file and interpret the LaTeX code in it:
 
@@ -70,7 +76,7 @@ To bypass a blacklist try to replace one character with it's unicode hex value.
 \lstin^^70utlisting{/etc/passwd}
 ```
 
-## Write File
+### Write File
 
 Write single lined file:
 
@@ -83,6 +89,7 @@ Write single lined file:
 \closeout\outfile
 ```
 
+
 ## Command Execution
 
 The output of the command will be redirected to stdout, therefore you need to use a temp file to get it.
@@ -104,6 +111,7 @@ If you get any LaTex error, consider using base64 to get the result without bad
 \input{|"/bin/hostname"}
 ```
 
+
 ## Cross Site Scripting
 
 From [@EdOverflow](https://twitter.com/intigriti/status/1101509684614320130) 
@@ -120,6 +128,12 @@ in [mathjax](https://docs.mathjax.org/en/latest/input/tex/extensions/unicode.htm
 ```
 
 
+## Labs
+
+* [Root Me - LaTeX - Input](https://www.root-me.org/en/Challenges/App-Script/LaTeX-Input)
+* [Root Me - LaTeX - Command execution](https://www.root-me.org/en/Challenges/App-Script/LaTeX-Command-execution)
+
+
 ## References
 
 - [Hacking with LaTeX - Sebastian Neef - March 10, 2016](https://0day.work/hacking-with-latex/)

diff --git a/Mass Assignment/README.md b/Mass Assignment/README.md
@@ -4,12 +4,12 @@
 
 ## Summary
 
-* [Exploit](#exploit)
+* [Methodology](#methodology)
 * [Labs](#labs)
 * [References](#references)
 
 
-## Exploit
+## Methodology
 
 Mass assignment vulnerabilities are most common in web applications that use Object-Relational Mapping (ORM) techniques or functions to map user input to object properties, where properties can be updated all at once instead of individually. Many popular web development frameworks such as Ruby on Rails, Django, and Laravel (PHP) offer this functionality.
 

diff --git a/Methodology and Resources/Miscellaneous - Tricks.md b/Methodology and Resources/Miscellaneous - Tricks.md
diff --git a/NoSQL Injection/README.md b/NoSQL Injection/README.md
@@ -2,10 +2,11 @@
 
 > NoSQL databases provide looser consistency restrictions than traditional SQL databases. By requiring fewer relational constraints and consistency checks, NoSQL databases often offer performance and scaling benefits. Yet these databases are still potentially vulnerable to injection attacks, even if they aren't using the traditional SQL syntax.
 
+
 ## Summary
 
 * [Tools](#tools)
-* [Exploit](#exploits)
+* [Methodology](#methodology)
     * [Authentication Bypass](#authentication-bypass)
     * [Extract length information](#extract-length-information)
     * [Extract data information](#extract-data-information)
@@ -14,16 +15,18 @@
     * [POST with urlencoded body](#post-with-urlencoded-body)
     * [GET](#get)
 * [MongoDB Payloads](#mongodb-payloads)
+* [Labs](#references)
 * [References](#references)
 
+
 ## Tools
 
 * [codingo/NoSQLmap](https://github.com/codingo/NoSQLMap) - Automated NoSQL database enumeration and web application exploitation tool
 * [digininja/nosqlilab](https://github.com/digininja/nosqlilab) - A lab for playing with NoSQL Injection
 * [matrix/Burp-NoSQLiScanner](https://github.com/matrix/Burp-NoSQLiScanner) - This extension provides a way to discover NoSQL injection vulnerabilities. 
 
 
-## Exploit
+## Methodology
 
 ### Authentication Bypass
 
@@ -214,6 +217,12 @@ db.injection.insert({success:1});return 1;db.stores.mapReduce(function() { { emi
 ```
 
 
+## Labs
+
+* [Root Me - NoSQL injection - Authentication](https://www.root-me.org/en/Challenges/Web-Server/NoSQL-injection-Authentication)
+* [Root Me - NoSQL injection - Blind](https://www.root-me.org/en/Challenges/Web-Server/NoSQL-injection-Blind)
+
+
 ## References
 
 - [Burp-NoSQLiScanner - matrix - January 30, 2021](https://github.com/matrix/Burp-NoSQLiScanner/blob/main/src/burp/BurpExtender.java)

diff --git a/OAuth Misconfiguration/README.md b/OAuth Misconfiguration/README.md
@@ -1,26 +1,20 @@
 # OAuth Misconfiguration
 
+> OAuth is a widely-used authorization framework that allows third-party applications to access user data without exposing user credentials. However, improper configuration and implementation of OAuth can lead to severe security vulnerabilities. This document explores common OAuth misconfigurations, potential attack vectors, and best practices for mitigating these risks. 
+
+
 ## Summary
 
-- [Labs](#labs)
 - [Stealing OAuth Token via referer](#stealing-oauth-token-via-referer)
 - [Grabbing OAuth Token via redirect_uri](#grabbing-oauth-token-via-redirect---uri)
 - [Executing XSS via redirect_uri](#executing-xss-via-redirect---uri)
 - [OAuth private key disclosure](#oauth-private-key-disclosure)
 - [Authorization Code Rule Violation](#authorization-code-rule-violation)
 - [Cross-Site Request Forgery](#cross-site-request-forgery)
+- [Labs](#labs)
 - [References](#references)
 
 
-## Labs
-
-* [PortSwigger - Authentication bypass via OAuth implicit flow](https://portswigger.net/web-security/oauth/lab-oauth-authentication-bypass-via-oauth-implicit-flow)
-* [PortSwigger - Forced OAuth profile linking](https://portswigger.net/web-security/oauth/lab-oauth-forced-oauth-profile-linking)
-* [PortSwigger - OAuth account hijacking via redirect_uri](https://portswigger.net/web-security/oauth/lab-oauth-account-hijacking-via-redirect-uri)
-* [PortSwigger - Stealing OAuth access tokens via a proxy page](https://portswigger.net/web-security/oauth/lab-oauth-stealing-oauth-access-tokens-via-a-proxy-page)
-* [PortSwigger - Stealing OAuth access tokens via an open redirect](https://portswigger.net/web-security/oauth/lab-oauth-stealing-oauth-access-tokens-via-an-open-redirect)
-
-
 ## Stealing OAuth Token via referer
 
 > Do you have HTML injection but can't get XSS? Are there any OAuth implementations on the site? If so, setup an img tag to your server and see if there's a way to get the victim there (redirect, etc.) after login to steal OAuth tokens via referer - [@abugzlife1](https://twitter.com/abugzlife1/status/1125663944272748544)
@@ -66,6 +60,7 @@ Some Android/iOS app can be decompiled and the OAuth Private key can be accessed
 ## Authorization Code Rule Violation
 
 > The client MUST NOT use the authorization code  more than once.  
+
 If an authorization code is used more than once, the authorization server MUST deny the request 
 and SHOULD revoke (when possible) all tokens previously issued based on that authorization code.
 
@@ -77,6 +72,15 @@ Applications that do not check for a valid CSRF token in the OAuth callback are
 > The client MUST implement CSRF protection for its redirection URI. This is typically accomplished by requiring any request sent to the redirection URI endpoint to include a value that binds the request to the user-agent's authenticated state. The client SHOULD utilize the "state" request parameter to deliver this value to the authorization server when making an authorization request.
 
 
+## Labs
+
+* [PortSwigger - Authentication bypass via OAuth implicit flow](https://portswigger.net/web-security/oauth/lab-oauth-authentication-bypass-via-oauth-implicit-flow)
+* [PortSwigger - Forced OAuth profile linking](https://portswigger.net/web-security/oauth/lab-oauth-forced-oauth-profile-linking)
+* [PortSwigger - OAuth account hijacking via redirect_uri](https://portswigger.net/web-security/oauth/lab-oauth-account-hijacking-via-redirect-uri)
+* [PortSwigger - Stealing OAuth access tokens via a proxy page](https://portswigger.net/web-security/oauth/lab-oauth-stealing-oauth-access-tokens-via-a-proxy-page)
+* [PortSwigger - Stealing OAuth access tokens via an open redirect](https://portswigger.net/web-security/oauth/lab-oauth-stealing-oauth-access-tokens-via-an-open-redirect)
+
+
 ## References
 
 - [All your Paypal OAuth tokens belong to me - asanso - November 28, 2016](http://blog.intothesymmetry.com/2016/11/all-your-paypal-tokens-belong-to-me.html) 

diff --git a/ORM Leak/README.md b/ORM Leak/README.md
@@ -5,7 +5,6 @@ An ORM leak vulnerability occurs when sensitive information, such as database st
 
 ## Summary
 
-* [CVE](#cve)
 * [Django (Python)](#django-python)
     * [Query filter](#query-filter)
     * [Relational Filtering](#relational-filtering)
@@ -17,14 +16,8 @@ An ORM leak vulnerability occurs when sensitive information, such as database st
         * [One-to-One](#one-to-one-1)
         * [Many-to-Many](#many-to-many-1)
 * [Ransack (Ruby)](#ransack-ruby)
-* [Resources](#resources)
-
-
-## CVE
-
-* [CVE-2023-47117: Label Studio ORM Leak](https://github.com/HumanSignal/label-studio/security/advisories/GHSA-6hjj-gq77-j4qw)
-* [CVE-2023-31133: Ghost CMS ORM Leak](https://github.com/TryGhost/Ghost/security/advisories/GHSA-r97q-ghch-82j9)
-* [CVE-2023-30843: Payload CMS ORM Leak](https://github.com/payloadcms/payload/security/advisories/GHSA-35jj-vqcf-f2jf)
+* [CVE](#cve)
+* [References](#references)
 
 
 ## Django (Python)
@@ -233,7 +226,14 @@ Only in Ransack < `4.0.0`.
     ```
 
 
-## Resources
+## CVE
+
+* [CVE-2023-47117: Label Studio ORM Leak](https://github.com/HumanSignal/label-studio/security/advisories/GHSA-6hjj-gq77-j4qw)
+* [CVE-2023-31133: Ghost CMS ORM Leak](https://github.com/TryGhost/Ghost/security/advisories/GHSA-r97q-ghch-82j9)
+* [CVE-2023-30843: Payload CMS ORM Leak](https://github.com/payloadcms/payload/security/advisories/GHSA-35jj-vqcf-f2jf)
+
+
+## References
 
 - [ORM Injection - HackTricks - July 30, 2024](https://book.hacktricks.xyz/pentesting-web/orm-injection)
 - [ORM Leak Exploitation Against SQLite - Louis Nyffenegger - July 30, 2024](https://pentesterlab.com/blog/orm-leak-with-sqlite3)