executable file
·
4241 lines (3738 loc) · 457 KB

Web.md

The Web, Web Applications & Browsers


Table of Contents






  • To Do
    1. cookies
    2. backlog
    3. TLS
    4. HTTP2/3

  • 101
    • Things to Know
      • OWASP Application Security Verification Standard
        • "The primary aim of the OWASP Application Security Verification Standard (ASVS) Project is to normalize the range in the coverage and level of rigor available in the market when it comes to performing Web application security verification using a commercially-workable open standard. The standard provides a basis for testing application technical security controls, as well as any technical security controls in the environment, that are relied on to protect against vulnerabilities such as Cross-Site Scripting (XSS) and SQL injection. This standard can be used to establish a level of confidence in the security of Web applications."
      • OWASP Top Ten Project
        • The OWASP Top 10 is a powerful awareness document for web application security. It represents a broad consensus about the most critical security risks to web applications. Project members include a variety of security experts from around the world who have shared their expertise to produce this list.
      • The Website Obesity Crisis
      • XSS, CSRF, CSP, JWT, WTF? IDK ¯\_(ツ)_/¯ - Dominik Kundel(JSConf Iceland2018)
        • Robert'); DROP TABLE Students;-- Little Bobby Tables embodies the classical fear of SQL injection when building web applications. However, SQL injections are just one aspect of things we need to worry about when building web applications. With the recent popularity of Angular, React and other Single Page Application frameworks, we got more logic executing on the front-end, which creates new problems and makes you forget about others. In this talk you will learn about XSS, CSRF, CORS, JWT, HTTPS, SPAs, REST APIs and other weird abbreviations, and how to protect yourself and your users from the new generation of Bobby Tables.
    • Articles
  • Browsers
    • Browser-2020
      • Things you can do with a browser in 2020
      • It's like, did no one read 'The Tangled Web: A Guide to Securing Modern Web Applications'? Or did they, and their take away was, 'Man, what a bunch of great ideas! Blinking text with no user control? Woah. I'm so on this.'.
      • My point is that it is 2020, and there is no equivalent to NoScript or UBlock Origin in any major browser. Despite this, I can have picture in picture video chats, while also connecting by bluetooth and USB, devices to the browser and having each tab color coded, along with the browser knowing my power level of my device, all according to standards.
      • It's 2020, still no equivalent of NoScript or UBlock Origin available by default in any of the major browsers.
        • Yet, I can share files with others, using a contextual menu depending on installed applications, or I can give my browser access to my insecure USB and Bluetooth devices, while it makes sure my battery isn't dead from the power consumption while the containing tabs for each webapp are properly color coded. 🤔
      • Google released a paper the day after I made this comment. I stand by my comment.
      • Oh, the Places You’ll Go! Finding Our Way Back from the Web Platform’s Ill-conceived Jaunts - Artur Janc, Mike West(2020)
        • In this paper, we start from a scattered list of concrete grievances about the web platform based on informal discussions among browser and web security engineers. After reviewing the details of these issues, we work towards a model of the root causes of the problems, categorizing them based on the type of risk they introduce to the platform. We then identify possible solutions for each class of issues, dividing them by the most effective approach to address it. In the end, we arrive at a general blueprint for backing out of these dead ends. We propose a three-pronged approach which includes changing web browser defaults, creating a slew of features for web authors to opt out of dangerous behaviors, and adding new security primitives. We then show how this approach can be practically applied to address each of the individual problems, providing a conceptual framework for solving unsafe legacy web platform behaviors.
    • How Browsers Work: Behind the scenes of modern web browsers - Tali Garsiel, Paul Irish(2011)
  • Session Management
  • Cheat Sheets
    • See 'Cheats.md' for cheatsheets
  • Tools


Standards & Technologies

API Stuff

  • Tools
    • Postman - originally a Chrome extension, now a standalone desktop application
    • restclient - Firefox addon
    • Astra
      • REST API penetration testing is complex due to continuous changes in existing APIs and newly added APIs. Astra can be used by security engineers or developers as an integral part of their process, so they can detect and patch vulnerabilities early in the development cycle. Astra can automatically detect and test login & logout (authentication API), so it's easy for anyone to integrate it into a CI/CD pipeline. Astra can take an API collection as input, so it can also be used for testing APIs in standalone mode.

  • Exploiting
    • Smashing The Browser: From Vulnerability Discovery To Exploit
      • Goes from introducing a fuzzer to producing an IE11 0day
    • The Birth of a Complete IE11 Exploit Under the New Exploit Mitigations
    • BeEF Browser Exploitation Framework
    • BeEF
      • Amid growing concerns about web-borne attacks against clients, including mobile clients, BeEF allows the professional penetration tester to assess the actual security posture of a target environment by using client-side attack vectors. Unlike other security frameworks, BeEF looks past the hardened network perimeter and client system, and examines exploitability within the context of the one open door: the web browser. BeEF will hook one or more web browsers and use them as beachheads for launching directed command modules and further attacks against the system from within the browser context.
    • Browsers Gone Wild - Angelo Prado & Xiaoran Wang - BHAsia2015
      • In this talk, we will demonstrate and unveil the latest developments on browser specific weaknesses including creative new mechanisms to compromise confidentiality, successfully perform login and history detection, serve mixed content, deliver malicious ghost binaries without a C&C server, exploit cache/timing side channels to extract secrets from third-party domains, and leverage new HTML5 features to carry out more stealthy attacks. This is a practical presentation with live demos that will challenge your knowledge of the Same Origin Policy and push the limits of what is possible with today's web clients.

Cascading StyleSheets



  • Agnostic
    • 101
    • Articles/Blogposts/Writeups
    • Papers
    • Tools
      • WhatWeb
        • WhatWeb identifies websites. Its goal is to answer the question, "What is that Website?". WhatWeb recognises web technologies including content management systems (CMS), blogging platforms, statistic/analytics packages, JavaScript libraries, web servers, and embedded devices. WhatWeb has over 1500 plugins, each to recognise something different. WhatWeb also identifies version numbers, email addresses, account IDs, web framework modules, SQL errors, and more.
      • w3af
        • w3af: web application attack and audit framework, the open source web vulnerability scanner.
  • Adobe Experience Manager
    • 101
    • Articles/Blogposts/Writeups
    • Papers
    • Tools
      • aem-hacker
        • Tools to identify vulnerable Adobe Experience Manager (AEM) webapps.
  • ColdFusion
  • Drupal
  • Joomla
    • 101
    • Articles/Blogposts/Writeups
    • Papers
    • Tools
      • JoomScan
        • Joomla! is probably the most widely-used CMS out there due to its flexibility, user-friendliness and extensibility, to name a few. So, watching its vulnerabilities and adding such vulnerabilities as KB to the Joomla scanner takes ongoing activity. It will help web developers and web masters identify possible security weaknesses on their deployed Joomla! sites. No other web security scanner is dedicated to only one CMS.
      • JScanner
        • Analyze target Joomla! installation using several different techniques.
      • JoomlaVS
        • JoomlaVS is a Ruby application that can help automate assessing how vulnerable a Joomla installation is to exploitation. It supports basic fingerprinting and can scan for vulnerabilities in components, modules and templates, as well as vulnerabilities that exist within Joomla itself.
  • Sharepoint
    • 101
    • Articles/Blogposts/Writeups
    • Papers
    • Tools
      • Sparty - Sharepoint/Frontpage Auditing Tool
        • Sparty is an open source tool written in Python to audit web applications using the SharePoint and FrontPage architecture. The motivation behind this tool is to provide an easy and robust way to scrutinize the security configurations of SharePoint and FrontPage based web applications. Due to the complex nature of these web administration products, it is necessary to have a simple and efficient tool that gathers information, checks access permissions, dumps critical information from default files and performs automated exploitation if security risks are identified. A number of automated scanners fall short of this, and Sparty is a solution to that.
  • Wordpress
    • 101
    • Articles/Blogposts/Writeups
    • Papers
    • Tools
    • WPScan
      • WPScan is a black box WordPress vulnerability scanner.
    • WPSeku
      • Wordpress Security Scanner

Cookies

  • Talks/Presentations/Videos
    • Baking Your Anomalous Cookies - Jim Allee(NolaCon2019)
      • I hacked Fortnite! Actually it was a vulnerable cookie found on several domains owned by Epic Games that allowed me to hijack traffic of users of their websites, steal session tokens and of course, BeEF hook em'. I will describe my journey from creating a custom cookie fuzzing tool (Anomalous Cookie) to help identify vulnerable cookies, to creating a framework for 'Cookie Baking'. Cookie Baking is the technique of creating or modifying a cookie in a users' local Cookie Jar (this includes stuffing with malicious payloads, affiliate tags, fuzz-strings and more). I will also provide insight into the Bug Bounty process, how Google responded to my request for them to protect local cookies at rest, and how I created WHID-Injected Cookies! ;)
    • Got Cookies? Exploiting Vulnerabilities in Cookie Based Authentication - Harsh Bothra(Mayhem2021 RTV)
      • Abstract: Cookies are a widely used way to enable authentication in many applications. Over time, there have been many security implications of Cookie-Based Authentication, and new methods such as token-based authentication have entered the picture. Although many modern applications are adopting Token-Based authentication, Cookie-Based Authentication is still alive and can be observed in the wild. In this talk, we will look at various attack scenarios that can be exploited in the wild if the application is using cookies for authentication, tracking, personalization, or some value reflections.
  • Papers
  • Tools
    • CookieMonster
      • Blogpost
      • 🍪 CookieMonster helps you detect and abuse vulnerable implementations of stateless sessions.

Content Security Policy (CSP)


Cross-Origin Resource Sharing (CORS)


Document Object Model(DOM)

  • 101
  • Articles/Blogposts/Presentations/Talks/Writeups
  • Talks & Presentations
    • Securing the DOM from the Bottom Up - Mike Samuel(BSides Cleveland2019)
      • 18 years have passed since Cross-Site Scripting (XSS) became the single most common security problem in web applications. Since then, numerous efforts have been proposed to detect, fix or mitigate it, but these piecemeal efforts have not combined to make it easy to produce XSS-free code. This talk explains how Google's security team has achieved a high-level of safety against XSS and related problems by integrating tools to make it easier for developers to produce secure software than vulnerable, and to bound the portion of a codebase that could contribute to a vulnerability. We will show how this works in practice and end with advice on how to achieve the same results on widely-used, open-source stacks and new browser mechanisms that will make it much easier to achieve high-levels of security with good developer experience.

Electron


FIDO2/CTAP

  • 101
  • Articles/Blogposts/Writeups
  • Documentation
  • Tools

Flash/SWF


GhostScript

  • 101
  • Articles/Blogposts/Writeups
  • Papers
  • Tools

GraphQL


Hyper Text Markup Language HTML


Hyper Text Transport Protocol (HTTP)


Imagemagick

  • 101
  • Articles/Blogposts/Writeups
  • Papers
  • Tools

Java & related



JS Frameworks


.NET-based Frameworks


Python-based Frameworks

  • General
    • Unexpected Execution: Wild Ways Code Execution can Occur in Python - Graham Bleaney(PyConUS2021)
      • Code (the_storm)
      • Every Python user knows that you can execute code using eval or exec, but what about yaml or str.format? This talk will take you on a walk through all the weird and wild ways that you can achieve code execution on a Python server (and trust me, I didn’t spoil the surprise by putting the weirdest ones in the description). The talk should be equal parts practical and entertaining as we work through both real examples of code execution vulnerabilities found in running code as well as absurd remote code execution exploits. The talk will end on a practical note by explaining how Facebook detects and prevents the exploit vectors we discussed, using an open source Python Static Analyzer called Pysa.
  • Flask
    • Articles/Blogposts/Writeups
      • Injecting Flask - Ryan Reid
        • In this adventure we will discuss some of the security features available and potential issues within the Flask micro-framework with respect to Server-Side Template Injection, Cross-Site Scripting, and HTML attribute injection attacks, a subset of XSS. If you’ve never had the pleasure of working with Flask, you’re in for a treat. Flask is a lightweight python framework that provides a simple yet powerful and extensible structure (it is Python after all).

JSON

  • 101
    • json.org
      • "JSON (JavaScript Object Notation) is a lightweight data-interchange format. It is easy for humans to read and write. It is easy for machines to parse and generate. It is based on a subset of the JavaScript Programming Language Standard ECMA-262 3rd Edition - December 1999. JSON is a text format that is completely language independent but uses conventions that are familiar to programmers of the C-family of languages, including C, C++, C#, Java, JavaScript, Perl, Python, and many others. These properties make JSON an ideal data-interchange language."
    • JSON Schema
      • JSON Schema is a declarative language that allows you to annotate and validate JSON documents.
  • Articles/Blogposts/Writeups
  • Tools

JSON Web Tokens


  • Tools

OAUTH


Parsers


Platform Agnostic Security Token (PASETO)


PHP

101


robots.txt


RPC-related


Ruby/Ruby on Rails


Same-Origin Policy


Security Assertion Markup Language (SAML)


Service Workers


Subresource Integrity


Secure Sockets Layer/Transport Layer Security(SSL/TLS)

  • 101
  • Articles/Blogposts/Presentations/Talks/Writeups
  • Attacks Against
    • Articles/Blogposts/Writeups
    • Talks/Presentations
      • SSL/TLS Interception Proxies and Transitive Trust
        • Secure Sockets Layer (SSL) and its successor Transport Layer Security (TLS) have become key components of the modern Internet. The privacy, integrity, and authenticity provided by these protocols are critical to allowing sensitive communications to occur. Without these systems, e-commerce, online banking, and business-to-business exchange of information would likely be far less frequent. Threat actors have also recognized the benefits of transport security, and they are increasingly turning to SSL to hide their activities. Advanced Persistent Threat (APT) attackers, botnets, and even commodity web attacks can leverage SSL encryption to evade detection. To counter these tactics, organizations are increasingly deploying security controls that intercept end-to-end encrypted channels. Web proxies, data loss prevention (DLP) systems, specialized threat detection solutions, and network intrusion prevention systems (NIPS) offer functionality to intercept, inspect, and filter encrypted traffic. Similar functionality is present in lawful intercept systems and solutions enabling the broad surveillance of encrypted communications by governments. Broadly classified as "SSL/TLS interception proxies", these solutions act as a "man-in-the-middle", violating the end-to-end security promises of SSL. This type of interception comes at a cost. Intercepting SSL-encrypted connections sacrifices a degree of privacy and integrity for the benefit of content inspection, often at the risk of authenticity and endpoint validation. Implementers and designers of SSL interception proxies should consider these risks and understand how their systems operate in unusual circumstances.
    • Tools

  • 101
  • Articles/Blogposts/Writeups
  • Talks & Presentations
  • Dupe Key Confusion (XML signature bypass, applied to SAML)
    • An attack to bypass XML signature verification by sending multiple key identifiers in the KeyInfo section. Vulnerable systems use the first one to verify the XML signature and the second one to verify trust in the signing party. The plugin applies this technique to SAML tokens by modifying and then re-signing the SAML assertion with an arbitrary attacker-controlled key, which is then sent as the first element of the KeyInfo section, while the original key identifier is sent as the second key identifier.
    • Tools
      • DupeKeyInjector
        • Dupe Key Injector is a Burp Suite extension implementing Dupe Key Confusion, a new XML signature bypass technique presented in the BSides/BlackHat/DEFCON 2019 "SSO Wars: The Token Menace" presentation.
        • Slides
        • Paper

Streams

  • 101
    • Streams Standard - Dec 12 2019
      • This specification provides APIs for creating, composing, and consuming streams of data that map efficiently to low-level I/O primitives.

Uniform Resource Identifier/Locator(URIs/URLs)



Web Assembly


Web Authentication


WebBluetooth


Web Hooks


WebNFC


  • 101
  • Articles/Blogposts/Writeups
  • Tools
    • Burpsuite
      • Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application's attack surface, through to finding and exploiting security vulnerabilities.
      • See burp section at bottom of page.
    • ZAP - Zed Attack Proxy
      • The Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing. ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.
    • Paros - Web Proxy
      • A Java based HTTP/HTTPS proxy for assessing web application vulnerability. It supports editing/viewing HTTP messages on-the-fly. Other features include spiders, client certificates, proxy-chaining, intelligent scanning for XSS and SQL injection, etc.
    • Mallory: Transparent TCP and UDP Proxy
      • Mallory is a transparent TCP and UDP proxy. It can be used to get at those hard to intercept network streams, assess those tricky mobile web applications, or maybe just pull a prank on your friend.
    • TCP Catcher
      • TcpCatcher is a free TCP, SOCKS, HTTP and HTTPS proxy monitor server software.
    • wssip
      • Application for capturing, modifying and sending custom WebSocket data from client to server and vice versa.
    • ratproxy
      • Ratproxy is a semi-automated, largely passive web application security audit tool. It is meant to complement active crawlers and manual proxies more commonly used for this task, and is optimized specifically for an accurate and sensitive detection, and automatic annotation, of potential problems and security-relevant design patterns based on the observation of existing, user-initiated traffic in complex web 2.0 environments.

WebRTC



WebSockets


Web Storage


WebUSB

  • 101
  • Articles/Blogposts/Presentations/Talks/Writeups
    • WebUSB - How a website could steal data off your phone
      • This blog post looks into the capabilities of WebUSB to understand how it works, the new attack surface, and privacy issues. We will describe the processes necessary to get access to devices and how permissions are handled in the browser. Then we will discuss some security implications and show how a website can use WebUSB to establish an ADB connection and effectively compromise a connected Android phone.

End of Technologies Section



  • Tactics
  • General Reconnaissance Techniques
    • General Articles/Methodology Writeups
    • Tools that didn't fit elsewhere
      • webgrep
        • This self-contained tool relies on the well-known grep tool for grepping Web pages. It binds nearly every option of the original tool and also provides additional features like deobfuscating JavaScript or applying OCR to images before grepping downloaded resources.
    • (Almost)Fully Automating Recon
    • Attack Surface Reconnaissance
      • Articles/Blogposts/Writeups
        • Asset Enumeration: Expanding a Target's Attack Surface - Capt. Meelo
        • What's in a Domain Name? - Collin Meadows(SecureWV/Hack3rcon2018)
          • The domain name is one of the most prominent assets an organization can have. While customers can discover an organization from many sources - social media, review aggregators, advertisements, etc - the webpage is often the first direct experience a person has with a business and brand. This vital role makes the domain a target for fraud, data leakage, and cyber attack. Implementing domain monitoring and performing risk assessments is important, but only half the battle. In this talk, we will consider the amount of intelligence one can gather starting from only a domain name and investigate how this sets an attacker up with an ideal blueprint for malicious action.
      • Tools
        • AttackSurfaceMapper
          • Attack Surface Mapper is a reconnaissance tool that uses a mixture of open source intelligence and active techniques to expand the attack surface of your target. You feed in a mixture of one or more domains, subdomains and IP addresses and it uses numerous techniques to find more targets. It enumerates subdomains with bruteforcing and passive lookups, other IPs of the same network block owner, IPs that have multiple domain names pointing to them and so on. Once the target list is fully expanded it performs passive reconnaissance on them, taking screenshots of websites, generating visual maps, looking up credentials in public breaches, passive port scanning with Shodan and scraping employees from LinkedIn.
        • intrigue-core
          • Intrigue-core is a framework for external attack surface discovery and automated OSINT.
        • Domain Analyzer
          • Domain analyzer is a security analysis tool which automatically discovers and reports information about the given domain. Its main purpose is to analyze domains in an unattended way.
        • domain-profiler
          • domain-profiler is a tool that uses information from various sources (Whois, DNS, SSL, ASN) to determine what decisions have been made regarding a domain or list of domains.
        • The Hamburglar
          • Hamburglar -- collect useful information from urls, directories, and files
        • AutoRecon
        • Websy
          • Keep an eye on your targets with Websy to get quickly notified for any change they push on their Web Server
        • BlueEye
          • Blue Eye is a python Recon Toolkit script. It shows subdomain resolves to the IP addresses, company email addresses and much more ..!
        • FinalRecon
          • "FinalRecon is an automatic web reconnaissance tool written in python. Goal of FinalRecon is to provide an overview of the target in a short amount of time while maintaining the accuracy of results. Instead of executing several tools one after another it can provide similar results keeping dependencies small and simple."
        • changedetection.io
          • "The best and simplest self-hosted free open source website change detection, monitor and notification service."
        • KENZER - Automated web assets enumeration & scanning
        • webstor
          • "A script to quickly enumerate all websites across all of your organization's networks, store their responses, and query for known web technologies, such as those with zero-day vulnerabilities."
        • cariddi
          • Take a list of domains, crawl urls and scan for endpoints, secrets, api keys, file extensions, tokens and more
        • Crossfeed
          • Crossfeed is a tool that continuously enumerates and monitors an organization's public-facing attack surface in order to discover assets and flag potential security flaws. By operating in either passive or active scanning modes, Crossfeed collects data from a variety of open source tools and data feeds to provide actionable information about organization assets. Crossfeed is offered as a self-service portal and allows customers to view reports and customize scans performed.
        • kunyu
          • Kunyu aims to make corporate asset collection more efficient and enable more security-related practitioners to understand and use cyberspace surveying and mapping technology.
    • Browser Automation
      • playwright
        • Node.js library to automate Chromium, Firefox and WebKit with a single API
    • Browser/Client Fingerprinting(see Also AnonOpSecPrivacy.md)
      • Articles/Blogposts/Writeups
      • Talks/Presentations/Videos
      • Papers
      • Tools
        • CSS-Fingerprint
          • An experimental method for CSS based fingerprinting and a pure CSS 'supercookie'.
        • Sniffer
          • Sniffer is a browser/engine/os/device detection tool. Works both in a browser and with Node.
        • FingerprintJS
          • FingerprintJS is a browser fingerprinting library that queries browser attributes and computes a hashed visitor identifier from them. Unlike cookies and local storage, a fingerprint stays the same in incognito/private mode and even when browser data is purged. FingerprintJS is 100% open-source, but its accuracy is limited because it's only a client-side library without a backend.
        • TorZillaPrint
          • TorZillaPrint (TZP) aims to provide a comprehensive, all-in-one, fingerprinting test suite, nicely broken into suitable sections with relevant information together. Long term, the goal is to collect Gecko only fingerprint data (no PII) for analysis to see how many classifications each metric or section provides.
    • DNS
      • See Network_Attacks.md -> DNS
    • Endpoint Discovery
      • Articles/Blogposts/Writeups
      • Tools
        • JSParser
          • A python 2.7 script using Tornado and JSBeautifier to parse relative URLs from JavaScript files. Useful for easily discovering AJAX requests when performing security research or bug bounty hunting.
        • LinkFinder
          • LinkFinder is a python script written to discover endpoints and their parameters in JavaScript files. This way penetration testers and bug hunters are able to gather new, hidden endpoints on the websites they are testing, resulting in new testing ground, possibly containing new vulnerabilities. It does so by using jsbeautifier for python in combination with a fairly large regular expression.
        • relative-url-extractor
          • During reconnaissance (recon) it is often helpful to get a quick overview of all the relative endpoints in a file. These days web applications have frontend pipelines that make it harder for humans to understand minified code. This tool contains a nifty regular expression to find and extract the relative URLs in such files. This can help surface new targets for security researchers to look at. It can also be used to periodically compare the results of the same file, to see which new endpoints have been deployed. History has shown that this is a goldmine for bug bounty hunters.
        • hakrawler
        • endpointdiff
        • gau
          • Fetch known URLs from AlienVault's Open Threat Exchange, the Wayback Machine, and Common Crawl.
        • FFUF Me - Target Practice For FFUF - https://github.com/adamtlangley/ffufme
          • This is a simple website to get you used to using ffuf against a live target
    • Forced Browsing
      • Articles/Blogposts/Writeups
      • Tools
        • Dirbuster
          • DirBuster is a multi-threaded Java application designed to brute force directory and file names on web/application servers. It is often the case now that what looks like a web server in a state of default installation actually is not, and has pages and applications hidden within. DirBuster attempts to find these.
        • Go Buster
          • Directory/file busting tool written in Go; Recursive, CLI-based, no java runtime
        • WFuzz
          • Wfuzz is a tool designed for bruteforcing Web Applications, it can be used for finding resources not linked (directories, servlets, scripts, etc), bruteforce GET and POST parameters for checking different kind of injections (SQL, XSS, LDAP,etc), bruteforce Forms parameters (User/Password), Fuzzing,etc
        • dirsearch
          • dirsearch is a simple command line tool designed to brute force directories and files in websites.
        • ffuf
        • Tachyon
          • Tachyon is a Fast Multi-Threaded Web Discovery Tool
        • Syntribos
          • Given a simple configuration file and an example HTTP request, syntribos can replace any API URL, URL parameter, HTTP header and request body field with a given set of strings. Syntribos iterates through each position in the request automatically. Syntribos aims to automatically detect common security defects such as SQL injection, LDAP injection, buffer overflow, etc. In addition, syntribos can be used to help identify new security defects by automated fuzzing.
        • OpenDoor
          • OpenDoor OWASP is a console multifunctional web site scanner. It finds all possible ways to log in, index-of directories, web shells, restricted access points, subdomains, hidden data and large backups. Scanning is performed with the built-in dictionary as well as external dictionaries. Anonymity and speed are provided by using proxy servers.
        • rustbuster
          • A Comprehensive Web Fuzzer and Content Discovery Tool
        • feroxbuster
          • A fast, simple, recursive content discovery tool written in Rust.
        • SharpBuster
          • SharpBuster is a C# implementation of a directory brute forcing tool. It's designed to be used via Cobalt Strike's execute-assembly and similar tools, when running a similar tool over a SOCKS proxy is not feasible.
        • FES - Fast Endpoint Scanner
          • A web application endpoint scanner written in Rust, designed to put less load on the domains it scans with parsing features to help grab the important stuff (inspired by tomnomnom's meg).
        • WAES
          • CPH:SEC WAES: Web Auto Enum & Scanner - Auto enums website(s) and dumps files as result
        • crithit
          • Website Directory and file brute forcing at extreme scale.
        • snallygaster
          • Finds file leaks and other security problems on HTTP servers.
    • HTTP Enumeration
      • Articles/Blogposts/Writeups
      • Tools
        • Arjun
          • HTTP parameter discovery suite.
        • Psi-Probe
          • Advanced manager and monitor for Apache Tomcat, forked from Lambda Probe
        • HTTPLeaks
          • HTTPLeaks - All possible ways a website can leak HTTP requests
        • HTTPie - curl for humans
          • HTTPie (pronounced aych-tee-tee-pie) is a command line HTTP client. Its goal is to make CLI interaction with web services as human-friendly as possible. It provides a simple http command that allows for sending arbitrary HTTP requests using a simple and natural syntax, and displays colorized output. HTTPie can be used for testing, debugging, and generally interacting with HTTP servers.
        • gethead
          • HTTP Header Analysis Vulnerability Tool
    • HTTP Fingerprinting
    • JS-based scanning
    • (Sub)Domain Reconnaissance
    • Technology Identification
      • Articles/Blogposts/Writeups
      • Tools
        • General
          • wappy
            • A tool to discover technologies in web applications from your terminal. It uses the wap library, that is a python implementation of the great Wappalyzer browser extension. In fact, it uses the rules defined in the file technologies.json of the Wappalyzer repository.
        • CMS
          • CMSExplorer
            • CMS Explorer is designed to reveal the specific modules, plugins, components and themes that various CMS driven web sites are running. Additionally, CMS Explorer can be used to aid in security testing. While it performs no direct security checks, the "explore" option can be used to reveal hidden/library files which are not typically accessed by web clients but are nonetheless accessible. This is done by retrieving the module's current source tree and then requesting those file names from the target system. These requests can be sent through a distinct proxy to help "bootstrap" security testing tools like Burp, Paros, Webinspect, etc.
          • BlindElephant Web Application Fingerprinter
            • The BlindElephant Web Application Fingerprinter attempts to discover the version of a (known) web application by comparing static files at known locations against precomputed hashes for versions of those files in all available releases. The technique is fast, low-bandwidth, non-invasive, generic, and highly automatable.
          • Fingerprinter
            • CMS/LMS/Library etc Versions Fingerprinter. This script's goal is to try to find the version of the remote application/third party script etc by using a fingerprinting approach.
          • WPScan
            • WPScan is a free, for non-commercial use, black box WordPress security scanner written for security professionals and blog maintainers to test the security of their WordPress websites.
        • Proxies
        • Web Servers
          • httprecon - Advanced Web Server Fingerprinting
            • The httprecon project is doing some research in the field of web server fingerprinting, also known as http fingerprinting. The goal is the highly accurate identification of given httpd implementations. This is very important within professional vulnerability analysis. Besides the discussion of different approaches and the documentation of gathered results, an implementation for automated analysis is also provided. This software shall improve the ease and efficiency of this kind of enumeration. Traditional approaches such as banner-grabbing, status code enumeration and header ordering analysis are used. However, many other analysis techniques were introduced to increase the possibilities of accurate web server fingerprinting. Some of them were already discussed in the book Die Kunst des Penetration Testing (Chapter 9.3, HTTP-Fingerprinting, pp. 530-550).
          • WhatWeb
            • WhatWeb identifies websites. Its goal is to answer the question, "What is that Website?". WhatWeb recognises web technologies including content management systems (CMS), blogging platforms, statistic/analytics packages, JavaScript libraries, web servers, and embedded devices. WhatWeb has over 1500 plugins, each to recognise something different. WhatWeb also identifies version numbers, email addresses, account IDs, web framework modules, SQL errors, and more.
    • Web Scraping
      • 101
      • Articles/Papers/Talks/Writeups
      • General
        • browser-fingerprinting
          • "Analysis of Bot Protection systems with available countermeasures 🚿. How to defeat anti-bot system 👻 and get around browser fingerprinting scripts 🕵️‍♂️ when scraping the web?"
      • Tools
        • Puppeteer
          • Puppeteer is a Node library which provides a high-level API to control Chrome or Chromium over the DevTools Protocol. Puppeteer runs headless by default, but can be configured to run full (non-headless) Chrome or Chromium.
        • dvcs-ripper
          • Rip web accessible (distributed) version control systems: SVN, GIT, Mercurial/hg, bzr, ... It can rip repositories even when directory browsing is turned off.
        • Scrapy
          • An open source and collaborative framework for extracting the data you need from websites.
        • Beautiful Soup
      • Miscellaneous
        • WeasyPrint
          • WeasyPrint is a visual rendering engine for HTML and CSS that can export to PDF. It aims to support web standards for printing. WeasyPrint is free software made available under a BSD license.
    • User Enumeration
      • Articles/Blogposts/Writeups
      • Tools
        • WhatsMyName
          • This repository has the unified data required to perform user enumeration on various websites. Content is in a JSON file and can easily be used in other projects.
        • hackability
          • Rendering Engine Hackability Probe performs a variety of tests to discover what the unknown rendering engine supports. To use it simply extract it to your web server and visit the url in the rendering engine you want to test. The more successful probes you get the more likely the target engine is vulnerable to attack.
    • Virtual Hosts
      • 101
      • Tools
        • virtual-host-discovery
          • This is a basic HTTP scanner that'll enumerate virtual hosts on a given IP address. During recon, this might help expand the target by detecting old or deprecated code. It may also reveal hidden hosts that are statically mapped in the developer's /etc/hosts file.
        • blacksheepwall
          • blacksheepwall is a hostname reconnaissance tool
        • VHostScan
          • A virtual host scanner that performs reverse lookups, can be used with pivot tools, detect catch-all scenarios, work around wildcards, aliases and dynamic default pages.
    • Visual Reconnaissance
      • Articles/Blogposts/Writeups
      • Tools
        • PowerWebShot
          • A PowerShell tool for taking screenshots of multiple web servers quickly.
        • HTTrack - Website Copier
          • It allows you to download a World Wide Web site from the Internet to a local directory, building recursively all directories, getting HTML, images, and other files from the server to your computer. HTTrack arranges the original site's relative link-structure. Simply open a page of the "mirrored" website in your browser, and you can browse the site from link to link, as if you were viewing it online. HTTrack can also update an existing mirrored site, and resume interrupted downloads. HTTrack is fully configurable, and has an integrated help system.
        • Kraken
          • Kraken is a tool to help make your web interface testing workflow more efficient. This is done by using Django, Apache, and a MySql database to store and organize web interface screenshots and data. This allows you and your team to take notes and track which hosts have been tested simultaneously. Once you are finished, you can view these notes you took and generate reports in the Reports section.
        • Eyeballer
          • Eyeballer is meant for large-scope network penetration tests where you need to find "interesting" targets from a huge set of web-based hosts. Go ahead and use your favorite screenshotting tool like normal (EyeWitness or GoWitness) and then run them through Eyeballer to tell you what's likely to contain vulnerabilities, and what isn't.
        • gowitness
          • gowitness is a website screenshot utility written in Golang, that uses Chrome Headless to generate screenshots of web interfaces using the command line. Both Linux and macOS are supported, with Windows support 'partially working'.
        • webscreenshot
          • A simple script to screenshot a list of websites, based on the url-to-image PhantomJS script.
        • LazyShot
          • The simplest way to take an automated screenshot of given URLs. Easy installation!
        • RAWR - Rapid Assessment of Web Resources
        • EyeWitness
          • EyeWitness is designed to take screenshots of websites, provide some server header info, and identify default credentials if possible.
        • SharpWitness
          • C# implementation of EyeWitness
        • webDisco
          • Web discovery tool to capture screenshots from a list of hosts & vhosts. Requests are made via IP address and vhosts to determine differences. Additionally checks for common administrative interfaces and web server misconfigurations.
        • electric-scan
          • Electron based screenshot scanner
        • EyeWitnessTheFitness
          • Generate one FireProx API to be used for all your EyeWitness targets, making your enumeration both opsec-friendly and convenient.
      • 3rd Party Hosted Tools
        • VisualSiteMapper
          • Visual Site Mapper is a free service that can quickly show a map of your site.
      • Web Page
        • HTCAP
          • htcap is a web application scanner able to crawl single page application (SPA) recursively by intercepting ajax calls and DOM changes.
  • Vulnerability Scanner
    • Nikto
    • Spaghetti - Web Application Security Scanner
      • Spaghetti is an Open Source web application scanner, it is designed to find various default and insecure files, configurations, and misconfigurations. Spaghetti is built on python2.7 and can run on any platform which has a Python environment.
    • skipfish
      • Skipfish is an active web application security reconnaissance tool. It prepares an interactive sitemap for the targeted site by carrying out a recursive crawl and dictionary-based probes. The resulting map is then annotated with the output from a number of active (but hopefully non-disruptive) security checks. The final report generated by the tool is meant to serve as a foundation for professional web application security assessments.
    • wikto
      • Wikto is Nikto for Windows - but with a couple of fancy extra features including Fuzzy logic error code checking, a back-end miner, Google assisted directory mining and real time HTTP request/response monitoring. Wikto is coded in C# and requires the .NET framework.
    • WATOBO
      • WATOBO is a security tool for testing web applications. It is intended to enable security professionals to perform efficient (semi-automated) web application security audits.
    • YASUO
      • Yasuo is a ruby script that scans for vulnerable 3rd-party web applications.
    • ParrotNG
      • ParrotNG is a tool capable of identifying Adobe Flex applications (SWF) vulnerable to CVE-2011-2461
    • Arachni Web Scanner
      • Arachni is an Open Source, feature-full, modular, high-performance Ruby framework aimed towards helping penetration testers and administrators evaluate the security of web applications. It is smart, it trains itself by monitoring and learning from the web application's behavior during the scan process and is able to perform meta-analysis using a number of factors in order to correctly assess the trustworthiness of results and intelligently identify (or avoid) false-positives.
    • Pyfiscan
      • Pyfiscan is a free web-application vulnerability and version scanner that can be used to locate out-dated versions of common web applications on Linux servers. An example use case is hosting providers keeping an eye on their users' installations to keep up with security updates. Fingerprints are easy to create and modify, as users can write them in YAML syntax. Pyfiscan also contains a tool to create email alerts using templates.
    • jaeles
      • "powerful, flexible and easily extensible framework written in Go for building your own Web Application Scanner."
      • Showcase examples of usage
    • 0d1n
      • 0d1n is a tool for automating customized attacks against web applications.
    • reNgine
      • reNgine is an automated reconnaissance framework meant for gathering information during penetration testing of web applications. reNgine has customizable scan engines, which can be used to scan the websites, endpoints, and gather information.
    • Osmedeus
      • Fully automated offensive security framework for reconnaissance and vulnerability scanning

Abuse of Functionality

  • jsgifkeylogger
    • A JavaScript keylogger included in a GIF file. This is a PoC.

Backend File Parsing/Processing Exploitation


  • See 'Forced-Browsing'

Cache-based Attacks


Attacking Continuous Integration Systems

  • See section of same name under the 'Privesc/PostEx - General' page.

CSV Injection


Clickjacking


Cross Protocol Scripting/Request Attack

  • 101
  • Articles/Blogposts/Writeups
  • Papers
    • HTML Form Protocol Attack - Jochen Topf(2001)
      • This paper describes how some HTML browsers can be tricked through the use of HTML forms into sending more or less arbitrary data to any TCP port. This can be used to send commands to servers using ASCII based protocols like SMTP, NNTP, POP3, IMAP, IRC, and others. By sending HTML email to unsuspecting users or using a trojan HTML page, an attacker might be able to send mail or post Usenet News through servers normally not accessible to him. In special cases an attacker might be able to do other harm, e.g. deleting mail from a POP3 mailbox.
    • Cross-Protocol Request Forgery - Tanner Prynn(2018)
      • Server-Side Request Forgery (SSRF) and Cross-Site Request Forgery (CSRF) are two attack methods that enable attackers to cross network boundaries in order to attack applications, but can only target applications that speak HTTP. Custom TCP protocols are everywhere: IoT devices, smartphones, databases, development software, internal web applications, and more. Often, these applications assume that no security is necessary because they are only accessible over the local network. This paper aims to be a definitive overview of attacks that allow cross-protocol exploitation of non-HTTP listeners using CSRF and SSRF, and also expands on the state of the art in these types of attacks to target length-specified protocols that were not previously thought to be exploitable.
  • Presentations/Talks/Videos
  • Tools
    • Extract data
      • Extract data is a demo combining a cross-protocol request attack with DNS rebinding

Cross Site Content Hijacking


Cross Site History Manipulation


Cross Site Request Forgery (CSRF)


Cascading-StyleSheets-related Attacks


Cross Site WebSocket Hijacking




  • 101
  • Articles/Blogposts/Writeups
  • Papers
  • Presentations/Talks/Videos
  • Tools

  • 101
  • Articles/Blogposts/Writeups
  • Papers
  • Presentations/Talks/Videos
  • Tools

Fuzzing





File Upload Testing




Image-based Exploitation AKA Exploiting Polyglot features of File standards


  • See also: JNDI, JSON, SQLi, XSS

OS Command Injection


JNDI Attack Class


Path Confusion Attacks

  • 101
  • Articles/Papers/Writeups


Log4j


(No)SQL Injection

  • Out-of-Band
    • Out-of-Band (OOB) SQL Injection - Lee Chun How(2019)
    • A Study of Out-of-Band Structured Query Language Injection - Lee Chun How(2019)
      • "Out-of-Band (OOB) Structured Query Language (SQL) Injection is an exploitation to exfiltrate data from a database through a different outbound channel. Common channels used by OOB SQL Injection for data exfiltration are the Domain Name Server (DNS) and HyperText Transfer Protocol (HTTP) channels. This type of SQL injection should be addressed properly because its impact is on par with traditional methods. OOB SQL Injection impacts database systems with insufficient input validation control in place that allow access to the public over either the DNS or HTTP protocol. Test cases and recommendations for remediation are discussed in this paper in order to raise awareness of the exploitation."
  • NoSQL
    • Articles/Blogposts/Writeups
    • MeteorJS
    • MongoDB
    • Talks/Presentations/Videos
      • Making Mongo Cry-Attacking NoSQL for Pen Testers - Russell Butturrini(Derbycon2014)
        • NoSQL databases continue to grow in popularity due to their scalability, dynamic data structures, ease of development and cloud readiness. As these types of databases become more prevalent, penetration testers need to understand how these databases work, how applications interact with them, and where the inherent weaknesses of NoSQL databases are. This presentation is targeted towards penetration testers and putting the theoretical attacks researchers have discussed into practice during a penetration testing engagement. It will discuss weaknesses with a particular focus on MongoDB and how to quickly and easily exploit them as well as where the high value targets in the system are post exploitation. NoSQLMap, a Python tool written for automatically stealing data from NoSQL database servers and web applications, will also be demoed.
      • Abusing NoSQL Databases - Ming Chow
        • Slides
        • The days of selecting from a few SQL database options for an application are over. There is now a plethora of NoSQL database options to choose from: some are better than others for certain jobs. There are good reasons why developers are choosing them over traditional SQL databases including performance, scalability, and ease-of-use. Unfortunately, like for many hot technologies, security is largely an afterthought in NoSQL databases. This short but concise presentation will illustrate how poor the quality of security in many NoSQL database systems is. This presentation will not be confined to one particular NoSQL database system. Two sets of security issues will be discussed: those that affect all NoSQL database systems such as defaults, authentication, encryption; and those that affect specific NoSQL database systems such as MongoDB and CouchDB. The ideas that we now have a complicated heterogeneous problem and that defense-in-depth is even more necessary will be stressed. There is a common misconception that SQL injection attacks are eliminated by using a NoSQL database system. While specifically SQL injection is largely eliminated, injection attack vectors have increased thanks to JavaScript and the flexibility of NoSQL databases. This presentation will present and demo new classes of injection attacks. Attendees should be familiar with JavaScript and JSON.
    • Papers
      • No SQL, No Injection? - Examining NoSQL Security - Aviv Ron, Alexandra Shulman-Peleg, Emanuel Bronshtein
        • NoSQL data storage systems have become very popular due to their scalability and ease of use. This paper examines the maturity of security measures for NoSQL databases, addressing their new query and access mechanisms. For example, the emergence of new query formats makes the old SQL injection techniques irrelevant, but are NoSQL databases immune to injection in general? The answer is NO. Here we present a few techniques for attacking NoSQL databases such as injections and CSRF. We analyze the source of these vulnerabilities and present methodologies to mitigate the attacks. We show that this new vibrant technological area lacks the security measures and awareness which have developed over the years in traditional RDBMS SQL systems.
    • Tools


Prototype Pollution Attack


Reflected File Download


Relative Path Overwrite

  • 101
    • Relative Path Overwrite Explanation/Writeup
      • RPO (Relative Path Overwrite) is a technique to take advantage of relative URLs by overwriting their target file. To understand the technique we must first look into the differences between relative and absolute URLs. An absolute URL is basically the full URL for a destination address including the protocol and domain name whereas a relative URL doesn’t specify a domain or protocol and uses the existing destination to determine the protocol and domain.
  • Articles/Blogposts/Writeups
  • Talks/Presentations/Videos
  • Papers
    • Understanding and Mitigating the Security Risks of Content Inclusion in Web Browsers - Sajjad Arshad(2020)
      • In this thesis, I propose novel research into understanding and mitigating the security risks of content inclusion in web browsers to protect website publishers as well as their users. First, I introduce an in-browser approach called Excision to automatically detect and block malicious third-party content inclusions as web pages are loaded into the user's browser or during the execution of browser extensions. Then, I propose OriginTracer, an in-browser approach to highlight extension-based content modification of web pages. Finally, I present the first in-depth study of style injection vulnerability using RPO and discuss potential countermeasures.
  • General
  • Tools
  • Miscellaneous

  • General
  • .NET
  • Java
    • Articles/Blogposts/Writeups
    • General
    • Presentations/Talks/Videos
      • Pwning Your Java Messaging With Deserialization Vulnerabilities
      • Marshalling Pickles - Chris Frohoff, Gabe Lawrence(AppSecCali 2015)
        • Slides
        • Object serialization technologies allow programs to easily convert in-memory objects to and from various binary and textual data formats for storage or transfer – but with great power comes great responsibility, because deserializing objects from untrusted data can ruin your day. We will look at historical and modern vulnerabilities across different languages and serialization technologies, including Python, Ruby, and Java, and show how to exploit these issues to achieve code execution. We will also cover some strategies to protect applications from these types of attacks.
      • Exploiting Deserialization Vulnerabilities in Java - Matthias Kaiser(2015)
        • Deserialization vulnerabilities in Java are lesser known and exploited (compared to unserialize() in PHP). This talk will give insights how this bug class can be turned into serverside Remote Code Execution. Details and a demo will be given for one of my patched vulnerabilities (CVE-2015-6576, Atlassian Bamboo RCE).
      • Deserialize My Shorts Or How I Learned to Start Worrying and Hate Java Object Deserialization - Chris Frohoff, Gabe Lawrence
        • Slides
        • Object deserialization is an established but poorly understood attack vector in applications that is disturbingly prevalent across many languages, platforms, formats, and libraries. In January 2015 at AppSec California, Chris Frohoff and Gabe Lawrence gave a talk on this topic, covering deserialization vulnerabilities across platforms, the many forms they take, and places they can be found. It covered, among other things, somewhat novel techniques using classes in commonly used libraries for attacking Java serialization that were subsequently released in the form of the ysoserial tool. Few people noticed until late 2015, when other researchers used these techniques/tools to exploit well known products such as Bamboo, WebLogic, WebSphere, ApacheMQ, and Jenkins, and then services such as PayPal. Since then, the topic has gotten some long-overdue attention and great work is being done by many to improve our understanding and developer awareness on the subject. This talk will review the details of Java deserialization exploit techniques and mitigations, as well as report on some of the recent (and future) activity in this area.
      • Automated Discovery of Deserialization Gadget Chains - Ian Haken(Defcon26)
      • In-Memory Data Grid Applications: Finding Common Java Deserialization Vulnerabilities with CodeQL - Man Yue Mo(2019)
      • Oracle Java Deserialization Vulnerabilities - Stephen Kost, Phil Reimann(2016)
        • Java deserialization is a class of security vulnerabilities that can result in server-side remote code execution (RCE). As many Oracle products are based on Java, deserialization bugs are found in many Oracle environments especially those using Oracle WebLogic, Oracle Fusion Middleware, and Oracle E-Business Suite. As an example, in November 2015 Oracle released an out-of-cycle security fix (CVE-2015-4852) in order to fix a deserialization bug in Oracle WebLogic. This education webinar provides an understanding of Java deserialization vulnerabilities, the potential impact for Oracle environments, and strategies to protect an Oracle environment from this class of security vulnerabilities.
      • Defending against Java Deserialization Vulnerabilities - Luca Carettoni(2016)
      • Java Serialization security issues - Erno Jeges - OWASP Bay Area(2018)
        • In this short talk, we'll take a look at the various security issues coming from deserializing untrusted data in Java: information disclosure, denial of service, and even code execution. We'll examine these issues through live demonstrations with step-by-step explanations of what can go wrong – and how. Most importantly, we'll discuss several best practices and countermeasures you can use as a developer to protect yourself from these issues – or prevent them from affecting you in the first place.
      • Deserialization: what, how and why [not] - Alexei Kojenov(AppSec USA2018)
        • Slides
        • Code
        • Insecure deserialization was recently added to OWASP's list of the top 10 most critical web application security risks, yet it is by no means a new vulnerability category. For years, data serialization and deserialization have been used in applications, services and frameworks, with many programming languages supporting them natively. Deserialization got more attention recently as a potential vehicle to conduct several types of attacks: data tampering, authentication bypass, privilege escalation, various injections and, ultimately, remote code execution. Two prominent vulnerabilities in Apache Commons and Apache Struts, both allowing remote code execution, also contributed to raising awareness of this risk. We will discuss how data serialization and deserialization are used in software, the dangers of deserializing untrusted input, and how to avoid insecure deserialization vulnerabilities. The presentation will contain several code examples with live demos of bypassing security controls due to incorrect deserialization. The examples and demos will use Java and its native serialization, but the techniques can be extrapolated to other languages and formats.
      • New Exploit Technique In Java Deserialization Attack - Yang Zhang, Yongtao Wang, Keyi Li, Kunzhe Chai(BHEU2019)
        • In our in-depth research, we analyzed more than 10000+ Java third-party libraries and found many cases which can be exploited in real-world attack scenarios. In this talk, we will discuss the principle and exploit technique of these vulnerabilities. Also, we will present how to pwn a target server with our new exploit technique. It can not only improve the effect of a Java deserialization vulnerability but also enhance the impact of other Java security issues, and we will discuss the profound impacts of the attack vector in the Java security field.
    • Papers
      • Java Unmarshaller Security - Turning your data into code execution
        • This paper presents an analysis, including exploitation details, of various Java open-source marshalling libraries that allow(ed) for unmarshalling of arbitrary, attacker supplied, types and shows that no matter how this process is performed and what implicit constraints are in place it is prone to similar exploitation techniques.
        • tool from the above paper: marshalsec
    • Tools
      • Break Fast Serial
        • A proof of concept that demonstrates asynchronous scanning for Java deserialization bugs
      • ysoserial
      • JMET
        • JMET was released at Blackhat USA 2016 and is an outcome of Code White's research effort presented in the talk "Pwning Your Java Messaging With Deserialization Vulnerabilities". The goal of JMET is to make the exploitation of the Java Message Service (JMS) easy. In the talk more than 12 JMS client implementations were shown to be vulnerable to deserialization attacks. The specific deserialization vulnerabilities were found in ObjectMessage implementations (classes implementing javax.jms.ObjectMessage).
      • GadgetProbe
        • GadgetProbe takes a wordlist of Java classes, outputs serialized DNS callback objects, and reports what's lurking in the remote classpath.
        • Blogpost
      • marshalsec
        • Tool accompanying the paper "Java Unmarshaller Security - Turning your data into code execution" (listed under Papers above), which analyzes various Java open-source marshalling libraries that allow(ed) unmarshalling of arbitrary, attacker-supplied types.
    • Exploits
  • .NET
    • .NET Serialization: Detecting and defending vulnerable endpoints - Alvaro Muñoz(LocoMocoSec2018)
      • 2016 was the year of Java deserialization apocalypse. Although Java Deserialization attacks were known for years, the publication of the Apache Commons Collection Remote Code Execution gadget (RCE from now on) finally brought this forgotten vulnerability to the spotlight and motivated the community to start finding and fixing these issues. .NET is next in line; formatters such as BinaryFormatter and NetDataContractSerializer are known to share similar mechanics which make them potentially vulnerable to similar RCE attacks. However, as we saw with Java before, the lack of RCE gadgets led some software vendors to not take this issue seriously. In this talk, we will analyze .NET serializers including third party JSON parsers for potential RCE vectors. We will provide real-world examples of vulnerable code and more importantly, we will review how these vulnerabilities were detected and fixed in each case.
    • Friday the 13th: Attacking JSON - Alvaro Muñoz & Oleksandr Mirosh(AppSecUSA 2017)
      • 2016 was the year of Java deserialization apocalypse. Although Java Deserialization attacks were known for years, the publication of the Apache Commons Collection Remote Code Execution (RCE from now on) gadget finally brought this forgotten vulnerability to the spotlight and motivated the community to start finding and fixing these issues. One of the most suggested solutions for avoiding Java deserialization issues was to move away from Java Deserialization altogether and use safer formats such as JSON. In this talk, we will analyze the most popular JSON parsers in both .NET and Java for potential RCE vectors. We will demonstrate that RCE is also possible in these libraries and present details about the ones that are vulnerable to RCE by default. We will also discuss common configurations that make other libraries vulnerable. In addition to focusing on JSON format, we will generalize the attack techniques to other serialization formats. In particular, we will pay close attention to several serialization formats in .NET. These formats have also been known to be vulnerable since 2012 but the lack of known RCE gadgets led some software vendors to not take this issue seriously. We hope this talk will change this. With the intention of bringing the due attention to this vulnerability class in .NET, we will review the known vulnerable formats, present other formats which we found to be vulnerable as well and conclude presenting several gadgets from system libraries that may be used to achieve RCE in a stable way: no memory corruption -- just simple process invocation. Finally, we will provide recommendations on how to determine if your code is vulnerable, provide remediation advice, and discuss alternative approaches.
  • PHP
  • Python
  • Ruby

Server Side Request Forgery (SSRF)


Server Side Include



Subdomain Hijack/Takeover


Tabnabbing Attacks


Timing-based Attacks/Data race Attacks

  • 101
  • Articles/Blogposts/Writeups
  • Papers
    • Race Detection for Web Applications - Boris Petrov, Martin Vechev, Manu Sridharan, Julian Dolby
      • We present the first formulation of a happens-before relation for common web platform features. Developing this relation was a non-trivial task, due to complex feature interactions and browser differences. We also present a logical memory access model for web applications that abstracts away browser implementation details. Based on the above, we implemented WEBRACER, the first dynamic race detector for web applications. WEBRACER is implemented atop the production-quality WebKit engine, enabling testing of full-featured web sites. WEBRACER can also simulate certain user actions, exposing more races. We evaluated WEBRACER by testing a large set of Fortune 100 company web sites. We discovered many harmful races, and also gained insights into how developers handle asynchrony in practice.
  • Tools
    • Requests-Racer
      • Requests-Racer is a small Python library that lets you use the Requests library to submit multiple requests that will be processed by their destination servers at approximately the same time, even if the requests have different destinations or have payloads of different sizes. This can be helpful for detecting and exploiting race condition vulnerabilities in web applications. (For more information, see motivation.md.)
    • Race the Web
      • Tests for race conditions in web applications by sending a user-specified number of requests to a target URL (or URLs) simultaneously, then comparing the responses from the server for uniqueness. Includes a number of configuration options.
    • timing_attack
      • Perform timing attacks against web applications
    • Race condition exploit
      • Tool to help with the exploitation of web application race conditions
  • Miscellaneous

TLS Redirection (and Virtual Host Confusion)


TypoSquatting

  • 101

(Bit)/Typo-squatting

  • 101
  • Articles/Blogposts/Writeups
  • Talks/Presentations/Videos
    • Examining the Bitsquatting Attack Surface - Jaeson Schultz(Defcon21)
      • Paper
      • Bit errors in computer memory, when they occur in a stored domain name, can cause Internet traffic to be directed to the wrong Internet location potentially compromising security. When a domain name one bit different from a target domain is registered, this is called "bitsquatting". This presentation builds on previous work in this area presented by Artem Dinaburg at Blackhat 2011. Cisco's research into bitsquatting has revealed several previously unknown vectors for bitsquatting. Cisco has also discovered several new mitigations which do not involve installation of error correcting memory, nor the mass registration of bitsquat domains. In fact some of the new mitigations have the potential to render the problem of bitsquatting to the dustbin of history.

Web Shells

  • Articles
  • Detection
    • Case Study: How Backdoors Bypass Security Solutions with Advanced Camouflage Techniques
      • Look at PHP obfuscation methods for webshells
    • NeoPI
      • What is NeoPI? NeoPI is a Python script that uses a variety of statistical methods to detect obfuscated and encrypted content within text/script files. The intended purpose of NeoPI is to aid in the detection of hidden web shell code. The development focus of NeoPI was creating a tool that could be used in conjunction with other established detection methods such as Linux Malware Detect or traditional signature/keyword based searches.
    • Shell Detector
      • Shell Detector is an application that helps you find and identify PHP/CGI (Perl)/ASP/ASPX shells. Shell Detector has a "web shells" signature database that helps to identify web shells with up to 99% accuracy.
    • Loki - Simple IOC Scanner
      • Scanner for Simple Indicators of Compromise
  • Tools
    • Weevely
      • Weevely is a command line web shell dynamically extended over the network at runtime, used for remote administration and pen testing. It provides a weaponized telnet-like console through a PHP script running on the target, even in restricted environments. The low-footprint agent and over 30 modules shape an extensible framework to administer, conduct a pen-test, post-exploit, and audit remote web accesses in order to escalate privileges and pivot deeper into internal networks.
      • Getting Started
    • b374k shell 3.2
      • This PHP shell is a useful tool for system or web administrators to do remote management without using cPanel or connecting over SSH, FTP, etc. All actions take place within a web browser.
    • Simple websockets based webshell
    • JSShell
      • An interactive multi-user web-based JS shell written in Python with Flask (for server side) and of course JavaScript and HTML (client side). It was initially created to debug remote esoteric browsers during tests and research. I'm aware of other purposes this tool might serve, use it at your own responsibility and risk.
    • htshells
      • Self contained web shells and other attacks via .htaccess files.
    • Encoding Web Shells in PNG IDAT chunks - idontplaydarts.com
    • novahot
      • novahot is a webshell framework for penetration testers. It implements a JSON-based API that can communicate with trojans written in any language. By default, it ships with trojans written in PHP, Ruby, and Python. Beyond executing system commands, novahot is able to emulate interactive terminals, including mysql, sqlite3, and psql. It additionally implements "virtual commands" that make it possible to upload, download, edit, and view remote files locally using your preferred applications.



XML


End of Attacks section






Cloudflare



Bug Bounty Writeups