Self promotion time - if you are testing a payment system or a shop, check the whitepaper that I had written and updated last year: 💰💰💰
#bugbountytip
#pentest
#Financial
From now until Christmas, I will try to share something from my notes / research every day - most of them are old but might still be useful to remember
#XMas2020
#AppSec
#Web
#HTTP
Having a breakout exercise and direct drive access is forbidden? Perhaps try these too:
\\localhost\d$
\\127.0.0.1\d$
file:\\127.0.0.1\d$
\\--1.ipv6-literal.net\d$
\\\d$
\\--0-1.ipv6-literal.net\d$
file://--0-1.ipv6-literal.net\d$
.@NahamSec
Here is the list of all links in Web Application Hacking Techniques since 2006 - These are really good to revive old techniques and to learn how different people think:
#SelfPromotion
URI schemas and their format can be what you need to bypass certain restrictions in Apps like Outlook or in exploiting vulns like SSRF or XXE - I had included more than 800 of known schemas + useful references here in `Schemes-List.xlsx`:
#SelfPromotion
- HTTP encoding still works to bypass most WAFs 🧙♀️🧙🧙♂️
+ see: for .NET
+
Note: [] is not the same as HTTP Desync by
@albinowax
& I didn't see it coming 🙃
#pentest
#tip
As some people couldn't quite solve the CTF () using the AppSec EU slides, I have attached this slow video that shows how the sqli could be exploited - I used HTTP Smuggler but that could be done manually. It was hard to type while recording ;-)
1/ Last month, I dived into a bug bounty, taking on the challenge of bypassing a Web Application Firewall (WAF) for XML External Entity (XXE) injection. Buckle up, here's the story!
#Tip
#BugBounty
#AppSec
🧵
#BugBountyDiray
`BugCrowd` - `a private programme`
🌠It was day 1 with the bug bounty hat on: I still have no proper automation in place but I will sort it out when I have the energy, probably in the next 6 months or when I realise I'm missing out on a lot!
😱 My account got
App blocks %0D%0A? we try %0A or %0D or %u2028 or %2029 (using correct encoding).
But also remember to try things like this especially if you are dealing with Java:
%C0%8D%C0%8A
%c4%8a
%EA%A8%8A
Find why & more using and
As the cat is out of the hat anyways, here are my views on Microsoft Exchange
#Proxylogon
so far:
The super SSRF (controlling almost the full http message including verb/path/most headers/body) is the most important piece IMHO.
On CVE-2020-1147 () and the great write up by
@steventseeley
(), you can exploit it w/o creating an ASPX page by `?mode=Suggestion`:
/_layouts/15/quicklinks.aspx?Mode=Suggestion
/_layouts/15/quicklinksdialogform.aspx?Mode=Suggestion
If you are using the latest early edition of
#BurpSuite
, you can use the following
#bambda
code for highlighting:
It highlights the request with BurpCOLOR like "BurpRed"!
You won't need an extension for PwnFox Firefox extension either btw!
@Burp_Suite
Just updated the legacy IIS Short File Name scanner (to v2023.3) to address an issue where it could miss some rare vulnerable servers due to an intrusive RegEx responsible for cleaning dynamic content.
Have a happy hunting!
#Appsec
#IIS
#BugBounty
I like the fact that this still works like a charm as a PoC when I need it: this can make testers' lives a lot easier, but so many don't know it even exists
#pentest
#bugbounty
CVE-2020-0618: Microsoft SQL Server Reporting Services Remote Code Execution Vulnerability - if you use SSRS patch now not even tomorrow! It is a simple unauth rce!
Bug hunters are not researchers
Fiddler is better than Burp
Red teaming is real pentest
Sec companies make vulnerabilities
People share to get attention
It pronounced ReJex not ReGx
Burp soot not burp sweet
Sequel not s q l
Here is my research on SMB hash hijacking & user tracking in MS Outlook using special URI schemes, URI formats, and some HTML code: - github project for further research:
#outlook
#smbhash
#tracking
#patched
Story of my two (but actually three) RCEs in SharePoint in 2018: - it all began with a simple question in Jan. 2018: "have you worked with ysoserial .net?" what a year! Glad is in Top 10 Web Hacking Techniques of 2017
@pwntester
I've just updated , it supports infinite bridge gadget party now!
So this is now possible:
```
a payload to exploit Exchange CVE-2021-42321 using the ActivitySurrogateDisableTypeCheck gadget inside the ClaimsPrincipal gadget.
```
@MDSecLabs
@pwntester
If you have more free time these days to learn more about appsec, perhaps have a look at very useful source for manual source code review as a checklist. Grab an open source app and practice these on and take notes of your discovery techniques!
Since having
@albinowax
research tools embedded in
#BurpSuite
, I keep finding race condition issues in the payment systems. I was doing this stuff before (since 2010 at least) but was not always successful. The single packet attack is 👌 - Turbo Intruder can also elevate it!
After attending my training course last week, an attendee was eager to start his next audit. And he found a race condition on the very first day, thanks to the methodology and the tools we covered 🔥
He's happy, his manager is happy, and I'm happy too 🥲
This morning, PoC code to abuse CVE-2020-0688 (Microsoft Exchange Validation Key Remote Code Execution Vulnerability) was released. In case you haven't done so, it's time to patch, patch, patch!
Our sigma rule to detect this:
"max-forwards" http header:
- limit the number of proxies a request can traverse.
- not hop-by-hop
- can't go in the Trailer header
Some usage example:
old:
old: counting servers (proxies) in the middle
new:
I'm impressed with the MS security monitoring team! As I was in the middle of confirming an RCE (15 min through) to see whether or not it worked in practice, they contacted me via the Burp Collaborator HOST header! Workaround applied in less than an hour
#RecentGoodExprience
@msftsecresponse
In the past I have found many deserialization issues in .NET by source code review. Here is my list to find interesting points to start with:
If you want to know what to do next when you are in control, read the references in ysoserial .net
Burp Suite
#Sharpener
v3.0 is out in the GitHub repo:
Some bugs have been fixed and icons sizes are now bearable!
This is only compatible with Burp v2023.1 (early adaptor currently) as it is based on the new Montoya API v1.0.
#BurpSuite
latest early version 2023.10.3 is giving us
#Bambda
in filtering among other things!
It is very, very powerful in filtering and it runs pure Java code very well. As seen in the screenshot, I even managed to open calc with it 😎
I hope to see it in Target Search soon!
It
Time to find some eager people in
@MDSecLabs
to beta test :) this is just the beginning but I really needed it so I hope it works well
#BurpSuite
#Sharpener
The 1.07 version of
@MDSecLabs
#BurpSuite
#Sharpener
extension is out. In addition to some bug fixes, this version comes with the Halloween theme! Just what we need to harvest more bugz!!!
🎃🎃🎃
🎃🎃🎃
Thanks to
@CoreyD97
for a swift library update! 👻
Thanks to
@albinowax
for giving me this opportunity, my name has been added to due to the work I did in designing the NoSQLi labs and another topic that is going to be released soon 😇
I want to start bug bounty as a serious task very soon and I hope it is worth it, any great suggestions or pointers for an experienced web tester?
Also if you are a vendor and like my work, please invite me to your prv programme!
I am accepting all invites now 🥹
gethostbyname() in php can be confused using a hex value or long domain name or IP
"0x000000007f000001";
"127.0x00.0.1";
"127.0x1";
"00000000000...[255 more 0s]...00000177.0.0.1";
#tip
#php
#ssrf
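The forms in the tweet are accepted by the classic inet_aton() grammar that the C resolver applies before anything goes to DNS, which is why a raw string comparison against "127.0.0.1" misses them. This added example (mine, not the tweet author's code) re-implements that grammar in Python so an SSRF allow/deny check can compare on the canonical dotted-quad instead; the sample inputs are the tweet's plus a couple more shapes the same grammar accepts.

```python
import re

# Grammar accepted by the classic BSD/glibc inet_aton(): one to four dot-separated
# components, each decimal, 0-prefixed octal or 0x-prefixed hex; the last component
# fills all remaining bytes. Values accumulate in a 32-bit integer, so extra leading
# zeros (and overflow) are silently absorbed.
_COMPONENT = re.compile(r"0[xX]([0-9a-fA-F]+)|0([0-7]*)|([1-9][0-9]*)")

def inet_aton_canonical(text):
    """Return the dotted-quad inet_aton() would produce for `text`, or None if
    inet_aton() would reject it (so the string would be sent to DNS instead)."""
    parts = text.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    values = []
    for part in parts:
        m = _COMPONENT.fullmatch(part)
        if m is None:
            return None
        if m.group(1) is not None:
            v = int(m.group(1), 16)
        elif m.group(2) is not None:
            v = int(m.group(2), 8) if m.group(2) else 0
        else:
            v = int(m.group(3), 10)
        values.append(v & 0xFFFFFFFF)  # mirror the 32-bit accumulator wrap-around
    *head, last = values
    if any(v > 0xFF for v in head):
        return None
    remaining = 4 - len(head)
    if last >= 1 << (8 * remaining):
        return None
    raw = bytes(head) + last.to_bytes(remaining, "big")
    return ".".join(str(b) for b in raw)

def is_loopback_literal(host):
    """True when `host` is a numeric literal that lands in 127.0.0.0/8."""
    canonical = inet_aton_canonical(host)
    return canonical is not None and canonical.startswith("127.")

# Constructed inputs: the tweet's four, plus two more shapes the grammar accepts.
SAMPLES = [
    "0x000000007f000001",
    "127.0x00.0.1",
    "127.0x1",
    "0" * 255 + "00000177.0.0.1",
    "2130706433",   # plain 32-bit decimal
    "127.1",        # two-component form
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s[:40], "->", inet_aton_canonical(s), "loopback:", is_loopback_literal(s))
```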
@vxunderground
@ReneFreingruber
This can be done by a non state sponsored actor too as it doesn't seem to be complex if orchestrated and planned properly when time doesn't matter. I can see how some other groups like ransomware guys might be interested in doing such things too.
I've only just discovered the joys of IIS hacking and shortname scanning today after watching great talks by
@infosec_au
and
@irsdl
and using the great shortscan tool from
@bitquark
🤘
Burp Suite has come a long way and is still in our hearts 🫀 although it is in Java! 😅
From when proxy had no close friends -> scanner was not born -> extender was not a thing -> ... -> Dashboard, profiles, etc. etc. - still going strong
@Burp_Suite
🪄
#nostalgia
#appsec
#burpsuite
now has another gadget which is capable of loading code rather than running a command to avoid easy detection: `DataSetOldBehaviourFromFile`
Thanks to
@steventseeley
&
@mwulftange
for the 🦈
This release also has 1 new derived gadget just for fun!
- Do you also want to know how you can proxy Exchange frontend and backend easily?
- How to debug Exchange using dnSpy?
- How to send plain/text to submit your form to an ASPX page?
- How to bypass some WAFs? What's still unpatched there?
We have you covered
@MDSecLabs
🧙♂️
#ASPNET
web form tip when bypassing certain WAF rules using
#COOKIELESS
:
✔️WAF blocks `/admin/main.aspx`
✔️WAF uses canonicalization & not case sensitive
Possible bypasses:
🍪/admin/(S(X))/main.aspx
🍪/admin/Foobar/(S(X))/../(S(X))/main.aspx
🍪/(S(X))/admin/(S(X))/main.aspx
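All three bypasses rely on a literal path rule being applied before the cookieless marker is removed. This added example (mine, not the tweet author's code) shows the defender-side fix: strip the bracketed ASP.NET markers wherever they appear, resolve dot segments, then compare case-insensitively, so the three shapes above collapse to the blocked path. Assumption: the A(...) and F(...) cookieless markers share the S(...) shape and are stripped the same way.

```python
import posixpath
import re

# ASP.NET cookieless state travels in a bracketed path segment, (S(session-id)) in
# the tweet; the anonymous-id A(...) and forms-auth F(...) markers use the same
# shape and may be combined as (S(...)A(...)F(...)). Assumption for this example:
# a WAF should evaluate its path rules on the path the application will actually
# serve, i.e. with those markers removed.
_COOKIELESS_SEGMENT = re.compile(r"^\((?:[SAF]\([^()]*\))+\)$", re.IGNORECASE)

def canonical_aspnet_path(path):
    """Strip cookieless markers wherever they appear, resolve '.'/'..' segments
    and lower-case the result, so equivalent requests compare equal."""
    kept = [seg for seg in path.split("/") if not _COOKIELESS_SEGMENT.match(seg)]
    stripped = "/".join(kept)
    if not stripped.startswith("/"):
        stripped = "/" + stripped
    # normpath collapses './' and '../' and never climbs above the root
    return posixpath.normpath(stripped).lower()

BLOCKED_PATHS = {"/admin/main.aspx"}  # the rule from the tweet, as constructed input

def waf_blocks_raw(path):
    """Naive rule: case-insensitive compare on the request path as received."""
    return path.lower() in BLOCKED_PATHS

def waf_blocks_canonical(path):
    """Hardened rule: compare on the canonical path instead."""
    return canonical_aspnet_path(path) in BLOCKED_PATHS

# The three bypass shapes from the tweet (constructed; X stands for any session id).
BYPASSES = [
    "/admin/(S(X))/main.aspx",
    "/admin/Foobar/(S(X))/../(S(X))/main.aspx",
    "/(S(X))/admin/(S(X))/main.aspx",
]

if __name__ == "__main__":
    for p in BYPASSES:
        print(f"{p:<44} raw={waf_blocks_raw(p)!s:<5} canonical={waf_blocks_canonical(p)}")
```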
Besides joking, these days you literally need to find one XSS using zap or free burp to pay for the pro! Also you don’t need burp pro for many bug categories. Perhaps stick to zap if you need automation and have no money and no coding skill :)
Don’t install the malware 😈👻
Thanks to
@MDSecLabs
research, new stuff is being released for soon - as for the features, payload minimization, raw cmd command, and auto command encoding within JSON/XML messages are being released after the PR review by
@pwntester
Only to make the firewalls better, I am going to leave this here to show how much requests can change and hopefully a blog post soon will come to show how we combined the ProxyShell and NSA Meeting exploits :)
Today was my last day working at
@MDSecLabs
! Thanks to all my colleagues and clients, I have learned loads 🪄
From tomorrow a new work chapter for me begins, and I hope it works out well 😊
See you around 🤩
Sharpener v1.09 is out. It is a must have extension for serious Burp users IMHO before its major UI revamp anyway.
I don't know about you, but I cannot Burp properly without it!!!
#BurpSuite
#MDSec
#Extension
#AppSec
@MDSecLabs
have been updated, now it can: generate payloads for CVE-2020-1147 and CVE-2020-0932 (sharepoint RCEs) as well as XmlSerializer payload the
@steventseeley
way! See the closed PRs for other changes if you are interested 😎
@pwntester
Unfortunately the CTF did not have any winner :( hopefully no one secretly has shelled the test server as it was probably possible ;) I’m going to turn the server off probably tonight :)
#appseceu
#appseceu18
@AppSecEU
solution will be released tomorrow during my talk
If you haven't joined already, tune in at least for my talk to learn the correct pronunciation of "Enumeration" and other words!
I guess as soon as AI can start talking for me, I will be fine!
Well this bug has given me $10k from
@msftsecresponse
🥳 I am happier a bit now 🤓 (only one of them got bounty as the same code change can stop them both)
And
@blowdart
knows it all! Follow him 🙂
I wanted to tweet more tips but something led to another & now I have reported two issues to MS one for abusing the IIS Application Pools and one for bypassing authentication on restricted folders in IIS 🔥 Hopefully they will patch it soon so it can be presented at
@Steel_Con
!
#IIS
#Shortname
scanner tip:
If you are using Powershell and are going to use ADS to inside the restricted /bin/ folder, remember to escape the $ sign:
bin::`$INDEX_ALLOCATION
Going to submit a talk for
@Steel_Con
to include some useful tricks like this + some new things
I had a CRLF vuln in an HTTP response, it removed characters such as `< > " and =`.
I exploited it by adding CORS headers to allow cross-site content hijacking!
I also added a `X-Frame-Options:Foobar` to make the existing one invalid so I could exploit it via an iframe!
#AppSec
I did a few hours of bug bounty for a few nights last week to get a feel.
I chose a couple of different programmes in h1 and bugcrowd to also get a feel of these platforms differences.
Surprisingly both programmes were using Akamai WAF so direct automation was out, however,
For those who use Burp Suite Sharpener, you can now get the latest version from
The latest version now uses the latest version of Montoya API.
Please feel free to submit any issues.
My latest blog post is out:
Anchor Tag XSS Exploitation in Firefox with Target="_blank"
We could use Middle-Mouse-Click or SHIFT/CTRL/ALT+CLICK in Chrome, now a similar approach for Firefox to access `document.cookie`!
#AppSec
#bugbountytips
🛎️
@s7az2mm
The summary of the answers given here by friends, especially
@hkashfi
, is that if someone wants to do something similar, they should go in anonymously from the start and then continue. Even if it turns out there is nothing there, it still counts as a crime, so it is better to be calculated about it.
Now, if something is found, it should again be given anonymously to the FATA police or others
And finally I managed to make the stand-alone recent SharePoint exploit that does not rely on ysoserial . net code. (it is very dirty but it works & won't be released)
@steventseeley
I really liked the exploit as well! He could probably hardcode the /web.config in the first request; but no, he creates a function that can be used over and over again which is cool :)
My next guest is a BEAST hacker, OG bug bounty hunter and security researcher:
@irsdl
! Soroush has 100+ CVEs, tons of awesome blog posts, and he has contributed to a ton of useful tools! (I ♥️ IIS-ShortName-Scanner)
Live interview this Sunday on
A decade ago, I developed Burp Suite JSBeautifier (). At that time, no browsers had JS beautifiers, and no extensions were capable of it. I later had it removed from BAppStore, as I couldn't invest the time to rectify a security flaw. Now, with the Montoya