Regex + SSRF
swisskyrepo committed Nov 30, 2024
1 parent 8b27a17 commit 8c09568
Showing 8 changed files with 731 additions and 698 deletions.
5 changes: 3 additions & 2 deletions Prompt Injection/README.md
@@ -9,7 +9,8 @@
* [Applications](#applications)
* [Story Generation](#story-generation)
* [Potential Misuse](#potential-misuse)
* [Prompt Examples](#prompt-examples)
* [Methodology](#methodology)
* [Indirect Prompt Injection](#indirect-prompt-injection)
* [References](#references)


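Review bot: the new `* [Indirect Prompt Injection](#indirect-prompt-injection)` entry points at an anchor that no hunk shown in this commit adds or renames as a heading; confirm a matching `## Indirect Prompt Injection` heading exists in the file, otherwise the table-of-contents link is dead. Dropping `* [Prompt Examples]` is correct since that heading becomes `## Methodology` in the next hunk.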
@@ -70,7 +71,7 @@ For instance, if you're using a language model to generate a story and you want
In the context of security, "prompt injection" could refer to a type of attack where an attacker manipulates the input to a system (the "prompt") in order to cause the system to behave in a way that benefits the attacker. This could involve, for example, injecting malicious code or commands into user input fields on a website.
## Prompt Examples
## Methodology
Here are a list of basic prompts to test against NLP models.
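Review bot: the heading is renamed to `## Methodology`, but the sentence under it still reads `Here are a list of basic prompts to test against NLP models.`, which is ungrammatical (`Here is a list`) and still describes a list of prompts rather than a methodology; suggest `Here is a list of basic prompts to test against NLP models.` or an opening sentence that explains how the prompts are meant to be applied.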
12 changes: 8 additions & 4 deletions Prototype Pollution/README.md
@@ -9,7 +9,7 @@
* [Methodology](#methodology)
* [Examples](#examples)
* [Manual Testing](#manual-testing)
* [Prototype Pollution via JSON input](#prototype-pollution-via-json-input)
* [Prototype Pollution via JSON Input](#prototype-pollution-via-json-input)
* [Prototype Pollution in URL](#prototype-pollution-in-url)
* [Prototype Pollution Payloads](#prototype-pollution-payloads)
* [Prototype Pollution Gadgets](#prototype-pollution-gadgets)
@@ -33,10 +33,14 @@ In JavaScript, prototypes are what allow objects to inherit features from other

```js
var myDog = new Dog();
```

```js
// Points to the function "Dog"
myDog.constructor;
```

```js
// Points to the class definition of "Dog"
myDog.constructor.prototype;
myDog.__proto__;
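Review bot: the comment `// Points to the class definition of "Dog"` above `myDog.constructor.prototype;` is inaccurate: `myDog.constructor.prototype` resolves to `Dog.prototype`, the same object `myDog.__proto__` points to, whereas the class (the constructor function) is `myDog.constructor`, as the previous comment already states. Suggest `// Points to Dog.prototype, the object myDog inherits from`. Splitting the example into three fences also hides that all three snippets operate on the same `myDog`; one block reads better.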
@@ -68,7 +72,7 @@ myDog["__proto__"];
* Change the status code: `{ "__proto__":{"status":510}}`


### Prototype Pollution via JSON input
### Prototype Pollution via JSON Input

You can access the prototype of any object via the magic property `__proto__`.
The `JSON.parse()` function in JavaScript is used to parse a JSON string and convert it into a JavaScript object. Typically it is a sink function where prototype pollution can happen.
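Review bot: `Typically it is a sink function where prototype pollution can happen.` is misleading: `JSON.parse()` creates an own property literally named `__proto__` on the result and does not modify `Object.prototype`; the pollution happens in the code that later recursively merges, clones or extends the parsed object into another one. Suggest describing `JSON.parse()` as the source that lets a `__proto__` key into the application, with unsafe merge/clone/extend functions as the sink.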
@@ -141,7 +145,7 @@ Depending if the prototype pollution is executed client (CSPP) or server side (S
```
* Reflected XSS: [Reflected XSS on www.hackerone.com via Wistia embed code - #986386](https://hackerone.com/reports/986386)
* Client-side bypass: [Prototype pollution – and bypassing client-side HTML sanitizers](https://research.securitum.com/prototype-pollution-and-bypassing-client-side-html-sanitizers/)
* Deny of Service
* Denial of Service


### Prototype Pollution Payloads
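Review bot: `Denial of Service` is now spelled correctly, but it remains the only bullet in this list without a supporting link, while `Reflected XSS` and `Client-side bypass` each cite a report; the references section further down already lists the Gareth Heyes keynote on detection without the DoS, so linking that or a report here would make the list consistent.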
@@ -181,7 +185,7 @@ Either create your own gadget using part of the source with [yeswehack/pp-finder
- [Detecting Server-Side Prototype Pollution - Daniel Thatcher - February 15, 2023](https://www.intruder.io/research/server-side-prototype-pollution)
- [Exploiting prototype pollution – RCE in Kibana (CVE-2019-7609) - Michał Bentkowski - October 30, 2019](https://research.securitum.com/prototype-pollution-rce-kibana-cve-2019-7609/)
- [Keynote | Server Side Prototype Pollution: Blackbox Detection Without The DoS - Gareth Heyes - March 27, 2023](https://youtu.be/LD-KcuKM_0M)
- [NodeJS - __proto__ & prototype Pollution - HackTricks - July 19, 2024](https://book.hacktricks.xyz/pentesting-web/deserialization/nodejs-proto-prototype-pollution)
- [NodeJS - \_\_proto\_\_ & prototype Pollution - HackTricks - July 19, 2024](https://book.hacktricks.xyz/pentesting-web/deserialization/nodejs-proto-prototype-pollution)
- [Prototype Pollution - PortSwigger - November 10, 2022](https://portswigger.net/web-security/prototype-pollution)
- [Prototype pollution - Snyk - August 19, 2023](https://learn.snyk.io/lessons/prototype-pollution/javascript/)
- [Prototype pollution and bypassing client-side HTML sanitizers - Michał Bentkowski - August 18, 2020](https://research.securitum.com/prototype-pollution-and-bypassing-client-side-html-sanitizers/)
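Review bot: escaping the underscores as `\_\_proto\_\_` stops markdown from rendering `__proto__` as bold, but the rest of the file writes the property as a code span (`magic property `__proto__`` in the JSON Input section); using a code span inside the link text would be consistent, easier to read, and is not subject to emphasis parsing either.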
36 changes: 18 additions & 18 deletions Race Condition/README.md
@@ -7,14 +7,14 @@

- [Tools](#tools)
- [Methodology](#methodology)
- [Limit-overrun](#limit-overrun)
- [Rate-limit bypass](#rate-limit-bypass)
- [Limit-overrun](#limit-overrun)
- [Rate-limit Bypass](#rate-limit-bypass)
- [Techniques](#techniques)
- [HTTP/1.1 last-byte synchronization](#http11-last-byte-synchronization)
- [HTTP/2 Single-packet attack](#http2-single-packet-attack)
- [HTTP/1.1 Last-byte Synchronization](#http11-last-byte-synchronization)
- [HTTP/2 Single-packet Attack](#http2-single-packet-attack)
- [Turbo Intruder](#turbo-intruder)
- [Example 1](#example-1)
- [Example 2](#example-2)
- [Example 1](#example-1)
- [Example 2](#example-2)
- [Labs](#labs)
- [References](#references)

@@ -30,27 +30,27 @@

### Limit-overrun

Overdrawing limit, multiple voting, multiple spending of a giftcard.
Limit-overrun refers to a scenario where multiple threads or processes compete to update or access a shared resource, resulting in the resource exceeding its intended limits.

**Examples**:
**Examples**: Overdrawing limit, multiple voting, multiple spending of a giftcard.

- [Race Condition allows to redeem multiple times gift cards which leads to free "money" - @muon4](https://hackerone.com/reports/759247)
- [Race conditions can be used to bypass invitation limit - @franjkovic](https://hackerone.com/reports/115007)
- [Register multiple users using one invitation - @franjkovic](https://hackerone.com/reports/148609)


### Rate-limit bypass
### Rate-limit Bypass

Bypassing anti-bruteforce mechanism and 2FA.
Rate-limit bypass occurs when an attacker exploits the lack of proper synchronization in rate-limiting mechanisms to exceed intended request limits. Rate-limiting is designed to control the frequency of actions (e.g., API requests, login attempts), but race conditions can allow attackers to bypass these restrictions.

**Examples**:
**Examples**: Bypassing anti-bruteforce mechanism and 2FA.

- [Instagram Password Reset Mechanism Race Condition - Laxman Muthiyah](https://youtu.be/4O9FjTMlHUM)


## Techniques

### HTTP/1.1 last-byte synchronization
### HTTP/1.1 Last-byte Synchronization

Send every requests except the last byte, then "release" each request by sending the last byte.

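Review bot: `Send every requests except the last byte, then "release" each request by sending the last byte.` has a number-agreement error and is ambiguous about whose last byte is withheld; suggest `Send every request except its last byte, then "release" each request by sending that last byte.` In the new Rate-limit Bypass definition, `Bypassing anti-bruteforce mechanism and 2FA.` should read `anti-brute-force mechanisms`.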
@@ -67,16 +67,16 @@ engine.openGate('race1')
- [Cracking reCAPTCHA, Turbo Intruder style - James Kettle](https://portswigger.net/research/cracking-recaptcha-turbo-intruder-style)


### HTTP/2 Single-packet attack
### HTTP/2 Single-packet Attack

In HTTP/2 you can send multiple HTTP requests concurrently over a single connection. In the single-packet attack around ~20/30 requests will be sent and they will arrive at the same time on the server. Using a single request remove the network jitter.

- [turbo-intruder/race-single-packet-attack.py](https://github.com/PortSwigger/turbo-intruder/blob/master/resources/examples/race-single-packet-attack.py)
- [PortSwigger/turbo-intruder/race-single-packet-attack.py](https://github.com/PortSwigger/turbo-intruder/blob/master/resources/examples/race-single-packet-attack.py)
- Burp Suite
- Send a request to Repeater
- Duplicate the request 20 times (CTRL+R)
- Create a new group and add all the requests
- Send group in parallel (single-packet attack)
- Send a request to Repeater
- Duplicate the request 20 times (CTRL+R)
- Create a new group and add all the requests
- Send group in parallel (single-packet attack)

**Examples**:

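Review bot: `Using a single request remove the network jitter.` is wrong on two counts: the technique packs many requests into a single TCP packet, not a single request, and the verb should be `removes`; suggest `Sending them in a single packet removes the network jitter.` Also `around ~20/30 requests` says "around" twice; drop either `around` or `~`.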
21 changes: 15 additions & 6 deletions Regular Expression/README.md
@@ -6,8 +6,9 @@
## Summary

* [Tools](#tools)
* [Evil Regex](#evil-regex)
* [Backtrack Limit](#backtrack-limit)
* [Methodology](#methodology)
* [Evil Regex](#evil-regex)
* [Backtrack Limit](#backtrack-limit)
* [References](#references)


@@ -18,7 +19,9 @@
* [devina.io/redos-checker](https://devina.io/redos-checker) - Examine regular expressions for potential Denial of Service vulnerabilities


## Evil Regex
## Methodology

### Evil Regex

Evil Regex contains:

@@ -35,14 +38,20 @@ Evil Regex contains:
* `(a|a?)+`
* `(.*a){x}` for x \> 10

These regular expressions can be exploited with `aaaaaaaaaaaaaaaaaaaaaaaa!`
These regular expressions can be exploited with `aaaaaaaaaaaaaaaaaaaaaaaa!` (20 'a's followed by a '!').

```ps1
aaaaaaaaaaaaaaaaaaaa!
```

For this input, the regex engine will try all possible ways to group the `a` characters before realizing that the match ultimately fails because of the `!`. This results in an explosion of backtracking attempts.


## Backtrack Limit
### Backtrack Limit

Backtracking in regular expressions occurs when the regex engine tries to match a pattern and encounters a mismatch. The engine then backtracks to the previous matching position and tries an alternative path to find a match. This process can be repeated many times, especially with complex patterns and large input strings.

PHP PCRE configuration options
**PHP PCRE configuration options**

| Name | Default | Note |
|----------------------|---------|---------|
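Review bot: the new parenthetical `(20 'a's followed by a '!')` does not match the inline string `aaaaaaaaaaaaaaaaaaaaaaaa!`, which has more than 20 `a` characters (24 by my count), while the fenced block below has exactly 20; pick one count and use the same string in both places. The fence is tagged `ps1` although its content is a bare test string, not PowerShell; `text` (or no tag) is the accurate label.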
15 changes: 7 additions & 8 deletions Request Smuggling/README.md
@@ -25,9 +25,7 @@

## Methodology

If you want to exploit HTTP Requests Smuggling manually you will face some problems especially in TE.CL vulnerability you have to calculate the chunk size for the second request(malicious request) as PortSwigger suggests `Manually fixing the length fields in request smuggling attacks can be tricky.`.

For that reason you can use the [Simple HTTP Smuggler Generator CL.TE TE.CL](https://github.com/dhmosfunk/simple-http-smuggler-generator) and exploit the CL.TE TE.CL vulnerabilities manually and learn how this vulnerability works and how you can exploit it.
If you want to exploit HTTP Requests Smuggling manually you will face some problems especially in TE.CL vulnerability you have to calculate the chunk size for the second request(malicious request) as PortSwigger suggests `Manually fixing the length fields in request smuggling attacks can be tricky.`.


### CL.TE Vulnerabilities
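Review bot: this hunk deletes the only pointer to the Simple HTTP Smuggler Generator with no replacement visible in this diff; if the link is being retired from the Methodology text, consider moving it to the Tools section rather than dropping it. The surviving sentence is a run-on with a missing space in `request(malicious request)`; suggest `If you want to exploit HTTP Request Smuggling manually you will face some problems, especially with TE.CL: you have to calculate the chunk size for the second (malicious) request. As PortSwigger notes, "Manually fixing the length fields in request smuggling attacks can be tricky."`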
@@ -97,7 +95,7 @@ x=1
```

:warning: To send this request using Burp Repeater, you will first need to go to the Repeater menu and ensure that the "Update Content-Length" option is unchecked.You need to include the trailing sequence \r\n\r\n following the final 0.
:warning: To send this request using Burp Repeater, you will first need to go to the Repeater menu and ensure that the "Update Content-Length" option is unchecked.You need to include the trailing sequence `\r\n\r\n` following the final 0.


### TE.TE Vulnerabilities
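Review bot: wrapping `\r\n\r\n` in a code span is the right fix, but the line still carries the missing space in `unchecked.You need`; fix that while touching the line, and consider `following the final 0 chunk-size line` so readers know which `0` is meant.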
@@ -156,7 +154,8 @@ This could be used to:
* get the victim to send an exploit to a site (eg for internal sites the attacker cannot access, or to make it harder to attribute the attack)
* to get the victim to run arbitrary JavaScript as if it were from the site

Eg:
**Example**:

```javascript
fetch('https://www.example.com/redirect', {
method: 'POST',
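Review bot: `* to get the victim to run arbitrary JavaScript` carries a leading `to` that the sibling bullet `* get the victim to send an exploit ...` does not, so the list does not read uniformly after `This could be used to:`; drop it. The `**Example**:` label replacing `Eg:` matches the `**Examples**:` convention used in the Race Condition README in this same commit.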
@@ -168,10 +167,10 @@ fetch('https://www.example.com/redirect', {
})
```

tells the victim browser to send a POST request to www.example.com/redirect. That returns a redirect which is blocked by CORS, and causes the browser to execute the catch block, by going to www.example.com.
This script tells the victim browser to send a `POST` request to `www.example.com/redirect`. That returns a redirect which is blocked by CORS, and causes the browser to execute the catch block, by going to `www.example.com`.

www.example.com now incorrectly processes the HEAD request in the POST's body, instead of the browser's GET request, and returns 404 not found with a content-length, before replying to the next misinterpreted third (`GET /x?x=<script>...`) request and finally the browser's actual GET request.
Since the browser only sent one request, it accepts the response to the HEAD request as the response to its GET request and interprets the third and fourth responses as the body of the response, and thus executes the attacker's script.
www.example.com now incorrectly processes the `HEAD` request in the `POST`'s body, instead of the browser's `GET` request, and returns 404 not found with a content-length, before replying to the next misinterpreted third (`GET /x?x=<script>...`) request and finally the browser's actual `GET` request.
Since the browser only sent one request, it accepts the response to the `HEAD` request as the response to its `GET` request and interprets the third and fourth responses as the body of the response, and thus executes the attacker's script.


## Labs
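Review bot: `www.example.com now incorrectly processes` at the start of the second paragraph is the one remaining occurrence not in a code span, while the sentence just before wraps `www.example.com` in backticks; make it consistent. `404 not found with a content-length` refers to the response header, so `Content-Length` matches how the header is spelled in the earlier `Update Content-Length` warning.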