Showing 39 Result(s)

Writeup: Blind SSRF with out-of-band detection

Lab link. Blind SSRF occurs when an application can be encouraged to send a back-end HTTP request to a given URL, but the response from the back-end request is not returned in the application’s front-end response. Using Burp Collaborator we can create unique domains and send them as payloads to the application. We can monitor …

Writeup: SSRF with whitelist-based input filter

Lab link. Another SSRF measure is Whitelist-Based. The application only allows entries that match a whitelist. The filter can search for a match inside the input. We bypass this filter by exploiting inconsistencies in URL parsing. We try to find an SSRF vulnerability in the check stock feature in the application. We try some SSRF …

Writeup: SSRF with blacklist-based input filter

Lab link. Blacklist-based management can be used as a precaution against SSRF attacks. Some applications can block IP and keywords such as localhost, admin, or 127[.]0[.]0[.]0[.]1. This method can be bypassed. We navigate the application and find where an HTTP request communicates with the API endpoint. This is the stock check section. With the stockApi …

Writeup: Stealing OAuth access tokens via a proxy page

Lab link. First, we check if redirect_uri has a defense against path traversal. Browse other pages. Requests are followed in the comments section of the blog page. window.location.href and postMessage() are used in the comment section. window.location.href contains the current URL of the browser. postMessage() function is used in WebExtension API to communicate messages between …

Writeup: Stealing OAuth access tokens via an open redirect

Lab link. Various methods can be used to prevent manipulation of the redirect_uri parameter, one of them is the whitelist method. However, suppose we manage to communicate with the external domain at another point in the system, for example through a directory traversal vulnerability. In that case, we can manipulate it and steal important tokens. …

Writeup: OAuth account hijacking via redirect_uri

Lab link. We log in and when we log out and log in again, we see that we can log in without entering any login information. We pass the “GET /auth?client_id” request to the repeater and experiment with the redirect_uri parameter. When we change the value of the redirect_uri parameter, we do not get an …

Writeup: Forced OAuth profile linking

Lab link. The state parameter stores a unique unpredictable value that depends on the current session in the client application. The OAuth service should return exactly this value in the response along with the authorization code. The state parameter ensures that the request comes from the person who initiated the OAuth flow. The state parameter …

Writeup: Authentication bypass via OAuth implicit flow

Lab link. Implicit Grant Type is used as OAuth Grant Type in Lab. The difference of the Implicit Grant Type is that the access token is sent immediately after the user approves. It is less reliable because all communication is routed through the browser. After logging in with the wiener:peter gave to us in the …

Writeup: Password brute-force via password change

Lan link. We are evaluating the requests for the password change system. If we enter the existing password incorrectly in the password change process, the system logs us out of our account and says “You have made too many incorrect login attempts. Please try again in 1 minute(s).” error. To bypass this measure against brute-force …