The Web, Web Applications & Browsers

Table of Contents

  • Technologies
    • API Stuff
    • Web Browsers
    • Browser Security
    • HTTPS Certificates & Certificate Transparency
    • Content Management Systems
    • Continuous Integration/Delivery/Build Systems
    • ColdFusion
    • Electron
    • Flash/SWF
    • GhostScript
    • GraphQL
    • Imagemagick
    • JavaScript
    • Java Server Faces (JSF)
    • Java Server Pages (JSP)
    • JSON Web Tokens
    • MIME Sniffing
    • NodeJS
    • Platform Agnostic Security Token (PASETO)
    • PHP
    • REST/SOAP/Web Services (WSDL)
    • Ruby/Ruby on Rails
    • Web Assembly
    • Secure Sockets Layer / Transport Layer Security
    • Single Sign-On (SSO)
    • Web Application Firewalls (WAFs)
    • JS Frameworks
    • Web Proxies
    • Web Servers
    • Web Storage
  • Attacks
    • Abuse of Functionality
    • Brute Force/Fuzzing
    • Attacking Continuous Integration Systems
    • CSV Injection
    • Clickjacking
    • Cross Protocol Scripting/Request Attack
    • Cross Site Content Hijacking
    • Cross Site History Manipulation
    • Cross Site Request Forgery (CSRF)
    • Cascading-StyleSheets-related Attacks
    • Cross Site WebSocket Hijacking
    • Data Structure Attacks
    • Edge Side Include Injection
    • Embedded Malicious Code
    • Exploitation of Authentication
    • IDN Homograph & Homograph Attacks
    • Insecure Direct Object Reference
    • Execution After(/Open) Redirect (EAR)
    • File Upload Testing
    • HTML Smuggling
    • HTTP Request Smuggling
    • Image-based Exploitation AKA Exploiting Polyglot features of File standards
    • Injection Based Attacks
    • OS Command Injection
    • JNDI Attack Class
    • Path Confusion Attacks
    • LFI & RFI
    • (No)SQL Injection
    • Path Traversal Attacks
    • Prototype Pollution Attack
    • Reflected File Download
    • Relative Path Overwrite
    • (De-)Serialization Attacks
    • Server Side Request Forgery (SSRF)
    • Server Side Include
    • Client/Server Side Template Injection
    • Subdomain Hijack/Takeover
    • Website Imaging (Taking Snapshots of WebPages)
    • (Bit)/Typo-squatting
    • Web Shells
    • XSS
    • Cross-Site History Manipulation
    • Tabnabbing Attacks
    • Timing / Race Condition Attacks
    • TLS Redirection (and Virtual Host Confusion)
    • TypoSquatting
    • Web Cache Deception Attack
    • Web Cache Poisoning Attack
    • XML

  • To Do
    • Identity Providers/SSO Stuff
    • Web Frameworks

General

  • 101
  • Browsers
    • Browser-2020
      • Things you can do with a browser in 2020
      • It's like, did no one read 'The Tangled Web: A Guide to Securing Modern Web Applications'? Or did they, and their takeaway was, 'Man, what a bunch of great ideas! Blinking text with no user control? Woah. I'm so on this.'
      • My point is that it is 2020, and there is no equivalent to NoScript or uBlock Origin in any major browser. Despite this, I can have picture-in-picture video chats, while also connecting devices to the browser by Bluetooth and USB and having each tab color coded, along with the browser knowing the power level of my device, all according to standards.
      • Google released a paper the day after I made this comment. I stand by my comment.
    • Oh, the Places You’ll Go! Finding Our Way Back from the Web Platform’s Ill-conceived Jaunts - Artur Janc, Mike West (2020)
      • In this paper, we start from a scattered list of concrete grievances about the web platform based on informal discussions among browser and web security engineers. After reviewing the details of these issues, we work towards a model of the root causes of the problems, categorizing them based on the type of risk they introduce to the platform. We then identify possible solutions for each class of issues, dividing them by the most effective approach to address it. In the end, we arrive at a general blueprint for backing out of these dead ends. We propose a three-pronged approach which includes changing web browser defaults, creating a slew of features for web authors to opt out of dangerous behaviors, and adding new security primitives. We then show how this approach can be practically applied to address each of the individual problems, providing a conceptual framework for solving unsafe legacy web platform behaviors.
    • How Browsers Work: Behind the scenes of modern web browsers - Tali Garsiel, Paul Irish(2011)
  • Other

Standards

Content Security Policy (CSP)


Cross-Origin Resource Sharing (CORS)

  • 101
  • Articles/Blogposts/Writeups
  • Presentations/Talks/Videos
    • Exploiting CORS Misconfigurations For Bitcoins And Bounties by James Kettle(AppSecEU 2017)
      • Cross-Origin Resource Sharing (CORS) is a mechanism for relaxing the Same Origin Policy to enable communication between websites via browsers. It's already widely understood that certain CORS configurations are dangerous. In this presentation, I'll skim over the old knowledge then coax out and share with you an array of under-appreciated but dangerous subtleties and implications buried in the CORS specification. I'll illustrate each of these with recent attacks on real websites, showing how I could have used them to steal bitcoins from two different exchanges, partially bypass Google's use of HTTPS, and requisition API keys from numerous others. I'll also show how CORS blunders can provide an invaluable link in crafting exploit chains to pivot across protocols, exploit the unexploitable via server and client-side cache poisoning, and even escalate certain open redirects into vulnerabilities that are actually notable.
      • Blogpost
    • To CORS! The cause of, and solution to, your SPA problems! - Tim Tomes, Kevin Cody
      • Cross-Origin Resource Sharing (CORS) is a complex and commonly misunderstood concept that is often implemented wrong for the right reasons. In this talk we will explain the Same-Origin Policy (SOP) and CORS in an easy to understand way. We will then discuss poor implementations of CORS and the resulting issues. We'll continue by releasing research done on a number of development frameworks exposing poorly designed CORS libraries that default to the most dangerous behavior. We'll then demonstrate why all of this matters by conducting a distributed attack against the most common CORS configuration using audience participation and a new tool. Finally, we'll discuss the safest ways to implement CORS. The custom tools used during the talk will be released along with the presentation.
    • Of CORS it's Exploitable! What's Possible with Cross-Origin Resource Sharing? - Rebecca Deck(CircleCityCon2019)
      • Cross-origin resource sharing (CORS) is extremely common on modern web apps, but scanning tools are terrible at analyzing CORS policy. If testers really understand CORS policy, a damaging exploit is often not far away. Is it possible to force a user to do something significant? Does using a GUID offer any protection? Does the authentication mechanism really protect against cross-origin attacks? Is it really risky to allow all origins? Do pre-flight requests always help? CORS requests get tricky very quickly and scanning tools do not have a good understanding of the intricacies that surface during actual application testing. A quick and dirty JavaScript exploit will put the issue to rest and eliminate hours of theoretical debate. This presentation covers how CORS works and how to find misconfigurations. Dozens of actual applications are distilled into examples that demonstrate CORS protections and JavaScript code to bypass them. A basic knowledge of CORS and JavaScript will be helpful to understand the exploit code, but no special background is necessary to grasp the basics of CORS configuration.
  • Papers
  • Tools
    • CORStest
      • A simple CORS misconfiguration scanner
    • CORS Exploitation Framework(CEF)
      • A proof-of-concept tool for conducting distributed exploitation of permissive CORS configurations.
    • Corsy
      • Corsy is a lightweight program that scans for all known misconfigurations in CORS implementations.
    • CorsMe
      • A CORS misconfiguration scanner tool based on Go, with speed and precision in mind!

Cookies

  • 101
  • Articles/Blogposts/Writeups
  • Talks/Presentations/Videos
    • Baking Your Anomalous Cookies - Jim Allee(NolaCon2019)
      • I hacked Fortnite! Actually it was a vulnerable cookie found on several domains owned by Epic Games that allowed me to hijack traffic of users of their websites, steal session tokens and of course, BeEF hook 'em. I will describe my journey from creating a custom cookie fuzzing tool (Anomalous Cookie) to help identify vulnerable cookies, to creating a framework for 'Cookie Baking'. Cookie Baking is the technique of creating or modifying a cookie in a user's local Cookie Jar (this includes stuffing with malicious payloads, affiliate tags, fuzz-strings and more). I will also provide insight into the Bug Bounty process, how Google responded to my request for them to protect local cookies at rest, and how I created WHID-Injected Cookies! ;)

Document Object Model (DOM)

  • 101
  • Articles/Blogposts/Presentations/Talks/Writeups
  • Talks & Presentations
    • Securing the DOM from the Bottom Up - Mike Samuel(BSides Cleveland2019)
      • 18 years have passed since Cross-Site Scripting (XSS) became the single most common security problem in web applications. Since then, numerous efforts have been proposed to detect, fix or mitigate it, but these piecemeal efforts have not combined to make it easy to produce XSS-free code. This talk explains how Google's security team has achieved a high level of safety against XSS and related problems by integrating tools to make it easier for developers to produce secure software than vulnerable, and to bound the portion of a codebase that could contribute to a vulnerability. We will show how this works in practice and end with advice on how to achieve the same results on widely-used, open-source stacks and new browser mechanisms that will make it much easier to achieve high levels of security with good developer experience.

Hyper Text Markup Language (HTML)


Fetch


Hyper Text Transport Protocol (HTTP)


MIME Sniffing

  • 101
    • MIME Sniffing - whatwg.org
    • Media Type Sniffing | draft-ietf-websec-mime-sniff-03
      • Many web servers supply incorrect Content-Type header fields with their HTTP responses. In order to be compatible with these servers, user agents consider the content of HTTP responses as well as the Content-Type header fields when determining the effective media type of the response. This document describes an algorithm for determining the effective media type of HTTP responses that balances security and compatibility considerations.
  • Articles/Blogposts/Presentations/Talks/Writeups

OAuth


Same-Origin Policy


Security Assertion Markup Language (SAML)


Service Workers


Subresource Integrity


Secure Sockets Layer/Transport Layer Security (SSL/TLS)

  • 101
  • Articles/Blogposts/Presentations/Talks/Writeups
  • Attacks Against
    • SSL/TLS Interception Proxies and Transitive Trust
      • Secure Sockets Layer (SSL) and its successor Transport Layer Security (TLS) have become key components of the modern Internet. The privacy, integrity, and authenticity provided by these protocols are critical to allowing sensitive communications to occur. Without these systems, e-commerce, online banking, and business-to-business exchange of information would likely be far less frequent. Threat actors have also recognized the benefits of transport security, and they are increasingly turning to SSL to hide their activities. Advanced Persistent Threat (APT) attackers, botnets, and even commodity web attacks can leverage SSL encryption to evade detection. To counter these tactics, organizations are increasingly deploying security controls that intercept end-to-end encrypted channels. Web proxies, data loss prevention (DLP) systems, specialized threat detection solutions, and network intrusion prevention systems (NIPS) offer functionality to intercept, inspect, and filter encrypted traffic. Similar functionality is present in lawful intercept systems and solutions enabling the broad surveillance of encrypted communications by governments. Broadly classified as "SSL/TLS interception proxies", these solutions act as a "man-in-the-middle", violating the end-to-end security promises of SSL. This type of interception comes at a cost. Intercepting SSL-encrypted connections sacrifices a degree of privacy and integrity for the benefit of content inspection, often at the risk of authenticity and endpoint validation. Implementers and designers of SSL interception proxies should consider these risks and understand how their systems operate in unusual circumstances.

Streams

  • 101
    • Streams - Dec 12 2019
      • This specification provides APIs for creating, composing, and consuming streams of data that map efficiently to low-level I/O primitives.

Uniform Resource Identifier/Locator (URIs/URLs)


Web Authentication


Web Bluetooth


Web Hooks


Web NFC


WebRTC

  • 101
    • WebRTC for the Curious: Go beyond the APIs
      • The WebRTC book that explains everything. WebRTC is a real-time communication framework that makes it easy to build real-time interactions for web and mobile devices. You will learn about the WebRTC specification and how all the protocols work in depth, not just a tour of the APIs. The book is completely Open Source and available at https://webrtcforthecurious.com and https://github.com/webrtc-for-the-curious/webrtc-for-the-curious. Learn the full details of ICE, SCTP, DTLS, SRTP, and how they work together to make up the WebRTC stack. Hear how WebRTC implementers debug issues with the tools of the trade. Listen to interviews with the authors of foundational WebRTC tech! Hear the motivations and design details that pre-dated WebRTC by 20 years. Explore the cutting edge of what people are building with WebRTC. Learn about interesting use cases and how real-world applications get designed, tested and implemented in production. Written by developers who have written all of this from scratch. We learned it the hard way, now we want to share it with you! This book is vendor agnostic and multiple Open Source projects and companies are involved. We would love to have you involved!
  • Articles/Papers/Talks/Writeups
  • General
  • Tools

WebSockets


WebUSB

  • 101
  • Articles/Blogposts/Presentations/Talks/Writeups
    • WebUSB - How a website could steal data off your phone
      • This blog post looks into the capabilities of WebUSB to understand how it works, the new attack surface, and privacy issues. We will describe the processes necessary to get access to devices and how permissions are handled in the browser. Then we will discuss some security implications and show how a website can use WebUSB to establish an ADB connection and effectively compromise a connected Android phone.

Technologies

API Stuff


Web Browsers


Browser Security


HTTPS Certificates & Certificate Transparency


Content Management Systems

  • Agnostic
    • WhatWeb
      • WhatWeb identifies websites. Its goal is to answer the question, "What is that Website?". WhatWeb recognises web technologies including content management systems (CMS), blogging platforms, statistic/analytics packages, JavaScript libraries, web servers, and embedded devices. WhatWeb has over 1500 plugins, each to recognise something different. WhatWeb also identifies version numbers, email addresses, account IDs, web framework modules, SQL errors, and more.
    • w3af
      • w3af: web application attack and audit framework, the open source web vulnerability scanner.
  • Drupal
  • Joomla
    • Highly Effective Joomla Backdoor with Small Profile
    • JoomScan
      • Joomla! is probably the most widely-used CMS out there due to its flexibility, user-friendliness and extensibility, to name a few. So, watching its vulnerabilities and adding such vulnerabilities as KB to the Joomla scanner takes ongoing activity. It will help web developers and web masters identify possible security weaknesses on their deployed Joomla! sites. No web security scanner is dedicated to only one CMS.
    • JScanner
      • Analyze target Joomla! installation using several different techniques.
    • JoomlaVS
      • JoomlaVS is a Ruby application that can help automate assessing how vulnerable a Joomla installation is to exploitation. It supports basic fingerprinting and can scan for vulnerabilities in components, modules and templates as well as vulnerabilities that exist within Joomla itself.
  • Sharepoint
    • Sparty - Sharepoint/Frontpage Auditing Tool
      • Sparty is an open source tool written in Python to audit web applications using SharePoint and FrontPage architecture. The motivation behind this tool is to provide an easy and robust way to scrutinize the security configurations of SharePoint and FrontPage based web applications. Due to the complex nature of this web administration software, it is required to have a simple and efficient tool that gathers information, checks access permissions, dumps critical information from default files and performs automated exploitation if security risks are identified. A number of automated scanners fall short of this and Sparty is a solution to that.
  • WordPress
    • WPScan
      • WPScan is a black box WordPress vulnerability scanner.
    • WPSeku
      • WordPress Security Scanner

Continuous Integration/Delivery/Build Systems


ColdFusion


Electron


Flash/SWF


GhostScript


GraphQL


Imagemagick


JavaScript


Java Server Faces (JSF)


Java Server Pages (JSP)


JSON Web Tokens


MIME Sniffing


NodeJS

  • 101
  • Educational
    • A Roadmap for Node.js Security
    • NodeGoat
      • Being lightweight, fast, and scalable, Node.js is becoming a widely adopted platform for developing web applications. This project provides an environment to learn how OWASP Top 10 security risks apply to web applications developed using Node.js and how to effectively address them.
  • Articles/Blogposts/Writeups
  • Presentations/Talks/Videos
    • NodeJS: Remote Code Execution as a Service - Peabnuts123 – Kiwicon 2016
    • It's Coming From Inside the House: An Inside-Out Approach to NodeJS Application Security - Yolonda Smith(CircleCityCon2019)
      • Getting application security right often requires that developers have a deeper than average understanding of the security domain. In what other industry is this the case? We don't have to be M.D.s to get a medical diagnosis; we don't have to be auto mechanics to get our cars fixed, yet we in security wag our fingers at "iD10t errors" and build grand mousetraps to catch "so obvious" developer missteps, when they may not know what they need to add, change or remove from their applications to make it "secure" in the first place. Furthermore, patterns to address these issues don't always fit the requirements of the application short or long term, resulting in solutions that only address part of the problem, or worse, are omitted altogether because they are too cumbersome to implement. My answer to this is _spartan-a node application created for developers of node.js applications, not security people. _spartan allows developers to create security policies which address their node app's (whether it be Desktop, Web, Mobile, IoT or API) specific requirements; it installs & configures the modules to match the policy and; it generates the boilerplate code that developers can import directly into their applications.
  • Tools
    • faker.js
      • generate massive amounts of fake data in Node.js and the browser
  • Hidden Property Abuse
    • Discovering Hidden Properties to Attack the Node.js Ecosystem - Feng Xiao (DEFCON Safemode)
      • BlackHat Slides
      • Node.js is widely used for developing both server-side and desktop applications. It provides a cross-platform execution environment for JavaScript programs. Due to its increasing popularity, the security of Node.js is critical to web servers and desktop clients. We present a novel attack method against the Node.js platform, called hidden property abusing (HPA). The new attack leverages the widely-used data exchanging feature of JavaScript to tamper with critical program states of Node.js programs, like server-side applications. HPA entitles remote attackers to launch serious attacks, such as stealing confidential data, bypassing security checks, and launching denial of service attacks. To help developers detect the HPA issues of their Node.js applications, we develop a tool, named LYNX, that utilizes hybrid program analysis to automatically reveal HPA vulnerabilities and even synthesize exploits. We apply LYNX on a set of widely-used Node.js programs and identify 13 previously unknown vulnerabilities. LYNX successfully generates 10 severe exploits. We have reported all of our findings to the Node.js community. At the time of paper writing, we have received the confirmation of 12 vulnerabilities and got 12 CVEs assigned. Moreover, we collaborated with an authoritative public vulnerability database to help them use a new vulnerability notion and description in related security issues. The talk consists of four parts. First, we will introduce recent offensive research on Node.js. Second, we will introduce HPA by demonstrating an exploit on a widely-used web framework. Third, we will explain how to leverage program analysis techniques to automatically detect and exploit HPA. In the end, we will have a comprehensive evaluation which discusses how we identified 13 HPA 0days with the help of our detection method.

Platform Agnostic Security Token (PASETO)


PHP


REST/SOAP/Web Services (WSDL)


Ruby/Ruby on Rails


Web Assembly


Secure Sockets Layer / Transport Layer Security


Single Sign-On (SSO)

  • 101
  • Articles/Blogposts/Writeups
  • Talks & Presentations
  • Dupe Key Confusion
    • An attack to bypass XML signature verification by sending multiple key identifiers in the KeyInfo section. Vulnerable systems will use the first one to verify the XML signature and the second one to verify the trust on the signing party. This plugin applies this technique to SAML tokens by allowing the user to modify and then re-sign the SAML assertion with an arbitrary attacker-controlled key, which is then sent as the first element of the KeyInfo section, while the original key identifier is sent as the second key identifier.
    • Tools
      • DupeKeyInjector
        • Dupe Key Injector is a Burp Suite extension implementing Dupe Key Confusion, a new XML signature bypass technique presented in the BSides/BlackHat/DEFCON 2019 "SSO Wars: The Token Menace" presentation.
        • Slides
        • Paper

Web Application Firewalls (WAFs)


JS Frameworks


Web Proxies

  • 101
  • Articles/Blogposts/Writeups
  • Tools
    • Burpsuite
      • Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application's attack surface, through to finding and exploiting security vulnerabilities.
    • ZAP - Zed Attack Proxy
      • The Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing. ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.
    • Paros - Web Proxy
      • A Java based HTTP/HTTPS proxy for assessing web application vulnerability. It supports editing/viewing HTTP messages on-the-fly. Other features include spiders, client certificates, proxy-chaining, intelligent scanning for XSS and SQL injection, etc.
    • Mallory: Transparent TCP and UDP Proxy
      • Mallory is a transparent TCP and UDP proxy. It can be used to get at those hard to intercept network streams, assess those tricky mobile web applications, or maybe just pull a prank on your friend.
    • TCP Catcher
      • TcpCatcher is a free TCP, SOCKS, HTTP and HTTPS proxy monitor server software.
    • wssip
      • Application for capturing, modifying and sending custom WebSocket data from client to server and vice versa.
    • ratproxy
      • Ratproxy is a semi-automated, largely passive web application security audit tool. It is meant to complement active crawlers and manual proxies more commonly used for this task, and is optimized specifically for an accurate and sensitive detection, and automatic annotation, of potential problems and security-relevant design patterns based on the observation of existing, user-initiated traffic in complex web 2.0 environments.

Web Servers


Web Storage


Tactics & Techniques

  • Attacking
  • Securing
  • Guides & Methodologies
    • OWASP Testing Checklist
    • WebAppSec Testing Checklist
    • OWASP Testing Checklist(OTGv4)
      • The OWASP based Web Application Security Testing Checklist is an Excel based checklist which helps you to track the status of completed and pending test cases. This checklist is completely based on OWASP Testing Guide v4. The OWASP Testing Guide includes a “best practice” penetration testing framework which users can implement in their own organizations and a “low level” penetration testing guide that describes techniques for testing the most common web application security issues. Moreover, the checklist also contains an OWASP Risk Assessment Calculator and a Summary Findings template.
    • LTR101: Web App Testing - Methods to The Madness - Andy Gill
    • LTR101: Web Application Testing Methodologies - Andy Gill
    • The Bug Hunter’s Methodology - Jason Haddix @jhaddix(Defcon Safemode RedTeamVillage 2020)
      • The Bug Hunter’s Methodology is an ongoing yearly installment on the newest tools and techniques for bug hunters and red teamers. This version explores both common and lesser-known techniques to find assets for a target. The topics discussed will look at finding a target's main seed domains, subdomains, IP space, and discuss cutting edge tools and automation for each topic. By the end of this session a bug hunter or red teamer will be able to discover and multiply their attack surface. We also discuss several vulnerabilities and misconfigurations related to the recon phase of assessment.
  • Testing Writeups
    • Video Testing stateful web application workflows - András Veres-Szentkirályi
    • Paper Testing stateful web application workflows - SANS - András Veres-Szentkirályi
      • Most web applications used for complex business operations and/or employing advanced GUI frameworks have stateful functionality. Certain workflows, for example, might require completing certain steps before a transaction is committed, or a request sent by a client-side UI element might need several preceding requests that all contribute to the session state. Most automated tools focus on a request and maybe a redirection, thus completely missing the point in these cases, where resending a request gets ignored by the target application. As a result, while these tools are getting better day by day, using them for testing such execution paths is usually out of the question. Since thorough assessment is cumbersome without such tools, there's progress, but we are far from plug-and-play products. This paper focuses on the capabilities of currently available solutions, demonstrating their pros and cons, along with opportunities for improvement.
  • Payloads
  • Tactics
  • General Reconnaissance Techniques
    • General Articles/Methodology Writeups
    • Tools that didn't fit elsewhere
      • webgrep
        • This self-contained tool relies on the well-known grep tool for grepping Web pages. It binds nearly every option of the original tool and also provides additional features like deobfuscating JavaScript or applying OCR on images before grepping downloaded resources.
    • (Almost)Fully Automating Recon
    • Attack Surface Reconnaissance
      • Articles/Blogposts/Writeups
        • Asset Enumeration: Expanding a Target's Attack Surface - Capt. Meelo
        • What's in a Domain Name? - Collin Meadows(SecureWV/Hack3rcon2018)
          • The domain name is one of the most prominent assets an organization can have. While customers can discover an organization from many sources - social media, review aggregators, advertisements, etc - the webpage is often the first direct experience a person has with a business and brand. This vital role makes the domain a target for fraud, data leakage, and cyber attack. Implementing domain monitoring and performing risk assessments is important, but only half the battle. In this talk, we will consider the amount of intelligence one can gather starting from only a domain name and investigate how this sets an attacker up with an ideal blueprint for malicious action.
      • Tools
        • AttackSurfaceMapper
          • Attack Surface Mapper is a reconnaissance tool that uses a mixture of open source intelligence and active techniques to expand the attack surface of your target. You feed in a mixture of one or more domains, subdomains and IP addresses and it uses numerous techniques to find more targets. It enumerates subdomains with bruteforcing and passive lookups, other IPs of the same network block owner, IPs that have multiple domain names pointing to them and so on. Once the target list is fully expanded it performs passive reconnaissance on them, taking screenshots of websites, generating visual maps, looking up credentials in public breaches, passive port scanning with Shodan and scraping employees from LinkedIn.
        • intrigue-core
          • Intrigue-core is a framework for external attack surface discovery and automated OSINT.
        • Domain Analyzer
          • Domain analyzer is a security analysis tool which automatically discovers and reports information about the given domain. Its main purpose is to analyze domains in an unattended way.
        • domain-profiler
          • domain-profiler is a tool that uses information from various sources (Whois, DNS, SSL, ASN) to determine what decisions have been made regarding a domain or list of domains.
        • The Hamburglar
          • Hamburglar -- collect useful information from urls, directories, and files
        • AutoRecon
        • Websy
          • Keep an eye on your targets with Websy to get quickly notified for any change they push on their Web Server
        • BlueEye
          • Blue Eye is a Python recon toolkit script. It shows subdomains resolved to their IP addresses, company email addresses and much more!
    • Browser Automation
      • playwright
        • Node.js library to automate Chromium, Firefox and WebKit with a single API
    • DNS
    • Endpoint Discovery
      • Articles/Blogposts/Writeups
      • Tools
        • JSParser
          • A python 2.7 script using Tornado and JSBeautifier to parse relative URLs from JavaScript files. Useful for easily discovering AJAX requests when performing security research or bug bounty hunting.
        • LinkFinder
          • LinkFinder is a Python script written to discover endpoints and their parameters in JavaScript files. This way penetration testers and bug hunters are able to gather new, hidden endpoints on the websites they are testing, resulting in new testing ground, possibly containing new vulnerabilities. It does so by using jsbeautifier for Python in combination with a fairly large regular expression.
        • relative-url-extractor
          • During reconnaissance (recon) it is often helpful to get a quick overview of all the relative endpoints in a file. These days web applications have frontend pipelines that make it harder for humans to understand minified code. This tool contains a nifty regular expression to find and extract the relative URLs in such files. This can help surface new targets for security researchers to look at. It can also be used to periodically compare the results of the same file, to see which new endpoints have been deployed. History has shown that this is a goldmine for bug bounty hunters.
        • hakrawler
        • endpointdiff
          • endpointdiff is a simple wrapper script around LinkFinder (https://github.com/GerbenJavado/LinkFinder) to quickly identify whether endpoints have changed based on diffs of JS files.
    • Forced Browsing
      • Articles/Blogposts/Writeups
      • Tools
        • Dirbuster
          • DirBuster is a multi-threaded Java application designed to brute force directory and file names on web/application servers. It is often the case that what looks like a web server in a default installation state is actually not, and has pages and applications hidden within. DirBuster attempts to find these.
        • Go Buster
          • Directory/file busting tool written in Go; Recursive, CLI-based, no java runtime
        • WFuzz
          • Wfuzz is a tool designed for brute forcing web applications. It can be used for finding resources that are not linked (directories, servlets, scripts, etc.), brute forcing GET and POST parameters to check for different kinds of injection (SQL, XSS, LDAP, etc.), brute forcing form parameters (user/password), fuzzing, etc.
        • dirsearch
          • dirsearch is a simple command line tool designed to brute force directories and files in websites.
        • ffuf
        • Tachyon
          • Tachyon is a Fast Multi-Threaded Web Discovery Tool
        • Syntribos
          • Given a simple configuration file and an example HTTP request, syntribos can replace any API URL, URL parameter, HTTP header and request body field with a given set of strings. Syntribos iterates through each position in the request automatically. Syntribos aims to automatically detect common security defects such as SQL injection, LDAP injection, buffer overflow, etc. In addition, syntribos can be used to help identify new security defects by automated fuzzing.
        • OpenDoor
          • OpenDoor OWASP is a multifunctional console website scanner. This application finds all possible ways to log in, "index of/" directories, web shells, restricted access points, subdomains, hidden data and large backups. Scanning is performed using the built-in dictionary as well as external dictionaries. Anonymity and speed are provided by using proxy servers.
        • rustbuster
          • A Comprehensive Web Fuzzer and Content Discovery Tool
        • feroxbuster
          • A fast, simple, recursive content discovery tool written in Rust.
        • SharpBuster
          • SharpBuster is a C# implementation of a directory brute forcing tool. It's designed to be used via Cobalt Strike's execute-assembly and similar tools, when running a similar tool over a SOCKS proxy is not feasible.
        • FES - Fast Endpoint Scanner
          • A web application endpoint scanner written in Rust, designed to put less load on the domains it scans with parsing features to help grab the important stuff (inspired by tomnomnom's meg).
        • WAES
          • CPH:SEC WAES: Web Auto Enum & Scanner - automatically enumerates website(s) and dumps files as the result
        • crithit
          • Website Directory and file brute forcing at extreme scale.
        • snallygaster
          • Finds file leaks and other security problems on HTTP servers.
    • HTTP Enumeration
      • Articles/Blogposts/Writeups
      • Tools
        • Arjun
          • HTTP parameter discovery suite.
        • Psi-Probe
          • Advanced manager and monitor for Apache Tomcat, forked from Lambda Probe
        • HTTPLeaks
          • HTTPLeaks - All possible ways a website can leak HTTP requests
        • HTTPie - curl for humans
          • HTTPie (pronounced aych-tee-tee-pie) is a command line HTTP client. Its goal is to make CLI interaction with web services as human-friendly as possible. It provides a simple http command that allows for sending arbitrary HTTP requests using a simple and natural syntax, and displays colorized output. HTTPie can be used for testing, debugging, and generally interacting with HTTP servers.
        • gethead
          • HTTP Header Analysis Vulnerability Tool
    • HTTP Fingerprinting
    • JS-based scanning
    • (Sub)Domain Reconnaissance
    • Technology Identification
      • Articles/Blogposts/Writeups
      • Tools
        • General
          • wappy
            • A tool to discover technologies in web applications from your terminal. It uses the wap library, that is a python implementation of the great Wappalyzer browser extension. In fact, it uses the rules defined in the file technologies.json of the Wappalyzer repository.
        • CMS
          • CMSExplorer
            • CMS Explorer is designed to reveal the specific modules, plugins, components and themes that various CMS-driven web sites are running. Additionally, CMS Explorer can be used to aid in security testing. While it performs no direct security checks, the "explore" option can be used to reveal hidden/library files which are not typically accessed by web clients but are nonetheless accessible. This is done by retrieving the module's current source tree and then requesting those file names from the target system. These requests can be sent through a distinct proxy to help "bootstrap" security testing tools like Burp, Paros, Webinspect, etc.
          • BlindElephant Web Application Fingerprinter
            • The BlindElephant Web Application Fingerprinter attempts to discover the version of a (known) web application by comparing static files at known locations against precomputed hashes for versions of those files in all available releases. The technique is fast, low-bandwidth, non-invasive, generic, and highly automatable.
          • Fingerprinter
            • CMS/LMS/Library etc Versions Fingerprinter. This script's goal is to try to find the version of the remote application/third party script etc by using a fingerprinting approach.
          • WPScan
            • WPScan is a free, for non-commercial use, black box WordPress security scanner written for security professionals and blog maintainers to test the security of their WordPress websites.
        • Proxies
        • Web Servers
          • httprecon - Advanced Web Server Fingerprinting
            • The httprecon project is doing research in the field of web server fingerprinting, also known as HTTP fingerprinting. The goal is the highly accurate identification of given httpd implementations, which is very important within professional vulnerability analysis. Besides the discussion of different approaches and the documentation of gathered results, an implementation for automated analysis is also provided. This software shall improve the ease and efficiency of this kind of enumeration. Traditional approaches such as banner grabbing, status code enumeration and header ordering analysis are used. However, many other analysis techniques were introduced to increase the possibilities of accurate web server fingerprinting. Some of them were already discussed in the book Die Kunst des Penetration Testing (Chapter 9.3, HTTP-Fingerprinting, pp. 530-550).
          • WhatWeb
            • WhatWeb identifies websites. Its goal is to answer the question, "What is that Website?". WhatWeb recognises web technologies including content management systems (CMS), blogging platforms, statistic/analytics packages, JavaScript libraries, web servers, and embedded devices. WhatWeb has over 1500 plugins, each to recognise something different. WhatWeb also identifies version numbers, email addresses, account IDs, web framework modules, SQL errors, and more.
    • Web Scraping
    • User Enumeration
      • Articles/Blogposts/Writeups
      • Tools
        • WhatsMyName
          • This repository has the unified data required to perform user enumeration on various websites. Content is in a JSON file and can easily be used in other projects.
        • hackability
          • Rendering Engine Hackability Probe performs a variety of tests to discover what the unknown rendering engine supports. To use it simply extract it to your web server and visit the url in the rendering engine you want to test. The more successful probes you get the more likely the target engine is vulnerable to attack.
    • Virtual Hosts
      • 101
      • Tools
        • virtual-host-discovery
          • This is a basic HTTP scanner that'll enumerate virtual hosts on a given IP address. During recon, this might help expand the target by detecting old or deprecated code. It may also reveal hidden hosts that are statically mapped in the developer's /etc/hosts file.
        • blacksheepwall
          • blacksheepwall is a hostname reconnaissance tool
        • VHostScan
          • A virtual host scanner that performs reverse lookups, can be used with pivot tools, detects catch-all scenarios, and works around wildcards, aliases and dynamic default pages.
    • Visual Reconnaissance
      • Articles/Blogposts/Writeups
      • Tools
        • PowerWebShot
          • A PowerShell tool for taking screenshots of multiple web servers quickly.
        • HTTrack - Website Copier
          • It allows you to download a World Wide Web site from the Internet to a local directory, building recursively all directories, getting HTML, images, and other files from the server to your computer. HTTrack arranges the original site's relative link-structure. Simply open a page of the "mirrored" website in your browser, and you can browse the site from link to link, as if you were viewing it online. HTTrack can also update an existing mirrored site, and resume interrupted downloads. HTTrack is fully configurable, and has an integrated help system.
        • Kraken
          • Kraken is a tool to help make your web interface testing workflow more efficient. This is done by using Django, Apache, and a MySQL database to store and organize web interface screenshots and data. This allows you and your team to take notes and track which hosts have been tested simultaneously. Once you are finished, you can view the notes you took and generate reports in the Reports section.
        • Eyeballer
          • Eyeballer is meant for large-scope network penetration tests where you need to find "interesting" targets from a huge set of web-based hosts. Go ahead and use your favorite screenshotting tool like normal (EyeWitness or GoWitness) and then run them through Eyeballer to tell you what's likely to contain vulnerabilities, and what isn't.
        • gowitness
          • gowitness is a website screenshot utility written in Golang that uses Chrome Headless to generate screenshots of web interfaces from the command line. Both Linux and macOS are supported, with Windows support 'partially working'.
        • webscreenshot
          • A simple script to screenshot a list of websites, based on the url-to-image PhantomJS script.
        • LazyShot
          • The simplest way to take an automated screenshot of given URLs. Easy installation!
        • RAWR - Rapid Assessment of Web Resources
      • 3rd Party Hosted Tools
        • VisualSiteMapper
          • Visual Site Mapper is a free service that can quickly show a map of your site.
      • Web Page
        • HTCAP
          • htcap is a web application scanner able to crawl single page applications (SPAs) recursively by intercepting AJAX calls and DOM changes.
    • Wordlists
      • jhaddix all.txt
        • all wordlists from every dns enumeration tool... ever. Please excuse the lewd entries =/
      • jhaddix content_discovery_all.txt
        • a masterlist of content discovery URLs and files (used most commonly with gobuster)
      • SecLists
        • SecLists is the security tester's companion. It's a collection of multiple types of lists used during security assessments, collected in one place. List types include usernames, passwords, URLs, sensitive data patterns, fuzzing payloads, web shells, and many more.
      • IntruderPayloads
        • A collection of Burpsuite Intruder payloads, BurpBounty payloads (https://github.com/wagiro/BurpBounty), fuzz lists and pentesting methodologies.
      • CommonSpeak2
      • CWFF - Custom wordlists for fuzzing
        • CWFF is a tool that creates a special high-quality fuzzing/content discovery wordlist for you at the highest speed possible using concurrency. It is heavily inspired by @tomnomnom's Who, What, Where, When, Wordlist.
      • 1ndiList v 1.0
        • Recon Custom WordList Generator
      • Who, What, Where, When, Wordlist - TomNomNom
  • Vulnerability Scanner
    • Nikto
    • Spaghetti - Web Application Security Scanner
      • Spaghetti is an open source web application scanner designed to find various default and insecure files, configurations, and misconfigurations. Spaghetti is built on Python 2.7 and can run on any platform which has a Python environment.
    • skipfish
      • Skipfish is an active web application security reconnaissance tool. It prepares an interactive sitemap for the targeted site by carrying out a recursive crawl and dictionary-based probes. The resulting map is then annotated with the output from a number of active (but hopefully non-disruptive) security checks. The final report generated by the tool is meant to serve as a foundation for professional web application security assessments.
    • wikto
      • Wikto is Nikto for Windows - but with a couple of fancy extra features including Fuzzy logic error code checking, a back-end miner, Google assisted directory mining and real time HTTP request/response monitoring. Wikto is coded in C# and requires the .NET framework.
    • WATOBO
      • WATOBO is a security tool for testing web applications. It is intended to enable security professionals to perform efficient (semi-automated) web application security audits.
    • YASUO
      • Yasuo is a ruby script that scans for vulnerable 3rd-party web applications.
    • ParrotNG
      • ParrotNG is a tool capable of identifying Adobe Flex applications (SWF) vulnerable to CVE-2011-2461
    • Arachni Web Scanner
      • Arachni is an open source, feature-full, modular, high-performance Ruby framework aimed towards helping penetration testers and administrators evaluate the security of web applications. It is smart: it trains itself by monitoring and learning from the web application's behavior during the scan process, and is able to perform meta-analysis using a number of factors in order to correctly assess the trustworthiness of results and intelligently identify (or avoid) false positives.
    • Pyfiscan
      • Pyfiscan is a free web application vulnerability and version scanner that can be used to locate outdated versions of common web applications on Linux servers. An example use case is hosting providers keeping an eye on their users' installations to keep up with security updates. Fingerprints are easy to create and modify, as the user can write them in YAML syntax. Pyfiscan also contains a tool to create email alerts using templates.
    • jaeles
      • "powerful, flexible and easily extensible framework written in Go for building your own Web Application Scanner."
      • Showcase examples of usage
    • 0d1n
      • 0d1n is a tool for automating customized attacks against web applications.
    • reNgine
      • reNgine is an automated reconnaissance framework meant for gathering information during penetration testing of web applications. reNgine has customizable scan engines, which can be used to scan the websites, endpoints, and gather information.
    • Osmodeus
      • Fully automated offensive security framework for reconnaissance and vulnerability scanning

Attacks

Abuse of Functionality

  • jsgifkeylogger
    • A JavaScript keylogger embedded in a GIF file. This is a PoC.

Brute Force/Fuzzing

  • 101
  • Tools
    • Dirbuster
      • DirBuster is a multi-threaded Java application designed to brute force directory and file names on web/application servers. It is often the case that what looks like a web server in a default installation state is actually not, and has pages and applications hidden within. DirBuster attempts to find these.
    • Go Buster
      • Directory/file busting tool written in Go; Recursive, CLI-based, no java runtime
    • WFuzz
      • Wfuzz is a tool designed for brute forcing web applications. It can be used for finding resources that are not linked (directories, servlets, scripts, etc.), brute forcing GET and POST parameters to check for different kinds of injection (SQL, XSS, LDAP, etc.), brute forcing form parameters (user/password), fuzzing, etc.
    • dirsearch
      • dirsearch is a simple command line tool designed to brute force directories and files in websites.
    • ffuf
      • Fast web fuzzer written in Go
    • Tachyon
      • Tachyon is a Fast Multi-Threaded Web Discovery Tool
    • Syntribos
      • Given a simple configuration file and an example HTTP request, syntribos can replace any API URL, URL parameter, HTTP header and request body field with a given set of strings. Syntribos iterates through each position in the request automatically. Syntribos aims to automatically detect common security defects such as SQL injection, LDAP injection, buffer overflow, etc. In addition, syntribos can be used to help identify new security defects by automated fuzzing.
    • Patator
      • multi-purpose brute-forcer

Attacking Continuous Integration Systems


CSV Injection


Clickjacking


Cross Protocol Scripting/Request Attack

  • 101
  • Articles/Blogposts/Writeups
  • Papers
    • HTML Form Protocol Attack - Jochen Topf(2001)
      • This paper describes how some HTML browsers can be tricked through the use of HTML forms into sending more or less arbitrary data to any TCP port. This can be used to send commands to servers using ASCII based protocols like SMTP, NNTP, POP3, IMAP, IRC, and others. By sending HTML email to unsuspecting users or using a trojan HTML page, an attacker might be able to send mail or post Usenet News through servers normally not accessible to him. In special cases an attacker might be able to do other harm, e.g. deleting mail from a POP3 mailbox.
    • Cross-Protocol Request Forgery - Tanner Prynn(2018)
      • Server-Side Request Forgery (SSRF) and Cross-Site Request Forgery (CSRF) are two attack methods that enable attackers to cross network boundaries in order to attack applications, but can only target applications that speak HTTP. Custom TCP protocols are everywhere: IoT devices, smartphones, databases, development software, internal web applications, and more. Often, these applications assume that no security is necessary because they are only accessible over the local network. This paper aims to be a definitive overview of attacks that allow cross-protocol exploitation of non-HTTP listeners using CSRF and SSRF, and also expands on the state of the art in these types of attacks to target length-specified protocols that were not previously thought to be exploitable.
  • Presentations/Talks/Videos
  • Tools
    • Extract data
      • Extract data is a demo combining a cross-protocol request attack with DNS rebinding

Cross Site Content Hijacking


Cross Site History Manipulation


Cross Site Request Forgery (CSRF)


Cascading-StyleSheets-related Attacks


Cross Site WebSocket Hijacking


Data Structure Attacks


Edge Side Include Injection


Embedded Malicious Code

  • 101
  • Articles/Blogposts/Writeups
  • Papers
  • Presentations/Talks/Videos
  • Tools

Exploitation of Authentication

  • 101
  • Articles/Blogposts/Writeups
  • Papers
  • Presentations/Talks/Videos
  • Tools

IDN Homograph & Homograph Attacks


Insecure Direct Object Reference


Execution After(/Open) Redirect (EAR)


File Upload Testing


HTML Smuggling


HTTP Request Smuggling


Image-based Exploitation AKA Exploiting Polyglot features of File standards


Injection Based Attacks


OS Command Injection


JNDI Attack Class


Path Confusion Attacks

  • 101
  • Articles/Papers/Writeups

LFI & RFI


(No)SQL Injection


Path Traversal Attacks


Prototype Pollution Attack


Reflected File Download


Relative Path Overwrite

  • 101
    • Relative Path Overwrite Explanation/Writeup
      • RPO (Relative Path Overwrite) is a technique to take advantage of relative URLs by overwriting their target file. To understand the technique we must first look into the differences between relative and absolute URLs. An absolute URL is basically the full URL for a destination address including the protocol and domain name whereas a relative URL doesn’t specify a domain or protocol and uses the existing destination to determine the protocol and domain.
  • Articles/Blogposts/Writeups
  • Talks/Presentations/Videos
  • Papers
    • Understanding and Mitigating the Security Risks of Content Inclusion in Web Browsers - Sajjad Arshad(2020)
      • In this thesis, I propose novel research into understanding and mitigating the security risks of content inclusion in web browsers to protect website publishers as well as their users. First, I introduce an in-browser approach called Excision to automatically detect and block malicious third-party content inclusions as web pages are loaded into the user's browser or during the execution of browser extensions. Then, I propose OriginTracer, an in-browser approach to highlight extension-based content modification of web pages. Finally, I present the first in-depth study of style injection vulnerability using RPO and discuss potential countermeasures.
  • Tools

(De-)Serialization Attacks

  • General
  • .NET
  • Java
    • Articles/Blogposts/Writeups
    • General
    • Presentations/Talks/Videos
      • Pwning Your Java Messaging With Deserialization Vulnerabilities
      • Marshalling Pickles - Chris Frohoff, Gabe Lawrence(AppSecCali 2015)
        • Slides
        • Object serialization technologies allow programs to easily convert in-memory objects to and from various binary and textual data formats for storage or transfer – but with great power comes great responsibility, because deserializing objects from untrusted data can ruin your day. We will look at historical and modern vulnerabilities across different languages and serialization technologies, including Python, Ruby, and Java, and show how to exploit these issues to achieve code execution. We will also cover some strategies to protect applications from these types of attacks.
      • Exploiting Deserialization Vulnerabilities in Java - Matthias Kaiser(2015)
        • Deserialization vulnerabilities in Java are lesser known and exploited (compared to unserialize() in PHP). This talk will give insights how this bug class can be turned into serverside Remote Code Execution. Details and a demo will be given for one of my patched vulnerabilities (CVE-2015-6576, Atlassian Bamboo RCE).
      • Deserialize My Shorts Or How I Learned to Start Worrying and Hate Java Object Deserialization - Chris Frohoff, Gabe Lawrence
        • Slides
        • Object deserialization is an established but poorly understood attack vector in applications that is disturbingly prevalent across many languages, platforms, formats, and libraries. In January 2015 at AppSec California, Chris Frohoff and Gabe Lawrence gave a talk on this topic, covering deserialization vulnerabilities across platforms, the many forms they take, and places they can be found. It covered, among other things, somewhat novel techniques using classes in commonly used libraries for attacking Java serialization that were subsequently released in the form of the ysoserial tool. Few people noticed until late 2015, when other researchers used these techniques/tools to exploit well known products such as Bamboo, WebLogic, WebSphere, ApacheMQ, and Jenkins, and then services such as PayPal. Since then, the topic has gotten some long-overdue attention and great work is being done by many to improve our understanding and developer awareness on the subject. This talk will review the details of Java deserialization exploit techniques and mitigations, as well as report on some of the recent (and future) activity in this area.
      • Automated Discovery of Deserialization Gadget Chains - Ian Haken(Defcon26)
      • In-Memory Data Grid Applications: Finding Common Java Deserialization Vulnerabilities with CodeQL - Man Yue Mo(2019)
      • Oracle Java Deserialization Vulnerabilities - Stephen Kost, Phil Reimann(2016)
        • Java deserialization is a class of security vulnerabilities that can result in server-side remote code execution (RCE). As many Oracle products are based on Java, deserialization bugs are found in many Oracle environments especially those using Oracle WebLogic, Oracle Fusion Middleware, and Oracle E-Business Suite. As an example, in November 2015 Oracle released an out-of-cycle security fix (CVE-2015-4852) in order to fix a deserialization bug in Oracle WebLogic. This education webinar provides an understanding of Java deserialization vulnerabilities, the potential impact for Oracle environments, and strategies to protect an Oracle environment from this class of security vulnerabilities.
      • Defending against Java Deserialization Vulnerabilities - Luca Carettoni(2016)
      • Deserialization: what, how and why [not] - Alexei Kojenov(AppSecUSA2018)
        • Insecure deserialization was recently added to OWASP's list of the top 10 most critical web application security risks, yet it is by no means a new vulnerability category. For years, data serialization and deserialization have been used in applications, services and frameworks, with many programming languages supporting them natively. Deserialization got more attention recently as a potential vehicle to conduct several types of attacks: data tampering, authentication bypass, privilege escalation, various injections and, ultimately, remote code execution. Two prominent vulnerabilities in Apache Commons and Apache Struts, both allowing remote code execution, also contributed to raising awareness of this risk. We will discuss how data serialization and deserialization are used in software, the dangers of deserializing untrusted input, and how to avoid insecure deserialization vulnerabilities. The presentation will contain several code examples with live demos of bypassing security controls due to incorrect deserialization. The examples and demos will use Java and its native serialization, but the techniques can be extrapolated to other languages and formats.
      • Java Serialization security issues - Erno Jeges - OWASP Bay Area(2018)
        • In this short talk, we'll take a look at the various security issues coming from deserializing untrusted data in Java: information disclosure, denial of service, and even code execution. We'll examine these issues through live demonstrations with step-by-step explanations of what can go wrong – and how. Most importantly, we'll discuss several best practices and countermeasures you can use as a developer to protect yourself from these issues – or prevent them from affecting you in the first place.
      • New Exploit Technique In Java Deserialization Attack - Yang Zhang, Yongtao Wang, Keyi Li, Kunzhe Chai(BHEU2019)
        • In our in-depth research, we analyzed more than 10000 Java third-party libraries and found many cases which can be exploited in real-world attack scenarios. In this talk, we will discuss the principle and exploit technique of these vulnerabilities. Also, we will present how to pwn a target server with our new exploit technique. It can not only improve the effect of Java deserialization vulnerabilities but also enhance the impact of other Java security issues, and we will discuss the profound impacts of the attack vector in the Java security field.
    • Papers
      • Java Unmarshaller Security - Turning your data into code execution
        • This paper presents an analysis, including exploitation details, of various Java open-source marshalling libraries that allow(ed) for unmarshalling of arbitrary, attacker supplied, types and shows that no matter how this process is performed and what implicit constraints are in place it is prone to similar exploitation techniques.
        • tool from the above paper: marshalsec
    • Tools
      • Break Fast Serial
        • A proof of concept that demonstrates asynchronous scanning for Java deserialization bugs
      • ysoserial
      • JMET
        • JMET was released at Black Hat USA 2016 and is an outcome of Code White's research effort presented in the talk "Pwning Your Java Messaging With Deserialization Vulnerabilities". The goal of JMET is to make the exploitation of the Java Message Service (JMS) easy. In the talk, more than 12 JMS client implementations were shown to be vulnerable to deserialization attacks. The specific deserialization vulnerabilities were found in ObjectMessage implementations (classes implementing javax.jms.ObjectMessage).
      • GadgetProbe
        • GadgetProbe takes a wordlist of Java classes, outputs serialized DNS callback objects, and reports what's lurking in the remote classpath.
        • Blogpost
      • marshalsec
        • This paper presents an analysis, including exploitation details, of various Java open-source marshalling libraries that allow(ed) for unmarshalling of arbitrary, attacker supplied, types and shows that no matter how this process is performed and what implicit constraints are in place it is prone to similar exploitation techniques.
    • Exploits
  • .NET
    • .NET Serialization: Detecting and defending vulnerable endpoints - Alvaro Muñoz(LocoMocoSec2018)
      • 2016 was the year of Java deserialization apocalypse. Although Java Deserialization attacks were known for years, the publication of the Apache Commons Collection Remote Code Execution gadget (RCE from now on) finally brought this forgotten vulnerability to the spotlight and motivated the community to start finding and fixing these issues. .NET is next in line; formatters such as BinaryFormatter and NetDataContractSerializer are known to share similar mechanics which make them potentially vulnerable to similar RCE attacks. However, as we saw with Java before, the lack of RCE gadgets led some software vendors to not take this issue seriously. In this talk, we will analyze .NET serializers including third party JSON parsers for potential RCE vectors. We will provide real-world examples of vulnerable code and more importantly, we will review how these vulnerabilities were detected and fixed in each case.
    • Friday the 13th: Attacking JSON - Alvaro Muñoz & Oleksandr Mirosh(AppSecUSA 2017)
      • 2016 was the year of the Java deserialization apocalypse. Although Java deserialization attacks were known for years, the publication of the Apache Commons Collections Remote Code Execution (RCE from now on) gadget finally brought this forgotten vulnerability to the spotlight and motivated the community to start finding and fixing these issues. One of the most suggested solutions for avoiding Java deserialization issues was to move away from Java deserialization altogether and use safer formats such as JSON. In this talk, we will analyze the most popular JSON parsers in both .NET and Java for potential RCE vectors. We will demonstrate that RCE is also possible in these libraries and present details about the ones that are vulnerable to RCE by default. We will also discuss common configurations that make other libraries vulnerable. In addition to focusing on the JSON format, we will generalize the attack techniques to other serialization formats. In particular, we will pay close attention to several serialization formats in .NET. These formats have also been known to be vulnerable since 2012, but the lack of known RCE gadgets led some software vendors to not take this issue seriously. We hope this talk will change this. With the intention of bringing the due attention to this vulnerability class in .NET, we will review the known vulnerable formats, present other formats which we found to be vulnerable as well, and conclude by presenting several gadgets from system libraries that may be used to achieve RCE in a stable way: no memory corruption -- just simple process invocation. Finally, we will provide recommendations on how to determine if your code is vulnerable, provide remediation advice, and discuss alternative approaches.
  • PHP
  • Python
  • Ruby

Server Side Request Forgery (SSRF)


Server Side Include


Client/Server Side Template Injection


Subdomain Hijack/Takeover


Website Imaging(Taking Snapshots of WebPages)

  • 101
  • Tools
    • EyeWitness
      • EyeWitness is designed to take screenshots of websites, provide some server header info, and identify default credentials if possible.
    • gowitness
      • A golang web screenshot utility using Chrome Headless.
    • SharpWitness
      • C# implementation of EyeWitness
    • webDisco
      • Web discovery tool to capture screenshots from a list of hosts & vhosts. Requests are made via IP address and vhosts to determine differences. Additionally checks for common administrative interfaces and web server misconfigurations.
    • PowerWebShot
      • A PowerShell tool for taking screenshots of multiple web servers quickly.
    • Kraken
      • Kraken is a tool to help make your web interface testing workflow more efficient. This is done by using Django, Apache, and a MySql database to store and organize web interface screenshots and data. This allows you and your team to take notes and track which hosts have been tested simultaneously. Once you are finished, you can view the notes you took and generate reports in the Reports section.

(Bit)/Typo-squatting

  • 101
  • Articles/Blogposts/Writeups
  • Talks/Presentations/Videos
    • Examining the Bitsquatting Attack Surface - Jaeson Schultz(Defcon21)
      • Paper
      • Bit errors in computer memory, when they occur in a stored domain name, can cause Internet traffic to be directed to the wrong Internet location, potentially compromising security. When a domain name one bit different from a target domain is registered, this is called "bitsquatting". This presentation builds on previous work in this area presented by Artem Dinaburg at Blackhat 2011. Cisco's research into bitsquatting has revealed several previously unknown vectors for bitsquatting. Cisco has also discovered several new mitigations which do not involve installation of error-correcting memory, nor the mass registration of bitsquat domains. In fact, some of the new mitigations have the potential to consign the problem of bitsquatting to the dustbin of history.

Web Shells

  • Articles
  • Detection
    • Case Study: How Backdoors Bypass Security Solutions with Advanced Camouflage Techniques
      • Look at PHP obfuscation methods for webshells
    • NeoPI
      • What is NeoPI? NeoPI is a Python script that uses a variety of statistical methods to detect obfuscated and encrypted content within text/script files. The intended purpose of NeoPI is to aid in the detection of hidden web shell code. The development focus of NeoPI was creating a tool that could be used in conjunction with other established detection methods such as Linux Malware Detect or traditional signature/keyword based searches.
    • Shell Detector
      • Shell Detector is an application that helps you find and identify php/cgi(perl)/asp/aspx shells. Shell Detector has a "web shells" signature database that helps to identify "web shells" up to 99%.
    • Loki - Simple IOC Scanner
      • Scanner for Simple Indicators of Compromise
  • Tools
    • Weevely
      • Weevely is a command line web shell dynamically extended over the network at runtime, used for remote administration and pen testing. It provides a weaponized telnet-like console through a PHP script running on the target, even in restricted environments. The low-footprint agent and over 30 modules shape an extensible framework to administrate, conduct a pen-test, post-exploit, and audit remote web accesses in order to escalate privileges and pivot deeper into internal networks.
      • Getting Started
    • b374k shell 3.2
      • This PHP shell is a useful tool for a system or web administrator to do remote management without using cpanel or connecting via ssh, ftp, etc. All actions take place within a web browser.
    • Simple websockets based webshell
    • JSShell
      • An interactive multi-user web based JS shell written in Python with Flask (for server side) and of course Javascript and HTML (client side). It was initially created to debug remote esoteric browsers during tests and research. I'm aware of other purposes this tool might serve, use it at your own responsibility and risk.
    • htshells
      • Self contained web shells and other attacks via .htaccess files.
    • Encoding Web Shells in PNG IDAT chunks - idontplaydarts.com
    • novahot
      • novahot is a webshell framework for penetration testers. It implements a JSON-based API that can communicate with trojans written in any language. By default, it ships with trojans written in PHP, ruby, and python. Beyond executing system commands, novahot is able to emulate interactive terminals, including mysql, sqlite3, and psql. It additionally implements "virtual commands" that make it possible to upload, download, edit, and view remote files locally using your preferred applications.

XSS


Cross-Site History Manipulation


Tabnabbing Attacks


Timing / Race Condition Attacks

  • 101
  • Articles/Blogposts/Writeups
  • Papers
    • Race Detection for Web Applications - Boris Petrov, Martin Vechev, Manu Sridharan, Julian Dolby
      • We present the first formulation of a happens-before relation for common web platform features. Developing this relation was a non-trivial task, due to complex feature interactions and browser differences. We also present a logical memory access model for web applications that abstracts away browser implementation details. Based on the above, we implemented WEBRACER, the first dynamic race detector for web applications. WEBRACER is implemented atop the production-quality WebKit engine, enabling testing of full-featured web sites. WEBRACER can also simulate certain user actions, exposing more races. We evaluated WEBRACER by testing a large set of Fortune 100 company web sites. We discovered many harmful races, and also gained insights into how developers handle asynchrony in practice.
  • Tools
    • Requests-Racer
      • Requests-Racer is a small Python library that lets you use the Requests library to submit multiple requests that will be processed by their destination servers at approximately the same time, even if the requests have different destinations or have payloads of different sizes. This can be helpful for detecting and exploiting race condition vulnerabilities in web applications. (For more information, see motivation.md.)
    • Race the Web
      • Tests for race conditions in web applications by sending out a user-specified number of requests to a target URL (or URLs) simultaneously, and then comparing the responses from the server for uniqueness. Includes a number of configuration options.
    • timing_attack
      • Perform timing attacks against web applications
    • Race condition exploit
      • Tool to help with the exploitation of web application race conditions
  • Miscellaneous

TLS Redirection (and Virtual Host Confusion)


TypoSquatting

  • 101

Web Cache Deception Attack

  • 101
  • Articles/Blogposts/Writeups
  • Papers
    • Cached and Confused: Web Cache Deception in the Wild - Seyed Ali Mirheidari, Sajjad Arshad, Kaan Onarlioglu, Bruno Crispo, Engin Kirda, William Robertson(2020)
      • Web cache deception (WCD) is an attack proposed in 2017, where an attacker tricks a caching proxy into erroneously storing private information transmitted over the Internet and subsequently gains unauthorized access to that cached data. Due to the widespread use of web caches and, in particular, the use of massive networks of caching proxies deployed by content distribution network (CDN) providers as a critical component of the Internet, WCD puts a substantial population of Internet users at risk. We present the first large-scale study that quantifies the prevalence of WCD in 340 high-profile sites among the Alexa Top 5K. Our analysis reveals WCD vulnerabilities that leak private user data as well as secret authentication and authorization tokens that can be leveraged by an attacker to mount damaging web application attacks. Furthermore, we explore WCD in a scientific framework as an instance of the path confusion class of attacks, and demonstrate that variations on the path confusion technique used make it possible to exploit sites that are otherwise not impacted by the original attack. Our findings show that many popular sites remain vulnerable two years after the public disclosure of WCD. Our empirical experiments with popular CDN providers underline the fact that web caches are not plug & play technologies. In order to mitigate WCD, site operators must adopt a holistic view of their web infrastructure and carefully configure cache settings appropriate for their applications.
  • Talks/Presentations/Videos
    • Web Cache Deception Attack - Omer Gil(BHUSA 2017)
      • slides
      • The Web Cache Deception attack is a new web attack vector that puts various technologies and frameworks at risk. By manipulating the behaviors of web servers and caching mechanisms, anonymous attackers can expose sensitive information of authenticated application users, and in certain cases even take control of their accounts.
    • Web Cache Deception attack: A new web attack vector -
    • Cached and Confused: Web Cache Deception in the Wild - Seyed Ali Mirheidari, Sajjad "JJ" Arshad(h@ckivitycon 2020)
      • Web Cache Deception (WCD) was introduced in 2017 by Omer Gil, where an intruder lures a caching server into mistakenly storing private information publicly and as a result obtains unauthorized access to cached data. In this talk, we will introduce new exploitation techniques based on the semantic disconnect among different framework-independent web technologies (e.g., browsers, CDNs, web servers) which results in different URL path interpretations. We coined the term "Path Confusion" to represent this disagreement, and we will present the effectiveness of this technique on the WCD attack. In February 2020, our related research was voted the top web hacking technique of 2019 by PortSwigger. We explore WCD as an instance of the path confusion class of attacks, and demonstrate that variations on the path confusion technique make it possible to exploit sites that are otherwise not impacted by the original attack. Our findings show that many popular sites remain vulnerable three years after the public disclosure of WCD. To further elucidate the seriousness of path confusion, we will also present the large-scale analysis results of the WCD attack on high-profile sites. We present a semi-automated path confusion crawler which detects hundreds of sites that are still vulnerable to WCD only with specific types of path confusion techniques. We conclude the talk by explaining why path confusion is so complicated to remediate, while shedding light on potential areas where researchers and bug hunters can apply new attack vectors through different path confusion techniques.
  • Writeups
  • Tools

Web Cache Poisoning Attack


XML


Miscellaneous

Burp Stuff/Plugins

  • Tutorials/Tips/Stuff
  • Wordlists
  • Plugins
    • Creating
    • API
      • burp-rest-api
        • A REST/JSON API to the Burp Suite security tool. Upon successfully building the project, an executable JAR file is created with the Burp Suite Professional JAR bundled in it. When the JAR is launched, it provides a REST/JSON endpoint to access the Scanner, Spider, Proxy and other features of the Burp Suite Professional security tool.
    • AuthN/AuthZ-related
      • AuthMatrix
        • AuthMatrix is a Burp Suite extension that provides a simple way to test authorization in web applications and web services.
      • Autorize
        • Autorize is an automatic authorization enforcement detection extension for Burp Suite. It was written in Python by Barak Tawily, an application security expert, and Federico Dotta, a security expert at Mediaservice.net. Autorize was designed to help security testers by performing automatic authorization tests. As of the latest release, Autorize also performs automatic authentication tests.
      • Escalating Privileges like a Pro - Gaurav Narwani
      • AutoRepeater
        • Burp Suite is an intercepting HTTP proxy, and it is the de facto tool for performing web application security testing. While Burp Suite is a very useful tool, using it to perform authorization testing is often a tedious effort involving a "change request and resend" loop, which can miss vulnerabilities and slow down testing. AutoRepeater, an open source Burp Suite extension, was developed to alleviate this effort. AutoRepeater automates and streamlines web application authorization testing, and provides security researchers with an easy-to-use tool for automatically duplicating, modifying, and resending requests within Burp Suite while quickly evaluating the differences in responses.
      • Uniqueness plugin for Burp Suite
        • Makes requests unique based on regular expressions. Handy for registration forms and any other endpoint that requires unique values upon every request.
    • Collaborator-related
      • collaborator-everywhere
        • A Burp Suite Pro extension which augments your proxy traffic by injecting non-invasive headers designed to reveal backend systems by causing pingbacks to Burp Collaborator
    • Extra-Checks/Scanners
      • backslash-powered-scanner
        • This extension complements Burp's active scanner by using a novel approach capable of finding and confirming both known and unknown classes of server-side injection vulnerabilities. Evolved from classic manual techniques, this approach reaps many of the benefits of manual testing including casual WAF evasion, a tiny network footprint, and flexibility in the face of input filtering.
      • HUNT
        • HUNT is a Burp Suite extension that (1) identifies common parameters vulnerable to certain vulnerability classes, and (2) organizes testing methodologies inside of Burp Suite.
      • Burp-molly-pack
        • Burp-molly-pack is Yandex's pack of security checks for Burp. The main goal of Burp-molly-pack is to extend Burp's checks. The plugin contains both active and passive security checks.
      • burp-suite-error-message-checks
        • Burp Suite extension to passively scan for applications revealing server error messages
      • Asset Discover
        • Burp Suite extension to discover assets from HTTP response using passive scanning.
        • Blogpost
      • Dr. Watson
        • Dr. Watson is a simple Burp Suite extension that helps find assets, keys, subdomains, IP addresses, and other useful information! It's your very own discovery side kick, the Dr. Watson to your Sherlock!
      • LinkDumper Burp Plugin
        • Extract (links/possible endpoints) from responses & filter them via decoding/sorting
      • BurpExtenderHeaderChecks
      • SQLTruncScanner
        • Messy BurpSuite plugin for SQL Truncation vulnerabilities.
    • Extended-Functionality
      • burp-highlighter
      • Exporter Extension for Burp Suite
        • Exporter is a Burp Suite extension to copy a request to the clipboard as multiple programming languages functions.
      • Stepper
        • Stepper is designed to be a natural evolution of Burp Suite's Repeater tool, providing the ability to create sequences of steps and define regular expressions to extract values from responses which can then be used in subsequent steps.
      • Piper
        • Unix-style approach to web application testing - Andras Veres-Szentkiralyi(2020)
          • Web application testers of our time have lots of tools at their disposal. Some of these offer the option to be extended in ways the original developers did not think of, thus making their tool more useful. However, developing extensions or plugins has entry barriers in the form of fixed costs, boilerplate, et cetera. At the same time, many problems already have a solution designed as a smaller standalone program, which could be combined in the Unix fashion to produce a useful complex tool quickly and easily. In this paper, a (meta)solution is introduced for this integration problem by lowering the entry barriers, and several examples are offered that demonstrate how it saved time in web application assessments.
    • Forced-Browsing/File Discovery
      • BurpSmartBuster
        • Looks for files, directories and file extensions based on current requests received by Burp Suite
    • J2EE
      • J2EEScan
        • J2EEScan is a plugin for Burp Suite Proxy. The goal of this plugin is to improve the test coverage during web application penetration tests on J2EE applications.
    • JavaScript
      • BitMapper
        • Burp-suite Extension For finding .map files
    • JSONP
      • jsonp
        • jsonp is a Burp Extension which attempts to reveal JSONP functionality behind JSON endpoints. This could help reveal cross-site script inclusion vulnerabilities or aid in bypassing content security policies.
    • JWTs
      • JWT4B
        • JSON Web Tokens (JWT) support for the Burp Interception Proxy. JWT4B will let you manipulate a JWT on the fly, automate common attacks against JWT and decode it for you in the proxy history. JWT4B automagically detects JWTs in the form of 'Authorization Bearer' headers as well as customizable post body parameters.
      • jwt-heartbreaker
        • The Burp extension to check JWT (JSON Web Tokens) for using keys from known from public sources
        • Blogpost
    • Proxy
      • NoPE Proxy
        • Non-HTTP Protocol Extension (NoPE) Proxy and DNS for Burp Suite.
    • Postman
      • Postman-Integration
        • Postman Integration is an extension for Burp to generate a Postman collection format JSON file.
    • SAML
      • SAML Raider
        • SAML Raider is a Burp Suite extension for testing SAML infrastructures. It contains two core functionalities: manipulating SAML messages and managing X.509 certificates.
    • Serialization
    • Single-Page-Apps
      • BurpKit
        • BurpKit is a BurpSuite plugin which helps in assessing complex web apps that render the contents of their pages dynamically. It also provides a bi-directional Script bridge API which allows users to create quick one-off BurpSuite plugin prototypes which can interact directly with the DOM and Burp's extender API.
    • Sitemap
      • PwnBack
        • Burp Extender plugin that generates a sitemap of a website using Wayback Machine
    • SQL Injection
      • sqlipy
        • SQLiPy is a Python plugin for Burp Suite that integrates SQLMap using the SQLMap API.
      • SQLi Query Tampering
        • SQLi Query Tampering extends and adds custom Payload Generator/Processor in Burp Suite's Intruder. This extension gives you the flexibility of manual testing with many powerful evasion techniques.
    • Swagger
      • swurg
        • Parses Swagger files into the BurpSuite for automating RESTful API testing – approved by Burp for inclusion in their official BApp Store.
    • WAFs
      • HTTPSmuggler
        • A Burp Suite extension to help pentesters to bypass WAFs or test their effectiveness using a number of techniques. This extension has been developed by Soroush Dalili (@irsdl) from NCC Group.
    • Wordlists
      • Golden Nuggets
        • Burp Suite Extension to easily create Wordlists based off URI, URI Parameters and Single Words (Minus the Domain)
    • Other
      • C02
        • Co2 includes several useful enhancements bundled into a single Java-based Burp extension. The extension has its own configuration tab with multiple sub-tabs (one for each Co2 module). Modules that interact with other Burp tools can be disabled from within the Co2 configuration tab, so there is no need to disable the entire extension when using just part of the functionality.
      • distribute-damage
        • Designed to make Burp evenly distribute load across multiple scanner targets, this extension introduces a per-host throttle, and a context menu to trigger scans from. It may also come in useful for avoiding detection.
      • Office Open XML Editor - burp extension
      • Bumpster
        • The Unofficial Burp Extension for DNSDumpster.com. You simply supply a domain name and it returns a ton of DNS information and basically lays out the external network topology.
      • ParrotNG - burp plugin
      • Brida
        • Brida is a Burp Suite Extension that, working as a bridge between Burp Suite and Frida, lets you use and manipulate applications’ own methods while tampering the traffic exchanged between the applications and their back-end services/servers. It supports all platforms supported by Frida (Windows, macOS, Linux, iOS, Android, and QNX)
      • Cyber Security Transformation Chef
        • The Cyber Security Transformation Chef (CSTC) is a Burp Suite extension. It is built for security experts to extend Burp Suite by chaining simple operations for each incoming or outgoing message. It can also be used to quickly apply special custom formatting to a message.
      • Hackbar
        • Hackbar plugin for Burp
      • progress-burp
        • Burp Suite extension to track vulnerability assessment progress

Cloudflare


Bug Bounty Writeups


Random

  • unindexed
    • The site is constantly searching for itself in Google, over and over and over, 24 hours a day. The instant it finds itself in Google search results, the site will instantaneously and irrevocably securely delete itself. Visitors can contribute to the public content of the site, these contributions will also be destroyed when the site deletes itself.
  • COWL: A Confinement System for the Web
    • Robust JavaScript confinement system for modern web browsers. COWL introduces label-based mandatory access control to browsing contexts (pages, iframes, etc.) in a way that is fully backward-compatible with legacy web content.
    • Paper