What bug you want to Report?
A bug report contains device logs, stack traces, and other diagnostic
information to help you find and fix bugs in your app.
Authentication Bypass
Authentication Bypass is a dangerous vulnerability which is found in
Web-Applications. Attackers can bypass the control mechanisms which are used
by the underlying web application like OTP, Captcha, 2FA, Email verification
etc.
An Attacker can perform a complete Account takeover of
Victim.
Severity : High
Complexity : Easy
From : Remote /
External
Impact : An Adversary can carry
out Auth Bypass attack and perform an Account Take Over
Affected IP's : IP Address
Port
https://www.example.com/
443
Recommendations :
The
application should protect the sensitive actions and validate the verification
process of the web application. Restrict the user for any malicious
behaviour.
References :
https://hackerone.com/reports/770504
https://hackerone.com/reports/257305
https://hackerone.com/reports/219205
No Rate Limit
No Rate Limit is a type of computer security vulnerability
typically found in web applications. No Rate Limit enables attackers to
perform actions on the web application where the attacker can do signup
creation, password reset or 2FA of other users. No Rate Limit vulnerability
may be used by attackers to bypass access controls such &
bruteforce tokens
and passwords without any limiting of any requests. There should be
protection on the web application for sensitive actions. Attackers send a high
number of requests to perform desirable actions to get access to the
application or accounts.
NO RL effects vary in range from petty nuisance to significant security
risk, depending on the sensitivity of the data handled by the vulnerable site
and the nature of any security mitigation implemented by the site's owner
network.
Severity :
High
POST Request :
Complexity :
Easy
From : Remote / External
Impact
:An Adversary can carry out No Rate-Limit attack and also can take over the
victim Account.
Also, an adversary can manage to login through any other
user's account.
Affected IP's :
IP Address Port
https://www.example.com/ 443
Recommendations :
There should be a protection on the web application for limiting
the users simultaneous requests.
Any user should be Rate limited if He/She sends or races high amount of
requests in a significant amount of time.
References :
https://hackerone.com/reports/743545
https://hackerone.com/reports/385381
https://hackerone.com/reports/297359
Cross Site Scripting (XSS) :
Cross-site scripting (XSS) is a type of computer security
vulnerability typically found in web applications. XSS enables
attackers to inject client-side scripts into web pages viewed by other users.
A cross-site scripting vulnerability may be used by attackers to bypass access
controls such as the same-origin policy. Cross-site scripting carried out on
websites accounted for roughly 84% of all security vulnerabilities documented
by Symantec as of 2007.
An attacker can use XSS to send a
malicious script to an unsuspecting user. The end user̢۪s browser has no way
to know that the script should not be trusted and will execute the script.
Because it thinks the script came from a trusted source, the malicious script
can access any cookies, session tokens, or other sensitive information
retained by the browser and used with that site. These scripts can even
rewrite the content of the HTML page. For more details on the different types
of XSS flaws, see: Types of Cross-Site Scripting.
Severity : High
Payload : Enter the payload here
Complexity : Easy
From : Remote /
External
Impact : An Adversary can carry
out XSS attack and also can take the cookie of the Admin and login through
Admin Account.
Also, an adversary can manage to login through any other
users account with valid session cookies.
Affected IP's : IP Address Port
https://www.example.com/ 443
Recommendations :
Sanitize all the user inputs before executing them, also add XSS
protection headers on server and client side.
References :
https://www.acunetix.com/websitesecurity/cross-site-scripting/
https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
https://portswigger.net/web-security/cross-site-scripting
Provided by
HACKING TRUTH (CLICK HERE)
CSRF
Cross-site request forgery (also known as CSRF) is a web security vulnerability that allows an attacker to induce users to
perform actions that they do not intend to perform. It allows an attacker to
partly circumvent the same origin policy, which is designed to prevent
different websites from interfering with each other.
Severity
: High
POST Request :
Complexity
: Easy
From : Remote / External
Steps to Reproduce:
1. Victim login their example account first.
2. Attacker send a form/link to victim.
3. If victim click the
form/link, A desirable action could happen (eg- Profile Details Update or
Email Password)
4. Attacker successfully performs ATO
Impact
: An Adversary can carry out CSRF attack to modify the details of a victim and
also can take over the victim Account.
Affected IP's : IP Address Port
https://www.india.gov.in/ 443
Recommendations :
This CSRF protection protects the form against Cross-site
Request Forgery attacks because an attacker would also need to guess the token
to successfully trick a victim into sending a valid request. The token should
also be invalidated after some time and after the user logs out.
References :
https://owasp.org/www-community/attacks/csrf
https://www.acunetix.com/websitesecurity/csrf-attacks/
https://www.netsparker.com/blog/web-security/csrf-cross-site-request-forgery/
CORS
Cross-origin resource sharing (CORS) is a browser mechanism which enables controlled access to resources located
outside of a given domain. However, it also provides potential for
cross-domain based attacks, if a website's CORS policy is poorly configured
and implemented. CORS can be exploited to trust any arbitrary domain
attacker controlled domain name and send the data to it. Attackers can
make an exploit and ask the domain to send data of the victim to the attacker
domain.
Severity : High
CURL Request : curl “https://example.com/wp-json” -I -H
Origin:hackingtruth.in
As you can see when we run the above request in
curl we can see these header results in the response.
Access-Control-Allow-Origin: hackingtruth
Access-Control-Allow-Credentials
: true
Complexity : Easy
From : Remote /
External
Steps to Reproduce:
1. Enter the domain name example.com in the POC Code shown below
and save it as exploit.html and click on exploit button :
Exploit Code :
<html>
<body>
<center>
<h2>CORS POC Exploit>/h2>
<h3>Extract SID</h3>
<div id="demo">
<button onclick="cors()" type="button">Exploit Click here
</button></div>
<script>
function cors() {
var xhttp = new XMLHttpRequest();
xhttp.onreadystatechange = function() {
if (this.readyState == 4 && this.status == 200) {
document.getElementById("demo").innerHTML = alert(this.responseText);
}
};
xhttp.open("GET", "https://example.com/wp-json/", true);
xhttp.withCredentials = true;
xhttp.send();
}
</script>
</body>
</html>
Impact : An Adversary can carry out CORS attack to exfiltrate the sensitive details of a victim
Affected IP's :
IP Address Port
https://www.example/ 443
Recommendations :
All the REST Apis should be authenticated and the domain
should not trust any other domains. Allow only selected, trusted domains in
the Access-Control-Allow-Origin header.
References :
https://owasp.org/www-community/attacks/CORS_OriginHeaderScrutiny
https://www.geekboy.ninja/blog/exploiting-misconfigured-cors-cross-origin-resource-sharing/
https://en.wikipedia.org/wiki/Cross-origin_resource_sharing
https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS
Provided by
HACKING TRUTH (CLICK HERE)
SSRF
Server-side request forgery (also known as SSRF) is a
web security vulnerability that allows an attacker to induce the
server-side application to make HTTP requests to an arbitrary domain of the
attacker's choosing.
In typical SSRF examples, the attacker
might cause the server to make a connection back to itself, or to other
web-based services within the organization's infrastructure, or to external
third-party systems
Severity :
High
POST Request :
Complexity :
Easy
From : Remote / External
Steps to Reproduce:
1. Attacker finds the vulnerable injection point
(parameter)
2. Attacker sends a localhost request or request to
his controlled domain (eg: Burp collaborator)
3. Attacker is able
to scan the internal network or connect to localhost. Also attacker can get a
HTTP connection on his controlled domain.
4. Attacker successfully
performs SSRF and exfiltrates data if any.
Impact
: An Adversary can carry out SSRF attack to scan the internal network, perform
sensitive actions, download sensitive files like meta-data etc.
Affected
IP's : IP Address Port
https://www.india.gov.in/
443
Recommendations :
There
should be a proper validation and sanitization of any URL's,IP or shortlinks
given by the user. More here -
https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html
References :
https://portswigger.net/web-security/ssrf
https://www.acunetix.com/blog/articles/server-side-request-forgery-vulnerability/
Provided by
HACKING TRUTH (CLICK HERE)
SQL Injection
SQL injection is a web security vulnerability that allows
an attacker to interfere with the queries that an application makes to its
database. It generally allows an attacker to view data that they are not
normally able to retrieve. This might include data belonging to other users,
or any other data that the application itself is able to access. In many
cases, an attacker can modify or delete this data, causing persistent changes
to the application's content or behavior.
Severity
: High
POST Request :
Complexity
: Easy
From : Remote / External
Steps to Reproduce:
1. Attacker finds the vulnerable injection point
(parameter)
2. Attacker sends a query to retreive the DB Version
or DB Name or DB Tables
3. Attacker is able to perfrom successfull
SQLi
Impact : An Adversary can carry out
SQLi attack to download database,usernames,passwords modify the logic or
perform sensitive actions etc.
Affected IP's : IP Address Port
https://www.india.gov.in/ 443
Recommendations :
Most instances of SQL injection can be prevented by using
parameterized queries (also known as prepared statements) instead of string
concatenation within the query.
References :
https://portswigger.net/web-security/sql-injection
https://www.acunetix.com/vulnerabilities/web/sql-injection/
Provided by
HACKING TRUTH (CLICK HERE)
Broken Link Hijacking
When an web application has any pages, sources, links to external 3rd
party services and are broken then the attacker can claim those endpoints to
successfully conduct the attack and claim those endpoints on behalf of the
target website and impersonate his identity.
Severity : Medium
POST Request :
Complexity
: Easy
From : Remote / External
Steps to Reproduce:
1. Attacker finds the vulnerable injection point (broken link)
2.
Attacker is able to claim the broken link
3. Attacker is succesfully
perfrom the BLH Attack
Impact : An
Adversary can carry out BLH attack to trick the victim in clicking the link
and visiting the resources which are linked to the website, this way attacker
can perfrom identify theft and steal credentials.
Affected IP's : IP Address Port
https://www.india.gov.in/ 443
Recommendations :
Fix all the broken links in the web application to any external
resources.
References :
https://medium.com/@iamtess5277/what-is-broken-link-hijacking-o-o-872d821da6fd
https://medium.com/@arbazhussain/broken-link-hijacking-burp-plugin-6918d922c3fb
https://hackerone.com/reports/266908
Click Jacking
Clickjacking is an interface-based attack in which a user
is tricked into clicking on actionable content on a hidden website by clicking
on some other content in a decoy website.
Severity
: High
POST Request :
Complexity
: Easy
From : Remote / External
Steps to Reproduce:
1. Attacker finds the web application is vulnerable
to Clickjacking and loads successfully into the iframe of the attacker.
2. Attacker creates a POC with the target.com which loads in the iframe
3. Attacker creates or induces a sensitive action
4. Attacker is
able to achieve sesntive action on the targt.com
Impact
: Clickjacking is an interface-based attack in which a user is tricked into
clicking on actionable content on a hidden website by clicking on some other
content in a decoy website.
Affected IP's : IP Address Port
https://www.india.gov.in/ 443
Recommendations :
https://portswigger.net/web-security/clickjacking
References :
https://portswigger.net/web-security/clickjacking
Proof of Concept :
<head>
<style>
#target_website {
position:relative;
width:128px;
height:128px;
opacity:0.00001;
z-index:2;
}
#decoy_website {
position:absolute;
width:300px;
height:400px;
z-index:1;
}
</style>
</head>
...
<body>
<div id="decoy_website">
...decoy web content here...
</div>
<iframe id="target_website" src="https://vulnerable-website.com">
</iframe>
</body>
Subdomain Takeover
A Subdomain Takeover is defined as Subdomain takeover attacks are a class of security issues where an attacker is able to seize control of an organization̢۪s subdomain via cloud services like AWS or Azure
Severity : High
POST Request :
Complexity : Easy
From : Remote / External
Steps to Reproduce:
1. Attacker finds the vulnerable subdomain (DANGLING DNS RECORD)
2. Attacker is able to claim the subdomain on the cloud service
3. Attacker is succesfully perfrom the Subdomain Takeover Attack
Impact : An Adversary can carry out Subdomain Takeover attack to claim the unclaimed subdomains from the target website and host malicious content on the claimed subdomains.
He can also perform Identity thefts by hosting malicious login pages etc..
Affected IP's : IP Address Port
https://www.india.gov.in/ 443
Recommendations :
Fix all the broken links in the web application to any external resources.
References :
https://medium.com/@friendly_/subdomain-takeover-awarded-200-8296f4abe1b0
https://safaras.medium.com/find-your-first-bug-1-subdomain-takeover-8c7e6192220f
HTML Injection
When an application does not properly handle user supplied data, an
attacker can supply valid HTML code, typically via a parameter value, and
inject their own content into the page. This attack is typically used in
conjunction with some form of social engineering, as the attack is exploiting
a code-based vulnerability and a user's trust.
Severity
: Medium
POST Request :
Complexity : Easy
From : Remote / External
Steps to Reproduce:
1. Attacker finds the vulnerable injection point
(parameter)
2. Attacker is able to inject the HTML Tags and it
gets executed
3. Attacker is able to perfrom successfull HTML
Injection
Impact : An Adversary can carry
out HMTLi attack to trick the victim in clicking the link and visiting the
website, this way attacker can perfrom identify theft and steal
credentials.
Affected IP's : IP Address Port
https://www.india.gov.in/ 443
Recommendations :
Do not allow parsing or execution of HTML tags from the user
input.
References :
https://www.acunetix.com/vulnerabilities/web/html-injection/#:~:text=HTML%20Injection%20is%20an%20attack,injection%20of%20certain%20HTML%20tags.
https://www.softwaretestinghelp.com/html-injection-tutorial/
File Inclusion
An attacker can use Local File Inclusion (LFI) to trick
the web application into exposing or running files on the web server. An LFI
attack may lead to information disclosure, remote code execution, or even
Cross-site Scripting (XSS). Typically, LFI occurs when an application uses the
path to a file as input. If the application treats this input as trusted, a
local file may be used in the include statement.
Severity
: High
Complexity : Easy
From : Remote / External
Steps to Reproduce:
1. Attacker identfies a vulnerable injection point (parameter)
2.
Attacker tries to read and execute the internal file
3. Attacker is
successfully able to perfrom File Inclusion Attack
Impact : An Adversary can carry out Directory Listing to gain sensitive information
from the target server
Affected IP's : IP Address Port
https://www.example.com/ 443
Recommendations :
The application should have proper whitelist of files and ignore
every other filename and path.
References :
https://www.netsparker.com/blog/web-security/local-file-inclusion-vulnerability/
Directory Listing
Directory Listing is a vulnerabilty in which
the server has misconfiguration and exposes the internal and
hidden directories from the server to the public internet.
Sometime an
attacker can gain sensitive information from the server like backup files,
source code , api keys , password files etc.
Severity : Medium
Complexity : Easy
From : Remote / External
Impact
: An Adversary can carry out Directory Listing to gain sensitive information
from the target server
Affected IP's : IP Address Port
https://www.example.com/ 443
Recommendations :
The application should have proper permissions on sensitive
directories and content.
References :
https://www.acunetix.com/blog/articles/directory-listing-information-disclosure/#:~:text=Directory%20listing%20is%20a%20web,it%20leads%20to%20information%20disclosure.
Disclaimer
All tutorials are for informational and educational purposes only and have been made using our own routers, servers, websites and other vulnerable free resources. we do not contain any illegal activity. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. Hacking Truth is against misuse of the information and we strongly suggest against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used. We do not promote, encourage, support or excite any illegal activity or hacking.
- Hacking Truth by Kumar Atul Jaiswal
