diff --git a/.gitbook/assets/image (567) (1) (2) (2) (2) (2) (2) (2) (1).png b/.gitbook/assets/image (567) (1) (2) (2) (2) (2) (2) (2) (2) (1).png similarity index 100% rename from .gitbook/assets/image (567) (1) (2) (2) (2) (2) (2) (2) (1).png rename to .gitbook/assets/image (567) (1) (2) (2) (2) (2) (2) (2) (2) (1).png diff --git a/.gitbook/assets/image (567) (1) (2) (2) (2) (2) (2) (2).png b/.gitbook/assets/image (567) (1) (2) (2) (2) (2) (2) (2) (2) (2).png similarity index 100% rename from .gitbook/assets/image (567) (1) (2) (2) (2) (2) (2) (2).png rename to .gitbook/assets/image (567) (1) (2) (2) (2) (2) (2) (2) (2) (2).png diff --git a/.gitbook/assets/image (616).png b/.gitbook/assets/image (618) (1).png similarity index 100% rename from .gitbook/assets/image (616).png rename to .gitbook/assets/image (618) (1).png diff --git a/macos/macos-security-and-privilege-escalation/macos-mdm/README.md b/macos/macos-security-and-privilege-escalation/macos-mdm/README.md index 4bc53b18..72336a7c 100644 --- a/macos/macos-security-and-privilege-escalation/macos-mdm/README.md +++ b/macos/macos-security-and-privilege-escalation/macos-mdm/README.md @@ -128,7 +128,7 @@ The response is a JSON dictionary with some important data like: * Signed using the **device identity certificate \(from APNS\)** * **Certificate chain** includes expired **Apple iPhone Device CA** -![](../../../.gitbook/assets/image%20%28567%29%20%281%29%20%282%29%20%282%29%20%282%29%20%282%29%20%282%29%20%282%29.png) +![](../../../.gitbook/assets/image%20%28567%29%20%281%29%20%282%29%20%282%29%20%282%29%20%282%29%20%282%29%20%282%29%20%282%29.png) ### Step 6: Profile Installation diff --git a/pentesting-web/csrf-cross-site-request-forgery.md b/pentesting-web/csrf-cross-site-request-forgery.md index 1f8245a5..b1371417 100644 --- a/pentesting-web/csrf-cross-site-request-forgery.md +++ b/pentesting-web/csrf-cross-site-request-forgery.md 
@@ -9,7 +9,7 @@ This is done by **making a logged in user** in the victim platform access an att In order to be able to abuse a CSRF vulnerability you first need to **find a relevant action to abuse** \(change password or email, make the victim follow you on a social network, give you more privileges...\). The **session must rely only on cookies or HTTP Basic Authentication header**, any other header can't be used to handle the session. An finally, there **shouldn't be unpredictable parameters** on the request. -Several **counter-measures** could be in place to avoid this vulnerability. +Several **counter-measures** could be in place to avoid this vulnerability. ### **Common defenses** @@ -73,7 +73,7 @@ In this situation, the attacker can again perform a CSRF **attack if the web sit ### Content-Type change -According to [**this**](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#simple_requests), n order to **avoid preflight** requests using **POST** method these are the allowed Content-Type values: +According to [**this**](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#simple_requests), in order to **avoid preflight** requests using **POST** method these are the allowed Content-Type values: * **`application/x-www-form-urlencoded`** * **`multipart/form-data`** 
@@ -81,6 +81,14 @@ According to [**this**](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#s However, note that the **severs logic may vary** depending on the **Content-Type** used so you should try the values mentioned and others like **`application/json`**_**,**_**`text/xml`**, **`application/xml`**_._ +### application/json preflight request bypass + +As you already know, you cannot sent a POST request with the Content-Type **`application/json`** via HTML form, and if you try to do so via **`XMLHttpRequest`** a **preflight** request is sent first. +However, you could try to send the JSON data using the content types **`text/plain` and `application/x-www-form-urlencoded`** just to check if the backend is using the data independently of the Content-Type. +You can send a form using `Content-Type: text/plain` setting **`enctype="text/plain"`** + +You could also try to **bypass** this restriction by using a **SWF flash file**. More more information [**read this post**](https://anonymousyogi.medium.com/json-csrf-csrf-that-none-talks-about-c2bf9a480937). + ### Referrer / Origin check bypass #### Avoid Referrer header @@ -109,14 +117,14 @@ https://hahwul.com/.white_domain_com (X) ## **Exploit Examples** -### **Ex-filtrating CSRF Token** +### **Exfiltrating CSRF Token** -If a **CSRF token** is being used as **defence** you could try to **ex-filtrate it** abusing a [**XSS**](xss-cross-site-scripting/#xss-stealing-csrf-tokens) vulnerability or a [**Dangling Markup**](dangling-markup-html-scriptless-injection.md) vulnerability. +If a **CSRF token** is being used as **defence** you could try to **exfiltrate it** abusing a [**XSS**](xss-cross-site-scripting/#xss-stealing-csrf-tokens) vulnerability or a [**Dangling Markup**](dangling-markup-html-scriptless-injection.md) vulnerability. ### **GET using HTML tags** ```markup - +

404 - Page not found

The URL you are requesting is no longer available ``` diff --git a/pentesting-web/postmessage-vulnerabilities.md b/pentesting-web/postmessage-vulnerabilities.md index 24fbf491..82713faf 100644 --- a/pentesting-web/postmessage-vulnerabilities.md +++ b/pentesting-web/postmessage-vulnerabilities.md @@ -66,7 +66,7 @@ In order to **find event listeners** in the current page you can: * **Search** the JS code for ****`window.addEventListener` and `$(window).on` \(_JQuery version_\) * **Execute** in the developer tools console: `getEventListeners(window)` -![](../.gitbook/assets/image%20%28616%29.png) +![](../.gitbook/assets/image%20%28618%29.png) * **Go to** _Elements --> Event Listeners_ in the developer tools of the browser
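Review bot: the only change in the `@@ -9,7` hunk of pentesting-web/csrf-cross-site-request-forgery.md is trailing whitespace on the "Several **counter-measures** could be in place" line, which adds diff noise without changing the rendered page; since this paragraph is being touched anyway, fix the context line "An finally, there **shouldn't be unpredictable parameters**" to "And finally, there **shouldn't be unpredictable parameters**" in the same commit.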
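Review bot: the new "application/json preflight request bypass" section (`@@ -81,6 +81,14`) needs wording fixes before merge: "you cannot sent a POST request" should read "you cannot send a POST request", "More more information" should read "For more information", and the line "You can send a form using `Content-Type: text/plain` setting **`enctype="text/plain"`**" is missing its full stop. The three sentences sit on consecutive lines with no blank line between them, so Markdown merges them into one paragraph; either separate them with blank lines or join them deliberately. The section should also state the point it relies on: this only works when the backend parses the body regardless of the Content-Type header, so the defensive fix is to reject bodies whose Content-Type does not match what the endpoint expects, in addition to the CSRF token defence the page already describes. Finally, the SWF suggestion should carry a caveat that Flash Player has reached end of life and is blocked by current browsers, so that path only applies to legacy environments.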
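Review bot: in the `@@ -109,14 +117,14` hunk the `-` and `+` lines inside the ```markup fence under "GET using HTML tags" arrive with no visible content in this view, so the change to that example cannot be reviewed; please confirm it is a real content change rather than whitespace only, and check that the "404 - Page not found / The URL you are requesting is no longer available" text shown inside the fence here is rendering residue and not something that was committed into the code block.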