A buffer overflow condition exists when a program attempts to put more data in a buffer than it can hold or when a program attempts to put data in a memory area past a buffer. In this case, a buffer is a sequential section of memory allocated to contain anything from a character string to an array of integers. Writing outside the bounds of a block of allocated memory can corrupt data, crash the program, or cause the execution of malicious code.
Lets say , we visit a signup page of a website and we entered email and password and click on signup . But before clicking sign up , I am capturing request in the Burp Suite . So when i captured the request , I changed email to some long string , like if email is "davinder@gmail.com" , i changed that to "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa@gmail.com" or even more in size
If i am able to proceed further without any restriction and or boundation, that this vulnerability exists.
Another example of code
Steps to resolve:
Restrict size limit on input parameter.
Impact
Category:Availability: Buffer overflows generally lead to crashes. Other attacks leading to lack of availability are possible, including putting the program into an infinite loop. Access control (instruction processing): Buffer overflows often can be used to execute arbitrary code, which is usually outside the scope of a program’s implicit security policy. Other: When the consequence is arbitrary code execution, this can often be used to subvert any other security service.
Portswigger.net will give you detailed video for burp setup , But to hunt bugs on Android , Below are some important steps in order to unpin Apps for testing . To do so you need to install below apps
1. Dowload genymotion - This is Your Andoid Emulater
2. Download super su v2.46 or latest
3. Download xposed installer apk
4. download xposed sdk
5. Download ssl unpinning
first root your android fone
than download xposed apk in that fone
than install xposed sdk (Note sdk version must be same as your fone apk version)
than ssl unpinning
After all steps , Restart android phone.
After Restarting the phone , Open SSL pinning App, Select the app you want to test and click on upin.
After that capture the requests on the Burp and have fun.
This is something when we are able to sign up on any web application using a long 100000 characters password which may lead website becoming unavailable or unresponsive.
When you supply a long password , Generally what happens applications are implementing password hashing algorithms , So when we supply long password than server will get busy doing that and website becomes unavailable or unresponsive . When a long password is sent, the password hashing process will result in CPU and memory exhaustion.
Prevention
Normally all sites have a password minimum to maximum length like 72 words limit or 48 limit to prevent Denial Of Service attack.
The password hashing implementation must be fixed to limit the maximum length of accepted passwords.
A rate limiting is used to check if the user session has to be limited based on the information in the session
cache. If user make too many requests within a given time ,
HTTP-Servers has to respond with status code
429: Too Many Requests.
Description:-
I have identified that when Forgetting Password for account , the
request has no rate limit which then can be used to loop through one
request. Which can be annoying to the root users sending mass password
to one email.
Steps To Reproduce The Issue
Go to Forget Password page
Enter the mail where you want to receive the link
Capture that request in BURP.
Send this to Intruder and set parameter at"Accept-Language: en-US,en;q=0.5"
Now go to payload and select number from 1 to 100.
Click on start attack.
If you will receive 100 mails with this , than this is a bug which have to be reported.
Solution -
I Will Recommend to Add A ReCaptcha & Sort Of Something Which
Requires Manual Human Interaction To Proceed Like You Can Add Captcha
Like 2+2=___ so that it cannot be brute forced and you also can have a
limit at the backend for particular number upto 5 times a day user can
request Forget Password Email or Link something like that will prevent
you from someone exploiting this vulnerability
Impact
If You Are Using Any Email Service Software API Or Some Tool Which
Costs You For Your Email This Type Of Attack Can Result You In Financial
Lose And It Can Also Slow Down Your Services It Can Take Bulk Of
Storage In Sent Mail Although If Users Are Affected By This
Vulnerability They Can Stop Using Your Services Which Can Lead To
Business Risk
Redirect means allowing a website to forward the request for the resources to another URL/endpoint. Let’s assume that you make a request to davindertutorials.com and davindertutorials.com can redirect you to another website(new-davindertutorials.com), so you’ll end up at new-davindertutorials.com even though the original request was made for davindertutorials.com. This is called “redirection”. There are different types of redirects in HTTP, check em out below.
Now Lets understand this vulnerability:
Open redirect is basically what the name says, Openly allow Redirects to any website.
URL redirection vulnerabilities found when user redirect to some other url , mainly the attacker url in unsafe way.
An attacker can construct a URL within the application that causes a redirection to an external domain. This behavior is well known for doing phishing attacks against users of the application.
Redirection Status Code - 3xx
300 Multiple Choices
301 Moved Permanently
302 Found
303 See Other
304 Not Modified
305 Use Proxy
307 Temporary Redirect
308 Permanent Redirect
The redirection can happen on the server-side or the client side.
Server-Side: Request to redirect is sent to the server, then the server notifies the browser to redirect to the url specified via the response.
Client-Side: Browser is notified to redirect to the url specified directly without the intervention of the server.
Why is this an issue?
Think about it for a moment, what if davindertutorials.com, a TRUSTED website allows you to redirect to any other website. Then a malicious user can simply redirect davindertutorials.com to attacker.com, and people fall for it all the time believing that it’s trusted, but infact, it’s not. So allowing redirects to any website without a stop in the middle or without a proper notification for the user is Bad.
Explanation
Let’s say there’s a “well known” website - https://example.com/. And let’s assume that there’s a link like
This link is to a sigup page, once you signup, you get redirected to https://example.com/login which is specified in the HTTP GET Parameter redirectUrl.
What happens if we change the example.com/login to attacker.com?
By visiting this url, if we get redirected to attacker.com after the signup, this means we have an open redirect vulnerablility. This is a classic open redirect vulnerability.
Why does this happen?
This happens due to insufficient redirection checks in the back-end, which means the server is not properly checking if the redirect URL is in their whitelist or not.
Here are some examples of vulnerable code
HTML Meta tags can refresh the site with the given url as it’s content and also you can specify the refresh delay time.
How to find them?
Visit every endpoint of the target to find these “redirect” parameters.
View your proxy history, you might find something. Make sure to use filters.
Bruteforcing helps too.
You might uncover many endpoints by reading javascript code.
Google is your friend, example query: inurl:redirectUrl=http site:target.com
Understand and analyze where the redirection is needed in the target application like redirecting to dashboard after login or something like that.
Some tricks to find this bugs
Test for basic modification of the url like target.com/?redirect_url=https://attacker.com.
Try with double forward slashes target.com//attacker.com.
Try target.com/@attacker.com. In this case the interpretation will be like, the target.com is the username and attacker.com will be the domain.
Test for javascript Protocol javascript:confirm(1).
Try target.com/?image_url=attacker.com/.jpg if there’s an image resource being loaded.
Try IP address instead of the domain name.
You can go further in terms of representing the IP in decimal, hex or octal.
You can also try target.com/?redirect_url=target.com.attacker.com to bypass weak regex implementations.
Chinese seperator 。 as the dot - https://attacker%E3%80%82com.
Test for String reverser unicode(“\u202e”) target.com@%E2%80%AE@attacker.com.
No slashes https:attacker.com.
Back slashes http:/\/\attacker.com or https:/\attacker.com.
Different domain redirect_url=.jp resulting in redirection of target.com.jp which is not the same as target.com.
Try some unicode(including emojis) madness t𝐀rget.com or 𝐀ttacker.com(‘𝐀’ is “\uD835\uDC00”).
Exploitation
Phishing
Assume that the target is example.com. It has a password recovery page at example.com/forgot-password. You enter the email and you click on Forgot Password button, and it’ll send you an email with a password reset link, and this link might look like
Reflected cross-site scripting (or XSS) arises when an application receives data in an HTTP request and includes that data within the immediate response in an unsafe way.
Suppose a website has a search function which receives the user-supplied search term in a URL parameter:
https://davindertutorials.com/search?term=hello
The application echoes the supplied search term in the response to this URL:
<p>You searched for: hello</p>
Assuming the application doesn't perform any other processing of the data, an attacker can construct an attack like this:
<p>You searched for: <script>/* Bad stuff here... */</script></p>
If another user of the application requests the attacker's URL, then the script supplied by the attacker will execute in the victim user's browser, in the context of their session with the application.
AFFECT OF THE VULNERABILITY If an attacker can control a script that is executed in the victim's browser, then they can typically fully compromise that user. Among other things, the attacker can:
Perform any action within the application that the user can perform.
View any information that the user is able to view.
Modify any information that the user is able to modify.
Initiate interactions with other application users, including malicious attacks, that will appear to originate from the initial victim user.
There are various means by which an attacker might induce a victim
user to make a request that they control, to deliver a reflected XSS
attack. These include placing links on a website controlled by the
attacker, or on another website that allows content to be generated, or
by sending a link in an email, tweet or other message.
Because of the external delivery mechanism for the attack means that the impact of reflected XSS is generally less severe than stored XSS, where a self-contained attack can be delivered within the vulnerable application itself.
REAL WORLD EXAMPLE OF THIS VULNNERABILITY:
PUBG's main website https://www.pubg.com has an endpoint that is vulnerable to an injection vulnerability - namely a reflected injection of JavaScript, also known as Reflected Cross Site Scripting (XSS).
Steps To Reproduce:
How this can be done by attacker
Prepare a JavaScript payload that it wants the victim to execute. In this case, for Proof of Concept purposes, our JavaScript code will prompt an alert showing the users' cookies.
alert(document.cookie);
Inject this Javascript code properly into the vulnerable parameter, creating thus a crafted future GET request that will inject the payload.
GET /?p=iqz78'%3e%3cimg%20src%3da%20onerror%3dalert(document.cookie)%3d1%3echplq HTTP/1.1
Host: www.pubg.com
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: https://www.pubg.com/es/feed/
Cookie: _icl_current_language=en; _icl_visitor_lang_js=en-us; wpml_browser_redirect_test=0; __cfduid=de74423d435717d651b1c9e2c63f4acc21575460678
As this injection happens in a GET parameter, the attacker simply needs to send the crafted Link that produces this GET request to the victim and have the victim click it.
Posts
