This blog is all about Cyber Security and IT

Wednesday, October 5, 2022

What is an IDOR?


 

IDOR stands for Insecure Direct Object Reference and is a type of access control vulnerability.

This vulnerability occurs when a web server uses user-supplied input to retrieve objects (files, data, documents), places too much trust in that input, and does not validate on the server side that the requested object actually belongs to the user requesting it.

 

Example:

Imagine you've just signed up for an online service, and you want to change your profile information. The link you click on goes to http://davindertutorials.com/profile?user_id=1105, and you can see your information.

Curiosity gets the better of you, and you try changing the user_id value to 1000 instead (http://davindertutorials.com/profile?user_id=1000). To your surprise, you can now see another user's information. You've just discovered an IDOR vulnerability! The website should have a server-side check confirming that the requested profile belongs to the logged-in user making the request.
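The profile lookup from the example above, written out as an added Python example (not code from the original post). It uses an in-memory profile store with the two ids from the text, the vulnerable lookup that trusts the `user_id` parameter, and the fixed lookup that decides from the server-side session identity. The profile records, the `support` role and the handler function are constructed for illustration.

```python
# Added example: the /profile?user_id=N lookup, vulnerable and fixed.
# Profile data and roles below are constructed for illustration.

PROFILES = {
    1000: {"name": "Alice Example", "email": "alice@example.test"},
    1105: {"name": "Bob Example", "email": "bob@example.test"},
}
ROLES = {1000: "user", 1105: "user", 7: "support"}  # constructed role table


class Forbidden(Exception):
    """Raised when the caller is not allowed to see the requested object."""


def get_profile_vulnerable(session_user_id, requested_user_id):
    # The only thing deciding what comes back is the client-supplied id:
    # user 1105 asking for user_id=1000 receives Alice's record.
    return PROFILES[requested_user_id]


def get_profile_fixed(session_user_id, requested_user_id):
    # Authorization is derived from the server-side session identity and a
    # server-side role table, never from the request parameter alone.
    is_owner = session_user_id == requested_user_id
    is_privileged = ROLES.get(session_user_id) == "support"
    # Authorization is checked before existence, so a plain user cannot use
    # 403-vs-404 differences to enumerate which ids exist.
    if not (is_owner or is_privileged):
        raise Forbidden(f"user {session_user_id} may not read profile {requested_user_id}")
    if requested_user_id not in PROFILES:
        raise KeyError("no such profile")
    return PROFILES[requested_user_id]


def parse_user_id(raw):
    # Parse the query-string value strictly: "1000abc", "-1" and "1.5" are rejected.
    if not raw.isdigit():
        raise ValueError("user_id must be a positive integer")
    return int(raw)


def handle_profile_request(session_user_id, query):
    """Simulates GET /profile?user_id=... and returns an (http_status, body) pair."""
    try:
        uid = parse_user_id(query.get("user_id", ""))
        return 200, get_profile_fixed(session_user_id, uid)
    except ValueError:
        return 400, {"error": "bad request"}
    except Forbidden:
        return 403, {"error": "forbidden"}
    except KeyError:
        return 404, {"error": "not found"}


if __name__ == "__main__":
    # Bob (1105) tries to read Alice's (1000) profile through both code paths.
    print("vulnerable:", get_profile_vulnerable(1105, 1000))
    print("fixed:", handle_profile_request(1105, {"user_id": "1000"}))
```

The check that matters is the one in `get_profile_fixed`: the session identity comes from the server's own state, so the attacker's ability to edit the URL no longer changes who is authorized. Logging the 403 responses is a cheap detection signal for IDOR probing of the kind described in the post.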

 

 

Tuesday, April 19, 2022

What happens when we type HTTPS in browser - Interview Question


Whenever I interview a candidate with a security background, there is one question I always ask:

What happens when we type https://example.com

Most security people know the answer to this question. From the answer I can tell how in-depth the candidate's knowledge of this domain is.

Let's try to understand the concept briefly.

Websites are secured by the HTTPS protocol, but most of us do not have a clear idea of how it really works. Let me give you a high-level overview of how HTTPS works.


Suppose we are trying to access https://abc.com. After typing the URL in the browser's address bar and pressing Enter, the SSL handshake happens first.

When we type a domain and press Enter:

  • The domain name is resolved to an IP address by a DNS server, and the request reaches the server we want to communicate with.
  • The server immediately responds to the initial connection by offering a list of the encryption methods the web server supports.
  • The client selects a connection method. Then the client and server exchange certificates to authenticate their identities; for this, the server first sends its public certificate to the browser.
  • After receiving that public certificate, the browser performs several checks.
  • First it validates the signature of the certificate. For this it takes the value of the Issued By field and searches the Trusted Root Certification Authorities certificate store for the public key of that authority. If it finds that public certificate, it uses it to validate the signature of the certificate received from abc.com. Popular certificate providers are VeriSign, GoDaddy, etc.
  • Next it tries to match the value of the Issued To field with the domain name (here abc.com).
  • Next it checks the validity period of the certificate to see whether it has expired.
  • After that it consults the certificate authority's revocation list on the web to check whether the certificate has been blacklisted.
  • If everything goes fine, the browser generates a random key, encrypts it with the public key it got from the server, and sends the encrypted value to the server (abc.com). Because it is encrypted with abc.com's public key, no one except abc.com can decrypt it. When the server (abc.com) receives this encrypted key, it uses its private key to decrypt it. Then both the server (abc.com) and the browser use that random key, sent by the browser, to encrypt, decrypt, sign and verify the signature of all data sent or received between them in that session. Thus, using symmetric encryption, data remains secure in HTTPS communication.

Monday, April 18, 2022

Top GitHub Dorks - 2022 Bug Bounty


Below is a list of popular dorks that bug hunters use when hunting for bugs:

api_key
“api keys”
authorization_bearer:
oauth
auth
authentication
client_secret
api_token:
“api token”
client_id
password
user_password
user_pass
passcode
secret
password hash
OTP
user auth
# Some of my own that I use regularly
remove password
root
admin
log
trash
token
FTP_PORT
FTP_PASSWORD
DB_DATABASE=
DB_HOST=
DB_PORT=
DB_PASSWORD=
DB_PW=
DB_USER=
number

 

Some other dorks

filename:sftp-config.json password

filename:.s3cfg
filename:config.php dbpasswd
filename:.bashrc password
filename:.esmtprc password
filename:.netrc password
filename:_netrc password
filename:.env MAIL_HOST=smtp.gmail.com
filename:prod.exs NOT prod.secret.exs
filename:.npmrc _auth
filename:WebServers.xml
filename:sftp-config.json
filename:passwd path:etc
filename:prod.secret.exs
filename:proftpdpasswd
filename:travis.yml
filename:vim_settings.xml
filename:sftp.json path:.vscode
filename:secrets.yml password
extension:sql mysql dump
extension:sql mysql dump password
extension:pem private
extension:ppk private
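The same keywords and filenames that make these dorks work are what a repository owner should scan for before code is pushed. As an added Python example (not from the original post, and not a complete secret-detection ruleset), the scanner below turns the dork terms above into line-level rules, skips obvious placeholder values, and flags the sensitive filenames the `filename:` dorks target. The sample file content is constructed for this example.

```python
import os
import re
from typing import List, NamedTuple


class Finding(NamedTuple):
    line: int
    kind: str
    value: str


# Rules built from the dork keywords above (constructed for this example).
# They are checked in order and the first matching rule per line wins.
RULES = [
    ("private_key_block", re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----")),
    ("env_credential", re.compile(r"^\s*(DB_PASSWORD|DB_PW|FTP_PASSWORD)\s*=\s*(\S+)", re.I)),
    ("bearer_token", re.compile(r"authorization\s*:\s*bearer\s+([A-Za-z0-9\-._~+/]+=*)", re.I)),
    ("key_assignment", re.compile(
        r"\b(api[_-]?key|api[_-]?token|client_secret|user_pass(?:word)?|passcode|password)\b"
        r"\s*[:=]\s*['\"]?([^'\"\s]{6,})", re.I)),
]

# Filenames the dorks above search for; committing one is a finding by itself.
SENSITIVE_FILENAMES = {".env", ".netrc", "_netrc", ".npmrc", ".s3cfg", ".esmtprc",
                       "sftp-config.json", "prod.secret.exs", "secrets.yml", "proftpdpasswd"}

# Values that are clearly templates rather than live secrets (constructed list).
PLACEHOLDERS = {"changeme", "example", "xxxxxx", "<password>", "your_password", "none", "null"}


def looks_like_placeholder(value: str) -> bool:
    v = value.lower().strip("'\"")
    return v in PLACEHOLDERS or v.startswith("${") or v.startswith("{{")


def scan_text(text: str) -> List[Finding]:
    """Run every rule over each line; return (line number, rule name, matched value)."""
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        for kind, rx in RULES:
            m = rx.search(line)
            if not m:
                continue
            # Rules with groups capture the secret value; groupless ones report the match.
            value = m.group(m.lastindex) if m.lastindex else m.group(0)
            if not looks_like_placeholder(value):
                findings.append(Finding(no, kind, value))
            break
    return findings


def is_sensitive_filename(path: str) -> bool:
    return os.path.basename(path) in SENSITIVE_FILENAMES


# Constructed sample file: what an accidentally committed .env might look like.
SAMPLE = """\
# constructed sample .env for this example
DB_HOST=db.internal.example
DB_PASSWORD=Sup3rS3cret!
api_key = "AKIAEXAMPLE0000000000"
Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.e30.abc
password=changeme
-----BEGIN RSA PRIVATE KEY-----
"""


if __name__ == "__main__":
    for f in scan_text(SAMPLE):
        print(f"line {f.line}: {f.kind}: {f.value}")
    print("sensitive filename:", is_sensitive_filename("config/.npmrc"))
```

Wired into a pre-commit hook or CI job, `scan_text` over the staged diff and `is_sensitive_filename` over the staged paths catch most of what the dorks above would later find on GitHub; the `DB_HOST` line is deliberately not reported, since hostnames alone are noise.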

Top Best IT companies in Delhi for Working


Some people prefer to stay close to family. In North India there are only a few locations, such as Delhi, Noida, Gurgaon, Mohali, Chandigarh and Panchkula, where most IT companies are present.

I am sharing a list of top companies in the NCR:


Adobe - Noida
Swiggy - Gurgaon
Airtel - Gurgaon
American Express - Gurgaon
Bank of America - Gurgaon
SAP Labs - Gurgaon
Paytm - Noida
Arcesium - Gurgaon
PolicyBazaar - Gurgaon
MakeMyTrip - Gurgaon
OYO - Gurgaon
Amazon - Noida/Gurgaon
Expedia - Gurgaon
Times Internet - Noida/Gurgaon
DE Shaw - Gurgaon(New office)
Netomi - Gurgaon
OLX - Gurgaon
Postman - WFH
Housing.com - Gurgaon
Browserstack - WFH
Microsoft - Noida/Gurgaon
Samsung - Noida
Ion Trading - Noida
Innovacer - Noida
Publicis Sapient - Gurgaon
Qualcomm - Noida
Angel One - WFH
Meesho - WFH
Zomato - Gurgaon
LensKart - Gurgaon
BharatPe - Delhi
Oracle - Noida
Sprinklr - Gurgaon
Tower Research Capital - Gurgaon
Info Edge(Naukri.com) - Noida
Ansys - Noida
Birdeye - Gurgaon
Nagarro - Gurgaon
Optum - Gurgaon
Chegg - Delhi
Amdocs - Gurgaon/Delhi
Quadeye - Gurgaon
Chargebee - WFH
Indeed - WFH
Cadence - Noida
Airbnb - Gurgaon
Udaan - WFH
VMware - WFH
Slack - WFH
Coinbase - WFH
Atlassian - WFH
Salesforce - Gurgaon/WFH
Nvidia - Noida
Urban company - Gurgaon
PineLabs - Noida
Rategain - Noida
Synopsys - Noida
SplashLearn - WFH/Gurgaon
Globant - WFH
Simpl - WFH
Leena.ai - Gurgaon
ixigo - Gurgaon
Spinny - Gurgaon
Cardekho - Gurgaon

Hope this helps. If you like it, please share.

Sunday, April 17, 2022

Top Tricks for Rate Limit Bypass - Bug Hunting


There are some headers that can be used to bypass rate limiting. All you have to do is put the header directly under the Host header in the request.


Use one of the following headers just below the Host header:

X-Forwarded-For: IP

X-Forwarded-IP: IP

X-Client-IP: IP

X-Remote-IP: IP

X-Originating-IP: IP

X-Host: IP

X-Client: IP


Or use a double X-Forwarded-For header:

X-Forwarded-For:

X-Forwarded-For: IP



Example Use

X-Forwarded: 127.0.0.1

X-Forwarded-By: 127.0.0.1

X-Forwarded-For: 127.0.0.1

X-Forwarded-For-Original: 127.0.0.1

X-Forwarder-For: 127.0.0.1

X-Forward-For: 127.0.0.1

Forwarded-For: 127.0.0.1

Forwarded-For-Ip: 127.0.0.1

X-Custom-IP-Authorization: 127.0.0.1

X-Originating-IP: 127.0.0.1

X-Remote-IP: 127.0.0.1

X-Remote-Addr: 127.0.0.1



Rate Limit Bypass using Special Characters


  • Adding a null byte (%00) at the end of the email can sometimes bypass the rate limit.
  • Try adding a space character after the email (not encoded).
  • Some common characters that help bypass rate limits: %0d, %2e, %09, %20, %0, %00, %0d%0a, %0a, %0C
  • Adding a slash (/) at the end of the API endpoint can also bypass the rate limit: domain.com/v1/login -> domain.com/v1/login/
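Both bypass families above work for the same reason: the limiter keys on data the client controls. The header tricks rely on the server reading X-Forwarded-For (or a look-alike) from any peer; the special-character tricks rely on the email or path being used as a limiter key without canonicalisation. The added Python example below (not code from the original post) shows the server-side fix for both: derive the client address only from a configured list of trusted proxies, normalise the account and endpoint before they become keys, and count attempts in a sliding window. The proxy range, addresses and limits are constructed for illustration.

```python
import ipaddress
import time
import unicodedata
from collections import defaultdict, deque

# Constructed: the address ranges of your own reverse proxies / load balancers.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def _is_trusted(addr):
    return any(addr in net for net in TRUSTED_PROXIES)


def effective_client_ip(remote_addr, headers):
    """Derive the client address used for rate limiting.

    X-Forwarded-For (and any look-alike header) is client-supplied data. It is only
    consulted when the TCP peer is one of our own proxies, and even then the chain is
    walked from the right so that values prepended by the client are ignored.
    """
    peer = ipaddress.ip_address(remote_addr)
    if not _is_trusted(peer):
        return str(peer)                      # direct client: header is irrelevant
    raw = {k.lower(): v for k, v in headers.items()}.get("x-forwarded-for", "")
    if isinstance(raw, (list, tuple)):        # several XFF header lines: one chain
        raw = ",".join(raw)
    chain = [p.strip() for p in raw.split(",") if p.strip()]
    for part in reversed(chain):
        try:
            addr = ipaddress.ip_address(part)
        except ValueError:
            break                             # malformed entry: trust nothing left of it
        if not _is_trusted(addr):
            return str(addr)
    return str(peer)


def normalize_identifier(value):
    """Canonicalise an email/username so casing, padding and %00-style tricks do not
    produce distinct limiter keys. Control characters are rejected outright."""
    value = unicodedata.normalize("NFKC", value)
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in value):   # %00 %09 %0a %0c %0d
        raise ValueError("control character in identifier")
    return value.strip().lower()


def normalize_path(path):
    """/v1/login/ and /v1/login are the same endpoint for limiting purposes."""
    return path.rstrip("/") or "/"


class SlidingWindowLimiter:
    """Allow at most `limit` hits per key within any `window_seconds` period."""

    def __init__(self, limit, window_seconds):
        self.limit, self.window = limit, window_seconds
        self._hits = defaultdict(deque)

    def allow(self, key, now=None):
        now = time.monotonic() if now is None else now
        q = self._hits[key]
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def login_attempt(limiter, remote_addr, headers, path, email, now=None):
    """True if the attempt may proceed. Limits per (endpoint, client IP) and, separately,
    per target account, so rotating addresses does not unlock one victim account."""
    try:
        account = normalize_identifier(email)
    except ValueError:
        return False
    ip = effective_client_ip(remote_addr, headers)
    endpoint = normalize_path(path)
    ok_ip = limiter.allow(("ip", endpoint, ip), now)
    ok_account = limiter.allow(("account", endpoint, account), now)
    return ok_ip and ok_account


if __name__ == "__main__":
    lim = SlidingWindowLimiter(limit=3, window_seconds=60)
    for i in range(1, 5):
        hdrs = {"X-Forwarded-For": f"127.0.0.{i}"}   # rotated header from a direct client
        print(i, login_attempt(lim, "203.0.113.5", hdrs, "/v1/login/", "Victim@Example.com", now=100 + i))
```

The per-account key is the part most often missing: even with correct proxy handling, a limiter keyed only on IP is defeated by a botnet, whereas the account counter caps OTP and password guessing against one victim regardless of source.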

Using IP Rotate Burp Extension

Try changing the User-Agent, the cookies... anything that could identify you.

If they limit you to 10 tries per IP, change the IP inside the header every 10 tries, and change other headers too.

Burp Suite's IP Rotate extension works great in most cases. Make sure you have Python installed as well.

Here you'll find everything you need: https://github.com/PortSwigger/ip-rotate


Example Report Submitted by Bug Hunter for Rate Limit Bypass

https://hackerone.com/reports/1067533

I have found a technique that can easily bypass the rate limit system of the website, and with this bug an attacker can easily attack the login panel, send an unlimited number of huge notifications to the victim, bypass OTP codes, take over accounts, etc. Basically, I added a header X-Forwarded-For: 127.0.0.1 which bypasses the rate limit and resets the request limits. Every time the rate limit is exceeded, just change the IP to another one and the rate limit will reset itself.

Steps to Reproduce:

Visit https://www.trycourier.app/

Go to the email section

Enter the victim's email address

Fire up Burp Suite and intercept the request

Now keep sending the request. If the rate limit is reached and you are blocked, add the X-Forwarded-For: 127.0.0.1 header. This will easily reset the rate limit. You can change the IP address to 127.0.0.2, 3, 4, 5, 6 every time the website blocks you.

(With this bypass you can easily send an unlimited amount of huge email notifications to the victim and annoy them.)

Impact

  • Brute forcing login panel
  • Trouble for the users of the website, because huge email bombing can be done by attackers within seconds.
  • Brute force OTP codes etc.

 

Passive Recon using Google Dorks and Shodan - Bug Hunting


During bug bounty or hacking work, I always try to find more and more tricks to enumerate my target domain. Most of the time I love finding free information on Google using dorks, and on Shodan. So I will show you how we can find very juicy information, which I use to broaden my attack surface by finding more (potentially vulnerable) assets and uncovering secrets.

Google Search

Google already has a lot of information, but to get information about our target we need to follow some tricks. This is Google dorking: a technique of making more specific queries to Google Search based on filters and restrictions defined by the user, so that the search engine returns more concrete results. It uses filters of the form

filter:value

and logical operators between the filters

filter:value [OPERATOR] filter:value

Some easy-to-use filters are

site:example.com

inurl:cmd and allinurl:cmd execute

related:randstad.com returns results from related companies' domains, like monster.com, which belongs to Randstad.

filetype:pdf

intitle:Organisation intitle:Internal or allintitle:Organisation Internal

intext:password

site:example.com -www

will ask Google to return results from every subdomain of example.com known to it, except for www.example.com. This is a good query to use for additional subdomain discovery, in case your automation missed any subdomains.


Let's try a more practical approach.

site:example.com inurl:src

returns results with the parameter src in the URL, e.g. https://example.com/css_src.php?src=. The endpoint can later be analysed for possible vulnerabilities, especially if the parameter has a name that points to a specific vulnerability class, e.g. a parameter named return points to open redirects.

Now, if we want to find a Jenkins dashboard, we can do that like this:

intitle:"Dashboard [Jenkins]" site:example.com

This will return a public Jenkins instance belonging to example.com, if there is any.


Much more information about Google dorking can be found at exploit-db.com, which contains a large number of Google dork queries for uncovering secrets and information on a target, e.g. discovering private keys with the query

Now let's talk about Shodan and how we can use it to find relevant information about our target.

Shodan collects information about internet-facing servers such as open ports, the services running on those ports and their banners.

To use Shodan to its full extent you need a paid account. As with Google dorks, we also need some tricks to use it well, so below are some of the ways to use this search engine.

http.status

Returns the servers with the specified http status code, e.g. http.status:200.

http.title

Queries for the specified HTTP title found in the banners. A well-known example is the Shodan dork used to find vulnerable BIG-IP components: http.title:"BIG-IP®- Redirect".

http.component

Returns servers with the specified web technology that is used on the website, e.g. http.component:"jenkins".

ssl

Finds servers with the specified string included in the SSL certificate, e.g. ssl:"Microsoft". This filter can be narrowed further with ssl.expired, ssl.version, etc. (more in the Shodan documentation).

org

Finds servers with IP belonging to the specified organization’s netblock, e.g., org:"Microsoft"

port

The port filter returns components with the specified port open, e.g. port:8080.

os

Using this filter shodan returns servers running the specified operating system, e.g. os:Windows.

product

Using this filter shodan returns devices running this specific product, e.g. product:"Apache Tomcat" or product:"IIS Windows Server"

version

The version filter is to be combined with the product filter. It specifies the version of the specified product, e.g. product:"Apache Tomcat" version:"7.0.82"

vuln

This filter is only available to academic users or Small Business API subscriptions and higher. It's used to return components vulnerable to the specified CVE identifier, e.g. vuln:cve-2010-2730.
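Both the Google dork grammar (`filter:value [OPERATOR] filter:value`, with `-` negation and quoted values) and the Shodan filters above share one syntax, which makes it easy to keep a reviewed list of queries for monitoring your own exposure. The added Python example below (not code from the original post) is a small parser for that syntax: it splits a query into filters, bare terms and operators, collects the positive filters, round-trips a query back to text, and checks that a query stays scoped to your own domain with `site:` (Google) or `hostname:` (Shodan). The scoping rule and the example queries are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# One token: optional '-' negation, optional filter name followed by ':', then a value
# that is either "quoted, may contain spaces" or a bare run of non-whitespace.
_TOKEN = re.compile(r'(-?)(?:([A-Za-z_][\w.]*):)?(?:"([^"]*)"|(\S+))')
_OPERATORS = {"AND", "OR", "NOT"}


@dataclass
class Token:
    kind: str                 # "filter", "term" or "op"
    name: Optional[str]       # filter name such as site, inurl, http.title; None otherwise
    value: str
    negated: bool = False


def parse_query(query: str) -> List[Token]:
    """Tokenise a Google-dork or Shodan query into filters, terms and operators."""
    tokens = []
    for m in _TOKEN.finditer(query):
        neg, name, quoted, bare = m.groups()
        value = quoted if quoted is not None else bare
        if name is None and not neg and value in _OPERATORS:
            tokens.append(Token("op", None, value))
        elif name is not None:
            tokens.append(Token("filter", name.lower(), value, neg == "-"))
        else:
            tokens.append(Token("term", None, value, neg == "-"))
    return tokens


def filters(tokens: List[Token]) -> Dict[str, List[str]]:
    """Positive filters as {name: [values]}; a filter may repeat (intitle:A intitle:B)."""
    out: Dict[str, List[str]] = {}
    for t in tokens:
        if t.kind == "filter" and not t.negated:
            out.setdefault(t.name, []).append(t.value)
    return out


def is_scoped_to(tokens: List[Token], domain: str) -> bool:
    """True if every positive site:/hostname: value is `domain` or a subdomain of it.
    Useful as a guard when a query list is meant to watch only your own assets."""
    f = filters(tokens)
    scopes = f.get("site", []) + f.get("hostname", [])
    return bool(scopes) and all(s == domain or s.endswith("." + domain) for s in scopes)


def render(tokens: List[Token]) -> str:
    """Serialise tokens back to query text, quoting values that contain whitespace."""
    parts = []
    for t in tokens:
        v = f'"{t.value}"' if re.search(r"\s", t.value) else t.value
        prefix = "-" if t.negated else ""
        parts.append(f"{prefix}{t.name}:{v}" if t.kind == "filter" else f"{prefix}{v}")
    return " ".join(parts)


if __name__ == "__main__":
    google = 'site:example.com -www intitle:"Dashboard [Jenkins]" OR filetype:pdf'
    shodan = 'product:"Apache Tomcat" version:"7.0.82" port:8080 http.status:200'
    for q in (google, shodan):
        toks = parse_query(q)
        print(filters(toks), "scoped to example.com:", is_scoped_to(toks, "example.com"))
```

With `parse_query` in place, a defender can keep the dorks from this post in a file, assert with `is_scoped_to` that each one targets only the organisation's own domain, and diff the results of the rendered queries over time to catch newly exposed assets.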


Conclusion

Using search engines for passive reconnaissance, whether for endpoint, secret or subdomain discovery, requires a lot of digging and can take some time. But when it comes to bug hunting, the more digging a bug requires, the less likely it is to be a duplicate. Testing out the filters and creating unique, creative queries is the key.