From now until Christmas, I will try to share something from my notes / research every day - most of them are old but might still be useful to remember #XMas2020 #AppSec #Web #HTTP
"max-forwards" http header:
- limit the number of proxies a request can traverse.
- not hop-by-hop
- can't go in the Trailer header

Some usage example:
old: securiteam.com/securityreview…
old: counting servers (proxies) in the middle
new: portswigger.net/research/crack… Image
In something like JS
/*/ comment /*/
is the same as
/* comment */
, makes sense, right? But MSSQL sees it as
/* comment /*...
more interestingly, if you want to close it, you need 2 */
This is important when injections go into multiple places and newline is involved! Image
App blocks %0D%0A? we try %0A or %0D or %u2028 or %2029 (using correct encoding).

But also remember to try things like this especially if you are dealing with Java:
%C0%8D%C0%8A
%c4%8a
%EA%A8%8A

Find why & more using r12a.github.io/app-conversion/ and compart.com/en/unicode/sea…
Sometimes you just need a simple match/replace in Burp or chain Burps to address problems fast. If you are testing a site that uses JSON, Burp Scanner does not automatically add quotes around numbers (or anything). The following easy match/replace can come in handy for numbers: Image
Another example usage of HackVertor extension by @garethheyes can be to bypass WAFs using request encoding (slideshare.net/SoroushDalili/…)
See the screenshots in which a custom tag has been created in HV to do this properly - this was for an APSX page on IIS (catalog.update.microsoft.com/Search.aspx?q=…) ImageImageImage
If you are using Windows and like me too lazy to use something like github.com/ptoomey3/evila… to create ".." dir in zip files, you can download 7-zip version 9.20 (sourceforge.net/projects/seven…) and use its GUI! The only limit is that you need to drag and drop files to it Image
Fiddler vs. Burp is not a good comparison. Fiddler is not for sec testing but has better performance & can be a life saver when testing some apps in Windows. Chaining `Client App ~> Fiddler -> Burp ~> Target` is normally a good solution and can be done like the screenshots - 1/3 ImageImage
Burp vs. Fiddler is not a good comparison. Burp doesn't mess with the request to make standard, it sends what you want to send! Fiddler sometimes does not even let you send a mangled request so `if Fiddler is a professional kitchen knife, Burp is a surgical knife` yeaaah! 2/3
The screenshot shows an example of making a request with Burp while Fiddler does not let you send it!

BONUS: a similar req (w a few changes) over HTTP from the victim's box was enough to kill the local @kaspersky 2019 products which doesn't work in the latest version 3/3 ImageImage
If you are testing a multi-factor authentication, always check the MFA req after providing victim's credentials - sometimes it might have an object reference which is linked to MFA, change that to attacker's MFA ID as you have its value - a bizarre issue but can happen ;)
Reviewing .NET MVC Razor? Some quick tips next to normal checks:
> XSS: +@html.raw ->
> CSRF: +IgnoreAntiforgeryToken -ValidateAntiforgeryToken -AutoValidateAntiforgeryToken
> `Request`, `[HTTP`, `Route` to find paths/params

vulncat.fortify.com/en/weakness?co…

syncfusion.com/blogs/post/10-…
Trailer headers in HTTP 1/2:
- Additional header in the body of a HTTP request
- Come with `Transfer-Encoding: chunked` after the last 0\r\n and ends with
- There is a disallowed list in browsers

But, RFC does not limit it to HTTP Response, so can this be abused in requests?
Trailer headers in HTTP 2/2:
The trailer headers used to work at least until 2013 in PHP and Apache: martin.swende.se/blog/HTTPChunk…
httpd.apache.org/docs/2.4/mod/c…
However, IIS & Apache show error if you miss the : in the trailer header so it is somehow being validated but ignored? ImageImageImage
Removing headers by proxy: in 2016, I had written this note to remove some headers from a request:
"Connection header can be used to remove other headers after it passes through a proxy - not limited to the hop-by-hop headers..."
Little I knew about @albinowax research Image
In the past I have found many deserialization issues in .NET by source code review. Here is my list to find interesting points to start with:
gist.github.com/irsdl/9315521b…
If you want to know what to do next when you are in control, read the references in ysoserial .net
RFC - 1/2: I started reading boring RFCs after learning this from other researchers. I love them now, here is why:
- I would understand a technology better to find more sec bugs
- Inconsistent implementations -> Canonical/Sec Issues
See RFC2119 -> even that needed RFC8174!!! 😄 Image
RFC - 2/2: Here is where I normally find the most interesting stuffs:
- Relaxed rules (SHOULD,MAY,...)
- Vague rules (is it clear enough to be implemented?)
- Complicated and/or parsing rules
- Changes in new versions
- Delimiters! (love it)
- Usage in other RFCs (more targets)
RFC - 2.001/2;: Logical issues can be missed by fuzzers that might detect hard to find [parsing] issues.
To find simple examples of identified issues by reading RFCs, see stuffs that have been done to bypass WAFs by reshaping a HTTP request.
Screenshots from my notes of RFC2616🤔 ImageImage
Burp Java Ext Debugging 1/3:
Most Burp extension writers do not use debugging and use the old style print line by line approach 😁The solution is easy for Java without running burp in legacy mode (jython can be memory intensive when code is not quality like most mine)
... 2/3:
NetBeans, Eclipse, & IntelliJ all support Remote Debugging (google it for your favourite IDE).

IJ Example:
0) Get this github.com/irsdl/EmptyBur… for start (🙏to @alexlauerman) and open it in IJ
1) Run> Edit Configurations...
2) Templates> Remote JVM Debug> Set your port ImageImage
... 3/3:
3) Run burp.jar with required debug args - e.g.: github.com/irsdl/BurpRunn…
4) Load your Burp extension after building the latest jar version in IJ (ensure there is no error)
5) Run MyBurpDebug
6) Set a breakpoint
7) Reload the extension (ctrl+click)
8) Proper debug time😎 ImageImageImageImage
SalesForce apps tips; cmn vulns:
SOQL & SOSL injections, XSS, CSRF, Access control issues, Insecure storages, Insecure communications/cryptographic modules, etc.
>know.bishopfox.com/research/sfdc-…
>vulncat.fortify.com/en/weakness?co…
-Apex in classes+triggers
-Make valid requests from Apex
& more ;) ImageImageImage
- Mental health is important; don't be afraid of seeking help & sharing with someone. Don't suffer in silence, it's not just you!
- Improve your soft skills
- Share notes/tools/etc but avoid re-inventing the wheel/rediscover XSS
- Reference other people's work

Happy Holidays 🎅
@UnrollHelper unroll please

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Soroush Dalili 🤖

Soroush Dalili 🤖 Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @irsdl

23 Dec
Almost there, tomorrow I will publish the last but probably less serious tips then we can unroll it 🎅 hopefully others will do a similar short-continues note sharing in the future so we can see overlooked/secret stuffs.
Some good candidates from different worlds that quickly come to my mind🤩👀:
Read 4 tweets

Did Thread Reader help you today?

Support us! We are indie developers!


This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!

Follow Us on Twitter!