Day 4⃣1⃣
We will learn how to fuzz input fields today - first we fuzz manually today.
We will learn how to fuzz input fields today - first we fuzz manually today.
First things first - remember we had a giveaway yesterday - Winner:
@Illusionist3886
Twist 1: @Rohaan_ because I am having a nice day - you win as well
Congratulations to both of you - DM me for details.
Now on to hacking!
@Illusionist3886
Twist 1: @Rohaan_ because I am having a nice day - you win as well
Congratulations to both of you - DM me for details.
Now on to hacking!
We checked the technologies, found version numbers and tried to find previously reported vulnerabilities.
One thing should have caught your eye - farmOS does not have ANY! reported vulnerabilities.
Is this good or bad?
BOTH.
One thing should have caught your eye - farmOS does not have ANY! reported vulnerabilities.
Is this good or bad?
BOTH.
Good
- it could mean that no one tried hacking them yet
- there is a chance we will find something and can get a CVE for it
Bad
- no one touched this before? huh?
- it's incredibly hard to find anything that most people give up without finding anything
Well...
- it could mean that no one tried hacking them yet
- there is a chance we will find something and can get a CVE for it
Bad
- no one touched this before? huh?
- it's incredibly hard to find anything that most people give up without finding anything
Well...
We will be seasoned bug hunters soon - in my book the positive side wins, and we will never know until we try 🧑🌾🔥
PERSISTENCE is key, remember that!
1% growth each day is >3.5x better after only 1 year!
PERSISTENCE is key, remember that!
1% growth each day is >3.5x better after only 1 year!
The application seems to consist of two parts - a frontend and a backend in tech lingo.
the frontend is the part that you see and can click around
backend is often text-based and gives data to the frontend to display
the frontend is the part that you see and can click around
backend is often text-based and gives data to the frontend to display
How did I find the two parts?
I looked where no one else looks usually - the documentation 😅🔥
farmOS has really good documentation and you can find it here: farmos.org/development/ap…
They describe that farmOS has an API or Artificial Programming Interface - wait whats that?
I looked where no one else looks usually - the documentation 😅🔥
farmOS has really good documentation and you can find it here: farmos.org/development/ap…
They describe that farmOS has an API or Artificial Programming Interface - wait whats that?
It essentially means that the farmOS application talks to other applications in text form - usually this is JSON
Oh my gosh stop it with the acronyms already...
JSON - JavaScript Object Notation - is how objects are stored/displayed in ... you guessed it JavaScript.
Oh my gosh stop it with the acronyms already...
JSON - JavaScript Object Notation - is how objects are stored/displayed in ... you guessed it JavaScript.
If you are familiar with Python - this looks like a dictionary - if you are familiar with other languages it looks like this:
{
"hacker": "maikroservice",
"favorite_color": "purple"
}
Sometimes people also call this a key-value object, hashmap and other names wrapped in {}
{
"hacker": "maikroservice",
"favorite_color": "purple"
}
Sometimes people also call this a key-value object, hashmap and other names wrapped in {}
But they all mean the same:
1. Key - you can search this key, they are usually unique - so only one hacker with handle maikroservice can exist - TAKE THAT BOTS!
2. Values - can be 1 or many per key
1 Key - (many) Value(s)
Sidetrack off.
1. Key - you can search this key, they are usually unique - so only one hacker with handle maikroservice can exist - TAKE THAT BOTS!
2. Values - can be 1 or many per key
1 Key - (many) Value(s)
Sidetrack off.
Why did I tell you this?
It is easier to hunt for bugs if you understand what you are looking at and APIs & JSON are everywhere.
Literally.
Everyone is using them.
So how do we hack APIs?
It is easier to hunt for bugs if you understand what you are looking at and APIs & JSON are everywhere.
Literally.
Everyone is using them.
So how do we hack APIs?
1. Typically we would first map out all the APIs
- What is available?
2. We then identify potential areas that take input
- Where can we type something?
3. We fuzz.
wait we what now?
- What is available?
2. We then identify potential areas that take input
- Where can we type something?
3. We fuzz.
wait we what now?
Fuzzing is the process of using different inputs in order to see if we can:
- break the application (cause an error)
- display information that is not supposed to be seen (Can I see your account email / password?)
- break the application (cause an error)
- display information that is not supposed to be seen (Can I see your account email / password?)
We will first do that manually and with a very simple payload.
A payload is text that we send to the application, sometimes our name, sometimes evil code. 👿
Our payload that we will test is
<script>javascript:alert("XSS")</script>
A payload is text that we send to the application, sometimes our name, sometimes evil code. 👿
Our payload that we will test is
<script>javascript:alert("XSS")</script>
Let us figure out what that means and why I chose this payload/class of vulnerabilities.
1. <script> - this is something called a tag, or HTML element - anything between <> is a tag
2. javascript:alert - this is an instruction to start a popup when the code is executed
1. <script> - this is something called a tag, or HTML element - anything between <> is a tag
2. javascript:alert - this is an instruction to start a popup when the code is executed
umm.... I know what a popup is but why would you want to see a popup when you hack?
Well - XSS or cross site scripting is a class of vulnerabilities that is often identified by this method because its very VISUAL - you can see the popup when it works <3
Well - XSS or cross site scripting is a class of vulnerabilities that is often identified by this method because its very VISUAL - you can see the popup when it works <3
3. alert("XSS") - this will show the text "XSS" in the popup - for illustrative purposes.
4. </script> - a tag should be closed (closing is done by adding a "/" in front of the tag
4. </script> - a tag should be closed (closing is done by adding a "/" in front of the tag
Nice, so now you know what to do.
Start the application and put the payload we defined in all the input fields.
every one? YES, in every single one.
No one said this would be a walk in the park 🛝
Start the application and put the payload we defined in all the input fields.
every one? YES, in every single one.
No one said this would be a walk in the park 🛝
Let me know if you find a spot where this causes a popup 💜
Tomorrow we will meet a new tool - the intercept software @zaproxy and @Burp_Suite
I will tell you my favorite one ;)
Tomorrow we will meet a new tool - the intercept software @zaproxy and @Burp_Suite
I will tell you my favorite one ;)
Feel free to reply with ideas or questions - you can also DM me.
October is #BugBounty focus
November is #BlueTeam
In December we built a hacking portfolio and hunt jobs for you
I cannot wait and am very grateful that you are following me - enjoy the weekend!
October is #BugBounty focus
November is #BlueTeam
In December we built a hacking portfolio and hunt jobs for you
I cannot wait and am very grateful that you are following me - enjoy the weekend!
• • •
Missing some Tweet in this thread? You can try to
force a refresh
