CSRF Mitigation

Mitigation:

referrer check 
token: real random and store in the form
verification code

Popular posts from this blog

Phonebook - Hack the box Write up -- Web LDAP injection

Image
 0x00 Problem  0x01 Check the vulnerability When we see the login form on the website, it might be command injection, SQL injection, LDAP injection.  We can see that this need us to login with workstation username, it might be LDAP injection. 0x02 LDAP injection payload Here is the basic LDAP injection payload. We can check the vulnerability. user=*)(& password=*)(& --> (&(user=*)(&)(password=*)(&))  After we type it, we found the response shows successful, and return a page has search box. Then we type a character in the search box, and it returns some user phonebook information. I tried 'flag', 'HTB', it doesn't find any results. Then we try to find user 'Reese', but the information doesn't look like flag.   0x03 Locate the flag  Then we change our payload to check if the password is the flag. user=Reese password=HTB*)(& --> (&(user=Reese)(password=HTB*)(&  It can also return to the search page which means it...
Read more

wafwaf -- Hack The Box -- Web SQL injection

Image
0x00 Problem 0x01 Check the Source Code We open the website and only see the source code on the website. As we can see, there is a WAF will filter some characters and words, that means the normal injection will not work. However, we can see, there is a json_decode() function will decode JSON data, that means the data can be accepted should be JSON format.  The example JSON format data is like: /u0074, /u0075. In addition, there is a "php://input",  accesses the read-only stream of the requested raw data, executing the data in the post request as PHP code. 0x02 Local Test We can launch an Apache server to test it. I copy the source code and make a little change to test this. This file is in /var/www/html. We will construct the data first. This time I use 'select' as an example. The word transfer to ASCII, then to hex, then replace the '\0x' as '\u00'. This can be test in the browser console. At the end, we can test it with curl . As we can see, the SQL...
Read more

OSCP Capstone Lab Writeup - SQLi Module - Alvida-Eatery

Image
  Take a look Website Content Analysis: Accessed the website (http://192.168.139.47:80)   Website Content Analysis: Displays bakery goods and coffee products Static content only No interactive elements found: No search functionality No login forms No input fields Initial Assessment: Limited attack surface due to lack of user input fields Traditional injection techniques not immediately applicable Need to explore alternative entry points Further Website Exploration:  Located and clicked on alvida-eatery.org link within the main website http://www6.alvida-eatery.org/lander?template=ARROW_3&tdfs=0&s_token=1731789108.0467710000&uuid=1731789108.0467710000&term=Caterer%20Menu&term=Lunch%20Catering&term=Restaurant%20Table%20Reservations%20Online&searchbox=0&showDomain=0&backfill=0 Attempted SQLMap injection on URL parameters: Targeted 'uuid' parameter Result: 403 Forbidden error received  Initial Attack Attempts: Hint Analysis: Hin...
Read more