Day 1/100 Learning and Improvement

1 minute read

Before opening up with day 1, I’d like to give a big shout out to Peter Yaworski for his amazing contribution to the infosec community with his book Real-World Bug Hunting. The following days will describe some of vulnerabilites and attack scenearios explained in this book.

Open Redirect

From Sam (CoffeeJunkie), Reading the book Real-World Bug Hunting from Peter Yaworski, in the first chapters of the book it explains how open redirect can be combined with other attacks, and anable attackers to distribute malwarer from the malicious site or to steal OAuth tokens. Open redirect attacks has certain importance and value depending on the place where the vulnerability is found. There are certain parameters that can lead to open redirects and can be found in the URLs. There are many names for these parameters, but some of them can be found as next, redirect, url, r, u, domain_name, return_to, and more. In order to find these parameters, it is always good to look closely to the URLs.

Some open redirect attacks can be found in the html code of the website with <meta> tags. The <meta> tags allow redirect actions from the browser. In order to trigger this vulnerability, there must be some kind of manipulation in the DOM, or attackers can inject their own tag via some other vulnerability. In order to do this, the attacker can also sue JavaScript to manipiulate the window.location in the DOM.

window.location = https://www.google.com/
window.location.href = https://www.google.com
window.location.replace(https://www.google.com)

Ways to bypass open redirect protection

  • If the website doesn’t allow to insert a different domain in the URL, this can be one of the solutions.
    accounts?return_to=////attacker.com
    
  • If the website only allows site with the same source of domain, you can try the following.
    checkout_url=.attacker.com”
    checkout_url=.vicim.com.attacker.co”
    

    Writeups

  • Open Redirect in login page in Spotify
  • Interstitial Redirect Hacker One

Some Shodan Tricks

From Rajesh Ranjan who’s curious about the usage of shodan. He was hovering different ways to obtain company assets using ASN numbers on Shodan.

Finding company assets using ASN on shodan

  1. Go to Hurrican Electric BGP Toolkit for finding the ASN number.

  2. After finding the ASN number, it’s time to go to shodan using the following filter. In this case Rajesh Ranjan used PayPal, due it’s a public program on HackerOne

    asn:AS17012
    

    nmap scan

Finding kubernetes information exposudre on Shodan

Shodan has a great filter that allows to find different products that companies and organizations might be using in their infrastructure. To find kubernetes information exposure, do the following.

  1. In shodan type the following filter: product:"kubernetes" port:"10250" nmap scan

  2. If the search has been successful for the company were you looking for, you can try in the url. https://domain.com:10250/pods

This will expose private information.

Conclusion

Open redirects and different filters in shodan can bring a exposure to different kind of vulnerabilites. Remind yourself different ways to bypass Open Redirect, and be creative with Shodan filters in order to get the maximum out the site.

This has been brought from noobs, for noobs, for the infosec community.

Leave a comment