After the readings and content so far, there is a vast amount of information still to learn. Today, for day 15, we cover open redirect capabilities and escalations, and directory traversal attacks with their bypasses. Happy reading!
Open Redirect Capabilities and Escalations
From Sam (CoffeeJunkie). Open redirects might seem like low-value vulnerabilities to some programs, but they can have real impact: an attacker may be able to steal user cookies or OAuth tokens, achieve stored and reflected XSS, and obtain account takeovers. Getting to these kinds of escalations depends strongly on the creativity of the attacker. In the talk Giving Back to the Bug Bounty Community, zseano talks about the great chances of chaining OAuth misconfigurations with open redirects and stored XSS.
Besides the examples from the talk above, there are several examples of open redirects with their filters and bypasses, such as the following:
The attacker has the following PoC:
As you can see, here the filter is %5c followed by the URL the attacker wants to redirect to. But what if the attacker wants to escalate to reflected XSS? Here is the following PoC:
And this is the response from the target.
As you can see, the XSS is achieved through the redirection; also, the URL being redirected to is reflected on a
There are countless examples of this kind of attack, but something you might find useful are the following payloads and bypasses.
Directory Traversal Attack
From Rajesh Ranjan. Directory traversal is a type of attack in which an attacker is able to view directories that he/she should not be able to access. In this scenario, the attacker simply traverses the filesystem path and gains unauthorized access to restricted files or directories.
Exploiting Directory Traversal
There are numerous ways to exploit a directory traversal vulnerability, depending on the scenario, but there are a few bypasses I want to share with you.
Example: Suppose there is a website https://example.com/view.php?file=image1.png that has an image stored named image1.png. Here view.php uses the file parameter to retrieve the content of the file from the application server. In this case, the images are stored in the /var/www/images directory, so an attacker can perform a directory traversal to view the /etc/passwd file on this server. He can craft a payload something like:
In most cases a WAF will block these attacks, but we can use several techniques to bypass the WAF:
- Double URL encoding and Unicode Encoding
- Bypassing the Restriction of ../
So instead of using ../ we can use the following too:
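As an added illustration (my own code, not the author's or any real view.php), here is a hypothetical Python resolver showing why the two bypasses above defeat a blacklist filter, and why decoding fully, canonicalising and checking containment under the image directory does not. It assumes the images live under /var/www/images as in the example.

```python
import posixpath
import urllib.parse

# Constructed layout mirroring the page's example: images live under BASE_DIR
# and view.php?file=... selects one of them by name (assumption, not page code).
BASE_DIR = "/var/www/images"


def fully_decode(value: str) -> str:
    """URL-decode until the string stops changing, which undoes double encoding."""
    while True:
        decoded = urllib.parse.unquote(value)
        if decoded == value:
            return decoded
        value = decoded


def weak_sanitize(file_param: str) -> str:
    """Hypothetical blacklist rule: decode once, then strip '../' a single time."""
    return urllib.parse.unquote(file_param).replace("../", "")


def vulnerable_resolve(file_param: str) -> str:
    """Handler that trusts the blacklist, then decodes again (as a framework
    layer might) and joins the result under BASE_DIR with no containment check."""
    cleaned = fully_decode(weak_sanitize(file_param))
    return posixpath.normpath(posixpath.join(BASE_DIR, cleaned))


def hardened_resolve(file_param: str):
    """Decode fully first, canonicalise, and refuse anything outside BASE_DIR.
    Returns the resolved path, or None when the request must be rejected."""
    candidate = posixpath.normpath(posixpath.join(BASE_DIR, fully_decode(file_param)))
    # Compare against BASE_DIR plus '/' so a sibling such as /var/www/images2
    # cannot pass a bare prefix check; odd names like '....' stay inside and
    # simply resolve to files that do not exist.
    if candidate == BASE_DIR or candidate.startswith(BASE_DIR + "/"):
        return candidate
    return None


# Constructed requests: one legitimate, two using the bypasses the page lists.
SAMPLES = {
    "legit": "image1.png",
    "dotdot_repeat": "....//....//....//etc/passwd",          # survives a one-pass strip
    "double_encoded": "%252e%252e%252f" * 3 + "etc/passwd",   # hidden from a single decode
}

if __name__ == "__main__":
    for name, param in SAMPLES.items():
        print(f"{name:14} vulnerable -> {vulnerable_resolve(param)}")
        print(f"{name:14} hardened   -> {hardened_resolve(param)}")
```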
Directory Traversal Tool
To automate this process, we can use a tool named DotDotPwn, a directory traversal fuzzer that comes preinstalled with Kali Linux. Here is the link for that tool.
Directory Traversal Bypass
I got these amazing bypasses from Twitter; check them out here: https://www.hahwul.com/2019/09/path-traversal-pattern-of-dotdot-slash.html