Forem: FENIL SHAH

Day-11: Read Info-sec Write-Ups!

FENIL SHAH — Sat, 27 Jun 2020 17:20:28 +0000

Day-11: Did Unix badge exercise on Pentesterlab and was not in the mood to do research so did read some amazing info-sec write-ups! Understanding and reading other's methodology always helps you make your thoughts broad!

1. Access to Server and Database of a French Bank 💸 ~ Thibeault Chenu!

Understanding the structure of Target is Important!
This was pretty good but I guess I need more knowledge to understand this completely if you can help, lemme know in the comment section! Thanks!❤️

2. Getting First Bounty with IDOR ~ Mukul Trivedi

Idor's are great when you get the logic errors!
He also linked amazing blogs about IDOR in his blog, do not forget to check that out also!

3. How Inspect Element Got me a Bounty ~ Aditya Soni

Make Inspect Element your best friend!
Idk I never tried to change value which is disabled by default! Nice catch though!

PS: It is pretty easy to understand, If you do not understand lemme know in the comment section, I'll help you!

Resources:

Medium Blogs:

Contact:

Got doubts? Contact me on Twitter.
Feedbacks are welcomed, do comment it down below! :)

Day-10: Bash Scripting - #2

FENIL SHAH — Fri, 26 Jun 2020 17:29:05 +0000

Day-10: So I did continued with bash scripting today! Going more deep in bash scripts! Check out my Bash Scripting - #1 before reading the below notes!

Variables!

In bash syntax, variables $1 to represent the first command-line argument, $2 to represent the second command-line argument, and so on. And “$@” is the variable name for all arguments passed in. Use the syntax VARIABLE_NAME=VARIABLE_VALUE

#!/bin/bash

BIRTHDATE=$1

Operating the Variables!

The user’s input string will be in the format of “2020–05–06”, we can convert the user’s birthdate to a Unix timestamp.

#!/bin/bash

BIRTHDATE=$(date -jf “%Y-%m-%d” $1 +%s)
NOW=$(date -jf “%a %b %d %T %Z %Y” “$(date)” +%s)

DIFF_IN_SECONDS=$(expr $NOW — $BIRTHDATE)
DIFF_IN_DAYS=$(expr $DIFF_IN_SECONDS / 86400)

echo "You are $DIFF_IN_DAYS days old."

Breaking down, The $() tells Unix to execute the command surrounded by the parenthesis and replace the variable with the output of the command. This is called "command substitution".
Date: displays time on Unix systems!
-jf: Convert one date format to another
'%Y-%m-%d': Tells date that the input date string will be in the format of year-month-day!
$1: Specifies that the input string is the first argument of the script!
+%s: Tells date to output the date as the number of seconds that have passed since the “Unix epoch”.
The second line command: NOW=$(date -jf “%a %b %d %T %Z %Y” “$(date)” +%s) in this converted the current time into a Unix timestamp.
The third line command:DIFF_IN_SECONDS=$(expr $NOW — $BIRTHDATE) in this calculated the difference between the two dates in seconds. We can calculate the difference between the two timestamps by using "expr".
The fourth line command: DIFF_IN_DAYS=$(expr $DIFF_IN_SECONDS / 86400) then converted the difference in seconds to a difference in days by dividing the time difference in seconds by 86400. 86400 Seconds = 1 day.
The fifth line command: echo "You are $DIFF_IN_DAYS days old." used echo then to display the time difference!

Resources:

Bash Scripting Cheatsheet: https://devhints.io/bash
Bash Script examples: https://linuxhint.com/30_bash_script_examples/
Medium Blog: Bash Scripting (You need Premium subs to access this!)

Contact:

Got doubts? Contact me on Twitter.
Feedbacks are welcomed, do comment it down below! :)

Day-9: Bash Scripting - #1

FENIL SHAH — Thu, 25 Jun 2020 17:17:33 +0000

Day-9: Started my day with completing 5 exercises out of 35 of Unix Badge on pentesterlab! After that did some research on Bash scripting, follow my notes below to know more!

Bash Scripting, Whattttt?

Okay so, BASH stands for Bourne-Again SHell. what it does is that it takes in commands from the user and performs actions using operating system services. It is basically a shell interpreter!
A Bash script is a plain text file which contains a series of commands.
For example, the ls command lists the files and folders in a directory. Bash is the improved version of Sh (Bourne Shell).
Bash Scripting is used for:
- Managing complexities and for automating recurrent tasks.

Writing the first Script!

The first line should be "shebang" - (#!). Starts with hash character (#) and a bang character (!) and it declares the interpreter for the script.
- #!/bin/bash - This line indicates that we are using bash interpreter!
Adding Commands: The command “echo” prints out its arguments to standard output. “$@” is the variable name for all arguments passed in.
File Permissions: First save the file in your current directory with the extension of ".sh" (The “.sh” extension is conventional for shell scripts.) and then give permission with the following command! The “chmod” command edits the permissions for a file, and “+x” indicates that we want to add the permission to execute for all users.

chmod +x hello.sh

4 . Executing the script: Now you can execute the file ./hello.sh and it will give you the following result!

PS: You can use any file editor like nano, vim, etc. Here I used nano hello.sh

Resources:

Bash Scripting Cheatsheet: https://devhints.io/bash
Bash Script examples: https://linuxhint.com/30_bash_script_examples/

Contact:

Got doubts? Contact me on Twitter.
Feedbacks are welcomed, do comment it down below! :)

Day-8: Started with Pentesterlab!

FENIL SHAH — Wed, 24 Jun 2020 17:01:55 +0000

Day-8: Today was a very busy day so couldn't do any research on any specific topic but I did start with pentesterlab and done with the introduction badge!

Some tips from today's learnings:

Always look for robots.txt! (I repeat do not ignore robots.txt)
Make developers tools (available in chrome as well as firefox) your best friends!

Contact:

Got doubts? Contact me on Twitter.
Feedbacks are welcomed, do comment it down below! :)

Day-7: Nmap -- Hacker's Favourite Scanning Tool!

FENIL SHAH — Tue, 23 Jun 2020 17:36:52 +0000

Day-7: I started my day watching Dude perfect's documentary and ended it learning Nmap and about its scan types! Also, In between, I bought pentesterlab pro access (3mths - Student access).

Note: I won't be writing more in deep, but my notes! And will be providing all the links/resources (Don't forget to check-out the resource section) from where I learned so that you can refer to that resource and learn more! Thanks!❤️

What is Nmap?

Nmap stands for Network Mapped (Nmap) and is a network scanning and host detection tool that is very useful during several steps of penetration testing.
Nmap is open source and can be used to:
- Detect the live host on the network (host discovery)
- Detect the open ports on the host (port discovery or enumeration)
- Detect the software and the version to the respective port (service discovery)
- Detect the operating system, hardware address, and the software version
- Detect the vulnerability and security holes (Nmap scripts)

Nmap Syntax:

nmap [scan type] [options] [target specification]

Nmap Scan types:

TCP SCAN
UDP SCAN
SYN SCAN
ACK SCAN
FIN SCAN
NULL SCAN
XMAS SCAN
RPC SCAN
IDLE SCAN

Using Nmap help:

The best way to get used to nmap and its flags is using nmap -h, run this command in the terminal and will give you the following results: and one more screenshot, but it is creating a mess so wont post it! Try yourself and explore the world of nmap! Happy Scanning!

Port states recognized by Nmap?

Six port states recognized by Nmap are:
- Open
- Closed
- Filtered
- Unfiltered
- Openfiltered
- Closedfiltered

Resources:

Medium Blogs: https://medium.com/bugbountywriteup/intro-to-nmap-192c1796bb39
Nmap Installation: https://nmap.org/download.html
HackerSploit Nmap Tutorial: YouTube
Port Scanning basics: https://nmap.org/book/man-port-scanning-basics.html
Scan Types: Edureka

Contact:

Got doubts? Contact me on Twitter.
Feedbacks are welcomed, do comment it down below! :)

Day-6: JSON Web Tokens (JWT).

FENIL SHAH — Mon, 22 Jun 2020 18:07:29 +0000

Day-6: It was a lazy day but also excited at the same time because WWDC Apple Event 2020 happening today. As said on day-4 that will do research on cross-site WebSocket hijacking, I'm not doing this right now because It's kinda more advance to me or will need more time, So I have marked this into my list, will do soon! Today did research on Json web Tokens (JWT)! So let's get started...!

What is JSON Web Tokens (JWT)?

JSON Web Token (JWT) is an open standard (RFC 7519) that means that anyone can use and it is used to Securely transfer information between any two bodies like any two servers or any two users.
The main reason it is used because it is digitally signed that means the information is verified and trusted. There is no alteration of data in between the transfer!
It is compact: It can be sent via URL, post request, Http header and also this makes the transmission process fast!

What problem does it solve?

Authentication
Authorization
Federated identity
Client-side sessions (“stateless” sessions)
Client-side secrets

What is the JSON Web Token structure?

A JSON Web Token looks like this,

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

Breaking down, JWT token is divided into 3 parts i.e:

Header: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9
Payload: eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ
Signature: SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

Header:

Consists of 2 parts: Type of Token and Algorithm!
This JSON is Base64Url encoded!
Eg.

{
  "alg": "HS256",
  "typ": "JWT"
}

Payload:

It contains the claims. Basically claims are user details and additional data like iss (issuer), exp (expiration time), sub (subject), aud (audience), etc.
There are 3 types of claims:
- Registered claims
- Public claims
- Private claims
This JSON is Base64Url encoded!
Eg.

{
  "sub": "1234567890",
  "name": "John Doe",
  "iat": 1516239022
}

Signature:

It is formed by Combining the encoded header, the encoded payload with the secret.
The signature is used to verify the message wasn't changed along the way!
Eg.

HMACSHA256(
  base64UrlEncode(header) + "." +
  base64UrlEncode(payload),
  secret)

How does it works?

This Picture explains in a perfect way,

Resources:

Jwt.io doc: https://jwt.io/introduction/
JWT Handbook: https://www.fomasgroup.com/Portals/0/MgmNewsDocuments/jwt-handbook.pdf

Contact:

Got doubts? Contact me on Twitter.
Feedbacks are welcomed, do comment it down below! :)

Day-5: A day off but...

FENIL SHAH — Sun, 21 Jun 2020 16:11:39 +0000

Day-5: Sunday...Hmmm! Today I did nothing In research but I read Two Medium blogs/Write-Ups one on ATO (Account Takeover) and one on Bypassing 2FA (2 Factor Authentication). And gave the rest of my time to family. Also realized Family talks actually makes your stress/Confusion low!😛

Lessons learned:

ATO by Avanish Pathak:

Changing value in Email Parameter in response request can lead to ATO!
The company was asking for OTP for login, what he did was: Put in the write email and code and then,
- Capture the request in Burp ==> Response request ==> Change the Email in Email Parameter to victim's email with correct OTP code ==> BOOM!
For more In detail Information check out his blog! Link in Resource down there!

2FA bypass by Seqrity:

Subdomain enumeration helps alot! It opens a whole lot of opportunities to attack the target!
If the main domain is asking for 2FA Don't forget to check out that other domains are?, You can change the Host Header and can bypass 2FA!
For more In detail Information check out his blog! Link in Resource down there!

PS: Happy Father's Day to all Fathers out there!❤️

Resources:

ATO WriteUp by Avanish Pathak: https://medium.com/@avanishpathak46/an-interesting-account-takeover-vulnerability-f5bf6a89152c
2FA bypass by Seqrity:
https://medium.com/@seqrity/bypass-2fa-like-a-boss-378787707ba

Contact:

Got doubts? Contact me on Twitter.
Feedbacks are welcomed, do comment it down below! :)

Day-4: WebSocket! Wait, what???

FENIL SHAH — Sat, 20 Jun 2020 14:48:58 +0000

Day-4: Okay so I was scrolling on Twitter and read this, This made me think what the heck is WebSocket? I never heard about it before!👀

Also, he got $8000 as Bug bounty for his submission on another report! Basically, it was somewhat related to Npm token as well as WebSocket hijacking! At first, I watched his WriteUp Video and then read his WriteUp but was not clear so I thought let's understand the concept and then maybe I understand what he wanted to say!

What is WebSocket?

Ohhhh lol, Websocket is just like Http, a communication protocol that enables interaction between a browser and a web server. I thought it was linked with a socket or something (Just Kidding)!
WebSocket is especially great for services that require continuous data exchange, e.g. online games, real-time trading systems and so on. For example, Slack’s web app uses WebSocket connections to sync messages in its chat functionality.
During the lifetime of a WebSocket connection, the client and the server are free to exchange any amount of data without incurring the overhead and latency of using traditional HTTP requests.
For more good Understanding I prefer you to watch this https://www.youtube.com/watch?v=ZbrEztkwcw8!

How WebSocket it different from HTTP?

https://www.youtube.com/watch?v=i5OVcTdt_OU

How WebSocket connections are created?

A WebSocket connection between a client and a server is established through a WebSocket handshake.
To open a WebSocket connection, we need to create new WebSocket using the special protocol ws:// in the URL.
There's also an encrypted wss:// protocol. It’s like HTTPS for WebSockets.

Problems with WebSocket?

WebSocket allows an unlimited number of connections to the target server and thus resources on the server can be exhausted because of DOS attack.
WebSockets are vulnerable to malicious input data attacks, therefore leading to attacks like Cross-Site Scripting (XSS).
The Websocket protocol doesn’t handle authorization and/or authentication. Application-level protocols should handle that separately in case sensitive data is being transferred.
Also, some more problems, Do refer WebSocket Issues for the same!

PS: Now I got Idea what actually WebSocket is, So probably I'll do research about Hijacking WebSockets on Day-5! I hope my notes from different websites are/will helping/help you! Thanks!❤️

Resources

Aseem's WriteUp: https://medium.com/@aseem.shrey/one-token-to-leak-them-all-the-story-of-a-8000-npm-token-79b13af182a3
Aseem's WriteUp Video: YouTube
Javascript Docs: https://javascript.info/websocket
Infosecinstitue: WebSocket Issues

Contact:

Got doubts? Contact me on Twitter.
Feedbacks are welcomed, do comment it down below! :)

Day-3: Bypassing the SOP!💣

FENIL SHAH — Fri, 19 Jun 2020 17:40:04 +0000

Day-3: Yesterday I looked and researched about what actually the SOP is and what actually the SOP does, Today I looked at all the attack vectors for SOP and also watched Nahamsec's Interview with Ngalongc! Nahamsec is one of the famous hackers who frequently does youtube videos as well as goes live on Twitch doing live hacking and interviews and much more. Do check out https://www.twitch.tv/nahamsec!

Attacking the SOP!

There are often ways that an attacker can use to manipulate cross-origin communication because of faulty implementation of one of the SOP relaxing techniques. (Refer Day-2 for Relaxing techniques!)
This faulty implementation of one of the SOP relaxing techniques, may can cause private information to be leaked and often leads to more vulnerabilities such as authentication bypass, account takeover and large data breaches.
I got quite a good result by researching ways of how the attacker can achieve this, Let's talk about some:

1.) XSS!

XSS is full SOP bypass because attacker can run malicious script executed on the victim page, the script can access the page’s resources and data. For example: running alert(document.cookie), This will return all the cookies and also we can get this with the help of src vector!

2.) Exploiting CORS!

Exploitable misconfigurations:
- When the site uses weak regex to validate origins. For example, have a look at this blog (Refer to CORS)!
- Another misconfiguration of CORS that can be exploited is setting allowed origins to NULL or attacker.com.
Unexploitable misconfigurations:
- When custom headers are used for authentication, or when there are random, unguessable keys placed in the request or the URL.

3.) Exploiting postMessage:

When using postMessage, both the sender and the receiver of the message should verify the origin of the other side. Vulnerabilities happen when pages enforce poor origin check (weak regex, for example), or lack origin checks altogether.
To exploit this issue, an attacker can create a malicious HTML page that listens for events coming from the vulnerable page. The attacker can then trick victims into triggering the postMessage utilizing a malicious link or fake image and make the victim page send data to the attacker’s page. (Refer Medium blog 1 for more details)

Resources:

Medium blogs:

https://medium.com/swlh/hacking-the-same-origin-policy-f9f49ad592fc (You need premium subs to read this blog).
https://medium.com/@minosagap/same-origin-policy-and-ways-to-bypass-250effdc4a12

Hackerone Report: https://hackerone.com/reports/47495
Fedora bypassing SOP docs: SOP DOC
Mozilla web docs: Same-Origin Policy
Tool to Remove SOP issues: Proxrox (This tool removes same-origin policy issues that typically occur during development.)
Nahamsec's Interview with Ngalongc: YouTube

Contact:

Got doubts? Contact me on Twitter.
Feedbacks are welcomed, do comment it down below! :)

Day-2: Understanding the SOP! 🔪

FENIL SHAH — Thu, 18 Jun 2020 17:40:02 +0000

Day-2: I started My day with Netflix (Peaky Blinders) and ended it with watching OWASP Stockholm - Mathias Karlsson's Talk on YouTube (How to Differentiate Yourself as a Bug Bounty Hunter) and In between I read and researched about Same-Origin Policy!

So, What the heck is SOP?

As you can see the cover page of this blog, you can cleary understand what actually Same-Origin Policy means! In simple words, A script from page A can only access data from page B if they are of the same origin.

Who has the Same Origin?

If Two urls share the same protocol, hostname and port number are said to have Same Origin.

Example 1 is given in the starting of the blog!

Example 2: https://fenilshah.com. [Port 443 by default]

https://fenilshah.com/ (same origin because same protocol(https), hostname(fenilshah) and port number(443) )
http://fenilshah.com/ (different origin, because protocol differs (http insted of https) )
https://fenil.com/ (different origin, because hostname differs (fenil instead of fenilshah) )
https://fenilshah.com:8080/ (different origin, because port number differs (8080 instead of 443) )

What actually the Same-Origin Policy does?

Modern web applications often base their authentication on HTTP cookies, and servers take action based on the cookies included automatically by the browser. This makes SOP especially important.

Okay, so imagine you are logged in apple.com and at the same time you are visiting fenilshah.com. If SOP doesn’t exist, a script hosted on fenilshah.com is free to access your information on apple.com, since your browser would automatically include your apple.com cookies in every request you send to apple.com (Even if the request is a malicious one generated from a script hosted on fenilshah.com).

This way attacker can steal the csrf tokens, private email addresses, addresses and other information parsed from the page. And this is why Same-Origin Policy is Important, as SOP will prevent the malicious script hosted on fenilshah.com to read the HTML data returned from apple.com.

Relaxing the SOP!

Large websites would not be able to share information with each other because of the restrictive Same-Origin Policy so for such Issues new ways were Invented such as:

Setting document.domain!
Cross-origin resource sharing (CORS)!
Cross-domain messaging (postMessage)!
JSON with Padding (JSONP)!

Resources: https://medium.com/swlh/hacking-the-same-origin-policy-f9f49ad592fc (You need premium subs to read this blog).
Mozilla web docs: Same-Origin Policy
Tool to Remove SOP issues: Proxrox (This tool removes same-origin policy issues that typically occur during development.)
Mathias Karlsson's Talk: YouTube

Got doubts? Contact me on Twitter.
Feedbacks are welcomed, do comment it down below! :)

Day-1: Understanding Base64

FENIL SHAH — Wed, 17 Jun 2020 15:13:10 +0000

Same as other students who want to become software engineer or full stack developer I decided to start my journey in website hacking/pentesting, I'll be posting everyday what I learnt that particular day! The motive of doing this is simple which is to share knowledge. Maybe my daily blogging may help people who want to do the same as me but donno where to start with and also in the other way this will help me to keep tracking of my learnings!

About me: I'm Fenil Shah(18), I'm a security enthusiast as well as a Mozillian. Currently pursuing Bachelor of Computer Application (Second Year).

Day-1: Before moving on to different types of vulnerability I am starting with concepts of website or say how the internet works or types of encryptions and tokens used!

Today I read a blog of Vickie Li in which she explains what base64 encoding is, how to identify the base64 string, how does base64 work, decoding it and other base64 implementations!

Base64 is a binary to ASCII encoding scheme. The pilot use case of base64 is to transmit data across different machines.

This is how base64 encoded string looks like,
eg: SGVsbG8gZGV2enohCkhvcGUgeW91J2xsIGFyZSBkb2luZyB3ZWxsIQ==

- Upper case alphabet characters A-Z.
- Lower case alphabet characters a-z.
- Number characters 0–9.
- Characters + and /.
- The = character is used for padding.

Each Base64 digit represents exactly 6 bits of data. The = padding character is added so that the last encoded block will have four base64 characters.

What is it used for?

Data transmission
File embedding
Data hashing
Cryptography
Data obfuscation

How does base64 work?

Base64 encoding converts every three bytes of data into four base64 characters. For more to understand in a practical way, I would suggest to have a look at this video on YouTube.

Resources: https://medium.com/swlh/powering-the-internet-with-base64-d823ec5df747 (You need premium subs to read this blog).
Encoding: You can encode any base64 string here
Decoding: You can Decode any base64 string here
Another Tool for Encoding and Decoding: https://url-decode.com/tool/base64-decode

Got doubts? Contact me on Twitter.
Feedbacks are welcomed, do comment it down below! :)