-
Notifications
You must be signed in to change notification settings - Fork 85
/
http
91 lines (74 loc) · 4.42 KB
/
http
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
# http
# Security Headers http://guides.rubyonrails.org/security.html https://www.cyber.gov.au/acsc/view-all-content/publications/protecting-web-applications-and-users
X-Frame-Options 'SAMEORIGIN' - allow framing on same domain. Set it to 'DENY' to deny framing at all or 'ALLOWALL' or ALLOW-FROM to allows all, one or more origins (wildcards are not permitted)
X-XSS-Protection '1; mode=block' - use XSS Auditor and block page if XSS attack is detected. Set it to '0;' if you want to switch XSS Auditor off (useful if response contents scripts from request parameters)
X-Content-Type-Options 'nosniff' - stops the browser from guessing the MIME type of a file
X-Content-Security-Policy - mitigates attacks such as cross-site scripting (XSS) and other attacks based on introducing malicious or otherwise undesirable content into a web application
Access-Control-Allow-Origin - control which sites are allowed to bypass same origin policies and send cross-origin requests
Strict-Transport-Security: max-age=31536000 ; includeSubDomains - forces the browser to always interact with the site over HTTPS
# CORS
The Same-Origin Policy does not prevent requests being made to other origins, but disables access to the response from JavaScript. CORS headers allow access to cross-origin responses.
https://medium.com/statuscode/cors-a-guided-tour-4e72230a8739#.vrov01jfg pitfall: allow credentials without whitelist
https://ejj.io/breaking-sop/
https://ejj.io/misconfigured-cors/
http://blog.portswigger.net/2016/10/exploiting-cors-misconfigurations-for.html
https://www.corben.io/advanced-cors-techniques/
# CORP, COOP, CORB
https://w3c.github.io/webappsec-post-spectre-webdev/
# CSP
https://csp-evaluator.withgoogle.com/
https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
# if there's a reverse proxy removing the Server: try to send http header with invalid values like with the Expect: header
# BigIP <-> Tomcat
GET /blah/ HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0
Host: foobar
Expect: 101-continue // != 100-continue
HTTP/1.1 400 Bad Request
Server: Apache-Coyote/1.1 // would not be returned with 100-continue
Transfer-Encoding: chunked
Date: Wed, 03 Jul 2013 07:52:02 GMT
X-Cnection: close
# methode TRACE / TRACK
# http://deadliestwebattacks.com/2010/05/18/cross-site-tracing-xst-the-misunderstood-vulnerability/
$ echo -ne 'TRACE /kikool HTTP/1.1\r\nHost: 10.0.0.10\r\nAccept: */*\r\nUser-Agent: Mozilla/5.0\r\n\r\n' | nc -n 127.0.0.1 80
HTTP/1.1 200 OK
Date: Tue, 16 Jul 2013 06:26:11 GMT
Server: Apache/2.4.4 (Fedora) OpenSSL/1.0.1e-fips PHP/5.4.16
Transfer-Encoding: chunked
Content-Type: message/http
TRACE /kikool HTTP/1.1
Host: 10.10.220.230
Accept: */*
User-Agent: Mozilla/5.0
# http request splitting
https://labs.detectify.com/2021/02/18/middleware-middleware-everywhere-and-lots-of-misconfigurations-to-fix/
proxy_pass http://unix://tmp/socket
# http response splitting
language=fr%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2035%0d%0a%0d%0a<html>Sorry,%20System%20Down</html>
# websockets
https://sharan-panegav.medium.com/account-takeover-using-cross-site-websocket-hijacking-cswh-99cf9cea6c50
https://cybercx.com.au/blog/logrhythm-zero-days/
https://github.com/0ang3el/websocket-smuggle
https://www.notsosecure.com/blog/2014/11/27/how-cross-site-websocket-hijacking-could-lead-to-full-session-compromise/
# h2c smuggling
https://labs.bishopfox.com/tech-blog/h2c-smuggling-request-smuggling-via-http/2-cleartext-h2c
# socket poisoning / http desync / http request smuggling
https://www.youtube.com/watch?v=3tpnuzFLU8g
https://zonduu.me/posts/http-smuggling-writeup
https://portswigger.net/research/http-desync-attacks-request-smuggling-reborn
https://i.blackhat.com/USA-20/Wednesday/us-20-Klein-HTTP-Request-Smuggling-In-2020-New-Variants-New-Defenses-And-New-Challenges.pdf
http://projects.webappsec.org/w/page/13246928/HTTP%20Request%20Smuggling
https://www.cgisecurity.com/lib/HTTP-Request-Smuggling.pdf
# web cache poisoning
https://portswigger.net/research/practical-web-cache-poisoning
https://portswigger.net/research/web-cache-entanglement
# tabnabbing
https://owasp.org/www-community/attacks/Reverse_Tabnabbing
search for <a target="_blank" without rel="noopener noreferrer"
# browser security
https://github.com/cure53/browser-sec-whitepaper
# prototype pollution
https://codeburst.io/what-is-prototype-pollution-49482fc4b638
https://github.com/BlackFan/client-side-prototype-pollution