THE "WEB"

REQUESTS: 

actions which browser makes to server in order to fetch some information.
Basic format for request:
verb HTTP/1.1
     Header1: value1
     Header2:value2
     ....
     <request body>

 HEADERS(requests):

  • Host: indicates host handling request.
  • Accept: indicates what MIME(multipurpose internet mail extensions) types are accepted.
  • Cookie: passes cookies to server.
  • Authorisation: mainly used for 'basic auth' pages of form "Basic <base64'd username:password >"
COOKIES: key-value pairs of data that are sent from the server and reside on the client for a fixed period of time. each cookie is unique as they have their unique domain pattern, and are passed with each request the client makes to matching tools.
#cookie security :)

  • Cookies added for any site say foobar.com can be read by any subdomains of that site i.e: foobar.com .
  • Cookies added for a subdomains can only be read in that subdomains or by the subdomains of that subdomain, i.e: let cookies for subdomain boofar.foobar.com then cookies of this is only be accessed by this subdomain or sub subdomain of this subdomain, cookies can be accessed by lala.boofar.foobar.com.
  • A subdomain can set cookies on its parents and child but not on its siblings. let main site example.com has two children or subdomain as test.example.com and test2.example.com and test.example.com has another child named foobar.test.example.com,, now test.example.com can set cookies on example.com and on foobar.test.example.com but, can't set on test2.example.com

Talking of web, and isn't discussing making of web sites can't happen,

HTML :D

Everyone know full-form of HTML and its not a programming language ofc, its a markup language.

#Parsing: HTML must be parsed according to the relevant specification, and this depends on the HTML version being used in your time, right now HTML5 and if you are reading this in future clearly newer version can come into existence. Parsing primarily isn't only done by the browser, but also by web-application firewalls and other web filters. Vulnerability occurs when parsing is confused by browser and applications in the computer. BAD PARSING:
<!doctype html>
<html>
           <head>
                      <title>ggggggggggggggggggg<script/xss src=http://badwebsite.com/></title>
           </head>
</html>
In this a bad XSS(cross site scripting) filter on the web applicaiton may not see that as a script tag due to it being a 'script/xss' tag. But browser parser for instance will treat forward slash in script tag as a white space which leads to attack xD.

#Legacy Parsing: HTML is bad, its a fact and clearly people worked on this to make it better and their hard work paid out, its quite stable right now. <script> tag on its own will be closed in end of the page and tag missing its closing bracket will automatically be closed by the next angle bracket in the page.

Browser not always looks at the !doctype tag to serve whether it is written in html or something else, browser occasionally looks at the code also and if it seems as html it would be passed as html. it is a type of sniffing, let a site accepting a file upload function for profile picture now if attacker include enough HTML triggers in the file then attacker can sniff other user's data and links to victims.
likewise, famous sites uses separate domain pop up window to set a profile picture or something.

Encoding sniffing can be done by old browsers in particular files, mainly if someone doesn't specifies metadata for a web page and its encoding then clearly browser try its best to make a logical guess now, if you are able to control the way that browser decodes text present then easily parsing can be altered. Consider a encoding sniffing example:
payload: +ADw-script+AD4-alert(1);+ADw-/script+AD4-  [UTF-7]
now a days we use UTF-8 encoding scheme, in example its clear that it is a XSS attack with most simple statement with a alert function. Here, +ADw- represents opening angle bracket similarly +AD4- represent closing angle bracket in UTF-7 encoding.
hence, statement becomes: <script>alert(1);</script>
its a simple XSS injection, with no invalid characters in the payload hence attacks works!! :D

#SOP: in simplest terms ,it expands to same-origin policy and refers to policy under which scripts residing on first page are allowed to access data on the second page only of both pages has the same origin. However it is possible for the developers to bypass SOP by changing document.domain (domain of the document), posting messages between windows and ofc by using CORS (cross-origin resource sharing) , this opens up a whole lot of new attacks possible to web applications like: calling postMessage into the iFrame of the page {can't validate properly}.

There is a whole lot of things remaining mainly CSRF and mitigation for CSRF , let's save it for another day

Comments

Post a Comment

Popular posts from this blog

CSRF #1 {request forgery}

Looking around internet it is quite clear that the most general type of web attack is CSRF attacks, CSRF stands for Cross Site Request Forgery (CSRF).  CSRF attacks are mainly actions which when an attacker tricks a victim/user into going to a page controlled by the attacker, then depending on the type of forge site victims enters their data to the target sites as the victim. CSRF attacks specifically target state-changing requests. A successful CSRF attack can force the user/victim to perform state changing requests like transferring funds, changing their email addresses and many more. lucky for attacker if victim has a administrative account then CSRF can compromise the entire web application. Consider  OWASP  for detailed information. EXAMPLE:  Bank transfer site is a perfect example. <form action="/levels/0/" method="POST">     <h2>Transfer Funds</h2>     Destination account: <input type="input" name="to" value=
Read more

CTF WRITEUPS : Birdman's Data {Network}

Otter ctf is an online capture the flag hacking and reverse engineering competition of format jeopardy.  For more otter ctf information visit  here  or visit the  official website . One of the challenges was of network type "Birdman's Data" which says " We recorded some BirdMan's networking, but a part of it (the important part) got scrambled ", along with a downloadable .pcap file. .pcap files are packet capture packets that can be seen with help of network monitoring software or packet listening programs like wireshark etc. So I am not very good at capture the flag things so my friend helped with this a lot, ok let's dive right into it. # After downloading the file first logical thing to do, which isn't efficient but is necessary in my opinion, so just open terminal and " cd " directories to the downloaded file location. then just " file " out the .pcap file name i.e: $file Birdmans_data.pcap , this gives some informati
Read more

BANDIT OVERTHEWIRE.org writeup.

Bandit is a virtual remote lab setup by overthewire.org to carry out accessing files in the server and sharpening linux skills.  Overthewire.org is by the best way to start with wargames and linux handling. There are other labs also besides bandit and carry different obj. bandit is somewhat is quite simple and userfriendly to use. The solutions for all bandit lab levels are gonna be pulished on github for reference. Only lookup to the solutions when you have everything in your will. All the solutions are done by me and there can be multiple solutions to same problem so its quite possible that my solution and your solution wont match and its ok as long as we are completing levels. happie crackin!! :D BANDIT OVERTHEWIRE.org githubrepo NOTE: feedback and suggestions serve as great help. 
Read more