| # main.py | |
| from fastapi import FastAPI, HTTPException | |
| from fastapi.middleware.cors import CORSMiddleware | |
| from pydantic import BaseModel | |
| import litellm | |
| import asyncio | |
| from typing import List | |
| import os | |
| from dotenv import load_dotenv | |
| import json |
| ---------------------------------------------------------------------------------------------------- | |
| Question: | |
| The following code is exploitable in modern browsers? Take into consideration that html separator characters like < and > from document.URL are automatically URL encoded in modern browsers. | |
| example URL: | |
| http://localhost:3000/#context=before<script>after | |
| document.URL | |
| 'http://localhost:3000/#context=before%3Cscript%3Eafter' | |
| code: |
| <h1>this is not ritzcarlton.com</h1> |
I was trying to exploit a client-side prototype pollution and nothing was working.
I figured out that if you try to use a script gadget by visiting a URL like this dirrectly:
https://example.com/#&__proto__[context]=<img/src/onerror%3dalert(1)>&__proto__[jquery]=x
will not work because the page will not load properly as the prototype pollution will break the page.
| this is a text file | |
| aaa | |
| aaaa | |
| bbb | |
| cccc | |
| sddd |
| { | |
| "sampleJSONProperty":"sample JSON value", | |
| "sampleJSONProperty2":"sample JSON value2" | |
| } |
| so, you can read WEB-INF/web.xml. how can you escalate this issue? | |
| [step 1]. try to read other common Java files such as WEB-INF/web-jetty.xml. | |
| use a specialized wordlist such as the following (from Sergey Bobrov/BlackFan): | |
| https://github.com/BlackFan/WEB-INF-dict/blob/master/web-inf.txt | |
| with time you can build your own wordlist adding files you've discovered over time. | |
| use Burp Intruder for this, it's perfect for this job. | |
| sort Intruder results by status code so you can see instantly which files were found. |
| database.yml | |
| database.yml_original | |
| database.yml~ | |
| database.yml.pgsql | |
| database.yml.sqlite3 | |
| config/database.yml | |
| config/database.yml_original | |
| config/database.yml~ | |
| config/database.yml.pgsql | |
| config/database.yml.sqlite3 |
| An idea for a tool. | |
| So, going through Wayback archive we get thousands of links like the ones below. | |
| It's the same path and different values for GET parameters. | |
| A very useful tool would filter these using this algo: | |
| - for each link, parse the link with an URL parser: | |
| - create a hash from: hostname + path + (parameter names (without values) sorted). | |
| - save the hash in an array | |
| - for the next links, compute the hash | |
| - if the hash is in the array, ignore the link |
| connect-src 'self' blob: https://*.giphy.com https://*.pscp.tv https://*.video.pscp.tv https://*.twimg.com https://api.twitter.com https://caps.twitter.com https://media.riffsy.com https://pay.twitter.com https://sentry.io https://ton.twitter.com https://twitter.com https://upload.twitter.com https://www.google-analytics.com https://vmap.snappytv.com https://vmapstage.snappytv.com https://vmaprel.snappytv.com https://vmap.grabyo.com https://mdhdsnappytv-vh.akamaihd.net https://mpdhdsnappytv-vh.akamaihd.net https://mmdhdsnappytv-vh.akamaihd.net https://smdhdsnappytv-vh.akamaihd.net https://smpdhdsnappytv-vh.akamaihd.net https://smmdhdsnappytv-vh.akamaihd.net https://rmdhdsnappytv-vh.akamaihd.net https://rmpdhdsnappytv-vh.akamaihd.net https://rmmdhdsnappytv-vh.akamaihd.net https://dwo3ckksxlb0v.cloudfront.net ; | |
| default-src 'self'; | |
| form-action 'self' https://twitter.com https://*.twitter.com; | |
| font-src 'self' https://*.twimg.com; | |
| frame-src 'self' https://twitter.com https://mobile.twitter.com https://pay.twitter. |