[HackerNotes Ep.88] News, Tools, and Writeups

Hacker TLDR;

• PortSwigger URL validation bypass cheat sheet

  • This new cheat sheet in PortSwigger’s website lets us customize and generate a crazy amount of payloads to use in URLs.

• SanicDNS, gotta go fast!

  • A crazy tool that can resolve up to 5 MILLION domain names per second with the right hardware. You only need Joel’s internet connection and probably his machine too.

• WordPress GiveWP POP to RCE

  • Unauthenticated RCE via the AJAX action give_process_donation. Using four backslashes \\\\\\\\ you could bypass GiveWP’s sanitisation and make your payload arrive intact in the deserialisation function intact.

• Tracking Protection bypass abusing CORS misconfig

  • Triggering a window.open() to an attacker's page tricks the user's browser into granting the attacker's controlled server third-party storage access. This allows the attacker to access the user's information from the website where the attack originated. Only works on Safari and Firefox.

• <a href="#" ping="http://what.ever/">Works on my machine!</a>

  • Did you know that adding an ping attribute to an anchor in HTML triggers a POST request? And it includes the Ping-From and Ping-To headers, too!

New PortSwigger “Cheatsheet”

PortSwigger came out with a new cheat sheet for URL validation bypass, where you can input target domain and attacker domain, set URL encoding, Unicode escapes, special chars, IPv6/IPv4, and all that good stuff. Then you just copy all that to your clipboard and paste it into Caido! BurpSuite!

• Note: It’s a very versatile tool that's worth checking out. Not only does it provide a monstrous list of payloads, but it also explains why certain approaches work and others don't. It’s incredibly powerful and easy to use.

PortSwigger quality tool, created by @d4d89704243!

Links:

• https://portswigger.net/web-security/ssrf/url-validation-bypass-cheat-sheet

• https://x.com/d4d89704243

SanicDNS — Gotta Go Fast!

This shit is just insane and resolves DNS requests at 5M domain names PER SECOND. You just need to provide the list of domains and a list with resolvers.

In order for it to work at top speed, of course, you’ll need the right hardware and a powerful internet connection, maybe 10 gigs can do the trick! That being said, even if it works at 10 to 20% speed, that’s still 500k+ requests per second… Dude, what? Hahaha

After having @d0nut review the code, he found out this program uses something called XDP (eXpress Data Path) which is an eBPF-based high-performance data path. Well, that’s a fancy way to say it works at a lower level so it bypasses the restrictions that we usually have with everything that is more “user-friendly” and high-level.

Links:

• https://github.com/hadriansecurity/sanicdns

• https://x.com/d0nutptr

• https://en.wikipedia.org/wiki/Express_Data_Path

• https://en.wikipedia.org/wiki/EBPF

Orange Confusion Attacks

A while back we talked about Orange’s confusion attacks in Apache, but setting things up wasn’t very practical so we just didn’t test it. Turns out @har1sec came up with a GitHub repo with some Docker containers so we can play with the attacks ourselves.

These initiatives are incredibly valuable for the community. It would be fantastic to see future research accompanied by 'labs' as well. Creating Docker containers for every tool we want to test is time-consuming, so it’s awesome when someone dedicates their time to release such resources to the community.

Even if Docker is not a part of your usual workflow, knowing some basics about the tool is actually helpful and will definitely save you some time in the long run. Just like Linux, Docker is probably one more fundamental piece of knowledge that if you don’t have you’re missing out big time.

Thanks to @har1sec for his work!

Links:

• https://x.com/har1sec

• https://github.com/harisec/orange-confusion-attacks

• https://blog.orange.tw/posts/2024-08-confusion-attacks-en/

• https://x.com/orange_8361

• https://docs.docker.com/

WordPress GiveWP POP to RCE

@MrTuxracer recently dropped a writeup about a PHP Object Injection vulnerability in the GiveWP plugin ≤ v3.14.1, originally found by @villu164. This vulnerability allowed for unauthenticated Remote Code Execution (RCE) through the give_process_donation AJAX action, which lacked proper nonce validation.

The bypass was possible due to the use of stripslashes_deep during validation of the $user_info array. PHP namespaces, which typically contain slashes, were sanitized by this function. However, the attacker could bypass it using \\\\\\\\ in the namespace, allowing for malicious code to slip through.

This vuln affected over 100k websites, and both MrTuxracer’s and WordFence’s post are worth checking out:

• We talked about this in episode 55 that one of the ways to do WordPress security in general is to have nonces in place and have them only be accessible from pages that admins have access. But if the endpoint doesn’t require the privilege, then the endpoint is actually vulnerable once the attacker finds a way to leak that nonce.

  • And by the way, WordFence is running a special thing where they’re encouraging hackers to go find XSS in WordPress themes and plugins by ramping up the bounties. Wordpress is not going anywhere anytime soon, so even if you got no XP with WP, what a nice time to start digging into it.

• We've got some automation scripts running that check commits for all WordPress plugins with over 50k installs. These scripts use AST to scan for nonces and verify permission checks. If you're a Critical Thinker on our Discord, you've got access to this script.

Links:

• https://www.rcesecurity.com/2024/08/wordpress-givewp-pop-to-rce-cve-2024-5932/

• https://www.wordfence.com/blog/2024/08/4998-bounty-awarded-and-100000-wordpress-sites-protected-against-unauthenticated-remote-code-execution-vulnerability-patched-in-givewp-wordpress-plugin/

• https://x.com/MrTuxracer

• https://x.com/villu164

• https://en.wikipedia.org/wiki/Cryptographic_nonce

• https://en.wikipedia.org/wiki/Abstract_syntax_tree

• https://www.wordfence.com/blog/2024/09/wordpress-xssplorer-challenge-an-expanded-scope-for-all-researchers-in-the-wordfence-bug-bounty-program/

XSSTools

Since it is was tool tuesday, here’s another cool one for you. YesWeHack just released a tool (if you’re reading this 3 years in the past) that functions kinda like a PwnTools, but for XSS.

It’s designed to be used when writing payloads, allowing you to write them more easily by giving you a lot of classes to choose from and each one of them come with built-in functions, you just import the classes you’re planning to use and it’s good to go.

Really fun tool, and even though nowadays we can generate payloads at will with AI, xsstools allows you to create more elegant and precise payloads.

Links:

• https://yeswehack.github.io/xsstools/index.html

• https://github.com/yeswehack/xsstools

Text Injection to ATO

Bálint, a CTBB community member, ingeniously "drew" a QR code using only basic text injection via URL. He went through a ton of effort to craft the QR code much like anyone would when creating ASCII art.

Here's the kicker: when scanned, this QR code actually takes over the victim's account. This is art, and we’re not even kidding.

This comes to show how important it is to think outside of the box, AI wouldn’t come up with such a crazy idea in a million years.

Tracking Protection Bypass Abusing CORS Misconfig

Nikita Sveshnikov from PT Swarm discovered a method to bypass browser tracking protections in Firefox’s Enhanced Tracking Protection (ETP) and Safari’s Intelligent Tracking Prevention (ITP) by exploiting CORS misconfigurations. In order for the attacker to send authenticated requests, the victim must click on something that triggers window.open('attacker.com'). Once this happens, the attacker’s domain is granted third-party storage access for up to 30 days, allowing continuous cross-origin requests to be made.

The Attack Process:

• CORS Misconfigurations: Websites incorrectly configure headers like Access-Control-Allow-Origin, allowing cross-origin access.

• Protection Bypass: Attackers trick users into clicking links or popups that open new tabs or windows (window.open()), bypassing browser tracking protections.

• Credential Sending: CORS allows requests that include credentials (like cookies), but the cookies themselves are not exposed to the attacker; only the response data (if allowed by the server) can be leaked.

• Data Exfiltration: Attackers can extract sensitive information from the server's response using JavaScript functions like response.json() or response.text(), depending on what kind of data is returned.

Let’s break it down from a victim’s perspective:

A user named Joel is browsing a website and clicks on a link that seems legitimate. While it appears nothing has changed, in the background, a CORS request triggers and it sends an authenticated request to a third-party server. Joel’s cookies remain hidden, but the server's response, such as sensitive data or user information, is leaked back to the attacker, depending on the server's CORS setup.

One funny thing about this is that even if you completely clear your browser, you won’t need to do the window.open() part again in order to exfiltrate data, it just continues working. So, even if everything is cleared, this setting is still stored somewhere.

Links:

• https://swarm.ptsecurity.com/bypassing-browser-tracking-protection-for-cors-misconfiguration-abuse/

• https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS

DOM Clobbering

If you're unfamiliar with DOM Clobbering, this part of the pod is for you! DOM Clobbering is a type of attack that exploits the interaction between JavaScript and the Document Object Model (DOM). It involves overwriting or hijacking important JavaScript objects or variables to perform unintended actions on the victim's end.

But we’re not here to explain what it is, here’s what you really should give a read: https://www.ruhrsec.de/downloads/slides/Everything-You-Wanted-to-Know-About-DOM-Clobbering-But-Were-Afraid-to-Ask-Soheil-Khodayari-RuhrSec.pdf

Also, here’s a fun tool to help you find some more payloads to use: https://domclob.xyz/domc_payload_generator/

One takeaway from this is that even though we know things are possible, doing the research and figuring out how things are supposed to work takes up some valuable time from our bug-hunting workflow. Tools and guides like these can help a lot when we know our objective but are trying to find an efficient way to get there.

Understanding stuff is cool, but if we're planning on following this cybersec path, there's only so much we can keep in our heads. Tools like these make our lives much easier. Investing some time into finding and building cool tools to streamline our work is essential.

Links:

• https://www.ruhrsec.de/downloads/slides/Everything-You-Wanted-to-Know-About-DOM-Clobbering-But-Were-Afraid-to-Ask-Soheil-Khodayari-RuhrSec.pdf

• https://domclob.xyz/domc_payload_generator/

Final Thoughts + a Bonus From Justin

An important thing with hacking is that everyone looks into the same thing differently, some people look into one type of functionality and see things that others don’t. That’s why it’s important to have a lot of people looking into an application and not having a pentest company look into it once or twice a year.

Also, spending time and focusing on a program truly helps with our creativity. Everything in an app's code is there for a reason, and the more we dig into an app, the more connections we make in our minds, so don’t be afraid of getting intimate with the app. Even if you’ve seen something a million times it doesn’t mean it’s secure or unimportant to us, we want to be the person who looks into that part of the application and sees something worth testing!

One bonus thing! Justin found out the other day that the ping attribute inside an <a></a> tag sends a POST request.

Here’s an example:

<a href="#" ping="https://poc.rhynorater.com/hitmewithpost">Post</a>

And another fun thing is that if you take a look at the request headers, it’s got a Ping-From and a Ping-To header, which is interesting and might help us leak the current page of the user and might be also in strict scenarios when a request must be made from the same origin. Here’s what the headers look like when you click the anchor.

Well, do whatever you want with that info, we’re wrapping up!

As always, keep hacking.