BugBountyBootcamp Errata p3

Uploaded by kinglinux79

Bug Bounty Bootcamp

The Guide to Finding and Reporting Web Vulnerabilities


by Vickie Li

errata updated to print 3


Page xvi (corrected in Print 2)
    Error:
        Mechanisms
        Cooking Sharing
    Correction:
        Mechanisms
        Cookie Sharing


Page 35 (corrected in Print 2)
    Figure update

Page 42 (corrected in Print 2)
    Error:
        { "alg" : "none", "typ" : "JWT" }
        { "user" : "admin" }
    Correction:
        { "alg" : "none", "typ" : "JWT" }
        { "user_name" : "admin" }
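The page 42 entry shows a token whose header declares "alg": "none". The following is an added example, not code from the book, of the server-side check that makes such a token harmless: the verifier only accepts algorithms on a fixed allowlist and checks the HS256 signature before reading any claim such as "user_name". The signing key and helper names are constructed for the demonstration.

```python
# Added example (not from the book): a minimal JWT verifier that refuses
# the "none" algorithm and checks an HS256 signature before trusting claims.
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed secret for the demonstration; a real service keeps this out of source.
SECRET = b"demo-signing-key-not-for-production"
ALLOWED_ALGS = {"HS256"}


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    padding = "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(text + padding)


def _encode_part(part: dict) -> str:
    return _b64url_encode(json.dumps(part, separators=(",", ":")).encode())


def sign_hs256(header: dict, payload: dict, key: bytes) -> str:
    """Build a signed token; used here to produce valid test input."""
    signing_input = f"{_encode_part(header)}.{_encode_part(payload)}"
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def unsigned_none_token(payload: dict) -> str:
    """Construct a token like the book's { "alg" : "none" } example: no signature.
    It exists only as input the verifier below must reject."""
    header = {"alg": "none", "typ": "JWT"}
    return f"{_encode_part(header)}.{_encode_part(payload)}."


def verify_jwt(token: str, key: bytes) -> Optional[dict]:
    """Return the payload if the token is validly signed, otherwise None.

    The header's `alg` is compared against a fixed allowlist, so a token
    declaring "none" (or any unexpected algorithm) is rejected before any
    claim is read; the signature check uses a constant-time comparison.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        supplied_sig = _b64url_decode(sig_b64)
    except ValueError:  # bad base64 or bad JSON (binascii.Error, JSONDecodeError)
        return None
    if not isinstance(header, dict) or header.get("alg") not in ALLOWED_ALGS:
        return None
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected_sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, supplied_sig):
        return None
    try:
        return json.loads(_b64url_decode(payload_b64))
    except ValueError:
        return None


if __name__ == "__main__":
    good = sign_hs256({"alg": "HS256", "typ": "JWT"}, {"user_name": "admin"}, SECRET)
    print("signed token accepted:", verify_jwt(good, SECRET))
    print("alg=none token accepted:", verify_jwt(unsigned_none_token({"user_name": "admin"}), SECRET))
```

The allowlist is the essential control: a verifier that reads `alg` from the untrusted header and dispatches on it is what lets an unsigned token through.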

Page 135 (corrected in Print 2)
    Error:
        inurl:redirecturi site:example.com
        inurl:redirect_uri site:example.com
        inurl:redirecturl site:example.com
        inurl:redirect_uri site:example.com
    Correction:
        inurl:redirecturi site:example.com
        inurl:redirect_uri site:example.com
        inurl:redirecturl site:example.com
        inurl:redirect_url site:example.com
Page 166 (corrected in Print 2)
    Error:
        def validate_token():
        (1) if (request.csrf_token == session.csrf_token):
                pass
            else:
        (2)     throw_error("CSRF token incorrect. Request rejected.")
        [...]

        def process_state_changing_action():
            if request.csrf_token:
                validate_token()
        (3) execute_action()

        This fragment of Python code first checks whether the CSRF token exists (1). If it exists, the code will proceed to validate the token. If the token is valid, the code will continue. If the token is invalid, the code will stop the execution and produce an error (2).
    Correction:
        def validate_token():
            if (request.csrf_token == session.csrf_token):
                pass
            else:
        (1)     throw_error("CSRF token incorrect. Request rejected.")
        [...]

        def process_state_changing_action():
        (2) if request.csrf_token:
                validate_token()
        (3) execute_action()

        This fragment of Python code first checks whether the CSRF token exists (2). If it exists, the code will proceed to validate the token. If the token is valid, the code will continue. If the token is invalid, the code will stop the execution and produce an error (1).
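The page 166 fragment validates the CSRF token only when one is present, so a request that omits the token reaches the action unvalidated. The following is an added example, not the book's code, that puts that lenient check beside a hardened one: the token must be present in both request and session, and the comparison is constant-time. Request and session are plain dicts here, an assumption standing in for the framework objects, and the function names are constructed.

```python
# Added example (not the book's code): lenient vs. strict CSRF token validation.
import hmac
import secrets
from typing import Callable, Optional


class CsrfError(Exception):
    """Raised when a state-changing request fails the CSRF check."""


def issue_token(session: dict) -> str:
    """Store a fresh random token in the session and return it for the form."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def validate_token_lenient(request: dict, session: dict) -> None:
    """Mirrors the book's fragment: validation runs only when a token is sent,
    so a request with no token at all falls through to the action."""
    if request.get("csrf_token"):
        if request["csrf_token"] != session.get("csrf_token"):
            raise CsrfError("CSRF token incorrect. Request rejected.")
    # No token: nothing is checked, and the caller proceeds. This is the gap.


def validate_token_strict(request: dict, session: dict) -> None:
    """Hardened form: a token must be present on both sides and must match,
    compared in constant time so a mismatch does not leak timing."""
    sent: Optional[str] = request.get("csrf_token")
    expected: Optional[str] = session.get("csrf_token")
    if not sent or not expected:
        raise CsrfError("CSRF token missing. Request rejected.")
    if not hmac.compare_digest(sent.encode(), expected.encode()):
        raise CsrfError("CSRF token incorrect. Request rejected.")


def process_state_changing_action(
    request: dict,
    session: dict,
    validator: Callable[[dict, dict], None] = validate_token_strict,
) -> str:
    """Runs the validator first; the action executes only if it does not raise."""
    validator(request, session)
    return "action executed"


def is_rejected(request: dict, session: dict, validator: Callable[[dict, dict], None]) -> bool:
    """Helper for checking outcomes: True when the validator rejects the request."""
    try:
        process_state_changing_action(request, session, validator)
    except CsrfError:
        return True
    return False


if __name__ == "__main__":
    session = {}
    token = issue_token(session)
    print("valid token, strict:", process_state_changing_action({"csrf_token": token}, session))
    print("no token, lenient rejected?", is_rejected({}, session, validate_token_lenient))
    print("no token, strict rejected?", is_rejected({}, session, validate_token_strict))
```

The lenient variant accepts a request with no token, which is exactly the case the strict variant closes; both reject a wrong token.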

Page 203 (corrected in Print 2)
    URL update
    Correction:
        You can find it at https://github.com/digininja/DVWA/

Page 250 (Pending)
    Error:
        For example, a base64-encoded block of XML code tends to start with LD94bWw, which is the base64-encoded string of "<?xml".
    Correction:
        For example, a base64-encoded block of XML code tends to start with PD94bWw, which is the base64-encoded string of "<?xml".

Page 273 (corrected in Print 2)
    URL update
    Correction:
        CTF Wiki, https://ctf-wiki.org/pwn/sandbox/python/python-sandbox-escape/

Page 297 (corrected in Print 3)
    Error:
        Access-Control-Allow-Origin: b.example.com

        The application can also return the Access-Control-Allow-Origin header with a wildcard character (*) to indicate that the resource on that page can be accessed by any domain:

        Access-Control-Allow-Origin: *

        On the other hand, if the origin of the requesting page isn’t allowed to access the resource, the user’s browser will block the requesting page from reading the data.

        CORS is a great way to implement cross-origin communication. However, CORS is safe only when the list of allowed origins is properly defined. If CORS is misconfigured, attackers can exploit the misconfiguration and access the protected resources.

        The most basic misconfiguration of CORS involves allowing the null origin. If the server sets Access-Control-Allow-Origin to null, the browser will allow any site with a null origin header to access the resource. This isn’t safe because any origin can create a request with a null origin. For instance, cross-site requests generated from a document using the data: URL scheme will have a null origin.
    Correction:
        Access-Control-Allow-Origin: https://b.example.com

        The application can also return the Access-Control-Allow-Origin header with a wildcard character (*) to indicate that the resource on that page can be accessed by any origin:

        Access-Control-Allow-Origin: *

        On the other hand, if the origin of the requesting page isn’t allowed to access the resource, the user’s browser will block the requesting page from reading the data.

        CORS is a great way to implement cross-origin communication. However, CORS is safe only when the list of allowed origins is properly defined. If CORS is misconfigured, attackers can exploit the misconfiguration and access the protected resources.

        The most basic misconfiguration of CORS involves allowing the null origin. If the server sets Access-Control-Allow-Origin to null, the browser will allow any site with a null origin header to access the resource. This isn’t safe because any origin can create a request with a null origin. For instance, cross-origin requests generated from a document using the data: URL scheme will have a null origin.
Page 298 (corrected in Print 3)
    Error:
        An interesting configuration that isn’t exploitable is setting the allowed origins to the wildcard (*). This isn’t exploitable because CORS doesn’t allow credentials, including cookies, authentication headers, or client-side certificates, to be sent with requests to these pages. Since credentials cannot be sent in requests to these pages, no private information can be accessed:
    Correction:
        An interesting configuration that isn’t susceptible to information leak is setting the allowed origins to the wildcard (*). If a client sends a request with credentials to a page with a wildcard Access-Control-Allow-Origin header, the browser will raise an error and won’t allow the client to read the response, so no private information can be accessed:

Page 304 (corrected in Print 3)
    Error:
        If not, send a request to the site with the origin header attacker.com, and see if the Access-Control-Allow-Origin in the response is set to attacker.com. (You can add an Origin header by intercepting the request and editing it in a proxy.)

        Origin: attacker.com

        Finally, test whether the site properly validates the origin URL by submitting an Origin header that contains an allowed site, such as www.example.com.attacker.com. See if the Access-Control-Allow-Origin header returns the origin of the attacker’s domain.

        Origin: www.example.com.attacker.com
    Correction:
        If not, send a request to the site with the origin header https://attacker.com, and see if the Access-Control-Allow-Origin in the response is set to https://attacker.com. (You can add an Origin header by intercepting the request and editing it in a proxy.)

        Origin: https://attacker.com

        Finally, test whether the site properly validates the origin URL by submitting an Origin header that contains an allowed site, such as https://www.example.com.attacker.com. See if the Access-Control-Allow-Origin header returns the origin of the attacker’s domain.

        Origin: https://www.example.com.attacker.com
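The corrections for pages 297, 298 and 304 all turn on one point: an origin is the full scheme://host[:port] string, not a bare hostname or a substring of one. The following is an added example, not the book's code, of a server-side CORS decision that compares the Origin header against an allowlist of complete origins (rejecting "null"), a deliberately weak prefix check of the kind the page 304 test is meant to expose, and a small model of the browser-side rule from page 298 that a wildcard header never grants read access to a credentialed response. The allowlist, hostnames and function names are constructed for the demonstration.

```python
# Added example (not the book's code): allowlist-based CORS origin handling,
# a weak comparison for contrast, and the browser's wildcard-plus-credentials rule.
from typing import Optional
from urllib.parse import urlsplit

# Constructed allowlist of complete origins (scheme://host[:port]).
ALLOWED_ORIGINS = {"https://www.example.com", "https://b.example.com"}


def parse_origin(origin: Optional[str]) -> Optional[str]:
    """Normalise an Origin header to scheme://host[:port], or None if it is not
    a usable origin. The literal "null" (sent by data: documents, among others)
    is never treated as a real origin."""
    if not origin or origin == "null":
        return None
    parts = urlsplit(origin)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    if parts.path or parts.query or parts.fragment:
        return None  # an Origin header carries no path component
    try:
        port = parts.port
    except ValueError:
        return None
    host = parts.hostname.lower()
    default_port = 443 if parts.scheme == "https" else 80
    if port is not None and port != default_port:
        host = f"{host}:{port}"
    return f"{parts.scheme}://{host}"


def cors_headers(origin: Optional[str], credentialed: bool) -> dict:
    """Return the CORS response headers for a request, or {} if the origin
    is not on the allowlist. The allowed origin is echoed exactly, with
    Vary: Origin so caches do not serve one origin's answer to another."""
    normalised = parse_origin(origin)
    if normalised is None or normalised not in ALLOWED_ORIGINS:
        return {}
    headers = {"Access-Control-Allow-Origin": normalised, "Vary": "Origin"}
    if credentialed:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


def weak_allow_origin(origin: str) -> bool:
    """Deliberately flawed check kept for contrast: a prefix match lets
    https://www.example.com.attacker.com through, which is exactly what the
    page 304 test submits."""
    return origin.startswith("https://www.example.com")


def browser_allows_read(response_headers: dict, request_origin: str, credentialed: bool) -> bool:
    """Model of the browser-side decision: the page may read the response only
    if Access-Control-Allow-Origin equals its own origin exactly (plus
    Allow-Credentials: true for credentialed requests), or is "*" and the
    request carried no credentials. A wildcard with credentials is an error."""
    acao = response_headers.get("Access-Control-Allow-Origin")
    if acao is None:
        return False
    if acao == "*":
        return not credentialed
    if acao != request_origin:
        return False
    if credentialed and response_headers.get("Access-Control-Allow-Credentials") != "true":
        return False
    return True


if __name__ == "__main__":
    for probe in ("https://b.example.com", "null", "https://attacker.com",
                  "https://www.example.com.attacker.com"):
        print(f"{probe!r:45} allowlist -> {cors_headers(probe, True)}  weak -> {weak_allow_origin(probe)}")
```

The allowlist version refuses every probe the page 304 procedure sends; the prefix check accepts the last one, which is the misconfiguration that procedure is designed to find.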

Page 304 (corrected in Print 3)
    Figure update


Page 308 (corrected in Print 2)
    Error:
        Cooking Sharing
    Correction:
        Cookie Sharing
