From 715ff25f7aee3e28e5619d456b6a7187c78c6145 Mon Sep 17 00:00:00 2001 From: Vlad Toie Date: Sat, 19 Jun 2021 09:39:21 +0000 Subject: [PATCH] GitBook: [master] 12 pages and one asset modified --- .gitbook/assets/image.png | Bin 0 -> 19274 bytes README.md | 6 +- SUMMARY.md | 1 + auxiliary/session-hijacking.md | 2 + .../server-side-request-forgery-ssrf.md | 145 ++++++++++++++++++ 5 files changed, 153 insertions(+), 1 deletion(-) create mode 100644 .gitbook/assets/image.png create mode 100644 auxiliary/session-hijacking.md 
diff --git a/.gitbook/assets/image.png b/.gitbook/assets/image.png new file mode 100644 index 0000000000000000000000000000000000000000..e76be15ead571f1ddab1330a4f1ca9d2abcb4f9d GIT binary patch literal 19274 diff --git a/README.md b/README.md index fea1ef3..0b5660d 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,6 @@ # Secure Coding Handbook -Welcome to the **Secure Coding Handbook!** Here, you will find everything that I have found on secure coding, analyzing, and, of course, patching code-related vulnerabilities. All of the enumerated attacks and defensive techniques are strictly related to web applications. +Welcome to the **Secure Coding Handbook!** Here, you will find everything that I have found on secure coding: best practices, analyzing, and, of course, patching **code-related** vulnerabilities. All of the enumerated attacks and defensive techniques are strictly related to web applications. \(for now :\) \) ### Handbook structure: 
@@ -12,3 +12,7 @@ Welcome to the **Secure Coding Handbook!** Here, you will find everything that I Sure thing! Message me on Twitter [**@VladToie**](https://twitter.com/VladToie), or simply do a pull request on the [**Secure-Coding-Handbook**](https://github.com/joswha/Secure-Coding-Handbook) repository. +#### Spotted a bug? + +Making mistakes is human nature, fortunately. Please note that I am by no means an expert and should you find something that is totally erroneous or deviated from the subject, please [create an issue here](https://github.com/joswha/Secure-Coding-Handbook/issues). + diff --git a/SUMMARY.md b/SUMMARY.md index 085fead..2037623 100644 --- a/SUMMARY.md +++ b/SUMMARY.md @@ -19,4 +19,5 @@ * [Authentication](auxiliary/authentication.md) * [File Upload](auxiliary/file-upload.md) +* [Session Hijacking](auxiliary/session-hijacking.md) diff --git a/auxiliary/session-hijacking.md b/auxiliary/session-hijacking.md new file mode 100644 index 0000000..d45e529 --- /dev/null +++ b/auxiliary/session-hijacking.md @@ -0,0 +1,2 @@ +# Session Hijacking + diff --git a/client-server-side/server-side-request-forgery-ssrf.md b/client-server-side/server-side-request-forgery-ssrf.md index eb2d821..38480e8 100644 --- a/client-server-side/server-side-request-forgery-ssrf.md +++ b/client-server-side/server-side-request-forgery-ssrf.md 
@@ -1,2 +1,147 @@ # Server-Side Request Forgery \[SSRF\] +## 1. Introduction. + + **Server-side request forgery** \(also known as SSRF\) is a web security vulnerability that allows an attacker to induce the server-side application to make **HTTP requests to an arbitrary domain** of the attacker's choosing. + + In a standard SSRF attack, the attacker might cause the server to make a **connection to internal-only services within the organization's infrastructure**. In other cases, they may be able to **force the server to connect to arbitrary external systems**, potentially leaking sensitive data such as authorization credentials. + +A successful SSRF attack can often result in **unauthorized actions** or **access to data within the organization**, either in the vulnerable application itself or on other back-end systems that the application can communicate with. In some situations, the **SSRF vulnerability might even allow an attacker to perform** [**arbitrary command execution**](https://portswigger.net/web-security/os-command-injection)**.** + +{% hint style="info" %} +You can read more about SSRF [here](https://portswigger.net/web-security/ssrf). +{% endhint %} + +## 2. Typical vulnerable code. + +Here's an example of how and why SSRF vulnerability exists. Since the code below is opening the resource located on the given `$url` without being sanitized or checked whatsoever, the attacker can manipulate the server into **forging** a request to any URL they desire. + +{% tabs %} +{% tab title="PHP" %} +```php +
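Review bot: In the rewritten welcome sentence of the README hunk, the list "secure coding: best practices, analyzing, and, of course, patching" mixes a noun with two gerunds; suggest something like "secure coding: best practices for writing, analyzing and patching code-related vulnerabilities" so the three items are parallel. The escaped "\(for now :\) \)" is GitBook's escaping of literal parentheses, but a smiley immediately followed by a closing parenthesis is hard to read; a plain "(for now)" would be clearer.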
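Review bot: auxiliary/session-hijacking.md is added with only the heading "# Session Hijacking" and no body, yet the SUMMARY hunk already links it from the table of contents, so the published handbook will show an empty page. Suggest either adding at least a short introduction and a note that the page is a work in progress, or deferring the SUMMARY entry until the content lands.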
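Review bot: The introduction in the SSRF hunk limits the vulnerability to "HTTP requests to an arbitrary domain", while section 2 describes the PHP example as "opening the resource located on the given `$url`" without any check; if the snippet uses one of PHP's URL-aware file functions (file_get_contents, fopen, cURL), the attacker controls the scheme as well as the host, so non-HTTP wrappers and internal addresses are in scope too. Suggest saying so in the introduction (for example "requests to an arbitrary URL, including internal hosts and non-HTTP schemes") so that a later mitigation section has a reason to validate the scheme and resolve the host against an allow list rather than only inspecting the string. Minor style points: the new headings "## 1. Introduction." and "## 2. Typical vulnerable code." end in periods, unlike the file's existing "# Server-Side Request Forgery \[SSRF\]" heading, and the first two paragraphs of section 1 begin with a stray leading space.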