
Hack3rScr0lls

Channel address: @hackerscrolls
Categories: Technologies
Language: English
Country: Not set
Subscribers: 1.81K
Description from channel

for hackers by hackers
twitter.com/hackerscrolls

Ratings & Reviews

1.00 (2 reviews, both 1 star)

The latest messages

2020-12-27 21:02:28 We often get confused about how SameSite affects cookies in different attacks in modern browsers. So, we have made a memo and now share it with you.

UPD:
Safari blocks third-party cookies (https://webkit.org/blog/10218/full-third-party-cookie-blocking-and-more/), therefore restrictions in cases of "None" and "No attribute" are related to this and not samesite.

But the classic CSRF POST form still works

#SameSite #Cookies #CSRF
1.7K views (edited) 18:02
2020-12-27 21:02:25
1.4K views 18:02
2020-12-12 21:09:15 We have combined all the tricks we know about SSRF into a single mindmap.

XMind source: https://github.com/hackerscrolls/SecurityTips/raw/master/MindMaps/SSRF.xmind

#SSRF #Web
2.0K views 18:09
2020-12-12 21:08:00
1.6K views 18:08
2020-11-07 17:05:44 Tunneling TCP over DNS

DNS tunneling is a Red Team technique that allows transferring data over DNS when a direct TCP/UDP connection is blocked.

There are a lot of tools for data exfiltration or command execution over DNS.

But what if you want to scan the internal network?

Try ThunderDNS from @fbk_cs
> TCP-SOCKS proxy to the target network over DNS tunnel
> Bash/Powershell clients (You don't even need to compile it!)

github.com/fbkcs/ThunderDNS

#RedTeam #DNS
1.9K views (edited) 14:05
2020-11-07 17:05:08
1.4K views 14:05
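The post above looks at DNS tunnels from the operator's side. As an added example (not code from the channel or from the ThunderDNS project), here is the defender's view: a small detector that aggregates resolver query logs per zone and flags the traits every data-over-DNS tunnel shares, many unique, long, high-entropy subdomains under one zone and a preference for bulky record types. The log lines are constructed in a simplified BIND-style layout, the "last two labels" zone rule and the thresholds are assumptions to tune against your own baseline.

```python
"""Added example (not the channel's or ThunderDNS's code): a small
detector for DNS-tunnel traffic in resolver query logs.

Tunnels encode data in the query name, so a tunnel zone shows many
unique, long, high-entropy subdomains and leans on bulky record types.
The log lines below are constructed for the example in a simplified
BIND-style query-log layout; the thresholds are assumptions.
"""
import math
import re
from collections import defaultdict

# Constructed sample: two clients doing ordinary lookups, one client
# streaming hex-encoded data to a single zone over TXT queries.
LOG_LINES = """\
07-Nov-2020 14:05:01.001 client 10.0.0.5#40001: query: www.example.com IN A + (10.0.0.1)
07-Nov-2020 14:05:01.120 client 10.0.0.5#40002: query: mail.example.com IN MX + (10.0.0.1)
07-Nov-2020 14:05:02.003 client 10.0.0.7#40003: query: 4f1a9c0e7b3d2a8e5c6f1b0d9e8a7c6b.t.tun-example.net IN TXT + (10.0.0.1)
07-Nov-2020 14:05:02.220 client 10.0.0.7#40004: query: 9b2e7d1c4a6f8e0b3d5c7a9f1e2d4c6a.t.tun-example.net IN TXT + (10.0.0.1)
07-Nov-2020 14:05:02.410 client 10.0.0.7#40005: query: c3d5e7f9a1b3c5d7e9f1a3b5c7d9e1f3.t.tun-example.net IN TXT + (10.0.0.1)
07-Nov-2020 14:05:02.600 client 10.0.0.7#40006: query: e8f0a2b4c6d8e0f2a4b6c8d0e2f4a6b8.t.tun-example.net IN TXT + (10.0.0.1)
07-Nov-2020 14:05:03.000 client 10.0.0.9#40007: query: cdn.example.org IN A + (10.0.0.1)
"""

QUERY_RE = re.compile(r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")
BULK_TYPES = {"TXT", "NULL", "CNAME"}   # record types tunnels favour for payload capacity


def shannon_entropy(text):
    """Bits per character of the string (0 for empty input)."""
    if not text:
        return 0.0
    n = len(text)
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_zone(qname):
    """Assumption: the zone is the last two labels. Production code should
    use the Public Suffix List so that e.g. co.uk is not treated as a zone."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def parse_queries(log_text):
    """Yield (client, qname, qtype) for every query line that matches."""
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            yield m["client"], m["qname"].rstrip(".").lower(), m["qtype"].upper()


def zone_stats(log_text):
    """Aggregate per-zone features that separate tunnels from normal lookups."""
    stats = defaultdict(lambda: {"queries": 0, "names": set(), "clients": set(),
                                 "sub_len_total": 0, "entropy_total": 0.0, "bulk": 0})
    for client, qname, qtype in parse_queries(log_text):
        zone = registered_zone(qname)
        sub = qname[:-len(zone)].rstrip(".")     # the part a tunnel fills with data
        st = stats[zone]
        st["queries"] += 1
        st["names"].add(qname)
        st["clients"].add(client)
        st["sub_len_total"] += len(sub)
        st["entropy_total"] += shannon_entropy(sub)
        st["bulk"] += qtype in BULK_TYPES
    return stats


def suspicious_zones(log_text, min_names=3, min_sub_len=30, min_entropy=3.0):
    """Return {zone: features} for zones that look like tunnel endpoints."""
    flagged = {}
    for zone, st in zone_stats(log_text).items():
        n = st["queries"]
        feat = {"queries": n, "unique_names": len(st["names"]),
                "clients": sorted(st["clients"]),
                "avg_sub_len": st["sub_len_total"] / n,
                "avg_entropy": round(st["entropy_total"] / n, 2),
                "bulk_ratio": st["bulk"] / n}
        if (feat["unique_names"] >= min_names and feat["avg_sub_len"] >= min_sub_len
                and feat["avg_entropy"] >= min_entropy):
            flagged[zone] = feat
    return flagged


if __name__ == "__main__":
    for zone, feat in suspicious_zones(LOG_LINES).items():
        print(f"{zone}: {feat}")
```

On the sample the only zone that trips all three thresholds is tun-example.net, with four unique 34-character subdomains of roughly 3.9 bits/char and a TXT ratio of 1.0; the ordinary lookups never get close. Long-tail benign traffic (CDNs, anti-virus telemetry, DNSBLs) also produces long labels, so in practice the zone-level features are allow-listed against known services and combined with query volume per client before alerting.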
2020-11-02 19:38:14 WiFi Hacking MindMap & Cheatsheet by @Xst3nZ

WiFi Cheatsheet
WiFi MindMap PDF

#wifi
1.6K views 16:38
2020-10-24 12:25:53 CSRF in 120 seconds!

As you remember, cookies without SameSite are treated as SameSite=LAX in Chrome. But there is one exception that can be used as a temporary policy bypass.

If cookies without SameSite were obtained less than 120 seconds ago, then you can CSRF using the typical POST form.

How to exploit it:
Force the victim to re-login and to get fresh cookies, for example with OAuth.
1. window.open('/api/login/oauth') -> auto relogin
2. POST /api/vuln/method -> CSRF attack

Force the victim to log out and redirect to the login page, then wait until the victim is logged in.
1. GET /api/user/logout -> clear session
2. window.open('/login_form') -> wait
3. POST /api/vuln/method -> CSRF attack

More detailed examples by @RenwaX23

#CSRF #SameSite #Cookies
1.8K views (edited) 09:25
2020-10-24 12:25:27
1.2K views 09:25
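Both SameSite posts above (the memo and the 120-second trick) come down to one defensive point: the browser's default-Lax treatment, and Chrome's two-minute "Lax+POST" exception, only apply to cookies that carry no SameSite attribute at all, and in Safari the outcome is decided by third-party cookie blocking rather than by SameSite. An application that sets the attribute explicitly and additionally checks request provenance on the server does not depend on either. The following is an added example, not code from the channel; the site origin, header names apart from the standard Origin, Referer and Sec-Fetch-Site, and the cookie attributes are assumptions for the illustration.

```python
"""Added example (not from the channel): server-side defences against the
SameSite behaviour discussed above.

Two independent layers:
  1. Always emit an explicit SameSite attribute. Chrome's default-Lax
     treatment, and its "Lax+POST" exception for cookies at most two
     minutes old, apply only to cookies that carry NO attribute.
  2. Refuse state-changing requests that are not provably same-site,
     using Sec-Fetch-Site and Origin, so the application does not rely
     on browser cookie policy at all.
"""
from urllib.parse import urlsplit

# Assumption: the application's own origin (scheme + host [+ port]).
SITE_ORIGIN = "https://app.example"

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def session_cookie(name, value, same_site="Lax", max_age=3600):
    """Return a Set-Cookie header value with an explicit SameSite attribute.

    Secure is always set: browsers reject SameSite=None without it.
    """
    if same_site not in ("Strict", "Lax", "None"):
        raise ValueError("SameSite must be Strict, Lax or None")
    attrs = [f"{name}={value}", "Path=/", f"Max-Age={max_age}",
             "HttpOnly", "Secure", f"SameSite={same_site}"]
    return "; ".join(attrs)


def _origin_of(url):
    """Normalise a URL (or bare origin) to 'scheme://host[:port]'.

    Returns None for values that carry no origin, including the literal
    "null" a browser sends for opaque origins.
    """
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme.lower()}://{parts.netloc.lower()}"


def allow_state_change(method, headers):
    """Decide whether a request may perform a state-changing action.

    headers: dict of request headers (looked up case-insensitively).
    Returns True only when the request is same-site by evidence the
    browser supplies; an absent Origin/Referer is treated as cross-site,
    which is the safe default for a CSRF check.
    """
    h = {k.lower(): v for k, v in headers.items()}
    if method.upper() in SAFE_METHODS:
        # Safe methods must not change state: an action reachable as
        # "GET /api/user/logout" cannot be protected by this check.
        return True
    fetch_site = h.get("sec-fetch-site")
    if fetch_site is not None:
        # Fetch Metadata is set by the browser and cannot be forged by a page.
        return fetch_site in ("same-origin", "none")
    for header in ("origin", "referer"):
        if header in h:
            return _origin_of(h[header]) == _origin_of(SITE_ORIGIN)
    return False
```

The check is deliberately strict about missing evidence: a POST with neither Sec-Fetch-Site nor Origin nor Referer is refused, which is what a cross-site form submission from a browser that strips the Referer looks like. It complements, rather than replaces, a per-session anti-CSRF token; the two fail independently.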
2020-10-23 12:19:50 Nice trick to get RCE in an Android app using unzip, from @_bagipro

Original

Easy arbitrary code execution on Android:

1. Write a hook (using Xposed or Frida) to log paths of File.exists() and mention all files ending with .so during app load

2.1. Grep for ZipFile usage (and all its methods such as entries(), getEntry(...), etc).

2.2. If there are no security checks such as zipFile.getName().contains("../"), it means you can overwrite arbitrary files during unzip. Now find a way to substitute that zip (very often they are stored on the SD card, or their path is accepted by some unprotected component)

3. Compile a native library that executes some code (such as writing user id to a file, or performing chmod 777), create a zip with path-traversal in its name and force the app to process it.

Pretty easy technique that brought me tens of thousands in GPSRP!

#Android
1.2K views (edited) 09:19
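The post mentions apps that guard unzip only by looking for a literal "../" in the entry name. That check misses absolute entry names, and the proper fix is the same on any platform: resolve the final path and confirm it stays inside the destination directory. The following is an added example, not code from the post or from any app it refers to; it builds a small archive in memory with one benign and two hostile entry names (all constructed) and shows the weak check beside the robust one. It is written in Python for the general algorithm; the Android equivalent compares `new File(destDir, entry.getName()).getCanonicalPath()` against `destDir.getCanonicalPath() + File.separator`.

```python
"""Added example (not from the post): telling a safe zip entry from a
path-traversal ("zip slip") entry before extracting it.

The naive check only looks for the literal "../" and so passes absolute
entry names. The robust check resolves the final path and requires it to
stay under the destination. Archive contents and paths are constructed.
"""
import io
import os
import zipfile


def naive_entry_check(entry_name):
    """The weak check the post describes: passes anything without '../'."""
    return "../" not in entry_name


def is_safe_entry(dest_dir, entry_name):
    """True only if dest_dir/entry_name resolves to a path inside dest_dir.

    os.path.join discards dest_dir when entry_name is absolute, and
    realpath collapses '..' and symlinks, so both bypass styles end up
    outside the root and are rejected.
    """
    root = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(root, entry_name))
    return target == root or target.startswith(root + os.sep)


def triage_archive(zip_bytes, dest_dir):
    """Split an archive's entries into (safe, rejected) lists of names."""
    safe, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            (safe if is_safe_entry(dest_dir, name) else rejected).append(name)
    return safe, rejected


def safe_extract(zip_bytes, dest_dir):
    """Extract only entries that pass is_safe_entry; returns written paths."""
    written = []
    root = os.path.realpath(dest_dir)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or not is_safe_entry(dest_dir, info.filename):
                continue
            target = os.path.realpath(os.path.join(root, info.filename))
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(target)
    return written


def build_demo_zip():
    """Constructed archive: one benign library and two hostile entry names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("lib/libok.so", b"benign")
        # Traversal via '..': caught by both checks.
        zf.writestr("lib/../../../data/data/com.example.app/lib/libevil.so", b"traversal")
        # Absolute name: no "../" anywhere, so the naive check lets it through.
        zf.writestr("/data/data/com.example.app/lib/libevil.so", b"absolute")
    return buf.getvalue()


if __name__ == "__main__":
    safe, rejected = triage_archive(build_demo_zip(), "/srv/app/extract")
    print("safe:", safe)
    print("rejected:", rejected)
```

Run stand-alone it reports one safe entry and two rejected ones, while `naive_entry_check` accepts the absolute-path entry. Checking the resolved path rather than the string also covers names such as `lib/sub/../libok.so`, which are harmless and should not be refused.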