
Showing posts with the label wapt

Web Application Security Testing (WAPT) Interview Questions

Let's contribute all together to create a question dump. What are the vulnerabilities you have to test in a login form or a payment gateway? What is clickjacking? What is the mitigation for clickjacking? What is CSRF? How do you mitigate CSRF? Let's take an example: if a developer implements a CSRF token in a cookie, will it mitigate the CSRF issue? Is it possible to mitigate CSRF with a header? If yes, why; if no, why? If the data is in JSON format, how will you check for a CSRF issue and what are the ways of exploitation? Where should the CSRF token be implemented and why? If the client doesn't want to change the UI or doesn't want to implement CSRF tokens or headers, what mitigation would you recommend to the client for CSRF? What is the problem with a per-request token? Is login CSRF possible? Explain login CSRF. Have you ever exploited it? What is the mitigation for login CSRF? Suppose, in an application, a CSRF token is implemented in each and every request, except th

Run Terminal Binaries in Burp: BurpBinaryRunner - (My 2nd Burp Extension in Jython)

This tool is used to run binaries through Burp, such as SSLscan, Nmap, FFUF, etc. Any binary that prints its output on the terminal can be used in this Burp extension. I am not sure if this Burp extender will make your life easy or not. I have made it for learning purposes. Download: https://github.com/crazywifi/BurpBinaryRunner

My First Burp Extension | Enable Tor Proxy By Burp (Jython)

Hello Everyone, finally, after one week of work, I learned many new things in Jython as well as in Java. When you see the functionality of this Burp extension, it looks like it needs only one day of development, but for me it took one week because I had zero knowledge of it, though I do know a little bit of Python. But now, after one week, I can make this type of Burp extender that automates the process and makes our life easy. What are the problems I faced while developing it? Don't judge me; some are dumb questions to myself: How to create a Burp extension in Jython? What is JPanel and how to use it? How to run a Tor proxy on Windows? How to run the Tor proxy in the background? How to kill a process on Windows? How to create a button in Jython? How to change color? etc. Download: https://github.com/crazywifi/TOR_Proxy_Burp_Extension

What is serialization and deserialization? | What is insecure deserialization?

What is serialization? Serialization is the process of converting the state of an object into a byte stream so it can be saved to a file. Why do we need serialization? Let's take the example of a computer game: when we start the game, we get the option to resume it. Now think about how it is possible for the game to start from where we last left it. When we play the game we see only the graphics, but in the computer's memory it is code and data that are running (x-axis 200, y-axis 300). When we stop the game, all the required data in memory is converted into a byte stream and that byte stream is saved to a file; that is called serialization. When we restart the game, the byte-stream file is read again by the application, all the data is deserialized, and all of the serialized data is loaded back into memory. That is the reason the game resumes from where we last stopped. This is one use case of serialization, and like that there are lots of use cases depending on the application, like it can be used for commun

What is salting in cryptography? | Why do we need salting when saving passwords in the database? (Simple Explanation)

Salting is the concept of adding random data to the plaintext data (example: a password) and then creating the hash of that combination; this is called salting. By doing this, even if you are using the same plaintext, it is possible to get different hashes. Why do we need salting when saving passwords in the database? Hashes are not unique by themselves, due to the nature of the hash function: when given the same input, the hash function always produces the same output. We need salting because the same hash function produces the same output for the same input. Let's take an example: an attacker is able to exploit a SQL injection vulnerability in a website and dump all the credentials from the database. The usernames are mostly unique if the application is using a username and password for authentication, but it is possible that the password is the same for many users. This means that the hash stored in the database is also the same for the same password if they are not usi

Encoding | Encryption | Hashing | Obfuscation

Encoding: Encoding is used to transform data into another format so that it can be consumed by a different type of system or application. Encoding uses an algorithm for encoding and decoding; it doesn't require a key, and the encoding algorithm is publicly available. We convert the data into another representation so that it can be consumed by a different system. Examples: ASCII, Unicode, URL encoding, Base64, etc. Encryption: Encryption is used to transform data to keep it secret. Encryption is used for confidentiality. In encryption, we use a private or public key depending on the encryption type (symmetric encryption or asymmetric encryption). So the goal of encryption is to ensure that the data cannot be consumed by anyone other than the intended recipients. Examples: AES, Blowfish, RSA. Hashing: Hashing is used for ensuring the integrity of data. Hashing takes an arbitrary input and produces a fixed-length output. Hashing is an irreversible process; you can't directly decryp

What is Same Origin Policy (SOP) | Same Origin Policy (SOP) Bypass

The Same Origin Policy is the security mechanism implemented in browsers to restrict scripts contained on a page from accessing HTML data from another domain. Access is permitted only when the resource is requested from the same protocol, the same host, and the same port. Let's break down the phrase "Same Origin Policy". Origin means where the request that reads the data is initiated from, and same origin means that the origin from which the reading request is initiated must be the same as the origin from which that request needs to read the data. Same Origin Policy = JavaScript code can access/read data that comes ONLY from the same origin. Origin of the source request from which the script tries to read the data = origin of the response from which the data is to be read. Why do we need SOP? And how does the browser work? Let's take an example: you are logged into lazyhacker22bank.com, and at the same time you are accessing lazyahcker22attacker.com in the same

JWT algorithm confusion exploitation or change the algorithm from RS256 to HS256 exploitation

Privilege escalation by algorithm confusion when the server's public key is exposed and the JWT algorithm is RS256 (changing the algorithm from RS256, an asymmetric signing algorithm, to HS256, a symmetric algorithm). This is not just an algorithm confusion; it confuses you too. Yes, I am not kidding :) Before getting to the exploitation part, first understand what RS256 and HS256 are. RS256 (asymmetric algorithm): It uses a private and a public key. The private key is never shared with anyone, and this key is used for generating the signature. The server sends the JWT with the signature appended to it. The public key is used by the JWT receiver, who uses this key to verify the signature. HS256 (symmetric algorithm): It is a symmetric keyed hashing algorithm that uses one secret key. The key is used both for generating the signature and for validating the signature. The secret key is shared between both parties. Let's assume a scenario where you received a JWT token that

JWT kid header exploitation

The exploitation of the kid header in JWT (directory traversal and command injection) (RS256 and HS256). kid = Key ID. As in the above exploitation, we have seen that we replaced the kid value with our own kid value so that the server knows which public key should be used for the digital signature verification. kid, or key ID, helps the server identify which key should be used when verifying the signature. Directory Traversal: This kid parameter exploitation only works when directory traversal is possible in the kid parameter. In the case of a symmetric hashing algorithm (HS256), it is more dangerous because we can traverse to /dev/null, which is present on most Linux systems; the content of this file is null, as it is an empty file. Therefore, signing the token with a Base64-encoded null byte will result in a valid signature. In the asymmetric (RS256) case, we have to find a file upload vulnerability or any other method by which we are able to write our public key, and then use

JWT header injection vulnerability

Privilege escalation by JWK header injection (RS256 or asymmetric signing algorithm attack). JWK is a JSON Web Key. JWK is an optional key:value pair in the header of a JWT. This JWK header is used to embed the public key, in JWK format, within the token itself. Example: Check if the JWK parameter is allowed in the header by the server. Also check if the server is misconfigured so that it uses the key that is embedded in the JWK parameter. If both conditions are met by the server, then we can use our own key, send that key using the JWK parameter, and the server uses that key for signature verification. Exploitation steps:
1. Capture the JWT request with the RS256 algorithm.
2. Send the request to Repeater.
3. Navigate to the "JWT Editor Keys" Burp extender tab.
4. Click on "New RSA Key" → click on Generate to automatically generate the new key pair (note that you don't need to select a key size, as this will be updated automatically later) → click on "OK".
5. Navigate bac

JWT token exploitation by Bruteforce weak signing key

Bruteforce weak signing key: Try to brute force a weak signing key. If you get the secret key that is used for creating the signature, then you can modify the data and use that key to create a new signature. In this scenario, the server is validating the signature, but the server is using a weak key for creating the signature. I know some of you might be confused about this. Check this blog to understand the digital signature. Check the above image: if you know the secret, you can create your own signature, and that same secret is used for validating the signature at the server end. This is how it works. For brute force, you can use any signature dictionary: https://raw.githubusercontent.com/wallarm/jwt-secrets/master/jwt.secrets.list Copy the JWT token, paste it into the command below, and give the path to the dictionary. Bruteforcing: hashcat -a 0 -m 16500 <YOUR-JWT> /path/to/jwt.secrets.list or python3 jwt_tool.py <JWT Token> -C -d jwt.secrets.list Let's say after u