libfuzzer demo-01

While taking CS110L there was a program used to illustrate C/C++ memory-safety problems; when I got to that point I thought I would fuzz it with libFuzzer and learn libFuzzer along the way.

I already have libFuzzer set up; you can follow https://github.com/Dor1s/libfuzzer-workshop to set up the environment.

Source program:

#include <stdio.h>
#include <string.h>

int main()
{
    char s[100];
    int i;
    
    printf("\nEnter a string:");
    gets(s);

    for(i = 0; s[i] != '\0'; i++)
    {
        if ( s[i] >= 'a' && s[i] <= 'z')
        {
            s[i] = s[i] - 32;
        }
    }

    printf("\nString in Upper Case = %s", s);
    return 0;
}

Obviously there is a buffer-overflow vulnerability here: gets is unsafe. In the end I found that gets was removed in C++11, so this program does not compile; I gave up.
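As an added example (not part of the original notes), here is the same upper-casing logic rewritten so that libFuzzer can drive it: the conversion is separated from stdin I/O, a byte buffer replaces gets(), and the copy into the 100-byte stack buffer is bounded so an over-long input is truncated instead of overflowing. The names upper_bounded and BUF_SIZE and the build command are my assumptions; LLVMFuzzerTestOneInput is libFuzzer's real entry point.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define BUF_SIZE 100   /* same size as `char s[100]` in the original */

/* Bounded replacement for the gets()-based loop above.
 * Copies at most out_size-1 bytes of data into out, upper-casing a-z,
 * stops at the first NUL (the original loop stops at '\0' too) and
 * always NUL-terminates. Returns the number of bytes written (excluding
 * the NUL), so the caller can tell when truncation happened.
 * Had the original been fuzzed as-is, the equivalent of gets(s) would be
 * memcpy(s, data, size), which AddressSanitizer flags as soon as the
 * fuzzer produces an input longer than BUF_SIZE. */
size_t upper_bounded(const uint8_t *data, size_t size, char *out, size_t out_size)
{
    size_t n = 0;
    if (out_size == 0)
        return 0;
    while (n < size && n + 1 < out_size && data[n] != '\0') {
        unsigned char c = data[n];          /* unsigned: bytes >127 are fuzzer-typical */
        if (c >= 'a' && c <= 'z')
            c -= 32;                        /* 'a' - 'A' == 32, as in the original */
        out[n] = (char)c;
        n++;
    }
    out[n] = '\0';
    return n;
}

/* libFuzzer harness. Build with:
 *   clang -g -O1 -fsanitize=fuzzer,address fuzz_upper.c -o fuzz_upper
 * libFuzzer supplies main() and calls this with mutated inputs; ASan
 * reports any out-of-bounds write on s. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
    char s[BUF_SIZE];
    upper_bounded(data, size, s, sizeof s);
    return 0;   /* non-zero return values are reserved by libFuzzer */
}
```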

WAF bypass

Bypass study materials

1. 门神 (Menshen) WAF crowd-testing summary (key reading)

https://security.tencent.com/index.php/blog/msg/151

2. An introduction to WAFs and the principles of WAF bypass

https://cloud.tencent.com/developer/article/1536637

3. WAF bypass tricks for SQL injection

https://www.ms509.com/2020/06/24/Waf-Bypass-Sql/

4. Bypass WAF Cookbook

https://wooyun.js.org/drops/Bypass%20WAF%20Cookbook.html

5. TSRC challenge: a record of the WAF SQL-injection bypass challenge

https://security.tencent.com/index.php/blog/msg/66

6. A brief discussion of WAF bypass techniques

https://mp.weixin.qq.com/s/Qn-zh7SwG9wA3dGEz_AEqA

Open-source projects

1. xwaf

https://github.com/3xp10it/xwaf

2. whatwaf

https://github.com/Ekultek/WhatWaf

3. Awesome-WAF

https://github.com/0xInfection/Awesome-WAF

AI bypass

Open-source projects:

1. waf-a-mole

https://github.com/AvalZ/waf-a-mole

Papers:

1. A Machine Learning-Driven Evolutionary Approach for Testing Web Application Firewalls

2. Detection and Prevention Approach to SQLi and Phishing Attack using Machine Learning

3. Improving Web Application Firewalls to detect advanced SQL injection attacks

4. WAF-A-MoLE: An adversarial tool for assessing ML-based WAFs

WAF basics

Notes taken from:

Chapter 7 of 《大型互联网企业安全架构》 (Security Architecture for Large Internet Enterprises)

WAF introduction

1. The WAF is the main protective measure for web security; it buys a certain amount of time for fixing vulnerabilities.

2. The common open-source WAF is ModSecurity, which supports Apache, IIS and nginx.

ModSecurity: https://github.com/SpiderLabs/ModSecurity

Microsoft's Azure cloud WAF and the Cloudflare WAF are both built on it.

3. The current trend is to replace traditional regexes with semantic engines and AI engines. Semantic engines: libinjection and libdetection. AI engine: Wallarm.

Links: https://github.com/client9/libinjection

https://github.com/wallarm/libdetection

https://wallarm.com/

4. The biggest problem with AI-engine WAFs is detection efficiency: real-time blocking generally cannot use deep learning. Tencent Cloud's WAF also uses traditional machine learning, including HMM and SVM: HMM for anomaly analysis, SVM for threat identification.

5. Cloud WAF features:

DDoS protection, intrusion prevention, CDN acceleration, web page tamper protection, backdoor (webshell) detection

Day051: Reinforcement day 1

Try to find some authorization-bypass (越权, IDOR-style) vulnerabilities

Some resources on authorization-bypass vulnerabilities

  1. https://sec.nmask.cn/article_content?a_id=a484681d2c7b61b9c018fafe67b59c9a
  2. https://cloud.tencent.com/developer/article/1516373
  3. https://github.com/reddelexc/hackerone-reports/blob/master/tops_by_bug_type/TOPIDOR.md
  4. https://www.cnblogs.com/AirCrk/p/12915798.html
  5. https://nosec.org/home/detail/4195.html
  6. https://hackerone.com/reports/869705

Configured some Burp plugins and experimented with chaining Goby and Xray.

Day044

Today's focus: subdomain takeover and automated scanning

HackerOne vulnerability list:

https://github.com/reddelexc/hackerone-reports/blob/master/tops_by_bug_type/TOPSUBDOMAINTAKEOVER.md

Vulnerability principles

1. Web security series 15: subdomain takeover

https://houbb.github.io/2020/08/09/web-safe-15-subdomain-takeover

2. An in-depth analysis of subdomain takeover vulnerabilities

https://www.secpulse.com/archives/94973.html

3. HackerOne | A guide to hunting subdomain takeover vulnerabilities

https://www.freebuf.com/articles/web/183254.html

4. Technical analysis | Let's "hijack" a GitHub custom domain for fun!

https://www.freebuf.com/articles/web/171952.html

5. Domain takeover

https://book.hacktricks.xyz/pentesting-web/domain-subdomain-takeover

6. A Guide to Subdomain Takeovers

https://www.hackerone.com/blog/Guide-Subdomain-Takeovers

7. Subdomain takeovers

https://developer.mozilla.org/en-US/docs/Web/Security/Subdomain_takeovers

8. How To Setup an Automated Sub-domain Takeover Scanner for All Bug Bounty Programs in 5 Minutes

https://medium.com/@hakluke/how-to-setup-an-automated-sub-domain-takeover-scanner-for-all-bug-bounty-programs-in-5-minutes-3562eb621db3

Vulnerability analyses

1. Bug-hunting experience | Azure DevOps account takeover via domain hijacking

https://www.freebuf.com/articles/web/242727.html

2. Bug-hunting experience | How I bypassed Uber's single sign-on authentication via subdomain takeover

https://www.freebuf.com/news/141630.html

3. Bug-hunting experience | How I found a $4500 vulnerability during early reconnaissance

https://www.freebuf.com/articles/network/171219.html

4. Bug-hunting experience | How I took over more than fifty thousand Shopify subdomains in a short time

https://www.freebuf.com/articles/web/186411.html

5. Exploiting Subdomain Takeover on S3

https://gupta-bless.medium.com/exploiting-subdomain-takeover-on-s3-6115730d01d7

Automation tools

1. Osmedeus

https://github.com/j3ssie/Osmedeus

2. OneForAll

https://github.com/shmilylty/OneForAll

3. second-order

https://github.com/mhmdiaa/second-order

4. SubOver

https://github.com/Ice3man543/SubOver

5. More

https://github.com/search?q=Subdomain+Takeover&type=

Video tutorials

1. Live Stream Subdomain Takeovers for Bug Bounties

2. Subdomain Takeover Step by Step | Bug Bounty 2020

Focus: developing an automation tool

Development progress: https://pxiaoer.blog/2020/12/01/subdomain-takeover/