Burp: Out Of band resource load

I scanned a web app using Burp and it reported this vulnerability. When I click on the issue it shows this request and response:

Request:

GET / HTTP/1.1
Host: xxxxx.burpcollaborator.net
Pragma: no-cache
Cache-Control: no-cache, no-transform
Connection: close

Response:

HTTP/1.1 200 OK
Server: Burp Collaborator https://burpcollaborator.net/
X-Collaborator-Version: 4
Content-Type: text/html
Content-Length: 60

<html><body>blablalbalbalbalbalbalba</body></html>

When I send the request to Repeater and send it, the app server gives an error. The advisory says that Burp submitted the payload in the SSL SNI value and the HTTP Host header. I tried to do this manually using curl. I used examples from: https://www.claudiokuenzler.com/blog/693/curious-case-of-curl-ssl-tls-sni-http-host-header

curl --resolve xxxxx.burpcollaborator.net:80:myapp.com http://xxxxx.burpcollaborator.net

openssl s_client -connect myapp.com:443 -servername xxxxx.burpcollaborator.net

After running both of these commands I checked the Burp Collaborator client for IP addresses. It only shows my client IP. The server IP address is not included in any interaction.

So if the client is interacting with the alien server (Burp in this case), what is the vulnerability here? Shouldn't it be the server's IP for this to become a vulnerability?
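An added example (not from the question, and not Burp's own logic) of the check the question is circling: sorting Collaborator-style interactions by source address to tell a request made by the tester's own client from one made by the application server, and treating a DNS lookup alone differently from an HTTP fetch. The interaction records, the tester address 198.51.100.7 and the target's egress range 203.0.113.0/24 are constructed values.

```python
import ipaddress
from collections import defaultdict

# Constructed Collaborator-style interaction log (sample data, not real captures).
# Each record: interaction type, source address seen by the collaborator,
# and the payload hostname that was looked up or requested.
SAMPLE_INTERACTIONS = [
    {"type": "DNS",  "source": "198.51.100.7", "host": "abc123.burpcollaborator.net"},
    {"type": "HTTP", "source": "198.51.100.7", "host": "abc123.burpcollaborator.net"},
    {"type": "DNS",  "source": "203.0.113.10", "host": "def456.burpcollaborator.net"},
    {"type": "HTTP", "source": "203.0.113.10", "host": "def456.burpcollaborator.net"},
    {"type": "DNS",  "source": "192.0.2.99",   "host": "abc123.burpcollaborator.net"},
]


def classify_interactions(interactions, tester_ips, target_egress):
    """Group interactions by who originated them.

    tester_ips:    addresses of the tester's own machine (hypothetical input)
    target_egress: networks the application server egresses from (hypothetical)
    Returns {"client": [...], "server": [...], "unknown": [...]}.
    """
    tester = {ipaddress.ip_address(ip) for ip in tester_ips}
    egress = [ipaddress.ip_network(net) for net in target_egress]
    groups = defaultdict(list)
    for rec in interactions:
        src = ipaddress.ip_address(rec["source"])
        if src in tester:
            groups["client"].append(rec)      # tester's curl/openssl, not the app
        elif any(src in net for net in egress):
            groups["server"].append(rec)      # the application reached out
        else:
            groups["unknown"].append(rec)     # resolver, proxy, or something else
    return groups


def verdict(interactions, tester_ips, target_egress):
    """Reduce the grouped interactions to a finding status."""
    groups = classify_interactions(interactions, tester_ips, target_egress)
    server_http = [r for r in groups["server"] if r["type"] == "HTTP"]
    server_dns = [r for r in groups["server"] if r["type"] == "DNS"]
    if server_http:
        return "confirmed"        # server fetched the payload host over HTTP
    if server_dns:
        return "dns-only"         # server resolved the name; no fetch observed
    if groups["client"] and not groups["unknown"]:
        return "false-positive"   # only the tester's client touched the host
    return "inconclusive"
```

In the situation described in the question (only the client IP in the Collaborator log) this yields "false-positive"; a "dns-only" result deserves a second look, since a lookup from the server's resolver shows the hostname was processed even if nothing was fetched.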

SupremeVPS – VPS Resource Pools – Various Locations, starting at $20 a year!

SupremeVPS is back with some new exclusive offers for the community. These are VPS resource pools available in various locations and sizes.
A SSD VPS resource pool allows you to create multiple VPS servers within your resource pool limitations based on your plan. You can create one large VPS, or multiple VPS’s utilizing the resources available in your pool.

You can find their ToS/Legal Docs here. They accept PayPal, Credit Cards, Alipay, WeChat Pay, Bitcoin, Litecoin and Ethereum as payment methods.

Here’s what they had to say: 

“We are on a mission to make VPS hosting affordable, easy to use, and transparent. Since day one, we have been on a constant mission to change the VPS hosting industry. Having experienced it ourselves, we have found VPS hosting to be rather tedious with hidden fees, upsells, poor support, etc. – and SupremeVPS was born to change that and to set a new standard – a high standard, for that matter. Today we are successfully empowering over 1500 customers from all over the world!

Our pricing is simple, flat-rate, and easy to understand. No calculator needed, and there are absolutely zero hidden fees. SupremeVPS was born to be simple & easy to use – and our intuitive platform allows you to deploy in under 60 seconds.”

Here are the offers: 

2x SSD Cloud VPS Pool

  • Create Up To 2 VPS’s
  • 2 vCPU Cores
  • 2GB RAM
  • 30GB SSD Storage
  • 2TB Monthly Transfer
  • 1Gbps Port
  • 2x IPv4 Addresses
  • Linux OS Options
  • Resource Manager Panel
  • OpenVZ
  • Los Angeles, Chicago and New York Locations
  • $20/yr
  • [ORDER]

4x SSD Cloud VPS Pool

  • Create Up To 4 VPS’s
  • 4 vCPU Cores
  • 4GB RAM
  • 50GB SSD Storage
  • 5TB Monthly Transfer
  • 1Gbps Port
  • 4x IPv4 Addresses
  • Linux OS Options
  • Resource Manager Panel
  • OpenVZ
  • Los Angeles, Chicago and New York Locations
  • $40/yr
  • [ORDER]

8x SSD Cloud VPS Pool

  • Create Up To 8 VPS’s
  • 8 vCPU Cores
  • 8GB RAM
  • 100GB SSD Storage
  • 10TB Monthly Transfer
  • 1Gbps Port
  • 8x IPv4 Addresses
  • Linux OS Options
  • Resource Manager Panel
  • OpenVZ
  • Los Angeles, Chicago and New York Locations
  • $80/yr
  • [ORDER]

NETWORK INFO:

Los Angeles, California (530 W. 6th St. Datacenter Facility)

Test IPv4: 107.175.180.6

Test file: http://107.175.180.6/1000MB.test

Chicago, Illinois (2200 Busse Rd., Elk Grove Village Facility)

Test IPv4: 66.225.198.198

Test file: http://66.225.198.198/1000MB.test

Buffalo, New York (325 Delaware Ave. Buffalo, NY Facility)

Test IPv4: 192.3.180.103

Test file: http://192.3.180.103/1000MB.test

Host Node Specifications:

– Dual Intel Xeon E5-2660v2

– 128GB DDR3 RAM

– 4x RAID-10 Samsung 860 SSDs

– 1Gbps uplinks

Please let us know if you have any questions/comments and enjoy!

The post SupremeVPS – VPS Resource Pools – Various Locations, starting at $20 a year! appeared first on Low End Box.

VPSFortune – New Resource Pool Added! Sale Prices on select plans, with custom links!

VPSFortune is back with a new offer for the LowEndBox community. They are offering a 2X VPS Pool and 4X VPS Pool at sale prices, out of New York.
We were told that these are custom, exclusive plans created exclusively for LEB, so you won’t find these plans on their website except with the ordering links below.

You can find their ToS/Legal Docs here. They accept PayPal, Amazon Pay, Alipay, Credit Cards, Debit Cards, and Cryptocurrency as available payment methods.
As always, if you do decide to buy one, we’d love to hear about your experience below in the comments section!

Here’s what they had to say: 

“We have built our brand to fill the gap of flexibility in terms of VPS hosting. Since the beginning of VPSFortune, our architecture was designed to deliver high performance but also provide you with the most control and flexibility possible. Our services are reliable in a way that you don’t need to worry about scalability issues.

For us, performance and security are the two pillars of reliability. Our maintenance standards have set us apart from other service providers. We also do not just provide VPS hosting – we provide VPS pools using our resource pool control panel. This allows our users to be in charge of where and how they want their resources allocated, and allows for multiple VPS’s to be deployed all under one provider and one bill!”

Here are the offers: 

2x VPS Pool Special

  • Create 2 VPS’s! Resource Pool Contains The Following Resources:
  • 2GB RAM
  • 2 CPU Cores
  • 50GB SSD Storage
  • 2TB Monthly Transfer
  • 100Mbps Port
  • 2 IPv4 Addresses
  • $78/yr
  • [ORDER HERE]

4x VPS Pool Special

  • Create 4 VPS’s! Resource Pool Contains The Following Resources:
  • 4GB RAM
  • 4 CPU Cores
  • 60GB SSD Storage
  • 4TB Monthly Transfer
  • 100Mbps Port
  • 4 IPv4 Addresses
  • $120/yr
  • [ORDER HERE]

NETWORK INFO:

New York, USA Datacentre (City of Buffalo)

Test IPv4: 192.3.180.103

Test file: http://192.3.180.103/1000MB.test


VPS Host Node Specifications:

– Intel Xeon E3-1240 Series

– 32GB to 64GB RAM

– 4x 2TB Samsung Enterprise SSDs

– Redundant Power

– 1Gbps Network Uplinks

Please let us know if you have any questions/comments and enjoy!

The post VPSFortune – New Resource Pool Added! Sale Prices on select plans, with custom links! appeared first on Low End Box.

A cookie associated with a resource at http://gstatic.com/

When I share a Google Drive URL, I get this in the console:

view:1 A cookie associated with a resource at http://gstatic.com/ was set with  `SameSite=None` but without `Secure`. A future release of Chrome will only  deliver cookies marked `SameSite=None` if they are also marked `Secure`. You  can review cookies in developer tools under Application>Storage>Cookies and see  more details at https://www.chromestatus.com/feature/5633521622188032. 

It's just out of curiosity... I have come across it several times, and I am not quite sure what it refers to.

The benefit of JWT refresh token if authorization and resource server are merged?

Is there any benefit in using refresh tokens if your auth and resource server are combined?

I understand the benefit when they are separate: the refresh token is never sent to the resource server. But if they are not separate, is there any?

Without the refresh tokens, the access tokens could still be refreshed the same, but is there some additional benefit of still using separate refresh tokens?

How to add user to resource pool in sharepoint 2016 through CSOM C#?

Currently SharePoint is set up in SharePoint permission mode. How do we add a new user to the resource pool? I'm able to add the user to a group using web.EnsureUser("domainname//abc"). But the user doesn't show up in the resource list until he accesses the SharePoint site (PWA site).

I’m updating the owner of the project through my CSOM code.

Do I need the “e” part of a URL when sharing a SharePoint resource?

Whether it is sharing a file/folder from OneDrive or from a SharePoint site, I noticed that when sharing the same file twice, with no changes to the path, file name or scope of sharing, two different URLs are generated. Preferably, I want a "permalink" for the same file, assuming no change to its path or its sharing scope, so that I can easily share it now and forever, with whomever.

For instance, I have a SharePoint file that I want to share externally, in read-only fashion. However, I noticed that creating the link a second time via Share, most of the URL is the same as the first time but the end differs…

https://virgilholdings.sharepoint.com/:w:/s/IT/ZJincz11Hr0f-wGwzA7cBH9G4MVwPdtYwQHpfbtNQPw?e=vfRdjQ

https://virgilholdings.sharepoint.com/:w:/s/IT/ZJincz11Hr0f-wGwzA7cBH9G4MVwPdtYwQHpfbtNQPw?e=NkxNPy

Note: I changed the URLs to invalidate them. These are just examples.

I tried removing the unique portion (e=xxx) and the link still worked, seemingly. It would be convenient to use the file’s Share functionality whenever I want to obtain the share link (for the same sharing scope, e.g. externally, read-only) but must I heed the part that changes every time, i.e. e=xxx? What is its purpose? I can’t find a reference to it online.

Bigfoot Servers – VPS Resource Pools out of Los Angeles or Dallas!

BigFootServers sent in some new deals on VPS pools that they wanted to share with the community. They are offering discounted packages on VPS resource pools, 2GB and 3GB pools.
With these VPS pools, they’re giving customers the ability to create VPS’s on-demand, in Los Angeles or Dallas!

You can find their ToS/Legal Docs here. They accept PayPal, Credit Cards and Bitcoin as payment methods.

Here’s what they had to say: 

“BigFootServers was founded when we saw a need for a simpler solution for small businesses to get started online. Our service-first business model sets us apart from the rest. At BigFootServers, we treat you with the utmost respect that you deserve, as our valued customer.

We provide a wide variety of different web hosting services to fit everyone’s budget. The solutions we provide are unique (in a good way), because they put you in control over your resources and environment, unlike conventional hosting solutions. These are unlike your traditional & conventional hosting solutions, because the services we’re providing here put you in control.”

Here are the offers: 

2 VPS Instance Pool

  • Storage: 40GB
  • RAM: 2GB
  • Bandwidth: 2000GB
  • IPv4 Addresses: 2
  • Maximum VPS Instances: 2
  • Datacenter: Los Angeles & Dallas
  • $72/year
  • [ORDER HERE]

3 VPS Instance Pool

  • Storage: 60GB
  • RAM: 3GB
  • Bandwidth: 3000GB
  • IPv4 Addresses: 3
  • Maximum VPS Instances: 3
  • Datacenter: Los Angeles & Dallas
  • $108/year
  • [ORDER HERE]

Product Description: Create, manage, resize or delete servers on demand within a few clicks! We provide you with a resource pool, and you determine how they are used! Please be sure to check out these screenshots of our easy to use and intuitive VPS Pools Interface here!

NETWORK/HARDWARE INFO:

ColoCrossing – Los Angeles, CA, USA

Test IPv4: 107.175.180.6

Test file: http://107.175.180.6/100MB.test

ColoCrossing – Dallas, TX, USA

Test IPv4: 192.3.237.150

Test file: http://192.3.237.150/100MB.test


– Intel Xeon E3 Processors

– 32GB to 64GB RAM

– 4x 2TB HDDs

– Hardware RAID10 with Caching

– 1Gbps uplink

Please let us know if you have any questions/comments and enjoy!

The post Bigfoot Servers – VPS Resource Pools out of Los Angeles or Dallas! appeared first on Low End Box.