96 matches found
Cloud Lookup (and Bypass)
This module can be useful if you need to test the security of your server and your website behind a solution Cloud based. By discovering the origin IP address of the targeted host. More precisely, this module uses multiple data sources in order ViewDNS.info, DNS enumeration and Censys to collect...
Takeover v0.2 - Sub-Domain TakeOver Vulnerability Scanner
Sub-domain takeover vulnerability occur when a sub-domain subdomain.example.com is pointing to a service e.g: GitHub , AWS/S3 ,.. that has been removed or deleted. This allows an attacker to set up a page on the service that was being used and point their page to that sub-domain. For example, if...
Uber: Disclosure of Co-Rider user (Uber-pooling) profile picture at Amazon AWS Cloudfront within HTTP RESPONSE
After booking a shared ride, an attacker is able to access the profile picture of a co-rider. It is possible during the trip to view the co-rider's picture...
WAFW00F v2.0 - Allows One To Identify And Fingerprint Web Application Firewall (WAF) Products Protecting A Website
The Web Application FirewallFingerprinting Tool. — FromEnable Security How does it work? To do its magic, WAFW00F does the following: Sends a normal HTTP request and analyses the response; this identifies a number of WAF solutions. If that is not successful, it sends a number of potentially...
GSA Bounty: Cache poisoning DoS to various TTS assets
I have recently come across a technique to force a Cloudfoundry app to return a HTTP 404 error when requesting any resource, which contains cache friendly headers. What this means is, if the Cloudfoundry app in question is behind a web cache like Cloudfront or Cloudflare etc, it will possibly sto...
New Cache Poisoning Attack Lets Attackers Target CDN Protected Sites
A team of German cybersecurity researchers has discovered a new cache poisoning attack against web caching systems that could be used by an attacker to force a targeted website into delivering error pages to most of its visitors instead of legitimate content or resources. The issue could affect...
Magecart skimmers found on Amazon CloudFront CDN
Update 06-08-2019: The compromises of Amazon S3 buckets continue and some large sites are being affected. Our crawler spotted a malicious injection that loads a skimmer for the Washington Wizards page on the official NBA.com website. The skimmer was inserted in this JavaScript library:...
WAFW00F v1.0.0 - Detect All The Web Application Firewall!
WAFW00F identifies and fingerprints Web Application Firewall WAF products. How does it work? To do its magic, WAFW00F does the following: Sends a normal HTTP request and analyses the response; this identifies a number of WAF solutions. If that is not successful, it sends a number of potentially...
Ping Identity: Internal Hostname disclosure from multiple Apache servers via blank host header method
This vulnerability was due to a general misconfiguration of Apache servers; this is a good example of the importance of "Secure Defaults" in open-source projects. An example of a generic request and response would be: openssl sclient -connect apache.example.com:443 GET apache.example.com/foo...
d31bfnnwekbny6.cloudfront.net XSS vulnerability
Open Bug Bounty ID: OBB-690906 Description| Value ---|--- Affected Website:| d31bfnnwekbny6.cloudfront.net Open Bug Bounty Program:| Create your bounty program now. It's open and free. Vulnerable Application:| hidden until disclosure Vulnerability Type:| XSS Cross Site Scripting / CWE-79 CVSSv3...
CLI for Ephemeral Penetration Testing: hideNsneak
This application assists in managing attack infrastructure for penetration testers by providing an interface to rapidly deploy, manage, and take down various cloud services. These include VMs, domain fronting, Cobalt Strike servers, API gateways, and firewalls. hideNsneak provides a simple...
Aws_Public_Ips - Fetch All Public IP Addresses Tied To Your AWS Account
awspublicips is a tool to fetch all public IP addresses both IPv4/IPv6 associated with an AWS account. It can be used as a library and as a CLI, and supports the following AWS services all with both Classic & VPC flavors: APIGateway CloudFront EC2 and as a result: ECS, EKS, Beanstalk, Fargate,...
Grab: Subdomain Takeover Via Insecure CloudFront Distribution cdn.grab.com
Good day, I truly hope it treats you awesomely on your side of the screen : I have found that your website cdn.grab.com is pointed via a cname to a cloudfront instance cdn.grab.com = .cloudfront.net This was not registered on Amazon Aws Cloudfront. I was able to take over the domain: See my POC P...
CloudFrunt - A Tool For Identifying Misconfigured CloudFront Domains
CloudFrunt is a tool for identifying misconfigured CloudFront domains. Background CloudFront is a Content Delivery Network CDN provided by Amazon Web Services AWS. CloudFront users create "distributions" that serve content from specific sources an S3 bucket, for example. Each CloudFront...
Identify Misconfigured CloudFront Domains: CloudFrunt
CloudFrunt is a tool for identifying misconfigured CloudFront domains. CloudFront is a Content Delivery Network CDN provided by Amazon Web Services AWS. CloudFront users create “distributions” that serve content from specific sources an S3 bucket, for example. Each CloudFront distribution has a...
Greenhouse.io: DoS through cache poisoning using invalid HTTP parameters
I was taking a look into a related report https://hackerone.com/reports/298265 and I discovered that the https://boards.greenhouse.io/embed/jobboard/js?for= endpoint doesn't throw errors when I try to pass in an array of for parameters like this:...
GSA Bounty: Subdomain Takeover due to unclaimed domain pointing to AWS
Note: I know this is on an out of scope domain, however felt it should still be raised as it was the only subdomain of data.gov to be vulnerable. Issue Details The consultant identified that subdomain https://18f.domains.api.data.gov/ is pointing to dn9rrjaiux2m0.cloudfront.net via a DNS CNAME...
GSA Bounty: Defacement of catalog.data.gov via web cache poisoning to stored DOMXSS
An attacker can deface various pages on catalog.data.gov, leading to them executing malicious JavaScript when visited by a normal user. The root problem is that the server trusts the X-Forwarded-Host HTTP header, and uses this to populate the 'data-site-root' and 'data-locale-root' attributes on...
Trello: Subdomain Takeover Possible [N/A]
Hello , Team Trello Security Today == 04/11/2017 , 03:52 , I Discovred A Issue in Your Website , i found this error In : http://d2k1ftgv7pobq7.cloudfront.net/ ======================================================= ERROR The request could not be satisfied. Bad request. Generated by cloudfront...
subjack - Hostile Subdomain Takeover tool written in Go
subjack is a Hostile Subdomain Takeover tool written in Go designed to scan a list of subdomains concurrently and identify ones that are able to be hijacked. With Go's speed and efficiency, this tool really stands out when it comes to mass-testing. Always double check the results manually to rule...