A project for fuzzing HTTP/1.1 CL.0 Request Smuggling attack vectors.
Thank you to @albinowax, @defparam and @d3d, else this tool would not exist. Inspired by the tool Smuggler; all attack gadgets are adapted from Smuggler and https://portswigger.net/research/how-to-turn-security-research-into-profit
For more info see: https://moopinger.github.io/blog/fuzzing/clzero/tools/request/smuggling/2023/11/15/Fuzzing-With-CLZero.html
usage: clzero.py [-h] [-url URL] [-file FILE] [-index INDEX] [-verbose] [-no-color] [-resume] [-skipread] [-quiet] [-lb] [-config CONFIG] [-method METHOD]
CLZero by Moopinger
optional arguments:
-h, --help show this help message and exit
-url URL (-u), Single target URL.
-file FILE (-f), Files containing multiple targets.
-index INDEX (-i), Index start point when using a file list. Default is first line.
-verbose (-v), Enable verbose output.
-no-color Disable colors in HTTP Status
-resume Resume scan from last index place.
-skipread Skip the read response on smuggle requests, recommended. This will save a lot of time between requests. Ideal for targets with standard HTTP traffic.
-quiet (-q), Disable output. Only successful payloads will be written to ./payloads/
-lb Last byte sync method for least request latency. Due to the nature of the request, it cannot guarantee that the smuggle request will be processed first. Ideal for targets with a high amount of traffic, and you do not mind sending multiple requests.
-config CONFIG (-c) Config file to load, see ./configs/ to create custom payloads
-method METHOD (-m) Method to use when sending the smuggle request. Default: POST
Single target attack:
python3 clzero.py -u https://www.target.com/ -c configs/default.py -skipread
python3 clzero.py -u https://www.target.com/ -c configs/default.py -lb
Multi target attack (the file option is -file / -f, per the usage above):
python3 clzero.py -f urls.txt -c configs/default.py -skipread
python3 clzero.py -f urls.txt -c configs/default.py -lb
git clone https://github.com/Moopinger/CLZero.git
cd CLZero
pip3 install -r requirements.txt
A full explanation of what HTML Smuggling is may be found here.
The primary objective of HTML smuggling is to bypass network security controls, such as firewalls and intrusion detection systems, by disguising malicious payloads within seemingly harmless HTML and JavaScript code. Because the file is assembled and written to disk by the browser itself rather than fetched as a download, the payload reaches the user's browser without triggering the alerts that traditional, network-level security mechanisms rely on. Thanks to this technique, the download of a malicious file is not visible in any way to modern IDS solutions.
The main goal of the HTMLSmuggler tool is to create a standalone JavaScript library with an embedded, user-defined payload. This library may be integrated into phishing sites, email HTML attachments, etc. to bypass IDS and IPS systems and deliver the embedded payload to the target user's system. An example of a generated JavaScript library may be found here.
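A defender-side counterpart to the description above, added here as an example and not part of HTMLSmuggler: a static scorer that flags an HTML document (e.g. a mail attachment) carrying the JavaScript file-drop pattern (base64 decode, Blob, object URL, forced download, large inline blob). The indicator names, the weights and the two sample documents are constructed for this example.

```python
import base64
import re
from dataclasses import dataclass, field

# Static indicators of a JavaScript-driven file drop. The weights are an
# assumption made for this example, not a published scoring standard.
INDICATORS = {
    "blob_constructor": (re.compile(r"new\s+Blob\s*\("), 2),
    "object_url": (re.compile(r"URL\.createObjectURL\s*\("), 2),
    "base64_decode": (re.compile(r"\batob\s*\("), 2),
    "legacy_ie_save": (re.compile(r"msSaveOrOpenBlob"), 2),
    "download_attr": (re.compile(r"\.download\s*="), 1),
    "binary_mime": (re.compile(r"application/octet-stream"), 1),
    "synthetic_click": (re.compile(r"\.click\s*\(\s*\)"), 1),
}
# A long run of base64 alphabet is the embedded file itself (unless an
# obfuscator option such as splitStrings has chopped it into short pieces).
INLINE_BLOB = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")

@dataclass
class Verdict:
    score: int
    hits: list = field(default_factory=list)
    longest_blob: int = 0

def scan_html(html: str) -> Verdict:
    """Score one HTML document for smuggling indicators; each fires once."""
    verdict = Verdict(score=0)
    for name, (pattern, weight) in INDICATORS.items():
        if pattern.search(html):
            verdict.hits.append(name)
            verdict.score += weight
    blobs = INLINE_BLOB.findall(html)
    if blobs:
        verdict.longest_blob = max(len(b) for b in blobs)
        verdict.score += 2
    return verdict

def is_suspicious(html: str, threshold: int = 5) -> bool:
    return scan_html(html).score >= threshold

# Constructed samples: the "payload" is only repeated placeholder text.
FAKE_BLOB = base64.b64encode(b"constructed placeholder bytes " * 10).decode()
SMUGGLING_SAMPLE = f"""<script>
var b = atob("{FAKE_BLOB}");
var blob = new Blob([b], {{type: "application/octet-stream"}});
var a = document.createElement("a");
a.href = URL.createObjectURL(blob); a.download = "file.exe"; a.click();
</script>"""
BENIGN_SAMPLE = '<p>Quarterly report: <a href="report.pdf" download>PDF</a></p>'
```

An obfuscated build such as the obfuscator.js preset produces hides most of these tokens, and splitStrings cuts the base64 literal below the 200-character threshold, so treat this as a first-pass filter and route anything with a large inline script to sandbox detonation.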
Install yarn package manager.
Install dependencies:
yarn
Read help message.
yarn build -h
Modify (or use my) javascript-obfuscator options in obfuscator.js; my preset is nice, but very slow.
Compile your javascript payload:
yarn build -p /path/to/payload -n file.exe -t "application/octet-stream" -c
Get your payload from dist/payload.esm.js or dist/payload.umd.js. After that, it may be inserted into your page and called with the download() function.
payload.esm.js is used in import { download } from 'payload.esm'; imports (ECMAScript standard).
payload.umd.js is used in HTML script src and require('payload.umd'); imports (CommonJS, AMD and pure HTML).
A full example may be found here.
Import created script to html file (or insert it inline):
<head>
<script src="payload.umd.js"></script>
</head>
Call the download() function from body:
<body>
<button onclick="download()">Some phishy button</button>
</body>
Happy phishing :)
A full example may be found here.
Import created script to vue file:
<script>
import { download } from './payload.esm';
</script>
Call the download() function:
<template>
<button @click="download()">Some phishy button</button>
</template>
Happy phishing :)
Q: I have an error RangeError: Maximum call stack size exceeded, how to solve it?
A: This issue is described here. To fix it, try to disable splitStrings in obfuscator.js or make a smaller payload (it's recommended to use payloads of up to 2 MB because of this issue).
Q: Why does my payload build take so long?
A: The bigger the payload you use, the longer it takes to create a JS file. To decrease build time, try to disable splitStrings in obfuscator.js. Below is a table with estimated build times using the default obfuscator.js.
| Payload size | Build time |
|---|---|
| 525 KB | 53 s |
| 1.25 MB | 8 m |
| 3.59 MB | 25 m |