Zero day exploits
You might want to have a look at something like this as well.
Rocket_Face wrote: I know what a zero day is, but has anyone here on HBH ever found one for real, or have most of them been discovered by now, so they're rarer and harder to find? Yes and no and yes. There's tons of software that exists and while most of the big stuff tends to have a pretty high bar for exploitation, a looooooot of the smaller stuff is still silly easy to beat up on. If you want to play on easy mode, I suggest getting your hands on some routers or other startup IoT devices and party like it's 1990 again.
There's tons of software that exists and most of the big stuff tends to have a pretty high bar for exploitation
Futility is bang on with that one.
Most of the low level exploits and security holes in high profile software are gone, so there's not much hope of discovering an XSS alert in a google search, as a billion other n00bs have already been there before you, pasting in every XSS payload from the past 20 years, trying to make an alert box pop up that says "Mr_Cheese was here."
The more advanced vulnerabilities though are still around, as the vast majority of them require you to actually know what you're fucking doing in order to exploit them.
Exploits resulting in remote shells/command execution or remote code execution are complicated, time consuming and hard to pull off (https://www.evonide.com/how-we-broke-php-hacked-pornhub-and-earned-20000-dollar/), but the rewards are good, and fewer people have been there before you, so the odds are way better of finding existing vulnerabilities in these areas.
Futility wrote: There's tons of software that exists and most of the big stuff tends to have a pretty high bar for exploitation
So I wanted to perhaps be a little bit more clear. When I said most and tends to, I was speaking very generally. There are still huuuuuge big-name products that are owned, used, and run on a daily basis by people and companies the world over that are still vulnerable to the silliest of things. See Symantec, for instance. In the web realm, this Magento bug always piques my interest (despite being a couple years old). In terms of XSS, not even Google is safe.
My point is, just because something is big doesn't mean it's necessarily safe and everything could use another person looking over it and if I implied that, I definitely didn't mean to. Just keep hunting!
- Futility
<kung-fu> I had a whole bunch in PHP-Fusion a good few years back, there were SQL injection points in loads of .php files where user-supplied data was being sent via POST to stripinput() and validated by a regex. A fucking unanchored regex.
One of the biggest mistakes made when using regex patterns is leaving them unanchored. Anchors determine the span of a pattern's match against an input string. The '^' anchor matches the beginning of a line. The '$' anchor matches the end of a line.
Anyone who uses regexes as part of a security or input validation filter should know that if the pattern is left unanchored, it will search through the entire input string looking for a match.
Thanks to this schoolboy error, sticking our injection anywhere in a string containing valid data will now bypass the regex checks.
The unanchored regex was used in submit, create, reset, search, members, comments, ratings and messages.php, as well as in a couple of files in the forum. All of the injection vulnerabilities were totally blind, so data had to be extracted via time delays using MySQL's sleep() function. </kung-fu>
Happy Days.
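To make the anchoring point above concrete, here is an added example (not code from the thread, and not PHP-Fusion's stripinput() or its actual regex). It runs the same digit-only character class three ways: unanchored, anchored with ^ and $, and pinned to the whole string with \A and \Z. The validator names and the sample inputs are constructed for illustration. It also shows a caveat the post does not mention: in Python (and PCRE) a bare $ still matches before a trailing newline, so ^...$ is not quite "the whole string".

```python
"""Unanchored vs. anchored regex validation (added example)."""
import re

# The same allowed-characters class, written three ways.
UNANCHORED = re.compile(r"[0-9]+")        # "is there a run of digits somewhere?"
LINE_ANCHORED = re.compile(r"^[0-9]+$")   # "does the line consist of digits?"
STRICT = re.compile(r"\A[0-9]+\Z")        # "does the whole string consist of digits?"


def validate_unanchored(value: str) -> bool:
    """The schoolboy error: search() finds a match anywhere in the input,
    so valid data with anything glued before or after it still passes."""
    return UNANCHORED.search(value) is not None


def validate_line_anchored(value: str) -> bool:
    """Anchored with ^ and $. Rejects extra characters, but $ also matches
    just before a trailing newline, so "42\\n" slips through."""
    return LINE_ANCHORED.search(value) is not None


def validate_strict(value: str) -> bool:
    """\\A and \\Z pin the match to the entire string (re.fullmatch is
    equivalent); nothing but digits is accepted."""
    return STRICT.search(value) is not None


# Constructed sample inputs: what a numeric id field should and should not accept.
SAMPLES = {
    "42": True,             # the only value that should pass
    "42 extra data": False, # valid prefix followed by disallowed characters
    "extra 42": False,      # disallowed characters followed by valid data
    "42\n": False,          # trailing newline
}


def wrongly_accepted(validator) -> list:
    """Return the sample inputs a validator accepts even though it should not."""
    return [s for s, ok in SAMPLES.items() if not ok and validator(s)]


if __name__ == "__main__":
    for v in (validate_unanchored, validate_line_anchored, validate_strict):
        print(f"{v.__name__:24s} wrongly accepts: {wrongly_accepted(v)!r}")
```

The unanchored validator accepts every bad sample, which is exactly why sticking something in the middle of otherwise valid data beat the filter described in the post; the ^/$ version closes that hole but still lets a trailing newline through, and only the \A/\Z (or fullmatch) form validates the whole string. Regex validation is also only a second line of defence for SQL: the query should use parameterised statements regardless of what the filter accepts.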