Elite Web-Hacking Patterns — August 4, 2025
Field Manual

A memorization-grade, single-file reference of modern, high-impact web exploitation patterns. Zero external deps. Print-ready.

Scope: Web App • Cloud Edge • Identity
Format: Single-file HTML
Use: Authorized testing only

A. Transport & Caching Primitives

  • HTTP/2 “Rapid Reset” — RST stream floods can burn CPU at line-rate. If you observe slow/“graceful” GOAWAY behavior, assess exposure. Use only for controlled, authorized resilience testing.
  • HTTP/1 Desync Endgame — Upstream HTTP/1.1 parsing is brittle. If you can influence hop-by-hop framing, aim for cache/route poisoning. Watch for proxy↔origin parse drift.
  • Client-Side Desync — Browser-compatible CL.0/TRACE-assisted desync launched from a victim page; pair with cache poisoning for radius amplification.
  • Web Cache Poisoning & Deception — Poison keys or cache rules to store dynamic/semi-secret responses; chain with open-redirect or desync for delivery.

B. Request Smuggling & Parsing Gaps

  • CL.TE / TE.CL / TE.0 — Differential parsing between edge and origin. Test chunked vs content-length, mixed TE paths, and TE=trailers quirks; target cache poisoning, auth bypass, internal routes.
  • Browser-Powered Smuggling — When “raw socket” payloads are blocked, craft standards-compliant sequences that still trigger desync through intermediary layers.
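The defender-side counterpart to sections A and B is a parser that refuses every ambiguous framing rather than trying to reconcile it. The check below is an added example, not code from this manual or any proxy project: it applies the RFC 9112 rules (Transfer-Encoding and Content-Length never both; duplicate or non-numeric Content-Length rejected; chunked must be the final coding; no whitespace before the colon; no obs-fold) to a raw request head. The request heads in `SAMPLES` are constructed, the first one being the TE.CL probe shape from the quick-reference section.

```python
"""Strict HTTP/1.1 body-framing check for an edge proxy or origin.

Added example (not code from the page): applies the RFC 9112 framing rules
that remove the CL.TE / TE.CL / TE.0 ambiguity a desync probe depends on.
Every request shape below is a constructed sample.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

TOKEN_RE = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")   # RFC 9110 token


@dataclass
class Verdict:
    accepted: bool
    reason: str
    body_length: int | None = None   # set only when Content-Length framing is used
    chunked: bool = False


def check_framing(raw_head: bytes) -> Verdict:
    """Accept a request head only if it has exactly one unambiguous framing.

    Rejects every shape a desync probe relies on: Transfer-Encoding alongside
    Content-Length, duplicate or non-numeric Content-Length, a final transfer
    coding other than chunked, whitespace before the colon, and obs-fold.
    """
    text = raw_head.decode("latin-1")
    if "\r\n\r\n" not in text:
        return Verdict(False, "incomplete head")
    head = text.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    parts = request_line.split(" ")
    if len(parts) != 3 or parts[2] not in ("HTTP/1.0", "HTTP/1.1"):
        return Verdict(False, "malformed request line")
    version = parts[2]

    content_lengths: list[str] = []
    transfer_codings: list[str] = []
    for line in header_lines:
        if line[:1] in (" ", "\t"):
            return Verdict(False, "obsolete line folding")
        name, sep, value = line.partition(":")
        if not sep or not TOKEN_RE.match(name):
            # Catches 'Transfer-Encoding : chunked' and similar parser-splitting tricks.
            return Verdict(False, f"invalid header name {name!r}")
        lname = name.lower()
        if lname == "content-length":
            content_lengths += [v.strip() for v in value.split(",")]
        elif lname == "transfer-encoding":
            transfer_codings += [v.strip().lower() for v in value.split(",")]

    if transfer_codings:
        if version == "HTTP/1.0":
            return Verdict(False, "Transfer-Encoding on HTTP/1.0")
        if content_lengths:
            # RFC 9112 s6.3: a message with both is a smuggling signal; reject, never reconcile.
            return Verdict(False, "Content-Length and Transfer-Encoding both present")
        if transfer_codings[-1] != "chunked":
            return Verdict(False, "final transfer coding is not chunked")
        return Verdict(True, "chunked framing", chunked=True)

    if content_lengths:
        if len(set(content_lengths)) != 1:
            return Verdict(False, "conflicting Content-Length values")
        if not content_lengths[0].isdigit():
            return Verdict(False, "non-numeric Content-Length")
        return Verdict(True, "content-length framing", body_length=int(content_lengths[0]))
    return Verdict(True, "no body", body_length=0)


# Constructed request heads; the first is the probe shape from the quick-reference section.
SAMPLES = {
    "te_cl_probe": b"POST / HTTP/1.1\r\nHost: target.example\r\n"
                   b"Transfer-Encoding: chunked\r\nContent-Length: 4\r\n\r\n0\r\n\r\n",
    "space_before_colon": b"POST / HTTP/1.1\r\nHost: target.example\r\n"
                          b"Transfer-Encoding : chunked\r\n\r\n",
    "chunked_not_final": b"POST / HTTP/1.1\r\nHost: target.example\r\nTransfer-Encoding: chunked\r\n"
                         b"Transfer-Encoding: identity\r\n\r\n",
    "dup_cl": b"POST / HTTP/1.1\r\nHost: target.example\r\nContent-Length: 4\r\n"
              b"Content-Length: 10\r\n\r\n",
    "clean_cl": b"POST / HTTP/1.1\r\nHost: target.example\r\nContent-Length: 4\r\n\r\nabcd",
    "clean_chunked": b"POST / HTTP/1.1\r\nHost: target.example\r\nTransfer-Encoding: chunked\r\n\r\n",
}


def classify_samples() -> dict[str, bool]:
    """Map each sample name to whether the strict parser accepts it."""
    return {name: check_framing(head).accepted for name, head in SAMPLES.items()}


if __name__ == "__main__":
    for name, head in SAMPLES.items():
        print(f"{name:20s} {check_framing(head)}")
```

The point of the design is that the edge and the origin must agree, so the same rejection rules belong on both tiers: a front end that "tolerates" the conflicting pair and forwards it is exactly the proxy-to-origin parse drift the desync bullets describe.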

C. Identity & Token Misuses (2025)

  • OAuth Misconfig Set-Pieces — Over-permissive redirect_uri (wildcards/schemes), missing state/nonce, weak PKCE. Build a checklist and hammer each IdP/SP flow.
  • SAML Signature-Wrapping (SWA) — Multi-parser stacks and detached signatures keep SWA alive. Inspect library defaults and canonicalization.
  • JWT Algorithm Confusion — Rarer, but bespoke crypto or lax algorithm whitelists revive RS256↔HS256 and none scenarios.
  • OIDC Login-CSRF — state must be unpredictable per request and session-bound; test for proxy rewrites and handler gaps.
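To make the JWT and redirect_uri bullets concrete, here is an added example (not code from this manual or from any JWT library) showing the two verifier shapes side by side: `verify_weak` dispatches on whatever `alg` the token announces and therefore honours `none`, while `verify_strict` pins HS256 server-side and treats the header as something to check, never something to obey. The exact-match redirect registry covers the wildcard/prefix misconfiguration named above. The secret, client registry and claims are constructed sample values; the standard library is all it uses.

```python
"""Token and redirect_uri checks for the OAuth / OIDC / JWT set-pieces above.

Added example, not code from the page or any library: a minimal HS256 JWT
verifier written two ways (one dispatching on the token's own 'alg', one
pinning the algorithm server-side) plus an exact-match redirect_uri registry.
Standard library only.  The secret, client registry and claims are
constructed sample values.
"""
from __future__ import annotations

import base64
import hashlib
import hmac
import json
from urllib.parse import urlsplit

SECRET = b"constructed-demo-hmac-key"   # assumption: the IdP/SP shared HS256 key


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint(claims: dict, alg: str = "HS256") -> str:
    """Build a token; alg='none' produces the unsigned shape used in the demo."""
    header = b64url(json.dumps({"alg": alg, "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    if alg == "none":
        return f"{header}.{payload}."
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def verify_weak(token: str) -> dict | None:
    """Vulnerable shape: the token's header chooses the verification path."""
    h, p, s = token.split(".")
    header = json.loads(b64url_decode(h))
    if header.get("alg") == "none":            # the 'none' scenario the page lists
        return json.loads(b64url_decode(p))
    if header.get("alg") == "HS256":
        expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if hmac.compare_digest(expected, b64url_decode(s)):
            return json.loads(b64url_decode(p))
    return None


def verify_strict(token: str, expected_alg: str = "HS256") -> dict | None:
    """Hardened shape: the verifier fixes the algorithm; the header is only
    checked for agreement and never consulted for dispatch."""
    if expected_alg != "HS256":                # single-entry allowlist in this demo
        return None
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
        sig = b64url_decode(s)
    except ValueError:                         # bad segment count, base64 or JSON
        return None
    if not isinstance(header, dict) or header.get("alg") != expected_alg or not sig:
        return None
    expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    return json.loads(b64url_decode(p))


# Registered redirect URIs per client_id: complete strings, no wildcards or prefixes.
CLIENTS = {"demo-client": {"https://app.example/cb"}}   # constructed registry


def redirect_uri_allowed(client_id: str, redirect_uri: str) -> bool:
    """Exact string match against the registry; https only; no fragment."""
    if redirect_uri not in CLIENTS.get(client_id, set()):
        return False
    parts = urlsplit(redirect_uri)
    return parts.scheme == "https" and not parts.fragment
```

The same pinning rule is what prevents the RS256↔HS256 confusion: a verifier that is handed a public key and told "HS256" must refuse, not reuse the PEM bytes as an HMAC secret. For redirect_uri, comparing the whole registered string (not a host or prefix) is what closes the open-redirect chain that later sections use for delivery.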

D. Cloud SSRF Chains

  • IMDSv1 via SSRF — Still encountered. SSRF → http://169.254.169.254/ → enumerate creds → short-lived role pivot.
  • IMDSv2 Enforcement Gaps — Defaults improved, but sidecars/misapplied policies leave v1 reachable; test per region/service.
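The control that breaks the SSRF → IMDS chain on the application side is an egress guard applied before every server-side fetch. The code below is an added example, not from this manual or any cloud SDK: it rejects non-http(s) schemes and userinfo, normalises IP literals including the decimal and hex spellings some HTTP clients still accept, unwraps IPv4-mapped IPv6, and blocks any destination that resolves into loopback, link-local (169.254.0.0/16, which contains the IMDS address), private or other non-global space. DNS resolution is injectable, so the demo runs offline against a constructed `FAKE_DNS` table; the public address in that table is a sample value.

```python
"""Outbound-fetch guard for the SSRF -> IMDS chain described above.

Added example (not code from the page): validates a user-supplied URL before a
server-side request is made.  DNS resolution is injectable so the check runs
offline; FAKE_DNS and the sample URLs are constructed.
"""
from __future__ import annotations

import ipaddress
import socket
from typing import Callable, Iterable
from urllib.parse import urlsplit

Resolver = Callable[[str], Iterable[str]]


def system_resolver(host: str) -> list[str]:
    """Real lookup; replaced by FAKE_DNS in the offline demo."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def parse_ip_literal(host: str) -> ipaddress.IPv4Address | ipaddress.IPv6Address | None:
    """Accept dotted/IPv6 literals and the integer or hex spellings some HTTP
    clients still honour (2852039166 and 0xa9fea9fe are both 169.254.169.254)."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        pass
    try:
        number = int(host, 0)
    except ValueError:
        return None
    return ipaddress.IPv4Address(number) if 0 <= number < 2**32 else None


def is_blocked(addr: ipaddress.IPv4Address | ipaddress.IPv6Address) -> bool:
    """True for anything outside globally routable unicast space."""
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped               # ::ffff:169.254.169.254 -> 169.254.169.254
    return (not addr.is_global) or addr.is_link_local or addr.is_multicast


def check_outbound_url(url: str, resolve: Resolver = system_resolver) -> tuple[bool, str]:
    """Return (allowed, reason).  Re-run on every redirect Location before following it."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in URL"
    host = parts.hostname
    if not host:
        return False, "missing host"
    literal = parse_ip_literal(host)
    if literal is not None:
        addrs = [literal]
    else:
        try:
            addrs = [ipaddress.ip_address(a) for a in resolve(host)]
        except (socket.gaierror, ValueError):
            return False, f"cannot resolve {host}"
        if not addrs:
            return False, f"no addresses for {host}"
    for addr in addrs:
        if is_blocked(addr):
            return False, f"{host} -> {addr} is not global unicast"
    return True, "ok"


# Constructed resolver table for the offline demo.
FAKE_DNS = {
    "api.partner.example": ["93.184.216.34"],           # sample public address
    "metadata.google.internal": ["169.254.169.254"],    # cloud metadata alias
    "intranet.corp.example": ["10.0.0.5"],
    "rebind.example": ["93.184.216.34", "127.0.0.1"],   # mixed answer set
}


def fake_resolver(host: str) -> list[str]:
    return FAKE_DNS.get(host, [])


CASES = [
    "https://api.partner.example/v1/report",
    "http://169.254.169.254/latest/meta-data/iam/security-credentials/",
    "http://2852039166/latest/meta-data/",
    "http://0xA9FEA9FE/latest/meta-data/",
    "http://[::ffff:169.254.169.254]/",
    "http://metadata.google.internal/computeMetadata/v1/",
    "http://intranet.corp.example/",
    "http://rebind.example/",
    "file:///etc/passwd",
    "http://user:pw@api.partner.example/",
]


def run_cases() -> dict[str, bool]:
    """Evaluate every constructed case against the offline resolver."""
    return {url: check_outbound_url(url, fake_resolver)[0] for url in CASES}
```

Two caveats matter in deployment. The guard validates the addresses it resolved, so the fetch must connect to those addresses rather than resolving the name a second time, or a DNS rebinding answer can slip between check and use. And because redirects are a separate hop, the check runs again on each Location header. On the instance side, IMDSv2 with a hop limit of 1 and token-only access is the complementary control the IMDSv2 bullet refers to; the application guard is what covers the sidecars and regions where v1 is still reachable.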

E. Frontend Persistence & Scriptless Exfil

  • Service-Worker Persistence — Landing a SW can enable offline phishing, response tampering, and durable data theft until unregistered.
  • Dangling-Markup Injection — Exfiltrate via unclosed attributes/forms; effective under strict CSP (zero JS).
  • postMessage Origin-Confusion — Unvalidated message handlers → XSS/state hijack across frames/widgets.
  • Trusted Types Reality — TT reduces DOM-XSS but adoption and bypass patterns exist; validate assumptions with real payloads.

F. Modern Client Side-Channels

  • WebGPU Cache Side-Channels — From a tab, infer keystrokes/timings/classifiers using GPU resource contention and timing. Treat GPU as an app surface.

G. GraphQL Realities

  • Introspection & Shadow Schemas — “Disabled” introspection often leaks via error paths, docs endpoints, or shadows.
  • Batching/Aliasing DoS & Auth Gaps — Aliases, fragments, and nested resolvers multiply cost; enforce auth at resolver granularity and rate-limit per field.
  • Subscriptions/Realtime — Test auth & tenancy on websockets/SSE; leakage often hides here.

H. Social-Engineering Chains (Active 2025)

  • Security-Wrapper Phishing — Abuse trusted link rewriters (e.g., email security wrappers) to wrap attacker URLs with “good” domains for deliverability.
  • People Layer = Primary Initial Access — Build scenarios around human-in-the-loop, not afterthoughts; pair with technical effects for realism.

Memorization Stacks

1) Recon → Edge Parsing

  • Enumerate surface → probe HTTP/1/2 desync
  • Poison cache/route → widen blast radius
  • Land credentialed pivot if possible

2) Auth Dance Abuse

  • Map IdP/SP → apply OAuth/OIDC/SAML checklist
  • Try SWA on XML stacks → check TT & CSP assumptions
  • Probe JWT alg/none fallbacks

3) Cloud Crown-Jewels

  • Find SSRF → hit IMDS → enumerate
  • Assume v1 exists somewhere → steal temp creds
  • Pivot with least-privilege roles

4) Frontend Control → Durable

  • Service worker foothold
  • Scriptless exfil (dangling-markup)
  • postMessage origin checks

Quick-Reference Commands

HTTP/2 Rapid Reset (test shape)

# Use an HTTP/2 client that can open parallel streams and issue RST rapidly.
# WARNING: Only on infrastructure you own/are authorized to test.
# Pseudocode flags shown; adapt to your client.
h2client --concurrency 100 --rst-stream --duration 10s https://target.example

Smuggling Probe (CL.TE / TE.CL)

# TE.CL differential example (manually craft raw HTTP if possible):
# Send to edge with Transfer-Encoding: chunked but include a conflicting Content-Length
# Observe origin behavior vs cache/store results
printf '%s\r\n' \
'POST / HTTP/1.1' \
'Host: target.example' \
'Transfer-Encoding: chunked' \
'Content-Length: 4' \
'' \
'0' \
'' \
| nc target.example 80

Scriptless Exfil (Dangling-Markup skeleton)


SSRF → EC2 IMDS

# Common IMDS paths (v1):
/latest/meta-data/iam/security-credentials/
/latest/meta-data/iam/info
/latest/meta-data/identity-credentials/

# Fetch via SSRF-capable endpoint (example indicates desired target path)
GET /proxy?url=http://169.254.169.254/latest/meta-data/iam/security-credentials/ HTTP/1.1
Host: target.example

GraphQL Baseline Introspection

{
  __schema {
    types { name }
    directives { name }
  }
}

Reminder: The snippets are illustrative for technique recall. Adapt to your tooling and legality constraints. Never test without written authorization.

Notes & Usage

  • This document is built for memorization and field recall. Each bullet is a pattern; each pattern implies a family of specific checks and payload shapes.
  • When converting to PDF, use your browser’s “Print → Save as PDF” for a clean, paginated version. This file includes print styles, page-friendly spacing, and subdued code blocks.
  • Keep an internal checklist: Desync→Cache, OAuth/SAML→Flows, SSRF→IMDS, Frontend→SW/Scriptless, GraphQL→Resolver Auth & Cost.
© 2025 — Elite Web-Hacking Patterns (Single-file edition). For authorized testing only.
