Thái Vũ thaivd98

Dutch Government Bug Bounty Scope

The National Cyber Security Centre (NCSC) contributes to jointly enhancing the resilience of the Dutch society in the digital domain and, in doing so, realizes a safe, open and stable information society by providing insight and offering a perspective for action. Therefore it is essential that the ICT systems of the NCSC are safe. The NCSC strives towards providing a high level of security for its system. However, it can occur that one of these systems has a vulnerability.

For more information about reporting the bugs go to https://english.ncsc.nl/contact/reporting-a-vulnerability-cvd

Source https://gist.github.com/random-robbie/f985ad14fede2c04ac82dd89653f52ad
https://www.communicatierijk.nl/vakkennis/r/rijkswebsites/verplichte-richtlijnen/websiteregister-rijksoverheid

Playing with GraphQL when introspection is disabled

Quick write up on extracting a GraphQL schema when introspection is disabled. Bits and pieces sourced from various sources. Successfully tested on an Apollo instance.

TLDR: Some GraphQL instances provide name autocomplete suggestions. Some peeps have written tools to automate the extraction process. (ref https://youtu.be/nPB8o0cSnvM).

1. Bruteforce schema without introspection

First step is using a tool called clairvoyance by @nikitastupin (https://github.com/nikitastupin/clairvoyance). I found the main repo to lack error handling and support for additional features such as proxy.

	################### This section will mostly remain as it is ###################

	def queueRequests(target, wordlists):
	engine = RequestEngine(endpoint=target.endpoint,
	concurrentConnections=5,
	requestsPerConnection=100,
	pipeline=False
	)
	################### ---------------------------------------- ###################

	# Gist of the Day: Turbo Intruder Cluster Bomb with SmartFiltering
	# Author: Evan Custodio (@defparam)
	#
	# MIT License
	# Copyright 2021 Evan Custodio
	#
	# Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
	#
	# The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
	#

	import xml.etree.ElementTree as ET
	import urllib
	import base64
	import math
	import sys
	import re

	# usage: Open Burp, navigate to proxy history, ctrl-a to select all records, right click and "Save Items" as an .xml file.
	# python burplist.py burprequests.xml
	# output is saved to wordlist.txt

	# Copyright 2017-2020 Jeff Foley. All rights reserved.
	# Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.

	# Should results only be collected passively and without DNS resolution? Not recommended.
	#mode = passive
	mode = active

	# The directory that stores the Cayley graph database and other output files
	# The default for Linux systems is: $HOME/.config/amass
	#output_directory = amass

	.0
	.1
	.2
	.3
	.tar
	.tgz
	.zip
	.tar.gz
	.rar
	.cache



	echo ""
	echo "********** Github Dork Links (must be logged in) *****************"
	echo ""
	echo " password"
	echo "https://github.com/search?q=%22$1%22+password&type=Code"
	echo "https://github.com/search?q=%22$without_suffix%22+password&type=Code"
	echo ""
	echo " npmrc _auth"

	0
	00
	01
	02
	03
	1
	1.0
	10
	100
	1000

	# github.com/ndavison

	import requests
	import random
	import string
	from argparse import ArgumentParser


	parser = ArgumentParser(description="Attempts to find hop-by-hop header abuse potential against the provided URL.")
	parser.add_argument("-u", "--url", help="URL to target (without query string)")