Latin1 was the early default character set for encoding documents delivered via HTTP for MIME types beginning with /text . Today, only around only 1.1% of websites on the internet use the encoding, along with some older applications. However, it is still the most popular single-byte character encoding scheme in use today. A funny thing about Latin1 encoding is that it maps every byte from 0 to 255 to a valid character. This means that literally any sequence of bytes can be interpreted as a valid string. The main drawback is that it only supports characters from Western European languages. The same is not true for UTF8. Unlike Latin1, UTF8 supports a vastly broader range of characters from different languages and scripts. But as a consequence, not every byte sequence is valid. This fact is due to UTF8's added complexity, using multi-byte sequences for characters beyond the general ASCII range. This is also why you can't just throw any sequence of bytes at it and ex...
Doubling back to share some more notes about web application security adjacent stuff. This is a bash script for reconnaissance that uses some tooling from Project Discovery - mapcidr and tlsx - in combination with jq and Bash, to enumerate TLS certificates.
We can assign our the search keys we're looking for to a bash array, search_keys, and then echo both the output of tlsx, as well as our search keys, into the bash translation utility, tr, to do a case-insensitive search for TLS certificates, matching for multiple possible keys.
We use globbing (*) to pattern match for the search keys anywhere they might appear in each line. Using jq, we extract the IP of each record to keep track of unique IP addresses, adding them to the unique_ips whenever we find a match, resulting in printing a sorted array of unique IP addresses that match any of our search keys.
This code gist is actually newer than the one I shared on Github and Cohost.
#!/bin/bash
# case-insensitive search of TLS certs by CIDR block
if [ "$#" -lt 2 ]; then
echo "Usage: $0 [cidr] [search_key1] [search_key2] [search_key3]"
exit 1
fi
cidr="$1"
search_keys=("${@:2:4}")
declare -a unique_ips
mapcidr -cl "$cidr" 2>/dev/null | \
tlsx -ex -ss -mm -re -un -timeout 1 -json 2>/dev/null | \
while read -r line; do
ip=$(echo $line | jq -r '.ip')
for key in "${search_keys[@]}"; do
if [[ "$(echo $line | tr '[:upper:]' '[:lower:]')" == \
*$(echo "$key" | tr '[:upper:]' '[:lower:]')* && \
! " ${unique_ips[@]} " =~ " $ip " ]]; then
unique_ips+=("$ip")
echo "$ip"
break
fi
done
doneWe submit a CIDR block — we'll use a Y Combinator IP address in this example — and print IP addresses with TLS records that match, like this:
$ ./tlsSearch.sh 209.216.230.240/23 "Y Combinator" test
209.216.230.239
209.216.230.240I've started a small repo called "bashful" to share bash scripts for various tasks related to web app security. I might add this new updated version to it soon.
This script might be helpful for web application security researchers and "bug bounty" hunters. If you find it helpful, let me know.
Comments
Post a Comment