Professional Documents
Culture Documents
Bug Bounty Methodology
Bug Bounty Methodology
** Registration page:
*** Do they allow uploading a photo? (change the extension to .pdf, .doc, .docx, .pptx, .xlxs, .txt, .xml and .svg to see
*** Display name and profile description: Again these may not be seen until after you
complete the signup process, but where are they reflected and what characters are
*** Can I register with my social media account? If yes, is this implemented via some
type of Oauth flow which contains tokens which I may be able to leak? What type social media
accounts are allowed? What information do they trust from my social media profile?
zseanos once discovered stored XSS via importing my facebook album conveniently named
<script>alert(0)</script> .
*** What characters are allowed? Is <> ' allowed in my name? (at this stage, enter the
XSS process testing. <script>Test may not work but <script does.) What about unicode, %00,
question why? Perhaps it has special privileges/features after signing up? Can you bypass
*** What happens if I revisit the register page after signing up? Does it redirect, and can
I control this with a parameter? (Most likely yes!) What happens if I re-sign up as an
authenticated user? Think about it from a developers perspective: they want the user to have
a good experience so revisiting the register page when authenticated should redirect you.
Enter the need for parameters to control where to redirect the user!
*** What parameters are used on this endpoint? Any listed in the source or javascript? Is it
the same for every language type as well device? (Desktop vs mobile)
*** If applicable, what do the .js files do on this page? Perhaps the login page has a specific
login.js file which contains more URLs. This also may give you an indication that the site
*** What does Google know about the register page? Login/register pages change often (user
inurl:join inurl:&
*** If you register with an existing username, will you be able to enumerate users?
*** Test for weak, pre-generated questions and answers (for example,favorite color, which can
easily be brute-forced).
*** Is there a redirect parameter used on the login page? Even if you don t see one being used
myemail@email.com and maybe log me in? If yes, try signup with my%00email@email.com and try for
*** Can I login with my social media account? If yes, is this implemented via some type of Oauth
flow which contains tokens which I may be able to leak? What social media accounts are allowed?
Is it the same for all countries? This would typically be related to the registration process
however not always. Sometimes you can only login via social media and NOT register, and you
connect it once logged in. (Which would be another process to test in itself!)
*** How does the mobile login flow differ from desktop?
*** Test for default credentials (for example, username=admin and password=admin).
*** Test for a lockout after a number of failed attempts for accomplishing a DOS instead.
*** Does it use CAPTCHA? It allows for defending against automated attacks.
**** Input character in the OTP field in burp and edit response field to successful response
*** When resetting your password what parameters are used? Perhaps it will be vulnerable to
IDOR (try injecting an id parameter and testing for HPP!). Is the host header trusted? Imagine
when resetting password you set the host to: Host:evil.com, will it then trust this value &
send it in the email, leading to reset password token leak when the user clicks on the link
(leading to evil.com/resetpassword?token=123)
*** Test whether a user can change someone else's password (for example, change the admin
password).
*** Does the user receive a confirmation email after the change/reset?
*** How strong (or random) are the new, temporary passwords (for password resets)?
*** Is the user forced to change the random password after his or her first login(for password
resets)?
*** For password changes, is the user required to enter his or her old password during the
changing process?
*** Is there any CSRF protection when updating your profile information? (There should be, so
expect it. Remember, we're expecting this site to be secure and we want to challenge ourselves on
bypassing their protection). If yes, how is this validated? What happens if I send a blank CSRF
*** Any second confirmation for changing your email/password? If no, then you can chain this with
XSS for account takeover. Typically by itself it isn t an issue, but if the program wants to see
%09 %07 %0d%0a - These characters should be tested everywhere possible. It's mentioned a few times,
*** If I can input my own URL on my profile, what filtering is in place to prevent something such
*** Is updating my account information different on the mobile app? Most mobile apps will use an
API to update information so maybe it's vulnerable to IDOR. As well as this, different filtering may
apply. I ve had lots of cases where XSS was filtered on the desktop site but it wasn't on the mobile
application.
*** How do they handle photo/video uploads (if available)? What sort of filtering is in place? Can I
upload .txt even though it says only .jpg .png is allowed? Do they store these files on the root
domain or is it hosted elsewhere? Even if it's stored elsewhere (example-cdn.com) check if this domain
*** What information is actually available on my public profile that I can control? The key is what
you can control how and where it is reflected. What's in place to prevent me from entering malicious
HTML in my bio for example? Perhaps they ve used html entities so < > is filtered, and it's reflected
as:
** Developer tools(Developer tools would include something such as testing webhooks, oauth flows,
graphql explorers. These are tools setup specifically for developers to explore and test various API s
publicly available.)
*** Where are they hosted? Do they host it themselves or is it hosted on AWS (usually it is. This is
important because if it is hosted on AWS then your aim will be to read AWS keys).
*** What tools are available for developers? Can I test a webhook event for example? Just google for
*** Can I actually see the response on any tools? If yes, focus on this as with the response we can
*** Can I create my own application and do the permissions work correctly? I had a bug where even if
the user clicked No when allowing an application the token returned would still have access anyway.
*** After creating an application, how does the login flow actually work? And when I disconnect the
application from my profile. Is the token invalidated? Are there new return_uri parameters used and
how do they work? One little trick is you may discover some companies whitelist certain domains for
amazonaws.com,.aws.amazon.com. http://localhost/ is common also but would not affect all users (they
*** Does the wiki/help docs reveal any information on how the API works? (zseanos once ran into a
problem where I could leak a users token but I had no idea how to use it. The wiki provided information
on how the token was authenticated and he was able to create a P1 impact). API docs also reveal more API
endpoints, plus keywords for your wordlist you're building for this target.
*** Can I upload any files such as an application image? Is the filtering the same as updating my
account information or is it using a different codebase? Just because uploading your profile photo on
example.com wasn t vulnerable doesn t mean different code is used when uploading a profile photo on
developer.example.com.
*** Can I create a separate account on the developer site or does it share the same session from the
main domain? What's the login process like if so? Sometimes you can login to the developer site
(developer.example.com) via your main session (www.example.com) there will be some type of token
exchange handled by a redirect. Enter that open url redirect you ve probably discovered by now. If it s a
brand new account then re-enter the process of seeing what s reflected & where etc. I actually prefer
when you need to sign up for a new account because it means there s more than likely going to be
different code being used, resulting in a fresh new challenge and fresh new findings.
** The main feature of the site(This can depend on the website you are using but for example if the program I choose to test
was Dropbox then I would focus on how they handle file uploads and work from there on what's available. I can connect my
dropbox account on various websites so how does the third party integration work? What about asking for certain
permissions? Or if it was AOL then I would focus on AOL Mail to start with. Go for the feature the business is built around
and should contain security and see just exactly how it works. Map their features starting from the top. This can sometimes
lead you to discover lots of features and can take up lots of time, be patient & trust the process. As you test each feature you
should overtime get a mental mind map of how the website is put together [for example, you begin to notice all requests use
GraphQL, or you discover the same parameters used throughout, xyz_id=11 . Same code? One bug equals many. ])
*** Are all of the features on the main web application also available on the mobile app? Do they work
differently at all? Sometimes you may discover some features are only available on mobile apps and
NOT desktop.Don t forget to also test various country tlds (if in scope) as you may discover different
countries offer different features (which is very common for check outs for example as different payment
*** What features are actually available to me, what do they do and what type of data is handled? Do
multiple features all use the same data source? (for example, imagine you have a shop and you may have
multiple areas to select an address for shipment. On the final checkout page, on the product page - to
estimate shipping). Is the request the same for each to retrieve this information (API), or is it different
parameters/endpoints throughout.
*** Can I pay for any upgraded features? If yes test with a paid vs free account. Can the free account
access paid content without actually paying? Typically payment areas are the most missed as
researchers are not happy to pay for potentially not finding an issue. Personally I have always found a
bug after upgrading but this may differ from program to program.
*** What are the oldest features? Research the company and look for features they were excited to
release but ultimately did not work out. Perhaps from dorking around you can find old files linked to this
*** What new features do they plan on releasing? Can I find any reference to it already on their site?
Follow them on twitter & signup to their newsletters. Stay up to date with what the company is working
on so you can get a head start at not only testing this feature when it s released, but looking for it before
it s even released (think about changing true to false?). A great article on that can be found here:
https://www.jonbottarini.com/2019/06/17/using-burp-suite-match-and-replace-settings-to-escalate-your-user-privileges-and-
find-hidden-features/
*** Do any features offer a privacy setting (private & public)? Spend time testing if something is simply
working as they ve intended it to. Is that post really private? There s no special recon or leetness
needed, you are simply looking at what s in front of you and testing if it works as intended.
*** If any features have different account level permissions (admin, moderator, user, guest) then always test the various
levels of permissions. Can a guest make API calls only a moderator should be able to? If you discover your chosen program
has various account levels then your eyes should light up with something to instantly test for.
** Payment features
*** What features are available if I upgrade my account? Can I access them without paying? Sadly
some programs will say the only impact is loss of revenue (business impact?!) and may not accept this
type of issue by itself, however from being able to upgrade from non-paying to paying you will unlock
*** Is it easily obtainable from an XSS because it s in the HTML DOM? Chain XSS to leak payment
information for higher impact. Some companies love to see impact so keep this in mind.
*** What payment options are available for different countries? I ve mentioned payment features
because a specific target required phone verification to claim ownership of a page. They introduced a
new feature to run ads and if I switched my country from the United Kingdom to the United States then
I could enter my Checking Account details. The problem is, sandbox details weren t blocked. This
allowed me to bypass all their verification mechanisms and I was granted ownership.
http://support.worldpay.com/support/kb/bg/testandgolive/tgl5103.html and
https://www.paypalobjects.com/en_GB/vhelp/paypalmanager_help/credit_card_numbers.htm
** Identify the entry points to the web page (which lead to the backend;
remember that we will use the entry points in the next steps), including:
URLs
and so on)
** Check all of the backend or third-party web services and web APIs called
** Force the URL into HTTP mode, and see if it works, or if it stays in HTTPS.
** Can we load the page without authentication? Use Request in browser incBurp (unless it's not meant to be protected).
** Try to call an admin page or resource (for example, web APIs and images) directly, with a low-level privilege.
** Test with multiple accounts that have different privileges (normal users versus admins). Use Burp's compare site maps
feature to accomplish this task.
** Check the header security best practices, making sure that the following values exist:
X-frame-options
X-content-type-options
Strict-transport-security
Content-security-policy
X-permitted-cross-domain-policies
X-XSS-protection:1;mode=block
X-content-type-options:nosniff
** Brute-force the cookie/sessionID by sending it to Burp Intruder. Choose sniper as an attack type, and for the payload
type, set it to Character Frobber.
** Make sure that a new session will be generated after each login.
** Try to decode the cookie/sessionID (or ASP.NET ViewState) using Burp Decoder.
** Check the client source code (HTML and JavaScript), looking for:
HTML comments
Debugging leftovers
** Check whether the logout button exists on all of the authenticated pages.
** Search for an ID (for example, EmployeeID= 100) in the entry points, and brute-force it using Burp Intruder. Generally,
this test will allow you to reveal other users' data (two accounts with the same privileges, for example).
** Try to access resources that the testing account is not allowed to see (for example, pictures, documents, and so on).
** Test for CSRF using Burp CSRF POC. Generally, the Burp scanner will detect it automatically.
** Try to bypass each HTML control that has client-side validation (for example, <form action='addItem.aspx'
onsubmit='return validate(this)' >); check to see whether the server side will validate it, as well.
** Test for SQL Injection by using fuzzing techniques (use Burp Intruder or Repeater), and inject the following:
'
** If you received an error message, or if the delay was executed, use SQLmap to dump the database (for the following
example, we already identified that http://10.0.0.100/index.php?id=234 is a candidate, and that the database is MySQL):
** Test for XSS by using fuzzing techniques (use Burp Intruder or Repeater
"><script>alert(1)</script>
** Test for Command Injection by using fuzzing techniques (use Burp Intruder or Repeater), and try to inject the following
(I will use the whoami command, since it exists on both Windows and Linux):
& whoami
| whoami
|| whoami
; whoami
** Test for Local File Inclusion by using fuzzing techniques (use Burp Intruder or Repeater), and try to
inject -the following (try to manually change the number of slashes to get to the correct directory):
Linux: ../../../../etc/passwd
Windows: ../../../../boot.ini
** Test for Remote File Inclusion by injecting the URL of another website
https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents
* Service Identification
** Port Scanning
*** Nmap -
* Stack Identification
** Technology Profilers
*** Nmap -
*** Builtwith
*** Wappalyzer
* Content Discovery
** JavaScript Analysis
Burp pro
Linkfinder -
ffuf -
* Application Features
*** Test for logic flaws (for example, purchasing an item with zero dollars, orapplying a randomly generated discount).
*** ATO due to 2FA Logic flow by modifying 2FA enable request after logout using the request for enabling or disabling
2FA
*** Email ATO by adding a secondary email and activating it with the primary email verification link,then change the
secondary email to the primary email
** File Uploads
**** XXE
*** IMAGE
**** RCE
**** XSS
**** LFI
*** HTML
**** XSS
*** PHP
**** RCE
** Upload+
*** After uploading, can you access the files through a URL? Can you see others users' files?
** Interesting
*** APIs
*** Errors!
**** Try to make the page generate an error;in another words, do error messages reveal clues to hackers?
** ++
* Questions To Ask
*** XSS
* Identifying hidden contents
** Robots.txt file
If you find any item in the preceding list, check its contents for juicy
How To Hunt
* RECON
** Recon workflow
IP space discovery
Dorking
Content Discovery
Parameter Discovery
ASN Discovery
Using Nmap & ASN for discoverying IP related to the targetted ASN nmap
https://whois.arin.net
https://ipinfo.io
Subdomains using ASNs using AMASS:
Discovering Brands
Crunchbase
Crunchbase: Discover innovative companies and the people behind them Owler
Accquiredby
BuiltWith
BuiltWith
Google dork:
intext:"copyright ©? org_name"
http.favicon.hash:<hash>
** Subdomain Enumeration
Well, subdomain enumeration is important when you are hunting on wildcard enable scope programs. If
you are able to get unique subdomains that other miss then it's a good chance for you to get some bugs
General Methodology
Passive Active
Permutation
Passive
In this stage you have to use as much resources as you can to passivly gather subdomains Now a days
it's not that much hard to do with community standard tools that usages API keys
Tools
Subfinder
Amass
Assetfinder
Findomain
Active
In this stage you have to perform bruteforcing on your target host to see if the word from your wordlist
resolve as valid subdomain or not
Tools
ShuffleDNS Aiodnsbrute
Permutation
In this stage you have to play around the subdomains. Now do changed with the words and see still it
resolve as valid or not
Tools
AltDNS
DNSGen + ShuffleDNS
https://pentester.land/cheatsheets/2018/11/14/subdomains-enumeration-cheatsheet.html
https://0xpatrik.com/subdomain-enumeration-2019/
https://0xpatrik.com/subdomain-enumeration-smarter/
Theres a lot you can do. For now just mentioning communty standard approaches. Will be updating it
regularly depending on the methodology comes out.
Framework
An automated framework can be used to automate those whole workflow
SEF
Steps:
Check github with company name for API keys or passswords.
Enumerate the employees of the company from linkedin and twitter and check their repositories on
github for sensitive information.
Check source code of main website and subdomains for github links in the html comments or anywhere.
Search using ctl-F and search for keyword github
https://github.com/BishopFox/GitGot?
https://github.com/hisxo/gitGraber?
https://github.com/tillson/git-hound?
https://securitytrails.com/blog/github-dorks
filename:manifest.xml
filename:travis.yml
filename:vim_settings.xml
filename:database
filename:prod.secret.exs filename:.npmrc
filename:.bash_history
filename:sftp-config.json
filename:sftp.json path:.vscode
filename:secrets.yml password
filename:.esmtprc password
filename:passwd path:etc
filename:dbeaver-data-sources.xml
path:sites databases password
filename:config.php dbpasswd filename:prod.secret.exs
filename:configuration.php JConfig password
filename:.sh_history
shodan_api_key language:python
filename:shadow path:etc
JEKYLL_GITHUB_TOKEN
filename:proftpdpasswd
filename:.pgpass
filename:idea14.key
filename:hub oauth_token
HEROKU_API_KEY language:json
HEROKU_API_KEY language:shell
SF_USERNAME salesforce
filename:.bash_profile aws
extension:json api.forecast.io
filename:.env MAIL_HOST=smtp.gmail.com
filename:wp-config.php
extension:sql mysql dump
filename:credentials aws_access_key_id
filename:id_rsa or filename:id_dsa
language:python username
language:php username
language:sql username
language:html password
language:perl password
language:shell username
language:java api
HOMEBREW_GITHUB_API_TOKEN
language:shell
GiHub Dorks for Finding API Keys, Tokens and Passwords api_key
“api keys”
authorization_bearer:
oauth
auth
authentication
client_secret
api_token:
“api token”
client_id
password
user_password
user_pass
passcode
client_secret
secret password
hash OTP
user auth
GitHub Dorks for Finding Usernames user:name
(user:admin)
in:name ( in:name)
(data in:email)
created:<2012–04–05 created:>=2011–06–12
created:2016–02–07 location:iceland
created:2011–04–06..2013–01–14 in:username
extension:pem private
mysql dump
extension:ica
googleusercontent client_secret
** Google Dorks
http.title:"BIG-IP®-Redirect" org:Org
CVE 2020-3452
CVE CVE-2019-11510
http.html:/dana-na/
1. I have add a session hijacking method in broken auth and session managment.
5.If you find xss you can stole the cookies of victim and using session hijacking you can takeover the
account of victim.
So if you find that target have weak password policy try to go for no rate limit attacks in poc shows by
creating very weak password of your account.
Host:target.com
Host:attacker.com
X-Forwarded-Host: evil.com
Referrer: https://evil.com
4.Forward this if you found that in next request attacker.com means you successfully theft the token.:)
Go to my Auth Bypass folder and there is a file otp bypass response manipulation that leads to account
takeovers.
** Using CSRF
2.Email change
Sometimes using git recon and google recon you may found files that contains critical information like
user tokens, usernames and their password.
Endpoints:(Register,Forget Password)
Steps(For Registration):
1.for registeration intercept the signup request that contains data you have entered. 2.Click on
3. Click forward.
otp.
-Try to find Email Service Provider such as AWS SES , Hubspot , Campaign Monitor N.B: You
Once you have the Email Service Provider, Check there Hard Bounce Limits. Here are the limits for
some of them:
-Hubspot Hard bounces: HubSpot's hard bounce limit is 5%. For reference, many ISPs prefer bounce
rates to be under 2%.
-AWS SES: The rate of SES ranges from first 2-5% then 5-10%
Impact: Once the Hard Bounce Limits are reached, Email Service Provider will block the Company
which means, No Emails would be sent to the Users !
Reference :
https://medium.com/bugbountywriteup/an-unexpected-bounty-email-bounce-issues- b9f24a35eb68
-As the value of password is hashed and then stored in Databases.If there is no limit on the length of the
Password, it can lead to consumption of resources for Hashing the Long Password.
How to test?
-Use a Password of length around 150-200 words to check the presense of Length Restriction
-If there is no Restriction, Choose a longer password and keep a eye on Response Time
test?
-Registration Password Field is usually restricted but the Length of Password on the Forgot Password
Page and the Change Password (As Authenticated User) Functionality is usually missing.
Resources/References:
https://www.acunetix.com/vulnerabilities/web/long-password-denial-of-service/
https://hackerone.com/reports/738569
https://hackerone.com/reports/167351
-When you set some string so long so server cannot process it anymore it cause DOS sometime
How to test
1. Create app and put field like username or address or even profile picture name parameter (
second refrence ) like 1000 character of string .
2. Search A's account from B's account either it will
?https://hackerone.com/reports/764434
* AUTHENTICATION BYPASS
** 2FA Bypasses
Technique
Analysis
2FA Disabling
Disabling Page
1. Response Manipulation
-In response if "success":false
-Change it to "success":true
-Bypassing OTP in registration forms by repeating the form submission multiple times using repeater
Steps :
1.Create an account with a non-existing phone number
2.Intercept the Request in BurpSuite
3. Send the request to the repeater and forward
4. Go to Repeater tab and change the non-existent phone number to your phone number
5. 5.If you got an OTP to your phone, try using that OTP to register that non-existent
number
** OTP Bypass Via Response Manipulation
Steps:-
-Register account with mobile number and request for OTP.
-response will be
{"verificationStatus":false,"mobile":9072346577","profileId":"84673832"}
{"verificationStatus":true,"mobile":9072346577","profileId":"84673832"}
Steps:-
-response will be
error
Steps:
1.Register 2 accounts with any 2 mobile number(first enter right otp) 2.Intercept
your request
3.click on action -> Do intercept -> intercept response to this request. 4.check
what the message will display like status:1
5.Follow the same procedure with other account but this time enter wrong otp 6.Intercept
respone to the request
7. See the message like you get status:0
8. Change status to 1 i.e, status:1 and forward the request if you logged in means you just done
authentication bypass
* Broken-Link
Hijacking Steps:
1. Manually find and click external links on the target site ( For Example:- Some Links to Social
Media Accounts or Some external Media Link)
2. While Doing Manual work also put broken-link-checker in background using below Command
interminal.
1.Now you need to check if company has the page or not , if no then register as the company or try to get
that username or url.
Alternate Step
1.Go to Online Broken Link Checker Or Alternative Online Broken Link Checker? 2.Input the
domain name
Reference
?https://edoverflow.com/2017/broken-link-hijacking/?
?https://medium.com/@bathinivijaysimhareddy/how-i-takeover-the-companys-linkedin-page-
790c9ed2b04d
* BROKEN AUTH AND SESSION MANAGEMENT
Steps:
Steps:
-Server security misconfiguration -> Lack of security headers -> Cache control for a security page
Steps :
Happy Hacking:)
Resources:Google,Youtube.
* BYPASSING CSP
** CSP Bypass
What is CSP?
CSP stands for Content Security Policy which is a mechanism to define which resources can be fetched
out or executed by a web page. In other words, it can be understood as a policy that decides which
scripts, images, iframes can be called or executed on a particular page from different locations. Content
Security Policy is implemented via response headers or meta elements of the HTML page. From there,
it’s browser’s call to follow that policy and actively block violations as they are detected.
Defining Resources
default-src 'none';
img-src 'self';
script-src 'self' https://code.jquery.com;
style-src 'self';
report-uri / cspreport
font-src 'self' https://addons.cdn.mozilla.net;
frame-src 'self' https://ic.paypal.com https://paypal.com;
media-src https://videos.cdn.mozilla.net;
object-src 'none';
Some defining resources
Some definitions
script-src: This directive specifies allowed sources for JavaScript. This includes not only URLs loaded
directly into elements, but also things like inline script event handlers (onclick) and XSLT stylesheets
which can trigger script execution.
default-src: This directive defines the policy for fetching resources by default. When fetch directives are
absent in CSP header the browser follows this directive by default.
Child-src: This directive defines allowed resources for web workers and embedded frame contents.
frame-src: This directive restricts URLs to which frames can be called out.
frame-ancestors: This directive specifies the sources that can embed the current page. This directive
applies to , , , and tags. This directive can't be used in tags and applies only to non-HTML resources.
media-src: It defines allowed sources from where media objects like , and can be loaded. object-src:
base-uri: It defines allowed URLs which can be loaded using element. form-action:
sandbox: sandbox directive enables a sandbox for the requested resource similar to the sandbox
attribute. It applies restrictions to a page's actions including preventing popups, preventing the
execution of plugins and scripts, and enforcing a same-origin policy.
default-src 'self' *
As you know the default-src policy acts a catch all policy. You also know that * acts as a wild card. So
this policy is basically saying allow any resources to be loaded. Its the same thing as not having a CSP
header! You should always look out for wildcard permissions.
You can also see the value data: this will allow you to load javascript if you have the data: element as
shown below: <iframe/src=”data:text/html,”>.
So far all of the techniques used to bypass CSP have been due to some misconfiguration or abusing
legitimate features of CSP. There are also a few other techniques which can be used to bypass the CSP.
https://accounts.google.com/o/oauth2/revoke?callback=alert(1337)
As you can see above we have our alert function being displayed on the page.
The danger comes in when a CSP header has one of these endpoints whitelisted in the script- src policy.
This would mean we could load our malicious javascript via the JSONP endpoint bypassing the CSP
policy.
This would pass because accounts.google.com is allowed to load javascript files. However, we are
abusing the JSONP feature to load our malicious javascript.
?
```something.example.com?vuln_param=https://accounts.google.com/o/oauth2/revoke?callb
ack=alert(1337)
CSP Injection Bypass
The third type of CSP bypass is called CSP injection. This occurs when user supplied input is reflected in
the CSP header. Suppose you have the following url:
-> If your input is reflected in the CSP header you should have somthing like this.
script-src something_vuln_csp; object-src 'none'; base-uri 'none'; require-trusted-types-for 'script';
report-uri https://csp.example.com;
```
This means we can control what value the script-src value is set to. We can easily bypass the CSP by
setting this value to a domain we control.
* CMS
** Wordpress
Wordpress Common Misconfiguration
Here I will try my best to mention all common security misconfigurations for Wordpress I saw before or
officially referenced. I will be attaching all poc and reference as well
Index
Wordpress Detection General
CVE-2018-6389
WP Cornjob DOS
WP User Enumeration
Wordpress Detection
Well, if you are reading this you already know about technology detection tool and methods. Still adding
them below
Wappalyzer
WhatRuns
BuildWith
xmlrpc.php
This is one of the common issue on wordpress. To get some bucks with this misconfiguration you must
have to exploit it fully, and have to show the impact properly as well.
Detection
visit site.com/xmlrpc.php
Get the error message about POST request only Exploit
Intercept the request and change the method GET to POST
List all Methods
<methodCall>
<methodName>system.listMethods</methodName>
<params></params>
</methodCall>
Check the pingback.ping mentod is there or not Perform
DDOS
<methodCall>
<methodName>pingback.ping</methodName>
<params><param>
<value><string>http://<YOUR SERVER >:<port></string></value>
</param><param><value><string>http://<SOME VALID BLOG FROM THE SITE ></string>
</value></param></params>
</methodCall>
Perform SSRF (Internal PORT scan only)
<methodCall>
<methodName>pingback.ping</methodName>
<params><param>
<value><string>http://<YOUR SERVER >:<port></string></value>
</param><param><value><string>http://<SOME VALID BLOG FROM THE SITE ></string>
</value></param></params>
</methodCall>
Tool To Automate XMLRPC-Scan.
?XMLRPC-Scan?
References
?Bug Bounty Cheat Sheet?
?Medium Writeup?
?WpEngine Blog Post?
CVE-2018-6389
This issue can down any Wordpress site under 4.9.3 So while reporting make sure that your target
website is running wordpress under 4.9.3
Detection
Use the URL from my gist called loadsxploit, you will get a massive js data in response.
?loadsxploit?
Exploit
You can use any Dos tool i found Doser really fast and it shut down the webserver within 30 second
?Doser?
?CVE Details?
?Blog Post?
WP Cornjob DOS
This is another area where you can perform a DOS attack.
Detection
visit site.com/wp-cron.php
You will see a Blank page with 200 HTTP status code Exploit
You can use the same tool Doser for exploiting this
Detection
visit site.com/wp-json/wp/v2/users/
You will see json data with user info in response Exploit
If you have xmlrpc.php and this User enumeration both presence there. Then you can chain them out by
collecting username from wp-json and perform Bruteforce on them via xmlrpc.php. It will surely show
some extra effort and increase the impact as well
Reference
?H1 Report?
Researcher Note
Please do not depend on those issues at all. I saw people only looking for those issues and nothing else.
Those are good to have a look while testing for other vulnerabilities and most of the time they work good
for chaining with other low bugs.
* CORS
** Misconfigured CORS
Here are few methods and steps you can do to check for misconfigure cors. Hunting
Step->1. Capture the target website and spider or crawl all the website using burp.
step 1-> find domains i.e subfinder -d target.com -o domains.txt step 2->
step 3-> send each alive domain into burp i.e, cat alive.txt | parallel -j 10 curl --proxy "http://127.0.0.1:8080" -sk
2>/dev/null
Both above method are manual methods so lets check an automated way Tools
https://github.com/chenjj/CORScanner
https://github.com/lc/theftfuzzer
https://github.com/s0md3v/Corsy
https://github.com/Shivangx01b/CorsMe
Automate Way :
step3-> grep all urls using waybackurls by @tomnomnom and gau tool i.e,cat alive.txt | gau | tee -a
urls.txt
Another Method
https://github.com/tomnomnom/meg https://github.com/tomnomnom/gf
https://github.com/projectdiscovery/subfinder
https://github.com/tomnomnom/assetfinder
https://github.com/Edu4rdSHL/findomain
https://github.com/projectdiscovery/httpx
Steps
3) Navigate through terminal where hosts file is located echo "/" > paths
** CORS Bypasses
- Origin:null
- Origin:attacker.com
- Origin:attacker.target.com
- Origin:attackertarget.com
- Origin:sub.attackertarget.com
- Origin:sub.attacker target.com
- Origin:sub.attacker%target.com
- Origin:attacker.com/target.com
* CSRF
https://twitter.com/hackerscrolls/status/1265217322308046849
** CSRF Bypass
Cross Site Request Forgery(CSRF)
Hello Guys, I Tried My Best To Share all The CSRF Bypasses I Know. I Hope This Will Help You.
Csrf will be login, logout, resetpass, change password, add-cart, like, comment, profie change, user
details change, blance transffer, subscription ect
-Copy a Unused Valid Token , By Dropping The Request and Use That Token
?
-Use Own CSRF Token To Feed it to Victim
?
-Remove the referer header (add this <meta name=”referrer” content=”no-referrer”> in your payload
or html code)
?
-Clickjacking
?(If you aren’t familiar with clickjacking attacks, more information can be found
https://owasp.org/www-community/attacks/Clickjacking.)
Exploiting clickjacking on the same endpoint bypasses all CSRF protection. Because technically, the
request is indeed originating from the legitimate site. If the page where the vulnerable endpoint is
located on is vulnerable to clickjacking, all CSRF protection will be rendered irrelevant and you will be
able to achieve the same results as a CSRF attack on the endpoint, albeit with a bit more effort.
* FINDING CVES
** CVES
Tools
- Google
- Twitter
- N
uclei
Steps:
Well it depends on which kind of validation the system is using …it is just verfying the extension ?? if its
just doing that then it becomes very easy to bypass and upload a PHP file or something malicious.
suppose we have to upload a JPG file so the extension must be something.jpg
so while we have to upload a JPEG file type we actaully can upload a PHAR-JPEG file which will
appear to be a JPEg file type to the server while validating. the reason is the file PHAR- JPEg file has
both the JPEG header and the PHP file also. so while uploading it didn’t get detected and later after
processing the PHP file can be used to exploit.
And at last Uploading a shell to some random websites for fun is not really cool so don’t ever try untill
unless you have the permission to test.
1.Create a malicious file with an extension that is accepted by the application. 2.Upload that
3. Capture the request in any proxy tool, edit the file extension to the malicious extension that you
want. In some cases, you might need to change the content type of a file.
* Find
Origin Identifying a
WAF
- Next, make a search using Censys and save the IP's that look to match your target in a text file.
Example: https://censys.io/ipv4?q=0x00sec.org?
- Another way you can find IP's tied to a domain is by viewing their historical
IPs. You can do this with SecurityTrails DNS trails.
https://securitytrails.com/domain/0x00sec.org/dns?
-- Here we can see what A records existed and for how long. It is so common for an administrator to
switch to a WAF solution after X amount of years of using it bare-metal, and do you think they configure
whitelisting? No of course not, it works fine!
-- you can just copy the entire table(Select full table and copy paste it in a txt file) body and use awk to
filter the IP's out.
Enumeration
1.If you enumerate your targets DNS, you may find that they have something resembling a
dev.example.com or staging.example.com subdomain, and it may be pointing to the source host with no
WAF.
?
- What we have now is a quick overview of which IP's respond to which Host header, and we can
view the title
- We went through each host, requested the IP directly with the host header, and we have our
source IP!
Setting the Host Header manually curl -s -k -H "Host: 0x00sec.org" https://<ip address>/ or set
CloudFail
- The idea is to start your normal recon process and grab as many IP addresses as you can (host,
nslookup, whois, ranges…), then check which of those servers have a web server enabled (netcat,
nmap, masscan).
- Once you have a list of web server IP, the next step is to check if the protected domain is
configured on one of them as a virtual host.
Censys
- Choose “Certificates” in the select input, provide the domain of your target, then hit \
- Click on every result to display the details and, in the “Explore” menu at the very right, choose
“IPv4 Hosts”.
- You should be able to see the IP addresses of the servers that use the certificate
- From here, grab all IP you can and, back to the previous chapter, try to access your target
through all of them.
example:
headers
- The next step is to retrieve the headers in the mails issued by your target: Subscribe the
newsletter, create an account, use the function “forgotten password”, order something… in a nutshell do
whatever you can to get an email from the website you’re testing
- Once you get an email, check the source, and especially the headers. Record all IPs you can
find there, as well as subdomains, that could possibly belong to a hosting service. And again, try to
access your target through all of them.
* HTTP_DESYNC_ATTACK
- Basics:
"HTTP request smuggling is a technique for interfering with the way a web site processes sequences of
HTTP requests that are received from one or more users. Request smuggling vulnerabilities are often
critical in nature, allowing an attacker to bypass security controls, gain unauthorized access to sensitive
data, and directly compromise other application users. " -Portswigger
Where ?:
- Any Endpoint might be Vulnerable to HTTP Desync attack.
- You can Find the Vulnerability on Non-endpoints as well, But impact is always much higher on
Sensitive Endpoints ;)
Step 1:
- Go To Repeater tab, and try various Timing based payloads to confirm the bug. More
Explaination here:
Step 2:
- Once you have successfully discovored the bug, you can chain it with various bugs eg. Account
Takeover by stealing session IDs, Cross side Scripting Attacks in User-Agent
Header,etc. More Description here:
Tools:
?1.defparam`s_smuggler.py
Usage:
- Smuggler.py :
X-Original-Url:
X-Forwarded-Server:
X-Host:
X-Forwarded-**Host**:
X-Rewrite-Url:
3.If you come accross /api.json in any AEM instance during bug hunting, try for web cache poisoning
via following
https://blog.usejournal.com/bugbounty-database-hacked-of-indias-popular-sports-company-
bypassing-host-header-to-sql-7b9af997c610
9. Bypass front server restrictions and access to forbidden files and directories through X-
Rewrite-Url/X-original-url:
* HTML-Injec
tion Summary
Password reset links are usually addressed to your account name followed by the reset link. Also if the
application allows you to have your account name with tags and special characters then you should try
this.
Steps
- HTML injection are usually considered as low to medium severity bugs but you can escalate the
severity by serving a malicious link by using <a href> for eg: <h1>attacker</h1><a
href="your-controlled-domain"Click here</a>
- You can redirect the user to your malicious domain and serve a fake reset password page to
steal credentials Also you can serve a previously found XSS page and steal user cookies etc etc.. The
creativity lies on you..
* IDOR
Testing for IDOR/Broken object level authorization:
Difficulty: Easy
Tips: Don't blindly test for changing numbers till you get PII, tools can do this for you Finding
1. What do they use for authorization?(JWT, API Keys, cookies, tokens) Tip: Find this out by
replacing high privaledge authorization with lower privaledge authorization and seeing what the server
responds with
2. Understand how they use ID's, hashes, and their API. Do this by looking at the API
Documentations if they have one.
Every time you see a new API endpoint that receives an object ID from the client, ask yourself the
following questions:
- What are the different possible roles in the API?(For example — user, driver, supervisor,
manager)
GET /api_v1/messages?user_id=YOUR_USER_ID[]&user_id=ANOTHER_USERS_ID[]
POST /api/get_profile
Content-Type: application/json
{“user_id”:<legit_id>,”user_id”:<victim’s_id>}
- Try to send a wildcard(*) instead of an ID. It’s rare, but sometimes it works.
- If it is a number id, be sure to test through a large amount of numbers, instead of just guessing
1. Lets say you find a low impact IDOR, like changing someone elses name, chain that with XSS
and you have stored XSS!
2. If you find IDOR on and endpoint, but it requires UUID, chain with info disclosure endpoints
that leak UUID, and bypass this!
3. If none of these work, get creative and ask
around! Reference
?https://twitter.com/swaysThinking/status/1301663848223715328
* JWT Attack
FIRST IF YOU DON'T KNOW WHAT IS JWT YOU MUST READ AND WATCH BELOW
RESOURCES
https://twitter.com/BHinfoSecurity/status/1299743624553549825?s=09 https://youtu.be/ghfmx4pr1Qg (
https://medium.com/ag-grid/a-plain-english-introduction-to-json-web-tokens-jwt-what-it-is-
and-what-it-isnt-8076ca679843
- Pentester's Lab
```
It is an authentication type
It consists of header,payload,Signature
```
Header
"alg" : "HS256",
"typ" : "JWT"
Payload
"loggedInAs" : "admin",
"iat" : 1422779638
Signature
HMAC-SHA256 (
secret,
base64urlEncoding(header) + '.' +
base64urlEncoding(payload)
Example
"alg" : "NONE",
"typ" : "JWT"
``` Payload
{"loggedInAs":"admin","iat":1422779638}
5. Brute forcing the key in hs256 because it use same key to sign and verify means
publickey=private key
1) Create a account
2) Inspect the token
3) Base64 decode the header
4) If any Kid= parameter are there so you can find some bugs
5) Using that parameter you can also find directory traversal , i tell you how
6) Change that kid= parameter with you directory traversal payload
7) Change payload {"user":"admin"}
8) Create a python script that generate a exploit token. (If you want that script so dm me in Twitter
)
9) Put that token and reload the page
10) Done
```
TOOLS TO USE
(Link - https://github.com/portswigger/json-web-token-attacker)
- Base64 decoder
https://github.com/ticarpi/jwt_tool.git)
SOURCES:
Youtube,Medium,Github,Google
* MFA Bypasses
- Rate limit
- 2FA bypass by substituting part of the request from the session of another account.
1. If a parameter with a specific value is sent to verify the code in the request, try sending the
value from the request of another account.
?
2. For example, when sending an OTP code, the form ID/user ID or cookie is checked, which is
associated with sending the code. If we apply the data from the parameters of the account on which you
want to bypass code verification (Account 1) to a session of a completely different account (Account 2),
receive the code and enter it on the second account, then we can bypass the protection on the first
account. After reloading the page, 2FA should disappear.
Many sites that support 2FA, have a “remember me” functionality. It is useful when the user doesn’t
want to enter a 2FA code on subsequent login windows. And it is important to identify the way in which
2FA is “remembered”. This can be a cookie, a value in session/local storage, or simply attaching 2FA to
an IP address.
Site.com requests Facebook for OAuth token > Facebook verifies user account > Facebook send
callback code > Site.com logs a user in (Rare case)
-- Bypassing 2fa using response manipulation
Enter correct OTP -> Intercept & capture the response -> logout -> enter wrong OTP -> Intercept &
change the response with successful previous response -> logged in
Signup for two account -> Login into attacker account & capture the disable 2FA request -> generate
CSRF POC with .HTML extension -> Login into victim account and fire the request —
— -> It disable 2FA which leads to 2FA Bypass.
* MISCONFIGURATIONS
https://www.target.com/admin
https://www.target.com/admin-console
https://www.target.com/console
https://admin.target.com
https://admin-console.target.com https://console.target.com
Getting access through third party services
When the admin console login page is working on a third party service,then just search for it's default
credentials on Google
Hackerone Reports :
?https://hackerone.com/reports/192074?
?https://hackerone.com/reports/174883?
?https://hackerone.com/reports/398797? Source :
?https://www.owasp.org/index.php/Testing_for_default_credentials_(OTG-AUTHN-002)
https://www.owasp.org/index.php/Testing_for_Default_or_Guessable_User_Account_(OWAS
P-AT-003)
* OAuth
* OPEN REDIRECT
"I apply this everytime while testing web applications and found many Open Redirects and even an XSS
using this trick!"
Steps:
1. If the Applictaion have a user Sign-In/Sign-Up feature, then register a user and log in as the
user.
4.Logout and Clear all the cookies and go to the homepage of the site. 5.Paste
6. If the site prompts for a login , check the address bar , you may find the login page with a
redirect parameter like the following
?- https://samplesite.me/login?next=accounts/profile?
?- https://samplesite.me/login?retUrl=accounts/profile?
7. Try to exploit the parameter by adding an external domain and load the crafted URL eg:-
https://samplesite.me/login?next=https://evil.com/ (or)
https://samplesite.me/login?next=https://samplesite.me@evil.com/ #(to beat the bad regex filter)
8. If it redirects to evil.com , thers's your open redirection bug.
This bypass I found in a application while I doing pentesting. I hope it will helps you too!
5.Due to the bad regex it has been successfully bypass their protection!
* PARAMETER POLLUTION
Steps:
1.Sent a password reset request using forget password
2.Check your email
3. copy your reset page link and paste in another tab and make burp intercept on.
4. Look for every request if you find similiar token that is in reset link with other domain like:
bat.bing.com or facebook.com
5. Than there is reset password token leakage.
** Account_Takeover_By_Password_Reset_Functionality
1. email= victim@gmail.com&email=attacker@gmil.com
2. email= victim@gmail.com%20email=attacker@gmil.com
3. email= victim@gmail.com |email=attacker@gmil.com
4. email= victim@gmail.com%0d%0acc:attacker@gmil.com
5. email= victim@gmail.com&code= my password reset token
* RATE LIMIT
X-Forwarded-For: IP
X-Forwarded-IP: IP
X-Client-IP: IP
X-Remote-IP: IP
X-Originating-IP: IP
X-Host: IP
X-Client: IP
X-Forwarded-For:
X-Forwarded-For: IP
X-Forwarded-By: 127.0.0.1
X-Forwarded-For: 127.0.0.1
X-Forwarded-For-Original: 127.0.0.1
X-Forwarder-For: 127.0.0.1
X-Forward-For: 127.0.0.1
Forwarded-For: 127.0.0.1
Forwarded-For-Ip: 127.0.0.1
X-Custom-IP-Authorization: 127.0.0.1
X-Originating-IP: 127.0.0.1
X-Remote-IP: 127.0.0.1
X-Remote-Addr: 127.0.0.1
- Adding Null Byte ( %00 ) at the end of the Email can sometimes Bypass Rate Limit.
- Some Common Characters that help bypassing Rate Limit : %0d , %2e , %09 , %20 , %0, %00,
%0d%0a, %0a, %0C
- Adding a slash(/) at the end of api endpoint can also Bypass Rate Limit. domain.com/v1/login
-> domain.com/v1/login/
- Try changing the user-agent, the cookies... anything that could be able to identify you
- If they are limiting to 10 tries per IP, every 10 tries change the IP inside the header.
Change other headers
- Burp Suite's Extension IP Rotate works well in many cases. Make sure you have Jython
installed along.
https://medium.com/@huzaifa_tahir/methods-to-bypass-rate-limit-5185e6c67ecd Reference
https://twitter.com/m4ll0k2/status/1294983599943540738/photo/1
https://twitter.com/SalahHasoneh1/status/1287366496432332800
* SQL Injection
Here are some quick methods to detect the SQL Injection vulnerability, though the methods are not
limited. There are various tricks and tools.
1. Using Burpsuite :
1. Capture the request using burpsuite.
4. Once the scan is finished, look for SQL vulnerability that has been detected.
1. sublist3r -d target | tee -a domains (you can use other tools like findomain, assetfinder, etc.)
2. Gather all urls using hakcrawler, waybackurls, gau for the domain and subdomains.
3. You can use the same method described above in 2nd point.
Post-Methods
' ORDER BY 1 --
ORDER BY 3 --
(Using NULL maximizes the probability that the payload will succeed. NULL can be converted to every
commonly used data type.)
https://portswigger.net/web-security/sql-injection/union-attacks
3. Extracting basic information like database(), version(), user(), UUID() with concat() or
group_concat()
1. Database version
2. Database contents
4. Using group_concat() function, used to concat all the rows of the returned results.
4. Accessing system files with load_file(). and advance exploitation afterwards : '
5. Bypassing WAF :
3. URL encoding
for example :
Can also use double encoding, if single encoding doesn't works. Use hex encoding if the rest doesn't
work.
- For more step wise detailed methods, go through the link below.
https://owasp.org/www-community/attacks/SQL_Injection_Bypassing_WAF
SQLMAP. https://github.com/m4ll0k/Atlas
https://forum.bugcrowd.com/t/sqlmap-tamper-scripts-sql-injection-and-waf-bypass/423
6. Time Delays :
Oracle dbms_pipe.receive_message(('a'),10)
7. Conditional Delays :
'0:0:10'
Resources and tools that will help gain an upper hand on finding bugs :
- GF patterns - https://github.com/1ndianl33t/Gf-Patterns
- GF (Tomnomnom)- https://github.com/tomnomnom/gf
- Waybackurls - https://github.com/tomnomnom/waybackurls
- Gau - https://github.com/lc/gau
- Arjun - https://github.com/s0md3v/Arjun
- Hakcrawler - https://github.com/hakluke/hakrawler
* SSRF
What's SSRF ??
SSRF is a type of exploit where an attacker abuses the functionality of a server causing it to access or
manipulate information in the realm of that server that would otherwise not be directly accessible to the
attacker.
3.SSRF's are more in API's so crawl the whole web app with burp proxy turned on and search for
keywords like., eg :
?url=
?uri=
?req=
etc.....
Sign up with an Email like blabla.collaborator.net. If u receive HTTP req. in collaborator then its SSRF.
But if there's no impact Don't Report it :) DNS and SMTP req. Doesn't matters.
AWS Metadata
http://169.254.169.254/latest/meta-data/
http://169.254.169.254/latest/user-data/
http://169.254.169.254/latest/meta-data/iam/security-credentials/IAM_USER_ROLE_HERE
http://169.254.169.254/latest/meta-data/iam/security-credentials/flaws/
Source: https://twitter.com/ADITYASHENDE17/status/1305051512335298562?
Escalation
SSRF can be Escalated to RCE :) [Impact High]
If there's no impact! on your SSRF rather than a redirect try to escalate it to XSS.
** Blind SSRF
Blind SSRF's are those that don't show enumerated data directly to the user and hence are known as
blind SSRF.
Different Methods:
Methodology #1:
Header Injection:
One way of finding them is by inserting your burp collaborator domain into the referrer header also
known as host header injection.
Snippet:
Many organizations use services that analyse which url or service is referring the visitor to their site.
Execution of this type of attack depends upon the underlying service in my case the server was running
on an aws ec2 instance but i was unable to get to it's admin panel namely (192.168.192.168) as it was
only performing a lookup on me but not allowing anythng beyond that. Try it on different sites and
services that you come across you just might get lucky.
I will list more as i find if you have found any please kindly list them here so that other's beneift from it.
* SSTI
* Status_Code_Bypass
** 403 Bypass
403 Bypass
I am sharing all this tips and techniques from my own personal experience there no official references
for that
Directory Based
If you see directory with no slash at end then do these acts there
File Base
If you see file without any slash at end then do these acts there
Protocol Base
Well, sound wired but check out the example for better understanding
Payloads
/
/*
/%2f/
/./
./.
/*/
Header
?https://observationsinsecurity.com/2020/08/09/bypassing-403-to-get-access-to-an-admin-
console-endpoints/?
X-Forwarded-For: 127.0.0.1
Tools
Here is a Tool I found on twitter.
?https://github.com/yunemse48/403bypasser
* Subdomain
Takeover Basics
DNS
When a web address is accessed eg. "www.xyz.com", a DNS query is performed across a DNS server
with the host name.
The DNS server takes the hostname and resolves it into a numeric IP address CNAME
Now due to whatever reason, the company decides to stop utilizing this service and to save some bucks,
the company cancels the subscription of the 3rd party cloud service provider.
But, the company forgets to update or simply remove the CNAME record in the DNS zone file
Since the CNAME record is not deleted from company.com DNS zone, anyone who registers
xyz.cloudservice.com has full control over xyz.company.com until the DNS record is present.
1. Subdomain Enumeration
Use the following tools to enumerate subdomains
?Assetfinder?
?Subfinder?
?Findomain?
?Subjack?
?SubOver?
You can also verify if the subdomain is vulnerable or not by going through common error pages.
?https://github.com/EdOverflow/can-i-take-over-xyz?
If you cannot find your engine in the above repository, Google is your friend ! Case :
case the attacker can directly buy that domain and host his/her content.
1. Method by @Virdoex_hunter?
Easy Subdomain Takeover Method
Step:
?
4::Grab all the CNAME Entries i.e, cat digs.txt | grep CNAME
?
5:Find a domain that is pointed to third party domain like sub.exampple.com CNAME x.aws.com
?
7:Go to host provider where the domain is pointed to and register that domain if you registered congrats
you have takeover the subdomain.
2. Method by @WhoIs1nVok3r?
Step-2:- Next sort out duplicate URLs using -- cat unresolved | sort -u | tee -a resolved
?
Step-4:- We can also use nuclei templates but we need to first use httpx -- cat resolved | httpx
| tee -a hosts
?
Tools Used:-
?
https://github.com/projectdiscovery/nuclei
https://github.com/projectdiscovery/subfinder
https://github.com/projectdiscovery/httpx
https://github.com/projectdiscovery/nuclei-templates
https://github.com/projectdiscovery/chaos-client
https://github.com/haccer/subjack
https://github.com/LukaSikic/subzy
* Tabnabbing
Even though this vulnerability is rated by many bug bounty programs as a low severity bug, it is worth
looking for it as it is very easy to find.
How to exploit:
1. Attacker posts a link to a website under his control that contains the following JS code:
window.opener.location = "http://evil.com"
2. He tricks the victim into visiting the link, which is opened in the browser in a new tab.
3. At the same time the JS code is executed and the background tab is redirected to the website
evil.com, which is most likely a phishing website.
4. If the victim opens the background tab again and doesn't look at the address bar, it may happen
that he thinks he is logged out, because a login page appears, for example.
5. The victim tries to log on again and the attacker receives the credentials
How to search for it:
As already mentioned, you have to search for the following link formats:
* WAF BYPASSES
X-Forwarded-Host
X-Forwarded-Port
X-Forwarded-Scheme Origin:
nullOrigin: [siteDomain].attacker.com
X-Frame-Options: Allow
X-Forwarded-For: 127.0.0.1
X-Client-IP: 127.0.0.1
Client-IP: 127.0.0.1
Proxy-Host: 127.0.0.1
Request-Uri: 127.0.0.1
X-Forwarded: 127.0.0.1
X-Forwarded-By: 127.0.0.1
X-Forwarded-For: 127.0.0.1
X-Forwarded-For-Original: 127.0.0.1
X-Forwarded-Host: 127.0.0.1
X-Forwarded-Server: 127.0.0.1
X-Forwarder-For: 127.0.0.1
X-Forward-For: 127.0.0.1
Base-Url: 127.0.0.1
Http-Url: 127.0.0.1
Proxy-Url: 127.0.0.1
Redirect: 127.0.0.1
Real-Ip: 127.0.0.1
Referer: 127.0.0.1
Referrer: 127.0.0.1
Refferer: 127.0.0.1
Uri: 127.0.0.1
Url: 127.0.0.1
X-Host: 127.0.0.1
X-Http-Destinationurl: 127.0.0.1
X-Http-Host-Override: 127.0.0.1
X-Original-Remote-Addr: 127.0.0.1
X-Original-Url: 127.0.0.1
X-Proxy-Url: 127.0.0.1
X-Rewrite-Url: 127.0.0.1
X-Real-Ip: 127.0.0.1
X-Remote-Addr: 127.0.0.1
X-Custom-IP-Authorization:127.0.0.1
X-Originating-IP: 127.0.0.1
X-Remote-IP: 127.0.0.1
X-Original-Url:
X-Forwarded-Server:
X-Host:
X-Forwarded-Host:
X-Rewrite-Url:
Way
- Try above mentioned when Resetting Password , Creating Account , Changing Password from
Account Settings
Second Way
- Check if you can use Password some Weak Passwords such as 123456, 111111 , abcabc ,
qwerty123
- Try above mentioned when Resetting Password , Creating Account , Changing Password from
Account Settings
- Applications usually have Restrictions on Password while Creating Account, Make sure you
check for both the cases when Resetting Password
* XSS
One Awesome mind map for approach to reflected xss can be found here
https://github.com/A9HORA/Reflected-XSS-Mindmap Made By @A9HORA?
Tip: While using other methods put method 2 in background in terminal or on vps
1. Using Burp
Download Reflection and sentinal plugin for burp. Walk
Filter the parameters using grep "=" or gf patterns and store it in a new file. Now
Now search for links which have params by adding more dorks something like site:target.com
inurl:".php?" or site:target.com filetype:php etc
Check if the param value is getting reflected in html source code Try Xss
You can Manually Check Right Click View Page Source and search for var= , ="" , =''.
5. Other Methods
Use Methods 1 or 2 to Gather the urls
Check the error pages (404,403,..) sometimes they contain reflected values Trigger
Video's
?https://www.youtube.com/watch?v=wuyAY3vvd9s?
?https://www.youtube.com/watch?v=GsyOuQBG2yM?
?https://www.youtube.com/watch?v=5L_14F-uNGk?
?https://www.youtube.com/watch?v=N3HfF6_3k94?
Stored Xss are mostly found manually 1. Enumerate the Firewall using above Methods and select a
payload to test accordingly. 2. Try that selected WAF bypass payload while registering on a site in fields
like username, name, address, email, etc. 3. Try Payload in File name of profile picture and also in the
source file of image. 4. Try in Comment section anywhere on target site. 5. Try on every input fields
which get reflected in page and which can be seen by other users. 6. Try to signup using your name +
xss payload and that can lead to stored xss. Tips
?https://www.youtube.com/watch?v=uHy1x1NkwRU?
Writeup:
-https://medium.com/@fatin151485/how-i-found-my-first-stored-xss-on-popular-eboighar-
com-6bd497b0bb96?
** Blind Xss
Similar to Reflected Xss Or Stored Xss But you Dont get any reflection, but you get response on you
server.
Similar methods As given above except try putting payload which can give a callback on your server
when executed.
Tips
Copy every payload from your xsshunter payloads section and paste it into every field you see XSS
Generate some variations of your payloads (example replace < with <)
** DOM XSS
Tips
< and > can be replace with html entities < and >
You can try an XSS polyglot
javascript:/*-
-></title></style></textarea></script></xmp><svg/onload='+/"/+/onmouseover=1/+/[*/[]/+ale
rt(1)//'>
?https://gist.github.com/michenriksen/d729cd67736d750b3551876bbedbe626? XSS
Firewall Bypass Techniques
Check if the firewall is blocking only lowercase
Ex:- <scRipT>alert(1)</scRipT>
Try to break firewall regex with the new line(\r\n)
Ex:- <script>%0alert(1)</script>
Try Double Encoding
Ex:- %2522
Testing for recursive filters, if firewall removes text in red, we will have clear payload
Ex:- <src<script>ipt>alert(1);</scr</script>ipt>
Injecting anchor tag without whitespaces
Ex:- <a/href="j	a	v	asc	ri	pt:alert(1)">
Try to bypass whitespaces using Bullet
Ex:- <svg•onload=alert(1)>
Try to change request method
https://github.com/heilla/SecurityTesting/blob/master/HuntingCheckList.md
** Automated XSS
Make sure you have Go installed on your Machine To
Install Go on your Machine:
sudo apt install -y golang export
GOROOT=/usr/lib/go export
GOPATH=$HOME/go
export PATH=$GOPATH/bin:$GOROOT/bin:$PATH source
.bashrc
How to Hunt XSS using QuickXSS?
* XXE Methods
These are my methods to check and hunt for XML External Entities. I might be missing a lot of things but
as the community believe in "sharing is caring" by @CXVVMVII.
Methods
2. File Uploads allows for docx/xlcs/pdf/zip , unzip the package and add your evil xml code into
the xml files.
4. If the web app offers RSS feeds , add your milicious code into the RSS.
5.Fuzz for /soap api , some applications still running soap apis
6.If the target web app allows for SSO integration, you can inject your milicious xml code in the SAML
request/reponse