#Bug_Bounty_Tips_18
🛡BugBounty_Tips
🌀Want to find critical bugs by changing a single header? Set the ‘Host’ header to ‘localhost’ in your next directory bruteforce; the results might be surprising! You might gain access to:
1️⃣Special features
2️⃣Internal endpoints
3️⃣Config files, SSL keys
4️⃣Directory listing, …
We can even take this a step further and try to identify all sites that are hosted on the target web server by performing virtual host enumeration. How to enumerate virtual hosts? We could use tools such as these:
ffuf
https-vhosts
virtual-host-discovery
Note that we could also use curl or wget:
curl -v -H "Host: localhost" https://target/
wget -d --header="Host: localhost" https://target/
☣️@InfoSecTube
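Added example, not from the original post: a Python check, meant for a server you administer, that sends the same request with several Host values and flags the ones the server routes differently from the default vhost. It assumes the constructed FakeVhostServer below as a stand-in for the misconfiguration; point probe() at your own host and port instead.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

class FakeVhostServer(BaseHTTPRequestHandler):
    """Constructed simulation of the misconfiguration: the default vhost
    answers 404, but "Host: localhost" reaches an internal vhost with /admin/."""
    def do_GET(self):
        host = self.headers.get("Host", "").split(":")[0]
        if host == "localhost" and self.path == "/admin/":
            status, body = 200, b"<h1>internal admin</h1>"
        else:
            status, body = 404, b"not found"
        self.send_response(status)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the simulation quiet
        pass

def probe(host_header, port, path, address="127.0.0.1"):
    """One GET with an explicit Host header; returns (status, body length)."""
    conn = http.client.HTTPConnection(address, port, timeout=5)
    conn.request("GET", path, headers={"Host": host_header})
    resp = conn.getresponse()
    result = (resp.status, len(resp.read()))
    conn.close()
    return result

def host_header_anomalies(port, path, baseline_host, candidate_hosts):
    """Flag Host values whose (status, length) differs from the baseline
    vhost: a difference means the server routes that name elsewhere."""
    baseline = probe(baseline_host, port, path)
    findings = {}
    for host in candidate_hosts:
        result = probe(host, port, path)
        if result != baseline:
            findings[host] = result
    return findings

def demo():
    # Run the check against the simulation on an ephemeral local port.
    server = HTTPServer(("127.0.0.1", 0), FakeVhostServer)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return host_header_anomalies(server.server_port, "/admin/",
                                     "www.example.test", ["localhost", "internal.example.test"])
    finally:
        server.shutdown()
        server.server_close()
```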
#Bug_Bounty_Tips_19
🛡BugBounty_Tips
🌀Javascript polyglot for XSS
Note that we may only need a certain portion of the polyglot, depending on our situation. Do not copy & paste blindly.
☣️@InfoSecTube
#Bug_Bounty_Tips_20
🛡BugBounty_Tips
🌀Did you know that we can find related domains and sub domains to our target by looking for the same favicon icon hash?
Simply said, favihash will allow us to discover domains that have the same favicon icon hash as our target. Grab the tool from here:
☢️favihash
☣️@InfoSecTube
#Bug_Bounty_Tips_21
🛡BugBounty_Tips
🌀 Account takeover by JWT token forging
Methodology:
✅Decompiled APK and found API endpoint
>> /signup/users/generateJwtToken
✅Sent to repeater (Burp Suite)
✅Added Auth-Token header in the request
✅Used my account’s auth token in the header
✅Removed the signature part -> It works!!
✅Changed user id in token using JOSEPH in Burp Suite
✅Got other user’s JWT token in the response
✅Account takeover!
Note that all other endpoints were properly checking the JWK token.
🔰JOSEPH
☣️@InfoSecTube
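Added example, not the reporter's code: the two decoders side by side, a signature-blind one that reproduces the bug class in the write-up and a verifying one that rejects the signature-stripped, user-id-edited token. The key, user ids and endpoint behaviour are constructed for an offline demo.

```python
import base64
import hashlib
import hmac
import json

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_hs256(claims: dict, key: bytes) -> str:
    """Mint a JWT the way a correct issuer would (HS256)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def decode_unverified(token: str) -> dict:
    """The bug pattern: claims read without a signature check, so "header.payload." passes."""
    return json.loads(_b64url_decode(token.split(".")[1]))

def decode_verified(token: str, key: bytes) -> dict:
    """Hardened form: pin the alg, require a signature, verify in constant time."""
    parts = token.split(".")
    if len(parts) != 3 or not parts[2]:
        raise ValueError("missing signature")
    header = json.loads(_b64url_decode(parts[0]))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")          # also rejects alg=none
    expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(parts[1]))

def demo() -> dict:
    """Offline replay of the write-up's token edit with a constructed key and user ids."""
    key = b"constructed-demo-key"                   # placeholder, not a real secret
    token = sign_hs256({"sub": "user-1001"}, key)
    header = token.split(".")[0]
    tampered = f"{header}.{_b64url(json.dumps({'sub': 'user-2002'}).encode())}."
    try:
        decode_verified(tampered, key)
        rejected = False
    except ValueError:
        rejected = True
    return {"genuine": decode_verified(token, key)["sub"],
            "unverified_sees": decode_unverified(tampered)["sub"],
            "verified_rejects": rejected}
```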
📊 In the table above we can see how much time hackers or intruders need to obtain or crack your password.
🛎@Infosectube
#Bug_Bounty_Tips_22
🛡BugBounty_Tips
🌀 Top 25 remote code execution (RCE) parameters
Here are the top 25 parameters that could be vulnerable to code injection and similar RCE vulnerabilities:
?cmd={payload}
?exec={payload}
?command={payload}
?execute={payload}
?ping={payload}
?query={payload}
?jump={payload}
?code={payload}
?reg={payload}
?do={payload}
?func={payload}
?arg={payload}
?option={payload}
?load={payload}
?process={payload}
?step={payload}
?read={payload}
?function={payload}
?req={payload}
?feature={payload}
?exe={payload}
?module={payload}
?payload={payload}
?run={payload}
?print={payload}
Take notice anytime you see any of these parameters. Chances are that you may be able to inject code in them in some way.
☣️@InfoSecTube
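Added example, not from the post: detection logic that walks access-log lines, pulls the query string, and flags any of the listed parameter names whose URL-decoded value carries shell metacharacters. The log lines are constructed.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# The parameter names from the list above, compared case-insensitively.
RCE_PARAMS = {
    "cmd", "exec", "command", "execute", "ping", "query", "jump", "code", "reg",
    "do", "func", "arg", "option", "load", "process", "step", "read", "function",
    "req", "feature", "exe", "module", "payload", "run", "print",
}
# Shell metacharacters that have no business in such a value once URL-decoded.
SHELL_META = re.compile(r"[;&|`$<>\n]")
# Common-log-format request line; only the fields the check needs are captured.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines, not taken from a real server.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /api/ping?host=10.0.0.1 HTTP/1.1" 200 512
203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /api/ping?cmd=ls HTTP/1.1" 200 512
203.0.113.7 - - [10/Oct/2023:13:56:01 +0000] "GET /tools?cmd=id%3Bcat%20/etc/passwd HTTP/1.1" 500 93
203.0.113.9 - - [10/Oct/2023:13:56:20 +0000] "GET /report?module=sales&print=1 HTTP/1.1" 200 2048
203.0.113.9 - - [10/Oct/2023:13:57:02 +0000] "POST /run?exec=%60whoami%60 HTTP/1.1" 403 0
"""

def scan_line(line):
    """Return (ip, param, decoded value) for every listed parameter in this
    line whose value looks like injected shell syntax; [] if none or unparsable."""
    m = LOG_LINE.match(line)
    if not m:
        return []
    hits = []
    for name, value in parse_qsl(urlsplit(m["url"]).query, keep_blank_values=True):
        if name.lower() in RCE_PARAMS and SHELL_META.search(value):
            hits.append((m["ip"], name, value))
    return hits

def scan_log(text):
    """Run scan_line over a whole log. A plain 'cmd=ls' is not flagged, only
    values carrying metacharacters, which keeps noise from benign uses down."""
    return [hit for line in text.splitlines() if line.strip() for hit in scan_line(line)]
```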
🌀Let’s remind ourselves what SSRF vulnerabilities are and what can we do with them. In general, SSRF allows us to:
1️⃣Access services on the loopback interface running on the remote server
2️⃣Scan the internal network and potentially interact with the discovered services
3️⃣Read local files on the server using the file:// protocol handler
4️⃣Move laterally / pivot into the internal environment
How to find SSRF? When the target web application allows us to access external resources, e.g. a profile image loaded from an external URL (running on a 3rd-party website), we can try to load internal resources accessible by the vulnerable web application. For example:
1️⃣We discover that the following URL works:
https://example.com:8000/page?user=&link=https://127.0.0.1:8000
2️⃣We can then run an Intruder attack (Burp Suite) trying different ports, effectively doing a port scan of the host
3️⃣We can also try to scan private IPs such as 192.168.x.x and discover alive IPs in the internal network
☣️@InfoSecTube
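Added example, not from the post: the server-side allow-check a defender would put in front of a user-supplied URL fetch (such as the link parameter above) to close off the SSRF avenues listed: loopback, private ranges and file://. The injectable resolver argument is an assumption for offline testing; the default uses socket.getaddrinfo.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

def _system_resolver(hostname):
    """Resolve a hostname to every address it maps to (A and AAAA)."""
    return {info[4][0] for info in socket.getaddrinfo(hostname, None)}

def is_safe_fetch_url(url, resolver=_system_resolver):
    """Decide whether the application may fetch this user-supplied URL: refuse
    non-HTTP schemes (file://), loopback, private, link-local and other special
    ranges, classifying every address the name resolves to rather than trusting
    the hostname string. `resolver` is injectable so the check can be tested
    offline; in production the fetch must also pin the resolved address it
    connects to, or a DNS rebind between check and fetch can still bypass it."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.hostname:
        return False
    host = parts.hostname
    try:
        addresses = {ipaddress.ip_address(host)}  # literal IP: no lookup needed
    except ValueError:
        try:
            addresses = {ipaddress.ip_address(a) for a in resolver(host)}
        except (socket.gaierror, ValueError):
            return False
    if not addresses:
        return False
    for addr in addresses:
        # Unwrap IPv4-mapped IPv6 (::ffff:127.0.0.1) before classifying.
        if addr.version == 6 and addr.ipv4_mapped is not None:
            addr = addr.ipv4_mapped
        if not addr.is_global or addr.is_multicast:
            return False
    return True
```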