Check for Subdomain Takeover Vulnerabilities
This enumerates subdomains and checks if they resolve. Subdomains that return NXDOMAIN may be vulnerable to takeover if they point to external services.
Replace nasa.gov with your target.
This enumerates subdomains and checks if they resolve. Subdomains that return NXDOMAIN may be vulnerable to takeover if they point to external services.
subfinder -d target.com -silent | while read sub; do host $sub; done | grep "NXDOMAIN"
Replace nasa.gov with your target.
👍12🗿6
Hey everyone!
- Access challenging, real-world environments to hone your skills.- Tackle new labs like Odyssey and Ascension as they roll out.
- Join a community of dedicated hackers pushing their skills to new heights.
Let’s hack and learn together!
Please open Telegram to view this post
VIEW IN TELEGRAM
👍3❤2🔥1
1.Use Katana to scan for document URLs:
katana -u subdomainsList -em pdf,docx | tee endpointsPDF_DOC
2. Filter for potentially unredacted files:
grep -i 'redacted.*\.pdf$' endpointsPDF_DOC | sed -E 's/[-_]?redacted//gi' | sort -u | httpx -mc 200 -sc
This script finds document URLs with "redacted" in the name, strips it out, and checks if the unredacted version is accessible.
Admins often leave these unredacted files online by mistake, making them a high-medium (P3) severity finding for bug bounty programs.
Please open Telegram to view this post
VIEW IN TELEGRAM
1❤14👍5
🚨CVE-2024-51482: A 10/10 Severity Vulnerability Exposes ZoneMinder’s SQL Databases
👇Dorks
HUNTER:/product.name="ZoneMinder"
SHODAN: http.favicon.hash:-1218152116
FOFA: app="ZoneMinder"
📰Refer: https://securityonline.info/zoneminders-cve-2024-51482-a-10-10-severity-vulnerability-exposes-sql-databases/
#ZoneMinder #SQL #hunterhow #infosec #infosecurity #OSINT #Vulnerability
👇Dorks
HUNTER:/product.name="ZoneMinder"
SHODAN: http.favicon.hash:-1218152116
FOFA: app="ZoneMinder"
📰Refer: https://securityonline.info/zoneminders-cve-2024-51482-a-10-10-severity-vulnerability-exposes-sql-databases/
#ZoneMinder #SQL #hunterhow #infosec #infosecurity #OSINT #Vulnerability
2👍7❤2
If you’re new to malware development, this playlist is a solid introduction! It covers:
• Native API
• A quick refresher on processes, threads, and handles
• Syscalls
Check it out here: YouTube Playlist
• Native API
• A quick refresher on processes, threads, and handles
• Syscalls
Check it out here: YouTube Playlist
🔥9
Source : https://github.com/securitycipher/awsome-websecurity-checklist/blob/main/Mindmaps/S3-Bucket%20Recon.png
Please open Telegram to view this post
VIEW IN TELEGRAM
1👍10❤1
Please open Telegram to view this post
VIEW IN TELEGRAM
🔥6👍4❤2
👍2
🚀 Google Dorking - SQL Errors
site:[TARGET] AND (intext:"sql syntax near" | intext:"syntax error has occurred" | intext:"incorrect syntax near" | intext:"unexpected end of SQL command" | intext:"Warning: mysql_connect()" | intext:"Warning: mysql_query()" | intext:"Warning: pg_connect()")
👍4
046b11141368df687ef66ef418b6bd91.gif
12.9 MB
Bypassing Two-Factor Authentication (2FA)
1. Flawed Two-Factor Verification Logic
- Attackers can log in with their own credentials but change the
2. Clickjacking on 2FA Disable Feature
- Try to iframe the page where 2FA can be disabled. If successful, use social engineering to trick the victim.
3. Response Manipulation
- Check the 2FA request response. If it shows "Success":false, change it to "Success":true to bypass 2FA.
1. Flawed Two-Factor Verification Logic
- Attackers can log in with their own credentials but change the
account cookie to any arbitrary username when submitting the verification code.2. Clickjacking on 2FA Disable Feature
- Try to iframe the page where 2FA can be disabled. If successful, use social engineering to trick the victim.
3. Response Manipulation
- Check the 2FA request response. If it shows "Success":false, change it to "Success":true to bypass 2FA.
👍2❤1
4. Status Code Manipulation
- If the response status code is 4XX, change it to 200 OK to bypass 2FA.
5. 2FA Code Reusability
- Request a 2FA code and use it. Then try reusing it or requesting multiple codes to check if previously requested codes expire.
6. CSRF on 2FA Disable Feature
- Request a 2FA code and use it. Then try reusing it or requesting multiple codes to check if previously requested codes expire.
7. Backup Code Abuse
- Use techniques like response/status code manipulation, brute-force, etc., to bypass backup codes and disable/reset 2FA.
8. Enabling 2FA Doesn't Expire Previous Session
- Log in to the application in two different browsers. Enable 2FA in one session. Use the other session to check if it’s still active, which could be an issue.
9. 2FA Refer Check Bypass
- Directly navigate to the page after 2FA or any authenticated page. If it doesn't work, change the refer header to the 2FA page URL.
10. 2FA Code Leakage in Response
- Capture the request when 2FA code is triggered. Check the response to see if the 2FA code is leaked.
11. JS File Analysis
- Analyze all JS files referred in the response when triggering the 2FA code request to see if any contain information to bypass 2FA.
12. Lack of Brute-Force Protection
- Request 2FA codes repeatedly. If there’s no rate limit, it’s a rate limit issue. Try brute-forcing the 2FA code.
13. Password Reset/Email Change - 2FA Disable
- Change the victim's email or password. 2FA might be disabled, depending on the organization's policy.
14. Missing 2FA Code Integrity Validation
- Use a valid 2FA code from your account in the victim's 2FA request to see if it bypasses 2FA protection.
15. Direct Request
- Directly navigate to the page after 2FA or any authenticated page. Change the refer header as if you came from the 2FA page.
16. Reusing Token
- Try reusing a previously used token inside the account to authenticate.
17. Sharing Unused Tokens
- Check if you can get a token from your account and use it to bypass 2FA in a different account.
18. Leaked Token
- Check if a token is leaked in the response from the web application.
19. Session Permission
- Use the same session to start the flow using your account and the victim's account. Complete 2FA with your account but try accessing the next step with the victim's account.
20. Password Reset Function
- Check if the password reset function logs the user in after completion. Try reusing the link to reset the password multiple times.
21. Lack of Rate Limit
- Check if there’s a limit on the number of codes you can try. Brute force if there’s no limit.
22. Flow Rate Limit but No Rate Limit
- If there’s a flow rate limit but no rate limit, you can brute force the code with enough time.
23. Re-send Code and Reset the Limit
- If24. Infinite OTP Regeneration
- If you can generate a new OTP infinitely and the OTP is simple enough (e.g., 4 numbers), you can try the same 4 or 5 tokens every time and generate OTPs until it matches.
24. Guessable Cookie
- If the "remember me" functionality uses a guessable code in a new cookie, try to guess it.
25. Guessable Cookie
- If the "remember me" functionality uses a guessable code in a new cookie, try to guess it.
26. IP Address
- If the "remember me" functionality is attached to your IP address, you can try to figure out the IP address of the victim and impersonate it using the X-Forwarded-For header.
27. Subdomains
- Check for "testing" subdomains with login functionality. They might not support 2FA or might have vulnerable versions of it.
28. APIs
- Look for APIs located under a
29. Previous Sessions
- When 2FA is enabled, previous sessions should be ended. If not, an attacker could hijack an active session
- If the response status code is 4XX, change it to 200 OK to bypass 2FA.
5. 2FA Code Reusability
- Request a 2FA code and use it. Then try reusing it or requesting multiple codes to check if previously requested codes expire.
6. CSRF on 2FA Disable Feature
- Request a 2FA code and use it. Then try reusing it or requesting multiple codes to check if previously requested codes expire.
7. Backup Code Abuse
- Use techniques like response/status code manipulation, brute-force, etc., to bypass backup codes and disable/reset 2FA.
8. Enabling 2FA Doesn't Expire Previous Session
- Log in to the application in two different browsers. Enable 2FA in one session. Use the other session to check if it’s still active, which could be an issue.
9. 2FA Refer Check Bypass
- Directly navigate to the page after 2FA or any authenticated page. If it doesn't work, change the refer header to the 2FA page URL.
10. 2FA Code Leakage in Response
- Capture the request when 2FA code is triggered. Check the response to see if the 2FA code is leaked.
11. JS File Analysis
- Analyze all JS files referred in the response when triggering the 2FA code request to see if any contain information to bypass 2FA.
12. Lack of Brute-Force Protection
- Request 2FA codes repeatedly. If there’s no rate limit, it’s a rate limit issue. Try brute-forcing the 2FA code.
13. Password Reset/Email Change - 2FA Disable
- Change the victim's email or password. 2FA might be disabled, depending on the organization's policy.
14. Missing 2FA Code Integrity Validation
- Use a valid 2FA code from your account in the victim's 2FA request to see if it bypasses 2FA protection.
15. Direct Request
- Directly navigate to the page after 2FA or any authenticated page. Change the refer header as if you came from the 2FA page.
16. Reusing Token
- Try reusing a previously used token inside the account to authenticate.
17. Sharing Unused Tokens
- Check if you can get a token from your account and use it to bypass 2FA in a different account.
18. Leaked Token
- Check if a token is leaked in the response from the web application.
19. Session Permission
- Use the same session to start the flow using your account and the victim's account. Complete 2FA with your account but try accessing the next step with the victim's account.
20. Password Reset Function
- Check if the password reset function logs the user in after completion. Try reusing the link to reset the password multiple times.
21. Lack of Rate Limit
- Check if there’s a limit on the number of codes you can try. Brute force if there’s no limit.
22. Flow Rate Limit but No Rate Limit
- If there’s a flow rate limit but no rate limit, you can brute force the code with enough time.
23. Re-send Code and Reset the Limit
- If24. Infinite OTP Regeneration
- If you can generate a new OTP infinitely and the OTP is simple enough (e.g., 4 numbers), you can try the same 4 or 5 tokens every time and generate OTPs until it matches.
24. Guessable Cookie
- If the "remember me" functionality uses a guessable code in a new cookie, try to guess it.
25. Guessable Cookie
- If the "remember me" functionality uses a guessable code in a new cookie, try to guess it.
26. IP Address
- If the "remember me" functionality is attached to your IP address, you can try to figure out the IP address of the victim and impersonate it using the X-Forwarded-For header.
27. Subdomains
- Check for "testing" subdomains with login functionality. They might not support 2FA or might have vulnerable versions of it.
28. APIs
- Look for APIs located under a
/v*/ directory. Older API endpoints might be vulnerable to 2FA bypass. 29. Previous Sessions
- When 2FA is enabled, previous sessions should be ended. If not, an attacker could hijack an active session
👍10❤1
before 2FA.
30. Improper Access Control to Backup Codes
- If there are CORS misconfigurations or XSS vulnerabilities, backup codes can be stolen and used to bypass 2FA if the username and password are known.
31. Information Disclosure
- If confidential information, like the phone number, appears on the 2FA page that wasn't known previously, it's an information disclosure vulnerability.
32. Bypass 2FA with null or 000000
- Sometimes, 2FA can be bypassed by using null or 000000 as the code.
33. Previously Created Sessions Continue Being Valid After MFA Activation
- Access the same account on two devices. Enable 2FA on one device. If the session on the other device is still active, it's an issue.
34. Enable 2FA Without Verifying the Email
- Check if you can add 2FA to your account without verifying your email.
35. Password Not Checked When Disabling 2FA
- Try to disable 2FA without checking the password. If it succeeds, it’s a vulnerability.
36. “email” MFA Mode Allows Bypassing MFA From Victim’s Device When Device Trust Is Not Expired
- Use tools like Burp Suite to intercept requests. Modify the fields to bypass 2FA using the "email" mode.
30. Improper Access Control to Backup Codes
- If there are CORS misconfigurations or XSS vulnerabilities, backup codes can be stolen and used to bypass 2FA if the username and password are known.
31. Information Disclosure
- If confidential information, like the phone number, appears on the 2FA page that wasn't known previously, it's an information disclosure vulnerability.
32. Bypass 2FA with null or 000000
- Sometimes, 2FA can be bypassed by using null or 000000 as the code.
33. Previously Created Sessions Continue Being Valid After MFA Activation
- Access the same account on two devices. Enable 2FA on one device. If the session on the other device is still active, it's an issue.
34. Enable 2FA Without Verifying the Email
- Check if you can add 2FA to your account without verifying your email.
35. Password Not Checked When Disabling 2FA
- Try to disable 2FA without checking the password. If it succeeds, it’s a vulnerability.
36. “email” MFA Mode Allows Bypassing MFA From Victim’s Device When Device Trust Is Not Expired
- Use tools like Burp Suite to intercept requests. Modify the fields to bypass 2FA using the "email" mode.
🔥7👍3❤1🗿1
A collection of awesome tools used by Web hackers. Happy hacking , Happy bug-hunting!
https://github.com/hahwul/WebHackersWeapons/blob/main/README.md
https://github.com/hahwul/WebHackersWeapons/blob/main/README.md
GitHub
WebHackersWeapons/README.md at main · hahwul/WebHackersWeapons
⚔️ Web Hacker's Weapons / A collection of cool tools used by Web hackers. Happy hacking , Happy bug-hunting - hahwul/WebHackersWeapons
❤6
⚡️uro - Using a URL list for security testing can be painful as there are a lot of URLs that have uninteresting/duplicate content; uro aims to solve that.
🔗github.com/s0md3v/uro
🔗github.com/s0md3v/uro
1❤6