Brut Security
Queries: @wtf_brut
WhatsApp: wa.link/brutsecurity
Training: brutsec.com
E-mail: [email protected]
4. Status Code Manipulation
- Intercept the response to the 2FA verification request. If it is a 4XX (e.g. 401/403), change it to 200 OK and see whether the client proceeds to the authenticated area. If it does, the 2FA decision is enforced only on the client.

5. 2FA Code Reusability
- Request a 2FA code and use it. Then try reusing it or requesting multiple codes to check if previously requested codes expire.

6. CSRF on 2FA Disable Feature
- Capture the request that disables 2FA. Check whether it carries an anti-CSRF token that the server actually validates, and whether it requires the current password or a fresh 2FA code. If neither, a cross-site page can disable the victim's 2FA while they are logged in.

7. Backup Code Abuse
- Use techniques like response/status code manipulation, brute-force, etc., to bypass backup codes and disable/reset 2FA.

8. Enabling 2FA Doesn't Expire Previous Session
- Log in to the application in two different browsers. Enable 2FA in one session. Check whether the other session is still active; if it is, that's an issue.

9. 2FA Referer Check Bypass
- Directly navigate to the page after 2FA or any authenticated page. If that doesn't work, set the Referer header to the 2FA page URL, in case the server uses it to decide that 2FA was completed.

10. 2FA Code Leakage in Response
- Capture the request when 2FA code is triggered. Check the response to see if the 2FA code is leaked.

11. JS File Analysis
- Analyze all JS files referred in the response when triggering the 2FA code request to see if any contain information to bypass 2FA.

12. Lack of Brute-Force Protection
- Request 2FA codes repeatedly and submit guesses repeatedly. If there is no limit on either code requests or verification attempts, brute-force the code.

13. Password Reset/Email Change - 2FA Disable
- Change the victim's email or password. 2FA might be disabled, depending on the organization's policy.

14. Missing 2FA Code Integrity Validation
- Use a valid 2FA code from your account in the victim's 2FA request to see if it bypasses 2FA protection.

15. Direct Request
- Directly navigate to the page after 2FA or any authenticated page, with the Referer header set as if you came from the 2FA page.

16. Reusing Token
- Try reusing a previously used token inside the account to authenticate.

17. Sharing Unused Tokens
- Check if you can get a token from your account and use it to bypass 2FA in a different account.

18. Leaked Token
- Check if a token is leaked in the response from the web application.

19. Session Permission
- Use the same session to start the flow using your account and the victim's account. Complete 2FA with your account but try accessing the next step with the victim's account.

20. Password Reset Function
- Check if the password reset function logs the user in after completion. Try reusing the link to reset the password multiple times.

21. Lack of Rate Limit
- Check if there's a limit on the number of codes you can try. Brute force if there's no limit.

22. Flow Rate Limit but No Rate Limit
- If requests are only throttled (slowed down) rather than capped at a maximum number of attempts, you can still brute force the code given enough time.

23. Re-send Code and Reset the Limit
- If there is a limit on verification attempts, request a new code (re-send) and check whether the attempt counter is reset.

24. Infinite OTP Regeneration
- If you can generate a new OTP infinitely and the OTP is simple enough (e.g., 4 numbers), you can try the same 4 or 5 tokens every time and generate OTPs until it matches.

25. Guessable Cookie
- If the "remember me" functionality uses a guessable code in a new cookie, try to guess it.
26. IP Address
- If the "remember me" functionality is tied to the client IP address, try to learn the victim's IP address and spoof it with the X-Forwarded-For header. This only works where the application trusts that header for the client address.

27. Subdomains
- Check for "testing" subdomains with login functionality. They might not support 2FA or might have vulnerable versions of it.

28. APIs
- Look for APIs located under a /v*/ directory. Older API endpoints might be vulnerable to 2FA bypass.

29. Previous Sessions
- When 2FA is enabled, previous sessions should be ended. If not, an attacker could hijack an active session before 2FA.

30. Improper Access Control to Backup Codes
- If there are CORS misconfigurations or XSS vulnerabilities, backup codes can be stolen and used to bypass 2FA if the username and password are known.

31. Information Disclosure
- If confidential information, like the phone number, appears on the 2FA page that wasn't known previously, it's an information disclosure vulnerability.

32. Bypass 2FA with null or 000000
- Sometimes, 2FA can be bypassed by using null or 000000 as the code.

33. Previously Created Sessions Continue Being Valid After MFA Activation
- Access the same account on two devices. Enable 2FA on one device. If the session on the other device is still active, it's an issue.

34. Enable 2FA Without Verifying the Email
- Check if you can add 2FA to your account without verifying your email.

35. Password Not Checked When Disabling 2FA
- Try to disable 2FA without supplying the current password. If it succeeds, it's a vulnerability.

36. "email" MFA Mode Allows Bypassing MFA From Victim's Device When Device Trust Is Not Expired
- Use a tool like Burp Suite to intercept the MFA requests. Modify the mode/field values to switch the challenge to the "email" mode and check whether MFA can be bypassed.
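The checklist above is written from the attacker's side. As an added example (not part of the channel's post, and not any real product's code), here is the server-side verifier that each of those tests should fail against: codes are bound to the user they were issued to (items 14, 17), single-use and invalidated by re-issue (items 5, 16, 24), compared in constant time, never matched against null or empty input (item 32), counted toward a lockout that a re-send does not reset (items 12, 21, 23), and enabling 2FA terminates every other session (items 8, 29, 33) while disabling it needs the password plus a valid code (item 35). The in-memory store, the six-digit format and the policy constants are assumptions chosen for the example.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Constructed policy values for this example; tune them to your own threat model.
CODE_TTL_SECONDS = 300    # a code lives five minutes
MAX_ATTEMPTS = 5          # wrong guesses allowed before the account is locked
LOCKOUT_SECONDS = 900     # lock length once MAX_ATTEMPTS is reached


@dataclass
class PendingCode:
    code: str
    expires_at: float
    used: bool = False


@dataclass
class UserState:
    pending: Optional[PendingCode] = None   # at most one live code per user
    failed_attempts: int = 0
    locked_until: float = 0.0
    sessions: Set[str] = field(default_factory=set)
    mfa_enabled: bool = False


class TwoFactorVerifier:
    """In-memory server-side 2FA state (a real service keeps this in a DB/cache)."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.users: Dict[str, UserState] = {}

    def _state(self, user_id: str) -> UserState:
        return self.users.setdefault(user_id, UserState())

    def issue_code(self, user_id: str) -> str:
        """Issue a fresh code. Replacing the pending code kills every earlier code
        for this user (items 5, 24); the failure counter is left alone so that a
        re-send cannot reset a lockout (item 23)."""
        st = self._state(user_id)
        code = f"{secrets.randbelow(10**6):06d}"
        st.pending = PendingCode(code, self.clock() + CODE_TTL_SECONDS)
        return code

    def verify(self, user_id: str, submitted) -> bool:
        """Decide server-side whether `submitted` completes 2FA for user_id.
        Only this return value gates the next step; the HTTP status the client
        sees is derived from it, never the other way round (item 4)."""
        st = self._state(user_id)
        now = self.clock()
        if now < st.locked_until:
            return False
        # Shape check first: None, "" or non-digits never reach a comparison
        # that a loosely typed language might treat as equal (item 32).
        if not isinstance(submitted, str) or len(submitted) != 6 or not submitted.isdigit():
            self._fail(st, now)
            return False
        pending = st.pending
        # The code is looked up under THIS user's state, so a code issued to the
        # attacker's account never validates the victim's request (items 14, 17);
        # it must also be unexpired and not yet consumed (item 16).
        if pending is None or pending.used or now > pending.expires_at:
            self._fail(st, now)
            return False
        if not hmac.compare_digest(pending.code, submitted):
            self._fail(st, now)
            return False
        pending.used = True
        st.failed_attempts = 0
        return True

    def _fail(self, st: UserState, now: float) -> None:
        st.failed_attempts += 1
        if st.failed_attempts >= MAX_ATTEMPTS:
            st.locked_until = now + LOCKOUT_SECONDS   # items 12, 21

    def login(self, user_id: str, session_id: str) -> None:
        self._state(user_id).sessions.add(session_id)

    def enable_2fa(self, user_id: str, current_session: str) -> None:
        """Turning 2FA on keeps only the session that did it (items 8, 29, 33)."""
        st = self._state(user_id)
        st.mfa_enabled = True
        st.sessions = {current_session}

    def disable_2fa(self, user_id: str, password_verified: bool, submitted_code) -> bool:
        """Turning 2FA off needs the current password AND a valid code (items 6, 35)."""
        if not password_verified or not self.verify(user_id, submitted_code):
            return False
        self._state(user_id).mfa_enabled = False
        return True

    def session_active(self, user_id: str, session_id: str) -> bool:
        return session_id in self._state(user_id).sessions
```

The `clock` parameter exists so expiry and lockout can be exercised deterministically; in production leave it as `time.time`. Note that the lockout is keyed on the account under attack, not on the attacker's IP, which is what stops the header-spoofing and IP-rotation tricks in items 22 and 26.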
โšก๏ธuro - Using a URL list for security testing can be painful as there are a lot of URLs that have uninteresting/duplicate content; uro aims to solve that.

github.com/s0md3v/uro
1โค6
Bug Bounty Starter Pack
Want access to Bug Bounty Programs, Platforms, Guides, Books, and Real Reports?

Do Follow + Like + Retweet + DM "Bounty" on @brutsecurity_bot

#BugBounty #BugBountyTips
2โค26๐Ÿ‘3
โ˜„๏ธSQLMap Command Generatorโ˜„๏ธ

โš ๏ธhttps://acorzo1983.github.io/SQLMapCG/
โ˜„๏ธYou can try this effective manual openredirect Bypassโ˜„๏ธ

1. Null-byte injection:
   - /google.com%00/
   - //google.com%00

2. Base64 encoding variations:
   - aHR0cDovL2dvb2dsZS5jb20= (http://google.com)
   - aHR0cHM6Ly93d3cuZ29vZ2xlLmNvbQ== (https://www.google.com)
   - //base64:d3d3Lmdvb2dsZS5jb20=/ (www.google.com)

3. Case-sensitive variations:
   - //GOOGLE.com/
   - //GoOgLe.com/

4. Overlong UTF-8 sequences:
   - %C0%AE%C0%AE%2F (overlong encoding for ../)
   - %C0%AF%C0%AF%2F%2Fgoogle.com

5. Mixed encoding schemes:
   - /%68%74%74%70://google.com
   - //base64:%32%46%32%46%67%6F%6F%67%6C%65%2E%63%6F%6D
   - //base64:%2F%2Fgoogle.com/

6. Alternative domain notations:
   - //[email protected]/
   - //127.0.0.1.xip.io/
   - //0x7F000001/ (hexadecimal IP, 127.0.0.1)

7. Trailing special characters:
   - //google.com/#/
   - //google.com/;&/
   - //google.com/?id=123&//

8. Octal IP address format:
   - https://0177.0.0.1/
   - https://00177.0000.0000.0001/ (both resolve to 127.0.0.1)

9. IP address variants:
   - https://3232235777 (decimal notation of 192.168.1.1)
   - https://0xC0A80001 (hex notation of 192.168.1.1)
   - https://192.168.1.1/

10. Path traversal with encoding:
   - /..%252f..%252f..%252fetc/passwd
   - /%252e%252e/%252e%252e/%252e%252e/etc/passwd
   - /..%5c..%5c..%5cwindows/system32/cmd.exe

11. Alternate protocol inclusion:
   - ftp://google.com/
   - javascript:alert(1)//google.com

12. Protocol-relative URLs:
   - :////google.com/
   - :///google.com/

13. Redirection edge cases:
   - //google.com/?q=//bing.com/
   - //google.com?q=https://another-site.com/

14. IPv6 notation:
   - https://[::1]/
   - https://[::ffff:192.168.1.1]/

15. Double URL encoding:
   - %252f%252fgoogle.com (encoded twice)
   - %255cgoogle.com

16. Combined traversal & encoding:
   - /%2E%2E/%2E%2E/etc/passwd
   - /%2e%2e%5c%2e%2e/etc/passwd

17. Reverse DNS-based:
   - https://google.com.reverselookup.com
   - //lookup-reversed.google.com/

18. Non-standard ports:
   - https://google.com:81/
   - https://google.com:444/

19. Unicode obfuscation in paths:
   - /%E2%80%8Egoogle.com/ (U+200E left-to-right mark)
   - /%C2%A0google.com/ (U+00A0 no-break space)

20. Query parameters obfuscation:
   - //google.com/?q=https://another-site.com/
   - //google.com/?redirect=https://google.com/

21. Using @ symbol for userinfo:
   - https://admin:[email protected]/
   - https://@google.com

22. Combination of userinfo and traversal:
   - https://admin:[email protected]/../../etc/passwd
Poll Time: Are You Ready for Pro Labs?

Hey hackers! Let's see where everyone stands in their hacking journey! Hack The Box's Pro Labs offer real-world red teaming in enterprise environments – a big step up if you're looking to take your skills to the next level.

Vote and see where you stand with the community! #Cybersecurity #Hacking #ProLabs #HackTheBox
๐Ÿ‘11โค2
Which best describes you?
Anonymous Poll
45%: Beginner – I'm still learning the basics.
29%: Intermediate – I'm comfortable with CTFs and regular HTB labs.
18%: Advanced – I'm looking for real-world, red team experiences.
8%: Pro – I'm ready to dive into Pro Labs and tackle enterprise-level challenges!
Unlock That 20% Pro Labs Discount!

Alright, hackers, here's the deal: Hack The Box Pro Labs just got REAL! If you're ready to leave the beginner stuff in the dust and dive into legit red team missions, I've got an exclusive 20% off waiting for you. But here's the catch – only 100 of you can snag this deal.

Use code: brutsecurityprolabs20 at checkout for 20% off the annual Pro Labs subscription! It's high-level hacking in real enterprise environments. Ready to go pro?

Checkout Here - https://hackthebox.com/hacker/pro-labs

Jump on this quick – or you might miss the boat. #HackTheBox #LevelUp #ProLabs
โค2๐Ÿ”ฅ2๐Ÿ‘1๐Ÿ—ฟ1
Brut Security pinned ยซ๐ŸŽ‰ Unlock That 20% Pro Labs Discount! ๐ŸŽ‰ Alright, hackers, hereโ€™s the deal: Hack The Box Pro Labs just got REAL! ๐Ÿ’ฅ If youโ€™re ready to leave the beginner stuff in the dust and dive into legit red team missions, Iโ€™ve got an exclusive 20% off waiting for you.โ€ฆยป
@TheSecOpsGroup have dropped an incredible Black Friday deal โ€” 90% OFF on ALL pentesting exams with: no expiration dates, 3 different categories, and exams based on real-world scenarios!

Use Discount Code: BLACKFRIDAY-90
https://secops.group/pentesting-exams/
โ˜„๏ธ๐—”๐—ฐ๐—ฐ๐—ผ๐˜‚๐—ป๐˜ ๐—ง๐—ฎ๐—ธ๐—ฒ๐—ผ๐˜ƒ๐—ฒ๐—ฟ ๐—•๐˜‚๐—ด ๐—•๐—ผ๐˜‚๐—ป๐˜๐˜† ๐—ง๐—ถ๐—ฝ๐˜€ ๐—ณ๐—ผ๐—ฟ ๐—ก๐—ฒ๐˜„ ๐—•๐˜‚๐—ด ๐—›๐˜‚๐—ป๐˜๐—ฒ๐—ฟ๐˜€โ˜„๏ธ

โš ๏ธSimplified Tips for Account Takeover (ATO)

1. Pre-Account Takeover
- How to Hunt:
- Register an email without verifying it.
- Register again using a different method (e.g., 'sign up with Google') with the same email.
- Check if the application links both accounts.
- Try logging in to see if you can access information from the other account.

2. Account Takeover due to Improper Rate Limiting
- How to Hunt:
- Capture the login request.
- Use tools like Burp Suite's Intruder to brute-force the login.
- Analyze the response and length to detect anomalies.

3. Account Takeover by Utilizing Sensitive Data Exposure
- How to Hunt:
- Pay attention to the request and response parts of the application.
- Look for exposed sensitive data like OTPs, hashes, or passwords.

4. Login Vulnerabilities
- Check for:
- Brute-force vulnerabilities.
- OAuth misconfigurations.
- OTP brute-forcing.
- JWT misconfigurations.
- SQL injection to bypass authentication.
- Proper validation of OTP or tokens.

5. Password Reset Vulnerabilities
- Check for:
- Brute-force vulnerabilities in password reset OTPs.
- Predictable tokens.
- JWT misconfigurations.
- IDOR vulnerabilities.
- Host header injection.
- Leaked tokens or OTPs in HTTP responses.
- Proper validation of OTP or tokens.
- HTTP parameter pollution (HPP).

6. XSS to Account Takeover
- How to Hunt:
- Try to exfiltrate cookies or auth tokens.
- Craft XSS payloads to change user email or password.

7. CSRF to Account Takeover
- Check for:
- Vulnerabilities in email update endpoints.
- Vulnerabilities in password change endpoints.

8. IDOR to Account Takeover
- Check for:

- Vulnerabilities in email update endpoints.
- Vulnerabilities in password change endpoints.
- Vulnerabilities in password reset endpoints.

9. Account Takeover by Response & Status Code Manipulation
- How to Hunt:
- Look for places where manipulating the response body or status code lets the client continue a flow the server rejected, leading to account takeover.

10. Account Takeover by Exploiting Weak Cryptography
- Check for:
- Weak cryptographic implementations in password reset processes.

11. Password or Email Change Function
- How to Hunt:
- If you see email parameters in password change requests, try changing your email to the victim's email.

12. Sign-Up Function
- How to Hunt:
- Try signing up with the target email directly.
- Use third-party sign-ups with phone numbers, then link the victim's email to your account.

13. Reset Token
- How to Hunt:
- Try using your password reset token with the target account.
- Brute force the reset token if it is numeric.
- Try to figure out how the tokens are generated. For example, check if they are derived from a timestamp, user ID, or email.

14. Host Header Injection
- How to Hunt:
- Intercept the password reset request.
- Change the Host header value from the target site to your own domain (e.g., `POST /PassRest HTTP/1.1` with `Host: Attacker.com`). If the reset link in the email is built from that header, the victim's token is delivered to your domain.

15. CORS Misconfiguration to Account Takeover
- How to Hunt:
- Check if the application has CORS misconfigurations.
- If so, you might be able to steal sensitive information from the user to take over their account or make them change authentication information.
- Refer to [CORS Bypass](https://book.hacktricks.xyz/pentesting-web/cors-bypass) for more details.

16. Account Takeover via Leaked Session Cookie
- How to Hunt:
- Look for vulnerabilities where session cookies are leaked.
- Refer to [HackerOne Report 745324](https://hackerone.com/reports/745324) for more details.

17. HTTP Request Smuggling to ATO
- How to Hunt:
- Look for HTTP request smuggling vulnerabilities.
- Refer to [HackerOne Report 737140](https://hackerone.com/reports/737140) and [HackerOne Report 740037](https://hackerone.com/reports/740037) for more details.
18. Bypassing Digits Origin Validation Which Leads to Account Takeover
- How to Hunt:
- Look for vulnerabilities where Digits origin validation can be bypassed.
- Refer to [HackerOne Report 129873](https://hackerone.com/reports/129873) for more details.

19. Top ATO Reports in HackerOne
- How to Hunt:
- Review top account takeover reports in HackerOne.
- Refer to [TOP ACCOUNT TAKEOVER](https://github.com/reddelexc/hackerone-reports/blob/master/tops_by_bug_type/TOPACCOUNTTAKEOVER.md) for more details.
โค5
โšก๏ธA Simple Tip to Use Unlimited License in Sublime Textโšก๏ธ

1. Run HxD as Admin.
2. Open (Ctrl + O) and find "sublime_text.exe".
3. Search > Replace (Ctrl + R) > Hex values
4. Enter the following: Search for: 80 79 05 00 0F 94 C2 -> Replace with C6 41 05 01 B2 00 90 Search direction: All -> Replace All (only 1 instance found for me).
5. Save (Ctrl + S) then exit HxD.
6. Run Sublime Text.