Sensitive Information Disclosure
#bugbountytip Always do directory brute forcing on all sub-domains, even on 403 pages. Sometimes you will get a .git file and you can download the whole web application source code.
If you have found server (http://foo.company.com ) which redirects you immediately to http://bar.company.com , always run resources enumeration (dirb, wfuzz etc.) against http://foo.company.com
#BountyProTip: found a 401/403, basic auth, or domain that seems interesting but is somehow locked down? Look at its http://archive.org/web/ entries. Sometimes you win instantly with API keys or URL structure that you can forcefully browse to unprotected content still there.
A useful tip for finding Full Path Disclosure vulnerabilities: drop an array ([] or even [1,2,3]) into a parameter. This can produce a full path disclosure error.
Ran into an API subdomain with an empty response? You may get lucky and fetch the full API spec by hitting the following endpoints: /swagger-ui.html /swagger/swagger-ui.html /api/swagger-ui.html /v1.x/swagger-ui.html /swagger/index.html
and if you are out of luck on Swagger you may be in for some Jersey's WADL: GET /application.wadl GET /application.wadl?detail=false GET /application.wadl?detail=true OPTIONS /api OPTIONS /api/v1 .. When proxied it may also reveal reachable internal hosts
This site allows you to upload any file you wish and everything else was being filtered correctly until I thought.. what about the file extension. Content-Disposition: form-data; name="files[]"; filename='example.txt"' #bugbountytip
Sometimes you find those PATHs that forward to a login page and you can't see the content inside them (ex: /path/to/secret --> Google login). Take all these PATHs and prepend /public/ to all of them, as in /public/path/to/secret. Got access to a Jenkins instance this way.
What happens is, most companies have domains that are used internally; they intend to give a few APIs a public route, and in doing that DevOps often end up exposing more endpoints than intended.
Site was filtering for ://.theirsite.com/* and the use of "//" was only allowed if followed by their domain. \ wasn't allowed. Bypass: https:/\/www.google.com?c=://www.theirsite.com/ - On redirects always test http?://www.theirsite.com/ and work from there :) #bugbountytip
Recon tip: Want to see possible new features? Check out if the company has http://sites.google.com page. Example: https://sites.google.com/a/uber.com/sites/system/app/pages/meta/dashboard/categories …
Pro Tip - If HTTP response contains sensitive details such as passwords, credit card #'s or SSN's, check for the following headers: Cache-Control: no-cache, no-store, must-revalidate Pragma: no-cache
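The header check from the tip above, written as a small audit routine that flags a captured response when its body looks sensitive but the caching headers are absent (an added example, not part of the original tip; the raw-response format, the sensitive-content regexes and the sample responses are constructed for illustration):

```ruby
# Added example: flag HTTP responses whose body looks sensitive but whose
# headers would let a browser or proxy cache it. Assumes a raw
# "status line + headers + blank line + body" string as captured from a proxy;
# the sensitive-content patterns below are illustrative, not exhaustive.

REQUIRED_CACHE_CONTROL = %w[no-cache no-store must-revalidate].freeze
SENSITIVE_PATTERNS = {
  "card_number" => /\b(?:\d[ -]?){13,16}\b/,
  "ssn"         => /\b\d{3}-\d{2}-\d{4}\b/,
  "password"    => /"password"\s*:\s*"/i
}.freeze

# Split a raw response into its headers (names downcased) and body.
def parse_response(raw)
  head, body = raw.split(/\r?\n\r?\n/, 2)
  headers = {}
  head.lines.drop(1).each do |line|           # drop the status line
    name, value = line.split(":", 2)
    next unless value
    headers[name.strip.downcase] = value.strip
  end
  [headers, body.to_s]
end

# Cache-Control directives, downcased, with any "=value" part removed.
def cache_directives(headers)
  headers.fetch("cache-control", "").split(",").map { |d| d.strip.downcase.split("=").first }
end

# Return a list of findings; empty means the response is either not sensitive
# (by our patterns) or carries all the headers the tip asks for.
def audit_caching(raw)
  headers, body = parse_response(raw)
  hits = SENSITIVE_PATTERNS.select { |_, re| body.match?(re) }.keys
  return [] if hits.empty?
  missing = REQUIRED_CACHE_CONTROL - cache_directives(headers)
  findings = missing.map { |d| "Cache-Control lacks #{d}" }
  findings << "Pragma: no-cache missing" unless headers["pragma"].to_s.downcase.include?("no-cache")
  findings.map { |f| "#{f} (body contains #{hits.join(', ')})" }
end

# Constructed samples: a profile API echoing a card number back, once with only
# a max-age directive and once with the headers the tip recommends.
LEAKY = "HTTP/1.1 200 OK\r\nContent-Type: application/json\r\nCache-Control: max-age=3600\r\n\r\n" \
        "{\"name\":\"Alice\",\"card\":\"4111 1111 1111 1111\"}"
SAFE  = LEAKY.sub("Cache-Control: max-age=3600",
                  "Cache-Control: no-cache, no-store, must-revalidate\r\nPragma: no-cache")

puts audit_caching(LEAKY) if $PROGRAM_NAME == __FILE__
```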
Look for developers of the organisation (Linkedin, http://hunter.io , ..) and use their name in github. Look for repositories which are public but shouldn't be. #XBugBountyTips #BugBounty #bugbountytip
Found an interesting bypass: https://x.x.x.x/WEB-INF/web.xml -> 403 Forbidden https://x.x.x.x/./WEB-INF/web.xml -> 403 Forbidden https://x.x.x.x/.//WEB-INF/web.xml -> 200 OK Tomcat 8 on Windows...
Bugbounty tip: Want to find some internal code of companies or some sample codes of new features? Checkout with: site:http://repl.it intext:. In companydomain, if you know the internal domain it is even better. #bugbountytip
BugBountyTips "https://twitter.com " site:http://codegist.net
Try to recon https://storage.googleapis.com/Org-name-here you may find internal documentation which isn't supposed to be public.
If you come across a request which has diff action(s), ex - example[dot]com/someendpoint?type=search&query=test, always try different action like type=users, type= accounts, type= details, you might get some good surprises ;)
If you find that your target is running on JBoss, must try this. May be you are lucky :) Step - 1 : Try to browse admin panel of the target by https://target.com/admin-console Step - 2 : Try default credentials like admin : admin or admin : password #bugbountytip
#bugbountytips #bugbountytip I always check robots.txt and sitemap.xml when looking for directories and files.
It's quite interesting that Ruby apps by default are logging everything, including passwords and CC (yes, you've heard it right), when it reaches a controller method, unless you specify to filter them out with Rails.application.config.filter_parameters
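To show what that setting actually does to a request before it hits the log, here is a stand-alone reimplementation of the filter logic (an added example, not Rails' own code and not from the original tip). It assumes the default filter list a new Rails app ships with, case-insensitive substring matching on parameter names, and masking at every nesting level; the sample params are constructed.

```ruby
# Added example: stand-alone model of how Rails.application.config.filter_parameters
# masks request params in the log. Assumptions: DEFAULT_FILTERS mirrors the list
# generated for a new Rails app, names are matched case-insensitively as substrings
# (so :passw also hides "password_confirmation"), nested hashes/arrays are walked,
# and a matching key has its whole value replaced, even when that value is a hash.

DEFAULT_FILTERS = %i[passw secret token _key crypt salt certificate otp ssn].freeze
MASK = "[FILTERED]".freeze

# One case-insensitive regex built from the string/symbol filters.
def filter_regexp(filters)
  Regexp.new(filters.map { |f| Regexp.escape(f.to_s) }.join("|"), Regexp::IGNORECASE)
end

# Return a copy of +params+ with every value under a matching key replaced.
def filter_params(params, filters = DEFAULT_FILTERS, re = filter_regexp(filters))
  case params
  when Hash
    params.each_with_object({}) do |(key, value), out|
      out[key] = re.match?(key.to_s) ? MASK : filter_params(value, filters, re)
    end
  when Array
    params.map { |v| filter_params(v, filters, re) }
  else
    params
  end
end

# Constructed sample: what a registration controller might receive.
SAMPLE_PARAMS = {
  "user" => {
    "email" => "alice@example.test",
    "password" => "hunter2",
    "password_confirmation" => "hunter2",
    "card" => { "number" => "4111111111111111", "cvv" => "123" }
  },
  "api_token" => "abc123",
  "commit" => "Sign up"
}.freeze

# With the default list the password fields and api_token are masked, but the
# card number and CVV are not: the filter only hides what it is told to, so a
# real app must add its own card field names (e.g. :number, :cvv) to the list.
puts filter_params(SAMPLE_PARAMS).inspect if $PROGRAM_NAME == __FILE__
```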
When looking for sensitive information on public boards/repositories (eg. API keys, tokens, pwd), also look for Slack Webhooks "http://hooks.slack.com/services/ {token}", this is used to post messages on channels using the APP. More info: https://api.slack.com/incoming-webhooks …. #Bugbounty #bugbountytip
most java web apps allow bypassing common LFI filtering rules by doing the following: hxxp://domain.tld/page.jsp?include=..;/..;/sensitive.txt #bugbounty #bugbountytip #webapp #j2ee #java #tomcat
Leak PII sensitive API users' data with URL path permutations: /api/users/[email protected] -> /api/users/..%[email protected] or /api/account/123/ -> /api/account/..%2F..%2F123 Enjoy!
#bugbountytip Sometimes you can find .sql files in the /wp-content/ or /wp-content/vagrant/ directories of WordPress! P1 is coming!
When you're looking for credentials on github and can't find anything with the known keywords try : "Company name" send_keys or sendkeys ==> win
|| Github => "company name" language:python/bash send_keys
Github=> "company name" language:powershell pwd => working creds => unauthorized access
BugBountyTip: If you are playing with an API ENDPOINT, always try to send an INVALID CONTENT TYPE; you may end up getting hidden endpoints in the RESPONSE.
Shodan search RUBY DEBUG html:"secret_key_base" html:"rack.version"
Time for another #BugBountyTip : While testing file upload forms on IIS7 servers, you can get RCE by uploading ".cer" files if the ".asp" extension is blacklisted. This has already led me to multiple RCEs in #bugbounty and #pentest projects. #bugbountytips RT if you love! More comin
Quick tip - If '/something' => 403 Try - '/something/' '/something/%20' '/something.html' '/something.json' '/something/?anything' '/something#' Works sometimes Happy hacking....!!! #bugbounty #bugbountytip
#bugbountytip If you want to get account emails + passwords for any company from github, you should use this in the search: "http://target.com" password.sendkeys
#bugbounty - If you ever see any third party service being used by a company, find the admin panel, google search “Service Name Default credentials”, and login. WIN WIN WIN (most of the times). #bugbountytip #TogetherWeHitHarder
Apache server-status could be a P4 or a P1. At times, it's possible to see credentials for apps being hosted on the web server. Google dork: inurl:"server-status" intitle:"Apache Status" intext:"Apache Server Status for" #bugbountytips #Bugbounty
What are your normal testing steps when you see a 401?
If you find 403 Forbidden while testing, try the X-Original-URL and X-Rewrite-URL headers to bypass restrictions.
Tip to access a 403 forbidden page: instead of going straight to the file for example :index.html Add a / behind the index.html: index.html/. Worked multiple times for me #bugbounty #bugbountytip
#bugbountytip Check git repo for .travis or other CI files which can publicly disclose their API keys!
HTTP request headers can be a golden gem for finding vulnerabilities never miss tampering/adding these headers! https://gist.github.com/momenbasel/237e7269b738575d2ef7b8c748ad58b2…
https://twitter.com/Th3G3nt3lman/status/1264642148454072322
https://twitter.com/ManasH4rsh/status/1264909858467246082?s=20
https://twitter.com/bogdantcaciuc7/status/1292962448425844736?s=20
https://twitter.com/e11i0t_4lders0n/status/1297450625106497536?s=20
One way to find information disclosure vulnerabilities is to change the header. Change the Accept header to: Accept: application/json, text/javascript, */*; q=0.01 Some vulnerable servers reveal server version information, stack and route information.
P1 of the day [email protected]: 1- https://host => 403 forbidden 2- https://host/app => Redirect to corporate SSO 3- https://host/app/main.js => IP:8005 and Api_key 4- https://IP:8005/ => https://IP:8005/swagger/ui/index#/Admin 5- Use key in swagger => Info Disclosure
http://site.com/file.php response = nothing http://site.com/file.php~ response = source
Found a domain with #Roundcube service ?! Try to request these paths, If you are lucky you can find a log files.. .example.com/logs/errors .example.com/logs/sendmail #BugBounty #bugbountytips