Sensitive Information Disclosure

• #bugbountytip Always do directory Brute forcing on all sub-domain even on 403 page. Sometimes you will get .git file and you can download whole web application source code.

• If you have found server (http://foo.company.com ) which redirects you immediately to http://bar.company.com , always run resources enumeration (dirb, wfuzz etc.) against http://foo.company.com

• #BountyProTip: found a 401/403, basic auth, or domain that seems interesting but is somehow locked down? Look at its http://archive.org/web/ entries. Sometimes you win instantly with API keys or URL structure that you can forcefully browse to unprotected content still there.

• A useful tip for finding Full Path Disclosure vulnerabilities: drop an array ([] or even [1,2,3]) into a parameter. This can produce a full path disclosure error.

• Ran into an API subdomain with an empty response? You may get lucky and fetch the full API spec by hitting the following endpoints: /swagger-ui.html /swagger/swagger-ui.html /api/swagger-ui.html /v1.x/swagger-ui.html /swagger/index.html

• and if you are out of luck on Swagger you may be in for some Jersey's WADL: GET /application.wadl GET /application.wadl?detail=false GET /application.wadl?detail=true OPTIONS /api OPTIONS /api/v1 .. When proxied it may also reveal reachable internal hosts

• This site allows you to upload any file you wish and everything else was being filtered correctly until I thought.. what about the file extension. Content-Disposition: form-data; name="files[]"; filename='example.txt"' #bugbountytip

• sometimes you find those PATHs that forwards to a login page & you can't see the content inside them. (ex: /path/to/secret --> Google login) Take all these PATHs, prepend /public/ to all of them as: /public/path/to/secret , got access to a Jenkins instance

  What happens is, most companies have domains that used internally, they intend to give few APIs a public route, doing that many times DevOps end up exposing more endpoints than intended.

• Site was filtering for ://.theirsite.com/* and the use of "//" was only allowed if followed by their domain. \ wasn't allowed. Bypass: https:/\/www.google.com?c=://www.theirsite.com/ - On redirects always test http?://www.theirsite.com/ and work from there :) #bugbountytip

• Recon tip: Want to see possible new features? Check out if the company has http://sites.google.com page. Example: https://sites.google.com/a/uber.com/sites/system/app/pages/meta/dashboard/categories …

• Pro Tip - If HTTP response contains sensitive details such as passwords, credit card #'s or SSN's, check for the following headers: Cache-Control: no-cache, no-store, must-revalidate Pragma: no-cache

• Look for developers of the organisation (Linkedin, http://hunter.io , ..) and use their name in github. Look for repositories which are public but shouldn't be. #XBugBountyTips #BugBounty #bugbountytip

• Found an intersting bypass: https://x.x.x.x/WEB-INF/web.xml -> 403 Forbidden https://x.x.x.x/./WEB-INF/web.xml -> 403 Forbidden https://x.x.x.x/.//WEB-INF/web.xml -> 200 OK Tomcat 8 on Windows...

• Bugbounty tip: Want to find some internal code of companies or some sample codes of new features? Checkout with: site:http://repl.it intext:. In companydomain, if you know the internal domain it is even better. #bugbountytip

• BugBountyTips "https://twitter.com " site:http://codegist.net

• Try to recon https://storage.googleapis.com/Org-name-here you may find internal documentation which aren’t supposed to be public.

• If you come across a request which has diff action(s), ex - example[dot]com/someendpoint?type=search&query=test, always try different action like type=users, type= accounts, type= details, you might get some good surprises ;)

• If you find that your target is running on JBoss, must try this. May be you are lucky :) Step - 1 : Try to browse admin panel of the target by https://target.com/admin-console Step - 2 : Try default credentials like admin : admin or admin : password #bugbountytip

• bugbountytips #bugbountytip I was always check robots.txt and sitemap.xml when looking for directories and files.

• It's quite interesting that Ruby apps by default are logging everything including passwords, CC (yes, you've heard it right) when it reaches a controller method unless you specify to filter them out with Rails.application.config.filter_parameters

• When looking for sensitive information on public boards/repositories (eg. API keys, tokens, pwd), also look for Slack Webhooks "http://hooks.slack.com/services/ {token}", this is used to post messages on channels using the APP. More info: https://api.slack.com/incoming-webhooks …. #Bugbounty #bugbountytip

• most java web apps allow bypassing common LFI filtering rules by doing the following: hxxp://domain.tld/page.jsp?include=..;/..;/sensitive.txt #bugbounty #bugbountytip #webapp #j2ee #java #tomcat

• Leak PII sensitive API Users DATA with URL Path Permutations: /api/users/user@email.com -> /api/users/..%2Fuser@email.com or /api/account/123/ -> /api/account/..%2F..%2F123 Enjoy!

• #bugbountytip Sometimes you can find .sql files into /wp-content/ or /wp-content/vagrant/ directories of Worpress! P1 is coming!

• When you're looking for credentials on github and can't find anything with the known keywords try : "Company name" send_keys or sendkeys ==> win || Github => "company name" language:python/bash send_keys

• Github=> "company name" language:powershell pwd => working creds => unauthorized access

• BugBountyTip: If you playing with API ENDPOINT always try to send INVALID CONTENT TYPE end-up by getting hidden endpoints in RESPONSE

• Shodan search RUBY DEBUG html:"secret_key_base" html:"rack.version"

• Time for another #BugBountyTip : While testing file upload forms on IIS7 servers, you can get RCE by uploading ".cer" files if ".asp" extension is blacklisted. This already let me to multiple RCEs in #bugbounty and #pentest projects. #bugbountytips RT if you love! More comin

• Quick tip - If '/something' => 403 Try - '/something/' '/something/%20' '/something.html' '/something.json '/something/?anything' '/something#' Works sometimes Happy hacking....!!! #bugbounty #bugbountytip

• #bugbountytip If you want to get accounts email + password for any company from github you must should use this "http://target.com" password.sendkeys in search

• #bugbounty - If you ever see any third party service being used by a company, find the admin panel, google search “Service Name Default credentials”, and login. WIN WIN WIN (most of the times). #bugbountytip #TogetherWeHitHarder

• Apache server-status could be a P4 or a P1. At times, it's possible to see credentials for apps being hosted on the web server. Google dork: inurl:"server-status" intitle:"Apache Status" intext:"Apache Server Status for" #bugbountytips #Bugbounty

• What are your normal testing steps when you see a 401?

• if you find 403 Forbidden while testing. Try X-Original-URL and X-Rewrite-URL Headers to bypass restrictions

• Tip to access a 403 forbidden page: instead of going straight to the file for example :index.html Add a / behind the index.html: index.html/. Worked multiple times for me #bugbounty #bugbountytip

• #bugbountytip Check git repo for .travis or other CI files which can publicly disclose their API keys!

• HTTP request headers can be a golden gem for finding vulnerabilities never miss tampering/adding these headers! https://gist.github.com/momenbasel/237e7269b738575d2ef7b8c748ad58b2…

https://twitter.com/Th3G3nt3lman/status/1264642148454072322

https://twitter.com/ManasH4rsh/status/1264909858467246082?s=20

https://twitter.com/bogdantcaciuc7/status/1292962448425844736?s=20

https://twitter.com/e11i0t_4lders0n/status/1297450625106497536?s=20

• One way to find information disclosure vulnerabilities is to change the header.

  Change the Accept header to:

  Accept: application/json, text/javascript, /; q=0.01

  Some vulnerable servers reveal server version information, stack and route information

• P1 of the day on@Bugcrowd : 1- https://host =>403 forbidden 2- https://host/app =>Redirect to corporate SSO 3- https://host/app/main.js =>IP:8005 and Api_key 4- https://IP:8005/ => https://IP:8005/swagger/ui/index#/Admin 5- Use key in swagger=> Info Disclosure

• site.com/file.php response = nothing http://site.com/file.php~ response = source

• Found a domain with #Roundcube service ?! Try to request these paths, If you are lucky you can find a log files.. .example.com/logs/errors .example.com/logs/sendmail #BugBounty #bugbountytips