Sensitive Information Disclosure

​#bugbountytip Always do directory Brute forcing on all sub-domain even on 403 page. Sometimes you will get .git file and you can download whole web application source code.
​If you have found server (http://foo.company.com ) which redirects you immediately to http://bar.company.com , always run resources enumeration (dirb, wfuzz etc.) against http://foo.company.com ​
​#BountyProTip: found a 401/403, basic auth, or domain that seems interesting but is somehow locked down? Look at its http://archive.org/web/  entries. Sometimes you win instantly with API keys or URL structure that you can forcefully browse to unprotected content still there.​
​A useful tip for finding Full Path Disclosure vulnerabilities: drop an array ([] or even [1,2,3]) into a parameter. This can produce a full path disclosure error.​
​Ran into an API subdomain with an empty response? You may get lucky and fetch the full API spec by hitting the following endpoints: /swagger-ui.html /swagger/swagger-ui.html /api/swagger-ui.html /v1.x/swagger-ui.html /swagger/index.html​
​and if you are out of luck on Swagger you may be in for some Jersey's WADL: GET /application.wadl GET /application.wadl?detail=false GET /application.wadl?detail=true OPTIONS /api OPTIONS /api/v1 .. When proxied it may also reveal reachable internal hosts​
​This site allows you to upload any file you wish and everything else was being filtered correctly until I thought.. what about the file extension. Content-Disposition: form-data; name="files[]"; filename='example.txt"' #bugbountytip​
​sometimes you find those PATHs that forwards to a login page & you can't see the content inside them. (ex: /path/to/secret --> Google login) Take all these PATHs, prepend /public/ to all of them as: /public/path/to/secret , got access to a Jenkins instance​
​What happens is, most companies have domains that used internally, they intend to give few APIs a public route, doing that many times DevOps end up exposing more endpoints than intended.​
​Site was filtering for ://.theirsite.com/* and the use of "//" was only allowed if followed by their domain. \ wasn't allowed. Bypass: https:/\/www.google.com?c=://www.theirsite.com/ - On redirects always test http?://www.theirsite.com/ and work from there :) #bugbountytip​
​Recon tip: Want to see possible new features? Check out if the company has http://sites.google.com page. Example: https://sites.google.com/a/uber.com/sites/system/app/pages/meta/dashboard/categories … ​
​Pro Tip - If HTTP response contains sensitive details such as passwords, credit card #'s or SSN's, check for the following headers: Cache-Control: no-cache, no-store, must-revalidate Pragma: no-cache​
​Look for developers of the organisation (Linkedin, http://hunter.io , ..) and use their name in github. Look for repositories which are public but shouldn't be. #XBugBountyTips #BugBounty #bugbountytip​
​Found an intersting bypass: https://x.x.x.x/WEB-INF/web.xml -> 403 Forbidden https://x.x.x.x/./WEB-INF/web.xml -> 403 Forbidden https://x.x.x.x/.//WEB-INF/web.xml -> 200 OK Tomcat 8 on Windows... ​
​Bugbounty tip: Want to find some internal code of companies or some sample codes of new features? Checkout with: site:http://repl.it intext:. In companydomain, if you know the internal domain it is even better. #bugbountytip​
​BugBountyTips "https://twitter.com " site:http://codegist.net​
​Try to recon https://storage.googleapis.com/Org-name-here  you may find internal documentation which aren’t supposed to be public.​
​If you come across a request which has diff action(s), ex - example[dot]com/someendpoint?type=search&query=test, always try different action like type=users, type= accounts, type= details, you might get some good surprises ;) ​
​If you find that your target is running on JBoss, must try this. May be you are lucky :) Step - 1 : Try to browse admin panel of the target by https://target.com/admin-console Step - 2 : Try default credentials like admin : admin or admin : password #bugbountytip​
​bugbountytips #bugbountytip I was always check robots.txt and sitemap.xml when looking for directories and files.​
​It's quite interesting that Ruby apps by default are logging everything including passwords, CC (yes, you've heard it right) when it reaches a controller method unless you specify to filter them out with Rails.application.config.filter_parameters​
​When looking for sensitive information on public boards/repositories (eg. API keys, tokens, pwd), also look for Slack Webhooks "http://hooks.slack.com/services/ {token}", this is used to post messages on channels using the APP. More info: https://api.slack.com/incoming-webhooks …. #Bugbounty #bugbountytip​
​most java web apps allow bypassing common LFI filtering rules by doing the following: hxxp://domain.tld/page.jsp?include=..;/..;/sensitive.txt #bugbounty #bugbountytip #webapp #j2ee #java #tomcat​
​Leak PII sensitive API Users DATA with URL Path Permutations: /api/users/[email protected] -> /api/users/..%[email protected] or /api/account/123/ -> /api/account/..%2F..%2F123 Enjoy!​
#bugbountytip Sometimes you can find .sql files into /wp-content/ or /wp-content/vagrant/ directories of Worpress! P1 is coming!​
​When you're looking for credentials on github and can't find anything with the known keywords try : "Company name" send_keys or sendkeys ==> win || Github => "company name" language:python/bash send_keys
Github=> "company name" language:powershell pwd => working creds => unauthorized access
​BugBountyTip: If you playing with API ENDPOINT always try to send INVALID CONTENT TYPE end-up by getting hidden endpoints in RESPONSE​
​Shodan search RUBY DEBUG html:"secret_key_base" html:"rack.version"​
​Time for another #BugBountyTip : While testing file upload forms on IIS7 servers, you can get RCE by uploading ".cer" files if ".asp" extension is blacklisted. This already let me to multiple RCEs in #bugbounty and #pentest projects. #bugbountytips RT if you love! More comin​
​Quick tip - If '/something' => 403 Try - '/something/' '/something/%20' '/something.html' '/something.json '/something/?anything' '/something#' Works sometimes Happy hacking....!!! #bugbounty #bugbountytip​
#bugbountytip If you want to get accounts email + password for any company from github you must should use this "http://target.com" password.sendkeys in search​
​#bugbounty - If you ever see any third party service being used by a company, find the admin panel, google search “Service Name Default credentials”, and login. WIN WIN WIN (most of the times). #bugbountytip #TogetherWeHitHarder​
​Apache server-status could be a P4 or a P1. At times, it's possible to see credentials for apps being hosted on the web server. Google dork: inurl:"server-status" intitle:"Apache Status" intext:"Apache Server Status for" #bugbountytips #Bugbounty​
​What are your normal testing steps when you see a 401?​
​if you find 403 Forbidden while testing. Try X-Original-URL and X-Rewrite-URL Headers to bypass restrictions​
​Tip to access a 403 forbidden page: instead of going straight to the file for example :index.html Add a / behind the index.html: index.html/. Worked multiple times for me #bugbounty #bugbountytip​
​#bugbountytip Check git repo for .travis or other CI files which can publicly disclose their API keys!​
​HTTP request headers can be a golden gem for finding vulnerabilities never miss tampering/adding these headers! https://gist.github.com/momenbasel/237e7269b738575d2ef7b8c748ad58b2…​
​
https://twitter.com/Th3G3nt3lman/status/1264642148454072322
​
https://twitter.com/ManasH4rsh/status/1264909858467246082?s=20
https://twitter.com/bogdantcaciuc7/status/1292962448425844736?s=20
https://twitter.com/e11i0t_4lders0n/status/1297450625106497536?s=20
​One way to find information disclosure vulnerabilities is to change the header.​
​Change the Accept header to:​
​Accept: application/json, text/javascript, /; q=0.01​
​Some vulnerable servers reveal server version information, stack and route information​
​P1 of the day [email protected] : 1- https://host =>403 forbidden 2- https://host/app =>Redirect to corporate SSO 3- https://host/app/main.js =>IP:8005 and Api_key 4- https://IP:8005/ => https://IP:8005/swagger/ui/index#/Admin 5- Use key in swagger=> Info Disclosure​
​s​ite.com/file.php response = nothing http://site.com/file.php~ response = source​
​Found a domain with #Roundcube service ?! Try to request these paths, If you are lucky you can find a log files.. .example.com/logs/errors .example.com/logs/sendmail #BugBounty #bugbountytips​
Server Side Request Forgery (SSRF)
Cross Site Scripting (XSS)
Last modified 11mo ago