Sensitive Information Disclosure

• ​#bugbountytip Always do directory Brute forcing on all sub-domain even on 403 page. Sometimes you will get .git file and you can download whole web application source code.

• ​If you have found server (http://foo.company.com ) which redirects you immediately to http://bar.company.com , always run resources enumeration (dirb, wfuzz etc.) against http://foo.company.com ​

• ​#BountyProTip: found a 401/403, basic auth, or domain that seems interesting but is somehow locked down? Look at its http://archive.org/web/ entries. Sometimes you win instantly with API keys or URL structure that you can forcefully browse to unprotected content still there.​

• ​A useful tip for finding Full Path Disclosure vulnerabilities: drop an array ([] or even [1,2,3]) into a parameter. This can produce a full path disclosure error.​

• ​Ran into an API subdomain with an empty response? You may get lucky and fetch the full API spec by hitting the following endpoints: /swagger-ui.html /swagger/swagger-ui.html /api/swagger-ui.html /v1.x/swagger-ui.html /swagger/index.html​

• ​and if you are out of luck on Swagger you may be in for some Jersey's WADL: GET /application.wadl GET /application.wadl?detail=false GET /application.wadl?detail=true OPTIONS /api OPTIONS /api/v1 .. When proxied it may also reveal reachable internal hosts​

• ​This site allows you to upload any file you wish and everything else was being filtered correctly until I thought.. what about the file extension. Content-Disposition: form-data; name="files[]"; filename='example.txt"' #bugbountytip​

• ​sometimes you find those PATHs that forwards to a login page & you can't see the content inside them. (ex: /path/to/secret --> Google login) Take all these PATHs, prepend /public/ to all of them as: /public/path/to/secret , got access to a Jenkins instance​

  ​What happens is, most companies have domains that used internally, they intend to give few APIs a public route, doing that many times DevOps end up exposing more endpoints than intended.​

• ​Site was filtering for ://.theirsite.com/* and the use of "//" was only allowed if followed by their domain. \ wasn't allowed. Bypass: https:/\/www.google.com?c=://www.theirsite.com/ - On redirects always test http?://www.theirsite.com/ and work from there :) #bugbountytip​

• ​Recon tip: Want to see possible new features? Check out if the company has http://sites.google.com page. Example: https://sites.google.com/a/uber.com/sites/system/app/pages/meta/dashboard/categories … ​

• ​Pro Tip - If HTTP response contains sensitive details such as passwords, credit card #'s or SSN's, check for the following headers: Cache-Control: no-cache, no-store, must-revalidate Pragma: no-cache​

• ​Look for developers of the organisation (Linkedin, http://hunter.io , ..) and use their name in github. Look for repositories which are public but shouldn't be. #XBugBountyTips #BugBounty #bugbountytip​

• ​Found an intersting bypass: https://x.x.x.x/WEB-INF/web.xml -> 403 Forbidden https://x.x.x.x/./WEB-INF/web.xml -> 403 Forbidden https://x.x.x.x/.//WEB-INF/web.xml -> 200 OK Tomcat 8 on Windows... ​

• ​Bugbounty tip: Want to find some internal code of companies or some sample codes of new features? Checkout with: site:http://repl.it intext:. In companydomain, if you know the internal domain it is even better. #bugbountytip​

• ​BugBountyTips "https://twitter.com " site:http://codegist.net​

• ​Try to recon https://storage.googleapis.com/Org-name-here you may find internal documentation which aren’t supposed to be public.​

• ​If you come across a request which has diff action(s), ex - example[dot]com/someendpoint?type=search&query=test, always try different action like type=users, type= accounts, type= details, you might get some good surprises ;) ​

• ​If you find that your target is running on JBoss, must try this. May be you are lucky :) Step - 1 : Try to browse admin panel of the target by https://target.com/admin-console Step - 2 : Try default credentials like admin : admin or admin : password #bugbountytip​

• ​bugbountytips #bugbountytip I was always check robots.txt and sitemap.xml when looking for directories and files.​

• ​It's quite interesting that Ruby apps by default are logging everything including passwords, CC (yes, you've heard it right) when it reaches a controller method unless you specify to filter them out with Rails.application.config.filter_parameters​

• ​When looking for sensitive information on public boards/repositories (eg. API keys, tokens, pwd), also look for Slack Webhooks "http://hooks.slack.com/services/ {token}", this is used to post messages on channels using the APP. More info: https://api.slack.com/incoming-webhooks …. #Bugbounty #bugbountytip​

• ​most java web apps allow bypassing common LFI filtering rules by doing the following: hxxp://domain.tld/page.jsp?include=..;/..;/sensitive.txt #bugbounty #bugbountytip #webapp #j2ee #java #tomcat​

• ​Leak PII sensitive API Users DATA with URL Path Permutations: /api/users/[email protected] -> /api/users/..%[email protected] or /api/account/123/ -> /api/account/..%2F..%2F123 Enjoy!​

• #bugbountytip Sometimes you can find .sql files into /wp-content/ or /wp-content/vagrant/ directories of Worpress! P1 is coming!​

• ​When you're looking for credentials on github and can't find anything with the known keywords try : "Company name" send_keys or sendkeys ==> win || Github => "company name" language:python/bash send_keys

• Github=> "company name" language:powershell pwd => working creds => unauthorized access

• ​BugBountyTip: If you playing with API ENDPOINT always try to send INVALID CONTENT TYPE end-up by getting hidden endpoints in RESPONSE​

• ​Shodan search RUBY DEBUG html:"secret_key_base" html:"rack.version"​

• ​Time for another #BugBountyTip : While testing file upload forms on IIS7 servers, you can get RCE by uploading ".cer" files if ".asp" extension is blacklisted. This already let me to multiple RCEs in #bugbounty and #pentest projects. #bugbountytips RT if you love! More coming​​​

• ​Quick tip - If '/something' => 403 Try - '/something/' '/something/%20' '/something.html' '/something.json '/something/?anything' '/something#' Works sometimes Happy hacking....!!! #bugbounty #bugbountytip​

• #bugbountytip If you want to get accounts email + password for any company from github you must should use this "http://target.com" password.sendkeys in search​

• ​#bugbounty - If you ever see any third party service being used by a company, find the admin panel, google search “Service Name Default credentials”, and login. WIN WIN WIN (most of the times). #bugbountytip #TogetherWeHitHarder​

• ​Apache server-status could be a P4 or a P1. At times, it's possible to see credentials for apps being hosted on the web server. Google dork: inurl:"server-status" intitle:"Apache Status" intext:"Apache Server Status for" #bugbountytips #Bugbounty​

• ​What are your normal testing steps when you see a 401?​

• ​if you find 403 Forbidden while testing. Try X-Original-URL and X-Rewrite-URL Headers to bypass restrictions​

• ​Tip to access a 403 forbidden page: instead of going straight to the file for example :index.html Add a / behind the index.html: index.html/. Worked multiple times for me #bugbounty #bugbountytip​

• ​#bugbountytip Check git repo for .travis or other CI files which can publicly disclose their API keys!​

​