Book of BugBounty Tips
  • Introduction
  • OSINT / Recon
  • API
  • Cross Site Request Forgery (CSRF)
  • Server Side Request Forgery (SSRF)
  • Sensitive Information Disclosure
  • Cross Site Scripting (XSS)
  • CRLF
  • Remote Code Execution (RCE)
  • Email Related
  • File Upload
  • Open Redirect
  • IDOR
  • Injection
  • XXE
  • Local / Remote File Inclusion
  • Authentication / Authorization
  • Account Takeover
  • Application Login
  • Clickjacking
  • Parameter Pollution
  • Fuzzing
  • Application Logic Bypasses
  • Bypasses
  • Mobile
  • Password Reset
  • Web Cache
  • Server Side Template Injection
  • Tips from @EdOverflow
  • Tips From @intigriti
  • Hackpack From @yeswehack
  • Tips from @YogoshaOfficial
  • Tips from @Jhaddix
  • Tips from Ben
  • Tips from Other Sources
  • Tips from Blog posts / other hunters
  • Others
  • Bugbounty Related Websites / Blogs
  • Twitter Threads
  • Docker and k8s
  • Tweets Collection by @Pentesterland
  • Windows
  • Linux
  • Burp suite
  • Scope Based Recon Tips
Powered by GitBook
On this page

Sensitive Information Disclosure

  • #bugbountytip Always do directory Brute forcing on all sub-domain even on 403 page. Sometimes you will get .git file and you can download whole web application source code.

  • If you have found server (http://foo.company.com ) which redirects you immediately to http://bar.company.com , always run resources enumeration (dirb, wfuzz etc.) against http://foo.company.com

  • #BountyProTip: found a 401/403, basic auth, or domain that seems interesting but is somehow locked down? Look at its http://archive.org/web/ entries. Sometimes you win instantly with API keys or URL structure that you can forcefully browse to unprotected content still there.

  • A useful tip for finding Full Path Disclosure vulnerabilities: drop an array ([] or even [1,2,3]) into a parameter. This can produce a full path disclosure error.

  • Ran into an API subdomain with an empty response? You may get lucky and fetch the full API spec by hitting the following endpoints: /swagger-ui.html /swagger/swagger-ui.html /api/swagger-ui.html /v1.x/swagger-ui.html /swagger/index.html

  • and if you are out of luck on Swagger you may be in for some Jersey's WADL: GET /application.wadl GET /application.wadl?detail=false GET /application.wadl?detail=true OPTIONS /api OPTIONS /api/v1 .. When proxied it may also reveal reachable internal hosts

  • This site allows you to upload any file you wish and everything else was being filtered correctly until I thought.. what about the file extension. Content-Disposition: form-data; name="files[]"; filename='example.txt"' #bugbountytip

  • sometimes you find those PATHs that forwards to a login page & you can't see the content inside them. (ex: /path/to/secret --> Google login) Take all these PATHs, prepend /public/ to all of them as: /public/path/to/secret , got access to a Jenkins instance

    What happens is, most companies have domains that used internally, they intend to give few APIs a public route, doing that many times DevOps end up exposing more endpoints than intended.

  • Site was filtering for ://.theirsite.com/* and the use of "//" was only allowed if followed by their domain. \ wasn't allowed. Bypass: https:/\/www.google.com?c=://www.theirsite.com/ - On redirects always test http?://www.theirsite.com/ and work from there :) #bugbountytip

  • Recon tip: Want to see possible new features? Check out if the company has http://sites.google.com page. Example: https://sites.google.com/a/uber.com/sites/system/app/pages/meta/dashboard/categories …

  • Pro Tip - If HTTP response contains sensitive details such as passwords, credit card #'s or SSN's, check for the following headers: Cache-Control: no-cache, no-store, must-revalidate Pragma: no-cache

  • Look for developers of the organisation (Linkedin, http://hunter.io , ..) and use their name in github. Look for repositories which are public but shouldn't be. #XBugBountyTips #BugBounty #bugbountytip

  • Found an intersting bypass: https://x.x.x.x/WEB-INF/web.xml -> 403 Forbidden https://x.x.x.x/./WEB-INF/web.xml -> 403 Forbidden https://x.x.x.x/.//WEB-INF/web.xml -> 200 OK Tomcat 8 on Windows...

  • Bugbounty tip: Want to find some internal code of companies or some sample codes of new features? Checkout with: site:http://repl.it intext:. In companydomain, if you know the internal domain it is even better. #bugbountytip

  • BugBountyTips "https://twitter.com " site:http://codegist.net

  • Try to recon https://storage.googleapis.com/Org-name-here you may find internal documentation which aren’t supposed to be public.

  • If you come across a request which has diff action(s), ex - example[dot]com/someendpoint?type=search&query=test, always try different action like type=users, type= accounts, type= details, you might get some good surprises ;)

  • If you find that your target is running on JBoss, must try this. May be you are lucky :) Step - 1 : Try to browse admin panel of the target by https://target.com/admin-console Step - 2 : Try default credentials like admin : admin or admin : password #bugbountytip

  • bugbountytips #bugbountytip I was always check robots.txt and sitemap.xml when looking for directories and files.

  • It's quite interesting that Ruby apps by default are logging everything including passwords, CC (yes, you've heard it right) when it reaches a controller method unless you specify to filter them out with Rails.application.config.filter_parameters

  • When looking for sensitive information on public boards/repositories (eg. API keys, tokens, pwd), also look for Slack Webhooks "http://hooks.slack.com/services/ {token}", this is used to post messages on channels using the APP. More info: https://api.slack.com/incoming-webhooks …. #Bugbounty #bugbountytip

  • most java web apps allow bypassing common LFI filtering rules by doing the following: hxxp://domain.tld/page.jsp?include=..;/..;/sensitive.txt #bugbounty #bugbountytip #webapp #j2ee #java #tomcat

  • Leak PII sensitive API Users DATA with URL Path Permutations: /api/users/user@email.com -> /api/users/..%2Fuser@email.com or /api/account/123/ -> /api/account/..%2F..%2F123 Enjoy!

  • #bugbountytip Sometimes you can find .sql files into /wp-content/ or /wp-content/vagrant/ directories of Worpress! P1 is coming!

  • When you're looking for credentials on github and can't find anything with the known keywords try : "Company name" send_keys or sendkeys ==> win || Github => "company name" language:python/bash send_keys

  • Github=> "company name" language:powershell pwd => working creds => unauthorized access

  • BugBountyTip: If you playing with API ENDPOINT always try to send INVALID CONTENT TYPE end-up by getting hidden endpoints in RESPONSE

  • Shodan search RUBY DEBUG html:"secret_key_base" html:"rack.version"

  • Time for another #BugBountyTip : While testing file upload forms on IIS7 servers, you can get RCE by uploading ".cer" files if ".asp" extension is blacklisted. This already let me to multiple RCEs in #bugbounty and #pentest projects. #bugbountytips RT if you love! More comin

  • Quick tip - If '/something' => 403 Try - '/something/' '/something/%20' '/something.html' '/something.json '/something/?anything' '/something#' Works sometimes Happy hacking....!!! #bugbounty #bugbountytip

  • #bugbountytip If you want to get accounts email + password for any company from github you must should use this "http://target.com" password.sendkeys in search

  • #bugbounty - If you ever see any third party service being used by a company, find the admin panel, google search “Service Name Default credentials”, and login. WIN WIN WIN (most of the times). #bugbountytip #TogetherWeHitHarder

  • Apache server-status could be a P4 or a P1. At times, it's possible to see credentials for apps being hosted on the web server. Google dork: inurl:"server-status" intitle:"Apache Status" intext:"Apache Server Status for" #bugbountytips #Bugbounty

  • What are your normal testing steps when you see a 401?

  • if you find 403 Forbidden while testing. Try X-Original-URL and X-Rewrite-URL Headers to bypass restrictions

  • Tip to access a 403 forbidden page: instead of going straight to the file for example :index.html Add a / behind the index.html: index.html/. Worked multiple times for me #bugbounty #bugbountytip

  • #bugbountytip Check git repo for .travis or other CI files which can publicly disclose their API keys!

  • HTTP request headers can be a golden gem for finding vulnerabilities never miss tampering/adding these headers! https://gist.github.com/momenbasel/237e7269b738575d2ef7b8c748ad58b2…

  • One way to find information disclosure vulnerabilities is to change the header.

    Change the Accept header to:

    Accept: application/json, text/javascript, /; q=0.01

    Some vulnerable servers reveal server version information, stack and route information

  • P1 of the day on@Bugcrowd : 1- https://host =>403 forbidden 2- https://host/app =>Redirect to corporate SSO 3- https://host/app/main.js =>IP:8005 and Api_key 4- https://IP:8005/ => https://IP:8005/swagger/ui/index#/Admin 5- Use key in swagger=> Info Disclosure

  • site.com/file.php response = nothing http://site.com/file.php~ response = source

  • Found a domain with #Roundcube service ?! Try to request these paths, If you are lucky you can find a log files.. .example.com/logs/errors .example.com/logs/sendmail #BugBounty #bugbountytips

PreviousServer Side Request Forgery (SSRF)NextCross Site Scripting (XSS)

Last updated 3 years ago

https://twitter.com/Th3G3nt3lman/status/1264642148454072322
https://twitter.com/ManasH4rsh/status/1264909858467246082?s=20
https://twitter.com/bogdantcaciuc7/status/1292962448425844736?s=20
https://twitter.com/e11i0t_4lders0n/status/1297450625106497536?s=20