# Sensitive Information Disclosure

* [#bugbountytip Always do directory brute forcing on all sub-domains, even on a 403 page. Sometimes you will get a .git file and you can download the whole web application source code.](https://twitter.com/jayeshpatel20/status/1081798908651532294)
* [If you have found server (http://foo.company.com ) which redirects you immediately to http://bar.company.com , always run resources enumeration (dirb, wfuzz etc.) against http://foo.company.com ](https://twitter.com/_bl4de/status/1082441428045914113)
* [#BountyProTip: found a 401/403, basic auth, or domain that seems interesting but is somehow locked down? Look at its http://archive.org/web/  entries. Sometimes you win instantly with API keys or URL structure that you can forcefully browse to unprotected content still there.](https://twitter.com/Jhaddix/status/994230746201055232)
* [A useful tip for finding Full Path Disclosure vulnerabilities: drop an array (\[\] or even \[1,2,3\]) into a parameter. This can produce a full path disclosure error.](https://twitter.com/LooseSecurity/status/1095477462295818242)
* [Ran into an API subdomain with an empty response? You may get lucky and fetch the full API spec by hitting the following endpoints: /swagger-ui.html /swagger/swagger-ui.html /api/swagger-ui.html /v1.x/swagger-ui.html /swagger/index.html](https://twitter.com/_ayoubfathi_/status/1081911553799192576)
* [and if you are out of luck on Swagger you may be in for some Jersey's WADL: GET /application.wadl GET /application.wadl?detail=false GET /application.wadl?detail=true OPTIONS /api OPTIONS /api/v1 .. When proxied it may also reveal reachable internal hosts](https://twitter.com/therealdudez/status/1084250950703943681)
* [This site allows you to upload any file you wish and everything else was being filtered correctly until I thought.. what about the file extension. Content-Disposition: form-data; name="files\[\]"; filename='example.txt"' #bugbountytip](https://twitter.com/zseano/status/1058345269757206535)
* [sometimes you find those PATHs that forward to a login page & you can't see the content inside them. (ex: /path/to/secret --> Google login) Take all these PATHs, prepend /public/ to all of them as: /public/path/to/secret , got access to a Jenkins instance](https://twitter.com/_ayoubfathi_/status/1041319555308707841)

  [What happens is, most companies have domains that used internally, they intend to give few APIs a public route, doing that many times DevOps end up exposing more endpoints than intended.](https://twitter.com/_ayoubfathi_/status/1041319555308707841)
* [Site was filtering for ://.theirsite.com/\* and the use of "//" was only allowed if followed by their domain. \ wasn't allowed. Bypass: https:/\\/www.google.com?c=://www.theirsite.com/ - On redirects always test http?://www.theirsite.com/ and work from there :) #bugbountytip](https://twitter.com/zseano/status/1064124589805060096)
* [Recon tip: Want to see possible new features? Check out if the company has http://sites.google.com page. Example: https://sites.google.com/a/uber.com/sites/system/app/pages/meta/dashboard/categories … ](https://twitter.com/uraniumhacker/status/956722731449434112)
* [Pro Tip - If HTTP response contains sensitive details such as passwords, credit card #'s or SSN's, check for the following headers: Cache-Control: no-cache, no-store, must-revalidate Pragma: no-cache](https://twitter.com/crowdshield/status/1006920195011534849)
* [Look for developers of the organisation (Linkedin, http://hunter.io , ..) and use their name in github. Look for repositories which are public but shouldn't be. #XBugBountyTips #BugBounty #bugbountytip](https://twitter.com/quintenvi/status/998299642503757826)
* [Found an interesting bypass: https://x.x.x.x/WEB-INF/web.xml -> 403 Forbidden https://x.x.x.x/./WEB-INF/web.xml -> 403 Forbidden https://x.x.x.x/.//WEB-INF/web.xml -> 200 OK Tomcat 8 on Windows... ](https://twitter.com/rootsystem2010/status/1088318918115160065)
* [Bugbounty tip: Want to find some internal code of companies or some sample codes of new features? Checkout with: site:http://repl.it intext:. In companydomain, if you know the internal domain it is even better. #bugbountytip](https://twitter.com/uraniumhacker/status/1061992982847533059)
* [BugBountyTips "https://twitter.com " site:http://codegist.net](https://twitter.com/avicoder/status/1063370123967250434)
* [Try to recon https://storage.googleapis.com/Org-name-here  you may find internal documentation which aren't supposed to be public.](https://twitter.com/tweetrpersonal9/status/987410681304465410)
* [If you come across a request which has diff action(s), ex - example\[dot\]com/someendpoint?type=search\&query=test, always try different action like type=users, type= accounts, type= details, you might get some good surprises ;) ](https://twitter.com/prateek_0490/status/998904689096736768)
* [If you find that your target is running on JBoss, must try this. May be you are lucky :) Step - 1 : Try to browse admin panel of the target by https://target.com/admin-console Step - 2 : Try default credentials like admin : admin or admin : password #bugbountytip](https://twitter.com/JayJani007/status/1084554354219249664)
* [bugbountytips #bugbountytip I always check robots.txt and sitemap.xml when looking for directories and files.](https://twitter.com/LooseSecurity/status/1100024647184277505)
* [It's quite interesting that Ruby apps *by default* are logging everything including passwords, CC (yes, you've heard it right) when it reaches a controller method unless you specify to filter them out with `Rails.application.config.filter_parameters`](https://twitter.com/_ayoubfathi_/status/1108341801193213952)
* [When looking for sensitive information on public boards/repositories (eg. API keys, tokens, pwd), also look for Slack Webhooks "http://hooks.slack.com/services/ {token}", this is used to post messages on channels using the APP. More info: https://api.slack.com/incoming-webhooks …. #Bugbounty #bugbountytip](https://twitter.com/NotLerhan/status/1084779396022628352)
* [most java web apps allow bypassing common LFI filtering rules by doing the following: hxxp://domain.tld/page.jsp?include=..;/..;/sensitive.txt #bugbounty #bugbountytip #webapp #j2ee #java #tomcat](https://twitter.com/zer0pwn/status/1093365823106965504)
* [Leak PII sensitive API Users DATA with URL Path Permutations: /api/users/user@email.com -> /api/users/..%2Fuser@email.com or /api/account/123/ -> /api/account/..%2F..%2F123 Enjoy!](https://twitter.com/akita_zen/status/1131652331471347712)
* [#bugbountytip Sometimes you can find .sql files in the /wp-content/ or /wp-content/vagrant/ directories of WordPress! P1 is coming!](https://twitter.com/Wh11teW0lf/status/1131170408072392704)
* [When you're looking for credentials on github and can't find anything with the known keywords try : "Company name" send\_keys or sendkeys ==> win](https://twitter.com/Th3G3nt3lman/status/1143585800640258050) || Github => "company name" language:python/bash send\_keys
* Github=> "company name" language:powershell pwd => working creds => unauthorized access
* [BugBountyTip: If you're playing with an `API ENDPOINT` always try to send an `INVALID CONTENT TYPE`; you may end up getting hidden endpoints in the `RESPONSE`](https://twitter.com/XSaadAhmedX/status/1145052664046206976)
* [Shodan search RUBY DEBUG html:"secret\_key\_base" html:"rack.version"](https://twitter.com/ph0rensic/status/1151640168417374208)
* [Time for another #BugBountyTip : While testing file upload forms on IIS7 servers, you can get RCE by uploading ".cer" files if the ".asp" extension is blacklisted. This has already led me to multiple RCEs in #bugbounty and #pentest projects. #bugbountytips RT if you love! More comin](https://twitter.com/HusseiN98D/status/1194304002969743362)
* [Quick tip - If '/something' => 403 Try - '/something/' '/something/%20' '/something.html' '/something.json '/something/?anything' '/something#' Works sometimes Happy hacking....!!! #bugbounty #bugbountytip](https://twitter.com/ninetyn1ne_/status/1198824497572466688)
* [#bugbountytip If you want to get account emails + passwords for any company from github you should use this "http://target.com" password.sendkeys in search](https://twitter.com/ElMrhassel/status/1063621108723826690)
* [#bugbounty - If you ever see any third party service being used by a company, find the admin panel, google search “Service Name Default credentials”, and login. WIN WIN WIN (most of the times). #bugbountytip #TogetherWeHitHarder](https://twitter.com/prateek_0490/status/1005664351263625216)
* [Apache server-status could be a P4 or a P1. At times, it's possible to see credentials for apps being hosted on the web server. Google dork: inurl:"server-status" intitle:"Apache Status" intext:"Apache Server Status for" #bugbountytips #Bugbounty](https://twitter.com/emenalf/status/1181490982325571585)
* [What are your normal testing steps when you see a 401?](https://twitter.com/nnwakelam/status/1146343740455342082)
* [if you find 403 Forbidden while testing. Try X-Original-URL and X-Rewrite-URL Headers to bypass restrictions](https://twitter.com/Sajibekantibd/status/1219869425332936704)
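Several of the tips above (developer names on GitHub, `send_keys` searches, Slack webhooks, CI files) come down to the same defensive control: scan what is about to be pushed before it becomes public. The following is an added example, not code from the original page or from any of the quoted authors, of a small pre-commit style scanner. The Slack incoming-webhook URL shape and the `AKIA` access-key-id prefix are their published formats; the generic `key = "value"` rule and the `SECRET_PATTERNS` / `scan_files` names are this example's own assumptions, and the sample files are constructed with placeholder values.

```python
import re
from typing import Dict, List, Tuple

# Patterns for credentials that commonly end up in public repositories and CI
# files. The Slack incoming-webhook URL shape and the AWS access-key-id prefix
# are their published formats; the generic assignment rule is this example's
# own heuristic and will need tuning for a real code base.
SECRET_PATTERNS: Dict[str, re.Pattern] = {
    "slack_webhook": re.compile(
        r"https://hooks\.slack\.com/services/T[A-Z0-9]+/B[A-Z0-9]+/[A-Za-z0-9]+"
    ),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "generic_assignment": re.compile(
        r"(?i)(api[_-]?key|secret|token|password|pwd)\s*[:=]\s*['\"]([^'\"\s]{8,})['\"]"
    ),
}


def scan_text(name: str, text: str) -> List[Tuple[str, int, str]]:
    """Return (file, line number, pattern name) for every line that matches a pattern."""
    findings: List[Tuple[str, int, str]] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for pattern_name, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                findings.append((name, line_no, pattern_name))
    return findings


def scan_files(files: Dict[str, str]) -> List[Tuple[str, int, str]]:
    """Scan a mapping of file name -> contents, e.g. the files staged for a commit."""
    results: List[Tuple[str, int, str]] = []
    for name, text in files.items():
        results.extend(scan_text(name, text))
    return results


# Constructed sample repository contents. The values are placeholders in the
# documented formats (AKIAIOSFODNN7EXAMPLE is the key id AWS uses in its docs).
SAMPLE_FILES = {
    ".travis.yml": (
        "env:\n"
        "  - DEPLOY_TOKEN='examplesecretvalue1234'\n"
        "  - AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        "script: make test\n"
    ),
    "notify.py": (
        'WEBHOOK = "https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX"\n'
    ),
    # Pulls the credential from the environment: the keyword alone is not a finding.
    "login.py": "driver.find_element('id', 'pass').send_keys(os.environ['PASSWORD'])\n",
    "README.md": "Set the API key through the AWS console; never commit it.\n",
}

if __name__ == "__main__":
    for file_name, line_no, kind in scan_files(SAMPLE_FILES):
        print(f"{file_name}:{line_no}: possible {kind}")
```

Run on the sample files it reports the token in `.travis.yml`, the AWS key id on the next line and the webhook in `notify.py`, and stays quiet on the `send_keys` call that reads from the environment, which is the distinction a reviewer wants: the keyword alone is not the problem, a literal value next to it is.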

![](/files/-LzG2Gg4_QsQurJFNklW)

* [Tip to access a 403 forbidden page: instead of going straight to the file for example :index.html Add a / behind the index.html: index.html/. Worked multiple times for me #bugbounty #bugbountytip](https://twitter.com/quintenvi/status/1001889053975904256)
* [#bugbountytip Check git repo for .travis or other CI files which can publicly disclose their API keys!](https://twitter.com/marat_aziat/status/1083441856661344256)
* [HTTP request headers can be a golden gem for finding vulnerabilities never miss tampering/adding these headers! https://gist.github.com/momenbasel/237e7269b738575d2ef7b8c748ad58b2…](https://twitter.com/Momenbassel/status/1162132041649012742)
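The `/.//WEB-INF/web.xml`, `..;/`, `..%2F`, trailing-slash and `X-Original-URL` tips above all exploit a gap between the path the front-end authorises and the resource the back-end finally resolves. The added example below (not code from the original page or from the quoted authors) shows the defensive counterpart: canonicalise every request path before the access decision and flag requests that needed canonicalising, or that carry a route-override header from the client side. `PROTECTED_PREFIXES`, `OVERRIDE_HEADERS`, the `analyze` function and the sample requests are this example's own assumptions.

```python
from typing import Dict, List, Tuple
from urllib.parse import unquote

# Header names that some frameworks honour as a replacement for the routed
# path. An edge proxy should drop them from client traffic unless it is the
# component that sets them.
OVERRIDE_HEADERS = ("x-original-url", "x-rewrite-url")

# Locations that must never be served to a client; assumed list for this example.
PROTECTED_PREFIXES = ("/WEB-INF/", "/META-INF/", "/.git/")


def decode_fully(value: str) -> str:
    """Percent-decode until stable so double encodings (%252F) also collapse."""
    previous = None
    while value != previous:
        previous, value = value, unquote(value)
    return value


def canonicalize(path: str) -> str:
    """Reduce the path to the resource it actually names.

    Handles the tricks quoted above: extra and trailing slashes, '.' and '..'
    segments, encoded slashes, Java path parameters ('..;'), backslashes and
    whitespace-only segments.
    """
    decoded = decode_fully(path).split("?", 1)[0].split("#", 1)[0]
    segments: List[str] = []
    for segment in decoded.replace("\\", "/").split("/"):
        segment = segment.split(";", 1)[0].strip()
        if segment in ("", "."):
            continue
        if segment == "..":
            if segments:
                segments.pop()
            continue
        segments.append(segment)
    return "/" + "/".join(segments)


def analyze(request: Dict) -> Tuple[str, List[str]]:
    """Return the canonical path and the detection flags raised for one request."""
    flags: List[str] = []
    decoded = decode_fully(request["path"]).split("?", 1)[0].replace("\\", "/")
    if any(seg.split(";", 1)[0] == ".." for seg in decoded.split("/")):
        flags.append("path_traversal")
    canonical = canonicalize(request["path"])
    # Case-insensitive compare: Windows file systems (the Tomcat tip) ignore case.
    if any(canonical.upper().startswith(p.upper()) for p in PROTECTED_PREFIXES):
        flags.append("protected_path")
    if any(name.lower() in OVERRIDE_HEADERS for name in request.get("headers", {})):
        flags.append("route_override_header")
    return canonical, flags


# Constructed sample requests mirroring the quoted tips (not captured traffic).
SAMPLE_REQUESTS = [
    {"path": "/.//WEB-INF/web.xml", "headers": {}},
    {"path": "/api/users/..%2Fuser@example.com", "headers": {}},
    {"path": "/images/..;/WEB-INF/web.xml", "headers": {}},
    {"path": "/page.jsp", "headers": {"X-Original-URL": "/admin"}},
    {"path": "/index.html/", "headers": {}},
    {"path": "/something/%20", "headers": {}},
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        canonical, flags = analyze(req)
        print(f"{req['path']:40} -> {canonical:25} {flags}")
```

The point of the design is that the authorisation check runs against `canonical`, never against the raw path, so the raw and canonical forms can no longer disagree; the flags are there for logging and alerting, since a client that sends `..;` or `X-Original-URL` is probing.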

![https://twitter.com/Th3G3nt3lman/status/1264642148454072322](/files/-MGrJDDYwb9Y5pgfOg5n)

![https://twitter.com/ManasH4rsh/status/1264909858467246082?s=20](/files/-MT9vRZYY6vrWJonUN8F)

![https://twitter.com/bogdantcaciuc7/status/1292962448425844736?s=20](/files/-MT9xCb1sroYrrGlBXlO)

![https://twitter.com/e11i0t\_4lders0n/status/1297450625106497536?s=20](/files/-MTAODAlmzvZ1tLki7ZW)

* [One way to find information disclosure vulnerabilities is to change the header. Change the Accept header to: `Accept: application/json, text/javascript, */*; q=0.01` Some vulnerable servers reveal server version information, stack and route information](https://twitter.com/jae_hak99/status/1277222157366358017?s=20)
* [P1 of the day on @Bugcrowd : 1- https://host =>403 forbidden 2- https://host/app =>Redirect to corporate SSO 3- https://host/app/main.js =>IP:8005 and Api\_key 4- https://IP:8005/ => https://IP:8005/swagger/ui/index#/Admin 5- Use key in swagger=> Info Disclosure](https://twitter.com/Th3G3nt3lman/status/1264642148454072322?s=20)
* [site.com/file.php response = nothing http://site.com/file.php\~ response = source](https://twitter.com/hunter0x7/status/1309429953751068672?s=20)
* [Found a domain with #Roundcube service ?! Try to request these paths, If you are lucky you can find a log file.. .example.com/logs/errors .example.com/logs/sendmail #BugBounty #bugbountytips](https://twitter.com/sheldonx_1/status/1436629623606059010?s=20)
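Two of the tips above are really response-hygiene checks: the Cache-Control one (a response carrying passwords, card numbers or SSNs should say `no-store`) and the Accept-header one (an error response should not carry version strings or a stack trace). The added example below, not code from the original page or from the quoted authors, parses raw HTTP/1.x responses and reports both kinds of finding, so it can run in a test suite against an application's own endpoints. The sensitive-key list, the `audit_response` / `parse_response` names and the sample responses are this example's constructed assumptions; the header names `Server`, `X-Powered-By`, `X-AspNet-Version` and `X-AspNetMvc-Version` are real headers.

```python
import re
from typing import Dict, List, Tuple

# Response headers that announce the technology stack. 'Server' is only
# flagged when it carries a version number; the others are flagged whenever present.
DISCLOSURE_HEADERS = ("x-powered-by", "x-aspnet-version", "x-aspnetmvc-version")

# JSON keys treated as sensitive for this example (assumed list; extend per application).
SENSITIVE_KEY = re.compile(r'"(password|passwd|ssn|credit_card|card_number|cvv)"\s*:', re.I)

# Python tracebacks and Java/Node style "at frame(...)" lines.
STACK_TRACE = re.compile(r"Traceback \(most recent call last\)|\bat [\w$.<>]+ ?\(")


def parse_response(raw: str) -> Tuple[str, Dict[str, List[str]], str]:
    """Split a raw HTTP/1.x response into status line, lower-cased header map and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, body


def audit_response(raw: str) -> List[str]:
    """Return the hygiene findings for one response."""
    _, headers, body = parse_response(raw)
    findings: List[str] = []
    cache_control = ",".join(headers.get("cache-control", [])).lower()
    # no-store is the directive that stops browsers and proxies from keeping a copy;
    # Pragma: no-cache only matters for HTTP/1.0 caches.
    if SENSITIVE_KEY.search(body) and "no-store" not in cache_control:
        findings.append("sensitive_body_without_no_store")
    if any(re.search(r"\d", value) for value in headers.get("server", [])):
        findings.append("version_disclosure:server")
    for name in DISCLOSURE_HEADERS:
        if name in headers:
            findings.append(f"technology_disclosure:{name}")
    if STACK_TRACE.search(body):
        findings.append("stack_trace_in_body")
    return findings


def build(status: str, headers: List[str], body: str) -> str:
    """Assemble a raw response string from its parts (test helper)."""
    return "\r\n".join([status] + headers) + "\r\n\r\n" + body


# Constructed sample responses (placeholder data, not captured traffic).
SAMPLES = {
    "sensitive_cacheable": build(
        "HTTP/1.1 200 OK",
        ["Content-Type: application/json",
         "Server: Apache/2.4.41 (Ubuntu)",
         "Cache-Control: private, max-age=600"],
        '{"user": "alice", "ssn": "000-00-0000"}',
    ),
    "hardened": build(
        "HTTP/1.1 200 OK",
        ["Content-Type: application/json",
         "Server: Apache",
         "Cache-Control: no-cache, no-store, must-revalidate",
         "Pragma: no-cache"],
        '{"user": "alice", "ssn": "000-00-0000"}',
    ),
    # What a verbose error handler might return to Accept: application/json.
    "verbose_error": build(
        "HTTP/1.1 500 Internal Server Error",
        ["Content-Type: application/json", "X-Powered-By: Express"],
        '{"error": "boom", "stack": "Error: boom\\n    at Router.handle (/srv/app/lib/router.js:284:7)"}',
    ),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, audit_response(raw))
```

The `hardened` sample is the same body as `sensitive_cacheable` with the headers the tip lists and a version-free `Server` value, and produces no findings; the `verbose_error` sample shows why the Accept-header trick works, since the error handler that serialises `err.stack` into JSON leaks file paths and framework internals.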


