# Sensitive Information Disclosure

* [#bugbountytip Always do directory Brute forcing on all sub-domain even on 403 page. Sometimes you will get .git file and you can download whole web application source code.](https://twitter.com/jayeshpatel20/status/1081798908651532294)
* [If you have found server (http://foo.company.com ) which redirects you immediately to http://bar.company.com , always run resources enumeration (dirb, wfuzz etc.) against http://foo.company.com ](https://twitter.com/_bl4de/status/1082441428045914113)
* [#BountyProTip: found a 401/403, basic auth, or domain that seems interesting but is somehow locked down? Look at its http://archive.org/web/  entries. Sometimes you win instantly with API keys or URL structure that you can forcefully browse to unprotected content still there.](https://twitter.com/Jhaddix/status/994230746201055232)
* [A useful tip for finding Full Path Disclosure vulnerabilities: drop an array (\[\] or even \[1,2,3\]) into a parameter. This can produce a full path disclosure error.](https://twitter.com/LooseSecurity/status/1095477462295818242)
* [Ran into an API subdomain with an empty response? You may get lucky and fetch the full API spec by hitting the following endpoints: /swagger-ui.html /swagger/swagger-ui.html /api/swagger-ui.html /v1.x/swagger-ui.html /swagger/index.html](https://twitter.com/_ayoubfathi_/status/1081911553799192576)
* [and if you are out of luck on Swagger you may be in for some Jersey's WADL: GET /application.wadl GET /application.wadl?detail=false GET /application.wadl?detail=true OPTIONS /api OPTIONS /api/v1 .. When proxied it may also reveal reachable internal hosts](https://twitter.com/therealdudez/status/1084250950703943681)
* [This site allows you to upload any file you wish and everything else was being filtered correctly until I thought.. what about the file extension. Content-Disposition: form-data; name="files\[\]"; filename='example.txt"' #bugbountytip](https://twitter.com/zseano/status/1058345269757206535)
* [sometimes you find those PATHs that forward to a login page & you can't see the content inside them. (ex: /path/to/secret --> Google login) Take all these PATHs, prepend /public/ to all of them as: /public/path/to/secret , got access to a Jenkins instance](https://twitter.com/_ayoubfathi_/status/1041319555308707841)

  [What happens is, most companies have domains that used internally, they intend to give few APIs a public route, doing that many times DevOps end up exposing more endpoints than intended.](https://twitter.com/_ayoubfathi_/status/1041319555308707841)
* [Site was filtering for ://.theirsite.com/\* and the use of "//" was only allowed if followed by their domain. \ wasn't allowed. Bypass: https:/\\/www.google.com?c=://www.theirsite.com/ - On redirects always test http?://www.theirsite.com/ and work from there :) #bugbountytip](https://twitter.com/zseano/status/1064124589805060096)
* [Recon tip: Want to see possible new features? Check out if the company has http://sites.google.com page. Example: https://sites.google.com/a/uber.com/sites/system/app/pages/meta/dashboard/categories … ](https://twitter.com/uraniumhacker/status/956722731449434112)
* [Pro Tip - If HTTP response contains sensitive details such as passwords, credit card #'s or SSN's, check for the following headers: Cache-Control: no-cache, no-store, must-revalidate Pragma: no-cache](https://twitter.com/crowdshield/status/1006920195011534849)
* [Look for developers of the organisation (Linkedin, http://hunter.io , ..) and use their name in github. Look for repositories which are public but shouldn't be. #XBugBountyTips #BugBounty #bugbountytip](https://twitter.com/quintenvi/status/998299642503757826)
* [Found an interesting bypass: https://x.x.x.x/WEB-INF/web.xml -> 403 Forbidden https://x.x.x.x/./WEB-INF/web.xml -> 403 Forbidden https://x.x.x.x/.//WEB-INF/web.xml -> 200 OK Tomcat 8 on Windows... ](https://twitter.com/rootsystem2010/status/1088318918115160065)
* [Bugbounty tip: Want to find some internal code of companies or some sample codes of new features? Checkout with: site:http://repl.it intext:. In companydomain, if you know the internal domain it is even better. #bugbountytip](https://twitter.com/uraniumhacker/status/1061992982847533059)
* [BugBountyTips "https://twitter.com " site:http://codegist.net](https://twitter.com/avicoder/status/1063370123967250434)
* [Try to recon https://storage.googleapis.com/Org-name-here  you may find internal documentation which aren't supposed to be public.](https://twitter.com/tweetrpersonal9/status/987410681304465410)
* [If you come across a request which has diff action(s), ex - example\[dot\]com/someendpoint?type=search\&query=test, always try different action like type=users, type= accounts, type= details, you might get some good surprises ;) ](https://twitter.com/prateek_0490/status/998904689096736768)
* [If you find that your target is running on JBoss, must try this. Maybe you are lucky :) Step - 1 : Try to browse admin panel of the target by https://target.com/admin-console Step - 2 : Try default credentials like admin : admin or admin : password #bugbountytip](https://twitter.com/JayJani007/status/1084554354219249664)
* [#bugbountytips #bugbountytip I always check robots.txt and sitemap.xml when looking for directories and files.](https://twitter.com/LooseSecurity/status/1100024647184277505)
* [It's quite interesting that Ruby apps *by default* are logging everything including passwords, CC (yes, you've heard it right) when it reaches a controller method unless you specify to filter them out with `Rails.application.config.filter_parameters`](https://twitter.com/_ayoubfathi_/status/1108341801193213952)
* [When looking for sensitive information on public boards/repositories (eg. API keys, tokens, pwd), also look for Slack Webhooks "http://hooks.slack.com/services/ {token}", this is used to post messages on channels using the APP. More info: https://api.slack.com/incoming-webhooks …. #Bugbounty #bugbountytip](https://twitter.com/NotLerhan/status/1084779396022628352)
* [most java web apps allow bypassing common LFI filtering rules by doing the following: hxxp://domain.tld/page.jsp?include=..;/..;/sensitive.txt #bugbounty #bugbountytip #webapp #j2ee #java #tomcat](https://twitter.com/zer0pwn/status/1093365823106965504)
* [Leak PII sensitive API Users DATA with URL Path Permutations: /api/users/user@email.com -> /api/users/..%2Fuser@email.com or /api/account/123/ -> /api/account/..%2F..%2F123 Enjoy!](https://twitter.com/akita_zen/status/1131652331471347712)
* [#bugbountytip Sometimes you can find .sql files into /wp-content/ or /wp-content/vagrant/ directories of WordPress! P1 is coming!](https://twitter.com/Wh11teW0lf/status/1131170408072392704)
* [When you're looking for credentials on github and can't find anything with the known keywords try : "Company name" send\_keys or sendkeys ==> win](https://twitter.com/Th3G3nt3lman/status/1143585800640258050) || Github => "company name" language:python/bash send\_keys
* Github => "company name" language:powershell pwd => working creds => unauthorized access
* [BugBountyTip: If you're playing with `API ENDPOINT` always try to send `INVALID CONTENT TYPE` end-up by getting hidden endpoints in `RESPONSE`](https://twitter.com/XSaadAhmedX/status/1145052664046206976)
* [Shodan search RUBY DEBUG html:"secret\_key\_base" html:"rack.version"](https://twitter.com/ph0rensic/status/1151640168417374208)
* [Time for another #BugBountyTip : While testing file upload forms on IIS7 servers, you can get RCE by uploading ".cer" files if ".asp" extension is blacklisted. This already led me to multiple RCEs in #bugbounty and #pentest projects. #bugbountytips RT if you love! More comin](https://twitter.com/HusseiN98D/status/1194304002969743362)
* [Quick tip - If '/something' => 403 Try - '/something/' '/something/%20' '/something.html' '/something.json' '/something/?anything' '/something#' Works sometimes Happy hacking....!!! #bugbounty #bugbountytip](https://twitter.com/ninetyn1ne_/status/1198824497572466688)
* [#bugbountytip If you want to get accounts email + password for any company from github you should use this "http://target.com" password.sendkeys in search](https://twitter.com/ElMrhassel/status/1063621108723826690)
* [#bugbounty - If you ever see any third party service being used by a company, find the admin panel, google search “Service Name Default credentials”, and login. WIN WIN WIN (most of the times). #bugbountytip #TogetherWeHitHarder](https://twitter.com/prateek_0490/status/1005664351263625216)
* [Apache server-status could be a P4 or a P1. At times, it's possible to see credentials for apps being hosted on the web server. Google dork: inurl:"server-status" intitle:"Apache Status" intext:"Apache Server Status for" #bugbountytips #Bugbounty](https://twitter.com/emenalf/status/1181490982325571585)
* [What are your normal testing steps when you see a 401?](https://twitter.com/nnwakelam/status/1146343740455342082)
* [if you find 403 Forbidden while testing. Try X-Original-URL and X-Rewrite-URL Headers to bypass restrictions](https://twitter.com/Sajibekantibd/status/1219869425332936704)
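The Rails logging tip above (parameters reaching a controller are written to the log unless they are listed in `Rails.application.config.filter_parameters`) is a defender's configuration issue rather than a probing trick. The following Ruby is an added example, not code from any of the quoted tweets and not Rails' own implementation: it re-creates the key-based redaction that Rails applies to a controller's parameter log line, first with an empty filter list and then with a configured one. The controller name, the request body and the log line format are constructed for the demonstration.

```ruby
# Added example: a stand-alone re-implementation of the kind of parameter
# redaction Rails performs for keys listed in
# Rails.application.config.filter_parameters. This is NOT Rails' own code;
# it shows what an empty filter list versus a configured one does to the
# parameter log line of a controller action. All sample data is constructed.

FILTERED = "[FILTERED]".freeze

# String/Symbol filters are matched case-insensitively as substrings of the
# key (so :passw covers "password" and "password_confirmation"); Regexp
# filters are matched as regular expressions against the key.
def key_filtered?(key, filters)
  key = key.to_s
  filters.any? do |f|
    f.is_a?(Regexp) ? key.match?(f) : key.downcase.include?(f.to_s.downcase)
  end
end

# Walk nested Hashes and Arrays, replacing the value of every matching key.
def filter_parameters(params, filters)
  case params
  when Hash
    params.each_with_object({}) do |(k, v), out|
      out[k] = key_filtered?(k, filters) ? FILTERED : filter_parameters(v, filters)
    end
  when Array
    params.map { |v| filter_parameters(v, filters) }
  else
    params
  end
end

# Constructed shape of the line a request logger emits for a controller action.
def log_line(controller, action, params, filters)
  "Processing by #{controller}##{action} Parameters: #{filter_parameters(params, filters).inspect}"
end

# Constructed request body: a checkout form carrying a password and card data.
SAMPLE_PARAMS = {
  "user" => { "email" => "alice@example.com", "password" => "hunter2" },
  "payment" => { "cc_number" => "4111111111111111", "cvv" => "123" },
  "items" => [{ "sku" => "A1", "qty" => 2 }]
}.freeze

# Empty filter list: the secrets land in the log in clear text.
UNFILTERED_LINE = log_line("CheckoutsController", "create", SAMPLE_PARAMS, [])

# Equivalent of config.filter_parameters += [:passw, :cc_number, /\Acvv\z/]
SAFE_FILTERS = [:passw, :cc_number, /\Acvv\z/].freeze
FILTERED_LINE = log_line("CheckoutsController", "create", SAMPLE_PARAMS, SAFE_FILTERS)

if __FILE__ == $PROGRAM_NAME
  puts UNFILTERED_LINE
  puts FILTERED_LINE
end
```

Running the file prints the two log lines side by side; the second keeps the non-sensitive keys (email, SKU, quantity) readable while the password, card number and CVV appear as `[FILTERED]`. When auditing a Rails application for this issue, the check is whether every field that carries a credential or payment detail is covered by an entry in the configured list, including nested keys.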

![](https://1889062997-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LbWrDBBrbM1WtGeIKRO%2F-LzCupALUpwys5aKnEi-%2F-LzG2Gg4_QsQurJFNklW%2Fimage.png?alt=media\&token=42b636c5-3ded-4e0c-9d65-d6bf1436cb1f)

* [Tip to access a 403 forbidden page: instead of going straight to the file for example :index.html Add a / behind the index.html: index.html/. Worked multiple times for me #bugbounty #bugbountytip](https://twitter.com/quintenvi/status/1001889053975904256)
* [#bugbountytip Check git repo for .travis or other CI files which can publicly disclose their API keys!](https://twitter.com/marat_aziat/status/1083441856661344256)
* [HTTP request headers can be a golden gem for finding vulnerabilities never miss tampering/adding these headers! https://gist.github.com/momenbasel/237e7269b738575d2ef7b8c748ad58b2…](https://twitter.com/Momenbassel/status/1162132041649012742)

![https://twitter.com/Th3G3nt3lman/status/1264642148454072322](https://1889062997-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LbWrDBBrbM1WtGeIKRO%2F-MGrIfZ4gBxQcrRFjt5X%2F-MGrJDDYwb9Y5pgfOg5n%2FScreenshot%202020-09-10%20at%202.50.21%20PM.png?alt=media\&token=0d9aa1bc-779c-419a-bdd6-0d03f8499681)

![https://twitter.com/ManasH4rsh/status/1264909858467246082?s=20](https://1889062997-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LbWrDBBrbM1WtGeIKRO%2F-MT9vCP7LmXy2sMDtke2%2F-MT9vRZYY6vrWJonUN8F%2Fimage.png?alt=media\&token=aeb0099e-8af2-46f3-b684-ecb7097d93d1)

![https://twitter.com/bogdantcaciuc7/status/1292962448425844736?s=20](https://1889062997-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LbWrDBBrbM1WtGeIKRO%2F-MT9wuuKKp4F2ZPpm-Ba%2F-MT9xCb1sroYrrGlBXlO%2Fimage.png?alt=media\&token=f7d97bc6-8d1a-41ba-8b3b-c807729f5042)

![https://twitter.com/e11i0t\_4lders0n/status/1297450625106497536?s=20](https://1889062997-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LbWrDBBrbM1WtGeIKRO%2F-MTAHlfdMgizZSa2AGN9%2F-MTAODAlmzvZ1tLki7ZW%2Fimage.png?alt=media\&token=04c80dcc-88d5-4c34-bafe-d6834a26c133)

* [One way to find information disclosure vulnerabilities is to change the header.](https://twitter.com/jae_hak99/status/1277222157366358017?s=20)

  [Change the Accept header to:](https://twitter.com/jae_hak99/status/1277222157366358017?s=20)

  [Accept: application/json, text/javascript, */*; q=0.01](https://twitter.com/jae_hak99/status/1277222157366358017?s=20)

  [Some vulnerable servers reveal server version information, stack and route information](https://twitter.com/jae_hak99/status/1277222157366358017?s=20)
* [P1 of the day on @Bugcrowd : 1- https://host =>403 forbidden 2- https://host/app =>Redirect to corporate SSO 3- https://host/app/main.js =>IP:8005 and Api\_key 4- https://IP:8005/ => https://IP:8005/swagger/ui/index#/Admin 5- Use key in swagger=> Info Disclosure](https://twitter.com/Th3G3nt3lman/status/1264642148454072322?s=20)
* [site.com/file.php response = nothing http://site.com/file.php\~ response = source](https://twitter.com/hunter0x7/status/1309429953751068672?s=20)
* [Found a domain with #Roundcube service ?! Try to request these paths, If you are lucky you can find log files.. .example.com/logs/errors .example.com/logs/sendmail #BugBounty #bugbountytips](https://twitter.com/sheldonx_1/status/1436629623606059010?s=20)
