Book of BugBounty Tips
Search…
Introduction
OSINT / Recon
API
Cross Site Request Forgery (CSRF)
Server Side Request Forgery (SSRF)
Sensitive Information Disclosure
Cross Site Scripting (XSS)
CRLF
Remote Code Execution (RCE)
Email Related
File Upload
Open Redirect
IDOR
Injection
XXE
Local / Remote File Inclusion
Authentication / Authorization
Account Takeover
Application Login
Clickjacking
Parameter Pollution
Fuzzing
Application Logic Bypasses
Bypasses
Mobile
Password Reset
Web Cache
Server Side Template Injection
Tips from @EdOverflow
Tips From @intigriti
Hackpack From @yeswehack
Tips from @YogoshaOfficial
Tips from @Jhaddix
Tips from Ben
Tips from Other Sources
Tips from Blog posts / other hunters
Others
Bugbounty Related Websites / Blogs
Twitter Threads
Docker and k8s
Tweets Collection by @Pentesterland
Windows
Linux
Burp suite
Scope Based Recon Tips
Powered By
GitBook
Cross Site Request Forgery (CSRF)
CSRF Bug was fixed by them checking the Origin header value. If it wasn't *.theirdomain.com it would fail (even origin: null failed) The bypass: Firefox doesn't set the Origin header when iframing data:text/html;base64, thus no check was done = patch bypassed - By "zseano"
i'm going to tell you about the coolest CSRF 'bypass' I found (/sarcasm). CSRF token was sent with the POST request. Change to GET and remove the CSRF token => request works. Literally.. that easy.
If you ever see an action being completed in the URL, without any CSRF token, here's a tip:
Check if you can post an image on the website or even set your avatar to a remote URL, then make it the URL of the action. Whoever views the image will execute the action.
Try changing POST request method to GET in XSRF attacks with cookies' attribute set to {Samesite: Lax}, since Lax value only applies to POST requests. #bugbounty
PUT and DELETE CSRF possible under two conditions
1) “_method” parameter. Some frameworks have enabled _method by default even it’s not necessary to execute the Request (Simply change the PUT and DELETE to POST and pass them in _method
Interesting .. Bypassed the CSRF Protection of a target by setting the token param value to undefined. _csrf_token=undefined #bugbountytips
JSON CSRF -
http://blog.opensecurityresearch.com/2012/02/json-csrf-with-parameter-padding.html
https://twitter.com/SpiderSec/status/1239860710374617088
PHP CSRF Protection Bypass : EXPLOIT : csrftoken[]=&message=x -> Supply an empty array on the CSRF token parameter. You can find multiple csrf protection frameworks on GitHub which are vulnerable.
CSRF tip. You can send 𝐭𝐞𝐱𝐭/𝐩𝐥𝐚𝐢𝐧; 𝐚𝐩𝐩𝐥𝐢𝐜𝐚𝐭𝐢𝐨𝐧/𝐣𝐬𝐨𝐧 Content-Type header cross domain without triggering CORS. Backend might think that content type is application/json 😎 #bugbounty
This is the shortest alert() XSS payload I know that can be used in a context where it isn't inside any HTML tags or attributes.
<svg/onload=alert()>
Let me know in the comments if you have a shorter one!
Origin Check bypass for CSRF.
Firefox : works Chrome : if server allows
Origin: null
1
Got the solution :
2
<iframe src='data:text/html,<body onload="document.forms[0].submit()"><form action="//redacted.com/api/auth?password=Chang3dd" method="post"></body>'></iframe>
Copied!
Previous
API
Next
Server Side Request Forgery (SSRF)
Last modified
7mo ago
Copy link