├── AllThingsBugHunting.png
├── AllThingsIDOR.md
├── AllThingsMethodology.md
├── Demo.png
├── LICENSE
└── README.md

--------------------------------------------------------------------------------
/AllThingsBugHunting.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/attacker-codeninja/AllThingsBugHunting/3e50147ee306a70931718da033b4f69954af0d18/AllThingsBugHunting.png

--------------------------------------------------------------------------------
/AllThingsIDOR.md:
--------------------------------------------------------------------------------
## All-Things-IDOR

------

[My Bug Hunting Journey with IDORs Part 1](https://dewcode.medium.com/my-bug-bounty-journey-with-idors-part-1-d97cf187729)

* Found a base64 value in a GET URL
* Found that it was the ID of his own application
* Changed his own application ID to another user's and got an IDOR

[My Bug Hunting Journey with IDORs Part 2](https://dewcode.medium.com/my-bug-hunting-journey-with-idors-part-2-422a737fb733)

* Introduction to IDOR ->

  > Insecure Direct Object Reference (IDOR) occurs when a developer forgets to validate object-based user input; it allows a malicious user to access other users' data directly from the database server. This type of vulnerability is considered an access control failure. Insecure Direct Object Reference is one of the most common vulnerabilities. It is listed in the OWASP Top 10 of 2013 and 2017 (merged with Broken Access Control).

* Types of IDOR ->

  * Common IDOR
  * Base64 based IDOR
  * GUID/UUID based IDOR

  > **Common IDOR =>** This type of IDOR can be detected easily by looking in the URL or the body of the POST request. To find IDORs you have to check all the parameters passed through the POST request or URL. Just modify the value of the parameter and monitor the responses of the application.
  >
  > **Base64 based IDOR =>** This type of IDOR is similar to common IDOR, but the parameter is passed in base64 format. For testing this type of issue you need to decode the base64 first and, after modification, encode it back into base64 and put it into the URL parameter. You can perform this action using Burp Suite: select the value and press Ctrl+Shift+B to decode and Ctrl+B to encode.
  >
  > **GUID/UUID based IDOR =>** This type of IDOR is difficult to exploit by nature. The server generates a GUID/UUID for each user that cannot be predicted. To exploit this type of IDOR you have to create another account and swap the GUID/UUID. Many bug bounty programs do not consider that type of bug a security issue. Before reporting this type of IDOR you have to find another endpoint from which you can retrieve other users' UUIDs; then it should definitely be considered a P1.

* **Endpoint for IDOR :**

  > *Always look at*
  >
  > *id, uid, name, role, email, appid, invoice_id, and any CRUD (Create, Read, Update, Delete) operations. You must monitor all requests and parameters to detect IDOR while testing.*

* REFERENCES:

  * > https://www.bugcrowd.com/blog/how-to-find-idor-insecure-direct-object-reference-vulnerabilities-for-large-bounty-rewards/
  * > https://blog.detectify.com/2016/05/25/owasp-top-10-insecure-direct-object-reference-4/
  * > https://blog.intigriti.com/hackademy/idor/

> ### IDOR Bypasses =>

- Change method GET/POST
- Parameter pollution
- Wrapping in array => https://twitter.com/traceableai/status/1221704446880518144
  - Wrap ID with an array `{"id":111}` --> `{"id":[111]}`
  - JSON wrap `{"id":111}` --> `{"id":{"id":111}}`
  - Send ID twice `URL?id=&id=`
  - Send wildcard `{"user_id":"*"}`
- Go for the "hidden" features: CSV import, user avatars or hidden photos, the after-sales processes, ...
- Path traversal
  - `http://target/change/MY_ID/../VICTIM_ID`
- Same name tip
  > Let's say the victim's group name is hello123
  > You create a group named hello123
  > Now you can try to delete it

> ### Some BugBountyTips & POCs & Writeups

### 1. Tip

```
1. Intercept every request on each button.
2. Find the request that is vulnerable to IDOR.
3. Change the attacker's name to the victim's name.
4. The IDOR leads to the victim's data.
```

### 2. Tip

Bypassed #IDOR protection using URL shorteners:

https://blog.detectify.com/2019/07/03/lerhan-bypassing-idor-protection-with-url-shorteners/

### 3. Writeups

* https://twitter.com/Mah3Sec_/status/1332353437439127554
* https://medium.com/@aysebilgegunduz/everything-you-need-to-know-about-idor-insecure-direct-object-references-375f83e03a87
* https://corneacristian.medium.com/top-25-idor-bug-bounty-reports-ba8cd59ad331?source=social.tw
* https://medium.com/bugbountywriteup/all-about-getting-first-bounty-with-idor-849db2828c8
* https://medium.com/bugbountywriteup/a-short-story-of-idor-to-account-takeover-b36f3983ecba
* https://medium.com/@swapmaurya20/a-simple-idor-to-account-takeover-88b8a1d2ec24
* https://sushantdhopat.medium.com/all-about-my-finding-last-week-idor-insecure-direct-object-reference-2ff221c9a329
* https://xploitprotocol.medium.com/hunt-for-the-idor-automation-using-burp-suit-a09f004a9d9d
* https://medium.com/@abhiunix/idor-on-api-endpoints-e08c740e87a2
* https://medium.com/@cobrabaghdad1/idor-lead-to-personally-identifiable-information-pii-leakage-fb2b1b4be93f
* https://jeyaseelans.medium.com/
* https://medium.com/bugbountywriteup/pii-leakage-via-idor-weak-passwordreset-full-account-takeover-58d159f88d73
* https://mustafakemalcan.com/insecure-direct-object-reference-idor-tips/

### 4. Tip

Simple bash command for finding "Insecure Direct Object Referencing" candidates (URLs carrying a numeric `id=` parameter):

```bash
# The original pattern "id=[\id]*" was a character class of '\', 'i' and 'd',
# so it matched every "id=" regardless of the value; [0-9]+ matches the numeric
# ids the tip is about. grep reads the file directly, so cat is not needed.
grep -E 'id=[0-9]+' urls.txt | tee idor.txt
```

### 5. Tip

A simple IDOR after account takeover.

![Image](https://pbs.twimg.com/media/Eb3BcM0UwAAI0gu?format=jpg&name=large)

Mass account takeover

![Image](https://pbs.twimg.com/media/EaidWiHUwAAk48e?format=jpg&name=medium)

--------------------------------------------------------------------------------
/AllThingsMethodology.md:
--------------------------------------------------------------------------------
### Collection of Everything related to Bug Bounty, in an Organized Manner

------

> ### Point to Remember =>
>
> > Recon is the Game => Dig deeper into the Targets
>
> > Hunting on a Target is SCOPE based =>
> >
> > Small Scope | Medium Scope | Large Scope
> >
> > * **Small Scope** => Specific set of single URLs / Sandbox / QA / Staging environment
> > * **Medium Scope** => Specific set of **`*.target.com`**
> > * **Large Scope** => Complete Internet presence including Acquisitions & Copyrights
>
> > Understand Application Business Logic
>
> > Do Application-Specific Attacks
>
> > Make Documented Notes of Targets
>
> > Keep up to date with the latest Vulnerabilities, CVEs, News and WAF Bypasses from the Community
>
> > Learn Manual Hunting => Be a BurpSuite Ninja
> >
> > * Walk through the Application
> > * List all Components & Functionality
> > * Write Theoretical Attack Scenarios for each Function
> > * Remember CRUD Scenarios => Create, Read, Update, Delete
> > * Experiment with Parameters | Headers | Request + Response Manipulation | VERB Tampering [GET | POST | OPTIONS etc.]
> > * Figure out the various possible Flows of the same Feature [Example => password reset feature, email setting feature etc.]
> > * Try to Break the Application FLOW
>
> > Web Security Learning PATH =>
> >
> > https://portswigger.net/web-security/learning-path

### SCOPE Based RECON =>

------

### Small Scope =>

- [ ] Directory Enumeration/Bruteforcing
- [ ] Service Enumeration
- [ ] CVEs
- [ ] Port Scanning
- [ ] Broken Link Hijacking
- [ ] JS Files for Hardcoded APIs & Secrets
- [ ] Parameter Discovery
- [ ] Wayback History & WaybackURLs
- [ ] Google Dork + Shodan + Other Online Services
- [ ] Look for Juicy Info related to Scope Domains
- [ ] Potential URL Extraction for Vulnerability Automation
- [ ] GF Patterns

### Medium Scope =>

- [ ] Subdomain Enumeration
  - [ ] Amass + Subfinder + Findomain + Assetfinder
- [ ] Subdomain Takeovers
  - [ ] subjack
  - [ ] subover
- [ ] Misconfigured 3rd Party Services
- [ ] CVEs
- [ ] Port Scanning
  - [ ] Naabu + Masscan + Nmap + Rustscan
- [ ] Misconfigured Storage Options [S3 Buckets]
- [ ] Broken Link Hijacking
- [ ] Directory Enumeration
  - [ ] FFUF + Turbo Intruder
- [ ] Service Enumeration
- [ ] JS Files for Domains, Sensitive Information [Hardcoded APIs & Secrets]
- [ ] GitHub RECON
- [ ] Wayback History
- [ ] Google Dork for Increasing Attack Surface
- [ ] Internet Search Engine Discovery
  - [ ] Shodan
  - [ ] Censys
  - [ ] FOFA
  - [ ] BinaryEdge
  - [ ] Spyse etc.
- [ ] Potential URL Extraction for Vulnerability Automation
- [ ] GF Patterns & Automation Scripts

### Large Scope =>

- [ ] Tracking & Tracing every possible signature of the Target Application
- [ ] Subsidiary & Acquisition Enumeration [Depth - Max]
- [ ] DNS & SSL Enumeration
- [ ] CVEs
- [ ] ASN & IP Space Enumeration and Service Identification
- [ ] Subdomain Enumeration
- [ ] Subdomain Takeovers
- [ ] Misconfigured 3rd Party Services
- [ ] Misconfigured Storage Options [S3 Buckets]
- [ ] Broken Link Hijacking
- [ ] Directory Enumeration
- [ ] Service Enumeration
- [ ] JS Files for Domains, Sensitive Information [Hardcoded APIs & Secrets]
- [ ] GitHub Recon
- [ ] Parameter Discovery
- [ ] Waybackurls
- [ ] Google Dork
- [ ] Internet Search Engines
- [ ] Potential URL Extraction for Vuln Automation
- [ ] And any other possible Recon Vector [Network/Web]

------

## Following are the Important Links + Writeups + Tips

### #1. RECON Game

> Check AllThingsRecon.md File

------

### #2. All Things IDOR

> Check AllThingsIDOR.md File

------

### #3. All About Injection

Command Injection + SQL Injection

> Check AllThingsInjection.md File

### #4. All Things XSS

> Check AllThingsXSS.md File

### #5. All Things Account Takeover

> Check AllThingsATO.md File

### #6. All Things Race Condition

> Check AllThingsRaceCondition.md File

### #7. All Things Open Redirect

> Check AllThingsOpenRedirect.md File

### #8. All Things SSRF

> Check AllThingsSSRF.md File

### #9. All Things SSTI

> Check AllThingsSSTI.md File

### #10. All Things Subdomain Takeover

> Check AllThingsSubdomainTakeover.md File

--------------------------------------------------------------------------------
/Demo.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/attacker-codeninja/AllThingsBugHunting/3e50147ee306a70931718da033b4f69954af0d18/Demo.png

--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
MIT License

Copyright (c) 2020 attacker-codeninja

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
![logo](AllThingsBugHunting.png)

# AllThingsBugHunting

> Collection of all the Bug Bounty things

Like =>

* AllThingsMethodology
* AllThingsIDOR
* AllThingsInjection
* AllThingsRecon
* AllThingsXSS

and more like that; here is the Demo

![demo](Demo.png)
--------------------------------------------------------------------------------
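The "IDOR Bypasses" list in AllThingsIDOR.md above (array wrap, JSON wrap, duplicated `id` parameter, wildcard, base64-encoded ids) all work for the same reason: the layer that resolves the object reference and the layer that decides who may see it disagree about what the id is. The following Python sketch is an added example, not code from this repository or from any of the linked writeups. It assumes a hypothetical invoice API with a constructed in-memory store, puts the "before" lookup (no ownership check) beside the hardened one, canonicalises the reference to exactly one accepted shape instead of unwrapping the exotic ones, and records every rejected shape so a detection rule can alert on the bypass attempts the list describes.

```python
import base64
import json
from urllib.parse import parse_qs

# Constructed sample store for a hypothetical invoice API: invoice id -> record.
INVOICES = {
    111: {"id": 111, "owner": "alice", "amount": 40},
    222: {"id": 222, "owner": "bob", "amount": 75},
}

# Every rejected reference is recorded here. A detection rule keyed on these
# reasons (id_wrapped_in_array, id_wildcard, id_param_count, ...) surfaces the
# bypass shapes from the list above, and ownership_mismatch surfaces plain
# id swapping.
AUDIT = []


class Forbidden(Exception):
    pass


class BadRequest(Exception):
    pass


def _reject(reason, value):
    AUDIT.append((reason, repr(value)))
    raise BadRequest(reason)


def vulnerable_get_invoice(raw_id):
    """'Before' version: resolves the reference and never asks who owns it."""
    return INVOICES[int(raw_id)]


def _is_decimal(s):
    return s != "" and s.isascii() and s.isdigit()


def canonical_id(value):
    """Accept exactly one shape: a decimal id, optionally base64-encoded (for
    apps that transport ids that way). Lists, objects, wildcards and any other
    type are rejected rather than unwrapped, so the ownership check sees the
    same id the data layer will use."""
    if isinstance(value, list):
        _reject("id_wrapped_in_array", value)
    if isinstance(value, dict):
        _reject("id_wrapped_in_object", value)
    if isinstance(value, int) and not isinstance(value, bool):
        return value
    if not isinstance(value, str):
        _reject("id_unexpected_type", value)
    s = value.strip()
    if s == "*":
        _reject("id_wildcard", value)
    if _is_decimal(s):
        return int(s)
    try:
        decoded = base64.b64decode(s, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        _reject("id_not_numeric", value)
    if not _is_decimal(decoded):
        _reject("id_not_numeric", value)
    return int(decoded)


def get_invoice(current_user, raw_id):
    """'After' version: resolve, then enforce ownership at the data layer.
    A missing object and someone else's object get the same answer, so the
    endpoint does not become an existence oracle for ids."""
    inv = INVOICES.get(canonical_id(raw_id))
    if inv is None or inv["owner"] != current_user:
        AUDIT.append(("ownership_mismatch", f"{current_user}->{raw_id!r}"))
        raise Forbidden("not your object")
    return inv


def id_from_query(query_string):
    """?id=111&id=222 (parameter pollution) is rejected instead of letting the
    framework silently pick the first or the last value."""
    values = parse_qs(query_string, keep_blank_values=True).get("id", [])
    if len(values) != 1:
        _reject("id_param_count", values)
    return values[0]


def id_from_json_body(body):
    """Pull the raw 'id' member out of a JSON body; canonical_id() decides
    whether its shape is acceptable."""
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        _reject("body_not_json", body)
    if not isinstance(data, dict) or "id" not in data:
        _reject("id_missing", body)
    return data["id"]


def check(current_user, raw_id):
    """Outcome of get_invoice() as a string: 'ok', 'forbidden' or the reason."""
    try:
        get_invoice(current_user, raw_id)
        return "ok"
    except Forbidden:
        return "forbidden"
    except BadRequest as e:
        return f"bad_request:{e}"


if __name__ == "__main__":
    for user, ref in [("alice", "111"), ("bob", "111"), ("bob", "MTEx"),
                      ("bob", ["111"]), ("bob", {"id": 111}), ("bob", "*")]:
        print(f"{user} -> {ref!r}: {check(user, ref)}")
    print("audit trail:", AUDIT)
```

The design choice worth copying is that `canonical_id()` rejects rather than unwraps: an authorization layer that tolerantly unwraps `[111]` or `{"id":111}` is exactly what lets a differently tolerant data layer behind it disagree about the id. The `AUDIT` list stands in for whatever structured log the application writes; the reason strings are what a SOC rule would key on.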