Repository layout:

- README.md
- Recon.md
- subdomains.md
- vulntypesdesc.md

---
/README.md:

# WhatTo
"What To" guide for finding vulnerabilities in sites.

# How can you use this?
The goal is to make this a quick index of vulnerabilities, beyond the OWASP Top 10, that you can look for in websites. I will try my best to separate them by site type.

---
/Recon.md:

# Recon for target hunts

When starting in bug bounty, it is important to understand the program and its scope. This does not mean just visiting the app and using it. It also means understanding the environment. In this document we will learn some techniques for recon purposes.

*Understanding the Environment*

It is important to see how the application is running along with its environment. We will discuss checking the environment in the following topics.

1) SSL Certificates

SSL certificates will help you see the different subdomains that are under the control of the domain. SSL certificates help validate the company's ownership of the domain, and because publicly issued certificates are recorded in Certificate Transparency logs, they can be searched by domain name. For example, with a similar SSL certificate and company name, we can see that ssl.example.com might also be under the control of example.com.
To run SSL tests, multiple websites can be used: https://censys.io, https://crt.sh, https://developers.facebook.com/ct

Below is an example of how the Facebook certificate tool loads subdomains of hackerone.com.

![FB Certificate tool](http://i.imgur.com/PnZVBag.png "Facebook Certificate tool")

Similarly we can also use censys.io:

![Censys](http://i.imgur.com/91xC8rW.png "Censys")

2) Subdomains Scanning

Subdomain scanning is another way to perform recon.
Through subdomains, sometimes you can just find a takeover, which is a vulnerability in itself. In another document, we will go into full depth on how subdomain takeover works.

There are multiple ways you can conduct subdomain scans. Websites like https://virustotal.com, https://dnsdumpster.com, https://threatcrowd.org are great resources for this.

Let's check out how virustotal.com works for this:

First go to https://virustotal.com and click on `Search`. In the text box put `*.url.com`. I will be using uber.com for this.

![VirusTotal](http://i.imgur.com/WpAryeB.png "Virustotal")

You can now see the subdomains under uber.com that were indexed by VirusTotal.

Let's do the same with dnsdumpster.com as well.

![DNSDumpster](http://i.imgur.com/fK0gl4R.png "DNSDumpster")

There are GitHub projects that you can use for this as well. Some that I highly recommend are [sublist3r](https://github.com/aboul3la/Sublist3r), [HostileSubBruteforcer](https://github.com/nahamsec/HostileSubBruteforcer) and many others out there.

3) Port scanners

Port scanning can sometimes give you multiple ports to test other than just the regular `:80` and `:443`. I usually use nmap and other tools for port scanning, but there are some websites that help with this process as well.

The following websites should allow you to do such tests: [t1shopper](http://www.t1shopper.com/tools/port-scan/), [MXtoolbox](https://mxtoolbox.com/PortScan.aspx) and [Shodan](https://shodan.io)

Let's run some scans and see how each one shows its results.

![MXToolBox](http://i.imgur.com/evao6Mv.png "MXToolBox")

This was the result from a scan done by MXToolBox.

4) Running a directory search

Sometimes it is good to see if you can find different files or directories of a website.
This can be done from the robots.txt file, Google dorks, tools and websites.

I use tools, Google dorks and websites to brute-force directories. Google dorks can be done with a simple search like `site:example.com ext:php | ext:log` and many others. Directories can also be found these ways. Sometimes this can give you an access token that was indexed by Google (which is bad). Along with that, websites like https://pentest-tools.com have also helped me with brute-forcing directories.

Here is an example of https://pentest-tools.com:

![Pentest-Tools](http://i.imgur.com/hzWpcbB.png "Pentest-Tools")

Here are some small features of https://pentest-tools.com:

![Pentest-Tools](http://i.imgur.com/BDblrHJ.png "Pentest-Tools")

There should be a new tool published soon by some of my colleagues. It is still being worked on and will be out soon.

# YouTube Video from the one and only Nahamsec

[Click Me](https://www.youtube.com/watch?v=1Kg0_53ZEq8)

---
/subdomains.md:

Many websites do not just work with example.com or just www.example.com. For email, blogs and internal domains, these companies tend to use subdomains. A subdomain maps to a specific IP, a third-party service, etc. to serve its content. Subdomain takeovers are still popular in bug bounty and can be seen in many programs. I don't think I would be wrong if I said 90% of the companies launching their responsible disclosure programs are vulnerable to subdomain takeovers. But how do these work?

# History of Subdomain Takeover

I personally saw subdomain takeovers on the rise during 2014. This was when a blog post was made by the team at Detectify, and for many in the community, the king of subdomain takeover is none other than Frans Rosén.
We can see new subdomain takeover writeups just by searching "Subdomain Takeovers HackerOne". This will show you different ways takeovers can be done. In this blog post, we will discuss takeovers of GitHub, S3 buckets and Tumblr. But first let's learn about subdomain enumeration techniques.

# Subdomain Enumeration

I mentioned most of the tools and websites in my previous post, Recon.md. In this post, I will try to go deeper on each of those tools and explain their usage.

1) HostileSubBruteforcer

This tool was written by Ben Sadeghipour (aka @Nahamsec). It is written in Ruby and, in my personal opinion, is one of the best tools for takeovers. This tool not only lists subdomains by brute-forcing them, it also maps out where each one points. Along with that, if the domain returns errors like `This Github pages does not exist`, `NoSuchBucket` etc., it prints them as a red alert and asks you to check them for possible takeovers. I personally have found some takeovers with this tool.

2) Sublist3r

This tool is a package of multiple websites' results. It contains subdomains from VirusTotal, ThreatCrowd, DNSDumpster, PassiveDNS and many others. One bad side of this tool is that it might give out false positives. Some websites like `DNSDumpster` update their data after 1 month. Due to this, if a service was updated within that time period, DNSDumpster will take time to show it. Nonetheless, this is a great tool to have on your side.

*There are also websites that we could discuss, like VirusTotal, but because they are integrated in Sublist3r I am not going to discuss them much.*

3) Certificates tool

Some companies like Facebook and Google allow you to check certificates of websites under the ownership of the company. This will allow you to enumerate many more subdomains.

https://developers.facebook.com/tools/ct is what I have been using quite frequently now.
It also allows you to subscribe to the domain's alerts so that you get an alert when a new certificate is issued (this could mean new subdomains or just a renewal of certificates).

# Taking over subdomains

Once you enumerate subdomains, you will have to understand where they point and which third-party services they use, in order to confirm whether they are vulnerable. Sometimes, I have noticed reporters submit false positives as well.

I have seen researchers ask about Fastly subdomain takeovers, but based on my checks and multiple confirmations from other hackers, I can tell that Fastly subdomain takeover is nearly impossible. Some reporters are still submitting these reports and the companies who get them validate them as correct; however, Fastly subdomain takeover AGAIN is not vulnerable.

In this blog, I will show you how to take over a subdomain of the website `securify.network`. This is my personal website that I made vulnerable to takeovers. First let's enumerate the subdomains:

![Subdomains Listed](http://i.imgur.com/wMmsGlP.png "Subdomains Listed")

In the above picture, we see three sections: `Sublist3r`, `Vulnerable`, `Bruteforced`. Each of these shows subdomains that are good for us to know. The `Vulnerable` section is an interesting one because it lists three subdomains.

Let us start with the highlighted `tutorials3.securify.network`. Its DNS information is below:

![DNS Analysis](http://i.imgur.com/qj6DTR2.png "DNS Analysis")

When checking the DNS, we find the CNAME pointing to a bucket that does not exist. Going to the website also shows that the `tutorials3.securify.network` bucket does not exist. We now go to AWS and create that bucket.

![AWS Bucket](http://i.imgur.com/r6Y0bLZ.png "AWS Bucket")

After we create the bucket, the website now shows `Access Denied`, which means the takeover was successful.

Moving on...

For the next takeover we can try the GitHub takeover. Going to the page loads `404 Github Pages not found`. Once we check its DNS we see the following information:

![Github](http://i.imgur.com/zvEF82Y.png "Github")

We now know that the CNAME is pointing to `randomuranium238980345.github.io`. We then have to create a user account. For a GitHub takeover, our username also needs to be `randomuranium238980345`. Once we sign up, we can create a repository with the name `randomuranium238980345.github.io` and, in the Settings tab, set the Custom Domain to `githubtakeover.securify.network`. After about 5 minutes the website should point to GitHub and we have our second takeover.

Next is Tumblr.

Based on the picture I listed above, `blog.securify.network` is shown to be vulnerable and it points to domains.tumblr.com as shown below:

![Tumblr](http://i.imgur.com/thXpShq.png "Tumblr")

Let's go to Tumblr and create an account first. After creating the account, go to settings at: https://www.tumblr.com/settings/blog/[blog-name]

![Tumblr](http://i.imgur.com/HmIKrHs.png "Tumblr")

Right below the username there is `Tumblr URL`. Click on it and select `Use Custom Subdomain`. It should now show `It's Good` when you press `Test Domain`.

![Tumblr](http://i.imgur.com/9Xna2VU.png "Tumblr")

Click `Save` and your subdomain takeover should work.

There are other services like Zendesk, Desk, Unbounce and many other third-party services that can be used for takeovers. The key to takeovers lies in understanding how the third party works and how they set up subdomains for customers.
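The check that HostileSubBruteforcer performs on each enumerated subdomain, reduced to its core and written from the zone owner's side, as an added example that is not part of this post or of any tool it names: given a zone's CNAME records and the body served at each name, it reports CNAMEs to S3, GitHub Pages and Tumblr that look unclaimed. The `Record` type, the `SAMPLE` data and the `audit_zone` function are constructed for this illustration; the fingerprint strings are the error messages the post quotes, and a live audit would resolve and fetch the names instead of reading them from a list.

```python
import re
from dataclasses import dataclass

# Third parties the post walks through, keyed by the CNAME suffix each uses. The
# fingerprints are the error strings the post quotes for an unclaimed S3 bucket and an
# unclaimed GitHub Pages site (a live audit should use each provider's current text);
# Tumblr gets none because the post gives none, so it is only reported for manual review.
SERVICES = {
    "s3.amazonaws.com": ("Amazon S3", re.compile(r"NoSuchBucket")),
    "github.io": ("GitHub Pages", re.compile(r"404 Github Pages not found", re.I)),
    "domains.tumblr.com": ("Tumblr", None),
}

@dataclass
class Record:
    name: str       # subdomain in the zone being audited
    cname: str      # CNAME target, or "" for an A/AAAA record
    resolves: bool  # whether the CNAME target itself resolves (constructed, not looked up)
    body: str       # response body served at the subdomain (constructed, not fetched)

def identify_service(cname):
    """Map a CNAME target to one of the providers above, or (None, None)."""
    for suffix, (label, fingerprint) in SERVICES.items():
        if cname == suffix or cname.endswith("." + suffix):
            return label, fingerprint
    return None, None

def audit_zone(records):
    """Return (subdomain, provider, verdict) for every CNAME that needs attention."""
    findings = []
    for r in records:
        if not r.cname:
            continue                       # only a CNAME can dangle at a third party
        provider, fingerprint = identify_service(r.cname)
        if provider is None:
            continue                       # CNAME to something this audit does not know
        if not r.resolves:
            findings.append((r.name, provider, "dangling: CNAME target does not resolve"))
        elif fingerprint is not None and fingerprint.search(r.body):
            findings.append((r.name, provider, "unclaimed: provider error page"))
        elif fingerprint is None:
            findings.append((r.name, provider, "manual check: no fingerprint for provider"))
    return findings

# Constructed records mirroring the post's securify.network walkthrough.
SAMPLE = [
    Record("tutorials3.securify.network", "tutorials3.securify.network.s3.amazonaws.com",
           True, "<Error><Code>NoSuchBucket</Code></Error>"),
    Record("githubtakeover.securify.network", "randomuranium238980345.github.io",
           True, "404 Github Pages not found"),
    Record("blog.securify.network", "domains.tumblr.com", True, "<html>blog</html>"),
    Record("assets.securify.network", "assets.securify.network.s3.amazonaws.com",
           True, "<html>static assets</html>"),           # claimed bucket: nothing to report
    Record("www.securify.network", "", True, "<html>home</html>"),  # A record: skipped
]

if __name__ == "__main__":
    for name, provider, verdict in audit_zone(SAMPLE):
        print(f"{name}: {provider} -> {verdict}")
```

Treat every verdict as a lead to confirm by hand, as the post's Fastly remark warns: a provider error page means the record should be removed or the resource reclaimed, not that a takeover is certain.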

---
/vulntypesdesc.md:

Web application security, or simply put, website security, is a widely known topic in the current world of cybersecurity. We often hear about hacks that stole millions of SSNs and created massive damage for the company. The question that emerges after each of those events is: how big a threat are cyber attacks in our world? The media jump to conclusions and bring out headlines about how a cyber attack could be deadly for us all. While all this happens, not many cover how this can be prevented. This is where the role of security teams, pentesters and security analysts comes in. Every day cyber attacks happen and are prevented by the work of these individuals as they test applications. Testing a website's application is not like waving a wand like a wizard (while that might be cool to do). It requires research, work and sometimes overcoming frustration. When I pentest applications, I work on finding issues from low severity to critical severity. In this post, I will discuss some common mistakes I have seen during source code reviews or just a direct blind test (my way of saying that I sometimes test apps without source code).

As a security researcher, I work to find vulnerabilities that range from simple cross-site scripting to sometimes remote code execution. One common issue I have seen in the websites of many startups, and sometimes even multi-billion-dollar companies, is how they handle file uploads:

# Content mishap when uploading files

When you try to upload an image to a site, a certain POST request is usually made to the application. This way, the content of the file is uploaded to the server and stored there. To prevent XSS from file names, some companies rename the files to something suitable for them.
That is a different topic of bypass that we can cover later. Right now let's dive into how file uploads can be risky. Let's go with an example:

You own a website called `superresume.com`. On this site, you allow recruiters to hire prospective employees by checking their resumes. An employee who is looking for a job uploads a PDF file and that is stored on your server with a random name. The employee can also view their own resume and see how it looks on your website. That looks good so far, right? Well, what if the employee can upload another file type to your server? When a file POST is made, there are two things that must always be checked: Content-Type and file extension. During my pentests I have noticed scenarios like this:

On your superresume.com, someone uploads an HTML file, but then they see the alert: "Sorry the file you uploaded is not supported. Please upload a PDF file". That looks good so far, until we start digging deeper into this. To do such a test, I use Burp Suite (a proxy application that passes HTTP/HTTPS requests to the remote host through it). This allows you to modify the request and see how it works. To start out, I upload a PDF file, then intercept the request with Burp. Once that is done, I change the file name, which might have been [randomname].pdf, to [randomname].html. At the same time, I do not change the Content-Type of the "pdf". The server will now check if the MIME type of the file is a PDF. Once it confirms the MIME type, it uploads it to the server. Once that is done, there is about a 99.99% chance that I uploaded an HTML file to your site and now I can use it for multiple purposes. This can get even more dangerous if your server supports PHP files. If that is the case, a small PHP shell can give an attacker access to your whole server.
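The two upload checks side by side, as an added example that is not the post's code: `store_upload_vulnerable` does only what the scenario above describes (trusts the declared Content-Type and keeps the client's extension), while `store_upload_hardened` checks the extension, the declared type and the file's leading bytes, and chooses the stored name itself. The function names, the minimal PDF and the HTML body are constructed for this illustration.

```python
import os
import secrets

PDF_MAGIC = b"%PDF-"   # every PDF file begins with this header
ERROR = "Sorry the file you uploaded is not supported. Please upload a PDF file"

def store_upload_vulnerable(filename, content_type, data):
    """The check from the scenario above: trusts the client's Content-Type and keeps the
    client's extension. Returns the stored name, or the error message on rejection."""
    if content_type != "application/pdf":
        return ERROR                              # the only check that exists
    ext = os.path.splitext(filename)[1]           # client-controlled: ".html", ".php"
    return secrets.token_hex(8) + ext

def store_upload_hardened(filename, content_type, data):
    """Checks extension, declared type and actual bytes, then names the file itself."""
    if os.path.splitext(filename)[1].lower() != ".pdf":
        return ERROR                              # extension must be .pdf
    if content_type != "application/pdf":
        return ERROR                              # declared type must agree
    if not data.startswith(PDF_MAGIC):
        return ERROR                              # content must really be a PDF
    # The server chooses the whole name and always ends it in .pdf, so nothing the
    # client supplied reaches the filesystem. Re-rendering the PDF through a converter,
    # which the post also recommends, is a further step not shown here.
    return secrets.token_hex(8) + ".pdf"

# Constructed request bodies: a minimal PDF and an HTML page, both sent as application/pdf.
PDF_BYTES = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n"
HTML_BYTES = b"<html><body>not a resume</body></html>"

def renamed_pdf_result():
    """The Burp step from the post: a real PDF renamed to .html, Content-Type left as PDF."""
    return (store_upload_vulnerable("resume.html", "application/pdf", PDF_BYTES),
            store_upload_hardened("resume.html", "application/pdf", PDF_BYTES))

def html_as_pdf_result():
    """The reverse: HTML bytes under a .pdf name with a PDF Content-Type."""
    return (store_upload_vulnerable("resume.pdf", "application/pdf", HTML_BYTES),
            store_upload_hardened("resume.pdf", "application/pdf", HTML_BYTES))

if __name__ == "__main__":
    print("PDF renamed .html ->", renamed_pdf_result())
    print("HTML named .pdf   ->", html_as_pdf_result())
```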

Usually, to tackle this, you should do multiple things: 1) Check both extensions and file types, 2) If there are modules out there, convert the file to a different PDF; that way, even if I put in a PHP script, I will not be able to do much. Also make sure you append .pdf to the file name no matter what.

# Insecure Direct Object Reference vulnerability

In short, this vulnerability is called `IDOR`. Through this, a user can get access to unauthorized information about another user, or change information about another user, without any form of verification. This can be dangerous in many cases. During my pentests, I have exploited these issues to find confidential information which included medical records, social security numbers etc.

Here is how this scenario might play out in real life: (This example is a real scenario that happened)

Let's again go with a recruiting site and call it (again) superresume.com. On this site, you allow users to update their accounts and add information about where they graduated and what major they studied. You are making it easier for recruiters in the sense that they do not always have to check the resume because the same info is in the profile description. That is pretty neat of you :)

Let's now move on to how the request is played:

Suppose the POST request looks like this when you press the "Save" button in your account:

```
POST /useraccount/edit HTTP/1.1
Host: superresume.com
[Cookies and other headers]

name=[First & Last Name]&userid=[int value of user id]&[other parameters like collegename, major etc.]
```

The main part to notice here is the `userid` parameter. This will usually be the `userid` of your account on that site. So now let's create another account as well to test this IDOR. Let's say user account 1 has user id 45890 and account 2 has user id 45891. Edit account 45890 and send the request to Burp.
In Burp, let's send it to Repeater and change the userid parameter to 45891. Does the account information of user 45891 also change? If so, you have successfully changed the profile of another user.

In some cases on shopping sites, we need to see how our previous orders are displayed. For example, let's say you bought a beautiful sofa for your home from the site bestfurniture.com. When you go to the site and click on your order, the link might look like this: bestfurniture.com/api/order?orderid=4958, and then it shows your order info like who placed it, where your house is (mailing address) and other private information. What happens if you change the orderid to 4957? This could sometimes spit out the information of another order of another user. If you start brute-forcing these ids and just run them through Intruder in Burp, you can grab tons of private information of multiple users.
If the /account/edit endpoint does not require a password when saving content, then you can create a form that changes the user's email. Once you have that done, you can use that email to reset the password of the account and soon after that you get full account access. Here is the scenario: 50 | 51 | User A has account in superresume.com and the profile section there is vulnerable to CSRF 52 | 53 | User B sends a perfectly legit link with hidden form that auto-submits on page load. In that form, it changes the user A's email from usera@emailprovider.com to shadyemail@emailprovider.com. Once User A opens the website their email changes. User B can then request a password reset which likely goes to shadyemail@emailprovider.com and he gets full access to the account. 54 | 55 | In part 2, I will discuss about XSS, RCE, SQLi and other bugs as well. Part 3 will include examples of business logic flaws. 56 | --------------------------------------------------------------------------------