Gray Hat™
Gray Hat #CyberSec #Hacking #Hackers Website: https://ghostsofps.org
Repost from Hackers Factory
Tools - Hackers Factory
Gourlex
It is a simple tool that can be used to extract URLs and paths from web pages. It can be helpful during web application assessments to uncover additional targets.
Try the tool : https://github.com/trap-bytes/gourlex
Find XSS with this automation of the following workflow:
1. subfinder -d indeed.com -o subdomains.txt   # Find subdomains
2. httpx -l subdomains.txt -o httpx.txt   # Live subdomains
3. echo "indeed.com" | gau --threads 5 >> Endpoints.txt   # Find endpoints
4. cat httpx.txt | katana -jc >> Endpoints.txt   # Find more endpoints
5. cat Endpoints.txt | uro >> Endpoints_F.txt   # Remove duplicates
6. cat Endpoints_F.txt | gf xss >> XSS.txt   # Filter endpoints for XSS
7. cat XSS.txt | Gxss -p khXSS -o XSS_Ref.txt   # Find reflected parameters
8. dalfox file XSS_Ref.txt -o Vulnerable_XSS.txt   # Find XSS
Script : https://github.com/dirtycoder0124/xss
A simple PowerShell script that can run in PowerShell for Linux. The purpose of the script is to identify potential privilege escalation vulnerabilities on Linux systems that run PowerShell.
https://github.com/tjnull/pentest-arsenal/tree/main/Cadiclus
InQL makes mapping out a GraphQL API easy! It also includes several automated vulnerability checks!
github.com/doyensec/inql
A Microservices-based framework for the study of Network Security and Penetration Test techniques
https://github.com/DockerSecurityPlayground/DSP
Snaffler reimplementation in Python -
https://github.com/SnaffCon/Snaffler
https://github.com/asmtlab/snafflepy
CVE-2024-24919
https://github.com/johnk3r/nuclei-templates/blob/main/http/cves/2024/CVE-2024-24919.yaml
Python for AWAE (Advanced Web Attacks and Exploitation)
https://github.com/shreyaschavhan/python-for-awae
CVE-2024-24919 [Check Point Security Gateway Information Disclosure]
https://github.com/ifconfig-me/CVE-2024-24919-Bulk-Scanner
LAZYEGG
Tool for extracting different data from web pages:
- cookies
- leaked credentials
- domains
- ips
- images
- links
https://github.com/schooldropout1337/nuclei-templates/blob/main/lazyegg.py
Extract endpoints from APK files
https://github.com/ndelphit/apkurlgrep
#HackersFactory
Question of the day: How to approach GraphQL Targets?
Unlock the full potential of GraphQL with these pro tips for tackling your bug bounty targets:
1️⃣ Retrieve the GraphQL Schema for hidden Queries/Mutations: If introspection is enabled, you can obtain the GraphQL Schema, revealing all GraphQL Operations and Mutations using the following GraphQL Query:
{"query":"{__schema{queryType{name}mutationType{name}subscriptionType{name}types{...FullType}directives{name description locations args{...InputValue}}}}fragment FullType on __Type{kind name description fields(includeDeprecated:true){name description args{...InputValue}type{...TypeRef}isDeprecated deprecationReason}inputFields{...InputValue}interfaces{...TypeRef}enumValues(includeDeprecated:true){name description isDeprecated deprecationReason}possibleTypes{...TypeRef}}fragment InputValue on __InputValue{name description type{...TypeRef}defaultValue}fragment TypeRef on __Type{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name}}}}}}}}"}
Introspection Disabled? Don't worry; here are some more ideas that can help you uncover those hidden GraphQL Queries/Mutations:
1️⃣ JavaScript - Retrieve GraphQL Queries and Mutations from JavaScript files when introspection is disabled. These files may list hidden methods not accessible via the app's regular functionality. Try making direct requests to these.
2️⃣ GraphQL Operation discovery via Brute Force - Clairvoyance is an excellent tool that helps obtain the GraphQL API schema via brute force even if introspection is disabled. It produces the GraphQL schema in JSON format. You can install the tool at https://github.com/nikitastupin/clairvoyance.
3️⃣ View the Schema and Continue Testing - Upload the identified operations/schema to other tools such as GraphQL Voyager, InQL, or graphql-path-enum, and start testing for GraphQL-specific security issues.
#grayhats
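Added example, not from the original post: once a server answers the introspection query above, this walker turns the `__schema` result into the list of queries and mutations it exposes, resolving the nested ofType chain the TypeRef fragment fetches. The sample response is constructed; feeding it your own endpoint's answer shows exactly what introspection reveals before you decide whether to leave it enabled in production.

```python
import json

# Constructed sample response, in the shape a server returns for the
# introspection query above (only the fields the walker below reads).
SAMPLE_INTROSPECTION = json.dumps({"data": {"__schema": {
    "queryType": {"name": "Query"}, "mutationType": {"name": "Mutation"},
    "subscriptionType": None,
    "types": [
        {"kind": "OBJECT", "name": "Query", "fields": [
            {"name": "user", "isDeprecated": False,
             "args": [{"name": "id", "type": {"kind": "NON_NULL", "name": None,
                       "ofType": {"kind": "SCALAR", "name": "ID", "ofType": None}}}],
             "type": {"kind": "OBJECT", "name": "User", "ofType": None}},
            {"name": "users", "isDeprecated": False, "args": [],
             "type": {"kind": "LIST", "name": None,
                      "ofType": {"kind": "OBJECT", "name": "User", "ofType": None}}}]},
        {"kind": "OBJECT", "name": "Mutation", "fields": [
            {"name": "deleteUser", "isDeprecated": True,
             "args": [{"name": "id", "type": {"kind": "NON_NULL", "name": None,
                       "ofType": {"kind": "SCALAR", "name": "ID", "ofType": None}}}],
             "type": {"kind": "SCALAR", "name": "Boolean", "ofType": None}}]},
        {"kind": "OBJECT", "name": "User", "fields": []}]}}})

def type_ref(t):
    """Render the nested ofType chain (NON_NULL / LIST wrappers) as SDL, e.g. [ID!]!"""
    if t["kind"] == "NON_NULL":
        return type_ref(t["ofType"]) + "!"
    if t["kind"] == "LIST":
        return "[" + type_ref(t["ofType"]) + "]"
    return t["name"]

def list_operations(introspection_json):
    """Map each root operation type to its field signatures; deprecated ones are flagged."""
    schema = json.loads(introspection_json)["data"]["__schema"]
    types = {t["name"]: t for t in schema["types"]}
    ops = {}
    for op in ("query", "mutation", "subscription"):
        root = schema.get(op + "Type")
        ops[op] = []
        if not root:
            continue  # e.g. no subscriptionType defined
        for f in types[root["name"]].get("fields") or []:
            args = ", ".join(f"{a['name']}: {type_ref(a['type'])}" for a in f["args"])
            sig = f"{f['name']}({args})" if args else f["name"]
            sig += f": {type_ref(f['type'])}"
            if f.get("isDeprecated"):
                sig += "  (deprecated)"
            ops[op].append(sig)
    return ops
```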
2FA Bypass techniques:
1. Response Manipulation
In response if "success":false
Change it to "success":true
2. Status Code Manipulation
If Status Code is 4xx
Try to change it to 200 OK and see if it bypasses restrictions
3. 2FA Code Leakage in Response
Check the response of the 2FA Code Triggering Request to see if the code is leaked.
4. JS File Analysis
Rare, but some JS files may contain info about the 2FA code; worth giving a shot.
5. 2FA Code Reusability
The same code can be reused.
6. Lack of Brute-Force Protection
Possible to brute-force a 2FA code of any length.
7. Missing 2FA Code Integrity Validation
A code for any user account can be used to bypass the 2FA.
8. CSRF on 2FA Disabling
No CSRF protection on disabling 2FA, and also no auth confirmation.
9. Password Reset Disables 2FA
2FA gets disabled on password change/email change.
10. Backup Code Abuse
Bypassing 2FA by abusing the backup code feature.
Use the above-mentioned techniques to bypass the backup code to remove/reset 2FA reset restrictions.
11. Clickjacking on 2FA Disabling Page
Iframing the 2FA disabling page and social engineering the victim into disabling the 2FA.
12. Iframing the 2FA Disabling Page and Social Engineering the Victim into Disabling the 2FA
If the session is already hijacked and there is a session timeout vulnerability.
13. Bypass 2FA with null or 000000
Enter the code 000000 or null to bypass 2FA protection.
Steps:
1. Enter "null" in the 2FA code
2. Enter 000000 in the 2FA code
3. Send an empty code (someone found this in Grammarly)
4. Open a new tab in the same browser and check if other API endpoints are accessible without entering 2FA
14. Google Authenticator Bypass
Steps:
1) Set up Google Authenticator for 2FA
2) Now 2FA is enabled
3) Go to the password reset page and change your password
4) If the website redirects you to your dashboard, then 2FA (Google Authenticator) is bypassed
15. Bypassing OTP in registration forms by repeating the form submission multiple times using Repeater
Steps:
1) Create an account with a non-existing phone number
2) Intercept the request in Burp Suite
3) Send the request to Repeater and forward it
4) Go to the Repeater tab and change the non-existent phone number to your phone number
5) If you got an OTP on your phone, try using that OTP to register that non-existent number
#grayhats
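Added example, not from the original post: a server-side verification routine that closes several of the gaps listed above (items 3, 5, 6, 7 and 13: code echoed in the response, reuse, unlimited guessing, a code accepted for a different account, and empty or "null" input). The `_pending` dict is a constructed stand-in for the application's database.

```python
import hmac
import secrets
import time

# Constructed in-memory store standing in for the application's database.
CODE_TTL = 300       # seconds a code stays valid
MAX_ATTEMPTS = 5     # wrong guesses allowed before the code is voided
_pending = {}        # user_id -> {"code", "expires", "attempts", "used"}

def issue_code(user_id, now=None):
    """Generate a fresh 6-digit code bound to exactly one user."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10**6):06d}"
    _pending[user_id] = {"code": code, "expires": now + CODE_TTL,
                         "attempts": 0, "used": False}
    return code  # delivered out of band; never echoed in the HTTP response

def verify_code(user_id, submitted, now=None):
    """True only for an unused, unexpired code issued to *this* user."""
    now = time.time() if now is None else now
    entry = _pending.get(user_id)
    if entry is None or entry["used"] or now > entry["expires"]:
        return False
    # Reject empty, "null" and other malformed input before comparing.
    if (not isinstance(submitted, str) or len(submitted) != 6
            or not submitted.isascii() or not submitted.isdigit()):
        return False
    entry["attempts"] += 1
    if entry["attempts"] > MAX_ATTEMPTS:
        _pending.pop(user_id, None)  # void the code; a new one must be requested
        return False
    if not hmac.compare_digest(entry["code"], submitted):  # constant-time compare
        return False
    entry["used"] = True  # single use: replaying the same code fails
    return True
```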
Reading 500 top SQLi reports, this is my feedback:
1) Most SQLi is found in PHP- and ASP-based applications, so always check whether the site runs on PHP or ASP by looking at its page source code, BuiltWith, the Wappalyzer extension, or the Burp response headers; you can use curl for that as well.
2) Test SQLi in every endpoint where data is fetched from the server's database, because if there is a database there is a high chance of SQLi; you just need to look at the right endpoint and the right bypass.
3) Don't get demotivated if you didn't find SQLi, because I see that everybody finds SQLi in simple params; you just need to become the first one to explore and test that endpoint.
4) Use XOR payloads, because they have obfuscation built into the payloads that will bypass most firewalls/WAFs.
5) Try SQLi most in login fields, because there is a high chance of SQLi there since the login is checked against the database.
6) Always check which WAF is there and use WAF bypass payloads accordingly.
7) Don't just check any param by putting ' in the param first to get an error; you don't always get an error that way. You need to use your mind: if there is any data that is fetched or checked from the server database, you just need to check all your blind payloads.
8) Most of the time I checked, all these guys used the space2comment tamper to bypass SQLi. Use many mixed combinations, but not long ones, because that makes your payload long and triggers IDS/IPS/WAF or gets the payload dropped.
#grayhats
Repost from Ghost Princess™
Creative chaos 2012
This document summarizes Tim Pritlove's talk on hacking and activism as art forms. It discusses the origins of hacking culture and the Chaos Computer Club, including their principles of sharing knowledge and challenging authority. It describes several of the Club's public demonstrations and art installations, such as hacking voting machines to expose vulnerabilities, the "Blinkenlights" display of messages in lights, and the "Arcade" interactive pixel art installation. The talk promotes values of participation, inclusion, understanding different perspectives, and embracing change.
https://www.slideshare.net/hackbo/creative-chaos-2012#5
Repost from Ghost Princess™
WarGames was the first mass-consumed visual media with a hacking theme. In the wake of the film, news media focused on the potential for a real-world scenario to materialize and contributed to the creation of the Counterfeit Access Device and Computer Fraud and Abuse Act of 1984.
Repost from Ghost Princess™
1983: The Year Pop Culture Caught Up With Hackers
https://realhackhistory.org/2023/09/29/1983-the-year-pop-culture-caught-up-with-hackers/
🖥 100 Web Vulnerabilities, categorized into various types
⚡️ Injection Vulnerabilities:
1. SQL Injection (SQLi)
2. Cross-Site Scripting (XSS)
3. Cross-Site Request Forgery (CSRF)
4. Remote Code Execution (RCE)
5. Command Injection
6. XML Injection
7. LDAP Injection
8. XPath Injection
9. HTML Injection
10. Server-Side Includes (SSI) Injection
11. OS Command Injection
12. Blind SQL Injection
13. Server-Side Template Injection (SSTI)
⚡️ Broken Authentication and Session Management:
14. Session Fixation
15. Brute Force Attack
16. Session Hijacking
17. Password Cracking
18. Weak Password Storage
19. Insecure Authentication
20. Cookie Theft
21. Credential Reuse
⚡️ Sensitive Data Exposure:
22. Inadequate Encryption
23. Insecure Direct Object References (IDOR)
24. Data Leakage
25. Unencrypted Data Storage
26. Missing Security Headers
27. Insecure File Handling
⚡️ Security Misconfiguration:
28. Default Passwords
29. Directory Listing
30. Unprotected API Endpoints
31. Open Ports and Services
32. Improper Access Controls
33. Information Disclosure
34. Unpatched Software
35. Misconfigured CORS
36. HTTP Security Headers Misconfiguration
⚡️ XML-Related Vulnerabilities:
37. XML External Entity (XXE) Injection
38. XML Entity Expansion (XEE)
39. XML Bomb
⚡️ Broken Access Control:
40. Inadequate Authorization
41. Privilege Escalation
42. Insecure Direct Object References
43. Forceful Browsing
44. Missing Function-Level Access Control
⚡️ Insecure Deserialization:
45. Remote Code Execution via Deserialization
46. Data Tampering
47. Object Injection
⚡️ API Security Issues:
48. Insecure API Endpoints
49. API Key Exposure
50. Lack of Rate Limiting
51. Inadequate Input Validation
⚡️ Insecure Communication:
52. Man-in-the-Middle (MITM) Attack
53. Insufficient Transport Layer Security
54. Insecure SSL/TLS Configuration
55. Insecure Communication Protocols
⚡️ Client-Side Vulnerabilities:
56. DOM-based XSS
57. Insecure Cross-Origin Communication
58. Browser Cache Poisoning
59. Clickjacking
60. HTML5 Security Issues
⚡️ Denial of Service (DoS):
61. Distributed Denial of Service (DDoS)
62. Application Layer DoS
63. Resource Exhaustion
64. Slowloris Attack
65. XML Denial of Service
⚡️ Other Web Vulnerabilities:
66. Server-Side Request Forgery (SSRF)
67. HTTP Parameter Pollution (HPP)
68. Insecure Redirects and Forwards
69. File Inclusion Vulnerabilities
70. Security Header Bypass
71. Clickjacking
72. Inadequate Session Timeout
73. Insufficient Logging and Monitoring
74. Business Logic Vulnerabilities
75. API Abuse
⚡️ Mobile Web Vulnerabilities:
76. Insecure Data Storage on Mobile Devices
77. Insecure Data Transmission on Mobile Devices
78. Insecure Mobile API Endpoints
79. Mobile App Reverse Engineering
⚡️ IoT Web Vulnerabilities:
80. Insecure IoT Device Management
81. Weak Authentication on IoT Devices
82. IoT Device Vulnerabilities
⚡️ Web of Things (WoT) Vulnerabilities:
83. Unauthorized Access to Smart Homes
84. IoT Data Privacy Issues
⚡️ Authentication Bypass:
85. Insecure "Remember Me" Functionality
86. CAPTCHA Bypass
⚡️ Server-Side Request Forgery (SSRF):
87. Blind SSRF
88. Time-Based Blind SSRF
⚡️ Content Spoofing:
89. MIME Sniffing
90. X-Content-Type-Options Bypass
91. Content Security Policy (CSP) Bypass
⚡️ Business Logic Flaws:
92. Inconsistent Validation
93. Race Conditions
94. Order Processing Vulnerabilities
95. Price Manipulation
96. Account Enumeration
97. User-Based Flaws
⚡️ Zero-Day Vulnerabilities:
98. Unknown Vulnerabilities
99. Unpatched Vulnerabilities
100. Day-Zero Exploits
#grayhats