

Gray Hat™

Gray Hat #CyberSec #Hacking #Hackers Website: https://ghostsofps.org


Tools - Hackers Factory

Gourlex is a simple tool that can be used to extract URLs and paths from web pages. It can be helpful during web application assessments to uncover additional targets. Try the tool: https://github.com/trap-bytes/gourlex

Find XSS with this automation of the following workflow:
1. subfinder -d indeed.com -o indeed.txt // Find Subdomains
2. httpx -l indeed.txt -o httpx.txt // Live Subdomains (reads the file written in step 1)
3. echo "indeed.com" | gau --threads 5 >> Enpoints.txt // Find Endpoints
4. cat httpx.txt | katana -jc >> Enpoints.txt // Find More Endpoints
5. cat Enpoints.txt | uro >> Endpoints_F.txt // Remove Duplicates
6. cat Endpoints_F.txt | gf xss >> XSS.txt // Filter Endpoints for XSS
7. cat XSS.txt | Gxss -p khXSS -o XSS_Ref.txt // Find reflected Parameters
8. dalfox file XSS_Ref.txt -o Vulnerable_XSS.txt // Find XSS
Script: https://github.com/dirtycoder0124/xss

A simple PowerShell script that can run in PowerShell for Linux. The purpose of the script is to identify potential privilege escalation vulnerabilities on Linux systems that run PowerShell: https://github.com/tjnull/pentest-arsenal/tree/main/Cadiclus

InQL makes mapping out a GraphQL API easy! It also includes several automated vulnerability checks! github.com/doyensec/inql

A microservices-based framework for the study of network security and penetration test techniques: https://github.com/DockerSecurityPlayground/DSP

Snaffler reimplementation in Python: https://github.com/SnaffCon/Snaffler and https://github.com/asmtlab/snafflepy

CVE-2024-24919: https://github.com/johnk3r/nuclei-templates/blob/main/http/cves/2024/CVE-2024-24919.yaml

Python for AWAE (Advanced Web Attacks and Exploitation): https://github.com/shreyaschavhan/python-for-awae

CVE-2024-24919 [Check Point Security Gateway Information Disclosure]: https://github.com/ifconfig-me/CVE-2024-24919-Bulk-Scanner

LAZYEGG, a tool for extracting different data from web pages:
- cookies
- leaked credentials
- domains
- IPs
- images
- links
https://github.com/schooldropout1337/nuclei-templates/blob/main/lazyegg.py

Extract endpoints from APK files: https://github.com/ndelphit/apkurlgrep

#HackersFactory
Question of the day: How to approach GraphQL Targets?

Unlock the full potential of GraphQL with these pro tips for tackling your bug bounty targets:

1️⃣ Retrieve the GraphQL Schema for hidden Queries/Mutations: If introspection is enabled, you can obtain the GraphQL Schema, revealing all GraphQL Operations and Mutations, using the following GraphQL Query:

{"query":"{__schema{queryType{name}mutationType{name}subscriptionType{name}types{...FullType}directives{name description locations args{...InputValue}}}}fragment FullType on __Type{kind name description fields(includeDeprecated:true){name description args{...InputValue}type{...TypeRef}isDeprecated deprecationReason}inputFields{...InputValue}interfaces{...TypeRef}enumValues(includeDeprecated:true){name description isDeprecated deprecationReason}possibleTypes{...TypeRef}}fragment InputValue on __InputValue{name description type{...TypeRef}defaultValue}fragment TypeRef on __Type{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name}}}}}}}}"}

Introspection Disabled? Don't worry; here are some more ideas that can help you uncover those hidden GraphQL Queries/Mutations:

1️⃣ JavaScript - Retrieve GraphQL Queries and Mutations from JavaScript files when introspection is disabled. These files may list hidden methods not accessible via the app's regular functionality. Try making direct requests to these.

2️⃣ GraphQL Operation discovery via Brute Force - Clairvoyance is an excellent tool that helps obtain the GraphQL API schema via brute force even if introspection is disabled. It produces the GraphQL schema in JSON format. You can install the tool at https://github.com/nikitastupin/clairvoyance.

3️⃣ View the Schema and Continue Testing - Upload the identified operations/schema to other tools such as GraphQL Voyager, InQL, or graphql-path-enum, and start testing for GraphQL-specific security issues.

#grayhats
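An added example (not from the original post or any of the tools it names) that takes the JSON an introspection-enabled endpoint returns for the query above and turns it into a readable inventory of every query and mutation, with argument and return types, so a defender can see exactly what the schema discloses before deciding whether introspection should stay on. The response embedded below is constructed for the demo; the function names are my own.

```python
import json

# Constructed sample of what the introspection query above returns, trimmed to one
# query and one mutation; a real response has hundreds of types in the same shape.
SAMPLE = json.dumps({"data": {"__schema": {
    "queryType": {"name": "Query"}, "mutationType": {"name": "Mutation"},
    "types": [
        {"kind": "OBJECT", "name": "Query", "fields": [
            {"name": "user", "isDeprecated": False,
             "args": [{"name": "id", "type": {"kind": "NON_NULL", "name": None,
                       "ofType": {"kind": "SCALAR", "name": "ID", "ofType": None}}}],
             "type": {"kind": "OBJECT", "name": "User", "ofType": None}}]},
        {"kind": "OBJECT", "name": "Mutation", "fields": [
            {"name": "resetPassword", "isDeprecated": True,
             "args": [{"name": "email", "type": {"kind": "SCALAR", "name": "String",
                                                  "ofType": None}}],
             "type": {"kind": "LIST", "name": None,
                      "ofType": {"kind": "OBJECT", "name": "Token", "ofType": None}}}]},
    ]}}})


def type_ref(t):
    """Turn a nested TypeRef {kind, name, ofType} back into GraphQL syntax, e.g. ID! or [Token]."""
    if t["kind"] == "NON_NULL":
        return type_ref(t["ofType"]) + "!"
    if t["kind"] == "LIST":
        return "[" + type_ref(t["ofType"]) + "]"
    return t["name"]


def list_operations(raw_json):
    """Return {'query': [...], 'mutation': [...]}: one signature per root field.
    Deprecated fields are flagged; they often stay callable after leaving the UI."""
    schema = json.loads(raw_json)["data"]["__schema"]
    by_name = {t["name"]: t for t in schema["types"]}
    result = {}
    for kind in ("query", "mutation"):
        root = schema.get(kind + "Type")  # mutationType is null when there are none
        fields = (by_name[root["name"]].get("fields") or []) if root else []
        sigs = []
        for f in fields:
            args = ", ".join(f"{a['name']}: {type_ref(a['type'])}" for a in f["args"])
            flag = " [deprecated]" if f["isDeprecated"] else ""
            sigs.append(f"{f['name']}({args}): {type_ref(f['type'])}{flag}")
        result[kind] = sigs
    return result


if __name__ == "__main__":
    for kind, sigs in list_operations(SAMPLE).items():
        print(kind + ":", *sigs, sep="\n  ")
```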

2FA Bypass techniques:

1. Response Manipulation: if the response contains "success":false, change it to "success":true.
2. Status Code Manipulation: if the status code is 4xx, try to change it to 200 OK and see if it bypasses restrictions.
3. 2FA Code Leakage in Response: check the response of the 2FA code triggering request to see if the code is leaked.
4. JS File Analysis: rare, but some JS files may contain info about the 2FA code; worth giving a shot.
5. 2FA Code Reusability: the same code can be reused.
6. Lack of Brute-Force Protection: possible to brute-force a 2FA code of any length.
7. Missing 2FA Code Integrity Validation: a code for any user account can be used to bypass the 2FA.
8. CSRF on 2FA Disabling: no CSRF protection on disabling 2FA, and also no auth confirmation.
9. Password Reset Disables 2FA: 2FA gets disabled on password change/email change.
10. Backup Code Abuse: bypassing 2FA by abusing the backup code feature. Use the above-mentioned techniques to bypass the backup code to remove/reset 2FA reset restrictions.
11. Clickjacking on 2FA Disabling Page: iframing the 2FA disabling page and social-engineering the victim to disable the 2FA.
12. Iframing the 2FA disabling page and social-engineering the victim to disable the 2FA, if the session is already hijacked and there is a session timeout vulnerability.
13. Bypass 2FA with null or 000000: enter the code 000000 or null to bypass 2FA protection. Steps:
   1. Enter "null" in the 2FA code
   2. Enter 000000 in the 2FA code
   3. Send an empty code (someone found this in Grammarly)
   4. Open a new tab in the same browser and check if other API endpoints are accessible without entering 2FA
14. Google Authenticator Bypass. Steps:
   1) Set up Google Authenticator for 2FA
   2) Now 2FA is enabled
   3) Go to the password reset page and change your password
   4) If the website redirects you to your dashboard, then 2FA (Google Authenticator) is bypassed
15. Bypassing OTP in registration forms by repeating the form submission multiple times using Repeater. Steps:
   1) Create an account with a non-existent phone number
   2) Intercept the request in Burp Suite
   3) Send the request to Repeater and forward it
   4) Go to the Repeater tab and change the non-existent phone number to your phone number
   5) If you got an OTP on your phone, try using that OTP to register that non-existent number

#grayhats
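From the defender's side, the checklist above maps onto a few server-side properties of the code verifier. The added example below (my own code, not from the post) is an OTP store that closes items 5, 6, 7 and 13: each code is bound to one user, single-use, expires, is locked after a few wrong guesses, and null/empty/non-numeric submissions never reach the comparison. The class name, the 5-attempt limit and the 300-second lifetime are assumptions for the demo.

```python
import hmac
import secrets
import time

MAX_ATTEMPTS = 5          # item 6: a handful of wrong guesses, then the code is dead
CODE_TTL_SECONDS = 300    # item 3: a leaked or intercepted code is only briefly useful


class OtpStore:
    """One pending code per user, kept in memory here; a deployment keys the same
    record on the user id in its database. `now` is injectable for testing."""

    def __init__(self, now=time.time):
        self.now = now
        self.pending = {}  # user_id -> {"code", "expires", "attempts"}

    def issue(self, user_id):
        code = f"{secrets.randbelow(10**6):06d}"  # CSPRNG; "000000" is as likely as any other
        self.pending[user_id] = {"code": code, "expires": self.now() + CODE_TTL_SECONDS,
                                 "attempts": 0}
        return code  # delivered out of band; never echoed in the triggering response (item 3)

    def verify(self, user_id, submitted):
        """True exactly once, for this user's own current code; False otherwise."""
        entry = self.pending.get(user_id)  # item 7: looked up per user, not globally
        if entry is None:
            return False
        # item 13: None, "", "null" and any non-6-digit input never reach the comparison;
        # "000000" goes through and only matches if it really was the issued code.
        if not isinstance(submitted, str) or not (submitted.isdigit() and len(submitted) == 6):
            return False
        if self.now() > entry["expires"] or entry["attempts"] >= MAX_ATTEMPTS:
            self.pending.pop(user_id, None)  # expired or locked: force a fresh code
            return False
        entry["attempts"] += 1
        if hmac.compare_digest(entry["code"], submitted):  # constant-time comparison
            self.pending.pop(user_id)  # item 5: consumed, a replay of the same code fails
            return True
        return False
```

Items 1 and 2 are covered by the same design: the server decides from its own store whether the second factor passed, so editing "success" or the status code in the client-visible response changes nothing it trusts.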
Reading 500 top SQLi reports, this is my feedback:
1) Most SQLi is found in PHP- and ASP-based applications, so always check whether the site runs on PHP or ASP by checking its page source code, BuiltWith, the Wappalyzer extension, or the response headers in Burp; you can also use curl for that.
2) Test SQLi in every endpoint where data is fetched from the database, because if there is a database there is a high chance of SQLi; you just need to look at the right endpoint and the right bypass.
3) Don't get demotivated if you didn't find SQLi, because I see that everybody found SQLi in a simple param; you just need to become the first one to explore and test that endpoint.
4) Use XOR payloads, because they have obfuscation built in that will bypass most firewalls/WAFs.
5) Try most SQLi in login fields, because there is a high chance of SQLi since the login is checked against the database.
6) Always check which WAF is there and use WAF bypass payloads accordingly.
7) Don't just check any param by putting ' in the param first to get an error; you don't always get an error this way. You need to use your mind: if there is any data that is fetched or checked from the server database, you just need to check all your blind payloads.
8) And most of the time I saw that all these guys use the space2comment tamper to bypass SQLi. Use many mixed combinations, but not long ones, because that makes your payload long and makes the IDS/IPS/WAF trigger or drop the payloads.
#grayhats
Repost from Ghost Princess™
Creative chaos 2012 This document summarizes Tim Pritlove's talk on hacking and activism as art forms. It discusses the origins of hacking culture and the Chaos Computer Club, including their principles of sharing knowledge and challenging authority. It describes several of the Club's public demonstrations and art installations, such as hacking voting machines to expose vulnerabilities, the "Blinkenlights" display of messages in lights, and the "Arcade" interactive pixel art installation. The talk promotes values of participation, inclusion, understanding different perspectives, and embracing change. https://www.slideshare.net/hackbo/creative-chaos-2012#5
Repost from Ghost Princess™
WarGames was the first mass-consumed visual media with a hacking theme. In the wake of the film, news media focused on the potential for a real-world scenario to materialize and contributed to the creation of the Counterfeit Access Device and Computer Fraud and Abuse Act of 1984.
🖥 100 Web Vulnerabilities, categorized into various types

⚡️ Injection Vulnerabilities:
1. SQL Injection (SQLi)
2. Cross-Site Scripting (XSS)
3. Cross-Site Request Forgery (CSRF)
4. Remote Code Execution (RCE)
5. Command Injection
6. XML Injection
7. LDAP Injection
8. XPath Injection
9. HTML Injection
10. Server-Side Includes (SSI) Injection
11. OS Command Injection
12. Blind SQL Injection
13. Server-Side Template Injection (SSTI)

⚡️ Broken Authentication and Session Management:
14. Session Fixation
15. Brute Force Attack
16. Session Hijacking
17. Password Cracking
18. Weak Password Storage
19. Insecure Authentication
20. Cookie Theft
21. Credential Reuse

⚡️ Sensitive Data Exposure:
22. Inadequate Encryption
23. Insecure Direct Object References (IDOR)
24. Data Leakage
25. Unencrypted Data Storage
26. Missing Security Headers
27. Insecure File Handling

⚡️ Security Misconfiguration:
28. Default Passwords
29. Directory Listing
30. Unprotected API Endpoints
31. Open Ports and Services
32. Improper Access Controls
33. Information Disclosure
34. Unpatched Software
35. Misconfigured CORS
36. HTTP Security Headers Misconfiguration

⚡️ XML-Related Vulnerabilities:
37. XML External Entity (XXE) Injection
38. XML Entity Expansion (XEE)
39. XML Bomb

⚡️ Broken Access Control:
40. Inadequate Authorization
41. Privilege Escalation
42. Insecure Direct Object References
43. Forceful Browsing
44. Missing Function-Level Access Control

⚡️ Insecure Deserialization:
45. Remote Code Execution via Deserialization
46. Data Tampering
47. Object Injection

⚡️ API Security Issues:
48. Insecure API Endpoints
49. API Key Exposure
50. Lack of Rate Limiting
51. Inadequate Input Validation

⚡️ Insecure Communication:
52. Man-in-the-Middle (MITM) Attack
53. Insufficient Transport Layer Security
54. Insecure SSL/TLS Configuration
55. Insecure Communication Protocols

⚡️ Client-Side Vulnerabilities:
56. DOM-based XSS
57. Insecure Cross-Origin Communication
58. Browser Cache Poisoning
59. Clickjacking
60. HTML5 Security Issues

⚡️ Denial of Service (DoS):
61. Distributed Denial of Service (DDoS)
62. Application Layer DoS
63. Resource Exhaustion
64. Slowloris Attack
65. XML Denial of Service

⚡️ Other Web Vulnerabilities:
66. Server-Side Request Forgery (SSRF)
67. HTTP Parameter Pollution (HPP)
68. Insecure Redirects and Forwards
69. File Inclusion Vulnerabilities
70. Security Header Bypass
71. Clickjacking
72. Inadequate Session Timeout
73. Insufficient Logging and Monitoring
74. Business Logic Vulnerabilities
75. API Abuse

⚡️ Mobile Web Vulnerabilities:
76. Insecure Data Storage on Mobile Devices
77. Insecure Data Transmission on Mobile Devices
78. Insecure Mobile API Endpoints
79. Mobile App Reverse Engineering

⚡️ IoT Web Vulnerabilities:
80. Insecure IoT Device Management
81. Weak Authentication on IoT Devices
82. IoT Device Vulnerabilities

⚡️ Web of Things (WoT) Vulnerabilities:
83. Unauthorized Access to Smart Homes
84. IoT Data Privacy Issues

⚡️ Authentication Bypass:
85. Insecure "Remember Me" Functionality
86. CAPTCHA Bypass

⚡️ Server-Side Request Forgery (SSRF):
87. Blind SSRF
88. Time-Based Blind SSRF

⚡️ Content Spoofing:
89. MIME Sniffing
90. X-Content-Type-Options Bypass
91. Content Security Policy (CSP) Bypass

⚡️ Business Logic Flaws:
92. Inconsistent Validation
93. Race Conditions
94. Order Processing Vulnerabilities
95. Price Manipulation
96. Account Enumeration
97. User-Based Flaws

⚡️ Zero-Day Vulnerabilities:
98. Unknown Vulnerabilities
99. Unpatched Vulnerabilities
100. Day-Zero Exploits

#grayhats