fa
Feedback
Bug Bounty - GitBook

Bug Bounty - GitBook

رفتن به کانال در Telegram
7 488
مشترکین
اطلاعاتی وجود ندارد24 ساعت
+387 روز
+18430 روز
آرشیو پست ها
photo content

Today, we'll talk a bit about JavaScript recon in web applications. I've based my methodology on My Javascript Recon Process - BugBounty. Collecting links to JS files can be done using gau:
gau example.com | grep -iE '\.js' | grep -ivE '\.json' | sort -u >> exampleJS.txt
Alternatively, you can use waymore, which seems to be better:
python3 waymore.py -i example.com -ko "\.js(\?|$)"
We can also try fuzzing to find hidden JS files:
ffuf -u https://www.example.com/js/ -w jsWordlist.txt -t 200
The wordlist for fuzzing can be found here: https://wordlists.assetnote.io/ After that, ping the JS links as some of them may be outdated.
httpx -l exampleJS.txt -mc 200
Now, let's look for secrets in these files using SecretFinder, a tool for detecting sensitive data such as apikeys, accesstokens, authorizations, jwt, etc. in a JS file:
cat exampleJS.txt | xargs -n2 -I @ bash -c 'echo -e "\n[URL] @\n";python3 SecretFinder.py -i @ -o cli' >> exampleJsSecrets.txt
Next, using availableForPurchase.py, we can check if the domains referenced in the JS files are available for purchase. This tool, combined with linkfinder and collector, is really powerful. Sometimes developers make mistakes when writing a domain, possibly the domain imports an external JavaScript file, etc.
cat exampleJS.txt | xargs -I @ bash -c 'python3 linkfinder.py -i @ -o cli' | python3 collector.py output
cat output/urls.txt | python3 availableForPurchase.py
[NO] www.googleapis.com
[YES] www.gooogleapis.com
After executing the above command, a list of potential endpoints that were discovered in the JS becomes available for review:
cat output/paths.txt
We can also immediately check for subdomain takeover using subzy
cat output/urls.txt |grep "https\{0,1\}://[^/]*\.example\.com/[^ ]*" >> subdomainExample.txt; subzy run --targets subdomainExample.txt

Also, excellent extensions for Burp: JS Miner and JS Link Finder which perform similar tasks but in real-time, for greater coverage it's better to use both script scanning and plugins

Can anyone do this

Find xss with this automation of the following work : 1. subfinder -d indeed.com -o indeed.txt //Find Subdomains 2. httpx -l subdomains.txt -o httpx.txt // Live Subdomains 3. echo "indeed.com" | gau --threads 5 >> Enpoints.txt // Find Endpoints 4. cat httpx.txt | katana -jc >> Enpoints.txt // Find More Endpoints 5. cat Enpoints.txt | uro >> Endpoints_F.txt // Remove Duplicates 6. cat Endpoints_F.txt | gf xss >> XSS.txt // Filter Endpoints for XSS 7. cat XSS.txt | Gxss -p khXSS -o XSS_Ref.txt // Find reflected Parameters 8. dalfox file XSS_Ref.txt -o Vulnerable_XSS.txt // Find XSS Script : https://github.com/dirtycoder0124/xss

After reading 500 top SQLi reports this is my feedback :) 1) most sqli is found in php and asp based application that are running on php and aspx so always check site is on php or asp by checking its page source code,buitwith, Wappalyzer extension or check in burp response header & or you can use curl also for that. 2) test sqli in every endpoint where the database is fetched from the server bcz if there is database there is high chance for sqli you just need to look at right endpoint and right bypass 3) dont demotivate if you did'nt find sqli bcz i see that everbody found sqli in simple param you just need to be become first one to explore and test that endpoint.. 3) use xor payloads bcz its has obfuscating in its payloads that will bypass most of firewall wafs 4) try most sqli in login fields bcz there is high chance of sqli bcz its check login from database 5) always check which waf is there and use waf bypass payloads according to that. 6) dont just check any param by putting ' in param first for getting error not always you get error by this you need to use your mind if there is any data that fetched or checked from the server database you just need to check your all blind payloads 7) and most times i checked these all guys use space2comment tamper to bypass sqli but for me i use many mix combination but not long bcz it make your payload long and make ids ips waf triggers or drop the payloads.. All the best guysss for hunting hope my suggetion will help you ❤️😇

Penetration testing MSSQL using Metasploit.

"Top 10 Web Hacking Techniques 2023".

A collection of awesome one-liner scripts especially for bug bounty https://github.com/dwisiswant0/awesome-oneliner-bugbounty

🚩HACKBOOK OF A HACKER >CTF Writeups >Smart Contracts Security >T.I.L. Link 🔗:- https://simones-organization-4.gitbook.io/hackbook-of-a-hacker @GitBook_s

Researchs >AWS Cloud Researchs >Windows Security Research >Supply Chain Research >Reverse Engineering >Failed Research Attempts Link 🔗:- https://seg-fault.gitbook.io/researchs @GitBook_s

Introduction to Reversing from Scratch Using IDA PRO Link 🔗:- https://yutewiyof.gitbook.io/intro-rev-ida-pro @GitBook_s Use Google translate

Introduction to Reversing from Scratch Using IDA PRO Link 🔗:- https://yutewiyof.gitbook.io/intro-rev-ida-pro @GitBook_s Use Google translate

🍻Linux under attack >Recon >SCAN >Vulnerability Analysis >Exploitation >Privilege Escalation >PERSISTENCE Link 🔗:- https://reeves0x0.gitbook.io/linux-under-attack @GitBook_s

https://t.me/+2L2W3Y__rlxjMDQ0 بچها یه چنل زدیم برای کسایی که میخوان وارد دنیای هک و امنیت تست نفوذ وب بشن کسایی که علاقه دارن جوین بشن مطالب خوبی میذاریم هم نقشه راه هم رایتاپ! کسایی که علاقه دارن جوین شن❤️

#promotion