ru
Feedback
Bug Bounty - GitBook

Bug Bounty - GitBook

Открыть в Telegram
7 470
Подписчики
+1024 часа
+417 дней
+18130 день
Архив постов
⚜️⚜️⚜️⚜️⚜️⚜️⚜️⚜️⚜️⚜️⚜️⚜️⚜️⚜️ 💠 تست نفوذ را رایگان یاد بگیر . ⭕️ @TryHackBox 📖 کتاب ها و منابع Cyber Security 📚 @LibrarySecOfficial 💠 رودمپ های مختلف از جمله ردتیم بلوتیم تست نفوذ و ... ⭕️ @TryHackBoxOfficial 💠 تمامی منابع و ابزار های SOC ,DFIR , THIR ⭕️ @hypersec 💠 منابع BlueTeam : ⭕️ @BlueTeamKit 💠 ابزارها و دوره های OSINT ⭕️ @OsintGit 💠 برگزاری دوره های امنیت سایبری ⭕ @kasraone_com 💠 تمامی منابع Red Team اینجاست! 💠 آموزش توسعه بدافزار (رایگان) ⭕ @RedTeamVillageRTV 💠 منابع CTF و رایت آپ ها و دوره های HackTheBox : ⭕ @PfkCTF 💠پنتست وب رو یاد بگیر ⭕️ @GitBook_s 💠 برای اضافه شدن در لیست پیام دهید : 🤖 @Unique_exploitbot ⚜️⚜️⚜️⚜️⚜️⚜️⚜️⚜️⚜️⚜️⚜️⚜️⚜️

photo content

⚜️⚜️⚜️⚜️⚜️⚜️⚜️⚜️⚜️⚜️⚜️⚜️⚜️⚜️ 💠 تست نفوذ را رایگان یاد بگیر . ⭕️ @TryHackBox 📖 کتاب ها و منابع Cyber Security 📚 @LibrarySecOfficial 💠 رودمپ های مختلف از جمله ردتیم بلوتیم تست نفوذ و ... ⭕️ @TryHackBoxOfficial 💠 تمامی منابع و ابزار های SOC ,DFIR , THIR ⭕️ @hypersec 💠 منابع BlueTeam : ⭕️ @BlueTeamKit 💠 ابزارها و دوره های OSINT ⭕️ @OsintGit 💠 برگزاری دوره های امنیت سایبری ⭕ @kasraone_com 💠 تمامی منابع Red Team اینجاست! 💠 آموزش توسعه بدافزار (رایگان) ⭕ @RedTeamVillageRTV 💠 منابع CTF و رایت آپ ها و دوره های HackTheBox : ⭕ @PfkCTF 💠پنتست وب رو یاد بگیر ⭕️ @GitBook_s 💠 برای اضافه شدن در لیست پیام دهید : 🤖 @Unique_exploitbot ⚜️⚜️⚜️⚜️⚜️⚜️⚜️⚜️⚜️⚜️⚜️⚜️⚜️

18. Bypassing Digits Origin Validation Which Leads to Account Takeover- How to Hunt: - Look for vulnerabilities where digits origin validation can be bypassed. - Refer to [HackerOne Report 129873](https://hackerone.com/reports/129873) for more details. 19. Top ATO Reports in HackerOne - How to Hunt: - Review top account takeover reports in HackerOne. - Refer to [TOP ACCOUNT TAKEOVER](https://github.com/reddelexc/hackerone-reports/blob/master/tops_by_bug_type/TOPACCOUNTTAKEOVER.md) for more details.

☄️𝗔𝗰𝗰𝗼𝘂𝗻𝘁 𝗧𝗮𝗸𝗲𝗼𝘃𝗲𝗿 𝗕𝘂𝗴 𝗕𝗼𝘂𝗻𝘁𝘆 𝗧𝗶𝗽𝘀 𝗳𝗼𝗿 𝗡𝗲𝘄 𝗕𝘂𝗴 𝗛𝘂𝗻𝘁𝗲𝗿𝘀☄️ ⚠️Simplified Tips for Account Takeover (ATO)
1. Pre-Account Takeover - How to Hunt: - Register an email without verifying it. - Register again using a different method (e.g., 'sign up with Google') with the same email. - Check if the application links both accounts. - Try logging in to see if you can access information from the other account. 2. Account Takeover due to Improper Rate Limiting - How to Hunt: - Capture the login request. - Use tools like Burp Suite's Intruder to brute-force the login. - Analyze the response and length to detect anomalies. 3. Account Takeover by Utilizing Sensitive Data Exposure - How to Hunt: - Pay attention to the request and response parts of the application. - Look for exposed sensitive data like OTPs, hashes, or passwords. 4. Login Vulnerabilities - Check for: - Brute-force vulnerabilities. - OAuth misconfigurations. - OTP brute-forcing. - JWT misconfigurations. - SQL injection to bypass authentication. - Proper validation of OTP or tokens. 5. Password Reset Vulnerabilities - Check for: - Brute-force vulnerabilities in password reset OTPs. - Predictable tokens. - JWT misconfigurations. - IDOR vulnerabilities. - Host header injection. - Leaked tokens or OTPs in HTTP responses. - Proper validation of OTP or tokens. - HTTP parameter pollution (HPP). 6. XSS to Account Takeover - How to Hunt: - Try to exfiltrate cookies or auth tokens. - Craft XSS payloads to change user email or password. 7. CSRF to Account Takeover - Check for: - Vulnerabilities in email update endpoints. - Vulnerabilities in password change endpoints. 8. IDOR to Account Takeover - Check for: - Vulnerabilities in email update endpoints. - Vulnerabilities in password change endpoints. - Vulnerabilities in password reset endpoints. 9. Account Takeover by Response & Status Code Manipulation- How to Hunt: - Look for vulnerabilities where manipulating response or status codes can lead to account takeover. 10. Account Takeover by Exploiting Weak Cryptography- Check for: - Weak cryptographic implementations in password reset processes. 11. Password or Email Change Function- How to Hunt: - If you see email parameters in password change requests, try changing your email to the victim's email. 12. Sign-Up Function- How to Hunt: - Try signing up with the target email directly. - Use third-party sign-ups with phone numbers, then link the victim's email to your account. 13. Rest Token - How to Hunt: - Try using your REST token with the target account. - Brute 13. Rest Token- How to Hunt: - Try using your REST token with the target account. - Brute force the REST token if it is numeric. - Try to figure out how the tokens are generated. For example, check if they are generated based on timestamp, user ID, or email. 14. Host Header Injection- How to Hunt: - Intercept the REST account request. - Change the Host header value from the target site to your own domain (e.g.,
`POST /PassRest HTTP/1.1 Host: Attacker.com`). 15. CORS Misconfiguration to Account Takeover - How to Hunt: - Check if the application has CORS misconfigurations. - If so, you might be able to steal sensitive information from the user to take over their account or make them change authentication information. - Refer to [CORS Bypass](https://book.hacktricks.xyz/pentesting-web/cors-bypass) for more details. 16. Account Takeover via Leaked Session Cookie - How to Hunt: - Look for vulnerabilities where session cookies are leaked. - Refer to [HackerOne Report 745324](https://hackerone.com/reports/745324) for more details. 17. HTTP Request Smuggling to ATO- How to Hunt: - Look for HTTP request smuggling vulnerabilities. - Refer to [HackerOne Reports 737140 and 740037](https://hackerone.com/reports/737140) and [HackerOne Report 740037](https://hackerone.com/reports/740037) for more details.

Python-Powered HTTP Header Sniffing for Ethical Hacking https://freedium.cfd/https://medium.com/p/2757310a2695

A basic TCP client in Python Sun, 20 Oct 2024 04:59:01 GMT https://medium.com/p/1e848c199bb3

How I Found a Subdomain Takeover Bug and Earned a $500 Bounty Sat, 19 Oct 2024 19:01:34 GMT https://medium.com/p/0edc139fe994

Python for Pentesters: Sat, 19 Oct 2024 18:02:04 GMT https://medium.com/p/f1b52910d541

HTB - Soc Analyst Path 2024.zip137.44 MB

HTB - Active Directory Penetration Tester Path 2024.zip358.56 MB

HTB - Bug Bounty Hunter Path 2024.zip56.79 MB

HTB - Senior Web Penetration Tester 2024@GREEN_ARMOR.zip92.47 MB

HackTheBox - Bug Bounty Hunter Job Role Path

✅ کتاب فارسی تست نفوذ اکتیودایرکتوری 🔸 این کتاب ترجمه کتاب Pentesting Active Directory and Windows-based Infrastructure می باشد. 🔴 تهیه شده توسط تیم تولید محتوای سایت دنیای امنیت - احسان نیک آور 🌐 https://securityworld.ir 🌐 https://t.me/irsecurityworld

Resources for source code review for beginners Tue, 26 Dec 2023 08:47:45 GMT https://medium.com/p/5672e28f404a

Parrot OS and best tools in it

Top 20 Parrot OS Tools – Linux Hint.mhtml