Bug Bounty - GitBook
Відкрити в Telegram
Everything 4 bug bounty https://t.me/GiftWay32robot?start=_tgr_HwZ24DI5MWJk
Показати більше7 470
Підписники
+1024 години
+417 днів
+18130 день
Архів дописів
7 470
⚜️⚜️⚜️⚜️⚜️⚜️⚜️⚜️⚜️⚜️⚜️⚜️⚜️⚜️
💠 تست نفوذ را رایگان یاد بگیر .
⭕️ @TryHackBox
📖 کتاب ها و منابع Cyber Security
📚 @LibrarySecOfficial
💠 رودمپ های مختلف از جمله ردتیم بلوتیم تست نفوذ و ...
⭕️ @TryHackBoxOfficial
💠 تمامی منابع و ابزار های SOC ,DFIR , THIR
⭕️ @hypersec
💠 منابع BlueTeam :
⭕️ @BlueTeamKit
💠 ابزارها و دوره های OSINT
⭕️ @OsintGit
💠 برگزاری دوره های امنیت سایبری
⭕ @kasraone_com
💠 تمامی منابع Red Team اینجاست!
💠 آموزش توسعه بدافزار (رایگان)
⭕ @RedTeamVillageRTV
💠 منابع CTF و رایت آپ ها و دوره های HackTheBox :
⭕ @PfkCTF
💠پنتست وب رو یاد بگیر
⭕️ @GitBook_s
💠 برای اضافه شدن در لیست پیام دهید :
🤖 @Unique_exploitbot
⚜️⚜️⚜️⚜️⚜️⚜️⚜️⚜️⚜️⚜️⚜️⚜️⚜️
7 470
⚜️⚜️⚜️⚜️⚜️⚜️⚜️⚜️⚜️⚜️⚜️⚜️⚜️⚜️
💠 تست نفوذ را رایگان یاد بگیر .
⭕️ @TryHackBox
📖 کتاب ها و منابع Cyber Security
📚 @LibrarySecOfficial
💠 رودمپ های مختلف از جمله ردتیم بلوتیم تست نفوذ و ...
⭕️ @TryHackBoxOfficial
💠 تمامی منابع و ابزار های SOC ,DFIR , THIR
⭕️ @hypersec
💠 منابع BlueTeam :
⭕️ @BlueTeamKit
💠 ابزارها و دوره های OSINT
⭕️ @OsintGit
💠 برگزاری دوره های امنیت سایبری
⭕ @kasraone_com
💠 تمامی منابع Red Team اینجاست!
💠 آموزش توسعه بدافزار (رایگان)
⭕ @RedTeamVillageRTV
💠 منابع CTF و رایت آپ ها و دوره های HackTheBox :
⭕ @PfkCTF
💠پنتست وب رو یاد بگیر
⭕️ @GitBook_s
💠 برای اضافه شدن در لیست پیام دهید :
🤖 @Unique_exploitbot
⚜️⚜️⚜️⚜️⚜️⚜️⚜️⚜️⚜️⚜️⚜️⚜️⚜️
7 470
18. Bypassing Digits Origin Validation Which Leads to Account Takeover- How to Hunt: - Look for vulnerabilities where digits origin validation can be bypassed. - Refer to [HackerOne Report 129873](https://hackerone.com/reports/129873) for more details. 19. Top ATO Reports in HackerOne - How to Hunt: - Review top account takeover reports in HackerOne. - Refer to [TOP ACCOUNT TAKEOVER](https://github.com/reddelexc/hackerone-reports/blob/master/tops_by_bug_type/TOPACCOUNTTAKEOVER.md) for more details.
7 470
☄️𝗔𝗰𝗰𝗼𝘂𝗻𝘁 𝗧𝗮𝗸𝗲𝗼𝘃𝗲𝗿 𝗕𝘂𝗴 𝗕𝗼𝘂𝗻𝘁𝘆 𝗧𝗶𝗽𝘀 𝗳𝗼𝗿 𝗡𝗲𝘄 𝗕𝘂𝗴 𝗛𝘂𝗻𝘁𝗲𝗿𝘀☄️
⚠️Simplified Tips for Account Takeover (ATO)
1. Pre-Account Takeover - How to Hunt: - Register an email without verifying it. - Register again using a different method (e.g., 'sign up with Google') with the same email. - Check if the application links both accounts. - Try logging in to see if you can access information from the other account. 2. Account Takeover due to Improper Rate Limiting - How to Hunt: - Capture the login request. - Use tools like Burp Suite's Intruder to brute-force the login. - Analyze the response and length to detect anomalies. 3. Account Takeover by Utilizing Sensitive Data Exposure - How to Hunt: - Pay attention to the request and response parts of the application. - Look for exposed sensitive data like OTPs, hashes, or passwords. 4. Login Vulnerabilities - Check for: - Brute-force vulnerabilities. - OAuth misconfigurations. - OTP brute-forcing. - JWT misconfigurations. - SQL injection to bypass authentication. - Proper validation of OTP or tokens. 5. Password Reset Vulnerabilities - Check for: - Brute-force vulnerabilities in password reset OTPs. - Predictable tokens. - JWT misconfigurations. - IDOR vulnerabilities. - Host header injection. - Leaked tokens or OTPs in HTTP responses. - Proper validation of OTP or tokens. - HTTP parameter pollution (HPP). 6. XSS to Account Takeover - How to Hunt: - Try to exfiltrate cookies or auth tokens. - Craft XSS payloads to change user email or password. 7. CSRF to Account Takeover - Check for: - Vulnerabilities in email update endpoints. - Vulnerabilities in password change endpoints. 8. IDOR to Account Takeover - Check for: - Vulnerabilities in email update endpoints. - Vulnerabilities in password change endpoints. - Vulnerabilities in password reset endpoints. 9. Account Takeover by Response & Status Code Manipulation- How to Hunt: - Look for vulnerabilities where manipulating response or status codes can lead to account takeover. 10. Account Takeover by Exploiting Weak Cryptography- Check for: - Weak cryptographic implementations in password reset processes. 11. Password or Email Change Function- How to Hunt: - If you see email parameters in password change requests, try changing your email to the victim's email. 12. Sign-Up Function- How to Hunt: - Try signing up with the target email directly. - Use third-party sign-ups with phone numbers, then link the victim's email to your account. 13. Rest Token - How to Hunt: - Try using your REST token with the target account. - Brute 13. Rest Token- How to Hunt: - Try using your REST token with the target account. - Brute force the REST token if it is numeric. - Try to figure out how the tokens are generated. For example, check if they are generated based on timestamp, user ID, or email. 14. Host Header Injection- How to Hunt: - Intercept the REST account request. - Change the Host header value from the target site to your own domain (e.g.,
`POST /PassRest HTTP/1.1 Host: Attacker.com`).
15. CORS Misconfiguration to Account Takeover
- How to Hunt: - Check if the application has CORS misconfigurations.
- If so, you might be able to steal sensitive information from the user to take over their account or make them change authentication information. - Refer to [CORS Bypass](https://book.hacktricks.xyz/pentesting-web/cors-bypass) for more details.
16. Account Takeover via Leaked Session Cookie
- How to Hunt: - Look for vulnerabilities where session cookies are leaked.
- Refer to [HackerOne Report 745324](https://hackerone.com/reports/745324) for more details.
17. HTTP Request Smuggling to ATO- How to Hunt:
- Look for HTTP request smuggling vulnerabilities.
- Refer to [HackerOne Reports 737140 and 740037](https://hackerone.com/reports/737140) and [HackerOne Report 740037](https://hackerone.com/reports/740037) for more details.7 470
Python-Powered HTTP Header Sniffing for Ethical Hacking
https://freedium.cfd/https://medium.com/p/2757310a2695
7 470
How I Found a Subdomain Takeover Bug and Earned a $500 Bounty
Sat, 19 Oct 2024 19:01:34 GMT
https://medium.com/p/0edc139fe994
7 470
✅ کتاب فارسی تست نفوذ اکتیودایرکتوری
🔸 این کتاب ترجمه کتاب Pentesting Active Directory and Windows-based Infrastructure می باشد.
🔴 تهیه شده توسط تیم تولید محتوای سایت دنیای امنیت - احسان نیک آور
🌐 https://securityworld.ir
🌐 https://t.me/irsecurityworld
7 470
Resources for source code review for beginners
Tue, 26 Dec 2023 08:47:45 GMT
https://medium.com/p/5672e28f404a
