Using Chrome heap snapshots to find hidden API endpoints:
- Open Chrome Developer Tools
- Go to the Memory tab and click the Record button
- Save the snapshot and start grepping stuff
Example: cat Heap-xx.heapsnapshot | grep '/api'
#BugBounty
#bugbountytips
#CyberSecurity
#BountyTip
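A grep over the raw snapshot file also hits property names, source positions and other noise. The script below is an added example (not the author's code) that loads the snapshot as JSON and scans only its "strings" table for API paths; the embedded snapshot is a constructed stand-in with the real top-level keys, and every path in it is made up.

```python
import json
import re

# Constructed, minimal stand-in for a Chrome .heapsnapshot file. Real files
# are large JSON documents with these top-level keys; only "strings" matters
# for this search. Every value below is made up for the example.
SAMPLE_HEAPSNAPSHOT = json.dumps({
    "snapshot": {"meta": {}, "node_count": 0, "edge_count": 0},
    "nodes": [],
    "edges": [],
    "strings": [
        "(root)",
        "fetch",
        "/api/v2/users/me",
        "GET /api/v2/orgs/{orgId}/members",
        "https://app.example.com/api/internal/feature-flags",
        "/api/v2/users/me",
        "/static/js/app.js",
        "Authorization",
    ],
})

# Paths that look like API endpoints, with or without a scheme/host prefix.
ENDPOINT_RE = re.compile(r"(?:https?://[^\s\"']+)?(/api/[A-Za-z0-9_./{}\-]+)")


def extract_api_endpoints(heapsnapshot_text, prefix="/api"):
    """Return the sorted, de-duplicated API paths found in a heap snapshot.

    Parsing the JSON and scanning only the "strings" table is more precise
    than grepping the raw file, which also matches property names, source
    positions and other noise.
    """
    snapshot = json.loads(heapsnapshot_text)
    found = set()
    for s in snapshot.get("strings", []):
        for m in ENDPOINT_RE.finditer(s):
            path = m.group(1)
            if path.startswith(prefix):
                found.add(path)
    return sorted(found)


if __name__ == "__main__":
    import sys
    # Usage: python heap_endpoints.py Heap-xx.heapsnapshot
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_HEAPSNAPSHOT
    for endpoint in extract_api_endpoints(text):
        print(endpoint)
```

Strings in the snapshot include whatever the page had in memory at the time, so exercising the app (logging in, opening the admin area) before recording gives a much richer table than a fresh page load.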
Here is how to generate an efficient wordlist from the Wayback Machine for better bruteforcing on your bug bounty target.
Due to the size of the command I have added it in the reply to this tweet.
Demo :
#infosec
#hacking
#Cybersecurity
@Bugcrowd
Created a tool which extracts endpoints from JS files.
What's new:
- Uses online APIs to find as many JS files as possible.
- Uses a recursive approach to go as deep as possible.
(Recursive? It recursively finds new sources from the extracted endpoints to find more endpoints.)
#cybersecurity
Yesterday while listening to
@Jhaddix
talk on "TBHM V4" I decided to create its mind map, including the tools and techniques Jason mentioned during the talk.
The "TBHM V4" mind map:
You can have a look at my other mind maps at:
Do you love fuzzing?
Here is a simple Python script which replaces the parameter values in target URLs with your desired input.
Make your huge list of target URLs ready for fuzzing and mass testing.
#BountyTip
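The script the tweet refers to is not on this page. As an added example (not the author's script), the function below does the job described: it rewrites each query parameter of a URL with a payload, either one parameter at a time (one URL per parameter, so a reflection can be attributed to a specific parameter) or all at once. The sample URLs are constructed.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed sample of target URLs with parameters (not real targets).
SAMPLE_URLS = [
    "https://example.com/search?q=test&page=2",
    "https://example.com/item?id=42",
    "https://example.com/static/logo.png",
]


def replace_param_values(url, payload, one_at_a_time=True):
    """Return URLs with query parameter values swapped for `payload`.

    one_at_a_time=True yields one URL per parameter, with only that parameter
    carrying the payload, so a reflection or error can be traced to it.
    one_at_a_time=False yields a single URL with every value replaced.
    URLs without a query string yield nothing. The payload is URL-encoded by
    urlencode, which is what a browser would send.
    """
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    if not params:
        return []

    def build(new_params):
        return urlunsplit(parts._replace(query=urlencode(new_params)))

    if not one_at_a_time:
        return [build([(k, payload) for k, _ in params])]
    out = []
    for i in range(len(params)):
        new_params = [(k, payload if j == i else v) for j, (k, v) in enumerate(params)]
        out.append(build(new_params))
    return out


def fuzz_urls(urls, payload, one_at_a_time=True):
    """Expand a whole list of URLs into fuzzing candidates."""
    result = []
    for u in urls:
        result.extend(replace_param_values(u, payload, one_at_a_time))
    return result


if __name__ == "__main__":
    for u in fuzz_urls(SAMPLE_URLS, "FUZZ"):
        print(u)
```

Feed the output to whatever mass-request tool you use; the one-parameter-per-URL form is the one that makes a reflected value easy to map back to the parameter that carried it.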
Here is my bash function to generate Google/Shodan/GitHub dorks for my BB targets.
$ googledorks
will give me a whole bunch of dorks related to the target company.
[Don't copy the code / Copy the idea]
#infosec
#automation
#linux
#cybersecurity
Password reset functionalities have always been interesting targets to me. Here are some of the test cases that I look for when testing password reset functionality in web applications.
#bugbountytips
Every XSS is an account takeover.
In the last few years I have found tons of XSS (non-self) and 99% of them escalated to 0/1-click account takeovers.
#bugbounty
Recon tip:
As JavaScript files are always full of secret information, here is how you can use `grep` to extract the comments inside JavaScript.
Example:
curl | grep '//'
#infosec
#bugbounty
#linux
#cybersecurity
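`grep '//'` also matches every `https://` inside a string literal, which in a minified bundle is most of the hits. The scanner below is an added example (not the author's one-liner) that tracks string literals so only real `//` and `/* */` comments are returned; the JS source it scans is constructed for the example. It does not track regex literals, so a `//` inside one would still be misread.

```python
# Constructed JS sample: URLs inside strings must NOT be reported as comments.
SAMPLE_JS = r"""
// TODO: remove debug flag before release
var api = "https://api.example.com/v1"; // base URL, see wiki
var cdn = 'http://cdn.example.com/x.js';
/* internal: admin panel lives at /admin-7f3a
   auth header is X-Internal-Token */
function f() { return "a // b"; }
"""


def extract_js_comments(source):
    """Return (line_comments, block_comments) from JavaScript source.

    A small scanner that skips over string literals ("", '', ``) so that '//'
    inside a string (e.g. "https://...") is not mistaken for a comment, which
    is exactly the false positive `grep '//'` produces. Regex literals are not
    tracked, so a '//' inside one would still be misread.
    """
    line_comments, block_comments = [], []
    i, n = 0, len(source)
    while i < n:
        c = source[i]
        if c in ('"', "'", "`"):               # string literal: skip to its end
            quote = c
            i += 1
            while i < n and source[i] != quote:
                if source[i] == "\\":          # skip the escaped character
                    i += 1
                i += 1
            i += 1                             # past the closing quote
        elif source.startswith("//", i):       # line comment runs to end of line
            end = source.find("\n", i)
            end = n if end == -1 else end
            line_comments.append(source[i + 2:end].strip())
            i = end
        elif source.startswith("/*", i):       # block comment runs to */
            end = source.find("*/", i + 2)
            end = n if end == -1 else end
            block_comments.append(source[i + 2:end].strip())
            i = end + 2
        else:
            i += 1
    return line_comments, block_comments


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_JS
    lines, blocks = extract_js_comments(text)
    for comment in lines + blocks:
        print(comment)
```

Run it over each downloaded bundle and grep the result for words like TODO, FIXME, internal, admin, key or token.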
I came across an interesting IDOR/BAC vulnerability that required a random ID to exploit.
I discovered that the next ID is generated by incrementing the previous ID by 90600, 32300, 65700 and a few more numbers.
I quickly wrote this PoC that guesses the next ID.
#bugbounty
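The PoC itself is not on this page. As an added example (not the author's code), the script below does what the tweet describes in general form: learn the set of increments from IDs you have observed, then enumerate every ID reachable in a few steps. The observed IDs are constructed; only the three increments named in the tweet are taken from it.

```python
from itertools import product

# Constructed sequence of IDs as they might be observed on a target (create a
# few objects, note the IDs handed back). The increments between them are the
# ones named in the tweet; the starting value is made up.
OBSERVED_IDS = [1000000, 1090600, 1122900, 1188600, 1279200]


def learn_deltas(observed_ids):
    """Return the sorted set of increments seen between consecutive IDs."""
    return sorted({b - a for a, b in zip(observed_ids, observed_ids[1:])})


def guess_next_ids(last_id, deltas, steps=1):
    """Every candidate ID reachable from `last_id` in exactly `steps` increments.

    With k possible deltas the candidate set has at most k**steps members, so
    guessing a few steps ahead stays tiny compared with bruteforcing an ID
    space that merely looks random.
    """
    candidates = set()
    for combo in product(deltas, repeat=steps):
        candidates.add(last_id + sum(combo))
    return sorted(candidates)


if __name__ == "__main__":
    deltas = learn_deltas(OBSERVED_IDS)
    print("increments:", deltas)
    for step in (1, 2, 3):
        print(f"{step} step(s) ahead:", guess_next_ids(OBSERVED_IDS[-1], deltas, step))
```

Each candidate is then a single request against the IDOR endpoint; a hit confirms both the predictability of the IDs and the missing authorization check.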
Did you know that forward slashes ("/") inside HTML tags are automatically converted by browsers to spaces (" ")?
Eg:
<a/b='c'/d='e'/f='g'>X</a>
will automatically be converted into
<a b='c' d='e' f='g'>X</a>
#cybersecuritytips
#bugbounty
#bugbountytip
I reported an XSS 4 months ago and was paid $300 for it. A couple of days ago I found a bypass at the same location and was paid $2200 for it.
The only reason for the higher payout:
Before (1 year ago): I reported alert`1`.
Now: I report organisation takeover with the same XSS.
[1/2]
In a role-based application, HTML image injection can easily be converted into an impactful DoS attack by injecting the application's logout link as the src attribute of the injectable image tag, which leads to a DoS for all other members of the organisation.
#bugbountytips
Since I no longer get time to do bug bounties, I think it would be wise to share my old findings in Twitter threads.
I will post 1 bug/day starting from tomorrow. I will also use the
#onebugaday
hashtag to keep all the threads easily accessible to the audience.
#bugbounty
Subdomain extraction:
Higher-level subdomains have always tended to be more vulnerable than lower-level subdomains. Here is how to grep a specific level of subdomains from a list of subdomains.
#bugbounty
#bugbountytips
#linux
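The grep itself is not on this page. As an added example (not the author's command), the helper below computes how many labels a host sits below the apex and filters a subdomain list to one level; the subdomain list is constructed.

```python
# Constructed list of subdomains as produced by an enumeration tool.
SAMPLE_SUBDOMAINS = """\
example.com
www.example.com
api.example.com
dev.api.example.com
staging.dev.api.example.com
old-admin.internal.example.com
"""


def subdomain_level(host, apex):
    """Number of labels `host` has below the apex domain (0 for the apex itself).

    The apex must be given explicitly: counting dots alone breaks for
    registries like co.uk, where the apex already contains a dot.
    """
    host = host.strip().lower().rstrip(".")
    apex = apex.lower()
    if host == apex:
        return 0
    if not host.endswith("." + apex):
        raise ValueError(f"{host} is not under {apex}")
    return host[: -len(apex) - 1].count(".") + 1


def filter_by_level(subdomain_text, apex, level):
    """Return the hosts exactly `level` labels deep under `apex`."""
    return [h for h in subdomain_text.split() if subdomain_level(h, apex) == level]


if __name__ == "__main__":
    for lvl in (1, 2, 3):
        print(lvl, filter_by_level(SAMPLE_SUBDOMAINS, "example.com", lvl))
```

Deeper names (dev.api, staging.dev.api) are the ones most often forgotten by the owning team, which is the point of splitting the list by level before prioritising.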
Looking for BAC issues? Try this.
You have a restricted endpoint:
GET /api/users/123/profile
Try:
GET /api/users/123/profile
POST /api/users/123/profile
PUT /api/users/123/profile
PATCH /api/users/123/profile
DELETE /api/users/123/profile
#bugbountytips
#🆕Update
Added 4 new Mind-Maps to
✅ Added Cookie Based Authentication Vulnerabilities
✅ Added Testing JIRA for CVEs
✅ Added Scope Based Testing
✅ Added OAuth 2.0 Threat Model Pentesting Checklist
Thanks
@harshbothra_
and
@BinaryBrotherh1
You can always do much more with request smuggling. Here is an example where I was able to leak API keys, get access to the internal network and take over accounts en masse by escalating the attack to the next level.
Thanks to
@albinowax
for his awesome work.
#BugBountyTip
You will always find what you are looking for. So if you haven't found an RCE, SSRF or any other critical one yet, probably you aren't looking for them.
Here are the slides for my latest talk on "Bash and Recon" at
@Nullblr
Even though the number of slides was small because it was a hands-on session on Bash, beginners can get a really good overview of how Bash can be useful to automate security stuff.
#BountyTip
Remember, if you found a huge number of JavaScript files on your BB target, don't just leave them after having a quick look at them. You can use grep to find some juicy info inside. Here are some advanced ways to do better grepping.
#infosec
"API testing" has always been my favourite. Here is a tip for guessing new API endpoints without bruteforcing/scraping the target app.
#bugbountytips
#APItesting
I am building something which automates 70% of my API testing process. It can look for IDORs, privilege escalation and other injection issues in any REST/GraphQL API irrespective of the content types or the structure of the API.
APIs are mostly protected from XSS by using the correct content types, but several companies allow users to upload files through their web app and then serve those files through the API. This can sometimes be abused to bypass the content-type protection.
#bugbountytips
#bugbounty
My presentation on "Bash and Recon" is live on Vimeo. It's about how I use Bash to automate my recon process.
Check it out here:
#bugbounty
#cybersecurity
Wrote a simple bash script which continuously looks for possible second-order subdomain takeover vulnerabilities.
I continuously export logs from Burp Suite using Logger++ and run this script over the links again and again. It beeps whenever it finds a dead DNS record.
The replace() function in JavaScript by default only replaces the first instance of the matched string, so adding an extra copy of the characters it wishes to replace at the beginning of your payload will completely bypass the filter.
#bugbountytips
[1/3]
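As an added example (not the author's code), the script below reproduces the weak filter and its bypass. JavaScript's `str.replace("<script>", "")` with a string pattern removes only the first match; Python's `str.replace` removes all of them by default, so `count=1` is used to mirror the JavaScript behaviour. It also shows a second payload that beats even a global replace by splicing the token together, and a filter that loops until the output stops changing. The payloads are constructed.

```python
import re

BAD = "<script>"

# Constructed payloads.
PAYLOAD_PREFIX = "<script><script>alert(1)</script>"   # extra copy in front
PAYLOAD_SPLICE = "<scr<script>ipt>alert(1)</script>"    # token re-forms after removal


def naive_filter(user_input):
    """Mimics JS `input.replace("<script>", "")`: a string pattern replaces only
    the first occurrence. count=1 reproduces that in Python."""
    return user_input.replace(BAD, "", 1)


def global_filter(user_input):
    """Mimics JS `input.replace(/<script>/gi, "")`: every occurrence, one pass."""
    return re.sub(re.escape(BAD), "", user_input, flags=re.I)


def repeated_filter(user_input):
    """Keep removing until the string stops changing, so a token spliced together
    by an earlier removal is removed on the next pass."""
    prev, out = None, user_input
    while out != prev:
        prev, out = out, global_filter(out)
    return out


def contains_script_tag(s):
    return BAD in s.lower()


if __name__ == "__main__":
    for name, p in (("prefix", PAYLOAD_PREFIX), ("splice", PAYLOAD_SPLICE)):
        print(name, "naive   ->", naive_filter(p))
        print(name, "global  ->", global_filter(p))
        print(name, "repeated->", repeated_filter(p))
```

Even the looping variant is a blacklist; the real fix for reflected input is context-aware output encoding, which the removal loop only approximates.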
One of the easiest ways to get an IDOR on a role-based application is to invite the target user to your organisation. Since they become a member of your organisation, you will be allowed to get their user information via the API.
#bugbountytips
✅ Added 5 more Mindmaps to
⏺️ Access Control Vulnerabilities
⏺️ CISO MindMap 2021
⏺️ Common Vulnerabilities on Forgot Password
⏺️ Common XML Attacks
⏺️ Copy of Vulnerability Checklist for SAML
I wanted to quickly share an idea for building an automation to test privilege escalation/IDORs and other injection attacks on APIs. Here is a rough diagram of the tool.
#bugbounty
Killing open ports directly from the terminal.
This can be useful when you want to start a service/tool which needs an open port, but that port is already consumed by some unknown service; you can use this command to directly kill that service.
#LINUXtips
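The command itself is not on this page. As an added example (not the author's command), the script below finds the PID(s) listening on a port by parsing `ss -ltnp` output and signals them. The `ss` output embedded here is a constructed sample in the column layout `ss` prints on Linux; killing requires permission to signal the owning process.

```python
import os
import re
import signal
import subprocess

# Constructed sample of `ss -ltnp` output (Linux, iproute2). PIDs are made up.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:8080       0.0.0.0:*         users:(("python3",pid=4242,fd=3))
LISTEN 0      511    127.0.0.1:3000     0.0.0.0:*         users:(("node",pid=5151,fd=18),("node",pid=5152,fd=18))
LISTEN 0      128    [::]:22            [::]:*            users:(("sshd",pid=900,fd=3))
"""

PID_RE = re.compile(r"pid=(\d+)")


def pids_listening_on(port, ss_output):
    """Return the PIDs of processes listening on `port`, parsed from `ss -ltnp` text.

    The port is taken from the 'Local Address:Port' column, splitting on the
    last ':' so IPv6 literals like [::]:22 are handled.
    """
    pids = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        local = fields[3]
        if local.rsplit(":", 1)[-1] == str(port):
            pids.update(int(p) for p in PID_RE.findall(line))
    return sorted(pids)


def kill_port(port, sig=signal.SIGTERM):
    """Kill whatever is listening on `port`. Needs `ss` and permission to signal
    the owning process. Returns the PIDs signalled."""
    out = subprocess.run(["ss", "-ltnp"], capture_output=True, text=True, check=True).stdout
    pids = pids_listening_on(port, out)
    for pid in pids:
        os.kill(pid, sig)
    return pids


if __name__ == "__main__":
    import sys
    # Usage: python kill_port.py 8080
    print("killed:", kill_port(int(sys.argv[1])))
```

Check the process name in the `ss` output before killing; on a shared box the "unknown service" on the port may be someone else's.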
Do you lack the skills to code your own tools and scripts?
Here is something for you. I came across this book, "Coding for Penetration Testers", which covers almost everything you need to build better tools.
[1/3]
Want to get started in bug bounties?
Here is a list of things that you need to learn before jumping into bug bounties.
- How the internet works
- Understanding the TCP/IP and OSI models
- How DNS works
- How web servers work
- How to set up a web server
- HTML
- JavaScript
- PHP
When it comes to API testing, finding new endpoints is one of the important techniques that shouldn't be ignored at all.
But most people do it wrong. Recursion can be combined with endpoint-extracting tools to get the best out of them.
#bugbountytip
#cybersecurity
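The recursion both of these tweets describe (the earlier "extracts endpoints from JS files" tool and this one) is shown below as an added example, not the author's tool. Each extracted reference that is itself a JS file becomes a new source to scan, with a visited set to stop loops and a depth limit. To run offline it fetches from a constructed in-memory map of URL to JS source; swap `fake_fetch` for a real HTTP GET to use it on a target.

```python
import re
from urllib.parse import urljoin

# Constructed stand-in for fetching JS over the network: a map from URL to
# source. Hosts, paths and code are all made up for the example.
FAKE_WEB = {
    "https://app.example.com/main.js": """
        const API = "/api/v1";
        fetch(API + "/users/me");
        import("/static/chunks/settings.js");
        loadScript("https://cdn.example.com/vendor/widget.js");
    """,
    "https://app.example.com/static/chunks/settings.js": """
        axios.post("/api/v1/orgs/members/invite", data);
        const admin = "/api/internal/admin/export";
    """,
    "https://cdn.example.com/vendor/widget.js": """
        // vendor code, nothing interesting
        fetch("https://cdn.example.com/vendor/telemetry.js");
    """,
    "https://cdn.example.com/vendor/telemetry.js": """
        navigator.sendBeacon("/api/v1/telemetry", payload);
    """,
}


def fake_fetch(url):
    return FAKE_WEB.get(url, "")


# Quoted absolute URLs or root-relative paths inside JS source.
PATH_RE = re.compile(r"""["'`]((?:https?://[^"'`\s]+|/[A-Za-z0-9_./\-]+))["'`]""")


def extract_endpoints_recursive(start_url, fetch=fake_fetch, max_depth=3):
    """Extract endpoints from a JS file and recurse into every JS file it references.

    `seen` prevents loops and duplicate fetches; `max_depth` bounds how far a
    chain of scripts is followed. Returns (endpoints, js_files_visited).
    """
    endpoints = set()
    seen = set()

    def walk(url, depth):
        if depth > max_depth or url in seen:
            return
        seen.add(url)
        for m in PATH_RE.finditer(fetch(url)):
            ref = urljoin(url, m.group(1))
            if ref.split("?", 1)[0].endswith(".js"):
                walk(ref, depth + 1)      # a new source of endpoints: recurse into it
            else:
                endpoints.add(ref)

    walk(start_url, 0)
    return sorted(endpoints), sorted(seen)


if __name__ == "__main__":
    found, visited = extract_endpoints_recursive("https://app.example.com/main.js")
    print("visited:", visited)
    print("endpoints:", found)
```

Without the recursion, the telemetry endpoint two scripts away from main.js is never seen; with it, the scan also crosses onto the CDN host, which is why a scope filter on `ref` belongs in a real run.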
Since I have been learning some advanced stuff about nmap over the last week, I will be posting some interesting stuff about nmap lately.
[1] How to check if a list of hosts are live/dead without performing the port scan.
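The nmap invocation is not on this page. As an added example (not the author's), the script below runs nmap's host discovery only (`-sn`, which skips the port scan) against a host list and parses the greppable output into live/dead; the greppable output embedded here is a constructed sample in nmap's `-oG` line format.

```python
import re
import subprocess

# Constructed sample of nmap greppable output (-oG -) for a ping scan (-sn).
# The hosts are made up; the line layout is nmap's.
SAMPLE_GREPABLE = """\
# Nmap 7.94 scan initiated as: nmap -sn -iL hosts.txt -oG -
Host: 10.0.0.1 (gw.lab)\tStatus: Up
Host: 10.0.0.2 ()\tStatus: Down
Host: 10.0.0.7 (jump.lab)\tStatus: Up
# Nmap done -- 3 IP addresses (2 hosts up) scanned
"""

HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)\s+Status: (Up|Down)", re.M)


def parse_host_status(grepable_text):
    """Map each scanned IP to True (up) / False (down) from nmap -oG output."""
    return {ip: status == "Up" for ip, _name, status in HOST_RE.findall(grepable_text)}


def live_hosts(grepable_text):
    return [ip for ip, up in parse_host_status(grepable_text).items() if up]


def ping_sweep(hosts_file):
    """Run host discovery only (-sn: no port scan) over a file of targets and
    return the live IPs. Unprivileged, nmap probes TCP 80/443 with connect()
    instead of using raw ICMP/ARP, so results can differ from a root run."""
    out = subprocess.run(
        ["nmap", "-sn", "-iL", hosts_file, "-oG", "-"],
        capture_output=True, text=True, check=True,
    ).stdout
    return live_hosts(out)


if __name__ == "__main__":
    import sys
    # Usage: python sweep.py hosts.txt
    for ip in ping_sweep(sys.argv[1]):
        print(ip)
```

Hosts that drop ICMP and do not listen on 80/443 show as Down here; `-Pn` would treat them as up at the cost of scanning everything.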
BrowserStack is a cross-browser testing tool to test across new and old versions of IE, Edge, Safari, Chrome and Firefox.
You can open a URL in any browser without installing the browser on your system; it can be useful when testing browser-specific bugs.
#bugbountytips
I always run my tools on a VPS. Making any modification to my tools becomes a headache as I always have to move files from the VPS to my local machine even for a small modification.
So I wrote "Editing files on your VPS with Sublime on your local machine."
#bugbountytips
If user-supplied data is reflected inside double quotes (") within a <script> tag, there is no need to escape the double quotes (") to trigger XSS.
Thanks to
@leonishan_
Here is the command used:
curl -s "" | sed 's/\//\n/g' | sort -u | grep -v 'svg\|\.png\|\.img\|\.ttf\|http:\|:\|\.eot\|woff\|ico\|css\|bootstrap\|wordpress\|\.jpg\|\.jpeg' > wordlist.txt
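The one-liner splits the whole response on `/`, so hostnames, query strings and numeric IDs end up in the wordlist too. The script below is an added example (not the author's command) of the same idea done per URL path: it drops the host and query, skips numeric IDs and static-asset names, and keeps the application-specific path words. The archived URLs it reads are constructed.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample of archived URLs for a target (one per line), as a
# Wayback/CDX export would list them. Paths are made up.
SAMPLE_URLS = """\
http://example.com/admin/login.php
https://example.com/static/css/bootstrap.min.css
https://example.com/wp-content/themes/x/style.css?ver=1
https://example.com/api/v1/users/123/export
https://example.com/assets/logo.png
https://example.com/internal/reports/2019/q3.pdf
https://example.com/api/v1/users/123/export?format=csv
"""

# Path segments that are only noise for bruteforcing: static assets and vendor dirs.
NOISE_EXT = re.compile(r"\.(png|jpe?g|gif|svg|ico|css|js|woff2?|ttf|eot|map)$", re.I)
NOISE_WORDS = {"wp-content", "wp-includes", "bootstrap", "static", "assets",
               "css", "js", "img", "images", "fonts"}


def wordlist_from_urls(url_text, min_len=2):
    """Build a de-duplicated, sorted list of path words from archived URLs.

    Each URL's path is split on '/'; the host and query string are ignored,
    purely numeric IDs, static asset names and common vendor directories are
    dropped, and what remains are application-specific words worth trying on
    other hosts of the same target.
    """
    words = set()
    for line in url_text.splitlines():
        line = line.strip()
        if not line:
            continue
        path = unquote(urlsplit(line).path)
        for seg in path.split("/"):
            seg = seg.strip()
            if len(seg) < min_len or seg.isdigit():
                continue
            if NOISE_EXT.search(seg) or seg.lower() in NOISE_WORDS:
                continue
            words.add(seg)
    return sorted(words)


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_URLS
    print("\n".join(wordlist_from_urls(text)))
```

Because the query string is discarded, parameter names are not collected here; a separate pass over `parse_qs` of each URL gives a parameter wordlist with the same approach.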
Today's bugs!
1) I was able to find an API endpoint which was leaking information related to the company which was meant to be private.
2) I was able to escalate my privileges and get access to a restricted part of the application.
#infosec
@Bugcrowd
Looking for BAC issues? Try this.
You have an endpoint:
GET /api/org/1234/members/123/profile
Try:
GET /api/orgs/1234/members/123/profile
GET /api/org/1234/members/123
GET /api/orgs/1234/members
GET /api/orgs/1234
GET /api/orgs
#bugbountytips
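Both BAC tips on this page (trying every method on a restricted endpoint, and walking the path upwards with singular/plural variants) are request permutations, so one generator serves both. It is an added example, not the author's tooling; the path used is the one from the tweet and nothing is sent anywhere.

```python
from itertools import chain

METHODS = ["GET", "POST", "PUT", "PATCH", "DELETE"]


def path_ancestors(path):
    """Walk a REST path upwards: /api/org/1234/members/123/profile -> ... -> /api."""
    parts = path.strip("/").split("/")
    return ["/" + "/".join(parts[:i]) for i in range(len(parts), 0, -1)]


def singular_plural_variants(path):
    """Toggle singular/plural on each non-numeric segment (org <-> orgs)."""
    parts = path.strip("/").split("/")
    variants = []
    for i, seg in enumerate(parts):
        if seg.isdigit():
            continue
        alt = seg[:-1] if seg.endswith("s") else seg + "s"
        variants.append("/" + "/".join(parts[:i] + [alt] + parts[i + 1:]))
    return variants


def bac_candidates(method, path):
    """(method, path) pairs to try against a restricted endpoint.

    The original request is excluded; every other method on the original
    path, its singular/plural variants and each ancestor path is included.
    """
    paths = []
    for p in chain([path], singular_plural_variants(path), path_ancestors(path)[1:]):
        if p not in paths:
            paths.append(p)
    return [(m, p) for p in paths for m in METHODS if (m, p) != (method, path)]


if __name__ == "__main__":
    for m, p in bac_candidates("GET", "/api/org/1234/members/123/profile"):
        print(m, p)
```

Send each candidate with the low-privilege session and compare status codes and body lengths against the same request with no session at all; a 200 on an ancestor path (for example the whole members list) is the classic find.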
Cross-domain token usage:
====================
- Log in to website (A) and generate a token/session (X).
- Now use token (X) to access all the subdomains of website (A).
#bugbountytips
#bugbounty
Completed 9 months of bug hunting (working 3 hours a day).
I reported 53 bugs including 17 P2s and 2 P1s.
It was a nice experience to work with
@Bugcrowd
and the team.
Personally I want to thank
@zseano
@brutelogic
@Jhaddix
for everything that you did for the community.
#BountyTip
I spend a lot of time understanding the target app before actually hacking it. One can do that by reading their blogs and other documentation, but I start with the company's YouTube channel. It always helps me understand the app in less time than reading docs/blogs.
Second-order subdomain takeover:
Always keep an eye on the Network tab of Chrome Developer Tools for 404 errors. A 404 error could mean that the target app is trying to load resources from a host/domain which doesn't exist, which may lead to subdomain takeover.
#bugbountytips
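The beeping script mentioned earlier on this page (run over Logger++ exports) and this Network-tab tip look for the same thing: a hostname the app references that no longer resolves. As an added example (not the author's script), the code below pulls the hostnames out of a list of logged URLs and reports the ones that fail to resolve. The URL list is constructed, and the resolver is injectable so the check can be exercised without live DNS.

```python
import socket
from urllib.parse import urlsplit

# Constructed sample of URLs as exported from Burp's Logger++ or copied from
# the browser's Network tab. Hostnames are made up.
SAMPLE_LOG_URLS = """\
https://app.example.com/index.html
https://cdn-old.example.com/bundle.js
https://app.example.com/api/v1/me
https://assets.example-static.net/logo.svg
"""


def hosts_from_urls(url_text):
    """Unique hostnames referenced by the logged URLs, in first-seen order."""
    hosts = []
    for line in url_text.split():
        host = urlsplit(line).hostname
        if host and host not in hosts:
            hosts.append(host)
    return hosts


def resolves(host):
    """True if the name resolves at all. A failure is the signal the tip is
    about: the app loads a resource from a name that no longer exists (NXDOMAIN,
    including a CNAME that points at a deleted target)."""
    try:
        socket.getaddrinfo(host, None)
        return True
    except socket.gaierror:
        return False


def find_dead_hosts(url_text, resolve=resolves):
    """Return the referenced hostnames that do not resolve.

    `resolve` is injectable so the check can run against a canned answer set
    instead of live DNS (as the test does).
    """
    return [h for h in hosts_from_urls(url_text) if not resolve(h)]


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG_URLS
    for host in find_dead_hosts(text):
        print("\a" + host)   # terminal bell, like the script in the tweet
```

A dead name is only a candidate: whether it is actually claimable depends on who controls the parent zone or the provider the CNAME points at, which is the check to do before reporting.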
The file upload functionality in web apps continues to be one of the most vulnerable features.
Read our blog post to discover 10 distinct attacks that can be used to exploit file upload vulnerabilities in your web applications.
#appsec
#cybersecurity
There is no hacking without reading the docs. If you are randomly spraying payloads online and it's finding you bugs, it's not hacking, it's just pure luck.
#bugbounty
#appsec
@NahamSec
I would present these pieces of advice:
- Learn how to code
- Emphasise cultivating a hacker mindset over learning more technical skills
- Become proficient in a few key areas and leave the rest aside
@n_7x9
There is no good way to look for XSS; test however you feel comfortable.
This blog by
@brutelogic
is definitely the best resource available to get a good grip on XSS: