I just want to write a checklist for myself. This article covers various vulnerability discovery methods and bypass techniques. I hope you read it carefully.
Twitter @C1h2e11
Wechat : baiheming123456
RECON
Most of my recon ideas come from nahamsec; he is really good.
When I get a target, I first do a lot of information collection: subdomains, IPs, ports, and endpoints.
For subdomains, I use crt.sh. For big targets, I pick some interesting words, such as api, prod, dev, stage, backend, admin, etc.
Subdomain
Let's take Yahoo as an example:
crt.sh | %.yahoo.com
Free CT Log Certificate Search Tool from Sectigo (formerly Comodo CA)
crt.sh | %api%%.yahoo.com
Use % as a wildcard to find the domain names you want. Here is a shell script to quickly collect some subdomains (pass the target domain as $1):
curl -s "https://www.threatcrowd.org/searchApi/v2/domain/report/?domain=$1" | jq .subdomains | grep -o "\w.*$1"
curl -s "https://api.hackertarget.com/hostsearch/?q=$1" | grep -o "\w.*$1"
curl -s "https://crt.sh/?q=%.$1" | grep "$1" | cut -d '>' -f2 | cut -d '<' -f1 | grep -v " " | sort -u
curl -s "https://certspotter.com/api/v0/certs?domain=$1" | grep -o '\[".*"\]'
Often we find domains that cannot be accessed; we can use httprobe to detect which ones have a live HTTP or HTTPS server.
tomnomnom/httprobe
Take a list of domains and probe for working http and https servers. Install with: go get -u github.com/tomnomnom/httprobe
But certificate-based subdomain lists are incomplete and need some brute force; I recommend using Sublist3r.
aboul3la/Sublist3r
Sublist3r is a python tool designed to enumerate subdomains of websites using OSINT. It helps penetration testers and…
We can also use Google dorks and GitHub. I recommend the following script to search for subdomains on GitHub:
gwen001/github-search
Documentation here:
GitHub tools collection
This is the current thread in the bug hunter community: how to find sensitive information on GitHub. Understand how to…
These are the subdomain collection methods I often use. You can also use platforms like Shodan and ZoomEye; I won't go into details here.
IP
Censys.io, ipinfo.io, shodan.io
Censys offers certificate-based queries that can find many IP addresses; I have found many bugs with it. Just query your target domain and click the certificate on the right.
Here you can see the subdomain name, and we can query by IPv4. There will be an IPv4 address; if it is in scope, we can test it. Note the 'get body' marker: it matches content in the response body, so most of those results are not your target's assets.
ipinfo and hostinfo.io can be used to query ASNs and network ranges, which we can then combine with Shodan.
Shodan also has many good features; SSL-based search and favicon search can find a lot of target information. I won't write much here.
DNSdumpster and VirusTotal can also find a lot of information.
Port
For port scanning, use nmap and masscan.
robertdavidgraham/masscan
This is an Internet-scale port scanner. It can scan the entire Internet in under 6 minutes, transmitting 10 million…
Nmap: the Network Mapper — Free Security Scanner
nmap -sV -T3 -Pn -p2075,2076,6443,3868,3366,8443,8080,9443,9091,3000,8000,5900,8081,6000,10000,8181,3306,5000,4000,8888,5432,15672,9999,161,4044,7077,4040,9000,8089,443,7447,7080,8880,8983,5673,7443,19000,19080 ${target}
Endpoint
There are many ways to find endpoints:
curl "http://web.archive.org/cdx/search/cdx?url=*.$1/*&output=text&fl=original&collapse=urlkey"
curl "http://index.commoncrawl.org/CC-MAIN-2018-22-index?url=*.$1&output=json" | jq -r .url
Common Crawl and the Wayback Machine can find many endpoints for us to test. We can also use crawlers to get what we want; the main focus should be on JS files and API endpoints.
Threezh1/JSFinder
JSFinder is a tool for quickly extracting URLs and subdomains from JS files on a website.
I recommend this tool: you can crawl useful endpoints, and we can also use it for BLH discovery (related search methods are covered later).
I also use dirsearch to brute-force directories:
maurosoria/dirsearch
Current Release: v0.3.9 (2019.11.26) dirsearch is a simple command line tool designed to brute force directories and…
C1h2e1/MyFuzzingDict
My dictionary is here
HUNTING
I mainly hunt for the bugs below:
- SSRF
- CSRF (CORS, JSONP hijacking)
- SQLi
- XSS (DOM, Stored, Reflected)
- Weak Password
- Unauthorized access
- IDOR
- Open redirect
- Information Disclosure
- XXE
- File Upload
- Subdomain Takeover
- BLH
- HTTP Request Smuggling
- CRLF
- Auth Bypass
- DOS
- LFI
- Command injection
- Race Condition
- S3 Bucket
- Logic Flaw
- SSTI
Let me introduce them one by one and share bypass tips.
SSRF
https://medium.com/swlh/ssrf-in-the-wild-e2c598900434
This picture is a good summary of the common locations of SSRF. We can find the relevant functions based on the business logic. When you receive a request from the server, try to access the intranet; if there is no visible response, you can judge by timing, the same as with time-based SQLi.
BYPASS
tools
Open redirect/SSRF payload generator
white@black.com ==> black[.]com
black[.]com?white[.]com ==> black[.]com
black[.]com#white.com ==> black[.]com
Tips by @____cypher____
http://127.0.0.1
http://localhost
https://127.0.0.1/
http://127.127.127.127
http://127.0.1.3
http://127.0.0.0
https://localhost/
http://[::]:80/
http://127.0.0.1.nip.io
http://[0:0:0:0:0:ffff:127.0.0.1]
http://spoofed.burpcollaborator.net
http://0177.0.0.1/
http://2130706433/
http://0/
https://10.0.0.1.xip.io
http://1.1.1.1 &@2.2.2.2# @3.3.3.3/
urllib2 : 1.1.1.1
requests + browsers : 2.2.2.2
urllib : 3.3.3.3
<?php
header("Location: http://127.0.0.1");
?>
http://ⓔⓧⓐⓜⓟⓛⓔ.ⓒⓞⓜ = example.com
List:
① ② ③ ④ ⑤ ⑥ ⑦ ⑧ ⑨ ⑩ ⑪ ⑫ ⑬ ⑭ ⑮ ⑯ ⑰ ⑱ ⑲ ⑳ ⑴ ⑵ ⑶ ⑷ ⑸ ⑹ ⑺ ⑻ ⑼ ⑽ ⑾ ⑿ ⒀ ⒁ ⒂ ⒃ ⒄ ⒅ ⒆ ⒇ ⒈ ⒉ ⒊ ⒋ ⒌ ⒍ ⒎ ⒏ ⒐ ⒑ ⒒ ⒓ ⒔ ⒕ ⒖ ⒗ ⒘ ⒙ ⒚ ⒛ ⒜ ⒝ ⒞ ⒟ ⒠ ⒡ ⒢ ⒣ ⒤ ⒥ ⒦ ⒧ ⒨ ⒩ ⒪ ⒫ ⒬ ⒭ ⒮ ⒯ ⒰ ⒱ ⒲ ⒳ ⒴ ⒵ Ⓐ Ⓑ Ⓒ Ⓓ Ⓔ Ⓕ Ⓖ Ⓗ Ⓘ Ⓙ Ⓚ Ⓛ Ⓜ Ⓝ Ⓞ Ⓟ Ⓠ Ⓡ Ⓢ Ⓣ Ⓤ Ⓥ Ⓦ Ⓧ Ⓨ Ⓩ ⓐ ⓑ ⓒ ⓓ ⓔ ⓕ ⓖ ⓗ ⓘ ⓙ ⓚ ⓛ ⓜ ⓝ ⓞ ⓟ ⓠ ⓡ ⓢ ⓣ ⓤ ⓥ ⓦ ⓧ ⓨ ⓩ ⓪ ⓫ ⓬ ⓭ ⓮ ⓯ ⓰ ⓱ ⓲ ⓳ ⓴ ⓵ ⓶ ⓷ ⓸ ⓹ ⓺ ⓻ ⓼ ⓽ ⓾ ⓿
Exploit
http://169.254.169.254/latest/meta-data/iam/security-credentials/aws-elasticbeanstalk-ec2-role
http://169.254.169.254/computeMetadata/v1/
http://metadata.google.internal/computeMetadata/v1/
http://metadata/computeMetadata/v1/
http://metadata.google.internal/computeMetadata/v1/instance/hostname
http://metadata.google.internal/computeMetadata/v1/instance/id
http://metadata.google.internal/computeMetadata/v1/project/project-id
Use the file protocol to read a local file:
file:///etc/passwd
http://100.100.100.200/latest/meta-data/
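On the defensive side, here is an added example (my own code, not from the original post or from PayloadsAllTheThings) of a URL check that treats the host the way the bypass list above does: it parses inet_aton shorthand (0177.0.0.1, 2130706433, 0), unwraps IPv4-mapped IPv6 such as [::ffff:127.0.0.1], NFKC-normalises enclosed-alphanumeric hostnames, rejects non-HTTP schemes such as file://, and blocks loopback, private, link-local (169.254.169.254) and carrier-grade NAT (100.100.100.200) ranges. FAKE_DNS is a constructed lookup table so the example runs offline; the function and constant names are this example's own.

```python
import ipaddress
import socket
import unicodedata
from urllib.parse import urlsplit

# Ranges a server-side fetcher must never reach from a user-supplied URL.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::/128", "::1/128", "fc00::/7", "fe80::/10")]
# Constructed offline DNS table so the example runs without network (lookup=None uses real DNS).
FAKE_DNS = {"localhost": ["127.0.0.1"], "127.0.0.1.nip.io": ["127.0.0.1"],
            "example.com": ["203.0.113.10"]}  # 203.0.113.0/24 is TEST-NET-3

def to_address(host):
    """Literal IP. inet_aton accepts libc shorthand (0177.0.0.1, 2130706433, 0); ipaddress covers IPv6."""
    try:
        return ipaddress.ip_address(socket.inet_aton(host))
    except OSError:
        pass
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        return None

def resolve(host, lookup=None):
    """Every address the hostname maps to, from the table or from real DNS."""
    if lookup is not None:
        return [ipaddress.ip_address(a) for a in lookup.get(host, [])]
    try:
        return [ipaddress.ip_address(ai[4][0]) for ai in socket.getaddrinfo(host, None)]
    except socket.gaierror:
        return []

def is_safe_target(url, lookup=None):
    """Return (allowed, reason) for one URL; re-check on every redirect hop."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme %r is not allowed" % parts.scheme
    host = parts.hostname  # userinfo, port and IPv6 brackets already stripped
    if not host:
        return False, "no host"
    host = unicodedata.normalize("NFKC", host)  # ⓔⓧⓐⓜⓟⓛⓔ.ⓒⓞⓜ -> example.com
    literal = to_address(host)
    addrs = [literal] if literal else resolve(host, lookup)
    for addr in addrs:
        if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
            addr = addr.ipv4_mapped  # [::ffff:127.0.0.1] is still loopback
        if any(addr in net for net in BLOCKED_NETS):
            return False, "%s -> %s is in a blocked range" % (host, addr)
    return bool(addrs), "ok" if addrs else "%s does not resolve" % host
```

Re-run the check on every redirect hop (the PHP Location trick above), and connect to the address that passed rather than resolving the name a second time, or the DNS rebinding attack described below slips past it.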
swisskyrepo/PayloadsAllTheThings
Server Side Request Forgery or SSRF is a vulnerability in which an attacker forces a server to perform requests on…
DNS Rebinding attack
My First SSRF Using DNS Rebinding
Imagine you are a computer :D People give you URLs and you load them Of course you won’t load url that points to your…
cujanovic/SSRF-Testing
http://google.com:80+&@127.88.23.245:22/#+@google.com:80/ http://127.88.23.245:22/+&@google.com:80#+@google.com:80/…
CSRF(CORS,JSONP hijacking)
I won't cover ordinary CSRF here; instead, some token bypass methods:
Delete the CSRF token
Send a null token parameter
Modify the request method, e.g. from GET to POST or PUT
Replace the token with any string of the same length
Fixed token: every user's token is the same and can be shared
CORS Bypass
Think Outside the Scope: Advanced CORS Exploitation Techniques
OUT OF SCOPE XSS and CORS
Use Safari’s URL feature to bypass
JSONP hijacking
kapytein/jsonp
jsonp is a Burp Extension which tries to discover JSONP functionality behind JSON endpoints. It does so by appending…
Burp Suite extension to discover JSONP functionality
Fuzz the callback parameter
In another test, I found a JSONP hijacking at a.redacted.com. When I looked for a vulnerability in b.redacted.com, I found a JSON response, but there was no callback parameter in the requested URL. I tried fuzzing the parameter, but the dictionary did not contain _cb_. Eventually I added the _cb_ parameter from a.redacted.com to b.redacted.com and successfully found JSONP hijacking:
callback=gh0stkey
cb=gh0stkey
jsonp=gh0stkey
jsonpcallback=gh0stkey
jsonpcb=gh0stkey
jsonp_cb=gh0stkey
json=gh0stkey
jsoncallback=gh0stkey
jcb=gh0stkey
call=gh0stkey
cb_=gh0stkey
_cb_=gh0stkey
SQLi
SQL injection is always there; the key is to be careful. I found SQLi in my two most recent tests. You just need to check all the parameters of each page carefully, adding single quotes or %df, or look for time-based SQLi.
tennc/fuzzdb
Check out this repo's SQLi payloads.
Tip: SQL injection via HTTP headers!
I can't think of anything else to write here, so SQLi is done.
XSS
We can use the endpoints obtained during information collection to find reflected XSS. There are many positions for XSS; we should pay attention to bypass payloads.
XSS in hidden input fields
Gareth Heyes | 16 November 2015 at 11:25 UTC Updated: 14 June 2019 at 12:03 UTC At PortSwigger, we regularly run…
XSS in Oculus Rifts CDN
After looking through Oculus Rifts site I came across the developer section for making apps. I quickly made a test app…
I found a lot of blind XSS in recent tests. I think that putting XSS and SQLi payloads in HTTP header locations can have unexpected results.
I use XSS Hunter for blind XSS.
XSS Hunter
!!BlindXSSEveryWhere!!
C1h2e1/c1h2e1.github.io
Contribute to C1h2e1/c1h2e1.github.io development by creating an account on GitHub.
My Blog about XSS!
Weak Password
Try more
Unauthorized access
Most of the unauthorized access I find comes from directory brute-forcing. Find more ports, more IPs, more services.
IDOR
Quitten/Autorize
Autorize is an automatic authorization enforcement detection extension for Burp Suite. It was written in Python by…
Burp Suite extension to find IDOR
One Way to Find Hidden IDOR Vulnerability
I received an invitation for an internal project, i found an interesting vulnerability in this project. After…
The case of IDOR
There are many different test methods when searching for IDOR. Pay attention to unique parameters and pages, and to the function of each API. I recommend using Burp Suite's Repeater to note each API's function and response content. For example, if an email lookup returns a UID, we can use that UID to find IDOR.
Open redirect
When testing open redirect, we can try combining it with XSS by redirecting to javascript:alert(1).
I noticed this URL when I found a 302, but it would not redirect when I opened it, so I tried to bypass the check.
Payload list
C1h2e1/c1h2e1.github.io
Contribute to C1h2e1/c1h2e1.github.io development by creating an account on GitHub.
Open Redirect Cheat Sheet
Hi, this is a cheat sheet for Open redirect vulnerabilities. It’s a first draft. I will update it every time I find a…
Replace whitelisted.com with your target
Information Disclosure
GitHub, Pastebin, Google, etc.
Most of the information disclosure I find comes directly from recon.
SO JUST RECON CAREFULLY
Use GitHub and Pastebin to search for sensitive information such as API keys and tokens.
XXE
1. Upload file
Upload files in formats such as xls or doc.
The process of making a malicious document:
Exploiting XXE with Excel
XML External Entity attacks are very common, particularly through HTTP-based APIs, and we regularly encounter and…
2. OOB attack
3. Modify Content-Type
U.S. Dept Of Defense disclosed on HackerOne: XXE in DoD website…
Starbucks disclosed on HackerOne: XXE at…
johnstone discovered that both ecjobs.starbucks.com.cn/retail/hxpublic_v6/hxdynamicpage6.aspx &…
File Upload
Exploiting File Uploads Pt. 1 — MIME Sniffing to Stored XSS #bugbounty
While bug hunting on a private program I was able to find a Stored XSS vulnerability through a file upload…
Exploiting File Uploads Pt. 2 — A Tale of a $3k worth RCE.
In this post I show how I was able to find a Remote Code Execution vulnerability on a private program through…
We can test for XSS, SSRF and ImageTragick RCE when uploading files. This topic is hard for me to write up in full, so I will just list bypass tips:
- Add dot after the file name
- File name with special symbol before or after
- Delete meta-data
- Race condition
modzero/mod0BurpUploadScanner
A Burp Suite Pro extension to do security tests for HTTP file uploads. Table of Contents Testing web applications is a…
I am writing this article after a day of school today, so my mind is a bit messy XD
Subdomain Takeover
Echocipher/Subdomain-Takeover
A subdomain takeover detection tool. author: Echocipher mail: echocipher@163.com blog: https://echocipher.github.io This project is what I…
haccer/subjack
Subjack is a Subdomain Takeover tool written in Go designed to scan a list of subdomains concurrently and identify ones…
Still no good tips here; more subdomains mean a higher chance of a takeover.
BLH
Command Injection Through BLH
Hi I am Shankar R ( @trapp3r_hat) from Tirunelveli (India). I hope you all doing good. I am a security researcher from…
Broken Link Hijacking — How expired links can be exploited.
Broken Link Hijacking (BLH) exists whenever a target links to an expired domain or page. Broken Link Hijacking comes in…
tools
stevenvachon/broken-link-checker
Find broken links, missing images, etc within your HTML. ✅ Complete: Unicode, redirects, compression, basic auth…
HTTP Request Smuggling
Write-up of two HTTP Request Smuggling findings
This article is about how I found HTTP Request Smuggling on two sites.
CRLF
#BugBounty — Exploiting CRLF Injection can lands into a nice bounty
Auth Bypass
Phabricator disclosed on HackerOne: Bypass auth.email-domains
Email addresses are stored as `VARCHAR(128)`. However, Phabricator does not verify the length of an email address upon…
OAuth2 CSRF: modify the redirect_uri to obtain the victim's token. Restrictions on it can be bypassed using an open redirect.
DOS
QIWI disclosed on HackerOne: apache access.log leakage via long…
Issue access.log is leaked by attacker who trying send many requests. #Explain: Honestly i don’t know how the bug is…
Image size DoS
https://target.com/Verification/?high=100&weigh=100
https://target.com/Verification/?high=100000&weigh=1000000
response boom!
If there is no parameter to control the size, we can add one ourselves:
width=250&height=250
height=250
width=250
w=250&h=250
h=250
w=250
size=250&width=250&height=250
size=250&w=250&h=250
size=250
margin=250
margin=250&width=250&height=250
margin=250&w=250&h=250
size=250&margin=250
size=250&margin=250&width=250&height=250
Bypassing restrictions in a way that affects normal use of the application by its users is what I think is the most meaningful DoS.
[Writeup — FB] Crash web — app through application form of job application pages
I think using a lot of characters or very special characters may cause DoS.