Detect low-hanging bugs and sensitive information (API keys, secrets, etc.), including in JS files and HTML pages
First run an Amass scan and save its output, then run Sublist3r in brute-force mode and save its output to a separate file. Then remove duplicate subdomains from the combined list, either locally (for example with sort -u) or with a web tool such as https://www.textfixer.com/tools/remove-duplicate-lines.php (keep in mind that pasting a client's subdomain list into a third-party site discloses it to that site).
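The merge step above can be done offline. The following is an added example, not a script from the page or from Amass/Sublist3r: it normalises the two outputs (lower-case, wildcard prefix and trailing dot removed), drops junk lines, keeps only hosts under the programme's scope and de-duplicates. The sample outputs and the target example.com are constructed for illustration.

```python
"""Merge and de-duplicate Amass and Sublist3r output locally (added example)."""
import re
from typing import Iterable, List

# Constructed sample output in the shape the two tools produce: one hostname
# per line, with mixed case, a wildcard entry, a trailing dot and one junk line
# of the kind scraping tools sometimes emit.
AMASS_OUTPUT = """\
www.example.com
API.example.com
*.dev.example.com
mail.example.com.
"""

SUBLIST3R_OUTPUT = """\
www.example.com
api.example.com
staging.example.com
dev.example.com
<BR>www.example.com
"""

# Labels of 1-63 chars, letters/digits/hyphens, ending in an alphabetic TLD.
HOSTNAME_RE = re.compile(
    r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)


def normalise(line: str) -> str:
    """Lower-case, strip whitespace, a leading wildcard and a trailing dot."""
    host = line.strip().lower()
    if host.startswith("*."):
        host = host[2:]
    return host.rstrip(".")


def merge_subdomains(outputs: Iterable[str], scope: str) -> List[str]:
    """Return the sorted, de-duplicated hostnames under *scope* found in *outputs*."""
    scope = scope.lower()
    seen = set()
    for text in outputs:
        for line in text.splitlines():
            host = normalise(line)
            # Drop lines that are not hostnames at all (HTML fragments, blanks).
            if not HOSTNAME_RE.match(host):
                continue
            # Drop anything outside the programme's scope.
            if host != scope and not host.endswith("." + scope):
                continue
            seen.add(host)
    return sorted(seen)


if __name__ == "__main__":
    for host in merge_subdomains([AMASS_OUTPUT, SUBLIST3R_OUTPUT], "example.com"):
        print(host)
```

Reading the real files instead of the embedded strings is a matter of passing open(...).read() for each tool's output; the scope filter is what keeps an out-of-scope host from ending up in a later scan.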
To check whether the API keys you find are actually exploitable, use a tool such as gmapsapiscanner: it saves time by automating the checks and, if a key turns out to be vulnerable, it generates the PoC itself.
Tool: https://github.com/ozguralp/gmapsapiscanner
Usage:
python3 maps_api_scanner_python3.py
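The two halves of this workflow, pulling candidate Google Maps keys out of JavaScript or HTML and building the request that shows whether a key is usable, look like the following. This is an added example, not code from gmapsapiscanner; the sample script and the key value in it are made up (it is not a real credential), and the Static Maps parameters are one plausible check request, not the tool's exact ones.

```python
"""Find Google Maps API keys in JS/HTML and build a static-map check URL (added example)."""
import re
from typing import List
from urllib.parse import urlencode

# Google API keys are 39 characters: the prefix "AIza" followed by 35
# characters from [0-9A-Za-z_-]. Lookarounds stop us matching a longer token.
GOOGLE_API_KEY_RE = re.compile(
    r"(?<![0-9A-Za-z_-])AIza[0-9A-Za-z_-]{35}(?![0-9A-Za-z_-])"
)

# Constructed sample bundle; the key below is invented for this example.
SAMPLE_JS = """
window.__CFG = {"mapsKey": "AIzaSyD0123456789abcdefghijklmnopqrstuv"};
s.src = "https://maps.googleapis.com/maps/api/js?key=AIzaSyD0123456789abcdefghijklmnopqrstuv&libraries=places";
var other = "AIzaNotLongEnough";
"""


def find_google_api_keys(text: str) -> List[str]:
    """Return distinct candidate keys in order of first appearance."""
    found: List[str] = []
    for match in GOOGLE_API_KEY_RE.finditer(text):
        key = match.group(0)
        if key not in found:
            found.append(key)
    return found


def static_map_check_url(key: str) -> str:
    """Static Maps request used to test the key from an arbitrary origin.

    A PNG in the response means the key is usable for this API without
    referrer or IP restrictions; an error body means it is restricted or
    the API is not enabled for the project.
    """
    params = {"center": "45,10", "zoom": "7", "size": "400x400", "key": key}
    return "https://maps.googleapis.com/maps/api/staticmap?" + urlencode(params)


if __name__ == "__main__":
    for key in find_google_api_keys(SAMPLE_JS):
        print(key, "->", static_map_check_url(key))
```

Run the extractor over every downloaded JS file and HTML page, then request each check URL from a host the target never whitelisted; a key that returns an image from there is the finding, and the URL itself is the PoC.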
SQL Injection Methodologies
* Try logging in with admin / admin and send the login request to Burp for injection testing.
There is a new tool in town called bcscope that retrieves the scope of all bug bounty programs available to you on the Bugcrowd platform, including the private ones your account has been invited to.
All you have to do is provide your Bugcrowd token like this:
bcscope -t <YOUR-TOKEN-HERE> -c 2 -p
Quite convenient and pretty useful!
Get the tool here:
https://github.com/sw33tLie/bcscope
Chaining file uploads with other vulns
When testing file upload functionality in a web application, try setting the filename to the following values:
../../../tmp/lol.png -> for path traversal
sleep(10)-- -.jpg -> for SQL injection
.jpg/png -> for XSS (with an HTML/JavaScript payload placed before the extension)
; sleep 10; -> for command injection
With these payloads we may trigger additional vulnerabilities beyond the upload itself: the filename is typically written to disk, stored in a database, rendered back in HTML and sometimes passed to a shell command, so each of those sinks is a candidate.
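The defensive side of the same tip: the example below is added here (it is not code from the page) and runs the four payloads through a naive handler that trusts the client-supplied name and through a hardened one that rejects them. The upload directory, the allow-list and the XSS filename used for the third payload are assumptions for this example.

```python
"""Vulnerable vs. hardened handling of an uploaded filename (added example)."""
import posixpath
import re
import secrets
from typing import Optional, Tuple

UPLOAD_DIR = "/var/www/uploads"            # assumed upload root
ALLOWED_EXT = {".png", ".jpg", ".jpeg", ".gif"}
# Strict allow-list for any name we are willing to store or display.
SAFE_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,99}$")

# The payloads from the tip above; the XSS one is a representative filename
# chosen for this example.
PAYLOADS = {
    "path traversal": "../../../tmp/lol.png",
    "SQL injection": "sleep(10)-- -.jpg",
    "XSS": "<img src=x onerror=alert(1)>.png",
    "command injection": "; sleep 10;",
}


def naive_destination(filename: str) -> str:
    """Vulnerable: builds the on-disk path straight from the client name."""
    return posixpath.normpath(posixpath.join(UPLOAD_DIR, filename))


def validate_upload_name(filename: str) -> Tuple[bool, str]:
    """Return (accepted, reason). Reject bad names instead of trying to clean them."""
    # Separators and ".." are refused outright (also rejects "a..b.png"; acceptable).
    if "/" in filename or "\\" in filename or ".." in filename:
        return False, "path separator or traversal sequence"
    if not SAFE_NAME_RE.match(filename):
        return False, "characters outside the allow-list"
    ext = posixpath.splitext(filename)[1].lower()
    if ext not in ALLOWED_EXT:
        return False, "extension not allowed"
    return True, "ok"


def safe_destination(filename: str) -> Optional[str]:
    """Hardened: accept only allow-listed names and never reuse them on disk.

    A random server-chosen name breaks the link between the client string
    and what lands in the filesystem; the original name, if kept at all,
    must still go through a parameterised query and HTML escaping.
    """
    accepted, _ = validate_upload_name(filename)
    if not accepted:
        return None
    ext = posixpath.splitext(filename)[1].lower()
    return posixpath.join(UPLOAD_DIR, secrets.token_hex(16) + ext)


if __name__ == "__main__":
    for label, name in PAYLOADS.items():
        print(f"{label:18} naive -> {naive_destination(name)}")
        print(f"{'':18} hardened -> {validate_upload_name(name)}")
    print("benign", safe_destination("holiday.PNG"))
```

The traversal payload shows why normalising after joining is not a defence: the naive path for ../../../tmp/lol.png resolves to /tmp/lol.png, outside the upload root, which is exactly what the tester is probing for.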
GitHub dorks for AWS, Jira, Okta .. secrets
Here are some useful GitHub dorks shared by @hunter0x7 for identifying sensitive information related to Amazon AWS cloud:
Here's another list of GitHub dorks shared by @GodfatherOrwa for identifying various other credentials and secrets:
"target.com" password or secret
"target.atlassian" password
"target.okta" password
"corp.target" password
"jira.target" password
"target.onelogin" password
target.service-now password
Sometimes just "target" on its own.
Pro tip: while doing GitHub dorking, also try GitDorker (made by @obheda12), which automates the whole process and contains 400+ dorks in total, for easy bug bounty wins.
Detailed information about GitDorker can be found here.
Here's an interesting bug bounty write-up leading to a reflected XSS (cross-site scripting triggered by visiting a link).
The author was able to identify and exploit the XSS despite the application filtering some characters and keywords (possibly behind a WAF).
After trying several payloads, one using the onbegin event handler (an SVG/SMIL animation event, so it survives filters that only know the common on* handlers) worked and the XSS executed successfully!
Made a good report, sent it to the company last month and got rewarded $$
This is a perfect example of why we should never give up when things get difficult. When you've got a lead, keep pushing until you get the reward! Here's the list of tools @_justYnot used:
Here's a list of 7 useful techniques for bypassing a WAF (Web Application Firewall) while exploiting XSS (Cross-Site Scripting) in a web application:
Check whether the firewall blocks only lowercase tags:
<sCRipT>alert(1)</sCRiPt>
Try to break the firewall's regex with a newline (\r\n), i.e. CRLF injection:
<script>%0d%0aalert(1)</script>
Try double URL-encoding (a filter that decodes once sees %22; the application decodes again and gets a double quote):
%2522
Test whether the filter is recursive: if the firewall strips the forbidden string only once, what remains after the removal can be a clean payload:
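The four tricks above all exploit the same weakness, a filter that normalises and matches in a single pass. The following is an added example, not code from the page: a toy filter that decodes once and strips a case-sensitive <script>...</script> pattern, beside a version that decodes until stable, matches case-insensitively across newlines and repeats until nothing changes. The nested payload and the fully double-encoded script block are my constructions for this demonstration (the page's own double-encoding example is the single %2522); the "browser" check is a crude stand-in that treats any surviving script block as executed.

```python
"""Why single-pass XSS filters are bypassable: the four tricks simulated (added example)."""
import re
from typing import Dict
from urllib.parse import unquote

# A crude signature of the kind a filter might use: a complete <script> block.
SCRIPT_BLOCK = r"<script>.*?</script>"


def decode(text: str, full: bool, limit: int = 5) -> str:
    """URL-decode once (naive) or until the text stops changing (hardened)."""
    if not full:
        return unquote(text)
    for _ in range(limit):  # bounded so hostile input cannot loop forever
        nxt = unquote(text)
        if nxt == text:
            break
        text = nxt
    return text


def naive_filter(payload: str) -> str:
    """One decode, one case-sensitive pass; '.' does not cross a newline."""
    return re.sub(SCRIPT_BLOCK, "", decode(payload, full=False))


def hardened_filter(payload: str) -> str:
    """Full decode, case-insensitive, DOTALL, repeated until a fixed point."""
    text = decode(payload, full=True)
    pattern = re.compile(SCRIPT_BLOCK, re.IGNORECASE | re.DOTALL)
    while True:
        nxt = pattern.sub("", text)
        if nxt == text:
            return text
        text = nxt


def browser_would_execute(forwarded: str) -> bool:
    """Stand-in for the application plus browser: the app URL-decodes once
    more, then renders; a surviving script block (any case, any whitespace)
    counts as executed."""
    rendered = unquote(forwarded)
    return re.search(SCRIPT_BLOCK, rendered, re.IGNORECASE | re.DOTALL) is not None


# The page's first two payloads verbatim; the last two constructed here.
BYPASSES = {
    "mixed case": "<sCRipT>alert(1)</sCRiPt>",
    "CRLF inside the block": "<script>%0d%0aalert(1)</script>",
    "double URL-encoding": "%253Cscript%253Ealert(1)%253C/script%253E",
    "nested (non-recursive strip)": "<scr<script>alert(1)</script>ipt>alert(1)</script>",
}


def evaluate(payload: str) -> Dict[str, bool]:
    """Does the payload survive each filter and reach the browser intact?"""
    return {
        "naive_bypassed": browser_would_execute(naive_filter(payload)),
        "hardened_bypassed": browser_would_execute(hardened_filter(payload)),
    }


if __name__ == "__main__":
    for label, payload in BYPASSES.items():
        print(f"{label:30} {evaluate(payload)}")
```

The nested case is the one the tip describes: the filter removes the inner <script>alert(1)</script> and the pieces left on either side, <scr and ipt>alert(1)</script>, close up into a working payload. Canonicalising fully and iterating to a fixed point closes these four gaps, but a strip-list like this remains a blocklist; the real fix on the application side is context-aware output encoding.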
Places worth planting a Blind XSS payload:
Password field (you never know whether the other side handles the input properly and whether your password is displayed somewhere in view mode).
Address fields of e-commerce sites.
First or last name field when making credit card payments.
The User-Agent header, set to a Blind XSS payload; this is easy to do from a proxy such as Burp Suite. There are many more cases, but we encourage you to read some public reports to see where other hackers are already applying these techniques and how you can use them in your program.
Find Google Maps API keys in JS files and endpoints across the target's domains and subdomains.