Google Dork - XSS Prone Parameters 🔥
site:example[.]com inurl:q= | inurl:s= | inurl:search= | inurl:query= | inurl:keyword= | inurl:lang= inurl:&
⌨️
wget -r --no-parent -R "index.html*" wordlists-cdn.assetnote.io/data/ -nH -e robots=off
owasp-noir.github.io
OWASP Noir
Hey Hunters,
DarkShadow here, back again!
SSRF in PDF generation!
This API endpoint sends the PDF generation request:
POST /api/v1/convert/markdown/pdf
Add this payload:
<img src='burp collab url' />
It comes back 200 OK and a request hits Burp Collaborator.
You can follow me on x.com/darkshadow2bd
#ssrf #bugbountytips
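The defender's side of the finding above, as an added example that is not part of DarkShadow's post: a markdown-to-PDF converter turns every image reference into a server-side fetch, so the renderer needs an allow-list policy for image sources before it touches the network. The Python below is constructed for this demonstration; the converter, the injected resolver interface, the sample markdown and the DNS table are assumptions, and only the endpoint path comes from the post.

```python
"""Defensive image-source policy for a markdown-to-PDF converter.

Added example, not code from the post or from any real converter. The
endpoint from the post (POST /api/v1/convert/markdown/pdf) renders
caller-controlled markdown, so every image fetch is a server-side request.
The resolver is injected so the policy can be tested offline; the sample
markdown and the DNS table below are constructed.
"""
import ipaddress
import re
from typing import Callable, List, Optional, Tuple
from urllib.parse import urlparse

Resolver = Callable[[str], List[str]]

# Markdown images ![alt](src ...) and raw HTML <img ...> tags.
_IMG_MD = re.compile(r"!\[[^\]]*\]\(([^)\s]+)[^)]*\)")
_IMG_HTML = re.compile(r"<img\b[^>]*>", re.IGNORECASE)
_SRC_ATTR = re.compile(r"\bsrc\s*=\s*['\"]?([^'\"\s>]+)", re.IGNORECASE)

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {None, 80, 443}


def is_public_address(ip: str) -> bool:
    """True only for globally routable unicast addresses: rejects RFC 1918,
    loopback, link-local (including the 169.254.169.254 metadata endpoint),
    multicast and unspecified addresses."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_global and not addr.is_multicast


def is_safe_image_url(url: str, resolve: Resolver) -> bool:
    """Return True if the converter may fetch `url`.

    In production the fetcher must connect to the same addresses that were
    checked here (pin them); otherwise DNS rebinding between check and use
    defeats the policy.
    """
    parts = urlparse(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False  # file://, gopher://, data: and friends
    if not parts.hostname or parts.username or parts.password:
        return False  # no userinfo tricks such as http://good.example@evil
    try:
        if parts.port not in ALLOWED_PORTS:
            return False  # keep the renderer off internal service ports
    except ValueError:
        return False  # malformed port
    try:
        addresses = [str(ipaddress.ip_address(parts.hostname))]  # literal IP
    except ValueError:
        addresses = resolve(parts.hostname)
    return bool(addresses) and all(is_public_address(a) for a in addresses)


def filter_markdown(markdown: str, resolve: Resolver) -> Tuple[str, List[str]]:
    """Remove image references that fail the policy before rendering.
    Returns the cleaned markdown and the list of blocked sources."""
    blocked: List[str] = []

    def keep_if_safe(src: Optional[str], original: str) -> str:
        if src is not None and is_safe_image_url(src, resolve):
            return original
        blocked.append(src if src is not None else original)
        return ""

    def html_src(tag: str) -> Optional[str]:
        m = _SRC_ATTR.search(tag)
        return m.group(1) if m else None

    cleaned = _IMG_MD.sub(lambda m: keep_if_safe(m.group(1), m.group(0)), markdown)
    cleaned = _IMG_HTML.sub(lambda m: keep_if_safe(html_src(m.group(0)), m.group(0)), cleaned)
    return cleaned, blocked


# Constructed sample document and DNS table (assumptions for the demo).
SAMPLE_MARKDOWN = """# Quarterly report
![logo](https://cdn.example.com/logo.png)
<img src='http://169.254.169.254/latest/meta-data/' />
![chart](http://internal-dashboard/chart.png)
"""
FAKE_DNS = {
    "cdn.example.com": ["93.184.216.34"],  # constructed public address
    "internal-dashboard": ["10.0.0.5"],    # constructed RFC 1918 address
}


def fake_resolve(hostname: str) -> List[str]:
    """Stand-in for DNS; a real deployment resolves and pins the answers."""
    return FAKE_DNS.get(hostname.lower(), [])


if __name__ == "__main__":
    cleaned, blocked = filter_markdown(SAMPLE_MARKDOWN, fake_resolve)
    print("blocked:", blocked)
    print(cleaned)
```

The policy is only half of the fix: the HTTP client behind the renderer also has to refuse redirects to non-public hosts and connect to the pinned addresses, and where the product does not need remote images at all, disabling external resource loading in the renderer removes the whole class.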
Forwarded from Brut Security (Saumadip Mandal)
Attachment: breaking_into_cyber_security_successfully.pdf (1.6 MB)
Hey Hunters,
DarkShadow here, back again!
If I ask you, "What attacks have you tried on a login page?", you might tell me: SQLi, XSS, common CVEs, auth bypass, leaked credentials, etc. Right!?
But these are commonly used by everyone. So think differently and try unique and most underestimated attacks like a pro. Here I give 10 methods that I use to find vulnerabilities in login portals during my bug bounty hunting:
1. Read the JS; if they use prototypes, then try to pollute the proto. If possible, this might give you admin access or a DoS attack.
2. If you find an admin login page, then obviously there is a high chance that an admin registration page exists too, so try to find the admin registration page (using fuzzing, critical path leaks in JS files, etc.) and register a new admin!
3. Okay, if there is a login portal, then why not look for a forgot-password vulnerability!
Now reset the password with Host header injection. You might get a password reset URL with your domain name!
4. Look at the login page cookie header value; if a token is available, then try JWT vulnerabilities. If possible, this gives you admin access.
5. If you use forgot password and get a valid OTP, enter the OTP and copy the response. Then try forgot password again on the victim's mail address, enter an invalid OTP, intercept the response and paste the previous response. This response manipulation might work for auth bypass.
6. Try the business logic flow! Register as a normal user, then grab the username and delete the user. Now try to register using the same username. If the web application blocks you from registering, it means the user was deleted but the username still exists in the database. So now you can create broken links, and if possible even block usernames like admin, ceo, Domain_name etc.
7. You can try another logic flow bug: reset the password and you get an OTP in your mail or number, right? Now enter the OTP, but wait: before sending the request with the OTP, intercept it and change the mail or number parameter value to the victim's mail or number. If it is vulnerable, then auth is bypassed.
8. Try custom headers like X-Forwarded-For, X-Cluster-Client-IP, X-Originating-IP, X-Forwarded-Server etc. with the value 127.0.0.1. High chance to bypass the auth!
9. Try to bypass auth using a punycode attack. For example, register with a mail like àtteçker@mail.com, then try to register again with a mail like attacker@mail.com. If the website blocks it, it means it's vulnerable to account takeover, because it considers both the same mail address, so now you can send the password reset link to your attacker@mail.com and access the àttaçker@mail account. (This is not the only way to do the attack; there are multiple ways to do it.)
10. Try to make a new vulnerability!!! When sending the login username and password, add a newline like \n, and now you can try your custom payloads for SQLi, command injection etc., because now the firewall possibly doesn't check the next line and you can try all types of attacks.
There are many more unique attacks available, but for demonstration I share only a few attacks.
So guys, if you really love reading DarkShadow's methodologies, show your love and you can follow me on my X account x.com/darkshadow2bd
#bugbountytips #method
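As an added example that is not part of DarkShadow's post, here is the server-side design that closes tips 7 and 9 above: the account store compares addresses by a key that keeps accented and plain letters distinct, and the reset flow delivers to the address on record rather than to whatever string the request names. The Python is constructed for this demonstration; the store, the function names and the sample addresses are assumptions, not any real framework's API. It goes slightly beyond the post by also showing the lossy accent-stripping comparison as the weak option, so the two behaviours can be compared side by side.

```python
"""Keeping registration and password reset consistent about which e-mail
address an account owns.

Added example, not code from the post; the account store, field names and
sample addresses are constructed. Two keys are shown: `canonical_email`,
which keeps accented and plain letters distinct, and `strip_accents_key`,
a stand-in for the lossy comparison described in tip 9. With either key the
reset is delivered to the stored address, never to the string the requester
typed, which is also the fix for the parameter swap in tip 7.
"""
import unicodedata
from typing import Callable, Dict, Optional


def canonical_email(addr: str) -> str:
    """Comparison key: NFKC-normalised, local part case-folded (a policy
    choice; RFC 5321 allows case-sensitive local parts), domain converted to
    its ASCII/punycode form. Used only for lookups, never for delivery."""
    addr = unicodedata.normalize("NFKC", addr.strip())
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("not an e-mail address")
    domain_ascii = domain.encode("idna").decode("ascii").lower()
    return f"{local.casefold()}@{domain_ascii}"


def strip_accents_key(addr: str) -> str:
    """The lossy comparison some applications use: decompose and drop
    combining marks, so 'àttaçker' and 'attacker' collide. Shown here as
    the weak option, not a recommendation."""
    decomposed = unicodedata.normalize("NFKD", addr.strip())
    return "".join(c for c in decomposed if not unicodedata.combining(c)).casefold()


class AccountStore:
    """Constructed in-memory account store keyed by a comparison function."""

    def __init__(self, key_func: Callable[[str], str] = canonical_email) -> None:
        self.key_func = key_func
        self._accounts: Dict[str, Dict[str, str]] = {}

    def register(self, email: str) -> str:
        key = self.key_func(email)
        if key in self._accounts:
            raise ValueError("address already registered")
        # Store the address exactly as verified; the key is only an index.
        self._accounts[key] = {"email": email}
        return key

    def request_password_reset(self, submitted: str) -> Optional[str]:
        """Return the address the reset link would be sent to, or None.
        The caller should respond identically in both cases so the endpoint
        does not reveal whether an account exists."""
        account = self._accounts.get(self.key_func(submitted))
        if account is None:
            return None
        return account["email"]  # delivery goes to the address on record


if __name__ == "__main__":
    strict = AccountStore()
    strict.register("àttaçker@mail.com")
    strict.register("attacker@mail.com")  # distinct account under the strict key
    print(strict.request_password_reset("attacker@mail.com"))

    lossy = AccountStore(key_func=strip_accents_key)
    lossy.register("àttaçker@mail.com")
    try:
        lossy.register("attacker@mail.com")  # collides under the lossy key
    except ValueError as exc:
        print("lossy store:", exc)
    # Even so, the reset for the colliding string reaches the real owner.
    print(lossy.request_password_reset("attacker@mail.com"))
```

The same rule applies to the OTP step in tip 7: the address or number an OTP was issued for belongs in server-side state tied to the reset session, not in a client-supplied parameter that is read back when the OTP is verified.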
ext:txt | ext:pdf | ext:xml | ext:xls | ext:xlsx | ext:ppt | ext:pptx | ext:doc | ext:docx
intext:"confidential" | intext:"Not for Public Release" | intext:"internal use only" | intext:"do not distribute" site:example[.]com
CVE-2025-9079: Path Traversal in Mattermost, 8.0 rating❗️
A vulnerability in some versions of Mattermost allows attackers to execute arbitrary code via a malicious plugin.
Search at Netlas.io:
👉 Link: https://nt.ls/gCXcr
👉 Dork: http.noscript:"mattermost"
Vendor's advisories: https://mattermost.com/security-updates/
Developer's VS Penetration tester's 💀
Password Resets via Forged JWT Tokens