Hey Hunter's,
DarkShadow here back again!
If I ask you, "what attacks have you tried on a login page?", you might tell me: SQLi, XSS, common CVEs, auth bypass, credential leaks etc., right!?
But these are commonly used by everyone. So think differently and try unique and underestimated attacks like a pro. Here I give 10 methods that I use to find vulnerabilities in login portals during my bug bounty hunting:
1. Read the JS; if they use prototypes, then try to pollute the proto. If possible, it might give you admin access or a DoS attack.
2. If you find an admin login page, then obviously there is a high chance that an admin registration page also exists, so try to find the admin registration page (using fuzzing, critical path leaks from JS files, etc.) and register a new admin!
3. Okay, if a login portal comes up, then why not look for a forgot-password vulnerability!
Okay, now reset the password with host header injection. You might get a reset password URL with your domain name!
4. See the login page cookie header value; if a token is available, then try JWT vulnerabilities. If possible, this gives you admin access.
5. If you use forgot-password and get a valid OTP, enter the OTP and copy the response. Now, another time, try forgot-password on the victim's mail address and enter an invalid OTP, intercept the response and paste the previous response. This response manipulation might work for auth bypass.
6. Try the business logic flow! Register as a normal user, now grab the username. And delete the user. Now try to register using the same username. If the web application blocks you from registering, it means the user was deleted but the username still exists in the database. So now you can create broken links, and even, if possible, block usernames like admin, ceo, Domain_name etc.
7. You can try another logic flow bug: reset the password, and you get an OTP in your mail or number, right? Now enter the OTP, but wait: before sending the request with the OTP, intercept it and change the mail or number parameter value to the victim's mail or number, and if vulnerable, then auth is bypassed.
8. Try custom headers like X-Forwarded-For, X-Cluster-Client-IP, X-Originating-IP, X-Forwarded-Server etc. with the value 127.0.0.1. High chance to bypass the auth!
9. Try to bypass auth using a punycode attack. Like, register with a mail like àtteçker@mail.com, now try to register again with a mail like attacker@mail.com; if the website blocks it, it means it's vulnerable to account takeover, because it considers both the same mail address, so now you can send the password reset link to your attacker@mail.com and access the àttaçker@mail account. (This is not the only way to do the attack, there are multiple ways to do it)
10. Try to make a new vulnerability!!! When sending the login username and password, add a newline like \n, and now you can try your custom payloads for SQLi, command injection etc., because now possibly the firewall does not check the next line and you can now try all types of attacks.
There are many more unique attacks available, but for demonstration I share only a few attacks.
So guys, if you really love to read DarkShadow's methodologies, show your love and you can follow me on my X account x.com/darkshadow2bd
#bugbountytips #method
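The look-alike address collision from tip 9, as an added example that is not part of the original post: a lookup that matches accent-stripped addresses and mails the submitted one (the bug described) beside a hardened version that matches on the exact Unicode form and only ever mails the address on record. The account store and the addresses are constructed for the demo.

```python
import unicodedata

# Constructed user store (modelled on the post's example pair; not real accounts).
# The stored address keeps its exact Unicode spelling.
ACCOUNTS = {"\u00e0tta\u00e7ker@mail.com": {"id": 42}}


def _split(addr: str):
    local, _, domain = addr.strip().rpartition("@")
    return local, domain.casefold()  # domains are case-insensitive


def loose_key(addr: str) -> str:
    """Accent-stripping, case-insensitive key: 'a' and 'à' compare equal.
    Acceptable for a 'name already taken' check, never for ownership."""
    local, domain = _split(addr)
    decomposed = unicodedata.normalize("NFKD", local)
    base = "".join(c for c in decomposed if not unicodedata.combining(c))
    return f"{base.casefold()}@{domain}"


def strict_key(addr: str) -> str:
    """Ownership key: NFC so composed and decomposed spellings of the same
    character match, but accents are kept, so 'à' != 'a'."""
    local, domain = _split(addr)
    return f"{unicodedata.normalize('NFC', local)}@{domain}"


def vulnerable_reset(submitted: str):
    """The bug in the post: match loosely, then mail the *submitted* address."""
    for stored, rec in ACCOUNTS.items():
        if loose_key(stored) == loose_key(submitted):
            return {"account": rec["id"], "send_to": submitted}
    return None


def hardened_reset(submitted: str):
    """Match on the strict key and always mail the address on record."""
    for stored, rec in ACCOUNTS.items():
        if strict_key(stored) == strict_key(submitted):
            return {"account": rec["id"], "send_to": stored}
    return None


def registration_allowed(candidate: str) -> bool:
    """Refuse look-alike sign-ups; this answers only yes/no and never
    ties the candidate to an existing account."""
    return all(loose_key(candidate) != loose_key(s) for s in ACCOUNTS)
```

With this split, blocking the look-alike registration no longer implies that a reset for `attacker@mail.com` can reach the `àttaçker@mail.com` account.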
ext:txt | ext:pdf | ext:xml | ext:xls | ext:xlsx | ext:ppt | ext:pptx | ext:doc | ext:docx
intext:"confidential" | intext:"Not for Public Release" | intext:"internal use only" | intext:"do not distribute" site:example[.]com
CVE-2025-9079: Path Traversal in Mattermost, 8.0 rating❗️
A vulnerability in some versions of Mattermost allows attackers to execute arbitrary code via a malicious plugin.
Search at Netlas.io:
👉 Link: https://nt.ls/gCXcr
👉 Dork: http.noscript:"mattermost"
Vendor's advisories: https://mattermost.com/security-updates/
Developers vs Penetration testers 💀
Password Resets via Forged JWT Tokens
Happy Durga Puja to all Brut Security members! May Maa Durga bless you with strength, wisdom, and protection in every battle you fight, both in life and in cyberspace. 😇 😇 😇
Hey Hunter's,
Darkshadow here back again, just dropping another SSRF!
Look at this SSRF in exif.tools that I got. Interesting but not impactful. But still, it's confirmed that SSRF is present.
✨Tip:
1️⃣ If the server made an unauthenticated HTTP request and somehow you see the HTTP response content, that means critical SSRF
2️⃣ If it does not show any HTTP response content, that means blind SSRF, medium severity
#bugbountytips #ssrf
🌸 Happy Bijaya Dashami 🌸
From the Brut Security family, wishing you all joy, peace, and success on this special day of Bijaya Dashami.
As Maa Durga returns to her divine abode, may her blessings bring strength, wisdom, and prosperity into your life.
🆘 November Batch Enrollment is Now Open!
For all beginners and wanna-learners, we’re starting fresh batches for:
•bPEH (Brut Practical Ethical Hacking)
•bPWA / bPBB (Brut Practical Web Pentesting & Bug Bounty)
🎓 Special student discounts are available.
👉 Seats are limited, so do enroll early!
♾ wa.link/brutsecurity or +918945971332
domains.txt
🌀Download all bug bounty programs domains in scope items 🎯
😉Get a full list of domains from active bug bounty programs across platforms like HackerOne, Bugcrowd, Intigriti, and more – all in one place!💥
👇🏼Step 1: Download the domains.txt file
📂step 2: Extract only main/root domains
`awk -F '.' '{print $(NF-1)"."$NF}' domains.txt | grep -Eo '([a-zA-Z0-9-]+\.)+[a-zA-Z]{2,}' | sort -u > main_domains`
📂Step 3: Extract all IP addresses:
`grep -Eo '\b([0-9]{1,3}\.){3}[0-9]{1,3}\b' domains.txt > ips.txt`
Don't forget to give reactions❤️
Hey hunters,
DarkShadow here back again!
🔥SSTI to RCE in URL 💀
POC:
target.com/docs/1.0/123 = not found.
so i tried:
target.com/docs/1.0/?123 = now it's reflecting in the source code like /docs/1.0/?123#
so i tried again:
target.com/docs/1.0/?{{7*7}} = /docs/1.0/?49#
and it worked! The SSTI payload executed here😏
after researching a while, code injection was done by /docs/1.0/?{{phpinfo()}}
so guys, always try to be unique and different. And if you guys really love to read my bug bounty methodologies then follow me on X x.com/darkshadow2bd
#ssti #bugbountytips
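From the defender's side, the probe sequence above leaves a clear trail in access logs: a query string that carries a template expression and is echoed back. As an added example (not part of the original post), this scans constructed combined-log lines for template-expression shapes, undoing repeated percent-encoding first so `%7B%7B` and `%257B%257B` both surface.

```python
import re
from urllib.parse import unquote, urlsplit

# Expression delimiters used by common template engines: {{ }}, ${ }, <% %>, #{ }, {% %}
TEMPLATE_EXPR = re.compile(r"\{\{.*?\}\}|\$\{.*?\}|<%.*?%>|#\{.*?\}|\{%.*?%\}")
# Request part of a combined-format log line: "METHOD target HTTP/x.y" status
LOG_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

# Constructed sample log, mirroring the probe order described in the post.
SAMPLE_LOG = [
    '203.0.113.5 - - [03/Oct/2025:10:00:01 +0000] "GET /docs/1.0/?123 HTTP/1.1" 200 512',
    '203.0.113.5 - - [03/Oct/2025:10:00:02 +0000] "GET /docs/1.0/?%7B%7B7*7%7D%7D HTTP/1.1" 200 512',
    '203.0.113.5 - - [03/Oct/2025:10:00:03 +0000] "GET /docs/1.0/?%257B%257Bphpinfo()%257D%257D HTTP/1.1" 200 2048',
    '198.51.100.7 - - [03/Oct/2025:10:00:04 +0000] "GET /docs/1.0/intro HTTP/1.1" 200 812',
]


def decode_fully(s: str, rounds: int = 3) -> str:
    """Percent-decode until stable (bounded), so double encoding is not a bypass."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def find_template_injection(line: str):
    """Return details of a template expression in the request target, or None."""
    m = LOG_LINE.search(line)
    if not m:
        return None
    parts = urlsplit(decode_fully(m.group("target")))
    # Fragments never reach the server, so only path and query are inspected.
    haystack = parts.path + ("?" + parts.query if parts.query else "")
    hit = TEMPLATE_EXPR.search(haystack)
    if not hit:
        return None
    return {"expr": hit.group(0), "path": parts.path, "status": int(m.group("status"))}


def scan(lines):
    """Collect every line that carries a template expression."""
    return [r for r in (find_template_injection(l) for l in lines) if r]
```

A 200 response to such a request is only a hint; confirming actual evaluation still needs the response body, but these lines are the ones worth pulling it for.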