If you guys want to support the channel, you can boost using this link: https://news.1rj.ru/str/brutsecurity?boost

TryHackMe Vouchers Available
1 Months-500 INR
3 Months-1400 INR
UPI/Paypl Accepted

🚨sj (Swagger Jacker)🚨
👉A tool for auditing endpoints defined in exposed (Swagger/OpenAPI) definition files.
📥 https://github.com/BishopFox/sj/

GTFONow

Automatic privilege escalation on unix systems by exploiting misconfigured setuid/setgid binaries, capabilities and sudo permissions. Designed for CTFs but also applicable in real world pentests.

https://github.com/Frissi0n/GTFONow

🌟Subdominator🌟 is a powerful tool for passive subdomain enumeration during bug hunting and reconnaissance processes.

📥 https://github.com/sanjai-AK47/Subdominator

Jon The Discussion Group👇
https://news.1rj.ru/str/+bjrvAloQDJsxM2Fl

🌟WebCopilot🌟
👉An automation tool that enumerates subdomains then filters out xss,sqli, open redirect, lfi,ssrf and rce parameters and then scans for vulnerabilities.

📥https://github.com/h4r5h1t/webcopilot

Tryhackme Vouchers Stocked Again ✅1 Month 500 INR
✅3 Month 1400 INR ✅1 Year 4000 INR . Ping @wtf_yodhha

Public Bug Bounty Programs [Domain,Subdomain]
https://github.com/trickest/inventory

Public Bug Bounty Platforms Around The World
https://platforms.disclose.io/

Public Bug Bounty/ Penetration Testing Reports
https://github.com/reddelexc/hackerone-reports
https://github.com/juliocesarfort/public-pentesting-reports

Bug Bounty Books
https://github.com/akr3ch/BugBountyBooks
https://github.com/AnLoMinus/Bug-Bounty

Bug Bounty Youtube Channel
https://www.youtube.com/@BugBountyReportsExplained
https://www.youtube.com/@NahamSec
https://www.youtube.com/@STOKfredrik
https://www.youtube.com/channel/UCyBZ1F8ZCJVKSIJPrLINFyA
https://www.youtube.com/@InsiderPhD

Bug Bounty Hunter Twitter/Blog/etc
https://twitter.com/thedawgyg?lang=en
https://twitter.com/d00xing?lang=en
https://m0chan.github.io/
https://twitter.com/codecancare
http://ele7enxxh.com/
https://twitter.com/ele7enxxh?lang=en
https://twitter.com/orange_8361?lang=en
https://twitter.com/_godiego__?lang=en

💢 15 different methods for 2FA Bypass Techniques 💢

1. Response Manipulation
In response if "success":false
Change it to "success":true

2. Status Code Manipulation
If Status Code is 4xx
Try to change it to 200 OK and see if it bypass restrictions

3. 2FA Code Leakage in Response
Check the response of the 2FA Code Triggering Request to see if the code is leaked.

4. JS File Analysis
Rare but some JS Files may contain info about the 2FA Code, worth giving a shot

5. 2FA Code Reusability
Same code can be reused

6. Lack of Brute-Force Protection
Possible to brute-force any length 2FA Code

7. Missing 2FA Code Integrity Validation
Code for any user account can be used to bypass the 2FA

8. CSRF on 2FA Disabling
No CSRF Protection on disabling 2FA, also there is no auth confirmation

9. Password Reset Disable 2FA
2FA gets disabled on password change/email change

10. Backup Code Abuse
Bypassing 2FA by abusing the Backup code feature
Use the above mentioned techniques to bypass Backup Code to remove/reset 2FA reset restrictions

11. Clickjacking on 2FA Disabling Page
Iframing the 2FA Disabling page and social engineering victim to disable the 2FA

12. Iframing the 2FA Disabling page and social engineering victim to disable the 2FA
If the session is already hijacked and there is a session timeout vulnerbility

13. Bypass 2FA with null or 000000
Enter the code 000000 or null to bypass 2FA protection.

Steps:-
1. Enter “null” in 2FA code
2. Enter 000000 in 2FA code
3. Send empty code - Someone found this in grammarly
4. Open new tab in same browser and check if other API endpoints are accessible without entering 2FA

14. Google Authenticator Bypass Steps:-
1) Set-up Google Authenticator for 2FA
2) Now, 2FA is enabled
3) Go on password reset page and change your password
4) If you are website redirect you to your dashboard then 2FA (Google Authenticator) is bypassed

15. Bypassing OTP in registration forms by repeating the form submission multiple times using repeater
Steps :-
1) Create an account with a non-existing phone number
2) Intercept the Request in BurpSuite
3) Send the request to the repeater and forward
4) Go to Repeater tab and change the non-existent phone number to your phone number
5) If you got an OTP to your phone, try using that OTP to register that non-existent number.