BountyTricks

Sharing Bug Bounty tips and tricks with the community including but not limited to automation, one liners and useful thoughts

Syllabus

πŸ’‚β€β™‚οΈ Misc

  • Regex Validator
  • Homograph Generator
  • Shodan-Scripts
  • HTTP Headers
  • MIME Types
  • Reverse-Proxies
  • Writeups
  • HTTP Request Smuggling

  • GitHub local recon - usage: gitsecrets "word" | gf pattern
gitsecrets(){
  # Collect object IDs from every packfile index, then from every loose object
  # (skipping pack/ and info/), print each object and grep it for the pattern in $1.
  { find .git/objects/pack/ -name "*.idx" | while read -r i; do git show-index < "$i" | awk '{print $2}'; done;
    find .git/objects/ -type f | grep -Ev '/(pack|info)/' | awk -F'/' '{print $(NF-1)$NF}'; } \
    | while read -r o; do git cat-file -p "$o"; done | grep -E "$1"
}
  • ffuf on many files - each -w file:KEYWORD binds a wordlist to its own keyword, so the host list fills URL and the path list fills FUZZ:
ffuf -u URL/FUZZ -w allipstoffuf:URL -w ~/.config/wordlists/envpath:FUZZ -maxtime 300 -t 500 -c -v

πŸ’‚β€β™‚οΈ Private Nuclei templates

  • SSRF nuclei template - feed it endpoints to probe for SSRF interaction automatically: the template first tries to obtain a simple interaction using the provided input as-is, and then appends common SSRF query parameters to the original request.

Sample:

echo "https://checkout.stripe.com/api/color?image_url=" | nuclei -t ssrf.yaml 


Tips & Tricks from the wild

  • WAF bypass by changing scheme:
http://web.com/?XSSendpoint ===> no WAF
https://web.com/?XSSendpoint ===> WAF implemented

Subdomain Reconnaissance

Root Domains

  • Google Dorks:
Root Domains - "org" subsidiaries
intext: credit company
  • Amass
1. Get the company's ASNs - amass intel -org DoD
2. Turn ASNs into CIDRs - whois -h whois.radb.net -- "-i origin $asn" | grep -Eo "([0-9.]+){4}/[0-9]+" | sort -u >> $recondir/cidr
3. Get TLDs from an ASN - amass intel -asn $asn
4. Get TLDs from whois data - amass intel -whois -d TLD (facebook.com)
5. Get TLDs from a CIDR - amass intel -cidr xxxxxx/23
  • CIDR to hostnames
prips 144.160.32.0/19 | hakrevdns -d | httpx -title -status-code -follow-redirects
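Steps 2 and 5 above, and the CIDR-to-hostnames pipeline, all hinge on turning whois output into a clean prefix list; the grep on the page (`([0-9.]+){4}/[0-9]+`) matches any dotted number followed by a slash, so a stray token in a descr: line ends up in $recondir/cidr. The Python below is an added example and not BountyTricks code: it parses only the route:/route6: fields of RADB output, validates each prefix, and expands a prefix into host addresses the way prips does, with a cap so a mistyped /8 does not flood the tools downstream. The sample whois text is constructed, using AS64496 and documentation-reserved ranges.

```python
import ipaddress
import re

# Constructed sample of what `whois -h whois.radb.net -- "-i origin AS64496"` might return.
# AS64496 and the prefixes are reserved for documentation; nothing here is a real network.
SAMPLE_RADB = """\
route:          192.0.2.0/24
descr:          Example network 10.0.0.0/8 is mentioned in free text here
origin:         AS64496
source:         RADB

route:          198.51.100.0/25
origin:         AS64496
source:         RADB

route:          192.0.2.0/24
origin:         AS64496
source:         RADB

route6:         2001:db8::/32
origin:         AS64496
source:         RADB
"""

# Key on the route:/route6: attribute, not on "anything that looks like a.b.c.d/n".
ROUTE_RE = re.compile(r"^route6?:\s*(\S+)\s*$", re.MULTILINE)


def cidrs_from_radb(text):
    """Return the unique, syntactically valid prefixes announced in RADB output.

    Duplicate route objects collapse into one entry; malformed prefixes are skipped
    instead of being passed on to amass/prips as garbage.
    """
    found = set()
    for token in ROUTE_RE.findall(text):
        try:
            found.add(ipaddress.ip_network(token, strict=True))
        except ValueError:
            continue
    # IPv4 before IPv6, then numeric order, so the output is stable between runs.
    return sorted(found, key=lambda n: (n.version, int(n.network_address)))


def hosts_in(cidr, limit=None):
    """Expand a prefix into host addresses (what `prips` does), optionally capped."""
    net = ipaddress.ip_network(cidr, strict=False)
    out = []
    for i, host in enumerate(net.hosts()):
        if limit is not None and i >= limit:
            break
        out.append(str(host))
    return out


if __name__ == "__main__":
    for net in cidrs_from_radb(SAMPLE_RADB):
        print(net)
    # A /29 has six usable hosts; a /8 would have 16 million, hence the limit.
    print(hosts_in("198.51.100.0/29"))
    print(hosts_in("10.0.0.0/8", limit=3))
```

Pipe real whois output into `cidrs_from_radb` (for example `subprocess.run([...], capture_output=True, text=True).stdout`) and the descr: mention of 10.0.0.0/8 in the sample shows why keying on the attribute name matters: the page's grep would have added it to the CIDR file.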

πŸ’‚β€ H1 Disclosed Reports analysis

  • Takeaway: fuzz with certain characters such as \u0000 to try and trigger verbose regex errors.
  • Takeaway: if a company does not require email address verification and automatically generates support tickets, try signing up with noreply@github.com.
  • Takeaway: whenever an authenticity_token is present on requests, validate whether the value is actually processed in the back end.
  • Takeaway: try (((((()0))))) when fuzzing POST requests.
  • IDOR on Steam ID cookie - a POST request carrying the victim's steamid cookie value performed the action on the victim's behalf.
    Takeaway: swap identifiable cookie values between lateral accounts.
  • Takeaway: look through the org's public repos for Bitbucket content.
  • Takeaway: when fuzzing a Java application, try inserting code injection queries like ${T(java.lang.System).getenv()}.
  • Takeaway: when supplying an org name, check the behaviour when a " " (space) is added to its name.
  • Takeaway: tampering with the Host header in situations that involve caching; appending a port to the host can cause DoS.
  • Takeaway: go through the "main.slug.js" files and look for API keys; this one looks like the Google Maps one (AI....).
  • Takeaway: look for websites that have a bucket like https://s3.amazonaws.com/BUCKETNAME and try running aws s3 ls BUCKETNAME.
  • Takeaway: check each step of the password reset flow for missing rate limiting; this could even be a third step after clicking the emailed link, allowing phase 2 to be skipped.
  • Takeaway: on admin / custom-made login panels, check the source code for leaks, including passwords.
  • Takeaway: %27||/**/(case%20when(/*%c3*/length/*%c3*/(user)=5)then/**/(1)else(1/0)end)||%27
  • Takeaway: change the scope parameter to an arbitrary file and see if the redirect_url will redirect to an external domain.
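The "API keys in main.slug.js" and "leaks in login panel source" takeaways are, from the defending side, a secret-scanning problem on your own shipped front-end: the same patterns a reporter greps for can run in CI before the bundle goes out. The scanner below is an added Python example, not BountyTricks code. The bundle text, the AIza... key and the password in it are constructed fakes; the first rule assumes the well-known Google API key shape (AIza followed by 35 URL-safe characters, which is what the page's "AI...." hint refers to), and the second is a generic hard-coded-credential assignment pattern.

```python
import re

# Constructed sample of a minified front-end bundle. The key and password are fake
# values shaped like real ones so that the rules have something to match.
SAMPLE_BUNDLE = """\
var cfg={api:"https://api.example.test/v1",mapsKey:"AIzaSyA1B2C3D4E5F6G7H8I9J0K1L2M3N4O5P6R",
debug:false};const adminPassword = "Winter2021!";function f(){return cfg.mapsKey}
"""

# (rule name, compiled pattern, capture group holding the secret value)
RULES = [
    # Google API keys: "AIza" + 35 characters from [0-9A-Za-z_-].
    ("google_api_key", re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b"), 0),
    # An identifier containing password/passwd/pwd assigned a string literal of 4+ chars.
    ("hardcoded_password",
     re.compile(r"\b(\w*(?:password|passwd|pwd)\w*)\s*[:=]\s*[\"']([^\"']{4,})[\"']",
                re.IGNORECASE),
     2),
]


def scan_bundle(text):
    """Run every rule over the bundle and report rule, 1-based line and matched value."""
    findings = []
    for name, pattern, group in RULES:
        for m in pattern.finditer(text):
            line_no = text.count("\n", 0, m.start()) + 1
            findings.append({"rule": name, "line": line_no, "value": m.group(group)})
    return findings


def redact(value, keep=4):
    """Mask a finding for logs/tickets so the scanner itself does not leak the secret."""
    return value[:keep] + "*" * max(0, len(value) - keep)


if __name__ == "__main__":
    for f in scan_bundle(SAMPLE_BUNDLE):
        print(f"{f['rule']} at line {f['line']}: {redact(f['value'])}")
```

Run it over the built assets directory in CI and fail the build on any finding; the redact helper exists because a scanner that prints the full key into build logs just moves the leak somewhere else.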
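For the password-reset takeaway, the defensive counterpart is a limiter keyed on every step of the flow rather than only on the first one. The Python below is an added example and not from the original page: it shows the weak configuration (only step 1 limited) beside the corrected one (steps 1, 2 and 3 all limited) and demonstrates that with the weak setting the third step accepts unlimited attempts. The step numbering, the limit of 5 attempts per 60 seconds and the identifier are assumptions made for the demonstration.

```python
from collections import defaultdict, deque


class StepRateLimiter:
    """Sliding-window counter keyed on (step, identifier).

    Each protected step gets its own budget of `limit` attempts per `window` seconds;
    steps not listed in `protected_steps` are let through unconditionally, which is
    exactly the gap the takeaway describes.
    """

    def __init__(self, limit, window, protected_steps):
        self.limit = limit
        self.window = window
        self.protected_steps = set(protected_steps)
        self._hits = defaultdict(deque)

    def allow(self, step, ident, now):
        if step not in self.protected_steps:
            return True  # unprotected step: no budget is consulted at all
        q = self._hits[(step, ident)]
        # Drop attempts that have aged out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def simulate(limiter, step, ident, attempts):
    """Count how many of `attempts` back-to-back tries at `step` get through
    (all inside one window: 10 ms apart)."""
    return sum(1 for i in range(attempts) if limiter.allow(step, ident, now=i * 0.01))


# Constructed scenario: step 1 = request the reset email, step 2 = submit the emailed
# token, step 3 = set the new password using the token carried in the confirmation URL.
WEAK = StepRateLimiter(limit=5, window=60, protected_steps={1})
FIXED = StepRateLimiter(limit=5, window=60, protected_steps={1, 2, 3})

if __name__ == "__main__":
    victim = "victim@example.test"  # assumed identifier
    print("weak, step 3 :", simulate(WEAK, 3, victim, 1000), "of 1000 allowed")
    print("fixed, step 3:", simulate(FIXED, 3, victim, 1000), "of 1000 allowed")
```

Key the identifier on whatever the step actually authenticates against (the account for step 1, the token for steps 2 and 3) so that the budget follows the thing being guessed rather than the client IP alone.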

Disclaimer

Some of the one-liners or data presented might be taken from other repos and were tampered with by me; I only share here stuff I use regularly or encountered in the last year. If you find here anything that was originally crafted by you, lemme know and I'll credit you.