#bug-bounty
Ok
Yeah and the big taxes on it
...big taxes?
In most countries it should be taxed as income just the same as job income would be because you're effectively self employed here
In my country it's 50% tax on it
Well a) I'd talk to an accountant about that and b) You can't speak for any countries other than your own there, it's important to understand that and mark it as "in my country" rather than just saying it's for bug bounty
My bad, the people I talked to and the people I heard from in confessions/meetings/YouTube and podcasts who did bug bounty all said that they needed to pay high taxes on it; when I did some bug bounty, I also needed to pay high taxes on it. So I thought it was generally high.
If it's on top of other income, it's likely to be taxed highly. That's because of how bracketed tax works
Is there going to be any dedicated BUG BOUNTY path on THM in future ?
I'm not THM so I can't say yes or no.
To me, it does seem a little redundant as it's 90% web hacking so there would be a lot of overlap.
Ok. Thanks for your time.
Gave +1 Rep to @vocal folio
Try harder
Nop, you need to show the impact, "As an attacker I can..."
Is it possible to search for local bugs without source code?
e.g. code execution and file inclusion
Imo the best way is trying to invoke errors to leak some source code
managed to leak several credentials and a master password once
I was checking some bug bounty programs and these rewards are a joke. Anyone that can break your system that can cost you $1 million in damages deserves at least 10% of that amount. No wonder more and more people are going dark and selling bugs to malicious groups for crypto. I never even learned anything about bug bounty although I was introduced to XSS several years ago as a concept, but being rewarded $1-5k per bug seems like a joke, especially for critical bugs lol
I still can't believe a billion $ companies offer such low prizes this is insane lol.
Usually if you build up a reputation through BB platforms you can get invited to private bounties that pay more
wait till you see VDPs
in my experience on h1, private bounties rarely pay more
what a joke, they deserve the attacks if they cheap out on security tbh
yeah
they don't pay
because they go off the fact researchers want reputation for bragging rights and more invites to private programs
the shock for me was knowing a decent mid-sized company that has 2 security professionals - one of them is Dev Security Operations and the other is code security review and pen testing etc. These guys take home $100k+ yearly while this company's turnover is just $million a year, and if they fire these 2 guys they save $200k+, but it shows they care about their users,
compare that to the rewards from billion dollar companies it seems like a joke I am still in disbelief lol π
It depends on multiple factors, you wouldn't really get 100k that easily but some pretty respectable bounties have been given. Tho this is not always true. E.g. Epic is considered to have a really well-paying program but awarded an acquaintance of mine 2k for a one-click client RCE
Hello Is there anyone online.
I'm sure there are a lot online if you look at the member list, just ask your question instead of asking if someone's online
Qualifications required for Pentest+
None
Hi, how can I do a bug bounty for anyone?
hackerone
bugcrowd, synack
https://www.comptia.org/certifications/pentest not hard to look up
what specifically do you guys use your vps for?
when shadow had a vps..... the obvious game server for people to play on for a decently big discord server
You could use it like a proxy or for heavy tasks like hash cracking
dunno about the hash cracking on a VPS as those don't tend to have GPUs or very good CPUs either
unless you count Google's Colabcat which is basically hashcat in the cloud
Yeah, fair
Hash cracking requires a decent system
And i haven't tried it myself remotely but i have definitely seen instances of it
hm
but bug-bounty wise? like e.g. active subdomain scan, content discovery.....
What's a vuln called when you can overwrite a url content using e.g. a username?
when a webserver has a page at website.com/help and it has user profiles at website.com/USERNAME, but you can make your username help
so website.com/help points to your profile
Hilarious, that's the name
I'm curious if anyone can offer insight into how blue teams/SOCs handle increased traffic when their company joins a bug bounty program. I've done a bit of research into this but I'm wondering if anyone has any personal experience they can share.
could you create a username such as .htaccess
what's the website running on
Flask
No proxies AFAIK
I also have arbitrary file write but I don't think I can escalate that to RCE
well
any templated files
if debug mode is enabled on flask
you could try get RCE
but unlikely
hm let me check
well it is a ctf, kind of
oh not a bbp?
was asking here because there aren't any "webexp" channels
nope
I see
yeah try overwriting index.html with a payload such as {{7*7}}
see if the file is updated
if it is, easy RCE
ah nvm I think I found the way to rce
has to do with another attack vector. thanks for explaining that flask debug vuln, though
nah, I do think it was intended because it had to do with files, and those with a filename without a . were writable/readable in combination with path traversal. it happened there was a "stallable" /bin/sh proc as well
ended up making an exploit script that wrote and extracted file descriptors of that /bin/sh proc
wdym by stallable?
it's waiting for input
otherwise the process would've been terminated
I made it wait by doing a few tricks
you want burpsuite to listen to an outside connection? like someone just opening on the website?
Nvm what I said I can still bypass 2fa without the code needed
any beginners bug bounty guide?
Check out Hacker101, it has guides and videos and CTFs; also do TryHackMe, check it out

OK ROAD MAP FOR BUG HUNTER
-ban @glad stump Soliciting hackers for hire
Banned Father Crypto#0001 indefinitely
lol
!docs verify
To send ss you'll have to verify
And all bugs are supposed to be reported through email
Hello Everyone,
I was going through this talk https://www.youtube.com/watch?v=FU1fWMwGMuY&t=3s where yasine mentions that after gathering subdomains he passes the list to dnsx/puredns and then the result is passed to httpx.
I am getting confused here; the whole purpose is to find out the alive domains, then isn't it possible by using httpx only? How is dnsx different from httpx and why should it be used?
Who says it's a webserver on the subdomain?
Isn't a subdomain meant to serve web server? What else could it be?
Ahan, then what httpx does is scan for an HTTP server on default ports e.g. 443, 80, or if given a custom port, it will look for HTTP servers. But what will dnsx do? How is it beneficial to use dnsx? Can you give some use case?
I have no idea what that tool is, I don't use it
Here's a list of its features, you can work out why those records might be useful
disable adblockers, refresh with ctrl+f5, try other browser
thx
Hi, nice to meet everyone, hope you can teach me and share, thanks. I hope I can help some.
can somebody tell me how to really bypass 403
from tools all i see curl commands and from curl commands i only get 200 response and headers
You can't always...
Yep
try this tool, https://github.com/Dheerajmadhukar/4-ZERO-3
it contains all the possible techniques
Hello guys
@tiny rain Can you post it using a non-medium link?
Hello to all.
I need some help.
I am working on a site,
Where I can bypass the Cloudflare firewall when I use \ufffdd such characters after my payload.
But I guess on the server side it is able to filter my XSS payload
Can anyone suggest some ways to also bypass the server-side filter and get the XSS triggered?
How long did it take you to find your first bug
1 month
should i learn programming for bug bounty and if yes which languages
yes but everyone has different answers ( i just want people with experience to answer to see how i should start)
Possibly popular web languages; PHP, JS, etc.
I think there's a stok video about this
Hello everyone, I need to send a vulnerability disclosure report but the company only uses S/MIME encryption for reporting disclosures. I have Proton but Proton uses PGP and I don't have a company Microsoft account to set up S/MIME. I would appreciate it if anyone has suggestions on what I can do in this situation
Thanks a lot, I will check this out
Gave +1 Rep to @onyx jay
I came across a weird sub-domain takeover/open redirect which I can't seem to understand. Does anyone know what might have been the case?
While going through my recon output, I noticed that a few sub-domains were being redirected to http://evil.com/ (someone already had exploited whatever this was), so instead of a typical takeover, where you host your own code, it was being redirected to that?
I checked its DNS records, as its DNS was something like an ntlsd server and all; maybe they hosted a script that redirects its users to evil.com, but it was being listed as "Open redirect" under the type of vuln reported instead of "subdomain-takeover". Any idea?
Anyone here know a good path/ challenge to practice actual bug bounty types of challenges in THM?
does anyone have experience with less known platforms ?
I'm doing a bug bounty at the moment, and I ran skipfish and got this result:
Does anyone know what this means?
(I redacted the url, it actually did show a url)
Could be SSTI type thing, I'm not sure but afaik server side evals are usually SSTI, also, are you allowed to run automated scans within the bug bounty? It's usually forbidden.
It seems in this one it is allowed as long as you can prove a proper PoC of the found vulnerability
Strange
anyways, IMO it's probably an SSTI
Thanks
what's the site running on
Captcha leads to disclosure of sensitive info, any help on how to automate this process...?!
Is this a part of a bug bounty program?
Are you able to share the program? So I can read the terms

I was browsing through an exchange program.
so , I signed in at https://site.xyz.com/dashboard
It's just the basic signed in page with name and email .
then there is https://xyz.com/exchange where I tried to do clickjacking, and the thing is, even though I am signed in at https://site.xyz.com/dashboard, whenever I open https://xyz.com/exchange directly or through the hyperlink in https://site.xyz.com/dashboard, https://xyz.com/exchange asks to login by clicking on a button, and that button calls https://connect.xyz.com/abcdabcd (probably some API call) and it refuses the connection in the iframe window.
DO you think i can bypass this ?
Also , The https://site.xyz.com/dashboard is vulnerable to clickjacking and I can change email but it requires , first clicking on settings icon , then changing the email and then clicking on save ( No password) . Basically , change email doesn't have a separate page and is accessed through a pop-up . Any way of reducing the user interaction ?
I am ok with sharing the program details but the program offers a very small bounty .
How does it block loading within an iframe(CSP? or sth else)
First one is , https://xyz.com/exchange ( which i iframed originally )
Second is , https://connect.xyz.com/ ( which is called by https://xyz.com/exchange when I click on login button within the iframe and it refuse to connect)
@normal crescent
Hmm
x-frame-options is enforced on browser level
You could obviously proxy it but i am not sure whether they would accept that as a vuln
Found another endpoint . A little less impact but They should accept it 
Ok
Hey guys, I came across a CORS on an API endpoint that only has POST enabled. It also needs some JSON data to give back a 200. I tried everything I could research on and nothing worked. Is there a way to exploit it? Thanks in advance
is there anything that can be done from crossdomain.xml
I couldn't find that file but I know Access-Control-Allow-Origin is set to '*' and it does reflect whatever I set it to in the response header
is my question I do not think what you have asked
that's not vulnerable unfortunately, modern browsers won't allow it
im doing a bug bounty program, i was playing around with folders forms etc. and when i tried to view the uploads folder i get this xml code, anyone knows what can i do with it?
Well the error message is rather informative
im not familiar with xml injection
?
Because the response is in xml format, that doesn't mean that you can inject anything
the specified key doesn't exist
then what does the error mean?
Hello, I'm doing a bug bounty program where I was able to find an admin login that's vulnerable to insufficient logging and monitoring. I tried brute forcing just as a proof; I got 3 matches that seem to be working, but when I try logging in it went all blank then went back to the login page without any response. I try the same username with a different password and I get an error with incorrect password and username. I know that's saying something but I can't just pinpoint it, I need some help, anyone please?
That all uploaded files can be accessed using their unique key/filename/id
You can't really do anything with it
You could try testing for an idor
But that shouldn't be the case
Is this for me sorry just wondering
No i was replying to filo
Yesssssirrrrr
Since you are able to bruteforce the panel, you could report that as no rate limiting, but you should first see their terms of service in order to determine whether they allow bruteforcing logins and whether they accept lack of ratelimiting as a vuln
If that's not the case, i would advise you not to proceed
The fact that your valid creds redirect you back to the login page is a little weird
But they may have other restrictions in place like ip rules?
Thank you so much this surely help!!!, and yes sure but this url is still in scope
Gave +1 Rep to @normal crescent
That's not what i said
Not every program allows bruteforcing
Or accepts no rate limiting as a vuln
I will find out about this above; if I'm not lucky enough I will just move on then, thanks
Np
Hey guys, i am working on a website to try and hack it. They have sort of challenged me that their site is not vulnerable. Anyone who is up for the task??
They don't have a bug bounty program
@river patio i just unmuted you, don't
I would not touch it. You don't own the site, but you've been asked to hack it? Best check with a local lawyer before engaging in that test.
I had an agreement with them unless I don't disclose my findings anywhere out on the internet i will be out of trouble
I didn't understand, i have not pinged everyone
that won't hold up in law, if they decide to turn you in. If you don't have a contract or agreement or bug bounty program, doing any security test on that site is a bad idea.
Okay. Will discuss with them and make a contract. Thanks for the advice
Gave +1 Rep to @analog glen
Hey, i found 1 thing interesting on my school's website and i am not sure if its a bug.
- There is a page
paymenttab in the navigation bar and when some user clicks on it, it refreshes the page because the page doesn't exist.
So is it a bug that i should report?
https://twitter.com/The__Good__Guy/status/1540116715677548544
How to get access to less crowded bug-bounty programs
It is a bug, but it's not a vulnerability
Thanks
Gave +1 Rep to @normal crescent
Can anyone give me advice on bypassing wafs
depends on what you want to accomplish, once you have that, move on to research the methods of bypass typically used
Thank you homie
404 not found should be general behaviour , if not report it
Hey everyone, I have a few questions about starting bug bounties.
- Right now I know a few basic web vulnerabilities, should I jump in now and learn as I go or should I learn as many before I start.
- Should I look for 1-2 bugs in particular or should I look for all that I know.
- What are some good practices? Like what can I do to not miss the easy bugs but also how do companies want hunters to go about bug bounty hunting? (any advice would be appreciated)
- Bug bounty is not good for beginners, you will not find much and you will be demoralized.
- See 1, but you'd want to use all your knowledge within the scope
- The scope tells you what you're allowed to do
Ok so should i grind portswigger/tryhackme and sites like that or do you recommend something else that would help?
If your goal is to make a living doing bug bounty, stop and re-evaluate
No i dont want to make it a job, i want to do it to prove my skills and put it on a resume if I do find one
Read lots of writeups
On medium
On the HackerOne Hacktivity page
And you should do PortSwigger labs + PentesterLab to get experience
But yeh You might end up not finding any bug even in a frame of one year
ty
Can anyone please give me a YouTube playlist to start learning #bug-bounty...
Kinda sounds like you're forcing us, but why do you want to learn bug bounty and how much web hacking knowledge do you have?
Oh sorry... I want to know from the beginning... Is there any guideline... Like at first I need to learn this and then this... And so on to learn web hacking...
Like any book or video...
I'll gladly refer you to read the conversation just above you, bug bounty is not a beginners thing to do, you'll succeed better when having proper knowledge in different exploits than just starting out, since there is no guide to bug bounty, it is all over the place, no site is the same
Try doing PortSwigger Labs and refer to https://www.youtube.com/c/RanaKhalil101/videos for walkthroughs and detailed explanation.
That might give you a initial foothold on the process .
Thm has great web application hacking training
Not sponsored just loving the platform
And just a tip diverge from your path a bit study something not in your training path but still within your range of knowledge or maybe something completely new
if you do all of portswigger, your skills will probably be in top 5%
portswigger doesn't cover a lot of the recon stuff which is really important, so it may be hard to get started initially
heyy
I'd recommend sticking with one program with a lot of functionality for a while, lots of people shill the 100 hours on a program thing
who has used Burp Suite's Turbo Intruder?
what help do you need
guys I need help with an XSS, it's a search input so the url looks something like this:
https://site.com?term=<xss payload>
my payload is not executing for some reason
here's a screenshot
it's a bug bounty program with no bounty reward, I'm just doing it for practice
asad</span><script>alert(1)</script> thats the payload i typed in the input form
Anyone on here?
Lots of people. It's always best to ask directly.
I am trying different XSS payloads in a markdown editor. I got this one to pop up. Not really sure what I can do with it.
what was the actual payload that triggered it
Looks like the payload didn't work, if it's displaying it as you entered it then it seems it got encoded
i wouldn't touch it
It does, the payload gets reflected 2 times in the page and I took a look at the response and found out that the payload is also inside a JSON
Double quotes get replaced with \" and the backslash with 2 backslashes
I'll send the screen later, right now I'm on my phone
Double quotes with a backslash and the Double quotes
inspect it, then right click and view as HTML
the payload was "}alert(1)
the backslashes gets replaced with double back slashes, is there a way i can inject the alert()?
not really, one thing is that your data is encoded and you're not escaping it because the backend is doing its job
but the other thing is that your data is inserted into the DOM in a safe manner which means it won't be executed
so I can't do anything about it?
not really, no
ok
how did u get the bug hunter role?
!docs bug-bounty
ty
Don't hunt on Indian company bug bounty programs 
Why
Ever submitted a vulnerability on huntr.dev? I'm having an issue with my already submitted and verified vulnerability. Basically rewarded me with 0$. Is this possible?
Found a rate limiting bypass on forgot password accepting 2 OTPs [normally it accepts 5 inputs in 5 minutes]
Obviously because of 2 OTP , the luck factor drop tremendously aka chances of successful attack is less and the code also stay valid for 5 minutes ... We can regenerate it though
And the company said they have enough protection in place
Ok so you found a bug with nearly no impact and didn't get paid out?
That sounds exactly like how it works everywhere
Uhmm i won't say it have high but it does have impact i think
You should not be doing bug bounty for the money, and there's one of the many reasons.
They said that they have sufficient protections in place. It poses little to no risk, so no bounty. Makes sense to me.
It's shit for you, but that's how it's meant to work
Maybe I am letting this go as an experience
question, cuz why not
people that do bug bounty, if you know what you are doing, is there like an "average income" that u get?
I don't think there would be an average income as the bounties pay out differently.
But that's my take on it.
thats what i was thinking as well
but would a person be able to make it their full time job? like would it be able to make someone pay rent and have food lol
I mean, it's about the same as hoping to make a living as a gold miner. Additionally, there's no guarantee that the company will value a bug on par with the time it takes to find and document, and as you're not working under a defined contract or anything, there's little recourse if you don't like their response to your bug.
Like just because you manage to make something operate in an unusual fashion does not mean you've landed a profitable bug. Companies join bug bounties as an economic decision, because it's probably cheaper farming out work to randos on the internet rather than paying for an internal cybersec team.
Not unless you have extremely low costs of living.
Bear in mind that as a pentester, I get paid if I spend 8 hours testing a rock solid app. I get paid regardless of what I find. Rent doesn't decrease just because you didn't find bugs.
If I find the same bug as a coworker or a previous pentest, that's actually a good thing for us. It doesn't get closed as a dupe. I still get paid.
ah
thats nice for you (and your colleagues/coworkers)
then is it an unrealistic goal to try bug bounty?
It's why bug bounty isn't sustainable compared to a stable job
It's unrealistic to have it as a primary job.
imma ask this here even tho its not really related, but is it possible to have a good job/career in cybersec without any proper degree(or related to school)
It's possible. It's difficult. #cyber-and-careers
i just asked here to keep like... the conversation in only 1 channel yk
Yeah but that's the appropriate place now.
ok, ty btw, for your replies.
Oh ok ok
what do you guys think are the first and easiest bugs to find for a beginner?
i tried studying xss as my first bug but it seems too complicated
any tips?
Search for UncleRat on YouTube. He teaches XSS in very easy way with practical labs that he built
thanks
.
Hey guys!! Anyone looking to learn about Web Security, below is a link by Stanford University
Free Web Pentesting Class by Stanford University
Learn javascript, build your own lab and hack it
Thanks
Gave +1 Rep to @floral helm
Should leaking internal codes such as this be submitted?
It would be very low severity even if they accepted it
Yes I agree with that
But should I report it though
There is another endpoint which shows the whole directory listing due to error
Even the ones which aren't accessible by normal users such as /admin
You shouldn't be doing this on a bug bounty
IDOR
Thanks
npnp
That would be cheating
If we don't know something then we try to Google it and get answers. Here in my case, I already Googled it and tried to complete the task. But failed. So I am asking for help from experienced people if they can help me.
It's an interview, they're trying to assess your skills not ours.
Please stop.
Sure. No problem.
Hi, I would like to ask you about bug bounty rules. I mean, I feel discouraged looking at the rules. For example a lot of companies ask for an additional header parameter to understand that you are a tester, but some tools don't give the ability to add a personalized header etc.
That was only an example, other companies ask for more things.
What is your approach to these things?
If I remember correctly things like aquatone, sublist3r etc.
Just as an example, but there are a lot of tools that don't have the -H for specifying a custom header
The solution here is this:
1 - Create a proxy.
2 - Create a script that adds a header to all intercepted traffic.
3 - Direct your tool through the proxy.
4 - Let your proxy script add the header you need.
@lethal charm
Can i do it from burp? @fallen palm
You can, but you'd still need to write either some personalised script or plugin for Burp.
Otherwise you'll be manually changing the header for each request which will become tedious very fast.
Alright!
And generally speaking which are like the best practices as that you use to approach a bug bounty hunt?
Since i understood how to find flaws, and i would like to make it in practice but i feel a bit discouraged from companies Bounty pages, do you have some advice for starter?
Thanks! @fallen palm
Gave +1 Rep to @wispy hound
Ensure you read the rules of engagement of each bounty you participate in and understand them. Anytime, if in doubt ask for clarification from the provider.
Ensure you always stay within scope by setting the scope of your tools.
Hey guys!!
While testing the main page of a site, when I enter
<img src=x onerror=alert (1)>
The script runs and pops the alert but without pressing the enter button.
But when I hit enter, the cloudflare blocks the request.
Any tips for a way around to such errors?
Don't hit enter?
But then how to make an impact and report the bug?
If it runs without pressing enter then shouldn't it be making an impact?
Does the website offer some form of preview while typing? Sometimes they can have some scripts (there's too many of them), that basically remain in a loop and check what you type, then try to execute/preview that on client-side. Usually, places that allow you to "blog" for example.
In that case, you'd see the XSS (which is awkward) but not impossible.
Then, when you press enter it gets blocked as it is likely going through backend filters. (Or just straight up slapped in the face by the Cloudflare proxy)
Self XSS is an issue, but not overly impactful.
Yes, it offers preview just like Google. I guess it tries to search its database for the term
-ban 993890135122915429 -ddays 1 came here to spam a nonsense "job advert". Obviously not here for the right reasons.
Banned aniu5168#1504 indefinitely
Eh? You should be able to do it within the Proxy options
Instead of alert(1) try alert(window.origin)
if the window origin is not the same as the domain you're on, it's not really an issue
It has an option for automatically appending a specified header to every request?
Should do, aye
Can check when I get home
In that case yeah best use the built-in options
Yeah, here ya go
Nice, so they just need that and an automated "forward" for all intercepts
Or, y'know, just turn the intercept off
But yes
Even with the intercept off, the proxy is still active
Interesting
In that case, they're set to go!
Now they can catch all the bounties!
I tried your advice. But it's the same domain that I am on...
You could check out the pinned messages, there are some useful information
Thank u
Gave +1 Rep to @bitter quiver
Any advice how to move further?
The fact that the window.origin returns the same domain, shows that this can be a real XSS problem, if it was different than that would've meant no problem
Look up XSS payloads, and try one out or something
Does anyone know how I go about testing google api keys? That includes google maps api keys and stuff since it's included in the strings.xml resource file. Am I even allowed to try and make requests?
I found a consumer key & secret pair for a twitter account but I am getting a "authenticity_token_error" when I POST them for getting a bearer token. I guess they are invalidated

would have been great.
yes.
https://help.tryhackme.com/miscellaneous/the-bug-bounty-programme
Hey, reading the Out-of-Scope Vulnerabilities: atm - does this mean that things like XSS are completely out of scope?
TryHackMe both encourages and rewards responsible security bug discovering and disclosing. Whilst we review every report on a case-by-case basis, we ask fo
Where does it say XSS is out of scope?
Nowhere, just wanted to make sure that I just hadn't misunderstood what any of it means
this is how html5 works <.<
Copy and paste that exactly into Google
okay thanks but i'd prefer an experienced person to tell me
Thm has a guide on that pls check it out
Thm materials are generally awesome and comprehensible at once, highly recommend
Unfortunately, I couldn't prolong the subscription due to unsolvable tech problems, but oh well
@wooden harness okay pls do u mind giving me the link to the room
Go to "learn" on thm site and type XSS into a search field. I remember it was in Jr Pentester course at least
alright thanks
Using google is one of the fundamental skills every bug hunter must have. Also, you need to make dorking your default companion
thanks
Error: the server returns a status code that matches the provided options for non existing urls. http://www.domain.com/b14aada5-9f1f-4c21-af40-ac4d1af64223 => 301 (Length: 707). To continue please exclude the status code, the length or use the --wildcard switch
is it that gobuster can't find sub directory i'm confused
thanks
Hello @lapis horizon
Do u have any idea on this? #infosec-general
Just...
Ur active so ... :)
Oh alright
my bad
an application I'm testing allows uploading files with names like %2e%2e/%2e%2e/ onto google storage. what's the highest impact I can reach with this?
I guess phishing right?
because when I go to website.com/file/hash I get redirected there
thus storage.googleapis.com/corp/bucket/*file/%2e%2e/%2e%2e/phishingpage*
nothing
For THM?
Hi to all. I have a little question: I have started to do some research on some platforms that are exposed to a bug bounty program. The scope is normally clear and I respect it. What I want to ask is: how can I go with scanners? Sometimes they are mentioned, sometimes not. I have asked the bug bounty program if I can do scans. The response was: if you don't disturb/damage the application it's ok. So my question is: where is this limit: 1 req/sec? 10 req/sec? Some advice from your side?
hey amazing people
I am testing a website login page
In that page, only those who have email id directly registered with the company are allowed to login.
While using burp suite, came across request =
POST /something/api/public/validateUserIdentity
and then tried modifying it to
GET /something/api/public/user=1 HTTP/2
received response HTTP/2 200 OK and {"success":0}
Any idea how to move further?
sup guys, can someone give a tip on why this xss isnt working?
its a dom xss but i dont know why its not working, i was able to escape the double quotes.
i opened the request on the browser but its not giving me the alert
this was the payload: asdsadad"});alert(1);({
what am i missing?
You would want to check the scope of your target but generally no
Well actually
Maybe
Worth a try
okay thanks
Hi chat
I have found a url in js code at one of subdomain like that
/api/qrcode?param=https://example.com/mobile/download.html and itβs generate a qrcode
When scan that qrcode redirect me to download page of the site
, I changed the value of the param to my burp collaborator and I scanned it again, it redirected me to burp collaborator. How to raise that from open redirect?
Okay but the site should validate the input of the query param "text" to their own site only
Am I right? It's the first time I've found this kind of functionality
On their site
Yeah thanks, I have reported it, just trying to figure out how to raise the impact
Gave +1 Rep to @lapis horizon
Nah still but I will now
The site blocks me after 10 requests so I have to do it manually
I will now, thanks again for this tip
Gave +1 Rep to @lapis horizon
what tool can be used to dir bruteforce a list of hosts? I don't think ffuf and gobuster have options to scan from a txt file
I don't think those kinds of tools are allowed in a bug bounty scope
you sure auto enum tools like that is in scope?
hi
sublist3r keeps on giving me an error
when i try finding sub domains
i get
[!] Error: Virustotal probably now is blocking our requests
then nothing shows up
It's nothing new. But after showing the error does it give the list of hosts after some time ?
yes it does
but am like is it possible for it not to show those thing
and does sublist3r give all the sub domain
Hi, I have found private SSH keys in .pem files on a program's GH repo. The keys are 7 yrs old and found in node_modules folder. Should this be reported?
you can use amass π
Yeah sure , if it's private report it as sensitive data exposure
but how can i prove the impact? I dont know the server, username to validate the keys
there isn't an impact, it's just an information disclosure
did you try to "extract" public key from it? AFAIK ssh-keygen adds the username as a comment
and what about server IP?
-ban 749480773207326802 -ddays1 Advertising minor content via their bio, if account was compromised appeal bans@tryhackme.com
Banned Thesmartman#2752 indefinitely
there are a lot of XSS types. It depends which one.
They're all JavaScript though.
Technically yes but the magic of xss is mostly bypasses which is most of the time various markup stuff
Should CSRF token be disclosed in the response of the page for the same user ?
For Example : I opened the /profile page and CSRF token was disclosed in the response .
To check its validity, I tried a CSRF attack with the disclosed token and it worked.
Yes but was just wondering if CSRF token should be disclosed in the response ? IS it a normal behaviour ?
Thank you @lapis horizon
Gave +1 Rep to @lapis horizon
It's mandatory, as the app needs to know a valid csrf token
Can anyone suggest best path to get into bug bounty