Vulnerabilities
1. HTTP and HTTPS available
Vulnerability - HTTP and HTTPS available
Description:
The website is not fully protected by an SSL certificate. This could allow an
attacker in a Man-in-the-Middle position to obtain usernames and passwords of
users visiting the site.
-------------------------------------
Steps:
1 - Go to the domain https://abc.com
2 - Copy the URL and open an incognito tab
3 - Paste the URL and remove the "S" from the domain and check if it
redirects it to http
4 - If it opens on http, it is vulnerable.
---------------------------------------------------------------------------
Impact:
If a user were to visit this page from a public or shared network (eg,
office, airport, library, etc) and login an account, a malicious user on the
same network would be able to obtain that user's username and password by
conducting a Man-in-the-Middle attack using Wireshark.
This would allow the malicious user complete access to the user's account.
Remediation:
Check for an expired SSL certificate or implement HSTS.
-----------------------------------------------------------------------------
2. HTTP by default
Vulnerability - HTTP by default
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Description -
The website is not fully protected by an SSL certificate. This could allow an
attacker in a Man-in-the-Middle position to obtain usernames and passwords of
users visiting the site.
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Steps to Reproduce -
1 - Open the domain - http://abc.com
2 - Copy the URL and open a new tab
3 - Paste the URL and add a "S" in the domain and check if it redirects it to
https
4 - If it does not open on https, it is vulnerable.
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Impact -
If a user were to visit this page from a public or shared network (eg,
office, airport, library, etc) and login into an account, a malicious user on
the same network would be able to obtain that user's username and password by
conducting a Man-in-the-Middle attack using Wireshark.
This would allow the malicious user complete access to the user's account.
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Remediation -
Add an SSL certificate so that the website becomes secure and opens on HTTPS.
-----------------------------------------------------------------------------
-----------------------------------------------------------------
3. Improper Cache-Control on sensitive Page
Vulnerability - Improper Cache-Control on sensitive Page
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Description - The cache-control and pragma HTTP header have not been set
properly or are missing allowing the browser and proxies to cache content.
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Steps to reproduce -
1 - Go to the URL
2 - Login using the desired credentials
3 - Open any sensitive page like (account / settings /profile )
4 - Click on the Logout button
5 - Press the back button of the browser
6 - User's sensitive information will be visible on the page
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Impact - When sensitive data is being stored and transmitted by the
application which does not have the `Cache-Control` header,
an advanced attacker can access the sensitive data, phish users and cause
reputational damage to the business.
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Remediation -
Add the security headers that will prevent the site's cache to get loaded
again after the session has been terminated.
-----------------------------------------------------------------------------
-----------------------------------------------------------------
4. Reset token is invalidated after use
Vulnerability - Reset token is invalidated after use
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Steps to Reproduce -
-----------------------------------------------------------------------------
-----------------------------------------------------------------
1 - Open the URL https://website.com
2 - Go to Forgot password page
3 - Enter email and received reset link
4 - Change the password twice or thrice using the same reset link
5 - Reset token is not expiring after re-use
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Impact - The attacker can reuse the reset token of the user and update the
password which would lead to an account takeover
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Mitigation:
All password reset tokens should automatically expire after the issuance of
new ones.
-----------------------------------------------------------------------------
-----------------------------------------------------------------
NOTE - This vulnerability can be checked on reset token, invite token and
verification token.
5. Weak Password Reset Implementation
Vulnerability - Weak Password Reset Implementation
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Description - When the password reset implementation is weak, the strength of
the overall authentication process for the application is diminished. Tokens
sent over HTTP, predictable reset tokens, and long expiry times create weak
conditions for the password reset implementation.
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Steps:
1. Go to forgot password page of the website
2. Enter the registered email
3. Go to the email inbox
4. Right-click on the box and copy the link
5. Paste the link in the new tab
6. Check if the link is on HTTP
HTTP LINK :
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Impact - This vulnerability could lead to data theft from the attacker’s
ability to manipulate data through their access to the application, and their
ability to interact with other users.
-----------------------------------------------------------------------------
-----------------------------------------------------------------
6. Weak Registration Implementation
Vulnerability - Weak Registration Implementation
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Description - Broken authentication and session management vulnerabilities
exist when a user is able to access resources or perform actions not intended
for their user role. Identity and access controls can be bypassed through a
variety of ways including but not limited to,
calling an internal post authentication page, modifying the given URL
parameters, by manipulating the form, or by counterfeiting sessions.
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Steps:
1. Register on the website
2. An account verification link will be sent by email
3. Go to email inbox
4. Right-click on the box and copy the link
5. Paste the link in the new tab and check if it is on HTTP
6. Hit enter and check if the account is being opened
HTTP LINK:
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Impact - Broken authentication and session management could lead to data
theft through the attacker’s ability to manipulate data through their access
to the application,
and their ability to interact with other users, including performing other
malicious attacks, which would appear to originate from a legitimate user.
-----------------------------------------------------------------------------
-----------------------------------------------------------------
7. Broken link hijacking
Vulnerability - Broken link hijacking
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Summary - Broken link hijacking (BLH) is a type of web attack. It exploits
external links that are no longer valid. If your website or web application
uses resources loaded from external URLs or points to such resources and
these resources are no longer there (for example due to an expired domain),
attackers can exploit these links to perform defacement, impersonation, or
even to launch cross-site scripting attacks.
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Steps-
1- Open the link https://www.website.com
2- Click on the social media icons like - Twitter / Facebook / Instagram, etc
3- If not the account will not be made, it will return - PAGE NOT FOUND or
ACCOUNT NOT FOUND
4- The attacker can create an account by the company's name.
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Impact:
An attacker can create an account on the social media platform with that
username and impersonate the company.
-----------------------------------------------------------------------------
-----------------------------------------------------------------
NOTE - Can be checked on domains, sub-domains, promotional emails.
-----------------------------------------------------------------------------
-----------------------------------------------------------------
8. Clickjacking (Bugcrowd)
Vulnerability - Clickjacking
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Description - Clickjacking, also known as a "UI redress attack", is when an
attacker uses multiple transparent or opaque layers to trick a user into
clicking on a button or link on another page when they were intending to
click on the top-level page. Thus, the attacker is "hijacking" clicks meant
for their page and routing them to another page, most likely owned by another
application, domain, or both.
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Steps to Reproduce:
1. Open the target.com
2. Copy the profile URL and paste it on the clickjacking file and save
3. Open the clijacking file and the target.com will be vulnerable to
Clickjacking and loads successfully into the iframe of the attacker.
3. The attacker can perform a sensitive action
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Impact -
Using a similar technique, keystrokes can also be hijacked. With a carefully
crafted combination of stylesheets, iframes, and text boxes, a user can be
led to believe they are typing in the password to their email or bank
account, but are instead typing into an invisible frame controlled by the
attacker.
-----------------------------------------------------------------------------
-----------------------------------------------------------------
NOTE - For bugcrowd, it will be only accepted on features like:
1 - Delete account without password through clickjacking
2 - 2FA enable/disable without password through clickjacking
8.(2) Clickjacking
Vulnerability - Clickjacking
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Description - Clickjacking, also known as a "UI redress attack", is when an
attacker uses multiple transparent or opaque layers to trick a user into
clicking on a button or link on another page when they were intending to
click on the top-level page. Thus, the attacker is "hijacking" clicks meant
for their page and routing them to another page, most likely owned by another
application, domain, or both.
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Steps to Reproduce:
1. Open the target.com and go to the profile/account/settings page
2. Copy the profile URL and paste it on the clickjacking file and save
3. Open the clijacking file and the target.com will be vulnerable to
Clickjacking and loads successfully into the iframe of the attacker.
3. The attacker can perform a sensitive action
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Impact -
Using a similar technique, keystrokes can also be hijacked. With a carefully
crafted combination of stylesheets, iframes, and text boxes, a user can be
led to believe they are typing in the password to their email or bank
account, but are instead typing into an invisible frame controlled by the
attacker.
-----------------------------------------------------------------------------
-----------------------------------------------------------------
HTML for Clickjacking
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>Testing Clickjacking</title>
</head>
<body>
<p>This page is vulnerable of Clickjacking!</p>
<iframe
src="https://www.tripadvisor.com/Profile/Wanderer15595744505"height="700px"
width="700px" frameborder="0"></iframe>
</body>
</html>
9. Delete account without a password
Vulnerability - Delete account without a password
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Description - The removal of an account is one of the sensitive parts of a
web application that needs to protect, therefore removing an account should
validate the authenticity of the user, however, I have found that when
removing an account, the system did not require the user to input the account
password.
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Steps to Reproduce -
1 - Go to the website and login into your account.
2 - Visit the profile/settings section.
3 - A delete/cancel/deactivate/remove account button will be displayed.
4 - Press that button and the account will be successfully deleted.
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Impact - The target doesn't verify the request with a Valid OTP or password
before triggering Right to Access/Deletion & allows an attacker to delete
User Accounts without user interaction.
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Mitigation - Put reauthentication when anyone/user is deleting an account,
and ask the user to input a password before the completion of the account
deletion.
-----------------------------------------------------------------------------
-----------------------------------------------------------------
10. DMARC record not found
Vulnerability - DMARC record not found
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Description - DMARC (Domain-based Message Authentication, Reporting, and
Conformance) is an email authentication protocol. It is designed to give
email domain owners the ability to protect their domain from unauthorized
use, commonly known as email spoofing.
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Steps -
1 - Visit - https://mxtoolbox.com
2 - Enter the domain name - target.com and hit go
3 - The domain name will show No DMARC Record found
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Impact - Spammers can forge the "From" address on email messages to make
messages appear to come from someone in your domain. If spammers use your
domain to send spam or junk email, your domain quality is negatively
affected. People who get the forged emails can mark them as spam or junk,
which can impact authentic messages sent from your domain.
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Mitigation - Implement the DMARC Record which will prevent the attacker to
spoof the email domains.
-----------------------------------------------------------------------------
-----------------------------------------------------------------
11. External Authentication Injection / Content Spoofing / Text Injection
Vulnerability - External Authentication Injection / Content Spoofing / Text
Injection
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Steps -
1 - Go to abc.com
2 - Then just change above url like this https://abc.com/admin/ or
https://abc.com/login/
3 - For example - I got this page https://withinsecurity.com/wp-
login.php?error=access_denied
4 - In above page, I found "error" parameter is vulnerable for Content
Spoofing OR Text-based injection attacks.
5 - So we need to change the above url like https://withinsecurity.com/wp-
login.php?error=Your%20account%20has%20been%20hacked%2C%20Please%20call%20us%
20this%20number%20919876543210%20
6 - If the message displays on the client side, it is vulnerable
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Impact - The website it rendering the URL data to the client side of the
website which can help to trick the user to imput the data elsewhere
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Reference -
https://hackerone.com/reports/111094
https://hackerone.com/reports/327671
-----------------------------------------------------------------------------
-----------------------------------------------------------------
12. Failure to invalidate session on logout - On the password reset and/or
change.
Vulnerability - Failure to invalidate session on logout - On the password
reset and/or change.
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Description - Failure to invalidate a session after a password change is a
vulnerability which allows an attacker to maintain access on a service. Most
users have the expectation that when they reset their password, no one else
can access their account.
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Steps to reproduce -
1 - Create an account on target.com
2 - Login using credentials in 2 browsers
3 - Open the profile/settings.
4 - Go to Change password and change the password in Browser 1
5 - Visit Browser 2 and edit the profile data (name/contact no/profile
picture) and click on save.
6 - Refresh the page once and the data will be changed
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Impact - This vulnerability can lead to reputational damage and indirect
financial loss to the company as customers may view the application as
insecure.
-----------------------------------------------------------------------------
-----------------------------------------------------------------
13. Misconfigured DMARC record
Vulnerability - Misconfigured DMARC record
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Description - DMARC (Domain-based Message Authentication, Reporting, and
Conformance) is an email authentication protocol. It is designed to give
email domain owners the ability to protect their domain from unauthorized
use, commonly known as email spoofing.
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Steps -
1 - Visit - https://mxtoolbox.com
2 - Enter the domain name - target.com and hit GO
3 - The domain name will show DMARC Quarantine/Reject policy not enabled
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Impact - Spammers can forge the "From" address on email messages to make
messages appear to come from someone in your domain. If spammers use your
domain to send spam or junk email, your domain quality is negatively
affected. People who get the forged emails can mark them as spam or junk,
which can impact authentic messages sent from your domain.
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Mitigation - Implement the DMARC Record which will prevent the attacker to
spoof the email domains.
-----------------------------------------------------------------------------
-----------------------------------------------------------------
14. SPF record not found
Vulnerability - SPF record not found
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Description - The Sender Policy Framework (SPF) is an email authentication
protocol and part of email cybersecurity used to stop phishing attacks.
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Steps -
1 - Visit - https://www.kitterman.com/spf/validate.html
2 - Enter the domain name - target.com and hit Get SPF Record
3 - The domain name will show No valid SPF record found
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Impact - Spammers can forge the "From" address on email messages to make
messages appear to come from someone in your domain. If spammers use your
domain to send spam or junk email, your domain quality is negatively
affected. People who get the forged emails can mark them as spam or junk,
which can impact authentic messages sent from your domain.
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Mitigation - Implement the SPF Record which will prevent the attacker to
spoof the email domains.
-----------------------------------------------------------------------------
-----------------------------------------------------------------
15. Exif Geo Location - Automatic user enumeration
Vulnerability - Exif Geo Location - Automatic user enumeration
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Description - When a user downloads an image in example.com, the uploaded
image’s EXIF Geolocation Data does not get stripped. As a result, anyone can
get sensitive information of example.com users like their Geo-location, their
Device information like Device Name, Version, Software & Software version
used, etc.
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Steps to reproduce -
1 - Go to https://www.canva.cn/photos/MADLEAS1CIg/
2 - Download an image present on the website
3 - Go to https://jimpl.com/
4 - Upload the downloaded image
5 - Exif data will be visible
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Impact - The user's private data has not been stripped and is being shown
publically which is a strong privacy concern.
-----------------------------------------------------------------------------
-----------------------------------------------------------------
16. Exif Geo Location - Manual user enumeration
Vulnerability - Exif Geo Location - Manual user enumeration
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Description -
When a user uploads an image in example.com, the uploaded image’s EXIF
Geolocation Data does not get stripped. As a result, anyone can get sensitive
information of example.com users like their Geolocation, their Device
information like Device Name, Version, Software & Software version used, etc.
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Steps -
1 - Visit https://target.com
2 - Go to the Upload option on the website
3 - Upload the EXIF image
4 - Download the image
5 - Visit https://jimpl.com
6 - Upload the downloaded image for checking
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Impact - This vulnerability is CRITICAL and impacts all the example.com
customer base. This vulnerability violates the privacy of a User and shares
sensitive information of the user who uploads an image on example.com or any
of the example.com instances.
-----------------------------------------------------------------------------
-----------------------------------------------------------------
17. Broken authentication and session management-failure to invalidate
session on logout (client-side/server-side)
(Without Burp)
Vulnerability - Broken authentication and session management-failure to
invalidate session on logout (client-side/server-side)
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Description - This application fails to invalidate a user’s session on
logout, leaving the account vulnerable to session hijacking. An attacker may
compromise a user’s session then be able to change the password of the
account and lock out the legitimate user.
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Steps -
1 - Go to the URL - https://www.target.com
2 - Open the same account on two different tabs on the same browser - Broswer
A
3 - Click on the Logout from one tab - TAB A
4 - Once the session is terminated, go to the second tab (TAB B) and update
some data and save it
5 - Post changing the data, click on the refresh button.
6 - Once refreshed, your second tab session is also terminated.
7 - Login again to the same account and the data has been changed
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Impact - This vulnerability can lead to reputational damage and indirect
financial loss to the company as customers may view the application as
insecure.
-----------------------------------------------------------------------------
-----------------------------------------------------------------
18. Broken authentication and session management-failure to invalidate
session on logout (client-side/server-side)
(With Burp)
Vulnerability - Broken authentication and session management-failure to
invalidate session on logout (client-side/server-side)
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Description - This application fails to invalidate a user’s session on
logout, leaving the account vulnerable to session hijacking. An attacker may
compromise a user’s session then be able to change the password of the
account and lock out the legitimate user.
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Steps to reproduce -
1 - Login into an account and go to profile section to update profile details
2 - Intercept the request and send the request to the repeater.
3 - Forward the request
4 - Logout from the application.
5 - Go to the repeater and change the name
6 - Login into the account again and check if the name has been changed.
Description - This application fails to invalidate a user’s session on
logout, leaving the account vulnerable to session hijacking. An attacker may
compromise a user’s session then be able to change the password of the
account and lock out the legitimate user.
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Impact - This vulnerability can lead to reputational damage and indirect
financial loss to the company as customers may view the application as
insecure.
-----------------------------------------------------------------------------
-----------------------------------------------------------------
19. HTML Email Injection
Vulnerability - HTML Email Injection
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Description - HTML injection is a vulnerability in which attacker-provided
input is rendered as HTML. HTML injection in emails can lead to attackers
phishing users from a legitimate email address.
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Steps-
1 - Go to the URL https://abc.com
2 - Create an account with html payload in first name and last name
Payload- <img src="http://evanricafort.com/profile.png">
3 - Generate a reset password/verification email
4 - The image will be executed in the verification/reset password email sent
by the company.
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Impact -This vulnerability can lead to the reformatting/editing of emails
from an official email address, which can be used in targeted phishing
attacks. This could lead to users being tricked into giving logins away to
malicious attackers.
-----------------------------------------------------------------------------
-----------------------------------------------------------------
FOR YOUR REFERENCE - It can be tried on registration / invite user / contact
us - support - feedback or any page through which company sends an email to
the victim.
-----------------------------------------------------------------------------
-----------------------------------------------------------------
20. Reset token leaked in response
Vulnerability - Reset token leaked in response
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Description -
-----------------------------------------------------------------------------
-----------------------------------------------------------------
I have found that if user open the link of reset password and than click on
any external links within the reset password page its leak password reset
token in response.
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Steps to Reproduce -
1 - Open this link https://my-staging.finiata.pl/forgotten-password
2 - Create an accout and enter your email on forgot password page
3 - Intercept the request in burpsuite and send it to repeater
4 - Press go and check for the reset token leaked in reponse
5 - The attacker can change the password of the user
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Impact - The attacker can change the password of any user just by accessing
the email ID of the user.
-----------------------------------------------------------------------------
-----------------------------------------------------------------
21. Origin IP disclosure leads to WAF Bypass
Vulnerability Name - Origin IP disclosure leads to WAF Bypass
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Description - By using these IP address as a resolver instead of the intended
addresses I'm able to access the service without going through the WAF, thus
I'm able to forward unfiltered payloads to the service, as well as avoiding
the common protections offered by Cloudflare, also being able to perform
crippling denial-of-service towards the origin.
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Steps:
1 - Enumerate the subdomains of https://target.com
2 - Check the firewall used by the tool DNSlytics or WafW00f
3 - To get origin IP - Use sites like : https://search.censys.io/ ,
https://www.shodan.io/
4 - Do a IP lookup of the IP
5 - Enter the IP on the URL and hit enter to check if the IP loads the
subdomain name
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Impact - Cloudflare bypasses can have a significant impact, as any adversary
is now able to communicate with the origin server directly, enabling them to
perform unfiltered attacks (such as denial-of-service), and data retrieval
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Reports FYR -
https://medium.com/bugbountywriteup/bypass-cloudflare-waf-to-pwned-
application-2c9e4f862319
https://hackerone.com/reports/1536299
https://www.youtube.com/watch?v=1WkZL1Qq21Y
-----------------------------------------------------------------------------
-----------------------------------------------------------------
22. No rate limit on Change email leads to email triggering
Vulnerability Name - No rate limit on Change email leads to email triggering
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Description - Rate limiting is a strategy for limiting network traffic. It
puts a cap on how often someone can repeat an action within a certain
timeframe – for instance, trying to log in to an account.
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Steps:
1 - Open this link https://abc.com
2 - Go to settings and enter new email address and, the password, if asked.
3 - Intercept the request in burpsuite
4 - Send the request to intruder and click on clear
5 - Use null payloads as payload type and enter 100 as payload count.
5 - Click on start attack and multiple emails will be received on the new
email address's emailbox.
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Impact - If the company is using any email service software API or some tool
that has been bought for the emails being sent on the support domain, the
rate limit can result in financial loss and it can also slow down your
services as huge/mass mails will lead to disruption of data that original
user might send or the quota that has been bought might be exhausted.
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Mitigation -
1 - IP Based Blocking
2 - Captcha
3 - Firewall
4 - Reducing the number of API requests
-----------------------------------------------------------------------------
-----------------------------------------------------------------
23. No rate limit on invite user leads to email triggering
Vulnerability Name - No rate limit on invite user leads to email triggering
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Description - Rate limiting is a strategy for limiting network traffic. It
puts a cap on how often someone can repeat an action within a certain
timeframe – for instance, trying to log in to an account.
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Steps :
1 - Go to https://target.com/
2 - GO to the invite user option and enter the victim's email
3 - Click on Send invite & capture the request on burpsuite
4 - Send the request to intruder & clear payload positions
5 - Apply payload type as null payload and payload count as 100
5 - Click on start attack after applying the threads
6 - The victim will get huge nunber of emails
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Impact - If the company is using any email service software API or some tool
that has been bought for the emails being sent on the support domain, the
rate limit can result in financial loss and it can also slow down your
services as huge/mass mails will lead to disruption of data that original
user might send or the quota that has been bought might be exhausted.
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Mitigation -
1 - IP Based Blocking
2 - Captcha
3 - Firewall
4 - Reducing the number of API requests
-----------------------------------------------------------------------------
-----------------------------------------------------------------
24. No rate limit on login leads to account takeover
Vulnerability Name - No rate limit on login leads to account takeover
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Description - This vulnerability makes the attackers move on to the next step
of the attack what they want to do, this may be the best practice for
attackers to exploit any other vulnerabilities.
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Steps -
1 - Go to URL
2 - Enter email and wrong password
3 - Capture the POST request using the proxy
4 - Send the POST request to the burp intruder
5 - Set the payload as the wrong password and payload type as simple list
6 - Set the threads to 15 or 20
7 - Click on start attack
8 - Length will get changed at correct Password
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Impact - No rate limiting on a login form can result in reputational damage
to the organization if an attacker successfully takes over an account through
a bruteforce login attempt.
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Mitigation -
1 - IP Based Blocking
2 - Captcha
3 - Firewall
4 - Reducing the number of API requests
-----------------------------------------------------------------------------
-----------------------------------------------------------------
25. No rate limit on promo code
I have found a vulnerability issue of Rate limiting
Steps:
Go to URL -
Scroll down and find an offer code option
Enter the random digit (000000 - I entered this)
Take data on burp
Send to intruder
Apply number payload ( I entered 1000 payloads)
Start attack
POC attached
26. No rate limit on sms leads to sms triggering
Vulnerability Name - No rate limit on sms leads to sms triggering
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Description - Rate limiting is a strategy for limiting network traffic. It
puts a cap on how often someone can repeat an action within a certain
timeframe – for instance, trying to log in to an account.
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Steps:
1 - Open this link https://target.com/phone-number-verify
2 - Enter the vcitim's number
3 - Intercept the request and send the request to intruder
4 - Use payload type as NULL payloads and set the payload count to 100
5 - Click on start attack
6 - All the messages will be sent to the victim's mobile number.
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Impact - If the company is using any email service software API or some tool
that has been bought for the emails being sent on the support domain, the
rate limit can result in financial loss and it can also slow down your
services as huge/mass mails will lead to disruption of data that original
user might send or the quota that has been bought might be exhausted.
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Mitigation -
1 - IP Based Blocking
2 - Captcha
3 - Firewall
4 - Reducing the number of API requests
27. No rate limit on OTP field leads to OTP bypass
Vulnerability Name - No rate limit on OTP field leads to OTP bypass
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Steps to reproduce:
-----------------------------------------------------------------------------
-----------------------------------------------------------------
1 - Go to the URL
2 - Enter random code (000000)
3 - Take the data on burpsuite
4 - Send it to the intruder and add a payload position on OTP
5 - Apply payload type as numbers
6 - Set the range and step as 1
7 - Click on start attack
8 - The correct code's length will change at correct OTP
Impact - The attacker will be able to bypass the OTP which can lead to an
account takover
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Mitigation -
1 - IP Based Blocking
2 - Captcha
3 - Firewall
4 - Reducing the number of API requests
-----------------------------------------------------------------------------
-----------------------------------------------------------------
28. Rate limit bypass
Links FYR -
1 - https://infosecwriteups.com/bypassing-rate-limit-like-a-pro-5f3e40250d3c
2 - https://book.hacktricks.xyz/pentesting-web/rate-limit-bypass
3 - https://huzaifa-tahir.medium.com/methods-to-bypass-rate-limit-
5185e6c67ecd
29. No rate limit on email verification leads to email triggering
Vulnerability Name - No rate limit on email verification leads to email
triggering
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Description - Rate limiting is a strategy for limiting network traffic. It
puts a cap on how often someone can repeat an action within a certain
timeframe – for instance, trying to log in to an account.
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Steps:
-----------------------------------------------------------------------------
-----------------------------------------------------------------
1 - open this link https://abc.com/verify-email
2 - Intercept the request in burpsuite
3 - Send the request to intruder and clear the payload position
4 - Use null payloads as payload type and set the paylaod count to 100
5 - Click on start attack
6 - The victim will receive the emails on the inbox
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Impact - If the company is using any email service software API or some tool
that has been bought for the emails being sent on the support domain, the
rate limit can result in financial loss and it can also slow down your
services as huge/mass mails will lead to disruption of data that original
user might send or the quota that has been bought might be exhausted.
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Mitigation -
1 - IP Based Blocking
2 - Captcha
3 - Firewall
4 - Reducing the number of API requests
-----------------------------------------------------------------------------
-----------------------------------------------------------------
30. No rate limit on forget password leads to email triggering
Vulnerability Name - No rate limit on forget password leads to email
triggering
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Description - Rate limiting is a strategy for limiting network traffic. It
puts a cap on how often someone can repeat an action within a certain
timeframe – for instance, trying to log in to an account.
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Steps:
1 - open this link https://abc.com/forgot-password
2 - Enter the email of the victim
3 - Intercept the request in burpsuite
4 - Send the request to intruder and clear payload positions
5 - Use null payloads and set the paylaod count to 100
6 - Click on start attack
7 - The victim will receive the emails on the inbox
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Impact - If the company is using any email service software API or some tool
that has been bought for the emails being sent on the support domain, the
rate limit can result in financial loss and it can also slow down your
services as huge/mass mails will lead to disruption of data that original
user might send or the quota that has been bought might be exhausted.
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Mitigation -
1 - IP Based Blocking
2 - Captcha
3 - Firewall
4 - Reducing the number of API requests
-----------------------------------------------------------------------------
-----------------------------------------------------------------
31. No rate limit on contact us leads to email triggering
Vulnerability Name - No rate limit on contact us leads to email triggering
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Description - Rate limiting is a strategy for limiting network traffic. It
puts a cap on how often someone can repeat an action within a certain
timeframe – for instance, trying to log in to an account.
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Steps:
1 - Go to the URL -
2 - Open the form and fill details as required
3 - Intercept the request on Burpsuite
4 - Send the request to intruder and clear payload positions
5 - Use payload type null payloads and set the payload count to 100
6 - Click on start attack
7 - Check all the requests (All the requests are 200 OK and the mails being
to sent to the company)
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Impact - If the company is using any email service software API or some tool
that has been bought for the emails being sent on the support domain, the
rate limit can result in financial loss and it can also slow down your
services as huge/mass mails will lead to disruption of data that original
user might send or the quota that has been bought might be exhausted.
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Mitigation -
1 - IP Based Blocking
2 - Captcha
3 - Firewall
4 - Reducing the number of API requests
-----------------------------------------------------------------------------
-----------------------------------------------------------------
32. Account lockout bypass by manipulating networks
Vulnerability - Account lockout bypass by manipulating networks
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Vulnerability Description: I've found a vulnerability which is Account
lockout bypass by manipulating networks.In the apk, the account is locked the
account on the basis of Network IP but this can be bypassed by manipulating
the networks.
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Steps-
1 - Open the website / APK
2 - Now enter the email id and wrong password here many times.
3 - Now here the account is locked.
4 - If you are try to login than application is pop up a message (Your
account is temporarily locked. Please try again later).
5 - So here all the attacker has to do is change the network.
6 - Enter the correct credentials and the account is successful logged in by
bypassing the account lockout mechanism.
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Impact - An attacker will be able to brute force the password by manipulating
the networks and takeover the account
-----------------------------------------------------------------------------
-----------------------------------------------------------------
33. Cleartext transmission of Session token
Vulnerability - Cleartext transmission of Session token
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Description - Broken authentication and session management vulnerabilities
exist when a user is able to access resources or perform actions not intended
for their user role.
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Steps -
1 - Login into an account using creds
2 - Check the URL if it has a token going POST login with the domain
3 - Copy the URL with the token
4 - Open an incognito window
5 - Paste the URL and hit enter
6 - Check if the website logs in directly without authentication
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Impact - Broken authentication and session management could lead to data
theft through the attacker’s ability to manipulate data through their access
to the application, and their ability to interact with other users,
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Mitigation - The session token should not be sent in the URL but in the
session cookie encrypted with secure and http only flag
-----------------------------------------------------------------------------
-----------------------------------------------------------------
34. No password policy
Vulnerability - No password policy
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Description - Some websites prevent the users to use passwords constructed of
character combinations that otherwise meet company policy, but should no
longer be used because they have been deemed insecure for one or more
reasons, such as being easily guessed, following a common pattern, or public
disclosure from previous data breaches. Common examples are 1234, qwerty, or
the word password itself.
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Steps -
1- Go to https://abc.com/signup.
2- Create an account by typing your email address and password to "1"
3- Hit the "Sign Up for web" button.
4- The account will be created.
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Impact - Sicne the site is accepting single digit password, it will be easily
guessable and bruteforceable leading to account takeover
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Mitigation - Some policies suggest or impose requirements on what type of
password a user can choose, such as:
the use of both upper-case and lower-case letters (case sensitivity)
inclusion of one or more numerical digits
inclusion of special characters, such as @, #, $
prohibition of words found in a password blacklist
prohibition of words found in the user's personal information
prohibition of the use of company name or an abbreviation
prohibition of passwords that match the format of calendar dates, license
plate numbers, telephone
numbers, or other common numbers
-----------------------------------------------------------------------------
-----------------------------------------------------------------
NOTE - Can be checked on registration and change password option
-----------------------------------------------------------------------------
-----------------------------------------------------------------
35. Open Redirect GET Based
Vulnerability - Open Redirect GET Based
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Description - Open redirect is a security flaw in an app or a web page that
causes it to fail to properly authenticate URLs. Web users often encounter
redirection when they visit the Web site of a company whose name has been
changed or which has been acquired by another company.
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Steps -
1 - Visit the link https://www.abc.com/user/login/?next=
2 - Put the payload/website name as //evil.com after the parameter
3 - It should appear like - https://www.abc.com/user/login/?next=//evil.com
4 - Enter the email id and password
5 - Click on sign in and the page will be redirected
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Impact -
An attacker can use this vulnerability to redirect users to other malicious
websites, which can be used for phishing and similar attacks
The attacker can redirect it to evil.com and other malicious websites like
https://www.r57.gen.tr/
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Reports -
https://infosecwriteups.com/how-i-chained-p4-to-p2-open-redirection-to-full-
account-takeover-a28b09a94bf7
https://hackerone.com/reports/104087
https://hackerone.com/reports/692154
https://hackerone.com/reports/753399
https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Open%20Redire
ct
https://hackerone.com/reports/330008
https://hackerone.com/reports/140447
-----------------------------------------------------------------------------
-----------------------------------------------------------------
36. Sensitive token via URL
Vulnerability - Sensitive token via URL
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Description - Sensitive data can be exposed when it is not behind an
authorization barrier. When this information is exposed it can place the
application at further risk of compromise.
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Method 1-
Steps-
1 - Go to https://www.abc.com/
2 - Login into your Account
3 - The email/username and the password will be visible in plaintext in the
URL
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Impact - This vulnerability can lead to data theft through the attacker’s
ability to manipulate data through their access to the application, and their
ability to interact with other users, including performing other malicious
attacks, which would appear to originate from a legitimate user.
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Method 2 -
Vulnerability - Sensitive token via URL
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Description - Sensitive data can be exposed when it is not behind an
authorization barrier. When this information is exposed it can place the
application at further risk of compromise.
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Steps-
1 - Go to https://www.abc.com/
2 - Login into your Account
3 - Change your password ( from inside the account or using reset link)
4 - Password changed and now see the link (old and new password will be shown
in URL)
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Impact- Even after Logout, if any person has access to your system or if you
are using a public system - that person can have access to your password
through browser history. ( Password will be shown in browser history).
it can easily lead to an account takeover.
-----------------------------------------------------------------------------
-----------------------------------------------------------------
37. Token leakage via referrer - 3rd Party
Vulnerability - Token leakage via referrer - 3rd Party
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Description - The `Referer` HTTP request header is used to show the URL of
the page a user requested the resource from. This application’s `Referer`
headers leak valid user tokens over an untrusted third-party link.
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Steps -
1 - Go to target.com
2 - Visit the forgot password page
3 - Enter the email for which the password has to be reset
4 - Open the Password reset link received from the email
5 - Intercept the request (I have used burp suite)
6 - Click on any link which is 3rd party
7 - You can see the link for reset password in the referrer
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Impact - Token Leakage via `Referer` header can lead to indirect financial
loss through an attacker accessing, deleting, or modifying data from within
the application, providing that they can escalate privileges and execute API
calls.
-----------------------------------------------------------------------------
-----------------------------------------------------------------
38. Clipboard Enabled - The data that contains sensitive information that
can be copied to the clipboard
Clipboard Enabled - The data that contains sensitive information that can be
copied to the clipboard
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Steps:
Install an application
Start the application.
Enter text into input fields that ask for sensitive data.
Try copying this data into a note application.
If strings can be copied and pasted, the clipboard is enabled.
For Android, the Drozer module post.capture.clipboard can be used to extract
data from the clipboard:dz> run post.capture.clipboard
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Impact -
In enabled clipboard increases the risk of the exposure of sensitive
information.
If data such as credit card numbers, social security numbers, or other
sensitive information is cut and paste from or into the application, it may
be saved to the phone and accessed at a later date.
-----------------------------------------------------------------------------
-----------------------------------------------------------------
39. CRLF Injection
Vulnerability - CRLF Injection
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Description - CRLF Injection Vulnerability is a web application vulnerability
happens due to direct passing of user entered data to the response header
fields like (Location, Set-Cookie and etc) without proper sanitsation, which
can result in various forms of security exploits.Security exploits range from
XSS, Cache-Poisoning, Cache-based defacement,page injection and etc.
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Steps -
1-Add a Cookie "%0D%0ASet-Cookie:mycookie=myvalue"
Request:
GET /%0D%0ASet-Cookie:mycookie=myvalue HTTP/1.1
Host: wpengine.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:62.0) Gecko/20100101 Firefox/62.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: __cfduid=d4f0d043f904a5310830e4dcd208900151537471604;
wpe_test_group=a; wpe_is_consent_required=false;
_ga=GA1.2.230473227.1537471607; _gid=GA1.2.312676497.1537471607;
__sreff=1537471607868.1537471834500.5;
__reff=(direct)&1537471607868.1537471607868.1|wpengine.com&1537471607868.1537
471834500.5; __utmzz=utmcsr=(direct)|utmcmd=(none)|utmccn=(not set);
__utmzzses=1; sliguid=1a63e900-5acb-46fb-b4d0-d5d94f4591b5;
slirequested=true; d-a8e6=36f9987d-bd4c-44df-9ad2-54c75dada1b9; s-
9da4=7c769989-a5ca-4659-aede-fb3c1f8f50fb; _gaexp=GAX1.2.ltev4O2QTmC-
g1Nj5DJ1uQ.17872.1!4T_o8nCkT563pqQxJC61sw.17835.1;
gwcc=%7B%22expires%22%3A86400%2C%22backoff_expires%22%3A1537558007%7D;
__ar_v4=O52ALOLRLRBPBEREO22RZS%3A20180920%3A4%7C5CW3DDC2HFD6PG3HGA4GUM%3A2018
0920%3A4%7CTAHWBEST55E5TJYIHVPHVJ%3A20180920%3A4; __qca=P0-1398591029-
1537471616769; _sctr=1|1537468200000; _scid=2966af08-7ab2-4830-8150-
e025fdc1a57a;
__hstc=51647990.6dfd530d6bf21a515353b67d3164bf9a.1537471652302.1537471652302.
1537471652302.1; __hssrc=1; __hssc=51647990.1.1537471652303;
hubspotutk=6dfd530d6bf21a515353b67d3164bf9a; _gat_UA-17364082-1=1; _gat=1
Connection: close
Upgrade-Insecure-Requests: 1
Response:
HTTP/1.1 301 Moved Permanently
Date: Thu, 20 Sep 2018 19:43:05 GMT
Content-Type: text/html
Connection: close
Location: https://wpengine.com/
Set-Cookie: mycookie=myvalue
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-
cgi/beacon/expect-ct"
Server: cloudflare
CF-RAY: 45d6c76ac8e42dbb-B
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Reports
- https://infosecwriteups.com/bugbounty-exploiting-crlf-injection-can-lands-
into-a-nice-bounty-159525a9cb62
- https://medium.com/cyberverse/crlf-injection-playbook-472c67f1cb46
- https://github.com/cujanovic/CRLF-Injection-Payloads/blob/master/CRLF-
payloads.txt
- https://blog.intigriti.com/2021/10/05/hacker-tools-crlfuzz/
- https://www.acunetix.com/websitesecurity/crlf-injection/
40. Lack of email verification and 2FA enable leads to DOS on owner
(Logical Flaw)
Vulnerabiltity - Logical Flaw
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Description: This vulnerability occurs because faulty implementation of some
functions on the application. The entry point for this vulnerability involves
interaction with application and these kind of attacks are often tough to
identify and sometimes even tougher to prevent.
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Steps-
1 - Create an account through victim's email
2 - Account should get logged in directly without email confirmation
3 - The attacker enables the two factor authentication using his number or
google auth.
4 - Victim generates a reset password mail and changes the password
5 - The victim tries to login into the account but is unable to do so as the
attacker has enabled the 2FA
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Impact: The original user will not be able to access the account as the
attacker has enabled the 2FA which will lead to disruption of service.
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Fix - Proper Input validation / Email verification can help to mitigate this
vulnerability.
-----------------------------------------------------------------------------
-----------------------------------------------------------------
41. No Secure Integrity Check
Vulnerabililty Name - No Secure Integrity Check
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Steps:
1 - Go to a website or an application
2 - Upload a PHP or EXE file ( Shells preferably )
3 - Click on the download button
3 - If the file is being downloaded on your system or application and it
executable
4 - It may be a ransomware or a virus and the intigrity check is not in
place.
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Impact - The system can be compromised as the file is not being scanned by
the website itself ( has not integrity check)
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Report - https://muhammad-aamir.medium.com/exploitation-of-files-download-
parameters-to-create-potential-risk-of-malware-delivery-200-bug-e2bcce0e737
-----------------------------------------------------------------------------
-----------------------------------------------------------------
42. User uploaded picture/document accessible by any user even after
deletion / account deletion (privacy concern)
Vunerability Name - User uploaded picture/document accessible by any user
even after deletion / account deletion
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Steps:
1 - Log in as a user
2 - Go to profile
3 - Upload profile picture or any document
4 - Right click on the picture, the link will be
Example LINK - https://infosec-cdn-us-east-1.nextseed.qa/profile-
photo/9ef7c492-4c63-42e1-bfd0-b4dc3b16a627/1625263181_1625263181.jpeg
5 - When the user deletes the account/profile pciture, the link/ picture is
still accessible.
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Impact - The attacker can steal sensitive information such as document ,
picture , etc through the link
-----------------------------------------------------------------------------
-----------------------------------------------------------------
43. Session Fixation / Session Hijacking - Local Attack Vector
Vulnerability - Session Fixation / Session Hijacking - Local Attack Vector
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Description - Session Fixation is an attack that permits an attacker to
hijack a valid user session. The attack explores a limitation in the way the
web application manages the session ID, more specifically the vulnerable web
application.
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Steps:
1. Open browser and download cookie editor
2. Login into account
3. Now goto cookie editor addon and click export all cookies.
4. Log out from your account
5. Now go to the login page and just simply go to cookie editor addon and
click import a cookie and paste the code which we previously exported.
6. After pasting just refresh the page and that's done you are now logged
into your account without login details.
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Impact - A successful session fixation attack gives the attacker access to
the victim's account. This could mean access to higher level privileges or
the ability to look at sensitive data.
-----------------------------------------------------------------------------
-----------------------------------------------------------------
44. WiFi SSID+Password Mobile
Vulenrability - WiFi SSID+Password Mobile
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Steps
1 - Install an application
2 - Connect that application with your local WIFI
3 - Go to file manager -> then visit Android folder in your phone
4 - Go to data/appname/wifi folder
5 - If the wifi details are saved, the filename can be like -
wpa_supplicant.conf
6 - Open the file using any word/notepad
7 - SSID and password will be visible in plaintext
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Impact - App is saving user's private data which is directly related to
privacy concerns and unnecessary data collection
-----------------------------------------------------------------------------
-----------------------------------------------------------------
45. Two factor auth Bypass (2FA bypass)
Vunlerability - Two factor auth Bypass
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Description - When Verifying mobile number for 2FA it is allowing user to
verify any random number for verification just by taking request in burp &
change the response from false to True.
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Steps to Reproduce:
1 - Go to https://abc.com and enter any mobile number.
2 - Now enter any six digit number in OTP box & click enter
3 - Right click on the request & do intercept the response
4 - In response of that request just change the false to true
5 - 2FA will be bypass successfully without verifying the real OTP.
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Impact - The attacker can login into the account or can verify the number
without the consent of the victim and use it as per convenience
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Reports -
- https://www.cobalt.io/blog/bypassing-the-protections-mfa-bypass-techniques-
for-the-win
- https://infosecwriteups.com/methods-to-bypass-two-factor-authentication-
bc2bd35bd44e
- https://twitter.com/harshbothra_/status/1345044218276839424?lang=en
- https://medium.com/@surendirans7777/2fa-bypass-techniques-32ec135fb7fe
- https://book.hacktricks.xyz/pentesting-web/2fa-bypass
- https://hackerone.com/reports/897385
-----------------------------------------------------------------------------
-----------------------------------------------------------------
46. Cross site request forgery (CSRF)
Vulnerability Name - Cross site request forgery (CSRF)
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Description - Cross site request forgery (CSRF), also known as XSRF, is an
attack vector that tricks a web browser into executing an unwanted action in
an application to which a user is logged in.
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Steps To Reproduce:
1 - Open https://abc.com/profile
2 - Update the full profile & take that request ion burp.
3 - Go to engagement tools & click on make CSRF POC.
4 - Click on test in browser and copy the request
5 - Open a new browser or an incognito mode (proxy enabled) with the victim
account logged in and submit the request
6 - The victim profile will get successfully updated.
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Impact - A successful CSRF attack can be devastating for both the business
and user. It can result in damaged client relationships, unauthorized fund
transfers, changed passwords and data theft—including stolen session cookies.
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Reports -
- https://asfiyashaikh.medium.com/cross-site-request-forgery-csrf-
8ce6f9ee0379
- https://medium.com/@chiragrai3666/csrf-today-techniques-mitigations-and-
bypasses-b1cf6a6cd81c
- https://corneacristian.medium.com/top-25-csrf-bug-bounty-reports-
ffb0b61afa55
-----------------------------------------------------------------------------
-----------------------------------------------------------------
47. Iframe injection
Vulnerability Name - Iframe injection
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Description - iFrame injection vulnerability seems like easily exploitable
and similar to the cross site scripting but that have some changes in
payloads.
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Step to Reproduce:
1 - Open the Url https://example.com and login a account
2 - Enter the payload in input field <IFRAME SRC=#
onmouseover="alert(document.cookie)"></IFRAME>
3 - Click on Save
4 - Iframe payload got executed successfully and got injected
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Impact: An attacker might use this vulnerability to redirect users to other
malicious websites that are used for phishing and similar attacks.
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Reports -
- https://secnhack.in/iframe-injection-attacks-and-mitigation/
- https://infosecwriteups.com/when-i-found-iframe-injection-and-illegal-
redirect-dom-based-cfbbcec21a7
48. Server-Side Credentials Storage – Plaintext
Vulnerability Name - Server-Side Credentials Storage -- Plaintext
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Steps -
1 - Go to abc.com and create an account
2 - Go to account settings
3 - Enable 2FA
4 - Logout from the account
5 - Re-login using credentials and it will redirect to 2FA page
6 - Press right click and click on view page source
7 - Search email/password
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Note - The Credentials will be visible in plaintext
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Impact - The credentials of the user is being stored on source code in
plaintext
-----------------------------------------------------------------------------
-----------------------------------------------------------------
49. Blind XSS
Vulnerability Name - Blind XSS
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Description - Blind XSS vulnerabilities are a variant of persistent XSS
vulnerabilities. They occur when the attacker input is saved by the web
server and executed as a malicious script in another part of the application
or in another application.
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Steps:
1 - Go to https://target.com
2 - Go to the desired URL having input field
3 - Fill First & Last Name with this payload provided in
https://xsshunter.com/app
4 - XSS will be fired in your internal web of https://xsshunter.com/app
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Example of web applications and web pages where blind XSS attacks can occur:
- Contact/Feedback pages
- Log viewers
- Exception handlers
- Chat applications / forums
- Customer ticket applications
- Web Application Firewalls
- Any application that requires user moderation
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Reports -
- https://infosecwriteups.com/blind-xss-for-beginners-c88e48083071
- https://infosecwriteups.com/how-i-found-blind-xss-on-flipkart-6b22199f3496
- https://www.geeksforgeeks.org/understanding-blind-xss-for-bug-bounty-
hunting/
- https://shr3e.medium.com/how-i-got-my-first-blind-xss-on-private-program-
b1f9b12188c8
50. Stored XSS (User to Super Admin)
Vulnerability Name - Stored XSS (User to Super Admin)
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Description - Stored cross-site scripting arises when an application receives
data from an untrusted source and includes that data within its later HTTP
responses in an unsafe way.
-----------------------------------------------------------------------------
-----------------------------------------------------------------
1 - Go to https://target.com
2 - Click on add user / group / template option
3 - Put the XSS payload in first name field
Payload: '"<svg/onload=prompt(document.cookie);>
4 - Click on add button
5 - Search the same payload on the search button
6 - The XSS will get popped up
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Impact - If an attacker can control a script that is executed in the victim's
browser, then they can typically fully compromise that user. The attacker can
carry out any of the actions that are applicable to the impact of reflected
XSS vulnerabilities.
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Reports -
- https://hackerone.com/reports/173501
- https://corneacristian.medium.com/top-25-xss-bug-bounty-reports-
b3c90e2288c8
-----------------------------------------------------------------------------
-------------
51. Off Domain XSS
Vulnerability Name - Off Domain XSS
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Description - Stored cross-site scripting arises when an application receives
data from an untrusted source and includes that data within its later HTTP
responses in an unsafe way.
-----------------------------------------------------------------------------
-----------------------------------------------------------------
1 - Go to https://target.com
2 - Click on add user option or upload picture field
3 - Put the XSS payload in first name field or upload the payload
Payload: '"<svg/onload=prompt(document.cookie);>
4 - click on add button or upload the payload
5 - Search the same payload on the search button or right click on the saved
image
6 - The XSS will get popped up with an off domain ( as shown in POC)
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Impact - If an attacker can control a script that is executed in the victim's
browser, then they can typically fully compromise that user. The attacker can
carry out any of the actions that are applicable to the impact of reflected
XSS vulnerabilities.
-----------------------------------------------------------------------------
-----------------------------------------
52. P4 XSS (Referrer XSS, Flash Based XSS, UXSS)
https://hackerone.com/reports/83374 - Referrer XSS
-----------------------------------------------------------------------------
-----------------------------------------------------------------
https://hackerone.com/reports/50134 - Referrer XSS
-----------------------------------------------------------------------------
-----------------------------------------------------------------
https://hackerone.com/reports/335990 - Flash Based XSS
-----------------------------------------------------------------------------
-----------------------------------------------------------------
https://hackerone.com/reports/243058 - UXSS
-----------------------------------------------------------------------------
------------------------------------------------------------
53. Stored XSS using file upload (Privilleged User)
Vulnerability Name - Stored XSS using file upload
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Description - Stored cross-site scripting (also known as second-order or
persistent XSS) arises when an application receives data from an untrusted
source and includes that data within its later HTTP responses in an unsafe
way.
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Steps -
1 - Go to URL - https://target.com
2 - Visit the profile picture option in the settings page
3 - Click on upload and upload the XSS IMAGE PAYLOAD
4 - Save the profile picture
5 - Go to the profile picture and right click -- View Image/Open link in new
tab
6 - The XSS will be popped up
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Impact - The impact of cross-site scripting vulnerabilities can vary from one
web application to another. It ranges from session hijacking to credential
theft and other security vulnerabilities. By exploiting a cross-site
scripting vulnerability, an attacker can impersonate a legitimate user and
take over their account.
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Reports -
- https://medium.com/@lucideus/xss-via-file-upload-lucideus-research-
eee5526ec5e2
- https://medium.com/@sarang6489/file-upload-xss-using-filename-f2f53e10033d
- https://sm4rty.medium.com/hunting-for-bugs-in-file-upload-feature-
c3b364fb01ba
- https://medium.com/@vis_hacker/how-i-got-stored-xss-using-file-upload-
5c33e19df51e
- https://infosecwriteups.com/all-about-file-upload-xss-c72c797aaba3
54. Reflected XSS
Vulnerability - Reflected XSS
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Description -Cross-site scripting (XSS) is a type of computer security
vulnerability typically found in web applications. XSS attacks enable
attackers to inject client-side scripts into web pages viewed by other users.
-----------------------------------------------------------------------------
-----------------------------------------------------------------
URL based - XSS
Link - https://example.com/search
XSS Payload - "><img src=x onerror=prompt(document.cookie);>
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Parameter based - XSS
Link - https://www.abbc.com/view/component/removals/page_partner-
list.seam?a=default&level4=3&lang=de&l=default&level1=%3Cimg%20src=x:alert(al
t)%20onerror=eval(src)%20alt=xss%3E&level3=removal&cid=57514
Payload- <img src=x:alert(alt) onerror=eval(src) alt=xss>
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Forgot password - XSS
Link- https://abc.com/forgot-password
XSS Link- https://abc.com/forgot-password/%22-confirm%60K%60-%22
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Reports -
- https://medium.com/infosec/guidance-to-cross-site-scripting-for-beginners-
i-reflected-xss-591c950b87d7
- https://medium.com/iocscan/reflected-cross-site-scripting-r-xss-
b06c3e8d638a
- https://medium.com/@jonathanbouman/reflected-xss-at-philips-com-
e48bf8f9cd3c
- https://medium.com/@onehackman/learning-xss-part-1-reflected-xss-brief-
concept-techniques-challenge-walkthrough-85f6b165541b
- https://medium.com/codelighthouse/xss-what-it-is-how-it-works-and-how-to-
prevent-it-454629e3a0da
55. Weak Captcha Implementation (method 1)
Vulnerability - Weak Captcha Implementation
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Description - CAPTCHA (“Completely Automated Public Turing test to tell
Computers and Humans Apart”) is a type of challenge-response test used by
many web applications to ensure that the response is not generated by a
computer. CAPTCHA implementations are often vulnerable to various kinds of
attacks even if the generated CAPTCHA is unbreakable. This section will help
you to identify these kinds of attacks.
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Steps -
1 - Go to the target
2 - Fill the form with the captcha
3 - Take the data on burpsuite
4 - Send the data to the intruder
5 - Apply null payloads ( I applied 100 )
6 - Start attack
7 - Requests will be successfully submitted
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Impact - The captcha is being bypassed as the captcha is normally implemented
once/request but I am generating 100 requests on the same captcha.
-----------------------------------------------------------------------------
-----------------------------------------------------------------
56. Weak Captcha Implementation (method 2)
Vulnerability - Weak Captcha Implementation
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Description - CAPTCHA (“Completely Automated Public Turing test to tell
Computers and Humans Apart”) is a type of challenge-response test used by
many web applications to ensure that the response is not generated by a
computer. CAPTCHA implementations are often vulnerable to various kinds of
attacks even if the generated CAPTCHA is unbreakable. This section will help
you to identify these kinds of attacks.
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Steps -
1 - Go to the target
2 - Fill the form with the captcha
3 - Take the data on burpsuite
4 - Remove the captcha token
5 - Forward the request and close the intercept
6 - Request will be successfully submitted
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Impact - Fake accounts can be created. Also username enumeration can be
performed because no application will allow two email to choose same email.
-----------------------------------------------------------------------------
-----------------------------------------------------------------
57. Weak Captcha Implementation (method 3)
Vulnerability - Weak Captcha Implementation
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Description - CAPTCHA (“Completely Automated Public Turing test to tell
Computers and Humans Apart”) is a type of challenge-response test used by
many web applications to ensure that the response is not generated by a
computer. CAPTCHA implementations are often vulnerable to various kinds of
attacks even if the generated CAPTCHA is unbreakable. This section will help
you to identify these kinds of attacks.
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Steps -
1 - Go to the target
2 - Fill the form with the captcha
3 - Take the data on burpsuite
4 - Remove the captcha token and parameter
5 - Forward the request and close the intercept
6 - Request will be successfully submitted
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Impact - Fake accounts can be created. Also username enumeration can be
performed because no application will allow two email to choose same email.
-----------------------------------------------------------------------------
-----------------------------------------------------------------
58. Google MAP API leaked in source code
Vulnerability - Google MAP API leaked in source code
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Steps -
1 - Go to the target which is using Google Map services
2 - Right click and view source code
3 - Find the keyword "maps" and search for API KEY
ApiKey - "AIzaSyAsdbhXIJnBYhjakjqXIfJpYzDr_FfrxXg"
4 - Copy the API key and put in the link provided below
5 - Check that the API is working or not (CHECK IF THE MAP IS OPENING)
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Impact - Consuming the company’s monthly quota or can over-bill with
unauthorized usage of this service and do financial damage to the company, if
the company does not have any limitation settings on API budgets.
-----------------------------------------------------------------------------
-----------------------------------------------------------------
LINK:
https://maps.googleapis.com/maps/api/staticmap?key=pastekeyhere&size=600x400
AUTOMATIC METHOD - https://github.com/ozguralp/gmapsapiscanner
-----------------------------------------------------------------------------
-----------------------------------------------------------------
NOTE - BUGCROWD will not accept this vulnerability
59. Host Header Poisoning/Injection
Vulnerability Name - Host Header Poisoning/Injection
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Description - A Host header attack, also known as Host header injection, is a
web attack where the attacker provides a false Host header to the web
application
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Steps:
1 - Go to the Forgot password
2 - Enter the email
3 - Take the data on burpsuite
4 - Send it to the repeater
5 - Change the host to bing.com (Can also try X-Forwarded-host)
6 - Click go and check the response code
7 - If it comes as 200 OK, check the mail.
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Impact - If the server implicitly trusts the Host header, and fails to
validate or escape it properly, an attacker may be able to use this input to
inject harmful payloads that manipulate server-side behavior.
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Reports -
- https://gupta-bless.medium.com/exploiting-host-header-injection-5554fef7e25
- https://medium.com/@tameemkhalid786/host-header-injection-on-password-
reset-functionality-an-easy-p2-5c6263c2e3d4
- https://medium.com/codex/http-header-injection-4ba857fb9a16
- https://hackerone.com/reports/698416
-----------------------------------------------------------------------------
-----------------------------------------------------------------
60. Missing Secure or HTTP only
Vulnerability - Missing Secure or HTTP only
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Description - This cookie does not have the Secure flag set. When a cookie is
set with the Secure flag, it instructs the browser that the cookie can only
be accessed over secure SSL channels. This is an important security
protection for session cookies.
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Steps-
1 - Go to target.com
2 - Go to cookie editor
3 - Export the cookie
4 - Paste it in notepad
5 - Check for the session keyword
6 - Check if the Secure/HTTP only is missing
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Impact - The secure flag should be set on all cookies that are used for
transmitting sensitive data when accessing content over HTTPS. If cookies are
used to transmit session tokens, then areas of the application that are
accessed over HTTPS should employ their own session handling mechanism, and
the session tokens used should never be transmitted over unencrypted
communications.
-----------------------------------------------------------------------------
-----------------------------------------------------------------
NOTE - Do check which cookie is carrying session then proceed!
----------------------------------------------------------------------------
61. Information exposure through /debug page
Vulnerability - Information exposure through /debug page
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Description - Debug page from ms5.twitter.com exposes internal info, such as
internal IPs and headers.
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Steps To Reproduce:
1 - Visit domain.com/debug
2 - See internal IP and header-names used
3 - To gather more internal IPs, just refresh (or script curl requests) and
you'll get a new internal IP every time.
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Impact - If an attacker gains access to your network, knowledge of internal
IPs could help them know where to target.
Supporting Material/References:
-----------------------------------------------------------------------------
-----------------------------------------------------------------
I made a script to make requests to see if internal IPs changed and every
time I got a new one. Here is the 20 IPs I found using this technique:
10.49.205.118
10.45.237.113
10.81.156.108
10.58.127.114
10.58.103.105
10.58.217.103
10.42.70.113
10.45.222.103
10.58.101.114
10.45.221.103
10.45.109.100
10.42.70.119
10.43.71.127
10.48.219.111
10.44.90.100
10.46.246.111
10.43.73.138
10.46.6.102
10.45.65.104
10.45.64.108
Impact
Debug pages should not be public. Giving away internal IPs means that an
attacker could use this info for their advantage and know which IPs to
target.
https://hackerone.com/reports/503283
62. Application level DOS (long password or string)
Vulnerability - Application level DOS
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Description - It is often confused with network level DoS. This vulnerability
occurs because faulty implementation of some functions on the application.
The entry point for this vulnerability involves interaction with application
and these kind of attacks are often tough to identify and sometimes even
tougher to prevent.
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Steps -
1 - Go to a target.com
2 - Enter a long string of numeric / alphanumeric digits on any input field (
like - fname, lname, pass, etc.)
3 - Click on save and wait for the site to respond
4 - The website starts to load and after a while, it returns a 500 error
5 - Open the site with a different IP and system and check if the site is
responding.
6 - The site won't open as the long digits has lead to app level DOS
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Impact: Application Layer Denial of service will have the same effect as
network level DoS . It can take down the application server or make
application unavailable to use for other users.
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Fix - Proper Input validation can help to mitigate this vulnerability.
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Reports -
- https://hackerone.com/reports/970760
- https://shahjerry33.medium.com/long-string-dos-6ba8ceab3aa0
- https://hackerone.com/reports/390
- https://hackerone.com/reports/223854
- https://medium.com/swlh/top-25-denial-of-service-dos-bug-bounty-reports-
4aaeb4e9a052
63. Application level Denial of service (Lottapixel)
Vulnerabiltity - Application level Denial of service
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Description: Application level Denial of service is often confused with
network level DoS. This vulnerability occurs because faulty implementation of
some functions on the application. The entry point for this vulnerability
involves interaction with application and these kind of attacks are often
tough to identify and sometimes even tougher to prevent.
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Steps-
1 - Login into target.com
2 - Go to the profile / account section of the site
3 - Upload the DOS image / Lottapixel image of the profile picture
4 - Save the profile picture
5 - The website starts to load and after a while, it returns a 500 error
6 - Open the site with a different IP and system and check if the site is
responding.
7 - The site won't open as the pixels has been flooded leading to app level
DOS
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Impact: Application Layer Denial of service will have the same effect as
network level DoS . It can take down the application server or make
application unavailable to use for other users.
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Fix - Proper File upload validation can help to mitigate this vulnerability.
-----------------------------------------------------------------------------
------
64. Application level DOS (Zip Bomb)
Vulnerability - Application level DOS
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Description - It is often confused with network level DoS. This vulnerability
occurs because faulty implementation of some functions on the application.
The entry point for this vulnerability involves interaction with application
and these kind of attacks are often tough to identify and sometimes even
tougher to prevent.
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Steps:
1 - Go to target.com
2 - Go to file upload option ( The target should have a zip file upload
option)
3 - Upload the zip file downloaded from -
https://www.bamsoftware.com/hacks/zipbomb/
4 - Save the file and click on view / extract option
5 - The website starts to load and after a while, it returns a 500 error
6 - Open the site with a different IP and system and check if the site is
responding.
7 - The site won't open as the zip file has been flooded leading to app level
DOS
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Impact: Application Layer Denial of service will have the same effect as
network level DoS . It can take down the application server or make
application unavailable to use for other users.
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Fix - Proper File upload validation can help to mitigate this vulnerability.
-----------------------------------------------------------------------------
-------
65. OAuth Misconfiguration Account Takeover using CSRF
Vulnerability - OAuth Misconfiguration Account Takeover using CSRF
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Description - A Cross Site Request Forgery attack involves a bad guy tricking
a user into clicking on a link that changes some state on the target system.
If the user is already authenticated with the target system he might not even
notice the attack since the browser will send authentication headers or
cookies automatically.
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Steps -
-----------------------------------------------------------------------------
-----------------------------------------------------------------
1 - Go to https://www.abc.com/
2- If the application supports OAuth functionality service providers like
Facebook and Gmail which you can link your social accounts to the application
https://www.abc.com
3 - Intercept the request using Burpsuite and now click on Facebook / Gmail
icon for linking of social account to the account
4 - Observe the request and lookout whether state parameter is implemented or
not
5 - If state parameter is not there which means it can be vulnerable to CSRF
attack
6 - Once you are successfully authenticated then intercept the callback
request from Facebook looks like below
GET
/auth/facebook/callback?code=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXX HTTP/1.1
Host: abc.com
7 - Generate a CSRF poc on this page and save it as poc.html
8 - Now create another account an victim's account on https://www.abc.com/,
then go to the setting page where you can link the social account.
9 - Now open poc.html page in the browser and click on submit button
10 - Facebook account is successfully linked with victim account on
https://www.abc.com
11 - Logout from the application and try to login from your social account
12 - Successfully logged into the victim account of https://www.abc.com/
-----------------------------------------------------------------------------
-----------------------------------------------------------------
66. Oauth Misconfiguration leads to account squatting
Vulnerability Name - Oauth Misconfiguration leads to account squatting
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Description - OAuth 2.0 is an authorization framework for Web Applications.
It validates the identity of a user to the website which requested it without
disclosing passwords to the website. Vulnerability in OAuth flow leads to the
takeover of the victim account.
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Steps-
1 - Create an account at target.com using Google Auth
2 - Change Email address to victim's email address. ( victim has not received
verification email)
3 - Victim tries to create an account on app.rewind.com using an email
address but the email is already used.
4 - The victim resets the password and uses the account.
5 - The attacker can also access the victim's account through Google O-AUTH.
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Impact: An attacker can take over the account of the victim through the Oauth
feature of the site
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Reports -
- https://0xgaurang.medium.com/case-study-oauth-misconfiguration-leads-to-
account-takeover-d3621fe8308b
- https://hackerone.com/reports/1074047
67. Subdomain Takeover
https://github.com/EdOverflow/can-i-take-over-xyz
payapi.oneplus.in
68. Cross site request forgery (CSRF)( pin change)
Vulnerability Name - Cross site request forgery (CSRF)
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Description - Cross site request forgery (CSRF), also known as XSRF, is an
attack vector that tricks a web browser into executing an unwanted action in
an application to which a user is logged in.
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Steps to reproduce:-
1 - Go to https://www.target.com/ and log in account
2 - Go to My profile > Personal Information > PIN
3 - Type the New PIN > Update Details > Intercept the request in Burp Suite
4 - Make CSRF PoC of the request, or Simply save the given below CSRF code to
notepad as anyname.html
5 - Send the file to a victim or open in victim browser > PIN changed and the
user has to login again.
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Impact -An attacker can change the PIN/passwod of any user of the abc.com by
just sending the file to the victim.
-----------------------------------------------------------------------------
-----------------------------------------------------------------
69. Cross site request forgery (CSRF) (Application wide)
Vulnerability Name - Cross site request forgery (CSRF)
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Description - Cross site request forgery (CSRF), also known as XSRF, is an
attack vector that tricks a web browser into executing an unwanted action in
an application to which a user is logged in.
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Steps -
1 - Go to https://www.abc.com
2 - Go to profile of the attacker and click on change email
3 - Update the email and take the data on burpsuite
3 - Now make CSRF POC of that request --> Drop the request & open it in
victim's browser.
4 - The email of the victim will be changed.
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Impact -An attacker can change the email of any user of the abc.com by just
sending the file to the victim.
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Reference - https://www.synopsys.com/glossary/what-is-csrf.html
70. Horizontal Privilege Escalation
Vulnerability - Horizontal Privilege Escalation
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Description - Horizontal privilege escalation can allow an attacker to gain
access to data that may not necessarily belong to him. In poorly designed
applications, an attacker may have the capability of identifying flaws within
a Web application that allows him access to other users' information.
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Steps:
1 - Create two accounts
2 - Open it on two browsers ( Firefox and Incognito Firefox)
3 - Go to account A and go to my account
4 - Click on users
5 - Go to a user and right-click on settings of the user
6 - Copy GUID (USER ID) of the user
7 - Go to account B and go to my account
8 - Click on users
9 - Go to a user and click on settings
10 - Click on reset password and capture the request
11 - Go to burp and replace the copied GUID
12 - Send it to the repeater and click on GO
13 - The password of the user of the account B will be shown in response.
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Impact - An attacker can exploit horizontal escalation vulnerabilities to
gain access to another user’s data, you are betraying your users’ trust,
which can have reputational, legal, and financial implications.
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Reports -
- https://medium.com/dark-roast-security/dark-side-105-intro-to-privilege-
escalation-b192e8ba7161
- https://medium.com/@GaelleTjat/horizontal-privilege-escalation-what-is-it-
and-how-to-find-them-9437d6c076e6
- https://hackerone.com/reports/244567
- https://hackerone.com/reports/246419
----------------------------------------------------
71. Insecure direct object references (IDOR)
Vulnerability - Insecure direct object references (IDOR)
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Description - This can occur when a web application or application
programming interface uses an identifier for direct access to an object in an
internal database but does not check for access control or authentication.
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Steps:
1 - Create two accounts
2 - Open it on two browsers ( Firefox and Incognito Firefox)
3 - Login into attacker@gmail.com and go to my account
4 - Click on phone number
5 - Enter phone number and capture the data on burp
6 - Copy the USER ID from the account of attacker@gmail.com
7 - Login into victim@gmail.com and go to my account
8 - Click on phone number
9 - Enter phone number and capture the data on burp
10 - Replace the copied USER ID and forward the data
11 -The phone number of victim account will be changed.
NOTE - The account is getting logged in using phone number so here number
plays a vital role!
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Impact - The impact of an insecure direct object reference vulnerability
depends very much on the application's functionality. Therefore, a clear list
can not be easily given. Generally speaking, an IDOR vulnerability can
introduce a risk for CIA (confidentiality, integrity, availability) of data.
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Reports -
- https://corneacristian.medium.com/top-25-idor-bug-bounty-reports-
ba8cd59ad331
- https://hackerone.com/reports/751577
- https://www.bugcrowd.com/blog/how-to-find-idor-insecure-direct-object-
reference-vulnerabilities-for-large-bounty-rewards/
- https://infosecwriteups.com/all-about-getting-first-bounty-with-idor-
849db2828c8
- https://hackerone.com/reports/1323406
- https://hackerone.com/reports/498351
72. Vertical Privilege Escalation
Vulnerability - Vertical Privilege Escalation
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Description - Vertical privilege escalation is where the attacker has to
grant the higher privileges to himself/herself. It is a complex procedure
since the user has to perform some high-level operations to elevate their
access rights
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Method usig JWT
Steps -
1 - Go to target.com
2 - Signup using email and password
3 - Logout and re-login
4 - Capture the data on burp --> Do intercept - Response to the request
5 - FIND the JWT and copy it
6 - Open jwt.io and paste the token there
7 - Replace the ROLE_USER BY ROLE_ADMIN
8 - Replace the generated JWT on burpsuite and forward the response
9 - Admin Dashboard will be visible on the account
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Impact - Modify the permissions in order to delete or steal data. Add or
delete users. Gain access to system files and cause disruption in the
operations. Create backdoors for future attacks.
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Reports -
- https://gupta-bless.medium.com/exploiting-privilege-escalation-
vulnerability-
500695550128#:~:text=As%20User%20'A'%20can%20take,take%20privilege%20of%20%E2
%80%9Cadmin%E2%80%9D.
- https://amiyabehera03.medium.com/a-short-story-of-vertical-privilege-
escalation-admin-account-takeover-c943c1711f62
- https://ashketchum.medium.com/privilege-escalation-unauthenticated-access-
to-admin-portal-cve-2020-35745-bb5d5dca97a0
- https://hackerone.com/reports/159387
- https://hackerone.com/reports/605720
- https://hackerone.com/reports/300879
73. Authentication bypass using response manipulation
Vulnerability - Authentication bypass using response manipulation
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Description - This refers to an attacker gaining access equivalent to an
authenticated user without ever going through an authentication procedure.
This is usually the result of the attacker using an unexpected access
procedure that does not go through the proper checkpoints where
authentication should occur.
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Steps -
1 - Visit the login page
2 - Enter the user id on the login page
3 - Go to the forget password page and enter the user's email address
4 - It will redirect you to the OTP page
5 - Enter the wrong OTP and capture the request on burp
6 - Right-click --> Do Intercept - Response to this request
7 - Change the response status from false to true and from error to success
8 - Forward the request and close the intercept.
9 - It will redirect you to the New password page.
10 - The Attacker will be able to change the victim's password now.
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Impact -The attacker is able to change the victim's password just by
manipulating the response which leads to full ATO of the victim.
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Reports -
- https://hackerone.com/reports/1406471
- https://hackerone.com/reports/1040373
- https://medium.com/@MAALP/authentication-bypass-using-response-
manipulation-6c33eb1257ac
- https://bugreader.com/social/write-ups-general-account-takeover-by-otp-
bypass-and-response-manipulation-100962
74. Command Injection/OS Command Injection
Vulnerability - Command Injection/OS Command Injection
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Description - A command injection is a class of vulnerabilities where the
attacker can control one or multiple commands that are being executed on a
system
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Payload List -
https://www.kitploit.com/2019/02/command-injection-payload-list.html
https://github.com/payloadbox/command-injection-payload-list
https://book.hacktricks.xyz/pentesting-web/command-injection
-----------------------------------------------------------------------
75. Cryptographic Flaw
Vulnerability - Cryptographic Flaw
-----------------------------------------------------------------------------
-----------------------------------------------------------------
https://medium.com/bugbountywriteup/weak-cryptography-in-password-reset-to-
full-account-takeover-fc61c75b36b9
-----------------------------------------------------------------------------
---------------------------------------
76. Directory Listing / Hardcoded Password
Vulnerability Name - Directory Listing / Hardcoded Password
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Description - Fuzz testing or fuzzing is an automated software testing method
that injects invalid, malformed, or unexpected inputs into a system to reveal
software defects and vulnerabilities
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Steps:
1 - Choose a domain
2 - Choose a tool as per your convenience (dirb, dirbuster, dirsearch, ffuf,
wfuzz)
3 - Apply the list given
4 - Check for 200 status code
5 - Open that file and see the data
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Impact - The sensitive files of the domain can be accessible by the attacker
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Reports -
- https://hackerone.com/reports/1316412
- https://medium.com/quiknapp/fuzz-faster-with-ffuf-c18c031fc480
- https://infosecwriteups.com/directory-fuzzing-bug-bounty-3deb4dd3c32
- https://thexssrat.medium.com/what-the-fuzz-the-truth-behind-content-
discovery-77cd0c0756e7
- https://mikekitckchan.medium.com/power-of-your-own-wordlist-fuzz-for-log-
file-leads-to-information-leakage-ad46958b4729
- https://scottc130.medium.com/how-to-use-wfuzz-to-fuzz-web-applications-
8594c11d59d1
- https://pentestbook.six2dez.com/enumeration/web/crawl-fuzz
- https://medium.com/bugbountywriteup/p1-vulnerability-in-60-seconds-
85ef93d42b99
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Payloads -
https://raw.githubusercontent.com/Bo0oM/fuzz.txt/master/extensions.txt
https://raw.githubusercontent.com/Bo0oM/fuzz.txt/master/fuzz.txt
https://gist.github.com/nullenc0de/9cb36260207924f8e1787279a05eb773
https://gist.github.com/nullenc0de/96fb9e934fc16415fbda2f83f08b28e7#file-
content_discovery_nullenc0de-txt
https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-
Content/Apache.fuzz.txt
https://github.com/kaimi-io/web-fuzz-wordlists
77. SSTI (Server-side template injection)
Vulnerability - SSTI (Server-side template injection)
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Description - Server-side template injection occurs when user-controlled
input is embedded into a server-side template, allowing users to inject
template directives.
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Steps:
1 - Go to https://target.com
2 - Login using the credentials
3 - Go to an input field like first name, last name, invite user, etc
4 - Enter the basic arthimetic operation like - {{7*7}} in the input field
5 - If the code gets executed and the result is 49, it will be a
vulnerability.
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Impact - Since the {php} tags are being parsed and executed, we can execute
php functions. In this case, I'll be able to extract the etc/passwd file.
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Reports -
- https://hackerone.com/reports/164224
- https://hackerone.com/reports/125980
- https://gauravnarwani.com/injecting-6200-to-1200/
- https://medium.com/server-side-template-injection/server-side-template-
injection-faf88d0c7f34
- https://jaypomal.medium.com/server-side-template-injection-lab-1-basic-
ssti-ff2acf1d2d84
78. LOG4J
Vulnerability - LOG4J
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Description-Log4j is used worldwide across software applications and online
services, and the vulnerability requires very little expertise to exploit.
CVE-2021-44228, also named Log4Shell, is a Remote Code Execution (RCE) class
vulnerability. If attackers manage to exploit it on one of the servers, they
gain the ability to execute arbitrary code and potentially take full control
of the system.
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Steps to Reproduce:-
1 - Go to https://canarytokens.org/generate# to load the payload for the
execution.
2 - Now visit the URL: https://target.com
3 - Fill up the form with the payload in the input field where applicable.
4 - Submit the form and wait for 10 to 20 minutes to get the trigger token in
your mailbox.
5 - Open up the Token and you will see the DNS with Hostname.
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Impact - Logging untrusted or user-controlled data with a vulnerable version
of Log4J may result in Remote Code Execution (RCE) against your application.
This includes untrusted data provided in logged errors such as exception
traces, authentication failures, and other unexpected vectors of user-
controlled input.
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Reports-
- https://hackerone.com/reports/1442644
- https://hackerone.com/reports/1423496
- https://infosecwriteups.com/facts-to-clear-about-log4j-for-bug-bounty-
hunters-f58e04eb025
- https://infosecwriteups.com/log4j-vulnerability-explanation-in-details-
73f7556c5ff1
-----------------------------------------------------------------------------
-----------------------
79. SSRF (Server Side Request Forgery)
Vulnerability - SSRF (Server Side Request Forgery)
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Description - Server-side request forgery (also known as SSRF) is a web
security vulnerability that allows an attacker to induce the server-side
application to make requests to an unintended location.
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Steps -
1) Go to https://testing.com
2) You will see a form here with an URL
3) Now enter link generated in ngrok for SSRF testing in all field, now Click
on submit
4) Check your ngrok listening port for results
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Impact - The vulnerability allows an attacker to make arbitrary HTTP/HTTPS
requests inside a Ringcentral instance's network.
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Reference -
- https://github.com/lutfumertceylan/top25-parameter/blob/master/ssrf-
parameters.txt
- https://krevetk0.medium.com/ssrf-vulnerability-due-to-sentry-
misconfiguration-5e758bdb4e44
- https://medium.com/@madrobot/ssrf-server-side-request-forgery-types-and-
ways-to-exploit-it-part-2-a085ec4332c0
- https://infosecwriteups.com/external-ssrf-detected-%EF%B8%8F-a36ade59f7fd
- https://lab.wallarm.com/blind-ssrf-exploitation/
- https://ninetyn1ne.github.io/2020-10-05-open-redir-to-ato/
-----------------------------------------------------------------------------
-----------------------------------------------------------------
NOTE - This vulnerability can be performed on any input field which contains
a link, URL, Website address field, etc.
-----------------------------------------------------------------------------
--------------------------------------------
80. Using Default Credentials
Vulnerability - Using Default Credentials
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Description - A Default Credential vulnerability is a type of vulnerability
in a computing device that most commonly affects devices having some pre-set
(default) administrative credentials to access all configuration settings.
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Steps:
1 - Download and open Filezilla client
2 - Copy the URL: updates1.netgear.com and enter it in the host
3 - Write anonymous in place of username and anonymous in place of the
password
4 - Login will be successful
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Impact- I was able to use default credentials and was able to login and its
an FTP client. I could have uploaded any malicious file but I didn't try
anything malicious.
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Reports -
- https://medium.com/@ashishrohra/how-default-credentials-helped-this-hacker-
to-get-13337-s-d1504ebf95e4
- https://infosecwriteups.com/how-i-was-able-to-bypass-the-admin-portal-by-
using-the-default-credentials-52bfb13e6f3
- https://hackerone.com/reports/398797
-----------------------------------------------------------------------------
---------------------------
81. Information Disclosure
I have found this link on github.
link- https://github.com/shivamswarnim96/FAHM-
BDD/blob/cf913b54d2f78988618f38f3bffcc4846e041fc0/esb.properties
Mule Application URI
applicationUrl = http://abc.com/
basic Authentication
username = bamrest_tpservice
password = WpMKgKzDNu1dRbQ
Customer login
cust_username = T5AGTBOBCLNT0121
cust_password = testers5
ApiKey and Value
SR_API_KEY = 9047fe05-75d3-4ae3-a736-02cd816548cb
FARM_API_KEY = 19e1a952-fb3e-442c-83cd-f60777bb3121
BAM_API_KEY = 85e6d5f2-ba3a-41f0-8661-294b75f0851c
FII_API_KEY = 630b4f59-19b8-4c0b-86a8-c40961d6eb16
FCM_API_KEY = 630b4f59-19b8-4c0b-86a8-c40961d6eb16
BNK_ADMIN = http://financialssvc-svc-
test5.test.statefarm.com/BankAccountManagement-web-
2.0.2/services/bankaccountmanagementws?wsdl
CRD_ADMIN = http://financialssvc-svc-
test5.test.statefarm.com/FinancialCardManagement-web-
1.1.2/services/financialcardmanagementws?wsdl
82. Local File Inclusion
Vulnerability - Local File Inclusion
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Description - LFI stands for Local File Includes - it’s a file local
inclusion vulnerability that allows an attacker to include files that exist
on the target web server. Typically this is exploited by abusing dynamic file
inclusion mechanisms that don’t sanitize user input.
Scripts that take filenames as parameters without sanitizing the user input
are good candidates for LFI vulnerabilities, a good example would be the
following PHP script foo.php?file=image.jpg which takes image.jpg as a
parameter. An attacker would simply replace image.jpg and insert a payload.
Normally a directory traversal payload is used that escapes the script
directory and traverses the filesystem directory structure, exposing
sensitive files such as foo.php?file=../../../../../../../etc/passwd or
sensitive files within the web application itself. Exposing sensitive
information or configuration files containing SQL usernames and passwords.
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Reports -
- https://hackerone.com/reports/497771
- https://hackerone.com/reports/1542734
- https://medium.com/@Aptive/local-file-inclusion-lfi-web-application-
penetration-testing-cc9dc8dd3601
- https://medium.com/@tanmay_deshpande/local-file-inclusion-lfi-attack-
46485f294aef
- https://joshuanatan.medium.com/remote-file-inclusion-local-file-inclusion-
rfi-lfi-c5911c0a1a5a
- https://medium.com/@abhishake21/bypassing-lfi-local-file-inclusion-
ebf4274e7027
- https://gupta-bless.medium.com/exploiting-local-file-inclusion-lfi-using-
php-wrapper-89904478b225
- https://medium.com/@sohamlohar0503/local-file-inclusion-lfi-vulnerability-
f0d20275775b
-----------------------------------------------------------------------------
-----------------------------------------------------------------
83. CVE 2020-3452 Cisco Adaptive Security Appliance (ASA) Software and
Cisco Firepower Threat Defense (FTD) - Path Traversal
Vulnerability - CVE 2020-3452 Cisco Adaptive Security Appliance (ASA)
Software and Cisco Firepower Threat Defense (FTD) - Path Traversal
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Description - A vulnerability in the web services interface of Cisco Adaptive
Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD)
Software could allow an unauthenticated, remote attacker to conduct directory
traversal attacks and read sensitive files on a targeted system. The
vulnerability is due to a lack of proper input validation of URLs in HTTP
requests processed by an affected device.
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Steps -
1 - https://iespcc.sras.ibm.com/+CSCOE+/logon.html
2 - Enter payload in url or
3 - Capture the GET request on burp and send it to the repeater
4 - Remove the endpoints and add the payload
Payload = /+CSCOT+/translation-
table?type=mst&textdomain=/%2bCSCOE%2b/portal_inc.lua&default-
language&lang=../
Payload = /+CSCOT+/oem-
customization?app=AnyConnect&type=oem&platform=..&resource-
type=..&name=%2bCSCOE%2b/portal_inc.lua
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Report -
- https://hackerone.com/reports/951508
-----------------------------------------------------------
84. SQL Injection
Vulnerability - SQL Injection
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Description - SQL injection is a web security vulnerability that allows an
attacker to interfere with the queries that an application makes to its
database.
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Steps-
1 - http://www.abc.com/gallery.php?id=1 (insert ' or " after number check
website data is hiding or generate sql error)
2 - After this, use -- or --+ for balancing the query (
http://www.abc.com/gallery.php?id='--+)
3 - Find the column number by entering order by and the number (
http://www.abc.com/gallery.php?id=' order by 1--+)
If the data vanishes - Decrease the number
If the data stays - Increase the number
4 - Check vulnerable column and use union all select command (
http://www.abc.com/gallery.php?id=' union all select 1,2,3--+) put number of
column value
5 - Find the vulnerable column number then use version command @@version
6 - Put @@version or verison() command in vulnerable column number to check
the SQL version
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Reports -
- https://brightsec.com/blog/error-based-sql-
injection/#:~:text=What%20Is%20Error%2DBased%20SQL,actor%20of%20the%20databas
e%27s%20structure.
- https://medium.com/@hninja049/example-of-a-error-based-sql-injection-
dce72530271c
- https://ozguralp.medium.com/turning-blind-error-based-sql-injection-into-
an-exploitable-boolean-one-85d6be3ca23b
- https://infosecwriteups.com/exploiting-error-based-sql-injections-
bypassing-restrictions-ed099623cd94
- https://www.indusface.com/blog/types-of-sql-injection/
- https://github.com/payloadbox/sql-injection-payload-list
- https://betterprogramming.pub/a-beginners-guide-to-sql-injection-
163c1ad2257f
-----------------------------------------------------------------------------
-----------------
85. XXE (XML external entity (XXE) injection)
Vulnerability - XXE (XML external entity (XXE) injection)
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Description - XML external entity injection (also known as XXE) is a web
security vulnerability that allows an attacker to interfere with an
application's processing of XML data. It often allows an attacker to view
files on the application server filesystem, and to interact with any back-end
or external systems that the application itself can access.
-----------------------------------------------------------------------------
-----------------------------------------------------------------
Report -
- https://medium.com/@jonathanbouman/xxe-at-bol-com-7d331186de54
- https://ismailtasdelen.medium.com/xml-external-entity-xxe-injection-
payload-list-937d33e5e116
- https://medium.com/@onehackman/exploiting-xml-external-entity-xxe-
injections-b0e3eac388f9
- https://medium.com/@onehackman/exploiting-xml-external-entity-xxe-
injections-b0e3eac388f9
- https://gupta-bless.medium.com/exploitation-xml-external-entity-xxe-
1f5f3e7bc5c4
- https://rajanagori.medium.com/a-long-story-of-xxe-vulnerability-
6a9a33276602
- https://medium.com/secure-you/xxe-6dcc66e31312
-----------------------------------------------------------------------------
---
Dorks
https://github.com/sushiwushi/bug-bounty-dorks/blob/master/dorks.txt
https://www.exploit-db.com/google-hacking-database
https://www.cyberick.com/post/google-dorks-for-bug-bounty
https://twitter.com/kunalp94/status/1180193592846868480
https://www.google.com/search?q=%22van+de+melding+met+een+minimum+van+een%22+
-site:responsibledisclosure.nl&filter=0&biw=1836&bih=1039
https://twitter.com/nil0x42/status/1394220395255922689/photo/1
https://gist.github.com/prinsharma1999/c24e26389cb4d113205fbf89cc7ec1e6
Platforms
Name Location Active Bounties Program List
Antihack.me Singapore ✅ ✅ ✅
Bug Bounty
Switzerland Switzerland ✅ ✅ ✅
Bug Hunt Brazil ✅ ✅ ✅
bugbounty.jp Japan ✅ ✅ https://bugbounty.jp/program/list
bugbounty.sa Saudi Arabia ✅ ✅ ✅
Bugcrowd USA ✅ ✅ https://bugcrowd.com/programs
Bugv Nepal ✅ ✅ ✅
Bugbase India ✅ ✅ https://bugbase.in/h
Inspectiv USA ✅ ✅ ✅
Cobalt USA ✅ ✅ ✅
United Arab
Crowdswarm Emirates ✅ ✅ https://app.crowdswarm.io/p.html
Cyber Army
Indonesia Indonesia ✅ ✅ https://www.cyberarmy.id/programs
Detectify Sweden ✅ ✅ ✅
Dvuln Australia ✅ ✅ https://securityat.me/vdp_directory
Spain and
EpicBounties LATAM ✅ ✅ https://app.epicbounties.com/programs
Federacy USA ✅ ✅ ✅
Findbug Kosovo ✅ ✅ ✅
HackenProof Estonia ✅ ✅ https://hackenproof.com/programs
HackerOne USA ✅ ✅
Hungary,
Hackrate Europe ✅ ✅ https://hckrt.com/Programs
Central and
HACKTIFY Eastern Europe ✅ ✅ https://www.hacktify.eu/en/public-programs/
Hats ✅ ✅ ✅ https://app.hats.finance/vaults
Huntr UK ✅ ✅ https://huntr.dev/bounties/hacktivity
Immunefi ✅ ✅ ✅ https://immunefi.com/explore/
Intigriti Belgium ✅ ✅ https://www.intigriti.com/programs
Open Bug https://www.openbugbounty.org/bugbounty-
Bounty Bangladesh ✅ ✅ list/
RedStorm Indonesia ✅ ✅ https://www.redstorm.io/program
Safevuln Vietnam ✅ ✅ https://safevuln.com/programs
ScanTitan Netherlands ✅ ✅ ✅
Secuna Phillipines ✅ ✅ ✅
SlowMist China ✅ ✅ ✅
Swarmnetics Singapore ✅ ✅ ✅
Synack USA ✅ ✅ ✅
thebugbounty Malaysia ✅ ✅ ✅
v1bounty Germany ✅ ✅ ✅
Vulnerability
Lab Germany ✅ ✅ ✅
Vulnscope Chile ✅ ✅ https://www.vulnscope.com/programas
WhiteHub Vietnam ✅ ✅ https://whitehub.net/programs
YesWeHack France ✅ ✅ https://yeswehack.com/programs
Yogosha France ✅ ✅ ✅
Zero Day
Initiative USA ✅ ✅ ✅
Zerocopter Netherlands ✅ ✅ ✅
Ravro Iran ✅ ✅ https://www.ravro.ir/companies