
## BAC:

1) REAL LIFE VIDEO GAME

2) TEST MANUALLY + DEEP DIVE OVER VOLUME

3) USE EVERY EXPOSED GUI FUNCTIONS AVAILABLE

4) CLICK EVERYTHING

5) LOOK FOR URLS IN JS CODE, SEARCH ENGINES, GITHUB, WAYBACK MACHINE

6) FUZZ WITH THE COMPANY WORDLISTS

7) CREATE TWO LISTS OF ALL KNOWN OBJECT IDS FOR 2 DIFF. ACCOUNTS

8) REPLAY ALL THE AUTHENTICATED REQUESTS WITHOUT COOKIES

9) FOR REQUESTS WHICH RETURN SENSITIVE PII, DO PARAMETER FUZZING TO SEE IF IDS ARE ACCEPTED

10) IF THE USERS HAVE ROLE= THEN TRY TO PUT ROLE=* OR ROLE= !0

11) MASS ASSIGNMENT ,RESPONSE TO REQUEST INJECTION

12) ENTER [] AFTER THE PARAMETER NAME, LIKE ?ID[]=1

13) HIDDEN PARAMETER FUZZING

14) SUPPLY NESTED ARRAY

15) TRY PATH TRAVERSAL IN THE API ENDPOINT TO BYPASS 403/401

16) ADDING AN EXTENSION eg.`api/v2/user/1.json`

17) CHANGE ID WITH * LIKE `api/v2/user/*`

18) ADDING PARAMETERS LIKE `api/v2/user/1/?PAGE=1` ,`api/v2/user/?PAGE=1`

19) NULL VALUES AND EMPTY STRINGS

20) NEGATIVE AND POSITIVE VALUES + MATHEMATICAL OPERATION ON IDS

21) OVERLAPPING RANGES, E.G. PUT VERY LONG VALUES

22) UNICODE, URL, BASE64, HTML ENTITY, HEXADECIMAL ENCODING IN IDS

23) TRY CREATE/UPDATE/DELETE

24) FIND PATTERNS IN API ROUTES, EG: `/API/POSTS/POST_ID/COMMENT`, `/API/POSTS/POST_ID/DETAILS`

25) REMOVE THE ACTUAL USER ID FROM THE PATH AND PUT IT AS A PARAMETER: `/API/USERS/123` TO `/API/USERS/?USER_ID=123`

26) TRY REPLACING PARAMETER NAMES LIKE: `/API/USERS/?ID=123` TO `/API/USERS/?ACCOUNT_ID=1234`

27) TRY CHANGING HTTP REQUEST METHOD

28) TRY CHANGING CONTENT-TYPE TO TOTALLY DIFFERENT

29) TRY NUMERIC ID ANYWHERE NON-NUMERIC IDS ARE ACCEPTED

30) CUSTOM HEADERS

31) TEST PAGINATION AND SORTING FEATURES, LIKE: ?page= ?size=

32) TRY HPP LIKE: {"ID":"1","ID":"2"}

33) WRAP THE ID IN AN ARRAY, I.E. {"ID":[1]}

34) WRAP THE ID IN A JSON OBJECT, I.E. {"ID":{"ID":1}}

35)
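
The defender's side of items 12, 19, 20, 22, 29 and 32-34 above, as an added example that is not part of the original notes: an object-level authorization check that only accepts a canonical scalar id and refuses the wrapped, duplicated, wildcard, negative and encoded forms the checklist probes. The record table and user names are constructed for the example.

```python
import json
import re
from typing import Any, Optional

# Constructed sample data: object id -> owning user. All names are assumed.
RECORDS = {1: "alice", 2: "bob", 3: "alice"}
# Canonical id form only: positive decimal, no sign, no encoding, no wildcard.
_ID_RE = re.compile(r"^[1-9][0-9]{0,9}$")


def parse_object_id(raw: Any) -> Optional[int]:
    """Return the id if it is a scalar in canonical form; None for arrays
    ({"id":[1]}, id[]=1), objects ({"id":{"id":1}}), null/empty, booleans,
    '*', negatives, floats and encoded variants, so none of them reach the
    authorization check."""
    if isinstance(raw, bool) or not isinstance(raw, (int, str)):
        return None
    text = str(raw)
    return int(text) if _ID_RE.match(text) else None


def parse_body(body: str) -> Optional[dict]:
    """Parse JSON, refusing duplicate keys ({"id":"1","id":"2"}) instead of
    letting the first or last value silently win."""
    def no_dupes(pairs):
        keys = [k for k, _ in pairs]
        if len(keys) != len(set(keys)):
            raise ValueError("duplicate key in JSON object")
        return dict(pairs)
    try:
        data = json.loads(body, object_pairs_hook=no_dupes)
    except ValueError:
        return None
    return data if isinstance(data, dict) else None


def get_record(current_user: str, body: str) -> Optional[dict]:
    """Object-level authorization: validate the id, then enforce ownership.
    Invalid input, unknown ids and other users' objects all return None, so
    the caller answers 403 uniformly and leaks nothing about what exists."""
    data = parse_body(body)
    if data is None:
        return None
    oid = parse_object_id(data.get("id"))
    if oid is None or RECORDS.get(oid) != current_user:
        return None
    return {"id": oid, "owner": current_user}
```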

## SSRF

1) LOOK FOR ANY FUNCTIONALITY THAT TAKES A `url` AS INPUT

2) URL FETCHERS, WEBHOOKS, IMAGE PROCESSING, URL PREVIEW, FILE UPLOAD/DOWNLOAD, API INTEGRATIONS

3)

## XXE

1) IDENTIFY XML INPUTS: LOOK FOR ANY FUNCTIONALITY THAT ACCEPTS XML INPUT, SUCH AS FILE UPLOAD, SOAP REQUESTS, REST APIS

2) IF XML DATA IS REFLECTED IN THE HTTP RESPONSE, TEST WITH A BASIC XML ENTITY

3) IF XML DATA IS NOT REFLECTED IN THE RESPONSE, TRY OUT-OF-BAND

4) TEST SAML-BASED AUTHENTICATION, AS IT OFTEN PROCESSES XML

5) FILE PARSING FUNCTIONS: EXAMINE FUNCTIONS THAT PARSE FILES LIKE SVGS, SITEMAPS AND HTML-TO-PDF

6) FOCUS ON COMMON XML ENDPOINTS

7) TEST FILE UPLOAD WITH XML DATA

8) CHECK RESPONSE HEADERS FOR SIGNS OF XXE, LIKE CONTENT-TYPE OR BANNER

9) ANYWHERE THAT A MICROSOFT OFFICE (DOCX/XLSX/PPTX/ETC.) FILE IS PARSED

10) RSS feed parsers (RSS feeds are just XML)

11)

## OAUTH ACCOUNT TAKEOVER:

1) USE AN OPEN REDIRECT FOR OAUTH ACCOUNT TAKEOVER


2) IF THE OAUTH FLOW HAS SOCIAL LINKING, TRY TO GET YOUR STATE CODE, DROP THE OTHER REQUEST, THEN SEND IT TO THE VICTIM

3) TRY ADDING/REMOVING ARBITRARY PATHS, QUERY PARAMETERS AND FRAGMENTS

4) IF YOU CAN APPEND AN EXTRA VALUE TO `redirect_url=`, YOU CAN TRY THIS TECHNIQUE:
`https://www.example.com &@foo.evil-user.com#@evil.com/`

5) PARAMETER POLLUTION: SUBMIT A DOUBLE `redirect_url=`

6) USE LOCALHOST IN THE REDIRECT URL i.e. `redirect_url=localhost.ex.com`

7) HIT THE PATHS `/.well-known/oauth-authorization-server`, `/.well-known/openid-configuration`

8) ALSO TRY TO INJECT REDIRECTION IN `Referer: ` HEADER

9) IF THERE ARE JWTS, TRY CHANGING TO `ALG: NONE`

10) BRUTE-FORCE JWT SECRET USING HASHCAT

## ACCOUNT-TAKEOVER BY HOST-HEADER + PASSWORD-RESET

1) IF PASSWORD-RESET HAS OPTIONS FOR A RAW EMAIL VIEW, TRY DANGLING AT THE HOST HEADER

2) IN PASSWORD-RESET, INJECT DIFFERENT HOST OVERRIDE HEADERS LIKE:
`X-FORWARDED-HOST: `
`X-HOST: `
`X-FORWARDED-SERVER: `
`X-HTTP-HOST-OVERRIDE: `
`FORWARDED: `
`X-FORWARDED: `

3) BEFORE PASSWORD-RESET, ENTER AN ABSOLUTE URL LIKE:
`GET https://bugbounty.com/ HTTP/1.1`
`HOST: badevil.com`

4) SUBMIT A DOUBLE HOST: HEADER WITH A SPACE, LIKE:
`GET / HTTP/1.1`
`HOST: badevil.com`
`HOST: bugbounty.com`

5) INJECT DUPLICATE HOST HEADER

6) APPLY A NON-NUMERIC PORT LIKE `HOST: bugbounty.com:badpayload`

7) TRY `[email protected]&[email protected]`; USE %20 OR | AS SEPARATORS.

8) TRY TO REGISTER THE SAME MAIL WITH A DIFFERENT TLD (.NET, .CO)

9) REMOVE PASSWORD-RESET TOKEN

10) CHANGE IT TO 000000000

11) USE NULL/NIL VALUE

12) TRY EXPIRED TOKEN

13) TRY AN ARRAY OF OLD TOKENS

14) CHANGE 1 CHAR OF TOKEN THEN SEE WHAT HAPPENS

15) USE A UNICODE EMAIL IN REGISTER, CHANGE OR RESET FUNCTIONS

16) TRY [email protected]%0a%0dcc:[email protected]

17) VIA CRLF: /RESETPASSWORD?%0a%0dHOST: attacker.com (ALSO x-host, x-forwarded-for:)

18) TRY PARAMETER POLLUTION

19)
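
The mitigation for items 2 through 14 above, as an added example that is not part of the original notes: the reset link is built from a configured canonical origin rather than any request header, the Host header is validated (exactly one, allowlisted, numeric port only) and never overridden by X-Forwarded-Host and friends, and the submitted token fails closed on arrays, null, empty and all-zero guesses. The host names and token values are constructed for the example.

```python
import hmac
import re
import secrets
from typing import Any, List, Tuple

# Assumed deployment configuration: the reset link is built from this origin,
# never from Host, X-Forwarded-Host, X-Host, Forwarded or similar headers.
CANONICAL_ORIGIN = "https://bugbounty.com"
ALLOWED_HOSTS = {"bugbounty.com", "www.bugbounty.com"}
# hostname, optionally followed by a purely numeric port
_HOST_RE = re.compile(r"^([a-z0-9.-]+)(?::(\d{1,5}))?$")


def host_header_ok(headers: List[Tuple[str, str]]) -> bool:
    """Exactly one Host header, hostname on the allowlist, numeric port only.
    Duplicate Host headers, 'bugbounty.com:badpayload' and unknown hosts fail;
    override headers such as X-Forwarded-Host are simply never consulted."""
    hosts = [v.strip().lower() for k, v in headers if k.lower() == "host"]
    if len(hosts) != 1:
        return False
    match = _HOST_RE.match(hosts[0])
    return bool(match) and match.group(1) in ALLOWED_HOSTS


def issue_reset_token() -> str:
    """Unguessable single-use token; storage and expiry are left to the caller."""
    return secrets.token_urlsafe(32)


def build_reset_link(headers: List[Tuple[str, str]], token: str) -> str:
    """The link's host comes from configuration, so a poisoned Host header
    cannot point the emailed link at an attacker-controlled domain."""
    if not host_header_ok(headers):
        raise ValueError("unexpected Host header")
    return f"{CANONICAL_ORIGIN}/reset-password?token={token}"


def token_valid(submitted: Any, stored: str) -> bool:
    """Fail closed on arrays, null, empty or all-zero submissions: only a
    non-empty string that matches byte-for-byte (constant time) passes."""
    if not isinstance(submitted, str) or not submitted:
        return False
    return hmac.compare_digest(submitted.encode(), stored.encode())
```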

## AUTHENTICATION BYPASS:

1) BUILD YOUR OWN WORDLISTS OVER TIME PER COMPANY

2) LOOK FOR WEIRD APPLICATION BEHAVIOURS (i.e. REDIRECT TO AN INTERNAL OR NONEXISTENT HOST)

3) BRUTEFORCE EVERY SUBDIRECTORY UNTIL THERE'S NOTHING LEFT

4) CONTENT DISCOVERY , CONTENT DISCOVERY

5) FUZZ WITH THE DOMAIN NAME

6) DROP SOME REQUESTS

## 2FA BYPASS

1) LOGIN WITH USERNAME AND PASSWORD THEN GO TO DIRECT ACCESS LINK

2)

## XXE INJECTION

1) IF THERE IS A FILE UPLOAD, TRY UPLOADING XXE PAYLOADS AS .svg

2) CHANGE THE CONTENT-TYPE TO XML AND SEND THE REQUEST

3)
