BUG BOUNTY CHECK LIST BY C1

C1h2e1
C1h2e1
Dec 21, 2019 · 11 min read

I just want to write a check list for myself. This article includes various vulnerability discovery method bypass methods. I hope you can read it carefully .

Twitter @C1h2e11

Wechat : baiheming123456

RECON

Most of my recon ideas come from nahamsec, he is really good

When I get a target, I first do a lot of information collection, such as Subdomain, IP, Port, File I get a target, I first do a lot of information collection, such as Subdomain, IP, Port, Endpoint

For subdomains, I will use crt.sh to find them. In the face of big goals, I will choose some interesting words, such as api, prod, dev, stage,backend, admin. Etc.

Subdomian

Let’s take yahoo as an example

Use % to find the domain name you want . Here is a shell script to quickly collect some subdomains

curl https://www.threatcrowd.org/searchApi/v2/domain/report/\?domain=$1 |jq .subdomains |grep -o ‘\w.*$1’curl https://api.hackertarget.com/hostsearch/\?q\=$1 | grep -o '\w.*$1'
curl https://crt.sh/?q=%.$1 | grep "$1" | cut -d '>' -f2 | cut -d '<' -f1 | grep -v " " | sort -u
curl https://certspotter.com/api/v0/certs?domain=$1 | grep -o '\[\".*\"\]'

Many times we will encounter domain can not be accessed at this time we can use httprobe to detect

But certificate-based subdomains are incomplete and require some bruteforce I recommend using Sublist3r

We can also use Google Dork and Github I recommend the following script to search subdomains on github

Documents here

Here is the subdomain collection method I often use You can use platforms like shodan and zoomeye. I won’t go into details here.

IP

Censys.io ipinfo.io shodan.io

censys is a certificate-based query that can find many IP addresses I have found many bugs with it .We just need to query your target domain .You can click on the certificate on the right

Here you can see the subdomain name and we can use IPV4 to query. There will be an IPV4 address. If it is in Scope, we can test it. Note the get body of this mark. He takes the content in the response, so most of it is not yours Target asset

ipinfo and hostinfo.io can be used to query ASN codes and network segments .We can use shodan to combine with him

shodan also has many good features such as ssl-based search and favicon search can find a lot of target information . I won’t write much here

Dnsdumper Virustotal Can also find a lot of information

Port

Port scanning can use nmap and massscan

nmap -sV -T3 -Pn -p2075,2076,6443,3868,3366,8443,8080,9443,9091,3000,8000,5900,8081,6000,10000,8181,3306,5000,4000,8888,5432,15672,9999,161,4044,7077,4040,9000,8089,443,7447,7080,8880,8983,5673,7443,19000,19080 ${target}

Endpoint

There are many ways about Endpoint

curl http://web.archive.org/cdx/search/cdx/search/cds?url=*.$1/*&output=text&fl=original&collapse=urlkey
curl http://index.commoncrawl.org/CC-MAIN-2018-22-index\?url\=\*.$1\&output\=json |jq .url

Commoncrawl and web archive can find many endpoints for us to test. At the same time, we can also use crawlers to get what we want. The main focus should be on JS files and API endpoints.

I recommend a tool here.You can crawl useful Endpoints and we can also do BLH discovery. We will write related search methods later.

At the same time I will use dirsearch to brute force

My dictionary is here

HUNTING

I mainly hunt some BUG below

  • SSRF
  • CSRF(CORS,JSONP hijacking)
  • SQLi
  • XSS(DOM,Stored,Reflectd)
  • Weak Password
  • Unauthorized access
  • IDOR
  • Open redirect
  • Information Disclosure
  • XXE
  • File Upload
  • Subdomain Takeover
  • BLH
  • HTTP Requests Smuggling
  • CRLF
  • Auth Bypass
  • DOS
  • LFI
  • Command injection
  • Race Condition
  • S3 Bucket
  • Logic Flaw
  • SSTI

Let me introduce one by one and share Bypass tips

SSRF

https://medium.com/swlh/ssrf-in-the-wild-e2c598900434

This picture is a good summary of the common locations of SSRF .We can find related functions based on business.When you receive a request from the server.Try to access the intranet.If no response can be determined by time, same as Time-Based SQLi

BYPASS

tools

white@black.com ==> black[.]com 
black[.]com?white[.]com ==> black[.]com
black[.]com#white.com ==> black[.]com Tips By @____cypher____
http://127.0.0.1
http://localhost
https://127.0.0.1/
http://127.127.127.127
http://127.0.1.3
http://127.0.0.0https://localhost/
http://[::]:80/
http://127.0.0.1.nip.io
http://[0:0:0:0:0:ffff:127.0.0.1]
http://spoofed.burpcollaborator.net
http://0177.0.0.1/
http://2130706433/
http://0/
https://10.0.0.1.xip.io
http://1.1.1.1 &@2.2.2.2# @3.3.3.3/
urllib2 : 1.1.1.1
requests + browsers : 2.2.2.2
urllib : 3.3.3.3
<?php
header("Location: http://127.0.0.1");
?>
http://ⓔⓧⓐⓜⓟⓛⓔ.ⓒⓞⓜ = example.com
List:
① ② ③ ④ ⑤ ⑥ ⑦ ⑧ ⑨ ⑩ ⑪ ⑫ ⑬ ⑭ ⑮ ⑯ ⑰ ⑱ ⑲ ⑳ ⑴ ⑵ ⑶ ⑷ ⑸ ⑹ ⑺ ⑻ ⑼ ⑽ ⑾ ⑿ ⒀ ⒁ ⒂ ⒃ ⒄ ⒅ ⒆ ⒇ ⒈ ⒉ ⒊ ⒋ ⒌ ⒍ ⒎ ⒏ ⒐ ⒑ ⒒ ⒓ ⒔ ⒕ ⒖ ⒗ ⒘ ⒙ ⒚ ⒛ ⒜ ⒝ ⒞ ⒟ ⒠ ⒡ ⒢ ⒣ ⒤ ⒥ ⒦ ⒧ ⒨ ⒩ ⒪ ⒫ ⒬ ⒭ ⒮ ⒯ ⒰ ⒱ ⒲ ⒳ ⒴ ⒵ Ⓐ Ⓑ Ⓒ Ⓓ Ⓔ Ⓕ Ⓖ Ⓗ Ⓘ Ⓙ Ⓚ Ⓛ Ⓜ Ⓝ Ⓞ Ⓟ Ⓠ Ⓡ Ⓢ Ⓣ Ⓤ Ⓥ Ⓦ Ⓧ Ⓨ Ⓩ ⓐ ⓑ ⓒ ⓓ ⓔ ⓕ ⓖ ⓗ ⓘ ⓙ ⓚ ⓛ ⓜ ⓝ ⓞ ⓟ ⓠ ⓡ ⓢ ⓣ ⓤ ⓥ ⓦ ⓧ ⓨ ⓩ ⓪ ⓫ ⓬ ⓭ ⓮ ⓯ ⓰ ⓱ ⓲ ⓳ ⓴ ⓵ ⓶ ⓷ ⓸ ⓹ ⓺ ⓻ ⓼ ⓽ ⓾ ⓿

Exploit

http://169.254.169.254/latest/meta-data/iam/security-credentials/aws-elasticbeanorastalk-ec2-role
http://169.254.169.254/computeMetadata/v1/
http://metadata.google.internal/computeMetadata/v1/
http://metadata/computeMetadata/v1/
http://metadata.google.internal/computeMetadata/v1/instance/hostname
http://metadata.google.internal/computeMetadata/v1/instance/id
http://metadata.google.internal/computeMetadata/v1/project/project-id
File protocol to read local file
file:///etc/passwd
http://100.100.100.200/latest/meta-data/

DNS Rebinding attack

CSRF(CORS,JSONP hijacking)

Ordinary CSRF we will not write here. Write some token bypass methods

Delete CSRF token
Null token parameter
Modify request method Form GET to POST or PUT etc.
Replace token with any string of the same length as token
Fixed token Every user's token can be shared

0ang3el

CORS Bypass

OUT OF SCOPE XSS and CORS

Use Safari’s URL feature to bypass

JSONP hijacking

Burp suite Extension to discover JSONP func

FUZZ Callback Parameter

In another test, I found a JSONP hijacking at a.redacted.com. When I looked for a vulnerability in b.redacted.com, I found a JSON response, but there was no parameter in the requested URL. I tried the FUZZ parameter. But in the dictionary, Without _cb_ this parameter eventually I added _cb_ of a.redacted.com to b.redacted.com and successfully found JSONP hijacking

callback=gh0stkey
cb=gh0stkey
jsonp=gh0stkey
jsonpcallback=gh0stkey
jsonpcb=gh0stkey
jsonp_cb=gh0stkey
json=gh0stkey
jsoncallback=gh0stkey
jcb=gh0stkey
call=gh0stkey
cb_=gh0stkey
_cb_=gh0stkey

SQLi

SQL injection is always there. Actually all the key is to be careful.I found SQLi in my two most recent tests.Just need you to search all the parameters of each page carefully and add single quotes or %df or look for Time-Based SQLi

Check out this repo’s SQL i Payload

Tips : SQL INJECTION VIA HTTP HEADER!

I can’t think of anything to write here so SQL i is over.

XSS

We can use the endpoints obtained in the information collection to find reflected XSS,There are many positions for XSS. We should pay attention to Bypass’s payload.

I found a lot of Blind XSS in recent tests. I think that the location of the HTTP HEADER and some XSS and SQLi Payloads will have unexpected results.

I use XSS HUNTER for BlindXSS

!!BlindXSSEveryWhere!!

My Blog about XSS!

Weak Password

Try more

Unauthorized access

Most of the unauthorized access I usually find comes from brute force cracking of directories.Find more ports, more IPs, more services

IDOR

Burp suite Extension to find IDOR

The case of IDOR

There are many different test methods in the IDOR search process.We should pay attention to unique parameters and pages, and pay attention to the function of each API. I recommend using the Repeater of Burpsuite to mark the function and return content of the API. Email returns UID, we can use UID to find IDOR

Open redirect

When testing Open redirect, we can try to combine XSS to try to redirect javascript:alert (1)

I noticed this URL when I found 302, but I couldn’t redirect after opening it, so I tried Bypass.

Payload list

Replace whitelisted.com with your target

Information Disclosure

Github Pastebin Google etc.

Most of my information collection is found directly from recon

SO JUST RECON CAREFUL

Use github and pastebin to search for some sensitive information such as API key, token.

XXE

  1. Upload File

By uploading files in formats such as xls,doc

The process of making a malicious document

2.OOB ATTACK

3.Modify Content-Type

File Upload

We can test XSS and SSRF when uploading and ImageTragick RCE ,This idea is really hard for me to write.I will write the tips of Bypass

  • Add dot after the file name
  • File name with special symbol before or after
  • Delete meta-data
  • Race condition

I was writing this article after a day of school today. My mind is a bit messy XD

Subdomain Takeover

Still no good tips, more subdomains have a higher chance of taking over

BLH

tools

HTTP Requests Smuggling

CRLF

Auth Bypass

Oauth2 CSRF Modify the redirect_url to get the victim token .Can be bypassed using bypass open redirect

DOS

imagesize size DOS

https://target.com/Verification/?high=100&weigh=100
https://target.com/Verification/?high=100000&weigh=1000000
response boom!
If there is no parameter to control the size, we can add it by ourselves

width=250&height=250
height=250
width=250
w=250&h=250
h=250
w=250
size=250&width=250&height=250
size=250&w=250&h=250
size=250
margin=250
margin=250&width=250&height=250
margin=250&w=250&h=250
size=250&margin=250
size=250&margin=250&width=250&height=250

Bypass some restrictions that affect the normal use of the user .Is what I think is the most meaningful DOS

I think using a lot of characters or very special characters may cause DOS

LFI

Race Condition

HPP

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade