About me: Personally I don't consider myself an experienced bug hunter; I don't even have great skills. I'm closer to being a good observer: I love watching things with a clear mind and studying their behaviour, whether in systems or in humans (they are kind of similar and not so different; maybe that's my skill, being a good observer). So I'm writing here my points of view regarding my little experience in the field.
The tweet of discord:
Recently I posted a tweet that generated some discord among bug hunters,
Hello Hunters! It's been a while since my last write-up, so I decided to share a fun experience I had while hunting on a private program.
What the hell is a captcha?
From my point of view: a captcha is mostly used to keep bots out and to ensure that the user behind the app is a real human.
Sharing is caring, so let's go to the write-up!
Mapping the application, I found a subscription endpoint with a captcha filter like this:
This caught my attention quickly, so I moved to the source page:
This is a quick write-up of a WAF bypass on a private BBP, so I will keep the name of the program hidden.
Looking around in the app, I found an entry-tag feature that caught my attention:
So the app basically loads a tag item. I started with this:
### FIRST ATTEMPT:
injection: `"=""'><details open="">`
output is:
`<span>"=""'><details open=""> (0)</span>`
### SECOND ATTEMPT:
injection: `"=""'></><details open="">`
output is:
`<span>"=""'></><details open=""> (0)</span>`
### THIRD ATTEMPT:
output is:
`<span>"=""'><details open="…" (0)<="" span=""><a href="" class="" rel="1"></a></details></span>`
Bam! We got HTML injection!
Hey, what's up community? Hope you are well. Today I share a very strange and uncommon behaviour that I found a year ago when I started with bounties. We keep the program private, so from now on we can call it [redacted.com].
So I found this normal endpoint, which is:
Interesting, huh? So I decided to try some open redirect payloads:
return_to=http://evil.com -> rejected
return_to=http://[redacted.com].evil.com -> rejected
return_to=//google.com -> rejected
firstname.lastname@example.org -> rejected
return_to=//google.com/redacted.com -> rejected
… well, the list of payloads is quite large, but all attempts failed :(
And my feelings are:
But.. during these actions I…
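The rejected payloads listed above are exactly the cases a `return_to` check has to cover: foreign hosts, hosts that merely start with the trusted name, and scheme-relative references. The validator below is an added example, not the program's code; `ALLOWED_HOST` is a placeholder for the program's real host, and the payload list is constructed from the attempts above plus a few common variants.

```python
from urllib.parse import urlsplit

# Placeholder for the program's own host (the write-up redacts the real one).
ALLOWED_HOST = "redacted.com"

# Constructed sample: the attempts listed in the write-up plus common variants.
SAMPLE_PAYLOADS = [
    "http://evil.com",
    "http://redacted.com.evil.com",
    "//google.com",
    "//google.com/redacted.com",
    "firstname.lastname@example.org",
    "/\\evil.com",                     # backslash trick: browsers read "\" as "/"
    "http://redacted.com@evil.com",    # userinfo trick: the real host is evil.com
    "javascript:alert(1)",
    "/account/settings",               # legitimate local path
    "https://redacted.com/dashboard",  # legitimate absolute URL on our own host
]

def is_safe_return_to(value: str) -> bool:
    """Allow only local paths or absolute http(s) URLs whose host is exactly ALLOWED_HOST.

    Rejects scheme-relative references ("//host"), hosts that merely contain
    ALLOWED_HOST as a prefix, userinfo tricks and non-http schemes.
    """
    if not value or any(c in value for c in "\r\n\t\x00"):
        return False
    # Browsers treat "\" like "/" in http(s) URLs, so normalise before parsing.
    normalised = value.replace("\\", "/")
    parts = urlsplit(normalised)
    if parts.scheme:
        if parts.scheme not in ("http", "https"):
            return False
        # .hostname strips userinfo and port: "a.com@evil.com" yields "evil.com".
        return parts.hostname == ALLOWED_HOST
    # No scheme: a scheme-relative reference would still leave the site.
    if normalised.startswith("//") or parts.netloc:
        return False
    return normalised.startswith("/")

def classify_payloads(payloads=SAMPLE_PAYLOADS) -> dict:
    """Map each payload to the decision the redirect handler should make."""
    return {p: ("accepted" if is_safe_return_to(p) else "rejected") for p in payloads}

if __name__ == "__main__":
    for payload, verdict in classify_payloads().items():
        print(f"{payload!r:40} -> {verdict}")
```

Only the two entries that stay on the trusted host are accepted; every payload from the list above is rejected.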
Well, it's been a long time since my last write-up, so I feel the need to share with the community this interesting bug which I found in an H1 bug bounty program. From now on we can call it [redacted.com] to maintain its privacy.
Doing the recon:
One wildcard domain line that caught my attention looked like: *.trusted.com
So the next thing was to run Sublist3r to see the subdomains on *.trusted.com
Six Things You Should Know Before You Do Bug Bounty
I see a lot of hackers who want to launch attacks in an automatic or mechanized way. This can happen when they reproduce attacks just by looking at disclosed reports of other researchers. But this is not the essence of hacking.
Hacking is an art of your own creation. For this you need to understand some important things:
1) INFORMATION GATHERING: Retrieve all the information you can about your target and scope. Everything counts: port scans, subdomain lists, directory searching, etc. More information means more chances to see things and details, and more possibilities…
Last month was interesting: looking to take over some subdomains at HackerOne, I found one that caught my attention, info.hacker.one. The DNS was pointing to unbouncespages.com, a landing pages app service. Looking at the API, I tried to add the HackerOne domain, but when I tried, the output was: "domain is already claimed".
Well.. I tried to find another way to bypass this; after hours of looking at endpoints, trying different requests and changing some params, I could hack and bypass the domain filter. This hack gave me the power to add any domain managed by the DNS…
Focus, focus, focus: that's what I tell myself every day. Some days are good, others aren't, but remember: if you fail, try harder!
Scanning subdomains of a known company, I found a DNS entry that was pointing to a third-party app. This app is well known and used by a lot of companies. So I decided to create an account and see what was going on. My first action was trying to claim the company domain for a subdomain takeover, but sadly with no success; the output was: "Another user already claimed!" So I decided to test things in the…
Why is it so important to control a rate limit issue?
Testing apps on the web, I found that a lot of them are vulnerable to rate limit attacks, without any source filter such as IP address, or any limit on account registration submits, login attempts, etc..
As an example, I tested the register form at hackerone.com. I sent this PoC to them on July 5; they closed it as duplicate and explained to me that they are not concerned about this issue and that, for their user policy, they don't like the idea of using captchas.
The video PoC shows how easy exploiting it is…
WhiteHat Hacker, Zen Monk & Bounty Hunter