Yay, I was awarded a $16,300 bounty on
@Hacker0x01
!
#TogetherWeHitHarder
🎉🎉🎉
Tip: Even if an asset asks for authentication, fuzz for endpoints using ffuf, I found an unauthenticated API that allowed me to retrieve sensitive information!
$15k+ Worth of IDORs in the past couple of months; it takes a lot of manual verification, but use this regex in BurpSuite in order to filter out potential parameters:
(?i)\b\w*id\b(?!\w)\s*=\s*("[^"]*"|'[^']*'|[^&\s}]*)
#bugbountytips
#CyberSecurity
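As an added example that is not part of the original thread, here is the regex from the tweet run with Node over a few constructed request fragments, so you can see what it surfaces and what it misses. Two details: JavaScript has no inline (?i) flag, so it becomes the i flag on the literal; and the pattern only matches key=value pairs (query strings, form bodies, cookies), so the JSON-key variant is my addition for JSON bodies. The valid=true hit shows why the author says the output still needs manual verification.

```javascript
// Added example: the author's Burp regex applied offline in Node.
// The (?i) inline flag is expressed as the JavaScript "i" flag; the body
// of the pattern is unchanged from the tweet.
const ID_PARAM_RE = /\b\w*id\b(?!\w)\s*=\s*("[^"]*"|'[^']*'|[^&\s}]*)/gi;

// My addition, not from the tweet: the same idea for JSON request bodies,
// which contain no "=" and therefore never match the original pattern.
const ID_JSON_KEY_RE = /"(\w*id)"\s*:\s*("[^"]*"|'[^']*'|[^,\s}]*)/gi;

// Return [{ name, value }] for every *id parameter in one request fragment.
function findIdParams(text) {
  const hits = [];
  for (const m of text.matchAll(ID_PARAM_RE)) {
    hits.push({ name: m[0].split('=')[0].trim(), value: m[1] });
  }
  for (const m of text.matchAll(ID_JSON_KEY_RE)) {
    hits.push({ name: m[1], value: m[2] });
  }
  return hits;
}

// Scan a list of request fragments; one result array per fragment.
function scanRequests(requests) {
  return requests.map(findIdParams);
}

// Constructed sample traffic (not real captures). Note "valid=true" in the
// first line: it ends in "id", so the regex flags it and a human must discard it.
const SAMPLE_REQUESTS = [
  'GET /v1/transactions?user_id=5020&valid=true&page=2 HTTP/1.1',
  'Cookie: sessionid=abc123',
  'POST /api/team/add HTTP/1.1\n\n{"team_id": 77, "memberId": "1041", "role": "viewer"}',
  'GET /v1/health?format=json HTTP/1.1',
];

// Print the hits per fragment so the block is useful stand-alone.
scanRequests(SAMPLE_REQUESTS).forEach((hits, i) =>
  console.log(SAMPLE_REQUESTS[i].split('\n')[0], '->', hits));
```

In Burp the same pattern goes into the Logger or Proxy history filter; the point of the script is only to show which strings it will and will not match before you rely on it.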
$10,000 for RCE through Dependency Confusion, this time on one of my first submissions in
@intigriti
🙌
I spent a whole month learning and developing a custom tool using Next.js, this helped me identify and exploit the RCE.
Of course, I also used:
Yay, I was awarded a $10,000 bounty on
@Hacker0x01
! For a Critical Severity IDOR.
Tip:
1) In-depth knowledge of the program, lots of manual testing
2) Learning to master the 'Autorize' extension for Burp
Automated & manual testing🤝
#bugbountytip
#hackerone
Yay, I was awarded a $4,500 bounty on
@Hacker0x01
!
Tip:
Target had a /?back= parameter, but payloads like javascript://alert(1) did not work.
Exploited using the following with URL-encoded ASCII tab characters:
%09Jav%09ascript:alert(document.domain)
#bugbountytips
#bugbounty
Some fun & unexpected bugs I found recently👇
1. Authentication Bypass by setting session cookie value to 'null'
2. Plain text credentials in JS files expose clients' PII
Haven't found a write-up about the null cookie approach before, and the exposed credentials, just, wow...
I often find IDORs by searching in JS Files for interesting endpoints, but how do I automate this while also performing manual hunting?🤔
#bugbountytips
I mostly use my custom
@trick3st
workflow for finding unique domains & secrets in JS files, here is how it works👇
1/4
Yay, I was awarded a $10,000 bounty on
@Hacker0x01
!
#TogetherWeHitHarder
#bugbountytip
DOM XSS to Admin Account Takeover - No CORS policy so I was able to send authenticated requests on behalf of the victim and send the response back to my server.
👇
$5,000 for 5 IDORS on the same asset!
All manual findings, although for some of these I used the ‘Reflection’ extension in Burp in order to find more parameters vulnerable to IDOR
#bugbountytips
#hackerone
Yay, I was awarded a $4,000 bounty on
@Hacker0x01
!
For XSS to ATO
Instead of a
#bugbountytip
, here is the code snippet used to check the user-supplied input in this specific parameter, who can tell me what the problem here was, and what a potential bypass would look like?
I was awarded $7,666 for a Critical XSS
Reflected XSS, but no particular sensitive data was exposed.
Here is how I was able to escalate to account takeover👇
#bugbountytips
$4,000 for Bypassing WAF
Tip: Whenever an asset is protected by a WAF, enumerate and investigate subdomains and IP Addresses, sometimes you’ll find dev or staging environments which are exact copies of production.
-> WAF
https://69.420.69.420:443
- No WAF
Yay, I was awarded a $4,500 bounty on
@Hacker0x01
!
XSS to ATO through exposed CSRF Tokens
Tip:
If cookies are HTTP only, search for exposed CSRF tokens, you can append them to your CSRF PoC: xhr.setRequestHeader("X-Csrf-Token", "3983xn9n");
#bugbountytips
Read first comment👇
I got a $1,160 bounty for an IDOR that exposed all Machine Learning Models in Gitlab.
This was found using the Autorize extension in Burp, go check out the disclosed report!
#bugbountytips
Yay, I was awarded a $4,000 bounty on
@Hacker0x01
!
#TogetherWeHitHarder
For Reflected XSS to Account Takeover
Tip: When cookies are HTTP only go for localStorage -- alert(JSON.stringify(localStorage));
Yay, I was awarded a $2,000 bounty on
@Hacker0x01
!
#TogetherWeHitHarder
This response time is literally every BugHunter's dream😮
Bug: IDOR by manually adding the parameter "user_id" to the JSON request
#bugbountytips
An API is calling your own records like this?
-> GET /v1/transactions/all
See if the response contains an object with an ID and reference it directly
-> GET /v1/transactions/813
If you get a 200 OK, check if you can access any record ID for an IDOR!
#bugbountytips
Yay, I was awarded a $1,500 bounty on
@Hacker0x01
!
#TogetherWeHitHarder
SSRF by appending /param?url=
Access to internal resources but escalated to ATO by pointing the param to an XSS payload
/param?url=
Yay, I was awarded a $2,000 bounty on
@Hacker0x01
!
Tip: If user IDs are predictable, try different features in the platform that expose user info, in my case I could add people to a team, therefore I could guess all user IDs with intruder and expose their info
#bugbountytips
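An added example (my code, not the author's) that runs the check described in the two IDOR tips above against a constructed in-memory API, so the whole loop is visible: list your own records, pull the IDs out of the response, request each one directly with a different user's session, and see which answer 200. It then goes one step further, as the second tip does, and walks a range of guessable IDs. The paths follow the tweet; the record shapes, sessions and the fixed variant are assumptions.

```javascript
// Added example: IDOR probe against a constructed service (not a real target).

// Constructed data: two users, three records.
const DB = [
  { id: 811, owner: 'alice', amount: 40 },
  { id: 812, owner: 'bob',   amount: 15 },
  { id: 813, owner: 'alice', amount: 99 },
];
const SESSIONS = { 's-alice': 'alice', 's-bob': 'bob' };

// Vulnerable service: /all is scoped to the caller, /:id is not.
function mockApi(method, path, session) {
  const user = SESSIONS[session];
  if (!user) return { status: 401, body: null };
  if (path === '/v1/transactions/all') {
    return { status: 200, body: DB.filter((t) => t.owner === user) };
  }
  const m = path.match(/^\/v1\/transactions\/(\d+)$/);
  if (m) {
    const rec = DB.find((t) => t.id === Number(m[1]));
    // BUG: ownership is never checked on the direct route -> IDOR
    return rec ? { status: 200, body: rec } : { status: 404, body: null };
  }
  return { status: 404, body: null };
}

// Same service with object-level authorization enforced on the direct route.
function fixedApi(method, path, session) {
  const r = mockApi(method, path, session);
  if (r.status === 200 && !Array.isArray(r.body) && r.body.owner !== SESSIONS[session]) {
    return { status: 403, body: null };
  }
  return r;
}

// Pull every integer "id" field out of a listing response, however nested.
function extractIds(body) {
  const ids = [];
  JSON.stringify(body, (k, v) => {
    if (k === 'id' && Number.isInteger(v)) ids.push(v);
    return v;
  });
  return ids;
}

// Step from the tweet: IDs seen as victimSession, fetched as attackerSession.
function probeIdor(api, victimSession, attackerSession) {
  const listing = api('GET', '/v1/transactions/all', victimSession);
  return extractIds(listing.body)
    .filter((id) => api('GET', `/v1/transactions/${id}`, attackerSession).status === 200);
}

// Second tip: when IDs are predictable, walk a range with one session.
function bruteIds(api, session, from, to) {
  const found = [];
  for (let id = from; id <= to; id += 1) {
    if (api('GET', `/v1/transactions/${id}`, session).status === 200) found.push(id);
  }
  return found;
}

console.log('leaked to bob (vulnerable):', probeIdor(mockApi, 's-alice', 's-bob'));
console.log('leaked to bob (fixed):     ', probeIdor(fixedApi, 's-alice', 's-bob'));
console.log('bob brute-forcing 810-815: ', bruteIds(mockApi, 's-bob', 810, 815));
```

Against a real target the api function becomes an HTTP client carrying the second account's cookie; the rest of the logic is what Autorize automates per request.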
Yay, I was awarded a $3,000 bounty on
@Hacker0x01
!
#TogetherWeHitHarder
Blind XSS through Support Chat leads to ATO, forging requests on behalf of the victim using Fetch & sending the response to the attacker server (payload below👇🏻👇🏻👇🏻)
Yay, I was awarded a $1,500 bounty on
@Hacker0x01
!
#TogetherWeHitHarder
First time seeing an SSRF lead to an account takeover by itself, I might consider a writeup for this one because of its weird nature, also some kind words :)
One of the first critical bounties of my career was because of The Wayback Machine and the amazing resources they have and these idiots trying to take it down because of unrelated politics? Amazing👍🏻
The Internet Archive has been and is suffering from a devastating attack. We have been launching several highly successful attacks for five long hours and, to this moment, all their systems are completely down.
second round | New attack
09/10/2024 Duration 6 hours
Well this was an interesting one🤔
$500 Bounty from the
@mozilla
Bug Bounty!
Same tip as my last bounty, FFUF and keep updating your wordlists!
I have no idea how to redeem this though lol
#bugbountytips
All that is left to do is analyze the results, and hopefully find exposed secrets & interesting endpoints to target for IDORs or other bugs! :)
You can find the JSON for the workflow, which you can copy & paste into
@trick3st
UI here:
$1,500 for a vulnerability initially marked as “Not Applicable” by a triager. The tip today isn’t a technical one, rather a piece of advice: Triagers do not have the last word, always ask for the client to be consulted and provide irrefutable evidence!
#bugbountytips
#bugbounty
I just found and reported 3 vulnerabilities affecting the same product used by 3 different companies, 2 of them have been accepted as High on
@Hacker0x01
and the 3rd marked as "Not Applicable" on Bugcrowd 😂This is why I never hack on Bugcrowd
#bugbounty
@Bhavinology
1. Single web app in scope so a lot of manual work and learning all the features
2. Once I find a vulnerable parameter I search for similar params using the Reflected Parameters extension or with Logger using the regex: \?.*=(\/\/?\w+|\w+\/|\w+(%3A|:)(\/|%2F)|%2F|[\.\w]+\.\w{2,4}[^\w])
The PoC URL required an SID every time, so I had to create a Python script that would generate a new SID and append it to the PoC URL, the final payload looked like this
(`<base64-encoded-code>`));
And the code used inside the atob function
@0xuchiha_MRX
Crawl using Burp + navigating the web app manually; also use gau and filter for only the URL paths that have query parameters, you can always find potential parameters there, and if an ID is easily guessable try for IDOR
In this case, the CSRF token was exposed through a non-HTTP cookie and also the DOM, they expired after 24 hours so plenty of time to abuse them. I was initially paid 625 for this report, and after review, I was given the rest of the 4,500
@ThisIsDK999
@intigriti
Great question here!
The main difference I found was not putting your payload directly in the preinstall parameter of your package.json, instead use 'node preinstall.json' and put your payload in the preinstall.json file, I also hex encoded the data and used DNS exfiltration
The XSS could only retrieve non-HTTP cookies, so here is what I did:
1) I found a GraphQL endpoint (POST /graphql_service), that retrieved the user's auth token. So, how can I steal the token?
2) I tried transforming the POST query to a GET query in order to use it in my payload
The second part grabs the results & searches JS files using getjs, the results are then passed to Cariddi which crawls the URLs & scans for endpoints, secrets, API keys, file extensions, tokens, and more. Linkfinder is used to extract endpoints & params from the JS files.
3/4
@Hacker0x01
Although the right move, it's also sad for the Russian bug hunters and companies who have to endure the consequences of their leader's decisions.
The first part does a thorough subdomain scan of the desired targets, using multiple sources like Github & Shodan and tools like subfinder, vita & assetfinder. It then goes deeper by performing level-deep subdomain scans with puredns
2/4
I now have a working GET GraphQL query, but how can I expose the response that includes the auth token?
3) I found that the site also has a CORS misconfig, so I can send requests on behalf of the victim and receive the response on my server
I’ll never understand why programs don’t fix Critical/P1 vulnerabilities for months, like, I’m tired of wasting hours investigating and exploiting vulnerabilities, writing a good report just to get a duplicate on Criticals🙄
#bugbounty
Haven't seen a new Clear Verified program in a WHILE, yet new VDPs every month. Companies seem to prefer volume over quality now. Here is an interesting fact from H1 customers:
More and more BBPs programs leaving/closing at a crazy rate
New VDPs every month
Almost 300 Reports in less than a week for this new VDP
We are doomed.
Completely wrong take, you are actually head hunted if you perform well in Bug Bounty. I've interviewed candidates who do well in Bug Bounty and they perform better than cert collectors🤷🏻
@sk1dd13
Been saying this for a while now dude. It's the most true statement ever. Some people think that bug bounties look great on a resume, but the truth is, recruiters don't give a flying shit about them. They don't consider it experience.
Not my personal opinion. Just straight facts
@heyAbdulsamad
@Hacker0x01
If the default is a 200 page instead of a 404, you can use the -fs option to filter HTTP response size. Just look at the response size of that 200 page and use -fs 2456 for example
Extra note: The 2 environments had bi-directional synchronization, so everything a user modified or posted on dev would immediately be reflected on prod and vice versa. So injecting a payload in dev would reflect on prod, but injecting a payload in prod was blocked by the WAF
Pisses me off that programs can get away with this at
@Hacker0x01
, what are they going to come up with next? Signing up for an account is considered High attack complexity?😂
Yay, I was awarded a $800 bounty on
@Hacker0x01
!
#TogetherWeHitHarder
Second time I was able to leak an entire platform user base including PII. /users/5020 -> 403 Forbidden /users/5020.json -> 200 OK
@gonzxph
You can try different bypasses for internal assets like 127.1 instead of 127.0.0.1, also try URL shorteners that point to
http://localhost,
if none of those work, host an XSS payload which extracts localStorage and cookies, there is always juicy information there
I hate it when you work for hours investigating and escalating an XSS just for a stupid program to tell you "We take XSS as Medium severity, we have the final word" fucking put it on your brief then so I don't waste my time🙄
#bugbounty
@ibug___
@theXSSrat
@stokfredrik
Bypassing the 403 is a vuln by itself but it has to be accompanied by a good PoC, example: accessing sensitive files stored in the server like web.config or nginx.conf. I personally like this 403 Bypass script because I can add my own patterns
@voorivex
@Hacker0x01
You are absolutely correct, this was an oversight on my part as I took the code after the fix was pushed, the original code did not match for whitespace characters, only for the javascript string, this was the original line:
var n = decodeURI(t.modal.getUrlParam('onmodalexit'));
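An added example (not the program's code) that models the check described in this thread and the earlier %09Jav%09ascript tip: the original line decoded the parameter with decodeURI and, as stated above, matched only the literal javascript string, not whitespace, so a value split by tabs slipped past it while the browser still ran it. isSafeBackUrl_vulnerable is an assumed reconstruction of that check, not the real one; the fixed version and the origin used are my choices.

```javascript
// Added example: tab-split javascript: URL against a string check vs. a parser.

const PAYLOAD = '%09Jav%09ascript:alert(document.domain)';  // from the tweet
const OUR_ORIGIN = 'https://example.com';                  // assumed site

// Assumed reconstruction of the weak check: decode, then look for the string.
// The decoded value is "\tJav\tascript:alert(...)", which this never matches.
function isSafeBackUrl_vulnerable(raw) {
  const value = decodeURI(raw);
  return !/javascript/i.test(value);
}

// What the browser does with the same value when it navigates: the WHATWG
// URL parser drops leading C0 controls and every ASCII tab/newline before
// it reads the scheme. Node's URL implements the same algorithm.
function browserScheme(raw, base = OUR_ORIGIN) {
  return new URL(decodeURI(raw), base).protocol;
}

// Hardened check: normalise exactly as the browser will, then allow only
// http(s) URLs on our own origin (rejects javascript:, data:, //evil, ...).
function isSafeBackUrl_fixed(raw, ourOrigin = OUR_ORIGIN) {
  let url;
  try {
    url = new URL(decodeURI(raw), ourOrigin);   // decodeURI can throw as well
  } catch {
    return false;                               // unparseable: refuse, don't guess
  }
  return (url.protocol === 'http:' || url.protocol === 'https:')
    && url.origin === new URL(ourOrigin).origin;
}

console.log('weak check passes payload :', isSafeBackUrl_vulnerable(PAYLOAD));
console.log('browser sees scheme       :', browserScheme(PAYLOAD));
console.log('fixed check passes payload:', isSafeBackUrl_fixed(PAYLOAD));
```

The lesson generalises beyond tabs: any check that inspects the raw string will disagree with the browser somewhere, so validate the parsed URL's protocol and origin instead of searching for bad substrings.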
@disnhau
@rhetoric_URBAN
@Hacker0x01
Exactly, created a script using the eval function, the script called my XSS hunter server which stole cookies and sensitive data
If it wasn’t because of private bug bounty programs I would now have 15+ CVE’s to my name, bounty amounts are very good but sometimes I think CVE’s would be better, what would you prefer?
@_Base_64
After bypassing the WAF I was able to achieve XSS and CSRF, didn't report them separately because I had to prove impact on the WAF bypass and they were low impact vulns
Do you actually think
#ethicalhacking
has gotten to the point where we are a problem for blackhats? Like, do they wake up in the morning and say "Man I hate bug bounty hunters"
#bugbounty
Context:
The vulnerability allows an attacker to view private Github/Gitlab repos, even if Gitlab is behind VPN
All reports were evaluated by triagers, not by the company.
The bugcrowd triager closed it 3 minutes after I reported and just gave me the standard "N/A" message
@dvrahmr
Ur lucky, most programs tell you to stop reporting because "we acknowledge we have a problem with XSS" and then pay you a Medium bounty for an XSS leading to ATO, be grateful!
I think some people are missing the point here, it's not about having a clean sheet and no N/A's, I had a couple myself; many new bug bounty hunters 'spray and pray,' sending many low-quality reports hoping one hits. This wastes a lot of effort and will later reflect badly on u
Bug bounty programs are not ur personal training ground to spam with NA reports until u learn. Go play CTFs, do portswigger's and pentesterlab's exercises. Build ur own website and break it. There are a billion ways to learn without wasting everyone's time.
@0099gaurav
But Autorize sends 3 requests by default, 1 is the original, 2 is the modified request, 3 is the unauthenticated request. You must be configuring it wrong