Bug Bounty Hunting:
I use the resources listed below for Bug Bounty Hunting. I'll update this monthly with new techniques.
Platforms:
- OpenBugBounty (XSS/CSRF/IDOR; accepts reports against any site)
- BugCrowd
- HackerOne
- Cobalt.io
- Synack (invited researchers only)
- Other self-hosted programs run by individual companies (Facebook Whitehat, Google VRP, AT&T BB)
Subdomain Enumeration:
- Enumall
- Massdns
- Sublist3r
- Knock
- VirusTotal
- Shodan
- Censys
- EyeWitness
- DNS Dumpster
- Google Dorking (site:sony.com -www)
- BugCrowd LevelUp
- DNSScan
- Altdns
- dns-parallel-prober
- brutesubs
- dirsearch
- Aquatone
Subdomain Takeovers:
CloudFront Entries:
- ride.uber.com - CNAME - cloudfront.com
- xxxx.ubnt.com - CNAME - cloudfront.com
AWS Misconfiguration:
- rubyci.s3.amazonaws.com
- hackerone
- uber
- ubiquitinetworks
- twitter etc.
Default Pre-Installed Instances (install, update the default credentials, report):
Unbouncepages:
- landing.udemy.com. 300 IN CNAME unbouncepages.com.
Google Mapped Domains (moderator.ubnt.com resolved to the same IP as ghs.google.com):
- 216.58.203.243 moderator.ubnt.com
- 216.58.203.243 ghs.google.com
- 216.58.203.243 ghs.l.google.com
Automation:
- autoSubTakeover [Github]
- HostileSubBruteforcer
- tko-subs
- AWS Extender
Git - Recon:
- gitrob
- git-all-secrets
- trufflehog
- git-secrets
- repo-supervisor
API Enumeration from JS files:
Acquisition Enumeration:
- Crunchbase
- crt.sh
- Censys
- Google Cert Repo
Content Discovery / Directory Brute-forcing:
- Wappalyzer
- Retire.js
- Built With
- Vulners CVE Scanner
- Patator
- GoBuster
- WPScan
- CMSMap
- Robots Disallowed
- Burp Content Discovery
- CMSExplorer
- BlindElephant
Content Management System Bugs:
- Adobe ColdFusion (well-known RCE, admin salt leakage, SQL vulnerabilities)
- Drupal CMS (RCE)
- WordPress (plenty of bugs)
- Jenkins Automation Server
Parameter Brute-forcing:
- Parameth
- Backslash Powered Scanner [Burp]
XSS:
- Polyglot
- FlashScanner
- Common Input Vectors
- Blind XSS Frameworks:
  - Sleepy Puppy [Python]
  - XSS Hunter [Python]
  - Ground Control [Ruby/Smail]
- XSS MindMap
- Flash XSS (FFDec decompiler, https://github.com/riusksk/FlashScanner, https://cure53.de/flashbang)
Flash CSRF:
- Target accepts JSON-formatted data and blocks cross-domain requests with CORS.
SSTI:
SSRF:
Blind SSRF:
- Google PoC
- Twitter PoC
- AWS metadata retrieval
Full SSRF:
- Out of Band
OAuth/OpenRedirect:
- Missing validation of state/token/code (open redirection on a Google acquisition)
Fuzzing API:
Logical Bugs:
- Email verification check failures
- Money rounding issues
Denial of Service:
- Via Large input.
- Via Images.
- Via XLS/PDF/TXT.
- Via Out of Band Blind SSRF.
Android Hunts:
- Decompile the app, then look in /assets/ or /res/raw [AWS production keys, dev leftovers]
- Check external storage - binary info/code used without validation, sandbox leaks, GPS info, log files
- Detecting reads/writes to external storage - FileObserver
- Obfuscation - ProGuard
- WebView checks:
  - setAllowContentAccess
  - setAllowFileAccess
  - setAllowFileAccessFromFileURLs
  - setJavaScriptEnabled
  - setPluginState
  - setSavePassword
- JavaScript interfaces (addJavascriptInterface, e.g. “jsvar”) -> RCE, CVE-2012-6636 (apps supporting SDK <= 17 are vulnerable)
Payloads:
- https://github.com/1N3
- https://github.com/danielmiessler/SecLists
Ref:
- Ron Chan Ref
- bugbounty.community/tools