Skip to content

These are just some notes about "WEB" bug bounty. I use to write down stuff which I either learned by trying or by reading other people tweets/blogs. So technically I am not claiming to be the original author of these tips/tricks. I wrote down whatever seemed good to me.

Also I want to point out that I don't do web related bounties any more so it's possible I might have written down something wrong.

Subdomains

  • assetfinder --subs-only [mocospace.com](http://mocospace.com/) | httprobe > hosts

    • meg --savestatus 200 /
    • cat out/index | cut -d' ' -f2
  • For deciding subdomains you can try to search on wolfram alpha

Rate limit testing

  • First just capture in burp and see if you can repeat it.
  • Try to add X-Forwarded-For header.
  • Try to add the %00 at the end of the username of email whatever it is sending back for verification.

For removing all the noise in Burp

SQL Injection

With Union

The best way is to find the number of column required in SQL injection is

' order by 1--

And just like this increase the number until we get the error

Another way is:

' UNION SELECT NULL--
' UNION SELECT NULL,NULL--
' UNION SELECT NULL,NULL,NULL--

Remember that once using the NULL use it with the spaces and not with the + in between

XMLRPC

If you find any XMLRPC then try to send the following payload

POST /xmlrpc.php HTTP/1.1
Host: Some Host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:58.0) Gecko/20100101 Firefox/58.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 131

<?xml version="1.0" encoding="utf-8"?>
<methodCall>
<methodName>system.listMethods</methodName>
<params></params>
</methodCall>

For refrence and further testing checkout the following report: https://hackerone.com/reports/752073

Host header injection

I think the best thing to use host header injection in general position would be to show internal information leakage

https://hackerone.com/reports/548094

Generating wordlist

git clone https://github.com/wikimedia/mediawiki.git

cd mediawiki/

ls -d -1 "./"**/* | sed '^\./' > mediawiki-wordlist

Clickjacking

<html>

<head>
    <title>Clickjack test page</title>
</head>

<body>
    <p>Website is vulnerable to clickjacking!</p>
    <iframe src="<vulnerable-URL>" width="1000" height="1000"></iframe>
</body>

</html>

Port Scanning

  • Best approach is
    • First run a 2 or 3 concurrent Masscan jobs with all 65535 ports split into 4-5 ranges.
    • Get a list of hosts and and a combined list of open ports from Masscan’s output.
    • Use these list as input to Nmap and do a regular Nmap scan.

Range

1-13107
13108-26214
26215-39321
39322-52428
52429-65535

This is the range we should use.

  • https://captmeelo.com/pentest/2019/07/29/port-scanning.html