Discover and read the best of Twitter Threads about #SSRF
Most recents (10)
A lesser-known yet effective way of #bugbounty hunting is called "hacktivity" hunting. It involves bypassing fixes on disclosed reports found on @Hacker0x01's hacktivity page. This approach helped me score a $5k bounty! Here's how it works.👇
#InfoSec #CyberSecurity
#InfoSec #CyberSecurity
With hacktivity hunting, the hard part - finding interesting behavior or insecure features - is already done for you. Your main role is to find a bypass.
For example, I found a bypass for a report on hackerone.com/reports/949643
#BugBountyTips
For example, I found a bypass for a report on hackerone.com/reports/949643
#BugBountyTips
The original report tried to restrict access to /admin by restricting the path in Nginx. However, I bypassed it using simple encoding - /%2561dmin. Endpoints required authentication, but I bypassed this by adding ".json" at the end.
#BugBounty #Hacking
#BugBounty #Hacking
The following 5 workshops simulate multiple security events. Brought to you by the AWS Customer Incident Response Team (CIRT) 👇
1/During the Unauthorized IAM Credential Use - Simulation and Detection
workshop, you will simulate the unauthorized use of IAM credentials by using a script invoked within #AWSCloudShell ⏩ go.aws/3XU6zG7
workshop, you will simulate the unauthorized use of IAM credentials by using a script invoked within #AWSCloudShell ⏩ go.aws/3XU6zG7
2/At the Ransomware on S3 – Security Event Simulation and Detection workshop, you will use an AWS CloudFormation template to replicate an environment with multiple IAM users and five #AmazonS3 buckets ⏩ go.aws/3HdX8Ky
🏹Use Different Encoding Schemes of https://127.O.O.1
➡Hex Encoding https://Ox7f.OxO.OxO.Ox1
➡Octal Encoding https://0177.O.O.01
➡Dword Encoding https://2130706433
➡URL Encoding ➡https://%6c%6f%63%61%6c%68%6f%73%74
➡Mixed Encoding https://0177.O.O.Ox1
🧵: (2/n) :👇
➡Hex Encoding https://Ox7f.OxO.OxO.Ox1
➡Octal Encoding https://0177.O.O.01
➡Dword Encoding https://2130706433
➡URL Encoding ➡https://%6c%6f%63%61%6c%68%6f%73%74
➡Mixed Encoding https://0177.O.O.Ox1
🧵: (2/n) :👇
🏹Use The Whole IP Range For Testing SSRF
(198.0.0.1-255) #bugbounty
. . .
🏹Obfuscate Strings In URL Encode or Case Transformation (Blocked Words Bypass)
🏹Use Registered Domain Names That Resolves To 127.0.0.1
🏹Embed Credentials : https://attacker@victim.com
🧵: (3/n) :👇
(198.0.0.1-255) #bugbounty
. . .
🏹Obfuscate Strings In URL Encode or Case Transformation (Blocked Words Bypass)
🏹Use Registered Domain Names That Resolves To 127.0.0.1
🏹Embed Credentials : https://attacker@victim.com
🧵: (3/n) :👇
Bug Testing Methodology Series:
𝐒𝐒𝐑𝐅 (𝐒𝐞𝐫𝐯𝐞𝐫 𝐒𝐢𝐝𝐞 𝐑𝐞𝐪𝐮𝐞𝐬𝐭 𝐅𝐨𝐫𝐠𝐞𝐫𝐲)
Learn how to test for #SSRF step by step on real #bugbounty programs
Thread🧵👇
#cybersecurity #cybersecuritytips #infosec #hacking #bugbountytips #infosecurity
𝐒𝐒𝐑𝐅 (𝐒𝐞𝐫𝐯𝐞𝐫 𝐒𝐢𝐝𝐞 𝐑𝐞𝐪𝐮𝐞𝐬𝐭 𝐅𝐨𝐫𝐠𝐞𝐫𝐲)
Learn how to test for #SSRF step by step on real #bugbounty programs
Thread🧵👇
#cybersecurity #cybersecuritytips #infosec #hacking #bugbountytips #infosecurity
Before we start, this thread won't teach how SSRF works, but rather a methodology to follow while actively testing for it.
To learn about how SSRF attacks work, have a read here ➡️ portswigger.net/web-security/s…
To learn about how SSRF attacks work, have a read here ➡️ portswigger.net/web-security/s…
1️⃣ Finding an attack vector
This step simply implies using the web app THOROUGHLY and finding a place where you input a URL and the server fetches it.
Ex: profile pic from URL, URL Redirects, etc.
The best tip I can give you for this step is: CLICK EVERY SINGLE BUTTON YOU SEE
This step simply implies using the web app THOROUGHLY and finding a place where you input a URL and the server fetches it.
Ex: profile pic from URL, URL Redirects, etc.
The best tip I can give you for this step is: CLICK EVERY SINGLE BUTTON YOU SEE
Akamai WAF Bypass read internal files via SSRF
1. target[.]com/download?url=file:///etc/passwd (Blocked by akamai waf)
#bugbountytips #bugbounty #ssrf #wafbypass #hacking
1. target[.]com/download?url=file:///etc/passwd (Blocked by akamai waf)
#bugbountytips #bugbounty #ssrf #wafbypass #hacking
2. target[.]com disclosing internal ip in the response header ex: X-Server: 10.136.166.91
3. Now target[.]com/download?url=http://10.136.166.91 (weird 403)
SSRF Story | Scan The Network
1. Found SSRF and get Cloud Metadata.
2. Common high risk with disclosed cloud metadata is about security credential, but not found at this point :(
3. Found the instance public IP in latest/meta-data/public-ipv4, access the IP and got 404 response
1. Found SSRF and get Cloud Metadata.
2. Common high risk with disclosed cloud metadata is about security credential, but not found at this point :(
3. Found the instance public IP in latest/meta-data/public-ipv4, access the IP and got 404 response
4. Nmap the IP, nmap identified the server was located in Vultr cloud provider with open port 22,53,80 and 443.
5. Trying to get more exposure with SSRF with scan all port.
6. Amazed, got some firewalled port, port 8080 was run the Traefik application.
5. Trying to get more exposure with SSRF with scan all port.
6. Amazed, got some firewalled port, port 8080 was run the Traefik application.
7. Found the Traefik API documentation, and trying to reach the every single endpoint but still got 404 response (?). Until get the information from the version endpoint that identified running version is v1.7.4, the reason that why API was different from the latest API doc.
#bugbountytips #learn #learn365 #SSRF
Let's learn SSRF in a Thread 🧵
Here is my notes on SSRF (Just Basics) ->
Let's learn SSRF in a Thread 🧵
Here is my notes on SSRF (Just Basics) ->
SSRF → Server Side Request Forgery Attack
In this attack, vulnerable server accept user’s request without filtering and thus trusting user’s input and give back response to user
In this attack, vulnerable server accept user’s request without filtering and thus trusting user’s input and give back response to user
Attacker forge the request in such a way that server accept it thinking it as legit and give the response what the attacker want
Actually , these days , server is around many technologies like → Internal Network, WAF, Databases etc
Actually , these days , server is around many technologies like → Internal Network, WAF, Databases etc
#SSRF is a super popular vulnerability that is leveraged extensively, by bad actors. Let's look at SSRF defense in this 🧵 1/
Let's start with the basics. SSRF happens because your app makes requests to other URLs based on user-generated data. If your app doesnt need to redirect/request random URLs (functionality), ensure that you have a tight allowlist. Only redirect to URLs in the allowlist 2/
But if your app needs to redirect to a larger (purely user-defined) set of URLs, then things may get a little more complex. Now you need to validate inputs like a mf'er. Parse and Break down URLs by scheme, domain, etc. Validate each one as required 3/
#Secret2
Bug Bounty with One-Line Bash Scripts💵😎
You can mention your favorite script. I will add them to this thread.
#BugBounty #BugBountyTip
#100BugBountySecrets
🧵👇🏻
Bug Bounty with One-Line Bash Scripts💵😎
You can mention your favorite script. I will add them to this thread.
#BugBounty #BugBountyTip
#100BugBountySecrets
🧵👇🏻
1/ #Secret2
🎯 Hunt #XSS:
👉🏻 cat targets.txt | anew | httpx -silent -threads 500 | xargs -I@ dalfox url @
👉🏻 cat targets.txt | getJS | httpx --match-regex "addEventListener\((?:'|\")message(?:'|\")"
#BugBounty #BugBountyTip
#100BugBountySecrets
🧵👇🏻
🎯 Hunt #XSS:
👉🏻 cat targets.txt | anew | httpx -silent -threads 500 | xargs -I@ dalfox url @
👉🏻 cat targets.txt | getJS | httpx --match-regex "addEventListener\((?:'|\")message(?:'|\")"
#BugBounty #BugBountyTip
#100BugBountySecrets
🧵👇🏻
2/ #Secret2
🎯 Hunt #SQLi:
👉🏻httpx -l targets.txt -silent -threads 1000 | xargs -I@ sh -c 'findomain -t @ -q | httpx -silent | anew | waybackurls | gf sqli >> sqli ; sqlmap -m sqli --batch --random-agent --level 1'
#BugBounty #BugBountyTip
#100BugBountySecrets
🧵👇🏻
🎯 Hunt #SQLi:
👉🏻httpx -l targets.txt -silent -threads 1000 | xargs -I@ sh -c 'findomain -t @ -q | httpx -silent | anew | waybackurls | gf sqli >> sqli ; sqlmap -m sqli --batch --random-agent --level 1'
#BugBounty #BugBountyTip
#100BugBountySecrets
🧵👇🏻
We are just starting our session @hasgeek. @abh1sek talking about data breaches and how they happen.
hasgeek.com/rootconf/data-…
Join the live stream on the webpage.
#datasecurity
hasgeek.com/rootconf/data-…
Join the live stream on the webpage.
#datasecurity
Thank you @hasgeek for giving us this amazing platform to talk about what we love most #datasecurity #appsec
#cloudsecurity
#cloudsecurity
Agenda for the session
