CSRF:
- Check if the token is present on any form it should be
- Server checks if the token length is correct
- Server checks if parameter is there
- Server accepts empty parameter
- Server accepts responds without CSRF token
- Token is not session bound
JWT:
- None-signing algorithm is allowed
- Secret is leaked somewhere
- Server never checks secret
- Secret is easily guessable or brute-forceable
Open redirect bypass:
- test.com/expected.com
- Javascript openRedirects
- Hidden link open redirects
- Using // to bypass
- https:test.com (browser might correct this, filter might not catch it)
- /\ to bypass
- %00 to bypass (null byte)
- @ to bypass
BAC
- Test higher Priv functions should not be able to be executed by lower Priv user
βTest ALL user levels
β Test with authorise
β JS Functions via developer console
β Copy and paste of URL
IDOR
- Test between ALL tenants (companies hosted on one server/database. Can also be divisions of companies)
β Test with authorise
β JS Functions via developer console
β Copy and paste of URL
Captcha bypasses
- Try change request method
- Remove the captcha param from the request
- leave param empty
- Fill in random value
LFI
- Using // to bypass
- /\ to bypass
- \\
- %00 to bypass (null byte)
- @ to bypass
- URL encoding
- double encodings
RFI:
- Using // to bypass
- /\ to bypass
- \\
- %00 to bypass (null byte)
- @ to bypass
- URL encoding
- double encodings
SQLi:
- ββ to trigger
β SQLmap
XXE:
- SVG files (images), DOCX/XLSX, SOAP, anything XML that renders
- Blind SSRF, file exfiltration, command exec
Template injections (CSTI/SST)
- ${7*7}
- If resolves, what templating engine
- Try exploit by looking at manuals
β URL encode special chars ({}*)
β HTML entities
β Double encodings
XSS:
- ββ`><img src=x> into every input field, the moment you register and start using the application
- Enter a random value into every parameter and look for reflection
- See what context reflection is in
- Craft attack vector based on context
JS
HTML
HTML tag attribute
β¦
β Url encode
β HTML entities
β Capital letters
β BASE64 encode payload
- CSP might be active
β Try bypasses
β See what is active and where script can be gotten from
β Encode them in base64
β Mascarade script as data
SSRF
- SSRF against server itself
- SSRF against other servers on the network
Command injection
- Test every single parameter
- Make a list of commands + command separators for target OS
My amazing hacker rats, please be kind to each other <3 Don't start "exposing" people on profiles they never hack on .. don't start wars.
I did the same and I was wrong to do so, I said sorry in a public tweet for that.
If you want to judge, I will let my students speak though
90 pages of 5 star reviews
43 Pages with 5 star reviews
9 pages with 3 star reviews
4 pages of 2 star reviews
4 pages of 1 star reviews
Over 95 000 students on udemy... I don't think I have anything to be ashamed of :3
Lastly I want to thank everyone for believing in me <3
I have a good heart and it might not always seem like I mean well due to several issues such as autism but I am learning :D I am so happy to speak to every single one of you and the fact that there are better hackers than me with less of a following ... well duh (see next tweet)
#bugbountytip Broad scope target: 1) Subdomain enum 2) httprobe 3) subdomain flyover 4) Nuclei (develop your own templates as well) 5) Portscan
Now pay attention
1/4
6) Write subdomains to database for later use 7) If new domain goes into db, do full nuclei scan 8) If new nuclei template, scan old domains
BAM testing <3 9) Optional, do a cronjob every 3 weeks with nuclei
(Companies release new software that might break other things)
2/4
Now we go in manual 10) Look at screenshots
10.a) Subdirectory and file brute forcing all custom login pages
10.b) Look up default credentials for std. accounts 11) Go to google
11.a) site:target.com -www
11.b) site:target.com -mail
3/4