Hi Friends #bugbountytips #recon #bugbountytip
Here is a good thread of my brother @tabaahi_
Beside this I am also gonna share my old Notes on Recon which I shared in past but again sharing
Below is thread 🧵🧵🧵🧵
Here is a good thread of my brother @tabaahi_
https://twitter.com/LearnerHunter/status/1568612845654519808
Beside this I am also gonna share my old Notes on Recon which I shared in past but again sharing
Below is thread 🧵🧵🧵🧵
1. Finding all subdomains -> amass + assetfinder + findomain + subfinder + github-subdomain
2. Sort and Unique mean merge them to all-subdomains.txt
3. Resolve those subdomains - is ip/domain live?
4. check for alive subdomains -> httpx or httprobe -> prefer httpx
2. Sort and Unique mean merge them to all-subdomains.txt
3. Resolve those subdomains - is ip/domain live?
4. check for alive subdomains -> httpx or httprobe -> prefer httpx
5. got https subdomains -> arrange with status code like 200,302,403,404,500
6. visual recon on these subdomains -> gowitness, eyewitness, aquatone
7. Port scans on these subdomains => naabu + nmap
8. Content discovery on them -> ffuf, wfuzz, dirsearch, gobuster
6. visual recon on these subdomains -> gowitness, eyewitness, aquatone
7. Port scans on these subdomains => naabu + nmap
8. Content discovery on them -> ffuf, wfuzz, dirsearch, gobuster
Now, We need to check following things ->
9. what server is using by targets ?
10. what libraries & languages use by targets ?
like -> php, asp
9. what server is using by targets ?
10. what libraries & languages use by targets ?
like -> php, asp
11. We need to check cookies and session to know tech and infrastructure
Based on cookies/session -> we can enhance our attacks from experiences
Like, some cookie or session tell us about ->
11.1 what waf are using ?
11.2 what other attack can we try ?[JWT,XSS,sqli etc]
Based on cookies/session -> we can enhance our attacks from experiences
Like, some cookie or session tell us about ->
11.1 what waf are using ?
11.2 what other attack can we try ?[JWT,XSS,sqli etc]
12. Check what CMS is using -> wordpress,joomla etc
13. Grab all JS Files and enumerate it for juicy information using manually or using tools
Tool -> jsscanner , linkfinder, jsfinder, relative-url-extractor and lots of one liner commands , getjs
13. Grab all JS Files and enumerate it for juicy information using manually or using tools
Tool -> jsscanner , linkfinder, jsfinder, relative-url-extractor and lots of one liner commands , getjs
Juicy Information like ->
interesting url
intersting js library
interesting subdomain
interesting api
internal ports or portals and their creds -> port scan on internal domains
default test user creds
db creds
hardcoded secrets
hidden paths
and lots of
interesting url
intersting js library
interesting subdomain
interesting api
internal ports or portals and their creds -> port scan on internal domains
default test user creds
db creds
hardcoded secrets
hidden paths
and lots of
14. By Understand JS Code -> we can get ->
dom xss ,
Postmessage vulns,
Logical Bugs,
check for outdated frameworks and components [multiple vulnerabilities can be there]
and many things are there
dom xss ,
Postmessage vulns,
Logical Bugs,
check for outdated frameworks and components [multiple vulnerabilities can be there]
and many things are there
Examples to extract JS Stuffs ->
echo "target.com" | gau | grep -iE '\.js$' | httpx -status-code -mc 200 -content-type | grep 'application/javascript'
cat targets.txt | subjs
echo "target.com" | gau | grep -iE '\.js$' | httpx -status-code -mc 200 -content-type | grep 'application/javascript'
cat targets.txt | subjs
Usually What I do is ->
waybackurls + gau + hakrawl => endpoints.txt
cat targets.txt | subjs -> subjs-js.txt
cat endpoints.txt subjs-js.txt | sort -u | all-js.txt
Now enumeration on this file
Yeah I do more more ways for grabbing JS Files
waybackurls + gau + hakrawl => endpoints.txt
cat targets.txt | subjs -> subjs-js.txt
cat endpoints.txt subjs-js.txt | sort -u | all-js.txt
Now enumeration on this file
Yeah I do more more ways for grabbing JS Files
15. JS Enumeration continues ->
extract API Stuff ->
cat file.js | grep -aoP "(?<=(\"|\'|\'))\\/[a-zA-Z0-9_?&=\\/\\-\\#\\.]*(?=(\\"|\\'|\\'))" | sort -u
Deobfuscate Javascript
extract API Stuff ->
cat file.js | grep -aoP "(?<=(\"|\'|\'))\\/[a-zA-Z0-9_?&=\\/\\-\\#\\.]*(?=(\\"|\\'|\\'))" | sort -u
Deobfuscate Javascript
If see -> var test=" or var page=" in JS File or page source , try to append these as GET Parameters and check for bugs there
Monitor JS Changes regularly
Monitor JS Changes regularly
16. Time to Fetch all URLS or enumeration on them
Time to get all URLs and parameters from those web file that is alive-hosts and do enumeration on them for vulns or other things
Fetching URLs -> Might Lead to -> SSTI, XSS, SQLi, SSRF, Open Redirect, IDOR etc
Time to get all URLs and parameters from those web file that is alive-hosts and do enumeration on them for vulns or other things
Fetching URLs -> Might Lead to -> SSTI, XSS, SQLi, SSRF, Open Redirect, IDOR etc
17. Time for Github RECON ->
Now use github to more recon for juicy info using tools like gwen github tools , gitrob, git-hound etc or manually using Github Dorks
Be Smart with tools available like -> Nuclei,httpx,jaeles-signature
Now use github to more recon for juicy info using tools like gwen github tools , gitrob, git-hound etc or manually using Github Dorks
Be Smart with tools available like -> Nuclei,httpx,jaeles-signature
18. Mostly focus on Request and Response Headers during Manual Hunting
Don't make much noise by flooding useless payloads
Be smart with it
Try for Blind Attacking things like -> blind xss,blind sqli, blind ssrf etc
19. Make wordlists with custom tools using target
Don't make much noise by flooding useless payloads
Be smart with it
Try for Blind Attacking things like -> blind xss,blind sqli, blind ssrf etc
19. Make wordlists with custom tools using target
20. Time for Attacking things ->
20.1 Attacking Web Servers
=======================>
File inclusion
Command injection
Unrestricted upload
Server side request forgery
20.1 Attacking Web Servers
=======================>
File inclusion
Command injection
Unrestricted upload
Server side request forgery
20.2 Attacking Data stores
=======================>
Sql injection
Xml injections
xpath injection
The XML External Entity injection (xxe)
entity expansion attack
soap injecting
Ldap injection
=======================>
Sql injection
Xml injections
xpath injection
The XML External Entity injection (xxe)
entity expansion attack
soap injecting
Ldap injection
20.3 Attacking Users
================>
Html injection
Cross site scripting
Cross site request forgery
HTTP parameter injection
Click jacking
================>
Html injection
Cross site scripting
Cross site request forgery
HTTP parameter injection
Click jacking
20.4 Other Attacks
=======================>
Subdomain takeover
Insecure cors
SMTP injection
Host Header attack
Cache poisoning attack
CRLF Injection
HTTP Request Smuggling
Insecure Deserialization
Missing SPF record
Type juggling
Php remote xdebug vulnerability
=======================>
Subdomain takeover
Insecure cors
SMTP injection
Host Header attack
Cache poisoning attack
CRLF Injection
HTTP Request Smuggling
Insecure Deserialization
Missing SPF record
Type juggling
Php remote xdebug vulnerability
Using components with known vulnerabilities:
Race conditions
HTTP verb tempering
Insufficient Logging and Monitoring
====
20.5 Attacking Authentication
=========================>
Authentication Methods
HTTP Authentication
2 factor Authentication Bypass
Insecure captcha
Race conditions
HTTP verb tempering
Insufficient Logging and Monitoring
====
20.5 Attacking Authentication
=========================>
Authentication Methods
HTTP Authentication
2 factor Authentication Bypass
Insecure captcha
20.6 Attacking Access control
=========================>
Horizontal Access control
IDOR
Vertical Access Control
Context Based Access Control
=========================>
Horizontal Access control
IDOR
Vertical Access Control
Context Based Access Control
That's it my friends.
Next time -> I will share some good resources
Thanks
Next time -> I will share some good resources
Thanks
• • •
Missing some Tweet in this thread? You can try to
force a refresh
