Abhishek Meena
Nov 8 · 16 tweets · 13 min read
Denial of Service (DOS) Attack Tips

Intro : Denial of Service is an attack on a service that disrupts its normal functioning and prevents other users from accessing it.

Where to find
This vulnerability can appear in all features of the application.

How to exploit🧵(1/n) :👇
🏹Cookie bomb #bugbounty #infosec #DOS
. . .
https://target.com/index.php?para…

After submitting "xxxxxxxxxxxxxx" as the value of param1, check your cookies. If a cookie now holds the value "xxxxxxxxxxxxxxxxxxxxxx", the website is vulnerable.
🏹Try submitting a very long payload to a form, for example a very long password or a very long email.
. . .

POST /register HTTP/1.1
Host: target.com

username=victim&password=aaaaaaaaaaaaaaa

#bugbounty #infosec #DOS
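Server-side limits are what make these two tests come back negative. The following is an added example, not code from the thread: per-field and whole-body size limits for the registration form above, and the cookie-bomb pattern (a query parameter copied verbatim into a cookie) beside a hardened version that keeps the value server-side and lets the cookie carry only an opaque id. The field names, limits and the in-memory session store are assumptions chosen for illustration.

```python
# Added example (not from the thread): request-size limits and a safe cookie policy.
# Field names, limits and the session store below are illustrative assumptions.
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qsl

# Per-field upper bounds for the registration form (constructed values).
FIELD_LIMITS = {"username": 64, "email": 254, "password": 128}
MAX_BODY_BYTES = 8 * 1024   # reject the whole request before parsing it
MAX_PREFERENCE_CHARS = 64   # bound on any user-chosen value we remember
SAFE_VALUE = re.compile(r"^[A-Za-z0-9._~-]+$")  # no separators, no control chars

# Stand-in for a server-side session store (constructed; real code would use a DB/cache).
SESSIONS: Dict[str, Dict[str, str]] = {}


def validate_registration(raw_body: bytes) -> List[str]:
    """Return validation errors for an application/x-www-form-urlencoded body.

    The body size is checked before parsing, so a multi-megabyte password is
    rejected for the cost of one length comparison rather than a full parse
    and a slow password hash.
    """
    if len(raw_body) > MAX_BODY_BYTES:
        return [f"body exceeds {MAX_BODY_BYTES} bytes"]
    fields = dict(parse_qsl(raw_body.decode("utf-8", "replace"), keep_blank_values=True))
    errors: List[str] = []
    for name, limit in FIELD_LIMITS.items():
        value = fields.get(name)
        if value is None:
            errors.append(f"{name} is required")
        elif len(value) > limit:
            errors.append(f"{name} exceeds {limit} characters")
    unknown = set(fields) - set(FIELD_LIMITS)
    if unknown:
        errors.append("unexpected fields: " + ", ".join(sorted(unknown)))
    return errors


def remember_preference_unsafe(query: Dict[str, str]) -> str:
    """The pattern behind the cookie-bomb test: a request parameter is copied
    verbatim into a Set-Cookie value, so its size is entirely client-chosen.
    Once the cookie is large enough, every later request from that browser is
    rejected by the server's header-size limit."""
    return f"param1={query.get('param1', '')}; Path=/"


def remember_preference(query: Dict[str, str], session_id: str) -> Optional[str]:
    """Hardened: validate and bound the value, keep it server-side, and let the
    cookie carry only the opaque session id. Returns the Set-Cookie value, or
    None when the input is refused."""
    value = query.get("param1", "")
    if len(value) > MAX_PREFERENCE_CHARS or not SAFE_VALUE.match(value):
        return None
    SESSIONS.setdefault(session_id, {})["param1"] = value
    return f"sid={session_id}; Path=/; HttpOnly; Secure; SameSite=Lax"
```

The vulnerable variant is kept only to show the shape to look for in code review: any `Set-Cookie` whose value is derived from a request parameter without a length bound.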
🏹Pixel flood: upload an image with a huge pixel count

Reference Video :

#bugbounty #infosec #DOS
🏹Sometimes a website exposes a parameter that adjusts the size of an image, for example
. . .
https://target.com/img/vulnerable.jpg?width=500&height=500

Try changing "500" to "99999999999"

https://target.com/img/vulnerable.jpg?width=99999999999&height=99999999999
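What the resize parameters and the pixel-flood test above exercise is the image decoder's memory budget, so the defensive check belongs before any decoding happens. The following is an added example, not the thread's code: it bounds width and height from the query string, enforces a total pixel budget, and reads the declared dimensions out of a PNG's IHDR chunk so an upload can be refused before it is decoded. The limits are assumed values, and the PNG headers are constructed inline.

```python
# Added example (not from the thread): bound resize parameters and check declared
# image dimensions before decoding. MAX_DIMENSION and MAX_PIXELS are assumptions.
import struct
from typing import Optional, Tuple

MAX_DIMENSION = 4096          # per-axis cap (assumed)
MAX_PIXELS = 16_000_000       # total pixel budget per decode (assumed)
PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def parse_dimension(raw: Optional[str]) -> int:
    """Parse one query parameter as a positive integer no larger than MAX_DIMENSION.

    The digit/length check runs before int() so an 11-digit value is refused
    without ever being converted or handed to the resizer.
    """
    if raw is None or not (raw.isascii() and raw.isdigit()) or len(raw) > 5:
        raise ValueError("dimension must be a small positive integer")
    value = int(raw)
    if not 1 <= value <= MAX_DIMENSION:
        raise ValueError(f"dimension must be between 1 and {MAX_DIMENSION}")
    return value


def validate_resize(width: Optional[str], height: Optional[str]) -> Tuple[int, int]:
    """Return (w, h) for ?width=..&height=.. or raise ValueError.
    Both axes are capped individually and the product is capped as well, since
    4096 x 4096 alone would already exceed the budget chosen here."""
    w, h = parse_dimension(width), parse_dimension(height)
    if w * h > MAX_PIXELS:
        raise ValueError(f"{w}x{h} exceeds the {MAX_PIXELS}-pixel budget")
    return w, h


def png_dimensions(data: bytes) -> Tuple[int, int]:
    """Read width and height from the IHDR chunk (always the first chunk, bytes
    16..24 of the file) without decoding any pixel data."""
    if len(data) < 24 or data[:8] != PNG_SIGNATURE or data[12:16] != b"IHDR":
        raise ValueError("not a PNG")
    return struct.unpack(">II", data[16:24])


def accept_upload(data: bytes) -> bool:
    """True only if the declared dimensions fit the per-axis cap and pixel budget."""
    w, h = png_dimensions(data)
    return 1 <= w <= MAX_DIMENSION and 1 <= h <= MAX_DIMENSION and w * h <= MAX_PIXELS


# Constructed 24-byte PNG prefixes. The first declares 100000 x 100000 pixels: a
# pixel-flood header, which compresses to a tiny file but would need tens of
# gigabytes to decode. The second declares an ordinary 640 x 480 image.
FLOOD_PNG_HEADER = PNG_SIGNATURE + struct.pack(">I", 13) + b"IHDR" + struct.pack(">II", 100_000, 100_000)
SMALL_PNG_HEADER = PNG_SIGNATURE + struct.pack(">I", 13) + b"IHDR" + struct.pack(">II", 640, 480)
```

The same header-only check applies to other formats (JPEG's SOF segment, GIF's logical screen descriptor); the point is that declared dimensions are available for a few bytes of parsing and should gate the expensive decode.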
🏹Try changing a header's value to something unexpected, for example:

Accept-Encoding: gzip, gzip, deflate, br, br

#bugbounty #infosec #DOS
🏹Sometimes, while testing for a "No rate limit" bug, the server goes down after enough attempts because it cannot cope with that many requests

🏹ReDoS (Regex DoS) occurs due to a poorly written regular expression

🏹CPDoS (Cache Poisoned Denial of Service) :
cpdos.org

#bugbounty #infosec #DOS
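For the ReDoS point above, the defender's questions are which patterns deserve a second look and how to keep untrusted input from reaching them unbounded. The following is an added example, not from the thread: a small heuristic scan (my own, not a published tool) that flags a group containing an unbounded quantifier that is itself repeated without bound, plus a wrapper that refuses overlong input before the regex runs. The function names and the 256-character limit are assumptions.

```python
# Added example (not from the thread): two defensive checks against ReDoS. The
# nested-quantifier scan is a review heuristic, not a proof of safety or danger;
# the input bound is the cheap runtime safeguard. Names and limits are assumptions.
import re
from typing import Optional

# "{n,}" with no upper bound is as unbounded as "*" or "+".
_UNBOUNDED_BRACE = re.compile(r"\{\d*,\}")
MAX_REGEX_INPUT = 256  # assumed ceiling on input handed to user-facing regexes


def _unbounded_quantifier_at(pattern: str, i: int) -> bool:
    """True if an unbounded quantifier (*, +, {n,}) starts at index i."""
    if i >= len(pattern):
        return False
    if pattern[i] in "*+":
        return True
    return pattern[i] == "{" and _UNBOUNDED_BRACE.match(pattern, i) is not None


def has_nested_unbounded_quantifier(pattern: str) -> bool:
    r"""Heuristic: flag a group that contains an unbounded quantifier and is itself
    repeated without bound, e.g. (a+)+ or (\w+\s?)*. Character classes and escaped
    characters are skipped so "[a+]" and "\(" are not mistaken for quantifiers or
    groups, and "(?:", "(?=", "(?<!", "(?P<name>" prefixes are not read as "?"."""
    stack = []          # one entry per open group: unbounded quantifier seen inside?
    in_class = False
    i, n = 0, len(pattern)
    while i < n:
        c = pattern[i]
        if c == "\\":           # escaped character: skip it and the next one
            i += 2
            continue
        if in_class:
            if c == "]":
                in_class = False
            i += 1
            continue
        if c == "[":
            in_class = True
        elif c == "(":
            stack.append(False)
            if i + 1 < n and pattern[i + 1] == "?":
                i += 2          # skip the group-type prefix up to its terminator
                while i < n and pattern[i] not in ":=!>)":
                    i += 1
                if i < n and pattern[i] != ")":
                    i += 1
                continue
        elif c == ")":
            inner = stack.pop() if stack else False
            if inner and _unbounded_quantifier_at(pattern, i + 1):
                return True
        elif _unbounded_quantifier_at(pattern, i):
            if stack:
                stack[-1] = True
        i += 1
    return False


def bounded_fullmatch(regex: "re.Pattern[str]", text: str,
                      max_len: int = MAX_REGEX_INPUT) -> Optional["re.Match[str]"]:
    """Refuse to run a regex over overlong input instead of letting it backtrack.
    Backtracking cost grows with input length, so a hard bound caps the worst case
    even for a pattern the scan above did not catch."""
    if len(text) > max_len:
        raise ValueError(f"input exceeds {max_len} characters")
    return regex.fullmatch(text)


# A typical validation pattern: no nested unbounded repetition, so the scan passes it.
EMAIL = re.compile(r"^[a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]{2,}$")
```

The scan produces false positives (a repeated group whose inner repetition cannot overlap with the outer one is harmless) and misses overlapping alternations, so treat a hit as "review this pattern", and treat the length bound as the control that always applies.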
🏹HTTP Header Oversize (HHO)

A malicious client sends an HTTP GET request including a header larger than the size supported by the origin server but smaller than the size supported by the cache

#bugbounty #infosec #DOS

More :👇
GET /index.html HTTP/1.1
Host: victim.com
X-Oversized-Header-1: Big_Value

The response is

HTTP/1.1 400 Bad Request

Header size exceeded

#bugbounty #infosec #DOS
🏹HTTP Meta Character (HMC)

This attack tries to bypass a cache with a request header containing a harmful meta character. Meta characters can be, e.g., control characters such as line feed (\n), carriage return (\r) or bell (\a).

#bugbounty #infosec #DOS

More : 👇
GET /index.html HTTP/1.1
Host: victim.com
X-Meta-Malicious-Header: \r\n

The response is

HTTP/1.1 400 Bad Request

Character not allowed

#bugbounty #infosec #DOS
🏹HTTP Method Override (HMO) #bugbounty
There are several headers that allow overriding the original HTTP method of a request. Some of these headers are:

1. X-HTTP-Method-Override
2. X-HTTP-Method
3. X-Method-Override

#bugbounty #infosec #DOS

More : 👇
The header instructs the application to override the HTTP method of the request.
. . .

GET /index.php HTTP/1.1
Host: victim.com
X-HTTP-Method-Override: POST

The response is

HTTP/1.1 404 Not Found

POST on /index.php not found

#bugbounty #infosec #DOS
🏹X-Forwarded-Port

GET /index.php?dontpoisoneveryone=1 HTTP/1.1
Host: hackerone.com
X-Forwarded-Port: 123
...

#bugbounty #infosec #DOS
🏹X-Forwarded-Host

GET /index.php?dontpoisoneveryone=1 HTTP/1.1
Host: hackerone.com
X-Forwarded-Host: hackerone.com:123
...

#bugbounty #infosec #DOS
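The CPDoS variants above (HHO, HMC, HMO) and the X-Forwarded-* requests all depend on the same two cache behaviours: forwarding a client-supplied header that the origin will reject or reinterpret, and then storing the resulting error under the page's cache key where every other visitor receives it. The following is an added example, not from the thread or cpdos.org: an edge-side request filter that rejects oversized headers and control characters before the origin sees them, drops client-supplied method-override and X-Forwarded-* headers in favour of values the edge sets itself, and a storage policy that never caches error responses. The header-size limit, the storable status set, X-Forwarded-Proto and the function names are assumptions; the override and forwarded header names come from the thread.

```python
# Added example (not from the thread): edge/cache hardening against the CPDoS
# variants and X-Forwarded-* cache-key tricks. Limits and status set are assumptions.
import re
from typing import Dict, Optional, Tuple

ORIGIN_MAX_HEADER_BYTES = 8192                    # assumed origin limit
CACHE_MAX_HEADER_BYTES = ORIGIN_MAX_HEADER_BYTES   # must never exceed the origin's

# Client-supplied overrides the edge refuses to honour (names from the thread).
METHOD_OVERRIDE_HEADERS = {"x-http-method-override", "x-http-method", "x-method-override"}
FORWARDED_HEADERS = {"x-forwarded-host", "x-forwarded-port", "x-forwarded-proto"}
# Any control character except horizontal tab is illegal in a header field value.
CONTROL_CHARS = re.compile(r"[\x00-\x08\x0a-\x1f\x7f]")
# Statuses the hardened cache is willing to store (assumption: success only).
STORABLE_STATUS = {200, 203, 204, 206, 300, 301, 308}


def sanitize_request(headers: Dict[str, str], scheme: str = "https",
                     port: int = 443) -> Tuple[Dict[str, str], Optional[str]]:
    """Return (headers to forward to the origin, rejection reason or None).

    Rejections happen at the edge, before the origin is asked, so the origin
    never produces an error page that could be stored under the page's key.
    """
    forwarded: Dict[str, str] = {}
    for name, value in headers.items():
        lname = name.lower()
        if lname in METHOD_OVERRIDE_HEADERS or lname in FORWARDED_HEADERS:
            continue  # dropped, not honoured
        if len(name) + len(value) + 4 > CACHE_MAX_HEADER_BYTES:  # "Name: value\r\n"
            return {}, f"header {name} exceeds {CACHE_MAX_HEADER_BYTES} bytes"
        if CONTROL_CHARS.search(value):
            return {}, f"control character in header {name}"
        forwarded[name] = value
    # The edge states the forwarding facts itself, from the connection it accepted,
    # so the origin (and the cache key) never see a client-chosen host or port.
    forwarded["X-Forwarded-Host"] = headers.get("Host", "")
    forwarded["X-Forwarded-Port"] = str(port)
    forwarded["X-Forwarded-Proto"] = scheme
    return forwarded, None


def is_storable(status: int, response_headers: Dict[str, str]) -> bool:
    """Decide whether the cache may store a response: success statuses only, and
    never when the origin says no-store or private. Error responses are not
    stored, so one crafted request cannot poison the entry for everyone else."""
    if status not in STORABLE_STATUS:
        return False
    directives = {d.strip().lower()
                  for d in response_headers.get("Cache-Control", "").split(",")}
    return not directives & {"no-store", "private"}


# Constructed requests mirroring the thread's three CPDoS probes.
HHO_REQUEST = {"Host": "victim.com", "X-Oversized-Header-1": "B" * 9000}
HMC_REQUEST = {"Host": "victim.com", "X-Meta-Malicious-Header": "a\r\nb"}
HMO_REQUEST = {"Host": "victim.com", "X-HTTP-Method-Override": "POST",
               "X-Forwarded-Port": "123", "X-Forwarded-Host": "victim.com:123"}
```

The storable-status set is deliberately stricter than what HTTP permits by default (a cache may store some error statuses such as 404); the design choice here is that an error produced by one client's unusual request should never become the response served to everyone.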
Hope you like the Thread🧵 on Denial of Service attack (DOS) #bugbounty #infosec #DOS

Follow me for more

Join My Bugbountytips Group :
t.me/bugbountyresou…
