Abhishek Meena
Nov 23 14 tweets 4 min read
Testing for IDOR ( Manual-Method )
#bugbounty #infosec

🧵(1/n) :👇
➡ Base Steps :

1. Create two accounts if possible, or else enumerate users first.
2. Check whether the endpoint is private or public and whether it contains any kind of ID parameter.
3. Try changing the parameter value to another user's ID and see whether it does anything to their account.

🧵(2/n) :👇
➡ Testcase 1: Add IDs to requests that don’t have them

GET /api/MyPictureList → /api/MyPictureList?user_id=<other_user_id>

Pro tip: You can find parameter names to try by deleting or editing other objects and seeing the parameter names used.

🧵(3/n) :👇
➡ Testcase 2: Try replacing parameter names

🧵(4/n) :👇
➡ Testcase 3: Supply multiple values for the same parameter.

🧵(5/n) :👇
➡ Testcase 4: Try changing the HTTP request method when testing for IDORs

🧵(6/n) :👇
➡ Testcase 5: Try changing the request’s content type

🧵(7/n) :👇
➡ Testcase 6: Try changing the requested file type (Test if Ruby)

🧵(8/n) :👇
➡ Testcase 7: Does the app ask for non-numeric IDs? Use numeric IDs instead

🧵(9/n) :👇
➡ Testcase 8: Try using an array

🧵(10/n) :👇
➡ Testcase 9: Wildcard ID
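As an added example (not code from the thread), a toy picture endpoint in Python showing the pattern behind the base steps and Testcases 1, 3, 8 and 9: a handler that honours a client-supplied user_id beside a hardened one that takes identity from the session and checks object ownership through a strict ID parser. The PICTURES table and all function names are constructed for the illustration.

```python
from typing import Dict, List

# Constructed sample data: picture id -> owner user id
PICTURES: Dict[int, int] = {101: 1, 102: 1, 201: 2}


class Forbidden(Exception):
    """Raised when the caller does not own the requested object."""


def list_pictures_vulnerable(session_user: int, params: Dict[str, List[str]]) -> List[int]:
    """Honours ?user_id= from the client (Testcase 1): adding the parameter
    returns another user's list. Taking the last value also means
    user_id=<own>&user_id=<other> (Testcase 3) is decided by the caller."""
    raw = params.get("user_id", [str(session_user)])[-1]
    owner = int(raw)
    return sorted(pid for pid, o in PICTURES.items() if o == owner)


def list_pictures_hardened(session_user: int, params: Dict[str, List[str]]) -> List[int]:
    """Identity comes only from the authenticated session; a client-supplied
    user_id is ignored rather than honoured."""
    return sorted(pid for pid, o in PICTURES.items() if o == session_user)


def parse_single_int_id(params: Dict[str, List[str]], name: str) -> int:
    """Strict id parser: exactly one value under the exact key, ASCII decimal
    digits only. This rejects duplicate keys (Testcase 3), array forms such as
    id[] (Testcase 8) and wildcards like * (Testcase 9) before any lookup."""
    values = params.get(name)
    if values is None or len(values) != 1:
        raise ValueError(f"{name}: exactly one value required")
    value = values[0]
    if not (value.isascii() and value.isdigit()):
        raise ValueError(f"{name}: numeric id required")
    return int(value)


def get_picture_hardened(session_user: int, params: Dict[str, List[str]]) -> int:
    """Object-level authorization: parse the id, look the object up, then
    check ownership. Missing and foreign objects get the same error so the
    response does not reveal which ids exist."""
    pid = parse_single_int_id(params, "id")
    if PICTURES.get(pid) != session_user:
        raise Forbidden(f"picture {pid} is not accessible to user {session_user}")
    return pid
```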

🧵(11/n) :👇
➡ Testcase 10: Pay attention to new features

🧵(12/n) :👇
➡ Extra IDOR Tips :

• Looking for high impact IDOR?
• Always try to find the hidden parameters for these endpoints using Arjun and Paramith
• /settings/profile
• /user/profile
• /user/settings
• /account/settings
• /username
• /profile
And any payment endpoint

🧵(13/n) :👇
Thanks For Reading This Amazing Thread 🧵On :
Testing for IDOR ( Manual-Method )

==
Join My Bugbounty Tips Group : t.me/bugbountyresou…
==

#bugbounty #infosec #hacking
