Bug Hunter Handbook
Misc

Last updated 6 months ago

SSL Pinning - 
https://www.youtube.com/watch?v=is8lHjEkk7U


How HTTP works?

How SSL / TLS works?

How DNS works?

How OAuth works?

https://twitter.com/s0md3v/status/1168846854689132544


https://twitter.com/hackerscrolls/status/1269266750467649538


https://blog.avuln.com/article/4


https://dhavalkapil.com/blogs/Attacking-the-OAuth-Protocol/


https://webstersprodigy.net/2013/05/09/common-oauth-issue-you-can-use-to-take-over-accounts/


https://research.nccgroup.com/2020/07/07/an-offensive-guide-to-the-authorization-code-grant/


https://www.youtube.com/watch?v=O762qjAjAyo&list=PLnICOE3KiEs9J65ndHOeOYDiyA7FhI1g9&index=6&t=0s


https://maxfieldchen.com/posts/2020-05-17-penetration-testers-guide-oauth-2.html


https://medium.com/@apkash8/oauth-and-security-7fddce2e1dc5


https://medium.com/@lokeshdlk77/bypass-oauth-nonce-and-steal-oculus-response-code-faa9cc8d0d37


https://t.co/FYJdf7Z6nG?amp=1

Had some recent success using untranslatable Unicode in place of a "?" when attacking URL parsers for SSRF/OAuth issues. What worked was... \udfff -> � -> ? Therefore... {"redirectUri":"https://attacker\udfff@[victim]/"} Equals... Location: https://attacker?@[victim]/ - 
https://twitter.com/samwcyo/status/1246997498981494784
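To see why the lone surrogate changes the parse, here is an added Python example (not the tweet author's code and not from this page): it decodes the JSON body shape quoted above, models a downstream component that re-encodes the string with a best-fit "?" replacement, and compares the host a URL parser sees before and after that step. The host name victim.example (standing in for [victim]), the function names, and the assumption that the lossy step behaves like Python's "replace" error handler are illustrative.

```python
import json
from urllib.parse import urlsplit

# Constructed sample body in the shape quoted in the tweet: a lone low surrogate
# (\udfff) sits between the attacker prefix and "@victim". "victim.example"
# stands in for the bracketed [victim] placeholder (assumption).
RAW_BODY = '{"redirectUri":"https://attacker\\udfff@victim.example/"}'


def parse_redirect_uri(raw_json: str) -> str:
    """Decode the JSON the way a lenient parser does: json.loads keeps the
    unpaired surrogate as a code point instead of rejecting the document."""
    return json.loads(raw_json)["redirectUri"]


def best_fit_bytes(uri: str) -> str:
    """Model a later component that cannot encode the lone surrogate and falls
    back to a best-fit replacement, which is '?' under Python's 'replace'
    handler (assumed to match the behaviour the tweet observed)."""
    return uri.encode("utf-8", errors="replace").decode("ascii")


def host_of(uri: str) -> str:
    """The host a URL parser believes this URL points at."""
    return urlsplit(uri).hostname or ""


def differential(raw_json: str) -> dict:
    """Host seen by the validator (before the lossy step) vs. host after it.

    Before: netloc is 'attacker\\udfff@victim.example', so the host is the
    victim. After: '?' ends the netloc, so the host is 'attacker' and
    '@victim.example/' becomes the query string."""
    original = parse_redirect_uri(raw_json)
    rewritten = best_fit_bytes(original)
    return {
        "validated_host": host_of(original),   # 'victim.example'
        "final_host": host_of(rewritten),      # 'attacker'
        "rewritten_uri": rewritten,            # 'https://attacker?@victim.example/'
        "host_changed": host_of(original) != host_of(rewritten),
    }


def accept_redirect_uri(uri: str, registered_host: str) -> bool:
    """Hardened check (added here, not from the page): refuse anything that is
    not plain ASCII so no later lossy re-encoding can change the parse, then
    compare scheme and host exactly against the registered value."""
    if not uri.isascii():
        return False
    parts = urlsplit(uri)
    return parts.scheme == "https" and (parts.hostname or "") == registered_host


if __name__ == "__main__":
    print(differential(RAW_BODY))
```

The point of the differential is that the validator and the component that emits the Location header disagree about the host; rejecting non-ASCII before validation removes the room for that disagreement.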


https://xpoc.pro/oauth-authentication-bypass-on-airbnb-acquisition-using-weird-1-char-open-redirect/


Got my 1st HTTP Parameter Pollution (HPP) bug rewarded! Targeting an OAuth login: by providing the URL parameter "scope" twice, the page asked for confirmation for the first, but ended up authorizing all the others too:


/oauth?redirect=x&response_type=code&client_id=x&scope=name&scope=email
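As an added example (not the tweet author's code and not the target's), the following Python models the mismatch described above: a consent screen that reads the first scope value and an authorization step that honours every scope value, followed by the check that closes the gap. The query string is the one quoted above; the "first value wins" and "all values honoured" behaviours are assumed for illustration.

```python
from urllib.parse import parse_qs, parse_qsl

# Constructed request from the tweet, placeholder values kept as-is.
QUERY = "redirect=x&response_type=code&client_id=x&scope=name&scope=email"


def consent_screen_scopes(query: str) -> list[str]:
    """Model of the consent page: a 'first value wins' lookup (assumed).
    RFC 6749 3.3 scopes are space-delimited, so a single value may carry several."""
    first: dict[str, str] = {}
    for key, value in parse_qsl(query, keep_blank_values=True):
        first.setdefault(key, value)
    return first.get("scope", "").split()


def granted_scopes(query: str) -> list[str]:
    """Model of the authorization step: every occurrence of 'scope' is honoured
    (assumed). parse_qs returns all values for a repeated parameter."""
    scopes: list[str] = []
    for value in parse_qs(query, keep_blank_values=True).get("scope", []):
        scopes.extend(value.split())
    return scopes


def silently_granted(query: str) -> list[str]:
    """Scopes the issued token carries that the user never saw on the consent screen."""
    shown = set(consent_screen_scopes(query))
    return [s for s in granted_scopes(query) if s not in shown]


def duplicated_parameters(query: str) -> list[str]:
    """Hardened check (added here): parameters appearing more than once.
    RFC 6749 3.1 says request parameters MUST NOT be included more than once,
    so a non-empty result is grounds to reject the whole authorization request."""
    return sorted(
        key for key, values in parse_qs(query, keep_blank_values=True).items()
        if len(values) > 1
    )


if __name__ == "__main__":
    print("shown:", consent_screen_scopes(QUERY))
    print("granted:", granted_scopes(QUERY))
    print("never consented:", silently_granted(QUERY))
    print("reject because duplicated:", duplicated_parameters(QUERY))
```

The legitimate way to request several scopes is one space-delimited `scope` value; rejecting any repeated parameter at the authorization endpoint keeps the consent page and the grant logic reading the same request.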


https://www.hackedu.com/blog/analysis-of-common-federated-identity-protocols-openid-connect-vs-oauth-2.0-vs-saml-2.0


https://twitter.com/apisecurityio/status/1283023445081509888?s=20



Certificate Transparency:

https://www.digicert.com/certificate-transparency/how-it-works.htm


http://www.certificate-transparency.org/how-ct-works


https://medium.com/babylon-engineering/android-security-certificate-transparency-601c18157c44




HTTP headers 



https://www.federacy.com/blog/security-headers-the-whys-and-hows/


https://zgheb.com/i?v=blog&pl=46#sh_acao


https://blog.initd.sh/others-attacks/web-application/http-security-headers-detailed-explanation/


https://www.youtube.com/watch?v=eDauBJUthRo


https://int64software.com/blog/2018/11/05/hardening-website-security-part-1-http-security-headers/


https://blog.detectify.com/2019/02/05/guide-http-security-headers-for-better-web-browser-security/


https://medium.com/@Johne_Jacob/7-security-response-headers-every-security-tester-should-know-77576ffdfc0f


https://www.scip.ch/en/?labs.20180809

JWT:

https://zonksec.com/blog/jwt-hacking-101/
https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/
https://www.slideshare.net/snyff/jwt-insecurity
https://medium.com/101-writeups/hacking-json-web-token-jwt-233fe6c862e6
https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2019/january/jwt-attack-walk-through/
https://www.shawarkhan.com/2019/01/hijacking-accounts-by-retrieving-jwt.html
https://medium.com/@blackhood/simple-jwt-hacking-73870a976750
https://github.com/dwyl/learn-json-web-tokens
https://habr.com/en/post/450054/
https://gist.github.com/pranav1hivarekar/65e59cb95d56acf02ffdaf17b25f4039
https://www.youtube.com/watch?v=rCkDE2me_qk
https://gist.github.com/stefanocoding/8cdc8acf5253725992432dedb1c9c781
https://www.scip.ch/en/?labs.20190523
https://blog.securitybreached.org/2018/10/27/privilege-escalation-like-a-boss/
https://badshah.io/pentesting-jwt-tokens/
https://www.owasp.org/images/0/07/20190222--Nyffenegger-JWAT.pdf
https://www.youtube.com/watch?v=sGvF8wS76Dk
https://www.youtube.com/watch?v=aYz8yPymyvk
http://intx0x80.blogspot.com/2019/10/JWT.html
https://mazinahmed.net/blog/breaking-jwt/
https://research.securitum.com/jwt-json-web-token-security/
https://github.com/ticarpi/jwt_tool/wiki
https://www.youtube.com/watch?v=nM8kibRciJQ
https://www.youtube.com/watch?v=M3jA0bGDCso&feature=emb_logo
https://youtu.be/zWVRHK3ykfo
https://youtu.be/558MFgH1t9g
https://t.co/Su15R6Vpps?amp=1
https://blog.silentsignal.eu/2021/02/08/abusing-jwt-public-keys-without-the-public-key/

OAUTH / SAML -

https://medium.com/securing/what-is-going-on-with-oauth-2-0-and-why-you-should-not-use-it-for-authentication-5f47597b2611

The most common OAuth 2.0 Hacks - https://habr.com/en/post/449182/



How to Hunt Bugs in SAML; a Methodology - Part I
https://www.anitian.com/owning-saml/



http://blog.intothesymmetry.com/2015/12/top-10-oauth-2-implementation.html

https://twitter.com/fyoorer/status/1190304570506911744

https://medium.com/swlh/hacking-saml-bce30483d020

https://medium.com/@wdevon99/what-the-hell-is-oauth-6ba19f236612


https://twitter.com/fuxksniper/status/1297092959544856576

Host Header -

CSP -

https://csper.io/blog/other-csp-security

SAML -

nmap -

I built a tool to turn scan data into a sortable table for easier consumption. Demo:
https://github.com/jgamblin/nmaptable/
https://jgamblin.github.io/nmap.html

---Nmap Trick Techniques
https://blog.urfix.com/10-cool-nmap-tricks-techniques/amp/#click=https://t.co/IzRXAg7CiQ

How to defend your website with ZIP bombs -

A pretty old bug in Yahoo!

New blog post about bypassing payments using webhooks:
https://lightningsecurity.io/blog/bypassing-payments-using-webhooks/

Some nice writeup; you should read it. 356115

Chaining -

https://web.archive.org/web/20190407101215/https://nahamsec.com/chaining-multiple-vulnerabilities-to-gain-admin-access/
https://medium.com/@masonhck357/chains-on-chains-chaining-multiple-low-level-vulns-into-a-critical-8b88db29738e

Post Msg -

https://medium.com/bugbountywriteup/how-to-spot-and-exploit-postmessage-vulnerablities-329079d307cc

Others -

https://www.youtube.com/watch?v=c3JjTRFl5D8&t=0s&list=PLv-PXy2JVvivzOKjt7_jA8NnIifCnRjOS&index=15
https://twitter.com/Alra3ees/status/1259969808969469954
https://twitter.com/JaneScott/status/1072291481728167936?ref_src=twsrc%5Etfw%7Ctwcamp%5Eembeddedtimeline%7Ctwterm%5Ecollection%3A1073939531731210240%7Ctwcon%5Etimelinechrome&ref_url=https%3A%2F%2Ftwitter.com%2Fpentesterland%2Ftimelines%2F1073939531731210240
https://twitter.com/binitamshah/status/882977758380310529
https://medium.com/@uranium238/co
http://blog.jr0ch17.com/tags/#smtp%20header%20injection…
https://github.com/bb1nfosec/Information-Security-Tasks/tree/master/Web
https://hackerone.com/reports/317476
https://hackerone.com/reports/123078
https://hackerone.com/reports/167631
https://hackerone.com/reports/226659
https://hackerone.com/reports/229498
https://hackerone.com/reports/244677
https://hackerone.com/reports/281575
https://hackerone.com/reports/698416
https://hackerone.com/reports/791293
https://gccybermonks.com/posts/popups/
https://www.mannulinux.org/2021/03/from-tikiwiki-to-domain-admin-journey.html
https://blog.cryptohack.org/twitter-secrets
https://bdgajera.medium.com/ssrf-if-the-application-renders-csv-bd56c4cbea6c
https://blog.geekycat.in/google-vrp-hijacking-your-screenshots/
https://www.hahwul.com/2020/12/24/toctou-ssrf/
https://github.com/minimaxir/big-list-of-naughty-strings
https://mr-msa.notion.site/mr-msa/Write-ups-Tips-0b10fa38dc64499192dcf8df8ec56da9