GitBook
ctf, pentest, writeups, osint, labs, tips, GitBooks, Notion, web pentest, bug bounty
Shodan Dorks for OSINT, Recon and Bug Bounty

📸 Exposed Webcams
Finds IP cams running webcamXP software

• Example: http.title:"webcamXP"

🧑‍💻 Open FTP Servers
Finds FTP servers that allow anonymous login

• Example: port:21 anonymous
The keyword matches "anonymous" anywhere in the banner, including "530 Anonymous access denied", so confirm with the ftp.anonymous:true filter or a manual login before reporting.

💻 Outdated Operating Systems
For example, finding devices that still run Windows 7 (end of life since January 2020)

• Example: os:"Windows 7"

🌐 Misconfigured MongoDB Databases
Finds MongoDB instances reachable from the internet; exposure alone does not prove missing authentication, so read the banner (Shodan only lists database names when it could connect without credentials) before calling it unauthenticated

• Example: product:"MongoDB" port:27017

🔐 Exposed Login Panels
Identifies admin login portals

• Example: http.title:"Admin Login"

🧭 Specific Geolocation Targets
Finds services exposed in a specific country

• Example: port:22 country:"IN"

🧨 Apache Servers with Expired TLS Certificates in the US
Finds Apache web servers in the US that present an expired certificate

• Example: product:"Apache httpd" ssl.cert.expired:true country:"US"
(ssl:"expired" is not a Shodan filter; the certificate filters live under ssl.cert.*)

🧪 Devices Vulnerable to CVEs (e.g., Confluence CVE-2021-26084)
Finds Confluence servers on the default port; the query does not check the version, so fingerprint the build before assuming it is vulnerable (Shodan's vuln:CVE-2021-26084 filter tags hosts directly but needs a paid or academic plan)

• Example: http.html:"Atlassian Confluence" port:8090

🎛 ICS/SCADA Devices
Detects Modbus (TCP/502) on industrial systems

• Example: port:502 tag:ics
(name:"modbus" is not a valid Shodan filter; port:502 alone is the Modbus default, and tag:ics narrows to hosts Shodan classified as industrial)

See also: Subdomain Enumeration with Favicon using Shodan; Shodan Search Query Fundamentals
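Every dork above yields leads, not findings, so the useful next step is offline triage of the JSON Shodan returns. The script below is an added example, not code from the original post or from Shodan; it assumes the field names Shodan documents for JSON banners (ip_str, port, product, os, data, location.country_code, ftp.anonymous, ssl.cert.expired), and SAMPLE_BANNERS is constructed for the demo rather than real scan output. It also shows why `port:21 anonymous` needs confirmation: the second banner matches the keyword only because it says "Anonymous access denied".

```python
"""Offline triage of Shodan results for the dorks listed above.

Added example; it is not code from the original post or from Shodan. It assumes
the field names Shodan documents for JSON banners (ip_str, port, product, os,
data, location.country_code, ftp.anonymous, ssl.cert.expired). SAMPLE_BANNERS
is constructed for the demo and is not real scan output.
"""


def build_query(**filters) -> str:
    """Compose a Shodan query string. Double underscores become dots, so
    build_query(ssl__cert__expired=True) yields 'ssl.cert.expired:true';
    values containing spaces are quoted."""
    parts = []
    for key, value in filters.items():
        if isinstance(value, bool):
            value = "true" if value else "false"
        value = str(value)
        if " " in value:
            value = f'"{value}"'
        parts.append(f"{key.replace('__', '.')}:{value}")
    return " ".join(parts)


def field(banner: dict, dotted: str, default=None):
    """Walk a dotted path such as 'ssl.cert.expired' through nested dicts."""
    cur = banner
    for key in dotted.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return cur


def triage(banners, in_scope_countries=None):
    """Turn raw banners into findings. 'confirmed' is True only when the banner
    itself proves the issue; a keyword hit is a lead to verify by hand."""
    findings = []
    for b in banners:
        if in_scope_countries and field(b, "location.country_code") not in in_scope_countries:
            continue  # drop out-of-scope hosts before anyone touches them
        host = f"{b.get('ip_str')}:{b.get('port')}"
        data = (b.get("data") or "").lower()
        if b.get("port") == 21:
            anon = field(b, "ftp.anonymous")
            # The full-text dork `port:21 anonymous` also matches "Anonymous access denied".
            if anon is True or "anonymous" in data:
                findings.append({"host": host, "issue": "anonymous FTP", "confirmed": anon is True})
        if field(b, "ssl.cert.expired") is True:
            findings.append({"host": host, "issue": "expired TLS certificate", "confirmed": True})
        if (b.get("os") or "").startswith("Windows 7"):
            findings.append({"host": host, "issue": "end-of-life OS: Windows 7", "confirmed": True})
        if b.get("product") == "MongoDB":
            # Reachability alone does not prove missing auth; read the banner first.
            findings.append({"host": host, "issue": "MongoDB reachable from the internet", "confirmed": False})
    return findings


SAMPLE_BANNERS = [  # constructed, not real scan data
    {"ip_str": "192.0.2.10", "port": 21, "product": "vsftpd", "location": {"country_code": "US"},
     "data": "220 (vsFTPd 3.0.3)\r\n230 Anonymous access granted, restrictions apply",
     "ftp": {"anonymous": True}},
    {"ip_str": "192.0.2.11", "port": 21, "product": "ProFTPD", "location": {"country_code": "US"},
     "data": "220 ProFTPD Server ready.\r\n530 Anonymous access denied", "ftp": {"anonymous": False}},
    {"ip_str": "192.0.2.12", "port": 443, "product": "Apache httpd", "location": {"country_code": "US"},
     "ssl": {"cert": {"expired": True}}},
    {"ip_str": "198.51.100.5", "port": 3389, "os": "Windows 7", "location": {"country_code": "DE"}},
    {"ip_str": "192.0.2.13", "port": 27017, "product": "MongoDB", "location": {"country_code": "US"}},
]

if __name__ == "__main__":
    print(build_query(product="Apache httpd", ssl__cert__expired=True, country="US"))
    for finding in triage(SAMPLE_BANNERS, in_scope_countries={"US"}):
        print(finding)
```

Feed it the `matches` array from `shodan download` / the REST API instead of SAMPLE_BANNERS and pass the programme's allowed countries as in_scope_countries; anything with confirmed False still needs a manual check before it goes in a report.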

#infosec #cybersecurity #bugbounty #pentest #bugbountyTips #shodan #recon #dork
8 Account Takeover Methods

🔴Unicode Normalization Issue
1. Victim account: victim@gmail.com
2. Create an account using a Unicode look-alike, e.g. vićtim@gmail.com (ć is the Unicode character here); if the app normalizes or strips accents before comparing addresses, both map to the victim's address while mail still goes to yours.
✍️ Keep a list of look-alike Unicode characters handy for the substitution.
Note: look for flows where the new email does not have to be verified.
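What the collision looks like in code, as an added example that is not from the original post or any real product: careless_canon models the unsafe normalize-then-strip comparison the technique relies on, and safe_canon is a hardened form that rejects non-ASCII local parts instead of transforming them. The addresses are constructed test values.

```python
"""Unicode collision check for account identifiers.

Added example; it is not code from the original post or from any product. It
models the unsafe pattern the technique relies on: an app that normalizes or
strips accents from e-mail addresses before comparing them but sends mail to
the raw string, so "vićtim@gmail.com" is treated as "victim@gmail.com". The
addresses are constructed test values.
"""
import unicodedata


def careless_canon(email: str) -> str:
    """The unsafe canonicalization: compatibility-decompose (NFKD), drop
    combining marks, drop anything left that is not ASCII, lower-case."""
    decomposed = unicodedata.normalize("NFKD", email)
    no_marks = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    return no_marks.encode("ascii", "ignore").decode("ascii").lower()


def collides(candidate: str, existing: str) -> bool:
    """True when the careless app would treat both addresses as one account."""
    return careless_canon(candidate) == careless_canon(existing)


def safe_canon(email: str) -> str:
    """Hardened form: NFC so equivalent code point sequences compare equal, an
    ASCII-only printable local part (reject rather than transform), and an
    IDNA-encoded, lower-cased domain. Raises ValueError on anything else."""
    email = unicodedata.normalize("NFC", email)
    local, sep, domain = email.rpartition("@")
    if not sep or not local or not domain or not local.isascii() or not local.isprintable():
        raise ValueError("local part must be printable ASCII")
    try:
        domain = domain.encode("idna").decode("ascii").lower()
    except UnicodeError as exc:
        raise ValueError("invalid domain") from exc
    return f"{local}@{domain}"


def rejects(email: str) -> bool:
    """Does safe_canon refuse this address?"""
    try:
        safe_canon(email)
    except ValueError:
        return True
    return False


# Constructed test values; escapes keep the source file ASCII.
VICTIM = "victim@gmail.com"
ACUTE_C = "vi\u0107tim@gmail.com"      # LATIN SMALL LETTER C WITH ACUTE
FULLWIDTH_V = "\uff56ictim@gmail.com"  # FULLWIDTH LATIN SMALL LETTER V
CYRILLIC_I = "v\u0456ctim@gmail.com"   # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I

if __name__ == "__main__":
    for probe in (ACUTE_C, FULLWIDTH_V, CYRILLIC_I):
        print(repr(probe), "collides:", collides(probe, VICTIM),
              "rejected by safe_canon:", rejects(probe))
```

The Cyrillic probe shows the limit of this bug class: NFKD does not map Cyrillic і to Latin i, so a normalizing app does not merge the accounts; that is a homoglyph problem for humans, not a collision in the database.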


🔴Authorization Issue
1. Change the email of Account A to email B.
2. Check the confirmation mail that arrives at B.
3. Open the confirmation link while logged in as Account C.
If the link is not bound to Account A, C's email is changed to B and Account C is taken over.

🔴Reusing Reset Token
If the target allows a reset link to be reused, hunt for leaked reset links via gau, wayback or urlscan.io.

🔴Pre Account Takeover
1. Sign up through the normal form with the victim's email; the attacker cannot complete the verification link.
2. The victim later signs up with OAuth using the same email.
3. If the OAuth signup is linked to the existing unverified account (verification bypass), the attacker can log in to the victim's account with the password set at registration.

🔴CORS Misconfiguration to Account Takeover
1. Check the API for any endpoint that returns an access token, session, secret or fingerprint.
2. If there is one, check for a CORS misconfiguration: does it reflect an arbitrary Origin with Access-Control-Allow-Credentials: true?
3. Build a page that fetches that data cross-origin with credentials, replay the headers, and you have the token.

🔴CSRF to ATO
If profile modification under cookie-based authentication does not use an anti-CSRF token:
1. Log in to Account A, change the email to one you own, click save, intercept the request and generate a CSRF PoC from it.
2. If authentication is fully cookie-based you don't have to modify anything; send the CSRF page to the victim.
3. If the request needs a UUID/UserID or a unique token it is harder, but that doesn't mean it is secure; keep playing with the target.
Hint: the password reset page often leaks the UUID/GUID or UserID.

🔴Host Header Injection
There are four ways to do this:
1. Request a password reset and change the Host header to attacker.com.
2. Or set a proxy header, e.g. X-Forwarded-Host: attacker.com (also try X-Forwarded-For and X-Host; which header an app honours varies).
3. Or set the Host, Referer and Origin headers to attacker.com at once.
4. Request the reset, then click "resend mail" and repeat the three methods above.
The reset link in the victim's mail then points at your host, and the token arrives when they click it.
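The bug behind methods 1 to 3 is a reset-link builder that trusts request headers. The snippet below is an added example, not from the original post or any real framework: the request dicts are constructed WSGI-style environs, vulnerable_reset_link reproduces the Host / X-Forwarded-Host trust that gets exploited, and hardened_reset_link pins the origin to configuration and refuses mismatched requests rather than rewriting them.

```python
"""Password-reset link construction: Host-header-trusting vs. hardened.

Added example, not from the original post or from any real framework. The
request dicts are constructed WSGI-style environs. vulnerable_reset_link
reproduces the bug the technique exploits (link built from Host or
X-Forwarded-Host); hardened_reset_link pins the origin to configuration and
refuses mismatched requests instead of rewriting them.
"""
import secrets
from urllib.parse import urlsplit, urlunsplit

# Assumed deployment setting: the only origin a reset mail may point at.
CANONICAL_SCHEME = "https"
CANONICAL_HOST = "app.example.com"


def new_token() -> str:
    """Unguessable reset token (32 random bytes, URL-safe)."""
    return secrets.token_urlsafe(32)


def vulnerable_reset_link(environ: dict, token: str) -> str:
    """Builds the link from whatever the client sent. A proxy-aware framework's
    request.host behaves like this when every upstream is trusted."""
    host = environ.get("HTTP_X_FORWARDED_HOST") or environ["HTTP_HOST"]
    scheme = environ.get("HTTP_X_FORWARDED_PROTO") or environ.get("wsgi.url_scheme", "http")
    return urlunsplit((scheme, host, "/reset", f"token={token}", ""))


def hardened_reset_link(environ: dict, token: str) -> str:
    """Never reads forwarded headers. Rejects a Host that is not the canonical
    one so the mismatch gets logged rather than silently 'fixed'."""
    host = environ.get("HTTP_HOST", "").split(":")[0].lower()
    if host != CANONICAL_HOST:
        raise ValueError(f"unexpected Host header: {host!r}")
    return urlunsplit((CANONICAL_SCHEME, CANONICAL_HOST, "/reset", f"token={token}", ""))


def try_hardened(environ: dict, token: str):
    """hardened_reset_link, returning None instead of raising (for the demo)."""
    try:
        return hardened_reset_link(environ, token)
    except ValueError:
        return None


def link_leaks_to(link: str, attacker_host: str) -> bool:
    """Would clicking this link send the token to the attacker's host?"""
    return urlsplit(link).hostname == attacker_host


# Constructed requests. Method 1: tampered Host; method 3 adds Referer/Origin.
ATTACK_ENVIRON = {
    "wsgi.url_scheme": "https",
    "HTTP_HOST": "attacker.example",
    "HTTP_REFERER": "https://attacker.example/",
    "HTTP_ORIGIN": "https://attacker.example",
}
# Method 2: correct Host, poisoned proxy header.
FORWARDED_ENVIRON = {
    "wsgi.url_scheme": "https",
    "HTTP_HOST": "app.example.com",
    "HTTP_X_FORWARDED_HOST": "attacker.example",
    "HTTP_X_FORWARDED_PROTO": "https",
}
LEGIT_ENVIRON = {"wsgi.url_scheme": "https", "HTTP_HOST": "app.example.com"}

if __name__ == "__main__":
    t = new_token()
    for name, env in (("host", ATTACK_ENVIRON), ("forwarded", FORWARDED_ENVIRON), ("legit", LEGIT_ENVIRON)):
        print(name, "vulnerable ->", vulnerable_reset_link(env, t))
        print(name, "hardened   ->", try_hardened(env, t))
```

When testing, compare the link in the mail you receive against the Host you sent; a link on attacker.example from either ATTACK_ENVIRON or FORWARDED_ENVIRON is the finding, and the fix on the defending side is the configured origin plus a Host allow-list, never a "smarter" header parser.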

🔴Response Manipulation
1. Status code manipulation: change any non-200 response to 200 OK.
2. Status code and body manipulation:
code: any status to 200 OK
body: any body to {"success":true} or {}
This works when the client decides the outcome from a JSON response, e.g. an OTP or 2FA check enforced only in the frontend.


#infosec #cybersecurity #bugbounty #pentest #bugbountyTips #ATO
Grep tips for JavaScript Analysis

💡Note: the commands below run against the .js files in the current folder and print file name and line number; add -r and a directory instead of *.js to recurse (e.g. grep -rnE "pattern" /path/to/js/files). Piping cat * into grep -r loses the file names and the -r does nothing on stdin.


🟣Collecting JavaScript Files from Nested Directories
find /path/to/your/folders -type f -name "*.js" -exec mv -n {} /path/to/target/folder/ \;
(-n keeps the first of two files with the same name instead of silently overwriting)


🟣Searching for API Keys and Secrets
grep -nEi "apikey|api_key|secret|token|password|auth|key|pass|user" *.js


🟣Detecting Dangerous Function Calls
grep -nE "eval|document\.write|innerHTML|setTimeout|setInterval|Function" *.js


🟣Checking for URL Manipulation
grep -nE "location\.href|location\.replace|location\.assign|window\.open" *.js


🟣Searching for Cross-Origin Requests
grep -rnE "XMLHttpRequest|fetch|Access-Control-Allow-Origin|withCredentials" /path/to/js/files


🟣Analyzing postMessage Usage
grep -nE "postMessage|addEventListener\(\s*['\"]message" *.js


🟣Finding Hardcoded URLs or Endpoints
grep -nE "https?://|www\." *.js


🟣Locating Debugging Information
grep -nE "console\.log|debugger|alert|console\.dir" *.js


🟣Investigating User Input Handling
grep -nE "document\.getElementById|document\.getElementsByClassName|document\.querySelector|document\.forms" *.js
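The same sweep from Python, as an added example that is not part of the original post: every hit carries file, line number and category, word boundaries cut noise such as keyCode matching "key", and over-long lines are flagged as minified (beautify those first) instead of producing one unreadable match. SAMPLE_JS is constructed for the demo, not real application code.

```python
"""Categorised regex sweep of JavaScript files.

Added example, not part of the original post: the same patterns as the grep
one-liners, run from Python so every hit carries file, line number and
category, with word boundaries to cut noise such as keyCode matching "key".
Over-long lines are flagged as minified instead of being matched line by line.
SAMPLE_JS is constructed for the demo, not real application code.
"""
import re
from collections import Counter
from pathlib import Path

PATTERNS = {
    "secret":        r"\b(api[_-]?key|secret|token|password|auth|key|pass|user)\b",
    "dangerous":     r"\b(eval|document\.write|innerHTML|setTimeout|setInterval|Function)\b",
    "url_control":   r"\blocation\.(href|replace|assign)\b|\bwindow\.open\b",
    "cross_origin":  r"\b(XMLHttpRequest|fetch|withCredentials)\b|Access-Control-Allow-Origin",
    "postmessage":   r"\bpostMessage\b|\baddEventListener\(\s*['\"]message['\"]",
    "hardcoded_url": r"https?://[^\s'\"]+|\bwww\.[^\s'\"]+",
    "debug":         r"\b(console\.(log|dir)|debugger|alert)\b",
    "dom_input":     r"\bdocument\.(getElementById|getElementsByClassName|querySelector|forms)\b",
}
# Only the secrets sweep is case-insensitive; "Function" must not match every function keyword.
COMPILED = {name: re.compile(rx, re.IGNORECASE if name == "secret" else 0)
            for name, rx in PATTERNS.items()}


def scan_text(text: str, source: str = "<inline>", minified_over: int = 2000) -> list:
    """Return one hit dict per regex match, or a single 'minified' hit for a
    line longer than minified_over characters."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if len(line) > minified_over:
            hits.append({"file": source, "line": lineno, "category": "minified",
                         "match": f"{len(line)} chars on one line"})
            continue
        for category, rx in COMPILED.items():
            for m in rx.finditer(line):
                hits.append({"file": source, "line": lineno, "category": category, "match": m.group(0)})
    return hits


def scan_dir(root: str, pattern: str = "**/*.js") -> list:
    """Recurse over root, the equivalent of grep -r on the whole folder."""
    hits = []
    for path in sorted(Path(root).glob(pattern)):
        if path.is_file():
            hits.extend(scan_text(path.read_text(errors="replace"), str(path)))
    return hits


def summarize(hits: list) -> dict:
    """Count hits per category."""
    return dict(Counter(h["category"] for h in hits))


SAMPLE_JS = """\
const apiKey = "AKIA-constructed-not-real";
fetch("https://api.example.com/v1/me", { credentials: "include" });
window.addEventListener("message", e => { document.getElementById("out").innerHTML = e.data; });
if (e.keyCode === 13) { location.href = params.get("next"); }
console.log("debug", apiKey);
"""

if __name__ == "__main__":
    for hit in scan_text(SAMPLE_JS, "sample.js"):
        print(f"{hit['file']}:{hit['line']} [{hit['category']}] {hit['match']}")
    print(summarize(scan_text(SAMPLE_JS)))
```

Line 3 of the sample is the one to read first: a message listener writing e.data into innerHTML with no origin check is the postMessage-to-DOM-XSS shape, and it shows up as three hits (postmessage, dom_input, dangerous) on a single line.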


#infosec #cybersecurity #bugbounty #pentest #bugbountyTips #JS
A Comprehensive Repo for Shodan Dorks

This GitHub repository provides a range of Shodan dorks to find vulnerabilities and configuration issues in various types of devices such as webcams, routers, and servers.

• Repository: https://github.com/nullfuzz-pentest/shodan-dorks

#infosec #cybersecurity #bugbounty #pentest #bugbountyTips #shodan #recon #dork