Bug Bounty Tips(2022-10-28)

渗透技巧 2年前 (2022) admin
552 0 0

点击蓝字 关注不迷路

01

API-Security-Tips?


Old version of API tend to be more vulnerable
Saw a call to api/v3/login? Check api/v1/login exists as well It might be more vulnerable


Never assume there’s only one way to authenticate to an API! Modern apps have many API endpoints for AuthN: /api/mobile/login | /api/v3/login | /api/magic_link; etc.. 
Find and test all of them for AuthN problems.


SQL Injections used to be extremely common 5-10 years ago, and you could break almost every company? 
BOLA (IDOR) is the new epidemic of API security.
As a pentester, if you understand how to exploit it, your glory is guaranteed.https://inonst.medium.com/a-deep-dive-on-the-most-critical-api-vulnerability-bola-1342224ec3f2


Testing a Ruby on Rails App & noticed an HTTP parameter containing a URL? 
Developers sometimes use "Kernel#open" function to access URLs == Game Over.
Just send a pipe as the first character and then a shell command (Command Injection by design)


Found SSRF? use it for:
Internal port scanningLeverage cloud services(like 169.254.169.254)Use http://webhook.site to reveal IP Address & HTTP LibraryDownload a very large file (Layer 7 DoS)Reflective SSRF? disclose local mgmt consoles


Mass Assignment is a real thing. 
Modern frameworks encourage developers to use MA without understanding the security implications.
During exploitation, don't guess object's properties names, simply find a GET endpoint that returns all of them.

Bug Bounty Tips(2022-10-28)


A company exposes an API for developers? 
This is not the same API which is used by mobile / web application.
Always test them separately.
Don't assume they implement the same security mechanisms.


Pentest for REST API? 
Give it a chance and check if the API supports SOAP also.
Change the content-type to "application/xml", add a simple XML in the request body, and see how the API handles it.


Pentest for APIs? 
Trying to find BOLA (IDOR) vulnerabilities?
IDs in the HTTP bodies/headers tend to be more vulnerable than IDs in URLs. Try to focus on them first.


The API uses Authorization header? 
Forget about CSRF! If the authentication mechanism doesn't support cookies, the API is protected against CSRF by design.


02

Cyber Security Search Engines for Researchers:

1. Dehashed 2. SecurityTrails 3. DorkSearch 4. ExploitDB 5. FoFa

03

Meta(Facebook) BugBounty-Writeups

https://github.com/jaiswalakshansh/Facebook-BugBounty-Writeups

04

TGA Weekly Newsletter [10/26/22] — Cybersecurity Awareness Month

https://medium.com/the-gray-area/tga-weekly-newsletter-10-26-22-6b49b28e038d?source=rss——cybersecurity-5&utm_source=dlvr.it&utm_medium=twitter   

05

I have two successful article suggestions that you can benefit from on the Bug Bounty  topic❗️?  I definitely suggest adding it to your bookmark

https://www.infosecmatter.com/bug-bounty-tips-1/ 

https://www.infosecmatter.com/bug-bounty-tips-2-jun-30/

06

Bug Bounty Tips(2022-10-28)

07

Full Company Building Takeover

https://infosecwriteups.com/company-building-takeover-10a422385390

08

CVE-2022-41343 – RCE via Phar Deserialisation (Dompdf)

https://tantosec.com/blog/cve-2022-41343/

09

干货不啰嗦,觉得好看请点赞分享~谢谢



Bug Bounty Tips(2022-10-28)



原文始发于微信公众号(Bug Bounty Tips):Bug Bounty Tips(2022-10-28)

版权声明:admin 发表于 2022年10月28日 上午8:11。
转载请注明:Bug Bounty Tips(2022-10-28) | CTF导航

相关文章

暂无评论

您必须登录才能参与评论!
立即登录
暂无评论...