Knight icons created by max.icons - Flaticon

Bug Bounty Exploitation Cheat Sheet

by

CTF & Bug Bounty » Bug Bounty » Bug Bounty Cheatsheets » Bug Bounty Exploitation Cheat Sheet

After performing proper reconnaissance on the target and identifying all endpoints, it’s time to attempt exploitation and bypass the application’s logic.

You should only test vulnerabilities that are consistent with the features and technologies identified during the recon phase.

Table of contents

Client-Side

  • CORS misconfigurations?
  • CSP misconfigurations?
  • Clickjacking?
  • JavaScript injection?
  • CSS injection?
  • HTML injection?
  • XSS?
  • CSRF?
  • CSPT (Client-Side Prototype Pollution)?
    → Can CSPT be turned into CSRF?
  • Vulnerable WebSockets
    → CSWH (Cross-Site WebSocket Hijacking), missing HTTP Origin verification?
dalfox: HTTP configurations, XSS testing, etc.
WS client: https://github.com/ethicalhack3r/scripts/blob/master/WebSockets.html

Parameters

Injections can occur in parameters (GET, POST, PUT, etc.), cookies, custom headers, and more.

  • Injection in identifiers
    → SQL, NoSQL, IDOR?
  • Injection in reflected fields
    → SSTI, JavaScript/HTML?
  • Command injection?
  • CRLF injection?
  • URL parameters
    → SSRF, Open Redirect?
  • File-related parameters
    → Directory Traversal?
  • Parameter addition?
  • Parameter removal?
  • HTTP Parameter Pollution (HPP)?

A few tools:

arjun, x8 - parameters detection
qsreplace - easily attribute values to parameters
gf - grep URL from predefined patterns
sqlmap - SQL injections
nosqlmap - NoSQL injections
nip.io, sslip.io - useful when exploiting SSRF, allows redirections
dotdotpwn - Directory Traversal fuzzer

API/Endpoints

  • REST API?
  • SOAP API (XML)?
  • GraphQL API?
  • gRPC API?
  • Is it a public API?
  • Look for API keys on GitHub
    → Based on application-specific headers (e.g. X-API-PROGRAM-TOKEN, etc.)
  • User or data enumeration via APIs?
  • Mass assignment vulnerabilities on APIs?
    → Try changing HTTP verbs: PUT, DELETE, PATCH, POST, etc.
    → Try adding key:value pairs in JSON requests
  • Adding extra parameters to requests?
  • Parameter injection?
  • Parameter type manipulation?
  • Change data formats
    → e.g. JSONXML (make sure to update the Content-Type)
  • PII leakage?
keyhacks - identify API keys (https://github.com/streaak/keyhacks)
InQL - Burp Suite addon for GraphQL
GraphQL Support - ZAP addon for GraphQL
script nmap s3-buckets - identify the use of AWS buckets

Visual GraphQL: https://graphql-kit.com/graphql-voyager/
GraphQL Wordlist: https://github.com/Escape-Technologies/graphql-wordlist
Public API:
- https://apis.guru/
- https://rapidapi.com/
- https://publicapis.dev/
- https://publicapis.io/
- https://www.postman.com/explore
- https://github.com/public-apis/public-apis

File Upload/Conversion

  • How is the filename handled or modified?
  • Where is the file stored?
  • Maximum file size bypass?
  • Metadata not stripped?
  • Malicious file types allowed
    → e.g. .svg, polyglot files, etc.
  • File conversion features
    → Read metadata with exiftool
    → Test for vulnerabilities (XSLT, SSTI, etc.)
  • XXE (XML External Entity)?
  • CSV injection with real impact?
    → De-anonymization via outbound requests leaking IP addresses
    → Extraction of spreadsheet cell values
exiftool - retrieve metadata from a file

Template image with geolocation metadat inside: https://github.com/ianare/exif-samples/blob/master/jpg/mobile/HMD_Nokia_8.3_5G.jpg
JSTL Wordlist (JSP) : https://gist.github.com/arbazkiraak/574cf1ae0a378115907f82ed07f1a374
Online file upload : https://www.anonfile.la/

Application Logic

  • IDOR (Insecure Direct Object Reference)?
  • Race conditions?
    → Send parallel requests (Burp Suite can be used for that)
  • Can premium features be abused or accessed for free?
  • $0 purchases?
  • Bruteforcing values?
  • Dependency confusion?
  • Expired or dangling links?
    → Broken Link Hijacking (BLH)
socialhunter - broken link detection

Access Control

  • Broken or missing access controls?
  • Authenticated pages accessible while logged out?
  • Token issues
    → No expiration, predictable values, reuse, etc.
  • Cookie-related issues?
  • Are JWTs properly secured?
  • 403/401 pages bypasses?
nomore403 - bypass HTTP 403
jwt_tool.py - JWT toolbox

Default passwords: https://cirt.net/passwords
Password wordlists: https://weakpass.com/

Accounts

Account Creation

  • Are temporary or disposable email addresses allowed?
  • Are special characters filtered in email addresses
    <, >, ", ', etc.?
  • Can an account be created using an email address that already exists?
  • Are email aliases allowed
    → e.g. + addressing?
  • Are weak passwords allowed?
  • Do error messages allow email enumeration?
    → Different responses for invalid email vs email already exists?
  • Temporary email tools
    Temp Mail — browser extension for disposable email addresses. Websites exist

Account Features, User Management

  • Can you change another user’s email address?
  • Can you change your email to one already used by another user?
  • Can you change another user’s password?
  • Can you modify another user’s profile information?
  • Can you delete another user’s account?
  • Are all sessions invalidated after a password change?
  • Are all sessions invalidated after account deletion?

Tokens, 2FA, (T)OTP

  • Is a pre-auth Account Takeover (ATO) possible?
  • Which tokens are used to authenticate users?
  • Do these tokens expire?
  • Can these tokens be reused to authenticate without credentials?
  • Is the password reset link predictable?
  • Can 2FA be bypassed?
  • Can you disable 2FA for another user?
  • Can (T)OTP codes be brute-forced
    → Missing or weak rate limiting?
  • Can the “forgot password” feature be brute-forced?
  • Can the login form be brute-forced?

SSO

  • Are there SSO misconfigurations?
  • Are SSO tokens properly secured?
    → Expiration, validation, non-reusability
  • Are post-authentication redirects properly filtered?
  • Does global logout work correctly?
    → Session and token revocation
  • Is token replay possible?
  • Do authentication errors leak sensitive information?
  • Do HTTP headers leak authentication tokens?

HTTP

  • HSTS enabled?
  • Can custom HTTP headers be added
    X-Whatever, etc.?
  • HTTP Host header injection?
  • HTTP request smuggling/splitting?
  • How does the server/endpoints handle HTTP errors?
    → e.g. oversized Content-Length, excessively long URLs
  • How does the server handle file extensions?
foxyproxy - browser addon to easily switch between proxies
owasp zap/burp suite - proxy

HTTP documentation: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers
File extensions: https://filext.com/

DNS

  • Wildcard DNS?
  • Zone transfers allowed?
  • CNAME pointing to a 404 resource
    → Potential Subdomain Takeover (SDTO): can we buy this subdomain?
  • Missing zone on the nameserver
    SERVFAIL errors → possible DNS hijacking
  • Servers not hosting web content can also be vulnerable
    → Mail servers and other services
  • External resources (img, js, css, etc.) loaded from non-existent domains
    Second-order Subdomain Takeover
dig - best DNS tools
subjack - SDTO
httpx -probe - to find inactive subdomains
waybackmachine - to screenshot a successful SDTO (this is a proof if we stop paying the hosting membership...)

Vulnerable hosting services: https://github.com/EdOverflow/can-i-take-over-xyz/issues

CMS

  • WordPress : wpscan
  • Drupal : droopescan
  • Joomla : joomscan

Cloud

  • Are resources hosted on Cloud services?
  • What cloud services: AWS, Azure, GCP?
site:s3.amazonaws.com "COMPANY_NAME"
etc. (refer to the recon cheathseet)

Disclaimer

All content published on this website is for educational purposes only.

The techniques, tools, and methodologies described here are intended to be used only on systems you own or have explicit permission to test.

I do not encourage or take responsibility for any illegal use of the information provided.

Leave a Comment