Yay, I was awarded a $16,300 bounty on @Hacker0x01! hackerone.com/moblig#TogetherWeHitHarder
🎉🎉🎉
Tip: Even if an asset asks for authentication, fuzz for endpoints using ffuf, I found an unauthenticated API that allowed me to retrieve sensitive information!
$15k+ Worth of IDORs in the past couple of months; it takes a lot of manual verification, but use this regex in BurpSuite in order to filter out potential parameters:
(?i)\b\w*id\b(?!\w)\s*=\s*("[^"]*"|'[^']*'|[^&\s}]*)
#bugbountytips#CyberSecurity
Yay, I was awarded a $15,000 bounty on @Hacker0x01!
The program was running a 3x campaign and had an average of 0% critical vulnerabilities.
An unusual combination of persistent tokens and good ol' Google Dorking. I will be doing a write-up for this one when it is resolved, and will also be disclosing my most interesting reports here, so drop a follow :) 👇
medium.com/@moblig#bugbountytips#bugbounty#CyberSecurity
Yay, I was awarded a $10,000 bounty on @Hacker0x01! For a Critical Severity IDOR.
Tip:
1) In-depth knowledge of the program, lots of manual testing
2) Learning to master the 'Autorize' extension for Burp
Automated & manual testing🤝
#bugbountytip#hackerone
$10,000 for RCE through Dependency Confusion, this time on one of my first submissions in @intigriti 🙌
I spent a whole month learning and developing a custom tool using Next.js, this helped me identify and exploit the RCE.
Of course, I also used: medium.com/@alex.birsan/depe…
Yay, I was awarded a $4,500 bounty on @Hacker0x01!
Tip:
Target had a /?back= parameter, but payloads like javascript://alert(1) did not work.
Exploited using the following with URL-encoded ASCII tab characters:
%09Jav%09ascript:alert(document.domain)
#bugbountytips#bugbounty
Some fun & unexpected bugs I found recently👇
1. Authentication Bypass by setting session cookie value to 'null'
2. Plain text credentials in JS files expose clients' PII
Haven't found a write-up about the null cookie approach before, and the exposed credentials, just, wow...
I often find IDORs by searching in JS Files for interesting endpoints, but how do I automate this while also performing manual hunting?🤔
#bugbountytips
I mostly use my custom @trick3st workflow for finding unique domains & secrets in JS files, here is how it works👇
1/4
Yay, I was awarded a $10,000 bounty on @Hacker0x01! hackerone.com/moblig#TogetherWeHitHarder#bugbountytip
DOM XSS to Admin Account Takeover - No CORS policy so I was able to send authenticated requests on behalf of the victim and send the response back to my server.
👇
I was awarded $7,666 for a Critical XSS
Reflected XSS, but no particular sensitive data was exposed.
Here is how I was able to escalate to account takeover👇
#bugbountytips
$5,000 for 5 IDORS on the same asset!
All manual findings, although for some of these I used the ‘Reflection’ extension in Burp in order to find more parameters vulnerable to IDOR
#bugbountytips#hackerone
Yay, I was awarded a $4,000 bounty on @Hacker0x01!
For XSS to ATO
Instead of a #bugbountytip, here is the code snippet used to check the user-supplied input in this specific parameter, who can tell me what the problem here was, and what a potential bypass would look like?
Feels good to be back!🙌
Using this beauty again to bypass the fix for an XSS to ATO:
%09Jav%09ascript:alert(1)
#bugbountytips#togetherwehitharder#hackerone
PS. If anyone is going to @defcon and wants to meet, I'll be in Vegas Aug 6-10! :)
Attending @Hacker0x01 recharge too.
I was awarded a $10,000 bounty by the @GoogleVRP Cloud Program!👌
I've recently shifted my focus to server-side and broken access control vulnerabilities, and I have to say it has paid off.
It was a S0-P0, but the impact was limited, which is why they downgraded the bounty.
#bugbountytips
$4,000 for Bypassing WAF
Tip: Whenever an asset is protected by a WAF, enumerate and investigate subdomains and IP Addresses, sometimes you’ll find dev or staging environments which are exact copies of production.
target.xyz -> WAF
https://69.420.69.420:443 - No WAF
I got a $1,160 bounty for an IDOR that exposed all Machine Learning Models in Gitlab.
This was found using the Autorize extension in Burp, go check out the disclosed report!
#bugbountytipshackerone.com/reports/252829…
Yay, I was awarded a $4,500 bounty on @Hacker0x01!
XSS to ATO through exposed CSRF Tokens
Tip:
If cookies are HTTP only, search for exposed CSRF tokens, you can append them to your CSRF PoC: xhr.setRequestHeader("X-Csrf-Token", "3983xn9n");
#bugbountytips
Read first comment👇
A month ago, I was able to access Microsoft's ServiceNow instance, exposing ALL Microsoft Employee emails, Chat Support Transcripts & Attachments.
The write-up and my take on the state of the MSRC is now available here👇
link.medium.com/L54B9nGtXNb#bugbountytips#CybersecurityNews#microsoft
I just published "Exposing PII and SSNs through Persistent Session Tokens - $15,000 Bug Bounty" a new write-up in which I describe:
- My throught process
- My approach when hacking in program campaigns
- Technical details of the vulnerability
shorturl.at/9X9H8#bugbountytips
Yay, I was awarded a $4,000 bounty on @Hacker0x01! hackerone.com/moblig#TogetherWeHitHarder
For Reflected XSS to Account Takeover
Tip: When cookies are HTTP only go for localStorage -- alert(JSON.stringify(localStorage));
An API is calling your own records like this?
-> GET /v1/transactions/all
See if the response contains and object with an ID and reference it directly
-> GET /v1/transactions/813
If you get a 200 OK, check if you can access any record ID for an IDOR!
#bugbountytips
Yay, I was awarded a $2,000 bounty on @Hacker0x01!
Tip: If user IDs are predictable, try different features in the platform that expose user info, in my case I could add people to a team, therefore I could guess all user IDs with intruder and expose their info
#bugbountytips
Yay, I was awarded a $3,000 bounty on @Hacker0x01! hackerone.com/moblig#TogetherWeHitHarder
Blind XSS through Support Chat leads to ATO, forging requests on behalf of the victim using Fetch & sending the response to the attacker server (payload below👇🏻👇🏻👇🏻)
Yay, I was awarded a $1,500 bounty on @Hacker0x01! hackerone.com/moblig#TogetherWeHitHarder
First time seeing an SSRF lead to an account takeover by itself, I might consider a writeup for this one because of its weird nature, also some kind words :)
One of the first critical bounties of my career was because of The Wayback Machine and the amazing resources they have and these idiots trying to take it down because of unrelated politics? Amazing👍🏻
This group conducted Denial of Service (DDOS) attack on Internet Archive, which is a 501c Non-Profit, Public Charity and Non-Governmental Organization found by Kahle Brewster in 1996, and has nothing to do with US Govt, CIA, Israel, MOSSAD and counter-terrorism.
state.gov/non-government…
irs.gov/charities-non-…
irs.gov/charities-non-…
apps.irs.gov/pub/epostcard/
Turns out #BugBounty is not the only thing I am half-decent at.😅
These are my returns on my entire portfolio, which I started out 9 months ago.
I handpicked the stocks and spent a reasonable amount of time studying each one.
The best stock is up 496%.😮💨
Well this was an interesting one🤔
$500 Bounty from the @mozilla Bug Bounty!
Same tip as my last bounty, FFUF and keep updating your wordlists!
I have no idea how to redeem this though lol
#bugbountytips
All that is left to do is analyze the results, and hopefully find exposed secrets & interesting endpoints to target for IDORs or other bugs! :)
You can find the JSON for the workflow, which you can copy & paste into @trick3st UI here: github.com/moblig/Trickest/b…
$1,500 for a vulnerability initially marked as “Not Applicable” by a triager, the tip today isn’t a technical one, rather than an advice — Triagers do not have the last word, always ask for the client to be consulted and provide irrefutable evidence!
#bugbountytips#bugbounty
I just found and reported 3 vulnerabilities affecting the same product used by 3 different companies, 2 of them have been accepted as High on @Hacker0x01 and the 3rd marked as "Not Applicable" on Bugcrowd 😂This is why I never hack on Bugcrowd
#bugbounty
Mil gracias a @BugCON por la invitacion y oportunidad de presentar mi charla, fue un placer!🇲🇽
The slides from the presentation will be published soon in both english and spanish✅
#bugbountytips
Delighted to announce I will be presenting my research at @BugCON in Mexico City!🇲🇽
--
Un placer anunciar que estare presentando mi investigación en @BugCON en Ciudad de Mexico!🇲🇽
#bugbounty#cybersecurity
🚨 Speaker Alert: imagina comprar el boleto más barato para el último concierto de @belindapop y poder colarte, hasta poder saludarla en persona. ¿Imposible?, @moblig_ lo hace realidad en el maintrack de #BugCON 2024 🇲🇽🌮
I just found and reported 3 vulnerabilities affecting the same product used by 3 different companies, 2 of them have been accepted as High on @Hacker0x01 and the 3rd marked as "Not Applicable" on Bugcrowd 😂This is why I never hack on Bugcrowd
#bugbounty
1. Single web app in scope so a lot of manual work and learning all the features
2. Once I find a vulnerable parameter I search for similar params using Reflected Parameters extension or with Logger using the regex\?.*=(\/\/?\w+|\w+\/|\w+(%3A|:)(\/|%2F)|%2F|[\.\w]+\.\w{2,4}[^\w])
The PoC URL required an SID every time, so I had to create a Python script that would generate a new SID and append it to the PoC URL, the final payload looked like this
redacted.com/redacted/path/v…(`<base64-encoded-code>`));
And the code used inside the atob function
One more example for bad behavior / Scam
in paid subscription for bugbounty
santimillionaire.com/
I was there for the last 5 months trying to find something useful but unfortunately nothing , just a ready payloads and some tips filtered for each bug
and this month I found a interesting script with lot of installing issues , and when I asked for help , he’s keep ignoring
Nothin new in the last 5 months , so it should be one time payment
payments should be 20$ and this month they took 40$
Just cancel the auto payment
as Iam always trying to show everything good in bugbounty tips and sure for free, In the same time I will drop the bad content like this as well
#bugbountyScam
Crawl using Burp + navigating web app manually, also use gau and filter out for URLs paths that only have query parameters, you can always find potential parameters there, if an ID is easily guessable try for IDOR
Estare dando mi charla "Backstage Pass: Leveraging Unauthenticated APIs to Breach Internal Infrastructure " mañana en @BugCON🇲🇽 a las 9 AM. Los espero!
Great question here!
The main difference I found was not putting your payload directly in the preinstall parameter of your package.json, instead use 'node preinstall.json' and put your payload in the preinstall.json file, I also hex encoded the data and used DNS exfiltration
In this case, the CSRF token was exposed through a non-HTTP cookie and also the DOM, they expired after 24 hours so plenty of time to abuse them. I was initially paid 625 for this report, and after review, I was given the rest of the 4,500
While this is certainly true, these numbers also highlight the disproportionate compensation that some bug bounty hunters experience when reporting critical bugs. It is also necessary to advocate for fair compensation when promoting the adoption of bug bounty programs🐞
#bugbountytips
The XSS could only retrieve non-HTTP cookies, so here is what I did:
1) I found a GraphQL endpoint (POST /graphql_service), that retrieved the user's auth token. So, how can I steal the token?
2) I tried transforming the POST query to a GET query in order to use it in my payload
The second part grabs the results & searches JS files using getjs, the results are then passed to Cariddi which crawls the URLs & scans for endpoints, secrets, API keys, file extensions, tokens, and more. Linkfinder is used to extract endpoints & params from the JS files.
3/4
The first part does a thorough subdomain scan of the desired targets, using multiple sources like Github & Shodan and tools like subfinder, vita & assetfinder. It then goes deeper by performing level-deep subdomain scans with puredns
2/4
I now have a working GET GraphQL query, but how can I expose the response that includes the auth token?
3) I found that the site also has a CORS misconfig, so I can send requests on behalf of the victim and receive the response on my server
I’ll never understand why programs don’t fix Critical/P1 vulnerabilities for months, like, I’m tired of wasting hours investigating and exploiting vulnerabilities, writing a good report just to get a duplicate on Criticals🙄
#bugbounty
Yay, I was awarded a $15,000 bounty on @Hacker0x01!
The program was running a 3x campaign and had an average of 0% critical vulnerabilities.
An unusual combination of persistent tokens and good ol' Google Dorking. I will be doing a write-up for this one when it is resolved, and will also be disclosing my most interesting reports here, so drop a follow :) 👇
medium.com/@moblig#bugbountytips#bugbounty#CyberSecurity
Haven't seen a new Clear Verified program in a WHILE, yet new VDPs every month. Companies seem to prefer volume over quality now. Here is an interesting fact from H1 customers:
More and more BBPs programs leaving/closing at a crazy rate
New VDPs every month
Almost 300 Reports in less than a week for this new VDP
We are doomed.
If the default is a 200 page instead of a 404, you can use the -fs option to filter HTTP response size. Just look at the response size of that 200 page and use -fs 2456 for example
Completely wrong take, you are actually head hunted if you perform well in Bug Bounty. I've interviewed candidates who do well in Bug Bounty and they perform better than Certs collectors🤷🏻
Been saying this for a while now dude. It's the most true statement ever. Some people think that bug bounties look great on a resume, but the truth is, recruiters don't give a flying shit about them. They don't consider it experience.
Not my personal opinion. Just straight facts
Extra note: The 2 environments had bi-directional synchronization, so everything a user modified or posted on dev would immediately be reflected on prod and viceversa. So injecting a payload in dev would reflect on prod, but injecting a payload in prod was blocked by the WAF
Pisses me off that programs can get away with this at @Hacker0x01, what are they going to come with up next? Signing up for an account is considered High attack complexity?😂
Yay, I was awarded a $800 bounty on @Hacker0x01! hackerone.com/moblig#TogetherWeHitHarder Second time I was able to leak an entire platform user base including PII. /users/5020 -> 403 Forbidden /users/5020.json -> 200 OK
You can try different bypasses for internal assets like 127.1 instead of 127.0.0.1, also try URL shortners that point to http://localhost, if none of those work, host a XSS payload which extract localstorage and cookies, there is always juicy information there
Bypassing the 403 is a vuln by itself but it has to be accompanied by a good PoC, example: accessing sensitive files stored in the server like web.config or nginx.conf. I personally like this 403 Bypass script because I can add my own patterns github.com/iamj0ker/bypass-4…
I hate it when you work for hours investigating and escalating an XSS just for a stupid program to tell you "We take XSS as Medium severity, we have the final word" fucking put it on your brief then so I don't waste my time🙄
#bugbounty
You are absolutely correct, this was an oversight on my part as I took the code after the fix was pushed, the original code did not match for whitespace characters, only for the javascript string, this was the original line:
var n = decodeURI(t.modal.getUrlParam('onmodalexit'));
Therefore, java%09script worked as well as any new line character.
Thanks for pointing this out @voorivex