Author: Shankar R
How to make a good report!!
We can find tons of write-ups on this topic, but one of my favorites is
The importance of Impact:
Many researchers look for bugs on a target, and if they find a small vulnerability they report it straight away. Sometimes the report is marked N/A even though it is a valid one. That is very frustrating for the researcher (they feel they wasted their time on this target).
Always think about the impact and how to increase the impact of the bug, and explain a realistic attack scenario in the report. That is what we need to concentrate on while hunting.
Why N/A for valid bugs!!
If you find a valid bug (like SQLi, RCE or OS command injection) on the target, it should be high impact from the attacker's or researcher's perspective, but organizations have their own standards for triaging and fixing bugs.
For example: the bug is a SQLi found on one of the target's domains. Once the report is submitted, they start investigating the bug. If the host is not a critical asset from their point of view, or the business impact of that SQLi is very low, or sometimes the cost of fixing it is higher than the impact of the SQLi, then the SQLi will be closed as N/A (Not Applicable). You can see reports of this type closed as N/A even for valid IDOR or rate-limiting bugs in the Facebook bug bounty program (my IDOR was closed as N/A).
Thanks to Parthiban J sir for sharing this type of information with me.
How long do we need to spend on recon? (ignore this if you are getting bored with this section)
Basically I spend a minimum of 3 days (usually more than 20 hours, because I am not a full-time bug bounty hunter) collecting information about my target (depending on the target). But this is not enough time for recon; it is the main part of attacking or finding a bug on a target domain.
Don't jump to other targets before you finish proper recon. If you jump to other targets with minimal effort, there is no opportunity to find good bugs.
How to Increase the Impact??
This part will give you an idea of how to increase the impact of low-hanging fruit.
- If you find an IP address of the target disclosed somewhere (one that looks internal but is actually publicly routable), don't report it right away. Try to increase the impact of the issue by port-scanning the IP you found.
- Then look for vulnerable service versions by running a service/version scan with Nmap.
- If a vulnerable service is running on the target, look for publicly available CVE-based exploits.
Note: If you are getting bored (lazy baby??), run Nmap script scanning against the IP; it may report some CVE-based vulnerabilities (depending on your luck).
- If you find a full path disclosure bug, try to open the disclosed path on the target using different methods, like LFI or open-redirect-based payloads built from the disclosed path.
- Sometimes this leads to source code disclosure or other sensitive information like API keys or 2FA tokens.
- If you find a web server serving its default page, brute-force directories with a wordlist chosen for the type of server running on the target; that helps find default config files of the web server.
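The following is an added example (mine, not the author's and not part of Nmap) that post-processes the steps above: it decides whether a disclosed IP is reachable from outside at all, lists open ports with product/version strings to search in Exploit-DB or NVD, pulls any CVE IDs that NSE scripts printed, and builds the candidate values for the full-path-disclosure tip. The XML is a constructed sample in Nmap's `-oX` format and is assumed to come from `nmap -sV --script vuln -oX scan.xml <ip>`; the host, ports and versions in it are illustrative.

```python
"""Added example, not from the original post or from the nmap project.
Post-processes a constructed nmap -oX file; no scanning is performed here."""
import ipaddress
import re
import xml.etree.ElementTree as ET

# Addresses that only mean something inside the target's network: no point port-scanning
# these from the Internet (RFC 1918, loopback, link-local).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def classify_ip(addr):
    """'internal' if the address cannot be reached from outside, otherwise 'routable'."""
    ip = ipaddress.ip_address(addr)
    return "internal" if any(ip in net for net in INTERNAL_NETS) else "routable"


# Constructed sample (203.0.113.0/24 is a documentation range; versions are illustrative).
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap" args="nmap -sV --script vuln -oX scan.xml 203.0.113.10">
  <host>
    <address addr="203.0.113.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="7.2p2" extrainfo="Ubuntu Linux; protocol 2.0"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack"/>
        <service name="http" product="Apache httpd" version="2.4.18"/>
      </port>
      <port protocol="tcp" portid="8080">
        <state state="filtered" reason="no-response"/>
        <service name="http-proxy"/>
      </port>
    </ports>
  </host>
</nmaprun>"""


def parse_nmap_xml(xml_text):
    """Open ports with service/product/version, plus any CVE IDs found in NSE script output."""
    findings = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        addr = addr_el.get("addr") if addr_el is not None else "?"
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            get = svc.get if svc is not None else (lambda k, d="": d)
            cves = set()
            for script in port.iter("script"):        # <script id=... output=...> from --script
                cves.update(re.findall(r"CVE-\d{4}-\d{4,}", script.get("output", "")))
            findings.append({"host": addr, "port": int(port.get("portid")), "proto": port.get("protocol"),
                             "service": get("name", ""), "product": get("product", ""),
                             "version": get("version", ""), "cves": sorted(cves)})
    return findings


def exploit_search_terms(findings):
    """Queries to feed to searchsploit / NVD; only ports nmap managed to fingerprint."""
    return [f"{f['product']} {f['version']}".strip() for f in findings if f["product"]]


def lfi_candidates(disclosed_path, depth=4):
    """From a disclosed absolute path (e.g. from a PHP warning), build values to try in a
    file/include parameter: the path itself, traversal prefixes of increasing depth, and the
    php://filter wrapper that returns PHP source base64-encoded instead of executing it."""
    rel = disclosed_path.lstrip("/")
    cands = [disclosed_path] + ["../" * d + rel for d in range(1, depth + 1)]
    cands.append("php://filter/convert.base64-encode/resource=" + disclosed_path)
    return cands


if __name__ == "__main__":
    findings = parse_nmap_xml(SAMPLE_NMAP_XML)
    print(findings[0]["host"], "is", classify_ip(findings[0]["host"]))
    for f in findings:
        print(f"{f['port']}/{f['proto']} {f['service']}: {f['product']} {f['version']} {f['cves']}")
    print("search:", exploit_search_terms(findings))
    print("lfi:", lfi_candidates("/var/www/html/app/config.php", depth=2))
```

Only `open` ports are kept (the filtered 8080 is dropped), and only fingerprinted services become search terms, so you search for "OpenSSH 7.2p2" rather than for a bare port number. The CVE regex is there for `--script vuln` output; the sample contains none, so it simply returns an empty list.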
In this write-up I will explain the following…
Burp Suite Extension Series:
How it works! Can you understand these pictures? If not, see my description of this tool below.
How the Collaborator tool detects external service interaction:
A typical external service interaction issue can be detected as follows:
- Burp sends a payload to the application containing a URL that uses a random subdomain of the Collaborator domain, for example: https://example.com/login?param=http://f294gchg2la…r9gf.burpcollaborator.net/
Note: the highlighted part above is the Collaborator subdomain; the random data in it is generated by Burp for each payload.
- Due to its programmed behavior (intended or otherwise), the application fetches the contents of the URL. To do this, it will first perform a DNS lookup on the random subdomain, and then perform an HTTP request.
- The DNS lookup and the HTTP request are received by the Collaborator server. Both interactions contain the random data that Burp placed into the Collaborator subdomain.
- Burp polls the Collaborator server and asks: “Did you receive any interactions for my payload?”, and the Collaborator returns the interaction details.
- Burp reports the external service interaction to the Burp user, including the full interaction messages that were captured by the Collaborator server.
The original source link: https://portswigger.net/burp/documentation/collaborator
Reference link to learn how it works and how helpful it is to us!!
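To make the five steps above concrete, here is an added example of mine (not PortSwigger's code) that models both sides of the exchange in-process: a scanner that mints payload URLs with a random subdomain and remembers which injection point each one belongs to, and a Collaborator-like server that files every DNS lookup and HTTP request under the random label it finds in the hostname and answers polls. `simulate_fetch()` stands in for the vulnerable application; the hostnames, client IPs and requests are constructed and nothing is sent on the network.

```python
"""Added example, not PortSwigger's code: in-process model of the Collaborator correlation."""
import re
import secrets
import string
from collections import defaultdict
from urllib.parse import urlsplit

COLLAB_DOMAIN = "burpcollaborator.net"     # public Collaborator domain; labels below are made up
ALPHABET = string.ascii_lowercase + string.digits


class CollaboratorServer:
    """Server side: every interaction is filed under the random label in the hostname."""

    def __init__(self, domain=COLLAB_DOMAIN):
        self.domain = domain
        self.interactions = defaultdict(list)
        # label = the DNS label directly below our domain, e.g. <label>.burpcollaborator.net
        self._label_re = re.compile(r"(?:^|\.)([a-z0-9]+)\." + re.escape(domain) + r"\.?$")

    def label_of(self, hostname):
        m = self._label_re.search(hostname.strip().lower())
        return m.group(1) if m else None

    def record_dns(self, qname, client_ip):
        """Authoritative DNS side: a lookup for <label>.<domain> is itself an interaction."""
        label = self.label_of(qname)
        if label:
            self.interactions[label].append({"type": "DNS", "from": client_ip, "query": qname})
        return label

    def record_http(self, raw_request, client_ip):
        """HTTP side: the label is recovered from the Host header of the captured request."""
        m = re.search(r"^Host:[ \t]*([^\s:]+)", raw_request, re.M | re.I)
        label = self.label_of(m.group(1)) if m else None
        if label:
            self.interactions[label].append({"type": "HTTP", "from": client_ip, "request": raw_request})
        return label

    def poll(self, label):
        """Burp's question: 'did you receive anything for this payload?'"""
        return list(self.interactions.get(label, []))


class Scanner:
    """Client side (Burp): one unique payload per injection point, remembered for correlation."""

    def __init__(self, server):
        self.server = server
        self.issued = {}

    def new_payload(self, target_url, param):
        label = "".join(secrets.choice(ALPHABET) for _ in range(16))
        self.issued[label] = (target_url, param)
        return label, f"http://{label}.{self.server.domain}/"

    def check(self, label):
        hits = self.server.poll(label)
        return {"target": self.issued[label], "types": sorted({h["type"] for h in hits}), "hits": hits}


def simulate_fetch(server, url, client_ip):
    """What a server-side fetch of an attacker-supplied URL looks like from the Collaborator's
    side: a DNS lookup for the hostname first, then an HTTP request carrying it in Host."""
    parts = urlsplit(url)
    server.record_dns(parts.hostname, client_ip)
    server.record_http(f"GET {parts.path or '/'} HTTP/1.1\r\nHost: {parts.hostname}\r\n\r\n", client_ip)


if __name__ == "__main__":
    srv = CollaboratorServer()
    burp = Scanner(srv)
    label, payload_url = burp.new_payload("https://example.com/login", "param")
    print("injected:", f"https://example.com/login?param={payload_url}")
    simulate_fetch(srv, payload_url, "198.51.100.7")      # the application 'fetches' our URL
    print("poll result:", burp.check(label)["types"])     # ['DNS', 'HTTP']
```

The point the model makes explicit: correlation rests entirely on the random label, so a DNS-only hit (the application resolved the name but never connected, e.g. an egress-filtered SSRF) is still attributable to exactly one injected request, and lookups for unrelated names are ignored.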
Extension download link (github.com): "A Burp Suite Pro extension which augments your proxy traffic by injecting non-invasive headers designed to reveal…"
This is not an extension; it is one of Burp Suite's great built-in features.
A macro is a predefined sequence of one or more requests. You can use macros within session handling rules to perform various tasks. Typical use cases for macros include:
- Fetching a page of the application (such as the user’s home page) to check that the current session is still valid.
- Performing a login to obtain a new valid session.
- Obtaining a token or nonce to use as a parameter in another request.
- When scanning or fuzzing a request in a multi-step process, performing the necessary preceding requests, to get the application into a state where the targeted request will be accepted.
- In a multi-step process, after the “attack” request, completing the remaining steps of the process, to confirm the action being performed, or obtain the result or error message from the conclusion of that process.
A guide to writing Burp Suite macros and session handling rules (digi.ninja)
BackSlash Powered Scanner
We can find lots of server-side vulnerabilities with this tool. But we need to understand the target application and how it responds to different inputs; probing that behaviour is what this tool does by default.
Initially we need to enable the Backslash Powered Scanner settings from the Scanner tab. For more info, check out the image below.
Extension download link (github.com): "Finds unknown classes of injection vulnerabilities" – PortSwigger/backslash-powered-scanner
AuthMatrix is an extension to Burp Suite that provides a simple way to test authorization in web applications and web services. With AuthMatrix, testers focus on thoroughly defining tables of users, roles, and requests for their specific target application upfront. These tables are structured in a similar format to that of an access control matrix common in various threat modeling methodologies.
Extension download link (github.com): "AuthMatrix is a Burp Suite extension that provides a simple way to test authorization in web applications and web…"
Note: We can use the Authz and Autorize extensions instead of AuthMatrix.
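An added example (mine, not AuthMatrix's own code) of the access-control matrix the extension automates, run against a toy application. Users, session cookies, endpoints and the application logic are constructed for the example; the DELETE handler deliberately lacks an ownership check so that the matrix has a real finding to report.

```python
"""Added example, not AuthMatrix's code: an access-control matrix run against a toy app."""
import re

SESSIONS = {"sess-alice": "alice", "sess-bob": "bob", "sess-carol": "carol"}  # cookie -> user
ROLES = {"alice": "user", "bob": "user", "carol": "admin"}
DOC_OWNER = {"1": "alice", "2": "bob"}


def app(session, method, path):
    """Toy target application; returns an HTTP status code."""
    user = SESSIONS.get(session)
    if user is None:
        return 401
    if path.startswith("/admin/"):
        return 200 if ROLES[user] == "admin" else 403
    m = re.fullmatch(r"/docs/(\d+)", path)
    if m:
        doc = m.group(1)
        if doc not in DOC_OWNER:
            return 404
        if method == "GET":
            return 200 if DOC_OWNER[doc] == user or ROLES[user] == "admin" else 403
        if method == "DELETE":
            return 200          # deliberate flaw: no ownership check (IDOR)
    return 404


# The matrix. Rows: users and the credential each one sends. Columns: requests.
# Cells: which users are expected to be allowed; everyone else must be refused.
USERS = {"alice": "sess-alice", "bob": "sess-bob", "carol": "sess-carol", "anonymous": ""}
REQUESTS = [("GET", "/docs/1"), ("DELETE", "/docs/1"), ("GET", "/admin/users")]
ALLOWED = {
    ("GET", "/docs/1"): {"alice", "carol"},
    ("DELETE", "/docs/1"): {"alice", "carol"},
    ("GET", "/admin/users"): {"carol"},
}


def run_matrix(target, users=USERS, requests=REQUESTS, allowed=ALLOWED):
    """Replay every request as every user and compare the outcome with the matrix.
    Returns the mismatching cells as (user, request, status, verdict)."""
    findings = []
    for user, cred in users.items():
        for req in requests:
            status = target(cred, *req)
            expected, actual = user in allowed[req], status < 400
            if actual and not expected:
                findings.append((user, req, status, "privilege escalation"))
            elif expected and not actual:
                findings.append((user, req, status, "unexpected denial"))
    return findings


def render(target, users=USERS, requests=REQUESTS):
    """The matrix as text: one row per user, one column per request, status in each cell."""
    header = "user".ljust(10) + "".join(f"{m} {p}".ljust(20) for m, p in requests)
    rows = [header]
    for user, cred in users.items():
        rows.append(user.ljust(10) + "".join(str(target(cred, *r)).ljust(20) for r in requests))
    return "\n".join(rows)


if __name__ == "__main__":
    print(render(app))
    for finding in run_matrix(app):
        print("FAIL:", finding)   # ('bob', ('DELETE', '/docs/1'), 200, 'privilege escalation')
```

Filling in the table of users, roles and requests up front is the real work; once it exists, every horizontal (same role, other user's object) and vertical (user to admin) check is a cell comparison, and an "unexpected denial" row is worth a look too, since it usually means the matrix, not the application, is wrong.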
A Blind web root file upload and LFI detection tool
For this tool I didn’t find any documentation other than this link
"psychoPATH – hunting file uploads & LFI in the dark. This tool is a customisable payload generator designed for blindly…" (github.com)
- When uploading a file in a format that supports it, it uses the ExifTool metadata fields "keywords", "comment", "iptc:keywords", "xmp:keywords", "exif:ImageDescription" and "ThumbnailImage" to carry the payload
- It injects PHP, JSP, ASP, XXE, SSRF, XSS and SSI payloads into the target
- It uploads with various combinations of file extensions and content types
- It detects issues via sleep-based payloads, Burp Collaborator interactions, or by downloading the file again
For a tutorial, kindly find the link below
Extension download link (github.com): "HTTP file upload scanner for Burp Proxy" – PortSwigger/upload-scanner
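An added example of mine (not the upload scanner's own code) for two of the mechanics listed above: carrying a payload in image metadata rather than in pixel data, and enumerating extension/content-type combinations to submit. The payload is a harmless marker string; the file is a minimal JPEG container built by hand (SOI, one COM segment, EOI), which is the same slot ExifTool's `-Comment=` writes to. The extension and content-type lists are constructed for the example.

```python
"""Added example, not PortSwigger's upload-scanner code: metadata-carried payload + upload variants."""
import itertools
import struct

SOI, EOI = b"\xff\xd8", b"\xff\xd9"
COM = b"\xff\xfe"                      # JPEG comment segment marker


def jpeg_with_comment(comment):
    """SOI + COM(length, data) + EOI. The length field counts itself (2 bytes) plus the data,
    so anything that sniffs the ff d8 ff magic sees a JPEG while the payload sits in metadata."""
    if len(comment) + 2 > 0xFFFF:
        raise ValueError("comment too long for one segment")
    return SOI + COM + struct.pack(">H", len(comment) + 2) + comment + EOI


def jpeg_comments(data):
    """Walk the marker segments and return the data of every COM segment (checks the round trip)."""
    if data[:2] != SOI:
        raise ValueError("not a JPEG: missing SOI")
    out, i = [], 2
    while i + 4 <= len(data) and data[i] == 0xFF:
        marker = data[i + 1]
        if marker == 0xD9:                                  # EOI
            break
        length = struct.unpack(">H", data[i + 2:i + 4])[0]
        if marker == 0xFE:
            out.append(data[i + 4:i + 2 + length])
        i += 2 + length
    return out


# Constructed lists; a real scanner's are longer and tuned to the server-side language.
EXTENSIONS = ["php", "phtml", "php5", "phar", "php.jpg", "jpg.php", "pHp"]
CONTENT_TYPES = ["image/jpeg", "application/octet-stream", "application/x-php"]


def upload_variants(basename, payload):
    """Every (filename, content_type, body) to submit; the body is identical, only the labels vary,
    which is exactly what exposes a filter that trusts the extension or the declared type."""
    body = jpeg_with_comment(payload)
    return [(f"{basename}.{ext}", ct, body)
            for ext, ct in itertools.product(EXTENSIONS, CONTENT_TYPES)]


if __name__ == "__main__":
    marker = b"upload-probe-7f3a"   # harmless marker; a PHP/JSP/SSI probe would go in this slot
    for name, ctype, body in upload_variants("avatar", marker)[:3]:
        print(name, ctype, len(body), "bytes, comment:", jpeg_comments(body)[0])
```

Detection then works the way the last bullet says: fetch the stored file back and check whether the marker is returned verbatim (the server kept it as data) or has been interpreted, or watch for the Collaborator or sleep side effect if the probe is an active one.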
This extension gives Burp Suite the ability to find Java deserialization vulnerabilities.
Serialized Java objects begin with the bytes "ac ed 00 05" in hexadecimal and with "rO0AB" when base64-encoded.
The Content-Type header value will be application/x-java-serialized-object (you won't see it on GET requests; we need to find the vulnerable endpoint and exploit it with a POST request).
I have seen that ysoserial and JexBoss are also good options for exploiting Java deserialization vulnerabilities.
"Java deserialization vulnerabilities were discovered and disclosed in January 2015 by Gabriel Lawrence and Chris…" (techblog.mediaservice.net)
This Burp Suite extension helps us find reflected XSS (and sometimes SSI injection, depending on the target) on a page in real time while browsing the website, and includes features such as:
- Highlighting of the reflection in the response tab.
- Testing which symbols are allowed in the reflection.
- Analysis of the reflection context.
- Content-Type whitelist
How to use
After installing the plugin you just need to start working with the web application under test. Every time a reflection is found, Reflector determines the severity and generates a Burp issue.
Note: You can also manage the content-type whitelist the Reflector plugin should work with. But if you use types other than text/html, this can slow things down.
Extension download link (github.com): "Burp plugin able to find reflected XSS on page in real-time while browsing on site" – elkokc/reflector
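An added example of mine (not Reflector's code) of the core of what such a plugin does: send a recognisable probe in a parameter, find every copy of it in the response, classify the HTML context it landed in, check which special characters came back unencoded, and rate the result. The response is a constructed page with the same probe reflected three times with different encoding applied each time; the context and severity rules are my simplification.

```python
"""Added example, not Reflector's code: locate a probe in a response, classify context and survivors."""
import re

SEED = "rfl"                 # marker so the probe can be found even when its middle is encoded
PROBE_CHARS = '<>"\'/'        # the characters whose survival decides what an attacker could do


def probe_value():
    """Value to send in the parameter under test, e.g. ?q=rfl<>"'/rfl"""
    return SEED + PROBE_CHARS + SEED


def _context(before):
    """Where did the reflection land? Decided from the markup preceding it."""
    low = before.lower()
    if low.rfind("<script") > low.rfind("</script"):
        return "script"
    if low.rfind("<!--") > low.rfind("-->"):
        return "comment"
    if low.rfind("<") > low.rfind(">"):
        return "attribute"      # inside an open tag
    return "text"


def _open_quote(before):
    """Quote character that is open immediately before the reflection (attribute or JS string)."""
    m = re.search(r"""=\s*(["'])[^"']*$""", before)
    return m.group(1) if m else None


def _severity(context, quote, survived):
    s = set(survived)
    if context == "text" and {"<", ">"} <= s:
        return "high"                      # new tags can be injected
    if context == "attribute" and quote in s:
        return "high"                      # attribute can be closed, event handler added
    if context == "script" and (quote in s or {"<", "/"} <= s):
        return "high"                      # JS string breakout, or </script> to leave the block
    if context == "comment" and ">" in s:
        return "medium"
    return "low"


def analyze(body, value=None):
    """One record per reflection: offset, context, open quote, surviving chars, severity."""
    value = value or probe_value()
    core = value[len(SEED):-len(SEED)]
    results, pos = [], 0
    while True:
        i = body.find(SEED, pos)
        if i == -1:
            break
        j = body.find(SEED, i + len(SEED))
        if j == -1:
            break
        reflected = body[i + len(SEED):j]
        pos = j + len(SEED)
        if len(reflected) > 8 * len(core):     # seeds too far apart to be one reflection
            continue
        before = body[:i]
        context = _context(before)
        quote = _open_quote(before) if context in ("attribute", "script") else None
        # a character "survives" only if it is present literally and not backslash-escaped
        survived = [c for c in core if re.search(r"(?<!\\)" + re.escape(c), reflected)]
        results.append({"offset": i, "context": context, "quote": quote,
                        "survived": survived, "severity": _severity(context, quote, survived)})
    return results


# Constructed response: the probe reflected into an attribute, into text and into a JS string.
SAMPLE_RESPONSE = (
    '<html><body>\n'
    '<input name="q" value="rfl&lt;&gt;&quot;\'/rfl">\n'      # entity-encoded: only ' and / survive
    '<p>Results for rfl&lt;&gt;"\'/rfl</p>\n'                   # only < and > encoded
    '<script>var q = "rfl<>\\"\'/rfl";</script>\n'               # " backslash-escaped, < > intact
    '</body></html>'
)

if __name__ == "__main__":
    for r in analyze(SAMPLE_RESPONSE):
        print(r)
```

The third reflection is the interesting one: the JS string's own delimiter is escaped, so naive "is my quote there?" logic would rate it low, but `<` and `/` survived, so `</script>` closes the block and the rest of the payload lands in HTML context.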
I haven't tested it yet, but I was impressed with this tool. You can try it at least once to find rate-limiting bugs.
Extension download link (github.com): "Turbo Intruder is a Burp Suite extension for sending large numbers of HTTP requests and analyzing the results.…"
It correlates real-time traffic with Exploit-DB. This is similar to the Retire.js extension.
Extension download link (medium.com): "Wanted to share with you what IMHO is the most promising Burp Suite plugin that just might transform it to the best…"
This tool is specifically for clickjacking. Many people are confused by the clickjacking attack vector, but this tool helps clarify a realistic attack scenario.
What is chaining of vulnerabilities ?
This is a technique by which the researcher can increase the impact of a bug by combining two or more bugs.
This is possible with some low-impact or self-only vulnerabilities like self-XSS, login CSRF, logout CSRF and clickjacking (which are out of scope on many targets), etc.
How to chain vulnerabilities ?
I will share some great write-ups in which researchers exploited chains of vulnerabilities (simple to hard).
Open Redirection to XSS
We can see tons of reports of this type of chain.
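The reason this chain works, as an added example of mine (not taken from any of the linked write-ups): a redirect parameter validated with a substring check accepts a `javascript:` URL, and when the redirect is performed client-side (`location.href = param`) that URL executes in the page's origin. `naive_is_safe()` is the bypassable check; `safe_redirect_target()` is the hardened replacement. The hostname is an assumption for the example.

```python
"""Added example, not from the linked write-ups: open redirect -> XSS, and the fix."""
from urllib.parse import urlsplit

OUR_HOST = "example.com"   # assumption: the application's own hostname


def naive_is_safe(url):
    """Bypassable 'is it ours?' check: a substring test over the whole URL."""
    return OUR_HOST in url


def safe_redirect_target(url, default="/"):
    """Return a redirect target that stays on our site, or the default.
    Blocks other hosts, protocol-relative (//) and backslash tricks, userinfo tricks,
    and non-HTTP schemes such as javascript:, which is what turns a client-side
    redirect into XSS."""
    if not url or url.startswith(("//", "/\\", "\\")):
        return default
    parts = urlsplit(url.replace("\\", "/"))
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return default                    # javascript:, data:, vbscript: ...
    if parts.scheme and not parts.netloc:
        return default                    # "http:" or "https:evil" with no proper host
    if parts.netloc and parts.netloc.lower() != OUR_HOST:
        return default                    # someone else's host, or user@host tricks
    return url


if __name__ == "__main__":
    for candidate in ("/account", "https://evil.test/?ref=example.com",
                      "javascript:alert(document.domain)//example.com"):
        print(f"{candidate!r:52} naive={naive_is_safe(candidate)!s:5} -> {safe_redirect_target(candidate)!r}")
```

Comparing `netloc` rather than `hostname` is deliberate: it rejects `https://example.com@evil.test/` and non-default ports outright instead of trying to reason about them, and a relative path is the only input that passes through unchanged.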
Open Redirection to OAuth Token Stealing
- https://www.arneswinnen.net/2017/06/authentication-bypass-on-airbnb-via-oauth-tokens-theft/ (This is my one of the favorite bug)
Self XSS into good XSS:
- In this report, self-XSS becomes a good XSS with the help of clickjacking: https://medium.com/@arbazhussain/self-xss-to-good-xss-clickjacking-6db43b44777e
LFI to RCE:
"Local File Inclusion – aka LFI – is one of the most common Web Application vulnerabilities. If conducted successfully…" (outpost24.com)
- This write-up will give you an idea of LFI-to-RCE chaining: https://resources.infosecinstitute.com/local-file-inclusion-code-execution/#gref
SSRF to XSS
SSRF to RCE:
SSTI to RCE: