Posts

Ways To Bypass Authentication ;

 Ways To Bypass Authentication. 1:) Direct page request; :)a.k.a forced browsing. :)successful authentication => Redir to /admin. :)functionality is inappropriately protected , just go to:  https//your.target.site/admin. 2. Parameter Modification; :) When authentication is verified via fixed parameters. "authenticated" = "yes" "logged_in" = true "is_admin"= true 3. Session ID Prediction; :) Cookies, tokens, etc. :) If ID is predictable => can be bruteforced/guessed. 4. SQL Injection :)improper input sanitization  admin' or '1'='1 More payloads: https://gist.github.com/spenkk/2cd2f7eeb9cac92dd550855e522c558f. :)Use Intruder with default or custom payloads in Burp Suite. 5:) Default accounts ; admin/admin root/admin admin/password 6. Weak Password Change/Reset Feature ;  :)Current password not required. :)Host header poisoning: https://0xn3va.gitbook.io/cheat-sheets/web-application/broken-authentication. Video link: https://yo

Web-Application Pentesting Tools

Web-Application Pentesting Tools 1. Burp Suite - Framework. 2. ZAP Proxy - Framework. 3. Dirsearch - HTTP bruteforcing. 4. Nmap - Port scanning. 5. Sublist3r - Subdomain discovery. 6. Amass - Subdomain discovery. 7. SQLmap - SQLi exploitation. 8. Metasploit - Framework. 9. WPscan - WordPress exploitation. 10. Nikto - Webserver scanning. 11. HTTPX - HTTP probing. 12. Nuclei - YAML based template scanning. 13. FFUF - HTTP probing. 14. Subfinder - Subdomain discovery. 15. Masscan - Mass IP and port scanner. 16. Lazy Recon - Subdomain discovery. 18. XSS Hunter - Blind XSS discovery. 19. Aquatone - HTTP based recon. 20. LinkFinder - Endpoint discovery through JS files. 21. JS-Scan - Endpoint discovery through JS files. 22. GAU - Historical attack surface mapping. 23. Parameth - Bruteforce GET and POST parameters. 24. truffleHog - Find credentials in GitHub commits.

Top XSS Dorks !

 Top 25 XSS Dorks according to OpenBugBounty 1. ?q={payload} 2. ?s={payload} 3. ?search={payload} 4. ?id={payload} 5. ?lang={payload} 6. ?keyword={payload} 7. ?query={payload} 8. ?page={payload} 9. ?keywords={payload} 10. ?year={payload} 11. ?view={payload} 12. ?email={payload} 13. ?type={payload} 14. ?name={payload} 15. ?p={payload} 16. ?month={payload} 17. ?immagine={payload} 18. ?list_type={payload} 19. ?url={payload} 20. ?terms={payload} 21. ?categoryid={payload} 22. ?key={payload} 23. ?l={payload} 24. ?begindate={payload} 25. ?enddate={payload}

Scope Base Recon Methodology

Image
 Scope Base Recon Methodology for Small, Medium,and Large scope tragedy by @Harsha Bothra

Pre Account Takeover Methodology !

While performing penetration testing on a (website.com) target, I observed that the application allowed me to automatically login to the application as soon as I created a new account. This implies that there is no email verification at all. Similarly, the application also supported multiple social login methods such as Login with Google, Facebook and Apple.  Following the below steps, I was able to perform pre-authentication account takeover successfully. 1:) [Attacker Step] Navigate to the and register a new account with using the victim user’s email. Since the application also has a Google Authentication and Facebook option, I used a Gmail account for registration as a victim account. 2:) Observe that the application successfully logs in a user upon registration process completion, and all the features of the applications are accessible. 3:) Now, log out and navigate back to the target application’s login functionality. 4:) [Victim Step] This time, use Google Authentication and log

Recon Methodology and SAML attack ;

Image
  Pentesting Mindmap ! SAML attack;

Open redirection vulnerability

 Common open redirection vulnerability parameter ; /{payload} ?next= ?url= ?target= ?rurl= ?dest= ?destination= ?redir= redirect_uri= ?redirect_url= ?redirect= /redirect/ cgi-bin/redirect.cgi?{} /out/ /out? ?view= /login?to= ?image_url= ?go= ?return= ?returnTo= ?return_to= ?checkout_url= Other common parameters: dest, redirect, uri, path, continue, url, window, to, out, view, dir, show, navigation, Open, url, file, val, validate, domain, callback, return, page, feed, host, port, next, data, reference, site, html

Endpoints to look while testing

Image
 

WordPress Juicy Endpoints

 Wordpress juicy endpoints ! 1) wp-admin.php 2) wp-config.php 3) wp-content/uploads 4) Wp-load 5) wp-signup.php 6) Wp-json 7) wp-includes [directory] 8) index.php 9) wp-login.php 10) wp-links-opml.php  11) wp-activate.php 12) wp-blog-header.php 13) wp-cron.php 14) wp-links.php 15) wp-mail.php 16) xmlrpc.php 17) wp-settings.php 18) wp-trackback.php 19) wp-signup.php 20) admin-bar.php 21) wp-content/debug.log 22) wp-config.bkp 23) wp-admin/admin.php 24) -wpeprivate 25:)  -wpeprivate/config.json              Thank you !       

Networking Cheatsheet and Amount Manipulation Testing !

Image
 Networking Cheatsheet ! Amount Manipulation Testing !

XML Attack !

Image
What is XML external entity injection? XML external entity injection (also known as XXE) is a web security vulnerability that allows an attacker to interfere with an application's processing of XML data. It often allows an attacker to view files on the application server filesystem, and to interact with any back-end or external systems that the application itself can access. In some situations, an attacker can escalate an XXE attack to compromise the underlying server or other back-end infrastructure, by leveraging the XXE vulnerability to perform server-side request forgery (SSRF) attacks. How do XML vulnerabilities arise? While XML is an extremely popular format used by developers to transfer data between the web browser and the server, this results in XXE being a common security flaw. XML requires a parser, which is typically where vulnerabilities occur. XXE enables an entity to be defined based on the content of a file path or URL. When the XML attack payload is read by the ser

Code Review Mindmap and Recon methodology

Image
 Code Review Mindmap !           Pentesting Mindmap/Recon Methodology !   

Two Factor Authentication ! [2FA]

Image
 Two Factor Authentication ! What is 2FA 🤔 ? Let's get started , 2FA stands for 2-factor authentication. It is used as an additional layer of security for user accounts. This simply means there will be two factors for you to authenticate into your account. One is simply your credentials, and if due to some case they are compromised the additional layer(second authentication) can protect your account from getting takeover. This can be of many forms like ;    1:) Sending verification code to email. 2:) Sending OTP to email or mobile number. 3:) Third-party app-generated codes. 4:) Verification through QR codes. 5:)     SMS verification. This provides an extra layer of security for user accounts. Even if your credentials got exposed, your account can still be safe if you have your 2FA turned on. But what if this 2FA is also vulnerable. Then your account is not safe even if you have your 2FA turned on. So this vulnerability is a serious one and can be used to take over other accounts

Authentication Testing( Who are you) !

Image
 Let's get started ! To identify individuals in a group of people we need any unique combination of resources by which we can identify the individual. That combination can be his first name, last name, address or SSN. These all are resources that can help users to identify uniquely. This is the case with humans but if we want to identify in web- application for that web-application uses “Authentication”. Let us discuss it in detail.           What Is Authentication !             Well , It is the process of verifying the identity of a person or a device. Authentication is used by a server when the server needs to know exactly who is accessing their information or site. In authentication, the user or computer has to prove its identity to the server or client. A common example is entering a username and password when you log into the website. In the case of a web application they use different methods of authentications , it can be username password or username with the OTP sent to yo

Know what is Shodan Exactly !

Image
 What Is Shodan Exactly? Shodan is a search engine for Internet-connected devices. It is different from search engines like Google and Bing because Google and Bing are great for finding websites but Shodan helps in finding different things like popular versions of Microsoft IIS, control servers for Malware, how many host are affected with the new CVEs, which countries are becoming more connected, SSL certificates of the websites etc. Difference between Shodan and Google : The major difference between Shodan and Google is that, that Shodan analyzes the internet and Google analyzes the Word Wide Web.        Description : Shodan is the most popular search engine ever seen. It has the capability to index small desktops, CCTVs, nuclear power plants etc. Nowadays shodan has become very popular in the world of penetration testing, bug bounties, digital forensics, threat hunting etc. Shodan’s Search Query Insights : Shodan gathers information by interacting with web services and this informati