# Table of Contents - [Hidden API Functionality Exposure | HowToHunt](#hidden-api-functionality-exposure-howtohunt) - [Broken-Link Hijacking | HowToHunt](#broken-link-hijacking-howtohunt) - [Reverse Engineer an API | HowToHunt](#reverse-engineer-an-api-howtohunt) - [Wordpress | HowToHunt](#wordpress-howtohunt) - [Application Level DoS Methods | HowToHunt](#application-level-dos-methods-howtohunt) - [AEM | HowToHunt](#aem-howtohunt) - [Moodle | HowToHunt](#moodle-howtohunt) - [OTP Bypass | HowToHunt](#otp-bypass-howtohunt) - [Drupal | HowToHunt](#drupal-howtohunt) - [Account Ban Bypass | HowToHunt](#account-ban-bypass-howtohunt) - [Account Takeover Methodology | HowToHunt](#account-takeover-methodology-howtohunt) - [CORS Bypasses | HowToHunt](#cors-bypasses-howtohunt) - [CORS | HowToHunt](#cors-howtohunt) - [Session Based Bugs | HowToHunt](#session-based-bugs-howtohunt) - [2FA Bypasses | HowToHunt](#2fa-bypasses-howtohunt) - [Web Application Pentesting Checklist | HowToHunt](#web-application-pentesting-checklist-howtohunt) - [HTML-Injection | HowToHunt](#html-injection-howtohunt) - [HTTP_Desync | HowToHunt](#http-desync-howtohunt) - [CVES | HowToHunt](#cves-howtohunt) - [GraphQL | HowToHunt](#graphql-howtohunt) - [Host-Header | HowToHunt](#host-header-howtohunt) --- # Hidden API Functionality Exposure | HowToHunt * Application programming interfaces (APIs) have become a critical part of almost every business. APIs are responsible for transferring information between systems within a company or to external companies. For example, when you log in to a website like Google or Facebook, an API processes your login credentials to verify they are correct. 1. Swagger UI Documentation 2. Dictionary Attack | Brute force 3. Common wordlist for API Enum : * https://wordlists.assetnote.io/ * https://github.com/Net-hunter121/API-Wordlist [](#steps-to-perform-this-attack) Steps to Perform This Attack : --------------------------------------------------------------------- Copy Step 1 : Capture the request into Burp, Send the request to repeater and intruder tab. Step 2 : Add the endpoint into the intruder tab and add the payload from the word-list. Step 3 : First use dictionary attack with SecLists (https://github.com/danielmiessler/SecLists) on the Endpoint. Step 4 : Either use your customized list or use the ones which I have provided in the above step. Step 5 : Then simply start the attack, start checking for 200 status. Step 7 : Once there is HTTP 200 OK status, start the recursive scan on the same endpoint for juicy information like swagger doc and so on. step 8 : Other method is to change the API version and try bruteforcing the same endpoint Eg: Redacted.com/api/v1/{Endpoint} ----- Redacted.com/api/v2/{Endpoint} * Note: There will be minimum limits per request which will be assigned without API keys so make sure to utilize manual approach as much as you can, then the rest can be automated for scanning the vulnerability in API with automated tools. [](#contributor) Contributor: ---------------------------------- * [N3T\_hunt3r](https://twitter.com/N3T_hunt3r) [PreviousHowToHunt.md](/howtohunt) [NextReverse Engineer an API](/howtohunt/api-testing/reverse_engineer_an_api) Last updated 7 months ago --- # Broken-Link Hijacking | HowToHunt ### [](#steps) Steps 1. Manually find and click external links on the target site ( For Example:- Some Links to Social Media Accounts or Some external Media Link) 2. While Doing Manual work also put [broken-link-checker](https://github.com/stevenvachon/broken-link-checker) in background using below Command interminal. `blc -rof --filter-level 3 https://example.com/` Ouput will be like Something. `─BROKEN─ https://www.linkedin.com/company/ACME-inc-/ (HTTP_999)` 3. Now you need to check if company has the page or not , if no then register as the company or try to get that username or url. ### [](#alternate-step) Alternate Step 1. Go to [Online Broken Link Checker](https://ahrefs.com/broken-link-checker) , [Dead Link Checker](https://www.deadlinkchecker.com/) Or [Alternative Online Broken Link Checker](https://brokenlinkcheck.com/) 2. Input the domain name ### [](#reference) Reference * [https://edoverflow.com/2017/broken-link-hijacking/](https://edoverflow.com/2017/broken-link-hijacking/) * [https://medium.com/@bathinivijaysimhareddy/how-i-takeover-the-companys-linkedin-page-790c9ed2b04d](https://medium.com/@bathinivijaysimhareddy/how-i-takeover-the-companys-linkedin-page-790c9ed2b04d) #### [](#author) Author: * [@KathanP19](https://twitter.com/KathanP19) * [@cyph3r\_asr](https://twitter.com/cyph3r_asr) * [@v3daxt](https://twitter.com/v3daxt) [PreviousAccount Ban Bypass](/howtohunt/authentication-bypass/account_ban_bypass) [NextSession Based Bugs](/howtohunt/broken-auth-and-session-management/session_based_bugs) Last updated 2 years ago --- # Reverse Engineer an API | HowToHunt [PreviousHidden API Functionality Exposure](/howtohunt/api-testing/hidden_api_functionality_exposure) [NextAccount Takeover Methodology](/howtohunt/account-takeover-methodology/account_takeovers_methods) Last updated 7 months ago [](#tools-to-use) Tools to use ----------------------------------- 1. FoxyProxy 2. mitmweb 3. mitmproxy2swagger 4. https://editor.swagger.io/ 5. Postman [](#steps-to-reproduce) Steps to Reproduce ----------------------------------------------- 1. **Foxyproxy:** Turn on 8080 port using Foxy Proxy.(Label it anything you want) 2. **mitmweb:** Run `sudo mitmweb` and then go to mitm.it and install & import the certificate. 3. **Explore Website w/ API's functionalities:** Go to the website w/ api that you want to gather the API endpoints from and explore it's functionalities. The mitmweb tool will capture it, afterwards you can download the captures as a flow file in mitmweb by clicking on file -> save all. 4. **mitmproxy2swagger:** Here we run `sudo mitmproxy2swagger -i flows -o spec.yml -p -f flow`. This will turn flows file to a yml file. Afterwards you need to remove the ignore: in the spec.yml and run `sudo mitmproxy2swagger -i flows -o spec.yml -p -f flow --examples`, --examples is added to enhance the documentation of the api endpoints. 5. **https://editor.swagger.io/:** Now you can import the clean spec.yml file and visualize the different endpoints. 6. **Postman:** You can also import the spec.yml in postman which will produce a well organized collection. ![](https://kathan19.gitbook.io/~gitbook/image?url=https%3A%2F%2Fpasteboard.co%2Fn2094TfDB8qt.png&width=300&dpr=4&quality=100&sign=33117b8f&sv=2) --- # Wordpress | HowToHunt [](#wordpress-common-misconfiguration) Wordpress Common Misconfiguration ----------------------------------------------------------------------------- Here I will try my best to mention all common security misconfigurations for Wordpress I saw before or officially referenced. I will be attaching all poc and reference as well [](#index) Index --------------------- * Wordpress Detection * General Scan Tool * xmlrpc.php * Directory listing * CVE-2018-6389 * CVE-2021-24364 * WP Cornjob DOS * WP User Enumeration [](#wordpress-detection) Wordpress Detection ------------------------------------------------- Well, if you are reading this you already know about technology detection tool and methods. Still adding them below * Wappalyzer * WhatRuns * BuildWith [](#geneal-scan-tool) Geneal Scan Tool ------------------------------------------- * WpScan [](#xmlrpc.php) xmlrpc.php ------------------------------- This is one of the common issue on wordpress. To get some bucks with this misconfiguration you must have to exploit it fully, and have to show the impact properly as well. #### [](#detection) Detection * visit site.com/xmlrpc.php * Get the error message about POST request only #### [](#exploit) Exploit * Intercept the request and change the method GET to POST * List all Methods Copy system.listMethods * Check the `pingback.ping` mentod is there or not * Perform DDOS Copy pingback.ping http://: http:// * Perform SSRF (Internal PORT scan only) Copy pingback.ping http://: http:// #### [](#tool-to-automate-xmlrpc-scan) Tool To Automate XMLRPC-Scan. [XMLRPC-Scan](https://github.com/nullfil3/xmlrpc-scan) #### [](#references) References [Bug Bounty Cheat Sheet](https://m0chan.github.io/2019/12/17/Bug-Bounty-Cheetsheet.html) [Medium Writeup](https://medium.com/@the.bilal.rizwan/wordpress-xmlrpc-php-common-vulnerabilites-how-to-exploit-them-d8d3c8600b32) [WpEngine Blog Post](https://wpengine.com/resources/xmlrpc-php/) [](#directory-listing) Directory listing --------------------------------------------- Sometimes developers forget to disable the directory listing on /wp-content/uploads. So this is the common issue on wordpress sites. #### [](#detection-1) Detection /wp-content/uploads #### [](#pro-tip) Pro tip Add this path to your fuzzing wordlist #### [](#references-1) References [H1 Report](https://hackerone.com/reports/201984) [H1 Report](https://hackerone.com/reports/762118) [H1 Report](https://hackerone.com/reports/789388) [H1 Report](https://hackerone.com/reports/448985) [](#cve-2018-6389) CVE-2018-6389 ------------------------------------- This issue can down any Wordpress site under 4.9.3 So while reporting make sure that your target website is running wordpress under 4.9.3 #### [](#detection-2) Detection Use the URL from my gist called loadsxploit, you will get a massive js data in response. [loadsxploit](https://gist.github.com/remonsec/4877e9ee2b045aae96be7e2653c41df9) #### [](#exploit-1) Exploit You can use any Dos tool i found Doser really fast and it shut down the webserver within 30 second [Doser](https://github.com/quitten/doser.py) Copy python3 doser.py -t 999 -g 'https://site.com/fullUrlFromLoadsxploit' #### [](#references-2) References [H1 Report](https://hackerone.com/reports/752010) [CVE Details](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6389) [Blog Post](https://baraktawily.blogspot.com/2018/02/how-to-dos-29-of-world-wide-websites.html) [](#cve-2021-24364) CVE-2021-24364 --------------------------------------- The Jannah WordPress theme before 5.4.4 did not properly sanitize the options JSON parameter in its tie\_get\_user\_weather AJAX action before outputting it back in the page, leading to a Reflected Cross-Site Scripting (XSS) vulnerability. #### [](#detection-and-exploit) Detection and Exploit * Replace to your WP-site /wp-admin/admin-ajax.php?action=tie\_get\_user\_weather&options=%7B%27location%27%3A%27Cairo%27%2C%27units%27%3A%27C%27%2C%27forecast\_days%27%3A%275%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3Ecustom\_name%27%3A%27Cairo%27%2C%27animated%27%3A%27true%27%7D * Wait for the pop-up! #### [](#reference) Reference [NVD](https://nvd.nist.gov/vuln/detail/CVE-2021-24364) [](#wp-cornjob-dos) WP Cornjob DOS --------------------------------------- This is another area where you can perform a DOS attack. #### [](#detection-3) Detection * visit site.com/wp-cron.php * You will see a Blank page with 200 HTTP status code #### [](#exploit-2) Exploit You can use the same tool Doser for exploiting this Copy python3 doser.py -t 999 -g 'https://site.com/wp-cron.php' #### [](#reference-1) Reference [GitHub Issue](https://github.com/wpscanteam/wpscan/issues/1299) [Medium Writeup](https://medium.com/@thecpanelguy/the-nightmare-that-is-wpcron-php-ae31c1d3ae30) [](#wp-user-enumeration) WP User Enumeration ------------------------------------------------- This issue will only acceptable when target website is hiding their current users or they are not publically available. So attacker can use those user data for bruteforcing and other staff #### [](#detection-4) Detection * visit site.com/wp-json/wp/v2/users/ * You will see json data with user info in response #### [](#exploit-3) Exploit If you have xmlrpc.php and this User enumeration both presence there. Then you can chain them out by collecting username from wp-json and perform Bruteforce on them via xmlrpc.php. It will surely show some extra effort and increase the impact as well #### [](#reference-2) Reference [H1 Report](https://hackerone.com/reports/356047) [](#researcher-note) Researcher Note ----------------------------------------- Please do not depend on those issues at all. I saw people only looking for those issues and nothing else. Those are good to have a look while testing for other vulnerabilities and most of the time they work good for chaining with other low bugs. [](#author) Author ----------------------- **Name:** Mehedi Hasan Remon **Handle:** [@remonsec](https://twitter.com/remonsec) [PreviousDrupal](/howtohunt/cms/drupal) [NextMoodle](/howtohunt/cms/moodle) Last updated 2 years ago --- # Application Level DoS Methods | HowToHunt ### [](#id-1.-email-bounce-issues) 1\. Email Bounce Issues * Check if Application has Invite Functionality * Try sending Invites to Invalid Email Accounts * Try to find Email Service Provider such as AWS SES , Hubspot , Campaign Monitor **Note: You can find Email Service Provider by checking Email Headers** * Once you have the Email Service Provider, Check there Hard Bounce Limits. Here are the limits for some of them: **1\. Hubspot Hard bounces:** HubSpot's hard bounce limit is 5%. For reference, many ISPs prefer bounce rates to be under 2%. **2\. AWS SES:** The rate of SES ranges from first 2-5% then 5-10% _**Impact: Once the Hard Bounce Limits are reached, Email Service Provider will block the Company which means, No Emails would be sent to the Users !**_ ### [](#id-2.-long-password-dos-attack) 2\. Long Password DoS Attack * As the value of password is hashed and then stored in Databases. If there is no limit on the length of the Password, it can lead to consumption of resources for Hashing the Long Password. **How to test?** * Use a Password of length around 150-200 words to check the presense of Length Restriction * If there is no Restriction, Choose a longer password and keep a eye on Response Time * Check if the Application Crashes for few seconds **Where to test?** * Registration Password Field is usually restricted but the Length of Password on the Forgot Password Page and the Change Password (As Authenticated User) Functionality is usually missing. ### [](#id-3.-long-string-dos) 3\. Long String DOS * When you set some string so long so server cannot process it anymore it cause DOS sometime **How to test** Copy Create app and put field like username or address or even profile picture name parameter ( second refrence ) like 1000 character of string . Search A's account from B's account either it will * Either it will keeping on searching for long time * Either the application will crash (500 - Error Code) ### [](#use-password-from-password.txt) Use Password From Password.txt ⚠️`it's not recommended using more than 5000 characters as password.` * Here is the [Password.txt](https://raw.githubusercontent.com/KathanP19/HowToHunt/master/Application_Level_DoS/Password.txt) ### [](#id-4.-permanent-dos-to-victim) 4\. Permanent DOS to victim This is not Application Level DOS but a Permanent DOS to victim. In some website user get blocked after trying to loging in with wrong credidentials.We will untilize this feature as bug :D. **How to check**. * Go to login page of example.com. * Now enter valid account email and wrong password . * Try to login with these details for few times(at least 10-20 times).You can use repeater or intruder in burpsuite. * If your account get blocked, check the blocking time period.If the blocking time period is more than 30 min .You can report it. **Point to Remember** * Make sure there is no captcha during login because we cann't make any automated tool to loop the request. * Make sure Old session are expired after being blocked. **What is priority of this bug?** * If the user get permanently block after some wrong attempts this is considered as P2. * If the user get temporarly block this is considered as P3/P4. During report try to add impact by saying that you can permanently block user account by looping this request with some intervals. ### [](#reference) Reference : \- Email Bounce Issues * [https://medium.com/bugbountywriteup/an-unexpected-bounty-email-bounce-issues-b9f24a35eb68](https://medium.com/bugbountywriteup/an-unexpected-bounty-email-bounce-issues-b9f24a35eb68) \- Long Password DoS Attack * https://www.acunetix.com/vulnerabilities/web/long-password-denial-of-service/ * https://hackerone.com/reports/738569 * https://hackerone.com/reports/167351 \- Long String DOS * [https://medium.com/@shahjerry33/long-string-dos-6ba8ceab3aa0](https://medium.com/@shahjerry33/long-string-dos-6ba8ceab3aa0) * https://hackerone.com/reports/764434 \- Permanent DOS to victim * https://youtu.be/5drIMXCQuNw ### [](#author) Author: * [Keshav Malik](https://twitter.com/g0t_rOoT_) * [Fani Malik](https://twitter.com/fanimalikhack) [PreviousAccount Takeover Methodology](/howtohunt/account-takeover-methodology/account_takeovers_methods) [Next2FA Bypasses](/howtohunt/authentication-bypass/2fa_bypasses) Last updated 3 years ago --- # AEM | HowToHunt [](#tools) Tools --------------------- * [aem-hacker](https://github.com/0ang3el/aem-hacker) * [aemscan](https://github.com/Raz0r/aemscan) [](#wordlist-for-fuzzing) Wordlist for fuzzing --------------------------------------------------- * [aem.txt](https://raw.githubusercontent.com/clarkvoss/AEM-List/main/paths) [](#resources) Resources ----------------------------- * [Approaching AEM](https://www.bugcrowd.com/resources/webinar/aem-hacker-approaching-adobe-experience-manager-web-apps/) * [Securing AEM](https://www.slideshare.net/0ang3el/securing-aem-webapps-by-hacking-them) [PreviousSession Based Bugs](/howtohunt/broken-auth-and-session-management/session_based_bugs) [NextDrupal](/howtohunt/cms/drupal) Last updated 7 months ago --- # Moodle | HowToHunt ### [](#mass-hunting-xss-moodle) Mass Hunting XSS — Moodle * [https://dewangpanchal98.medium.com/mass-hunting-xss-moodle-ed4b50c82516](https://dewangpanchal98.medium.com/mass-hunting-xss-moodle-ed4b50c82516) ### [](#author) Author: [@th3.d1p4k](https://twitter.com/DipakPanchal05) [PreviousWordpress](/howtohunt/cms/wordpress) [NextCORS](/howtohunt/cors/cors) Last updated 3 years ago --- # OTP Bypass | HowToHunt [](#introduction) **Introduction** --------------------------------------- One-Time Passwords (OTP) are commonly used for authentication and verification in account registration, login, and critical actions. However, poor OTP implementations can lead to **authentication bypass, account takeover, and unauthorized access**. This document outlines **various OTP bypass techniques**, including **response manipulation, rate limit exploitation, default OTP usage, and session validation flaws**. * * * [](#otp-bypass-via-response-manipulation) **OTP Bypass via Response Manipulation** --------------------------------------------------------------------------------------- ### [](#method-1-manipulating-otp-verification-response) **Method 1: Manipulating OTP Verification Response** #### [](#steps) **Steps:** 1. Register an account with a mobile number and request an OTP. 2. Enter an **incorrect OTP** and capture the request using **Burp Suite**. 3. Intercept and **modify the server's response**: * Original response: Copy {"verificationStatus":false,"mobile":9072346577,"profileId":"84673832"} * Change to: Copy {"verificationStatus":true,"mobile":9072346577,"profileId":"84673832"} 4. Forward the manipulated response. 5. The system authenticates the account despite the incorrect OTP. **Impact:** * **Full account takeover** without providing a valid OTP. * * * ### [](#method-2-changing-error-response-to-success) **Method 2: Changing Error Response to Success** #### [](#steps-1) **Steps:** 1. Go to the **login page** and enter your phone number. 2. When prompted for an OTP, enter an **incorrect OTP**. 3. Capture the **server response**: Copy { "error": "Invalid OTP" } 4. Modify it to: Copy { "success": "true" } 5. Forward the response. 6. If the server accepts this modification, you gain access without entering a valid OTP. **Impact:** * **Authentication bypass leading to account takeover**. * * * ### [](#method-3-otp-verification-across-multiple-accounts) **Method 3: OTP Verification Across Multiple Accounts** #### [](#steps-2) **Steps:** 1. Register **two different accounts** with separate phone numbers. 2. **Enter the correct OTP** for one account and intercept the request. 3. Capture the server response and note **status:1** (success). 4. Now, attempt to verify the second account with an **incorrect OTP**. 5. Intercept the server response where the status is **status:0** (failure). 6. Change **status:0** to **status:1** and forward the response. 7. If successful, you bypass OTP authentication. **Impact:** * **Bypassing OTP verification for multiple accounts**. * * * [](#otp-bypass-using-form-resubmission-in-repeater) **OTP Bypass Using Form Resubmission in Repeater** ----------------------------------------------------------------------------------------------------------- #### [](#steps-3) **Steps:** 1. Register an account using a **non-existent phone number**. 2. Intercept the OTP request in **Burp Suite**. 3. Send the request to **Repeater** and forward it. 4. Modify the phone number in the request to **your real number**. 5. If the system **sends the OTP to your real number**, use it to register under the **fake number**. **Impact:** * **Unauthorized account registration using someone else's OTP**. * * * [](#bypassing-otp-with-no-rate-limiting) **Bypassing OTP with No Rate Limiting** ------------------------------------------------------------------------------------- ### [](#steps-4) **Steps:** 1. **Create an account** and request an OTP. 2. Enter an **incorrect OTP** and capture the request in Burp Suite. 3. Send the request to **Burp Intruder** and **set a payload on the OTP field**. 4. Set **payload type as numbers** (`000000` to `999999`). 5. Start the attack. 6. If **no rate limit** is enforced, the correct OTP will eventually match. **Impact:** * **Complete OTP bypass through brute force**. * * * [](#additional-otp-bypass-test-cases) **Additional OTP Bypass Test Cases** ------------------------------------------------------------------------------- ### [](#id-1.-default-otp-values) **1\. Default OTP Values** * Some applications use default OTP values such as: Copy 111111, 123456, 000000 * Test common default values to check for misconfigurations. ### [](#id-2.-otp-leakage-in-server-response) **2\. OTP Leakage in Server Response** * Some applications leak OTPs in API responses. * **Intercept OTP request responses** and check if OTP is present. ### [](#id-3.-checking-if-old-otp-is-still-valid) **3\. Checking if Old OTP is Still Valid** * Some systems allow the **reuse of old OTPs**. * Test if **previously used OTPs** are still accepted. * * * [](#rate-limiting-attack-on-otp-verification) **Rate Limiting Attack on OTP Verification** ----------------------------------------------------------------------------------------------- ### [](#steps-5) **Steps:** 1. **Navigate to the OTP verification endpoint**: Copy https://abc.target.com/verify/phoneno 2. Enter an **invalid OTP** (e.g., `000000`). 3. **Intercept the request** and send it to **Intruder**. 4. Set the **OTP field as the payload position**. 5. Use **payload type: numbers** and define a **range (000000 - 999999)**. 6. Start the attack. 7. Identify a **response length change**, which may indicate the correct OTP. **Impact:** * **Brute-force attack leading to OTP bypass and account takeover**. * * * [](#contributors) **Contributors** --------------------------------------- * [**@akshaykerkar13**](https://twitter.com/akshaykerkar13) * [**@Yn0tWhy**](https://twitter.com/Yn0tWhy) * [**@Virdoex\_hunter**](https://twitter.com/Virdoex_hunter) * [**@febinrev**](https://twitter.com/febinrev) * [**@fani\_malik**](https://twitter.com/fanimalikhack) * [**@v3daxt**](https://twitter.com/v3daxt) * [**@prakhar0x01**](https://twitter.com/prakhar0x01) * * * _Enhanced and reformatted for HowToHunt repository by_ [_remonsec_](https://x.com/remonsec) [Previous2FA Bypasses](/howtohunt/authentication-bypass/2fa_bypasses) [NextAccount Ban Bypass](/howtohunt/authentication-bypass/account_ban_bypass) Last updated 11 days ago --- # Drupal | HowToHunt Tips: Copy If you hunt on a Drupal website: fuzz with intruder on '/node/$' where '$' is a number (from 1 to 500 for example). You could find hidden pages (test, dev) which are not referenced by the search engines. * [adrien\_jeanneau](https://twitter.com/adrien_jeanneau/status/1273952564430725123?t=SUinUf09jxjRXu1yF9AQDg&s=19) [PreviousAEM](/howtohunt/cms/aem) [NextWordpress](/howtohunt/cms/wordpress) Last updated 7 months ago --- # Account Ban Bypass | HowToHunt Steps: Copy If you got ban from xyz.com try to see other domain like forms etc where you need the same account to login. you maybe able to login from forms.xyz.com and its a bypass I found it on a hackerone private program. [PreviousOTP Bypass](/howtohunt/authentication-bypass/otp_bypass) [NextBroken-Link Hijacking](/howtohunt/broken-link-hijacking/brokenlinkhijacking) Last updated 7 months ago --- # Account Takeover Methodology | HowToHunt ### [](#chaining-session-hijacking-with-xss) Chaining Session Hijacking with XSS Copy 1.I have added a session hijacking method in broken authentication and session management. 2.If you find that on target. 3.Try anyway to steal cookies on that target. 4.Here I am saying look for xss . 5.If you find xss you can steal the cookies of victim and using session hijacking you can takeover the account of victim. ### [](#no-rate-limit-on-login-with-weak-password-policy) No Rate Limit On Login With Weak Password Policy Copy So if you find that target have weak password policy, try to go for no rate limit attacks in poc shows by creating very weak password of your account. (May or may not be accepted) ### [](#password-reset-poisioning-leads-to-token-theft) Password Reset Poisioning Leads To Token Theft Copy 1.Go to password reset funtion. 2.Enter email and intercept the request. 3.Change host header to some other host i.e, Host:target.com Host:attacker.com also try to add some headers without changing host like X-Forwarded-Host: evil.com Referrer: https://evil.com 4.Forward this if you find that in next request attacker.com means you managed to successfully steal the token. :) ### [](#using-auth-bypass) Using Auth Bypass Copy Check out Auth Bypass method, there is a method for OTP bypass via response manipulation, this can leads to account takeovers. 1.Enter the wrong auth code / Password 2.Capture a auth request in burpsuite and send it to repeater 3.Check for the resoponse 4.Change the respone by manipulating the following parameters {“code”:”invalid_credentials”} -> {“code”:”valid_credentials”} {“verify”:”false”} -> {“verify”:”true”} ### [](#try-for-csrf-on) Try For CSRF On Copy 1.Change Password function. 2.Email change 3.Change Security Question ### [](#token-leaks-in-response) Token Leaks In Response * So there are multiple ways to do it but all are same. * So I will sharing my method that I have learnt here . * Endpoints:(Register,Forget Password) * Steps(For Registration): Copy 1. For registeration intercept the signup request that contains the data you have entered. 2. Click on action -> do -> intercept the response to this request. 3. Click forward. 4. Check response if that contains any link, any token or OTP. * * * * Steps (For password reset): Copy 1. Intercept the forget password option. 2. Click on action -> do -> intercept the response to this request. 3. Click forward. 4. Check response if that contains any link,any token or OTP. ### [](#reference) Reference: * Various Source From Google,Twitter,Medium * https://avanishpathak.medium.com/an-account-takeover-vulnerability-due-to-response-manipulation-e23fe629bd1 ### [](#author) Author * [@Virdoex\_hunter](https://twitter.com/Virdoex_hunter) * [@v3daxt](https://twitter.com/v3daxt) [PreviousReverse Engineer an API](/howtohunt/api-testing/reverse_engineer_an_api) [NextApplication Level DoS Methods](/howtohunt/application-level-dos/ald_methods) Last updated 2 years ago --- # CORS Bypasses | HowToHunt [](#cors-bypass) CORS Bypass --------------------------------- 1. `Origin:null` 2. `Origin:attacker.com` 3. `Origin:attacker.target.com` 4. `Origin:attackertarget.com` 5. `Origin:sub.attackertarget.com` 6. `Origin:attacker.com and then change the method Get to post/Post to Get` 7. `Origin:sub.attacker target.com` 8. `Origin:sub.attacker%target.com` 9. `Origin:attacker.com/target.com` ### [](#authors) Authors * [@tamimhasan404](https://twitter.com/tamimhasan404) [](#reference-tweets) Reference Tweets ------------------------------------------- [https://twitter.com/trbughunters/status/1287023673845612546](https://twitter.com/trbughunters/status/1287023673845612546) [https://twitter.com/Paresh\_parmar1/status/1265251507655630848](https://twitter.com/Paresh_parmar1/status/1265251507655630848) [https://twitter.com/Alra3ees/status/1141504347089584128](https://twitter.com/Alra3ees/status/1141504347089584128) [PreviousCORS](/howtohunt/cors/cors) [NextCSRF](/howtohunt/csrf/csrf) Last updated 4 years ago --- # CORS | HowToHunt [](#misconfigured-cors) Misconfigured CORS ----------------------------------------------- Here are few methods and steps you can do to check for misconfigure cors. * Hunting method 1(Single target): Copy Step->1. Capture the target website and spider or crawl all the website using burp. Step->2. Use burp search look for Access-Control Step->3. Try to add Origin Header i.e,Origin:attacker.com or Origin:null or Origin:attacker.target.com or Origin:target.attacker.com Step->4 If origin is reflected in response means the target is vuln to CORS * Hunting method 2(mutliple means including subdomains): Copy step 1-> find domains i.e subfinder -d target.com -o domains.txt step 2-> check alive ones : cat domains.txt | httpx | tee -a alive.txt step 3-> send each alive domain into burp i.e, cat alive.txt | parallel -j 10 curl --proxy "http://127.0.0.1:8080" -sk 2>/dev/null step 4-> Repeat hunting method 1 * Both above method are manual methods so lets check an automated way **Tools** * [https://github.com/chenjj/CORScanner](https://github.com/chenjj/CORScanner) * [https://github.com/lc/theftfuzzer](https://github.com/lc/theftfuzzer) * [https://github.com/s0md3v/Corsy](https://github.com/s0md3v/Corsy) * [https://github.com/Shivangx01b/CorsMe](https://github.com/Shivangx01b/CorsMe) [](#automate-way) Automate Way : ------------------------------------- Copy step1-> find domains i.e, subfinder -d domain.com -o target.txt step2-> grep alive: cat target.txt | httpx | tee -a alive.txt step3-> grep all urls using waybackurls by @tomnomnom and gau tool i.e,cat alive.txt | gau | tee -a urls.txt step4-> run any of these tools on each url step5-> configure the manually [](#another-method) Another Method --------------------------------------- ### [](#tools-you-will-need-for-this-method) Tools You Will Need for this method. * [https://github.com/tomnomnom/meg](https://github.com/tomnomnom/meg) * [https://github.com/tomnomnom/gf](https://github.com/tomnomnom/gf) * [https://github.com/projectdiscovery/subfinder](https://github.com/projectdiscovery/subfinder) * [https://github.com/tomnomnom/assetfinder](https://github.com/tomnomnom/assetfinder) * [https://github.com/Edu4rdSHL/findomain](https://github.com/Edu4rdSHL/findomain) * [https://github.com/projectdiscovery/httpx](https://github.com/projectdiscovery/httpx) ### [](#steps) Steps Copy 1) Find Domains with the help of subfinder,assetfinder,findomain i.e , subfinder -d target.com | tee -a hosts1 , findomain -t target.com | tee -a hosts1 , assetfinder --subs-only target.com |tee -a hosts1 . 2) Then cat hosts1 | sort -u | tee -a hosts2 and then cat hosts2 | httpx | tee -a hosts . 3) Navigate through terminal where hosts file is located echo "/" > paths 4) Then type meg -v 5) After the completion of process type gf cors. 6) All the urls with Access-Control-Allow will be displayed. [](#authors) Authors ------------------------- * [@Virdoex\_hunter](https://twitter.com/Virdoex_hunter) [PreviousMoodle](/howtohunt/cms/moodle) [NextCORS Bypasses](/howtohunt/cors/cors_bypasses) Last updated 4 years ago --- # Session Based Bugs | HowToHunt ### [](#old-session-does-not-expire-after-password-change) Old Session Does Not Expire After Password Change: * Steps: Copy 1.create An account On Your Target Site 2.Login Into Two Browser With Same Account(Chrome, FireFox.You Can Use Incognito Mode As well) 3.Change You Password In Chrome, On Seccessfull Password Change Referesh Your Logged in Account In FireFox/Incognito Mode. 4.If you'r still logged in Then This Is a Bug ### [](#session-hijacking-intended-behavior) Session Hijacking (Intended Behavior) * Steps: Copy 1.Create your account 2.Login your account 3.Use cookie editor extension in browser 4.Copy all the target cookies 5.Logout your account 6.Paste that cookies in cookie editor extension 7.Refresh page if you are logged in than this is a session hijacking `Impact:` If attacker get cookies of victim it will leads to account takeover. ### [](#password-reset-token-does-not-expire-insecure-configurability) Password reset token does not expire (Insecure Configurability) * Steps: Copy 1.Create your account on target Site. 2.request for a forget password token. 3.Don't use that link 4.Instead logged in with your old password and change your email to other. 5.Now use that password link sents to old email and check if you are able to change your password if yes than there is the litle bug. ### [](#server-security-misconfiguration-greater-than-lack-of-security-headers-greater-than-cache-control-fo) Server security misconfiguration -> Lack of security headers -> Cache control for a security page * Steps : Copy 1. Login to the application 2. Navigate around the pages 3. Logout 4. Press (Alt+left-arrow) buttons 5. If you are logged in or can view the pages navigated by the user. Then you found a bug. `Impact:` At a PC cafe, if a person was in a very important page with alot of details and logged out, then another person comes and clicks back (because he didnt close the browser) then data is exposed. User information leaked ### [](#broken-authentication-to-email-verification-bypass-p4) Broken Authentication To Email Verification Bypass (P4) : `category` : P4 >> Broken Authentication and Session Management >> Failure to Invalidate Session >> On Password Reset and/or Change * Steps To Reproduce: Copy 1)First You need to make a account & You will receive a Email verification link. 2)Application in my case give less Privileges & Features to access if not verified. 3)Logged into the Application & I change the email Address to Email B. 4)A Verification Link was Send & I verified that. 5) Now I again Changed the email back to Email I have entered at the time of account creation. 6) It showed me that my Email is Verified. 7) Hence , A Succesful Email verfication Bypassed as I haven't Verified the Link which was sent to me in the time of account creation still my email got verified. 8)Didn't Receive any code again for verification when I changed back my email & When I open the account it showed in my Profile that its Verified Email. `Impact` : Email Verfication was bypassed due to Broken Authentication Mechanism , Thus more Privileged account can be accessed by an attacker making website prone to Future Attacks. Happy Hacking:) ### [](#email-verification-bypass-p3-p4) Email Verification Bypass (P3/P4) * Steps : Copy 1)First You need to Create an account with Your Own Email Address. 2)After Creating An Account A Verification Link will be sent to your account. 3)Dont Use The Email Verification link. Change Your Email to Victim's Email. 4)Now Go in Your Email and Click on Your Own Email Verification Link. 5)if the Victim's Email Get Verified then This is a Bug. `Impact` : Email Verfication Bypass ### [](#old-password-reset-token-not-expiring-upon-requesting-new-one-sometimes-p4) Old Password Reset Token Not Expiring Upon Requesting New One (Sometimes P4) : * Steps : Copy 1)First You need to Create an account with a Valid Email Address. 2)After Creating An Account log out from your Account and Navigate on Forgot Password Page. 3)Request a Password Reset Link for your Account.A Verification Link will be sent to your account. 4)Without Using this Password Reset Link Request A New Password Reset Link. 5)Now go in Your email and Use 1st Password Reset Link Rather than Using 2nd One And Change Your Password. 6) If You Are Able to Change Your Password Than This Is a tiny Bug ;). * Note:- Some Companies Won't Accept it As Valid Issue. ### [](#password-reset-token-not-expiring-after-password-change-p4) Password Reset Token Not Expiring After Password Change (P4): * Steps : Copy 1)First You need to Create an account with a Valid Email Address. 2)After Creating An Account log out from your Account and Navigate on Forgot Password Page. 3)Request a Password Reset Link for your Account. 4)Use The Password Reset Link And Change The Password, After Changing the Password Login to Your Account. 5)Now Use The Old Password Reset Link To Change The Password Again. 6) If You Are Able to Change Your Password Again Than This Is a tiny Bug ;). ### [](#insufficient-account-process-validation-leads-to-account-takeover-p3-p4) Insufficient account process validation leads to account takeover (P3/P4): * Steps : Copy 1) Create an account on the website. 2) Go to profile section. And Change & update your details in the name parameter and before saving it Open Burp suite, turn the proxy on and then click on Save. 3) Now capture the request in Burp suite and send it to the Repeater tab. 4) Now log out from the website and go back to the Burp suite. 5) Now change the details email & name parameters and click on "Go" in the repeater tab. 6) Now you will be able to see 200 ok response from the web server. 7) Now, login into your account and go to the Profile section to confirm * Thanks For Reading Guys Happy Hunting :). ### [](#resources) Resources: Google,Youtube. [](#authors) Authors ------------------------- * [https://twitter.com/Virdoex\_hunter](https://twitter.com/Virdoex_hunter) * Linkedin : [@chirag\_Agrawal](https://www.linkedin.com/in/chirag-agrawal-770488144/) , Twitter : [@Raiders](https://twitter.com/ChiragA15977205) * Twitter : [Fani Malik](https://twitter.com/fanimalikhack) * Linkedin : [@suprit-pandurangi](https://www.linkedin.com/in/suprit-pandurangi-a90526106/) [PreviousBroken-Link Hijacking](/howtohunt/broken-link-hijacking/brokenlinkhijacking) [NextAEM](/howtohunt/cms/aem) Last updated 1 year ago --- # 2FA Bypasses | HowToHunt [](#introduction) **Introduction** --------------------------------------- Two-Factor Authentication (2FA) is a security mechanism designed to add an extra layer of protection by requiring users to provide an additional verification code after entering their credentials. However, improper implementations of 2FA can introduce various security flaws that allow attackers to bypass authentication. This document outlines **common 2FA bypass techniques**, including **response manipulation, brute-force attacks, backup code abuse, and session hijacking**. Each method is detailed with examples and exploitation steps. For a **visual reference**, a [**2FA Bypass Mindmap**](https://mm.tt/1736437018?t=SEeZOmvt01) provides an overview of different attack vectors. * * * [](#common-2fa-bypass-techniques) **Common 2FA Bypass Techniques** ----------------------------------------------------------------------- ### [](#index-of-techniques) **Index of Techniques** # **Technique** **1** Response Manipulation **2** Status Code Manipulation **3** 2FA Code Leakage in Response **4** JavaScript File Analysis **5** 2FA Code Reusability **6** Lack of Brute-Force Protection **7** Missing 2FA Code Integrity Validation **8** CSRF on 2FA Disabling **9** Password Reset Disables 2FA **10** Backup Code Abuse **11** Clickjacking on 2FA Disabling Page **12** Enabling 2FA Without Expiring Active Sessions **13** Bypass 2FA with `null` or `000000` * * * [](#id-1.-response-manipulation) **1\. Response Manipulation** ------------------------------------------------------------------- Some 2FA implementations return a JSON response indicating whether authentication was successful. **Altering the response** can bypass restrictions. ### [](#exploitation) **Exploitation** * Intercept the response using **Burp Suite** or **a browser's developer tools**. * Look for a response like: Copy { "success": false } * Change it to: Copy { "success": true } * If client-side validation is weak, access is granted. * * * [](#id-2.-status-code-manipulation) **2\. Status Code Manipulation** ------------------------------------------------------------------------- Some applications rely on HTTP status codes to determine authentication success. ### [](#exploitation-1) **Exploitation** * If a **4xx error** (e.g., `401 Unauthorized`) is received after entering a **wrong** 2FA code, modify the response to: Copy HTTP/1.1 200 OK * Some applications may grant access **even if authentication failed**. * * * [](#id-3.-2fa-code-leakage-in-api-responses) **3\. 2FA Code Leakage in API Responses** ------------------------------------------------------------------------------------------- Some applications accidentally **leak the 2FA code** in their API response. ### [](#exploitation-2) **Exploitation** * Intercept the **request triggering the 2FA code**. * Examine the API response. * If the response contains: Copy { "otp": "123456" } * The attacker can directly **use the leaked OTP**. * * * [](#id-4.-javascript-file-analysis) **4\. JavaScript File Analysis** ------------------------------------------------------------------------- Some applications store **2FA-related logic** in JavaScript files. ### [](#exploitation-3) **Exploitation** * Check for exposed `.js` files in the application. * Look for sensitive **hardcoded values** like: Copy var otp = "123456"; * Attackers can **extract OTP verification logic** or **static OTPs**. * * * [](#id-5.-2fa-code-reusability) **5\. 2FA Code Reusability** ----------------------------------------------------------------- Some applications **do not expire OTPs after use**, allowing attackers to **reuse** them. ### [](#exploitation-4) **Exploitation** * Obtain a **valid OTP** from a previous session. * Attempt to reuse the same OTP for authentication. * If the system does not enforce **one-time use**, the **old OTP grants access**. * * * [](#id-6.-lack-of-brute-force-protection) **6\. Lack of Brute-Force Protection** ------------------------------------------------------------------------------------- Applications that **do not limit OTP attempts** allow brute-forcing. ### [](#exploitation-5) **Exploitation** * Identify the **number of OTP digits** (commonly `4`\-`6`). * Use a tool like `Burp Intruder` to brute-force: Copy 000000 - 999999 * **Weak OTP validation** allows attackers to guess the correct OTP. * * * [](#id-7.-missing-2fa-code-integrity-validation) **7\. Missing 2FA Code Integrity Validation** --------------------------------------------------------------------------------------------------- Some systems accept **any valid OTP**, even from different accounts. ### [](#exploitation-6) **Exploitation** * Obtain a **valid OTP** for **Account A**. * Use the **same OTP** to authenticate **Account B**. * If the system **does not verify OTP ownership**, access is granted. * * * [](#id-8.-csrf-on-2fa-disabling) **8\. CSRF on 2FA Disabling** ------------------------------------------------------------------- Some applications **lack CSRF protection** when disabling 2FA. ### [](#exploitation-7) **Exploitation** * Construct a **malicious request** to disable 2FA: Copy
* Trick the victim into **clicking the form**, disabling their 2FA. * * * [](#id-9.-password-reset-disables-2fa) **9\. Password Reset Disables 2FA** ------------------------------------------------------------------------------- Some systems **disable 2FA** when a user resets their password. ### [](#exploitation-8) **Exploitation** * If an account has 2FA enabled, attempt a **password reset**. * Check if **2FA is still active** after resetting the password. * If **2FA is disabled**, log in **without 2FA authentication**. * * * [](#id-10.-backup-code-abuse) **10\. Backup Code Abuse** ------------------------------------------------------------- Backup codes provide **alternative login options** when OTP is unavailable. ### [](#exploitation-9) **Exploitation** * If backup codes are stored **insecurely**, they can be leaked or stolen. * Some applications **do not expire backup codes after use**, allowing repeated exploitation. * * * [](#id-11.-clickjacking-on-2fa-disabling-page) **11\. Clickjacking on 2FA Disabling Page** ----------------------------------------------------------------------------------------------- Some applications allow **2FA to be disabled** without additional verification. ### [](#exploitation-10) **Exploitation** * Load the **2FA disabling page** in an `