avatarThexssrat

Summary

The provided content outlines a comprehensive beginner methodology for identifying common web vulnerabilities such as XSS, CSRF, SQL Injection, File Inclusion, IDOR, Security Misconfiguration, Sensitive Data Exposure, XXE Injection, Broken Authentication, Session Management issues, and SSRF.

Abstract

The article presents a systematic approach for novice bug bounty hunters to detect and exploit a range of security flaws within web applications. It categorizes vulnerabilities into distinct types, such as Cross-Site Scripting (XSS), which includes reflected, stored, and DOM-based variations. It also covers Cross-Site Request Forgery (CSRF), where the lack of CSRF tokens can lead to unauthorized actions. The methodology delves into SQL Injection techniques, including basic and blind SQL injection, and emphasizes the importance of testing for file inclusion vulnerabilities, both local and remote. The article further discusses Insecure Direct Object References (IDOR) and the risks associated with misconfigured security settings, such as directory listings and default credentials. It highlights the significance of identifying weak encryption, improperly protected credentials, and session tokens. Additionally, it touches on XML External Entity (XXE) Injection, Broken Authentication, and Session Management issues, including session hijacking and credential stuffing. Lastly, the article addresses Server-Side Request Forgery (SSRF) and the potential for internal network probing and exploitation of poorly secured HTTP clients.

Opinions

  • The article suggests that proper encoding and sanitization of user inputs are crucial for preventing XSS attacks.
  • It implies that rich-text fields and client-side scripts are common sources of XSS vulnerabilities.
  • The content indicates that forms and state-changing requests should incorporate CSRF tokens to mitigate CSRF attacks.
  • It emphasizes the need for systematic testing, such as using automated tools like SQLmap for detecting SQL Injection vulnerabilities.
  • The article conveys that file parameters should be rigorously tested to prevent Local and Remote File Inclusion vulnerabilities.
  • It suggests that incrementing numerical IDs or changing parameters can reveal IDOR vulnerabilities.
  • The content opines that directory listings should be disabled, and default credentials changed to prevent unauthorized access.
  • It advises checking for weak encryption methods and insecure data transmission practices.
  • The article recommends scrutinizing error messages for potential information leakage, particularly in the context of XXE Injection.
  • It highlights the importance of protecting cookies with Secure and HttpOnly flags and ensuring proper session invalidation.
  • The content suggests that applications should implement rate limiting to defend against credential stuffing.
  • It indicates that SSRF vulnerabilities can be exploited to probe internal networks and access sensitive resources through misconfigured HTTP clients.

A Very Basic Beginner Bug Bounty Methodology

Cross-Site Scripting (XSS)

Reflected XSS:

  • Look for parameters and user inputs that are reflected back in the page without proper encoding.
  • Use fuzzing with a list of XSS payloads to test how inputs are sanitized.

Stored XSS:

  • Test all inputs that could be stored and displayed to other users (comments, profiles, etc.).
  • Pay special attention to rich-text fields which may allow HTML content.

DOM-based XSS:

  • Investigate client-side scripts to identify points where user-supplied input may modify the DOM.
  • Use tools like browser development tools to track how JavaScript manipulates user input.

Cross-Site Request Forgery (CSRF)

Simple CSRF:

  • Check for forms and state-changing requests that do not have CSRF tokens or other anti-CSRF mechanisms.
  • Attempt to craft malicious requests that could be sent from an attacker-controlled site.

SQL Injection

Basic SQL Injection:

  • Input classic payloads like ‘ OR ‘1’=’1 to see if inputs are directly placed into SQL queries.
  • Observe error messages for hints about the database structure.

Blind SQL Injection:

  • Use time-based techniques to infer data, such as adding SLEEP(5) commands and seeing if the page response is delayed.
  • Employ automated tools like SQLmap for systematic testing.

File Inclusion Vulnerabilities

Local File Inclusion (LFI):

  • Test file parameters with local paths (../../etc/passwd) to read local files.
  • Look for scripts that include files based on user input without proper sanitization.

Remote File Inclusion (RFI):

  • Where input is used to construct file URLs, attempt to replace these with external URLs to your own server.

Insecure Direct Object References (IDOR)

IDOR:

  • Try changing parameters like user IDs in the URL or hidden fields to access data belonging to other users.
  • Test incrementing numerical IDs or substituting filenames to access unauthorized data.

Security Misconfiguration

Directory Listing:

  • Check if directory listing is enabled by accessing directories directly.
  • Look for backup files or directories that are not meant to be public.

Unprotected Files and Directories:

  • Enumerate common directory and file names to discover unprotected resources.

Default Credentials:

  • Try logging in with default username/password combinations for common software.

Sensitive Data Exposure

Weak Encryption:

  • Look for data transmission over HTTP or weak encryption methods.
  • Check password reset functionalities and how they handle user information.

Improperly Protected Credentials and Session Tokens:

  • Check for hard-coded credentials in client-side code.
  • Test for session tokens that don’t expire or aren’t properly protected with secure flags.

XML External Entity (XXE) Injection

Basic XXE:

  • Where applications parse XML, try to introduce DOCTYPE elements that define external entities containing file URIs.
  • Test error messages for information leakage that might confirm the XXE.

Broken Authentication and Session Management

Session Hijacking:

  • Look for cookies that are not protected with Secure and HttpOnly flags.
  • Test session invalidation during logout and password change operations.

Credential Stuffing:

  • Where rate limiting is not in place, check how the application handles automated login attempts with known email/password combinations.

Server-Side Request Forgery (SSRF)

Basic Internal Network Probing:

  • Use payloads that call back to your server (http://yourserver.com) to see if the application fetches external resources.
  • Attempt to access internal IP addresses (http://127.0.0.1, http://192.168.x.x) through the vulnerable application.

Exploitation of Poorly Secured HTTP Clients:

  • Test different schema like file://, dict://, ftp:// to access local resources or make unexpected protocol requests.
Bug Bounty
Ethical Hacking
Hacking
Recommended from ReadMedium