Skip to content

Latest commit

 

History

History
135 lines (124 loc) · 4.34 KB

bugbounty.md

File metadata and controls

135 lines (124 loc) · 4.34 KB
Raw

BugBounty

Good PoC

Issue type PoC
Cross-site scripting alert(document.domain) or setInterval`alert\x28document.domain\x29` if you have to use backticks. [1] Using document.domain instead of alert(1) can help avoid reporting XSS bugs in sandbox domains.
Command execution

Depends of program rules:

  • Read (Linux-based): cat /proc/1/maps
  • Write (Linux-based): touch /root/your_username
  • Execute (Linux-based): id
Code execution

This involves the manipulation of a web app such that server-side code (e.g. PHP) is executed.

  • PHP: <?php echo 7*7; ?>
SQL injection

Zero impact

  • MySQL and MSSQL: SELECT @@version
  • Oracle: SELECT version FROM v$instance;
  • Postgres SQL: SELECT version()
Unvalidated redirect
  • Set the redirect endpoint to a known safe domain (e.g. google.com), or if looking to demonstrate potential impact, to your own website with an example login screen resembling the target's.
  • If the target uses OAuth, you can try to leak the OAuth token to your server to maximise impact.
Information exposure Investigate only with the IDs of your own test accounts — do not leverage the issue against other users' data — and describe your full reproduction process in the report.
Cross-site request forgery When designing a real-world example, either hide the form (style="display:none;") and make it submit automatically, or design it so that it resembles a component from the target's page.
Server-side request forgery

The impact of a SSRF bug will vary — a non-exhaustive list of proof of concepts includes:

  • reading local files
  • obtaining cloud instance metadata
  • making requests to internal services (e.g. Redis)
  • accessing firewalled databases
Local file read Make sure to only retrieve a harmless file. Check the program security policy as a specific file may be designated for testing.
XML external entity processing Output random harmless data.
Sub-domain takeover Claim the sub-domain discreetly and serve a harmless file on a hidden page. Do not serve content on the index page.

Good Report

# Bug bounty Report

# Summary
...

# Vulnerability details
...

# Impact
...

# Proof of concept
...

# Browsers verified in
...

# Mitigation
...