Discover and read the best of Twitter Threads about #SSRF

Most recent (10)

A lesser-known yet effective way of #bugbounty hunting is called "hacktivity" hunting. It involves bypassing fixes on disclosed reports found on @Hacker0x01's hacktivity page. This approach helped me score a $5k bounty! Here's how it works.👇

#InfoSec #CyberSecurity
With hacktivity hunting, the hard part - finding interesting behavior or insecure features - is already done for you. Your main role is to find a bypass.

For example, I found a bypass for a report on hackerone.com/reports/949643

#BugBountyTips
The original report tried to restrict access to /admin by restricting the path in Nginx. However, I bypassed it using simple encoding - /%2561dmin. Endpoints required authentication, but I bypassed this by adding ".json" at the end.

#BugBounty #Hacking
Read 8 tweets
The following 5 workshops simulate multiple security events. Brought to you by the AWS Customer Incident Response Team (CIRT) 👇
1/ During the Unauthorized IAM Credential Use - Simulation and Detection workshop, you will simulate the unauthorized use of IAM credentials by using a script invoked within #AWSCloudShell ⏩ go.aws/3XU6zG7
2/ At the Ransomware on S3 – Security Event Simulation and Detection workshop, you will use an AWS CloudFormation template to replicate an environment with multiple IAM users and five #AmazonS3 buckets ⏩ go.aws/3HdX8Ky
Read 6 tweets
Server Side Request Forgery (SSRF)
#bugbounty #infosec

🧵: (1/n) ⬇⬇⬇
🏹 Use Different Encoding Schemes of https://127.0.0.1

➡ Hex Encoding https://0x7f.0x0.0x0.0x1
➡ Octal Encoding https://0177.0.0.01
➡ Dword Encoding https://2130706433
➡ URL Encoding https://%6c%6f%63%61%6c%68%6f%73%74
➡ Mixed Encoding https://0177.0.0.0x1

🧵: (2/n) :👇
🏹 Use The Whole IP Range For Testing SSRF (198.0.0.1-255) #bugbounty
. . .
🏹 Obfuscate Strings In URL Encoding or Case Transformation (Blocked Words Bypass)

🏹 Use Registered Domain Names That Resolve To 127.0.0.1

🏹 Embed Credentials: https://attacker@victim.com

🧵: (3/n) :👇
Read 6 tweets
Bug Testing Methodology Series:

𝐒𝐒𝐑𝐅 (𝐒𝐞𝐫𝐯𝐞𝐫 𝐒𝐢𝐝𝐞 𝐑𝐞𝐪𝐮𝐞𝐬𝐭 𝐅𝐨𝐫𝐠𝐞𝐫𝐲)

Learn how to test for #SSRF step by step on real #bugbounty programs

Thread🧵👇

#cybersecurity #cybersecuritytips #infosec #hacking #bugbountytips #infosecurity
Before we start, this thread won't teach how SSRF works, but rather a methodology to follow while actively testing for it.

To learn about how SSRF attacks work, have a read here ➡️ portswigger.net/web-security/s…
1️⃣ Finding an attack vector

This step simply implies using the web app THOROUGHLY and finding a place where you input a URL and the server fetches it.

Ex: profile pic from URL, URL Redirects, etc.

The best tip I can give you for this step is: CLICK EVERY SINGLE BUTTON YOU SEE
Read 9 tweets
Akamai WAF bypass: read internal files via SSRF

1. target[.]com/download?url=file:///etc/passwd (blocked by Akamai WAF)

#bugbountytips #bugbounty #ssrf #wafbypass #hacking
2. target[.]com discloses an internal IP in the response header, e.g. X-Server: 10.136.166.91
3. Now target[.]com/download?url=http://10.136.166.91 (weird 403)
Read 7 tweets
SSRF Story | Scan The Network

1. Found SSRF and got cloud metadata.
2. The common high-risk finding with disclosed cloud metadata is security credentials, but none were found at this point :(
3. Found the instance's public IP in latest/meta-data/public-ipv4; accessed the IP and got a 404 response.
4. Nmapped the IP; nmap identified the server as located at the Vultr cloud provider, with open ports 22, 53, 80 and 443.
5. Tried to get more exposure via the SSRF by scanning all ports.
6. Amazed: found some firewalled ports; port 8080 was running the Traefik application.
7. Found the Traefik API documentation and tried to reach every single endpoint, but still got 404 responses (?), until the version endpoint identified the running version as v1.7.4, which is why the API differed from the latest API doc.
Read 6 tweets
#bugbountytips #learn #learn365 #SSRF

Let's learn SSRF in a Thread 🧵

Here are my notes on SSRF (just basics) ->
SSRF → Server Side Request Forgery Attack

In this attack, the vulnerable server accepts the user's request without filtering, thus trusting the user's input, and gives the response back to the user.
The attacker forges the request in such a way that the server accepts it, thinking it legitimate, and returns the response the attacker wants.

Actually, these days a server is surrounded by many technologies, like → internal network, WAF, databases, etc.
Read 22 tweets
#SSRF is a super popular vulnerability that is leveraged extensively by bad actors. Let's look at SSRF defense in this 🧵 1/
Let's start with the basics. SSRF happens because your app makes requests to other URLs based on user-generated data. If your app doesn't need to redirect/request random URLs (functionality), ensure that you have a tight allowlist. Only redirect to URLs in the allowlist 2/
But if your app needs to redirect to a larger (purely user-defined) set of URLs, then things may get a little more complex. Now you need to validate inputs like a mf'er. Parse and Break down URLs by scheme, domain, etc. Validate each one as required 3/
Read 10 tweets
#Secret2
Bug Bounty with One-Line Bash Scripts💵😎

You can mention your favorite script. I will add them to this thread.
#BugBounty #BugBountyTip
#100BugBountySecrets
🧵👇🏻
1/ #Secret2

🎯 Hunt #XSS:
👉🏻 cat targets.txt | anew | httpx -silent -threads 500 | xargs -I@ dalfox url @
👉🏻 cat targets.txt | getJS | httpx --match-regex "addEventListener\((?:'|\")message(?:'|\")"

#BugBounty #BugBountyTip
#100BugBountySecrets
🧵👇🏻
2/ #Secret2

🎯 Hunt #SQLi:
👉🏻 httpx -l targets.txt -silent -threads 1000 | xargs -I@ sh -c 'findomain -t @ -q | httpx -silent | anew | waybackurls | gf sqli >> sqli ; sqlmap -m sqli --batch --random-agent --level 1'

#BugBounty #BugBountyTip
#100BugBountySecrets
🧵👇🏻
Read 13 tweets
We are just starting our session @hasgeek. @abh1sek talking about data breaches and how they happen.

hasgeek.com/rootconf/data-…

Join the live stream on the webpage.

#datasecurity
Thank you @hasgeek for giving us this amazing platform to talk about what we love most #datasecurity #appsec
#cloudsecurity
Agenda for the session
Read 29 tweets