Pentest Book
Search…
/home/six2dez/.pentest-book
Contribute/Donate
Recon
Public info gathering
Root domains
Subdomain Enum
Webs recon
Network Scanning
Host Scanning
Packet Scanning
Enumeration
Files
SSL/TLS
Ports
Web Attacks
Web Technologies
Cloud
Exploitation
Payloads
Reverse Shells
File transfer
Post Exploitation
Linux
Pivoting
Windows
Mobile
General
Android
iOS
Others
Burp Suite
Password cracking
VirtualBox
Code review
Pentesting Web checklist
Internal Pentest
Web fuzzers review
Recon suites review
Subdomain tools review
Random
Master assessment mindmaps
BugBounty
Exploiting
tools everywhere
Powered By GitBook
BugBounty

Good PoC

Issue type
PoC
Cross-site scripting
​alert(document.domain) or setInterval`alert\x28document.domain\x29` if you have to use backticks. [1] Using document.domain instead of alert(1) can help avoid reporting XSS bugs in sandbox domains.
Command execution
Depends of program rules:
  • Read (Linux-based): cat /proc/1/maps
  • Write (Linux-based): touch /root/your_username
  • Execute (Linux-based): id
Code execution
This involves the manipulation of a web app such that server-side code (e.g. PHP) is executed.
  • PHP: <?php echo 7*7; ?>
SQL injection
Zero impact
  • MySQL and MSSQL: SELECT @@version
  • Oracle: SELECT version FROM v$instance;
  • Postgres SQL: SELECT version()
Unvalidated redirect
  • Set the redirect endpoint to a known safe domain (e.g. google.com), or if looking to demonstrate potential impact, to your own website with an example login screen resembling the target's.
  • If the target uses OAuth, you can try to leak the OAuth token to your server to maximise impact.
Information exposure
Investigate only with the IDs of your own test accounts — do not leverage the issue against other users' data — and describe your full reproduction process in the report.
Cross-site request forgery
When designing a real-world example, either hide the form (style="display:none;") and make it submit automatically, or design it so that it resembles a component from the target's page.
Server-side request forgery
The impact of a SSRF bug will vary — a non-exhaustive list of proof of concepts includes:
  • reading local files
  • obtaining cloud instance metadata
  • making requests to internal services (e.g. Redis)
  • accessing firewalled databases
Local file read
Make sure to only retrieve a harmless file. Check the program security policy as a specific file may be designated for testing.
XML external entity processing
Output random harmless data.
Sub-domain takeover
Claim the sub-domain discreetly and serve a harmless file on a hidden page. Do not serve content on the index page.

Good Report

1
# Writeups
2
# https://github.com/devanshbatham/Awesome-Bugbounty-Writeups
Copied!
1
# Bug bounty Report
2
​
3
# Summary
4
...
5
​
6
# Vulnerability details
7
...
8
​
9
# Impact
10
...
11
​
12
# Proof of concept
13
...
14
​
15
# Browsers verified in
16
...
17
​
18
# Mitigation
19
...
Copied!
Others - Previous
Master assessment mindmaps
Next - Others
Exploiting
Last modified 9mo ago
Export as PDF
Copy link
Edit on GitHub
Contents
Good PoC
Good Report