Pentest Book

BugBounty

Last updated 2 months ago
https://github.com/bugcrowd/templates

Good PoC

Issue type: Cross-site scripting
PoC: alert(document.domain) or setInterval`alert\x28document.domain\x29` if you have to use backticks. Using document.domain instead of alert(1) can help avoid reporting XSS bugs in sandbox domains.

Issue type: Command execution
PoC: Depends on program rules:

  • Read (Linux-based): cat /proc/1/maps

  • Write (Linux-based): touch /root/your_username

  • Execute (Linux-based): id

Issue type: Code execution
PoC: This involves the manipulation of a web app such that server-side code (e.g. PHP) is executed.

  • PHP: <?php echo 7*7; ?>

Issue type: SQL injection
PoC: Zero impact:

  • MySQL and MSSQL: SELECT @@version

  • Oracle: SELECT version FROM v$instance;

  • PostgreSQL: SELECT version()

Issue type: Unvalidated redirect
PoC:

  • Set the redirect endpoint to a known safe domain (e.g. google.com), or if looking to demonstrate potential impact, to your own website with an example login screen resembling the target's.

  • If the target uses OAuth, you can try to leak the OAuth token to your server to maximise impact.

Issue type: Information exposure
PoC: Investigate only with the IDs of your own test accounts — do not leverage the issue against other users' data — and describe your full reproduction process in the report.

Issue type: Cross-site request forgery
PoC: When designing a real-world example, either hide the form (style="display:none;") and make it submit automatically, or design it so that it resembles a component from the target's page.

Issue type: Server-side request forgery
PoC: The impact of an SSRF bug will vary — a non-exhaustive list of proof of concepts includes:

  • reading local files

  • obtaining cloud instance metadata

  • making requests to internal services (e.g. Redis)

  • accessing firewalled databases

Issue type: Local file read
PoC: Make sure to only retrieve a harmless file. Check the program security policy, as a specific file may be designated for testing.

Issue type: XML external entity processing
PoC: Output random harmless data.

Issue type: Sub-domain takeover
PoC: Claim the sub-domain discreetly and serve a harmless file on a hidden page. Do not serve content on the index page.

Good Report

# Writeups
# https://github.com/devanshbatham/Awesome-Bugbounty-Writeups
# Bug bounty Report

# Summary
...

# Vulnerability details
...

# Impact
...

# Proof of concept
...

# Browsers verified in
...

# Mitigation
...

Report flow
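The XSS PoC advice above (alert(document.domain) rather than alert(1)) is there so the reporter and the triager can tell which origin the script actually ran on. The following is an added triage helper, not code from the Pentest Book or from bugcrowd/templates: it takes the domain an alert(document.domain) PoC displayed and classifies it against a program scope and a list of known sandbox domains (both lists below are constructed sample data; the wildcard convention "*.example.com" is an assumption, not a bugcrowd format).

```javascript
// Added example: classify the origin shown by alert(document.domain) so that an
// XSS landing on a user-content sandbox is not filed as a bug on the main site.
// PROGRAM_SCOPE and SANDBOX_DOMAINS are constructed sample data for this example.
const PROGRAM_SCOPE = ["example.com", "*.example.com"];
const SANDBOX_DOMAINS = ["usercontent.example.com", "*.sandbox.example.com"];

// "*.foo.com" matches any host strictly below foo.com; anything else is an
// exact match. Scope patterns are assumed to use this convention.
function hostMatches(host, pattern) {
  if (pattern.startsWith("*.")) {
    const suffix = pattern.slice(1); // ".foo.com"
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return host === pattern;
}

// Returns "invalid", "sandbox", "in-scope" or "out-of-scope". Sandboxes are
// checked first because a sandbox host usually also matches a wildcard scope
// entry, which is exactly the false positive the page warns about.
function classifyXssOrigin(reportedDomain, scope = PROGRAM_SCOPE, sandboxes = SANDBOX_DOMAINS) {
  const host = String(reportedDomain).trim().toLowerCase().replace(/\.$/, "");
  if (!/^[a-z0-9.-]+$/.test(host)) return "invalid"; // not a hostname at all
  if (sandboxes.some((p) => hostMatches(host, p))) return "sandbox";
  if (scope.some((p) => hostMatches(host, p))) return "in-scope";
  return "out-of-scope";
}

// Wraps the verdict in a small triage record; only in-scope origins are reportable.
function triage(alertText) {
  const verdict = classifyXssOrigin(alertText);
  return { domain: alertText, verdict, reportable: verdict === "in-scope" };
}

// Constructed sample alert texts, as a PoC might have displayed them.
for (const shown of ["www.example.com", "usercontent.example.com", "1"]) {
  console.log(triage(shown));
}
```

An alert(1) PoC yields the text "1", which the helper can only mark out-of-scope, which is the practical reason the page prefers document.domain.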