VIDEO-1
1. While creating an account, put an HTML email injection payload, evil.com, in the name field. Try a one-digit password; if it isn't accepted, enter the full password, intercept that request and try to change the password to one digit in the request.
2. If that isn't allowed either, enter the full password, capture the request and check its response; if the response contains a JWT, inspect it on jwt.io.
3. Check whether it allows login without email verification; if it does, make a note of it.
4. Open the Storage section of the browser's inspector, look in Session Storage and Local Storage for a JWT, then go to the Cookies section and start deleting the cookies one by one: the one whose deletion logs you out is the session cookie, and if it lacks the HttpOnly or Secure flag that's the bug known as a missing HttpOnly/Secure flag on the session cookie.
5. See if the website runs on HTTP.
6. Click Forgot Password, intercept the request and change the Host header to evil.com; if it says Forbidden, add X-Forwarded-Host: bing.com instead.
7. Check the SPF and DMARC lookup on MXToolbox; use this video to spoof email:
https://youtu.be/lR_Ck3-_AGQ?si=rvzcKSeJnZexr1SX
8. Click Forgot Password, get the reset link from the email, copy it, paste it into a browser and check whether it is HTTP; if it is, it's a weak password reset implementation.
9. Give a single-digit password in reset password and try to make it single digit in Burp; if that doesn't work, give a normal full-length password. If any social media icons are showing on that page, click one and intercept the request in Burp Suite: your reset token should not be leaked in that request's Referer, and if it is, it's known as token leakage via third-party Referer.
10. Check whether the reset password link can be reused.
11. He is putting this ' after any id parameter to look for any kind of errors; I have zero clue about that.
12. Check for clickjacking (ask ChatGPT how to do it).
13. Log in to the same account in two different browsers and change the password in one; see whether the other browser's session gets logged out or not. If it doesn't, that's a bug, but verify before reporting by changing the name or anything else from the other browser, since it may have been logged out on the backend.
14. Then open two tabs of the same account in one browser, log out from one tab and try changing anything from the other tab; if the change goes through, it's a bug, and if it doesn't, it's not.
15. Check the upload functionality.
16. Try putting bing.com or {{7*7}} in the first name.
17. Then go back to the login page, put in the email and password, capture the request and send it to Intruder; run a series of wrong passwords until your account gets locked, then try to access your account using a VPN.
18. Check for CSRF.
------------------------------------------
VIDEO-2
------------------------------
19. Use MagicRecon, dude; it needs some information in its configuration file too.
20. Can you buy something without logging in? If you can, try to buy something from the victim's account.
21. The CloudFlair tool sometimes gives you the origin IP of a particular target; for instance, when it's behind the Cloudflare WAF it sometimes still finds it, which is why it's an interesting tool.
22. If the website has the functionality to change the email, generate a forgot-password link from the old email, then change the email, then try the old forgot-password link; you can even try deleting the token if that link contains one.
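Added example, not from the notes: a minimal Python model of the server-side state that closes steps 10, 13, 14 and 22 (sessions bound to a credential version that a password change bumps, server-side logout, and single-use reset tokens bound to the email at issue time). Class and method names are assumptions, not any real framework's API.

```python
import hashlib, secrets
from typing import Dict, Optional

class AccountSecurity:
    """Added example, not a real framework API: sessions and reset tokens tied to account state."""
    def __init__(self, reset_ttl: int = 900):
        self.reset_ttl = reset_ttl
        self.users: Dict[str, dict] = {}     # user_id -> {"email", "cred_version"}
        self.sessions: Dict[str, dict] = {}  # session_id -> {"user", "cred_version"}
        self.resets: Dict[str, dict] = {}    # sha256(token) -> {"user", "email", "exp"}

    def add_user(self, user_id: str, email: str) -> None:
        self.users[user_id] = {"email": email, "cred_version": 0}
    def login(self, user_id: str) -> str:
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": user_id, "cred_version": self.users[user_id]["cred_version"]}
        return sid

    def logout(self, sid: str) -> None:
        self.sessions.pop(sid, None)        # removed server-side, so other tabs lose it too
    def session_user(self, sid: str) -> Optional[str]:
        s = self.sessions.get(sid)
        if s is None or s["cred_version"] != self.users[s["user"]]["cred_version"]:
            return None                     # logged out, or password changed since issue
        return s["user"]

    def change_password(self, user_id: str, keep_sid: Optional[str] = None) -> None:
        self.users[user_id]["cred_version"] += 1   # every other session is now stale
        if keep_sid in self.sessions:
            self.sessions[keep_sid]["cred_version"] = self.users[user_id]["cred_version"]
        self._revoke_resets(user_id)

    def change_email(self, user_id: str, new_email: str) -> None:
        self.users[user_id]["email"] = new_email
        self._revoke_resets(user_id)        # reset links issued to the old email die here
    def _revoke_resets(self, user_id: str) -> None:
        self.resets = {k: v for k, v in self.resets.items() if v["user"] != user_id}
    def issue_reset(self, user_id: str, now: float) -> str:
        self._revoke_resets(user_id)        # at most one live reset link per user
        token = secrets.token_urlsafe(32)
        self.resets[hashlib.sha256(token.encode()).hexdigest()] = {
            "user": user_id, "email": self.users[user_id]["email"], "exp": now + self.reset_ttl}
        return token

    def consume_reset(self, token: str, now: float) -> Optional[str]:
        rec = self.resets.pop(hashlib.sha256(token.encode()).hexdigest(), None)  # single use
        if rec is None or now > rec["exp"] or rec["email"] != self.users[rec["user"]]["email"]:
            return None
        return rec["user"]
```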
23. Learn how to use sqlmap and ghauri.
24. One more way of testing: while you're exploring the website, just keep HTTP history active; it will give you a lot of requests to go through, and you can use them according to your interests.
25. Try putting https://evil.com after any parameter; if it works, try to escalate it with ChatGPT's help.
----------------------------
Video - 4
------------------------------
26. Report MTA-STS
Bug Description:
"Upon examining the DNS (Domain Name System) records for the domain
walletconnect.com, it has come to my attention that the MTA-STS record is missing.
The MTA-STS mechanism is designed to enforce secure email communication by
requiring the use of TLS (Transport Layer Security) encryption. However, in this
case, the absence of the MTA-STS record exposes the email infrastructure to
potential security vulnerabilities."
Impact:
"The absence of an MTA-STS record leaves the email infrastructure vulnerable to
various security risks such as downgrade attacks, man-in-the-middle attacks, and
interception of sensitive email content. Without the MTA-STS mechanism in place,
email communications may be transmitted over unencrypted channels, compromising the
confidentiality and integrity of the data.
Vulnerability and its potential impact on HUMANS: The MTA-STS DNS RECORD MISSING
vulnerability involves the absence of a DNS record for an enforced MTA-STS policy.
The potential impact of this vulnerability is that attackers can perform an email
downgrade attack. This means that the attacker can force the email to be sent
unencrypted, which could potentially expose sensitive information to eavesdropping.
It's important to note that the impact on humans can be significant, as sensitive
information transmitted via email could be compromised. Therefore, it’s crucial to
ensure that the MTA-STS policy is properly implemented and that MTA-STS records are
in place."
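Added example (not part of the notes or the report template above): an offline Python checker for an MTA-STS TXT record and policy file, the kind of check a domain owner would run to confirm the record exists and is in enforce mode before anyone else reports it. Inputs are constructed; a live check would resolve the `_mta-sts` TXT record and fetch https://mta-sts.<domain>/.well-known/mta-sts.txt.

```python
from typing import Dict, List, Tuple

def parse_sts_record(txt: str) -> Dict[str, str]:
    """Parse the _mta-sts TXT record, e.g. 'v=STSv1; id=20240101000000Z;'."""
    fields = {}
    for part in txt.split(";"):
        k, sep, v = part.strip().partition("=")
        if sep:
            fields[k.strip()] = v.strip()
    return fields

def parse_policy(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Parse the mta-sts.txt body into (key/value fields, list of mx patterns)."""
    fields, mx = {}, []
    for line in text.splitlines():
        k, sep, v = line.partition(":")
        if not sep:
            continue
        if k.strip() == "mx":
            mx.append(v.strip())
        else:
            fields[k.strip()] = v.strip()
    return fields, mx

def audit_mta_sts(record: str, policy: str) -> List[str]:
    """Return findings; an empty list means an enforced, well-formed deployment."""
    findings = []
    rec = parse_sts_record(record)
    if rec.get("v") != "STSv1":
        findings.append("no valid _mta-sts TXT record (v=STSv1 missing)")  # the condition in step 26
    elif not rec.get("id"):
        findings.append("record has no id, so senders cannot tell when the policy changed")
    fields, mx = parse_policy(policy)
    if fields.get("version") != "STSv1":
        findings.append("policy version is not STSv1")
    if fields.get("mode") != "enforce":
        findings.append("mode is %r; sending MTAs only refuse cleartext delivery in enforce mode" % fields.get("mode"))
    if not mx:
        findings.append("policy lists no mx hosts")
    if not fields.get("max_age", "").isdigit() or int(fields["max_age"]) < 86400:
        findings.append("max_age missing, non-numeric, or under one day")
    return findings

# Constructed inputs, not real lookups for any domain.
GOOD_RECORD = "v=STSv1; id=20240101000000Z;"
GOOD_POLICY = "version: STSv1\nmode: enforce\nmx: mail.example.com\nmx: *.example.com\nmax_age: 604800\n"
TESTING_POLICY = "version: STSv1\nmode: testing\nmx: mail.example.com\nmax_age: 3600\n"
```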
27. If the name field doesn't accept {{7*7}}, encode it and try again. If it's taken as plain text it's of no use to us, but if it gets executed it's a bug.
28. Go to the login page, click the submit button and capture the request in Burp; now we're going to try to bypass the reCAPTCHA. There are three mutations for bypassing reCAPTCHA, and we test them all one by one:
- delete the value of the recaptcha token parameter, so "recaptchaToken":"token" becomes "recaptchaToken":""
- delete the reCAPTCHA token along with its parameter.
- delete some values in the reCAPTCHA token and put null values in it
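Added example (not from the notes): a fail-closed server-side token check in Python showing why each of the three mutations above should be rejected before any verification call is made. `verify_with_provider` and `fake_verifier` are hypothetical stand-ins for the real siteverify request, and the token regex is an assumed shape.

```python
import re
from typing import Any, Callable, Dict, Tuple

# Assumed token shape (adjust to the provider's real format): base64url-ish, 20+ chars.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_\-]{20,}$")

def check_captcha(body: Dict[str, Any],
                  verify_with_provider: Callable[[str], bool],
                  field: str = "recaptchaToken") -> Tuple[bool, str]:
    """Return (accepted, reason); anything but a verified string token is rejected."""
    if field not in body:
        return False, "captcha token parameter missing"        # parameter deleted entirely
    token = body[field]
    if token is None:
        return False, "captcha token is null"                  # JSON null substituted
    if not isinstance(token, str) or token == "":
        return False, "captcha token empty or wrong type"      # value emptied
    if not TOKEN_RE.fullmatch(token):
        return False, "captcha token malformed"
    try:
        ok = verify_with_provider(token)
    except Exception:
        return False, "captcha verification unavailable"       # fail closed, never open
    return (True, "ok") if ok is True else (False, "captcha verification failed")

def fake_verifier(token: str) -> bool:
    """Hypothetical stand-in for the provider's siteverify call: accepts one constructed token."""
    return token == "03AFcWeA_constructed_good_token_value"

def login_with_captcha(body: Dict[str, Any]) -> Tuple[bool, str]:
    """What a login handler should do first, before it even looks at email/password."""
    return check_captcha(body, fake_verifier)
```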