3186
Talk and help about bugbounty
Hi Guys I'm arab I learned sql injection I want tips To try hunter
Читать полностью…
*Open your Trading & Investment account with Angel One for FREE*
You will get:
✅ Delivery trades 🆓
✅ Intraday & FnO in Rs.20 💹
✅ Quick SIP in Direct MF ⚡
✅ 50K MTF @ 0% interest 💰
Download using my referral link to get Free Demat Account
⬇link may expire within 48hrs
https://angel-one.onelink.me/Wjgr/sdcecrru
Or use my Referral code 808077GHD
_T&C Apply_
Is CVE-2022-1471 is actually exploitable on affected version of jira software? If yes then how a attacker exploit it ?
Читать полностью…
This place is fast becoming a marketplace for scams. Anyone offering any service should first show their ability not just because it's Christmas, and scammers are just coming out of the woods. Admin please sanitize. There are over 3k subs here and a fertile hunting ground for these vile and despicable lot
Читать полностью…
I'm available for all instructional and hacking services.✅
This are my services
💠Social media/ Gmail Hacking
💠WhatsApp Account Spy/Bypass
💠pegasus and SS7 attack
💠Game hacking
💠Telegram chat Hacking/
💠Phone/ number Hacking/cloning
💠Website Database Hacking/ website clone
💠Computer/Laptop Hacking
💠Cloud Bitcoin Mining
💠Carding and selling Carded tools
Zero-click attack or one click tech/NSO group tools /CCs also available ❇️
⚠️📝 ⚠️Note: That all transactions are via Crypto📥
No free service ⛔️
🚀inbox 📲📨📩
Unknown body. Very aptly named thief. Always looking for money for drugs
Читать полностью…
You can see you are a gutter soul . See the words coming out your brain
Читать полностью…
https://dhacker.in/apt28-malware-attack-microsoft-outlook-mail-server/
Читать полностью…
Hi all I have a request :) write your opinion about the group, you can write to me in private messages or here.
What is interesting is whether you got help here important or useful information? Could you recommend the group to your bughunter friend ?
And also you are waiting for a poll below to participate.
(Link)
Methods to Bypass 2FA Mechanism
#bugbounty #2FA
1️⃣. 2-Factor Authentication Code Leakage in Response:
At 2-Factor Authentication Code Triggering request, such as Send OTP functionality, capture the request.
See the response of this request and analyze if the 2-Factor Authentication Code is leaked.
2️⃣. JS File Analysis:
While triggering the 2-Factor Authentication Code Request, Analyze all the JS Files that are referred to in response to see if any JS file contains information that can help bypass the 2FA code.
3️⃣. Lack of brute-Force Protection:
This involves all sorts of issues which comes under security misconfigurations such as lack of rate limit, no brute-force protection, etc.
Request a 2-Factor Authentication code and capture the request.
Repeat this request for 100–200 times and if there is no limitation set, that’s a rate limit issue.
At the 2-Factor Authentication Code Verification page, try to brute-force for valid 2-Factor Authentication and see if there is any success.
You can also try to initiate, requesting OTP at one side and brute-forcing at another side. At some point, the OTP will coincide and may give you a quick result.
4️⃣. Password Reset / Email Change — 2FA Disable:
Assuming that you are able to perform sophisticated phishing campaigns, force the end user to change the password.
2-Factor Authentication is disabled after the email is changed or the password is reset. This could be an issue for some organizations. However, it depends on a case-by-case basis.
5️⃣. Missing 2-Factor Authentication Code Integrity Validation:
Request a 2-Factor Authentication code from the attacker’s account.
Use this valid 2-Factor Authentication code in the victim 2FA Request and see if it bypasses the 2FA protection.
6️⃣. Direct Request:
Directly navigate to the page which comes after 2-Factor Authentication or any other authenticated page of the application and see if this bypasses the 2-Factor Authentication restrictions.
7️⃣. 2FA Refer Check Bypass:
Directly navigate to the page which comes after 2FA or any other authenticated page of the application.
If there is no success, change the refer header to the 2FA page URL. This may fool the application to pretend as if the request came after satisfying the 2FA condition.
8️⃣. Backup Code Abuse:
Apply the same techniques used on 2FA such as Response/Status Code Manipulation, brute force, etc. to bypass backup codes and disable/reset 2FA.
9️⃣. Enabling 2-Factor Authentication Doesn’t Expire Previous Session:
Log in to the application in two different browsers and enable 2FA from 1st session.
Use 2nd session and if it is not expired, it could be an issue if there is an insufficient session expiration issue. In this scenario, if an attacker hijacks an active session before 2-Factor Authentication, it is possible to carry out all functions without a need for 2-Factor Authentication.
🌚 @poxek
Hi, please i need some help or ideas, just stuck myself, have an ssrf, wich work both ways, as ssrf with get and as LFI with file:///. With get is not executable, so payload for shell didn’t work, is just showing the source code. What i can do ?(
Читать полностью…
but in case of /etc/passwd it shows me an empty document and error in console: "(index):135 Not allowed to load local resource: file:///etc/passwd"
Читать полностью…
If I understand correctly, the browser should not allow the file schema to be included
Читать полностью…
anyone here configure api keys in amass im getting trouble?
Читать полностью…
Check snyk or exploitdb,also via GitHub it's possible to find exploits
Читать полностью…
https://www.kitploit.com/2023/12/apidetector-efficiently-scan-for.html?m=1
Читать полностью…
If anybody need fake experience we provide from registered companies
Joining letter, relieving letter, pf, salary slip, background verification, company domain mail everything will be done
Hi anyone needs help in hack or cyber crime I can teach anyone if interested
Читать полностью…
I challenge you to a ctf or whatever hacking capacity you claim to have. Theeeeeiiiiiifff
Читать полностью…
Beware of this dude. I just tested him out and he's a thief. Deal with him at your own risk. He didn't take money from me but if i was gullible, he would have
Читать полностью…
Does anyone have a report on how to bypass the protection of this (Azure Front Door) ?
Читать полностью…
1️⃣0️⃣. Clickjacking on 2FA Disable Feature:
Try to iframe the page where the application allows a user to disable 2-Factor Authentication.
If the iframe attack vector is successful, try to perform a social engineering attack to manipulate the victim to fall into your trap.
1️⃣1️⃣. Response Manipulation:
Check the response of the 2FA Request.
If you observe “Success”: false, change this to “Success”: true and see if it bypasses the 2FA.
You can also use Burp “Match & Replace” rules for this.
1️⃣2️⃣. Status Code Manipulation:
If the Response Status Code is 4xx like 401, 402, etc.
Change the response Status Code to “200 OK” and see if it bypasses the 2FA.
1️⃣3️⃣. 2-Factor Authentication Code Reusability:
Request a 2FA code and use it.
Now, re-use the same 2FA code in another session and if it is authenticated successfully, that’s a potential issue.
Also, try requesting multiple 2FA codes, and see if previously requested codes expire or not when a new code is requested.
Also, try to re-use the previously used code after a long time duration i.e 1 day or more. If it is successful, that is an issue since 1 day is more than enough for a sophisticated hacker to either brute-force or crack a 6-digit 2FA Code.
1️⃣4️⃣. CSRF on 2FA Disable Feature:
Navigate to 2FA Page and click on “Disable 2FA” and capture this request with Burp Suite & generate a CSRF PoC.
Send this PoC to the victim, check if CSRF happens successfully and remove the 2FA from the victim's account.
Also, check if there is any authentication confirmation such as a password or 2FA code required before disabling 2FA.
🌚 @poxek
so then it is not the waf problem but browser?
because in case of error when file or document cannot be found it shows be in the frame error 404
hi everyone
I am trying to do lfi via stored xss and this script <script>document.write('<iframe src=file:///etc/passwd></iframe>');</script> but waf is blocking me
any idea how it can bypassed?
because the document is created but in console there is an error which saying that loading of local files is not allowed