Bug Bounty Hunting for Client-Side Injection Vulnerabilities | Part I

90% of the questions I get are about Cross-Site Scripting (XSS) and other Client-Side Injection attacks, so I decided to make a nearly 5-hour video doing my best to explain how to hunt for Client-Side Injection attacks in real-world applications.

00:00 - Why I'm Making This Video
01:50 - Quick Review of Object Oriented Programming (OOP)
04:02 - The Document Object Model (DOM)
08:11 - Three Strategies for Hunting for Client-Side Injections
09:03 - Strategy 1: Reflected Input in Unauthenticated Routes (Hidden Subdomains)
12:00 - Strategy 2: Reflected Input in Authenticated Routes (Hidden Endpoints)
12:48 - Strategy 3: DOM Injection in Custom JavaScript Files & NPM Packages
16:22 - How Compensating Controls Affect Client-Side Injections
18:14 - Cookie Flags (httpOnly, secure, domain scoping, etc.)
20:28 - Browser Security Headers
21:00 - Content Security Policy (CSP)
22:29 - Web Application Firewall (WAF)
24:00 - Client-Side Validation
24:46 - Server-Side Validation
25:12 - Output Encoding
26:30 - Shut Up and Hunt!!
26:44 - Starbucks Doesn't Care if You Steal a Cup of Coffee
29:30 - Identifying Our Target Domains
30:15 - Importing Scan Data
32:07 - Notes Are Mandatory
32:55 - Defining Categories for Live URLs
39:32 - Sorting Live URLs into Categories
1:00:22 - Setting Up Burp Suite
1:01:45 - Finding Targets in Endpoints w/ No Functionality
1:26:40 - Finding Targets in Endpoints w/ Restricted Access
1:33:33 - Checking Fuzzing Results & Expanding Attack Surface
1:49:42 - Finding Targets in API Endpoints
1:54:45 - Finding Targets in Third-Party Services
2:01:18 - Finding Targets in Internal Services
2:04:21 - Finding Targets in Full Applications
2:11:16 - Discuss Possibilities for Attack Vectors in Each Category
2:14:20 - Building a Custom Burp Scan to Find Reflected Input
2:20:08 - Finding Attack Vectors in Targets
2:31:14 - Identifying Compensating Controls in First Attack Vector
3:14:36 - Testing Web Application Firewall (WAF) Bypass
3:38:20 - Testing Validation and Output Encoding Bypass
3:48:45 - Scoring Our First Attack Vector
3:53:15 - Identifying Compensating Controls in Second Attack Vector
4:09:30 - Scoring Our Second Attack Vector
4:12:20 - Talking Through Different Use-Cases
4:37:00 - Summary of Methodology & What We Learned
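As an added example (not the author's code and not taken from the video), the following JavaScript automates the check that the "Building a Custom Burp Scan to Find Reflected Input" and "Testing Validation and Output Encoding Bypass" chapters perform by hand: it scans a response body for a canary that was sent in a parameter, reports the HTML context each reflection landed in (text, quoted attribute, or script string), and reports whether the break-out characters `<`, `"` and `'` survived output encoding. The canary value, the table of encoded spellings, and the five sample responses are all constructed for this demonstration.

```javascript
// Added example, not code from the video or its author.
// Scan a response body for a canary parameter value and classify each reflection.
// The canary, the encoded-form table and the sample responses are constructed here.

const CANARY = "zq7xq";              // marker that will not occur in a page by accident
const PROBE = CANARY + `<"'`;        // value to send in each parameter: marker + break-out chars

// Spellings a server may emit for each probe character; the raw character is listed first.
const FORMS = {
  "<": ["<", "&lt;", "&#60;", "&#x3c;", "\\x3c", "\\u003c", "%3C"],
  '"': ['"', "&quot;", "&#34;", "&#x22;", '\\"', "\\x22", "\\u0022", "%22"],
  "'": ["'", "&#39;", "&#x27;", "&apos;", "\\'", "\\x27", "\\u0027", "%27"],
};

// Take one probe character off the front of `rest`. A character the server stripped
// entirely (typical WAF or validation behaviour) matches no form and counts as not survived.
function consume(rest, ch) {
  const lower = rest.toLowerCase();
  for (const form of FORMS[ch]) {
    if (lower.startsWith(form.toLowerCase())) {
      return { survived: form === ch, rest: rest.slice(form.length) };
    }
  }
  return { survived: false, rest };
}

// Judge the context at offset `idx` from the markup that precedes it.
function contextAt(body, idx) {
  const before = body.slice(0, idx);
  const lastOpen = before.lastIndexOf("<");
  const lastClose = before.lastIndexOf(">");
  if (lastOpen > lastClose) {
    // Inside a tag: an odd number of quotes means we sit inside that quoted attribute value.
    const tag = before.slice(lastOpen);
    const dq = (tag.match(/"/g) || []).length;
    const sq = (tag.match(/'/g) || []).length;
    return { context: "attribute", quote: dq % 2 ? '"' : sq % 2 ? "'" : "" };
  }
  const opens = (before.match(/<script\b/gi) || []).length;
  const closes = (before.match(/<\/script\s*>/gi) || []).length;
  if (opens > closes) {
    // Inside a <script> block: count unescaped quotes since the block opened
    // to see whether we sit inside a JS string literal and which delimiter encloses it.
    const open = before.toLowerCase().lastIndexOf("<script");
    const js = before.slice(before.indexOf(">", open) + 1);
    const dq = (js.match(/(?<!\\)"/g) || []).length;
    const sq = (js.match(/(?<!\\)'/g) || []).length;
    return { context: "script", quote: dq % 2 ? '"' : sq % 2 ? "'" : "" };
  }
  return { context: "html_text", quote: "" };
}

// Which surviving character lets the reflected value leave its context?
function isExploitable(ctx, survived) {
  switch (ctx.context) {
    case "html_text":
      return survived["<"];                              // a new tag is needed
    case "attribute":
      return ctx.quote ? survived[ctx.quote] : true;     // unquoted values need only whitespace (not probed here)
    case "script":
      // "</script>" closes the block from inside any string; otherwise the string delimiter is needed
      return survived["<"] || (ctx.quote ? survived[ctx.quote] : true);
    default:
      return false;
  }
}

// Report every reflection of the canary in `body`.
function classifyReflections(body) {
  const findings = [];
  for (let idx = body.indexOf(CANARY); idx !== -1; idx = body.indexOf(CANARY, idx + CANARY.length)) {
    const ctx = contextAt(body, idx);
    let rest = body.slice(idx + CANARY.length);
    const survived = {};
    for (const ch of Object.keys(FORMS)) {
      ({ survived: survived[ch], rest } = consume(rest, ch));
    }
    findings.push({ offset: idx, ...ctx, survived, exploitable: isExploitable(ctx, survived) });
  }
  return findings;
}

// Constructed responses to the same request, ?q=zq7xq<"', from five differently behaved endpoints.
const SAMPLES = {
  encodedText: `<p>No results for zq7xq&lt;&quot;&#39;</p>`,
  rawAttribute: `<input name="q" value="zq7xq<"'">`,
  escapedScript: `<script>var q = 'zq7xq\\x3c\\"\\'';</script>`,
  urlEncodedHref: `<a href="/search?q=zq7xq%3C%22%27">search again</a>`,
  mixed: `<title>zq7xq<"'</title><input value="zq7xq&lt;&quot;&#39;">`,
};

for (const [name, body] of Object.entries(SAMPLES)) {
  console.log(name, JSON.stringify(classifyReflections(body)));
}
```

Run it with `node`; in real use the body would come from Burp's response (or a fetch against an in-scope host) rather than the constructed samples, and `PROBE` is the value to put in every parameter. The context heuristics are deliberately simple: RCDATA bodies such as `<title>` and `<textarea>`, unquoted attribute values (which need whitespace, not probed here) and JSON embedded in script tags still deserve a manual look before scoring a vector.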

Comments

I'm glad you're going over live targets. So many people are afraid to show them. Lol. This makes it much more practical with seeing a live target than something purposely exploitable almost all the time.

ReligionAndMaterialismDebunked

Thank you so much for this! 🙏❤
Every video out there focuses on one specific endpoint on a purposely vulnerable app, so when it's time for a real target I feel so lost and overwhelmed. This is exactly what I needed.

SatouSei

Hands-down, this is the best video out there on the Client-Side Injection topic. Looking forward to Part 2, and I would be very happy if there were some more.

xcalibur

I didn't realize you can highlight the issues in the "select individual issues" section; I tend to click one and then do Ctrl+A to select all and then disable. :D Some of the best content I've seen to this day!

ptyspawnbinbash

Damn, bro, you're just amazing... Looking forward to more videos like these, and please include how the impact can be increased, of course not on the live target but in your own way of teaching.
Thanks for such a great video 🙌

DevRawal-vnvp

Brilliant! 💡🔥😎 This is the content I've been looking for. As a beginner it's so helpful to see a pro actually working his workflow. This helps me figure out how to navigate my learning path! Very well received!

greeneyedguy

Was interviewed by this guy a few years back. Great guy! Love the knowledge

jyzf

The timestamps are great for such a very long video. That's quite a bit of extra effort to add those in. Thanks, again. 🤝

ReligionAndMaterialismDebunked

Man, I found you today and love everything I watch. I've been bottlenecked lately and you've helped open that flow up.

eyephpmyadmin

I put your framework in my bookmarks recently. I've been meaning to try it.

ReligionAndMaterialismDebunked

I don't have time to watch it because I know this as a pentester, but your course seems awesome; I will recommend it to all the beginners I know. Thank you for your content.

trustedsecurity

That's really amazing 🔥🔥🔥🔥🔥 We need more depth on this. You are the best.

maghotv

Bruh, you did awesome work in this video. It helps me find my methodology when trying to find something in BB programs. Keep doing it <3

sneaky

Love your videos, man. Thanks for the amazing content.

deniskamurua

God bless you and yours for the content ❣

PrashannaGhimire-qc

Very, very helpful. I am waiting for Part 2. Thank you very much.

norah

Sir, really great video. I am waiting for part two 😊

jxkz

Hey, can you add a proxy server to your arson framework? I guess it's helpful because after a few continuous requests, sites block our IP, considering it a DoS.

devilsworld

So was he able to find any vulnerabilities?

MiuraUY

This video is very helpful. Thank you so much, sir.

monikasharma