Hi friend, I am CodeNinja a.k.a. Aakash Choudhary.
Today I am sharing tips related to bug hunting which I learned from my brother "Shawar Khan", so full credits to him.
Browse the site which you want to test and then try to find all APPLICATION ENTRY POINTS.
Example :
- GET
- POST
- COOKIE
- SEARCH BOX
- Comment Section
- Contact Us Section
- Hidden POST in FORMS
- LOGIN
After finding the user input fields, or we can say Application Entry Fields, start testing those fields.
Try to understand the mechanism of those fields, like what action each field performs.
Check the JAVASCRIPT validation and try to understand it.
Next thing to remember during TESTING is to always test both the CLIENT SIDE request & the SERVER SIDE request.
Try to intercept the Request/Response through Burp Suite to understand them.
Example :->
A PASSWORD Change form which I am going to test.
Three fields I see :->
- Current Password
- New Password
- Confirm New Password
So in this MECHANISM we have to use the current password.
For testing, intercept this request in Burp Suite and remove the parameter :-> Current Password, then forward the request. If we see
a 200 OK response then it means we bypassed the server side validation (the server only trusted the client side JavaScript check).
Note that first you input any text in the current password field and our new password in the next two fields, and then intercept it.
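To show what is actually wrong on the server in the password change example above, here is an added example (my own demo code, not code from the original post or from Shawar Khan). The user store, the form dictionaries and the status codes are constructed for the demo; the vulnerable handler checks the current password only when the parameter is present, so removing it in the proxy skips the check, while the fixed handler treats it as mandatory.

```python
# Added example (not code from the original post or from Shawar Khan): a
# password-change handler that skips the current-password check when the
# parameter is absent, next to a hardened version that makes it mandatory.
# The user store, form dicts and status codes are constructed for this demo.
import hashlib
import hmac
import os

# Constructed in-memory user store: username -> (salt, PBKDF2 hash)
USERS = {}


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def set_password(username, password):
    salt = os.urandom(16)
    USERS[username] = (salt, _hash_password(password, salt))


def verify_password(username, password):
    if username not in USERS:
        return False
    salt, stored = USERS[username]
    # constant-time comparison avoids leaking how many bytes matched
    return hmac.compare_digest(_hash_password(password, salt), stored)


def change_password_vulnerable(username, form):
    """Only validates current_password when the client sends it, so deleting
    that parameter from the intercepted request bypasses the check."""
    if form.get("new_password") != form.get("confirm_password"):
        return 400, "new passwords do not match"
    if "current_password" in form and not verify_password(username, form["current_password"]):
        return 403, "current password is wrong"
    set_password(username, form["new_password"])
    return 200, "OK"


def change_password_fixed(username, form):
    """Treats current_password as mandatory and verifies it server side; a
    missing or empty parameter is rejected before anything is changed."""
    current = form.get("current_password")
    new = form.get("new_password")
    if not current or not new or new != form.get("confirm_password"):
        return 400, "missing or mismatched parameters"
    if not verify_password(username, current):
        return 403, "current password is wrong"
    set_password(username, new)
    return 200, "OK"


if __name__ == "__main__":
    set_password("alice", "old-secret")
    # the request body after removing current_password in the proxy (constructed)
    tampered = {"new_password": "attacker-chosen", "confirm_password": "attacker-chosen"}
    print("vulnerable:", change_password_vulnerable("alice", tampered))  # (200, 'OK')
    set_password("alice", "old-secret")
    print("fixed:     ", change_password_fixed("alice", tampered))       # (400, ...)
```

The point for the tester is the 200 vs 400 difference on the same tampered request; the point for the developer is that a parameter the JavaScript makes "required" is still optional as far as the server is concerned unless the server checks it itself.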
To understand MECHANISM better, see another MECHANISM example :-
The Session Hijacking attack consists of the exploitation of the web session control mechanism, which is normally managed through a session token.
The Session Hijacking attack compromises the session token by stealing or predicting a valid session token to gain unauthorized access to the web server.
Once the attacker has successfully stolen the session token of the user, the attacker is able to log into the victim's session by using the cookies which he has stolen.
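The session mechanism above is only as strong as the token and the cookie that carries it. Here is an added example (my own demo code, not from the original post) of the server side of that mechanism done carefully: tokens from the OS CSPRNG so they cannot be predicted, a server-side table with expiry so a stolen token has a short life, revoke-all on logout or password change, and cookie flags that keep the token away from scripts and plain HTTP. The SessionStore class, the TTL values and the cookie name "session" are assumptions for this demo, not any real framework's API.

```python
# Added example (not from the original post): server-side session handling
# that makes the token hard to steal or predict. SessionStore, the TTL and the
# cookie name "session" are assumptions for this demo, not any real framework.
import secrets
import time


class SessionStore:
    """Server-side session table: token -> {user, expires}. Only the random
    token leaves the server; the user identity is never stored client side."""

    def __init__(self, ttl_seconds=3600):
        self.ttl = ttl_seconds
        self._sessions = {}

    def create(self, username, now=None):
        now = time.time() if now is None else now
        # 32 bytes from the OS CSPRNG (256 bits): cannot be guessed or counted up
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": username, "expires": now + self.ttl}
        return token

    def lookup(self, token, now=None):
        """Return the username for a live token, or None for unknown/expired."""
        now = time.time() if now is None else now
        entry = self._sessions.get(token)
        if entry is None:
            return None
        if now >= entry["expires"]:
            del self._sessions[token]   # expired tokens are useless to a thief
            return None
        return entry["user"]

    def revoke_user(self, username):
        """Kill every session of a user, e.g. on logout or password change,
        so an already-stolen token stops working. Returns how many were killed."""
        dead = [t for t, e in self._sessions.items() if e["user"] == username]
        for t in dead:
            del self._sessions[t]
        return len(dead)


def session_cookie_header(token, ttl_seconds=3600):
    # HttpOnly: JavaScript cannot read it; Secure: never sent over plain HTTP;
    # SameSite=Lax: not attached to most cross-site requests.
    return ("Set-Cookie: session=%s; HttpOnly; Secure; SameSite=Lax; Path=/; Max-Age=%d"
            % (token, ttl_seconds))


if __name__ == "__main__":
    store = SessionStore(ttl_seconds=60)
    tok = store.create("alice", now=1000)
    print(session_cookie_header(tok, 60))
    print(store.lookup(tok, now=1030))   # alice
    print(store.lookup(tok, now=1061))   # None, expired
```

When you test a site, compare its Set-Cookie header and token format against this: a short or sequential token, a missing HttpOnly/Secure flag, or a session that survives a password change are all things worth reporting.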
Conclusion :->
Check both the Client Side Request & the Server Side Request. Find the Application Entry Points and then test them.
I will give more tips on this in future.
CREDIT :-> My brother [Shawar Khan]
Thanks
Make it more detailed with pics bro...
Also visit my blog
http://bornhackerz.blogspot.in
<3
Sure brother. I will make a demo site for this in future.
Thanks