Have a question? Ask it here in this thread!


#21

Okay, thanks. Without context it's difficult to help.


#22

Sorry for the late reply, we had some rare sunshine here. Hope this helps.
I have visited hxxp://example.com/marketplace?query=xxxxxxxxx

first results = 2.png 2
then hxxp://example.com/marketplace?query=xxxxxxxxx a second time = 3.png

I don't think there is anything there, I am just struggling to understand the flow and I didn't see any other site giving response code 418. The page renders as normal and there are no errors on the page, however the server response header shows
HTTP/1.1 418 Unknown Error
Content Type application/hal+json


#23

Actually I want to know whether a company provides points for this kind of report?

  1. The report was Duplicate and the severity was changed to P4.
  2. The report was then closed as “Won’t Fix”.

I wasn’t allotted the 1 point for some low priority issues as they were closed as “Won’t Fix” after changing the severity to P4. What I am saying is that only P5 priority vulns are not allotted points, right? Once a bug has been set as P4, even if they are not fixing it, the company gives points on BugCrowd, right?
@stefanofinding @samhouston

Anyone? Any knowledge about this platform for this kind of issue? Thanks :)


#24

Difficult to help you from what I understand, sorry. It’s interesting though, that the value you send as the value of query is then appended to the other requests. I would check if it’s possible to add a parameter to the other requests, like: ?query=xxx%26otherparameter%3dvalue. And if it’s added decoded like autocomplete?q=xxx&otherparameter=value then you can see if there is a parameter like callback or something like that which will return a JavaScript function in the content or something like that.
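To make the check above concrete, here is an added example (not code from this thread or from any site discussed in it) that models a front-end which forwards the `query` value into an internal `autocomplete?q=` request, showing why appending the decoded value by string concatenation lets an encoded `&` smuggle in extra parameters, and how re-encoding the value fixes it. The backend URL and the `q`/`callback` parameter names are illustrative assumptions.

```python
"""Parameter injection through a forwarded query value (vulnerable vs fixed).

Added example, not the forum's or any vendor's code. A front-end receives
?query=... and builds a second, internal request autocomplete?q=... from
it. If the already-decoded value is concatenated into the new URL, an
encoded '&' (%26) in the original request becomes a real separator in the
internal one. Parameter names (q, callback) are constructed assumptions.
"""
from urllib.parse import parse_qs, urlencode, urlsplit

BACKEND = "https://backend.internal/autocomplete"  # constructed placeholder


def front_end_value(raw_query_string: str) -> str:
    """What a typical web framework hands the handler: the decoded 'query'."""
    return parse_qs(raw_query_string)["query"][0]


def build_backend_url_unsafe(query: str) -> str:
    """Vulnerable pattern: decoded user data concatenated into a URL."""
    return f"{BACKEND}?q={query}"


def build_backend_url_safe(query: str) -> str:
    """Fixed pattern: the value is opaque data and is re-encoded as one field."""
    return f"{BACKEND}?{urlencode({'q': query})}"


def backend_params(url: str) -> dict:
    """The parameters the internal service actually parses from the URL."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def injected_params(query: str, builder) -> set:
    """Parameter names that reached the backend besides the intended 'q'."""
    return set(backend_params(builder(query))) - {"q"}


if __name__ == "__main__":
    # Constructed probe in the shape discussed above: one 'query' value that
    # contains an encoded '&' and '='.
    value = front_end_value("query=xxx%26callback%3dalert")
    for name, builder in (("unsafe", build_backend_url_unsafe),
                          ("safe", build_backend_url_safe)):
        url = builder(value)
        print(f"{name:6s} {url}")
        print("       backend sees:", backend_params(url))
```

The safe builder makes the backend see a single `q` parameter containing the literal `&`, so a reflected `callback` parameter is no longer reachable from the outside.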


#25

I don’t know about that, I haven’t read how the points are assigned. I hope Sam can answer your question.
However, I wouldn’t bother for just 1 point really.


#26

I think the issue you submitted was a duplicate of a won't fix issue in the first place so the original report didn’t get points and by submitting the duplicate you also didn’t get points.


#27

Hi
I want to know how to register before hacking or finding bugs as a tester, and what process I have to follow before hacking any website.


#28

Hi
I want to know how to register before finding bugs in a website, and what process I have to follow before finding bugs in a website.


#29

Thanks, I will keep this pending for now. I appreciate your help @stefanofinding. I looked into the unusual 418 response code hoping it would shed some light, but it just led me to ask even more questions than before. In Web Hacking 101 it says “if something ain't right keep digging”, so that's what I’ll have to do. I am truly fascinated by everything I have learned these last weeks.

Keep hunting everyone, good luck.


#30

Hi

I am struggling to get an XSS from a site.

  1. In the “Contact Us” box I am trying to inject basic XSS like
  2. But it is not taking the entry as valid and shows the error "Invalid Request".
  3. I have tried URL encoding for the following HTML

image

Note: It is not allowing the < or > So I have tried the following

image

  1. Now it is accepting the above input, but
  2. When I search for the ticket created in the above step, it just shows the text, so it is not rendering.
  3. In Chrome I checked the source and it is given as follows.

image

Maybe I am doing something wrong in a very basic step. Could you please suggest.


#31

Amazing to read what you wrote! I hope you end up getting results in the near future.


#32

Hi @Qwerty9,
I think I replied to you on Twitter. Let me know if you are the same person.


#33

Hi @sabyasachi,
HTML encoding (like &#x3c;) is useful in some cases but not all. When trying to get an XSS, it helps if you are able to understand the context of the injection. In the case you mention, HTML encoding isn’t going to help from what I understand. However I see that the application uses AngularJS (notice the ng-binding), look at the version of the library and google it to see if it’s vulnerable to a known sandbox escape. I haven’t reported anything related to AngularJS, but maybe you have something there. Otherwise, keep trying to find a way to not get an Invalid request error while sending a value that, once reflected, is going to be useful to execute JavaScript code. Or just move on to other parts of the application or another bug bounty program :smiley:


#34

@sabyasachi I’ve had 3 cases of seriously needing help with XSS and decided to give @brutelogic on Twitter a ping. He gave me valuable information each time, so if you get a chance give him a DM. He didn't even try to sell his knoxss tool to me. I actually sent it to his personal Twitter @rodoassis. He has huge knowledge about advanced XSS. Also check this great hack from albinowax https://hackerone.com/reports/125027 where he got XSS to fire via template injection by escaping the AngularJS sandbox. Good luck


#35

Is anybody aware of error code 561? According to https://msdn.microsoft.com/en-us/library/windows/desktop/ms681388(v=vs.85).aspx it means

Indicates that an attempt was made to grow an LDT by setting its size, or that the size was not an even number of selectors.
I haven't a clue what that means, my questions are:
Is the error unique to Windows systems?
Can developers spoof response codes?
The webroot, e.g. www.example.com/, was 403, but after bruteforcing I found /somepath/ which rendered but the response code was 561. Could that cause it?


#36

Yes bro, u replied to me


#37

Hi @stefanofinding

Thanks a lot for your response. For the XSS issue the site is not accepting any < or > characters. I have tried both from the page as well as from ZAP. So it seems that it is not only in the page, it has this check on the server. But with HTML encoding, it is not filtering anything. Unfortunately it is not at all parsing that, even though I have tried different combinations. I am still trying, there must be some other way around.

Thanks for the suggestion for AngularJS. I am already working on it. I will share the progress with you. You are amazing.


#38

Thanks for your suggestion. I will definitely explore those areas.


#39

Maybe it’s working as expected then, which is good.

Okay. Looking forward to the results. :blush:


#40

OK, I am working hard on a bug and need some advice. I have managed to upload rce.php but the website will only allow downloading the file. The URL after I uploaded the php is

download_filename.php?some_name=1&some_path=123456 (when you click this you can only download the file)
so I make this change

download_filename.php?cmd=uname -a and this time it returns in the browser
{"status":{"success":false,"message":"NO TOKEN"}}

How else shall I test this to get code execution, is it possible?

thanks