→ Tips for the Ahmad Halabi write-ups
- If you find a directory but get a 403 error, try brute-forcing that directory to find other files, either to bypass the 403 or to uncover secret files. (writeup)
- Use wordlists matched to the server technology, for example Apache or IIS (asp, aspx, ...). (writeup)
- If you find a public panel, script or similar, search for its default credentials. (writeup)
- Search for secret keys in the target's JavaScript files and in Wayback URLs. (writeup)
- Try to find hidden parameters with Google dorking, application errors, source code, fuzzing, etc. (writeup)
- Use Google hacking to find leaked data or default values to start from, for example account IDs, unique partner IDs, etc. (writeup)
- Add the LoginUrlSecretKey parameter name to your private wordlist to check other websites. (writeup)
- Try to find leaked secret IPs in JavaScript files; read the source code to find them.
- Search the company's GitHub repositories for anything that helps, for example tokens, API keys and endpoints related to the items you found, such as an API key for a view-users API on sub.domain.tld. (writeup)
- If you find third-party technologies, scripts, systems, etc., identify the application version and search for CVEs and vulnerabilities affecting that version. (writeup)
- Fully verify that the site is not vulnerable before moving on, and do not despair. (writeup)
- If you see CSRF token protection, remove the token parameter from the request and check again. (writeup)
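The two JavaScript tips above (secret keys in JS files and leaked secret IPs in source) are easiest to see from the defender's side: a scan of your own bundles before they ship. The following is an added example, not code from the write-ups; the regex patterns and the sample bundle are constructed for it, and `AKIAIOSFODNN7EXAMPLE` is the placeholder key from AWS documentation, not a real credential.

```python
import re

# Constructed patterns for this example; extend with your organisation's own key formats.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "generic_api_key": re.compile(
        r"""(?i)\b(?:api[_-]?key|secret[_-]?key|token)\s*[:=]\s*['"][A-Za-z0-9_\-]{16,}['"]"""
    ),
    "private_ipv4": re.compile(
        r"\b(?:10\.\d{1,3}\.\d{1,3}\.\d{1,3}"
        r"|192\.168\.\d{1,3}\.\d{1,3}"
        r"|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3})\b"
    ),
    "internal_hostname": re.compile(r"https?://[A-Za-z0-9.-]*\.(?:internal|local|corp)\b"),
}


def scan_js(source: str):
    """Return (line_number, pattern_name, matched_text) for every hit, in file order."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for name, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append((lineno, name, match.group(0)))
    return findings


def scan_bundles(bundles: dict):
    """Scan several files at once; returns {filename: findings} for files with hits only."""
    report = {}
    for filename, source in bundles.items():
        hits = scan_js(source)
        if hits:
            report[filename] = hits
    return report


# Constructed sample bundle: the kind of config object that ends up in a public JS file.
SAMPLE_JS = """\
// constructed sample bundle for this example
const cfg = {
  apiBase: "https://api.example.com/v1",
  adminApi: "http://admin-panel.corp.internal:8080",
};
const awsKey = "AKIAIOSFODNN7EXAMPLE";
const api_key = "sk_live_0123456789abcdef0123";
fetch("http://10.0.12.7/metrics");
"""

if __name__ == "__main__":
    for filename, hits in scan_bundles({"app.bundle.js": SAMPLE_JS}).items():
        for lineno, name, text in hits:
            print(f"{filename}:{lineno}: {name}: {text}")
```

Run it against the built assets in CI and fail the pipeline on any hit; the internal-hostname and private-IP patterns catch exactly the leaks the tips describe, and the key patterns catch the credentials that turn a leaked endpoint into a working request.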
- Other
- Check rate limiting on sending emails to users and on sending messages to the chat system (for denial of service) on your targets. (writeup1) (writeup2)
- Check the disable/close account section for CSRF. (writeup)
- Check update-profile inputs, such as the email input, for XSS. (writeup)
- Add the “remoteservices” keyword to your custom wordlist for subdomain fuzzing :) (writeup)
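The CSRF tips (remove the token parameter and retry; check the close-account section) both come down to one server-side mistake: validating the token only when the client sends one. This added example, which is not code from the write-ups, shows that lenient check next to a fail-closed one and a close-account handler that returns an event name a defender can log. The handler, session layout and event names are assumptions made for the example.

```python
import hmac
import secrets


def issue_csrf_token() -> str:
    """Generate a per-session token; store it server-side and embed it in forms."""
    return secrets.token_urlsafe(32)


def csrf_valid_lenient(session_token, form):
    """Flawed pattern the tip probes: the token is compared only when the client sends one.
    A request that simply omits csrf_token passes, so the protection can be stripped."""
    submitted = form.get("csrf_token")
    if submitted is None:
        return True  # bug: absence treated as success
    return hmac.compare_digest(submitted, session_token)


def csrf_valid_strict(session_token, form):
    """Fail closed: missing session token, missing submitted token, or mismatch all reject."""
    submitted = form.get("csrf_token")
    if not session_token or not submitted:
        return False
    return hmac.compare_digest(submitted, session_token)


def handle_close_account(session, form, strict=True):
    """State-changing handler; returns (http_status, event) so the decision is observable.
    The event string is what you would log: repeated 'csrf_missing' from one client is a signal
    that someone is testing whether the token can be dropped."""
    check = csrf_valid_strict if strict else csrf_valid_lenient
    if not check(session.get("csrf_token"), form):
        event = "csrf_missing" if "csrf_token" not in form else "csrf_mismatch"
        return 403, event
    session["account_closed"] = True
    return 200, "account_closed"


if __name__ == "__main__":
    session = {"csrf_token": issue_csrf_token()}
    # Same token-less request against both checks: only the lenient one lets it through.
    print(handle_close_account(dict(session), {"confirm": "yes"}, strict=False))
    print(handle_close_account(dict(session), {"confirm": "yes"}, strict=True))
```

`hmac.compare_digest` keeps the comparison constant-time; the important part for this tip is the `not submitted` branch, which is what makes "remove the token and retry" return 403 instead of 200.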
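The rate-limiting tip (email to users, messages into the chat system) is about a missing control rather than a bug, so the useful worked example is the control itself. This is an added example, not code from the write-ups: a sliding-window limiter keyed separately on the sending account and on the target inbox, so neither one account flooding many recipients nor many accounts flooding one recipient gets through. The function names, limits and the injectable clock are assumptions made for the example.

```python
import time
from collections import deque


class SlidingWindowLimiter:
    """Allow at most `limit` events per key in any trailing `window` seconds."""

    def __init__(self, limit, window, clock=time.monotonic):
        self.limit = limit
        self.window = window
        self.clock = clock  # injectable so tests can advance time deterministically
        self._events = {}  # key -> deque of event timestamps inside the window

    def allow(self, key):
        now = self.clock()
        q = self._events.setdefault(key, deque())
        # Drop timestamps that have aged out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def try_send_notification(sender_limiter, recipient_limiter, sender_id, recipient):
    """Gate an outbound email or chat message on both the sending account and the target inbox.
    The sender is checked first: a denied sender then consumes no recipient budget, and a
    denied recipient still costs the sender a slot, which is the right direction for abuse."""
    if not sender_limiter.allow(sender_id):
        return False, "sender_cap"
    if not recipient_limiter.allow(recipient.lower()):
        return False, "recipient_cap"
    return True, "sent"


if __name__ == "__main__":
    senders = SlidingWindowLimiter(limit=20, window=3600)
    recipients = SlidingWindowLimiter(limit=5, window=3600)
    for _ in range(7):
        print(try_send_notification(senders, recipients, "acct-1", "someone@example.com"))
```

Both counters are the same class with different keys; the per-recipient one is the piece most applications forget, and it is the one that stops the denial-of-service case the tip refers to. The denied outcomes are returned as strings so they can be logged and alerted on.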
Links