HowWorks CRLF

‘HowWorks’ - new post type, explains how something works, in that case CRLF vulnerability

If we can inject some data in web app that doesn’t get proper validation/filtering and used in HTTP response Headers, then we can inject \r\n (HTTP line break, CRLF).

You can think of it as stored XSS, but instead Javascript, we inject \r\n which will allow to effectivly modify entire HTTP response from server to specific endpoint.

2025-01-14

https://blog.ca.sual.in/hacking/how_crlf_work/ Casual

BugBounty l0l: Email Subscriptions

# Spam

The most common vuln in email subscription that I’ve seen is spamming:

If you found any email subscription form, try to spam yourself by subscribing multiple times:

email@example.com (your original mail box)
email+random1@example.com (messages will be sent to 'email@example.com')
email+random2@example.com
...

Why company don’t want it? It’s possible to use this vuln to make all their emails appear in spam folder by-default by spamming innocent users which will report it as spam.

2024-12-18

https://blog.ca.sual.in/hacking/bugbounty_101_email_subscription/ Casual

HowTo dirbust

# Tools

We have 2 good options:

## ffuf

ffuf -r -sf -ac -w ./wordlist.txt -u http://scanme.sh/FUZZ

pros:

have great -ac which automatically filters potential false-positives
-sf stop when > 95% of responses return 403 Forbidden
-enc can encode wordlist with URL/base64 encoder
you can specify multiple wordlists
-mode can specify multiple wordlists and multiple FUZZ words (like in burp suite)
you can specify rate limit
more matching options
have recursive scan
better UI (+ have some interactive mode)

cons:

2024-12-04

https://blog.ca.sual.in/hacking/howto_dirb/ Casual

HowTo dirb with GoLang library

Well, if you want to integrate dirbuster to your Go app, than you are in a troube since tools dont provided usage as library. You’ll end up with 2 choices:

write own lib from scratch
hack around with known tools

I’ve did last one. I’ve modificated dirb tool so it’s easy to use as library.

Here you go - https://git.sual.in/casual/gobuster-lib

2024-11-27

https://blog.ca.sual.in/hacking/howto_dirb_golang_library/ Casual

BugBounty l0l: HowTo choose program

- Your bounty -

# Time

You have 2 options:

hack programs that new - they should be realeased in less then a day ago
hack programs that pretty old - they may have overlooked vulnurabilities

# Rules

Check for rules that could potentially prohibit sending your vulnerabilities that you specialize in

# Bounty

Try evade programs that have 0 bounty for low vulns.
Also evade programs that have high vulnurabilities submit number with low total payouts.

2024-11-13

https://blog.ca.sual.in/hacking/howto_choose_bb_program/ Casual

HowTo crawl website

Crawler (or spider) - gets you all links that site have and reference to. It isn’t dirbusting, you can’t get hidden directories with crawler.

With crawler you can more easily find hard to find website functions or interesting links (like URL parameters example.com/get?promo=code).

# How to crawl

We will use 2 tools, katana and gau

## Katana

Fast and feature-full crawler:

you can just crawl site - katana -u blog.ca.sual.in
crawl .js files for additional links (-jc -jsl)
use headless browser (in case you get blocked, -hl)
etc…

## Gau

This one doesn’t crawl site from your computer, it uses data from public internet crawlers

2024-11-05

https://blog.ca.sual.in/hacking/howto_crawl_website/ Casual

HowTo scan ports

## naabu

naabu -nmap-cli 'nmap -sC -sV' -host host.url - scan url and pass its ports to nmap service and version detection

Fast, user-friendly and have advanced features (e.g. - scan all IPs under DNS domain) - Cool!
Have service and version detection in help (-sD -sV), but they never worked and just exists in help for more than 1 year.