Google-Dorks-Bug-Bounty - A List Of Google Dorks For Bug Bounty, Web Application Security, And Pentesting

A list of Google Dorks for Bug Bounty, Web Application Security, and Pentesting

Live Tool

Broad domain search w/ negative search

site:example.com -www -shop -share -ir -mfa

PHP extension w/ parameters

site:example.com ext:php inurl:?

Disclosed XSS and Open Redirects

site:openbugbounty.org inurl:reports intext:"example.com"

Juicy Extensions

site:"example[.]com" ext:log | ext:txt | ext:conf | ext:cnf | ext:ini | ext:env | ext:sh | ext:bak | ext:backup | ext:swp | ext:old | ext:~ | ext:git | ext:svn | ext:htpasswd | ext:htaccess

XSS prone parameters

inurl:q= | inurl:s= | inurl:search= | inurl:query= | inurl:keyword= | inurl:lang= inurl:& site:example.com

Open Redirect prone parameters

inurl:url= | inurl:return= | inurl:next= | inurl:redirect= | inurl:redir= | inurl:ret= | inurl:r2= | inurl:page= inurl:& inurl:http site:example.com

SQLi Prone Parameters

inurl:id= | inurl:pid= | inurl:category= | inurl:cat= | inurl:action= | inurl:sid= | inurl:dir= inurl:& site:example.com

SSRF Prone Parameters

inurl:http | inurl:url= | inurl:path= | inurl:dest= | inurl:html= | inurl:data= | inurl:domain= | inurl:page= inurl:& site:example.com

LFI Prone Parameters

inurl:include | inurl:dir | inurl:detail= | inurl:file= | inurl:folder= | inurl:inc= | inurl:locate= | inurl:doc= | inurl:conf= inurl:& site:example.com

RCE Prone Parameters

inurl:cmd | inurl:exec= | inurl:query= | inurl:code= | inurl:do= | inurl:run= | inurl:read= | inurl:ping= inurl:& site:example.com

High % inurl keywords

inurl:config | inurl:env | inurl:setting | inurl:backup | inurl:admin | inurl:php site:example[.]com

Sensitive Parameters

inurl:email= | inurl:phone= | inurl:password= | inurl:secret= inurl:& site:example[.]com

API Docs

inurl:apidocs | inurl:api-docs | inurl:swagger | inurl:api-explorer site:"example[.]com"

Code Leaks

site:pastebin.com "example.com"

site:jsfiddle.net "example.com"

site:codebeautify.org "example.com"

site:codepen.io "example.com"

Cloud Storage

site:s3.amazonaws.com "example.com"

site:blob.core.windows.net "example.com"

site:googleapis.com "example.com"

site:drive.google.com "example.com"

site:dev.azure.com "example[.]com"

site:onedrive.live.com "example[.]com"

site:digitaloceanspaces.com "example[.]com"

site:sharepoint.com "example[.]com"

site:s3-external-1.amazonaws.com "example[.]com"

site:s3.dualstack.us-east-1.amazonaws.com "example[.]com"

site:dropbox.com/s "example[.]com"

site:box.com/s "example[.]com"

site:docs.google.com inurl:"/d/" "example[.]com"

JFrog Artifactory

site:jfrog.io "example[.]com"

Firebase

site:firebaseio.com "example[.]com"

File upload endpoints

site:example.com "choose file"

Dorks that work better w/o domain

Bug Bounty programs and Vulnerability Disclosure Programs

"submit vulnerability report" | "powered by bugcrowd" | "powered by hackerone"

site:*/security.txt "bounty"

Apache Server Status Exposed

site:*/server-status apache

WordPress

inurl:/wp-admin/admin-ajax.php

Drupal

intext:"Powered by" & intext:Drupal & inurl:user

Joomla

site:*/joomla/login

Medium articles for more dorks:

https://thegrayarea.tech/5-google-dorks-every-hacker-needs-to-know-fed21022a906

https://infosecwriteups.com/uncover-hidden-gems-in-the-cloud-with-google-dorks-8621e56a329d

https://infosecwriteups.com/10-google-dorks-for-sensitive-data-9454b09edc12

Top Parameters:

https://github.com/lutfumertceylan/top25-parameter

Proviesec dorks:

https://github.com/Proviesec/google-dorks

Route-Detect - Find Authentication (Authn) And Authorization (Authz) Security Bugs In Web Application Routes

Find authentication (authn) and authorization (authz) security bugs in web application routes:

Web application HTTP route authn and authz bugs are some of the most common security issues found today. These industry standard resources highlight the severity of the issue:

• 2021 OWASP Top 10 #1 - Broken Access Control
• 2021 OWASP Top 10 #7 - Identification and Authentication Failures (formerly Broken Authentication)
• 2023 OWASP API Top 10 #1 - Broken Object Level Authorization
• 2023 OWASP API Top 10 #2 - Broken Authentication
• 2023 OWASP API Top 10 #5 - Broken Function Level Authorization
• 2023 CWE Top 25 #11 - CWE-862: Missing Authorization
• 2023 CWE Top 25 #13 - CWE-287: Improper Authentication
• 2023 CWE Top 25 #20 - CWE-306: Missing Authentication for Critical Function
• 2023 CWE Top 25 #24 - CWE-863: Incorrect Authorization

Supported web frameworks (route-detect IDs in parentheses):

• Python: Django (django, django-rest-framework), Flask (flask), Sanic (sanic)
• PHP: Laravel (laravel), Symfony (symfony), CakePHP (cakephp)
• Ruby: Rails* (rails), Grape (grape)
• Java: JAX-RS (jax-rs), Spring (spring)
• Go: Gorilla (gorilla), Gin (gin), Chi (chi)
• JavaScript/TypeScript: Express (express), React (react), Angular (angular)

*Rails support is limited. Please see this issue for more information.

Installing

Use pip to install route-detect:

$ python -m pip install --upgrade route-detect

You can check that route-detect is installed correctly with the following command:

$ echo 'print(1 == 1)' | semgrep --config $(routes which test-route-detect) -
Scanning 1 file.

Findings:

  /tmp/stdin
     routes.rules.test-route-detect
        Found '1 == 1', your route-detect installation is working correctly

          1┆ print(1 == 1)


Ran 1 rule on 1 file: 1 finding.

Using

route-detect provides the routes CLI command and uses semgrep to search for routes.

Use the which subcommand to point semgrep at the correct web application rules:

$ semgrep --config $(routes which django) path/to/django/code

Use the viz subcommand to visualize route information in your browser:

$ semgrep --json --config $(routes which django) --output routes.json path/to/django/code
$ routes viz --browser routes.json

If you're not sure which framework to look for, you can use the special all ID to check everything:

$ semgrep --json --config $(routes which all) --output routes.json path/to/code

If you have custom authn or authz logic, you can copy route-detect's rules:

$ cp $(routes which django) my-django.yml

Then you can modify the rule as necessary and run it like above:

$ semgrep --json --config my-django.yml --output routes.json path/to/django/code
$ routes viz --browser routes.json

Contributing

route-detect uses poetry for dependency and configuration management.

Before proceeding, install project dependencies with the following command:

$ poetry install --with dev

Linting

Lint all project files with the following command:

$ poetry run pre-commit run --all-files

Testing

Run Python tests with the following command:

$ poetry run pytest --cov

Run Semgrep rule tests with the following command:

$ poetry run semgrep --test --config routes/rules/ tests/test_rules/

Forbidden-Buster - A Tool Designed To Automate Various Techniques In Order To Bypass HTTP 401 And 403 Response Codes And Gain Access To Unauthorized Areas In The System

Forbidden Buster is a tool designed to automate various techniques in order to bypass HTTP 401 and 403 response codes and gain access to unauthorized areas in the system. This code is made for security enthusiasts and professionals only. Use it at your own risk.

• Probes HTTP 401 and 403 response codes to discover potential bypass techniques.
• Utilizes various methods and headers to test and bypass access controls.
• Customizable through command-line arguments.

Install requirements

pip3 install -r requirements.txt

Run the script

python3 forbidden_buster.py -u http://example.com

Forbidden Buster accepts the following arguments:

  -h, --help            show this help message and exit
  -u URL, --url URL     Full path to be used
  -m METHOD, --method METHOD
                        Method to be used. Default is GET
  -H HEADER, --header HEADER
                        Add a custom header
  -d DATA, --data DATA  Add data to requset body. JSON is supported with escaping
  -p PROXY, --proxy PROXY
                        Use Proxy
  --rate-limit RATE_LIMIT
                        Rate limit (calls per second)
  --include-unicode     Include Unicode fuzzing (stressful)
  --include-user-agent  Include User-Agent fuzzing (stressful)

Example Usage:

python3 forbidden_buster.py --url "http://example.com/secret" --method POST --header "Authorization: Bearer XXX" --data '{\"key\":\"value\"}' --proxy "http://proxy.example.com" --rate-limit 5 --include-unicode --include-user-agent

• Hacktricks - Special thanks for providing valuable techniques and insights used in this tool.
• SecLists - Credit to danielmiessler's SecLists for providing the wordlists.
• kaimi - Credit to kaimi's "Possible IP Bypass HTTP Headers" wordlist.

Decider - A Web Application That Assists Network Defenders, Analysts, And Researcher In The Process Of Mapping Adversary Behaviors To The MITRE ATT&CK Framework

What is it?

The Short

A web application that assists network defenders, analysts, and researchers in the process of mapping adversary behaviors to the MITRE ATT&CK® framework.

The Long

Decider is a tool to help analysts map adversary behavior to the MITRE ATT&CK framework. Decider makes creating ATT&CK mappings easier to get right by walking users through the mapping process. It does so by asking a series of guided questions about adversary activity to help them arrive at the correct tactic, technique, or subtechnique. Decider has a powerful search and filter functionality that enables users to focus on the parts of ATT&CK that are relevant to their analysis. Decider also has a cart functionality that lets users export results to commonly used formats, such as tables and ATT&CK Navigator™ heatmaps.

The Screenshots

Decider's Question Tree

(you are here)[Matrix > Tactic] > Technique > SubTechnique

Decider's Full Technique Search

Boolean expressions, prefix-matching, and stemming included.

The Notice

This project makes use of MITRE ATT&CK - ATT&CK Terms of Use

Usage

Read the User Guide

Installation

Docker

Best option for 99% of people

git clone https://github.com/cisagov/decider.git
cd decider
cp .env.example .env
[sudo] docker compose up

sudo for Linux only

Linux tested on:

• Ubuntu Jammy 22.04.2 LTS
• Docker Engine
  • Not Docker Desktop (couldn't get nested-virt in my VM)

Windows tested on:

• Windows 11 Home, version 22H2, build 22621.1344
• Home doesn't support HyperV
  • Thus tested on Docker Desktop via WSL backend

macOS (M1) tested on:

• macOS Ventura 13.2.1 (22D68)
• Mac M1 Processor
• On Docker Desktop installed via .dmg

It is ready when Starting uWSGI appears

Then visit http://localhost:8001/

(Port is set by .env WEB_PORT)

Default Login:

• Email: admin@admin.com
• Password: admin

And note: Postgres stores its data in a Docker volume to persist the database.

Manual Install

Read the Admin Guide

There are some issues in the instructions... Working on it, simplifying them

Help Tips:

• Use Python 3.8.10 / 3.8.x on Linux / mac
• Follow the order of instructions
• Watch out using sudo with python - it won't keep the venv you're in by default
• If just running for yourself locally:
  • Don't create a system account for decider
  • Don't use uWSGI
  • Use the built-in debug Flask server
• Mac M1 users should install Postgres before installing the pip requirements
  • brew install postgresql
  • Explained: psycopg2-binary isn't using a pre-built binary and tries to compile from scratch, and it can't find pg_config.

Erlik 2 - Vulnerable-Flask-App

Erlik 2 - Vulnerable-Flask-App

Tested - Kali 2022.1

Description

It is a vulnerable Flask Web App. It is a lab environment created for people who want to improve themselves in the field of web penetration testing.

Features

It contains the following vulnerabilities.

• HTML Injection
• XSS
• SSTI
• SQL Injection
• Information Disclosure
• Command Injection
• Brute Force
• Deserialization
• Broken Authentication
• DOS
• File Upload

Installation

git clone https://github.com/anil-yelken/Vulnerable-Flask-App

cd Vulnerable-Flask-App

sudo pip3 install -r requirements.txt

Usage

python3 vulnerable-flask-app.py

Contact

https://twitter.com/anilyelken06

https://medium.com/@anilyelken