
Published on May 2nd, 2019 | 3610 Views


If you're not doing this you're missing out. BUGBOUNTY




Five things to test on the main app. If you don't test for these, well, then you're missing out!

TL;DR
1. Don't just poke around on the outside of the app. There's a lot of stuff on the inside.
2. Always look for IDORs and access control bugs: can you do the same thing as another user?
3. Test all the file uploads, not just the profile picture, test all of 'em! (Command injection)
BONUS: Check all the dynamic parameters that accept URLs or paths for SSRF.
4. Create an epic wordlist and content-discover all the hidden paths; try to identify information disclosures. Find that juicy admin panel or forgotten backup.zip file.
5. Check for non-technical bugs: what does the customer care about? Can you leak some data?

Some links:
HTML5 Security Cheatsheet - A collection of HTML5 related XSS attack vectors
https://github.com/cure53/H5SC
https://html5sec.org/

ImageTragick
https://imagetragick.com/
https://www.softwaresecured.com/imagemagick-rce-take-2/

SSRF:

What is server side request forgery (SSRF)?





Go follow me on Instagram:
https://www.instagram.com/stokfredrik/
https://twitter.com/stokfredrik

Go give Jason a follow on Twitter.
https://jasonhaddix.com/
https://twitter.com/jhaddix

All music from Epidemic sound,
All gifs from Giphy
All your base are belong to us.

