Davinder Tutorials

This blog is all about Cyber Security and IT

Monday, April 18, 2022

Dynamic Programming Patterns

  April 18, 2022    

  No Comments

Top Best IT companies in Delhi for Working

  April 18, 2022    

Some People prefer to stay close to family. In North India , There are rare locations availabe like we have Delhi, Noida, Gurgaon, Mohali, Chandigarh,Panchkula in which maximum IT companies are present.

I am sharing list of TOP companies in NCR


Adobe - Noida
Swiggy - Gurgaon
Airtel - Gurgaon
American Express - Gurgaon
Bank of America - Gurgaon
SAP Labs - Gurgaon
Paytm - Noida
Arcesium - Gurgaon
PolicyBazzar - Gurgaon
MakeMyTrip - Gurgaon
OYO - Gurgaon
Amazon - Noida/Gurgaon
Expedia - Gurgaon
Times Internet - Noida/Gurgaon
DE Shaw - Gurgaon(New office)
Netomi - Gurgaon
OLX - Gurgaon
Postman - WFH
Housing.com - Gurgaon
Browserstack - WFH
Microsoft - Noida/Gurgaon
Samsung - Noida
Ion Trading - Noida
Innovacer - Noida
Publicisapient - Gurgaon
Qualcomm - Noida
Angel One - WFH
Meesho - WFH
Zomato - Gurgaon
LensKart - Gurgaon
BharatPe - Delhi
Oracle - Noida
Sprinklr - Gurgaon
Tower Research Capital - Gurgaon
Info Edge(Naukri.com) - Noida
Ansys - Noida
Birdeye - Gurgaon
Nagarro - Gurgaon
Optum - Gurgaon
Chegg - Delhi
Amdocs - Gurgaon/Delhi
Quadeye - Gurgaon
Chargebee - WFH
Indeed - WFH
Cadance - Noida
Airbnb - Gurgaon
Udaan - WFH
VMware - WFH
Slack - WFH
Coinbase - WFH
Atlassian WFH
Salesforce - Gurgaon/WFH
Nvidia - Noida
Urban company - Gurgaon
PineLabs - Noida
Rategain - Noida
Synopsys - Noida
Chargebee - WFH
SplashLearn - WFH/Gurgaon
Globant - WFH
Simpl - WFH
Leena.ai - Gurgaon
ixigo - Gurgaon
Spinny - Gurgaon
Cardekho - Gurgaon

Hope that will help. If you like it please share

  No Comments

Sunday, April 17, 2022

Top Tricks for Rate Limit Bypass - Bug Hunting

  April 17, 2022    

We have  some headers which can be used to Bypass Rate Limitation. All you have to do is to Use the Header just under the Host Header in the Request.


Use the following Header just Below the Host Header

X-Forwarded-For: IP

X-Forwarded-IP: IP

X-Client-IP: IP

X-Remote-IP: IP

X-Originating-IP: IP

X-Host: IP

X-Client: IP


#or use double X-Forwarded-For header

X-Forwarded-For:

X-Forwarded-For: IP



Example Use

X-Forwarded: 127.0.0.1

X-Forwarded-By: 127.0.0.1

X-Forwarded-For: 127.0.0.1

X-Forwarded-For-Original: 127.0.0.1

X-Forwarder-For: 127.0.0.1

X-Forward-For: 127.0.0.1

Forwarded-For: 127.0.0.1

Forwarded-For-Ip: 127.0.0.1

X-Custom-IP-Authorization: 127.0.0.1

X-Originating-IP: 127.0.0.1

X-Remote-IP: 127.0.0.1

X-Remote-Addr: 127.0.0.1



Rate Limit Bypass using Special Characters


  • Adding Null Byte ( %00 ) at the end of the Email can sometimes Bypass Rate Limit.
  • Try adding a Space Character after a Email. ( Not Encoded )
  • Some Common Characters that help bypassing Rate Limit : %0d , %2e , %09 , %20 , %0, %00, %0d%0a, %0a, %0C
  • Adding a slash(/) at the end of api endpoint can also Bypass Rate Limit. domain.com/v1/login -> domain.com/v1/login/

Using IP Rotate Burp Extension

Try changing the user-agent, the cookies... anything that could be able to identify you

If they are limiting to 10 tries per IP, every 10 tries change the IP inside the header. Change other headers

Burp Suite's Extension IP Rotate works great in most of the cases. Make sure you have Python installed along.

Here You'll everything you need - https://github.com/PortSwigger/ip-rotate


Example Report Submitted by Bug Hunter for Rate Limit Bypass

https://hackerone.com/reports/1067533

I have found a technique that can easily bypass rate limit system of website and with this bug we attacker can easily attack into login panel, Sent unlimited number of huge notification to victim, bypass OTP codes and takeover accounts etc. Basically i have added a header X-Forwarded-For: 127.0.0.1 which will bypass the rate limit and reset request limits . Every time rate limit exceeded just change IP to another one and rate limit will itself reset.

Step to Reproduce:

Visit https://www.trycourier.app/

Goto email section

Enter victims email address

Fire-up burp-suite and intercept the request

Now Continue Sent request , If rate limit reached and blocked you then add X-Forwarded-For:127.0.0.1 header. This will easily reset rate limit. You can change IP address to 127.0.0.2 ,3,4,5,6 every time website blocked you.

( With this bypass you can easily send unlimited amount of huge email notification to victim and make victim annoying )

Impact

  • Brute forcing login panel
  • Trouble to the users on the website because huge email bombing can be done by the attackers within seconds.
  • Brute force OTP codes etc.

 

  No Comments

Passive Recon using Google Dorks and Shodan - Bug Hunting

  April 17, 2022    

During bug bounty or hacking.. I always try to find more and more tricks to enumerate for my target domain. So most of the times I love to find free information on google using dorks and Shodan. So I will tell you how we can find very juicy information which I use to broaden my attack surface by finding more (potentially vulnerable) assets and uncovering secrets. 

Google Search

Google already have lots of information but to get information about our target we need to follow some tricks. So we use google dorking which is a technique of making more specific queries to Google Search based on filters and restrictions defined by the user so that the search engine returns more concrete results. It includes filters of the form

filter:value

and logical operators between the filters

filter:value [OPERATOR] filter:value

Some easy to use filters are

site:example.com

nurl:cmd and allinurl:cmd execute

related:randstad.com returns results from companies’ domains, like monster.com, which belongs to Randstad.

filetype:pdf

intitle:Organisation intitle:Internal or allintitle:Organisation Internal

intext:password

site:example.com -www

will ask Google to return results from every subdomain of example.com known to it, except for www.example.com. This is a good query to use for additional subdomain discovery, in case your automation missed any subdomains.


Lets try some practical approach

site:example.com inurl:src

returns result with the parameter src in the url, like e.g. https://example.com/css_src.php?src=. Then later, the endpoint can be analysed for possible vulnerabilities, especially if the parameter has a name that points to specific vulnerabilities like e.g. the parameter return points to Open Redirections.

Now if we try to find Dashboard for Jenkins . We can do that like

intitle:"Dashboard [Jenkins]" site:example.com

This will return a public Jenkins instance belonging to example.com, if there is any.


Many more info about google dorkings can be found at exploit-db.com which contains large number of Google dorks queries for uncovering secrets and information on a target, like e.g. discovering private keys with the query

Now lets talk about SHODAN and how we can use it to find relevant information about our target

This project  collects information about web servers such as open ports, services running on those ports and their banners. 

To use Shodan , we need paid account then only you can explore to the highest level. To use it we also need to use tricks as we use google dorks. So below are some of the ways how we can use this search engine.

http.status

Returns the servers with the specified http status code, e.g. http.status:200.

http.title

Queries for the specified http title that can be found in the banners. A distinctive example is the shodan dork used to find BIG IP vulnerable components: http.title:"BIG-IP®- Redirect".

http.component

Returns servers with the specified web technology that is used on the website, e.g. http.component:"jenkins".

ssl

Finds servers with the specified string included in the SSL certificate, e.g. ssl:"Microsoft". This Filter can be further specified with ssl.expired, ssl.version (more on the resources).

org

Finds servers with IP belonging to the specified organization’s netblock, e.g., org:"Microsoft"

port

The port filter returns components with the specified port open, e.g. port:8080.

os

Using this filter shodan returns servers running the specified operating system, e.g. os:Windows.

product

Using this filter shodan returns devices running this specific product, e.g. product:"Apache Tomcat" or product:"IIS Windows Server"

version

The version filter is to be combined with the product filter. It specifies the version of the specified product, e.g. product:"Apache Tomcat" version:"7.0.82"

vuln

This filter is only available to academic users or Small Business API subscriptions and higher. It’s used to to return components vulnerable to the specified CVE identifier, e.g. vuln:cve-2010-2730.


Conclusion

Using search engines for passive reconnaissance, either that is endpoint or secret or subdomain discovery, requires a lot of digging and can take some time. But when it comes to bug hunting, the more digging a bug requires the more probable it is to not be a dupe. Testing out the filters and creating unique and creative queries is the key.

  No Comments

My Life First Seminar at University Level on Cyber Security

  April 17, 2022    

 We all learn from our University but few students actually want to this thing in life . For me ...This thing means to motivate others and help them to get started in the Field of Cyber Security.

I feel so proud when my Teacher contacted me for doing an Expert Talk live in Chitkara University. As usual as I am always ready to go on the stage . This was the time I have to proof myself. Also I am always ready to guide students.

I contacted one of the recently passed student name Harinder . He also done his graduation from Chitkara University and he was the first student of Chitkara University to whom I am able to help them getting placed. He is a great Bug Hunter. I also want students to get motivated from him.

So In this session, I covered lot of things . I hope this video will motivate you as well specially of you are from BCA or MCA student. Please watch the whole video and if you like it.. Please do comment below.



  No Comments

Online Seminar - Getting started with Cyber Security and Real Bug Hunting

  April 17, 2022    

 Hey guys, This seminar was conducted by University and more than 200 students joined this seminar.

Mostly enrolled students are from BCA, MCA and BTECH and want to get knowledge about  how to get into the field of hacking and Cyber Security.

I am ex Alumni of Chitkara University and I feel so blessed when students and teacher praise me . So I always feel lucky when I get chance of something to do for students. So I always try my level best to help them.

This time I showed how to hunt real bugs and how to report that. How much bounty you will get.

So why not you also watch my video. This will help you to better understand.. Lets get started 




  No Comments

Thursday, April 14, 2022

How to get Entry Level Job in Cyber Security

  April 14, 2022    

 

This video is for all those students who want to get a Job in Cyber Security feild but don't know from where to start. So tried to explain the whole concept in a simple manner. If you don't know what to study and what are the things required to learn . You are at the right destination. Cyber Security is a booming career in India and is having lot of Opportunities. So here at davidertutorials you will get all the relevant stuff related to Cyber Security and IT
For More videos


   / / / /

  No Comments

Wednesday, March 3, 2021

E-mail MFA mode allows bypassing MFA from victim’s device when the device trust is not expired

  March 03, 2021    

While reading challenges to bypass 2FA , I came to see how l1nkworld submitted a report to Grammarly.


Aug 2nd (2 years ago)

Summary:
It is possible bypass MFA without the need to have the phone code.

Description:
When we turn on the MFA and we have the user and password of the user, it is possible bypass the MFA only changing some values the endpoint POST auth.grammarly.com//v3/api/login

Steps To Reproduce:

Note:

  • Use burp suite or another tool to intercept the requests
  1. Turn on and configure your MFA
  2. Login with your email and password
  3. The page of MFA is going to appear
  4. Enter any random number
  5. when you press the button "sign in securely" intercept the request POST auth.grammarly.com/v3/api/login and in the POST message change the fields:
    • "mode":"sms" by "mode":"email"
    • "secureLogin":true by "secureLogin":false
    • send the modification and check, you are in your account! It was not necessary to enter the phone code.

Impact

The attacker can bypass the experimental MFA, If the attacker has the email and password, the attacker can login in the account without the need of the phone code.

  No Comments

Subscribe to: Posts (Atom)