>

🚀 We've added new community writeups and a Web3 section! Click here to see what's new.

🐛 Bug Bounty Hunting Search Engine

Made with ❤️ by @payloadartist
NEW
Example search: http://bugbountyhunting.com/?q=keyword
Found 15 resources related to aws metadata in 4.70 ms
✍️ Leaking AWS Metadata - The Unusual Way
✍️ Ssrf to Read Local Files and Abusing the AWS metadata
✍️ A pair of Plotly bugs: Stored XSS and AWS Metadata SSRF
✍️ Conditional Love for AWS Metadata Enumeration
✍️ How I got access to Essilor International company customer PII INFO by AWS metadata access through SSRF
✍️ SSRF Bug Leads To AWS Metadata Exposure
✍️ SSRF Attack Leading To AWS Metadata
✍️ SSRF leads to access AWS metadata.
✍️ Bypassing SSRF Protection to Exfiltrate AWS Metadata from LarkSuite
✍️ Finding multiple SSRF with aws metadata access on A BANK system
✍️ An exciting journey to find SSRF , Bypass Cloudflare , and extract AWS metadata !
✍️ How Github recon help me to find NINE FULL SSRF Vulnerability with AWS metadata access
✍️ Escalating SSRF to Accessing all user PII information by aws metadata
✍️ XXE To AWS Metadata Disclosure
✍️ How I discovered an SSRF leading to AWS Metadata Leakage

Frequently Asked Questions

The following are frequently asked questions about common vulnerabilities and security misconfigurations found during bug bounty hunting. Understanding these concepts is crucial for anyone starting their bug hunting journey.

What is an XSS vulnerability? Cross-Site Scripting (XSS) attacks are a type of injection attack in which malicious scripts are inserted into otherwise trustworthy and innocuous websites. XSS attacks occur when an attacker uses a web application to send malicious code to a particular end user, usually in the form of a browser side script. The flaws that enable these attacks to succeed are common and can be found wherever a web application uses input from a user within the output it generates without validating or encoding it.

There are mainly 3 types of XSS:

What is an IDOR vulnerability? When a web application or API exposes a reference to an internal implementation object, it is referred to as Insecure Direct Object Reference (IDOR). This method exposes the element's true identifier and the data format it uses. This is a common access control flaw.

An example would be an API that gives you access to data belonging to other users, through an endpoint - /api/users/:id where an attacker can fetch data of any user by manipulating the id parameter.
What is an SSRF vulnerability? In a Server-Side Request Forgery (SSRF) attack, the attacker can read or update internal resources by abusing server features. The attacker may supply or change a URL to which the server's code can read or send data, and by carefully choosing the URLs, the attacker might be able to read server configuration such as AWS metadata, connect to an internal service, or access sensitive files.
What is a SQLi vulnerability? A SQL injection attack involves inserting or "injecting" a SQL query into the application through the client's input data. An effective SQL injection exploit can read sensitive data from the database, alter database data (Insert/Update/Delete), and even perform database administration operations.
What is an RCE vulnerability? If user input is inserted into a File or a String and then executed (evaluated) by the backend programming language's parser, a remote code execution (RCE) vulnerability can be exploited. A Remote Code Evaluation will result in the entire web application and web server being compromised as it allows an attacker to execute arbitrary commands on the server.
How can I reach you? If you have any feedback or, concerns about this site, I can be reached on Twitter.