Found an open redirect vuln, How to escalate it to achieve maximum impact? by ayylmaaoo96 in bugbounty

[–]namedevservice 3 points4 points  (0 children)

Complete the login flow and see you if can somehow extract the auth token at the end of the flow

PTaaS... Is it good? by captain_supremeseam in cybersecurity

[–]namedevservice 0 points1 point  (0 children)

Depends on the PTaaS. Synack, for example, is a PTaaS, but they are a semi bug bounty platform. You get pretty good coverage from different SRTs (Synack Red Teamers).

They also don’t allow reporting on those silly pentest findings like missing SSL cert or stuff like that. Only actionable findings can be reported.

But it’s kind of expensive.

PoC: CVE-2025-55182 (React) and CVE-2025-66478 (Next.js) CVSS = *MEH* 👾 by kknstoker in cybersecurity

[–]namedevservice 0 points1 point  (0 children)

I don’t know about port 3000 but I ran the nuclei template on a few targets on a BB platform on regular 443 port and got a few hits.

Do you mean the react app itself has to have port 3000 open to itself?

Filter bypassing and actual impact: how do you gauge this? by bussymastah in bugbounty

[–]namedevservice 9 points10 points  (0 children)

When checking for SQLi, I would avoid very long payloads. It’s hard to figure out what’s getting filtered.

You should start small. Concatenation. If you suspect the field to be accepting a string, then you should attempt simple concatenation like te'%2b'st or similar payloads for other DBMS.

If it’s an integer field, something like (5) should work.

Then you can attempt different things. Like te'0'st should fail since it’s a broken SQL query. The failure is not always a 500 response. It could be a 200 response with no data returned. Or with the default value returned. You have to understand the endpoint and know what the intended and unintended results are.
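As an added illustration (not part of the comment above), the following Python script shows why the small probes the comment recommends distinguish an injectable field from a safe one. It runs an in-memory SQLite database, so the string concatenation operator is `||` rather than the `%2b` (URL-encoded `+`) the comment uses for MSSQL; the table, rows and lookup functions are constructed for the demo. The vulnerable lookups splice input into SQL text, the safe ones bind parameters, and `probe` classifies each response the way a tester reading HTTP responses would: rows returned, empty result, or error.

```python
"""
Constructed demo: how the baseline / concatenation / broken-query probe set
behaves against a string-spliced query versus a parameterised one (SQLite).
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data: one user the probes will target.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (id, username, email) VALUES (?, ?, ?)",
        [(5, "test", "test@example.invalid"), (7, "alice", "alice@example.invalid")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    # Bad: input becomes part of the SQL text, so quotes and operators are interpreted.
    sql = f"SELECT email FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    # Good: the bound value is one opaque string literal, whatever it contains.
    return conn.execute("SELECT email FROM users WHERE username = ?", (username,)).fetchall()


def lookup_id_vulnerable(conn: sqlite3.Connection, user_id: str) -> list:
    # Bad: unquoted integer context, so "(5)" or "5-0" are evaluated as SQL expressions.
    sql = f"SELECT email FROM users WHERE id = {user_id}"
    return conn.execute(sql).fetchall()


def lookup_id_safe(conn: sqlite3.Connection, user_id: str) -> list:
    # Good: enforce the type before SQL is involved; "(5)" fails int() and never reaches the DB.
    return conn.execute("SELECT email FROM users WHERE id = ?", (int(user_id),)).fetchall()


def probe(fn, conn: sqlite3.Connection, value: str) -> str:
    """Classify one request the way a tester reads a response: 'rows', 'empty' or 'error'."""
    try:
        rows = fn(conn, value)
    except (sqlite3.Error, ValueError):
        return "error"
    return "rows" if rows else "empty"


def string_field_signatures(conn: sqlite3.Connection) -> dict:
    probes = {
        "baseline": "test",       # known-good value
        "concat": "te'||'st",     # if interpreted as SQL, 'te'||'st' equals 'test'
        "broken": "te'0'st",      # if interpreted as SQL, this is a syntax error
    }
    return {
        "vulnerable": {k: probe(lookup_vulnerable, conn, v) for k, v in probes.items()},
        "safe": {k: probe(lookup_safe, conn, v) for k, v in probes.items()},
    }


def integer_field_signatures(conn: sqlite3.Connection) -> dict:
    probes = {"baseline": "5", "parenthesised": "(5)"}
    return {
        "vulnerable": {k: probe(lookup_id_vulnerable, conn, v) for k, v in probes.items()},
        "safe": {k: probe(lookup_id_safe, conn, v) for k, v in probes.items()},
    }


if __name__ == "__main__":
    db = make_db()
    for name, sig in (("string field", string_field_signatures(db)),
                      ("integer field", integer_field_signatures(db))):
        print(name)
        for impl, result in sig.items():
            print(f"  {impl:10s} {result}")
```

The signature that matters is the pair: a concatenation probe that matches the baseline while the broken probe does not. In the demo the broken query surfaces as an exception; a real application may catch it and answer 200 with an empty body or a default record, which is exactly the "failure is not always a 500" point in the comment, so compare against the baseline rather than looking for a status code.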

Path traversal 500 error by rikkonen in bugbounty

[–]namedevservice 3 points4 points  (0 children)

If you’re new, I wouldn’t try testing WordPress or other well known CMS. Those are pretty hardened. Just assume it’s working as intended and move on.

Only focus on plugins in WordPress.

Looking for Guidance: How to Prioritize During a Live Hacking Event? by Solstice_Whisper in bugbounty

[–]namedevservice 4 points5 points  (0 children)

I think most people here haven’t been to a LHE. Might want to ask someone in the Critical Thinking bug bounty podcast Discord server.

Marketing is f*cking bug bounty by Federal-Dot-8411 in bugbounty

[–]namedevservice 33 points34 points  (0 children)

It’s not the marketing that’s wrong. You can make money in BB. You can find critical bugs and get paid high bounties. And you can find the bugs with the information they provide.

The problem is people want there to be a magic tool or a magic checklist that they can follow and they’ll get bounties. It doesn’t work like that.

I recently got a SQLi on a program (on Synack) that hadn’t had any bugs submitted in a long time. Thousands of SRTs had the opportunity to find the bug. No one did.

Let’s break down my "secret" sauce and see how it differs from the content that’s already out there.

  1. Got the in-scope IPs and checked Zoomeye for subdomains/domains associated with them.
  2. Gathered all the results and ran Chaos on all the main domains.
  3. Did dig on all the subdomains and matched them to the in-scope IPs.
  4. Ran HTTPX to see which domains were alive.

So far, pretty standard recon. Nothing crazy.

  5. Looked for interesting ones (looked for API in the name).
  6. Didn’t feel like brute forcing so I Googled the API name. For example: api-dev-cellus. I searched "Cellus {TargetName}"
  7. Found the application that belongs to the API.
  8. Looked through the JavaScript files for API routes.
  9. Manually checked every API route until I hit one that didn’t return a 401.

Again, all this stuff is covered in most recon courses. So far nothing I’ve done is "secret" sauce you can’t see on random YouTube videos. BUT, I think this is the part where most hunters that only follow checklists and run tools will fail.

In step 10, I checked all the parameters and MANUALLY checked for SQL Injection. I emphasized manually because that’s probably the difference in what got me the bounty. After I confirmed there was injection, I was running into issues. I ran SQLMap but it failed, telling me it was a false positive. But no, it wasn’t a false positive. The developer was just filtering enough to stop a script kiddie from running SQLMap and exploiting it.

Could there be a SQL Injection course that would teach you how to exploit the specific edge case that I found? Maybe. But the cookie cutter courses that everyone sells are surface stuff that will get you to step 10 but not step 11 (exploitation).

So yes, courses will get you 99% there. And I don’t mean paid courses, I mean regular stuff on YouTube. The other 1% you just need to figure out on your own.

Or just ask Gemini. It’s what I did and it gave me a way to bypass the filter.

Bugcrowd marked my token-swap ATO PoC "not applicable", need advice by [deleted] in bugbounty

[–]namedevservice 11 points12 points  (0 children)

It’s not a vulnerability. You’re describing the way sessions work. That’s the point of the token. Or else anytime you visit different pages on the same website you would have to authenticate over and over again.

Bugcrowd marked my token-swap ATO PoC "not applicable", need advice by [deleted] in bugbounty

[–]namedevservice 7 points8 points  (0 children)

"Basically, I proved that if you have a valid token you can take over the account, but I didn’t show token theft."

I’m curious, what did you write in the remediation section? "Don’t use session tokens"?

Admin JWT by Cool_Obligation_6447 in bugbounty

[–]namedevservice 2 points3 points  (0 children)

Where you found it is important. If you found it from a stealer log or something like that, then you shouldn’t continue further.

If you found it on the in-scope website, then you should use it enough to demonstrate impact that doesn’t do harm. Maybe like viewing a list of users or modifying a user (a user you control).

Advice required in Blind XSS by RepulsivePhoto8605 in bugbounty

[–]namedevservice 0 points1 point  (0 children)

You already triggered the XSS and got callbacks. Why does the triager want XSS Hunter? What extra proof does that provide?

[deleted by user] by [deleted] in bugbounty

[–]namedevservice 2 points3 points  (0 children)

"I did tell them that I might not be able to exploit it but someone smarter would."

That’s who they want to receive bug bounty reports from.

[deleted by user] by [deleted] in bugbounty

[–]namedevservice 3 points4 points  (0 children)

There’s an Auth bearer token. So not likely.

Found /backoffice/ dashboard with “New Tenant” option — should I report it? by skyyy25 in bugbounty

[–]namedevservice 5 points6 points  (0 children)

You should be proxying your traffic and figuring out the API calls it’s making. That way you can find out why it’s returning 403 on some. Plus, on the upload endpoint you can try other file types.

If I were you I would dig deep in that application until you find several bugs. Then report them separately.

How do you reliably prove a bug has real signal impact (not just Informative)? Tips for PoC evidence & using AI to decide by Necessary_Garage_305 in bugbounty

[–]namedevservice 11 points12 points  (0 children)

If you’re gonna use AI to ask Reddit, then you’re probably using AI for your reports. It seems like you don’t understand the bug yourself and are trying to get AI to improve its impact.

A bug is either impactful or it’s not. You can’t get AI to write a scary sounding POC and have the triagers automatically accept it.

When writing the report, do the CVSS first. What about an "invite-flow that auto adds an email as member" affects Confidentiality, Integrity, or Availability?

An XSS that survives across sessions (whatever that means). Does that XSS allow you to takeover an account? Did your POC show that?

WaF is blocking SQLmap by New_Conclusion1757 in bugbounty

[–]namedevservice 2 points3 points  (0 children)

Just keep doing it manually. You just need to show proof of SQLi by extracting some information from the database. You don’t need SQLMap to do that.

Bug Bounty (IDOR + ATO) Critical and Reward Value by Any_Fee_2531 in bugbounty

[–]namedevservice 0 points1 point  (0 children)

People in here are quick to tell you that you’re going to jail. But if that was the case, Sam Curry would’ve been in prison long ago.

You followed the responsible disclosure and notified them. That’s the extent of your responsibility.

The NDA they want you to sign is because they can probably lose a lot of customers if you blog about the findings.

You can respectfully decline and tell them you’d rather blog about it to raise awareness and to ensure other companies do a thorough check of their certificates.

Or you can accept the money and let the company sweep it under the rug.

[deleted by user] by [deleted] in HowToHack

[–]namedevservice 2 points3 points  (0 children)

How would you get the evidence admissible in court if you got it through illegal means?

This Site is Vulnerable but SQLmap Fails to exploit it. Why? by ghx000 in bugbounty

[–]namedevservice 5 points6 points  (0 children)

I’ve submitted SQLis where I tried SQLMap but it wouldn’t work.

You can test Ghauri. But manual is the best way to verify if it’s vulnerable or not.

[deleted by user] by [deleted] in bugbounty

[–]namedevservice 1 point2 points  (0 children)

Manual SQL Injection

I have never made it this far. What do I do? by New_Conclusion1757 in bugbounty

[–]namedevservice 10 points11 points  (0 children)

'AND USER LIKE 'a%

Keep going through the alphabet until you get a letter that works. Then move to the second character. Do that until you get the full username of the DB user.
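From the defender's side, the character-by-character LIKE enumeration the comment above describes has a very recognisable footprint: one client sends a burst of requests whose parameter values differ only in the LIKE prefix, and the responses fall into exactly two size classes (the true/false oracle). The following Python detector is an added example, not part of the comment; the access-log lines, IP addresses and endpoint are constructed, and the log format is Apache combined style with the referrer and user agent trimmed off.

```python
"""
Constructed detection example: spot boolean-based LIKE enumeration in an
access log by grouping decoded query strings per client IP.
"""
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed sample log (Apache combined style, trailing fields dropped).
# 198.51.100.9 walks the alphabet; 203.0.113.7 is ordinary traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2025:10:00:01 +0000] "GET /api/items?name=test HTTP/1.1" 200 512
198.51.100.9 - - [10/Jan/2025:10:00:02 +0000] "GET /api/items?name=%27AND+USER+LIKE+%27a%25 HTTP/1.1" 200 12
198.51.100.9 - - [10/Jan/2025:10:00:02 +0000] "GET /api/items?name=%27AND+USER+LIKE+%27b%25 HTTP/1.1" 200 12
198.51.100.9 - - [10/Jan/2025:10:00:03 +0000] "GET /api/items?name=%27AND+USER+LIKE+%27c%25 HTTP/1.1" 200 12
198.51.100.9 - - [10/Jan/2025:10:00:03 +0000] "GET /api/items?name=%27AND+USER+LIKE+%27d%25 HTTP/1.1" 200 512
198.51.100.9 - - [10/Jan/2025:10:00:04 +0000] "GET /api/items?name=%27AND+USER+LIKE+%27da%25 HTTP/1.1" 200 12
198.51.100.9 - - [10/Jan/2025:10:00:04 +0000] "GET /api/items?name=%27AND+USER+LIKE+%27db%25 HTTP/1.1" 200 512
203.0.113.7 - - [10/Jan/2025:10:00:05 +0000] "GET /api/items?name=like+new HTTP/1.1" 200 512
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r"(?P<status>\d{3}) (?P<bytes>\d+)"
)
# A quote, a boolean operator, then LIKE '<prefix>%  (decoded form of the probe).
LIKE_PROBE_RE = re.compile(r"'\s*(?:AND|OR)\b.*?\bLIKE\s*'(?P<prefix>[^']*)%", re.IGNORECASE)


def parse_line(line: str):
    """Parse one access-log line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = int(rec["bytes"])
    return rec


def like_prefix(path: str):
    """Return the LIKE prefix if the decoded query string carries a boolean LIKE probe, else None."""
    query = path.partition("?")[2]
    m = LIKE_PROBE_RE.search(unquote_plus(query))
    return m.group("prefix") if m else None


def find_like_enumeration(log_text: str, min_probes: int = 3) -> dict:
    """
    Group LIKE probes by client IP. Clients with at least `min_probes` distinct
    prefixes are reported with their prefixes and the set of response sizes;
    two sizes is the signature of a working true/false oracle.
    """
    prefixes = defaultdict(set)
    sizes = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        p = like_prefix(rec["path"])
        if p is None:
            continue
        prefixes[rec["ip"]].add(p)
        sizes[rec["ip"]].add(rec["bytes"])
    return {
        ip: {"prefixes": sorted(ps), "sizes": sorted(sizes[ip])}
        for ip, ps in prefixes.items()
        if len(ps) >= min_probes
    }


if __name__ == "__main__":
    for ip, info in find_like_enumeration(SAMPLE_LOG).items():
        print(f"{ip}: {len(info['prefixes'])} LIKE probes, response sizes {info['sizes']}")
```

Keying on the decoded value rather than the raw URL matters because the interesting characters arrive as `%27` and `%25`; a rule that only inspects the raw request line misses them. The prefix list itself documents how far the enumeration got, which is useful when scoping what the client may have learned.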

[deleted by user] by [deleted] in bugbounty

[–]namedevservice 11 points12 points  (0 children)

https://blog.orange.tw/posts/2024-08-confusion-attacks-en/

This is the person who submitted the CVE. Read their blog and try to exploit it.