Discover and read the best of Twitter Threads about #BugBountyTip

Most recent (24)

One of the most critical talents a cybersecurity analyst must have is detecting and blocking a malicious IP address.

Here are a few best online tools to detect malicious IP addresses:
🧵

#TheSecureEdge #BugBounty #bugbountytip #hacking #infosec
· AbuseIPDB (abuseipdb.com)
· CheckPhish (checkphish.ai)
· BrightCloud URL/IP Lookup (brightcloud.com/tools/url-ip-l…)
· IBM X-Force Exchange (exchange.xforce.ibmcloud.com)
· IPQualityScore (ipqualityscore.com/free-ip-lookup…)
· Malware Domain List (malwaredomainlist.com/mdl.php)
[0]
Hello Hackers
I just created a tool/script to automate initial recon in #bugbounty.
[ Check the thread for more info about all MODES available in this tool ]

URL:- github.com/thecyberneh/sc…
[1]
1. EXP :- FULL EXPLOITATION MODE
contains functions such as
- Effective Subdomain Enumeration with different services and open-source tools
- Effective URL Enumeration (HTTP and HTTPS service)
- Run Vulnerability Detection with Nuclei
- Subdomain Takeover Test on previous results
[2]
2. SUB :- SUBDOMAIN ENUMERATION MODE
contains functions such as
- Effective Subdomain Enumeration with different services and open-source tools. You can use this mode if you only want to get subdomains from this tool; in other words, automation of subdomain enumeration.
Day 1⃣9⃣/2⃣0⃣ -- [Subdomain Takeover]
➡️ Subdomain Takeover occurs when an attacker gains control over a subdomain of a target domain.
➡️ Below are some of the best Tips & References for Subdomain Takeover (Feel Free To Share)
🧵🧵👇👇
#BugBounty
#bugbountytip
1/n
Top 25 Subdomain Takeover Bug Bounty Reports
corneacristian.medium.com/top-25-subdoma…
2/n
Fastly Subdomain Takeover $2000
infosecwriteups.com/fastly-subdoma…
Day 1⃣8⃣/2⃣0⃣ -- [XXE - XML External Entity]
➡️ XXE is an application-layer cybersecurity attack that exploits an XXE vulnerability to parse XML input
➡️ Below are some of the best Tips & References for XXE (Feel Free To Share)
🧵🧵👇👇
#BugBounty
#bugbountytip
1/n
XML external entity (XXE) injection
portswigger.net/web-security/x…
2/n
XML External Entity (XXE) Processing
owasp.org/www-community/…
Bug Bounty automation script v2

#bugbounty #bugbountytip #infosec

See 🧵: 👇
Find JavaScript Files

—————————
I've opened My Bug Bounty tips Group => Join Link : t.me/bugbountyresou…
—————————

#bugbounty #Infosec #CyberSec
Get Subdomains from BufferOver.run
3 simple broken access control vulnerabilities you should hunt for while testing for logic vulnerabilities
#BugBounty
#bugbountytip
#bugbountytips
#Bugcrowd
👇👇
1:

If the website allows creating an organisation, you have e.g. 2 roles: admin && admin.

Access the user's information endpoint with admin 2 and save the request.

With the previous admin, downgrade his role to a regular user, execute the saved request and see if you can access the users' PII.
2:

Remove the user from the organization and save the join URL for the organization. After removing the user, use the same URL and see if you can rejoin the organization using the old URL after you were removed from the org.
6 Account takeover tips🌵
#bugbounty #infosec

See🧵:👇
➡ Use Intruder to send many reset links/tokens to your email in a short amount of time and compare the links/tokens.

If only a few digits differ, you can brute-force them. Afterwards, you can do the same with 2 different emails.
➡ HTTP Parameter Pollution
When requesting a password reset link:
email=victim@domain.com&youremail@domain.com

When resetting password:
token={token}&email=youremail@domain.com&email=victim@domain.com
30 Search Engines for Cybersecurity Researchers:

1. Dehashed—View leaked credentials.
2. SecurityTrails—Extensive DNS data.
3. DorkSearch—Really fast Google dorking.
4. ExploitDB—Archive of various exploits.

#cybersecurity #infosec #bugbounty
5. ZoomEye—Gather information about targets.
6. Pulsedive—Search for threat intelligence.
7. GrayHatWarfare—Search public S3 buckets.
8. PolySwarm—Scan files and URLs for threats.
9. Fofa—Search for various threat intelligence.
10. LeakIX—Search publicly indexed information.
11. DNSDumpster—Search for DNS records quickly.
12. ONYPHE—Collects cyber-threat intelligence data.
13. FullHunt—Search and discover attack surfaces.
14. AlienVault—Extensive threat intelligence feed.
15. Grep App—Search across a half million git repos.
Bug Bounty automation script v1

#bugbounty #bugbountytip #infosec

See 🧵: 👇
Search for files using assetfinder and ffuf: [Check IMG 👇]

#bugbounty #bugbountytip #infosec
httpx using the new location mode, and XSS injection using qsreplace.

#bugbounty #bugbountytip #infosec
6 Bugbounty Tips from @EdOverflow
#infosec #bugbountytip

Thread 🧵(1/n) :👇 Bugbountytips
Tip #1 #bugbounty #infosec

Use Git as a recon tool. Find the target's Git repositories, clone them, and then check the logs for information on the team not necessarily in the source code. Say the target is Reddit and I want to see which developers work on certain projects.
Tip #2
Look for GitLab instances on targets or belonging to the target. When you stumble across the GitLab login panel, navigate to /explore. Misconfigured instances do not require authentication to view the internal projects.
How a simple web-app assessment led to complete #AzureAd tenant takeover 🤯
🧵 👇
#Azure #AzureKubernetesService #aks #Kubernetes #KubernetesSecurity #k8s #bugbounty #bugbountytips #bugbountytip #DevSecOps
1. Poorly-designed file upload functionality led to RCE
2. Turned out the app was running in a container managed by #AzureKubernetesService (#AKS)
3. #Container was mounting a service account with permissions to deploy #pods in the same namespace
4. I deployed a new pod with hostPath root volume. Deployment was not blocked by any security policy. #Pod got deployed
5. I exec-ed into the pod's #container and escaped it through its hostPath volume. #privesc to the #AKS node succeeded!
12 #bugbountytips you NEED to know about! 🧵

A #bugbountytip is a short trick that can help you find your next bug!

Here are some quick wins you can start implementing today to become a better hunter 👇
[1️⃣] Automating SSRF by @Regala_
Instead of manually looking for SSRF sinks, why don't we let @Burp_Suite do the hard work? 👇
[2️⃣] Exploiting e-mail systems by @securinti 📧
Did you know you can exploit an SQL injection using an e-mail address? Neither do developers!
And it's not just SQLi! Find out more 👇
Introduction to #XSS

Learn the basics of 𝐂𝐫𝐨𝐬𝐬-𝐒𝐢𝐭𝐞 𝐒𝐜𝐫𝐢𝐩𝐭𝐢𝐧𝐠 (𝐗𝐒𝐒)

Thread🧵👇

#bugbounty #bugbountytips #bugbountytip #cybersecurity #cybersecuritytips #infosec #infosecurity #hacking
Let's inspect the name first:

The 𝐒𝐜𝐫𝐢𝐩𝐭𝐢𝐧𝐠 part indicates, obviously, scripting, so we can think about what kind of scripting we know exists in Web Apps: HTML & JavaScript being the 2 most common.

Secondly, XSS is part of the INJECTION bug class (see @owasp's Top 10)
So, we now know XSS consists of injecting scripts in websites.

Types of XSS:

1. Reflected
2. Stored
3. DOM-based
They can also be blind (you don't see the reflection).

As this thread is aimed at beginners, I will focus on the first 2 as they're easier to understand at first.
TopMost Search Engines for hackers

1. Dehashed—View leaked credentials.
2. SecurityTrails—Extensive DNS data.
3. DorkSearch—Really fast Google dorking.

#cybersecurity #hacking #bugbounty #bugbountytips #bugbountytip #infosec

More👇(1/n) : Cybersecurity Search Engines
4. ExploitDB—Archive of various exploits.
5. ZoomEye—Gather information about targets.
6. Pulsedive—Search for threat intelligence.
7. GrayHatWarfare—Search public S3 buckets.

#cybersecurity #hacking #bugbounty #bugbountytips #bugbountytip #infosec

More👇(2/n) :
8. PolySwarm—Scan files and URLs for threats.
9. Fofa—Search for various threat intelligence.
10. LeakIX—Search publicly indexed information.
11. DNSDumpster—Search for DNS records quickly.

#cybersecurity #hacking #bugbounty #bugbountytips #bugbountytip #infosec

More👇(3/n) :
#BugBounty Writeup Time⏰

Application DoS through unfinished image contents:
🧵👇

#bugbountytips #infosec #cybersecurity #cybersecuritytips #hacking #bugbountytip
Context about target:

Small blockchain platform allowing users to launch and contribute to projects.

Projects can contain a banner image, and this is where the bug resides.

This is gonna be a short one.
When uploading an image for the project, it sent a POST request with an "image" WebKitFormBoundary parameter, which contained the image contents.

After some XSS testing, I noticed that removing the last line of the image contents resulted in weird behavior.
BEST FREE Burp Suite Extensions for #bugbounty:

1. Param Miner - Fuzz params everywhere

2. Autorize - Easily test for IDOR/BAC

3. InQL - GraphQL Introspection & better interface

+ More 👇🧵

#bugbountytips #bugbountytip #infosec #cybersecurity #cybersecuritytips #hacking
4. Turbo Intruder - Faster intruder

5. JSON Web Tokens - Tamper with JWTs easily

6. HTTP Request Smuggler - Test for HTTP Req Smuggling easily

7. Content Type Converter - Converts Content Type on requests

8. Bypass WAF - Adds headers for bypassing some WAFs

9. Add Custom Header - Adds custom header

10. SAML Raider - SAML message editor and certificate management tool

1. Follow me @shrekysec for more of these
2. RT the tweet below to share this thread with your audience
Hi Friends #bugbountytips #recon #bugbountytip

Here is a good thread from my brother @tabaahi_

Besides this, I am also gonna share my old notes on recon which I shared in the past, but I'm sharing them again

Below is thread 🧵🧵🧵🧵
1. Finding all subdomains -> amass + assetfinder + findomain + subfinder + github-subdomain

2. Sort and unique, meaning merge them all into all-subdomains.txt

3. Resolve those subdomains - is the ip/domain live?

4. Check for alive subdomains -> httpx or httprobe -> prefer httpx
5. Got https subdomains -> arrange by status code like 200, 302, 403, 404, 500

6. Visual recon on these subdomains -> gowitness, eyewitness, aquatone

7. Port scans on these subdomains => naabu + nmap

8. Content discovery on them -> ffuf, wfuzz, dirsearch, gobuster
We mostly use amass enum and forget the rest.

But did you know you can do something more?
Did you know that you can track scan requests?

Read more 👇

#bugbountytip #bugbounty #amass #recon #infosec #cybersecurity
Where do the scans you normally do on amass get stored?

Well, every single scan you do with amass gets stored on the computer you run the scan on.

Therefore, if you run the same scan again, it's possible for amass to keep track of the changes that have occurred.
But how do you do this?

For example let's say that you've run amass enum -d tesla.com last month and you wish to see the changes in scan request on the same domain.

You can simply do amass track -d https://t.co/1oT7xWHZR8 and it'd show you fresh targets.
2FA Bypass Techniques thread 🔥🐞🔓
-------------------------

1. 2FA Code Leakage in Response:

📌You can intercept the OTP using Burp Suite, inspect the HTTP response and check if the 2FA code is leaked.

#hackerone #BugBounty #bugbountytips #BugBountyTip
2. JS File Analysis:
----------------

📌Analyze all the JS Files that are referred in the response to see if any JS file contains information that can help bypass 2FA code.

#hackerone #BugBounty #bugbountytips
#hackeronereport #Bugbountywriteupspublished #BugBountyTip
3. Lack of brute-Force Protection:
-----------------
📌Type the 2FA code and capture the request using Burp Suite.
📌Send the request to Intruder and send it 100–200 times.
📌At the 2FA code verification page, try to brute-force a valid 2FA code and see if there is any success.
Platforms to practice hacking 🔥❤🐞
→ Tryhackme
→ Hackthebox
→ Pentester Lab
→ tcm-security
→ Vulnhub
→ Offensive Security
→ Vulnmachines
→ Portswigger Web Security Academy
→ be practical
1/3
#bugbountytips #Ethicalhacking #cybersecuritytips #bugbountytip #infosec
→ Hacker101
→ PicoCTF
→ HackMyVm
→ Try2hack
→ Cybrary
→ RangeForce
→ Letsdefend
→ vhackinglabs
→ Hacksec42
→ BugBountyHunt3r
→ CyberSecLabsUK
→ certifiedsecure
→ CTFTime
→ 247CTF
2/3
#bugbountytips #Ethicalhacking #cybersecuritytips #bugbountytip
→ Alert to win
→ Attack-Defense
→ Bancocn
→ Certified Secure
→ CMD Challenge
→ CryptoHack
→ CTF Komodo Security
→ Ctftime
→ Cyberdefenders
→ CyberSecLabs
→ EchoCTF
→ Exploitation Education
→ Google CTF
→ Hack The Box
→ Hackaflag BR
→ Hacker Security
#bugbounty
Brute force DNS records using shuffleDNS + BBRF + Axiom

1. Get all domains from all BBRF programs
bbrf domains --all --show-disabled > alldomains.bbrf.txt

wc -l
6,113,435 alldomains.bbrf.txt
2. Create a new list with subdomains and domains of every program (TLD included) [removing duplicates]
tr '.' '\n' < alldomains.bbrf.txt | sort -u > wordlist.bruteforce.txt

wc -l
4,588,685 wordlist.bruteforce.txt
3. Build a good list of DNS resolvers.
github.com/vortexau/dnsva… (watched a video made by @codingo_ about this topic/issue)
Save this for your hunting! How do I get debug parameters?

> Collect all the subdomains
> Filter the live hosts
> Grab the URLs via gau & Wayback
> Use meg (@TomNomNom's tool) -> this will create a directory that contains all the requests & responses

Next :)
> Now, use GF for grepping the debug params
> Follow the next steps
From here use this to gain the admin console
credits @_bughunter

Always go for debug parameters in sensitive endpoints

debug=true
_debug=true
debug=1
_debug=1

target/admin/console ==> 403 ❗️
target/admin/console?debug=true ==> 200

#bugbountytips #cybersecurity
Bug Bounty Free Learning Materials

Follow this thread if you can’t google and learn things😅

#bugbounty #bugbountytip #bugbountytips
This thread will be from basics to advanced and you just need to start learning from it 🙂
1. HTTP Basics