Discover and read the best of Twitter Threads about #bugbountytip

Most recents (24)

Vulnexp 90 | Day69

CRLF Areas to Inspect

➡️Areas to Inspect:

#bugbountytips #bugbountytip

Thread 🧵 : 👇
Areas to Inspect:

• HTTP Headers: CRLF Injection attacks can occur in HTTP headers, such as the "User-Agent" or "Referer" headers. Attackers can insert CRLF sequences into these headers to inject additional headers or modify the response.
• Cookies: Cookies are often used to store user session information, and they can also be vulnerable to CRLF Injection attacks. An attacker can insert CRLF sequences into a cookie value to modify the response or inject additional headers.
Read 6 tweets
Vulnexp 90 | Day68

CRLF Injection

CRLF is a type of web-based attack that allows an attacker to inject malicious code or unwanted data into the HTTP response of a web application.

➡️Vulnerabilities Occur:

#bugbountytips #bugbountytip

Thread 🧵 : 👇
Vulnerabilities Occur:

• CRLF can occur when a web application fails to properly sanitize user-supplied input or validate input parameters. Specifically, they can occur in any part of the HTTP response that accepts user input, including HTTP headers, cookies, and form input.
• For example, an attacker can insert a CRLF sequence into an HTTP header to inject additional headers or modify the response. Alternatively, they may use CRLF to inject malicious code, such as JavaScript, into the response body, leading to cross-site scripting (XSS) attacks.
Read 4 tweets
In the world of bug bounty hunting, Insecure Direct Object References (IDORs) can be a goldmine. In this thread, we'll share advanced tips to sharpen your IDOR detection skills. Let's dive in! 🌊🔍

#bugbountytip #bugbountytips #CyberSecurityAwareness

Always begin with a thorough understanding of the application you're testing. Identify all possible user roles and their access rights. This knowledge is crucial for accurately identifying IDOR vulnerabilities. 🧠📝
Pay attention to API endpoints that handle user-specific data. Keep an eye out for patterns in URL parameters or request payloads. Examine how the application validates user input and authorization checks for these sensitive resources. 📡🔬
Read 6 tweets
Vulnexp 90 | Day53

➡️Insecure deserialization

when an attacker manipulates the way that HTTP requests are interpreted by a web server or a proxy server.

#bugbountytips #bugbountytip

Thread 🧵 : 👇
• Insecure deserialization is a type of vulnerability that can occur in applications that involve the serialization and deserialization of data.

• Serialization is the process of converting an object , data structure into a format that can be transmitted or stored.
• XML, or binary data. Deserialization is the process of converting the serialized data back into an object or data structure.

• When an application receives serialized data, it may deserialize it to reconstruct the original object or data structure. However,
Read 7 tweets
Here is short writeup on how I found some hardcoded credentials inside of an exe file and got paid 2000$ even the asset was OUT OF SCOPE!


1. I got invited to a private program with new assets
2. The asset was a web application for an Electron desktop app ImageImage
3. I tried to find the executable for the In scope app just to understand what the app will looks like when installed in the machine
4. I finally downloaded the app from the official website lf the target and tried to extract the Exe with tools like Winzip (Electron app can be easily extracted)
Read 10 tweets
One of the most critical talents a cybersecurity analyst must have is detecting and blocking a malicious IP address.

Here are a few best online tools to detect malicious IP addresses:

#TheSecureEdge #BugBounty #bugbountytip #hacking #infosec
· AbuseIPDB (
· CheckPhish (
· BrightCloud URL/IP Lookup (…)
· IBM X-Force Exchange (
· IPQualityScore (…)
· Malware Domain List (
Read 7 tweets
Hello Hackers
I just created a tool/script to automate initial recon in #bugbounty.
[ Check the thread for more info about all MODE available in this tool ]

contains functions as
- Effective Subdomain Enumeration with different services and open-source tools
- Effective URL Enumeration ( HTTP and HTTPS service )
- Run Vulnerability Detection with Nuclei
Subdomain Takeover Test on previous results
2. SUB : SUBDOMAIN ENUMERATION MODE contains functions as
Effective Subdomain Enumeration with different services and open source tools, You can use this mode if you only want to get subdomains from this tool or we can say Automation of Subdomain Enumeration.
Read 4 tweets
Day 1⃣9⃣/2⃣0⃣ -- [Subdomain Takeover]
➡️ Subdomain Takeover occurs when an attacker gains control over a subdomain of a target domain.
➡️ Below are some of the best Tips & References for Subdomain Takeover (Feel Free To Share)
Top 25 Subdomain Takeover Bug Bounty Reports…
Fastly Subdomain Takeover $2000…
Read 21 tweets
Day 1⃣8⃣/2⃣0⃣ -- [XXE - XML External Entity]
➡️ XXE - is an application-layer cybersecurity attack that exploits an XXE vulnerability to parse XML input
➡️ Below some of the best Tips & References for XXE (Feel Free To Share)
XML external entity (XXE) injection…
XML External Entity (XXE) Processing…
Read 21 tweets
Bug Bounty automation script v2

#bugbounty #bugbountytip #infosec

See 🧵: 👇
Find JavaScript Files

I've opened My Bug Bounty tips Group => Join Link :…

#bugbounty #Infosec #CyberSec
Get Subdomains from BufferOver. run

I've opened My Bug Bounty tips Group => Join Link :…

#bugbounty #Infosec #CyberSec
Read 9 tweets
3 Simple broken access control vulnerabilities you should hunt for, while logic vulnerabilities testing
If the website allows creating an organisation you have ex.
2 roles admin && admin

access the user's information endpoint with the admin 2 , save the request

With the previous admin downgrade his role to few user and execute the request and see If you can access the users PII

Remove the user from the organization and save the join URL For the organization, after removing the user use the same URL And see if you can rejoin the organization using the old URL After you removed from the ORG
Read 5 tweets
6 Account takeover tips🌵
#bugbounty #infosec

➡ Use intruder to send many reset links/token to your email in a short amount of time and compare the links/tokens.

If only a few digits are different you can brute force them. After you can do the same with 2 different emails
➡ HTTP Parameter Pollution
When requesting a password reset link:

When resetting password:
Read 8 tweets
30 Search Engines for Cybersecurity Researchers:

1. Dehashed—View leaked credentials.
2. SecurityTrails—Extensive DNS data.
3. DorkSearch—Really fast Google dorking.
4. ExploitDB—Archive of various exploits.

#cybersecurity #infosec #bugbounty
5. ZoomEye—Gather information about targets.
6. Pulsedive—Search for threat intelligence.
7. GrayHatWarefare—Search public S3 buckets.
8. PolySwarm—Scan files and URLs for threats.
9. Fofa—Search for various threat intelligence.
10. LeakIX—Search publicly indexed information.
11. DNSDumpster—Search for DNS records quickly.
13. FullHunt—Search and discovery attack surfaces.
14. AlienVault—Extensive threat intelligence feed.
12. ONYPHE—Collects cyber-threat intelligence data.
15. Grep App—Search across a half million git repos.
Read 8 tweets
Bug Bounty automation script v1

#bugbounty #bugbountytip #infosec

See 🧵: 👇
Search to files using assetfinder and ffuf : [Check IMG 👇]

I've opened My Bug Bounty tips Group => Join Link :…

#bugbounty #bugbountytip #infosec
HTTPX using new mode location and injection XSS using qsreplace.

#bugbounty #bugbountytip #infosec
Read 7 tweets
6 Bugbounty Tips from @EdOverflow
#infosec #bugbountytip

Thread 🧵(1/n) :👇 Bugbountytips
Tip #1 #bugbounty #infosec

Use GIT as a recon tool. Find the target's GIT repositories, clone them, and then check the logs for information on the team not necessarily in the source code. Say the target is Reddit and I want to see which developers work on certain projects.
Tip #2
Look for GitLab instances on targets or belonging to the target. When you stumble across the GitLab login panel, navigate to /explore. Misconfigured instances do not require authentication to view the internal projects.
Read 10 tweets
How a simple web-app assessment lead to complete #AzureAd tenant takeover 🤯
🧵 👇
#Azure #AzureKubernetesService #aks #Kubernetes #KubernetesSecurity #k8s #bugbounty #bugbountytips #bugbountytip #DevSecOps
1. Poorly-designed file upload functionality lead to RCE
2. Turned out the app was running in a container managed by #AzureKubernetesService (#AKS)
3. #Container was mounting a service account with permissions to deploy #pods in the same namespace
4. I deployed a new pod with hostPath root volume. Deployment was not blocked by any security policy. #Pod got deployed
5. I exec-ed into the pod's #container and escaped it through its hostPath volume. #privesc to the #AKS node succeeded!
Read 7 tweets
12 #bugbountytips you NEED to know about! 🧵

A #bugbountytip is a short trick that can help you find your next bug!

Here are some quick wins you can start implementing today to become a better hunter 👇
[1️⃣] Automating SSRF by @Regala_
Instead of manually looking for SSRF sinks, why don't we let @Burp_Suite do the hard work? 👇
[2️⃣] Exploiting e-mail systems by @securinti 📧
Did you know you can exploit an SQL injection using an e-mail address? Neither do developers!
And it's not just SQLi! Find out more 👇
Read 14 tweets
Introduction to #XSS

Learn the basics of 𝐂𝐫𝐨𝐬𝐬-𝐒𝐢𝐭𝐞 𝐒𝐜𝐫𝐢𝐩𝐭𝐢𝐧𝐠 (𝐗𝐒𝐒)


#bugbounty #bugbountytips #bugbountytip #cybersecurity #cybersecuritytips #infosec #infosecurity #hacking
Let's inspect the name first:

The 𝐒𝐜𝐫𝐢𝐩𝐭𝐢𝐧𝐠 part indicates, obviously, scripting, so we can think about what kind of scripting we know exist in Web Apps: HTML & JavaScript being the 2 most common.

Secondly, XSS is part of the INJECTION bug class (see @owasp's Top 10)
So, we now know XSS consists of injecting scripts in websites.

Types of XSS:

1. Reflected
2. Stored
3. DOM-based
They can also be Blind too (you don't see the reflection)

As this thread is aimed at beginners, I will focus on the first 2 as they're easier to understand at first
Read 12 tweets
TopMost Search Engines for hackers

1. Dehashed—View leaked credentials.
2. SecurityTrails—Extensive DNS data.
3. DorkSearch—Really fast Google dorking.

#cybersecurity #hacking #bugbounty #bugbountytips #bugbountytip #infosec

More👇(1/n) : Cybersecurity Search Engines
4. ExploitDB—Archive of various exploits.
5. ZoomEye—Gather information about targets.
6. Pulsedive—Search for threat intelligence.
7. GrayHatWarefare—Search public S3 buckets.

#cybersecurity #hacking #bugbounty #bugbountytips #bugbountytip #infosec

More👇(2/n) :
8. PolySwarm—Scan files and URLs for threats.
9. Fofa—Search for various threat intelligence.
10. LeakIX—Search publicly indexed information.
11. DNSDumpster—Search for DNS records quickly.

#cybersecurity #hacking #bugbounty #bugbountytips #bugbountytip #infosec

More👇(3/n) :
Read 7 tweets
#BugBounty Writeup Time⏰

Application DOS through unfinished image contents:

#bugbountytips #infosec #cybersecurity #cybersecuritytips #hacking #bugbountytip
Context about target:

Small blockchain platform allowing users to launch and contribute to projects.

Projects can contain a banner image, and this is where the bug resides.

This is gonna be a short one.
When uploading an image for the project, it sent a POST request with an "image" WebKitFormBoundary parameter, which contained the image contents.

After some XSS testing, I came across that removing the last line of the image contents resulted in weird behavior.
Read 6 tweets
BEST FREE Burp Suite Extensions for #bugbounty:

1. Param Miner - Fuzz params everywhere

2. Autorize - Easily test for IDOR/BAC

3. InQL - GraphQL Introspection & better interface

+ More 👇🧵

#bugbountytips #bugbountytip #infosec #cybersecurity #cybersecuritytips #hacking
4. Turbo Intruder - Faster intruder

5. JSON Web Tokens - Tamper with JWTs easily

6. HTTP Request Smuggler - Test for HTTP Req Smuggling easily

7. Content Type Converter - Converts Content Type on requests

8. Bypass WAF - Adds headers for bypassing some WAFs
9. Add Custom Header - Adds custom header

10. SAML Raider - SAML message editor and certificate management tool

1. Follow me @shrekysec for more of these
2. RT the tweet below to share this thread with your audience
Read 3 tweets
Hi Friends #bugbountytips #recon #bugbountytip

Here is a good thread of my brother @tabaahi_

Beside this I am also gonna share my old Notes on Recon which I shared in past but again sharing

Below is thread 🧵🧵🧵🧵
1. Finding all subdomains -> amass + assetfinder + findomain + subfinder + github-subdomain

2. Sort and Unique mean merge them to all-subdomains.txt

3. Resolve those subdomains - is ip/domain live?

4. check for alive subdomains -> httpx or httprobe -> prefer httpx
5. got https subdomains -> arrange with status code like 200,302,403,404,500

6. visual recon on these subdomains -> gowitness, eyewitness, aquatone

7. Port scans on these subdomains => naabu + nmap

8. Content discovery on them -> ffuf, wfuzz, dirsearch, gobuster
Read 22 tweets
We mostly use amass enum and forget the rest.

But did you know you can do something more?
Did you know that you can track scan requests?

Read more 👇

#bugbountytip #bugbounty #amass #recon #infosec #cybersecurity
Where do the scans you normally do on amass get stored?

Well, every single scan you do with amass get's stored in the computer you run the scan on.

Therefore, if you run the same scan again it's possible for amass to keep track of the changes that's occurred.
But how do you do this?

For example let's say that you've run amass enum -d last month and you wish to see the changes in scan request on the same domain.

You can simply do amass track -d and it'd show you fresh targets.
Read 5 tweets

Related hashtags

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!