Discover and read the best of Twitter Threads about #bugbountytip
Most recents (24)
Vulnexp 90 | Day69
CRLF Areas to Inspect
➡️Areas to Inspect:
#bugbountytips #bugbountytip
Thread 🧵 : 👇
CRLF Areas to Inspect
➡️Areas to Inspect:
#bugbountytips #bugbountytip
Thread 🧵 : 👇
Areas to Inspect:
• HTTP Headers: CRLF Injection attacks can occur in HTTP headers, such as the "User-Agent" or "Referer" headers. Attackers can insert CRLF sequences into these headers to inject additional headers or modify the response.
• HTTP Headers: CRLF Injection attacks can occur in HTTP headers, such as the "User-Agent" or "Referer" headers. Attackers can insert CRLF sequences into these headers to inject additional headers or modify the response.
• Cookies: Cookies are often used to store user session information, and they can also be vulnerable to CRLF Injection attacks. An attacker can insert CRLF sequences into a cookie value to modify the response or inject additional headers.
Vulnexp 90 | Day68
CRLF Injection
CRLF is a type of web-based attack that allows an attacker to inject malicious code or unwanted data into the HTTP response of a web application.
➡️Vulnerabilities Occur:
#bugbountytips #bugbountytip
Thread 🧵 : 👇
CRLF Injection
CRLF is a type of web-based attack that allows an attacker to inject malicious code or unwanted data into the HTTP response of a web application.
➡️Vulnerabilities Occur:
#bugbountytips #bugbountytip
Thread 🧵 : 👇
Vulnerabilities Occur:
• CRLF can occur when a web application fails to properly sanitize user-supplied input or validate input parameters. Specifically, they can occur in any part of the HTTP response that accepts user input, including HTTP headers, cookies, and form input.
• CRLF can occur when a web application fails to properly sanitize user-supplied input or validate input parameters. Specifically, they can occur in any part of the HTTP response that accepts user input, including HTTP headers, cookies, and form input.
• For example, an attacker can insert a CRLF sequence into an HTTP header to inject additional headers or modify the response. Alternatively, they may use CRLF to inject malicious code, such as JavaScript, into the response body, leading to cross-site scripting (XSS) attacks.
In the world of bug bounty hunting, Insecure Direct Object References (IDORs) can be a goldmine. In this thread, we'll share advanced tips to sharpen your IDOR detection skills. Let's dive in! 🌊🔍
#bugbountytip #bugbountytips #CyberSecurityAwareness
1/n
#bugbountytip #bugbountytips #CyberSecurityAwareness
1/n
Always begin with a thorough understanding of the application you're testing. Identify all possible user roles and their access rights. This knowledge is crucial for accurately identifying IDOR vulnerabilities. 🧠📝
Pay attention to API endpoints that handle user-specific data. Keep an eye out for patterns in URL parameters or request payloads. Examine how the application validates user input and authorization checks for these sensitive resources. 📡🔬
Vulnexp 90 | Day53
➡️Insecure deserialization
when an attacker manipulates the way that HTTP requests are interpreted by a web server or a proxy server.
#bugbountytips #bugbountytip
Thread 🧵 : 👇
➡️Insecure deserialization
when an attacker manipulates the way that HTTP requests are interpreted by a web server or a proxy server.
#bugbountytips #bugbountytip
Thread 🧵 : 👇
• Insecure deserialization is a type of vulnerability that can occur in applications that involve the serialization and deserialization of data.
• Serialization is the process of converting an object , data structure into a format that can be transmitted or stored.
• Serialization is the process of converting an object , data structure into a format that can be transmitted or stored.
• XML, or binary data. Deserialization is the process of converting the serialized data back into an object or data structure.
• When an application receives serialized data, it may deserialize it to reconstruct the original object or data structure. However,
• When an application receives serialized data, it may deserialize it to reconstruct the original object or data structure. However,
Here is short writeup on how I found some hardcoded credentials inside of an exe file and got paid 2000$ even the asset was OUT OF SCOPE!
📌THREAD📌
1. I got invited to a private program with new assets
2. The asset was a web application for an Electron desktop app
📌THREAD📌
1. I got invited to a private program with new assets
2. The asset was a web application for an Electron desktop app
3. I tried to find the executable for the In scope app just to understand what the app will looks like when installed in the machine
4. I finally downloaded the app from the official website lf the target and tried to extract the Exe with tools like Winzip (Electron app can be easily extracted)
Collection of RCE write-ups. thanks to all researchers for sharing there findings.
link.medium.com/MyvJZn2E5wb
github.com/httpvoid/write…
link.medium.com/3ZDBao5E5wb
link.medium.com/QJ9Jjt8E5wb
infosecwriteups.com/how-i-found-my… #bugbountytip #bugbountytips #RCE #cybersecurity #Pentesting #writeup
link.medium.com/MyvJZn2E5wb
github.com/httpvoid/write…
link.medium.com/3ZDBao5E5wb
link.medium.com/QJ9Jjt8E5wb
infosecwriteups.com/how-i-found-my… #bugbountytip #bugbountytips #RCE #cybersecurity #Pentesting #writeup
One of the most critical talents a cybersecurity analyst must have is detecting and blocking a malicious IP address.
Here are a few best online tools to detect malicious IP addresses:
🧵
#TheSecureEdge #BugBounty #bugbountytip #hacking #infosec
Here are a few best online tools to detect malicious IP addresses:
🧵
#TheSecureEdge #BugBounty #bugbountytip #hacking #infosec
· AbuseIPDB (abuseipdb.com)
· CheckPhish (checkphish.ai)
· BrightCloud URL/IP Lookup (brightcloud.com/tools/url-ip-l…)
· CheckPhish (checkphish.ai)
· BrightCloud URL/IP Lookup (brightcloud.com/tools/url-ip-l…)
· IBM X-Force Exchange (exchange.xforce.ibmcloud.com)
· IPQualityScore (ipqualityscore.com/free-ip-lookup…)
· Malware Domain List (malwaredomainlist.com/mdl.php)
· IPQualityScore (ipqualityscore.com/free-ip-lookup…)
· Malware Domain List (malwaredomainlist.com/mdl.php)
[0]
Hello Hackers
I just created a tool/script to automate initial recon in #bugbounty.
[ Check the thread for more info about all MODE available in this tool ]
URL:- github.com/thecyberneh/sc…
Hello Hackers
I just created a tool/script to automate initial recon in #bugbounty.
[ Check the thread for more info about all MODE available in this tool ]
URL:- github.com/thecyberneh/sc…
[1]
1. EXP :- FULL EXPLOITATION MODE
contains functions as
- Effective Subdomain Enumeration with different services and open-source tools
- Effective URL Enumeration ( HTTP and HTTPS service )
- Run Vulnerability Detection with Nuclei
Subdomain Takeover Test on previous results
1. EXP :- FULL EXPLOITATION MODE
contains functions as
- Effective Subdomain Enumeration with different services and open-source tools
- Effective URL Enumeration ( HTTP and HTTPS service )
- Run Vulnerability Detection with Nuclei
Subdomain Takeover Test on previous results
[2]
2. SUB : SUBDOMAIN ENUMERATION MODE contains functions as
Effective Subdomain Enumeration with different services and open source tools, You can use this mode if you only want to get subdomains from this tool or we can say Automation of Subdomain Enumeration.
2. SUB : SUBDOMAIN ENUMERATION MODE contains functions as
Effective Subdomain Enumeration with different services and open source tools, You can use this mode if you only want to get subdomains from this tool or we can say Automation of Subdomain Enumeration.
Day 1⃣9⃣/2⃣0⃣ -- [Subdomain Takeover]
➡️ Subdomain Takeover occurs when an attacker gains control over a subdomain of a target domain.
➡️ Below are some of the best Tips & References for Subdomain Takeover (Feel Free To Share)
🧵🧵👇👇
#BugBounty
#bugbountytip
➡️ Subdomain Takeover occurs when an attacker gains control over a subdomain of a target domain.
➡️ Below are some of the best Tips & References for Subdomain Takeover (Feel Free To Share)
🧵🧵👇👇
#BugBounty
#bugbountytip
Day 1⃣8⃣/2⃣0⃣ -- [XXE - XML External Entity]
➡️ XXE - is an application-layer cybersecurity attack that exploits an XXE vulnerability to parse XML input
➡️ Below some of the best Tips & References for XXE (Feel Free To Share)
🧵🧵👇👇
#BugBounty
#bugbountytip
➡️ XXE - is an application-layer cybersecurity attack that exploits an XXE vulnerability to parse XML input
➡️ Below some of the best Tips & References for XXE (Feel Free To Share)
🧵🧵👇👇
#BugBounty
#bugbountytip
Find JavaScript Files
—————————
I've opened My Bug Bounty tips Group => Join Link : t.me/bugbountyresou…
—————————
#bugbounty #Infosec #CyberSec
—————————
I've opened My Bug Bounty tips Group => Join Link : t.me/bugbountyresou…
—————————
#bugbounty #Infosec #CyberSec
Get Subdomains from BufferOver. run
—————————
I've opened My Bug Bounty tips Group => Join Link : t.me/bugbountyresou…
—————————
#bugbounty #Infosec #CyberSec
—————————
I've opened My Bug Bounty tips Group => Join Link : t.me/bugbountyresou…
—————————
#bugbounty #Infosec #CyberSec
3 Simple broken access control vulnerabilities you should hunt for, while logic vulnerabilities testing
#BugBounty
#bugbountytip
#bugbountytips
#Bugcrowd
👇👇
#BugBounty
#bugbountytip
#bugbountytips
#Bugcrowd
👇👇
If the website allows creating an organisation you have ex.
2 roles admin && admin
access the user's information endpoint with the admin 2 , save the request
With the previous admin downgrade his role to few user and execute the request and see If you can access the users PII
2 roles admin && admin
access the user's information endpoint with the admin 2 , save the request
With the previous admin downgrade his role to few user and execute the request and see If you can access the users PII
2:
Remove the user from the organization and save the join URL For the organization, after removing the user use the same URL And see if you can rejoin the organization using the old URL After you removed from the ORG
Remove the user from the organization and save the join URL For the organization, after removing the user use the same URL And see if you can rejoin the organization using the old URL After you removed from the ORG
➡ Use intruder to send many reset links/token to your email in a short amount of time and compare the links/tokens.
If only a few digits are different you can brute force them. After you can do the same with 2 different emails
If only a few digits are different you can brute force them. After you can do the same with 2 different emails
➡ HTTP Parameter Pollution
When requesting a password reset link:
email=victim@domain.com&youremail@domain.com
When resetting password:
token={token}&email=youremail@domain.com&email=victim@domain.com
When requesting a password reset link:
email=victim@domain.com&youremail@domain.com
When resetting password:
token={token}&email=youremail@domain.com&email=victim@domain.com
30 Search Engines for Cybersecurity Researchers:
1. Dehashed—View leaked credentials.
2. SecurityTrails—Extensive DNS data.
3. DorkSearch—Really fast Google dorking.
4. ExploitDB—Archive of various exploits.
#cybersecurity #infosec #bugbounty
1. Dehashed—View leaked credentials.
2. SecurityTrails—Extensive DNS data.
3. DorkSearch—Really fast Google dorking.
4. ExploitDB—Archive of various exploits.
#cybersecurity #infosec #bugbounty
5. ZoomEye—Gather information about targets.
6. Pulsedive—Search for threat intelligence.
7. GrayHatWarefare—Search public S3 buckets.
8. PolySwarm—Scan files and URLs for threats.
9. Fofa—Search for various threat intelligence.
10. LeakIX—Search publicly indexed information.
6. Pulsedive—Search for threat intelligence.
7. GrayHatWarefare—Search public S3 buckets.
8. PolySwarm—Scan files and URLs for threats.
9. Fofa—Search for various threat intelligence.
10. LeakIX—Search publicly indexed information.
11. DNSDumpster—Search for DNS records quickly.
13. FullHunt—Search and discovery attack surfaces.
14. AlienVault—Extensive threat intelligence feed.
12. ONYPHE—Collects cyber-threat intelligence data.
15. Grep App—Search across a half million git repos.
13. FullHunt—Search and discovery attack surfaces.
14. AlienVault—Extensive threat intelligence feed.
12. ONYPHE—Collects cyber-threat intelligence data.
15. Grep App—Search across a half million git repos.
Search to files using assetfinder and ffuf : [Check IMG 👇]
—————————
I've opened My Bug Bounty tips Group => Join Link : t.me/bugbountyresou…
—————————
#bugbounty #bugbountytip #infosec
—————————
I've opened My Bug Bounty tips Group => Join Link : t.me/bugbountyresou…
—————————
#bugbounty #bugbountytip #infosec
Tip #1 #bugbounty #infosec
Use GIT as a recon tool. Find the target's GIT repositories, clone them, and then check the logs for information on the team not necessarily in the source code. Say the target is Reddit and I want to see which developers work on certain projects.
Use GIT as a recon tool. Find the target's GIT repositories, clone them, and then check the logs for information on the team not necessarily in the source code. Say the target is Reddit and I want to see which developers work on certain projects.
Tip #2
Look for GitLab instances on targets or belonging to the target. When you stumble across the GitLab login panel, navigate to /explore. Misconfigured instances do not require authentication to view the internal projects.
Look for GitLab instances on targets or belonging to the target. When you stumble across the GitLab login panel, navigate to /explore. Misconfigured instances do not require authentication to view the internal projects.
How a simple web-app assessment lead to complete #AzureAd tenant takeover 🤯
🧵 👇
#Azure #AzureKubernetesService #aks #Kubernetes #KubernetesSecurity #k8s #bugbounty #bugbountytips #bugbountytip #DevSecOps
🧵 👇
#Azure #AzureKubernetesService #aks #Kubernetes #KubernetesSecurity #k8s #bugbounty #bugbountytips #bugbountytip #DevSecOps
1. Poorly-designed file upload functionality lead to RCE
2. Turned out the app was running in a container managed by #AzureKubernetesService (#AKS)
3. #Container was mounting a service account with permissions to deploy #pods in the same namespace
2. Turned out the app was running in a container managed by #AzureKubernetesService (#AKS)
3. #Container was mounting a service account with permissions to deploy #pods in the same namespace
4. I deployed a new pod with hostPath root volume. Deployment was not blocked by any security policy. #Pod got deployed
5. I exec-ed into the pod's #container and escaped it through its hostPath volume. #privesc to the #AKS node succeeded!
5. I exec-ed into the pod's #container and escaped it through its hostPath volume. #privesc to the #AKS node succeeded!
12 #bugbountytips you NEED to know about! 🧵
A #bugbountytip is a short trick that can help you find your next bug!
Here are some quick wins you can start implementing today to become a better hunter 👇
A #bugbountytip is a short trick that can help you find your next bug!
Here are some quick wins you can start implementing today to become a better hunter 👇
[1️⃣] Automating SSRF by @Regala_
Instead of manually looking for SSRF sinks, why don't we let @Burp_Suite do the hard work? 👇
Instead of manually looking for SSRF sinks, why don't we let @Burp_Suite do the hard work? 👇
[2️⃣] Exploiting e-mail systems by @securinti 📧
Did you know you can exploit an SQL injection using an e-mail address? Neither do developers!
And it's not just SQLi! Find out more 👇
Did you know you can exploit an SQL injection using an e-mail address? Neither do developers!
And it's not just SQLi! Find out more 👇
Introduction to #XSS
Learn the basics of 𝐂𝐫𝐨𝐬𝐬-𝐒𝐢𝐭𝐞 𝐒𝐜𝐫𝐢𝐩𝐭𝐢𝐧𝐠 (𝐗𝐒𝐒)
Thread🧵👇
#bugbounty #bugbountytips #bugbountytip #cybersecurity #cybersecuritytips #infosec #infosecurity #hacking
Learn the basics of 𝐂𝐫𝐨𝐬𝐬-𝐒𝐢𝐭𝐞 𝐒𝐜𝐫𝐢𝐩𝐭𝐢𝐧𝐠 (𝐗𝐒𝐒)
Thread🧵👇
#bugbounty #bugbountytips #bugbountytip #cybersecurity #cybersecuritytips #infosec #infosecurity #hacking
Let's inspect the name first:
The 𝐒𝐜𝐫𝐢𝐩𝐭𝐢𝐧𝐠 part indicates, obviously, scripting, so we can think about what kind of scripting we know exist in Web Apps: HTML & JavaScript being the 2 most common.
Secondly, XSS is part of the INJECTION bug class (see @owasp's Top 10)
The 𝐒𝐜𝐫𝐢𝐩𝐭𝐢𝐧𝐠 part indicates, obviously, scripting, so we can think about what kind of scripting we know exist in Web Apps: HTML & JavaScript being the 2 most common.
Secondly, XSS is part of the INJECTION bug class (see @owasp's Top 10)
So, we now know XSS consists of injecting scripts in websites.
Types of XSS:
1. Reflected
2. Stored
3. DOM-based
They can also be Blind too (you don't see the reflection)
As this thread is aimed at beginners, I will focus on the first 2 as they're easier to understand at first
Types of XSS:
1. Reflected
2. Stored
3. DOM-based
They can also be Blind too (you don't see the reflection)
As this thread is aimed at beginners, I will focus on the first 2 as they're easier to understand at first
TopMost Search Engines for hackers
1. Dehashed—View leaked credentials.
2. SecurityTrails—Extensive DNS data.
3. DorkSearch—Really fast Google dorking.
#cybersecurity #hacking #bugbounty #bugbountytips #bugbountytip #infosec
More👇(1/n) :
1. Dehashed—View leaked credentials.
2. SecurityTrails—Extensive DNS data.
3. DorkSearch—Really fast Google dorking.
#cybersecurity #hacking #bugbounty #bugbountytips #bugbountytip #infosec
More👇(1/n) :
4. ExploitDB—Archive of various exploits.
5. ZoomEye—Gather information about targets.
6. Pulsedive—Search for threat intelligence.
7. GrayHatWarefare—Search public S3 buckets.
#cybersecurity #hacking #bugbounty #bugbountytips #bugbountytip #infosec
More👇(2/n) :
5. ZoomEye—Gather information about targets.
6. Pulsedive—Search for threat intelligence.
7. GrayHatWarefare—Search public S3 buckets.
#cybersecurity #hacking #bugbounty #bugbountytips #bugbountytip #infosec
More👇(2/n) :
8. PolySwarm—Scan files and URLs for threats.
9. Fofa—Search for various threat intelligence.
10. LeakIX—Search publicly indexed information.
11. DNSDumpster—Search for DNS records quickly.
#cybersecurity #hacking #bugbounty #bugbountytips #bugbountytip #infosec
More👇(3/n) :
9. Fofa—Search for various threat intelligence.
10. LeakIX—Search publicly indexed information.
11. DNSDumpster—Search for DNS records quickly.
#cybersecurity #hacking #bugbounty #bugbountytips #bugbountytip #infosec
More👇(3/n) :
#BugBounty Writeup Time⏰
Application DOS through unfinished image contents:
🧵👇
#bugbountytips #infosec #cybersecurity #cybersecuritytips #hacking #bugbountytip
Application DOS through unfinished image contents:
🧵👇
#bugbountytips #infosec #cybersecurity #cybersecuritytips #hacking #bugbountytip
Context about target:
Small blockchain platform allowing users to launch and contribute to projects.
Projects can contain a banner image, and this is where the bug resides.
This is gonna be a short one.
Small blockchain platform allowing users to launch and contribute to projects.
Projects can contain a banner image, and this is where the bug resides.
This is gonna be a short one.
When uploading an image for the project, it sent a POST request with an "image" WebKitFormBoundary parameter, which contained the image contents.
After some XSS testing, I came across that removing the last line of the image contents resulted in weird behavior.
After some XSS testing, I came across that removing the last line of the image contents resulted in weird behavior.
BEST FREE Burp Suite Extensions for #bugbounty:
1. Param Miner - Fuzz params everywhere
2. Autorize - Easily test for IDOR/BAC
3. InQL - GraphQL Introspection & better interface
+ More 👇🧵
#bugbountytips #bugbountytip #infosec #cybersecurity #cybersecuritytips #hacking
1. Param Miner - Fuzz params everywhere
2. Autorize - Easily test for IDOR/BAC
3. InQL - GraphQL Introspection & better interface
+ More 👇🧵
#bugbountytips #bugbountytip #infosec #cybersecurity #cybersecuritytips #hacking
4. Turbo Intruder - Faster intruder
5. JSON Web Tokens - Tamper with JWTs easily
6. HTTP Request Smuggler - Test for HTTP Req Smuggling easily
7. Content Type Converter - Converts Content Type on requests
8. Bypass WAF - Adds headers for bypassing some WAFs
5. JSON Web Tokens - Tamper with JWTs easily
6. HTTP Request Smuggler - Test for HTTP Req Smuggling easily
7. Content Type Converter - Converts Content Type on requests
8. Bypass WAF - Adds headers for bypassing some WAFs
9. Add Custom Header - Adds custom header
10. SAML Raider - SAML message editor and certificate management tool
1. Follow me @shrekysec for more of these
2. RT the tweet below to share this thread with your audience
10. SAML Raider - SAML message editor and certificate management tool
1. Follow me @shrekysec for more of these
2. RT the tweet below to share this thread with your audience
Hi Friends #bugbountytips #recon #bugbountytip
Here is a good thread of my brother @tabaahi_
Beside this I am also gonna share my old Notes on Recon which I shared in past but again sharing
Below is thread 🧵🧵🧵🧵
Here is a good thread of my brother @tabaahi_
Beside this I am also gonna share my old Notes on Recon which I shared in past but again sharing
Below is thread 🧵🧵🧵🧵
1. Finding all subdomains -> amass + assetfinder + findomain + subfinder + github-subdomain
2. Sort and Unique mean merge them to all-subdomains.txt
3. Resolve those subdomains - is ip/domain live?
4. check for alive subdomains -> httpx or httprobe -> prefer httpx
2. Sort and Unique mean merge them to all-subdomains.txt
3. Resolve those subdomains - is ip/domain live?
4. check for alive subdomains -> httpx or httprobe -> prefer httpx
5. got https subdomains -> arrange with status code like 200,302,403,404,500
6. visual recon on these subdomains -> gowitness, eyewitness, aquatone
7. Port scans on these subdomains => naabu + nmap
8. Content discovery on them -> ffuf, wfuzz, dirsearch, gobuster
6. visual recon on these subdomains -> gowitness, eyewitness, aquatone
7. Port scans on these subdomains => naabu + nmap
8. Content discovery on them -> ffuf, wfuzz, dirsearch, gobuster
We mostly use amass enum and forget the rest.
But did you know you can do something more?
Did you know that you can track scan requests?
Read more 👇
#bugbountytip #bugbounty #amass #recon #infosec #cybersecurity
But did you know you can do something more?
Did you know that you can track scan requests?
Read more 👇
#bugbountytip #bugbounty #amass #recon #infosec #cybersecurity
Where do the scans you normally do on amass get stored?
Well, every single scan you do with amass get's stored in the computer you run the scan on.
Therefore, if you run the same scan again it's possible for amass to keep track of the changes that's occurred.
Well, every single scan you do with amass get's stored in the computer you run the scan on.
Therefore, if you run the same scan again it's possible for amass to keep track of the changes that's occurred.
But how do you do this?
For example let's say that you've run amass enum -d tesla.com last month and you wish to see the changes in scan request on the same domain.
You can simply do amass track -d https://t.co/1oT7xWHZR8 and it'd show you fresh targets.
For example let's say that you've run amass enum -d tesla.com last month and you wish to see the changes in scan request on the same domain.
You can simply do amass track -d https://t.co/1oT7xWHZR8 and it'd show you fresh targets.
