Discover and read the best of Twitter Threads about #bugbountytips

Most recents (24)

How I get RCE via Dependency Confusion 💎

#bugbountytips 🧵👇🏻
1/ Introduction 📖

Dependency Confusion occurs when a software installer script is tricked into pulling a malicious code file from a public repository.

How did I find this bug?
2/ Recon 🔦

1⃣ I started with some Shodan recon and I found an IP that belongs to TARGET.

2⃣ Using directory brute forcing tools like Dirsearch and FFUF, I found a package.json file that contained all the packages which were installed on the server.
URL: /ui/package.json
Read 7 tweets
6 Questions that Guarantee your Bounty 😈

How does the app pass data?

parameter or path?
How/where does the app talk about users?

Cookie or API Calls?

uid or username or email or uuid?
Read 8 tweets
How we hacked an Admin Panel just with a JS file:
(step by step)
#bugbounty #bugbountytips

1/ Introduction 📖

Team gave mobile app and website.

We didn't waste time on the mobile app and decided to work on the website.

We just tried to find the Admin Panel because the main domain was just a single page to download the app.
2/ Subdomain Enumeration 🔎

After brute forcing the subdomains we found that the website had a subdomain like this

When we visited the subdomain we just got this Login Portal
Read 8 tweets
Have you ever gotten a bounty by using default credentials?
Read this thread 🔥

You need to have a special word list for each vendor.

This thread has the most known vendors' default credentials, gathered from several sources.

Default Credentials for Apache Tomcat:
Default Credentials for Cisco
Read 8 tweets
Facing problems making your own recon methodology?

Follow this thread 🧵

#bugbounty #bugbountytip #bugbountytips
1: The Bug Hunter's Methodology v4.0 - Recon Edition
2: Fundamentals of Bug Bounty Recon
Read 6 tweets
SQLi Manual Approach

Thread 🧵

#bugbounty #bugbountytip #bugbountytips
The first thing to test for an SQL injection is to try to break the query, with the intention of getting the syntax of how SQL is getting input at the backend. This technique works in UNION/Error based SQL Injections, where we force the backend database to throw an error.
Using this technique, we can somehow determine the backend query structure to efficiently exploit SQL Injection. The query can be broken by throwing various characters as input.
Read 9 tweets
Here's a #bugbountytip


On a bug bounty program, I was able to access the internal dashboard of an e-commerce website and see what users had ordered along with their addresses, and could also manipulate order status.

The dashboard was running on a custom port.


1. The scope of the program was *
2. Collected many subdomains using different tools, and then checked for alive subdomains using httpx.
3. Visited all collected subdomains manually, none of them seemed interesting. So I moved forward with testing.

4. So I looked for more ways to find assets related to any domain and came across a technique known as favicon hashing. I didn't know about this, so I searched for it on Google and read a few articles on it.


Read 8 tweets
== Trademark and Copyright Recon ==

How to find assets no other bug hunters have found.

One of my simple "secrets" for years.

Little automation exists for it.


a thread🧵

🚨follow, retweet, & like for more hacker tips!🚨

When approaching a bounty, the scope is important. Not only the domain list, but all the text.

There are about ~30 paid bounty programs across the major platforms that are explicitly open scope or have the wording right under the scope section that says something like...

"If you find anything else that you believe to belong to XYZ company, report it and we will assess its validity. It may not result in a bounty"

But.. To be honest, criticals usually DO get paid.

Read 6 tweets
= Infosec super-thread =

A big part of my presos is tools/resources I like for offensive security & bug hunting.

Here's a thread of "PRINT" resources cited in the Bug Hunter's Methodology Application Analysis v1…

a 🧵

#bugbountytips #Pentesting

The Web Application Hacker's Handbook is a prerequisite for all web assessments. Do not sleep on it due to its publication date. It remains the 👑 book for web assessment.…

by @DafyddStuttard & Marcus Pinto @MDSecLabs

The next print resource is @yaworsk's Real-World Bug Hunting:…

This is a great supplement to the above WAHH. It has so many great explanations and examples of real bugs to study.

Read 12 tweets
Different Hacking/Bug Bounty Methodologies From Different Hackers/Bug Bounty Hunters.
Feel Free To Add In This Thread If You Have Any :)
Read 15 tweets
This is your yearly reminder that ALL Udemy Bug Bounty courses are a waste of money.

The content you need is out there, completely for free.

Don't believe me?

Here is a list of the best Bug Bounty Resources out there


@Jhaddix The Bug Hunters Methodology:

Read 17 tweets
Here's a list of some high quality Bug Bounty Methodologies / checklists.

All for FREE.


#bugbounty #bugbountytips #infosec #cybersecurity
Recon :

For recon, I personally prefer this tutorial by @Jhaddix presented by @RedTeamVillage_

Such quality information out there. Do create your own notes post watching this.
Web App Checklist :…

Kudos to @e11i0t_4lders0n for curating this gem for us.
Read 10 tweets
I recently wrote a thread on my top used Bug Bounty Tools. You can find it here :

After publishing the above thread, I got lots of requests to write on my most used / favourite Burp Suite extensions.

So here's a thread on my most used Burp extensions.
1. Autorize

Autorize is straight up one of my most used and liked extensions. I personally use Autorize to automate testing for IDORs and it's very simple to use.

In the above video I've combined with our favourite @theXSSrat on using Autorize.
2. Param Miner

Anybody who's been into Bug Bounty for quite some time knows how important it is to identify parameters. Param Miner helps you do this with ease.

I personally use Param Miner to check for web cache poisoning vulnerabilities.
Read 7 tweets
Here's a list of tools that I use on a daily basis for Bug Bounty Hunting :
1. Proxy

I use Burp Suite for this purpose.
One could also use ZAP Proxy.
2. Subdomain Enumeration

I'm a big fan of amass.

One article that I would definitely recommend to anybody who's using amass is this gem by @hakluke…
Read 11 tweets
As of today I passed the half million milestone on @SynackRedTeam, with 200k of it in the last 90 days. So far this month is about to catch the previous one too; we will see what is going to happen in the next 10 days :). #bugbounty #bugbountytips
Almost all my bugs this month were SQLis again. I'll try to give another example from the unique ones.
One of the targets had an SQLi on some weird endpoint. It was expecting XML data, but it looks like it was looking for "xml" as a parameter.
Read 8 tweets
Make your own hacking Tool with Python Request Module

^^\ Full Documentary Python Scripting Request /^^

#bugbounty #bugbountytips #hacking

Beloved Features

Requests is ready for today’s web.

> Keep-Alive & Connection Pooling

> International Domains and URLs

> Sessions with Cookie Persistence

> Browser-style SSL Verification

> Automatic Content Decoding

> Basic/Digest Authentication
> Elegant Key/Value Cookies

> Automatic Decompression

> Unicode Response Bodies

> HTTP(S) Proxy Support

> Multipart File Uploads

> Streaming Downloads

> Connection Timeouts

> Chunked Requests
> .netrc Support
Read 4 tweets
Recently bypassed an auth with a simple trick:
1. GET site.bruh/private => 405
(homepage was just showing "Working", opened page source, got a js file, grep all endpoints using linkfinder from js file)
2. POST site.bruh/private => 500 error: "Expected JSON body"
3. POST site.bruh/private
{} => 500 error: missing auth_key

4. POST site.bruh/private
{"auth_key":"123"} => 403

After many trials and errors (passing random values, special characters, adding commonly used tricks to bypass 403 like headers, etc.; nothing worked),
I was about to give up, but then I remembered a technique I used in a CTF a few months ago:

POST site.bruh/private

200 OK
Read 4 tweets

Share with your network and friends.

#cybersecurity #bugbounty #hacking #infosec #bugbountytips #ctf #pentesting

🧵 1/n
· Academy Hackaflag BR -
· Attack-Defense -
· Alert to win -
· CTF Komodo Security -
· CMD Challenge -
· Exploit Education -
· Google CTF -
· HackTheBox -
· Hackthis -
· Hacksplaining -
· Hacker101 -
Read 8 tweets
🧵Mistakes I make in hacking or bug bounty 🧵

#bugbountytips and hacking tips I wish I always adhered to 🙃

cc @sr_b1mal
Mistake One:

I don't templatize my submission text.

Every time you find a bug, invest time upfront to write up a REALLY great submission template. This includes impact assessment and remediation advice. Then re-use it for the rest of your career.
Mistake Two:

I'll stop hacking

Often, on a bug bounty, I'll submit something good and stop and wait around for a bit to see how the client responds.

You should always have a backup program to analyze while you hack on a new program.
Read 11 tweets
4/8/22 #bugbountydiary #bugbountytips

Everyone is sick in the house but I had some running scans I needed to check up on.

I found a SQL injection bug on a blog.

Here's how I did it, so you can learn...


🚨Like, retweet, & follow for more hacker tips!🚨

Firstly, I ran reconFTW on a set of domains related to the target. I had the main domain, and several acquisition domains running too. The acquisitions were gathered from CrunchBase and Wikipedia.

This gave me a pretty good list of targets.

ReconFTW runs screenshotting on all web-resolvable domains and subdomains.

I opened that folder and saw what looked to be a marketing campaign site that was super old, for a product the company no longer supported. To further confirm, the copyright footer was from 2016.

Read 12 tweets
SO you're a bounty hunter with a gaming rig? 🧵

If you don't want to use a VPS or run native (dual-boot Linux) you can install Ubuntu and WSL 2.

(+) You'll (probably) benefit from more memory, cores, and a fast broadband connection.
(+) You can eliminate or supplement your VPS costs
(+) Usability is nice (file management, copy-paste)

(-) WSL2 does not yet support raw sockets, so no nmap or masscan
(-) Mass DNS requests (resolver tools like massdns/puredns) will crash WSL DNS for some reason

(-) On WSL 1.0 (if you decide to use that) git is painfully slow, including setting up dependencies in large frameworks like reconFTW

(+) ... Your gains in speed per dollar are good. A VPS equivalent to most gaming rigs (proc/mem/storage) will cost you $80-$120 on Digital Ocean
Read 12 tweets
Top SQL Injection Parameters
Credits ~ @trbughunters

1. ?id={payload}
2. ?page={payload}
3. ?dir={payload}
4. ?search={payload}
5. ?category={payload}
6. ?class={payload}
7. ?file={payload}
8. ?url={payload}
9. ?news={payload}
10. ?item={payload}

#bugbounty #bugbountytips
11. ?menu={payload}
12. ?lang={payload}
13. ?name={payload}
14. ?ref={payload}
15. ?title={payload}
16. ?view={payload}
17. ?topic={payload}
18. ?thread={payload}
19. ?type={payload}
20. ?date={payload}
21. ?form={payload}
22. ?join={payload}

#cybersecurity #bugbounty
23. ?main={payload}
24. ?nav={payload}
25. ?region={payload}

#cybersecurity #hacking #bugbounty #bugbountytips
Read 3 tweets
I've been at HackerOne for about 5 months now. It's been eye-opening seeing how all of these hackers work from the other side of the screen. Here is a list of some of the tips I've gathered 🧵🧵🧵 #BugBounty #BugBountyTips
Most of the prolific hunters will focus on one target for large amounts of time, learning the ins and outs of the application.
If you are going to go for low hanging fruit, focus on building outstanding automation and recon lists.
Read 15 tweets
- Check if the token is present on any form it should be
- Server checks if the token length is correct
- Server checks if parameter is there
- Server accepts empty parameter
- Server accepts requests without CSRF token
- Token is not session bound
- None-signing algorithm is allowed
- Secret is leaked somewhere
- Server never checks secret
- Secret is easily guessable or brute-forceable
Open redirect bypass:
- JavaScript open redirects
- Hidden link open redirects
- Using // to bypass
- (browser might correct this, filter might not catch it)
- /\ to bypass
- %00 to bypass (null byte)
- @ to bypass
Read 14 tweets