Discover and read the best of Twitter Threads about #bugcrowd

Most recent (3)

P1 BAC #bugbountytips:
1] Install the GAP and JS Link Finder extensions for Burp.
2] Hit every page and link you can find from software and all recon methods.
3] Extract .JS file links from JS Link Finder; hit those in your browser too.
4] Hit all URLs extracted from GAP and JS Link Finder.
5] Now the work begins. Take known API paths and extensions and search within response bodies only in Burp to find the JS files they are referenced in.
6] Read through the JS looking for new API paths or entire APIs.
7] Look for references to params on APIs like ?userId= or ?filter= etc. When you find one that works (IDOR), now search all JS for ?filter= (whatever the param was).
8] Try that same param or similar variations on all known API endpoints.
9] Parse response parameters from APIs and use them as request...
3 simple broken access control vulnerabilities you should hunt for while testing for logic vulnerabilities
#BugBounty #bugbountytip #bugbountytips #Bugcrowd
👇👇
If the website allows creating an organisation, you have e.g. 2 roles: admin && admin

Access the user's information endpoint with admin 2 and save the request.

With the previous admin, downgrade his role to a low-privileged user, then execute the saved request and see if you can access the users' PII.
2:

Remove the user from the organization and save the join URL for the organization. After removing the user, use the same URL and see if you can rejoin the organization using the old URL after you were removed from the org.
A 3-step process to finding and reporting critical secrets:

🧵👇
1️⃣ Find secrets:

➡ Look into source control like GitHub, GitLab, etc.

Use GitHub dorks for more directed searches, like github.com/techgaun/githu…
➡ Search for secrets in commit history and across the full organisation with trufflehog: github.com/trufflesecurit…