Discover and read the best of Twitter Threads about #hackerone

Most recents (6)

🧵NEW THREAD🧵
Here is how I was able to takeover the whole company's AWS infrastructure under 10 min after a new asset launch at @Hacker0x01 private program ImageImage
1. I was invited in the morning to a private program at H1 and the program updated the scope in the evening, So I decided to take a look to see if there is something to hack
2. I visited the main website in scope, to my surprise and thanks to @trufflesec Chrome extension Trufflehog which could be found here chrome.google.com/webstore/detai…
Read 11 tweets
🧵NEW Thread🧵

Here is how I found the easiest SQLi and possible RCE in less than 30 min of recon and dorking

1. I was invited to a private program at @Hacker0x01 and the first thing I usually do is to look at the scope and see if it is a wildcard domain or just a small scope. ImageImage
2. Found that the program accepts all vulnerabilities related to their assets and of course third party assets are OOS
3. I used @leak_ix search engine at leakix.net and used this dork [+target_name ++plugin:"GitConfigHttpPlugin"]
Note : this is used to search for already scanned websites that have /.git exposed
Read 13 tweets
A lesser-known yet effective way of #bugbounty hunting is called "hacktivity" hunting. It involves bypassing fixes on disclosed reports found on @Hacker0x01's hacktivity page. This approach helped me score a $5k bounty! Here's how it works.👇

#InfoSec #CyberSecurity
With hacktivity hunting, the hard part - finding interesting behavior or insecure features - is already done for you. Your main role is to find a bypass.

For example, I found a bypass for a report on hackerone.com/reports/949643

#BugBountyTips
The original report tried to restrict access to /admin by restricting the path in Nginx. However, I bypassed it using simple encoding - /%2561dmin. Endpoints required authentication, but I bypassed this by adding ".json" at the end.

#BugBounty #Hacking
Read 8 tweets
🧵Let's talk about #Telegram - here are ten useful cybersecurity groups and channels we watch:

A thread:
1. Cyber Security News (30k+ members)

Cyber Security News is a feed channel for links to breaking news stories across the internet, everything from #TechCrunch to #Portswigger. It’s a one-stop shop for cyber-related news with your morning coffee.

telegram.me/cyber_security…
2. Cyber Security Experts (23k+ members)
A great channel for exchanging #information about #cyber, #IT, and #security. Mainly used to get answers to questions and help other security experts to enhance their security maturity.

t.me/cybersecuritye…
Read 13 tweets
2FA Bypass Techniques thread 🔥🐞🔓
-------------------------

📌2FA Code Leakage in Response:

You can intercept otp using burpsuite and inspect http response and check if the 2FA code leaked

#hackerone #BugBounty #bugbountytips #BugBountyTip Image
2. JS File Analysis:
----------------

📌Analyze all the JS Files that are referred in the response to see if any JS file contains information that can help bypass 2FA code.

#hackerone #BugBounty #bugbountytips
#hackeronereport #Bugbountywriteupspublished #BugBountyTip Image
3. Lack of brute-Force Protection:
-----------------
📌type 2FA code and capture request using burpsuite
📌send request to intruder and send request for 100–200 times .
📌At 2FA Code Verification page, try to brute-force for valid 2FA and see if there is any success.
Read 11 tweets
A 3 step process to finding and reporting critical secrets :

🧵👇
1️⃣ Find secrets :

➡ Look into source control like Github, gitlab etc

Use github dorks for more directed searches. Like github.com/techgaun/githu…
➡ Search for secrets in commit history and full organisation by trufflehog : github.com/trufflesecurit…
Read 10 tweets

Related hashtags

Did Thread Reader help you today?

Support us! We are indie developers!


This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!