Aseem Shrey Profile picture
Apr 12 10 tweets 4 min read
A 3 step process to finding and reporting critical secrets :

1️⃣ Find secrets :

➡ Look into source control like Github, gitlab etc

Use github dorks for more directed searches. Like…
➡ Search for secrets in commit history and full organisation by trufflehog :…
➡ Try finding sonarqube or Jenkins instances. Use #shodan for that. Check my previous thread for some ideas around it 😃 :
Here's how I found one :…
➡ Look into website's javascript files. Here's a writeup around the same :…
2️⃣ Verify those secrets :

➡ After you've found some secrets it's time to verify those. For each individual key look here :…

You can use the latest trufflehog v3 to automatically verify for over 600 types of secrets as well 😃
3️⃣ Report 💰

➡ Find the company's program on #hackerone or #bugcrowd or their own bug bounty page.

➡ If nothing like that exists, use connectbit to find contacts

➡ If even that doesn't help, check people on Linkedin or Twitter for that org

Here's a video of how to automatically find and verify secrets on github, s3 buckets etc using trufflehog v3 + an interview with the creator @InsecureNature

Go on and check the video here : 📹 🚀
You can read the unrolled version of this thread here:…

• • •

Missing some Tweet in this thread? You can try to force a refresh

Keep Current with Aseem Shrey

Aseem Shrey Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!


Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @AseemShrey

Mar 27
Top 7 #Shodan Dorks :

A thread 🧵👇
1️⃣ Search for secret API keys publicly exposed on websites :
ex : Searching for slack API token on all the scanned websites

2️⃣ Search using 'favicon' hash :
- One of the most accurate way of finding services

ex- Find all jenkins server : http.favicon.hash:81586312

A list of favicon hashes :……
Read 8 tweets
Feb 18
7 Things To Get Started With Android Pentesting :

A Thread 🧵👇
1️⃣ Get the APK
Download from : (Downloads from PlayStore)
Note: These are 3rd party sites, hence, install only on your testing device/emulator.
↪ Get apk from your own device using android adb :

Find app in PlayStore using a 'browser'. URL of the app contains the package name.

1. Connect your device to your laptop.
2. Enable 'USB debugging' on your device

Run the commands :
Read 11 tweets
Jun 17, 2021
Android Hacking | Deeplink Issues | What, Why & How

➤ What, Why, How of Deeplink ?
➤ Hacking Deeplinks - Insecure URL Validation
➤ Finding, exploiting and fixing them
➤ Demo

#android #hacking #bugbounty #hackingsimplified
1. What's a Deeplink ?

In context of mobile apps, deeplinks are URLs that send users to a certain point in the app.

For example : If you click this :


It would open my facebook profile on your FB mobile app.

Hosted Link :… Image
2. Why are they used ?

Increase user engagement on the app.

e.g. Email Marketing
A company can have their deeplink URIs sent in emails and would want to redirect users into the app from there.

Detailed Read :…
Read 9 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!


0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy


3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us on Twitter!