Every time you find a bug, invest time upfront to write up a REALLY great submission template. This includes impact assessment and remediation advice. Then re-use it for the rest of your career.
Mistake Two:
I'll stop hacking
Often, on a bug bounty, I'll submit something good and stop and wait around for a bit to see how the client responds.
You should always have a backup program to analyze while you hack on a new program.
Mistake Three:
Not enough sleep
I can't stress this enough. You NEED sleep to hack well. Make sure you're getting at least 7 hours. Otherwise, you're wasting the precious hacking time you have.
Mistake Four:
I over-index on certain classes of bugs.
If you're comfortable with something you tend to go back to it. I have to keep a written list of the bugs I often FORGET to test for.
One of mine is CSRF. I always neglect CSRF for some reason. Same with 2FA Bypass.
Mistake Five:
Compare with Twitter disclosures
I have impostor syndrome, big time. I see others finding cool shit and if I'm not finding cool shit at the time I feel horrible.
"Comparison is the thief of joy"
Your day will come, just keep at it.
Mistake Six:
I don't track my testing.
Listen, I know a lot of hackers do the whole thing by intuition. That's really cool... BUT for my ADHD brain, I need a fucking checklist.
OWASP ASVS, WAHH, Mindmap, Notion, w/e...
Keep track of what you've tested & tested for somehow!
Mistake Seven:
I get caught up too much on automation.
Coding is fun. Building or modifying your recon or scripts is fun but...
GET ON A FUCKING WEBSITE AND HACK.
Unless you're automating something you're sure 99% of hunters are missing. Then it's an investment.
Mistake Eight:
Take breaks.
If you're not feeling it, take a break. You're not going to find much in a bad mindset. Go for a walk, watch a movie, talk with a friend. They will all benefit your hacking. If you are tracking your testing well, it's easy to come back to.
Mistake Nine:
Take notes and move on.
In BB, there are thousands of domains to hack. If you feel confident you've done your best assessing something, take extensive notes on where you were at with it and move on. Later you might find something related and you can come back.
More to come at a later date =)
How I hacked access to the most sensitive areas of a porn site using only low severity vulnerabilities.
Here's how I did it...
👇
🚨follow, retweet, & like for more hacker stories!🚨
1/x
I was once contracted to do a penetration test on a porn site.
This site was more than your average view-only site. It had community functions:
- sharing images privately with other members
- private paid cam access
- DMing
- and a store for sexy gifts!
2/x 👇
I started with normal usage of the site, registering my own account on each of the websites.
The goal set by the client was to access a restricted set of photos in a certain account, plus notify them of any other security vulnerabilities I found.
I'm looking for people to jump in and give me their perspectives. This is all speculative and in US hyper inflated markets.
A Sr/Principal Security Tester in the US can command a $150-200k salary in big markets (SFO, LA, NY).
👇1/x
That's 260 workdays.
$770 US a day.
$22k a month. Pre-tax.
That means as a FT Bug Hunter you need to come close to those numbers.
Now let's look at programs...
👇2/x
(napkin math)
The avg payout across all paid programs seems to come in at $500. That doesn't bode well for how impact is rated or how achievable a critical/P1 is for the bounty hunter.
On the high end, if you do find a Crit/P1, the average is $10k across big brands.
Everyone is sick in the house but I had some running scans I needed to check up on.
I found a SQL injection bug on a blog.
Here's how I did it, so you can learn...
👇
🚨Like, retweet, & follow for more hacker tips!🚨
1/x
Firstly, I ran reconFTW on a set of domains related to the target. I had the main domain, and several acquisition domains running too. The acquisitions were gathered from CrunchBase and Wikipedia.
ReconFTW runs screenshotting on all web-resolvable domains and subdomains.
I opened that folder and saw what looked to be a marketing campaign site that was super old, for a product the company no longer supported. To further confirm, the copyright footer was from 2016.
= Stealing checks worth millions & pwning a bank =
Here’s how I did it, so you can learn.
I was once contracted to do a penetration test on a bank…
Like, retweet, and follow for more hacker stories!
(1/x)
The main website was hardened. After spending a lot of time on understanding it, most of the makeup of the transfer system was API-based and the infrastructure was AWS.
I decided to open up the mobile application to see if it was any different.
🧵(2/x)
I proxied the iOS app through a proxy to see its web traffic.
I also was running the app on a jailbroken phone to see what files were created when installing and using the app.
At this time, I was using dirsearch. (I would use ffuf or feroxbuster these days)
(something like the image)
I discovered, (by proxying the site through Burp Suite and looking at responses and errors), that the application was written in CodeIgniter. Noted this down.
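The thread only says the framework was spotted from responses and errors in Burp. As an added example (not the author's tooling), here is how that kind of fingerprinting can be scripted over captured responses: it scores each response on indicators CodeIgniter emits by default (the `ci_session` cookie name, the "A PHP Error was encountered" / "A Database Error Occurred" / "404 Page Not Found" pages, and `/system/...php` paths leaked in error output). The sample responses, the paths and the weights are constructed for the example; an app that renamed its session cookie or customised its error views would score lower, so treat a low score as "no evidence", not "not CodeIgniter".

```python
import re

# Indicators CodeIgniter emits by default (3.x error-page strings; the
# ci_session cookie name is also the 4.x default). Weights are this
# example's own scoring choice, not a property of the framework.
BODY_INDICATORS = [
    ("php_error_page", re.compile(r"A PHP Error was encountered"), 3),
    ("db_error_page", re.compile(r"A Database Error Occurred"), 3),
    ("uri_chars_error", re.compile(r"The URI you submitted has disallowed characters"), 3),
    ("default_404", re.compile(r"404 Page Not Found.*?The page you requested was not found", re.S), 2),
    ("system_path_leak", re.compile(r"/system/(?:core|database|libraries)/\w+\.php"), 2),
]


def fingerprint(headers, body):
    """Score one response. headers: dict with lowercase names -> list of values."""
    hits, score = [], 0
    for cookie in headers.get("set-cookie", []):
        if cookie.lower().startswith("ci_session="):
            hits.append("ci_session_cookie")
            score += 3
            break
    for label, rx, weight in BODY_INDICATORS:
        if rx.search(body):
            hits.append(label)
            score += weight
    return score, hits


def triage(responses, threshold=3):
    """Score a set of path -> (headers, body) captures and give a verdict."""
    per_path = {path: fingerprint(h, b) for path, (h, b) in responses.items()}
    total = sum(score for score, _ in per_path.values())
    return {"per_path": per_path, "total": total, "codeigniter": total >= threshold}


# Constructed captures standing in for what a proxy would have recorded.
SAMPLE_RESPONSES = {
    "/index.php/account/login": (
        {"set-cookie": ["ci_session=a1b2c3; path=/; HttpOnly"], "content-type": ["text/html"]},
        "<html><body>Login</body></html>",
    ),
    "/index.php/account/view/1'": (
        {"content-type": ["text/html"]},
        "<h1>A Database Error Occurred</h1>"
        "<p>Filename: /var/www/app/system/database/DB_driver.php</p>",
    ),
    "/assets/app.js": (
        {"content-type": ["application/javascript"]},
        "console.log('hi');",
    ),
    "/index.php/nope": (
        {},
        "<h1>404 Page Not Found</h1><p>The page you requested was not found.</p>",
    ),
}

if __name__ == "__main__":
    result = triage(SAMPLE_RESPONSES)
    for path, (score, hits) in result["per_path"].items():
        print(f"{score:2d}  {path}  {hits}")
    print("CodeIgniter likely:", result["codeigniter"])
```

In practice the `headers`/`body` pairs come from a proxy export (Burp's saved items or a HAR), and the strongest single signal is the database error page, since it also tells you the error handler is verbose enough to leak file paths, which is worth noting down before moving on to directory brute-forcing.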