The Web Application Hacker's Handbook is a pre-requisite for all web assessments. Do not sleep on it due to publish date. It remains the 👑 book for web assessment.
This is a great supplement to the above WAHH. It has so many great explanations and examples of real bugs to study.
3/x
Next:
(free) The @owasp Testing Guide and the OWASP ASVS (Application Security Verification Standard) are both great semi-print projects to guide and supplement web application assessment folk in their approach.
Breaking into Information Security by @ZephrFish is a great meta resource not only covering tech skills but also soft skills for new people entering the field:
Hands on Hacking has an encompassing view of what day-to-day security testing might look like, including reporting 😅 While some techniques are now dated, still a great resource.
The Bug Bounty Playbook (1 & 2) by Alex Thomas (@ghostlulz1337) are excellent references and collections of tips and tricks. Very similar to many of my talks. A great modern desk reference.
How to find assets no other bug hunters have found.
One of my simple "secrets" for years.
Little automation exists for it.
💸💸💸
a thread🧵
🚨follow, retweet, & like for more hacker tips!🚨
1/x
When approaching a bounty, the scope is important. Not only the domain list but, all the text.
There are about 30 paid bounty programs across the major platforms that are explicitly open scope or have wording right under the scope section that says something like...
2/x
"If you find anything else that you believe to belong to XYZ company, report it and we will assess its validity. It may not result in a bounty"
But... to be honest, criticals usually DO get paid.
3/x
Every time you find a bug, invest time upfront to write up a REALLY great submission template. This includes impact assessment and remediation advice. Then re-use it for the rest of your career.
Mistake Two:
I'll stop hacking
Often, on a bug bounty, I'll submit something good and stop and wait around for a bit to see how the client responds.
You should always have a backup program to analyze while you hack on a new program.
How I hacked access to the most sensitive areas of a porn site using only low severity vulnerabilities.
Here's how I did it...
👇
🚨follow, retweet, & like for more hacker stories!🚨
1/x
I was once contracted to do a penetration test on a porn site.
This site was more than your average view-only site. It had community functions:
- share images privately with other members
- private paid cam access
- DMs
- and a store for sexy gifts!
2/x 👇
I started with normal usage of the site, registering my own account on each of the websites.
The goal set by the client was to access a restricted set of photos in a certain account, plus notify them of any other security vulnerabilities I found.
I'm looking for people to jump in and give me their perspectives. This is all speculative and in US hyper inflated markets.
A Sr/Principal Security Tester in the US can command a $150-200k salary in big markets (SFO, LA, NY).
👇1/x
That's 260 workdays.
$770 US a day.
$22k a month. Pre-tax.
That means as a FT Bug Hunter you need to come close to those numbers.
Now let's look at programs...
👇2/x
(napkin math)
The avg payout across all paid programs seems to come in at $500. That doesn't bode well for how impact is rated or how achievable a critical/P1 is for the bounty hunter.
On the high end, if you do find a Crit/P1, the average is $10k across big brands.
Everyone is sick in the house but I had some running scans I needed to check up on.
I found a SQL injection bug on a blog.
Here's how I did it, so you can learn...
👇
🚨Like, retweet, & follow for more hacker tips!🚨
1/x
Firstly, I ran reconFTW on a set of domains related to the target. I had the main domain, and several acquisition domains running too. The acquisitions were gathered from CrunchBase and Wikipedia.
ReconFTW runs screenshotting on all web-resolvable domains and subdomains.
I opened that folder and saw what looked to be a marketing campaign site that was super old, for a product the company no longer supported. To further confirm, the copyright footer was from 2016.
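The step above (eyeballing screenshots for a forgotten site and using the copyright footer as a tell) is easy to turn into a repeatable asset-hygiene check for a defender keeping an inventory of their own hosts. The following is an added example, not part of the thread and not reconFTW's own code; the hostnames and HTML snippets are constructed, and the three-year cutoff is an arbitrary assumption.

```python
import re
from datetime import date

# Constructed sample captures (not real sites): hostname -> HTML of the landing page.
# In practice these would come from the HTML saved alongside each screenshot.
SAMPLE_PAGES = {
    "promo-2016.example.com": "<html><footer>&copy; 2016 Example Corp. All rights reserved.</footer></html>",
    "www.example.com": "<html><footer>Copyright \u00a9 2024 Example Corp</footer></html>",
    "launch.example.com": "<html><footer>\u00a9 2015-2017 Example Corp</footer></html>",
    "api.example.com": "<html><body>ok</body></html>",
}

# Matches "© 2016", "&copy; 2016", "(c) 2016", "Copyright 2016" and ranges like "2015-2017".
COPYRIGHT_RE = re.compile(
    r"(?:&copy;|\u00a9|\(c\)|copyright)\s*(?:(\d{4})\s*[-\u2013]\s*)?(\d{4})",
    re.IGNORECASE,
)


def latest_copyright_year(html):
    """Return the most recent year found in a copyright notice, or None if there is none."""
    years = [int(m.group(2)) for m in COPYRIGHT_RE.finditer(html)]
    return max(years) if years else None


def find_stale_sites(pages, max_age_years=3, today=None):
    """Return {host: year} for hosts whose newest copyright year is older than the cutoff.

    Hosts with no copyright notice are not reported; absence is not evidence of staleness.
    """
    current_year = (today or date.today()).year
    stale = {}
    for host, html in pages.items():
        year = latest_copyright_year(html)
        if year is not None and current_year - year > max_age_years:
            stale[host] = year
    return stale


if __name__ == "__main__":
    for host, year in sorted(find_stale_sites(SAMPLE_PAGES, today=date(2024, 1, 1)).items()):
        print(f"{host}: copyright footer last updated {year}, review for decommissioning")
```

Anything this flags is a candidate for the "nobody owns this anymore" bucket: confirm who owns it, whether it still needs to be reachable, and whether it is patched, rather than treating the year alone as proof.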