Jason Haddix
May 3 · 12 tweets · 7 min read
= Infosec super-thread =

A big part of my presos is tools/resources I like for offensive security & bug hunting.

Here's a thread of "PRINT" resources cited in the Bug Hunter's Methodology Application Analysis v1

docs.google.com/presentation/d…

a 🧵

#bugbountytips #Pentesting

1/x
The Web Application Hacker's Handbook is a prerequisite for all web assessments. Do not sleep on it due to publish date. It remains the 👑 book for web assessment.

amazon.com/Web-Applicatio…

by @DafyddStuttard & Marcus Pinto @MDSecLabs

2/x
The next print resource is @yaworsk's Real-World Bug Hunting:

amazon.com/Real-World-Bug…

This is a great supplement to the above WAHH. It has so many great explanations and examples of real bugs to study.

3/x
Next:

(free) The @owasp Testing Guide and the OWASP ASVS (Application Security Verification Standard) are both great semi-print projects to guide and supplement web application assessment folk in their approach.

owasp.org/www-project-we…

owasp.org/www-project-ap…

4/x
A newer resource that both benefits security testers AND bug hunters is @vickieli7's "Bug Bounty Bootcamp"

amazon.com/Bug-Bounty-Boo…

An excellent zero-to-hero print resource for web security.

5/x
The Hacker's Playbook (1 & 2 & 3) give practical command line and contextual information from the field.

amazon.com/Hacker-Playboo…

These are great references to have on the shelf and encompass web and network testing.

@hackerplaybook

6/x
Breaking into Information Security by @ZephrFish is a great meta resource not only covering tech skills but also soft skills for new people entering the field:

leanpub.com/ltr101-breakin…

7/x
Hands on Hacking has an encompassing view of what day-to-day security testing might look like, including reporting 😅 While some techniques are now dated, still a great resource.

amazon.com/Hands-Hacking-…

8/x
The Bug Bounty Playbook (1 & 2) by Alex Thomas (@ghostlulz1337) are excellent references and collections of tips and tricks. Very similar to many of my talks. A great modern desk reference.

payhip.com/b/wAoh

payhip.com/b/nRia

9/x
That's all the semi-PRINT/Book resources I like the best.

What are yours? 🤔

Look out for the next thread covering PRACTICE targets for testing to get your skills 💪

10/x
Top:

🚨follow, retweet, & like for more resources!🚨

More of my work!

jhaddix.com/links

11/x
A NEW one I missed because it was later in the talk:

Corey Ball's (@hAPI_hacker)

Hacking APIs - Breaking Web Application Programming Interfaces

nostarch.com/hacking-apis

I'm really enjoying this one so far!

12/x
