Jason Haddix
May 4, 6 tweets, 2 min read
== Trademark and Copyright Recon ==

How to find assets no other bug hunters have found.

One of my simple "secrets" for years.

Little automation exists for it.

💸💸💸

a thread🧵

🚨follow, retweet, & like for more hacker tips!🚨

1/x
When approaching a bounty, the scope is important. Not only the domain list, but all the text.

There are roughly 30 paid bounty programs across the major platforms that are explicitly open scope, or that have wording right under the scope section saying something like...

2/x
"If you find anything else that you believe to belong to XYZ company, report it and we will assess its validity. It may not result in a bounty"

But, to be honest, criticals usually DO get paid.

3/x
In several of these programs, a simple trick that I use to great success is finding copyright and trademark text. For example:

"© Copyright, XYZ1212 Company, 2020" on Google.

Then use the minus operator like:

"© Copyright, XYZ1212 Company, 2020" -xyz1212.com

4/x
I have found whole new domains and TLDs that NO tester had trod before, using this simple technique.

I have found:

- Old marketing sites
- Outdated installs of software
- Build tools
- and more

Search for old years too (1995 onward), and also check trademark strings.

5/x
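As an added example (not the author's code or tooling), here is a small Python script that automates the two halves of this tip from an asset-inventory standpoint: it builds the quoted copyright/trademark search strings with a `-domain` exclusion for every domain already in the inventory, and it triages a list of result URLs down to the registrable domains that are not yet known. The company name, trademark, known-domain set and result URLs are all constructed sample values; the tiny two-level-suffix table stands in for the real Public Suffix List, which a production version should use instead.

```python
"""Copyright/trademark search-query builder and result triage.

Added example; all names, domains and URLs below are constructed samples.
"""
from urllib.parse import urlsplit

# Constructed inventory: registrable domains the organization already tracks.
KNOWN_DOMAINS = {"xyz1212.com", "xyz1212.net"}

# Constructed stand-in for the Public Suffix List. Without a suffix table,
# "jenkins.xyz1212.co.uk" would collapse to "co.uk" and be mis-triaged.
TWO_LEVEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp"}

# Constructed search results, as a crawler or a copy of the SERP might return them.
SAMPLE_RESULT_URLS = [
    "https://www.xyz1212.com/about",                      # known, excluded anyway
    "https://promo.xyz1212.net/2019/",                    # known (subdomain of inventory)
    "http://xyz1212-events.com/legacy/index.html",        # old marketing site, not in inventory
    "https://jenkins.xyz1212.co.uk/login",                # exposed build tool on an unknown ccTLD
    "https://cdn.example-partner.org/xyz1212/press-kit",  # third party quoting the notice
]


def build_queries(company, years, known_domains, trademarks=()):
    """Return one search string per year (and per trademark string), each
    carrying a -domain exclusion for every domain already in the inventory."""
    exclusions = " ".join(f"-{d}" for d in sorted(known_domains))
    queries = [f'"© Copyright, {company}, {year}" {exclusions}'.strip() for year in years]
    queries += [f'"{tm}" {exclusions}'.strip() for tm in trademarks]
    return queries


def registrable_domain(host):
    """Reduce a hostname to its registrable domain (naive: last two labels,
    or three when the last two form a known two-level suffix)."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def triage(urls, known_domains):
    """Return the sorted registrable domains from `urls` that are not in the
    inventory. Subdomains of a known domain count as known. Anything returned
    still needs ownership verification: a hit may be a third party quoting
    the copyright notice rather than an asset of the organization."""
    unknown = set()
    for url in urls:
        host = urlsplit(url).hostname
        if not host:
            continue
        domain = registrable_domain(host)
        if domain not in known_domains:
            unknown.add(domain)
    return sorted(unknown)


if __name__ == "__main__":
    for q in build_queries("XYZ1212 Company", range(1995, 2021), KNOWN_DOMAINS,
                           trademarks=("XYZ1212™",)):
        print(q)
    print("candidate domains to verify:", triage(SAMPLE_RESULT_URLS, KNOWN_DOMAINS))
```

Running the script prints one query per year from 1995 to 2020 plus one for the trademark string, then the three candidate domains from the constructed results. The third candidate (`example-partner.org`) is the important caveat: the search string only proves that a page *contains* the notice, so every candidate goes through an ownership check (WHOIS, certificate subject, who answers the abuse contact) before it is added to an inventory or reported.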
This method, along with the previous thread on SSL parsing and the (upcoming) one on SNI parsing, is among the most reliable ways to find greenfield websites to hack in a bounty.

That's it!

🚨follow, retweet, & like for more hacker tips!🚨

#bugbountytips #Pentesting #redteam

6/x
