Jason Haddix
May 5, 9 tweets, 3 min read
Here's another "meta" long-form hacking tip that has paid its weight in gold.

== Don't rely on TOO much automation ==

A thread 🧵

🚨follow, retweet, & like for more 🚨

Some examples:

👇

1/x
In Recon:

Let's start with subdomain enumeration techniques.

Tools like Amass & Subfinder are just wrappers that use web APIs & scraping to pull subdomains from datasets on the internet...

2/x
👇
However, it's been shown live by many hackers (like @NahamSec) that working with a dataset or website directly, like crt.sh, can find nested subdomains, or more results than a tool.

Why does this happen? Parsing is hard, rate limits exist, etc.

3/x
👇
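As an added example (not code from Jason Haddix or from Amass/Subfinder), here is a small parser for the JSON that crt.sh returns for a wildcard query such as `https://crt.sh/?q=%25.example.com&output=json`. The `name_value` and `common_name` fields are real crt.sh fields, with `name_value` holding newline-separated names as I understand the format; the payload below is constructed so the demo runs offline. It keeps every SAN name, records wildcards, drops out-of-scope lookalikes, and buckets hosts by label depth, which is exactly where the "nested" subdomains a wrapper tends to flatten or drop show up.

```python
"""Parse crt.sh JSON output and surface nested subdomains (added example)."""
import json
import urllib.request
from collections import defaultdict

# Constructed sample of crt.sh's JSON shape for a %.example.com query.
SAMPLE_CRTSH_JSON = json.dumps([
    {"common_name": "www.example.com",
     "name_value": "www.example.com\nexample.com"},
    {"common_name": "*.dev.example.com",
     "name_value": "*.dev.example.com\napi.dev.example.com"},
    {"common_name": "legacy-vpn.corp.internal.example.com",
     "name_value": "legacy-vpn.corp.internal.example.com"},
    {"common_name": "WWW.EXAMPLE.COM",          # case duplicate, must collapse
     "name_value": "WWW.EXAMPLE.COM"},
    {"common_name": "example.com.evil.test",   # lookalike, out of scope
     "name_value": "example.com.evil.test"},
])


def fetch_crtsh(domain: str, timeout: int = 30) -> str:
    """Fetch raw JSON from crt.sh for %.<domain>. Not used by the offline demo."""
    url = f"https://crt.sh/?q=%25.{domain}&output=json"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


def parse_crtsh(raw_json: str, root: str) -> dict:
    """Return {"hosts": set, "wildcards": set, "by_depth": {depth: set}}.

    name_value may hold several newline-separated SAN names; reading only
    common_name (as a thin wrapper might) silently loses the rest.
    Depth is the number of labels below the root domain.
    """
    root = root.lower().strip(".")
    hosts, wildcards = set(), set()
    for entry in json.loads(raw_json):
        names = entry.get("name_value", "").split("\n") + [entry.get("common_name", "")]
        for name in names:
            name = name.strip().lower().rstrip(".")
            if not name:
                continue
            # Scope check: the root itself or something ending in ".<root>".
            if name != root and not name.endswith("." + root):
                continue
            if name.startswith("*."):
                wildcards.add(name)
                name = name[2:]  # the wildcard's parent is itself a real host
            hosts.add(name)
    by_depth = defaultdict(set)
    for host in hosts:
        depth = 0 if host == root else host[: -len(root) - 1].count(".") + 1
        by_depth[depth].add(host)
    return {"hosts": hosts, "wildcards": wildcards, "by_depth": dict(by_depth)}


def nested_hosts(parsed: dict, min_depth: int = 2) -> set:
    """Hosts with at least `min_depth` labels below the root: the nested ones."""
    return {h for d, hs in parsed["by_depth"].items() if d >= min_depth for h in hs}


if __name__ == "__main__":
    result = parse_crtsh(SAMPLE_CRTSH_JSON, "example.com")
    for depth in sorted(result["by_depth"]):
        print(depth, sorted(result["by_depth"][depth]))
    print("wildcards:", sorted(result["wildcards"]))
    print("nested:", sorted(nested_hosts(result)))
```

Swap `SAMPLE_CRTSH_JSON` for `fetch_crtsh("example.com")` to run it against the live dataset; the scope check matters there because certificate transparency logs contain every name anyone ever put on a certificate, including lookalike domains that merely contain your root as a prefix.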
Another example in recon, Screenshotting:

Using a screenshot tool on live web servers can miss things due to timing, complex redirects, cert issues, cloud/CDN configs, etc.

Many testers notice this right away if they ever switch to just opening URLs in browser.

4/x
👇
JavaScript parsing is another example. LinkFinder or derivatives give:

Full URLs
Absolute URLs or dotted URLs
Relative URLs with at least one slash
Relative URLs without a slash

But it will not give you anything for minified or obfuscated JS.

6/x
👇
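To make the four categories and the minified/obfuscated blind spot concrete, here is an added example (my own simplified stand-in, not LinkFinder's regex and not code from the thread). It pulls string literals out of JS text, sorts each into the four buckets above, and runs over two constructed samples: readable source and the same endpoints after string splitting, hex escapes and `String.fromCharCode`. It goes one step past the tweet by also decoding `\xNN`/`\uNNNN` escapes before re-scanning, which recovers some fragments but still not the URL assembled at runtime.

```python
"""Classify endpoint-like string literals in JavaScript (added example)."""
import re

# Constructed sample: readable source the way a developer wrote it.
READABLE_JS = r'''
const API = "https://api.example.com/v1/users";
fetch("/internal/admin/export?format=csv");
loadScript("../static/js/legacy.js");
router.get("api/v2/health");
img.src = "logo.png";
'''

# Constructed sample: the same endpoints after a string obfuscator pass.
OBFUSCATED_JS = r'''
var _0x1=["\x2finternal","\x2fadmin","\x2fexport"];fetch(_0x1.join(""));
var p=String.fromCharCode(104,116,116,112,115,58,47,47)+["api","example","com"].join(".")+"\x2fv1\x2fusers";fetch(p);
'''

# A quoted literal: opening quote, escaped chars or non-quote chars, same quote.
STRING_LITERAL = re.compile(r'''(["'`])((?:\\.|(?!\1).)*?)\1''')

# Simplified versions of the four LinkFinder-style buckets.
RULES = [
    ("full_url",               re.compile(r'^https?://[^\s"\']+$')),
    ("absolute_or_dotted",     re.compile(r'^(?:/|\./|\.\./)[^\s"\']*$')),
    ("relative_with_slash",    re.compile(r'^[\w\-]+(?:/[\w\-.%?=&]*)+$')),
    ("relative_without_slash", re.compile(r'^[\w\-]+\.[a-z0-9]{1,5}$')),
]


def classify(candidate: str):
    """Return the bucket name for a literal, or None if it is not endpoint-like."""
    for name, rx in RULES:
        if rx.match(candidate):
            return name
    return None


def extract_endpoints(js: str) -> list:
    """List of (bucket, literal) pairs in source order, de-duplicated."""
    seen, out = set(), []
    for m in STRING_LITERAL.finditer(js):
        literal = m.group(2)
        bucket = classify(literal)
        if bucket and literal not in seen:
            seen.add(literal)
            out.append((bucket, literal))
    return out


def decode_js_escapes(js: str) -> str:
    """Resolve \\xNN and \\uNNNN escapes so hex-hidden slashes become visible."""
    js = re.sub(r'\\x([0-9a-fA-F]{2})', lambda m: chr(int(m.group(1), 16)), js)
    return re.sub(r'\\u([0-9a-fA-F]{4})', lambda m: chr(int(m.group(1), 16)), js)


if __name__ == "__main__":
    print("readable:  ", extract_endpoints(READABLE_JS))
    print("obfuscated:", extract_endpoints(OBFUSCATED_JS))
    print("decoded:   ", extract_endpoints(decode_js_escapes(OBFUSCATED_JS)))
```

The readable sample yields one hit per bucket; the obfuscated sample yields nothing at all, and even after escape decoding you only get path fragments, never `https://api.example.com/v1/users`, because that string only exists once the code runs. That is the gap a browser's network tab or a debugger closes and a static regex cannot.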
Finally, and known by most: Vuln Scanners.

Even dynamic ones are just throwing injection strings against parameters and routes. They then parse the page returned looking for a set of conditions and if X condition(s) are met (usually a regex) then they alert you...

7/x
👇
What you miss out on is the context around the fuzzing:

the error codes/text
the return time
the content size
etc

It's all invisible to you in most cmdline tools and each of those could lead you to a juicy bug.

8/x
👇
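Here is an added example of keeping that context instead of discarding it (my own triage helper, not code from the thread or from any scanner). It assumes each request produced a record with status, response time, content size and body, and compares every probe against a labelled baseline request; the records below are constructed. Anything a tool would boil down to "no regex match" is surfaced with the reason, so the tester or the defender reviewing scanner output can decide what a 500 with a stack trace, a response five times slower than normal, or a page twice the usual size actually means.

```python
"""Flag fuzzing responses by the context a CLI tool usually hides (added example)."""

# Constructed sample: one baseline request plus probes against the same route.
SAMPLE_RESULTS = [
    {"probe": "baseline", "status": 200, "time_ms": 120,  "size": 4820,
     "body": "<html>...profile page...</html>"},
    {"probe": "probe-1",  "status": 200, "time_ms": 115,  "size": 4820,
     "body": "<html>...profile page...</html>"},
    {"probe": "probe-2",  "status": 500, "time_ms": 130,  "size": 1210,
     "body": "Internal Server Error\nTraceback (most recent call last):"},
    {"probe": "probe-3",  "status": 200, "time_ms": 5230, "size": 4820,
     "body": "<html>...profile page...</html>"},
    {"probe": "probe-4",  "status": 200, "time_ms": 118,  "size": 9710,
     "body": "<html>...profile page...</html>"},
    {"probe": "probe-5",  "status": 302, "time_ms": 90,   "size": 0,
     "body": ""},
]

# Verbose-error markers worth a human look (leaked error text is a finding on its own).
ERROR_MARKERS = ("traceback", "exception", "stack trace", "internal server error")


def baseline_of(results: list) -> dict:
    """The record labelled 'baseline'; raises if the run did not capture one."""
    return next(r for r in results if r["probe"] == "baseline")


def triage(results: list, size_ratio: float = 0.25, time_factor: float = 5.0) -> list:
    """Return [{"probe", "reasons"}] for every probe that differs from baseline.

    size_ratio: relative content-size change that counts as interesting.
    time_factor: response-time multiple over baseline that counts as interesting.
    """
    base = baseline_of(results)
    findings = []
    for r in results:
        if r is base:
            continue
        reasons = []
        if r["status"] != base["status"]:
            reasons.append(f"status {base['status']}->{r['status']}")
        size_delta = abs(r["size"] - base["size"]) / max(base["size"], 1)
        if size_delta > size_ratio:
            reasons.append(f"size {base['size']}->{r['size']} ({size_delta:.0%} change)")
        if r["time_ms"] > base["time_ms"] * time_factor:
            reasons.append(f"time {base['time_ms']}ms->{r['time_ms']}ms")
        hits = [m for m in ERROR_MARKERS if m in r["body"].lower()]
        if hits:
            reasons.append("error text: " + ", ".join(hits))
        if reasons:
            findings.append({"probe": r["probe"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_RESULTS):
        print(f["probe"], "->", "; ".join(f["reasons"]))
```

Tune `size_ratio` and `time_factor` per target; a noisy app with dynamic pages needs a looser size threshold, and the time rule is only meaningful when the baseline was measured under the same load. The point is that probe-3 and probe-4 look identical to probe-1 by status code alone.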
So, throw your automation out the window right?!

No 😅

Use your intuition/judgment when testing. Know what your tools are doing & what they can miss. Learn to love manual testing; slow & deep testing can yield great returns.

🚨follow, retweet, & like for hacker tips🚨

9/x
