Share this page!

Enter URL or ID to Unroll

You can paste full URL like: https://x.com/threadreaderapp/status/1644127596119195649
or just the ID like: 1644127596119195649

How to get URL link on X (Twitter) App

  1. On the Twitter thread, click on or icon on the bottom
  2. Click again on or Share Via icon
  3. Click on Copy Link to Tweet
  4. Paste it above and click "Unroll Thread"!
  5. More info at Twitter Help
ShreKy Profile picture
@shrekysec
Oct 3, 2022 โ€ข 3 tweets โ€ข 3 min read โ€ข Read on X
BEST FREE Burp Suite Extensions for #bugbounty:

1. Param Miner - Fuzz params everywhere

2. Autorize - Easily test for IDOR/BAC

3. InQL - GraphQL Introspection & better interface

+ More ๐Ÿ‘‡๐Ÿงต

#bugbountytips #bugbountytip #infosec #cybersecurity #cybersecuritytips #hacking
4. Turbo Intruder - Faster intruder

5. JSON Web Tokens - Tamper with JWTs easily

6. HTTP Request Smuggler - Test for HTTP Req Smuggling easily

7. Content Type Converter - Converts Content Type on requests

8. Bypass WAF - Adds headers for bypassing some WAFs
9. Add Custom Header - Adds custom header

10. SAML Raider - SAML message editor and certificate management tool

1. Follow me @shrekysec for more of these
2. RT the tweet below to share this thread with your audience

โ€ข โ€ข โ€ข

Missing some Tweet in this thread? You can try to force a refresh
ใ€€

Keep Current with ShreKy

ShreKy Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @shrekysec

ShreKy Profile picture
Oct 27, 2022
Bug Testing Methodology Series:

๐’๐’๐‘๐… (๐’๐ž๐ซ๐ฏ๐ž๐ซ ๐’๐ข๐๐ž ๐‘๐ž๐ช๐ฎ๐ž๐ฌ๐ญ ๐…๐จ๐ซ๐ ๐ž๐ซ๐ฒ)

Learn how to test for #SSRF step by step on real #bugbounty programs

Thread๐Ÿงต๐Ÿ‘‡

#cybersecurity #cybersecuritytips #infosec #hacking #bugbountytips #infosecurity
Before we start, this thread won't teach how SSRF works, but rather a methodology to follow while actively testing for it.

To learn about how SSRF attacks work, have a read here โžก๏ธ portswigger.net/web-security/sโ€ฆ
1๏ธโƒฃ Finding an attack vector

This step simply implies using the web app THOROUGHLY and finding a place where you input a URL and the server fetches it.

Ex: profile pic from URL, URL Redirects, etc.

The best tip I can give you for this step is: CLICK EVERY SINGLE BUTTON YOU SEE
Read 9 tweets
ShreKy Profile picture
Oct 24, 2022
Introduction to #XSS

Learn the basics of ๐‚๐ซ๐จ๐ฌ๐ฌ-๐’๐ข๐ญ๐ž ๐’๐œ๐ซ๐ข๐ฉ๐ญ๐ข๐ง๐  (๐—๐’๐’)

Thread๐Ÿงต๐Ÿ‘‡

#bugbounty #bugbountytips #bugbountytip #cybersecurity #cybersecuritytips #infosec #infosecurity #hacking
Let's inspect the name first:

The ๐’๐œ๐ซ๐ข๐ฉ๐ญ๐ข๐ง๐  part indicates, obviously, scripting, so we can think about what kind of scripting we know exist in Web Apps: HTML & JavaScript being the 2 most common.

Secondly, XSS is part of the INJECTION bug class (see @owasp's Top 10)
So, we now know XSS consists of injecting scripts in websites.

Types of XSS:

1. Reflected
2. Stored
3. DOM-based
They can also be Blind too (you don't see the reflection)

As this thread is aimed at beginners, I will focus on the first 2 as they're easier to understand at first
Read 12 tweets
ShreKy Profile picture
Oct 18, 2022
Bug Testing Methodology Series:

๐๐€๐‚ (๐๐ซ๐จ๐ค๐ž๐ง ๐€๐œ๐œ๐ž๐ฌ๐ฌ ๐‚๐จ๐ง๐ญ๐ซ๐จ๐ฅ)

Learn how to test for Broken Access Control step by step on real #bugbounty programs.

Thread๐Ÿงต๐Ÿ‘‡

#cybersecurity #cybersecuritytips #infosec #hacking #bugbountytips #infosecurity
Before we start, this thread will not teach exactly how Broken Access Control vulnerabilities arise, but rather a testing methodology.

If you want to learn how BAC bugs work, check this out โžก๏ธ portswigger.net/web-security/aโ€ฆ
1๏ธโƒฃ Know your target

In order to know what which user role can do, you have to know your target well.

If documentations are available, make full use of them, if not, use the app as much as you can from the perspective of each user role (have a different account for each role)
Read 9 tweets
ShreKy Profile picture
Oct 13, 2022
#BugBounty Writeup Timeโฐ

Application DOS through unfinished image contents:
๐Ÿงต๐Ÿ‘‡

#bugbountytips #infosec #cybersecurity #cybersecuritytips #hacking #bugbountytip
Context about target:

Small blockchain platform allowing users to launch and contribute to projects.

Projects can contain a banner image, and this is where the bug resides.

This is gonna be a short one.
When uploading an image for the project, it sent a POST request with an "image" WebKitFormBoundary parameter, which contained the image contents.

After some XSS testing, I came across that removing the last line of the image contents resulted in weird behavior.
Read 6 tweets
ShreKy Profile picture
Oct 5, 2022
Bug Testing Methodology Series:

๐—๐’๐’ (๐‚๐ซ๐จ๐ฌ๐ฌ ๐’๐ข๐ญ๐ž ๐’๐œ๐ซ๐ข๐ฉ๐ญ๐ข๐ง๐ )

Learn how to test for #XSS step by step on real #bugbounty programs.

Thread๐Ÿงต๐Ÿ‘‡

#cybersecurity #cybersecuritytips #infosec #hacking #bugbountytips #infosecurity
Before we start, it should be mentioned that this thread will only focus on the testing methodology of XSS, not teaching how it works.

If you don't already know what XSS is, check this out โžก๏ธ portswigger.net/web-security/cโ€ฆ
1๏ธโƒฃ Look for reflections

This is the first step in finding XSS.

Anywhere you see user input is reflected in the response (not limited to what you see on the page, it could be in source code/HTTP response only), note the location/parameter down, that's a potential attack vector.
Read 10 tweets
ShreKy Profile picture
Oct 4, 2022
Complete roadmap to get into #cybersecurity in 2022:

Thread๐Ÿงต๐Ÿ‘‡

#cybersecurity #cybersecuritytips #infosec #hacking #hacker #bugbounty #bugbountytips #infosecurity
1๏ธโƒฃ IT Fundamentals

Before jumping into more advanced fields, you gotta know the basics.

You can learn everything you need for FREE from
@ProfessorMesser's course โžก๏ธ professormesser.com/free-a-plus-trโ€ฆ

For reference, you should be apt for @CompTIA's A+ certification before the next step.
2๏ธโƒฃ Networking

It's time to get technical.

Networking will teach you how the internet works, and it's CRUCIAL to have a SOLID understanding of this subejct.

You don't have to be a network engineer, but know things like the OSI Model, TCP/IP, Ports & Services, CIDR, Subnets, etc
Read 18 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us!

Send Email!

:(