Day 3️⃣ 3️⃣
What is the one thing that separates newbie bug hunters from the professionals - let me tell you
What is the one thing that separates newbie bug hunters from the professionals - let me tell you
It’s persistence. The tools and ideas that for example @Jhaddix shows is his talks are far beyond the level I thought someone would use for Bug Bounty.
There was one Technique that blew my mind 🤯
There was one Technique that blew my mind 🤯
It is scraping cloud provider IP ranges (proactively and recurring)
Imagine you are hacking on a program and you want to check which assets they have.
I assume at least 99% of what’s running on the web now is hosted by Cloud Providers (AWS, Azure, GCP, Digital Ocean etc)
Imagine you are hacking on a program and you want to check which assets they have.
I assume at least 99% of what’s running on the web now is hosted by Cloud Providers (AWS, Azure, GCP, Digital Ocean etc)
The big brain idea was - lets just test all their IP ranges, these are limited after all (IPv4 space).
Another important factor is https - it requires a certificate and that has a name attached to it - the domain it is for.
Ok now what?
Another important factor is https - it requires a certificate and that has a name attached to it - the domain it is for.
Ok now what?
Hackers check if an application is running on port 443 of the IP address they scan - This is the port used for https
They then compare the name of the certificate with their current target and if there is a match - BOOM!
They then compare the name of the certificate with their current target and if there is a match - BOOM!
They might have found a development server that was open to the internet but was not associated with a url - so technically the developers assumed no one would find it.
But elite bug bounty hunters do.
And they automate the detection!
But elite bug bounty hunters do.
And they automate the detection!
@erbbysam and @daehee shared talks about details and Sam even wrote a service for it - tls.bufferover.run/dns?q=.defcon.…
- Talk: github.com/erbbysam/Hunti…)
Another tool that is used is: sslscrape → github.com/cheetz/sslScra…
🤯🤯🤯
- Talk: github.com/erbbysam/Hunti…)
Another tool that is used is: sslscrape → github.com/cheetz/sslScra…
🤯🤯🤯
I hope you learned something today - feel free to follow me for more insights during #30DaysOfBugBounty
#bugbounty #hacking #bugbountytips
#bugbounty #hacking #bugbountytips
• • •
Missing some Tweet in this thread? You can try to
force a refresh
