Maik Ro
Oct 15 · 20 tweets · 5 min read
Day 4⃣1⃣

Today we will learn how to fuzz input fields - and we start by fuzzing manually.
First things first - remember we had a giveaway yesterday - Winner:

@Illusionist3886

Twist 1: @Rohaan_ because I am having a nice day - you win as well

Congratulations to both of you - DM me for details.

Now on to hacking!
We checked the technologies, found version numbers and tried to find previously reported vulnerabilities.

One thing should have caught your eye - farmOS does not have ANY! reported vulnerabilities.

Is this good or bad?

BOTH.
Good
- it could mean that no one has tried hacking it yet
- there is a chance we will find something and can get a CVE for it

Bad
- no one touched this before? huh?
- it may be so hard to find anything that most people gave up without reporting anything
- "no CVE for the app" is not "no CVE for its stack": farmOS is built on Drupal, so Drupal core and module advisories apply to it as well - check those too

Well...
We will be seasoned bug hunters soon - in my book the positive side wins, and we will never know until we try 🧑‍🌾🔥

PERSISTENCE is key, remember that!
1% growth each day compounds to roughly 37x after only 1 year (1.01^365 ≈ 37.8)!
The application seems to consist of two parts - a frontend and a backend in tech lingo.

the frontend is the part that you see and can click around in
the backend is often text-based and hands data to the frontend to display
How did I find the two parts?

I looked where no one else usually looks - the documentation 😅🔥

farmOS has really good documentation and you can find it here: farmos.org/development/ap…

They describe that farmOS has an API or Application Programming Interface - wait, what's that?
It essentially means that the farmOS application talks to other applications in text form - usually this is JSON

Oh my gosh stop it with the acronyms already...

JSON - JavaScript Object Notation - is a text format for data, written the way objects are written in ... you guessed it, JavaScript.
If you are familiar with Python - this looks like a dictionary - if you are familiar with other languages it looks like this:

{
"hacker": "maikroservice",
"favorite_color": "purple"
}

Sometimes people also call this a key-value object, hashmap, dictionary or map - a bunch of pairs wrapped in {}
But they all mean the same:

1. Key - the name you look things up by; keys are unique within an object - so only one "hacker" key, with the handle maikroservice, can exist in this object - TAKE THAT BOTS!
2. Value - each key has exactly one value, but that value can itself be a list or another object, so one key can hold many things

1 Key - 1 Value (which may contain many values)
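As an added example (not code from the thread or from farmOS), here is the key/value point in Python, using the thread's own JSON object plus two constructed variants: one where a value is itself a list or an object, and one where a key is repeated. The duplicate case matters for API hacking: plain parsers silently keep one copy, so an application that validates one copy and uses the other can be tricked; `parse_strict` shows how to refuse such input.

```python
import json

# The thread's example object, as JSON text (copied from the thread).
SAMPLE = '''
{
  "hacker": "maikroservice",
  "favorite_color": "purple"
}
'''

# Constructed: a value can itself be a list or another object - one key, many things.
NESTED = '''
{
  "hacker": "maikroservice",
  "favorite_colors": ["purple", "black"],
  "profile": {"twitter": "@maikroservice", "day": 41}
}
'''

# Constructed: the same key twice. Most parsers keep only one copy without
# complaining, which is exactly the ambiguity an API should not accept.
DUPLICATED = '{"hacker": "maikroservice", "hacker": "bot"}'


class DuplicateKeyError(ValueError):
    """Raised when a JSON object repeats a key."""


def _reject_duplicates(pairs):
    """object_pairs_hook: build the dict, but refuse a repeated key."""
    seen = {}
    for key, value in pairs:
        if key in seen:
            raise DuplicateKeyError(f"duplicate key: {key!r}")
        seen[key] = value
    return seen


def parse_strict(text):
    """Parse JSON and fail loudly if any object repeats a key."""
    return json.loads(text, object_pairs_hook=_reject_duplicates)


def parse_lenient(text):
    """Plain json.loads: with a repeated key, the LAST value silently wins."""
    return json.loads(text)


def count_values(value):
    """Count the leaf values hanging off one value (a string is 1; lists/objects recurse)."""
    if isinstance(value, dict):
        return sum(count_values(v) for v in value.values())
    if isinstance(value, list):
        return sum(count_values(v) for v in value)
    return 1


if __name__ == "__main__":
    obj = parse_strict(SAMPLE)
    print(obj["hacker"])                                  # maikroservice
    nested = parse_strict(NESTED)
    print(count_values(nested["favorite_colors"]))        # 2 - one key, two values
    print(parse_lenient(DUPLICATED)["hacker"])            # bot - last copy wins
    try:
        parse_strict(DUPLICATED)
    except DuplicateKeyError as err:
        print("rejected:", err)
```

When you later read API responses, remember that the "one key, one value" rule is a convention of the parser, not a guarantee of the wire format; sending a duplicated key is itself a cheap fuzz case.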

Sidetrack off.
Why did I tell you this?

It is easier to hunt for bugs if you understand what you are looking at and APIs & JSON are everywhere.

Literally.

Everyone is using them.

So how do we hack APIs?
1. Typically we would first map out all the APIs
- What is available?

2. We then identify potential areas that take input
- Where can we type something?

3. We fuzz.
wait we what now?
Fuzzing is the process of using different inputs in order to see if we can:
- break the application (cause an error)
- display information that is not supposed to be seen (Can I see your account email / password?)
We will first do that manually and with a very simple payload.

A payload is text that we send to the application, sometimes our name, sometimes evil code. 👿

Our payload that we will test is

<script>javascript:alert("XSS")</script>
Let us figure out what that means and why I chose this payload/class of vulnerabilities.

1. <script> - this is something called a tag, or HTML element - anything written between < and > is a tag; this one tells the browser to run what follows as JavaScript

2. javascript:alert - alert is the instruction to start a popup when the code is executed; the javascript: prefix in front of it is really a URL scheme for links (as in href="javascript:..."), inside a <script> tag the browser just reads it as a label, so it is harmless but not needed - alert("XSS") alone would do
umm.... I know what a popup is but why would you want to see a popup when you hack?

Well - XSS or cross site scripting is a class of vulnerabilities that is often identified by this method because it's very VISUAL - you can see the popup when it works <3
3. alert("XSS") - this will show the text "XSS" in the popup - for illustrative purposes; any other JavaScript would run just the same.

4. </script> - a tag should be closed (closing is done by adding a "/" in front of the tag name)
Nice, so now you know what to do.

Start the application and put the payload we defined in all the input fields - then look at the page that comes back AND at every page that later displays what you typed.

every one? YES, in every single one.

No one said this would be a walk in the park 🛝
Let me know if you find a spot where this causes a popup 💜
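As an added example (not code from the thread, from farmOS or from any tool it mentions), here is the manual step from the "map, find inputs, fuzz" list scripted in Python: build the form submission with the payload in one field, then classify what comes back. The responses below are constructed stand-ins for what a page or a JSON endpoint might return; the real ones come from the application you are testing.

```python
import html
import json
import urllib.parse

# The thread's payload. Inside a <script> block the "javascript:" part is only a
# JavaScript label; what actually fires is alert("XSS").
PAYLOAD = '<script>javascript:alert("XSS")</script>'

# Constructed responses (content type, body) - none of these come from farmOS.
RESPONSES = {
    # Page echoes the field verbatim into the HTML: the browser will run the script.
    "raw_html": ("text/html", '<div class="name">' + PAYLOAD + '</div>'),
    # Page HTML-escapes the field first: shown as text, no popup.
    "escaped_html": ("text/html", '<div class="name">' + html.escape(PAYLOAD) + '</div>'),
    # JSON API echoes the field: only dangerous if a frontend later writes it into the DOM unescaped.
    "json_api": ("application/json", json.dumps({"data": {"attributes": {"name": PAYLOAD}}})),
    # Input was dropped or truncated: nothing recognisable came back.
    "absent": ("text/html", '<div class="name"></div>'),
}


def build_form_body(fields, target_field, payload):
    """Form-encode a submission with the payload in exactly one field (the manual step, scripted)."""
    data = dict(fields)
    data[target_field] = payload
    return urllib.parse.urlencode(data)


def classify_reflection(payload, body, content_type="text/html"):
    """Say how (and whether) the payload came back in a response body.

    Returns one of:
      "raw"      - payload present byte-for-byte in an HTML body: likely executes, confirm in the browser
      "escaped"  - only an HTML-escaped copy is present: rendered as text
      "in-json"  - payload present in a JSON body: not XSS by itself, the frontend sink decides
      "absent"   - nothing recognisable came back
    """
    if "json" in content_type.lower():
        # JSON encodes the double quotes as \" so compare against the JSON-encoded form.
        return "in-json" if json.dumps(payload)[1:-1] in body else "absent"
    if payload in body:
        return "raw"
    if html.escape(payload) in body or html.escape(payload, quote=False) in body:
        return "escaped"
    return "absent"


def triage(payload, responses):
    """Run the classifier over {name: (content_type, body)} and return {name: verdict}."""
    return {
        name: classify_reflection(payload, body, content_type)
        for name, (content_type, body) in responses.items()
    }


if __name__ == "__main__":
    print(build_form_body({"name": "", "email": "a@b.c"}, "name", PAYLOAD))
    for name, verdict in triage(PAYLOAD, RESPONSES).items():
        print(f"{name:13s} -> {verdict}")
```

A "raw" verdict is a lead, not a finding: the payload could sit inside an HTML comment or attribute where it does not execute, which is why the popup in a real browser remains the proof. An "in-json" verdict is the backend/frontend split from earlier in the thread in practice - the API returned your text faithfully, and whether it becomes XSS depends on how the frontend renders it.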

Tomorrow we will meet new tools - the intercepting proxies @zaproxy and @Burp_Suite

I will tell you my favorite one ;)
Feel free to reply with ideas or questions - you can also DM me.

October is #BugBounty focus
November is #BlueTeam
In December we build a hacking portfolio and hunt jobs for you

I cannot wait and am very grateful that you are following me - enjoy the weekend!
