Justin Gardner
Christian | Full-time Bug Bounty Hunter | Host of @ctbbpodcast | Advisor @CaidoIO | 3x LHE MVH | 🗣️ English, 日本語 | ♥️ @mariahchan_ ♥️
Sep 6, 2023 11 tweets 3 min read
All my current bug bounty knowledge is gone.

Here's how I get it back and make $100k in the first year:

First, I've got to learn the basics. For this, I will make sure I understand at a high level how the components I'm working with function.

I'll need to understand...
* HTTP
* Browsers (function, security constraints, etc.)
* Web architecture (APIs, reverse proxy, cloud, etc.)
* Server-side (APIs, MVC structure, routing and handlers)
* Client-side (JS, HTML, CSS)

I estimate this would take around 1 month of full-time study. Maybe 1.5 months.
Aug 26, 2023 11 tweets 2 min read
Ever wondered how people pop arbitrary account takeover vulns? I'll braindump some for ya. Here's what I got:

* Predictable/flawed password reset token
This can occur when the password reset token is the hash of a timestamp or of some other guessable entity. Also, if there is a host header injection in the password reset token URL.
Aug 25, 2023 7 tweets 2 min read
Here is how I bypassed the auth screen on a bank app that billionaires use without any hacking tools in sub 10 seconds 😂

Banking apps often have extra security measures in place and sometimes those security measures backfire. In this scenario, the app had implemented a re-auth mechanism after the app was closed. However, for whatever reason, the session was still alive in the background.
Aug 11, 2023 6 tweets 2 min read
If you're not finding a way to enumerate UUIDs for UUID-based IDORs then you're leaving money on the table.

Here are some ways I've done this in the past: https://t.co/zE97jURS3Stwitter.com/i/web/status/1…
1. Application-level ID Leakage

Is there any component of the application that might reveal this entity publicly (a timeline, etc)?

Can you give someone access to this UUID entity and then revoke it? If so, then the user may still have the UUID logged.
Aug 9, 2023 15 tweets 4 min read
I've made over 100k on SSRF vulnerabilities.

They aren't always as simple as pointing it at localhost or AWS Metadata service.

Here are some tricks I've picked up over the past 5 years of web app testing:

* Check all schemes (http, https, file, ftp, gopher, etc.)
Sometimes there are restrictions in place on http that are not there in https, or vice versa. See link below.
Or, if you can hit schemes like file or FTP -> local filesystem access.
github.com/request/reques…
Oct 27, 2022 12 tweets 2 min read
Here are a couple of things I always check when looking at a web application: 🧵

1. How is CSRF protection implemented?
Does the application use only the application/json content-type? Can you convert {"name":"Justin"} to name=Justin and change the content-type? Is the CSRF token tied to the account? The session? Are there any "unauthed" CSRF tokens?
Oct 10, 2022 18 tweets 4 min read
Over the past 6 months, I've had the pleasure of participating in 5 HackerOne Live Hacking events. It has been quite the challenge to my work-life balance and my hacking skills, but after ranking in the top 5 at every event, here are some lessons I've learned: 🧵

1. Pick your portion
When a live hacking event kicks off, you will likely have just received a mission to hack an absolutely enormous amount of scope in a relatively small amount of time. Large scopes are hard to address in normal bug bounty, let alone in a competition.