Want to master AWS S3 hacking? 🤑

This thread is for you! 🧵 👇 AWS S3 (Simple Storage Service) buckets are a popular storage service often used by software companies to store data.

This is often sensitive data (such as receipts, invoices, etc.) but it can also be used to store public images such as profile pictures for example!

This is the thread I wish someone created for me when I started participating in bug bounty! 😅

Not everyone shares these methods... but

Here are a few tips to help you identify & exploit more IDOR vulnerabilities! 🤑

🧵 👇 IDOR (insecure direct object reference) vulnerabilities are present in web services that directly reference a data object without proper access controls!

The data object can be anything, from sensitive fields that are stored in databases to files stored in a storage bucket.

Ever had to analyze JavaScript files using Burpsuite? 🧐

Here are 3 web extensions to help you out and find secrets, links and other sensitive data! 🤑

A thread 🧵 👇 1️⃣ JS Miner

JS Miner is a Burpsuite Pro extension to help you analyze static files like JavaScript & JSON files found on your target for finding secrets, endpoints and other hard-coded sensitive data! 😎

Check it out on the Github! 👇
buff.ly/3J9l6bl

Ever came across a subdomain on one of your targets that returned the following error? 🧐

If you ever skipped these, you may have missed out on a lot of bounties...

Here are the top 3 tools to bypass pages behind a 401 & 403 error status code! 🤑

A thread! 🧵 👇 1️⃣ bypass-url-parser

Bypass-url-parser is a fuzzer that performs all types of checks to attempt and bypass protected pages behind a 40X status code! 😎

It features several bypass modes including an option to spoof your IP!

Bypass-url-parser is Github:
buff.ly/42XeUfq

Look at this login form 👀

There are multiple vulnerabilities present. 🤑️ But can you spot them all? 😎️

Let's cover each one of them! 🧵👇 Imagine this...

You just performed subdomain enumeration

Filtered all live hosts and got a list of URLs. You know, the usual.

In them, you spot "staging-id\.example\.com" subdomain 😏️

A quick look at the scope section, you see that this subdomain is in scope! 🤑️

Top 4 tools to automate SQL Injection vulnerabilities!

A thread! 👇 1⃣ SQLMap

You probably already know about the first scanner...

SQLMap is the most popular SQL Injection vulnerability scanner out there and is fully open-source!

SQLMap is available on GitHub 👇

github.com/sqlmapproject/…

Understanding SQL Injections!

A thread! 👇️ Let's first understand what SQL is! 😎

SQL—Structured Query Language—is a query language used to perform CRUD operations in SQL-like databases!

So suppose you need to retrieve an entry from a database, you can use an SQL query to read that specific field.

XXE exploitation 👇️ Today, we will cover how you can successfully exploit XXE vulnerabilities

If you aren't familiar with the concepts of XXE yet...

This thread is made just for you! 👇️

https://twitter.com/intigriti/status/1684887385715376128

A lot happened in the #BugBounty community last week, so let's take a look at the 5 must consumes in todays #BugBytes 1⃣ We start out with a blog from @assetnote that you've definitely already seen as they dive into the recent Critrix CVE and talk about the how of finding it! blog.assetnote.io/2023/06/29/bin…

You probably saw this before...

An XSS through your User-Agent header

But is it exploitable? 🤔️ Let's find out! 👇🧵 A common mistake new hunters make is reporting XSS where the payload is supplied inside a request header

However...this leads to a self-cross-site scripting vulnerability which is often out-of-scope! 😬️

Let's understand why and when you can actually report it!

Let's take a look at why this XSS won't execute 🤔

A thread 🧵👇 You probably came across this scenario before

Your payload gets reflected without getting encoded...

But non of the HTML entered is getting rendered!

3 Tools to help you automate file upload vulnerabilities 📁🔨 1⃣Upload Scanner

Upload Scanner is a Burpsuite extension that can help you automate file upload vulnerabilities

It's capable of uploading various files, injecting ASP, JSP, and PHP code + bypassing restrictions!

portswigger.net/bappstore/b224…

An introduction to file upload vulnerabilities 🧵👇 Let's first understand file upload vulnerabilities!

File upload vulnerabilities arise when you are able to upload files without any restrictions (or validations performed on the backend) 💡

Wondering what happened this week in #BugBounty and pentesting? Procrastinating on twitter and want to pretend to be productive? Let's check out this weeks #BugBytes PS: did you notice that the write ups and tutorials are now separated? If you're looking for more advanced security research or grow your skills!

CSRF Vulnerabilities Explained!

A mega-thread 👇🧵 Let's understand CSRF vulnerabilities first before moving on to the exploitation part.

Cross-Site Request Forgery (CSRF) vulnerabilities arise when a malicious actor is able to trick the victim's browser into conducting any unauthorized action on his behalf.

5 CSRF exploitation techniques 🧵👇 1) Basic CSRF

Let's take a look at a very straight-forward example:

Look at this checkout page 👀

There are multiple vulnerabilities present. Can you spot them all?

We've made a list of 6 of the most common price manipulation vulnerabilities found in the checkout process 👇️ Skip ahead to the exploitation part if you already know what price manipulation vulnerabilities are! 👇

Imagine this:
Your laptop' screen suddenly turns off...
You don't know why but when you try to turn your pc back on
You see that the screen doesn't work anymore! 😱

Were you able to spot the vulnerability in yesterday's code snippet? 🕵️‍♂️
✅ Yes? Nicely done!
❌ No? Don't worry. This is your chance to learn, so let's take a look at the writeup 👇
🧵 Be sure to keep reading this thread for more resources and the winner of our swag! Want to take a closer look at the vulnerable code snippet? 👩‍💻

Here's the tweet we've been talking about 👇

https://twitter.com/intigriti/status/1626200344651870208

It's that time again, it's #BugBytes! Let's take a look at what's been happening this week in #BugBounty and Pentesting!
blog.intigriti.com/2023/02/15/bug… 1⃣We all love recon, but once you've hoarded all of those domain names, what comes next?? @NahamSec has the answers!

Passive recon using "Certificate Transparency": A deep dive 🧵

We all use tools like Amass, ReconFTW & subfinder for finding new subdomains. Let's demystify these tools by looking at how they work 🪄

Today: Recon through Certificate Transparency
What is it? How does it work? 👇 1️⃣ SSL Certificates
These allow users to verify a website's identity. They allow HTTPS to work and thus are at the base of how the modern web works!

These certs are issued by a CA. But what if a CA issues a cert mistakenly or even maliciously? How do users not get duped by that?

If you want to master hacking JWT tokens, open this thread!

JWT tokens are often used to authenticate logged-in users. They do this by signing the data so that the server can verify forged tokens. But in some cases, we can bypass this protection! 🤯

A Thread 🧵👇 [1️⃣] JWT.io by @auth0

This site is amazing for playing with and debugging JWT tokens. Just paste your token in to see what it's all about. Try to sign your first token and see how it changes when you change values!

👇 jwt.io