Big win! Discovered my first-ever vulnerability in @Apple and secured a spot in the Hall of Fame (HOF). Huge thanks to the awesome Twitter community for their support!
My sincerest thanks to @_anonysm#bugbountytips
Vuln Type : Improper Access Control
@NahamSec@hackinghub_io This bundle would genuinely help me upgrade my skills, strengthen my knowledge, and move closer to a cybersecurity career. Thank you for this opportunity
@NahamSec@hackinghub_io I'd love to win The Hacker's Arsenal. Due to financial challenges, I couldn't continue my formal degree as planned, but I never gave up on building a career in cybersecurity. I'm actively learning bug bounty and practical security skills to rebuild my future and support my famly
Super excited to release our latest Broken Access Control (BAC) Masterclass on @hackinghub_io with 2 hours of content and almost 20 labs. I'm giving away 3 free seats to anyone who comments, reposts, and replies to this post. Drop a ๐ฅ below!
More info ๐๐ผ https://t.co/g8gwo5vYGN
#BugBounty Step 1: "Find the things"
So you open a brief, and https://t.co/lMGtLFrLgw is in scope. What is your first move?
A]
For me, I find every domain/subdomain I can affiliated with https://t.co/lMGtLFrLgw. I dump them all, from numerous sources, and de-duplicate. Create your own process here.
B]
Now I blast all unique domains for https://t.co/lMGtLFrLgw on common web ports to see which are readily internet facing (80,443,8080,8443,etc.). This is lazy but catches 99% of them. If it responds, regardless of response code, its alive. If you feel like overachieving, scan more ports.
C]
Now I create a list of unique "responsive domains". I run each of these through <insert favorite tools here> to find links and save a unique file for each domain containing links, way back info, indexed search engine URI's, etc. This step generally contains money by itself.
D]
Use your brain and start exploring the data (links, sites, paths) manually to see what looks interesting or vulnerable, while recording everything in Burp to start collecting JS files and paths. Clicking things really isn't hard, so maybe don't skip this step. Though I appreciate it when everyone does.
E]
For best ROI (at least on new targets), start with domains with the most data/indexed links as it keeps the fuzzing/guest work to a minimum. For older mature targets, perhaps start with those where the site responded but zero history or search engine data comes back. These may have been mostly untouched, but you will have to figure out what lives there. Sometimes visiting other sites uncovers these paths in JS.
... now the fun begins. OK BYE ๐
Want to learn bug bounty but don't know where to start?
We built VulnWeb a safe playground with 50+ real vulnerabilities to exploit. Earn XP, collect flags, level up.
Free. Legal. Beginner-friendly. https://t.co/wqrsb5k0a4
#bugbounty#ethicalhacking#cybersecurity#infosec #XSS #SQLinjection #pentesting #hackerlife #CTF #learnhacking
Since there was an outage yesterday I'm doing this again.
๐จ Giveaway and new course! I just released a nuclei course and we have made it a part of our Black Friday bundle. You can get all of our courses for the price of one.
๐Iโll give some away. All you gotta do is RT & reply with which bundle you want! (I'll pick winners from both posts)
More info here ๐๐ผ https://t.co/0pEoZljSV1
๐จ Doing a giveaway for my Blind XSS Masterclass
Most people think they know XSS, until they meet blind XSS, the kind that fires where youโll never see it.
Same methods that helped me earn $250K+ from real reports. https://t.co/VL5jwf8alx
๐ Retweet and reply to enter.
Top 10 Bug Bounty Tools (Semi-Manual Hunts)
1.Burp Suite Professional
2.Browser DevTools (Chrome / Firefox) + FoxyProxy or pwnfox
3.ffuf
4.Amass
5.waybackurls / gau
6.autorize
https://t.co/OTnibQmHZM Dorking
8.Interactsh / Burp Collaborator
9.@KN0X55 / XSStrike / Dalfox
10.curl / httpie / jq
Manual in a sense of you determining exactly what Params to throw into tools like @KN0X55 instead of blindly chucking shit at the wall. I will still use tools like this if I have a hunch!
@grok In 48 hours from now, pick 3 random people in my comments to win my endless bundle/ 900 - Hacker's toolkit. They must have liked and shared the post and left a comment.
https://t.co/Zl50SdfK87
@Wilbroad256 A might be the answer because in school/college we used to say all numbers as in words but here it's different because It's denotes only the repeated numbers in words format
Hey bug bounty hunters ! I've reported info disclosure / sensitive data exposure vulns that all got accepted.. Here's what I've learned from digging into these; it's super useful when you're stuck on the main app and need to pivot to recon; when I'm out of ideas on the core app, I switch to asking, "What info does this company not want attackers to see / access ?"; then i tailor my hunt from there.
Spot anything on their site i.e "SSN must stay private" ? that's your starting line; found something juicy ? Pause before reporting ! validate it yourself. Is it intentionally public ? Is it accessible elsewhere ( like another domain/env/asset) ?; cross-check assets thoroughly.
Example : Leaked internal endpoints like http://localhost:9999/admin/login or hidden internal hosts/ports; that's an info leak.
Companies often push back asking for "impact." My go-to response, "Can't show impact since I can't connect to localhost:9999, unless you grant me access ? "; this response worked for me and it got my report accepted; for leaked creds, I say, "Can't fully validate these creds without authorisation, but I found 'em in an env fully owned/controlled by [YOU]"; this response also got my report accepted; just be honest and precise.
But really, it's not about dorks... Know what sensitive stuff the company handles ( from their privacy policy, etc. ). Craft your own searches based on that, SSNs, API keys, whatever. If you understand their data, you can craft your dorks based on the data.