Imran Parray
@imranparray101
Followers: 5,898 | Following: 674 | Media: 266 | Statuses: 2,616
@imranparray101
Imran Parray
3 years
List of Linux tools every Bug Bounty Hunter should learn: curl, sed, grep, jq, cut, find, xargs, dig, ssh, awk and vim or nano.
@imranparray101
Imran Parray
4 years
Using "grep" to extract URLs from junk data.
cat file | grep -Eo "(http|https)://[a-zA-Z0-9./?=_-]*"
curl http://host.xx/file.js | grep -Eo "(http|https)://[a-zA-Z0-9./?=_-]*"
#bugbountytips #Linux
@imranparray101
Imran Parray
4 years
grep grep grep grep grep grep grep grep grep grep Here is a "mini thread" to learn some cool tricks about grep. #linux #cybersecurity #bugbounty
@imranparray101
Imran Parray
4 years
Default Nmap scans suck! Why? Because they are slow. Here is how to speed up your Nmap scans by sending more packets to the network at the same time. #bugbountytips #infosec
[attached image]
@imranparray101
Imran Parray
1 year
As promised! Here is the first story! Title: Executing Custom Database Scripts from an Unauthorized Role. Bounty: $10,000 Type: Privilege Escalation Explanation 👇 #bugbounty #bugbountytips #onebugaday #cybersecurity
[attached image]
@imranparray101
Imran Parray
3 years
is one of the best online cheatsheet collections, created by @igor_chubin #linux #cybersecurity
[attached images]
@imranparray101
Imran Parray
1 year
Another Story ! Title: Stored XSS Leads to full org Takeover. Bounty: $4500 Type: Stored XSS Explanation 👇 #bugbounty #bugbountytips #onebugaday #cybersecurity
[attached image]
@imranparray101
Imran Parray
2 years
Using Chrome heap snapshots to find hidden API endpoints:
- Open Chrome developer toolkit
- Go to the Memory tab and click the Record button
- Save the snapshot and start grepping stuff
Example: cat Heap-xx.heapsnapshot | grep '/api'
#BugBounty #bugbountytips #CyberSecurity
[attached image]
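An added example, not the author's one-liner, that serves both the URL grep earlier on this page and the heap-snapshot grep in this tweet: the first function extracts absolute URLs from any text blob (a minified bundle, a saved Heap-xx.heapsnapshot export), the second returns only the /api/ paths, quoted with either kind of quote, with or without a scheme and host. The sample input is constructed and the hostnames are placeholders.

```bash
# Added example (not the author's one-liner): extract absolute URLs, and
# separately API-style paths, from any text blob such as a minified bundle
# or a Chrome heap snapshot export. Needs only grep/sed/tr/sort.

# Absolute URLs. The bracket class covers the characters that actually occur
# in URLs (port, query, fragment, percent-encoding) while stopping at quotes
# and whitespace; the sed drops punctuation glued on by surrounding text/JSON.
extract_urls() {
    grep -Eo 'https?://[A-Za-z0-9._~:/?#@!$&()*+=%-]+' \
        | sed -E 's/[.,;:)]+$//' \
        | LC_ALL=C sort -u
}

# API paths quoted with " or ', with or without scheme and host: this is the
# grep you would run over Heap-xx.heapsnapshot, but it returns the path only.
extract_api_paths() {
    grep -Eo "[\"'](https?://[^\"']*)?/api/[A-Za-z0-9._~/?=&%-]*[\"']" \
        | tr -d "\"'" \
        | sed -E 's#^https?://[^/]+##' \
        | LC_ALL=C sort -u
}

# Constructed sample resembling a minified bundle (hosts are not real targets).
sample_js() {
    cat <<'EOF'
var a="https://api.example.test/v1/users?id=1&x=2";fetch("/api/internal/debug");
b=(function(){return "http://cdn.example.test:8080/static/app.js"})();
c='https://example.test/api/v2/me',d="mailto:foo@example.test";
EOF
}

# Real usage: extract_urls < bundle.js ; extract_api_paths < Heap-1.heapsnapshot
sample_js | extract_urls
sample_js | extract_api_paths
```

The second grep is what makes the heap-snapshot trick useful: a snapshot is one huge JSON document, so `grep '/api'` on the raw file returns the whole line; anchoring on the surrounding quotes gives one path per line that can go straight into a request list.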
@imranparray101
Imran Parray
5 years
#BountyTip Here is how to generate an efficient wordlist from "Wayback" for better bruteforcing on your bug bounty target. Due to the size of the command I have added it in the reply to this tweet. Demo: #infosec #hacking #Cybersecurity @Bugcrowd
[attached image]
@imranparray101
Imran Parray
5 years
Created a tool which extracts endpoints from JS files. What's new:
- Uses online APIs to find as many JS files as possible.
- Uses a recursive approach to go as deep as possible. (Recursive? It recursively finds new sources from extracted endpoints to find more endpoints.)
#cybersecurity
[attached image]
@imranparray101
Imran Parray
3 years
The way I look at HTTP JSON responses: #bugbountytips
[attached image]
@imranparray101
Imran Parray
4 years
Yesterday while listening to @Jhaddix's talk on "TBHM V4" I decided to create its MindMap, including the tools and techniques Jason mentioned during the talk. The "TBHM V4" Mindmap: You can have a look at my other mindmaps at:
[attached image]
@imranparray101
Imran Parray
4 years
Do you love FUZZING? Here is a simple Python script which replaces the parameter values in target URLs with your desired input. Make your huge list of target URLs ready to go for fuzzing and mass testing.
[attached image]
@imranparray101
Imran Parray
3 years
[Thread] How I approach Bug Bounty Targets. [~] My whole methodology in 5 points. Target example: Google Forms #bugbountytips #hacking #bugbounty
@imranparray101
Imran Parray
5 years
#BountyTip Here is my bash function to generate Google/Shodan/GitHub dorks for my bb targets. $ googledorks will give me a whole bunch of dorks related to the target company. [Don't copy the code / Copy the idea] #infosec #automation #linux #cybersecurity
[attached image]
@imranparray101
Imran Parray
3 years
3 Steps to Hack Anything! - Understand The System. - Assume the Vulnerability. - Execute the Assumption. + Repeat #cybersecurity
@imranparray101
Imran Parray
6 years
One-liner Subdomain Enumeration using #Wayback 〰️🔙 curl -s "" | sort | sed -e 's_https*://__' -e "s/\/.*//" -e 's/:.*//' -e 's/^www\.//' | uniq @NahamSec @JaneScott_ @kfalconspb
[attached image]
@imranparray101
Imran Parray
2 years
Subdomain Enumeration using Wayback. curl -s "" | cut -d'/' -f3 | sort -u #appsec #infosec #bugbountytips
[attached image]
@imranparray101
Imran Parray
3 years
Password reset functionalities have always been interesting targets to me. Here are some of the test cases that I look for when testing password reset functionalities in web applications. #bugbountytips
@imranparray101
Imran Parray
3 years
Awk : grep: cut: find: sed: ssh: curl: dig:
@imranparray101
Imran Parray
2 years
Every XSS is an account takeover. In the last few years I have found tons of XSS (non-self) and 99% of them escalated to 0/1-click account takeovers. #bugbounty
@imranparray101
Imran Parray
5 years
Recon Tip: As JavaScript files are always full of secret information, here is how you can use `grep` to extract comments inside JavaScript. Example: curl | grep '//' #infosec #bugbounty #linux #cybersecurity
@imranparray101
Imran Parray
2 years
I came across an interesting IDOR/BAC vulnerability that required a random ID to exploit. I discovered that the next ID is generated by incrementing the previous ID with 90600,32300,65700 and a few more numbers. I quickly wrote this POC that guesses the next ID. #bugbounty
[attached image]
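Added example, not the author's PoC: when "random" IDs are really the previous ID plus one of a few fixed increments, the increments can be learned from IDs you already hold (objects you created yourself) and the next candidates enumerated. The observed IDs below are constructed; the three increments are the ones named in the tweet. `next_id_candidates` is a breadth-first walk, so two generations ahead means every ID reachable by adding one or two increments, each listed once.

```bash
# Added example, not the author's PoC: learn the increments a server uses
# between consecutive IDs and enumerate candidates for the next ones.

# stdin: IDs you observed, one per line, in creation order -> unique deltas
observed_deltas() {
    awk 'NR > 1 { print $1 - prev } { prev = $1 }' | LC_ALL=C sort -n -u
}

# $1 = last known ID, $2 = how many generations ahead; stdin = deltas.
# Breadth-first walk: every ID reachable within $2 additions, each once.
next_id_candidates() {
    awk -v last="$1" -v steps="$2" '
        { d[NR] = $1 }
        END {
            seen[last] = 1; depth[last] = 0; q[1] = last; head = 1; tail = 1
            while (head <= tail) {
                id = q[head++]
                if (depth[id] >= steps) continue
                for (i = 1; i <= NR; i++) {
                    nid = id + d[i]
                    if (!(nid in seen)) {
                        seen[nid] = 1; depth[nid] = depth[id] + 1
                        q[++tail] = nid; print nid
                    }
                }
            }
        }' | LC_ALL=C sort -n -u
}

# Constructed IDs for the example; the real ones come from your own objects.
sample_ids() {
    printf '%s\n' 1000000 1090600 1122900 1188600 1279200
}

sample_ids | observed_deltas
sample_ids | observed_deltas | next_id_candidates 1279200 2
```

The candidate list grows roughly as (number of deltas)^generations, so keep the generation count small and feed the output to a request loop that stops on the first 200.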
@imranparray101
Imran Parray
3 years
Quick Hands-on Cheat Sheet for SqlMap: #appsec
@imranparray101
Imran Parray
3 years
Manually grepping through JS files has always been a win-win to me. #bugbountytips #bugbounty #appsec
[attached image]
@imranparray101
Imran Parray
3 years
You don't need a fancy laptop to get started in bug bounties; you'd be OK with a $200 old used laptop.
@imranparray101
Imran Parray
3 years
Looking for BAC issues, try this.
You have a restricted endpoint:
PATCH /api/users/123 ... {"email":"newEmail @com "}
Try this:
PATCH /api/users ... {"id":"1234","email":"newEmail @com "}
#bugbountytips
@imranparray101
Imran Parray
4 years
One-liner to check a list of targets against the "Heartbleed Vulnerability" #bugbountytips #Linux
[attached image]
@imranparray101
Imran Parray
2 years
Do you know that forward slashes ("/") inside html tags are automatically converted by browsers to spaces (" "). Eg: <a/b='c'/d='e'/f='g'>X</a> will be automatically converted into <a b='c' d='e' f='g'>X</a> #cybersecuritytips #bugbounty #bugbountytip
[attached image]
@imranparray101
Imran Parray
3 years
How many of you know about this awesome tool: #bugbountytip
@imranparray101
Imran Parray
5 years
I reported an XSS 4 months ago and was paid $300 for it. A couple of days ago I found the bypass at the same location and was paid $2200 for it. The only reason for the higher payout: 1 year ago I reported alert`1`. Now I report Organisation Takeover with the same XSS.
@imranparray101
Imran Parray
3 years
✅ Added 10 more Mind-maps to the list. Check out the full list here: #infosec #cybersecurity
[attached image]
@imranparray101
Imran Parray
3 years
[1/2] In a role-based application, HTML image injection can easily be converted into an impactful DoS attack by injecting the application's logout link as the src attribute of an injectable image tag, leading to a DoS for all other members of the organisation. #bugbountytips
[attached image]
@imranparray101
Imran Parray
1 year
Since I no longer get time to do bug bounties, I think it would be wise to share my old findings in Twitter threads. I will post 1 bug/day starting from tomorrow. I will also use the #onebugaday hashtag to keep all the threads easily accessible to the audience. #bugbounty
@imranparray101
Imran Parray
5 years
Here is the methodology that I use to find server-side issues on Bug Bounty targets. Let me know if I am missing anything! @Hacker0x01 @Bugcrowd @Jhaddix (Thanks for introducing this to us) #bugbounty #bugbountytip
[attached image]
@imranparray101
Imran Parray
4 years
Learn some bash today.👇
[attached image]
@imranparray101
Imran Parray
4 years
Subdomain Extraction: Higher-level subdomains have always tended to be more vulnerable than lower-level subdomains. Here is how to grep a specific level of subdomains from a list of subdomains. #bugbounty #bugbountytips #linux
[attached image]
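Added example, not the author's one-liners, serving the two Wayback subdomain-enumeration tweets on this page and the subdomain-level grep in this one: `urls_to_hosts` reduces a URL list to unique lowercase hostnames (stripping scheme, userinfo, port, path, query and a leading www.), and `subdomain_level` keeps the hosts with exactly N dot-separated labels. The URL list is constructed; the hostnames are placeholders.

```bash
# Added example (not the author's one-liners): collapse a URL list to unique
# hostnames, then keep only hosts at a chosen depth. Assumes sed/awk/grep.
urls_to_hosts() {
    # scheme, then user:pass@, then everything from the first / ? or :
    sed -E 's#^[A-Za-z]+://##; s#^[^/@]*@##; s#[/?:].*$##; s/^www\.//' \
        | tr '[:upper:]' '[:lower:]' \
        | grep -E '^[a-z0-9.-]+$' \
        | LC_ALL=C sort -u
}

# Exactly N labels: 3 => one label under example.test, 4 => two labels.
# Use 'NF >= n' instead to keep everything at that depth or deeper.
subdomain_level() {
    awk -F. -v n="$1" 'NF == n'
}

# Constructed input; in practice this is the Wayback/CDX URL list.
sample_urls() {
    cat <<'EOF'
https://www.example.test/login
http://api.example.test:8443/v1
https://Dev.Api.example.test/
https://user:pass@internal.example.test/admin
https://cdn.example.test
https://www.example.test/?q=1
EOF
}

sample_urls | urls_to_hosts
sample_urls | urls_to_hosts | subdomain_level 4
```

Stripping the userinfo before the port is what keeps `user:pass@host` from being cut at the first colon; the original `cut -d'/' -f3` variant keeps the port and credentials in the output.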
@imranparray101
Imran Parray
3 years
Looking for BAC issues, try this.
You have a restricted endpoint:
GET /api/users/123/profile
Try:
GET /api/users/123/profile
POST /api/users/123/profile
PUT /api/users/123/profile
PATCH /api/users/123/profile
DELETE /api/users/123/profile
#bugbountytips
@imranparray101
Imran Parray
3 years
#🆕Update Added 4 new Mind-Maps to
✅ Added Cookie Based Authentication Vulnerabilities
✅ Added Testing JIRA for CVEs
✅ Added Scope Based Testing
✅ Added OAuth 2.0 Threat Model Pentesting Checklist
Thanks @harshbothra_ and @BinaryBrotherh1
@imranparray101
Imran Parray
4 years
Adding a list of URLs/domains to Burp with curl. #bugbounty #bugbountytips #oneliner #Linux
[attached image]
@imranparray101
Imran Parray
3 years
You can always do much more with request smuggling, Here is an example where i was able to leak API keys, get access to internal network and takeover account in masses by escalating the attack to the next level. Thanks to @albinowax for his awesome work.
[attached image]
@imranparray101
Imran Parray
4 years
#BugBountyTip You will always Find what you are looking for. So if you haven't found a RCE,SSRF or any other critical ones yet. Probably you aren't looking for them.
@imranparray101
Imran Parray
5 years
Here are the slides for my latest talk on "Bash and Recon" at @Nullblr. Even though the number of slides is small, because it was a hands-on session on Bash, beginners can get a really good overview of how Bash can be useful to automate security stuff.
@imranparray101
Imran Parray
5 years
#BountyTip Remember, if you found a huge number of JavaScript files on your bb target... Don't just leave them after having a quick look at them. You can use grep to find some juicy info inside. Here are some advanced ways to do better grepping. #infosec
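Added example, not the author's grep, for the two JavaScript-grepping tips on this page (comment extraction with `grep '//'` earlier, and the "better grepping" here): `js_comments` pulls `//` and `/* ... */` comments without tripping on the `://` inside URLs, and `js_secrets` flags secret-looking assignments with their line numbers. Both are text heuristics, like the original tip, so a `//` inside a string literal will also be reported. The sample bundle is constructed and the key in it is a placeholder.

```bash
# Added example (not the author's grep): pull developer comments and
# credential-looking assignments out of a JavaScript bundle. Heuristic and
# text-based like the original tip; it needs only awk and grep.

# Comments: '//' that is not part of '://', plus /* ... */ blocks that may
# span lines. Prints the comment text only.
js_comments() {
    awk '
        inblock {                       # inside a /* ... */ block
            if (match($0, /\*\//)) { print substr($0, 1, RSTART + 1); inblock = 0 }
            else print
            next
        }
        {
            line = $0
            gsub(/:\/\//, ":@@", line)  # same length, so offsets still match $0
            if (match(line, /\/\*/)) {
                rest = substr($0, RSTART)
                if (match(rest, /\*\//)) print substr(rest, 1, RSTART + 1)
                else { print rest; inblock = 1 }
            } else if (match(line, /\/\//)) {
                print substr($0, RSTART)
            }
        }'
}

# Secrets: key-like names assigned a quoted literal of 6+ chars, with the
# line number so the hit can be located again in the bundle.
js_secrets() {
    grep -niE "(api[_-]?key|secret|token|passw(or)?d|authorization)[A-Za-z0-9_]*[[:space:]]*[:=][[:space:]]*[\"'][^\"']{6,}"
}

# Constructed sample; the key is a placeholder, not a real credential.
sample_js() {
    cat <<'EOF'
// TODO: remove debug endpoint before release
var apiKey = "AKIA0000000000EXAMPLE"; // legacy key, constructed for this example
fetch("https://example.test/api/v1/items"); /* called on load */
/* internal note:
   staging host is stage-internal.example.test */
var x = 1;
EOF
}

# Real usage: curl -s "$url" | js_comments ; curl -s "$url" | js_secrets
sample_js | js_comments
sample_js | js_secrets
```

Minified bundles are usually one line, so `grep -n` gives little; pipe them through a beautifier (or `tr ';' '\n'`) first so the line numbers mean something.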
@imranparray101
Imran Parray
5 years
Steal it like you own it. #TIP: 1- Collect endpoints/parameters from the API request. 2- Make a brute-force list. 3- Now use that list to recursively bruteforce all the API endpoints. #BugBountyTip #infosec #Cybersecurity @Bugcrowd
[attached image]
@imranparray101
Imran Parray
4 years
"API Testing" has always been my favorite. Here is an tip for guessing new API Endpoints without bruteforcing/scraping the target app. #bugbountytips #APItesting
Tweet media one
4
36
131
@imranparray101
Imran Parray
3 years
I am building something which automates 70% of my API testing process. It can look for IDORs, privilege escalation and other injection issues in any REST/GraphQL APIs irrespective of their content-types or the structure of the API.
@imranparray101
Imran Parray
4 years
APIs are mostly protected from XSS using the correct content-types, but several companies allow users to upload files through their web app and then serve those files through the API. This can sometimes be abused to bypass the content-type protection. #bugbountytips #bugbounty
[attached image]
@imranparray101
Imran Parray
3 years
My presentation on "Bash and Recon" is live on Vimeo. It's about how I use bash to automate my recon process. Check it out here: #bugbounty #cybersecurity
@imranparray101
Imran Parray
4 years
Wrote a simple Python script to extract parameters from a list of URLs, which in my case seems to be very helpful in API testing.
[attached image]
@imranparray101
Imran Parray
4 years
Wrote a simple bash script which continuously looks for possible 2nd-order subdomain takeover vulnerabilities. I continuously export logs from Burp Suite using Logger++ and run this script over the links again and again, and it beeps whenever it finds a dead DNS record.
[attached image]
@imranparray101
Imran Parray
3 years
The replace() function in JavaScript by default only replaces the first instance of the matched string, so adding extra characters that it wishes to replace at the beginning of your payload will completely bypass the filter. #bugbountytips
[attached images]
@imranparray101
Imran Parray
2 years
We at @snap_sec recently published a bunch of articles on “Attacking modern web apps” , go check them out. 👇 #appsec #bugbounty
@imranparray101
Imran Parray
3 years
[1/3] One of the easiest ways to get an IDOR on a role-based application is to invite the target user to your organisation. Since he becomes a member of your organisation, you will be allowed to get his user information via the API. #bugbountytips
@imranparray101
Imran Parray
3 years
✅ Added 5 more Mindmaps to ⏺️ Access Control Vulnerabilities ⏺️ CISO MindMap 2021 ⏺️ Common Vulnerabilities on Forgot Password ⏺️ Common XML Attacks ⏺️ Copy of Vulnerability Checklist for SAML
@imranparray101
Imran Parray
3 years
I wanted to quickly share an idea of building an automation to test privilege escalation/IDORs and other injection attacks on APIs. Here is a rough diagram of the tool. #bugbounty
[attached image]
@imranparray101
Imran Parray
4 years
#bugbountytip Mastering a single bug class is better than being noob at everything. #bugbounty #infosec
@imranparray101
Imran Parray
5 years
Reported 5 vulnerabilities to my favorite #BugBounty program on @Bugcrowd. Got all of them accepted and paid. This is the largest number of valid vulnerabilities I have reported in one day. Thanks to @Bugcrowd #Bugbounty #Infosec #hacking #cybersecurity
[attached images]
@imranparray101
Imran Parray
3 years
Killing open ports directly from the terminal. This can be useful when you want to start a service/tool which needs an open port to run, but if that port is already consumed by some unknown service you can use this command to directly kill that service. #LINUXtips
[attached image]
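Added example, not the author's command: find the process that owns a TCP listener and kill it. The parser takes `ss -ltnp` output on stdin so it can be exercised on a saved listing; `kill_port` runs the real thing and shows the owner before sending SIGTERM. It assumes the Linux `ss` column layout shown in the constructed listing (seeing other users' process names needs root).

```bash
# Added example (not the author's command): find and kill whatever is
# listening on a TCP port. The parser takes `ss -ltnp` output on stdin so it
# can be tested against a saved listing; kill_port runs the real thing.
pids_on_port() {
    # $4 is "Local Address:Port" in ss output; take every pid= in that row
    awk -v port="$1" '$4 ~ (":" port "$")' \
        | grep -Eo 'pid=[0-9]+' | cut -d= -f2 | LC_ALL=C sort -u
}

kill_port() {
    port=$1
    pids=$(ss -ltnp 2>/dev/null | pids_on_port "$port")
    if [ -z "$pids" ]; then
        echo "nothing is listening on :$port" >&2
        return 1
    fi
    # show the owner before killing; SIGTERM first, escalate by hand if needed
    ss -ltnp | awk -v port="$port" 'NR == 1 || $4 ~ (":" port "$")' >&2
    # shellcheck disable=SC2086  (word splitting on purpose: one pid per word)
    kill $pids
}

# Constructed `ss -ltnp` listing for the example.
sample_ss() {
    cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      4096   127.0.0.1:8080      0.0.0.0:*         users:(("python3",pid=4242,fd=3),("python3",pid=4243,fd=3))
LISTEN 0      511    *:80                *:*               users:(("nginx",pid=901,fd=6),("nginx",pid=902,fd=6))
EOF
}

sample_ss | pids_on_port 8080
# kill_port 8080
```

Anchoring the match on `:PORT$` is what stops port 80 from also matching 8080; a plain `grep 80` is the classic way to kill the wrong thing.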
@imranparray101
Imran Parray
3 years
I did it. Managed to centralize my recon data using a REST API built with MongoDB and Node.js.
[attached image]
@imranparray101
Imran Parray
2 years
How to be a good Researcher. > Read more and more about less and less. #cybersecurity
@imranparray101
Imran Parray
4 years
Do you lack the skills to code your own tools and scripts? Here is something for you. I came across this book, "Coding for Penetration Testers", which covers almost everything you need to build better tools.
[attached image]
@imranparray101
Imran Parray
3 years
We Just published a write-up : "Attacking Access Control Models In Modern Web Applications". Follow us for more @snap_sec . #bugbounty #bugbountytips #appsec
@imranparray101
Imran Parray
1 year
How to get depression in 4 easy steps. #BugBounty
@HackerGautam
Dr.Rohit Gautam
2 years
Eat → Bug Bounty ↑ ↓ Bug Bounty ← Sleep
@imranparray101
Imran Parray
4 years
Read my shitty post here: and share your thoughts.
@imranparray101
Imran Parray
4 years
[1/3] Want to get started in Bug Bounties? Here is a list of things that you need to learn before jumping into bug bounties.
- How the internet works
- Understanding the TCP/IP and OSI models
- How DNS works
- How web servers work
- How to set up a web server
- HTML
- JavaScript
- PHP
@imranparray101
Imran Parray
5 years
When it comes to API testing, finding new endpoints is one of the important techniques that shouldn't be ignored at all. But most people do it wrong. Recursion techniques can be combined with endpoint-extracting tools to get the best out of them. #bugbountytip #cybersecurity
[attached image]
@imranparray101
Imran Parray
5 years
[attached image]
@imranparray101
Imran Parray
4 years
Since I have been learning some advanced stuff about nmap over the last week, I will be posting some interesting stuff about nmap. [1] How to check if a list of hosts is live/dead without performing a port scan.
[attached image]
@imranparray101
Imran Parray
4 years
browserstack is a cross browser testing tool to test across new and old versions of IE, Edge, Safari, Chrome and Firefox. You can open an URL in any browser without installing the browser in your system, it can be useful when testing browser specific bugs. #bugbountytips
[attached image]
@imranparray101
Imran Parray
3 years
De-Duplicating similar endpoints with different parameters. A quick one-liner. #bugbountytips
[attached image]
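Added example, not the author's Python scripts, that covers three tips on this page at once: listing parameter names from a URL list, swapping every parameter value for a payload before fuzzing, and the de-duplication in this tweet (endpoints that differ only in parameter values or order collapse to one). awk only; the URLs are constructed.

```bash
# Added example covering three tips: list parameter names from a URL list,
# swap every parameter value for a payload, and de-duplicate endpoints that
# differ only in parameter values or order. Not the author's scripts.

# Unique parameter names across the whole list (query part only).
url_param_names() {
    sed -En 's/^[^?]*[?]//p' | tr '&' '\n' | cut -d= -f1 | grep -v '^$' | LC_ALL=C sort -u
}

# $1 = payload. Only the query part is touched, so '=' in the path survives.
# Caveat: '&' in the payload is special to awk's gsub; URL-encode it as %26.
url_fuzz_values() {
    awk -v pl="$1" 'BEGIN { FS = "[?]"; OFS = "?" }
        { if (NF > 1) gsub(/=[^&#]*/, "=" pl, $2); print }'
}

# Key = URL without query + sorted parameter names; first URL per key wins.
url_dedupe() {
    awk 'BEGIN { FS = "[?]" }
        {
            key = $1
            if (NF > 1) {
                q = $2; sub(/#.*/, "", q)
                n = split(q, kv, "&")
                for (i = 1; i <= n; i++) { split(kv[i], p, "="); name[i] = p[1] }
                for (i = 1; i <= n; i++)          # sort names so a&b == b&a
                    for (j = i + 1; j <= n; j++)
                        if (name[j] < name[i]) { t = name[i]; name[i] = name[j]; name[j] = t }
                for (i = 1; i <= n; i++) key = key (i == 1 ? "?" : "&") name[i]
            }
            if (!(key in seen)) { seen[key] = 1; print }
        }'
}

# Constructed URL list (what a crawler or the Wayback export would give you).
sample_urls() {
    cat <<'EOF'
https://example.test/items?id=1&sort=asc
https://example.test/items?sort=desc&id=2
https://example.test/items?id=3
https://example.test/items
https://example.test/users?id=1
EOF
}

sample_urls | url_param_names
sample_urls | url_dedupe
sample_urls | url_dedupe | url_fuzz_values FUZZ
```

Running `url_dedupe` before `url_fuzz_values` is the point of the de-duplication tip: the fuzzer then hits each distinct endpoint/parameter-set once instead of once per historical value.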
@imranparray101
Imran Parray
4 years
I always run my tools on a VPS. Making any modification to my tools becomes a headache as I always have to move files from the VPS to my local machine even for small modifications. So I wrote "Editing Files on your VPS with Sublime on your local machine."
@imranparray101
Imran Parray
5 years
#LinuxTip You can easily upload and download files from the command line using the ffsend command on Linux. #infosec #linux #hacking #bugbountytips
[attached image]
@imranparray101
Imran Parray
3 years
Ask me your bug bounty doubts/questions. #BugBounty
@imranparray101
Imran Parray
3 years
Have a look at these 12 different techniques to beat 2FA in web apps. #appsec #bugbountytips
@imranparray101
Imran Parray
4 years
#bugbountytips If user-supplied data is reflected inside double quotes (") within a <script> tag, there is no need to escape double quotes (") to trigger XSS. Thanks to @leonishan_
[attached image]
@imranparray101
Imran Parray
4 years
(--min-rate 10) means the number of packets sent at a time is equal to or greater than 10 You can find more about timing and performance here:
@imranparray101
Imran Parray
5 years
Here is the command used: curl -s "" | sed 's/\//\n/g' | sort -u | grep -v 'svg\|.png\|.img\|.ttf\|http:\|:\|.eot\|woff\|ico\|css\|bootstrap\|wordpress\|.jpg\|.jpeg' > wordlist.txt
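The wordlist command above, as an added example rather than the author's one-liner: it takes the archived URL list on stdin (fetch it beforehand, for instance from the Wayback CDX API, which is not called here), splits path segments and parameter names into one token per line, drops static-asset names and hashed bundle names, and de-duplicates. Unlike the original it strips the scheme and host first, so `http:` and port numbers never reach the wordlist. The URL list is constructed.

```bash
# Added example, not the author's exact one-liner: turn a list of archived
# URLs into a wordlist of path segments and parameter names, minus
# static-asset noise. Feed it the URL list you fetched separately.
wayback_wordlist() {
    sed -E 's#^[a-z]+://[^/]+##' \
        | sed -E 's#[?&=]#/#g' \
        | tr '/' '\n' \
        | grep -Ev '^$|\.(png|jpe?g|gif|svg|ico|css|woff2?|ttf|eot)$|\.[0-9a-f]{8,}\.(js|css)$' \
        | LC_ALL=C sort -u
}

# Constructed stand-in for the archive export.
sample_archive_urls() {
    cat <<'EOF'
https://example.test/admin/login.php?next=/dashboard
http://www.example.test:8080/static/img/logo.png
https://example.test/api/v2/users/export?format=csv&token=abc
https://example.test/assets/app.3f2a9c1d5e7b8a9c.js
https://example.test/admin/
EOF
}

# Real usage: wayback_wordlist < archived-urls.txt > wordlist.txt
sample_archive_urls | wayback_wordlist
```

Parameter names (`next`, `format`, `token`) end up in the same list as path segments on purpose: the same words tend to reappear as hidden parameters and as directory names on the target.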
@imranparray101
Imran Parray
5 years
Today's Bugs! 1) I was able to find an API endpoint which was leaking information related to the company which was meant to be private. 2) I was able to escalate my privileges and get access to the restricted part of the application. #infosec @Bugcrowd
[attached image]
@imranparray101
Imran Parray
3 years
Looking for BAC issues, try this.
You have an endpoint:
GET /api/org/1234/members/123/profile
Try:
GET /api/orgs/1234/members/123/profile
GET /api/org/1234/members/123
GET /api/orgs/1234/members
GET /api/orgs/1234
GET /api/orgs
#bugbountytips
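Added example that turns the three BAC tweets on this page (verb swapping, moving the object id from the path into the body, and walking up the path as here) into a variant generator; it is not the author's code. `bac_variants` runs offline and prints one `METHOD PATH [BODY]` line per attempt; `bac_probe` sends them with curl under a low-privileged session and is not run here. The base URL and the LOW_PRIV_TOKEN variable are assumptions.

```bash
# Added example (not the author's checklist turned into code): from one
# restricted endpoint, print the variants the BAC tweets suggest trying,
# then optionally fire them with curl. Only the generator runs offline.
bac_variants() {
    path=$1
    # 1. walk up the path: each ancestor may have its own, weaker check
    p=$path
    while [ -n "$p" ] && [ "$p" != "/" ]; do
        printf 'GET %s\n' "$p"
        p=${p%/*}
    done
    # 2. same resource, different verb
    for m in POST PUT PATCH DELETE; do
        printf '%s %s\n' "$m" "$path"
    done
    # 3. object id moved from the path into the body (only when the last
    #    segment is numeric), e.g. PATCH /api/users {"id":"123"}
    id=${path##*/}
    case $id in
        ''|*[!0-9]*) ;;
        *) printf 'PATCH %s {"id":"%s"}\n' "${path%/*}" "$id" ;;
    esac
}

# Send each variant with a low-privileged token and print the status code.
# $1 = base URL (hypothetical, e.g. https://target.example.test);
# LOW_PRIV_TOKEN is assumed to hold the attacker account's bearer token.
bac_probe() {
    base=$1
    while read -r method path body; do
        if [ -n "$body" ]; then
            code=$(curl -s -o /dev/null -w '%{http_code}' -X "$method" \
                -H "Authorization: Bearer $LOW_PRIV_TOKEN" \
                -H 'Content-Type: application/json' -d "$body" "$base$path")
        else
            code=$(curl -s -o /dev/null -w '%{http_code}' -X "$method" \
                -H "Authorization: Bearer $LOW_PRIV_TOKEN" "$base$path")
        fi
        printf '%s %-6s %s\n' "$code" "$method" "$path"
    done
}

bac_variants /api/org/1234/members/123/profile
# bac_variants /api/users/123 | bac_probe https://target.example.test
```

A 200 on an ancestor or on a different verb is the lead, not the finding: confirm with a second account that the data returned belongs to someone else before reporting.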
@imranparray101
Imran Parray
3 years
An amazing list of curated techniques to exploit blind SSRF's. Thanks to @infosec_au for compiling this amazing writeup. #bugbountytips #appsec
@imranparray101
Imran Parray
1 year
I am 1 step away from an $8000 account takeover !!! #BugBounty
@imranparray101
Imran Parray
3 years
Cross domain Token Usage: ==================== - Login in website(A) and generate a Token/session(X) - Now use the Token(X) to access all the subdomains of website(A). #bugbountytips #bugbounty
@imranparray101
Imran Parray
5 years
[attached image]
@imranparray101
Imran Parray
5 years
If you have a list of #subdomains and you want to do a quick IP resolution of them, here is a one-liner bash command to do that. #BugBounty #Infosec #linux #hacking @Bugcrowd @Hacker0x01
@imranparray101
Imran Parray
3 years
Looking for BAC issues, Try this to find hidden endpoints: #bugbountytips
[attached image]
@imranparray101
Imran Parray
6 years
Completed 9 months of bug hunting (working 3 hours a day). I reported 53 bugs including 17 P2 and 2 P1. It was a nice experience to work with @Bugcrowd and the team. Personally I want to thank @zseano @brutelogic @Jhaddix for everything that you did for the community.
[attached image]
@imranparray101
Imran Parray
4 years
#BountyTip I spend a lot of time understanding the target app before actually hacking it. One can do that by reading their blogs and other documentation. But I start with the company's "YouTube channel". It always helps me understand the app in less time than reading docs/blogs.
@imranparray101
Imran Parray
5 years
Yeaaah! I earned my first 4 digit bounty of 2019. Thanks @Bugcrowd #ItTakesACrowd
@imranparray101
Imran Parray
3 years
Looks much better now 😀
[attached image]
@imranparray101
Imran Parray
3 years
## Changes - Better readable readme - Added Android security Checklist mind-map by @harshbothra_
@imranparray101
Imran Parray
4 years
2nd Order Subdomain Takeover: Always keep an eye on Network tab of Google Developer Toolkit for 404 Errors. The 404 Error could mean that a target app is trying to load resources from a host/domain which doesn't exist, Which may lead to Subdomain Takeover. #bugbountytips
@imranparray101
Imran Parray
1 year
File upload functionalities in web apps continue to be one of the most vulnerable features. Read our blog post to discover 10 distinct attacks that can be used to exploit file upload vulnerabilities in your web applications. #appsec #cybersecurity
@imranparray101
Imran Parray
2 years
There is no hacking without reading the docs. If you are randomly spraying payloads online and it's finding you bugs, it's not hacking, it's just pure luck. #bugbounty #appsec
@imranparray101
Imran Parray
2 years
8 Techniques to bypass rate limit protection in Web Apps and API's [A thread by @snap_sec ] #bugbountytip #cybersecurity
@snap_sec
Snap Sec
2 years
8 different techniques to Bypass Rate Limits in Web Applications and API's. [A Thread 🧵] #bugbounty #bugbountytips #cybersecurity #AppSec
@imranparray101
Imran Parray
1 year
@NahamSec I will present these pieces of advice: - Learn how to code - Emphasise cultivating hacker mindset over learning more technical skills - Become proficient in a few key areas and leave the rest aside
@imranparray101
Imran Parray
5 years
Have a look at my bash script which helps me to do bruteforcing part very quickly. #bugbounty #infosec #security #automation
[attached image]
@imranparray101
Imran Parray
2 years
@n_7x9 There is no good way to look for xss, test however you feel comfortable. This blog by @brutelogic is definitely the best resource available to get a good grip on xss: