My methodology: (after re-watching naffy & m.litchefield's interviews so many times)
1. Click every button
2. Go to History and look for interesting requests
3. Send it to the playground (REPEATER) [Golden Tool]
4. Fuck up the request, give it your all!!!
#bugbountytips
I started Bug Bounty in 2019, had no luck until late last when I started realizing I wasn't taking hacking seriously.
Now I know, the more you show up, start Burp / ZAP and hunt... you will def WIN if you put in the work!!!
#bugbountytip
#bugbounty
Found a token leak via an IDOR but I cannot find its purpose (endpoint: /checkPaymentStatus), anyone who is willing to collab?
#BugBounty
#bugbountytips
#bugbounty
Just found an account takeover using this Information. Just add this smart man to your follower's list. Thank you @Jayesh25_ for insightful knowledge🫡
Since I'm receiving a lot of questions; Here's how you can disallow sharing email when using Login with Facebook:
(1) Login with Facebook to any app
(2) Click "Edit Access"
(3) Uncheck email address checkbox
(4) `Continue`
If there's one man that changed my life, it would be @NahamSec.
I appreciate you so much man. Things you have done for this community will never be forgotten 🙏🏾
Successfully bypassed an SSRF WAF by using a combination of IPv6 + Unicode. Payload for Metadata instances:
http://[::ⓕⓕⓕⓕ:①⑥⑨。②⑤④。⑯⑨。②⑤④]:80
Check images for response difference between 169.254.169.254 and the above payload I shared 🔥
#bugbounty
#infosec
#waf
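A defender-side view of the payload in the post above, as an added example that is not part of the original post: fold Unicode look-alikes and unwrap IPv4-mapped IPv6 before comparing an SSRF target against internal ranges. The function name `check_url` and its verdict strings are assumptions made for this illustration.

```python
import ipaddress
import unicodedata
from urllib.parse import urlsplit

# NFKC folds circled letters/digits to ASCII, but not the ideographic full
# stops that IDNA (UTS #46) also treats as ".", so map those explicitly.
_DOT_LIKE = str.maketrans({"\u3002": ".", "\uff0e": ".", "\uff61": "."})


def check_url(url):
    """Return (verdict, host); verdict is 'block', 'allow-ip' or 'resolve'.

    Hypothetical helper for a URL-fetching feature: 'resolve' means the host
    is a DNS name whose resolved addresses still need the same range check.
    """
    # Fold first, parse second: a filter that matches on the raw string
    # never sees "169.254.169.254" in the Unicode form of the address.
    folded = unicodedata.normalize("NFKC", url).translate(_DOT_LIKE)
    try:
        host = urlsplit(folded).hostname
    except ValueError:
        return ("block", None)  # unparseable after folding: fail closed
    if not host:
        return ("block", None)
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return ("resolve", host)
    # ::ffff:a.b.c.d is routed as the embedded IPv4 address, so judge that.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    internal = (ip.is_link_local or ip.is_loopback
                or ip.is_private or ip.is_unspecified)
    return ("block" if internal else "allow-ip", str(ip))


if __name__ == "__main__":
    samples = [
        "http://[::ⓕⓕⓕⓕ:①⑥⑨。②⑤④。⑯⑨。②⑤④]:80",  # payload quoted in the post
        "http://169.254.169.254/",                 # constructed sample
        "http://8.8.8.8/",                         # constructed sample
        "https://example.com/x",                   # constructed sample
    ]
    for s in samples:
        print(check_url(s), s)
```

The fetcher should connect to the address this check validated rather than re-parsing the original string, otherwise the filter and the HTTP client can still disagree about the destination.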
@bug4you
Spotted a ?url= parameter then tried my Burp collab link
Tested again with local IP and fuzzed the ports for the IP then you check response length and the response itself
Sometimes this can land you on an internal admin portal
After years of confusion and wasting time. I am really starting to enjoy testing apps.
Tip: Open Burp and try to manipulate an application EVERY FU*KN DAY!!!
#bugbountytips
#bugbounty
The way I see it, everyone has their own kind of style of hacking, that's why you always have to approach an application as if it's new.
With the same request I just looked at and found an IDOR you might find a bug I never thought of.
#bugbountytip
#bugbounty
I hack better with Burp Intercept feature and Repeater. I usually do look at History unless there's a specific request I am looking for.
I just like to rip off the application in real time.
#BugBounty
#bugbountytip
Thank you for all the free resources @WebSecAcademy
I am always grateful to all the platforms/people for giving knowledge for FREE. That's why I also share what I learn for free; it's like I give back what I have taken from the Internet.
Read every post / writeup / video with appreciation. You will learn 📙 effectively when you appreciate every bit of information 🧠 that's been provided to you. Let's appreciate those who share their experiences to teach us as a community ♥
#bugbountytip
#bugbounty
@AlanBailward
@Jhaddix
Nmap hard forces a close on its stealth / half scan, and performs faster than Naabu does in that regard, at least in my tests.
But it’s moot. I don’t want to use raw sockets and require root privs just to do a scan. Naabu seems faster when doing the full CONNECT.
So when
Work on a program for 9 months,
The result is a good understanding of the site,
despite the number of 9,000 vulnerabilities reported I am still able to report critical reports
happy hunting $$$$$ 🔥
@GokTest
FFUF is fast but requires carefully curated wordlists, with dirsearch you find juicy endpoints with its default wordlist.
ffuf is great but I love dirsearch.
Grim
1. You were born in a cold prison, it is your country, your state.
2. You have to pay for the prison stay, they call the prison fees taxes.
3. You have no say what will be done with the money, but you have to pay.
4. To pay the money you have to work.
@zseano
Thank you so much for this Sean 🙏🏾. I think I'm going to leave weed for a moment.
It's been 2 days sober and I feel energetic. Even went for a long run today.
@GokTest
Thank you bro, you really helped me. I was addicted to these proxy tools and was lacking productivity these past weeks. Thanks again mate! I am already fuzzing as we speak😁