I earned $10,000 for my submission on @bugcrowd. My highest payout so far for a single report from @Bugcrowd.
The issue was takeover of all accounts, including the super admin account, without user interaction.
#ItTakesACrowd
1000 points on a single program on @Bugcrowd, and also passed $50k on the same program. Focusing on a single application really helps. This program does not have a large scope, just a single application with lots of functionality to test. Awesome team, great response time & fast fixes.
If you find a JSP page with no parameters, you can actually add path parameters using a semicolon, like this:
;');alert(1)//
and perform XSS. Apache Tomcat supports this.
#Bugbountytip
#BugBounty
#XSS
Found a weird bug:
1. While registering with a username, got the error "username already taken", so I used another username.
2. Go to edit profile, change the username to the already registered username: success!
3. The existing user's account with that username was deleted.
#bugbounty
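The bug above is a uniqueness rule that registration enforces but the edit-profile path does not. The following is an added example (not the tweet author's code, and not taken from any real application) contrasting a profile-update handler with no check against one that applies the same rule as registration and also has the database enforce it. The table, column names and the two seeded users are constructed for the demo; the strip/casefold normalisation is an added hardening beyond what the tweet describes, so that "Alice " cannot shadow "alice".

```python
# Added example: username change with and without a uniqueness guarantee.
# Schema, user records and function names are constructed for this demo.
import sqlite3


def _seed(conn: sqlite3.Connection) -> None:
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    conn.commit()


def make_db_weak() -> sqlite3.Connection:
    """Flawed schema: uniqueness is only checked by registration code, never by the DB."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    _seed(conn)
    return conn


def make_db_hardened() -> sqlite3.Connection:
    """Hardened schema: the database enforces uniqueness for every write path."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, "
        "username TEXT NOT NULL UNIQUE, email TEXT)"
    )
    _seed(conn)
    return conn


def change_username_weak(conn: sqlite3.Connection, user_id: int, new_username: str) -> str:
    """Edit-profile path with no uniqueness check: silently creates a collision."""
    conn.execute("UPDATE users SET username = ? WHERE id = ?", (new_username, user_id))
    conn.commit()
    return "ok"


def change_username_hardened(conn: sqlite3.Connection, user_id: int, new_username: str) -> str:
    """Edit-profile path that reuses the registration rule.

    The explicit SELECT gives a friendly error message; the UNIQUE constraint is
    the real guarantee and also covers the race where two requests pass the
    check at the same moment.
    """
    name = new_username.strip().casefold()  # added normalisation (assumption)
    if not name:
        return "error: empty username"
    row = conn.execute(
        "SELECT id FROM users WHERE username = ? AND id != ?", (name, user_id)
    ).fetchone()
    if row is not None:
        return "error: username already taken"
    try:
        conn.execute("UPDATE users SET username = ? WHERE id = ?", (name, user_id))
        conn.commit()
    except sqlite3.IntegrityError:  # lost the race: constraint still holds the line
        conn.rollback()
        return "error: username already taken"
    return "ok"


def count_with_username(conn: sqlite3.Connection, username: str) -> int:
    """How many accounts answer to this username? Anything above 1 is a collision."""
    return conn.execute(
        "SELECT COUNT(*) FROM users WHERE username = ?", (username,)
    ).fetchone()[0]


if __name__ == "__main__":
    weak = make_db_weak()
    print(change_username_weak(weak, 2, "alice"), count_with_username(weak, "alice"))
    hard = make_db_hardened()
    print(change_username_hardened(hard, 2, "alice"), count_with_username(hard, "alice"))
```

The point of the two layers is that application code can be bypassed by any path the developer forgot (bulk import, admin tools, a second API version), while a database constraint applies to every path that writes the column.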
One of the major bounties I got was for blind SQL injection, in a PrestaShop CMS module. I always keep an eye on CMS & module based CVE releases. Here is the POC & exploit.
The @PrettyRecon database helps me find targets from my DB which are using PrestaShop.
Focused on XSS after a long time. It's sometimes hard to prevent this type of bug: read & understand JS code, use the Wayback Machine, gather as many endpoints as you can, grab parameters from JS files, use @PrettyRecon.
I earned a little over 20k this month just by doing XSS, so for all newbie hunters: you can focus on a single bug class & still make a decent earning from it.
Most of the bugs are DOM based & mostly automated.
If [] is blocked in Jinja2 SSTI, you can use the pop() function. Try the below payload to read internal files.
{{[].__class__.__base__.__subclasses__().pop(40)('/etc/passwd').read()}}
#ssti
#bugbounty
#bugbountytips
#jinja2
How to start with @Bugcrowd?
Start with points-only programs, focus on one bug at a time like XSS. Bugcrowd has some easy public targets like the CISA gov programs & Ubisoft; find bugs there and then you will get private invites.
#bugbounty
I earned $7,500 for my submission on @bugcrowd.
Sensitive information disclosure.
Got the asset by searching footers in the @PrettyRecon web mapper tool.
Target-specific directory bruteforce.
Got an unauthenticated endpoint disclosing sensitive info.
#ItTakesACrowd
Here is a blog for "Mass hunting vulnerabilities with the subdomain database feature of @PrettyRecon".
I also shared a few vulnerable services & software which are vulnerable to open redirects, & you can chain them with other bugs to increase impact.
I earned $600 for my submission on @bugcrowd.
Privilege escalation, easy find: collect all requests in an admin session & perform the same with a basic user session.
#ItTakesACrowd
I earned $1,250 for my submission on @bugcrowd.
Stored XSS using a bulk data upload feature; sometimes developers add filters on the form but forget to do the same with data uploaded via CSV.
#ItTakesACrowd
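The tweet above describes a validation gap: the web form has an input filter, the CSV bulk import does not, and both write to the same column that is later rendered. The following added example (not the tweet author's code, not from any real project) shows an import routine that pushes every CSV cell through the same validator the form uses and rejects bad rows, plus output encoding at render time as a second layer. The CSV content, column names and the name pattern are constructed for the demo.

```python
# Added example: bulk CSV import reusing the form's validator, plus output encoding.
# Sample CSV, column names and validation rule are constructed for this demo.
import csv
import html
import io
import re

# Constructed sample upload: one benign row and one carrying markup in the name column.
SAMPLE_CSV = (
    "name,role\n"
    "Alice Example,viewer\n"
    '"<script>alert(1)</script>",editor\n'
)

# The same rule the registration / edit-profile form applies (assumed allow-list).
NAME_RE = re.compile(r"[A-Za-z0-9 .'-]{1,64}")
ALLOWED_ROLES = {"viewer", "editor"}


def validate_name(value: str) -> str:
    """Shared input rule for display names. Raises ValueError on anything off the allow-list."""
    if not NAME_RE.fullmatch(value):
        raise ValueError(f"invalid name: {value!r}")
    return value


def validate_role(value: str) -> str:
    """Roles come from a fixed set; a bulk file must not be able to invent new ones."""
    if value not in ALLOWED_ROLES:
        raise ValueError(f"invalid role: {value!r}")
    return value


def import_csv_weak(text: str) -> list:
    """Bulk import that trusts the file: rows never see validate_name()/validate_role()."""
    return list(csv.DictReader(io.StringIO(text)))


def import_csv_hardened(text: str) -> tuple:
    """Bulk import that applies the form's validators to every cell.

    Returns (accepted_rows, rejected) where rejected lists (line_number, reason)
    so the uploader gets a precise error instead of a silent partial import.
    """
    accepted, rejected = [], []
    # Line numbers start at 2 because line 1 is the header row.
    for lineno, row in enumerate(csv.DictReader(io.StringIO(text)), start=2):
        try:
            clean = {
                "name": validate_name(row.get("name", "")),
                "role": validate_role(row.get("role", "")),
            }
        except ValueError as exc:
            rejected.append((lineno, str(exc)))
            continue
        accepted.append(clean)
    return accepted, rejected


def render_name(value: str) -> str:
    """Context-aware output encoding for an HTML text node or attribute value.

    This layer protects the page even if a value reached the database through a
    path nobody validated.
    """
    return html.escape(value, quote=True)


if __name__ == "__main__":
    print(import_csv_weak(SAMPLE_CSV))
    accepted, rejected = import_csv_hardened(SAMPLE_CSV)
    print(accepted, rejected)
    print(render_name("<script>alert(1)</script>"))
```

Design note: input validation and output encoding are independent controls. The allow-list stops hostile data from being stored at all, and `html.escape` at render time means that a value which slips in through some other path is still displayed as text rather than markup.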
I earned $500 for my submission on @bugcrowd.
#ItTakesACrowd
Sometimes registering with a company domain email gives you extra privileges, e.g. test@target.com. Or change your email to a company email if there is no email verification.
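The privilege grant above keys off the email domain, so it is only as strong as the proof that the user controls that address. The following is an added example (not the tweet author's code, not from any real application) of a role decision that trusts an unverified address next to one that requires a verified address with an exact domain match, and that resets verification whenever the address changes. The domain, user model and role names are constructed placeholders.

```python
# Added example: domain-based privilege gated on verified email.
# Domain, roles and the User model are constructed placeholders for this demo.
from dataclasses import dataclass

COMPANY_DOMAIN = "target.example"   # placeholder for the company's real domain
STAFF_ROLE = "staff"
DEFAULT_ROLE = "member"


@dataclass
class User:
    email: str
    email_verified: bool = False
    role: str = DEFAULT_ROLE


def _domain_of(email: str) -> str:
    """Domain part of an address, lower-cased; empty string if there is no '@'."""
    return email.rsplit("@", 1)[1].lower() if "@" in email else ""


def role_weak(user: User) -> str:
    """Flawed: privilege is granted from the address as typed, verified or not."""
    if _domain_of(user.email) == COMPANY_DOMAIN:
        return STAFF_ROLE
    return DEFAULT_ROLE


def role_hardened(user: User) -> str:
    """Privilege requires BOTH a verified address AND an exact domain match."""
    if user.email_verified and _domain_of(user.email) == COMPANY_DOMAIN:
        return STAFF_ROLE
    return DEFAULT_ROLE


def change_email(user: User, new_email: str) -> User:
    """Any address change clears verification; the role is recomputed from the new state.

    Without this reset, a user could verify a personal address once and then
    switch the stored address to a company one while keeping the verified flag.
    """
    user.email = new_email
    user.email_verified = False
    user.role = role_hardened(user)
    return user


def confirm_email(user: User) -> User:
    """Called only after the user proves control of the address (e.g. a signed link)."""
    user.email_verified = True
    user.role = role_hardened(user)
    return user


if __name__ == "__main__":
    u = User(email="someone@target.example")
    print(role_weak(u), role_hardened(u))   # unverified: weak grants staff, hardened does not
    confirm_email(u)
    print(role_hardened(u))                  # verified: staff
    change_email(u, "someone@target.example.attacker.test")
    print(role_hardened(u))                  # changed + lookalike domain: member
```

Usage note: the `confirm_email` call stands in for whatever proof-of-control flow the application has; the example only shows where in the state machine the role must be recomputed.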
Got XSS on Jira with the os_destination parameter. I checked hundreds of other Jira targets (same version) for a similar bug; no other targets are vulnerable. Very strange.
I had a great year, earned 3X more bounty compared to last year. Ranked 12th on the all-time leaderboard on @bugcrowd, completed 11k points. I will focus more on other platforms too from next year. Overall happy with the progress <3
Wishing a happy & successful new year to everyone <3
How to do SQL injection if it's in an insert statement?
Like:
Insert into test ('user','pass') values (?,pass$myinputs);
I only have control over "myinputs" in the query.
#bugbounty
Giving away a 1 month subscription of @PrettyRecon: share your tips, tricks, articles, anything interesting you found recently. Will choose 5 random users from the comments. Do like, retweet & comment.
#BugBounty
I like coding more than bug bounty.
I'm doing bug bounty just because it's giving me more money than programming.
Building applications is cooler than breaking them🤖🙌
Twitter is the only reason I'm still doing bug bounties. I learn all this stuff from here; I get the motivation to open the laptop just because of seeing someone getting bounties lol, otherwise I would never …
2022 goals
1. To get proper sleep daily.
2. Improve health by adopting a healthy lifestyle.
3. I will look for some permanent job in the infosec field (maybe).
4. Try to maintain the same as what I achieved last year.
Hi, this time I turned a SQL injection vulnerability into XSS.
My payload:
concat(0x3c7363726970743e70726f6d70742822,0x3078336e30,0x7c7c,user(),0x7c7c,database(),0x222c646f63756d656e742e636f6f6b6965293c2f7363726970743e)
#bugbountytips
#cybersecurity
#infosec
#bugbounty
Can I put "security researcher/bug bounty hunter/pentester @Bugcrowd" on my LinkedIn profile?
Or is it just not professional? I recently saw lots of people doing it.
This year, I got 25% less bounty compared to 2021 with 75% fewer reports.
Reported more P1-P2 compared to last year. I spent an average of 20hrs a week on bug bounties; hopefully I will spend more time next year.
Thanks @Bugcrowd for giving the opportunity & sending good private invites :p
XSS is out of scope but not open redirect 😭 So I use JavaScript code to redirect to another site.
Why do programs put XSS out of scope but not open redirect?
I rarely get SQLi, or maybe I am not looking for it; as a developer I see/use lots of web frameworks & ORMs which prevent SQLi by default. So I always think that there is no chance that I will get one.
Have to look for this too. Nice work @GodfatherOrwa
Got one endpoint /private/data/users which potentially discloses all users' private information. But the data is so huge, as that webapp has millions of users, that it causes the server to time out & I am not able to dump anything for a POC.
Using PrettyRecon, I can easily search my bug bounty targets database for CVE-2024-24919; no need to blindly run nuclei on all target subdomains. @PrettyRecon