I'm an engineer from Turkey who is interested in biotechnology, computer science and digital gaming. Proud father of three little devils. A.K.A. nukedx
What an honour, I'm selected as Rookie of the Year for 2020-2021 on @SynackRedTeam, and I also achieved TITAN status in recognition for my first year! Thanks so much for all the good experience and fun I had during the year.
This year I made over 350k+ from bug bounties on various platforms. I mainly hunted on @SynackRedTeam, so as a result a huge part of it came from there. There, this year, I reported over 10 RCEs, 33 SQL injections, 79 XSSs and 131 various access control issues.
I'm proud to announce that with today's payouts I hit $1M all-time earnings combined from all the platforms and external programs I participated in. 3/4 of these earnings come from @SynackRedTeam and the rest from @Bugcrowd, @Hacker0x01 and some good external programs :).
#BugBounty
Can you spot the vulnerability in the code block below?
I'll explain yet another interesting engagement on @SynackRedTeam: how I turned blackbox testing into whitebox testing.
#bugbounty #bugbountytips 1/8
I broke my personal record for total earnings in 30 days on @SynackRedTeam. I broke my feet last month and then got covid, so I didn't hunt until the 17th of Feb, and after that I was able to check stuff. From the 17th to today I earned a total of 72k, which is my personal record.
#BugBounty
What a month it was on @SynackRedTeam; technically I'm at almost 100k with the pending ones, but time ended before they got triaged and paid out. There are 3 more vulns to be triaged; considering the max payout is 3K per vuln on @synack, almost all of them were SQLis.
#BugBounty
Exploiting SQL injection vulnerabilities is all about your knowledge of the target DBMS; reading the documentation and using functions specific to the target DBMS will help you escalate issues when automation tools cannot exploit them. 1/n
#bugbounty #bugbountytips
As of today I passed the half million milestone on @SynackRedTeam, with 200k of it in the last 90 days. So far this month is about to catch the previous one too; we will see what is going to happen in the next 10 days :).
#bugbounty #bugbountytips
One of the reasons I love testing on @SynackRedTeam is that we regularly have the opportunity to test enterprise software used by Forbes 500 companies.
I will explain an RCE I found recently in the enterprise software.
#bugbounty #bugbountytips 1/n
It is good to leave when you feel it's not going to get better anymore at the place you are working. As of today, I'm no longer active on @SynackRedTeam. I had an amazing 3.5 years there during my tenure; however, all good things come to an end.
I will try to explain how I found 4x SQLi recently on one of the oldest @SynackRedTeam targets.
The target has been active for years; it is one of my favorite ones and one I actively hack on.
In their recent updates, they somehow enabled directory listing.
#BugBounty #bugbountytips 1/n
As of this month I broke one of the personal goals I set in my 2021 plans for bug bounty: I got a total of 57k in bounties across all the platforms in a month. The big chunk of it is from @SynackRedTeam, 43.8k, and about 1.5k in the queue sums it up to 45.3k.
#BugBounty
A few months ago @osiryszzz and I discovered an interesting case of SQL injection on a @SynackRedTeam target which was black box testing.
During recon we noticed that there was an unrestricted file upload mechanism available to any user.
#bugbounty #bugbountytips /1
I just noticed I passed $100k in earnings as of this week on @SynackRedTeam since I started hunting at the end of July. It's truly amazing being part of it.
On a recent engagement on a program on @SynackRedTeam, I found out that the target had an error-based SQL injection in the LIMIT clause; it appears that the DBMS was MariaDB 10.4.13, so it was limiting the options that could be used in the injection.
#bugbountytips #bugbounty 1/5
Tonight I had fun times on a @SynackRedTeam target. The application was vulnerable to blind second-order SQL injection, but the page was completely blank in all cases except when the query resulted in an error.
#BugBounty #bugbountytips /1
Today I received my hackerthrone from @SynackRedTeam as the 2020-2021 recognition swag.
@SynackRedTeam's swag game is the absolute best, thank you so much! Especially to @ryanrutan for making the researcher experience there amazing!
While testing targets, you must always check all the results from your requests. I'll explain how I found a second-order SQL injection on one of my recent engagements at @SynackRedTeam 1/n.
#BugBounty #bugbountytip
I keep telling myself not to write this, but I wish the algorithms our Turkish developers write were in some correlation with their egos; in the last few months we tested many applications belonging to the Turkish offices of global companies on Synack.
When you are doing code review on WordPress plugins, always check the usage of esc_like and whereRaw in SQL queries; if esc_sql is not used together with esc_like, it will 99% result in SQL injection.
#BugBounty #BugBountytips
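The pattern the tip above describes, as an added example (not code from the tweet or from any real plugin): a plugin search helper in the vulnerable shape beside a hardened version. It assumes the standard global `$wpdb` and a hypothetical `{$wpdb->prefix}items` table.

```php
<?php
// Added illustration, not from the original post. Assumes WordPress' global
// $wpdb and a hypothetical table {$wpdb->prefix}items with columns id, name.

// VULNERABLE: $wpdb->esc_like() only backslash-escapes the LIKE wildcards
// (% and _) so user input cannot widen the pattern. It does NOT escape
// quotes, so interpolating its result straight into the query lets a single
// quote in $term terminate the string literal and alter the statement.
function find_items_vulnerable( string $term ): array {
    global $wpdb;
    $like = $wpdb->esc_like( $term );
    $sql  = "SELECT id, name FROM {$wpdb->prefix}items WHERE name LIKE '%{$like}%'";
    return $wpdb->get_results( $sql, ARRAY_A );
}

// HARDENED: esc_like() still neutralises the wildcards, then the whole
// pattern is bound through $wpdb->prepare() as a %s placeholder, which
// quotes and escapes the value so the SQL structure stays fixed.
function find_items_safe( string $term ): array {
    global $wpdb;
    $like = '%' . $wpdb->esc_like( $term ) . '%';
    $sql  = $wpdb->prepare(
        "SELECT id, name FROM {$wpdb->prefix}items WHERE name LIKE %s",
        $like
    );
    return $wpdb->get_results( $sql, ARRAY_A );
}

// Review heuristic matching the tip: flag any esc_like() call whose result
// reaches a query string without passing through prepare() or esc_sql().
function esc_like_without_escaping( string $source ): bool {
    return str_contains( $source, 'esc_like(' )
        && ! str_contains( $source, 'prepare(' )
        && ! str_contains( $source, 'esc_sql(' );
}
```

Where `prepare()` cannot be used, wrapping the pattern as `esc_sql( $wpdb->esc_like( $term ) )` before concatenation is the fallback the tip refers to.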
The security research team at @assetnote discovered a pre-authentication RCE vulnerability through a cryptographic flaw in Citrix ShareFile. It's been assigned CVE-2023-24489. You can read the technical blog post here:
Another smooth run this month; again I couldn't make it to 100k on the dashboard, but with the pending ones it is close to it! Thank you @SynackRedTeam for all the fun.
#BugBounty #bugbountytips
I wanna share how I achieved RCE on one of the recent engagements I was testing.
The target was using some in-house application, and I observed that it used to copy files from UNC paths.
I started to try potential RCE payloads like && nslookup collaborator && but it was failing.
I
When testing an application, if you want to verify a potential SQL injection, especially for an integer value, do not directly do stuff like ' OR 1='1 but do mathematical comparisons.
#bugbountytips
A very nice resource for SQL injection techniques, instead of spamming the random payloads shared on here; I suggest taking references from that resource for learning and mastering SQLi. Most of them are the ones I use, and there are many others.
#bugbountytips #BugBounty
I was taking a break from bug bounty since June for the summer. Last year was good: I managed to get titan status on @SynackRedTeam again for the second year in a row and got invited to the Hacker Hangout Event in November, which will be a live hacking event. /1
While exploiting SQL injection issues, knowing the capabilities of the target DBMS is key, which is what I'm always saying. I will try to explain how to find tables with valid data on IBM DB2 targets.
#bugbountytip 1/n
@Bugcrowd's P1 triage times are insane: after Team Hunt's final phase started, our team Retired Hackers (@bsysop, @sw33tLie, @restr1ct3d, @rhyselsmore and P3t3r_R4bb1t) dropped 14 P1's and all of them were triaged in a maximum of 30 minutes, and 9 of them are already paid out. Really amazing.
The stuff we reported was highly critical, such as SSRF; if one of the items we reported had been caught by a bad person, it could have been more than this breach. However, as a team we decided to move on after such treatment.
An employee laughed at the accent of our member; now we are laughing :)
@toddmckinnon My friends and I have reported multiple high/critical vulnerabilities to you through your bug bounty program. We were underpaid and treated like sh*t by your security team, acting like they know everything. I hope this misadventure will enlighten you on the importance of GOOD hackers.
I'm not sure if it's well-known stuff, but today I discovered something new to me during a quite interesting engagement on @SynackRedTeam.
The target had Incapsula enabled on their system, so I found out the origin IP thanks to .
#BugBounty #bugbountytips
@Hacker0x01 @jobertabma @martenmickos As far as I know, each year the #hackforgood destination changes: first it was for COVID-19, then for supporting Ukraine.
As you know, one of the biggest earthquakes recently happened in Türkiye; per this tweet, more than 17K lost their lives.
It appears that AWS finally killed subdomain takeovers via dangling EC2 IPs, and they ban accounts once they reach a certain amount of IP allocation.
#BugBounty
Finally received my recognition swag for this year from @SynackRedTeam; the kids loved both, especially the Robomaster. Thank you so much for such amazing stuff.
#BugBounty #swag
One of the fundamentals you need for exploiting the issues you find is trying to understand what you have from the data you observed. On a recent engagement with @any1_0x01 we found a SQLi on a target using KB_SQL, which is uncommon, and that's how we exploited it 1/n
#bugbounty #bugbountytips
The best bug bounty tip I can give: be polite and well-mannered when you submit an issue. I never had a problem with triagers that couldn't be solved. When both sides communicate clearly and respect each other, everything always goes smoothly.
#bugbounty #bugbountytip
Completed @Hacker0x01's Ambassador CTF as #1; there were really nice challenges out there. Hats off to @xEHLE_ for exchanging ideas and to @adamtlangley for another amazing set of challenges!
@Hacker0x01 @jobertabma I'm not posting this with any bad intent, but recently private payloads sent to programs on H1 were leaked by their employees with tools made by them.
Is there any agreement between programs on not exposing payloads sent by researchers?
Yay, I was awarded a $4,050 bounty on @Hacker0x01! #TogetherWeHitHarder
The program scope was updated recently and they added a new wildcard domain which had unclaimed elasticbeanstalk profiles pointed at it, leading to subdomain hijacking.
A few days ago, while testing a target, I came across an interesting endpoint during recon.
It was showing an empty page, but I was wondering why that file was there; after googling, it appears that the file was associated with some malware. 1/n
#bugbounty #infosec
If you are considering becoming a full-time bug bounty hunter, all I can suggest is to be sure you have enough savings for you and the people you are responsible for, for at least 2 years.
#bugbounty
🧵Full-Time Bug Bounty Hunter thread 🧵
I'm looking for people to jump in and give me their perspectives. This is all speculative and in US hyper-inflated markets.
A Sr/Principal Security Tester in the US can command a $150-200k salary in big markets (SFO, LA, NY).
👇1/x
The main reason MSSQL was generating an error: the column in the query actually had an integer datatype, and most likely the query was using double quotes, something like:
select title from news where id="<integer value>"
So for any non-integer value used, the application would give the same error.
#bugbountytip
Many of our Turkish brothers keep asking in DMs what they can do to improve in this field. First and most important, you must be curious and learn as much as you can about the environment you are testing.
I had a few DMs from people mentioning they will keep reporting open redirects; below you can find the reason why you shouldn't report open redirects but try to escalate them. It was a good collab with @Hxzeroone on these ones, and we have many waiting on triage.
#bugbountytips
Do not report open redirects without fully analyzing and seeing their potential. Thanks to a random guy who reported an open redirect, our report for a full SSRF leaking the client secret of an integration was claimed as a dupe.
Again: do not report open redirects.
#bugbountytips
Finally it's time to disclose reports for the #h1-415 CTF; here is mine: , I hope you guys will enjoy it. Once again, thanks @0xacb and @nahamsec for the fun times.
Leveled up to 0x04! via @SynackRedTeam; so far it's a really great experience. I wish I had started looking when I joined the platform rather than only in the last 3 months.
Found one of the most interesting SQL injections I've ever come across: the application was using a base64-encoded serialized PHP object for unauthenticated users, and it appears that they didn't sanitize the value when processing it.
Exploiting it manually was more fun.
So finally I converted the payload to retrieve HEX values one by one in order to retrieve the full content of the file: 1+procedure+analyse(extractvalue(rand(),concat(0x3a,HEX(substr(load_file(%27/etc/passwd%27),1,1)))),1).
This allowed me to show more severe impact on a limited injection. 5/5
The target was also behind Amazon WAF. POST-based requests are easy to bypass as we can send large requests with a lot of dummy data; however, I found a bypass for the GET-based SQLi with: OR%0A%0D8491831%0A%0DNOT%0A%0DIN%0A%0D(321231)%0A%0DLIMIT%0A%0D1--+a which allowed retrieving all the data.
@ReebootToInit5 First, it's a potential injection in an insert query and you are using an OR clause to exploit it, from what I see in the response; second, it's on MySQL but you are using the PostgreSQL function pg_sleep to exploit it.
Ghauri is literally the same as SQLMap with additional stuff done by the author.
We confirmed that it was vulnerable to time-based SQL injection, but how we were going to exploit it was in question.
I made a simple middleware proxy-like PHP script so that we were able to exploit the issue. /4
Yay, I was awarded a $2,000 bounty on @Hacker0x01! Got an invite to a private program, checked potential targets, noticed that two high-impact-named subdomains were pointing to an expired domain, registered it and got rewarded, all in a few days.
#TogetherWeHitHarder
It appears that Microsoft Azure made some changes for profiles, like AWS did on many services. Once a profile is dropped, it becomes available after approx. 3 days for claiming by other accounts.
#bugbounty #bugbountytips
TIL, Chrome-based browsers do not trigger onload/onerror or similar events for tags that try to fetch content via mixed resources, but they still trigger XSS via onmouseover. This is not the case for Firefox.
#bugbountytips #bugbounty
Let's say the parameter you are testing had the value 230; change it to 231-1, 231'-'1 etc., then check if the page is actually returning the same contents. This simple stuff will be more efficient and will not force the DBMS to do heavy queries like the ' OR 1='1 cases.
Wow, got my fastest time to report and resolve ever. Reported an issue, and in 13 minutes it got fixed and the bounty paid.
Basically, it was an IDOR revealing sensitive business client information to unprivileged users.
So I went for using a CASE statement with the ST_PointFromGeoHash function.
It was basically forcing the query to generate an error as the result.
The full payload was something like this:
(CASE WHEN 1=1 THEN 1 ELSE ST_PointFromGeoHash(USER(),1)) /3
This is your yearly reminder that ALL Udemy Bug Bounty courses are a waste of money.
The content you need is out there, completely for free.
Don't believe me?
Here is a list of the best Bug Bounty Resources out there
🧵👇
#bugbountytips
#BugBounty
The only thing I'm against is when these people are not experts but still get lots of followers and sell these copy-paste courses, and many beginners sadly follow them.
However, instead of building a safer and more stable algorithm, our developer brothers have the mindset of "I must buy the best equipment, it must be the best so that my work is the best"; as long as these mindsets don't change, things will be hard.
What I'm trying to say is: just keep thinking out of the box and believe in yourself. Do not rely on automated scans, do not run default configurations, and create your own methodology. This will lead you to find more valid vulns.
I earned $1,800 for my submission on @bugcrowd #ItTakesACrowd, yet another subdomain hijacking related to my previous tweet :). It was a really fun case to track down.
I noticed recently that I'm finding more account takeover and authentication bypass issues by altering the responses sent by the application; sadly, it looks like many devs rely on client-side validation.
#bugbountytip
Of course this is the case for parameters that have integer values; for strings you can try to concatenate, e.g. if the value is ABCD, change it to ABC'+'D.
Most DBMSs support concatenation like this, and it makes testing much easier.
Hats off to @vortexau for such a great tool called DNS Validator; it should be one of the must-have tools for a bounty hunter. If you want to speed up your DNS scans drastically, you can find it on:
And when we found the person who developed the software via OSINT, unfortunately he was not someone we could call a "Junior" but someone who had given years to this sector.